authortrhodes <trhodes@FreeBSD.org>2004-09-19 01:30:24 +0000
committertrhodes <trhodes@FreeBSD.org>2004-09-19 01:30:24 +0000
commit06246360f70ba2ce65a63d5c52289cd33256bc99 (patch)
tree97706b7f62557da0a2539b026e5cf66008ddf8c6
Vendor import of BIND 9.3.0rc4.
-rw-r--r--contrib/bind9/CHANGES5479
-rw-r--r--contrib/bind9/COPYRIGHT30
-rw-r--r--contrib/bind9/FAQ454
-rw-r--r--contrib/bind9/Makefile.in59
-rw-r--r--contrib/bind9/README344
-rw-r--r--contrib/bind9/acconfig.h141
-rw-r--r--contrib/bind9/bin/Makefile.in25
-rw-r--r--contrib/bind9/bin/check/Makefile.in95
-rw-r--r--contrib/bind9/bin/check/check-tool.c159
-rw-r--r--contrib/bind9/bin/check/check-tool.h46
-rw-r--r--contrib/bind9/bin/check/named-checkconf.859
-rw-r--r--contrib/bind9/bin/check/named-checkconf.c286
-rw-r--r--contrib/bind9/bin/check/named-checkconf.docbook146
-rw-r--r--contrib/bind9/bin/check/named-checkconf.html216
-rw-r--r--contrib/bind9/bin/check/named-checkzone.894
-rw-r--r--contrib/bind9/bin/check/named-checkzone.c200
-rw-r--r--contrib/bind9/bin/check/named-checkzone.docbook236
-rw-r--r--contrib/bind9/bin/check/named-checkzone.html367
-rw-r--r--contrib/bind9/bin/dig/Makefile.in101
-rw-r--r--contrib/bind9/bin/dig/dig.1401
-rw-r--r--contrib/bind9/bin/dig/dig.c1671
-rw-r--r--contrib/bind9/bin/dig/dig.docbook611
-rw-r--r--contrib/bind9/bin/dig/dig.html1174
-rw-r--r--contrib/bind9/bin/dig/dighost.c5074
-rw-r--r--contrib/bind9/bin/dig/host.1136
-rw-r--r--contrib/bind9/bin/dig/host.c754
-rw-r--r--contrib/bind9/bin/dig/host.docbook212
-rw-r--r--contrib/bind9/bin/dig/host.html434
-rw-r--r--contrib/bind9/bin/dig/include/dig/dig.h343
-rw-r--r--contrib/bind9/bin/dig/nslookup.1192
-rw-r--r--contrib/bind9/bin/dig/nslookup.c887
-rw-r--r--contrib/bind9/bin/dig/nslookup.docbook320
-rw-r--r--contrib/bind9/bin/dig/nslookup.html617
-rw-r--r--contrib/bind9/bin/dnssec/Makefile.in82
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.8174
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.c415
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.docbook342
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-keygen.html544
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.8113
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.c401
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook233
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-makekeyset.html407
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.8108
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.c448
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.docbook237
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signkey.html407
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.8167
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.c2102
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.docbook362
-rw-r--r--contrib/bind9/bin/dnssec/dnssec-signzone.html553
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.c305
-rw-r--r--contrib/bind9/bin/dnssec/dnssectool.h76
-rw-r--r--contrib/bind9/bin/named/Makefile.in131
-rw-r--r--contrib/bind9/bin/named/aclconf.c233
-rw-r--r--contrib/bind9/bin/named/builtin.c228
-rw-r--r--contrib/bind9/bin/named/client.c2361
-rw-r--r--contrib/bind9/bin/named/config.c723
-rw-r--r--contrib/bind9/bin/named/control.c140
-rw-r--r--contrib/bind9/bin/named/controlconf.c1323
-rw-r--r--contrib/bind9/bin/named/include/named/aclconf.h72
-rw-r--r--contrib/bind9/bin/named/include/named/builtin.h29
-rw-r--r--contrib/bind9/bin/named/include/named/client.h337
-rw-r--r--contrib/bind9/bin/named/include/named/config.h75
-rw-r--r--contrib/bind9/bin/named/include/named/control.h87
-rw-r--r--contrib/bind9/bin/named/include/named/globals.h118
-rw-r--r--contrib/bind9/bin/named/include/named/interfacemgr.h173
-rw-r--r--contrib/bind9/bin/named/include/named/listenlist.h104
-rw-r--r--contrib/bind9/bin/named/include/named/log.h96
-rw-r--r--contrib/bind9/bin/named/include/named/logconf.h32
-rw-r--r--contrib/bind9/bin/named/include/named/lwaddr.h34
-rw-r--r--contrib/bind9/bin/named/include/named/lwdclient.h230
-rw-r--r--contrib/bind9/bin/named/include/named/lwresd.h111
-rw-r--r--contrib/bind9/bin/named/include/named/lwsearch.h110
-rw-r--r--contrib/bind9/bin/named/include/named/main.h32
-rw-r--r--contrib/bind9/bin/named/include/named/notify.h54
-rw-r--r--contrib/bind9/bin/named/include/named/query.h83
-rw-r--r--contrib/bind9/bin/named/include/named/server.h213
-rw-r--r--contrib/bind9/bin/named/include/named/sortlist.h84
-rw-r--r--contrib/bind9/bin/named/include/named/tkeyconf.h51
-rw-r--r--contrib/bind9/bin/named/include/named/tsigconf.h47
-rw-r--r--contrib/bind9/bin/named/include/named/types.h41
-rw-r--r--contrib/bind9/bin/named/include/named/update.h49
-rw-r--r--contrib/bind9/bin/named/include/named/xfrout.h38
-rw-r--r--contrib/bind9/bin/named/include/named/zoneconf.h61
-rw-r--r--contrib/bind9/bin/named/interfacemgr.c911
-rw-r--r--contrib/bind9/bin/named/listenlist.c136
-rw-r--r--contrib/bind9/bin/named/log.c217
-rw-r--r--contrib/bind9/bin/named/logconf.c295
-rw-r--r--contrib/bind9/bin/named/lwaddr.c92
-rw-r--r--contrib/bind9/bin/named/lwdclient.c465
-rw-r--r--contrib/bind9/bin/named/lwderror.c78
-rw-r--r--contrib/bind9/bin/named/lwdgabn.c655
-rw-r--r--contrib/bind9/bin/named/lwdgnba.c270
-rw-r--r--contrib/bind9/bin/named/lwdgrbn.c513
-rw-r--r--contrib/bind9/bin/named/lwdnoop.c86
-rw-r--r--contrib/bind9/bin/named/lwresd.8140
-rw-r--r--contrib/bind9/bin/named/lwresd.c861
-rw-r--r--contrib/bind9/bin/named/lwresd.docbook300
-rw-r--r--contrib/bind9/bin/named/lwresd.html497
-rw-r--r--contrib/bind9/bin/named/lwsearch.c199
-rw-r--r--contrib/bind9/bin/named/main.c884
-rw-r--r--contrib/bind9/bin/named/named.8177
-rw-r--r--contrib/bind9/bin/named/named.conf.5474
-rw-r--r--contrib/bind9/bin/named/named.conf.docbook532
-rw-r--r--contrib/bind9/bin/named/named.conf.html1893
-rw-r--r--contrib/bind9/bin/named/named.docbook370
-rw-r--r--contrib/bind9/bin/named/named.html625
-rw-r--r--contrib/bind9/bin/named/notify.c162
-rw-r--r--contrib/bind9/bin/named/query.c3539
-rw-r--r--contrib/bind9/bin/named/server.c4089
-rw-r--r--contrib/bind9/bin/named/sortlist.c162
-rw-r--r--contrib/bind9/bin/named/tkeyconf.c118
-rw-r--r--contrib/bind9/bin/named/tsigconf.c170
-rw-r--r--contrib/bind9/bin/named/unix/Makefile.in36
-rw-r--r--contrib/bind9/bin/named/unix/include/named/os.h64
-rw-r--r--contrib/bind9/bin/named/unix/os.c630
-rw-r--r--contrib/bind9/bin/named/update.c2811
-rw-r--r--contrib/bind9/bin/named/xfrout.c1718
-rw-r--r--contrib/bind9/bin/named/zoneconf.c729
-rw-r--r--contrib/bind9/bin/nsupdate/Makefile.in83
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.8369
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.c1983
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.docbook629
-rw-r--r--contrib/bind9/bin/nsupdate/nsupdate.html962
-rw-r--r--contrib/bind9/bin/rndc/Makefile.in102
-rw-r--r--contrib/bind9/bin/rndc/include/rndc/os.h44
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.8140
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.c323
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.docbook273
-rw-r--r--contrib/bind9/bin/rndc/rndc-confgen.html538
-rw-r--r--contrib/bind9/bin/rndc/rndc.8118
-rw-r--r--contrib/bind9/bin/rndc/rndc.c687
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf36
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.5142
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.docbook210
-rw-r--r--contrib/bind9/bin/rndc/rndc.conf.html377
-rw-r--r--contrib/bind9/bin/rndc/rndc.docbook228
-rw-r--r--contrib/bind9/bin/rndc/rndc.html388
-rw-r--r--contrib/bind9/bin/rndc/unix/Makefile.in36
-rw-r--r--contrib/bind9/bin/rndc/unix/os.c68
-rw-r--r--contrib/bind9/bin/rndc/util.c55
-rw-r--r--contrib/bind9/bin/rndc/util.h49
-rw-r--r--contrib/bind9/config.guess1435
-rw-r--r--contrib/bind9/config.sub1537
-rw-r--r--contrib/bind9/configure.in2180
-rw-r--r--contrib/bind9/doc/Makefile.in29
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM-book.xml6571
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch01.html1131
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch02.html284
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch03.html1458
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch04.html1602
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch05.html265
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch06.html11479
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch07.html500
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch08.html272
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.ch09.html1587
-rw-r--r--contrib/bind9/doc/arm/Bv9ARM.html851
-rw-r--r--contrib/bind9/doc/arm/Makefile.in69
-rw-r--r--contrib/bind9/doc/arm/README-SGML329
-rw-r--r--contrib/bind9/doc/arm/isc.color.gifbin0 -> 6384 bytes
-rw-r--r--contrib/bind9/doc/arm/nominum-docbook-html.dsl.in148
-rw-r--r--contrib/bind9/doc/arm/nominum-docbook-print.dsl.in42
-rw-r--r--contrib/bind9/doc/arm/validate.sh.in21
-rw-r--r--contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt336
-rw-r--r--contrib/bind9/doc/draft/draft-daigle-napstr-04.txt1232
-rw-r--r--contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt1960
-rw-r--r--contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt241
-rw-r--r--contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt240
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt393
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt561
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt442
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt1457
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt3193
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt1849
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt639
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt335
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt560
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt1559
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt1235
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt466
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt1010
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt1120
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt1344
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt1321
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt1969
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt300
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt391
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt505
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt485
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt617
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt1588
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt951
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt1200
-rw-r--r--contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt614
-rw-r--r--contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt519
-rw-r--r--contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt295
-rw-r--r--contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt1830
-rw-r--r--contrib/bind9/doc/draft/update46
-rw-r--r--contrib/bind9/doc/misc/Makefile.in36
-rw-r--r--contrib/bind9/doc/misc/dnssec84
-rw-r--r--contrib/bind9/doc/misc/format-options.pl36
-rw-r--r--contrib/bind9/doc/misc/ipv6113
-rw-r--r--contrib/bind9/doc/misc/migration246
-rw-r--r--contrib/bind9/doc/misc/migration-4to957
-rw-r--r--contrib/bind9/doc/misc/options384
-rw-r--r--contrib/bind9/doc/misc/rfc-compliance62
-rw-r--r--contrib/bind9/doc/misc/roadmap47
-rw-r--r--contrib/bind9/doc/misc/sdb169
-rw-r--r--contrib/bind9/doc/rfc/index94
-rw-r--r--contrib/bind9/doc/rfc/rfc1032.txt781
-rw-r--r--contrib/bind9/doc/rfc/rfc1033.txt1229
-rw-r--r--contrib/bind9/doc/rfc/rfc1034.txt3077
-rw-r--r--contrib/bind9/doc/rfc/rfc1035.txt3077
-rw-r--r--contrib/bind9/doc/rfc/rfc1101.txt787
-rw-r--r--contrib/bind9/doc/rfc/rfc1122.txt6844
-rw-r--r--contrib/bind9/doc/rfc/rfc1123.txt5782
-rw-r--r--contrib/bind9/doc/rfc/rfc1183.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc1348.txt227
-rw-r--r--contrib/bind9/doc/rfc/rfc1535.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc1536.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc1537.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc1591.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc1611.txt1683
-rw-r--r--contrib/bind9/doc/rfc/rfc1612.txt1795
-rw-r--r--contrib/bind9/doc/rfc/rfc1706.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc1712.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc1750.txt1683
-rw-r--r--contrib/bind9/doc/rfc/rfc1876.txt1011
-rw-r--r--contrib/bind9/doc/rfc/rfc1886.txt268
-rw-r--r--contrib/bind9/doc/rfc/rfc1982.txt394
-rw-r--r--contrib/bind9/doc/rfc/rfc1995.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc1996.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2052.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2104.txt620
-rw-r--r--contrib/bind9/doc/rfc/rfc2119.txt171
-rw-r--r--contrib/bind9/doc/rfc/rfc2133.txt1795
-rw-r--r--contrib/bind9/doc/rfc/rfc2136.txt1460
-rw-r--r--contrib/bind9/doc/rfc/rfc2137.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc2163.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2168.txt1123
-rw-r--r--contrib/bind9/doc/rfc/rfc2181.txt842
-rw-r--r--contrib/bind9/doc/rfc/rfc2230.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc2308.txt1067
-rw-r--r--contrib/bind9/doc/rfc/rfc2317.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2373.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2374.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2375.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc2418.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc2535.txt2635
-rw-r--r--contrib/bind9/doc/rfc/rfc2536.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2537.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2538.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc2539.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2540.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2541.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2553.txt2299
-rw-r--r--contrib/bind9/doc/rfc/rfc2671.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2672.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc2673.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2782.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2825.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc2826.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc2845.txt843
-rw-r--r--contrib/bind9/doc/rfc/rfc2874.txt1123
-rw-r--r--contrib/bind9/doc/rfc/rfc2915.txt1011
-rw-r--r--contrib/bind9/doc/rfc/rfc2929.txt675
-rw-r--r--contrib/bind9/doc/rfc/rfc2930.txt899
-rw-r--r--contrib/bind9/doc/rfc/rfc2931.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3007.txt507
-rw-r--r--contrib/bind9/doc/rfc/rfc3008.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3071.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3090.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3110.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3123.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3152.txt227
-rw-r--r--contrib/bind9/doc/rfc/rfc3197.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc3225.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3226.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3258.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3363.txt339
-rw-r--r--contrib/bind9/doc/rfc/rfc3364.txt619
-rw-r--r--contrib/bind9/doc/rfc/rfc3425.txt283
-rw-r--r--contrib/bind9/doc/rfc/rfc3445.txt563
-rw-r--r--contrib/bind9/doc/rfc/rfc3467.txt1739
-rw-r--r--contrib/bind9/doc/rfc/rfc3490.txt1235
-rw-r--r--contrib/bind9/doc/rfc/rfc3491.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc3492.txt1963
-rw-r--r--contrib/bind9/doc/rfc/rfc3493.txt2187
-rw-r--r--contrib/bind9/doc/rfc/rfc3513.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc3596.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3597.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3645.txt1459
-rw-r--r--contrib/bind9/doc/rfc/rfc3655.txt451
-rw-r--r--contrib/bind9/doc/rfc/rfc3658.txt1067
-rw-r--r--contrib/bind9/doc/rfc/rfc3833.txt899
-rw-r--r--contrib/bind9/doc/rfc/rfc3845.txt395
-rw-r--r--contrib/bind9/doc/rfc/rfc952.txt340
-rwxr-xr-xcontrib/bind9/install-sh250
-rw-r--r--contrib/bind9/isc-config.sh.in149
-rw-r--r--contrib/bind9/lib/Makefile.in29
-rw-r--r--contrib/bind9/lib/bind/Makefile.in127
-rw-r--r--contrib/bind9/lib/bind/README4
-rw-r--r--contrib/bind9/lib/bind/aclocal.m42
-rw-r--r--contrib/bind9/lib/bind/api3
-rw-r--r--contrib/bind9/lib/bind/bsd/Makefile.in39
-rw-r--r--contrib/bind9/lib/bind/bsd/daemon.c79
-rw-r--r--contrib/bind9/lib/bind/bsd/ftruncate.c63
-rw-r--r--contrib/bind9/lib/bind/bsd/gettimeofday.c62
-rw-r--r--contrib/bind9/lib/bind/bsd/mktemp.c154
-rw-r--r--contrib/bind9/lib/bind/bsd/putenv.c25
-rw-r--r--contrib/bind9/lib/bind/bsd/readv.c38
-rw-r--r--contrib/bind9/lib/bind/bsd/setenv.c149
-rw-r--r--contrib/bind9/lib/bind/bsd/setitimer.c27
-rw-r--r--contrib/bind9/lib/bind/bsd/strcasecmp.c122
-rw-r--r--contrib/bind9/lib/bind/bsd/strdup.c18
-rw-r--r--contrib/bind9/lib/bind/bsd/strerror.c90
-rw-r--r--contrib/bind9/lib/bind/bsd/strpbrk.c68
-rw-r--r--contrib/bind9/lib/bind/bsd/strsep.c86
-rw-r--r--contrib/bind9/lib/bind/bsd/strtoul.c117
-rw-r--r--contrib/bind9/lib/bind/bsd/utimes.c39
-rw-r--r--contrib/bind9/lib/bind/bsd/writev.c87
-rw-r--r--contrib/bind9/lib/bind/config.h.in45
-rwxr-xr-xcontrib/bind9/lib/bind/configure31829
-rw-r--r--contrib/bind9/lib/bind/configure.in2407
-rw-r--r--contrib/bind9/lib/bind/dst/Makefile.in32
-rw-r--r--contrib/bind9/lib/bind/dst/dst_api.c1048
-rw-r--r--contrib/bind9/lib/bind/dst/dst_internal.h154
-rw-r--r--contrib/bind9/lib/bind/dst/hmac_link.c468
-rw-r--r--contrib/bind9/lib/bind/dst/md5.h101
-rw-r--r--contrib/bind9/lib/bind/dst/md5_dgst.c370
-rw-r--r--contrib/bind9/lib/bind/dst/md5_locl.h190
-rw-r--r--contrib/bind9/lib/bind/dst/support.c350
-rw-r--r--contrib/bind9/lib/bind/include/Makefile.in47
-rw-r--r--contrib/bind9/lib/bind/include/arpa/inet.h124
-rw-r--r--contrib/bind9/lib/bind/include/arpa/nameser.h576
-rw-r--r--contrib/bind9/lib/bind/include/arpa/nameser_compat.h232
-rw-r--r--contrib/bind9/lib/bind/include/fd_setsize.h9
-rw-r--r--contrib/bind9/lib/bind/include/hesiod.h38
-rw-r--r--contrib/bind9/lib/bind/include/irp.h103
-rw-r--r--contrib/bind9/lib/bind/include/irs.h345
-rw-r--r--contrib/bind9/lib/bind/include/isc/assertions.h122
-rw-r--r--contrib/bind9/lib/bind/include/isc/ctl.h109
-rw-r--r--contrib/bind9/lib/bind/include/isc/dst.h180
-rw-r--r--contrib/bind9/lib/bind/include/isc/eventlib.h200
-rw-r--r--contrib/bind9/lib/bind/include/isc/heap.h47
-rw-r--r--contrib/bind9/lib/bind/include/isc/irpmarshall.h115
-rw-r--r--contrib/bind9/lib/bind/include/isc/list.h112
-rw-r--r--contrib/bind9/lib/bind/include/isc/logging.h112
-rw-r--r--contrib/bind9/lib/bind/include/isc/memcluster.h49
-rw-r--r--contrib/bind9/lib/bind/include/isc/misc.h39
-rw-r--r--contrib/bind9/lib/bind/include/isc/tree.h58
-rw-r--r--contrib/bind9/lib/bind/include/netdb.h549
-rw-r--r--contrib/bind9/lib/bind/include/netgroup.h24
-rw-r--r--contrib/bind9/lib/bind/include/res_update.h65
-rw-r--r--contrib/bind9/lib/bind/include/resolv.h501
-rw-r--r--contrib/bind9/lib/bind/inet/Makefile.in35
-rw-r--r--contrib/bind9/lib/bind/inet/inet_addr.c206
-rw-r--r--contrib/bind9/lib/bind/inet/inet_cidr_ntop.c259
-rw-r--r--contrib/bind9/lib/bind/inet/inet_cidr_pton.c275
-rw-r--r--contrib/bind9/lib/bind/inet/inet_data.c44
-rw-r--r--contrib/bind9/lib/bind/inet/inet_lnaof.c63
-rw-r--r--contrib/bind9/lib/bind/inet/inet_makeaddr.c66
-rw-r--r--contrib/bind9/lib/bind/inet/inet_net_ntop.c277
-rw-r--r--contrib/bind9/lib/bind/inet/inet_net_pton.c405
-rw-r--r--contrib/bind9/lib/bind/inet/inet_neta.c87
-rw-r--r--contrib/bind9/lib/bind/inet/inet_netof.c62
-rw-r--r--contrib/bind9/lib/bind/inet/inet_network.c104
-rw-r--r--contrib/bind9/lib/bind/inet/inet_ntoa.c62
-rw-r--r--contrib/bind9/lib/bind/inet/inet_ntop.c203
-rw-r--r--contrib/bind9/lib/bind/inet/inet_pton.c222
-rw-r--r--contrib/bind9/lib/bind/inet/nsap_addr.c108
-rw-r--r--contrib/bind9/lib/bind/irs/Makefile.in70
-rw-r--r--contrib/bind9/lib/bind/irs/dns.c153
-rw-r--r--contrib/bind9/lib/bind/irs/dns_gr.c293
-rw-r--r--contrib/bind9/lib/bind/irs/dns_ho.c1150
-rw-r--r--contrib/bind9/lib/bind/irs/dns_nw.c589
-rw-r--r--contrib/bind9/lib/bind/irs/dns_p.h50
-rw-r--r--contrib/bind9/lib/bind/irs/dns_pr.c266
-rw-r--r--contrib/bind9/lib/bind/irs/dns_pw.c231
-rw-r--r--contrib/bind9/lib/bind/irs/dns_sv.c298
-rw-r--r--contrib/bind9/lib/bind/irs/gai_strerror.c86
-rw-r--r--contrib/bind9/lib/bind/irs/gen.c430
-rw-r--r--contrib/bind9/lib/bind/irs/gen_gr.c492
-rw-r--r--contrib/bind9/lib/bind/irs/gen_ho.c391
-rw-r--r--contrib/bind9/lib/bind/irs/gen_ng.c172
-rw-r--r--contrib/bind9/lib/bind/irs/gen_nw.c262
-rw-r--r--contrib/bind9/lib/bind/irs/gen_p.h113
-rw-r--r--contrib/bind9/lib/bind/irs/gen_pr.c226
-rw-r--r--contrib/bind9/lib/bind/irs/gen_pw.c233
-rw-r--r--contrib/bind9/lib/bind/irs/gen_sv.c227
-rw-r--r--contrib/bind9/lib/bind/irs/getaddrinfo.c1227
-rw-r--r--contrib/bind9/lib/bind/irs/getgrent.c223
-rw-r--r--contrib/bind9/lib/bind/irs/getgrent_r.c229
-rw-r--r--contrib/bind9/lib/bind/irs/gethostent.c1069
-rw-r--r--contrib/bind9/lib/bind/irs/gethostent_r.c262
-rw-r--r--contrib/bind9/lib/bind/irs/getnameinfo.c322
-rw-r--r--contrib/bind9/lib/bind/irs/getnetent.c343
-rw-r--r--contrib/bind9/lib/bind/irs/getnetent_r.c227
-rw-r--r--contrib/bind9/lib/bind/irs/getnetgrent.c156
-rw-r--r--contrib/bind9/lib/bind/irs/getnetgrent_r.c167
-rw-r--r--contrib/bind9/lib/bind/irs/getprotoent.c174
-rw-r--r--contrib/bind9/lib/bind/irs/getprotoent_r.c216
-rw-r--r--contrib/bind9/lib/bind/irs/getpwent.c200
-rw-r--r--contrib/bind9/lib/bind/irs/getpwent_r.c275
-rw-r--r--contrib/bind9/lib/bind/irs/getservent.c177
-rw-r--r--contrib/bind9/lib/bind/irs/getservent_r.c237
-rw-r--r--contrib/bind9/lib/bind/irs/hesiod.c507
-rw-r--r--contrib/bind9/lib/bind/irs/hesiod_p.h48
-rw-r--r--contrib/bind9/lib/bind/irs/irp.c592
-rw-r--r--contrib/bind9/lib/bind/irs/irp_gr.c408
-rw-r--r--contrib/bind9/lib/bind/irs/irp_ho.c429
-rw-r--r--contrib/bind9/lib/bind/irs/irp_ng.c272
-rw-r--r--contrib/bind9/lib/bind/irs/irp_nw.c375
-rw-r--r--contrib/bind9/lib/bind/irs/irp_p.h59
-rw-r--r--contrib/bind9/lib/bind/irs/irp_pr.c353
-rw-r--r--contrib/bind9/lib/bind/irs/irp_pw.c358
-rw-r--r--contrib/bind9/lib/bind/irs/irp_sv.c369
-rw-r--r--contrib/bind9/lib/bind/irs/irpmarshall.c2344
-rw-r--r--contrib/bind9/lib/bind/irs/irs_data.c230
-rw-r--r--contrib/bind9/lib/bind/irs/irs_data.h62
-rw-r--r--contrib/bind9/lib/bind/irs/irs_p.h49
-rw-r--r--contrib/bind9/lib/bind/irs/lcl.c140
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_gr.c354
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_ho.c576
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_ng.c444
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_nw.c371
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_p.h50
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_pr.c284
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_pw.c308
-rw-r--r--contrib/bind9/lib/bind/irs/lcl_sv.c431
-rw-r--r--contrib/bind9/lib/bind/irs/nis.c154
-rw-r--r--contrib/bind9/lib/bind/irs/nis_gr.c353
-rw-r--r--contrib/bind9/lib/bind/irs/nis_ho.c533
-rw-r--r--contrib/bind9/lib/bind/irs/nis_ng.c302
-rw-r--r--contrib/bind9/lib/bind/irs/nis_nw.c383
-rw-r--r--contrib/bind9/lib/bind/irs/nis_p.h46
-rw-r--r--contrib/bind9/lib/bind/irs/nis_pr.c300
-rw-r--r--contrib/bind9/lib/bind/irs/nis_pw.c287
-rw-r--r--contrib/bind9/lib/bind/irs/nis_sv.c308
-rw-r--r--contrib/bind9/lib/bind/irs/nul_ng.c126
-rw-r--r--contrib/bind9/lib/bind/irs/pathnames.h50
-rw-r--r--contrib/bind9/lib/bind/irs/util.c107
-rw-r--r--contrib/bind9/lib/bind/isc/Makefile.in35
-rw-r--r--contrib/bind9/lib/bind/isc/assertions.c91
-rw-r--r--contrib/bind9/lib/bind/isc/assertions.mdoc138
-rw-r--r--contrib/bind9/lib/bind/isc/base64.c320
-rw-r--r--contrib/bind9/lib/bind/isc/bitncmp.c66
-rw-r--r--contrib/bind9/lib/bind/isc/bitncmp.mdoc82
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_clnt.c602
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_p.c186
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_p.h26
-rw-r--r--contrib/bind9/lib/bind/isc/ctl_srvr.c780
-rw-r--r--contrib/bind9/lib/bind/isc/ev_connects.c367
-rw-r--r--contrib/bind9/lib/bind/isc/ev_files.c283
-rw-r--r--contrib/bind9/lib/bind/isc/ev_streams.c306
-rw-r--r--contrib/bind9/lib/bind/isc/ev_timers.c497
-rw-r--r--contrib/bind9/lib/bind/isc/ev_waits.c245
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib.c728
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib.mdoc918
-rw-r--r--contrib/bind9/lib/bind/isc/eventlib_p.h219
-rw-r--r--contrib/bind9/lib/bind/isc/heap.c230
-rw-r--r--contrib/bind9/lib/bind/isc/heap.mdoc378
-rw-r--r--contrib/bind9/lib/bind/isc/hex.c116
-rw-r--r--contrib/bind9/lib/bind/isc/logging.c720
-rw-r--r--contrib/bind9/lib/bind/isc/logging.mdoc1056
-rw-r--r--contrib/bind9/lib/bind/isc/logging_p.h60
-rw-r--r--contrib/bind9/lib/bind/isc/memcluster.c545
-rw-r--r--contrib/bind9/lib/bind/isc/memcluster.mdoc376
-rw-r--r--contrib/bind9/lib/bind/isc/movefile.c35
-rw-r--r--contrib/bind9/lib/bind/isc/tree.c532
-rw-r--r--contrib/bind9/lib/bind/isc/tree.mdoc154
-rw-r--r--contrib/bind9/lib/bind/libtool.m45943
-rw-r--r--contrib/bind9/lib/bind/ltmain.sh4950
-rw-r--r--contrib/bind9/lib/bind/make/includes.in44
-rw-r--r--contrib/bind9/lib/bind/make/mkdep.in147
-rw-r--r--contrib/bind9/lib/bind/make/rules.in177
-rwxr-xr-xcontrib/bind9/lib/bind/mkinstalldirs40
-rw-r--r--contrib/bind9/lib/bind/nameser/Makefile.in31
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_date.c128
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_name.c963
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_netint.c56
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_parse.c203
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_print.c898
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_samedomain.c206
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_sign.c380
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_ttl.c159
-rw-r--r--contrib/bind9/lib/bind/nameser/ns_verify.c480
-rw-r--r--contrib/bind9/lib/bind/port/Makefile.in14
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/Makefile.in14
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/include/Makefile.in34
-rw-r--r--contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h37
-rw-r--r--contrib/bind9/lib/bind/port_after.h.in395
-rw-r--r--contrib/bind9/lib/bind/port_before.h.in138
-rw-r--r--contrib/bind9/lib/bind/resolv/Makefile.in34
-rw-r--r--contrib/bind9/lib/bind/resolv/herror.c127
-rw-r--r--contrib/bind9/lib/bind/resolv/res_comp.c251
-rw-r--r--contrib/bind9/lib/bind/resolv/res_data.c291
-rw-r--r--contrib/bind9/lib/bind/resolv/res_debug.c1163
-rw-r--r--contrib/bind9/lib/bind/resolv/res_debug.h34
-rw-r--r--contrib/bind9/lib/bind/resolv/res_findzonecut.c722
-rw-r--r--contrib/bind9/lib/bind/resolv/res_init.c740
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkquery.c256
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkupdate.c1159
-rw-r--r--contrib/bind9/lib/bind/resolv/res_mkupdate.h24
-rw-r--r--contrib/bind9/lib/bind/resolv/res_private.h20
-rw-r--r--contrib/bind9/lib/bind/resolv/res_query.c432
-rw-r--r--contrib/bind9/lib/bind/resolv/res_send.c1052
-rw-r--r--contrib/bind9/lib/bind/resolv/res_sendsigned.c159
-rw-r--r--contrib/bind9/lib/bind/resolv/res_update.c212
-rw-r--r--contrib/bind9/lib/bind9/Makefile.in76
-rw-r--r--contrib/bind9/lib/bind9/api3
-rw-r--r--contrib/bind9/lib/bind9/check.c1412
-rw-r--r--contrib/bind9/lib/bind9/getaddresses.c229
-rw-r--r--contrib/bind9/lib/bind9/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/Makefile.in42
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/check.h54
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/getaddresses.h59
-rw-r--r--contrib/bind9/lib/bind9/include/bind9/version.h26
-rw-r--r--contrib/bind9/lib/bind9/version.c26
-rw-r--r--contrib/bind9/lib/dns/Makefile.in164
-rw-r--r--contrib/bind9/lib/dns/acl.c446
-rw-r--r--contrib/bind9/lib/dns/adb.c3575
-rw-r--r--contrib/bind9/lib/dns/api3
-rw-r--r--contrib/bind9/lib/dns/byaddr.c314
-rw-r--r--contrib/bind9/lib/dns/cache.c1058
-rw-r--r--contrib/bind9/lib/dns/callbacks.c111
-rw-r--r--contrib/bind9/lib/dns/compress.c316
-rw-r--r--contrib/bind9/lib/dns/db.c793
-rw-r--r--contrib/bind9/lib/dns/dbiterator.c141
-rw-r--r--contrib/bind9/lib/dns/dbtable.c291
-rw-r--r--contrib/bind9/lib/dns/diff.c539
-rw-r--r--contrib/bind9/lib/dns/dispatch.c2199
-rw-r--r--contrib/bind9/lib/dns/dnssec.c857
-rw-r--r--contrib/bind9/lib/dns/ds.c83
-rw-r--r--contrib/bind9/lib/dns/forward.c195
-rw-r--r--contrib/bind9/lib/dns/gen-unix.h92
-rw-r--r--contrib/bind9/lib/dns/gen.c878
-rw-r--r--contrib/bind9/lib/dns/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/dns/include/dns/Makefile.in54
-rw-r--r--contrib/bind9/lib/dns/include/dns/acl.h221
-rw-r--r--contrib/bind9/lib/dns/include/dns/adb.h596
-rw-r--r--contrib/bind9/lib/dns/include/dns/bit.h37
-rw-r--r--contrib/bind9/lib/dns/include/dns/byaddr.h169
-rw-r--r--contrib/bind9/lib/dns/include/dns/cache.h255
-rw-r--r--contrib/bind9/lib/dns/include/dns/callbacks.h83
-rw-r--r--contrib/bind9/lib/dns/include/dns/cert.h67
-rw-r--r--contrib/bind9/lib/dns/include/dns/compress.h248
-rw-r--r--contrib/bind9/lib/dns/include/dns/db.h1271
-rw-r--r--contrib/bind9/lib/dns/include/dns/dbiterator.h298
-rw-r--r--contrib/bind9/lib/dns/include/dns/dbtable.h164
-rw-r--r--contrib/bind9/lib/dns/include/dns/diff.h279
-rw-r--r--contrib/bind9/lib/dns/include/dns/dispatch.h442
-rw-r--r--contrib/bind9/lib/dns/include/dns/dnssec.h179
-rw-r--r--contrib/bind9/lib/dns/include/dns/ds.h56
-rw-r--r--contrib/bind9/lib/dns/include/dns/events.h70
-rw-r--r--contrib/bind9/lib/dns/include/dns/fixedname.h83
-rw-r--r--contrib/bind9/lib/dns/include/dns/forward.h98
-rw-r--r--contrib/bind9/lib/dns/include/dns/journal.h271
-rw-r--r--contrib/bind9/lib/dns/include/dns/keyflags.h52
-rw-r--r--contrib/bind9/lib/dns/include/dns/keytable.h255
-rw-r--r--contrib/bind9/lib/dns/include/dns/keyvalues.h96
-rw-r--r--contrib/bind9/lib/dns/include/dns/lib.h39
-rw-r--r--contrib/bind9/lib/dns/include/dns/log.h103
-rw-r--r--contrib/bind9/lib/dns/include/dns/lookup.h138
-rw-r--r--contrib/bind9/lib/dns/include/dns/master.h214
-rw-r--r--contrib/bind9/lib/dns/include/dns/masterdump.h303
-rw-r--r--contrib/bind9/lib/dns/include/dns/message.h1297
-rw-r--r--contrib/bind9/lib/dns/include/dns/name.h1246
-rw-r--r--contrib/bind9/lib/dns/include/dns/ncache.h158
-rw-r--r--contrib/bind9/lib/dns/include/dns/nsec.h67
-rw-r--r--contrib/bind9/lib/dns/include/dns/opcode.h49
-rw-r--r--contrib/bind9/lib/dns/include/dns/order.h97
-rw-r--r--contrib/bind9/lib/dns/include/dns/peer.h177
-rw-r--r--contrib/bind9/lib/dns/include/dns/portlist.h99
-rw-r--r--contrib/bind9/lib/dns/include/dns/rbt.h835
-rw-r--r--contrib/bind9/lib/dns/include/dns/rcode.h96
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdata.h706
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataclass.h79
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatalist.h104
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataset.h468
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatasetiter.h171
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdataslab.h167
-rw-r--r--contrib/bind9/lib/dns/include/dns/rdatatype.h81
-rw-r--r--contrib/bind9/lib/dns/include/dns/request.h371
-rw-r--r--contrib/bind9/lib/dns/include/dns/resolver.h431
-rw-r--r--contrib/bind9/lib/dns/include/dns/result.h186
-rw-r--r--contrib/bind9/lib/dns/include/dns/rootns.h35
-rw-r--r--contrib/bind9/lib/dns/include/dns/sdb.h206
-rw-r--r--contrib/bind9/lib/dns/include/dns/secalg.h69
-rw-r--r--contrib/bind9/lib/dns/include/dns/secproto.h69
-rw-r--r--contrib/bind9/lib/dns/include/dns/soa.h80
-rw-r--r--contrib/bind9/lib/dns/include/dns/ssu.h157
-rw-r--r--contrib/bind9/lib/dns/include/dns/stats.h57
-rw-r--r--contrib/bind9/lib/dns/include/dns/tcpmsg.h145
-rw-r--r--contrib/bind9/lib/dns/include/dns/time.h70
-rw-r--r--contrib/bind9/lib/dns/include/dns/timer.h50
-rw-r--r--contrib/bind9/lib/dns/include/dns/tkey.h196
-rw-r--r--contrib/bind9/lib/dns/include/dns/tsig.h242
-rw-r--r--contrib/bind9/lib/dns/include/dns/ttl.h76
-rw-r--r--contrib/bind9/lib/dns/include/dns/types.h299
-rw-r--r--contrib/bind9/lib/dns/include/dns/validator.h201
-rw-r--r--contrib/bind9/lib/dns/include/dns/version.h26
-rw-r--r--contrib/bind9/lib/dns/include/dns/view.h789
-rw-r--r--contrib/bind9/lib/dns/include/dns/xfrin.h107
-rw-r--r--contrib/bind9/lib/dns/include/dns/zone.h1430
-rw-r--r--contrib/bind9/lib/dns/include/dns/zonekey.h40
-rw-r--r--contrib/bind9/lib/dns/include/dns/zt.h167
-rw-r--r--contrib/bind9/lib/dns/journal.c2131
-rw-r--r--contrib/bind9/lib/dns/keytable.c396
-rw-r--r--contrib/bind9/lib/dns/lib.c62
-rw-r--r--contrib/bind9/lib/dns/log.c93
-rw-r--r--contrib/bind9/lib/dns/lookup.c487
-rw-r--r--contrib/bind9/lib/dns/master.c2376
-rw-r--r--contrib/bind9/lib/dns/masterdump.c1455
-rw-r--r--contrib/bind9/lib/dns/message.c3160
-rw-r--r--contrib/bind9/lib/dns/name.c2202
-rw-r--r--contrib/bind9/lib/dns/ncache.c554
-rw-r--r--contrib/bind9/lib/dns/nsec.c218
-rw-r--r--contrib/bind9/lib/dns/order.c157
-rw-r--r--contrib/bind9/lib/dns/peer.c522
-rw-r--r--contrib/bind9/lib/dns/portlist.c260
-rw-r--r--contrib/bind9/lib/dns/rbt.c2543
-rw-r--r--contrib/bind9/lib/dns/rbtdb.c5706
-rw-r--r--contrib/bind9/lib/dns/rbtdb.h43
-rw-r--r--contrib/bind9/lib/dns/rbtdb64.c21
-rw-r--r--contrib/bind9/lib/dns/rbtdb64.h44
-rw-r--r--contrib/bind9/lib/dns/rcode.c473
-rw-r--r--contrib/bind9/lib/dns/rdata.c1720
-rw-r--r--contrib/bind9/lib/dns/rdata/any_255/tsig_250.c593
-rw-r--r--contrib/bind9/lib/dns/rdata/any_255/tsig_250.h39
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/afsdb_18.c309
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/afsdb_18.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cert_37.c280
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cert_37.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cname_5.c232
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/cname_5.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dlv_65323.c281
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dlv_65323.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dname_39.c233
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dname_39.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dnskey_48.c312
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/dnskey_48.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ds_43.c283
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ds_43.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/gpos_27.c252
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/gpos_27.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hinfo_13.c224
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/hinfo_13.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/isdn_20.c234
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/isdn_20.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/key_25.c312
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/key_25.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/loc_29.c794
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/loc_29.h42
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mb_7.c234
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mb_7.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/md_3.c236
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/md_3.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mf_4.c235
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mf_4.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mg_8.c230
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mg_8.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/minfo_14.c324
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/minfo_14.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mr_9.c231
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mr_9.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mx_15.c288
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/mx_15.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ns_2.c251
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ns_2.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec_47.c366
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nsec_47.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/null_10.c192
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/null_10.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nxt_30.c329
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/nxt_30.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/opt_41.c280
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/opt_41.h54
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/proforma.c173
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/proforma.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ptr_12.c291
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/ptr_12.h29
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rp_17.c314
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rp_17.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rrsig_46.c551
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rrsig_46.h40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rt_21.c311
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/rt_21.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sig_24.c578
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sig_24.h41
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/soa_6.c443
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/soa_6.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sshfp_44.c262
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/sshfp_44.h34
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tkey_249.c555
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/tkey_249.h40
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/txt_16.c238
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/txt_16.h51
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/unspec_103.c189
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/unspec_103.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/x25_19.c219
-rw-r--r--contrib/bind9/lib/dns/rdata/generic/x25_19.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/hs_4/a_1.c232
-rw-r--r--contrib/bind9/lib/dns/rdata/hs_4/a_1.h28
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a6_38.c461
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a6_38.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a_1.c236
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/a_1.h28
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c233
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h30
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/apl_42.c402
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/apl_42.h55
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/kx_36.c288
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/kx_36.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.c578
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/naptr_35.h39
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c245
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h31
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap_22.c255
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/nsap_22.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/px_26.c374
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/px_26.h33
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/srv_33.c373
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/srv_33.h36
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/wks_11.c349
-rw-r--r--contrib/bind9/lib/dns/rdata/in_1/wks_11.h32
-rw-r--r--contrib/bind9/lib/dns/rdata/rdatastructpre.h42
-rw-r--r--contrib/bind9/lib/dns/rdata/rdatastructsuf.h22
-rw-r--r--contrib/bind9/lib/dns/rdatalist.c224
-rw-r--r--contrib/bind9/lib/dns/rdatalist_p.h55
-rw-r--r--contrib/bind9/lib/dns/rdataset.c626
-rw-r--r--contrib/bind9/lib/dns/rdatasetiter.c78
-rw-r--r--contrib/bind9/lib/dns/rdataslab.c715
-rw-r--r--contrib/bind9/lib/dns/request.c1455
-rw-r--r--contrib/bind9/lib/dns/resolver.c6473
-rw-r--r--contrib/bind9/lib/dns/result.c272
-rw-r--r--contrib/bind9/lib/dns/rootns.c247
-rw-r--r--contrib/bind9/lib/dns/sdb.c1528
-rw-r--r--contrib/bind9/lib/dns/sec/Makefile.in25
-rw-r--r--contrib/bind9/lib/dns/sec/dst/Makefile.in48
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_api.c1185
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_internal.h134
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_lib.c65
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_openssl.h33
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_parse.c412
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_parse.h95
-rw-r--r--contrib/bind9/lib/dns/sec/dst/dst_result.c86
-rw-r--r--contrib/bind9/lib/dns/sec/dst/gssapi_link.c220
-rw-r--r--contrib/bind9/lib/dns/sec/dst/gssapictx.c262
-rw-r--r--contrib/bind9/lib/dns/sec/dst/hmac_link.c282
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/dst/Makefile.in37
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/dst/dst.h570
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/dst/gssapi.h56
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/dst/lib.h39
-rw-r--r--contrib/bind9/lib/dns/sec/dst/include/dst/result.h68
-rw-r--r--contrib/bind9/lib/dns/sec/dst/key.c126
-rw-r--r--contrib/bind9/lib/dns/sec/dst/openssl_link.c219
-rw-r--r--contrib/bind9/lib/dns/sec/dst/openssldh_link.c608
-rw-r--r--contrib/bind9/lib/dns/sec/dst/openssldsa_link.c443
-rw-r--r--contrib/bind9/lib/dns/sec/dst/opensslrsa_link.c567
-rw-r--r--contrib/bind9/lib/dns/soa.c109
-rw-r--r--contrib/bind9/lib/dns/ssu.c357
-rw-r--r--contrib/bind9/lib/dns/stats.c53
-rw-r--r--contrib/bind9/lib/dns/tcpmsg.c240
-rw-r--r--contrib/bind9/lib/dns/time.c172
-rw-r--r--contrib/bind9/lib/dns/timer.c58
-rw-r--r--contrib/bind9/lib/dns/tkey.c1240
-rw-r--r--contrib/bind9/lib/dns/tsig.c1218
-rw-r--r--contrib/bind9/lib/dns/ttl.c214
-rw-r--r--contrib/bind9/lib/dns/validator.c2823
-rw-r--r--contrib/bind9/lib/dns/version.c26
-rw-r--r--contrib/bind9/lib/dns/view.c1332
-rw-r--r--contrib/bind9/lib/dns/xfrin.c1402
-rw-r--r--contrib/bind9/lib/dns/zone.c6804
-rw-r--r--contrib/bind9/lib/dns/zonekey.c53
-rw-r--r--contrib/bind9/lib/dns/zt.c320
-rw-r--r--contrib/bind9/lib/isc/Makefile.in111
-rw-r--r--contrib/bind9/lib/isc/api3
-rw-r--r--contrib/bind9/lib/isc/assertions.c93
-rw-r--r--contrib/bind9/lib/isc/base64.c246
-rw-r--r--contrib/bind9/lib/isc/bitstring.c125
-rw-r--r--contrib/bind9/lib/isc/buffer.c411
-rw-r--r--contrib/bind9/lib/isc/bufferlist.c62
-rw-r--r--contrib/bind9/lib/isc/commandline.c222
-rw-r--r--contrib/bind9/lib/isc/entropy.c1256
-rw-r--r--contrib/bind9/lib/isc/error.c101
-rw-r--r--contrib/bind9/lib/isc/event.c87
-rw-r--r--contrib/bind9/lib/isc/fsaccess.c101
-rw-r--r--contrib/bind9/lib/isc/hash.c387
-rw-r--r--contrib/bind9/lib/isc/heap.c252
-rw-r--r--contrib/bind9/lib/isc/hex.c199
-rw-r--r--contrib/bind9/lib/isc/hmacmd5.c113
-rw-r--r--contrib/bind9/lib/isc/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/include/isc/Makefile.in57
-rw-r--r--contrib/bind9/lib/isc/include/isc/app.h212
-rw-r--r--contrib/bind9/lib/isc/include/isc/assertions.h120
-rw-r--r--contrib/bind9/lib/isc/include/isc/base64.h97
-rw-r--r--contrib/bind9/lib/isc/include/isc/bitstring.h152
-rw-r--r--contrib/bind9/lib/isc/include/isc/boolean.h29
-rw-r--r--contrib/bind9/lib/isc/include/isc/buffer.h800
-rw-r--r--contrib/bind9/lib/isc/include/isc/bufferlist.h86
-rw-r--r--contrib/bind9/lib/isc/include/isc/commandline.h47
-rw-r--r--contrib/bind9/lib/isc/include/isc/entropy.h288
-rw-r--r--contrib/bind9/lib/isc/include/isc/error.h55
-rw-r--r--contrib/bind9/lib/isc/include/isc/event.h115
-rw-r--r--contrib/bind9/lib/isc/include/isc/eventclass.h53
-rw-r--r--contrib/bind9/lib/isc/include/isc/file.h252
-rw-r--r--contrib/bind9/lib/isc/include/isc/formatcheck.h34
-rw-r--r--contrib/bind9/lib/isc/include/isc/fsaccess.h177
-rw-r--r--contrib/bind9/lib/isc/include/isc/hash.h175
-rw-r--r--contrib/bind9/lib/isc/include/isc/heap.h51
-rw-r--r--contrib/bind9/lib/isc/include/isc/hex.h96
-rw-r--r--contrib/bind9/lib/isc/include/isc/hmacmd5.h60
-rw-r--r--contrib/bind9/lib/isc/include/isc/interfaceiter.h134
-rw-r--r--contrib/bind9/lib/isc/include/isc/ipv6.h148
-rw-r--r--contrib/bind9/lib/isc/include/isc/lang.h31
-rw-r--r--contrib/bind9/lib/isc/include/isc/lex.h410
-rw-r--r--contrib/bind9/lib/isc/include/isc/lfsr.h133
-rw-r--r--contrib/bind9/lib/isc/include/isc/lib.h39
-rw-r--r--contrib/bind9/lib/isc/include/isc/list.h180
-rw-r--r--contrib/bind9/lib/isc/include/isc/log.h879
-rw-r--r--contrib/bind9/lib/isc/include/isc/magic.h40
-rw-r--r--contrib/bind9/lib/isc/include/isc/md5.h72
-rw-r--r--contrib/bind9/lib/isc/include/isc/mem.h452
-rw-r--r--contrib/bind9/lib/isc/include/isc/msgcat.h132
-rw-r--r--contrib/bind9/lib/isc/include/isc/msgs.h183
-rw-r--r--contrib/bind9/lib/isc/include/isc/mutexblock.h69
-rw-r--r--contrib/bind9/lib/isc/include/isc/netaddr.h149
-rw-r--r--contrib/bind9/lib/isc/include/isc/netscope.h40
-rw-r--r--contrib/bind9/lib/isc/include/isc/ondestroy.h108
-rw-r--r--contrib/bind9/lib/isc/include/isc/os.h36
-rw-r--r--contrib/bind9/lib/isc/include/isc/parseint.h63
-rw-r--r--contrib/bind9/lib/isc/include/isc/platform.h.in255
-rw-r--r--contrib/bind9/lib/isc/include/isc/print.h81
-rw-r--r--contrib/bind9/lib/isc/include/isc/quota.h114
-rw-r--r--contrib/bind9/lib/isc/include/isc/random.h60
-rw-r--r--contrib/bind9/lib/isc/include/isc/ratelimiter.h132
-rw-r--r--contrib/bind9/lib/isc/include/isc/refcount.h164
-rw-r--r--contrib/bind9/lib/isc/include/isc/region.h95
-rw-r--r--contrib/bind9/lib/isc/include/isc/resource.h85
-rw-r--r--contrib/bind9/lib/isc/include/isc/result.h106
-rw-r--r--contrib/bind9/lib/isc/include/isc/resultclass.h54
-rw-r--r--contrib/bind9/lib/isc/include/isc/rwlock.h95
-rw-r--r--contrib/bind9/lib/isc/include/isc/serial.h76
-rw-r--r--contrib/bind9/lib/isc/include/isc/sha1.h58
-rw-r--r--contrib/bind9/lib/isc/include/isc/sockaddr.h202
-rw-r--r--contrib/bind9/lib/isc/include/isc/socket.h704
-rw-r--r--contrib/bind9/lib/isc/include/isc/stdio.h67
-rw-r--r--contrib/bind9/lib/isc/include/isc/stdlib.h38
-rw-r--r--contrib/bind9/lib/isc/include/isc/string.h76
-rw-r--r--contrib/bind9/lib/isc/include/isc/symtab.h127
-rw-r--r--contrib/bind9/lib/isc/include/isc/task.h615
-rw-r--r--contrib/bind9/lib/isc/include/isc/taskpool.h107
-rw-r--r--contrib/bind9/lib/isc/include/isc/timer.h336
-rw-r--r--contrib/bind9/lib/isc/include/isc/types.h103
-rw-r--r--contrib/bind9/lib/isc/include/isc/util.h225
-rw-r--r--contrib/bind9/lib/isc/include/isc/version.h26
-rw-r--r--contrib/bind9/lib/isc/inet_aton.c195
-rw-r--r--contrib/bind9/lib/isc/inet_ntop.c195
-rw-r--r--contrib/bind9/lib/isc/inet_pton.c211
-rw-r--r--contrib/bind9/lib/isc/lex.c921
-rw-r--r--contrib/bind9/lib/isc/lfsr.c161
-rw-r--r--contrib/bind9/lib/isc/lib.c77
-rw-r--r--contrib/bind9/lib/isc/log.c1753
-rw-r--r--contrib/bind9/lib/isc/md5.c249
-rw-r--r--contrib/bind9/lib/isc/mem.c1776
-rw-r--r--contrib/bind9/lib/isc/mutexblock.c57
-rw-r--r--contrib/bind9/lib/isc/netaddr.c357
-rw-r--r--contrib/bind9/lib/isc/netscope.c72
-rw-r--r--contrib/bind9/lib/isc/nls/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/nls/msgcat.c129
-rw-r--r--contrib/bind9/lib/isc/nothreads/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/nothreads/condition.c22
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/condition.h59
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/mutex.h39
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/once.h32
-rw-r--r--contrib/bind9/lib/isc/nothreads/include/isc/thread.h35
-rw-r--r--contrib/bind9/lib/isc/nothreads/mutex.c23
-rw-r--r--contrib/bind9/lib/isc/nothreads/thread.c28
-rw-r--r--contrib/bind9/lib/isc/ondestroy.c83
-rw-r--r--contrib/bind9/lib/isc/parseint.c70
-rw-r--r--contrib/bind9/lib/isc/print.c556
-rw-r--r--contrib/bind9/lib/isc/pthreads/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/pthreads/condition.c72
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in37
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/condition.h63
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/mutex.h139
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/once.h48
-rw-r--r--contrib/bind9/lib/isc/pthreads/include/isc/thread.h52
-rw-r--r--contrib/bind9/lib/isc/pthreads/mutex.c241
-rw-r--r--contrib/bind9/lib/isc/pthreads/thread.c68
-rw-r--r--contrib/bind9/lib/isc/quota.c92
-rw-r--r--contrib/bind9/lib/isc/random.c102
-rw-r--r--contrib/bind9/lib/isc/ratelimiter.c326
-rw-r--r--contrib/bind9/lib/isc/region.c43
-rw-r--r--contrib/bind9/lib/isc/result.c209
-rw-r--r--contrib/bind9/lib/isc/rwlock.c417
-rw-r--r--contrib/bind9/lib/isc/serial.c56
-rw-r--r--contrib/bind9/lib/isc/sha1.c309
-rw-r--r--contrib/bind9/lib/isc/sockaddr.c463
-rw-r--r--contrib/bind9/lib/isc/string.c165
-rw-r--r--contrib/bind9/lib/isc/strtoul.c128
-rw-r--r--contrib/bind9/lib/isc/symtab.c250
-rw-r--r--contrib/bind9/lib/isc/task.c1303
-rw-r--r--contrib/bind9/lib/isc/task_p.h29
-rw-r--r--contrib/bind9/lib/isc/taskpool.c89
-rw-r--r--contrib/bind9/lib/isc/timer.c920
-rw-r--r--contrib/bind9/lib/isc/timer_p.h29
-rw-r--r--contrib/bind9/lib/isc/unix/Makefile.in51
-rw-r--r--contrib/bind9/lib/isc/unix/app.c681
-rw-r--r--contrib/bind9/lib/isc/unix/dir.c225
-rw-r--r--contrib/bind9/lib/isc/unix/entropy.c589
-rw-r--r--contrib/bind9/lib/isc/unix/errno2result.c121
-rw-r--r--contrib/bind9/lib/isc/unix/errno2result.h37
-rw-r--r--contrib/bind9/lib/isc/unix/file.c435
-rw-r--r--contrib/bind9/lib/isc/unix/fsaccess.c90
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c178
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_ioctl.c1016
-rw-r--r--contrib/bind9/lib/isc/unix/ifiter_sysctl.c301
-rw-r--r--contrib/bind9/lib/isc/unix/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/Makefile.in38
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/dir.h90
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/int.h53
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/keyboard.h50
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/net.h327
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/netdb.h56
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/offset.h44
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/stat.h53
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/stdtime.h47
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/strerror.h42
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/syslog.h45
-rw-r--r--contrib/bind9/lib/isc/unix/include/isc/time.h299
-rw-r--r--contrib/bind9/lib/isc/unix/interfaceiter.c220
-rw-r--r--contrib/bind9/lib/isc/unix/ipv6.c23
-rw-r--r--contrib/bind9/lib/isc/unix/keyboard.c126
-rw-r--r--contrib/bind9/lib/isc/unix/net.c344
-rw-r--r--contrib/bind9/lib/isc/unix/os.c92
-rw-r--r--contrib/bind9/lib/isc/unix/resource.c204
-rw-r--r--contrib/bind9/lib/isc/unix/socket.c3505
-rw-r--r--contrib/bind9/lib/isc/unix/socket_p.h33
-rw-r--r--contrib/bind9/lib/isc/unix/stdio.c117
-rw-r--r--contrib/bind9/lib/isc/unix/stdtime.c83
-rw-r--r--contrib/bind9/lib/isc/unix/strerror.c72
-rw-r--r--contrib/bind9/lib/isc/unix/syslog.c82
-rw-r--r--contrib/bind9/lib/isc/unix/time.c412
-rw-r--r--contrib/bind9/lib/isc/version.c26
-rw-r--r--contrib/bind9/lib/isccc/Makefile.in86
-rw-r--r--contrib/bind9/lib/isccc/alist.c297
-rw-r--r--contrib/bind9/lib/isccc/api3
-rw-r--r--contrib/bind9/lib/isccc/base64.c63
-rw-r--r--contrib/bind9/lib/isccc/cc.c807
-rw-r--r--contrib/bind9/lib/isccc/ccmsg.c220
-rw-r--r--contrib/bind9/lib/isccc/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/Makefile.in42
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/alist.h72
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/base64.h70
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/cc.h88
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/ccmsg.h132
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/events.h35
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/lib.h40
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/result.h52
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/sexpr.h107
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/symtab.h123
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/symtype.h29
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/types.h38
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/util.h211
-rw-r--r--contrib/bind9/lib/isccc/include/isccc/version.h26
-rw-r--r--contrib/bind9/lib/isccc/lib.c63
-rw-r--r--contrib/bind9/lib/isccc/result.c70
-rw-r--r--contrib/bind9/lib/isccc/sexpr.c310
-rw-r--r--contrib/bind9/lib/isccc/symtab.c278
-rw-r--r--contrib/bind9/lib/isccc/version.c26
-rw-r--r--contrib/bind9/lib/isccfg/Makefile.in83
-rw-r--r--contrib/bind9/lib/isccfg/api3
-rw-r--r--contrib/bind9/lib/isccfg/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/Makefile.in42
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/cfg.h415
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/grammar.h439
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/log.h53
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/namedconf.h44
-rw-r--r--contrib/bind9/lib/isccfg/include/isccfg/version.h26
-rw-r--r--contrib/bind9/lib/isccfg/log.c50
-rw-r--r--contrib/bind9/lib/isccfg/namedconf.c1906
-rw-r--r--contrib/bind9/lib/isccfg/parser.c2289
-rw-r--r--contrib/bind9/lib/isccfg/version.c27
-rw-r--r--contrib/bind9/lib/lwres/Makefile.in82
-rw-r--r--contrib/bind9/lib/lwres/api3
-rw-r--r--contrib/bind9/lib/lwres/assert_p.h33
-rw-r--r--contrib/bind9/lib/lwres/context.c380
-rw-r--r--contrib/bind9/lib/lwres/context_p.h59
-rw-r--r--contrib/bind9/lib/lwres/gai_strerror.c52
-rw-r--r--contrib/bind9/lib/lwres/getaddrinfo.c691
-rw-r--r--contrib/bind9/lib/lwres/gethost.c219
-rw-r--r--contrib/bind9/lib/lwres/getipnode.c1026
-rw-r--r--contrib/bind9/lib/lwres/getnameinfo.c286
-rw-r--r--contrib/bind9/lib/lwres/getrrset.c211
-rw-r--r--contrib/bind9/lib/lwres/herror.c101
-rw-r--r--contrib/bind9/lib/lwres/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/Makefile.in46
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/context.h133
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/int.h32
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/ipv6.h118
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lang.h31
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/list.h119
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwbuffer.h402
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwpacket.h124
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/lwres.h579
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/netdb.h.in518
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/platform.h.in101
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/result.h40
-rw-r--r--contrib/bind9/lib/lwres/include/lwres/version.h26
-rw-r--r--contrib/bind9/lib/lwres/lwbuffer.c287
-rw-r--r--contrib/bind9/lib/lwres/lwconfig.c703
-rw-r--r--contrib/bind9/lib/lwres/lwpacket.c85
-rw-r--r--contrib/bind9/lib/lwres/lwres_gabn.c415
-rw-r--r--contrib/bind9/lib/lwres/lwres_gnba.c328
-rw-r--r--contrib/bind9/lib/lwres/lwres_grbn.c416
-rw-r--r--contrib/bind9/lib/lwres/lwres_noop.c255
-rw-r--r--contrib/bind9/lib/lwres/lwresutil.c491
-rw-r--r--contrib/bind9/lib/lwres/man/Makefile.in232
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.3159
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.docbook244
-rw-r--r--contrib/bind9/lib/lwres/man/lwres.html433
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.3279
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.docbook378
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_buffer.html576
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.3107
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.docbook159
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_config.html282
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.3196
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.docbook283
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_context.html478
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.3195
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.docbook255
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gabn.html419
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.388
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook161
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gai_strerror.html295
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3249
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook372
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html693
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.3272
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.docbook407
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gethostent.html784
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.3189
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.docbook307
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getipnode.html512
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.386
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook154
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getnameinfo.html290
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3144
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook208
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html360
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.3188
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.docbook259
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_gnba.html409
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.369
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook124
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_hstrerror.html241
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.354
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.docbook99
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_inetntop.html177
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.3162
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.docbook229
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_noop.html388
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.3151
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.docbook218
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_packet.html362
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.3153
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.docbook221
-rw-r--r--contrib/bind9/lib/lwres/man/lwres_resutil.html387
-rw-r--r--contrib/bind9/lib/lwres/print.c553
-rw-r--r--contrib/bind9/lib/lwres/print_p.h86
-rw-r--r--contrib/bind9/lib/lwres/unix/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/unix/include/Makefile.in25
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in34
-rw-r--r--contrib/bind9/lib/lwres/unix/include/lwres/net.h130
-rw-r--r--contrib/bind9/lib/lwres/version.c26
-rw-r--r--contrib/bind9/libtool.m45943
-rw-r--r--contrib/bind9/ltmain.sh6399
-rw-r--r--contrib/bind9/make/Makefile.in28
-rw-r--r--contrib/bind9/make/includes.in48
-rw-r--r--contrib/bind9/make/mkdep.in148
-rw-r--r--contrib/bind9/make/rules.in228
-rwxr-xr-xcontrib/bind9/mkinstalldirs40
-rw-r--r--contrib/bind9/version10
1090 files changed, 509412 insertions, 0 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
new file mode 100644
index 0000000..ac7f212
--- /dev/null
+++ b/contrib/bind9/CHANGES
@@ -0,0 +1,5479 @@
+
+ --- 9.3.0rc4 released ---
+
+1709. [port] solaris: add SMF support.
+
+1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash()
+ for conformance to the name space convention. Binary
+ backward compatibility to the old function name is
+ provided. [RT #12376]
+
+1707. [contrib] sdb/ldap updated to version 1.0-beta.
+
+1706. [bug] 'rndc stop' failed to cause zones to be flushed
+ sometimes. [RT #12328]
+
+1704. [port] lwres needed a snprintf() implementation for
+ platforms without snprintf(). Add missing
+ "#include <isc/print.h>". [RT #12321]
+
+1703. [bug] named would loop sending NOTIFY messages when it
+ failed to receive a response. [RT #12322]
+
+1702. [bug] also-notify should not be applied to builtin zones.
+ [RT #12323]
+
+1701. [doc] A minimal named.conf man page.
+
+1700. [func] nslookup is no longer to be treated as deprecated.
+ Remove "deprecated" warning message. Add man page.
+
+1699. [bug] dnssec-signzone can generate "not exact" errors
+ when resigning. [RT #12281]
+
+1698. [doc] Use reserved IPv6 documentation prefix.
+
+1697. [bug] xxx-source{,-v6} was not effective when it
+ specified one of listening addresses and a
+ different port than the listening port. [RT #12257]
+
+ --- 9.3.0rc3 released ---
+
+1696. [bug] dnssec-signzone failed to clean out nodes that
+ consisted of only NSEC and RRSIG records.
+ [RT #12154]
+
+1695. [bug] DS records when forwarding require special handling.
+ [RT #12133]
+
+1694. [bug] Report if the builtin views of "_default" / "_bind"
+ are defined in named.conf. [RT #12023]
+
+1693. [bug] max-journal-size was not effective for master zones
+ with ixfr-from-differences set. [RT# 12024]
+
+1692. [bug] Don't set -I, -L and -R flags when libcrypto is in
+ /usr/lib. [RT #11971]
+
+1691. [bug] sdb's attachversion was not complete. [RT #11990]
+
+1690. [bug] Delay detaching view from the client until UPDATE
+ processing completes when shutting down. [RT #11714]
+
+1689. [bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros
+ contained gratuitous semicolons. [RT #11707]
+
+1688. [bug] LDFLAGS was not supported.
+
+1687. [bug] Race condition in dispatch. [RT #10272]
+
+1686. [bug] Named sent a extraneous NOTIFY when it received a
+ redundant UPDATE request. [RT #11943]
+
+ --- 9.3.0rc2 released ---
+
+1685. [bug] Change #1679 loop tests weren't quite right.
+
+1683. [bug] dig +sigchase could leak memory. [RT #11445]
+
+1682. [port] Update configure test for (long long) printf format.
+ [RT #5066]
+
+1681. [bug] Only set SO_REUSEADDR when a port is specified in
+ isc_socket_bind(). [RT #11742]
+
+1679. [bug] When there was a single nameserver with multiple
+ addresses for a zone not all addresses were tried.
+ [RT #11706]
+
+1678. [bug] RRSIG should use TYPEXXXXX for unknown types.
+
+1677. [bug] dig: +aaonly didn't work, +aaflag undocumented.
+
+1675. [bug] named would sometimes add extra NSEC records to
+ the authority section.
+
+1674. [port] linux: increase buffer size used to scan
+ /proc/net/if_inet6.
+
+1673. [port] linux: issue a error messages if IPv6 interface
+ scans fails.
+
+1672. [cleanup] Tests which only function in a threaded build
+ now return R:THREADONLY (rather than R:UNTESTED)
+ in a non-threaded build.
+
+1671. [contrib] queryperf: add NAPTR to the list of known types.
+
+1670. [func] Log UPDATE requests to slave zones without an acl as
+ "disabled" at debug level 3. [RT# 11657]
+
+1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core.
+
+1667. [port] linux: not all versions have IF_NAMESIZE.
+
+1666. [bug] The optional port on hostnames in dual-stack-servers
+ was being ignored.
+
+1663. [func] Look for OpenSSL by default.
+
+1661. [bug] Restore dns_name_concatenate() call in
+ adb.c:set_target(). [RT #11582]
+
+1660. [bug] win32: connection_reset_fix() was being called
+ unconditionally. [RT #11595]
+
+ --- 9.3.0rc1 released ---
+
+1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY.
+
+1662. [bug] Change #1658 failed to change one use of 'type'
+ to 'keytype'.
+
+1659. [cleanup] Cleanup some messages that were referring to KEY vs
+ DNSKEY, NXT vs NSEC and SIG vs RRSIG.
+
+1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5
+ and DH. Tighten which options apply to KEY and
+ DNSKEY records.
+
+1657. [doc] ARM: document query log output.
+
+1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC
+ DNSKEY and RRSIG. [RT #11542]
+
+1655. [bug] Logging multiple versions w/o a size was broken.
+ [RT #11446]
+
+1654. [bug] isc_result_totext() contained array bounds read
+ error.
+
+1653. [func] Add key type checking to dst_key_fromfilename(),
+ DST_TYPE_KEY should be used to read TSIG, TKEY and
+ SIG(0) keys.
+
+1652. [bug] TKEY still uses KEY.
+
+1651. [bug] dig: process multiple dash options.
+
+1650. [bug] dig, nslookup: flush standard out after each command.
+
+1649. [bug] Silence "unexpected non-minimal diff" message.
+ [RT #11206]
+
+1648. [func] Update dnssec-lookaside named.conf syntax to support
+ multiple dnssec-lookaside namespaces (not yet
+ implemented).
+
+1647. [bug] It was possible trigger a INSIST when chasing a DS
+ record that required walking back over a empty node.
+ [RT #11445]
+
+1646. [bug] win32: logging file versions didn't work with
+ non-UNC filenames. [RT#11486]
+
+1645. [bug] named could trigger a REQUIRE failure if multiple
+ masters with keys are specified.
+
+1644. [bug] Update the journal modification time after a
+ sucessfull refresh query. [RT #11436]
+
+1643. [bug] dns_db_closeversion() could leak memory / node
+ references. [RT #11163]
+
+1642. [port] Support OpenSSL implementations which don't have
+ DSA support. [RT #11360]
+
+1641. [bug] Update the check-names description in ARM. [RT #11389]
+
+ --- 9.3.0beta4 released ---
+
+1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was
+ incorrectly closing the socket. [RT #11291]
+
+1639. [func] Initial dlv system test.
+
+1638. [bug] "ixfr-from-differences" could generate a REQUIRE
+ failure if the journal open failed. [RT #11347]
+
+1637. [bug] Node reference leak on error in addnoqname().
+
+1636. [bug] The dump done callback could get ISC_R_SUCCESS even if
+ a error had occured. The database version no longer
+ matched the version of the database that was dumped.
+
+1635. [bug] Memory leak on error in query_addds().
+
+1634. [bug] named didn't supply a useful error message when it
+ detected duplicate views. [RT #11208]
+
+1633. [bug] named should return NOTIMP to update requests to a
+ slaves without a allow-update-forwarding acl specified.
+ [RT #11331]
+
+1632. [bug] nsupdate failed to send prerequisite only UPDATE
+ messages. [RT #11288]
+
+1631. [bug] dns_journal_compact() could sometimes corrupt the
+ journal. [RT #11124]
+
+1630. [contrib] queryperf: add support for IPv6 transport.
+
+1629. [func] dig now supports IPv6 scoped addresses with the
+ extended format in the local-server part. [RT #8753]
+
+1628. [bug] Typo in Compaq Trucluster support. [RT# 11264]
+
+1627. [bug] win32: sockets were not being closed when the
+ last external reference was removed. [RT# 11179]
+
+1626. [bug] --enable-getifaddrs was broken. [RT#11259]
+
+1625. [bug] named failed to load/transfer RFC2535 signed zones
+ which contained CNAMES. [RT# 11237]
+
+1606. [bug] DLV insecurity proof was failing.
+
+1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
+
+ --- 9.3.0beta3 released ---
+
+1624. [bug] zonemgr_putio() call should be locked. [RT# 11163]
+
+1623. [bug] A serial number of zero was being displayed in the
+ "sending notifies" log message when also-notify was
+ used. [RT #11177]
+
+1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is
+ available, and suppress wildcard binding if not.
+
+1621. [bug] match-destinations did not work for IPv6 TCP queries.
+ [RT# 11156]
+
+1620. [func] When loading a zone report if it is signed. [RT #11149]
+
+1619. [bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches().
+ [RT# 11118]
+
+1618. [bug] Fencepost errors in dns_name_ishostname() and
+ dns_name_ismailbox() could trigger a INSIST().
+
+1617. [port] win32: VC++ 6.0 support.
+
+1616. [compat] Ensure that named's version is visible in the core
+ dump. [RT #11127]
+
+1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if
+ it is defined.
+
+1614. [port] win32: silence resource limit messages. [RT# 11101]
+
+1613. [bug] Builds would fail on machines w/o a if_nametoindex().
+ Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif.
+ [RT #11119]
+
+1612. [bug] check-names at the option/view level could trigger
+ an INSIST. [RT# 11116]
+
+1611. [bug] solaris: IPv6 interface scanning failed to cope with
+ no active IPv6 interfaces.
+
+1610. [bug] On dual stack machines "dig -b" failed to set the
+ address type to be looked up with "@server".
+ [RT #11069]
+
+1600. [bug] Duplicate zone pre-load checks were not case
+ insensitive.
+
+1599. [bug] Fix memory leak on error path when checking named.conf.
+
+1598. [func] Specify that certain parts of the namespace must
+ be secure (dnssec-must-be-secure).
+
+ --- 9.3.0beta2 released ---
+
+1609. [func] dig now has support to chase DNSSEC signature chains.
+ Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES.
+
+1608. [func] dig and host now accept -4/-6 to select IP transport
+ to use when making queries.
+
+1607. [bug] dig, host and nslookup were still using random()
+ to generate query ids. [RT# 11013]
+
+1604. [bug] A xfrout_ctx_create() failure would result in
+ xfrout_ctx_destroy() being called with a
+ partially initialized structure.
+
+1603. [bug] nsupdate: set interactive based on isatty().
+ [RT# 10929]
+
+1602. [bug] Logging to a file failed unless a size was specified.
+ [RT# 10925]
+
+1601. [bug] Silence spurious warning 'both "recursion no;" and
+ "allow-recursion" active' warning from view "_bind".
+ [RT# 10920]
+
+1594. [bug] 'rndc dumpdb' could prevent named from answering
+ queries while the dump was in progress. [RT #10565]
+
+1593. [bug] rndc should return "unknown command" to unknown
+ commands. [RT# 10642]
+
+ --- 9.3.0beta1 released ---
+
+1592. [bug] configure_view() could leak a dispatch. [RT #10675]
+
+1591. [bug] libbind: updated to BIND 8.4.5.
+
+1590. [port] netbsd: update thread support.
+
+1589. [func] DNSSEC lookaside validation.
+
+1588. [bug] win32: TCP sockets could become blocked. [RT #10115]
+
+1587. [bug] dns_message_settsigkey() failed to clear existing key.
+ [RT #10590]
+
+1586. [func] "check-names" is now implemented.
+
+1584. [bug] "make test" failed with a read only source tree.
+ [RT #10461]
+
+1583. [bug] Records add via UPDATE failed to get the correct trust
+ level. [RT #10452]
+
+1582. [bug] rrset-order failed to work on RRsets with more
+ than 32 elements. [RT #10381]
+
+1581. [func] Disable DNSSEC support by default. To enable
+ DNSSEC specify "dnssec-enable yes;" in named.conf.
+
+1580. [bug] Zone destruction on final detach takes a long time.
+ [RT #3746]
+
+1579. [bug] Multiple task managers could not be created.
+
+1578. [bug] Don't use CLASS E IPv4 addresses when resolving.
+ [RT #10346]
+
+1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug
+ workaround code. [RT #10331]
+
+1576. [bug] Race condition in dns_dispatch_addresponse().
+ [RT# 10272]
+
+1575. [func] Log TSIG name on TSIG verify failure. [RT #4404]
+
+1574. [bug] Don't attempt to open the controls socket(s) when
+ running tests. [RT #9091]
+
+1573. [port] linux: update to libtool 1.5.2 so that
+ "make install DESTDIR=/xx" works with
+ "configure --with-libtool". [RT #9941]
+
+1572. [bug] nsupdate: sign the soa query to find the enclosing
+ zone if the server is specified. [RT #10148]
+
+1571. [bug] rbt:hash_node() could fail leaving the hash table
+ in an inconsistent state. [RT #10208]
+
+1570. [bug] nsupdate failed to handle classes other than IN.
+ New keyword 'class' which sets the default class.
+ [RT #10202]
+
+1569. [func] nsupdate new command 'answer' which displays the
+ complete answer message to the last update.
+
+1568. [bug] nsupdate now reports that the update failed in
+ interactive mode. [RT# 10236]
+
+1567. [bug] B.ROOT-SERVERS.NET is now 192.228.79.201.
+
+1566. [port] Support for the cmsg framework on Solaris and HP/UX.
+ This also solved the problem that match-destinations
+ for IPv6 addresses did not work on these systems.
+ [RT #10221]
+
+1565. [bug] CD flag should be copied to outgoing queries unless
+ the query is under a secure entry point in which case
+ CD should be set.
+
+1564. [func] Attempt to provide a fallback entropy source to be
+ used if named is running chrooted and named is unable
+ to open entropy source within the chroot area.
+ [RT #10133]
+
+1563. [bug] Gracefully fail when unable to obtain neither an IPv4
+ nor an IPv6 dispatch. [RT #10230]
+
+1562. [bug] isc_socket_create() and isc_socket_accept() could
+ leak memory under error conditions. [RT #10230]
+
+1561. [bug] It was possible to release the same name twice if
+ named ran out of memory. [RT #10197]
+
+1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA
+ and EAI_NONAME to the same value.
+
+1559. [port] named should ignore SIGFSZ.
+
+1558. [func] New DNSSEC 'disable-algorithms'. Support entry into
+ child zones for which we don't have a supported
+ algorithm. Such child zones are treated as unsigned.
+
+1557. [func] Implement missing DNSSEC tests for
+ * NOQNAME proof with wildcard answers.
+ * NOWILDARD proof with NXDOMAIN.
+ Cache and return NOQNAME with wildcard answers.
+
+1556. [bug] nsupdate now treats all names as fully qualified.
+ [RT #6427]
+
+1555. [func] 'rrset-order cyclic' no longer has a random starting
+ point. [RT #7572]
+
+1554. [bug] dig, host, nslookup failed when no nameservers
+ were specified in /etc/resolv.conf. [RT #8232]
+
+1553. [bug] The windows socket code could stop accepting
+ connections. [RT#10115]
+
+1552. [bug] Accept NOTIFY requests from mapped masters if
+ matched-mapped is set. [RT #10049]
+
+1551. [port] Open "/dev/null" before calling chroot().
+
+1550. [port] Call tzset(), if available, before calling chroot().
+
+1549. [func] named-checkzone can now write out the zone contents
+ in a easily parsable format (-D and -o).
+
+1548. [bug] When parsing APL records it was possible to silently
+ accept out of range ADDRESSFAMILY values. [RT# 9979]
+
+1547. [bug] Named wasted memory recording duplicate lame zone
+ entries. [RT #9341]
+
+1546. [bug] We were rejecting valid secure CNAME to negative
+ answers.
+
+1545. [bug] It was possible to leak memory if named was unable to
+ bind to the specified transfer source and TSIG was
+ being used. [RT #10120]
+
+1544. [bug] Named would logged a single entry to a file despite it
+ being over the specified size limit.
+
+1543. [bug] Logging using "versions unlimited" did not work.
+
+1541. [func] NSEC now uses new bitmap format.
+
+1540. [bug] "rndc reload <dynamiczone>" was silently accepted.
+ [RT #8934]
+
+1539. [bug] Open UDP sockets for notify-source and transfer-source
+ that use reserved ports at startup. [RT #9475]
+
+1537. [func] New option "querylog". If set specify whether query
+ logging is to be enabled or disabled at startup.
+
+1536. [bug] Windows socket code failed to log a error description
+ when returning ISC_R_UNEXPECTED. [RT #9998]
+
+1534. [bug] Race condition when priming cache. [RT# 9940]
+
+1533. [func] Warn if both "recursion no;" and "allow-recursion"
+ are active. [RT# 4389]
+
+1532. [port] netbsd: the configure test for <sys/sysctl.h>
+ requires <sys/param.h>.
+
+1531. [port] AIX more libtool fixes.
+
+1530. [bug] It was possible to trigger a INSIST() failure if a
+ slave master file was removed at just the correct
+ moment. [RT #9462]
+
+1529. [bug] "notify explicit;" failed to log that NOTIFY messages
+ were being sent for the zone. [RT# 9442]
+
+1528. [cleanup] Simplify some dns_name_ functions based on the
+ deprecation of bitstring labels.
+
+1527. [cleanup] Reduce the number of gettimeofday() calls without
+ losing necessary timer granularity.
+
+1525. [bug] dns_cache_create() could trigger a REQUIRE
+ failure in isc_mem_put() during error cleanup.
+ [RT# 9360]
+
+1524. [port] AIX needs to be able to resolve all symbols when
+ creating shared libraries (--with-libtool).
+
+1523. [bug] Fix race condition in rbtdb. [RT# 9189]
+
+1522. [bug] dns_db_findnode() relax the requirements on 'name'.
+ [RT# 9286]
+
+1521. [bug] dns_view_createresolver() failed to check the
+ result from isc_mem_create(). [RT# 9294]
+
+1520. [protocol] Add SSHFP (SSH Finger Print) type.
+
+1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong
+ length of the new bitmap.
+
+1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(),
+ contained a off-by-one error when working out the
+ number of octets in the bitmap.
+
+1517. [port] Support for IPv6 interface scanning on HP/UX and
+ TrueUNIX 5.1.
+
+1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY.
+
+1515. [func] Allow transfer source to be set in a server statement.
+ [RT #6496]
+
+1514. [bug] named: isc_hash_destroy() was being called too early.
+ [RT #9160]
+
+1513. [doc] Add "US" to root-delegation-only exclude list.
+
+1512. [bug] Extend the delegation-only logging to return query
+ type, class and responding nameserver.
+
+1511. [bug] delegation-only was generating false positives
+ on negative answers from subzones.
+
+1510. [func] New view option "root-delegation-only". Apply
+ delegation-only check to all TLDs and root.
+ Note there are some TLDs that are NOT delegation
+ only (e.g. DE, LV, US and MUSEUM) these can be excluded
+ from the checks by using exclude.
+
+ root-delegation-only exclude {
+ "DE"; "LV"; "US"; "MUSEUM";
+ };
+
+1509. [bug] Hint zones should accept delegation-only. Forward
+ zone should not accept delegation-only.
+
+1508. [bug] Don't apply delegation-only checks to answers from
+ forwarders.
+
+1507. [bug] Handle BIND 8 style returns to NS queries to parents
+ when making delegation-only checks.
+
+1506. [bug] Wrong return type for dns_view_isdelegationonly().
+
+1505. [bug] Uninitialized rdataset in sdb. [RT #8750]
+
+1504. [func] New zone type "delegation-only".
+
+1503. [port] win32: install libeay32.dll outside of system32.
+
+1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP.
+
+1501. [func] Allow TCP queue length to be specified via
+ named.conf, tcp-listen-queue.
+
+1500. [bug] host failed to lookup MX records. Also look up
+ AAAA records.
+
+1475. [port] Probe for old sprintf().
+
+1474. [port] Provide strtoul() and memmove() for platforms
+ without them.
+
+1469. [func] Log end of outgoing zone transfer at same level
+ as the start of transfer is logged. [RT #4441]
+
+1468. [func] Internal zones are no longer counted for
+ 'rndc status'. [RT #4706]
+
+1467. [func] $GENERATES now supports optional class and ttl.
+
+1458. [cleanup] sprintf() -> snprintf().
+
+1457. [port] Provide strlcat() and strlcpy() for platforms without
+ them.
+
+1455. [bug] <netaddr> missing from server grammar in
+ doc/misc/options. [RT #5616]
+
+1454. [port] Use getifaddrs() if available for interface scanning.
+ --disable-getifaddrs to override. Glibc currently
+ has a getifaddrs() that does not support IPv6.
+ Use --enable-getifaddrs=glibc to force the use of
+ this version under linux machines.
+
+1446. [func] Implemented undocumented alternate transfer sources
+ from BIND 8. See use-alt-transfer-source,
+ alt-transfer-source and alt-transfer-source-v6.
+
+ SECURITY: use-alt-transfer-source is ENABLED unless
+ you are using views. This may cause a security risk
+ resulting in accidental disclosure of wrong zone
+ content if the master supplying different source
+ content based on IP address. If you are not certain
+ ISC recommends setting use-alt-transfer-source no;
+
+1444. [func] dns_view_findzonecut2() allows you to specify if the
+ cache should be searched for zone cuts.
+
+1443. [func] Masters lists can now be specified and referenced
+ in zone masters clauses and other masters lists.
+
+1442. [func] New functions for manipulating port lists:
+ dns_portlist_create(), dns_portlist_add(),
+ dns_portlist_remove(), dns_portlist_match(),
+ dns_portlist_attach() and dns_portlist_detach().
+
+1441. [func] It is now possible to tell dig to bind to a specific
+ source port.
+
+1440. [func] It is now possible to tell named to avoid using
+ certain source ports (avoid-v4-udp-ports,
+ avoid-v6-udp-ports).
+
+1438. [func] Log TSIG (if any) when logging NOTIFY requests.
+
+1436. [func] dns_zonemgr_resumexfrs() can be used to restart
+ stalled transfers.
+
+1433. [bug] named could trigger a REQUIRE failure if it could
+ not get a file descriptor when attempting to write
+ a master file. [RT #4347]
+
+1432. [func] The advertised EDNS UDP buffer size can now be set
+ via named.conf (edns-udp-size).
+
+1430. [port] linux: IPv6 interface scanning support.
+
+1422. [func] Log name/type/class when denying a query. [RT #4663]
+
+1421. [func] Differentiate updates that don't succeed due to
+ prerequisites (unsuccessful) vs other reasons
+ (failed).
+
+1417. [func] ID.SERVER/CHAOS is now a built in zone.
+ See "server-id" for how to configure.
+
+1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived
+ from SOA MINIMUM.
+
+1414. [func] Support for KSK flag.
+
+1413. [func] Explictly request the (re-)generation of DS records from
+ keysets (dnssec-signzone -g).
+
+1412. [func] You can now specify servers to be tried if a nameserver
+ has IPv6 address and you only support IPv4 or the
+ reverse. See dual-stack-servers.
+
+1410. [func] Handle records that live in the parent zone, e.g. DS.
+
+1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC.
+
+1404. [bug] libbind: ns_name_ntol() could overwrite a zero length
+ buffer.
+
+1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset
+ dnssec-signkey now report their version in the
+ usage message.
+
+1402. [cleanup] A6 has been moved to experimental and is no longer
+ fully supported.
+
+1400. [bug] Block the addition of wildcard NS records by IXFR
+ or UPDATE. [RT #3502]
+
+1398. [doc] ARM: notify-also should have been also-notify.
+ [RT #4345]
+
+1396. [func] dnssec-signzone: adjust the default signing time by
+ 1 hour to allow for clock skew.
+
+1394. [func] It is now possible to check if a particular element is
+ in a acl. Remove duplicate entries from the localnets
+ acl.
+
+1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY
+ is not available in the kernel to prevent accidently
+ listening on IPv4 interfaces.
+
+1392. [bug] named-checkzone: update usage.
+
+1391. [func] Add support for IPv6 scoped addresses in named.
+
+1390. [func] host now supports ixfr.
+
+1386. [bug] named-checkzone -z stopped on errors in a zone.
+ [RT #3653]
+
+1383. [func] Track the serial number in a IXFR response and log if
+ a mismatch occurs. This is a more specific error than
+ "not exact". [RT #3445]
+
+1380. [func] 'rndc recursing' dump recursing queries to
+ 'recursing-file = "named.recursing";'.
+
+1379. [func] 'rndc status' now reports tcp and recursion quota
+ states.
+
+1378. [func] Improved positive feedback for 'rndc {reload|refresh}.
+
+1377. [func] dns_zone_load{new}() now reports if the zone was
+ loaded, queued for loading to up to date.
+
+1376. [func] New function dns_zone_logc() to log to specified
+ category.
+
+1375. [func] 'rndc dumpdb' now dumps the adb cache along with the
+ data cache.
+
+1374. [func] dns_adb_dump() now logs the lame zones associated
+ with each server.
+
+1371. [bug] notify-source-v6, transfer-source-v6 and
+ query-source-v6 with explicit addresses and using the
+ same ports as named was listening on could interfere
+ with named's ability to answer queries sent to those
+ addresses.
+
+1368. [func] remove support for bitstring labels.
+
+1367. [func] Use response times to select forwarders.
+
+1365. [func] "localhost" and "localnets" acls now include IPv6
+ addresses / prefixes.
+
+1364. [func] Log file name when unable to open memory statistics
+ and dump database files. [RT# 3437]
+
+1363. [func] Listen-on-v6 now supports specific addresses.
+
+1362. [bug] remove IFF_RUNNING test when scanning interfaces.
+
+1361. [func] log the reason for rejecting a server when resolving
+ queries.
+
+1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME.
+
+1344. [func] Log if the serial number on the master has gone
+ backwards.
+ If you have multiple machines specified in the masters
+ clause you may want to set 'multi-master yes;' to
+ suppress this warning.
+
+1343. [func] Log successful notifies received (info). Adjust log
+ level for failed notifies to notice.
+
+1342. [func] Log remote address with TCP dispatch failures.
+
+1341. [func] Allow a rate limiter to be stalled.
+
+1339. [func] dig, host and nslookup now use IP6.ARPA for nibble
+ lookups. Bit string lookups are no longer attempted.
+
+1336. [func] Nibble lookups under IP6.ARPA are now supported by
+ dns_byaddr_create(). dns_byaddr_createptrname() is
+ deprecated, use dns_byaddr_createptrname2() instead.
+
+1332. [func] Report the current serial with periodic commits when
+ rolling forward the journal.
+
+1331. [func] Generate DNSSEC wildcard proofs.
+
+1329. [func] named-checkzone will now check if nameservers that
+ appear to be IP addresses. Available modes "fail",
+ "warn" (default) and "ignore" the results of the
+ check.
+
+1328. [bug] The validator could incorrectly verify an invalid
+ negative proof.
+
+1322. [bug] dnssec-signzone usage message was misleading.
+
+1321. [bug] If the last RRset in a zone is glue, dnssec-signzone
+ would incorrectly duplicate its output and sign it.
+
+1313. [func] Query log now says if the query was signed (S) or
+ if EDNS was used (E).
+
+1312. [func] Log TSIG key used w/ outgoing zone transfers.
+
+1309. [func] Log that a zone transfer was covered by a TSIG.
+
+1308. [func] DS (delegation signer) support.
+
+1304. [func] New function: dns_zone_name().
+
+1303. [func] Option 'flush-zones-on-shutdown <boolean>;'.
+
+1302. [func] Extended rndc dumpdb to support dumping of zones and
+ view selection: 'dumpdb [-all|-zones|-cache] [view]'.
+
+1301. [func] New category 'update-security'.
+
+1300. [port] Compaq Trucluster support.
+
+1293. [func] Entropy can now be retrieved from EGDs. [RT #2438]
+
+1292. [func] Enable IPv6 support when using ioctl style interface
+ scanning and OS supports SIOCGLIFADDR using struct
+ if_laddrreq.
+
+1291. [func] Enable IPv6 support when using sysctl style interface
+ scanning.
+
+1290. [func] "dig axfr" now reports the number of messages
+ as well as the number of records.
+
+1285. [func] lwres: probe the system to see what address families
+ are currently in use.
+
+1283. [func] Use "dataready" accept filter if available.
+
+1281. [func] Log zone when unable to get private keys to update
+ zone. Log zone when NXT records are missing from
+ secure zone.
+
+1278. [func] dig: now supports +[no]cl +[no]ttlid.
+
+1277. [func] You can now create your own customized printing
+ styles: dns_master_stylecreate() and
+ dns_master_styledestroy().
+
+1271. [bug] "recursion available: {denied,approved}" was too
+ confusing.
+
+1267. [func] isc_file_openunique() now creates file using mode
+ 0666 rather than 0600.
+
+1254. [func] preferred-glue option from BIND 8.3.
+
+1250. [func] Nsupdate will report the address the update was
+ sent to.
+
+1247. [bug] Don't reset the interface index for link/site local
+ addresses. [RT #2576]
+
+1246. [func] New functions isc_sockaddr_issitelocal(),
+ isc_sockaddr_islinklocal(), isc_netaddr_issitelocal()
+ and isc_netaddr_islinklocal().
+
+1243. [bug] It was possible to trigger a REQUIRE() in
+ dns_message_findtype(). [RT #2659]
+
+1235. [func] Report 'out of memory' errors from openssl.
+
+1234. [bug] contrib/sdb: 'zonetodb' failed to call
+ dns_result_register(). DNS_R_SEENINCLUDE should not
+ be fatal.
+
+1233. [bug] The flags field of a KEY record can be expressed in
+ hex as well as decimal.
+
+1226. [func] Use EDNS for zone refresh queries. [RT #2551]
+
+1225. [func] dns_message_setopt() no longer requires that
+ dns_message_renderbegin() to have been called.
+
+1224. [bug] 'rrset-order' and 'sortlist' should be additive
+ not exclusive.
+
+1223. [func] 'rrset-order' partially works 'cyclic' and 'random'
+ are supported.
+
+1220. [func] Support for APL rdata type.
+
+1219. [func] Named now reports the TSIG extended error code when
+ signature verification fails. [RT #1651]
+
+1217. [func] Report locations of previous key definition when a
+ duplicate is detected.
+
+1213. [func] Report view associated with client if it is not a
+ standard view (_default or _bind).
+
+1203. [func] Report locations of previous acl and zone definitions
+ when a duplicate is detected.
+
+1202. [func] New functions: cfg_obj_line() and cfg_obj_file().
+
+1192. [bug] The seconds fields in LOC records were restricted
+ to three decimal places. More decimal places should
+ be allowed but warned about.
+
+1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands.
+ [RT #2394]
+
+1187. [bug] named was incorrectly returning DNSSEC records
+ in negative responses when the DO bit was not set.
+
+1181. [func] Add the "key-directory" configuration statement,
+ which allows the server to look for online signing
+ keys in alternate directories.
+
+1180. [func] dnssec-keygen should always generate keys with
+ protocol 3 (DNSSEC), since it's less confusing
+ that way.
+
+1179. [func] Add SIG(0) support to nsupdate.
+
+1177. [func] Report view when loading zones if it is not a
+ standard view (_default or _bind). [RT #2270]
+
+1171. [func] Added function isc_region_compare(), updated files in
+ lib/dns to use this function instead of local one.
+
+1169. [func] Identify recursive queries in the query log.
+
+1163. [func] isc_time_formattimestamp() now includes the year.
+
+1159. [bug] MD and MF are not permitted to be loaded by RFC1123.
+
+1158. [func] Report the client's address when logging notify
+ messages.
+
+1157. [func] match-clients and match-destinations now accept
+ keys. [RT #2045]
+
+1155. [func] Recover from master files being removed from under
+ us.
+
+1153. [func] 'rndc {stop|halt} -p' now reports the process id
+ of the instance of named being shutdown.
+
+1151. [bug] nslookup failed to check that the arguments to
+ the port, timeout, and retry options were
+ valid integers and in range. [RT #2099]
+
+1150. [bug] named incorrectly accepted TTL values
+ containing plus or minus signs, such as
+ 1d+1h-1s.
+
+1149. [func] New function isc_parse_uint32().
+
+1148. [func] 'rndc-confgen -a' now provides positive feedback.
+
+1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by
+ the OS. listen-on-v6 { any; }; should no longer
+ result in IPv4 queries be accepted. Similarly
+ control { inet :: ... }; should no longer result
+ in IPv4 connections being accepted. This can be
+ overridden at compile time by defining
+ ISC_ALLOW_MAPPED=1.
+
+1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if
+ supported by the OS by a new function
+ isc_socket_ipv6only().
+
+1145. [func] "host" no longer reports a NOERROR/NODATA response
+ by printing nothing. [RT #2065]
+
+1143. [bug] When a trusted-keys statement was present and named
+ was built without crypto support, it would leak memory.
+
+1139. [func] It is now possible to flush a given name from the
+ cache(s) via 'rndc flushname name [view]'. [RT #2051]
+
+1138. [func] It is now possible to flush a given name from the
+ cache by calling the new function
+ dns_cache_flushname().
+
+1137. [func] It is now possible to flush a given name from the
+ ADB by calling the new function dns_adb_flushname().
+
+1135. [func] You can now override the default syslog() facility for
+ named/lwresd at compile time. [RT #1982]
+
+1132. [func] Improve UPDATE prerequisite failure diagnostic messages.
+
+1128. [func] sdb drivers can now provide RR data in either text
+ or wire format, the latter using the new functions
+ dns_sdb_putrdata() and dns_sdb_putnamedrdata().
+
+1127. [func] rndc: If the server to contact has multiple addresses,
+ try all of them.
+
+1119. [func] Added support in Win32 for NTFS file/directory ACL's
+ for access control.
+
+1115. [func] Set maximum values for cleaning-interval,
+ heartbeat-interval, interface-interval,
+ max-transfer-idle-in, max-transfer-idle-out,
+ max-transfer-time-in, max-transfer-time-out,
+ statistics-interval of 28 days and
+ sig-validity-interval of 3660 days. [RT #2002]
+
+1110. [bug] dig should only accept valid abbreviations of +options.
+ [RT #2003]
+
+1105. [port] OpenUNIX 8 enable threads by default. [RT #1970]
+
+1080. [bug] BIND 8 compatibility: accept bare IP prefixes
+ as the second element of a two-element top level
+ sort list statement. [RT #1964]
+
+1079. [bug] BIND 8 compatibility: accept bare elements at top
+ level of sort list treating them as if they were
+ a single element list. [RT #1963]
+
+1077. [func] Do not accept further recursive clients when
+ the total number of recursive lookups being
+ processed exceeds max-recursive-clients, even
+ if some of the lookups are internally generated.
+ [RT #1915, #1938]
+
+1073. [bug] The ADB cache cleaning should also be space driven.
+ [RT #1915, #1938]
+
+1067. [func] Allow quotas to be soft, isc_quota_soft().
+
+1065. [func] Runtime support to select new / old style interface
+ scanning using ioctls.
+
+1060. [func] Move refresh, stub and notify UDP retry processing
+ into dns_request.
+
+1059. [func] dns_request now support will now retry UDP queries,
+ dns_request_createvia2() and dns_request_createraw2().
+
+1058. [func] Limited lifetime ticker timers are now available,
+ isc_timertype_limited.
+
+1055. [func] Version and hostname queries can now be disabled
+ using "version none;" and "hostname none;",
+ respectively.
+
+1049. [func] "pid-file none;" will disable writing a pid file.
+ [RT #1848]
+
+1037. [bug] Negative responses whose authority section contain
+ SOA or NS records whose owner names are not equal
+ equal to or parents of the query name should be
+ rejected. [RT #1862]
+
+1036. [func] Silently drop requests received via multicast as
+ long as there is no final multicast DNS standard.
+
+1035. [bug] If we respond to multicast queries (which we
+ currently do not), respond from a unicast address
+ as specified in RFC 1123. [RT #137]
+
+1034. [bug] Ignore the RD bit on multicast queries as specified
+ in RFC 1123. [RT #137]
+
+1032. [func] hostname.bind/txt/chaos now returns the name of
+ the machine hosting the nameserver. This is useful
+ in diagnosing problems with anycast servers.
+
+1025. [bug] Don't use multicast addresses to resolve iterative
+ queries. [RT #101]
+
+1024. [port] Compilation failed on HP-UX 11.11 due to
+ incompatible use of the SIOCGLIFCONF macro
+ name. [RT #1831]
+
+1023. [func] Accept hints without TTLs.
+
+1011. [cleanup] Removed isc_dir_current().
+
+1009. [port] OpenUNIX 8 support. [RT #1728]
+
+1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2.
+
+1007. [port] config.guess, config.sub from autoconf-2.52.
+
+1003. [func] Add the +retry option to dig.
+
+ 999. [func] "rndc retransfer zone [class [view]]" added.
+ [RT #1752]
+
+ 998. [func] named-checkzone now has arguments to specify the
+ chroot directory (-t) and working directory (-w).
+ [RT #1755]
+
+ 997. [func] Add support for RSA-SHA1 keys (RFC3110).
+
+ 996. [func] Issue warning if the configuration filename contains
+ the chroot path.
+
+ 994. [func] Treat non-authoritative responses to queries for type
+ NS as referrals even if the NS records are in the
+ answer section, because BIND 8 servers incorrectly
+ send them that way. This is necessary for DNSSEC
+ validation of the NS records of a secure zone to
+ succeed when the parent is a BIND 8 server. [RT #1706]
+
+ 993. [func] dig: -v now reports the version.
+
+ 991. [func] Lower UDP refresh timeout messages to level
+ debug 1.
+
+ 985. [func] Consider network interfaces to be up iff they have
+ a nonzero IP address rather than based on the
+ IFF_UP flag. [RT #1160]
+
+ 983. [func] The server now supports generating IXFR difference
+ sequences for non-dynamic zones by comparing zone
+ versions, when enabled using the new config
+ option "ixfr-from-differences". [RT #1727]
+
+ 982. [func] If "memstatistics-file" is set in options the memory
+ statistics will be written to it.
+
+ 981. [func] The dnssec tools can now take multiple '-r randomfile'
+ arguments.
+
+ 979. [func] Incremental master file dumping. dns_master_dumpinc(),
+ dns_master_dumptostreaminc(), dns_dumpctx_attach(),
+ dns_dumpctx_detach(), dns_dumpctx_cancel(),
+ dns_dumpctx_db() and dns_dumpctx_version().
+
+ 976. [func] named-checkconf can now test load master zones
+ (named-checkconf -z). [RT #1468]
+
+ 970. [func] 'max-journal-size' can now be used to set a target
+ size for a journal.
+
+ 969. [func] dig now supports the undocumented dig 8 feature
+ of allowing arbitrary labels, not just dotted
+ decimal quads, with the -x option. This can be
+ used to conveniently look up RFC2317 names as in
+ "dig -x 10.0.0.0-127". [RT #827, #1576, #1598]
+
+ --- 9.2.3rc1 released ---
+
+1499. [bug] isc_random need to be seeded better if arc4random()
+ is not used.
+
+1498. [port] bsdos: 5.x support.
+
+1497. [protocol] dig, nslookup and host now perform nibble lookups
+ under IP6.ARPA, use -i for IP6.INT (dig and host).
+ lwres now uses IP6.ARPA.
+
+1496. [port] test for pthread_attr_setstacksize().
+
+1495. [cleanup] Replace hash functions with universal hash.
+
+1494. [security] Turn on RSA BLINDING as a precaution.
+
+1493. [doc] A6 and "bitstring" labels are now experimental.
+
+1492. [cleanup] Preserve rwlock quota context when upgrading /
+ downgrading. [RT #5599]
+
+1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN
+ lines. [RT #6206]
+
+1490. [bug] Accept reading state as well as working state in
+ ns_client_next(). [RT #6813]
+
+1489. [compat] Treat 'allow-update' on slave zones as a warning.
+ [RT #3469]
+
+1488. [bug] Don't override trust levels for glue addresses.
+ [RT #5764]
+
+1487. [bug] A REQUIRE() failure could be triggered if a zone was
+ queued for transfer and the zone was then removed.
+ [RT #6189]
+
+1486. [bug] isc_print_snprintf() '%%' consumed one too many format
+ characters. [RT# 8230]
+
+1485. [bug] gen failed to handle high type values. [RT #6225]
+
+1484. [bug] The number of records reported after a AXFR was wrong.
+ [RT #6229]
+
+1483. [bug] dig axfr failed if the message id in the answer failed
+ to match that in the request. Only the id in the first
+ message is required to match. [RT #8138]
+
+1482. [bug] named could fail to start if the kernel supports
+ IPv6 but no interfaces are configured. Similarly
+ for IPv4. [RT #6229]
+
+1481. [bug] Refresh and stub queries failed to use masters keys
+ if specified. [RT #7391]
+
+1480. [bug] Provide replay protection for rndc commands. Full
+ replay protection requires both rndc and named to
+ be updated. Partial replay protection (limited
+ exposure after restart) is provided if just named
+ is updated.
+
+1479. [bug] cfg_create_tuple() failed to handle out of
+ memory cleanup. parse_list() would leak memory
+ on syntax errors.
+
+1478. [port] ifconfig.sh didn't account for other virtual
+ interfaces. It now takes a optional argument
+ to specify the first interface number. [RT #3907]
+
+1477. [bug] memory leak using stub zones and TSIG.
+
+1476. [port] win32: port unreachables were blocking further i/o
+ on sockets (Windows 2000 SP2 and later).
+
+1473. [bug] create_map() and create_string() failed to handle out
+ of memory cleanup. [RT #6813]
+
+1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit.
+
+1471. [bug] libbind: updated to BIND 8.4.0.
+
+1470. [bug] Incorrect length passed to snprintf. [RT #5966]
+
+1466. [bug] lwresd configuration errors resulted in memory
+ and lock leaks. [RT #5228]
+
+1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer()
+ failed to check that trailing bits were zero allowing
+ some invalid base64 strings to be accepted. [RT #5397]
+
+1464. [bug] Preserve "out of zone" data for outgoing zone
+ transfers. [RT #5192]
+
+1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad
+ NXT bit maps. [RT #5577]
+
+1462. [bug] parse_sizeval() failed to check the token type.
+ [RT #5586]
+
+1461. [bug] Remove deadlock from rbtdb code. [RT #5599]
+
+1460. [bug] inet_pton() failed to reject certain malformed
+ IPv6 literals.
+
+1459. [bug] win32: we were leaking a bits in the exception
+ fd_set resulting in "Socket operation on non-socket"
+ errors from select(). [RT #2966]
+
+1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer.
+
+1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298]
+
+1452. [bug] Bad #ifdef, ISC_RFC2335 -> ISC_RFC2535.
+
+1451. [bug] rndc-confgen didn't exit with a error code for all
+ failures. [RT #5209]
+
+1450. [bug] Fetching expired glue failed under certain
+ circumstances. [RT #5124]
+
+1449. [bug] query_addbestns() didn't handle running out of memory
+ gracefully.
+
+1448. [bug] Handle empty wildcards labels.
+
+1447. [bug] We were casting (unsigned int) to and from (void *).
+ rdataset->private4 is now rdataset->privateuint4
+ to reflect a type change.
+
+1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has
+ been replaced with DNS_ADBFIND_STARTATZONE which
+ causes the search to start using the closest zone.
+
+1439. [bug] Named could return NOERROR with certain NOTIFY
+ failures. Return NOTAUTH if the NOTIFY zone is
+ not being served.
+
+1435. [bug] zmgr_resume_xfrs() was being called read locked
+ rather than write locked. zmgr_resume_xfrs()
+ was not being called if the zone was being
+ shutdown.
+
+1437. [bug] Leave space for stdio to work in. [RT #5033]
+
+1434. [bug] "rndc reconfig" failed to initiate the initial
+ zone transfer of new slave zones.
+
+1431. [bug] isc_print_snprintf() "%s" with precision could walk off
+ end of argument. [RT #5191]
+
+1429. [bug] Prevent the cache getting locked to old servers.
+
+1424. [bug] EDNS version not being correctly printed.
+
+1423. [contrib] queryperf: added A6 and SRV.
+
+1420. [port] solaris: work around gcc optimizer bug.
+
+1419. [port] openbsd: use /dev/arandom. [RT #4950]
+
+1418. [bug] 'rndc reconfig' did not cause new slaves to load.
+
+1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN.
+ [RT #4715]
+
+1411. [bug] empty nodes should stop wildcard matches. [RT #4802]
+
+1408. [bug] "make distclean" was not complete. [RT #4700]
+
+1407. [bug] lfsr incorrectly implements the shift register.
+ [RT #4617]
+
+1406. [bug] dispatch initializes one of the LFSR's with a incorrect
+ polynomial. [RT #4617]
+
+1405. [func] Use arc4random() if available.
+
+1401. [bug] adb wasn't clearing state when the timer expired.
+
+1399. [bug] Use serial number arithmetic when testing SIG
+ timestamps. [RT #4268]
+
+1397. [bug] J.ROOT-SERVERS.NET is now 192.58.128.30.
+
+1389. [bug] named could fail to rotate long log files. [RT #3666]
+
+1388. [port] irix: check for sys/sysctl.h and NET_RT_IFLIST before
+ defining HAVE_IFLIST_SYSCTL. [RT #3770]
+
+1387. [bug] named could crash due to an access to invalid memory
+ space (which caused an assertion failure) in
+ incremental cleaning. [RT #3588]
+
+1385. [bug] Setting serial-query-rate to 10 would trigger a
+ REQUIRE failure.
+
+1384. [bug] host was incompatible with BIND 8 in its exit code and
+ in the output with the -l option. [RT #3536]
+
+1373. [bug] Recovery from expired glue failed under certain
+ circumstances.
+
+1372. [bug] named crashes with an assertion failure on exit when
+ sharing the same port for listening and querying, and
+ changing listening addresses several times. [RT# 3509]
+
+1370. [bug] dig '+[no]recurse' was incorrectly documented.
+
+1369. [bug] Adding an NS record as the lexicographically last
+ record in a secure zone didn't work.
+
+1366. [contrib] queryperf usage was incomplete. Add '-h' for help.
+
+1348. [port] win32: Rewrote code to use I/O Completion Ports
+ in socket.c and eliminating a host of socket
+ errors. Performance is enhanced.
+
+1333. [contrib] queryperf now reports a summary of returned
+ rcodes (-c), rcodes are printed in mnemonic form (-v).
+
+1299. [bug] Set AI_ADDRCONFIG when looking up addresses
+ via getaddrinfo() (affects dig, host, nslookup, rndc
+ and nsupdate).
+
+1199. [doc] ARM reference to RFC 2157 should have been RFC 1918.
+ [RT #2436]
+
+1122. [tuning] Resolution timeout reduced from 90 to 30 seconds.
+ [RT #2046]
+
+ 992. [doc] dig: ~/.digrc is now documented.
+
+ --- 9.2.2 released ---
+
+1428. [port] hpux: temporary work around of hpux 11.11 interface
+ scanning.
+
+1427. [bug] Race condition in adb with threaded build.
+
+1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible
+ with the forthcoming DS style DNSSEC.
+
+1425. [port] linux/libbind: define __USE_MISC when testing *_r()
+ function prototypes in netdb.h. [RT #4921]
+
+1395. [port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't
+ have a working implementation. [RT #4079]
+
+1382. [bug] make install failed with --enable-libbind. [RT #3656]
+
+1381. [bug] named failed to correctly process answers that
+ contained DNAME records where the resulting CNAME
+ resulted in a negative answer.
+
+ --- 9.2.2rc1 released ---
+
+1360. [bug] --enable-libbind would fail when not built in the
+ source tree for certain OS's.
+
+1359. [security] Support patches OpenSSL libraries.
+ http://www.cert.org/advisories/CA-2002-23.html
+
+1358. [bug] It was possible to trigger a INSIST when debugging
+ large dynamic updates. [RT #3390]
+
+1357. [bug] nsupdate was extremely wasteful of memory.
+
+1356. [tuning] Reduce the number of events / quantum for zone tasks.
+
+1354. [doc] lwres man pages had illegal nroff.
+
+1353. [contrib] sdb/ldap to version 0.9.
+
+1352. [bug] dig, host, nslookup when falling back to TCP use the
+ current search entry (if any). [RT #3374]
+
+1351. [bug] lwres_getipnodebyname() returned the wrong name
+ when given a IPv4 literal, af=AF_INET6 and AI_MAPPED
+ was set.
+
+1350. [bug] dns_name_fromtext() failed to handle too many labels
+ gracefully.
+
+1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a).
+ http://www.cert.org/advisories/CA-2002-23.html
+
+1346. [bug] Win32: select timeout in socket.c was too small
+ as value given was meant to be milliseconds and
+ timeval structure requires microseconds. This
+ caused high CPU loads with a compute bound loop.
+ [RT #3358]
+
+1345. [port] Use a explicit -Wformat with gcc. Not all versions
+ include it in -Wall.
+
+1340. [bug] Delay and spread out the startup refresh load.
+
+1335. [bug] When performing a nonexistence proof, the validator
+ should discard parent NXTs from higher in the DNS.
+
+1334. [bug] When signing/verifying rdatasets, duplicate rdatas
+ need to be suppressed.
+
+1330. [bug] When processing events (non-threaded) only allow
+ the task one chance to use to use its quantum.
+
+1327. [bug] The validator would incorrectly mark data as insecure
+ when seeing a bogus signature before a correct
+ signature.
+
+1326. [bug] DNAME/CNAME signatures were not being cached when
+ validation was not being performed. [RT #3284]
+
+1325. [bug] If the tcpquota was exhausted it was possible to
+ to trigger a INSIST() failure.
+
+1324. [port] darwin: ifconfig.sh now supports darwin.
+
+1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205]
+
+1320. [doc] query-source-v6 was missing from options section.
+ [RT #3218]
+
+1319. [func] libbind: log attempts to exploit #1318.
+
+1318. [bug] libbind: Remote buffer overrun.
+
+1317. [port] libbind: TrueUNIX 5.1 does not like __align as a
+ element name.
+
+1316. [bug] libbind: gethostans() could get out of sync parsing
+ the response if there was a very long CNAME chain.
+
+1315. [bug] Options should apply to the internal _bind view.
+
+1314. [port] Handle ECONNRESET from sendmsg() [unix].
+
+1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159]
+
+1310. [bug] 'rndc stop' failed to cause zones to be flushed
+ sometimes. [RT #3157]
+
+1307. [bug] nsupdate: allow white space base64 key data.
+
+1306. [bug] Badly encoded LOC record when the size, horizontal
+ precision or vertical precision was 0.1m.
+
+1305. [bug] Document that internal zones are included in the
+ rndc status results.
+
+1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile
+ could be left with a trailing "\" after configure
+ has been run.
+
+1297. [port] linux: make handling EINVAL from socket() no longer
+ conditional on #ifdef LINUX.
+
+1296. [bug] isc_log_closefilelogs() needed to lock the log
+ context.
+
+1295. [bug] isc_log_setdebuglevel() needed to lock the log
+ context.
+
+1294. [func] libbind: no longer attempts bit string labels for
+ IPv6 reverse resolution. Try IP6.ARPA then IP6.INT
+ for nibble style resolution.
+
+1289. [port] See if -ldl is required for OpenSSL? [RT #2672]
+
+1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better
+ reflect written requirements.
+
+1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding
+ a rdataset to a zone db in the rbtdb implementation of
+ addrdataset.
+
+1286. [bug] dns_name_downcase() enforce requirement that
+ target != NULL or name->buffer != NULL.
+
+1284. [bug] The RTT estimate on unused servers was not aged.
+ [RT #2569]
+
+1282. [port] libbind: hpux 11.11 interface scanning.
+
+1280. [bug] libbind: escape '(' and ')' when converting to
+ presentation form.
+
+1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590]
+
+1276. [bug] libbind: const pointer conflicts in res_debug.c.
+
+1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN.
+
+1274. [bug] Memory leak in lwres_gnbarequest_parse().
+
+1273. [port] libbind: solaris: 64 bit binary compatibility.
+
+1272. [contrib] Berkeley DB 4.0 sdb implementation from
+ Nuno Miguel Rodrigues <nmr@co.sapo.pt>.
+
+1270. [bug] Check that system inet_pton() and inet_ntop() support
+ AF_INET6.
+
+1269. [port] Openserver: ifconfig.sh support.
+
+1268. [port] Openserver: the value FD_SETSIZE depends on whether
+ <sys/param.h> is included or not. Be consistent.
+
+1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE,
+ __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE
+ are not C++ compatible, use *_TYPE versions instead.
+
+1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with
+ C++, use LINK_INIT_TYPE and UNLINK_TYPE instead.
+
+1263. [bug] Reference after free error if dns_dispatchmgr_create()
+ failed.
+
+1262. [bug] ns_server_destroy() failed to set *serverp to NULL.
+
+1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide
+ support for compressed TSIG owner names.
+
+1260. [func] libbind: res_update can now update IPv6 servers,
+ new function res_findzonecut2().
+
+1259. [bug] libbind: get_salen() IPv6 support was broken for OSs
+ w/o sa_len.
+
+1258. [bug] libbind: res_nametotype() and res_nametoclass() were
+ broken.
+
+1257. [bug] Failure to write pid-file should not be fatal on
+ reload. [RT #2861]
+
+1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support.
+
+1255. [bug] When verifying that an NXT proves nonexistence, check
+ the rcode of the message and only do the matching NXT
+ check. That is, for NXDOMAIN responses, check that
+ the name is in the range between the NXT owner and
+ next name, and for NOERROR NODATA responses, check
+ that the type is not present in the NXT bitmap.
+
+1253. [bug] The dnssec system test failed to remove the correct
+ files.
+
+1252. [bug] Dig, host and nslookup were not checking the address
+ the answer was coming from against the address it was
+ sent to. [RT# 2692]
+
+1248. [bug] DESTDIR was not being propagated between makes.
+
+1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for
+ accept().
+
+1242. [bug] named-checkzone failed if a journal existed. [RT #2657]
+
+1241. [bug] Drop received UDP messages with a zero source port
+ as these are invariably forged. [RT #2621]
+
+1209. [bug] Dig, host, nslookup were not checking the message ids
+ on the responses. [RT #2454]
+
+1097. [func] libbind: RES_PRF_TRUNC for dig.
+
+1096. [func] libbind: "DNSSEC OK" (DO) support.
+
+1095. [func] libbind: resolver option: no-tld-query. disables
+ trying unqualified as a tld. no_tld_query is also
+ supported for FreeBSD compatibility.
+
+1094. [func] libbind: add support gcc's format string checking.
+
+1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6
+ support.
+
+ --- 9.2.1 released ---
+
+1251. [port] win32: a make file contained absolute version specific
+ references.
+
+1249. [bug] Missing masters clause was not handled gracefully.
+ [RT #2703]
+
+1244. [bug] Receiving a TCP message from a blackhole address would
+ prevent further messages being received over that
+ interface.
+
+1178. [bug] Follow and cache (if appropriate) A6 and other
+ data chains to completion in the additional section.
+
+ --- 9.2.1rc2 released ---
+
+1240. [bug] It was possible to leak zone references by
+ specifying an incorrect zone to rndc.
+
+1239. [bug] Under certain circumstances named could continue to
+ use a name after it had been freed triggering
+ INSIST() failures. [RT #2614]
+
+1238. [bug] It is possible to lockup the server when shutting down
+ if notifies were being processed. [RT #2591]
+
+1237. [bug] nslookup: "set q=type" failed.
+
+1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non
+ NULL terminated text regions. [RT #2588]
+
+1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL.
+
+1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL.
+
+1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken.
+
+1229. [bug] named would crash if it received a TSIG signed
+ query as part of an AXFR response. [RT #2570]
+
+1228. [bug] 'make install' did not depend on 'make all'. [RT #2559]
+
+1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER
+ if a number was expected and some other token was
+ found. [RT#2532]
+
+1222. [bug] Specifying 'port *' did not always result in a system
+ selected (non-reserved) port being used. [RT #2537]
+
+1221. [bug] Zone types 'master', 'slave' and 'stub' were not being
+ compared case insensitively. [RT #2542]
+
+1218. [bug] Named incorrectly returned SERVFAIL rather than
+ NOTAUTH when there was a TSIG BADTIME error. [RT #2519]
+
+1216. [bug] Multiple server clauses for the same server were not
+ reported. [RT #2514]
+
+1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1
+
+1214. [bug] Win32: isc_file_renameunique() could leave zero length
+ files behind.
+
+1212. [port] libbind: 64k answer buffers were causing stack space
+ to be exceeded for certain OS. Use heap space instead.
+
+1211. [bug] dns_name_fromtext() incorrectly handled certain
+ valid octal bitlabels. [RT #2483]
+
+1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped /
+ compatible addresses. [RT #2461]
+
+1208. [bug] dns_master_load*() failed to log a error message if
+ an error was detected when parsing the ownername of
+ a record. [RT #2448]
+
+ --- 9.2.1rc1 released ---
+
+1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with
+ an invalid pointer.
+
+1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should
+ trigger a non-EDNS retry.
+
+1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class"
+ of the message. [RT #2449]
+
+1204. [bug] libbind: res_nupdate() failed to update the name
+ server addresses before sending the update.
+
+1201. [bug] Require that if 'callbacks' is passed to
+ dns_rdata_fromtext(), callbacks->error and
+ callbacks->warn are initialized.
+
+1200. [bug] Log 'errno' that we are unable to convert to
+ isc_result_t. [RT #2404]
+
+1198. [bug] OPT printing style was not consistent with the way the
+ header fields are printed. The DO bit was not reported
+ if set. Report if any of the MBZ bits are set.
+
+1197. [bug] Attempts to define the same acl multiple times were not
+ detected.
+
+1196. [contrib] update mdnkit to 2.2.3.
+
+1195. [bug] Attempts to redefine builtin acls should be caught.
+ [RT #2403]
+
+1194. [bug] Not all duplicate zone definitions were being detected
+ at the named.conf checking stage. [RT #2431]
+
+1193. [bug] Best effort parsing didn't handle packet truncation.
+
+1191. [bug] A dynamic update removing the last non-apex name in
+ a secure zone would fail. [RT #2399]
+
+1189. [bug] On some systems, malloc(0) returns NULL, which
+ could cause the caller to report an out of memory
+ error. [RT #2398]
+
+1188. [bug] Dynamic updates of a signed zone would fail if
+ some of the zone private keys were unavailable.
+
+1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the
+ EOL token when reading to end of line.
+
+1185. [bug] libbind: don't assume statp->_u._ext.ext is valid
+ unless RES_INIT is set when calling res_*init().
+
+1184. [bug] libbind: call res_ndestroy() if RES_INIT is set
+ when res_*init() is called.
+
+1183. [bug] Handle ENOSR error when writing to the internal
+ control pipe. [RT #2395]
+
+1182. [bug] The server could throw an assertion failure when
+ constructing a negative response packet.
+
+1176. [doc] Document that allow-v6-synthesis is only performed
+ for clients that are supplied recursive service.
+ [RT #2260]
+
+1175. [bug] named-checkzone failed to call dns_result_register()
+ at startup which could result in runtime
+ exceptions when printing "out of memory" errors.
+ [RT #2335]
+
+1174. [bug] Win32: add WSAECONNRESET to the expected errors
+ from connect(). [RT #2308]
+
+1173. [bug] Potential memory leaks in isc_log_create() and
+ isc_log_settag(). [RT #2336]
+
+1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to
+ table of RR types in ARM.
+
+1170. [bug] Don't attempt to print the token when a I/O error
+ occurs when parsing named.conf. [RT #2275]
+
+1168. [bug] Empty also-notify clauses were not handled. [RT #2309]
+
+1167. [contrib] nslint-2.1a3 (from author).
+
+1166. [bug] "Not Implemented" should be reported as NOTIMP,
+ not NOTIMPL. [RT #2281]
+
+1165. [bug] We were rejecting notify-source{-v6} in zone clauses.
+
+1164. [bug] Empty masters clauses in slave / stub zones were not
+ handled gracefully. [RT #2262]
+
+1162. [bug] The allow-notify option was not accepted in slave
+ zone statements.
+
+1161. [bug] named-checkzone looped on unbalanced brackets.
+ [RT #2248]
+
+1160. [bug] Generating Diffie-Hellman keys longer than 1024
+ bits could fail. [RT #2241]
+
+1156. [port] The configure test for strsep() incorrectly
+ succeeded on certain patched versions of
+ AIX 4.3.3. [RT #2190]
+
+1154. [bug] Don't attempt to obtain the netmask of a interface
+ if there is no address configured. [RT #2176]
+
+1152. [bug] libbind: read buffer overflows.
+
+1144. [bug] rndc-confgen would crash if both the -a and -t
+ options were specified. [RT #2159]
+
+1142. [bug] dnssec-signzone would fail to delete temporary files
+ in some failure cases. [RT #2144]
+
+1141. [bug] When named rejected a control message, it would
+ leak a file descriptor and memory. It would also
+ fail to respond, causing rndc to hang.
+ [RT #2139, #2164]
+
+1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments
+ to the -s option. [RT #2138]
+
+1136. [bug] CNAME records synthesized from DNAMEs did not
+ have a TTL of zero as required by RFC2672.
+ [RT #2129]
+
+1125. [bug] rndc: -k option was missing from usage message.
+ [RT #2057]
+
+1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail
+ are now documented. [RT #2052]
+
+1123. [bug] dig +[no]fail did not match description. [RT #2052]
+
+1109. [bug] nsupdate accepted illegal ttl values.
+
+1108. [bug] On Win32, rndc was hanging when named was not running
+ due to failure to select for exceptional conditions
+ in select(). [RT #1870]
+
+1081. [bug] Multicast queries were incorrectly identified
+ based on the source address, not the destination
+ address.
+
+1072. [bug] The TCP client quota could be exceeded when
+ recursion occurred. [RT #1937]
+
+1071. [bug] Sockets listening for TCP DNS connections
+ specified an excessive listen backlog. [RT #1937]
+
+1070. [bug] Copy DNSSEC OK (DO) to response as specified by
+ draft-ietf-dnsext-dnssec-okbit-03.txt.
+
+1014. [bug] Some queries would cause statistics counters to
+ increment more than once or not at all. [RT #1321]
+
+1012. [bug] The -p option to named did not behave as documented.
+
+ 988. [bug] 'additional-from-auth no;' did not work reliably
+ in the case of queries answered from the cache.
+ [RT #1436]
+
+ 995. [bug] dig, host, nslookup: using a raw IPv6 address as a
+ target address should be fatal on a IPv4 only system.
+
+ --- 9.2.0 released ---
+
+1134. [bug] Multi-threaded servers could deadlock in ferror()
+ when reloading zone files. [RT #1951, #1998]
+
+1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on
+ platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106]
+
+ --- 9.2.0rc10 released ---
+
+1131. [bug] The match-destinations view option did not work with
+ IPv6 destinations. [RT #2073, #2074]
+
+1130. [bug] Log messages reporting an out-of-range serial number
+ did not include the out-of-range number but the
+ following token. [RT #2076]
+
+1129. [bug] Multi-threaded servers could crash under heavy
+ resolution load due to a race condition. [RT #2018]
+
+1126. [bug] The server could access a freed event if shut
+ down while a client start event was pending
+ delivery. [RT #2061]
+
+1121. [bug] The server could attempt to access a NULL zone
+ table if shut down while resolving.
+ [RT #1587, #2054]
+
+1120. [bug] Errors in options were not fatal. [RT #2002]
+
+1118. [bug] On multi-threaded servers, a race condition
+ could cause an assertion failure in resolver.c
+ during resolver shutdown. [RT #2029]
+
+1117. [port] The configure check for in6addr_loopback incorrectly
+ succeeded on AIX 4.3 when compiling with -O2
+ because the test code was optimized away.
+ [RT #2016]
+
+1116. [bug] Setting transfers in a server clause, transfers-in,
+ or transfers-per-ns to a value greater than
+ 2147483647 disabled transfers. [RT #2002]
+
+1114. [port] Ignore more accept() errors. [RT #2021]
+
+1113. [bug] The allow-update-forwarding option was ignored
+ when specified in a view. [RT #2014]
+
+1111. [bug] Multi-threaded servers could deadlock processing
+ recursive queries due to a locking hierarchy
+ violation in adb.c. [RT #2017]
+
+ --- 9.2.0rc9 released ---
+
+1107. [bug] nsupdate could catch an assertion failure if an
+ invalid domain name was given as the argument to
+ the "zone" command.
+
+1106. [bug] After seeing an out of range TTL, nsupdate would
+ treat all TTLs as out of range. [RT #2001]
+
+1104. [bug] Invalid arguments to the transfer-format option
+ could cause an assertion failure. [RT #1995]
+
+1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970]
+
+1102. [doc] Note that query logging is enabled by directing the
+ queries category to a channel.
+
+1101. [bug] Array bounds read error in lwres_gai_strerror.
+
+1100. [bug] libbind: DNSSEC key ids were computed incorrectly.
+
+1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused
+ compile time errors.
+
+1098. [bug] libbind: HMAC-MD5 key files are now mode 0600.
+
+1093. [doc] libbind: miscellaneous nroff fixes.
+
+1092. [bug] libbind: get*by*() failed to check if res_init() had
+ been called.
+
+1091. [bug] libbind: misplaced va_end().
+
+1090. [bug] libbind: dns_ho.c:add_hostent() was not returning
+ the amount of memory consumed resulting in garbage
+ address being returned. Alignment calculations were
+ wasting space. We weren't suppressing duplicate
+ addresses.
+
+1088. [port] libbind: MPE/iX C.70 (incomplete)
+
+1087. [bug] libbind: struct __res_state too large on 64 bit arch.
+
+1086. [port] libbind: sunos: old sprintf.
+
+1085. [port] libbind: solaris: sys_nerr and sys_errlist do not
+ exist when compiling in 64 bit mode.
+
+1084. [cleanup] libbind: gai_strerror() rewritten.
+
+1083. [bug] The default control channel listened on the
+ wildcard address, not the loopback as documented.
+ [RT #1975]
+
+1082. [bug] The -g option to named incorrectly caused logging
+ to be sent to syslog in addition to stderr.
+ [RT #1974]
+
+1078. [bug] We failed to correct bad tv_usec values in one case.
+ [RT #1966]
+
+1076. [bug] A badly defined global key could trigger an assertion
+ on load/reload if views were used. [RT #1947]
+
+1075. [bug] Out-of-range network prefix lengths were not
+ reported. [RT #1954]
+
+1074. [bug] Running out of memory in dump_rdataset() could
+ cause an assertion failure. [RT #1946]
+
+ --- 9.2.0rc8 released ---
+
+1068. [bug] errno could be overwritten by catgets(). [RT #1921]
+
+1066. [bug] Provide a thread safe wrapper for strerror().
+ [RT #1689]
+
+1064. [bug] Do not shut down active network interfaces if we
+ are unable to scan the interface list. [RT #1921]
+
+1063. [bug] libbind: "make install" was failing on IRIX.
+ [RT #1919]
+
+1062. [bug] If the control channel listener socket was shut
+ down before server exit, the listener object could
+ be freed twice. [RT #1916]
+
+1061. [bug] If periodic cache cleaning happened to start
+ while cleaning due to reaching the configured
+ maximum cache size was in progress, the server
+ could catch an assertion failure. [RT #1912]
+
+1057. [bug] Reloading the server after adding a "file" clause
+ to a zone statement could cause the server to
+ crash due to a typo in change 1016.
+
+1056. [bug] Rndc could catch an assertion failure on SIGINT due
+ to an uninitialized variable. [RT #1908]
+
+ --- 9.2.0rc7 released ---
+
+1054. [bug] On Win32, cfg_categories and cfg_modules need to be
+ exported from the libisccfg DLL.
+
+1053. [bug] Dig did not increase its timeout when receiving
+ AXFRs unless the +time option was used. [RT #1904]
+
+1052. [bug] Journals were not being created in binary mode
+ resulting in "journal format not recognized" error
+ under Win32. [RT #1889]
+
+1051. [bug] Do not ignore a network interface completely just
+ because it has a noncontiguous netmask. Instead,
+ omit it from the localnets ACL and issue a warning.
+ [RT #1891]
+
+1050. [bug] Log messages reporting malformed IP addresses in
+ address lists such as that of the forwarders option
+ failed to include the correct error code, file
+ name, and line number. [RT #1890]
+
+1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1
+ didn't work.
+
+1047. [bug] named was incorrectly refusing all requests signed
+ with a TSIG key derived from an unsigned TKEY
+ negotiation with a NOERROR response. [RT #1886]
+
+1046. [bug] The help message for the --with-openssl configure
+ option was inaccurate. [RT #1880]
+
+1045. [bug] It was possible to skip saving glue for a nameserver
+ for a stub zone.
+
+1044. [bug] Specifying allow-transfer, notify-source, or
+ notify-source-v6 in a stub zone was not treated
+ as an error.
+
+1043. [bug] Specifying a transfer-source or transfer-source-v6
+ option in the zone statement for a master zone was
+ not treated as an error. [RT #1876]
+
+1042. [bug] The "config" logging category did not work properly.
+ [RT #1873]
+
+1041. [bug] Dig/host/nslookup could catch an assertion failure
+ on SIGINT due to an uninitialized variable. [RT #1867]
+
+1040. [bug] Multiple listen-on-v6 options with different ports
+ were not accepted. [RT #1875]
+
+1039. [bug] Negative responses with CNAMEs in the answer section
+ were cached incorrectly. [RT #1862]
+
+1038. [bug] In servers configured with a tkey-domain option,
+ TKEY queries with an owner name other than the root
+ could cause an assertion failure. [RT #1866, #1869]
+
+1033. [bug] Always respond to requests with an unsupported opcode
+ with NOTIMP, even if we don't have a matching view
+ or cannot determine the class.
+
+ --- 9.2.0rc6 released ---
+
+1031. [bug] libbind.a: isc__gettimeofday() infinite recursion.
+ [RT #1858]
+
+1030. [bug] On systems with no resolv.conf file, nsupdate
+ exited with an error rather than defaulting
+ to using the loopback address. [RT #1836]
+
+1029. [bug] Some named.conf errors did not cause the loading
+ of the configuration file to return a failure
+ status even though they were logged. [RT #1847]
+
+1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf
+ in the wrong directory. [RT #1833]
+
+1027. [bug] RRs having the reserved type 0 should be rejected.
+ [RT #1471]
+
+1026. [port] Recognize OpenUNIX 8 in config.guess. [RT #1830]
+
+1022. [bug] Don't report empty root hints as "extra data".
+ [RT #1802]
+
+ --- 9.2.0rc5 released ---
+
+1021. [bug] On Win32, log message timestamps were one month
+ later than they should have been, and the server
+ would exhibit unspecified behavior in December.
+
+1020. [bug] IXFR log messages did not distinguish between
+ true IXFRs, AXFR-style IXFRs, and mere version
+ polls. [RT #1811]
+
+1019. [bug] The value of the lame-ttl option was limited to 18000
+ seconds, not 1800 seconds as documented. [RT #1803]
+
+1018. [bug] The default log channel was not always initialized
+ correctly. [RT #1813]
+
+1017. [bug] When specifying TSIG keys to dig and nsupdate using
+ the -k option, they must be HMAC-MD5 keys. [RT #1810]
+
+1016. [bug] Slave zones with no backup file were re-transferred
+ on every server reload.
+
+1015. [bug] Log channels that had a "versions" option but no
+ "size" option failed to create numbered log
+ files. [RT #1783]
+
+ --- 9.2.0rc4 released ---
+
+1013. [bug] It was possible to cancel a query twice when marking
+ a server as bogus or by having a blackhole acl.
+ [RT #1776]
+
+1010. [bug] The server could attempt to execute a command channel
+ command after initiating server shutdown, causing
+ an assertion failure. [RT #1766]
+
+1006. [bug] If a KEY RR was found missing during DNSSEC validation,
+ an assertion failure could subsequently be triggered
+ in the resolver. [RT #1763]
+
+1005. [bug] Don't copy nonzero RCODEs from request to response.
+ [RT #1765]
+
+1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770]
+
+1002. [bug] When reporting an unknown class name in named.conf,
+ including the file name and line number. [RT #1759]
+
+1001. [bug] win32 socket code doio_recv was not catching a
+ WSACONNRESET error when a client was timing out
+ the request and closing its socket. [RT #1745]
+
+1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias
+ for class "HS". [RT #1759]
+
+ --- 9.2.0rc3 released ---
+
+ 990. [bug] The rndc-confgen man page was not installed.
+
+ 989. [bug] Report filename if $INCLUDE fails for file related
+ errors. [RT #1736]
+
+ 987. [bug] "dig -help" didn't show "+[no]stats".
+
+ 986. [bug] "dig +noall" failed to clear stats and command
+ printing.
+
+ 984. [bug] Multi-threading should be enabled by default on
+ Solaris 2.7 and newer, but it wasn't.
+
+ --- 9.2.0rc2 released ---
+
+ 980. [bug] Incoming zone transfers restarting after an error
+ could trigger an assertion failure. [RT #1692]
+
+ 978. [bug] dns_db_attachversion() had an invalid REQUIRE()
+ condition.
+
+ 977. [bug] Improve "not at top of zone" error message.
+
+ 975. [bug] "max-cache-size default;" as a view option
+ caused an assertion failure.
+
+ 974. [bug] "max-cache-size unlimited;" as a global option
+ was not accepted.
+
+ 973. [bug] Failed to log the question name when logging:
+ "bad zone transfer request: non-authoritative zone
+ (NOTAUTH)".
+
+ 972. [bug] The file modification time code in zone.c was using the
+ wrong epoch. [RT #1667]
+
+ 968. [bug] On win32, the isc_time_now() function was unnecessarily
+ calling strtime(). [RT #1671]
+
+ 967. [bug] On win32, the link for bindevt was not including the
+ required resource file to enable the event viewer
+ to interpret the error messages in the event log,
+ [RT #1668]
+
+ 966. [placeholder]
+
+ 965. [bug] Including data other than root server NS and A
+ records in the root hint file could cause a rbtdb
+ node reference leak. [RT #1581, #1618]
+
+ 964. [func] Warn if data other than root server NS and A records
+ are found in the root hint file. [RT #1581, #1618]
+
+ 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645]
+
+ 962. [bug] libbind: bad "#undef", don't attempt to install
+ non-existant nlist.h. [RT #1640]
+
+ 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
+ was not defined. [RT #1482]
+
+ 960. [port] liblwres failed to build on systems with support for
+ getrrsetbyname() in the OS. [RT #1592]
+
+ 959. [port] On FreeBSD, determine the number of CPUs by calling
+ sysctlbyname(). [RT #1584]
+
+ 958. [port] ssize_t is not available on all platforms. [RT #1607]
+
+ 957. [bug] sys/select.h inclusion was broken on older platforms.
+ [RT #1607]
+
+ 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile
+ in named/win32/os.c due to code changes in
+ change #953. win32 .make file for rndc-confgen
+ updated to add include path for os.h header.
+
+ --- 9.2.0rc1 released ---
+
+ 955. [bug] When using views, the zone's class was not being
+ inherited from the view's class. [RT #1583]
+
+ 954. [bug] When requesting AXFRs or IXFRs using dig, host, or
+ nslookup, the RD bit should not be set as zone
+ transfers are inherently nonrecursive. [RT #1575]
+
+ 953. [func] The /var/run/named.key file from change #843
+ has been replaced by /etc/rndc.key. Both
+ named and rndc will look for this file and use
+ it to configure a default control channel key
+ if not already configured using a different
+ method (rndc.conf / controls). Unlike
+ named.key, rndc.key is not created automatically;
+ it must be created by manually running
+ "rndc-confgen -a".
+
+ 952. [bug] The server required manual intervention to serve the
+ affected zones if it died between creating a journal
+ and committing the first change to it.
+
+ 951. [bug] CFLAGS was not passed to the linker when
+ linking some of the test programs under
+ bin/tests. [RT #1555].
+
+ 950. [bug] Explicit TTLs did not properly override $TTL
+ due to a bug in change 834. [RT #1558]
+
+ 949. [bug] host was unable to print records larger than 512
+ bytes. [RT #1557]
+
+ --- 9.2.0b2 released ---
+
+ 948. [port] Integrated support for building on Windows NT /
+ Windows 2000.
+
+ 947. [bug] dns_rdata_soa_t had a badly named element "mname" which
+ was really the RNAME field from RFC1035. To avoid
+ confusion and silent errors that would occur it the
+ "origin" and "mname" elements were given their correct
+ names "mname" and "rname" respectively, the "mname"
+ element is renamed to "contact".
+
+ 946. [cleanup] doc/misc/options is now machine-generated from the
+ configuration parser syntax tables, and therefore
+ more likely to be correct.
+
+ 945. [func] Add the new view-specific options
+ "match-destinations" and "match-recursive-only".
+
+ 944. [func] Check for expired signatures on load.
+
+ 943. [bug] The server could crash when receiving a command
+ via rndc if the configuration file listed only
+ nonexistent keys in the controls statement. [RT #1530]
+
+ 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly
+ defined on some platforms.
+
+ 941. [bug] The configuration checker crashed if a slave
+ zone didn't contain a masters statement. [RT #1514]
+
+ 940. [bug] Double zone locking failure on error path. [RT #1510]
+
+ --- 9.2.0b1 released ---
+
+ 939. [port] Add the --disable-linux-caps option to configure for
+ systems that manage capabilities outside of named.
+ [RT #1503]
+
+ 938. [placeholder]
+
+ 937. [bug] A race when shutting down a zone could trigger a
+ INSIST() failure. [RT #1034]
+
+ 936. [func] Warn about IPv4 addresses that are not complete
+ dotted quads. [RT #1084]
+
+ 935. [bug] inet_pton failed to reject leading zeros.
+
+ 934. [port] Deal with systems where accept() spuriously returns
+ ECONNRESET.
+
+ 933. [bug] configure failed doing libbind on platforms not
+ supported by BIND 8. [RT #1496]
+
+ --- 9.2.0a3 released ---
+
+ 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM,
+ when installing isc-config.sh.
+ [RT #198, #1466]
+
+ 931. [bug] The controls statement only attempted to verify
+ messages using the first key in the key list.
+ (9.2.0a1/a2 only).
+
+ 930. [func] Query performance testing tool added as
+ contrib/queryperf.
+
+ 929. [placeholder]
+
+ 928. [bug] nsupdate would send empty update packets if the
+ send (or empty line) command was run after
+ another send but before any new updates or
+ prerequisites were specified. It should simply
+ ignore this command.
+
+ 927. [bug] Don't hold the zone lock for the entire dump to disk.
+ [RT #1423]
+
+ 926. [bug] The resolver could deadlock with the ADB when
+ shutting down (multi-threaded builds only).
+ [RT #1324]
+
+ 925. [cleanup] Remove openssl from the distribution; require that
+ --with-openssl be specified if DNSSEC is needed.
+
+ 924. [port] Extend support for pre-RFC2133 IPv6 implementation.
+ [RT #987]
+
+ 923. [bug] Multiline TSIG secrets (and other multiline strings)
+ were not accepted in named.conf. [RT #1469]
+
+ 922. [func] Added two new lwres_getrrsetbyname() result codes,
+ ERR_NONAME and ERR_NODATA.
+
+ 921. [bug] lwres returned an incorrect error code if it received
+ a truncated message.
+
+ 920. [func] Increase the lwres receive buffer size to 16K.
+ [RT #1451]
+
+ 919. [placeholder]
+
+ 918. [func] In nsupdate, TSIG errors are no longer treated as
+ fatal errors.
+
+ 917. [func] New nsupdate command 'key', allowing TSIG keys to
+ be specified in the nsupdate command stream rather
+ than the command line.
+
+ 916. [bug] Specifying type ixfr to dig without specifying
+ a serial number failed in unexpected ways.
+
+ 915. [func] The named-checkconf and named-checkzone programs
+ now have a '-v' option for printing their version.
+ [RT #1151]
+
+ 914. [bug] Global 'server' statements were rejected when
+ using views, even though they were accepted
+ in 9.1. [RT #1368]
+
+ 913. [bug] Cache cleaning was not sufficiently aggressive.
+ [RT #1441, #1444]
+
+ 912. [bug] Attempts to set the 'additional-from-cache' or
+ 'additional-from-auth' option to 'no' in a
+ server with recursion enabled will now
+ be ignored and cause a warning message.
+ [RT #1145]
+
+ 911. [placeholder]
+
+ 910. [port] Some pre-RFC2133 IPv6 implementations do not define
+ IN6ADDR_ANY_INIT. [RT #1416]
+
+ 908. [func] New program, rndc-confgen, to simplify setting up rndc.
+
+ 907. [func] The ability to get entropy from either the
+ random device, a user-provided file or from
+ the keyboard was migrated from the DNSSEC tools
+ to libisc as isc_entropy_usebestsource().
+
+ 906. [port] Separated the system independent portion of
+ lib/isc/unix/entropy.c into lib/isc/entropy.c
+ and added lib/isc/win32/entropy.c.
+
+ 905. [bug] Configuring a forward "zone" for the root domain
+ did not work. [RT #1418]
+
+ 904. [bug] The server would leak memory if attempting to use
+ an expired TSIG key. [RT #1406]
+
+ 903. [bug] dig should not crash when receiving a TCP packet
+ of length 0.
+
+ 902. [bug] The -d option was ignored if both -t and -g were also
+ specified.
+
+ 901. [placeholder]
+
+ 900. [bug] A config.guess update changed the system identification
+ string of FreeBSD systems; configure and
+ bin/tests/system/ifconfig.sh now recognize the new
+ string.
+
+ --- 9.2.0a2 released ---
+
+ 899. [bug] lib/dns/soa.c failed to compile on many platforms
+ due to inappropriate use of a void value.
+ [RT #1372, #1373, #1386, #1387, #1395]
+
+ 898. [bug] "dig" failed to set a nonzero exit status
+ on UDP query timeout. [RT #1323]
+
+ 897. [bug] A config.guess update changed the system identification
+ string of UnixWare systems; configure now recognizes
+ the new string.
+
+ 896. [bug] If a configuration file is set on named's command line
+ and it has a relative pathname, the current directory
+ (after any possible jailing resulting from named -t)
+ will be prepended to it so that reloading works
+ properly even when a directory option is present.
+
+ 895. [func] New function, isc_dir_current(), akin to POSIX's
+ getcwd().
+
+ 894. [bug] When using the DNSSEC tools, a message intended to warn
+ when the keyboard was being used because of the lack
+ of a suitable random device was not being printed.
+
+ 893. [func] Removed isc_file_test() and added isc_file_exists()
+ for the basic functionality that was being added
+ with isc_file_test().
+
+ 892. [placeholder]
+
+ 891. [bug] Return an error when a SIG(0) signed response to
+ an unsigned query is seen. This should actually
+ do the verification, but it's not currently
+ possible. [RT #1391]
+
+ 890. [cleanup] The man pages no longer require the mandoc macros
+ and should now format cleanly using most versions of
+ nroff, and HTML versions of the man pages have been
+ added. Both are generated from DocBook source.
+
+ 889. [port] Eliminated blank lines before .TH in nroff man
+ pages since they cause problems with some versions
+ of nroff. [RT #1390]
+
+ 888. [bug] Don't die when using TKEY to delete a nonexistent
+ TSIG key. [RT #1392]
+
+ 887. [port] Detect broken compilers that can't call static
+ functions from inline functions. [RT #1212]
+
+ 866. [func] Close debug only file channels when debug is set to
+ zero. [RT #1246]
+
+ 865. [bug] The new configuration parser did not allow
+ the optional debug level in a "severity debug"
+ clause of a logging channel to be omitted.
+ This is now allowed and treated as "severity
+ debug 1;" like it does in BIND 8.2.4, not as
+ "severity debug 0;" like it did in BIND 9.1.
+ [RT #1367]
+
+ 864. [cleanup] Multi-threading is now enabled by default on
+ OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX.
+
+ 863. [bug] If an error occurred while an outgoing zone transfer
+ was starting up, the server could access a domain
+ name that had already been freed when logging a
+ message saying that the transfer was starting.
+ [RT #1383]
+
+ 862. [bug] Use after realloc(), non portable pointer arithmetic in
+ grmerge().
+
+ 861. [port] Add support for Mac OS X, by making it equivalent
+ to Darwin. This was derived from the config.guess
+ file shipped with Mac OS X. [RT #1355]
+
+ 860. [func] Drop cross class glue in zone transfers.
+
+ 859. [bug] Cache cleaning now won't swamp the CPU if there
+ is a persistent overlimit condition.
+
+ 858. [func] isc_mem_setwater() no longer requires that when the
+ callback function is non-NULL then its hi_water
+ argument must be greater than its lo_water argument
+ (they can now be equal) or that they be non-zero.
+
+ 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for
+ structs, for our friends in EBCDIC-land.
+
+ 856. [func] Allow partial rdatasets to be returned in answer and
+ authority sections to help non-TCP capable clients
+ recover from truncation. [RT #1301]
+
+ 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings.
+
+ 854. [bug] The config parser didn't properly handle config
+ options that were specified in units of time other
+ than seconds. [RT #1372]
+
+ 853. [bug] configure_view_acl() failed to detach existing acls.
+ [RT #1374]
+
+ 852. [bug] Handle responses from servers which do not know
+ about IXFR.
+
+ 851. [cleanup] The obsolete support-ixfr option was not properly
+ ignored.
+
+ --- 9.2.0a1 released ---
+
+ 850. [bug] dns_rbt_findnode() would not find nodes that were
+ split on a bitstring label somewhere other than in
+ the last label of the node. [RT #1351]
+
+ 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined.
+
+ 848. [func] A minimum max-cache-size of two megabytes is enforced
+ by the cache cleaner.
+
+ 847. [func] Added isc_file_test(), which currently only has
+ some very basic functionality to test for the
+ existence of a file, whether a pathname is absolute,
+ or whether a pathname is the fundamental representation
+ of the current directory. It is intended that this
+ function can be expanded to test other things a
+ programmer might want to know about a file.
+
+ 846. [func] A non-zero 'param' to dst_key_generate() when making an
+ hmac-md5 key means that good entropy is not required.
+
+ 845. [bug] The access rights on the public file of a symmetric
+ key are now restricted as soon as the file is opened,
+ rather than after it has been written and closed.
+
+ 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined,
+ just as <lwres/net.h> does.
+
+ 843. [func] If no controls statement is present in named.conf,
+ or if any inet phrase of a controls statement is
+ lacking a keys clause, then a key will be automatically
+ generated by named and an rndc.conf-style file
+ named named.key will be written that uses it. rndc
+ will use this file only if its normal configuration
+ file, or one provided on the command line, does not
+ exist.
+
+ 842. [func] 'rndc flush' now takes an optional view.
+
+ 841. [bug] When sdb modules were not declared threadsafe, their
+ create and destroy functions were not serialized.
+
+ 840. [bug] The config file parser could print the wrong file
+ name if an error was detected after an included file
+ was parsed. [RT #1353]
+
+ 839. [func] Dump packets for which there was no view or that the
+ class could not be determined to category "unmatched".
+
+ 838. [port] UnixWare 7.x.x is now suported by
+ bin/tests/system/ifconfig.sh.
+
+ 837. [cleanup] Multi-threading is now enabled by default only on
+ OSF1, Solaris 2.7 and newer, and AIX.
+
+ 836. [func] Upgraded libtool to 1.4.
+
+ 835. [bug] The dispatcher could enter a busy loop if
+ it got an I/O error receiving on a UDP socket.
+ [RT #1293]
+
+ 834. [func] Accept (but warn about) master files beginning with
+ an SOA record without an explicit TTL field and
+ lacking a $TTL directive, by using the SOA MINTTL
+ as a default TTL. This is for backwards compatibility
+ with old versions of BIND 8, which accepted such
+ files without warning although they are illegal
+ according to RFC1035.
+
+ 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to
+ <dns/soa.h>, and extended them to support
+ all the integer-valued fields of the SOA RR.
+
+ 832. [bug] The default location for named.conf in named-checkconf
+ should depend on --sysconfdir like it does in named.
+ [RT #1258]
+
+ 831. [placeholder]
+
+ 830. [func] Implement 'rndc status'.
+
+ 829. [bug] The DNS_R_ZONECUT result code should only be returned
+ when an ANY query is made with DNS_DBFIND_GLUEOK set.
+ In all other ANY query cases, returning the delegation
+ is better.
+
+ 828. [bug] The errno value from recvfrom() could be overwritten
+ by logging code. [RT #1293]
+
+ 827. [bug] When an IXFR protocol error occurs, the slave
+ should retry with AXFR.
+
+ 826. [bug] Some IXFR protocol errors were not detected.
+
+ 825. [bug] zone.c:ns_query() detached from the wrong zone
+ reference. [RT #1264]
+
+ 824. [bug] Correct line numbers reported by dns_master_load().
+ [RT #1263]
+
+ 823. [func] The output of "dig -h" now goes to stdout so that it
+ can easily be piped through "more". [RT #1254]
+
+ 822. [bug] Sending nxrrset prerequisites would crash nsupdate.
+ [RT #1248]
+
+ 821. [bug] The program name used when logging to syslog should
+ be stripped of leading path components.
+ [RT #1178, #1232]
+
+ 820. [bug] Name server address lookups failed to follow
+ A6 chains into the glue of local authoritative
+ zones.
+
+ 819. [bug] In certain cases, the resolver's attempts to
+ restart an address lookup at the root could cause
+ the fetch to deadlock (with itself) instead of
+ restarting. [RT #1225]
+
+ 818. [bug] Certain pathological responses to ANY queries could
+ cause an assertion failure. [RT #1218]
+
+ 817. [func] Adjust timeouts for dialup zone queries.
+
+ 816. [bug] Report potential problems with log file accessibility
+ at configuration time, since such problems can't
+ reliably be reported at the time they actually occur.
+
+ 815. [bug] If a log file was specified with a path separator
+ character (i.e. "/") in its name and the directory
+ did not exist, the log file's name was treated as
+ though it were the directory name. [RT #1189]
+
+ 814. [bug] Socket objects left over from accept() failures
+ were incorrectly destroyed, causing corruption
+ of socket manager data structures.
+
+ 813. [bug] File descriptors exceeding FD_SETSIZE were handled
+ badly. [RT #1192]
+
+ 812. [bug] dig sometimes printed incomplete IXFR responses
+ due to an uninitialized variable. [RT #1188]
+
+ 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194]
+
+ 810. [bug] The signer name in SIG records was not properly
+ downcased when signing/verifying records. [RT #1186]
+
+ 809. [bug] Configuring a non-local address as a transfer-source
+ could cause an assertion failure during load.
+
+ 808. [func] Add 'rndc flush' to flush the server's cache.
+
+ 807. [bug] When setting up TCP connections for incoming zone
+ transfers, the transfer-source port was not
+ ignored like it should be.
+
+ 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up
+ the calling stack to the zone maintence level, causing
+ zones to not reload when an included file was touched
+ but the top-level zone file was not.
+
+ 805. [bug] When using "forward only", missing root hints should
+ not cause queries to fail. [RT #1143]
+
+ 804. [bug] Attempting to obtain entropy could fail in some
+ situations. This would be most common on systems
+ with user-space threads. [RT #1131]
+
+ 803. [bug] Treat all SIG queries as if they have the CD bit set,
+ otherwise no data will be returned [RT #749]
+
+ 802. [bug] DNSSEC key tags were computed incorrectly in almost
+ all cases. [RT #1146]
+
+ 801. [bug] nsupdate should treat lines beginning with ';' as
+ comments. [RT #1139]
+
+ 800. [bug] dnssec-signzone produced incorrect statistics for
+ large zones. [RT #1133]
+
+ 799. [bug] The ADB didn't find AAAA glue in a zone unless A6
+ glue was also present.
+
+ 798. [bug] nsupdate should be able to reject bad input lines
+ and continue. [RT #1130]
+
+ 797. [func] Issue a warning if the 'directory' option contains
+ a relative path. [RT #269]
+
+ 796. [func] When a size limit is associated with a log file,
+ only roll it when the size is reached, not every
+ time the log file is opened. [RT #1096]
+
+ 795. [func] Add the +multiline option to dig. [RT #1095]
+
+ 794. [func] Implement the "port" and "default-port" statements
+ in rndc.conf.
+
+ 793. [cleanup] The DNSSEC tools could create filenames that were
+ illegal or contained shell metacharacters. They
+ now use a different text encoding of names that
+ doesn't have these problems. [RT #1101]
+
+ 792. [cleanup] Replace the OMAPI command channel protocol with a
+ simpler one.
+
+ 791. [bug] The command channel now works over IPv6.
+
+ 790. [bug] Wildcards created using dynamic update or IXFR
+ could fail to match. [RT #1111]
+
+ 789. [bug] The "localhost" and "localnets" ACLs did not match
+ when used as the second element of a two-element
+ sortlist item.
+
+ 788. [func] Add the "match-mapped-addresses" option, which
+ causes IPv6 v4mapped addresses to be treated as
+ IPv4 addresses for the purpose of acl matching.
+
+ 787. [bug] The DNSSEC tools failed to downcase domain
+ names when mapping them into file names.
+
+ 786. [bug] When DNSSEC signing/verifying data, owner names were
+ not properly downcased.
+
+ 785. [bug] A race condition in the resolver could cause
+ an assertion failure. [RT #673, #872, #1048]
+
+ 784. [bug] nsupdate and other programs would not quit properly
+ if some signals were blocked by the caller. [RT #1081]
+
+ 783. [bug] Following CNAMEs could cause an assertion failure
+ when either using an sdb database or under very
+ rare conditions.
+
+ 782. [func] Implement the "serial-query-rate" option.
+
+ 781. [func] Avoid error packet loops by dropping duplicate FORMERR
+ responses. [RT #1006]
+
+ 780. [bug] Error handling code dealing with out of memory or
+ other rare errors could lead to assertion failures
+ by calling functions on unitialized names. [RT #1065]
+
+ 779. [func] Added the "minimal-responses" option.
+
+ 778. [bug] When starting cache cleaning, cleaning_timer_action()
+ returned without first pausing the iterator, which
+ could cause deadlock. [RT #998]
+
+ 777. [bug] An empty forwarders list in a zone failed to override
+ global forwarders. [RT #995]
+
+ 776. [func] Improved error reporting in denied messages. [RT #252]
+
+ 775. [placeholder]
+
+ 774. [func] max-cache-size is implemented.
+
+ 773. [func] Added isc_rwlock_trylock() to attempt to lock without
+ blocking.
+
+ 772. [bug] Owner names could be incorrectly omitted from cache
+ dumps in the presence of negative caching entries.
+ [RT #991]
+
+ 771. [cleanup] TSIG errors related to unsynchronized clocks
+ are logged better. [RT #919]
+
+ 770. [func] Add the "edns yes_or_no" statement to the server
+ clause. [RT #524]
+
+ 769. [func] Improved error reporting when parsing rdata. [RT #740]
+
+ 768. [bug] The server did not emit an SOA when a CNAME
+ or DNAME chain ended in NXDOMAIN in an
+ authoritative zone.
+
+ 767. [placeholder]
+
+ 766. [bug] A few cases in query_find() could leak fname.
+ This would trigger the mpctx->allocated == 0
+ assertion when the server exited.
+ [RT #739, #776, #798, #812, #818, #821, #845,
+ #892, #935, #966]
+
+ 765. [func] ACL names are once again case insensitive, like
+ in BIND 8. [RT #252]
+
+ 764. [func] Configuration files now allow "include" directives
+ in more places, such as inside the "view" statement.
+ [RT #377, #728, #860]
+
+ 763. [func] Configuration files no longer have reserved words.
+ [RT #731, #753]
+
+ 762. [cleanup] The named.conf and rndc.conf file parsers have
+ been completely rewritten.
+
+ 761. [bug] _REENTRANT was still defined when building with
+ --disable-threads.
+
+ 760. [contrib] Significant enhancements to the pgsql sdb driver.
+
+ 759. [bug] The resolver didn't turn off "avoid fetches" mode
+ when restarting, possibly causing resolution
+ to fail when it should not. This bug only affected
+ platforms which support both IPv4 and IPv6. [RT #927]
+
+ 758. [bug] The "avoid fetches" code did not treat negative
+ cache entries correctly, causing fetches that would
+ be useful to be avoided. This bug only affected
+ platforms which support both IPv4 and IPv6. [RT #927]
+
+ 757. [func] Log zone transfers.
+
+ 756. [bug] dns_zone_load() could "return" success when no master
+ file was configured.
+
+ 755. [bug] Fix incorrectly formatted log messages in zone.c.
+
+ 754. [bug] Certain failure conditions sending UDP packets
+ could cause the server to retry the transmission
+ indefinitely. [RT #902]
+
+ 753. [bug] dig, host, and nslookup would fail to contact a
+ remote server if getaddrinfo() returned an IPv6
+ address on a system that doesn't support IPv6.
+ [RT #917]
+
+ 752. [func] Correct bad tv_usec elements returned by
+ gettimeofday().
+
+ 751. [func] Log successful zone loads / transfers. [RT #898]
+
+ 750. [bug] A query should not match a DNAME whose trust level
+ is pending. [RT #916]
+
+ 749. [bug] When a query matched a DNAME in a secure zone, the
+ server did not return the signature of the DNAME.
+ [RT #915]
+
+ 748. [doc] List supported RFCs in doc/misc/rfc-compliance.
+ [RT #781]
+
+ 747. [bug] The code to determine whether an IXFR was possible
+ did not properly check for a database that could
+ not have a journal. [RT #865, #908]
+
+ 746. [bug] The sdb didn't clone rdatasets properly, causing
+ a crash when the server followed delegations. [RT #905]
+
+ 745. [func] Report the owner name of records that fail
+ semantic checks while loading.
+
+ 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the
+ result of an ANY or SIG query, the resolver failed
+ to setup the return event's rdatasets, causing an
+ assertion failure in the query code. [RT #881]
+
+ 743. [bug] Receiving a large number of certain malformed
+ answers could cause named to stop responding.
+ [RT #861]
+
+ 742. [placeholder]
+
+ 741. [port] Support openssl-engine. [RT #709]
+
+ 740. [port] Handle openssl library mismatches slightly better.
+
+ 739. [port] Look for /dev/random in configure, rather than
+ assuming it will be there for only a predefined
+ set of OSes.
+
+ 738. [bug] If a non-threadsafe sdb driver supported AXFR and
+ received an AXFR request, it would deadlock or die
+ with an assertion failure. [RT #852]
+
+ 737. [port] stdtime.c failed to compile on certain platforms.
+
+ 736. [func] New functions isc_task_{begin,end}exclusive().
+
+ 735. [doc] Add BIND 4 migration notes.
+
+ 734. [bug] An attempt to re-lock the zone lock could occur if
+ the server was shutdown during a zone tranfer.
+ [RT #830]
+
+ 733. [bug] Reference counts of dns_acl_t objects need to be
+ locked but were not. [RT #801, #821]
+
+ 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828]
+
+ 731. [bug] Certain zone errors could cause named-checkzone to
+ fail ungracefully. [RT #819]
+
+ 730. [bug] lwres_getaddrinfo() returns the correct result when
+ it fails to contact a server. [RT #768]
+
+ 729. [port] pthread_setconcurrency() needs to be called on Solaris.
+
+ 728. [bug] Fix comment processing on master file directives.
+ [RT# 757]
+
+ 727. [port] Work around OS bug where accept() succeeds but
+ fails to fill in the peer address of the accepted
+ connection, by treating it as an error rather than
+ an assertion failure. [RT #809]
+
+ 726. [func] Implement the "trace" and "notrace" commands in rndc.
+
+ 725. [bug] Installing man pages could fail.
+
+ 724. [func] New libisc functions isc_netaddr_any(),
+ isc_netaddr_any6().
+
+ 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver
+ to return DNS_R_SERVFAIL. [RT #783]
+
+ 722. [func] Allow incremental loads to be canceled.
+
+ 721. [cleanup] Load manager and dns_master_loadfilequota() are no
+ more.
+
+ 720. [bug] Server could enter infinite loop in
+ dispatch.c:do_cancel(). [RT #733]
+
+ 719. [bug] Rapid reloads could trigger an assertion failure.
+ [RT #743, #763]
+
+ 718. [cleanup] "internal" is no longer a reserved word in named.conf.
+ [RT #753, #731]
+
+ 717. [bug] Certain TKEY processing failure modes could
+ reference an uninitialized variable, causing the
+ server to crash. [RT #750]
+
+ 716. [bug] The first line of a $INCLUDE master file was lost if
+ an origin was specified. [RT #744]
+
+ 715. [bug] Resolving some A6 chains could cause an assertion
+ failure in adb.c. [RT #738]
+
+ 714. [bug] Preserve interval timers across reloads unless changed.
+ [RT# 729]
+
+ 713. [func] named-checkconf takes '-t directory' similar to named.
+ [RT #726]
+
+ 712. [bug] Sending a large signed update message caused an
+ assertion failure. [RT #718]
+
+ 711. [bug] The libisc and liblwres implementations of
+ inet_ntop contained an off by one error.
+
+ 710. [func] The forwarders statement now takes an optional
+ port. [RT #418]
+
+ 709. [bug] ANY or SIG queries for data with a TTL of 0
+ would return SERVFAIL. [RT #620]
+
+ 708. [bug] When building with --with-openssl, the openssl headers
+ included with BIND 9 should not be used. [RT #702]
+
+ 707. [func] The "filename" argument to named-checkzone is no
+ longer optional, to reduce confusion. [RT #612]
+
+ 706. [bug] Zones with an explicit "allow-update { none; };"
+ were considered dynamic and therefore not reloaded
+ on SIGHUP or "rndc reload".
+
+ 705. [port] Work out resource limit type for use where rlim_t is
+ not available. [RT #695]
+
+ 704. [port] RLIMIT_NOFILE is not available on all platforms.
+ [RT #695]
+
+ 703. [port] sys/select.h is needed on older platforms. [RT #695]
+
+ 702. [func] If the address 0.0.0.0 is seen in resolv.conf,
+ use 127.0.0.1 instead. [RT #693]
+
+ 701. [func] Root hints are now fully optional. Class IN
+ views use compiled-in hints by default, as
+ before. Non-IN views with no root hints now
+ provide authoritative service but not recursion.
+ A warning is logged if a view has neither root
+ hints nor authoritative data for the root. [RT #696]
+
+ 700. [bug] $GENERATE range check was wrong. [RT #688]
+
+ 699. [bug] The lexer mishandled empty quoted strings. [RT #694]
+
+ 698. [bug] Aborting nsupdate with ^C would lead to several
+ race conditions.
+
+ 697. [bug] nsupdate was not compatible with the undocumented
+ BIND 8 behavior of ignoring TTLs in "update delete"
+ commands. [RT #693]
+
+ 696. [bug] lwresd would die with an assertion failure when passed
+ a zero-length name. [RT #692]
+
+ 695. [bug] If the resolver attempted to query a blackholed or
+ bogus server, the resolution would fail immediately.
+
+ 694. [bug] $GENERATE did not produce the last entry.
+ [RT #682, #683]
+
+ 693. [bug] An empty lwres statement in named.conf caused
+ the server to crash while loading.
+
+ 692. [bug] Deal with systems that have getaddrinfo() but not
+ gai_strerror(). [RT #679]
+
+ 691. [bug] Configuring per-view forwarders caused an assertion
+ failure. [RT #675, #734]
+
+ 690. [func] $GENERATE now supports DNAME. [RT #654]
+
+ 689. [doc] man pages are now installed. [RT #210]
+
+ 688. [func] "make tags" now works on systems with the
+ "Exuberant Ctags" etags.
+
+ 687. [bug] Only say we have IPv6, with sufficent functionality,
+ if it has actually been tested. [RT #586]
+
+ 686. [bug] dig and nslookup can now be properly aborted during
+ blocking operations. [RT #568]
+
+ 685. [bug] nslookup should use the search list/domain options
+ from resolv.conf by default. [RT #405, #630]
+
+ 684. [bug] Memory leak with view forwarders. [RT #656]
+
+ 683. [bug] File descriptor leak in isc_lex_openfile().
+
+ 682. [bug] nslookup displayed SOA records incorrectly. [RT #665]
+
+ 681. [bug] $GENERATE specifying output format was broken. [RT #653]
+
+ 680. [bug] dns_rdata_fromstruct() mishandled options bigger
+ than 255 octets.
+
+ 679. [bug] $INCLUDE could leak memory and file descriptors on
+ reload. [RT #639]
+
+ 678. [bug] "transfer-format one-answer;" could trigger an assertion
+ failure. [RT #646]
+
+ 677. [bug] dnssec-signzone would occasionally use the wrong ttl
+ for database operations and fail. [RT #643]
+
+ 676. [bug] Log messages about lame servers to category
+ 'lame-servers' rather than 'resolver', so as not
+ to be gratuitously incompatible with BIND 8.
+
+ 675. [bug] TKEY queries could cause the server to leak
+ memory.
+
+ 674. [func] Allow messages to be TSIG signed / verified using
+ a offset from the current time.
+
+ 673. [func] The server can now convert RFC1886-style recursive
+ lookup requests into RFC2874-style lookups, when
+ enabled using the new option "allow-v6-synthesis".
+
+ 672. [bug] The wrong time was in the "time signed" field when
+ replying with BADTIME error.
+
+ 671. [bug] The message code was failing to parse a message with
+ no question section and a TSIG record. [RT #628]
+
+ 670. [bug] The lwres replacements for getaddrinfo and
+ getipnodebyname didn't properly check for the
+ existence of the sockaddr sa_len field.
+
+ 669. [bug] dnssec-keygen now makes the public key file
+ non-world-readable for symmetric keys. [RT #403]
+
+ 668. [func] named-checkzone now reports multiple errors in master
+ files.
+
+ 667. [bug] On Linux, running named with the -u option and a
+ non-world-readable configuration file didn't work.
+ [RT #626]
+
+ 666. [bug] If a request sent by dig is longer than 512 bytes,
+ use TCP.
+
+ 665. [bug] Signed responses were not sent when the size of the
+ TSIG + question exceeded the maximum message size.
+ [RT #628]
+
+ 664. [bug] The t_tasks and t_timers module tests are now skipped
+ when building without threads, since they require
+ threads.
+
+ 663. [func] Accept a size_spec, not just an integer, in the
+ (unimplemented and ignored) max-ixfr-log-size option
+ for compatibility with recent versions of BIND 8.
+ [RT #613]
+
+ 662. [bug] dns_rdata_fromtext() failed to log certain errors.
+
+ 661. [bug] Certain UDP IXFR requests caused an assertion failure
+ (mpctx->allocated == 0). [RT #355, #394, #623]
+
+ 660. [port] Detect multiple CPUs on HP-UX and IRIX.
+
+ 659. [performance] Rewrite the name compression code to be much faster.
+
+ 658. [cleanup] Remove all vestiges of 16 bit global compression.
+
+ 657. [bug] When a listen-on statement in an lwres block does not
+ specify a port, use 921, not 53. Also update the
+ listen-on documentation. [RT #616]
+
+ 656. [func] Treat an unescaped newline in a quoted string as
+ an error. This means that TXT records with missing
+ close quotes should have meaningful errors printed.
+
+ 655. [bug] Improve error reporting on unexpected eof when loading
+ zones. [RT #611]
+
+ 654. [bug] Origin was being forgotten in TCP retries in dig.
+ [RT #574]
+
+ 653. [bug] +defname option in dig was reversed in sense.
+ [RT #549]
+
+ 652. [bug] zone_saveunique() did not report the new name.
+
+ 651. [func] The AD bit in responses now has the meaning
+ specified in <draft-ietf-dnsext-ad-is-secure>.
+
+ 650. [bug] SIG(0) records were being generated and verified
+ incorrectly. [RT #606]
+
+ 649. [bug] It was possible to join to an already running fctx
+ after it had "cloned" its events, but before it sent
+ them. In this case, the event of the newly joined
+ fetch would not contain the answer, and would
+ trigger the INSIST() in fctx_sendevents(). In
+ BIND 9.0, this bug did not trigger an INSIST(), but
+ caused the fetch to fail with a SERVFAIL result.
+ [RT #588, #597, #605, #607]
+
+ 648. [port] Add support for pre-RFC2133 IPv6 implementations.
+
+ 647. [bug] Resolver queries sent after following multiple
+ referrals had excessively long retransmission
+ timeouts due to incorrectly counting the referrals
+ as "restarts".
+
+ 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h
+ didn't _cleanly_ fix the problem it was trying to fix.
+
+ 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603]
+
+ 644. [bug] #622 needed more work. [RT #562]
+
+ 643. [bug] xfrin error messages made more verbose, added class
+ of the zone. [RT# 599]
+
+ 642. [bug] Break the exit_check() race in the zone module.
+ [RT #598]
+
+ --- 9.1.0b2 released ---
+
+ 641. [bug] $GENERATE caused a uninitialized link to be used.
+ [RT #595]
+
+ 640. [bug] Memory leak in error path could cause
+ "mpctx->allocated == 0" failure. [RT #584]
+
+ 639. [bug] Reading entropy from the keyboard would sometimes fail.
+ [RT #591]
+
+ 638. [port] lib/isc/random.c needed to explicitly include time.h
+ to get a prototype for time() when pthreads was not
+ being used. [RT #592]
+
+ 637. [port] Use isc_u?int64_t instead of (unsigned) long long in
+ lib/isc/print.c. Also allow lib/isc/print.c to
+ be compiled even if the platform does not need it.
+ [RT #592]
+
+ 636. [port] Shut up MSVC++ about a possible loss of precision
+ in the ISC__BUFFER_PUTUINT*() macros. [RT #592]
+
+ 635. [bug] Reloading a server with a configured blackhole list
+ would cause an assertion. [RT #590]
+
+ 634. [bug] A log file will completely stop being written when
+ it reaches the maximum size in all cases, not just
+ when versioning is also enabled. [RT #570]
+
+ 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575]
+
+ 632. [bug] The index array of the journal file was
+ corrupted as it was written to disk.
+
+ 631. [port] Build without thread support on systems without
+ pthreads.
+
+ 630. [bug] Locking failure in zone code. [RT #582]
+
+ 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed
+ when responding to a UDP IXFR request.
+
+ 628. [bug] If the root hints contained only AAAA addresses,
+ named would be unable to perform resolution.
+
+ 627. [bug] The EDNS0 blackhole detection code of change 324
+ waited for three retransmissions to each server,
+ which takes much too long when a domain has many
+ name servers and all of them drop EDNS0 queries.
+ Now we retry without EDNS0 after three consecutive
+ timeouts, even if they are all from different
+ servers. [RT #143]
+
+ 626. [bug] The lightweight resolver daemon no longer crashes
+ when asked for a SIG rrset. [RT #558]
+
+ 625. [func] Zones now inherit their class from the enclosing view.
+
+ 624. [bug] The zone object could get timer events after it had
+ been destroyed, causing a server crash. [RT #571]
+
+ 623. [func] Added "named-checkconf" and "named-checkzone" program
+ for syntax checking named.conf files and zone files,
+ respectively.
+
+ 622. [bug] A canceled request could be destroyed before
+ dns_request_destroy() was called. [RT #562]
+
+ 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable.
+ This mostly affects Red Hat Linux 7.0, which has
+ conflicts between libc and the kernel.
+
+ 620. [bug] dns_master_load*inc() now require 'task' and 'load'
+ to be non-null. Also 'done' will not be called if
+ dns_master_load*inc() fails immediately. [RT #565]
+
+ 618. [bug] Queries to a signed zone could sometimes cause
+ an assertion failure.
+
+ 617. [bug] When using dynamic update to add a new RR to an
+ existing RRset with a different TTL, the journal
+ entries generated from the update did not include
+ explicit deletions and re-additions of the existing
+ RRs to update their TTL to the new value.
+
+ 616. [func] dnssec-signzone -t output now includes performance
+ statistics.
+
+ 615. [bug] dnssec-signzone did not like child keysets signed
+ by multiple keys.
+
+ 614. [bug] Checks for uninitialized link fields were prone
+ to false positives, causing assertion failures.
+ The checks are now disabled by default and may
+ be re-enabled by defining ISC_LIST_CHECKINIT.
+
+ 613. [bug] "rndc reload zone" now reloads primary zones.
+ It previously only updated slave and stub zones,
+ if an SOA query indicated an out of date serial.
+
+ 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that
+ complains relentlessly about how its treatment
+ of 'const' has changed as well as how casting
+ sometimes tightens alignment constraints.
+
+ 611. [func] allow-notify can be used to permit processing of
+ notify messages from hosts other than a slave's
+ masters.
+
+ 610. [func] rndc dumpdb is now supported.
+
+ 609. [bug] getrrsetbyname() would crash lwresd if the server
+ found more SIGs than answers. [RT #554]
+
+ 608. [func] dnssec-signzone now adds a comment to the zone
+ with the time the file was signed.
+
+ 607. [bug] nsupdate would fail if it encountered a CNAME or
+ DNAME in a response to an SOA query. [RT #515]
+
+ 606. [bug] Compiling with --disable-threads failed due
+ to isc_thread_self() being incorrectly defined
+ as an integer rather than a function.
+
+ 605. [func] New function isc_lex_getlasttokentext().
+
+ 604. [bug] The named.conf parser could print incorrect line
+ numbers when long comments were present.
+
+ 603. [bug] Make dig handle multiple types or classes on the same
+ query more correctly.
+
+ 602. [func] Cope automatically with UnixWare's broken
+ IN6_IS_ADDR_* macros. [RT #539]
+
+ 601. [func] Return a non-zero exit code if an update fails
+ in nsupdate.
+
+ 600. [bug] Reverse lookups sometimes failed in dig, etc...
+
+ 599. [func] Added four new functions to the libisc log API to
+ support i18n messages. isc_log_iwrite(),
+ isc_log_ivwrite(), isc_log_iwrite1() and
+ isc_log_ivwrite1() were added.
+
+ 598. [bug] An update-policy statement would cause the server
+ to assert while loading. [RT #536]
+
+ 597. [func] dnssec-signzone is now multi-threaded.
+
+ 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are
+ not mutually exclusive.
+
+ 595. [port] On Linux 2.2, socket() returns EINVAL when it
+ should return EAFNOSUPPORT. Work around this.
+ [RT #531]
+
+ 594. [func] sdb drivers are now assumed to not be thread-safe
+ unless the DNS_SDBFLAG_THREADSAFE flag is supplied.
+
+ 593. [bug] If a secure zone was missing all its NXTs and
+ a dynamic update was attempted, the server entered
+ an infinite loop.
+
+ 592. [bug] The sig-validity-interval option now specifies a
+ number of days, not seconds. This matches the
+ documentation. [RT #529]
+
+ --- 9.1.0b1 released ---
+
+ 591. [bug] Work around non-reentrancy in openssl by disabling
+ precomputation in keys.
+
+ 590. [doc] There are now man pages for the lwres library in
+ doc/man/lwres.
+
+ 589. [bug] The server could deadlock if a zone was updated
+ while being transferred out.
+
+ 588. [bug] ctx->in_use was not being correctly initialized when
+ when pushing a file for $INCLUDE. [RT #523]
+
+ 587. [func] A warning is now printed if the "allow-update"
+ option allows updates based on the source IP
+ address, to alert users to the fact that this
+ is insecure and becoming increasingly so as
+ servers capable of update forwarding are being
+ deployed.
+
+ 586. [bug] multiple views with the same name were fatal. [RT #516]
+
+ 585. [func] dns_db_addrdataset() and and dns_rdataslab_merge()
+ now support 'exact' additions in a similar manner to
+ dns_db_subtractrdataset() and dns_rdataslab_subtract().
+
+ 584. [func] You can now say 'notify explicit'; to suppress
+ notification of the servers listed in NS records
+ and notify only those servers listed in the
+ 'also-notify' option.
+
+ 583. [func] "rndc querylog" will now toggle logging of
+ queries, like "ndc querylog" in BIND 8.
+
+ 582. [bug] dns_zone_idetach() failed to lock the zone.
+ [RT #199, #463]
+
+ 581. [bug] log severity was not being correctly processed.
+ [RT #485]
+
+ 580. [func] Ignore trailing garbage on incoming DNS packets,
+ for interoperability with broken server
+ implementations. [RT #491]
+
+ 579. [bug] nsupdate did not take a filename to read update from.
+ [RT #492]
+
+ 578. [func] New config option "notify-source", to specify the
+ source address for notify messages.
+
+ 577. [func] Log illegal RDATA combinations. e.g. multiple
+ singlton types, cname and other data.
+
+ 576. [doc] isc_log_create() description did not match reality.
+
+ 575. [bug] isc_log_create() was not setting internal state
+ correctly to reflect the default channels created.
+
+ 574. [bug] TSIG signed queries sent by the resolver would fail to
+ have their responses validated and would leak memory.
+
+ 573. [bug] The journal files of IXFRed slave zones were
+ inadvertantly discarded on server reload, causing
+ "journal out of sync with zone" errors on subsequent
+ reloads. [RT #482]
+
+ 572. [bug] Quoted strings were not accepted as key names in
+ address match lists.
+
+ 571. [bug] It was possible to create an rdataset of singleton
+ type which had more than one rdata. [RT #154]
+ [RT #279]
+
+ 570. [bug] rbtdb.c allowed zones containing nodes which had
+ both a CNAME and "other data". [RT #154]
+
+ 569. [func] The DNSSEC AD bit will not be set on queries which
+ have not requested a DNSSEC response.
+
+ 568. [func] Add sample simple database drivers in contrib/sdb.
+
+ 567. [bug] Setting the zone transfer timeout to zero caused an
+ assertion failure. [RT #302]
+
+ 566. [func] New public function dns_timer_setidle().
+
+ 565. [func] Log queries more like BIND 8: query logging is now
+ done to category "queries", level "info". [RT #169]
+
+ 564. [func] Add sortlist support to lwresd.
+
+ 563. [func] New public functions dns_rdatatype_format() and
+ dns_rdataclass_format(), for convenient formatting
+ of rdata type/class mnemonics in log messages.
+
+ 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong.
+
+ 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files'
+ clauses of the options{} statement are now implemented.
+
+ 560. [bug] dns_name_split did not properly the resulting prefix
+ when a maximal length bitstring label was split which
+ was preceded by another bitstring label. [RT #429]
+
+ 559. [bug] dns_name_split did not properly create the suffix
+ when splitting within a maximal length bitstring label.
+
+ 558. [func] New functions, isc_resource_getlimit and
+ isc_resource_setlimit.
+
+ 557. [func] Symbolic constants for libisc integral types.
+
+ 556. [func] The DNSSEC OK bit in the EDNS extended flags
+ is now implemented. Responses to queries without
+ this bit set will not contain any DNSSEC records.
+
+ 555. [bug] A slave server attempting a zone transfer could
+ crash with an assertion failure on certain
+ malformed responses from the master. [RT #457]
+
+ 554. [bug] In some cases, not all of the dnssec tools were
+ properly installed.
+
+ 553. [bug] Incoming zone transfers deferred due to quota
+ were not started when quota was increased but
+ only when a transfer in progress finished. [RT #456]
+
+ 552. [bug] We were not correctly detecting the end of all c-style
+ comments. [RT #455]
+
+ 551. [func] Implemented the 'sortlist' option.
+
+ 550. [func] Support unknown rdata types and classes.
+
+ 549. [bug] "make" did not immediately abort the build when a
+ subdirectory make failed [RT #450].
+
+ 548. [func] The lexer now ungets tokens more correctly.
+
+ 546. [func] Option 'lame-ttl' is now implemented.
+
+ 545. [func] Name limit and counting options removed from dig;
+ they didn't work properly, and cannot be correctly
+ implemented without significant changes.
+
+ 544. [func] Add statistics option, enable statistics-file option,
+ add RNDC option "dump-statistics" to write out a
+ query statistics file.
+
+ 543. [doc] The 'port' option is now documented.
+
+ 542. [func] Add support for update forwarding as required for
+ full compliance with RFC2136. It is turned off
+ by default and can be enabled using the
+ 'allow-update-forwarding' option.
+
+ 541. [func] Add bogus server support.
+
+ 540. [func] Add dialup support.
+
+ 539. [func] Support the blackhole option.
+
+ 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo().
+
+ 536. [func] Use transfer-source{-v6} when sending refresh queries.
+ Transfer-source{-v6} now take a optional port
+ parameter for setting the UDP source port. The port
+ parameter is ignored for TCP.
+
+ 535. [func] Use transfer-source{-v6} when forwarding update
+ requests.
+
+ 534. [func] Ancestors have been removed from RBT chains. Ancestor
+ information can be discerned via node parent pointers.
+
+ 533. [func] Incorporated name hashing into the RBT database to
+ improve search speed.
+
+ 532. [func] Implement DNS UPDATE pseudo records using
+ DNS_RDATA_UPDATE flag.
+
+ 531. [func] Rdata really should be initialized before being assigned
+ to (dns_rdata_fromwire(), dns_rdata_fromtext(),
+ dns_rdata_clone(), dns_rdata_fromregion()),
+ check that it is.
+
+ 530. [func] New function dns_rdata_invalidate().
+
+ 529. [bug] 521 contained a bug which caused zones to always
+ reload. [RT #410]
+
+ 528. [func] The ISC_LIST_XXXX macros now perform sanity checks
+ on their arguments. ISC_LIST_XXXXUNSAFE can be use
+ to skip the checks however use with caution.
+
+ 527. [func] New function dns_rdata_clone().
+
+ 526. [bug] nsupdate incorrectly refused to add RRs with a TTL
+ of 0.
+
+ 525. [func] New arguments 'options' for dns_db_subtractrdataset(),
+ and 'flags' for dns_rdataslab_subtract() allowing you
+ to request that the RR's must exist prior to deletion.
+ DNS_R_NOTEXACT is returned if the condition is not met.
+
+ 524. [func] The 'forward' and 'forwarders' statement in
+ non-forward zones should work now.
+
+ 523. [doc] The source to the Administrator Reference Manual is
+ now an XML file using the DocBook DTD, and is included
+ in the distribution. The plain text version of the
+ ARM is temporarily unavailable while we figure out
+ how to generate readable plain text from the XML.
+
+ 522. [func] The lightweight resolver daemon can now use
+ a real configuration file, and its functionality
+ can be provided by a name server. Also, the -p and -P
+ options to lwresd have been reversed.
+
+ 521. [bug] Detect master files which contain $INCLUDE and always
+ reload. [RT #196]
+
+ 520. [bug] Upgraded libtool to 1.3.5, which makes shared
+ library builds almost work on AIX (and possibly
+ others).
+
+ 519. [bug] dns_name_split() would improperly split some bitstring
+ labels, zeroing a few of the least signficant bits in
+ the prefix part. When such an improperly created
+ prefix was returned to the RBT database, the bogus
+ label was dutifully stored, corrupting the tree.
+ [RT #369]
+
+ 518. [bug] The resolver did not realize that a DNAME which was
+ "the answer" to the client's query was "the answer",
+ and such queries would fail. [RT #399]
+
+ 517. [bug] The resolver's DNAME code would trigger an assertion
+ if there was more than one DNAME in the chain.
+ [RT #399]
+
+ 516. [bug] Cache lookups which had a NULL node pointer, e.g.
+ those by dns_view_find(), and which would match a
+ DNAME, would trigger an INSIST(!search.need_cleanup)
+ assertion. [RT #399]
+
+ 515. [bug] The ssu table was not being attached / detached
+ by dns_zone_[sg]etssutable. [RT#397]
+
+ 514. [func] Retry refresh and notify queries if they timeout.
+ [RT #388]
+
+ 513. [func] New functionality added to rdnc and server to allow
+ individual zones to be refreshed or reloaded.
+
+ 512. [bug] The zone transfer code could throw an execption with
+ an invalid IXFR stream.
+
+ 511. [bug] The message code could throw an assertion on an
+ out of memory failure. [RT #392]
+
+ 510. [bug] Remove spurious view notify warning. [RT #376]
+
+ 509. [func] Add support for write of zone files on shutdown.
+
+ 508. [func] dns_message_parse() can now do a best-effort
+ attempt, which should allow dig to print more invalid
+ messages.
+
+ 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach()
+ and dns_view_flushanddetach().
+
+ 506. [func] Do not fail to start on errors in zone files.
+
+ 505. [bug] nsupdate was printing "unknown result code". [RT #373]
+
+ 504. [bug] The zone was not being marked as dirty when updated via
+ IXFR.
+
+ 503. [bug] dumptime was not being set along with
+ DNS_ZONEFLG_NEEDDUMP.
+
+ 502. [func] On a SERVFAIL reply, DiG will now try the next server
+ in the list, unless the +fail option is specified.
+
+ 501. [bug] Incorrect port numbers were being displayed by
+ nslookup. [RT #352]
+
+ 500. [func] Nearly useless +details option removed from DiG.
+
+ 499. [func] In DiG, specifying a class with -c or type with -t
+ changes command-line parsing so that classes and
+ types are only recognized if following -c or -t.
+ This allows hosts with the same name as a class or
+ type to be looked up.
+
+ 498. [doc] There is now a man page for "dig"
+ in doc/man/bin/dig.1.
+
+ 497. [bug] The error messages printed when an IP match list
+ contained a network address with a nonzero host
+ part where not sufficiently detailed. [RT #365]
+
+ 496. [bug] named didn't sanity check numeric parameters. [RT #361]
+
+ 495. [bug] nsupdate was unable to handle large records. [RT #368]
+
+ 494. [func] Do not cache NXDOMAIN responses for SOA queries.
+
+ 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses
+ for SOA queries. This makes it easier to locate
+ the containing zone without polluting intermediate
+ caches.
+
+ 492. [bug] attempting to reload a zone caused the server fail
+ to shutdown cleanly. [RT #360]
+
+ 491. [bug] nsupdate would segfault when sending certain
+ prerequisites with empty RDATA. [RT #356]
+
+ 490. [func] When a slave/stub zone has not yet successfully
+ obtained an SOA containing the zone's configured
+ retry time, perform the SOA query retries using
+ exponential backoff. [RT #337]
+
+ 489. [func] The zone manager now has a "i/o" queue.
+
+ 488. [bug] Locks weren't properly destroyed in some cases.
+
+ 487. [port] flockfile() is not defined on all systems.
+
+ 486. [bug] nslookup: "set all" and "server" commands showed
+ the incorrect port number if a port other than 53
+ was specified. [RT #352]
+
+ 485. [func] When dig had more than one server to query, it would
+ send all of the messages at the same time. Add
+ rate limiting of the transmitted messages.
+
+ 484. [bug] When the server was reloaded after removing addresses
+ from the named.conf "listen-on" statement, sockets
+ were still listening on the removed addresses due
+ to reference count loops. [RT #325]
+
+ 483. [bug] nslookup: "set all" showed a "search" option but it
+ was not settable.
+
+ 482. [bug] nslookup: a plain "server" or "lserver" should be
+ treated as a lookup.
+
+ 481. [bug] nslookup:get_next_command() stack size could exceed
+ per thread limit.
+
+ 480. [bug] strtok() is not thread safe. [RT #349]
+
+ 479. [func] The test suite can now be run by typing "make check"
+ or "make test" at the top level.
+
+ 478. [bug] "make install" failed if the directory specified with
+ --prefix did not already exist.
+
+ 477. [bug] The the isc-config.sh script could be installed before
+ its directory was created. [RT #324]
+
+ 476. [bug] A zone could expire while a zone transfer was in
+ progress triggering a INSIST failure. [RT #329]
+
+ 475. [bug] query_getzonedb() sometimes returned a non-null version
+ on failure. This caused assertion failures when
+ generating query responses where names subject to
+ additional section processing pointed to a zone
+ to which access had been denied by means of the
+ allow-query option. [RT #336]
+
+ 474. [bug] The mnemonic of the CHAOS class is CH according to
+ RFC1035, but it was printed and read only as CHAOS.
+ We now accept both forms as input, and print it
+ as CH. [RT #305]
+
+ 473. [bug] nsupdate overran the end of the list of name servers
+ when no servers could be reached, typically causing
+ it to print the error message "dns_request_create:
+ not implemented".
+
+ 472. [bug] Off-by-one error caused isc_time_add() to sometimes
+ produce invalid time values.
+
+ 471. [bug] nsupdate didn't compile on HP/UX 10.20
+
+ 470. [func] $GENERATE is now supported. See also
+ doc/misc/migration.
+
+ 469. [bug] "query-source address * port 53;" now works.
+
+ 468. [bug] dns_master_load*() failed to report file and line
+ number in certain error conditions.
+
+ 467. [bug] dns_master_load*() failed to log an error if
+ pushfile() failed.
+
+ 466. [bug] dns_master_load*() could return success when it failed.
+
+ 465. [cleanup] Allow 0 to be set as an omapi_value_t value by
+ omapi_value_storeint().
+
+ 464. [cleanup] Build with openssl's RSA code instead of dnssafe.
+
+ 463. [bug] nsupdate sent malformed SOA queries to the second
+ and subsequent name servers in resolv.conf if the
+ query sent to the first one failed.
+
+ 462. [bug] --disable-ipv6 should work now.
+
+ 461. [bug] Specifying an unknown key in the "keys" clause of the
+ "controls" statement caused a NULL pointer dereference.
+ [RT #316]
+
+ 460. [bug] Much of the DNSSEC code only worked with class IN.
+
+ 459. [bug] Nslookup processed the "set" command incorrectly.
+
+ 458. [bug] Nslookup didn't properly check class and type values.
+ [RT #305]
+
+ 457. [bug] Dig/host/hslookup didn't properly handle connect
+ timeouts in certain situations, causing an
+ unnecessary warning message to be printed.
+
+ 456. [bug] Stub zones were not resetting the refresh and expire
+ counters, loadtime or clearing the DNS_ZONE_REFRESH
+ (refresh in progress) flag upon successful update.
+ This disabled further refreshing of the stub zone,
+ causing it to eventually expire. [RT #300]
+
+ 455. [doc] Document IPv4 prefix notation does not require a
+ dotted decimal quad but may be just dotted decimal.
+
+ 454. [bug] Enforce dotted decimal and dotted decimal quad where
+ documented as such in named.conf. [RT #304, RT #311]
+
+ 453. [bug] Warn if the obsolete option "maintain-ixfr-base"
+ is specified in named.conf. [RT #306]
+
+ 452. [bug] Warn if the unimplemented option "statistics-file"
+ is specified in named.conf. [RT #301]
+
+ 451. [func] Update forwarding implememted.
+
+ 450. [func] New function ns_client_sendraw().
+
+ 449. [bug] isc_bitstring_copy() only works correctly if the
+ two bitstrings have the same lsb0 value, but this
+ requirement was not documented, nor was there a
+ REQUIRE for it.
+
+ 448. [bug] Host output formatting change, to match v8. [RT #255]
+
+ 447. [bug] Dig didn't properly retry in TCP mode after
+ a truncated reply. [RT #277]
+
+ 446. [bug] Confusing notify log message. [RT #298]
+
+ 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0
+ bitstring triggered a REQUIRE statement. The REQUIRE
+ statement was incorrect. [RT #297]
+
+ 444. [func] "recursion denied" messages are always logged at
+ debug level 1, now, rather than sometimes at ERROR.
+ This silences these warnings in the usual case, where
+ some clients set the RD bit in all queries.
+
+ 443. [bug] When loading a master file failed because of an
+ unrecognized RR type name, the error message
+ did not include the file name and line number.
+ [RT #285]
+
+ 442. [bug] TSIG signed messages that did not match any view
+ crashed the server. [RT #290]
+
+ 441. [bug] Nodes obscured by a DNAME were inaccessible even
+ when DNS_DBFIND_GLUEOK was set.
+
+ 440. [func] New function dns_zone_forwardupdate().
+
+ 439. [func] New function dns_request_createraw().
+
+ 438. [func] New function dns_message_getrawmessage().
+
+ 437. [func] Log NOTIFY activity to the notify channel.
+
+ 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH,
+ which sometimes happens on Linux, named would enter
+ a busy loop. Also, unexpected socket errors were
+ not logged at a high enough logging level to be
+ useful in diagnosing this situation. [RT #275]
+
+ 435. [bug] dns_zone_dump() overwrote existing zone files
+ rather than writing to a temporary file and
+ renaming. This could lead to empty or partial
+ zone files being left around in certain error
+ conditions involving the initial transfer of a
+ slave zone, interfering with subsequent server
+ startup. [RT #282]
+
+ 434. [func] New function isc_file_isabsolute().
+
+ 433. [func] isc_base64_decodestring() now accepts newlines
+ within the base64 data. This makes it possible
+ to break up the key data in a "trusted-keys"
+ statement into multiple lines. [RT #284]
+
+ 432. [func] Added refresh/retry jitter. The actual refresh/
+ retry time is now a random value between 75% and
+ 100% of the configured value.
+
+ 431. [func] Log at ISC_LOG_INFO when a zone is successfully
+ loaded.
+
+ 430. [bug] Rewrote the lightweight resolver client management
+ code to handle shutdown correctly and general
+ cleanup.
+
+ 429. [bug] The space reserved for a TSIG record in a response
+ was 2 bytes too short, leading to message
+ generation failures.
+
+ 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned
+ DNS_R_BADDB for nodes which had neither NXT nor SIG NXT
+ (e.g. glue). This could cause SERVFAILs when
+ generating negative responses in a secure zone.
+
+ 427. [bug] Avoid going into an infinite loop when the validator
+ gets a negative response to a key query where the
+ records are signed by the missing key.
+
+ 426. [bug] Attempting to generate an oversized RSA key could
+ cause dnssec-keygen to dump core.
+
+ 425. [bug] Warn about the auth-nxdomain default value change
+ if there is no auth-nxdomain statement in the
+ config file. [RT #287]
+
+ 424. [bug] notify_createmessage() could trigger an assertion
+ failure when creating the notify message failed,
+ e.g. due to corrupt zones with multiple SOA records.
+ [RT #279]
+
+ 423. [bug] When responding to a recusive query, errors that occur
+ after following a CNAME should cause the query to fail.
+ [RT #274]
+
+ 422. [func] get rid of isc_random_t, and make isc_random_get()
+ and isc_random_jitter() use rand() internally
+ instead of local state. Note that isc_random_*()
+ functions are only for weak, non-critical "randomness"
+ such as timing jitter and such.
+
+ 421. [bug] nslookup would exit when given a blank line as input.
+
+ 420. [bug] nslookup failed to implement the "exit" command.
+
+ 419. [bug] The certificate type PKIX was misspelled as SKIX.
+
+ 418. [bug] At debug levels >= 10, getting an unexpected
+ socket receive error would crash the server
+ while trying to log the error message.
+
+ 417. [func] Add isc_app_block() and isc_app_unblock(), which
+ allow an application to handle signals while
+ blocking.
+
+ 416. [bug] Slave zones with no master file tried to use a
+ NULL pointer for a journal file name when they
+ received an IXFR. [RT #273]
+
+ 415. [bug] The logging code leaked file descriptors.
+
+ 414. [bug] Server did not shut down until all incoming zone
+ transfers were finished.
+
+ 413. [bug] Notify could attempt to use the zone database after
+ it had been unloaded. [RT#267]
+
+ 412. [bug] named -v didn't print the version.
+
+ 411. [bug] A typo in the HS A code caused an assertion failure.
+
+ 410. [bug] lwres_gethostbyname() and company set lwres_h_errno
+ to a random value on success.
+
+ 409. [bug] If named was shut down early in the startup
+ process, ns_omapi_shutdown() would attempt to lock
+ an unintialized mutex. [RT #262]
+
+ 408. [bug] stub zones could leak memory and reference counts if
+ all the masters were unreachable.
+
+ 407. [bug] isc_rwlock_lock() would needlessly block
+ readers when it reached the read quota even
+ if no writers were waiting.
+
+ 406. [bug] Log messages were occasionally lost or corrupted
+ due to a race condition in isc_log_doit().
+
+ 405. [func] Add support for selective forwarding (forward zones)
+
+ 404. [bug] The request library didn't completely work with IPv6.
+
+ 403. [bug] "host" did not use the search list.
+
+ 402. [bug] Treat undefined acls as errors, rather than
+ warning and then later throwing an assertion.
+ [RT #252]
+
+ 401. [func] Added simple database API.
+
+ 400. [bug] SIG(0) signing and verifying was done incorrectly.
+ [RT #249]
+
+ 399. [bug] When reloading the server with a config file
+ containing a syntax error, it could catch an
+ assertion failure trying to perform zone
+ maintenance on, or sending notifies from,
+ tentatively created zones whose views were
+ never fully configured and lacked an address
+ database and request manager.
+
+ 398. [bug] "dig" sometimes caught an assertion failure when
+ using TSIG, depending on the key length.
+
+ 397. [func] Added utility functions dns_view_gettsig() and
+ dns_view_getpeertsig().
+
+ 396. [doc] There is now a man page for "nsupdate"
+ in doc/man/bin/nsupdate.8.
+
+ 395. [bug] nslookup printed incorrect RR type mnemonics
+ for RRs of type >= 21 [RT #237].
+
+ 394. [bug] Current name was not propagated via $INCLUDE.
+
+ 393. [func] Initial answer while loading (awl) support.
+ Entry points: dns_master_loadfileinc(),
+ dns_master_loadstreaminc(), dns_master_loadbufferinc().
+ Note: calls to dns_master_load*inc() should be rate
+ be rate limited so as to not use up all file
+ descriptors.
+
+ 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does
+ not support the given address family requested.
+
+ 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH.
+
+ 390. [func] The function dns_zone_setdbtype() now takes
+ an argc/argv style vector of words and sets
+ both the zone database type and its arguments,
+ making the functions dns_zone_adddbarg()
+ and dns_zone_cleardbargs() unnecessary.
+
+ 389. [bug] Attempting to send a reqeust over IPv6 using
+ dns_request_create() on a system without IPv6
+ support caused an assertion failure [RT #235].
+
+ 388. [func] dig and host can now do reverse ipv6 lookups.
+
+ 387. [func] Add dns_byaddr_createptrname(), which converts
+ an address into the name used by a PTR query.
+
+ 386. [bug] Missing strdup() of ACL name caused random
+ ACL matching failures [RT #228].
+
+ 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(),
+ and dns_zt_print().
+
+ 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead
+ of 2147483647.
+
+ 383. [func] When writing a master file, print the SOA and NS
+ records (and their SIGs) before other records.
+
+ 382. [bug] named -u failed on many Linux systems where the
+ libc provided kernel headers do not match
+ the current kernel.
+
+ 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of
+ IPV6_PKTINFO if found. [RT #229]
+
+ 380. [bug] nsupdate didn't work with IPv6.
+
+ 379. [func] New library function isc_sockaddr_anyofpf().
+
+ 378. [func] named and lwresd will log the command line arguments
+ they were started with in the "starting ..." message.
+
+ 377. [bug] When additional data lookups were refused due to
+ "allow-query", the databases were still being
+ attached causing reference leaks.
+
+ 376. [bug] The server should always use good entropy when
+ performing cryptographic functions needing entropy.
+
+ 375. [bug] Per-zone "allow-query" did not properly override the
+ view/global one for CNAME targets and additional
+ data [RT #220].
+
+ 374. [bug] SOA in authoritative negative responses had wrong TTL.
+
+ 373. [func] nslookup is now installed by "make install".
+
+ 372. [bug] Deal with Microsoft DNS servers appending two bytes of
+ garbage to zone transfer requests.
+
+ 371. [bug] At high debug levels, doing an outgoing zone transfer
+ of a very large RRset could cause an assertion failure
+ during logging.
+
+ 370. [bug] The error messages for rollforward failures were
+ overly terse.
+
+ 369. [func] Support new named.conf options, view and zone
+ statements:
+
+ max-retry-time, min-retry-time,
+ max-refresh-time, min-refresh-time.
+
+ 368. [func] Restructure the internal ".bind" view so that more
+ zones can be added to it.
+
+ 367. [bug] Allow proper selection of server on nslookup command
+ line.
+
+ 366. [func] Allow use of '-' batch file in dig for stdin.
+
+ 365. [bug] nsupdate -k leaked memory.
+
+ 364. [func] Added additional-from-{cache,auth}
+
+ 362. [bug] rndc no longer aborts if the configuration file is
+ missing an options statement. [RT #209]
+
+ 361. [func] When the RBT find or chain functions set the name and
+ origin for a node that stores the root label
+ the name is now set to an empty name, instead of ".",
+ to simplify later use of the name and origin by
+ dns_name_concatenate(), dns_name_totext() or
+ dns_name_format().
+
+ 360. [func] dns_name_totext() and dns_name_format() now allow
+ an empty name to be passed, which is formatted as "@".
+
+ 359. [bug] dnssec-signzone occasionally signed glue records.
+
+ 358. [cleanup] Rename the intermediate files used by the dnssec
+ programs.
+
+ 357. [bug] The zone file parser crashed if the argument
+ to $INCLUDE was a quoted string.
+
+ 356. [cleanup] isc_task_send no longer requires event->sender to
+ be non-null.
+
+ 355. [func] Added isc_dir_createunique(), similar to mkdtemp().
+
+ 354. [doc] Man pages for the dnssec tools are now included in
+ the distribution, in doc/man/dnssec.
+
+ 353. [bug] double increment in lwres/gethost.c:copytobuf().
+ [RT# 187]
+
+ 352. [bug] Race condition in dns_client_t startup could cause
+ an assertion failure.
+
+ 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG
+ signed query could crash the server.
+
+ 350. [bug] Also-notify lists specified in the global options
+ block were not correctly reference counted, causing
+ a memory leak.
+
+ 349. [bug] Processing a query with the CD bit set now works
+ as expected.
+
+ 348. [func] New boolean named.conf options 'additional-from-auth'
+ and 'additional-from-cache' now supported in view and
+ global options statement.
+
+ 347. [bug] Don't crash if an argument is left off options in dig.
+
+ 346. [func] Add support for .digrc config file, in the
+ user's current directory.
+
+ 345. [bug] Large-scale changes/cleanups to dig:
+ * Significantly improve structure handling
+ * Don't pre-load entire batch files
+ * Add name/rr counting/limiting
+ * Fix SIGINT handling
+ * Shorten timeouts to match v8's behavior
+
+ 344. [bug] When shutting down, lwresd sometimes tried
+ to shut down its client tasks twice,
+ triggering an assertion.
+
+ 343. [bug] Although zone maintenance SOA queries and
+ notify requests were signed with TSIG keys
+ when configured for the server in case,
+ the TSIG was not verified on the response.
+
+ 342. [bug] The wrong name was being passed to
+ dns_name_dup() when generating a TSIG
+ key using TKEY.
+
+ 341. [func] Support 'key' clause in named.conf zone masters
+ statement to allow authentication via TSIG keys:
+
+ masters {
+ 10.0.0.1 port 5353 key "foo";
+ 10.0.0.2 ;
+ };
+
+ 340. [bug] The top-level COPYRIGHT file was missing from
+ the distribution.
+
+ 339. [bug] DNSSEC validation of the response to an ANY
+ query at a name with a CNAME RR in a secure
+ zone triggered an assertion failure.
+
+ 338. [bug] lwresd logged to syslog as named, not lwresd.
+
+ 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type
+ on the command line.
+
+ 336. [bug] "dig -f" used 64 k of memory for each line in
+ the file. It now uses much less, though still
+ proportionally to the file size.
+
+ 335. [bug] named would occasionally attempt recursion when
+ it was disallowed or undesired.
+
+ 334. [func] Added hmac-md5 to libisc.
+
+ 333. [bug] The resolver incorrectly accepted referrals to
+ domains that were not parents of the query name,
+ causing assertion failures.
+
+ 332. [func] New function dns_name_reset().
+
+ 331. [bug] Only log "recursion denied" if RD is set. [RT #178]
+
+ 330. [bug] Many debugging messages were partially formatted
+ even when debugging was turned off, causing a
+ significant decrease in query performance.
+
+ 329. [func] omapi_auth_register() now takes a size_t argument for
+ the length of a key's secret data. Previously
+ OMAPI only stored secrets up to the first NUL byte.
+
+ 328. [func] Added isc_base64_decodestring().
+
+ 327. [bug] rndc.conf parser wasn't correctly recognising an IP
+ address where a host specification was required.
+
+ 326. [func] 'keys' in an 'inet' control statement is now
+ required and must have at least one item in it.
+ A "not supported" warning is now issued if a 'unix'
+ control channel is defined.
+
+ 325. [bug] isc_lex_gettoken was processing octal strings when
+ ISC_LEXOPT_CNUMBER was not set.
+
+ 324. [func] In the resolver, turn EDNS0 off if there is no
+ response after a number of retransmissions.
+ This is to allow queries some chance of succeeding
+ even if all the authoritative servers of a zone
+ silently discard EDNS0 requests instead of
+ sending an error response like they ought to.
+
+ 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes.
+ Because of this, servers authoritative for a parent
+ and grandchild zone but not authoritative for the
+ intervening child zone did not correctly issue
+ referrals to the servers of the child zone.
+
+ 322. [bug] Queries for KEY RRs are now sent to the parent
+ server before the authoritative one, making
+ DNSSEC insecurity proofs work in many cases
+ where they previously didn't.
+
+ 321. [bug] When synthesizing a CNAME RR for a DNAME
+ response, query_addcname() failed to intitialize
+ the type and class of the CNAME dns_rdata_t,
+ causing random failures.
+
+ 320. [func] Multiple rndc changes: parses an rndc.conf file,
+ uses authentication to talk to named, command
+ line syntax changed. This will all be described
+ in the ARM.
+
+ 319. [func] The named.conf "controls" statement is now used
+ to configure the OMAPI command channel.
+
+ 318. [func] dns_c_ndcctx_destroy() could never return anything
+ except ISC_R_SUCCESS; made it have void return instead.
+
+ 317. [func] Use callbacks from libomapi to determine if a
+ new connection is valid, and if a key requested
+ to be used with that connection is valid.
+
+ 316. [bug] Generate a warning if we detect an unexpected <eof>
+ but treat as <eol><eof>.
+
+ 315. [bug] Handle non-empty blanks lines. [RT #163]
+
+ 314. [func] The named.conf controls statement can now have
+ more than one key specified for the inet clause.
+
+ 313. [bug] When parsing resolv.conf, don't terminate on an
+ error. Instead, parse as much as possible, but
+ still return an error if one was found.
+
+ 312. [bug] Increase the number of allowed elements in the
+ resolv.conf search path from 6 to 8. If there
+ are more than this, ignore the remainder rather
+ than returning a failure in lwres_conf_parse.
+
+ 311. [bug] lwres_conf_parse failed when the first line of
+ resolv.conf was empty or a comment.
+
+ 310. [func] Changes to named.conf "controls" statement (inet
+ subtype only)
+
+ - support "keys" clause
+
+ controls {
+ inet * port 1024
+ allow { any; } keys { "foo"; }
+ }
+
+ - allow "port xxx" to be left out of statement,
+ in which case it defaults to omapi's default port
+ of 953.
+
+ 309. [bug] When sending a referral, the server did not look
+ for name server addresses as glue in the zone
+ holding the NS RRset in the case where this zone
+ was not the same as the one where it looked for
+ name server addresses as authoritative data.
+
+ 308. [bug] Treat a SOA record not at top of zone as an error
+ when loading a zone. [RT #154]
+
+ 307. [bug] When canceling a query, the resolver didn't check for
+ isc_socket_sendto() calls that did not yet have their
+ completion events posted, so it could (rarely) end up
+ destroying the query context and then want to use
+ it again when the send event posted, triggering an
+ assertion as it tried to cancel an already-canceled
+ query. [RT #77]
+
+ 306. [bug] Reading HMAC-MD5 private key files didn't work.
+
+ 305. [bug] When reloading the server with a config file
+ containing a syntax error, it could catch an
+ assertion failure trying to perform zone
+ maintenance on tentatively created zones whose
+ views were never fully configured and lacked
+ an address database.
+
+ 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers
+ are listed in resolv.conf, silently ignore them
+ instead of returning failure.
+
+ 303. [bug] Add additional sanity checks to differentiate a AXFR
+ response vs a IXFR response. [RT #157]
+
+ 302. [bug] In dig, host, and nslookup, MXNAME should be large
+ enough to hold any legal domain name in presentation
+ format + terminating NULL.
+
+ 301. [bug] Uninitialized pointer in host:printmessage(). [RT #159]
+
+ 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work
+ on platforms lacking IPv6 because each included their
+ own ipv6 header file for the missing definitions. Now
+ each library's ipv6.h defines the wrapper symbol of
+ the other (ISC_IPV6_H and LWRES_IPV6_H).
+
+ 299. [cleanup] Get the user and group information before changing the
+ root directory, so the administrator does not need to
+ keep a copy of the user and group databases in the
+ chroot'ed environment. Suggested by Hakan Olsson.
+
+ 298. [bug] A mutex deadlock occurred during shutdown of the
+ interface manager under certain conditions.
+ Digital Unix systems were the most affected.
+
+ 297. [bug] Specifying a key name that wasn't fully qualified
+ in certain parts of the config file could cause
+ an assertion failure.
+
+ 296. [bug] "make install" from a separate build directory
+ failed unless configure had been run in the source
+ directory, too.
+
+ 295. [bug] When invoked with type==CNAME and a message
+ not constructed by dns_message_parse(),
+ dns_message_findname() failed to find anything
+ due to checking for attribute bits that are set
+ only in dns_message_parse(). This caused an
+ infinite loop when constructing the response to
+ an ANY query at a CNAME in a secure zone.
+
+ 294. [bug] If we run out of space in while processing glue
+ when reading a master file and commit "current name"
+ reverts to "name_current" instead of staying as
+ "name_glue".
+
+ 293. [port] Add support for FreeBSD 4.0 system tests.
+
+ 292. [bug] Due to problems with the way some operating systems
+ handle simultaneous listening on IPv4 and IPv6
+ addresses, the server no longer listens on IPv6
+ addresses by default. To revert to the previous
+ behavior, specify "listen-on-v6 { any; };" in
+ the config file.
+
+ 291. [func] Caching servers no longer send outgoing queries
+ over TCP just because the incoming recursive query
+ was a TCP one.
+
+ 290. [cleanup] +twiddle option to dig (for testing only) removed.
+
+ 289. [cleanup] dig is now installed in $bindir instead of $sbindir.
+ host is now installed in $bindir. (Be sure to remove
+ any $sbindir/dig from a previous release.)
+
+ 288. [func] rndc is now installed by "make install" into $sbindir.
+
+ 287. [bug] rndc now works again as "rndc 127.1 reload" (for
+ only that task). Parsing its configuration file and
+ using digital signatures for authentication has been
+ disabled until named supports the "controls" statement,
+ post-9.0.0.
+
+ 286. [bug] On Solaris 2, when named inherited a signal state
+ where SIGHUP had the SIG_IGN action, SIGHUP would
+ be ignored rather than causing the server to reload
+ its configuration.
+
+ 285. [bug] A change made to the dst API for beta4 inadvertently
+ broke OMAPI's creation of a dst key from an incoming
+ message, causing an assertion to be triggered. Fixed.
+
+ 284. [func] The DNSSEC key generation and signing tools now
+ generate randomness from keyboard input on systems
+ that lack /dev/random.
+
+ 283. [cleanup] The 'lwresd' program is now a link to 'named'.
+
+ 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is
+ too big for an unsigned long.
+
+ 281. [bug] Fixed list of recognized config file category names.
+
+ 280. [func] Add isc-config.sh, which can be used to more
+ easily build applications that link with
+ our libraries.
+
+ 279. [bug] Private omapi function symbols shared between
+ two or more files in libomapi.a were not namespace
+ protected using the ISC convention of starting with
+ the library name and two underscores ("omapi__"...)
+
+ 278. [bug] bin/named/logconf.c:category_fromconf() didn't take
+ note of when isc_log_categorybyname() wasn't able
+ to find the category name and would then apply the
+ channel list of the unknown category to all categories.
+
+ 277. [bug] isc_log_categorybyname() and isc_log_modulebyname()
+ would fail to find the first member of any category
+ or module array apart from the internal defaults.
+ Thus, for example, the "notify" category was improperly
+ configured by named.
+
+ 276. [bug] dig now supports maximum sized TCP messages.
+
+ 275. [bug] The definition of lwres_gai_strerror() was missing
+ the lwres_ prefix.
+
+ 274. [bug] TSIG AXFR verify failed when talking to a BIND 8
+ server.
+
+ 273. [func] The default for the 'transfer-format' option is
+ now 'many-answers'. This will break zone transfers
+ to BIND 4.9.5 and older unless there is an explicit
+ 'one-answer' configuration.
+
+ 272. [bug] The sending of large TCP responses was canceled
+ in mid-transmission due to a race condition
+ caused by the failure to set the client object's
+ "newstate" variable correctly when transitioning
+ to the "working" state.
+
+ 271. [func] Attempt to probe the number of cpus in named
+ if unspecified rather than defaulting to 1.
+
+ 270. [func] Allow maximum sized TCP answers.
+
+ 269. [bug] Failed DNSSEC validations could cause an assertion
+ failure by causing clone_results() to be called with
+ with hevent->node == NULL.
+
+ 268. [doc] A plain text version of the Administrator
+ Reference Manual is now included in the distribution,
+ as doc/arm/Bv9ARM.txt.
+
+ 267. [func] Nsupdate is now provided in the distribution.
+
+ 266. [bug] zone.c:save_nsrrset() node was not initialized.
+
+ 265. [bug] dns_request_create() now works for TCP.
+
+ 264. [func] Dispatch can not take TCP sockets in connecting
+ state. Set DNS_DISPATCHATTR_CONNECTED when calling
+ dns_dispatch_createtcp() for connected TCP sockets
+ or call dns_dispatch_starttcp() when the socket is
+ connected.
+
+ 263. [func] New logging channel type 'stderr'
+
+ channel some-name {
+ stderr;
+ severity error;
+ }
+
+ 262. [bug] 'master' was not initialized in zone.c:stub_callback().
+
+ 261. [func] Add dns_zone_markdirty().
+
+ 260. [bug] Running named as a non-root user failed on Linux
+ kernels new enough to support retaining capabilities
+ after setuid().
+
+ 259. [func] New random-device and random-seed-file statements
+ for global options block of named.conf. Both accept
+ a single string argument.
+
+ 258. [bug] Fixed printing of lwres_addr_t.address field.
+
+ 257. [bug] The server detached the last zone manager reference
+ too early, while it could still be in use by queries.
+ This manifested itself as assertion failures during the
+ shutdown process for busy name servers. [RT #133]
+
+ 256. [func] isc_ratelimiter_t now has attach/detach semantics, and
+ isc_ratelimiter_shutdown guarantees that the rate
+ limiter is detached from its task.
+
+ 255. [func] New function dns_zonemgr_attach().
+
+ 254. [bug] Suppress "query denied" messages on additional data
+ lookups.
+
+ --- 9.0.0b4 released ---
+
+ 253. [func] resolv.conf parser now recognises ';' and '#' as
+ comments (anywhere in line, not just as the beginning).
+
+ 252. [bug] resolv.conf parser mishandled masks on sortlists.
+ It also aborted when an unrecognized keyword was seen,
+ now it silently ignores the entire line.
+
+ 251. [bug] lwresd caught an assertion failure on startup.
+
+ 250. [bug] fixed handling of size+unit when value would be too
+ large for internal representation.
+
+ 249. [cleanup] max-cache-size config option now takes a size-spec
+ like 'datasize', except 'default' is not allowed.
+
+ 248. [bug] global lame-ttl option was not being printed when
+ config structures were written out.
+
+ 247. [cleanup] Rename cache-size config option to max-cache-size.
+
+ 246. [func] Rename global option cachesize to cache-size and
+ add corresponding option to view statement.
+
+ 245. [bug] If an uncompressed name will take more than 255
+ bytes and the buffer is sufficiently long,
+ dns_name_fromwire should return DNS_R_FORMERR,
+ not ISC_R_NOSPACE. This bug caused cause the
+ server to catch an assertion failure when it
+ received a query for a name longer than 255
+ bytes.
+
+ 244. [bug] empty named.conf file and empty options statement are
+ now parsed properly.
+
+ 243. [func] new cachesize option for named.conf
+
+ 242. [cleanup] fixed incorrect warning about auth-nxdomain usage.
+
+ 241. [cleanup] nscount and soacount have been removed from the
+ dns_master_*() argument lists.
+
+ 240. [func] databases now come in three flavours: zone, cache
+ and stub.
+
+ 239. [func] If ISC_MEM_DEBUG is enabled, the variable
+ isc_mem_debugging controls whether messages
+ are printed or not.
+
+ 238. [cleanup] A few more compilation warnings have been quieted:
+ + missing sigwait prototype on BSD/OS 4.0/4.0.1.
+ + PTHREAD_ONCE_INIT unbraced initializer warnings on
+ Solaris 2.8.
+ + IN6ADDR_ANY_INIT unbraced initializer warnings on
+ BSD/OS 4.*, Linux and Solaris 2.8.
+
+ 237. [bug] If connect() returned ENOBUFS when the resolver was
+ initiating a TCP query, the socket didn't get
+ destroyed, and the server did not shut down cleanly.
+
+ 236. [func] Added new listen-on-v6 config file statement.
+
+ 235. [func] Consider it a config file error if a listen-on
+ statement has an IPv6 address in it, or a
+ listen-on-v6 statement has an IPv4 address in it.
+
+ 234. [bug] Allow a trusted-key's first field (domain-name) be
+ either a quoted or an unquoted string, instead of
+ requiring a quoted string.
+
+ 233. [cleanup] Convert all config structure integer values to unsigned
+ integer (isc_uint32_t) to match grammer.
+
+ 232. [bug] Allow slave zones to not have a file.
+
+ 231. [func] Support new 'port' clause in config file options
+ section. Causes 'listen-on', 'masters' and
+ 'also-notify' statements to use its value instead of
+ default (53).
+
+ 230. [func] Replace the dst sign/verify API with a cleaner one.
+
+ 229. [func] Support config file sig-validity-interval statement
+ in options, views and zone statements (master
+ zones only).
+
+ 228. [cleanup] Logging messages in config module stripped of
+ trailing period.
+
+ 227. [cleanup] The enumerated identifiers dns_rdataclass_*,
+ dns_rcode_*, dns_opcode_*, and dns_trust_* are
+ also now cast to their appropriate types, as with
+ dns_rdatatype_* in item number 225 below.
+
+ 226. [func] dns_name_totext() now always prints the root name as
+ '.', even when omit_final_dot is true.
+
+ 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now
+ cast to dns_rdatatype_t via macros of their same name
+ so that they are of the proper integral type wherever
+ a dns_rdatatype_t is needed.
+
+ 224. [cleanup] The entire project builds cleanly with gcc's
+ -Wcast-qual and -Wwrite-strings warnings enabled,
+ which is now the default when using gcc. (Warnings
+ from confparser.c, because of yacc's code, are
+ unfortunately to be expected.)
+
+ 223. [func] Several functions were reprototyped to qualify one
+ or more of their arguments with "const". Similarly,
+ several functions that return pointers now have
+ those pointers qualified with const.
+
+ 222. [bug] The global 'also-notify' option was ignored.
+
+ 221. [bug] An uninitialized variable was sometimes passed to
+ dns_rdata_freestruct() when loading a zone, causing
+ an assertion failure.
+
+ 220. [cleanup] Set the default outgoing port in the view, and
+ set it in sockaddrs returned from the ADB.
+ [31-May-2000 explorer]
+
+ 219. [bug] Signed truncated messages more correctly follow
+ the respective specs.
+
+ 218. [func] When an rdataset is signed, its ttl is normalized
+ based on the signature validity period.
+
+ 217. [func] Also-notify and trusted-keys can now be used in
+ the 'view' statement.
+
+ 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options
+ now work.
+
+ 215. [bug] Failures at certain points in request processing
+ could cause the assertion INSIST(client->lockview
+ == NULL) to be triggered.
+
+ 214. [func] New public function isc_netaddr_format(), for
+ formatting network addresses in log messages.
+
+ 213. [bug] Don't leak memory when reloading the zone if
+ an update-policy clause was present in the old zone.
+
+ 212. [func] Added dns_message_get/settsigkey, to make TSIG
+ key management reasonable.
+
+ 211. [func] The 'key' and 'server' statements can now occur
+ inside 'view' statements.
+
+ 210. [bug] The 'allow-transfer' option was ignored for slave
+ zones, and the 'transfers-per-ns' option was
+ was ignored for all zones.
+
+ 209. [cleanup] Upgraded openssl files to new version 0.9.5a
+
+ 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value
+ of an isc_offset_t.
+
+ 207. [func] The dnssec tools properly use the logging subsystem.
+
+ 206. [cleanup] dst now stores the key name as a dns_name_t, not
+ a char *.
+
+ 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692
+ ("prototyped function redeclared without prototype")
+ and 1552 ("variable ... set but not used") when
+ compiling in the lib/dns/sec/{dnssafe,openssl}
+ directories, which contain code imported from outside
+ sources.
+
+ 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker
+ to quiet the warnings that "The linked output may not
+ run on a PA 1.x system."
+
+ 203. [func] notify and zone soa queries are now tsig signed when
+ appropriate.
+
+ 202. [func] isc_lex_getsourceline() changed from returning int
+ to returning unsigned long, the type of its underlying
+ counter.
+
+ 201. [cleanup] Removed the test/sdig program, it has been
+ replaced by bin/dig/dig.
+
+
+ --- 9.0.0b3 released ---
+
+ 200. [bug] Failures in sending query responses to clients
+ (e.g., running out of network buffers) were
+ not logged.
+
+ 199. [bug] isc_heap_delete() sometimes violated the heap
+ invariant, causing timer events not to be posted
+ when due.
+
+ 198. [func] Dispatch managers hold memory pools which
+ any managed dispatcher may use. This allows
+ us to avoid dipping into the memory context for
+ most allocations. [19-May-2000 explorer]
+
+ 197. [bug] When an incoming AXFR or IXFR completes, the
+ zone's internal state is refreshed from the
+ SOA data. [19-May-2000 explorer]
+
+ 196. [func] Dispatchers can be shared easily between views
+ and/or interfaces. [19-May-2000 explorer]
+
+ 195. [bug] Including the NXT record of the root domain
+ in a negative response caused an assertion
+ failure.
+
+ 194. [doc] The PDF version of the Administrator's Reference
+ Manual is no longer included in the ISC BIND9
+ distribution.
+
+ 193. [func] changed dst_key_free() prototype.
+
+ 192. [bug] Zone configuration validation is now done at end
+ of config file parsing, and before loading
+ callbacks.
+
+ 191. [func] Patched to compile on UnixWare 7.x. This platform
+ is not directly supported by the ISC.
+
+ 190. [cleanup] The DNSSEC tools have been moved to a separate
+ directory dnssec/ and given the following new,
+ more descriptive names:
+
+ dnssec-keygen
+ dnssec-signzone
+ dnssec-signkey
+ dnssec-makekeyset
+
+ Their command line arguments have also been changed to
+ be more consistent. dnssec-keygen now prints the
+ name of the generated key files (sans extension)
+ on standard output to simplify its use in automated
+ scripts.
+
+ 189. [func] isc_time_secondsastimet(), a new function, will ensure
+ that the number of seconds in an isc_time_t does not
+ exceed the range of a time_t, or return ISC_R_RANGE.
+ Similarly, isc_time_now(), isc_time_nowplusinterval(),
+ isc_time_add() and isc_time_subtract() now check the
+ range for overflow/underflow. In the case of
+ isc_time_subtract, this changed a calling requirement
+ (ie, something that could generate an assertion)
+ into merely a condition that returns an error result.
+ isc_time_add() and isc_time_subtract() were void-
+ valued before but now return isc_result_t.
+
+ 188. [func] Log a warning message when an incoming zone transfer
+ contains out-of-zone data.
+
+ 187. [func] isc_ratelimter_enqueue() has an additional argument
+ 'task'.
+
+ 186. [func] dns_request_getresponse() has an additional argument
+ 'preserve_order'.
+
+ 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several
+ public functions did not have an isc__ prefix, and
+ referred to functions that had previously been
+ renamed.
+
+ 184. [cleanup] Variables/functions which began with two leading
+ underscores were made to conform to the ANSI/ISO
+ standard, which says that such names are reserved.
+
+ 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful
+ for logging the program name or other identifier.
+
+ 182. [cleanup] New commandline parameters for dnssec tools
+
+ 181. [func] Added dst_key_buildfilename and dst_key_parsefilename
+
+ 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE.
+
+ 179. [func] options named.conf statement *must* now come
+ before any zone or view statements.
+
+ 178. [func] Post-load of named.conf check verifies a slave zone
+ has non-empty list of masters defined.
+
+ 177. [func] New per-zone boolean:
+
+ enable-zone yes | no ;
+
+ intended to let a zone be disabled without having
+ to comment out the entire zone statement.
+
+ 176. [func] New global and per-view option:
+
+ max-cache-ttl number
+
+ 175. [func] New global and per-view option:
+
+ additional-data internal | minimal | maximal;
+
+ 174. [func] New public function isc_sockaddr_format(), for
+ formatting socket addresses in log messages.
+
+ 173. [func] Keep a queue of zones waiting for zone transfer
+ quota so that a new transfer can be dispatched
+ immediately whenever quota becomes available.
+
+ 172. [bug] $TTL directive was sometimes missing from dumped
+ master files because totext_ctx_init() failed to
+ initialize ctx->current_ttl_valid.
+
+ 171. [cleanup] On NetBSD systems, the mit-pthreads or
+ unproven-pthreads library is now always used
+ unless --with-ptl2 is explicitly specified on
+ the configure command line. The
+ --with-mit-pthreads option is no longer needed
+ and has been removed.
+
+ 170. [cleanup] Remove inter server consistancy checks from zone,
+ these should return as a seperate module in 9.1.
+ dns_zone_checkservers(), dns_zone_checkparents(),
+ dns_zone_checkchildren(), dns_zone_checkglue().
+
+ Remove dns_zone_setadb(), dns_zone_setresolver(),
+ dns_zone_setrequestmgr() these should now be found
+ via the view.
+
+ 169. [func] ratelimiter can now process N events per interval.
+
+ 168. [bug] include statements in named.conf caused syntax errors
+ due to not consuming the semicolon ending the include
+ statement before switching input streams.
+
+ 167. [bug] Make lack of masters for a slave zone a soft error.
+
+ 166. [bug] Keygen was overwriting existing keys if key_id
+ conflicted, now it will retry, and non-null keys
+ with key_id == 0 are not generated anymore. Key
+ was not able to generate NOAUTHCONF DSA key,
+ increased RSA key size to 2048 bits.
+
+ 165. [cleanup] Silence "end-of-loop condition not reached" warnings
+ from Solaris compiler.
+
+ 164. [func] Added functions isc_stdio_open(), isc_stdio_close(),
+ isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(),
+ isc_stdio_flush(), isc_stdio_sync(), isc_file_remove()
+ to encapsulate nonportable usage of errno and sync.
+
+ 163. [func] Added result codes ISC_R_FILENOTFOUND and
+ ISC_R_FILEEXISTS.
+
+ 162. [bug] Ensure proper range for arguments to ctype.h functions.
+
+ 161. [cleanup] error in yyparse prototype that only HPUX caught.
+
+ 160. [cleanup] getnet*() are not going to be implemented at this
+ stage.
+
+ 159. [func] Redefinition of config file elements is now an
+ error (instead of a warning).
+
+ 158. [bug] Log channel and category list copy routines
+ weren't assigning properly to output parameter.
+
+ 157. [port] Fix missing prototype for getopt().
+
+ 156. [func] Support new 'database' statement in zone.
+
+ database "quoted-string";
+
+ 155. [bug] ns_notify_start() was not detaching the found zone.
+
+ 154. [func] The signer now logs libdns warnings to stderr even when
+ not verbose, and in a nicer format.
+
+ 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx'
+ is NULL then you need to preserve the 'rdata' until
+ you have finished using the structure as there may be
+ references to the associated memory. If 'mctx' is
+ non-NULL it is guaranteed that there are no references
+ to memory associated with 'rdata'.
+
+ dns_rdata_freestruct() must be called if 'mctx' was
+ non-NULL and may safely be called if 'mctx' was NULL.
+
+ 152. [bug] keygen dumped core if domain name argument was omitted
+ from command line.
+
+ 151. [func] Support 'disabled' statement in zone config (causes
+ zone to be parsed and then ignored). Currently must
+ come after the 'type' clause.
+
+ 150. [func] Support optional ports in masters and also-notify
+ statements:
+
+ masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
+
+ 149. [cleanup] Removed usused argument 'olist' from
+ dns_c_view_unsetordering().
+
+ 148. [cleanup] Stop issuing some warnings about some configuration
+ file statements that were not implemented, but now are.
+
+ 147. [bug] Changed yacc union size to be smaller for yaccs that
+ put yacc-stack on the real stack.
+
+ 146. [cleanup] More general redundant header file cleanup. Rather
+ than continuing to itemize every header which changed,
+ this changelog entry just notes that if a header file
+ did not need another header file that it was including
+ in order to provide its advertized functionality, the
+ inclusion of the other header file was removed. See
+ util/check-includes for how this was tested.
+
+ 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/
+ ISC_LANG_ENDDECLS to header files that had function
+ prototypes, and removed it from those that did not.
+
+ 144. [cleanup] libdns header files too numerous to name were made
+ to conform to the same style for multiple inclusion
+ protection.
+
+ 143. [func] Added function dns_rdatatype_isknown().
+
+ 142. [cleanup] <isc/stdtime.h> does not need <time.h> or
+ <isc/result.h>.
+
+ 141. [bug] Corrupt requests with multiple questions could
+ cause an assertion failure.
+
+ 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>.
+
+ 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of
+ <isc/int.h> and <isc/result.h>.
+
+ 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and
+ renamed isc_string_touint64. isc_strsep moved from
+ strsep.c to string.c and renamed isc_string_separate.
+
+ 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h>
+ <isc/serial.h>, <isc/string.h> and <isc/offset.h>
+ made to conform to the same style for multiple
+ inclusion protection.
+
+ 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>,
+ <isc/net.h> and Win32's <isc/thread.h> needed
+ ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS.
+
+ 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h>
+ or <isc/boolean.h>, now uses <isc/types.h> in place
+ of <isc/time.h>, and needed ISC_LANG_BEGINDECLS
+ and ISC_LANG_ENDDECLS.
+
+ 134. [cleanup] <isc/dir.h> does not need <limits.h>.
+
+ 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>.
+
+ 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does
+ need <isc/eventclass.h>.
+
+ 131. [cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h>
+ for ISC_R_* codes used in macros.
+
+ 130. [cleanup] <isc/condition.h> does not need <pthread.h> or
+ <isc/boolean.h>, and now includes <isc/types.h>
+ instead of <isc/time.h>.
+
+ 129. [bug] The 'default_debug' log channel was not set up when
+ 'category default' was present in the config file
+
+ 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of
+ ISC_LANG_ENDDECLS at end of header.
+
+ 127. [cleanup] The contracts for the comparision routines
+ dns_name_fullcompare(), dns_name_compare(),
+ dns_name_rdatacompare(), and dns_rdata_compare() now
+ specify that the order value returned is < 0, 0, or > 0
+ instead of -1, 0, or 1.
+
+ 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>.
+
+ 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>,
+ <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and
+ <isc/resultclass.h> do not need <isc/lang.h>.
+
+ 124. [func] signer now imports parent's zone key signature
+ and creates null keys/sets zone status bit for
+ children when necessary
+
+ 123. [cleanup] <isc/event.h> does not need <stddef.h>.
+
+ 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or
+ <isc/result.h>.
+
+ 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or
+ <isc/result.h>. Multiple inclusion protection
+ symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H.
+ isc_symtab_t moved to <isc/types.h>.
+
+ 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>,
+ <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or
+ <isc/net.h>.
+
+ 119. [cleanup] structure definitions for generic rdata stuctures do
+ not have _generic_ in their names.
+
+ 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting
+ YACC crust (yyparse, etc) [2000-apr-27 explorer]
+
+ 117. [cleanup] libdns.a changes:
+ dns_zone_clearnotify() and dns_zone_addnotify()
+ are replaced by dns_zone_setnotifyalso().
+ dns_zone_clearmasters() and dns_zone_addmaster()
+ are replaced by dns_zone_setmasters().
+
+ 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t
+ on Unix systems).
+
+ 115. [port] Shut up the -Wmissing-declarations warning about
+ <stdio.h>'s __sputaux on BSD/OS pre-4.1.
+
+ 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or
+ <isc/list.h>.
+
+ 113. [func] Utility programs dig and host added.
+
+ 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>.
+
+ 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or
+ <isc/mutex.h>.
+
+ 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or
+ <isc/list.h>.
+
+ 109. [bug] "make depend" did nothing for
+ bin/tests/{db,mem,sockaddr,tasks,timers}/.
+
+ 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from
+ <dns/types.h> to <dns/bit.h> and renamed to
+ DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR.
+
+ 107. [func] Add keysigner and keysettool.
+
+ 106. [func] Allow dnssec verifications to ignore the validity
+ period. Used by several of the dnssec tools.
+
+ 105. [doc] doc/dev/coding.html expanded with other
+ implicit conventions the developers have used.
+
+ 104. [bug] Made compress_add and compress_find static to
+ lib/dns/compress.c.
+
+ 103. [func] libisc buffer API changes for <isc/buffer.h>:
+ Added:
+ isc_buffer_base(b) (pointer)
+ isc_buffer_current(b) (pointer)
+ isc_buffer_active(b) (pointer)
+ isc_buffer_used(b) (pointer)
+ isc_buffer_length(b) (int)
+ isc_buffer_usedlength(b) (int)
+ isc_buffer_consumedlength(b) (int)
+ isc_buffer_remaininglength(b) (int)
+ isc_buffer_activelength(b) (int)
+ isc_buffer_availablelength(b) (int)
+ Removed:
+ ISC_BUFFER_USEDCOUNT(b)
+ ISC_BUFFER_AVAILABLECOUNT(b)
+ isc_buffer_type(b)
+ Changed names:
+ isc_buffer_used(b, r) ->
+ isc_buffer_usedregion(b, r)
+ isc_buffer_available(b, r) ->
+ isc_buffer_available_region(b, r)
+ isc_buffer_consumed(b, r) ->
+ isc_buffer_consumedregion(b, r)
+ isc_buffer_active(b, r) ->
+ isc_buffer_activeregion(b, r)
+ isc_buffer_remaining(b, r) ->
+ isc_buffer_remainingregion(b, r)
+
+ Buffer types were removed, so the ISC_BUFFERTYPE_*
+ macros are no more, and the type argument to
+ isc_buffer_init and isc_buffer_allocate were removed.
+ isc_buffer_putstr is now void (instead of isc_result_t)
+ and requires that the caller ensure that there
+ is enough available buffer space for the string.
+
+ 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop
+ on BSD/OS 4.1.
+
+ 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c.
+
+ 100. [cleanup] <isc/random.h> does not need <isc/int.h> or
+ <isc/mutex.h>. isc_random_t moved to <isc/types.h>.
+
+ 99. [cleanup] Rate limiter now has separate shutdown() and
+ destroy() functions, and it guarantees that all
+ queued events are delivered even in the shutdown case.
+
+ 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h>
+ unless ISC_PLATFORM_NEEDVSNPRINTF is defined.
+
+ 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or
+ <isc/event.h>.
+
+ 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>.
+
+ 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>.
+
+ 94. [cleanup] Some installed header files did not compile as C++.
+
+ 93. [cleanup] <isc/msgcat.h> does not need <isc/result.h>.
+
+ 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>,
+ or <isc/result.h>.
+
+ 91. [cleanup] <isc/log.h> does not need <sys/types.h> or
+ <isc/result.h>.
+
+ 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS
+ from <named/listenlist.h>.
+
+ 89. [cleanup] <isc/lex.h> does not need <stddef.h>.
+
+ 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or
+ <isc/mem.h>. isc_interface_t and isc_interfaceiter_t
+ moved to <isc/types.h>.
+
+ 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>,
+ <isc/mem.h> or <isc/result.h>.
+
+ 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to
+ <isc/types.h>.
+
+ 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>,
+ <isc/list.h>, <isc/mem.h>, <isc/region.h> or
+ <isc/int.h>.
+
+ 84. [func] allow-query ACL checks now apply to all data
+ added to a response.
+
+ 83. [func] If the server is authoritative for both a
+ delegating zone and its (nonsecure) delegatee, and
+ a query is made for a KEY RR at the top of the
+ delegatee, then the server will look for a KEY
+ in the delegator if it is not found in the delegatee.
+
+ 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>.
+
+ 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need
+ <isc/lang.h>.
+
+ 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>.
+
+ 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>.
+
+ 78. [cleanup] lwres_conftest renamed to lwresconf_test for
+ consistency with other *_test programs.
+
+ 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from
+ <isc/time.h> to <isc/types.h>.
+
+ 76. [cleanup] Rewrote keygen.
+
+ 75. [func] Don't load a zone if its database file is older
+ than the last time the zone was loaded.
+
+ 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a,
+ subsumed by file.o.
+
+ 73. [func] New "file" API in libisc, including new function
+ isc_file_getmodtime, isc_mktemplate renamed to
+ isc_file_mktemplate and isc_ufile renamed to
+ isc_file_openunique. By no means an exhaustive API,
+ it is just what's needed for now.
+
+ 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS
+ added for dns_rbt_findnode, the former to disable the
+ setting of the chain to the predecessor, and the
+ latter to make clear when no options are set.
+
+ 71. [cleanup] Made explicit the implicit REQUIREs of
+ isc_time_seconds, isc_time_nanoseconds, and
+ isc_time_subtract.
+
+ 70. [func] isc_time_set() added.
+
+ 69. [bug] The zone object's master and also-notify lists grew
+ longer with each server reload.
+
+ 68. [func] Partial support for SIG(0) on incoming messages.
+
+ 67. [performance] Allow use of alternate (compile-time supplied)
+ OpenSSL libraries/headers.
+
+ 66. [func] Data in authoritative zones should have a trust level
+ beyond secure.
+
+ 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t
+ from <dns/types.h>.
+
+ 64. [func] The RBT, DB, and zone table APIs now allow the
+ caller find the most-enclosing superdomain of
+ a name.
+
+ 63. [func] Generate NOTIFY messages.
+
+ 62. [func] Add UDP refresh support.
+
+ 61. [cleanup] Use single quotes consistently in log messages.
+
+ 60. [func] Catch and disallow singleton types on message
+ parse.
+
+ 59. [bug] Cause net/host unreachable to be a hard error
+ when sending and receiving.
+
+ 58. [bug] bin/named/query.c could sometimes trigger the
+ (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
+ == 0 assertion in query_newname().
+
+ 57. [func] Added dns_nxt_typepresent()
+
+ 56. [bug] SIG records were not properly returned in cached
+ negative answers.
+
+ 55. [bug] Responses containing multiple names in the authority
+ section were not negatively cached.
+
+ 54. [bug] If a fetch with sigrdataset==NULL joined one with
+ sigrdataset!=NULL or vice versa, the resolver
+ could catch an assertion or lose signature data,
+ respectively.
+
+ 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires
+ <sys/param.h>.
+
+ 52. [bug] rndc: taskmgr and socketmgr were not initialized
+ to NULL.
+
+ 51. [cleanup] dns/compress.h and dns/zt.h did not need to include
+ dns/rbt.h; it was needed only by compress.c and zt.c.
+
+ 50. [func] RBT deletion no longer requires a valid chain to work,
+ and dns_rbt_deletenode was added.
+
+ 49. [func] Each cache now has its own mctx.
+
+ 48. [func] isc_task_create() no longer takes an mctx.
+ isc_task_mem() has been eliminated.
+
+ 47. [func] A number of modules now use memory context reference
+ counting.
+
+ 46. [func] Memory contexts are now reference counted.
+ Added isc_mem_inuse() and isc_mem_preallocate().
+ Renamed isc_mem_destroy_check() to
+ isc_mem_setdestroycheck().
+
+ 45. [bug] The trusted-key statement incorrectly loaded keys.
+
+ 44. [bug] Don't include authority data if it would force us
+ to unset the AD bit in the message.
+
+ 43. [bug] DNSSEC verification of cached rdatasets was failing.
+
+ 42. [cleanup] Simplified logging of messages with embedded domain
+ names by introducing a new convenience function
+ dns_name_format().
+
+ 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later
+ to allow 'named' to run as a non-root user while
+ retaining the ability to bind() to privileged
+ ports.
+
+ 40. [func] Introduced new logging category "dnssec" and
+ logging module "dns/validator".
+
+ 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t,
+ and isc_lex_t to <isc/types.h>.
+
+ 38. [bug] TSIG signed incoming zone transfers work now.
+
+ 37. [bug] If the first RR in an incoming zone transfer was
+ not an SOA, the server died with an assertion failure
+ instead of just reporting an error.
+
+ 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS
+
+ 35. [performance] Log messages which are of a level too high to be
+ logged by any channel in the logging configuration
+ will not cause the log mutex to be locked.
+
+ 34. [bug] Recursion was allowed even with 'recursion no'.
+
+ 33. [func] The RBT now maintains a parent pointer at each node.
+
+ 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset()
+ prototype.
+
+ 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@.
+
+ 30. [func] config file grammer change to support optional
+ class type for a view.
+
+ 29. [func] support new config file view options:
+
+ auth-nxdomain recursion query-source
+ query-source-v6 transfer-source
+ transfer-source-v6 max-transfer-time-out
+ max-transfer-idle-out transfer-format
+ request-ixfr provide-ixfr cleaning-interval
+ fetch-glue notify rfc2308-type1 lame-ttl
+ max-ncache-ttl min-roots
+
+ 28. [func] support lame-ttl, min-roots and serial-queries
+ config global options.
+
+ 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*.
+ Including it on other platforms (eg, NetBSD) can
+ cause a forced #error from the C preprocessor.
+
+ 26. [func] new match-clients statement in config file view.
+
+ 25. [bug] make install failed to install <isc/log.h> and
+ <isc/ondestroy.h>.
+
+ 24. [cleanup] Eliminate some unnecessary #includes of header
+ files from header files.
+
+ 23. [cleanup] Provide more context in log messages about client
+ requests, using a new function ns_client_log().
+
+ 22. [bug] SIGs weren't returned in the answer section when
+ the query resulted in a fetch.
+
+ 21. [port] Look at STD_CINCLUDES after CINCLUDES during
+ compilation, so additional system include directories
+ can be searched but header files in the bind9 source
+ tree with conflicting names take precedence. This
+ avoids issues with installed versions of dnssafe and
+ openssl.
+
+ 20. [func] Configuration file post-load validation of zones
+ failed if there were no zones.
+
+ 19. [bug] dns_zone_notifyreceive() failed to unlock the zone
+ lock in certain error cases.
+
+ 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in
+ configure.in to check for presence of in6addr_any.
+
+ 17. [func] Do configuration file post-load validation of zones.
+
+ 16. [bug] put quotes around key names on config file
+ output to avoid possible keyword clashes.
+
+ 15. [func] Add dns_name_dupwithoffsets(). This function is
+ improves comparison performance for duped names.
+
+ 14. [bug] free_rbtdb() could have 'put' unallocated memory in
+ an unlikely error path.
+
+ 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore
+ out-of-zone data.
+
+ 12. [bug] Fixed possible unitialized variable error.
+
+ 11. [bug] axfr_rrstream_first() didn't check the result code of
+ db_rr_iterator_first(), possibly causing an assertion
+ to be triggered later.
+
+ 10. [bug] A bug in the code which makes EDNS0 OPT records in
+ bin/named/client.c and lib/dns/resolver.c could
+ trigger an assertion.
+
+ 9. [cleanup] replaced bit-setting code in confctx.c and replaced
+ repeated code with macro calls.
+
+ 8. [bug] Shutdown of incoming zone transfer accessed
+ freed memory.
+
+ 7. [cleanup] removed 'listen-on' from view statement.
+
+ 6. [bug] quote RR names when generating config file to
+ prevent possible clash with config file keywords
+ (such as 'key').
+
+ 5. [func] syntax change to named.conf file: new ssu grant/deny
+ statements must now be enclosed by an 'update-policy'
+ block.
+
+ 4. [port] bin/named/unix/os.c didn't compile on systems with
+ linux 2.3 kernel includes due to conflicts between
+ C library includes and the kernel includes. We now
+ get only what we need from <linux/capability.h>, and
+ avoid pulling in other linux kernel .h files.
+
+ 3. [bug] TKEYs go in the answer section of responses, not
+ the additional section.
+
+ 2. [bug] Generating cryptographic randomness failed on
+ systems without /dev/random.
+
+ 1. [bug] The installdirs rule in
+ lib/isc/unix/include/isc/Makefile.in had a typo which
+ prevented the isc directory from being created if it
+ didn't exist.
+
+ --- 9.0.0b2 released ---
+
+# This tells Emacs to use hard tabs in this file.
+# Local Variables:
+# indent-tabs-mode: t
+# End:
diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT
new file mode 100644
index 0000000..ee10478
--- /dev/null
+++ b/contrib/bind9/COPYRIGHT
@@ -0,0 +1,30 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 1996-2003 Internet Software Consortium.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+$Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $
+
+Portions Copyright (C) 1996-2001 Nominum, Inc.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/FAQ b/contrib/bind9/FAQ
new file mode 100644
index 0000000..25eb00c
--- /dev/null
+++ b/contrib/bind9/FAQ
@@ -0,0 +1,454 @@
+
+
+
+Frequently Asked Questions about BIND 9
+
+
+Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
+
+A: Linux threads do not fully implement the Posix threads (pthreads) standard.
+In particular, setuid() operates only on the current thread, not the full
+process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
+can on all other supported platforms. setuid() cannot be called before
+creating threads, since the server does not start listening on reserved ports
+until after threads have started.
+
+ In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
+capabilities across a setuid() call is present. This allows BIND 9 to call
+setuid() early, while retaining the ability to bind reserved ports. This is
+a Linux-specific hack.
+
+ On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
+of a security risk than a root process that has not dropped privileges.
+
+ If Linux threads ever work correctly, this restriction will go away.
+
+ Configuring BIND9 with the --disable-threads option (the default) causes a
+non-threaded version to be built, which will allow -u to be used.
+
+
+Q: Why does named log the warning message "no TTL specified - using SOA
+MINTTL instead"?
+
+A: Your zone file is illegal according to RFC1035. It must either
+have a line like
+
+ $TTL 86400
+
+at the beginning, or the first record in it must have a TTL field,
+like the "84600" in this example:
+
+ example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )
+
+Q: Why do I see 5 (or more) copies of named on Linux?
+
+A: Linux threads each show up as a process under ps. The approximate
+number of threads running is n+4, where n is the number of CPUs. Note that
+the amount of memory used is not cumulative; if each process is using 10M of
+memory, only a total of 10M is used.
+
+
+Q: Why does BIND 9 log "permission denied" errors accessing its
+configuration files or zones on my Linux system even though it is running
+as root?
+
+A: On Linux, BIND 9 drops most of its root privileges on startup.
+This including the privilege to open files owned by other users.
+Therefore, if the server is running as root, the configuration files
+and zone files should also be owned by root.
+
+
+Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
+bar: ran out of space"
+
+A: This is often caused by TXT records with missing close quotes. Check that
+all TXT records containing quoted strings have both open and close quotes.
+
+
+Q: How do I produce a usable core file from a multithreaded named on Linux?
+
+A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps
+are usable (that is, the correct thread is dumped). Otherwise, if using
+a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch
+and rebuild the kernel. This patch will cause multithreaded programs to dump
+the correct thread.
+
+
+Q: How do I restrict people from looking up the server version?
+
+A: Put a "version" option containing something other than the real
+version in the "options" section of named.conf. Note doing this will
+not prevent attacks and may impede people trying to diagnose problems
+with your server. Also it is possible to "fingerprint" nameservers to
+determine their version.
+
+
+Q: How do I restrict only remote users from looking up the server
+version?
+
+A: The following view statement will intercept lookups as the internal
+view that holds the version information will be matched last. The
+caveats of the previous answer still apply, of course.
+
+ view "chaos" chaos {
+ match-clients { <those to be refused>; };
+ allow-query { none; };
+ zone "." {
+ type hint;
+ file "/dev/null"; // or any empty file
+ };
+ };
+
+
+Q: What do "no source of entropy found" or "could not open entropy source foo"
+mean?
+
+A: The server requires a source of entropy to perform certain operations,
+mostly DNSSEC related. These messages indicate that you have no source
+of entropy. On systems with /dev/random or an equivalent, it is used by
+default. A source of entropy can also be defined using the random-device
+option in named.conf.
+
+
+Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why?
+
+A: BIND 9 is installed under /usr/local by default. BIND 8 is often
+installed under /usr. Check that the correct named is running.
+
+
+Q: I'm trying to use TSIG to authenticate dynamic updates or zone
+transfers. I'm sure I have the keys set up correctly, but the server
+is rejecting the TSIG. Why?
+
+A: This may be a clock skew problem. Check that the the clocks on
+the client and server are properly synchronized (e.g., using ntp).
+
+
+Q: I'm trying to compile BIND 9, and "make" is failing due to files not
+being found. Why?
+
+A: Using a parallel or distributed "make" to build BIND 9 is not
+supported, and doesn't work. If you are using one of these, use
+normal make or gmake instead.
+
+
+Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is
+logging error messages like "notify to 10.0.0.1#53 failed: unexpected
+end of input". What's wrong?
+
+A: This error message is caused by a known bug in BIND 8.2.3 and is fixed
+in BIND 8.2.4. It can be safely ignored - the notify has been acted on by
+the slave despite the error message.
+
+
+Q: I keep getting log messages like the following. Why?
+
+ Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN':
+ update failed: 'RRset exists (value dependent)' prerequisite not
+ satisfied (NXRRSET)
+
+A: DNS updates allow the update request to test to see if certain
+conditions are met prior to proceeding with the update. The message
+above is saying that conditions were not met and the update is not
+proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites.
+
+
+Q: I keep getting log messages like the following. Why?
+
+ Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied
+
+A: Someone is trying to update your DNS data using the RFC2136 Dynamic
+Update protocol. Windows 2000 machines have a habit of sending dynamic
+update requests to DNS servers without being specifically configured to
+do so. If the update requests are coming from a Windows 2000 machine,
+see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp>
+for information about how to turn them off.
+
+
+Q: I see a log message like the following. Why?
+
+ couldn't open pid file '/var/run/named.pid': Permission denied
+
+A: You are most likely running named as a non-root user, and that user
+does not have permission to write in /var/run. The common ways of
+fixing this are to create a /var/run/named directory owned by the named
+user and set pid-file to "/var/run/named/named.pid", or set
+pid-file to "named.pid", which will put the file in the directory
+specified by the directory option (which, in this case, must be writable
+by the named user).
+
+
+Q: When I do a "dig . ns", many of the A records for the root
+servers are missing. Why?
+
+A: This is normal and harmless. It is a somewhat confusing side effect
+of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9
+makes to avoid promoting glue into answers.
+
+When BIND 9 first starts up and primes its cache, it receives the root
+server addresses as additional data in an authoritative response from
+a root server, and these records are eligible for inclusion as
+additional data in responses. Subsequently it receives a subset of
+the root server addresses as additional data in a non-authoritative
+(referral) response from a root server. This causes the addresses to
+now be considered non-authoritative (glue) data, which is not eligible
+for inclusion in responses.
+
+The server does have a complete set of root server addresses cached
+at all times, it just may not include all of them as additional data,
+depending on whether they were last received as answers or as glue.
+You can always look up the addresses with explicit queries like
+"dig a.root-servers.net A".
+
+
+Q: Zone transfers from my BIND 9 master to my Windows 2000 slave
+fail. Why?
+
+A: This may be caused by a bug in the Windows 2000 DNS server where
+DNS messages larger than 16K are not handled properly. This can be
+worked around by setting the option "transfer-format one-answer;".
+Also check whether your zone contains domain names with embedded
+spaces or other special characters, like "John\032Doe\213s\032Computer",
+since such names have been known to cause Windows 2000 slaves to
+incorrectly reject the zone.
+
+
+Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP?
+
+A: A zone can be updated either by editing zone files and reloading
+the server or by dynamic update, but not both. If you have enabled
+dynamic update for a zone using the "allow-update" option, you are not
+supposed to edit the zone file by hand, and the server will not
+attempt to reload it.
+
+
+Q: I can query the nameserver from the nameserver but not from other
+machines. Why?
+
+A: This is usually the result of the firewall configuration stopping
+the queries and / or the replies.
+
+
+Q: How can I make a server a slave for both an internal and
+an external view at the same time? When I tried, both views
+on the slave were transferred from the same view on the master.
+
+A: You will need to give the master and slave multiple IP addresses and
+use those to make sure you reach the correct view on the other machine.
+
+ e.g.
+ Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias)
+ internal:
+ match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+ notify-source 10.0.1.1;
+ transfer-source 10.0.1.1;
+ query-source address 10.0.1.1;
+ external:
+ match-clients { any; };
+ recursion no; // don't offer recursion to the world
+ notify-source 10.0.1.2;
+ transfer-source 10.0.1.2;
+ query-source address 10.0.1.2;
+
+ Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias)
+ internal:
+ match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; };
+ notify-source 10.0.1.3;
+ transfer-source 10.0.1.3;
+ query-source address 10.0.1.3;
+ external:
+ match-clients { any; };
+ recursion no; // don't offer recursion to the world
+ notify-source 10.0.1.4;
+ transfer-source 10.0.1.4;
+ query-source address 10.0.1.4;
+
+ You put the external address on the alias so that all the other
+ dns clients on these boxes see the internal view by default.
+
+A: (BIND 9.3 and later) Use TSIG to select the appropriate view.
+
+ Master 10.0.1.1:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+ view "internal" {
+ match-clients { !key external; 10.0.1/24; };
+ ...
+ };
+ view "external" {
+ match-clients { key external; any; };
+ server 10.0.0.2 { keys external; };
+ recursion no;
+ ...
+ };
+
+ Slave 10.0.1.2:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+ view "internal" {
+ match-clients { !key external; 10.0.1/24; };
+ };
+ view "external" {
+ match-clients { key external; any; };
+ server 10.0.0.1 { keys external; };
+ recursion no;
+ ...
+ };
+
+
+Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there.
+
+A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel
+to use certain interrupts as a source of random events. You can make this
+permanent by setting rand_irqs in /etc/rc.conf.
+
+e.g.
+ /etc/rc.conf
+ rand_irqs="3 14 15"
+
+See also http://people.freebsd.org/~dougb/randomness.html
+
+
+Q: Why is named listening on UDP port other than 53?
+
+A: Named uses a system selected port to make queries of other nameservers.
+This behaviour can be overridden by using query-source to lock down the
+port and/or address. See also notify-source and transfer-source.
+
+
+Q: I get error messages like "multiple RRs of singleton type" and
+"CNAME and other data" when transferring a zone. What does this mean?
+
+A: These indicate a malformed master zone. You can identify the
+exact records involved by transferring the zone using dig then
+running named-checkzone on it.
+
+ e.g.
+ dig axfr example.com @master-server > tmp
+ named-checkzone example.com tmp
+
+
+Q: I get error messages like "named.conf:99: unexpected end of input" where
+99 is the last line of named.conf.
+
+A: Some text editors (notepad and wordpad) fail to put a line termination
+indication (e.g. CR/LF) on the last line of a text file. This can be fixed
+by "adding" a blank line to the end of the file. Named expects to see EOF
+immediately after EOL and treats text files where this is not met as truncated.
+
+
+Q: I get warning messages like "zone example.com/IN: refresh: failure trying master
+1.2.3.4#53: timed out".
+
+A: Check that you can make UDP queries from the slave to the master
+
+ dig +norec example.com soa @1.2.3.4
+
+A: You could be generating queries faster than the slave can cope with. Lower
+the serial query rate.
+
+ serial-query-rate 5; // default 20
+
+Q: How do I share a dynamic zone between multiple views?
+
+A: You choose one view to be master and the second a slave and transfer
+the zone between views.
+
+ Master 10.0.1.1:
+ key "external" {
+ algorithm hmac-md5;
+ secret "xxxxxxxx";
+ };
+
+ key "mykey" {
+ algorithm hmac-md5;
+ secret "yyyyyyyy";
+ };
+
+ view "internal" {
+ match-clients { !external; 10.0.1/24; };
+ server 10.0.1.1 {
+ /* Deliver notify messages to external view. */
+ keys { external; };
+ };
+ zone "example.com" {
+ type master;
+ file "internal/example.db";
+ allow-update { key mykey; };
+ notify-also { 10.0.1.1; };
+ };
+ };
+
+ view "external" {
+ match-clients { external; any; };
+ zone "example.com" {
+ type slave;
+ file "external/example.db";
+ masters { 10.0.1.1; };
+ transfer-source { 10.0.1.1; };
+ // allow-update-forwarding { any; };
+ // allow-notify { ... };
+ };
+ };
+
+Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master
+file primaries/wireless.ietf56.ietf.org: no owner".
+
+A: This error is produced when a line in the master file contains leading
+white space (tab/space) but the is no current record owner name to inherit
+the name from. Usually this is the result of putting white space before
+a comment. Forgeting the "@" for the SOA record or indenting the master
+file.
+
+
+Q: Why are my logs in GMT (UTC).
+
+A: You are running chrooted (-t) and have not supplied local timzone
+information in the chroot area.
+
+ FreeBSD: /etc/localtime
+ Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo
+ OSF: /etc/zoneinfo/localtime
+
+ See also tzset(3) and zic(8).
+
+
+Q: I get the error message "named: capset failed: Operation not permitted"
+when starting named.
+
+A: The capset module has not been loaded into the kernel. See insmod(8).
+
+
+Q: I get "rndc: connect failed: connection refused" when I try to run
+ rndc.
+
+A: This is usually a configuration error.
+
+ First ensure that named is running and no errors are being
+ reported at startup (/var/log/messages or equivalent). Running
+ "named -g <usual arguements>" from a terminal can help at this
+ point.
+
+ Secondly ensure that named is configured to use rndc either by
+ "rndc-confgen -a", rndc-confgen or manually. The Administators
+ Reference manual has details on how to do this.
+
+ Old versions of rndc-confgen used localhost rather than 127.0.0.1
+ in /etc/rndc.conf for the default server. Update /etc/rndc.conf
+ if necessary so that the default server listed in /etc/rndc.conf
+ matches the addresses used in named.conf. "localhost" has two
+ address (127.0.0.1 and ::1).
+
+ If you use "rndc-confgen -a" and named is running with -t or -u
+ ensure that /etc/rndc.conf has the correct ownership and that
+ a copy is in the chroot area. You can do this by re-running
+ "rndc-confgen -a" with appropriate -t and -u arguements.
+
+
+Q: I don't get RRSIG's returned when I use "dig +dnssec".
+
+A: You need to ensure DNSSEC is enabled (dnssec-enable yes;).
diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in
new file mode 100644
index 0000000..a2a0653
--- /dev/null
+++ b/contrib/bind9/Makefile.in
@@ -0,0 +1,59 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.41.2.2.2.2 2004/03/08 04:04:12 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+SUBDIRS = make lib bin doc @LIBBIND@
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+distclean::
+ @if [ "X@LIBBIND@" = "X" ] ; then \
+ i=lib/bind; \
+ echo "making $@ in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
+ fi
+
+distclean::
+ rm -f config.cache config.h config.log config.status TAGS
+ rm -f libtool isc-config.sh configure.lineno
+ rm -f util/conf.sh docutil/docbook2man-wrapper.sh
+
+# XXX we should clean libtool stuff too. Only do this after we add rules
+# to make it.
+maintainer-clean::
+ rm -f configure
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+
+install:: isc-config.sh installdirs
+ ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+
+tags:
+ rm -f TAGS
+ find lib bin -name "*.[ch]" -print | @ETAGS@ -
+
+check: test
+
+test:
+ (cd bin/tests && ${MAKE} ${MAKEDEFS} test)
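Review bot: The first `distclean::` rule chains the sub-make with `;` in `(cd $$i; ${MAKE} ${MAKEDEFS} $@)`, so a failed `cd` into `lib/bind` does not stop the recipe. `${MAKE} distclean` then runs in the top-level directory, where it would re-enter this same rule and go on to the `rm -f` lines of the second `distclean::` rule. The `test` rule at the end of this hunk already uses `&&`, and the same form works here: `(cd $$i && ${MAKE} ${MAKEDEFS} $@) || exit 1; \`. Separately, `tags`, `check`, `test` and `installdirs` are not declared phony in the visible lines. Whether `@BIND9_MAKE_RULES@` declares them cannot be seen from this hunk, so a stray file with one of those names in the build directory may cause the target to be skipped.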
diff --git a/contrib/bind9/README b/contrib/bind9/README
new file mode 100644
index 0000000..73715ce
--- /dev/null
+++ b/contrib/bind9/README
@@ -0,0 +1,344 @@
+BIND 9
+
+ BIND version 9 is a major rewrite of nearly all aspects of the
+ underlying BIND architecture. Some of the important features of
+ BIND 9 are:
+
+ - DNS Security
+ DNSSEC (signed zones)
+ TSIG (signed DNS requests)
+
+ - IP version 6
+ Answers DNS queries on IPv6 sockets
+ IPv6 resource records (AAAA)
+ Experimental IPv6 Resolver Library
+
+ - DNS Protocol Enhancements
+ IXFR, DDNS, Notify, EDNS0
+ Improved standards conformance
+
+ - Views
+ One server process can provide multiple "views" of
+ the DNS namespace, e.g. an "inside" view to certain
+ clients, and an "outside" view to others.
+
+ - Multiprocessor Support
+
+ - Improved Portability Architecture
+
+
+ BIND version 9 development has been underwritten by the following
+ organizations:
+
+ Sun Microsystems, Inc.
+ Hewlett Packard
+ Compaq Computer Corporation
+ IBM
+ Process Software Corporation
+ Silicon Graphics, Inc.
+ Network Associates, Inc.
+ U.S. Defense Information Systems Agency
+ USENIX Association
+ Stichting NLnet - NLnet Foundation
+ Nominum, Inc.
+
+
+BIND 9.3.0
+
+ BIND 9.3.0 has a number of new features over 9.2,
+ including:
+
+ DNSSEC is now DS based (RFC 3658).
+ See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
+
+ DNSSEC lookaside validation.
+
+ check-names is now implemented.
+ rrset-order in more complete.
+
+ IPv4/IPv6 transition support, dual-stack-servers.
+
+ IXFR deltas can now be generated when loading master files,
+ ixfr-from-differences.
+
+ It is now possible to specify the size of a journal, max-journal-size.
+
+ It is now possible to define a named set of master servers to be
+ used in masters clause, masters.
+
+ The advertised EDNS UDP size can now be set, edns-udp-size.
+
+ allow-v6-synthesis has been obsoleted.
+
+ NOTE:
+ * Zones containing MD and MF will now be rejected.
+ * dig, nslookup name. now report "Not Implemented" as
+ NOTIMP rather than NOTIMPL. This will have impact on scripts
+ that are looking for NOTIMPL.
+
+ libbind: corresponds to that from BIND 8.4.5.
+
+BIND 9.2.0
+
+ BIND 9.2.0 has a number of new features over 9.1,
+ including:
+
+ - The size of the cache can now be limited using the
+ "max-cache-size" option.
+
+ - The server can now automatically convert RFC1886-style
+ recursive lookup requests into RFC2874-style lookups,
+ when enabled using the new option "allow-v6-synthesis".
+ This allows stub resolvers that support AAAA records
+ but not A6 record chains or binary labels to perform
+ lookups in domains that make use of these IPv6 DNS
+ features.
+
+ - Performance has been improved.
+
+ - The man pages now use the more portable "man" macros
+ rather than the "mandoc" macros, and are installed
+ by "make install".
+
+ - The named.conf parser has been completely rewritten.
+ It now supports "include" directives in more
+ places such as inside "view" statements, and it no
+ longer has any reserved words.
+
+ - The "rndc status" command is now implemented.
+
+ - rndc can now be configured automatically.
+
+ - A BIND 8 compatible stub resolver library is now
+ included in lib/bind.
+
+ - OpenSSL has been removed from the distribution. This
+ means that to use DNSSEC, OpenSSL must be installed and
+ the --with-openssl option must be supplied to configure.
+ This does not apply to the use of TSIG, which does not
+ require OpenSSL.
+
+ - The source distribution now builds on Windows NT/2000.
+ See win32utils/readme1.txt and win32utils/win32-build.txt
+ for details.
+
+ This distribution also includes a new lightweight stub
+ resolver library and associated resolver daemon that fully
+ support forward and reverse lookups of both IPv4 and IPv6
+ addresses. This library is considered experimental and
+ is not a complete replacement for the BIND 8 resolver library.
+ Applications that use the BIND 8 res_* functions to perform
+ DNS lookups or dynamic updates still need to be linked against
+ the BIND 8 libraries. For DNS lookups, they can also use the
+ new "getrrsetbyname()" API.
+
+ BIND 9.2 is capable of acting as an authoritative server
+ for DNSSEC secured zones. This functionality is believed to
+ be stable and complete except for lacking support for
+ verifications involving wildcard records in secure zones.
+
+ When acting as a caching server, BIND 9.2 can be configured
+ to perform DNSSEC secure resolution on behalf of its clients.
+ This part of the DNSSEC implementation is still considered
+ experimental. For detailed information about the state of the
+ DNSSEC implementation, see the file doc/misc/dnssec.
+
+ There are a few known bugs:
+
+ On some systems, IPv6 and IPv4 sockets interact in
+ unexpected ways. For details, see doc/misc/ipv6.
+ To reduce the impact of these problems, the server
+ no longer listens for requests on IPv6 addresses
+ by default. If you need to accept DNS queries over
+ IPv6, you must specify "listen-on-v6 { any; };"
+ in the named.conf options statement.
+
+ FreeBSD prior to 4.2 (and 4.2 if running as non-root)
+ and OpenBSD prior to 2.8 log messages like
+ "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
+ OS X 10.2 (Darwin 6.0) reports errors like
+ "fcntl(3, F_SETFL, 4): Operation not supported by device".
+ This is due to a bug in "/dev/random" and impacts the
+ server's DNSSEC support.
+
+ --with-libtool does not work on AIX.
+
+ A bug in the Windows 2000 DNS server can cause zone transfers
+ from a BIND 9 server to a W2K server to fail. For details,
+ see the "Zone Transfers" section in doc/misc/migration.
+
+ For a detailed list of user-visible changes from
+ previous releases, see the CHANGES file.
+
+
+Building
+
+ BIND 9 currently requires a UNIX system with an ANSI C compiler,
+ basic POSIX support, and a 64 bit integer type.
+
+ We've had successful builds and tests on the following systems:
+
+ COMPAQ Tru64 UNIX 5.1B
+ FreeBSD 4.10, 5.2.1
+ HP-UX 11.11
+ NetBSD 1.5
+ Slackware Linux 8.1
+ Solaris 8, 9, 9 (x86)
+ Windows NT/2000/XP/2003
+
+ Additionally, we have unverified reports of success building
+ previous versions of BIND 9 from users of the following systems:
+
+ AIX 5L
+ SuSE Linux 7.0
+ Slackware Linux 7.x, 8.0
+ Red Hat Linux 7.1
+ Debian GNU/Linux 2.2 and 3.0
+ Mandrake 8.1
+ OpenBSD 2.6, 2.8, 2.9
+ UnixWare 7.1.1
+ HP-UX 10.20
+ BSD/OS 4.2
+ Mac OS X 10.1
+
+ To build, just
+
+ ./configure
+ make
+
+ Do not use a parallel "make".
+
+ Several environment variables that can be set before running
+ configure will affect compilation:
+
+ CC
+ The C compiler to use. configure tries to figure
+ out the right one for supported systems.
+
+ CFLAGS
+ C compiler flags. Defaults to include -g and/or -O2
+ as supported by the compiler.
+
+ STD_CINCLUDES
+ System header file directories. Can be used to specify
+ where add-on thread or IPv6 support is, for example.
+ Defaults to empty string.
+
+ STD_CDEFINES
+ Any additional preprocessor symbols you want defined.
+ Defaults to empty string.
+
+ Possible settings:
+ Change the default syslog facility of named/lwresd.
+ -DISC_FACILITY=LOG_LOCAL0
+ Enable DNSSEC signature chasing support in dig.
+ -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
+ -DDIG_SIGCHASE_BU=1)
+
+ LDFLAGS
+ Linker flags. Defaults to empty string.
+
+ To build shared libraries, specify "--with-libtool" on the
+ configure command line.
+
+ For the server to support DNSSEC, you need to build it
+ with crypto support. You must have OpenSSL 0.9.5a
+ or newer installed and specify "--with-openssl" on the
+ configure command line. If OpenSSL is installed under
+ a nonstandard prefix, you can tell configure where to
+ look for it using "--with-openssl=/prefix".
+
+ To build libbind (the BIND 8 resolver library), specify
+ "--enable-libbind" on the configure command line.
+
+ On some platforms, BIND 9 can be built with multithreading
+ support, allowing it to take advantage of multiple CPUs.
+ You can specify whether to build a multithreaded BIND 9
+ by specifying "--enable-threads" or "--disable-threads"
+ on the configure command line. The default is operating
+ system dependent.
+
+ If your operating system has integrated support for IPv6, it
+ will be used automatically. If you have installed KAME IPv6
+ separately, use "--with-kame[=PATH]" to specify its location.
+
+ "make install" will install "named" and the various BIND 9 libraries.
+ By default, installation is into /usr/local, but this can be changed
+ with the "--prefix" option when running "configure".
+
+ You may specify the option "--sysconfdir" to set the directory
+ where configuration files like "named.conf" go by default,
+ and "--localstatedir" to set the default parent directory
+ of "run/named.pid". For backwards compatibility with BIND 8,
+ --sysconfdir defaults to "/etc" and --localstatedir defaults to
+ "/var" if no --prefix option is given. If there is a --prefix
+ option, sysconfdir defaults to "$prefix/etc" and localstatedir
+ defaults to "$prefix/var".
+
+ To see additional configure options, run "configure --help".
+ Note that the help message does not reflect the BIND 8
+ compatibility defaults for sysconfdir and localstatedir.
+
+ If you're planning on making changes to the BIND 9 source, you
+ should also "make depend". If you're using Emacs, you might find
+ "make tags" helpful.
+
+ If you need to re-run configure please run "make distclean" first.
+ This will ensure that all the option changes take.
+
+ Building with gcc is not supported, unless gcc is the vendor's usual
+ compiler (e.g. the various BSD systems, Linux).
+
+ * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
+ * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
+
+ A limited test suite can be run with "make test". Many of
+ the tests require you to configure a set of virtual IP addresses
+ on your system, and some require Perl; see bin/tests/system/README
+ for details.
+
+
+Documentation
+
+ The BIND 9 Administrator Reference Manual is included with the
+ source distribution in DocBook XML and HTML format, in the
+ doc/arm directory.
+
+ Some of the programs in the BIND 9 distribution have man pages
+ in their directories. In particular, the command line
+ options of "named" are documented in /bin/named/named.8.
+ There is now also a set of man pages for the lwres library.
+
+ If you are upgrading from BIND 8, please read the migration
+ notes in doc/misc/migration. If you are upgrading from
+ BIND 4, read doc/misc/migration-4to9.
+
+ Frequently asked questions and their answers can be found in
+ FAQ.
+
+
+Bug Reports and Mailing Lists
+
+ Bugs reports should be sent to
+
+ bind9-bugs@isc.org
+
+ To join the BIND Users mailing list, send mail to
+
+ bind-users-request@isc.org
+
+ archives of which can be found via
+
+ http://www.isc.org/ops/lists/
+
+ If you're planning on making changes to the BIND 9 source
+ code, you might want to join the BIND Workers mailing list.
+ Send mail to
+
+ bind-workers-request@isc.org
+
+
diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h
new file mode 100644
index 0000000..0eacd06
--- /dev/null
+++ b/contrib/bind9/acconfig.h
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acconfig.h,v 1.35.2.4.2.8 2004/05/21 08:24:04 marka Exp $ */
+
+/***
+ *** This file is not to be included by any public header files, because
+ *** it does not get installed.
+ ***/
+@TOP@
+
+/* define to `int' if <sys/types.h> doesn't define. */
+#undef ssize_t
+
+/* define on DEC OSF to enable 4.4BSD style sa_len support */
+#undef _SOCKADDR_LEN
+
+/* define if your system needs pthread_init() before using pthreads */
+#undef NEED_PTHREAD_INIT
+
+/* define if your system has sigwait() */
+#undef HAVE_SIGWAIT
+
+/* define if sigwait() is the UnixWare flavor */
+#undef HAVE_UNIXWARE_SIGWAIT
+
+/* define on Solaris to get sigwait() to work using pthreads semantics */
+#undef _POSIX_PTHREAD_SEMANTICS
+
+/* define if LinuxThreads is in use */
+#undef HAVE_LINUXTHREADS
+
+/* define if sysconf() is available */
+#undef HAVE_SYSCONF
+
+/* define if sysctlbyname() is available */
+#undef HAVE_SYSCTLBYNAME
+
+/* define if catgets() is available */
+#undef HAVE_CATGETS
+
+/* define if getifaddrs() exists */
+#undef HAVE_GETIFADDRS
+
+/* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
+#undef HAVE_IFLIST_SYSCTL
+
+/* define if chroot() is available */
+#undef HAVE_CHROOT
+
+/* define if tzset() is available */
+#undef HAVE_TZSET
+
+/* define if struct addrinfo exists */
+#undef HAVE_ADDRINFO
+
+/* define if getaddrinfo() exists */
+#undef HAVE_GETADDRINFO
+
+/* define if gai_strerror() exists */
+#undef HAVE_GAISTRERROR
+
+/* define if arc4random() exists */
+#undef HAVE_ARC4RANDOM
+
+/* define if pthread_setconcurrency() should be called to tell the
+ * OS how many threads we might want to run.
+ */
+#undef CALL_PTHREAD_SETCONCURRENCY
+
+/* define if IPv6 is not disabled */
+#undef WANT_IPV6
+
+/* define if flockfile() is available */
+#undef HAVE_FLOCKFILE
+
+/* define if getc_unlocked() is available */
+#undef HAVE_GETCUNLOCKED
+
+/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+
+/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */
+#undef SHUTUP_SIGWAIT
+#ifdef SHUTUP_SIGWAIT
+int sigwait(const unsigned int *set, int *sig);
+#endif
+
+/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */
+#undef SHUTUP_STDARG_CAST
+#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__)
+#include <stdarg.h> /* Grr. Must be included *every time*. */
+/*
+ * The silly continuation line is to keep configure from
+ * commenting out the #undef.
+ */
+#undef \
+ va_start
+#define va_start(ap, last) \
+ do { \
+ union { const void *konst; long *var; } _u; \
+ _u.konst = &(last); \
+ ap = (va_list)(_u.var + __va_words(__typeof(last))); \
+ } while (0)
+#endif /* SHUTUP_STDARG_CAST && __GNUC__ */
+
+/* define if the system has a random number generating device */
+#undef PATH_RANDOMDEV
+
+/* define if pthread_attr_getstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE
+
+/* define if pthread_attr_setstacksize() is available */
+#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE
+
+/* define if you have strerror in the C library. */
+#undef HAVE_STRERROR
+
+/* Define if you are running under Compaq TruCluster.. */
+#undef HAVE_TRUCLUSTER
+
+/* Define if OpenSSL includes DSA support */
+#undef HAVE_OPENSSL_DSA
diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in
new file mode 100644
index 0000000..d8261d7
--- /dev/null
+++ b/contrib/bind9/bin/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = named rndc dig dnssec tests nsupdate check
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in
new file mode 100644
index 0000000..5fdf463
--- /dev/null
+++ b/contrib/bind9/bin/check/Makefile.in
@@ -0,0 +1,95 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${ISC_INCLUDES}
+
+CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
+CWARNINGS =
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS =
+
+# Alphabetically
+TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@
+
+# Alphabetically
+SRCS = named-checkconf.c named-checkzone.c check-tool.c
+
+MANPAGES = named-checkconf.8 named-checkzone.8
+
+HTMLPAGES = named-checkconf.html named-checkzone.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+named-checkconf.@O@: named-checkconf.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/named-checkconf.c
+
+named-checkzone.@O@: named-checkzone.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -c ${srcdir}/named-checkzone.c
+
+named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
+ ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \
+ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir}
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+
+clean distclean::
+ rm -f ${TARGETS} r1.htm
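Review bot: The `named-checkconf@EXEEXT@` rule links `${DNSLIBS}` but its prerequisite list names only `${ISCDEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS}`, so a rebuilt libdns does not trigger a relink of the checker. Adding `${DNSDEPLIBS}` to that prerequisite list, as the `named-checkzone@EXEEXT@` rule already does, closes the gap. In the `install::` recipe the `for m in ${MANPAGES}` loop returns only the status of the last `${INSTALL_DATA}`, so an earlier failed copy goes unnoticed; ending the loop body with `${DESTDIR}${mandir}/man8 || exit 1; done` makes the target fail on the first error.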
diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c
new file mode 100644
index 0000000..cefee82
--- /dev/null
+++ b/contrib/bind9/bin/check/check-tool.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: check-tool.c,v 1.4.12.5 2004/03/08 04:04:13 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "check-tool.h"
+#include <isc/util.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/region.h>
+#include <isc/stdio.h>
+#include <isc/types.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/types.h>
+#include <dns/zone.h>
+
+#define CHECK(r) \
+ do { \
+ result = (r); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
+static const char *dbtype[] = { "rbt" };
+
+int debug = 0;
+isc_boolean_t nomerge = ISC_TRUE;
+unsigned int zone_options = DNS_ZONEOPT_CHECKNS|DNS_ZONEOPT_MANYERRORS;
+
+isc_result_t
+setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+ isc_logdestination_t destination;
+ isc_logconfig_t *logconfig = NULL;
+ isc_log_t *log = NULL;
+
+ RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+ isc_log_setcontext(log);
+
+ destination.file.stream = stdout;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC,
+ ISC_LOG_DYNAMIC,
+ &destination, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL) == ISC_R_SUCCESS);
+
+ *logp = log;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+ const char *classname, dns_zone_t **zonep)
+{
+ isc_result_t result;
+ dns_rdataclass_t rdclass;
+ isc_textregion_t region;
+ isc_buffer_t buffer;
+ dns_fixedname_t fixorigin;
+ dns_name_t *origin;
+ dns_zone_t *zone = NULL;
+
+ REQUIRE(zonep == NULL || *zonep == NULL);
+
+ if (debug)
+ fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n",
+ zonename, filename, classname);
+
+ CHECK(dns_zone_create(&zone, mctx));
+
+ dns_zone_settype(zone, dns_zone_master);
+
+ isc_buffer_init(&buffer, zonename, strlen(zonename));
+ isc_buffer_add(&buffer, strlen(zonename));
+ dns_fixedname_init(&fixorigin);
+ origin = dns_fixedname_name(&fixorigin);
+ CHECK(dns_name_fromtext(origin, &buffer, dns_rootname,
+ ISC_FALSE, NULL));
+ CHECK(dns_zone_setorigin(zone, origin));
+ CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype));
+ CHECK(dns_zone_setfile(zone, filename));
+
+ DE_CONST(classname, region.base);
+ region.length = strlen(classname);
+ CHECK(dns_rdataclass_fromtext(&rdclass, &region));
+
+ dns_zone_setclass(zone, rdclass);
+ dns_zone_setoption(zone, zone_options, ISC_TRUE);
+ dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge);
+
+ CHECK(dns_zone_load(zone));
+ if (zonep != NULL){
+ *zonep = zone;
+ zone = NULL;
+ }
+
+ cleanup:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ return (result);
+}
+
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename)
+{
+ isc_result_t result;
+ FILE *output = stdout;
+
+ if (debug) {
+ if (filename != NULL)
+ fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
+ zonename, filename);
+ else
+ fprintf(stderr, "dumping \"%s\"\n", zonename);
+ }
+
+ if (filename != NULL) {
+ result = isc_stdio_open(filename, "w+", &output);
+
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not open output "
+ "file \"%s\" for writing\n", filename);
+ return (ISC_R_FAILURE);
+ }
+ }
+
+ result = dns_zone_fulldumptostream(zone, output);
+
+ if (filename != NULL)
+ (void)isc_stdio_close(output);
+
+ return (result);
+}
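Review bot: `dump_zone` discards the result of `isc_stdio_close(output)`, so a write error that only surfaces when the stream is flushed (for example a full disk) is not reported and the caller sees the success returned by `dns_zone_fulldumptostream()` next to a truncated file. Keeping the first error fixes this: add a local `isc_result_t cresult`, then `cresult = isc_stdio_close(output);` and `if (result == ISC_R_SUCCESS) result = cresult;`. The open-failure path also replaces the real `isc_stdio_open()` result with `ISC_R_FAILURE` and prints no reason, which hides permission and path problems from the operator. In `setup_logging` the channel is named "stderr" while `destination.file.stream` is `stdout`; a comment such as `/* channel name is historical; output goes to stdout */` (or the opposite, if stderr was intended) would record which side is deliberate.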
diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h
new file mode 100644
index 0000000..105cd25
--- /dev/null
+++ b/contrib/bind9/bin/check/check-tool.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */
+
+#ifndef CHECK_TOOL_H
+#define CHECK_TOOL_H
+
+#include <isc/lang.h>
+
+#include <isc/types.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+
+isc_result_t
+load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
+ const char *classname, dns_zone_t **zonep);
+
+isc_result_t
+dump_zone(const char *zonename, dns_zone_t *zone, const char *filename);
+
+extern int debug;
+extern isc_boolean_t nomerge;
+extern unsigned int zone_options;
+
+ISC_LANG_ENDDECLS
+
+#endif
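Review bot: The three prototypes have no contract comments, and two of them take pointers whose NULL case a caller can only learn by reading check-tool.c. A comment on `load_zone` should say that `zonep` may be NULL (the loaded zone is then detached before returning) and otherwise must point to a NULL pointer, and a comment on `dump_zone` should say that a NULL `filename` writes the dump to stdout. The exported globals `debug`, `nomerge` and `zone_options` would also benefit from a one-line comment each giving the default set in check-tool.c (0, `ISC_TRUE`, `DNS_ZONEOPT_CHECKNS|DNS_ZONEOPT_MANYERRORS`), since the tools change them from option parsing.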
diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8
new file mode 100644
index 0000000..25dbdd8
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkconf.8
@@ -0,0 +1,59 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: named-checkconf.8,v 1.11.12.4 2004/06/03 05:35:41 marka Exp $
+.\"
+.TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" ""
+.SH NAME
+named-checkconf \- named configuration file syntax checking tool
+.SH SYNOPSIS
+.sp
+\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-j\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBnamed-checkconf\fR checks the syntax, but not
+the semantics, of a named configuration file.
+.SH "OPTIONS"
+.TP
+\fB-t \fIdirectory\fB\fR
+chroot to \fIdirectory\fR so that include
+directives in the configuration file are processed as if
+run by a similarly chrooted named.
+.TP
+\fB-v\fR
+Print the version of the \fBnamed-checkconf\fR
+program and exit.
+.TP
+\fB-z\fR
+Perform a check load the master zonefiles found in
+\fInamed.conf\fR.
+.TP
+\fB-j\fR
+When loading a zonefile read the journal if it exists.
+.TP
+\fBfilename\fR
+The name of the configuration file to be checked. If not
+specified, it defaults to \fI/etc/named.conf\fR.
+.SH "RETURN VALUES"
+.PP
+\fBnamed-checkconf\fR returns an exit status of 1 if
+errors were detected and 0 otherwise.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c
new file mode 100644
index 0000000..88a7299
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkconf.c
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named-checkconf.c,v 1.12.12.7 2004/03/08 09:04:14 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+
+#include "check-tool.h"
+
+isc_log_t *logc = NULL;
+
+#define CHECK(r)\
+ do { \
+ result = (r); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
+static void
+usage(void) {
+ fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
+ "[named.conf]\n");
+ exit(1);
+}
+
+static isc_result_t
+directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+ isc_result_t result;
+ char *directory;
+
+ REQUIRE(strcasecmp("directory", clausename) == 0);
+
+ UNUSED(arg);
+ UNUSED(clausename);
+
+ /*
+ * Change directory.
+ */
+ directory = cfg_obj_asstring(obj);
+ result = isc_dir_chdir(directory);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logc, ISC_LOG_ERROR,
+ "change directory to '%s' failed: %s\n",
+ directory, isc_result_totext(result));
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig,
+ isc_mem_t *mctx)
+{
+ isc_result_t result;
+ const char *zclass;
+ const char *zname;
+ const char *zfile;
+ cfg_obj_t *zoptions = NULL;
+ cfg_obj_t *classobj = NULL;
+ cfg_obj_t *typeobj = NULL;
+ cfg_obj_t *fileobj = NULL;
+ cfg_obj_t *dbobj = NULL;
+
+ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+ classobj = cfg_tuple_get(zconfig, "class");
+ if (!cfg_obj_isstring(classobj))
+ zclass = vclass;
+ else
+ zclass = cfg_obj_asstring(classobj);
+ zoptions = cfg_tuple_get(zconfig, "options");
+ cfg_map_get(zoptions, "type", &typeobj);
+ if (typeobj == NULL)
+ return (ISC_R_FAILURE);
+ if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
+ return (ISC_R_SUCCESS);
+ cfg_map_get(zoptions, "database", &dbobj);
+ if (dbobj != NULL)
+ return (ISC_R_SUCCESS);
+ cfg_map_get(zoptions, "file", &fileobj);
+ if (fileobj == NULL)
+ return (ISC_R_FAILURE);
+ zfile = cfg_obj_asstring(fileobj);
+ result = load_zone(mctx, zname, zfile, zclass, NULL);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass,
+ dns_result_totext(result));
+ return(result);
+}
+
+static isc_result_t
+configure_view(const char *vclass, const char *view, cfg_obj_t *config,
+ cfg_obj_t *vconfig, isc_mem_t *mctx)
+{
+ cfg_listelt_t *element;
+ cfg_obj_t *voptions;
+ cfg_obj_t *zonelist;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+
+ voptions = NULL;
+ if (vconfig != NULL)
+ voptions = cfg_tuple_get(vconfig, "options");
+
+ zonelist = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "zone", &zonelist);
+ else
+ (void)cfg_map_get(config, "zone", &zonelist);
+
+ for (element = cfg_list_first(zonelist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *zconfig = cfg_listelt_value(element);
+ tresult = configure_zone(vclass, view, zconfig, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ return (result);
+}
+
+
+static isc_result_t
+load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) {
+ cfg_listelt_t *element;
+ cfg_obj_t *classobj;
+ cfg_obj_t *views;
+ cfg_obj_t *vconfig;
+ const char *vclass;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+
+ views = NULL;
+
+ (void)cfg_map_get(config, "view", &views);
+ for (element = cfg_list_first(views);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const char *vname;
+
+ vclass = "IN";
+ vconfig = cfg_listelt_value(element);
+ if (vconfig != NULL) {
+ classobj = cfg_tuple_get(vconfig, "class");
+ if (cfg_obj_isstring(classobj))
+ vclass = cfg_obj_asstring(classobj);
+ }
+ vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+ tresult = configure_view(vclass, vname, config, vconfig, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+
+ if (views == NULL) {
+ tresult = configure_view("IN", "_default", config, NULL, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ return (result);
+}
+
+int
+main(int argc, char **argv) {
+ int c;
+ cfg_parser_t *parser = NULL;
+ cfg_obj_t *config = NULL;
+ const char *conffile = NULL;
+ isc_mem_t *mctx = NULL;
+ isc_result_t result;
+ int exit_status = 0;
+ isc_boolean_t load_zones = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+ switch (c) {
+ case 'd':
+ debug++;
+ break;
+
+ case 'j':
+ nomerge = ISC_FALSE;
+ break;
+
+ case 't':
+ result = isc_dir_chroot(isc_commandline_argument);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chroot: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+ result = isc_dir_chdir("/");
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chdir: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+ break;
+
+ case 'v':
+ printf(VERSION "\n");
+ exit(0);
+
+ case 'z':
+ load_zones = ISC_TRUE;
+ break;
+
+ default:
+ usage();
+ }
+ }
+
+ if (argv[isc_commandline_index] != NULL)
+ conffile = argv[isc_commandline_index];
+ if (conffile == NULL || conffile[0] == '\0')
+ conffile = NAMED_CONFFILE;
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+
+ dns_result_register();
+
+ RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
+
+ cfg_parser_setcallback(parser, directory_callback, NULL);
+
+ if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) !=
+ ISC_R_SUCCESS)
+ exit(1);
+
+ result = bind9_check_namedconf(config, logc, mctx);
+ if (result != ISC_R_SUCCESS)
+ exit_status = 1;
+
+ if (result == ISC_R_SUCCESS && load_zones) {
+ dns_log_init(logc);
+ dns_log_setcontext(logc);
+ result = load_zones_fromconfig(config, mctx);
+ if (result != ISC_R_SUCCESS)
+ exit_status = 1;
+ }
+
+ cfg_obj_destroy(parser, &config);
+
+ cfg_parser_destroy(&parser);
+
+ isc_log_destroy(&logc);
+
+ isc_mem_destroy(&mctx);
+
+ return (exit_status);
+}
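Review bot: In `load_zones_fromconfig` the loop guards `vconfig` with `if (vconfig != NULL)` before reading the class, then calls `cfg_tuple_get(vconfig, "name")` unconditionally right after, so either the guard is dead code or the name lookup can be handed a NULL object. If `cfg_listelt_value()` can return NULL here, an `if (vconfig == NULL) continue;` at the top of the loop body makes the two uses agree; otherwise the guard should go. In `main`, no call after `isc_dir_chroot()` changes the uid, so the config parse, the `directory` callback's chdir and every `-z` zone load appear to run with the privilege that chroot required. A comment on the `-t` case should state that, and that files read inside the chroot are trusted as much as the invoking user. `printf(VERSION "\n")` also passes a build-supplied string as the format; `printf("%s\n", VERSION)` avoids interpreting any `%` in it.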
diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook
new file mode 100644
index 0000000..d1336cf
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkconf.docbook
@@ -0,0 +1,146 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.5 2004/06/03 02:24:59 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 14, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>named-checkconf</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>named-checkconf</application></refname>
+ <refpurpose>named configuration file syntax checking tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named-checkconf</command>
+ <arg><option>-v</option></arg>
+ <arg><option>-j</option></arg>
+ <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg choice="req">filename</arg>
+ <arg><option>-z</option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>named-checkconf</command> checks the syntax, but not
+ the semantics, of a named configuration file.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-t <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ chroot to <filename>directory</filename> so that include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Print the version of the <command>named-checkconf</command>
+ program and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-z</term>
+ <listitem>
+ <para>
+ Perform a check load the master zonefiles found in
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-j</term>
+ <listitem>
+ <para>
+ When loading a zonefile read the journal if it exists.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>filename</term>
+ <listitem>
+ <para>
+ The name of the configuration file to be checked. If not
+ specified, it defaults to <filename>/etc/named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>RETURN VALUES</title>
+ <para>
+ <command>named-checkconf</command> returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>named</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
+
diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html
new file mode 100644
index 0000000..8d5f38e
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkconf.html
@@ -0,0 +1,216 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>named-checkconf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>named-checkconf</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named-checkconf</SPAN
+>&nbsp;--&nbsp;named configuration file syntax checking tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named-checkconf</B
+> [<VAR
+CLASS="OPTION"
+>-v</VAR
+>] [<VAR
+CLASS="OPTION"
+>-j</VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] {filename} [<VAR
+CLASS="OPTION"
+>-z</VAR
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN26"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>named-checkconf</B
+> checks the syntax, but not
+ the semantics, of a named configuration file.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN30"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> chroot to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+> Print the version of the <B
+CLASS="COMMAND"
+>named-checkconf</B
+>
+ program and exit.
+ </P
+></DD
+><DT
+>-z</DT
+><DD
+><P
+> Perform a check load the master zonefiles found in
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+ </P
+></DD
+><DT
+>-j</DT
+><DD
+><P
+> When loading a zonefile read the journal if it exists.
+ </P
+></DD
+><DT
+>filename</DT
+><DD
+><P
+> The name of the configuration file to be checked. If not
+ specified, it defaults to <TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN58"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+> <B
+CLASS="COMMAND"
+>named-checkconf</B
+> returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN62"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN69"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8
new file mode 100644
index 0000000..efa600c
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkzone.8
@@ -0,0 +1,94 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: named-checkzone.8,v 1.11.2.1.8.4 2004/06/03 05:35:42 marka Exp $
+.\"
+.TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" ""
+.SH NAME
+named-checkzone \- zone file validity checking tool
+.SH SYNOPSIS
+.sp
+\fBnamed-checkzone\fR [ \fB-d\fR ] [ \fB-j\fR ] [ \fB-q\fR ] [ \fB-v\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-k \fImode\fB\fR ] [ \fB-n \fImode\fB\fR ] [ \fB-o \fIfilename\fB\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-w \fIdirectory\fB\fR ] [ \fB-D\fR ] \fBzonename\fR \fBfilename\fR
+.SH "DESCRIPTION"
+.PP
+\fBnamed-checkzone\fR checks the syntax and integrity of
+a zone file. It performs the same checks as \fBnamed\fR
+does when loading a zone. This makes
+\fBnamed-checkzone\fR useful for checking zone
+files before configuring them into a name server.
+.SH "OPTIONS"
+.TP
+\fB-d\fR
+Enable debugging.
+.TP
+\fB-q\fR
+Quiet mode - exit code only.
+.TP
+\fB-v\fR
+Print the version of the \fBnamed-checkzone\fR
+program and exit.
+.TP
+\fB-j\fR
+When loading the zone file read the journal if it exists.
+.TP
+\fB-c \fIclass\fB\fR
+Specify the class of the zone. If not specified "IN" is assumed.
+.TP
+\fB-k \fImode\fB\fR
+Perform \fB"check-name"\fR checks with the specified failure mode.
+Possible modes are \fB"fail"\fR,
+\fB"warn"\fR (default) and
+\fB"ignore"\fR.
+.TP
+\fB-n \fImode\fB\fR
+Specify whether NS records should be checked to see if they
+are addresses. Possible modes are \fB"fail"\fR,
+\fB"warn"\fR (default) and
+\fB"ignore"\fR.
+.TP
+\fB-o \fIfilename\fB\fR
+Write zone output to \fIdirectory\fR.
+.TP
+\fB-t \fIdirectory\fB\fR
+chroot to \fIdirectory\fR so that include
+directives in the configuration file are processed as if
+run by a similarly chrooted named.
+.TP
+\fB-w \fIdirectory\fB\fR
+chdir to \fIdirectory\fR so that relative
+filenames in master file $INCLUDE directives work. This
+is similar to the directory clause in
+\fInamed.conf\fR.
+.TP
+\fB-D\fR
+Dump zone file in canonical format.
+.TP
+\fBzonename\fR
+The domain name of the zone being checked.
+.TP
+\fBfilename\fR
+The name of the zone file.
+.SH "RETURN VALUES"
+.PP
+\fBnamed-checkzone\fR returns an exit status of 1 if
+errors were detected and 0 otherwise.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fIRFC 1035\fR,
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c
new file mode 100644
index 0000000..d023bd6
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkzone.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named-checkzone.c,v 1.13.2.3.8.9 2004/03/06 10:21:11 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+
+#include "check-tool.h"
+
+static int quiet = 0;
+static isc_mem_t *mctx = NULL;
+dns_zone_t *zone = NULL;
+dns_zonetype_t zonetype = dns_zone_master;
+static int dumpzone = 0;
+static const char *output_filename;
+
+#define ERRRET(result, function) \
+ do { \
+ if (result != ISC_R_SUCCESS) { \
+ if (!quiet) \
+ fprintf(stderr, "%s() returned %s\n", \
+ function, dns_result_totext(result)); \
+ return (result); \
+ } \
+ } while (0)
+
+static void
+usage(void) {
+ fprintf(stderr,
+ "usage: named-checkzone [-djqvD] [-c class] [-o output] "
+ "[-t directory] [-w directory] [-k option] zonename filename\n");
+ exit(1);
+}
+
+static void
+destroy(void) {
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+}
+
+int
+main(int argc, char **argv) {
+ int c;
+ char *origin = NULL;
+ char *filename = NULL;
+ isc_log_t *lctx = NULL;
+ isc_result_t result;
+ char classname_in[] = "IN";
+ char *classname = classname_in;
+ const char *workdir = NULL;
+
+ while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) {
+ switch (c) {
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+
+ case 'd':
+ debug++;
+ break;
+
+ case 'j':
+ nomerge = ISC_FALSE;
+ break;
+
+ case 'n':
+ if (!strcmp(isc_commandline_argument, "ignore"))
+ zone_options &= ~(DNS_ZONEOPT_CHECKNS|
+ DNS_ZONEOPT_FATALNS);
+ else if (!strcmp(isc_commandline_argument, "warn")) {
+ zone_options |= DNS_ZONEOPT_CHECKNS;
+ zone_options &= ~DNS_ZONEOPT_FATALNS;
+ } else if (!strcmp(isc_commandline_argument, "fail"))
+ zone_options |= DNS_ZONEOPT_CHECKNS|
+ DNS_ZONEOPT_FATALNS;
+ break;
+
+ case 'k':
+ if (!strcmp(isc_commandline_argument, "check-names")) {
+ zone_options |= DNS_ZONEOPT_CHECKNAMES;
+ } else if (!strcmp(isc_commandline_argument,
+ "check-names-fail")) {
+ zone_options |= DNS_ZONEOPT_CHECKNAMES |
+ DNS_ZONEOPT_CHECKNAMESFAIL;
+ }
+ break;
+
+ case 'q':
+ quiet++;
+ break;
+
+ case 't':
+ result = isc_dir_chroot(isc_commandline_argument);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chroot: %s: %s\n",
+ isc_commandline_argument,
+ isc_result_totext(result));
+ exit(1);
+ }
+ result = isc_dir_chdir("/");
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chdir: %s\n",
+ isc_result_totext(result));
+ exit(1);
+ }
+ break;
+
+ case 'o':
+ output_filename = isc_commandline_argument;
+ break;
+
+ case 'v':
+ printf(VERSION "\n");
+ exit(0);
+
+ case 'w':
+ workdir = isc_commandline_argument;
+ break;
+
+ case 'D':
+ dumpzone++;
+ break;
+
+ default:
+ usage();
+ }
+ }
+
+ if (workdir != NULL) {
+ result = isc_dir_chdir(workdir);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "isc_dir_chdir: %s: %s\n",
+ workdir, isc_result_totext(result));
+ exit(1);
+ }
+ }
+
+ if (isc_commandline_index + 2 > argc)
+ usage();
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+ if (!quiet) {
+ RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
+ dns_log_init(lctx);
+ dns_log_setcontext(lctx);
+ }
+
+ dns_result_register();
+
+ origin = argv[isc_commandline_index++];
+ filename = argv[isc_commandline_index++];
+ result = load_zone(mctx, origin, filename, classname, &zone);
+
+ if (result == ISC_R_SUCCESS && dumpzone) {
+ result = dump_zone(origin, zone, output_filename);
+ }
+
+ if (!quiet && result == ISC_R_SUCCESS)
+ fprintf(stdout, "OK\n");
+ destroy();
+ if (lctx != NULL)
+ isc_log_destroy(&lctx);
+ isc_mem_destroy(&mctx);
+ return ((result == ISC_R_SUCCESS) ? 0 : 1);
+}
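Review bot: The `-k` and `-n` cases in main() silently do nothing when the argument matches none of the compared strings, so an unsupported or mistyped mode leaves `zone_options` at whatever default check-tool.c sets (not visible here) and the run can still print OK and exit 0. For `-k` the gap is wider, because the named-checkzone.8 page added in this same commit documents the modes as "fail", "warn" and "ignore", while the code only recognises `check-names` and `check-names-fail`; an operator who passes `-k fail` as documented gets no change in check-names enforcement and no diagnostic. Each chain should end in a rejecting branch, for example `else { fprintf(stderr, "invalid argument to -k: %s\n", isc_commandline_argument); exit(1); }` (and the same for `-n`), and the accepted keywords should be reconciled with the manual page. The usage() string also omits `-n` and describes `-k` as taking an "option" rather than a mode.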
diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook
new file mode 100644
index 0000000..68b0bae
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkzone.docbook
@@ -0,0 +1,236 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.7 2004/06/03 02:25:00 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 13, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>named-checkzone</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>named-checkzone</application></refname>
+ <refpurpose>zone file validity checking tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named-checkzone</command>
+ <arg><option>-d</option></arg>
+ <arg><option>-j</option></arg>
+ <arg><option>-q</option></arg>
+ <arg><option>-v</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg>
+ <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-D</option></arg>
+ <arg choice="req">zonename</arg>
+ <arg choice="req">filename</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>named-checkzone</command> checks the syntax and integrity of
+ a zone file. It performs the same checks as <command>named</command>
+ does when loading a zone. This makes
+ <command>named-checkzone</command> useful for checking zone
+ files before configuring them into a name server.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-d</term>
+ <listitem>
+ <para>
+ Enable debugging.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode - exit code only.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Print the version of the <command>named-checkzone</command>
+ program and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-j</term>
+ <listitem>
+ <para>
+ When loading the zone file read the journal if it exists.
+ </para>
+ </listitem>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specify the class of the zone. If not specified "IN" is assumed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">mode</replaceable></term>
+ <listitem>
+ <para>
+ Perform <command>"check-name"</command> checks with the specified failure mode.
+ Possible modes are <command>"fail"</command>,
+ <command>"warn"</command> (default) and
+ <command>"ignore"</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">mode</replaceable></term>
+ <listitem>
+ <para>
+ Specify whether NS records should be checked to see if they
+ are addresses. Possible modes are <command>"fail"</command>,
+ <command>"warn"</command> (default) and
+ <command>"ignore"</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o <replaceable class="parameter">filename</replaceable></term>
+ <listitem>
+ <para>
+ Write zone output to <filename>directory</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ chroot to <filename>directory</filename> so that include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-w <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ chdir to <filename>directory</filename> so that relative
+ filenames in master file $INCLUDE directives work. This
+ is similar to the directory clause in
+ <filename>named.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D</term>
+ <listitem>
+ <para>
+ Dump zone file in canonical format.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>zonename</term>
+ <listitem>
+ <para>
+ The domain name of the zone being checked.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>filename</term>
+ <listitem>
+ <para>
+ The name of the zone file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>RETURN VALUES</title>
+ <para>
+ <command>named-checkzone</command> returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>named</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>RFC 1035</citetitle>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
+
diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html
new file mode 100644
index 0000000..dd14c1f
--- /dev/null
+++ b/contrib/bind9/bin/check/named-checkzone.html
@@ -0,0 +1,367 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-checkzone.html,v 1.5.2.2.4.5 2004/08/22 23:38:57 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>named-checkzone</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>named-checkzone</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named-checkzone</SPAN
+>&nbsp;--&nbsp;zone file validity checking tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named-checkzone</B
+> [<VAR
+CLASS="OPTION"
+>-d</VAR
+>] [<VAR
+CLASS="OPTION"
+>-j</VAR
+>] [<VAR
+CLASS="OPTION"
+>-q</VAR
+>] [<VAR
+CLASS="OPTION"
+>-v</VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>mode</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-n <VAR
+CLASS="REPLACEABLE"
+>mode</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-o <VAR
+CLASS="REPLACEABLE"
+>filename</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-w <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-D</VAR
+>] {zonename} {filename}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>named-checkzone</B
+> checks the syntax and integrity of
+ a zone file. It performs the same checks as <B
+CLASS="COMMAND"
+>named</B
+>
+ does when loading a zone. This makes
+ <B
+CLASS="COMMAND"
+>named-checkzone</B
+> useful for checking zone
+ files before configuring them into a name server.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN52"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-d</DT
+><DD
+><P
+> Enable debugging.
+ </P
+></DD
+><DT
+>-q</DT
+><DD
+><P
+> Quiet mode - exit code only.
+ </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+> Print the version of the <B
+CLASS="COMMAND"
+>named-checkzone</B
+>
+ program and exit.
+ </P
+></DD
+><DT
+>-j</DT
+><DD
+><P
+> When loading the zone file read the journal if it exists.
+ </P
+></DD
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></DT
+><DD
+><P
+> Specify the class of the zone. If not specified "IN" is assumed.
+ </P
+></DD
+><DT
+>-k <VAR
+CLASS="REPLACEABLE"
+>mode</VAR
+></DT
+><DD
+><P
+> Perform <B
+CLASS="COMMAND"
+>"check-name"</B
+> checks with the specified failure mode.
+ Possible modes are <B
+CLASS="COMMAND"
+>"fail"</B
+>,
+ <B
+CLASS="COMMAND"
+>"warn"</B
+> (default) and
+ <B
+CLASS="COMMAND"
+>"ignore"</B
+>.
+ </P
+></DD
+><DT
+>-n <VAR
+CLASS="REPLACEABLE"
+>mode</VAR
+></DT
+><DD
+><P
+> Specify whether NS records should be checked to see if they
+ are addresses. Possible modes are <B
+CLASS="COMMAND"
+>"fail"</B
+>,
+ <B
+CLASS="COMMAND"
+>"warn"</B
+> (default) and
+ <B
+CLASS="COMMAND"
+>"ignore"</B
+>.
+ </P
+></DD
+><DT
+>-o <VAR
+CLASS="REPLACEABLE"
+>filename</VAR
+></DT
+><DD
+><P
+> Write zone output to <TT
+CLASS="FILENAME"
+>directory</TT
+>.
+ </P
+></DD
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> chroot to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that include
+ directives in the configuration file are processed as if
+ run by a similarly chrooted named.
+ </P
+></DD
+><DT
+>-w <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> chdir to <TT
+CLASS="FILENAME"
+>directory</TT
+> so that relative
+ filenames in master file $INCLUDE directives work. This
+ is similar to the directory clause in
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+ </P
+></DD
+><DT
+>-D</DT
+><DD
+><P
+> Dump zone file in canonical format.
+ </P
+></DD
+><DT
+>zonename</DT
+><DD
+><P
+> The domain name of the zone being checked.
+ </P
+></DD
+><DT
+>filename</DT
+><DD
+><P
+> The name of the zone file.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN125"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+> <B
+CLASS="COMMAND"
+>named-checkzone</B
+> returns an exit status of 1 if
+ errors were detected and 0 otherwise.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN129"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 1035</I
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN137"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in
new file mode 100644
index 0000000..65c14ce
--- /dev/null
+++ b/contrib/bind9/bin/dig/Makefile.in
@@ -0,0 +1,101 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISC_INCLUDES} ${LWRES_INCLUDES}
+
+CDEFINES = -DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
+ ${LWRESDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
+ ${ISCCFGLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@
+
+OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@
+
+UOBJS =
+
+SRCS = dig.c dighost.c host.c nslookup.c
+
+MANPAGES = dig.1 host.1 nslookup.1
+
+HTMLPAGES = dig.html host.html nslookup.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dig.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ host.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+
+install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+ dig@EXEEXT@ ${DESTDIR}${bindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+ host@EXEEXT@ ${DESTDIR}${bindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \
+ nslookup@EXEEXT@ ${DESTDIR}${bindir}
+ for m in ${MANPAGES}; do \
+ ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \
+ done
diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1
new file mode 100644
index 0000000..f14d921
--- /dev/null
+++ b/contrib/bind9/bin/dig/dig.1
@@ -0,0 +1,401 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $
+.\"
+.TH "DIG" "1" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+dig \- DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ]
+.sp
+\fBdig\fR [ \fB-h\fR ]
+.sp
+\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ] [ \fBquery\fR\fI...\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBdig\fR (domain information groper) is a flexible tool
+for interrogating DNS name servers. It performs DNS lookups and
+displays the answers that are returned from the name server(s) that
+were queried. Most DNS administrators use \fBdig\fR to
+troubleshoot DNS problems because of its flexibility, ease of use and
+clarity of output. Other lookup tools tend to have less functionality
+than \fBdig\fR.
+.PP
+Although \fBdig\fR is normally used with command-line
+arguments, it also has a batch mode of operation for reading lookup
+requests from a file. A brief summary of its command-line arguments
+and options is printed when the \fB-h\fR option is given.
+Unlike earlier versions, the BIND9 implementation of
+\fBdig\fR allows multiple lookups to be issued from the
+command line.
+.PP
+Unless it is told to query a specific name server,
+\fBdig\fR will try each of the servers listed in
+\fI/etc/resolv.conf\fR.
+.PP
+When no command line arguments or options are given, will perform an
+NS query for "." (the root).
+.PP
+It is possible to set per-user defaults for \fBdig\fR via
+\fI${HOME}/.digrc\fR. This file is read and any options in it
+are applied before the command line arguments.
+.SH "SIMPLE USAGE"
+.PP
+A typical invocation of \fBdig\fR looks like:
+.sp
+.nf
+ dig @server name type
+.sp
+.fi
+where:
+.TP
+\fBserver\fR
+is the name or IP address of the name server to query. This can be an IPv4
+address in dotted-decimal notation or an IPv6
+address in colon-delimited notation. When the supplied
+\fIserver\fR argument is a hostname,
+\fBdig\fR resolves that name before querying that name
+server. If no \fIserver\fR argument is provided,
+\fBdig\fR consults \fI/etc/resolv.conf\fR
+and queries the name servers listed there. The reply from the name
+server that responds is displayed.
+.TP
+\fBname\fR
+is the name of the resource record that is to be looked up.
+.TP
+\fBtype\fR
+indicates what type of query is required \(em
+ANY, A, MX, SIG, etc.
+\fItype\fR can be any valid query type. If no
+\fItype\fR argument is supplied,
+\fBdig\fR will perform a lookup for an A record.
+.SH "OPTIONS"
+.PP
+The \fB-b\fR option sets the source IP address of the query
+to \fIaddress\fR. This must be a valid address on
+one of the host's network interfaces or "0.0.0.0" or "::". An optional port
+may be specified by appending "#<port>"
+.PP
+The default query class (IN for internet) is overridden by the
+\fB-c\fR option. \fIclass\fR is any valid
+class, such as HS for Hesiod records or CH for CHAOSNET records.
+.PP
+The \fB-f\fR option makes \fBdig \fR operate
+in batch mode by reading a list of lookup requests to process from the
+file \fIfilename\fR. The file contains a number of
+queries, one per line. Each entry in the file should be organised in
+the same way they would be presented as queries to
+\fBdig\fR using the command-line interface.
+.PP
+If a non-standard port number is to be queried, the
+\fB-p\fR option is used. \fIport#\fR is
+the port number that \fBdig\fR will send its queries
+instead of the standard DNS port number 53. This option would be used
+to test a name server that has been configured to listen for queries
+on a non-standard port number.
+.PP
+The \fB-4\fR option forces \fBdig\fR to only
+use IPv4 query transport. The \fB-6\fR option forces
+\fBdig\fR to only use IPv6 query transport.
+.PP
+The \fB-t\fR option sets the query type to
+\fItype\fR. It can be any valid query type which is
+supported in BIND9. The default query type "A", unless the
+\fB-x\fR option is supplied to indicate a reverse lookup.
+A zone transfer can be requested by specifying a type of AXFR. When
+an incremental zone transfer (IXFR) is required,
+\fItype\fR is set to ixfr=N.
+The incremental zone transfer will contain the changes made to the zone
+since the serial number in the zone's SOA record was
+\fIN\fR.
+.PP
+Reverse lookups - mapping addresses to names - are simplified by the
+\fB-x\fR option. \fIaddr\fR is an IPv4
+address in dotted-decimal notation, or a colon-delimited IPv6 address.
+When this option is used, there is no need to provide the
+\fIname\fR, \fIclass\fR and
+\fItype\fR arguments. \fBdig\fR
+automatically performs a lookup for a name like
+11.12.13.10.in-addr.arpa and sets the query type and
+class to PTR and IN respectively. By default, IPv6 addresses are
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain
+specify the \fB-i\fR option. Bit string labels (RFC2874)
+are now experimental and are not attempted.
+.PP
+To sign the DNS queries sent by \fBdig\fR and their
+responses using transaction signatures (TSIG), specify a TSIG key file
+using the \fB-k\fR option. You can also specify the TSIG
+key itself on the command line using the \fB-y\fR option;
+\fIname\fR is the name of the TSIG key and
+\fIkey\fR is the actual key. The key is a base-64
+encoded string, typically generated by \fBdnssec-keygen\fR(8).
+Caution should be taken when using the \fB-y\fR option on
+multi-user systems as the key can be visible in the output from
+\fBps\fR(1) or in the shell's history file. When
+using TSIG authentication with \fBdig\fR, the name
+server that is queried needs to know the key and algorithm that is
+being used. In BIND, this is done by providing appropriate
+\fBkey\fR and \fBserver\fR statements in
+\fInamed.conf\fR.
+.SH "QUERY OPTIONS"
+.PP
+\fBdig\fR provides a number of query options which affect
+the way in which lookups are made and the results displayed. Some of
+these set or reset flag bits in the query header, some determine which
+sections of the answer get printed, and others determine the timeout
+and retry strategies.
+.PP
+Each query option is identified by a keyword preceded by a plus sign
+(+). Some keywords set or reset an option. These may be preceded
+by the string no to negate the meaning of that keyword. Other
+keywords assign values to options like the timeout interval. They
+have the form \fB+keyword=value\fR.
+The query options are:
+.TP
+\fB+[no]tcp\fR
+Use [do not use] TCP when querying name servers. The default
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
+which case a TCP connection is used.
+.TP
+\fB+[no]vc\fR
+Use [do not use] TCP when querying name servers. This alternate
+syntax to \fI+[no]tcp\fR is provided for backwards
+compatibility. The "vc" stands for "virtual circuit".
+.TP
+\fB+[no]ignore\fR
+Ignore truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.
+.TP
+\fB+domain=somename\fR
+Set the search list to contain the single domain
+\fIsomename\fR, as if specified in a
+\fBdomain\fR directive in
+\fI/etc/resolv.conf\fR, and enable search list
+processing as if the \fI+search\fR option were given.
+.TP
+\fB+[no]search\fR
+Use [do not use] the search list defined by the searchlist or domain
+directive in \fIresolv.conf\fR (if any).
+The search list is not used by default.
+.TP
+\fB+[no]defname\fR
+Deprecated, treated as a synonym for \fI+[no]search\fR
+.TP
+\fB+[no]aaonly\fR
+Sets the "aa" flag in the query.
+.TP
+\fB+[no]aaflag\fR
+A synonym for \fI+[no]aaonly\fR.
+.TP
+\fB+[no]adflag\fR
+Set [do not set] the AD (authentic data) bit in the query. The AD bit
+currently has a standard meaning only in responses, not in queries,
+but the ability to set the bit in the query is provided for
+completeness.
+.TP
+\fB+[no]cdflag\fR
+Set [do not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+.TP
+\fB+[no]cl\fR
+Display [do not display] the CLASS when printing the record.
+.TP
+\fB+[no]ttlid\fR
+Display [do not display] the TTL when printing the record.
+.TP
+\fB+[no]recurse\fR
+Toggle the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means \fBdig\fR
+normally sends recursive queries. Recursion is automatically disabled
+when the \fI+nssearch\fR or
+\fI+trace\fR query options are used.
+.TP
+\fB+[no]nssearch\fR
+When this option is set, \fBdig\fR attempts to find the
+authoritative name servers for the zone containing the name being
+looked up and display the SOA record that each name server has for the
+zone.
+.TP
+\fB+[no]trace\fR
+Toggle tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, \fBdig\fR makes iterative queries to
+resolve the name being looked up. It will follow referrals from the
+root servers, showing the answer from each server that was used to
+resolve the lookup.
+.TP
+\fB+[no]cmd\fR
+toggles the printing of the initial comment in the output identifying
+the version of \fBdig\fR and the query options that have
+been applied. This comment is printed by default.
+.TP
+\fB+[no]short\fR
+Provide a terse answer. The default is to print the answer in a
+verbose form.
+.TP
+\fB+[no]identify\fR
+Show [or do not show] the IP address and port number that supplied the
+answer when the \fI+short\fR option is enabled. If
+short form answers are requested, the default is not to show the
+source address and port number of the server that provided the answer.
+.TP
+\fB+[no]comments\fR
+Toggle the display of comment lines in the output. The default is to
+print comments.
+.TP
+\fB+[no]stats\fR
+This query option toggles the printing of statistics: when the query
+was made, the size of the reply and so on. The default behaviour is
+to print the query statistics.
+.TP
+\fB+[no]qr\fR
+Print [do not print] the query as it is sent.
+By default, the query is not printed.
+.TP
+\fB+[no]question\fR
+Print [do not print] the question section of a query when an answer is
+returned. The default is to print the question section as a comment.
+.TP
+\fB+[no]answer\fR
+Display [do not display] the answer section of a reply. The default
+is to display it.
+.TP
+\fB+[no]authority\fR
+Display [do not display] the authority section of a reply. The
+default is to display it.
+.TP
+\fB+[no]additional\fR
+Display [do not display] the additional section of a reply.
+The default is to display it.
+.TP
+\fB+[no]all\fR
+Set or clear all display flags.
+.TP
+\fB+time=T\fR
+Sets the timeout for a query to
+\fIT\fR seconds. The default time out is 5 seconds.
+An attempt to set \fIT\fR to less than 1 will result
+in a query timeout of 1 second being applied.
+.TP
+\fB+tries=T\fR
+Sets the number of times to try UDP queries to server to
+\fIT\fR instead of the default, 3. If
+\fIT\fR is less than or equal to zero, the number of
+tries is silently rounded up to 1.
+.TP
+\fB+retry=T\fR
+Sets the number of times to retry UDP queries to server to
+\fIT\fR instead of the default, 2. Unlike
+\fI+tries\fR, this does not include the initial
+query.
+.TP
+\fB+ndots=D\fR
+Set the number of dots that have to appear in
+\fIname\fR to \fID\fR for it to be
+considered absolute. The default value is that defined using the
+ndots statement in \fI/etc/resolv.conf\fR, or 1 if no
+ndots statement is present. Names with fewer dots are interpreted as
+relative names and will be searched for in the domains listed in the
+\fBsearch\fR or \fBdomain\fR directive in
+\fI/etc/resolv.conf\fR.
+.TP
+\fB+bufsize=B\fR
+Set the UDP message buffer size advertised using EDNS0 to
+\fIB\fR bytes. The maximum and minimum sizes of this
+buffer are 65535 and 0 respectively. Values outside this range are
+rounded up or down appropriately.
+.TP
+\fB+[no]multiline\fR
+Print records like the SOA records in a verbose multi-line
+format with human-readable comments. The default is to print
+each record on a single line, to facilitate machine parsing
+of the \fBdig\fR output.
+.TP
+\fB+[no]fail\fR
+Do not try the next server if you receive a SERVFAIL. The default is
+to not try the next server which is the reverse of normal stub resolver
+behaviour.
+.TP
+\fB+[no]besteffort\fR
+Attempt to display the contents of messages which are malformed.
+The default is to not display malformed answers.
+.TP
+\fB+[no]dnssec\fR
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
+in the OPT record in the additional section of the query.
+.TP
+\fB+[no]sigchase\fR
+Chase DNSSEC signature chains. Requires dig be compiled with
+-DDIG_SIGCHASE.
+.TP
+\fB+trusted-key=####\fR
+Specify a trusted key to be used with \fB+sigchase\fR.
+Requires dig be compiled with -DDIG_SIGCHASE.
+.TP
+\fB+[no]topdown\fR
+When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.
+.SH "MULTIPLE QUERIES"
+.PP
+The BIND 9 implementation of \fBdig \fR supports
+specifying multiple queries on the command line (in addition to
+supporting the \fB-f\fR batch file option). Each of those
+queries can be supplied with its own set of flags, options and query
+options.
+.PP
+In this case, each \fIquery\fR argument represent an
+individual query in the command-line syntax described above. Each
+consists of any of the standard options and flags, the name to be
+looked up, an optional query type and class and any query options that
+should be applied to that query.
+.PP
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the
+first tuple of name, class, type, options, flags, and query options
+supplied on the command line. Any global query options (except
+the \fB+[no]cmd\fR option) can be
+overridden by a query-specific set of query options. For example:
+.sp
+.nf
+dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+.sp
+.fi
+shows how \fBdig\fR could be used from the command line
+to make three lookups: an ANY query for www.isc.org, a
+reverse lookup of 127.0.0.1 and a query for the NS records of
+isc.org.
+A global query option of \fI+qr\fR is applied, so
+that \fBdig\fR shows the initial query it made for each
+lookup. The final query has a local query option of
+\fI+noqr\fR which means that \fBdig\fR
+will not print the initial query when it looks up the NS records for
+isc.org.
+.SH "FILES"
+.PP
+\fI/etc/resolv.conf\fR
+.PP
+\fI${HOME}/.digrc\fR
+.SH "SEE ALSO"
+.PP
+\fBhost\fR(1),
+\fBnamed\fR(8),
+\fBdnssec-keygen\fR(8),
+\fIRFC1035\fR.
+.SH "BUGS"
+.PP
+There are probably too many query options.
diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c
new file mode 100644
index 0000000..b2c4625
--- /dev/null
+++ b/contrib/bind9/bin/dig/dig.c
@@ -0,0 +1,1671 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dig.c,v 1.157.2.13.2.20 2004/06/23 04:19:40 marka Exp $ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+
+#include <isc/app.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/task.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+#define ADD_STRING(b, s) { \
+ if (strlen(s) >= isc_buffer_availablelength(b)) \
+ return (ISC_R_NOSPACE); \
+ else \
+ isc_buffer_putstr(b, s); \
+}
+
+
+extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
+ usesearch, qr;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern dns_messageid_t id;
+extern int sendcount;
+extern int ndots;
+extern int lookup_counter;
+extern int exitcode;
+extern isc_sockaddr_t bind_address;
+extern char keynametext[MXNAME];
+extern char keyfile[MXNAME];
+extern char keysecret[MXNAME];
+#ifdef DIG_SIGCHASE
+extern char trustedkey[MXNAME];
+#endif
+extern dns_tsigkey_t *key;
+extern isc_boolean_t validated;
+extern isc_taskmgr_t *taskmgr;
+extern isc_task_t *global_task;
+extern isc_boolean_t free_now;
+dig_lookup_t *default_lookup = NULL;
+
+extern isc_boolean_t debugging, memdebugging;
+static char *batchname = NULL;
+static FILE *batchfp = NULL;
+static char *argv0;
+
+static char domainopt[DNS_NAME_MAXTEXT];
+
+static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
+ ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
+ multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
+
+static const char *opcodetext[] = {
+ "QUERY",
+ "IQUERY",
+ "STATUS",
+ "RESERVED3",
+ "NOTIFY",
+ "UPDATE",
+ "RESERVED6",
+ "RESERVED7",
+ "RESERVED8",
+ "RESERVED9",
+ "RESERVED10",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15"
+};
+
+static const char *rcodetext[] = {
+ "NOERROR",
+ "FORMERR",
+ "SERVFAIL",
+ "NXDOMAIN",
+ "NOTIMP",
+ "REFUSED",
+ "YXDOMAIN",
+ "YXRRSET",
+ "NXRRSET",
+ "NOTAUTH",
+ "NOTZONE",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15",
+ "BADVERS"
+};
+
+extern char *progname;
+
+static void
+print_usage(FILE *fp) {
+ fputs(
+"Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n"
+" {global-d-opt} host [@local-server] {local-d-opt}\n"
+" [ host [@local-server] {local-d-opt} [...]]\n", fp);
+}
+
+static void
+usage(void) {
+ print_usage(stderr);
+ fputs("\nUse \"dig -h\" (or \"dig -h | more\") "
+ "for complete list of options\n", stderr);
+ exit(1);
+}
+
+static void
+version(void) {
+ fputs("DiG " VERSION "\n", stderr);
+}
+
+static void
+help(void) {
+ print_usage(stdout);
+ fputs(
+"Where: domain is in the Domain Name System\n"
+" q-class is one of (in,hs,ch,...) [default: in]\n"
+" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n"
+" (Use ixfr=version for type ixfr)\n"
+" q-opt is one of:\n"
+" -x dot-notation (shortcut for in-addr lookups)\n"
+" -i (IP6.INT reverse IPv6 lookups)\n"
+" -f filename (batch mode)\n"
+" -b address[#port] (bind to source address/port)\n"
+" -p port (specify port number)\n"
+" -t type (specify query type)\n"
+" -c class (specify query class)\n"
+" -k keyfile (specify tsig key file)\n"
+" -y name:key (specify named base64 tsig key)\n"
+" -4 (use IPv4 query transport only)\n"
+" -6 (use IPv6 query transport only)\n"
+" d-opt is of the form +keyword[=value], where keyword is:\n"
+" +[no]vc (TCP mode)\n"
+" +[no]tcp (TCP mode, alternate syntax)\n"
+" +time=### (Set query timeout) [5]\n"
+" +tries=### (Set number of UDP attempts) [3]\n"
+" +retry=### (Set number of UDP retries) [2]\n"
+" +domain=### (Set default domainname)\n"
+" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
+" +ndots=### (Set NDOTS value)\n"
+" +[no]search (Set whether to use searchlist)\n"
+" +[no]defname (Ditto)\n"
+" +[no]recurse (Recursive mode)\n"
+" +[no]ignore (Don't revert to TCP for TC responses.)"
+"\n"
+" +[no]fail (Don't try next server on SERVFAIL)\n"
+" +[no]besteffort (Try to parse even illegal messages)\n"
+" +[no]aaonly (Set AA flag in query (+[no]aaflag))\n"
+" +[no]adflag (Set AD flag in query)\n"
+" +[no]cdflag (Set CD flag in query)\n"
+" +[no]cl (Control display of class in records)\n"
+" +[no]cmd (Control display of command line)\n"
+" +[no]comments (Control display of comment lines)\n"
+" +[no]question (Control display of question)\n"
+" +[no]answer (Control display of answer)\n"
+" +[no]authority (Control display of authority)\n"
+" +[no]additional (Control display of additional)\n"
+" +[no]stats (Control display of statistics)\n"
+" +[no]short (Disable everything except short\n"
+" form of answer)\n"
+" +[no]ttlid (Control display of ttls in records)\n"
+" +[no]all (Set or clear all display flags)\n"
+" +[no]qr (Print question before sending)\n"
+" +[no]nssearch (Search all authoritative nameservers)\n"
+" +[no]identify (ID responders in short answers)\n"
+" +[no]trace (Trace delegation down from root)\n"
+" +[no]dnssec (Request DNSSEC records)\n"
+#ifdef DIG_SIGCHASE
+" +[no]sigchase (Chase DNSSEC signatures)\n"
+" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n"
+#if DIG_SIGCHASE_TD
+" +[no]topdown (Do DNSSEC validation top down mode)\n"
+#endif
+#endif
+" +[no]multiline (Print records in an expanded format)\n"
+" global d-opts and servers (before host name) affect all queries.\n"
+" local d-opts and servers (after host name) affect only that lookup.\n"
+" -h (print help and exit)\n"
+" -v (print version and exit)\n",
+ stdout);
+}
+
+/*
+ * Callback from dighost.c to print the received message.
+ */
+void
+received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+ isc_uint64_t diff;
+ isc_time_t now;
+ time_t tnow;
+ char fromtext[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+
+ TIME_NOW(&now);
+
+ if (query->lookup->stats && !short_form) {
+ diff = isc_time_microdiff(&now, &query->time_sent);
+ printf(";; Query time: %ld msec\n", (long int)diff/1000);
+ printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
+ time(&tnow);
+ printf(";; WHEN: %s", ctime(&tnow));
+ if (query->lookup->doing_xfr) {
+ printf(";; XFR size: %u records (messages %u)\n",
+ query->rr_count, query->msg_count);
+ } else {
+ printf(";; MSG SIZE rcvd: %d\n", bytes);
+
+ }
+ if (key != NULL) {
+ if (!validated)
+ puts(";; WARNING -- Some TSIG could not "
+ "be validated");
+ }
+ if ((key == NULL) && (keysecret[0] != 0)) {
+ puts(";; WARNING -- TSIG key was not used.");
+ }
+ puts("");
+ } else if (query->lookup->identify && !short_form) {
+ diff = isc_time_microdiff(&now, &query->time_sent);
+ printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
+ bytes, fromtext, query->servname,
+ (int)diff/1000);
+ }
+}
+
+/*
+ * Callback from dighost.c to print that it is trying a server.
+ * Not used in dig.
+ * XXX print_trying
+ */
+void
+trying(char *frm, dig_lookup_t *lookup) {
+ UNUSED(frm);
+ UNUSED(lookup);
+}
+
+/*
+ * Internal print routine used to print short form replies.
+ */
+static isc_result_t
+say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
+ isc_result_t result;
+ isc_uint64_t diff;
+ isc_time_t now;
+ char store[sizeof("12345678901234567890")];
+
+ if (query->lookup->trace || query->lookup->ns_search_only) {
+ result = dns_rdatatype_totext(rdata->type, buf);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ ADD_STRING(buf, " ");
+ }
+ result = dns_rdata_totext(rdata, NULL, buf);
+ check_result(result, "dns_rdata_totext");
+ if (query->lookup->identify) {
+ TIME_NOW(&now);
+ diff = isc_time_microdiff(&now, &query->time_sent);
+ ADD_STRING(buf, " from server ");
+ ADD_STRING(buf, query->servname);
+ snprintf(store, 19, " in %d ms.", (int)diff/1000);
+ ADD_STRING(buf, store);
+ }
+ ADD_STRING(buf, "\n");
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * short_form message print handler. Calls above say_message()
+ */
+static isc_result_t
+short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
+ isc_buffer_t *buf, dig_query_t *query)
+{
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ isc_buffer_t target;
+ isc_result_t result, loopresult;
+ dns_name_t empty_name;
+ char t[4096];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ UNUSED(flags);
+
+ dns_name_init(&empty_name, NULL);
+ result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_SUCCESS);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+
+ for (;;) {
+ name = NULL;
+ dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+
+ isc_buffer_init(&target, t, sizeof(t));
+
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ loopresult = dns_rdataset_first(rdataset);
+ while (loopresult == ISC_R_SUCCESS) {
+ dns_rdataset_current(rdataset, &rdata);
+ result = say_message(&rdata, query,
+ buf);
+ check_result(result, "say_message");
+ loopresult = dns_rdataset_next(rdataset);
+ dns_rdata_reset(&rdata);
+ }
+ }
+ result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+#ifdef DIG_SIGCHASE
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+ isc_buffer_t *target)
+{
+ isc_result_t result;
+ dns_master_style_t *style = NULL;
+ unsigned int styleflags = 0;
+
+ if (rdataset == NULL || owner_name == NULL || target == NULL)
+ return(ISC_FALSE);
+
+ styleflags |= DNS_STYLEFLAG_REL_OWNER;
+ if (nottl)
+ styleflags |= DNS_STYLEFLAG_NO_TTL;
+ if (noclass)
+ styleflags |= DNS_STYLEFLAG_NO_CLASS;
+ if (multiline) {
+ styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+ styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+ styleflags |= DNS_STYLEFLAG_REL_DATA;
+ styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+ styleflags |= DNS_STYLEFLAG_TTL;
+ styleflags |= DNS_STYLEFLAG_MULTILINE;
+ styleflags |= DNS_STYLEFLAG_COMMENT;
+ }
+ if (multiline || (nottl && noclass))
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 24, 24, 32, 80, 8, mctx);
+ else if (nottl || noclass)
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 24, 32, 40, 80, 8, mctx);
+ else
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 32, 40, 48, 80, 8, mctx);
+ check_result(result, "dns_master_stylecreate");
+
+ result = dns_master_rdatasettotext(owner_name, rdataset, style, target);
+
+ if (style != NULL)
+ dns_master_styledestroy(&style, mctx);
+
+ return(result);
+}
+#endif
+
+/*
+ * Callback from dighost.c to print the reply from a server
+ */
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+ isc_result_t result;
+ dns_messagetextflag_t flags;
+ isc_buffer_t *buf = NULL;
+ unsigned int len = OUTPUTBUF;
+ dns_master_style_t *style = NULL;
+ unsigned int styleflags = 0;
+
+ styleflags |= DNS_STYLEFLAG_REL_OWNER;
+ if (nottl)
+ styleflags |= DNS_STYLEFLAG_NO_TTL;
+ if (noclass)
+ styleflags |= DNS_STYLEFLAG_NO_CLASS;
+ if (multiline) {
+ styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
+ styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
+ styleflags |= DNS_STYLEFLAG_REL_DATA;
+ styleflags |= DNS_STYLEFLAG_OMIT_TTL;
+ styleflags |= DNS_STYLEFLAG_TTL;
+ styleflags |= DNS_STYLEFLAG_MULTILINE;
+ styleflags |= DNS_STYLEFLAG_COMMENT;
+ }
+ if (multiline || (nottl && noclass))
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 24, 24, 32, 80, 8, mctx);
+ else if (nottl || noclass)
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 24, 32, 40, 80, 8, mctx);
+ else
+ result = dns_master_stylecreate(&style, styleflags,
+ 24, 32, 40, 48, 80, 8, mctx);
+ check_result(result, "dns_master_stylecreate");
+
+ if (query->lookup->cmdline[0] != 0) {
+ if (!short_form)
+ fputs(query->lookup->cmdline, stdout);
+ query->lookup->cmdline[0]=0;
+ }
+ debug("printmessage(%s %s %s)", headers ? "headers" : "noheaders",
+ query->lookup->comments ? "comments" : "nocomments",
+ short_form ? "short_form" : "long_form");
+
+ flags = 0;
+ if (!headers) {
+ flags |= DNS_MESSAGETEXTFLAG_NOHEADERS;
+ flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+ }
+ if (!query->lookup->comments)
+ flags |= DNS_MESSAGETEXTFLAG_NOCOMMENTS;
+
+ result = ISC_R_SUCCESS;
+
+ result = isc_buffer_allocate(mctx, &buf, len);
+ check_result(result, "isc_buffer_allocate");
+
+ if (query->lookup->comments && !short_form) {
+ if (query->lookup->cmdline[0] != 0)
+ printf("; %s\n", query->lookup->cmdline);
+ if (msg == query->lookup->sendmsg)
+ printf(";; Sending:\n");
+ else
+ printf(";; Got answer:\n");
+
+ if (headers) {
+ printf(";; ->>HEADER<<- opcode: %s, status: %s, "
+ "id: %u\n",
+ opcodetext[msg->opcode], rcodetext[msg->rcode],
+ msg->id);
+ printf(";; flags:");
+ if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+ printf(" qr");
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+ printf(" aa");
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+ printf(" tc");
+ if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+ printf(" rd");
+ if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+ printf(" ra");
+ if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+ printf(" ad");
+ if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+ printf(" cd");
+
+ printf("; QUERY: %u, ANSWER: %u, "
+ "AUTHORITY: %u, ADDITIONAL: %u\n",
+ msg->counts[DNS_SECTION_QUESTION],
+ msg->counts[DNS_SECTION_ANSWER],
+ msg->counts[DNS_SECTION_AUTHORITY],
+ msg->counts[DNS_SECTION_ADDITIONAL]);
+ }
+ }
+
+repopulate_buffer:
+
+ if (query->lookup->comments && headers && !short_form) {
+ result = dns_message_pseudosectiontotext(msg,
+ DNS_PSEUDOSECTION_OPT,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE) {
+buftoosmall:
+ len += OUTPUTBUF;
+ isc_buffer_free(&buf);
+ result = isc_buffer_allocate(mctx, &buf, len);
+ if (result == ISC_R_SUCCESS)
+ goto repopulate_buffer;
+ else
+ goto cleanup;
+ }
+ check_result(result,
+ "dns_message_pseudosectiontotext");
+ }
+
+ if (query->lookup->section_question && headers) {
+ if (!short_form) {
+ result = dns_message_sectiontotext(msg,
+ DNS_SECTION_QUESTION,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result, "dns_message_sectiontotext");
+ }
+ }
+ if (query->lookup->section_answer) {
+ if (!short_form) {
+ result = dns_message_sectiontotext(msg,
+ DNS_SECTION_ANSWER,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result, "dns_message_sectiontotext");
+ } else {
+ result = short_answer(msg, flags, buf, query);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result, "short_answer");
+ }
+ }
+ if (query->lookup->section_authority) {
+ if (!short_form) {
+ result = dns_message_sectiontotext(msg,
+ DNS_SECTION_AUTHORITY,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result, "dns_message_sectiontotext");
+ }
+ }
+ if (query->lookup->section_additional) {
+ if (!short_form) {
+ result = dns_message_sectiontotext(msg,
+ DNS_SECTION_ADDITIONAL,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result, "dns_message_sectiontotext");
+ /*
+ * Only print the signature on the first record.
+ */
+ if (headers) {
+ result = dns_message_pseudosectiontotext(
+ msg,
+ DNS_PSEUDOSECTION_TSIG,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result,
+ "dns_message_pseudosectiontotext");
+ result = dns_message_pseudosectiontotext(
+ msg,
+ DNS_PSEUDOSECTION_SIG0,
+ style, flags, buf);
+ if (result == ISC_R_NOSPACE)
+ goto buftoosmall;
+ check_result(result,
+ "dns_message_pseudosectiontotext");
+ }
+ }
+ }
+ if (headers && query->lookup->comments && !short_form)
+ printf("\n");
+
+ printf("%.*s", (int)isc_buffer_usedlength(buf),
+ (char *)isc_buffer_base(buf));
+ isc_buffer_free(&buf);
+
+cleanup:
+ if (style != NULL)
+ dns_master_styledestroy(&style, mctx);
+ return (result);
+}
+
+/*
+ * print the greeting message when the program first starts up.
+ */
+static void
+printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
+ int i;
+ int remaining;
+ static isc_boolean_t first = ISC_TRUE;
+ char append[MXNAME];
+
+ if (printcmd) {
+ lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
+ snprintf(lookup->cmdline, sizeof(lookup->cmdline),
+ "%s; <<>> DiG " VERSION " <<>>",
+ first?"\n":"");
+ i = 1;
+ while (i < argc) {
+ snprintf(append, sizeof(append), " %s", argv[i++]);
+ remaining = sizeof(lookup->cmdline) -
+ strlen(lookup->cmdline) - 1;
+ strncat(lookup->cmdline, append, remaining);
+ }
+ remaining = sizeof(lookup->cmdline) -
+ strlen(lookup->cmdline) - 1;
+ strncat(lookup->cmdline, "\n", remaining);
+ if (first) {
+ snprintf(append, sizeof(append),
+ ";; global options: %s %s\n",
+ short_form ? "short_form" : "",
+ printcmd ? "printcmd" : "");
+ first = ISC_FALSE;
+ remaining = sizeof(lookup->cmdline) -
+ strlen(lookup->cmdline) - 1;
+ strncat(lookup->cmdline, append, remaining);
+ }
+ }
+}
+
+/*
+ * Reorder an argument list so that server names all come at the end.
+ * This is a bit of a hack, to allow batch-mode processing to properly
+ * handle the server options.
+ */
+static void
+reorder_args(int argc, char *argv[]) {
+ int i, j;
+ char *ptr;
+ int end;
+
+ debug("reorder_args()");
+ end = argc - 1;
+ while (argv[end][0] == '@') {
+ end--;
+ if (end == 0)
+ return;
+ }
+ debug("arg[end]=%s", argv[end]);
+ for (i = 1; i < end - 1; i++) {
+ if (argv[i][0] == '@') {
+ debug("arg[%d]=%s", i, argv[i]);
+ ptr = argv[i];
+ for (j = i + 1; j < end; j++) {
+ debug("Moving %s to %d", argv[j], j - 1);
+ argv[j - 1] = argv[j];
+ }
+ debug("moving %s to end, %d", ptr, end - 1);
+ argv[end - 1] = ptr;
+ end--;
+ if (end < 1)
+ return;
+ }
+ }
+}
+
+static isc_uint32_t
+parse_uint(char *arg, const char *desc, isc_uint32_t max) {
+ isc_result_t result;
+ isc_uint32_t tmp;
+
+ result = isc_parse_uint32(&tmp, arg, 10);
+ if (result == ISC_R_SUCCESS && tmp > max)
+ result = ISC_R_RANGE;
+ if (result != ISC_R_SUCCESS)
+ fatal("%s '%s': %s", desc, arg, isc_result_totext(result));
+ return (tmp);
+}
+
+/*
+ * We're not using isc_commandline_parse() here since the command line
+ * syntax of dig is quite a bit different from that which can be described
+ * by that routine.
+ * XXX doc options
+ */
+
+static void
+plus_option(char *option, isc_boolean_t is_batchfile,
+ dig_lookup_t *lookup)
+{
+ char option_store[256];
+ char *cmd, *value, *ptr;
+ isc_boolean_t state = ISC_TRUE;
+#ifdef DIG_SIGCHASE
+ size_t n;
+#endif
+
+ strncpy(option_store, option, sizeof(option_store));
+ option_store[sizeof(option_store)-1]=0;
+ ptr = option_store;
+ cmd = next_token(&ptr,"=");
+ if (cmd == NULL) {
+ printf(";; Invalid option %s\n", option_store);
+ return;
+ }
+ value = ptr;
+ if (strncasecmp(cmd, "no", 2)==0) {
+ cmd += 2;
+ state = ISC_FALSE;
+ }
+
+#define FULLCHECK(A) \
+ do { \
+ size_t _l = strlen(cmd); \
+ if (_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) \
+ goto invalid_option; \
+ } while (0)
+#define FULLCHECK2(A, B) \
+ do { \
+ size_t _l = strlen(cmd); \
+ if ((_l >= sizeof(A) || strncasecmp(cmd, A, _l) != 0) && \
+ (_l >= sizeof(B) || strncasecmp(cmd, B, _l) != 0)) \
+ goto invalid_option; \
+ } while (0)
+
+ switch (cmd[0]) {
+ case 'a':
+ switch (cmd[1]) {
+ case 'a': /* aaonly / aaflag */
+ FULLCHECK2("aaonly", "aaflag");
+ lookup->aaonly = state;
+ break;
+ case 'd':
+ switch (cmd[2]) {
+ case 'd': /* additional */
+ FULLCHECK("additional");
+ lookup->section_additional = state;
+ break;
+ case 'f': /* adflag */
+ FULLCHECK("adflag");
+ lookup->adflag = state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'l': /* all */
+ FULLCHECK("all");
+ lookup->section_question = state;
+ lookup->section_authority = state;
+ lookup->section_answer = state;
+ lookup->section_additional = state;
+ lookup->comments = state;
+ lookup->stats = state;
+ printcmd = state;
+ break;
+ case 'n': /* answer */
+ FULLCHECK("answer");
+ lookup->section_answer = state;
+ break;
+ case 'u': /* authority */
+ FULLCHECK("authority");
+ lookup->section_authority = state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'b':
+ switch (cmd[1]) {
+ case 'e':/* besteffort */
+ FULLCHECK("besteffort");
+ lookup->besteffort = state;
+ break;
+ case 'u':/* bufsize */
+ FULLCHECK("bufsize");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ lookup->udpsize = (isc_uint16_t) parse_uint(value,
+ "buffer size", COMMSIZE);
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'c':
+ switch (cmd[1]) {
+ case 'd':/* cdflag */
+ FULLCHECK("cdflag");
+ lookup->cdflag = state;
+ break;
+ case 'l': /* cl */
+ FULLCHECK("cl");
+ noclass = !state;
+ break;
+ case 'm': /* cmd */
+ FULLCHECK("cmd");
+ printcmd = state;
+ break;
+ case 'o': /* comments */
+ FULLCHECK("comments");
+ lookup->comments = state;
+ if (lookup == default_lookup)
+ pluscomm = state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'd':
+ switch (cmd[1]) {
+ case 'e': /* defname */
+ FULLCHECK("defname");
+ usesearch = state;
+ break;
+ case 'n': /* dnssec */
+ FULLCHECK("dnssec");
+ lookup->dnssec = state;
+ break;
+ case 'o': /* domain */
+ FULLCHECK("domain");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ strncpy(domainopt, value, sizeof(domainopt));
+ domainopt[sizeof(domainopt)-1] = '\0';
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'f': /* fail */
+ FULLCHECK("fail");
+ lookup->servfail_stops = state;
+ break;
+ case 'i':
+ switch (cmd[1]) {
+ case 'd': /* identify */
+ FULLCHECK("identify");
+ lookup->identify = state;
+ break;
+ case 'g': /* ignore */
+ default: /* Inherets default for compatibility */
+ FULLCHECK("ignore");
+ lookup->ignore = ISC_TRUE;
+ }
+ break;
+ case 'm': /* multiline */
+ FULLCHECK("multiline");
+ multiline = state;
+ break;
+ case 'n':
+ switch (cmd[1]) {
+ case 'd': /* ndots */
+ FULLCHECK("ndots");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ ndots = parse_uint(value, "ndots", MAXNDOTS);
+ break;
+ case 's': /* nssearch */
+ FULLCHECK("nssearch");
+ lookup->ns_search_only = state;
+ if (state) {
+ lookup->trace_root = ISC_TRUE;
+ lookup->recurse = ISC_FALSE;
+ lookup->identify = ISC_TRUE;
+ lookup->stats = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->rdtype = dns_rdatatype_ns;
+ lookup->rdtypeset = ISC_TRUE;
+ short_form = ISC_TRUE;
+ }
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'q':
+ switch (cmd[1]) {
+ case 'r': /* qr */
+ FULLCHECK("qr");
+ qr = state;
+ break;
+ case 'u': /* question */
+ FULLCHECK("question");
+ lookup->section_question = state;
+ if (lookup == default_lookup)
+ plusquest = state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'r':
+ switch (cmd[1]) {
+ case 'e':
+ switch (cmd[2]) {
+ case 'c': /* recurse */
+ FULLCHECK("recurse");
+ lookup->recurse = state;
+ break;
+ case 't': /* retry / retries */
+ FULLCHECK2("retry", "retries");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ lookup->retries = parse_uint(value, "retries",
+ MAXTRIES - 1);
+ lookup->retries++;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 's':
+ switch (cmd[1]) {
+ case 'e': /* search */
+ FULLCHECK("search");
+ usesearch = state;
+ break;
+ case 'h': /* short */
+ FULLCHECK("short");
+ short_form = state;
+ if (state) {
+ printcmd = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_answer = ISC_TRUE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->stats = ISC_FALSE;
+ }
+ break;
+#ifdef DIG_SIGCHASE
+ case 'i': /* sigchase */
+ FULLCHECK("sigchase");
+ lookup->sigchase = state;
+ if (lookup->sigchase)
+ lookup->dnssec = ISC_TRUE;
+ break;
+#endif
+ case 't': /* stats */
+ FULLCHECK("stats");
+ lookup->stats = state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 't':
+ switch (cmd[1]) {
+ case 'c': /* tcp */
+ FULLCHECK("tcp");
+ if (!is_batchfile)
+ lookup->tcp_mode = state;
+ break;
+ case 'i': /* timeout */
+ FULLCHECK("timeout");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ timeout = parse_uint(value, "timeout", MAXTIMEOUT);
+ if (timeout == 0)
+ timeout = 1;
+ break;
+#if DIG_SIGCHASE_TD
+ case 'o': /* topdown */
+ FULLCHECK("topdown");
+ lookup->do_topdown = state;
+ break;
+#endif
+ case 'r':
+ switch (cmd[2]) {
+ case 'a': /* trace */
+ FULLCHECK("trace");
+ lookup->trace = state;
+ lookup->trace_root = state;
+ if (state) {
+ lookup->recurse = ISC_FALSE;
+ lookup->identify = ISC_TRUE;
+ lookup->comments = ISC_FALSE;
+ lookup->stats = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_authority = ISC_TRUE;
+ lookup->section_question = ISC_FALSE;
+ }
+ break;
+ case 'i': /* tries */
+ FULLCHECK("tries");
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ lookup->retries = parse_uint(value, "tries",
+ MAXTRIES);
+ if (lookup->retries == 0)
+ lookup->retries = 1;
+ break;
+#ifdef DIG_SIGCHASE
+ case 'u': /* trusted-key */
+ if (value == NULL)
+ goto need_value;
+ if (!state)
+ goto invalid_option;
+ n = strlcpy(trustedkey, ptr,
+ sizeof(trustedkey));
+ if (n >= sizeof(trustedkey))
+ fatal("trusted key too large");
+ break;
+#endif
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 't': /* ttlid */
+ FULLCHECK("ttlid");
+ nottl = !state;
+ break;
+ default:
+ goto invalid_option;
+ }
+ break;
+ case 'v':
+ FULLCHECK("vc");
+ if (!is_batchfile)
+ lookup->tcp_mode = state;
+ break;
+ default:
+ invalid_option:
+ need_value:
+ fprintf(stderr, "Invalid option: +%s\n",
+ option);
+ usage();
+ }
+ return;
+}
+
+/*
+ * ISC_TRUE returned if value was used
+ */
+static const char *single_dash_opts = "46dhimnv";
+static const char *dash_opts = "46bcdfhikmnptvyx";
+static isc_boolean_t
+dash_option(char *option, char *next, dig_lookup_t **lookup,
+ isc_boolean_t *open_type_class, isc_boolean_t *firstarg,
+ int argc, char **argv)
+{
+ char opt, *value, *ptr;
+ isc_result_t result;
+ isc_boolean_t value_from_next;
+ isc_textregion_t tr;
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ char textname[MXNAME];
+ struct in_addr in4;
+ struct in6_addr in6;
+ in_port_t srcport;
+ char *hash, *cmd;
+
+ while (strpbrk(option, single_dash_opts) == &option[0]) {
+ /*
+ * Since the -[46dhimnv] options do not take an argument,
+ * account for them (in any number and/or combination)
+ * if they appear as the first character(s) of a q-opt.
+ */
+ opt = option[0];
+ switch (opt) {
+ case '4':
+ if (have_ipv4) {
+ isc_net_disableipv6();
+ have_ipv6 = ISC_FALSE;
+ } else {
+ fatal("can't find IPv4 networking");
+ return (ISC_FALSE);
+ }
+ break;
+ case '6':
+ if (have_ipv6) {
+ isc_net_disableipv4();
+ have_ipv4 = ISC_FALSE;
+ } else {
+ fatal("can't find IPv6 networking");
+ return (ISC_FALSE);
+ }
+ break;
+ case 'd':
+ ptr = strpbrk(&option[1], dash_opts);
+ if (ptr != &option[1]) {
+ cmd = option;
+ FULLCHECK("debug");
+ debugging = ISC_TRUE;
+ return (ISC_FALSE);
+ } else
+ debugging = ISC_TRUE;
+ break;
+ case 'h':
+ help();
+ exit(0);
+ break;
+ case 'i':
+ ip6_int = ISC_TRUE;
+ break;
+ case 'm': /* memdebug */
+ /* memdebug is handled in preparse_args() */
+ break;
+ case 'n':
+ /* deprecated */
+ break;
+ case 'v':
+ version();
+ exit(0);
+ break;
+ }
+ if (strlen(option) > 1U)
+ option = &option[1];
+ else
+ return (ISC_FALSE);
+ }
+ opt = option[0];
+ if (strlen(option) > 1U) {
+ value_from_next = ISC_FALSE;
+ value = &option[1];
+ } else {
+ value_from_next = ISC_TRUE;
+ value = next;
+ }
+ if (value == NULL)
+ goto invalid_option;
+ switch (opt) {
+ case 'b':
+ hash = strchr(value, '#');
+ if (hash != NULL) {
+ srcport = (in_port_t)
+ parse_uint(hash + 1,
+ "port number", MAXPORT);
+ *hash = '\0';
+ } else
+ srcport = 0;
+ if (have_ipv6 && inet_pton(AF_INET6, value, &in6) == 1) {
+ isc_sockaddr_fromin6(&bind_address, &in6, srcport);
+ isc_net_disableipv4();
+ } else if (have_ipv4 && inet_pton(AF_INET, value, &in4) == 1) {
+ isc_sockaddr_fromin(&bind_address, &in4, srcport);
+ isc_net_disableipv6();
+ } else {
+ if (hash != NULL)
+ *hash = '#';
+ fatal("invalid address %s", value);
+ }
+ if (hash != NULL)
+ *hash = '#';
+ specified_source = ISC_TRUE;
+ return (value_from_next);
+ case 'c':
+ if ((*lookup)->rdclassset) {
+ fprintf(stderr, ";; Warning, extra class option\n");
+ }
+ *open_type_class = ISC_FALSE;
+ tr.base = value;
+ tr.length = strlen(value);
+ result = dns_rdataclass_fromtext(&rdclass,
+ (isc_textregion_t *)&tr);
+ if (result == ISC_R_SUCCESS) {
+ (*lookup)->rdclass = rdclass;
+ (*lookup)->rdclassset = ISC_TRUE;
+ } else
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid class %s\n",
+ value);
+ return (value_from_next);
+ case 'f':
+ batchname = value;
+ return (value_from_next);
+ case 'k':
+ strncpy(keyfile, value, sizeof(keyfile));
+ keyfile[sizeof(keyfile)-1]=0;
+ return (value_from_next);
+ case 'p':
+ port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+ return (value_from_next);
+ case 't':
+ *open_type_class = ISC_FALSE;
+ if (strncasecmp(value, "ixfr=", 5) == 0) {
+ rdtype = dns_rdatatype_ixfr;
+ result = ISC_R_SUCCESS;
+ } else {
+ tr.base = value;
+ tr.length = strlen(value);
+ result = dns_rdatatype_fromtext(&rdtype,
+ (isc_textregion_t *)&tr);
+ if (result == ISC_R_SUCCESS &&
+ rdtype == dns_rdatatype_ixfr) {
+ result = DNS_R_UNKNOWN;
+ }
+ }
+ if (result == ISC_R_SUCCESS) {
+ if ((*lookup)->rdtypeset) {
+ fprintf(stderr, ";; Warning, "
+ "extra type option\n");
+ }
+ if (rdtype == dns_rdatatype_ixfr) {
+ (*lookup)->rdtype = dns_rdatatype_ixfr;
+ (*lookup)->rdtypeset = ISC_TRUE;
+ (*lookup)->ixfr_serial =
+ parse_uint(&value[5], "serial number",
+ MAXSERIAL);
+ (*lookup)->section_question = plusquest;
+ (*lookup)->comments = pluscomm;
+ } else {
+ (*lookup)->rdtype = rdtype;
+ (*lookup)->rdtypeset = ISC_TRUE;
+ if (rdtype == dns_rdatatype_axfr) {
+ (*lookup)->section_question = plusquest;
+ (*lookup)->comments = pluscomm;
+ }
+ (*lookup)->ixfr_serial = ISC_FALSE;
+ }
+ } else
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid type %s\n",
+ value);
+ return (value_from_next);
+ case 'y':
+ ptr = next_token(&value,":");
+ if (ptr == NULL) {
+ usage();
+ }
+ strncpy(keynametext, ptr, sizeof(keynametext));
+ keynametext[sizeof(keynametext)-1]=0;
+ ptr = next_token(&value, "");
+ if (ptr == NULL)
+ usage();
+ strncpy(keysecret, ptr, sizeof(keysecret));
+ keysecret[sizeof(keysecret)-1]=0;
+ return (value_from_next);
+ case 'x':
+ *lookup = clone_lookup(default_lookup, ISC_TRUE);
+ if (get_reverse(textname, sizeof(textname), value,
+ ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
+ strncpy((*lookup)->textname, textname,
+ sizeof((*lookup)->textname));
+ debug("looking up %s", (*lookup)->textname);
+ (*lookup)->trace_root = ISC_TF((*lookup)->trace ||
+ (*lookup)->ns_search_only);
+ (*lookup)->ip6_int = ip6_int;
+ if (!(*lookup)->rdtypeset)
+ (*lookup)->rdtype = dns_rdatatype_ptr;
+ if (!(*lookup)->rdclassset)
+ (*lookup)->rdclass = dns_rdataclass_in;
+ (*lookup)->new_search = ISC_TRUE;
+ if (*lookup && *firstarg) {
+ printgreeting(argc, argv, *lookup);
+ *firstarg = ISC_FALSE;
+ }
+ ISC_LIST_APPEND(lookup_list, *lookup, link);
+ } else {
+ fprintf(stderr, "Invalid IP address %s\n", value);
+ exit(1);
+ }
+ return (value_from_next);
+ invalid_option:
+ default:
+ fprintf(stderr, "Invalid option: -%s\n", option);
+ usage();
+ }
+ return (ISC_FALSE);
+}
+
+/*
+ * Because we may be trying to do memory allocation recording, we're going
+ * to need to parse the arguments for the -m *before* we start the main
+ * argument parsing routine.
+ * I'd prefer not to have to do this, but I am not quite sure how else to
+ * fix the problem. Argument parsing in dig involves memory allocation
+ * by its nature, so it can't be done in the main argument parser.
+ */
+static void
+preparse_args(int argc, char **argv) {
+ int rc;
+ char **rv;
+ char *option;
+
+ rc = argc;
+ rv = argv;
+ for (rc--, rv++; rc > 0; rc--, rv++) {
+ if (rv[0][0] != '-')
+ continue;
+ option = &rv[0][1];
+ while (strpbrk(option, single_dash_opts) == &option[0]) {
+ if (option[0] == 'm') {
+ memdebugging = ISC_TRUE;
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+ ISC_MEM_DEBUGRECORD;
+ return;
+ }
+ option = &option[1];
+ }
+ }
+}
+
+static void
+parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
+ int argc, char **argv) {
+ isc_result_t result;
+ isc_textregion_t tr;
+ isc_boolean_t firstarg = ISC_TRUE;
+ dig_server_t *srv = NULL;
+ dig_lookup_t *lookup = NULL;
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ isc_boolean_t open_type_class = ISC_TRUE;
+ char batchline[MXNAME];
+ int bargc;
+ char *bargv[64];
+ int rc;
+ char **rv;
+#ifndef NOPOSIX
+ char *homedir;
+ char rcfile[256];
+#endif
+ char *input;
+
+ /*
+ * The semantics for parsing the args is a bit complex; if
+ * we don't have a host yet, make the arg apply globally,
+ * otherwise make it apply to the latest host. This is
+ * a bit different than the previous versions, but should
+ * form a consistent user interface.
+ *
+ * First, create a "default lookup" which won't actually be used
+ * anywhere, except for cloning into new lookups
+ */
+
+ debug("parse_args()");
+ if (!is_batchfile) {
+ debug("making new lookup");
+ default_lookup = make_empty_lookup();
+
+#ifndef NOPOSIX
+ /*
+ * Treat ${HOME}/.digrc as a special batchfile
+ */
+ INSIST(batchfp == NULL);
+ homedir = getenv("HOME");
+ if (homedir != NULL) {
+ unsigned int n;
+ n = snprintf(rcfile, sizeof(rcfile), "%s/.digrc",
+ homedir);
+ if (n < sizeof(rcfile))
+ batchfp = fopen(rcfile, "r");
+ }
+ if (batchfp != NULL) {
+ while (fgets(batchline, sizeof(batchline),
+ batchfp) != 0) {
+ debug("config line %s", batchline);
+ bargc = 1;
+ input = batchline;
+ bargv[bargc] = next_token(&input, " \t\r\n");
+ while ((bargv[bargc] != NULL) &&
+ (bargc < 62)) {
+ bargc++;
+ bargv[bargc] =
+ next_token(&input, " \t\r\n");
+ }
+
+ bargv[0] = argv[0];
+ argv0 = argv[0];
+
+ reorder_args(bargc, (char **)bargv);
+ parse_args(ISC_TRUE, ISC_TRUE, bargc,
+ (char **)bargv);
+ }
+ fclose(batchfp);
+ }
+#endif
+ }
+
+ lookup = default_lookup;
+
+ rc = argc;
+ rv = argv;
+ for (rc--, rv++; rc > 0; rc--, rv++) {
+ debug("main parsing %s", rv[0]);
+ if (strncmp(rv[0], "%", 1) == 0)
+ break;
+ if (strncmp(rv[0], "@", 1) == 0) {
+ srv = make_server(&rv[0][1]);
+ ISC_LIST_APPEND(lookup->my_server_list,
+ srv, link);
+ } else if (rv[0][0] == '+') {
+ plus_option(&rv[0][1], is_batchfile,
+ lookup);
+ } else if (rv[0][0] == '-') {
+ if (rc <= 1) {
+ if (dash_option(&rv[0][1], NULL,
+ &lookup, &open_type_class,
+ &firstarg, argc, argv)) {
+ rc--;
+ rv++;
+ }
+ } else {
+ if (dash_option(&rv[0][1], rv[1],
+ &lookup, &open_type_class,
+ &firstarg, argc, argv)) {
+ rc--;
+ rv++;
+ }
+ }
+ } else {
+ /*
+ * Anything which isn't an option
+ */
+ if (open_type_class) {
+ if (strncmp(rv[0], "ixfr=", 5) == 0) {
+ rdtype = dns_rdatatype_ixfr;
+ result = ISC_R_SUCCESS;
+ } else {
+ tr.base = rv[0];
+ tr.length = strlen(rv[0]);
+ result = dns_rdatatype_fromtext(&rdtype,
+ (isc_textregion_t *)&tr);
+ if (result == ISC_R_SUCCESS &&
+ rdtype == dns_rdatatype_ixfr) {
+ result = DNS_R_UNKNOWN;
+ fprintf(stderr, ";; Warning, "
+ "ixfr requires a "
+ "serial number\n");
+ continue;
+ }
+ }
+ if (result == ISC_R_SUCCESS) {
+ if (lookup->rdtypeset) {
+ fprintf(stderr, ";; Warning, "
+ "extra type option\n");
+ }
+ if (rdtype == dns_rdatatype_ixfr) {
+ lookup->rdtype =
+ dns_rdatatype_ixfr;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->ixfr_serial =
+ parse_uint(&rv[0][5],
+ "serial number",
+ MAXSERIAL);
+ lookup->section_question =
+ plusquest;
+ lookup->comments = pluscomm;
+ } else {
+ lookup->rdtype = rdtype;
+ lookup->rdtypeset = ISC_TRUE;
+ if (rdtype ==
+ dns_rdatatype_axfr) {
+ lookup->section_question =
+ plusquest;
+ lookup->comments = pluscomm;
+ }
+ lookup->ixfr_serial = ISC_FALSE;
+ }
+ continue;
+ }
+ result = dns_rdataclass_fromtext(&rdclass,
+ (isc_textregion_t *)&tr);
+ if (result == ISC_R_SUCCESS) {
+ if (lookup->rdclassset) {
+ fprintf(stderr, ";; Warning, "
+ "extra class option\n");
+ }
+ lookup->rdclass = rdclass;
+ lookup->rdclassset = ISC_TRUE;
+ continue;
+ }
+ }
+ if (!config_only) {
+ lookup = clone_lookup(default_lookup,
+ ISC_TRUE);
+ if (firstarg) {
+ printgreeting(argc, argv, lookup);
+ firstarg = ISC_FALSE;
+ }
+ strncpy(lookup->textname, rv[0],
+ sizeof(lookup->textname));
+ lookup->textname[sizeof(lookup->textname)-1]=0;
+ lookup->trace_root = ISC_TF(lookup->trace ||
+ lookup->ns_search_only);
+ lookup->new_search = ISC_TRUE;
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ debug("looking up %s", lookup->textname);
+ }
+ /* XXX Error message */
+ }
+ }
+ /*
+ * If we have a batchfile, seed the lookup list with the
+ * first entry, then trust the callback in dighost_shutdown
+ * to get the rest
+ */
+ if ((batchname != NULL) && !(is_batchfile)) {
+ if (strcmp(batchname, "-") == 0)
+ batchfp = stdin;
+ else
+ batchfp = fopen(batchname, "r");
+ if (batchfp == NULL) {
+ perror(batchname);
+ if (exitcode < 8)
+ exitcode = 8;
+ fatal("couldn't open specified batch file");
+ }
+ /* XXX Remove code dup from shutdown code */
+ next_line:
+ if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
+ bargc = 1;
+ debug("batch line %s", batchline);
+ if (batchline[0] == '\r' || batchline[0] == '\n'
+ || batchline[0] == '#' || batchline[0] == ';')
+ goto next_line;
+ input = batchline;
+ bargv[bargc] = next_token(&input, " \t\r\n");
+ while ((bargv[bargc] != NULL) && (bargc < 14)) {
+ bargc++;
+ bargv[bargc] = next_token(&input, " \t\r\n");
+ }
+
+ bargv[0] = argv[0];
+ argv0 = argv[0];
+
+ reorder_args(bargc, (char **)bargv);
+ parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
+ }
+ }
+ /*
+ * If no lookup specified, search for root
+ */
+ if ((lookup_list.head == NULL) && !config_only) {
+ lookup = clone_lookup(default_lookup, ISC_TRUE);
+ lookup->trace_root = ISC_TF(lookup->trace ||
+ lookup->ns_search_only);
+ lookup->new_search = ISC_TRUE;
+ strcpy(lookup->textname, ".");
+ lookup->rdtype = dns_rdatatype_ns;
+ lookup->rdtypeset = ISC_TRUE;
+ if (firstarg) {
+ printgreeting(argc, argv, lookup);
+ firstarg = ISC_FALSE;
+ }
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ }
+}
+
+/*
+ * Callback from dighost.c to allow program-specific shutdown code.
+ * Here, we're possibly reading from a batch file, then shutting down
+ * for real if there's nothing in the batch file to read.
+ */
+void
+dighost_shutdown(void) {
+ char batchline[MXNAME];
+ int bargc;
+ char *bargv[16];
+ char *input;
+
+
+ if (batchname == NULL) {
+ isc_app_shutdown();
+ return;
+ }
+
+ fflush(stdout);
+ if (feof(batchfp)) {
+ batchname = NULL;
+ isc_app_shutdown();
+ if (batchfp != stdin)
+ fclose(batchfp);
+ return;
+ }
+
+ if (fgets(batchline, sizeof(batchline), batchfp) != 0) {
+ debug("batch line %s", batchline);
+ bargc = 1;
+ input = batchline;
+ bargv[bargc] = next_token(&input, " \t\r\n");
+ while ((bargv[bargc] != NULL) && (bargc < 14)) {
+ bargc++;
+ bargv[bargc] = next_token(&input, " \t\r\n");
+ }
+
+ bargv[0] = argv0;
+
+ reorder_args(bargc, (char **)bargv);
+ parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
+ start_lookup();
+ } else {
+ batchname = NULL;
+ if (batchfp != stdin)
+ fclose(batchfp);
+ isc_app_shutdown();
+ return;
+ }
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+ dig_server_t *s, *s2;
+
+ ISC_LIST_INIT(lookup_list);
+ ISC_LIST_INIT(server_list);
+ ISC_LIST_INIT(search_list);
+
+ debug("main()");
+ preparse_args(argc, argv);
+ progname = argv[0];
+ result = isc_app_start();
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
+ setup_system();
+ if (domainopt[0] != '\0') {
+ set_search_domain(domainopt);
+ usesearch = ISC_TRUE;
+ }
+ result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+ check_result(result, "isc_app_onrun");
+ isc_app_run();
+ s = ISC_LIST_HEAD(default_lookup->my_server_list);
+ while (s != NULL) {
+ debug("freeing server %p belonging to %p",
+ s, default_lookup);
+ s2 = s;
+ s = ISC_LIST_NEXT(s, link);
+ ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
+ isc_mem_free(mctx, s2);
+ }
+ isc_mem_free(mctx, default_lookup);
+ if (batchname != NULL) {
+ if (batchfp != stdin)
+ fclose(batchfp);
+ batchname = NULL;
+ }
+#ifdef DIG_SIGCHASE
+ clean_trustedkey();
+#endif
+ cancel_all();
+ destroy_libs();
+ isc_app_finish();
+ return (exitcode);
+}
diff --git a/contrib/bind9/bin/dig/dig.docbook b/contrib/bind9/bin/dig/dig.docbook
new file mode 100644
index 0000000..d22ae87
--- /dev/null
+++ b/contrib/bind9/bin/dig/dig.docbook
@@ -0,0 +1,611 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dig.docbook,v 1.4.2.7.4.9 2004/06/23 04:19:41 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>dig</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>dig</refname>
+<refpurpose>DNS lookup utility</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+<command>dig</command>
+<arg choice=opt>@server</arg>
+<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
+<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
+<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
+<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
+<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
+<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
+<arg><option>-4</option></arg>
+<arg><option>-6</option></arg>
+<arg choice=opt>name</arg>
+<arg choice=opt>type</arg>
+<arg choice=opt>class</arg>
+<arg choice=opt rep=repeat>queryopt</arg>
+</cmdsynopsis>
+
+<cmdsynopsis>
+<command>dig</command>
+<arg><option>-h</option></arg>
+</cmdsynopsis>
+
+<cmdsynopsis>
+<command>dig</command>
+<arg choice=opt rep=repeat>global-queryopt</arg>
+<arg choice=opt rep=repeat>query</arg>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<command>dig</command> (domain information groper) is a flexible tool
+for interrogating DNS name servers. It performs DNS lookups and
+displays the answers that are returned from the name server(s) that
+were queried. Most DNS administrators use <command>dig</command> to
+troubleshoot DNS problems because of its flexibility, ease of use and
+clarity of output. Other lookup tools tend to have less functionality
+than <command>dig</command>.
+</para>
+
+<para>
+Although <command>dig</command> is normally used with command-line
+arguments, it also has a batch mode of operation for reading lookup
+requests from a file. A brief summary of its command-line arguments
+and options is printed when the <option>-h</option> option is given.
+Unlike earlier versions, the BIND9 implementation of
+<command>dig</command> allows multiple lookups to be issued from the
+command line.
+</para>
+
+<para>
+Unless it is told to query a specific name server,
+<command>dig</command> will try each of the servers listed in
+<filename>/etc/resolv.conf</filename>.
+</para>
+
+<para>
+When no command line arguments or options are given, will perform an
+NS query for "." (the root).
+</para>
+
+<para>
+It is possible to set per-user defaults for <command>dig</command> via
+<filename>${HOME}/.digrc</filename>. This file is read and any options in it
+are applied before the command line arguments.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>SIMPLE USAGE</title>
+
+<para>
+A typical invocation of <command>dig</command> looks like:
+<programlisting> dig @server name type </programlisting> where:
+
+<variablelist>
+
+<varlistentry><term><constant>server</constant></term>
+<listitem><para>
+is the name or IP address of the name server to query. This can be an IPv4
+address in dotted-decimal notation or an IPv6
+address in colon-delimited notation. When the supplied
+<parameter>server</parameter> argument is a hostname,
+<command>dig</command> resolves that name before querying that name
+server. If no <parameter>server</parameter> argument is provided,
+<command>dig</command> consults <filename>/etc/resolv.conf</filename>
+and queries the name servers listed there. The reply from the name
+server that responds is displayed.
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>name</constant></term>
+<listitem><para>
+is the name of the resource record that is to be looked up.
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>type</constant></term>
+<listitem><para>
+indicates what type of query is required &mdash;
+ANY, A, MX, SIG, etc.
+<parameter>type</parameter> can be any valid query type. If no
+<parameter>type</parameter> argument is supplied,
+<command>dig</command> will perform a lookup for an A record.
+</para></listitem></varlistentry>
+
+</variablelist>
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>OPTIONS</title>
+
+<para>
+The <option>-b</option> option sets the source IP address of the query
+to <parameter>address</parameter>. This must be a valid address on
+one of the host's network interfaces or "0.0.0.0" or "::". An optional port
+may be specified by appending "#&lt;port&gt;"
+</para>
+
+<para>
+The default query class (IN for internet) is overridden by the
+<option>-c</option> option. <parameter>class</parameter> is any valid
+class, such as HS for Hesiod records or CH for CHAOSNET records.
+</para>
+
+<para>
+The <option>-f</option> option makes <command>dig </command> operate
+in batch mode by reading a list of lookup requests to process from the
+file <parameter>filename</parameter>. The file contains a number of
+queries, one per line. Each entry in the file should be organised in
+the same way they would be presented as queries to
+<command>dig</command> using the command-line interface.
+</para>
+
+<para>
+If a non-standard port number is to be queried, the
+<option>-p</option> option is used. <parameter>port#</parameter> is
+the port number that <command>dig</command> will send its queries
+instead of the standard DNS port number 53. This option would be used
+to test a name server that has been configured to listen for queries
+on a non-standard port number.
+</para>
+
+<para>
+The <option>-4</option> option forces <command>dig</command> to only
+use IPv4 query transport. The <option>-6</option> option forces
+<command>dig</command> to only use IPv6 query transport.
+</para>
+
+<para>
+The <option>-t</option> option sets the query type to
+<parameter>type</parameter>. It can be any valid query type which is
+supported in BIND9. The default query type "A", unless the
+<option>-x</option> option is supplied to indicate a reverse lookup.
+A zone transfer can be requested by specifying a type of AXFR. When
+an incremental zone transfer (IXFR) is required,
+<parameter>type</parameter> is set to <literal>ixfr=N</literal>.
+The incremental zone transfer will contain the changes made to the zone
+since the serial number in the zone's SOA record was
+<parameter>N</parameter>.
+</para>
+
+<para>
+Reverse lookups - mapping addresses to names - are simplified by the
+<option>-x</option> option. <parameter>addr</parameter> is an IPv4
+address in dotted-decimal notation, or a colon-delimited IPv6 address.
+When this option is used, there is no need to provide the
+<parameter>name</parameter>, <parameter>class</parameter> and
+<parameter>type</parameter> arguments. <command>dig</command>
+automatically performs a lookup for a name like
+<literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and
+class to PTR and IN respectively. By default, IPv6 addresses are
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain
+specify the <option>-i</option> option. Bit string labels (RFC2874)
+are now experimental and are not attempted.
+</para>
+
+<para>
+To sign the DNS queries sent by <command>dig</command> and their
+responses using transaction signatures (TSIG), specify a TSIG key file
+using the <option>-k</option> option. You can also specify the TSIG
+key itself on the command line using the <option>-y</option> option;
+<parameter>name</parameter> is the name of the TSIG key and
+<parameter>key</parameter> is the actual key. The key is a base-64
+encoded string, typically generated by <citerefentry>
+<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+
+Caution should be taken when using the <option>-y</option> option on
+multi-user systems as the key can be visible in the output from
+<citerefentry> <refentrytitle>ps</refentrytitle><manvolnum>1
+</manvolnum> </citerefentry> or in the shell's history file. When
+using TSIG authentication with <command>dig</command>, the name
+server that is queried needs to know the key and algorithm that is
+being used. In BIND, this is done by providing appropriate
+<command>key</command> and <command>server</command> statements in
+<filename>named.conf</filename>.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>QUERY OPTIONS</title>
+
+<para>
+<command>dig</command> provides a number of query options which affect
+the way in which lookups are made and the results displayed. Some of
+these set or reset flag bits in the query header, some determine which
+sections of the answer get printed, and others determine the timeout
+and retry strategies.
+</para>
+
+<para>
+Each query option is identified by a keyword preceded by a plus sign
+(<literal>+</literal>). Some keywords set or reset an option. These may be preceded
+by the string <literal>no</literal> to negate the meaning of that keyword. Other
+keywords assign values to options like the timeout interval. They
+have the form <option>+keyword=value</option>.
+The query options are:
+
+<variablelist>
+
+<varlistentry><term><option>+[no]tcp</option></term>
+<listitem><para>
+Use [do not use] TCP when querying name servers. The default
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
+which case a TCP connection is used.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]vc</option></term>
+<listitem><para>
+Use [do not use] TCP when querying name servers. This alternate
+syntax to <parameter>+[no]tcp</parameter> is provided for backwards
+compatibility. The "vc" stands for "virtual circuit".
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]ignore</option></term>
+<listitem><para>
+Ignore truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+domain=somename</option></term>
+<listitem><para>
+Set the search list to contain the single domain
+<parameter>somename</parameter>, as if specified in a
+<command>domain</command> directive in
+<filename>/etc/resolv.conf</filename>, and enable search list
+processing as if the <parameter>+search</parameter> option were given.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]search</option></term>
+<listitem><para>
+Use [do not use] the search list defined by the searchlist or domain
+directive in <filename>resolv.conf</filename> (if any).
+The search list is not used by default.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]defname</option></term>
+<listitem><para>
+Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]aaonly</option></term>
+<listitem><para>
+Sets the "aa" flag in the query.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]aaflag</option></term>
+<listitem><para>
+A synonym for <parameter>+[no]aaonly</parameter>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]adflag</option></term>
+<listitem><para>
+Set [do not set] the AD (authentic data) bit in the query. The AD bit
+currently has a standard meaning only in responses, not in queries,
+but the ability to set the bit in the query is provided for
+completeness.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]cdflag</option></term>
+<listitem><para>
+Set [do not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]cl</option></term>
+<listitem><para>
+Display [do not display] the CLASS when printing the record.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]ttlid</option></term>
+<listitem><para>
+Display [do not display] the TTL when printing the record.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]recurse</option></term>
+<listitem><para>
+Toggle the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means <command>dig</command>
+normally sends recursive queries. Recursion is automatically disabled
+when the <parameter>+nssearch</parameter> or
+<parameter>+trace</parameter> query options are used.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]nssearch</option></term>
+<listitem><para>
+When this option is set, <command>dig</command> attempts to find the
+authoritative name servers for the zone containing the name being
+looked up and display the SOA record that each name server has for the
+zone.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]trace</option></term>
+<listitem><para>
+Toggle tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, <command>dig</command> makes iterative queries to
+resolve the name being looked up. It will follow referrals from the
+root servers, showing the answer from each server that was used to
+resolve the lookup.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]cmd</option></term>
+<listitem><para>
+toggles the printing of the initial comment in the output identifying
+the version of <command>dig</command> and the query options that have
+been applied. This comment is printed by default.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]short</option></term>
+<listitem><para>
+Provide a terse answer. The default is to print the answer in a
+verbose form.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]identify</option></term>
+<listitem><para>
+Show [or do not show] the IP address and port number that supplied the
+answer when the <parameter>+short</parameter> option is enabled. If
+short form answers are requested, the default is not to show the
+source address and port number of the server that provided the answer.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]comments</option></term>
+<listitem><para>
+Toggle the display of comment lines in the output. The default is to
+print comments.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]stats</option></term>
+<listitem><para>
+This query option toggles the printing of statistics: when the query
+was made, the size of the reply and so on. The default behaviour is
+to print the query statistics.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]qr</option></term>
+<listitem><para>
+Print [do not print] the query as it is sent.
+By default, the query is not printed.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]question</option></term>
+<listitem><para>
+Print [do not print] the question section of a query when an answer is
+returned. The default is to print the question section as a comment.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]answer</option></term>
+<listitem><para>
+Display [do not display] the answer section of a reply. The default
+is to display it.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]authority</option></term>
+<listitem><para>
+Display [do not display] the authority section of a reply. The
+default is to display it.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]additional</option></term>
+<listitem><para>
+Display [do not display] the additional section of a reply.
+The default is to display it.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]all</option></term>
+<listitem><para>
+Set or clear all display flags.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+time=T</option></term>
+<listitem><para>
+
+Sets the timeout for a query to
+<parameter>T</parameter> seconds. The default time out is 5 seconds.
+An attempt to set <parameter>T</parameter> to less than 1 will result
+in a query timeout of 1 second being applied.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+tries=T</option></term>
+<listitem><para>
+Sets the number of times to try UDP queries to server to
+<parameter>T</parameter> instead of the default, 3. If
+<parameter>T</parameter> is less than or equal to zero, the number of
+tries is silently rounded up to 1.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+retry=T</option></term>
+<listitem><para>
+Sets the number of times to retry UDP queries to server to
+<parameter>T</parameter> instead of the default, 2. Unlike
+<parameter>+tries</parameter>, this does not include the initial
+query.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+ndots=D</option></term>
+<listitem><para>
+Set the number of dots that have to appear in
+<parameter>name</parameter> to <parameter>D</parameter> for it to be
+considered absolute. The default value is that defined using the
+ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
+ndots statement is present. Names with fewer dots are interpreted as
+relative names and will be searched for in the domains listed in the
+<option>search</option> or <option>domain</option> directive in
+<filename>/etc/resolv.conf</filename>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+bufsize=B</option></term>
+<listitem><para>
+Set the UDP message buffer size advertised using EDNS0 to
+<parameter>B</parameter> bytes. The maximum and minimum sizes of this
+buffer are 65535 and 0 respectively. Values outside this range are
+rounded up or down appropriately.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><option>+[no]multiline</option></term>
+<listitem><para>
+Print records like the SOA records in a verbose multi-line
+format with human-readable comments. The default is to print
+each record on a single line, to facilitate machine parsing
+of the <command>dig</command> output.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]fail</option></term>
+<listitem><para>
+Do not try the next server if you receive a SERVFAIL. The default is
+to not try the next server which is the reverse of normal stub resolver
+behaviour.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]besteffort</option></term>
+<listitem><para>
+Attempt to display the contents of messages which are malformed.
+The default is to not display malformed answers.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]dnssec</option></term>
+<listitem><para>
+Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
+in the OPT record in the additional section of the query.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]sigchase</option></term>
+<listitem><para>
+Chase DNSSEC signature chains. Requires dig be compiled with
+-DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+trusted-key=####</option></term>
+<listitem><para>
+Specify a trusted key to be used with <option>+sigchase</option>.
+Requires dig be compiled with -DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+<varlistentry><term><option>+[no]topdown</option></term>
+<listitem><para>
+When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.
+</para></listitem></varlistentry>
+
+
+
+</variablelist>
+
+</para>
+</refsect1>
+
+<refsect1>
+<title>MULTIPLE QUERIES</title>
+
+<para>
+The BIND 9 implementation of <command>dig </command> supports
+specifying multiple queries on the command line (in addition to
+supporting the <option>-f</option> batch file option). Each of those
+queries can be supplied with its own set of flags, options and query
+options.
+</para>
+
+<para>
+In this case, each <parameter>query</parameter> argument represent an
+individual query in the command-line syntax described above. Each
+consists of any of the standard options and flags, the name to be
+looked up, an optional query type and class and any query options that
+should be applied to that query.
+</para>
+
+<para>
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the
+first tuple of name, class, type, options, flags, and query options
+supplied on the command line. Any global query options (except
+the <option>+[no]cmd</option> option) can be
+overridden by a query-specific set of query options. For example:
+<programlisting>
+dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
+</programlisting>
+shows how <command>dig</command> could be used from the command line
+to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
+reverse lookup of 127.0.0.1 and a query for the NS records of
+<literal>isc.org</literal>.
+
+A global query option of <parameter>+qr</parameter> is applied, so
+that <command>dig</command> shows the initial query it made for each
+lookup. The final query has a local query option of
+<parameter>+noqr</parameter> which means that <command>dig</command>
+will not print the initial query when it looks up the NS records for
+<literal>isc.org</literal>.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+<para>
+<filename>/etc/resolv.conf</filename>
+</para>
+<para>
+<filename>${HOME}/.digrc</filename>
+</para>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>,
+<citetitle>RFC1035</citetitle>.
+</para>
+</refsect1>
+
+<refsect1>
+<title>BUGS </title>
+<para>
+There are probably too many query options.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/bin/dig/dig.html b/contrib/bind9/bin/dig/dig.html
new file mode 100644
index 0000000..e9e1fd4
--- /dev/null
+++ b/contrib/bind9/bin/dig/dig.html
@@ -0,0 +1,1174 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dig.html,v 1.6.2.4.2.7 2004/08/22 23:38:57 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>dig</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>dig</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>dig&nbsp;--&nbsp;DNS lookup utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> [@server] [<VAR
+CLASS="OPTION"
+>-b <VAR
+CLASS="REPLACEABLE"
+>address</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-f <VAR
+CLASS="REPLACEABLE"
+>filename</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>filename</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>port#</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>type</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-x <VAR
+CLASS="REPLACEABLE"
+>addr</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-y <VAR
+CLASS="REPLACEABLE"
+>name:key</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-4</VAR
+>] [<VAR
+CLASS="OPTION"
+>-6</VAR
+>] [name] [type] [class] [queryopt...]</P
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> [<VAR
+CLASS="OPTION"
+>-h</VAR
+>]</P
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> [global-queryopt...] [query...]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN55"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> (domain information groper) is a flexible tool
+for interrogating DNS name servers. It performs DNS lookups and
+displays the answers that are returned from the name server(s) that
+were queried. Most DNS administrators use <B
+CLASS="COMMAND"
+>dig</B
+> to
+troubleshoot DNS problems because of its flexibility, ease of use and
+clarity of output. Other lookup tools tend to have less functionality
+than <B
+CLASS="COMMAND"
+>dig</B
+>.</P
+><P
+>Although <B
+CLASS="COMMAND"
+>dig</B
+> is normally used with command-line
+arguments, it also has a batch mode of operation for reading lookup
+requests from a file. A brief summary of its command-line arguments
+and options is printed when the <VAR
+CLASS="OPTION"
+>-h</VAR
+> option is given.
+Unlike earlier versions, the BIND9 implementation of
+<B
+CLASS="COMMAND"
+>dig</B
+> allows multiple lookups to be issued from the
+command line.</P
+><P
+>Unless it is told to query a specific name server,
+<B
+CLASS="COMMAND"
+>dig</B
+> will try each of the servers listed in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>When no command line arguments or options are given, will perform an
+NS query for "." (the root).</P
+><P
+>It is possible to set per-user defaults for <B
+CLASS="COMMAND"
+>dig</B
+> via
+<TT
+CLASS="FILENAME"
+>${HOME}/.digrc</TT
+>. This file is read and any options in it
+are applied before the command line arguments.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>SIMPLE USAGE</H2
+><P
+>A typical invocation of <B
+CLASS="COMMAND"
+>dig</B
+> looks like:
+<PRE
+CLASS="PROGRAMLISTING"
+> dig @server name type </PRE
+> where:
+
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>server</CODE
+></DT
+><DD
+><P
+>is the name or IP address of the name server to query. This can be an IPv4
+address in dotted-decimal notation or an IPv6
+address in colon-delimited notation. When the supplied
+<VAR
+CLASS="PARAMETER"
+>server</VAR
+> argument is a hostname,
+<B
+CLASS="COMMAND"
+>dig</B
+> resolves that name before querying that name
+server. If no <VAR
+CLASS="PARAMETER"
+>server</VAR
+> argument is provided,
+<B
+CLASS="COMMAND"
+>dig</B
+> consults <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>
+and queries the name servers listed there. The reply from the name
+server that responds is displayed.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>name</CODE
+></DT
+><DD
+><P
+>is the name of the resource record that is to be looked up.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>type</CODE
+></DT
+><DD
+><P
+>indicates what type of query is required &mdash;
+ANY, A, MX, SIG, etc.
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> can be any valid query type. If no
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> argument is supplied,
+<B
+CLASS="COMMAND"
+>dig</B
+> will perform a lookup for an A record.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>OPTIONS</H2
+><P
+>The <VAR
+CLASS="OPTION"
+>-b</VAR
+> option sets the source IP address of the query
+to <VAR
+CLASS="PARAMETER"
+>address</VAR
+>. This must be a valid address on
+one of the host's network interfaces or "0.0.0.0" or "::". An optional port
+may be specified by appending "#&lt;port&gt;"</P
+><P
+>The default query class (IN for internet) is overridden by the
+<VAR
+CLASS="OPTION"
+>-c</VAR
+> option. <VAR
+CLASS="PARAMETER"
+>class</VAR
+> is any valid
+class, such as HS for Hesiod records or CH for CHAOSNET records.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-f</VAR
+> option makes <B
+CLASS="COMMAND"
+>dig </B
+> operate
+in batch mode by reading a list of lookup requests to process from the
+file <VAR
+CLASS="PARAMETER"
+>filename</VAR
+>. The file contains a number of
+queries, one per line. Each entry in the file should be organised in
+the same way they would be presented as queries to
+<B
+CLASS="COMMAND"
+>dig</B
+> using the command-line interface.</P
+><P
+>If a non-standard port number is to be queried, the
+<VAR
+CLASS="OPTION"
+>-p</VAR
+> option is used. <VAR
+CLASS="PARAMETER"
+>port#</VAR
+> is
+the port number that <B
+CLASS="COMMAND"
+>dig</B
+> will send its queries
+instead of the standard DNS port number 53. This option would be used
+to test a name server that has been configured to listen for queries
+on a non-standard port number.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-4</VAR
+> option forces <B
+CLASS="COMMAND"
+>dig</B
+> to only
+use IPv4 query transport. The <VAR
+CLASS="OPTION"
+>-6</VAR
+> option forces
+<B
+CLASS="COMMAND"
+>dig</B
+> to only use IPv6 query transport.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-t</VAR
+> option sets the query type to
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>. It can be any valid query type which is
+supported in BIND9. The default query type "A", unless the
+<VAR
+CLASS="OPTION"
+>-x</VAR
+> option is supplied to indicate a reverse lookup.
+A zone transfer can be requested by specifying a type of AXFR. When
+an incremental zone transfer (IXFR) is required,
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> is set to <VAR
+CLASS="LITERAL"
+>ixfr=N</VAR
+>.
+The incremental zone transfer will contain the changes made to the zone
+since the serial number in the zone's SOA record was
+<VAR
+CLASS="PARAMETER"
+>N</VAR
+>.</P
+><P
+>Reverse lookups - mapping addresses to names - are simplified by the
+<VAR
+CLASS="OPTION"
+>-x</VAR
+> option. <VAR
+CLASS="PARAMETER"
+>addr</VAR
+> is an IPv4
+address in dotted-decimal notation, or a colon-delimited IPv6 address.
+When this option is used, there is no need to provide the
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+>, <VAR
+CLASS="PARAMETER"
+>class</VAR
+> and
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> arguments. <B
+CLASS="COMMAND"
+>dig</B
+>
+automatically performs a lookup for a name like
+<VAR
+CLASS="LITERAL"
+>11.12.13.10.in-addr.arpa</VAR
+> and sets the query type and
+class to PTR and IN respectively. By default, IPv6 addresses are
+looked up using nibble format under the IP6.ARPA domain.
+To use the older RFC1886 method using the IP6.INT domain
+specify the <VAR
+CLASS="OPTION"
+>-i</VAR
+> option. Bit string labels (RFC2874)
+are now experimental and are not attempted.</P
+><P
+>To sign the DNS queries sent by <B
+CLASS="COMMAND"
+>dig</B
+> and their
+responses using transaction signatures (TSIG), specify a TSIG key file
+using the <VAR
+CLASS="OPTION"
+>-k</VAR
+> option. You can also specify the TSIG
+key itself on the command line using the <VAR
+CLASS="OPTION"
+>-y</VAR
+> option;
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+> is the name of the TSIG key and
+<VAR
+CLASS="PARAMETER"
+>key</VAR
+> is the actual key. The key is a base-64
+encoded string, typically generated by <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.
+
+Caution should be taken when using the <VAR
+CLASS="OPTION"
+>-y</VAR
+> option on
+multi-user systems as the key can be visible in the output from
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ps</SPAN
+>(1)</SPAN
+> or in the shell's history file. When
+using TSIG authentication with <B
+CLASS="COMMAND"
+>dig</B
+>, the name
+server that is queried needs to know the key and algorithm that is
+being used. In BIND, this is done by providing appropriate
+<B
+CLASS="COMMAND"
+>key</B
+> and <B
+CLASS="COMMAND"
+>server</B
+> statements in
+<TT
+CLASS="FILENAME"
+>named.conf</TT
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN156"
+></A
+><H2
+>QUERY OPTIONS</H2
+><P
+><B
+CLASS="COMMAND"
+>dig</B
+> provides a number of query options which affect
+the way in which lookups are made and the results displayed. Some of
+these set or reset flag bits in the query header, some determine which
+sections of the answer get printed, and others determine the timeout
+and retry strategies.</P
+><P
+>Each query option is identified by a keyword preceded by a plus sign
+(<VAR
+CLASS="LITERAL"
+>+</VAR
+>). Some keywords set or reset an option. These may be preceded
+by the string <VAR
+CLASS="LITERAL"
+>no</VAR
+> to negate the meaning of that keyword. Other
+keywords assign values to options like the timeout interval. They
+have the form <VAR
+CLASS="OPTION"
+>+keyword=value</VAR
+>.
+The query options are:
+
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]tcp</VAR
+></DT
+><DD
+><P
+>Use [do not use] TCP when querying name servers. The default
+behaviour is to use UDP unless an AXFR or IXFR query is requested, in
+which case a TCP connection is used.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]vc</VAR
+></DT
+><DD
+><P
+>Use [do not use] TCP when querying name servers. This alternate
+syntax to <VAR
+CLASS="PARAMETER"
+>+[no]tcp</VAR
+> is provided for backwards
+compatibility. The "vc" stands for "virtual circuit".</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]ignore</VAR
+></DT
+><DD
+><P
+>Ignore truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+domain=somename</VAR
+></DT
+><DD
+><P
+>Set the search list to contain the single domain
+<VAR
+CLASS="PARAMETER"
+>somename</VAR
+>, as if specified in a
+<B
+CLASS="COMMAND"
+>domain</B
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, and enable search list
+processing as if the <VAR
+CLASS="PARAMETER"
+>+search</VAR
+> option were given.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]search</VAR
+></DT
+><DD
+><P
+>Use [do not use] the search list defined by the searchlist or domain
+directive in <TT
+CLASS="FILENAME"
+>resolv.conf</TT
+> (if any).
+The search list is not used by default.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]defname</VAR
+></DT
+><DD
+><P
+>Deprecated, treated as a synonym for <VAR
+CLASS="PARAMETER"
+>+[no]search</VAR
+></P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]aaonly</VAR
+></DT
+><DD
+><P
+>Sets the "aa" flag in the query.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]aaflag</VAR
+></DT
+><DD
+><P
+>A synonym for <VAR
+CLASS="PARAMETER"
+>+[no]aaonly</VAR
+>.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]adflag</VAR
+></DT
+><DD
+><P
+>Set [do not set] the AD (authentic data) bit in the query. The AD bit
+currently has a standard meaning only in responses, not in queries,
+but the ability to set the bit in the query is provided for
+completeness.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]cdflag</VAR
+></DT
+><DD
+><P
+>Set [do not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]cl</VAR
+></DT
+><DD
+><P
+>Display [do not display] the CLASS when printing the record.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]ttlid</VAR
+></DT
+><DD
+><P
+>Display [do not display] the TTL when printing the record.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]recurse</VAR
+></DT
+><DD
+><P
+>Toggle the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means <B
+CLASS="COMMAND"
+>dig</B
+>
+normally sends recursive queries. Recursion is automatically disabled
+when the <VAR
+CLASS="PARAMETER"
+>+nssearch</VAR
+> or
+<VAR
+CLASS="PARAMETER"
+>+trace</VAR
+> query options are used.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]nssearch</VAR
+></DT
+><DD
+><P
+>When this option is set, <B
+CLASS="COMMAND"
+>dig</B
+> attempts to find the
+authoritative name servers for the zone containing the name being
+looked up and display the SOA record that each name server has for the
+zone.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]trace</VAR
+></DT
+><DD
+><P
+>Toggle tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, <B
+CLASS="COMMAND"
+>dig</B
+> makes iterative queries to
+resolve the name being looked up. It will follow referrals from the
+root servers, showing the answer from each server that was used to
+resolve the lookup.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]cmd</VAR
+></DT
+><DD
+><P
+>toggles the printing of the initial comment in the output identifying
+the version of <B
+CLASS="COMMAND"
+>dig</B
+> and the query options that have
+been applied. This comment is printed by default.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]short</VAR
+></DT
+><DD
+><P
+>Provide a terse answer. The default is to print the answer in a
+verbose form.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]identify</VAR
+></DT
+><DD
+><P
+>Show [or do not show] the IP address and port number that supplied the
+answer when the <VAR
+CLASS="PARAMETER"
+>+short</VAR
+> option is enabled. If
+short form answers are requested, the default is not to show the
+source address and port number of the server that provided the answer.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]comments</VAR
+></DT
+><DD
+><P
+>Toggle the display of comment lines in the output. The default is to
+print comments.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]stats</VAR
+></DT
+><DD
+><P
+>This query option toggles the printing of statistics: when the query
+was made, the size of the reply and so on. The default behaviour is
+to print the query statistics.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]qr</VAR
+></DT
+><DD
+><P
+>Print [do not print] the query as it is sent.
+By default, the query is not printed.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]question</VAR
+></DT
+><DD
+><P
+>Print [do not print] the question section of a query when an answer is
+returned. The default is to print the question section as a comment.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]answer</VAR
+></DT
+><DD
+><P
+>Display [do not display] the answer section of a reply. The default
+is to display it.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]authority</VAR
+></DT
+><DD
+><P
+>Display [do not display] the authority section of a reply. The
+default is to display it.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]additional</VAR
+></DT
+><DD
+><P
+>Display [do not display] the additional section of a reply.
+The default is to display it.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]all</VAR
+></DT
+><DD
+><P
+>Set or clear all display flags.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+time=T</VAR
+></DT
+><DD
+><P
+>&#13;Sets the timeout for a query to
+<VAR
+CLASS="PARAMETER"
+>T</VAR
+> seconds. The default time out is 5 seconds.
+An attempt to set <VAR
+CLASS="PARAMETER"
+>T</VAR
+> to less than 1 will result
+in a query timeout of 1 second being applied.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+tries=T</VAR
+></DT
+><DD
+><P
+>Sets the number of times to try UDP queries to server to
+<VAR
+CLASS="PARAMETER"
+>T</VAR
+> instead of the default, 3. If
+<VAR
+CLASS="PARAMETER"
+>T</VAR
+> is less than or equal to zero, the number of
+tries is silently rounded up to 1.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+retry=T</VAR
+></DT
+><DD
+><P
+>Sets the number of times to retry UDP queries to server to
+<VAR
+CLASS="PARAMETER"
+>T</VAR
+> instead of the default, 2. Unlike
+<VAR
+CLASS="PARAMETER"
+>+tries</VAR
+>, this does not include the initial
+query.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+ndots=D</VAR
+></DT
+><DD
+><P
+>Set the number of dots that have to appear in
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+> to <VAR
+CLASS="PARAMETER"
+>D</VAR
+> for it to be
+considered absolute. The default value is that defined using the
+ndots statement in <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, or 1 if no
+ndots statement is present. Names with fewer dots are interpreted as
+relative names and will be searched for in the domains listed in the
+<VAR
+CLASS="OPTION"
+>search</VAR
+> or <VAR
+CLASS="OPTION"
+>domain</VAR
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+bufsize=B</VAR
+></DT
+><DD
+><P
+>Set the UDP message buffer size advertised using EDNS0 to
+<VAR
+CLASS="PARAMETER"
+>B</VAR
+> bytes. The maximum and minimum sizes of this
+buffer are 65535 and 0 respectively. Values outside this range are
+rounded up or down appropriately.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]multiline</VAR
+></DT
+><DD
+><P
+>Print records like the SOA records in a verbose multi-line
+format with human-readable comments. The default is to print
+each record on a single line, to facilitate machine parsing
+of the <B
+CLASS="COMMAND"
+>dig</B
+> output.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]fail</VAR
+></DT
+><DD
+><P
+>Do not try the next server if you receive a SERVFAIL. The default is
+to not try the next server which is the reverse of normal stub resolver
+behaviour.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]besteffort</VAR
+></DT
+><DD
+><P
+>Attempt to display the contents of messages which are malformed.
+The default is to not display malformed answers.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]dnssec</VAR
+></DT
+><DD
+><P
+>Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
+in the OPT record in the additional section of the query.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]sigchase</VAR
+></DT
+><DD
+><P
+>Chase DNSSEC signature chains. Requires dig be compiled with
+-DDIG_SIGCHASE.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+trusted-key=####</VAR
+></DT
+><DD
+><P
+>Specify a trusted key to be used with <VAR
+CLASS="OPTION"
+>+sigchase</VAR
+>.
+Requires dig be compiled with -DDIG_SIGCHASE.</P
+></DD
+><DT
+><VAR
+CLASS="OPTION"
+>+[no]topdown</VAR
+></DT
+><DD
+><P
+>When chasing DNSSEC signature chains perform a top down validation.
+Requires dig be compiled with -DDIG_SIGCHASE.</P
+></DD
+></DL
+></DIV
+>&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN385"
+></A
+><H2
+>MULTIPLE QUERIES</H2
+><P
+>The BIND 9 implementation of <B
+CLASS="COMMAND"
+>dig </B
+> supports
+specifying multiple queries on the command line (in addition to
+supporting the <VAR
+CLASS="OPTION"
+>-f</VAR
+> batch file option). Each of those
+queries can be supplied with its own set of flags, options and query
+options.</P
+><P
+>In this case, each <VAR
+CLASS="PARAMETER"
+>query</VAR
+> argument represent an
+individual query in the command-line syntax described above. Each
+consists of any of the standard options and flags, the name to be
+looked up, an optional query type and class and any query options that
+should be applied to that query.</P
+><P
+>A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the
+first tuple of name, class, type, options, flags, and query options
+supplied on the command line. Any global query options (except
+the <VAR
+CLASS="OPTION"
+>+[no]cmd</VAR
+> option) can be
+overridden by a query-specific set of query options. For example:
+<PRE
+CLASS="PROGRAMLISTING"
+>dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr</PRE
+>
+shows how <B
+CLASS="COMMAND"
+>dig</B
+> could be used from the command line
+to make three lookups: an ANY query for <VAR
+CLASS="LITERAL"
+>www.isc.org</VAR
+>, a
+reverse lookup of 127.0.0.1 and a query for the NS records of
+<VAR
+CLASS="LITERAL"
+>isc.org</VAR
+>.
+
+A global query option of <VAR
+CLASS="PARAMETER"
+>+qr</VAR
+> is applied, so
+that <B
+CLASS="COMMAND"
+>dig</B
+> shows the initial query it made for each
+lookup. The final query has a local query option of
+<VAR
+CLASS="PARAMETER"
+>+noqr</VAR
+> which means that <B
+CLASS="COMMAND"
+>dig</B
+>
+will not print the initial query when it looks up the NS records for
+<VAR
+CLASS="LITERAL"
+>isc.org</VAR
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN403"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+><P
+><TT
+CLASS="FILENAME"
+>${HOME}/.digrc</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN409"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>host</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+<I
+CLASS="CITETITLE"
+>RFC1035</I
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN422"
+></A
+><H2
+>BUGS </H2
+><P
+>There are probably too many query options. </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dig/dighost.c b/contrib/bind9/bin/dig/dighost.c
new file mode 100644
index 0000000..dd49b5b
--- /dev/null
+++ b/contrib/bind9/bin/dig/dighost.c
@@ -0,0 +1,5074 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dighost.c,v 1.221.2.19.2.14 2004/06/30 23:57:52 marka Exp $ */
+
+/*
+ * Notice to programmers: Do not use this code as an example of how to
+ * use the ISC library to perform DNS lookups. Dig and Host both operate
+ * on the request level, since they allow fine-tuning of output and are
+ * intended as debugging tools. As a result, they perform many of the
+ * functions which could be better handled using the dns_resolver
+ * functions in most applications.
+ */
+
+#include <config.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <limits.h>
+
+#include <dns/byaddr.h>
+#ifdef DIG_SIGCHASE
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/nsec.h>
+#include <isc/file.h>
+#include <isc/random.h>
+#include <ctype.h>
+#endif
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/entropy.h>
+#include <isc/lang.h>
+#include <isc/netaddr.h>
+#ifdef DIG_SIGCHASE
+#include <isc/netdb.h>
+#endif
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+
+#include <bind9/getaddresses.h>
+
+#include <dig/dig.h>
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ 16
+#endif
+
+static lwres_context_t *lwctx = NULL;
+static lwres_conf_t *lwconf;
+
+ISC_LIST(dig_lookup_t) lookup_list;
+dig_serverlist_t server_list;
+ISC_LIST(dig_searchlist_t) search_list;
+
+isc_boolean_t
+ have_ipv4 = ISC_FALSE,
+ have_ipv6 = ISC_FALSE,
+ specified_source = ISC_FALSE,
+ free_now = ISC_FALSE,
+ cancel_now = ISC_FALSE,
+ usesearch = ISC_FALSE,
+ qr = ISC_FALSE,
+ is_dst_up = ISC_FALSE;
+in_port_t port = 53;
+unsigned int timeout = 0;
+isc_mem_t *mctx = NULL;
+isc_taskmgr_t *taskmgr = NULL;
+isc_task_t *global_task = NULL;
+isc_timermgr_t *timermgr = NULL;
+isc_socketmgr_t *socketmgr = NULL;
+isc_sockaddr_t bind_address;
+isc_sockaddr_t bind_any;
+int sendcount = 0;
+int recvcount = 0;
+int sockcount = 0;
+int ndots = -1;
+int tries = 3;
+int lookup_counter = 0;
+
+/*
+ * Exit Codes:
+ * 0 Everything went well, including things like NXDOMAIN
+ * 1 Usage error
+ * 7 Got too many RR's or Names
+ * 8 Couldn't open batch file
+ * 9 No reply from server
+ * 10 Internal error
+ */
+int exitcode = 0;
+int fatalexit = 0;
+char keynametext[MXNAME];
+char keyfile[MXNAME] = "";
+char keysecret[MXNAME] = "";
+isc_buffer_t *namebuf = NULL;
+dns_tsigkey_t *key = NULL;
+isc_boolean_t validated = ISC_TRUE;
+isc_entropy_t *entp = NULL;
+isc_mempool_t *commctx = NULL;
+isc_boolean_t debugging = ISC_FALSE;
+isc_boolean_t memdebugging = ISC_FALSE;
+char *progname = NULL;
+isc_mutex_t lookup_lock;
+dig_lookup_t *current_lookup = NULL;
+
+#ifdef DIG_SIGCHASE
+
+isc_result_t get_trusted_key(isc_mem_t *mctx);
+dns_rdataset_t * sigchase_scanname(dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ isc_boolean_t *lookedup,
+ dns_name_t *rdata_name);
+dns_rdataset_t * chase_scanname_section(dns_message_t *msg,
+ dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ int section);
+isc_result_t advanced_rrsearch(dns_rdataset_t **rdataset,
+ dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ isc_boolean_t *lookedup);
+isc_result_t sigchase_verify_sig_key(dns_name_t *name,
+ dns_rdataset_t *rdataset,
+ dst_key_t* dnsseckey,
+ dns_rdataset_t *sigrdataset,
+ isc_mem_t *mctx);
+isc_result_t sigchase_verify_sig(dns_name_t *name,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *keyrdataset,
+ dns_rdataset_t *sigrdataset,
+ isc_mem_t *mctx);
+isc_result_t sigchase_verify_ds(dns_name_t *name,
+ dns_rdataset_t *keyrdataset,
+ dns_rdataset_t *dsrdataset,
+ isc_mem_t *mctx);
+void sigchase(dns_message_t *msg);
+void print_rdata(dns_rdata_t *rdata, isc_mem_t *mctx);
+void print_rdataset(dns_name_t *name,
+ dns_rdataset_t *rdataset, isc_mem_t *mctx);
+void dup_name(dns_name_t *source, dns_name_t* target,
+ isc_mem_t *mctx);
+void dump_database(void);
+void dump_database_section(dns_message_t *msg, int section);
+dns_rdataset_t * search_type(dns_name_t *name, dns_rdatatype_t type,
+ dns_rdatatype_t covers);
+isc_result_t contains_trusted_key(dns_name_t *name,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset,
+ isc_mem_t *mctx);
+void print_type(dns_rdatatype_t type);
+isc_result_t prove_nx_domain(dns_message_t * msg,
+ dns_name_t * name,
+ dns_name_t * rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t ** sigrdataset);
+isc_result_t prove_nx_type(dns_message_t * msg, dns_name_t *name,
+ dns_rdataset_t *nsec,
+ dns_rdataclass_t class,
+ dns_rdatatype_t type,
+ dns_name_t * rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t ** sigrdataset);
+isc_result_t prove_nx(dns_message_t * msg, dns_name_t * name,
+ dns_rdataclass_t class,
+ dns_rdatatype_t type,
+ dns_name_t * rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t ** sigrdataset);
+static void nameFromString(const char *str, dns_name_t *p_ret);
+int inf_name(dns_name_t * name1, dns_name_t * name2);
+isc_result_t opentmpkey(isc_mem_t *mctx, const char *file,
+ char **tempp, FILE **fp);
+isc_result_t removetmpkey(isc_mem_t *mctx, const char *file);
+void clean_trustedkey(void );
+void insert_trustedkey(dst_key_t * key);
+#if DIG_SIGCHASE_BU
+isc_result_t getneededrr(dns_message_t *msg);
+void sigchase_bottom_up(dns_message_t *msg);
+void sigchase_bu(dns_message_t *msg);
+#endif
+#if DIG_SIGCHASE_TD
+isc_result_t initialization(dns_name_t *name);
+isc_result_t prepare_lookup(dns_name_t *name);
+isc_result_t grandfather_pb_test(dns_name_t * zone_name,
+ dns_rdataset_t *sigrdataset);
+isc_result_t child_of_zone(dns_name_t *name,
+ dns_name_t *zone_name,
+ dns_name_t *child_name);
+void sigchase_td(dns_message_t *msg);
+#endif
+char trustedkey[MXNAME] = "";
+
+dns_rdataset_t * chase_rdataset = NULL;
+dns_rdataset_t * chase_sigrdataset = NULL;
+dns_rdataset_t * chase_dsrdataset = NULL;
+dns_rdataset_t * chase_sigdsrdataset = NULL;
+dns_rdataset_t * chase_keyrdataset = NULL;
+dns_rdataset_t * chase_sigkeyrdataset = NULL;
+dns_rdataset_t * chase_nsrdataset = NULL;
+
+dns_name_t chase_name; /* the query name */
+#if DIG_SIGCHASE_TD
+/*
+ * the current name is the parent name when we follow delegation
+ */
+dns_name_t chase_current_name;
+/*
+ * the child name is used for delegation (NS DS responses in AUTHORITY section)
+ */
+dns_name_t chase_authority_name;
+#endif
+#if DIG_SIGCHASE_BU
+dns_name_t chase_signame;
+#endif
+
+
+isc_boolean_t chase_siglookedup = ISC_FALSE;
+isc_boolean_t chase_keylookedup = ISC_FALSE;
+isc_boolean_t chase_sigkeylookedup = ISC_FALSE;
+isc_boolean_t chase_dslookedup = ISC_FALSE;
+isc_boolean_t chase_sigdslookedup = ISC_FALSE;
+#if DIG_SIGCHASE_TD
+isc_boolean_t chase_nslookedup = ISC_FALSE;
+isc_boolean_t chase_lookedup = ISC_FALSE;
+
+
+isc_boolean_t delegation_follow = ISC_FALSE;
+isc_boolean_t grandfather_pb = ISC_FALSE;
+isc_boolean_t have_response = ISC_FALSE;
+isc_boolean_t have_delegation_ns = ISC_FALSE;
+dns_message_t * error_message = NULL;
+#endif
+
+isc_boolean_t dsvalidating = ISC_FALSE;
+isc_boolean_t chase_name_dup = ISC_FALSE;
+
+ISC_LIST(dig_message_t) chase_message_list;
+ISC_LIST(dig_message_t) chase_message_list2;
+
+
+#define MAX_TRUSTED_KEY 5
+typedef struct struct_trusted_key_list {
+ dst_key_t * key[MAX_TRUSTED_KEY];
+ int nb_tk;
+} struct_tk_list;
+
+struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
+
+#endif
+
+/*
+ * Apply and clear locks at the event level in global task.
+ * Can I get rid of these using shutdown events? XXX
+ */
+#define LOCK_LOOKUP {\
+ debug("lock_lookup %s:%d", __FILE__, __LINE__);\
+ check_result(isc_mutex_lock((&lookup_lock)), "isc_mutex_lock");\
+ debug("success");\
+}
+#define UNLOCK_LOOKUP {\
+ debug("unlock_lookup %s:%d", __FILE__, __LINE__);\
+ check_result(isc_mutex_unlock((&lookup_lock)),\
+ "isc_mutex_unlock");\
+}
+
+static void
+cancel_lookup(dig_lookup_t *lookup);
+
+static void
+recv_done(isc_task_t *task, isc_event_t *event);
+
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event);
+
+static void
+launch_next_query(dig_query_t *query, isc_boolean_t include_question);
+
+
+static void *
+mem_alloc(void *arg, size_t size) {
+ return (isc_mem_get(arg, size));
+}
+
+static void
+mem_free(void *arg, void *mem, size_t size) {
+ isc_mem_put(arg, mem, size);
+}
+
+char *
+next_token(char **stringp, const char *delim) {
+ char *res;
+
+ do {
+ res = strsep(stringp, delim);
+ if (res == NULL)
+ break;
+ } while (*res == '\0');
+ return (res);
+}
+
+static int
+count_dots(char *string) {
+ char *s;
+ int i = 0;
+
+ s = string;
+ while (*s != '\0') {
+ if (*s == '.')
+ i++;
+ s++;
+ }
+ return (i);
+}
+
+static void
+hex_dump(isc_buffer_t *b) {
+ unsigned int len;
+ isc_region_t r;
+
+ isc_buffer_usedregion(b, &r);
+
+ printf("%d bytes\n", r.length);
+ for (len = 0; len < r.length; len++) {
+ printf("%02x ", r.base[len]);
+ if (len % 16 == 15)
+ printf("\n");
+ }
+ if (len % 16 != 0)
+ printf("\n");
+}
+
+/*
+ * Append 'len' bytes of 'text' at '*p', failing with
+ * ISC_R_NOSPACE if that would advance p past 'end'.
+ */
+static isc_result_t
+append(const char *text, int len, char **p, char *end) {
+ if (len > end - *p)
+ return (ISC_R_NOSPACE);
+ memcpy(*p, text, len);
+ *p += len;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+reverse_octets(const char *in, char **p, char *end) {
+ char *dot = strchr(in, '.');
+ int len;
+ if (dot != NULL) {
+ isc_result_t result;
+ result = reverse_octets(dot + 1, p, end);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = append(".", 1, p, end);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ len = dot - in;
+ } else {
+ len = strlen(in);
+ }
+ return (append(in, len, p, end));
+}
+
+isc_result_t
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
+ isc_boolean_t strict)
+{
+ int r;
+ isc_result_t result;
+ isc_netaddr_t addr;
+
+ addr.family = AF_INET6;
+ r = inet_pton(AF_INET6, value, &addr.type.in6);
+ if (r > 0) {
+ /* This is a valid IPv6 address. */
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ unsigned int options = 0;
+
+ if (ip6_int)
+ options |= DNS_BYADDROPT_IPV6INT;
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ result = dns_byaddr_createptrname2(&addr, options, name);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_format(name, reverse, len);
+ return (ISC_R_SUCCESS);
+ } else {
+ /*
+ * Not a valid IPv6 address. Assume IPv4.
+ * If 'strict' is not set, construct the
+ * in-addr.arpa name by blindly reversing
+ * octets whether or not they look like integers,
+ * so that this can be used for RFC2317 names
+ * and such.
+ */
+ char *p = reverse;
+ char *end = reverse + len;
+ if (strict && inet_pton(AF_INET, value, &addr.type.in) != 1)
+ return (DNS_R_BADDOTTEDQUAD);
+ result = reverse_octets(value, &p, end);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /* Append .in-addr.arpa. and a terminating NUL. */
+ result = append(".in-addr.arpa.", 15, &p, end);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (ISC_R_SUCCESS);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ if (exitcode < 10)
+ exitcode = 10;
+ if (fatalexit != 0)
+ exitcode = fatalexit;
+ exit(exitcode);
+}
+
+void
+debug(const char *format, ...) {
+ va_list args;
+
+ if (debugging) {
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+}
+
+void
+check_result(isc_result_t result, const char *msg) {
+ if (result != ISC_R_SUCCESS) {
+ fatal("%s: %s", msg, isc_result_totext(result));
+ }
+}
+
+/*
+ * Create a server structure, which is part of the lookup structure.
+ * This is little more than a linked list of servers to query in hopes
+ * of finding the answer the user is looking for
+ */
+dig_server_t *
+make_server(const char *servname) {
+ dig_server_t *srv;
+
+ REQUIRE(servname != NULL);
+
+ debug("make_server(%s)", servname);
+ srv = isc_mem_allocate(mctx, sizeof(struct dig_server));
+ if (srv == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ strncpy(srv->servername, servname, MXNAME);
+ srv->servername[MXNAME-1] = 0;
+ ISC_LINK_INIT(srv, link);
+ return (srv);
+}
+static int
+addr2af(int lwresaddrtype)
+{
+ int af = 0;
+
+ switch (lwresaddrtype) {
+ case LWRES_ADDRTYPE_V4:
+ af = AF_INET;
+ break;
+
+ case LWRES_ADDRTYPE_V6:
+ af = AF_INET6;
+ break;
+ }
+
+ return (af);
+}
+/*
+ * Create a copy of the server list from the lwres configuration structure.
+ * The dest list must have already had ISC_LIST_INIT applied.
+ */
+static void
+copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
+ dig_server_t *newsrv;
+ char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+ int af;
+ int i;
+
+ debug("copy_server_list()");
+ for (i = 0; i < confdata->nsnext; i++) {
+ af = addr2af(confdata->nameservers[i].family);
+
+ lwres_net_ntop(af, confdata->nameservers[i].address,
+ tmp, sizeof(tmp));
+ newsrv = make_server(tmp);
+ ISC_LINK_INIT(newsrv, link);
+ ISC_LIST_ENQUEUE(*dest, newsrv, link);
+ }
+}
+void
+flush_server_list(void) {
+ dig_server_t *s, *ps;
+
+ debug("flush_server_list()");
+ s = ISC_LIST_HEAD(server_list);
+ while (s != NULL) {
+ ps = s;
+ s = ISC_LIST_NEXT(s, link);
+ ISC_LIST_DEQUEUE(server_list, ps, link);
+ isc_mem_free(mctx, ps);
+ }
+}
+void
+set_nameserver(char *opt) {
+ dig_server_t *srv;
+
+ if (opt == NULL)
+ return;
+
+ flush_server_list();
+ srv = make_server(opt);
+ if (srv == NULL)
+ fatal("memory allocation failure");
+ ISC_LIST_INITANDAPPEND(server_list, srv, link);
+}
+
+static isc_result_t
+add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
+
+ int i = confdata->nsnext;
+
+ if (confdata->nsnext >= LWRES_CONFMAXNAMESERVERS)
+ return (ISC_R_FAILURE);
+
+ switch (af) {
+ case AF_INET:
+ confdata->nameservers[i].family = LWRES_ADDRTYPE_V4;
+ confdata->nameservers[i].length = NS_INADDRSZ;
+ break;
+ case AF_INET6:
+ confdata->nameservers[i].family = LWRES_ADDRTYPE_V6;
+ confdata->nameservers[i].length = NS_IN6ADDRSZ;
+ break;
+ default:
+ return (ISC_R_FAILURE);
+ }
+
+ if (lwres_net_pton(af, addr, &confdata->nameservers[i].address) == 1) {
+ confdata->nsnext++;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_FAILURE);
+}
+
+/*
+ * Produce a cloned server list. The dest list must have already had
+ * ISC_LIST_INIT applied.
+ */
+void
+clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
+ dig_server_t *srv, *newsrv;
+
+ debug("clone_server_list()");
+ srv = ISC_LIST_HEAD(src);
+ while (srv != NULL) {
+ newsrv = make_server(srv->servername);
+ ISC_LINK_INIT(newsrv, link);
+ ISC_LIST_ENQUEUE(*dest, newsrv, link);
+ srv = ISC_LIST_NEXT(srv, link);
+ }
+}
+
+/*
+ * Create an empty lookup structure, which holds all the information needed
+ * to get an answer to a user's question. This structure contains two
+ * linked lists: the server list (servers to query) and the query list
+ * (outstanding queries which have been made to the listed servers).
+ */
+dig_lookup_t *
+make_empty_lookup(void) {
+ dig_lookup_t *looknew;
+
+ debug("make_empty_lookup()");
+
+ INSIST(!free_now);
+
+ looknew = isc_mem_allocate(mctx, sizeof(struct dig_lookup));
+ if (looknew == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ looknew->pending = ISC_TRUE;
+ looknew->textname[0] = 0;
+ looknew->cmdline[0] = 0;
+ looknew->rdtype = dns_rdatatype_a;
+ looknew->qrdtype = dns_rdatatype_a;
+ looknew->rdclass = dns_rdataclass_in;
+ looknew->rdtypeset = ISC_FALSE;
+ looknew->rdclassset = ISC_FALSE;
+ looknew->sendspace = NULL;
+ looknew->sendmsg = NULL;
+ looknew->name = NULL;
+ looknew->oname = NULL;
+ looknew->timer = NULL;
+ looknew->xfr_q = NULL;
+ looknew->current_query = NULL;
+ looknew->doing_xfr = ISC_FALSE;
+ looknew->ixfr_serial = ISC_FALSE;
+ looknew->trace = ISC_FALSE;
+ looknew->trace_root = ISC_FALSE;
+ looknew->identify = ISC_FALSE;
+ looknew->identify_previous_line = ISC_FALSE;
+ looknew->ignore = ISC_FALSE;
+ looknew->servfail_stops = ISC_TRUE;
+ looknew->besteffort = ISC_TRUE;
+ looknew->dnssec = ISC_FALSE;
+#ifdef DIG_SIGCHASE
+ looknew->sigchase = ISC_FALSE;
+#if DIG_SIGCHASE_TD
+ looknew->do_topdown = ISC_FALSE;
+ looknew->trace_root_sigchase = ISC_FALSE;
+ looknew->rdtype_sigchaseset = ISC_FALSE;
+ looknew->rdtype_sigchase = dns_rdatatype_any;
+ looknew->qrdtype_sigchase = dns_rdatatype_any;
+ looknew->rdclass_sigchase = dns_rdataclass_in;
+ looknew->rdclass_sigchaseset = ISC_FALSE;
+#endif
+#endif
+ looknew->udpsize = 0;
+ looknew->recurse = ISC_TRUE;
+ looknew->aaonly = ISC_FALSE;
+ looknew->adflag = ISC_FALSE;
+ looknew->cdflag = ISC_FALSE;
+ looknew->ns_search_only = ISC_FALSE;
+ looknew->origin = NULL;
+ looknew->tsigctx = NULL;
+ looknew->querysig = NULL;
+ looknew->retries = tries;
+ looknew->nsfound = 0;
+ looknew->tcp_mode = ISC_FALSE;
+ looknew->ip6_int = ISC_FALSE;
+ looknew->comments = ISC_TRUE;
+ looknew->stats = ISC_TRUE;
+ looknew->section_question = ISC_TRUE;
+ looknew->section_answer = ISC_TRUE;
+ looknew->section_authority = ISC_TRUE;
+ looknew->section_additional = ISC_TRUE;
+ looknew->new_search = ISC_FALSE;
+ ISC_LINK_INIT(looknew, link);
+ ISC_LIST_INIT(looknew->q);
+ ISC_LIST_INIT(looknew->my_server_list);
+ return (looknew);
+}
+
+/*
+ * Clone a lookup, perhaps copying the server list. This does not clone
+ * the query list, since it will be regenerated by the setup_lookup()
+ * function, nor does it queue up the new lookup for processing.
+ * Caution: If you don't clone the servers, you MUST clone the server
+ * list seperately from somewhere else, or construct it by hand.
+ */
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
+ dig_lookup_t *looknew;
+
+ debug("clone_lookup()");
+
+ INSIST(!free_now);
+
+ looknew = make_empty_lookup();
+ INSIST(looknew != NULL);
+ strncpy(looknew->textname, lookold->textname, MXNAME);
+#if DIG_SIGCHASE_TD
+ strncpy(looknew->textnamesigchase, lookold->textnamesigchase, MXNAME);
+#endif
+ strncpy(looknew->cmdline, lookold->cmdline, MXNAME);
+ looknew->textname[MXNAME-1] = 0;
+ looknew->rdtype = lookold->rdtype;
+ looknew->qrdtype = lookold->qrdtype;
+ looknew->rdclass = lookold->rdclass;
+ looknew->rdtypeset = lookold->rdtypeset;
+ looknew->rdclassset = lookold->rdclassset;
+ looknew->doing_xfr = lookold->doing_xfr;
+ looknew->ixfr_serial = lookold->ixfr_serial;
+ looknew->trace = lookold->trace;
+ looknew->trace_root = lookold->trace_root;
+ looknew->identify = lookold->identify;
+ looknew->identify_previous_line = lookold->identify_previous_line;
+ looknew->ignore = lookold->ignore;
+ looknew->servfail_stops = lookold->servfail_stops;
+ looknew->besteffort = lookold->besteffort;
+ looknew->dnssec = lookold->dnssec;
+#ifdef DIG_SIGCHASE
+ looknew->sigchase = lookold->sigchase;
+#if DIG_SIGCHASE_TD
+ looknew->do_topdown = lookold->do_topdown;
+ looknew->trace_root_sigchase = lookold->trace_root_sigchase;
+ looknew->rdtype_sigchaseset = lookold->rdtype_sigchaseset;
+ looknew->rdtype_sigchase = lookold->rdtype_sigchase;
+ looknew->qrdtype_sigchase = lookold->qrdtype_sigchase;
+ looknew->rdclass_sigchase = lookold->rdclass_sigchase;
+ looknew->rdclass_sigchaseset = lookold->rdclass_sigchaseset;
+#endif
+#endif
+ looknew->udpsize = lookold->udpsize;
+ looknew->recurse = lookold->recurse;
+ looknew->aaonly = lookold->aaonly;
+ looknew->adflag = lookold->adflag;
+ looknew->cdflag = lookold->cdflag;
+ looknew->ns_search_only = lookold->ns_search_only;
+ looknew->tcp_mode = lookold->tcp_mode;
+ looknew->comments = lookold->comments;
+ looknew->stats = lookold->stats;
+ looknew->section_question = lookold->section_question;
+ looknew->section_answer = lookold->section_answer;
+ looknew->section_authority = lookold->section_authority;
+ looknew->section_additional = lookold->section_additional;
+ looknew->retries = lookold->retries;
+ looknew->tsigctx = NULL;
+
+ if (servers)
+ clone_server_list(lookold->my_server_list,
+ &looknew->my_server_list);
+ return (looknew);
+}
+
+/*
+ * Requeue a lookup for further processing, perhaps copying the server
+ * list. The new lookup structure is returned to the caller, and is
+ * queued for processing. If servers are not cloned in the requeue, they
+ * must be added before allowing the current event to complete, since the
+ * completion of the event may result in the next entry on the lookup
+ * queue getting run.
+ */
+dig_lookup_t *
+requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
+ dig_lookup_t *looknew;
+
+ debug("requeue_lookup()");
+
+ lookup_counter++;
+ if (lookup_counter > LOOKUP_LIMIT)
+ fatal("too many lookups");
+
+ looknew = clone_lookup(lookold, servers);
+ INSIST(looknew != NULL);
+
+ debug("before insertion, init@%p -> %p, new@%p -> %p",
+ lookold, lookold->link.next, looknew, looknew->link.next);
+ ISC_LIST_PREPEND(lookup_list, looknew, link);
+ debug("after insertion, init -> %p, new = %p, new -> %p",
+ lookold, looknew, looknew->link.next);
+ return (looknew);
+}
+
+
+static void
+setup_text_key(void) {
+ isc_result_t result;
+ dns_name_t keyname;
+ isc_buffer_t secretbuf;
+ int secretsize;
+ unsigned char *secretstore;
+
+ debug("setup_text_key()");
+ result = isc_buffer_allocate(mctx, &namebuf, MXNAME);
+ check_result(result, "isc_buffer_allocate");
+ dns_name_init(&keyname, NULL);
+ check_result(result, "dns_name_init");
+ isc_buffer_putstr(namebuf, keynametext);
+ secretsize = strlen(keysecret) * 3 / 4;
+ secretstore = isc_mem_allocate(mctx, secretsize);
+ if (secretstore == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ isc_buffer_init(&secretbuf, secretstore, secretsize);
+ result = isc_base64_decodestring(keysecret, &secretbuf);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ secretsize = isc_buffer_usedlength(&secretbuf);
+
+ result = dns_name_fromtext(&keyname, namebuf,
+ dns_rootname, ISC_FALSE,
+ namebuf);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
+ secretstore, secretsize,
+ ISC_FALSE, NULL, 0, 0, mctx,
+ NULL, &key);
+ failure:
+ if (result != ISC_R_SUCCESS)
+ printf(";; Couldn't create key %s: %s\n",
+ keynametext, isc_result_totext(result));
+
+ isc_mem_free(mctx, secretstore);
+ dns_name_invalidate(&keyname);
+ isc_buffer_free(&namebuf);
+}
+
+static void
+setup_file_key(void) {
+ isc_result_t result;
+ dst_key_t *dstkey = NULL;
+
+ debug("setup_file_key()");
+ result = dst_key_fromnamedfile(keyfile, DST_TYPE_PRIVATE | DST_TYPE_KEY,
+ mctx, &dstkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "Couldn't read key from %s: %s\n",
+ keyfile, isc_result_totext(result));
+ goto failure;
+ }
+
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+ dns_tsig_hmacmd5_name,
+ dstkey, ISC_FALSE, NULL, 0, 0,
+ mctx, NULL, &key);
+ if (result != ISC_R_SUCCESS) {
+ printf(";; Couldn't create key %s: %s\n",
+ keynametext, isc_result_totext(result));
+ goto failure;
+ }
+ dstkey = NULL;
+ failure:
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+}
+
+static dig_searchlist_t *
+make_searchlist_entry(char *domain) {
+ dig_searchlist_t *search;
+ search = isc_mem_allocate(mctx, sizeof(*search));
+ if (search == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ strncpy(search->origin, domain, MXNAME);
+ search->origin[MXNAME-1] = 0;
+ ISC_LINK_INIT(search, link);
+ return (search);
+}
+
+static void
+create_search_list(lwres_conf_t *confdata) {
+ int i;
+ dig_searchlist_t *search;
+
+ debug("create_search_list()");
+ ISC_LIST_INIT(search_list);
+
+ for (i = 0; i < confdata->searchnxt; i++) {
+ search = make_searchlist_entry(confdata->search[i]);
+ ISC_LIST_APPEND(search_list, search, link);
+ }
+}
+
+/*
+ * Setup the system as a whole, reading key information and resolv.conf
+ * settings.
+ */
+void
+setup_system(void) {
+ dig_searchlist_t *domain = NULL;
+ lwres_result_t lwresult;
+
+ debug("setup_system()");
+
+ lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+ if (lwresult != LWRES_R_SUCCESS)
+ fatal("lwres_context_create failed");
+
+ (void)lwres_conf_parse(lwctx, RESOLV_CONF);
+ lwconf = lwres_conf_get(lwctx);
+
+ /* Make the search list */
+ if (lwconf->searchnxt > 0)
+ create_search_list(lwconf);
+ else {
+ /* No search list. Use the domain name if any */
+ if (lwconf->domainname != NULL) {
+ domain = make_searchlist_entry(lwconf->domainname);
+ ISC_LIST_INITANDAPPEND(search_list, domain, link);
+ domain = NULL;
+ }
+ }
+
+ ndots = lwconf->ndots;
+ debug("ndots is %d.", ndots);
+
+ /* If we don't find a nameserver fall back to localhost */
+ if (lwconf->nsnext == 0) {
+ if (have_ipv4) {
+ lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
+ if (lwresult != ISC_R_SUCCESS)
+ fatal("add_nameserver failed");
+ }
+ if (have_ipv6) {
+ lwresult = add_nameserver(lwconf, "::1", AF_INET6);
+ if (lwresult != ISC_R_SUCCESS)
+ fatal("add_nameserver failed");
+ }
+ }
+
+ if (ISC_LIST_EMPTY(server_list))
+ copy_server_list(lwconf, &server_list);
+
+ if (keyfile[0] != 0)
+ setup_file_key();
+ else if (keysecret[0] != 0)
+ setup_text_key();
+#ifdef DIG_SIGCHASE
+ /* Setup the list of messages for +sigchase */
+ ISC_LIST_INIT(chase_message_list);
+ ISC_LIST_INIT(chase_message_list2);
+ dns_name_init(&chase_name, NULL);
+#if DIG_SIGCHASE_TD
+ dns_name_init(&chase_current_name, NULL);
+ dns_name_init(&chase_authority_name, NULL);
+#endif
+#if DIG_SIGCHASE_BU
+ dns_name_init(&chase_signame, NULL);
+#endif
+
+#endif
+
+}
+
+static void
+clear_searchlist(void) {
+ dig_searchlist_t *search;
+ while ((search = ISC_LIST_HEAD(search_list)) != NULL) {
+ ISC_LIST_UNLINK(search_list, search, link);
+ isc_mem_free(mctx, search);
+ }
+}
+
+/*
+ * Override the search list derived from resolv.conf by 'domain'.
+ */
+void
+set_search_domain(char *domain) {
+ dig_searchlist_t *search;
+
+ clear_searchlist();
+ search = make_searchlist_entry(domain);
+ ISC_LIST_APPEND(search_list, search, link);
+}
+
+/*
+ * Setup the ISC and DNS libraries for use by the system.
+ */
+void
+setup_libs(void) {
+ isc_result_t result;
+
+ debug("setup_libs()");
+
+ result = isc_net_probeipv4();
+ if (result == ISC_R_SUCCESS)
+ have_ipv4 = ISC_TRUE;
+
+ result = isc_net_probeipv6();
+ if (result == ISC_R_SUCCESS)
+ have_ipv6 = ISC_TRUE;
+ if (!have_ipv6 && !have_ipv4)
+ fatal("can't find either v4 or v6 networking");
+
+ result = isc_mem_create(0, 0, &mctx);
+ check_result(result, "isc_mem_create");
+
+ result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
+ check_result(result, "isc_taskmgr_create");
+
+ result = isc_task_create(taskmgr, 0, &global_task);
+ check_result(result, "isc_task_create");
+
+ result = isc_timermgr_create(mctx, &timermgr);
+ check_result(result, "isc_timermgr_create");
+
+ result = isc_socketmgr_create(mctx, &socketmgr);
+ check_result(result, "isc_socketmgr_create");
+
+ result = isc_entropy_create(mctx, &entp);
+ check_result(result, "isc_entropy_create");
+
+ result = dst_lib_init(mctx, entp, 0);
+ check_result(result, "dst_lib_init");
+ is_dst_up = ISC_TRUE;
+
+ result = isc_mempool_create(mctx, COMMSIZE, &commctx);
+ check_result(result, "isc_mempool_create");
+ isc_mempool_setname(commctx, "COMMPOOL");
+ /*
+ * 6 and 2 set as reasonable parameters for 3 or 4 nameserver
+ * systems.
+ */
+ isc_mempool_setfreemax(commctx, 6);
+ isc_mempool_setfillcount(commctx, 2);
+
+ result = isc_mutex_init(&lookup_lock);
+ check_result(result, "isc_mutex_init");
+
+ dns_result_register();
+}
+
+/*
+ * Add EDNS0 option record to a message. Currently, the only supported
+ * options are UDP buffer size and the DO bit.
+ */
+static void
+add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdata_t *rdata = NULL;
+ isc_result_t result;
+
+ debug("add_opt()");
+ result = dns_message_gettemprdataset(msg, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+ dns_rdataset_init(rdataset);
+ result = dns_message_gettemprdatalist(msg, &rdatalist);
+ check_result(result, "dns_message_gettemprdatalist");
+ result = dns_message_gettemprdata(msg, &rdata);
+ check_result(result, "dns_message_gettemprdata");
+
+ debug("setting udp size of %d", udpsize);
+ rdatalist->type = dns_rdatatype_opt;
+ rdatalist->covers = 0;
+ rdatalist->rdclass = udpsize;
+ rdatalist->ttl = 0;
+ if (dnssec)
+ rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+ rdata->data = NULL;
+ rdata->length = 0;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ result = dns_message_setopt(msg, rdataset);
+ check_result(result, "dns_message_setopt");
+}
+
+/*
+ * Add a question section to a message, asking for the specified name,
+ * type, and class.
+ */
+static void
+add_question(dns_message_t *message, dns_name_t *name,
+ dns_rdataclass_t rdclass, dns_rdatatype_t rdtype)
+{
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ debug("add_question()");
+ rdataset = NULL;
+ result = dns_message_gettemprdataset(message, &rdataset);
+ check_result(result, "dns_message_gettemprdataset()");
+ dns_rdataset_init(rdataset);
+ dns_rdataset_makequestion(rdataset, rdclass, rdtype);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+}
+
+/*
+ * Check if we're done with all the queued lookups, which is true iff
+ * all sockets, sends, and recvs are accounted for (counters == 0),
+ * and the lookup list is empty.
+ * If we are done, pass control back out to dighost_shutdown() (which is
+ * part of dig.c, host.c, or nslookup.c) to either shutdown the system as
+ * a whole or reseed the lookup list.
+ */
+static void
+check_if_done(void) {
+ debug("check_if_done()");
+ debug("list %s", ISC_LIST_EMPTY(lookup_list) ? "empty" : "full");
+ if (ISC_LIST_EMPTY(lookup_list) && current_lookup == NULL &&
+ sendcount == 0) {
+ INSIST(sockcount == 0);
+ INSIST(recvcount == 0);
+ debug("shutting down");
+ dighost_shutdown();
+ }
+}
+
+/*
+ * Clear out a query when we're done with it. WARNING: This routine
+ * WILL invalidate the query pointer.
+ */
+static void
+clear_query(dig_query_t *query) {
+ dig_lookup_t *lookup;
+
+ REQUIRE(query != NULL);
+
+ debug("clear_query(%p)", query);
+
+ lookup = query->lookup;
+
+ if (lookup->current_query == query)
+ lookup->current_query = NULL;
+
+ ISC_LIST_UNLINK(lookup->q, query, link);
+ if (ISC_LINK_LINKED(&query->recvbuf, link))
+ ISC_LIST_DEQUEUE(query->recvlist, &query->recvbuf,
+ link);
+ if (ISC_LINK_LINKED(&query->lengthbuf, link))
+ ISC_LIST_DEQUEUE(query->lengthlist, &query->lengthbuf,
+ link);
+ INSIST(query->recvspace != NULL);
+ if (query->sock != NULL) {
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
+ }
+ isc_mempool_put(commctx, query->recvspace);
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_invalidate(&query->lengthbuf);
+ isc_mem_free(mctx, query);
+}
+
+/*
+ * Try and clear out a lookup if we're done with it. Return ISC_TRUE if
+ * the lookup was successfully cleared. If ISC_TRUE is returned, the
+ * lookup pointer has been invalidated.
+ */
+static isc_boolean_t
+try_clear_lookup(dig_lookup_t *lookup) {
+ dig_server_t *s;
+ dig_query_t *q;
+ void *ptr;
+
+ REQUIRE(lookup != NULL);
+
+ debug("try_clear_lookup(%p)", lookup);
+
+ if (ISC_LIST_HEAD(lookup->q) != NULL) {
+ if (debugging) {
+ q = ISC_LIST_HEAD(lookup->q);
+ while (q != NULL) {
+ debug("query to %s still pending",
+ q->servname);
+ q = ISC_LIST_NEXT(q, link);
+ }
+ return (ISC_FALSE);
+ }
+ }
+ /*
+ * At this point, we know there are no queries on the lookup,
+ * so can make it go away also.
+ */
+ debug("cleared");
+ s = ISC_LIST_HEAD(lookup->my_server_list);
+ while (s != NULL) {
+ debug("freeing server %p belonging to %p",
+ s, lookup);
+ ptr = s;
+ s = ISC_LIST_NEXT(s, link);
+ ISC_LIST_DEQUEUE(lookup->my_server_list,
+ (dig_server_t *)ptr, link);
+ isc_mem_free(mctx, ptr);
+ }
+ if (lookup->sendmsg != NULL)
+ dns_message_destroy(&lookup->sendmsg);
+ if (lookup->querysig != NULL) {
+ debug("freeing buffer %p", lookup->querysig);
+ isc_buffer_free(&lookup->querysig);
+ }
+ if (lookup->timer != NULL)
+ isc_timer_detach(&lookup->timer);
+ if (lookup->sendspace != NULL)
+ isc_mempool_put(commctx, lookup->sendspace);
+
+ if (lookup->tsigctx != NULL)
+ dst_context_destroy(&lookup->tsigctx);
+
+ isc_mem_free(mctx, lookup);
+ return (ISC_TRUE);
+}
+
+
+/*
+ * If we can, start the next lookup in the queue running.
+ * This assumes that the lookup on the head of the queue hasn't been
+ * started yet. It also removes the lookup from the head of the queue,
+ * setting the current_lookup pointer pointing to it.
+ */
+void
+start_lookup(void) {
+ debug("start_lookup()");
+ if (cancel_now)
+ return;
+
+ /*
+ * If there's a current lookup running, we really shouldn't get
+ * here.
+ */
+ INSIST(current_lookup == NULL);
+
+ current_lookup = ISC_LIST_HEAD(lookup_list);
+ /*
+ * Put the current lookup somewhere so cancel_all can find it
+ */
+ if (current_lookup != NULL) {
+ ISC_LIST_DEQUEUE(lookup_list, current_lookup, link);
+#if DIG_SIGCHASE_TD
+ if (current_lookup->do_topdown &&
+ !current_lookup->rdtype_sigchaseset) {
+ dst_key_t * trustedkey = NULL;
+ isc_buffer_t *b = NULL;
+ isc_region_t r;
+ isc_result_t result;
+ dns_name_t query_name;
+ dns_name_t * key_name;
+ int i;
+
+ result = get_trusted_key(mctx);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; No trusted key, "
+ "+sigchase option is disabled\n");
+ current_lookup->sigchase = ISC_FALSE;
+ goto novalidation;
+ }
+ dns_name_init(&query_name, NULL);
+ nameFromString(current_lookup->textname, &query_name);
+
+ for (i = 0; i< tk_list.nb_tk; i++) {
+ key_name = dst_key_name(tk_list.key[i]);
+
+ if (dns_name_issubdomain(&query_name,
+ key_name) == ISC_TRUE)
+ trustedkey = tk_list.key[i];
+ /*
+ * Verifier que la temp est bien la plus basse
+ * WARNING
+ */
+ }
+ if (trustedkey == NULL) {
+ printf("\n;; The queried zone: ");
+ dns_name_print(&query_name, stdout);
+ printf(" isn't a subdomain of any Trusted Keys"
+ ": +sigchase option is disable\n");
+ current_lookup->sigchase = ISC_FALSE;
+ dns_name_free(&query_name, mctx);
+ goto novalidation;
+ }
+ dns_name_free(&query_name, mctx);
+
+
+ current_lookup->rdtype_sigchase
+ = current_lookup->rdtype;
+ current_lookup->rdtype_sigchaseset
+ = current_lookup->rdtypeset;
+ current_lookup->rdtype = dns_rdatatype_ns;
+
+
+ current_lookup->qrdtype_sigchase
+ = current_lookup->qrdtype;
+ current_lookup->qrdtype = dns_rdatatype_ns;
+
+ current_lookup->rdclass_sigchase
+ = current_lookup->rdclass;
+ current_lookup->rdclass_sigchaseset
+ = current_lookup->rdclassset;
+ current_lookup->rdclass = dns_rdataclass_in;
+
+
+ strncpy(current_lookup->textnamesigchase,
+ current_lookup->textname, MXNAME);
+
+ current_lookup->trace_root_sigchase = ISC_TRUE;
+
+ result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_name_totext(dst_key_name(trustedkey),
+ ISC_FALSE, b);
+ check_result(result, "dns_name_totext");
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+ strncpy(current_lookup->textname, (char*)r.base,
+ MXNAME);
+ isc_buffer_free(&b);
+
+ nameFromString(current_lookup->textnamesigchase,
+ &chase_name);
+
+ dns_name_init(&chase_authority_name, NULL);
+ }
+ novalidation:
+#endif
+ setup_lookup(current_lookup);
+ do_lookup(current_lookup);
+ } else {
+ check_if_done();
+ }
+}
+
+/*
+ * If we can, clear the current lookup and start the next one running.
+ * This calls try_clear_lookup, so may invalidate the lookup pointer.
+ */
+static void
+check_next_lookup(dig_lookup_t *lookup) {
+
+ INSIST(!free_now);
+
+ debug("check_next_lookup(%p)", lookup);
+
+ if (ISC_LIST_HEAD(lookup->q) != NULL) {
+ debug("still have a worker");
+ return;
+ }
+ if (try_clear_lookup(lookup)) {
+ current_lookup = NULL;
+ start_lookup();
+ }
+}
+
+/*
+ * Create and queue a new lookup as a followup to the current lookup,
+ * based on the supplied message and section. This is used in trace and
+ * name server search modes to start a new lookup using servers from
+ * NS records in a reply. Returns the number of followup lookups made.
+ */
+static int
+followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
+{
+ dig_lookup_t *lookup = NULL;
+ dig_server_t *srv = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_name_t *name = NULL;
+ isc_result_t result;
+ isc_boolean_t success = ISC_FALSE;
+ int numLookups = 0;
+
+ INSIST(!free_now);
+
+ debug("following up %s", query->lookup->textname);
+
+ for (result = dns_message_firstname(msg, section);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(msg, section)) {
+ name = NULL;
+ dns_message_currentname(msg, section, &name);
+
+ rdataset = NULL;
+ result = dns_message_findtype(name, dns_rdatatype_ns, 0,
+ &rdataset);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ debug("found NS set");
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_rdata_ns_t ns;
+
+ if (query->lookup->trace_root &&
+ query->lookup->nsfound >= MXSERV)
+ break;
+
+ dns_rdataset_current(rdataset, &rdata);
+
+ query->lookup->nsfound++;
+ (void)dns_rdata_tostruct(&rdata, &ns, NULL);
+ dns_name_format(&ns.name, namestr, sizeof(namestr));
+ dns_rdata_freestruct(&ns);
+
+ /* Initialize lookup if we've not yet */
+ debug("found NS %d %s", numLookups, namestr);
+ numLookups++;
+ if (!success) {
+ success = ISC_TRUE;
+ lookup_counter++;
+ lookup = requeue_lookup(query->lookup,
+ ISC_FALSE);
+ cancel_lookup(query->lookup);
+ lookup->doing_xfr = ISC_FALSE;
+ if (!lookup->trace_root &&
+ section == DNS_SECTION_ANSWER)
+ lookup->trace = ISC_FALSE;
+ else
+ lookup->trace = query->lookup->trace;
+ lookup->ns_search_only =
+ query->lookup->ns_search_only;
+ lookup->trace_root = ISC_FALSE;
+ }
+ srv = make_server(namestr);
+ debug("adding server %s", srv->servername);
+ ISC_LIST_APPEND(lookup->my_server_list, srv, link);
+ dns_rdata_reset(&rdata);
+ }
+ }
+
+ if (lookup == NULL &&
+ section == DNS_SECTION_ANSWER &&
+ (query->lookup->trace || query->lookup->ns_search_only))
+ return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
+
+ return numLookups;
+}
+
+/*
+ * Create and queue a new lookup using the next origin from the search
+ * list, read in setup_system().
+ *
+ * Return ISC_TRUE iff there was another searchlist entry.
+ */
+static isc_boolean_t
+next_origin(dns_message_t *msg, dig_query_t *query) {
+ dig_lookup_t *lookup;
+
+ UNUSED(msg);
+
+ INSIST(!free_now);
+
+ debug("next_origin()");
+ debug("following up %s", query->lookup->textname);
+
+ if (!usesearch)
+ /*
+ * We're not using a search list, so don't even think
+ * about finding the next entry.
+ */
+ return (ISC_FALSE);
+ if (query->lookup->origin == NULL)
+ /*
+ * Then we just did rootorg; there's nothing left.
+ */
+ return (ISC_FALSE);
+ lookup = requeue_lookup(query->lookup, ISC_TRUE);
+ lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
+ cancel_lookup(query->lookup);
+ return (ISC_TRUE);
+}
+
+/*
+ * Insert an SOA record into the sendmessage in a lookup. Used for
+ * creating IXFR queries.
+ */
+static void
+insert_soa(dig_lookup_t *lookup) {
+ isc_result_t result;
+ dns_rdata_soa_t soa;
+ dns_rdata_t *rdata = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ dns_name_t *soaname = NULL;
+
+ debug("insert_soa()");
+ soa.mctx = mctx;
+ soa.serial = lookup->ixfr_serial;
+ soa.refresh = 0;
+ soa.retry = 0;
+ soa.expire = 0;
+ soa.minimum = 0;
+ soa.common.rdclass = lookup->rdclass;
+ soa.common.rdtype = dns_rdatatype_soa;
+
+ dns_name_init(&soa.origin, NULL);
+ dns_name_init(&soa.contact, NULL);
+
+ dns_name_clone(dns_rootname, &soa.origin);
+ dns_name_clone(dns_rootname, &soa.contact);
+
+ isc_buffer_init(&lookup->rdatabuf, lookup->rdatastore,
+ sizeof(lookup->rdatastore));
+
+ result = dns_message_gettemprdata(lookup->sendmsg, &rdata);
+ check_result(result, "dns_message_gettemprdata");
+
+ result = dns_rdata_fromstruct(rdata, lookup->rdclass,
+ dns_rdatatype_soa, &soa,
+ &lookup->rdatabuf);
+ check_result(result, "isc_rdata_fromstruct");
+
+ result = dns_message_gettemprdatalist(lookup->sendmsg, &rdatalist);
+ check_result(result, "dns_message_gettemprdatalist");
+
+ result = dns_message_gettemprdataset(lookup->sendmsg, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = dns_rdatatype_soa;
+ rdatalist->rdclass = lookup->rdclass;
+ rdatalist->covers = 0;
+ rdatalist->ttl = 0;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+
+ result = dns_message_gettempname(lookup->sendmsg, &soaname);
+ check_result(result, "dns_message_gettempname");
+ dns_name_init(soaname, NULL);
+ dns_name_clone(lookup->name, soaname);
+ ISC_LIST_INIT(soaname->list);
+ ISC_LIST_APPEND(soaname->list, rdataset, link);
+ dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
+}
+
+/*
+ * Setup the supplied lookup structure, making it ready to start sending
+ * queries to servers. Create and initialize the message to be sent as
+ * well as the query structures and buffer space for the replies. If the
+ * server list is empty, clone it from the system default list.
+ */
+void
+setup_lookup(dig_lookup_t *lookup) {
+ isc_result_t result;
+ isc_uint32_t id;
+ int len;
+ dig_server_t *serv;
+ dig_query_t *query;
+ isc_buffer_t b;
+ dns_compress_t cctx;
+ char store[MXNAME];
+
+ REQUIRE(lookup != NULL);
+ INSIST(!free_now);
+
+ debug("setup_lookup(%p)", lookup);
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ &lookup->sendmsg);
+ check_result(result, "dns_message_create");
+
+ if (lookup->new_search) {
+ debug("resetting lookup counter.");
+ lookup_counter = 0;
+ }
+
+ if (ISC_LIST_EMPTY(lookup->my_server_list)) {
+ debug("cloning server list");
+ clone_server_list(server_list, &lookup->my_server_list);
+ }
+ result = dns_message_gettempname(lookup->sendmsg, &lookup->name);
+ check_result(result, "dns_message_gettempname");
+ dns_name_init(lookup->name, NULL);
+
+ isc_buffer_init(&lookup->namebuf, lookup->namespace,
+ sizeof(lookup->namespace));
+ isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
+ sizeof(lookup->onamespace));
+
+ /*
+ * If the name has too many dots, force the origin to be NULL
+ * (which produces an absolute lookup). Otherwise, take the origin
+ * we have if there's one in the struct already. If it's NULL,
+ * take the first entry in the searchlist iff either usesearch
+ * is TRUE or we got a domain line in the resolv.conf file.
+ */
+ /* XXX New search here? */
+ if ((count_dots(lookup->textname) >= ndots) || !usesearch)
+ lookup->origin = NULL; /* Force abs lookup */
+ else if (lookup->origin == NULL && lookup->new_search && usesearch) {
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ }
+ if (lookup->origin != NULL) {
+ debug("trying origin %s", lookup->origin->origin);
+ result = dns_message_gettempname(lookup->sendmsg,
+ &lookup->oname);
+ check_result(result, "dns_message_gettempname");
+ dns_name_init(lookup->oname, NULL);
+ /* XXX Helper funct to conv char* to name? */
+ len = strlen(lookup->origin->origin);
+ isc_buffer_init(&b, lookup->origin->origin, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->oname, &b, dns_rootname,
+ ISC_FALSE, &lookup->onamebuf);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(lookup->sendmsg,
+ &lookup->name);
+ dns_message_puttempname(lookup->sendmsg,
+ &lookup->oname);
+ fatal("'%s' is not in legal name syntax (%s)",
+ lookup->origin->origin,
+ isc_result_totext(result));
+ }
+ if (lookup->trace && lookup->trace_root) {
+ dns_name_clone(dns_rootname, lookup->name);
+ } else {
+ len = strlen(lookup->textname);
+ isc_buffer_init(&b, lookup->textname, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->name, &b,
+ lookup->oname, ISC_FALSE,
+ &lookup->namebuf);
+ }
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(lookup->sendmsg,
+ &lookup->name);
+ dns_message_puttempname(lookup->sendmsg,
+ &lookup->oname);
+ fatal("'%s' is not in legal name syntax (%s)",
+ lookup->textname, isc_result_totext(result));
+ }
+ dns_message_puttempname(lookup->sendmsg, &lookup->oname);
+ } else {
+ debug("using root origin");
+ if (lookup->trace && lookup->trace_root)
+ dns_name_clone(dns_rootname, lookup->name);
+ else {
+ len = strlen(lookup->textname);
+ isc_buffer_init(&b, lookup->textname, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->name, &b,
+ dns_rootname,
+ ISC_FALSE,
+ &lookup->namebuf);
+ }
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(lookup->sendmsg,
+ &lookup->name);
+ isc_buffer_init(&b, store, MXNAME);
+ fatal("'%s' is not a legal name "
+ "(%s)", lookup->textname,
+ isc_result_totext(result));
+ }
+ }
+ dns_name_format(lookup->name, store, sizeof(store));
+ trying(store, lookup);
+ INSIST(dns_name_isabsolute(lookup->name));
+
+ isc_random_get(&id);
+ lookup->sendmsg->id = (unsigned short)id & 0xFFFF;
+ lookup->sendmsg->opcode = dns_opcode_query;
+ lookup->msgcounter = 0;
+ /*
+ * If this is a trace request, completely disallow recursion, since
+ * it's meaningless for traces.
+ */
+ if (lookup->trace || (lookup->ns_search_only && !lookup->trace_root))
+ lookup->recurse = ISC_FALSE;
+
+ if (lookup->recurse &&
+ lookup->rdtype != dns_rdatatype_axfr &&
+ lookup->rdtype != dns_rdatatype_ixfr) {
+ debug("recursive query");
+ lookup->sendmsg->flags |= DNS_MESSAGEFLAG_RD;
+ }
+
+ /* XXX aaflag */
+ if (lookup->aaonly) {
+ debug("AA query");
+ lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AA;
+ }
+
+ if (lookup->adflag) {
+ debug("AD query");
+ lookup->sendmsg->flags |= DNS_MESSAGEFLAG_AD;
+ }
+
+ if (lookup->cdflag) {
+ debug("CD query");
+ lookup->sendmsg->flags |= DNS_MESSAGEFLAG_CD;
+ }
+
+ dns_message_addname(lookup->sendmsg, lookup->name,
+ DNS_SECTION_QUESTION);
+
+ if (lookup->trace && lookup->trace_root) {
+ lookup->qrdtype = lookup->rdtype;
+ lookup->rdtype = dns_rdatatype_ns;
+ }
+
+ if ((lookup->rdtype == dns_rdatatype_axfr) ||
+ (lookup->rdtype == dns_rdatatype_ixfr)) {
+ lookup->doing_xfr = ISC_TRUE;
+ /*
+ * Force TCP mode if we're doing an xfr.
+ * XXX UDP ixfr's would be useful
+ */
+ lookup->tcp_mode = ISC_TRUE;
+ }
+
+ add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
+ lookup->rdtype);
+
+ /* add_soa */
+ if (lookup->rdtype == dns_rdatatype_ixfr)
+ insert_soa(lookup);
+
+ /* XXX Insist this? */
+ lookup->tsigctx = NULL;
+ lookup->querysig = NULL;
+ if (key != NULL) {
+ debug("initializing keys");
+ result = dns_message_settsigkey(lookup->sendmsg, key);
+ check_result(result, "dns_message_settsigkey");
+ }
+
+ lookup->sendspace = isc_mempool_get(commctx);
+ if (lookup->sendspace == NULL)
+ fatal("memory allocation failure");
+
+ result = dns_compress_init(&cctx, -1, mctx);
+ check_result(result, "dns_compress_init");
+
+ debug("starting to render the message");
+ isc_buffer_init(&lookup->sendbuf, lookup->sendspace, COMMSIZE);
+ result = dns_message_renderbegin(lookup->sendmsg, &cctx,
+ &lookup->sendbuf);
+ check_result(result, "dns_message_renderbegin");
+ if (lookup->udpsize > 0 || lookup->dnssec) {
+ if (lookup->udpsize == 0)
+ lookup->udpsize = 2048;
+ add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec);
+ }
+
+ result = dns_message_rendersection(lookup->sendmsg,
+ DNS_SECTION_QUESTION, 0);
+ check_result(result, "dns_message_rendersection");
+ result = dns_message_rendersection(lookup->sendmsg,
+ DNS_SECTION_AUTHORITY, 0);
+ check_result(result, "dns_message_rendersection");
+ result = dns_message_renderend(lookup->sendmsg);
+ check_result(result, "dns_message_renderend");
+ debug("done rendering");
+
+ dns_compress_invalidate(&cctx);
+
+ /*
+ * Force TCP mode if the request is larger than 512 bytes.
+ */
+ if (isc_buffer_usedlength(&lookup->sendbuf) > 512)
+ lookup->tcp_mode = ISC_TRUE;
+
+ lookup->pending = ISC_FALSE;
+
+ for (serv = ISC_LIST_HEAD(lookup->my_server_list);
+ serv != NULL;
+ serv = ISC_LIST_NEXT(serv, link)) {
+ query = isc_mem_allocate(mctx, sizeof(dig_query_t));
+ if (query == NULL)
+ fatal("memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ debug("create query %p linked to lookup %p",
+ query, lookup);
+ query->lookup = lookup;
+ query->waiting_connect = ISC_FALSE;
+ query->recv_made = ISC_FALSE;
+ query->first_pass = ISC_TRUE;
+ query->first_soa_rcvd = ISC_FALSE;
+ query->second_rr_rcvd = ISC_FALSE;
+ query->first_repeat_rcvd = ISC_FALSE;
+ query->warn_id = ISC_TRUE;
+ query->first_rr_serial = 0;
+ query->second_rr_serial = 0;
+ query->servname = serv->servername;
+ query->rr_count = 0;
+ query->msg_count = 0;
+ ISC_LINK_INIT(query, link);
+ ISC_LIST_INIT(query->recvlist);
+ ISC_LIST_INIT(query->lengthlist);
+ query->sock = NULL;
+ query->recvspace = isc_mempool_get(commctx);
+ if (query->recvspace == NULL)
+ fatal("memory allocation failure");
+
+ isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+ isc_buffer_init(&query->lengthbuf, query->lengthspace, 2);
+ isc_buffer_init(&query->slbuf, query->slspace, 2);
+
+ ISC_LINK_INIT(query, link);
+ ISC_LIST_ENQUEUE(lookup->q, query, link);
+ }
+ /* XXX qrflag, print_query, etc... */
+ if (!ISC_LIST_EMPTY(lookup->q) && qr) {
+ printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
+ ISC_TRUE);
+ }
+}
+
+/*
+ * Event handler for send completion. Track send counter, and clear out
+ * the query if the send was canceled.
+ */
+static void
+send_done(isc_task_t *_task, isc_event_t *event) {
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+ UNUSED(_task);
+
+ LOCK_LOOKUP;
+
+ isc_event_free(&event);
+
+ debug("send_done()");
+ sendcount--;
+ debug("sendcount=%d", sendcount);
+ INSIST(sendcount >= 0);
+ check_if_done();
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
+ * IO sockets. The cancel handlers should take care of cleaning up the
+ * query and lookup structures
+ */
+static void
+cancel_lookup(dig_lookup_t *lookup) {
+ dig_query_t *query, *next;
+
+ debug("cancel_lookup()");
+ query = ISC_LIST_HEAD(lookup->q);
+ while (query != NULL) {
+ next = ISC_LIST_NEXT(query, link);
+ if (query->sock != NULL) {
+ isc_socket_cancel(query->sock, global_task,
+ ISC_SOCKCANCEL_ALL);
+ check_if_done();
+ } else {
+ clear_query(query);
+ }
+ query = next;
+ }
+ if (lookup->timer != NULL)
+ isc_timer_detach(&lookup->timer);
+ lookup->pending = ISC_FALSE;
+ lookup->retries = 0;
+}
+
+static void
+bringup_timer(dig_query_t *query, unsigned int default_timeout) {
+ dig_lookup_t *l;
+ unsigned int local_timeout;
+ isc_result_t result;
+
+ debug("bringup_timer()");
+ /*
+ * If the timer already exists, that means we're calling this
+ * a second time (for a retry). Don't need to recreate it,
+ * just reset it.
+ */
+ l = query->lookup;
+ if (ISC_LIST_NEXT(query, link) != NULL)
+ local_timeout = SERVER_TIMEOUT;
+ else {
+ if (timeout == 0) {
+ local_timeout = default_timeout;
+ } else
+ local_timeout = timeout;
+ }
+ debug("have local timeout of %d", local_timeout);
+ isc_interval_set(&l->interval, local_timeout, 0);
+ if (l->timer != NULL)
+ isc_timer_detach(&l->timer);
+ result = isc_timer_create(timermgr,
+ isc_timertype_once,
+ NULL,
+ &l->interval,
+ global_task,
+ connect_timeout,
+ l, &l->timer);
+ check_result(result, "isc_timer_create");
+}
+
+static void
+connect_done(isc_task_t *task, isc_event_t *event);
+
+/*
+ * Unlike send_udp, this can't be called multiple times with the same
+ * query. When we retry TCP, we requeue the whole lookup, which should
+ * start anew.
+ */
+static void
+send_tcp_connect(dig_query_t *query) {
+ isc_result_t result;
+ dig_query_t *next;
+ dig_lookup_t *l;
+
+ debug("send_tcp_connect(%p)", query);
+
+ l = query->lookup;
+ query->waiting_connect = ISC_TRUE;
+ query->lookup->current_query = query;
+ get_address(query->servname, port, &query->sockaddr);
+
+ if (specified_source &&
+ (isc_sockaddr_pf(&query->sockaddr) !=
+ isc_sockaddr_pf(&bind_address))) {
+ printf(";; Skipping server %s, incompatible "
+ "address family\n", query->servname);
+ query->waiting_connect = ISC_FALSE;
+ next = ISC_LIST_NEXT(query, link);
+ l = query->lookup;
+ clear_query(query);
+ if (next == NULL) {
+ printf(";; No acceptable nameservers\n");
+ check_next_lookup(l);
+ return;
+ }
+ send_tcp_connect(next);
+ return;
+ }
+ INSIST(query->sock == NULL);
+ result = isc_socket_create(socketmgr,
+ isc_sockaddr_pf(&query->sockaddr),
+ isc_sockettype_tcp, &query->sock);
+ check_result(result, "isc_socket_create");
+ sockcount++;
+ debug("sockcount=%d", sockcount);
+ if (specified_source)
+ result = isc_socket_bind(query->sock, &bind_address);
+ else {
+ if ((isc_sockaddr_pf(&query->sockaddr) == AF_INET) &&
+ have_ipv4)
+ isc_sockaddr_any(&bind_any);
+ else
+ isc_sockaddr_any6(&bind_any);
+ result = isc_socket_bind(query->sock, &bind_any);
+ }
+ check_result(result, "isc_socket_bind");
+ bringup_timer(query, TCP_TIMEOUT);
+ result = isc_socket_connect(query->sock, &query->sockaddr,
+ global_task, connect_done, query);
+ check_result(result, "isc_socket_connect");
+ /*
+ * If we're at the endgame of a nameserver search, we need to
+ * immediately bring up all the queries. Do it here.
+ */
+ if (l->ns_search_only && !l->trace_root) {
+ debug("sending next, since searching");
+ next = ISC_LIST_NEXT(query, link);
+ if (next != NULL)
+ send_tcp_connect(next);
+ }
+}
+
+/*
+ * Send a UDP packet to the remote nameserver, possible starting the
+ * recv action as well. Also make sure that the timer is running and
+ * is properly reset.
+ */
+static void
+send_udp(dig_query_t *query) {
+ dig_lookup_t *l = NULL;
+ dig_query_t *next;
+ isc_result_t result;
+
+ debug("send_udp(%p)", query);
+
+ l = query->lookup;
+ bringup_timer(query, UDP_TIMEOUT);
+ l->current_query = query;
+ debug("working on lookup %p, query %p",
+ query->lookup, query);
+ if (!query->recv_made) {
+ /* XXX Check the sense of this, need assertion? */
+ query->waiting_connect = ISC_FALSE;
+ get_address(query->servname, port, &query->sockaddr);
+
+ result = isc_socket_create(socketmgr,
+ isc_sockaddr_pf(&query->sockaddr),
+ isc_sockettype_udp, &query->sock);
+ check_result(result, "isc_socket_create");
+ sockcount++;
+ debug("sockcount=%d", sockcount);
+ if (specified_source) {
+ result = isc_socket_bind(query->sock, &bind_address);
+ } else {
+ isc_sockaddr_anyofpf(&bind_any,
+ isc_sockaddr_pf(&query->sockaddr));
+ result = isc_socket_bind(query->sock, &bind_any);
+ }
+ check_result(result, "isc_socket_bind");
+
+ query->recv_made = ISC_TRUE;
+ ISC_LINK_INIT(&query->recvbuf, link);
+ ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf,
+ link);
+ debug("recving with lookup=%p, query=%p, sock=%p",
+ query->lookup, query,
+ query->sock);
+ result = isc_socket_recvv(query->sock,
+ &query->recvlist, 1,
+ global_task, recv_done,
+ query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ debug("recvcount=%d", recvcount);
+ }
+ ISC_LIST_INIT(query->sendlist);
+ ISC_LINK_INIT(&l->sendbuf, link);
+ ISC_LIST_ENQUEUE(query->sendlist, &l->sendbuf,
+ link);
+ debug("sending a request");
+ TIME_NOW(&query->time_sent);
+ INSIST(query->sock != NULL);
+ result = isc_socket_sendtov(query->sock, &query->sendlist,
+ global_task, send_done, query,
+ &query->sockaddr, NULL);
+ check_result(result, "isc_socket_sendtov");
+ sendcount++;
+ /*
+ * If we're at the endgame of a nameserver search, we need to
+ * immediately bring up all the queries. Do it here.
+ */
+ if (l->ns_search_only && !l->trace_root) {
+ debug("sending next, since searching");
+ next = ISC_LIST_NEXT(query, link);
+ if (next != NULL)
+ send_udp(next);
+ }
+}
+
+/*
+ * IO timeout handler, used for both connect and recv timeouts. If
+ * retries are still allowed, either resend the UDP packet or queue a
+ * new TCP lookup. Otherwise, cancel the lookup.
+ */
+static void
+connect_timeout(isc_task_t *task, isc_event_t *event) {
+ dig_lookup_t *l = NULL, *n;
+ dig_query_t *query = NULL, *cq;
+
+ UNUSED(task);
+ REQUIRE(event->ev_type == ISC_TIMEREVENT_IDLE);
+
+ debug("connect_timeout()");
+
+ LOCK_LOOKUP;
+ l = event->ev_arg;
+ query = l->current_query;
+ isc_event_free(&event);
+
+ INSIST(!free_now);
+
+ if ((query != NULL) && (query->lookup->current_query != NULL) &&
+ (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
+ debug("trying next server...");
+ cq = query->lookup->current_query;
+ if (!l->tcp_mode)
+ send_udp(ISC_LIST_NEXT(cq, link));
+ else
+ send_tcp_connect(ISC_LIST_NEXT(cq, link));
+ UNLOCK_LOOKUP;
+ return;
+ }
+
+ if (l->retries > 1) {
+ if (!l->tcp_mode) {
+ l->retries--;
+ debug("resending UDP request to first server");
+ send_udp(ISC_LIST_HEAD(l->q));
+ } else {
+ debug("making new TCP request, %d tries left",
+ l->retries);
+ l->retries--;
+ n = requeue_lookup(l, ISC_TRUE);
+ cancel_lookup(l);
+ check_next_lookup(l);
+ }
+ } else {
+ fputs(l->cmdline, stdout);
+ printf(";; connection timed out; no servers could be "
+ "reached\n");
+ cancel_lookup(l);
+ check_next_lookup(l);
+ if (exitcode < 9)
+ exitcode = 9;
+ }
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Event handler for the TCP recv which gets the length header of TCP
+ * packets. Start the next recv of length bytes.
+ */
+static void
+tcp_length_done(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent;
+ isc_buffer_t *b = NULL;
+ isc_result_t result;
+ dig_query_t *query = NULL;
+ dig_lookup_t *l;
+ isc_uint16_t length;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+ INSIST(!free_now);
+
+ UNUSED(task);
+
+ debug("tcp_length_done()");
+
+ LOCK_LOOKUP;
+ sevent = (isc_socketevent_t *)event;
+ query = event->ev_arg;
+
+ recvcount--;
+ INSIST(recvcount >= 0);
+
+ if (sevent->result == ISC_R_CANCELED) {
+ isc_event_free(&event);
+ l = query->lookup;
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ if (sevent->result != ISC_R_SUCCESS) {
+ char sockstr[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&query->sockaddr, sockstr,
+ sizeof(sockstr));
+ printf(";; communications error to %s: %s\n",
+ sockstr, isc_result_totext(sevent->result));
+ l = query->lookup;
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
+ INSIST(sockcount >= 0);
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ b = ISC_LIST_HEAD(sevent->bufferlist);
+ ISC_LIST_DEQUEUE(sevent->bufferlist, &query->lengthbuf, link);
+ length = isc_buffer_getuint16(b);
+ if (length == 0) {
+ isc_event_free(&event);
+ launch_next_query(query, ISC_FALSE);
+ UNLOCK_LOOKUP;
+ return;
+ }
+
+ /*
+ * Even though the buffer was already init'ed, we need
+ * to redo it now, to force the length we want.
+ */
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_init(&query->recvbuf, query->recvspace, length);
+ ENSURE(ISC_LIST_EMPTY(query->recvlist));
+ ISC_LINK_INIT(&query->recvbuf, link);
+ ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+ debug("recving with lookup=%p, query=%p",
+ query->lookup, query);
+ result = isc_socket_recvv(query->sock, &query->recvlist, length, task,
+ recv_done, query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ debug("resubmitted recv request with length %d, recvcount=%d",
+ length, recvcount);
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * For transfers that involve multiple recvs (XFR's in particular),
+ * launch the next recv.
+ */
+static void
+launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
+ isc_result_t result;
+ dig_lookup_t *l;
+
+ INSIST(!free_now);
+
+ debug("launch_next_query()");
+
+ if (!query->lookup->pending) {
+ debug("ignoring launch_next_query because !pending");
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
+ INSIST(sockcount >= 0);
+ query->waiting_connect = ISC_FALSE;
+ l = query->lookup;
+ clear_query(query);
+ check_next_lookup(l);
+ return;
+ }
+
+ isc_buffer_clear(&query->slbuf);
+ isc_buffer_clear(&query->lengthbuf);
+ isc_buffer_putuint16(&query->slbuf,
+ (isc_uint16_t) query->lookup->sendbuf.used);
+ ISC_LIST_INIT(query->sendlist);
+ ISC_LINK_INIT(&query->slbuf, link);
+ ISC_LIST_ENQUEUE(query->sendlist, &query->slbuf, link);
+ if (include_question) {
+ ISC_LINK_INIT(&query->lookup->sendbuf, link);
+ ISC_LIST_ENQUEUE(query->sendlist, &query->lookup->sendbuf,
+ link);
+ }
+ ISC_LINK_INIT(&query->lengthbuf, link);
+ ISC_LIST_ENQUEUE(query->lengthlist, &query->lengthbuf, link);
+
+ result = isc_socket_recvv(query->sock, &query->lengthlist, 0,
+ global_task, tcp_length_done, query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ debug("recvcount=%d", recvcount);
+ if (!query->first_soa_rcvd) {
+ debug("sending a request in launch_next_query");
+ TIME_NOW(&query->time_sent);
+ result = isc_socket_sendv(query->sock, &query->sendlist,
+ global_task, send_done, query);
+ check_result(result, "isc_socket_sendv");
+ sendcount++;
+ debug("sendcount=%d", sendcount);
+ }
+ query->waiting_connect = ISC_FALSE;
+#if 0
+ check_next_lookup(query->lookup);
+#endif
+ return;
+}
+
+/*
+ * Event handler for TCP connect complete. Make sure the connection was
+ * successful, then pass into launch_next_query to actually send the
+ * question.
+ */
+static void
+connect_done(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = NULL;
+ dig_query_t *query = NULL, *next;
+ dig_lookup_t *l;
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+ INSIST(!free_now);
+
+ debug("connect_done()");
+
+ LOCK_LOOKUP;
+ sevent = (isc_socketevent_t *)event;
+ query = sevent->ev_arg;
+
+ INSIST(query->waiting_connect);
+
+ query->waiting_connect = ISC_FALSE;
+
+ if (sevent->result == ISC_R_CANCELED) {
+ debug("in cancel handler");
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ INSIST(sockcount >= 0);
+ debug("sockcount=%d", sockcount);
+ query->waiting_connect = ISC_FALSE;
+ isc_event_free(&event);
+ l = query->lookup;
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ if (sevent->result != ISC_R_SUCCESS) {
+ char sockstr[ISC_SOCKADDR_FORMATSIZE];
+
+ debug("unsuccessful connection: %s",
+ isc_result_totext(sevent->result));
+ isc_sockaddr_format(&query->sockaddr, sockstr,
+ sizeof(sockstr));
+ if (sevent->result != ISC_R_CANCELED)
+ printf(";; Connection to %s(%s) for %s failed: "
+ "%s.\n", sockstr,
+ query->servname, query->lookup->textname,
+ isc_result_totext(sevent->result));
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ INSIST(sockcount >= 0);
+ /* XXX Clean up exitcodes */
+ if (exitcode < 9)
+ exitcode = 9;
+ debug("sockcount=%d", sockcount);
+ query->waiting_connect = ISC_FALSE;
+ isc_event_free(&event);
+ l = query->lookup;
+ if (l->current_query != NULL)
+ next = ISC_LIST_NEXT(l->current_query, link);
+ else
+ next = NULL;
+ clear_query(query);
+ if (next != NULL) {
+ bringup_timer(next, TCP_TIMEOUT);
+ send_tcp_connect(next);
+ } else {
+ check_next_lookup(l);
+ }
+ UNLOCK_LOOKUP;
+ return;
+ }
+ launch_next_query(query, ISC_TRUE);
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Check if the ongoing XFR needs more data before it's complete, using
+ * the semantics of IXFR and AXFR protocols. Much of the complexity of
+ * this routine comes from determining when an IXFR is complete.
+ * ISC_FALSE means more data is on the way, and the recv has been issued.
+ */
+static isc_boolean_t
+check_for_more_data(dig_query_t *query, dns_message_t *msg,
+ isc_socketevent_t *sevent)
+{
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_soa_t soa;
+ isc_uint32_t serial;
+ isc_result_t result;
+
+ debug("check_for_more_data()");
+
+ /*
+ * By the time we're in this routine, we know we're doing
+ * either an AXFR or IXFR. If there's no second_rr_type,
+ * then we don't yet know which kind of answer we got back
+ * from the server. Here, we're going to walk through the
+ * rr's in the message, acting as necessary whenever we hit
+ * an SOA rr.
+ */
+
+ query->msg_count++;
+ result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+ if (result != ISC_R_SUCCESS) {
+ puts("; Transfer failed.");
+ return (ISC_TRUE);
+ }
+ do {
+ dns_name_t *name;
+ name = NULL;
+ dns_message_currentname(msg, DNS_SECTION_ANSWER,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ do {
+ query->rr_count++;
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ /*
+ * If this is the first rr, make sure
+ * it's an SOA
+ */
+ if ((!query->first_soa_rcvd) &&
+ (rdata.type != dns_rdatatype_soa)) {
+ puts("; Transfer failed. "
+ "Didn't start with "
+ "SOA answer.");
+ return (ISC_TRUE);
+ }
+ if ((!query->second_rr_rcvd) &&
+ (rdata.type != dns_rdatatype_soa)) {
+ query->second_rr_rcvd = ISC_TRUE;
+ query->second_rr_serial = 0;
+ debug("got the second rr as nonsoa");
+ goto next_rdata;
+ }
+
+ /*
+ * If the record is anything except an SOA
+ * now, just continue on...
+ */
+ if (rdata.type != dns_rdatatype_soa)
+ goto next_rdata;
+ /* Now we have an SOA. Work with it. */
+ debug("got an SOA");
+ (void)dns_rdata_tostruct(&rdata, &soa, NULL);
+ serial = soa.serial;
+ dns_rdata_freestruct(&soa);
+ if (!query->first_soa_rcvd) {
+ query->first_soa_rcvd = ISC_TRUE;
+ query->first_rr_serial = serial;
+ debug("this is the first %d",
+ query->lookup->ixfr_serial);
+ if (query->lookup->ixfr_serial >=
+ serial)
+ goto doexit;
+ goto next_rdata;
+ }
+ if (query->lookup->rdtype ==
+ dns_rdatatype_axfr) {
+ debug("doing axfr, got second SOA");
+ goto doexit;
+ }
+ if (!query->second_rr_rcvd) {
+ if (query->first_rr_serial == serial) {
+ debug("doing ixfr, got "
+ "empty zone");
+ goto doexit;
+ }
+ debug("this is the second %d",
+ query->lookup->ixfr_serial);
+ query->second_rr_rcvd = ISC_TRUE;
+ query->second_rr_serial = serial;
+ goto next_rdata;
+ }
+ if (query->second_rr_serial == 0) {
+ /*
+ * If the second RR was a non-SOA
+ * record, and we're getting any
+ * other SOA, then this is an
+ * AXFR, and we're done.
+ */
+ debug("done, since axfr");
+ goto doexit;
+ }
+ /*
+ * If we get to this point, we're doing an
+ * IXFR and have to start really looking
+ * at serial numbers.
+ */
+ if (query->first_rr_serial == serial) {
+ debug("got a match for ixfr");
+ if (!query->first_repeat_rcvd) {
+ query->first_repeat_rcvd =
+ ISC_TRUE;
+ goto next_rdata;
+ }
+ debug("done with ixfr");
+ goto doexit;
+ }
+ debug("meaningless soa %d", serial);
+ next_rdata:
+ result = dns_rdataset_next(rdataset);
+ } while (result == ISC_R_SUCCESS);
+ }
+ result = dns_message_nextname(msg, DNS_SECTION_ANSWER);
+ } while (result == ISC_R_SUCCESS);
+ launch_next_query(query, ISC_FALSE);
+ return (ISC_FALSE);
+ doexit:
+ received(sevent->n, &sevent->address, query);
+ return (ISC_TRUE);
+}
+
+/*
+ * Event handler for recv complete. Perform whatever actions are necessary,
+ * based on the specifics of the user's request.
+ */
+static void
+recv_done(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = NULL;
+ dig_query_t *query = NULL;
+ isc_buffer_t *b = NULL;
+ dns_message_t *msg = NULL;
+#ifdef DIG_SIGCHASE
+ dig_message_t *chase_msg = NULL;
+ dig_message_t *chase_msg2 = NULL;
+#endif
+ isc_result_t result;
+ dig_lookup_t *n, *l;
+ isc_boolean_t docancel = ISC_FALSE;
+ isc_boolean_t match = ISC_TRUE;
+ unsigned int parseflags;
+ dns_messageid_t id;
+ unsigned int msgflags;
+#ifdef DIG_SIGCHASE
+ isc_result_t do_sigchase = ISC_FALSE;
+
+ dns_message_t *msg_temp = NULL;
+ isc_region_t r;
+ isc_buffer_t *buf = NULL;
+#endif
+
+ UNUSED(task);
+ INSIST(!free_now);
+
+ debug("recv_done()");
+
+ LOCK_LOOKUP;
+ recvcount--;
+ debug("recvcount=%d", recvcount);
+ INSIST(recvcount >= 0);
+
+ query = event->ev_arg;
+ debug("lookup=%p, query=%p", query->lookup, query);
+
+ l = query->lookup;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
+ sevent = (isc_socketevent_t *)event;
+
+ if ((l->tcp_mode) && (l->timer != NULL))
+ isc_timer_touch(l->timer);
+ if ((!l->pending && !l->ns_search_only) || cancel_now) {
+ debug("no longer pending. Got %s",
+ isc_result_totext(sevent->result));
+ query->waiting_connect = ISC_FALSE;
+
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+
+ if (sevent->result != ISC_R_SUCCESS) {
+ if (sevent->result == ISC_R_CANCELED) {
+ debug("in recv cancel handler");
+ query->waiting_connect = ISC_FALSE;
+ } else {
+ printf(";; communications error: %s\n",
+ isc_result_totext(sevent->result));
+ isc_socket_detach(&query->sock);
+ sockcount--;
+ debug("sockcount=%d", sockcount);
+ INSIST(sockcount >= 0);
+ }
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+
+ b = ISC_LIST_HEAD(sevent->bufferlist);
+ ISC_LIST_DEQUEUE(sevent->bufferlist, &query->recvbuf, link);
+
+ if (!l->tcp_mode &&
+ !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
+ char buf1[ISC_SOCKADDR_FORMATSIZE];
+ char buf2[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t any;
+
+ if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
+ isc_sockaddr_any(&any);
+ else
+ isc_sockaddr_any6(&any);
+
+ /*
+ * We don't expect a match when the packet is
+ * sent to 0.0.0.0, :: or to a multicast addresses.
+ * XXXMPA broadcast needs to be handled here as well.
+ */
+ if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
+ !isc_sockaddr_ismulticast(&query->sockaddr)) ||
+ isc_sockaddr_getport(&query->sockaddr) !=
+ isc_sockaddr_getport(&sevent->address)) {
+ isc_sockaddr_format(&sevent->address, buf1,
+ sizeof(buf1));
+ isc_sockaddr_format(&query->sockaddr, buf2,
+ sizeof(buf2));
+ printf(";; reply from unexpected source: %s,"
+ " expected %s\n", buf1, buf2);
+ match = ISC_FALSE;
+ }
+ }
+
+ result = dns_message_peekheader(b, &id, &msgflags);
+ if (result != ISC_R_SUCCESS || l->sendmsg->id != id) {
+ match = ISC_FALSE;
+ if (l->tcp_mode) {
+ isc_boolean_t fail = ISC_TRUE;
+ if (result == ISC_R_SUCCESS) {
+ if (!query->first_soa_rcvd ||
+ query->warn_id)
+ printf(";; %s: ID mismatch: "
+ "expected ID %u, got %u\n",
+ query->first_soa_rcvd ?
+ "WARNING" : "ERROR",
+ l->sendmsg->id, id);
+ if (query->first_soa_rcvd)
+ fail = ISC_FALSE;
+ query->warn_id = ISC_FALSE;
+ } else
+ printf(";; ERROR: short "
+ "(< header size) message\n");
+ if (fail) {
+ isc_event_free(&event);
+ clear_query(query);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ match = ISC_TRUE;
+ } else if (result == ISC_R_SUCCESS)
+ printf(";; Warning: ID mismatch: "
+ "expected ID %u, got %u\n", l->sendmsg->id, id);
+ else
+ printf(";; Warning: short "
+ "(< header size) message received\n");
+ }
+
+ if (!match) {
+ isc_buffer_invalidate(&query->recvbuf);
+ isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+ ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+ result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+ global_task, recv_done, query);
+ check_result(result, "isc_socket_recvv");
+ recvcount++;
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+ return;
+ }
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ check_result(result, "dns_message_create");
+
+ if (key != NULL) {
+ if (l->querysig == NULL) {
+ debug("getting initial querysig");
+ result = dns_message_getquerytsig(l->sendmsg, mctx,
+ &l->querysig);
+ check_result(result, "dns_message_getquerytsig");
+ }
+ result = dns_message_setquerytsig(msg, l->querysig);
+ check_result(result, "dns_message_setquerytsig");
+ result = dns_message_settsigkey(msg, key);
+ check_result(result, "dns_message_settsigkey");
+ msg->tsigctx = l->tsigctx;
+ l->tsigctx = NULL;
+ if (l->msgcounter != 0)
+ msg->tcp_continuation = 1;
+ l->msgcounter++;
+ }
+
+ debug("before parse starts");
+ parseflags = DNS_MESSAGEPARSE_PRESERVEORDER;
+#ifdef DIG_SIGCHASE
+ if (!l->sigchase) {
+ do_sigchase = ISC_FALSE;
+ } else {
+ parseflags = 0;
+ do_sigchase = ISC_TRUE;
+ }
+#endif
+ if (l->besteffort) {
+ parseflags |= DNS_MESSAGEPARSE_BESTEFFORT;
+ parseflags |= DNS_MESSAGEPARSE_IGNORETRUNCATION;
+ }
+ result = dns_message_parse(msg, b, parseflags);
+ if (result == DNS_R_RECOVERABLE) {
+ printf(";; Warning: Message parser reports malformed "
+ "message packet.\n");
+ result = ISC_R_SUCCESS;
+ }
+ if (result != ISC_R_SUCCESS) {
+ printf(";; Got bad packet: %s\n", isc_result_totext(result));
+ hex_dump(b);
+ query->waiting_connect = ISC_FALSE;
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ clear_query(query);
+ cancel_lookup(l);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
+ && !l->ignore && !l->tcp_mode) {
+ printf(";; Truncated, retrying in TCP mode.\n");
+ n = requeue_lookup(l, ISC_TRUE);
+ n->tcp_mode = ISC_TRUE;
+ n->origin = query->lookup->origin;
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ clear_query(query);
+ cancel_lookup(l);
+ check_next_lookup(l);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) {
+ dig_query_t *next = ISC_LIST_NEXT(query, link);
+ if (l->current_query == query)
+ l->current_query = NULL;
+ if (next != NULL) {
+ debug("sending query %p\n", next);
+ if (l->tcp_mode)
+ send_tcp_connect(next);
+ else
+ send_udp(next);
+ }
+ /*
+ * If our query is at the head of the list and there
+ * is no next, we're the only one left, so fall
+ * through to print the message.
+ */
+ if ((ISC_LIST_HEAD(l->q) != query) ||
+ (ISC_LIST_NEXT(query, link) != NULL)) {
+ printf(";; Got SERVFAIL reply from %s, "
+ "trying next server\n",
+ query->servname);
+ clear_query(query);
+ check_next_lookup(l);
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+ return;
+ }
+ }
+
+ if (key != NULL) {
+ result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
+ if (result != ISC_R_SUCCESS) {
+ printf(";; Couldn't verify signature: %s\n",
+ isc_result_totext(result));
+ validated = ISC_FALSE;
+ }
+ l->tsigctx = msg->tsigctx;
+ msg->tsigctx = NULL;
+ if (l->querysig != NULL) {
+ debug("freeing querysig buffer %p", l->querysig);
+ isc_buffer_free(&l->querysig);
+ }
+ result = dns_message_getquerytsig(msg, mctx, &l->querysig);
+ check_result(result,"dns_message_getquerytsig");
+ }
+
+ debug("after parse");
+ if (l->doing_xfr && l->xfr_q == NULL) {
+ l->xfr_q = query;
+ /*
+ * Once we are in the XFR message, increase
+ * the timeout to much longer, so brief network
+ * outages won't cause the XFR to abort
+ */
+ if (timeout != INT_MAX && l->timer != NULL) {
+ unsigned int local_timeout;
+
+ if (timeout == 0) {
+ if (l->tcp_mode)
+ local_timeout = TCP_TIMEOUT * 4;
+ else
+ local_timeout = UDP_TIMEOUT * 4;
+ } else {
+ if (timeout < (INT_MAX / 4))
+ local_timeout = timeout * 4;
+ else
+ local_timeout = INT_MAX;
+ }
+ debug("have local timeout of %d", local_timeout);
+ isc_interval_set(&l->interval, local_timeout, 0);
+ result = isc_timer_reset(l->timer,
+ isc_timertype_once,
+ NULL,
+ &l->interval,
+ ISC_FALSE);
+ check_result(result, "isc_timer_reset");
+ }
+ }
+
+ if (!l->doing_xfr || l->xfr_q == query) {
+#ifdef DIG_SIGCHASE
+ int count = 0;
+#endif
+ if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
+ if (!next_origin(msg, query)) {
+ printmessage(query, msg, ISC_TRUE);
+ received(b->used, &sevent->address, query);
+ }
+ } else if (!l->trace && !l->ns_search_only) {
+#ifdef DIG_SIGCHASE
+ if (!do_sigchase)
+#endif
+ printmessage(query, msg, ISC_TRUE);
+ } else if (l->trace) {
+ int n = 0;
+#ifdef DIG_SIGCHASE
+ count = msg->counts[DNS_SECTION_ANSWER];
+#else
+ int count = msg->counts[DNS_SECTION_ANSWER];
+#endif
+
+ debug("in TRACE code");
+ if (!l->ns_search_only)
+ printmessage(query, msg, ISC_TRUE);
+
+ l->rdtype = l->qrdtype;
+ if (l->trace_root || (l->ns_search_only && count > 0)) {
+ if (!l->trace_root)
+ l->rdtype = dns_rdatatype_soa;
+ n = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
+ l->trace_root = ISC_FALSE;
+ } else if (count == 0)
+ n = followup_lookup(msg, query,
+ DNS_SECTION_AUTHORITY);
+ if (n == 0)
+ docancel = ISC_TRUE;
+ } else {
+ debug("in NSSEARCH code");
+
+ if (l->trace_root) {
+ /*
+ * This is the initial NS query.
+ */
+ int n;
+
+ l->rdtype = dns_rdatatype_soa;
+ n = followup_lookup(msg, query,
+ DNS_SECTION_ANSWER);
+ if (n == 0)
+ docancel = ISC_TRUE;
+ l->trace_root = ISC_FALSE;
+ } else
+#ifdef DIG_SIGCHASE
+ if (!do_sigchase)
+#endif
+ printmessage(query, msg, ISC_TRUE);
+ }
+#ifdef DIG_SIGCHASE
+ if ( do_sigchase) {
+ chase_msg = isc_mem_allocate(mctx,
+ sizeof(dig_message_t));
+ if (chase_msg == NULL) {
+ fatal("Memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ }
+ ISC_LIST_INITANDAPPEND(chase_message_list, chase_msg,
+ link);
+ if (dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE,
+ &msg_temp) != ISC_R_SUCCESS) {
+ fatal("dns_message_create in %s:%d",
+ __FILE__, __LINE__);
+ }
+
+ isc_buffer_usedregion(b, &r);
+ result = isc_buffer_allocate(mctx, &buf, r.length);
+
+ check_result(result, "isc_buffer_allocate");
+ result = isc_buffer_copyregion(buf, &r);
+ check_result(result, "isc_buffer_copyregion");
+
+ result = dns_message_parse(msg_temp, buf, 0);
+
+ isc_buffer_free(&buf);
+ chase_msg->msg = msg_temp;
+
+ chase_msg2 = isc_mem_allocate(mctx,
+ sizeof(dig_message_t));
+ if (chase_msg2 == NULL) {
+ fatal("Memory allocation failure in %s:%d",
+ __FILE__, __LINE__);
+ }
+ ISC_LIST_INITANDAPPEND(chase_message_list2, chase_msg2,
+ link);
+ chase_msg2->msg = msg;
+ }
+#endif
+
+ }
+
+#ifdef DIG_SIGCHASE
+ if (l->sigchase && ISC_LIST_EMPTY(lookup_list) ) {
+ sigchase(msg_temp);
+ }
+#endif
+
+ if (l->pending)
+ debug("still pending.");
+ if (l->doing_xfr) {
+ if (query != l->xfr_q) {
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ query->waiting_connect = ISC_FALSE;
+ UNLOCK_LOOKUP;
+ return;
+ }
+ if (!docancel)
+ docancel = check_for_more_data(query, msg, sevent);
+ if (docancel) {
+ dns_message_destroy(&msg);
+ clear_query(query);
+ cancel_lookup(l);
+ check_next_lookup(l);
+ }
+ } else {
+
+ if (msg->rcode == dns_rcode_noerror || l->origin == NULL) {
+
+#ifdef DIG_SIGCHASE
+ if (!l->sigchase)
+#endif
+ received(b->used, &sevent->address, query);
+ }
+
+ if (!query->lookup->ns_search_only)
+ query->lookup->pending = ISC_FALSE;
+ if (!query->lookup->ns_search_only ||
+ query->lookup->trace_root || docancel) {
+#ifdef DIG_SIGCHASE
+ if (!do_sigchase)
+#endif
+ dns_message_destroy(&msg);
+
+ cancel_lookup(l);
+ }
+ clear_query(query);
+ check_next_lookup(l);
+ }
+ if (msg != NULL) {
+#ifdef DIG_SIGCHASE
+ if (do_sigchase)
+ msg = NULL;
+ else
+#endif
+ dns_message_destroy(&msg);
+ }
+ isc_event_free(&event);
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Turn a name into an address, using system-supplied routines. This is
+ * used in looking up server names, etc... and needs to use system-supplied
+ * routines, since they may be using a non-DNS system for these lookups.
+ */
+void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+ int count;
+ isc_result_t result;
+
+ isc_app_block();
+ result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+ isc_app_unblock();
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't get address for '%s': %s",
+ host, isc_result_totext(result));
+ INSIST(count == 1);
+}
+
+/*
+ * Initiate either a TCP or UDP lookup
+ */
+void
+do_lookup(dig_lookup_t *lookup) {
+
+ REQUIRE(lookup != NULL);
+
+ debug("do_lookup()");
+ lookup->pending = ISC_TRUE;
+ if (lookup->tcp_mode)
+ send_tcp_connect(ISC_LIST_HEAD(lookup->q));
+ else
+ send_udp(ISC_LIST_HEAD(lookup->q));
+}
+
+/*
+ * Start everything in action upon task startup.
+ */
+void
+onrun_callback(isc_task_t *task, isc_event_t *event) {
+ UNUSED(task);
+
+ isc_event_free(&event);
+ LOCK_LOOKUP;
+ start_lookup();
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Make everything on the lookup queue go away. Mainly used by the
+ * SIGINT handler.
+ */
+void
+cancel_all(void) {
+ dig_lookup_t *l, *n;
+ dig_query_t *q, *nq;
+
+ debug("cancel_all()");
+
+ LOCK_LOOKUP;
+ if (free_now) {
+ UNLOCK_LOOKUP;
+ return;
+ }
+ cancel_now = ISC_TRUE;
+ if (current_lookup != NULL) {
+ if (current_lookup->timer != NULL)
+ isc_timer_detach(&current_lookup->timer);
+ q = ISC_LIST_HEAD(current_lookup->q);
+ while (q != NULL) {
+ debug("cancelling query %p, belonging to %p",
+ q, current_lookup);
+ nq = ISC_LIST_NEXT(q, link);
+ if (q->sock != NULL) {
+ isc_socket_cancel(q->sock, NULL,
+ ISC_SOCKCANCEL_ALL);
+ } else {
+ clear_query(q);
+ }
+ q = nq;
+ }
+ }
+ l = ISC_LIST_HEAD(lookup_list);
+ while (l != NULL) {
+ n = ISC_LIST_NEXT(l, link);
+ ISC_LIST_DEQUEUE(lookup_list, l, link);
+ try_clear_lookup(l);
+ l = n;
+ }
+ UNLOCK_LOOKUP;
+}
+
+/*
+ * Destroy all of the libs we are using, and get everything ready for a
+ * clean shutdown.
+ */
+void
+destroy_libs(void) {
+#ifdef DIG_SIGCHASE
+ void * ptr;
+ dig_message_t *chase_msg;
+#endif
+
+ debug("destroy_libs()");
+ if (global_task != NULL) {
+ debug("freeing task");
+ isc_task_detach(&global_task);
+ }
+ /*
+ * The taskmgr_destroy() call blocks until all events are cleared
+ * from the task.
+ */
+ if (taskmgr != NULL) {
+ debug("freeing taskmgr");
+ isc_taskmgr_destroy(&taskmgr);
+ }
+ LOCK_LOOKUP;
+ REQUIRE(sockcount == 0);
+ REQUIRE(recvcount == 0);
+ REQUIRE(sendcount == 0);
+
+ INSIST(ISC_LIST_HEAD(lookup_list) == NULL);
+ INSIST(current_lookup == NULL);
+ INSIST(!free_now);
+
+ free_now = ISC_TRUE;
+
+ lwres_conf_clear(lwctx);
+ lwres_context_destroy(&lwctx);
+
+ flush_server_list();
+
+ clear_searchlist();
+ if (commctx != NULL) {
+ debug("freeing commctx");
+ isc_mempool_destroy(&commctx);
+ }
+ if (socketmgr != NULL) {
+ debug("freeing socketmgr");
+ isc_socketmgr_destroy(&socketmgr);
+ }
+ if (timermgr != NULL) {
+ debug("freeing timermgr");
+ isc_timermgr_destroy(&timermgr);
+ }
+ if (key != NULL) {
+ debug("freeing key %p", key);
+ dns_tsigkey_detach(&key);
+ }
+ if (namebuf != NULL)
+ isc_buffer_free(&namebuf);
+
+ if (is_dst_up) {
+ debug("destroy DST lib");
+ dst_lib_destroy();
+ is_dst_up = ISC_FALSE;
+ }
+ if (entp != NULL) {
+ debug("detach from entropy");
+ isc_entropy_detach(&entp);
+ }
+
+ UNLOCK_LOOKUP;
+ DESTROYLOCK(&lookup_lock);
+#ifdef DIG_SIGCHASE
+
+ debug("Destroy the messages kept for sigchase");
+ /* Destroy the messages kept for sigchase */
+ chase_msg = ISC_LIST_HEAD(chase_message_list);
+
+ while (chase_msg != NULL) {
+ INSIST(chase_msg->msg != NULL);
+ dns_message_destroy(&(chase_msg->msg));
+ ptr = chase_msg;
+ chase_msg = ISC_LIST_NEXT(chase_msg, link);
+ isc_mem_free(mctx, ptr);
+ }
+
+ chase_msg = ISC_LIST_HEAD(chase_message_list2);
+
+ while (chase_msg != NULL) {
+ INSIST(chase_msg->msg != NULL);
+ dns_message_destroy(&(chase_msg->msg));
+ ptr = chase_msg;
+ chase_msg = ISC_LIST_NEXT(chase_msg, link);
+ isc_mem_free(mctx, ptr);
+ }
+ if (dns_name_dynamic(&chase_name))
+ dns_name_free(&chase_name, mctx);
+#if DIG_SIGCHASE_TD
+ if (dns_name_dynamic(&chase_current_name))
+ dns_name_free(&chase_current_name, mctx);
+ if (dns_name_dynamic(&chase_authority_name))
+ dns_name_free(&chase_authority_name, mctx);
+#endif
+#if DIG_SIGCHASE_BU
+ if (dns_name_dynamic(&chase_signame))
+ dns_name_free(&chase_signame, mctx);
+#endif
+
+ debug("Destroy memory");
+
+#endif
+ if (memdebugging != 0)
+ isc_mem_stats(mctx, stderr);
+ if (mctx != NULL)
+ isc_mem_destroy(&mctx);
+}
+
+
+
+
+#ifdef DIG_SIGCHASE
+void
+print_type(dns_rdatatype_t type)
+{
+ isc_buffer_t * b = NULL;
+ isc_result_t result;
+ isc_region_t r;
+
+ result = isc_buffer_allocate(mctx, &b, 4000);
+ check_result(result, "isc_buffer_allocate");
+
+ result = dns_rdatatype_totext(type, b);
+ check_result(result, "print_type");
+
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+
+ printf("%s", r.base);
+
+ isc_buffer_free(&b);
+}
+
+
+void
+dump_database_section( dns_message_t *msg, int section)
+{
+ dns_name_t *msg_name=NULL;
+
+ dns_rdataset_t *rdataset;
+
+ do {
+ dns_message_currentname(msg, section, &msg_name);
+
+ for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ dns_name_print(msg_name, stdout);
+ printf("\n");
+ print_rdataset(msg_name, rdataset, mctx);
+ printf("end\n");
+ }
+ msg_name = NULL;
+ } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS);
+}
+
+
+void dump_database(void)
+{
+ dig_message_t * msg;
+
+ for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL;
+ msg = ISC_LIST_NEXT(msg, link)) {
+ if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
+ == ISC_R_SUCCESS)
+ dump_database_section(msg->msg, DNS_SECTION_ANSWER);
+
+ if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
+ == ISC_R_SUCCESS)
+ dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
+
+ if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
+ == ISC_R_SUCCESS)
+ dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
+ }
+}
+
+
+dns_rdataset_t * search_type(dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers)
+{
+ dns_rdataset_t *rdataset;
+ dns_rdata_sig_t siginfo;
+ dns_rdata_t sigrdata;
+ isc_result_t result;
+
+ for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (type == dns_rdatatype_any) {
+ if (rdataset->type != dns_rdatatype_rrsig)
+ return rdataset;
+ }
+ else if ((type == dns_rdatatype_rrsig) &&
+ (rdataset->type == dns_rdatatype_rrsig)) {
+ dns_rdata_init(&sigrdata);
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "empty rdataset");
+ dns_rdataset_current(rdataset, &sigrdata);
+ result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+ check_result(result, "sigrdata tostruct siginfo");
+
+ if ((siginfo.covered == covers) ||
+ (covers == dns_rdatatype_any)) {
+ dns_rdata_reset(&sigrdata);
+ dns_rdata_freestruct(&siginfo);
+ return rdataset;
+ }
+ dns_rdata_reset(&sigrdata);
+ dns_rdata_freestruct(&siginfo);
+ }
+ else if (rdataset->type == type)
+ return rdataset;
+ }
+ return NULL;
+}
+
+dns_rdataset_t *
+chase_scanname_section(dns_message_t *msg,
+ dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ int section)
+{
+ dns_rdataset_t *rdataset;
+ dns_name_t *msg_name = NULL;
+
+ do {
+ dns_message_currentname(msg, section, &msg_name);
+ if (dns_name_compare(msg_name, name) == 0) {
+ rdataset = search_type(msg_name, type, covers);
+ if ( rdataset != NULL)
+ return rdataset;
+ }
+ msg_name = NULL;
+ } while ( dns_message_nextname(msg, section) == ISC_R_SUCCESS);
+
+ return(NULL);
+}
+
+
+dns_rdataset_t *
+chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+ dns_rdataset_t *rdataset = NULL;
+ dig_message_t * msg;
+
+ for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL;
+ msg = ISC_LIST_NEXT(msg, link)) {
+ if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
+ == ISC_R_SUCCESS)
+ rdataset = chase_scanname_section(msg->msg, name,
+ type, covers,
+ DNS_SECTION_ANSWER);
+ if (rdataset != NULL)
+ return rdataset;
+ if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
+ == ISC_R_SUCCESS)
+ rdataset =
+ chase_scanname_section(msg->msg, name,
+ type, covers,
+ DNS_SECTION_AUTHORITY);
+ if (rdataset != NULL)
+ return rdataset;
+ if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
+ == ISC_R_SUCCESS)
+ rdataset =
+ chase_scanname_section(msg->msg, name, type,
+ covers,
+ DNS_SECTION_ADDITIONAL);
+ if (rdataset != NULL)
+ return rdataset;
+ }
+
+ return NULL;
+}
+
+dns_rdataset_t *
+sigchase_scanname(dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_boolean_t * lookedup,
+ dns_name_t *rdata_name )
+{
+ dig_lookup_t *lookup;
+ isc_buffer_t *b = NULL;
+ isc_region_t r;
+ isc_result_t result;
+ dns_rdataset_t * temp;
+ dns_rdatatype_t querytype;
+
+ if ((temp=chase_scanname(rdata_name, type, covers))!=NULL) {
+ return(temp);
+ }
+
+ if (*lookedup == ISC_TRUE) {
+ return(NULL);
+ }
+
+ lookup = clone_lookup(current_lookup, ISC_TRUE);
+ lookup->trace_root = ISC_FALSE;
+ lookup->new_search = ISC_TRUE;
+
+ result = isc_buffer_allocate(mctx, &b, BUFSIZE);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_name_totext(rdata_name, ISC_FALSE, b);
+ check_result(result, "dns_name_totext");
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+ strcpy(lookup->textname, (char*)r.base);
+ isc_buffer_free(&b);
+
+ if (type == dns_rdatatype_rrsig)
+ querytype = covers;
+ else
+ querytype = type;
+ if (querytype == 0 || querytype == 255) {
+ printf("Error in the queried type: %d\n", querytype);
+ return(NULL);
+ }
+
+ lookup->rdtype = querytype;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->qrdtype = querytype;
+ *lookedup = ISC_TRUE;
+
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ printf("\n\nLaunch a query to find a RRset of type ");
+ print_type(type);
+ printf(" for zone: %s\n", lookup->textname);
+ return(NULL);
+}
+
+void
+insert_trustedkey(dst_key_t * key)
+{
+ if (key == NULL)
+ return;
+ if (tk_list.nb_tk >= MAX_TRUSTED_KEY)
+ return;
+
+ tk_list.key[tk_list.nb_tk++] = key;
+ return;
+}
+
+void
+clean_trustedkey()
+{
+ int i = 0;
+
+ for (i= 0; i < MAX_TRUSTED_KEY; i++) {
+ if (tk_list.key[i] != NULL) {
+ dst_key_free(&tk_list.key[i]);
+ tk_list.key[i] = NULL;
+ }
+ else
+ break;
+ }
+ tk_list.nb_tk = 0;
+ return;
+}
+
+char alphnum[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+isc_result_t
+removetmpkey(isc_mem_t *mctx, const char *file)
+{
+ char *tempnamekey = NULL;
+ int tempnamekeylen;
+ isc_result_t result;
+
+ tempnamekeylen = strlen(file)+10;
+
+ tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
+ if (tempnamekey == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(tempnamekey, 0, tempnamekeylen);
+
+ strcat(tempnamekey, file);
+ strcat(tempnamekey,".key");
+ isc_file_remove(tempnamekey);
+
+ result = isc_file_remove(tempnamekey);
+ isc_mem_free(mctx, tempnamekey);
+ return(result);
+}
+
+isc_result_t
+opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
+ FILE *f = NULL;
+ isc_result_t result;
+ char *tempname = NULL;
+ char *tempnamekey = NULL;
+ int tempnamelen;
+ int tempnamekeylen;
+ char *x;
+ char *cp;
+ isc_uint32_t which;
+
+ while (1) {
+ tempnamelen = strlen(file) + 20;
+ tempname = isc_mem_allocate(mctx, tempnamelen);
+ if (tempname == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(tempname, 0, tempnamelen);
+
+ result = isc_file_mktemplate(file, tempname, tempnamelen);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ cp = tempname;
+ while (*cp != '\0')
+ cp++;
+ if (cp == tempname) {
+ isc_mem_free(mctx, tempname);
+ return (ISC_R_FAILURE);
+ }
+
+ x = cp--;
+ while (cp >= tempname && *cp == 'X') {
+ isc_random_get(&which);
+ *cp = alphnum[which % (sizeof(alphnum) - 1)];
+ x = cp--;
+ }
+
+ tempnamekeylen = tempnamelen+5;
+ tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
+ if (tempnamekey == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(tempnamekey, 0, tempnamekeylen);
+ strncpy(tempnamekey, tempname, tempnamelen);
+ strcat(tempnamekey ,".key");
+
+
+ if (isc_file_exists(tempnamekey)) {
+ isc_mem_free(mctx, tempnamekey);
+ isc_mem_free(mctx, tempname);
+ continue;
+ }
+
+ if ((f = fopen(tempnamekey, "w")) == NULL) {
+ printf("get_trusted_key(): trusted key not found %s\n",
+ tempnamekey);
+ return ISC_R_FAILURE;
+ }
+ break;
+ }
+ isc_mem_free(mctx, tempnamekey);
+ *tempp = tempname;
+ *fp = f;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mem_free(mctx, tempname);
+
+ return (result);
+}
+
+
+isc_result_t
+get_trusted_key(isc_mem_t *mctx)
+{
+ isc_result_t result;
+ const char * filename = NULL;
+ char * filetemp =NULL;
+ char buf[1500];
+ FILE *fp , *fptemp;
+ dst_key_t * key = NULL;
+
+ result = isc_file_exists(trustedkey);
+ if (result != ISC_TRUE) {
+ result = isc_file_exists("/etc/trusted-key.key");
+ if (result != ISC_TRUE) {
+ result = isc_file_exists("./trusted-key.key");
+ if (result != ISC_TRUE)
+ return ISC_R_FAILURE;
+ else
+ filename = "./trusted-key.key";
+ }
+ else
+ filename = "/etc/trusted-key.key";
+ }
+ else
+ filename = trustedkey;
+
+ if (filename == NULL) {
+ printf("No trusted key\n");
+ return ISC_R_FAILURE;
+ }
+
+ if ((fp = fopen(filename, "r")) == NULL) {
+ printf("get_trusted_key(): trusted key not found %s\n",
+ filename);
+ return ISC_R_FAILURE;
+ }
+ while (fgets(buf, 1500, fp) != NULL) {
+ result = opentmpkey(mctx,"tmp_file", &filetemp, &fptemp);
+ if (result != ISC_R_SUCCESS) {
+ fclose(fp);
+ return ISC_R_FAILURE;
+ }
+ if (fputs(buf, fptemp)<0) {
+ fclose(fp);
+ fclose(fptemp);
+ return ISC_R_FAILURE;
+ }
+ fclose(fptemp);
+ result = dst_key_fromnamedfile(filetemp, DST_TYPE_PUBLIC |
+ DST_TYPE_KEY, mctx, &key);
+ removetmpkey(mctx, filetemp);
+ isc_mem_free(mctx, filetemp);
+ if (result != ISC_R_SUCCESS ) {
+ fclose(fp);
+ return ISC_R_FAILURE;
+ }
+ insert_trustedkey(key);
+#if 0
+ dst_key_tofile(key, DST_TYPE_PUBLIC,"/tmp");
+#endif
+ key = NULL;
+ }
+ return ISC_R_SUCCESS;
+}
+
+
+static void
+nameFromString(const char *str, dns_name_t *p_ret) {
+ size_t len = strlen(str);
+ isc_result_t result;
+ isc_buffer_t buffer;
+ dns_fixedname_t fixedname;
+
+ REQUIRE(p_ret != NULL);
+ REQUIRE(str != NULL);
+
+ isc_buffer_init(&buffer, str, len);
+ isc_buffer_add(&buffer, len);
+
+ dns_fixedname_init(&fixedname);
+ result = dns_name_fromtext(dns_fixedname_name(&fixedname), &buffer,
+ dns_rootname, ISC_TRUE, NULL);
+ check_result(result, "nameFromString");
+
+ if (dns_name_dynamic(p_ret))
+ dns_name_free(p_ret, mctx);
+
+ result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
+ check_result(result, "nameFromString");
+}
+
+
+#if DIG_SIGCHASE_TD
+isc_result_t
+prepare_lookup(dns_name_t *name)
+{
+ isc_result_t result;
+ dig_lookup_t * lookup = NULL;
+ dig_server_t *s;
+ void *ptr;
+
+ lookup = clone_lookup(current_lookup, ISC_TRUE);
+ lookup->trace_root = ISC_FALSE;
+ lookup->new_search = ISC_TRUE;
+ lookup->trace_root_sigchase = ISC_FALSE;
+
+ strncpy(lookup->textname, lookup->textnamesigchase, MXNAME);
+
+ lookup->rdtype = lookup->rdtype_sigchase;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->qrdtype = lookup->qrdtype_sigchase;
+
+ s = ISC_LIST_HEAD(lookup->my_server_list);
+ while (s != NULL) {
+ debug("freeing server %p belonging to %p",
+ s, lookup);
+ ptr = s;
+ s = ISC_LIST_NEXT(s, link);
+ ISC_LIST_DEQUEUE(lookup->my_server_list,
+ (dig_server_t *)ptr, link);
+ isc_mem_free(mctx, ptr);
+ }
+
+
+ for (result = dns_rdataset_first(chase_nsrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(chase_nsrdataset)) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_rdata_ns_t ns;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dig_server_t * srv = NULL;
+#define __FOLLOW_GLUE__
+#ifdef __FOLLOW_GLUE__
+ isc_buffer_t * b = NULL;
+ isc_result_t result;
+ isc_region_t r;
+ dns_rdataset_t * rdataset =NULL;
+ isc_boolean_t true = ISC_TRUE;
+#endif
+
+ memset(namestr, 0, DNS_NAME_FORMATSIZE);
+
+ dns_rdataset_current(chase_nsrdataset, &rdata);
+
+ (void)dns_rdata_tostruct(&rdata, &ns, NULL);
+
+
+
+#ifdef __FOLLOW_GLUE__
+
+ result = advanced_rrsearch(&rdataset, &ns.name,
+ dns_rdatatype_aaaa,
+ dns_rdatatype_any, &true);
+ if (result == ISC_R_SUCCESS) {
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t aaaa = DNS_RDATA_INIT;
+ dns_rdataset_current(rdataset, &aaaa);
+
+ result = isc_buffer_allocate(mctx, &b, 80);
+ check_result(result, "isc_buffer_allocate");
+
+ dns_rdata_totext(&aaaa, &ns.name, b);
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+ strncpy(namestr, (char*)r.base,
+ DNS_NAME_FORMATSIZE);
+ isc_buffer_free(&b);
+ dns_rdata_reset(&aaaa);
+
+
+ srv = make_server(namestr);
+
+ ISC_LIST_APPEND(lookup->my_server_list,
+ srv, link);
+ }
+ }
+
+ rdataset = NULL;
+ result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
+ dns_rdatatype_any, &true);
+ if (result == ISC_R_SUCCESS) {
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdata_t a = DNS_RDATA_INIT;
+ dns_rdataset_current(rdataset, &a);
+
+ result = isc_buffer_allocate(mctx, &b, 80);
+ check_result(result, "isc_buffer_allocate");
+
+ dns_rdata_totext(&a, &ns.name, b);
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+ strncpy(namestr, (char*)r.base,
+ DNS_NAME_FORMATSIZE);
+ isc_buffer_free(&b);
+ dns_rdata_reset(&a);
+ printf("ns name: %s\n", namestr);
+
+
+ srv = make_server(namestr);
+
+ ISC_LIST_APPEND(lookup->my_server_list,
+ srv, link);
+ }
+ }
+#else
+
+ dns_name_format(&ns.name, namestr, sizeof(namestr));
+ printf("ns name: ");
+ dns_name_print(&ns.name, stdout);
+ printf("\n");
+ srv = make_server(namestr);
+
+ ISC_LIST_APPEND(lookup->my_server_list, srv, link);
+
+#endif
+ dns_rdata_freestruct(&ns);
+ dns_rdata_reset(&rdata);
+
+ }
+
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ printf("\nLaunch a query to find a RRset of type ");
+ print_type(lookup->rdtype);
+ printf(" for zone: %s", lookup->textname);
+ printf(" with nameservers:");
+ printf("\n");
+ print_rdataset(name, chase_nsrdataset, mctx);
+ return ISC_R_SUCCESS;
+}
+
+
+isc_result_t
+child_of_zone(dns_name_t * name, dns_name_t * zone_name,
+ dns_name_t * child_name)
+{
+ dns_namereln_t name_reln;
+ int orderp;
+ unsigned int nlabelsp;
+
+ name_reln = dns_name_fullcompare(name, zone_name, &orderp, &nlabelsp);
+ if ( (name_reln != dns_namereln_subdomain) ||
+ (dns_name_countlabels(name) <=
+ dns_name_countlabels(zone_name) +1)) {
+ printf("\n;; ERROR : ");
+ dns_name_print(name, stdout);
+ printf(" is not a subdomain of: ");
+ dns_name_print(zone_name, stdout);
+ printf(" FAILED\n\n");
+ return ISC_R_FAILURE;
+ }
+
+ dns_name_getlabelsequence(name,
+ dns_name_countlabels(name) -
+ dns_name_countlabels(zone_name) -1,
+ dns_name_countlabels(zone_name) +1,
+ child_name);
+ return ISC_R_SUCCESS;
+}
+
+isc_result_t
+grandfather_pb_test(dns_name_t * zone_name, dns_rdataset_t * sigrdataset)
+{
+ isc_result_t result;
+ dns_rdata_t sigrdata;
+ dns_rdata_sig_t siginfo;
+
+ result = dns_rdataset_first(sigrdataset);
+ check_result(result, "empty RRSIG dataset");
+ dns_rdata_init(&sigrdata);
+
+ do {
+ dns_rdataset_current(sigrdataset, &sigrdata);
+
+ result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+ check_result(result, "sigrdata tostruct siginfo");
+
+ if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
+ dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
+ return ISC_R_SUCCESS;
+ }
+
+ dns_rdata_freestruct(&siginfo);
+
+ } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+
+ dns_rdata_reset(&sigrdata);
+
+ return ISC_R_FAILURE;
+}
+
+
+isc_result_t
+initialization(dns_name_t * name)
+{
+ isc_result_t result;
+ isc_boolean_t true = ISC_TRUE;
+
+ chase_nsrdataset = NULL;
+ result = advanced_rrsearch(&chase_nsrdataset, name, dns_rdatatype_ns,
+ dns_rdatatype_any, &true);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; NS RRset is missing to continue validation:"
+ " FAILED\n\n");
+ return ISC_R_FAILURE;
+ }
+ INSIST(chase_nsrdataset != NULL);
+ prepare_lookup(name);
+
+ dup_name(name, &chase_current_name, mctx);
+
+ return ISC_R_SUCCESS;
+}
+#endif
+
+void
+print_rdataset(dns_name_t * name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
+{
+ isc_buffer_t * b = NULL;
+ isc_result_t result;
+ isc_region_t r;
+
+ result = isc_buffer_allocate(mctx, &b, 9000);
+ check_result(result, "isc_buffer_allocate");
+
+ printrdataset(name, rdataset, b);
+
+ isc_buffer_usedregion(b, &r);
+ r.base[r.length] = '\0';
+
+
+ printf("%s\n", r.base);
+
+ isc_buffer_free(&b);
+}
+
+
+void
+dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
+ isc_result_t result;
+
+ if (dns_name_dynamic(target))
+ dns_name_free(target, mctx);
+ result = dns_name_dup(source, mctx, target);
+ check_result(result, "dns_name_dup");
+}
+
+/*
+ *
+ * take a DNSKEY RRset and the RRSIG RRset corresponding in parameter
+ * return ISC_R_SUCCESS if the DNSKEY RRset contains a trusted_key
+ * and the RRset is valid
+ * return ISC_R_NOTFOUND if not contains trusted key
+ or if the RRset isn't valid
+ * return ISC_R_FAILURE if problem
+ *
+ */
+isc_result_t
+contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset,
+ isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_rdata_t rdata;
+ dst_key_t * trustedKey = NULL;
+ dst_key_t * dnsseckey = NULL;
+ int i;
+
+ if (name == NULL || rdataset == NULL) {
+ return ISC_R_FAILURE;
+ }
+
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "empty rdataset");
+ dns_rdata_init(&rdata);
+
+ do {
+ dns_rdataset_current(rdataset, &rdata);
+ INSIST(rdata.type == dns_rdatatype_dnskey);
+
+ result = dns_dnssec_keyfromrdata(name, &rdata,
+ mctx, &dnsseckey);
+ check_result(result, "dns_dnssec_keyfromrdata");
+
+
+ for (i = 0; i< tk_list.nb_tk; i++) {
+ if (dst_key_compare(tk_list.key[i], dnsseckey)
+ == ISC_TRUE) {
+ dns_rdata_reset(&rdata);
+
+ printf(";; Ok, find a Trusted Key in the "
+ "DNSKEY RRset: %d\n",
+ dst_key_id(dnsseckey));
+ if (sigchase_verify_sig_key(name, rdataset,
+ dnsseckey,
+ sigrdataset,
+ mctx)
+ == ISC_R_SUCCESS) {
+ dst_key_free(&dnsseckey);
+ dnsseckey = NULL;
+ return ISC_R_SUCCESS;
+ }
+ }
+ }
+
+ dns_rdata_reset(&rdata);
+ if (dnsseckey != NULL)
+ dst_key_free(&dnsseckey);
+ } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+
+ if (trustedKey != NULL)
+ dst_key_free(&trustedKey);
+ trustedKey = NULL;
+
+ return ISC_R_NOTFOUND;
+}
+
+isc_result_t
+sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_rdataset_t *keyrdataset,
+ dns_rdataset_t *sigrdataset,
+ isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_rdata_t keyrdata;
+ dst_key_t * dnsseckey = NULL;
+
+ result = dns_rdataset_first(keyrdataset);
+ check_result(result, "empty DNSKEY dataset");
+ dns_rdata_init(&keyrdata);
+
+ do {
+ dns_rdataset_current(keyrdataset, &keyrdata);
+ INSIST(keyrdata.type == dns_rdatatype_dnskey);
+
+ result = dns_dnssec_keyfromrdata(name, &keyrdata,
+ mctx, &dnsseckey);
+ check_result(result, "dns_dnssec_keyfromrdata");
+
+ result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
+ sigrdataset, mctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_reset(&keyrdata);
+ dst_key_free(&dnsseckey);
+ return(ISC_R_SUCCESS);
+ }
+ dst_key_free(&dnsseckey);
+ } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+
+ dns_rdata_reset(&keyrdata);
+
+ return ISC_R_NOTFOUND;
+}
+
+isc_result_t
+sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
+ dst_key_t* dnsseckey,
+ dns_rdataset_t *sigrdataset, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_rdata_t sigrdata;
+ dns_rdata_sig_t siginfo;
+
+ result = dns_rdataset_first(sigrdataset);
+ check_result(result, "empty RRSIG dataset");
+ dns_rdata_init(&sigrdata);
+
+ do {
+ dns_rdataset_current(sigrdataset, &sigrdata);
+
+ result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+ check_result(result, "sigrdata tostruct siginfo");
+
+ /*
+ * Test if the id of the DNSKEY is
+ * the id of the DNSKEY signer's
+ */
+ if (siginfo.keyid == dst_key_id(dnsseckey)) {
+
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "empty DS dataset");
+
+ result = dns_dnssec_verify(name, rdataset, dnsseckey,
+ ISC_FALSE, mctx, &sigrdata);
+
+ printf(";; VERIFYING ");
+ print_type(rdataset->type);
+ printf(" RRset for ");
+ dns_name_print(name, stdout);
+ printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
+ isc_result_totext(result));
+
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_reset(&sigrdata);
+ return result;
+ }
+ }
+ dns_rdata_freestruct(&siginfo);
+
+ } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+
+ dns_rdata_reset(&sigrdata);
+
+ return ISC_R_NOTFOUND;
+}
+
+
+isc_result_t
+sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
+ dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_rdata_t keyrdata;
+ dns_rdata_t newdsrdata;
+ dns_rdata_t dsrdata;
+ dns_rdata_ds_t dsinfo;
+ dst_key_t* dnsseckey = NULL;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+
+ result = dns_rdataset_first(dsrdataset);
+ check_result(result, "empty DSset dataset");
+ dns_rdata_init(&dsrdata);
+ do {
+ dns_rdataset_current(dsrdataset, &dsrdata);
+
+ result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
+ check_result(result, "dns_rdata_tostruct for DS");
+
+ result = dns_rdataset_first(keyrdataset);
+ check_result(result, "empty KEY dataset");
+ dns_rdata_init(&keyrdata);
+
+ do {
+ dns_rdataset_current(keyrdataset, &keyrdata);
+ INSIST(keyrdata.type == dns_rdatatype_dnskey);
+
+ result = dns_dnssec_keyfromrdata(name, &keyrdata,
+ mctx, &dnsseckey);
+ check_result(result, "dns_dnssec_keyfromrdata");
+
+ /*
+ * Test if the id of the DNSKEY is the
+ * id of DNSKEY referenced by the DS
+ */
+ if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+ dns_rdata_init(&newdsrdata);
+
+ result = dns_ds_buildrdata(name, &keyrdata,
+ dsinfo.digest_type,
+ dsbuf, &newdsrdata);
+ dns_rdata_freestruct(&dsinfo);
+
+ if (result != ISC_R_SUCCESS) {
+ dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&newdsrdata);
+ dns_rdata_reset(&dsrdata);
+ dst_key_free(&dnsseckey);
+ dns_rdata_freestruct(&dsinfo);
+ printf("Oops: impossible to build"
+ " new DS rdata\n");
+ return result;
+ }
+
+
+ if (dns_rdata_compare(&dsrdata,
+ &newdsrdata) == 0) {
+ printf(";; OK a DS valids a DNSKEY"
+ " in the RRset\n");
+ printf(";; Now verify that this"
+ " DNSKEY validates the "
+ "DNSKEY RRset\n");
+
+ result = sigchase_verify_sig_key(name,
+ keyrdataset,
+ dnsseckey,
+ chase_sigkeyrdataset,
+ mctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_reset(&keyrdata);
+ dns_rdata_reset(&newdsrdata);
+ dns_rdata_reset(&dsrdata);
+ dst_key_free(&dnsseckey);
+
+ return result;
+ }
+ }
+ else {
+ printf(";; This DS is NOT the DS for"
+ " the chasing KEY: FAILED\n");
+ }
+
+ dns_rdata_reset(&newdsrdata);
+ }
+ dst_key_free(&dnsseckey);
+ dnsseckey = NULL;
+ } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+ dns_rdata_reset(&keyrdata);
+
+ } while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
+#if 0
+ dns_rdata_reset(&dsrdata); WARNING
+#endif
+
+ return ISC_R_NOTFOUND;
+}
+
+/*
+ *
+ * take a pointer on a rdataset in parameter and try to resolv it.
+ * the searched rrset is a rrset on 'name' with type 'type'
+ * (and if the type is a rrsig the signature cover 'covers').
+ * the lookedup is to known if you have already done the query on the net.
+ * ISC_R_SUCCESS: if we found the rrset
+ * ISC_R_NOTFOUND: we do not found the rrset in cache
+ * and we do a query on the net
+ * ISC_R_FAILURE: rrset not found
+ */
+isc_result_t
+advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t * name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ isc_boolean_t *lookedup)
+{
+ isc_boolean_t tmplookedup;
+
+ INSIST(rdataset != NULL);
+
+ if (*rdataset != NULL)
+ return(ISC_R_SUCCESS);
+
+ tmplookedup = *lookedup;
+ if ((*rdataset = sigchase_scanname(type, covers,
+ lookedup, name)) == NULL) {
+ if (tmplookedup)
+ return (ISC_R_FAILURE);
+ return (ISC_R_NOTFOUND);
+ }
+ *lookedup = ISC_FALSE;
+ return(ISC_R_SUCCESS);
+}
+
+
+
+#if DIG_SIGCHASE_TD
+void
+sigchase_td(dns_message_t * msg)
+{
+ isc_result_t result;
+ dns_name_t * name = NULL;
+ isc_boolean_t have_answer = ISC_FALSE;
+
+ isc_boolean_t true = ISC_TRUE;
+
+ if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
+ == ISC_R_SUCCESS) {
+ dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+ if (current_lookup->trace_root_sigchase) {
+ initialization(name);
+ return;
+ }
+ have_answer = true;
+ }
+ else {
+ if (!current_lookup->trace_root_sigchase) {
+ result = dns_message_firstname(msg,
+ DNS_SECTION_AUTHORITY);
+ if (result == ISC_R_SUCCESS)
+ dns_message_currentname(msg,
+ DNS_SECTION_AUTHORITY,
+ &name);
+ chase_nsrdataset
+ = chase_scanname_section(msg, name,
+ dns_rdatatype_ns,
+ dns_rdatatype_any,
+ DNS_SECTION_AUTHORITY);
+ dup_name(name, &chase_authority_name, mctx);
+ if (chase_nsrdataset != NULL) {
+ have_delegation_ns = ISC_TRUE;
+ printf("no response but there is a delegation"
+ " in authority section:");
+ dns_name_print(name, stdout);
+ printf("\n");
+ }
+ else {
+ printf("no response and no delegation in "
+ "authority section but a reference"
+ " to: ");
+ dns_name_print(name, stdout);
+ printf("\n");
+ error_message = msg;
+ }
+ }
+ else {
+ printf(";; NO ANSWERS: %s\n",
+ isc_result_totext(result));
+ dns_name_free(&chase_name, mctx);
+ clean_trustedkey();
+ return;
+ }
+ }
+
+
+ if (have_answer) {
+ chase_rdataset
+ = chase_scanname_section(msg, &chase_name,
+ current_lookup
+ ->rdtype_sigchase,
+ dns_rdatatype_any,
+ DNS_SECTION_ANSWER);
+ if (chase_rdataset != NULL)
+ have_response = ISC_TRUE;
+ }
+
+ result = advanced_rrsearch(&chase_keyrdataset,
+ &chase_current_name,
+ dns_rdatatype_dnskey,
+ dns_rdatatype_any,
+ &chase_keylookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; DNSKEY is missing to continue validation:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ if (result == ISC_R_NOTFOUND)
+ return;
+ INSIST(chase_keyrdataset != NULL);
+ printf("\n;; DNSKEYset:\n");
+ print_rdataset(&chase_current_name , chase_keyrdataset, mctx);
+
+
+ result = advanced_rrsearch(&chase_sigkeyrdataset,
+ &chase_current_name,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_dnskey,
+ &chase_sigkeylookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRSIG of DNSKEY is missing to continue validation:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ if (result == ISC_R_NOTFOUND)
+ return;
+ INSIST(chase_sigkeyrdataset != NULL);
+ printf("\n;; RRSIG of the DNSKEYset:\n");
+ print_rdataset(&chase_current_name , chase_sigkeyrdataset, mctx);
+
+
+ if (!chase_dslookedup && !chase_nslookedup) {
+ if (!delegation_follow) {
+ result = contains_trusted_key(&chase_current_name,
+ chase_keyrdataset,
+ chase_sigkeyrdataset,
+ mctx);
+ }
+ else {
+ INSIST(chase_dsrdataset != NULL);
+ INSIST(chase_sigdsrdataset != NULL);
+ result = sigchase_verify_ds(&chase_current_name,
+ chase_keyrdataset,
+ chase_dsrdataset,
+ mctx);
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; chain of trust can't be validated:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ else {
+ chase_dsrdataset = NULL;
+ chase_sigdsrdataset = NULL;
+ }
+ }
+
+ if (have_response || (!have_delegation_ns && !have_response)) {
+ /* test if it's a grand father case */
+
+ if (have_response) {
+ result = advanced_rrsearch(&chase_sigrdataset,
+ &chase_name,
+ dns_rdatatype_rrsig,
+ current_lookup
+ ->rdtype_sigchase,
+ &true);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRset is missing to continue"
+ " validation SHOULD NOT APPEND:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+
+ }
+ else {
+ result = advanced_rrsearch(&chase_sigrdataset,
+ &chase_authority_name,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_any,
+ &true);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRSIG is missing to continue"
+ " validation SHOULD NOT APPEND:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ }
+ result = grandfather_pb_test(&chase_current_name,
+ chase_sigrdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_t tmp_name;
+
+ printf("\n;; We are in a Grand Father Problem:"
+ " See 2.2.1 in RFC 3568\n");
+ chase_rdataset = NULL;
+ chase_sigrdataset = NULL;
+ have_response = ISC_FALSE;
+ have_delegation_ns = ISC_FALSE;
+
+ dns_name_init(&tmp_name, NULL);
+ result = child_of_zone(&chase_name, &chase_current_name,
+ &tmp_name);
+ if (dns_name_dynamic(&chase_authority_name))
+ dns_name_free( &chase_authority_name, mctx);
+ dup_name(&tmp_name, &chase_authority_name, mctx);
+ printf(";; and we try to continue chain of trust"
+ " validation of the zone: ");
+ dns_name_print(&chase_authority_name, stdout);
+ printf("\n");
+ have_delegation_ns = ISC_TRUE;
+ }
+ else {
+ if (have_response)
+ goto finalstep;
+ else
+ chase_sigrdataset = NULL;
+ }
+ }
+
+ if (have_delegation_ns) {
+ chase_nsrdataset = NULL;
+ result = advanced_rrsearch(&chase_nsrdataset,
+ &chase_authority_name,
+ dns_rdatatype_ns,
+ dns_rdatatype_any,
+ &chase_nslookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;;NSset is missing to continue validation:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ if (result == ISC_R_NOTFOUND) {
+ return;
+ }
+ INSIST(chase_nsrdataset != NULL);
+
+ result = advanced_rrsearch(&chase_dsrdataset,
+ &chase_authority_name,
+ dns_rdatatype_ds,
+ dns_rdatatype_any,
+ &chase_dslookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; DSset is missing to continue validation:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ if (result == ISC_R_NOTFOUND)
+ return;
+ INSIST(chase_dsrdataset != NULL);
+ printf("\n;; DSset:\n");
+ print_rdataset(&chase_authority_name , chase_dsrdataset, mctx);
+
+ result = advanced_rrsearch(&chase_sigdsrdataset,
+ &chase_authority_name,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds,
+ &true);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; DSset is missing to continue validation:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ printf("\n;; RRSIGset of DSset\n");
+ print_rdataset(&chase_authority_name,
+ chase_sigdsrdataset, mctx);
+ INSIST(chase_sigdsrdataset != NULL);
+
+ result = sigchase_verify_sig(&chase_authority_name,
+ chase_dsrdataset,
+ chase_keyrdataset,
+ chase_sigdsrdataset, mctx);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; Impossible to verify the DSset:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ chase_keyrdataset = NULL;
+ chase_sigkeyrdataset = NULL;
+
+
+ prepare_lookup(&chase_authority_name);
+
+ have_response = ISC_FALSE;
+ have_delegation_ns = ISC_FALSE;
+ delegation_follow = ISC_TRUE;
+ error_message = NULL;
+ dup_name(&chase_authority_name, &chase_current_name, mctx);
+ dns_name_free(&chase_authority_name, mctx);
+ return;
+ }
+
+
+ if (error_message != NULL) {
+ dns_rdataset_t * rdataset;
+ dns_rdataset_t * sigrdataset;
+ dns_name_t rdata_name;
+ isc_result_t ret = ISC_R_FAILURE;
+
+ dns_name_init(&rdata_name, NULL);
+ result = prove_nx(error_message, &chase_name,
+ current_lookup->rdclass_sigchase,
+ current_lookup->rdtype_sigchase, &rdata_name,
+ &rdataset, &sigrdataset);
+ if (&rdata_name == NULL || rdataset == NULL ||
+ sigrdataset == NULL) {
+ printf("\n;; Impossible to verify the non-existence,"
+ " the NSEC RRset can't be validated:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ ret = sigchase_verify_sig(&rdata_name, rdataset,
+ chase_keyrdataset,
+ sigrdataset, mctx);
+ if (ret != ISC_R_SUCCESS) {
+ dns_name_free(&rdata_name, mctx);
+ printf("\n;; Impossible to verify the NSEC RR to prove"
+ " the non-existence : FAILED\n\n");
+ goto cleanandgo;
+ }
+ dns_name_free(&rdata_name, mctx);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; Impossible to verify the non-existence:"
+ " FAILED\n\n");
+ goto cleanandgo;
+ }
+ else {
+ printf("\n;; OK the query doesn't have response but"
+ " we have validate this fact : SUCCESS\n\n");
+ goto cleanandgo;
+ }
+ }
+
+ cleanandgo:
+ printf(";; cleanandgo \n");
+ if (dns_name_dynamic(&chase_current_name))
+ dns_name_free(&chase_current_name, mctx);
+ if (dns_name_dynamic(&chase_authority_name))
+ dns_name_free(&chase_authority_name, mctx);
+ clean_trustedkey();
+ return;
+
+ finalstep :
+ result = advanced_rrsearch(&chase_rdataset, &chase_name,
+ current_lookup->rdtype_sigchase,
+ dns_rdatatype_any ,
+ &true);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRsig of RRset is missing to continue validation"
+ " SHOULD NOT APPEND: FAILED\n\n");
+ goto cleanandgo;
+ }
+ result = sigchase_verify_sig(&chase_name, chase_rdataset,
+ chase_keyrdataset,
+ chase_sigrdataset, mctx);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; Impossible to verify the RRset : FAILED\n\n");
+ /*
+ printf("RRset:\n");
+ print_rdataset(&chase_name , chase_rdataset, mctx);
+ printf("DNSKEYset:\n");
+ print_rdataset(&chase_name , chase_keyrdataset, mctx);
+ printf("RRSIG of RRset:\n");
+ print_rdataset(&chase_name , chase_sigrdataset, mctx);
+ printf("\n");
+ */
+ goto cleanandgo;
+ }
+ else {
+ printf("\n;; The Answer:\n");
+ print_rdataset(&chase_name , chase_rdataset, mctx);
+
+ printf("\n;; FINISH : we have validate the DNSSEC chain"
+ " of trust: SUCCESS\n\n");
+ goto cleanandgo;
+ }
+}
+
+#endif
+
+
+#if DIG_SIGCHASE_BU
+
+isc_result_t
+getneededrr(dns_message_t *msg)
+{
+ isc_result_t result;
+ dns_name_t *name = NULL;
+ dns_rdata_t sigrdata;
+ dns_rdata_sig_t siginfo;
+ isc_boolean_t true = ISC_TRUE;
+
+ if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
+ != ISC_R_SUCCESS) {
+ printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
+
+ if (chase_name.ndata == NULL) {
+ return ISC_R_ADDRNOTAVAIL;
+ }
+ }
+ else {
+ dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+ }
+
+ /* What do we chase? */
+ if (chase_rdataset == NULL) {
+ result = advanced_rrsearch(&chase_rdataset, name,
+ dns_rdatatype_any,
+ dns_rdatatype_any, &true);
+ if (result != ISC_R_SUCCESS) {
+ printf("\n;; No Answers: Validation FAILED\n\n");
+ return ISC_R_NOTFOUND;
+ }
+ dup_name(name, &chase_name, mctx);
+ printf(";; RRset to chase:\n");
+ print_rdataset(&chase_name, chase_rdataset, mctx);
+ }
+ INSIST(chase_rdataset != NULL);
+
+
+ if (chase_sigrdataset == NULL) {
+ result = advanced_rrsearch(&chase_sigrdataset, name,
+ dns_rdatatype_rrsig,
+ chase_rdataset->type,
+ &chase_siglookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRSIG is missing for continue validation:"
+ " FAILED\n\n");
+ if (dns_name_dynamic(&chase_name))
+ dns_name_free(&chase_name, mctx);
+ return ISC_R_NOTFOUND;
+ }
+ if (result == ISC_R_NOTFOUND) {
+ return(ISC_R_NOTFOUND);
+ }
+ printf("\n;; RRSIG of the RRset to chase:\n");
+ print_rdataset(&chase_name, chase_sigrdataset, mctx);
+ }
+ INSIST(chase_sigrdataset != NULL);
+
+
+ /* first find the DNSKEY name */
+ result = dns_rdataset_first(chase_sigrdataset);
+ check_result(result, "empty RRSIG dataset");
+ dns_rdata_init(&sigrdata);
+ dns_rdataset_current(chase_sigrdataset, &sigrdata);
+ result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
+ check_result(result, "sigrdata tostruct siginfo");
+ dup_name(&siginfo.signer, &chase_signame, mctx);
+ dns_rdata_freestruct(&siginfo);
+ dns_rdata_reset(&sigrdata);
+
+ /* Do we have a key? */
+ if (chase_keyrdataset == NULL) {
+ result = advanced_rrsearch(&chase_keyrdataset,
+ &chase_signame,
+ dns_rdatatype_dnskey,
+ dns_rdatatype_any,
+ &chase_keylookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; DNSKEY is missing to continue validation:"
+ " FAILED\n\n");
+ dns_name_free(&chase_signame, mctx);
+ if (dns_name_dynamic(&chase_name))
+ dns_name_free(&chase_name, mctx);
+ return ISC_R_NOTFOUND;
+ }
+ if (result == ISC_R_NOTFOUND) {
+ dns_name_free(&chase_signame, mctx);
+ return(ISC_R_NOTFOUND);
+ }
+ printf("\n;; DNSKEYset that signs the RRset to chase:\n");
+ print_rdataset(&chase_signame, chase_keyrdataset, mctx);
+ }
+ INSIST(chase_keyrdataset != NULL);
+
+ if (chase_sigkeyrdataset == NULL) {
+ result = advanced_rrsearch(&chase_sigkeyrdataset,
+ &chase_signame,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_dnskey,
+ &chase_sigkeylookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; RRSIG for DNSKEY is missing to continue"
+ " validation : FAILED\n\n");
+ dns_name_free(&chase_signame, mctx);
+ if (dns_name_dynamic(&chase_name))
+ dns_name_free(&chase_name, mctx);
+ return ISC_R_NOTFOUND;
+ }
+ if (result == ISC_R_NOTFOUND) {
+ dns_name_free(&chase_signame, mctx);
+ return(ISC_R_NOTFOUND);
+ }
+ printf("\n;; RRSIG of the DNSKEYset that signs the "
+ "RRset to chase:\n");
+ print_rdataset(&chase_signame, chase_sigkeyrdataset, mctx);
+ }
+ INSIST(chase_sigkeyrdataset != NULL);
+
+
+ if (chase_dsrdataset == NULL) {
+ result = advanced_rrsearch(&chase_dsrdataset, &chase_signame,
+ dns_rdatatype_ds,
+ dns_rdatatype_any,
+ &chase_dslookedup);
+ if (result == ISC_R_FAILURE) {
+ printf("\n;; WARNING There is no DS for the zone: ");
+ dns_name_print(&chase_signame, stdout);
+ printf("\n");
+ }
+ if (result == ISC_R_NOTFOUND) {
+ dns_name_free(&chase_signame, mctx);
+ return(ISC_R_NOTFOUND);
+ }
+ if (chase_dsrdataset != NULL) {
+ printf("\n;; DSset of the DNSKEYset\n");
+ print_rdataset(&chase_signame, chase_dsrdataset, mctx);
+ }
+ }
+
+ if (chase_dsrdataset != NULL) {
+ /*
+ * if there is no RRSIG of DS,
+ * we don't want to search on the network
+ */
+ result = advanced_rrsearch(&chase_sigdsrdataset,
+ &chase_signame,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds, &true);
+ if (result == ISC_R_FAILURE) {
+ printf(";; WARNING : NO RRSIG DS : RRSIG DS"
+ " should come with DS\n");
+ /*
+ * We continue even the DS couldn't be validated,
+ * because the DNSKEY could be a Trusted Key.
+ */
+ chase_dsrdataset = NULL;
+ }
+ else {
+ printf("\n;; RRSIG of the DSset of the DNSKEYset\n");
+ print_rdataset(&chase_signame, chase_sigdsrdataset,
+ mctx);
+ }
+ }
+ return(1);
+}
+
+
+
+void
+sigchase_bu(dns_message_t *msg)
+{
+ isc_result_t result;
+ int ret;
+
+ if (tk_list.nb_tk == 0) {
+ result = get_trusted_key(mctx);
+ if (result != ISC_R_SUCCESS) {
+ printf("No trusted keys present\n");
+ return;
+ }
+ }
+
+
+ ret = getneededrr(msg);
+ if (ret == ISC_R_NOTFOUND)
+ return;
+
+ if (ret == ISC_R_ADDRNOTAVAIL) {
+ /* We have no response */
+ dns_rdataset_t * rdataset;
+ dns_rdataset_t * sigrdataset;
+ dns_name_t rdata_name;
+ dns_name_t query_name;
+
+
+ dns_name_init(&query_name, NULL);
+ nameFromString(current_lookup->textname, &query_name);
+
+ result = prove_nx(msg, &query_name, current_lookup->rdclass,
+ current_lookup->rdtype, &rdata_name,
+ &rdataset, &sigrdataset);
+ dns_name_free(&query_name, mctx);
+ if (&rdata_name == NULL || rdataset == NULL ||
+ sigrdataset == NULL) {
+ printf("\n;; Impossible to verify the Non-existence,"
+ " the NSEC RRset can't be validated: "
+ "FAILED\n\n");
+ clean_trustedkey();
+ return;
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ printf("\n No Answers and impossible to prove the"
+ " unsecurity : Validation FAILED\n\n");
+ clean_trustedkey();
+ return;
+ }
+ printf(";; An NSEC prove the non-existence of a answers,"
+ " Now we want validate this NSEC\n");
+
+ dup_name(&rdata_name, &chase_name, mctx);
+ dns_name_free(&rdata_name, mctx);
+ chase_rdataset = rdataset;
+ chase_sigrdataset = sigrdataset;
+ chase_keyrdataset = NULL;
+ chase_sigkeyrdataset = NULL;
+ chase_dsrdataset = NULL;
+ chase_sigdsrdataset = NULL;
+ chase_siglookedup = ISC_FALSE;
+ chase_keylookedup = ISC_FALSE;
+ chase_dslookedup = ISC_FALSE;
+ chase_sigdslookedup = ISC_FALSE;
+ sigchase(msg);
+ clean_trustedkey();
+ return;
+ }
+
+
+ printf("\n\n\n;; WE HAVE MATERIAL, WE NOW DO VALIDATION\n");
+
+ result = sigchase_verify_sig(&chase_name, chase_rdataset,
+ chase_keyrdataset,
+ chase_sigrdataset, mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_free(&chase_name, mctx);
+ dns_name_free(&chase_signame, mctx);
+ printf(";; No DNSKEY is valid to check the RRSIG"
+ " of the RRset: FAILED\n");
+ clean_trustedkey();
+ return;
+ }
+ printf(";; OK We found DNSKEY (or more) to validate the RRset\n");
+
+ result = contains_trusted_key(&chase_signame, chase_keyrdataset,
+ chase_sigkeyrdataset, mctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_name_free(&chase_name, mctx);
+ dns_name_free(&chase_signame, mctx);
+ printf("\n;; Ok this DNSKEY is a Trusted Key,"
+ " DNSSEC validation is ok: SUCCESS\n\n");
+ clean_trustedkey();
+ return;
+ }
+
+ printf(";; Now, we are going to validate this DNSKEY by the DS\n");
+
+ if (chase_dsrdataset == NULL) {
+ dns_name_free(&chase_name, mctx);
+ dns_name_free(&chase_signame, mctx);
+ printf(";; the DNSKEY isn't trusted-key and there isn't"
+ " DS to validate the DNSKEY: FAILED\n");
+ clean_trustedkey();
+ return;
+ }
+
+ result = sigchase_verify_ds(&chase_signame, chase_keyrdataset,
+ chase_dsrdataset, mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_name_free(&chase_signame, mctx);
+ dns_name_free(&chase_name, mctx);
+ printf(";; ERROR no DS validates a DNSKEY in the"
+ " DNSKEY RRset: FAILED\n");
+ clean_trustedkey();
+ return;
+ }
+ else
+ printf(";; OK this DNSKEY (validated by the DS) validates"
+ " the RRset of the DNSKEYs, thus the DNSKEY validates"
+ " the RRset\n");
+ INSIST(chase_sigdsrdataset != NULL);
+
+ dup_name(&chase_signame, &chase_name, mctx);
+ dns_name_free(&chase_signame, mctx);
+ chase_rdataset = chase_dsrdataset;
+ chase_sigrdataset = chase_sigdsrdataset;
+ chase_keyrdataset = NULL;
+ chase_sigkeyrdataset = NULL;
+ chase_dsrdataset = NULL;
+ chase_sigdsrdataset = NULL;
+ chase_siglookedup = chase_keylookedup = ISC_FALSE;
+ chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
+
+ printf(";; Now, we want to validate the DS : recursive call\n");
+ sigchase(msg);
+ return;
+}
+#endif
+
+void
+sigchase(dns_message_t * msg)
+{
+#if DIG_SIGCHASE_TD
+ if (current_lookup->do_topdown) {
+ sigchase_td(msg);
+ return;
+ }
+#endif
+#if DIG_SIGCHASE_BU
+ sigchase_bu(msg);
+ return;
+#endif
+}
+
+
+/*
+ * return 1 if name1 < name2
+ * 0 if name1 == name2
+ * -1 if name1 > name2
+ * and -2 if problem
+ */
+int
+inf_name(dns_name_t * name1, dns_name_t * name2)
+{
+ dns_label_t label1;
+ dns_label_t label2;
+ unsigned int nblabel1;
+ unsigned int nblabel2;
+ int min_lum_label;
+ int i;
+ int ret = -2;
+
+ nblabel1 = dns_name_countlabels(name1);
+ nblabel2 = dns_name_countlabels(name2);
+
+ if (nblabel1 >= nblabel2)
+ min_lum_label = nblabel2;
+ else
+ min_lum_label = nblabel1;
+
+
+ for (i=1 ; i < min_lum_label; i++) {
+ dns_name_getlabel(name1, nblabel1 -1 - i, &label1);
+ dns_name_getlabel(name2, nblabel2 -1 - i, &label2);
+ if ((ret = isc_region_compare(&label1, &label2)) != 0) {
+ if (ret <0 )
+ return -1;
+ else if (ret >0 )
+ return 1;
+ }
+ }
+ if (nblabel1 == nblabel2)
+ return 0;
+
+ if (nblabel1 < nblabel2)
+ return -1;
+ else
+ return 1;
+}
+
+/**
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx_domain(dns_message_t *msg,
+ dns_name_t *name,
+ dns_name_t *rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t **sigrdataset)
+{
+ isc_result_t ret = ISC_R_FAILURE;
+ isc_result_t result = ISC_R_NOTFOUND;
+ dns_rdataset_t * nsecset = NULL;
+ dns_rdataset_t * signsecset = NULL ;
+ dns_rdata_t nsec = DNS_RDATA_INIT;
+ dns_name_t * nsecname = NULL;
+ dns_rdata_nsec_t nsecstruct;
+
+ if ((result = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
+ != ISC_R_SUCCESS) {
+ printf(";; nothing in authority section : impossible to"
+ " validate the non-existence : FAILED\n");
+ return(ISC_R_FAILURE);
+ }
+
+ do {
+ dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
+ nsecset = search_type(nsecname, dns_rdatatype_nsec,
+ dns_rdatatype_any);
+ if (nsecset == NULL)
+ continue;
+
+ printf("There is a NSEC for this zone in the"
+ " AUTHORITY section:\n");
+ print_rdataset(nsecname, nsecset, mctx);
+
+ for (result = dns_rdataset_first(nsecset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(nsecset)) {
+ dns_rdataset_current(nsecset, &nsec);
+
+
+ signsecset
+ = chase_scanname_section(msg, nsecname,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_nsec,
+ DNS_SECTION_AUTHORITY);
+ if (signsecset == NULL) {
+ printf(";; no RRSIG NSEC in authority section:"
+ " impossible to validate the "
+ "non-existence: FAILED\n");
+ return(ISC_R_FAILURE);
+ }
+
+ ret = dns_rdata_tostruct(&nsec, &nsecstruct, NULL);
+ check_result(ret,"dns_rdata_tostruct");
+
+ if ((inf_name(nsecname, &nsecstruct.next) == 1 &&
+ inf_name(name, &nsecstruct.next) == 1) ||
+ (inf_name(name, nsecname) == 1 &&
+ inf_name(&nsecstruct.next, name) == 1)) {
+ dns_rdata_freestruct(&nsecstruct);
+ *rdataset = nsecset;
+ *sigrdataset = signsecset;
+ dup_name(nsecname, rdata_name, mctx);
+
+ return ISC_R_SUCCESS;
+ }
+
+ dns_rdata_freestruct(&nsecstruct);
+ }
+ nsecname = NULL;
+ } while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
+ == ISC_R_SUCCESS);
+
+ *rdataset = NULL;
+ *sigrdataset = NULL;
+ rdata_name = NULL;
+ return(ISC_R_FAILURE);
+}
+
+/**
+ *
+ *
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx_type(dns_message_t * msg,
+ dns_name_t *name,
+ dns_rdataset_t *nsecset,
+ dns_rdataclass_t class,
+ dns_rdatatype_t type,
+ dns_name_t * rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t ** sigrdataset)
+{
+ isc_result_t ret;
+ dns_rdataset_t * signsecset;
+ dns_rdata_t nsec = DNS_RDATA_INIT;
+
+ UNUSED(class);
+ UNUSED(rdata_name);
+
+ ret = dns_rdataset_first(nsecset);
+ check_result(ret,"dns_rdataset_first");
+
+ dns_rdataset_current(nsecset, &nsec);
+
+ ret = dns_nsec_typepresent(&nsec, type);
+ if (ret == ISC_R_SUCCESS)
+ printf("OK the NSEC said that the type doesn't exist \n");
+
+ signsecset = chase_scanname_section(msg, name,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_nsec,
+ DNS_SECTION_AUTHORITY);
+ if (signsecset == NULL) {
+ printf("There isn't RRSIG NSEC for the zone \n");
+ return ISC_R_FAILURE;
+ }
+ *rdataset = nsecset;
+ *sigrdataset = signsecset;
+
+ return (ret);
+}
+
+/**
+ *
+ *
+ *
+ *
+ */
+isc_result_t
+prove_nx(dns_message_t * msg,
+ dns_name_t * name,
+ dns_rdataclass_t class,
+ dns_rdatatype_t type,
+ dns_name_t * rdata_name,
+ dns_rdataset_t ** rdataset,
+ dns_rdataset_t ** sigrdataset)
+{
+ isc_result_t ret;
+ dns_rdataset_t * nsecset = NULL;
+
+
+ printf("We want to prove the non-existance of a type of rdata %d"
+ " or of the zone: \n", type);
+
+ if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
+ != ISC_R_SUCCESS) {
+ printf(";; nothing in authority section : impossible to"
+ " validate the non-existence : FAILED\n");
+ return(ISC_R_FAILURE);
+ }
+
+ nsecset = chase_scanname_section(msg, name, dns_rdatatype_nsec,
+ dns_rdatatype_any,
+ DNS_SECTION_AUTHORITY);
+ if (nsecset != NULL) {
+ printf("We have a NSEC for this zone :OK\n");
+ ret = prove_nx_type(msg, name, nsecset, class,
+ type, rdata_name, rdataset,
+ sigrdataset);
+ if (ret != ISC_R_SUCCESS) {
+ printf("prove_nx: ERROR type exist\n");
+ return(ret);
+ } else {
+ printf("prove_nx: OK type does not exist\n");
+ return(ISC_R_SUCCESS);
+ }
+ } else {
+ printf("there is no NSEC for this zone: validating "
+ "that the zone doesn't exist\n");
+ ret = prove_nx_domain(msg, name, rdata_name,
+ rdataset, sigrdataset);
+ return(ret);
+ }
+ /* Never get here */
+}
+#endif
diff --git a/contrib/bind9/bin/dig/host.1 b/contrib/bind9/bin/dig/host.1
new file mode 100644
index 0000000..c93ab18
--- /dev/null
+++ b/contrib/bind9/bin/dig/host.1
@@ -0,0 +1,136 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: host.1,v 1.11.2.1.4.4 2004/04/13 04:11:03 marka Exp $
+.\"
+.TH "HOST" "1" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+host \- DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBhost\fR [ \fB-aCdlnrTwv\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-N \fIndots\fB\fR ] [ \fB-R \fInumber\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-W \fIwait\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] \fBname\fR [ \fBserver\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBhost\fR
+is a simple utility for performing DNS lookups.
+It is normally used to convert names to IP addresses and vice versa.
+When no arguments or options are given,
+\fBhost\fR
+prints a short summary of its command line arguments and options.
+.PP
+\fIname\fR is the domain name that is to be looked
+up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+IPv6 address, in which case \fBhost\fR will by default
+perform a reverse lookup for that address.
+\fIserver\fR is an optional argument which is either
+the name or IP address of the name server that \fBhost\fR
+should query instead of the server or servers listed in
+\fI/etc/resolv.conf\fR.
+.PP
+The \fB-a\fR (all) option is equivalent to setting the
+\fB-v\fR option and asking \fBhost\fR to make
+a query of type ANY.
+.PP
+When the \fB-C\fR option is used, \fBhost\fR
+will attempt to display the SOA records for zone
+\fIname\fR from all the listed authoritative name
+servers for that zone. The list of name servers is defined by the NS
+records that are found for the zone.
+.PP
+The \fB-c\fR option instructs to make a DNS query of class
+\fIclass\fR. This can be used to lookup Hesiod or
+Chaosnet class resource records. The default class is IN (Internet).
+.PP
+Verbose output is generated by \fBhost\fR when the
+\fB-d\fR or \fB-v\fR option is used. The two
+options are equivalent. They have been provided for backwards
+compatibility. In previous versions, the \fB-d\fR option
+switched on debugging traces and \fB-v\fR enabled verbose
+output.
+.PP
+List mode is selected by the \fB-l\fR option. This makes
+\fBhost\fR perform a zone transfer for zone
+\fIname\fR. Transfer the zone printing out the NS, PTR
+and address records (A/AAAA). If combined with \fB-a\fR
+all records will be printed.
+.PP
+The \fB-i\fR
+option specifies that reverse lookups of IPv6 addresses should
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.
+.PP
+The \fB-N\fR option sets the number of dots that have to be
+in \fIname\fR for it to be considered absolute. The
+default value is that defined using the ndots statement in
+\fI/etc/resolv.conf\fR, or 1 if no ndots statement is
+present. Names with fewer dots are interpreted as relative names and
+will be searched for in the domains listed in the \fBsearch\fR
+or \fBdomain\fR directive in
+\fI/etc/resolv.conf\fR.
+.PP
+The number of UDP retries for a lookup can be changed with the
+\fB-R\fR option. \fInumber\fR indicates
+how many times \fBhost\fR will repeat a query that does
+not get answered. The default number of retries is 1. If
+\fInumber\fR is negative or zero, the number of
+retries will default to 1.
+.PP
+Non-recursive queries can be made via the \fB-r\fR option.
+Setting this option clears the \fBRD\fR \(em recursion
+desired \(em bit in the query which \fBhost\fR makes.
+This should mean that the name server receiving the query will not
+attempt to resolve \fIname\fR. The
+\fB-r\fR option enables \fBhost\fR to mimic
+the behaviour of a name server by making non-recursive queries and
+expecting to receive answers to those queries that are usually
+referrals to other name servers.
+.PP
+By default \fBhost\fR uses UDP when making queries. The
+\fB-T\fR option makes it use a TCP connection when querying
+the name server. TCP will be automatically selected for queries that
+require it, such as zone transfer (AXFR) requests.
+.PP
+The \fB-4\fR option forces \fBhost\fR to only
+use IPv4 query transport. The \fB-6\fR option forces
+\fBhost\fR to only use IPv6 query transport.
+.PP
+The \fB-t\fR option is used to select the query type.
+\fItype\fR can be any recognised query type: CNAME,
+NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+\fBhost\fR automatically selects an appropriate query
+type. By default it looks for A records, but if the
+\fB-C\fR option was given, queries will be made for SOA
+records, and if \fIname\fR is a dotted-decimal IPv4
+address or colon-delimited IPv6 address, \fBhost\fR will
+query for PTR records. If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).
+.PP
+The time to wait for a reply can be controlled through the
+\fB-W\fR and \fB-w\fR options. The
+\fB-W\fR option makes \fBhost\fR wait for
+\fIwait\fR seconds. If \fIwait\fR
+is less than one, the wait interval is set to one second. When the
+\fB-w\fR option is used, \fBhost\fR will
+effectively wait forever for a reply. The time to wait for a response
+will be set to the number of seconds given by the hardware's maximum
+value for an integer quantity.
+.SH "FILES"
+.PP
+\fI/etc/resolv.conf\fR
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBnamed\fR(8).
diff --git a/contrib/bind9/bin/dig/host.c b/contrib/bind9/bin/dig/host.c
new file mode 100644
index 0000000..53d7812
--- /dev/null
+++ b/contrib/bind9/bin/dig/host.c
@@ -0,0 +1,754 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: host.c,v 1.76.2.5.2.9 2004/04/13 03:00:06 marka Exp $ */
+
+#include <config.h>
+#include <limits.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/task.h>
+#include <isc/stdlib.h>
+
+#include <dns/byaddr.h>
+#include <dns/fixedname.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t have_ipv4, have_ipv6;
+extern isc_boolean_t usesearch;
+extern isc_boolean_t debugging;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern int ndots;
+extern int tries;
+extern char *progname;
+extern isc_task_t *global_task;
+extern int fatalexit;
+
+static isc_boolean_t short_form = ISC_TRUE, listed_server = ISC_FALSE;
+static isc_boolean_t default_lookups = ISC_TRUE;
+static int seen_error = -1;
+static isc_boolean_t list_addresses = ISC_TRUE;
+static dns_rdatatype_t list_type = dns_rdatatype_a;
+
+static const char *opcodetext[] = {
+ "QUERY",
+ "IQUERY",
+ "STATUS",
+ "RESERVED3",
+ "NOTIFY",
+ "UPDATE",
+ "RESERVED6",
+ "RESERVED7",
+ "RESERVED8",
+ "RESERVED9",
+ "RESERVED10",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15"
+};
+
+static const char *rcodetext[] = {
+ "NOERROR",
+ "FORMERR",
+ "SERVFAIL",
+ "NXDOMAIN",
+ "NOTIMP",
+ "REFUSED",
+ "YXDOMAIN",
+ "YXRRSET",
+ "NXRRSET",
+ "NOTAUTH",
+ "NOTZONE",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15",
+ "BADVERS"
+};
+
+struct rtype {
+ unsigned int type;
+ const char *text;
+};
+
+struct rtype rtypes[] = {
+ { 1, "has address" },
+ { 2, "name server" },
+ { 5, "is an alias for" },
+ { 11, "has well known services" },
+ { 12, "domain name pointer" },
+ { 13, "host information" },
+ { 15, "mail is handled by" },
+ { 16, "descriptive text" },
+ { 19, "x25 address" },
+ { 20, "ISDN address" },
+ { 24, "has signature" },
+ { 25, "has key" },
+ { 28, "has IPv6 address" },
+ { 29, "location" },
+ { 0, NULL }
+};
+
+static void
+show_usage(void) {
+ fputs(
+"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
+" [-R number] hostname [server]\n"
+" -a is equivalent to -v -t *\n"
+" -c specifies query class for non-IN data\n"
+" -C compares SOA records on authoritative nameservers\n"
+" -d is equivalent to -v\n"
+" -l lists all hosts in a domain, using AXFR\n"
+" -i IP6.INT reverse lookups\n"
+" -N changes the number of dots allowed before root lookup is done\n"
+" -r disables recursive processing\n"
+" -R specifies number of retries for UDP packets\n"
+" -t specifies the query type\n"
+" -T enables TCP/IP mode\n"
+" -v enables verbose output\n"
+" -w specifies to wait forever for a reply\n"
+" -W specifies how long to wait for a reply\n"
+" -4 use IPv4 query transport only\n"
+" -6 use IPv6 query transport only\n", stderr);
+ exit(1);
+}
+
+void
+dighost_shutdown(void) {
+ isc_app_shutdown();
+}
+
+void
+received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+ isc_time_t now;
+ int diff;
+
+ if (!short_form) {
+ char fromtext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+ TIME_NOW(&now);
+ diff = (int) isc_time_microdiff(&now, &query->time_sent);
+ printf("Received %u bytes from %s in %d ms\n",
+ bytes, fromtext, diff/1000);
+ }
+}
+
+void
+trying(char *frm, dig_lookup_t *lookup) {
+ UNUSED(lookup);
+
+ if (!short_form)
+ printf("Trying \"%s\"\n", frm);
+}
+
+static void
+say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
+ dig_query_t *query)
+{
+ isc_buffer_t *b = NULL;
+ char namestr[DNS_NAME_FORMATSIZE];
+ isc_region_t r;
+ isc_result_t result;
+ unsigned int bufsize = BUFSIZ;
+
+ dns_name_format(name, namestr, sizeof(namestr));
+ retry:
+ result = isc_buffer_allocate(mctx, &b, bufsize);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_rdata_totext(rdata, NULL, b);
+ if (result == ISC_R_NOSPACE) {
+ isc_buffer_free(&b);
+ bufsize *= 2;
+ goto retry;
+ }
+ check_result(result, "dns_rdata_totext");
+ isc_buffer_usedregion(b, &r);
+ if (query->lookup->identify_previous_line) {
+ printf("Nameserver %s:\n\t",
+ query->servname);
+ }
+ printf("%s %s %.*s", namestr,
+ msg, (int)r.length, (char *)r.base);
+ if (query->lookup->identify) {
+ printf(" on server %s", query->servname);
+ }
+ printf("\n");
+ isc_buffer_free(&b);
+}
+#ifdef DIG_SIGCHASE
+/* Just for compatibility : not use in host program */
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+ isc_buffer_t *target)
+{
+ UNUSED(owner_name);
+ UNUSED(rdataset);
+ UNUSED(target);
+ return(ISC_FALSE);
+}
+#endif
+static isc_result_t
+printsection(dns_message_t *msg, dns_section_t sectionid,
+ const char *section_name, isc_boolean_t headers,
+ dig_query_t *query)
+{
+ dns_name_t *name, *print_name;
+ dns_rdataset_t *rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t target;
+ isc_result_t result, loopresult;
+ isc_region_t r;
+ dns_name_t empty_name;
+ char t[4096];
+ isc_boolean_t first;
+ isc_boolean_t no_rdata;
+
+ if (sectionid == DNS_SECTION_QUESTION)
+ no_rdata = ISC_TRUE;
+ else
+ no_rdata = ISC_FALSE;
+
+ if (headers)
+ printf(";; %s SECTION:\n", section_name);
+
+ dns_name_init(&empty_name, NULL);
+
+ result = dns_message_firstname(msg, sectionid);
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_SUCCESS);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+
+ for (;;) {
+ name = NULL;
+ dns_message_currentname(msg, sectionid, &name);
+
+ isc_buffer_init(&target, t, sizeof(t));
+ first = ISC_TRUE;
+ print_name = name;
+
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (query->lookup->rdtype == dns_rdatatype_axfr &&
+ !((!list_addresses &&
+ (list_type == dns_rdatatype_any ||
+ rdataset->type == list_type)) ||
+ (list_addresses &&
+ (rdataset->type == dns_rdatatype_a ||
+ rdataset->type == dns_rdatatype_aaaa ||
+ rdataset->type == dns_rdatatype_ns ||
+ rdataset->type == dns_rdatatype_ptr))))
+ continue;
+ if (!short_form) {
+ result = dns_rdataset_totext(rdataset,
+ print_name,
+ ISC_FALSE,
+ no_rdata,
+ &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+#ifdef USEINITALWS
+ if (first) {
+ print_name = &empty_name;
+ first = ISC_FALSE;
+ }
+#else
+ UNUSED(first); /* Shut up compiler. */
+#endif
+ } else {
+ loopresult = dns_rdataset_first(rdataset);
+ while (loopresult == ISC_R_SUCCESS) {
+ struct rtype *t;
+ const char *rtt;
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char typebuf2[DNS_RDATATYPE_FORMATSIZE
+ + 20];
+ dns_rdataset_current(rdataset, &rdata);
+
+ for (t = rtypes; t->text != NULL; t++) {
+ if (t->type == rdata.type) {
+ rtt = t->text;
+ goto found;
+ }
+ }
+
+ dns_rdatatype_format(rdata.type,
+ typebuf,
+ sizeof(typebuf));
+ snprintf(typebuf2, sizeof(typebuf2),
+ "has %s record", typebuf);
+ rtt = typebuf2;
+ found:
+ say_message(print_name, rtt,
+ &rdata, query);
+ dns_rdata_reset(&rdata);
+ loopresult =
+ dns_rdataset_next(rdataset);
+ }
+ }
+ }
+ if (!short_form) {
+ isc_buffer_usedregion(&target, &r);
+ if (no_rdata)
+ printf(";%.*s", (int)r.length,
+ (char *)r.base);
+ else
+ printf("%.*s", (int)r.length, (char *)r.base);
+ }
+
+ result = dns_message_nextname(msg, sectionid);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+printrdata(dns_message_t *msg, dns_rdataset_t *rdataset, dns_name_t *owner,
+ const char *set_name, isc_boolean_t headers)
+{
+ isc_buffer_t target;
+ isc_result_t result;
+ isc_region_t r;
+ char t[4096];
+
+ UNUSED(msg);
+ if (headers)
+ printf(";; %s SECTION:\n", set_name);
+
+ isc_buffer_init(&target, t, sizeof(t));
+
+ result = dns_rdataset_totext(rdataset, owner, ISC_FALSE, ISC_FALSE,
+ &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&target, &r);
+ printf("%.*s", (int)r.length, (char *)r.base);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+ isc_boolean_t did_flag = ISC_FALSE;
+ dns_rdataset_t *opt, *tsig = NULL;
+ dns_name_t *tsigname;
+ isc_result_t result = ISC_R_SUCCESS;
+ int force_error;
+
+ UNUSED(headers);
+
+ /*
+ * We get called multiple times.
+ * Preserve any existing error status.
+ */
+ force_error = (seen_error == 1) ? 1 : 0;
+ seen_error = 1;
+ if (listed_server) {
+ char sockstr[ISC_SOCKADDR_FORMATSIZE];
+
+ printf("Using domain server:\n");
+ printf("Name: %s\n", query->servname);
+ isc_sockaddr_format(&query->sockaddr, sockstr,
+ sizeof(sockstr));
+ printf("Address: %s\n", sockstr);
+ printf("Aliases: \n\n");
+ }
+
+ if (msg->rcode != 0) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+ printf("Host %s not found: %d(%s)\n", namestr,
+ msg->rcode, rcodetext[msg->rcode]);
+ return (ISC_R_SUCCESS);
+ }
+
+ if (default_lookups && query->lookup->rdtype == dns_rdatatype_a) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dig_lookup_t *lookup;
+
+ /* Add AAAA and MX lookups. */
+
+ dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+ lookup = clone_lookup(query->lookup, ISC_FALSE);
+ if (lookup != NULL) {
+ strncpy(lookup->textname, namestr,
+ sizeof(lookup->textname));
+ lookup->textname[sizeof(lookup->textname)-1] = 0;
+ lookup->rdtype = dns_rdatatype_aaaa;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->origin = NULL;
+ lookup->retries = tries;
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ }
+ lookup = clone_lookup(query->lookup, ISC_FALSE);
+ if (lookup != NULL) {
+ strncpy(lookup->textname, namestr,
+ sizeof(lookup->textname));
+ lookup->textname[sizeof(lookup->textname)-1] = 0;
+ lookup->rdtype = dns_rdatatype_mx;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->origin = NULL;
+ lookup->retries = tries;
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ }
+ }
+
+ if (!short_form) {
+ printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
+ opcodetext[msg->opcode], rcodetext[msg->rcode],
+ msg->id);
+ printf(";; flags: ");
+ if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
+ printf("qr");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0) {
+ printf("%saa", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+ printf("%stc", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0) {
+ printf("%srd", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0) {
+ printf("%sra", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0) {
+ printf("%sad", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0) {
+ printf("%scd", did_flag ? " " : "");
+ did_flag = ISC_TRUE;
+ }
+ printf("; QUERY: %u, ANSWER: %u, "
+ "AUTHORITY: %u, ADDITIONAL: %u\n",
+ msg->counts[DNS_SECTION_QUESTION],
+ msg->counts[DNS_SECTION_ANSWER],
+ msg->counts[DNS_SECTION_AUTHORITY],
+ msg->counts[DNS_SECTION_ADDITIONAL]);
+ opt = dns_message_getopt(msg);
+ if (opt != NULL)
+ printf(";; EDNS: version: %u, udp=%u\n",
+ (unsigned int)((opt->ttl & 0x00ff0000) >> 16),
+ (unsigned int)opt->rdclass);
+ tsigname = NULL;
+ tsig = dns_message_gettsig(msg, &tsigname);
+ if (tsig != NULL)
+ printf(";; PSEUDOSECTIONS: TSIG\n");
+ }
+ if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_QUESTION]) &&
+ !short_form) {
+ printf("\n");
+ result = printsection(msg, DNS_SECTION_QUESTION, "QUESTION",
+ ISC_TRUE, query);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+ if (!short_form)
+ printf("\n");
+ result = printsection(msg, DNS_SECTION_ANSWER, "ANSWER",
+ ISC_TF(!short_form), query);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_AUTHORITY]) &&
+ !short_form) {
+ printf("\n");
+ result = printsection(msg, DNS_SECTION_AUTHORITY, "AUTHORITY",
+ ISC_TRUE, query);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (! ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ADDITIONAL]) &&
+ !short_form) {
+ printf("\n");
+ result = printsection(msg, DNS_SECTION_ADDITIONAL,
+ "ADDITIONAL", ISC_TRUE, query);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if ((tsig != NULL) && !short_form) {
+ printf("\n");
+ result = printrdata(msg, tsig, tsigname,
+ "PSEUDOSECTION TSIG", ISC_TRUE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (!short_form)
+ printf("\n");
+
+ if (short_form && !default_lookups &&
+ ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER])) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[DNS_RDATATYPE_FORMATSIZE];
+ dns_name_format(query->lookup->name, namestr, sizeof(namestr));
+ dns_rdatatype_format(query->lookup->rdtype, typestr,
+ sizeof(typestr));
+ printf("%s has no %s record\n", namestr, typestr);
+ }
+ seen_error = force_error;
+ return (result);
+}
+
+static void
+parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
+ char hostname[MXNAME];
+ dig_lookup_t *lookup;
+ int c;
+ char store[MXNAME];
+ isc_textregion_t tr;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ isc_uint32_t serial = 0;
+
+ UNUSED(is_batchfile);
+
+ lookup = make_empty_lookup();
+
+ while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
+ != EOF) {
+ switch (c) {
+ case 'l':
+ lookup->tcp_mode = ISC_TRUE;
+ lookup->rdtype = dns_rdatatype_axfr;
+ lookup->rdtypeset = ISC_TRUE;
+ fatalexit = 3;
+ break;
+ case 'v':
+ case 'd':
+ short_form = ISC_FALSE;
+ break;
+ case 'r':
+ lookup->recurse = ISC_FALSE;
+ break;
+ case 't':
+ if (strncasecmp(isc_commandline_argument,
+ "ixfr=", 5) == 0) {
+ rdtype = dns_rdatatype_ixfr;
+ /* XXXMPA add error checking */
+ serial = strtoul(isc_commandline_argument + 5,
+ NULL, 10);
+ result = ISC_R_SUCCESS;
+ } else {
+ tr.base = isc_commandline_argument;
+ tr.length = strlen(isc_commandline_argument);
+ result = dns_rdatatype_fromtext(&rdtype,
+ (isc_textregion_t *)&tr);
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ fatalexit = 2;
+ fatal("invalid type: %s\n",
+ isc_commandline_argument);
+ }
+ if (!lookup->rdtypeset ||
+ lookup->rdtype != dns_rdatatype_axfr)
+ lookup->rdtype = rdtype;
+ lookup->rdtypeset = ISC_TRUE;
+ if (rdtype == dns_rdatatype_axfr) {
+ /* -l -t any -v */
+ list_type = dns_rdatatype_any;
+ short_form = ISC_FALSE;
+ lookup->tcp_mode = ISC_TRUE;
+ } else if (rdtype == dns_rdatatype_ixfr) {
+ lookup->ixfr_serial = serial;
+ list_type = rdtype;
+ } else
+ list_type = rdtype;
+ list_addresses = ISC_FALSE;
+ break;
+ case 'c':
+ tr.base = isc_commandline_argument;
+ tr.length = strlen(isc_commandline_argument);
+ result = dns_rdataclass_fromtext(&rdclass,
+ (isc_textregion_t *)&tr);
+
+ if (result != ISC_R_SUCCESS) {
+ fatalexit = 2;
+ fatal("invalid class: %s\n",
+ isc_commandline_argument);
+ } else {
+ lookup->rdclass = rdclass;
+ lookup->rdclassset = ISC_TRUE;
+ }
+ default_lookups = ISC_FALSE;
+ break;
+ case 'a':
+ if (!lookup->rdtypeset ||
+ lookup->rdtype != dns_rdatatype_axfr)
+ lookup->rdtype = dns_rdatatype_any;
+ list_type = dns_rdatatype_any;
+ list_addresses = ISC_FALSE;
+ lookup->rdtypeset = ISC_TRUE;
+ short_form = ISC_FALSE;
+ default_lookups = ISC_FALSE;
+ break;
+ case 'i':
+ lookup->ip6_int = ISC_TRUE;
+ break;
+ case 'n':
+ /* deprecated */
+ break;
+ case 'w':
+ /*
+ * The timer routines are coded such that
+ * timeout==MAXINT doesn't enable the timer
+ */
+ timeout = INT_MAX;
+ break;
+ case 'W':
+ timeout = atoi(isc_commandline_argument);
+ if (timeout < 1)
+ timeout = 1;
+ break;
+ case 'R':
+ tries = atoi(isc_commandline_argument) + 1;
+ if (tries < 2)
+ tries = 2;
+ break;
+ case 'T':
+ lookup->tcp_mode = ISC_TRUE;
+ break;
+ case 'C':
+ debug("showing all SOAs");
+ lookup->rdtype = dns_rdatatype_ns;
+ lookup->rdtypeset = ISC_TRUE;
+ lookup->rdclass = dns_rdataclass_in;
+ lookup->rdclassset = ISC_TRUE;
+ lookup->ns_search_only = ISC_TRUE;
+ lookup->trace_root = ISC_TRUE;
+ lookup->identify_previous_line = ISC_TRUE;
+ default_lookups = ISC_FALSE;
+ break;
+ case 'N':
+ debug("setting NDOTS to %s",
+ isc_commandline_argument);
+ ndots = atoi(isc_commandline_argument);
+ break;
+ case 'D':
+ debugging = ISC_TRUE;
+ break;
+ case '4':
+ if (have_ipv4) {
+ isc_net_disableipv6();
+ have_ipv6 = ISC_FALSE;
+ } else
+ fatal("can't find IPv4 networking");
+ break;
+ case '6':
+ if (have_ipv6) {
+ isc_net_disableipv4();
+ have_ipv4 = ISC_FALSE;
+ } else
+ fatal("can't find IPv6 networking");
+ break;
+ }
+ }
+
+ lookup->retries = tries;
+
+ if (isc_commandline_index >= argc)
+ show_usage();
+
+ strncpy(hostname, argv[isc_commandline_index], sizeof(hostname));
+ hostname[sizeof(hostname)-1]=0;
+ if (argc > isc_commandline_index + 1) {
+ set_nameserver(argv[isc_commandline_index+1]);
+ debug("server is %s", argv[isc_commandline_index+1]);
+ listed_server = ISC_TRUE;
+ }
+
+ lookup->pending = ISC_FALSE;
+ if (get_reverse(store, sizeof(store), hostname,
+ lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
+ strncpy(lookup->textname, store, sizeof(lookup->textname));
+ lookup->textname[sizeof(lookup->textname)-1] = 0;
+ lookup->rdtype = dns_rdatatype_ptr;
+ lookup->rdtypeset = ISC_TRUE;
+ default_lookups = ISC_FALSE;
+ } else {
+ strncpy(lookup->textname, hostname, sizeof(lookup->textname));
+ lookup->textname[sizeof(lookup->textname)-1]=0;
+ }
+ lookup->new_search = ISC_TRUE;
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+
+ usesearch = ISC_TRUE;
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+
+ tries = 2;
+
+ ISC_LIST_INIT(lookup_list);
+ ISC_LIST_INIT(server_list);
+ ISC_LIST_INIT(search_list);
+
+ fatalexit = 1;
+
+ debug("main()");
+ progname = argv[0];
+ result = isc_app_start();
+ check_result(result, "isc_app_start");
+ setup_libs();
+ parse_args(ISC_FALSE, argc, argv);
+ setup_system();
+ result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
+ check_result(result, "isc_app_onrun");
+ isc_app_run();
+ cancel_all();
+ destroy_libs();
+ isc_app_finish();
+ return ((seen_error == 0) ? 0 : 1);
+}
+
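Review bot: In printmessage(), the "Host %s not found" branch indexes `rcodetext[msg->rcode]` with a value taken from the server's reply, but the table has only 17 entries (NOERROR through BADVERS). If the parsed message can carry an extended rcode above 16 (the EDNS extended-rcode bits would allow it; the parser is outside this hunk), the lookup reads past the end of the array and hands the result to printf as a string pointer. Bound the index before use, for example `msg->rcode < sizeof(rcodetext)/sizeof(rcodetext[0]) ? rcodetext[msg->rcode] : "UNKNOWN"`. The second use, in the verbose header line, is only reached after the early return for a non-zero rcode, so it is not affected. Since this file is imported code, the change is best sent upstream or carried as a documented local patch.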
diff --git a/contrib/bind9/bin/dig/host.docbook b/contrib/bind9/bin/dig/host.docbook
new file mode 100644
index 0000000..561f7c4
--- /dev/null
+++ b/contrib/bind9/bin/dig/host.docbook
@@ -0,0 +1,212 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: host.docbook,v 1.2.2.2.4.5 2004/04/13 01:26:26 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>host</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>host</refname>
+<refpurpose>DNS lookup utility</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+ <command>host</command>
+ <arg><option>-aCdlnrTwv</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
+ <arg><option>-4</option></arg>
+ <arg><option>-6</option></arg>
+ <arg choice=req>name</arg>
+ <arg choice=opt>server</arg>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<command>host</command>
+is a simple utility for performing DNS lookups.
+It is normally used to convert names to IP addresses and vice versa.
+When no arguments or options are given,
+<command>host</command>
+prints a short summary of its command line arguments and options.
+</para>
+
+<para>
+<parameter>name</parameter> is the domain name that is to be looked
+up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+IPv6 address, in which case <command>host</command> will by default
+perform a reverse lookup for that address.
+<parameter>server</parameter> is an optional argument which is either
+the name or IP address of the name server that <command>host</command>
+should query instead of the server or servers listed in
+<filename>/etc/resolv.conf</filename>.
+</para>
+
+<para>
+The <option>-a</option> (all) option is equivalent to setting the
+<option>-v</option> option and asking <command>host</command> to make
+a query of type ANY.
+</para>
+
+<para>
+When the <option>-C</option> option is used, <command>host</command>
+will attempt to display the SOA records for zone
+<parameter>name</parameter> from all the listed authoritative name
+servers for that zone. The list of name servers is defined by the NS
+records that are found for the zone.
+</para>
+
+<para>
+The <option>-c</option> option instructs to make a DNS query of class
+<parameter>class</parameter>. This can be used to lookup Hesiod or
+Chaosnet class resource records. The default class is IN (Internet).
+</para>
+
+<para>
+Verbose output is generated by <command>host</command> when the
+<option>-d</option> or <option>-v</option> option is used. The two
+options are equivalent. They have been provided for backwards
+compatibility. In previous versions, the <option>-d</option> option
+switched on debugging traces and <option>-v</option> enabled verbose
+output.
+</para>
+
+<para>
+List mode is selected by the <option>-l</option> option. This makes
+<command>host</command> perform a zone transfer for zone
+<parameter>name</parameter>. Transfer the zone printing out the NS, PTR
+and address records (A/AAAA). If combined with <option>-a</option>
+all records will be printed.
+</para>
+
+<para>
+The <option>-i</option>
+option specifies that reverse lookups of IPv6 addresses should
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.
+</para>
+
+<para>
+The <option>-N</option> option sets the number of dots that have to be
+in <parameter>name</parameter> for it to be considered absolute. The
+default value is that defined using the ndots statement in
+<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is
+present. Names with fewer dots are interpreted as relative names and
+will be searched for in the domains listed in the <type>search</type>
+or <type>domain</type> directive in
+<filename>/etc/resolv.conf</filename>.
+</para>
+
+<para>
+The number of UDP retries for a lookup can be changed with the
+<option>-R</option> option. <parameter>number</parameter> indicates
+how many times <command>host</command> will repeat a query that does
+not get answered. The default number of retries is 1. If
+<parameter>number</parameter> is negative or zero, the number of
+retries will default to 1.
+</para>
+
+<para>
+Non-recursive queries can be made via the <option>-r</option> option.
+Setting this option clears the <type>RD</type> &mdash; recursion
+desired &mdash; bit in the query which <command>host</command> makes.
+This should mean that the name server receiving the query will not
+attempt to resolve <parameter>name</parameter>. The
+<option>-r</option> option enables <command>host</command> to mimic
+the behaviour of a name server by making non-recursive queries and
+expecting to receive answers to those queries that are usually
+referrals to other name servers.
+</para>
+
+<para>
+By default <command>host</command> uses UDP when making queries. The
+<option>-T</option> option makes it use a TCP connection when querying
+the name server. TCP will be automatically selected for queries that
+require it, such as zone transfer (AXFR) requests.
+</para>
+
+<para>
+The <option>-4</option> option forces <command>host</command> to only
+use IPv4 query transport. The <option>-6</option> option forces
+<command>host</command> to only use IPv6 query transport.
+</para>
+
+<para>
+The <option>-t</option> option is used to select the query type.
+<parameter>type</parameter> can be any recognised query type: CNAME,
+NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+<command>host</command> automatically selects an appropriate query
+type. By default it looks for A records, but if the
+<option>-C</option> option was given, queries will be made for SOA
+records, and if <parameter>name</parameter> is a dotted-decimal IPv4
+address or colon-delimited IPv6 address, <command>host</command> will
+query for PTR records. If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).
+</para>
+
+<para>
+The time to wait for a reply can be controlled through the
+<option>-W</option> and <option>-w</option> options. The
+<option>-W</option> option makes <command>host</command> wait for
+<parameter>wait</parameter> seconds. If <parameter>wait</parameter>
+is less than one, the wait interval is set to one second. When the
+<option>-w</option> option is used, <command>host</command> will
+effectively wait forever for a reply. The time to wait for a response
+will be set to the number of seconds given by the hardware's maximum
+value for an integer quantity.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+<para>
+<filename>/etc/resolv.conf</filename>
+</para>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/bin/dig/host.html b/contrib/bind9/bin/dig/host.html
new file mode 100644
index 0000000..fb011c0
--- /dev/null
+++ b/contrib/bind9/bin/dig/host.html
@@ -0,0 +1,434 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2002 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: host.html,v 1.4.2.1.4.6 2004/08/22 23:38:58 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>host</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>host</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>host&nbsp;--&nbsp;DNS lookup utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>host</B
+> [<VAR
+CLASS="OPTION"
+>-aCdlnrTwv</VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-N <VAR
+CLASS="REPLACEABLE"
+>ndots</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-R <VAR
+CLASS="REPLACEABLE"
+>number</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>type</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-W <VAR
+CLASS="REPLACEABLE"
+>wait</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-4</VAR
+>] [<VAR
+CLASS="OPTION"
+>-6</VAR
+>] {name} [server]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN37"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>host</B
+>
+is a simple utility for performing DNS lookups.
+It is normally used to convert names to IP addresses and vice versa.
+When no arguments or options are given,
+<B
+CLASS="COMMAND"
+>host</B
+>
+prints a short summary of its command line arguments and options.</P
+><P
+><VAR
+CLASS="PARAMETER"
+>name</VAR
+> is the domain name that is to be looked
+up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+IPv6 address, in which case <B
+CLASS="COMMAND"
+>host</B
+> will by default
+perform a reverse lookup for that address.
+<VAR
+CLASS="PARAMETER"
+>server</VAR
+> is an optional argument which is either
+the name or IP address of the name server that <B
+CLASS="COMMAND"
+>host</B
+>
+should query instead of the server or servers listed in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-a</VAR
+> (all) option is equivalent to setting the
+<VAR
+CLASS="OPTION"
+>-v</VAR
+> option and asking <B
+CLASS="COMMAND"
+>host</B
+> to make
+a query of type ANY.</P
+><P
+>When the <VAR
+CLASS="OPTION"
+>-C</VAR
+> option is used, <B
+CLASS="COMMAND"
+>host</B
+>
+will attempt to display the SOA records for zone
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+> from all the listed authoritative name
+servers for that zone. The list of name servers is defined by the NS
+records that are found for the zone.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-c</VAR
+> option instructs to make a DNS query of class
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>. This can be used to lookup Hesiod or
+Chaosnet class resource records. The default class is IN (Internet).</P
+><P
+>Verbose output is generated by <B
+CLASS="COMMAND"
+>host</B
+> when the
+<VAR
+CLASS="OPTION"
+>-d</VAR
+> or <VAR
+CLASS="OPTION"
+>-v</VAR
+> option is used. The two
+options are equivalent. They have been provided for backwards
+compatibility. In previous versions, the <VAR
+CLASS="OPTION"
+>-d</VAR
+> option
+switched on debugging traces and <VAR
+CLASS="OPTION"
+>-v</VAR
+> enabled verbose
+output.</P
+><P
+>List mode is selected by the <VAR
+CLASS="OPTION"
+>-l</VAR
+> option. This makes
+<B
+CLASS="COMMAND"
+>host</B
+> perform a zone transfer for zone
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+>. Transfer the zone printing out the NS, PTR
+and address records (A/AAAA). If combined with <VAR
+CLASS="OPTION"
+>-a</VAR
+>
+all records will be printed. </P
+><P
+>The <VAR
+CLASS="OPTION"
+>-i</VAR
+>
+option specifies that reverse lookups of IPv6 addresses should
+use the IP6.INT domain as defined in RFC1886.
+The default is to use IP6.ARPA.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-N</VAR
+> option sets the number of dots that have to be
+in <VAR
+CLASS="PARAMETER"
+>name</VAR
+> for it to be considered absolute. The
+default value is that defined using the ndots statement in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>, or 1 if no ndots statement is
+present. Names with fewer dots are interpreted as relative names and
+will be searched for in the domains listed in the <SPAN
+CLASS="TYPE"
+>search</SPAN
+>
+or <SPAN
+CLASS="TYPE"
+>domain</SPAN
+> directive in
+<TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The number of UDP retries for a lookup can be changed with the
+<VAR
+CLASS="OPTION"
+>-R</VAR
+> option. <VAR
+CLASS="PARAMETER"
+>number</VAR
+> indicates
+how many times <B
+CLASS="COMMAND"
+>host</B
+> will repeat a query that does
+not get answered. The default number of retries is 1. If
+<VAR
+CLASS="PARAMETER"
+>number</VAR
+> is negative or zero, the number of
+retries will default to 1.</P
+><P
+>Non-recursive queries can be made via the <VAR
+CLASS="OPTION"
+>-r</VAR
+> option.
+Setting this option clears the <SPAN
+CLASS="TYPE"
+>RD</SPAN
+> &mdash; recursion
+desired &mdash; bit in the query which <B
+CLASS="COMMAND"
+>host</B
+> makes.
+This should mean that the name server receiving the query will not
+attempt to resolve <VAR
+CLASS="PARAMETER"
+>name</VAR
+>. The
+<VAR
+CLASS="OPTION"
+>-r</VAR
+> option enables <B
+CLASS="COMMAND"
+>host</B
+> to mimic
+the behaviour of a name server by making non-recursive queries and
+expecting to receive answers to those queries that are usually
+referrals to other name servers.</P
+><P
+>By default <B
+CLASS="COMMAND"
+>host</B
+> uses UDP when making queries. The
+<VAR
+CLASS="OPTION"
+>-T</VAR
+> option makes it use a TCP connection when querying
+the name server. TCP will be automatically selected for queries that
+require it, such as zone transfer (AXFR) requests.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-4</VAR
+> option forces <B
+CLASS="COMMAND"
+>host</B
+> to only
+use IPv4 query transport. The <VAR
+CLASS="OPTION"
+>-6</VAR
+> option forces
+<B
+CLASS="COMMAND"
+>host</B
+> to only use IPv6 query transport.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-t</VAR
+> option is used to select the query type.
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> can be any recognised query type: CNAME,
+NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+<B
+CLASS="COMMAND"
+>host</B
+> automatically selects an appropriate query
+type. By default it looks for A records, but if the
+<VAR
+CLASS="OPTION"
+>-C</VAR
+> option was given, queries will be made for SOA
+records, and if <VAR
+CLASS="PARAMETER"
+>name</VAR
+> is a dotted-decimal IPv4
+address or colon-delimited IPv6 address, <B
+CLASS="COMMAND"
+>host</B
+> will
+query for PTR records. If a query type of IXFR is chosen the starting
+serial number can be specified by appending an equal followed by the
+starting serial number (e.g. -t IXFR=12345678).</P
+><P
+>The time to wait for a reply can be controlled through the
+<VAR
+CLASS="OPTION"
+>-W</VAR
+> and <VAR
+CLASS="OPTION"
+>-w</VAR
+> options. The
+<VAR
+CLASS="OPTION"
+>-W</VAR
+> option makes <B
+CLASS="COMMAND"
+>host</B
+> wait for
+<VAR
+CLASS="PARAMETER"
+>wait</VAR
+> seconds. If <VAR
+CLASS="PARAMETER"
+>wait</VAR
+>
+is less than one, the wait interval is set to one second. When the
+<VAR
+CLASS="OPTION"
+>-w</VAR
+> option is used, <B
+CLASS="COMMAND"
+>host</B
+> will
+effectively wait forever for a reply. The time to wait for a response
+will be set to the number of seconds given by the hardware's maximum
+value for an integer quantity.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN115"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN119"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dig</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dig/include/dig/dig.h b/contrib/bind9/bin/dig/include/dig/dig.h
new file mode 100644
index 0000000..12e1e21
--- /dev/null
+++ b/contrib/bind9/bin/dig/include/dig/dig.h
@@ -0,0 +1,343 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dig.h,v 1.71.2.6.2.6 2004/06/19 02:30:12 sra Exp $ */
+
+#ifndef DIG_H
+#define DIG_H
+
+#include <dns/rdatalist.h>
+
+#include <dst/dst.h>
+
+#include <isc/boolean.h>
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+
+#define MXSERV 6
+#define MXNAME (DNS_NAME_MAXTEXT+1)
+#define MXRD 32
+#define BUFSIZE 512
+#define COMMSIZE 0xffff
+#ifndef RESOLV_CONF
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+#define OUTPUTBUF 32767
+#define MAXRRLIMIT 0xffffffff
+#define MAXTIMEOUT 0xffff
+#define MAXTRIES 0xffffffff
+#define MAXNDOTS 0xffff
+#define MAXPORT 0xffff
+#define MAXSERIAL 0xffffffff
+
+/*
+ * Default timeout values
+ */
+#define TCP_TIMEOUT 10
+#define UDP_TIMEOUT 5
+
+#define SERVER_TIMEOUT 1
+
+#define LOOKUP_LIMIT 64
+/*
+ * Lookup_limit is just a limiter, keeping too many lookups from being
+ * created. It's job is mainly to prevent the program from running away
+ * in a tight loop of constant lookups. It's value is arbitrary.
+ */
+
+#define ROOTNS 1
+/*
+ * Set the number of root servers to ask for information when running in
+ * trace mode.
+ * XXXMWS -- trace mode is currently semi-broken, and this number *MUST*
+ * be 1.
+ */
+
+/*
+ * Defaults for the sigchase suboptions. Consolidated here because
+ * these control the layout of dig_lookup_t (among other things).
+ */
+#ifdef DIG_SIGCHASE
+#ifndef DIG_SIGCHASE_BU
+#define DIG_SIGCHASE_BU 1
+#endif
+#ifndef DIG_SIGCHASE_TD
+#define DIG_SIGCHASE_TD 1
+#endif
+#endif
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dig_lookup dig_lookup_t;
+typedef struct dig_query dig_query_t;
+typedef struct dig_server dig_server_t;
+#ifdef DIG_SIGCHASE
+typedef struct dig_message dig_message_t;
+#endif
+typedef ISC_LIST(dig_server_t) dig_serverlist_t;
+typedef struct dig_searchlist dig_searchlist_t;
+
+struct dig_lookup {
+ isc_boolean_t
+ pending, /* Pending a successful answer */
+ waiting_connect,
+ doing_xfr,
+ ns_search_only, /* dig +nssearch, host -C */
+ identify, /* Append an "on server <foo>" message */
+ identify_previous_line, /* Prepend a "Nameserver <foo>:"
+ message, with newline and tab */
+ ignore,
+ recurse,
+ aaonly,
+ adflag,
+ cdflag,
+ trace, /* dig +trace */
+ trace_root, /* initial query for either +trace or +nssearch */
+ tcp_mode,
+ ip6_int,
+ comments,
+ stats,
+ section_question,
+ section_answer,
+ section_authority,
+ section_additional,
+ servfail_stops,
+ new_search,
+ besteffort,
+ dnssec;
+#ifdef DIG_SIGCHASE
+isc_boolean_t sigchase;
+#if DIG_SIGCHASE_TD
+ isc_boolean_t do_topdown,
+ trace_root_sigchase,
+ rdtype_sigchaseset,
+ rdclass_sigchaseset;
+ /* Name we are going to validate RRset */
+ char textnamesigchase[MXNAME];
+#endif
+#endif
+
+ char textname[MXNAME]; /* Name we're going to be looking up */
+ char cmdline[MXNAME];
+ dns_rdatatype_t rdtype;
+ dns_rdatatype_t qrdtype;
+#if DIG_SIGCHASE_TD
+ dns_rdatatype_t rdtype_sigchase;
+ dns_rdatatype_t qrdtype_sigchase;
+ dns_rdataclass_t rdclass_sigchase;
+#endif
+ dns_rdataclass_t rdclass;
+ isc_boolean_t rdtypeset;
+ isc_boolean_t rdclassset;
+ char namespace[BUFSIZE];
+ char onamespace[BUFSIZE];
+ isc_buffer_t namebuf;
+ isc_buffer_t onamebuf;
+ isc_buffer_t sendbuf;
+ char *sendspace;
+ dns_name_t *name;
+ isc_timer_t *timer;
+ isc_interval_t interval;
+ dns_message_t *sendmsg;
+ dns_name_t *oname;
+ ISC_LINK(dig_lookup_t) link;
+ ISC_LIST(dig_query_t) q;
+ dig_query_t *current_query;
+ dig_serverlist_t my_server_list;
+ dig_searchlist_t *origin;
+ dig_query_t *xfr_q;
+ isc_uint32_t retries;
+ int nsfound;
+ isc_uint16_t udpsize;
+ isc_uint32_t ixfr_serial;
+ isc_buffer_t rdatabuf;
+ char rdatastore[MXNAME];
+ dst_context_t *tsigctx;
+ isc_buffer_t *querysig;
+ isc_uint32_t msgcounter;
+};
+
+struct dig_query {
+ dig_lookup_t *lookup;
+ isc_boolean_t waiting_connect,
+ first_pass,
+ first_soa_rcvd,
+ second_rr_rcvd,
+ first_repeat_rcvd,
+ recv_made,
+ warn_id;
+ isc_uint32_t first_rr_serial;
+ isc_uint32_t second_rr_serial;
+ isc_uint32_t msg_count;
+ isc_uint32_t rr_count;
+ char *servname;
+ isc_bufferlist_t sendlist,
+ recvlist,
+ lengthlist;
+ isc_buffer_t recvbuf,
+ lengthbuf,
+ slbuf;
+ char *recvspace,
+ lengthspace[4],
+ slspace[4];
+ isc_socket_t *sock;
+ ISC_LINK(dig_query_t) link;
+ isc_sockaddr_t sockaddr;
+ isc_time_t time_sent;
+};
+
+struct dig_server {
+ char servername[MXNAME];
+ ISC_LINK(dig_server_t) link;
+};
+
+struct dig_searchlist {
+ char origin[MXNAME];
+ ISC_LINK(dig_searchlist_t) link;
+};
+#ifdef DIG_SIGCHASE
+struct dig_message {
+ dns_message_t *msg;
+ ISC_LINK(dig_message_t) link;
+};
+#endif
+/*
+ * Routines in dighost.c.
+ */
+void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
+
+isc_result_t
+get_reverse(char *reverse, size_t len, char *value, isc_boolean_t ip6_int,
+ isc_boolean_t strict);
+
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+check_result(isc_result_t result, const char *msg);
+
+void
+setup_lookup(dig_lookup_t *lookup);
+
+void
+do_lookup(dig_lookup_t *lookup);
+
+void
+start_lookup(void);
+
+void
+onrun_callback(isc_task_t *task, isc_event_t *event);
+
+int
+dhmain(int argc, char **argv);
+
+void
+setup_libs(void);
+
+void
+setup_system(void);
+
+dig_lookup_t *
+requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+dig_lookup_t *
+make_empty_lookup(void);
+
+dig_lookup_t *
+clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers);
+
+dig_server_t *
+make_server(const char *servname);
+
+void
+flush_server_list(void);
+
+void
+set_nameserver(char *opt);
+
+void
+clone_server_list(dig_serverlist_t src,
+ dig_serverlist_t *dest);
+
+void
+cancel_all(void);
+
+void
+destroy_libs(void);
+
+void
+set_search_domain(char *domain);
+
+#ifdef DIG_SIGCHASE
+void
+clean_trustedkey(void);
+#endif
+
+/*
+ * Routines to be defined in dig.c, host.c, and nslookup.c.
+ */
+#ifdef DIG_SIGCHASE
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+ isc_buffer_t *target);
+#endif
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
+/*
+ * Print the final result of the lookup.
+ */
+
+void
+received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
+/*
+ * Print a message about where and when the response
+ * was received from, like the final comment in the
+ * output of "dig".
+ */
+
+void
+trying(char *frm, dig_lookup_t *lookup);
+
+void
+dighost_shutdown(void);
+
+char *
+next_token(char **stringp, const char *delim);
+
+#ifdef DIG_SIGCHASE
+/* Chasing functions */
+dns_rdataset_t *
+chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers);
+void
+chase_sig(dns_message_t *msg);
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif
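Review bot: The second `#if DIG_SIGCHASE_TD` in `struct dig_lookup` (the one guarding `rdtype_sigchase`, `qrdtype_sigchase` and `rdclass_sigchase`) is not nested inside `#ifdef DIG_SIGCHASE` the way the first one is, so the two groups of sigchase fields are controlled by conditions that can disagree. A build that defines `DIG_SIGCHASE_TD` without `DIG_SIGCHASE` gets the three type/class fields but not `do_topdown` or `textnamesigchase`. The header's own comment says these macros control the layout of `dig_lookup_t`, which is shared between dighost.c and the dig.c/host.c/nslookup.c front ends, so objects compiled with different settings would disagree on field offsets without any compile-time error. Guarding that block as `#if defined(DIG_SIGCHASE) && DIG_SIGCHASE_TD` puts both groups under the same condition and avoids evaluating an undefined macro in `#if` when sigchase is off. It would also help to add a comment by the defaults, such as `/* every file that includes dig.h must be built with the same DIG_SIGCHASE* settings */`.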
diff --git a/contrib/bind9/bin/dig/nslookup.1 b/contrib/bind9/bin/dig/nslookup.1
new file mode 100644
index 0000000..71aa8a1
--- /dev/null
+++ b/contrib/bind9/bin/dig/nslookup.1
@@ -0,0 +1,192 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: nslookup.1,v 1.1.6.2 2004/08/20 02:29:39 marka Exp $
+.\"
+.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+nslookup \- query Internet name servers interactively
+.SH SYNOPSIS
+.sp
+\fBnslookup\fR [ \fB-option\fR ] [ \fBname | -\fR ] [ \fBserver\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBNslookup\fR
+is a program to query Internet domain name servers. \fBNslookup\fR
+has two modes: interactive and non-interactive. Interactive mode allows
+the user to query name servers for information about various hosts and
+domains or to print a list of hosts in a domain. Non-interactive mode is
+used to print just the name and requested information for a host or
+domain.
+.SH "ARGUMENTS"
+.PP
+Interactive mode is entered in the following cases:
+.IP 1.
+when no arguments are given (the default name server will be used)
+.IP 2.
+when the first argument is a hyphen (-) and the second argument is
+the host name or Internet address of a name server.
+.PP
+Non-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.
+.PP
+Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to
+change the default query type to host information, and the initial timeout to 10 seconds, type:
+.PP
+.sp
+.nf
+nslookup -query=hinfo -timeout=10
+.sp
+.fi
+.SH "INTERACTIVE COMMANDS"
+.TP
+\fBhost [server]\fR
+Look up information for host using the current default server or
+using server, if specified. If host is an Internet address and
+the query type is A or PTR, the name of the host is returned.
+If host is a name and does not have a trailing period, the
+search list is used to qualify the name.
+
+To look up a host not in the current domain, append a period to
+the name.
+.TP
+\fBserver \fIdomain\fB\fR
+.TP
+\fBlserver \fIdomain\fB\fR
+Change the default server to \fIdomain\fR; lserver uses the initial
+server to look up information about \fIdomain\fR, while server uses
+the current default server. If an authoritative answer can't be
+found, the names of servers that might have the answer are
+returned.
+.TP
+\fBroot\fR
+not implemented
+.TP
+\fBfinger\fR
+not implemented
+.TP
+\fBls\fR
+not implemented
+.TP
+\fBview\fR
+not implemented
+.TP
+\fBhelp\fR
+not implemented
+.TP
+\fB?\fR
+not implemented
+.TP
+\fBexit\fR
+Exits the program.
+.TP
+\fBset \fIkeyword[=value]\fB\fR
+This command is used to change state information that affects
+the lookups. Valid keywords are:
+.RS
+.TP
+\fBall\fR
+Prints the current values of the frequently used
+options to \fBset\fR. Information about the current default
+server and host is also printed.
+.TP
+\fBclass=\fIvalue\fB\fR
+Change the query class to one of:
+.RS
+.TP
+\fBIN\fR
+the Internet class
+.TP
+\fBCH\fR
+the Chaos class
+.TP
+\fBHS\fR
+the Hesiod class
+.TP
+\fBANY\fR
+wildcard
+.RE
+.PP
+The class specifies the protocol group of the information.
+
+(Default = IN; abbreviation = cl)
+.TP
+\fB\fI[no]\fBdebug\fR
+Turn debugging mode on. A lot more information is
+printed about the packet sent to the server and the
+resulting answer.
+
+(Default = nodebug; abbreviation = [no]deb)
+.TP
+\fB\fI[no]\fBd2\fR
+Turn debugging mode on. A lot more information is
+printed about the packet sent to the server and the
+resulting answer.
+
+(Default = nod2)
+.TP
+\fBdomain=\fIname\fB\fR
+Sets the search list to \fIname\fR.
+.TP
+\fB\fI[no]\fBsearch\fR
+If the lookup request contains at least one period but
+doesn't end with a trailing period, append the domain
+names in the domain search list to the request until an
+answer is received.
+
+(Default = search)
+.TP
+\fBport=\fIvalue\fB\fR
+Change the default TCP/UDP name server port to \fIvalue\fR.
+
+(Default = 53; abbreviation = po)
+.TP
+\fBquerytype=\fIvalue\fB\fR
+.TP
+\fBtype=\fIvalue\fB\fR
+Change the top of the information query.
+
+(Default = A; abbreviations = q, ty)
+.TP
+\fB\fI[no]\fBrecurse\fR
+Tell the name server to query other servers if it does not have the
+information.
+
+(Default = recurse; abbreviation = [no]rec)
+.TP
+\fBretry=\fInumber\fB\fR
+Set the number of retries to number.
+.TP
+\fBtimeout=\fInumber\fB\fR
+Change the initial timeout interval for waiting for a
+reply to number seconds.
+.TP
+\fB\fI[no]\fBvc\fR
+Always use a virtual circuit when sending requests to the server.
+
+(Default = novc)
+.RE
+.SH "FILES"
+.PP
+\fI/etc/resolv.conf\fR
+.SH "SEE ALSO"
+.PP
+\fBdig\fR(1),
+\fBhost\fR(1),
+\fBnamed\fR(8).
+.SH "AUTHOR"
+.PP
+Andrew Cherenson
diff --git a/contrib/bind9/bin/dig/nslookup.c b/contrib/bind9/bin/dig/nslookup.c
new file mode 100644
index 0000000..a616bae
--- /dev/null
+++ b/contrib/bind9/bin/dig/nslookup.c
@@ -0,0 +1,887 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nslookup.c,v 1.90.2.4.2.7 2004/08/18 23:25:58 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/event.h>
+#include <isc/parseint.h>
+#include <isc/string.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+#include <isc/task.h>
+#include <isc/netaddr.h>
+
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/fixedname.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/byaddr.h>
+
+#include <dig/dig.h>
+
+extern ISC_LIST(dig_lookup_t) lookup_list;
+extern dig_serverlist_t server_list;
+extern ISC_LIST(dig_searchlist_t) search_list;
+
+extern isc_boolean_t usesearch, debugging;
+extern in_port_t port;
+extern unsigned int timeout;
+extern isc_mem_t *mctx;
+extern int tries;
+extern int lookup_counter;
+extern isc_task_t *global_task;
+extern char *progname;
+
+static isc_boolean_t short_form = ISC_TRUE,
+ tcpmode = ISC_FALSE,
+ identify = ISC_FALSE, stats = ISC_TRUE,
+ comments = ISC_TRUE, section_question = ISC_TRUE,
+ section_answer = ISC_TRUE, section_authority = ISC_TRUE,
+ section_additional = ISC_TRUE, recurse = ISC_TRUE,
+ aaonly = ISC_FALSE;
+static isc_boolean_t in_use = ISC_FALSE;
+static char defclass[MXRD] = "IN";
+static char deftype[MXRD] = "A";
+static isc_event_t *global_event = NULL;
+
+static char domainopt[DNS_NAME_MAXTEXT];
+
+static const char *rcodetext[] = {
+ "NOERROR",
+ "FORMERR",
+ "SERVFAIL",
+ "NXDOMAIN",
+ "NOTIMP",
+ "REFUSED",
+ "YXDOMAIN",
+ "YXRRSET",
+ "NXRRSET",
+ "NOTAUTH",
+ "NOTZONE",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15",
+ "BADVERS"
+};
+
+static const char *rtypetext[] = {
+ "rtype_0 = ", /* 0 */
+ "internet address = ", /* 1 */
+ "nameserver = ", /* 2 */
+ "md = ", /* 3 */
+ "mf = ", /* 4 */
+ "canonical name = ", /* 5 */
+ "soa = ", /* 6 */
+ "mb = ", /* 7 */
+ "mg = ", /* 8 */
+ "mr = ", /* 9 */
+ "rtype_10 = ", /* 10 */
+ "protocol = ", /* 11 */
+ "name = ", /* 12 */
+ "hinfo = ", /* 13 */
+ "minfo = ", /* 14 */
+ "mail exchanger = ", /* 15 */
+ "text = ", /* 16 */
+ "rp = ", /* 17 */
+ "afsdb = ", /* 18 */
+ "x25 address = ", /* 19 */
+ "isdn address = ", /* 20 */
+ "rt = ", /* 21 */
+ "nsap = ", /* 22 */
+ "nsap_ptr = ", /* 23 */
+ "signature = ", /* 24 */
+ "key = ", /* 25 */
+ "px = ", /* 26 */
+ "gpos = ", /* 27 */
+ "has AAAA address ", /* 28 */
+ "loc = ", /* 29 */
+ "next = ", /* 30 */
+ "rtype_31 = ", /* 31 */
+ "rtype_32 = ", /* 32 */
+ "service = ", /* 33 */
+ "rtype_34 = ", /* 34 */
+ "naptr = ", /* 35 */
+ "kx = ", /* 36 */
+ "cert = ", /* 37 */
+ "v6 address = ", /* 38 */
+ "dname = ", /* 39 */
+ "rtype_40 = ", /* 40 */
+ "optional = " /* 41 */
+};
+
+#define N_KNOWN_RRTYPES (sizeof(rtypetext) / sizeof(rtypetext[0]))
+
+static void flush_lookup_list(void);
+static void getinput(isc_task_t *task, isc_event_t *event);
+
+void
+dighost_shutdown(void) {
+ isc_event_t *event = global_event;
+
+ flush_lookup_list();
+ debug("dighost_shutdown()");
+
+ if (!in_use) {
+ isc_app_shutdown();
+ return;
+ }
+
+ isc_task_send(global_task, &event);
+}
+
+static void
+printsoa(dns_rdata_t *rdata) {
+ dns_rdata_soa_t soa;
+ isc_result_t result;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ result = dns_rdata_tostruct(rdata, &soa, NULL);
+ check_result(result, "dns_rdata_tostruct");
+
+ dns_name_format(&soa.origin, namebuf, sizeof(namebuf));
+ printf("\torigin = %s\n", namebuf);
+ dns_name_format(&soa.contact, namebuf, sizeof(namebuf));
+ printf("\tmail addr = %s\n", namebuf);
+ printf("\tserial = %u\n", soa.serial);
+ printf("\trefresh = %u\n", soa.refresh);
+ printf("\tretry = %u\n", soa.retry);
+ printf("\texpire = %u\n", soa.expire);
+ printf("\tminimum = %u\n", soa.minimum);
+ dns_rdata_freestruct(&soa);
+}
+
+static void
+printa(dns_rdata_t *rdata) {
+ isc_result_t result;
+ char text[sizeof("255.255.255.255")];
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, text, sizeof(text));
+ result = dns_rdata_totext(rdata, NULL, &b);
+ check_result(result, "dns_rdata_totext");
+ printf("Address: %.*s\n", (int)isc_buffer_usedlength(&b),
+ (char *)isc_buffer_base(&b));
+}
+#ifdef DIG_SIGCHASE
+/* Just for compatibility : not use in host program */
+isc_result_t
+printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+ isc_buffer_t *target)
+{
+ UNUSED(owner_name);
+ UNUSED(rdataset);
+ UNUSED(target);
+ return(ISC_FALSE);
+}
+#endif
+static void
+printrdata(dns_rdata_t *rdata) {
+ isc_result_t result;
+ isc_buffer_t *b = NULL;
+ unsigned int size = 1024;
+ isc_boolean_t done = ISC_FALSE;
+
+ if (rdata->type < N_KNOWN_RRTYPES)
+ printf("%s", rtypetext[rdata->type]);
+ else
+ printf("rdata_%d = ", rdata->type);
+
+ while (!done) {
+ result = isc_buffer_allocate(mctx, &b, size);
+ if (result != ISC_R_SUCCESS)
+ check_result(result, "isc_buffer_allocate");
+ result = dns_rdata_totext(rdata, NULL, b);
+ if (result == ISC_R_SUCCESS) {
+ printf("%.*s\n", (int)isc_buffer_usedlength(b),
+ (char *)isc_buffer_base(b));
+ done = ISC_TRUE;
+ } else if (result != ISC_R_NOSPACE)
+ check_result(result, "dns_rdata_totext");
+ isc_buffer_free(&b);
+ size *= 2;
+ }
+}
+
+static isc_result_t
+printsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
+ dns_section_t section) {
+ isc_result_t result, loopresult;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ UNUSED(query);
+ UNUSED(headers);
+
+ debug("printsection()");
+
+ result = dns_message_firstname(msg, section);
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_SUCCESS);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ for (;;) {
+ name = NULL;
+ dns_message_currentname(msg, section,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ loopresult = dns_rdataset_first(rdataset);
+ while (loopresult == ISC_R_SUCCESS) {
+ dns_rdataset_current(rdataset, &rdata);
+ switch (rdata.type) {
+ case dns_rdatatype_a:
+ if (section != DNS_SECTION_ANSWER)
+ goto def_short_section;
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ printf("Name:\t%s\n", namebuf);
+ printa(&rdata);
+ break;
+ case dns_rdatatype_soa:
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ printf("%s\n", namebuf);
+ printsoa(&rdata);
+ break;
+ default:
+ def_short_section:
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ printf("%s\t", namebuf);
+ printrdata(&rdata);
+ break;
+ }
+ dns_rdata_reset(&rdata);
+ loopresult = dns_rdataset_next(rdataset);
+ }
+ }
+ result = dns_message_nextname(msg, section);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
+ dns_section_t section) {
+ isc_result_t result, loopresult;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ UNUSED(query);
+
+ debug("detailsection()");
+
+ if (headers) {
+ switch (section) {
+ case DNS_SECTION_QUESTION:
+ puts(" QUESTIONS:");
+ break;
+ case DNS_SECTION_ANSWER:
+ puts(" ANSWERS:");
+ break;
+ case DNS_SECTION_AUTHORITY:
+ puts(" AUTHORITY RECORDS:");
+ break;
+ case DNS_SECTION_ADDITIONAL:
+ puts(" ADDITIONAL RECORDS:");
+ break;
+ }
+ }
+
+ result = dns_message_firstname(msg, section);
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_SUCCESS);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ for (;;) {
+ name = NULL;
+ dns_message_currentname(msg, section,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (section == DNS_SECTION_QUESTION) {
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ printf("\t%s, ", namebuf);
+ dns_rdatatype_format(rdataset->type,
+ namebuf,
+ sizeof(namebuf));
+ printf("type = %s, ", namebuf);
+ dns_rdataclass_format(rdataset->rdclass,
+ namebuf,
+ sizeof(namebuf));
+ printf("class = %s\n", namebuf);
+ }
+ loopresult = dns_rdataset_first(rdataset);
+ while (loopresult == ISC_R_SUCCESS) {
+ dns_rdataset_current(rdataset, &rdata);
+
+ dns_name_format(name, namebuf,
+ sizeof(namebuf));
+ printf(" -> %s\n", namebuf);
+
+ switch (rdata.type) {
+ case dns_rdatatype_soa:
+ printsoa(&rdata);
+ break;
+ default:
+ printf("\t");
+ printrdata(&rdata);
+ }
+ dns_rdata_reset(&rdata);
+ loopresult = dns_rdataset_next(rdataset);
+ }
+ }
+ result = dns_message_nextname(msg, section);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+void
+received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
+{
+ UNUSED(bytes);
+ UNUSED(from);
+ UNUSED(query);
+}
+
+void
+trying(char *frm, dig_lookup_t *lookup) {
+ UNUSED(frm);
+ UNUSED(lookup);
+
+}
+
+isc_result_t
+printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
+ char servtext[ISC_SOCKADDR_FORMATSIZE];
+
+ debug("printmessage()");
+
+ isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
+ printf("Server:\t\t%s\n", query->servname);
+ printf("Address:\t%s\n", servtext);
+
+ puts("");
+
+ if (!short_form) {
+ isc_boolean_t headers = ISC_TRUE;
+ puts("------------");
+ /* detailheader(query, msg);*/
+ detailsection(query, msg, headers, DNS_SECTION_QUESTION);
+ detailsection(query, msg, headers, DNS_SECTION_ANSWER);
+ detailsection(query, msg, headers, DNS_SECTION_AUTHORITY);
+ detailsection(query, msg, headers, DNS_SECTION_ADDITIONAL);
+ puts("------------");
+ }
+
+ if (msg->rcode != 0) {
+ char nametext[DNS_NAME_FORMATSIZE];
+ dns_name_format(query->lookup->name,
+ nametext, sizeof(nametext));
+ printf("** server can't find %s: %s\n", nametext,
+ rcodetext[msg->rcode]);
+ debug("returning with rcode == 0");
+ return (ISC_R_SUCCESS);
+ }
+
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0)
+ puts("Non-authoritative answer:");
+ if (!ISC_LIST_EMPTY(msg->sections[DNS_SECTION_ANSWER]))
+ printsection(query, msg, headers, DNS_SECTION_ANSWER);
+ else
+ printf("*** Can't find %s: No answer\n",
+ query->lookup->textname);
+
+ if (((msg->flags & DNS_MESSAGEFLAG_AA) == 0) &&
+ (query->lookup->rdtype != dns_rdatatype_a)) {
+ puts("\nAuthoritative answers can be found from:");
+ printsection(query, msg, headers,
+ DNS_SECTION_AUTHORITY);
+ printsection(query, msg, headers,
+ DNS_SECTION_ADDITIONAL);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static void
+show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
+ dig_server_t *srv;
+ isc_sockaddr_t sockaddr;
+ dig_searchlist_t *listent;
+
+ srv = ISC_LIST_HEAD(server_list);
+
+ while (srv != NULL) {
+ char sockstr[ISC_SOCKADDR_FORMATSIZE];
+
+ get_address(srv->servername, port, &sockaddr);
+ isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
+ printf("Default server: %s\nAddress: %s\n",
+ srv->servername, sockstr);
+ if (!full)
+ return;
+ srv = ISC_LIST_NEXT(srv, link);
+ }
+ if (serv_only)
+ return;
+ printf("\nSet options:\n");
+ printf(" %s\t\t\t%s\t\t%s\n",
+ tcpmode ? "vc" : "novc",
+ short_form ? "nodebug" : "debug",
+ debugging ? "d2" : "nod2");
+ printf(" %s\t\t%s\n",
+ usesearch ? "search" : "nosearch",
+ recurse ? "recurse" : "norecurse");
+ printf(" timeout = %d\t\tretry = %d\tport = %d\n",
+ timeout, tries, port);
+ printf(" querytype = %-8s\tclass = %s\n", deftype, defclass);
+ printf(" srchlist = ");
+ for (listent = ISC_LIST_HEAD(search_list);
+ listent != NULL;
+ listent = ISC_LIST_NEXT(listent, link)) {
+ printf("%s", listent->origin);
+ if (ISC_LIST_NEXT(listent, link) != NULL)
+ printf("/");
+ }
+ printf("\n");
+}
+
+static isc_boolean_t
+testtype(char *typetext) {
+ isc_result_t result;
+ isc_textregion_t tr;
+ dns_rdatatype_t rdtype;
+
+ tr.base = typetext;
+ tr.length = strlen(typetext);
+ result = dns_rdatatype_fromtext(&rdtype, &tr);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ else {
+ printf("unknown query type: %s\n", typetext);
+ return (ISC_FALSE);
+ }
+}
+
+static isc_boolean_t
+testclass(char *typetext) {
+ isc_result_t result;
+ isc_textregion_t tr;
+ dns_rdataclass_t rdclass;
+
+ tr.base = typetext;
+ tr.length = strlen(typetext);
+ result = dns_rdataclass_fromtext(&rdclass, &tr);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ else {
+ printf("unknown query class: %s\n", typetext);
+ return (ISC_FALSE);
+ }
+}
+
+static void
+safecpy(char *dest, char *src, int size) {
+ strncpy(dest, src, size);
+ dest[size-1] = 0;
+}
+
+static isc_result_t
+parse_uint(isc_uint32_t *uip, const char *value, isc_uint32_t max,
+ const char *desc) {
+ isc_uint32_t n;
+ isc_result_t result = isc_parse_uint32(&n, value, 10);
+ if (result == ISC_R_SUCCESS && n > max)
+ result = ISC_R_RANGE;
+ if (result != ISC_R_SUCCESS) {
+ printf("invalid %s '%s': %s\n", desc,
+ value, isc_result_totext(result));
+ return result;
+ }
+ *uip = n;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+set_port(const char *value) {
+ isc_uint32_t n;
+ isc_result_t result = parse_uint(&n, value, 65535, "port");
+ if (result == ISC_R_SUCCESS)
+ port = (isc_uint16_t) n;
+}
+
+static void
+set_timeout(const char *value) {
+ isc_uint32_t n;
+ isc_result_t result = parse_uint(&n, value, UINT_MAX, "timeout");
+ if (result == ISC_R_SUCCESS)
+ timeout = n;
+}
+
+static void
+set_tries(const char *value) {
+ isc_uint32_t n;
+ isc_result_t result = parse_uint(&n, value, INT_MAX, "tries");
+ if (result == ISC_R_SUCCESS)
+ tries = n;
+}
+
+static void
+setoption(char *opt) {
+ if (strncasecmp(opt, "all", 4) == 0) {
+ show_settings(ISC_TRUE, ISC_FALSE);
+ } else if (strncasecmp(opt, "class=", 6) == 0) {
+ if (testclass(&opt[6]))
+ safecpy(defclass, &opt[6], sizeof(defclass));
+ } else if (strncasecmp(opt, "cl=", 3) == 0) {
+ if (testclass(&opt[3]))
+ safecpy(defclass, &opt[3], sizeof(defclass));
+ } else if (strncasecmp(opt, "type=", 5) == 0) {
+ if (testtype(&opt[5]))
+ safecpy(deftype, &opt[5], sizeof(deftype));
+ } else if (strncasecmp(opt, "ty=", 3) == 0) {
+ if (testtype(&opt[3]))
+ safecpy(deftype, &opt[3], sizeof(deftype));
+ } else if (strncasecmp(opt, "querytype=", 10) == 0) {
+ if (testtype(&opt[10]))
+ safecpy(deftype, &opt[10], sizeof(deftype));
+ } else if (strncasecmp(opt, "query=", 6) == 0) {
+ if (testtype(&opt[6]))
+ safecpy(deftype, &opt[6], sizeof(deftype));
+ } else if (strncasecmp(opt, "qu=", 3) == 0) {
+ if (testtype(&opt[3]))
+ safecpy(deftype, &opt[3], sizeof(deftype));
+ } else if (strncasecmp(opt, "q=", 2) == 0) {
+ if (testtype(&opt[2]))
+ safecpy(deftype, &opt[2], sizeof(deftype));
+ } else if (strncasecmp(opt, "domain=", 7) == 0) {
+ safecpy(domainopt, &opt[7], sizeof(domainopt));
+ set_search_domain(domainopt);
+ usesearch = ISC_TRUE;
+ } else if (strncasecmp(opt, "do=", 3) == 0) {
+ safecpy(domainopt, &opt[3], sizeof(domainopt));
+ set_search_domain(domainopt);
+ usesearch = ISC_TRUE;
+ } else if (strncasecmp(opt, "port=", 5) == 0) {
+ set_port(&opt[5]);
+ } else if (strncasecmp(opt, "po=", 3) == 0) {
+ set_port(&opt[3]);
+ } else if (strncasecmp(opt, "timeout=", 8) == 0) {
+ set_timeout(&opt[8]);
+ } else if (strncasecmp(opt, "t=", 2) == 0) {
+ set_timeout(&opt[2]);
+ } else if (strncasecmp(opt, "rec", 3) == 0) {
+ recurse = ISC_TRUE;
+ } else if (strncasecmp(opt, "norec", 5) == 0) {
+ recurse = ISC_FALSE;
+ } else if (strncasecmp(opt, "retry=", 6) == 0) {
+ set_tries(&opt[6]);
+ } else if (strncasecmp(opt, "ret=", 4) == 0) {
+ set_tries(&opt[4]);
+ } else if (strncasecmp(opt, "def", 3) == 0) {
+ usesearch = ISC_TRUE;
+ } else if (strncasecmp(opt, "nodef", 5) == 0) {
+ usesearch = ISC_FALSE;
+ } else if (strncasecmp(opt, "vc", 3) == 0) {
+ tcpmode = ISC_TRUE;
+ } else if (strncasecmp(opt, "novc", 5) == 0) {
+ tcpmode = ISC_FALSE;
+ } else if (strncasecmp(opt, "deb", 3) == 0) {
+ short_form = ISC_FALSE;
+ } else if (strncasecmp(opt, "nodeb", 5) == 0) {
+ short_form = ISC_TRUE;
+ } else if (strncasecmp(opt, "d2", 2) == 0) {
+ debugging = ISC_TRUE;
+ } else if (strncasecmp(opt, "nod2", 4) == 0) {
+ debugging = ISC_FALSE;
+ } else if (strncasecmp(opt, "search", 3) == 0) {
+ usesearch = ISC_TRUE;
+ } else if (strncasecmp(opt, "nosearch", 5) == 0) {
+ usesearch = ISC_FALSE;
+ } else if (strncasecmp(opt, "sil", 3) == 0) {
+ /* deprecation_msg = ISC_FALSE; */
+ } else {
+ printf("*** Invalid option: %s\n", opt);
+ }
+}
+
+static void
+addlookup(char *opt) {
+ dig_lookup_t *lookup;
+ isc_result_t result;
+ isc_textregion_t tr;
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ char store[MXNAME];
+
+ debug("addlookup()");
+ tr.base = deftype;
+ tr.length = strlen(deftype);
+ result = dns_rdatatype_fromtext(&rdtype, &tr);
+ if (result != ISC_R_SUCCESS) {
+ printf("unknown query type: %s\n", deftype);
+ rdclass = dns_rdatatype_a;
+ }
+ tr.base = defclass;
+ tr.length = strlen(defclass);
+ result = dns_rdataclass_fromtext(&rdclass, &tr);
+ if (result != ISC_R_SUCCESS) {
+ printf("unknown query class: %s\n", defclass);
+ rdclass = dns_rdataclass_in;
+ }
+ lookup = make_empty_lookup();
+ if (get_reverse(store, sizeof(store), opt, lookup->ip6_int, ISC_TRUE)
+ == ISC_R_SUCCESS) {
+ safecpy(lookup->textname, store, sizeof(lookup->textname));
+ lookup->rdtype = dns_rdatatype_ptr;
+ lookup->rdtypeset = ISC_TRUE;
+ } else {
+ safecpy(lookup->textname, opt, sizeof(lookup->textname));
+ lookup->rdtype = rdtype;
+ lookup->rdtypeset = ISC_TRUE;
+ }
+ lookup->rdclass = rdclass;
+ lookup->rdclassset = ISC_TRUE;
+ lookup->trace = ISC_FALSE;
+ lookup->trace_root = lookup->trace;
+ lookup->ns_search_only = ISC_FALSE;
+ lookup->identify = identify;
+ lookup->recurse = recurse;
+ lookup->aaonly = aaonly;
+ lookup->retries = tries;
+ lookup->udpsize = 0;
+ lookup->comments = comments;
+ lookup->tcp_mode = tcpmode;
+ lookup->stats = stats;
+ lookup->section_question = section_question;
+ lookup->section_answer = section_answer;
+ lookup->section_authority = section_authority;
+ lookup->section_additional = section_additional;
+ lookup->new_search = ISC_TRUE;
+ ISC_LIST_INIT(lookup->q);
+ ISC_LINK_INIT(lookup, link);
+ ISC_LIST_APPEND(lookup_list, lookup, link);
+ lookup->origin = NULL;
+ ISC_LIST_INIT(lookup->my_server_list);
+ debug("looking up %s", lookup->textname);
+}
+
+static void
+get_next_command(void) {
+ char *buf;
+ char *ptr, *arg;
+ char *input;
+
+ fflush(stdout);
+ buf = isc_mem_allocate(mctx, COMMSIZE);
+ if (buf == NULL)
+ fatal("memory allocation failure");
+ fputs("> ", stderr);
+ isc_app_block();
+ ptr = fgets(buf, COMMSIZE, stdin);
+ isc_app_unblock();
+ if (ptr == NULL) {
+ in_use = ISC_FALSE;
+ goto cleanup;
+ }
+ input = buf;
+ ptr = next_token(&input, " \t\r\n");
+ if (ptr == NULL)
+ goto cleanup;
+ arg = next_token(&input, " \t\r\n");
+ if ((strcasecmp(ptr, "set") == 0) &&
+ (arg != NULL))
+ setoption(arg);
+ else if ((strcasecmp(ptr, "server") == 0) ||
+ (strcasecmp(ptr, "lserver") == 0)) {
+ set_nameserver(arg);
+ show_settings(ISC_TRUE, ISC_TRUE);
+ } else if (strcasecmp(ptr, "exit") == 0) {
+ in_use = ISC_FALSE;
+ goto cleanup;
+ } else if (strcasecmp(ptr, "help") == 0 ||
+ strcasecmp(ptr, "?") == 0) {
+ printf("The '%s' command is not yet implemented.\n", ptr);
+ goto cleanup;
+ } else if (strcasecmp(ptr, "finger") == 0 ||
+ strcasecmp(ptr, "root") == 0 ||
+ strcasecmp(ptr, "ls") == 0 ||
+ strcasecmp(ptr, "view") == 0) {
+ printf("The '%s' command is not implemented.\n", ptr);
+ goto cleanup;
+ } else
+ addlookup(ptr);
+ cleanup:
+ isc_mem_free(mctx, buf);
+}
+
+static void
+parse_args(int argc, char **argv) {
+ isc_boolean_t have_lookup = ISC_FALSE;
+
+ usesearch = ISC_TRUE;
+ for (argc--, argv++; argc > 0; argc--, argv++) {
+ debug("main parsing %s", argv[0]);
+ if (argv[0][0] == '-') {
+ if (argv[0][1] != 0)
+ setoption(&argv[0][1]);
+ else
+ have_lookup = ISC_TRUE;
+ } else {
+ if (!have_lookup) {
+ have_lookup = ISC_TRUE;
+ in_use = ISC_TRUE;
+ addlookup(argv[0]);
+ }
+ else
+ set_nameserver(argv[0]);
+ }
+ }
+}
+
+static void
+flush_lookup_list(void) {
+ dig_lookup_t *l, *lp;
+ dig_query_t *q, *qp;
+ dig_server_t *s, *sp;
+
+ lookup_counter = 0;
+ l = ISC_LIST_HEAD(lookup_list);
+ while (l != NULL) {
+ q = ISC_LIST_HEAD(l->q);
+ while (q != NULL) {
+ if (q->sock != NULL) {
+ isc_socket_cancel(q->sock, NULL,
+ ISC_SOCKCANCEL_ALL);
+ isc_socket_detach(&q->sock);
+ }
+ if (ISC_LINK_LINKED(&q->recvbuf, link))
+ ISC_LIST_DEQUEUE(q->recvlist, &q->recvbuf,
+ link);
+ if (ISC_LINK_LINKED(&q->lengthbuf, link))
+ ISC_LIST_DEQUEUE(q->lengthlist, &q->lengthbuf,
+ link);
+ isc_buffer_invalidate(&q->recvbuf);
+ isc_buffer_invalidate(&q->lengthbuf);
+ qp = q;
+ q = ISC_LIST_NEXT(q, link);
+ ISC_LIST_DEQUEUE(l->q, qp, link);
+ isc_mem_free(mctx, qp);
+ }
+ s = ISC_LIST_HEAD(l->my_server_list);
+ while (s != NULL) {
+ sp = s;
+ s = ISC_LIST_NEXT(s, link);
+ ISC_LIST_DEQUEUE(l->my_server_list, sp, link);
+ isc_mem_free(mctx, sp);
+
+ }
+ if (l->sendmsg != NULL)
+ dns_message_destroy(&l->sendmsg);
+ if (l->timer != NULL)
+ isc_timer_detach(&l->timer);
+ lp = l;
+ l = ISC_LIST_NEXT(l, link);
+ ISC_LIST_DEQUEUE(lookup_list, lp, link);
+ isc_mem_free(mctx, lp);
+ }
+}
+
+static void
+getinput(isc_task_t *task, isc_event_t *event) {
+ UNUSED(task);
+ if (global_event == NULL)
+ global_event = event;
+ while (in_use) {
+ get_next_command();
+ if (ISC_LIST_HEAD(lookup_list) != NULL) {
+ start_lookup();
+ return;
+ }
+ }
+ isc_app_shutdown();
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+
+ ISC_LIST_INIT(lookup_list);
+ ISC_LIST_INIT(server_list);
+ ISC_LIST_INIT(search_list);
+
+ result = isc_app_start();
+ check_result(result, "isc_app_start");
+
+ setup_libs();
+ progname = argv[0];
+
+ parse_args(argc, argv);
+
+ setup_system();
+ if (domainopt[0] != '\0')
+ set_search_domain(domainopt);
+ if (in_use)
+ result = isc_app_onrun(mctx, global_task, onrun_callback,
+ NULL);
+ else
+ result = isc_app_onrun(mctx, global_task, getinput, NULL);
+ check_result(result, "isc_app_onrun");
+ in_use = ISC_TF(!in_use);
+
+ (void)isc_app_run();
+
+ puts("");
+ debug("done, and starting to shut down");
+ if (global_event != NULL)
+ isc_event_free(&global_event);
+ cancel_all();
+ destroy_libs();
+ isc_app_finish();
+
+ return (0);
+}
diff --git a/contrib/bind9/bin/dig/nslookup.docbook b/contrib/bind9/bin/dig/nslookup.docbook
new file mode 100644
index 0000000..134e5b3
--- /dev/null
+++ b/contrib/bind9/bin/dig/nslookup.docbook
@@ -0,0 +1,320 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nslookup.docbook,v 1.3.6.3 2004/08/30 00:50:11 marka Exp $ -->
+
+<!--
+ - Copyright (c) 1985, 1989
+ - The Regents of the University of California. All rights reserved.
+ -
+ - Redistribution and use in source and binary forms, with or without
+ - modification, are permitted provided that the following conditions
+ - are met:
+ - 1. Redistributions of source code must retain the above copyright
+ - notice, this list of conditions and the following disclaimer.
+ - 2. Redistributions in binary form must reproduce the above copyright
+ - notice, this list of conditions and the following disclaimer in the
+ - documentation and/or other materials provided with the distribution.
+ - 3. All advertising materials mentioning features or use of this software
+ - must display the following acknowledgement:
+ - This product includes software developed by the University of
+ - California, Berkeley and its contributors.
+ - 4. Neither the name of the University nor the names of its contributors
+ - may be used to endorse or promote products derived from this software
+ - without specific prior written permission.
+ -
+ - THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ - ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ - ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ - FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ - DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ - OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ - HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ - LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ - OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ - SUCH DAMAGE.
+-->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>nslookup</refentrytitle>
+<manvolnum>1</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>nslookup</refname>
+<refpurpose>query Internet name servers interactively</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<cmdsynopsis>
+ <command>nslookup</command>
+ <arg><option>-option</option></arg>
+ <arg choice=opt>name | -</arg>
+ <arg choice=opt>server</arg>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<command>Nslookup</command>
+is a program to query Internet domain name servers. <command>Nslookup</command>
+has two modes: interactive and non-interactive. Interactive mode allows
+the user to query name servers for information about various hosts and
+domains or to print a list of hosts in a domain. Non-interactive mode is
+used to print just the name and requested information for a host or
+domain.
+</para>
+</refsect1>
+
+<refsect1>
+<title>ARGUMENTS</title>
+<para>
+Interactive mode is entered in the following cases:
+<OrderedList Numeration=Loweralpha>
+<Listitem>
+<para>
+when no arguments are given (the default name server will be used)
+</para>
+</Listitem>
+<Listitem>
+<para>
+when the first argument is a hyphen (-) and the second argument is
+the host name or Internet address of a name server.
+</para>
+</Listitem>
+</OrderedList>
+</para>
+
+<para>
+Non-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.
+</para>
+
+<para>
+Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to
+change the default query type to host information, and the initial timeout to 10 seconds, type:
+<InformalExample>
+<PROGRAMLISTING>
+nslookup -query=hinfo -timeout=10
+</PROGRAMLISTING>
+</InformalExample>
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>INTERACTIVE COMMANDS</title>
+<variablelist>
+<varlistentry><term>host <optional>server</optional></term>
+<listitem><para>
+Look up information for host using the current default server or
+using server, if specified. If host is an Internet address and
+the query type is A or PTR, the name of the host is returned.
+If host is a name and does not have a trailing period, the
+search list is used to qualify the name.
+</para>
+
+<para>
+To look up a host not in the current domain, append a period to
+the name.
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>server</constant> <replaceable class="parameter">domain</replaceable></term>
+<listitem><para></para></listitem></varlistentry>
+<varlistentry><term><constant>lserver</constant> <replaceable class="parameter">domain</replaceable></term>
+<listitem><para>
+Change the default server to <replaceable>domain</replaceable>; <constant>lserver</constant> uses the initial
+server to look up information about <replaceable>domain</replaceable>, while <constant>server</constant> uses
+the current default server. If an authoritative answer can't be
+found, the names of servers that might have the answer are
+returned.
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>root</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>finger</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>ls</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>view</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>help</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>?</constant></term>
+<listitem><para>not implemented</para></listitem></varlistentry>
+
+<varlistentry><term><constant>exit</constant></term>
+<listitem><para>Exits the program.</para></listitem></varlistentry>
+
+<varlistentry><term><constant>set</constant> <replaceable>keyword<optional>=value</optional></replaceable></term>
+<listitem><para>This command is used to change state information that affects
+the lookups. Valid keywords are:
+ <variablelist>
+ <varlistentry><term><constant>all</constant></term>
+ <listitem>
+ <para>Prints the current values of the frequently used
+ options to <command>set</command>. Information about the current default
+ server and host is also printed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry><term><constant>class=</constant><replaceable>value</replaceable></term>
+ <listitem><para>
+ Change the query class to one of:
+ <variablelist>
+ <varlistentry><term><constant>IN</constant></term>
+ <listitem><para>the Internet class</para></listitem></varlistentry>
+ <varlistentry><term><constant>CH</constant></term>
+ <listitem><para>the Chaos class</para></listitem></varlistentry>
+ <varlistentry><term><constant>HS</constant></term>
+ <listitem><para>the Hesiod class</para></listitem></varlistentry>
+ <varlistentry><term><constant>ANY</constant></term>
+ <listitem><para>wildcard</para></listitem></varlistentry>
+ </variablelist>
+ The class specifies the protocol group of the information.
+ </para><para>
+ (Default = IN; abbreviation = cl)
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>debug</constant></term>
+ <listitem><para>
+ Turn debugging mode on. A lot more information is
+ printed about the packet sent to the server and the
+ resulting answer.
+ </para><para>
+ (Default = nodebug; abbreviation = <optional>no</optional>deb)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>d2</constant></term>
+ <listitem><para>
+ Turn debugging mode on. A lot more information is
+ printed about the packet sent to the server and the
+ resulting answer.
+ </para><para>
+ (Default = nod2)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant>domain=</constant><replaceable>name</replaceable></term>
+ <listitem><para>
+ Sets the search list to <replaceable>name</replaceable>.
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>search</constant></term>
+ <listitem><para>
+ If the lookup request contains at least one period but
+ doesn't end with a trailing period, append the domain
+ names in the domain search list to the request until an
+ answer is received.
+ </para><para>
+ (Default = search)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant>port=</constant><replaceable>value</replaceable></term>
+ <listitem><para>
+ Change the default TCP/UDP name server port to <replaceable>value</replaceable>.
+ </para><para>
+ (Default = 53; abbreviation = po)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant>querytype=</constant><replaceable>value</replaceable></term>
+ <listitem><para></para></listitem></varlistentry>
+
+ <varlistentry><term><constant>type=</constant><replaceable>value</replaceable></term>
+ <listitem><para>
+ Change the top of the information query.
+ </para><para>
+ (Default = A; abbreviations = q, ty)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>recurse</constant></term>
+ <listitem><para>
+ Tell the name server to query other servers if it does not have the
+ information.
+ </para><para>
+ (Default = recurse; abbreviation = [no]rec)
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant>retry=</constant><replaceable>number</replaceable></term>
+ <listitem><para>
+ Set the number of retries to number.
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant>timeout=</constant><replaceable>number</replaceable></term>
+ <listitem><para>
+ Change the initial timeout interval for waiting for a
+ reply to number seconds.
+ </para></listitem></varlistentry>
+
+ <varlistentry><term><constant><replaceable><optional>no</optional></replaceable>vc</constant></term>
+ <listitem><para>
+ Always use a virtual circuit when sending requests to the server.
+ </para><para>
+ (Default = novc)
+ </para></listitem></varlistentry>
+
+ </variablelist>
+</para></listitem></varlistentry>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+<para>
+<filename>/etc/resolv.conf</filename>
+</para>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+</para>
+</refsect1>
+
+<refsect1>
+<title>Author</title>
+<para>
+Andrew Cherenson
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/bin/dig/nslookup.html b/contrib/bind9/bin/dig/nslookup.html
new file mode 100644
index 0000000..e353377
--- /dev/null
+++ b/contrib/bind9/bin/dig/nslookup.html
@@ -0,0 +1,617 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nslookup.html,v 1.1.6.3 2004/08/22 23:38:58 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>nslookup</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>nslookup</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>nslookup&nbsp;--&nbsp;query Internet name servers interactively</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>nslookup</B
+> [<VAR
+CLASS="OPTION"
+>-option</VAR
+>] [name | -] [server]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN18"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>Nslookup</B
+>
+is a program to query Internet domain name servers. <B
+CLASS="COMMAND"
+>Nslookup</B
+>
+has two modes: interactive and non-interactive. Interactive mode allows
+the user to query name servers for information about various hosts and
+domains or to print a list of hosts in a domain. Non-interactive mode is
+used to print just the name and requested information for a host or
+domain.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN23"
+></A
+><H2
+>ARGUMENTS</H2
+><P
+>Interactive mode is entered in the following cases:
+<P
+></P
+><OL
+TYPE="a"
+><LI
+><P
+>when no arguments are given (the default name server will be used)</P
+></LI
+><LI
+><P
+>when the first argument is a hyphen (-) and the second argument is
+the host name or Internet address of a name server.</P
+></LI
+></OL
+></P
+><P
+>Non-interactive mode is used when the name or Internet address of the
+host to be looked up is given as the first argument. The optional second
+argument specifies the host name or address of a name server.</P
+><P
+>Options can also be specified on the command line if they precede the
+arguments and are prefixed with a hyphen. For example, to
+change the default query type to host information, and the initial timeout to 10 seconds, type:
+<DIV
+CLASS="INFORMALEXAMPLE"
+><P
+></P
+><A
+NAME="AEN33"
+></A
+><PRE
+CLASS="PROGRAMLISTING"
+>nslookup -query=hinfo -timeout=10</PRE
+><P
+></P
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN35"
+></A
+><H2
+>INTERACTIVE COMMANDS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>host [<SPAN
+CLASS="OPTIONAL"
+>server</SPAN
+>]</DT
+><DD
+><P
+>Look up information for host using the current default server or
+using server, if specified. If host is an Internet address and
+the query type is A or PTR, the name of the host is returned.
+If host is a name and does not have a trailing period, the
+search list is used to qualify the name.</P
+><P
+>To look up a host not in the current domain, append a period to
+the name.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>server</CODE
+> <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+></DT
+><DD
+><P
+></P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>lserver</CODE
+> <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+></DT
+><DD
+><P
+>Change the default server to <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+>; <CODE
+CLASS="CONSTANT"
+>lserver</CODE
+> uses the initial
+server to look up information about <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+>, while <CODE
+CLASS="CONSTANT"
+>server</CODE
+> uses
+the current default server. If an authoritative answer can't be
+found, the names of servers that might have the answer are
+returned.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>root</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>finger</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ls</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>view</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>help</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>?</CODE
+></DT
+><DD
+><P
+>not implemented</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>exit</CODE
+></DT
+><DD
+><P
+>Exits the program.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>set</CODE
+> <VAR
+CLASS="REPLACEABLE"
+>keyword[<SPAN
+CLASS="OPTIONAL"
+>=value</SPAN
+>]</VAR
+></DT
+><DD
+><P
+>This command is used to change state information that affects
+the lookups. Valid keywords are:
+ <P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>all</CODE
+></DT
+><DD
+><P
+>Prints the current values of the frequently used
+ options to <B
+CLASS="COMMAND"
+>set</B
+>. Information about the current default
+ server and host is also printed.
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>class=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>value</VAR
+></DT
+><DD
+><P
+> Change the query class to one of:
+ <P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>IN</CODE
+></DT
+><DD
+><P
+>the Internet class</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>CH</CODE
+></DT
+><DD
+><P
+>the Chaos class</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>HS</CODE
+></DT
+><DD
+><P
+>the Hesiod class</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ANY</CODE
+></DT
+><DD
+><P
+>wildcard</P
+></DD
+></DL
+></DIV
+>
+ The class specifies the protocol group of the information.
+ </P
+><P
+> (Default = IN; abbreviation = cl)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+><VAR
+CLASS="REPLACEABLE"
+>[<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]</VAR
+>debug</CODE
+></DT
+><DD
+><P
+> Turn debugging mode on. A lot more information is
+ printed about the packet sent to the server and the
+ resulting answer.
+ </P
+><P
+> (Default = nodebug; abbreviation = [<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]deb)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+><VAR
+CLASS="REPLACEABLE"
+>[<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]</VAR
+>d2</CODE
+></DT
+><DD
+><P
+> Turn debugging mode on. A lot more information is
+ printed about the packet sent to the server and the
+ resulting answer.
+ </P
+><P
+> (Default = nod2)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>domain=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>name</VAR
+></DT
+><DD
+><P
+> Sets the search list to <VAR
+CLASS="REPLACEABLE"
+>name</VAR
+>.
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+><VAR
+CLASS="REPLACEABLE"
+>[<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]</VAR
+>search</CODE
+></DT
+><DD
+><P
+> If the lookup request contains at least one period but
+ doesn't end with a trailing period, append the domain
+ names in the domain search list to the request until an
+ answer is received.
+ </P
+><P
+> (Default = search)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>port=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>value</VAR
+></DT
+><DD
+><P
+> Change the default TCP/UDP name server port to <VAR
+CLASS="REPLACEABLE"
+>value</VAR
+>.
+ </P
+><P
+> (Default = 53; abbreviation = po)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>querytype=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>value</VAR
+></DT
+><DD
+><P
+></P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>type=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>value</VAR
+></DT
+><DD
+><P
+> Change the top of the information query.
+ </P
+><P
+> (Default = A; abbreviations = q, ty)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+><VAR
+CLASS="REPLACEABLE"
+>[<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]</VAR
+>recurse</CODE
+></DT
+><DD
+><P
+> Tell the name server to query other servers if it does not have the
+ information.
+ </P
+><P
+> (Default = recurse; abbreviation = [no]rec)
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>retry=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>number</VAR
+></DT
+><DD
+><P
+> Set the number of retries to number.
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>timeout=</CODE
+><VAR
+CLASS="REPLACEABLE"
+>number</VAR
+></DT
+><DD
+><P
+> Change the initial timeout interval for waiting for a
+ reply to number seconds.
+ </P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+><VAR
+CLASS="REPLACEABLE"
+>[<SPAN
+CLASS="OPTIONAL"
+>no</SPAN
+>]</VAR
+>vc</CODE
+></DT
+><DD
+><P
+> Always use a virtual circuit when sending requests to the server.
+ </P
+><P
+> (Default = novc)
+ </P
+></DD
+></DL
+></DIV
+></P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN218"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN222"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dig</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>host</SPAN
+>(1)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN234"
+></A
+><H2
+>Author</H2
+><P
+>Andrew Cherenson</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dnssec/Makefile.in b/contrib/bind9/bin/dnssec/Makefile.in
new file mode 100644
index 0000000..993c54e
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.19.12.9 2004/07/20 07:01:48 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES = -DVERSION=\"${VERSION}\"
+CWARNINGS =
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+# Alphabetically
+TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
+
+OBJS = dnssectool.@O@
+
+SRCS = dnssec-keygen.c dnssec-signzone.c dnssectool.c
+
+MANPAGES = dnssec-keygen.8 dnssec-signzone.8
+
+HTMLPAGES = dnssec-keygen.html dnssec-signzone.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-keygen.@O@ ${OBJS} ${LIBS}
+
+dnssec-signzone.@O@: dnssec-signzone.c
+ ${LIBTOOL_MODE_COMPILE} ${PURIFY} ${CC} ${ALL_CFLAGS} -c $<
+
+dnssec-signzone@EXEEXT@: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ dnssec-signzone.@O@ ${OBJS} ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+ for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
+
+clean distclean::
+ rm -f ${TARGETS}
+
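Review bot: In the `install::` recipe each `for` loop returns only the status of its last iteration, so unless the recipe shell runs with `-e`, a failed `${INSTALL_PROGRAM}` for dnssec-keygen is masked when dnssec-signzone installs cleanly, and make reports success on a partial install. Ending the loop body with `|| exit 1`, as in `for t in ${TARGETS}; do ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir} || exit 1; done`, and doing the same in the `${MANPAGES}` loop, makes the failure visible. The rules substituted for `@BIND9_MAKE_RULES@` are not visible here, so whether they already change the shell's error handling cannot be confirmed from this hunk.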
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8
new file mode 100644
index 0000000..235c26e
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8
@@ -0,0 +1,174 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-keygen.8,v 1.19.12.5 2004/06/11 02:32:45 marka Exp $
+.\"
+.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-f \fIflag\fB\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-k\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-keygen\fR generates keys for DNSSEC
+(Secure DNS), as defined in RFC 2535 and RFC <TBA\\>. It can also generate
+keys for use with TSIG (Transaction Signatures), as
+defined in RFC 2845.
+.SH "OPTIONS"
+.TP
+\fB-a \fIalgorithm\fB\fR
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR must be one of RSAMD5 (RSA) or RSASHA1,
+DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+are case insensitive.
+
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+
+Note 2: HMAC-MD5 and DH automatically set the -k flag.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the number of bits in the key. The choice of key
+size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
+512 and 2048 bits. Diffie Hellman keys must be between
+128 and 4096 bits. DSA keys must be between 512 and 1024
+bits and an exact multiple of 64. HMAC-MD5 keys must be
+between 1 and 512 bits.
+.TP
+\fB-n \fInametype\fB\fR
+Specifies the owner type of the key. The value of
+\fBnametype\fR must either be ZONE (for a DNSSEC
+zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
+case insensitive.
+.TP
+\fB-c \fIclass\fB\fR
+Indicates that the DNS record containing the key should have
+the specified class. If not specified, class IN is used.
+.TP
+\fB-e\fR
+If generating an RSAMD5/RSASHA1 key, use a large exponent.
+.TP
+\fB-f \fIflag\fB\fR
+Set the specified flag in the flag field of the KEY/DNSKEY record.
+The only recognized flag is KSK (Key Signing Key) DNSKEY.
+.TP
+\fB-g \fIgenerator\fB\fR
+If generating a Diffie Hellman key, use this generator.
+Allowed values are 2 and 5. If no generator
+is specified, a known prime from RFC 2539 will be used
+if possible; otherwise the default is 2.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-keygen\fR.
+.TP
+\fB-k\fR
+Generate KEY records rather than DNSKEY records.
+.TP
+\fB-p \fIprotocol\fB\fR
+Sets the protocol value for the generated key. The protocol
+is a number between 0 and 255. The default is 3 (DNSSEC).
+Other possible values for this argument are listed in
+RFC 2535 and its successors.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIstrength\fB\fR
+Specifies the strength value of the key. The strength is
+a number between 0 and 15, and currently has no defined
+purpose in DNSSEC.
+.TP
+\fB-t \fItype\fB\fR
+Indicates the use of the key. \fBtype\fR must be
+one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate
+data, and CONF the ability to encrypt data.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.SH "GENERATED KEYS"
+.PP
+When \fBdnssec-keygen\fR completes successfully,
+it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for
+the key it has generated. These strings can be used as arguments
+to \fBdnssec-makekeyset\fR.
+.TP 0.2i
+\(bu
+\fInnnn\fR is the key name.
+.TP 0.2i
+\(bu
+\fIaaa\fR is the numeric representation of the
+algorithm.
+.TP 0.2i
+\(bu
+\fIiiiii\fR is the key identifier (or footprint).
+.PP
+\fBdnssec-keygen\fR creates two file, with names based
+on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR contains the private
+key.
+.PP
+.PP
+The \fI.key\fR file contains a DNS KEY record that
+can be inserted into a zone file (directly or with a $INCLUDE
+statement).
+.PP
+.PP
+The \fI.private\fR file contains algorithm specific
+fields. For obvious security reasons, this file does not have
+general read permission.
+.PP
+.PP
+Both \fI.key\fR and \fI.private\fR
+files are generated for symmetric encryption algorithm such as
+HMAC-MD5, even though the public and private key are equivalent.
+.PP
+.SH "EXAMPLE"
+.PP
+To generate a 768-bit DSA key for the domain
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
+.PP
+The command would print a string of the form:
+.PP
+\fBKexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-keygen\fR creates
+the files \fIKexample.com.+003+26160.key\fR and
+\fIKexample.com.+003+26160.private\fR
+.SH "SEE ALSO"
+.PP
+\fBdnssec-signzone\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR,
+\fIRFC 2845\fR,
+\fIRFC 2539\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c
new file mode 100644
index 0000000..7feaf7c
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c
@@ -0,0 +1,415 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-keygen.c,v 1.48.2.1.10.11 2004/06/11 01:17:34 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keygen";
+int verbose;
+
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5";
+
+static isc_boolean_t
+dsa_size_ok(int size) {
+ return (ISC_TF(size >= 512 && size <= 1024 && size % 64 == 0));
+}
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s -a alg -b bits -n type [options] name\n\n",
+ program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "Required options:\n");
+ fprintf(stderr, " -a algorithm: %s\n", algs);
+ fprintf(stderr, " -b key size, in bits:\n");
+ fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " DH:\t\t[128..4096]\n");
+ fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
+ fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
+ fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+ fprintf(stderr, " name: owner of the key\n");
+ fprintf(stderr, "Other options:\n");
+ fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " -e use large exponent (RSAMD5/RSASHA1 only)\n");
+ fprintf(stderr, " -f keyflag: KSK\n");
+ fprintf(stderr, " -g <generator> use specified generator "
+ "(DH only)\n");
+ fprintf(stderr, " -t <type>: "
+ "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+ "(default: AUTHCONF)\n");
+ fprintf(stderr, " -p <protocol>: "
+ "default: 3 [dnssec]\n");
+ fprintf(stderr, " -s <strength> strength value this key signs DNS "
+ "records with (default: 0)\n");
+ fprintf(stderr, " -r <randomdev>: a file containing random data\n");
+ fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -k : generate a TYPE=KEY key\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<id>.key, "
+ "K<name>+<alg>+<id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ char *algname = NULL, *nametype = NULL, *type = NULL;
+ char *classname = NULL;
+ char *endp;
+ dst_key_t *key = NULL, *oldkey;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_uint16_t flags = 0, ksk = 0;
+ dns_secalg_t alg;
+ isc_boolean_t conflict = ISC_FALSE, null_key = ISC_FALSE;
+ isc_mem_t *mctx = NULL;
+ int ch, rsa_exp = 0, generator = 0, param = 0;
+ int protocol = -1, size = -1, signatory = 0;
+ isc_result_t ret;
+ isc_textregion_t r;
+ char filename[255];
+ isc_buffer_t buf;
+ isc_log_t *log = NULL;
+ isc_entropy_t *ectx = NULL;
+ dns_rdataclass_t rdclass;
+ int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+
+ if (argc == 1)
+ usage();
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+ dns_result_register();
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:b:c:ef:g:kn:t:p:s:r:v:h")) != -1)
+ {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ break;
+ case 'b':
+ size = strtol(isc_commandline_argument, &endp, 10);
+ if (*endp != '\0' || size < 0)
+ fatal("-b requires a non-negative number");
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+ case 'e':
+ rsa_exp = 1;
+ break;
+ case 'f':
+ if (strcasecmp(isc_commandline_argument, "KSK") == 0)
+ ksk = DNS_KEYFLAG_KSK;
+ else
+ fatal("unknown flag '%s'",
+ isc_commandline_argument);
+ break;
+ case 'g':
+ generator = strtol(isc_commandline_argument,
+ &endp, 10);
+ if (*endp != '\0' || generator <= 0)
+ fatal("-g requires a positive number");
+ break;
+ case 'k':
+ options |= DST_TYPE_KEY;
+ break;
+ case 'n':
+ nametype = isc_commandline_argument;
+ break;
+ case 't':
+ type = isc_commandline_argument;
+ break;
+ case 'p':
+ protocol = strtol(isc_commandline_argument, &endp, 10);
+ if (*endp != '\0' || protocol < 0 || protocol > 255)
+ fatal("-p must be followed by a number "
+ "[0..255]");
+ break;
+ case 's':
+ signatory = strtol(isc_commandline_argument,
+ &endp, 10);
+ if (*endp != '\0' || signatory < 0 || signatory > 15)
+ fatal("-s must be followed by a number "
+ "[0..15]");
+ break;
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
+ case 'v':
+ endp = NULL;
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+
+ case 'h':
+ usage();
+ default:
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, ch);
+ usage();
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ ret = dst_lib_init(mctx, ectx,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (ret != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+
+ setup_logging(verbose, mctx, &log);
+
+ if (argc < isc_commandline_index + 1)
+ fatal("the key name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("extraneous arguments");
+
+ if (algname == NULL)
+ fatal("no algorithm was specified");
+ if (strcasecmp(algname, "HMAC-MD5") == 0) {
+ options |= DST_TYPE_KEY;
+ alg = DST_ALG_HMACMD5;
+ } else {
+ r.base = algname;
+ r.length = strlen(algname);
+ ret = dns_secalg_fromtext(&alg, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown algorithm %s", algname);
+ if (alg == DST_ALG_DH)
+ options |= DST_TYPE_KEY;
+ }
+
+ if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+ if (strcasecmp(type, "NOAUTH") == 0)
+ flags |= DNS_KEYTYPE_NOAUTH;
+ else if (strcasecmp(type, "NOCONF") == 0)
+ flags |= DNS_KEYTYPE_NOCONF;
+ else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+ flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
+ if (size < 0)
+ size = 0;
+ }
+ else if (strcasecmp(type, "AUTHCONF") == 0)
+ /* nothing */;
+ else
+ fatal("invalid type %s", type);
+ }
+
+ if (size < 0)
+ fatal("key size not specified (-b option)");
+
+ switch (alg) {
+ case DNS_KEYALG_RSAMD5:
+ case DNS_KEYALG_RSASHA1:
+ if (size != 0 && (size < 512 || size > MAX_RSA))
+ fatal("RSA key size %d out of range", size);
+ break;
+ case DNS_KEYALG_DH:
+ if (size != 0 && (size < 128 || size > 4096))
+ fatal("DH key size %d out of range", size);
+ break;
+ case DNS_KEYALG_DSA:
+ if (size != 0 && !dsa_size_ok(size))
+ fatal("invalid DSS key size: %d", size);
+ break;
+ case DST_ALG_HMACMD5:
+ if (size < 1 || size > 512)
+ fatal("HMAC-MD5 key size %d out of range", size);
+ break;
+ }
+
+ if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
+ rsa_exp != 0)
+ fatal("specified RSA exponent for a non-RSA key");
+
+ if (alg != DNS_KEYALG_DH && generator != 0)
+ fatal("specified DH generator for a non-DH key");
+
+ if (nametype == NULL)
+ fatal("no nametype specified");
+ if (strcasecmp(nametype, "zone") == 0)
+ flags |= DNS_KEYOWNER_ZONE;
+ else if ((options & DST_TYPE_KEY) != 0) { /* KEY */
+ if (strcasecmp(nametype, "host") == 0 ||
+ strcasecmp(nametype, "entity") == 0)
+ flags |= DNS_KEYOWNER_ENTITY;
+ else if (strcasecmp(nametype, "user") == 0)
+ flags |= DNS_KEYOWNER_USER;
+ else
+ fatal("invalid KEY nametype %s", nametype);
+ } else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+ fatal("invalid DNSKEY nametype %s", nametype);
+
+ rdclass = strtoclass(classname);
+
+ if ((options & DST_TYPE_KEY) != 0) /* KEY */
+ flags |= signatory;
+ else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+ flags |= ksk;
+
+ if (protocol == -1)
+ protocol = DNS_KEYPROTO_DNSSEC;
+ else if ((options & DST_TYPE_KEY) == 0 &&
+ protocol != DNS_KEYPROTO_DNSSEC)
+ fatal("invalid DNSKEY protocol: %d", protocol);
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+ if (size > 0)
+ fatal("specified null key with non-zero size");
+ if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
+ fatal("specified null key with signing authority");
+ }
+
+ if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+ (alg == DNS_KEYALG_DH || alg == DST_ALG_HMACMD5))
+ fatal("a key with algorithm '%s' cannot be a zone key",
+ algname);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&buf, argv[isc_commandline_index],
+ strlen(argv[isc_commandline_index]));
+ isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+ ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+ if (ret != ISC_R_SUCCESS)
+ fatal("invalid key name %s: %s", argv[isc_commandline_index],
+ isc_result_totext(ret));
+
+ switch(alg) {
+ case DNS_KEYALG_RSAMD5:
+ case DNS_KEYALG_RSASHA1:
+ param = rsa_exp;
+ break;
+ case DNS_KEYALG_DH:
+ param = generator;
+ break;
+ case DNS_KEYALG_DSA:
+ case DST_ALG_HMACMD5:
+ param = 0;
+ break;
+ }
+
+ if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+ null_key = ISC_TRUE;
+
+ isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+ do {
+ conflict = ISC_FALSE;
+ oldkey = NULL;
+
+ /* generate the key */
+ ret = dst_key_generate(name, alg, size, param, flags, protocol,
+ rdclass, mctx, &key);
+ isc_entropy_stopcallbacksources(ectx);
+
+ if (ret != ISC_R_SUCCESS) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[ALG_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ alg_format(alg, algstr, sizeof(algstr));
+ fatal("failed to generate key %s/%s: %s\n",
+ namestr, algstr, isc_result_totext(ret));
+ exit(-1);
+ }
+
+ /*
+ * Try to read a key with the same name, alg and id from disk.
+ * If there is one we must continue generating a new one
+ * unless we were asked to generate a null key, in which
+ * case we return failure.
+ */
+ ret = dst_key_fromfile(name, dst_key_id(key), alg,
+ DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
+ /* do not overwrite an existing key */
+ if (ret == ISC_R_SUCCESS) {
+ dst_key_free(&oldkey);
+ conflict = ISC_TRUE;
+ if (null_key)
+ break;
+ }
+ if (conflict == ISC_TRUE) {
+ if (verbose > 0) {
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ fprintf(stderr,
+ "%s: %s already exists, "
+ "generating a new key\n",
+ program, filename);
+ }
+ dst_key_free(&key);
+ }
+
+ } while (conflict == ISC_TRUE);
+
+ if (conflict)
+ fatal("cannot generate a null key when a key with id 0 "
+ "already exists");
+
+ ret = dst_key_tofile(key, options, NULL);
+ if (ret != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("failed to write key %s: %s\n", keystr,
+ isc_result_totext(ret));
+ }
+
+ isc_buffer_clear(&buf);
+ ret = dst_key_buildfilename(key, 0, NULL, &buf);
+ printf("%s\n", filename);
+ dst_key_free(&key);
+
+ cleanup_logging(&log);
+ cleanup_entropy(&ectx);
+ dst_lib_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
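Review bot: Near the end of main(), `ret = dst_key_buildfilename(key, 0, NULL, &buf);` is followed directly by `printf("%s\n", filename);` with `ret` never tested, and `filename` is a stack array that is never initialised, so on failure the tool would print whatever the array holds as the key identifier that callers then pass on; the same unchecked call sits in the verbose "already exists" branch of the generation loop. A check such as `if (ret != ISC_R_SUCCESS) fatal("failed to build key filename: %s", isc_result_totext(ret));` before the printf closes that gap. NUL termination of `filename` also depends on the callee, which is not visible here, so zeroing the array before `isc_buffer_init` would be a cheap safeguard. Separately, the `-b`, `-g`, `-p` and `-s` values are stored from `strtol` straight into an `int`, so where long is wider than int an out-of-range input can wrap into the accepted range before the bounds tests run; parsing into a `long`, checking it against the limits and only then assigning would avoid that.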
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
new file mode 100644
index 0000000..a2034d9
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
@@ -0,0 +1,342 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-keygen.docbook,v 1.3.12.6 2004/06/11 01:17:34 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-keygen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-keygen</application></refname>
+ <refpurpose>DNSSEC key generation tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-keygen</command>
+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
+ <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-e</option></arg>
+ <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k</option></arg>
+ <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-keygen</command> generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Selects the cryptographic algorithm. The value of
+ <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+ </para>
+ <para>
+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </para>
+ <para>
+ Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">nametype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the owner type of the key. The value of
+ <option>nametype</option> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
+ case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e</term>
+ <listitem>
+ <para>
+ If generating an RSAMD5/RSASHA1 key, use a large exponent.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">flag</replaceable></term>
+ <listitem>
+ <para>
+ Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g <replaceable class="parameter">generator</replaceable></term>
+ <listitem>
+ <para>
+ If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k</term>
+ <listitem>
+ <para>
+ Generate KEY records rather than DNSKEY records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">protocol</replaceable></term>
+ <listitem>
+ <para>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">strength</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">type</replaceable></term>
+ <listitem>
+ <para>
+ Indicates the use of the key. <option>type</option> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>GENERATED KEYS</title>
+ <para>
+ When <command>dnssec-keygen</command> completes successfully,
+ it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to <command>dnssec-makekeyset</command>.
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>nnnn</filename> is the key name.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>aaa</filename> is the numeric representation of the
+ algorithm.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>iiiii</filename> is the key identifier (or footprint).
+ </para>
+ </listitem>
+ </itemizedlist>
+ <para>
+ <command>dnssec-keygen</command> creates two file, with names based
+ on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
+ contains the public key, and
+ <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
+ key.
+ </para>
+ <para>
+ The <filename>.key</filename> file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </para>
+ <para>
+ The <filename>.private</filename> file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </para>
+ <para>
+ Both <filename>.key</filename> and <filename>.private</filename>
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ To generate a 768-bit DSA key for the domain
+ <userinput>example.com</userinput>, the following command would be
+ issued:
+ </para>
+ <para>
+ <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
+ </para>
+ <para>
+ The command would print a string of the form:
+ </para>
+ <para>
+ <userinput>Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-keygen</command> creates
+ the files <filename>Kexample.com.+003+26160.key</filename> and
+ <filename>Kexample.com.+003+26160.private</filename>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 2539</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html
new file mode 100644
index 0000000..734c914
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html
@@ -0,0 +1,544 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>dnssec-keygen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+>&nbsp;--&nbsp;DNSSEC key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> {-a <VAR
+CLASS="REPLACEABLE"
+>algorithm</VAR
+>} {-b <VAR
+CLASS="REPLACEABLE"
+>keysize</VAR
+>} {-n <VAR
+CLASS="REPLACEABLE"
+>nametype</VAR
+>} [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-e</VAR
+>] [<VAR
+CLASS="OPTION"
+>-f <VAR
+CLASS="REPLACEABLE"
+>flag</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-g <VAR
+CLASS="REPLACEABLE"
+>generator</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-h</VAR
+>] [<VAR
+CLASS="OPTION"
+>-k</VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>protocol</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomdev</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s <VAR
+CLASS="REPLACEABLE"
+>strength</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>type</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-v <VAR
+CLASS="REPLACEABLE"
+>level</VAR
+></VAR
+>] {name}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN53"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535 and RFC &lt;TBA\&gt;. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a <VAR
+CLASS="REPLACEABLE"
+>algorithm</VAR
+></DT
+><DD
+><P
+> Selects the cryptographic algorithm. The value of
+ <VAR
+CLASS="OPTION"
+>algorithm</VAR
+> must be one of RSAMD5 (RSA) or RSASHA1,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+ </P
+><P
+> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
+ and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </P
+><P
+> Note 2: HMAC-MD5 and DH automatically set the -k flag.
+ </P
+></DD
+><DT
+>-b <VAR
+CLASS="REPLACEABLE"
+>keysize</VAR
+></DT
+><DD
+><P
+> Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+ </P
+></DD
+><DT
+>-n <VAR
+CLASS="REPLACEABLE"
+>nametype</VAR
+></DT
+><DD
+><P
+> Specifies the owner type of the key. The value of
+ <VAR
+CLASS="OPTION"
+>nametype</VAR
+> must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
+ USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
+ case insensitive.
+ </P
+></DD
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></DT
+><DD
+><P
+> Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </P
+></DD
+><DT
+>-e</DT
+><DD
+><P
+> If generating an RSAMD5/RSASHA1 key, use a large exponent.
+ </P
+></DD
+><DT
+>-f <VAR
+CLASS="REPLACEABLE"
+>flag</VAR
+></DT
+><DD
+><P
+> Set the specified flag in the flag field of the KEY/DNSKEY record.
+ The only recognized flag is KSK (Key Signing Key) DNSKEY.
+ </P
+></DD
+><DT
+>-g <VAR
+CLASS="REPLACEABLE"
+>generator</VAR
+></DT
+><DD
+><P
+> If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+ </P
+></DD
+><DT
+>-k</DT
+><DD
+><P
+> Generate KEY records rather than DNSKEY records.
+ </P
+></DD
+><DT
+>-p <VAR
+CLASS="REPLACEABLE"
+>protocol</VAR
+></DT
+><DD
+><P
+> Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 3 (DNSSEC).
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </P
+></DD
+><DT
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomdev</VAR
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-s <VAR
+CLASS="REPLACEABLE"
+>strength</VAR
+></DT
+><DD
+><P
+> Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+ </P
+></DD
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>type</VAR
+></DT
+><DD
+><P
+> Indicates the use of the key. <VAR
+CLASS="OPTION"
+>type</VAR
+> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </P
+></DD
+><DT
+>-v <VAR
+CLASS="REPLACEABLE"
+>level</VAR
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN136"
+></A
+><H2
+>GENERATED KEYS</H2
+><P
+> When <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> completes successfully,
+ it prints a string of the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+ </P
+><P
+></P
+><UL
+><LI
+><P
+> <TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the key name.
+ </P
+></LI
+><LI
+><P
+> <TT
+CLASS="FILENAME"
+>aaa</TT
+> is the numeric representation of the
+ algorithm.
+ </P
+></LI
+><LI
+><P
+> <TT
+CLASS="FILENAME"
+>iiiii</TT
+> is the key identifier (or footprint).
+ </P
+></LI
+></UL
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates two file, with names based
+ on the printed string. <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.key</TT
+>
+ contains the public key, and
+ <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.private</TT
+> contains the private
+ key.
+ </P
+><P
+> The <TT
+CLASS="FILENAME"
+>.key</TT
+> file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </P
+><P
+> The <TT
+CLASS="FILENAME"
+>.private</TT
+> file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </P
+><P
+> Both <TT
+CLASS="FILENAME"
+>.key</TT
+> and <TT
+CLASS="FILENAME"
+>.private</TT
+>
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN163"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> To generate a 768-bit DSA key for the domain
+ <KBD
+CLASS="USERINPUT"
+>example.com</KBD
+>, the following command would be
+ issued:
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD
+>
+ </P
+><P
+> The command would print a string of the form:
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>Kexample.com.+003+26160</KBD
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates
+ the files <TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.key</TT
+> and
+ <TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.private</TT
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN176"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2845</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2539</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN186"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.8 b/contrib/bind9/bin/dnssec/dnssec-makekeyset.8
new file mode 100644
index 0000000..0189b31
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-makekeyset.8
@@ -0,0 +1,113 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-makekeyset.8,v 1.16.2.2.4.1 2004/03/06 07:41:39 marka Exp $
+.\"
+.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-makekeyset \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-makekeyset\fR generates a key set from one
+or more keys created by \fBdnssec-keygen\fR. It creates
+a file containing a KEY record for each key, and self-signs the key
+set with each zone key. The output file is of the form
+\fIkeyset-nnnn.\fR, where \fInnnn\fR
+is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-makekeyset\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t \fIttl\fB\fR
+Specify the TTL (time to live) of the KEY and SIG records.
+The default is 3600 seconds.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkey\fR
+The list of keys to be included in the keyset file. These keys
+are expressed in the form \fIKnnnn.+aaa+iiiii\fR
+as generated by \fBdnssec-keygen\fR.
+.SH "EXAMPLE"
+.PP
+The following command generates a keyset containing the DSA key for
+\fBexample.com\fR generated in the
+\fBdnssec-keygen\fR man page.
+.PP
+\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-makekeyset\fR creates
+the file \fIkeyset-example.com.\fR. This file
+contains the specified key and a self-generated signature.
+.PP
+The DNS administrator for \fBexample.com\fR could
+send \fIkeyset-example.com.\fR to the DNS
+administrator for \fB.com\fR for signing, if the
+\&.com zone is DNSSEC-aware and the administrators of the two zones
+have some mechanism for authenticating each other and exchanging
+the keys and signatures securely.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.c b/contrib/bind9/bin/dnssec/dnssec-makekeyset.c
new file mode 100644
index 0000000..c8224ed
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-makekeyset.c
@@ -0,0 +1,401 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-makekeyset.c,v 1.52.2.1.10.7 2004/08/28 06:25:27 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-makekeyset";
+int verbose;
+
+typedef struct keynode keynode_t;
+struct keynode {
+ dst_key_t *key;
+ ISC_LINK(keynode_t) link;
+};
+typedef ISC_LIST(keynode_t) keylist_t;
+
+static isc_stdtime_t starttime = 0, endtime = 0, now;
+static int ttl = -1;
+
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+
+static keylist_t keylist;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t%s [options] keys\n", program);
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "Version: %s\n", VERSION);
+
+ fprintf(stderr, "Options: (default value in parenthesis) \n");
+ fprintf(stderr, "\t-a\n");
+ fprintf(stderr, "\t\tverify generated signatures\n");
+ fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+ fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
+ fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+ fprintf(stderr, "\t\tSIG end time - "
+ "absolute|from start|from now (now + 30 days)\n");
+ fprintf(stderr, "\t-t ttl\n");
+ fprintf(stderr, "\t-p\n");
+ fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
+ fprintf(stderr, "\t-r randomdev:\n");
+ fprintf(stderr, "\t\ta file containing random data\n");
+ fprintf(stderr, "\t-v level:\n");
+ fprintf(stderr, "\t\tverbose level (0)\n");
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "keys:\n");
+ fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, "\tkeyset (keyset-<name>)\n");
+ exit(0);
+}
+
+static isc_boolean_t
+zonekey_on_list(dst_key_t *key) {
+ keynode_t *keynode;
+ for (keynode = ISC_LIST_HEAD(keylist);
+ keynode != NULL;
+ keynode = ISC_LIST_NEXT(keynode, link))
+ {
+ if (dst_key_compare(keynode->key, key))
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+int
+main(int argc, char *argv[]) {
+ int i, ch;
+ char *startstr = NULL, *endstr = NULL;
+ dns_fixedname_t fdomain;
+ dns_name_t *domain = NULL;
+ char *output = NULL;
+ char *endp;
+ unsigned char data[65536];
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ dns_diff_t diff;
+ dns_difftuple_t *tuple;
+ dns_fixedname_t tname;
+ dst_key_t *key = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset;
+ dns_rdataclass_t rdclass;
+ isc_result_t result;
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_log_t *log = NULL;
+ keynode_t *keynode;
+ unsigned int eflags;
+ isc_boolean_t pseudorandom = ISC_FALSE;
+ isc_boolean_t tryverify = ISC_FALSE;
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to create memory context: %s",
+ isc_result_totext(result));
+
+ dns_result_register();
+
+ while ((ch = isc_commandline_parse(argc, argv, "as:e:t:r:v:ph")) != -1)
+ {
+ switch (ch) {
+ case 'a':
+ tryverify = ISC_TRUE;
+ break;
+ case 's':
+ startstr = isc_commandline_argument;
+ break;
+
+ case 'e':
+ endstr = isc_commandline_argument;
+ break;
+
+ case 't':
+ endp = NULL;
+ ttl = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("TTL must be numeric");
+ break;
+
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
+
+ case 'v':
+ endp = NULL;
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("verbose level must be numeric");
+ break;
+
+ case 'p':
+ pseudorandom = ISC_TRUE;
+ break;
+
+ case 'h':
+ default:
+ usage();
+
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc < 1)
+ usage();
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ eflags = ISC_ENTROPY_BLOCKING;
+ if (!pseudorandom)
+ eflags |= ISC_ENTROPY_GOODONLY;
+ result = dst_lib_init(mctx, ectx, eflags);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
+
+ isc_stdtime_get(&now);
+
+ if (startstr != NULL)
+ starttime = strtotime(startstr, now, now);
+ else
+ starttime = now;
+
+ if (endstr != NULL)
+ endtime = strtotime(endstr, now, starttime);
+ else
+ endtime = starttime + (30 * 24 * 60 * 60);
+
+ if (ttl == -1) {
+ ttl = 3600;
+ fprintf(stderr, "%s: TTL not specified, assuming 3600\n",
+ program);
+ }
+
+ setup_logging(verbose, mctx, &log);
+
+ dns_diff_init(mctx, &diff);
+ rdclass = 0;
+
+ ISC_LIST_INIT(keylist);
+
+ for (i = 0; i < argc; i++) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ isc_buffer_t namebuf;
+
+ key = NULL;
+ result = dst_key_fromnamedfile(argv[i], DST_TYPE_PUBLIC,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("error loading key from %s: %s", argv[i],
+ isc_result_totext(result));
+ if (rdclass == 0)
+ rdclass = dst_key_class(key);
+
+ isc_buffer_init(&namebuf, namestr, sizeof(namestr));
+ result = dns_name_tofilenametext(dst_key_name(key),
+ ISC_FALSE,
+ &namebuf);
+ check_result(result, "dns_name_tofilenametext");
+ isc_buffer_putuint8(&namebuf, 0);
+
+ if (domain == NULL) {
+ dns_fixedname_init(&fdomain);
+ domain = dns_fixedname_name(&fdomain);
+ dns_name_copy(dst_key_name(key), domain, NULL);
+ } else if (!dns_name_equal(domain, dst_key_name(key))) {
+ char str[DNS_NAME_FORMATSIZE];
+ dns_name_format(domain, str, sizeof(str));
+ fatal("all keys must have the same owner - %s "
+ "and %s do not match", str, namestr);
+ }
+
+ if (output == NULL) {
+ output = isc_mem_allocate(mctx,
+ strlen("keyset-") +
+ strlen(namestr) + 1);
+ if (output == NULL)
+ fatal("out of memory");
+ sprintf(output, "keyset-%s", namestr);
+ }
+
+ if (dst_key_iszonekey(key)) {
+ dst_key_t *zonekey = NULL;
+ result = dst_key_fromnamedfile(argv[i],
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &zonekey);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to read private key %s: %s",
+ argv[i], isc_result_totext(result));
+ if (!zonekey_on_list(zonekey)) {
+ keynode = isc_mem_get(mctx, sizeof(keynode_t));
+ if (keynode == NULL)
+ fatal("out of memory");
+ keynode->key = zonekey;
+ ISC_LIST_INITANDAPPEND(keylist, keynode, link);
+ } else
+ dst_key_free(&zonekey);
+ }
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&b, data, sizeof(data));
+ result = dst_key_todns(key, &b);
+ dst_key_free(&key);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to convert key %s to a DNS KEY: %s",
+ argv[i], isc_result_totext(result));
+ isc_buffer_usedregion(&b, &r);
+ dns_rdata_fromregion(&rdata, rdclass, dns_rdatatype_dnskey, &r);
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ domain, ttl, &rdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ }
+
+ db = NULL;
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to create a database");
+
+ version = NULL;
+ dns_db_newversion(db, &version);
+
+ result = dns_diff_apply(&diff, db, version);
+ check_result(result, "dns_diff_apply");
+ dns_diff_clear(&diff);
+
+ dns_fixedname_init(&tname);
+ dns_rdataset_init(&rdataset);
+ result = dns_db_find(db, domain, version, dns_rdatatype_dnskey, 0, 0,
+ NULL, dns_fixedname_name(&tname), &rdataset,
+ NULL);
+ check_result(result, "dns_db_find");
+
+ if (ISC_LIST_EMPTY(keylist))
+ fprintf(stderr,
+ "%s: no private zone key found; not self-signing\n",
+ program);
+ for (keynode = ISC_LIST_HEAD(keylist);
+ keynode != NULL;
+ keynode = ISC_LIST_NEXT(keynode, link))
+ {
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&b, data, sizeof(data));
+ result = dns_dnssec_sign(domain, &rdataset, keynode->key,
+ &starttime, &endtime, mctx, &b,
+ &rdata);
+ isc_entropy_stopcallbacksources(ectx);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(keynode->key, keystr, sizeof(keystr));
+ fatal("failed to sign keyset with key %s: %s",
+ keystr, isc_result_totext(result));
+ }
+ if (tryverify) {
+ result = dns_dnssec_verify(domain, &rdataset,
+ keynode->key, ISC_TRUE,
+ mctx, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(keynode->key, keystr, sizeof(keystr));
+ fatal("signature from key '%s' failed to "
+ "verify: %s",
+ keystr, isc_result_totext(result));
+ }
+ }
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ domain, ttl, &rdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ }
+
+ result = dns_diff_apply(&diff, db, version);
+ check_result(result, "dns_diff_apply");
+ dns_diff_clear(&diff);
+
+ dns_rdataset_disassociate(&rdataset);
+
+ dns_db_closeversion(db, &version, ISC_TRUE);
+ result = dns_db_dump(db, version, output);
+ if (result != ISC_R_SUCCESS) {
+ char domainstr[DNS_NAME_FORMATSIZE];
+ dns_name_format(domain, domainstr, sizeof(domainstr));
+ fatal("failed to write database for %s to %s",
+ domainstr, output);
+ }
+
+ printf("%s\n", output);
+
+ dns_db_detach(&db);
+
+ while (!ISC_LIST_EMPTY(keylist)) {
+ keynode = ISC_LIST_HEAD(keylist);
+ ISC_LIST_UNLINK(keylist, keynode, link);
+ dst_key_free(&keynode->key);
+ isc_mem_put(mctx, keynode, sizeof(keynode_t));
+ }
+
+ cleanup_logging(&log);
+ cleanup_entropy(&ectx);
+
+ isc_mem_free(mctx, output);
+ dst_lib_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+ return (0);
+}
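Review bot: The `-t` case in main() accepts values that are not a usable TTL: `ttl = strtol(isc_commandline_argument, &endp, 0)` followed by `if (*endp != '\0')` rejects only trailing characters, so an empty argument, a negative number and a value too large for `int` all pass. `-t -1` also collides with the `ttl == -1` "not specified" sentinel and is silently replaced by 3600. Any other negative value is handed to dns_difftuple_create(), where it would presumably become a very large TTL on the KEY and SIG records if that parameter is unsigned (its prototype is not in this file). I would parse into a `long`, require at least one digit and range-check before assigning, as below; this needs `<errno.h>`, which the file does not include yet. The `-v` case uses the same parse-and-check pattern and would benefit from the same guard.

```c
		case 't': {
			long lttl;

			endp = NULL;
			errno = 0;
			lttl = strtol(isc_commandline_argument, &endp, 0);
			if (endp == isc_commandline_argument || *endp != '\0' ||
			    errno == ERANGE || lttl < 0 || lttl > 0x7fffffffL)
				fatal("TTL must be a number between 0 and 2147483647");
			ttl = (int)lttl;
			break;
		}
		/* … unchanged: remaining option cases … */
```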
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook b/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook
new file mode 100644
index 0000000..0732748
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-makekeyset.docbook
@@ -0,0 +1,233 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-makekeyset.docbook,v 1.2.2.3.4.2 2004/06/03 02:24:55 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-makekeyset</application></refname>
+ <refpurpose>DNSSEC zone signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-makekeyset</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req" rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-makekeyset</command> generates a key set from one
+ or more keys created by <command>dnssec-keygen</command>. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
+ is the zone name.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-makekeyset</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">ttl</replaceable></term>
+ <listitem>
+ <para>
+ Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ The list of keys to be included in the keyset file. These keys
+ are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
+ as generated by <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The following command generates a keyset containing the DSA key for
+ <userinput>example.com</userinput> generated in the
+ <command>dnssec-keygen</command> man page.
+ </para>
+ <para>
+ <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-makekeyset</command> creates
+ the file <filename>keyset-example.com.</filename>. This file
+ contains the specified key and a self-generated signature.
+ </para>
+ <para>
+ The DNS administrator for <userinput>example.com</userinput> could
+ send <filename>keyset-example.com.</filename> to the DNS
+ administrator for <userinput>.com</userinput> for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signkey</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-makekeyset.html b/contrib/bind9/bin/dnssec/dnssec-makekeyset.html
new file mode 100644
index 0000000..48f1d4a
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-makekeyset.html
@@ -0,0 +1,407 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-makekeyset.html,v 1.4.2.2.4.1 2004/03/06 10:21:15 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-makekeyset</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t</TT
+><TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN38"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> generates a key set from one
+ or more keys created by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ <TT
+CLASS="FILENAME"
+>keyset-nnnn.</TT
+>, where <TT
+CLASS="FILENAME"
+>nnnn</TT
+>
+ is the zone name.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN45"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+ time is used.
+ </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ expire. As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+></DT
+><DD
+><P
+> Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> The list of keys to be included in the keyset file. These keys
+ are expressed in the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
+ as generated by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN98"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The following command generates a keyset containing the DSA key for
+ <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> generated in the
+ <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> man page.
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
+></TT
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+>. This file
+ contains the specified key and a self-generated signature.
+ </P
+><P
+> The DNS administrator for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> could
+ send <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+> to the DNS
+ administrator for <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN123"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.8 b/contrib/bind9/bin/dnssec/dnssec-signkey.8
new file mode 100644
index 0000000..ea2818b
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signkey.8
@@ -0,0 +1,108 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-signkey.8,v 1.18.2.1.4.1 2004/03/06 07:41:39 marka Exp $
+.\"
+.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signkey \- DNSSEC key set signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signkey\fR signs a keyset. Typically
+the keyset will be for a child zone, and will have been generated
+by \fBdnssec-makekeyset\fR. The child zone's keyset
+is signed with the zone keys for its parent zone. The output file
+is of the form \fIsignedkey-nnnn.\fR, where
+\fInnnn\fR is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the key sets.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signkey\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkeyset\fR
+The file containing the child's keyset.
+.TP
+\fBkey\fR
+The keys used to sign the child's keyset.
+.SH "EXAMPLE"
+.PP
+The DNS administrator for a DNSSEC-aware \fB.com\fR
+zone would use the following command to sign the
+\fIkeyset\fR file for \fBexample.com\fR
+created by \fBdnssec-makekeyset\fR with a key generated
+by \fBdnssec-keygen\fR:
+.PP
+\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
+.PP
+In this example, \fBdnssec-signkey\fR creates
+the file \fIsignedkey-example.com.\fR, which
+contains the \fBexample.com\fR keys and the
+signatures by the \fB.com\fR keys.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signzone\fR(8).
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.c b/contrib/bind9/bin/dnssec/dnssec-signkey.c
new file mode 100644
index 0000000..fd8b0fd
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signkey.c
@@ -0,0 +1,448 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-signkey.c,v 1.50.2.2.2.7 2004/08/28 06:25:28 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/string.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-signkey";
+int verbose;
+
+typedef struct keynode keynode_t;
+struct keynode {
+ dst_key_t *key;
+ isc_boolean_t verified;
+ ISC_LINK(keynode_t) link;
+};
+typedef ISC_LIST(keynode_t) keylist_t;
+
+static isc_stdtime_t starttime = 0, endtime = 0, now;
+
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+static keylist_t keylist;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t%s [options] keyset keys\n", program);
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "Version: %s\n", VERSION);
+
+ fprintf(stderr, "Options: (default value in parenthesis) \n");
+ fprintf(stderr, "\t-a\n");
+ fprintf(stderr, "\t\tverify generated signatures\n");
+ fprintf(stderr, "\t-c class (IN)\n");
+ fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+ fprintf(stderr, "\t\tSIG start time - absolute|offset (from keyset)\n");
+ fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+ fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
+ "(from keyset)\n");
+ fprintf(stderr, "\t-v level:\n");
+ fprintf(stderr, "\t\tverbose level (0)\n");
+ fprintf(stderr, "\t-p\n");
+ fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
+ fprintf(stderr, "\t-r randomdev:\n");
+ fprintf(stderr, "\t\ta file containing random data\n");
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "keyset:\n");
+ fprintf(stderr, "\tfile with keyset to be signed (keyset-<name>)\n");
+ fprintf(stderr, "keys:\n");
+ fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
+
+ fprintf(stderr, "\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, "\tsigned keyset (signedkey-<name>)\n");
+ exit(0);
+}
+
+static void
+loadkeys(dns_name_t *name, dns_rdataset_t *rdataset) {
+ dst_key_t *key;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ keynode_t *keynode;
+ isc_result_t result;
+
+ ISC_LIST_INIT(keylist);
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "dns_rdataset_first");
+ for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(rdataset)) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ key = NULL;
+ result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ if (!dst_key_iszonekey(key)) {
+ dst_key_free(&key);
+ continue;
+ }
+ keynode = isc_mem_get(mctx, sizeof(keynode_t));
+ if (keynode == NULL)
+ fatal("out of memory");
+ keynode->key = key;
+ keynode->verified = ISC_FALSE;
+ ISC_LIST_INITANDAPPEND(keylist, keynode, link);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("failure traversing key list");
+}
+
+static dst_key_t *
+findkey(dns_rdata_rrsig_t *sig) {
+ keynode_t *keynode;
+ for (keynode = ISC_LIST_HEAD(keylist);
+ keynode != NULL;
+ keynode = ISC_LIST_NEXT(keynode, link))
+ {
+ if (dst_key_id(keynode->key) == sig->keyid &&
+ dst_key_alg(keynode->key) == sig->algorithm) {
+ keynode->verified = ISC_TRUE;
+ return (keynode->key);
+ }
+ }
+ fatal("signature generated by non-zone or missing key");
+ return (NULL);
+}
+
+int
+main(int argc, char *argv[]) {
+ int i, ch;
+ char *startstr = NULL, *endstr = NULL, *classname = NULL;
+ char tdomain[1025];
+ dns_fixedname_t fdomain;
+ dns_name_t *domain;
+ char *output = NULL;
+ char *endp;
+ unsigned char data[65536];
+ dns_db_t *db;
+ dns_dbnode_t *node;
+ dns_dbversion_t *version;
+ dns_diff_t diff;
+ dns_difftuple_t *tuple;
+ dns_dbiterator_t *dbiter;
+ dns_rdatasetiter_t *rdsiter;
+ dst_key_t *key = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdataset_t rdataset, sigrdataset;
+ dns_rdata_rrsig_t sig;
+ isc_result_t result;
+ isc_buffer_t b;
+ isc_log_t *log = NULL;
+ keynode_t *keynode;
+ isc_boolean_t pseudorandom = ISC_FALSE;
+ unsigned int eflags;
+ dns_rdataclass_t rdclass;
+ isc_boolean_t tryverify = ISC_FALSE;
+ isc_boolean_t settime = ISC_FALSE;
+
+ result = isc_mem_create(0, 0, &mctx);
+ check_result(result, "isc_mem_create()");
+
+ dns_result_register();
+
+ while ((ch = isc_commandline_parse(argc, argv, "ac:s:e:pr:v:h")) != -1)
+ {
+ switch (ch) {
+ case 'a':
+ tryverify = ISC_TRUE;
+ break;
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+
+ case 's':
+ startstr = isc_commandline_argument;
+ break;
+
+ case 'e':
+ endstr = isc_commandline_argument;
+ break;
+
+ case 'p':
+ pseudorandom = ISC_TRUE;
+ break;
+
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
+
+ case 'v':
+ endp = NULL;
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("verbose level must be numeric");
+ break;
+
+ case 'h':
+ default:
+ usage();
+
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc < 2)
+ usage();
+
+ rdclass = strtoclass(classname);
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ eflags = ISC_ENTROPY_BLOCKING;
+ if (!pseudorandom)
+ eflags |= ISC_ENTROPY_GOODONLY;
+ result = dst_lib_init(mctx, ectx, eflags);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
+
+ isc_stdtime_get(&now);
+
+ if ((startstr == NULL || endstr == NULL) &&
+ !(startstr == NULL && endstr == NULL))
+ fatal("if -s or -e is specified, both must be");
+
+ if (startstr != NULL) {
+ starttime = strtotime(startstr, now, now);
+ endtime = strtotime(endstr, now, starttime);
+ settime = ISC_TRUE;
+ }
+
+ setup_logging(verbose, mctx, &log);
+
+ if (strlen(argv[0]) < 8U || strncmp(argv[0], "keyset-", 7) != 0)
+ fatal("keyset file '%s' must start with keyset-", argv[0]);
+
+ db = NULL;
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ check_result(result, "dns_db_create()");
+
+ result = dns_db_load(db, argv[0]);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("failed to load database from '%s': %s", argv[0],
+ isc_result_totext(result));
+
+ dns_fixedname_init(&fdomain);
+ domain = dns_fixedname_name(&fdomain);
+
+ dbiter = NULL;
+ result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+ while (result == ISC_R_SUCCESS) {
+ node = NULL;
+ dns_dbiterator_current(dbiter, &node, domain);
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(db, node, NULL, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result == ISC_R_SUCCESS)
+ break;
+ dns_db_detachnode(db, &node);
+ result = dns_dbiterator_next(dbiter);
+ }
+ dns_dbiterator_destroy(&dbiter);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find data in keyset file");
+
+ isc_buffer_init(&b, tdomain, sizeof(tdomain) - 1);
+ result = dns_name_tofilenametext(domain, ISC_FALSE, &b);
+ check_result(result, "dns_name_tofilenametext()");
+ isc_buffer_putuint8(&b, 0);
+
+ output = isc_mem_allocate(mctx,
+ strlen("signedkey-") + strlen(tdomain) + 1);
+ if (output == NULL)
+ fatal("out of memory");
+ sprintf(output, "signedkey-%s", tdomain);
+
+ version = NULL;
+ dns_db_newversion(db, &version);
+
+ dns_rdataset_init(&rdataset);
+ dns_rdataset_init(&sigrdataset);
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
+ 0, &rdataset, &sigrdataset);
+ if (result != ISC_R_SUCCESS) {
+ char domainstr[DNS_NAME_FORMATSIZE];
+ dns_name_format(domain, domainstr, sizeof(domainstr));
+ fatal("failed to find rdataset '%s KEY': %s",
+ domainstr, isc_result_totext(result));
+ }
+
+ loadkeys(domain, &rdataset);
+
+ dns_diff_init(mctx, &diff);
+
+ if (!dns_rdataset_isassociated(&sigrdataset))
+ fatal("no SIG KEY set present");
+
+ result = dns_rdataset_first(&sigrdataset);
+ check_result(result, "dns_rdataset_first()");
+ do {
+ dns_rdataset_current(&sigrdataset, &sigrdata);
+ result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
+ check_result(result, "dns_rdata_tostruct()");
+ key = findkey(&sig);
+ result = dns_dnssec_verify(domain, &rdataset, key,
+ ISC_TRUE, mctx, &sigrdata);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("signature by key '%s' did not verify: %s",
+ keystr, isc_result_totext(result));
+ }
+ if (!settime) {
+ starttime = sig.timesigned;
+ endtime = sig.timeexpire;
+ settime = ISC_TRUE;
+ }
+ dns_rdata_freestruct(&sig);
+ dns_rdata_reset(&sigrdata);
+ result = dns_rdataset_next(&sigrdataset);
+ } while (result == ISC_R_SUCCESS);
+
+ for (keynode = ISC_LIST_HEAD(keylist);
+ keynode != NULL;
+ keynode = ISC_LIST_NEXT(keynode, link))
+ if (!keynode->verified)
+ fatal("not all zone keys self signed the key set");
+
+ argc -= 1;
+ argv += 1;
+
+ for (i = 0; i < argc; i++) {
+ key = NULL;
+ result = dst_key_fromnamedfile(argv[i],
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to read key %s from disk: %s",
+ argv[i], isc_result_totext(result));
+
+ dns_rdata_reset(&rdata);
+ isc_buffer_init(&b, data, sizeof(data));
+ result = dns_dnssec_sign(domain, &rdataset, key,
+ &starttime, &endtime,
+ mctx, &b, &rdata);
+ isc_entropy_stopcallbacksources(ectx);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("key '%s' failed to sign data: %s",
+ keystr, isc_result_totext(result));
+ }
+ if (tryverify) {
+ result = dns_dnssec_verify(domain, &rdataset, key,
+ ISC_TRUE, mctx, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("signature from key '%s' failed to "
+ "verify: %s",
+ keystr, isc_result_totext(result));
+ }
+ }
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ domain, rdataset.ttl,
+ &rdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ dst_key_free(&key);
+ }
+
+ result = dns_db_deleterdataset(db, node, version, dns_rdatatype_rrsig,
+ dns_rdatatype_dnskey);
+ check_result(result, "dns_db_deleterdataset");
+
+ result = dns_diff_apply(&diff, db, version);
+ check_result(result, "dns_diff_apply");
+ dns_diff_clear(&diff);
+
+ dns_db_detachnode(db, &node);
+ dns_db_closeversion(db, &version, ISC_TRUE);
+ result = dns_db_dump(db, version, output);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to write database to '%s': %s",
+ output, isc_result_totext(result));
+
+ printf("%s\n", output);
+
+ dns_rdataset_disassociate(&rdataset);
+ dns_rdataset_disassociate(&sigrdataset);
+
+ dns_db_detach(&db);
+
+ while (!ISC_LIST_EMPTY(keylist)) {
+ keynode = ISC_LIST_HEAD(keylist);
+ ISC_LIST_UNLINK(keylist, keynode, link);
+ dst_key_free(&keynode->key);
+ isc_mem_put(mctx, keynode, sizeof(keynode_t));
+ }
+
+ cleanup_logging(&log);
+
+ isc_mem_free(mctx, output);
+ cleanup_entropy(&ectx);
+ dst_lib_destroy();
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+ return (0);
+}
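Review bot: When -s/-e are not given, main() copies the validity window for the parent's signature from the first self-signature in the keyset file (`starttime = sig.timesigned; endtime = sig.timeexpire;` in the SIG loop), and that file is supplied by the child zone's administrator. Nothing between that assignment and the `dns_dnssec_sign()` call compares the window with `now`, and the verify call passes `ISC_TRUE` in what appears to be the ignore-time position, so an already expired or very long-lived window looks like it would be signed exactly as submitted. I would bound it inside the `if (!settime)` branch, e.g. `if (endtime <= now || endtime - now > MAX_SIG_LIFETIME) fatal("keyset validity window out of range; use -s and -e");`, where `MAX_SIG_LIFETIME` is a placeholder name for a new policy constant, not an existing BIND identifier. The usage text's "(from keyset)" default should then mention the limit.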
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.docbook b/contrib/bind9/bin/dnssec/dnssec-signkey.docbook
new file mode 100644
index 0000000..8258a3d
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signkey.docbook
@@ -0,0 +1,237 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-signkey.docbook,v 1.2.2.2.4.2 2004/06/03 02:24:55 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-signkey</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-signkey</application></refname>
+ <refpurpose>DNSSEC key set signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-signkey</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">keyset</arg>
+ <arg choice="req" rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-signkey</command> signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by <command>dnssec-makekeyset</command>. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form <filename>signedkey-nnnn.</filename>, where
+ <filename>nnnn</filename> is the zone name.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class of the key sets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-signkey</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>keyset</term>
+ <listitem>
+ <para>
+ The file containing the child's keyset.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ The keys used to sign the child's keyset.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
+ zone would use the following command to sign the
+ <filename>keyset</filename> file for <userinput>example.com</userinput>
+ created by <command>dnssec-makekeyset</command> with a key generated
+ by <command>dnssec-keygen</command>:
+ </para>
+ <para>
+ <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-signkey</command> creates
+ the file <filename>signedkey-example.com.</filename>, which
+ contains the <userinput>example.com</userinput> keys and the
+ signatures by the <userinput>.com</userinput> keys.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-makekeyset</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.html b/contrib/bind9/bin/dnssec/dnssec-signkey.html
new file mode 100644
index 0000000..8cbf1fc
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signkey.html
@@ -0,0 +1,407 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ -->
+
+<HTML
+><HEAD
+><TITLE
+>dnssec-signkey</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.73
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+>&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {keyset} {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN39"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form <TT
+CLASS="FILENAME"
+>signedkey-nnnn.</TT
+>, where
+ <TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the zone name.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+> Specifies the DNS class of the key sets.
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+ time is used.
+ </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ expire. As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+>.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>keyset</DT
+><DD
+><P
+> The file containing the child's keyset.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> The keys used to sign the child's keyset.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The DNS administrator for a DNSSEC-aware <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+>
+ zone would use the following command to sign the
+ <TT
+CLASS="FILENAME"
+>keyset</TT
+> file for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>
+ created by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> with a key generated
+ by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>:
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
+></TT
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>signedkey-example.com.</TT
+>, which
+ contains the <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> keys and the
+ signatures by the <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> keys.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-makekeyset</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN128"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8
new file mode 100644
index 0000000..a1795b8
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8
@@ -0,0 +1,167 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-signzone.8,v 1.23.2.1.4.6 2004/06/11 02:32:46 marka Exp $
+.\"
+.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-g\fR ] [ \fB-h\fR ] [ \fB-k \fIkey\fB\fR ] [ \fB-l \fIdomain\fB\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] [ \fB-z\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signzone\fR signs a zone. It generates
+NSEC and RRSIG records and produces a signed version of the
+zone. The security status of delegations from the signed zone
+(that is, whether the child zones are secure or not) is
+determined by the presence or absence of a
+\fIkeyset\fR file for each child zone.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the zone.
+.TP
+\fB-k \fIkey\fB\fR
+Treat specified key as a key signing key ignoring any
+key flags. This option may be specified multiple times.
+.TP
+\fB-l \fIdomain\fB\fR
+Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+The domain is appended to the name of the records.
+.TP
+\fB-d \fIdirectory\fB\fR
+Look for \fIkeyset\fR files in
+\fBdirectory\fR as the directory
+.TP
+\fB-g\fR
+Generate DS records for child zones from keyset files.
+Existing DS records will be removed.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated RRSIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time minus 1 hour (to allow for clock skew) is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated RRSIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time relative to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-f \fIoutput-file\fB\fR
+The name of the output file containing the signed zone. The
+default is to append \fI.signed\fR to the
+input file.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signzone\fR.
+.TP
+\fB-i \fIinterval\fB\fR
+When a previously signed zone is passed as input, records
+may be resigned. The \fBinterval\fR option
+specifies the cycle interval as an offset from the current
+time (in seconds). If a RRSIG record expires after the
+cycle interval, it is retained. Otherwise, it is considered
+to be expiring soon, and it will be replaced.
+
+The default cycle interval is one quarter of the difference
+between the signature end and start times. So if neither
+\fBend-time\fR or \fBstart-time\fR
+are specified, \fBdnssec-signzone\fR generates
+signatures that are valid for 30 days, with a cycle
+interval of 7.5 days. Therefore, if any existing RRSIG records
+are due to expire in less than 7.5 days, they would be
+replaced.
+.TP
+\fB-n \fIncpus\fB\fR
+Specifies the number of threads to use. By default, one
+thread is started for each detected CPU.
+.TP
+\fB-o \fIorigin\fB\fR
+The zone origin. If not specified, the name of the zone file
+is assumed to be the origin.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t\fR
+Print statistics at completion.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fB-z\fR
+Ignore KSK flag on key when determining what to sign.
+.TP
+\fBzonefile\fR
+The file containing the zone to be signed.
+Sets the debugging level.
+.TP
+\fBkey\fR
+The keys used to sign the zone. If no keys are specified, the
+default all zone keys that have private key files in the
+current directory.
+.SH "EXAMPLE"
+.PP
+The following command signs the \fBexample.com\fR
+zone with the DSA key generated in the \fBdnssec-keygen\fR
+man page. The zone's keys must be in the zone. If there are
+\fIkeyset\fR files associated with child zones,
+they must be in the current directory.
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
+.PP
+The command would print a string of the form:
+.PP
+In this example, \fBdnssec-signzone\fR creates
+the file \fIdb.example.com.signed\fR. This file
+should be referenced in a zone statement in a
+\fInamed.conf\fR file.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c
new file mode 100644
index 0000000..096cd30
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c
@@ -0,0 +1,2102 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-signzone.c,v 1.139.2.2.4.16 2004/08/28 06:25:29 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <time.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/os.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+#include <isc/time.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-signzone";
+int verbose;
+
+#define BUFSIZE 2048
+#define MAXDSKEYS 8
+
+typedef struct signer_key_struct signer_key_t;
+
+struct signer_key_struct {
+ dst_key_t *key;
+ isc_boolean_t issigningkey;
+ isc_boolean_t isdsk;
+ isc_boolean_t isksk;
+ unsigned int position;
+ ISC_LINK(signer_key_t) link;
+};
+
+#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
+#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
+#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)
+
+typedef struct signer_event sevent_t;
+struct signer_event {
+ ISC_EVENT_COMMON(sevent_t);
+ dns_fixedname_t *fname;
+ dns_dbnode_t *node;
+};
+
+static ISC_LIST(signer_key_t) keylist;
+static unsigned int keycount = 0;
+static isc_stdtime_t starttime = 0, endtime = 0, now;
+static int cycle = -1;
+static isc_boolean_t tryverify = ISC_FALSE;
+static isc_boolean_t printstats = ISC_FALSE;
+static isc_mem_t *mctx = NULL;
+static isc_entropy_t *ectx = NULL;
+static dns_ttl_t zonettl;
+static FILE *fp;
+static char *tempfile = NULL;
+static const dns_master_style_t *masterstyle;
+static unsigned int nsigned = 0, nretained = 0, ndropped = 0;
+static unsigned int nverified = 0, nverifyfailed = 0;
+static const char *directory;
+static isc_mutex_t namelock, statslock;
+static isc_taskmgr_t *taskmgr = NULL;
+static dns_db_t *gdb; /* The database */
+static dns_dbversion_t *gversion; /* The database version */
+static dns_dbiterator_t *gdbiter; /* The database iterator */
+static dns_rdataclass_t gclass; /* The class */
+static dns_name_t *gorigin; /* The database origin */
+static isc_task_t *master = NULL;
+static unsigned int ntasks = 0;
+static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
+static unsigned int assigned = 0, completed = 0;
+static isc_boolean_t nokeys = ISC_FALSE;
+static isc_boolean_t removefile = ISC_FALSE;
+static isc_boolean_t generateds = ISC_FALSE;
+static isc_boolean_t ignoreksk = ISC_FALSE;
+static dns_name_t *dlv = NULL;
+static dns_fixedname_t dlv_fixed;
+static dns_master_style_t *dsstyle = NULL;
+
+#define INCSTAT(counter) \
+ if (printstats) { \
+ LOCK(&statslock); \
+ counter++; \
+ UNLOCK(&statslock); \
+ }
+
+static void
+sign(isc_task_t *task, isc_event_t *event);
+
+
+static inline void
+set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
+ unsigned int shift, mask;
+
+ shift = 7 - (index % 8);
+ mask = 1 << shift;
+
+ if (bit != 0)
+ array[index / 8] |= mask;
+ else
+ array[index / 8] &= (~mask & 0xFF);
+}
+
+static void
+dumpnode(dns_name_t *name, dns_dbnode_t *node) {
+ isc_result_t result;
+
+ result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
+ masterstyle, fp);
+ check_result(result, "dns_master_dumpnodetostream");
+}
+
+static void
+dumpdb(dns_db_t *db) {
+ dns_dbiterator_t *dbiter = NULL;
+ dns_dbnode_t *node;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_result_t result;
+
+ dbiter = NULL;
+ result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ node = NULL;
+
+ for (result = dns_dbiterator_first(dbiter);
+ result == ISC_R_SUCCESS;
+ result = dns_dbiterator_next(dbiter))
+ {
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_result(result, "dns_dbiterator_current()");
+ dumpnode(name, node);
+ dns_db_detachnode(db, &node);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("iterating database: %s", isc_result_totext(result));
+
+ dns_dbiterator_destroy(&dbiter);
+}
+
+static signer_key_t *
+newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
+ signer_key_t *key;
+
+ key = isc_mem_get(mctx, sizeof(signer_key_t));
+ if (key == NULL)
+ fatal("out of memory");
+ key->key = dstkey;
+ if ((dst_key_flags(dstkey) & DNS_KEYFLAG_KSK) != 0) {
+ key->issigningkey = signwithkey;
+ key->isksk = ISC_TRUE;
+ key->isdsk = ISC_FALSE;
+ } else {
+ key->issigningkey = signwithkey;
+ key->isksk = ISC_FALSE;
+ key->isdsk = ISC_TRUE;
+ }
+ key->position = keycount++;
+ ISC_LINK_INIT(key, link);
+ return (key);
+}
+
+static void
+signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
+ dst_key_t *key, isc_buffer_t *b)
+{
+ isc_result_t result;
+
+ result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
+ mctx, b, rdata);
+ isc_entropy_stopcallbacksources(ectx);
+ if (result != ISC_R_SUCCESS) {
+ char keystr[KEY_FORMATSIZE];
+ key_format(key, keystr, sizeof(keystr));
+ fatal("dnskey '%s' failed to sign data: %s",
+ keystr, isc_result_totext(result));
+ }
+ INCSTAT(nsigned);
+
+ if (tryverify) {
+ result = dns_dnssec_verify(name, rdataset, key,
+ ISC_TRUE, mctx, rdata);
+ if (result == ISC_R_SUCCESS) {
+ vbprintf(3, "\tsignature verified\n");
+ INCSTAT(nverified);
+ } else {
+ vbprintf(3, "\tsignature failed to verify\n");
+ INCSTAT(nverifyfailed);
+ }
+ }
+}
+
+static inline isc_boolean_t
+issigningkey(signer_key_t *key) {
+ return (key->issigningkey);
+}
+
+static inline isc_boolean_t
+iszonekey(signer_key_t *key) {
+ return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
+ dst_key_iszonekey(key->key)));
+}
+
+/*
+ * Finds the key that generated a RRSIG, if possible. First look at the keys
+ * that we've loaded already, and then see if there's a key on disk.
+ */
+static signer_key_t *
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
+ isc_result_t result;
+ dst_key_t *pubkey = NULL, *privkey = NULL;
+ signer_key_t *key;
+
+ key = ISC_LIST_HEAD(keylist);
+ while (key != NULL) {
+ if (rrsig->keyid == dst_key_id(key->key) &&
+ rrsig->algorithm == dst_key_alg(key->key) &&
+ dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
+ return key;
+ key = ISC_LIST_NEXT(key, link);
+ }
+
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm, DST_TYPE_PUBLIC,
+ NULL, mctx, &pubkey);
+ if (result != ISC_R_SUCCESS)
+ return (NULL);
+
+ result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
+ rrsig->algorithm,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ NULL, mctx, &privkey);
+ if (result == ISC_R_SUCCESS) {
+ dst_key_free(&pubkey);
+ key = newkeystruct(privkey, ISC_FALSE);
+ } else
+ key = newkeystruct(pubkey, ISC_FALSE);
+ ISC_LIST_APPEND(keylist, key, link);
+ return (key);
+}
+
+/*
+ * Check to see if we expect to find a key at this name. If we see a RRSIG
+ * and can't find the signing key that we expect to find, we drop the rrsig.
+ * I'm not sure if this is completely correct, but it seems to work.
+ */
+static isc_boolean_t
+expecttofindkey(dns_name_t *name) {
+ unsigned int options = DNS_DBFIND_NOWILD;
+ dns_fixedname_t fname;
+ isc_result_t result;
+ char namestr[DNS_NAME_FORMATSIZE];
+
+ dns_fixedname_init(&fname);
+ result = dns_db_find(gdb, name, gversion, dns_rdatatype_dnskey, options,
+ 0, NULL, dns_fixedname_name(&fname), NULL, NULL);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NXRRSET:
+ return (ISC_TRUE);
+ case DNS_R_DELEGATION:
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ return (ISC_FALSE);
+ }
+ dns_name_format(name, namestr, sizeof(namestr));
+ fatal("failure looking for '%s DNSKEY' in database: %s",
+ namestr, isc_result_totext(result));
+ return (ISC_FALSE); /* removes a warning */
+}
+
+static inline isc_boolean_t
+setverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
+ dns_rdata_t *rrsig)
+{
+ isc_result_t result;
+ result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, rrsig);
+ if (result == ISC_R_SUCCESS) {
+ INCSTAT(nverified);
+ return (ISC_TRUE);
+ } else {
+ INCSTAT(nverifyfailed);
+ return (ISC_FALSE);
+ }
+}
+
+/*
+ * Signs a set. Goes through contortions to decide if each RRSIG should
+ * be dropped or retained, and then determines if any new SIGs need to
+ * be generated.
+ */
+static void
+signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
+ dns_rdataset_t *set)
+{
+ dns_rdataset_t sigset;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdata_rrsig_t rrsig;
+ signer_key_t *key;
+ isc_result_t result;
+ isc_boolean_t nosigs = ISC_FALSE;
+ isc_boolean_t *wassignedby, *nowsignedby;
+ int arraysize;
+ dns_difftuple_t *tuple;
+ dns_ttl_t ttl;
+ int i;
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[TYPE_FORMATSIZE];
+ char sigstr[SIG_FORMATSIZE];
+
+ dns_name_format(name, namestr, sizeof(namestr));
+ type_format(set->type, typestr, sizeof(typestr));
+
+ ttl = ISC_MIN(set->ttl, endtime - starttime);
+
+ dns_rdataset_init(&sigset);
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_rrsig,
+ set->type, 0, &sigset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ result = ISC_R_SUCCESS;
+ nosigs = ISC_TRUE;
+ }
+ if (result != ISC_R_SUCCESS)
+ fatal("failed while looking for '%s RRSIG %s': %s",
+ namestr, typestr, isc_result_totext(result));
+
+ vbprintf(1, "%s/%s:\n", namestr, typestr);
+
+ arraysize = keycount;
+ if (!nosigs)
+ arraysize += dns_rdataset_count(&sigset);
+ wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
+ nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
+ if (wassignedby == NULL || nowsignedby == NULL)
+ fatal("out of memory");
+
+ for (i = 0; i < arraysize; i++)
+ wassignedby[i] = nowsignedby[i] = ISC_FALSE;
+
+ if (nosigs)
+ result = ISC_R_NOMORE;
+ else
+ result = dns_rdataset_first(&sigset);
+
+ while (result == ISC_R_SUCCESS) {
+ isc_boolean_t expired, future;
+ isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
+
+ dns_rdataset_current(&sigset, &sigrdata);
+
+ result = dns_rdata_tostruct(&sigrdata, &rrsig, NULL);
+ check_result(result, "dns_rdata_tostruct");
+
+ future = isc_serial_lt(now, rrsig.timesigned);
+
+ key = keythatsigned(&rrsig);
+ sig_format(&rrsig, sigstr, sizeof(sigstr));
+ if (key != NULL && issigningkey(key))
+ expired = isc_serial_gt(now + cycle, rrsig.timeexpire);
+ else
+ expired = isc_serial_gt(now, rrsig.timeexpire);
+
+ if (isc_serial_gt(rrsig.timesigned, rrsig.timeexpire)) {
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
+ "invalid validity period\n",
+ sigstr);
+ } else if (key == NULL && !future &&
+ expecttofindkey(&rrsig.signer))
+ {
+ /* rrsig is dropped and not replaced */
+ vbprintf(2, "\trrsig by %s dropped - "
+ "private dnskey not found\n",
+ sigstr);
+ } else if (key == NULL || future) {
+ vbprintf(2, "\trrsig by %s %s - dnskey not found\n",
+ expired ? "retained" : "dropped", sigstr);
+ if (!expired)
+ keep = ISC_TRUE;
+ } else if (issigningkey(key)) {
+ if (!expired && setverifies(name, set, key, &sigrdata))
+ {
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
+ keep = ISC_TRUE;
+ wassignedby[key->position] = ISC_TRUE;
+ nowsignedby[key->position] = ISC_TRUE;
+ } else {
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
+ sigstr,
+ expired ? "expired" :
+ "failed to verify");
+ wassignedby[key->position] = ISC_TRUE;
+ resign = ISC_TRUE;
+ }
+ } else if (iszonekey(key)) {
+ if (!expired && setverifies(name, set, key, &sigrdata))
+ {
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
+ keep = ISC_TRUE;
+ wassignedby[key->position] = ISC_TRUE;
+ nowsignedby[key->position] = ISC_TRUE;
+ } else {
+ vbprintf(2, "\trrsig by %s dropped - %s\n",
+ sigstr,
+ expired ? "expired" :
+ "failed to verify");
+ wassignedby[key->position] = ISC_TRUE;
+ }
+ } else if (!expired) {
+ vbprintf(2, "\trrsig by %s retained\n", sigstr);
+ keep = ISC_TRUE;
+ } else {
+ vbprintf(2, "\trrsig by %s expired\n", sigstr);
+ }
+
+ if (keep) {
+ nowsignedby[key->position] = ISC_TRUE;
+ INCSTAT(nretained);
+ if (sigset.ttl != ttl) {
+ vbprintf(2, "\tfixing ttl %s\n", sigstr);
+ tuple = NULL;
+ result = dns_difftuple_create(mctx,
+ DNS_DIFFOP_DEL,
+ name, sigset.ttl,
+ &sigrdata,
+ &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(del, &tuple);
+ result = dns_difftuple_create(mctx,
+ DNS_DIFFOP_ADD,
+ name, ttl,
+ &sigrdata,
+ &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(add, &tuple);
+ }
+ } else {
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
+ name, sigset.ttl,
+ &sigrdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(del, &tuple);
+ INCSTAT(ndropped);
+ }
+
+ if (resign) {
+ isc_buffer_t b;
+ dns_rdata_t trdata = DNS_RDATA_INIT;
+ unsigned char array[BUFSIZE];
+ char keystr[KEY_FORMATSIZE];
+
+ INSIST(!keep);
+
+ key_format(key->key, keystr, sizeof(keystr));
+ vbprintf(1, "\tresigning with dnskey %s\n", keystr);
+ isc_buffer_init(&b, array, sizeof(array));
+ signwithkey(name, set, &trdata, key->key, &b);
+ nowsignedby[key->position] = ISC_TRUE;
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ name, ttl, &trdata,
+ &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(add, &tuple);
+ }
+
+ dns_rdata_reset(&sigrdata);
+ dns_rdata_freestruct(&rrsig);
+ result = dns_rdataset_next(&sigset);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ check_result(result, "dns_rdataset_first/next");
+ if (dns_rdataset_isassociated(&sigset))
+ dns_rdataset_disassociate(&sigset);
+
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link))
+ {
+ isc_buffer_t b;
+ dns_rdata_t trdata;
+ unsigned char array[BUFSIZE];
+ char keystr[KEY_FORMATSIZE];
+
+ if (nowsignedby[key->position])
+ continue;
+
+ if (!key->issigningkey)
+ continue;
+ if (!(ignoreksk || key->isdsk ||
+ (key->isksk &&
+ set->type == dns_rdatatype_dnskey &&
+ dns_name_equal(name, gorigin))))
+ continue;
+
+ key_format(key->key, keystr, sizeof(keystr));
+ vbprintf(1, "\tsigning with dnskey %s\n", keystr);
+ dns_rdata_init(&trdata);
+ isc_buffer_init(&b, array, sizeof(array));
+ signwithkey(name, set, &trdata, key->key, &b);
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+ ttl, &trdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(add, &tuple);
+ }
+
+ isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
+ isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
+}
+
+static void
+opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
+ dns_db_t **dbp)
+{
+ char filename[256];
+ isc_buffer_t b;
+ isc_result_t result;
+
+ isc_buffer_init(&b, filename, sizeof(filename));
+ if (directory != NULL) {
+ isc_buffer_putstr(&b, directory);
+ if (directory[strlen(directory) - 1] != '/')
+ isc_buffer_putstr(&b, "/");
+ }
+ isc_buffer_putstr(&b, prefix);
+ result = dns_name_tofilenametext(name, ISC_FALSE, &b);
+ check_result(result, "dns_name_tofilenametext()");
+ if (isc_buffer_availablelength(&b) == 0) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ fatal("name '%s' is too long", namestr);
+ }
+ isc_buffer_putuint8(&b, 0);
+
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ rdclass, 0, NULL, dbp);
+ check_result(result, "dns_db_create()");
+
+ result = dns_db_load(*dbp, filename);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ dns_db_detach(dbp);
+}
+
+/*
+ * Loads the key set for a child zone, if there is one, and builds DS records.
+ */
+static isc_result_t
+loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
+ dns_db_t *db = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+ dns_rdataset_t keyset;
+ dns_rdata_t key, ds;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ dns_diff_t diff;
+ dns_difftuple_t *tuple = NULL;
+
+ opendb("keyset-", name, gclass, &db);
+ if (db == NULL)
+ return (ISC_R_NOTFOUND);
+
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detach(&db);
+ return (DNS_R_BADDB);
+ }
+ dns_rdataset_init(&keyset);
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
+ &keyset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(db, &node);
+ dns_db_detach(&db);
+ return (result);
+ }
+
+ vbprintf(2, "found DNSKEY records\n");
+
+ result = dns_db_newversion(db, &ver);
+ check_result(result, "dns_db_newversion");
+
+ dns_diff_init(mctx, &diff);
+
+ for (result = dns_rdataset_first(&keyset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keyset))
+ {
+ dns_rdata_init(&key);
+ dns_rdata_init(&ds);
+ dns_rdataset_current(&keyset, &key);
+ result = dns_ds_buildrdata(name, &key, DNS_DSDIGEST_SHA1,
+ dsbuf, &ds);
+ check_result(result, "dns_ds_buildrdata");
+
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
+ ttl, &ds, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ }
+ result = dns_diff_apply(&diff, db, ver);
+ check_result(result, "dns_diff_apply");
+ dns_diff_clear(&diff);
+
+ dns_db_closeversion(db, &ver, ISC_TRUE);
+
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0, 0,
+ dsset, NULL);
+ check_result(result, "dns_db_findrdataset");
+
+ dns_rdataset_disassociate(&keyset);
+ dns_db_detachnode(db, &node);
+ dns_db_detach(&db);
+ return (result);
+}
+
+static isc_boolean_t
+nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
+ unsigned int val)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_nsec_t nsec;
+ unsigned int newlen;
+ unsigned char bitmap[8192 + 512];
+ unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
+ isc_boolean_t answer = ISC_FALSE;
+ unsigned int i, len, window;
+ int octet;
+
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "dns_rdataset_first()");
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+ check_result(result, "dns_rdata_tostruct");
+
+ INSIST(nsec.len <= sizeof(bitmap));
+
+ newlen = 0;
+
+ memset(bitmap, 0, sizeof(bitmap));
+ for (i = 0; i < nsec.len; i += len) {
+ INSIST(i + 2 <= nsec.len);
+ window = nsec.typebits[i];
+ len = nsec.typebits[i+1];
+ i += 2;
+ INSIST(len > 0 && len <= 32);
+ INSIST(i + len <= nsec.len);
+ memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
+ }
+ set_bit(bitmap + 512, type, val);
+ for (window = 0; window < 256; window++) {
+ for (octet = 31; octet >= 0; octet--)
+ if (bitmap[window * 32 + 512 + octet] != 0)
+ break;
+ if (octet < 0)
+ continue;
+ bitmap[newlen] = window;
+ bitmap[newlen + 1] = octet + 1;
+ newlen += 2;
+ /*
+ * Overlapping move.
+ */
+ memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
+ newlen += octet + 1;
+ }
+ if (newlen != nsec.len ||
+ memcmp(nsec.typebits, bitmap, newlen) != 0) {
+ dns_rdata_t newrdata = DNS_RDATA_INIT;
+ isc_buffer_t b;
+ dns_diff_t diff;
+ dns_difftuple_t *tuple = NULL;
+
+ dns_diff_init(mctx, &diff);
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
+ rdataset->ttl, &rdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+
+ nsec.typebits = bitmap;
+ nsec.len = newlen;
+ isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
+ result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
+ dns_rdatatype_nsec, &nsec,
+ &b);
+ check_result(result, "dns_rdata_fromstruct");
+
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ name, rdataset->ttl,
+ &newrdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ result = dns_diff_apply(&diff, gdb, gversion);
+ check_result(result, "dns_difftuple_apply");
+ dns_diff_clear(&diff);
+ answer = ISC_TRUE;
+ }
+ dns_rdata_freestruct(&nsec);
+ return (answer);
+}
+
+static isc_boolean_t
+delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
+ dns_rdataset_t nsset;
+ isc_result_t result;
+
+ if (dns_name_equal(name, gorigin))
+ return (ISC_FALSE);
+
+ dns_rdataset_init(&nsset);
+ result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ns,
+ 0, 0, &nsset, NULL);
+ if (dns_rdataset_isassociated(&nsset)) {
+ if (ttlp != NULL)
+ *ttlp = nsset.ttl;
+ dns_rdataset_disassociate(&nsset);
+ }
+
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+/*
+ * Signs all records at a name. This mostly just signs each set individually,
+ * but also adds the RRSIG bit to any NSECs generated earlier, deals with
+ * parent/child KEY signatures, and handles other exceptional cases.
+ */
+static void
+signname(dns_dbnode_t *node, dns_name_t *name) {
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ dns_rdatasetiter_t *rdsiter;
+ isc_boolean_t isdelegation = ISC_FALSE;
+ isc_boolean_t hasds = ISC_FALSE;
+ isc_boolean_t atorigin;
+ isc_boolean_t changed = ISC_FALSE;
+ dns_diff_t del, add;
+ char namestr[DNS_NAME_FORMATSIZE];
+ isc_uint32_t nsttl = 0;
+
+ dns_name_format(name, namestr, sizeof(namestr));
+
+ atorigin = dns_name_equal(name, gorigin);
+
+ /*
+ * Determine if this is a delegation point.
+ */
+ if (delegation(name, node, &nsttl))
+ isdelegation = ISC_TRUE;
+
+ /*
+ * If this is a delegation point, look for a DS set.
+ */
+ if (isdelegation) {
+ dns_rdataset_t dsset;
+ dns_rdataset_t sigdsset;
+
+ dns_rdataset_init(&dsset);
+ dns_rdataset_init(&sigdsset);
+ result = dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_ds,
+ 0, 0, &dsset, &sigdsset);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&dsset);
+ if (generateds) {
+ result = dns_db_deleterdataset(gdb, node,
+ gversion,
+ dns_rdatatype_ds,
+ 0);
+ check_result(result, "dns_db_deleterdataset");
+ } else
+ hasds = ISC_TRUE;
+ }
+ if (generateds) {
+ result = loadds(name, nsttl, &dsset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_db_addrdataset(gdb, node,
+ gversion, 0,
+ &dsset, 0, NULL);
+ check_result(result, "dns_db_addrdataset");
+ hasds = ISC_TRUE;
+ dns_rdataset_disassociate(&dsset);
+ if (dns_rdataset_isassociated(&sigdsset))
+ dns_rdataset_disassociate(&sigdsset);
+ } else if (dns_rdataset_isassociated(&sigdsset)) {
+ result = dns_db_deleterdataset(gdb, node,
+ gversion,
+ dns_rdatatype_rrsig,
+ dns_rdatatype_ds);
+ check_result(result, "dns_db_deleterdataset");
+ dns_rdataset_disassociate(&sigdsset);
+ }
+ } else if (dns_rdataset_isassociated(&sigdsset))
+ dns_rdataset_disassociate(&sigdsset);
+ }
+
+ /*
+ * Make sure that NSEC bits are appropriately set.
+ */
+ dns_rdataset_init(&rdataset);
+ RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_nsec, 0, 0, &rdataset,
+ NULL) == ISC_R_SUCCESS);
+ if (!nokeys)
+ changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
+ if (changed) {
+ dns_rdataset_disassociate(&rdataset);
+ RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_nsec, 0, 0,
+ &rdataset,
+ NULL) == ISC_R_SUCCESS);
+ }
+ if (hasds)
+ (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
+ else
+ (void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
+ dns_rdataset_disassociate(&rdataset);
+
+ /*
+ * Now iterate through the rdatasets.
+ */
+ dns_diff_init(mctx, &del);
+ dns_diff_init(mctx, &add);
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+
+ /* If this is a RRSIG set, skip it. */
+ if (rdataset.type == dns_rdatatype_rrsig)
+ goto skip;
+
+ /*
+ * If this name is a delegation point, skip all records
+ * except NSEC and DS sets. Otherwise check that there
+ * isn't a DS record.
+ */
+ if (isdelegation) {
+ if (rdataset.type != dns_rdatatype_nsec &&
+ rdataset.type != dns_rdatatype_ds)
+ goto skip;
+ } else if (rdataset.type == dns_rdatatype_ds) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ fatal("'%s': found DS RRset without NS RRset\n",
+ namebuf);
+ }
+
+ signset(&del, &add, node, name, &rdataset);
+
+ skip:
+ dns_rdataset_disassociate(&rdataset);
+ result = dns_rdatasetiter_next(rdsiter);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration for name '%s' failed: %s",
+ namestr, isc_result_totext(result));
+
+ dns_rdatasetiter_destroy(&rdsiter);
+
+ result = dns_diff_applysilently(&del, gdb, gversion);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to delete SIGs at node '%s': %s",
+ namestr, isc_result_totext(result));
+
+ result = dns_diff_applysilently(&add, gdb, gversion);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to add SIGs at node '%s': %s",
+ namestr, isc_result_totext(result));
+
+ dns_diff_clear(&del);
+ dns_diff_clear(&add);
+}
+
+static inline isc_boolean_t
+active_node(dns_dbnode_t *node) {
+ dns_rdatasetiter_t *rdsiter;
+ isc_boolean_t active = ISC_FALSE;
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type != dns_rdatatype_nsec &&
+ rdataset.type != dns_rdatatype_rrsig)
+ active = ISC_TRUE;
+ dns_rdataset_disassociate(&rdataset);
+ if (!active)
+ result = dns_rdatasetiter_next(rdsiter);
+ else
+ result = ISC_R_NOMORE;
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
+
+ if (!active) {
+ /*
+ * Make sure there is no NSEC / RRSIG records for
+ * this node.
+ */
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_nsec, 0);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "dns_db_deleterdataset(nsec)");
+
+ result = dns_rdatasetiter_first(rdsiter);
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type == dns_rdatatype_rrsig) {
+ dns_rdatatype_t type = rdataset.type;
+ dns_rdatatype_t covers = rdataset.covers;
+ result = dns_db_deleterdataset(gdb, node,
+ gversion, type,
+ covers);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result,
+ "dns_db_deleterdataset(rrsig)");
+ }
+ dns_rdataset_disassociate(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+
+ return (active);
+}
+
+/*
+ * Extracts the TTL from the SOA.
+ */
+static dns_ttl_t
+soattl(void) {
+ dns_rdataset_t soaset;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_result_t result;
+ dns_ttl_t ttl;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_soa_t soa;
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_rdataset_init(&soaset);
+ result = dns_db_find(gdb, gorigin, gversion, dns_rdatatype_soa,
+ 0, 0, NULL, name, &soaset, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find an SOA at the zone apex: %s",
+ isc_result_totext(result));
+
+ result = dns_rdataset_first(&soaset);
+ check_result(result, "dns_rdataset_first");
+ dns_rdataset_current(&soaset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ ttl = soa.minimum;
+ dns_rdataset_disassociate(&soaset);
+ return (ttl);
+}
+
+/*
+ * Delete any RRSIG records at a node.
+ */
+static void
+cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdataset_t set;
+ isc_result_t result, dresult;
+
+ dns_rdataset_init(&set);
+ result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets");
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ isc_boolean_t destroy = ISC_FALSE;
+ dns_rdatatype_t covers = 0;
+ dns_rdatasetiter_current(rdsiter, &set);
+ if (set.type == dns_rdatatype_rrsig) {
+ covers = set.covers;
+ destroy = ISC_TRUE;
+ }
+ dns_rdataset_disassociate(&set);
+ result = dns_rdatasetiter_next(rdsiter);
+ if (destroy) {
+ dresult = dns_db_deleterdataset(db, node, version,
+ dns_rdatatype_rrsig,
+ covers);
+ check_result(dresult, "dns_db_deleterdataset");
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ fatal("rdataset iteration failed: %s",
+ isc_result_totext(result));
+ dns_rdatasetiter_destroy(&rdsiter);
+}
+
+/*
+ * Set up the iterator and global state before starting the tasks.
+ */
+static void
+presign(void) {
+ isc_result_t result;
+
+ gdbiter = NULL;
+ result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(gdbiter);
+ check_result(result, "dns_dbiterator_first()");
+}
+
+/*
+ * Clean up the iterator and global state after the tasks complete.
+ */
+static void
+postsign(void) {
+ dns_dbiterator_destroy(&gdbiter);
+}
+
+/*
+ * Assigns a node to a worker thread. This is protected by the master task's
+ * lock.
+ */
+static void
+assignwork(isc_task_t *task, isc_task_t *worker) {
+ dns_fixedname_t *fname;
+ dns_name_t *name;
+ dns_dbnode_t *node;
+ sevent_t *sevent;
+ dns_rdataset_t nsec;
+ isc_boolean_t found;
+ isc_result_t result;
+
+ if (shuttingdown)
+ return;
+
+ if (finished) {
+ if (assigned == completed) {
+ isc_task_detach(&task);
+ isc_app_shutdown();
+ }
+ return;
+ }
+
+ fname = isc_mem_get(mctx, sizeof(dns_fixedname_t));
+ if (fname == NULL)
+ fatal("out of memory");
+ dns_fixedname_init(fname);
+ name = dns_fixedname_name(fname);
+ node = NULL;
+ found = ISC_FALSE;
+ LOCK(&namelock);
+ while (!found) {
+ result = dns_dbiterator_current(gdbiter, &node, name);
+ if (result != ISC_R_SUCCESS)
+ fatal("failure iterating database: %s",
+ isc_result_totext(result));
+ dns_rdataset_init(&nsec);
+ result = dns_db_findrdataset(gdb, node, gversion,
+ dns_rdatatype_nsec, 0, 0,
+ &nsec, NULL);
+ if (result == ISC_R_SUCCESS)
+ found = ISC_TRUE;
+ else
+ dumpnode(name, node);
+ if (dns_rdataset_isassociated(&nsec))
+ dns_rdataset_disassociate(&nsec);
+ if (!found)
+ dns_db_detachnode(gdb, &node);
+
+ result = dns_dbiterator_next(gdbiter);
+ if (result == ISC_R_NOMORE) {
+ finished = ISC_TRUE;
+ break;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("failure iterating database: %s",
+ isc_result_totext(result));
+ }
+ UNLOCK(&namelock);
+ if (!found) {
+ if (assigned == completed) {
+ isc_task_detach(&task);
+ isc_app_shutdown();
+ }
+ isc_mem_put(mctx, fname, sizeof(dns_fixedname_t));
+ return;
+ }
+ sevent = (sevent_t *)
+ isc_event_allocate(mctx, task, SIGNER_EVENT_WORK,
+ sign, NULL, sizeof(sevent_t));
+ if (sevent == NULL)
+ fatal("failed to allocate event\n");
+
+ sevent->node = node;
+ sevent->fname = fname;
+ isc_task_send(worker, ISC_EVENT_PTR(&sevent));
+ assigned++;
+}
+
+/*
+ * Start a worker task
+ */
+static void
+startworker(isc_task_t *task, isc_event_t *event) {
+ isc_task_t *worker;
+
+ worker = (isc_task_t *)event->ev_arg;
+ assignwork(task, worker);
+ isc_event_free(&event);
+}
+
+/*
+ * Write a node to the output file, and restart the worker task.
+ */
+static void
+writenode(isc_task_t *task, isc_event_t *event) {
+ isc_task_t *worker;
+ sevent_t *sevent = (sevent_t *)event;
+
+ completed++;
+ worker = (isc_task_t *)event->ev_sender;
+ dumpnode(dns_fixedname_name(sevent->fname), sevent->node);
+ cleannode(gdb, gversion, sevent->node);
+ dns_db_detachnode(gdb, &sevent->node);
+ isc_mem_put(mctx, sevent->fname, sizeof(dns_fixedname_t));
+ assignwork(task, worker);
+ isc_event_free(&event);
+}
+
+/*
+ * Sign a database node.
+ */
+static void
+sign(isc_task_t *task, isc_event_t *event) {
+ dns_fixedname_t *fname;
+ dns_dbnode_t *node;
+ sevent_t *sevent, *wevent;
+
+ sevent = (sevent_t *)event;
+ node = sevent->node;
+ fname = sevent->fname;
+ isc_event_free(&event);
+
+ signname(node, dns_fixedname_name(fname));
+ wevent = (sevent_t *)
+ isc_event_allocate(mctx, task, SIGNER_EVENT_WRITE,
+ writenode, NULL, sizeof(sevent_t));
+ if (wevent == NULL)
+ fatal("failed to allocate event\n");
+ wevent->node = node;
+ wevent->fname = fname;
+ isc_task_send(master, ISC_EVENT_PTR(&wevent));
+}
+
+/*
+ * Generate NSEC records for the zone.
+ */
+static void
+nsecify(void) {
+ dns_dbiterator_t *dbiter = NULL;
+ dns_dbnode_t *node = NULL, *nextnode = NULL;
+ dns_fixedname_t fname, fnextname, fzonecut;
+ dns_name_t *name, *nextname, *zonecut;
+ isc_boolean_t done = ISC_FALSE;
+ isc_result_t result;
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&fnextname);
+ nextname = dns_fixedname_name(&fnextname);
+ dns_fixedname_init(&fzonecut);
+ zonecut = NULL;
+
+ result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+
+ result = dns_dbiterator_first(dbiter);
+ check_result(result, "dns_dbiterator_first()");
+
+ while (!done) {
+ dns_dbiterator_current(dbiter, &node, name);
+ if (delegation(name, node, NULL)) {
+ zonecut = dns_fixedname_name(&fzonecut);
+ dns_name_copy(name, zonecut, NULL);
+ }
+ result = dns_dbiterator_next(dbiter);
+ nextnode = NULL;
+ while (result == ISC_R_SUCCESS) {
+ isc_boolean_t active = ISC_FALSE;
+ result = dns_dbiterator_current(dbiter, &nextnode,
+ nextname);
+ if (result != ISC_R_SUCCESS)
+ break;
+ active = active_node(nextnode);
+ if (!active) {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (!dns_name_issubdomain(nextname, gorigin) ||
+ (zonecut != NULL &&
+ dns_name_issubdomain(nextname, zonecut)))
+ {
+ dns_db_detachnode(gdb, &nextnode);
+ result = dns_dbiterator_next(dbiter);
+ continue;
+ }
+ dns_db_detachnode(gdb, &nextnode);
+ break;
+ }
+ if (result == ISC_R_NOMORE) {
+ dns_name_clone(gorigin, nextname);
+ done = ISC_TRUE;
+ } else if (result != ISC_R_SUCCESS)
+ fatal("iterating through the database failed: %s",
+ isc_result_totext(result));
+ result = dns_nsec_build(gdb, gversion, node, nextname,
+ zonettl);
+ check_result(result, "dns_nsec_build()");
+ dns_db_detachnode(gdb, &node);
+ }
+
+ dns_dbiterator_destroy(&dbiter);
+}
+
+/*
+ * Load the zone file from disk
+ */
+static void
+loadzone(char *file, char *origin, dns_rdataclass_t rdclass, dns_db_t **db) {
+ isc_buffer_t b;
+ int len;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_result_t result;
+
+ len = strlen(origin);
+ isc_buffer_init(&b, origin, len);
+ isc_buffer_add(&b, len);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed converting name '%s' to dns format: %s",
+ origin, isc_result_totext(result));
+
+ result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+ rdclass, 0, NULL, db);
+ check_result(result, "dns_db_create()");
+
+ result = dns_db_load(*db, file);
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ fatal("failed loading zone from '%s': %s",
+ file, isc_result_totext(result));
+}
+
+/*
+ * Finds all public zone keys in the zone, and attempts to load the
+ * private keys from disk.
+ */
+static void
+loadzonekeys(dns_db_t *db) {
+ dns_dbnode_t *node;
+ dns_dbversion_t *currentversion;
+ isc_result_t result;
+ dst_key_t *keys[20];
+ unsigned int nkeys, i;
+
+ currentversion = NULL;
+ dns_db_currentversion(db, &currentversion);
+
+ node = NULL;
+ result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find the zone's origin: %s",
+ isc_result_totext(result));
+
+ result = dns_dnssec_findzonekeys(db, currentversion, node, gorigin,
+ mctx, 20, keys, &nkeys);
+ if (result == ISC_R_NOTFOUND)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find the zone keys: %s",
+ isc_result_totext(result));
+
+ for (i = 0; i < nkeys; i++) {
+ signer_key_t *key;
+
+ key = newkeystruct(keys[i], ISC_TRUE);
+ ISC_LIST_APPEND(keylist, key, link);
+ }
+ dns_db_detachnode(db, &node);
+ dns_db_closeversion(db, &currentversion, ISC_FALSE);
+}
+
+/*
+ * Finds all public zone keys in the zone.
+ */
+static void
+loadzonepubkeys(dns_db_t *db) {
+ dns_dbversion_t *currentversion = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_key_t *pubkey;
+ signer_key_t *key;
+ isc_result_t result;
+
+ dns_db_currentversion(db, &currentversion);
+
+ result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find the zone's origin: %s",
+ isc_result_totext(result));
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, currentversion,
+ dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find keys at the zone apex: %s",
+ isc_result_totext(result));
+ result = dns_rdataset_first(&rdataset);
+ check_result(result, "dns_rdataset_first");
+ while (result == ISC_R_SUCCESS) {
+ pubkey = NULL;
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx,
+ &pubkey);
+ if (result != ISC_R_SUCCESS)
+ goto next;
+ if (!dst_key_iszonekey(pubkey)) {
+ dst_key_free(&pubkey);
+ goto next;
+ }
+
+ key = newkeystruct(pubkey, ISC_FALSE);
+ ISC_LIST_APPEND(keylist, key, link);
+ next:
+ result = dns_rdataset_next(&rdataset);
+ }
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ dns_db_closeversion(db, &currentversion, ISC_FALSE);
+}
+
+static void
+warnifallksk(dns_db_t *db) {
+ dns_dbversion_t *currentversion = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_key_t *pubkey;
+ isc_result_t result;
+ dns_rdata_key_t key;
+ isc_boolean_t have_non_ksk = ISC_FALSE;
+
+ dns_db_currentversion(db, &currentversion);
+
+ result = dns_db_findnode(db, gorigin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find the zone's origin: %s",
+ isc_result_totext(result));
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, currentversion,
+ dns_rdatatype_dnskey, 0, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to find keys at the zone apex: %s",
+ isc_result_totext(result));
+ result = dns_rdataset_first(&rdataset);
+ check_result(result, "dns_rdataset_first");
+ while (result == ISC_R_SUCCESS) {
+ pubkey = NULL;
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &key, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ if ((key.flags & DNS_KEYFLAG_KSK) == 0) {
+ have_non_ksk = ISC_TRUE;
+ result = ISC_R_NOMORE;
+ } else
+ result = dns_rdataset_next(&rdataset);
+ }
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ dns_db_closeversion(db, &currentversion, ISC_FALSE);
+ if (!have_non_ksk && !ignoreksk)
+ fprintf(stderr, "%s: warning: No non-KSK dnskey found. "
+ "Supply non-KSK dnskey or use '-z'.\n",
+ program);
+}
+
+static void
+writeset(const char *prefix, dns_rdatatype_t type) {
+ char *filename;
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_db_t *db = NULL;
+ dns_dbversion_t *version = NULL;
+ dns_diff_t diff;
+ dns_difftuple_t *tuple = NULL;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ dns_rdata_t rdata, ds;
+ isc_boolean_t have_ksk = ISC_FALSE;
+ isc_boolean_t have_non_ksk = ISC_FALSE;
+ isc_buffer_t b;
+ isc_buffer_t namebuf;
+ isc_region_t r;
+ isc_result_t result;
+ signer_key_t *key;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ unsigned char keybuf[DST_KEY_MAXSIZE];
+ unsigned int filenamelen;
+ const dns_master_style_t *style =
+ (type == dns_rdatatype_dnskey) ? masterstyle : dsstyle;
+
+ isc_buffer_init(&namebuf, namestr, sizeof(namestr));
+ result = dns_name_tofilenametext(gorigin, ISC_FALSE, &namebuf);
+ check_result(result, "dns_name_tofilenametext");
+ isc_buffer_putuint8(&namebuf, 0);
+ filenamelen = strlen(prefix) + strlen(namestr);
+ if (directory != NULL)
+ filenamelen += strlen(directory) + 1;
+ filename = isc_mem_get(mctx, filenamelen + 1);
+ if (filename == NULL)
+ fatal("out of memory");
+ if (directory != NULL)
+ sprintf(filename, "%s/", directory);
+ else
+ filename[0] = 0;
+ strcat(filename, prefix);
+ strcat(filename, namestr);
+
+ dns_diff_init(mctx, &diff);
+
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link))
+ if (!key->isksk) {
+ have_non_ksk = ISC_TRUE;
+ break;
+ }
+
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link))
+ if (key->isksk) {
+ have_ksk = ISC_TRUE;
+ break;
+ }
+
+ if (type == dns_rdatatype_dlv) {
+ dns_name_t tname;
+ unsigned int labels;
+
+ dns_name_init(&tname, NULL);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ labels = dns_name_countlabels(gorigin);
+ dns_name_getlabelsequence(gorigin, 0, labels - 1, &tname);
+ result = dns_name_concatenate(&tname, dlv, name, NULL);
+ check_result(result, "dns_name_concatenate");
+ } else
+ name = gorigin;
+
+ for (key = ISC_LIST_HEAD(keylist);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link))
+ {
+ if (have_ksk && have_non_ksk && !key->isksk)
+ continue;
+ dns_rdata_init(&rdata);
+ dns_rdata_init(&ds);
+ isc_buffer_init(&b, keybuf, sizeof(keybuf));
+ result = dst_key_todns(key->key, &b);
+ check_result(result, "dst_key_todns");
+ isc_buffer_usedregion(&b, &r);
+ dns_rdata_fromregion(&rdata, gclass, dns_rdatatype_dnskey, &r);
+ if (type != dns_rdatatype_dnskey) {
+ result = dns_ds_buildrdata(gorigin, &rdata,
+ DNS_DSDIGEST_SHA1,
+ dsbuf, &ds);
+ check_result(result, "dns_ds_buildrdata");
+ if (type == dns_rdatatype_dlv)
+ ds.type = dns_rdatatype_dlv;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ name, 0, &ds, &tuple);
+ } else
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
+ gorigin, zonettl,
+ &rdata, &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(&diff, &tuple);
+ }
+
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ gclass, 0, NULL, &db);
+ check_result(result, "dns_db_create");
+
+ result = dns_db_newversion(db, &version);
+ check_result(result, "dns_db_newversion");
+
+ result = dns_diff_apply(&diff, db, version);
+ check_result(result, "dns_diff_apply");
+ dns_diff_clear(&diff);
+
+ result = dns_master_dump(mctx, db, version, style, filename);
+ check_result(result, "dns_master_dump");
+
+ isc_mem_put(mctx, filename, filenamelen + 1);
+
+ dns_db_closeversion(db, &version, ISC_FALSE);
+ dns_db_detach(&db);
+}
+
+static void
+print_time(FILE *fp) {
+ time_t currenttime;
+
+ currenttime = time(NULL);
+ fprintf(fp, "; File written on %s", ctime(&currenttime));
+}
+
+static void
+print_version(FILE *fp) {
+ fprintf(fp, "; dnssec_signzone version " VERSION "\n");
+}
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "Version: %s\n", VERSION);
+
+ fprintf(stderr, "Options: (default value in parenthesis) \n");
+ fprintf(stderr, "\t-c class (IN)\n");
+ fprintf(stderr, "\t-d directory\n");
+ fprintf(stderr, "\t\tdirectory to find keyset files (.)\n");
+ fprintf(stderr, "\t-g:\t");
+ fprintf(stderr, "generate DS records from keyset files\n");
+ fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
+ fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n");
+ fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
+ fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now "
+ "(now + 30 days)\n");
+ fprintf(stderr, "\t-i interval:\n");
+ fprintf(stderr, "\t\tcycle interval - resign "
+ "if < interval from end ( (end-start)/4 )\n");
+ fprintf(stderr, "\t-v debuglevel (0)\n");
+ fprintf(stderr, "\t-o origin:\n");
+ fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
+ fprintf(stderr, "\t-f outfile:\n");
+ fprintf(stderr, "\t\tfile the signed zone is written in "
+ "(zonefile + .signed)\n");
+ fprintf(stderr, "\t-r randomdev:\n");
+ fprintf(stderr, "\t\ta file containing random data\n");
+ fprintf(stderr, "\t-a:\t");
+ fprintf(stderr, "verify generated signatures\n");
+ fprintf(stderr, "\t-p:\t");
+ fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
+ fprintf(stderr, "\t-t:\t");
+ fprintf(stderr, "print statistics\n");
+ fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
+ fprintf(stderr, "\t-k key_signing_key\n");
+ fprintf(stderr, "\t-l lookasidezone\n");
+ fprintf(stderr, "\t-z:\t");
+ fprintf(stderr, "ignore KSK flag in DNSKEYs");
+
+ fprintf(stderr, "\n");
+
+ fprintf(stderr, "Signing Keys: ");
+ fprintf(stderr, "(default: all zone keys that have private keys)\n");
+ fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
+ exit(0);
+}
+
+static void
+removetempfile(void) {
+ if (removefile)
+ isc_file_remove(tempfile);
+}
+
+static void
+print_stats(isc_time_t *timer_start, isc_time_t *timer_finish) {
+ isc_uint64_t runtime_us; /* Runtime in microseconds */
+ isc_uint64_t runtime_ms; /* Runtime in milliseconds */
+ isc_uint64_t sig_ms; /* Signatures per millisecond */
+
+ runtime_us = isc_time_microdiff(timer_finish, timer_start);
+
+ printf("Signatures generated: %10d\n", nsigned);
+ printf("Signatures retained: %10d\n", nretained);
+ printf("Signatures dropped: %10d\n", ndropped);
+ printf("Signatures successfully verified: %10d\n", nverified);
+ printf("Signatures unsuccessfully verified: %10d\n", nverifyfailed);
+ runtime_ms = runtime_us / 1000;
+ printf("Runtime in seconds: %7u.%03u\n",
+ (unsigned int) (runtime_ms / 1000),
+ (unsigned int) (runtime_ms % 1000));
+ if (runtime_us > 0) {
+ sig_ms = ((isc_uint64_t)nsigned * 1000000000) / runtime_us;
+ printf("Signatures per second: %7u.%03u\n",
+ (unsigned int) sig_ms / 1000,
+ (unsigned int) sig_ms % 1000);
+ }
+}
+
+int
+main(int argc, char *argv[]) {
+ int i, ch;
+ char *startstr = NULL, *endstr = NULL, *classname = NULL;
+ char *origin = NULL, *file = NULL, *output = NULL;
+ char *dskeyfile[MAXDSKEYS];
+ int ndskeys = 0;
+ char *endp;
+ isc_time_t timer_start, timer_finish;
+ signer_key_t *key;
+ isc_result_t result;
+ isc_log_t *log = NULL;
+ isc_boolean_t pseudorandom = ISC_FALSE;
+ unsigned int eflags;
+ isc_boolean_t free_output = ISC_FALSE;
+ int tempfilelen;
+ dns_rdataclass_t rdclass;
+ dns_db_t *udb = NULL;
+ isc_task_t **tasks = NULL;
+ isc_buffer_t b;
+ int len;
+
+ masterstyle = &dns_master_style_explicitttl;
+
+ check_result(isc_app_start(), "isc_app_start");
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("out of memory");
+
+ dns_result_register();
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "ac:d:e:f:ghi:k:l:n:o:pr:s:Stv:z"))
+ != -1) {
+ switch (ch) {
+ case 'a':
+ tryverify = ISC_TRUE;
+ break;
+
+ case 'c':
+ classname = isc_commandline_argument;
+ break;
+
+ case 'd':
+ directory = isc_commandline_argument;
+ break;
+
+ case 'e':
+ endstr = isc_commandline_argument;
+ break;
+
+ case 'f':
+ output = isc_commandline_argument;
+ break;
+
+ case 'g':
+ generateds = ISC_TRUE;
+ break;
+
+ case 'h':
+ default:
+ usage();
+ break;
+
+ case 'i':
+ endp = NULL;
+ cycle = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0' || cycle < 0)
+ fatal("cycle period must be numeric and "
+ "positive");
+ break;
+
+ case 'l':
+ dns_fixedname_init(&dlv_fixed);
+ len = strlen(isc_commandline_argument);
+ isc_buffer_init(&b, isc_commandline_argument, len);
+ isc_buffer_add(&b, len);
+
+ dns_fixedname_init(&dlv_fixed);
+ dlv = dns_fixedname_name(&dlv_fixed);
+ result = dns_name_fromtext(dlv, &b, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext(dlv)");
+ break;
+
+ case 'k':
+ if (ndskeys == MAXDSKEYS)
+ fatal("too many key-signing keys specified");
+ dskeyfile[ndskeys++] = isc_commandline_argument;
+ break;
+
+ case 'n':
+ endp = NULL;
+ ntasks = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0' || ntasks > ISC_INT32_MAX)
+ fatal("number of cpus must be numeric");
+ break;
+
+ case 'o':
+ origin = isc_commandline_argument;
+ break;
+
+ case 'p':
+ pseudorandom = ISC_TRUE;
+ break;
+
+ case 'r':
+ setup_entropy(mctx, isc_commandline_argument, &ectx);
+ break;
+
+ case 's':
+ startstr = isc_commandline_argument;
+ break;
+
+ case 'S':
+ /* This is intentionally undocumented */
+ /* -S: simple output style */
+ masterstyle = &dns_master_style_simple;
+ break;
+
+ case 't':
+ printstats = ISC_TRUE;
+ break;
+
+ case 'v':
+ endp = NULL;
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("verbose level must be numeric");
+ break;
+
+ case 'z':
+ ignoreksk = ISC_TRUE;
+ break;
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ eflags = ISC_ENTROPY_BLOCKING;
+ if (!pseudorandom)
+ eflags |= ISC_ENTROPY_GOODONLY;
+ result = dst_lib_init(mctx, ectx, eflags);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize dst");
+
+ isc_stdtime_get(&now);
+
+ if (startstr != NULL)
+ starttime = strtotime(startstr, now, now);
+ else
+ starttime = now - 3600; /* Allow for some clock skew. */
+
+ if (endstr != NULL)
+ endtime = strtotime(endstr, now, starttime);
+ else
+ endtime = starttime + (30 * 24 * 60 * 60);
+
+ if (cycle == -1)
+ cycle = (endtime - starttime) / 4;
+
+ if (ntasks == 0)
+ ntasks = isc_os_ncpus();
+ vbprintf(4, "using %d cpus\n", ntasks);
+
+ rdclass = strtoclass(classname);
+
+ setup_logging(verbose, mctx, &log);
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc < 1)
+ usage();
+
+ file = argv[0];
+
+ argc -= 1;
+ argv += 1;
+
+ if (origin == NULL)
+ origin = file;
+
+ if (output == NULL) {
+ free_output = ISC_TRUE;
+ output = isc_mem_allocate(mctx,
+ strlen(file) + strlen(".signed") + 1);
+ if (output == NULL)
+ fatal("out of memory");
+ sprintf(output, "%s.signed", file);
+ }
+
+ result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
+ 0, 24, 0, 0, 0, 8, mctx);
+ check_result(result, "dns_master_stylecreate");
+
+
+ gdb = NULL;
+ TIME_NOW(&timer_start);
+ loadzone(file, origin, rdclass, &gdb);
+ gorigin = dns_db_origin(gdb);
+ gclass = dns_db_class(gdb);
+ zonettl = soattl();
+
+ ISC_LIST_INIT(keylist);
+
+ if (argc == 0) {
+ loadzonekeys(gdb);
+ } else {
+ for (i = 0; i < argc; i++) {
+ dst_key_t *newkey = NULL;
+
+ result = dst_key_fromnamedfile(argv[i],
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &newkey);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot load dnskey %s: %s", argv[i],
+ isc_result_totext(result));
+
+ key = ISC_LIST_HEAD(keylist);
+ while (key != NULL) {
+ dst_key_t *dkey = key->key;
+ if (dst_key_id(dkey) == dst_key_id(newkey) &&
+ dst_key_alg(dkey) == dst_key_alg(newkey) &&
+ dns_name_equal(dst_key_name(dkey),
+ dst_key_name(newkey)))
+ {
+ if (!dst_key_isprivate(dkey))
+ fatal("cannot sign zone with "
+ "non-private dnskey %s",
+ argv[i]);
+ break;
+ }
+ key = ISC_LIST_NEXT(key, link);
+ }
+ if (key == NULL) {
+ key = newkeystruct(newkey, ISC_TRUE);
+ ISC_LIST_APPEND(keylist, key, link);
+ } else
+ dst_key_free(&newkey);
+ }
+
+ loadzonepubkeys(gdb);
+ }
+
+ for (i = 0; i < ndskeys; i++) {
+ dst_key_t *newkey = NULL;
+
+ result = dst_key_fromnamedfile(dskeyfile[i],
+ DST_TYPE_PUBLIC |
+ DST_TYPE_PRIVATE,
+ mctx, &newkey);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot load dnskey %s: %s", dskeyfile[i],
+ isc_result_totext(result));
+
+ key = ISC_LIST_HEAD(keylist);
+ while (key != NULL) {
+ dst_key_t *dkey = key->key;
+ if (dst_key_id(dkey) == dst_key_id(newkey) &&
+ dst_key_alg(dkey) == dst_key_alg(newkey) &&
+ dns_name_equal(dst_key_name(dkey),
+ dst_key_name(newkey)))
+ {
+ /* Override key flags. */
+ key->issigningkey = ISC_TRUE;
+ key->isksk = ISC_TRUE;
+ key->isdsk = ISC_FALSE;
+ dst_key_free(&dkey);
+ key->key = newkey;
+ break;
+ }
+ key = ISC_LIST_NEXT(key, link);
+ }
+ if (key == NULL) {
+ /* Override dnskey flags. */
+ key = newkeystruct(newkey, ISC_TRUE);
+ key->isksk = ISC_TRUE;
+ key->isdsk = ISC_FALSE;
+ ISC_LIST_APPEND(keylist, key, link);
+ }
+ }
+
+ if (ISC_LIST_EMPTY(keylist)) {
+ fprintf(stderr, "%s: warning: No keys specified or found\n",
+ program);
+ nokeys = ISC_TRUE;
+ }
+
+ warnifallksk(gdb);
+
+ gversion = NULL;
+ result = dns_db_newversion(gdb, &gversion);
+ check_result(result, "dns_db_newversion()");
+
+ nsecify();
+
+ if (!nokeys) {
+ writeset("keyset-", dns_rdatatype_dnskey);
+ writeset("dsset-", dns_rdatatype_ds);
+ if (dlv != NULL) {
+ writeset("dlvset-", dns_rdatatype_dlv);
+ }
+ }
+
+ tempfilelen = strlen(output) + 20;
+ tempfile = isc_mem_get(mctx, tempfilelen);
+ if (tempfile == NULL)
+ fatal("out of memory");
+
+ result = isc_file_mktemplate(output, tempfile, tempfilelen);
+ check_result(result, "isc_file_mktemplate");
+
+ fp = NULL;
+ result = isc_file_openunique(tempfile, &fp);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to open temporary output file: %s",
+ isc_result_totext(result));
+ removefile = ISC_TRUE;
+ setfatalcallback(&removetempfile);
+
+ print_time(fp);
+ print_version(fp);
+
+ result = isc_taskmgr_create(mctx, ntasks, 0, &taskmgr);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to create task manager: %s",
+ isc_result_totext(result));
+
+ master = NULL;
+ result = isc_task_create(taskmgr, 0, &master);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to create task: %s", isc_result_totext(result));
+
+ tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+ if (tasks == NULL)
+ fatal("out of memory");
+ for (i = 0; i < (int)ntasks; i++) {
+ tasks[i] = NULL;
+ result = isc_task_create(taskmgr, 0, &tasks[i]);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to create task: %s",
+ isc_result_totext(result));
+ result = isc_app_onrun(mctx, master, startworker, tasks[i]);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to start task: %s",
+ isc_result_totext(result));
+ }
+
+ RUNTIME_CHECK(isc_mutex_init(&namelock) == ISC_R_SUCCESS);
+ if (printstats)
+ RUNTIME_CHECK(isc_mutex_init(&statslock) == ISC_R_SUCCESS);
+
+ presign();
+ (void)isc_app_run();
+ if (!finished)
+ fatal("process aborted by user");
+ shuttingdown = ISC_TRUE;
+ for (i = 0; i < (int)ntasks; i++)
+ isc_task_detach(&tasks[i]);
+ isc_taskmgr_destroy(&taskmgr);
+ isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *));
+ postsign();
+
+ if (udb != NULL) {
+ dumpdb(udb);
+ dns_db_detach(&udb);
+ }
+
+ result = isc_stdio_close(fp);
+ check_result(result, "isc_stdio_close");
+ removefile = ISC_FALSE;
+
+ result = isc_file_rename(tempfile, output);
+ if (result != ISC_R_SUCCESS)
+ fatal("failed to rename temp file to %s: %s\n",
+ output, isc_result_totext(result));
+
+ DESTROYLOCK(&namelock);
+ if (printstats)
+ DESTROYLOCK(&statslock);
+
+ printf("%s\n", output);
+
+ dns_db_closeversion(gdb, &gversion, ISC_FALSE);
+ dns_db_detach(&gdb);
+
+ while (!ISC_LIST_EMPTY(keylist)) {
+ key = ISC_LIST_HEAD(keylist);
+ ISC_LIST_UNLINK(keylist, key, link);
+ dst_key_free(&key->key);
+ isc_mem_put(mctx, key, sizeof(signer_key_t));
+ }
+
+ isc_mem_put(mctx, tempfile, tempfilelen);
+
+ if (free_output)
+ isc_mem_free(mctx, output);
+
+ dns_master_styledestroy(&dsstyle, mctx);
+
+ cleanup_logging(&log);
+ dst_lib_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_destroy(&mctx);
+
+ (void) isc_app_finish();
+
+ if (printstats) {
+ TIME_NOW(&timer_finish);
+ print_stats(&timer_start, &timer_finish);
+ }
+
+ return (0);
+}
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
new file mode 100644
index 0000000..2b85102
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook
@@ -0,0 +1,362 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-signzone.docbook,v 1.2.2.2.4.8 2004/06/11 01:17:35 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-signzone</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-signzone</application></refname>
+ <refpurpose>DNSSEC zone signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-signzone</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
+ <arg><option>-g</option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">key</replaceable></option></arg>
+ <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+ <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
+ <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-t</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-z</option></arg>
+ <arg choice="req">zonefile</arg>
+ <arg rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-signzone</command> signs a zone. It generates
+ NSEC and RRSIG records and produces a signed version of the
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <filename>keyset</filename> file for each child zone.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class of the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">key</replaceable></term>
+ <listitem>
+ <para>
+ Treat specified key as a key signing key ignoring any
+ key flags. This option may be specified multiple times.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">domain</replaceable></term>
+ <listitem>
+ <para>
+ Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+ The domain is appended to the name of the records.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Look for <filename>keyset</filename> files in
+ <option>directory</option> as the directory
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g</term>
+ <listitem>
+ <para>
+ Generate DS records for child zones from keyset files.
+ Existing DS records will be removed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated RRSIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time minus 1 hour (to allow for clock skew) is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated RRSIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">output-file</replaceable></term>
+ <listitem>
+ <para>
+ The name of the output file containing the signed zone. The
+ default is to append <filename>.signed</filename> to the
+ input file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-signzone</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">interval</replaceable></term>
+ <listitem>
+ <para>
+ When a previously signed zone is passed as input, records
+ may be resigned. The <option>interval</option> option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a RRSIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+ </para>
+ <para>
+ The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ <option>end-time</option> or <option>start-time</option>
+ are specified, <command>dnssec-signzone</command> generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing RRSIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">ncpus</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o <replaceable class="parameter">origin</replaceable></term>
+ <listitem>
+ <para>
+ The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t</term>
+ <listitem>
+ <para>
+ Print statistics at completion.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-z</term>
+ <listitem>
+ <para>
+ Ignore KSK flag on key when determining what to sign.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>zonefile</term>
+ <listitem>
+ <para>
+ The file containing the zone to be signed.
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The following command signs the <userinput>example.com</userinput>
+ zone with the DSA key generated in the <command>dnssec-keygen</command>
+ man page. The zone's keys must be in the zone. If there are
+ <filename>keyset</filename> files associated with child zones,
+ they must be in the current directory.
+ <userinput>example.com</userinput>, the following command would be
+ issued:
+ </para>
+ <para>
+ <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ The command would print a string of the form:
+ </para>
+ <para>
+ In this example, <command>dnssec-signzone</command> creates
+ the file <filename>db.example.com.signed</filename>. This file
+ should be referenced in a zone statement in a
+ <filename>named.conf</filename> file.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html
new file mode 100644
index 0000000..221099f
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html
@@ -0,0 +1,553 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-signzone.html,v 1.4.2.1.4.7 2004/08/22 23:38:58 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>dnssec-signzone</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> [<VAR
+CLASS="OPTION"
+>-a</VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-d <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-e <VAR
+CLASS="REPLACEABLE"
+>end-time</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-f <VAR
+CLASS="REPLACEABLE"
+>output-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-g</VAR
+>] [<VAR
+CLASS="OPTION"
+>-h</VAR
+>] [<VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>key</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-l <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-i <VAR
+CLASS="REPLACEABLE"
+>interval</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-n <VAR
+CLASS="REPLACEABLE"
+>nthreads</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-o <VAR
+CLASS="REPLACEABLE"
+>origin</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p</VAR
+>] [<VAR
+CLASS="OPTION"
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomdev</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s <VAR
+CLASS="REPLACEABLE"
+>start-time</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t</VAR
+>] [<VAR
+CLASS="OPTION"
+>-v <VAR
+CLASS="REPLACEABLE"
+>level</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-z</VAR
+>] {zonefile} [key...]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN66"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> signs a zone. It generates
+ NSEC and RRSIG records and produces a signed version of the
+ zone. The security status of delegations from the signed zone
+ (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <TT
+CLASS="FILENAME"
+>keyset</TT
+> file for each child zone.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN71"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>class</VAR
+></DT
+><DD
+><P
+> Specifies the DNS class of the zone.
+ </P
+></DD
+><DT
+>-k <VAR
+CLASS="REPLACEABLE"
+>key</VAR
+></DT
+><DD
+><P
+> Treat specified key as a key signing key ignoring any
+ key flags. This option may be specified multiple times.
+ </P
+></DD
+><DT
+>-l <VAR
+CLASS="REPLACEABLE"
+>domain</VAR
+></DT
+><DD
+><P
+> Generate a DLV set in addition to the key (DNSKEY) and DS sets.
+ The domain is appended to the name of the records.
+ </P
+></DD
+><DT
+>-d <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> Look for <TT
+CLASS="FILENAME"
+>keyset</TT
+> files in
+ <VAR
+CLASS="OPTION"
+>directory</VAR
+> as the directory
+ </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+> Generate DS records for child zones from keyset files.
+ Existing DS records will be removed.
+ </P
+></DD
+><DT
+>-s <VAR
+CLASS="REPLACEABLE"
+>start-time</VAR
+></DT
+><DD
+><P
+> Specify the date and time when the generated RRSIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <VAR
+CLASS="OPTION"
+>start-time</VAR
+> is specified, the current
+ time minus 1 hour (to allow for clock skew) is used.
+ </P
+></DD
+><DT
+>-e <VAR
+CLASS="REPLACEABLE"
+>end-time</VAR
+></DT
+><DD
+><P
+> Specify the date and time when the generated RRSIG records
+ expire. As with <VAR
+CLASS="OPTION"
+>start-time</VAR
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time relative to the current time is
+ indicated with now+N. If no <VAR
+CLASS="OPTION"
+>end-time</VAR
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-f <VAR
+CLASS="REPLACEABLE"
+>output-file</VAR
+></DT
+><DD
+><P
+> The name of the output file containing the signed zone. The
+ default is to append <TT
+CLASS="FILENAME"
+>.signed</TT
+> to the
+ input file.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+>.
+ </P
+></DD
+><DT
+>-i <VAR
+CLASS="REPLACEABLE"
+>interval</VAR
+></DT
+><DD
+><P
+> When a previously signed zone is passed as input, records
+ may be resigned. The <VAR
+CLASS="OPTION"
+>interval</VAR
+> option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a RRSIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+ </P
+><P
+> The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ <VAR
+CLASS="OPTION"
+>end-time</VAR
+> or <VAR
+CLASS="OPTION"
+>start-time</VAR
+>
+ are specified, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing RRSIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+ </P
+></DD
+><DT
+>-n <VAR
+CLASS="REPLACEABLE"
+>ncpus</VAR
+></DT
+><DD
+><P
+> Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+ </P
+></DD
+><DT
+>-o <VAR
+CLASS="REPLACEABLE"
+>origin</VAR
+></DT
+><DD
+><P
+> The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomdev</VAR
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-t</DT
+><DD
+><P
+> Print statistics at completion.
+ </P
+></DD
+><DT
+>-v <VAR
+CLASS="REPLACEABLE"
+>level</VAR
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>-z</DT
+><DD
+><P
+> Ignore KSK flag on key when determining what to sign.
+ </P
+></DD
+><DT
+>zonefile</DT
+><DD
+><P
+> The file containing the zone to be signed.
+ Sets the debugging level.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN181"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The following command signs the <KBD
+CLASS="USERINPUT"
+>example.com</KBD
+>
+ zone with the DSA key generated in the <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>
+ man page. The zone's keys must be in the zone. If there are
+ <TT
+CLASS="FILENAME"
+>keyset</TT
+> files associated with child zones,
+ they must be in the current directory.
+ <KBD
+CLASS="USERINPUT"
+>example.com</KBD
+>, the following command would be
+ issued:
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</KBD
+>
+ </P
+><P
+> The command would print a string of the form:
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>db.example.com.signed</TT
+>. This file
+ should be referenced in a zone statement in a
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN195"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN203"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c
new file mode 100644
index 0000000..1b84de8
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssectool.c
@@ -0,0 +1,305 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssectool.c,v 1.31.2.3.2.4 2004/03/08 02:07:38 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/list.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+#include <isc/print.h>
+
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/time.h>
+
+#include "dnssectool.h"
+
+extern int verbose;
+extern const char *program;
+
+typedef struct entropysource entropysource_t;
+
+struct entropysource {
+ isc_entropysource_t *source;
+ isc_mem_t *mctx;
+ ISC_LINK(entropysource_t) link;
+};
+
+static ISC_LIST(entropysource_t) sources;
+static fatalcallback_t *fatalcallback = NULL;
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", program);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ if (fatalcallback != NULL)
+ (*fatalcallback)();
+ exit(1);
+}
+
+void
+setfatalcallback(fatalcallback_t *callback) {
+ fatalcallback = callback;
+}
+
+void
+check_result(isc_result_t result, const char *message) {
+ if (result != ISC_R_SUCCESS)
+ fatal("%s: %s", message, isc_result_totext(result));
+}
+
+void
+vbprintf(int level, const char *fmt, ...) {
+ va_list ap;
+ if (level > verbose)
+ return;
+ va_start(ap, fmt);
+ fprintf(stderr, "%s: ", program);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+}
+
+void
+type_format(const dns_rdatatype_t type, char *cp, unsigned int size) {
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_result_t result;
+
+ isc_buffer_init(&b, cp, size - 1);
+ result = dns_rdatatype_totext(type, &b);
+ check_result(result, "dns_rdatatype_totext()");
+ isc_buffer_usedregion(&b, &r);
+ r.base[r.length] = 0;
+}
+
+void
+alg_format(const dns_secalg_t alg, char *cp, unsigned int size) {
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_result_t result;
+
+ isc_buffer_init(&b, cp, size - 1);
+ result = dns_secalg_totext(alg, &b);
+ check_result(result, "dns_secalg_totext()");
+ isc_buffer_usedregion(&b, &r);
+ r.base[r.length] = 0;
+}
+
+void
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&sig->signer, namestr, sizeof(namestr));
+ alg_format(sig->algorithm, algstr, sizeof(algstr));
+ snprintf(cp, size, "%s/%s/%d", namestr, algstr, sig->keyid);
+}
+
+void
+key_format(const dst_key_t *key, char *cp, unsigned int size) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char algstr[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(dst_key_name(key), namestr, sizeof(namestr));
+ alg_format((dns_secalg_t) dst_key_alg(key), algstr, sizeof(algstr));
+ snprintf(cp, size, "%s/%s/%d", namestr, algstr, dst_key_id(key));
+}
+
+void
+setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp) {
+ isc_result_t result;
+ isc_logdestination_t destination;
+ isc_logconfig_t *logconfig = NULL;
+ isc_log_t *log = NULL;
+ int level;
+
+ switch (verbose) {
+ case 0:
+ /*
+ * We want to see warnings about things like out-of-zone
+ * data in the master file even when not verbose.
+ */
+ level = ISC_LOG_WARNING;
+ break;
+ case 1:
+ level = ISC_LOG_INFO;
+ break;
+ default:
+ level = ISC_LOG_DEBUG(verbose - 2 + 1);
+ break;
+ }
+
+ RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+ isc_log_setcontext(log);
+ dns_log_init(log);
+ dns_log_setcontext(log);
+
+ RUNTIME_CHECK(isc_log_settag(logconfig, program) == ISC_R_SUCCESS);
+
+ /*
+ * Set up a channel similar to default_stderr except:
+ * - the logging level is passed in
+ * - the program name and logging level are printed
+ * - no time stamp is printed
+ */
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ result = isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC,
+ level,
+ &destination,
+ ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL);
+ check_result(result, "isc_log_createchannel()");
+
+ RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL) == ISC_R_SUCCESS);
+
+ *logp = log;
+}
+
+void
+cleanup_logging(isc_log_t **logp) {
+ isc_log_t *log;
+
+ REQUIRE(logp != NULL);
+
+ log = *logp;
+ if (log == NULL)
+ return;
+ isc_log_destroy(&log);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+ logp = NULL;
+}
+
+void
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx) {
+ isc_result_t result;
+ isc_entropysource_t *source = NULL;
+ entropysource_t *elt;
+ int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+
+ REQUIRE(ectx != NULL);
+
+ if (*ectx == NULL) {
+ result = isc_entropy_create(mctx, ectx);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not create entropy object");
+ ISC_LIST_INIT(sources);
+ }
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ usekeyboard = ISC_ENTROPY_KEYBOARDYES;
+ randomfile = NULL;
+ }
+
+ result = isc_entropy_usebestsource(*ectx, &source, randomfile,
+ usekeyboard);
+
+ if (result != ISC_R_SUCCESS)
+ fatal("could not initialize entropy source: %s",
+ isc_result_totext(result));
+
+ if (source != NULL) {
+ elt = isc_mem_get(mctx, sizeof(*elt));
+ if (elt == NULL)
+ fatal("out of memory");
+ elt->source = source;
+ elt->mctx = mctx;
+ ISC_LINK_INIT(elt, link);
+ ISC_LIST_APPEND(sources, elt, link);
+ }
+}
+
+void
+cleanup_entropy(isc_entropy_t **ectx) {
+ entropysource_t *source;
+ while (!ISC_LIST_EMPTY(sources)) {
+ source = ISC_LIST_HEAD(sources);
+ ISC_LIST_UNLINK(sources, source, link);
+ isc_entropy_destroysource(&source->source);
+ isc_mem_put(source->mctx, source, sizeof(*source));
+ }
+ isc_entropy_detach(ectx);
+}
+
+isc_stdtime_t
+strtotime(const char *str, isc_int64_t now, isc_int64_t base) {
+ isc_int64_t val, offset;
+ isc_result_t result;
+ char *endp;
+
+ if (str[0] == '+') {
+ offset = strtol(str + 1, &endp, 0);
+ if (*endp != '\0')
+ fatal("time value %s is invalid", str);
+ val = base + offset;
+ } else if (strncmp(str, "now+", 4) == 0) {
+ offset = strtol(str + 4, &endp, 0);
+ if (*endp != '\0')
+ fatal("time value %s is invalid", str);
+ val = now + offset;
+ } else if (strlen(str) == 8U) {
+ char timestr[15];
+ sprintf(timestr, "%s000000", str);
+ result = dns_time64_fromtext(timestr, &val);
+ if (result != ISC_R_SUCCESS)
+ fatal("time value %s is invalid", str);
+ } else {
+ result = dns_time64_fromtext(str, &val);
+ if (result != ISC_R_SUCCESS)
+ fatal("time value %s is invalid", str);
+ }
+
+ return ((isc_stdtime_t) val);
+}
+
+dns_rdataclass_t
+strtoclass(const char *str) {
+ isc_textregion_t r;
+ dns_rdataclass_t rdclass;
+ isc_result_t ret;
+
+ if (str == NULL)
+ return dns_rdataclass_in;
+ DE_CONST(str, r.base);
+ r.length = strlen(str);
+ ret = dns_rdataclass_fromtext(&rdclass, &r);
+ if (ret != ISC_R_SUCCESS)
+ fatal("unknown class %s", str);
+ return (rdclass);
+}
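Review bot: In cleanup_logging() the final statement `logp = NULL;` only clears the function's own parameter, so the caller's pointer still refers to the log context that was destroyed through the local copy `log`. A caller that logs after cleanup, or calls cleanup_logging() a second time, would be using a destroyed context; the line should read `*logp = NULL;`. In the same file, type_format() and alg_format() pass `size - 1` to isc_buffer_init() without checking `size`, so a zero-length buffer wraps to a very large length. A `REQUIRE(size > 0);` at the top of each would make that contract explicit.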
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h
new file mode 100644
index 0000000..0d17950
--- /dev/null
+++ b/contrib/bind9/bin/dnssec/dnssectool.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssectool.h,v 1.15.12.3 2004/03/08 04:04:18 marka Exp $ */
+
+#ifndef DNSSECTOOL_H
+#define DNSSECTOOL_H 1
+
+#include <isc/log.h>
+#include <isc/stdtime.h>
+#include <dns/rdatastruct.h>
+#include <dst/dst.h>
+
+typedef void (fatalcallback_t)(void);
+
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+setfatalcallback(fatalcallback_t *callback);
+
+void
+check_result(isc_result_t result, const char *message);
+
+void
+vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
+void
+type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
+#define TYPE_FORMATSIZE 10
+
+void
+alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
+#define ALG_FORMATSIZE 10
+
+void
+sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size);
+#define SIG_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
+
+void
+key_format(const dst_key_t *key, char *cp, unsigned int size);
+#define KEY_FORMATSIZE (DNS_NAME_FORMATSIZE + ALG_FORMATSIZE + sizeof("65535"))
+
+void
+setup_logging(int verbose, isc_mem_t *mctx, isc_log_t **logp);
+
+void
+cleanup_logging(isc_log_t **logp);
+
+void
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx);
+
+void
+cleanup_entropy(isc_entropy_t **ectx);
+
+isc_stdtime_t
+strtotime(const char *str, isc_int64_t now, isc_int64_t base);
+
+dns_rdataclass_t
+strtoclass(const char *str);
+
+#endif /* DNSSEC_DNSSECTOOL_H */
diff --git a/contrib/bind9/bin/named/Makefile.in b/contrib/bind9/bin/named/Makefile.in
new file mode 100644
index 0000000..d95351a
--- /dev/null
+++ b/contrib/bind9/bin/named/Makefile.in
@@ -0,0 +1,131 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.74.12.10 2004/08/21 06:22:40 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+#
+# Add database drivers here.
+#
+DBDRIVER_OBJS =
+DBDRIVER_SRCS =
+DBDRIVER_INCLUDES =
+DBDRIVER_LIBS =
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include \
+ ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
+ ${DBDRIVER_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} \
+ ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} \
+ ${ISCCFGLIBS} ${ISCCCLIBS} ${ISCLIBS} ${DBDRIVER_LIBS} @LIBS@
+
+SUBDIRS = unix
+
+TARGETS = named@EXEEXT@ lwresd@EXEEXT@
+
+OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \
+ controlconf.@O@ interfacemgr.@O@ \
+ listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
+ query.@O@ server.@O@ sortlist.@O@ \
+ tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
+ zoneconf.@O@ \
+ lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
+ lwdgnba.@O@ lwdgrbn.@O@ lwdnoop.@O@ lwsearch.@O@ \
+ $(DBDRIVER_OBJS)
+
+UOBJS = unix/os.@O@
+
+SRCS = aclconf.c builtin.c client.c config.c control.c \
+ controlconf.c interfacemgr.c \
+ listenlist.c log.c logconf.c main.c notify.c \
+ query.c server.c sortlist.c \
+ tkeyconf.c tsigconf.c update.c xfrout.c \
+ zoneconf.c \
+ lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
+ lwdgnba.c lwdgrbn.c lwdnoop.c lwsearch.c \
+ $(DBDRIVER_SRCS)
+
+MANPAGES = named.8 lwresd.8 named.conf.5
+
+HTMLPAGES = named.html lwresd.html named.conf.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+main.@O@: main.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
+ -DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
+
+config.@O@: config.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DNS_LOCALSTATEDIR=\"${localstatedir}\" \
+ -c ${srcdir}/config.c
+
+named@EXEEXT@: ${OBJS} ${UOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+ ${OBJS} ${UOBJS} ${LIBS}
+
+lwresd@EXEEXT@: named@EXEEXT@
+ rm -f lwresd@EXEEXT@
+ @LN@ named@EXEEXT@ lwresd@EXEEXT@
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS} ${OBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: named@EXEEXT@ lwresd@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named@EXEEXT@ ${DESTDIR}${sbindir}
+ (cd ${DESTDIR}${sbindir}; rm -f lwresd@EXEEXT@; @LN@ named@EXEEXT@ lwresd@EXEEXT@)
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done
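Review bot: The install rule copies every entry of MANPAGES into `${DESTDIR}${mandir}/man8`, but MANPAGES includes `named.conf.5`, a section 5 page, and installdirs never creates a man5 directory. I would add `$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5` to installdirs and install that page with `${INSTALL_DATA} ${srcdir}/named.conf.5 ${DESTDIR}${mandir}/man5`, leaving the loop for the section 8 pages only. The subshell on the line before the loop chains its commands with `;`, so if the `cd` into `${DESTDIR}${sbindir}` fails, the `rm -f` and `@LN@` still run in the build directory. Joining them with `&&` stops at the first failure.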
diff --git a/contrib/bind9/bin/named/aclconf.c b/contrib/bind9/bin/named/aclconf.c
new file mode 100644
index 0000000..ef36c56
--- /dev/null
+++ b/contrib/bind9/bin/named/aclconf.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: aclconf.c,v 1.27.12.3 2004/03/08 04:04:18 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <dns/acl.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+
+#include <named/aclconf.h>
+
+void
+ns_aclconfctx_init(ns_aclconfctx_t *ctx) {
+ ISC_LIST_INIT(ctx->named_acl_cache);
+}
+
+void
+ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
+ dns_acl_t *dacl, *next;
+ for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
+ dacl != NULL;
+ dacl = next)
+ {
+ next = ISC_LIST_NEXT(dacl, nextincache);
+ dns_acl_detach(&dacl);
+ }
+}
+
+/*
+ * Find the definition of the named acl whose name is "name".
+ */
+static isc_result_t
+get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *acls = NULL;
+ cfg_listelt_t *elt;
+
+ result = cfg_map_get(cctx, "acl", &acls);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ for (elt = cfg_list_first(acls);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ cfg_obj_t *acl = cfg_listelt_value(elt);
+ const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+ if (strcasecmp(aclname, name) == 0) {
+ *ret = cfg_tuple_get(acl, "value");
+ return (ISC_R_SUCCESS);
+ }
+ }
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
+ ns_aclconfctx_t *ctx, isc_mem_t *mctx,
+ dns_acl_t **target)
+{
+ isc_result_t result;
+ cfg_obj_t *cacl = NULL;
+ dns_acl_t *dacl;
+ char *aclname = cfg_obj_asstring(nameobj);
+
+ /* Look for an already-converted version. */
+ for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
+ dacl != NULL;
+ dacl = ISC_LIST_NEXT(dacl, nextincache))
+ {
+ if (strcasecmp(aclname, dacl->name) == 0) {
+ dns_acl_attach(dacl, target);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ /* Not yet converted. Convert now. */
+ result = get_acl_def(cctx, aclname, &cacl);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(nameobj, dns_lctx, ISC_LOG_WARNING,
+ "undefined ACL '%s'", aclname);
+ return (result);
+ }
+ result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dacl->name = isc_mem_strdup(dacl->mctx, aclname);
+ if (dacl->name == NULL)
+ return (ISC_R_NOMEMORY);
+ ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
+ dns_acl_attach(dacl, target);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
+ isc_result_t result;
+ isc_buffer_t buf;
+ dns_fixedname_t fixname;
+ unsigned int keylen;
+ const char *txtname = cfg_obj_asstring(keyobj);
+
+ keylen = strlen(txtname);
+ isc_buffer_init(&buf, txtname, keylen);
+ isc_buffer_add(&buf, keylen);
+ dns_fixedname_init(&fixname);
+ result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(keyobj, dns_lctx, ISC_LOG_WARNING,
+ "key name '%s' is not a valid domain name",
+ txtname);
+ return (result);
+ }
+ return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
+}
+
+isc_result_t
+ns_acl_fromconfig(cfg_obj_t *caml,
+ cfg_obj_t *cctx,
+ ns_aclconfctx_t *ctx,
+ isc_mem_t *mctx,
+ dns_acl_t **target)
+{
+ isc_result_t result;
+ unsigned int count;
+ dns_acl_t *dacl = NULL;
+ dns_aclelement_t *de;
+ cfg_listelt_t *elt;
+
+ REQUIRE(target != NULL && *target == NULL);
+
+ count = 0;
+ for (elt = cfg_list_first(caml);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ count++;
+
+ result = dns_acl_create(mctx, count, &dacl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ de = dacl->elements;
+ for (elt = cfg_list_first(caml);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ {
+ cfg_obj_t *ce = cfg_listelt_value(elt);
+ if (cfg_obj_istuple(ce)) {
+ /* This must be a negated element. */
+ ce = cfg_tuple_get(ce, "value");
+ de->negative = ISC_TRUE;
+ } else {
+ de->negative = ISC_FALSE;
+ }
+
+ if (cfg_obj_isnetprefix(ce)) {
+ /* Network prefix */
+ de->type = dns_aclelementtype_ipprefix;
+
+ cfg_obj_asnetprefix(ce,
+ &de->u.ip_prefix.address,
+ &de->u.ip_prefix.prefixlen);
+ } else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+ /* Key name */
+ de->type = dns_aclelementtype_keyname;
+ dns_name_init(&de->u.keyname, NULL);
+ result = convert_keyname(ce, mctx, &de->u.keyname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ } else if (cfg_obj_islist(ce)) {
+ /* Nested ACL */
+ de->type = dns_aclelementtype_nestedacl;
+ result = ns_acl_fromconfig(ce, cctx, ctx, mctx,
+ &de->u.nestedacl);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ } else if (cfg_obj_isstring(ce)) {
+ /* ACL name */
+ char *name = cfg_obj_asstring(ce);
+ if (strcasecmp(name, "localhost") == 0) {
+ de->type = dns_aclelementtype_localhost;
+ } else if (strcasecmp(name, "localnets") == 0) {
+ de->type = dns_aclelementtype_localnets;
+ } else if (strcasecmp(name, "any") == 0) {
+ de->type = dns_aclelementtype_any;
+ } else if (strcasecmp(name, "none") == 0) {
+ de->type = dns_aclelementtype_any;
+ de->negative = ISC_TF(! de->negative);
+ } else {
+ de->type = dns_aclelementtype_nestedacl;
+ result = convert_named_acl(ce, cctx, ctx, mctx,
+ &de->u.nestedacl);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ } else {
+ cfg_obj_log(ce, dns_lctx, ISC_LOG_WARNING,
+ "address match list contains "
+ "unsupported element type");
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ de++;
+ dacl->length++;
+ }
+
+ *target = dacl;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_acl_detach(&dacl);
+ return (result);
+}
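Review bot: convert_named_acl() leaks the freshly built ACL when `isc_mem_strdup()` fails, because it returns ISC_R_NOMEMORY while `dacl` still holds the reference created by ns_acl_fromconfig(). The error branch should release it first, as the cleanup path in ns_acl_fromconfig() already does: `if (dacl->name == NULL) { dns_acl_detach(&dacl); return (ISC_R_NOMEMORY); }`. Separately, the cache entry is appended only after ns_acl_fromconfig() returns, so a named ACL whose definition mentions its own name appears to re-enter convert_named_acl() without bound. Nothing in this file marks a name as being converted, so a loop check that logs an error and fails the configuration load would be worth adding.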
diff --git a/contrib/bind9/bin/named/builtin.c b/contrib/bind9/bin/named/builtin.c
new file mode 100644
index 0000000..af4d7a3
--- /dev/null
+++ b/contrib/bind9/bin/named/builtin.c
@@ -0,0 +1,228 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: builtin.c,v 1.4.106.4 2004/03/08 04:04:18 marka Exp $ */
+
+/*
+ * The built-in "version", "hostname", "id" and "authors" databases.
+ */
+
+#include <config.h>
+
+#include <string.h>
+#include <stdio.h>
+
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include <dns/sdb.h>
+#include <dns/result.h>
+
+#include <named/builtin.h>
+#include <named/globals.h>
+#include <named/server.h>
+#include <named/os.h>
+
+typedef struct builtin builtin_t;
+
+static isc_result_t do_version_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_hostname_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_authors_lookup(dns_sdblookup_t *lookup);
+static isc_result_t do_id_lookup(dns_sdblookup_t *lookup);
+
+/*
+ * We can't use function pointers as the db_data directly
+ * because ANSI C does not guarantee that function pointers
+ * can safely be cast to void pointers and back.
+ */
+
+struct builtin {
+ isc_result_t (*do_lookup)(dns_sdblookup_t *lookup);
+};
+
+static builtin_t version_builtin = { do_version_lookup };
+static builtin_t hostname_builtin = { do_hostname_lookup };
+static builtin_t authors_builtin = { do_authors_lookup };
+static builtin_t id_builtin = { do_id_lookup };
+
+static dns_sdbimplementation_t *builtin_impl;
+
+static isc_result_t
+builtin_lookup(const char *zone, const char *name, void *dbdata,
+ dns_sdblookup_t *lookup)
+{
+ builtin_t *b = (builtin_t *) dbdata;
+
+ UNUSED(zone);
+
+ if (strcmp(name, "@") == 0)
+ return (b->do_lookup(lookup));
+ else
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+put_txt(dns_sdblookup_t *lookup, const char *text) {
+ unsigned char buf[256];
+ unsigned int len = strlen(text);
+ if (len > 255)
+ len = 255; /* Silently truncate */
+ buf[0] = len;
+ memcpy(&buf[1], text, len);
+ return (dns_sdb_putrdata(lookup, dns_rdatatype_txt, 0, buf, len + 1));
+}
+
+static isc_result_t
+do_version_lookup(dns_sdblookup_t *lookup) {
+ if (ns_g_server->version_set) {
+ if (ns_g_server->version == NULL)
+ return (ISC_R_SUCCESS);
+ else
+ return (put_txt(lookup, ns_g_server->version));
+ } else {
+ return (put_txt(lookup, ns_g_version));
+ }
+}
+
+static isc_result_t
+do_hostname_lookup(dns_sdblookup_t *lookup) {
+ if (ns_g_server->hostname_set) {
+ if (ns_g_server->hostname == NULL)
+ return (ISC_R_SUCCESS);
+ else
+ return (put_txt(lookup, ns_g_server->hostname));
+ } else {
+ char buf[256];
+ isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (put_txt(lookup, buf));
+ }
+}
+
+static isc_result_t
+do_authors_lookup(dns_sdblookup_t *lookup) {
+ isc_result_t result;
+ const char **p;
+ static const char *authors[] = {
+ "Mark Andrews",
+ "James Brister",
+ "Ben Cottrell",
+ "Michael Graff",
+ "Andreas Gustafsson",
+ "Bob Halley",
+ "David Lawrence",
+ "Danny Mayer",
+ "Damien Neil",
+ "Matt Nelson",
+ "Michael Sawyer",
+ "Brian Wellington",
+ NULL
+ };
+
+ /*
+ * If a version string is specified, disable the authors.bind zone.
+ */
+ if (ns_g_server->version_set)
+ return (ISC_R_SUCCESS);
+
+ for (p = authors; *p != NULL; p++) {
+ result = put_txt(lookup, *p);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_id_lookup(dns_sdblookup_t *lookup) {
+
+ if (ns_g_server->server_usehostname) {
+ char buf[256];
+ isc_result_t result = ns_os_gethostname(buf, sizeof(buf));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (put_txt(lookup, buf));
+ }
+
+ if (ns_g_server->server_id == NULL)
+ return (ISC_R_SUCCESS);
+ else
+ return (put_txt(lookup, ns_g_server->server_id));
+}
+
+static isc_result_t
+builtin_authority(const char *zone, void *dbdata, dns_sdblookup_t *lookup) {
+ isc_result_t result;
+
+ UNUSED(zone);
+ UNUSED(dbdata);
+
+ result = dns_sdb_putsoa(lookup, "@", "hostmaster", 0);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+ result = dns_sdb_putrr(lookup, "ns", 0, "@");
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+builtin_create(const char *zone, int argc, char **argv,
+ void *driverdata, void **dbdata)
+{
+ UNUSED(zone);
+ UNUSED(driverdata);
+ if (argc != 1)
+ return (DNS_R_SYNTAX);
+ if (strcmp(argv[0], "version") == 0)
+ *dbdata = &version_builtin;
+ else if (strcmp(argv[0], "hostname") == 0)
+ *dbdata = &hostname_builtin;
+ else if (strcmp(argv[0], "authors") == 0)
+ *dbdata = &authors_builtin;
+ else if (strcmp(argv[0], "id") == 0)
+ *dbdata = &id_builtin;
+ else
+ return (ISC_R_NOTIMPLEMENTED);
+ return (ISC_R_SUCCESS);
+}
+
+static dns_sdbmethods_t builtin_methods = {
+ builtin_lookup,
+ builtin_authority,
+ NULL, /* allnodes */
+ builtin_create,
+ NULL /* destroy */
+};
+
+isc_result_t
+ns_builtin_init(void) {
+ RUNTIME_CHECK(dns_sdb_register("_builtin", &builtin_methods, NULL,
+ DNS_SDBFLAG_RELATIVEOWNER |
+ DNS_SDBFLAG_RELATIVERDATA,
+ ns_g_mctx, &builtin_impl)
+ == ISC_R_SUCCESS);
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_builtin_deinit(void) {
+ dns_sdb_unregister(&builtin_impl);
+}
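Review bot: do_hostname_lookup() and do_id_lookup() hand `buf` to put_txt(), which calls `strlen()` on it, without making sure the buffer is NUL-terminated. ns_os_gethostname() is defined outside this hunk; if it is a thin wrapper around gethostname(), a host name that fills all 256 bytes may come back unterminated and the strlen() would read past the array. Adding `buf[sizeof(buf) - 1] = '\0';` after the successful call in both functions removes the dependency on the helper's behaviour. It would also help to comment that a set flag with a NULL string (`version_set`, `hostname_set`) makes the lookup succeed with no TXT data, since these zones otherwise report the server's version and host name to whoever queries them.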
diff --git a/contrib/bind9/bin/named/client.c b/contrib/bind9/bin/named/client.c
new file mode 100644
index 0000000..acb9b21
--- /dev/null
+++ b/contrib/bind9/bin/named/client.c
@@ -0,0 +1,2361 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: client.c,v 1.176.2.13.4.22 2004/07/23 02:56:51 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/formatcheck.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/message.h>
+#include <dns/rcode.h>
+#include <dns/resolver.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <named/interfacemgr.h>
+#include <named/log.h>
+#include <named/notify.h>
+#include <named/server.h>
+#include <named/update.h>
+
+/***
+ *** Client
+ ***/
+
+/*
+ * Important note!
+ *
+ * All client state changes, other than that from idle to listening, occur
+ * as a result of events. This guarantees serialization and avoids the
+ * need for locking.
+ *
+ * If a routine is ever created that allows someone other than the client's
+ * task to change the client, then the client will have to be locked.
+ */
+
+#define NS_CLIENT_TRACE
+#ifdef NS_CLIENT_TRACE
+#define CTRACE(m) ns_client_log(client, \
+ NS_LOGCATEGORY_CLIENT, \
+ NS_LOGMODULE_CLIENT, \
+ ISC_LOG_DEBUG(3), \
+ "%s", (m))
+#define MTRACE(m) isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_CLIENT, \
+ ISC_LOG_DEBUG(3), \
+ "clientmgr @%p: %s", manager, (m))
+#else
+#define CTRACE(m) ((void)(m))
+#define MTRACE(m) ((void)(m))
+#endif
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+#define TCP_BUFFER_SIZE (65535 + 2)
+#define SEND_BUFFER_SIZE 4096
+#define RECV_BUFFER_SIZE 4096
+
+struct ns_clientmgr {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_taskmgr_t * taskmgr;
+ isc_timermgr_t * timermgr;
+ isc_mutex_t lock;
+ /* Locked by lock. */
+ isc_boolean_t exiting;
+ client_list_t active; /* Active clients */
+ client_list_t recursing; /* Recursing clients */
+ client_list_t inactive; /* To be recycled */
+};
+
+#define MANAGER_MAGIC ISC_MAGIC('N', 'S', 'C', 'm')
+#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, MANAGER_MAGIC)
+
+/*
+ * Client object states. Ordering is significant: higher-numbered
+ * states are generally "more active", meaning that the client can
+ * have more dynamically allocated data, outstanding events, etc.
+ * In the list below, any such properties listed for state N
+ * also apply to any state > N.
+ *
+ * To force the client into a less active state, set client->newstate
+ * to that state and call exit_check(). This will cause any
+ * activities defined for higher-numbered states to be aborted.
+ */
+
+#define NS_CLIENTSTATE_FREED 0
+/*
+ * The client object no longer exists.
+ */
+
+#define NS_CLIENTSTATE_INACTIVE 1
+/*
+ * The client object exists and has a task and timer.
+ * Its "query" struct and sendbuf are initialized.
+ * It is on the client manager's list of inactive clients.
+ * It has a message and OPT, both in the reset state.
+ */
+
+#define NS_CLIENTSTATE_READY 2
+/*
+ * The client object is either a TCP or a UDP one, and
+ * it is associated with a network interface. It is on the
+ * client manager's list of active clients.
+ *
+ * If it is a TCP client object, it has a TCP listener socket
+ * and an outstanding TCP listen request.
+ *
+ * If it is a UDP client object, it has a UDP listener socket
+ * and an outstanding UDP receive request.
+ */
+
+#define NS_CLIENTSTATE_READING 3
+/*
+ * The client object is a TCP client object that has received
+ * a connection. It has a tcpsocket, tcpmsg, TCP quota, and an
+ * outstanding TCP read request. This state is not used for
+ * UDP client objects.
+ */
+
+#define NS_CLIENTSTATE_WORKING 4
+/*
+ * The client object has received a request and is working
+ * on it. It has a view, and it may have any of a non-reset OPT,
+ * recursion quota, and an outstanding write request.
+ */
+
+#define NS_CLIENTSTATE_MAX 9
+/*
+ * Sentinel value used to indicate "no state". When client->newstate
+ * has this value, we are not attempting to exit the current state.
+ * Must be greater than any valid state.
+ */
+
+
+static void client_read(ns_client_t *client);
+static void client_accept(ns_client_t *client);
+static void client_udprecv(ns_client_t *client);
+static void clientmgr_destroy(ns_clientmgr_t *manager);
+static isc_boolean_t exit_check(ns_client_t *client);
+static void ns_client_endrequest(ns_client_t *client);
+static void ns_client_checkactive(ns_client_t *client);
+static void client_start(isc_task_t *task, isc_event_t *event);
+static void client_request(isc_task_t *task, isc_event_t *event);
+static void ns_client_dumpmessage(ns_client_t *client, const char *reason);
+
+void
+ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest) {
+ ns_client_t *oldest;
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ LOCK(&client->manager->lock);
+ if (killoldest) {
+ oldest = ISC_LIST_HEAD(client->manager->recursing);
+ if (oldest != NULL) {
+ ns_query_cancel(oldest);
+ ISC_LIST_UNLINK(*oldest->list, oldest, link);
+ ISC_LIST_APPEND(client->manager->active, oldest, link);
+ oldest->list = &client->manager->active;
+ }
+ }
+ ISC_LIST_UNLINK(*client->list, client, link);
+ ISC_LIST_APPEND(client->manager->recursing, client, link);
+ client->list = &client->manager->recursing;
+ UNLOCK(&client->manager->lock);
+}
+
+void
+ns_client_settimeout(ns_client_t *client, unsigned int seconds) {
+ isc_result_t result;
+ isc_interval_t interval;
+
+ isc_interval_set(&interval, seconds, 0);
+ result = isc_timer_reset(client->timer, isc_timertype_once, NULL,
+ &interval, ISC_FALSE);
+ client->timerset = ISC_TRUE;
+ if (result != ISC_R_SUCCESS) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+ "setting timeout: %s",
+ isc_result_totext(result));
+ /* Continue anyway. */
+ }
+}
+
+/*
+ * Check for a deactivation or shutdown request and take appropriate
+ * action. Returns ISC_TRUE if either is in progress; in this case
+ * the caller must no longer use the client object as it may have been
+ * freed.
+ */
+static isc_boolean_t
+exit_check(ns_client_t *client) {
+ ns_clientmgr_t *locked_manager = NULL;
+ ns_clientmgr_t *destroy_manager = NULL;
+
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ if (client->state <= client->newstate)
+ return (ISC_FALSE); /* Business as usual. */
+
+ INSIST(client->newstate < NS_CLIENTSTATE_WORKING);
+
+ /*
+ * We need to detach from the view early when shutting down
+ * the server to break the following vicious circle:
+ *
+ * - The resolver will not shut down until the view refcount is zero
+ * - The view refcount does not go to zero until all clients detach
+ * - The client does not detach from the view until references is zero
+ * - references does not go to zero until the resolver has shut down
+ *
+ * Keep the view attached until any outstanding updates complete.
+ */
+ if (client->nupdates == 0 &&
+ client->newstate == NS_CLIENTSTATE_FREED && client->view != NULL)
+ dns_view_detach(&client->view);
+
+ if (client->state == NS_CLIENTSTATE_WORKING) {
+ INSIST(client->newstate <= NS_CLIENTSTATE_READING);
+ /*
+ * Let the update processing complete.
+ */
+ if (client->nupdates > 0)
+ return (ISC_TRUE);
+ /*
+ * We are trying to abort request processing.
+ */
+ if (client->nsends > 0) {
+ isc_socket_t *socket;
+ if (TCP_CLIENT(client))
+ socket = client->tcpsocket;
+ else
+ socket = client->udpsocket;
+ isc_socket_cancel(socket, client->task,
+ ISC_SOCKCANCEL_SEND);
+ }
+
+ if (! (client->nsends == 0 && client->nrecvs == 0 &&
+ client->references == 0))
+ {
+ /*
+ * Still waiting for I/O cancel completion.
+ * or lingering references.
+ */
+ return (ISC_TRUE);
+ }
+ /*
+ * I/O cancel is complete. Burn down all state
+ * related to the current request.
+ */
+ ns_client_endrequest(client);
+
+ client->state = NS_CLIENTSTATE_READING;
+ INSIST(client->recursionquota == NULL);
+ if (NS_CLIENTSTATE_READING == client->newstate) {
+ client_read(client);
+ client->newstate = NS_CLIENTSTATE_MAX;
+ return (ISC_TRUE); /* We're done. */
+ }
+ }
+
+ if (client->state == NS_CLIENTSTATE_READING) {
+ /*
+ * We are trying to abort the current TCP connection,
+ * if any.
+ */
+ INSIST(client->recursionquota == NULL);
+ INSIST(client->newstate <= NS_CLIENTSTATE_READY);
+ if (client->nreads > 0)
+ dns_tcpmsg_cancelread(&client->tcpmsg);
+ if (! client->nreads == 0) {
+ /* Still waiting for read cancel completion. */
+ return (ISC_TRUE);
+ }
+
+ if (client->tcpmsg_valid) {
+ dns_tcpmsg_invalidate(&client->tcpmsg);
+ client->tcpmsg_valid = ISC_FALSE;
+ }
+ if (client->tcpsocket != NULL) {
+ CTRACE("closetcp");
+ isc_socket_detach(&client->tcpsocket);
+ }
+
+ if (client->tcpquota != NULL)
+ isc_quota_detach(&client->tcpquota);
+
+ if (client->timerset) {
+ (void)isc_timer_reset(client->timer,
+ isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE);
+ client->timerset = ISC_FALSE;
+ }
+
+ client->peeraddr_valid = ISC_FALSE;
+
+ client->state = NS_CLIENTSTATE_READY;
+ INSIST(client->recursionquota == NULL);
+
+ /*
+ * Now the client is ready to accept a new TCP connection
+ * or UDP request, but we may have enough clients doing
+ * that already. Check whether this client needs to remain
+ * active and force it to go inactive if not.
+ */
+ ns_client_checkactive(client);
+
+ if (NS_CLIENTSTATE_READY == client->newstate) {
+ if (TCP_CLIENT(client)) {
+ client_accept(client);
+ } else
+ client_udprecv(client);
+ client->newstate = NS_CLIENTSTATE_MAX;
+ return (ISC_TRUE);
+ }
+ }
+
+ if (client->state == NS_CLIENTSTATE_READY) {
+ INSIST(client->newstate <= NS_CLIENTSTATE_INACTIVE);
+ /*
+ * We are trying to enter the inactive state.
+ */
+ if (client->naccepts > 0)
+ isc_socket_cancel(client->tcplistener, client->task,
+ ISC_SOCKCANCEL_ACCEPT);
+
+ if (! (client->naccepts == 0)) {
+ /* Still waiting for accept cancel completion. */
+ return (ISC_TRUE);
+ }
+ /* Accept cancel is complete. */
+
+ if (client->nrecvs > 0)
+ isc_socket_cancel(client->udpsocket, client->task,
+ ISC_SOCKCANCEL_RECV);
+ if (! (client->nrecvs == 0)) {
+ /* Still waiting for recv cancel completion. */
+ return (ISC_TRUE);
+ }
+ /* Recv cancel is complete. */
+
+ if (client->nctls > 0) {
+ /* Still waiting for control event to be delivered */
+ return (ISC_TRUE);
+ }
+
+ /* Deactivate the client. */
+ if (client->interface)
+ ns_interface_detach(&client->interface);
+
+ INSIST(client->naccepts == 0);
+ INSIST(client->recursionquota == NULL);
+ if (client->tcplistener != NULL)
+ isc_socket_detach(&client->tcplistener);
+
+ if (client->udpsocket != NULL)
+ isc_socket_detach(&client->udpsocket);
+
+ if (client->dispatch != NULL)
+ dns_dispatch_detach(&client->dispatch);
+
+ client->attributes = 0;
+ client->mortal = ISC_FALSE;
+
+ LOCK(&client->manager->lock);
+ /*
+ * Put the client on the inactive list. If we are aiming for
+ * the "freed" state, it will be removed from the inactive
+ * list shortly, and we need to keep the manager locked until
+ * that has been done, lest the manager decide to reactivate
+ * the dying client inbetween.
+ */
+ locked_manager = client->manager;
+ ISC_LIST_UNLINK(*client->list, client, link);
+ ISC_LIST_APPEND(client->manager->inactive, client, link);
+ client->list = &client->manager->inactive;
+ client->state = NS_CLIENTSTATE_INACTIVE;
+ INSIST(client->recursionquota == NULL);
+
+ if (client->state == client->newstate) {
+ client->newstate = NS_CLIENTSTATE_MAX;
+ goto unlock;
+ }
+ }
+
+ if (client->state == NS_CLIENTSTATE_INACTIVE) {
+ INSIST(client->newstate == NS_CLIENTSTATE_FREED);
+ /*
+ * We are trying to free the client.
+ *
+ * When "shuttingdown" is true, either the task has received
+ * its shutdown event or no shutdown event has ever been
+ * set up. Thus, we have no outstanding shutdown
+ * event at this point.
+ */
+ REQUIRE(client->state == NS_CLIENTSTATE_INACTIVE);
+
+ INSIST(client->recursionquota == NULL);
+
+ ns_query_free(client);
+ isc_mem_put(client->mctx, client->recvbuf, RECV_BUFFER_SIZE);
+ isc_event_free((isc_event_t **)&client->sendevent);
+ isc_event_free((isc_event_t **)&client->recvevent);
+ isc_timer_detach(&client->timer);
+
+ if (client->tcpbuf != NULL)
+ isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
+ if (client->opt != NULL) {
+ INSIST(dns_rdataset_isassociated(client->opt));
+ dns_rdataset_disassociate(client->opt);
+ dns_message_puttemprdataset(client->message, &client->opt);
+ }
+ dns_message_destroy(&client->message);
+ if (client->manager != NULL) {
+ ns_clientmgr_t *manager = client->manager;
+ if (locked_manager == NULL) {
+ LOCK(&manager->lock);
+ locked_manager = manager;
+ }
+ ISC_LIST_UNLINK(*client->list, client, link);
+ client->list = NULL;
+ if (manager->exiting &&
+ ISC_LIST_EMPTY(manager->active) &&
+ ISC_LIST_EMPTY(manager->inactive) &&
+ ISC_LIST_EMPTY(manager->recursing))
+ destroy_manager = manager;
+ }
+ /*
+ * Detaching the task must be done after unlinking from
+ * the manager's lists because the manager accesses
+ * client->task.
+ */
+ if (client->task != NULL)
+ isc_task_detach(&client->task);
+
+ CTRACE("free");
+ client->magic = 0;
+ isc_mem_put(client->mctx, client, sizeof(*client));
+
+ goto unlock;
+ }
+
+ unlock:
+ if (locked_manager != NULL) {
+ UNLOCK(&locked_manager->lock);
+ locked_manager = NULL;
+ }
+
+ /*
+ * Only now is it safe to destroy the client manager (if needed),
+ * because we have accessed its lock for the last time.
+ */
+ if (destroy_manager != NULL)
+ clientmgr_destroy(destroy_manager);
+
+ return (ISC_TRUE);
+}
+
+/*
+ * The client's task has received the client's control event
+ * as part of the startup process.
+ */
+static void
+client_start(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client = (ns_client_t *) event->ev_arg;
+
+ INSIST(task == client->task);
+
+ UNUSED(task);
+
+ INSIST(client->nctls == 1);
+ client->nctls--;
+
+ if (exit_check(client))
+ return;
+
+ if (TCP_CLIENT(client)) {
+ client_accept(client);
+ } else {
+ client_udprecv(client);
+ }
+}
+
+
+/*
+ * The client's task has received a shutdown event.
+ */
+static void
+client_shutdown(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client;
+
+ REQUIRE(event != NULL);
+ REQUIRE(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+ client = event->ev_arg;
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(task == client->task);
+
+ UNUSED(task);
+
+ CTRACE("shutdown");
+
+ isc_event_free(&event);
+
+ if (client->shutdown != NULL) {
+ (client->shutdown)(client->shutdown_arg, ISC_R_SHUTTINGDOWN);
+ client->shutdown = NULL;
+ client->shutdown_arg = NULL;
+ }
+
+ client->newstate = NS_CLIENTSTATE_FREED;
+ (void)exit_check(client);
+}
+
+static void
+ns_client_endrequest(ns_client_t *client) {
+ INSIST(client->naccepts == 0);
+ INSIST(client->nreads == 0);
+ INSIST(client->nsends == 0);
+ INSIST(client->nrecvs == 0);
+ INSIST(client->nupdates == 0);
+ INSIST(client->state == NS_CLIENTSTATE_WORKING);
+
+ CTRACE("endrequest");
+
+ if (client->next != NULL) {
+ (client->next)(client);
+ client->next = NULL;
+ }
+
+ if (client->view != NULL)
+ dns_view_detach(&client->view);
+ if (client->opt != NULL) {
+ INSIST(dns_rdataset_isassociated(client->opt));
+ dns_rdataset_disassociate(client->opt);
+ dns_message_puttemprdataset(client->message, &client->opt);
+ }
+
+ client->udpsize = 512;
+ client->extflags = 0;
+ dns_message_reset(client->message, DNS_MESSAGE_INTENTPARSE);
+
+ if (client->recursionquota != NULL)
+ isc_quota_detach(&client->recursionquota);
+
+ /*
+ * Clear all client attributes that are specific to
+ * the request; that's all except the TCP flag.
+ */
+ client->attributes &= NS_CLIENTATTR_TCP;
+}
+
+static void
+ns_client_checkactive(ns_client_t *client) {
+ if (client->mortal) {
+ /*
+ * This client object should normally go inactive
+ * at this point, but if we have fewer active client
+ * objects than desired due to earlier quota exhaustion,
+ * keep it active to make up for the shortage.
+ */
+ isc_boolean_t need_another_client = ISC_FALSE;
+ if (TCP_CLIENT(client)) {
+ LOCK(&client->interface->lock);
+ if (client->interface->ntcpcurrent <
+ client->interface->ntcptarget)
+ need_another_client = ISC_TRUE;
+ UNLOCK(&client->interface->lock);
+ } else {
+ /*
+ * The UDP client quota is enforced by making
+ * requests fail rather than by not listening
+ * for new ones. Therefore, there is always a
+ * full set of UDP clients listening.
+ */
+ }
+ if (! need_another_client) {
+ /*
+ * We don't need this client object. Recycle it.
+ */
+ if (client->newstate >= NS_CLIENTSTATE_INACTIVE)
+ client->newstate = NS_CLIENTSTATE_INACTIVE;
+ }
+ }
+}
+
+void
+ns_client_next(ns_client_t *client, isc_result_t result) {
+ int newstate;
+
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(client->state == NS_CLIENTSTATE_WORKING ||
+ client->state == NS_CLIENTSTATE_READING);
+
+ CTRACE("next");
+
+ if (result != ISC_R_SUCCESS)
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request failed: %s", isc_result_totext(result));
+
+ /*
+ * An error processing a TCP request may have left
+ * the connection out of sync. To be safe, we always
+ * sever the connection when result != ISC_R_SUCCESS.
+ */
+ if (result == ISC_R_SUCCESS && TCP_CLIENT(client))
+ newstate = NS_CLIENTSTATE_READING;
+ else
+ newstate = NS_CLIENTSTATE_READY;
+
+ if (client->newstate > newstate)
+ client->newstate = newstate;
+ (void)exit_check(client);
+}
+
+
+static void
+client_senddone(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client;
+ isc_socketevent_t *sevent = (isc_socketevent_t *) event;
+
+ REQUIRE(sevent != NULL);
+ REQUIRE(sevent->ev_type == ISC_SOCKEVENT_SENDDONE);
+ client = sevent->ev_arg;
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(task == client->task);
+ REQUIRE(sevent == client->sendevent);
+
+ UNUSED(task);
+
+ CTRACE("senddone");
+
+ if (sevent->result != ISC_R_SUCCESS)
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "error sending response: %s",
+ isc_result_totext(sevent->result));
+
+ INSIST(client->nsends > 0);
+ client->nsends--;
+
+ if (client->tcpbuf != NULL) {
+ INSIST(TCP_CLIENT(client));
+ isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
+ client->tcpbuf = NULL;
+ }
+
+ if (exit_check(client))
+ return;
+
+ ns_client_next(client, ISC_R_SUCCESS);
+}
+
+/*
+ * We only want to fail with ISC_R_NOSPACE when called from
+ * ns_client_sendraw() and not when called from ns_client_send(),
+ * tcpbuffer is NULL when called from ns_client_sendraw() and
+ * length != 0. tcpbuffer != NULL when called from ns_client_send()
+ * and length == 0.
+ */
+
+static isc_result_t
+client_allocsendbuf(ns_client_t *client, isc_buffer_t *buffer,
+ isc_buffer_t *tcpbuffer, isc_uint32_t length,
+ unsigned char *sendbuf, unsigned char **datap)
+{
+ unsigned char *data;
+ isc_uint32_t bufsize;
+ isc_result_t result;
+
+ INSIST(datap != NULL);
+ INSIST((tcpbuffer == NULL && length != 0) ||
+ (tcpbuffer != NULL && length == 0));
+
+ if (TCP_CLIENT(client)) {
+ INSIST(client->tcpbuf == NULL);
+ if (length + 2 > TCP_BUFFER_SIZE) {
+ result = ISC_R_NOSPACE;
+ goto done;
+ }
+ client->tcpbuf = isc_mem_get(client->mctx, TCP_BUFFER_SIZE);
+ if (client->tcpbuf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto done;
+ }
+ data = client->tcpbuf;
+ if (tcpbuffer != NULL) {
+ isc_buffer_init(tcpbuffer, data, TCP_BUFFER_SIZE);
+ isc_buffer_init(buffer, data + 2, TCP_BUFFER_SIZE - 2);
+ } else {
+ isc_buffer_init(buffer, data, TCP_BUFFER_SIZE);
+ INSIST(length <= 0xffff);
+ isc_buffer_putuint16(buffer, (isc_uint16_t)length);
+ }
+ } else {
+ data = sendbuf;
+ if (client->udpsize < SEND_BUFFER_SIZE)
+ bufsize = client->udpsize;
+ else
+ bufsize = SEND_BUFFER_SIZE;
+ if (length > bufsize) {
+ result = ISC_R_NOSPACE;
+ goto done;
+ }
+ isc_buffer_init(buffer, data, bufsize);
+ }
+ *datap = data;
+ result = ISC_R_SUCCESS;
+
+ done:
+ return (result);
+}
+
+static isc_result_t
+client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
+ struct in6_pktinfo *pktinfo;
+ isc_result_t result;
+ isc_region_t r;
+ isc_sockaddr_t *address;
+ isc_socket_t *socket;
+ isc_netaddr_t netaddr;
+ int match;
+ unsigned int sockflags = ISC_SOCKFLAG_IMMEDIATE;
+
+ if (TCP_CLIENT(client)) {
+ socket = client->tcpsocket;
+ address = NULL;
+ } else {
+ socket = client->udpsocket;
+ address = &client->peeraddr;
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ if (ns_g_server->blackholeacl != NULL &&
+ dns_acl_match(&netaddr, NULL,
+ ns_g_server->blackholeacl,
+ &ns_g_server->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ return (DNS_R_BLACKHOLED);
+ sockflags |= ISC_SOCKFLAG_NORETRY;
+ }
+
+ if ((client->attributes & NS_CLIENTATTR_PKTINFO) != 0 &&
+ (client->attributes & NS_CLIENTATTR_MULTICAST) == 0)
+ pktinfo = &client->pktinfo;
+ else
+ pktinfo = NULL;
+
+ isc_buffer_usedregion(buffer, &r);
+
+ CTRACE("sendto");
+
+ result = isc_socket_sendto2(socket, &r, client->task,
+ address, pktinfo,
+ client->sendevent, sockflags);
+ if (result == ISC_R_SUCCESS || result == ISC_R_INPROGRESS) {
+ client->nsends++;
+ if (result == ISC_R_SUCCESS)
+ client_senddone(client->task,
+ (isc_event_t *)client->sendevent);
+ result = ISC_R_SUCCESS;
+ }
+ return (result);
+}
+
+void
+ns_client_sendraw(ns_client_t *client, dns_message_t *message) {
+ isc_result_t result;
+ unsigned char *data;
+ isc_buffer_t buffer;
+ isc_region_t r;
+ isc_region_t *mr;
+ unsigned char sendbuf[SEND_BUFFER_SIZE];
+
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ CTRACE("sendraw");
+
+ mr = dns_message_getrawmessage(message);
+ if (mr == NULL) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto done;
+ }
+
+ result = client_allocsendbuf(client, &buffer, NULL, mr->length,
+ sendbuf, &data);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ /*
+ * Copy message to buffer and fixup id.
+ */
+ isc_buffer_availableregion(&buffer, &r);
+ result = isc_buffer_copyregion(&buffer, mr);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ r.base[0] = (client->message->id >> 8) & 0xff;
+ r.base[1] = client->message->id & 0xff;
+
+ result = client_sendpkg(client, &buffer);
+ if (result == ISC_R_SUCCESS)
+ return;
+
+ done:
+ if (client->tcpbuf != NULL) {
+ isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
+ client->tcpbuf = NULL;
+ }
+ ns_client_next(client, result);
+}
+
+void
+ns_client_send(ns_client_t *client) {
+ isc_result_t result;
+ unsigned char *data;
+ isc_buffer_t buffer;
+ isc_buffer_t tcpbuffer;
+ isc_region_t r;
+ dns_compress_t cctx;
+ isc_boolean_t cleanup_cctx = ISC_FALSE;
+ unsigned char sendbuf[SEND_BUFFER_SIZE];
+ unsigned int dnssec_opts;
+ unsigned int preferred_glue;
+
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ CTRACE("send");
+
+ if ((client->attributes & NS_CLIENTATTR_RA) != 0)
+ client->message->flags |= DNS_MESSAGEFLAG_RA;
+
+ if ((client->attributes & NS_CLIENTATTR_WANTDNSSEC) != 0)
+ dnssec_opts = 0;
+ else
+ dnssec_opts = DNS_MESSAGERENDER_OMITDNSSEC;
+
+ preferred_glue = 0;
+ if (client->view != NULL) {
+ if (client->view->preferred_glue == dns_rdatatype_a)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_A;
+ else if (client->view->preferred_glue == dns_rdatatype_aaaa)
+ preferred_glue = DNS_MESSAGERENDER_PREFER_AAAA;
+ }
+
+ /*
+ * XXXRTH The following doesn't deal with TCP buffer resizing.
+ */
+ result = client_allocsendbuf(client, &buffer, &tcpbuffer, 0,
+ sendbuf, &data);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ result = dns_compress_init(&cctx, -1, client->mctx);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ cleanup_cctx = ISC_TRUE;
+
+ result = dns_message_renderbegin(client->message, &cctx, &buffer);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ if (client->opt != NULL) {
+ result = dns_message_setopt(client->message, client->opt);
+ /*
+ * XXXRTH dns_message_setopt() should probably do this...
+ */
+ client->opt = NULL;
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+ result = dns_message_rendersection(client->message,
+ DNS_SECTION_QUESTION, 0);
+ if (result == ISC_R_NOSPACE) {
+ client->message->flags |= DNS_MESSAGEFLAG_TC;
+ goto renderend;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ result = dns_message_rendersection(client->message,
+ DNS_SECTION_ANSWER,
+ DNS_MESSAGERENDER_PARTIAL |
+ dnssec_opts);
+ if (result == ISC_R_NOSPACE) {
+ client->message->flags |= DNS_MESSAGEFLAG_TC;
+ goto renderend;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ result = dns_message_rendersection(client->message,
+ DNS_SECTION_AUTHORITY,
+ DNS_MESSAGERENDER_PARTIAL |
+ dnssec_opts);
+ if (result == ISC_R_NOSPACE) {
+ client->message->flags |= DNS_MESSAGEFLAG_TC;
+ goto renderend;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ result = dns_message_rendersection(client->message,
+ DNS_SECTION_ADDITIONAL,
+ preferred_glue | dnssec_opts);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
+ goto done;
+ renderend:
+ result = dns_message_renderend(client->message);
+
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ if (cleanup_cctx) {
+ dns_compress_invalidate(&cctx);
+ cleanup_cctx = ISC_FALSE;
+ }
+
+ if (TCP_CLIENT(client)) {
+ isc_buffer_usedregion(&buffer, &r);
+ isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t) r.length);
+ isc_buffer_add(&tcpbuffer, r.length);
+ result = client_sendpkg(client, &tcpbuffer);
+ } else
+ result = client_sendpkg(client, &buffer);
+ if (result == ISC_R_SUCCESS)
+ return;
+
+ done:
+ if (client->tcpbuf != NULL) {
+ isc_mem_put(client->mctx, client->tcpbuf, TCP_BUFFER_SIZE);
+ client->tcpbuf = NULL;
+ }
+
+ if (cleanup_cctx)
+ dns_compress_invalidate(&cctx);
+
+ ns_client_next(client, result);
+}
+
+void
+ns_client_error(ns_client_t *client, isc_result_t result) {
+ dns_rcode_t rcode;
+ dns_message_t *message;
+
+ REQUIRE(NS_CLIENT_VALID(client));
+
+ CTRACE("error");
+
+ message = client->message;
+ rcode = dns_result_torcode(result);
+
+ /*
+ * Message may be an in-progress reply that we had trouble
+ * with, in which case QR will be set. We need to clear QR before
+ * calling dns_message_reply() to avoid triggering an assertion.
+ */
+ message->flags &= ~DNS_MESSAGEFLAG_QR;
+ /*
+ * AA and AD shouldn't be set.
+ */
+ message->flags &= ~(DNS_MESSAGEFLAG_AA | DNS_MESSAGEFLAG_AD);
+ result = dns_message_reply(message, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * It could be that we've got a query with a good header,
+ * but a bad question section, so we try again with
+ * want_question_section set to ISC_FALSE.
+ */
+ result = dns_message_reply(message, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ ns_client_next(client, result);
+ return;
+ }
+ }
+ message->rcode = rcode;
+
+ /*
+ * FORMERR loop avoidance: If we sent a FORMERR message
+ * with the same ID to the same client less than two
+ * seconds ago, assume that we are in an infinite error
+ * packet dialog with a server for some protocol whose
+ * error responses look enough like DNS queries to
+ * elicit a FORMERR response. Drop a packet to break
+ * the loop.
+ */
+ if (rcode == dns_rcode_formerr) {
+ if (isc_sockaddr_equal(&client->peeraddr,
+ &client->formerrcache.addr) &&
+ message->id == client->formerrcache.id &&
+ client->requesttime - client->formerrcache.time < 2) {
+ /* Drop packet. */
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+ "possible error packet loop, "
+ "FORMERR dropped");
+ ns_client_next(client, result);
+ return;
+ }
+ client->formerrcache.addr = client->peeraddr;
+ client->formerrcache.time = client->requesttime;
+ client->formerrcache.id = message->id;
+ }
+ ns_client_send(client);
+}
+
+static inline isc_result_t
+client_addopt(ns_client_t *client) {
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ isc_result_t result;
+ dns_view_t *view;
+ dns_resolver_t *resolver;
+ isc_uint16_t udpsize;
+
+ REQUIRE(client->opt == NULL); /* XXXRTH free old. */
+
+ rdatalist = NULL;
+ result = dns_message_gettemprdatalist(client->message, &rdatalist);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdata = NULL;
+ result = dns_message_gettemprdata(client->message, &rdata);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdataset = NULL;
+ result = dns_message_gettemprdataset(client->message, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_init(rdataset);
+
+ rdatalist->type = dns_rdatatype_opt;
+ rdatalist->covers = 0;
+
+ /*
+ * Set the maximum UDP buffer size.
+ */
+ view = client->view;
+ resolver = (view != NULL) ? view->resolver : NULL;
+ if (resolver != NULL)
+ udpsize = dns_resolver_getudpsize(resolver);
+ else
+ udpsize = ns_g_udpsize;
+ rdatalist->rdclass = udpsize;
+
+ /*
+ * Set EXTENDED-RCODE, VERSION and Z to 0.
+ */
+ rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
+
+ /*
+ * No ENDS options in the default case.
+ */
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->rdclass = rdatalist->rdclass;
+ rdata->type = rdatalist->type;
+ rdata->flags = 0;
+
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+ == ISC_R_SUCCESS);
+
+ client->opt = rdataset;
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
+ int match;
+ isc_result_t result;
+
+ if (acl == NULL)
+ return (ISC_TRUE);
+ result = dns_acl_match(addr, signer, acl, &ns_g_server->aclenv,
+ &match, NULL);
+ if (result == ISC_R_SUCCESS && match > 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+/*
+ * Handle an incoming request event from the socket (UDP case)
+ * or tcpmsg (TCP case).
+ */
+static void
+client_request(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client;
+ isc_socketevent_t *sevent;
+ isc_result_t result;
+ isc_result_t sigresult = ISC_R_SUCCESS;
+ isc_buffer_t *buffer;
+ isc_buffer_t tbuffer;
+ dns_view_t *view;
+ dns_rdataset_t *opt;
+ isc_boolean_t ra; /* Recursion available. */
+ isc_netaddr_t netaddr;
+ isc_netaddr_t destaddr;
+ int match;
+ dns_messageid_t id;
+ unsigned int flags;
+ isc_boolean_t notimp;
+
+ REQUIRE(event != NULL);
+ client = event->ev_arg;
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(task == client->task);
+
+ INSIST(client->recursionquota == NULL);
+
+ INSIST(client->state ==
+ TCP_CLIENT(client) ?
+ NS_CLIENTSTATE_READING :
+ NS_CLIENTSTATE_READY);
+
+ if (event->ev_type == ISC_SOCKEVENT_RECVDONE) {
+ INSIST(!TCP_CLIENT(client));
+ sevent = (isc_socketevent_t *)event;
+ REQUIRE(sevent == client->recvevent);
+ isc_buffer_init(&tbuffer, sevent->region.base, sevent->n);
+ isc_buffer_add(&tbuffer, sevent->n);
+ buffer = &tbuffer;
+ result = sevent->result;
+ if (result == ISC_R_SUCCESS) {
+ client->peeraddr = sevent->address;
+ client->peeraddr_valid = ISC_TRUE;
+ }
+ if ((sevent->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
+ client->attributes |= NS_CLIENTATTR_PKTINFO;
+ client->pktinfo = sevent->pktinfo;
+ }
+ if ((sevent->attributes & ISC_SOCKEVENTATTR_MULTICAST) != 0)
+ client->attributes |= NS_CLIENTATTR_MULTICAST;
+ client->nrecvs--;
+ } else {
+ INSIST(TCP_CLIENT(client));
+ REQUIRE(event->ev_type == DNS_EVENT_TCPMSG);
+ REQUIRE(event->ev_sender == &client->tcpmsg);
+ buffer = &client->tcpmsg.buffer;
+ result = client->tcpmsg.result;
+ INSIST(client->nreads == 1);
+ /*
+ * client->peeraddr was set when the connection was accepted.
+ */
+ client->nreads--;
+ }
+
+ if (exit_check(client))
+ goto cleanup;
+ client->state = client->newstate = NS_CLIENTSTATE_WORKING;
+
+ isc_task_getcurrenttime(task, &client->requesttime);
+ client->now = client->requesttime;
+
+ if (result != ISC_R_SUCCESS) {
+ if (TCP_CLIENT(client)) {
+ ns_client_next(client, result);
+ } else {
+ if (result != ISC_R_CANCELED)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT,
+ ISC_LOG_ERROR,
+ "UDP client handler shutting "
+ "down due to fatal receive "
+ "error: %s",
+ isc_result_totext(result));
+ isc_task_shutdown(client->task);
+ }
+ goto cleanup;
+ }
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "%s request",
+ TCP_CLIENT(client) ? "TCP" : "UDP");
+
+ /*
+ * Check the blackhole ACL for UDP only, since TCP is done in
+ * client_newconn.
+ */
+ if (!TCP_CLIENT(client)) {
+
+ if (ns_g_server->blackholeacl != NULL &&
+ dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl,
+ &ns_g_server->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+ "blackholed UDP datagram");
+ ns_client_next(client, ISC_R_SUCCESS);
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Silently drop multicast requests for the present.
+ * XXXMPA look at when/if mDNS spec stabilizes.
+ */
+ if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(2),
+ "dropping multicast request");
+ ns_client_next(client, DNS_R_REFUSED);
+ }
+
+ result = dns_message_peekheader(buffer, &id, &flags);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * There isn't enough header to determine whether
+ * this was a request or a response. Drop it.
+ */
+ ns_client_next(client, result);
+ goto cleanup;
+ }
+
+ /*
+ * The client object handles requests, not responses.
+ * If this is a UDP response, forward it to the dispatcher.
+ * If it's a TCP response, discard it here.
+ */
+ if ((flags & DNS_MESSAGEFLAG_QR) != 0) {
+ if (TCP_CLIENT(client)) {
+ CTRACE("unexpected response");
+ ns_client_next(client, DNS_R_FORMERR);
+ goto cleanup;
+ } else {
+ dns_dispatch_importrecv(client->dispatch, event);
+ ns_client_next(client, ISC_R_SUCCESS);
+ goto cleanup;
+ }
+ }
+
+ /*
+ * It's a request. Parse it.
+ */
+ result = dns_message_parse(client->message, buffer, 0);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Parsing the request failed. Send a response
+ * (typically FORMERR or SERVFAIL).
+ */
+ ns_client_error(client, result);
+ goto cleanup;
+ }
+
+ switch (client->message->opcode) {
+ case dns_opcode_query:
+ case dns_opcode_update:
+ case dns_opcode_notify:
+ notimp = ISC_FALSE;
+ break;
+ case dns_opcode_iquery:
+ default:
+ notimp = ISC_TRUE;
+ break;
+ }
+
+ client->message->rcode = dns_rcode_noerror;
+
+ /* RFC1123 section 6.1.3.2 */
+ if ((client->attributes & NS_CLIENTATTR_MULTICAST) != 0)
+ client->message->flags &= ~DNS_MESSAGEFLAG_RD;
+
+ /*
+ * Deal with EDNS.
+ */
+ opt = dns_message_getopt(client->message);
+ if (opt != NULL) {
+ unsigned int version;
+
+ /*
+ * Set the client's UDP buffer size.
+ */
+ client->udpsize = opt->rdclass;
+
+ /*
+ * If the requested UDP buffer size is less than 512,
+ * ignore it and use 512.
+ */
+ if (client->udpsize < 512)
+ client->udpsize = 512;
+
+ /*
+ * Get the flags out of the OPT record.
+ */
+ client->extflags = (isc_uint16_t)(opt->ttl & 0xFFFF);
+
+ /*
+ * Create an OPT for our reply.
+ */
+ result = client_addopt(client);
+ if (result != ISC_R_SUCCESS) {
+ ns_client_error(client, result);
+ goto cleanup;
+ }
+
+ /*
+ * Do we understand this version of ENDS?
+ *
+ * XXXRTH need library support for this!
+ */
+ version = (opt->ttl & 0x00FF0000) >> 16;
+ if (version != 0) {
+ ns_client_error(client, DNS_R_BADVERS);
+ goto cleanup;
+ }
+ }
+
+ if (client->message->rdclass == 0) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+ "message class could not be determined");
+ ns_client_dumpmessage(client,
+ "message class could not be determined");
+ ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_FORMERR);
+ goto cleanup;
+ }
+
+ /*
+ * Determine the destination address. If the receiving interface is
+ * bound to a specific address, we simply use it regardless of the
+ * address family. All IPv4 queries should fall into this case.
+ * Otherwise, if this is a TCP query, get the address from the
+ * receiving socket (this needs a system call and can be heavy).
+ * For IPv6 UDP queries, we get this from the pktinfo structure (if
+ * supported).
+ * If all the attempts fail (this can happen due to memory shortage,
+ * etc), we regard this as an error for safety.
+ */
+ if ((client->interface->flags & NS_INTERFACEFLAG_ANYADDR) == 0)
+ isc_netaddr_fromsockaddr(&destaddr, &client->interface->addr);
+ else {
+ result = ISC_R_FAILURE;
+
+ if (TCP_CLIENT(client)) {
+ isc_sockaddr_t destsockaddr;
+
+ result = isc_socket_getsockname(client->tcpsocket,
+ &destsockaddr);
+ if (result == ISC_R_SUCCESS)
+ isc_netaddr_fromsockaddr(&destaddr,
+ &destsockaddr);
+ }
+ if (result != ISC_R_SUCCESS &&
+ client->interface->addr.type.sa.sa_family == AF_INET6 &&
+ (client->attributes & NS_CLIENTATTR_PKTINFO) != 0) {
+ isc_uint32_t zone = 0;
+
+ /*
+ * XXXJT technically, we should convert the receiving
+ * interface ID to a proper scope zone ID. However,
+ * due to the fact there is no standard API for this,
+ * we only handle link-local addresses and use the
+ * interface index as link ID. Despite the assumption,
+ * it should cover most typical cases.
+ */
+ if (IN6_IS_ADDR_LINKLOCAL(&client->pktinfo.ipi6_addr))
+ zone = (isc_uint32_t)client->pktinfo.ipi6_ifindex;
+
+ isc_netaddr_fromin6(&destaddr,
+ &client->pktinfo.ipi6_addr);
+ isc_netaddr_setzone(&destaddr, zone);
+ result = ISC_R_SUCCESS;
+ }
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "failed to get request's "
+ "destination: %s",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Find a view that matches the client's source address.
+ */
+ for (view = ISC_LIST_HEAD(ns_g_server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (client->message->rdclass == view->rdclass ||
+ client->message->rdclass == dns_rdataclass_any)
+ {
+ dns_name_t *tsig = NULL;
+ sigresult = dns_message_rechecksig(client->message,
+ view);
+ if (sigresult == ISC_R_SUCCESS)
+ tsig = client->message->tsigname;
+
+ if (allowed(&netaddr, tsig, view->matchclients) &&
+ allowed(&destaddr, tsig, view->matchdestinations) &&
+ !((client->message->flags & DNS_MESSAGEFLAG_RD)
+ == 0 && view->matchrecursiveonly))
+ {
+ dns_view_attach(view, &client->view);
+ break;
+ }
+ }
+ }
+
+ if (view == NULL) {
+ char classname[DNS_RDATACLASS_FORMATSIZE];
+
+ /*
+ * Do a dummy TSIG verification attempt so that the
+ * response will have a TSIG if the query did, as
+ * required by RFC2845.
+ */
+ isc_buffer_t b;
+ isc_region_t *r;
+
+ dns_message_resetsig(client->message);
+
+ r = dns_message_getrawmessage(client->message);
+ isc_buffer_init(&b, r->base, r->length);
+ isc_buffer_add(&b, r->length);
+ (void)dns_tsig_verify(&b, client->message, NULL, NULL);
+
+ dns_rdataclass_format(client->message->rdclass, classname,
+ sizeof(classname));
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+ "no matching view in class '%s'", classname);
+ ns_client_dumpmessage(client, "no matching view in class");
+ ns_client_error(client, notimp ? DNS_R_NOTIMP : DNS_R_REFUSED);
+ goto cleanup;
+ }
+
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(5),
+ "using view '%s'", view->name);
+
+ /*
+ * Check for a signature. We log bad signatures regardless of
+ * whether they ultimately cause the request to be rejected or
+ * not. We do not log the lack of a signature unless we are
+ * debugging.
+ */
+ client->signer = NULL;
+ dns_name_init(&client->signername, NULL);
+ result = dns_message_signer(client->message, &client->signername);
+ if (result == ISC_R_SUCCESS) {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has valid signature");
+ client->signer = &client->signername;
+ } else if (result == ISC_R_NOTFOUND) {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request is not signed");
+ } else if (result == DNS_R_NOIDENTITY) {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request is signed by a nonauthoritative key");
+ } else {
+ char tsigrcode[64];
+ isc_buffer_t b;
+ dns_name_t *name = NULL;
+
+ isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
+ RUNTIME_CHECK(dns_tsigrcode_totext(client->message->tsigstatus,
+ &b) == ISC_R_SUCCESS);
+ tsigrcode[isc_buffer_usedlength(&b)] = '\0';
+ /* There is a signature, but it is bad. */
+ if (dns_message_gettsig(client->message, &name) != NULL) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+ "request has invalid signature: "
+ "TSIG %s: %s (%s)", namebuf,
+ isc_result_totext(result), tsigrcode);
+ } else {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
+ "request has invalid signature: %s (%s)",
+ isc_result_totext(result), tsigrcode);
+ }
+ /*
+ * Accept update messages signed by unknown keys so that
+ * update forwarding works transparently through slaves
+ * that don't have all the same keys as the master.
+ */
+ if (!(client->message->tsigstatus == dns_tsigerror_badkey &&
+ client->message->opcode == dns_opcode_update)) {
+ ns_client_error(client, sigresult);
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Decide whether recursive service is available to this client.
+ * We do this here rather than in the query code so that we can
+ * set the RA bit correctly on all kinds of responses, not just
+ * responses to ordinary queries.
+ */
+ ra = ISC_FALSE;
+ if (client->view->resolver != NULL &&
+ client->view->recursion == ISC_TRUE &&
+ ns_client_checkaclsilent(client, client->view->recursionacl,
+ ISC_TRUE) == ISC_R_SUCCESS)
+ ra = ISC_TRUE;
+
+ if (ra == ISC_TRUE)
+ client->attributes |= NS_CLIENTATTR_RA;
+
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
+ ISC_LOG_DEBUG(3), ra ? "recursion available" :
+ "recursion not available");
+
+ /*
+ * Dispatch the request.
+ */
+ switch (client->message->opcode) {
+ case dns_opcode_query:
+ CTRACE("query");
+ ns_query_start(client);
+ break;
+ case dns_opcode_update:
+ CTRACE("update");
+ ns_client_settimeout(client, 60);
+ ns_update_start(client, sigresult);
+ break;
+ case dns_opcode_notify:
+ CTRACE("notify");
+ ns_client_settimeout(client, 60);
+ ns_notify_start(client);
+ break;
+ case dns_opcode_iquery:
+ CTRACE("iquery");
+ ns_client_error(client, DNS_R_NOTIMP);
+ break;
+ default:
+ CTRACE("unknown opcode");
+ ns_client_error(client, DNS_R_NOTIMP);
+ }
+
+ cleanup:
+ return;
+}
+
+static void
+client_timeout(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client;
+
+ REQUIRE(event != NULL);
+ REQUIRE(event->ev_type == ISC_TIMEREVENT_LIFE ||
+ event->ev_type == ISC_TIMEREVENT_IDLE);
+ client = event->ev_arg;
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(task == client->task);
+ REQUIRE(client->timer != NULL);
+
+ UNUSED(task);
+
+ CTRACE("timeout");
+
+ isc_event_free(&event);
+
+ if (client->shutdown != NULL) {
+ (client->shutdown)(client->shutdown_arg, ISC_R_TIMEDOUT);
+ client->shutdown = NULL;
+ client->shutdown_arg = NULL;
+ }
+
+ if (client->newstate > NS_CLIENTSTATE_READY)
+ client->newstate = NS_CLIENTSTATE_READY;
+ (void)exit_check(client);
+}
+
+static isc_result_t
+client_create(ns_clientmgr_t *manager, ns_client_t **clientp)
+{
+ ns_client_t *client;
+ isc_result_t result;
+
+ /*
+ * Caller must be holding the manager lock.
+ *
+ * Note: creating a client does not add the client to the
+ * manager's client list or set the client's manager pointer.
+ * The caller is responsible for that.
+ */
+
+ REQUIRE(clientp != NULL && *clientp == NULL);
+
+ client = isc_mem_get(manager->mctx, sizeof(*client));
+ if (client == NULL)
+ return (ISC_R_NOMEMORY);
+
+ client->task = NULL;
+ result = isc_task_create(manager->taskmgr, 0, &client->task);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_client;
+ isc_task_setname(client->task, "client", client);
+
+ client->timer = NULL;
+ result = isc_timer_create(manager->timermgr, isc_timertype_inactive,
+ NULL, NULL, client->task, client_timeout,
+ client, &client->timer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_task;
+ client->timerset = ISC_FALSE;
+
+ client->message = NULL;
+ result = dns_message_create(manager->mctx, DNS_MESSAGE_INTENTPARSE,
+ &client->message);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_timer;
+
+ /* XXXRTH Hardwired constants */
+
+ client->sendevent = (isc_socketevent_t *)
+ isc_event_allocate(manager->mctx, client,
+ ISC_SOCKEVENT_SENDDONE,
+ client_senddone, client,
+ sizeof(isc_socketevent_t));
+ if (client->sendevent == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_message;
+ }
+
+ client->recvbuf = isc_mem_get(manager->mctx, RECV_BUFFER_SIZE);
+ if (client->recvbuf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_sendevent;
+ }
+
+ client->recvevent = (isc_socketevent_t *)
+ isc_event_allocate(manager->mctx, client,
+ ISC_SOCKEVENT_RECVDONE,
+ client_request, client,
+ sizeof(isc_socketevent_t));
+ if (client->recvevent == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_recvbuf;
+ }
+
+ client->magic = NS_CLIENT_MAGIC;
+ client->mctx = manager->mctx;
+ client->manager = NULL;
+ client->state = NS_CLIENTSTATE_INACTIVE;
+ client->newstate = NS_CLIENTSTATE_MAX;
+ client->naccepts = 0;
+ client->nreads = 0;
+ client->nsends = 0;
+ client->nrecvs = 0;
+ client->nupdates = 0;
+ client->nctls = 0;
+ client->references = 0;
+ client->attributes = 0;
+ client->view = NULL;
+ client->dispatch = NULL;
+ client->udpsocket = NULL;
+ client->tcplistener = NULL;
+ client->tcpsocket = NULL;
+ client->tcpmsg_valid = ISC_FALSE;
+ client->tcpbuf = NULL;
+ client->opt = NULL;
+ client->udpsize = 512;
+ client->extflags = 0;
+ client->next = NULL;
+ client->shutdown = NULL;
+ client->shutdown_arg = NULL;
+ dns_name_init(&client->signername, NULL);
+ client->mortal = ISC_FALSE;
+ client->tcpquota = NULL;
+ client->recursionquota = NULL;
+ client->interface = NULL;
+ client->peeraddr_valid = ISC_FALSE;
+ ISC_EVENT_INIT(&client->ctlevent, sizeof(client->ctlevent), 0, NULL,
+ NS_EVENT_CLIENTCONTROL, client_start, client, client,
+ NULL, NULL);
+ /*
+ * Initialize FORMERR cache to sentinel value that will not match
+ * any actual FORMERR response.
+ */
+ isc_sockaddr_any(&client->formerrcache.addr);
+ client->formerrcache.time = 0;
+ client->formerrcache.id = 0;
+ ISC_LINK_INIT(client, link);
+ client->list = NULL;
+
+ /*
+ * We call the init routines for the various kinds of client here,
+ * after we have created an otherwise valid client, because some
+ * of them call routines that REQUIRE(NS_CLIENT_VALID(client)).
+ */
+ result = ns_query_init(client);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_recvevent;
+
+ result = isc_task_onshutdown(client->task, client_shutdown, client);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_query;
+
+ CTRACE("create");
+
+ *clientp = client;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_query:
+ ns_query_free(client);
+
+ cleanup_recvevent:
+ isc_event_free((isc_event_t **)&client->recvevent);
+
+ cleanup_recvbuf:
+ isc_mem_put(manager->mctx, client->recvbuf, RECV_BUFFER_SIZE);
+
+ cleanup_sendevent:
+ isc_event_free((isc_event_t **)&client->sendevent);
+
+ client->magic = 0;
+
+ cleanup_message:
+ dns_message_destroy(&client->message);
+
+ cleanup_timer:
+ isc_timer_detach(&client->timer);
+
+ cleanup_task:
+ isc_task_detach(&client->task);
+
+ cleanup_client:
+ isc_mem_put(manager->mctx, client, sizeof(*client));
+
+ return (result);
+}
+
+static void
+client_read(ns_client_t *client) {
+ isc_result_t result;
+
+ CTRACE("read");
+
+ result = dns_tcpmsg_readmessage(&client->tcpmsg, client->task,
+ client_request, client);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /*
+ * Set a timeout to limit the amount of time we will wait
+ * for a request on this TCP connection.
+ */
+ ns_client_settimeout(client, 30);
+
+ client->state = client->newstate = NS_CLIENTSTATE_READING;
+ INSIST(client->nreads == 0);
+ INSIST(client->recursionquota == NULL);
+ client->nreads++;
+
+ return;
+ fail:
+ ns_client_next(client, result);
+}
+
+static void
+client_newconn(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client = event->ev_arg;
+ isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+ isc_result_t result;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_NEWCONN);
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(client->task == task);
+
+ UNUSED(task);
+
+ INSIST(client->state == NS_CLIENTSTATE_READY);
+
+ INSIST(client->naccepts == 1);
+ client->naccepts--;
+
+ LOCK(&client->interface->lock);
+ INSIST(client->interface->ntcpcurrent > 0);
+ client->interface->ntcpcurrent--;
+ UNLOCK(&client->interface->lock);
+
+ /*
+ * We must take ownership of the new socket before the exit
+ * check to make sure it gets destroyed if we decide to exit.
+ */
+ if (nevent->result == ISC_R_SUCCESS) {
+ client->tcpsocket = nevent->newsocket;
+ client->state = NS_CLIENTSTATE_READING;
+ INSIST(client->recursionquota == NULL);
+
+ (void)isc_socket_getpeername(client->tcpsocket,
+ &client->peeraddr);
+ client->peeraddr_valid = ISC_TRUE;
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "new TCP connection");
+ } else {
+ /*
+ * XXXRTH What should we do? We're trying to accept but
+ * it didn't work. If we just give up, then TCP
+ * service may eventually stop.
+ *
+ * For now, we just go idle.
+ *
+ * Going idle is probably the right thing if the
+ * I/O was canceled.
+ */
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "accept failed: %s",
+ isc_result_totext(nevent->result));
+ }
+
+ if (exit_check(client))
+ goto freeevent;
+
+ if (nevent->result == ISC_R_SUCCESS) {
+ int match;
+ isc_netaddr_t netaddr;
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ if (ns_g_server->blackholeacl != NULL &&
+ dns_acl_match(&netaddr, NULL,
+ ns_g_server->blackholeacl,
+ &ns_g_server->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+ "blackholed connection attempt");
+ client->newstate = NS_CLIENTSTATE_READY;
+ (void)exit_check(client);
+ goto freeevent;
+ }
+
+ INSIST(client->tcpmsg_valid == ISC_FALSE);
+ dns_tcpmsg_init(client->mctx, client->tcpsocket,
+ &client->tcpmsg);
+ client->tcpmsg_valid = ISC_TRUE;
+
+ /*
+ * Let a new client take our place immediately, before
+ * we wait for a request packet. If we don't,
+ * telnetting to port 53 (once per CPU) will
+ * deny service to legititmate TCP clients.
+ */
+ result = isc_quota_attach(&ns_g_server->tcpquota,
+ &client->tcpquota);
+ if (result == ISC_R_SUCCESS)
+ result = ns_client_replace(client);
+ if (result != ISC_R_SUCCESS) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_WARNING,
+ "no more TCP clients: %s",
+ isc_result_totext(result));
+ }
+
+ client_read(client);
+ }
+
+ freeevent:
+ isc_event_free(&event);
+}
+
+static void
+client_accept(ns_client_t *client) {
+ isc_result_t result;
+
+ CTRACE("accept");
+
+ result = isc_socket_accept(client->tcplistener, client->task,
+ client_newconn, client);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+ /*
+ * XXXRTH What should we do? We're trying to accept but
+ * it didn't work. If we just give up, then TCP
+ * service may eventually stop.
+ *
+ * For now, we just go idle.
+ */
+ return;
+ }
+ INSIST(client->naccepts == 0);
+ client->naccepts++;
+ LOCK(&client->interface->lock);
+ client->interface->ntcpcurrent++;
+ UNLOCK(&client->interface->lock);
+}
+
+static void
+client_udprecv(ns_client_t *client) {
+ isc_result_t result;
+ isc_region_t r;
+
+ CTRACE("udprecv");
+
+ r.base = client->recvbuf;
+ r.length = RECV_BUFFER_SIZE;
+ result = isc_socket_recv2(client->udpsocket, &r, 1,
+ client->task, client->recvevent, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_recv() failed: %s",
+ isc_result_totext(result));
+ /*
+ * This cannot happen in the current implementation, since
+ * isc_socket_recv2() cannot fail if flags == 0.
+ *
+ * If this does fail, we just go idle.
+ */
+ return;
+ }
+ INSIST(client->nrecvs == 0);
+ client->nrecvs++;
+}
+
+void
+ns_client_attach(ns_client_t *source, ns_client_t **targetp) {
+ REQUIRE(NS_CLIENT_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ source->references++;
+ ns_client_log(source, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+ "ns_client_attach: ref = %d", source->references);
+ *targetp = source;
+}
+
+void
+ns_client_detach(ns_client_t **clientp) {
+ ns_client_t *client = *clientp;
+
+ client->references--;
+ INSIST(client->references >= 0);
+ *clientp = NULL;
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(10),
+ "ns_client_detach: ref = %d", client->references);
+ (void)exit_check(client);
+}
+
+isc_boolean_t
+ns_client_shuttingdown(ns_client_t *client) {
+ return (ISC_TF(client->newstate == NS_CLIENTSTATE_FREED));
+}
+
+isc_result_t
+ns_client_replace(ns_client_t *client) {
+ isc_result_t result;
+
+ CTRACE("replace");
+
+ result = ns_clientmgr_createclients(client->manager,
+ 1, client->interface,
+ (TCP_CLIENT(client) ?
+ ISC_TRUE : ISC_FALSE));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * The responsibility for listening for new requests is hereby
+ * transferred to the new client. Therefore, the old client
+ * should refrain from listening for any more requests.
+ */
+ client->mortal = ISC_TRUE;
+
+ return (ISC_R_SUCCESS);
+}
+
+/***
+ *** Client Manager
+ ***/
+
+static void
+clientmgr_destroy(ns_clientmgr_t *manager) {
+ REQUIRE(ISC_LIST_EMPTY(manager->active));
+ REQUIRE(ISC_LIST_EMPTY(manager->inactive));
+ REQUIRE(ISC_LIST_EMPTY(manager->recursing));
+
+ MTRACE("clientmgr_destroy");
+
+ DESTROYLOCK(&manager->lock);
+ manager->magic = 0;
+ isc_mem_put(manager->mctx, manager, sizeof(*manager));
+}
+
+isc_result_t
+ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, ns_clientmgr_t **managerp)
+{
+ ns_clientmgr_t *manager;
+ isc_result_t result;
+
+ manager = isc_mem_get(mctx, sizeof(*manager));
+ if (manager == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&manager->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_manager;
+
+ manager->mctx = mctx;
+ manager->taskmgr = taskmgr;
+ manager->timermgr = timermgr;
+ manager->exiting = ISC_FALSE;
+ ISC_LIST_INIT(manager->active);
+ ISC_LIST_INIT(manager->inactive);
+ ISC_LIST_INIT(manager->recursing);
+ manager->magic = MANAGER_MAGIC;
+
+ MTRACE("create");
+
+ *managerp = manager;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_manager:
+ isc_mem_put(manager->mctx, manager, sizeof(*manager));
+
+ return (result);
+}
+
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
+ ns_clientmgr_t *manager;
+ ns_client_t *client;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(managerp != NULL);
+ manager = *managerp;
+ REQUIRE(VALID_MANAGER(manager));
+
+ MTRACE("destroy");
+
+ LOCK(&manager->lock);
+
+ manager->exiting = ISC_TRUE;
+
+ for (client = ISC_LIST_HEAD(manager->recursing);
+ client != NULL;
+ client = ISC_LIST_NEXT(client, link))
+ isc_task_shutdown(client->task);
+
+ for (client = ISC_LIST_HEAD(manager->active);
+ client != NULL;
+ client = ISC_LIST_NEXT(client, link))
+ isc_task_shutdown(client->task);
+
+ for (client = ISC_LIST_HEAD(manager->inactive);
+ client != NULL;
+ client = ISC_LIST_NEXT(client, link))
+ isc_task_shutdown(client->task);
+
+ if (ISC_LIST_EMPTY(manager->active) &&
+ ISC_LIST_EMPTY(manager->inactive) &&
+ ISC_LIST_EMPTY(manager->recursing))
+ need_destroy = ISC_TRUE;
+
+ UNLOCK(&manager->lock);
+
+ if (need_destroy)
+ clientmgr_destroy(manager);
+
+ *managerp = NULL;
+}
+
+isc_result_t
+ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
+ ns_interface_t *ifp, isc_boolean_t tcp)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned int i;
+ ns_client_t *client;
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(n > 0);
+
+ MTRACE("createclients");
+
+ /*
+ * We MUST lock the manager lock for the entire client creation
+ * process. If we didn't do this, then a client could get a
+ * shutdown event and disappear out from under us.
+ */
+
+ LOCK(&manager->lock);
+
+ for (i = 0; i < n; i++) {
+ isc_event_t *ev;
+ /*
+ * Allocate a client. First try to get a recycled one;
+ * if that fails, make a new one.
+ */
+ client = ISC_LIST_HEAD(manager->inactive);
+ if (client != NULL) {
+ MTRACE("recycle");
+ ISC_LIST_UNLINK(manager->inactive, client, link);
+ client->list = NULL;
+ } else {
+ MTRACE("create new");
+ result = client_create(manager, &client);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+
+ ns_interface_attach(ifp, &client->interface);
+ client->state = NS_CLIENTSTATE_READY;
+ INSIST(client->recursionquota == NULL);
+
+ if (tcp) {
+ client->attributes |= NS_CLIENTATTR_TCP;
+ isc_socket_attach(ifp->tcpsocket,
+ &client->tcplistener);
+ } else {
+ isc_socket_t *sock;
+
+ dns_dispatch_attach(ifp->udpdispatch,
+ &client->dispatch);
+ sock = dns_dispatch_getsocket(client->dispatch);
+ isc_socket_attach(sock, &client->udpsocket);
+ }
+ client->manager = manager;
+ ISC_LIST_APPEND(manager->active, client, link);
+ client->list = &manager->active;
+
+ INSIST(client->nctls == 0);
+ client->nctls++;
+ ev = &client->ctlevent;
+ isc_task_send(client->task, &ev);
+ }
+ if (i != 0) {
+ /*
+ * We managed to create at least one client, so we
+ * declare victory.
+ */
+ result = ISC_R_SUCCESS;
+ }
+
+ UNLOCK(&manager->lock);
+
+ return (result);
+}
+
+isc_sockaddr_t *
+ns_client_getsockaddr(ns_client_t *client) {
+ return (&client->peeraddr);
+}
+
+isc_result_t
+ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
+ isc_boolean_t default_allow)
+{
+ isc_result_t result;
+ int match;
+ isc_netaddr_t netaddr;
+
+ if (acl == NULL) {
+ if (default_allow)
+ goto allow;
+ else
+ goto deny;
+ }
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+ result = dns_acl_match(&netaddr, client->signer, acl,
+ &ns_g_server->aclenv,
+ &match, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto deny; /* Internal error, already logged. */
+ if (match > 0)
+ goto allow;
+ goto deny; /* Negative match or no match. */
+
+ allow:
+ return (ISC_R_SUCCESS);
+
+ deny:
+ return (DNS_R_REFUSED);
+}
+
+isc_result_t
+ns_client_checkacl(ns_client_t *client,
+ const char *opname, dns_acl_t *acl,
+ isc_boolean_t default_allow, int log_level)
+{
+ isc_result_t result =
+ ns_client_checkaclsilent(client, acl, default_allow);
+
+ if (result == ISC_R_SUCCESS)
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "%s approved", opname);
+ else
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT,
+ log_level, "%s denied", opname);
+ return (result);
+}
+
+static void
+ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
+ if (client->peeraddr_valid)
+ isc_sockaddr_format(&client->peeraddr, peerbuf, len);
+ else
+ snprintf(peerbuf, len, "@%p", client);
+}
+
+void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+{
+ char msgbuf[2048];
+ char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+ const char *name = "";
+ const char *sep = "";
+
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ ns_client_name(client, peerbuf, sizeof(peerbuf));
+ if (client->view != NULL && strcmp(client->view->name, "_bind") != 0 &&
+ strcmp(client->view->name, "_default") != 0) {
+ name = client->view->name;
+ sep = ": view ";
+ }
+
+ isc_log_write(ns_g_lctx, category, module, level,
+ "client %s%s%s: %s", peerbuf, sep, name, msgbuf);
+}
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, ...)
+{
+ va_list ap;
+
+ if (! isc_log_wouldlog(ns_g_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ ns_client_logv(client, category, module, level, fmt, ap);
+ va_end(ap);
+}
+
+void
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataclass_t rdclass, char *buf, size_t len)
+{
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+ (void)snprintf(buf, len, "%s '%s/%s/%s'", msg, namebuf, typebuf,
+ classbuf);
+}
+
+static void
+ns_client_dumpmessage(ns_client_t *client, const char *reason) {
+ isc_buffer_t buffer;
+ char *buf = NULL;
+ int len = 1024;
+ isc_result_t result;
+
+ /*
+ * Note that these are multiline debug messages. We want a newline
+ * to appear in the log after each message.
+ */
+
+ do {
+ buf = isc_mem_get(client->mctx, len);
+ if (buf == NULL)
+ break;
+ isc_buffer_init(&buffer, buf, len);
+ result = dns_message_totext(client->message,
+ &dns_master_style_debug,
+ 0, &buffer);
+ if (result == ISC_R_NOSPACE) {
+ isc_mem_put(client->mctx, buf, len);
+ len += 1024;
+ } else if (result == ISC_R_SUCCESS)
+ ns_client_log(client, NS_LOGCATEGORY_UNMATCHED,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(1),
+ "%s\n%.*s", reason,
+ (int)isc_buffer_usedlength(&buffer),
+ buf);
+ } while (result == ISC_R_NOSPACE);
+
+ if (buf != NULL)
+ isc_mem_put(client->mctx, buf, len);
+}
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager) {
+ ns_client_t *client;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+ const char *name;
+ const char *sep;
+
+ REQUIRE(VALID_MANAGER(manager));
+
+ LOCK(&manager->lock);
+ client = ISC_LIST_HEAD(manager->recursing);
+ while (client != NULL) {
+ ns_client_name(client, peerbuf, sizeof(peerbuf));
+ if (client->view != NULL &&
+ strcmp(client->view->name, "_bind") != 0 &&
+ strcmp(client->view->name, "_default") != 0) {
+ name = client->view->name;
+ sep = ": view ";
+ } else {
+ name = "";
+ sep = "";
+ }
+ dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+ fprintf(f, "; client %s%s%s: '%s' requesttime %d\n",
+ peerbuf, sep, name, namebuf, client->requesttime);
+ client = ISC_LIST_NEXT(client, link);
+ }
+ UNLOCK(&manager->lock);
+}
diff --git a/contrib/bind9/bin/named/config.c b/contrib/bind9/bin/named/config.c
new file mode 100644
index 0000000..75158c0
--- /dev/null
+++ b/contrib/bind9/bin/named/config.c
@@ -0,0 +1,723 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: config.c,v 1.11.2.4.8.28 2004/08/28 05:41:42 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/tsig.h>
+#include <dns/zone.h>
+
+#include <named/config.h>
+#include <named/globals.h>
+
+static char defaultconf[] = "\
+options {\n\
+# blackhole {none;};\n"
+#ifndef WIN32
+" coresize default;\n\
+ datasize default;\n\
+ files default;\n\
+ stacksize default;\n"
+#endif
+" deallocate-on-exit true;\n\
+# directory <none>\n\
+ dump-file \"named_dump.db\";\n\
+ fake-iquery no;\n\
+ has-old-clients false;\n\
+ heartbeat-interval 60;\n\
+ host-statistics no;\n\
+ interface-interval 60;\n\
+ listen-on {any;};\n\
+ listen-on-v6 {none;};\n\
+ match-mapped-addresses no;\n\
+ memstatistics-file \"named.memstats\";\n\
+ multiple-cnames no;\n\
+# named-xfer <obsolete>;\n\
+# pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
+ port 53;\n\
+ recursing-file \"named.recursing\";\n\
+"
+#ifdef PATH_RANDOMDEV
+"\
+ random-device \"" PATH_RANDOMDEV "\";\n\
+"
+#endif
+"\
+ recursive-clients 1000;\n\
+ rrset-order {order cyclic;};\n\
+ serial-queries 20;\n\
+ serial-query-rate 20;\n\
+ server-id none;\n\
+ statistics-file \"named.stats\";\n\
+ statistics-interval 60;\n\
+ tcp-clients 100;\n\
+ tcp-listen-queue 3;\n\
+# tkey-dhkey <none>\n\
+# tkey-gssapi-credential <none>\n\
+# tkey-domain <none>\n\
+ transfers-per-ns 2;\n\
+ transfers-in 10;\n\
+ transfers-out 10;\n\
+ treat-cr-as-space true;\n\
+ use-id-pool true;\n\
+ use-ixfr true;\n\
+ edns-udp-size 4096;\n\
+\n\
+ /* view */\n\
+ allow-notify {none;};\n\
+ allow-update-forwarding {none;};\n\
+ allow-recursion {any;};\n\
+# allow-v6-synthesis <obsolete>;\n\
+# sortlist <none>\n\
+# topology <none>\n\
+ auth-nxdomain false;\n\
+ minimal-responses false;\n\
+ recursion true;\n\
+ provide-ixfr true;\n\
+ request-ixfr true;\n\
+ fetch-glue no;\n\
+ rfc2308-type1 no;\n\
+ additional-from-auth true;\n\
+ additional-from-cache true;\n\
+ query-source address *;\n\
+ query-source-v6 address *;\n\
+ notify-source *;\n\
+ notify-source-v6 *;\n\
+ cleaning-interval 60;\n\
+ min-roots 2;\n\
+ lame-ttl 600;\n\
+ max-ncache-ttl 10800; /* 3 hours */\n\
+ max-cache-ttl 604800; /* 1 week */\n\
+ transfer-format many-answers;\n\
+ max-cache-size 0;\n\
+ check-names master fail;\n\
+ check-names slave warn;\n\
+ check-names response ignore;\n\
+ dnssec-enable no; /* Make yes for 9.4. */ \n\
+"
+
+" /* zone */\n\
+ allow-query {any;};\n\
+ allow-transfer {any;};\n\
+ notify yes;\n\
+# also-notify <none>\n\
+ dialup no;\n\
+# forward <none>\n\
+# forwarders <none>\n\
+ maintain-ixfr-base no;\n\
+# max-ixfr-log-size <obsolete>\n\
+ transfer-source *;\n\
+ transfer-source-v6 *;\n\
+ alt-transfer-source *;\n\
+ alt-transfer-source-v6 *;\n\
+ max-transfer-time-in 120;\n\
+ max-transfer-time-out 120;\n\
+ max-transfer-idle-in 60;\n\
+ max-transfer-idle-out 60;\n\
+ max-retry-time 1209600; /* 2 weeks */\n\
+ min-retry-time 500;\n\
+ max-refresh-time 2419200; /* 4 weeks */\n\
+ min-refresh-time 300;\n\
+ multi-master no;\n\
+ sig-validity-interval 30; /* days */\n\
+ zone-statistics false;\n\
+ max-journal-size unlimited;\n\
+ ixfr-from-differences false;\n\
+};\n\
+"
+
+"#\n\
+# Zones in the \"_bind\" view are NOT counted is the count of zones.\n\
+#\n\
+view \"_bind\" chaos {\n\
+ recursion no;\n\
+ notify no;\n\
+\n\
+ zone \"version.bind\" chaos {\n\
+ type master;\n\
+ database \"_builtin version\";\n\
+ };\n\
+\n\
+ zone \"hostname.bind\" chaos {\n\
+ type master;\n\
+ database \"_builtin hostname\";\n\
+ };\n\
+\n\
+ zone \"authors.bind\" chaos {\n\
+ type master;\n\
+ database \"_builtin authors\";\n\
+ };\n\
+ zone \"id.server\" chaos {\n\
+ type master;\n\
+ database \"_builtin id\";\n\
+ };\n\
+};\n\
+";
+
+isc_result_t
+ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf) {
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, defaultconf, sizeof(defaultconf) - 1);
+ isc_buffer_add(&b, sizeof(defaultconf) - 1);
+ return (cfg_parse_buffer(parser, &b, &cfg_type_namedconf, conf));
+}
+
+isc_result_t
+ns_config_get(cfg_obj_t **maps, const char *name, cfg_obj_t **obj) {
+ int i;
+
+ for (i = 0;; i++) {
+ if (maps[i] == NULL)
+ return (ISC_R_NOTFOUND);
+ if (cfg_map_get(maps[i], name, obj) == ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+ }
+}
+
+isc_result_t
+ns_checknames_get(cfg_obj_t **maps, const char *which, cfg_obj_t **obj) {
+ cfg_listelt_t *element;
+ cfg_obj_t *checknames;
+ cfg_obj_t *type;
+ cfg_obj_t *value;
+ int i;
+
+ for (i = 0;; i++) {
+ if (maps[i] == NULL)
+ return (ISC_R_NOTFOUND);
+ checknames = NULL;
+ if (cfg_map_get(maps[i], "check-names", &checknames) == ISC_R_SUCCESS) {
+ /*
+ * Zone map entry is not a list.
+ */
+ if (checknames != NULL && !cfg_obj_islist(checknames)) {
+ *obj = checknames;
+ return (ISC_R_SUCCESS);
+ }
+ for (element = cfg_list_first(checknames);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ value = cfg_listelt_value(element);
+ type = cfg_tuple_get(value, "type");
+ if (strcasecmp(cfg_obj_asstring(type), which) == 0) {
+ *obj = cfg_tuple_get(value, "mode");
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ }
+ }
+}
+
+int
+ns_config_listcount(cfg_obj_t *list) {
+ cfg_listelt_t *e;
+ int i = 0;
+
+ for (e = cfg_list_first(list); e != NULL; e = cfg_list_next(e))
+ i++;
+
+ return (i);
+}
+
+isc_result_t
+ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ dns_rdataclass_t *classp) {
+ char *str;
+ isc_textregion_t r;
+ isc_result_t result;
+
+ if (!cfg_obj_isstring(classobj)) {
+ *classp = defclass;
+ return (ISC_R_SUCCESS);
+ }
+ str = cfg_obj_asstring(classobj);
+ r.base = str;
+ r.length = strlen(str);
+ result = dns_rdataclass_fromtext(classp, &r);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(classobj, ns_g_lctx, ISC_LOG_ERROR,
+ "unknown class '%s'", str);
+ return (result);
+}
+
+isc_result_t
+ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ dns_rdatatype_t *typep) {
+ char *str;
+ isc_textregion_t r;
+ isc_result_t result;
+
+ if (!cfg_obj_isstring(typeobj)) {
+ *typep = deftype;
+ return (ISC_R_SUCCESS);
+ }
+ str = cfg_obj_asstring(typeobj);
+ r.base = str;
+ r.length = strlen(str);
+ result = dns_rdatatype_fromtext(typep, &r);
+ if (result != ISC_R_SUCCESS)
+ cfg_obj_log(typeobj, ns_g_lctx, ISC_LOG_ERROR,
+ "unknown type '%s'", str);
+ return (result);
+}
+
+dns_zonetype_t
+ns_config_getzonetype(cfg_obj_t *zonetypeobj) {
+ dns_zonetype_t ztype = dns_zone_none;
+ char *str;
+
+ str = cfg_obj_asstring(zonetypeobj);
+ if (strcasecmp(str, "master") == 0)
+ ztype = dns_zone_master;
+ else if (strcasecmp(str, "slave") == 0)
+ ztype = dns_zone_slave;
+ else if (strcasecmp(str, "stub") == 0)
+ ztype = dns_zone_stub;
+ else
+ INSIST(0);
+ return (ztype);
+}
+
+isc_result_t
+ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ in_port_t defport, isc_mem_t *mctx,
+ isc_sockaddr_t **addrsp, isc_uint32_t *countp)
+{
+ int count, i = 0;
+ cfg_obj_t *addrlist;
+ cfg_obj_t *portobj;
+ cfg_listelt_t *element;
+ isc_sockaddr_t *addrs;
+ in_port_t port;
+ isc_result_t result;
+
+ INSIST(addrsp != NULL && *addrsp == NULL);
+ INSIST(countp != NULL);
+
+ addrlist = cfg_tuple_get(list, "addresses");
+ count = ns_config_listcount(addrlist);
+
+ portobj = cfg_tuple_get(list, "port");
+ if (cfg_obj_isuint32(portobj)) {
+ isc_uint32_t val = cfg_obj_asuint32(portobj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ return (ISC_R_RANGE);
+ }
+ port = (in_port_t) val;
+ } else if (defport != 0)
+ port = defport;
+ else {
+ result = ns_config_getport(config, &port);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ addrs = isc_mem_get(mctx, count * sizeof(isc_sockaddr_t));
+ if (addrs == NULL)
+ return (ISC_R_NOMEMORY);
+
+ for (element = cfg_list_first(addrlist);
+ element != NULL;
+ element = cfg_list_next(element), i++)
+ {
+ INSIST(i < count);
+ addrs[i] = *cfg_obj_assockaddr(cfg_listelt_value(element));
+ if (isc_sockaddr_getport(&addrs[i]) == 0)
+ isc_sockaddr_setport(&addrs[i], port);
+ }
+ INSIST(i == count);
+
+ *addrsp = addrs;
+ *countp = count;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+ isc_uint32_t count)
+{
+ INSIST(addrsp != NULL && *addrsp != NULL);
+
+ isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
+ *addrsp = NULL;
+}
+
+static isc_result_t
+get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *masters = NULL;
+ cfg_listelt_t *elt;
+
+ result = cfg_map_get(cctx, "masters", &masters);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ for (elt = cfg_list_first(masters);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ cfg_obj_t *list;
+ const char *listname;
+
+ list = cfg_listelt_value(elt);
+ listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
+
+ if (strcasecmp(listname, name) == 0) {
+ *ret = list;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
+ isc_sockaddr_t **addrsp, dns_name_t ***keysp,
+ isc_uint32_t *countp)
+{
+ isc_uint32_t addrcount = 0, keycount = 0, i = 0;
+ isc_uint32_t listcount = 0, l = 0, j;
+ isc_uint32_t stackcount = 0, pushed = 0;
+ isc_result_t result;
+ cfg_listelt_t *element;
+ cfg_obj_t *addrlist;
+ cfg_obj_t *portobj;
+ in_port_t port;
+ dns_fixedname_t fname;
+ isc_sockaddr_t *addrs = NULL;
+ dns_name_t **keys = NULL;
+ char **lists = NULL;
+ struct {
+ cfg_listelt_t *element;
+ in_port_t port;
+ } *stack = NULL;
+
+ REQUIRE(addrsp != NULL && *addrsp == NULL);
+ REQUIRE(keysp != NULL && *keysp == NULL);
+ REQUIRE(countp != NULL);
+
+ newlist:
+ addrlist = cfg_tuple_get(list, "addresses");
+ portobj = cfg_tuple_get(list, "port");
+ if (cfg_obj_isuint32(portobj)) {
+ isc_uint32_t val = cfg_obj_asuint32(portobj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ return (ISC_R_RANGE);
+ }
+ port = (in_port_t) val;
+ } else {
+ result = ns_config_getport(config, &port);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ result = ISC_R_NOMEMORY;
+
+ element = cfg_list_first(addrlist);
+ resume:
+ for ( ;
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *addr;
+ cfg_obj_t *key;
+ char *keystr;
+ isc_buffer_t b;
+
+ addr = cfg_tuple_get(cfg_listelt_value(element),
+ "masterselement");
+ key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+ if (!cfg_obj_issockaddr(addr)) {
+ char *listname = cfg_obj_asstring(addr);
+ isc_result_t tresult;
+
+ /* Grow lists? */
+ if (listcount == l) {
+ void * new;
+ isc_uint32_t newlen = listcount + 16;
+ size_t newsize, oldsize;
+
+ newsize = newlen * sizeof(*lists);
+ oldsize = listcount * sizeof(*lists);
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ if (listcount != 0) {
+ memcpy(new, lists, oldsize);
+ isc_mem_put(mctx, lists, oldsize);
+ }
+ lists = new;
+ listcount = newlen;
+ }
+ /* Seen? */
+ for (j = 0; j < l; j++)
+ if (strcasecmp(lists[j], listname) == 0)
+ break;
+ if (j < l)
+ continue;
+ tresult = get_masters_def(config, listname, &list);
+ if (tresult == ISC_R_NOTFOUND) {
+ cfg_obj_log(addr, ns_g_lctx, ISC_LOG_ERROR,
+ "masters \"%s\" not found", listname);
+
+ result = tresult;
+ goto cleanup;
+ }
+ if (tresult != ISC_R_SUCCESS)
+ goto cleanup;
+ lists[l++] = listname;
+ /* Grow stack? */
+ if (stackcount == pushed) {
+ void * new;
+ isc_uint32_t newlen = stackcount + 16;
+ size_t newsize, oldsize;
+
+ newsize = newlen * sizeof(*stack);
+ oldsize = stackcount * sizeof(*stack);
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ if (stackcount != 0) {
+ memcpy(new, stack, oldsize);
+ isc_mem_put(mctx, stack, oldsize);
+ }
+ stack = new;
+ stackcount = newlen;
+ }
+ /*
+ * We want to resume processing this list on the
+ * next element.
+ */
+ stack[pushed].element = cfg_list_next(element);
+ stack[pushed].port = port;
+ pushed++;
+ goto newlist;
+ }
+
+ if (i == addrcount) {
+ void * new;
+ isc_uint32_t newlen = addrcount + 16;
+ size_t newsize, oldsize;
+
+ newsize = newlen * sizeof(isc_sockaddr_t);
+ oldsize = addrcount * sizeof(isc_sockaddr_t);
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ if (addrcount != 0) {
+ memcpy(new, addrs, oldsize);
+ isc_mem_put(mctx, addrs, oldsize);
+ }
+ addrs = new;
+ addrcount = newlen;
+
+ newsize = newlen * sizeof(dns_name_t *);
+ oldsize = keycount * sizeof(dns_name_t *);
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ if (keycount != 0) {
+ memcpy(new, keys, newsize);
+ isc_mem_put(mctx, keys, newsize);
+ }
+ keys = new;
+ keycount = newlen;
+ }
+
+ addrs[i] = *cfg_obj_assockaddr(addr);
+ if (isc_sockaddr_getport(&addrs[i]) == 0)
+ isc_sockaddr_setport(&addrs[i], port);
+ keys[i] = NULL;
+ if (!cfg_obj_isstring(key)) {
+ i++;
+ continue;
+ }
+ keys[i] = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (keys[i] == NULL)
+ goto cleanup;
+ dns_name_init(keys[i], NULL);
+
+ keystr = cfg_obj_asstring(key);
+ isc_buffer_init(&b, keystr, strlen(keystr));
+ isc_buffer_add(&b, strlen(keystr));
+ dns_fixedname_init(&fname);
+ result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_name_dup(dns_fixedname_name(&fname), mctx,
+ keys[i]);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ i++;
+ }
+ if (pushed != 0) {
+ pushed--;
+ element = stack[pushed].element;
+ port = stack[pushed].port;
+ goto resume;
+ }
+ if (i < addrcount) {
+ void * new;
+ size_t newsize, oldsize;
+
+ newsize = i * sizeof(isc_sockaddr_t);
+ oldsize = addrcount * sizeof(isc_sockaddr_t);
+ if (i != 0) {
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ memcpy(new, addrs, newsize);
+ isc_mem_put(mctx, addrs, oldsize);
+ } else
+ new = NULL;
+ addrs = new;
+ addrcount = i;
+
+ newsize = i * sizeof(dns_name_t *);
+ oldsize = keycount * sizeof(dns_name_t *);
+ if (i != 0) {
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ memcpy(new, keys, newsize);
+ isc_mem_put(mctx, keys, oldsize);
+ } else
+ new = NULL;
+ keys = new;
+ keycount = i;
+ }
+
+ if (lists != NULL)
+ isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+ if (stack != NULL)
+ isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+
+ INSIST(keycount == addrcount);
+
+ *addrsp = addrs;
+ *keysp = keys;
+ *countp = addrcount;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (addrs != NULL)
+ isc_mem_put(mctx, addrs, addrcount * sizeof(isc_sockaddr_t));
+ if (keys != NULL) {
+ for (j = 0; j <= i; j++) {
+ if (keys[j] == NULL)
+ continue;
+ if (dns_name_dynamic(keys[j]))
+ dns_name_free(keys[j], mctx);
+ isc_mem_put(mctx, keys[j], sizeof(dns_name_t));
+ }
+ isc_mem_put(mctx, keys, keycount * sizeof(dns_name_t *));
+ }
+ if (lists != NULL)
+ isc_mem_put(mctx, lists, listcount * sizeof(*lists));
+ if (stack != NULL)
+ isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+ return (result);
+}
+
+void
+ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+ dns_name_t ***keysp, isc_uint32_t count)
+{
+ unsigned int i;
+ dns_name_t **keys = *keysp;
+
+ INSIST(addrsp != NULL && *addrsp != NULL);
+
+ isc_mem_put(mctx, *addrsp, count * sizeof(isc_sockaddr_t));
+ for (i = 0; i < count; i++) {
+ if (keys[i] == NULL)
+ continue;
+ if (dns_name_dynamic(keys[i]))
+ dns_name_free(keys[i], mctx);
+ isc_mem_put(mctx, keys[i], sizeof(dns_name_t));
+ }
+ isc_mem_put(mctx, *keysp, count * sizeof(dns_name_t *));
+ *addrsp = NULL;
+ *keysp = NULL;
+}
+
+isc_result_t
+ns_config_getport(cfg_obj_t *config, in_port_t *portp) {
+ cfg_obj_t *maps[3];
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *portobj = NULL;
+ isc_result_t result;
+ int i;
+
+ (void)cfg_map_get(config, "options", &options);
+ i = 0;
+ if (options != NULL)
+ maps[i++] = options;
+ maps[i++] = ns_g_defaults;
+ maps[i] = NULL;
+
+ result = ns_config_get(maps, "port", &portobj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port '%u' out of range",
+ cfg_obj_asuint32(portobj));
+ return (ISC_R_RANGE);
+ }
+ *portp = (in_port_t)cfg_obj_asuint32(portobj);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name)
+{
+ if (strcasecmp(str, "hmac-md5") == 0 ||
+ strcasecmp(str, "hmac-md5.sig-alg.reg.int") == 0 ||
+ strcasecmp(str, "hmac-md5.sig-alg.reg.int.") == 0)
+ {
+ if (name != NULL)
+ *name = dns_tsig_hmacmd5_name;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_NOTFOUND);
+}
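Review bot: In `ns_config_getipandkeylist`, the branch that grows `keys` copies and frees the old array with `newsize` instead of `oldsize` (`memcpy(new, keys, newsize); isc_mem_put(mctx, keys, newsize);`), unlike the `lists`, `stack` and `addrs` branches above it. Once the flattened masters list holds more than 16 addresses, this reads past the end of the old allocation and returns it to the allocator with the wrong size. Both lines should use `oldsize`: `memcpy(new, keys, oldsize);` and `isc_mem_put(mctx, keys, oldsize);`. The `cleanup:` loop `for (j = 0; j <= i; j++)` also inspects `keys[i]`, which several `goto cleanup` paths reach before `keys[i] = NULL` has run, and which appears to be one past the array when `i == keycount`; it should probably be bounded by the number of slots actually initialised. Since this is a vendor import, the correction likely belongs upstream and should be tracked here until it lands.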
diff --git a/contrib/bind9/bin/named/control.c b/contrib/bind9/bin/named/control.c
new file mode 100644
index 0000000..89e36bd
--- /dev/null
+++ b/contrib/bind9/bin/named/control.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: control.c,v 1.7.2.2.2.10 2004/03/22 01:52:22 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+
+#include <isccc/alist.h>
+#include <isccc/cc.h>
+#include <isccc/result.h>
+
+#include <named/control.h>
+#include <named/log.h>
+#include <named/os.h>
+#include <named/server.h>
+
+static isc_boolean_t
+command_compare(const char *text, const char *command) {
+ unsigned int commandlen = strlen(command);
+ if (strncasecmp(text, command, commandlen) == 0 &&
+ (text[commandlen] == '\0' ||
+ text[commandlen] == ' ' ||
+ text[commandlen] == '\t'))
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+/*
+ * This function is called to process the incoming command
+ * when a control channel message is received.
+ */
+isc_result_t
+ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
+ isccc_sexpr_t *data;
+ char *command;
+ isc_result_t result;
+
+ data = isccc_alist_lookup(message, "_data");
+ if (data == NULL) {
+ /*
+ * No data section.
+ */
+ return (ISC_R_FAILURE);
+ }
+
+ result = isccc_cc_lookupstring(data, "type", &command);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * We have no idea what this is.
+ */
+ return (result);
+ }
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
+ "received control channel command '%s'",
+ command);
+
+ /*
+ * Compare the 'command' parameter against all known control commands.
+ */
+ if (command_compare(command, NS_COMMAND_RELOAD)) {
+ result = ns_server_reloadcommand(ns_g_server, command, text);
+ } else if (command_compare(command, NS_COMMAND_RECONFIG)) {
+ result = ns_server_reconfigcommand(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_REFRESH)) {
+ result = ns_server_refreshcommand(ns_g_server, command, text);
+ } else if (command_compare(command, NS_COMMAND_RETRANSFER)) {
+ result = ns_server_retransfercommand(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_HALT)) {
+ ns_server_flushonshutdown(ns_g_server, ISC_FALSE);
+ ns_os_shutdownmsg(command, text);
+ isc_app_shutdown();
+ result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_STOP)) {
+ ns_server_flushonshutdown(ns_g_server, ISC_TRUE);
+ ns_os_shutdownmsg(command, text);
+ isc_app_shutdown();
+ result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_DUMPSTATS)) {
+ result = ns_server_dumpstats(ns_g_server);
+ } else if (command_compare(command, NS_COMMAND_QUERYLOG)) {
+ result = ns_server_togglequerylog(ns_g_server);
+ } else if (command_compare(command, NS_COMMAND_DUMPDB)) {
+ ns_server_dumpdb(ns_g_server, command);
+ result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_TRACE)) {
+ result = ns_server_setdebuglevel(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_NOTRACE)) {
+ ns_g_debuglevel = 0;
+ isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+ result = ISC_R_SUCCESS;
+ } else if (command_compare(command, NS_COMMAND_FLUSH)) {
+ result = ns_server_flushcache(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_FLUSHNAME)) {
+ result = ns_server_flushname(ns_g_server, command);
+ } else if (command_compare(command, NS_COMMAND_STATUS)) {
+ result = ns_server_status(ns_g_server, text);
+ } else if (command_compare(command, NS_COMMAND_FREEZE)) {
+ result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
+ } else if (command_compare(command, NS_COMMAND_UNFREEZE)) {
+ result = ns_server_freeze(ns_g_server, ISC_FALSE, command);
+ } else if (command_compare(command, NS_COMMAND_RECURSING)) {
+ result = ns_server_dumprecursing(ns_g_server);
+ } else if (command_compare(command, NS_COMMAND_NULL)) {
+ result = ISC_R_SUCCESS;
+ } else {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+ "unknown control channel command '%s'",
+ command);
+ result = DNS_R_UNKNOWNCOMMAND;
+ }
+
+ return (result);
+}
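Review bot: `ns_control_docommand` records each received command only at `ISC_LOG_DEBUG(1)`, so at the default debug level the `NS_COMMAND_HALT`, `NS_COMMAND_STOP`, `NS_COMMAND_RELOAD` and `NS_COMMAND_FREEZE` branches leave no log entry; only the unknown-command branch logs at `ISC_LOG_WARNING`. A management channel that can shut the server down should leave an audit trail by default, for example by changing the level on the first `isc_log_write` call to `ISC_LOG_INFO`. The function receives only `message` and `text`, so the peer address cannot be logged here; attributing a command to a client would have to happen in the caller, which is outside this hunk.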
diff --git a/contrib/bind9/bin/named/controlconf.c b/contrib/bind9/bin/named/controlconf.c
new file mode 100644
index 0000000..5b87fb9
--- /dev/null
+++ b/contrib/bind9/bin/named/controlconf.c
@@ -0,0 +1,1323 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: controlconf.c,v 1.28.2.9.2.6 2004/03/08 09:04:14 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/random.h>
+#include <isc/result.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include <isccc/alist.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/events.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/symtab.h>
+#include <isccc/util.h>
+
+#include <dns/result.h>
+
+#include <named/config.h>
+#include <named/control.h>
+#include <named/log.h>
+#include <named/server.h>
+
+/*
+ * Note: Listeners and connections are not locked. All event handlers are
+ * executed by the server task, and all callers of exported routines must
+ * be running under the server task.
+ */
+
+typedef struct controlkey controlkey_t;
+typedef ISC_LIST(controlkey_t) controlkeylist_t;
+
+typedef struct controlconnection controlconnection_t;
+typedef ISC_LIST(controlconnection_t) controlconnectionlist_t;
+
+typedef struct controllistener controllistener_t;
+typedef ISC_LIST(controllistener_t) controllistenerlist_t;
+
+struct controlkey {
+ char * keyname;
+ isc_region_t secret;
+ ISC_LINK(controlkey_t) link;
+};
+
+struct controlconnection {
+ isc_socket_t * sock;
+ isccc_ccmsg_t ccmsg;
+ isc_boolean_t ccmsg_valid;
+ isc_boolean_t sending;
+ isc_timer_t * timer;
+ unsigned char buffer[2048];
+ controllistener_t * listener;
+ isc_uint32_t nonce;
+ ISC_LINK(controlconnection_t) link;
+};
+
+struct controllistener {
+ ns_controls_t * controls;
+ isc_mem_t * mctx;
+ isc_task_t * task;
+ isc_sockaddr_t address;
+ isc_socket_t * sock;
+ dns_acl_t * acl;
+ isc_boolean_t listening;
+ isc_boolean_t exiting;
+ controlkeylist_t keys;
+ controlconnectionlist_t connections;
+ ISC_LINK(controllistener_t) link;
+};
+
+struct ns_controls {
+ ns_server_t *server;
+ controllistenerlist_t listeners;
+ isc_boolean_t shuttingdown;
+ isccc_symtab_t *symtab;
+};
+
+static void control_newconn(isc_task_t *task, isc_event_t *event);
+static void control_recvmessage(isc_task_t *task, isc_event_t *event);
+
+#define CLOCKSKEW 300
+
+static void
+free_controlkey(controlkey_t *key, isc_mem_t *mctx) {
+ if (key->keyname != NULL)
+ isc_mem_free(mctx, key->keyname);
+ if (key->secret.base != NULL)
+ isc_mem_put(mctx, key->secret.base, key->secret.length);
+ isc_mem_put(mctx, key, sizeof(*key));
+}
+
+static void
+free_controlkeylist(controlkeylist_t *keylist, isc_mem_t *mctx) {
+ while (!ISC_LIST_EMPTY(*keylist)) {
+ controlkey_t *key = ISC_LIST_HEAD(*keylist);
+ ISC_LIST_UNLINK(*keylist, key, link);
+ free_controlkey(key, mctx);
+ }
+}
+
+static void
+free_listener(controllistener_t *listener) {
+ INSIST(listener->exiting);
+ INSIST(!listener->listening);
+ INSIST(ISC_LIST_EMPTY(listener->connections));
+
+ if (listener->sock != NULL)
+ isc_socket_detach(&listener->sock);
+
+ free_controlkeylist(&listener->keys, listener->mctx);
+
+ if (listener->acl != NULL)
+ dns_acl_detach(&listener->acl);
+
+ isc_mem_put(listener->mctx, listener, sizeof(*listener));
+}
+
+static void
+maybe_free_listener(controllistener_t *listener) {
+ if (listener->exiting &&
+ !listener->listening &&
+ ISC_LIST_EMPTY(listener->connections))
+ free_listener(listener);
+}
+
+static void
+maybe_free_connection(controlconnection_t *conn) {
+ controllistener_t *listener = conn->listener;
+
+ if (conn->timer != NULL)
+ isc_timer_detach(&conn->timer);
+
+ if (conn->ccmsg_valid) {
+ isccc_ccmsg_cancelread(&conn->ccmsg);
+ return;
+ }
+
+ if (conn->sending) {
+ isc_socket_cancel(conn->sock, listener->task,
+ ISC_SOCKCANCEL_SEND);
+ return;
+ }
+
+ ISC_LIST_UNLINK(listener->connections, conn, link);
+ isc_mem_put(listener->mctx, conn, sizeof(*conn));
+}
+
+static void
+shutdown_listener(controllistener_t *listener) {
+ controlconnection_t *conn;
+ controlconnection_t *next;
+
+ if (!listener->exiting) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ ISC_LIST_UNLINK(listener->controls->listeners, listener, link);
+
+ isc_sockaddr_format(&listener->address, socktext,
+ sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+ "stopping command channel on %s", socktext);
+ listener->exiting = ISC_TRUE;
+ }
+
+ for (conn = ISC_LIST_HEAD(listener->connections);
+ conn != NULL;
+ conn = next)
+ {
+ next = ISC_LIST_NEXT(conn, link);
+ maybe_free_connection(conn);
+ }
+
+ if (listener->listening)
+ isc_socket_cancel(listener->sock, listener->task,
+ ISC_SOCKCANCEL_ACCEPT);
+
+ maybe_free_listener(listener);
+}
+
+static isc_boolean_t
+address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
+ isc_netaddr_t netaddr;
+ isc_result_t result;
+ int match;
+
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+
+ result = dns_acl_match(&netaddr, NULL, acl,
+ &ns_g_server->aclenv, &match, NULL);
+
+ if (result != ISC_R_SUCCESS || match <= 0)
+ return (ISC_FALSE);
+ else
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+control_accept(controllistener_t *listener) {
+ isc_result_t result;
+ result = isc_socket_accept(listener->sock,
+ listener->task,
+ control_newconn, listener);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_accept() failed: %s",
+ isc_result_totext(result));
+ else
+ listener->listening = ISC_TRUE;
+ return (result);
+}
+
+static isc_result_t
+control_listen(controllistener_t *listener) {
+ isc_result_t result;
+
+ result = isc_socket_listen(listener->sock, 0);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socket_listen() failed: %s",
+ isc_result_totext(result));
+ return (result);
+}
+
+static void
+control_next(controllistener_t *listener) {
+ (void)control_accept(listener);
+}
+
+static void
+control_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *) event;
+ controlconnection_t *conn = event->ev_arg;
+ controllistener_t *listener = conn->listener;
+ isc_socket_t *sock = (isc_socket_t *)sevent->ev_sender;
+ isc_result_t result;
+
+ REQUIRE(conn->sending);
+
+ UNUSED(task);
+
+ conn->sending = ISC_FALSE;
+
+ if (sevent->result != ISC_R_SUCCESS &&
+ sevent->result != ISC_R_CANCELED)
+ {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t peeraddr;
+
+ (void)isc_socket_getpeername(sock, &peeraddr);
+ isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+ "error sending command response to %s: %s",
+ socktext, isc_result_totext(sevent->result));
+ }
+ isc_event_free(&event);
+
+ result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
+ control_recvmessage, conn);
+ if (result != ISC_R_SUCCESS) {
+ isc_socket_detach(&conn->sock);
+ maybe_free_connection(conn);
+ maybe_free_listener(listener);
+ }
+}
+
+static inline void
+log_invalid(isccc_ccmsg_t *ccmsg, isc_result_t result) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t peeraddr;
+
+ (void)isc_socket_getpeername(ccmsg->sock, &peeraddr);
+ isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_ERROR,
+ "invalid command from %s: %s",
+ socktext, isc_result_totext(result));
+}
+
+static void
+control_recvmessage(isc_task_t *task, isc_event_t *event) {
+ controlconnection_t *conn;
+ controllistener_t *listener;
+ controlkey_t *key;
+ isccc_sexpr_t *request = NULL;
+ isccc_sexpr_t *response = NULL;
+ isccc_region_t ccregion;
+ isccc_region_t secret;
+ isc_stdtime_t now;
+ isc_buffer_t b;
+ isc_region_t r;
+ isc_uint32_t len;
+ isc_buffer_t text;
+ char textarray[1024];
+ isc_result_t result;
+ isc_result_t eresult;
+ isccc_sexpr_t *_ctrl;
+ isccc_time_t sent;
+ isccc_time_t exp;
+ isc_uint32_t nonce;
+
+ REQUIRE(event->ev_type == ISCCC_EVENT_CCMSG);
+
+ conn = event->ev_arg;
+ listener = conn->listener;
+ secret.rstart = NULL;
+
+ /* Is the server shutting down? */
+ if (listener->controls->shuttingdown)
+ goto cleanup;
+
+ if (conn->ccmsg.result != ISC_R_SUCCESS) {
+ if (conn->ccmsg.result != ISC_R_CANCELED &&
+ conn->ccmsg.result != ISC_R_EOF)
+ log_invalid(&conn->ccmsg, conn->ccmsg.result);
+ goto cleanup;
+ }
+
+ request = NULL;
+
+ for (key = ISC_LIST_HEAD(listener->keys);
+ key != NULL;
+ key = ISC_LIST_NEXT(key, link))
+ {
+ ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer);
+ ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer);
+ secret.rstart = isc_mem_get(listener->mctx, key->secret.length);
+ if (secret.rstart == NULL)
+ goto cleanup;
+ memcpy(secret.rstart, key->secret.base, key->secret.length);
+ secret.rend = secret.rstart + key->secret.length;
+ result = isccc_cc_fromwire(&ccregion, &request, &secret);
+ if (result == ISC_R_SUCCESS)
+ break;
+ else if (result == ISCCC_R_BADAUTH) {
+ /*
+ * For some reason, request is non-NULL when
+ * isccc_cc_fromwire returns ISCCC_R_BADAUTH.
+ */
+ if (request != NULL)
+ isccc_sexpr_free(&request);
+ isc_mem_put(listener->mctx, secret.rstart,
+ REGION_SIZE(secret));
+ } else {
+ log_invalid(&conn->ccmsg, result);
+ goto cleanup;
+ }
+ }
+
+ if (key == NULL) {
+ log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
+ goto cleanup;
+ }
+
+ /* We shouldn't be getting a reply. */
+ if (isccc_cc_isreply(request)) {
+ log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+ goto cleanup;
+ }
+
+ isc_stdtime_get(&now);
+
+ /*
+ * Limit exposure to replay attacks.
+ */
+ _ctrl = isccc_alist_lookup(request, "_ctrl");
+ if (_ctrl == NULL) {
+ log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+ goto cleanup;
+ }
+
+ if (isccc_cc_lookupuint32(_ctrl, "_tim", &sent) == ISC_R_SUCCESS) {
+ if ((sent + CLOCKSKEW) < now || (sent - CLOCKSKEW) > now) {
+ log_invalid(&conn->ccmsg, ISCCC_R_CLOCKSKEW);
+ goto cleanup;
+ }
+ } else {
+ log_invalid(&conn->ccmsg, ISC_R_FAILURE);
+ goto cleanup;
+ }
+
+ /*
+ * Expire messages that are too old.
+ */
+ if (isccc_cc_lookupuint32(_ctrl, "_exp", &exp) == ISC_R_SUCCESS &&
+ now > exp) {
+ log_invalid(&conn->ccmsg, ISCCC_R_EXPIRED);
+ goto cleanup;
+ }
+
+ /*
+ * Duplicate suppression (required for UDP).
+ */
+ isccc_cc_cleansymtab(listener->controls->symtab, now);
+ result = isccc_cc_checkdup(listener->controls->symtab, request, now);
+ if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_EXISTS)
+ result = ISCCC_R_DUPLICATE;
+ log_invalid(&conn->ccmsg, result);
+ goto cleanup;
+ }
+
+ if (conn->nonce != 0 &&
+ (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS ||
+ conn->nonce != nonce)) {
+ log_invalid(&conn->ccmsg, ISCCC_R_BADAUTH);
+ goto cleanup;
+ }
+
+ /*
+ * Establish nonce.
+ */
+ while (conn->nonce == 0)
+ isc_random_get(&conn->nonce);
+
+ isc_buffer_init(&text, textarray, sizeof(textarray));
+ eresult = ns_control_docommand(request, &text);
+
+ result = isccc_cc_createresponse(request, now, now + 60, &response);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (eresult != ISC_R_SUCCESS) {
+ isccc_sexpr_t *data;
+
+ data = isccc_alist_lookup(response, "_data");
+ if (data != NULL) {
+ const char *estr = isc_result_totext(eresult);
+ if (isccc_cc_definestring(data, "err", estr) == NULL)
+ goto cleanup;
+ }
+ }
+
+ if (isc_buffer_usedlength(&text) > 0) {
+ isccc_sexpr_t *data;
+
+ data = isccc_alist_lookup(response, "_data");
+ if (data != NULL) {
+ char *str = (char *)isc_buffer_base(&text);
+ if (isccc_cc_definestring(data, "text", str) == NULL)
+ goto cleanup;
+ }
+ }
+
+ _ctrl = isccc_alist_lookup(response, "_ctrl");
+ if (_ctrl == NULL ||
+ isccc_cc_defineuint32(_ctrl, "_nonce", conn->nonce) == NULL)
+ goto cleanup;
+
+ ccregion.rstart = conn->buffer + 4;
+ ccregion.rend = conn->buffer + sizeof(conn->buffer);
+ result = isccc_cc_towire(response, &ccregion, &secret);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_buffer_init(&b, conn->buffer, 4);
+ len = sizeof(conn->buffer) - REGION_SIZE(ccregion);
+ isc_buffer_putuint32(&b, len - 4);
+ r.base = conn->buffer;
+ r.length = len;
+
+ result = isc_socket_send(conn->sock, &r, task, control_senddone, conn);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ conn->sending = ISC_TRUE;
+
+ if (secret.rstart != NULL)
+ isc_mem_put(listener->mctx, secret.rstart,
+ REGION_SIZE(secret));
+ if (request != NULL)
+ isccc_sexpr_free(&request);
+ if (response != NULL)
+ isccc_sexpr_free(&response);
+ return;
+
+ cleanup:
+ if (secret.rstart != NULL)
+ isc_mem_put(listener->mctx, secret.rstart,
+ REGION_SIZE(secret));
+ isc_socket_detach(&conn->sock);
+ isccc_ccmsg_invalidate(&conn->ccmsg);
+ conn->ccmsg_valid = ISC_FALSE;
+ maybe_free_connection(conn);
+ maybe_free_listener(listener);
+ if (request != NULL)
+ isccc_sexpr_free(&request);
+ if (response != NULL)
+ isccc_sexpr_free(&response);
+}
+
+static void
+control_timeout(isc_task_t *task, isc_event_t *event) {
+ controlconnection_t *conn = event->ev_arg;
+
+ UNUSED(task);
+
+ isc_timer_detach(&conn->timer);
+ maybe_free_connection(conn);
+
+ isc_event_free(&event);
+}
+
+static isc_result_t
+newconnection(controllistener_t *listener, isc_socket_t *sock) {
+ controlconnection_t *conn;
+ isc_interval_t interval;
+ isc_result_t result;
+
+ conn = isc_mem_get(listener->mctx, sizeof(*conn));
+ if (conn == NULL)
+ return (ISC_R_NOMEMORY);
+
+ conn->sock = sock;
+ isccc_ccmsg_init(listener->mctx, sock, &conn->ccmsg);
+ conn->ccmsg_valid = ISC_TRUE;
+ conn->sending = ISC_FALSE;
+ conn->timer = NULL;
+ isc_interval_set(&interval, 60, 0);
+ result = isc_timer_create(ns_g_timermgr, isc_timertype_once,
+ NULL, &interval, listener->task,
+ control_timeout, conn, &conn->timer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ conn->listener = listener;
+ conn->nonce = 0;
+ ISC_LINK_INIT(conn, link);
+
+ result = isccc_ccmsg_readmessage(&conn->ccmsg, listener->task,
+ control_recvmessage, conn);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isccc_ccmsg_setmaxsize(&conn->ccmsg, 2048);
+
+ ISC_LIST_APPEND(listener->connections, conn, link);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isccc_ccmsg_invalidate(&conn->ccmsg);
+ if (conn->timer != NULL)
+ isc_timer_detach(&conn->timer);
+ isc_mem_put(listener->mctx, conn, sizeof(*conn));
+ return (result);
+}
+
+static void
+control_newconn(isc_task_t *task, isc_event_t *event) {
+ isc_socket_newconnev_t *nevent = (isc_socket_newconnev_t *)event;
+ controllistener_t *listener = event->ev_arg;
+ isc_socket_t *sock;
+ isc_sockaddr_t peeraddr;
+ isc_result_t result;
+
+ UNUSED(task);
+
+ listener->listening = ISC_FALSE;
+
+ if (nevent->result != ISC_R_SUCCESS) {
+ if (nevent->result == ISC_R_CANCELED) {
+ shutdown_listener(listener);
+ goto cleanup;
+ }
+ goto restart;
+ }
+
+ sock = nevent->newsocket;
+ (void)isc_socket_getpeername(sock, &peeraddr);
+ if (!address_ok(&peeraddr, listener->acl)) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+ "rejected command channel message from %s",
+ socktext);
+ isc_socket_detach(&sock);
+ goto restart;
+ }
+
+ result = newconnection(listener, sock);
+ if (result != ISC_R_SUCCESS) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&peeraddr, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,
+ "dropped command channel from %s: %s",
+ socktext, isc_result_totext(result));
+ isc_socket_detach(&sock);
+ goto restart;
+ }
+
+ restart:
+ control_next(listener);
+ cleanup:
+ isc_event_free(&event);
+}
+
+static void
+controls_shutdown(ns_controls_t *controls) {
+ controllistener_t *listener;
+ controllistener_t *next;
+
+ for (listener = ISC_LIST_HEAD(controls->listeners);
+ listener != NULL;
+ listener = next)
+ {
+ /*
+ * This is asynchronous. As listeners shut down, they will
+ * call their callbacks.
+ */
+ next = ISC_LIST_NEXT(listener, link);
+ shutdown_listener(listener);
+ }
+}
+
+void
+ns_controls_shutdown(ns_controls_t *controls) {
+ controls_shutdown(controls);
+ controls->shuttingdown = ISC_TRUE;
+}
+
+static isc_result_t
+cfgkeylist_find(cfg_obj_t *keylist, const char *keyname, cfg_obj_t **objp) {
+ cfg_listelt_t *element;
+ const char *str;
+ cfg_obj_t *obj;
+
+ for (element = cfg_list_first(keylist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(cfg_map_getname(obj));
+ if (strcasecmp(str, keyname) == 0)
+ break;
+ }
+ if (element == NULL)
+ return (ISC_R_NOTFOUND);
+ obj = cfg_listelt_value(element);
+ *objp = obj;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+controlkeylist_fromcfg(cfg_obj_t *keylist, isc_mem_t *mctx,
+ controlkeylist_t *keyids)
+{
+ cfg_listelt_t *element;
+ char *newstr = NULL;
+ const char *str;
+ cfg_obj_t *obj;
+ controlkey_t *key = NULL;
+
+ for (element = cfg_list_first(keylist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(obj);
+ newstr = isc_mem_strdup(mctx, str);
+ if (newstr == NULL)
+ goto cleanup;
+ key = isc_mem_get(mctx, sizeof(*key));
+ if (key == NULL)
+ goto cleanup;
+ key->keyname = newstr;
+ key->secret.base = NULL;
+ key->secret.length = 0;
+ ISC_LINK_INIT(key, link);
+ ISC_LIST_APPEND(*keyids, key, link);
+ key = NULL;
+ newstr = NULL;
+ }
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (newstr != NULL)
+ isc_mem_free(mctx, newstr);
+ if (key != NULL)
+ isc_mem_put(mctx, key, sizeof(*key));
+ free_controlkeylist(keyids, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static void
+register_keys(cfg_obj_t *control, cfg_obj_t *keylist,
+ controlkeylist_t *keyids, isc_mem_t *mctx, const char *socktext)
+{
+ controlkey_t *keyid, *next;
+ cfg_obj_t *keydef;
+ char secret[1024];
+ isc_buffer_t b;
+ isc_result_t result;
+
+ /*
+ * Find the keys corresponding to the keyids used by this listener.
+ */
+ for (keyid = ISC_LIST_HEAD(*keyids); keyid != NULL; keyid = next) {
+ next = ISC_LIST_NEXT(keyid, link);
+
+ result = cfgkeylist_find(keylist, keyid->keyname, &keydef);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't find key '%s' for use with "
+ "command channel %s",
+ keyid->keyname, socktext);
+ ISC_LIST_UNLINK(*keyids, keyid, link);
+ free_controlkey(keyid, mctx);
+ } else {
+ cfg_obj_t *algobj = NULL;
+ cfg_obj_t *secretobj = NULL;
+ char *algstr = NULL;
+ char *secretstr = NULL;
+
+ (void)cfg_map_get(keydef, "algorithm", &algobj);
+ (void)cfg_map_get(keydef, "secret", &secretobj);
+ INSIST(algobj != NULL && secretobj != NULL);
+
+ algstr = cfg_obj_asstring(algobj);
+ secretstr = cfg_obj_asstring(secretobj);
+
+ if (ns_config_getkeyalgorithm(algstr, NULL) !=
+ ISC_R_SUCCESS)
+ {
+ cfg_obj_log(control, ns_g_lctx,
+ ISC_LOG_WARNING,
+ "unsupported algorithm '%s' in "
+ "key '%s' for use with command "
+ "channel %s",
+ algstr, keyid->keyname, socktext);
+ ISC_LIST_UNLINK(*keyids, keyid, link);
+ free_controlkey(keyid, mctx);
+ continue;
+ }
+
+ isc_buffer_init(&b, secret, sizeof(secret));
+ result = isc_base64_decodestring(secretstr, &b);
+
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
+ "secret for key '%s' on "
+ "command channel %s: %s",
+ keyid->keyname, socktext,
+ isc_result_totext(result));
+ ISC_LIST_UNLINK(*keyids, keyid, link);
+ free_controlkey(keyid, mctx);
+ continue;
+ }
+
+ keyid->secret.length = isc_buffer_usedlength(&b);
+ keyid->secret.base = isc_mem_get(mctx,
+ keyid->secret.length);
+ if (keyid->secret.base == NULL) {
+ cfg_obj_log(keydef, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't register key '%s': "
+ "out of memory", keyid->keyname);
+ ISC_LIST_UNLINK(*keyids, keyid, link);
+ free_controlkey(keyid, mctx);
+ break;
+ }
+ memcpy(keyid->secret.base, isc_buffer_base(&b),
+ keyid->secret.length);
+ }
+ }
+}
+
+#define CHECK(x) \
+ do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto cleanup; \
+ } while (0)
+
+static isc_result_t
+get_rndckey(isc_mem_t *mctx, controlkeylist_t *keyids) {
+ isc_result_t result;
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *config = NULL;
+ cfg_obj_t *key = NULL;
+ cfg_obj_t *algobj = NULL;
+ cfg_obj_t *secretobj = NULL;
+ char *algstr = NULL;
+ char *secretstr = NULL;
+ controlkey_t *keyid = NULL;
+ char secret[1024];
+ isc_buffer_t b;
+
+ CHECK(cfg_parser_create(mctx, ns_g_lctx, &pctx));
+ CHECK(cfg_parse_file(pctx, ns_g_keyfile, &cfg_type_rndckey, &config));
+ CHECK(cfg_map_get(config, "key", &key));
+
+ keyid = isc_mem_get(mctx, sizeof(*keyid));
+ if (keyid == NULL)
+ CHECK(ISC_R_NOMEMORY);
+ keyid->keyname = isc_mem_strdup(mctx,
+ cfg_obj_asstring(cfg_map_getname(key)));
+ keyid->secret.base = NULL;
+ keyid->secret.length = 0;
+ ISC_LINK_INIT(keyid, link);
+ if (keyid->keyname == NULL)
+ CHECK(ISC_R_NOMEMORY);
+
+ CHECK(bind9_check_key(key, ns_g_lctx));
+
+ (void)cfg_map_get(key, "algorithm", &algobj);
+ (void)cfg_map_get(key, "secret", &secretobj);
+ INSIST(algobj != NULL && secretobj != NULL);
+
+ algstr = cfg_obj_asstring(algobj);
+ secretstr = cfg_obj_asstring(secretobj);
+
+ if (ns_config_getkeyalgorithm(algstr, NULL) != ISC_R_SUCCESS) {
+ cfg_obj_log(key, ns_g_lctx,
+ ISC_LOG_WARNING,
+ "unsupported algorithm '%s' in "
+ "key '%s' for use with command "
+ "channel",
+ algstr, keyid->keyname);
+ goto cleanup;
+ }
+
+ isc_buffer_init(&b, secret, sizeof(secret));
+ result = isc_base64_decodestring(secretstr, &b);
+
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+ "secret for key '%s' on command channel: %s",
+ keyid->keyname, isc_result_totext(result));
+ CHECK(result);
+ }
+
+ keyid->secret.length = isc_buffer_usedlength(&b);
+ keyid->secret.base = isc_mem_get(mctx,
+ keyid->secret.length);
+ if (keyid->secret.base == NULL) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't register key '%s': "
+ "out of memory", keyid->keyname);
+ CHECK(ISC_R_NOMEMORY);
+ }
+ memcpy(keyid->secret.base, isc_buffer_base(&b),
+ keyid->secret.length);
+ ISC_LIST_APPEND(*keyids, keyid, link);
+ keyid = NULL;
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (keyid != NULL)
+ free_controlkey(keyid, mctx);
+ if (config != NULL)
+ cfg_obj_destroy(pctx, &config);
+ if (pctx != NULL)
+ cfg_parser_destroy(&pctx);
+ return (result);
+}
+
+/*
+ * Ensures that both '*global_keylistp' and '*control_keylistp' are
+ * valid or both are NULL.
+ */
+static void
+get_key_info(cfg_obj_t *config, cfg_obj_t *control,
+ cfg_obj_t **global_keylistp, cfg_obj_t **control_keylistp)
+{
+ isc_result_t result;
+ cfg_obj_t *control_keylist = NULL;
+ cfg_obj_t *global_keylist = NULL;
+
+ REQUIRE(global_keylistp != NULL && *global_keylistp == NULL);
+ REQUIRE(control_keylistp != NULL && *control_keylistp == NULL);
+
+ control_keylist = cfg_tuple_get(control, "keys");
+
+ if (!cfg_obj_isvoid(control_keylist) &&
+ cfg_list_first(control_keylist) != NULL) {
+ result = cfg_map_get(config, "key", &global_keylist);
+
+ if (result == ISC_R_SUCCESS) {
+ *global_keylistp = global_keylist;
+ *control_keylistp = control_keylist;
+ }
+ }
+}
+
+static void
+update_listener(ns_controls_t *cp,
+ controllistener_t **listenerp, cfg_obj_t *control,
+ cfg_obj_t *config, isc_sockaddr_t *addr,
+ ns_aclconfctx_t *aclconfctx, const char *socktext)
+{
+ controllistener_t *listener;
+ cfg_obj_t *allow;
+ cfg_obj_t *global_keylist = NULL;
+ cfg_obj_t *control_keylist = NULL;
+ dns_acl_t *new_acl = NULL;
+ controlkeylist_t keys;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ for (listener = ISC_LIST_HEAD(cp->listeners);
+ listener != NULL;
+ listener = ISC_LIST_NEXT(listener, link))
+ if (isc_sockaddr_equal(addr, &listener->address))
+ break;
+
+ if (listener == NULL) {
+ *listenerp = NULL;
+ return;
+ }
+
+ /*
+ * There is already a listener for this sockaddr.
+ * Update the access list and key information.
+ *
+ * First try to deal with the key situation. There are a few
+ * possibilities:
+ * (a) It had an explicit keylist and still has an explicit keylist.
+ * (b) It had an automagic key and now has an explicit keylist.
+ * (c) It had an explicit keylist and now needs an automagic key.
+ * (d) It has an automagic key and still needs the automagic key.
+ *
+ * (c) and (d) are the annoying ones. The caller needs to know
+ * that it should use the automagic configuration for key information
+ * in place of the named.conf configuration.
+ *
+ * XXXDCL There is one other hazard that has not been dealt with,
+ * the problem that if a key change is being caused by a control
+ * channel reload, then the response will be with the new key
+ * and not able to be decrypted by the client.
+ */
+ if (control != NULL)
+ get_key_info(config, control, &global_keylist,
+ &control_keylist);
+
+ if (control_keylist != NULL) {
+ INSIST(global_keylist != NULL);
+
+ ISC_LIST_INIT(keys);
+ result = controlkeylist_fromcfg(control_keylist,
+ listener->mctx, &keys);
+ if (result == ISC_R_SUCCESS) {
+ free_controlkeylist(&listener->keys, listener->mctx);
+ listener->keys = keys;
+ register_keys(control, global_keylist, &listener->keys,
+ listener->mctx, socktext);
+ }
+ } else {
+ free_controlkeylist(&listener->keys, listener->mctx);
+ result = get_rndckey(listener->mctx, &listener->keys);
+ }
+
+ if (result != ISC_R_SUCCESS && global_keylist != NULL)
+ /*
+ * This message might be a little misleading since the
+ * "new keys" might in fact be identical to the old ones,
+ * but tracking whether they are identical just for the
+ * sake of avoiding this message would be too much trouble.
+ */
+ cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't install new keys for "
+ "command channel %s: %s",
+ socktext, isc_result_totext(result));
+
+
+ /*
+ * Now, keep the old access list unless a new one can be made.
+ */
+ if (control != NULL) {
+ allow = cfg_tuple_get(control, "allow");
+ result = ns_acl_fromconfig(allow, config, aclconfctx,
+ listener->mctx, &new_acl);
+ } else {
+ result = dns_acl_any(listener->mctx, &new_acl);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ dns_acl_detach(&listener->acl);
+ dns_acl_attach(new_acl, &listener->acl);
+ dns_acl_detach(&new_acl);
+ } else
+ /* XXXDCL say the old acl is still used? */
+ cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't install new acl for "
+ "command channel %s: %s",
+ socktext, isc_result_totext(result));
+
+ *listenerp = listener;
+}
+
+static void
+add_listener(ns_controls_t *cp, controllistener_t **listenerp,
+ cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr,
+ ns_aclconfctx_t *aclconfctx, const char *socktext)
+{
+ isc_mem_t *mctx = cp->server->mctx;
+ controllistener_t *listener;
+ cfg_obj_t *allow;
+ cfg_obj_t *global_keylist = NULL;
+ cfg_obj_t *control_keylist = NULL;
+ dns_acl_t *new_acl = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ listener = isc_mem_get(mctx, sizeof(*listener));
+ if (listener == NULL)
+ result = ISC_R_NOMEMORY;
+
+ if (result == ISC_R_SUCCESS) {
+ listener->controls = cp;
+ listener->mctx = mctx;
+ listener->task = cp->server->task;
+ listener->address = *addr;
+ listener->sock = NULL;
+ listener->listening = ISC_FALSE;
+ listener->exiting = ISC_FALSE;
+ listener->acl = NULL;
+ ISC_LINK_INIT(listener, link);
+ ISC_LIST_INIT(listener->keys);
+ ISC_LIST_INIT(listener->connections);
+
+ /*
+ * Make the acl.
+ */
+ if (control != NULL) {
+ allow = cfg_tuple_get(control, "allow");
+ result = ns_acl_fromconfig(allow, config, aclconfctx,
+ mctx, &new_acl);
+ } else {
+ result = dns_acl_any(mctx, &new_acl);
+ }
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ dns_acl_attach(new_acl, &listener->acl);
+ dns_acl_detach(&new_acl);
+
+ if (config != NULL)
+ get_key_info(config, control, &global_keylist,
+ &control_keylist);
+
+ if (control_keylist != NULL) {
+ result = controlkeylist_fromcfg(control_keylist,
+ listener->mctx,
+ &listener->keys);
+ if (result == ISC_R_SUCCESS)
+ register_keys(control, global_keylist,
+ &listener->keys,
+ listener->mctx, socktext);
+ } else
+ result = get_rndckey(mctx, &listener->keys);
+
+ if (result != ISC_R_SUCCESS && control != NULL)
+ cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't install keys for "
+ "command channel %s: %s",
+ socktext, isc_result_totext(result));
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ int pf = isc_sockaddr_pf(&listener->address);
+ if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+ (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
+ result = ISC_R_FAMILYNOSUPPORT;
+ }
+
+ if (result == ISC_R_SUCCESS)
+ result = isc_socket_create(ns_g_socketmgr,
+ isc_sockaddr_pf(&listener->address),
+ isc_sockettype_tcp,
+ &listener->sock);
+
+ if (result == ISC_R_SUCCESS)
+ result = isc_socket_bind(listener->sock,
+ &listener->address);
+
+ if (result == ISC_R_SUCCESS)
+ result = control_listen(listener);
+
+ if (result == ISC_R_SUCCESS)
+ result = control_accept(listener);
+
+ if (result == ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+ "command channel listening on %s", socktext);
+ *listenerp = listener;
+
+ } else {
+ if (listener != NULL) {
+ listener->exiting = ISC_TRUE;
+ free_listener(listener);
+ }
+
+ if (control != NULL)
+ cfg_obj_log(control, ns_g_lctx, ISC_LOG_WARNING,
+ "couldn't add command channel %s: %s",
+ socktext, isc_result_totext(result));
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL, ISC_LOG_NOTICE,
+ "couldn't add command channel %s: %s",
+ socktext, isc_result_totext(result));
+
+ *listenerp = NULL;
+ }
+
+ /* XXXDCL return error results? fail hard? */
+}
+
+isc_result_t
+ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config,
+ ns_aclconfctx_t *aclconfctx)
+{
+ controllistener_t *listener;
+ controllistenerlist_t new_listeners;
+ cfg_obj_t *controlslist = NULL;
+ cfg_listelt_t *element, *element2;
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ ISC_LIST_INIT(new_listeners);
+
+ /*
+ * Get the list of named.conf 'controls' statements.
+ */
+ (void)cfg_map_get(config, "controls", &controlslist);
+
+ /*
+ * Run through the new control channel list, noting sockets that
+ * are already being listened on and moving them to the new list.
+ *
+ * Identifying duplicate addr/port combinations is left to either
+ * the underlying config code, or to the bind attempt getting an
+ * address-in-use error.
+ */
+ if (controlslist != NULL) {
+ for (element = cfg_list_first(controlslist);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ cfg_obj_t *controls;
+ cfg_obj_t *inetcontrols = NULL;
+
+ controls = cfg_listelt_value(element);
+ (void)cfg_map_get(controls, "inet", &inetcontrols);
+ if (inetcontrols == NULL)
+ continue;
+
+ for (element2 = cfg_list_first(inetcontrols);
+ element2 != NULL;
+ element2 = cfg_list_next(element2)) {
+ cfg_obj_t *control;
+ cfg_obj_t *obj;
+ isc_sockaddr_t *addr;
+
+ /*
+ * The parser handles BIND 8 configuration file
+ * syntax, so it allows unix phrases as well
+ * inet phrases with no keys{} clause.
+ *
+ * "unix" phrases have been reported as
+ * unsupported by the parser.
+ */
+ control = cfg_listelt_value(element2);
+
+ obj = cfg_tuple_get(control, "address");
+ addr = cfg_obj_assockaddr(obj);
+ if (isc_sockaddr_getport(addr) == 0)
+ isc_sockaddr_setport(addr,
+ NS_CONTROL_PORT);
+
+ isc_sockaddr_format(addr, socktext,
+ sizeof(socktext));
+
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_CONTROL,
+ ISC_LOG_DEBUG(9),
+ "processing control channel %s",
+ socktext);
+
+ update_listener(cp, &listener, control, config,
+ addr, aclconfctx, socktext);
+
+ if (listener != NULL)
+ /*
+ * Remove the listener from the old
+ * list, so it won't be shut down.
+ */
+ ISC_LIST_UNLINK(cp->listeners,
+ listener, link);
+ else
+ /*
+ * This is a new listener.
+ */
+ add_listener(cp, &listener, control,
+ config, addr, aclconfctx,
+ socktext);
+
+ if (listener != NULL)
+ ISC_LIST_APPEND(new_listeners,
+ listener, link);
+ }
+ }
+ } else {
+ int i;
+
+ for (i = 0; i < 2; i++) {
+ isc_sockaddr_t addr;
+
+ if (i == 0) {
+ struct in_addr localhost;
+
+ if (isc_net_probeipv4() != ISC_R_SUCCESS)
+ continue;
+ localhost.s_addr = htonl(INADDR_LOOPBACK);
+ isc_sockaddr_fromin(&addr, &localhost, 0);
+ } else {
+ if (isc_net_probeipv6() != ISC_R_SUCCESS)
+ continue;
+ isc_sockaddr_fromin6(&addr,
+ &in6addr_loopback, 0);
+ }
+ isc_sockaddr_setport(&addr, NS_CONTROL_PORT);
+
+ isc_sockaddr_format(&addr, socktext, sizeof(socktext));
+
+ update_listener(cp, &listener, NULL, NULL,
+ &addr, NULL, socktext);
+
+ if (listener != NULL)
+ /*
+ * Remove the listener from the old
+ * list, so it won't be shut down.
+ */
+ ISC_LIST_UNLINK(cp->listeners,
+ listener, link);
+ else
+ /*
+ * This is a new listener.
+ */
+ add_listener(cp, &listener, NULL, NULL,
+ &addr, NULL, socktext);
+
+ if (listener != NULL)
+ ISC_LIST_APPEND(new_listeners,
+ listener, link);
+ }
+ }
+
+ /*
+ * ns_control_shutdown() will stop whatever is on the global
+ * listeners list, which currently only has whatever sockaddrs
+ * were in the previous configuration (if any) that do not
+ * remain in the current configuration.
+ */
+ controls_shutdown(cp);
+
+ /*
+ * Put all of the valid listeners on the listeners list.
+ * Anything already on listeners in the process of shutting
+ * down will be taken care of by listen_done().
+ */
+ ISC_LIST_APPENDLIST(cp->listeners, new_listeners, link);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp) {
+ isc_mem_t *mctx = server->mctx;
+ isc_result_t result;
+ ns_controls_t *controls = isc_mem_get(mctx, sizeof(*controls));
+
+ if (controls == NULL)
+ return (ISC_R_NOMEMORY);
+ controls->server = server;
+ ISC_LIST_INIT(controls->listeners);
+ controls->shuttingdown = ISC_FALSE;
+ controls->symtab = NULL;
+ result = isccc_cc_createsymtab(&controls->symtab);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(server->mctx, controls, sizeof(*controls));
+ return (result);
+ }
+ *ctrlsp = controls;
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_controls_destroy(ns_controls_t **ctrlsp) {
+ ns_controls_t *controls = *ctrlsp;
+
+ REQUIRE(ISC_LIST_EMPTY(controls->listeners));
+
+ isccc_symtab_destroy(&controls->symtab);
+ isc_mem_put(controls->server->mctx, controls, sizeof(*controls));
+ *ctrlsp = NULL;
+}
diff --git a/contrib/bind9/bin/named/include/named/aclconf.h b/contrib/bind9/bin/named/include/named/aclconf.h
new file mode 100644
index 0000000..8126572
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/aclconf.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: aclconf.h,v 1.12.208.1 2004/03/06 10:21:23 marka Exp $ */
+
+#ifndef NS_ACLCONF_H
+#define NS_ACLCONF_H 1
+
+#include <isc/lang.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/types.h>
+
+typedef struct ns_aclconfctx {
+ ISC_LIST(dns_acl_t) named_acl_cache;
+} ns_aclconfctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+void
+ns_aclconfctx_init(ns_aclconfctx_t *ctx);
+/*
+ * Initialize an ACL configuration context.
+ */
+
+void
+ns_aclconfctx_destroy(ns_aclconfctx_t *ctx);
+/*
+ * Destroy an ACL configuration context.
+ */
+
+isc_result_t
+ns_acl_fromconfig(cfg_obj_t *caml,
+ cfg_obj_t *cctx,
+ ns_aclconfctx_t *ctx,
+ isc_mem_t *mctx,
+ dns_acl_t **target);
+/*
+ * Construct a new dns_acl_t from configuration data in 'caml' and
+ * 'cctx'. Memory is allocated through 'mctx'.
+ *
+ * Any named ACLs referred to within 'caml' will be be converted
+ * inte nested dns_acl_t objects. Multiple references to the same
+ * named ACLs will be converted into shared references to a single
+ * nested dns_acl_t object when the referring objects were created
+ * passing the same ACL configuration context 'ctx'.
+ *
+ * On success, attach '*target' to the new dns_acl_t object.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NS_ACLCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/builtin.h b/contrib/bind9/bin/named/include/named/builtin.h
new file mode 100644
index 0000000..15564bf
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/builtin.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: builtin.h,v 1.1.204.3 2004/03/08 04:04:20 marka Exp $ */
+
+#ifndef NAMED_BUILTIN_H
+#define NAMED_BUILTIN_H 1
+
+#include <isc/types.h>
+
+isc_result_t ns_builtin_init(void);
+
+void ns_builtin_deinit(void);
+
+#endif /* NAMED_BUILTIN_H */
diff --git a/contrib/bind9/bin/named/include/named/client.h b/contrib/bind9/bin/named/include/named/client.h
new file mode 100644
index 0000000..97951a4
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/client.h
@@ -0,0 +1,337 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: client.h,v 1.60.2.2.10.8 2004/07/23 02:56:52 marka Exp $ */
+
+#ifndef NAMED_CLIENT_H
+#define NAMED_CLIENT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Client
+ *
+ * This module defines two objects, ns_client_t and ns_clientmgr_t.
+ *
+ * An ns_client_t object handles incoming DNS requests from clients
+ * on a given network interface.
+ *
+ * Each ns_client_t object can handle only one TCP connection or UDP
+ * request at a time. Therefore, several ns_client_t objects are
+ * typically created to serve each network interface, e.g., one
+ * for handling TCP requests and a few (one per CPU) for handling
+ * UDP requests.
+ *
+ * Incoming requests are classified as queries, zone transfer
+ * requests, update requests, notify requests, etc, and handed off
+ * to the appropriate request handler. When the request has been
+ * fully handled (which can be much later), the ns_client_t must be
+ * notified of this by calling one of the following functions
+ * exactly once in the context of its task:
+ *
+ * ns_client_send() (sending a non-error response)
+ * ns_client_sendraw() (sending a raw response)
+ * ns_client_error() (sending an error response)
+ * ns_client_next() (sending no response)
+ *
+ * This will release any resources used by the request and
+ * and allow the ns_client_t to listen for the next request.
+ *
+ * A ns_clientmgr_t manages a number of ns_client_t objects.
+ * New ns_client_t objects are created by calling
+ * ns_clientmgr_createclients(). They are destroyed by
+ * destroying their manager.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+#include <isc/quota.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+#include <named/types.h>
+#include <named/query.h>
+
+/***
+ *** Types
+ ***/
+
+typedef ISC_LIST(ns_client_t) client_list_t;
+
+struct ns_client {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ ns_clientmgr_t * manager;
+ int state;
+ int newstate;
+ int naccepts;
+ int nreads;
+ int nsends;
+ int nrecvs;
+ int nupdates;
+ int nctls;
+ int references;
+ unsigned int attributes;
+ isc_task_t * task;
+ dns_view_t * view;
+ dns_dispatch_t * dispatch;
+ isc_socket_t * udpsocket;
+ isc_socket_t * tcplistener;
+ isc_socket_t * tcpsocket;
+ unsigned char * tcpbuf;
+ dns_tcpmsg_t tcpmsg;
+ isc_boolean_t tcpmsg_valid;
+ isc_timer_t * timer;
+ isc_boolean_t timerset;
+ dns_message_t * message;
+ isc_socketevent_t * sendevent;
+ isc_socketevent_t * recvevent;
+ unsigned char * recvbuf;
+ dns_rdataset_t * opt;
+ isc_uint16_t udpsize;
+ isc_uint16_t extflags;
+ void (*next)(ns_client_t *);
+ void (*shutdown)(void *arg, isc_result_t result);
+ void *shutdown_arg;
+ ns_query_t query;
+ isc_stdtime_t requesttime;
+ isc_stdtime_t now;
+ dns_name_t signername; /* [T]SIG key name */
+ dns_name_t * signer; /* NULL if not valid sig */
+ isc_boolean_t mortal; /* Die after handling request */
+ isc_quota_t *tcpquota;
+ isc_quota_t *recursionquota;
+ ns_interface_t *interface;
+ isc_sockaddr_t peeraddr;
+ isc_boolean_t peeraddr_valid;
+ struct in6_pktinfo pktinfo;
+ isc_event_t ctlevent;
+ /*
+ * Information about recent FORMERR response(s), for
+ * FORMERR loop avoidance. This is separate for each
+ * client object rather than global only to avoid
+ * the need for locking.
+ */
+ struct {
+ isc_sockaddr_t addr;
+ isc_stdtime_t time;
+ dns_messageid_t id;
+ } formerrcache;
+ ISC_LINK(ns_client_t) link;
+ /*
+ * The list 'link' is part of, or NULL if not on any list.
+ */
+ client_list_t *list;
+};
+
+#define NS_CLIENT_MAGIC ISC_MAGIC('N','S','C','c')
+#define NS_CLIENT_VALID(c) ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
+
+#define NS_CLIENTATTR_TCP 0x01
+#define NS_CLIENTATTR_RA 0x02 /* Client gets recusive service */
+#define NS_CLIENTATTR_PKTINFO 0x04 /* pktinfo is valid */
+#define NS_CLIENTATTR_MULTICAST 0x08 /* recv'd from multicast */
+#define NS_CLIENTATTR_WANTDNSSEC 0x10 /* include dnssec records */
+
+
+/***
+ *** Functions
+ ***/
+
+/*
+ * Note! These ns_client_ routines MUST be called ONLY from the client's
+ * task in order to ensure synchronization.
+ */
+
+void
+ns_client_send(ns_client_t *client);
+/*
+ * Finish processing the current client request and
+ * send client->message as a response.
+ */
+
+void
+ns_client_sendraw(ns_client_t *client, dns_message_t *msg);
+/*
+ * Finish processing the current client request and
+ * send msg as a response using client->message->id for the id.
+ */
+
+void
+ns_client_error(ns_client_t *client, isc_result_t result);
+/*
+ * Finish processing the current client request and return
+ * an error response to the client. The error response
+ * will have an RCODE determined by 'result'.
+ */
+
+void
+ns_client_next(ns_client_t *client, isc_result_t result);
+/*
+ * Finish processing the current client request,
+ * return no response to the client.
+ */
+
+isc_boolean_t
+ns_client_shuttingdown(ns_client_t *client);
+/*
+ * Return ISC_TRUE iff the client is currently shutting down.
+ */
+
+void
+ns_client_attach(ns_client_t *source, ns_client_t **target);
+/*
+ * Attach '*targetp' to 'source'.
+ */
+
+void
+ns_client_detach(ns_client_t **clientp);
+/*
+ * Detach '*clientp' from its client.
+ */
+
+isc_result_t
+ns_client_replace(ns_client_t *client);
+/*
+ * Try to replace the current client with a new one, so that the
+ * current one can go off and do some lengthy work without
+ * leaving the dispatch/socket without service.
+ */
+
+void
+ns_client_settimeout(ns_client_t *client, unsigned int seconds);
+/*
+ * Set a timer in the client to go off in the specified amount of time.
+ */
+
+isc_result_t
+ns_clientmgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, ns_clientmgr_t **managerp);
+/*
+ * Create a client manager.
+ */
+
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp);
+/*
+ * Destroy a client manager and all ns_client_t objects
+ * managed by it.
+ */
+
+isc_result_t
+ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
+ ns_interface_t *ifp, isc_boolean_t tcp);
+/*
+ * Create up to 'n' clients listening on interface 'ifp'.
+ * If 'tcp' is ISC_TRUE, the clients will listen for TCP connections,
+ * otherwise for UDP requests.
+ */
+
+isc_sockaddr_t *
+ns_client_getsockaddr(ns_client_t *client);
+/*
+ * Get the socket address of the client whose request is
+ * currently being processed.
+ */
+
+isc_result_t
+ns_client_checkaclsilent(ns_client_t *client,dns_acl_t *acl,
+ isc_boolean_t default_allow);
+
+/*
+ * Convenience function for client request ACL checking.
+ *
+ * Check the current client request against 'acl'. If 'acl'
+ * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ *
+ * Notes:
+ * This is appropriate for checking allow-update,
+ * allow-query, allow-transfer, etc. It is not appropriate
+ * for checking the blackhole list because we treat positive
+ * matches as "allow" and negative matches as "deny"; in
+ * the case of the blackhole list this would be backwards.
+ *
+ * Requires:
+ * 'client' points to a valid client.
+ * 'acl' points to a valid ACL, or is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS if the request should be allowed
+ * ISC_R_REFUSED if the request should be denied
+ * No other return values are possible.
+ */
+
+isc_result_t
+ns_client_checkacl(ns_client_t *client,
+ const char *opname, dns_acl_t *acl,
+ isc_boolean_t default_allow,
+ int log_level);
+/*
+ * Like ns_client_checkacl, but also logs the outcome of the
+ * check at log level 'log_level' if denied, and at debug 3
+ * if approved. Log messages will refer to the request as
+ * an 'opname' request.
+ *
+ * Requires:
+ * Those of ns_client_checkaclsilent(), and:
+ *
+ * 'opname' points to a null-terminated string.
+ */
+
+void
+ns_client_log(ns_client_t *client, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+
+void
+ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap) ISC_FORMAT_PRINTF(5, 0);
+
+void
+ns_client_aclmsg(const char *msg, dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataclass_t rdclass, char *buf, size_t len);
+
+#define NS_CLIENT_ACLMSGSIZE(x) \
+ (DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE + \
+ DNS_RDATACLASS_FORMATSIZE + sizeof(x) + sizeof("'/'"))
+
+void
+ns_client_recursing(ns_client_t *client, isc_boolean_t killoldest);
+/*
+ * Add client to end of recursing list. If 'killoldest' is true
+ * kill the oldest recursive client (list head).
+ */
+
+void
+ns_client_dumprecursing(FILE *f, ns_clientmgr_t *manager);
+/*
+ * Dump the outstanding recursive queries to 'f'.
+ */
+
+#endif /* NAMED_CLIENT_H */
diff --git a/contrib/bind9/bin/named/include/named/config.h b/contrib/bind9/bin/named/include/named/config.h
new file mode 100644
index 0000000..b3b4f12
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/config.h
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: config.h,v 1.4.12.4 2004/04/20 14:12:10 marka Exp $ */
+
+#ifndef NAMED_CONFIG_H
+#define NAMED_CONFIG_H 1
+
+#include <isccfg/cfg.h>
+
+#include <dns/types.h>
+#include <dns/zone.h>
+
+isc_result_t
+ns_config_parsedefaults(cfg_parser_t *parser, cfg_obj_t **conf);
+
+isc_result_t
+ns_config_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+
+isc_result_t
+ns_checknames_get(cfg_obj_t **maps, const char* name, cfg_obj_t **obj);
+
+int
+ns_config_listcount(cfg_obj_t *list);
+
+isc_result_t
+ns_config_getclass(cfg_obj_t *classobj, dns_rdataclass_t defclass,
+ dns_rdataclass_t *classp);
+
+isc_result_t
+ns_config_gettype(cfg_obj_t *typeobj, dns_rdatatype_t deftype,
+ dns_rdatatype_t *typep);
+
+dns_zonetype_t
+ns_config_getzonetype(cfg_obj_t *zonetypeobj);
+
+isc_result_t
+ns_config_getiplist(cfg_obj_t *config, cfg_obj_t *list,
+ in_port_t defport, isc_mem_t *mctx,
+ isc_sockaddr_t **addrsp, isc_uint32_t *countp);
+
+void
+ns_config_putiplist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+ isc_uint32_t count);
+
+isc_result_t
+ns_config_getipandkeylist(cfg_obj_t *config, cfg_obj_t *list, isc_mem_t *mctx,
+ isc_sockaddr_t **addrsp, dns_name_t ***keys,
+ isc_uint32_t *countp);
+
+void
+ns_config_putipandkeylist(isc_mem_t *mctx, isc_sockaddr_t **addrsp,
+ dns_name_t ***keys, isc_uint32_t count);
+
+isc_result_t
+ns_config_getport(cfg_obj_t *config, in_port_t *portp);
+
+isc_result_t
+ns_config_getkeyalgorithm(const char *str, dns_name_t **name);
+
+#endif /* NAMED_CONFIG_H */
diff --git a/contrib/bind9/bin/named/include/named/control.h b/contrib/bind9/bin/named/include/named/control.h
new file mode 100644
index 0000000..b8d95d8b
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/control.h
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: control.h,v 1.6.2.2.2.6 2004/03/08 04:04:20 marka Exp $ */
+
+#ifndef NAMED_CONTROL_H
+#define NAMED_CONTROL_H 1
+
+/*
+ * The name server command channel.
+ */
+
+#include <isccc/types.h>
+
+#include <named/aclconf.h>
+#include <named/types.h>
+
+#define NS_CONTROL_PORT 953
+
+#define NS_COMMAND_STOP "stop"
+#define NS_COMMAND_HALT "halt"
+#define NS_COMMAND_RELOAD "reload"
+#define NS_COMMAND_RECONFIG "reconfig"
+#define NS_COMMAND_REFRESH "refresh"
+#define NS_COMMAND_RETRANSFER "retransfer"
+#define NS_COMMAND_DUMPSTATS "stats"
+#define NS_COMMAND_QUERYLOG "querylog"
+#define NS_COMMAND_DUMPDB "dumpdb"
+#define NS_COMMAND_TRACE "trace"
+#define NS_COMMAND_NOTRACE "notrace"
+#define NS_COMMAND_FLUSH "flush"
+#define NS_COMMAND_FLUSHNAME "flushname"
+#define NS_COMMAND_STATUS "status"
+#define NS_COMMAND_FREEZE "freeze"
+#define NS_COMMAND_UNFREEZE "unfreeze"
+#define NS_COMMAND_RECURSING "recursing"
+#define NS_COMMAND_NULL "null"
+
+isc_result_t
+ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);
+/*
+ * Create an initial, empty set of command channels for 'server'.
+ */
+
+void
+ns_controls_destroy(ns_controls_t **ctrlsp);
+/*
+ * Destroy a set of command channels.
+ *
+ * Requires:
+ * Shutdown of the channels has completed.
+ */
+
+isc_result_t
+ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config,
+ ns_aclconfctx_t *aclconfctx);
+/*
+ * Configure zero or more command channels into 'controls'
+ * as defined in the configuration parse tree 'config'.
+ * The channels will evaluate ACLs in the context of
+ * 'aclconfctx'.
+ */
+
+void
+ns_controls_shutdown(ns_controls_t *controls);
+/*
+ * Initiate shutdown of all the command channels in 'controls'.
+ */
+
+isc_result_t
+ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text);
+
+#endif /* NAMED_CONTROL_H */
diff --git a/contrib/bind9/bin/named/include/named/globals.h b/contrib/bind9/bin/named/include/named/globals.h
new file mode 100644
index 0000000..2cc8548
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/globals.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: globals.h,v 1.59.68.5 2004/03/08 04:04:20 marka Exp $ */
+
+#ifndef NAMED_GLOBALS_H
+#define NAMED_GLOBALS_H 1
+
+#include <isc/rwlock.h>
+#include <isc/log.h>
+#include <isc/net.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/zone.h>
+
+#include <named/types.h>
+
+#undef EXTERN
+#undef INIT
+#ifdef NS_MAIN
+#define EXTERN
+#define INIT(v) = (v)
+#else
+#define EXTERN extern
+#define INIT(v)
+#endif
+
+EXTERN isc_mem_t * ns_g_mctx INIT(NULL);
+EXTERN unsigned int ns_g_cpus INIT(0);
+EXTERN isc_taskmgr_t * ns_g_taskmgr INIT(NULL);
+EXTERN dns_dispatchmgr_t * ns_g_dispatchmgr INIT(NULL);
+EXTERN isc_entropy_t * ns_g_entropy INIT(NULL);
+EXTERN isc_entropy_t * ns_g_fallbackentropy INIT(NULL);
+
+/*
+ * XXXRTH We're going to want multiple timer managers eventually. One
+ * for really short timers, another for client timers, and one
+ * for zone timers.
+ */
+EXTERN isc_timermgr_t * ns_g_timermgr INIT(NULL);
+EXTERN isc_socketmgr_t * ns_g_socketmgr INIT(NULL);
+EXTERN cfg_parser_t * ns_g_parser INIT(NULL);
+EXTERN const char * ns_g_version INIT(VERSION);
+EXTERN in_port_t ns_g_port INIT(0);
+EXTERN in_port_t lwresd_g_listenport INIT(0);
+
+EXTERN ns_server_t * ns_g_server INIT(NULL);
+
+EXTERN isc_boolean_t ns_g_lwresdonly INIT(ISC_FALSE);
+
+/*
+ * Logging.
+ */
+EXTERN isc_log_t * ns_g_lctx INIT(NULL);
+EXTERN isc_logcategory_t * ns_g_categories INIT(NULL);
+EXTERN isc_logmodule_t * ns_g_modules INIT(NULL);
+EXTERN unsigned int ns_g_debuglevel INIT(0);
+
+/*
+ * Current configuration information.
+ */
+EXTERN cfg_obj_t * ns_g_config INIT(NULL);
+EXTERN cfg_obj_t * ns_g_defaults INIT(NULL);
+EXTERN const char * ns_g_conffile INIT(NS_SYSCONFDIR
+ "/named.conf");
+EXTERN const char * ns_g_keyfile INIT(NS_SYSCONFDIR
+ "/rndc.key");
+EXTERN const char * lwresd_g_conffile INIT(NS_SYSCONFDIR
+ "/lwresd.conf");
+EXTERN const char * lwresd_g_resolvconffile INIT("/etc"
+ "/resolv.conf");
+EXTERN isc_boolean_t ns_g_conffileset INIT(ISC_FALSE);
+EXTERN isc_boolean_t lwresd_g_useresolvconf INIT(ISC_FALSE);
+EXTERN isc_uint16_t ns_g_udpsize INIT(4096);
+
+/*
+ * Initial resource limits.
+ */
+EXTERN isc_resourcevalue_t ns_g_initstacksize INIT(0);
+EXTERN isc_resourcevalue_t ns_g_initdatasize INIT(0);
+EXTERN isc_resourcevalue_t ns_g_initcoresize INIT(0);
+EXTERN isc_resourcevalue_t ns_g_initopenfiles INIT(0);
+
+/*
+ * Misc.
+ */
+EXTERN isc_boolean_t ns_g_coreok INIT(ISC_TRUE);
+EXTERN const char * ns_g_chrootdir INIT(NULL);
+EXTERN isc_boolean_t ns_g_foreground INIT(ISC_FALSE);
+EXTERN isc_boolean_t ns_g_logstderr INIT(ISC_FALSE);
+
+EXTERN const char * ns_g_defaultpidfile INIT(NS_LOCALSTATEDIR
+ "/run/named.pid");
+EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
+ "/run/lwresd.pid");
+EXTERN const char * ns_g_username INIT(NULL);
+
+EXTERN int ns_g_listen INIT(3);
+
+#undef EXTERN
+#undef INIT
+
+#endif /* NAMED_GLOBALS_H */
diff --git a/contrib/bind9/bin/named/include/named/interfacemgr.h b/contrib/bind9/bin/named/include/named/interfacemgr.h
new file mode 100644
index 0000000..54bd91c
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/interfacemgr.h
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: interfacemgr.h,v 1.23.24.7 2004/04/29 01:31:22 marka Exp $ */
+
+#ifndef NAMED_INTERFACEMGR_H
+#define NAMED_INTERFACEMGR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Interface manager
+ *
+ * The interface manager monitors the operating system's list
+ * of network interfaces, creating and destroying listeners
+ * as needed.
+ *
+ * Reliability:
+ * No impact expected.
+ *
+ * Resources:
+ *
+ * Security:
+ * The server will only be able to bind to the DNS port on
+ * newly discovered interfaces if it is running as root.
+ *
+ * Standards:
+ * The API for scanning varies greatly among operating systems.
+ * This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+
+#include <dns/result.h>
+
+#include <named/listenlist.h>
+#include <named/types.h>
+
+/***
+ *** Types
+ ***/
+
+#define IFACE_MAGIC ISC_MAGIC('I',':','-',')')
+#define NS_INTERFACE_VALID(t) ISC_MAGIC_VALID(t, IFACE_MAGIC)
+
+#define NS_INTERFACEFLAG_ANYADDR 0x01U /* bound to "any" address */
+
+struct ns_interface {
+ unsigned int magic; /* Magic number. */
+ ns_interfacemgr_t * mgr; /* Interface manager. */
+ isc_mutex_t lock;
+ int references; /* Locked */
+ unsigned int generation; /* Generation number. */
+ isc_sockaddr_t addr; /* Address and port. */
+ unsigned int flags; /* Interface characteristics */
+ char name[32]; /* Null terminated. */
+ dns_dispatch_t * udpdispatch; /* UDP dispatcher. */
+ isc_socket_t * tcpsocket; /* TCP socket. */
+ int ntcptarget; /* Desired number of concurrent
+ TCP accepts */
+ int ntcpcurrent; /* Current ditto, locked */
+ ns_clientmgr_t * clientmgr; /* Client manager. */
+ ISC_LINK(ns_interface_t) link;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_socketmgr_t *socketmgr,
+ dns_dispatchmgr_t *dispatchmgr,
+ ns_interfacemgr_t **mgrp);
+/*
+ * Create a new interface manager.
+ *
+ * Initially, the new manager will not listen on any interfaces.
+ * Call ns_interfacemgr_setlistenon() and/or ns_interfacemgr_setlistenon6()
+ * to set nonempty listen-on lists.
+ */
+
+void
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target);
+
+void
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp);
+
+void
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr);
+
+void
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose);
+/*
+ * Scan the operatings system's list of network interfaces
+ * and create listeners when new interfaces are discovered.
+ * Shut down the sockets for interfaces that go away.
+ *
+ * This should be called once on server startup and then
+ * periodically according to the 'interface-interval' option
+ * in named.conf.
+ */
+
+void
+ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
+ isc_boolean_t verbose);
+/*
+ * Similar to ns_interfacemgr_scan(), but this function also tries to see the
+ * need for an explicit listen-on when a list element in 'list' is going to
+ * override an already-listening a wildcard interface.
+ *
+ * This function does not update localhost and localnets ACLs.
+ *
+ * This should be called once on server startup, after configuring views and
+ * zones.
+ */
+
+void
+ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*
+ * Set the IPv4 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv4 listen-on list is freed.
+ */
+
+void
+ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value);
+/*
+ * Set the IPv6 "listen-on" list of 'mgr' to 'value'.
+ * The previous IPv6 listen-on list is freed.
+ */
+
+dns_aclenv_t *
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr);
+
+void
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target);
+
+void
+ns_interface_detach(ns_interface_t **targetp);
+
+void
+ns_interface_shutdown(ns_interface_t *ifp);
+/*
+ * Stop listening for queries on interface 'ifp'.
+ * May safely be called multiple times.
+ */
+
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr);
+
+#endif /* NAMED_INTERFACEMGR_H */
diff --git a/contrib/bind9/bin/named/include/named/listenlist.h b/contrib/bind9/bin/named/include/named/listenlist.h
new file mode 100644
index 0000000..31e8893
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/listenlist.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: listenlist.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+
+#ifndef NAMED_LISTENLIST_H
+#define NAMED_LISTENLIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * "Listen lists", as in the "listen-on" configuration statement.
+ */
+
+/***
+ *** Imports
+ ***/
+#include <isc/net.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct ns_listenelt ns_listenelt_t;
+typedef struct ns_listenlist ns_listenlist_t;
+
+struct ns_listenelt {
+ isc_mem_t * mctx;
+ in_port_t port;
+ dns_acl_t * acl;
+ ISC_LINK(ns_listenelt_t) link;
+};
+
+struct ns_listenlist {
+ isc_mem_t * mctx;
+ int refcount;
+ ISC_LIST(ns_listenelt_t) elts;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
+ dns_acl_t *acl, ns_listenelt_t **target);
+/*
+ * Create a listen-on list element.
+ */
+
+void
+ns_listenelt_destroy(ns_listenelt_t *elt);
+/*
+ * Destroy a listen-on list element.
+ */
+
+isc_result_t
+ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target);
+/*
+ * Create a new, empty listen-on list.
+ */
+
+void
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target);
+/*
+ * Attach '*target' to '*source'.
+ */
+
+void
+ns_listenlist_detach(ns_listenlist_t **listp);
+/*
+ * Detach 'listp'.
+ */
+
+isc_result_t
+ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
+ isc_boolean_t enabled, ns_listenlist_t **target);
+/*
+ * Create a listen-on list with default contents, matching
+ * all addresses with port 'port' (if 'enabled' is ISC_TRUE),
+ * or no addresses (if 'enabled' is ISC_FALSE).
+ */
+
+#endif /* NAMED_LISTENLIST_H */
+
+
diff --git a/contrib/bind9/bin/named/include/named/log.h b/contrib/bind9/bin/named/include/named/log.h
new file mode 100644
index 0000000..e8ad1ca
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/log.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.h,v 1.19.12.3 2004/03/08 04:04:21 marka Exp $ */
+
+#ifndef NAMED_LOG_H
+#define NAMED_LOG_H 1
+
+#include <isc/log.h>
+#include <isc/types.h>
+
+#include <dns/log.h>
+
+#include <named/globals.h> /* Required for ns_g_(categories|modules). */
+
+/* Unused slot 0. */
+#define NS_LOGCATEGORY_CLIENT (&ns_g_categories[1])
+#define NS_LOGCATEGORY_NETWORK (&ns_g_categories[2])
+#define NS_LOGCATEGORY_UPDATE (&ns_g_categories[3])
+#define NS_LOGCATEGORY_QUERIES (&ns_g_categories[4])
+#define NS_LOGCATEGORY_UNMATCHED (&ns_g_categories[5])
+#define NS_LOGCATEGORY_UPDATE_SECURITY (&ns_g_categories[6])
+
+/*
+ * Backwards compatibility.
+ */
+#define NS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
+
+#define NS_LOGMODULE_MAIN (&ns_g_modules[0])
+#define NS_LOGMODULE_CLIENT (&ns_g_modules[1])
+#define NS_LOGMODULE_SERVER (&ns_g_modules[2])
+#define NS_LOGMODULE_QUERY (&ns_g_modules[3])
+#define NS_LOGMODULE_INTERFACEMGR (&ns_g_modules[4])
+#define NS_LOGMODULE_UPDATE (&ns_g_modules[5])
+#define NS_LOGMODULE_XFER_IN (&ns_g_modules[6])
+#define NS_LOGMODULE_XFER_OUT (&ns_g_modules[7])
+#define NS_LOGMODULE_NOTIFY (&ns_g_modules[8])
+#define NS_LOGMODULE_CONTROL (&ns_g_modules[9])
+#define NS_LOGMODULE_LWRESD (&ns_g_modules[10])
+
+isc_result_t
+ns_log_init(isc_boolean_t safe);
+/*
+ * Initialize the logging system and set up an initial default
+ * logging default configuration that will be used until the
+ * config file has been read.
+ *
+ * If 'safe' is true, use a default configuration that refrains
+ * from opening files. This is to avoid creating log files
+ * as root.
+ */
+
+isc_result_t
+ns_log_setdefaultchannels(isc_logconfig_t *lcfg);
+/*
+ * Set up logging channels according to the named defaults, which
+ * may differ from the logging library defaults. Currently,
+ * this just means setting up default_debug.
+ */
+
+isc_result_t
+ns_log_setsafechannels(isc_logconfig_t *lcfg);
+/*
+ * Like ns_log_setdefaultchannels(), but omits any logging to files.
+ */
+
+isc_result_t
+ns_log_setdefaultcategory(isc_logconfig_t *lcfg);
+/*
+ * Set up "category default" to go to the right places.
+ */
+
+isc_result_t
+ns_log_setunmatchedcategory(isc_logconfig_t *lcfg);
+/*
+ * Set up "category unmatched" to go to the right places.
+ */
+
+void
+ns_log_shutdown(void);
+
+#endif /* NAMED_LOG_H */
diff --git a/contrib/bind9/bin/named/include/named/logconf.h b/contrib/bind9/bin/named/include/named/logconf.h
new file mode 100644
index 0000000..a6f7450
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/logconf.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: logconf.h,v 1.10.208.1 2004/03/06 10:21:24 marka Exp $ */
+
+#ifndef NAMED_LOGCONF_H
+#define NAMED_LOGCONF_H 1
+
+#include <isc/log.h>
+
+isc_result_t
+ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt);
+/*
+ * Set up the logging configuration in '*logconf' according to
+ * the named.conf data in 'logstmt'.
+ */
+
+#endif /* NAMED_LOGCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/lwaddr.h b/contrib/bind9/bin/named/include/named/lwaddr.h
new file mode 100644
index 0000000..0aa66b7
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/lwaddr.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwaddr.h,v 1.3.208.1 2004/03/06 10:21:24 marka Exp $ */
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+
+isc_result_t
+lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la);
+
+isc_result_t
+lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
+ in_port_t port);
+
+isc_result_t
+lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na);
+
+isc_result_t
+lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa);
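Review bot: lwaddr.h has no include guard, unlike the other new headers in this directory (`NAMED_LOGCONF_H`, `NAMED_LWDCLIENT_H`, and so on). Double inclusion is harmless while the file holds only prototypes, but I would still wrap it in `#ifndef NAMED_LWADDR_H` / `#define NAMED_LWADDR_H 1` / `#endif` for consistency. The four converters are also undocumented: each returns `isc_result_t`, and a one-line comment saying which address families are accepted and what is returned for any other family would tell callers that the failure path has to be handled. These functions presumably translate addresses taken from resolver requests, which is why that matters.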
diff --git a/contrib/bind9/bin/named/include/named/lwdclient.h b/contrib/bind9/bin/named/include/named/lwdclient.h
new file mode 100644
index 0000000..09d68ff
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/lwdclient.h
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdclient.h,v 1.13.208.1 2004/03/06 10:21:24 marka Exp $ */
+
+#ifndef NAMED_LWDCLIENT_H
+#define NAMED_LWDCLIENT_H 1
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+
+#include <dns/fixedname.h>
+#include <dns/types.h>
+
+#include <lwres/lwres.h>
+
+#include <named/lwsearch.h>
+
+#define LWRD_EVENTCLASS ISC_EVENTCLASS(4242)
+
+#define LWRD_SHUTDOWN (LWRD_EVENTCLASS + 0x0001)
+
+struct ns_lwdclient {
+ isc_sockaddr_t address; /* where to reply */
+ struct in6_pktinfo pktinfo;
+ isc_boolean_t pktinfo_valid;
+ ns_lwdclientmgr_t *clientmgr; /* our parent */
+ ISC_LINK(ns_lwdclient_t) link;
+ unsigned int state;
+ void *arg; /* packet processing state */
+
+ /*
+ * Received data info.
+ */
+ unsigned char buffer[LWRES_RECVLENGTH]; /* receive buffer */
+ isc_uint32_t recvlength; /* length recv'd */
+ lwres_lwpacket_t pkt;
+
+ /*
+ * Send data state. If sendbuf != buffer (that is, the send buffer
+ * isn't our receive buffer) it will be freed to the lwres_context_t.
+ */
+ unsigned char *sendbuf;
+ isc_uint32_t sendlength;
+ isc_buffer_t recv_buffer;
+
+ /*
+ * gabn (get address by name) state info.
+ */
+ dns_adbfind_t *find;
+ dns_adbfind_t *v4find;
+ dns_adbfind_t *v6find;
+ unsigned int find_wanted; /* Addresses we want */
+ dns_fixedname_t query_name;
+ dns_fixedname_t target_name;
+ ns_lwsearchctx_t searchctx;
+ lwres_gabnresponse_t gabn;
+
+ /*
+ * gnba (get name by address) state info.
+ */
+ lwres_gnbaresponse_t gnba;
+ dns_byaddr_t *byaddr;
+ unsigned int options;
+ isc_netaddr_t na;
+
+ /*
+ * grbn (get rrset by name) state info.
+ *
+ * Note: this also uses target_name and searchctx.
+ */
+ lwres_grbnresponse_t grbn;
+ dns_lookup_t *lookup;
+ dns_rdatatype_t rdtype;
+
+ /*
+ * Alias and address info. This is copied up to the gabn/gnba
+ * structures eventually.
+ *
+ * XXXMLG We can keep all of this in a client since we only service
+ * three packet types right now. If we started handling more,
+ * we'd need to use "arg" above and allocate/destroy things.
+ */
+ char *aliases[LWRES_MAX_ALIASES];
+ isc_uint16_t aliaslen[LWRES_MAX_ALIASES];
+ lwres_addr_t addrs[LWRES_MAX_ADDRS];
+};
+
+/*
+ * Client states.
+ *
+ * _IDLE The client is not doing anything at all.
+ *
+ * _RECV The client is waiting for data after issuing a socket recv().
+ *
+ * _RECVDONE Data has been received, and is being processed.
+ *
+ * _FINDWAIT An adb (or other) request was made that cannot be satisfied
+ * immediately. An event will wake the client up.
+ *
+ * _SEND All data for a response has completed, and a reply was
+ * sent via a socket send() call.
+ *
+ * Badly formatted state table:
+ *
+ * IDLE -> RECV when client has a recv() queued.
+ *
+ * RECV -> RECVDONE when recvdone event received.
+ *
+ * RECVDONE -> SEND if the data for a reply is at hand.
+ * RECVDONE -> FINDWAIT if more searching is needed, and events will
+ * eventually wake us up again.
+ *
+ * FINDWAIT -> SEND when enough data was received to reply.
+ *
+ * SEND -> IDLE when a senddone event was received.
+ *
+ * At any time -> IDLE on error. Sometimes this will be -> SEND
+ * instead, if enough data is on hand to reply with a meaningful
+ * error.
+ *
+ * Packets which are badly formatted may or may not get error returns.
+ */
+#define NS_LWDCLIENT_STATEIDLE 1
+#define NS_LWDCLIENT_STATERECV 2
+#define NS_LWDCLIENT_STATERECVDONE 3
+#define NS_LWDCLIENT_STATEFINDWAIT 4
+#define NS_LWDCLIENT_STATESEND 5
+#define NS_LWDCLIENT_STATESENDDONE 6
+
+#define NS_LWDCLIENT_ISIDLE(c) \
+ ((c)->state == NS_LWDCLIENT_STATEIDLE)
+#define NS_LWDCLIENT_ISRECV(c) \
+ ((c)->state == NS_LWDCLIENT_STATERECV)
+#define NS_LWDCLIENT_ISRECVDONE(c) \
+ ((c)->state == NS_LWDCLIENT_STATERECVDONE)
+#define NS_LWDCLIENT_ISFINDWAIT(c) \
+ ((c)->state == NS_LWDCLIENT_STATEFINDWAIT)
+#define NS_LWDCLIENT_ISSEND(c) \
+ ((c)->state == NS_LWDCLIENT_STATESEND)
+
+/*
+ * Overall magic test that means we're not idle.
+ */
+#define NS_LWDCLIENT_ISRUNNING(c) (!NS_LWDCLIENT_ISIDLE(c))
+
+#define NS_LWDCLIENT_SETIDLE(c) \
+ ((c)->state = NS_LWDCLIENT_STATEIDLE)
+#define NS_LWDCLIENT_SETRECV(c) \
+ ((c)->state = NS_LWDCLIENT_STATERECV)
+#define NS_LWDCLIENT_SETRECVDONE(c) \
+ ((c)->state = NS_LWDCLIENT_STATERECVDONE)
+#define NS_LWDCLIENT_SETFINDWAIT(c) \
+ ((c)->state = NS_LWDCLIENT_STATEFINDWAIT)
+#define NS_LWDCLIENT_SETSEND(c) \
+ ((c)->state = NS_LWDCLIENT_STATESEND)
+#define NS_LWDCLIENT_SETSENDDONE(c) \
+ ((c)->state = NS_LWDCLIENT_STATESENDDONE)
+
+struct ns_lwdclientmgr {
+ ns_lwreslistener_t *listener;
+ isc_mem_t *mctx;
+ isc_socket_t *sock; /* socket to use */
+ dns_view_t *view;
+ lwres_context_t *lwctx; /* lightweight proto context */
+ isc_task_t *task; /* owning task */
+ unsigned int flags;
+ ISC_LINK(ns_lwdclientmgr_t) link;
+ ISC_LIST(ns_lwdclient_t) idle; /* idle client slots */
+ ISC_LIST(ns_lwdclient_t) running; /* running clients */
+};
+
+#define NS_LWDCLIENTMGR_FLAGRECVPENDING 0x00000001
+#define NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN 0x00000002
+
+isc_result_t
+ns_lwdclientmgr_create(ns_lwreslistener_t *, unsigned int, isc_taskmgr_t *);
+
+void
+ns_lwdclient_initialize(ns_lwdclient_t *, ns_lwdclientmgr_t *);
+
+isc_result_t
+ns_lwdclient_startrecv(ns_lwdclientmgr_t *);
+
+void
+ns_lwdclient_stateidle(ns_lwdclient_t *);
+
+void
+ns_lwdclient_recv(isc_task_t *, isc_event_t *);
+
+void
+ns_lwdclient_shutdown(isc_task_t *, isc_event_t *);
+
+void
+ns_lwdclient_send(isc_task_t *, isc_event_t *);
+
+isc_result_t
+ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r);
+
+/*
+ * Processing functions of various types.
+ */
+void ns_lwdclient_processgabn(ns_lwdclient_t *, lwres_buffer_t *);
+void ns_lwdclient_processgnba(ns_lwdclient_t *, lwres_buffer_t *);
+void ns_lwdclient_processgrbn(ns_lwdclient_t *, lwres_buffer_t *);
+void ns_lwdclient_processnoop(ns_lwdclient_t *, lwres_buffer_t *);
+
+void ns_lwdclient_errorpktsend(ns_lwdclient_t *, isc_uint32_t);
+
+void ns_lwdclient_log(int level, const char *format, ...)
+ ISC_FORMAT_PRINTF(2, 3);
+
+#endif /* NAMED_LWDCLIENT_H */
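Review bot: `recvlength` in `struct ns_lwdclient` is described only as "length recv'd", with nothing tying it to the fixed `buffer[LWRES_RECVLENGTH]` it measures. Since this pair holds data read from the socket, I would write the invariant down, e.g. `isc_uint32_t recvlength; /* length recv'd; never exceeds sizeof(buffer) */`. The code that enforces it is outside this hunk, so that is the contract I would expect rather than one I can confirm here. Separately, the state comment and the `NS_LWDCLIENT_IS*` macros cover five states, while `NS_LWDCLIENT_STATESENDDONE` and `NS_LWDCLIENT_SETSENDDONE` define a sixth. The comment should describe `_SENDDONE` and where it sits between SEND and IDLE.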
diff --git a/contrib/bind9/bin/named/include/named/lwresd.h b/contrib/bind9/bin/named/include/named/lwresd.h
new file mode 100644
index 0000000..7ba857c
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/lwresd.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwresd.h,v 1.12.208.1 2004/03/06 10:21:25 marka Exp $ */
+
+#ifndef NAMED_LWRESD_H
+#define NAMED_LWRESD_H 1
+
+#include <isc/types.h>
+#include <isc/sockaddr.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/types.h>
+
+struct ns_lwresd {
+ unsigned int magic;
+
+ isc_mutex_t lock;
+ dns_view_t *view;
+ ns_lwsearchlist_t *search;
+ unsigned int ndots;
+ isc_mem_t *mctx;
+ isc_boolean_t shutting_down;
+ unsigned int refs;
+};
+
+struct ns_lwreslistener {
+ unsigned int magic;
+
+ isc_mutex_t lock;
+ isc_mem_t *mctx;
+ isc_sockaddr_t address;
+ ns_lwresd_t *manager;
+ isc_socket_t *sock;
+ unsigned int refs;
+ ISC_LIST(ns_lwdclientmgr_t) cmgrs;
+ ISC_LINK(ns_lwreslistener_t) link;
+};
+
+/*
+ * Configure lwresd.
+ */
+isc_result_t
+ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config);
+
+isc_result_t
+ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
+ cfg_obj_t **configp);
+
+/*
+ * Trigger shutdown.
+ */
+void
+ns_lwresd_shutdown(void);
+
+/*
+ * Manager functions
+ */
+isc_result_t
+ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres, ns_lwresd_t **lwresdp);
+
+void
+ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp);
+
+void
+ns_lwdmanager_detach(ns_lwresd_t **lwresdp);
+
+/*
+ * Listener functions
+ */
+void
+ns_lwreslistener_attach(ns_lwreslistener_t *source,
+ ns_lwreslistener_t **targetp);
+
+void
+ns_lwreslistener_detach(ns_lwreslistener_t **listenerp);
+
+void
+ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
+
+void
+ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm);
+
+
+
+
+/*
+ * INTERNAL FUNCTIONS.
+ */
+void *
+ns__lwresd_memalloc(void *arg, size_t size);
+
+void
+ns__lwresd_memfree(void *arg, void *mem, size_t size);
+
+#endif /* NAMED_LWRESD_H */
diff --git a/contrib/bind9/bin/named/include/named/lwsearch.h b/contrib/bind9/bin/named/include/named/lwsearch.h
new file mode 100644
index 0000000..a864a89
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/lwsearch.h
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwsearch.h,v 1.4.208.1 2004/03/06 10:21:25 marka Exp $ */
+
+#ifndef NAMED_LWSEARCH_H
+#define NAMED_LWSEARCH_H 1
+
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+#include <named/types.h>
+
+/*
+ * Lightweight resolver search list types and routines.
+ *
+ * An ns_lwsearchlist_t holds a list of search path elements.
+ *
+ * An ns_lwsearchctx stores the state of search list during a lookup
+ * operation.
+ */
+
+struct ns_lwsearchlist {
+ unsigned int magic;
+
+ isc_mutex_t lock;
+ isc_mem_t *mctx;
+ unsigned int refs;
+ dns_namelist_t names;
+};
+
+struct ns_lwsearchctx {
+ dns_name_t *relname;
+ dns_name_t *searchname;
+ unsigned int ndots;
+ ns_lwsearchlist_t *list;
+ isc_boolean_t doneexact;
+ isc_boolean_t exactfirst;
+};
+
+isc_result_t
+ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp);
+/*
+ * Create an empty search list object.
+ */
+
+void
+ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target);
+/*
+ * Attach to a search list object.
+ */
+
+void
+ns_lwsearchlist_detach(ns_lwsearchlist_t **listp);
+/*
+ * Detach from a search list object.
+ */
+
+isc_result_t
+ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name);
+/*
+ * Append an element to a search list. This creates a copy of the name.
+ */
+
+void
+ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
+ dns_name_t *name, unsigned int ndots);
+/*
+ * Creates a search list context structure.
+ */
+
+void
+ns_lwsearchctx_first(ns_lwsearchctx_t *sctx);
+/*
+ * Moves the search list context iterator to the first element, which
+ * is usually the exact name.
+ */
+
+isc_result_t
+ns_lwsearchctx_next(ns_lwsearchctx_t *sctx);
+/*
+ * Moves the search list context iterator to the next element.
+ */
+
+isc_result_t
+ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname);
+/*
+ * Obtains the current name to be looked up. This involves either
+ * concatenating the name with a search path element, making an
+ * exact name absolute, or doing nothing.
+ */
+
+#endif /* NAMED_LWSEARCH_H */
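Review bot: `ns_lwsearchctx_next()` and `ns_lwsearchctx_current()` return `isc_result_t`, but their comments do not list the possible results, in particular the one that tells the caller the search list is exhausted. A caller has to read the implementation to write a correct loop, so I would add a `Returns:` section in the style tkeyconf.h uses in this same import. The comment on `ns_lwsearchctx_init()` could also say whether it takes a reference on `list`, since `struct ns_lwsearchctx` keeps that pointer and the list is reference-counted (`refs`).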
diff --git a/contrib/bind9/bin/named/include/named/main.h b/contrib/bind9/bin/named/include/named/main.h
new file mode 100644
index 0000000..e37b519
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/main.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: main.h,v 1.8.2.2.8.4 2004/03/08 04:04:21 marka Exp $ */
+
+#ifndef NAMED_MAIN_H
+#define NAMED_MAIN_H 1
+
+void
+ns_main_earlyfatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+ns_main_earlywarning(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+ns_main_setmemstats(const char *);
+
+#endif /* NAMED_MAIN_H */
diff --git a/contrib/bind9/bin/named/include/named/notify.h b/contrib/bind9/bin/named/include/named/notify.h
new file mode 100644
index 0000000..3cb1d85
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/notify.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: notify.h,v 1.9.208.1 2004/03/06 10:21:25 marka Exp $ */
+
+#ifndef NAMED_NOTIFY_H
+#define NAMED_NOTIFY_H 1
+
+#include <named/types.h>
+#include <named/client.h>
+
+/***
+ *** Module Info
+ ***/
+
+/*
+ * RFC 1996
+ * A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+ */
+
+/***
+ *** Functions.
+ ***/
+
+void
+ns_notify_start(ns_client_t *client);
+
+/*
+ * Examines the incoming message to determine apporiate zone.
+ * Returns FORMERR if there is not exactly one question.
+ * Returns REFUSED if we do not serve the listed zone.
+ * Pass the message to the zone module for processing
+ * and returns the return status.
+ *
+ * Requires
+ * client to be valid.
+ */
+
+#endif /* NAMED_NOTIFY_H */
+
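Review bot: The comment under `ns_notify_start()` describes return values ("Returns FORMERR ...", "returns the return status"), yet the function is declared `void`. These are presumably the DNS response codes sent back to the requester rather than values handed to the caller, and the comment should say so, e.g. `Responds with FORMERR if there is not exactly one question.` The first line also has a typo: "apporiate" should be "appropriate".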
diff --git a/contrib/bind9/bin/named/include/named/query.h b/contrib/bind9/bin/named/include/named/query.h
new file mode 100644
index 0000000..6f348d5
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/query.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: query.h,v 1.28.2.3.8.6 2004/03/08 04:04:21 marka Exp $ */
+
+#ifndef NAMED_QUERY_H
+#define NAMED_QUERY_H 1
+
+#include <isc/types.h>
+#include <isc/buffer.h>
+#include <isc/netaddr.h>
+
+#include <dns/types.h>
+
+#include <named/types.h>
+
+typedef struct ns_dbversion {
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ isc_boolean_t queryok;
+ ISC_LINK(struct ns_dbversion) link;
+} ns_dbversion_t;
+
+struct ns_query {
+ unsigned int attributes;
+ unsigned int restarts;
+ isc_boolean_t timerset;
+ dns_name_t * qname;
+ dns_name_t * origqname;
+ unsigned int dboptions;
+ unsigned int fetchoptions;
+ dns_db_t * gluedb;
+ dns_db_t * authdb;
+ dns_zone_t * authzone;
+ isc_boolean_t authdbset;
+ isc_boolean_t isreferral;
+ isc_mutex_t fetchlock;
+ dns_fetch_t * fetch;
+ isc_bufferlist_t namebufs;
+ ISC_LIST(ns_dbversion_t) activeversions;
+ ISC_LIST(ns_dbversion_t) freeversions;
+};
+
+#define NS_QUERYATTR_RECURSIONOK 0x0001
+#define NS_QUERYATTR_CACHEOK 0x0002
+#define NS_QUERYATTR_PARTIALANSWER 0x0004
+#define NS_QUERYATTR_NAMEBUFUSED 0x0008
+#define NS_QUERYATTR_RECURSING 0x0010
+#define NS_QUERYATTR_CACHEGLUEOK 0x0020
+#define NS_QUERYATTR_QUERYOKVALID 0x0040
+#define NS_QUERYATTR_QUERYOK 0x0080
+#define NS_QUERYATTR_WANTRECURSION 0x0100
+#define NS_QUERYATTR_SECURE 0x0200
+#define NS_QUERYATTR_NOAUTHORITY 0x0400
+#define NS_QUERYATTR_NOADDITIONAL 0x0800
+
+isc_result_t
+ns_query_init(ns_client_t *client);
+
+void
+ns_query_free(ns_client_t *client);
+
+void
+ns_query_start(ns_client_t *client);
+
+void
+ns_query_cancel(ns_client_t *client);
+
+#endif /* NAMED_QUERY_H */
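Review bot: None of the `NS_QUERYATTR_*` bits or the fields of `struct ns_query` carry a comment. The meaning of flags that gate behaviour, such as `NS_QUERYATTR_RECURSIONOK`, `NS_QUERYATTR_CACHEOK` and `NS_QUERYATTR_SECURE`, therefore has to be recovered from the callers. A short trailing comment per flag, in the style server.h uses for its fields, would make it reviewable which code is allowed to set each bit. `fetchlock` should likewise say what it protects; from the layout it looks like `fetch`, but that is not stated.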
diff --git a/contrib/bind9/bin/named/include/named/server.h b/contrib/bind9/bin/named/include/named/server.h
new file mode 100644
index 0000000..97eb2ef
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/server.h
@@ -0,0 +1,213 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: server.h,v 1.58.2.1.10.11 2004/03/08 04:04:21 marka Exp $ */
+
+#ifndef NAMED_SERVER_H
+#define NAMED_SERVER_H 1
+
+#include <isc/log.h>
+#include <isc/sockaddr.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+#include <isc/quota.h>
+
+#include <dns/types.h>
+#include <dns/acl.h>
+
+#include <named/types.h>
+
+#define NS_EVENTCLASS ISC_EVENTCLASS(0x4E43)
+#define NS_EVENT_RELOAD (NS_EVENTCLASS + 0)
+#define NS_EVENT_CLIENTCONTROL (NS_EVENTCLASS + 1)
+
+/*
+ * Name server state. Better here than in lots of separate global variables.
+ */
+struct ns_server {
+ unsigned int magic;
+ isc_mem_t * mctx;
+
+ isc_task_t * task;
+
+ /* Configurable data. */
+ isc_quota_t xfroutquota;
+ isc_quota_t tcpquota;
+ isc_quota_t recursionquota;
+ dns_acl_t *blackholeacl;
+ char * statsfile; /* Statistics file name */
+ char * dumpfile; /* Dump file name */
+ char * recfile; /* Recursive file name */
+ isc_boolean_t version_set; /* User has set version */
+ char * version; /* User-specified version */
+ isc_boolean_t hostname_set; /* User has set hostname */
+ char * hostname; /* User-specified hostname */
+ /* Use hostname for server id */
+ isc_boolean_t server_usehostname;
+ char * server_id; /* User-specified server id */
+
+ /*
+ * Current ACL environment. This defines the
+ * current values of the localhost and localnets
+ * ACLs.
+ */
+ dns_aclenv_t aclenv;
+
+ /* Server data structures. */
+ dns_loadmgr_t * loadmgr;
+ dns_zonemgr_t * zonemgr;
+ dns_viewlist_t viewlist;
+ ns_interfacemgr_t * interfacemgr;
+ dns_db_t * in_roothints;
+ dns_tkeyctx_t * tkeyctx;
+
+ isc_timer_t * interface_timer;
+ isc_timer_t * heartbeat_timer;
+ isc_uint32_t interface_interval;
+ isc_uint32_t heartbeat_interval;
+
+ isc_mutex_t reload_event_lock;
+ isc_event_t * reload_event;
+
+ isc_boolean_t flushonshutdown;
+ isc_boolean_t log_queries; /* For BIND 8 compatibility */
+
+ isc_uint64_t * querystats; /* Query statistics counters */
+
+ ns_controls_t * controls; /* Control channels */
+ unsigned int dispatchgen;
+ ns_dispatchlist_t dispatches;
+
+};
+
+#define NS_SERVER_MAGIC ISC_MAGIC('S','V','E','R')
+#define NS_SERVER_VALID(s) ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
+
+void
+ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
+/*
+ * Create a server object with default settings.
+ * This function either succeeds or causes the program to exit
+ * with a fatal error.
+ */
+
+void
+ns_server_destroy(ns_server_t **serverp);
+/*
+ * Destroy a server object, freeing its memory.
+ */
+
+void
+ns_server_reloadwanted(ns_server_t *server);
+/*
+ * Inform a server that a reload is wanted. This function
+ * may be called asynchronously, from outside the server's task.
+ * If a reload is already scheduled or in progress, the call
+ * is ignored.
+ */
+
+void
+ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush);
+/*
+ * Inform the server that the zones should be flushed to disk on shutdown.
+ */
+
+isc_result_t
+ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text);
+/*
+ * Act on a "reload" command from the command channel.
+ */
+
+isc_result_t
+ns_server_reconfigcommand(ns_server_t *server, char *args);
+/*
+ * Act on a "reconfig" command from the command channel.
+ */
+
+isc_result_t
+ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text);
+/*
+ * Act on a "refresh" command from the command channel.
+ */
+
+isc_result_t
+ns_server_retransfercommand(ns_server_t *server, char *args);
+/*
+ * Act on a "retransfer" command from the command channel.
+ */
+
+isc_result_t
+ns_server_togglequerylog(ns_server_t *server);
+/*
+ * Toggle logging of queries, as in BIND 8.
+ */
+
+/*
+ * Dump the current statistics to the statistics file.
+ */
+isc_result_t
+ns_server_dumpstats(ns_server_t *server);
+
+/*
+ * Dump the current cache to the dump file.
+ */
+isc_result_t
+ns_server_dumpdb(ns_server_t *server, char *args);
+
+/*
+ * Change or increment the server debug level.
+ */
+isc_result_t
+ns_server_setdebuglevel(ns_server_t *server, char *args);
+
+/*
+ * Flush the server's cache(s)
+ */
+isc_result_t
+ns_server_flushcache(ns_server_t *server, char *args);
+
+/*
+ * Flush a particular name from the server's cache(s)
+ */
+isc_result_t
+ns_server_flushname(ns_server_t *server, char *args);
+
+/*
+ * Report the server's status.
+ */
+isc_result_t
+ns_server_status(ns_server_t *server, isc_buffer_t *text);
+
+/*
+ * Enable or disable updates for a zone.
+ */
+isc_result_t
+ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args);
+
+/*
+ * Dump the current recursive queries.
+ */
+isc_result_t
+ns_server_dumprecursing(ns_server_t *server);
+
+/*
+ * Maintain a list of dispatches that require reserved ports.
+ */
+void
+ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr);
+
+#endif /* NAMED_SERVER_H */
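Review bot: The command handlers (`ns_server_reloadcommand()`, `ns_server_dumpdb()`, `ns_server_flushname()` and the rest) take a non-const `char *args` from the command channel. None of the comments says what the string contains, whether it is NUL-terminated, or whether the handler may modify it. Because this is input arriving over the control channel, I would state the contract once above the group, e.g. `/* 'args' is the NUL-terminated command text as received; handlers may tokenize it in place. */`, adjusted to what the implementation does, which is not visible in this hunk. Comment placement is also inconsistent: comments sit below the prototype up to `ns_server_togglequerylog()` and above it from `ns_server_dumpstats()` onward.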
diff --git a/contrib/bind9/bin/named/include/named/sortlist.h b/contrib/bind9/bin/named/include/named/sortlist.h
new file mode 100644
index 0000000..88a1493
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/sortlist.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sortlist.h,v 1.4.208.1 2004/03/06 10:21:26 marka Exp $ */
+
+#ifndef NAMED_SORTLIST_H
+#define NAMED_SORTLIST_H 1
+
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+/*
+ * Type for callback functions that rank addresses.
+ */
+typedef int
+(*dns_addressorderfunc_t)(isc_netaddr_t *address, void *arg);
+
+/*
+ * Return value type for setup_sortlist.
+ */
+typedef enum {
+ NS_SORTLISTTYPE_NONE,
+ NS_SORTLISTTYPE_1ELEMENT,
+ NS_SORTLISTTYPE_2ELEMENT
+} ns_sortlisttype_t;
+
+ns_sortlisttype_t
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp);
+/*
+ * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
+ *
+ * If a 1-element sortlist item applies, return NS_SORTLISTTYPE_1ELEMENT and
+ * make '*argp' point to the matching subelement.
+ *
+ * If a 2-element sortlist item applies, return NS_SORTLISTTYPE_2ELEMENT and
+ * make '*argp' point to ACL that forms the second element.
+ *
+ * If no sortlist item applies, return NS_SORTLISTTYPE_NONE and set '*argp'
+ * to NULL.
+ */
+
+int
+ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg);
+/*
+ * Find the sort order of 'addr' in 'arg', the matching element
+ * of a 1-element top-level sortlist statement.
+ */
+
+int
+ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg);
+/*
+ * Find the sort order of 'addr' in 'arg', a topology-like
+ * ACL forming the second element in a 2-element top-level
+ * sortlist statement.
+ */
+
+void
+ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
+ dns_addressorderfunc_t *orderp,
+ void **argp);
+/*
+ * Find the sortlist statement in 'acl' that applies to 'clientaddr', if any.
+ * If a sortlist statement applies, return in '*orderp' a pointer to a function
+ * for ranking network addresses based on that sortlist statement, and in
+ * '*argp' an argument to pass to said function. If no sortlist statement
+ * applies, set '*orderp' and '*argp' to NULL.
+ */
+
+#endif /* NAMED_SORTLIST_H */
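Review bot: The comment on `ns_sortlist_byaddrsetup()` refers to 'acl' and 'clientaddr', but the parameters are named `sortlist_acl` and `client_addr`; the text looks copied from `ns_sortlist_setup()`. The typedef comment also names `setup_sortlist` where the function is `ns_sortlist_setup`. The same drift appears in tkeyconf.h, whose `Requires:` block lists 'cfg', 'tctx' and '*tctx' for parameters `options` and `tctxp`, and in tsigconf.h, which lists 'ring' for `ringp`. Callers rely on these preconditions, so the names should match the prototypes, e.g. `'tctxp' is not NULL, and '*tctxp' is NULL`.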
diff --git a/contrib/bind9/bin/named/include/named/tkeyconf.h b/contrib/bind9/bin/named/include/named/tkeyconf.h
new file mode 100644
index 0000000..e3710ea
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/tkeyconf.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tkeyconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
+
+#ifndef NS_TKEYCONF_H
+#define NS_TKEYCONF_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+#include <isccfg/cfg.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
+ dns_tkeyctx_t **tctxp);
+/*
+ * Create a TKEY context and configure it, including the default DH key
+ * and default domain, according to 'options'.
+ *
+ * Requires:
+ * 'cfg' is a valid configuration options object.
+ * 'mctx' is not NULL
+ * 'ectx' is not NULL
+ * 'tctx' is not NULL
+ * '*tctx' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NS_TKEYCONF_H */
diff --git a/contrib/bind9/bin/named/include/named/tsigconf.h b/contrib/bind9/bin/named/include/named/tsigconf.h
new file mode 100644
index 0000000..ef4161d
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/tsigconf.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsigconf.h,v 1.9.208.1 2004/03/06 10:21:26 marka Exp $ */
+
+#ifndef NS_TSIGCONF_H
+#define NS_TSIGCONF_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
+/*
+ * Create a TSIG key ring and configure it according to the 'key'
+ * statements in the global and view configuration objects.
+ *
+ * Requires:
+ * 'config' is not NULL.
+ * 'mctx' is not NULL
+ * 'ring' is not NULL, and '*ring' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NS_TSIGCONF_H */
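Review bot: The prototype of ns_tsigkeyring_fromconfig() uses `cfg_obj_t` and `dns_tsig_keyring_t`, but the header includes only <isc/types.h> and <isc/lang.h>, so it appears to compile only when the includer has already pulled in the configuration and DNS type headers. tkeyconf.h in this same import adds `#include <isccfg/cfg.h>` for the same type; adding that line and `#include <dns/types.h>` here would make the header self-contained. update.h and xfrout.h have the same shape: both declare functions taking `ns_client_t *` without including <named/types.h>.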
diff --git a/contrib/bind9/bin/named/include/named/types.h b/contrib/bind9/bin/named/include/named/types.h
new file mode 100644
index 0000000..eb44c53
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/types.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.19.208.2 2004/03/06 10:21:26 marka Exp $ */
+
+#ifndef NAMED_TYPES_H
+#define NAMED_TYPES_H 1
+
+#include <dns/types.h>
+
+typedef struct ns_client ns_client_t;
+typedef struct ns_clientmgr ns_clientmgr_t;
+typedef struct ns_query ns_query_t;
+typedef struct ns_server ns_server_t;
+typedef struct ns_interface ns_interface_t;
+typedef struct ns_interfacemgr ns_interfacemgr_t;
+typedef struct ns_lwresd ns_lwresd_t;
+typedef struct ns_lwreslistener ns_lwreslistener_t;
+typedef struct ns_lwdclient ns_lwdclient_t;
+typedef struct ns_lwdclientmgr ns_lwdclientmgr_t;
+typedef struct ns_lwsearchlist ns_lwsearchlist_t;
+typedef struct ns_lwsearchctx ns_lwsearchctx_t;
+typedef struct ns_controls ns_controls_t;
+typedef struct ns_dispatch ns_dispatch_t;
+typedef ISC_LIST(ns_dispatch_t) ns_dispatchlist_t;
+
+#endif /* NAMED_TYPES_H */
diff --git a/contrib/bind9/bin/named/include/named/update.h b/contrib/bind9/bin/named/include/named/update.h
new file mode 100644
index 0000000..4c97235
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/update.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: update.h,v 1.8.208.1 2004/03/06 10:21:26 marka Exp $ */
+
+#ifndef NAMED_UPDATE_H
+#define NAMED_UPDATE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * RFC2136 Dynamic Update
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <dns/types.h>
+#include <dns/result.h>
+
+/***
+ *** Types.
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_update_start(ns_client_t *client, isc_result_t sigresult);
+
+#endif /* NAMED_UPDATE_H */
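Review bot: ns_update_start() is declared with no contract comment, unlike the configuration headers in this import, and the meaning of `sigresult` is left to the reader. Since this is the entry point for RFC 2136 dynamic updates, I would add a comment above the prototype covering three things. It should state what `sigresult` carries (presumably the outcome of verifying the request's signature, to be confirmed against the caller), whether a non-success value is rejected inside this function or must be filtered by the caller, and what state `client` must be in. ns_xfr_start() in xfrout.h needs the same treatment, including which values of `xfrtype` are accepted and where the transfer ACL is checked.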
diff --git a/contrib/bind9/bin/named/include/named/xfrout.h b/contrib/bind9/bin/named/include/named/xfrout.h
new file mode 100644
index 0000000..e96ff31
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/xfrout.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xfrout.h,v 1.7.208.1 2004/03/06 10:21:27 marka Exp $ */
+
+#ifndef NAMED_XFROUT_H
+#define NAMED_XFROUT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Outgoing zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Functions
+ ***/
+
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t xfrtype);
+
+#endif /* NAMED_XFROUT_H */
diff --git a/contrib/bind9/bin/named/include/named/zoneconf.h b/contrib/bind9/bin/named/include/named/zoneconf.h
new file mode 100644
index 0000000..3b8f200
--- /dev/null
+++ b/contrib/bind9/bin/named/include/named/zoneconf.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zoneconf.h,v 1.16.2.2.8.1 2004/03/06 10:21:27 marka Exp $ */
+
+#ifndef NS_ZONECONF_H
+#define NS_ZONECONF_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+#include <named/aclconf.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
+ ns_aclconfctx_t *ac, dns_zone_t *zone);
+/*
+ * Configure or reconfigure a zone according to the named.conf
+ * data in 'cctx' and 'czone'.
+ *
+ * The zone origin is not configured, it is assumed to have been set
+ * at zone creation time.
+ *
+ * Require:
+ * 'lctx' to be initialized or NULL.
+ * 'cctx' to be initialized or NULL.
+ * 'ac' to point to an initialized ns_aclconfctx_t.
+ * 'czone' to be initialized.
+ * 'zone' to be initialized.
+ */
+
+isc_boolean_t
+ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig);
+/*
+ * If 'zone' can be safely reconfigured according to the configuration
+ * data in 'zconfig', return ISC_TRUE. If the configuration data is so
+ * different from the current zone state that the zone needs to be destroyed
+ * and recreated, return ISC_FALSE.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* NS_ZONECONF_H */
diff --git a/contrib/bind9/bin/named/interfacemgr.c b/contrib/bind9/bin/named/interfacemgr.c
new file mode 100644
index 0000000..b212892
--- /dev/null
+++ b/contrib/bind9/bin/named/interfacemgr.c
@@ -0,0 +1,911 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: interfacemgr.c,v 1.59.2.5.8.15 2004/08/10 04:56:23 jinmei Exp $ */
+
+#include <config.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dispatch.h>
+
+#include <named/client.h>
+#include <named/log.h>
+#include <named/interfacemgr.h>
+
+#define IFMGR_MAGIC ISC_MAGIC('I', 'F', 'M', 'G')
+#define NS_INTERFACEMGR_VALID(t) ISC_MAGIC_VALID(t, IFMGR_MAGIC)
+
+#define IFMGR_COMMON_LOGARGS \
+ ns_g_lctx, NS_LOGCATEGORY_NETWORK, NS_LOGMODULE_INTERFACEMGR
+
+struct ns_interfacemgr {
+ unsigned int magic; /* Magic number. */
+ int references;
+ isc_mutex_t lock;
+ isc_mem_t * mctx; /* Memory context. */
+ isc_taskmgr_t * taskmgr; /* Task manager. */
+ isc_socketmgr_t * socketmgr; /* Socket manager. */
+ dns_dispatchmgr_t * dispatchmgr;
+ unsigned int generation; /* Current generation no. */
+ ns_listenlist_t * listenon4;
+ ns_listenlist_t * listenon6;
+ dns_aclenv_t aclenv; /* Localhost/localnets ACLs */
+ ISC_LIST(ns_interface_t) interfaces; /* List of interfaces. */
+};
+
+static void
+purge_old_interfaces(ns_interfacemgr_t *mgr);
+
+isc_result_t
+ns_interfacemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_socketmgr_t *socketmgr,
+ dns_dispatchmgr_t *dispatchmgr,
+ ns_interfacemgr_t **mgrp)
+{
+ isc_result_t result;
+ ns_interfacemgr_t *mgr;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(mgrp != NULL);
+ REQUIRE(*mgrp == NULL);
+
+ mgr = isc_mem_get(mctx, sizeof(*mgr));
+ if (mgr == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&mgr->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_mem;
+
+ mgr->mctx = mctx;
+ mgr->taskmgr = taskmgr;
+ mgr->socketmgr = socketmgr;
+ mgr->dispatchmgr = dispatchmgr;
+ mgr->generation = 1;
+ mgr->listenon4 = NULL;
+ mgr->listenon6 = NULL;
+
+ ISC_LIST_INIT(mgr->interfaces);
+
+ /*
+ * The listen-on lists are initially empty.
+ */
+ result = ns_listenlist_create(mctx, &mgr->listenon4);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_mem;
+ ns_listenlist_attach(mgr->listenon4, &mgr->listenon6);
+
+ result = dns_aclenv_init(mctx, &mgr->aclenv);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_listenon;
+
+ mgr->references = 1;
+ mgr->magic = IFMGR_MAGIC;
+ *mgrp = mgr;
+ return (ISC_R_SUCCESS);
+
+ cleanup_listenon:
+ ns_listenlist_detach(&mgr->listenon4);
+ ns_listenlist_detach(&mgr->listenon6);
+ cleanup_mem:
+ isc_mem_put(mctx, mgr, sizeof(*mgr));
+ return (result);
+}
+
+static void
+ns_interfacemgr_destroy(ns_interfacemgr_t *mgr) {
+ REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+ dns_aclenv_destroy(&mgr->aclenv);
+ ns_listenlist_detach(&mgr->listenon4);
+ ns_listenlist_detach(&mgr->listenon6);
+ DESTROYLOCK(&mgr->lock);
+ mgr->magic = 0;
+ isc_mem_put(mgr->mctx, mgr, sizeof(*mgr));
+}
+
+dns_aclenv_t *
+ns_interfacemgr_getaclenv(ns_interfacemgr_t *mgr) {
+ return (&mgr->aclenv);
+}
+
+void
+ns_interfacemgr_attach(ns_interfacemgr_t *source, ns_interfacemgr_t **target) {
+ REQUIRE(NS_INTERFACEMGR_VALID(source));
+ LOCK(&source->lock);
+ INSIST(source->references > 0);
+ source->references++;
+ UNLOCK(&source->lock);
+ *target = source;
+}
+
+void
+ns_interfacemgr_detach(ns_interfacemgr_t **targetp) {
+ isc_result_t need_destroy = ISC_FALSE;
+ ns_interfacemgr_t *target = *targetp;
+ REQUIRE(target != NULL);
+ REQUIRE(NS_INTERFACEMGR_VALID(target));
+ LOCK(&target->lock);
+ REQUIRE(target->references > 0);
+ target->references--;
+ if (target->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&target->lock);
+ if (need_destroy)
+ ns_interfacemgr_destroy(target);
+ *targetp = NULL;
+}
+
+void
+ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
+ REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+ /*
+ * Shut down and detach all interfaces.
+ * By incrementing the generation count, we make purge_old_interfaces()
+ * consider all interfaces "old".
+ */
+ mgr->generation++;
+ purge_old_interfaces(mgr);
+}
+
+
+static isc_result_t
+ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+ const char *name, ns_interface_t **ifpret)
+{
+ ns_interface_t *ifp;
+ isc_result_t result;
+
+ REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+ ifp = isc_mem_get(mgr->mctx, sizeof(*ifp));
+ if (ifp == NULL)
+ return (ISC_R_NOMEMORY);
+ ifp->mgr = NULL;
+ ifp->generation = mgr->generation;
+ ifp->addr = *addr;
+ strncpy(ifp->name, name, sizeof(ifp->name));
+ ifp->name[sizeof(ifp->name)-1] = '\0';
+ ifp->clientmgr = NULL;
+
+ result = isc_mutex_init(&ifp->lock);
+ if (result != ISC_R_SUCCESS)
+ goto lock_create_failure;
+
+ result = ns_clientmgr_create(mgr->mctx, mgr->taskmgr,
+ ns_g_timermgr,
+ &ifp->clientmgr);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "ns_clientmgr_create() failed: %s",
+ isc_result_totext(result));
+ goto clientmgr_create_failure;
+ }
+
+ ifp->udpdispatch = NULL;
+
+ ifp->tcpsocket = NULL;
+ /*
+ * Create a single TCP client object. It will replace itself
+ * with a new one as soon as it gets a connection, so the actual
+ * connections will be handled in parallel even though there is
+ * only one client initially.
+ */
+ ifp->ntcptarget = 1;
+ ifp->ntcpcurrent = 0;
+
+ ISC_LINK_INIT(ifp, link);
+
+ ns_interfacemgr_attach(mgr, &ifp->mgr);
+ ISC_LIST_APPEND(mgr->interfaces, ifp, link);
+
+ ifp->references = 1;
+ ifp->magic = IFACE_MAGIC;
+ *ifpret = ifp;
+
+ return (ISC_R_SUCCESS);
+
+ clientmgr_create_failure:
+ DESTROYLOCK(&ifp->lock);
+ lock_create_failure:
+ ifp->magic = 0;
+ isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
+
+ return (ISC_R_UNEXPECTED);
+}
+
+static isc_result_t
+ns_interface_listenudp(ns_interface_t *ifp) {
+ isc_result_t result;
+ unsigned int attrs;
+ unsigned int attrmask;
+
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_UDP;
+ if (isc_sockaddr_pf(&ifp->addr) == AF_INET)
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ else
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ attrs |= DNS_DISPATCHATTR_NOLISTEN;
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+ result = dns_dispatch_getudp(ifp->mgr->dispatchmgr, ns_g_socketmgr,
+ ns_g_taskmgr, &ifp->addr,
+ 4096, 1000, 32768, 8219, 8237,
+ attrs, attrmask, &ifp->udpdispatch);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "could not listen on UDP socket: %s",
+ isc_result_totext(result));
+ goto udp_dispatch_failure;
+ }
+
+ result = ns_clientmgr_createclients(ifp->clientmgr, ns_g_cpus,
+ ifp, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "UDP ns_clientmgr_createclients(): %s",
+ isc_result_totext(result));
+ goto addtodispatch_failure;
+ }
+ return (ISC_R_SUCCESS);
+
+ addtodispatch_failure:
+ dns_dispatch_changeattributes(ifp->udpdispatch, 0,
+ DNS_DISPATCHATTR_NOLISTEN);
+ dns_dispatch_detach(&ifp->udpdispatch);
+ udp_dispatch_failure:
+ return (result);
+}
+
+static isc_result_t
+ns_interface_accepttcp(ns_interface_t *ifp) {
+ isc_result_t result;
+
+ /*
+ * Open a TCP socket.
+ */
+ result = isc_socket_create(ifp->mgr->socketmgr,
+ isc_sockaddr_pf(&ifp->addr),
+ isc_sockettype_tcp,
+ &ifp->tcpsocket);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "creating TCP socket: %s",
+ isc_result_totext(result));
+ goto tcp_socket_failure;
+ }
+#ifndef ISC_ALLOW_MAPPED
+ isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
+#endif
+ result = isc_socket_bind(ifp->tcpsocket, &ifp->addr);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "binding TCP socket: %s",
+ isc_result_totext(result));
+ goto tcp_bind_failure;
+ }
+ result = isc_socket_listen(ifp->tcpsocket, ns_g_listen);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "listening on TCP socket: %s",
+ isc_result_totext(result));
+ goto tcp_listen_failure;
+ }
+
+ /*
+ * If/when there a multiple filters listen to the
+ * result.
+ */
+ (void)isc_socket_filter(ifp->tcpsocket, "dataready");
+
+ result = ns_clientmgr_createclients(ifp->clientmgr,
+ ifp->ntcptarget, ifp,
+ ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "TCP ns_clientmgr_createclients(): %s",
+ isc_result_totext(result));
+ goto accepttcp_failure;
+ }
+ return (ISC_R_SUCCESS);
+
+ accepttcp_failure:
+ tcp_listen_failure:
+ tcp_bind_failure:
+ isc_socket_detach(&ifp->tcpsocket);
+ tcp_socket_failure:
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+ns_interface_setup(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
+ const char *name, ns_interface_t **ifpret,
+ isc_boolean_t accept_tcp)
+{
+ isc_result_t result;
+ ns_interface_t *ifp = NULL;
+ REQUIRE(ifpret != NULL && *ifpret == NULL);
+
+ result = ns_interface_create(mgr, addr, name, &ifp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = ns_interface_listenudp(ifp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_interface;
+
+ if (accept_tcp == ISC_TRUE) {
+ result = ns_interface_accepttcp(ifp);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * XXXRTH We don't currently have a way to easily stop
+ * dispatch service, so we currently return
+ * ISC_R_SUCCESS (the UDP stuff will work even if TCP
+ * creation failed). This will be fixed later.
+ */
+ result = ISC_R_SUCCESS;
+ }
+ }
+ *ifpret = ifp;
+ return (ISC_R_SUCCESS);
+
+ cleanup_interface:
+ ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+ ns_interface_detach(&ifp);
+ return (result);
+}
+
+void
+ns_interface_shutdown(ns_interface_t *ifp) {
+ if (ifp->clientmgr != NULL)
+ ns_clientmgr_destroy(&ifp->clientmgr);
+}
+
+static void
+ns_interface_destroy(ns_interface_t *ifp) {
+ isc_mem_t *mctx = ifp->mgr->mctx;
+ REQUIRE(NS_INTERFACE_VALID(ifp));
+
+ ns_interface_shutdown(ifp);
+
+ if (ifp->udpdispatch != NULL) {
+ dns_dispatch_changeattributes(ifp->udpdispatch, 0,
+ DNS_DISPATCHATTR_NOLISTEN);
+ dns_dispatch_detach(&ifp->udpdispatch);
+ }
+ if (ifp->tcpsocket != NULL)
+ isc_socket_detach(&ifp->tcpsocket);
+
+ DESTROYLOCK(&ifp->lock);
+
+ ns_interfacemgr_detach(&ifp->mgr);
+
+ ifp->magic = 0;
+ isc_mem_put(mctx, ifp, sizeof(*ifp));
+}
+
+void
+ns_interface_attach(ns_interface_t *source, ns_interface_t **target) {
+ REQUIRE(NS_INTERFACE_VALID(source));
+ LOCK(&source->lock);
+ INSIST(source->references > 0);
+ source->references++;
+ UNLOCK(&source->lock);
+ *target = source;
+}
+
+void
+ns_interface_detach(ns_interface_t **targetp) {
+ isc_result_t need_destroy = ISC_FALSE;
+ ns_interface_t *target = *targetp;
+ REQUIRE(target != NULL);
+ REQUIRE(NS_INTERFACE_VALID(target));
+ LOCK(&target->lock);
+ REQUIRE(target->references > 0);
+ target->references--;
+ if (target->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&target->lock);
+ if (need_destroy)
+ ns_interface_destroy(target);
+ *targetp = NULL;
+}
+
+/*
+ * Search the interface list for an interface whose address and port
+ * both match those of 'addr'. Return a pointer to it, or NULL if not found.
+ */
+static ns_interface_t *
+find_matching_interface(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr) {
+ ns_interface_t *ifp;
+ for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL;
+ ifp = ISC_LIST_NEXT(ifp, link)) {
+ if (isc_sockaddr_equal(&ifp->addr, addr))
+ break;
+ }
+ return (ifp);
+}
+
+/*
+ * Remove any interfaces whose generation number is not the current one.
+ */
+static void
+purge_old_interfaces(ns_interfacemgr_t *mgr) {
+ ns_interface_t *ifp, *next;
+ for (ifp = ISC_LIST_HEAD(mgr->interfaces); ifp != NULL; ifp = next) {
+ INSIST(NS_INTERFACE_VALID(ifp));
+ next = ISC_LIST_NEXT(ifp, link);
+ if (ifp->generation != mgr->generation) {
+ char sabuf[256];
+ ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+ isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_INFO,
+ "no longer listening on %s", sabuf);
+ ns_interface_shutdown(ifp);
+ ns_interface_detach(&ifp);
+ }
+ }
+}
+
+static isc_result_t
+clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
+ dns_acl_t *newacl = NULL;
+ isc_result_t result;
+ result = dns_acl_create(mctx, 10, &newacl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_acl_detach(aclp);
+ dns_acl_attach(newacl, aclp);
+ dns_acl_detach(&newacl);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+listenon_is_ip6_any(ns_listenelt_t *elt) {
+ if (elt->acl->length != 1)
+ return (ISC_FALSE);
+ if (elt->acl->elements[0].negative == ISC_FALSE &&
+ elt->acl->elements[0].type == dns_aclelementtype_any)
+ return (ISC_TRUE); /* listen-on-v6 { any; } */
+ return (ISC_FALSE); /* All others */
+}
+
+static isc_result_t
+setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
+ isc_result_t result;
+ dns_aclelement_t elt;
+ unsigned int family;
+ unsigned int prefixlen;
+
+ family = interface->address.family;
+
+ elt.type = dns_aclelementtype_ipprefix;
+ elt.negative = ISC_FALSE;
+ elt.u.ip_prefix.address = interface->address;
+ elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128;
+ result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_netaddr_masktoprefixlen(&interface->netmask,
+ &prefixlen);
+
+ /* Non contigious netmasks not allowed by IPv6 arch. */
+ if (result != ISC_R_SUCCESS && family == AF_INET6)
+ return (result);
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_WARNING,
+ "omitting IPv4 interface %s from "
+ "localnets ACL: %s",
+ interface->name,
+ isc_result_totext(result));
+ } else {
+ elt.u.ip_prefix.prefixlen = prefixlen;
+ if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt,
+ NULL) == ISC_R_NOTFOUND) {
+ result = dns_acl_appendelement(mgr->aclenv.localnets,
+ &elt);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
+ isc_boolean_t verbose)
+{
+ isc_interfaceiter_t *iter = NULL;
+ isc_boolean_t scan_ipv4 = ISC_FALSE;
+ isc_boolean_t scan_ipv6 = ISC_FALSE;
+ isc_boolean_t adjusting = ISC_FALSE;
+ isc_boolean_t ipv6only = ISC_TRUE;
+ isc_boolean_t ipv6pktinfo = ISC_TRUE;
+ isc_result_t result;
+ isc_netaddr_t zero_address, zero_address6;
+ ns_listenelt_t *le;
+ isc_sockaddr_t listen_addr;
+ ns_interface_t *ifp;
+ isc_boolean_t log_explicit = ISC_FALSE;
+
+ if (ext_listen != NULL)
+ adjusting = ISC_TRUE;
+
+ if (isc_net_probeipv6() == ISC_R_SUCCESS)
+ scan_ipv6 = ISC_TRUE;
+#ifdef WANT_IPV6
+ else
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+ "no IPv6 interfaces found");
+#endif
+
+ if (isc_net_probeipv4() == ISC_R_SUCCESS)
+ scan_ipv4 = ISC_TRUE;
+ else
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ verbose ? ISC_LOG_INFO : ISC_LOG_DEBUG(1),
+ "no IPv4 interfaces found");
+
+ /*
+ * A special, but typical case; listen-on-v6 { any; }.
+ * When we can make the socket IPv6-only, open a single wildcard
+ * socket for IPv6 communication. Otherwise, make separate socket
+ * for each IPv6 address in order to avoid accepting IPv4 packets
+ * as the form of mapped addresses unintentionally unless explicitly
+ * allowed.
+ */
+#ifndef ISC_ALLOW_MAPPED
+ if (scan_ipv6 == ISC_TRUE &&
+ isc_net_probe_ipv6only() != ISC_R_SUCCESS) {
+ ipv6only = ISC_FALSE;
+ log_explicit = ISC_TRUE;
+ }
+#endif
+ if (scan_ipv6 == ISC_TRUE &&
+ isc_net_probe_ipv6pktinfo() != ISC_R_SUCCESS) {
+ ipv6pktinfo = ISC_FALSE;
+ log_explicit = ISC_TRUE;
+ }
+ if (scan_ipv6 == ISC_TRUE && ipv6only && ipv6pktinfo) {
+ for (le = ISC_LIST_HEAD(mgr->listenon6->elts);
+ le != NULL;
+ le = ISC_LIST_NEXT(le, link)) {
+ struct in6_addr in6a;
+
+ if (!listenon_is_ip6_any(le))
+ continue;
+
+ in6a = in6addr_any;
+ isc_sockaddr_fromin6(&listen_addr, &in6a, le->port);
+
+ ifp = find_matching_interface(mgr, &listen_addr);
+ if (ifp != NULL) {
+ ifp->generation = mgr->generation;
+ } else {
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_INFO,
+ "listening on IPv6 "
+ "interfaces, port %u",
+ le->port);
+ result = ns_interface_setup(mgr, &listen_addr,
+ "<any>", &ifp,
+ ISC_TRUE);
+ if (result == ISC_R_SUCCESS)
+ ifp->flags |= NS_INTERFACEFLAG_ANYADDR;
+ else
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_ERROR,
+ "listening on all IPv6 "
+ "interfaces failed");
+ /* Continue. */
+ }
+ }
+ }
+
+ isc_netaddr_any(&zero_address);
+ isc_netaddr_any6(&zero_address6);
+
+ result = isc_interfaceiter_create(mgr->mctx, &iter);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (adjusting == ISC_FALSE) {
+ result = clearacl(mgr->mctx, &mgr->aclenv.localhost);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_iter;
+ result = clearacl(mgr->mctx, &mgr->aclenv.localnets);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_iter;
+ }
+
+ for (result = isc_interfaceiter_first(iter);
+ result == ISC_R_SUCCESS;
+ result = isc_interfaceiter_next(iter))
+ {
+ isc_interface_t interface;
+ ns_listenlist_t *ll;
+ unsigned int family;
+
+ result = isc_interfaceiter_current(iter, &interface);
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ family = interface.address.family;
+ if (family != AF_INET && family != AF_INET6)
+ continue;
+ if (scan_ipv4 == ISC_FALSE && family == AF_INET)
+ continue;
+ if (scan_ipv6 == ISC_FALSE && family == AF_INET6)
+ continue;
+
+ /*
+ * Test for the address being nonzero rather than testing
+ * INTERFACE_F_UP, because on some systems the latter
+ * follows the media state and we could end up ignoring
+ * the interface for an entire rescan interval due to
+ * a temporary media glitch at rescan time.
+ */
+ if (family == AF_INET &&
+ isc_netaddr_equal(&interface.address, &zero_address)) {
+ continue;
+ }
+ if (family == AF_INET6 &&
+ isc_netaddr_equal(&interface.address, &zero_address6)) {
+ continue;
+ }
+
+ if (adjusting == ISC_FALSE) {
+ result = setup_locals(mgr, &interface);
+ if (result != ISC_R_SUCCESS)
+ goto ignore_interface;
+ }
+
+ ll = (family == AF_INET) ? mgr->listenon4 : mgr->listenon6;
+ for (le = ISC_LIST_HEAD(ll->elts);
+ le != NULL;
+ le = ISC_LIST_NEXT(le, link))
+ {
+ int match;
+ isc_boolean_t ipv6_wildcard = ISC_FALSE;
+ isc_netaddr_t listen_netaddr;
+ isc_sockaddr_t listen_sockaddr;
+
+ /*
+ * Construct a socket address for this IP/port
+ * combination.
+ */
+ if (family == AF_INET) {
+ isc_netaddr_fromin(&listen_netaddr,
+ &interface.address.type.in);
+ } else {
+ isc_netaddr_fromin6(&listen_netaddr,
+ &interface.address.type.in6);
+ isc_netaddr_setzone(&listen_netaddr,
+ interface.address.zone);
+ }
+ isc_sockaddr_fromnetaddr(&listen_sockaddr,
+ &listen_netaddr,
+ le->port);
+
+ /*
+ * See if the address matches the listen-on statement;
+ * if not, ignore the interface.
+ */
+ result = dns_acl_match(&listen_netaddr, NULL,
+ le->acl, &mgr->aclenv,
+ &match, NULL);
+ if (match <= 0)
+ continue;
+
+ /*
+ * The case of "any" IPv6 address will require
+ * special considerations later, so remember it.
+ */
+ if (family == AF_INET6 && ipv6only && ipv6pktinfo &&
+ listenon_is_ip6_any(le))
+ ipv6_wildcard = ISC_TRUE;
+
+ /*
+ * When adjusting interfaces with extra a listening
+ * list, see if the address matches the extra list.
+ * If it does, and is also covered by a wildcard
+ * interface, we need to listen on the address
+ * explicitly.
+ */
+ if (adjusting == ISC_TRUE) {
+ ns_listenelt_t *ele;
+
+ match = 0;
+ for (ele = ISC_LIST_HEAD(ext_listen->elts);
+ ele != NULL;
+ ele = ISC_LIST_NEXT(ele, link)) {
+ dns_acl_match(&listen_netaddr, NULL,
+ ele->acl, NULL,
+ &match, NULL);
+ if (match > 0 && ele->port == le->port)
+ break;
+ else
+ match = 0;
+ }
+ if (ipv6_wildcard == ISC_TRUE && match == 0)
+ continue;
+ }
+
+ ifp = find_matching_interface(mgr, &listen_sockaddr);
+ if (ifp != NULL) {
+ ifp->generation = mgr->generation;
+ } else {
+ char sabuf[ISC_SOCKADDR_FORMATSIZE];
+
+ if (adjusting == ISC_FALSE &&
+ ipv6_wildcard == ISC_TRUE)
+ continue;
+
+ if (log_explicit && family == AF_INET6 &&
+ !adjusting && listenon_is_ip6_any(le)) {
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ verbose ? ISC_LOG_INFO :
+ ISC_LOG_DEBUG(1),
+ "IPv6 socket API is "
+ "incomplete; explicitly "
+ "binding to each IPv6 "
+ "address separately");
+ log_explicit = ISC_FALSE;
+ }
+ isc_sockaddr_format(&listen_sockaddr,
+ sabuf, sizeof(sabuf));
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_INFO,
+ "%s"
+ "listening on %s interface "
+ "%s, %s",
+ (adjusting == ISC_TRUE) ?
+ "additionally " : "",
+ (family == AF_INET) ?
+ "IPv4" : "IPv6",
+ interface.name, sabuf);
+
+ result = ns_interface_setup(mgr,
+ &listen_sockaddr,
+ interface.name,
+ &ifp,
+ (adjusting == ISC_TRUE) ?
+ ISC_FALSE :
+ ISC_TRUE);
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_ERROR,
+ "creating %s interface "
+ "%s failed; interface "
+ "ignored",
+ (family == AF_INET) ?
+ "IPv4" : "IPv6",
+ interface.name);
+ }
+ /* Continue. */
+ }
+
+ }
+ continue;
+
+ ignore_interface:
+ isc_log_write(IFMGR_COMMON_LOGARGS,
+ ISC_LOG_ERROR,
+ "ignoring %s interface %s: %s",
+ (family == AF_INET) ? "IPv4" : "IPv6",
+ interface.name, isc_result_totext(result));
+ continue;
+ }
+ if (result != ISC_R_NOMORE)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "interface iteration failed: %s",
+ isc_result_totext(result));
+ else
+ result = ISC_R_SUCCESS;
+ cleanup_iter:
+ isc_interfaceiter_destroy(&iter);
+ return (result);
+}
+
+static void
+ns_interfacemgr_scan0(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
+ isc_boolean_t verbose)
+{
+ isc_boolean_t purge = ISC_TRUE;
+
+ REQUIRE(NS_INTERFACEMGR_VALID(mgr));
+
+ mgr->generation++; /* Increment the generation count. */
+
+ if (do_scan(mgr, ext_listen, verbose) != ISC_R_SUCCESS)
+ purge = ISC_FALSE;
+
+ /*
+ * Now go through the interface list and delete anything that
+ * does not have the current generation number. This is
+ * how we catch interfaces that go away or change their
+ * addresses.
+ */
+ if (purge)
+ purge_old_interfaces(mgr);
+
+ /*
+ * Warn if we are not listening on any interface, unless
+ * we're in lwresd-only mode, in which case that is to
+ * be expected.
+ */
+ if (ext_listen == NULL &&
+ ISC_LIST_EMPTY(mgr->interfaces) && ! ns_g_lwresdonly) {
+ isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_WARNING,
+ "not listening on any interfaces");
+ }
+}
+
+void
+ns_interfacemgr_scan(ns_interfacemgr_t *mgr, isc_boolean_t verbose) {
+ ns_interfacemgr_scan0(mgr, NULL, verbose);
+}
+
+void
+ns_interfacemgr_adjust(ns_interfacemgr_t *mgr, ns_listenlist_t *list,
+ isc_boolean_t verbose)
+{
+ ns_interfacemgr_scan0(mgr, list, verbose);
+}
+
+void
+ns_interfacemgr_setlistenon4(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
+ LOCK(&mgr->lock);
+ ns_listenlist_detach(&mgr->listenon4);
+ ns_listenlist_attach(value, &mgr->listenon4);
+ UNLOCK(&mgr->lock);
+}
+
+void
+ns_interfacemgr_setlistenon6(ns_interfacemgr_t *mgr, ns_listenlist_t *value) {
+ LOCK(&mgr->lock);
+ ns_listenlist_detach(&mgr->listenon6);
+ ns_listenlist_attach(value, &mgr->listenon6);
+ UNLOCK(&mgr->lock);
+}
+
+void
+ns_interfacemgr_dumprecursing(FILE *f, ns_interfacemgr_t *mgr) {
+ ns_interface_t *interface;
+
+ LOCK(&mgr->lock);
+ interface = ISC_LIST_HEAD(mgr->interfaces);
+ while (interface != NULL) {
+ if (interface->clientmgr != NULL)
+ ns_client_dumprecursing(f, interface->clientmgr);
+ interface = ISC_LIST_NEXT(interface, link);
+ }
+ UNLOCK(&mgr->lock);
+}
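Review bot: In do_scan() the listen-on decision reads `match` without checking the return of dns_acl_match(): `int match;` is declared uninitialised, the return value is stored in `result`, and `if (match <= 0) continue;` is then evaluated regardless. If dns_acl_match() can fail without writing `match` (its body is not on this page), the set of addresses named binds to would depend on stack contents; I would use `int match = 0;` and test `if (result != ISC_R_SUCCESS || match <= 0) continue;`. The second dns_acl_match() call, in the `adjusting` branch, also discards its return, though `match` is zeroed first there. Separately, every failure label in ns_interface_accepttcp() ends in `return (ISC_R_SUCCESS);`, so the `result != ISC_R_SUCCESS` check in ns_interface_setup() can never fire and a failed TCP bind or listen is visible only in the log; returning `result` would keep the best-effort behaviour, because the caller already resets it. As this is a vendor import, the changes belong upstream.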
diff --git a/contrib/bind9/bin/named/listenlist.c b/contrib/bind9/bin/named/listenlist.c
new file mode 100644
index 0000000..bba164f
--- /dev/null
+++ b/contrib/bind9/bin/named/listenlist.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: listenlist.c,v 1.9.208.1 2004/03/06 10:21:18 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+#include <named/listenlist.h>
+
+static void
+destroy(ns_listenlist_t *list);
+
+isc_result_t
+ns_listenelt_create(isc_mem_t *mctx, in_port_t port,
+ dns_acl_t *acl, ns_listenelt_t **target)
+{
+ ns_listenelt_t *elt = NULL;
+ REQUIRE(target != NULL && *target == NULL);
+ elt = isc_mem_get(mctx, sizeof(*elt));
+ if (elt == NULL)
+ return (ISC_R_NOMEMORY);
+ elt->mctx = mctx;
+ ISC_LINK_INIT(elt, link);
+ elt->port = port;
+ elt->acl = acl;
+ *target = elt;
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_listenelt_destroy(ns_listenelt_t *elt) {
+ if (elt->acl != NULL)
+ dns_acl_detach(&elt->acl);
+ isc_mem_put(elt->mctx, elt, sizeof(*elt));
+}
+
+isc_result_t
+ns_listenlist_create(isc_mem_t *mctx, ns_listenlist_t **target) {
+ ns_listenlist_t *list = NULL;
+ REQUIRE(target != NULL && *target == NULL);
+ list = isc_mem_get(mctx, sizeof(*list));
+ if (list == NULL)
+ return (ISC_R_NOMEMORY);
+ list->mctx = mctx;
+ list->refcount = 1;
+ ISC_LIST_INIT(list->elts);
+ *target = list;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+destroy(ns_listenlist_t *list) {
+ ns_listenelt_t *elt, *next;
+ for (elt = ISC_LIST_HEAD(list->elts);
+ elt != NULL;
+ elt = next)
+ {
+ next = ISC_LIST_NEXT(elt, link);
+ ns_listenelt_destroy(elt);
+ }
+ isc_mem_put(list->mctx, list, sizeof(*list));
+}
+
+void
+ns_listenlist_attach(ns_listenlist_t *source, ns_listenlist_t **target) {
+ INSIST(source->refcount > 0);
+ source->refcount++;
+ *target = source;
+}
+
+void
+ns_listenlist_detach(ns_listenlist_t **listp) {
+ ns_listenlist_t *list = *listp;
+ INSIST(list->refcount > 0);
+ list->refcount--;
+ if (list->refcount == 0)
+ destroy(list);
+ *listp = NULL;
+}
+
+isc_result_t
+ns_listenlist_default(isc_mem_t *mctx, in_port_t port,
+ isc_boolean_t enabled, ns_listenlist_t **target)
+{
+ isc_result_t result;
+ dns_acl_t *acl = NULL;
+ ns_listenelt_t *elt = NULL;
+ ns_listenlist_t *list = NULL;
+
+ REQUIRE(target != NULL && *target == NULL);
+ if (enabled)
+ result = dns_acl_any(mctx, &acl);
+ else
+ result = dns_acl_none(mctx, &acl);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = ns_listenelt_create(mctx, port, acl, &elt);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_acl;
+
+ result = ns_listenlist_create(mctx, &list);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_listenelt;
+
+ ISC_LIST_APPEND(list->elts, elt, link);
+
+ *target = list;
+ return (ISC_R_SUCCESS);
+
+ cleanup_listenelt:
+ ns_listenelt_destroy(elt);
+ cleanup_acl:
+ dns_acl_detach(&acl);
+ cleanup:
+ return (result);
+}
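Review bot: The `cleanup_listenelt` path of ns_listenlist_default() releases the ACL twice. ns_listenelt_create() stores `acl` in `elt->acl` without taking a reference of its own, so `ns_listenelt_destroy(elt)` already detaches it, and control then falls through to `cleanup_acl`, where `dns_acl_detach(&acl)` runs again on the same object through the still non-NULL local pointer. The path is reached only when ns_listenlist_create() fails, that is, under memory pressure, where a second detach on released memory is hard to diagnose. Adding `goto cleanup;` directly after `ns_listenelt_destroy(elt);` keeps the label ladder and drops the second detach. A one-line comment on ns_listenelt_create() saying that the element takes over the caller's ACL reference would make the ownership rule visible.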
diff --git a/contrib/bind9/bin/named/log.c b/contrib/bind9/bin/named/log.c
new file mode 100644
index 0000000..31af4bd
--- /dev/null
+++ b/contrib/bind9/bin/named/log.c
@@ -0,0 +1,217 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.c,v 1.33.2.1.10.4 2004/03/08 09:04:14 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/result.h>
+
+#include <isccfg/log.h>
+
+#include <named/log.h>
+
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif
+
+/*
+ * When adding a new category, be sure to add the appropriate
+ * #define to <named/log.h>.
+ */
+static isc_logcategory_t categories[] = {
+ { "", 0 },
+ { "client", 0 },
+ { "network", 0 },
+ { "update", 0 },
+ { "queries", 0 },
+ { "unmatched", 0 },
+ { "update-security", 0 },
+ { NULL, 0 }
+};
+
+/*
+ * When adding a new module, be sure to add the appropriate
+ * #define to <dns/log.h>.
+ */
+static isc_logmodule_t modules[] = {
+ { "main", 0 },
+ { "client", 0 },
+ { "server", 0 },
+ { "query", 0 },
+ { "interfacemgr", 0 },
+ { "update", 0 },
+ { "xfer-in", 0 },
+ { "xfer-out", 0 },
+ { "notify", 0 },
+ { "control", 0 },
+ { "lwresd", 0 },
+ { NULL, 0 }
+};
+
+isc_result_t
+ns_log_init(isc_boolean_t safe) {
+ isc_result_t result;
+ isc_logconfig_t *lcfg = NULL;
+
+ ns_g_categories = categories;
+ ns_g_modules = modules;
+
+ /*
+ * Setup a logging context.
+ */
+ result = isc_log_create(ns_g_mctx, &ns_g_lctx, &lcfg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isc_log_registercategories(ns_g_lctx, ns_g_categories);
+ isc_log_registermodules(ns_g_lctx, ns_g_modules);
+ isc_log_setcontext(ns_g_lctx);
+ dns_log_init(ns_g_lctx);
+ dns_log_setcontext(ns_g_lctx);
+ cfg_log_init(ns_g_lctx);
+
+ if (safe)
+ result = ns_log_setsafechannels(lcfg);
+ else
+ result = ns_log_setdefaultchannels(lcfg);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = ns_log_setdefaultcategory(lcfg);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_log_destroy(&ns_g_lctx);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+
+ return (result);
+}
+
+isc_result_t
+ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
+ isc_result_t result;
+ isc_logdestination_t destination;
+
+ /*
+ * By default, the logging library makes "default_debug" log to
+ * stderr. In BIND, we want to override this and log to named.run
+ * instead, unless the the -g option was given.
+ */
+ if (! ns_g_logstderr) {
+ destination.file.stream = NULL;
+ destination.file.name = "named.run";
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ result = isc_log_createchannel(lcfg, "default_debug",
+ ISC_LOG_TOFILE,
+ ISC_LOG_DYNAMIC,
+ &destination,
+ ISC_LOG_PRINTTIME|
+ ISC_LOG_DEBUGONLY);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+#if ISC_FACILITY != LOG_DAEMON
+ destination.facility = ISC_FACILITY;
+ result = isc_log_createchannel(lcfg, "default_syslog",
+ ISC_LOG_TOSYSLOG, ISC_LOG_INFO,
+ &destination, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+#endif
+
+ /*
+ * Set the initial debug level.
+ */
+ isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ return (result);
+}
+
+isc_result_t
+ns_log_setsafechannels(isc_logconfig_t *lcfg) {
+ isc_result_t result;
+
+ if (! ns_g_logstderr) {
+ result = isc_log_createchannel(lcfg, "default_debug",
+ ISC_LOG_TONULL,
+ ISC_LOG_DYNAMIC,
+ NULL, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Setting the debug level to zero should get the output
+ * discarded a bit faster.
+ */
+ isc_log_setdebuglevel(ns_g_lctx, 0);
+ } else {
+ isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+ }
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ return (result);
+}
+
+isc_result_t
+ns_log_setdefaultcategory(isc_logconfig_t *lcfg) {
+ isc_result_t result;
+
+ if (! ns_g_logstderr) {
+ result = isc_log_usechannel(lcfg, "default_syslog",
+ ISC_LOGCATEGORY_DEFAULT, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ result = isc_log_usechannel(lcfg, "default_debug",
+ ISC_LOGCATEGORY_DEFAULT, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ return (result);
+}
+
+isc_result_t
+ns_log_setunmatchedcategory(isc_logconfig_t *lcfg) {
+ isc_result_t result;
+
+ result = isc_log_usechannel(lcfg, "null",
+ NS_LOGCATEGORY_UNMATCHED, NULL);
+ return (result);
+}
+
+void
+ns_log_shutdown(void) {
+ isc_log_destroy(&ns_g_lctx);
+ isc_log_setcontext(NULL);
+ dns_log_setcontext(NULL);
+}
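Review bot: The comment above `modules[]` sends maintainers to `<dns/log.h>`, but this file includes `<named/log.h>` and not `<dns/log.h>`, and the comment above `categories[]` names `<named/log.h>`. The reference looks carried over from the DNS library and should probably read `#define to <named/log.h>`. The header is not part of this hunk, but both tables are presumably matched to its macros by position. If so, it is worth adding to both comments that new entries must be appended in the same order as the header's indexes, since a misplaced row would file messages such as "update-security" under another name without any error.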
diff --git a/contrib/bind9/bin/named/logconf.c b/contrib/bind9/bin/named/logconf.c
new file mode 100644
index 0000000..596d401
--- /dev/null
+++ b/contrib/bind9/bin/named/logconf.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: logconf.c,v 1.30.2.3.10.2 2004/03/06 10:21:18 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/offset.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/syslog.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/log.h>
+
+#include <named/log.h>
+#include <named/logconf.h>
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+/*
+ * Set up a logging category according to the named.conf data
+ * in 'ccat' and add it to 'lctx'.
+ */
+static isc_result_t
+category_fromconf(cfg_obj_t *ccat, isc_logconfig_t *lctx) {
+ isc_result_t result;
+ const char *catname;
+ isc_logcategory_t *category;
+ isc_logmodule_t *module;
+ cfg_obj_t *destinations = NULL;
+ cfg_listelt_t *element = NULL;
+
+ catname = cfg_obj_asstring(cfg_tuple_get(ccat, "name"));
+ category = isc_log_categorybyname(ns_g_lctx, catname);
+ if (category == NULL) {
+ cfg_obj_log(ccat, ns_g_lctx, ISC_LOG_ERROR,
+ "unknown logging category '%s' ignored",
+ catname);
+ /*
+ * Allow further processing by returning success.
+ */
+ return (ISC_R_SUCCESS);
+ }
+
+ module = NULL;
+
+ destinations = cfg_tuple_get(ccat, "destinations");
+ for (element = cfg_list_first(destinations);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *channel = cfg_listelt_value(element);
+ char *channelname = cfg_obj_asstring(channel);
+
+ result = isc_log_usechannel(lctx, channelname, category,
+ module);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "logging channel '%s': %s", channelname,
+ isc_result_totext(result));
+ return (result);
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Set up a logging channel according to the named.conf data
+ * in 'cchan' and add it to 'lctx'.
+ */
+static isc_result_t
+channel_fromconf(cfg_obj_t *channel, isc_logconfig_t *lctx) {
+ isc_result_t result;
+ isc_logdestination_t dest;
+ unsigned int type;
+ unsigned int flags = 0;
+ int level;
+ const char *channelname;
+ cfg_obj_t *fileobj = NULL;
+ cfg_obj_t *syslogobj = NULL;
+ cfg_obj_t *nullobj = NULL;
+ cfg_obj_t *stderrobj = NULL;
+ cfg_obj_t *severity = NULL;
+ int i;
+
+ channelname = cfg_obj_asstring(cfg_map_getname(channel));
+
+ (void)cfg_map_get(channel, "file", &fileobj);
+ (void)cfg_map_get(channel, "syslog", &syslogobj);
+ (void)cfg_map_get(channel, "null", &nullobj);
+ (void)cfg_map_get(channel, "stderr", &stderrobj);
+
+ i = 0;
+ if (fileobj != NULL)
+ i++;
+ if (syslogobj != NULL)
+ i++;
+ if (nullobj != NULL)
+ i++;
+ if (stderrobj != NULL)
+ i++;
+
+ if (i != 1) {
+ cfg_obj_log(channel, ns_g_lctx, ISC_LOG_ERROR,
+ "channel '%s': exactly one of file, syslog, "
+ "null, and stderr must be present", channelname);
+ return (ISC_R_FAILURE);
+ }
+
+ type = ISC_LOG_TONULL;
+
+ if (fileobj != NULL) {
+ cfg_obj_t *pathobj = cfg_tuple_get(fileobj, "file");
+ cfg_obj_t *sizeobj = cfg_tuple_get(fileobj, "size");
+ cfg_obj_t *versionsobj = cfg_tuple_get(fileobj, "versions");
+ isc_int32_t versions = ISC_LOG_ROLLNEVER;
+ isc_offset_t size = 0;
+
+ type = ISC_LOG_TOFILE;
+
+ if (versionsobj != NULL && cfg_obj_isuint32(versionsobj))
+ versions = cfg_obj_asuint32(versionsobj);
+ if (versionsobj != NULL && cfg_obj_isstring(versionsobj) &&
+ strcasecmp(cfg_obj_asstring(versionsobj), "unlimited") == 0)
+ versions = ISC_LOG_ROLLINFINITE;
+ if (sizeobj != NULL &&
+ cfg_obj_isuint64(sizeobj) &&
+ cfg_obj_asuint64(sizeobj) < ISC_OFFSET_MAXIMUM)
+ size = (isc_offset_t)cfg_obj_asuint64(sizeobj);
+ dest.file.stream = NULL;
+ dest.file.name = cfg_obj_asstring(pathobj);
+ dest.file.versions = versions;
+ dest.file.maximum_size = size;
+ } else if (syslogobj != NULL) {
+ int facility = LOG_DAEMON;
+
+ type = ISC_LOG_TOSYSLOG;
+
+ if (cfg_obj_isstring(syslogobj)) {
+ char *facilitystr = cfg_obj_asstring(syslogobj);
+ (void)isc_syslog_facilityfromstring(facilitystr,
+ &facility);
+ }
+ dest.facility = facility;
+ } else if (stderrobj != NULL) {
+ type = ISC_LOG_TOFILEDESC;
+ dest.file.stream = stderr;
+ dest.file.name = NULL;
+ dest.file.versions = ISC_LOG_ROLLNEVER;
+ dest.file.maximum_size = 0;
+ }
+
+ /*
+ * Munge flags.
+ */
+ {
+ cfg_obj_t *printcat = NULL;
+ cfg_obj_t *printsev = NULL;
+ cfg_obj_t *printtime = NULL;
+
+ (void)cfg_map_get(channel, "print-category", &printcat);
+ (void)cfg_map_get(channel, "print-severity", &printsev);
+ (void)cfg_map_get(channel, "print-time", &printtime);
+
+ if (printcat != NULL && cfg_obj_asboolean(printcat))
+ flags |= ISC_LOG_PRINTCATEGORY;
+ if (printtime != NULL && cfg_obj_asboolean(printtime))
+ flags |= ISC_LOG_PRINTTIME;
+ if (printsev != NULL && cfg_obj_asboolean(printsev))
+ flags |= ISC_LOG_PRINTLEVEL;
+ }
+
+ level = ISC_LOG_INFO;
+ if (cfg_map_get(channel, "severity", &severity) == ISC_R_SUCCESS) {
+ if (cfg_obj_isstring(severity)) {
+ char *str = cfg_obj_asstring(severity);
+ if (strcasecmp(str, "critical") == 0)
+ level = ISC_LOG_CRITICAL;
+ else if (strcasecmp(str, "error") == 0)
+ level = ISC_LOG_ERROR;
+ else if (strcasecmp(str, "warning") == 0)
+ level = ISC_LOG_WARNING;
+ else if (strcasecmp(str, "notice") == 0)
+ level = ISC_LOG_NOTICE;
+ else if (strcasecmp(str, "info") == 0)
+ level = ISC_LOG_INFO;
+ else if (strcasecmp(str, "dynamic") == 0)
+ level = ISC_LOG_DYNAMIC;
+ } else
+ /* debug */
+ level = cfg_obj_asuint32(severity);
+ }
+
+ result = isc_log_createchannel(lctx, channelname,
+ type, level, &dest, flags);
+
+ if (result == ISC_R_SUCCESS && type == ISC_LOG_TOFILE) {
+ FILE *fp;
+
+ /*
+ * Test that the file can be opened, since isc_log_open()
+ * can't effectively report failures when called in
+ * isc_log_doit().
+ */
+ result = isc_stdio_open(dest.file.name, "a", &fp);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, CFG_LOGCATEGORY_CONFIG,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "logging channel '%s' file '%s': %s",
+ channelname, dest.file.name,
+ isc_result_totext(result));
+ else
+ (void)isc_stdio_close(fp);
+
+ /*
+ * Allow named to continue by returning success.
+ */
+ result = ISC_R_SUCCESS;
+ }
+
+ return (result);
+}
+
+isc_result_t
+ns_log_configure(isc_logconfig_t *logconf, cfg_obj_t *logstmt) {
+ isc_result_t result;
+ cfg_obj_t *channels = NULL;
+ cfg_obj_t *categories = NULL;
+ cfg_listelt_t *element;
+ isc_boolean_t default_set = ISC_FALSE;
+ isc_boolean_t unmatched_set = ISC_FALSE;
+
+ CHECK(ns_log_setdefaultchannels(logconf));
+
+ (void)cfg_map_get(logstmt, "channel", &channels);
+ for (element = cfg_list_first(channels);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *channel = cfg_listelt_value(element);
+ CHECK(channel_fromconf(channel, logconf));
+ }
+
+ (void)cfg_map_get(logstmt, "category", &categories);
+ for (element = cfg_list_first(categories);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *category = cfg_listelt_value(element);
+ CHECK(category_fromconf(category, logconf));
+ if (!default_set) {
+ cfg_obj_t *catname = cfg_tuple_get(category, "name");
+ if (strcmp(cfg_obj_asstring(catname), "default") == 0)
+ default_set = ISC_TRUE;
+ }
+ if (!unmatched_set) {
+ cfg_obj_t *catname = cfg_tuple_get(category, "name");
+ if (strcmp(cfg_obj_asstring(catname), "unmatched") == 0)
+ unmatched_set = ISC_TRUE;
+ }
+ }
+
+ if (!default_set)
+ CHECK(ns_log_setdefaultcategory(logconf));
+
+ if (!unmatched_set)
+ CHECK(ns_log_setunmatchedcategory(logconf));
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (logconf != NULL)
+ isc_logconfig_destroy(&logconf);
+ return (result);
+}
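Review bot: On failure ns_log_configure() destroys the caller's logging configuration at `cleanup:`, but `logconf` is passed by value. `isc_logconfig_destroy(&logconf)` can therefore at most clear the local copy, and the caller keeps a pointer to a destroyed object. The caller is outside this hunk; if it also destroys the configuration on its own error path, a failed configuration load would destroy it twice. Either leave the destroy to the caller, or state the contract above the function: `/* On failure 'logconf' has been destroyed; the caller must neither use nor destroy it. */`.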
diff --git a/contrib/bind9/bin/named/lwaddr.c b/contrib/bind9/bin/named/lwaddr.c
new file mode 100644
index 0000000..1bd8d82
--- /dev/null
+++ b/contrib/bind9/bin/named/lwaddr.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwaddr.c,v 1.3.208.1 2004/03/06 10:21:18 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/result.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+
+#include <lwres/lwres.h>
+
+#include <named/lwaddr.h>
+
+/*
+ * Convert addresses from lwres to isc format.
+ */
+isc_result_t
+lwaddr_netaddr_fromlwresaddr(isc_netaddr_t *na, lwres_addr_t *la) {
+ if (la->family != LWRES_ADDRTYPE_V4 && la->family != LWRES_ADDRTYPE_V6)
+ return (ISC_R_FAMILYNOSUPPORT);
+
+ if (la->family == LWRES_ADDRTYPE_V4) {
+ struct in_addr ina;
+ memcpy(&ina.s_addr, la->address, 4);
+ isc_netaddr_fromin(na, &ina);
+ } else {
+ struct in6_addr ina6;
+ memcpy(&ina6.s6_addr, la->address, 16);
+ isc_netaddr_fromin6(na, &ina6);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+lwaddr_sockaddr_fromlwresaddr(isc_sockaddr_t *sa, lwres_addr_t *la,
+ in_port_t port)
+{
+ isc_netaddr_t na;
+ isc_result_t result;
+
+ result = lwaddr_netaddr_fromlwresaddr(&na, la);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_sockaddr_fromnetaddr(sa, &na, port);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Convert addresses from isc to lwres format.
+ */
+
+isc_result_t
+lwaddr_lwresaddr_fromnetaddr(lwres_addr_t *la, isc_netaddr_t *na) {
+ if (na->family != AF_INET && na->family != AF_INET6)
+ return (ISC_R_FAMILYNOSUPPORT);
+
+ if (na->family == AF_INET) {
+ la->family = LWRES_ADDRTYPE_V4;
+ la->length = 4;
+ memcpy(la->address, &na->type.in, 4);
+ } else {
+ la->family = LWRES_ADDRTYPE_V6;
+ la->length = 16;
+ memcpy(la->address, &na->type.in, 16);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+lwaddr_lwresaddr_fromsockaddr(lwres_addr_t *la, isc_sockaddr_t *sa) {
+ isc_netaddr_t na;
+ isc_netaddr_fromsockaddr(&na, sa);
+ return (lwaddr_lwresaddr_fromnetaddr(la, &na));
+}
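Review bot: In lwaddr_lwresaddr_fromnetaddr() the IPv6 branch copies 16 bytes from `&na->type.in`, the IPv4 member, instead of the IPv6 member. isc_netaddr_t is declared outside this hunk; if `type` is a union the bytes copied are the same, but the statement is written as a 16-byte read of a 4-byte object. Bounds checkers flag that, and it would silently become an over-read if the layout changed. The line should read `memcpy(la->address, &na->type.in6, 16);`.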
diff --git a/contrib/bind9/bin/named/lwdclient.c b/contrib/bind9/bin/named/lwdclient.c
new file mode 100644
index 0000000..7975a49
--- /dev/null
+++ b/contrib/bind9/bin/named/lwdclient.c
@@ -0,0 +1,465 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdclient.c,v 1.13.12.5 2004/03/08 09:04:15 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/view.h>
+#include <dns/log.h>
+
+#include <named/types.h>
+#include <named/log.h>
+#include <named/lwresd.h>
+#include <named/lwdclient.h>
+
+#define SHUTTINGDOWN(cm) ((cm->flags & NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN) != 0)
+
+static void
+lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev);
+
+void
+ns_lwdclient_log(int level, const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ isc_log_vwrite(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+ ISC_LOG_DEBUG(level), format, args);
+ va_end(args);
+}
+
+isc_result_t
+ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
+ isc_taskmgr_t *taskmgr)
+{
+ ns_lwresd_t *lwresd = listener->manager;
+ ns_lwdclientmgr_t *cm;
+ ns_lwdclient_t *client;
+ unsigned int i;
+ isc_result_t result = ISC_R_FAILURE;
+
+ cm = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclientmgr_t));
+ if (cm == NULL)
+ return (ISC_R_NOMEMORY);
+
+ cm->listener = NULL;
+ ns_lwreslistener_attach(listener, &cm->listener);
+ cm->mctx = lwresd->mctx;
+ cm->sock = NULL;
+ isc_socket_attach(listener->sock, &cm->sock);
+ cm->view = lwresd->view;
+ cm->lwctx = NULL;
+ cm->task = NULL;
+ cm->flags = 0;
+ ISC_LINK_INIT(cm, link);
+ ISC_LIST_INIT(cm->idle);
+ ISC_LIST_INIT(cm->running);
+
+ if (lwres_context_create(&cm->lwctx, cm->mctx,
+ ns__lwresd_memalloc, ns__lwresd_memfree,
+ LWRES_CONTEXT_SERVERMODE)
+ != ISC_R_SUCCESS)
+ goto errout;
+
+ for (i = 0; i < nclients; i++) {
+ client = isc_mem_get(lwresd->mctx, sizeof(ns_lwdclient_t));
+ if (client != NULL) {
+ ns_lwdclient_log(50, "created client %p, manager %p",
+ client, cm);
+ ns_lwdclient_initialize(client, cm);
+ }
+ }
+
+ /*
+ * If we could create no clients, clean up and return.
+ */
+ if (ISC_LIST_EMPTY(cm->idle))
+ goto errout;
+
+ result = isc_task_create(taskmgr, 0, &cm->task);
+ if (result != ISC_R_SUCCESS)
+ goto errout;
+
+ /*
+ * This MUST be last, since there is no way to cancel an onshutdown...
+ */
+ result = isc_task_onshutdown(cm->task, lwdclientmgr_shutdown_callback,
+ cm);
+ if (result != ISC_R_SUCCESS)
+ goto errout;
+
+ ns_lwreslistener_linkcm(listener, cm);
+
+ return (ISC_R_SUCCESS);
+
+ errout:
+ client = ISC_LIST_HEAD(cm->idle);
+ while (client != NULL) {
+ ISC_LIST_UNLINK(cm->idle, client, link);
+ isc_mem_put(lwresd->mctx, client, sizeof(*client));
+ client = ISC_LIST_HEAD(cm->idle);
+ }
+
+ if (cm->task != NULL)
+ isc_task_detach(&cm->task);
+
+ if (cm->lwctx != NULL)
+ lwres_context_destroy(&cm->lwctx);
+
+ isc_mem_put(lwresd->mctx, cm, sizeof(*cm));
+ return (result);
+}
+
+static void
+lwdclientmgr_destroy(ns_lwdclientmgr_t *cm) {
+ ns_lwdclient_t *client;
+ ns_lwreslistener_t *listener;
+
+ if (!SHUTTINGDOWN(cm))
+ return;
+
+ /*
+ * run through the idle list and free the clients there. Idle
+ * clients do not have a recv running nor do they have any finds
+ * or similar running.
+ */
+ client = ISC_LIST_HEAD(cm->idle);
+ while (client != NULL) {
+ ns_lwdclient_log(50, "destroying client %p, manager %p",
+ client, cm);
+ ISC_LIST_UNLINK(cm->idle, client, link);
+ isc_mem_put(cm->mctx, client, sizeof(*client));
+ client = ISC_LIST_HEAD(cm->idle);
+ }
+
+ if (!ISC_LIST_EMPTY(cm->running))
+ return;
+
+ lwres_context_destroy(&cm->lwctx);
+ cm->view = NULL;
+ isc_socket_detach(&cm->sock);
+ isc_task_detach(&cm->task);
+
+ listener = cm->listener;
+ ns_lwreslistener_unlinkcm(listener, cm);
+ ns_lwdclient_log(50, "destroying manager %p", cm);
+ isc_mem_put(cm->mctx, cm, sizeof(*cm));
+ ns_lwreslistener_detach(&listener);
+}
+
+static void
+process_request(ns_lwdclient_t *client) {
+ lwres_buffer_t b;
+ isc_result_t result;
+
+ lwres_buffer_init(&b, client->buffer, client->recvlength);
+ lwres_buffer_add(&b, client->recvlength);
+
+ result = lwres_lwpacket_parseheader(&b, &client->pkt);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwdclient_log(50, "invalid packet header received");
+ goto restart;
+ }
+
+ ns_lwdclient_log(50, "opcode %08x", client->pkt.opcode);
+
+ switch (client->pkt.opcode) {
+ case LWRES_OPCODE_GETADDRSBYNAME:
+ ns_lwdclient_processgabn(client, &b);
+ return;
+ case LWRES_OPCODE_GETNAMEBYADDR:
+ ns_lwdclient_processgnba(client, &b);
+ return;
+ case LWRES_OPCODE_GETRDATABYNAME:
+ ns_lwdclient_processgrbn(client, &b);
+ return;
+ case LWRES_OPCODE_NOOP:
+ ns_lwdclient_processnoop(client, &b);
+ return;
+ default:
+ ns_lwdclient_log(50, "unknown opcode %08x", client->pkt.opcode);
+ goto restart;
+ }
+
+ /*
+ * Drop the packet.
+ */
+ restart:
+ ns_lwdclient_log(50, "restarting client %p...", client);
+ ns_lwdclient_stateidle(client);
+}
+
+void
+ns_lwdclient_recv(isc_task_t *task, isc_event_t *ev) {
+ isc_result_t result;
+ ns_lwdclient_t *client = ev->ev_arg;
+ ns_lwdclientmgr_t *cm = client->clientmgr;
+ isc_socketevent_t *dev = (isc_socketevent_t *)ev;
+
+ INSIST(dev->region.base == client->buffer);
+ INSIST(NS_LWDCLIENT_ISRECV(client));
+
+ NS_LWDCLIENT_SETRECVDONE(client);
+
+ INSIST((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0);
+ cm->flags &= ~NS_LWDCLIENTMGR_FLAGRECVPENDING;
+
+ ns_lwdclient_log(50,
+ "event received: task %p, length %u, result %u (%s)",
+ task, dev->n, dev->result,
+ isc_result_totext(dev->result));
+
+ if (dev->result != ISC_R_SUCCESS) {
+ isc_event_free(&ev);
+ dev = NULL;
+
+ /*
+ * Go idle.
+ */
+ ns_lwdclient_stateidle(client);
+
+ return;
+ }
+
+ client->recvlength = dev->n;
+ client->address = dev->address;
+ if ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0) {
+ client->pktinfo = dev->pktinfo;
+ client->pktinfo_valid = ISC_TRUE;
+ } else
+ client->pktinfo_valid = ISC_FALSE;
+ isc_event_free(&ev);
+ dev = NULL;
+
+ result = ns_lwdclient_startrecv(cm);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+ "could not start lwres "
+ "client handler: %s",
+ isc_result_totext(result));
+
+ process_request(client);
+}
+
+/*
+ * This function will start a new recv() on a socket for this client manager.
+ */
+isc_result_t
+ns_lwdclient_startrecv(ns_lwdclientmgr_t *cm) {
+ ns_lwdclient_t *client;
+ isc_result_t result;
+ isc_region_t r;
+
+ if (SHUTTINGDOWN(cm)) {
+ lwdclientmgr_destroy(cm);
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * If a recv is already running, don't bother.
+ */
+ if ((cm->flags & NS_LWDCLIENTMGR_FLAGRECVPENDING) != 0)
+ return (ISC_R_SUCCESS);
+
+ /*
+ * If we have no idle slots, just return success.
+ */
+ client = ISC_LIST_HEAD(cm->idle);
+ if (client == NULL)
+ return (ISC_R_SUCCESS);
+ INSIST(NS_LWDCLIENT_ISIDLE(client));
+
+ /*
+ * Issue the recv. If it fails, return that it did.
+ */
+ r.base = client->buffer;
+ r.length = LWRES_RECVLENGTH;
+ result = isc_socket_recv(cm->sock, &r, 0, cm->task, ns_lwdclient_recv,
+ client);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Set the flag to say we've issued a recv() call.
+ */
+ cm->flags |= NS_LWDCLIENTMGR_FLAGRECVPENDING;
+
+ /*
+ * Remove the client from the idle list, and put it on the running
+ * list.
+ */
+ NS_LWDCLIENT_SETRECV(client);
+ ISC_LIST_UNLINK(cm->idle, client, link);
+ ISC_LIST_APPEND(cm->running, client, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+lwdclientmgr_shutdown_callback(isc_task_t *task, isc_event_t *ev) {
+ ns_lwdclientmgr_t *cm = ev->ev_arg;
+ ns_lwdclient_t *client;
+
+ REQUIRE(!SHUTTINGDOWN(cm));
+
+ ns_lwdclient_log(50, "got shutdown event, task %p, lwdclientmgr %p",
+ task, cm);
+
+ /*
+ * run through the idle list and free the clients there. Idle
+ * clients do not have a recv running nor do they have any finds
+ * or similar running.
+ */
+ client = ISC_LIST_HEAD(cm->idle);
+ while (client != NULL) {
+ ns_lwdclient_log(50, "destroying client %p, manager %p",
+ client, cm);
+ ISC_LIST_UNLINK(cm->idle, client, link);
+ isc_mem_put(cm->mctx, client, sizeof(*client));
+ client = ISC_LIST_HEAD(cm->idle);
+ }
+
+ /*
+ * Cancel any pending I/O.
+ */
+ isc_socket_cancel(cm->sock, task, ISC_SOCKCANCEL_ALL);
+
+ /*
+ * Run through the running client list and kill off any finds
+ * in progress.
+ */
+ client = ISC_LIST_HEAD(cm->running);
+ while (client != NULL) {
+ if (client->find != client->v4find
+ && client->find != client->v6find)
+ dns_adb_cancelfind(client->find);
+ if (client->v4find != NULL)
+ dns_adb_cancelfind(client->v4find);
+ if (client->v6find != NULL)
+ dns_adb_cancelfind(client->v6find);
+ client = ISC_LIST_NEXT(client, link);
+ }
+
+ cm->flags |= NS_LWDCLIENTMGR_FLAGSHUTTINGDOWN;
+
+ isc_event_free(&ev);
+}
+
+/*
+ * Do all the crap needed to move a client from the run queue to the idle
+ * queue.
+ */
+void
+ns_lwdclient_stateidle(ns_lwdclient_t *client) {
+ ns_lwdclientmgr_t *cm;
+ isc_result_t result;
+
+ cm = client->clientmgr;
+
+ INSIST(client->sendbuf == NULL);
+ INSIST(client->sendlength == 0);
+ INSIST(client->arg == NULL);
+ INSIST(client->v4find == NULL);
+ INSIST(client->v6find == NULL);
+
+ ISC_LIST_UNLINK(cm->running, client, link);
+ ISC_LIST_PREPEND(cm->idle, client, link);
+
+ NS_LWDCLIENT_SETIDLE(client);
+
+ result = ns_lwdclient_startrecv(cm);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+ "could not start lwres "
+ "client handler: %s",
+ isc_result_totext(result));
+}
+
+void
+ns_lwdclient_send(isc_task_t *task, isc_event_t *ev) {
+ ns_lwdclient_t *client = ev->ev_arg;
+ ns_lwdclientmgr_t *cm = client->clientmgr;
+ isc_socketevent_t *dev = (isc_socketevent_t *)ev;
+
+ UNUSED(task);
+ UNUSED(dev);
+
+ INSIST(NS_LWDCLIENT_ISSEND(client));
+ INSIST(client->sendbuf == dev->region.base);
+
+ ns_lwdclient_log(50, "task %p for client %p got send-done event",
+ task, client);
+
+ if (client->sendbuf != client->buffer)
+ lwres_context_freemem(cm->lwctx, client->sendbuf,
+ client->sendlength);
+ client->sendbuf = NULL;
+ client->sendlength = 0;
+
+ ns_lwdclient_stateidle(client);
+
+ isc_event_free(&ev);
+}
+
+isc_result_t
+ns_lwdclient_sendreply(ns_lwdclient_t *client, isc_region_t *r) {
+ struct in6_pktinfo *pktinfo;
+ ns_lwdclientmgr_t *cm = client->clientmgr;
+
+ if (client->pktinfo_valid)
+ pktinfo = &client->pktinfo;
+ else
+ pktinfo = NULL;
+ return (isc_socket_sendto(cm->sock, r, cm->task, ns_lwdclient_send,
+ client, &client->address, pktinfo));
+}
+
+void
+ns_lwdclient_initialize(ns_lwdclient_t *client, ns_lwdclientmgr_t *cmgr) {
+ client->clientmgr = cmgr;
+ ISC_LINK_INIT(client, link);
+ NS_LWDCLIENT_SETIDLE(client);
+ client->arg = NULL;
+
+ client->recvlength = 0;
+
+ client->sendbuf = NULL;
+ client->sendlength = 0;
+
+ client->find = NULL;
+ client->v4find = NULL;
+ client->v6find = NULL;
+ client->find_wanted = 0;
+
+ client->options = 0;
+ client->byaddr = NULL;
+
+ client->lookup = NULL;
+
+ client->pktinfo_valid = ISC_FALSE;
+
+ ISC_LIST_APPEND(cmgr->idle, client, link);
+}
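Review bot: The `errout:` path of ns_lwdclientmgr_create() frees `cm` without dropping the two references taken at the top of the function. `ns_lwreslistener_attach(listener, &cm->listener)` and `isc_socket_attach(listener->sock, &cm->sock)` have no matching detach there, although lwdclientmgr_destroy() releases both. Every failed creation (lwres context, no client allocated, task creation, onshutdown registration) therefore appears to leave the listener and its socket with a reference that nothing can release, so they would never be torn down. Adding `isc_socket_detach(&cm->sock);` and `ns_lwreslistener_detach(&cm->listener);` before the final `isc_mem_put()` would mirror the normal teardown.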
diff --git a/contrib/bind9/bin/named/lwderror.c b/contrib/bind9/bin/named/lwderror.c
new file mode 100644
index 0000000..51cecf0
--- /dev/null
+++ b/contrib/bind9/bin/named/lwderror.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwderror.c,v 1.7.208.1 2004/03/06 10:21:18 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/socket.h>
+#include <isc/util.h>
+
+#include <named/types.h>
+#include <named/lwdclient.h>
+
+/*
+ * Generate an error packet for the client, schedule a send, and put us in
+ * the SEND state.
+ *
+ * The client->pkt structure will be modified to form an error return.
+ * The receiver needs to verify that it is in fact an error, and do the
+ * right thing with it. The opcode will be unchanged. The result needs
+ * to be set before calling this function.
+ *
+ * The only change this code makes is to set the receive buffer size to the
+ * size we use, set the reply bit, and recompute any security information.
+ */
+void
+ns_lwdclient_errorpktsend(ns_lwdclient_t *client, isc_uint32_t _result) {
+ isc_result_t result;
+ int lwres;
+ isc_region_t r;
+ lwres_buffer_t b;
+
+ REQUIRE(NS_LWDCLIENT_ISRUNNING(client));
+
+ /*
+ * Since we are only sending the packet header, we can safely toss
+ * the receive buffer. This means we won't need to allocate space
+ * for sending an error reply. This is a Good Thing.
+ */
+ client->pkt.length = LWRES_LWPACKET_LENGTH;
+ client->pkt.pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+ client->pkt.recvlength = LWRES_RECVLENGTH;
+ client->pkt.authtype = 0; /* XXXMLG */
+ client->pkt.authlength = 0;
+ client->pkt.result = _result;
+
+ lwres_buffer_init(&b, client->buffer, LWRES_RECVLENGTH);
+ lwres = lwres_lwpacket_renderheader(&b, &client->pkt);
+ if (lwres != LWRES_R_SUCCESS) {
+ ns_lwdclient_stateidle(client);
+ return;
+ }
+
+ r.base = client->buffer;
+ r.length = b.used;
+ client->sendbuf = client->buffer;
+ result = ns_lwdclient_sendreply(client, &r);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwdclient_stateidle(client);
+ return;
+ }
+
+ NS_LWDCLIENT_SETSEND(client);
+}
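Review bot: Both failure branches in ns_lwdclient_errorpktsend, after lwres_lwpacket_renderheader and after ns_lwdclient_sendreply, return the client to idle without logging anything, so a request that ends up with no reply at all leaves no trace for an operator. A log call in each branch would make these drops visible, for example `ns_lwdclient_log(50, "client %p: could not send error reply: %s", client, isc_result_totext(result));` in the sendreply branch. This assumes ns_lwdclient_log is declared in named/lwdclient.h, as its use in lwdgabn.c suggests. The renderheader branch holds an lwres result code rather than an isc_result_t, so it needs its own message format.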
diff --git a/contrib/bind9/bin/named/lwdgabn.c b/contrib/bind9/bin/named/lwdgabn.c
new file mode 100644
index 0000000..030a77a
--- /dev/null
+++ b/contrib/bind9/bin/named/lwdgabn.c
@@ -0,0 +1,655 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdgabn.c,v 1.13.12.3 2004/03/08 04:04:19 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/events.h>
+#include <dns/result.h>
+
+#include <named/types.h>
+#include <named/lwaddr.h>
+#include <named/lwdclient.h>
+#include <named/lwresd.h>
+#include <named/lwsearch.h>
+#include <named/sortlist.h>
+
+#define NEED_V4(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V4) != 0) \
+ && ((c)->v4find == NULL))
+#define NEED_V6(c) ((((c)->find_wanted & LWRES_ADDRTYPE_V6) != 0) \
+ && ((c)->v6find == NULL))
+
+static isc_result_t start_find(ns_lwdclient_t *);
+static void restart_find(ns_lwdclient_t *);
+static void init_gabn(ns_lwdclient_t *);
+
+/*
+ * Destroy any finds. This can be used to "start over from scratch" and
+ * should only be called when events are _not_ being generated by the finds.
+ */
+static void
+cleanup_gabn(ns_lwdclient_t *client) {
+ ns_lwdclient_log(50, "cleaning up client %p", client);
+
+ if (client->v6find != NULL) {
+ if (client->v6find == client->v4find)
+ client->v6find = NULL;
+ else
+ dns_adb_destroyfind(&client->v6find);
+ }
+ if (client->v4find != NULL)
+ dns_adb_destroyfind(&client->v4find);
+}
+
+static void
+setup_addresses(ns_lwdclient_t *client, dns_adbfind_t *find, unsigned int at) {
+ dns_adbaddrinfo_t *ai;
+ lwres_addr_t *addr;
+ int af;
+ const struct sockaddr *sa;
+ isc_result_t result;
+
+ if (at == DNS_ADBFIND_INET)
+ af = AF_INET;
+ else
+ af = AF_INET6;
+
+ ai = ISC_LIST_HEAD(find->list);
+ while (ai != NULL && client->gabn.naddrs < LWRES_MAX_ADDRS) {
+ sa = &ai->sockaddr.type.sa;
+ if (sa->sa_family != af)
+ goto next;
+
+ addr = &client->addrs[client->gabn.naddrs];
+
+ result = lwaddr_lwresaddr_fromsockaddr(addr, &ai->sockaddr);
+ if (result != ISC_R_SUCCESS)
+ goto next;
+
+ ns_lwdclient_log(50, "adding address %p, family %d, length %d",
+ addr->address, addr->family, addr->length);
+
+ client->gabn.naddrs++;
+ REQUIRE(!LWRES_LINK_LINKED(addr, link));
+ LWRES_LIST_APPEND(client->gabn.addrs, addr, link);
+
+ next:
+ ai = ISC_LIST_NEXT(ai, publink);
+ }
+}
+
+typedef struct {
+ isc_netaddr_t address;
+ int rank;
+} rankedaddress;
+
+static int
+addr_compare(const void *av, const void *bv) {
+ const rankedaddress *a = (const rankedaddress *) av;
+ const rankedaddress *b = (const rankedaddress *) bv;
+ return (a->rank - b->rank);
+}
+
+static void
+sort_addresses(ns_lwdclient_t *client) {
+ unsigned int naddrs;
+ rankedaddress *addrs;
+ isc_netaddr_t remote;
+ dns_addressorderfunc_t order;
+ void *arg;
+ ns_lwresd_t *lwresd = client->clientmgr->listener->manager;
+ unsigned int i;
+ isc_result_t result;
+
+ naddrs = client->gabn.naddrs;
+
+ if (naddrs <= 1 || lwresd->view->sortlist == NULL)
+ return;
+
+ addrs = isc_mem_get(lwresd->mctx, sizeof(rankedaddress) * naddrs);
+ if (addrs == NULL)
+ return;
+
+ isc_netaddr_fromsockaddr(&remote, &client->address);
+ ns_sortlist_byaddrsetup(lwresd->view->sortlist,
+ &remote, &order, &arg);
+ if (order == NULL) {
+ isc_mem_put(lwresd->mctx, addrs,
+ sizeof(rankedaddress) * naddrs);
+ return;
+ }
+ for (i = 0; i < naddrs; i++) {
+ result = lwaddr_netaddr_fromlwresaddr(&addrs[i].address,
+ &client->addrs[i]);
+ INSIST(result == ISC_R_SUCCESS);
+ addrs[i].rank = (*order)(&addrs[i].address, arg);
+ }
+ qsort(addrs, naddrs, sizeof(rankedaddress), addr_compare);
+ for (i = 0; i < naddrs; i++) {
+ result = lwaddr_lwresaddr_fromnetaddr(&client->addrs[i],
+ &addrs[i].address);
+ INSIST(result == ISC_R_SUCCESS);
+ }
+
+ isc_mem_put(lwresd->mctx, addrs, sizeof(rankedaddress) * naddrs);
+}
+
+static void
+generate_reply(ns_lwdclient_t *client) {
+ isc_result_t result;
+ int lwres;
+ isc_region_t r;
+ lwres_buffer_t lwb;
+ ns_lwdclientmgr_t *cm;
+
+ cm = client->clientmgr;
+ lwb.base = NULL;
+
+ ns_lwdclient_log(50, "generating gabn reply for client %p", client);
+
+ /*
+ * We must make certain the client->find is not still active.
+ * If it is either the v4 or v6 answer, just set it to NULL and
+ * let the cleanup code destroy it. Otherwise, destroy it now.
+ */
+ if (client->find == client->v4find || client->find == client->v6find)
+ client->find = NULL;
+ else
+ if (client->find != NULL)
+ dns_adb_destroyfind(&client->find);
+
+ /*
+ * perhaps there are some here?
+ */
+ if (NEED_V6(client) && client->v4find != NULL)
+ client->v6find = client->v4find;
+
+ /*
+ * Run through the finds we have and wire them up to the gabn
+ * structure.
+ */
+ LWRES_LIST_INIT(client->gabn.addrs);
+ if (client->v4find != NULL)
+ setup_addresses(client, client->v4find, DNS_ADBFIND_INET);
+ if (client->v6find != NULL)
+ setup_addresses(client, client->v6find, DNS_ADBFIND_INET6);
+
+ /*
+ * If there are no addresses, try the next element in the search
+ * path, if there are any more. Otherwise, fall through into
+ * the error handling code below.
+ */
+ if (client->gabn.naddrs == 0) {
+ do {
+ result = ns_lwsearchctx_next(&client->searchctx);
+ if (result == ISC_R_SUCCESS) {
+ cleanup_gabn(client);
+ result = start_find(client);
+ if (result == ISC_R_SUCCESS)
+ return;
+ }
+ } while (result == ISC_R_SUCCESS);
+ }
+
+ /*
+ * Render the packet.
+ */
+ client->pkt.recvlength = LWRES_RECVLENGTH;
+ client->pkt.authtype = 0; /* XXXMLG */
+ client->pkt.authlength = 0;
+
+ /*
+ * If there are no addresses, return failure.
+ */
+ if (client->gabn.naddrs != 0)
+ client->pkt.result = LWRES_R_SUCCESS;
+ else
+ client->pkt.result = LWRES_R_NOTFOUND;
+
+ sort_addresses(client);
+
+ lwres = lwres_gabnresponse_render(cm->lwctx, &client->gabn,
+ &client->pkt, &lwb);
+ if (lwres != LWRES_R_SUCCESS)
+ goto out;
+
+ r.base = lwb.base;
+ r.length = lwb.used;
+ client->sendbuf = r.base;
+ client->sendlength = r.length;
+ result = ns_lwdclient_sendreply(client, &r);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ NS_LWDCLIENT_SETSEND(client);
+
+ /*
+ * All done!
+ */
+ cleanup_gabn(client);
+
+ return;
+
+ out:
+ cleanup_gabn(client);
+
+ if (lwb.base != NULL)
+ lwres_context_freemem(client->clientmgr->lwctx,
+ lwb.base, lwb.length);
+
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
+
+/*
+ * Take the current real name, move it to an alias slot (if any are
+ * open) then put this new name in as the real name for the target.
+ *
+ * Return success if it can be rendered, otherwise failure. Note that
+ * not having enough alias slots open is NOT a failure.
+ */
+static isc_result_t
+add_alias(ns_lwdclient_t *client) {
+ isc_buffer_t b;
+ isc_result_t result;
+ isc_uint16_t naliases;
+
+ b = client->recv_buffer;
+
+ /*
+ * Render the new name to the buffer.
+ */
+ result = dns_name_totext(dns_fixedname_name(&client->target_name),
+ ISC_TRUE, &client->recv_buffer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Are there any open slots?
+ */
+ naliases = client->gabn.naliases;
+ if (naliases < LWRES_MAX_ALIASES) {
+ client->gabn.aliases[naliases] = client->gabn.realname;
+ client->gabn.aliaslen[naliases] = client->gabn.realnamelen;
+ client->gabn.naliases++;
+ }
+
+ /*
+ * Save this name away as the current real name.
+ */
+ client->gabn.realname = (char *)(b.base) + b.used;
+ client->gabn.realnamelen = client->recv_buffer.used - b.used;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+store_realname(ns_lwdclient_t *client) {
+ isc_buffer_t b;
+ isc_result_t result;
+ dns_name_t *tname;
+
+ b = client->recv_buffer;
+
+ tname = dns_fixedname_name(&client->target_name);
+ result = ns_lwsearchctx_current(&client->searchctx, tname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Render the new name to the buffer.
+ */
+ result = dns_name_totext(tname, ISC_TRUE, &client->recv_buffer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Save this name away as the current real name.
+ */
+ client->gabn.realname = (char *) b.base + b.used;
+ client->gabn.realnamelen = client->recv_buffer.used - b.used;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+process_gabn_finddone(isc_task_t *task, isc_event_t *ev) {
+ ns_lwdclient_t *client = ev->ev_arg;
+ isc_eventtype_t evtype;
+ isc_boolean_t claimed;
+
+ ns_lwdclient_log(50, "find done for task %p, client %p", task, client);
+
+ evtype = ev->ev_type;
+ isc_event_free(&ev);
+
+ /*
+ * No more info to be had? If so, we have all the good stuff
+ * right now, so we can render things.
+ */
+ claimed = ISC_FALSE;
+ if (evtype == DNS_EVENT_ADBNOMOREADDRESSES) {
+ if (NEED_V4(client)) {
+ client->v4find = client->find;
+ claimed = ISC_TRUE;
+ }
+ if (NEED_V6(client)) {
+ client->v6find = client->find;
+ claimed = ISC_TRUE;
+ }
+ if (client->find != NULL) {
+ if (claimed)
+ client->find = NULL;
+ else
+ dns_adb_destroyfind(&client->find);
+
+ }
+ generate_reply(client);
+ return;
+ }
+
+ /*
+ * We probably don't need this find anymore. We're either going to
+ * reissue it, or an error occurred. Either way, we're done with
+ * it.
+ */
+ if ((client->find != client->v4find)
+ && (client->find != client->v6find)) {
+ dns_adb_destroyfind(&client->find);
+ } else {
+ client->find = NULL;
+ }
+
+ /*
+ * We have some new information we can gather. Run off and fetch
+ * it.
+ */
+ if (evtype == DNS_EVENT_ADBMOREADDRESSES) {
+ restart_find(client);
+ return;
+ }
+
+ /*
+ * An error or other strangeness happened. Drop this query.
+ */
+ cleanup_gabn(client);
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
+
+static void
+restart_find(ns_lwdclient_t *client) {
+ unsigned int options;
+ isc_result_t result;
+ isc_boolean_t claimed;
+
+ ns_lwdclient_log(50, "starting find for client %p", client);
+
+ /*
+ * Issue a find for the name contained in the request. We won't
+ * set the bit that says "anything is good enough" -- we want it
+ * all.
+ */
+ options = 0;
+ options |= DNS_ADBFIND_WANTEVENT;
+ options |= DNS_ADBFIND_RETURNLAME;
+
+ /*
+ * Set the bits up here to mark that we want this address family
+ * and that we do not currently have a find pending. We will
+ * set that bit again below if it turns out we will get an event.
+ */
+ if (NEED_V4(client))
+ options |= DNS_ADBFIND_INET;
+ if (NEED_V6(client))
+ options |= DNS_ADBFIND_INET6;
+
+ find_again:
+ INSIST(client->find == NULL);
+ result = dns_adb_createfind(client->clientmgr->view->adb,
+ client->clientmgr->task,
+ process_gabn_finddone, client,
+ dns_fixedname_name(&client->target_name),
+ dns_rootname, options, 0,
+ dns_fixedname_name(&client->target_name),
+ client->clientmgr->view->dstport,
+ &client->find);
+
+ /*
+ * Did we get an alias? If so, save it and re-issue the query.
+ */
+ if (result == DNS_R_ALIAS) {
+ ns_lwdclient_log(50, "found alias, restarting query");
+ dns_adb_destroyfind(&client->find);
+ cleanup_gabn(client);
+ result = add_alias(client);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwdclient_log(50,
+ "out of buffer space adding alias");
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+ goto find_again;
+ }
+
+ ns_lwdclient_log(50, "find returned %d (%s)", result,
+ isc_result_totext(result));
+
+ /*
+ * Did we get an error?
+ */
+ if (result != ISC_R_SUCCESS) {
+ if (client->find != NULL)
+ dns_adb_destroyfind(&client->find);
+ cleanup_gabn(client);
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+
+ claimed = ISC_FALSE;
+
+ /*
+ * Did we get our answer to V4 addresses?
+ */
+ if (NEED_V4(client)
+ && ((client->find->query_pending & DNS_ADBFIND_INET) == 0)) {
+ ns_lwdclient_log(50, "client %p ipv4 satisfied by find %p",
+ client, client->find);
+ claimed = ISC_TRUE;
+ client->v4find = client->find;
+ }
+
+ /*
+ * Did we get our answer to V6 addresses?
+ */
+ if (NEED_V6(client)
+ && ((client->find->query_pending & DNS_ADBFIND_INET6) == 0)) {
+ ns_lwdclient_log(50, "client %p ipv6 satisfied by find %p",
+ client, client->find);
+ claimed = ISC_TRUE;
+ client->v6find = client->find;
+ }
+
+ /*
+ * If we're going to get an event, set our internal pending flag
+ * and return. When we get an event back we'll do the right
+ * thing, basically by calling this function again, perhaps with a
+ * new target name.
+ *
+ * If we have both v4 and v6, and we are still getting an event,
+ * we have a programming error, so die hard.
+ */
+ if ((client->find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+ ns_lwdclient_log(50, "event will be sent");
+ INSIST(client->v4find == NULL || client->v6find == NULL);
+ return;
+ }
+ ns_lwdclient_log(50, "no event will be sent");
+ if (claimed)
+ client->find = NULL;
+ else
+ dns_adb_destroyfind(&client->find);
+
+ /*
+ * We seem to have everything we asked for, or at least we are
+ * able to respond with things we've learned.
+ */
+
+ generate_reply(client);
+}
+
+static isc_result_t
+start_find(ns_lwdclient_t *client) {
+ isc_result_t result;
+
+ /*
+ * Initialize the real name and alias arrays in the reply we're
+ * going to build up.
+ */
+ init_gabn(client);
+
+ result = store_realname(client);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ restart_find(client);
+ return (ISC_R_SUCCESS);
+
+}
+
+static void
+init_gabn(ns_lwdclient_t *client) {
+ int i;
+
+ /*
+ * Initialize the real name and alias arrays in the reply we're
+ * going to build up.
+ */
+ for (i = 0; i < LWRES_MAX_ALIASES; i++) {
+ client->aliases[i] = NULL;
+ client->aliaslen[i] = 0;
+ }
+ for (i = 0; i < LWRES_MAX_ADDRS; i++) {
+ client->addrs[i].family = 0;
+ client->addrs[i].length = 0;
+ memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
+ LWRES_LINK_INIT(&client->addrs[i], link);
+ }
+
+ client->gabn.naliases = 0;
+ client->gabn.naddrs = 0;
+ client->gabn.realname = NULL;
+ client->gabn.aliases = client->aliases;
+ client->gabn.realnamelen = 0;
+ client->gabn.aliaslen = client->aliaslen;
+ LWRES_LIST_INIT(client->gabn.addrs);
+ client->gabn.base = NULL;
+ client->gabn.baselen = 0;
+
+ /*
+ * Set up the internal buffer to point to the receive region.
+ */
+ isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
+}
+
+/*
+ * When we are called, we can be assured that:
+ *
+ * client->sockaddr contains the address we need to reply to,
+ *
+ * client->pkt contains the packet header data,
+ *
+ * the packet "checks out" overall -- any MD5 hashes or crypto
+ * bits have been verified,
+ *
+ * "b" points to the remaining data after the packet header
+ * was parsed off.
+ *
+ * We are in a the RECVDONE state.
+ *
+ * From this state we will enter the SEND state if we happen to have
+ * everything we need or we need to return an error packet, or to the
+ * FINDWAIT state if we need to look things up.
+ */
+void
+ns_lwdclient_processgabn(ns_lwdclient_t *client, lwres_buffer_t *b) {
+ isc_result_t result;
+ lwres_gabnrequest_t *req;
+ ns_lwdclientmgr_t *cm;
+ isc_buffer_t namebuf;
+
+ REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
+
+ cm = client->clientmgr;
+ req = NULL;
+
+ result = lwres_gabnrequest_parse(client->clientmgr->lwctx,
+ b, &client->pkt, &req);
+ if (result != LWRES_R_SUCCESS)
+ goto out;
+ if (req->name == NULL)
+ goto out;
+
+ isc_buffer_init(&namebuf, req->name, req->namelen);
+ isc_buffer_add(&namebuf, req->namelen);
+
+ dns_fixedname_init(&client->target_name);
+ dns_fixedname_init(&client->query_name);
+ result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
+ &namebuf, NULL, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ ns_lwsearchctx_init(&client->searchctx,
+ cm->listener->manager->search,
+ dns_fixedname_name(&client->query_name),
+ cm->listener->manager->ndots);
+ ns_lwsearchctx_first(&client->searchctx);
+
+ client->find_wanted = req->addrtypes;
+ ns_lwdclient_log(50, "client %p looking for addrtypes %08x",
+ client, client->find_wanted);
+
+ /*
+ * We no longer need to keep this around.
+ */
+ lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
+
+ /*
+ * Start the find.
+ */
+ result = start_find(client);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ return;
+
+ /*
+ * We're screwed. Return an error packet to our caller.
+ */
+ out:
+ if (req != NULL)
+ lwres_gabnrequest_free(client->clientmgr->lwctx, &req);
+
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
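Review bot: In ns_lwdclient_processgabn, `client->find_wanted = req->addrtypes;` copies a client-supplied bitmask without checking that it names at least one supported address family. When neither LWRES_ADDRTYPE_V4 nor LWRES_ADDRTYPE_V6 is set, NEED_V4 and NEED_V6 are both false, so restart_find calls dns_adb_createfind with neither DNS_ADBFIND_INET nor DNS_ADBFIND_INET6 in `options`. How that call treats an empty family set is not visible in this hunk, so the request is better rejected before it gets that far. Adding `if ((req->addrtypes & (LWRES_ADDRTYPE_V4 | LWRES_ADDRTYPE_V6)) == 0) goto out;` ahead of the assignment reuses the existing error-packet path and still frees `req`.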
diff --git a/contrib/bind9/bin/named/lwdgnba.c b/contrib/bind9/bin/named/lwdgnba.c
new file mode 100644
index 0000000..21ef804
--- /dev/null
+++ b/contrib/bind9/bin/named/lwdgnba.c
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdgnba.c,v 1.13.2.1.2.5 2004/03/08 04:04:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/socket.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/byaddr.h>
+#include <dns/result.h>
+
+#include <named/types.h>
+#include <named/lwdclient.h>
+
+static void start_byaddr(ns_lwdclient_t *);
+
+static void
+byaddr_done(isc_task_t *task, isc_event_t *event) {
+ ns_lwdclient_t *client;
+ ns_lwdclientmgr_t *cm;
+ dns_byaddrevent_t *bevent;
+ int lwres;
+ lwres_buffer_t lwb;
+ dns_name_t *name;
+ isc_result_t result;
+ lwres_result_t lwresult;
+ isc_region_t r;
+ isc_buffer_t b;
+ lwres_gnbaresponse_t *gnba;
+ isc_uint16_t naliases;
+
+ UNUSED(task);
+
+ lwb.base = NULL;
+ client = event->ev_arg;
+ cm = client->clientmgr;
+ INSIST(client->byaddr == (dns_byaddr_t *)event->ev_sender);
+
+ bevent = (dns_byaddrevent_t *)event;
+ gnba = &client->gnba;
+
+ ns_lwdclient_log(50, "byaddr event result = %s",
+ isc_result_totext(bevent->result));
+
+ result = bevent->result;
+ if (result != ISC_R_SUCCESS) {
+ dns_byaddr_destroy(&client->byaddr);
+ isc_event_free(&event);
+ bevent = NULL;
+
+ if (client->na.family != AF_INET6 ||
+ (client->options & DNS_BYADDROPT_IPV6INT) != 0) {
+ if (result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NXRRSET)
+ lwresult = LWRES_R_NOTFOUND;
+ else
+ lwresult = LWRES_R_FAILURE;
+ ns_lwdclient_errorpktsend(client, lwresult);
+ return;
+ }
+
+ /*
+ * Fall back to ip6.int reverse if the default ip6.arpa
+ * fails.
+ */
+ client->options |= DNS_BYADDROPT_IPV6INT;
+
+ start_byaddr(client);
+ return;
+ }
+
+ for (name = ISC_LIST_HEAD(bevent->names);
+ name != NULL;
+ name = ISC_LIST_NEXT(name, link))
+ {
+ b = client->recv_buffer;
+
+ result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ ns_lwdclient_log(50, "found name '%.*s'",
+ (int)(client->recv_buffer.used - b.used),
+ (char *)(b.base) + b.used);
+ if (gnba->realname == NULL) {
+ gnba->realname = (char *)(b.base) + b.used;
+ gnba->realnamelen = client->recv_buffer.used - b.used;
+ } else {
+ naliases = gnba->naliases;
+ if (naliases >= LWRES_MAX_ALIASES)
+ break;
+ gnba->aliases[naliases] = (char *)(b.base) + b.used;
+ gnba->aliaslen[naliases] =
+ client->recv_buffer.used - b.used;
+ gnba->naliases++;
+ }
+ }
+
+ dns_byaddr_destroy(&client->byaddr);
+ isc_event_free(&event);
+
+ /*
+ * Render the packet.
+ */
+ client->pkt.recvlength = LWRES_RECVLENGTH;
+ client->pkt.authtype = 0; /* XXXMLG */
+ client->pkt.authlength = 0;
+ client->pkt.result = LWRES_R_SUCCESS;
+
+ lwres = lwres_gnbaresponse_render(cm->lwctx,
+ gnba, &client->pkt, &lwb);
+ if (lwres != LWRES_R_SUCCESS)
+ goto out;
+
+ r.base = lwb.base;
+ r.length = lwb.used;
+ client->sendbuf = r.base;
+ client->sendlength = r.length;
+ result = ns_lwdclient_sendreply(client, &r);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ NS_LWDCLIENT_SETSEND(client);
+
+ return;
+
+ out:
+ if (client->byaddr != NULL)
+ dns_byaddr_destroy(&client->byaddr);
+ if (lwb.base != NULL)
+ lwres_context_freemem(cm->lwctx,
+ lwb.base, lwb.length);
+
+ if (event != NULL)
+ isc_event_free(&event);
+}
+
+static void
+start_byaddr(ns_lwdclient_t *client) {
+ isc_result_t result;
+ ns_lwdclientmgr_t *cm;
+
+ cm = client->clientmgr;
+
+ INSIST(client->byaddr == NULL);
+
+ result = dns_byaddr_create(cm->mctx, &client->na, cm->view,
+ client->options, cm->task, byaddr_done,
+ client, &client->byaddr);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+}
+
+static void
+init_gnba(ns_lwdclient_t *client) {
+ int i;
+
+ /*
+ * Initialize the real name and alias arrays in the reply we're
+ * going to build up.
+ */
+ for (i = 0; i < LWRES_MAX_ALIASES; i++) {
+ client->aliases[i] = NULL;
+ client->aliaslen[i] = 0;
+ }
+ for (i = 0; i < LWRES_MAX_ADDRS; i++) {
+ client->addrs[i].family = 0;
+ client->addrs[i].length = 0;
+ memset(client->addrs[i].address, 0, LWRES_ADDR_MAXLEN);
+ LWRES_LINK_INIT(&client->addrs[i], link);
+ }
+
+ client->gnba.naliases = 0;
+ client->gnba.realname = NULL;
+ client->gnba.aliases = client->aliases;
+ client->gnba.realnamelen = 0;
+ client->gnba.aliaslen = client->aliaslen;
+ client->gnba.base = NULL;
+ client->gnba.baselen = 0;
+ isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
+}
+
+void
+ns_lwdclient_processgnba(ns_lwdclient_t *client, lwres_buffer_t *b) {
+ lwres_gnbarequest_t *req;
+ isc_result_t result;
+ isc_sockaddr_t sa;
+ ns_lwdclientmgr_t *cm;
+
+ REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
+ INSIST(client->byaddr == NULL);
+
+ cm = client->clientmgr;
+ req = NULL;
+
+ result = lwres_gnbarequest_parse(cm->lwctx,
+ b, &client->pkt, &req);
+ if (result != LWRES_R_SUCCESS)
+ goto out;
+ if (req->addr.address == NULL)
+ goto out;
+
+ client->options = 0;
+ if (req->addr.family == LWRES_ADDRTYPE_V4) {
+ client->na.family = AF_INET;
+ if (req->addr.length != 4)
+ goto out;
+ memcpy(&client->na.type.in, req->addr.address, 4);
+ } else if (req->addr.family == LWRES_ADDRTYPE_V6) {
+ client->na.family = AF_INET6;
+ if (req->addr.length != 16)
+ goto out;
+ memcpy(&client->na.type.in6, req->addr.address, 16);
+ } else {
+ goto out;
+ }
+ isc_sockaddr_fromnetaddr(&sa, &client->na, 53);
+
+ ns_lwdclient_log(50, "client %p looking for addrtype %08x",
+ client, req->addr.family);
+
+ /*
+ * We no longer need to keep this around.
+ */
+ lwres_gnbarequest_free(cm->lwctx, &req);
+
+ /*
+ * Initialize the real name and alias arrays in the reply we're
+ * going to build up.
+ */
+ init_gnba(client);
+ client->options = 0;
+
+ /*
+ * Start the find.
+ */
+ start_byaddr(client);
+
+ return;
+
+ /*
+ * We're screwed. Return an error packet to our caller.
+ */
+ out:
+ if (req != NULL)
+ lwres_gnbarequest_free(cm->lwctx, &req);
+
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
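Review bot: The `out:` path of byaddr_done frees the byaddr object, the render buffer and the event, but never answers the client or changes its state. The matching `out:` path of generate_reply in lwdgabn.c ends with ns_lwdclient_errorpktsend. A failure in dns_name_totext, lwres_gnbaresponse_render or ns_lwdclient_sendreply therefore appears to leave the client object off the idle list with no reply sent, so repeated failures would steadily use up the available client objects. After a failed send, client->sendbuf also still points at the lwb.base that was just freed. Ending the path with `ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);`, as the early-error branch of this function already does, sends a reply and resets sendbuf to client->buffer.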
diff --git a/contrib/bind9/bin/named/lwdgrbn.c b/contrib/bind9/bin/named/lwdgrbn.c
new file mode 100644
index 0000000..6652265
--- /dev/null
+++ b/contrib/bind9/bin/named/lwdgrbn.c
@@ -0,0 +1,513 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdgrbn.c,v 1.11.208.3 2004/03/08 04:04:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+#include <named/types.h>
+#include <named/lwdclient.h>
+#include <named/lwresd.h>
+#include <named/lwsearch.h>
+
+static void start_lookup(ns_lwdclient_t *);
+
+static isc_result_t
+fill_array(int *pos, dns_rdataset_t *rdataset,
+ int size, unsigned char **rdatas, lwres_uint16_t *rdatalen)
+{
+ dns_rdata_t rdata;
+ isc_result_t result;
+ isc_region_t r;
+
+ UNUSED(size);
+
+ dns_rdata_init(&rdata);
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ INSIST(*pos < size);
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_toregion(&rdata, &r);
+ rdatas[*pos] = r.base;
+ rdatalen[*pos] = r.length;
+ dns_rdata_reset(&rdata);
+ (*pos)++;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+static isc_result_t
+iterate_node(lwres_grbnresponse_t *grbn, dns_db_t *db, dns_dbnode_t *node,
+ isc_mem_t *mctx)
+{
+ int used = 0, count;
+ int size = 8, oldsize = 0;
+ unsigned char **rdatas = NULL, **oldrdatas = NULL, **newrdatas = NULL;
+ lwres_uint16_t *lens = NULL, *oldlens = NULL, *newlens = NULL;
+ dns_rdatasetiter_t *iter = NULL;
+ dns_rdataset_t set;
+ dns_ttl_t ttl = ISC_INT32_MAX;
+ lwres_uint32_t flags = LWRDATA_VALIDATED;
+ isc_result_t result = ISC_R_NOMEMORY;
+
+ result = dns_db_allrdatasets(db, node, NULL, 0, &iter);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
+ if (rdatas == NULL)
+ goto out;
+ lens = isc_mem_get(mctx, size * sizeof(*lens));
+ if (lens == NULL)
+ goto out;
+
+ for (result = dns_rdatasetiter_first(iter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(iter))
+ {
+ result = ISC_R_NOMEMORY;
+ dns_rdataset_init(&set);
+ dns_rdatasetiter_current(iter, &set);
+
+ if (set.type != dns_rdatatype_rrsig) {
+ dns_rdataset_disassociate(&set);
+ continue;
+ }
+
+ count = dns_rdataset_count(&set);
+ if (used + count > size) {
+ /* copy & reallocate */
+ oldsize = size;
+ oldrdatas = rdatas;
+ oldlens = lens;
+ rdatas = NULL;
+ lens = NULL;
+
+ size *= 2;
+
+ rdatas = isc_mem_get(mctx, size * sizeof(*rdatas));
+ if (rdatas == NULL)
+ goto out;
+ lens = isc_mem_get(mctx, size * sizeof(*lens));
+ if (lens == NULL)
+ goto out;
+ memcpy(rdatas, oldrdatas, used * sizeof(*rdatas));
+ memcpy(lens, oldlens, used * sizeof(*lens));
+ isc_mem_put(mctx, oldrdatas,
+ oldsize * sizeof(*oldrdatas));
+ isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
+ oldrdatas = NULL;
+ oldlens = NULL;
+ }
+ if (set.ttl < ttl)
+ ttl = set.ttl;
+ if (set.trust != dns_trust_secure)
+ flags &= (~LWRDATA_VALIDATED);
+ result = fill_array(&used, &set, size, rdatas, lens);
+ dns_rdataset_disassociate(&set);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ dns_rdatasetiter_destroy(&iter);
+
+ /*
+ * If necessary, shrink and copy the arrays.
+ */
+ if (size != used) {
+ result = ISC_R_NOMEMORY;
+ newrdatas = isc_mem_get(mctx, used * sizeof(*rdatas));
+ if (newrdatas == NULL)
+ goto out;
+ newlens = isc_mem_get(mctx, used * sizeof(*lens));
+ if (newlens == NULL)
+ goto out;
+ memcpy(newrdatas, rdatas, used * sizeof(*rdatas));
+ memcpy(newlens, lens, used * sizeof(*lens));
+ isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
+ isc_mem_put(mctx, lens, size * sizeof(*lens));
+ grbn->rdatas = newrdatas;
+ grbn->rdatalen = newlens;
+ } else {
+ grbn->rdatas = rdatas;
+ grbn->rdatalen = lens;
+ }
+ grbn->nrdatas = used;
+ grbn->ttl = ttl;
+ grbn->flags = flags;
+ return (ISC_R_SUCCESS);
+
+ out:
+ dns_rdatasetiter_destroy(&iter);
+ if (rdatas != NULL)
+ isc_mem_put(mctx, rdatas, size * sizeof(*rdatas));
+ if (lens != NULL)
+ isc_mem_put(mctx, lens, size * sizeof(*lens));
+ if (oldrdatas != NULL)
+ isc_mem_put(mctx, oldrdatas, oldsize * sizeof(*oldrdatas));
+ if (oldlens != NULL)
+ isc_mem_put(mctx, oldlens, oldsize * sizeof(*oldlens));
+ if (newrdatas != NULL)
+ isc_mem_put(mctx, newrdatas, used * sizeof(*oldrdatas));
+ if (newlens != NULL)
+ isc_mem_put(mctx, newlens, used * sizeof(*oldlens));
+ return (result);
+}
+
+static void
+lookup_done(isc_task_t *task, isc_event_t *event) {
+ ns_lwdclient_t *client;
+ ns_lwdclientmgr_t *cm;
+ dns_lookupevent_t *levent;
+ lwres_buffer_t lwb;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdataset_t *sigrdataset;
+ isc_result_t result;
+ lwres_result_t lwresult;
+ isc_region_t r;
+ isc_buffer_t b;
+ lwres_grbnresponse_t *grbn;
+ int i;
+
+ UNUSED(task);
+
+ lwb.base = NULL;
+ client = event->ev_arg;
+ cm = client->clientmgr;
+ INSIST(client->lookup == (dns_lookup_t *)event->ev_sender);
+
+ levent = (dns_lookupevent_t *)event;
+ grbn = &client->grbn;
+
+ ns_lwdclient_log(50, "lookup event result = %s",
+ isc_result_totext(levent->result));
+
+ result = levent->result;
+ if (result != ISC_R_SUCCESS) {
+ dns_lookup_destroy(&client->lookup);
+ isc_event_free(&event);
+ levent = NULL;
+
+ switch (result) {
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NCACHENXDOMAIN:
+ result = ns_lwsearchctx_next(&client->searchctx);
+ if (result != ISC_R_SUCCESS)
+ lwresult = LWRES_R_NOTFOUND;
+ else {
+ start_lookup(client);
+ return;
+ }
+ break;
+ case DNS_R_NXRRSET:
+ case DNS_R_NCACHENXRRSET:
+ lwresult = LWRES_R_TYPENOTFOUND;
+ break;
+ default:
+ lwresult = LWRES_R_FAILURE;
+ }
+ ns_lwdclient_errorpktsend(client, lwresult);
+ return;
+ }
+
+ name = levent->name;
+ b = client->recv_buffer;
+
+ grbn->flags = 0;
+
+ grbn->nrdatas = 0;
+ grbn->rdatas = NULL;
+ grbn->rdatalen = NULL;
+
+ grbn->nsigs = 0;
+ grbn->sigs = NULL;
+ grbn->siglen = NULL;
+
+ result = dns_name_totext(name, ISC_TRUE, &client->recv_buffer);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ grbn->realname = (char *)isc_buffer_used(&b);
+ grbn->realnamelen = isc_buffer_usedlength(&client->recv_buffer) -
+ isc_buffer_usedlength(&b);
+ ns_lwdclient_log(50, "found name '%.*s'", grbn->realnamelen,
+ grbn->realname);
+
+ grbn->rdclass = cm->view->rdclass;
+ grbn->rdtype = client->rdtype;
+
+ rdataset = levent->rdataset;
+ if (rdataset != NULL) {
+ /* The normal case */
+ grbn->nrdatas = dns_rdataset_count(rdataset);
+ grbn->rdatas = isc_mem_get(cm->mctx, grbn->nrdatas *
+ sizeof(unsigned char *));
+ if (grbn->rdatas == NULL)
+ goto out;
+ grbn->rdatalen = isc_mem_get(cm->mctx, grbn->nrdatas *
+ sizeof(lwres_uint16_t));
+ if (grbn->rdatalen == NULL)
+ goto out;
+
+ i = 0;
+ result = fill_array(&i, rdataset, grbn->nrdatas, grbn->rdatas,
+ grbn->rdatalen);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ INSIST(i == grbn->nrdatas);
+ grbn->ttl = rdataset->ttl;
+ if (rdataset->trust == dns_trust_secure)
+ grbn->flags |= LWRDATA_VALIDATED;
+ } else {
+ /* The SIG query case */
+ result = iterate_node(grbn, levent->db, levent->node,
+ cm->mctx);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ }
+ ns_lwdclient_log(50, "filled in %d rdata%s", grbn->nrdatas,
+ (grbn->nrdatas == 1) ? "" : "s");
+
+ sigrdataset = levent->sigrdataset;
+ if (sigrdataset != NULL) {
+ grbn->nsigs = dns_rdataset_count(sigrdataset);
+ grbn->sigs = isc_mem_get(cm->mctx, grbn->nsigs *
+ sizeof(unsigned char *));
+ if (grbn->sigs == NULL)
+ goto out;
+ grbn->siglen = isc_mem_get(cm->mctx, grbn->nsigs *
+ sizeof(lwres_uint16_t));
+ if (grbn->siglen == NULL)
+ goto out;
+
+ i = 0;
+ result = fill_array(&i, sigrdataset, grbn->nsigs, grbn->sigs,
+ grbn->siglen);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ INSIST(i == grbn->nsigs);
+ ns_lwdclient_log(50, "filled in %d signature%s", grbn->nsigs,
+ (grbn->nsigs == 1) ? "" : "s");
+ }
+
+ dns_lookup_destroy(&client->lookup);
+ isc_event_free(&event);
+
+ /*
+ * Render the packet.
+ */
+ client->pkt.recvlength = LWRES_RECVLENGTH;
+ client->pkt.authtype = 0; /* XXXMLG */
+ client->pkt.authlength = 0;
+ client->pkt.result = LWRES_R_SUCCESS;
+
+ lwresult = lwres_grbnresponse_render(cm->lwctx,
+ grbn, &client->pkt, &lwb);
+ if (lwresult != LWRES_R_SUCCESS)
+ goto out;
+
+ isc_mem_put(cm->mctx, grbn->rdatas,
+ grbn->nrdatas * sizeof(unsigned char *));
+ isc_mem_put(cm->mctx, grbn->rdatalen,
+ grbn->nrdatas * sizeof(lwres_uint16_t));
+
+ if (grbn->sigs != NULL)
+ isc_mem_put(cm->mctx, grbn->sigs,
+ grbn->nsigs * sizeof(unsigned char *));
+ if (grbn->siglen != NULL)
+ isc_mem_put(cm->mctx, grbn->siglen,
+ grbn->nsigs * sizeof(lwres_uint16_t));
+
+ r.base = lwb.base;
+ r.length = lwb.used;
+ client->sendbuf = r.base;
+ client->sendlength = r.length;
+ result = ns_lwdclient_sendreply(client, &r);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ NS_LWDCLIENT_SETSEND(client);
+
+ return;
+
+ out:
+ if (grbn->rdatas != NULL)
+ isc_mem_put(cm->mctx, grbn->rdatas,
+ grbn->nrdatas * sizeof(unsigned char *));
+ if (grbn->rdatalen != NULL)
+ isc_mem_put(cm->mctx, grbn->rdatalen,
+ grbn->nrdatas * sizeof(lwres_uint16_t));
+
+ if (grbn->sigs != NULL)
+ isc_mem_put(cm->mctx, grbn->sigs,
+ grbn->nsigs * sizeof(unsigned char *));
+ if (grbn->siglen != NULL)
+ isc_mem_put(cm->mctx, grbn->siglen,
+ grbn->nsigs * sizeof(lwres_uint16_t));
+
+ if (client->lookup != NULL)
+ dns_lookup_destroy(&client->lookup);
+ if (lwb.base != NULL)
+ lwres_context_freemem(cm->lwctx, lwb.base, lwb.length);
+
+ if (event != NULL)
+ isc_event_free(&event);
+
+ ns_lwdclient_log(50, "error constructing getrrsetbyname response");
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
+
+static void
+start_lookup(ns_lwdclient_t *client) {
+ isc_result_t result;
+ ns_lwdclientmgr_t *cm;
+ dns_fixedname_t absname;
+
+ cm = client->clientmgr;
+
+ INSIST(client->lookup == NULL);
+
+ dns_fixedname_init(&absname);
+ result = ns_lwsearchctx_current(&client->searchctx,
+ dns_fixedname_name(&absname));
+ /*
+ * This will return failure if relative name + suffix is too long.
+ * In this case, just go on to the next entry in the search path.
+ */
+ if (result != ISC_R_SUCCESS)
+ start_lookup(client);
+
+ result = dns_lookup_create(cm->mctx,
+ dns_fixedname_name(&absname),
+ client->rdtype, cm->view,
+ client->options, cm->task, lookup_done,
+ client, &client->lookup);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+}
+
+static void
+init_grbn(ns_lwdclient_t *client) {
+ client->grbn.rdclass = 0;
+ client->grbn.rdtype = 0;
+ client->grbn.ttl = 0;
+ client->grbn.nrdatas = 0;
+ client->grbn.realname = NULL;
+ client->grbn.realnamelen = 0;
+ client->grbn.rdatas = 0;
+ client->grbn.rdatalen = 0;
+ client->grbn.base = NULL;
+ client->grbn.baselen = 0;
+ isc_buffer_init(&client->recv_buffer, client->buffer, LWRES_RECVLENGTH);
+}
+
+void
+ns_lwdclient_processgrbn(ns_lwdclient_t *client, lwres_buffer_t *b) {
+ lwres_grbnrequest_t *req;
+ isc_result_t result;
+ ns_lwdclientmgr_t *cm;
+ isc_buffer_t namebuf;
+
+ REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
+ INSIST(client->byaddr == NULL);
+
+ cm = client->clientmgr;
+ req = NULL;
+
+ result = lwres_grbnrequest_parse(cm->lwctx,
+ b, &client->pkt, &req);
+ if (result != LWRES_R_SUCCESS)
+ goto out;
+ if (req->name == NULL)
+ goto out;
+
+ client->options = 0;
+ if (req->rdclass != cm->view->rdclass)
+ goto out;
+
+ if (req->rdclass == dns_rdataclass_any ||
+ req->rdtype == dns_rdatatype_any)
+ goto out;
+
+ client->rdtype = req->rdtype;
+
+ isc_buffer_init(&namebuf, req->name, req->namelen);
+ isc_buffer_add(&namebuf, req->namelen);
+
+ dns_fixedname_init(&client->query_name);
+ result = dns_name_fromtext(dns_fixedname_name(&client->query_name),
+ &namebuf, NULL, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ ns_lwsearchctx_init(&client->searchctx,
+ cm->listener->manager->search,
+ dns_fixedname_name(&client->query_name),
+ cm->listener->manager->ndots);
+ ns_lwsearchctx_first(&client->searchctx);
+
+ ns_lwdclient_log(50, "client %p looking for type %d",
+ client, client->rdtype);
+
+ /*
+ * We no longer need to keep this around.
+ */
+ lwres_grbnrequest_free(cm->lwctx, &req);
+
+ /*
+ * Initialize the real name and alias arrays in the reply we're
+ * going to build up.
+ */
+ init_grbn(client);
+
+ /*
+ * Start the find.
+ */
+ start_lookup(client);
+
+ return;
+
+ /*
+ * We're screwed. Return an error packet to our caller.
+ */
+ out:
+ if (req != NULL)
+ lwres_grbnrequest_free(cm->lwctx, &req);
+
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
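Review bot: In start_lookup, the failure branch after ns_lwsearchctx_current() calls start_lookup(client) again without calling ns_lwsearchctx_next() first and without returning afterwards. Unless ns_lwsearchctx_current() advances the search context itself (not visible in this hunk), a client-supplied name that is too long once a suffix is appended makes the function recurse on the same entry until the stack is exhausted. Any inner call that does return then falls through to dns_lookup_create() with a name that failed to build. The sketch below skips entries iteratively and sends an error packet when the path runs out; LWRES_R_NOTFOUND mirrors the NXDOMAIN branch of lookup_done. Separately, iterate_node doubles `size` only once per rdataset, so a set with more records than the doubled size trips `INSIST(*pos < size)` in fill_array; `while (used + count > size) size *= 2;` in place of the single `size *= 2;` would cover it.

```c
static void
start_lookup(ns_lwdclient_t *client) {
	/* … unchanged: declarations, cm assignment, INSIST(client->lookup == NULL) … */

	for (;;) {
		dns_fixedname_init(&absname);
		result = ns_lwsearchctx_current(&client->searchctx,
						dns_fixedname_name(&absname));
		if (result == ISC_R_SUCCESS)
			break;
		/*
		 * Relative name + suffix is too long: move to the next
		 * search path entry, or give up once the path is exhausted.
		 */
		result = ns_lwsearchctx_next(&client->searchctx);
		if (result != ISC_R_SUCCESS) {
			ns_lwdclient_errorpktsend(client, LWRES_R_NOTFOUND);
			return;
		}
	}

	/* … unchanged: dns_lookup_create call and its error handling … */
```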
diff --git a/contrib/bind9/bin/named/lwdnoop.c b/contrib/bind9/bin/named/lwdnoop.c
new file mode 100644
index 0000000..30d95ee
--- /dev/null
+++ b/contrib/bind9/bin/named/lwdnoop.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwdnoop.c,v 1.6.208.1 2004/03/06 10:21:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/socket.h>
+#include <isc/util.h>
+
+#include <named/types.h>
+#include <named/lwdclient.h>
+
+void
+ns_lwdclient_processnoop(ns_lwdclient_t *client, lwres_buffer_t *b) {
+ lwres_nooprequest_t *req;
+ lwres_noopresponse_t resp;
+ isc_result_t result;
+ lwres_result_t lwres;
+ isc_region_t r;
+ lwres_buffer_t lwb;
+
+ REQUIRE(NS_LWDCLIENT_ISRECVDONE(client));
+ INSIST(client->byaddr == NULL);
+
+ req = NULL;
+
+ result = lwres_nooprequest_parse(client->clientmgr->lwctx,
+ b, &client->pkt, &req);
+ if (result != LWRES_R_SUCCESS)
+ goto out;
+
+ client->pkt.recvlength = LWRES_RECVLENGTH;
+ client->pkt.authtype = 0; /* XXXMLG */
+ client->pkt.authlength = 0;
+ client->pkt.result = LWRES_R_SUCCESS;
+
+ resp.datalength = req->datalength;
+ resp.data = req->data;
+
+ lwres = lwres_noopresponse_render(client->clientmgr->lwctx, &resp,
+ &client->pkt, &lwb);
+ if (lwres != LWRES_R_SUCCESS)
+ goto out;
+
+ r.base = lwb.base;
+ r.length = lwb.used;
+ client->sendbuf = r.base;
+ client->sendlength = r.length;
+ result = ns_lwdclient_sendreply(client, &r);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+
+ /*
+ * We can now destroy request.
+ */
+ lwres_nooprequest_free(client->clientmgr->lwctx, &req);
+
+ NS_LWDCLIENT_SETSEND(client);
+
+ return;
+
+ out:
+ if (req != NULL)
+ lwres_nooprequest_free(client->clientmgr->lwctx, &req);
+
+ if (lwb.base != NULL)
+ lwres_context_freemem(client->clientmgr->lwctx,
+ lwb.base, lwb.length);
+
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+}
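Review bot: ns_lwdclient_processnoop tests `lwb.base` under `out:` although `lwb` is never initialised, so a request that fails lwres_nooprequest_parse() can reach lwres_context_freemem() with whatever pointer and length the stack happened to hold. The same path is taken if lwres_noopresponse_render() fails; whether it sets the buffer on failure is not visible here. Adding `lwb.base = NULL;` next to `req = NULL;` makes the cleanup check meaningful, which is what lookup_done in lwdgrbn.c already does before its render call.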
diff --git a/contrib/bind9/bin/named/lwresd.8 b/contrib/bind9/bin/named/lwresd.8
new file mode 100644
index 0000000..bbc177d
--- /dev/null
+++ b/contrib/bind9/bin/named/lwresd.8
@@ -0,0 +1,140 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwresd.8,v 1.13.208.2 2004/06/03 05:35:47 marka Exp $
+.\"
+.TH "LWRESD" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+lwresd \- lightweight resolver daemon
+.SH SYNOPSIS
+.sp
+\fBlwresd\fR [ \fB-C \fIconfig-file\fB\fR ] [ \fB-d \fIdebug-level\fB\fR ] [ \fB-f\fR ] [ \fB-g\fR ] [ \fB-i \fIpid-file\fB\fR ] [ \fB-n \fI#cpus\fB\fR ] [ \fB-P \fIport\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-s\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-u \fIuser\fB\fR ] [ \fB-v\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBlwresd\fR is the daemon providing name lookup
+services to clients that use the BIND 9 lightweight resolver
+library. It is essentially a stripped-down, caching-only name
+server that answers queries using the BIND 9 lightweight
+resolver protocol rather than the DNS protocol.
+.PP
+\fBlwresd\fR listens for resolver queries on a
+UDP port on the IPv4 loopback interface, 127.0.0.1. This
+means that \fBlwresd\fR can only be used by
+processes running on the local machine. By default UDP port
+number 921 is used for lightweight resolver requests and
+responses.
+.PP
+Incoming lightweight resolver requests are decoded by the
+server which then resolves them using the DNS protocol. When
+the DNS lookup completes, \fBlwresd\fR encodes
+the answers in the lightweight resolver format and returns
+them to the client that made the request.
+.PP
+If \fI/etc/resolv.conf\fR contains any
+\fBnameserver\fR entries, \fBlwresd\fR
+sends recursive DNS queries to those servers. This is similar
+to the use of forwarders in a caching name server. If no
+\fBnameserver\fR entries are present, or if
+forwarding fails, \fBlwresd\fR resolves the
+queries autonomously starting at the root name servers, using
+a built-in list of root server hints.
+.SH "OPTIONS"
+.TP
+\fB-C \fIconfig-file\fB\fR
+Use \fIconfig-file\fR as the
+configuration file instead of the default,
+\fI/etc/resolv.conf\fR.
+.TP
+\fB-d \fIdebug-level\fB\fR
+Set the daemon's debug level to \fIdebug-level\fR.
+Debugging traces from \fBlwresd\fR become
+more verbose as the debug level increases.
+.TP
+\fB-f\fR
+Run the server in the foreground (i.e. do not daemonize).
+.TP
+\fB-g\fR
+Run the server in the foreground and force all logging
+to \fIstderr\fR.
+.TP
+\fB-n \fI#cpus\fB\fR
+Create \fI#cpus\fR worker threads
+to take advantage of multiple CPUs. If not specified,
+\fBlwresd\fR will try to determine the
+number of CPUs present and create one thread per CPU.
+If it is unable to determine the number of CPUs, a
+single worker thread will be created.
+.TP
+\fB-P \fIport\fB\fR
+Listen for lightweight resolver queries on port
+\fIport\fR. If
+not specified, the default is port 921.
+.TP
+\fB-p \fIport\fB\fR
+Send DNS lookups to port \fIport\fR. If not
+specified, the default is port 53. This provides a
+way of testing the lightweight resolver daemon with a
+name server that listens for queries on a non-standard
+port number.
+.TP
+\fB-s\fR
+Write memory usage statistics to \fIstdout\fR
+on exit.
+.sp
+.RS
+.B "Note:"
+This option is mainly of interest to BIND 9 developers
+and may be removed or changed in a future release.
+.RE
+.sp
+.TP
+\fB-t \fIdirectory\fB\fR
+\fBchroot()\fR to \fIdirectory\fR after
+processing the command line arguments, but before
+reading the configuration file.
+.sp
+.RS
+.B "Warning:"
+This option should be used in conjunction with the
+\fB-u\fR option, as chrooting a process
+running as root doesn't enhance security on most
+systems; the way \fBchroot()\fR is
+defined allows a process with root privileges to
+escape a chroot jail.
+.RE
+.sp
+.TP
+\fB-u \fIuser\fB\fR
+\fBsetuid()\fR to \fIuser\fR after completing
+privileged operations, such as creating sockets that
+listen on privileged ports.
+.TP
+\fB-v\fR
+Report the version number and exit.
+.SH "FILES"
+.TP
+\fB\fI/etc/resolv.conf\fB\fR
+The default configuration file.
+.TP
+\fB\fI/var/run/lwresd.pid\fB\fR
+The default process-id file.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBlwres\fR(3),
+\fBresolver\fR(5).
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/named/lwresd.c b/contrib/bind9/bin/named/lwresd.c
new file mode 100644
index 0000000..9da4168
--- /dev/null
+++ b/contrib/bind9/bin/named/lwresd.c
@@ -0,0 +1,861 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwresd.c,v 1.37.2.2.2.5 2004/03/08 04:04:19 marka Exp $ */
+
+/*
+ * Main program for the Lightweight Resolver Daemon.
+ *
+ * To paraphrase the old saying about X11, "It's not a lightweight deamon
+ * for resolvers, it's a deamon for lightweight resolvers".
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+#include <named/config.h>
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/lwaddr.h>
+#include <named/lwresd.h>
+#include <named/lwdclient.h>
+#include <named/lwsearch.h>
+#include <named/server.h>
+
+#define LWRESD_MAGIC ISC_MAGIC('L', 'W', 'R', 'D')
+#define VALID_LWRESD(l) ISC_MAGIC_VALID(l, LWRESD_MAGIC)
+
+#define LWRESLISTENER_MAGIC ISC_MAGIC('L', 'W', 'R', 'L')
+#define VALID_LWRESLISTENER(l) ISC_MAGIC_VALID(l, LWRESLISTENER_MAGIC)
+
+/*
+ * The total number of clients we can handle will be NTASKS * NRECVS.
+ */
+#define NTASKS 2 /* tasks to create to handle lwres queries */
+#define NRECVS 2 /* max clients per task */
+
+typedef ISC_LIST(ns_lwreslistener_t) ns_lwreslistenerlist_t;
+
+static ns_lwreslistenerlist_t listeners;
+static isc_mutex_t listeners_lock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+
+static void
+initialize_mutex(void) {
+ RUNTIME_CHECK(isc_mutex_init(&listeners_lock) == ISC_R_SUCCESS);
+}
+
+
+/*
+ * Wrappers around our memory management stuff, for the lwres functions.
+ */
+void *
+ns__lwresd_memalloc(void *arg, size_t size) {
+ return (isc_mem_get(arg, size));
+}
+
+void
+ns__lwresd_memfree(void *arg, void *mem, size_t size) {
+ isc_mem_put(arg, mem, size);
+}
+
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+static isc_result_t
+buffer_putstr(isc_buffer_t *b, const char *s) {
+ unsigned int len = strlen(s);
+ if (isc_buffer_availablelength(b) <= len)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putmem(b, (const unsigned char *)s, len);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Convert a resolv.conf file into a config structure.
+ */
+isc_result_t
+ns_lwresd_parseeresolvconf(isc_mem_t *mctx, cfg_parser_t *pctx,
+ cfg_obj_t **configp)
+{
+ char text[4096];
+ char str[16];
+ isc_buffer_t b;
+ lwres_context_t *lwctx = NULL;
+ lwres_conf_t *lwc = NULL;
+ isc_sockaddr_t sa;
+ isc_netaddr_t na;
+ int i;
+ isc_result_t result;
+ lwres_result_t lwresult;
+
+ lwctx = NULL;
+ lwresult = lwres_context_create(&lwctx, mctx, ns__lwresd_memalloc,
+ ns__lwresd_memfree,
+ LWRES_CONTEXT_SERVERMODE);
+ if (lwresult != LWRES_R_SUCCESS) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ lwresult = lwres_conf_parse(lwctx, lwresd_g_resolvconffile);
+ if (lwresult != LWRES_R_SUCCESS) {
+ result = DNS_R_SYNTAX;
+ goto cleanup;
+ }
+
+ lwc = lwres_conf_get(lwctx);
+ INSIST(lwc != NULL);
+
+ isc_buffer_init(&b, text, sizeof(text));
+
+ CHECK(buffer_putstr(&b, "options {\n"));
+
+ /*
+ * Build the list of forwarders.
+ */
+ if (lwc->nsnext > 0) {
+ CHECK(buffer_putstr(&b, "\tforwarders {\n"));
+
+ for (i = 0; i < lwc->nsnext; i++) {
+ CHECK(lwaddr_sockaddr_fromlwresaddr(
+ &sa,
+ &lwc->nameservers[i],
+ ns_g_port));
+ isc_netaddr_fromsockaddr(&na, &sa);
+ CHECK(buffer_putstr(&b, "\t\t"));
+ CHECK(isc_netaddr_totext(&na, &b));
+ CHECK(buffer_putstr(&b, ";\n"));
+ }
+ CHECK(buffer_putstr(&b, "\t};\n"));
+ }
+
+ /*
+ * Build the sortlist
+ */
+ if (lwc->sortlistnxt > 0) {
+ CHECK(buffer_putstr(&b, "\tsortlist {\n"));
+ CHECK(buffer_putstr(&b, "\t\t{\n"));
+ CHECK(buffer_putstr(&b, "\t\t\tany;\n"));
+ CHECK(buffer_putstr(&b, "\t\t\t{\n"));
+ for (i = 0; i < lwc->sortlistnxt; i++) {
+ lwres_addr_t *lwaddr = &lwc->sortlist[i].addr;
+ lwres_addr_t *lwmask = &lwc->sortlist[i].mask;
+ unsigned int mask;
+
+ CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwmask, 0));
+ isc_netaddr_fromsockaddr(&na, &sa);
+ result = isc_netaddr_masktoprefixlen(&na, &mask);
+ if (result != ISC_R_SUCCESS) {
+ char addrtext[ISC_NETADDR_FORMATSIZE];
+ isc_netaddr_format(&na, addrtext,
+ sizeof(addrtext));
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD,
+ ISC_LOG_ERROR,
+ "processing sortlist: '%s' is "
+ "not a valid netmask",
+ addrtext);
+ goto cleanup;
+ }
+
+ CHECK(lwaddr_sockaddr_fromlwresaddr(&sa, lwaddr, 0));
+ isc_netaddr_fromsockaddr(&na, &sa);
+
+ CHECK(buffer_putstr(&b, "\t\t\t\t"));
+ CHECK(isc_netaddr_totext(&na, &b));
+ snprintf(str, sizeof(str), "%u", mask);
+ CHECK(buffer_putstr(&b, "/"));
+ CHECK(buffer_putstr(&b, str));
+ CHECK(buffer_putstr(&b, ";\n"));
+ }
+ CHECK(buffer_putstr(&b, "\t\t\t};\n"));
+ CHECK(buffer_putstr(&b, "\t\t};\n"));
+ CHECK(buffer_putstr(&b, "\t};\n"));
+ }
+
+ CHECK(buffer_putstr(&b, "};\n\n"));
+
+ CHECK(buffer_putstr(&b, "lwres {\n"));
+
+ /*
+ * Build the search path
+ */
+ if (lwc->searchnxt > 0) {
+ if (lwc->searchnxt > 0) {
+ CHECK(buffer_putstr(&b, "\tsearch {\n"));
+ for (i = 0; i < lwc->searchnxt; i++) {
+ CHECK(buffer_putstr(&b, "\t\t\""));
+ CHECK(buffer_putstr(&b, lwc->search[i]));
+ CHECK(buffer_putstr(&b, "\";\n"));
+ }
+ CHECK(buffer_putstr(&b, "\t};\n"));
+ }
+ }
+
+ /*
+ * Build the ndots line
+ */
+ if (lwc->ndots != 1) {
+ CHECK(buffer_putstr(&b, "\tndots "));
+ snprintf(str, sizeof(str), "%u", lwc->ndots);
+ CHECK(buffer_putstr(&b, str));
+ CHECK(buffer_putstr(&b, ";\n"));
+ }
+
+ /*
+ * Build the listen-on line
+ */
+ if (lwc->lwnext > 0) {
+ CHECK(buffer_putstr(&b, "\tlisten-on {\n"));
+
+ for (i = 0; i < lwc->lwnext; i++) {
+ CHECK(lwaddr_sockaddr_fromlwresaddr(&sa,
+ &lwc->lwservers[i],
+ 0));
+ isc_netaddr_fromsockaddr(&na, &sa);
+ CHECK(buffer_putstr(&b, "\t\t"));
+ CHECK(isc_netaddr_totext(&na, &b));
+ CHECK(buffer_putstr(&b, ";\n"));
+ }
+ CHECK(buffer_putstr(&b, "\t};\n"));
+ }
+
+ CHECK(buffer_putstr(&b, "};\n"));
+
+#if 0
+ printf("%.*s\n",
+ (int)isc_buffer_usedlength(&b),
+ (char *)isc_buffer_base(&b));
+#endif
+
+ lwres_conf_clear(lwctx);
+ lwres_context_destroy(&lwctx);
+
+ return (cfg_parse_buffer(pctx, &b, &cfg_type_namedconf, configp));
+
+ cleanup:
+
+ if (lwctx != NULL) {
+ lwres_conf_clear(lwctx);
+ lwres_context_destroy(&lwctx);
+ }
+
+ return (result);
+}
+
+
+/*
+ * Handle lwresd manager objects
+ */
+isc_result_t
+ns_lwdmanager_create(isc_mem_t *mctx, cfg_obj_t *lwres,
+ ns_lwresd_t **lwresdp)
+{
+ ns_lwresd_t *lwresd;
+ const char *vname;
+ dns_rdataclass_t vclass;
+ cfg_obj_t *obj, *viewobj, *searchobj;
+ cfg_listelt_t *element;
+ isc_result_t result;
+
+ INSIST(lwresdp != NULL && *lwresdp == NULL);
+
+ lwresd = isc_mem_get(mctx, sizeof(ns_lwresd_t));
+ if (lwresd == NULL)
+ return (ISC_R_NOMEMORY);
+
+ lwresd->mctx = NULL;
+ isc_mem_attach(mctx, &lwresd->mctx);
+ lwresd->view = NULL;
+ lwresd->search = NULL;
+ lwresd->refs = 1;
+
+ obj = NULL;
+ (void)cfg_map_get(lwres, "ndots", &obj);
+ if (obj != NULL)
+ lwresd->ndots = cfg_obj_asuint32(obj);
+ else
+ lwresd->ndots = 1;
+
+ RUNTIME_CHECK(isc_mutex_init(&lwresd->lock) == ISC_R_SUCCESS);
+
+ lwresd->shutting_down = ISC_FALSE;
+
+ viewobj = NULL;
+ (void)cfg_map_get(lwres, "view", &viewobj);
+ if (viewobj != NULL) {
+ vname = cfg_obj_asstring(cfg_tuple_get(viewobj, "name"));
+ obj = cfg_tuple_get(viewobj, "class");
+ result = ns_config_getclass(obj, dns_rdataclass_in, &vclass);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ } else {
+ vname = "_default";
+ vclass = dns_rdataclass_in;
+ }
+
+ result = dns_viewlist_find(&ns_g_server->viewlist, vname, vclass,
+ &lwresd->view);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "couldn't find view %s", vname);
+ goto fail;
+ }
+
+ searchobj = NULL;
+ (void)cfg_map_get(lwres, "search", &searchobj);
+ if (searchobj != NULL) {
+ lwresd->search = NULL;
+ result = ns_lwsearchlist_create(lwresd->mctx,
+ &lwresd->search);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "couldn't create searchlist");
+ goto fail;
+ }
+ for (element = cfg_list_first(searchobj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *search;
+ char *searchstr;
+ isc_buffer_t namebuf;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+
+ search = cfg_listelt_value(element);
+ searchstr = cfg_obj_asstring(search);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ isc_buffer_init(&namebuf, searchstr,
+ strlen(searchstr));
+ isc_buffer_add(&namebuf, strlen(searchstr));
+ result = dns_name_fromtext(name, &namebuf,
+ dns_rootname, ISC_FALSE,
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD,
+ ISC_LOG_WARNING,
+ "invalid name %s in searchlist",
+ searchstr);
+ continue;
+ }
+
+ result = ns_lwsearchlist_append(lwresd->search, name);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD,
+ ISC_LOG_WARNING,
+ "couldn't update searchlist");
+ goto fail;
+ }
+ }
+ }
+
+ lwresd->magic = LWRESD_MAGIC;
+
+ *lwresdp = lwresd;
+ return (ISC_R_SUCCESS);
+
+ fail:
+ if (lwresd->view != NULL)
+ dns_view_detach(&lwresd->view);
+ if (lwresd->search != NULL)
+ ns_lwsearchlist_detach(&lwresd->search);
+ if (lwresd->mctx != NULL)
+ isc_mem_detach(&lwresd->mctx);
+ return (result);
+}
+
+void
+ns_lwdmanager_attach(ns_lwresd_t *source, ns_lwresd_t **targetp) {
+ INSIST(VALID_LWRESD(source));
+ INSIST(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+ source->refs++;
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+ns_lwdmanager_detach(ns_lwresd_t **lwresdp) {
+ ns_lwresd_t *lwresd;
+ isc_mem_t *mctx;
+ isc_boolean_t done = ISC_FALSE;
+
+ INSIST(lwresdp != NULL && *lwresdp != NULL);
+ INSIST(VALID_LWRESD(*lwresdp));
+
+ lwresd = *lwresdp;
+ *lwresdp = NULL;
+
+ LOCK(&lwresd->lock);
+ INSIST(lwresd->refs > 0);
+ lwresd->refs--;
+ if (lwresd->refs == 0)
+ done = ISC_TRUE;
+ UNLOCK(&lwresd->lock);
+
+ if (!done)
+ return;
+
+ dns_view_detach(&lwresd->view);
+ if (lwresd->search != NULL)
+ ns_lwsearchlist_detach(&lwresd->search);
+ mctx = lwresd->mctx;
+ lwresd->magic = 0;
+ isc_mem_put(mctx, lwresd, sizeof(*lwresd));
+ isc_mem_detach(&mctx);
+}
+
+
+/*
+ * Handle listener objects
+ */
+void
+ns_lwreslistener_attach(ns_lwreslistener_t *source,
+ ns_lwreslistener_t **targetp)
+{
+ INSIST(VALID_LWRESLISTENER(source));
+ INSIST(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+ source->refs++;
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+ns_lwreslistener_detach(ns_lwreslistener_t **listenerp) {
+ ns_lwreslistener_t *listener;
+ isc_mem_t *mctx;
+ isc_boolean_t done = ISC_FALSE;
+
+ INSIST(listenerp != NULL && *listenerp != NULL);
+ INSIST(VALID_LWRESLISTENER(*listenerp));
+
+ listener = *listenerp;
+
+ LOCK(&listener->lock);
+ INSIST(listener->refs > 0);
+ listener->refs--;
+ if (listener->refs == 0)
+ done = ISC_TRUE;
+ UNLOCK(&listener->lock);
+
+ if (!done)
+ return;
+
+ if (listener->manager != NULL)
+ ns_lwdmanager_detach(&listener->manager);
+
+ if (listener->sock != NULL)
+ isc_socket_detach(&listener->sock);
+
+ listener->magic = 0;
+ mctx = listener->mctx;
+ isc_mem_put(mctx, listener, sizeof(*listener));
+ isc_mem_detach(&mctx);
+ listenerp = NULL;
+}
+
+static isc_result_t
+listener_create(isc_mem_t *mctx, ns_lwresd_t *lwresd,
+ ns_lwreslistener_t **listenerp)
+{
+ ns_lwreslistener_t *listener;
+
+ REQUIRE(listenerp != NULL && *listenerp == NULL);
+
+ listener = isc_mem_get(mctx, sizeof(ns_lwreslistener_t));
+ if (listener == NULL)
+ return (ISC_R_NOMEMORY);
+ RUNTIME_CHECK(isc_mutex_init(&listener->lock) == ISC_R_SUCCESS);
+
+ listener->magic = LWRESLISTENER_MAGIC;
+ listener->refs = 1;
+
+ listener->sock = NULL;
+
+ listener->manager = NULL;
+ ns_lwdmanager_attach(lwresd, &listener->manager);
+
+ listener->mctx = NULL;
+ isc_mem_attach(mctx, &listener->mctx);
+
+ ISC_LINK_INIT(listener, link);
+ ISC_LIST_INIT(listener->cmgrs);
+
+ *listenerp = listener;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+listener_bind(ns_lwreslistener_t *listener, isc_sockaddr_t *address) {
+ isc_socket_t *sock = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ int pf;
+
+ pf = isc_sockaddr_pf(address);
+ if ((pf == AF_INET && isc_net_probeipv4() != ISC_R_SUCCESS) ||
+ (pf == AF_INET6 && isc_net_probeipv6() != ISC_R_SUCCESS))
+ return (ISC_R_FAMILYNOSUPPORT);
+
+ listener->address = *address;
+
+ if (isc_sockaddr_getport(&listener->address) == 0) {
+ in_port_t port;
+ port = lwresd_g_listenport;
+ if (port == 0)
+ port = LWRES_UDP_PORT;
+ isc_sockaddr_setport(&listener->address, port);
+ }
+
+ sock = NULL;
+ result = isc_socket_create(ns_g_socketmgr, pf,
+ isc_sockettype_udp, &sock);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "failed to create lwres socket: %s",
+ isc_result_totext(result));
+ return (result);
+ }
+
+ result = isc_socket_bind(sock, &listener->address);
+ if (result != ISC_R_SUCCESS) {
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_format(&listener->address, socktext,
+ sizeof(socktext));
+ isc_socket_detach(&sock);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "failed to add lwres socket: %s: %s",
+ socktext, isc_result_totext(result));
+ return (result);
+ }
+ listener->sock = sock;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+listener_copysock(ns_lwreslistener_t *oldlistener,
+ ns_lwreslistener_t *newlistener)
+{
+ newlistener->address = oldlistener->address;
+ isc_socket_attach(oldlistener->sock, &newlistener->sock);
+}
+
+static isc_result_t
+listener_startclients(ns_lwreslistener_t *listener) {
+ ns_lwdclientmgr_t *cm;
+ unsigned int i;
+ isc_result_t result;
+
+ /*
+ * Create the client managers.
+ */
+ result = ISC_R_SUCCESS;
+ for (i = 0; i < NTASKS && result == ISC_R_SUCCESS; i++)
+ result = ns_lwdclientmgr_create(listener, NRECVS,
+ ns_g_taskmgr);
+
+ /*
+ * Ensure that we have created at least one.
+ */
+ if (ISC_LIST_EMPTY(listener->cmgrs))
+ return (result);
+
+ /*
+ * Walk the list of clients and start each one up.
+ */
+ LOCK(&listener->lock);
+ cm = ISC_LIST_HEAD(listener->cmgrs);
+ while (cm != NULL) {
+ result = ns_lwdclient_startrecv(cm);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_ERROR,
+ "could not start lwres "
+ "client handler: %s",
+ isc_result_totext(result));
+ cm = ISC_LIST_NEXT(cm, link);
+ }
+ UNLOCK(&listener->lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+listener_shutdown(ns_lwreslistener_t *listener) {
+ ns_lwdclientmgr_t *cm;
+
+ cm = ISC_LIST_HEAD(listener->cmgrs);
+ while (cm != NULL) {
+ isc_task_shutdown(cm->task);
+ cm = ISC_LIST_NEXT(cm, link);
+ }
+}
+
+static isc_result_t
+find_listener(isc_sockaddr_t *address, ns_lwreslistener_t **listenerp) {
+ ns_lwreslistener_t *listener;
+
+ INSIST(listenerp != NULL && *listenerp == NULL);
+
+ for (listener = ISC_LIST_HEAD(listeners);
+ listener != NULL;
+ listener = ISC_LIST_NEXT(listener, link))
+ {
+ if (!isc_sockaddr_equal(address, &listener->address))
+ continue;
+ *listenerp = listener;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_NOTFOUND);
+}
+
+void
+ns_lwreslistener_unlinkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm)
+{
+ REQUIRE(VALID_LWRESLISTENER(listener));
+
+ LOCK(&listener->lock);
+ ISC_LIST_UNLINK(listener->cmgrs, cm, link);
+ UNLOCK(&listener->lock);
+}
+
+void
+ns_lwreslistener_linkcm(ns_lwreslistener_t *listener, ns_lwdclientmgr_t *cm) {
+ REQUIRE(VALID_LWRESLISTENER(listener));
+
+ /*
+ * This does no locking, since it's called early enough that locking
+ * isn't needed.
+ */
+ ISC_LIST_APPEND(listener->cmgrs, cm, link);
+}
+
+static isc_result_t
+configure_listener(isc_sockaddr_t *address, ns_lwresd_t *lwresd,
+ isc_mem_t *mctx, ns_lwreslistenerlist_t *newlisteners)
+{
+ ns_lwreslistener_t *listener, *oldlistener = NULL;
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_result_t result;
+
+ (void)find_listener(address, &oldlistener);
+ listener = NULL;
+ result = listener_create(mctx, lwresd, &listener);
+ if (result != ISC_R_SUCCESS) {
+ isc_sockaddr_format(address, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "lwres failed to configure %s: %s",
+ socktext, isc_result_totext(result));
+ return (result);
+ }
+
+ /*
+ * If there's already a listener, don't rebind the socket.
+ */
+ if (oldlistener == NULL) {
+ result = listener_bind(listener, address);
+ if (result != ISC_R_SUCCESS) {
+ ns_lwreslistener_detach(&listener);
+ return (ISC_R_SUCCESS);
+ }
+ } else
+ listener_copysock(oldlistener, listener);
+
+ result = listener_startclients(listener);
+ if (result != ISC_R_SUCCESS) {
+ isc_sockaddr_format(address, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_WARNING,
+ "lwres: failed to start %s: %s", socktext,
+ isc_result_totext(result));
+ ns_lwreslistener_detach(&listener);
+ return (ISC_R_SUCCESS);
+ }
+
+ if (oldlistener != NULL) {
+ /*
+ * Remove the old listener from the old list and shut it down.
+ */
+ ISC_LIST_UNLINK(listeners, oldlistener, link);
+ listener_shutdown(oldlistener);
+ ns_lwreslistener_detach(&oldlistener);
+ } else {
+ isc_sockaddr_format(address, socktext, sizeof(socktext));
+ isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
+ "lwres listening on %s", socktext);
+ }
+
+ ISC_LIST_APPEND(*newlisteners, listener, link);
+ return (result);
+}
+
+isc_result_t
+ns_lwresd_configure(isc_mem_t *mctx, cfg_obj_t *config) {
+ cfg_obj_t *lwreslist = NULL;
+ cfg_obj_t *lwres = NULL;
+ cfg_obj_t *listenerslist = NULL;
+ cfg_listelt_t *element = NULL;
+ ns_lwreslistener_t *listener;
+ ns_lwreslistenerlist_t newlisteners;
+ isc_result_t result;
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t *addrs = NULL;
+ ns_lwresd_t *lwresd = NULL;
+ isc_uint32_t count = 0;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(config != NULL);
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
+
+ ISC_LIST_INIT(newlisteners);
+
+ result = cfg_map_get(config, "lwres", &lwreslist);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+
+ LOCK(&listeners_lock);
+ /*
+ * Run through the new lwres address list, noting sockets that
+ * are already being listened on and moving them to the new list.
+ *
+ * Identifying duplicates addr/port combinations is left to either
+ * the underlying config code, or to the bind attempt getting an
+ * address-in-use error.
+ */
+ for (element = cfg_list_first(lwreslist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ in_port_t port;
+
+ lwres = cfg_listelt_value(element);
+ CHECK(ns_lwdmanager_create(mctx, lwres, &lwresd));
+
+ port = lwresd_g_listenport;
+ if (port == 0)
+ port = LWRES_UDP_PORT;
+
+ listenerslist = NULL;
+ (void)cfg_map_get(lwres, "listen-on", &listenerslist);
+ if (listenerslist == NULL) {
+ struct in_addr localhost;
+ isc_sockaddr_t address;
+
+ localhost.s_addr = htonl(INADDR_LOOPBACK);
+ isc_sockaddr_fromin(&address, &localhost, port);
+ CHECK(configure_listener(&address, lwresd, mctx,
+ &newlisteners));
+ } else {
+ isc_uint32_t i;
+
+ CHECK(ns_config_getiplist(config, listenerslist,
+ port, mctx, &addrs, &count));
+ for (i = 0; i < count; i++)
+ CHECK(configure_listener(&addrs[i], lwresd,
+ mctx, &newlisteners));
+ ns_config_putiplist(mctx, &addrs, count);
+ }
+ ns_lwdmanager_detach(&lwresd);
+ }
+
+ /*
+ * Shutdown everything on the listeners list, and remove them from
+ * the list. Then put all of the new listeners on it.
+ */
+
+ while (!ISC_LIST_EMPTY(listeners)) {
+ listener = ISC_LIST_HEAD(listeners);
+ ISC_LIST_UNLINK(listeners, listener, link);
+
+ isc_sockaddr_format(&listener->address,
+ socktext, sizeof(socktext));
+
+ listener_shutdown(listener);
+ ns_lwreslistener_detach(&listener);
+
+ isc_log_write(ns_g_lctx, ISC_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_LWRESD, ISC_LOG_NOTICE,
+ "lwres no longer listening on %s", socktext);
+ }
+
+ cleanup:
+ ISC_LIST_APPENDLIST(listeners, newlisteners, link);
+
+ if (addrs != NULL)
+ ns_config_putiplist(mctx, &addrs, count);
+
+ if (lwresd != NULL)
+ ns_lwdmanager_detach(&lwresd);
+
+ UNLOCK(&listeners_lock);
+
+ return (result);
+}
+
+void
+ns_lwresd_shutdown(void) {
+ ns_lwreslistener_t *listener;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize_mutex) == ISC_R_SUCCESS);
+
+ while (!ISC_LIST_EMPTY(listeners)) {
+ listener = ISC_LIST_HEAD(listeners);
+ ISC_LIST_UNLINK(listeners, listener, link);
+ ns_lwreslistener_detach(&listener);
+ }
+}
diff --git a/contrib/bind9/bin/named/lwresd.docbook b/contrib/bind9/bin/named/lwresd.docbook
new file mode 100644
index 0000000..46314c2
--- /dev/null
+++ b/contrib/bind9/bin/named/lwresd.docbook
@@ -0,0 +1,300 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwresd.docbook,v 1.6.208.2 2004/06/03 02:24:57 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>lwresd</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>lwresd</application></refname>
+ <refpurpose>lightweight resolver daemon</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>lwresd</command>
+ <arg><option>-C <replaceable class="parameter">config-file</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
+ <arg><option>-f</option></arg>
+ <arg><option>-g</option></arg>
+ <arg><option>-i <replaceable class="parameter">pid-file</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
+ <arg><option>-P <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-s</option></arg>
+ <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+ <arg><option>-v</option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>lwresd</command> is the daemon providing name lookup
+ services to clients that use the BIND 9 lightweight resolver
+ library. It is essentially a stripped-down, caching-only name
+ server that answers queries using the BIND 9 lightweight
+ resolver protocol rather than the DNS protocol.
+ </para>
+ <para>
+ <command>lwresd</command> listens for resolver queries on a
+ UDP port on the IPv4 loopback interface, 127.0.0.1. This
+ means that <command>lwresd</command> can only be used by
+ processes running on the local machine. By default UDP port
+ number 921 is used for lightweight resolver requests and
+ responses.
+ </para>
+ <para>
+ Incoming lightweight resolver requests are decoded by the
+ server which then resolves them using the DNS protocol. When
+ the DNS lookup completes, <command>lwresd</command> encodes
+ the answers in the lightweight resolver format and returns
+ them to the client that made the request.
+ </para>
+ <para>
+ If <filename>/etc/resolv.conf</filename> contains any
+ <option>nameserver</option> entries, <command>lwresd</command>
+ sends recursive DNS queries to those servers. This is similar
+ to the use of forwarders in a caching name server. If no
+ <option>nameserver</option> entries are present, or if
+ forwarding fails, <command>lwresd</command> resolves the
+ queries autonomously starting at the root name servers, using
+ a built-in list of root server hints.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-C <replaceable class="parameter">config-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable
+ class="parameter">config-file</replaceable> as the
+ configuration file instead of the default,
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">debug-level</replaceable></term>
+ <listitem>
+ <para>
+ Set the daemon's debug level to <replaceable
+ class="parameter">debug-level</replaceable>.
+ Debugging traces from <command>lwresd</command> become
+ more verbose as the debug level increases.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Run the server in the foreground (i.e. do not daemonize).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g</term>
+ <listitem>
+ <para>
+ Run the server in the foreground and force all logging
+ to <filename>stderr</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">#cpus</replaceable></term>
+ <listitem>
+ <para>
+ Create <replaceable
+ class="parameter">#cpus</replaceable> worker threads
+ to take advantage of multiple CPUs. If not specified,
+ <command>lwresd</command> will try to determine the
+ number of CPUs present and create one thread per CPU.
+ If it is unable to determine the number of CPUs, a
+ single worker thread will be created.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-P <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Listen for lightweight resolver queries on port
+ <replaceable class="parameter">port</replaceable>. If
+ not specified, the default is port 921.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Send DNS lookups to port <replaceable
+ class="parameter">port</replaceable>. If not
+ specified, the default is port 53. This provides a
+ way of testing the lightweight resolver daemon with a
+ name server that listens for queries on a non-standard
+ port number.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem>
+ <para>
+ Write memory usage statistics to <filename>stdout</filename>
+ on exit.
+ </para>
+ <note>
+ <para>
+ This option is mainly of interest to BIND 9 developers
+ and may be removed or changed in a future release.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ <function>chroot()</function> to <replaceable
+ class="parameter">directory</replaceable> after
+ processing the command line arguments, but before
+ reading the configuration file.
+ </para>
+ <warning>
+ <para>
+ This option should be used in conjunction with the
+ <option>-u</option> option, as chrooting a process
+ running as root doesn't enhance security on most
+ systems; the way <function>chroot()</function> is
+ defined allows a process with root privileges to
+ escape a chroot jail.
+ </para>
+ </warning>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u <replaceable class="parameter">user</replaceable></term>
+ <listitem>
+ <para>
+ <function>setuid()</function> to <replaceable
+ class="parameter">user</replaceable> after completing
+ privileged operations, such as creating sockets that
+ listen on privileged ports.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Report the version number and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><filename>/etc/resolv.conf</filename></term>
+ <listitem>
+ <para>
+ The default configuration file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/var/run/lwresd.pid</filename></term>
+ <listitem>
+ <para>
+ The default process-id file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>named</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>lwres</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>resolver</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/named/lwresd.html b/contrib/bind9/bin/named/lwresd.html
new file mode 100644
index 0000000..afe7af2
--- /dev/null
+++ b/contrib/bind9/bin/named/lwresd.html
@@ -0,0 +1,497 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwresd.html,v 1.4.2.1.4.3 2004/08/22 23:38:59 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwresd</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>lwresd</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>lwresd</SPAN
+>&nbsp;--&nbsp;lightweight resolver daemon</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>lwresd</B
+> [<VAR
+CLASS="OPTION"
+>-C <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-d <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-f</VAR
+>] [<VAR
+CLASS="OPTION"
+>-g</VAR
+>] [<VAR
+CLASS="OPTION"
+>-i <VAR
+CLASS="REPLACEABLE"
+>pid-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-n <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-P <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s</VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-v</VAR
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN48"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>lwresd</B
+> is the daemon providing name lookup
+ services to clients that use the BIND 9 lightweight resolver
+ library. It is essentially a stripped-down, caching-only name
+ server that answers queries using the BIND 9 lightweight
+ resolver protocol rather than the DNS protocol.
+ </P
+><P
+> <B
+CLASS="COMMAND"
+>lwresd</B
+> listens for resolver queries on a
+ UDP port on the IPv4 loopback interface, 127.0.0.1. This
+ means that <B
+CLASS="COMMAND"
+>lwresd</B
+> can only be used by
+ processes running on the local machine. By default UDP port
+ number 921 is used for lightweight resolver requests and
+ responses.
+ </P
+><P
+> Incoming lightweight resolver requests are decoded by the
+ server which then resolves them using the DNS protocol. When
+ the DNS lookup completes, <B
+CLASS="COMMAND"
+>lwresd</B
+> encodes
+ the answers in the lightweight resolver format and returns
+ them to the client that made the request.
+ </P
+><P
+> If <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+> contains any
+ <VAR
+CLASS="OPTION"
+>nameserver</VAR
+> entries, <B
+CLASS="COMMAND"
+>lwresd</B
+>
+ sends recursive DNS queries to those servers. This is similar
+ to the use of forwarders in a caching name server. If no
+ <VAR
+CLASS="OPTION"
+>nameserver</VAR
+> entries are present, or if
+ forwarding fails, <B
+CLASS="COMMAND"
+>lwresd</B
+> resolves the
+ queries autonomously starting at the root name servers, using
+ a built-in list of root server hints.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN63"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-C <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></DT
+><DD
+><P
+> Use <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+> as the
+ configuration file instead of the default,
+ <TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+>.
+ </P
+></DD
+><DT
+>-d <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+></DT
+><DD
+><P
+> Set the daemon's debug level to <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+>.
+ Debugging traces from <B
+CLASS="COMMAND"
+>lwresd</B
+> become
+ more verbose as the debug level increases.
+ </P
+></DD
+><DT
+>-f</DT
+><DD
+><P
+> Run the server in the foreground (i.e. do not daemonize).
+ </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+> Run the server in the foreground and force all logging
+ to <TT
+CLASS="FILENAME"
+>stderr</TT
+>.
+ </P
+></DD
+><DT
+>-n <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+></DT
+><DD
+><P
+> Create <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+> worker threads
+ to take advantage of multiple CPUs. If not specified,
+ <B
+CLASS="COMMAND"
+>lwresd</B
+> will try to determine the
+ number of CPUs present and create one thread per CPU.
+ If it is unable to determine the number of CPUs, a
+ single worker thread will be created.
+ </P
+></DD
+><DT
+>-P <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></DT
+><DD
+><P
+> Listen for lightweight resolver queries on port
+ <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+>. If
+ not specified, the default is port 921.
+ </P
+></DD
+><DT
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></DT
+><DD
+><P
+> Send DNS lookups to port <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+>. If not
+ specified, the default is port 53. This provides a
+ way of testing the lightweight resolver daemon with a
+ name server that listens for queries on a non-standard
+ port number.
+ </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+> Write memory usage statistics to <TT
+CLASS="FILENAME"
+>stdout</TT
+>
+ on exit.
+ </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+> This option is mainly of interest to BIND 9 developers
+ and may be removed or changed in a future release.
+ </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> <CODE
+CLASS="FUNCTION"
+>chroot()</CODE
+> to <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+> after
+ processing the command line arguments, but before
+ reading the configuration file.
+ </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> This option should be used in conjunction with the
+ <VAR
+CLASS="OPTION"
+>-u</VAR
+> option, as chrooting a process
+ running as root doesn't enhance security on most
+ systems; the way <CODE
+CLASS="FUNCTION"
+>chroot()</CODE
+> is
+ defined allows a process with root privileges to
+ escape a chroot jail.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+><DT
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></DT
+><DD
+><P
+> <CODE
+CLASS="FUNCTION"
+>setuid()</CODE
+> to <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+> after completing
+ privileged operations, such as creating sockets that
+ listen on privileged ports.
+ </P
+></DD
+><DT
+>-v</DT
+><DD
+><P
+> Report the version number and exit.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN137"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></DT
+><DD
+><P
+> The default configuration file.
+ </P
+></DD
+><DT
+><TT
+CLASS="FILENAME"
+>/var/run/lwresd.pid</TT
+></DT
+><DD
+><P
+> The default process-id file.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN150"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN162"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/named/lwsearch.c b/contrib/bind9/bin/named/lwsearch.c
new file mode 100644
index 0000000..8b9ea52
--- /dev/null
+++ b/contrib/bind9/bin/named/lwsearch.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwsearch.c,v 1.7.208.1 2004/03/06 10:21:20 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+#include <named/lwsearch.h>
+#include <named/types.h>
+
+#define LWSEARCHLIST_MAGIC ISC_MAGIC('L', 'W', 'S', 'L')
+#define VALID_LWSEARCHLIST(l) ISC_MAGIC_VALID(l, LWSEARCHLIST_MAGIC)
+
+isc_result_t
+ns_lwsearchlist_create(isc_mem_t *mctx, ns_lwsearchlist_t **listp) {
+ ns_lwsearchlist_t *list;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(listp != NULL && *listp == NULL);
+
+ list = isc_mem_get(mctx, sizeof(ns_lwsearchlist_t));
+ if (list == NULL)
+ return (ISC_R_NOMEMORY);
+
+ RUNTIME_CHECK(isc_mutex_init(&list->lock) == ISC_R_SUCCESS);
+ list->mctx = NULL;
+ isc_mem_attach(mctx, &list->mctx);
+ list->refs = 1;
+ ISC_LIST_INIT(list->names);
+ list->magic = LWSEARCHLIST_MAGIC;
+
+ *listp = list;
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_lwsearchlist_attach(ns_lwsearchlist_t *source, ns_lwsearchlist_t **target) {
+ REQUIRE(VALID_LWSEARCHLIST(source));
+ REQUIRE(target != NULL && *target == NULL);
+
+ LOCK(&source->lock);
+ INSIST(source->refs > 0);
+ source->refs++;
+ INSIST(source->refs != 0);
+ UNLOCK(&source->lock);
+
+ *target = source;
+}
+
+void
+ns_lwsearchlist_detach(ns_lwsearchlist_t **listp) {
+ ns_lwsearchlist_t *list;
+ isc_mem_t *mctx;
+
+ REQUIRE(listp != NULL);
+ list = *listp;
+ REQUIRE(VALID_LWSEARCHLIST(list));
+
+ LOCK(&list->lock);
+ INSIST(list->refs > 0);
+ list->refs--;
+ UNLOCK(&list->lock);
+
+ *listp = NULL;
+ if (list->refs != 0)
+ return;
+
+ mctx = list->mctx;
+ while (!ISC_LIST_EMPTY(list->names)) {
+ dns_name_t *name = ISC_LIST_HEAD(list->names);
+ ISC_LIST_UNLINK(list->names, name, link);
+ dns_name_free(name, list->mctx);
+ isc_mem_put(list->mctx, name, sizeof(dns_name_t));
+ }
+ list->magic = 0;
+ isc_mem_put(mctx, list, sizeof(ns_lwsearchlist_t));
+ isc_mem_detach(&mctx);
+}
+
+isc_result_t
+ns_lwsearchlist_append(ns_lwsearchlist_t *list, dns_name_t *name) {
+ dns_name_t *newname;
+ isc_result_t result;
+
+ REQUIRE(VALID_LWSEARCHLIST(list));
+ REQUIRE(name != NULL);
+
+ newname = isc_mem_get(list->mctx, sizeof(dns_name_t));
+ if (newname == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_init(newname, NULL);
+ result = dns_name_dup(name, list->mctx, newname);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(list->mctx, newname, sizeof(dns_name_t));
+ return (result);
+ }
+ ISC_LINK_INIT(newname, link);
+ ISC_LIST_APPEND(list->names, newname, link);
+ return (ISC_R_SUCCESS);
+}
+
+void
+ns_lwsearchctx_init(ns_lwsearchctx_t *sctx, ns_lwsearchlist_t *list,
+ dns_name_t *name, unsigned int ndots)
+{
+ INSIST(sctx != NULL);
+ sctx->relname = name;
+ sctx->searchname = NULL;
+ sctx->doneexact = ISC_FALSE;
+ sctx->exactfirst = ISC_FALSE;
+ sctx->ndots = ndots;
+ if (dns_name_isabsolute(name) || list == NULL) {
+ sctx->list = NULL;
+ return;
+ }
+ sctx->list = list;
+ sctx->searchname = ISC_LIST_HEAD(sctx->list->names);
+ if (dns_name_countlabels(name) > ndots)
+ sctx->exactfirst = ISC_TRUE;
+}
+
+void
+ns_lwsearchctx_first(ns_lwsearchctx_t *sctx) {
+ REQUIRE(sctx != NULL);
+ UNUSED(sctx);
+}
+
+isc_result_t
+ns_lwsearchctx_next(ns_lwsearchctx_t *sctx) {
+ REQUIRE(sctx != NULL);
+
+ if (sctx->list == NULL)
+ return (ISC_R_NOMORE);
+
+ if (sctx->searchname == NULL) {
+ INSIST (!sctx->exactfirst || sctx->doneexact);
+ if (sctx->exactfirst || sctx->doneexact)
+ return (ISC_R_NOMORE);
+ sctx->doneexact = ISC_TRUE;
+ } else {
+ if (sctx->exactfirst && !sctx->doneexact)
+ sctx->doneexact = ISC_TRUE;
+ else {
+ sctx->searchname = ISC_LIST_NEXT(sctx->searchname,
+ link);
+ if (sctx->searchname == NULL && sctx->doneexact)
+ return (ISC_R_NOMORE);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_lwsearchctx_current(ns_lwsearchctx_t *sctx, dns_name_t *absname) {
+ dns_name_t *tname;
+ isc_boolean_t useexact = ISC_FALSE;
+
+ REQUIRE(sctx != NULL);
+
+ if (sctx->list == NULL ||
+ sctx->searchname == NULL ||
+ (sctx->exactfirst && !sctx->doneexact))
+ useexact = ISC_TRUE;
+
+ if (useexact) {
+ if (dns_name_isabsolute(sctx->relname))
+ tname = NULL;
+ else
+ tname = dns_rootname;
+ } else
+ tname = sctx->searchname;
+
+ return (dns_name_concatenate(sctx->relname, tname, absname, NULL));
+}
diff --git a/contrib/bind9/bin/named/main.c b/contrib/bind9/bin/named/main.c
new file mode 100644
index 0000000..432afe5
--- /dev/null
+++ b/contrib/bind9/bin/named/main.c
@@ -0,0 +1,884 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: main.c,v 1.119.2.3.2.16 2004/09/01 07:16:35 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/app.h>
+#include <isc/commandline.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/os.h>
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <isccc/result.h>
+
+#include <dns/dispatch.h>
+#include <dns/name.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+#include <dst/result.h>
+
+#ifdef HAVE_LIBSCF
+#include <libscf.h>
+#endif
+
+/*
+ * Defining NS_MAIN provides storage declarations (rather than extern)
+ * for variables in named/globals.h.
+ */
+#define NS_MAIN 1
+
+#include <named/builtin.h>
+#include <named/control.h>
+#include <named/globals.h> /* Explicit, though named/log.h includes it. */
+#include <named/interfacemgr.h>
+#include <named/log.h>
+#include <named/os.h>
+#include <named/server.h>
+#include <named/lwresd.h>
+#include <named/main.h>
+
+/*
+ * Include header files for database drivers here.
+ */
+/* #include "xxdb.h" */
+
+static isc_boolean_t want_stats = ISC_FALSE;
+static char program_name[ISC_DIR_NAMEMAX] = "named";
+static char absolute_conffile[ISC_DIR_PATHMAX];
+static char saved_command_line[512];
+static char version[512];
+
+void
+ns_main_earlywarning(const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ if (ns_g_lctx != NULL) {
+ isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_WARNING,
+ format, args);
+ } else {
+ fprintf(stderr, "%s: ", program_name);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+ }
+ va_end(args);
+}
+
+void
+ns_main_earlyfatal(const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ if (ns_g_lctx != NULL) {
+ isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ format, args);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ "exiting (due to early fatal error)");
+ } else {
+ fprintf(stderr, "%s: ", program_name);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+ }
+ va_end(args);
+
+ exit(1);
+}
+
+static void
+assertion_failed(const char *file, int line, isc_assertiontype_t type,
+ const char *cond)
+{
+ /*
+ * Handle assertion failures.
+ */
+
+ if (ns_g_lctx != NULL) {
+ /*
+ * Reset the assetion callback in case it is the log
+ * routines causing the assertion.
+ */
+ isc_assertion_setcallback(NULL);
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ "%s:%d: %s(%s) failed", file, line,
+ isc_assertion_typetotext(type), cond);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ "exiting (due to assertion failure)");
+ } else {
+ fprintf(stderr, "%s:%d: %s(%s) failed\n",
+ file, line, isc_assertion_typetotext(type), cond);
+ fflush(stderr);
+ }
+
+ if (ns_g_coreok)
+ abort();
+ exit(1);
+}
+
+static void
+library_fatal_error(const char *file, int line, const char *format,
+ va_list args) ISC_FORMAT_PRINTF(3, 0);
+
+static void
+library_fatal_error(const char *file, int line, const char *format,
+ va_list args)
+{
+ /*
+ * Handle isc_error_fatal() calls from our libraries.
+ */
+
+ if (ns_g_lctx != NULL) {
+ /*
+ * Reset the error callback in case it is the log
+ * routines causing the assertion.
+ */
+ isc_error_setfatal(NULL);
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ "%s:%d: fatal error:", file, line);
+ isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ format, args);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_CRITICAL,
+ "exiting (due to fatal error in library)");
+ } else {
+ fprintf(stderr, "%s:%d: fatal error: ", file, line);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+ }
+
+ if (ns_g_coreok)
+ abort();
+ exit(1);
+}
+
+static void
+library_unexpected_error(const char *file, int line, const char *format,
+ va_list args) ISC_FORMAT_PRINTF(3, 0);
+
+static void
+library_unexpected_error(const char *file, int line, const char *format,
+ va_list args)
+{
+ /*
+ * Handle isc_error_unexpected() calls from our libraries.
+ */
+
+ if (ns_g_lctx != NULL) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
+ "%s:%d: unexpected error:", file, line);
+ isc_log_vwrite(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_ERROR,
+ format, args);
+ } else {
+ fprintf(stderr, "%s:%d: fatal error: ", file, line);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+ }
+}
+
+static void
+lwresd_usage(void) {
+ fprintf(stderr,
+ "usage: lwresd [-4|-6] [-c conffile | -C resolvconffile] "
+ "[-d debuglevel]\n"
+ " [-f|-g] [-n number_of_cpus] [-p port] "
+ "[-P listen-port] [-s]\n"
+ " [-t chrootdir] [-u username] [-i pidfile]\n"
+ " [-m {usage|trace|record}]\n");
+}
+
+static void
+usage(void) {
+ if (ns_g_lwresdonly) {
+ lwresd_usage();
+ return;
+ }
+ fprintf(stderr,
+ "usage: named [-4|-6] [-c conffile] [-d debuglevel] "
+ "[-f|-g] [-n number_of_cpus]\n"
+ " [-p port] [-s] [-t chrootdir] [-u username]\n"
+ " [-m {usage|trace|record}]\n");
+}
+
+static void
+save_command_line(int argc, char *argv[]) {
+ int i;
+ char *src;
+ char *dst;
+ char *eob;
+ const char truncated[] = "...";
+ isc_boolean_t quoted = ISC_FALSE;
+
+ dst = saved_command_line;
+ eob = saved_command_line + sizeof(saved_command_line);
+
+ for (i = 1; i < argc && dst < eob; i++) {
+ *dst++ = ' ';
+
+ src = argv[i];
+ while (*src != '\0' && dst < eob) {
+ /*
+ * This won't perfectly produce a shell-independent
+ * pastable command line in all circumstances, but
+ * comes close, and for practical purposes will
+ * nearly always be fine.
+ */
+ if (quoted || isalnum(*src & 0xff) ||
+ *src == '-' || *src == '_' ||
+ *src == '.' || *src == '/') {
+ *dst++ = *src++;
+ quoted = ISC_FALSE;
+ } else {
+ *dst++ = '\\';
+ quoted = ISC_TRUE;
+ }
+ }
+ }
+
+ INSIST(sizeof(saved_command_line) >= sizeof(truncated));
+
+ if (dst == eob)
+ strcpy(eob - sizeof(truncated), truncated);
+ else
+ *dst = '\0';
+}
+
+static int
+parse_int(char *arg, const char *desc) {
+ char *endp;
+ int tmp;
+ long int ltmp;
+
+ ltmp = strtol(arg, &endp, 10);
+ tmp = (int) ltmp;
+ if (*endp != '\0')
+ ns_main_earlyfatal("%s '%s' must be numeric", desc, arg);
+ if (tmp < 0 || tmp != ltmp)
+ ns_main_earlyfatal("%s '%s' out of range", desc, arg);
+ return (tmp);
+}
+
+static struct flag_def {
+ const char *name;
+ unsigned int value;
+} mem_debug_flags[] = {
+ { "trace", ISC_MEM_DEBUGTRACE },
+ { "record", ISC_MEM_DEBUGRECORD },
+ { "usage", ISC_MEM_DEBUGUSAGE },
+ { NULL, 0 }
+};
+
+static void
+set_flags(const char *arg, struct flag_def *defs, unsigned int *ret) {
+ for (;;) {
+ const struct flag_def *def;
+ const char *end = strchr(arg, ',');
+ int arglen;
+ if (end == NULL)
+ end = arg + strlen(arg);
+ arglen = end - arg;
+ for (def = defs; def->name != NULL; def++) {
+ if (arglen == (int)strlen(def->name) &&
+ memcmp(arg, def->name, arglen) == 0) {
+ *ret |= def->value;
+ goto found;
+ }
+ }
+ ns_main_earlyfatal("unrecognized flag '%.*s'", arglen, arg);
+ found:
+ if (*end == '\0')
+ break;
+ arg = end + 1;
+ }
+}
+
+static void
+parse_command_line(int argc, char *argv[]) {
+ int ch;
+ int port;
+ isc_boolean_t disable6 = ISC_FALSE;
+ isc_boolean_t disable4 = ISC_FALSE;
+
+ save_command_line(argc, argv);
+
+ isc_commandline_errprint = ISC_FALSE;
+ while ((ch = isc_commandline_parse(argc, argv,
+ "46c:C:d:fgi:lm:n:N:p:P:st:u:vx:")) != -1) {
+ switch (ch) {
+ case '4':
+ if (disable4)
+ ns_main_earlyfatal("cannot specify -4 and -6");
+ if (isc_net_probeipv4() != ISC_R_SUCCESS)
+ ns_main_earlyfatal("IPv4 not supported by OS");
+ isc_net_disableipv6();
+ disable6 = ISC_TRUE;
+ break;
+ case '6':
+ if (disable6)
+ ns_main_earlyfatal("cannot specify -4 and -6");
+ if (isc_net_probeipv6() != ISC_R_SUCCESS)
+ ns_main_earlyfatal("IPv6 not supported by OS");
+ isc_net_disableipv4();
+ disable4 = ISC_TRUE;
+ break;
+ case 'c':
+ ns_g_conffile = isc_commandline_argument;
+ lwresd_g_conffile = isc_commandline_argument;
+ if (lwresd_g_useresolvconf)
+ ns_main_earlyfatal("cannot specify -c and -C");
+ ns_g_conffileset = ISC_TRUE;
+ break;
+ case 'C':
+ lwresd_g_resolvconffile = isc_commandline_argument;
+ if (ns_g_conffileset)
+ ns_main_earlyfatal("cannot specify -c and -C");
+ lwresd_g_useresolvconf = ISC_TRUE;
+ break;
+ case 'd':
+ ns_g_debuglevel = parse_int(isc_commandline_argument,
+ "debug level");
+ break;
+ case 'f':
+ ns_g_foreground = ISC_TRUE;
+ break;
+ case 'g':
+ ns_g_foreground = ISC_TRUE;
+ ns_g_logstderr = ISC_TRUE;
+ break;
+ /* XXXBEW -i should be removed */
+ case 'i':
+ lwresd_g_defaultpidfile = isc_commandline_argument;
+ break;
+ case 'l':
+ ns_g_lwresdonly = ISC_TRUE;
+ break;
+ case 'm':
+ set_flags(isc_commandline_argument, mem_debug_flags,
+ &isc_mem_debugging);
+ break;
+ case 'N': /* Deprecated. */
+ case 'n':
+ ns_g_cpus = parse_int(isc_commandline_argument,
+ "number of cpus");
+ if (ns_g_cpus == 0)
+ ns_g_cpus = 1;
+ break;
+ case 'p':
+ port = parse_int(isc_commandline_argument, "port");
+ if (port < 1 || port > 65535)
+ ns_main_earlyfatal("port '%s' out of range",
+ isc_commandline_argument);
+ ns_g_port = port;
+ break;
+ /* XXXBEW Should -P be removed? */
+ case 'P':
+ port = parse_int(isc_commandline_argument, "port");
+ if (port < 1 || port > 65535)
+ ns_main_earlyfatal("port '%s' out of range",
+ isc_commandline_argument);
+ lwresd_g_listenport = port;
+ break;
+ case 's':
+ /* XXXRTH temporary syntax */
+ want_stats = ISC_TRUE;
+ break;
+ case 't':
+ /* XXXJAB should we make a copy? */
+ ns_g_chrootdir = isc_commandline_argument;
+ break;
+ case 'u':
+ ns_g_username = isc_commandline_argument;
+ break;
+ case 'v':
+ printf("BIND %s\n", ns_g_version);
+ exit(0);
+ case '?':
+ usage();
+ ns_main_earlyfatal("unknown option '-%c'",
+ isc_commandline_option);
+ default:
+ ns_main_earlyfatal("parsing options returned %d", ch);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc > 0) {
+ usage();
+ ns_main_earlyfatal("extra command line arguments");
+ }
+}
+
+static isc_result_t
+create_managers(void) {
+ isc_result_t result;
+#ifdef ISC_PLATFORM_USETHREADS
+ unsigned int cpus_detected;
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
+ cpus_detected = isc_os_ncpus();
+ if (ns_g_cpus == 0)
+ ns_g_cpus = cpus_detected;
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "found %u CPU%s, using %u worker thread%s",
+ cpus_detected, cpus_detected == 1 ? "" : "s",
+ ns_g_cpus, ns_g_cpus == 1 ? "" : "s");
+#else
+ ns_g_cpus = 1;
+#endif
+ result = isc_taskmgr_create(ns_g_mctx, ns_g_cpus, 0, &ns_g_taskmgr);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "ns_taskmgr_create() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = isc_timermgr_create(ns_g_mctx, &ns_g_timermgr);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "ns_timermgr_create() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = isc_socketmgr_create(ns_g_mctx, &ns_g_socketmgr);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_socketmgr_create() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = isc_entropy_create(ns_g_mctx, &ns_g_entropy);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_entropy_create() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_hash_create() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+destroy_managers(void) {
+ ns_lwresd_shutdown();
+
+ isc_entropy_detach(&ns_g_entropy);
+ if (ns_g_fallbackentropy != NULL)
+ isc_entropy_detach(&ns_g_fallbackentropy);
+
+ /*
+ * isc_taskmgr_destroy() will block until all tasks have exited,
+ */
+ isc_taskmgr_destroy(&ns_g_taskmgr);
+ isc_timermgr_destroy(&ns_g_timermgr);
+ isc_socketmgr_destroy(&ns_g_socketmgr);
+
+ /*
+ * isc_hash_destroy() cannot be called as long as a resolver may be
+ * running. Calling this after isc_taskmgr_destroy() ensures the
+ * call is safe.
+ */
+ isc_hash_destroy();
+}
+
+static void
+setup(void) {
+ isc_result_t result;
+
+ /*
+ * Get the user and group information before changing the root
+ * directory, so the administrator does not need to keep a copy
+ * of the user and group databases in the chroot'ed environment.
+ */
+ ns_os_inituserinfo(ns_g_username);
+
+ /*
+ * Initialize time conversion information
+ */
+ ns_os_tzset();
+
+ ns_os_opendevnull();
+
+#ifdef PATH_RANDOMDEV
+ /*
+ * Initialize system's random device as fallback entropy source
+ * if running chroot'ed.
+ */
+ if (ns_g_chrootdir != NULL) {
+ result = isc_entropy_create(ns_g_mctx, &ns_g_fallbackentropy);
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("isc_entropy_create() failed: %s",
+ isc_result_totext(result));
+
+ result = isc_entropy_createfilesource(ns_g_fallbackentropy,
+ PATH_RANDOMDEV);
+ if (result != ISC_R_SUCCESS) {
+ ns_main_earlywarning("could not open pre-chroot "
+ "entropy source %s: %s",
+ PATH_RANDOMDEV,
+ isc_result_totext(result));
+ isc_entropy_detach(&ns_g_fallbackentropy);
+ }
+ }
+#endif
+
+ ns_os_chroot(ns_g_chrootdir);
+
+ /*
+ * For operating systems which have a capability mechanism, now
+ * is the time to switch to minimal privs and change our user id.
+ * On traditional UNIX systems, this call will be a no-op, and we
+ * will change the user ID after reading the config file the first
+ * time. (We need to read the config file to know which possibly
+ * privileged ports to bind() to.)
+ */
+ ns_os_minprivs();
+
+ result = ns_log_init(ISC_TF(ns_g_username != NULL));
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("ns_log_init() failed: %s",
+ isc_result_totext(result));
+
+ /*
+ * Now is the time to daemonize (if we're not running in the
+ * foreground). We waited until now because we wanted to get
+ * a valid logging context setup. We cannot daemonize any later,
+ * because calling create_managers() will create threads, which
+ * would be lost after fork().
+ */
+ if (!ns_g_foreground)
+ ns_os_daemonize();
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
+ saved_command_line);
+
+ /*
+ * Get the initial resource limits.
+ */
+ (void)isc_resource_getlimit(isc_resource_stacksize,
+ &ns_g_initstacksize);
+ (void)isc_resource_getlimit(isc_resource_datasize,
+ &ns_g_initdatasize);
+ (void)isc_resource_getlimit(isc_resource_coresize,
+ &ns_g_initcoresize);
+ (void)isc_resource_getlimit(isc_resource_openfiles,
+ &ns_g_initopenfiles);
+
+ /*
+ * If the named configuration filename is relative, prepend the current
+ * directory's name before possibly changing to another directory.
+ */
+ if (! isc_file_isabsolute(ns_g_conffile)) {
+ result = isc_file_absolutepath(ns_g_conffile,
+ absolute_conffile,
+ sizeof(absolute_conffile));
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("could not construct absolute path of "
+ "configuration file: %s",
+ isc_result_totext(result));
+ ns_g_conffile = absolute_conffile;
+ }
+
+ result = create_managers();
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("create_managers() failed: %s",
+ isc_result_totext(result));
+
+ ns_builtin_init();
+
+ /*
+ * Add calls to register sdb drivers here.
+ */
+ /* xxdb_init(); */
+
+ ns_server_create(ns_g_mctx, &ns_g_server);
+}
+
+static void
+cleanup(void) {
+ destroy_managers();
+
+ ns_server_destroy(&ns_g_server);
+
+ ns_builtin_deinit();
+
+ /*
+ * Add calls to unregister sdb drivers here.
+ */
+ /* xxdb_clear(); */
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_NOTICE, "exiting");
+ ns_log_shutdown();
+}
+
+static char *memstats = NULL;
+
+void
+ns_main_setmemstats(const char *filename) {
+ /*
+ * Caller has to ensure locking.
+ */
+
+ if (memstats != NULL) {
+ free(memstats);
+ memstats = NULL;
+ }
+ if (filename == NULL)
+ return;
+ memstats = malloc(strlen(filename) + 1);
+ if (memstats)
+ strcpy(memstats, filename);
+}
+
+#ifdef HAVE_LIBSCF
+/*
+ * Get FMRI for the current named process
+ */
+static char *
+scf_get_ins_name(void) {
+ scf_handle_t *h = NULL;
+ int namelen;
+ char *ins_name;
+
+ if ((h = scf_handle_create(SCF_VERSION)) == NULL) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "scf_handle_create() failed: %s",
+ scf_strerror(scf_error()));
+ return (NULL);
+ }
+
+ if (scf_handle_bind(h) == -1) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "scf_handle_bind() failed: %s",
+ scf_strerror(scf_error()));
+ scf_handle_destroy(h);
+ return (NULL);
+ }
+
+ if ((namelen = scf_myname(h, NULL, 0)) == -1) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_MAIN, ISC_LOG_INFO,
+ "scf_myname() failed: %s",
+ scf_strerror(scf_error()));
+ scf_handle_destroy(h);
+ return (NULL);
+ }
+
+ if ((ins_name = malloc(namelen + 1)) == NULL) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "scf_get_ins_named() memory "
+ "allocation failed: %s",
+ isc_result_totext(ISC_R_NOMEMORY));
+ scf_handle_destroy(h);
+ return (NULL);
+ }
+
+ if (scf_myname(h, ins_name, namelen + 1) == -1) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "scf_myname() failed: %s",
+ scf_strerror(scf_error()));
+ scf_handle_destroy(h);
+ free(ins_name);
+ return (NULL);
+ }
+
+ scf_handle_destroy(h);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+ ISC_LOG_INFO, "instance name:%s", ins_name);
+
+ return (ins_name);
+}
+
+static void
+scf_cleanup(void) {
+ char *s;
+ char *ins_name;
+
+ if ((ins_name = scf_get_ins_name()) != NULL) {
+ if ((s = smf_get_state(ins_name)) != NULL) {
+ if ((strcmp(SCF_STATE_STRING_ONLINE, s) == 0) ||
+ (strcmp(SCF_STATE_STRING_DEGRADED, s) == 0)) {
+ if (smf_disable_instance(ins_name, 0) != 0) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "smf_disable_instance() failed: %s",
+ scf_strerror(scf_error()));
+ }
+ }
+ free(s);
+ } else {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "smf_get_state() failed: %s",
+ scf_strerror(scf_error()));
+ }
+ free(ins_name);
+ }
+}
+#endif
+
+int
+main(int argc, char *argv[]) {
+ isc_result_t result;
+
+ /*
+ * Record version in core image.
+ * strings named.core | grep "named version:"
+ */
+ strlcat(version,
+#ifdef __DATE__
+ "named version: BIND " VERSION " (" __DATE__ ")",
+#else
+ "named version: BIND " VERSION,
+#endif
+ sizeof(version));
+ result = isc_file_progname(*argv, program_name, sizeof(program_name));
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("program name too long");
+
+ if (strcmp(program_name, "lwresd") == 0)
+ ns_g_lwresdonly = ISC_TRUE;
+
+ isc_assertion_setcallback(assertion_failed);
+ isc_error_setfatal(library_fatal_error);
+ isc_error_setunexpected(library_unexpected_error);
+
+ ns_os_init(program_name);
+
+ result = isc_app_start();
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("isc_app_start() failed: %s",
+ isc_result_totext(result));
+
+ dns_result_register();
+ dst_result_register();
+ isccc_result_register();
+
+ parse_command_line(argc, argv);
+
+ /*
+ * Warn about common configuration error.
+ */
+ if (ns_g_chrootdir != NULL) {
+ int len = strlen(ns_g_chrootdir);
+ if (strncmp(ns_g_chrootdir, ns_g_conffile, len) == 0 &&
+ (ns_g_conffile[len] == '/' || ns_g_conffile[len] == '\\'))
+ ns_main_earlywarning("config filename (-c %s) contains "
+ "chroot path (-t %s)",
+ ns_g_conffile, ns_g_chrootdir);
+ }
+
+ result = isc_mem_create(0, 0, &ns_g_mctx);
+ if (result != ISC_R_SUCCESS)
+ ns_main_earlyfatal("isc_mem_create() failed: %s",
+ isc_result_totext(result));
+
+ setup();
+
+ /*
+ * Start things running and then wait for a shutdown request
+ * or reload.
+ */
+ do {
+ result = isc_app_run();
+
+ if (result == ISC_R_RELOAD) {
+ ns_server_reloadwanted(ns_g_server);
+ } else if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_run(): %s",
+ isc_result_totext(result));
+ /*
+ * Force exit.
+ */
+ result = ISC_R_SUCCESS;
+ }
+ } while (result != ISC_R_SUCCESS);
+
+#ifdef HAVE_LIBSCF
+ scf_cleanup();
+#endif
+
+ cleanup();
+
+ if (want_stats) {
+ isc_mem_stats(ns_g_mctx, stdout);
+ isc_mutex_stats(stdout);
+ }
+ if (memstats != NULL) {
+ FILE *fp = NULL;
+ result = isc_stdio_open(memstats, "w", &fp);
+ if (result == ISC_R_SUCCESS) {
+ isc_mem_stats(ns_g_mctx, fp);
+ isc_mutex_stats(fp);
+ isc_stdio_close(fp);
+ }
+ }
+ isc_mem_destroy(&ns_g_mctx);
+
+ ns_main_setmemstats(NULL);
+
+ isc_app_finish();
+
+ ns_os_closedevnull();
+
+ ns_os_shutdown();
+
+ return (0);
+}
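Review bot: parse_command_line() accepts `-t chrootdir` without `-u username`, and nothing in main() or setup() warns about that combination, although the named.8 page added in this same commit says that chrooting a process which keeps running as root does not enhance security. After the existing chroot-path check in main(), I would add `if (ns_g_chrootdir != NULL && ns_g_username == NULL) ns_main_earlywarning("-t %s given without -u; chroot does not confine a root process", ns_g_chrootdir);`. ns_os_chroot() and ns_os_minprivs() are defined outside this hunk, so check first whether they already refuse or report this case. Separately, the stderr branch of library_unexpected_error() prints `fatal error: ` where its log branch says `unexpected error:`, which mislabels a non-fatal condition in startup output.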
diff --git a/contrib/bind9/bin/named/named.8 b/contrib/bind9/bin/named/named.8
new file mode 100644
index 0000000..cd120dd
--- /dev/null
+++ b/contrib/bind9/bin/named/named.8
@@ -0,0 +1,177 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: named.8,v 1.17.208.3 2004/06/03 05:35:47 marka Exp $
+.\"
+.TH "NAMED" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+named \- Internet domain name server
+.SH SYNOPSIS
+.sp
+\fBnamed\fR [ \fB-4\fR ] [ \fB-6\fR ] [ \fB-c \fIconfig-file\fB\fR ] [ \fB-d \fIdebug-level\fB\fR ] [ \fB-f\fR ] [ \fB-g\fR ] [ \fB-n \fI#cpus\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-s\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-u \fIuser\fB\fR ] [ \fB-v\fR ] [ \fB-x \fIcache-file\fB\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBnamed\fR is a Domain Name System (DNS) server,
+part of the BIND 9 distribution from ISC. For more
+information on the DNS, see RFCs 1033, 1034, and 1035.
+.PP
+When invoked without arguments, \fBnamed\fR will
+read the default configuration file
+\fI/etc/named.conf\fR, read any initial
+data, and listen for queries.
+.SH "OPTIONS"
+.TP
+\fB-4\fR
+Use IPv4 only even if the host machine is capable of IPv6.
+\fB-4\fR and \fB-6\fR are mutually
+exclusive.
+.TP
+\fB-6\fR
+Use IPv6 only even if the host machine is capable of IPv4.
+\fB-4\fR and \fB-6\fR are mutually
+exclusive.
+.TP
+\fB-c \fIconfig-file\fB\fR
+Use \fIconfig-file\fR as the
+configuration file instead of the default,
+\fI/etc/named.conf\fR. To
+ensure that reloading the configuration file continues
+to work after the server has changed its working
+directory due to to a possible
+\fBdirectory\fR option in the configuration
+file, \fIconfig-file\fR should be
+an absolute pathname.
+.TP
+\fB-d \fIdebug-level\fB\fR
+Set the daemon's debug level to \fIdebug-level\fR.
+Debugging traces from \fBnamed\fR become
+more verbose as the debug level increases.
+.TP
+\fB-f\fR
+Run the server in the foreground (i.e. do not daemonize).
+.TP
+\fB-g\fR
+Run the server in the foreground and force all logging
+to \fIstderr\fR.
+.TP
+\fB-n \fI#cpus\fB\fR
+Create \fI#cpus\fR worker threads
+to take advantage of multiple CPUs. If not specified,
+\fBnamed\fR will try to determine the
+number of CPUs present and create one thread per CPU.
+If it is unable to determine the number of CPUs, a
+single worker thread will be created.
+.TP
+\fB-p \fIport\fB\fR
+Listen for queries on port \fIport\fR. If not
+specified, the default is port 53.
+.TP
+\fB-s\fR
+Write memory usage statistics to \fIstdout\fR on exit.
+.sp
+.RS
+.B "Note:"
+This option is mainly of interest to BIND 9 developers
+and may be removed or changed in a future release.
+.RE
+.sp
+.TP
+\fB-t \fIdirectory\fB\fR
+\fBchroot()\fR to \fIdirectory\fR after
+processing the command line arguments, but before
+reading the configuration file.
+.sp
+.RS
+.B "Warning:"
+This option should be used in conjunction with the
+\fB-u\fR option, as chrooting a process
+running as root doesn't enhance security on most
+systems; the way \fBchroot()\fR is
+defined allows a process with root privileges to
+escape a chroot jail.
+.RE
+.sp
+.TP
+\fB-u \fIuser\fB\fR
+\fBsetuid()\fR to \fIuser\fR after completing
+privileged operations, such as creating sockets that
+listen on privileged ports.
+.sp
+.RS
+.B "Note:"
+On Linux, \fBnamed\fR uses the kernel's
+capability mechanism to drop all root privileges
+except the ability to \fBbind()\fR to a
+privileged port and set process resource limits.
+Unfortunately, this means that the \fB-u\fR
+option only works when \fBnamed\fR is run
+on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+later, since previous kernels did not allow privileges
+to be retained after \fBsetuid()\fR.
+.RE
+.sp
+.TP
+\fB-v\fR
+Report the version number and exit.
+.TP
+\fB-x \fIcache-file\fB\fR
+Load data from \fIcache-file\fR into the
+cache of the default view.
+.sp
+.RS
+.B "Warning:"
+This option must not be used. It is only of interest
+to BIND 9 developers and may be removed or changed in a
+future release.
+.RE
+.sp
+.SH "SIGNALS"
+.PP
+In routine operation, signals should not be used to control
+the nameserver; \fBrndc\fR should be used
+instead.
+.TP
+\fBSIGHUP\fR
+Force a reload of the server.
+.TP
+\fBSIGINT, SIGTERM\fR
+Shut down the server.
+.PP
+The result of sending any other signals to the server is undefined.
+.PP
+.SH "CONFIGURATION"
+.PP
+The \fBnamed\fR configuration file is too complex
+to describe in detail here. A complete description is
+provided in the \fIBIND 9 Administrator Reference
+Manual\fR.
+.SH "FILES"
+.TP
+\fB\fI/etc/named.conf\fB\fR
+The default configuration file.
+.TP
+\fB\fI/var/run/named.pid\fB\fR
+The default process-id file.
+.SH "SEE ALSO"
+.PP
+\fIRFC 1033\fR,
+\fIRFC 1034\fR,
+\fIRFC 1035\fR,
+\fBrndc\fR(8),
+\fBlwresd\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/named/named.conf.5 b/contrib/bind9/bin/named/named.conf.5
new file mode 100644
index 0000000..1755d5c
--- /dev/null
+++ b/contrib/bind9/bin/named/named.conf.5
@@ -0,0 +1,474 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: named.conf.5,v 1.1.4.2 2004/08/21 07:35:01 marka Exp $
+.\"
+.TH "NAMED.CONF" "5" "Aug 13, 2004" "BIND9" ""
+.SH NAME
+named.conf \- configuration file for named
+.SH SYNOPSIS
+.sp
+\fBnamed.conf\fR
+.SH "DESCRIPTION"
+.PP
+\fInamed.conf\fR is the configuration file for
+\fBnamed\fR. Statements are enclosed
+in braces and terminated with a semi-colon. Clauses in
+the statements are also semi-colon terminated. The usual
+comment styles are supported:
+.PP
+C style: /* */
+.PP
+C++ style: // to end of line
+.PP
+Unix style: # to end of line
+.SH "ACL"
+.sp
+.nf
+acl \fIstring\fR { \fIaddress_match_element\fR; ... };
+.sp
+.fi
+.SH "KEY"
+.sp
+.nf
+key \fIdomain_name\fR {
+ algorithm \fIstring\fR;
+ secret \fIstring\fR;
+};
+.sp
+.fi
+.SH "MASTERS"
+.sp
+.nf
+masters \fIstring\fR [ port \fIinteger\fR ] {
+ ( \fImasters\fR | \fIipv4_address\fR [port \fIinteger\fR] |
+ \fIipv6_address\fR [port \fIinteger\fR] ) [ key \fIstring\fR ]; ...
+};
+.sp
+.fi
+.SH "SERVER"
+.sp
+.nf
+server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
+ bogus \fIboolean\fR;
+ edns \fIboolean\fR;
+ provide-ixfr \fIboolean\fR;
+ request-ixfr \fIboolean\fR;
+ keys \fIserver_key\fR;
+ transfers \fIinteger\fR;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+
+ support-ixfr \fIboolean\fR; // obsolete
+};
+.sp
+.fi
+.SH "TRUSTED-KEYS"
+.sp
+.nf
+trusted-keys {
+ \fIdomain_name\fR \fIflags\fR \fIprotocol\fR \fIalgorithm\fR \fIkey\fR; ...
+};
+.sp
+.fi
+.SH "CONTROLS"
+.sp
+.nf
+controls {
+ inet ( \fIipv4_address\fR | \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ]
+ allow { \fIaddress_match_element\fR; ... }
+ [ keys { \fIstring\fR; ... } ];
+ unix \fIunsupported\fR; // not implemented
+};
+.sp
+.fi
+.SH "LOGGING"
+.sp
+.nf
+logging {
+ channel \fIstring\fR {
+ file \fIlog_file\fR;
+ syslog \fIoptional_facility\fR;
+ null;
+ stderr;
+ severity \fIlog_severity\fR;
+ print-time \fIboolean\fR;
+ print-severity \fIboolean\fR;
+ print-category \fIboolean\fR;
+ };
+ category \fIstring\fR { \fIstring\fR; ... };
+};
+.sp
+.fi
+.SH "LWRES"
+.sp
+.nf
+lwres {
+ listen-on [ port \fIinteger\fR ] {
+ ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+ };
+ view \fIstring\fR \fIoptional_class\fR;
+ search { \fIstring\fR; ... };
+ ndots \fIinteger\fR;
+};
+.sp
+.fi
+.SH "OPTIONS"
+.sp
+.nf
+options {
+ avoid-v4-udp-ports { \fIport\fR; ... };
+ avoid-v6-udp-ports { \fIport\fR; ... };
+ blackhole { \fIaddress_match_element\fR; ... };
+ coresize \fIsize\fR;
+ datasize \fIsize\fR;
+ directory \fIquoted_string\fR;
+ dump-file \fIquoted_string\fR;
+ files \fIsize\fR;
+ heartbeat-interval \fIinteger\fR;
+ host-statistics \fIboolean\fR; // not implemented
+ hostname ( \fIquoted_string\fR | none );
+ interface-interval \fIinteger\fR;
+ listen-on [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
+ listen-on-v6 [ port \fIinteger\fR ] { \fIaddress_match_element\fR; ... };
+ match-mapped-addresses \fIboolean\fR;
+ memstatistics-file \fIquoted_string\fR;
+ pid-file ( \fIquoted_string\fR | none );
+ port \fIinteger\fR;
+ querylog \fIboolean\fR;
+ recursing-file \fIquoted_string\fR;
+ random-device \fIquoted_string\fR;
+ recursive-clients \fIinteger\fR;
+ serial-query-rate \fIinteger\fR;
+ server-id ( \fIquoted_string\fR | none |;
+ stacksize \fIsize\fR;
+ statistics-file \fIquoted_string\fR;
+ statistics-interval \fIinteger\fR; // not yet implemented
+ tcp-clients \fIinteger\fR;
+ tcp-listen-queue \fIinteger\fR;
+ tkey-dhkey \fIquoted_string\fR \fIinteger\fR;
+ tkey-gssapi-credential \fIquoted_string\fR;
+ tkey-domain \fIquoted_string\fR;
+ transfers-per-ns \fIinteger\fR;
+ transfers-in \fIinteger\fR;
+ transfers-out \fIinteger\fR;
+ use-ixfr \fIboolean\fR;
+ version ( \fIquoted_string\fR | none );
+ allow-recursion { \fIaddress_match_element\fR; ... };
+ sortlist { \fIaddress_match_element\fR; ... };
+ topology { \fIaddress_match_element\fR; ... }; // not implemented
+ auth-nxdomain \fIboolean\fR; // default changed
+ minimal-responses \fIboolean\fR;
+ recursion \fIboolean\fR;
+ rrset-order {
+ [ class \fIstring\fR ] [ type \fIstring\fR ]
+ [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
+ };
+ provide-ixfr \fIboolean\fR;
+ request-ixfr \fIboolean\fR;
+ rfc2308-type1 \fIboolean\fR; // not yet implemented
+ additional-from-auth \fIboolean\fR;
+ additional-from-cache \fIboolean\fR;
+ query-source \fIquerysource4\fR;
+ query-source-v6 \fIquerysource6\fR;
+ cleaning-interval \fIinteger\fR;
+ min-roots \fIinteger\fR; // not implemented
+ lame-ttl \fIinteger\fR;
+ max-ncache-ttl \fIinteger\fR;
+ max-cache-ttl \fIinteger\fR;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size \fIsize_no_default\fR;
+ check-names ( master | slave | response )
+ ( fail | warn | ignore );
+ cache-file \fIquoted_string\fR;
+ suppress-initial-notify \fIboolean\fR; // not yet implemented
+ preferred-glue \fIstring\fR;
+ dual-stack-servers [ port \fIinteger\fR ] {
+ ( \fIquoted_string\fR [port \fIinteger\fR] |
+ \fIipv4_address\fR [port \fIinteger\fR] |
+ \fIipv6_address\fR [port \fIinteger\fR] ); ...
+ }
+ edns-udp-size \fIinteger\fR;
+ root-delegation-only [ exclude { \fIquoted_string\fR; ... } ];
+ disable-algorithms \fIstring\fR { \fIstring\fR; ... };
+ dnssec-enable \fIboolean\fR;
+ dnssec-lookaside \fIstring\fR trust-anchor \fIstring\fR;
+ dnssec-must-be-secure \fIstring\fR \fIboolean\fR;
+
+ dialup \fIdialuptype\fR;
+ ixfr-from-differences \fIixfrdiff\fR;
+
+ allow-query { \fIaddress_match_element\fR; ... };
+ allow-transfer { \fIaddress_match_element\fR; ... };
+ allow-update-forwarding { \fIaddress_match_element\fR; ... };
+
+ notify \fInotifytype\fR;
+ notify-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ notify-source-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ also-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
+ [ port \fIinteger\fR ]; ... };
+ allow-notify { \fIaddress_match_element\fR; ... };
+
+ forward ( first | only );
+ forwarders [ port \fIinteger\fR ] {
+ ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+ };
+
+ max-journal-size \fIsize_no_default\fR;
+ max-transfer-time-in \fIinteger\fR;
+ max-transfer-time-out \fIinteger\fR;
+ max-transfer-idle-in \fIinteger\fR;
+ max-transfer-idle-out \fIinteger\fR;
+ max-retry-time \fIinteger\fR;
+ min-retry-time \fIinteger\fR;
+ max-refresh-time \fIinteger\fR;
+ min-refresh-time \fIinteger\fR;
+ multi-master \fIboolean\fR;
+ sig-validity-interval \fIinteger\fR;
+
+ transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+
+ alt-transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ alt-transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ use-alt-transfer-source \fIboolean\fR;
+
+ zone-statistics \fIboolean\fR;
+ key-directory \fIquoted_string\fR;
+
+ allow-v6-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
+ deallocate-on-exit \fIboolean\fR; // obsolete
+ fake-iquery \fIboolean\fR; // obsolete
+ fetch-glue \fIboolean\fR; // obsolete
+ has-old-clients \fIboolean\fR; // obsolete
+ maintain-ixfr-base \fIboolean\fR; // obsolete
+ max-ixfr-log-size \fIsize\fR; // obsolete
+ multiple-cnames \fIboolean\fR; // obsolete
+ named-xfer \fIquoted_string\fR; // obsolete
+ serial-queries \fIinteger\fR; // obsolete
+ treat-cr-as-space \fIboolean\fR; // obsolete
+ use-id-pool \fIboolean\fR; // obsolete
+};
+.sp
+.fi
+.SH "VIEW"
+.sp
+.nf
+view \fIstring\fR \fIoptional_class\fR {
+ match-clients { \fIaddress_match_element\fR; ... };
+ match-destinations { \fIaddress_match_element\fR; ... };
+ match-recursive-only \fIboolean\fR;
+
+ key \fIstring\fR {
+ algorithm \fIstring\fR;
+ secret \fIstring\fR;
+ };
+
+ zone \fIstring\fR \fIoptional_class\fR {
+ ...
+ };
+
+ server ( \fIipv4_address\fR | \fIipv6_address\fR ) {
+ ...
+ };
+
+ trusted-keys {
+ \fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
+ };
+
+ allow-recursion { \fIaddress_match_element\fR; ... };
+ sortlist { \fIaddress_match_element\fR; ... };
+ topology { \fIaddress_match_element\fR; ... }; // not implemented
+ auth-nxdomain \fIboolean\fR; // default changed
+ minimal-responses \fIboolean\fR;
+ recursion \fIboolean\fR;
+ rrset-order {
+ [ class \fIstring\fR ] [ type \fIstring\fR ]
+ [ name \fIquoted_string\fR ] \fIstring\fR \fIstring\fR; ...
+ };
+ provide-ixfr \fIboolean\fR;
+ request-ixfr \fIboolean\fR;
+ rfc2308-type1 \fIboolean\fR; // not yet implemented
+ additional-from-auth \fIboolean\fR;
+ additional-from-cache \fIboolean\fR;
+ query-source \fIquerysource4\fR;
+ query-source-v6 \fIquerysource6\fR;
+ cleaning-interval \fIinteger\fR;
+ min-roots \fIinteger\fR; // not implemented
+ lame-ttl \fIinteger\fR;
+ max-ncache-ttl \fIinteger\fR;
+ max-cache-ttl \fIinteger\fR;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size \fIsize_no_default\fR;
+ check-names ( master | slave | response )
+ ( fail | warn | ignore );
+ cache-file \fIquoted_string\fR;
+ suppress-initial-notify \fIboolean\fR; // not yet implemented
+ preferred-glue \fIstring\fR;
+ dual-stack-servers [ port \fIinteger\fR ] {
+ ( \fIquoted_string\fR [port \fIinteger\fR] |
+ \fIipv4_address\fR [port \fIinteger\fR] |
+ \fIipv6_address\fR [port \fIinteger\fR] ); ...
+ };
+ edns-udp-size \fIinteger\fR;
+ root-delegation-only [ exclude { \fIquoted_string\fR; ... } ];
+ disable-algorithms \fIstring\fR { \fIstring\fR; ... };
+ dnssec-enable \fIboolean\fR;
+ dnssec-lookaside \fIstring\fR trust-anchor \fIstring\fR;
+
+ dnssec-must-be-secure \fIstring\fR \fIboolean\fR;
+ dialup \fIdialuptype\fR;
+ ixfr-from-differences \fIixfrdiff\fR;
+
+ allow-query { \fIaddress_match_element\fR; ... };
+ allow-transfer { \fIaddress_match_element\fR; ... };
+ allow-update-forwarding { \fIaddress_match_element\fR; ... };
+
+ notify \fInotifytype\fR;
+ notify-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ notify-source-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ also-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
+ [ port \fIinteger\fR ]; ... };
+ allow-notify { \fIaddress_match_element\fR; ... };
+
+ forward ( first | only );
+ forwarders [ port \fIinteger\fR ] {
+ ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+ };
+
+ max-journal-size \fIsize_no_default\fR;
+ max-transfer-time-in \fIinteger\fR;
+ max-transfer-time-out \fIinteger\fR;
+ max-transfer-idle-in \fIinteger\fR;
+ max-transfer-idle-out \fIinteger\fR;
+ max-retry-time \fIinteger\fR;
+ min-retry-time \fIinteger\fR;
+ max-refresh-time \fIinteger\fR;
+ min-refresh-time \fIinteger\fR;
+ multi-master \fIboolean\fR;
+ sig-validity-interval \fIinteger\fR;
+
+ transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+
+ alt-transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ alt-transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ use-alt-transfer-source \fIboolean\fR;
+
+ zone-statistics \fIboolean\fR;
+ key-directory \fIquoted_string\fR;
+
+ allow-v6-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
+ fetch-glue \fIboolean\fR; // obsolete
+ maintain-ixfr-base \fIboolean\fR; // obsolete
+ max-ixfr-log-size \fIsize\fR; // obsolete
+};
+.sp
+.fi
+.SH "ZONE"
+.sp
+.nf
+zone \fIstring\fR \fIoptional_class\fR {
+ type ( master | slave | stub | hint |
+ forward | delegation-only );
+ file \fIquoted_string\fR;
+
+ masters [ port \fIinteger\fR ] {
+ ( \fImasters\fR |
+ \fIipv4_address\fR [port \fIinteger\fR] |
+ \fIipv6_address\fR [ port \fIinteger\fR ] ) [ key \fIstring\fR ]; ...
+ };
+
+ database \fIstring\fR;
+ delegation-only \fIboolean\fR;
+ check-names ( fail | warn | ignore );
+ dialup \fIdialuptype\fR;
+ ixfr-from-differences \fIboolean\fR;
+
+ allow-query { \fIaddress_match_element\fR; ... };
+ allow-transfer { \fIaddress_match_element\fR; ... };
+ allow-update { \fIaddress_match_element\fR; ... };
+ allow-update-forwarding { \fIaddress_match_element\fR; ... };
+ update-policy {
+ ( grant | deny ) \fIstring\fR
+ ( name | subdomain | wildcard | self ) \fIstring\fR
+ \fIrrtypelist\fR; ...
+ };
+
+ notify \fInotifytype\fR;
+ notify-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ notify-source-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
+ also-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
+ [ port \fIinteger\fR ]; ... };
+ allow-notify { \fIaddress_match_element\fR; ... };
+
+ forward ( first | only );
+ forwarders [ port \fIinteger\fR ] {
+ ( \fIipv4_address\fR | \fIipv6_address\fR ) [ port \fIinteger\fR ]; ...
+ };
+
+ max-journal-size \fIsize_no_default\fR;
+ max-transfer-time-in \fIinteger\fR;
+ max-transfer-time-out \fIinteger\fR;
+ max-transfer-idle-in \fIinteger\fR;
+ max-transfer-idle-out \fIinteger\fR;
+ max-retry-time \fIinteger\fR;
+ min-retry-time \fIinteger\fR;
+ max-refresh-time \fIinteger\fR;
+ min-refresh-time \fIinteger\fR;
+ multi-master \fIboolean\fR;
+ sig-validity-interval \fIinteger\fR;
+
+ transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+
+ alt-transfer-source ( \fIipv4_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ alt-transfer-source-v6 ( \fIipv6_address\fR | * )
+ [ port ( \fIinteger\fR | * ) ];
+ use-alt-transfer-source \fIboolean\fR;
+
+ zone-statistics \fIboolean\fR;
+ key-directory \fIquoted_string\fR;
+
+ ixfr-base \fIquoted_string\fR; // obsolete
+ ixfr-tmp-file \fIquoted_string\fR; // obsolete
+ maintain-ixfr-base \fIboolean\fR; // obsolete
+ max-ixfr-log-size \fIsize\fR; // obsolete
+ pubkey \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; // obsolete
+};
+.sp
+.fi
+.SH "FILES"
+.PP
+\fI/etc/named.conf\fR
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBrndc\fR(8),
+\fBBIND 9 Adminstrators Reference Manual\fR.
diff --git a/contrib/bind9/bin/named/named.conf.docbook b/contrib/bind9/bin/named/named.conf.docbook
new file mode 100644
index 0000000..ba6ac12
--- /dev/null
+++ b/contrib/bind9/bin/named/named.conf.docbook
@@ -0,0 +1,532 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named.conf.docbook,v 1.1.4.1 2004/08/20 22:02:38 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>Aug 13, 2004</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><filename>named.conf</filename></refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><filename>named.conf</filename></refname>
+ <refpurpose>configuration file for named</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named.conf</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <filename>named.conf</filename> is the configuration file for
+ <command>named</command>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </para>
+ <para>
+ C style: /* */
+ </para>
+ <para>
+ C++ style: // to end of line
+ </para>
+ <para>
+ Unix style: # to end of line
+ </para>
+ </refsect1>
+
+<refsect1>
+<title>ACL</title>
+<LITERALLAYOUT>
+acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
+
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>KEY</title>
+<LITERALLAYOUT>
+key <replaceable>domain_name</replaceable> {
+ algorithm <replaceable>string</replaceable>;
+ secret <replaceable>string</replaceable>;
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>MASTERS</title>
+<LITERALLAYOUT>
+masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>SERVER</title>
+<LITERALLAYOUT>
+server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
+ bogus <replaceable>boolean</replaceable>;
+ edns <replaceable>boolean</replaceable>;
+ provide-ixfr <replaceable>boolean</replaceable>;
+ request-ixfr <replaceable>boolean</replaceable>;
+ keys <replaceable>server_key</replaceable>;
+ transfers <replaceable>integer</replaceable>;
+ transfer-format ( many-answers | one-answer );
+ transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+
+ support-ixfr <replaceable>boolean</replaceable>; // obsolete
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>TRUSTED-KEYS</title>
+<LITERALLAYOUT>
+trusted-keys {
+ <replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>CONTROLS</title>
+<LITERALLAYOUT>
+controls {
+ inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>
+ allow { <replaceable>address_match_element</replaceable>; ... }
+ <optional> keys { <replaceable>string</replaceable>; ... } </optional>;
+ unix <replaceable>unsupported</replaceable>; // not implemented
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>LOGGING</title>
+<LITERALLAYOUT>
+logging {
+ channel <replaceable>string</replaceable> {
+ file <replaceable>log_file</replaceable>;
+ syslog <replaceable>optional_facility</replaceable>;
+ null;
+ stderr;
+ severity <replaceable>log_severity</replaceable>;
+ print-time <replaceable>boolean</replaceable>;
+ print-severity <replaceable>boolean</replaceable>;
+ print-category <replaceable>boolean</replaceable>;
+ };
+ category <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>LWRES</title>
+<LITERALLAYOUT>
+lwres {
+ listen-on <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
+ };
+ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>;
+ search { <replaceable>string</replaceable>; ... };
+ ndots <replaceable>integer</replaceable>;
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>OPTIONS</title>
+<LITERALLAYOUT>
+options {
+ avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
+ avoid-v6-udp-ports { <replaceable>port</replaceable>; ... };
+ blackhole { <replaceable>address_match_element</replaceable>; ... };
+ coresize <replaceable>size</replaceable>;
+ datasize <replaceable>size</replaceable>;
+ directory <replaceable>quoted_string</replaceable>;
+ dump-file <replaceable>quoted_string</replaceable>;
+ files <replaceable>size</replaceable>;
+ heartbeat-interval <replaceable>integer</replaceable>;
+ host-statistics <replaceable>boolean</replaceable>; // not implemented
+ hostname ( <replaceable>quoted_string</replaceable> | none );
+ interface-interval <replaceable>integer</replaceable>;
+ listen-on <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
+ listen-on-v6 <optional> port <replaceable>integer</replaceable> </optional> { <replaceable>address_match_element</replaceable>; ... };
+ match-mapped-addresses <replaceable>boolean</replaceable>;
+ memstatistics-file <replaceable>quoted_string</replaceable>;
+ pid-file ( <replaceable>quoted_string</replaceable> | none );
+ port <replaceable>integer</replaceable>;
+ querylog <replaceable>boolean</replaceable>;
+ recursing-file <replaceable>quoted_string</replaceable>;
+ random-device <replaceable>quoted_string</replaceable>;
+ recursive-clients <replaceable>integer</replaceable>;
+ serial-query-rate <replaceable>integer</replaceable>;
+ server-id ( <replaceable>quoted_string</replaceable> | none |;
+ stacksize <replaceable>size</replaceable>;
+ statistics-file <replaceable>quoted_string</replaceable>;
+ statistics-interval <replaceable>integer</replaceable>; // not yet implemented
+ tcp-clients <replaceable>integer</replaceable>;
+ tcp-listen-queue <replaceable>integer</replaceable>;
+ tkey-dhkey <replaceable>quoted_string</replaceable> <replaceable>integer</replaceable>;
+ tkey-gssapi-credential <replaceable>quoted_string</replaceable>;
+ tkey-domain <replaceable>quoted_string</replaceable>;
+ transfers-per-ns <replaceable>integer</replaceable>;
+ transfers-in <replaceable>integer</replaceable>;
+ transfers-out <replaceable>integer</replaceable>;
+ use-ixfr <replaceable>boolean</replaceable>;
+ version ( <replaceable>quoted_string</replaceable> | none );
+ allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ sortlist { <replaceable>address_match_element</replaceable>; ... };
+ topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
+ auth-nxdomain <replaceable>boolean</replaceable>; // default changed
+ minimal-responses <replaceable>boolean</replaceable>;
+ recursion <replaceable>boolean</replaceable>;
+ rrset-order {
+ <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
+ <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
+ };
+ provide-ixfr <replaceable>boolean</replaceable>;
+ request-ixfr <replaceable>boolean</replaceable>;
+ rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
+ additional-from-auth <replaceable>boolean</replaceable>;
+ additional-from-cache <replaceable>boolean</replaceable>;
+ query-source <replaceable>querysource4</replaceable>;
+ query-source-v6 <replaceable>querysource6</replaceable>;
+ cleaning-interval <replaceable>integer</replaceable>;
+ min-roots <replaceable>integer</replaceable>; // not implemented
+ lame-ttl <replaceable>integer</replaceable>;
+ max-ncache-ttl <replaceable>integer</replaceable>;
+ max-cache-ttl <replaceable>integer</replaceable>;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size <replaceable>size_no_default</replaceable>;
+ check-names ( master | slave | response )
+ ( fail | warn | ignore );
+ cache-file <replaceable>quoted_string</replaceable>;
+ suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
+ preferred-glue <replaceable>string</replaceable>;
+ dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
+ }
+ edns-udp-size <replaceable>integer</replaceable>;
+ root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
+ disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
+ dnssec-enable <replaceable>boolean</replaceable>;
+ dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+ dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+
+ dialup <replaceable>dialuptype</replaceable>;
+ ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
+
+ allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-transfer { <replaceable>address_match_element</replaceable>; ... };
+ allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+
+ notify <replaceable>notifytype</replaceable>;
+ notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
+ <optional> port <replaceable>integer</replaceable> </optional>; ... };
+ allow-notify { <replaceable>address_match_element</replaceable>; ... };
+
+ forward ( first | only );
+ forwarders <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+ max-transfer-idle-out <replaceable>integer</replaceable>;
+ max-retry-time <replaceable>integer</replaceable>;
+ min-retry-time <replaceable>integer</replaceable>;
+ max-refresh-time <replaceable>integer</replaceable>;
+ min-refresh-time <replaceable>integer</replaceable>;
+ multi-master <replaceable>boolean</replaceable>;
+ sig-validity-interval <replaceable>integer</replaceable>;
+
+ transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+
+ alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-alt-transfer-source <replaceable>boolean</replaceable>;
+
+ zone-statistics <replaceable>boolean</replaceable>;
+ key-directory <replaceable>quoted_string</replaceable>;
+
+ allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
+ deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
+ fake-iquery <replaceable>boolean</replaceable>; // obsolete
+ fetch-glue <replaceable>boolean</replaceable>; // obsolete
+ has-old-clients <replaceable>boolean</replaceable>; // obsolete
+ maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
+ max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
+ multiple-cnames <replaceable>boolean</replaceable>; // obsolete
+ named-xfer <replaceable>quoted_string</replaceable>; // obsolete
+ serial-queries <replaceable>integer</replaceable>; // obsolete
+ treat-cr-as-space <replaceable>boolean</replaceable>; // obsolete
+ use-id-pool <replaceable>boolean</replaceable>; // obsolete
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>VIEW</title>
+<LITERALLAYOUT>
+view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
+ match-clients { <replaceable>address_match_element</replaceable>; ... };
+ match-destinations { <replaceable>address_match_element</replaceable>; ... };
+ match-recursive-only <replaceable>boolean</replaceable>;
+
+ key <replaceable>string</replaceable> {
+ algorithm <replaceable>string</replaceable>;
+ secret <replaceable>string</replaceable>;
+ };
+
+ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
+ ...
+ };
+
+ server ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) {
+ ...
+ };
+
+ trusted-keys {
+ <replaceable>string</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; ...
+ };
+
+ allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+ sortlist { <replaceable>address_match_element</replaceable>; ... };
+ topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
+ auth-nxdomain <replaceable>boolean</replaceable>; // default changed
+ minimal-responses <replaceable>boolean</replaceable>;
+ recursion <replaceable>boolean</replaceable>;
+ rrset-order {
+ <optional> class <replaceable>string</replaceable> </optional> <optional> type <replaceable>string</replaceable> </optional>
+ <optional> name <replaceable>quoted_string</replaceable> </optional> <replaceable>string</replaceable> <replaceable>string</replaceable>; ...
+ };
+ provide-ixfr <replaceable>boolean</replaceable>;
+ request-ixfr <replaceable>boolean</replaceable>;
+ rfc2308-type1 <replaceable>boolean</replaceable>; // not yet implemented
+ additional-from-auth <replaceable>boolean</replaceable>;
+ additional-from-cache <replaceable>boolean</replaceable>;
+ query-source <replaceable>querysource4</replaceable>;
+ query-source-v6 <replaceable>querysource6</replaceable>;
+ cleaning-interval <replaceable>integer</replaceable>;
+ min-roots <replaceable>integer</replaceable>; // not implemented
+ lame-ttl <replaceable>integer</replaceable>;
+ max-ncache-ttl <replaceable>integer</replaceable>;
+ max-cache-ttl <replaceable>integer</replaceable>;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size <replaceable>size_no_default</replaceable>;
+ check-names ( master | slave | response )
+ ( fail | warn | ignore );
+ cache-file <replaceable>quoted_string</replaceable>;
+ suppress-initial-notify <replaceable>boolean</replaceable>; // not yet implemented
+ preferred-glue <replaceable>string</replaceable>;
+ dual-stack-servers <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>quoted_string</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv6_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> ); ...
+ };
+ edns-udp-size <replaceable>integer</replaceable>;
+ root-delegation-only <optional> exclude { <replaceable>quoted_string</replaceable>; ... } </optional>;
+ disable-algorithms <replaceable>string</replaceable> { <replaceable>string</replaceable>; ... };
+ dnssec-enable <replaceable>boolean</replaceable>;
+ dnssec-lookaside <replaceable>string</replaceable> trust-anchor <replaceable>string</replaceable>;
+
+ dnssec-must-be-secure <replaceable>string</replaceable> <replaceable>boolean</replaceable>;
+ dialup <replaceable>dialuptype</replaceable>;
+ ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
+
+ allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-transfer { <replaceable>address_match_element</replaceable>; ... };
+ allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+
+ notify <replaceable>notifytype</replaceable>;
+ notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
+ <optional> port <replaceable>integer</replaceable> </optional>; ... };
+ allow-notify { <replaceable>address_match_element</replaceable>; ... };
+
+ forward ( first | only );
+ forwarders <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+ max-transfer-idle-out <replaceable>integer</replaceable>;
+ max-retry-time <replaceable>integer</replaceable>;
+ min-retry-time <replaceable>integer</replaceable>;
+ max-refresh-time <replaceable>integer</replaceable>;
+ min-refresh-time <replaceable>integer</replaceable>;
+ multi-master <replaceable>boolean</replaceable>;
+ sig-validity-interval <replaceable>integer</replaceable>;
+
+ transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+
+ alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-alt-transfer-source <replaceable>boolean</replaceable>;
+
+ zone-statistics <replaceable>boolean</replaceable>;
+ key-directory <replaceable>quoted_string</replaceable>;
+
+ allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
+ fetch-glue <replaceable>boolean</replaceable>; // obsolete
+ maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
+ max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>ZONE</title>
+<LITERALLAYOUT>
+zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
+ type ( master | slave | stub | hint |
+ forward | delegation-only );
+ file <replaceable>quoted_string</replaceable>;
+
+ masters <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>masters</replaceable> |
+ <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
+ <replaceable>ipv6_address</replaceable> <optional> port <replaceable>integer</replaceable> </optional> ) <optional> key <replaceable>string</replaceable> </optional>; ...
+ };
+
+ database <replaceable>string</replaceable>;
+ delegation-only <replaceable>boolean</replaceable>;
+ check-names ( fail | warn | ignore );
+ dialup <replaceable>dialuptype</replaceable>;
+ ixfr-from-differences <replaceable>boolean</replaceable>;
+
+ allow-query { <replaceable>address_match_element</replaceable>; ... };
+ allow-transfer { <replaceable>address_match_element</replaceable>; ... };
+ allow-update { <replaceable>address_match_element</replaceable>; ... };
+ allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
+ update-policy {
+ ( grant | deny ) <replaceable>string</replaceable>
+ ( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
+ <replaceable>rrtypelist</replaceable>; ...
+ };
+
+ notify <replaceable>notifytype</replaceable>;
+ notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
+ <optional> port <replaceable>integer</replaceable> </optional>; ... };
+ allow-notify { <replaceable>address_match_element</replaceable>; ... };
+
+ forward ( first | only );
+ forwarders <optional> port <replaceable>integer</replaceable> </optional> {
+ ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> ) <optional> port <replaceable>integer</replaceable> </optional>; ...
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+ max-transfer-idle-out <replaceable>integer</replaceable>;
+ max-retry-time <replaceable>integer</replaceable>;
+ min-retry-time <replaceable>integer</replaceable>;
+ max-refresh-time <replaceable>integer</replaceable>;
+ min-refresh-time <replaceable>integer</replaceable>;
+ multi-master <replaceable>boolean</replaceable>;
+ sig-validity-interval <replaceable>integer</replaceable>;
+
+ transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+
+ alt-transfer-source ( <replaceable>ipv4_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ alt-transfer-source-v6 ( <replaceable>ipv6_address</replaceable> | * )
+ <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+ use-alt-transfer-source <replaceable>boolean</replaceable>;
+
+ zone-statistics <replaceable>boolean</replaceable>;
+ key-directory <replaceable>quoted_string</replaceable>;
+
+ ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
+ ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
+ maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
+ max-ixfr-log-size <replaceable>size</replaceable>; // obsolete
+ pubkey <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>integer</replaceable> <replaceable>quoted_string</replaceable>; // obsolete
+};
+</LITERALLAYOUT>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+<para>
+<filename>/etc/named.conf</filename>
+</para>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>BIND 9 Adminstrators Reference Manual</refentrytitle>
+</citerefentry>.
+</para>
+</refsect1>
+
+</refentry>
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/named/named.conf.html b/contrib/bind9/bin/named/named.conf.html
new file mode 100644
index 0000000..9991522
--- /dev/null
+++ b/contrib/bind9/bin/named/named.conf.html
@@ -0,0 +1,1893 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named.conf.html,v 1.1.4.3 2004/08/22 23:38:59 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>named.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><TT
+CLASS="FILENAME"
+>named.conf</TT
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><TT
+CLASS="FILENAME"
+>named.conf</TT
+>&nbsp;--&nbsp;configuration file for named</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named.conf</B
+> </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <TT
+CLASS="FILENAME"
+>named.conf</TT
+> is the configuration file for
+ <B
+CLASS="COMMAND"
+>named</B
+>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </P
+><P
+> C style: /* */
+ </P
+><P
+> C++ style: // to end of line
+ </P
+><P
+> Unix style: # to end of line
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN24"
+></A
+><H2
+>ACL</H2
+><P
+CLASS="LITERALLAYOUT"
+>acl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN29"
+></A
+><H2
+>KEY</H2
+><P
+CLASS="LITERALLAYOUT"
+>key&nbsp;<VAR
+CLASS="REPLACEABLE"
+>domain_name</VAR
+>&nbsp;{<br>
+ algorithm&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ secret&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN35"
+></A
+><H2
+>MASTERS</H2
+><P
+CLASS="LITERALLAYOUT"
+>masters&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>masters</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> key <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>];&nbsp;...<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN50"
+></A
+><H2
+>SERVER</H2
+><P
+CLASS="LITERALLAYOUT"
+>server&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;{<br>
+ bogus&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ edns&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ provide-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ request-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ keys&nbsp;<VAR
+CLASS="REPLACEABLE"
+>server_key</VAR
+>;<br>
+ transfers&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ transfer-format&nbsp;(&nbsp;many-answers&nbsp;|&nbsp;one-answer&nbsp;);<br>
+ transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+<br>
+ support-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN68"
+></A
+><H2
+>TRUSTED-KEYS</H2
+><P
+CLASS="LITERALLAYOUT"
+>trusted-keys&nbsp;{<br>
+ <VAR
+CLASS="REPLACEABLE"
+>domain_name</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>flags</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>protocol</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>algorithm</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>key</VAR
+>;&nbsp;...&nbsp;<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN76"
+></A
+><H2
+>CONTROLS</H2
+><P
+CLASS="LITERALLAYOUT"
+>controls&nbsp;{<br>
+ inet&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>]<br>
+ allow&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;}<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> keys { <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>; ... } </SPAN
+>];<br>
+ unix&nbsp;<VAR
+CLASS="REPLACEABLE"
+>unsupported</VAR
+>;&nbsp;//&nbsp;not&nbsp;implemented<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN87"
+></A
+><H2
+>LOGGING</H2
+><P
+CLASS="LITERALLAYOUT"
+>logging&nbsp;{<br>
+ channel&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{<br>
+ file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>log_file</VAR
+>;<br>
+ syslog&nbsp;<VAR
+CLASS="REPLACEABLE"
+>optional_facility</VAR
+>;<br>
+ null;<br>
+ stderr;<br>
+ severity&nbsp;<VAR
+CLASS="REPLACEABLE"
+>log_severity</VAR
+>;<br>
+ print-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ print-severity&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ print-category&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ };<br>
+ category&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...&nbsp;};<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN99"
+></A
+><H2
+>LWRES</H2
+><P
+CLASS="LITERALLAYOUT"
+>lwres&nbsp;{<br>
+ listen-on&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...<br>
+ };<br>
+ view&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>optional_class</VAR
+>;<br>
+ search&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...&nbsp;};<br>
+ ndots&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>OPTIONS</H2
+><P
+CLASS="LITERALLAYOUT"
+>options&nbsp;{<br>
+ avoid-v4-udp-ports&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>port</VAR
+>;&nbsp;...&nbsp;};<br>
+ avoid-v6-udp-ports&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>port</VAR
+>;&nbsp;...&nbsp;};<br>
+ blackhole&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ coresize&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;<br>
+ datasize&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;<br>
+ directory&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ dump-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ files&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;<br>
+ heartbeat-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ host-statistics&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;not&nbsp;implemented<br>
+ hostname&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;|&nbsp;none&nbsp;);<br>
+ interface-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ listen-on&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ listen-on-v6&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ match-mapped-addresses&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ memstatistics-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ pid-file&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;|&nbsp;none&nbsp;);<br>
+ port&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ querylog&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ recursing-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ random-device&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ recursive-clients&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ serial-query-rate&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ server-id&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;|&nbsp;none&nbsp;|;<br>
+ stacksize&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;<br>
+ statistics-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ statistics-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;&nbsp;//&nbsp;not&nbsp;yet&nbsp;implemented<br>
+ tcp-clients&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ tcp-listen-queue&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ tkey-dhkey&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ tkey-gssapi-credential&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ tkey-domain&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ transfers-per-ns&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ transfers-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ transfers-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ use-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ version&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;|&nbsp;none&nbsp;);<br>
+ allow-recursion&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ sortlist&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ topology&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};&nbsp;//&nbsp;not&nbsp;implemented<br>
+ auth-nxdomain&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;default&nbsp;changed<br>
+ minimal-responses&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ recursion&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ rrset-order&nbsp;{<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> class <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>]&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> type <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>]<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> name <VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+> </SPAN
+>]&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...<br>
+ };<br>
+ provide-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ request-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ rfc2308-type1&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;not&nbsp;yet&nbsp;implemented<br>
+ additional-from-auth&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ additional-from-cache&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ query-source&nbsp;<VAR
+CLASS="REPLACEABLE"
+>querysource4</VAR
+>;<br>
+ query-source-v6&nbsp;<VAR
+CLASS="REPLACEABLE"
+>querysource6</VAR
+>;<br>
+ cleaning-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-roots&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;&nbsp;//&nbsp;not&nbsp;implemented<br>
+ lame-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-ncache-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-cache-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ transfer-format&nbsp;(&nbsp;many-answers&nbsp;|&nbsp;one-answer&nbsp;);<br>
+ max-cache-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size_no_default</VAR
+>;<br>
+ check-names&nbsp;(&nbsp;master&nbsp;|&nbsp;slave&nbsp;|&nbsp;response&nbsp;)<br>
+ (&nbsp;fail&nbsp;|&nbsp;warn&nbsp;|&nbsp;ignore&nbsp;);<br>
+ cache-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ suppress-initial-notify&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;not&nbsp;yet&nbsp;implemented<br>
+ preferred-glue&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ dual-stack-servers&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;);&nbsp;...<br>
+ }<br>
+ edns-udp-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ root-delegation-only&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> exclude { <VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>; ... } </SPAN
+>];<br>
+ disable-algorithms&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...&nbsp;};<br>
+ dnssec-enable&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ dnssec-lookaside&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;trust-anchor&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ dnssec-must-be-secure&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ dialup&nbsp;<VAR
+CLASS="REPLACEABLE"
+>dialuptype</VAR
+>;<br>
+ ixfr-from-differences&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ixfrdiff</VAR
+>;<br>
+<br>
+ allow-query&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-transfer&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-update-forwarding&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+<br>
+ notify&nbsp;<VAR
+CLASS="REPLACEABLE"
+>notifytype</VAR
+>;<br>
+ notify-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ notify-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ also-notify&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...&nbsp;};<br>
+ allow-notify&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+<br>
+ forward&nbsp;(&nbsp;first&nbsp;|&nbsp;only&nbsp;);<br>
+ forwarders&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...<br>
+ };<br>
+<br>
+ max-journal-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size_no_default</VAR
+>;<br>
+ max-transfer-time-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-time-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ multi-master&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ sig-validity-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+<br>
+ transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+<br>
+ alt-transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ alt-transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ use-alt-transfer-source&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ zone-statistics&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ key-directory&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+<br>
+ allow-v6-synthesis&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};&nbsp;//&nbsp;obsolete<br>
+ deallocate-on-exit&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ fake-iquery&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ fetch-glue&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ has-old-clients&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ maintain-ixfr-base&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ max-ixfr-log-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ multiple-cnames&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ named-xfer&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ serial-queries&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ treat-cr-as-space&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ use-id-pool&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN271"
+></A
+><H2
+>VIEW</H2
+><P
+CLASS="LITERALLAYOUT"
+>view&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>optional_class</VAR
+>&nbsp;{<br>
+ match-clients&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ match-destinations&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ match-recursive-only&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ key&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{<br>
+ algorithm&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ secret&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ };<br>
+<br>
+ zone&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>optional_class</VAR
+>&nbsp;{<br>
+ ...<br>
+ };<br>
+<br>
+ server&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;{<br>
+ ...<br>
+ };<br>
+<br>
+ trusted-keys&nbsp;{<br>
+ <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;&nbsp;...<br>
+ };<br>
+<br>
+ allow-recursion&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ sortlist&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ topology&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};&nbsp;//&nbsp;not&nbsp;implemented<br>
+ auth-nxdomain&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;default&nbsp;changed<br>
+ minimal-responses&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ recursion&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ rrset-order&nbsp;{<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> class <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>]&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> type <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>]<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> name <VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+> </SPAN
+>]&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...<br>
+ };<br>
+ provide-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ request-ixfr&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ rfc2308-type1&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;not&nbsp;yet&nbsp;implemented<br>
+ additional-from-auth&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ additional-from-cache&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ query-source&nbsp;<VAR
+CLASS="REPLACEABLE"
+>querysource4</VAR
+>;<br>
+ query-source-v6&nbsp;<VAR
+CLASS="REPLACEABLE"
+>querysource6</VAR
+>;<br>
+ cleaning-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-roots&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;&nbsp;//&nbsp;not&nbsp;implemented<br>
+ lame-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-ncache-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-cache-ttl&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ transfer-format&nbsp;(&nbsp;many-answers&nbsp;|&nbsp;one-answer&nbsp;);<br>
+ max-cache-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size_no_default</VAR
+>;<br>
+ check-names&nbsp;(&nbsp;master&nbsp;|&nbsp;slave&nbsp;|&nbsp;response&nbsp;)<br>
+ (&nbsp;fail&nbsp;|&nbsp;warn&nbsp;|&nbsp;ignore&nbsp;);<br>
+ cache-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+ suppress-initial-notify&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;not&nbsp;yet&nbsp;implemented<br>
+ preferred-glue&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ dual-stack-servers&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;);&nbsp;...<br>
+ };<br>
+ edns-udp-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ root-delegation-only&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> exclude { <VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>; ... } </SPAN
+>];<br>
+ disable-algorithms&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;&nbsp;...&nbsp;};<br>
+ dnssec-enable&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ dnssec-lookaside&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;trust-anchor&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+<br>
+ dnssec-must-be-secure&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ dialup&nbsp;<VAR
+CLASS="REPLACEABLE"
+>dialuptype</VAR
+>;<br>
+ ixfr-from-differences&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ixfrdiff</VAR
+>;<br>
+<br>
+ allow-query&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-transfer&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-update-forwarding&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+<br>
+ notify&nbsp;<VAR
+CLASS="REPLACEABLE"
+>notifytype</VAR
+>;<br>
+ notify-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ notify-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ also-notify&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...&nbsp;};<br>
+ allow-notify&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+<br>
+ forward&nbsp;(&nbsp;first&nbsp;|&nbsp;only&nbsp;);<br>
+ forwarders&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...<br>
+ };<br>
+<br>
+ max-journal-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size_no_default</VAR
+>;<br>
+ max-transfer-time-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-time-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ multi-master&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ sig-validity-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+<br>
+ transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+<br>
+ alt-transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ alt-transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ use-alt-transfer-source&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ zone-statistics&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ key-directory&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+<br>
+ allow-v6-synthesis&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};&nbsp;//&nbsp;obsolete<br>
+ fetch-glue&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ maintain-ixfr-base&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ max-ixfr-log-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN397"
+></A
+><H2
+>ZONE</H2
+><P
+CLASS="LITERALLAYOUT"
+>zone&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>optional_class</VAR
+>&nbsp;{<br>
+ type&nbsp;(&nbsp;master&nbsp;|&nbsp;slave&nbsp;|&nbsp;stub&nbsp;|&nbsp;hint&nbsp;|<br>
+ forward&nbsp;|&nbsp;delegation-only&nbsp;);<br>
+ file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+<br>
+ masters&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>masters</VAR
+>&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+>port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+></SPAN
+>]&nbsp;|<br>
+ <VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> key <VAR
+CLASS="REPLACEABLE"
+>string</VAR
+> </SPAN
+>];&nbsp;...<br>
+ };<br>
+<br>
+ database&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+>;<br>
+ delegation-only&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ check-names&nbsp;(&nbsp;fail&nbsp;|&nbsp;warn&nbsp;|&nbsp;ignore&nbsp;);<br>
+ dialup&nbsp;<VAR
+CLASS="REPLACEABLE"
+>dialuptype</VAR
+>;<br>
+ ixfr-from-differences&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ allow-query&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-transfer&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-update&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ allow-update-forwarding&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+ update-policy&nbsp;{<br>
+ (&nbsp;grant&nbsp;|&nbsp;deny&nbsp;)&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+><br>
+ (&nbsp;name&nbsp;|&nbsp;subdomain&nbsp;|&nbsp;wildcard&nbsp;|&nbsp;self&nbsp;)&nbsp;<VAR
+CLASS="REPLACEABLE"
+>string</VAR
+><br>
+ <VAR
+CLASS="REPLACEABLE"
+>rrtypelist</VAR
+>;&nbsp;...<br>
+ };<br>
+<br>
+ notify&nbsp;<VAR
+CLASS="REPLACEABLE"
+>notifytype</VAR
+>;<br>
+ notify-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ notify-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ also-notify&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...&nbsp;};<br>
+ allow-notify&nbsp;{&nbsp;<VAR
+CLASS="REPLACEABLE"
+>address_match_element</VAR
+>;&nbsp;...&nbsp;};<br>
+<br>
+ forward&nbsp;(&nbsp;first&nbsp;|&nbsp;only&nbsp;);<br>
+ forwarders&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>]&nbsp;{<br>
+ (&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;)&nbsp;[<SPAN
+CLASS="OPTIONAL"
+> port <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> </SPAN
+>];&nbsp;...<br>
+ };<br>
+<br>
+ max-journal-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size_no_default</VAR
+>;<br>
+ max-transfer-time-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-time-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-in&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-transfer-idle-out&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-retry-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ max-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ min-refresh-time&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+ multi-master&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ sig-validity-interval&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>;<br>
+<br>
+ transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+<br>
+ alt-transfer-source&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv4_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ alt-transfer-source-v6&nbsp;(&nbsp;<VAR
+CLASS="REPLACEABLE"
+>ipv6_address</VAR
+>&nbsp;|&nbsp;*&nbsp;)<br>
+ [<SPAN
+CLASS="OPTIONAL"
+> port ( <VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+> | * ) </SPAN
+>];<br>
+ use-alt-transfer-source&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+<br>
+ zone-statistics&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;<br>
+ key-directory&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;<br>
+<br>
+ ixfr-base&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ ixfr-tmp-file&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ maintain-ixfr-base&nbsp;<VAR
+CLASS="REPLACEABLE"
+>boolean</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ max-ixfr-log-size&nbsp;<VAR
+CLASS="REPLACEABLE"
+>size</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+ pubkey&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>integer</VAR
+>&nbsp;<VAR
+CLASS="REPLACEABLE"
+>quoted_string</VAR
+>;&nbsp;//&nbsp;obsolete<br>
+};</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN479"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN483"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>BIND 9 Adminstrators Reference Manual</SPAN
+></SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/named/named.docbook b/contrib/bind9/bin/named/named.docbook
new file mode 100644
index 0000000..754f1a0
--- /dev/null
+++ b/contrib/bind9/bin/named/named.docbook
@@ -0,0 +1,370 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named.docbook,v 1.5.98.3 2004/06/03 02:24:57 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>named</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>named</application></refname>
+ <refpurpose>Internet domain name server</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named</command>
+ <arg><option>-4</option></arg>
+ <arg><option>-6</option></arg>
+ <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
+ <arg><option>-f</option></arg>
+ <arg><option>-g</option></arg>
+ <arg><option>-n <replaceable class="parameter">#cpus</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-s</option></arg>
+ <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+ <arg><option>-v</option></arg>
+ <arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>named</command> is a Domain Name System (DNS) server,
+ part of the BIND 9 distribution from ISC. For more
+ information on the DNS, see RFCs 1033, 1034, and 1035.
+ </para>
+ <para>
+ When invoked without arguments, <command>named</command> will
+ read the default configuration file
+ <filename>/etc/named.conf</filename>, read any initial
+ data, and listen for queries.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-4</term>
+ <listitem>
+ <para>
+ Use IPv4 only even if the host machine is capable of IPv6.
+ <option>-4</option> and <option>-6</option> are mutually
+ exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-6</term>
+ <listitem>
+ <para>
+ Use IPv6 only even if the host machine is capable of IPv4.
+ <option>-4</option> and <option>-6</option> are mutually
+ exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>-c <replaceable class="parameter">config-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable
+ class="parameter">config-file</replaceable> as the
+ configuration file instead of the default,
+ <filename>/etc/named.conf</filename>. To
+ ensure that reloading the configuration file continues
+ to work after the server has changed its working
+ directory due to to a possible
+ <option>directory</option> option in the configuration
+ file, <replaceable
+ class="parameter">config-file</replaceable> should be
+ an absolute pathname.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">debug-level</replaceable></term>
+ <listitem>
+ <para>
+ Set the daemon's debug level to <replaceable
+ class="parameter">debug-level</replaceable>.
+ Debugging traces from <command>named</command> become
+ more verbose as the debug level increases.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Run the server in the foreground (i.e. do not daemonize).
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g</term>
+ <listitem>
+ <para>
+ Run the server in the foreground and force all logging
+ to <filename>stderr</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">#cpus</replaceable></term>
+ <listitem>
+ <para>
+ Create <replaceable
+ class="parameter">#cpus</replaceable> worker threads
+ to take advantage of multiple CPUs. If not specified,
+ <command>named</command> will try to determine the
+ number of CPUs present and create one thread per CPU.
+ If it is unable to determine the number of CPUs, a
+ single worker thread will be created.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Listen for queries on port <replaceable
+ class="parameter">port</replaceable>. If not
+ specified, the default is port 53.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s</term>
+ <listitem>
+ <para>
+ Write memory usage statistics to <filename>stdout</filename> on exit.
+ </para>
+ <note>
+ <para>
+ This option is mainly of interest to BIND 9 developers
+ and may be removed or changed in a future release.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ <function>chroot()</function> to <replaceable
+ class="parameter">directory</replaceable> after
+ processing the command line arguments, but before
+ reading the configuration file.
+ </para>
+ <warning>
+ <para>
+ This option should be used in conjunction with the
+ <option>-u</option> option, as chrooting a process
+ running as root doesn't enhance security on most
+ systems; the way <function>chroot()</function> is
+ defined allows a process with root privileges to
+ escape a chroot jail.
+ </para>
+ </warning>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u <replaceable class="parameter">user</replaceable></term>
+ <listitem>
+ <para>
+ <function>setuid()</function> to <replaceable
+ class="parameter">user</replaceable> after completing
+ privileged operations, such as creating sockets that
+ listen on privileged ports.
+ </para>
+ <note>
+ <para>
+ On Linux, <command>named</command> uses the kernel's
+ capability mechanism to drop all root privileges
+ except the ability to <function>bind()</function> to a
+ privileged port and set process resource limits.
+ Unfortunately, this means that the <option>-u</option>
+ option only works when <command>named</command> is run
+ on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+ later, since previous kernels did not allow privileges
+ to be retained after <function>setuid()</function>.
+ </para>
+ </note>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v</term>
+ <listitem>
+ <para>
+ Report the version number and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-x <replaceable class="parameter">cache-file</replaceable></term>
+ <listitem>
+ <para>
+ Load data from <replaceable
+ class="parameter">cache-file</replaceable> into the
+ cache of the default view.
+ </para>
+ <warning>
+ <para>
+ This option must not be used. It is only of interest
+ to BIND 9 developers and may be removed or changed in a
+ future release.
+ </para>
+ </warning>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>SIGNALS</title>
+ <para>
+ In routine operation, signals should not be used to control
+ the nameserver; <command>rndc</command> should be used
+ instead.
+ </para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term>SIGHUP</term>
+ <listitem>
+ <para>
+ Force a reload of the server.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>SIGINT, SIGTERM</term>
+ <listitem>
+ <para>
+ Shut down the server.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>
+ The result of sending any other signals to the server is undefined.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>CONFIGURATION</title>
+ <para>
+ The <command>named</command> configuration file is too complex
+ to describe in detail here. A complete description is
+ provided in the <citetitle>BIND 9 Administrator Reference
+ Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><filename>/etc/named.conf</filename></term>
+ <listitem>
+ <para>
+ The default configuration file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><filename>/var/run/named.pid</filename></term>
+ <listitem>
+ <para>
+ The default process-id file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>RFC 1033</citetitle>,
+ <citetitle>RFC 1034</citetitle>,
+ <citetitle>RFC 1035</citetitle>,
+ <citerefentry>
+ <refentrytitle>rndc</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>lwresd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/named/named.html b/contrib/bind9/bin/named/named.html
new file mode 100644
index 0000000..8ee16e6
--- /dev/null
+++ b/contrib/bind9/bin/named/named.html
@@ -0,0 +1,625 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named.html,v 1.4.2.1.4.4 2004/08/22 23:38:59 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>named</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>named</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>named</SPAN
+>&nbsp;--&nbsp;Internet domain name server</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>named</B
+> [<VAR
+CLASS="OPTION"
+>-4</VAR
+>] [<VAR
+CLASS="OPTION"
+>-6</VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-d <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-f</VAR
+>] [<VAR
+CLASS="OPTION"
+>-g</VAR
+>] [<VAR
+CLASS="OPTION"
+>-n <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s</VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-v</VAR
+>] [<VAR
+CLASS="OPTION"
+>-x <VAR
+CLASS="REPLACEABLE"
+>cache-file</VAR
+></VAR
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN49"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>named</B
+> is a Domain Name System (DNS) server,
+ part of the BIND 9 distribution from ISC. For more
+ information on the DNS, see RFCs 1033, 1034, and 1035.
+ </P
+><P
+> When invoked without arguments, <B
+CLASS="COMMAND"
+>named</B
+> will
+ read the default configuration file
+ <TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>, read any initial
+ data, and listen for queries.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN56"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-4</DT
+><DD
+><P
+> Use IPv4 only even if the host machine is capable of IPv6.
+ <VAR
+CLASS="OPTION"
+>-4</VAR
+> and <VAR
+CLASS="OPTION"
+>-6</VAR
+> are mutually
+ exclusive.
+ </P
+></DD
+><DT
+>-6</DT
+><DD
+><P
+> Use IPv6 only even if the host machine is capable of IPv4.
+ <VAR
+CLASS="OPTION"
+>-4</VAR
+> and <VAR
+CLASS="OPTION"
+>-6</VAR
+> are mutually
+ exclusive.
+ </P
+></DD
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></DT
+><DD
+><P
+> Use <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+> as the
+ configuration file instead of the default,
+ <TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>. To
+ ensure that reloading the configuration file continues
+ to work after the server has changed its working
+ directory due to to a possible
+ <VAR
+CLASS="OPTION"
+>directory</VAR
+> option in the configuration
+ file, <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+> should be
+ an absolute pathname.
+ </P
+></DD
+><DT
+>-d <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+></DT
+><DD
+><P
+> Set the daemon's debug level to <VAR
+CLASS="REPLACEABLE"
+>debug-level</VAR
+>.
+ Debugging traces from <B
+CLASS="COMMAND"
+>named</B
+> become
+ more verbose as the debug level increases.
+ </P
+></DD
+><DT
+>-f</DT
+><DD
+><P
+> Run the server in the foreground (i.e. do not daemonize).
+ </P
+></DD
+><DT
+>-g</DT
+><DD
+><P
+> Run the server in the foreground and force all logging
+ to <TT
+CLASS="FILENAME"
+>stderr</TT
+>.
+ </P
+></DD
+><DT
+>-n <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+></DT
+><DD
+><P
+> Create <VAR
+CLASS="REPLACEABLE"
+>#cpus</VAR
+> worker threads
+ to take advantage of multiple CPUs. If not specified,
+ <B
+CLASS="COMMAND"
+>named</B
+> will try to determine the
+ number of CPUs present and create one thread per CPU.
+ If it is unable to determine the number of CPUs, a
+ single worker thread will be created.
+ </P
+></DD
+><DT
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></DT
+><DD
+><P
+> Listen for queries on port <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+>. If not
+ specified, the default is port 53.
+ </P
+></DD
+><DT
+>-s</DT
+><DD
+><P
+> Write memory usage statistics to <TT
+CLASS="FILENAME"
+>stdout</TT
+> on exit.
+ </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+> This option is mainly of interest to BIND 9 developers
+ and may be removed or changed in a future release.
+ </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+></DT
+><DD
+><P
+> <CODE
+CLASS="FUNCTION"
+>chroot()</CODE
+> to <VAR
+CLASS="REPLACEABLE"
+>directory</VAR
+> after
+ processing the command line arguments, but before
+ reading the configuration file.
+ </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> This option should be used in conjunction with the
+ <VAR
+CLASS="OPTION"
+>-u</VAR
+> option, as chrooting a process
+ running as root doesn't enhance security on most
+ systems; the way <CODE
+CLASS="FUNCTION"
+>chroot()</CODE
+> is
+ defined allows a process with root privileges to
+ escape a chroot jail.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+><DT
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></DT
+><DD
+><P
+> <CODE
+CLASS="FUNCTION"
+>setuid()</CODE
+> to <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+> after completing
+ privileged operations, such as creating sockets that
+ listen on privileged ports.
+ </P
+><DIV
+CLASS="NOTE"
+><BLOCKQUOTE
+CLASS="NOTE"
+><P
+><B
+>Note: </B
+> On Linux, <B
+CLASS="COMMAND"
+>named</B
+> uses the kernel's
+ capability mechanism to drop all root privileges
+ except the ability to <CODE
+CLASS="FUNCTION"
+>bind()</CODE
+> to a
+ privileged port and set process resource limits.
+ Unfortunately, this means that the <VAR
+CLASS="OPTION"
+>-u</VAR
+>
+ option only works when <B
+CLASS="COMMAND"
+>named</B
+> is run
+ on kernel 2.2.18 or later, or kernel 2.3.99-pre3 or
+ later, since previous kernels did not allow privileges
+ to be retained after <CODE
+CLASS="FUNCTION"
+>setuid()</CODE
+>.
+ </P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+>-v</DT
+><DD
+><P
+> Report the version number and exit.
+ </P
+></DD
+><DT
+>-x <VAR
+CLASS="REPLACEABLE"
+>cache-file</VAR
+></DT
+><DD
+><P
+> Load data from <VAR
+CLASS="REPLACEABLE"
+>cache-file</VAR
+> into the
+ cache of the default view.
+ </P
+><DIV
+CLASS="WARNING"
+><P
+></P
+><TABLE
+CLASS="WARNING"
+BORDER="1"
+WIDTH="90%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+> This option must not be used. It is only of interest
+ to BIND 9 developers and may be removed or changed in a
+ future release.
+ </P
+></TD
+></TR
+></TABLE
+></DIV
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN153"
+></A
+><H2
+>SIGNALS</H2
+><P
+> In routine operation, signals should not be used to control
+ the nameserver; <B
+CLASS="COMMAND"
+>rndc</B
+> should be used
+ instead.
+ </P
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>SIGHUP</DT
+><DD
+><P
+> Force a reload of the server.
+ </P
+></DD
+><DT
+>SIGINT, SIGTERM</DT
+><DD
+><P
+> Shut down the server.
+ </P
+></DD
+></DL
+></DIV
+><P
+> The result of sending any other signals to the server is undefined.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN167"
+></A
+><H2
+>CONFIGURATION</H2
+><P
+> The <B
+CLASS="COMMAND"
+>named</B
+> configuration file is too complex
+ to describe in detail here. A complete description is
+ provided in the <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference
+ Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN172"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+></DT
+><DD
+><P
+> The default configuration file.
+ </P
+></DD
+><DT
+><TT
+CLASS="FILENAME"
+>/var/run/named.pid</TT
+></DT
+><DD
+><P
+> The default process-id file.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN185"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <I
+CLASS="CITETITLE"
+>RFC 1033</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 1034</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 1035</I
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwresd</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN198"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/named/notify.c b/contrib/bind9/bin/named/notify.c
new file mode 100644
index 0000000..e3c5b2a
--- /dev/null
+++ b/contrib/bind9/bin/named/notify.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: notify.c,v 1.24.2.2.2.7 2004/08/28 06:25:30 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/log.h>
+#include <isc/print.h>
+
+#include <dns/message.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <named/log.h>
+#include <named/notify.h>
+
+/*
+ * This module implements notify as in RFC 1996.
+ */
+
+static void
+notify_log(ns_client_t *client, int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ ns_client_logv(client, DNS_LOGCATEGORY_NOTIFY, NS_LOGMODULE_NOTIFY,
+ level, fmt, ap);
+ va_end(ap);
+}
+
+static void
+respond(ns_client_t *client, isc_result_t result) {
+ dns_rcode_t rcode;
+ dns_message_t *message;
+ isc_result_t msg_result;
+
+ message = client->message;
+ rcode = dns_result_torcode(result);
+
+ msg_result = dns_message_reply(message, ISC_TRUE);
+ if (msg_result != ISC_R_SUCCESS)
+ msg_result = dns_message_reply(message, ISC_FALSE);
+ if (msg_result != ISC_R_SUCCESS) {
+ ns_client_next(client, msg_result);
+ return;
+ }
+ message->rcode = rcode;
+ if (rcode == dns_rcode_noerror)
+ message->flags |= DNS_MESSAGEFLAG_AA;
+ else
+ message->flags &= ~DNS_MESSAGEFLAG_AA;
+ ns_client_send(client);
+}
+
+void
+ns_notify_start(ns_client_t *client) {
+ dns_message_t *request = client->message;
+ isc_result_t result;
+ dns_name_t *zonename;
+ dns_rdataset_t *zone_rdataset;
+ dns_zone_t *zone = NULL;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+ dns_name_t *tsigname;
+
+ /*
+ * Interpret the question section.
+ */
+ result = dns_message_firstname(request, DNS_SECTION_QUESTION);
+ if (result != ISC_R_SUCCESS) {
+ notify_log(client, ISC_LOG_NOTICE,
+ "notify question section empty");
+ goto formerr;
+ }
+
+ /*
+ * The question section must contain exactly one question.
+ */
+ zonename = NULL;
+ dns_message_currentname(request, DNS_SECTION_QUESTION, &zonename);
+ zone_rdataset = ISC_LIST_HEAD(zonename->list);
+ if (ISC_LIST_NEXT(zone_rdataset, link) != NULL) {
+ notify_log(client, ISC_LOG_NOTICE,
+ "notify question section contains multiple RRs");
+ goto formerr;
+ }
+
+ /* The zone section must have exactly one name. */
+ result = dns_message_nextname(request, DNS_SECTION_ZONE);
+ if (result != ISC_R_NOMORE) {
+ notify_log(client, ISC_LOG_NOTICE,
+ "notify question section contains multiple RRs");
+ goto formerr;
+ }
+
+ /* The one rdataset must be an SOA. */
+ if (zone_rdataset->type != dns_rdatatype_soa) {
+ notify_log(client, ISC_LOG_NOTICE,
+ "notify question section contains no SOA");
+ goto formerr;
+ }
+
+ tsigname = NULL;
+ if (dns_message_gettsig(request, &tsigname) != NULL) {
+ dns_name_format(tsigname, namebuf, sizeof(namebuf));
+ snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
+ } else
+ tsigbuf[0] = '\0';
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
+ &zone);
+ if (result != ISC_R_SUCCESS)
+ goto notauth;
+
+ switch (dns_zone_gettype(zone)) {
+ case dns_zone_master:
+ case dns_zone_slave:
+ case dns_zone_stub: /* Allow dialup passive to work. */
+ notify_log(client, ISC_LOG_INFO,
+ "received notify for zone '%s'%s", namebuf, tsigbuf);
+ respond(client, dns_zone_notifyreceive(zone,
+ ns_client_getsockaddr(client), request));
+ break;
+ default:
+ goto notauth;
+ }
+ dns_zone_detach(&zone);
+ return;
+
+ notauth:
+ notify_log(client, ISC_LOG_NOTICE,
+ "received notify for zone '%s'%s: not authoritative",
+ namebuf, tsigbuf);
+ result = DNS_R_NOTAUTH;
+ goto failure;
+
+ formerr:
+ result = DNS_R_FORMERR;
+
+ failure:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ respond(client, result);
+}
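Review bot: The second malformed-packet check in ns_notify_start (the `dns_message_nextname(request, DNS_SECTION_ZONE)` test) logs the same text as the check just above it, `"notify question section contains multiple RRs"`. An operator triaging these NOTICE lines therefore cannot tell a question name carrying several rdatasets from a question section carrying several names. I would change the second message to `"notify question section contains multiple names"` and use `DNS_SECTION_QUESTION` in that call as the neighbouring calls do; the two constants appear to be aliases, which should be confirmed in dns/message.h. A comment above the switch would also help, saying that no sender check is visible in this function and that acceptance is presumably decided inside `dns_zone_notifyreceive`, which is handed the source address. The INFO line "received notify for zone" is written before that call returns, so it records arrival of the packet and the TSIG key name it carried, not that the notify was accepted.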
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
new file mode 100644
index 0000000..a5411af
--- /dev/null
+++ b/contrib/bind9/bin/named/query.c
@@ -0,0 +1,3539 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: query.c,v 1.198.2.13.4.30 2004/06/30 14:13:05 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/message.h>
+#include <dns/order.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/tkey.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <named/client.h>
+#include <named/log.h>
+#include <named/server.h>
+#include <named/sortlist.h>
+#include <named/xfrout.h>
+
+#define PARTIALANSWER(c) (((c)->query.attributes & \
+ NS_QUERYATTR_PARTIALANSWER) != 0)
+#define USECACHE(c) (((c)->query.attributes & \
+ NS_QUERYATTR_CACHEOK) != 0)
+#define RECURSIONOK(c) (((c)->query.attributes & \
+ NS_QUERYATTR_RECURSIONOK) != 0)
+#define RECURSING(c) (((c)->query.attributes & \
+ NS_QUERYATTR_RECURSING) != 0)
+#define CACHEGLUEOK(c) (((c)->query.attributes & \
+ NS_QUERYATTR_CACHEGLUEOK) != 0)
+#define WANTRECURSION(c) (((c)->query.attributes & \
+ NS_QUERYATTR_WANTRECURSION) != 0)
+#define WANTDNSSEC(c) (((c)->attributes & \
+ NS_CLIENTATTR_WANTDNSSEC) != 0)
+#define NOAUTHORITY(c) (((c)->query.attributes & \
+ NS_QUERYATTR_NOAUTHORITY) != 0)
+#define NOADDITIONAL(c) (((c)->query.attributes & \
+ NS_QUERYATTR_NOADDITIONAL) != 0)
+#define SECURE(c) (((c)->query.attributes & \
+ NS_QUERYATTR_SECURE) != 0)
+
+#if 0
+#define CTRACE(m) isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_CLIENT, \
+ NS_LOGMODULE_QUERY, \
+ ISC_LOG_DEBUG(3), \
+ "client %p: %s", client, (m))
+#define QTRACE(m) isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_QUERY, \
+ ISC_LOG_DEBUG(3), \
+ "query %p: %s", query, (m))
+#else
+#define CTRACE(m) ((void)m)
+#define QTRACE(m) ((void)m)
+#endif
+
+#define DNS_GETDB_NOEXACT 0x01U
+#define DNS_GETDB_NOLOG 0x02U
+#define DNS_GETDB_PARTIAL 0x04U
+
+static void
+query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
+
+/*
+ * Increment query statistics counters.
+ */
+static inline void
+inc_stats(ns_client_t *client, dns_statscounter_t counter) {
+ dns_zone_t *zone = client->query.authzone;
+
+ REQUIRE(counter < DNS_STATS_NCOUNTERS);
+
+ ns_g_server->querystats[counter]++;
+
+ if (zone != NULL) {
+ isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
+ if (zonestats != NULL)
+ zonestats[counter]++;
+ }
+}
+
+static void
+query_send(ns_client_t *client) {
+ dns_statscounter_t counter;
+ if (client->message->rcode == dns_rcode_noerror) {
+ if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
+ if (client->query.isreferral) {
+ counter = dns_statscounter_referral;
+ } else {
+ counter = dns_statscounter_nxrrset;
+ }
+ } else {
+ counter = dns_statscounter_success;
+ }
+ } else if (client->message->rcode == dns_rcode_nxdomain) {
+ counter = dns_statscounter_nxdomain;
+ } else {
+ /* We end up here in case of YXDOMAIN, and maybe others */
+ counter = dns_statscounter_failure;
+ }
+ inc_stats(client, counter);
+ ns_client_send(client);
+}
+
+static void
+query_error(ns_client_t *client, isc_result_t result) {
+ inc_stats(client, dns_statscounter_failure);
+ ns_client_error(client, result);
+}
+
+static void
+query_next(ns_client_t *client, isc_result_t result) {
+ inc_stats(client, dns_statscounter_failure);
+ ns_client_next(client, result);
+}
+
+static inline void
+query_maybeputqname(ns_client_t *client) {
+ if (client->query.restarts > 0) {
+ /*
+ * client->query.qname was dynamically allocated.
+ */
+ dns_message_puttempname(client->message,
+ &client->query.qname);
+ client->query.qname = NULL;
+ }
+}
+
+static inline void
+query_freefreeversions(ns_client_t *client, isc_boolean_t everything) {
+ ns_dbversion_t *dbversion, *dbversion_next;
+ unsigned int i;
+
+ for (dbversion = ISC_LIST_HEAD(client->query.freeversions), i = 0;
+ dbversion != NULL;
+ dbversion = dbversion_next, i++)
+ {
+ dbversion_next = ISC_LIST_NEXT(dbversion, link);
+ /*
+ * If we're not freeing everything, we keep the first three
+ * dbversions structures around.
+ */
+ if (i > 3 || everything) {
+ ISC_LIST_UNLINK(client->query.freeversions, dbversion,
+ link);
+ isc_mem_put(client->mctx, dbversion,
+ sizeof(*dbversion));
+ }
+ }
+}
+
+void
+ns_query_cancel(ns_client_t *client) {
+ LOCK(&client->query.fetchlock);
+ if (client->query.fetch != NULL) {
+ dns_resolver_cancelfetch(client->query.fetch);
+
+ client->query.fetch = NULL;
+ }
+ UNLOCK(&client->query.fetchlock);
+}
+
+static inline void
+query_reset(ns_client_t *client, isc_boolean_t everything) {
+ isc_buffer_t *dbuf, *dbuf_next;
+ ns_dbversion_t *dbversion, *dbversion_next;
+
+ /*
+ * Reset the query state of a client to its default state.
+ */
+
+ /*
+ * Cancel the fetch if it's running.
+ */
+ ns_query_cancel(client);
+
+ /*
+ * Cleanup any active versions.
+ */
+ for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
+ dbversion != NULL;
+ dbversion = dbversion_next) {
+ dbversion_next = ISC_LIST_NEXT(dbversion, link);
+ dns_db_closeversion(dbversion->db, &dbversion->version,
+ ISC_FALSE);
+ dns_db_detach(&dbversion->db);
+ ISC_LIST_INITANDAPPEND(client->query.freeversions,
+ dbversion, link);
+ }
+ ISC_LIST_INIT(client->query.activeversions);
+
+ if (client->query.authdb != NULL)
+ dns_db_detach(&client->query.authdb);
+ if (client->query.authzone != NULL)
+ dns_zone_detach(&client->query.authzone);
+
+ query_freefreeversions(client, everything);
+
+ for (dbuf = ISC_LIST_HEAD(client->query.namebufs);
+ dbuf != NULL;
+ dbuf = dbuf_next) {
+ dbuf_next = ISC_LIST_NEXT(dbuf, link);
+ if (dbuf_next != NULL || everything) {
+ ISC_LIST_UNLINK(client->query.namebufs, dbuf, link);
+ isc_buffer_free(&dbuf);
+ }
+ }
+
+ query_maybeputqname(client);
+
+ client->query.attributes = (NS_QUERYATTR_RECURSIONOK |
+ NS_QUERYATTR_CACHEOK |
+ NS_QUERYATTR_SECURE);
+ client->query.restarts = 0;
+ client->query.timerset = ISC_FALSE;
+ client->query.origqname = NULL;
+ client->query.qname = NULL;
+ client->query.dboptions = 0;
+ client->query.fetchoptions = 0;
+ client->query.gluedb = NULL;
+ client->query.authdbset = ISC_FALSE;
+ client->query.isreferral = ISC_FALSE;
+}
+
+static void
+query_next_callback(ns_client_t *client) {
+ query_reset(client, ISC_FALSE);
+}
+
+void
+ns_query_free(ns_client_t *client) {
+ query_reset(client, ISC_TRUE);
+}
+
+static inline isc_result_t
+query_newnamebuf(ns_client_t *client) {
+ isc_buffer_t *dbuf;
+ isc_result_t result;
+
+ CTRACE("query_newnamebuf");
+ /*
+ * Allocate a name buffer.
+ */
+
+ dbuf = NULL;
+ result = isc_buffer_allocate(client->mctx, &dbuf, 1024);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_newnamebuf: isc_buffer_allocate failed: done");
+ return (result);
+ }
+ ISC_LIST_APPEND(client->query.namebufs, dbuf, link);
+
+ CTRACE("query_newnamebuf: done");
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_buffer_t *
+query_getnamebuf(ns_client_t *client) {
+ isc_buffer_t *dbuf;
+ isc_result_t result;
+ isc_region_t r;
+
+ CTRACE("query_getnamebuf");
+ /*
+ * Return a name buffer with space for a maximal name, allocating
+ * a new one if necessary.
+ */
+
+ if (ISC_LIST_EMPTY(client->query.namebufs)) {
+ result = query_newnamebuf(client);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+ return (NULL);
+ }
+ }
+
+ dbuf = ISC_LIST_TAIL(client->query.namebufs);
+ INSIST(dbuf != NULL);
+ isc_buffer_availableregion(dbuf, &r);
+ if (r.length < 255) {
+ result = query_newnamebuf(client);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_getnamebuf: query_newnamebuf failed: done");
+ return (NULL);
+
+ }
+ dbuf = ISC_LIST_TAIL(client->query.namebufs);
+ isc_buffer_availableregion(dbuf, &r);
+ INSIST(r.length >= 255);
+ }
+ CTRACE("query_getnamebuf: done");
+ return (dbuf);
+}
+
+static inline void
+query_keepname(ns_client_t *client, dns_name_t *name, isc_buffer_t *dbuf) {
+ isc_region_t r;
+
+ CTRACE("query_keepname");
+ /*
+ * 'name' is using space in 'dbuf', but 'dbuf' has not yet been
+ * adjusted to take account of that. We do the adjustment.
+ */
+
+ REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) != 0);
+
+ dns_name_toregion(name, &r);
+ isc_buffer_add(dbuf, r.length);
+ dns_name_setbuffer(name, NULL);
+ client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
+}
+
+static inline void
+query_releasename(ns_client_t *client, dns_name_t **namep) {
+ dns_name_t *name = *namep;
+
+ /*
+ * 'name' is no longer needed. Return it to our pool of temporary
+ * names. If it is using a name buffer, relinquish its exclusive
+ * rights on the buffer.
+ */
+
+ CTRACE("query_releasename");
+ if (dns_name_hasbuffer(name)) {
+ INSIST((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED)
+ != 0);
+ client->query.attributes &= ~NS_QUERYATTR_NAMEBUFUSED;
+ }
+ dns_message_puttempname(client->message, namep);
+ CTRACE("query_releasename: done");
+}
+
+static inline dns_name_t *
+query_newname(ns_client_t *client, isc_buffer_t *dbuf,
+ isc_buffer_t *nbuf)
+{
+ dns_name_t *name;
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE((client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) == 0);
+
+ CTRACE("query_newname");
+ name = NULL;
+ result = dns_message_gettempname(client->message, &name);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_newname: dns_message_gettempname failed: done");
+ return (NULL);
+ }
+ isc_buffer_availableregion(dbuf, &r);
+ isc_buffer_init(nbuf, r.base, r.length);
+ dns_name_init(name, NULL);
+ dns_name_setbuffer(name, nbuf);
+ client->query.attributes |= NS_QUERYATTR_NAMEBUFUSED;
+
+ CTRACE("query_newname: done");
+ return (name);
+}
+
+static inline dns_rdataset_t *
+query_newrdataset(ns_client_t *client) {
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ CTRACE("query_newrdataset");
+ rdataset = NULL;
+ result = dns_message_gettemprdataset(client->message, &rdataset);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_newrdataset: "
+ "dns_message_gettemprdataset failed: done");
+ return (NULL);
+ }
+ dns_rdataset_init(rdataset);
+
+ CTRACE("query_newrdataset: done");
+ return (rdataset);
+}
+
+static inline void
+query_putrdataset(ns_client_t *client, dns_rdataset_t **rdatasetp) {
+ dns_rdataset_t *rdataset = *rdatasetp;
+
+ CTRACE("query_putrdataset");
+ if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ dns_message_puttemprdataset(client->message, rdatasetp);
+ }
+ CTRACE("query_putrdataset: done");
+}
+
+
+static inline isc_result_t
+query_newdbversion(ns_client_t *client, unsigned int n) {
+ unsigned int i;
+ ns_dbversion_t *dbversion;
+
+ for (i = 0; i < n; i++) {
+ dbversion = isc_mem_get(client->mctx, sizeof(*dbversion));
+ if (dbversion != NULL) {
+ dbversion->db = NULL;
+ dbversion->version = NULL;
+ ISC_LIST_INITANDAPPEND(client->query.freeversions,
+ dbversion, link);
+ } else {
+ /*
+ * We only return ISC_R_NOMEMORY if we couldn't
+ * allocate anything.
+ */
+ if (i == 0)
+ return (ISC_R_NOMEMORY);
+ else
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline ns_dbversion_t *
+query_getdbversion(ns_client_t *client) {
+ isc_result_t result;
+ ns_dbversion_t *dbversion;
+
+ if (ISC_LIST_EMPTY(client->query.freeversions)) {
+ result = query_newdbversion(client, 1);
+ if (result != ISC_R_SUCCESS)
+ return (NULL);
+ }
+ dbversion = ISC_LIST_HEAD(client->query.freeversions);
+ INSIST(dbversion != NULL);
+ ISC_LIST_UNLINK(client->query.freeversions, dbversion, link);
+
+ return (dbversion);
+}
+
+isc_result_t
+ns_query_init(ns_client_t *client) {
+ isc_result_t result;
+
+ ISC_LIST_INIT(client->query.namebufs);
+ ISC_LIST_INIT(client->query.activeversions);
+ ISC_LIST_INIT(client->query.freeversions);
+ client->query.restarts = 0;
+ client->query.timerset = ISC_FALSE;
+ client->query.qname = NULL;
+ result = isc_mutex_init(&client->query.fetchlock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ client->query.fetch = NULL;
+ client->query.authdb = NULL;
+ client->query.authzone = NULL;
+ client->query.authdbset = ISC_FALSE;
+ client->query.isreferral = ISC_FALSE;
+ query_reset(client, ISC_FALSE);
+ result = query_newdbversion(client, 3);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&client->query.fetchlock);
+ return (result);
+ }
+ result = query_newnamebuf(client);
+ if (result != ISC_R_SUCCESS)
+ query_freefreeversions(client, ISC_TRUE);
+
+ return (result);
+}
+
+static inline ns_dbversion_t *
+query_findversion(ns_client_t *client, dns_db_t *db,
+ isc_boolean_t *newzonep)
+{
+ ns_dbversion_t *dbversion;
+
+ /*
+ * We may already have done a query related to this
+ * database. If so, we must be sure to make subsequent
+ * queries from the same version.
+ */
+ for (dbversion = ISC_LIST_HEAD(client->query.activeversions);
+ dbversion != NULL;
+ dbversion = ISC_LIST_NEXT(dbversion, link)) {
+ if (dbversion->db == db)
+ break;
+ }
+
+ if (dbversion == NULL) {
+ /*
+ * This is a new zone for this query. Add it to
+ * the active list.
+ */
+ dbversion = query_getdbversion(client);
+ if (dbversion == NULL)
+ return (NULL);
+ dns_db_attach(db, &dbversion->db);
+ dns_db_currentversion(db, &dbversion->version);
+ dbversion->queryok = ISC_FALSE;
+ ISC_LIST_APPEND(client->query.activeversions,
+ dbversion, link);
+ *newzonep = ISC_TRUE;
+ } else
+ *newzonep = ISC_FALSE;
+
+ return (dbversion);
+}
+
+static inline isc_result_t
+query_getzonedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+ unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+ dns_dbversion_t **versionp)
+{
+ isc_result_t result;
+ isc_boolean_t check_acl, new_zone;
+ dns_acl_t *queryacl;
+ ns_dbversion_t *dbversion;
+ unsigned int ztoptions;
+ dns_zone_t *zone = NULL;
+ dns_db_t *db = NULL;
+ isc_boolean_t partial = ISC_FALSE;
+
+ REQUIRE(zonep != NULL && *zonep == NULL);
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ /*
+ * Find a zone database to answer the query.
+ */
+ ztoptions = ((options & DNS_GETDB_NOEXACT) != 0) ?
+ DNS_ZTFIND_NOEXACT : 0;
+
+ result = dns_zt_find(client->view->zonetable, name, ztoptions, NULL,
+ &zone);
+ if (result == DNS_R_PARTIALMATCH)
+ partial = ISC_TRUE;
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ result = dns_zone_getdb(zone, &db);
+
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /*
+ * This limits our searching to the zone where the first name
+ * (the query target) was looked for. This prevents following
+ * CNAMES or DNAMES into other zones and prevents returning
+ * additional data from other zones.
+ */
+ if (!client->view->additionalfromauth &&
+ client->query.authdbset &&
+ db != client->query.authdb)
+ goto refuse;
+
+ /*
+ * If the zone has an ACL, we'll check it, otherwise
+ * we use the view's "allow-query" ACL. Each ACL is only checked
+ * once per query.
+ *
+ * Also, get the database version to use.
+ */
+
+ check_acl = ISC_TRUE; /* Keep compiler happy. */
+ queryacl = NULL;
+
+ /*
+ * Get the current version of this database.
+ */
+ dbversion = query_findversion(client, db, &new_zone);
+ if (dbversion == NULL) {
+ result = DNS_R_SERVFAIL;
+ goto fail;
+ }
+ if (new_zone) {
+ check_acl = ISC_TRUE;
+ } else if (!dbversion->queryok) {
+ goto refuse;
+ } else {
+ check_acl = ISC_FALSE;
+ }
+
+ queryacl = dns_zone_getqueryacl(zone);
+ if (queryacl == NULL) {
+ queryacl = client->view->queryacl;
+ if ((client->query.attributes &
+ NS_QUERYATTR_QUERYOKVALID) != 0) {
+ /*
+ * We've evaluated the view's queryacl already. If
+ * NS_QUERYATTR_QUERYOK is set, then the client is
+ * allowed to make queries, otherwise the query should
+ * be refused.
+ */
+ check_acl = ISC_FALSE;
+ if ((client->query.attributes &
+ NS_QUERYATTR_QUERYOK) == 0)
+ goto refuse;
+ } else {
+ /*
+ * We haven't evaluated the view's queryacl yet.
+ */
+ check_acl = ISC_TRUE;
+ }
+ }
+
+ if (check_acl) {
+ isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
+
+ result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+ if (log) {
+ char msg[NS_CLIENT_ACLMSGSIZE("query")];
+ if (result == ISC_R_SUCCESS) {
+ if (isc_log_wouldlog(ns_g_lctx,
+ ISC_LOG_DEBUG(3)))
+ {
+ ns_client_aclmsg("query", name, qtype,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client,
+ DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_DEBUG(3),
+ "%s approved", msg);
+ }
+ } else {
+ ns_client_aclmsg("query", name, qtype,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+ "%s denied", msg);
+ }
+ }
+
+ if (queryacl == client->view->queryacl) {
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We were allowed by the default
+ * "allow-query" ACL. Remember this so we
+ * don't have to check again.
+ */
+ client->query.attributes |=
+ NS_QUERYATTR_QUERYOK;
+ }
+ /*
+ * We've now evaluated the view's query ACL, and
+ * the NS_QUERYATTR_QUERYOK attribute is now valid.
+ */
+ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+ }
+
+ if (result != ISC_R_SUCCESS)
+ goto refuse;
+ }
+
+ /* Approved. */
+
+ /*
+ * Remember the result of the ACL check so we
+ * don't have to check again.
+ */
+ dbversion->queryok = ISC_TRUE;
+
+ /* Transfer ownership. */
+ *zonep = zone;
+ *dbp = db;
+ *versionp = dbversion->version;
+
+ if (partial && (options & DNS_GETDB_PARTIAL) != 0)
+ return (DNS_R_PARTIALMATCH);
+ return (ISC_R_SUCCESS);
+
+ refuse:
+ result = DNS_R_REFUSED;
+ fail:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (db != NULL)
+ dns_db_detach(&db);
+
+ return (result);
+}
+
+static inline isc_result_t
+query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+ dns_db_t **dbp, unsigned int options)
+{
+ isc_result_t result;
+ isc_boolean_t check_acl;
+ dns_db_t *db = NULL;
+
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ /*
+ * Find a cache database to answer the query.
+ * This may fail with DNS_R_REFUSED if the client
+ * is not allowed to use the cache.
+ */
+
+ if (!USECACHE(client))
+ return (DNS_R_REFUSED);
+ dns_db_attach(client->view->cachedb, &db);
+
+ if ((client->query.attributes &
+ NS_QUERYATTR_QUERYOKVALID) != 0) {
+ /*
+ * We've evaluated the view's queryacl already. If
+ * NS_QUERYATTR_QUERYOK is set, then the client is
+ * allowed to make queries, otherwise the query should
+ * be refused.
+ */
+ check_acl = ISC_FALSE;
+ if ((client->query.attributes &
+ NS_QUERYATTR_QUERYOK) == 0)
+ goto refuse;
+ } else {
+ /*
+ * We haven't evaluated the view's queryacl yet.
+ */
+ check_acl = ISC_TRUE;
+ }
+
+ if (check_acl) {
+ isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
+ char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
+
+ result = ns_client_checkaclsilent(client,
+ client->view->queryacl,
+ ISC_TRUE);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We were allowed by the default
+ * "allow-query" ACL. Remember this so we
+ * don't have to check again.
+ */
+ client->query.attributes |=
+ NS_QUERYATTR_QUERYOK;
+ if (log && isc_log_wouldlog(ns_g_lctx,
+ ISC_LOG_DEBUG(3)))
+ {
+ ns_client_aclmsg("query (cache)", name, qtype,
+ client->view->rdclass,
+ msg, sizeof(msg));
+ ns_client_log(client,
+ DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY,
+ ISC_LOG_DEBUG(3),
+ "%s approved", msg);
+ }
+ } else if (log) {
+ ns_client_aclmsg("query (cache)", name, qtype,
+ client->view->rdclass, msg,
+ sizeof(msg));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+ "%s denied", msg);
+ }
+ /*
+ * We've now evaluated the view's query ACL, and
+ * the NS_QUERYATTR_QUERYOK attribute is now valid.
+ */
+ client->query.attributes |= NS_QUERYATTR_QUERYOKVALID;
+
+ if (result != ISC_R_SUCCESS)
+ goto refuse;
+ }
+
+ /* Approved. */
+
+ /* Transfer ownership. */
+ *dbp = db;
+
+ return (ISC_R_SUCCESS);
+
+ refuse:
+ result = DNS_R_REFUSED;
+
+ if (db != NULL)
+ dns_db_detach(&db);
+
+ return (result);
+}
+
+
+static inline isc_result_t
+query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
+ unsigned int options, dns_zone_t **zonep, dns_db_t **dbp,
+ dns_dbversion_t **versionp, isc_boolean_t *is_zonep)
+{
+ isc_result_t result;
+
+ result = query_getzonedb(client, name, qtype, options,
+ zonep, dbp, versionp);
+ if (result == ISC_R_SUCCESS) {
+ *is_zonep = ISC_TRUE;
+ } else if (result == ISC_R_NOTFOUND) {
+ result = query_getcachedb(client, name, qtype, dbp, options);
+ *is_zonep = ISC_FALSE;
+ }
+ return (result);
+}
+
+static inline isc_boolean_t
+query_isduplicate(ns_client_t *client, dns_name_t *name,
+ dns_rdatatype_t type, dns_name_t **mnamep)
+{
+ dns_section_t section;
+ dns_name_t *mname = NULL;
+ isc_result_t result;
+
+ CTRACE("query_isduplicate");
+
+ for (section = DNS_SECTION_ANSWER;
+ section <= DNS_SECTION_ADDITIONAL;
+ section++) {
+ result = dns_message_findname(client->message, section,
+ name, type, 0, &mname, NULL);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We've already got this RRset in the response.
+ */
+ CTRACE("query_isduplicate: true: done");
+ return (ISC_TRUE);
+ } else if (result == DNS_R_NXRRSET) {
+ /*
+ * The name exists, but the rdataset does not.
+ */
+ if (section == DNS_SECTION_ADDITIONAL)
+ break;
+ } else
+ RUNTIME_CHECK(result == DNS_R_NXDOMAIN);
+ mname = NULL;
+ }
+
+ /*
+ * If the dns_name_t we're looking up is already in the message,
+ * we don't want to trigger the caller's name replacement logic.
+ */
+ if (name == mname)
+ mname = NULL;
+
+ *mnamep = mname;
+
+ CTRACE("query_isduplicate: false: done");
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
+ ns_client_t *client = arg;
+ isc_result_t result, eresult;
+ dns_dbnode_t *node;
+ dns_db_t *db;
+ dns_name_t *fname, *mname;
+ dns_rdataset_t *rdataset, *sigrdataset, *trdataset;
+ isc_buffer_t *dbuf;
+ isc_buffer_t b;
+ dns_dbversion_t *version;
+ isc_boolean_t added_something, need_addname;
+ dns_zone_t *zone;
+ dns_rdatatype_t type;
+
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(qtype != dns_rdatatype_any);
+
+ if (!WANTDNSSEC(client) && dns_rdatatype_isdnssec(qtype))
+ return (ISC_R_SUCCESS);
+
+ CTRACE("query_addadditional");
+
+ /*
+ * Initialization.
+ */
+ eresult = ISC_R_SUCCESS;
+ fname = NULL;
+ rdataset = NULL;
+ sigrdataset = NULL;
+ trdataset = NULL;
+ db = NULL;
+ version = NULL;
+ node = NULL;
+ added_something = ISC_FALSE;
+ need_addname = ISC_FALSE;
+ zone = NULL;
+
+ /*
+ * We treat type A additional section processing as if it
+ * were "any address type" additional section processing.
+ * To avoid multiple lookups, we do an 'any' database
+ * lookup and iterate over the node.
+ */
+ if (qtype == dns_rdatatype_a)
+ type = dns_rdatatype_any;
+ else
+ type = qtype;
+
+ /*
+ * Get some resources.
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ rdataset = query_newrdataset(client);
+ if (fname == NULL || rdataset == NULL)
+ goto cleanup;
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL)
+ goto cleanup;
+ }
+
+ /*
+ * Look for a zone database that might contain authoritative
+ * additional data.
+ */
+ result = query_getzonedb(client, name, qtype, DNS_GETDB_NOLOG,
+ &zone, &db, &version);
+ if (result != ISC_R_SUCCESS)
+ goto try_cache;
+
+ CTRACE("query_addadditional: db_find");
+
+ /*
+ * Since we are looking for authoritative data, we do not set
+ * the GLUEOK flag. Glue will be looked for later, but not
+ * necessarily in the same database.
+ */
+ node = NULL;
+ result = dns_db_find(db, name, version, type, client->query.dboptions,
+ client->now, &node, fname, rdataset,
+ sigrdataset);
+ if (result == ISC_R_SUCCESS)
+ goto found;
+
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ version = NULL;
+ dns_db_detach(&db);
+
+ /*
+ * No authoritative data was found. The cache is our next best bet.
+ */
+
+ try_cache:
+ result = query_getcachedb(client, name, qtype, &db, DNS_GETDB_NOLOG);
+ if (result != ISC_R_SUCCESS)
+ /*
+ * Most likely the client isn't allowed to query the cache.
+ */
+ goto try_glue;
+
+ result = dns_db_find(db, name, version, type, client->query.dboptions,
+ client->now, &node, fname, rdataset,
+ sigrdataset);
+ if (result == ISC_R_SUCCESS)
+ goto found;
+
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ dns_db_detach(&db);
+
+ try_glue:
+ /*
+ * No cached data was found. Glue is our last chance.
+ * RFC1035 sayeth:
+ *
+ * NS records cause both the usual additional section
+ * processing to locate a type A record, and, when used
+ * in a referral, a special search of the zone in which
+ * they reside for glue information.
+ *
+ * This is the "special search". Note that we must search
+ * the zone where the NS record resides, not the zone it
+ * points to, and that we only do the search in the delegation
+ * case (identified by client->query.gluedb being set).
+ */
+
+ if (client->query.gluedb == NULL)
+ goto cleanup;
+
+ /*
+ * Don't poision caches using the bailiwick protection model.
+ */
+ if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
+ goto cleanup;
+
+ dns_db_attach(client->query.gluedb, &db);
+ result = dns_db_find(db, name, version, type,
+ client->query.dboptions | DNS_DBFIND_GLUEOK,
+ client->now, &node, fname, rdataset,
+ sigrdataset);
+ if (!(result == ISC_R_SUCCESS ||
+ result == DNS_R_ZONECUT ||
+ result == DNS_R_GLUE))
+ goto cleanup;
+
+ found:
+ /*
+ * We have found a potential additional data rdataset, or
+ * at least a node to iterate over.
+ */
+ query_keepname(client, fname, dbuf);
+
+ /*
+ * If we have an rdataset, add it to the additional data
+ * section.
+ */
+ mname = NULL;
+ if (dns_rdataset_isassociated(rdataset) &&
+ !query_isduplicate(client, fname, type, &mname)) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ trdataset = rdataset;
+ rdataset = NULL;
+ added_something = ISC_TRUE;
+ /*
+ * Note: we only add SIGs if we've added the type they cover,
+ * so we do not need to check if the SIG rdataset is already
+ * in the response.
+ */
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ {
+ ISC_LIST_APPEND(fname->list, sigrdataset, link);
+ sigrdataset = NULL;
+ }
+ }
+
+ if (qtype == dns_rdatatype_a) {
+ /*
+ * We now go looking for A and AAAA records, along with
+ * their signatures.
+ *
+ * XXXRTH This code could be more efficient.
+ */
+ if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ } else {
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL)
+ goto addname;
+ }
+ if (sigrdataset != NULL) {
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ } else if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL)
+ goto addname;
+ }
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_a, 0,
+ client->now, rdataset,
+ sigrdataset);
+ if (result == DNS_R_NCACHENXDOMAIN)
+ goto addname;
+ if (result == DNS_R_NCACHENXRRSET) {
+ dns_rdataset_disassociate(rdataset);
+ /*
+ * Negative cache entries don't have sigrdatasets.
+ */
+ INSIST(sigrdataset == NULL ||
+ ! dns_rdataset_isassociated(sigrdataset));
+ }
+ if (result == ISC_R_SUCCESS) {
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_a, &mname)) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ {
+ ISC_LIST_APPEND(fname->list,
+ sigrdataset, link);
+ sigrdataset =
+ query_newrdataset(client);
+ }
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL)
+ goto addname;
+ if (WANTDNSSEC(client) && sigrdataset == NULL)
+ goto addname;
+ } else {
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ }
+ }
+ result = dns_db_findrdataset(db, node, version,
+ dns_rdatatype_aaaa, 0,
+ client->now, rdataset,
+ sigrdataset);
+ if (result == DNS_R_NCACHENXDOMAIN)
+ goto addname;
+ if (result == DNS_R_NCACHENXRRSET) {
+ dns_rdataset_disassociate(rdataset);
+ INSIST(sigrdataset == NULL ||
+ ! dns_rdataset_isassociated(sigrdataset));
+ }
+ if (result == ISC_R_SUCCESS) {
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_aaaa, &mname)) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ {
+ ISC_LIST_APPEND(fname->list,
+ sigrdataset, link);
+ sigrdataset = NULL;
+ }
+ rdataset = NULL;
+ }
+ }
+ }
+
+ addname:
+ CTRACE("query_addadditional: addname");
+ /*
+ * If we haven't added anything, then we're done.
+ */
+ if (!added_something)
+ goto cleanup;
+
+ /*
+ * We may have added our rdatasets to an existing name, if so, then
+ * need_addname will be ISC_FALSE. Whether we used an existing name
+ * or a new one, we must set fname to NULL to prevent cleanup.
+ */
+ if (need_addname)
+ dns_message_addname(client->message, fname,
+ DNS_SECTION_ADDITIONAL);
+ fname = NULL;
+
+ /*
+ * In a few cases, we want to add additional data for additional
+ * data. It's simpler to just deal with special cases here than
+ * to try to create a general purpose mechanism and allow the
+ * rdata implementations to do it themselves.
+ *
+ * This involves recursion, but the depth is limited. The
+ * most complex case is adding a SRV rdataset, which involves
+ * recursing to add address records, which in turn can cause
+ * recursion to add KEYs.
+ */
+ if (type == dns_rdatatype_a || type == dns_rdatatype_aaaa) {
+ /*
+ * RFC 2535 section 3.5 says that when A or AAAA records are
+ * retrieved as additional data, any KEY RRs for the owner name
+ * should be added to the additional data section.
+ *
+ * XXXRTH We should lower the priority here. Alternatively,
+ * we could raise the priority of glue records.
+ */
+ eresult = query_addadditional(client, name, dns_rdatatype_dnskey);
+ } else if (type == dns_rdatatype_srv && trdataset != NULL) {
+ /*
+ * If we're adding SRV records to the additional data
+ * section, it's helpful if we add the SRV additional data
+ * as well.
+ */
+ eresult = dns_rdataset_additionaldata(trdataset,
+ query_addadditional,
+ client);
+ }
+
+ cleanup:
+ CTRACE("query_addadditional: cleanup");
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ CTRACE("query_addadditional: done");
+ return (eresult);
+}
+
+static inline void
+query_addrdataset(ns_client_t *client, dns_name_t *fname,
+ dns_rdataset_t *rdataset)
+{
+ dns_rdatatype_t type = rdataset->type;
+
+ /*
+ * Add 'rdataset' and any pertinent additional data to
+ * 'fname', a name in the response message for 'client'.
+ */
+
+ CTRACE("query_addrdataset");
+
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+
+ if (client->view->order != NULL)
+ rdataset->attributes |= dns_order_find(client->view->order,
+ fname, rdataset->type,
+ rdataset->rdclass);
+ if (NOADDITIONAL(client))
+ return;
+
+ /*
+ * Add additional data.
+ *
+ * We don't care if dns_rdataset_additionaldata() fails.
+ */
+ (void)dns_rdataset_additionaldata(rdataset,
+ query_addadditional, client);
+ /*
+ * RFC 2535 section 3.5 says that when NS, SOA, A, or AAAA records
+ * are retrieved, any KEY RRs for the owner name should be added
+ * to the additional data section. We treat A6 records the same way.
+ *
+ * We don't care if query_addadditional() fails.
+ */
+ if (type == dns_rdatatype_ns || type == dns_rdatatype_soa ||
+ type == dns_rdatatype_a || type == dns_rdatatype_aaaa ||
+ type == dns_rdatatype_a6) {
+ /*
+ * XXXRTH We should lower the priority here. Alternatively,
+ * we could raise the priority of glue records.
+ */
+ (void)query_addadditional(client, fname, dns_rdatatype_dnskey);
+ }
+ CTRACE("query_addrdataset: done");
+}
+
+static void
+query_addrrset(ns_client_t *client, dns_name_t **namep,
+ dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
+ isc_buffer_t *dbuf, dns_section_t section)
+{
+ dns_name_t *name, *mname;
+ dns_rdataset_t *rdataset, *mrdataset, *sigrdataset;
+ isc_result_t result;
+
+ /*
+ * To the current response for 'client', add the answer RRset
+ * '*rdatasetp' and an optional signature set '*sigrdatasetp', with
+ * owner name '*namep', to section 'section', unless they are
+ * already there. Also add any pertinent additional data.
+ *
+ * If 'dbuf' is not NULL, then '*namep' is the name whose data is
+ * stored in 'dbuf'. In this case, query_addrrset() guarantees that
+ * when it returns the name will either have been kept or released.
+ */
+ CTRACE("query_addrrset");
+ name = *namep;
+ rdataset = *rdatasetp;
+ if (sigrdatasetp != NULL)
+ sigrdataset = *sigrdatasetp;
+ else
+ sigrdataset = NULL;
+ mname = NULL;
+ mrdataset = NULL;
+ result = dns_message_findname(client->message, section,
+ name, rdataset->type, rdataset->covers,
+ &mname, &mrdataset);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We've already got an RRset of the given name and type.
+ * There's nothing else to do;
+ */
+ CTRACE("query_addrrset: dns_message_findname succeeded: done");
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ return;
+ } else if (result == DNS_R_NXDOMAIN) {
+ /*
+ * The name doesn't exist.
+ */
+ if (dbuf != NULL)
+ query_keepname(client, name, dbuf);
+ dns_message_addname(client->message, name, section);
+ *namep = NULL;
+ mname = name;
+ } else {
+ RUNTIME_CHECK(result == DNS_R_NXRRSET);
+ if (dbuf != NULL)
+ query_releasename(client, namep);
+ }
+
+ if (rdataset->trust != dns_trust_secure &&
+ (section == DNS_SECTION_ANSWER ||
+ section == DNS_SECTION_AUTHORITY))
+ client->query.attributes &= ~NS_QUERYATTR_SECURE;
+ /*
+ * Note: we only add SIGs if we've added the type they cover, so
+ * we do not need to check if the SIG rdataset is already in the
+ * response.
+ */
+ query_addrdataset(client, mname, rdataset);
+ *rdatasetp = NULL;
+ if (sigrdataset != NULL && dns_rdataset_isassociated(sigrdataset)) {
+ /*
+ * We have a signature. Add it to the response.
+ */
+ ISC_LIST_APPEND(mname->list, sigrdataset, link);
+ *sigrdatasetp = NULL;
+ }
+ CTRACE("query_addrrset: done");
+}
+
+static inline isc_result_t
+query_addsoa(ns_client_t *client, dns_db_t *db, isc_boolean_t zero_ttl) {
+ dns_name_t *name, *fname;
+ dns_dbnode_t *node;
+ isc_result_t result, eresult;
+ dns_fixedname_t foundname;
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+ dns_rdataset_t **sigrdatasetp = NULL;
+
+ CTRACE("query_addsoa");
+ /*
+ * Initialization.
+ */
+ eresult = ISC_R_SUCCESS;
+ name = NULL;
+ rdataset = NULL;
+ node = NULL;
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+
+ /*
+ * Get resources and make 'name' be the database origin.
+ */
+ result = dns_message_gettempname(client->message, &name);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_init(name, NULL);
+ dns_name_clone(dns_db_origin(db), name);
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL) {
+ eresult = DNS_R_SERVFAIL;
+ goto cleanup;
+ }
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL) {
+ eresult = DNS_R_SERVFAIL;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Find the SOA.
+ */
+ result = dns_db_find(db, name, NULL, dns_rdatatype_soa,
+ client->query.dboptions, 0, &node,
+ fname, rdataset, sigrdataset);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * This is bad. We tried to get the SOA RR at the zone top
+ * and it didn't work!
+ */
+ eresult = DNS_R_SERVFAIL;
+ } else {
+ /*
+ * Extract the SOA MINIMUM.
+ */
+ dns_rdata_soa_t soa;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ result = dns_rdataset_first(rdataset);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ if (zero_ttl) {
+ rdataset->ttl = 0;
+ if (sigrdataset != NULL)
+ sigrdataset->ttl = 0;
+ }
+
+ /*
+ * Add the SOA and its SIG to the response, with the
+ * TTLs adjusted per RFC2308 section 3.
+ */
+ if (rdataset->ttl > soa.minimum)
+ rdataset->ttl = soa.minimum;
+ if (sigrdataset != NULL && sigrdataset->ttl > soa.minimum)
+ sigrdataset->ttl = soa.minimum;
+
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
+ DNS_SECTION_AUTHORITY);
+ }
+
+ cleanup:
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (name != NULL)
+ query_releasename(client, &name);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ return (eresult);
+}
+
+static inline isc_result_t
+query_addns(ns_client_t *client, dns_db_t *db) {
+ dns_name_t *name, *fname;
+ dns_dbnode_t *node;
+ isc_result_t result, eresult;
+ dns_fixedname_t foundname;
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+ dns_rdataset_t **sigrdatasetp = NULL;
+
+ CTRACE("query_addns");
+ /*
+ * Initialization.
+ */
+ eresult = ISC_R_SUCCESS;
+ name = NULL;
+ rdataset = NULL;
+ node = NULL;
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+
+ /*
+ * Get resources and make 'name' be the database origin.
+ */
+ result = dns_message_gettempname(client->message, &name);
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_addns: dns_message_gettempname failed: done");
+ return (result);
+ }
+ dns_name_init(name, NULL);
+ dns_name_clone(dns_db_origin(db), name);
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL) {
+ CTRACE("query_addns: query_newrdataset failed");
+ eresult = DNS_R_SERVFAIL;
+ goto cleanup;
+ }
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL) {
+ CTRACE("query_addns: query_newrdataset failed");
+ eresult = DNS_R_SERVFAIL;
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Find the NS rdataset.
+ */
+ CTRACE("query_addns: calling dns_db_find");
+ result = dns_db_find(db, name, NULL, dns_rdatatype_ns,
+ client->query.dboptions, 0, &node,
+ fname, rdataset, sigrdataset);
+ CTRACE("query_addns: dns_db_find complete");
+ if (result != ISC_R_SUCCESS) {
+ CTRACE("query_addns: dns_db_find failed");
+ /*
+ * This is bad. We tried to get the NS rdataset at the zone
+ * top and it didn't work!
+ */
+ eresult = DNS_R_SERVFAIL;
+ } else {
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ query_addrrset(client, &name, &rdataset, sigrdatasetp, NULL,
+ DNS_SECTION_AUTHORITY);
+ }
+
+ cleanup:
+ CTRACE("query_addns: cleanup");
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (name != NULL)
+ query_releasename(client, &name);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ CTRACE("query_addns: done");
+ return (eresult);
+}
+
+static inline isc_result_t
+query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
+ dns_trust_t trust, dns_name_t **anamep, dns_rdatatype_t type)
+{
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ isc_result_t result;
+ isc_region_t r;
+
+ /*
+ * We assume the name data referred to by tname won't go away.
+ */
+
+ REQUIRE(anamep != NULL);
+
+ rdatalist = NULL;
+ result = dns_message_gettemprdatalist(client->message, &rdatalist);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdata = NULL;
+ result = dns_message_gettemprdata(client->message, &rdata);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdataset = NULL;
+ result = dns_message_gettemprdataset(client->message, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_init(rdataset);
+ result = dns_name_dup(qname, client->mctx, *anamep);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttemprdataset(client->message, &rdataset);
+ return (result);
+ }
+
+ rdatalist->type = type;
+ rdatalist->covers = 0;
+ rdatalist->rdclass = client->message->rdclass;
+ rdatalist->ttl = 0;
+
+ dns_name_toregion(tname, &r);
+ rdata->data = r.base;
+ rdata->length = r.length;
+ rdata->rdclass = client->message->rdclass;
+ rdata->type = type;
+
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+ == ISC_R_SUCCESS);
+ rdataset->trust = trust;
+
+ query_addrrset(client, anamep, &rdataset, NULL, NULL,
+ DNS_SECTION_ANSWER);
+
+ if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ dns_message_puttemprdataset(client->message, &rdataset);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+query_addbestns(ns_client_t *client) {
+ dns_db_t *db, *zdb;
+ dns_dbnode_t *node;
+ dns_name_t *fname, *zfname;
+ dns_rdataset_t *rdataset, *sigrdataset, *zrdataset, *zsigrdataset;
+ isc_boolean_t is_zone, use_zone;
+ isc_buffer_t *dbuf;
+ isc_result_t result;
+ dns_dbversion_t *version;
+ dns_zone_t *zone;
+ isc_buffer_t b;
+
+ CTRACE("query_addbestns");
+ fname = NULL;
+ zfname = NULL;
+ rdataset = NULL;
+ zrdataset = NULL;
+ sigrdataset = NULL;
+ zsigrdataset = NULL;
+ node = NULL;
+ db = NULL;
+ zdb = NULL;
+ version = NULL;
+ zone = NULL;
+ is_zone = ISC_FALSE;
+ use_zone = ISC_FALSE;
+
+ /*
+ * Find the right database.
+ */
+ result = query_getdb(client, client->query.qname, dns_rdatatype_ns, 0,
+ &zone, &db, &version, &is_zone);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ db_find:
+ /*
+ * We'll need some resources...
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ rdataset = query_newrdataset(client);
+ if (fname == NULL || rdataset == NULL)
+ goto cleanup;
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL)
+ goto cleanup;
+ }
+
+ /*
+ * Now look for the zonecut.
+ */
+ if (is_zone) {
+ result = dns_db_find(db, client->query.qname, version,
+ dns_rdatatype_ns, client->query.dboptions,
+ client->now, &node, fname,
+ rdataset, sigrdataset);
+ if (result != DNS_R_DELEGATION)
+ goto cleanup;
+ if (USECACHE(client)) {
+ query_keepname(client, fname, dbuf);
+ zdb = db;
+ zfname = fname;
+ fname = NULL;
+ zrdataset = rdataset;
+ rdataset = NULL;
+ zsigrdataset = sigrdataset;
+ sigrdataset = NULL;
+ dns_db_detachnode(db, &node);
+ version = NULL;
+ db = NULL;
+ dns_db_attach(client->view->cachedb, &db);
+ is_zone = ISC_FALSE;
+ goto db_find;
+ }
+ } else {
+ result = dns_db_findzonecut(db, client->query.qname,
+ client->query.dboptions,
+ client->now, &node, fname,
+ rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS) {
+ if (zfname != NULL &&
+ !dns_name_issubdomain(fname, zfname)) {
+ /*
+ * We found a zonecut in the cache, but our
+ * zone delegation is better.
+ */
+ use_zone = ISC_TRUE;
+ }
+ } else if (result == ISC_R_NOTFOUND && zfname != NULL) {
+ /*
+ * We didn't find anything in the cache, but we
+ * have a zone delegation, so use it.
+ */
+ use_zone = ISC_TRUE;
+ } else
+ goto cleanup;
+ }
+
+ if (use_zone) {
+ query_releasename(client, &fname);
+ fname = zfname;
+ zfname = NULL;
+ /*
+ * We've already done query_keepname() on
+ * zfname, so we must set dbuf to NULL to
+ * prevent query_addrrset() from trying to
+ * call query_keepname() again.
+ */
+ dbuf = NULL;
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ rdataset = zrdataset;
+ zrdataset = NULL;
+ sigrdataset = zsigrdataset;
+ zsigrdataset = NULL;
+ }
+
+ if ((client->query.dboptions & DNS_DBFIND_PENDINGOK) == 0 &&
+ (rdataset->trust == dns_trust_pending ||
+ (sigrdataset != NULL && sigrdataset->trust == dns_trust_pending)))
+ goto cleanup;
+
+ if (WANTDNSSEC(client) && SECURE(client) &&
+ (rdataset->trust == dns_trust_glue ||
+ (sigrdataset != NULL && sigrdataset->trust == dns_trust_glue)))
+ goto cleanup;
+
+ query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
+ DNS_SECTION_AUTHORITY);
+
+ cleanup:
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (zdb != NULL) {
+ query_putrdataset(client, &zrdataset);
+ if (zsigrdataset != NULL)
+ query_putrdataset(client, &zsigrdataset);
+ if (zfname != NULL)
+ query_releasename(client, &zfname);
+ dns_db_detach(&zdb);
+ }
+}
+
+static void
+query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node) {
+ dns_name_t *rname;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ isc_result_t result;
+
+ CTRACE("query_addds");
+ rname = NULL;
+ rdataset = NULL;
+ sigrdataset = NULL;
+
+ /*
+ * We'll need some resources...
+ */
+ rdataset = query_newrdataset(client);
+ sigrdataset = query_newrdataset(client);
+ if (rdataset == NULL || sigrdataset == NULL)
+ goto cleanup;
+
+ /*
+ * Look for the DS record, which may or may not be present.
+ */
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ds, 0,
+ client->now, rdataset, sigrdataset);
+ /*
+ * If we didn't find it, look for an NSEC. */
+ if (result == ISC_R_NOTFOUND)
+ result = dns_db_findrdataset(db, node, NULL,
+ dns_rdatatype_nsec, 0, client->now,
+ rdataset, sigrdataset);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto cleanup;
+ if (!dns_rdataset_isassociated(rdataset) ||
+ !dns_rdataset_isassociated(sigrdataset))
+ goto cleanup;
+
+ /*
+ * We've already added the NS record, so if the name's not there,
+ * we have other problems. Use this name rather than calling
+ * query_addrrset().
+ */
+ result = dns_message_firstname(client->message, DNS_SECTION_AUTHORITY);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ rname = NULL;
+ dns_message_currentname(client->message, DNS_SECTION_AUTHORITY,
+ &rname);
+ result = dns_message_findtype(rname, dns_rdatatype_ns, 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ ISC_LIST_APPEND(rname->list, rdataset, link);
+ ISC_LIST_APPEND(rname->list, sigrdataset, link);
+ rdataset = NULL;
+ sigrdataset = NULL;
+
+ cleanup:
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+}
+
+static void
+query_addwildcardproof(ns_client_t *client, dns_db_t *db,
+ dns_name_t *name, isc_boolean_t ispositive)
+{
+ isc_buffer_t *dbuf, b;
+ dns_name_t *fname;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_fixedname_t wfixed;
+ dns_name_t *wname;
+ dns_dbnode_t *node;
+ unsigned int options;
+ unsigned int olabels, nlabels;
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_nsec_t nsec;
+ isc_boolean_t have_wname;
+ int order;
+
+ CTRACE("query_addwildcardproof");
+ fname = NULL;
+ rdataset = NULL;
+ sigrdataset = NULL;
+ node = NULL;
+
+ /*
+ * Get the NOQNAME proof then if !ispositve
+ * get the NOWILDCARD proof.
+ *
+ * DNS_DBFIND_NOWILD finds the NSEC records that covers the
+ * name ignoring any wildcard. From the owner and next names
+ * of this record you can compute which wildcard (if it exists)
+ * will match by finding the longest common suffix of the
+ * owner name and next names with the qname and prefixing that
+ * with the wildcard label.
+ *
+ * e.g.
+ * Given:
+ * example SOA
+ * example NSEC b.example
+ * b.example A
+ * b.example NSEC a.d.example
+ * a.d.example A
+ * a.d.example NSEC g.f.example
+ * g.f.example A
+ * g.f.example NSEC z.i.example
+ * z.i.example A
+ * z.i.example NSEC example
+ *
+ * QNAME:
+ * a.example -> example NSEC b.example
+ * owner common example
+ * next common example
+ * wild *.example
+ * d.b.example -> b.example NSEC a.d.example
+ * owner common b.example
+ * next common example
+ * wild *.b.example
+ * a.f.example -> a.d.example NSEC g.f.example
+ * owner common example
+ * next common f.example
+ * wild *.f.example
+ * j.example -> z.i.example NSEC example
+ * owner common example
+ * next common example
+ * wild *.f.example
+ */
+ options = client->query.dboptions | DNS_DBFIND_NOWILD;
+ dns_fixedname_init(&wfixed);
+ wname = dns_fixedname_name(&wfixed);
+ again:
+ have_wname = ISC_FALSE;
+ /*
+ * We'll need some resources...
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ rdataset = query_newrdataset(client);
+ sigrdataset = query_newrdataset(client);
+ if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+ goto cleanup;
+
+ result = dns_db_find(db, name, NULL, dns_rdatatype_nsec, options,
+ 0, &node, fname, rdataset, sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (result == DNS_R_NXDOMAIN) {
+ if (!ispositive)
+ result = dns_rdataset_first(rdataset);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+ }
+ if (result == ISC_R_SUCCESS) {
+ (void)dns_name_fullcompare(name, fname, &order,
+ &olabels);
+ (void)dns_name_fullcompare(name, &nsec.next, &order,
+ &nlabels);
+ if (olabels > nlabels)
+ dns_name_split(name, olabels, NULL, wname);
+ else
+ dns_name_split(name, nlabels, NULL, wname);
+ result = dns_name_concatenate(dns_wildcardname,
+ wname, wname, NULL);
+ if (result == ISC_R_SUCCESS)
+ have_wname = ISC_TRUE;
+ dns_rdata_freestruct(&nsec);
+ }
+ query_addrrset(client, &fname, &rdataset, &sigrdataset,
+ dbuf, DNS_SECTION_AUTHORITY);
+ }
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+ if (have_wname) {
+ ispositive = ISC_TRUE; /* prevent loop */
+ if (!dns_name_equal(name, wname)) {
+ name = wname;
+ goto again;
+ }
+ }
+ cleanup:
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+}
+
+static void
+query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db, dns_name_t **namep,
+ dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp)
+{
+ dns_name_t *name;
+ dns_rdataset_t *sigrdataset;
+ dns_rdata_t sigrdata;
+ dns_rdata_rrsig_t sig;
+ unsigned int labels;
+ isc_buffer_t *dbuf, b;
+ dns_name_t *fname;
+ isc_result_t result;
+
+ name = *namep;
+ if ((name->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+ query_addrrset(client, namep, rdatasetp, sigrdatasetp,
+ NULL, DNS_SECTION_AUTHORITY);
+ return;
+ }
+
+ if (sigrdatasetp == NULL)
+ return;
+ sigrdataset = *sigrdatasetp;
+ if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
+ return;
+ result = dns_rdataset_first(sigrdataset);
+ if (result != ISC_R_SUCCESS)
+ return;
+ dns_rdata_init(&sigrdata);
+ dns_rdataset_current(sigrdataset, &sigrdata);
+ result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ labels = dns_name_countlabels(name);
+ if ((unsigned int)sig.labels + 1 >= labels)
+ return;
+
+ /* XXX */
+ query_addwildcardproof(client, db,
+ client->query.qname,
+ ISC_TRUE);
+
+ /*
+ * We'll need some resources...
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ return;
+ fname = query_newname(client, dbuf, &b);
+ if (fname == NULL)
+ return;
+ dns_name_split(name, sig.labels + 1, NULL, fname);
+ /* This will succeed, since we've stripped labels. */
+ RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname, fname, fname,
+ NULL) == ISC_R_SUCCESS);
+ query_addrrset(client, &fname, rdatasetp, sigrdatasetp,
+ dbuf, DNS_SECTION_AUTHORITY);
+}
+
+static void
+query_resume(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+ ns_client_t *client;
+ isc_boolean_t fetch_cancelled, client_shuttingdown;
+
+ /*
+ * Resume a query after recursion.
+ */
+
+ UNUSED(task);
+
+ REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+ client = devent->ev_arg;
+ REQUIRE(NS_CLIENT_VALID(client));
+ REQUIRE(task == client->task);
+ REQUIRE(RECURSING(client));
+
+ LOCK(&client->query.fetchlock);
+ if (client->query.fetch != NULL) {
+ /*
+ * This is the fetch we've been waiting for.
+ */
+ INSIST(devent->fetch == client->query.fetch);
+ client->query.fetch = NULL;
+ fetch_cancelled = ISC_FALSE;
+ /*
+ * Update client->now.
+ */
+ isc_stdtime_get(&client->now);
+ } else {
+ /*
+ * This is a fetch completion event for a cancelled fetch.
+ * Clean up and don't resume the find.
+ */
+ fetch_cancelled = ISC_TRUE;
+ }
+ UNLOCK(&client->query.fetchlock);
+ INSIST(client->query.fetch == NULL);
+
+ client->query.attributes &= ~NS_QUERYATTR_RECURSING;
+ dns_resolver_destroyfetch(&devent->fetch);
+
+ /*
+ * If this client is shutting down, or this transaction
+ * has timed out, do not resume the find.
+ */
+ client_shuttingdown = ns_client_shuttingdown(client);
+ if (fetch_cancelled || client_shuttingdown) {
+ if (devent->node != NULL)
+ dns_db_detachnode(devent->db, &devent->node);
+ if (devent->db != NULL)
+ dns_db_detach(&devent->db);
+ query_putrdataset(client, &devent->rdataset);
+ if (devent->sigrdataset != NULL)
+ query_putrdataset(client, &devent->sigrdataset);
+ isc_event_free(&event);
+ if (fetch_cancelled)
+ query_error(client, DNS_R_SERVFAIL);
+ else
+ query_next(client, ISC_R_CANCELED);
+ /*
+ * This may destroy the client.
+ */
+ ns_client_detach(&client);
+ } else {
+ query_find(client, devent, 0);
+ }
+}
+
+static isc_result_t
+query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
+ dns_rdataset_t *nameservers)
+{
+ isc_result_t result;
+ dns_rdataset_t *rdataset, *sigrdataset;
+
+ inc_stats(client, dns_statscounter_recursion);
+
+ /*
+ * We are about to recurse, which means that this client will
+ * be unavailable for serving new requests for an indeterminate
+ * amount of time. If this client is currently responsible
+ * for handling incoming queries, set up a new client
+ * object to handle them while we are waiting for a
+ * response. There is no need to replace TCP clients
+ * because those have already been replaced when the
+ * connection was accepted (if allowed by the TCP quota).
+ */
+ if (client->recursionquota == NULL) {
+ isc_boolean_t killoldest = ISC_FALSE;
+ result = isc_quota_attach(&ns_g_server->recursionquota,
+ &client->recursionquota);
+ if (result == ISC_R_SOFTQUOTA) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "recursive-clients limit exceeded, "
+ "aborting oldest query");
+ killoldest = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ }
+ if (dns_resolver_nrunning(client->view->resolver) >
+ (unsigned int)ns_g_server->recursionquota.max)
+ result = ISC_R_QUOTA;
+ if (result == ISC_R_SUCCESS && !client->mortal &&
+ (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ result = ns_client_replace(client);
+ if (result != ISC_R_SUCCESS) {
+ ns_client_log(client, NS_LOGCATEGORY_CLIENT,
+ NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+ "no more recursive clients: %s",
+ isc_result_totext(result));
+ if (client->recursionquota != NULL)
+ isc_quota_detach(&client->recursionquota);
+ return (result);
+ }
+ ns_client_recursing(client, killoldest);
+ }
+
+ /*
+ * Invoke the resolver.
+ */
+ REQUIRE(nameservers == NULL || nameservers->type == dns_rdatatype_ns);
+ REQUIRE(client->query.fetch == NULL);
+
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL)
+ return (ISC_R_NOMEMORY);
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL) {
+ query_putrdataset(client, &rdataset);
+ return (ISC_R_NOMEMORY);
+ }
+ } else
+ sigrdataset = NULL;
+
+ if (client->query.timerset == ISC_FALSE)
+ ns_client_settimeout(client, 60);
+ result = dns_resolver_createfetch(client->view->resolver,
+ client->query.qname,
+ qtype, qdomain, nameservers,
+ NULL, client->query.fetchoptions,
+ client->task,
+ query_resume, client,
+ rdataset, sigrdataset,
+ &client->query.fetch);
+
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Record that we're waiting for an event. A client which
+ * is shutting down will not be destroyed until all the
+ * events have been received.
+ */
+ } else {
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ }
+
+ return (result);
+}
+
+#define MAX_RESTARTS 16
+
+#define QUERY_ERROR(r) \
+do { \
+ eresult = r; \
+ want_restart = ISC_FALSE; \
+} while (0)
+
+/*
+ * Extract a network address from the RDATA of an A or AAAA
+ * record.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTIMPLEMENTED The rdata is not a known address type.
+ */
+static isc_result_t
+rdata_tonetaddr(dns_rdata_t *rdata, isc_netaddr_t *netaddr) {
+ struct in_addr ina;
+ struct in6_addr in6a;
+
+ switch (rdata->type) {
+ case dns_rdatatype_a:
+ INSIST(rdata->length == 4);
+ memcpy(&ina.s_addr, rdata->data, 4);
+ isc_netaddr_fromin(netaddr, &ina);
+ return (ISC_R_SUCCESS);
+ case dns_rdatatype_aaaa:
+ INSIST(rdata->length == 16);
+ memcpy(in6a.s6_addr, rdata->data, 16);
+ isc_netaddr_fromin6(netaddr, &in6a);
+ return (ISC_R_SUCCESS);
+ default:
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+}
+
+/*
+ * Find the sort order of 'rdata' in the topology-like
+ * ACL forming the second element in a 2-element top-level
+ * sortlist statement.
+ */
+static int
+query_sortlist_order_2element(dns_rdata_t *rdata, void *arg) {
+ isc_netaddr_t netaddr;
+
+ if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
+ return (INT_MAX);
+ return (ns_sortlist_addrorder2(&netaddr, arg));
+}
+
+/*
+ * Find the sort order of 'rdata' in the matching element
+ * of a 1-element top-level sortlist statement.
+ */
+static int
+query_sortlist_order_1element(dns_rdata_t *rdata, void *arg) {
+ isc_netaddr_t netaddr;
+
+ if (rdata_tonetaddr(rdata, &netaddr) != ISC_R_SUCCESS)
+ return (INT_MAX);
+ return (ns_sortlist_addrorder1(&netaddr, arg));
+}
+
+/*
+ * Find the sortlist statement that applies to 'client' and set up
+ * the sortlist info in in client->message appropriately.
+ */
+static void
+setup_query_sortlist(ns_client_t *client) {
+ isc_netaddr_t netaddr;
+ dns_rdatasetorderfunc_t order = NULL;
+ void *order_arg = NULL;
+
+ isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+ switch (ns_sortlist_setup(client->view->sortlist,
+ &netaddr, &order_arg)) {
+ case NS_SORTLISTTYPE_1ELEMENT:
+ order = query_sortlist_order_1element;
+ break;
+ case NS_SORTLISTTYPE_2ELEMENT:
+ order = query_sortlist_order_2element;
+ break;
+ case NS_SORTLISTTYPE_NONE:
+ order = NULL;
+ break;
+ default:
+ INSIST(0);
+ break;
+ }
+ dns_message_setsortorder(client->message, order, order_arg);
+}
+
+static void
+query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
+ isc_buffer_t *dbuf, b;
+ dns_name_t *fname;
+ dns_rdataset_t *nsec, *nsecsig;
+ isc_result_t result = ISC_R_NOMEMORY;
+
+ CTRACE("query_addnoqnameproof");
+
+ fname = NULL;
+ nsec = NULL;
+ nsecsig = NULL;
+
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL)
+ goto cleanup;
+ fname = query_newname(client, dbuf, &b);
+ nsec = query_newrdataset(client);
+ nsecsig = query_newrdataset(client);
+ if (fname == NULL || nsec == NULL || nsecsig == NULL)
+ goto cleanup;
+
+ result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
+ DNS_SECTION_AUTHORITY);
+
+ cleanup:
+ if (nsec != NULL)
+ query_putrdataset(client, &nsec);
+ if (nsecsig != NULL)
+ query_putrdataset(client, &nsecsig);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+}
+
+/*
+ * Do the bulk of query processing for the current query of 'client'.
+ * If 'event' is non-NULL, we are returning from recursion and 'qtype'
+ * is ignored. Otherwise, 'qtype' is the query type.
+ */
+static void
+query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
+{
+ dns_db_t *db, *zdb;
+ dns_dbnode_t *node;
+ dns_rdatatype_t type;
+ dns_name_t *fname, *zfname, *tname, *prefix;
+ dns_rdataset_t *rdataset, *trdataset;
+ dns_rdataset_t *sigrdataset, *zrdataset, *zsigrdataset;
+ dns_rdataset_t **sigrdatasetp;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatasetiter_t *rdsiter;
+ isc_boolean_t want_restart, authoritative, is_zone, need_wildcardproof;
+ unsigned int n, nlabels;
+ dns_namereln_t namereln;
+ int order;
+ isc_buffer_t *dbuf;
+ isc_buffer_t b;
+ isc_result_t result, eresult;
+ dns_fixedname_t fixed;
+ dns_fixedname_t wildcardname;
+ dns_dbversion_t *version;
+ dns_zone_t *zone;
+ dns_rdata_cname_t cname;
+ dns_rdata_dname_t dname;
+ unsigned int options;
+ isc_boolean_t empty_wild;
+ dns_rdataset_t *noqname;
+
+ CTRACE("query_find");
+
+ /*
+ * One-time initialization.
+ *
+ * It's especially important to initialize anything that the cleanup
+ * code might cleanup.
+ */
+
+ eresult = ISC_R_SUCCESS;
+ fname = NULL;
+ zfname = NULL;
+ rdataset = NULL;
+ zrdataset = NULL;
+ sigrdataset = NULL;
+ zsigrdataset = NULL;
+ node = NULL;
+ db = NULL;
+ zdb = NULL;
+ version = NULL;
+ zone = NULL;
+ need_wildcardproof = ISC_FALSE;
+ empty_wild = ISC_FALSE;
+ options = 0;
+
+ if (event != NULL) {
+ /*
+ * We're returning from recursion. Restore the query context
+ * and resume.
+ */
+
+ want_restart = ISC_FALSE;
+ authoritative = ISC_FALSE;
+ is_zone = ISC_FALSE;
+
+ qtype = event->qtype;
+ if (qtype == dns_rdatatype_rrsig)
+ type = dns_rdatatype_any;
+ else
+ type = qtype;
+ db = event->db;
+ node = event->node;
+ rdataset = event->rdataset;
+ sigrdataset = event->sigrdataset;
+
+ /*
+ * We'll need some resources...
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ fname = query_newname(client, dbuf, &b);
+ if (fname == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ tname = dns_fixedname_name(&event->foundname);
+ result = dns_name_copy(tname, fname, NULL);
+ if (result != ISC_R_SUCCESS) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+
+ result = event->result;
+
+ goto resume;
+ }
+
+ /*
+ * Not returning from recursion.
+ */
+
+ /*
+ * If it's a SIG query, we'll iterate the node.
+ */
+ if (qtype == dns_rdatatype_rrsig)
+ type = dns_rdatatype_any;
+ else
+ type = qtype;
+
+ restart:
+ CTRACE("query_find: restart");
+ want_restart = ISC_FALSE;
+ authoritative = ISC_FALSE;
+ version = NULL;
+ need_wildcardproof = ISC_FALSE;
+
+ if (client->view->checknames &&
+ !dns_rdata_checkowner(client->query.qname,
+ client->message->rdclass,
+ qtype, ISC_FALSE)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typename[DNS_RDATATYPE_FORMATSIZE];
+ char classname[DNS_RDATACLASS_FORMATSIZE];
+
+ dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(qtype, typename, sizeof(typename));
+ dns_rdataclass_format(client->message->rdclass, classname,
+ sizeof(classname));
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_QUERY, ISC_LOG_ERROR,
+ "check-names failure %s/%s/%s", namebuf,
+ typename, classname);
+ QUERY_ERROR(DNS_R_REFUSED);
+ goto cleanup;
+ }
+
+ /*
+ * First we must find the right database.
+ */
+ options = 0;
+ if (dns_rdatatype_atparent(qtype) &&
+ !dns_name_equal(client->query.qname, dns_rootname))
+ options |= DNS_GETDB_NOEXACT;
+ result = query_getdb(client, client->query.qname, qtype, options,
+ &zone, &db, &version, &is_zone);
+ if ((result != ISC_R_SUCCESS || !is_zone) && !RECURSIONOK(client) &&
+ (options & DNS_GETDB_NOEXACT) != 0 && qtype == dns_rdatatype_ds) {
+ /*
+ * Look to see if we are authoritative for the
+ * child zone if the query type is DS.
+ */
+ dns_db_t *tdb = NULL;
+ dns_zone_t *tzone = NULL;
+ dns_dbversion_t *tversion = NULL;
+ isc_result_t tresult;
+
+ tresult = query_getzonedb(client, client->query.qname, qtype,
+ DNS_GETDB_PARTIAL, &tzone, &tdb,
+ &tversion);
+ if (tresult == ISC_R_SUCCESS) {
+ options &= ~DNS_GETDB_NOEXACT;
+ query_putrdataset(client, &rdataset);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ version = tversion;
+ db = tdb;
+ zone = tzone;
+ is_zone = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ } else {
+ if (tdb != NULL)
+ dns_db_detach(&tdb);
+ if (tzone != NULL)
+ dns_zone_detach(&tzone);
+ }
+ }
+ if (result != ISC_R_SUCCESS) {
+ if (result == DNS_R_REFUSED)
+ QUERY_ERROR(DNS_R_REFUSED);
+ else
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+
+ if (is_zone)
+ authoritative = ISC_TRUE;
+
+ if (event == NULL && client->query.restarts == 0) {
+ if (is_zone) {
+ dns_zone_attach(zone, &client->query.authzone);
+ dns_db_attach(db, &client->query.authdb);
+ }
+ client->query.authdbset = ISC_TRUE;
+ }
+
+ db_find:
+ CTRACE("query_find: db_find");
+ /*
+ * We'll need some resources...
+ */
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ fname = query_newname(client, dbuf, &b);
+ rdataset = query_newrdataset(client);
+ if (fname == NULL || rdataset == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ if (WANTDNSSEC(client)) {
+ sigrdataset = query_newrdataset(client);
+ if (sigrdataset == NULL) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ }
+
+ /*
+ * Now look for an answer in the database.
+ */
+ result = dns_db_find(db, client->query.qname, version, type,
+ client->query.dboptions, client->now,
+ &node, fname, rdataset, sigrdataset);
+
+ resume:
+ CTRACE("query_find: resume");
+ switch (result) {
+ case ISC_R_SUCCESS:
+ /*
+ * This case is handled in the main line below.
+ */
+ break;
+ case DNS_R_GLUE:
+ case DNS_R_ZONECUT:
+ /*
+ * These cases are handled in the main line below.
+ */
+ INSIST(is_zone);
+ authoritative = ISC_FALSE;
+ break;
+ case ISC_R_NOTFOUND:
+ /*
+ * The cache doesn't even have the root NS. Get them from
+ * the hints DB.
+ */
+ INSIST(!is_zone);
+ if (db != NULL)
+ dns_db_detach(&db);
+
+ if (client->view->hints == NULL) {
+ /* We have no hints. */
+ result = ISC_R_FAILURE;
+ } else {
+ dns_db_attach(client->view->hints, &db);
+ result = dns_db_find(db, dns_rootname,
+ NULL, dns_rdatatype_ns,
+ 0, client->now, &node, fname,
+ rdataset, sigrdataset);
+ }
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Nonsensical root hints may require cleanup.
+ */
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+
+ /*
+ * We don't have any root server hints, but
+ * we may have working forwarders, so try to
+ * recurse anyway.
+ */
+ if (RECURSIONOK(client)) {
+ result = query_recurse(client, qtype,
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS)
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ else {
+ /* Unable to recurse. */
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ }
+ goto cleanup;
+ } else {
+ /* Unable to give root server referral. */
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ }
+ /*
+ * XXXRTH We should trigger root server priming here.
+ */
+ /* FALLTHROUGH */
+ case DNS_R_DELEGATION:
+ authoritative = ISC_FALSE;
+ if (is_zone) {
+ /*
+ * Look to see if we are authoritative for the
+ * child zone if the query type is DS.
+ */
+ if (!RECURSIONOK(client) &&
+ (options & DNS_GETDB_NOEXACT) != 0 &&
+ qtype == dns_rdatatype_ds) {
+ dns_db_t *tdb = NULL;
+ dns_zone_t *tzone = NULL;
+ dns_dbversion_t *tversion = NULL;
+ result = query_getzonedb(client,
+ client->query.qname,
+ qtype,
+ DNS_GETDB_PARTIAL,
+ &tzone, &tdb,
+ &tversion);
+ if (result == ISC_R_SUCCESS) {
+ options &= ~DNS_GETDB_NOEXACT;
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client,
+ &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client,
+ &fname);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ version = tversion;
+ db = tdb;
+ zone = tzone;
+ authoritative = ISC_TRUE;
+ goto db_find;
+ }
+ if (tdb != NULL)
+ dns_db_detach(&tdb);
+ if (tzone != NULL)
+ dns_zone_detach(&tzone);
+ }
+ /*
+ * We're authoritative for an ancestor of QNAME.
+ */
+ if (!USECACHE(client) || !RECURSIONOK(client)) {
+ /*
+ * If we don't have a cache, this is the best
+ * answer.
+ *
+ * If the client is making a nonrecursive
+ * query we always give out the authoritative
+ * delegation. This way even if we get
+ * junk in our cache, we won't fail in our
+ * role as the delegating authority if another
+ * nameserver asks us about a delegated
+ * subzone.
+ *
+ * We enable the retrieval of glue for this
+ * database by setting client->query.gluedb.
+ */
+ client->query.gluedb = db;
+ client->query.isreferral = ISC_TRUE;
+ /*
+ * We must ensure NOADDITIONAL is off,
+ * because the generation of
+ * additional data is required in
+ * delegations.
+ */
+ client->query.attributes &=
+ ~NS_QUERYATTR_NOADDITIONAL;
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ query_addrrset(client, &fname,
+ &rdataset, sigrdatasetp,
+ dbuf, DNS_SECTION_AUTHORITY);
+ client->query.gluedb = NULL;
+ if (WANTDNSSEC(client) && dns_db_issecure(db))
+ query_addds(client, db, node);
+ } else {
+ /*
+ * We might have a better answer or delegation
+ * in the cache. We'll remember the current
+ * values of fname, rdataset, and sigrdataset.
+ * We'll then go looking for QNAME in the
+ * cache. If we find something better, we'll
+ * use it instead.
+ */
+ query_keepname(client, fname, dbuf);
+ zdb = db;
+ zfname = fname;
+ fname = NULL;
+ zrdataset = rdataset;
+ rdataset = NULL;
+ zsigrdataset = sigrdataset;
+ sigrdataset = NULL;
+ dns_db_detachnode(db, &node);
+ version = NULL;
+ db = NULL;
+ dns_db_attach(client->view->cachedb, &db);
+ is_zone = ISC_FALSE;
+ goto db_find;
+ }
+ } else {
+ if (zfname != NULL &&
+ !dns_name_issubdomain(fname, zfname)) {
+ /*
+ * We've already got a delegation from
+ * authoritative data, and it is better
+ * than what we found in the cache. Use
+ * it instead of the cache delegation.
+ */
+ query_releasename(client, &fname);
+ fname = zfname;
+ zfname = NULL;
+ /*
+ * We've already done query_keepname() on
+ * zfname, so we must set dbuf to NULL to
+ * prevent query_addrrset() from trying to
+ * call query_keepname() again.
+ */
+ dbuf = NULL;
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client,
+ &sigrdataset);
+ rdataset = zrdataset;
+ zrdataset = NULL;
+ sigrdataset = zsigrdataset;
+ zsigrdataset = NULL;
+ /*
+ * We don't clean up zdb here because we
+ * may still need it. It will get cleaned
+ * up by the main cleanup code.
+ */
+ }
+
+ if (RECURSIONOK(client)) {
+ /*
+ * Recurse!
+ */
+ if (dns_rdatatype_atparent(type))
+ result = query_recurse(client, qtype,
+ NULL, NULL);
+ else
+ result = query_recurse(client, qtype,
+ fname, rdataset);
+ if (result == ISC_R_SUCCESS)
+ client->query.attributes |=
+ NS_QUERYATTR_RECURSING;
+ else
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ } else {
+ /*
+ * This is the best answer.
+ */
+ client->query.attributes |=
+ NS_QUERYATTR_CACHEGLUEOK;
+ client->query.gluedb = zdb;
+ client->query.isreferral = ISC_TRUE;
+ /*
+ * We must ensure NOADDITIONAL is off,
+ * because the generation of
+ * additional data is required in
+ * delegations.
+ */
+ client->query.attributes &=
+ ~NS_QUERYATTR_NOADDITIONAL;
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ query_addrrset(client, &fname,
+ &rdataset, sigrdatasetp,
+ dbuf, DNS_SECTION_AUTHORITY);
+ client->query.gluedb = NULL;
+ client->query.attributes &=
+ ~NS_QUERYATTR_CACHEGLUEOK;
+ if (WANTDNSSEC(client))
+ query_addds(client, db, node);
+ }
+ }
+ goto cleanup;
+ case DNS_R_EMPTYNAME:
+ result = DNS_R_NXRRSET;
+ /* FALLTHROUGH */
+ case DNS_R_NXRRSET:
+ INSIST(is_zone);
+ if (dns_rdataset_isassociated(rdataset)) {
+ /*
+ * If we've got a NSEC record, we need to save the
+ * name now because we're going call query_addsoa()
+ * below, and it needs to use the name buffer.
+ */
+ query_keepname(client, fname, dbuf);
+ } else {
+ /*
+ * We're not going to use fname, and need to release
+ * our hold on the name buffer so query_addsoa()
+ * may use it.
+ */
+ query_releasename(client, &fname);
+ }
+ /*
+ * Add SOA.
+ */
+ result = query_addsoa(client, db, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ QUERY_ERROR(result);
+ goto cleanup;
+ }
+ /*
+ * Add NSEC record if we found one.
+ */
+ if (WANTDNSSEC(client)) {
+ if (dns_rdataset_isassociated(rdataset))
+ query_addnxrrsetnsec(client, db, &fname,
+ &rdataset, &sigrdataset);
+ }
+ goto cleanup;
+ case DNS_R_EMPTYWILD:
+ empty_wild = ISC_TRUE;
+ /* FALLTHROUGH */
+ case DNS_R_NXDOMAIN:
+ INSIST(is_zone);
+ if (dns_rdataset_isassociated(rdataset)) {
+ /*
+ * If we've got a NSEC record, we need to save the
+ * name now because we're going call query_addsoa()
+ * below, and it needs to use the name buffer.
+ */
+ query_keepname(client, fname, dbuf);
+ } else {
+ /*
+ * We're not going to use fname, and need to release
+ * our hold on the name buffer so query_addsoa()
+ * may use it.
+ */
+ query_releasename(client, &fname);
+ }
+ /*
+ * Add SOA. If the query was for a SOA record force the
+ * ttl to zero so that it is possible for clients to find
+ * the containing zone of a arbitary name with a stub
+ * resolver and not have it cached.
+ */
+ if (qtype == dns_rdatatype_soa)
+ result = query_addsoa(client, db, ISC_TRUE);
+ else
+ result = query_addsoa(client, db, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ QUERY_ERROR(result);
+ goto cleanup;
+ }
+ /*
+ * Add NSEC record if we found one.
+ */
+ if (dns_rdataset_isassociated(rdataset)) {
+ if (WANTDNSSEC(client)) {
+ query_addrrset(client, &fname, &rdataset,
+ &sigrdataset,
+ NULL, DNS_SECTION_AUTHORITY);
+ query_addwildcardproof(client, db,
+ client->query.qname,
+ ISC_FALSE);
+ }
+ }
+ /*
+ * Set message rcode.
+ */
+ if (empty_wild)
+ client->message->rcode = dns_rcode_noerror;
+ else
+ client->message->rcode = dns_rcode_nxdomain;
+ goto cleanup;
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ INSIST(!is_zone);
+ authoritative = ISC_FALSE;
+ /*
+ * Set message rcode, if required.
+ */
+ if (result == DNS_R_NCACHENXDOMAIN)
+ client->message->rcode = dns_rcode_nxdomain;
+ /*
+ * We don't call query_addrrset() because we don't need any
+ * of its extra features (and things would probably break!).
+ */
+ query_keepname(client, fname, dbuf);
+ dns_message_addname(client->message, fname,
+ DNS_SECTION_AUTHORITY);
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ fname = NULL;
+ rdataset = NULL;
+ goto cleanup;
+ case DNS_R_CNAME:
+ /*
+ * Keep a copy of the rdataset. We have to do this because
+ * query_addrrset may clear 'rdataset' (to prevent the
+ * cleanup code from cleaning it up).
+ */
+ trdataset = rdataset;
+ /*
+ * Add the CNAME to the answer section.
+ */
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ if (WANTDNSSEC(client) &&
+ (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+ {
+ dns_fixedname_init(&wildcardname);
+ dns_name_copy(fname, dns_fixedname_name(&wildcardname),
+ NULL);
+ need_wildcardproof = ISC_TRUE;
+ }
+ if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
+ WANTDNSSEC(client))
+ noqname = rdataset;
+ else
+ noqname = NULL;
+ query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
+ DNS_SECTION_ANSWER);
+ if (noqname != NULL)
+ query_addnoqnameproof(client, noqname);
+ /*
+ * We set the PARTIALANSWER attribute so that if anything goes
+ * wrong later on, we'll return what we've got so far.
+ */
+ client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
+ /*
+ * Reset qname to be the target name of the CNAME and restart
+ * the query.
+ */
+ tname = NULL;
+ result = dns_message_gettempname(client->message, &tname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_rdataset_first(trdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ dns_rdataset_current(trdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ dns_name_init(tname, NULL);
+ result = dns_name_dup(&cname.cname, client->mctx, tname);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ dns_rdata_freestruct(&cname);
+ goto cleanup;
+ }
+ dns_rdata_freestruct(&cname);
+ query_maybeputqname(client);
+ client->query.qname = tname;
+ want_restart = ISC_TRUE;
+ goto addauth;
+ case DNS_R_DNAME:
+ /*
+ * Compare the current qname to the found name. We need
+ * to know how many labels and bits are in common because
+ * we're going to have to split qname later on.
+ */
+ namereln = dns_name_fullcompare(client->query.qname, fname,
+ &order, &nlabels);
+ INSIST(namereln == dns_namereln_subdomain);
+ /*
+ * Keep a copy of the rdataset. We have to do this because
+ * query_addrrset may clear 'rdataset' (to prevent the
+ * cleanup code from cleaning it up).
+ */
+ trdataset = rdataset;
+ /*
+ * Add the DNAME to the answer section.
+ */
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ if (WANTDNSSEC(client) &&
+ (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+ {
+ dns_fixedname_init(&wildcardname);
+ dns_name_copy(fname, dns_fixedname_name(&wildcardname),
+ NULL);
+ need_wildcardproof = ISC_TRUE;
+ }
+ query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
+ DNS_SECTION_ANSWER);
+ /*
+ * We set the PARTIALANSWER attribute so that if anything goes
+ * wrong later on, we'll return what we've got so far.
+ */
+ client->query.attributes |= NS_QUERYATTR_PARTIALANSWER;
+ /*
+ * Get the target name of the DNAME.
+ */
+ tname = NULL;
+ result = dns_message_gettempname(client->message, &tname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_rdataset_first(trdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ dns_rdataset_current(trdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ dns_name_init(tname, NULL);
+ dns_name_clone(&dname.dname, tname);
+ dns_rdata_freestruct(&dname);
+ /*
+ * Construct the new qname.
+ */
+ dns_fixedname_init(&fixed);
+ prefix = dns_fixedname_name(&fixed);
+ dns_name_split(client->query.qname, nlabels, prefix, NULL);
+ INSIST(fname == NULL);
+ dbuf = query_getnamebuf(client);
+ if (dbuf == NULL) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ fname = query_newname(client, dbuf, &b);
+ if (fname == NULL) {
+ dns_message_puttempname(client->message, &tname);
+ goto cleanup;
+ }
+ result = dns_name_concatenate(prefix, tname, fname, NULL);
+ if (result != ISC_R_SUCCESS) {
+ dns_message_puttempname(client->message, &tname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+ * RFC 2672, section 4.1, subsection 3c says
+ * we should return YXDOMAIN if the constructed
+ * name would be too long.
+ */
+ client->message->rcode = dns_rcode_yxdomain;
+ }
+ goto cleanup;
+ }
+ query_keepname(client, fname, dbuf);
+ /*
+ * Synthesize a CNAME for this DNAME.
+ *
+ * We want to synthesize a CNAME since if we don't
+ * then older software that doesn't understand DNAME
+ * will not chain like it should.
+ *
+ * We do not try to synthesize a signature because we hope
+ * that security aware servers will understand DNAME. Also,
+ * even if we had an online key, making a signature
+ * on-the-fly is costly, and not really legitimate anyway
+ * since the synthesized CNAME is NOT in the zone.
+ */
+ dns_name_init(tname, NULL);
+ (void)query_addcnamelike(client, client->query.qname, fname,
+ trdataset->trust, &tname,
+ dns_rdatatype_cname);
+ if (tname != NULL)
+ dns_message_puttempname(client->message, &tname);
+ /*
+ * Switch to the new qname and restart.
+ */
+ query_maybeputqname(client);
+ client->query.qname = fname;
+ fname = NULL;
+ want_restart = ISC_TRUE;
+ goto addauth;
+ default:
+ /*
+ * Something has gone wrong.
+ */
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+
+ if (WANTDNSSEC(client) &&
+ (fname->attributes & DNS_NAMEATTR_WILDCARD) != 0)
+ {
+ dns_fixedname_init(&wildcardname);
+ dns_name_copy(fname, dns_fixedname_name(&wildcardname), NULL);
+ need_wildcardproof = ISC_TRUE;
+ }
+
+ if (type == dns_rdatatype_any) {
+ /*
+ * XXXRTH Need to handle zonecuts with special case
+ * code.
+ */
+ n = 0;
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+ if (result != ISC_R_SUCCESS) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ /*
+ * Calling query_addrrset() with a non-NULL dbuf is going
+ * to either keep or release the name. We don't want it to
+ * release fname, since we may have to call query_addrrset()
+ * more than once. That means we have to call query_keepname()
+ * now, and pass a NULL dbuf to query_addrrset().
+ *
+ * If we do a query_addrrset() below, we must set fname to
+ * NULL before leaving this block, otherwise we might try to
+ * cleanup fname even though we're using it!
+ */
+ query_keepname(client, fname, dbuf);
+ tname = fname;
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, rdataset);
+ if ((qtype == dns_rdatatype_any ||
+ rdataset->type == qtype) && rdataset->type != 0) {
+ query_addrrset(client,
+ fname != NULL ? &fname : &tname,
+ &rdataset, NULL,
+ NULL, DNS_SECTION_ANSWER);
+ n++;
+ INSIST(tname != NULL);
+ /*
+ * rdataset is non-NULL only in certain pathological
+ * cases involving DNAMEs.
+ */
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ rdataset = query_newrdataset(client);
+ if (rdataset == NULL)
+ break;
+ } else {
+ /*
+ * We're not interested in this rdataset.
+ */
+ dns_rdataset_disassociate(rdataset);
+ }
+ result = dns_rdatasetiter_next(rdsiter);
+ }
+
+ if (fname != NULL)
+ dns_message_puttempname(client->message, &fname);
+
+ if (n == 0) {
+ /*
+ * We didn't match any rdatasets.
+ */
+ if (qtype == dns_rdatatype_rrsig &&
+ result == ISC_R_NOMORE) {
+ /*
+ * XXXRTH If this is a secure zone and we
+ * didn't find any SIGs, we should generate
+ * an error unless we were searching for
+ * glue. Ugh.
+ */
+ /*
+ * We were searching for SIG records in
+ * a nonsecure zone. Send a "no error,
+ * no data" response.
+ */
+ /*
+ * Add SOA.
+ */
+ result = query_addsoa(client, db, ISC_FALSE);
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_NOMORE;
+ } else {
+ /*
+ * Something went wrong.
+ */
+ result = DNS_R_SERVFAIL;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result != ISC_R_NOMORE) {
+ QUERY_ERROR(DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ } else {
+ /*
+ * This is the "normal" case -- an ordinary question to which
+ * we know the answer.
+ */
+ if (sigrdataset != NULL)
+ sigrdatasetp = &sigrdataset;
+ else
+ sigrdatasetp = NULL;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
+ WANTDNSSEC(client))
+ noqname = rdataset;
+ else
+ noqname = NULL;
+ query_addrrset(client, &fname, &rdataset, sigrdatasetp, dbuf,
+ DNS_SECTION_ANSWER);
+ if (noqname != NULL)
+ query_addnoqnameproof(client, noqname);
+ /*
+ * We shouldn't ever fail to add 'rdataset'
+ * because it's already in the answer.
+ */
+ INSIST(rdataset == NULL);
+ }
+
+ addauth:
+ CTRACE("query_find: addauth");
+ /*
+ * Add NS records to the authority section (if we haven't already
+ * added them to the answer section).
+ */
+ if (!want_restart && !NOAUTHORITY(client)) {
+ if (is_zone) {
+ if (!((qtype == dns_rdatatype_ns ||
+ qtype == dns_rdatatype_any) &&
+ dns_name_equal(client->query.qname,
+ dns_db_origin(db))))
+ (void)query_addns(client, db);
+ } else if (qtype != dns_rdatatype_ns) {
+ if (fname != NULL)
+ query_releasename(client, &fname);
+ query_addbestns(client);
+ }
+ }
+
+ /*
+ * Add NSEC records to the authority section if they're needed for
+ * DNSSEC wildcard proofs.
+ */
+ if (need_wildcardproof && dns_db_issecure(db))
+ query_addwildcardproof(client, db,
+ dns_fixedname_name(&wildcardname),
+ ISC_TRUE);
+ cleanup:
+ CTRACE("query_find: cleanup");
+ /*
+ * General cleanup.
+ */
+ if (rdataset != NULL)
+ query_putrdataset(client, &rdataset);
+ if (sigrdataset != NULL)
+ query_putrdataset(client, &sigrdataset);
+ if (fname != NULL)
+ query_releasename(client, &fname);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (zdb != NULL) {
+ query_putrdataset(client, &zrdataset);
+ if (zsigrdataset != NULL)
+ query_putrdataset(client, &zsigrdataset);
+ if (zfname != NULL)
+ query_releasename(client, &zfname);
+ dns_db_detach(&zdb);
+ }
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+
+ /*
+ * AA bit.
+ */
+ if (client->query.restarts == 0 && !authoritative) {
+ /*
+ * We're not authoritative, so we must ensure the AA bit
+ * isn't set.
+ */
+ client->message->flags &= ~DNS_MESSAGEFLAG_AA;
+ }
+
+ /*
+ * Restart the query?
+ */
+ if (want_restart && client->query.restarts < MAX_RESTARTS) {
+ client->query.restarts++;
+ goto restart;
+ }
+
+ if (eresult != ISC_R_SUCCESS &&
+ (!PARTIALANSWER(client) || WANTRECURSION(client))) {
+ /*
+ * If we don't have any answer to give the client,
+ * or if the client requested recursion and thus wanted
+ * the complete answer, send an error response.
+ */
+ query_error(client, eresult);
+ ns_client_detach(&client);
+ } else if (!RECURSING(client)) {
+ /*
+ * We are done. Set up sortlist data for the message
+ * rendering code, make a final tweak to the AA bit if the
+ * auth-nxdomain config option says so, then render and
+ * send the response.
+ */
+ setup_query_sortlist(client);
+
+ if (client->message->rcode == dns_rcode_nxdomain &&
+ client->view->auth_nxdomain == ISC_TRUE)
+ client->message->flags |= DNS_MESSAGEFLAG_AA;
+
+ query_send(client);
+ ns_client_detach(&client);
+ }
+ CTRACE("query_find: done");
+}
+
+static inline void
+log_query(ns_client_t *client) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typename[DNS_RDATATYPE_FORMATSIZE];
+ char classname[DNS_RDATACLASS_FORMATSIZE];
+ dns_rdataset_t *rdataset;
+ int level = ISC_LOG_INFO;
+
+ if (! isc_log_wouldlog(ns_g_lctx, level))
+ return;
+
+ rdataset = ISC_LIST_HEAD(client->query.qname->list);
+ INSIST(rdataset != NULL);
+ dns_name_format(client->query.qname, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(rdataset->rdclass, classname, sizeof(classname));
+ dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
+
+ ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
+ level, "query: %s %s %s %s%s%s", namebuf, classname,
+ typename, WANTRECURSION(client) ? "+" : "-",
+ (client->signer != NULL) ? "S": "",
+ (client->opt != NULL) ? "E" : "");
+}
+
+void
+ns_query_start(ns_client_t *client) {
+ isc_result_t result;
+ dns_message_t *message = client->message;
+ dns_rdataset_t *rdataset;
+ ns_client_t *qclient;
+ dns_rdatatype_t qtype;
+
+ CTRACE("ns_query_start");
+
+ /*
+ * Ensure that appropriate cleanups occur.
+ */
+ client->next = query_next_callback;
+
+ /*
+ * Behave as if we don't support DNSSEC if not enabled.
+ */
+ if (!client->view->enablednssec) {
+ message->flags &= ~DNS_MESSAGEFLAG_CD;
+ client->extflags &= ~DNS_MESSAGEEXTFLAG_DO;
+ }
+
+ if ((message->flags & DNS_MESSAGEFLAG_RD) != 0)
+ client->query.attributes |= NS_QUERYATTR_WANTRECURSION;
+
+ if ((client->extflags & DNS_MESSAGEEXTFLAG_DO) != 0)
+ client->attributes |= NS_CLIENTATTR_WANTDNSSEC;
+
+ if (client->view->minimalresponses)
+ client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+ NS_QUERYATTR_NOADDITIONAL);
+
+ if ((client->view->cachedb == NULL)
+ || (!client->view->additionalfromcache)) {
+ /*
+ * We don't have a cache. Turn off cache support and
+ * recursion.
+ */
+ client->query.attributes &=
+ ~(NS_QUERYATTR_RECURSIONOK|NS_QUERYATTR_CACHEOK);
+ } else if ((client->attributes & NS_CLIENTATTR_RA) == 0 ||
+ (message->flags & DNS_MESSAGEFLAG_RD) == 0) {
+ /*
+ * If the client isn't allowed to recurse (due to
+ * "recursion no", the allow-recursion ACL, or the
+ * lack of a resolver in this view), or if it
+ * doesn't want recursion, turn recursion off.
+ */
+ client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
+ }
+
+ /*
+ * Get the question name.
+ */
+ result = dns_message_firstname(message, DNS_SECTION_QUESTION);
+ if (result != ISC_R_SUCCESS) {
+ query_error(client, result);
+ return;
+ }
+ dns_message_currentname(message, DNS_SECTION_QUESTION,
+ &client->query.qname);
+ client->query.origqname = client->query.qname;
+ result = dns_message_nextname(message, DNS_SECTION_QUESTION);
+ if (result != ISC_R_NOMORE) {
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * There's more than one QNAME in the question
+ * section.
+ */
+ query_error(client, DNS_R_FORMERR);
+ } else
+ query_error(client, result);
+ return;
+ }
+
+ if (ns_g_server->log_queries)
+ log_query(client);
+
+ /*
+ * Check for multiple question queries, since edns1 is dead.
+ */
+ if (message->counts[DNS_SECTION_QUESTION] > 1) {
+ query_error(client, DNS_R_FORMERR);
+ return;
+ }
+
+ /*
+ * Check for meta-queries like IXFR and AXFR.
+ */
+ rdataset = ISC_LIST_HEAD(client->query.qname->list);
+ INSIST(rdataset != NULL);
+ qtype = rdataset->type;
+ if (dns_rdatatype_ismeta(qtype)) {
+ switch (qtype) {
+ case dns_rdatatype_any:
+ break; /* Let query_find handle it. */
+ case dns_rdatatype_ixfr:
+ case dns_rdatatype_axfr:
+ ns_xfr_start(client, rdataset->type);
+ return;
+ case dns_rdatatype_maila:
+ case dns_rdatatype_mailb:
+ query_error(client, DNS_R_NOTIMP);
+ return;
+ case dns_rdatatype_tkey:
+ result = dns_tkey_processquery(client->message,
+ ns_g_server->tkeyctx,
+ client->view->dynamickeys);
+ if (result == ISC_R_SUCCESS)
+ query_send(client);
+ else
+ query_error(client, result);
+ return;
+ default: /* TSIG, etc. */
+ query_error(client, DNS_R_FORMERR);
+ return;
+ }
+ }
+
+ /*
+ * If the client has requested that DNSSEC checking be disabled,
+ * allow lookups to return pending data and instruct the resolver
+ * to return data before validation has completed.
+ */
+ if (message->flags & DNS_MESSAGEFLAG_CD ||
+ qtype == dns_rdatatype_rrsig)
+ {
+ client->query.dboptions |= DNS_DBFIND_PENDINGOK;
+ client->query.fetchoptions |= DNS_FETCHOPT_NOVALIDATE;
+ }
+
+ /*
+ * Allow glue NS records to be added to the authority section
+ * if the answer is secure.
+ */
+ if (message->flags & DNS_MESSAGEFLAG_CD)
+ client->query.attributes &= ~NS_QUERYATTR_SECURE;
+
+ /*
+ * This is an ordinary query.
+ */
+ result = dns_message_reply(message, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ query_next(client, result);
+ return;
+ }
+
+ /*
+ * Assume authoritative response until it is known to be
+ * otherwise.
+ */
+ message->flags |= DNS_MESSAGEFLAG_AA;
+
+ /*
+ * Set AD. We must clear it if we add non-validated data to a
+ * response.
+ */
+ if (client->view->enablednssec)
+ message->flags |= DNS_MESSAGEFLAG_AD;
+
+ qclient = NULL;
+ ns_client_attach(client, &qclient);
+ query_find(qclient, NULL, qtype);
+}
diff --git a/contrib/bind9/bin/named/server.c b/contrib/bind9/bin/named/server.c
new file mode 100644
index 0000000..9080376
--- /dev/null
+++ b/contrib/bind9/bin/named/server.c
@@ -0,0 +1,4089 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: server.c,v 1.339.2.15.2.56 2004/06/18 04:39:48 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/lex.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/resource.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <bind9/check.h>
+
+#include <dns/adb.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/forward.h>
+#include <dns/journal.h>
+#include <dns/keytable.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/order.h>
+#include <dns/peer.h>
+#include <dns/portlist.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/rootns.h>
+#include <dns/secalg.h>
+#include <dns/stats.h>
+#include <dns/tkey.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <dst/dst.h>
+#include <dst/result.h>
+
+#include <named/client.h>
+#include <named/config.h>
+#include <named/control.h>
+#include <named/interfacemgr.h>
+#include <named/log.h>
+#include <named/logconf.h>
+#include <named/lwresd.h>
+#include <named/main.h>
+#include <named/os.h>
+#include <named/server.h>
+#include <named/tkeyconf.h>
+#include <named/tsigconf.h>
+#include <named/zoneconf.h>
+
+/*
+ * Check an operation for failure. Assumes that the function
+ * using it has a 'result' variable and a 'cleanup' label.
+ */
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+#define CHECKM(op, msg) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_SERVER, \
+ ISC_LOG_ERROR, \
+ "%s: %s", msg, \
+ isc_result_totext(result)); \
+ goto cleanup; \
+ } \
+ } while (0) \
+
+#define CHECKMF(op, msg, file) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) { \
+ isc_log_write(ns_g_lctx, \
+ NS_LOGCATEGORY_GENERAL, \
+ NS_LOGMODULE_SERVER, \
+ ISC_LOG_ERROR, \
+ "%s '%s': %s", msg, file, \
+ isc_result_totext(result)); \
+ goto cleanup; \
+ } \
+ } while (0) \
+
+#define CHECKFATAL(op, msg) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) \
+ fatal(msg, result); \
+ } while (0) \
+
+struct ns_dispatch {
+ isc_sockaddr_t addr;
+ unsigned int dispatchgen;
+ dns_dispatch_t *dispatch;
+ ISC_LINK(struct ns_dispatch) link;
+};
+
+struct dumpcontext {
+ isc_mem_t *mctx;
+ isc_boolean_t dumpcache;
+ isc_boolean_t dumpzones;
+ FILE *fp;
+ ISC_LIST(struct viewlistentry) viewlist;
+ struct viewlistentry *view;
+ struct zonelistentry *zone;
+ dns_dumpctx_t *mdctx;
+ dns_db_t *db;
+ dns_db_t *cache;
+ isc_task_t *task;
+ dns_dbversion_t *version;
+};
+
+struct viewlistentry {
+ dns_view_t *view;
+ ISC_LINK(struct viewlistentry) link;
+ ISC_LIST(struct zonelistentry) zonelist;
+};
+
+struct zonelistentry {
+ dns_zone_t *zone;
+ ISC_LINK(struct zonelistentry) link;
+};
+
+static void
+fatal(const char *msg, isc_result_t result);
+
+static void
+ns_server_reload(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ ns_aclconfctx_t *actx,
+ isc_mem_t *mctx, ns_listenelt_t **target);
+static isc_result_t
+ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ ns_aclconfctx_t *actx,
+ isc_mem_t *mctx, ns_listenlist_t **target);
+
+static isc_result_t
+configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+ cfg_obj_t *forwarders, cfg_obj_t *forwardtype);
+
+static isc_result_t
+configure_alternates(cfg_obj_t *config, dns_view_t *view,
+ cfg_obj_t *alternates);
+
+static isc_result_t
+configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
+ isc_mem_t *mctx, dns_view_t *view,
+ ns_aclconfctx_t *aclconf);
+
+static void
+end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
+
+/*
+ * Configure a single view ACL at '*aclp'. Get its configuration by
+ * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
+ * (for a global default).
+ */
+static isc_result_t
+configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config,
+ const char *aclname, ns_aclconfctx_t *actx,
+ isc_mem_t *mctx, dns_acl_t **aclp)
+{
+ isc_result_t result;
+ cfg_obj_t *maps[3];
+ cfg_obj_t *aclobj = NULL;
+ int i = 0;
+
+ if (*aclp != NULL)
+ dns_acl_detach(aclp);
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (config != NULL) {
+ cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ maps[i++] = options;
+ }
+ maps[i] = NULL;
+
+ result = ns_config_get(maps, aclname, &aclobj);
+ if (aclobj == NULL)
+ /*
+ * No value available. *aclp == NULL.
+ */
+ return (ISC_R_SUCCESS);
+
+ result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp);
+
+ return (result);
+}
+
+static isc_result_t
+configure_view_dnsseckey(cfg_obj_t *vconfig, cfg_obj_t *key,
+ dns_keytable_t *keytable, isc_mem_t *mctx)
+{
+ dns_rdataclass_t viewclass;
+ dns_rdata_dnskey_t keystruct;
+ isc_uint32_t flags, proto, alg;
+ char *keystr, *keynamestr;
+ unsigned char keydata[4096];
+ isc_buffer_t keydatabuf;
+ unsigned char rrdata[4096];
+ isc_buffer_t rrdatabuf;
+ isc_region_t r;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname;
+ isc_buffer_t namebuf;
+ isc_result_t result;
+ dst_key_t *dstkey = NULL;
+
+ flags = cfg_obj_asuint32(cfg_tuple_get(key, "flags"));
+ proto = cfg_obj_asuint32(cfg_tuple_get(key, "protocol"));
+ alg = cfg_obj_asuint32(cfg_tuple_get(key, "algorithm"));
+ keyname = dns_fixedname_name(&fkeyname);
+ keynamestr = cfg_obj_asstring(cfg_tuple_get(key, "name"));
+
+ if (vconfig == NULL)
+ viewclass = dns_rdataclass_in;
+ else {
+ cfg_obj_t *classobj = cfg_tuple_get(vconfig, "class");
+ CHECK(ns_config_getclass(classobj, dns_rdataclass_in,
+ &viewclass));
+ }
+ keystruct.common.rdclass = viewclass;
+ keystruct.common.rdtype = dns_rdatatype_dnskey;
+ /*
+ * The key data in keystruct is not dynamically allocated.
+ */
+ keystruct.mctx = NULL;
+
+ ISC_LINK_INIT(&keystruct.common, link);
+
+ if (flags > 0xffff)
+ CHECKM(ISC_R_RANGE, "key flags");
+ if (proto > 0xff)
+ CHECKM(ISC_R_RANGE, "key protocol");
+ if (alg > 0xff)
+ CHECKM(ISC_R_RANGE, "key algorithm");
+ keystruct.flags = (isc_uint16_t)flags;
+ keystruct.protocol = (isc_uint8_t)proto;
+ keystruct.algorithm = (isc_uint8_t)alg;
+
+ isc_buffer_init(&keydatabuf, keydata, sizeof(keydata));
+ isc_buffer_init(&rrdatabuf, rrdata, sizeof(rrdata));
+
+ keystr = cfg_obj_asstring(cfg_tuple_get(key, "key"));
+ CHECK(isc_base64_decodestring(keystr, &keydatabuf));
+ isc_buffer_usedregion(&keydatabuf, &r);
+ keystruct.datalen = r.length;
+ keystruct.data = r.base;
+
+ CHECK(dns_rdata_fromstruct(NULL,
+ keystruct.common.rdclass,
+ keystruct.common.rdtype,
+ &keystruct, &rrdatabuf));
+ dns_fixedname_init(&fkeyname);
+ isc_buffer_init(&namebuf, keynamestr, strlen(keynamestr));
+ isc_buffer_add(&namebuf, strlen(keynamestr));
+ CHECK(dns_name_fromtext(keyname, &namebuf,
+ dns_rootname, ISC_FALSE,
+ NULL));
+ CHECK(dst_key_fromdns(keyname, viewclass, &rrdatabuf,
+ mctx, &dstkey));
+
+ CHECK(dns_keytable_add(keytable, &dstkey));
+ INSIST(dstkey == NULL);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (result == DST_R_NOCRYPTO) {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+ "ignoring trusted key for '%s': no crypto support",
+ keynamestr);
+ result = ISC_R_SUCCESS;
+ } else {
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+ "configuring trusted key for '%s': %s",
+ keynamestr, isc_result_totext(result));
+ result = ISC_R_FAILURE;
+ }
+
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+
+ return (result);
+}
+
+/*
+ * Configure DNSSEC keys for a view. Currently used only for
+ * the security roots.
+ *
+ * The per-view configuration values and the server-global defaults are read
+ * from 'vconfig' and 'config'. The variable to be configured is '*target'.
+ */
+static isc_result_t
+configure_view_dnsseckeys(cfg_obj_t *vconfig, cfg_obj_t *config,
+ isc_mem_t *mctx, dns_keytable_t **target)
+{
+ isc_result_t result;
+ cfg_obj_t *keys = NULL;
+ cfg_obj_t *voptions = NULL;
+ cfg_listelt_t *element, *element2;
+ cfg_obj_t *keylist;
+ cfg_obj_t *key;
+ dns_keytable_t *keytable = NULL;
+
+ CHECK(dns_keytable_create(mctx, &keytable));
+
+ if (vconfig != NULL)
+ voptions = cfg_tuple_get(vconfig, "options");
+
+ keys = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "trusted-keys", &keys);
+ if (keys == NULL)
+ (void)cfg_map_get(config, "trusted-keys", &keys);
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ keylist = cfg_listelt_value(element);
+ for (element2 = cfg_list_first(keylist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2))
+ {
+ key = cfg_listelt_value(element2);
+ CHECK(configure_view_dnsseckey(vconfig, key,
+ keytable, mctx));
+ }
+ }
+
+ dns_keytable_detach(target);
+ *target = keytable; /* Transfer ownership. */
+ keytable = NULL;
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+mustbesecure(cfg_obj_t *mbs, dns_resolver_t *resolver)
+{
+ cfg_listelt_t *element;
+ cfg_obj_t *obj;
+ const char *str;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_boolean_t value;
+ isc_result_t result;
+ isc_buffer_t b;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ for (element = cfg_list_first(mbs);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ str = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname,
+ ISC_FALSE, NULL));
+ value = cfg_obj_asboolean(cfg_tuple_get(obj, "value"));
+ CHECK(dns_resolver_setmustbesecure(resolver, name, value));
+ }
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ return (result);
+}
+
+/*
+ * Get a dispatch appropriate for the resolver of a given view.
+ */
+static isc_result_t
+get_view_querysource_dispatch(cfg_obj_t **maps,
+ int af, dns_dispatch_t **dispatchp)
+{
+ isc_result_t result;
+ dns_dispatch_t *disp;
+ isc_sockaddr_t sa;
+ unsigned int attrs, attrmask;
+ cfg_obj_t *obj = NULL;
+
+ /*
+ * Make compiler happy.
+ */
+ result = ISC_R_FAILURE;
+
+ switch (af) {
+ case AF_INET:
+ result = ns_config_get(maps, "query-source", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+
+ break;
+ case AF_INET6:
+ result = ns_config_get(maps, "query-source-v6", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ break;
+ default:
+ INSIST(0);
+ }
+
+ sa = *(cfg_obj_assockaddr(obj));
+ INSIST(isc_sockaddr_pf(&sa) == af);
+
+ /*
+ * If we don't support this address family, we're done!
+ */
+ switch (af) {
+ case AF_INET:
+ result = isc_net_probeipv4();
+ break;
+ case AF_INET6:
+ result = isc_net_probeipv6();
+ break;
+ default:
+ INSIST(0);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+
+ /*
+ * Try to find a dispatcher that we can share.
+ */
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_UDP;
+ switch (af) {
+ case AF_INET:
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ break;
+ case AF_INET6:
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ break;
+ }
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+
+ disp = NULL;
+ result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
+ ns_g_taskmgr, &sa, 4096,
+ 1000, 32768, 16411, 16433,
+ attrs, attrmask, &disp);
+ if (result != ISC_R_SUCCESS) {
+ isc_sockaddr_t any;
+ char buf[ISC_SOCKADDR_FORMATSIZE];
+
+ switch (af) {
+ case AF_INET:
+ isc_sockaddr_any(&any);
+ break;
+ case AF_INET6:
+ isc_sockaddr_any6(&any);
+ break;
+ }
+ if (isc_sockaddr_equal(&sa, &any))
+ return (ISC_R_SUCCESS);
+ isc_sockaddr_format(&sa, buf, sizeof(buf));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "could not get query source dispatcher (%s)",
+ buf);
+ return (result);
+ }
+
+ *dispatchp = disp;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+configure_order(dns_order_t *order, cfg_obj_t *ent) {
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t rdtype;
+ cfg_obj_t *obj;
+ dns_fixedname_t fixed;
+ unsigned int mode = 0;
+ const char *str;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ result = ns_config_getclass(cfg_tuple_get(ent, "class"),
+ dns_rdataclass_any, &rdclass);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = ns_config_gettype(cfg_tuple_get(ent, "type"),
+ dns_rdatatype_any, &rdtype);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = cfg_tuple_get(ent, "name");
+ if (cfg_obj_isstring(obj))
+ str = cfg_obj_asstring(obj);
+ else
+ str = "*";
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ dns_fixedname_init(&fixed);
+ result = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = cfg_tuple_get(ent, "ordering");
+ INSIST(cfg_obj_isstring(obj));
+ str = cfg_obj_asstring(obj);
+ if (!strcasecmp(str, "fixed"))
+ mode = DNS_RDATASETATTR_FIXEDORDER;
+ else if (!strcasecmp(str, "random"))
+ mode = DNS_RDATASETATTR_RANDOMIZE;
+ else if (!strcasecmp(str, "cyclic"))
+ mode = 0;
+ else
+ INSIST(0);
+
+ return (dns_order_add(order, dns_fixedname_name(&fixed),
+ rdtype, rdclass, mode));
+}
+
+static isc_result_t
+configure_peer(cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
+ isc_sockaddr_t *sa;
+ isc_netaddr_t na;
+ dns_peer_t *peer;
+ cfg_obj_t *obj;
+ char *str;
+ isc_result_t result;
+
+ sa = cfg_obj_assockaddr(cfg_map_getname(cpeer));
+ isc_netaddr_fromsockaddr(&na, sa);
+
+ peer = NULL;
+ result = dns_peer_new(mctx, &na, &peer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "bogus", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_setbogus(peer, cfg_obj_asboolean(obj)));
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "provide-ixfr", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_setprovideixfr(peer, cfg_obj_asboolean(obj)));
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "request-ixfr", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "edns", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "transfers", &obj);
+ if (obj != NULL)
+ CHECK(dns_peer_settransfers(peer, cfg_obj_asuint32(obj)));
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "transfer-format", &obj);
+ if (obj != NULL) {
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "many-answers") == 0)
+ CHECK(dns_peer_settransferformat(peer,
+ dns_many_answers));
+ else if (strcasecmp(str, "one-answer") == 0)
+ CHECK(dns_peer_settransferformat(peer,
+ dns_one_answer));
+ else
+ INSIST(0);
+ }
+
+ obj = NULL;
+ (void)cfg_map_get(cpeer, "keys", &obj);
+ if (obj != NULL) {
+ result = dns_peer_setkeybycharp(peer, cfg_obj_asstring(obj));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ obj = NULL;
+ if (isc_sockaddr_pf(sa) == AF_INET)
+ (void)cfg_map_get(cpeer, "transfer-source", &obj);
+ else
+ (void)cfg_map_get(cpeer, "transfer-source-v6", &obj);
+ if (obj != NULL) {
+ result = dns_peer_settransfersource(peer,
+ cfg_obj_assockaddr(obj));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ *peerp = peer;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_peer_detach(&peer);
+ return (result);
+}
+
+static isc_result_t
+disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) {
+ isc_result_t result;
+ cfg_obj_t *algorithms;
+ cfg_listelt_t *element;
+ const char *str;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t b;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ str = cfg_obj_asstring(cfg_tuple_get(disabled, "name"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL));
+
+ algorithms = cfg_tuple_get(disabled, "algorithms");
+ for (element = cfg_list_first(algorithms);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ isc_textregion_t r;
+ dns_secalg_t alg;
+
+ r.base = cfg_obj_asstring(cfg_listelt_value(element));
+ r.length = strlen(r.base);
+
+ result = dns_secalg_fromtext(&alg, &r);
+ if (result != ISC_R_SUCCESS) {
+ isc_uint8_t ui;
+ result = isc_parse_uint8(&ui, r.base, 10);
+ alg = ui;
+ }
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(cfg_listelt_value(element),
+ ns_g_lctx, ISC_LOG_ERROR,
+ "invalid algorithm");
+ CHECK(result);
+ }
+ CHECK(dns_resolver_disable_algorithm(resolver, name, alg));
+ }
+ cleanup:
+ return (result);
+}
+
+/*
+ * Configure 'view' according to 'vconfig', taking defaults from 'config'
+ * where values are missing in 'vconfig'.
+ *
+ * When configuring the default view, 'vconfig' will be NULL and the
+ * global defaults in 'config' used exclusively.
+ */
+static isc_result_t
+configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
+ isc_mem_t *mctx, ns_aclconfctx_t *actx,
+ isc_boolean_t need_hints)
+{
+ cfg_obj_t *maps[4];
+ cfg_obj_t *cfgmaps[3];
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *voptions = NULL;
+ cfg_obj_t *forwardtype;
+ cfg_obj_t *forwarders;
+ cfg_obj_t *alternates;
+ cfg_obj_t *zonelist;
+ cfg_obj_t *disabled;
+ cfg_obj_t *obj;
+ cfg_listelt_t *element;
+ in_port_t port;
+ dns_cache_t *cache = NULL;
+ isc_result_t result;
+ isc_uint32_t max_adb_size;
+ isc_uint32_t max_cache_size;
+ isc_uint32_t lame_ttl;
+ dns_tsig_keyring_t *ring;
+ dns_view_t *pview = NULL; /* Production view */
+ isc_mem_t *cmctx;
+ dns_dispatch_t *dispatch4 = NULL;
+ dns_dispatch_t *dispatch6 = NULL;
+ isc_boolean_t reused_cache = ISC_FALSE;
+ int i;
+ const char *str;
+ dns_order_t *order = NULL;
+ isc_uint32_t udpsize;
+ unsigned int check = 0;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ cmctx = NULL;
+
+ if (config != NULL)
+ (void)cfg_map_get(config, "options", &options);
+
+ i = 0;
+ if (vconfig != NULL) {
+ voptions = cfg_tuple_get(vconfig, "options");
+ maps[i++] = voptions;
+ }
+ if (options != NULL)
+ maps[i++] = options;
+ maps[i++] = ns_g_defaults;
+ maps[i] = NULL;
+
+ i = 0;
+ if (voptions != NULL)
+ cfgmaps[i++] = voptions;
+ if (config != NULL)
+ cfgmaps[i++] = config;
+ cfgmaps[i] = NULL;
+
+ /*
+ * Set the view's port number for outgoing queries.
+ */
+ CHECKM(ns_config_getport(config, &port), "port");
+ dns_view_setdstport(view, port);
+
+ /*
+ * Configure the zones.
+ */
+ zonelist = NULL;
+ if (voptions != NULL)
+ (void)cfg_map_get(voptions, "zone", &zonelist);
+ else
+ (void)cfg_map_get(config, "zone", &zonelist);
+ for (element = cfg_list_first(zonelist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *zconfig = cfg_listelt_value(element);
+ CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
+ actx));
+ }
+
+ /*
+ * Configure the view's cache. Try to reuse an existing
+ * cache if possible, otherwise create a new cache.
+ * Note that the ADB is not preserved in either case.
+ *
+ * XXX Determining when it is safe to reuse a cache is
+ * tricky. When the view's configuration changes, the cached
+ * data may become invalid because it reflects our old
+ * view of the world. As more view attributes become
+ * configurable, we will have to add code here to check
+ * whether they have changed in ways that could
+ * invalidate the cache.
+ */
+ result = dns_viewlist_find(&ns_g_server->viewlist,
+ view->name, view->rdclass,
+ &pview);
+ if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (pview != NULL) {
+ INSIST(pview->cache != NULL);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
+ "reusing existing cache");
+ reused_cache = ISC_TRUE;
+ dns_cache_attach(pview->cache, &cache);
+ dns_view_detach(&pview);
+ } else {
+ CHECK(isc_mem_create(0, 0, &cmctx));
+ CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
+ view->rdclass, "rbt", 0, NULL, &cache));
+ }
+ dns_view_setcache(view, cache);
+
+ /*
+ * cache-file cannot be inherited if views are present, but this
+ * should be caught by the configuration checking stage.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "cache-file", &obj);
+ if (result == ISC_R_SUCCESS && strcmp(view->name, "_bind") != 0) {
+ CHECK(dns_cache_setfilename(cache, cfg_obj_asstring(obj)));
+ if (!reused_cache)
+ CHECK(dns_cache_load(cache));
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "cleaning-interval", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_cache_setcleaninginterval(cache, cfg_obj_asuint32(obj) * 60);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-cache-size", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_isstring(obj)) {
+ str = cfg_obj_asstring(obj);
+ INSIST(strcasecmp(str, "unlimited") == 0);
+ max_cache_size = ISC_UINT32_MAX;
+ } else {
+ isc_resourcevalue_t value;
+ value = cfg_obj_asuint64(obj);
+ if (value > ISC_UINT32_MAX) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "'max-cache-size "
+ "%" ISC_PRINT_QUADFORMAT "d' is too large",
+ value);
+ result = ISC_R_RANGE;
+ goto cleanup;
+ }
+ max_cache_size = (isc_uint32_t)value;
+ }
+ dns_cache_setcachesize(cache, max_cache_size);
+
+ dns_cache_detach(&cache);
+
+ /*
+ * Check-names.
+ */
+ obj = NULL;
+ result = ns_checknames_get(maps, "response", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "fail") == 0) {
+ check = DNS_RESOLVER_CHECKNAMES |
+ DNS_RESOLVER_CHECKNAMESFAIL;
+ view->checknames = ISC_TRUE;
+ } else if (strcasecmp(str, "warn") == 0) {
+ check = DNS_RESOLVER_CHECKNAMES;
+ view->checknames = ISC_FALSE;
+ } else if (strcasecmp(str, "ignore") == 0) {
+ check = 0;
+ view->checknames = ISC_FALSE;
+ } else
+ INSIST(0);
+
+ /*
+ * Resolver.
+ *
+ * XXXRTH Hardwired number of tasks.
+ */
+ CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4));
+ CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6));
+ if (dispatch4 == NULL && dispatch6 == NULL) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "unable to obtain neither an IPv4 nor"
+ " an IPv6 dispatch");
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+ CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
+ ns_g_socketmgr, ns_g_timermgr,
+ check, ns_g_dispatchmgr,
+ dispatch4, dispatch6));
+
+ /*
+ * Set the ADB cache size to 1/8th of the max-cache-size.
+ */
+ max_adb_size = 0;
+ if (max_cache_size != 0) {
+ max_adb_size = max_cache_size / 8;
+ if (max_adb_size == 0)
+ max_adb_size = 1; /* Force minimum. */
+ }
+ dns_adb_setadbsize(view->adb, max_adb_size);
+
+ /*
+ * Set resolver's lame-ttl.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "lame-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ lame_ttl = cfg_obj_asuint32(obj);
+ if (lame_ttl > 1800)
+ lame_ttl = 1800;
+ dns_resolver_setlamettl(view->resolver, lame_ttl);
+
+ /*
+ * Set the resolver's EDNS UDP size.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "edns-udp-size", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ udpsize = cfg_obj_asuint32(obj);
+ if (udpsize < 512)
+ udpsize = 512;
+ if (udpsize > 4096)
+ udpsize = 4096;
+ dns_resolver_setudpsize(view->resolver, (isc_uint16_t)udpsize);
+
+ /*
+ * Set supported DNSSEC algorithms.
+ */
+ dns_resolver_reset_algorithms(view->resolver);
+ disabled = NULL;
+ (void)ns_config_get(maps, "disable-algorithms", &disabled);
+ if (disabled != NULL) {
+ for (element = cfg_list_first(disabled);
+ element != NULL;
+ element = cfg_list_next(element))
+ CHECK(disable_algorithms(cfg_listelt_value(element),
+ view->resolver));
+ }
+
+ /*
+ * A global or view "forwarders" option, if present,
+ * creates an entry for "." in the forwarding table.
+ */
+ forwardtype = NULL;
+ forwarders = NULL;
+ (void)ns_config_get(maps, "forward", &forwardtype);
+ (void)ns_config_get(maps, "forwarders", &forwarders);
+ if (forwarders != NULL)
+ CHECK(configure_forward(config, view, dns_rootname,
+ forwarders, forwardtype));
+
+ /*
+ * Dual Stack Servers.
+ */
+ alternates = NULL;
+ (void)ns_config_get(maps, "dual-stack-servers", &alternates);
+ if (alternates != NULL)
+ CHECK(configure_alternates(config, view, alternates));
+
+ /*
+ * We have default hints for class IN if we need them.
+ */
+ if (view->rdclass == dns_rdataclass_in && view->hints == NULL)
+ dns_view_sethints(view, ns_g_server->in_roothints);
+
+ /*
+ * If we still have no hints, this is a non-IN view with no
+ * "hints zone" configured. Issue a warning, except if this
+ * is a root server. Root servers never need to consult
+ * their hints, so it's no point requiring users to configure
+ * them.
+ */
+ if (view->hints == NULL) {
+ dns_zone_t *rootzone = NULL;
+ (void)dns_view_findzone(view, dns_rootname, &rootzone);
+ if (rootzone != NULL) {
+ dns_zone_detach(&rootzone);
+ need_hints = ISC_FALSE;
+ }
+ if (need_hints)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "no root hints for view '%s'",
+ view->name);
+ }
+
+ /*
+ * Configure the view's TSIG keys.
+ */
+ ring = NULL;
+ CHECK(ns_tsigkeyring_fromconfig(config, vconfig, view->mctx, &ring));
+ dns_view_setkeyring(view, ring);
+
+ /*
+ * Configure the view's peer list.
+ */
+ {
+ cfg_obj_t *peers = NULL;
+ cfg_listelt_t *element;
+ dns_peerlist_t *newpeers = NULL;
+
+ (void)ns_config_get(cfgmaps, "server", &peers);
+ CHECK(dns_peerlist_new(mctx, &newpeers));
+ for (element = cfg_list_first(peers);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *cpeer = cfg_listelt_value(element);
+ dns_peer_t *peer;
+
+ CHECK(configure_peer(cpeer, mctx, &peer));
+ dns_peerlist_addpeer(newpeers, peer);
+ dns_peer_detach(&peer);
+ }
+ dns_peerlist_detach(&view->peers);
+ view->peers = newpeers; /* Transfer ownership. */
+ }
+
+ /*
+ * Configure the views rrset-order.
+ */
+ {
+ cfg_obj_t *rrsetorder = NULL;
+ cfg_listelt_t *element;
+
+ (void)ns_config_get(maps, "rrset-order", &rrsetorder);
+ CHECK(dns_order_create(mctx, &order));
+ for (element = cfg_list_first(rrsetorder);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *ent = cfg_listelt_value(element);
+
+ CHECK(configure_order(order, ent));
+ }
+ if (view->order != NULL)
+ dns_order_detach(&view->order);
+ dns_order_attach(order, &view->order);
+ dns_order_detach(&order);
+ }
+ /*
+ * Copy the aclenv object.
+ */
+ dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
+
+ /*
+ * Configure the "match-clients" and "match-destinations" ACL.
+ */
+ CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
+ ns_g_mctx, &view->matchclients));
+ CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
+ ns_g_mctx, &view->matchdestinations));
+
+ /*
+ * Configure the "match-recursive-only" option.
+ */
+ obj = NULL;
+ (void) ns_config_get(maps, "match-recursive-only", &obj);
+ if (obj != NULL && cfg_obj_asboolean(obj))
+ view->matchrecursiveonly = ISC_TRUE;
+ else
+ view->matchrecursiveonly = ISC_FALSE;
+
+ /*
+ * Configure other configurable data.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "recursion", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->recursion = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "auth-nxdomain", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->auth_nxdomain = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "minimal-responses", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->minimalresponses = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "transfer-format", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "many-answers") == 0)
+ view->transfer_format = dns_many_answers;
+ else if (strcasecmp(str, "one-answer") == 0)
+ view->transfer_format = dns_one_answer;
+ else
+ INSIST(0);
+
+ /*
+ * Set sources where additional data and CNAME/DNAME
+ * targets for authoritative answers may be found.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "additional-from-auth", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->additionalfromauth = cfg_obj_asboolean(obj);
+ if (view->recursion && ! view->additionalfromauth) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+ "'additional-from-auth no' is only supported "
+ "with 'recursion no'");
+ view->additionalfromauth = ISC_TRUE;
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "additional-from-cache", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->additionalfromcache = cfg_obj_asboolean(obj);
+ if (view->recursion && ! view->additionalfromcache) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+ "'additional-from-cache no' is only supported "
+ "with 'recursion no'");
+ view->additionalfromcache = ISC_TRUE;
+ }
+
+ CHECK(configure_view_acl(vconfig, config, "allow-query",
+ actx, ns_g_mctx, &view->queryacl));
+
+ if (strcmp(view->name, "_bind") != 0)
+ CHECK(configure_view_acl(vconfig, config, "allow-recursion",
+ actx, ns_g_mctx, &view->recursionacl));
+
+ /*
+ * Warning if both "recursion no;" and allow-recursion are active
+ * except for "allow-recursion { none; };".
+ */
+ if (!view->recursion && view->recursionacl != NULL &&
+ (view->recursionacl->length != 1 ||
+ view->recursionacl->elements[0].type != dns_aclelementtype_any ||
+ view->recursionacl->elements[0].negative != ISC_TRUE)) {
+ const char *forview = " for view ";
+ const char *viewname = view->name;
+
+ if (!strcmp(view->name, "_bind") ||
+ !strcmp(view->name, "_default")) {
+ forview = "";
+ viewname = "";
+ }
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "both \"recursion no;\" and \"allow-recursion\" "
+ "active%s%s", forview, viewname);
+ }
+
+ CHECK(configure_view_acl(vconfig, config, "sortlist",
+ actx, ns_g_mctx, &view->sortlist));
+
+ obj = NULL;
+ result = ns_config_get(maps, "request-ixfr", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->requestixfr = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "provide-ixfr", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->provideixfr = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-enable", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->enablednssec = cfg_obj_asboolean(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-lookaside", &obj);
+ if (result == ISC_R_SUCCESS) {
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ const char *str;
+ isc_buffer_t b;
+ dns_name_t *dlv;
+
+ obj = cfg_listelt_value(element);
+#if 0
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+
+ /*
+ * When we support multiple dnssec-lookaside
+ * entries this is how to find the domain to be
+ * checked. XXXMPA
+ */
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ str = cfg_obj_asstring(cfg_tuple_get(obj,
+ "domain"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname,
+ ISC_TRUE, NULL));
+#endif
+ str = cfg_obj_asstring(cfg_tuple_get(obj,
+ "trust-anchor"));
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ dlv = dns_fixedname_name(&view->dlv_fixed);
+ CHECK(dns_name_fromtext(dlv, &b, dns_rootname,
+ ISC_TRUE, NULL));
+ view->dlv = dns_fixedname_name(&view->dlv_fixed);
+ }
+ } else
+ view->dlv = NULL;
+
+ /*
+ * For now, there is only one kind of trusted keys, the
+ * "security roots".
+ */
+ if (view->enablednssec) {
+ CHECK(configure_view_dnsseckeys(vconfig, config, mctx,
+ &view->secroots));
+ dns_resolver_resetmustbesecure(view->resolver);
+ obj = NULL;
+ result = ns_config_get(maps, "dnssec-must-be-secure", &obj);
+ if (result == ISC_R_SUCCESS)
+ CHECK(mustbesecure(obj, view->resolver));
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-cache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxcachettl = cfg_obj_asuint32(obj);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-ncache-ttl", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ view->maxncachettl = cfg_obj_asuint32(obj);
+ if (view->maxncachettl > 7 * 24 * 3600)
+ view->maxncachettl = 7 * 24 * 3600;
+
+ obj = NULL;
+ result = ns_config_get(maps, "preferred-glue", &obj);
+ if (result == ISC_R_SUCCESS) {
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "a") == 0)
+ view->preferred_glue = dns_rdatatype_a;
+ else if (strcasecmp(str, "aaaa") == 0)
+ view->preferred_glue = dns_rdatatype_aaaa;
+ else
+ view->preferred_glue = 0;
+ } else
+ view->preferred_glue = 0;
+
+ obj = NULL;
+ result = ns_config_get(maps, "root-delegation-only", &obj);
+ if (result == ISC_R_SUCCESS) {
+ dns_view_setrootdelonly(view, ISC_TRUE);
+ if (!cfg_obj_isvoid(obj)) {
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t b;
+ char *str;
+ cfg_obj_t *exclude;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ exclude = cfg_listelt_value(element);
+ str = cfg_obj_asstring(exclude);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ CHECK(dns_name_fromtext(name, &b, dns_rootname,
+ ISC_FALSE, NULL));
+ CHECK(dns_view_excludedelegationonly(view,
+ name));
+ }
+ }
+ } else
+ dns_view_setrootdelonly(view, ISC_FALSE);
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (dispatch4 != NULL)
+ dns_dispatch_detach(&dispatch4);
+ if (dispatch6 != NULL)
+ dns_dispatch_detach(&dispatch6);
+ if (order != NULL)
+ dns_order_detach(&order);
+ if (cmctx != NULL)
+ isc_mem_detach(&cmctx);
+
+ if (cache != NULL)
+ dns_cache_detach(&cache);
+
+ return (result);
+}
+
+static isc_result_t
+configure_hints(dns_view_t *view, const char *filename) {
+ isc_result_t result;
+ dns_db_t *db;
+
+ db = NULL;
+ result = dns_rootns_create(view->mctx, view->rdclass, filename, &db);
+ if (result == ISC_R_SUCCESS) {
+ dns_view_sethints(view, db);
+ dns_db_detach(&db);
+ }
+
+ return (result);
+}
+
+static isc_result_t
+configure_alternates(cfg_obj_t *config, dns_view_t *view,
+ cfg_obj_t *alternates)
+{
+ cfg_obj_t *portobj;
+ cfg_obj_t *addresses;
+ cfg_listelt_t *element;
+ isc_result_t result = ISC_R_SUCCESS;
+ in_port_t port;
+
+ /*
+ * Determine which port to send requests to.
+ */
+ if (ns_g_lwresdonly && ns_g_port != 0)
+ port = ns_g_port;
+ else
+ CHECKM(ns_config_getport(config, &port), "port");
+
+ if (alternates != NULL) {
+ portobj = cfg_tuple_get(alternates, "port");
+ if (cfg_obj_isuint32(portobj)) {
+ isc_uint32_t val = cfg_obj_asuint32(portobj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ return (ISC_R_RANGE);
+ }
+ port = (in_port_t) val;
+ }
+ }
+
+ addresses = NULL;
+ if (alternates != NULL)
+ addresses = cfg_tuple_get(alternates, "addresses");
+
+ for (element = cfg_list_first(addresses);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *alternate = cfg_listelt_value(element);
+ isc_sockaddr_t sa;
+
+ if (!cfg_obj_issockaddr(alternate)) {
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ char *str = cfg_obj_asstring(cfg_tuple_get(alternate,
+ "name"));
+ isc_buffer_t buffer;
+ in_port_t myport = port;
+
+ isc_buffer_init(&buffer, str, strlen(str));
+ isc_buffer_add(&buffer, strlen(str));
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ CHECK(dns_name_fromtext(name, &buffer, dns_rootname,
+ ISC_FALSE, NULL));
+
+ portobj = cfg_tuple_get(alternate, "port");
+ if (cfg_obj_isuint32(portobj)) {
+ isc_uint32_t val = cfg_obj_asuint32(portobj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx,
+ ISC_LOG_ERROR,
+ "port '%u' out of range",
+ val);
+ return (ISC_R_RANGE);
+ }
+ myport = (in_port_t) val;
+ }
+ CHECK(dns_resolver_addalternate(view->resolver, NULL,
+ name, myport));
+ continue;
+ }
+
+ sa = *cfg_obj_assockaddr(alternate);
+ if (isc_sockaddr_getport(&sa) == 0)
+ isc_sockaddr_setport(&sa, port);
+ CHECK(dns_resolver_addalternate(view->resolver, &sa,
+ NULL, 0));
+ }
+
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+configure_forward(cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
+ cfg_obj_t *forwarders, cfg_obj_t *forwardtype)
+{
+ cfg_obj_t *portobj;
+ cfg_obj_t *faddresses;
+ cfg_listelt_t *element;
+ dns_fwdpolicy_t fwdpolicy = dns_fwdpolicy_none;
+ isc_sockaddrlist_t addresses;
+ isc_sockaddr_t *sa;
+ isc_result_t result;
+ in_port_t port;
+
+ /*
+ * Determine which port to send forwarded requests to.
+ */
+ if (ns_g_lwresdonly && ns_g_port != 0)
+ port = ns_g_port;
+ else
+ CHECKM(ns_config_getport(config, &port), "port");
+
+ if (forwarders != NULL) {
+ portobj = cfg_tuple_get(forwarders, "port");
+ if (cfg_obj_isuint32(portobj)) {
+ isc_uint32_t val = cfg_obj_asuint32(portobj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ return (ISC_R_RANGE);
+ }
+ port = (in_port_t) val;
+ }
+ }
+
+ faddresses = NULL;
+ if (forwarders != NULL)
+ faddresses = cfg_tuple_get(forwarders, "addresses");
+
+ ISC_LIST_INIT(addresses);
+
+ for (element = cfg_list_first(faddresses);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *forwarder = cfg_listelt_value(element);
+ sa = isc_mem_get(view->mctx, sizeof(isc_sockaddr_t));
+ if (sa == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ *sa = *cfg_obj_assockaddr(forwarder);
+ if (isc_sockaddr_getport(sa) == 0)
+ isc_sockaddr_setport(sa, port);
+ ISC_LINK_INIT(sa, link);
+ ISC_LIST_APPEND(addresses, sa, link);
+ }
+
+ if (ISC_LIST_EMPTY(addresses)) {
+ if (forwardtype != NULL)
+ cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
+ "no forwarders seen; disabling "
+ "forwarding");
+ fwdpolicy = dns_fwdpolicy_none;
+ } else {
+ if (forwardtype == NULL)
+ fwdpolicy = dns_fwdpolicy_first;
+ else {
+ char *forwardstr = cfg_obj_asstring(forwardtype);
+ if (strcasecmp(forwardstr, "first") == 0)
+ fwdpolicy = dns_fwdpolicy_first;
+ else if (strcasecmp(forwardstr, "only") == 0)
+ fwdpolicy = dns_fwdpolicy_only;
+ else
+ INSIST(0);
+ }
+ }
+
+ result = dns_fwdtable_add(view->fwdtable, origin, &addresses,
+ fwdpolicy);
+ if (result != ISC_R_SUCCESS) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(origin, namebuf, sizeof(namebuf));
+ cfg_obj_log(forwarders, ns_g_lctx, ISC_LOG_WARNING,
+ "could not set up forwarding for domain '%s': %s",
+ namebuf, isc_result_totext(result));
+ goto cleanup;
+ }
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+
+ while (!ISC_LIST_EMPTY(addresses)) {
+ sa = ISC_LIST_HEAD(addresses);
+ ISC_LIST_UNLINK(addresses, sa, link);
+ isc_mem_put(view->mctx, sa, sizeof(isc_sockaddr_t));
+ }
+
+ return (result);
+}
+
+/*
+ * Create a new view and add it to the list.
+ *
+ * If 'vconfig' is NULL, create the default view.
+ *
+ * The view created is attached to '*viewp'.
+ */
+static isc_result_t
+create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) {
+ isc_result_t result;
+ const char *viewname;
+ dns_rdataclass_t viewclass;
+ dns_view_t *view = NULL;
+
+ if (vconfig != NULL) {
+ cfg_obj_t *classobj = NULL;
+
+ viewname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name"));
+ classobj = cfg_tuple_get(vconfig, "class");
+ result = ns_config_getclass(classobj, dns_rdataclass_in,
+ &viewclass);
+ } else {
+ viewname = "_default";
+ viewclass = dns_rdataclass_in;
+ }
+ result = dns_viewlist_find(viewlist, viewname, viewclass, &view);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_R_EXISTS);
+ if (result != ISC_R_NOTFOUND)
+ return (result);
+ INSIST(view == NULL);
+
+ result = dns_view_create(ns_g_mctx, viewclass, viewname, &view);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ ISC_LIST_APPEND(*viewlist, view, link);
+ dns_view_attach(view, viewp);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Configure or reconfigure a zone.
+ */
+static isc_result_t
+configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig,
+ isc_mem_t *mctx, dns_view_t *view,
+ ns_aclconfctx_t *aclconf)
+{
+ dns_view_t *pview = NULL; /* Production view */
+ dns_zone_t *zone = NULL; /* New or reused zone */
+ dns_zone_t *dupzone = NULL;
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *zoptions = NULL;
+ cfg_obj_t *typeobj = NULL;
+ cfg_obj_t *forwarders = NULL;
+ cfg_obj_t *forwardtype = NULL;
+ cfg_obj_t *only = NULL;
+ isc_result_t result;
+ isc_result_t tresult;
+ isc_buffer_t buffer;
+ dns_fixedname_t fixorigin;
+ dns_name_t *origin;
+ const char *zname;
+ dns_rdataclass_t zclass;
+ const char *ztypestr;
+
+ options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+
+ zoptions = cfg_tuple_get(zconfig, "options");
+
+ /*
+ * Get the zone origin as a dns_name_t.
+ */
+ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+ isc_buffer_init(&buffer, zname, strlen(zname));
+ isc_buffer_add(&buffer, strlen(zname));
+ dns_fixedname_init(&fixorigin);
+ CHECK(dns_name_fromtext(dns_fixedname_name(&fixorigin),
+ &buffer, dns_rootname, ISC_FALSE, NULL));
+ origin = dns_fixedname_name(&fixorigin);
+
+ CHECK(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
+ view->rdclass, &zclass));
+ if (zclass != view->rdclass) {
+ const char *vname = NULL;
+ if (vconfig != NULL)
+ vname = cfg_obj_asstring(cfg_tuple_get(vconfig,
+ "name"));
+ else
+ vname = "<default view>";
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "zone '%s': wrong class for view '%s'",
+ zname, vname);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ (void)cfg_map_get(zoptions, "type", &typeobj);
+ if (typeobj == NULL) {
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "zone '%s' 'type' not specified", zname);
+ return (ISC_R_FAILURE);
+ }
+ ztypestr = cfg_obj_asstring(typeobj);
+
+ /*
+ * "hints zones" aren't zones. If we've got one,
+ * configure it and return.
+ */
+ if (strcasecmp(ztypestr, "hint") == 0) {
+ cfg_obj_t *fileobj = NULL;
+ if (cfg_map_get(zoptions, "file", &fileobj) != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "zone '%s': 'file' not specified",
+ zname);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ if (dns_name_equal(origin, dns_rootname)) {
+ char *hintsfile = cfg_obj_asstring(fileobj);
+
+ result = configure_hints(view, hintsfile);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "could not configure root hints "
+ "from '%s': %s", hintsfile,
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ /*
+ * Hint zones may also refer to delegation only points.
+ */
+ only = NULL;
+ tresult = cfg_map_get(zoptions, "delegation-only",
+ &only);
+ if (tresult == ISC_R_SUCCESS && cfg_obj_asboolean(only))
+ CHECK(dns_view_adddelegationonly(view, origin));
+ } else {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "ignoring non-root hint zone '%s'",
+ zname);
+ result = ISC_R_SUCCESS;
+ }
+ /* Skip ordinary zone processing. */
+ goto cleanup;
+ }
+
+ /*
+ * "forward zones" aren't zones either. Translate this syntax into
+ * the appropriate selective forwarding configuration and return.
+ */
+ if (strcasecmp(ztypestr, "forward") == 0) {
+ forwardtype = NULL;
+ forwarders = NULL;
+
+ (void)cfg_map_get(zoptions, "forward", &forwardtype);
+ (void)cfg_map_get(zoptions, "forwarders", &forwarders);
+ result = configure_forward(config, view, origin, forwarders,
+ forwardtype);
+ goto cleanup;
+ }
+
+ /*
+ * "delegation-only zones" aren't zones either.
+ */
+ if (strcasecmp(ztypestr, "delegation-only") == 0) {
+ result = dns_view_adddelegationonly(view, origin);
+ goto cleanup;
+ }
+
+ /*
+ * Check for duplicates in the new zone table.
+ */
+ result = dns_view_findzone(view, origin, &dupzone);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We already have this zone!
+ */
+ cfg_obj_log(zconfig, ns_g_lctx, ISC_LOG_ERROR,
+ "zone '%s' already exists", zname);
+ dns_zone_detach(&dupzone);
+ result = ISC_R_EXISTS;
+ goto cleanup;
+ }
+ INSIST(dupzone == NULL);
+
+ /*
+ * See if we can reuse an existing zone. This is
+ * only possible if all of these are true:
+ * - The zone's view exists
+ * - A zone with the right name exists in the view
+ * - The zone is compatible with the config
+ * options (e.g., an existing master zone cannot
+ * be reused if the options specify a slave zone)
+ */
+ result = dns_viewlist_find(&ns_g_server->viewlist,
+ view->name, view->rdclass,
+ &pview);
+ if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (pview != NULL)
+ result = dns_view_findzone(pview, origin, &zone);
+ if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (zone != NULL) {
+ if (! ns_zone_reusable(zone, zconfig))
+ dns_zone_detach(&zone);
+ }
+
+ if (zone != NULL) {
+ /*
+ * We found a reusable zone. Make it use the
+ * new view.
+ */
+ dns_zone_setview(zone, view);
+ } else {
+ /*
+ * We cannot reuse an existing zone, we have
+ * to create a new one.
+ */
+ CHECK(dns_zone_create(&zone, mctx));
+ CHECK(dns_zone_setorigin(zone, origin));
+ dns_zone_setview(zone, view);
+ CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+ }
+
+ /*
+ * If the zone contains a 'forwarders' statement, configure
+ * selective forwarding.
+ */
+ forwarders = NULL;
+ if (cfg_map_get(zoptions, "forwarders", &forwarders) == ISC_R_SUCCESS)
+ {
+ forwardtype = NULL;
+ (void)cfg_map_get(zoptions, "forward", &forwardtype);
+ CHECK(configure_forward(config, view, origin, forwarders,
+ forwardtype));
+ }
+
+ /*
+ * Stub and forward zones may also refer to delegation only points.
+ */
+ only = NULL;
+ if (cfg_map_get(zoptions, "delegation-only", &only) == ISC_R_SUCCESS)
+ {
+ if (cfg_obj_asboolean(only))
+ CHECK(dns_view_adddelegationonly(view, origin));
+ }
+
+ /*
+ * Configure the zone.
+ */
+ CHECK(ns_zone_configure(config, vconfig, zconfig, aclconf, zone));
+
+ /*
+ * Add the zone to its view in the new view list.
+ */
+ CHECK(dns_view_addzone(view, zone));
+
+ cleanup:
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ if (pview != NULL)
+ dns_view_detach(&pview);
+
+ return (result);
+}
+
+/*
+ * Configure a single server quota.
+ */
+static void
+configure_server_quota(cfg_obj_t **maps, const char *name, isc_quota_t *quota)
+{
+ cfg_obj_t *obj = NULL;
+ isc_result_t result;
+
+ result = ns_config_get(maps, name, &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ quota->max = cfg_obj_asuint32(obj);
+}
+
+/*
+ * This function is called as soon as the 'directory' statement has been
+ * parsed. This can be extended to support other options if necessary.
+ */
+static isc_result_t
+directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {
+ isc_result_t result;
+ char *directory;
+
+ REQUIRE(strcasecmp("directory", clausename) == 0);
+
+ UNUSED(arg);
+ UNUSED(clausename);
+
+ /*
+ * Change directory.
+ */
+ directory = cfg_obj_asstring(obj);
+
+ if (! isc_file_ischdiridempotent(directory))
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_WARNING,
+ "option 'directory' contains relative path '%s'",
+ directory);
+
+ result = isc_dir_chdir(directory);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "change directory to '%s' failed: %s",
+ directory, isc_result_totext(result));
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
+ isc_boolean_t match_mapped = server->aclenv.match_mapped;
+
+ ns_interfacemgr_scan(server->interfacemgr, verbose);
+ /*
+ * Update the "localhost" and "localnets" ACLs to match the
+ * current set of network interfaces.
+ */
+ dns_aclenv_copy(&server->aclenv,
+ ns_interfacemgr_getaclenv(server->interfacemgr));
+
+ server->aclenv.match_mapped = match_mapped;
+}
+
+static isc_result_t
+add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr) {
+ ns_listenelt_t *lelt = NULL;
+ dns_acl_t *src_acl = NULL;
+ dns_aclelement_t aelt;
+ isc_result_t result;
+ isc_sockaddr_t any_sa6;
+
+ REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
+
+ isc_sockaddr_any6(&any_sa6);
+ if (!isc_sockaddr_equal(&any_sa6, addr)) {
+ aelt.type = dns_aclelementtype_ipprefix;
+ aelt.negative = ISC_FALSE;
+ aelt.u.ip_prefix.prefixlen = 128;
+ isc_netaddr_fromin6(&aelt.u.ip_prefix.address,
+ &addr->type.sin6.sin6_addr);
+
+ result = dns_acl_create(mctx, 1, &src_acl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_acl_appendelement(src_acl, &aelt);
+ if (result != ISC_R_SUCCESS)
+ goto clean;
+
+ result = ns_listenelt_create(mctx, isc_sockaddr_getport(addr),
+ src_acl, &lelt);
+ if (result != ISC_R_SUCCESS)
+ goto clean;
+ ISC_LIST_APPEND(list->elts, lelt, link);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ clean:
+ INSIST(lelt == NULL);
+ if (src_acl != NULL)
+ dns_acl_detach(&src_acl);
+
+ return (result);
+}
+
+/*
+ * Make a list of xxx-source addresses and call ns_interfacemgr_adjust()
+ * to update the listening interfaces accordingly.
+ * We currently only consider IPv6, because this only affects IPv6 wildcard
+ * sockets.
+ */
+static void
+adjust_interfaces(ns_server_t *server, isc_mem_t *mctx) {
+ isc_result_t result;
+ ns_listenlist_t *list = NULL;
+ dns_view_t *view;
+ dns_zone_t *zone, *next;
+ isc_sockaddr_t addr, *addrp;
+
+ result = ns_listenlist_create(mctx, &list);
+ if (result != ISC_R_SUCCESS)
+ return;
+
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ dns_dispatch_t *dispatch6;
+
+ dispatch6 = dns_resolver_dispatchv6(view->resolver);
+ INSIST(dispatch6 != NULL);
+ result = dns_dispatch_getlocaladdress(dispatch6, &addr);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ result = add_listenelt(mctx, list, &addr);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+
+ zone = NULL;
+ for (result = dns_zone_first(server->zonemgr, &zone);
+ result == ISC_R_SUCCESS;
+ next = NULL, result = dns_zone_next(zone, &next), zone = next) {
+ dns_view_t *zoneview;
+
+ /*
+ * At this point the zone list may contain a stale zone
+ * just removed from the configuration. To see the validity,
+ * check if the corresponding view is in our current view list.
+ */
+ zoneview = dns_zone_getview(zone);
+ INSIST(zoneview != NULL);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL && view != zoneview;
+ view = ISC_LIST_NEXT(view, link))
+ ;
+ if (view == NULL)
+ continue;
+
+ addrp = dns_zone_getnotifysrc6(zone);
+ result = add_listenelt(mctx, list, addrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ addrp = dns_zone_getxfrsource6(zone);
+ result = add_listenelt(mctx, list, addrp);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+
+ ns_interfacemgr_adjust(server->interfacemgr, list, ISC_TRUE);
+
+ clean:
+ ns_listenlist_detach(&list);
+ return;
+
+ fail:
+ /*
+ * Even when we failed the procedure, most of other interfaces
+ * should work correctly. We therefore just warn it.
+ */
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "could not adjust the listen-on list; "
+ "some interfaces may not work");
+ goto clean;
+}
+
+/*
+ * This event callback is invoked to do periodic network
+ * interface scanning.
+ */
+static void
+interface_timer_tick(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ ns_server_t *server = (ns_server_t *) event->ev_arg;
+ INSIST(task == server->task);
+ UNUSED(task);
+ isc_event_free(&event);
+ /*
+ * XXX should scan interfaces unlocked and get exclusive access
+ * only to replace ACLs.
+ */
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ scan_interfaces(server, ISC_FALSE);
+ isc_task_endexclusive(server->task);
+}
+
+static void
+heartbeat_timer_tick(isc_task_t *task, isc_event_t *event) {
+ ns_server_t *server = (ns_server_t *) event->ev_arg;
+ dns_view_t *view;
+
+ UNUSED(task);
+ isc_event_free(&event);
+ view = ISC_LIST_HEAD(server->viewlist);
+ while (view != NULL) {
+ dns_view_dialup(view);
+ view = ISC_LIST_NEXT(view, link);
+ }
+}
+
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with a dynamically allocated copy of the
+ * null-terminated string pointed to by 'value', or NULL.
+ */
+static isc_result_t
+setstring(ns_server_t *server, char **field, const char *value) {
+ char *copy;
+
+ if (value != NULL) {
+ copy = isc_mem_strdup(server->mctx, value);
+ if (copy == NULL)
+ return (ISC_R_NOMEMORY);
+ } else {
+ copy = NULL;
+ }
+
+ if (*field != NULL)
+ isc_mem_free(server->mctx, *field);
+
+ *field = copy;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Replace the current value of '*field', a dynamically allocated
+ * string or NULL, with another dynamically allocated string
+ * or NULL if whether 'obj' is a string or void value, respectively.
+ */
+static isc_result_t
+setoptstring(ns_server_t *server, char **field, cfg_obj_t *obj) {
+ if (cfg_obj_isvoid(obj))
+ return (setstring(server, field, NULL));
+ else
+ return (setstring(server, field, cfg_obj_asstring(obj)));
+}
+
+static void
+set_limit(cfg_obj_t **maps, const char *configname, const char *description,
+ isc_resource_t resourceid, isc_resourcevalue_t defaultvalue)
+{
+ cfg_obj_t *obj = NULL;
+ char *resource;
+ isc_resourcevalue_t value;
+ isc_result_t result;
+
+ if (ns_config_get(maps, configname, &obj) != ISC_R_SUCCESS)
+ return;
+
+ if (cfg_obj_isstring(obj)) {
+ resource = cfg_obj_asstring(obj);
+ if (strcasecmp(resource, "unlimited") == 0)
+ value = ISC_RESOURCE_UNLIMITED;
+ else {
+ INSIST(strcasecmp(resource, "default") == 0);
+ value = defaultvalue;
+ }
+ } else
+ value = cfg_obj_asuint64(obj);
+
+ result = isc_resource_setlimit(resourceid, value);
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ result == ISC_R_SUCCESS ?
+ ISC_LOG_DEBUG(3) : ISC_LOG_WARNING,
+ "set maximum %s to %" ISC_PRINT_QUADFORMAT "d: %s",
+ description, value, isc_result_totext(result));
+}
+
+#define SETLIMIT(cfgvar, resource, description) \
+ set_limit(maps, cfgvar, description, isc_resource_ ## resource, \
+ ns_g_init ## resource)
+
+static void
+set_limits(cfg_obj_t **maps) {
+ SETLIMIT("stacksize", stacksize, "stack size");
+ SETLIMIT("datasize", datasize, "data size");
+ SETLIMIT("coresize", coresize, "core size");
+ SETLIMIT("files", openfiles, "open files");
+}
+
+static isc_result_t
+portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
+ cfg_obj_t *ports)
+{
+ cfg_listelt_t *element;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ for (element = cfg_list_first(ports);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ cfg_obj_t *obj = cfg_listelt_value(element);
+ in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
+
+ result = dns_portlist_add(portlist, family, port);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ return (result);
+}
+
+static isc_result_t
+load_configuration(const char *filename, ns_server_t *server,
+ isc_boolean_t first_time)
+{
+ isc_result_t result;
+ cfg_parser_t *parser = NULL;
+ cfg_obj_t *config;
+ cfg_obj_t *options;
+ cfg_obj_t *views;
+ cfg_obj_t *obj;
+ cfg_obj_t *v4ports, *v6ports;
+ cfg_obj_t *maps[3];
+ cfg_obj_t *builtin_views;
+ cfg_listelt_t *element;
+ dns_view_t *view = NULL;
+ dns_view_t *view_next;
+ dns_viewlist_t viewlist;
+ dns_viewlist_t tmpviewlist;
+ ns_aclconfctx_t aclconfctx;
+ isc_uint32_t interface_interval;
+ isc_uint32_t heartbeat_interval;
+ isc_uint32_t udpsize;
+ in_port_t listen_port;
+ int i;
+
+ ns_aclconfctx_init(&aclconfctx);
+ ISC_LIST_INIT(viewlist);
+
+ /* Ensure exclusive access to configuration data. */
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * Parse the global default pseudo-config file.
+ */
+ if (first_time) {
+ CHECK(ns_config_parsedefaults(ns_g_parser, &ns_g_config));
+ RUNTIME_CHECK(cfg_map_get(ns_g_config, "options",
+ &ns_g_defaults) ==
+ ISC_R_SUCCESS);
+ }
+
+ /*
+ * Parse the configuration file using the new config code.
+ */
+ result = ISC_R_FAILURE;
+ config = NULL;
+
+ /*
+ * Unless this is lwresd with the -C option, parse the config file.
+ */
+ if (!(ns_g_lwresdonly && lwresd_g_useresolvconf)) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "loading configuration from '%s'",
+ filename);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
+ cfg_parser_setcallback(parser, directory_callback, NULL);
+ result = cfg_parse_file(parser, filename, &cfg_type_namedconf,
+ &config);
+ }
+
+ /*
+ * If this is lwresd with the -C option, or lwresd with no -C or -c
+ * option where the above parsing failed, parse resolv.conf.
+ */
+ if (ns_g_lwresdonly &&
+ (lwresd_g_useresolvconf ||
+ (!ns_g_conffileset && result == ISC_R_FILENOTFOUND)))
+ {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "loading configuration from '%s'",
+ lwresd_g_resolvconffile);
+ if (parser != NULL)
+ cfg_parser_destroy(&parser);
+ CHECK(cfg_parser_create(ns_g_mctx, ns_g_lctx, &parser));
+ result = ns_lwresd_parseeresolvconf(ns_g_mctx, parser,
+ &config);
+ }
+ CHECK(result);
+
+ /*
+ * Check the validity of the configuration.
+ */
+ CHECK(bind9_check_namedconf(config, ns_g_lctx, ns_g_mctx));
+
+ /*
+ * Fill in the maps array, used for resolving defaults.
+ */
+ i = 0;
+ options = NULL;
+ result = cfg_map_get(config, "options", &options);
+ if (result == ISC_R_SUCCESS)
+ maps[i++] = options;
+ maps[i++] = ns_g_defaults;
+ maps[i++] = NULL;
+
+ /*
+ * Set process limits, which (usually) needs to be done as root.
+ */
+ set_limits(maps);
+
+ /*
+ * Configure various server options.
+ */
+ configure_server_quota(maps, "transfers-out", &server->xfroutquota);
+ configure_server_quota(maps, "tcp-clients", &server->tcpquota);
+ configure_server_quota(maps, "recursive-clients",
+ &server->recursionquota);
+
+ CHECK(configure_view_acl(NULL, config, "blackhole", &aclconfctx,
+ ns_g_mctx, &server->blackholeacl));
+ if (server->blackholeacl != NULL)
+ dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
+ server->blackholeacl);
+
+ obj = NULL;
+ result = ns_config_get(maps, "match-mapped-addresses", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ server->aclenv.match_mapped = cfg_obj_asboolean(obj);
+
+ v4ports = NULL;
+ v6ports = NULL;
+ (void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
+ (void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
+ if (v4ports != NULL || v6ports != NULL) {
+ dns_portlist_t *portlist = NULL;
+ result = dns_portlist_create(ns_g_mctx, &portlist);
+ if (result == ISC_R_SUCCESS && v4ports != NULL)
+ result = portlist_fromconf(portlist, AF_INET, v4ports);
+ if (result == ISC_R_SUCCESS && v6ports != NULL)
+ portlist_fromconf(portlist, AF_INET6, v6ports);
+ if (result == ISC_R_SUCCESS)
+ dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
+ if (portlist != NULL)
+ dns_portlist_detach(&portlist);
+ CHECK(result);
+ } else
+ dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
+
+ /*
+ * Set the EDNS UDP size when we don't match a view.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "edns-udp-size", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ udpsize = cfg_obj_asuint32(obj);
+ if (udpsize < 512)
+ udpsize = 512;
+ if (udpsize > 4096)
+ udpsize = 4096;
+ ns_g_udpsize = (isc_uint16_t)udpsize;
+
+ /*
+ * Configure the zone manager.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "transfers-in", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zonemgr_settransfersin(server->zonemgr, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "transfers-per-ns", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zonemgr_settransfersperns(server->zonemgr, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "serial-query-rate", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zonemgr_setserialqueryrate(server->zonemgr, cfg_obj_asuint32(obj));
+
+ /*
+ * Determine which port to use for listening for incoming connections.
+ */
+ if (ns_g_port != 0)
+ listen_port = ns_g_port;
+ else
+ CHECKM(ns_config_getport(config, &listen_port), "port");
+
+ /*
+ * Find the listen queue depth.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "tcp-listen-queue", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ ns_g_listen = cfg_obj_asuint32(obj);
+ if (ns_g_listen < 3)
+ ns_g_listen = 3;
+
+ /*
+ * Configure the interface manager according to the "listen-on"
+ * statement.
+ */
+ {
+ cfg_obj_t *clistenon = NULL;
+ ns_listenlist_t *listenon = NULL;
+
+ clistenon = NULL;
+ /*
+ * Even though listen-on is present in the default
+ * configuration, we can't use it here, since it isn't
+ * used if we're in lwresd mode. This way is easier.
+ */
+ if (options != NULL)
+ (void)cfg_map_get(options, "listen-on", &clistenon);
+ if (clistenon != NULL) {
+ result = ns_listenlist_fromconfig(clistenon,
+ config,
+ &aclconfctx,
+ ns_g_mctx,
+ &listenon);
+ } else if (!ns_g_lwresdonly) {
+ /*
+ * Not specified, use default.
+ */
+ CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
+ ISC_TRUE, &listenon));
+ }
+ if (listenon != NULL) {
+ ns_interfacemgr_setlistenon4(server->interfacemgr,
+ listenon);
+ ns_listenlist_detach(&listenon);
+ }
+ }
+ /*
+ * Ditto for IPv6.
+ */
+ {
+ cfg_obj_t *clistenon = NULL;
+ ns_listenlist_t *listenon = NULL;
+
+ if (options != NULL)
+ (void)cfg_map_get(options, "listen-on-v6", &clistenon);
+ if (clistenon != NULL) {
+ result = ns_listenlist_fromconfig(clistenon,
+ config,
+ &aclconfctx,
+ ns_g_mctx,
+ &listenon);
+ } else if (!ns_g_lwresdonly) {
+ /*
+ * Not specified, use default.
+ */
+ CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
+ ISC_FALSE, &listenon));
+ }
+ if (listenon != NULL) {
+ ns_interfacemgr_setlistenon6(server->interfacemgr,
+ listenon);
+ ns_listenlist_detach(&listenon);
+ }
+ }
+
+ /*
+ * Rescan the interface list to pick up changes in the
+ * listen-on option. It's important that we do this before we try
+ * to configure the query source, since the dispatcher we use might
+ * be shared with an interface.
+ */
+ scan_interfaces(server, ISC_TRUE);
+
+ /*
+ * Arrange for further interface scanning to occur periodically
+ * as specified by the "interface-interval" option.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "interface-interval", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ interface_interval = cfg_obj_asuint32(obj) * 60;
+ if (interface_interval == 0) {
+ CHECK(isc_timer_reset(server->interface_timer,
+ isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE));
+ } else if (server->interface_interval != interface_interval) {
+ isc_interval_t interval;
+ isc_interval_set(&interval, interface_interval, 0);
+ CHECK(isc_timer_reset(server->interface_timer,
+ isc_timertype_ticker,
+ NULL, &interval, ISC_FALSE));
+ }
+ server->interface_interval = interface_interval;
+
+ /*
+ * Configure the dialup heartbeat timer.
+ */
+ obj = NULL;
+ result = ns_config_get(maps, "heartbeat-interval", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ heartbeat_interval = cfg_obj_asuint32(obj) * 60;
+ if (heartbeat_interval == 0) {
+ CHECK(isc_timer_reset(server->heartbeat_timer,
+ isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE));
+ } else if (server->heartbeat_interval != heartbeat_interval) {
+ isc_interval_t interval;
+ isc_interval_set(&interval, heartbeat_interval, 0);
+ CHECK(isc_timer_reset(server->heartbeat_timer,
+ isc_timertype_ticker,
+ NULL, &interval, ISC_FALSE));
+ }
+ server->heartbeat_interval = heartbeat_interval;
+
+ /*
+ * Configure and freeze all explicit views. Explicit
+ * views that have zones were already created at parsing
+ * time, but views with no zones must be created here.
+ */
+ views = NULL;
+ (void)cfg_map_get(config, "view", &views);
+ for (element = cfg_list_first(views);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *vconfig = cfg_listelt_value(element);
+ view = NULL;
+
+ CHECK(create_view(vconfig, &viewlist, &view));
+ INSIST(view != NULL);
+ CHECK(configure_view(view, config, vconfig,
+ ns_g_mctx, &aclconfctx, ISC_TRUE));
+ dns_view_freeze(view);
+ dns_view_detach(&view);
+ }
+
+ /*
+ * Make sure we have a default view if and only if there
+ * were no explicit views.
+ */
+ if (views == NULL) {
+ /*
+ * No explicit views; there ought to be a default view.
+ * There may already be one created as a side effect
+ * of zone statements, or we may have to create one.
+ * In either case, we need to configure and freeze it.
+ */
+ CHECK(create_view(NULL, &viewlist, &view));
+ CHECK(configure_view(view, config, NULL, ns_g_mctx,
+ &aclconfctx, ISC_TRUE));
+ dns_view_freeze(view);
+ dns_view_detach(&view);
+ }
+
+ /*
+ * Create (or recreate) the built-in views. Currently
+ * there is only one, the _bind view.
+ */
+ builtin_views = NULL;
+ RUNTIME_CHECK(cfg_map_get(ns_g_config, "view",
+ &builtin_views) == ISC_R_SUCCESS);
+ for (element = cfg_list_first(builtin_views);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *vconfig = cfg_listelt_value(element);
+ CHECK(create_view(vconfig, &viewlist, &view));
+ CHECK(configure_view(view, config, vconfig, ns_g_mctx,
+ &aclconfctx, ISC_FALSE));
+ dns_view_freeze(view);
+ dns_view_detach(&view);
+ view = NULL;
+ }
+
+ /*
+ * Swap our new view list with the production one.
+ */
+ tmpviewlist = server->viewlist;
+ server->viewlist = viewlist;
+ viewlist = tmpviewlist;
+
+ /*
+ * Load the TKEY information from the configuration.
+ */
+ if (options != NULL) {
+ dns_tkeyctx_t *t = NULL;
+ CHECKM(ns_tkeyctx_fromconfig(options, ns_g_mctx, ns_g_entropy,
+ &t),
+ "configuring TKEY");
+ if (server->tkeyctx != NULL)
+ dns_tkeyctx_destroy(&server->tkeyctx);
+ server->tkeyctx = t;
+ }
+
+ /*
+ * Bind the control port(s).
+ */
+ CHECKM(ns_controls_configure(ns_g_server->controls, config,
+ &aclconfctx),
+ "binding control channel(s)");
+
+ /*
+ * Bind the lwresd port(s).
+ */
+ CHECKM(ns_lwresd_configure(ns_g_mctx, config),
+ "binding lightweight resolver ports");
+
+ /*
+ * Open the source of entropy.
+ */
+ if (first_time) {
+ obj = NULL;
+ result = ns_config_get(maps, "random-device", &obj);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "no source of entropy found");
+ } else {
+ const char *randomdev = cfg_obj_asstring(obj);
+ result = isc_entropy_createfilesource(ns_g_entropy,
+ randomdev);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "could not open entropy source "
+ "%s: %s",
+ randomdev,
+ isc_result_totext(result));
+#ifdef PATH_RANDOMDEV
+ if (ns_g_fallbackentropy != NULL) {
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx,
+ NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "using pre-chroot entropy source "
+ "%s",
+ PATH_RANDOMDEV);
+ isc_entropy_detach(&ns_g_entropy);
+ isc_entropy_attach(ns_g_fallbackentropy,
+ &ns_g_entropy);
+ }
+ isc_entropy_detach(&ns_g_fallbackentropy);
+ }
+#endif
+ }
+ }
+
+ /*
+ * Relinquish root privileges.
+ */
+ if (first_time)
+ ns_os_changeuser();
+
+ /*
+ * Configure the logging system.
+ *
+ * Do this after changing UID to make sure that any log
+ * files specified in named.conf get created by the
+ * unprivileged user, not root.
+ */
+ if (ns_g_logstderr) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "ignoring config file logging "
+ "statement due to -g option");
+ } else {
+ cfg_obj_t *logobj = NULL;
+ isc_logconfig_t *logc = NULL;
+
+ CHECKM(isc_logconfig_create(ns_g_lctx, &logc),
+ "creating new logging configuration");
+
+ logobj = NULL;
+ (void)cfg_map_get(config, "logging", &logobj);
+ if (logobj != NULL) {
+ CHECKM(ns_log_configure(logc, logobj),
+ "configuring logging");
+ } else {
+ CHECKM(ns_log_setdefaultchannels(logc),
+ "setting up default logging channels");
+ CHECKM(ns_log_setunmatchedcategory(logc),
+ "setting up default 'category unmatched'");
+ CHECKM(ns_log_setdefaultcategory(logc),
+ "setting up default 'category default'");
+ }
+
+ result = isc_logconfig_use(ns_g_lctx, logc);
+ if (result != ISC_R_SUCCESS) {
+ isc_logconfig_destroy(&logc);
+ CHECKM(result, "installing logging configuration");
+ }
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+ "now using logging configuration from "
+ "config file");
+ }
+
+ /*
+ * Set the default value of the query logging flag depending
+ * whether a "queries" category has been defined. This is
+ * a disgusting hack, but we need to do this for BIND 8
+ * compatibility.
+ */
+ if (first_time) {
+ cfg_obj_t *logobj = NULL;
+ cfg_obj_t *categories = NULL;
+
+ obj = NULL;
+ if (ns_config_get(maps, "querylog", &obj) == ISC_R_SUCCESS) {
+ server->log_queries = cfg_obj_asboolean(obj);
+ } else {
+
+ (void)cfg_map_get(config, "logging", &logobj);
+ if (logobj != NULL)
+ (void)cfg_map_get(logobj, "category",
+ &categories);
+ if (categories != NULL) {
+ cfg_listelt_t *element;
+ for (element = cfg_list_first(categories);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *catobj;
+ char *str;
+
+ obj = cfg_listelt_value(element);
+ catobj = cfg_tuple_get(obj, "name");
+ str = cfg_obj_asstring(catobj);
+ if (strcasecmp(str, "queries") == 0)
+ server->log_queries = ISC_TRUE;
+ }
+ }
+ }
+ }
+
+ obj = NULL;
+ if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ if (cfg_obj_isvoid(obj))
+ ns_os_writepidfile(NULL, first_time);
+ else
+ ns_os_writepidfile(cfg_obj_asstring(obj), first_time);
+ else if (ns_g_lwresdonly)
+ ns_os_writepidfile(lwresd_g_defaultpidfile, first_time);
+ else
+ ns_os_writepidfile(ns_g_defaultpidfile, first_time);
+
+ obj = NULL;
+ if (options != NULL &&
+ cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
+ ns_main_setmemstats(cfg_obj_asstring(obj));
+ else
+ ns_main_setmemstats(NULL);
+
+ obj = NULL;
+ result = ns_config_get(maps, "statistics-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->statsfile, cfg_obj_asstring(obj)),
+ "strdup");
+
+ obj = NULL;
+ result = ns_config_get(maps, "dump-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->dumpfile, cfg_obj_asstring(obj)),
+ "strdup");
+
+ obj = NULL;
+ result = ns_config_get(maps, "recursing-file", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ CHECKM(setstring(server, &server->recfile, cfg_obj_asstring(obj)),
+ "strdup");
+
+ obj = NULL;
+ result = ns_config_get(maps, "version", &obj);
+ if (result == ISC_R_SUCCESS) {
+ CHECKM(setoptstring(server, &server->version, obj), "strdup");
+ server->version_set = ISC_TRUE;
+ } else {
+ server->version_set = ISC_FALSE;
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "hostname", &obj);
+ if (result == ISC_R_SUCCESS) {
+ CHECKM(setoptstring(server, &server->hostname, obj), "strdup");
+ server->hostname_set = ISC_TRUE;
+ } else {
+ server->hostname_set = ISC_FALSE;
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "server-id", &obj);
+ server->server_usehostname = ISC_FALSE;
+ if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
+ server->server_usehostname = ISC_TRUE;
+ } else if (result == ISC_R_SUCCESS) {
+ CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
+ } else {
+ result = setoptstring(server, &server->server_id, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ obj = NULL;
+ result = ns_config_get(maps, "flush-zones-on-shutdown", &obj);
+ if (result == ISC_R_SUCCESS) {
+ server->flushonshutdown = cfg_obj_asboolean(obj);
+ } else {
+ server->flushonshutdown = ISC_FALSE;
+ }
+
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ ns_aclconfctx_destroy(&aclconfctx);
+
+ if (parser != NULL) {
+ if (config != NULL)
+ cfg_obj_destroy(parser, &config);
+ cfg_parser_destroy(&parser);
+ }
+
+ if (view != NULL)
+ dns_view_detach(&view);
+
+ /*
+ * This cleans up either the old production view list
+ * or our temporary list depending on whether they
+ * were swapped above or not.
+ */
+ for (view = ISC_LIST_HEAD(viewlist);
+ view != NULL;
+ view = view_next) {
+ view_next = ISC_LIST_NEXT(view, link);
+ ISC_LIST_UNLINK(viewlist, view, link);
+ dns_view_detach(&view);
+
+ }
+
+ /*
+ * Adjust the listening interfaces in accordance with the source
+ * addresses specified in views and zones.
+ */
+ if (isc_net_probeipv6() == ISC_R_SUCCESS)
+ adjust_interfaces(server, ns_g_mctx);
+
+ /* Relinquish exclusive access to configuration data. */
+ isc_task_endexclusive(server->task);
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_DEBUG(1), "load_configuration: %s",
+ isc_result_totext(result));
+
+ return (result);
+}
+
+static isc_result_t
+load_zones(ns_server_t *server, isc_boolean_t stop) {
+ isc_result_t result;
+ dns_view_t *view;
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * Load zone data from disk.
+ */
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ CHECK(dns_view_load(view, stop));
+ }
+
+ /*
+ * Force zone maintenance. Do this after loading
+ * so that we know when we need to force AXFR of
+ * slave zones whose master files are missing.
+ */
+ CHECK(dns_zonemgr_forcemaint(server->zonemgr));
+ cleanup:
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
+static isc_result_t
+load_new_zones(ns_server_t *server, isc_boolean_t stop) {
+ isc_result_t result;
+ dns_view_t *view;
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /*
+ * Load zone data from disk.
+ */
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ CHECK(dns_view_loadnew(view, stop));
+ }
+ /*
+ * Force zone maintenance. Do this after loading
+ * so that we know when we need to force AXFR of
+ * slave zones whose master files are missing.
+ */
+ dns_zonemgr_resumexfrs(server->zonemgr);
+ cleanup:
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
+static void
+run_server(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ ns_server_t *server = (ns_server_t *)event->ev_arg;
+
+ UNUSED(task);
+
+ isc_event_free(&event);
+
+ CHECKFATAL(dns_dispatchmgr_create(ns_g_mctx, ns_g_entropy,
+ &ns_g_dispatchmgr),
+ "creating dispatch manager");
+
+ CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
+ ns_g_socketmgr, ns_g_dispatchmgr,
+ &server->interfacemgr),
+ "creating interface manager");
+
+ CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
+ NULL, NULL, server->task,
+ interface_timer_tick,
+ server, &server->interface_timer),
+ "creating interface timer");
+
+ CHECKFATAL(isc_timer_create(ns_g_timermgr, isc_timertype_inactive,
+ NULL, NULL, server->task,
+ heartbeat_timer_tick,
+ server, &server->heartbeat_timer),
+ "creating heartbeat timer");
+
+ CHECKFATAL(cfg_parser_create(ns_g_mctx, NULL, &ns_g_parser),
+ "creating default configuration parser");
+
+ if (ns_g_lwresdonly)
+ CHECKFATAL(load_configuration(lwresd_g_conffile, server,
+ ISC_TRUE),
+ "loading configuration");
+ else
+ CHECKFATAL(load_configuration(ns_g_conffile, server, ISC_TRUE),
+ "loading configuration");
+
+ isc_hash_init();
+
+ CHECKFATAL(load_zones(server, ISC_FALSE),
+ "loading zones");
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "running");
+}
+
+void
+ns_server_flushonshutdown(ns_server_t *server, isc_boolean_t flush) {
+
+ REQUIRE(NS_SERVER_VALID(server));
+
+ server->flushonshutdown = flush;
+}
+
+static void
+shutdown_server(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ dns_view_t *view, *view_next;
+ ns_server_t *server = (ns_server_t *)event->ev_arg;
+ isc_boolean_t flush = server->flushonshutdown;
+
+ UNUSED(task);
+ INSIST(task == server->task);
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_INFO, "shutting down%s",
+ flush ? ": flushing changes" : "");
+
+ ns_controls_shutdown(server->controls);
+ end_reserved_dispatches(server, ISC_TRUE);
+
+ cfg_obj_destroy(ns_g_parser, &ns_g_config);
+ cfg_parser_destroy(&ns_g_parser);
+
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = view_next) {
+ view_next = ISC_LIST_NEXT(view, link);
+ ISC_LIST_UNLINK(server->viewlist, view, link);
+ if (flush)
+ dns_view_flushanddetach(&view);
+ else
+ dns_view_detach(&view);
+ }
+
+ isc_timer_detach(&server->interface_timer);
+ isc_timer_detach(&server->heartbeat_timer);
+
+ ns_interfacemgr_shutdown(server->interfacemgr);
+ ns_interfacemgr_detach(&server->interfacemgr);
+
+ dns_dispatchmgr_destroy(&ns_g_dispatchmgr);
+
+ dns_zonemgr_shutdown(server->zonemgr);
+
+ if (server->blackholeacl != NULL)
+ dns_acl_detach(&server->blackholeacl);
+
+ dns_db_detach(&server->in_roothints);
+
+ isc_task_endexclusive(server->task);
+
+ isc_task_detach(&server->task);
+
+ isc_event_free(&event);
+}
+
+void
+ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
+ isc_result_t result;
+
+ ns_server_t *server = isc_mem_get(mctx, sizeof(*server));
+ if (server == NULL)
+ fatal("allocating server object", ISC_R_NOMEMORY);
+
+ server->mctx = mctx;
+ server->task = NULL;
+
+ /* Initialize configuration data with default values. */
+
+ result = isc_quota_init(&server->xfroutquota, 10);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ result = isc_quota_init(&server->tcpquota, 10);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ result = isc_quota_init(&server->recursionquota, 100);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ isc_quota_soft(&server->recursionquota, ISC_FALSE);
+
+ result = dns_aclenv_init(mctx, &server->aclenv);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ /* Initialize server data structures. */
+ server->zonemgr = NULL;
+ server->interfacemgr = NULL;
+ ISC_LIST_INIT(server->viewlist);
+ server->in_roothints = NULL;
+ server->blackholeacl = NULL;
+
+ CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
+ &server->in_roothints),
+ "setting up root hints");
+
+ CHECKFATAL(isc_mutex_init(&server->reload_event_lock),
+ "initializing reload event lock");
+ server->reload_event =
+ isc_event_allocate(ns_g_mctx, server,
+ NS_EVENT_RELOAD,
+ ns_server_reload,
+ server,
+ sizeof(isc_event_t));
+ CHECKFATAL(server->reload_event == NULL ?
+ ISC_R_NOMEMORY : ISC_R_SUCCESS,
+ "allocating reload event");
+
+ CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
+ "initializing DST");
+
+ server->tkeyctx = NULL;
+ CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy,
+ &server->tkeyctx),
+ "creating TKEY context");
+
+ /*
+ * Setup the server task, which is responsible for coordinating
+ * startup and shutdown of the server.
+ */
+ CHECKFATAL(isc_task_create(ns_g_taskmgr, 0, &server->task),
+ "creating server task");
+ isc_task_setname(server->task, "server", server);
+ CHECKFATAL(isc_task_onshutdown(server->task, shutdown_server, server),
+ "isc_task_onshutdown");
+ CHECKFATAL(isc_app_onrun(ns_g_mctx, server->task, run_server, server),
+ "isc_app_onrun");
+
+ server->interface_timer = NULL;
+ server->heartbeat_timer = NULL;
+
+ server->interface_interval = 0;
+ server->heartbeat_interval = 0;
+
+ CHECKFATAL(dns_zonemgr_create(ns_g_mctx, ns_g_taskmgr, ns_g_timermgr,
+ ns_g_socketmgr, &server->zonemgr),
+ "dns_zonemgr_create");
+
+ server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
+ CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
+ "isc_mem_strdup");
+ server->querystats = NULL;
+
+ server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
+ CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
+ server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
+ CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
+ "isc_mem_strdup");
+
+ server->hostname_set = ISC_FALSE;
+ server->hostname = NULL;
+ server->version_set = ISC_FALSE;
+ server->version = NULL;
+ server->server_usehostname = ISC_FALSE;
+ server->server_id = NULL;
+
+ CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
+ "dns_stats_alloccounters");
+
+ server->flushonshutdown = ISC_FALSE;
+ server->log_queries = ISC_FALSE;
+
+ server->controls = NULL;
+ CHECKFATAL(ns_controls_create(server, &server->controls),
+ "ns_controls_create");
+ server->dispatchgen = 0;
+ ISC_LIST_INIT(server->dispatches);
+
+ server->magic = NS_SERVER_MAGIC;
+ *serverp = server;
+}
+
+void
+ns_server_destroy(ns_server_t **serverp) {
+ ns_server_t *server = *serverp;
+ REQUIRE(NS_SERVER_VALID(server));
+
+ ns_controls_destroy(&server->controls);
+
+ dns_stats_freecounters(server->mctx, &server->querystats);
+
+ isc_mem_free(server->mctx, server->statsfile);
+ isc_mem_free(server->mctx, server->dumpfile);
+ isc_mem_free(server->mctx, server->recfile);
+
+ if (server->version != NULL)
+ isc_mem_free(server->mctx, server->version);
+ if (server->hostname != NULL)
+ isc_mem_free(server->mctx, server->hostname);
+ if (server->server_id != NULL)
+ isc_mem_free(server->mctx, server->server_id);
+
+ dns_zonemgr_detach(&server->zonemgr);
+
+ if (server->tkeyctx != NULL)
+ dns_tkeyctx_destroy(&server->tkeyctx);
+
+ dst_lib_destroy();
+
+ isc_event_free(&server->reload_event);
+
+ INSIST(ISC_LIST_EMPTY(server->viewlist));
+
+ dns_aclenv_destroy(&server->aclenv);
+
+ isc_quota_destroy(&server->recursionquota);
+ isc_quota_destroy(&server->tcpquota);
+ isc_quota_destroy(&server->xfroutquota);
+
+ server->magic = 0;
+ isc_mem_put(server->mctx, server, sizeof(*server));
+ *serverp = NULL;
+}
+
+static void
+fatal(const char *msg, isc_result_t result) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_CRITICAL, "%s: %s", msg,
+ isc_result_totext(result));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER,
+ ISC_LOG_CRITICAL, "exiting (due to fatal error)");
+ exit(1);
+}
+
+static void
+start_reserved_dispatches(ns_server_t *server) {
+
+ REQUIRE(NS_SERVER_VALID(server));
+
+ server->dispatchgen++;
+}
+
+static void
+end_reserved_dispatches(ns_server_t *server, isc_boolean_t all) {
+ ns_dispatch_t *dispatch, *nextdispatch;
+
+ REQUIRE(NS_SERVER_VALID(server));
+
+ for (dispatch = ISC_LIST_HEAD(server->dispatches);
+ dispatch != NULL;
+ dispatch = nextdispatch) {
+ nextdispatch = ISC_LIST_NEXT(dispatch, link);
+ if (!all && server->dispatchgen == dispatch-> dispatchgen)
+ continue;
+ ISC_LIST_UNLINK(server->dispatches, dispatch, link);
+ dns_dispatch_detach(&dispatch->dispatch);
+ isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
+ }
+}
+
+void
+ns_add_reserved_dispatch(ns_server_t *server, isc_sockaddr_t *addr) {
+ ns_dispatch_t *dispatch;
+ in_port_t port;
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ isc_result_t result;
+ unsigned int attrs, attrmask;
+
+ REQUIRE(NS_SERVER_VALID(server));
+
+ port = isc_sockaddr_getport(addr);
+ if (port == 0 || port >= 1024)
+ return;
+
+ for (dispatch = ISC_LIST_HEAD(server->dispatches);
+ dispatch != NULL;
+ dispatch = ISC_LIST_NEXT(dispatch, link)) {
+ if (isc_sockaddr_equal(&dispatch->addr, addr))
+ break;
+ }
+ if (dispatch != NULL) {
+ dispatch->dispatchgen = server->dispatchgen;
+ return;
+ }
+
+ dispatch = isc_mem_get(server->mctx, sizeof(*dispatch));
+ if (dispatch == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ dispatch->addr = *addr;
+ dispatch->dispatchgen = server->dispatchgen;
+ dispatch->dispatch = NULL;
+
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_UDP;
+ switch (isc_sockaddr_pf(addr)) {
+ case AF_INET:
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ break;
+ case AF_INET6:
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup;
+ }
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+
+ result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,
+ ns_g_taskmgr, &dispatch->addr, 4096,
+ 1000, 32768, 16411, 16433,
+ attrs, attrmask, &dispatch->dispatch);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ ISC_LIST_INITANDPREPEND(server->dispatches, dispatch, link);
+
+ return;
+
+ cleanup:
+ if (dispatch != NULL)
+ isc_mem_put(server->mctx, dispatch, sizeof(*dispatch));
+ isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "unable to create dispatch for reserved port %s: %s",
+ addrbuf, isc_result_totext(result));
+}
+
+
+static isc_result_t
+loadconfig(ns_server_t *server) {
+ isc_result_t result;
+ start_reserved_dispatches(server);
+ result = load_configuration(ns_g_lwresdonly ?
+ lwresd_g_conffile : ns_g_conffile,
+ server,
+ ISC_FALSE);
+ if (result == ISC_R_SUCCESS)
+ end_reserved_dispatches(server, ISC_FALSE);
+ else
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "reloading configuration failed: %s",
+ isc_result_totext(result));
+ return (result);
+}
+
+static isc_result_t
+reload(ns_server_t *server) {
+ isc_result_t result;
+ CHECK(loadconfig(server));
+
+ result = load_zones(server, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "reloading zones failed: %s",
+ isc_result_totext(result));
+ }
+ cleanup:
+ return (result);
+}
+
+static void
+reconfig(ns_server_t *server) {
+ isc_result_t result;
+ CHECK(loadconfig(server));
+
+ result = load_new_zones(server, ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+ "loading new zones failed: %s",
+ isc_result_totext(result));
+ }
+ cleanup: ;
+}
+
+/*
+ * Handle a reload event (from SIGHUP).
+ */
+static void
+ns_server_reload(isc_task_t *task, isc_event_t *event) {
+ ns_server_t *server = (ns_server_t *)event->ev_arg;
+
+ INSIST(task = server->task);
+ UNUSED(task);
+
+ (void)reload(server);
+
+ LOCK(&server->reload_event_lock);
+ INSIST(server->reload_event == NULL);
+ server->reload_event = event;
+ UNLOCK(&server->reload_event_lock);
+}
+
+void
+ns_server_reloadwanted(ns_server_t *server) {
+ LOCK(&server->reload_event_lock);
+ if (server->reload_event != NULL)
+ isc_task_send(server->task, &server->reload_event);
+ UNLOCK(&server->reload_event_lock);
+}
+
+static char *
+next_token(char **stringp, const char *delim) {
+ char *res;
+
+ do {
+ res = strsep(stringp, delim);
+ if (res == NULL)
+ break;
+ } while (*res == '\0');
+ return (res);
+}
+
+/*
+ * Find the zone specified in the control channel command 'args',
+ * if any. If a zone is specified, point '*zonep' at it, otherwise
+ * set '*zonep' to NULL.
+ */
+static isc_result_t
+zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
+ char *input, *ptr;
+ const char *zonetxt;
+ char *classtxt;
+ const char *viewtxt = NULL;
+ dns_fixedname_t name;
+ isc_result_t result;
+ isc_buffer_t buf;
+ dns_view_t *view = NULL;
+ dns_rdataclass_t rdclass;
+
+ REQUIRE(zonep != NULL && *zonep == NULL);
+
+ input = args;
+
+ /* Skip the command name. */
+ ptr = next_token(&input, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Look for the zone name. */
+ zonetxt = next_token(&input, " \t");
+ if (zonetxt == NULL)
+ return (ISC_R_SUCCESS);
+
+ /* Look for the optional class name. */
+ classtxt = next_token(&input, " \t");
+ if (classtxt != NULL) {
+ /* Look for the optional view name. */
+ viewtxt = next_token(&input, " \t");
+ }
+
+ isc_buffer_init(&buf, zonetxt, strlen(zonetxt));
+ isc_buffer_add(&buf, strlen(zonetxt));
+ dns_fixedname_init(&name);
+ result = dns_name_fromtext(dns_fixedname_name(&name),
+ &buf, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
+
+ if (classtxt != NULL) {
+ isc_textregion_t r;
+ r.base = classtxt;
+ r.length = strlen(classtxt);
+ result = dns_rdataclass_fromtext(&rdclass, &r);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
+ } else {
+ rdclass = dns_rdataclass_in;
+ }
+
+ if (viewtxt == NULL)
+ viewtxt = "_default";
+ result = dns_viewlist_find(&server->viewlist, viewtxt,
+ rdclass, &view);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
+
+ result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
+ 0, NULL, zonep);
+ /* Partial match? */
+ if (result != ISC_R_SUCCESS && *zonep != NULL)
+ dns_zone_detach(zonep);
+ dns_view_detach(&view);
+ fail1:
+ return (result);
+}
+
+/*
+ * Act on a "retransfer" command from the command channel.
+ */
+isc_result_t
+ns_server_retransfercommand(ns_server_t *server, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ dns_zonetype_t type;
+
+ result = zone_from_args(server, args, &zone);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ type = dns_zone_gettype(zone);
+ if (type == dns_zone_slave || type == dns_zone_stub)
+ dns_zone_forcereload(zone);
+ else
+ result = ISC_R_NOTFOUND;
+ dns_zone_detach(&zone);
+ return (result);
+}
+
+/*
+ * Act on a "reload" command from the command channel.
+ */
+isc_result_t
+ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ dns_zonetype_t type;
+ const char *msg = NULL;
+
+ result = zone_from_args(server, args, &zone);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL) {
+ result = reload(server);
+ if (result == ISC_R_SUCCESS)
+ msg = "server reload successful";
+ } else {
+ type = dns_zone_gettype(zone);
+ if (type == dns_zone_slave || type == dns_zone_stub) {
+ dns_zone_refresh(zone);
+ msg = "zone refresh queued";
+ } else {
+ result = dns_zone_load(zone);
+ dns_zone_detach(&zone);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ msg = "zone reload successful";
+ break;
+ case DNS_R_CONTINUE:
+ msg = "zone reload queued";
+ result = ISC_R_SUCCESS;
+ break;
+ case DNS_R_UPTODATE:
+ msg = "zone reload up-to-date";
+ result = ISC_R_SUCCESS;
+ break;
+ default:
+ /* failure message will be generated by rndc */
+ break;
+ }
+ }
+ }
+ if (msg != NULL && strlen(msg) < isc_buffer_availablelength(text))
+ isc_buffer_putmem(text, (const unsigned char *)msg,
+ strlen(msg) + 1);
+ return (result);
+}
+
+/*
+ * Act on a "reconfig" command from the command channel.
+ */
+isc_result_t
+ns_server_reconfigcommand(ns_server_t *server, char *args) {
+ UNUSED(args);
+
+ reconfig(server);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Act on a "refresh" command from the command channel.
+ */
+isc_result_t
+ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ const unsigned char msg[] = "zone refresh queued";
+
+ result = zone_from_args(server, args, &zone);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ dns_zone_refresh(zone);
+ dns_zone_detach(&zone);
+ if (sizeof(msg) <= isc_buffer_availablelength(text))
+ isc_buffer_putmem(text, msg, sizeof(msg));
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_togglequerylog(ns_server_t *server) {
+ server->log_queries = server->log_queries ? ISC_FALSE : ISC_TRUE;
+
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "query logging is now %s",
+ server->log_queries ? "on" : "off");
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config,
+ ns_aclconfctx_t *actx,
+ isc_mem_t *mctx, ns_listenlist_t **target)
+{
+ isc_result_t result;
+ cfg_listelt_t *element;
+ ns_listenlist_t *dlist = NULL;
+
+ REQUIRE(target != NULL && *target == NULL);
+
+ result = ns_listenlist_create(mctx, &dlist);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ for (element = cfg_list_first(listenlist);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ ns_listenelt_t *delt = NULL;
+ cfg_obj_t *listener = cfg_listelt_value(element);
+ result = ns_listenelt_fromconfig(listener, config, actx,
+ mctx, &delt);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ ISC_LIST_APPEND(dlist->elts, delt, link);
+ }
+ *target = dlist;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ ns_listenlist_detach(&dlist);
+ return (result);
+}
+
+/*
+ * Create a listen list from the corresponding configuration
+ * data structure.
+ */
+static isc_result_t
+ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config,
+ ns_aclconfctx_t *actx,
+ isc_mem_t *mctx, ns_listenelt_t **target)
+{
+ isc_result_t result;
+ cfg_obj_t *portobj;
+ in_port_t port;
+ ns_listenelt_t *delt = NULL;
+ REQUIRE(target != NULL && *target == NULL);
+
+ portobj = cfg_tuple_get(listener, "port");
+ if (!cfg_obj_isuint32(portobj)) {
+ if (ns_g_port != 0) {
+ port = ns_g_port;
+ } else {
+ result = ns_config_getport(config, &port);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ } else {
+ if (cfg_obj_asuint32(portobj) >= ISC_UINT16_MAX) {
+ cfg_obj_log(portobj, ns_g_lctx, ISC_LOG_ERROR,
+ "port value '%u' is out of range",
+ cfg_obj_asuint32(portobj));
+ return (ISC_R_RANGE);
+ }
+ port = (in_port_t)cfg_obj_asuint32(portobj);
+ }
+
+ result = ns_listenelt_create(mctx, port, NULL, &delt);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"),
+ config, actx, mctx, &delt->acl);
+ if (result != ISC_R_SUCCESS) {
+ ns_listenelt_destroy(delt);
+ return (result);
+ }
+ *target = delt;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_dumpstats(ns_server_t *server) {
+ isc_result_t result;
+ dns_zone_t *zone, *next;
+ isc_stdtime_t now;
+ FILE *fp = NULL;
+ int i;
+ int ncounters;
+
+ isc_stdtime_get(&now);
+
+ CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
+ "could not open statistics dump file", server->statsfile);
+
+ ncounters = DNS_STATS_NCOUNTERS;
+ fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
+
+ for (i = 0; i < ncounters; i++)
+ fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n",
+ dns_statscounter_names[i],
+ server->querystats[i]);
+
+ zone = NULL;
+ for (result = dns_zone_first(server->zonemgr, &zone);
+ result == ISC_R_SUCCESS;
+ next = NULL, result = dns_zone_next(zone, &next), zone = next)
+ {
+ isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
+ if (zonestats != NULL) {
+ char zonename[DNS_NAME_FORMATSIZE];
+ dns_view_t *view;
+ char *viewname;
+
+ dns_name_format(dns_zone_getorigin(zone),
+ zonename, sizeof(zonename));
+ view = dns_zone_getview(zone);
+ viewname = view->name;
+ for (i = 0; i < ncounters; i++) {
+ fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT
+ "u %s",
+ dns_statscounter_names[i],
+ zonestats[i],
+ zonename);
+ if (strcmp(viewname, "_default") != 0)
+ fprintf(fp, " %s", viewname);
+ fprintf(fp, "\n");
+ }
+ }
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ CHECK(result);
+
+ fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
+
+ cleanup:
+ if (fp != NULL)
+ (void)isc_stdio_close(fp);
+ return (result);
+}
+
+static isc_result_t
+add_zone_tolist(dns_zone_t *zone, void *uap) {
+ struct dumpcontext *dctx = uap;
+ struct zonelistentry *zle;
+
+ zle = isc_mem_get(dctx->mctx, sizeof *zle);
+ if (zle == NULL)
+ return (ISC_R_NOMEMORY);
+ zle->zone = NULL;
+ dns_zone_attach(zone, &zle->zone);
+ ISC_LINK_INIT(zle, link);
+ ISC_LIST_APPEND(ISC_LIST_TAIL(dctx->viewlist)->zonelist, zle, link);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_view_tolist(struct dumpcontext *dctx, dns_view_t *view) {
+ struct viewlistentry *vle;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ vle = isc_mem_get(dctx->mctx, sizeof *vle);
+ if (vle == NULL)
+ return (ISC_R_NOMEMORY);
+ vle->view = NULL;
+ dns_view_attach(view, &vle->view);
+ ISC_LINK_INIT(vle, link);
+ ISC_LIST_INIT(vle->zonelist);
+ ISC_LIST_APPEND(dctx->viewlist, vle, link);
+ if (dctx->dumpzones)
+ result = dns_zt_apply(view->zonetable, ISC_TRUE,
+ add_zone_tolist, dctx);
+ return (result);
+}
+
+static void
+dumpcontext_destroy(struct dumpcontext *dctx) {
+ struct viewlistentry *vle;
+ struct zonelistentry *zle;
+
+ vle = ISC_LIST_HEAD(dctx->viewlist);
+ while (vle != NULL) {
+ ISC_LIST_UNLINK(dctx->viewlist, vle, link);
+ zle = ISC_LIST_HEAD(vle->zonelist);
+ while (zle != NULL) {
+ ISC_LIST_UNLINK(vle->zonelist, zle, link);
+ dns_zone_detach(&zle->zone);
+ isc_mem_put(dctx->mctx, zle, sizeof *zle);
+ zle = ISC_LIST_HEAD(vle->zonelist);
+ }
+ dns_view_detach(&vle->view);
+ isc_mem_put(dctx->mctx, vle, sizeof *vle);
+ vle = ISC_LIST_HEAD(dctx->viewlist);
+ }
+ if (dctx->version != NULL)
+ dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
+ if (dctx->db != NULL)
+ dns_db_detach(&dctx->db);
+ if (dctx->cache != NULL)
+ dns_db_detach(&dctx->cache);
+ if (dctx->task != NULL)
+ isc_task_detach(&dctx->task);
+ if (dctx->fp != NULL)
+ (void)isc_stdio_close(dctx->fp);
+ if (dctx->mdctx != NULL)
+ dns_dumpctx_detach(&dctx->mdctx);
+ isc_mem_put(dctx->mctx, dctx, sizeof *dctx);
+}
+
+static void
+dumpdone(void *arg, isc_result_t result) {
+ struct dumpcontext *dctx = arg;
+ char buf[1024+32];
+ const dns_master_style_t *style;
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (dctx->mdctx != NULL)
+ dns_dumpctx_detach(&dctx->mdctx);
+ if (dctx->view == NULL) {
+ dctx->view = ISC_LIST_HEAD(dctx->viewlist);
+ if (dctx->view == NULL)
+ goto done;
+ INSIST(dctx->zone == NULL);
+ }
+ nextview:
+ fprintf(dctx->fp, ";\n; Start view %s\n;\n", dctx->view->view->name);
+ if (dctx->zone == NULL && dctx->cache == NULL && dctx->dumpcache) {
+ style = &dns_master_style_cache;
+ /* start cache dump */
+ if (dctx->view->view->cachedb != NULL)
+ dns_db_attach(dctx->view->view->cachedb, &dctx->cache);
+ if (dctx->cache != NULL) {
+
+ fprintf(dctx->fp, ";\n; Cache dump of view '%s'\n;\n",
+ dctx->view->view->name);
+ result = dns_master_dumptostreaminc(dctx->mctx,
+ dctx->cache, NULL,
+ style, dctx->fp,
+ dctx->task,
+ dumpdone, dctx,
+ &dctx->mdctx);
+ if (result == DNS_R_CONTINUE)
+ return;
+ if (result == ISC_R_NOTIMPLEMENTED)
+ fprintf(dctx->fp, "; %s\n",
+ dns_result_totext(result));
+ else if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ }
+ if (dctx->cache != NULL) {
+ dns_adb_dump(dctx->view->view->adb, dctx->fp);
+ dns_db_detach(&dctx->cache);
+ }
+ if (dctx->dumpzones) {
+ style = &dns_master_style_full;
+ nextzone:
+ if (dctx->version != NULL)
+ dns_db_closeversion(dctx->db, &dctx->version,
+ ISC_FALSE);
+ if (dctx->db != NULL)
+ dns_db_detach(&dctx->db);
+ if (dctx->zone == NULL)
+ dctx->zone = ISC_LIST_HEAD(dctx->view->zonelist);
+ else
+ dctx->zone = ISC_LIST_NEXT(dctx->zone, link);
+ if (dctx->zone != NULL) {
+ /* start zone dump */
+ dns_zone_name(dctx->zone->zone, buf, sizeof(buf));
+ fprintf(dctx->fp, ";\n; Zone dump of '%s'\n;\n", buf);
+ result = dns_zone_getdb(dctx->zone->zone, &dctx->db);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(dctx->fp, "; %s\n",
+ dns_result_totext(result));
+ goto nextzone;
+ }
+ dns_db_currentversion(dctx->db, &dctx->version);
+ result = dns_master_dumptostreaminc(dctx->mctx,
+ dctx->db,
+ dctx->version,
+ style, dctx->fp,
+ dctx->task,
+ dumpdone, dctx,
+ &dctx->mdctx);
+ if (result == DNS_R_CONTINUE)
+ return;
+ if (result == ISC_R_NOTIMPLEMENTED)
+ fprintf(dctx->fp, "; %s\n",
+ dns_result_totext(result));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ }
+ if (dctx->view != NULL)
+ dctx->view = ISC_LIST_NEXT(dctx->view, link);
+ if (dctx->view != NULL)
+ goto nextview;
+ done:
+ fprintf(dctx->fp, "; Dump complete\n");
+ result = isc_stdio_flush(dctx->fp);
+ if (result == ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpdb complete");
+ cleanup:
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpdb failed: %s", dns_result_totext(result));
+ dumpcontext_destroy(dctx);
+}
+
+
+isc_result_t
+ns_server_dumpdb(ns_server_t *server, char *args) {
+ struct dumpcontext *dctx = NULL;
+ dns_view_t *view;
+ isc_result_t result;
+ char *ptr;
+ const char *sep;
+
+ dctx = isc_mem_get(server->mctx, sizeof(*dctx));
+ if (dctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dctx->mctx = server->mctx;
+ dctx->dumpcache = ISC_TRUE;
+ dctx->dumpzones = ISC_FALSE;
+ dctx->fp = NULL;
+ ISC_LIST_INIT(dctx->viewlist);
+ dctx->view = NULL;
+ dctx->zone = NULL;
+ dctx->cache = NULL;
+ dctx->mdctx = NULL;
+ dctx->db = NULL;
+ dctx->cache = NULL;
+ dctx->task = NULL;
+ dctx->version = NULL;
+ isc_task_attach(server->task, &dctx->task);
+
+ CHECKMF(isc_stdio_open(server->dumpfile, "w", &dctx->fp),
+ "could not open dump file", server->dumpfile);
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ sep = (args == NULL) ? "" : ": ";
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "dumpdb started%s%s", sep, (args != NULL) ? args : "");
+
+ ptr = next_token(&args, " \t");
+ if (ptr != NULL && strcmp(ptr, "-all") == 0) {
+ dctx->dumpzones = ISC_TRUE;
+ dctx->dumpcache = ISC_TRUE;
+ ptr = next_token(&args, " \t");
+ } else if (ptr != NULL && strcmp(ptr, "-cache") == 0) {
+ dctx->dumpzones = ISC_FALSE;
+ dctx->dumpcache = ISC_TRUE;
+ ptr = next_token(&args, " \t");
+ } else if (ptr != NULL && strcmp(ptr, "-zones") == 0) {
+ dctx->dumpzones = ISC_TRUE;
+ dctx->dumpcache = ISC_FALSE;
+ ptr = next_token(&args, " \t");
+ }
+
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (ptr != NULL && strcmp(view->name, ptr) != 0)
+ continue;
+ CHECK(add_view_tolist(dctx, view));
+ }
+ dumpdone(dctx, ISC_R_SUCCESS);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (dctx != NULL)
+ dumpcontext_destroy(dctx);
+ return (result);
+}
+
+isc_result_t
+ns_server_dumprecursing(ns_server_t *server) {
+ FILE *fp = NULL;
+ isc_result_t result;
+
+ CHECKMF(isc_stdio_open(server->recfile, "w", &fp),
+ "could not open dump file", server->recfile);
+ fprintf(fp,";\n; Recursing Queries\n;\n");
+ ns_interfacemgr_dumprecursing(fp, server->interfacemgr);
+ fprintf(fp, "; Dump complete\n");
+
+ cleanup:
+ if (fp != NULL)
+ result = isc_stdio_close(fp);
+ return (result);
+}
+
+isc_result_t
+ns_server_setdebuglevel(ns_server_t *server, char *args) {
+ char *ptr;
+ char *levelstr;
+ char *endp;
+ long newlevel;
+
+ UNUSED(server);
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Look for the new level name. */
+ levelstr = next_token(&args, " \t");
+ if (levelstr == NULL) {
+ if (ns_g_debuglevel < 99)
+ ns_g_debuglevel++;
+ } else {
+ newlevel = strtol(levelstr, &endp, 10);
+ if (*endp != '\0' || newlevel < 0 || newlevel > 99)
+ return (ISC_R_RANGE);
+ ns_g_debuglevel = (unsigned int)newlevel;
+ }
+ isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_flushcache(ns_server_t *server, char *args) {
+ char *ptr, *viewname;
+ dns_view_t *view;
+ isc_boolean_t flushed = ISC_FALSE;
+ isc_result_t result;
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Look for the view name. */
+ viewname = next_token(&args, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+ continue;
+ result = dns_view_flushcache(view);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ flushed = ISC_TRUE;
+ }
+ if (flushed)
+ result = ISC_R_SUCCESS;
+ else
+ result = ISC_R_FAILURE;
+ out:
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
+isc_result_t
+ns_server_flushname(ns_server_t *server, char *args) {
+ char *ptr, *target, *viewname;
+ dns_view_t *view;
+ isc_boolean_t flushed = ISC_FALSE;
+ isc_result_t result;
+ isc_buffer_t b;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+
+ /* Skip the command name. */
+ ptr = next_token(&args, " \t");
+ if (ptr == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /* Find the domain name to flush. */
+ target = next_token(&args, " \t");
+ if (target == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_init(&b, target, strlen(target));
+ isc_buffer_add(&b, strlen(target));
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /* Look for the view name. */
+ viewname = next_token(&args, " \t");
+
+ result = isc_task_beginexclusive(server->task);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ flushed = ISC_TRUE;
+ for (view = ISC_LIST_HEAD(server->viewlist);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link))
+ {
+ if (viewname != NULL && strcasecmp(viewname, view->name) != 0)
+ continue;
+ result = dns_view_flushname(view, name);
+ if (result != ISC_R_SUCCESS)
+ flushed = ISC_FALSE;
+ }
+ if (flushed)
+ result = ISC_R_SUCCESS;
+ else
+ result = ISC_R_FAILURE;
+ isc_task_endexclusive(server->task);
+ return (result);
+}
+
+isc_result_t
+ns_server_status(ns_server_t *server, isc_buffer_t *text) {
+ int zonecount, xferrunning, xferdeferred, soaqueries;
+ unsigned int n;
+
+ zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
+ xferrunning = dns_zonemgr_getcount(server->zonemgr,
+ DNS_ZONESTATE_XFERRUNNING);
+ xferdeferred = dns_zonemgr_getcount(server->zonemgr,
+ DNS_ZONESTATE_XFERDEFERRED);
+ soaqueries = dns_zonemgr_getcount(server->zonemgr,
+ DNS_ZONESTATE_SOAQUERY);
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "number of zones: %u\n"
+ "debug level: %d\n"
+ "xfers running: %u\n"
+ "xfers deferred: %u\n"
+ "soa queries in progress: %u\n"
+ "query logging is %s\n"
+ "recursive clients: %d/%d\n"
+ "tcp clients: %d/%d\n"
+ "server is up and running",
+ zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
+ soaqueries, server->log_queries ? "ON" : "OFF",
+ server->recursionquota.used, server->recursionquota.max,
+ server->tcpquota.used, server->tcpquota.max);
+ if (n >= isc_buffer_availablelength(text))
+ return (ISC_R_NOSPACE);
+ isc_buffer_add(text, n);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Act on a "freeze" or "unfreeze" command from the command channel.
+ */
+isc_result_t
+ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args) {
+ isc_result_t result;
+ dns_zone_t *zone = NULL;
+ dns_zonetype_t type;
+ char classstr[DNS_RDATACLASS_FORMATSIZE];
+ char zonename[DNS_NAME_FORMATSIZE];
+ dns_view_t *view;
+ char *journal;
+ const char *vname, *sep;
+ isc_boolean_t frozen;
+
+ result = zone_from_args(server, args, &zone);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (zone == NULL)
+ return (ISC_R_UNEXPECTEDEND);
+ type = dns_zone_gettype(zone);
+ if (type != dns_zone_master) {
+ dns_zone_detach(&zone);
+ return (ISC_R_NOTFOUND);
+ }
+
+ frozen = dns_zone_getupdatedisabled(zone);
+ if (freeze) {
+ if (frozen)
+ result = DNS_R_FROZEN;
+ if (result == ISC_R_SUCCESS)
+ result = dns_zone_flush(zone);
+ if (result == ISC_R_SUCCESS) {
+ journal = dns_zone_getjournal(zone);
+ if (journal != NULL)
+ (void)isc_file_remove(journal);
+ }
+ } else {
+ if (frozen) {
+ result = dns_zone_load(zone);
+ if (result == DNS_R_CONTINUE ||
+ result == DNS_R_UPTODATE)
+ result = ISC_R_SUCCESS;
+ }
+ }
+ if (result == ISC_R_SUCCESS)
+ dns_zone_setupdatedisabled(zone, freeze);
+
+ view = dns_zone_getview(zone);
+ if (strcmp(view->name, "_bind") == 0 ||
+ strcmp(view->name, "_default") == 0)
+ {
+ vname = "";
+ sep = "";
+ } else {
+ vname = view->name;
+ sep = " ";
+ }
+ dns_rdataclass_format(dns_zone_getclass(zone), classstr,
+ sizeof(classstr));
+ dns_name_format(dns_zone_getorigin(zone),
+ zonename, sizeof(zonename));
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+ NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+ "%s zone '%s/%s'%s%s: %s",
+ freeze ? "freezing" : "unfreezing",
+ zonename, classstr, sep, vname,
+ isc_result_totext(result));
+ dns_zone_detach(&zone);
+ return (result);
+}
diff --git a/contrib/bind9/bin/named/sortlist.c b/contrib/bind9/bin/named/sortlist.c
new file mode 100644
index 0000000..0098fe7
--- /dev/null
+++ b/contrib/bind9/bin/named/sortlist.c
@@ -0,0 +1,162 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sortlist.c,v 1.5.12.4 2004/03/08 04:04:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/result.h>
+
+#include <named/globals.h>
+#include <named/server.h>
+#include <named/sortlist.h>
+
+ns_sortlisttype_t
+ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr, void **argp) {
+ unsigned int i;
+
+ if (acl == NULL)
+ goto dont_sort;
+
+ for (i = 0; i < acl->length; i++) {
+ /*
+ * 'e' refers to the current 'top level statement'
+ * in the sortlist (see ARM).
+ */
+ dns_aclelement_t *e = &acl->elements[i];
+ dns_aclelement_t *try_elt;
+ dns_aclelement_t *order_elt = NULL;
+ dns_aclelement_t *matched_elt = NULL;
+
+ if (e->type == dns_aclelementtype_nestedacl) {
+ dns_acl_t *inner = e->u.nestedacl;
+
+ if (inner->length < 1 || inner->length > 2)
+ goto dont_sort;
+ if (inner->elements[0].negative)
+ goto dont_sort;
+ try_elt = &inner->elements[0];
+ if (inner->length == 2)
+ order_elt = &inner->elements[1];
+ } else {
+ /*
+ * BIND 8 allows bare elements at the top level
+ * as an undocumented feature.
+ */
+ try_elt = e;
+ }
+
+ if (dns_aclelement_match(clientaddr, NULL, try_elt,
+ &ns_g_server->aclenv,
+ &matched_elt)) {
+ if (order_elt != NULL) {
+ if (order_elt->type ==
+ dns_aclelementtype_nestedacl) {
+ *argp = order_elt->u.nestedacl;
+ return (NS_SORTLISTTYPE_2ELEMENT);
+ } else if (order_elt->type ==
+ dns_aclelementtype_localhost &&
+ ns_g_server->aclenv.localhost != NULL) {
+ *argp = ns_g_server->aclenv.localhost;
+ return (NS_SORTLISTTYPE_2ELEMENT);
+ } else if (order_elt->type ==
+ dns_aclelementtype_localnets &&
+ ns_g_server->aclenv.localnets != NULL) {
+ *argp = ns_g_server->aclenv.localnets;
+ return (NS_SORTLISTTYPE_2ELEMENT);
+ } else {
+ /*
+ * BIND 8 allows a bare IP prefix as
+ * the 2nd element of a 2-element
+ * sortlist statement.
+ */
+ *argp = order_elt;
+ return (NS_SORTLISTTYPE_1ELEMENT);
+ }
+ } else {
+ INSIST(matched_elt != NULL);
+ *argp = matched_elt;
+ return (NS_SORTLISTTYPE_1ELEMENT);
+ }
+ }
+ }
+
+ /* No match; don't sort. */
+ dont_sort:
+ *argp = NULL;
+ return (NS_SORTLISTTYPE_NONE);
+}
+
+int
+ns_sortlist_addrorder2(isc_netaddr_t *addr, void *arg) {
+ dns_acl_t *sortacl = (dns_acl_t *) arg;
+ int match;
+
+ (void)dns_acl_match(addr, NULL, sortacl,
+ &ns_g_server->aclenv,
+ &match, NULL);
+ if (match > 0)
+ return (match);
+ else if (match < 0)
+ return (INT_MAX - (-match));
+ else
+ return (INT_MAX / 2);
+}
+
+int
+ns_sortlist_addrorder1(isc_netaddr_t *addr, void *arg) {
+ dns_aclelement_t *matchelt = (dns_aclelement_t *) arg;
+ if (dns_aclelement_match(addr, NULL, matchelt,
+ &ns_g_server->aclenv,
+ NULL)) {
+ return (0);
+ } else {
+ return (INT_MAX);
+ }
+}
+
+void
+ns_sortlist_byaddrsetup(dns_acl_t *sortlist_acl, isc_netaddr_t *client_addr,
+ dns_addressorderfunc_t *orderp,
+ void **argp)
+{
+ ns_sortlisttype_t sortlisttype;
+
+ sortlisttype = ns_sortlist_setup(sortlist_acl, client_addr, argp);
+
+ switch (sortlisttype) {
+ case NS_SORTLISTTYPE_1ELEMENT:
+ *orderp = ns_sortlist_addrorder1;
+ break;
+ case NS_SORTLISTTYPE_2ELEMENT:
+ *orderp = ns_sortlist_addrorder2;
+ break;
+ case NS_SORTLISTTYPE_NONE:
+ *orderp = NULL;
+ break;
+ default:
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "unexpected return from ns_sortlist_setup(): "
+ "%d", sortlisttype);
+ break;
+ }
+}
+
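Review bot: The `default:` branch of the switch in ns_sortlist_byaddrsetup never assigns `*orderp`, so after the UNEXPECTED_ERROR log the caller is left with whatever the pointer held before the call. ns_sortlist_setup as written returns only the three handled values, so the branch is purely defensive, but it should fail closed by adding `*orderp = NULL;` before the `break;`. Separately, ns_sortlist_addrorder2 discards the result of dns_acl_match and then reads `match`, which is declared without an initialiser. Declaring it as `int match = 0;` would make the comparator's result independent of how dns_acl_match behaves on error, which is not visible in this hunk.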
diff --git a/contrib/bind9/bin/named/tkeyconf.c b/contrib/bind9/bin/named/tkeyconf.c
new file mode 100644
index 0000000..7fc13f3
--- /dev/null
+++ b/contrib/bind9/bin/named/tkeyconf.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tkeyconf.c,v 1.19.208.2 2004/06/11 00:30:51 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/mem.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/tkey.h>
+
+#include <dst/gssapi.h>
+
+#include <named/tkeyconf.h>
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto failure; \
+ } while (0)
+
+
+isc_result_t
+ns_tkeyctx_fromconfig(cfg_obj_t *options, isc_mem_t *mctx, isc_entropy_t *ectx,
+ dns_tkeyctx_t **tctxp)
+{
+ isc_result_t result;
+ dns_tkeyctx_t *tctx = NULL;
+ char *s;
+ isc_uint32_t n;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_buffer_t b;
+ cfg_obj_t *obj;
+ int type;
+
+ result = dns_tkeyctx_create(mctx, ectx, &tctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ obj = NULL;
+ result = cfg_map_get(options, "tkey-dhkey", &obj);
+ if (result == ISC_R_SUCCESS) {
+ s = cfg_obj_asstring(cfg_tuple_get(obj, "name"));
+ n = cfg_obj_asuint32(cfg_tuple_get(obj, "keyid"));
+ isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_add(&b, strlen(s));
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ RETERR(dns_name_fromtext(name, &b, dns_rootname,
+ ISC_FALSE, NULL));
+ type = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_KEY;
+ RETERR(dst_key_fromfile(name, (dns_keytag_t) n, DNS_KEYALG_DH,
+ type, NULL, mctx, &tctx->dhkey));
+ }
+
+ obj = NULL;
+ result = cfg_map_get(options, "tkey-domain", &obj);
+ if (result == ISC_R_SUCCESS) {
+ s = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_add(&b, strlen(s));
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
+ NULL));
+ tctx->domain = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (tctx->domain == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ dns_name_init(tctx->domain, NULL);
+ RETERR(dns_name_dup(name, mctx, tctx->domain));
+ }
+
+ obj = NULL;
+ result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
+ if (result == ISC_R_SUCCESS) {
+ s = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, s, strlen(s));
+ isc_buffer_add(&b, strlen(s));
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ RETERR(dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE,
+ NULL));
+ RETERR(dst_gssapi_acquirecred(name, ISC_FALSE,
+ &tctx->gsscred));
+ }
+
+ *tctxp = tctx;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ dns_tkeyctx_destroy(&tctx);
+ return (result);
+}
+
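Review bot: The `tkey-dhkey` block in ns_tkeyctx_fromconfig narrows the configured keyid with `(dns_keytag_t) n` and no range check, so a value above 65535 would be silently truncated and a different key file looked up. This assumes dns_keytag_t is the 16-bit key-tag type and that the config parser does not already bound the field, neither of which is visible here. A guard before the dst_key_fromfile call, `if (n > 0xffff) { result = ISC_R_RANGE; goto failure; }`, would reject such a value explicitly. The three option blocks also repeat the same isc_buffer_init / isc_buffer_add / dns_name_fromtext sequence, which a small static helper would remove. A short comment on the NULL directory argument would help too, stating where the private key file is expected to live.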
diff --git a/contrib/bind9/bin/named/tsigconf.c b/contrib/bind9/bin/named/tsigconf.c
new file mode 100644
index 0000000..38524c3
--- /dev/null
+++ b/contrib/bind9/bin/named/tsigconf.c
@@ -0,0 +1,170 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsigconf.c,v 1.21.208.4 2004/03/08 04:04:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+
+#include <isccfg/cfg.h>
+
+#include <dns/tsig.h>
+#include <dns/result.h>
+
+#include <named/log.h>
+
+#include <named/config.h>
+#include <named/tsigconf.h>
+
+static isc_result_t
+add_initial_keys(cfg_obj_t *list, dns_tsig_keyring_t *ring, isc_mem_t *mctx) {
+ cfg_listelt_t *element;
+ cfg_obj_t *key = NULL;
+ char *keyid = NULL;
+ unsigned char *secret = NULL;
+ int secretalloc = 0;
+ int secretlen = 0;
+ isc_result_t ret;
+ isc_stdtime_t now;
+
+ for (element = cfg_list_first(list);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *algobj = NULL;
+ cfg_obj_t *secretobj = NULL;
+ dns_name_t keyname;
+ dns_name_t *alg;
+ char *algstr;
+ char keynamedata[1024];
+ isc_buffer_t keynamesrc, keynamebuf;
+ char *secretstr;
+ isc_buffer_t secretbuf;
+
+ key = cfg_listelt_value(element);
+ keyid = cfg_obj_asstring(cfg_map_getname(key));
+
+ algobj = NULL;
+ secretobj = NULL;
+ (void)cfg_map_get(key, "algorithm", &algobj);
+ (void)cfg_map_get(key, "secret", &secretobj);
+ INSIST(algobj != NULL && secretobj != NULL);
+
+ /*
+ * Create the key name.
+ */
+ dns_name_init(&keyname, NULL);
+ isc_buffer_init(&keynamesrc, keyid, strlen(keyid));
+ isc_buffer_add(&keynamesrc, strlen(keyid));
+ isc_buffer_init(&keynamebuf, keynamedata, sizeof(keynamedata));
+ ret = dns_name_fromtext(&keyname, &keynamesrc, dns_rootname,
+ ISC_TRUE, &keynamebuf);
+ if (ret != ISC_R_SUCCESS)
+ goto failure;
+
+ /*
+ * Create the algorithm.
+ */
+ algstr = cfg_obj_asstring(algobj);
+ if (ns_config_getkeyalgorithm(algstr, &alg) != ISC_R_SUCCESS) {
+ cfg_obj_log(algobj, ns_g_lctx, ISC_LOG_ERROR,
+ "key '%s': the only supported algorithm "
+ "is hmac-md5", keyid);
+ ret = DNS_R_BADALG;
+ goto failure;
+ }
+
+ secretstr = cfg_obj_asstring(secretobj);
+ secretalloc = secretlen = strlen(secretstr) * 3 / 4;
+ secret = isc_mem_get(mctx, secretlen);
+ if (secret == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ isc_buffer_init(&secretbuf, secret, secretlen);
+ ret = isc_base64_decodestring(secretstr, &secretbuf);
+ if (ret != ISC_R_SUCCESS)
+ goto failure;
+ secretlen = isc_buffer_usedlength(&secretbuf);
+
+ isc_stdtime_get(&now);
+ ret = dns_tsigkey_create(&keyname, alg, secret, secretlen,
+ ISC_FALSE, NULL, now, now,
+ mctx, ring, NULL);
+ isc_mem_put(mctx, secret, secretalloc);
+ secret = NULL;
+ if (ret != ISC_R_SUCCESS)
+ goto failure;
+ }
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ cfg_obj_log(key, ns_g_lctx, ISC_LOG_ERROR,
+ "configuring key '%s': %s", keyid,
+ isc_result_totext(ret));
+
+ if (secret != NULL)
+ isc_mem_put(mctx, secret, secretalloc);
+ return (ret);
+
+}
+
+isc_result_t
+ns_tsigkeyring_fromconfig(cfg_obj_t *config, cfg_obj_t *vconfig,
+ isc_mem_t *mctx, dns_tsig_keyring_t **ringp)
+{
+ cfg_obj_t *maps[3];
+ cfg_obj_t *keylist;
+ dns_tsig_keyring_t *ring = NULL;
+ isc_result_t result;
+ int i;
+
+ i = 0;
+ if (config != NULL)
+ maps[i++] = config;
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ maps[i] = NULL;
+
+ result = dns_tsigkeyring_create(mctx, &ring);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ for (i = 0; ; i++) {
+ if (maps[i] == NULL)
+ break;
+ keylist = NULL;
+ result = cfg_map_get(maps[i], "key", &keylist);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ result = add_initial_keys(keylist, ring, mctx);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
+
+ *ringp = ring;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ dns_tsigkeyring_destroy(&ring);
+ return (result);
+}
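Review bot: The decoded TSIG secret in add_initial_keys is handed back to the memory context without being cleared, both right after dns_tsigkey_create and on the `failure:` path, so the raw key bytes remain in freed memory until it is reused. Clearing first, with `memset(secret, 0, secretalloc);` ahead of each `isc_mem_put(mctx, secret, secretalloc);`, limits exposure through later allocations or a core dump. In addition, `strlen(secretstr) * 3 / 4` evaluates to 0 for an empty or one-character secret, so isc_mem_get is called with size 0. How the allocator treats that is not visible here, so an explicit rejection of an empty secret before allocating would be safer.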
diff --git a/contrib/bind9/bin/named/unix/Makefile.in b/contrib/bind9/bin/named/unix/Makefile.in
new file mode 100644
index 0000000..60ce968
--- /dev/null
+++ b/contrib/bind9/bin/named/unix/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1999-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6.12.3 2004/03/08 09:04:15 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = os.@O@
+
+SRCS = os.c
+
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/named/unix/include/named/os.h b/contrib/bind9/bin/named/unix/include/named/os.h
new file mode 100644
index 0000000..a9fbcb7
--- /dev/null
+++ b/contrib/bind9/bin/named/unix/include/named/os.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.14.2.2.8.8 2004/03/08 04:04:21 marka Exp $ */
+
+#ifndef NS_OS_H
+#define NS_OS_H 1
+
+#include <isc/types.h>
+
+void
+ns_os_init(const char *progname);
+
+void
+ns_os_daemonize(void);
+
+void
+ns_os_opendevnull(void);
+
+void
+ns_os_closedevnull(void);
+
+void
+ns_os_chroot(const char *root);
+
+void
+ns_os_inituserinfo(const char *username);
+
+void
+ns_os_changeuser(void);
+
+void
+ns_os_minprivs(void);
+
+void
+ns_os_writepidfile(const char *filename, isc_boolean_t first_time);
+
+void
+ns_os_shutdown(void);
+
+isc_result_t
+ns_os_gethostname(char *buf, size_t len);
+
+void
+ns_os_shutdownmsg(char *command, isc_buffer_t *text);
+
+void
+ns_os_tzset(void);
+
+#endif /* NS_OS_H */
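Review bot: The privilege-related entry points declared here (ns_os_chroot, ns_os_inituserinfo, ns_os_changeuser, ns_os_minprivs) all return void and carry no contract comment, so a caller cannot tell from the header whether a failed chroot or user switch is fatal or silently ignored. Each prototype should get a short comment stating its failure behaviour and any required call order, for example `/* Does not return if the chroot fails (confirm against os.c). */` above ns_os_chroot. The implementations are outside this hunk, so the wording needs to be checked against os.c before it is written down.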
diff --git a/contrib/bind9/bin/named/unix/os.c b/contrib/bind9/bin/named/unix/os.c
new file mode 100644
index 0000000..7df7f3b
--- /dev/null
+++ b/contrib/bind9/bin/named/unix/os.c
@@ -0,0 +1,630 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.46.2.4.8.16 2004/05/04 03:19:42 marka Exp $ */
+
+#include <config.h>
+#include <stdarg.h>
+
+#include <sys/types.h> /* dev_t FreeBSD 2.1 */
+#include <sys/stat.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h> /* Required for initgroups() on IRIX. */
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <syslog.h>
+#ifdef HAVE_TZSET
+#include <time.h>
+#endif
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+
+#include <named/main.h>
+#include <named/os.h>
+
+static char *pidfile = NULL;
+static int devnullfd = -1;
+
+#ifndef ISC_FACILITY
+#define ISC_FACILITY LOG_DAEMON
+#endif
+
+/*
+ * If there's no <linux/capability.h>, we don't care about <sys/prctl.h>
+ */
+#ifndef HAVE_LINUX_CAPABILITY_H
+#undef HAVE_SYS_PRCTL_H
+#endif
+
+/*
+ * Linux defines:
+ * (T) HAVE_LINUXTHREADS
+ * (C) HAVE_LINUX_CAPABILITY_H
+ * (P) HAVE_SYS_PRCTL_H
+ * The possible cases are:
+ * none: setuid() normally
+ * T: no setuid()
+ * C: setuid() normally, drop caps (keep CAP_SETUID)
+ * T+C: no setuid(), drop caps (don't keep CAP_SETUID)
+ * T+C+P: setuid() early, drop caps (keep CAP_SETUID)
+ * C+P: setuid() normally, drop caps (keep CAP_SETUID)
+ * P: not possible
+ * T+P: not possible
+ *
+ * if (C)
+ * caps = BIND_SERVICE + CHROOT + SETGID
+ * if ((T && C && P) || !T)
+ * caps += SETUID
+ * endif
+ * capset(caps)
+ * endif
+ * if (T && C && P && -u)
+ * setuid()
+ * else if (T && -u)
+ * fail
+ * --> start threads
+ * if (!T && -u)
+ * setuid()
+ * if (C && (P || !-u))
+ * caps = BIND_SERVICE
+ * capset(caps)
+ * endif
+ *
+ * It will be nice when Linux threads work properly with setuid().
+ */
+
+#ifdef HAVE_LINUXTHREADS
+static pid_t mainpid = 0;
+#endif
+
+static struct passwd *runas_pw = NULL;
+static isc_boolean_t done_setuid = ISC_FALSE;
+
+#ifdef HAVE_LINUX_CAPABILITY_H
+
+static isc_boolean_t non_root = ISC_FALSE;
+static isc_boolean_t non_root_caps = ISC_FALSE;
+
+/*
+ * We define _LINUX_FS_H to prevent it from being included. We don't need
+ * anything from it, and the files it includes cause warnings with 2.2
+ * kernels, and compilation failures (due to conflicts between <linux/string.h>
+ * and <string.h>) on 2.3 kernels.
+ */
+#define _LINUX_FS_H
+
+#include <sys/syscall.h> /* Required for syscall(). */
+#include <linux/capability.h> /* Required for _LINUX_CAPABILITY_VERSION. */
+
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h> /* Required for prctl(). */
+
+/*
+ * If the value of PR_SET_KEEPCAPS is not in <sys/prctl.h>, define it
+ * here. This allows setuid() to work on systems running a new enough
+ * kernel but with /usr/include/linux pointing to "standard" kernel
+ * headers.
+ */
+#ifndef PR_SET_KEEPCAPS
+#define PR_SET_KEEPCAPS 8
+#endif
+
+#endif /* HAVE_SYS_PRCTL_H */
+
+#ifndef SYS_capset
+#ifndef __NR_capset
+#include <asm/unistd.h> /* Slackware 4.0 needs this. */
+#endif
+#define SYS_capset __NR_capset
+#endif
+
+static void
+linux_setcaps(unsigned int caps) {
+ struct __user_cap_header_struct caphead;
+ struct __user_cap_data_struct cap;
+ char strbuf[ISC_STRERRORSIZE];
+
+ if ((getuid() != 0 && !non_root_caps) || non_root)
+ return;
+
+ memset(&caphead, 0, sizeof(caphead));
+ caphead.version = _LINUX_CAPABILITY_VERSION;
+ caphead.pid = 0;
+ memset(&cap, 0, sizeof(cap));
+ cap.effective = caps;
+ cap.permitted = caps;
+ cap.inheritable = caps;
+ if (syscall(SYS_capset, &caphead, &cap) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("capset failed: %s", strbuf);
+ }
+}
+
+static void
+linux_initialprivs(void) {
+ unsigned int caps;
+
+ /*
+ * We don't need most privileges, so we drop them right away.
+ * Later on linux_minprivs() will be called, which will drop our
+ * capabilities to the minimum needed to run the server.
+ */
+
+ caps = 0;
+
+ /*
+ * We need to be able to bind() to privileged ports, notably port 53!
+ */
+ caps |= (1 << CAP_NET_BIND_SERVICE);
+
+ /*
+ * We need chroot() initially too.
+ */
+ caps |= (1 << CAP_SYS_CHROOT);
+
+#if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
+ /*
+ * We can setuid() only if either the kernel supports keeping
+ * capabilities after setuid() (which we don't know until we've
+ * tried) or we're not using threads. If either of these is
+ * true, we want the setuid capability.
+ */
+ caps |= (1 << CAP_SETUID);
+#endif
+
+ /*
+ * Since we call initgroups, we need this.
+ */
+ caps |= (1 << CAP_SETGID);
+
+ /*
+ * Without this, we run into problems reading a configuration file
+ * owned by a non-root user and non-world-readable on startup.
+ */
+ caps |= (1 << CAP_DAC_READ_SEARCH);
+
+ /*
+ * XXX We might want to add CAP_SYS_RESOURCE, though it's not
+ * clear it would work right given the way linuxthreads work.
+ * XXXDCL But since we need to be able to set the maximum number
+ * of files, the stack size, data size, and core dump size to
+ * support named.conf options, this is now being added to test.
+ */
+ caps |= (1 << CAP_SYS_RESOURCE);
+
+ linux_setcaps(caps);
+}
+
+static void
+linux_minprivs(void) {
+ unsigned int caps;
+
+ /*
+ * Drop all privileges except the ability to bind() to privileged
+ * ports.
+ *
+ * It's important that we drop CAP_SYS_CHROOT. If we didn't, it
+ * chroot() could be used to escape from the chrooted area.
+ */
+
+ caps = 0;
+ caps |= (1 << CAP_NET_BIND_SERVICE);
+
+ /*
+ * XXX We might want to add CAP_SYS_RESOURCE, though it's not
+ * clear it would work right given the way linuxthreads work.
+ * XXXDCL But since we need to be able to set the maximum number
+ * of files, the stack size, data size, and core dump size to
+ * support named.conf options, this is now being added to test.
+ */
+ caps |= (1 << CAP_SYS_RESOURCE);
+
+ linux_setcaps(caps);
+}
+
+#ifdef HAVE_SYS_PRCTL_H
+static void
+linux_keepcaps(void) {
+ char strbuf[ISC_STRERRORSIZE];
+ /*
+ * Ask the kernel to allow us to keep our capabilities after we
+ * setuid().
+ */
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+ if (errno != EINVAL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("prctl() failed: %s", strbuf);
+ }
+ } else {
+ non_root_caps = ISC_TRUE;
+ if (getuid() != 0)
+ non_root = ISC_TRUE;
+ }
+}
+#endif
+
+#endif /* HAVE_LINUX_CAPABILITY_H */
+
+
+static void
+setup_syslog(const char *progname) {
+ int options;
+
+ options = LOG_PID;
+#ifdef LOG_NDELAY
+ options |= LOG_NDELAY;
+#endif
+ openlog(isc_file_basename(progname), options, ISC_FACILITY);
+}
+
+void
+ns_os_init(const char *progname) {
+ setup_syslog(progname);
+#ifdef HAVE_LINUX_CAPABILITY_H
+ linux_initialprivs();
+#endif
+#ifdef HAVE_LINUXTHREADS
+ mainpid = getpid();
+#endif
+#ifdef SIGXFSZ
+ signal(SIGXFSZ, SIG_IGN);
+#endif
+}
+
+void
+ns_os_daemonize(void) {
+ pid_t pid;
+ char strbuf[ISC_STRERRORSIZE];
+
+ pid = fork();
+ if (pid == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("fork(): %s", strbuf);
+ }
+ if (pid != 0)
+ _exit(0);
+
+ /*
+ * We're the child.
+ */
+
+#ifdef HAVE_LINUXTHREADS
+ mainpid = getpid();
+#endif
+
+ if (setsid() == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("setsid(): %s", strbuf);
+ }
+
+ /*
+ * Try to set stdin, stdout, and stderr to /dev/null, but press
+ * on even if it fails.
+ *
+ * XXXMLG The close() calls here are unneeded on all but NetBSD, but
+ * are harmless to include everywhere. dup2() is supposed to close
+ * the FD if it is in use, but unproven-pthreads-0.16 is broken
+ * and will end up closing the wrong FD. This will be fixed eventually,
+ * and these calls will be removed.
+ */
+ if (devnullfd != -1) {
+ if (devnullfd != STDIN_FILENO) {
+ (void)close(STDIN_FILENO);
+ (void)dup2(devnullfd, STDIN_FILENO);
+ }
+ if (devnullfd != STDOUT_FILENO) {
+ (void)close(STDOUT_FILENO);
+ (void)dup2(devnullfd, STDOUT_FILENO);
+ }
+ if (devnullfd != STDERR_FILENO) {
+ (void)close(STDERR_FILENO);
+ (void)dup2(devnullfd, STDERR_FILENO);
+ }
+ }
+}
+
+void
+ns_os_opendevnull(void) {
+ devnullfd = open("/dev/null", O_RDWR, 0);
+}
+
+void
+ns_os_closedevnull(void) {
+ if (devnullfd != STDIN_FILENO &&
+ devnullfd != STDOUT_FILENO &&
+ devnullfd != STDERR_FILENO) {
+ close(devnullfd);
+ devnullfd = -1;
+ }
+}
+
+static isc_boolean_t
+all_digits(const char *s) {
+ if (*s == '\0')
+ return (ISC_FALSE);
+ while (*s != '\0') {
+ if (!isdigit((*s)&0xff))
+ return (ISC_FALSE);
+ s++;
+ }
+ return (ISC_TRUE);
+}
+
+void
+ns_os_chroot(const char *root) {
+ char strbuf[ISC_STRERRORSIZE];
+ if (root != NULL) {
+ if (chroot(root) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("chroot(): %s", strbuf);
+ }
+ if (chdir("/") < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("chdir(/): %s", strbuf);
+ }
+ }
+}
+
+void
+ns_os_inituserinfo(const char *username) {
+ char strbuf[ISC_STRERRORSIZE];
+ if (username == NULL)
+ return;
+
+ if (all_digits(username))
+ runas_pw = getpwuid((uid_t)atoi(username));
+ else
+ runas_pw = getpwnam(username);
+ endpwent();
+
+ if (runas_pw == NULL)
+ ns_main_earlyfatal("user '%s' unknown", username);
+
+ if (getuid() == 0) {
+ if (initgroups(runas_pw->pw_name, runas_pw->pw_gid) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("initgroups(): %s", strbuf);
+ }
+ }
+
+}
+
+void
+ns_os_changeuser(void) {
+ char strbuf[ISC_STRERRORSIZE];
+ if (runas_pw == NULL || done_setuid)
+ return;
+
+ done_setuid = ISC_TRUE;
+
+#ifdef HAVE_LINUXTHREADS
+#ifdef HAVE_LINUX_CAPABILITY_H
+ if (!non_root_caps)
+#endif
+ ns_main_earlyfatal(
+ "-u not supported on Linux kernels older than "
+ "2.3.99-pre3 or 2.2.18 when using threads");
+#endif
+
+ if (setgid(runas_pw->pw_gid) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("setgid(): %s", strbuf);
+ }
+
+ if (setuid(runas_pw->pw_uid) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ ns_main_earlyfatal("setuid(): %s", strbuf);
+ }
+
+#if defined(HAVE_LINUX_CAPABILITY_H) && !defined(HAVE_LINUXTHREADS)
+ linux_minprivs();
+#endif
+}
+
+void
+ns_os_minprivs(void) {
+#ifdef HAVE_SYS_PRCTL_H
+ linux_keepcaps();
+#endif
+
+#ifdef HAVE_LINUXTHREADS
+ ns_os_changeuser(); /* Call setuid() before threads are started */
+#endif
+
+#if defined(HAVE_LINUX_CAPABILITY_H) && defined(HAVE_LINUXTHREADS)
+ linux_minprivs();
+#endif
+}
+
+static int
+safe_open(const char *filename, isc_boolean_t append) {
+ int fd;
+ struct stat sb;
+
+ if (stat(filename, &sb) == -1) {
+ if (errno != ENOENT)
+ return (-1);
+ } else if ((sb.st_mode & S_IFREG) == 0) {
+ errno = EOPNOTSUPP;
+ return (-1);
+ }
+
+ if (append)
+ fd = open(filename, O_WRONLY|O_CREAT|O_APPEND,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ else {
+ (void)unlink(filename);
+ fd = open(filename, O_WRONLY|O_CREAT|O_EXCL,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+ }
+ return (fd);
+}
+
+static void
+cleanup_pidfile(void) {
+ if (pidfile != NULL) {
+ (void)unlink(pidfile);
+ free(pidfile);
+ }
+ pidfile = NULL;
+}
+
+void
+ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
+ int fd;
+ FILE *lockfile;
+ size_t len;
+ pid_t pid;
+ char strbuf[ISC_STRERRORSIZE];
+ void (*report)(const char *, ...);
+
+ /*
+ * The caller must ensure any required synchronization.
+ */
+
+ report = first_time ? ns_main_earlyfatal : ns_main_earlywarning;
+
+ cleanup_pidfile();
+
+ if (filename == NULL)
+ return;
+
+ len = strlen(filename);
+ pidfile = malloc(len + 1);
+ if (pidfile == NULL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("couldn't malloc '%s': %s", filename, strbuf);
+ return;
+ }
+ /* This is safe. */
+ strcpy(pidfile, filename);
+
+ fd = safe_open(filename, ISC_FALSE);
+ if (fd < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("couldn't open pid file '%s': %s", filename, strbuf);
+ free(pidfile);
+ pidfile = NULL;
+ return;
+ }
+ lockfile = fdopen(fd, "w");
+ if (lockfile == NULL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ (*report)("could not fdopen() pid file '%s': %s",
+ filename, strbuf);
+ (void)close(fd);
+ cleanup_pidfile();
+ return;
+ }
+#ifdef HAVE_LINUXTHREADS
+ pid = mainpid;
+#else
+ pid = getpid();
+#endif
+ if (fprintf(lockfile, "%ld\n", (long)pid) < 0) {
+ (*report)("fprintf() to pid file '%s' failed", filename);
+ (void)fclose(lockfile);
+ cleanup_pidfile();
+ return;
+ }
+ if (fflush(lockfile) == EOF) {
+ (*report)("fflush() to pid file '%s' failed", filename);
+ (void)fclose(lockfile);
+ cleanup_pidfile();
+ return;
+ }
+ (void)fclose(lockfile);
+}
+
+void
+ns_os_shutdown(void) {
+ closelog();
+ cleanup_pidfile();
+}
+
+isc_result_t
+ns_os_gethostname(char *buf, size_t len) {
+ int n;
+
+ n = gethostname(buf, len);
+ return ((n == 0) ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+static char *
+next_token(char **stringp, const char *delim) {
+ char *res;
+
+ do {
+ res = strsep(stringp, delim);
+ if (res == NULL)
+ break;
+ } while (*res == '\0');
+ return (res);
+}
+
+void
+ns_os_shutdownmsg(char *command, isc_buffer_t *text) {
+ char *input, *ptr;
+ unsigned int n;
+ pid_t pid;
+
+ input = command;
+
+ /* Skip the command name. */
+ ptr = next_token(&input, " \t");
+ if (ptr == NULL)
+ return;
+
+ ptr = next_token(&input, " \t");
+ if (ptr == NULL)
+ return;
+
+ if (strcmp(ptr, "-p") != 0)
+ return;
+
+#ifdef HAVE_LINUXTHREADS
+ pid = mainpid;
+#else
+ pid = getpid();
+#endif
+
+ n = snprintf((char *)isc_buffer_used(text),
+ isc_buffer_availablelength(text),
+ "pid: %ld", (long)pid);
+ /* Only send a message if it is complete. */
+ if (n < isc_buffer_availablelength(text))
+ isc_buffer_add(text, n);
+}
+
+void
+ns_os_tzset(void) {
+#ifdef HAVE_TZSET
+ tzset();
+#endif
+}
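Review bot: In `safe_open()`, the file-type test `(sb.st_mode & S_IFREG) == 0` is a bit-mask test rather than a type comparison, so a type whose `S_IFMT` value shares that bit (sockets, on the usual Unix encodings) is accepted as a regular file; `} else if (!S_ISREG(sb.st_mode)) {` states the intended check. The `stat()` result also describes the path only at that instant, and the later `unlink()` and `open()` act on whatever is there by then. The pid-file path is therefore protected by `O_CREAT|O_EXCL` rather than by the `stat()`, while the `append` branch opens without `O_EXCL` and would follow a link if the directory is writable by another account. A comment on `safe_open()` saying that the target directory must be writable only by the server's own account would make that assumption explicit. Since this is imported vendor code, the change is better raised upstream than patched locally.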
diff --git a/contrib/bind9/bin/named/update.c b/contrib/bind9/bin/named/update.c
new file mode 100644
index 0000000..24779b3
--- /dev/null
+++ b/contrib/bind9/bin/named/update.c
@@ -0,0 +1,2811 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: update.c,v 1.88.2.5.2.23 2004/07/23 02:56:52 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/message.h>
+#include <dns/nsec.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/soa.h>
+#include <dns/ssu.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <named/client.h>
+#include <named/log.h>
+#include <named/update.h>
+
+/*
+ * This module implements dynamic update as in RFC2136.
+ */
+
+/*
+ XXX TODO:
+ - document strict minimality
+*/
+
+/**************************************************************************/
+
+/*
+ * Log level for tracing dynamic update protocol requests.
+ */
+#define LOGLEVEL_PROTOCOL ISC_LOG_INFO
+
+/*
+ * Log level for low-level debug tracing.
+ */
+#define LOGLEVEL_DEBUG ISC_LOG_DEBUG(8)
+
+/*
+ * Check an operation for failure. These macros all assume that
+ * the function using them has a 'result' variable and a 'failure'
+ * label.
+ */
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+/*
+ * Fail unconditionally with result 'code', which must not
+ * be ISC_R_SUCCESS. The reason for failure presumably has
+ * been logged already.
+ *
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+
+#define FAIL(code) \
+ do { \
+ result = (code); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+/*
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg) \
+ do { \
+ const char *_what = "failed"; \
+ result = (code); \
+ switch (result) { \
+ case DNS_R_NXDOMAIN: \
+ case DNS_R_YXDOMAIN: \
+ case DNS_R_YXRRSET: \
+ case DNS_R_NXRRSET: \
+ _what = "unsuccessful"; \
+ } \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "update %s: %s (%s)", _what, \
+ msg, isc_result_totext(result)); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define FAILN(code, name, msg) \
+ do { \
+ const char *_what = "failed"; \
+ result = (code); \
+ switch (result) { \
+ case DNS_R_NXDOMAIN: \
+ case DNS_R_YXDOMAIN: \
+ case DNS_R_YXRRSET: \
+ case DNS_R_NXRRSET: \
+ _what = "unsuccessful"; \
+ } \
+ if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
+ char _nbuf[DNS_NAME_FORMATSIZE]; \
+ dns_name_format(name, _nbuf, sizeof(_nbuf)); \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "update %s: %s: %s (%s)", _what, _nbuf, \
+ msg, isc_result_totext(result)); \
+ } \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define FAILNT(code, name, type, msg) \
+ do { \
+ const char *_what = "failed"; \
+ result = (code); \
+ switch (result) { \
+ case DNS_R_NXDOMAIN: \
+ case DNS_R_YXDOMAIN: \
+ case DNS_R_YXRRSET: \
+ case DNS_R_NXRRSET: \
+ _what = "unsuccessful"; \
+ } \
+ if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) { \
+ char _nbuf[DNS_NAME_FORMATSIZE]; \
+ char _tbuf[DNS_RDATATYPE_FORMATSIZE]; \
+ dns_name_format(name, _nbuf, sizeof(_nbuf)); \
+ dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "update %s: %s/%s: %s (%s)", \
+ _what, _nbuf, _tbuf, msg, \
+ isc_result_totext(result)); \
+ } \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+/*
+ * Fail unconditionally and log as a server error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILS(code, msg) \
+ do { \
+ result = (code); \
+ update_log(client, zone, LOGLEVEL_PROTOCOL, \
+ "error: %s: %s", \
+ msg, isc_result_totext(result)); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+/**************************************************************************/
+
+typedef struct rr rr_t;
+
+struct rr {
+ /* dns_name_t name; */
+ isc_uint32_t ttl;
+ dns_rdata_t rdata;
+};
+
+typedef struct update_event update_event_t;
+
+struct update_event {
+ ISC_EVENT_COMMON(update_event_t);
+ dns_zone_t *zone;
+ isc_result_t result;
+ dns_message_t *answer;
+};
+
+/**************************************************************************/
+/*
+ * Forward declarations.
+ */
+
+static void update_action(isc_task_t *task, isc_event_t *event);
+static void updatedone_action(isc_task_t *task, isc_event_t *event);
+static isc_result_t send_forward_event(ns_client_t *client, dns_zone_t *zone);
+static void forward_done(isc_task_t *task, isc_event_t *event);
+
+/**************************************************************************/
+
+static void
+update_log(ns_client_t *client, dns_zone_t *zone,
+ int level, const char *fmt, ...) ISC_FORMAT_PRINTF(4, 5);
+
+static void
+update_log(ns_client_t *client, dns_zone_t *zone,
+ int level, const char *fmt, ...)
+{
+ va_list ap;
+ char message[4096];
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+ if (client == NULL || zone == NULL)
+ return;
+
+ if (isc_log_wouldlog(ns_g_lctx, level) == ISC_FALSE)
+ return;
+
+ dns_name_format(dns_zone_getorigin(zone), namebuf,
+ sizeof(namebuf));
+ dns_rdataclass_format(dns_zone_getclass(zone), classbuf,
+ sizeof(classbuf));
+
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
+ level, "updating zone '%s/%s': %s",
+ namebuf, classbuf, message);
+}
+
+static isc_result_t
+checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
+ dns_name_t *zonename, isc_boolean_t slave)
+{
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+ int level = ISC_LOG_ERROR;
+ const char *msg = "denied";
+ isc_result_t result;
+
+ if (slave && acl == NULL) {
+ result = DNS_R_NOTIMP;
+ level = ISC_LOG_DEBUG(3);
+ msg = "disabled";
+ } else
+ result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+
+ if (result == ISC_R_SUCCESS) {
+ level = ISC_LOG_DEBUG(3);
+ msg = "approved";
+ }
+
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(client->view->rdclass, classbuf,
+ sizeof(classbuf));
+
+ ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+ NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+ message, namebuf, classbuf, msg);
+ return (result);
+}
+
+/*
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * '*tuple' == NULL. Either the tuple is freed, or its
+ * ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple,
+ dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ dns_diff_t temp_diff;
+ isc_result_t result;
+
+ /*
+ * Create a singleton diff.
+ */
+ dns_diff_init(diff->mctx, &temp_diff);
+ ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+ /*
+ * Apply it to the database.
+ */
+ result = dns_diff_apply(&temp_diff, db, ver);
+ ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+ if (result != ISC_R_SUCCESS) {
+ dns_difftuple_free(tuple);
+ return (result);
+ }
+
+ /*
+ * Merge it into the current pending journal entry.
+ */
+ dns_diff_appendminimal(diff, tuple);
+
+ /*
+ * Do not clear temp_diff.
+ */
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Perform the updates in 'updates' in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * 'updates' is empty.
+ */
+static isc_result_t
+do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff)
+{
+ isc_result_t result;
+ while (! ISC_LIST_EMPTY(updates->tuples)) {
+ dns_difftuple_t *t = ISC_LIST_HEAD(updates->tuples);
+ ISC_LIST_UNLINK(updates->tuples, t, link);
+ CHECK(do_one_tuple(&t, db, ver, diff));
+ }
+ return (ISC_R_SUCCESS);
+
+ failure:
+ dns_diff_clear(diff);
+ return (result);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+ dns_diffop_t op, dns_name_t *name,
+ dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+ dns_difftuple_t *tuple = NULL;
+ isc_result_t result;
+ result = dns_difftuple_create(diff->mctx, op,
+ name, ttl, rdata, &tuple);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+/**************************************************************************/
+/*
+ * Callback-style iteration over rdatasets and rdatas.
+ *
+ * foreach_rrset() can be used to iterate over the RRsets
+ * of a name and call a callback function with each
+ * one. Similarly, foreach_rr() can be used to iterate
+ * over the individual RRs at name, optionally restricted
+ * to RRs of a given type.
+ *
+ * The callback functions are called "actions" and take
+ * two arguments: a void pointer for passing arbitrary
+ * context information, and a pointer to the current RRset
+ * or RR. By convention, their names end in "_action".
+ */
+
+/*
+ * XXXRTH We might want to make this public somewhere in libdns.
+ */
+
+/*
+ * Function type for foreach_rrset() iterator actions.
+ */
+typedef isc_result_t rrset_func(void *data, dns_rdataset_t *rrset);
+
+/*
+ * Function type for foreach_rr() iterator actions.
+ */
+typedef isc_result_t rr_func(void *data, rr_t *rr);
+
+/*
+ * Internal context struct for foreach_node_rr().
+ */
+typedef struct {
+ rr_func * rr_action;
+ void * rr_action_data;
+} foreach_node_rr_ctx_t;
+
+/*
+ * Internal helper function for foreach_node_rr().
+ */
+static isc_result_t
+foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ foreach_node_rr_ctx_t *ctx = data;
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ rr_t rr = { 0, DNS_RDATA_INIT };
+
+ dns_rdataset_current(rdataset, &rr.rdata);
+ rr.ttl = rdataset->ttl;
+ result = (*ctx->rr_action)(ctx->rr_action_data, &rr);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (result != ISC_R_NOMORE)
+ return (result);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * For each rdataset of 'name' in 'ver' of 'db', call 'action'
+ * with the rdataset and 'action_data' as arguments. If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rrset(dns_db_t *db,
+ dns_dbversion_t *ver,
+ dns_name_t *name,
+ rrset_func *action,
+ void *action_data)
+{
+ isc_result_t result;
+ dns_dbnode_t *node;
+ dns_rdatasetiter_t *iter;
+
+ node = NULL;
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ iter = NULL;
+ result = dns_db_allrdatasets(db, node, ver,
+ (isc_stdtime_t) 0, &iter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_node;
+
+ for (result = dns_rdatasetiter_first(iter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(iter))
+ {
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ dns_rdatasetiter_current(iter, &rdataset);
+
+ result = (*action)(action_data, &rdataset);
+
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_iterator;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+ dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+ dns_db_detachnode(db, &node);
+
+ return (result);
+}
+
+/*
+ * For each RR of 'name' in 'ver' of 'db', call 'action'
+ * with the RR and 'action_data' as arguments. If the name
+ * does not exist, do nothing.
+ *
+ * If 'action' returns an error, abort iteration
+ * and return the error.
+ */
+static isc_result_t
+foreach_node_rr(dns_db_t *db,
+ dns_dbversion_t *ver,
+ dns_name_t *name,
+ rr_func *rr_action,
+ void *rr_action_data)
+{
+ foreach_node_rr_ctx_t ctx;
+ ctx.rr_action = rr_action;
+ ctx.rr_action_data = rr_action_data;
+ return (foreach_rrset(db, ver, name,
+ foreach_node_rr_action, &ctx));
+}
+
+
+/*
+ * For each of the RRs specified by 'db', 'ver', 'name', 'type',
+ * (which can be dns_rdatatype_any to match any type), and 'covers', call
+ * 'action' with the RR and 'action_data' as arguments. If the name
+ * does not exist, or if no RRset of the given type exists at the name,
+ * do nothing.
+ *
+ * If 'action' returns an error, abort iteration and return the error.
+ */
+static isc_result_t
+foreach_rr(dns_db_t *db,
+ dns_dbversion_t *ver,
+ dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ rr_func *rr_action,
+ void *rr_action_data)
+{
+
+ isc_result_t result;
+ dns_dbnode_t *node;
+ dns_rdataset_t rdataset;
+
+ if (type == dns_rdatatype_any)
+ return (foreach_node_rr(db, ver, name,
+ rr_action, rr_action_data));
+
+ node = NULL;
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, ver, type, covers,
+ (isc_stdtime_t) 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ result = ISC_R_SUCCESS;
+ goto cleanup_node;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_node;
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ rr_t rr = { 0, DNS_RDATA_INIT };
+ dns_rdataset_current(&rdataset, &rr.rdata);
+ rr.ttl = rdataset.ttl;
+ result = (*rr_action)(rr_action_data, &rr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_rdataset;
+ }
+ if (result != ISC_R_NOMORE)
+ goto cleanup_rdataset;
+ result = ISC_R_SUCCESS;
+
+ cleanup_rdataset:
+ dns_rdataset_disassociate(&rdataset);
+ cleanup_node:
+ dns_db_detachnode(db, &node);
+
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * Various tests on the database contents (for prerequisites, etc).
+ */
+
+/*
+ * Function type for predicate functions that compare a database RR 'db_rr'
+ * against an update RR 'update_rr'.
+ */
+typedef isc_boolean_t rr_predicate(dns_rdata_t *update_rr, dns_rdata_t *db_rr);
+
+/*
+ * Helper function for rrset_exists().
+ */
+static isc_result_t
+rrset_exists_action(void *data, rr_t *rr) {
+ UNUSED(data);
+ UNUSED(rr);
+ return (ISC_R_EXISTS);
+}
+
+/*
+ * Utility macro for RR existence checking functions.
+ *
+ * If the variable 'result' has the value ISC_R_EXISTS or
+ * ISC_R_SUCCESS, set *exists to ISC_TRUE or ISC_FALSE,
+ * respectively, and return success.
+ *
+ * If 'result' has any other value, there was a failure.
+ * Return the failure result code and do not set *exists.
+ *
+ * This would be more readable as "do { if ... } while(0)",
+ * but that form generates tons of warnings on Solaris 2.6.
+ */
+#define RETURN_EXISTENCE_FLAG \
+ return ((result == ISC_R_EXISTS) ? \
+ (*exists = ISC_TRUE, ISC_R_SUCCESS) : \
+ ((result == ISC_R_SUCCESS) ? \
+ (*exists = ISC_FALSE, ISC_R_SUCCESS) : \
+ result))
+
+/*
+ * Set '*exists' to true iff an rrset of the given type exists,
+ * to false otherwise.
+ */
+static isc_result_t
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+ dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_boolean_t *exists)
+{
+ isc_result_t result;
+ result = foreach_rr(db, ver, name, type, covers,
+ rrset_exists_action, NULL);
+ RETURN_EXISTENCE_FLAG;
+}
+
+/*
+ * Helper function for cname_incompatible_rrset_exists.
+ */
+static isc_result_t
+cname_compatibility_action(void *data, dns_rdataset_t *rrset) {
+ UNUSED(data);
+ if (rrset->type != dns_rdatatype_cname &&
+ ! dns_rdatatype_isdnssec(rrset->type))
+ return (ISC_R_EXISTS);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Check whether there is an rrset incompatible with adding a CNAME RR,
+ * i.e., anything but another CNAME (which can be replaced) or a
+ * DNSSEC RR (which can coexist).
+ *
+ * If such an incompatible rrset exists, set '*exists' to ISC_TRUE.
+ * Otherwise, set it to ISC_FALSE.
+ */
+static isc_result_t
+cname_incompatible_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+ dns_name_t *name, isc_boolean_t *exists) {
+ isc_result_t result;
+ result = foreach_rrset(db, ver, name,
+ cname_compatibility_action, NULL);
+ RETURN_EXISTENCE_FLAG;
+}
+
+/*
+ * Helper function for rr_count().
+ */
+static isc_result_t
+count_rr_action(void *data, rr_t *rr) {
+ int *countp = data;
+ UNUSED(rr);
+ (*countp)++;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Count the number of RRs of 'type' belonging to 'name' in 'ver' of 'db'.
+ */
+static isc_result_t
+rr_count(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdatatype_t covers, int *countp)
+{
+ *countp = 0;
+ return (foreach_rr(db, ver, name, type, covers,
+ count_rr_action, countp));
+}
+
+/*
+ * Context struct and helper function for name_exists().
+ */
+
+static isc_result_t
+name_exists_action(void *data, dns_rdataset_t *rrset) {
+ UNUSED(data);
+ UNUSED(rrset);
+ return (ISC_R_EXISTS);
+}
+
+/*
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ isc_boolean_t *exists)
+{
+ isc_result_t result;
+ result = foreach_rrset(db, ver, name,
+ name_exists_action, NULL);
+ RETURN_EXISTENCE_FLAG;
+}
+
+typedef struct {
+ dns_name_t *name, *signer;
+ dns_ssutable_t *table;
+} ssu_check_t;
+
+static isc_result_t
+ssu_checkrule(void *data, dns_rdataset_t *rrset) {
+ ssu_check_t *ssuinfo = data;
+ isc_boolean_t result;
+
+ /*
+ * If we're deleting all records, it's ok to delete RRSIG and NSEC even
+ * if we're normally not allowed to.
+ */
+ if (rrset->type == dns_rdatatype_rrsig ||
+ rrset->type == dns_rdatatype_nsec)
+ return (ISC_TRUE);
+ result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
+ ssuinfo->name, rrset->type);
+ return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
+}
+
+static isc_boolean_t
+ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_ssutable_t *ssutable, dns_name_t *signer)
+{
+ isc_result_t result;
+ ssu_check_t ssuinfo;
+
+ ssuinfo.name = name;
+ ssuinfo.table = ssutable;
+ ssuinfo.signer = signer;
+ result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+/**************************************************************************/
+/*
+ * Checking of "RRset exists (value dependent)" prerequisites.
+ *
+ * In the RFC2136 section 3.2.5, this is the pseudocode involving
+ * a variable called "temp", a mapping of <name, type> tuples to rrsets.
+ *
+ * Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t"
+ * where each typle has op==DNS_DIFFOP_EXISTS.
+ */
+
+
+/*
+ * Append a tuple asserting the existence of the RR with
+ * 'name' and 'rdata' to 'diff'.
+ */
+static isc_result_t
+temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
+ isc_result_t result;
+ dns_difftuple_t *tuple = NULL;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
+ name, 0, rdata, &tuple));
+ ISC_LIST_APPEND(diff->tuples, tuple, link);
+ failure:
+ return (result);
+}
+
+/*
+ * Compare two rdatasets represented as sorted lists of tuples.
+ * All list elements must have the same owner name and type.
+ * Return ISC_R_SUCCESS if the rdatasets are equal, rcode(dns_rcode_nxrrset)
+ * if not.
+ */
+static isc_result_t
+temp_check_rrset(dns_difftuple_t *a, dns_difftuple_t *b) {
+ for (;;) {
+ if (a == NULL || b == NULL)
+ break;
+ INSIST(a->op == DNS_DIFFOP_EXISTS &&
+ b->op == DNS_DIFFOP_EXISTS);
+ INSIST(a->rdata.type == b->rdata.type);
+ INSIST(dns_name_equal(&a->name, &b->name));
+ if (dns_rdata_compare(&a->rdata, &b->rdata) != 0)
+ return (DNS_R_NXRRSET);
+ a = ISC_LIST_NEXT(a, link);
+ b = ISC_LIST_NEXT(b, link);
+ }
+ if (a != NULL || b != NULL)
+ return (DNS_R_NXRRSET);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * A comparison function defining the sorting order for the entries
+ * in the "temp" data structure. The major sort key is the owner name,
+ * followed by the type and rdata.
+ */
+static int
+temp_order(const void *av, const void *bv) {
+ dns_difftuple_t const * const *ap = av;
+ dns_difftuple_t const * const *bp = bv;
+ dns_difftuple_t const *a = *ap;
+ dns_difftuple_t const *b = *bp;
+ int r;
+ r = dns_name_compare(&a->name, &b->name);
+ if (r != 0)
+ return (r);
+ r = (b->rdata.type - a->rdata.type);
+ if (r != 0)
+ return (r);
+ r = dns_rdata_compare(&a->rdata, &b->rdata);
+ return (r);
+}
+
+/*
+ * Check the "RRset exists (value dependent)" prerequisite information
+ * in 'temp' against the contents of the database 'db'.
+ *
+ * Return ISC_R_SUCCESS if the prerequisites are satisfied,
+ * rcode(dns_rcode_nxrrset) if not.
+ *
+ * 'temp' must be pre-sorted.
+ */
+
+static isc_result_t
+temp_check(isc_mem_t *mctx, dns_diff_t *temp, dns_db_t *db,
+ dns_dbversion_t *ver, dns_name_t *tmpname, dns_rdatatype_t *typep)
+{
+ isc_result_t result;
+ dns_name_t *name;
+ dns_dbnode_t *node;
+ dns_difftuple_t *t;
+ dns_diff_t trash;
+
+ dns_diff_init(mctx, &trash);
+
+ /*
+ * For each name and type in the prerequisites,
+ * construct a sorted rdata list of the corresponding
+ * database contents, and compare the lists.
+ */
+ t = ISC_LIST_HEAD(temp->tuples);
+ while (t != NULL) {
+ name = &t->name;
+ (void)dns_name_copy(name, tmpname, NULL);
+ *typep = t->rdata.type;
+
+ /* A new unique name begins here. */
+ node = NULL;
+ result = dns_db_findnode(db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND)
+ return (DNS_R_NXRRSET);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /* A new unique type begins here. */
+ while (t != NULL && dns_name_equal(&t->name, name)) {
+ dns_rdatatype_t type, covers;
+ dns_rdataset_t rdataset;
+ dns_diff_t d_rrs; /* Database RRs with
+ this name and type */
+ dns_diff_t u_rrs; /* Update RRs with
+ this name and type */
+
+ *typep = type = t->rdata.type;
+ if (type == dns_rdatatype_rrsig ||
+ type == dns_rdatatype_sig)
+ covers = dns_rdata_covers(&t->rdata);
+ else
+ covers = 0;
+
+ /*
+ * Collect all database RRs for this name and type
+ * onto d_rrs and sort them.
+ */
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, ver, type,
+ covers, (isc_stdtime_t) 0,
+ &rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(db, &node);
+ return (DNS_R_NXRRSET);
+ }
+
+ dns_diff_init(mctx, &d_rrs);
+ dns_diff_init(mctx, &u_rrs);
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ result = temp_append(&d_rrs, name, &rdata);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+ result = dns_diff_sort(&d_rrs, temp_order);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ /*
+ * Collect all update RRs for this name and type
+ * onto u_rrs. No need to sort them here -
+ * they are already sorted.
+ */
+ while (t != NULL &&
+ dns_name_equal(&t->name, name) &&
+ t->rdata.type == type)
+ {
+ dns_difftuple_t *next =
+ ISC_LIST_NEXT(t, link);
+ ISC_LIST_UNLINK(temp->tuples, t, link);
+ ISC_LIST_APPEND(u_rrs.tuples, t, link);
+ t = next;
+ }
+
+ /* Compare the two sorted lists. */
+ result = temp_check_rrset(ISC_LIST_HEAD(u_rrs.tuples),
+ ISC_LIST_HEAD(d_rrs.tuples));
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ /*
+ * We are done with the tuples, but we can't free
+ * them yet because "name" still points into one
+ * of them. Move them on a temporary list.
+ */
+ ISC_LIST_APPENDLIST(trash.tuples, u_rrs.tuples, link);
+ ISC_LIST_APPENDLIST(trash.tuples, d_rrs.tuples, link);
+ dns_rdataset_disassociate(&rdataset);
+
+ continue;
+
+ failure:
+ dns_diff_clear(&d_rrs);
+ dns_diff_clear(&u_rrs);
+ dns_diff_clear(&trash);
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ return (result);
+ }
+
+ dns_db_detachnode(db, &node);
+ }
+
+ dns_diff_clear(&trash);
+ return (ISC_R_SUCCESS);
+}
+
+/**************************************************************************/
+/*
+ * Conditional deletion of RRs.
+ */
+
+/*
+ * Context structure for delete_if().
+ */
+
+typedef struct {
+ rr_predicate *predicate;
+ dns_db_t *db;
+ dns_dbversion_t *ver;
+ dns_diff_t *diff;
+ dns_name_t *name;
+ dns_rdata_t *update_rr;
+} conditional_delete_ctx_t;
+
+/*
+ * Predicate functions for delete_if().
+ */
+
+/*
+ * Return true iff 'update_rr' is neither a SOA nor an NS RR.
+ */
+static isc_boolean_t
+type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ UNUSED(update_rr);
+ return ((db_rr->type != dns_rdatatype_soa &&
+ db_rr->type != dns_rdatatype_ns) ?
+ ISC_TRUE : ISC_FALSE);
+}
+
+/*
+ * Return true always.
+ */
+static isc_boolean_t
+true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ UNUSED(update_rr);
+ UNUSED(db_rr);
+ return (ISC_TRUE);
+}
+
+/*
+ * Return true iff the two RRs have identical rdata.
+ */
+static isc_boolean_t
+rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ /*
+ * XXXRTH This is not a problem, but we should consider creating
+ * dns_rdata_equal() (that used dns_name_equal()), since it
+ * would be faster. Not a priority.
+ */
+ return (dns_rdata_compare(update_rr, db_rr) == 0 ?
+ ISC_TRUE : ISC_FALSE);
+}
+
+/*
+ * Return true iff 'update_rr' should replace 'db_rr' according
+ * to the special RFC2136 rules for CNAME, SOA, and WKS records.
+ *
+ * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
+ * make little sense, so we replace those, too.
+ */
+static isc_boolean_t
+replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+ if (db_rr->type != update_rr->type)
+ return (ISC_FALSE);
+ if (db_rr->type == dns_rdatatype_cname)
+ return (ISC_TRUE);
+ if (db_rr->type == dns_rdatatype_dname)
+ return (ISC_TRUE);
+ if (db_rr->type == dns_rdatatype_soa)
+ return (ISC_TRUE);
+ if (db_rr->type == dns_rdatatype_nsec)
+ return (ISC_TRUE);
+ if (db_rr->type == dns_rdatatype_wks) {
+ /*
+ * Compare the address and protocol fields only. These
+ * form the first five bytes of the RR data. Do a
+ * raw binary comparison; unpacking the WKS RRs using
+ * dns_rdata_tostruct() might be cleaner in some ways,
+ * but it would require us to pass around an mctx.
+ */
+ INSIST(db_rr->length >= 5 && update_rr->length >= 5);
+ return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
+ ISC_TRUE : ISC_FALSE);
+ }
+ return (ISC_FALSE);
+}
+
+/*
+ * Internal helper function for delete_if().
+ */
+static isc_result_t
+delete_if_action(void *data, rr_t *rr) {
+ conditional_delete_ctx_t *ctx = data;
+ if ((*ctx->predicate)(ctx->update_rr, &rr->rdata)) {
+ isc_result_t result;
+ result = update_one_rr(ctx->db, ctx->ver, ctx->diff,
+ DNS_DIFFOP_DEL, ctx->name,
+ rr->ttl, &rr->rdata);
+ return (result);
+ } else {
+ return (ISC_R_SUCCESS);
+ }
+}
+
+/*
+ * Conditionally delete RRs. Apply 'predicate' to the RRs
+ * specified by 'db', 'ver', 'name', and 'type' (which can
+ * be dns_rdatatype_any to match any type). Delete those
+ * RRs for which the predicate returns true, and log the
+ * deletions in 'diff'.
+ */
+static isc_result_t
+delete_if(rr_predicate *predicate,
+ dns_db_t *db,
+ dns_dbversion_t *ver,
+ dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ dns_rdata_t *update_rr,
+ dns_diff_t *diff)
+{
+ conditional_delete_ctx_t ctx;
+ ctx.predicate = predicate;
+ ctx.db = db;
+ ctx.ver = ver;
+ ctx.diff = diff;
+ ctx.name = name;
+ ctx.update_rr = update_rr;
+ return (foreach_rr(db, ver, name, type, covers,
+ delete_if_action, &ctx));
+}
+
+/**************************************************************************/
+/*
+ * Prepare an RR for the addition of the new RR 'ctx->update_rr',
+ * with TTL 'ctx->update_rr_ttl', to its rdataset, by deleting
+ * the RRs if it is replaced by the new RR or has a conflicting TTL.
+ * The necessary changes are appended to ctx->del_diff and ctx->add_diff;
+ * we need to do all deletions before any additions so that we don't run
+ * into transient states with conflicting TTLs.
+ */
+
+typedef struct {
+ dns_db_t *db;
+ dns_dbversion_t *ver;
+ dns_diff_t *diff;
+ dns_name_t *name;
+ dns_rdata_t *update_rr;
+ dns_ttl_t update_rr_ttl;
+ isc_boolean_t ignore_add;
+ dns_diff_t del_diff;
+ dns_diff_t add_diff;
+} add_rr_prepare_ctx_t;
+
+static isc_result_t
+add_rr_prepare_action(void *data, rr_t *rr) {
+ isc_result_t result = ISC_R_SUCCESS;
+ add_rr_prepare_ctx_t *ctx = data;
+ dns_difftuple_t *tuple = NULL;
+ isc_boolean_t equal;
+
+ /*
+ * If the update RR is a "duplicate" of the update RR,
+ * the update should be silently ignored.
+ */
+ equal = ISC_TF(dns_rdata_compare(&rr->rdata, ctx->update_rr) == 0);
+ if (equal && rr->ttl == ctx->update_rr_ttl) {
+ ctx->ignore_add = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this RR is "equal" to the update RR, it should
+ * be deleted before the update RR is added.
+ */
+ if (replaces_p(ctx->update_rr, &rr->rdata)) {
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx,
+ DNS_DIFFOP_DEL, ctx->name,
+ rr->ttl,
+ &rr->rdata,
+ &tuple));
+ dns_diff_append(&ctx->del_diff, &tuple);
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * If this RR differs in TTL from the update RR,
+ * its TTL must be adjusted.
+ */
+ if (rr->ttl != ctx->update_rr_ttl) {
+ CHECK(dns_difftuple_create(ctx->del_diff.mctx,
+ DNS_DIFFOP_DEL, ctx->name,
+ rr->ttl,
+ &rr->rdata,
+ &tuple));
+ dns_diff_append(&ctx->del_diff, &tuple);
+ if (!equal) {
+ CHECK(dns_difftuple_create(ctx->add_diff.mctx,
+ DNS_DIFFOP_ADD, ctx->name,
+ ctx->update_rr_ttl,
+ &rr->rdata,
+ &tuple));
+ dns_diff_append(&ctx->add_diff, &tuple);
+ }
+ }
+ failure:
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * Miscellaneous subroutines.
+ */
+
+/*
+ * Extract a single update RR from 'section' of dynamic update message
+ * 'msg', with consistency checking.
+ *
+ * Stores the owner name, rdata, and TTL of the update RR at 'name',
+ * 'rdata', and 'ttl', respectively.
+ */
+static void
+get_current_rr(dns_message_t *msg, dns_section_t section,
+ dns_rdataclass_t zoneclass,
+ dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers,
+ dns_ttl_t *ttl,
+ dns_rdataclass_t *update_class)
+{
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+ dns_message_currentname(msg, section, name);
+ rdataset = ISC_LIST_HEAD((*name)->list);
+ INSIST(rdataset != NULL);
+ INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+ *covers = rdataset->covers;
+ *ttl = rdataset->ttl;
+ result = dns_rdataset_first(rdataset);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(rdataset, rdata);
+ INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
+ *update_class = rdata->rdclass;
+ rdata->rdclass = zoneclass;
+}
+
+/*
+ * Increment the SOA serial number of database 'db', version 'ver'.
+ * Replace the SOA record in the database, and log the
+ * change in 'diff'.
+ */
+
+ /*
+ * XXXRTH Failures in this routine will be worth logging, when
+ * we have a logging system. Failure to find the zonename
+ * or the SOA rdataset warrant at least an UNEXPECTED_ERROR().
+ */
+
+static isc_result_t
+increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
+ dns_diff_t *diff, isc_mem_t *mctx)
+{
+ dns_difftuple_t *deltuple = NULL;
+ dns_difftuple_t *addtuple = NULL;
+ isc_uint32_t serial;
+ isc_result_t result;
+
+ CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+ CHECK(dns_difftuple_copy(deltuple, &addtuple));
+ addtuple->op = DNS_DIFFOP_ADD;
+
+ serial = dns_soa_getserial(&addtuple->rdata);
+
+ /* RFC1982 */
+ serial = (serial + 1) & 0xFFFFFFFF;
+ if (serial == 0)
+ serial = 1;
+
+ dns_soa_setserial(serial, &addtuple->rdata);
+ CHECK(do_one_tuple(&deltuple, db, ver, diff));
+ CHECK(do_one_tuple(&addtuple, db, ver, diff));
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (addtuple != NULL)
+ dns_difftuple_free(&addtuple);
+ if (deltuple != NULL)
+ dns_difftuple_free(&deltuple);
+ return (result);
+}
+
+/*
+ * Check that the new SOA record at 'update_rdata' does not
+ * illegally cause the SOA serial number to decrease or stay
+ * unchanged relative to the existing SOA in 'db'.
+ *
+ * Sets '*ok' to ISC_TRUE if the update is legal, ISC_FALSE if not.
+ *
+ * William King points out that RFC2136 is inconsistent about
+ * the case where the serial number stays unchanged:
+ *
+ * section 3.4.2.2 requires a server to ignore a SOA update request
+ * if the serial number on the update SOA is less_than_or_equal to
+ * the zone SOA serial.
+ *
+ * section 3.6 requires a server to ignore a SOA update request if
+ * the serial is less_than the zone SOA serial.
+ *
+ * Paul says 3.4.2.2 is correct.
+ *
+ */
+static isc_result_t
+check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
+ dns_rdata_t *update_rdata,
+ isc_boolean_t *ok)
+{
+ isc_uint32_t db_serial;
+ isc_uint32_t update_serial;
+ isc_result_t result;
+
+ update_serial = dns_soa_getserial(update_rdata);
+
+ result = dns_db_getsoaserial(db, ver, &db_serial);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (DNS_SERIAL_GE(db_serial, update_serial)) {
+ *ok = ISC_FALSE;
+ } else {
+ *ok = ISC_TRUE;
+ }
+
+ return (ISC_R_SUCCESS);
+
+}
+
+/**************************************************************************/
+/*
+ * Incremental updating of NSECs and RRSIGs.
+ */
+
+#define MAXZONEKEYS 32 /* Maximum number of zone keys supported. */
+
+/*
+ * We abuse the dns_diff_t type to represent a set of domain names
+ * affected by the update.
+ */
+static isc_result_t
+namelist_append_name(dns_diff_t *list, dns_name_t *name) {
+ isc_result_t result;
+ dns_difftuple_t *tuple = NULL;
+ static dns_rdata_t dummy_rdata = { NULL, 0, 0, 0, 0,
+ { (void*)(-1), (void*)(-1) } };
+ CHECK(dns_difftuple_create(list->mctx, DNS_DIFFOP_EXISTS, name, 0,
+ &dummy_rdata, &tuple));
+ dns_diff_append(list, &tuple);
+ failure:
+ return (result);
+}
+
+static isc_result_t
+namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
+{
+ isc_result_t result;
+ dns_fixedname_t fixedname;
+ dns_name_t *child;
+ dns_dbiterator_t *dbit = NULL;
+
+ dns_fixedname_init(&fixedname);
+ child = dns_fixedname_name(&fixedname);
+
+ CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+
+ for (result = dns_dbiterator_seek(dbit, name);
+ result == ISC_R_SUCCESS;
+ result = dns_dbiterator_next(dbit))
+ {
+ dns_dbnode_t *node = NULL;
+ CHECK(dns_dbiterator_current(dbit, &node, child));
+ dns_db_detachnode(db, &node);
+ if (! dns_name_issubdomain(child, name))
+ break;
+ CHECK(namelist_append_name(affected, child));
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ failure:
+ if (dbit != NULL)
+ dns_dbiterator_destroy(&dbit);
+ return (result);
+}
+
+
+
+/*
+ * Helper function for non_nsec_rrset_exists().
+ */
+static isc_result_t
+is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
+ UNUSED(data);
+ if (!(rrset->type == dns_rdatatype_nsec ||
+ (rrset->type == dns_rdatatype_rrsig &&
+ rrset->covers == dns_rdatatype_nsec)))
+ return (ISC_R_EXISTS);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Check whether there is an rrset other than a NSEC or RRSIG NSEC,
+ * i.e., anything that justifies the continued existence of a name
+ * after a secure update.
+ *
+ * If such an rrset exists, set '*exists' to ISC_TRUE.
+ * Otherwise, set it to ISC_FALSE.
+ */
+static isc_result_t
+non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
+ dns_name_t *name, isc_boolean_t *exists)
+{
+ isc_result_t result;
+ result = foreach_rrset(db, ver, name,
+ is_non_nsec_action, NULL);
+ RETURN_EXISTENCE_FLAG;
+}
+
+/*
+ * A comparison function for sorting dns_diff_t:s by name.
+ */
+static int
+name_order(const void *av, const void *bv) {
+ dns_difftuple_t const * const *ap = av;
+ dns_difftuple_t const * const *bp = bv;
+ dns_difftuple_t const *a = *ap;
+ dns_difftuple_t const *b = *bp;
+ return (dns_name_compare(&a->name, &b->name));
+}
+
+static isc_result_t
+uniqify_name_list(dns_diff_t *list) {
+ isc_result_t result;
+ dns_difftuple_t *p, *q;
+
+ CHECK(dns_diff_sort(list, name_order));
+
+ p = ISC_LIST_HEAD(list->tuples);
+ while (p != NULL) {
+ do {
+ q = ISC_LIST_NEXT(p, link);
+ if (q == NULL || ! dns_name_equal(&p->name, &q->name))
+ break;
+ ISC_LIST_UNLINK(list->tuples, q, link);
+ dns_difftuple_free(&q);
+ } while (1);
+ p = ISC_LIST_NEXT(p, link);
+ }
+ failure:
+ return (result);
+}
+
+
+static isc_result_t
+is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ isc_boolean_t *flag)
+{
+ isc_result_t result;
+ dns_fixedname_t foundname;
+ dns_fixedname_init(&foundname);
+ result = dns_db_find(db, name, ver, dns_rdatatype_any,
+ DNS_DBFIND_GLUEOK | DNS_DBFIND_NOWILD,
+ (isc_stdtime_t) 0, NULL,
+ dns_fixedname_name(&foundname),
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ *flag = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ } else if (result == DNS_R_ZONECUT) {
+ /*
+ * We are at the zonecut. The name will have an NSEC, but
+ * non-delegation will be omitted from the type bit map.
+ */
+ *flag = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ } else if (result == DNS_R_GLUE || result == DNS_R_DNAME) {
+ *flag = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ } else {
+ return (result);
+ }
+}
+
+/*
+ * Find the next/previous name that has a NSEC record.
+ * In other words, skip empty database nodes and names that
+ * have had their NSECs removed because they are obscured by
+ * a zone cut.
+ */
+static isc_result_t
+next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *ver, dns_name_t *oldname, dns_name_t *newname,
+ isc_boolean_t forward)
+{
+ isc_result_t result;
+ dns_dbiterator_t *dbit = NULL;
+ isc_boolean_t has_nsec;
+ unsigned int wraps = 0;
+
+ CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+
+ CHECK(dns_dbiterator_seek(dbit, oldname));
+ do {
+ dns_dbnode_t *node = NULL;
+
+ if (forward)
+ result = dns_dbiterator_next(dbit);
+ else
+ result = dns_dbiterator_prev(dbit);
+ if (result == ISC_R_NOMORE) {
+ /*
+ * Wrap around.
+ */
+ if (forward)
+ CHECK(dns_dbiterator_first(dbit));
+ else
+ CHECK(dns_dbiterator_last(dbit));
+ wraps++;
+ if (wraps == 2) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "secure zone with no NSECs");
+ result = DNS_R_BADZONE;
+ goto failure;
+ }
+ }
+ CHECK(dns_dbiterator_current(dbit, &node, newname));
+ dns_db_detachnode(db, &node);
+
+ /*
+ * The iterator may hold the tree lock, and
+ * rrset_exists() calls dns_db_findnode() which
+ * may try to reacquire it. To avoid deadlock
+ * we must pause the iterator first.
+ */
+ CHECK(dns_dbiterator_pause(dbit));
+ CHECK(rrset_exists(db, ver, newname,
+ dns_rdatatype_nsec, 0, &has_nsec));
+
+ } while (! has_nsec);
+ failure:
+ if (dbit != NULL)
+ dns_dbiterator_destroy(&dbit);
+
+ return (result);
+}
+
+/*
+ * Add a NSEC record for "name", recording the change in "diff".
+ * The existing NSEC is removed.
+ */
+static isc_result_t
+add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *ver, dns_name_t *name, dns_diff_t *diff)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ unsigned char buffer[DNS_NSEC_BUFFERSIZE];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_difftuple_t *tuple = NULL;
+ dns_fixedname_t fixedname;
+ dns_name_t *target;
+
+ dns_fixedname_init(&fixedname);
+ target = dns_fixedname_name(&fixedname);
+
+ /*
+ * Find the successor name, aka NSEC target.
+ */
+ CHECK(next_active(client, zone, db, ver, name, target, ISC_TRUE));
+
+ /*
+ * Create the NSEC RDATA.
+ */
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ dns_rdata_init(&rdata);
+ CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
+ dns_db_detachnode(db, &node);
+
+ /*
+ * Delete the old NSEC and record the change.
+ */
+ CHECK(delete_if(true_p, db, ver, name, dns_rdatatype_nsec, 0,
+ NULL, diff));
+ /*
+ * Add the new NSEC and record the change.
+ */
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
+ 3600, /* XXXRTH */
+ &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ INSIST(tuple == NULL);
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+/*
+ * Add a placeholder NSEC record for "name", recording the change in "diff".
+ */
+static isc_result_t
+add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_diff_t *diff) {
+ isc_result_t result;
+ dns_difftuple_t *tuple = NULL;
+ isc_region_t r;
+ unsigned char data[1] = { 0 }; /* The root domain, no bits. */
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ r.base = data;
+ r.length = sizeof(data);
+ dns_rdata_fromregion(&rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
+ CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name, 0,
+ &rdata, &tuple));
+ CHECK(do_one_tuple(&tuple, db, ver, diff));
+ failure:
+ return (result);
+}
+
+static isc_result_t
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+ isc_mem_t *mctx, unsigned int maxkeys,
+ dst_key_t **keys, unsigned int *nkeys)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ const char *directory = dns_zone_getkeydirectory(zone);
+ CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+ CHECK(dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
+ directory, mctx, maxkeys, keys, nkeys));
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+/*
+ * Add RRSIG records for an RRset, recording the change in "diff".
+ */
+static isc_result_t
+add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+ dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
+ unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
+ isc_stdtime_t expire)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+ isc_buffer_t buffer;
+ unsigned char data[1024]; /* XXX */
+ unsigned int i;
+
+ dns_rdataset_init(&rdataset);
+ isc_buffer_init(&buffer, data, sizeof(data));
+
+ /* Get the rdataset to sign. */
+ CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+ CHECK(dns_db_findrdataset(db, node, ver, type, 0,
+ (isc_stdtime_t) 0,
+ &rdataset, NULL));
+ dns_db_detachnode(db, &node);
+
+ for (i = 0; i < nkeys; i++) {
+ /* Calculate the signature, creating a RRSIG RDATA. */
+ CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+ &inception, &expire,
+ mctx, &buffer, &sig_rdata));
+
+ /* Update the database and journal with the RRSIG. */
+ /* XXX inefficient - will cause dataset merging */
+ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
+ rdataset.ttl, &sig_rdata));
+ dns_rdata_reset(&sig_rdata);
+ }
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+/*
+ * Update RRSIG and NSEC records affected by an update. The original
+ * update, including the SOA serial update but exluding the RRSIG & NSEC
+ * changes, is in "diff" and has already been applied to "newver" of "db".
+ * The database version prior to the update is "oldver".
+ *
+ * The necessary RRSIG and NSEC changes will be applied to "newver"
+ * and added (as a minimal diff) to "diff".
+ *
+ * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
+ */
+static isc_result_t
+update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+ dns_dbversion_t *oldver, dns_dbversion_t *newver,
+ dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
+{
+ isc_result_t result;
+ dns_difftuple_t *t;
+ dns_diff_t diffnames;
+ dns_diff_t affected;
+ dns_diff_t sig_diff;
+ dns_diff_t nsec_diff;
+ dns_diff_t nsec_mindiff;
+ isc_boolean_t flag;
+ dst_key_t *zone_keys[MAXZONEKEYS];
+ unsigned int nkeys = 0;
+ unsigned int i;
+ isc_stdtime_t now, inception, expire;
+
+ dns_diff_init(client->mctx, &diffnames);
+ dns_diff_init(client->mctx, &affected);
+
+ dns_diff_init(client->mctx, &sig_diff);
+ dns_diff_init(client->mctx, &nsec_diff);
+ dns_diff_init(client->mctx, &nsec_mindiff);
+
+ result = find_zone_keys(zone, db, newver, client->mctx,
+ MAXZONEKEYS, zone_keys, &nkeys);
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone, ISC_LOG_ERROR,
+ "could not get zone keys for secure dynamic update");
+ goto failure;
+ }
+
+ isc_stdtime_get(&now);
+ inception = now - 3600; /* Allow for some clock skew. */
+ expire = now + sigvalidityinterval;
+
+ /*
+ * Find all RRsets directly affected by the update, and
+ * update their RRSIGs. Also build a list of names affected
+ * by the update in "diffnames".
+ */
+ CHECK(dns_diff_sort(diff, temp_order));
+
+ t = ISC_LIST_HEAD(diff->tuples);
+ while (t != NULL) {
+ dns_name_t *name = &t->name;
+ /* Now "name" is a new, unique name affected by the update. */
+
+ CHECK(namelist_append_name(&diffnames, name));
+
+ while (t != NULL && dns_name_equal(&t->name, name)) {
+ dns_rdatatype_t type;
+ type = t->rdata.type;
+
+ /*
+ * Now "name" and "type" denote a new unique RRset
+ * affected by the update.
+ */
+
+ /* Don't sign RRSIGs. */
+ if (type == dns_rdatatype_rrsig)
+ goto skip;
+
+ /*
+ * Delete all old RRSIGs covering this type, since they
+ * are all invalid when the signed RRset has changed.
+ * We may not be able to recreate all of them - tough.
+ */
+ CHECK(delete_if(true_p, db, newver, name,
+ dns_rdatatype_rrsig, type,
+ NULL, &sig_diff));
+
+ /*
+ * If this RRset still exists after the update,
+ * add a new signature for it.
+ */
+ CHECK(rrset_exists(db, newver, name, type, 0, &flag));
+ if (flag) {
+ CHECK(add_sigs(db, newver, name, type,
+ &sig_diff, zone_keys, nkeys,
+ client->mctx, inception,
+ expire));
+ }
+ skip:
+ /* Skip any other updates to the same RRset. */
+ while (t != NULL &&
+ dns_name_equal(&t->name, name) &&
+ t->rdata.type == type)
+ {
+ t = ISC_LIST_NEXT(t, link);
+ }
+ }
+ }
+
+ /* Remove orphaned NSECs and RRSIG NSECs. */
+ for (t = ISC_LIST_HEAD(diffnames.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ CHECK(non_nsec_rrset_exists(db, newver, &t->name, &flag));
+ if (! flag) {
+ CHECK(delete_if(true_p, db, newver, &t->name,
+ dns_rdatatype_any, 0,
+ NULL, &sig_diff));
+ }
+ }
+
+ /*
+ * When a name is created or deleted, its predecessor needs to
+ * have its NSEC updated.
+ */
+ for (t = ISC_LIST_HEAD(diffnames.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ isc_boolean_t existed, exists;
+ dns_fixedname_t fixedname;
+ dns_name_t *prevname;
+
+ dns_fixedname_init(&fixedname);
+ prevname = dns_fixedname_name(&fixedname);
+
+ CHECK(name_exists(db, oldver, &t->name, &existed));
+ CHECK(name_exists(db, newver, &t->name, &exists));
+ if (exists == existed)
+ continue;
+
+ /*
+ * Find the predecessor.
+ * When names become obscured or unobscured in this update
+ * transaction, we may find the wrong predecessor because
+ * the NSECs have not yet been updated to reflect the delegation
+ * change. This should not matter because in this case,
+ * the correct predecessor is either the delegation node or
+ * a newly unobscured node, and those nodes are on the
+ * "affected" list in any case.
+ */
+ CHECK(next_active(client, zone, db, newver,
+ &t->name, prevname, ISC_FALSE));
+ CHECK(namelist_append_name(&affected, prevname));
+ }
+
+ /*
+ * Find names potentially affected by delegation changes
+ * (obscured by adding an NS or DNAME, or unobscured by
+ * removing one).
+ */
+ for (t = ISC_LIST_HEAD(diffnames.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ isc_boolean_t ns_existed, dname_existed;
+ isc_boolean_t ns_exists, dname_exists;
+
+ CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_ns, 0,
+ &ns_existed));
+ CHECK(rrset_exists(db, oldver, &t->name, dns_rdatatype_dname, 0,
+ &dname_existed));
+ CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
+ &ns_exists));
+ CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_dname, 0,
+ &dname_exists));
+ if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+ continue;
+ /*
+ * There was a delegation change. Mark all subdomains
+ * of t->name as potentially needing a NSEC update.
+ */
+ CHECK(namelist_append_subdomain(db, &t->name, &affected));
+ }
+
+ ISC_LIST_APPENDLIST(affected.tuples, diffnames.tuples, link);
+ INSIST(ISC_LIST_EMPTY(diffnames.tuples));
+
+ CHECK(uniqify_name_list(&affected));
+
+ /*
+ * Determine which names should have NSECs, and delete/create
+ * NSECs to make it so. We don't know the final NSEC targets yet,
+ * so we just create placeholder NSECs with arbitrary contents
+ * to indicate that their respective owner names should be part of
+ * the NSEC chain.
+ */
+ for (t = ISC_LIST_HEAD(affected.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ isc_boolean_t exists;
+ CHECK(name_exists(db, newver, &t->name, &exists));
+ if (! exists)
+ continue;
+ CHECK(is_glue(db, newver, &t->name, &flag));
+ if (flag) {
+ /*
+ * This name is obscured. Delete any
+ * existing NSEC record.
+ */
+ CHECK(delete_if(true_p, db, newver, &t->name,
+ dns_rdatatype_nsec, 0,
+ NULL, &nsec_diff));
+ } else {
+ /*
+ * This name is not obscured. It should have a NSEC.
+ */
+ CHECK(rrset_exists(db, newver, &t->name,
+ dns_rdatatype_nsec, 0, &flag));
+ if (! flag)
+ CHECK(add_placeholder_nsec(db, newver, &t->name,
+ diff));
+ }
+ }
+
+ /*
+ * Now we know which names are part of the NSEC chain.
+ * Make them all point at their correct targets.
+ */
+ for (t = ISC_LIST_HEAD(affected.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ CHECK(rrset_exists(db, newver, &t->name,
+ dns_rdatatype_nsec, 0, &flag));
+ if (flag) {
+ /*
+ * There is a NSEC, but we don't know if it is correct.
+ * Delete it and create a correct one to be sure.
+ * If the update was unnecessary, the diff minimization
+ * will take care of eliminating it from the journal,
+ * IXFRs, etc.
+ *
+ * The RRSIG bit should always be set in the NSECs
+ * we generate, because they will all get RRSIG NSECs.
+ * (XXX what if the zone keys are missing?).
+ * Because the RRSIG NSECs have not necessarily been
+ * created yet, the correctness of the bit mask relies
+ * on the assumption that NSECs are only created if
+ * there is other data, and if there is other data,
+ * there are other RRSIGs.
+ */
+ CHECK(add_nsec(client, zone, db, newver,
+ &t->name, &nsec_diff));
+ }
+ }
+
+ /*
+ * Minimize the set of NSEC updates so that we don't
+ * have to regenerate the RRSIG NSECs for NSECs that were
+ * replaced with identical ones.
+ */
+ while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
+ dns_diff_appendminimal(&nsec_mindiff, &t);
+ }
+
+ /* Update RRSIG NSECs. */
+ for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ if (t->op == DNS_DIFFOP_DEL) {
+ CHECK(delete_if(true_p, db, newver, &t->name,
+ dns_rdatatype_rrsig, dns_rdatatype_nsec,
+ NULL, &sig_diff));
+ } else if (t->op == DNS_DIFFOP_ADD) {
+ CHECK(add_sigs(db, newver, &t->name, dns_rdatatype_nsec,
+ &sig_diff, zone_keys, nkeys,
+ client->mctx, inception, expire));
+ } else {
+ INSIST(0);
+ }
+ }
+
+ /* Record our changes for the journal. */
+ while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(sig_diff.tuples, t, link);
+ dns_diff_appendminimal(diff, &t);
+ }
+ while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
+ ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
+ dns_diff_appendminimal(diff, &t);
+ }
+
+ INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
+ INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
+ INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
+
+ failure:
+ dns_diff_clear(&sig_diff);
+ dns_diff_clear(&nsec_diff);
+ dns_diff_clear(&nsec_mindiff);
+
+ dns_diff_clear(&affected);
+ dns_diff_clear(&diffnames);
+
+ for (i = 0; i < nkeys; i++)
+ dst_key_free(&zone_keys[i]);
+
+ return (result);
+}
+
+
+/**************************************************************************/
+/*
+ * The actual update code in all its glory. We try to follow
+ * the RFC2136 pseudocode as closely as possible.
+ */
+
+static isc_result_t
+send_update_event(ns_client_t *client, dns_zone_t *zone) {
+ isc_result_t result = ISC_R_SUCCESS;
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
+ ns_client_t *evclient;
+
+ event = (update_event_t *)
+ isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
+ update_action, NULL, sizeof(*event));
+ if (event == NULL)
+ FAIL(ISC_R_NOMEMORY);
+ event->zone = zone;
+ event->result = ISC_R_SUCCESS;
+
+ evclient = NULL;
+ ns_client_attach(client, &evclient);
+ INSIST(client->nupdates == 0);
+ client->nupdates++;
+ event->ev_arg = evclient;
+
+ dns_zone_gettask(zone, &zonetask);
+ isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+
+ failure:
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+ return (result);
+}
+
+static void
+respond(ns_client_t *client, isc_result_t result) {
+ isc_result_t msg_result;
+
+ msg_result = dns_message_reply(client->message, ISC_TRUE);
+ if (msg_result != ISC_R_SUCCESS)
+ goto msg_failure;
+ client->message->rcode = dns_result_torcode(result);
+
+ ns_client_send(client);
+ return;
+
+ msg_failure:
+ isc_log_write(ns_g_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
+ ISC_LOG_ERROR,
+ "could not create update response message: %s",
+ isc_result_totext(msg_result));
+ ns_client_next(client, msg_result);
+}
+
+void
+ns_update_start(ns_client_t *client, isc_result_t sigresult) {
+ dns_message_t *request = client->message;
+ isc_result_t result;
+ dns_name_t *zonename;
+ dns_rdataset_t *zone_rdataset;
+ dns_zone_t *zone = NULL;
+
+ /*
+ * Interpret the zone section.
+ */
+ result = dns_message_firstname(request, DNS_SECTION_ZONE);
+ if (result != ISC_R_SUCCESS)
+ FAILC(DNS_R_FORMERR,
+ "update zone section empty");
+
+ /*
+ * The zone section must contain exactly one "question", and
+ * it must be of type SOA.
+ */
+ zonename = NULL;
+ dns_message_currentname(request, DNS_SECTION_ZONE, &zonename);
+ zone_rdataset = ISC_LIST_HEAD(zonename->list);
+ if (zone_rdataset->type != dns_rdatatype_soa)
+ FAILC(DNS_R_FORMERR,
+ "update zone section contains non-SOA");
+ if (ISC_LIST_NEXT(zone_rdataset, link) != NULL)
+ FAILC(DNS_R_FORMERR,
+ "update zone section contains multiple RRs");
+
+ /* The zone section must have exactly one name. */
+ result = dns_message_nextname(request, DNS_SECTION_ZONE);
+ if (result != ISC_R_NOMORE)
+ FAILC(DNS_R_FORMERR,
+ "update zone section contains multiple RRs");
+
+ result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
+ &zone);
+ if (result != ISC_R_SUCCESS)
+ FAILC(DNS_R_NOTAUTH,
+ "not authoritative for update zone");
+
+ switch(dns_zone_gettype(zone)) {
+ case dns_zone_master:
+ /*
+ * We can now fail due to a bad signature as we now know
+ * that we are the master.
+ */
+ if (sigresult != ISC_R_SUCCESS)
+ FAIL(sigresult);
+ CHECK(send_update_event(client, zone));
+ break;
+ case dns_zone_slave:
+ CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
+ "update forwarding", zonename, ISC_TRUE));
+ CHECK(send_forward_event(client, zone));
+ break;
+ default:
+ FAILC(DNS_R_NOTAUTH,
+ "not authoritative for update zone");
+ }
+ return;
+
+ failure:
+ /*
+ * We failed without having sent an update event to the zone.
+ * We are still in the client task context, so we can
+ * simply give an error response without switching tasks.
+ */
+ respond(client, result);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+}
+
+/*
+ * DS records are not allowed to exist without corresponding NS records,
+ * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
+ * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
+ */
+
+static isc_result_t
+remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
+ isc_result_t result;
+ isc_boolean_t ns_exists, ds_exists;
+ dns_difftuple_t *t;
+
+ for (t = ISC_LIST_HEAD(diff->tuples);
+ t != NULL;
+ t = ISC_LIST_NEXT(t, link)) {
+ if (t->op != DNS_DIFFOP_DEL ||
+ t->rdata.type != dns_rdatatype_ns)
+ continue;
+ CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
+ &ns_exists));
+ if (ns_exists)
+ continue;
+ CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
+ &ds_exists));
+ if (!ds_exists)
+ continue;
+ CHECK(delete_if(true_p, db, newver, &t->name,
+ dns_rdatatype_ds, 0, NULL, diff));
+ }
+ return (ISC_R_SUCCESS);
+
+ failure:
+ return (result);
+}
+
+static void
+update_action(isc_task_t *task, isc_event_t *event) {
+ update_event_t *uev = (update_event_t *) event;
+ dns_zone_t *zone = uev->zone;
+ ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+ isc_result_t result;
+ dns_db_t *db = NULL;
+ dns_dbversion_t *oldver = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_diff_t diff; /* Pending updates. */
+ dns_diff_t temp; /* Pending RR existence assertions. */
+ isc_boolean_t soa_serial_changed = ISC_FALSE;
+ isc_mem_t *mctx = client->mctx;
+ dns_rdatatype_t covers;
+ dns_message_t *request = client->message;
+ dns_rdataclass_t zoneclass;
+ dns_name_t *zonename;
+ dns_ssutable_t *ssutable = NULL;
+ dns_fixedname_t tmpnamefixed;
+ dns_name_t *tmpname = NULL;
+
+ INSIST(event->ev_type == DNS_EVENT_UPDATE);
+
+ dns_diff_init(mctx, &diff);
+ dns_diff_init(mctx, &temp);
+
+ CHECK(dns_zone_getdb(zone, &db));
+ zonename = dns_db_origin(db);
+ zoneclass = dns_db_class(db);
+ dns_zone_getssutable(zone, &ssutable);
+ dns_db_currentversion(db, &oldver);
+ CHECK(dns_db_newversion(db, &ver));
+
+ /*
+ * Check prerequisites.
+ */
+
+ for (result = dns_message_firstname(request, DNS_SECTION_PREREQUISITE);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_PREREQUISITE))
+ {
+ dns_name_t *name = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_ttl_t ttl;
+ dns_rdataclass_t update_class;
+ isc_boolean_t flag;
+
+ get_current_rr(request, DNS_SECTION_PREREQUISITE, zoneclass,
+ &name, &rdata, &covers, &ttl, &update_class);
+
+ if (ttl != 0)
+ FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
+
+ if (! dns_name_issubdomain(name, zonename))
+ FAILN(DNS_R_NOTZONE, name,
+ "prerequisite name is out of zone");
+
+ if (update_class == dns_rdataclass_any) {
+ if (rdata.length != 0)
+ FAILC(DNS_R_FORMERR,
+ "class ANY prerequisite "
+ "RDATA is not empty");
+ if (rdata.type == dns_rdatatype_any) {
+ CHECK(name_exists(db, ver, name, &flag));
+ if (! flag) {
+ FAILN(DNS_R_NXDOMAIN, name,
+ "'name in use' prerequisite "
+ "not satisfied");
+ }
+ } else {
+ CHECK(rrset_exists(db, ver, name,
+ rdata.type, covers, &flag));
+ if (! flag) {
+ /* RRset does not exist. */
+ FAILNT(DNS_R_NXRRSET, name, rdata.type,
+ "'rrset exists (value independent)' "
+ "prerequisite not satisfied");
+ }
+ }
+ } else if (update_class == dns_rdataclass_none) {
+ if (rdata.length != 0)
+ FAILC(DNS_R_FORMERR,
+ "class NONE prerequisite "
+ "RDATA is not empty");
+ if (rdata.type == dns_rdatatype_any) {
+ CHECK(name_exists(db, ver, name, &flag));
+ if (flag) {
+ FAILN(DNS_R_YXDOMAIN, name,
+ "'name not in use' prerequisite "
+ "not satisfied");
+ }
+ } else {
+ CHECK(rrset_exists(db, ver, name,
+ rdata.type, covers, &flag));
+ if (flag) {
+ /* RRset exists. */
+ FAILNT(DNS_R_YXRRSET, name, rdata.type,
+ "'rrset does not exist' "
+ "prerequisite not satisfied");
+ }
+ }
+ } else if (update_class == zoneclass) {
+ /* "temp<rr.name, rr.type> += rr;" */
+ result = temp_append(&temp, name, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "temp entry creation failed: %s",
+ dns_result_totext(result));
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ } else {
+ FAILC(DNS_R_FORMERR, "malformed prerequisite");
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ FAIL(result);
+
+
+ /*
+ * Perform the final check of the "rrset exists (value dependent)"
+ * prerequisites.
+ */
+ if (ISC_LIST_HEAD(temp.tuples) != NULL) {
+ dns_rdatatype_t type;
+
+ /*
+ * Sort the prerequisite records by owner name,
+ * type, and rdata.
+ */
+ result = dns_diff_sort(&temp, temp_order);
+ if (result != ISC_R_SUCCESS)
+ FAILC(result, "'RRset exists (value dependent)' "
+ "prerequisite not satisfied");
+
+ dns_fixedname_init(&tmpnamefixed);
+ tmpname = dns_fixedname_name(&tmpnamefixed);
+ result = temp_check(mctx, &temp, db, ver, tmpname, &type);
+ if (result != ISC_R_SUCCESS)
+ FAILNT(result, tmpname, type,
+ "'RRset exists (value dependent)' "
+ "prerequisite not satisfied");
+ }
+
+ update_log(client, zone, LOGLEVEL_DEBUG,
+ "prerequisites are OK");
+
+ /*
+ * Check Requestor's Permissions. It seems a bit silly to do this
+ * only after prerequisite testing, but that is what RFC2136 says.
+ */
+ result = ISC_R_SUCCESS;
+ if (ssutable == NULL)
+ CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
+ "update", zonename, ISC_FALSE));
+ else if (client->signer == NULL)
+ CHECK(checkupdateacl(client, NULL, "update", zonename,
+ ISC_FALSE));
+
+ if (dns_zone_getupdatedisabled(zone))
+ FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
+
+ /*
+ * Perform the Update Section Prescan.
+ */
+
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+ {
+ dns_name_t *name = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_ttl_t ttl;
+ dns_rdataclass_t update_class;
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
+ &name, &rdata, &covers, &ttl, &update_class);
+
+ if (! dns_name_issubdomain(name, zonename))
+ FAILC(DNS_R_NOTZONE,
+ "update RR is outside zone");
+ if (update_class == zoneclass) {
+ /*
+ * Check for meta-RRs. The RFC2136 pseudocode says
+ * check for ANY|AXFR|MAILA|MAILB, but the text adds
+ * "or any other QUERY metatype"
+ */
+ if (dns_rdatatype_ismeta(rdata.type)) {
+ FAILC(DNS_R_FORMERR,
+ "meta-RR in update");
+ }
+ result = dns_zone_checknames(zone, name, &rdata);
+ if (result != ISC_R_SUCCESS)
+ FAIL(DNS_R_REFUSED);
+ } else if (update_class == dns_rdataclass_any) {
+ if (ttl != 0 || rdata.length != 0 ||
+ (dns_rdatatype_ismeta(rdata.type) &&
+ rdata.type != dns_rdatatype_any))
+ FAILC(DNS_R_FORMERR,
+ "meta-RR in update");
+ } else if (update_class == dns_rdataclass_none) {
+ if (ttl != 0 ||
+ dns_rdatatype_ismeta(rdata.type))
+ FAILC(DNS_R_FORMERR,
+ "meta-RR in update");
+ } else {
+ update_log(client, zone, ISC_LOG_WARNING,
+ "update RR has incorrect class %d",
+ update_class);
+ FAIL(DNS_R_FORMERR);
+ }
+ /*
+ * draft-ietf-dnsind-simple-secure-update-01 says
+ * "Unlike traditional dynamic update, the client
+ * is forbidden from updating NSEC records."
+ */
+ if (dns_db_issecure(db)) {
+ if (rdata.type == dns_rdatatype_nsec) {
+ FAILC(DNS_R_REFUSED,
+ "explicit NSEC updates are not allowed "
+ "in secure zones");
+ }
+ else if (rdata.type == dns_rdatatype_rrsig) {
+ FAILC(DNS_R_REFUSED,
+ "explicit RRSIG updates are currently not "
+ "supported in secure zones");
+ }
+ }
+
+ if (ssutable != NULL && client->signer != NULL) {
+ if (rdata.type != dns_rdatatype_any) {
+ if (!dns_ssutable_checkrules(ssutable,
+ client->signer,
+ name, rdata.type))
+ FAILC(DNS_R_REFUSED,
+ "rejected by secure update");
+ }
+ else {
+ if (!ssu_checkall(db, ver, name, ssutable,
+ client->signer))
+ FAILC(DNS_R_REFUSED,
+ "rejected by secure update");
+ }
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ FAIL(result);
+
+ update_log(client, zone, LOGLEVEL_DEBUG,
+ "update section prescan OK");
+
+ /*
+ * Process the Update Section.
+ */
+
+ for (result = dns_message_firstname(request, DNS_SECTION_UPDATE);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_UPDATE))
+ {
+ dns_name_t *name = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_ttl_t ttl;
+ dns_rdataclass_t update_class;
+ isc_boolean_t flag;
+
+ get_current_rr(request, DNS_SECTION_UPDATE, zoneclass,
+ &name, &rdata, &covers, &ttl, &update_class);
+
+ if (update_class == zoneclass) {
+
+ /*
+ * RFC 1123 doesn't allow MF and MD in master zones. */
+ if (rdata.type == dns_rdatatype_md ||
+ rdata.type == dns_rdatatype_mf) {
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_rdatatype_format(rdata.type, typebuf,
+ sizeof(typebuf));
+ update_log(client, zone, LOGLEVEL_PROTOCOL,
+ "attempt to add %s ignored",
+ typebuf);
+ continue;
+ }
+ if (rdata.type == dns_rdatatype_ns &&
+ dns_name_iswildcard(name)) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to add wildcard NS record"
+ "ignored");
+ continue;
+ }
+ if (rdata.type == dns_rdatatype_cname) {
+ CHECK(cname_incompatible_rrset_exists(db, ver,
+ name,
+ &flag));
+ if (flag) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to add CNAME "
+ "alongside non-CNAME "
+ "ignored");
+ continue;
+ }
+ } else {
+ CHECK(rrset_exists(db, ver, name,
+ dns_rdatatype_cname, 0,
+ &flag));
+ if (flag &&
+ ! dns_rdatatype_isdnssec(rdata.type))
+ {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to add non-CNAME "
+ "alongside CNAME ignored");
+ continue;
+ }
+ }
+ if (rdata.type == dns_rdatatype_soa) {
+ isc_boolean_t ok;
+ CHECK(rrset_exists(db, ver, name,
+ dns_rdatatype_soa, 0,
+ &flag));
+ if (! flag) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to create 2nd "
+ "SOA ignored");
+ continue;
+ }
+ CHECK(check_soa_increment(db, ver, &rdata,
+ &ok));
+ if (! ok) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "SOA update failed to "
+ "increment serial, "
+ "ignoring it");
+ continue;
+ }
+ soa_serial_changed = ISC_TRUE;
+ }
+
+ if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[DNS_RDATATYPE_FORMATSIZE];
+ dns_name_format(name, namestr,
+ sizeof(namestr));
+ dns_rdatatype_format(rdata.type, typestr,
+ sizeof(typestr));
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "adding an RR at '%s' %s",
+ namestr, typestr);
+ }
+
+ /* Prepare the affected RRset for the addition. */
+ {
+ add_rr_prepare_ctx_t ctx;
+ ctx.db = db;
+ ctx.ver = ver;
+ ctx.diff = &diff;
+ ctx.name = name;
+ ctx.update_rr = &rdata;
+ ctx.update_rr_ttl = ttl;
+ ctx.ignore_add = ISC_FALSE;
+ dns_diff_init(mctx, &ctx.del_diff);
+ dns_diff_init(mctx, &ctx.add_diff);
+ CHECK(foreach_rr(db, ver, name, rdata.type,
+ covers, add_rr_prepare_action,
+ &ctx));
+
+ if (ctx.ignore_add) {
+ dns_diff_clear(&ctx.del_diff);
+ dns_diff_clear(&ctx.add_diff);
+ } else {
+ CHECK(do_diff(&ctx.del_diff, db, ver, &diff));
+ CHECK(do_diff(&ctx.add_diff, db, ver, &diff));
+ CHECK(update_one_rr(db, ver, &diff,
+ DNS_DIFFOP_ADD,
+ name, ttl, &rdata));
+ }
+ }
+ } else if (update_class == dns_rdataclass_any) {
+ if (rdata.type == dns_rdatatype_any) {
+ if (isc_log_wouldlog(ns_g_lctx,
+ LOGLEVEL_PROTOCOL))
+ {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namestr,
+ sizeof(namestr));
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "delete all rrsets from "
+ "name '%s'", namestr);
+ }
+ if (dns_name_equal(name, zonename)) {
+ CHECK(delete_if(type_not_soa_nor_ns_p,
+ db, ver, name,
+ dns_rdatatype_any, 0,
+ &rdata, &diff));
+ } else {
+ CHECK(delete_if(true_p, db, ver, name,
+ dns_rdatatype_any, 0,
+ &rdata, &diff));
+ }
+ } else if (dns_name_equal(name, zonename) &&
+ (rdata.type == dns_rdatatype_soa ||
+ rdata.type == dns_rdatatype_ns)) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to delete all SOA "
+ "or NS records ignored");
+ continue;
+ } else {
+ if (isc_log_wouldlog(ns_g_lctx,
+ LOGLEVEL_PROTOCOL))
+ {
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[DNS_RDATATYPE_FORMATSIZE];
+ dns_name_format(name, namestr,
+ sizeof(namestr));
+ dns_rdatatype_format(rdata.type,
+ typestr,
+ sizeof(typestr));
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "deleting rrset at '%s' %s",
+ namestr, typestr);
+ }
+ CHECK(delete_if(true_p, db, ver, name,
+ rdata.type, covers, &rdata,
+ &diff));
+ }
+ } else if (update_class == dns_rdataclass_none) {
+ /*
+ * The (name == zonename) condition appears in
+ * RFC2136 3.4.2.4 but is missing from the pseudocode.
+ */
+ if (dns_name_equal(name, zonename)) {
+ if (rdata.type == dns_rdatatype_soa) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to delete SOA "
+ "ignored");
+ continue;
+ }
+ if (rdata.type == dns_rdatatype_ns) {
+ int count;
+ CHECK(rr_count(db, ver, name,
+ dns_rdatatype_ns,
+ 0, &count));
+ if (count == 1) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "attempt to "
+ "delete last "
+ "NS ignored");
+ continue;
+ }
+ }
+ }
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "deleting an RR");
+ CHECK(delete_if(rr_equal_p, db, ver, name,
+ rdata.type, covers, &rdata, &diff));
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ FAIL(result);
+
+ /*
+ * If any changes were made, increment the SOA serial number,
+ * update RRSIGs and NSECs (if zone is secure), and write the update
+ * to the journal.
+ */
+ if (! ISC_LIST_EMPTY(diff.tuples)) {
+ char *journalfile;
+ dns_journal_t *journal;
+
+ /*
+ * Increment the SOA serial, but only if it was not
+ * changed as a result of an update operation.
+ */
+ if (! soa_serial_changed) {
+ CHECK(increment_soa_serial(db, ver, &diff, mctx));
+ }
+
+ CHECK(remove_orphaned_ds(db, ver, &diff));
+
+ if (dns_db_issecure(db)) {
+ result = update_signatures(client, zone, db, oldver,
+ ver, &diff,
+ dns_zone_getsigvalidityinterval(zone));
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone,
+ ISC_LOG_ERROR,
+ "RRSIG/NSEC update failed: %s",
+ isc_result_totext(result));
+ goto failure;
+ }
+ }
+
+ journalfile = dns_zone_getjournal(zone);
+ if (journalfile != NULL) {
+ update_log(client, zone, LOGLEVEL_DEBUG,
+ "writing journal %s", journalfile);
+
+ journal = NULL;
+ result = dns_journal_open(mctx, journalfile,
+ ISC_TRUE, &journal);
+ if (result != ISC_R_SUCCESS)
+ FAILS(result, "journal open failed");
+
+ result = dns_journal_write_transaction(journal, &diff);
+ if (result != ISC_R_SUCCESS) {
+ dns_journal_destroy(&journal);
+ FAILS(result, "journal write failed");
+ }
+
+ dns_journal_destroy(&journal);
+ }
+
+ /*
+ * XXXRTH Just a note that this committing code will have
+ * to change to handle databases that need two-phase
+ * commit, but this isn't a priority.
+ */
+ update_log(client, zone, LOGLEVEL_DEBUG,
+ "committing update transaction");
+ dns_db_closeversion(db, &ver, ISC_TRUE);
+
+ /*
+ * Mark the zone as dirty so that it will be written to disk.
+ */
+ dns_zone_markdirty(zone);
+
+ /*
+ * Notify slaves of the change we just made.
+ */
+ dns_zone_notify(zone);
+ } else {
+ update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
+ dns_db_closeversion(db, &ver, ISC_TRUE);
+ }
+ result = ISC_R_SUCCESS;
+ goto common;
+
+ failure:
+ /*
+ * The reason for failure should have been logged at this point.
+ */
+ if (ver != NULL) {
+ update_log(client, zone, LOGLEVEL_DEBUG,
+ "rolling back");
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+ }
+
+ common:
+ dns_diff_clear(&temp);
+ dns_diff_clear(&diff);
+
+ if (oldver != NULL)
+ dns_db_closeversion(db, &oldver, ISC_FALSE);
+
+ if (db != NULL)
+ dns_db_detach(&db);
+
+ if (ssutable != NULL)
+ dns_ssutable_detach(&ssutable);
+
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ isc_task_detach(&task);
+ uev->result = result;
+ uev->ev_type = DNS_EVENT_UPDATEDONE;
+ uev->ev_action = updatedone_action;
+ isc_task_send(client->task, &event);
+ INSIST(event == NULL);
+}
+
+static void
+updatedone_action(isc_task_t *task, isc_event_t *event) {
+ update_event_t *uev = (update_event_t *) event;
+ ns_client_t *client = (ns_client_t *) event->ev_arg;
+
+ UNUSED(task);
+
+ INSIST(event->ev_type == DNS_EVENT_UPDATEDONE);
+ INSIST(task == client->task);
+
+ INSIST(client->nupdates > 0);
+ client->nupdates--;
+ respond(client, uev->result);
+ ns_client_detach(&client);
+ isc_event_free(&event);
+}
+
+/*
+ * Update forwarding support.
+ */
+
+static void
+forward_fail(isc_task_t *task, isc_event_t *event) {
+ ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+ UNUSED(task);
+
+ INSIST(client->nupdates > 0);
+ client->nupdates--;
+ respond(client, DNS_R_SERVFAIL);
+ ns_client_detach(&client);
+ isc_event_free(&event);
+}
+
+
+static void
+forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
+ update_event_t *uev = arg;
+ ns_client_t *client = uev->ev_arg;
+
+ if (result != ISC_R_SUCCESS) {
+ INSIST(answer == NULL);
+ uev->ev_type = DNS_EVENT_UPDATEDONE;
+ uev->ev_action = forward_fail;
+ } else {
+ uev->ev_type = DNS_EVENT_UPDATEDONE;
+ uev->ev_action = forward_done;
+ uev->answer = answer;
+ }
+ isc_task_send(client->task, ISC_EVENT_PTR(&uev));
+}
+
+static void
+forward_done(isc_task_t *task, isc_event_t *event) {
+ update_event_t *uev = (update_event_t *) event;
+ ns_client_t *client = (ns_client_t *)event->ev_arg;
+
+ UNUSED(task);
+
+ INSIST(client->nupdates > 0);
+ client->nupdates--;
+ ns_client_sendraw(client, uev->answer);
+ dns_message_destroy(&uev->answer);
+ isc_event_free(&event);
+ ns_client_detach(&client);
+}
+
+static void
+forward_action(isc_task_t *task, isc_event_t *event) {
+ update_event_t *uev = (update_event_t *) event;
+ dns_zone_t *zone = uev->zone;
+ ns_client_t *client = (ns_client_t *)event->ev_arg;
+ isc_result_t result;
+
+ result = dns_zone_forwardupdate(zone, client->message,
+ forward_callback, event);
+ if (result != ISC_R_SUCCESS) {
+ uev->ev_type = DNS_EVENT_UPDATEDONE;
+ uev->ev_action = forward_fail;
+ isc_task_send(client->task, &event);
+ }
+ dns_zone_detach(&zone);
+ isc_task_detach(&task);
+}
+
+static isc_result_t
+send_forward_event(ns_client_t *client, dns_zone_t *zone) {
+ isc_result_t result = ISC_R_SUCCESS;
+ update_event_t *event = NULL;
+ isc_task_t *zonetask = NULL;
+ ns_client_t *evclient;
+
+ event = (update_event_t *)
+ isc_event_allocate(client->mctx, client, DNS_EVENT_UPDATE,
+ forward_action, NULL, sizeof(*event));
+ if (event == NULL)
+ FAIL(ISC_R_NOMEMORY);
+ event->zone = zone;
+ event->result = ISC_R_SUCCESS;
+
+ evclient = NULL;
+ ns_client_attach(client, &evclient);
+ INSIST(client->nupdates == 0);
+ client->nupdates++;
+ event->ev_arg = evclient;
+
+ dns_zone_gettask(zone, &zonetask);
+ isc_task_send(zonetask, ISC_EVENT_PTR(&event));
+
+ failure:
+ if (event != NULL)
+ isc_event_free(ISC_EVENT_PTR(&event));
+ return (result);
+}
diff --git a/contrib/bind9/bin/named/xfrout.c b/contrib/bind9/bin/named/xfrout.c
new file mode 100644
index 0000000..9fb2697
--- /dev/null
+++ b/contrib/bind9/bin/named/xfrout.c
@@ -0,0 +1,1718 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xfrout.c,v 1.101.2.5.2.10 2004/04/02 06:08:17 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/formatcheck.h>
+#include <isc/mem.h>
+#include <isc/timer.h>
+#include <isc/print.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/message.h>
+#include <dns/peer.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/timer.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#include <named/client.h>
+#include <named/log.h>
+#include <named/server.h>
+#include <named/xfrout.h>
+
+/*
+ * Outgoing AXFR and IXFR.
+ */
+
+/*
+ * TODO:
+ * - IXFR over UDP
+ */
+
+#define XFROUT_COMMON_LOGARGS \
+ ns_g_lctx, DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT
+
+#define XFROUT_PROTOCOL_LOGARGS \
+ XFROUT_COMMON_LOGARGS, ISC_LOG_INFO
+
+#define XFROUT_DEBUG_LOGARGS(n) \
+ XFROUT_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
+
+#define XFROUT_RR_LOGARGS \
+ XFROUT_COMMON_LOGARGS, XFROUT_RR_LOGLEVEL
+
+#define XFROUT_RR_LOGLEVEL ISC_LOG_DEBUG(8)
+
+/*
+ * Fail unconditionally and log as a client error.
+ * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAILC(code, msg) \
+ do { \
+ result = (code); \
+ ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
+ NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
+ "bad zone transfer request: %s (%s)", \
+ msg, isc_result_totext(code)); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define FAILQ(code, msg, question, rdclass) \
+ do { \
+ char _buf1[DNS_NAME_FORMATSIZE]; \
+ char _buf2[DNS_RDATACLASS_FORMATSIZE]; \
+ result = (code); \
+ dns_name_format(question, _buf1, sizeof(_buf1)); \
+ dns_rdataclass_format(rdclass, _buf2, sizeof(_buf2)); \
+ ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
+ NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
+ "bad zone transfer request: '%s/%s': %s (%s)", \
+ _buf1, _buf2, msg, isc_result_totext(code)); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+/**************************************************************************/
+/*
+ * A db_rr_iterator_t is an iterator that iterates over an entire database,
+ * returning one RR at a time, in some arbitrary order.
+ */
+
+typedef struct db_rr_iterator db_rr_iterator_t;
+
+struct db_rr_iterator {
+ isc_result_t result;
+ dns_db_t *db;
+ dns_dbiterator_t *dbit;
+ dns_dbversion_t *ver;
+ isc_stdtime_t now;
+ dns_dbnode_t *node;
+ dns_fixedname_t fixedname;
+ dns_rdatasetiter_t *rdatasetit;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata;
+};
+
+static isc_result_t
+db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+ isc_stdtime_t now);
+
+static isc_result_t
+db_rr_iterator_first(db_rr_iterator_t *it);
+
+static isc_result_t
+db_rr_iterator_next(db_rr_iterator_t *it);
+
+static void
+db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
+ isc_uint32_t *ttl, dns_rdata_t **rdata);
+
+static void
+db_rr_iterator_destroy(db_rr_iterator_t *it);
+
+static isc_result_t
+db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
+ isc_stdtime_t now)
+{
+ isc_result_t result;
+ it->db = db;
+ it->dbit = NULL;
+ it->ver = ver;
+ it->now = now;
+ it->node = NULL;
+ result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ it->rdatasetit = NULL;
+ dns_rdata_init(&it->rdata);
+ dns_rdataset_init(&it->rdataset);
+ dns_fixedname_init(&it->fixedname);
+ INSIST(! dns_rdataset_isassociated(&it->rdataset));
+ it->result = ISC_R_SUCCESS;
+ return (it->result);
+}
+
+static isc_result_t
+db_rr_iterator_first(db_rr_iterator_t *it) {
+ it->result = dns_dbiterator_first(it->dbit);
+ /*
+ * The top node may be empty when out of zone glue exists.
+ * Walk the tree to find the first node with data.
+ */
+ while (it->result == ISC_R_SUCCESS) {
+ it->result = dns_dbiterator_current(it->dbit, &it->node,
+ dns_fixedname_name(&it->fixedname));
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ it->result = dns_db_allrdatasets(it->db, it->node,
+ it->ver, it->now,
+ &it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ it->result = dns_rdatasetiter_first(it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS) {
+ /*
+ * This node is empty. Try next node.
+ */
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ dns_db_detachnode(it->db, &it->node);
+ it->result = dns_dbiterator_next(it->dbit);
+ continue;
+ }
+ dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+
+ it->result = dns_rdataset_first(&it->rdataset);
+ return (it->result);
+ }
+ return (it->result);
+}
+
+
+static isc_result_t
+db_rr_iterator_next(db_rr_iterator_t *it) {
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+
+ INSIST(it->dbit != NULL);
+ INSIST(it->node != NULL);
+ INSIST(it->rdatasetit != NULL);
+
+ it->result = dns_rdataset_next(&it->rdataset);
+ if (it->result == ISC_R_NOMORE) {
+ dns_rdataset_disassociate(&it->rdataset);
+ it->result = dns_rdatasetiter_next(it->rdatasetit);
+ /*
+ * The while loop body is executed more than once
+ * only when an empty dbnode needs to be skipped.
+ */
+ while (it->result == ISC_R_NOMORE) {
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ dns_db_detachnode(it->db, &it->node);
+ it->result = dns_dbiterator_next(it->dbit);
+ if (it->result == ISC_R_NOMORE) {
+ /* We are at the end of the entire database. */
+ return (it->result);
+ }
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_dbiterator_current(it->dbit,
+ &it->node,
+ dns_fixedname_name(&it->fixedname));
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_db_allrdatasets(it->db, it->node,
+ it->ver, it->now,
+ &it->rdatasetit);
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ it->result = dns_rdatasetiter_first(it->rdatasetit);
+ }
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ dns_rdatasetiter_current(it->rdatasetit, &it->rdataset);
+ it->result = dns_rdataset_first(&it->rdataset);
+ if (it->result != ISC_R_SUCCESS)
+ return (it->result);
+ }
+ return (it->result);
+}
+
+static void
+db_rr_iterator_pause(db_rr_iterator_t *it) {
+ RUNTIME_CHECK(dns_dbiterator_pause(it->dbit) == ISC_R_SUCCESS);
+}
+
+static void
+db_rr_iterator_destroy(db_rr_iterator_t *it) {
+ if (dns_rdataset_isassociated(&it->rdataset))
+ dns_rdataset_disassociate(&it->rdataset);
+ if (it->rdatasetit != NULL)
+ dns_rdatasetiter_destroy(&it->rdatasetit);
+ if (it->node != NULL)
+ dns_db_detachnode(it->db, &it->node);
+ dns_dbiterator_destroy(&it->dbit);
+}
+
+static void
+db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
+ isc_uint32_t *ttl, dns_rdata_t **rdata)
+{
+ REQUIRE(name != NULL && *name == NULL);
+ REQUIRE(it->result == ISC_R_SUCCESS);
+ *name = dns_fixedname_name(&it->fixedname);
+ *ttl = it->rdataset.ttl;
+ dns_rdata_reset(&it->rdata);
+ dns_rdataset_current(&it->rdataset, &it->rdata);
+ *rdata = &it->rdata;
+}
+
+/**************************************************************************/
+
+/* Log an RR (for debugging) */
+
+static void
+log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
+ isc_result_t result;
+ isc_buffer_t buf;
+ char mem[2000];
+ dns_rdatalist_t rdl;
+ dns_rdataset_t rds;
+ dns_rdata_t rd = DNS_RDATA_INIT;
+
+ rdl.type = rdata->type;
+ rdl.rdclass = rdata->rdclass;
+ rdl.ttl = ttl;
+ ISC_LIST_INIT(rdl.rdata);
+ ISC_LINK_INIT(&rdl, link);
+ dns_rdataset_init(&rds);
+ dns_rdata_init(&rd);
+ dns_rdata_clone(rdata, &rd);
+ ISC_LIST_APPEND(rdl.rdata, &rd, link);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&rdl, &rds) == ISC_R_SUCCESS);
+
+ isc_buffer_init(&buf, mem, sizeof(mem));
+ result = dns_rdataset_totext(&rds, name,
+ ISC_FALSE, ISC_FALSE, &buf);
+
+ /*
+ * We could use xfrout_log(), but that would produce
+ * very long lines with a repetitive prefix.
+ */
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Get rid of final newline.
+ */
+ INSIST(buf.used >= 1 &&
+ ((char *) buf.base)[buf.used - 1] == '\n');
+ buf.used--;
+
+ isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
+ (int)isc_buffer_usedlength(&buf),
+ (char *)isc_buffer_base(&buf));
+ } else {
+ isc_log_write(XFROUT_RR_LOGARGS, "<RR too large to print>");
+ }
+}
+
+/**************************************************************************/
+/*
+ * An 'rrstream_t' is a polymorphic iterator that returns
+ * a stream of resource records. There are multiple implementations,
+ * e.g. for generating AXFR and IXFR records streams.
+ */
+
+typedef struct rrstream_methods rrstream_methods_t;
+
+typedef struct rrstream {
+ isc_mem_t *mctx;
+ rrstream_methods_t *methods;
+} rrstream_t;
+
+struct rrstream_methods {
+ isc_result_t (*first)(rrstream_t *);
+ isc_result_t (*next)(rrstream_t *);
+ void (*current)(rrstream_t *,
+ dns_name_t **,
+ isc_uint32_t *,
+ dns_rdata_t **);
+ void (*pause)(rrstream_t *);
+ void (*destroy)(rrstream_t **);
+};
+
+static void
+rrstream_noop_pause(rrstream_t *rs) {
+ UNUSED(rs);
+}
+
+/**************************************************************************/
+/*
+ * An 'ixfr_rrstream_t' is an 'rrstream_t' that returns
+ * an IXFR-like RR stream from a journal file.
+ *
+ * The SOA at the beginning of each sequence of additions
+ * or deletions are included in the stream, but the extra
+ * SOAs at the beginning and end of the entire transfer are
+ * not included.
+ */
+
+typedef struct ixfr_rrstream {
+ rrstream_t common;
+ dns_journal_t *journal;
+} ixfr_rrstream_t;
+
+/* Forward declarations. */
+static void
+ixfr_rrstream_destroy(rrstream_t **sp);
+
+static rrstream_methods_t ixfr_rrstream_methods;
+
+/*
+ * Returns: anything dns_journal_open() or dns_journal_iter_init()
+ * may return.
+ */
+
+static isc_result_t
+ixfr_rrstream_create(isc_mem_t *mctx,
+ const char *journal_filename,
+ isc_uint32_t begin_serial,
+ isc_uint32_t end_serial,
+ rrstream_t **sp)
+{
+ ixfr_rrstream_t *s;
+ isc_result_t result;
+
+ INSIST(sp != NULL && *sp == NULL);
+
+ s = isc_mem_get(mctx, sizeof(*s));
+ if (s == NULL)
+ return (ISC_R_NOMEMORY);
+ s->common.mctx = mctx;
+ s->common.methods = &ixfr_rrstream_methods;
+ s->journal = NULL;
+
+ CHECK(dns_journal_open(mctx, journal_filename,
+ ISC_FALSE, &s->journal));
+ CHECK(dns_journal_iter_init(s->journal, begin_serial, end_serial));
+
+ *sp = (rrstream_t *) s;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ ixfr_rrstream_destroy((rrstream_t **) (void *)&s);
+ return (result);
+}
+
+static isc_result_t
+ixfr_rrstream_first(rrstream_t *rs) {
+ ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
+ return (dns_journal_first_rr(s->journal));
+}
+
+static isc_result_t
+ixfr_rrstream_next(rrstream_t *rs) {
+ ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
+ return (dns_journal_next_rr(s->journal));
+}
+
+static void
+ixfr_rrstream_current(rrstream_t *rs,
+ dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata)
+{
+ ixfr_rrstream_t *s = (ixfr_rrstream_t *) rs;
+ dns_journal_current_rr(s->journal, name, ttl, rdata);
+}
+
+static void
+ixfr_rrstream_destroy(rrstream_t **rsp) {
+ ixfr_rrstream_t *s = (ixfr_rrstream_t *) *rsp;
+ if (s->journal != 0)
+ dns_journal_destroy(&s->journal);
+ isc_mem_put(s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t ixfr_rrstream_methods = {
+ ixfr_rrstream_first,
+ ixfr_rrstream_next,
+ ixfr_rrstream_current,
+ rrstream_noop_pause,
+ ixfr_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * An 'axfr_rrstream_t' is an 'rrstream_t' that returns
+ * an AXFR-like RR stream from a database.
+ *
+ * The SOAs at the beginning and end of the transfer are
+ * not included in the stream.
+ */
+
+typedef struct axfr_rrstream {
+ rrstream_t common;
+ db_rr_iterator_t it;
+ isc_boolean_t it_valid;
+} axfr_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+axfr_rrstream_destroy(rrstream_t **rsp);
+
+static rrstream_methods_t axfr_rrstream_methods;
+
+static isc_result_t
+axfr_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
+ rrstream_t **sp)
+{
+ axfr_rrstream_t *s;
+ isc_result_t result;
+
+ INSIST(sp != NULL && *sp == NULL);
+
+ s = isc_mem_get(mctx, sizeof(*s));
+ if (s == NULL)
+ return (ISC_R_NOMEMORY);
+ s->common.mctx = mctx;
+ s->common.methods = &axfr_rrstream_methods;
+ s->it_valid = ISC_FALSE;
+
+ CHECK(db_rr_iterator_init(&s->it, db, ver, 0));
+ s->it_valid = ISC_TRUE;
+
+ *sp = (rrstream_t *) s;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ axfr_rrstream_destroy((rrstream_t **) (void *)&s);
+ return (result);
+}
+
+static isc_result_t
+axfr_rrstream_first(rrstream_t *rs) {
+ axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
+ isc_result_t result;
+ result = db_rr_iterator_first(&s->it);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /* Skip SOA records. */
+ for (;;) {
+ dns_name_t *name_dummy = NULL;
+ isc_uint32_t ttl_dummy;
+ dns_rdata_t *rdata = NULL;
+ db_rr_iterator_current(&s->it, &name_dummy,
+ &ttl_dummy, &rdata);
+ if (rdata->type != dns_rdatatype_soa)
+ break;
+ result = db_rr_iterator_next(&s->it);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ return (result);
+}
+
+static isc_result_t
+axfr_rrstream_next(rrstream_t *rs) {
+ axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
+ isc_result_t result;
+
+ /* Skip SOA records. */
+ for (;;) {
+ dns_name_t *name_dummy = NULL;
+ isc_uint32_t ttl_dummy;
+ dns_rdata_t *rdata = NULL;
+ result = db_rr_iterator_next(&s->it);
+ if (result != ISC_R_SUCCESS)
+ break;
+ db_rr_iterator_current(&s->it, &name_dummy,
+ &ttl_dummy, &rdata);
+ if (rdata->type != dns_rdatatype_soa)
+ break;
+ }
+ return (result);
+}
+
+static void
+axfr_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata)
+{
+ axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
+ db_rr_iterator_current(&s->it, name, ttl, rdata);
+}
+
+static void
+axfr_rrstream_pause(rrstream_t *rs) {
+ axfr_rrstream_t *s = (axfr_rrstream_t *) rs;
+ db_rr_iterator_pause(&s->it);
+}
+
+static void
+axfr_rrstream_destroy(rrstream_t **rsp) {
+ axfr_rrstream_t *s = (axfr_rrstream_t *) *rsp;
+ if (s->it_valid)
+ db_rr_iterator_destroy(&s->it);
+ isc_mem_put(s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t axfr_rrstream_methods = {
+ axfr_rrstream_first,
+ axfr_rrstream_next,
+ axfr_rrstream_current,
+ axfr_rrstream_pause,
+ axfr_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * An 'soa_rrstream_t' is a degenerate 'rrstream_t' that returns
+ * a single SOA record.
+ */
+
+typedef struct soa_rrstream {
+ rrstream_t common;
+ dns_difftuple_t *soa_tuple;
+} soa_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+soa_rrstream_destroy(rrstream_t **rsp);
+
+static rrstream_methods_t soa_rrstream_methods;
+
+static isc_result_t
+soa_rrstream_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *ver,
+ rrstream_t **sp)
+{
+ soa_rrstream_t *s;
+ isc_result_t result;
+
+ INSIST(sp != NULL && *sp == NULL);
+
+ s = isc_mem_get(mctx, sizeof(*s));
+ if (s == NULL)
+ return (ISC_R_NOMEMORY);
+ s->common.mctx = mctx;
+ s->common.methods = &soa_rrstream_methods;
+ s->soa_tuple = NULL;
+
+ CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
+ &s->soa_tuple));
+
+ *sp = (rrstream_t *) s;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ soa_rrstream_destroy((rrstream_t **) (void *)&s);
+ return (result);
+}
+
+static isc_result_t
+soa_rrstream_first(rrstream_t *rs) {
+ UNUSED(rs);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+soa_rrstream_next(rrstream_t *rs) {
+ UNUSED(rs);
+ return (ISC_R_NOMORE);
+}
+
+static void
+soa_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata)
+{
+ soa_rrstream_t *s = (soa_rrstream_t *) rs;
+ *name = &s->soa_tuple->name;
+ *ttl = s->soa_tuple->ttl;
+ *rdata = &s->soa_tuple->rdata;
+}
+
+static void
+soa_rrstream_destroy(rrstream_t **rsp) {
+ soa_rrstream_t *s = (soa_rrstream_t *) *rsp;
+ if (s->soa_tuple != NULL)
+ dns_difftuple_free(&s->soa_tuple);
+ isc_mem_put(s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t soa_rrstream_methods = {
+ soa_rrstream_first,
+ soa_rrstream_next,
+ soa_rrstream_current,
+ rrstream_noop_pause,
+ soa_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * A 'compound_rrstream_t' objects owns a soa_rrstream
+ * and another rrstream, the "data stream". It returns
+ * a concatenated stream consisting of the soa_rrstream, then
+ * the data stream, then the soa_rrstream again.
+ *
+ * The component streams are owned by the compound_rrstream_t
+ * and are destroyed with it.
+ */
+
+typedef struct compound_rrstream {
+ rrstream_t common;
+ rrstream_t *components[3];
+ int state;
+ isc_result_t result;
+} compound_rrstream_t;
+
+/*
+ * Forward declarations.
+ */
+static void
+compound_rrstream_destroy(rrstream_t **rsp);
+
+static isc_result_t
+compound_rrstream_next(rrstream_t *rs);
+
+static rrstream_methods_t compound_rrstream_methods;
+
+/*
+ * Requires:
+ * soa_stream != NULL && *soa_stream != NULL
+ * data_stream != NULL && *data_stream != NULL
+ * sp != NULL && *sp == NULL
+ *
+ * Ensures:
+ * *soa_stream == NULL
+ * *data_stream == NULL
+ * *sp points to a valid compound_rrstream_t
+ * The soa and data streams will be destroyed
+ * when the compound_rrstream_t is destroyed.
+ */
+static isc_result_t
+compound_rrstream_create(isc_mem_t *mctx, rrstream_t **soa_stream,
+ rrstream_t **data_stream, rrstream_t **sp)
+{
+ compound_rrstream_t *s;
+
+ INSIST(sp != NULL && *sp == NULL);
+
+ s = isc_mem_get(mctx, sizeof(*s));
+ if (s == NULL)
+ return (ISC_R_NOMEMORY);
+ s->common.mctx = mctx;
+ s->common.methods = &compound_rrstream_methods;
+ s->components[0] = *soa_stream;
+ s->components[1] = *data_stream;
+ s->components[2] = *soa_stream;
+ s->state = -1;
+ s->result = ISC_R_FAILURE;
+
+ *soa_stream = NULL;
+ *data_stream = NULL;
+ *sp = (rrstream_t *) s;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+compound_rrstream_first(rrstream_t *rs) {
+ compound_rrstream_t *s = (compound_rrstream_t *) rs;
+ s->state = 0;
+ do {
+ rrstream_t *curstream = s->components[s->state];
+ s->result = curstream->methods->first(curstream);
+ } while (s->result == ISC_R_NOMORE && s->state < 2);
+ return (s->result);
+}
+
+static isc_result_t
+compound_rrstream_next(rrstream_t *rs) {
+ compound_rrstream_t *s = (compound_rrstream_t *) rs;
+ rrstream_t *curstream = s->components[s->state];
+ s->result = curstream->methods->next(curstream);
+ while (s->result == ISC_R_NOMORE) {
+ /*
+ * Make sure locks held by the current stream
+ * are released before we switch streams.
+ */
+ curstream->methods->pause(curstream);
+ if (s->state == 2)
+ return (ISC_R_NOMORE);
+ s->state++;
+ curstream = s->components[s->state];
+ s->result = curstream->methods->first(curstream);
+ }
+ return (s->result);
+}
+
+static void
+compound_rrstream_current(rrstream_t *rs, dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata)
+{
+ compound_rrstream_t *s = (compound_rrstream_t *) rs;
+ rrstream_t *curstream;
+ INSIST(0 <= s->state && s->state < 3);
+ INSIST(s->result == ISC_R_SUCCESS);
+ curstream = s->components[s->state];
+ curstream->methods->current(curstream, name, ttl, rdata);
+}
+
+static void
+compound_rrstream_pause(rrstream_t *rs)
+{
+ compound_rrstream_t *s = (compound_rrstream_t *) rs;
+ rrstream_t *curstream;
+ INSIST(0 <= s->state && s->state < 3);
+ curstream = s->components[s->state];
+ curstream->methods->pause(curstream);
+}
+
+static void
+compound_rrstream_destroy(rrstream_t **rsp) {
+ compound_rrstream_t *s = (compound_rrstream_t *) *rsp;
+ s->components[0]->methods->destroy(&s->components[0]);
+ s->components[1]->methods->destroy(&s->components[1]);
+ s->components[2] = NULL; /* Copy of components[0]. */
+ isc_mem_put(s->common.mctx, s, sizeof(*s));
+}
+
+static rrstream_methods_t compound_rrstream_methods = {
+ compound_rrstream_first,
+ compound_rrstream_next,
+ compound_rrstream_current,
+ compound_rrstream_pause,
+ compound_rrstream_destroy
+};
+
+/**************************************************************************/
+/*
+ * An 'xfrout_ctx_t' contains the state of an outgoing AXFR or IXFR
+ * in progress.
+ */
+
+typedef struct {
+ isc_mem_t *mctx;
+ ns_client_t *client;
+ unsigned int id; /* ID of request */
+ dns_name_t *qname; /* Question name of request */
+ dns_rdatatype_t qtype; /* dns_rdatatype_{a,i}xfr */
+ dns_rdataclass_t qclass;
+ dns_db_t *db;
+ dns_dbversion_t *ver;
+ isc_quota_t *quota;
+ rrstream_t *stream; /* The XFR RR stream */
+ isc_boolean_t end_of_stream; /* EOS has been reached */
+ isc_buffer_t buf; /* Buffer for message owner
+ names and rdatas */
+ isc_buffer_t txlenbuf; /* Transmit length buffer */
+ isc_buffer_t txbuf; /* Transmit message buffer */
+ void *txmem;
+ unsigned int txmemlen;
+ unsigned int nmsg; /* Number of messages sent */
+ dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
+ isc_buffer_t *lasttsig; /* the last TSIG */
+ isc_boolean_t many_answers;
+ int sends; /* Send in progress */
+ isc_boolean_t shuttingdown;
+ const char *mnemonic; /* Style of transfer */
+} xfrout_ctx_t;
+
+static isc_result_t
+xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
+ unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype,
+ dns_rdataclass_t qclass,
+ dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
+ rrstream_t *stream, dns_tsigkey_t *tsigkey,
+ isc_buffer_t *lasttsig,
+ unsigned int maxtime,
+ unsigned int idletime,
+ isc_boolean_t many_answers,
+ xfrout_ctx_t **xfrp);
+
+static void
+sendstream(xfrout_ctx_t *xfr);
+
+static void
+xfrout_senddone(isc_task_t *task, isc_event_t *event);
+
+static void
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg);
+
+static void
+xfrout_maybe_destroy(xfrout_ctx_t *xfr);
+
+static void
+xfrout_ctx_destroy(xfrout_ctx_t **xfrp);
+
+static void
+xfrout_client_shutdown(void *arg, isc_result_t result);
+
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename,
+ dns_rdataclass_t rdclass, int level,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+
+static void
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+/**************************************************************************/
+
+void
+ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
+ isc_result_t result;
+ dns_name_t *question_name;
+ dns_rdataset_t *question_rdataset;
+ dns_zone_t *zone = NULL;
+ dns_db_t *db = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_rdataclass_t question_class;
+ rrstream_t *soa_stream = NULL;
+ rrstream_t *data_stream = NULL;
+ rrstream_t *stream = NULL;
+ dns_difftuple_t *current_soa_tuple = NULL;
+ dns_name_t *soa_name;
+ dns_rdataset_t *soa_rdataset;
+ dns_rdata_t soa_rdata = DNS_RDATA_INIT;
+ isc_boolean_t have_soa = ISC_FALSE;
+ const char *mnemonic = NULL;
+ isc_mem_t *mctx = client->mctx;
+ dns_message_t *request = client->message;
+ xfrout_ctx_t *xfr = NULL;
+ isc_quota_t *quota = NULL;
+ dns_transfer_format_t format = client->view->transfer_format;
+ isc_netaddr_t na;
+ dns_peer_t *peer = NULL;
+ isc_buffer_t *tsigbuf = NULL;
+ char *journalfile;
+ char msg[NS_CLIENT_ACLMSGSIZE("zone transfer")];
+ char keyname[DNS_NAME_FORMATSIZE];
+ isc_boolean_t is_poll = ISC_FALSE;
+
+ switch (reqtype) {
+ case dns_rdatatype_axfr:
+ mnemonic = "AXFR";
+ break;
+ case dns_rdatatype_ixfr:
+ mnemonic = "IXFR";
+ break;
+ default:
+ INSIST(0);
+ break;
+ }
+
+ ns_client_log(client,
+ DNS_LOGCATEGORY_XFER_OUT, NS_LOGMODULE_XFER_OUT,
+ ISC_LOG_DEBUG(6), "%s request", mnemonic);
+ /*
+ * Apply quota.
+ */
+ result = isc_quota_attach(&ns_g_server->xfroutquota, &quota);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(XFROUT_COMMON_LOGARGS, ISC_LOG_WARNING,
+ "%s request denied: %s", mnemonic,
+ isc_result_totext(result));
+ goto failure;
+ }
+
+ /*
+ * Interpret the question section.
+ */
+ result = dns_message_firstname(request, DNS_SECTION_QUESTION);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /*
+ * The question section must contain exactly one question, and
+ * it must be for AXFR/IXFR as appropriate.
+ */
+ question_name = NULL;
+ dns_message_currentname(request, DNS_SECTION_QUESTION, &question_name);
+ question_rdataset = ISC_LIST_HEAD(question_name->list);
+ question_class = question_rdataset->rdclass;
+ INSIST(question_rdataset->type == reqtype);
+ if (ISC_LIST_NEXT(question_rdataset, link) != NULL)
+ FAILC(DNS_R_FORMERR, "multiple questions");
+ result = dns_message_nextname(request, DNS_SECTION_QUESTION);
+ if (result != ISC_R_NOMORE)
+ FAILC(DNS_R_FORMERR, "multiple questions");
+
+ result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
+ &zone);
+ if (result != ISC_R_SUCCESS)
+ FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+ question_name, question_class);
+ switch(dns_zone_gettype(zone)) {
+ case dns_zone_master:
+ case dns_zone_slave:
+ break; /* Master and slave zones are OK for transfer. */
+ default:
+ FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
+ question_name, question_class);
+ }
+ CHECK(dns_zone_getdb(zone, &db));
+ dns_db_currentversion(db, &ver);
+
+ xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
+ "%s question section OK", mnemonic);
+
+ /*
+ * Check the authority section. Look for a SOA record with
+ * the same name and class as the question.
+ */
+ for (result = dns_message_firstname(request, DNS_SECTION_AUTHORITY);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(request, DNS_SECTION_AUTHORITY))
+ {
+ soa_name = NULL;
+ dns_message_currentname(request, DNS_SECTION_AUTHORITY,
+ &soa_name);
+
+ /*
+ * Ignore data whose owner name is not the zone apex.
+ */
+ if (! dns_name_equal(soa_name, question_name))
+ continue;
+
+ for (soa_rdataset = ISC_LIST_HEAD(soa_name->list);
+ soa_rdataset != NULL;
+ soa_rdataset = ISC_LIST_NEXT(soa_rdataset, link))
+ {
+ /*
+ * Ignore non-SOA data.
+ */
+ if (soa_rdataset->type != dns_rdatatype_soa)
+ continue;
+ if (soa_rdataset->rdclass != question_class)
+ continue;
+
+ CHECK(dns_rdataset_first(soa_rdataset));
+ dns_rdataset_current(soa_rdataset, &soa_rdata);
+ result = dns_rdataset_next(soa_rdataset);
+ if (result == ISC_R_SUCCESS)
+ FAILC(DNS_R_FORMERR,
+ "IXFR authority section "
+ "has multiple SOAs");
+ have_soa = ISC_TRUE;
+ goto got_soa;
+ }
+ }
+ got_soa:
+ if (result != ISC_R_NOMORE)
+ CHECK(result);
+
+ xfrout_log1(client, question_name, question_class, ISC_LOG_DEBUG(6),
+ "%s authority section OK", mnemonic);
+
+ /*
+ * Decide whether to allow this transfer.
+ */
+ ns_client_aclmsg("zone transfer", question_name, reqtype,
+ client->view->rdclass, msg, sizeof(msg));
+ CHECK(ns_client_checkacl(client, msg,
+ dns_zone_getxfracl(zone), ISC_TRUE,
+ ISC_LOG_ERROR));
+
+ /*
+ * AXFR over UDP is not possible.
+ */
+ if (reqtype == dns_rdatatype_axfr &&
+ (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ FAILC(DNS_R_FORMERR, "attempted AXFR over UDP");
+
+ /*
+ * Look up the requesting server in the peer table.
+ */
+ isc_netaddr_fromsockaddr(&na, &client->peeraddr);
+ (void)dns_peerlist_peerbyaddr(client->view->peers, &na, &peer);
+
+ /*
+ * Decide on the transfer format (one-answer or many-answers).
+ */
+ if (peer != NULL)
+ (void)dns_peer_gettransferformat(peer, &format);
+
+ /*
+ * Get a dynamically allocated copy of the current SOA.
+ */
+ CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_EXISTS,
+ &current_soa_tuple));
+
+ if (reqtype == dns_rdatatype_ixfr) {
+ isc_uint32_t begin_serial, current_serial;
+ isc_boolean_t provide_ixfr;
+
+ /*
+ * Outgoing IXFR may have been disabled for this peer
+ * or globally.
+ */
+ provide_ixfr = client->view->provideixfr;
+ if (peer != NULL)
+ (void) dns_peer_getprovideixfr(peer, &provide_ixfr);
+ if (provide_ixfr == ISC_FALSE)
+ goto axfr_fallback;
+
+ if (! have_soa)
+ FAILC(DNS_R_FORMERR,
+ "IXFR request missing SOA");
+
+ begin_serial = dns_soa_getserial(&soa_rdata);
+ current_serial = dns_soa_getserial(&current_soa_tuple->rdata);
+
+ /*
+ * RFC1995 says "If an IXFR query with the same or
+ * newer version number than that of the server
+ * is received, it is replied to with a single SOA
+ * record of the server's current version, just as
+ * in AXFR". The claim about AXFR is incorrect,
+ * but other than that, we do as the RFC says.
+ *
+ * Sending a single SOA record is also how we refuse
+ * IXFR over UDP (currently, we always do).
+ */
+ if (DNS_SERIAL_GE(begin_serial, current_serial) ||
+ (client->attributes & NS_CLIENTATTR_TCP) == 0)
+ {
+ CHECK(soa_rrstream_create(mctx, db, ver, &stream));
+ is_poll = ISC_TRUE;
+ goto have_stream;
+ }
+ journalfile = dns_zone_getjournal(zone);
+ if (journalfile != NULL)
+ result = ixfr_rrstream_create(mctx,
+ journalfile,
+ begin_serial,
+ current_serial,
+ &data_stream);
+ else
+ result = ISC_R_NOTFOUND;
+ if (result == ISC_R_NOTFOUND ||
+ result == ISC_R_RANGE) {
+ xfrout_log1(client, question_name, question_class,
+ ISC_LOG_DEBUG(4),
+ "IXFR version not in journal, "
+ "falling back to AXFR");
+ mnemonic = "AXFR-style IXFR";
+ goto axfr_fallback;
+ }
+ CHECK(result);
+ } else {
+ axfr_fallback:
+ CHECK(axfr_rrstream_create(mctx, db, ver,
+ &data_stream));
+ }
+
+ /*
+ * Bracket the the data stream with SOAs.
+ */
+ CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
+ CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
+ &stream));
+ soa_stream = NULL;
+ data_stream = NULL;
+
+ have_stream:
+ CHECK(dns_message_getquerytsig(request, mctx, &tsigbuf));
+ /*
+ * Create the xfrout context object. This transfers the ownership
+ * of "stream", "db", "ver", and "quota" to the xfrout context object.
+ */
+ CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+ reqtype, question_class, db, ver, quota,
+ stream, dns_message_gettsigkey(request),
+ tsigbuf,
+ dns_zone_getmaxxfrout(zone),
+ dns_zone_getidleout(zone),
+ (format == dns_many_answers) ?
+ ISC_TRUE : ISC_FALSE,
+ &xfr));
+ xfr->mnemonic = mnemonic;
+ stream = NULL;
+ quota = NULL;
+
+ CHECK(xfr->stream->methods->first(xfr->stream));
+
+ if (xfr->tsigkey != NULL) {
+ dns_name_format(&xfr->tsigkey->name, keyname, sizeof(keyname));
+ } else
+ keyname[0] = '\0';
+ if (is_poll)
+ xfrout_log1(client, question_name, question_class,
+ ISC_LOG_DEBUG(1), "IXFR poll up to date%s%s",
+ (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
+ else
+ xfrout_log1(client, question_name, question_class,
+ ISC_LOG_INFO, "%s started%s%s", mnemonic,
+ (xfr->tsigkey != NULL) ? ": TSIG " : "", keyname);
+
+ /*
+ * Hand the context over to sendstream(). Set xfr to NULL;
+ * sendstream() is responsible for either passing the
+ * context on to a later event handler or destroying it.
+ */
+ sendstream(xfr);
+ xfr = NULL;
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (quota != NULL)
+ isc_quota_detach(&quota);
+ if (current_soa_tuple != NULL)
+ dns_difftuple_free(&current_soa_tuple);
+ if (stream != NULL)
+ stream->methods->destroy(&stream);
+ if (soa_stream != NULL)
+ soa_stream->methods->destroy(&soa_stream);
+ if (data_stream != NULL)
+ data_stream->methods->destroy(&data_stream);
+ if (ver != NULL)
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+ /* XXX kludge */
+ if (xfr != NULL) {
+ xfrout_fail(xfr, result, "setting up zone transfer");
+ } else if (result != ISC_R_SUCCESS) {
+ ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
+ NS_LOGMODULE_XFER_OUT,
+ ISC_LOG_DEBUG(3), "zone transfer setup failed");
+ ns_client_error(client, result);
+ }
+}
+
+static isc_result_t
+xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
+ dns_name_t *qname, dns_rdatatype_t qtype,
+ dns_rdataclass_t qclass,
+ dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
+ rrstream_t *stream, dns_tsigkey_t *tsigkey,
+ isc_buffer_t *lasttsig, unsigned int maxtime,
+ unsigned int idletime, isc_boolean_t many_answers,
+ xfrout_ctx_t **xfrp)
+{
+ xfrout_ctx_t *xfr;
+ isc_result_t result;
+ unsigned int len;
+ void *mem;
+
+ INSIST(xfrp != NULL && *xfrp == NULL);
+ xfr = isc_mem_get(mctx, sizeof(*xfr));
+ if (xfr == NULL)
+ return (ISC_R_NOMEMORY);
+ xfr->mctx = mctx;
+ xfr->client = NULL;
+ ns_client_attach(client, &xfr->client);
+ xfr->id = id;
+ xfr->qname = qname;
+ xfr->qtype = qtype;
+ xfr->qclass = qclass;
+ xfr->db = NULL;
+ xfr->ver = NULL;
+ dns_db_attach(db, &xfr->db);
+ dns_db_attachversion(db, ver, &xfr->ver);
+ xfr->end_of_stream = ISC_FALSE;
+ xfr->tsigkey = tsigkey;
+ xfr->lasttsig = lasttsig;
+ xfr->txmem = NULL;
+ xfr->txmemlen = 0;
+ xfr->nmsg = 0;
+ xfr->many_answers = many_answers,
+ xfr->sends = 0;
+ xfr->shuttingdown = ISC_FALSE;
+ xfr->mnemonic = NULL;
+ xfr->buf.base = NULL;
+ xfr->buf.length = 0;
+ xfr->txmem = NULL;
+ xfr->txmemlen = 0;
+ xfr->stream = NULL;
+ xfr->quota = NULL;
+
+ /*
+ * Allocate a temporary buffer for the uncompressed response
+ * message data. The size should be no more than 65535 bytes
+ * so that the compressed data will fit in a TCP message,
+ * and no less than 65535 bytes so that an almost maximum-sized
+ * RR will fit. Note that although 65535-byte RRs are allowed
+ * in principle, they cannot be zone-transferred (at least not
+ * if uncompressible), because the message and RR headers would
+ * push the size of the TCP message over the 65536 byte limit.
+ */
+ len = 65535;
+ mem = isc_mem_get(mctx, len);
+ if (mem == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ isc_buffer_init(&xfr->buf, mem, len);
+
+ /*
+ * Allocate another temporary buffer for the compressed
+ * response message and its TCP length prefix.
+ */
+ len = 2 + 65535;
+ mem = isc_mem_get(mctx, len);
+ if (mem == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ isc_buffer_init(&xfr->txlenbuf, mem, 2);
+ isc_buffer_init(&xfr->txbuf, (char *) mem + 2, len - 2);
+ xfr->txmem = mem;
+ xfr->txmemlen = len;
+
+ CHECK(dns_timer_setidle(xfr->client->timer,
+ maxtime, idletime, ISC_FALSE));
+
+ /*
+ * Register a shutdown callback with the client, so that we
+ * can stop the transfer immediately when the client task
+ * gets a shutdown event.
+ */
+ xfr->client->shutdown = xfrout_client_shutdown;
+ xfr->client->shutdown_arg = xfr;
+ /*
+ * These MUST be after the last "goto failure;" / CHECK to
+ * prevent a double free by the caller.
+ */
+ xfr->quota = quota;
+ xfr->stream = stream;
+
+ *xfrp = xfr;
+ return (ISC_R_SUCCESS);
+
+failure:
+ xfrout_ctx_destroy(&xfr);
+ return (result);
+}
+
+
+/*
+ * Arrange to send as much as we can of "stream" without blocking.
+ *
+ * Requires:
+ * The stream iterator is initialized and points at an RR,
+ * or possiby at the end of the stream (that is, the
+ * _first method of the iterator has been called).
+ */
+static void
+sendstream(xfrout_ctx_t *xfr) {
+ dns_message_t *tcpmsg = NULL;
+ dns_message_t *msg = NULL; /* Client message if UDP, tcpmsg if TCP */
+ isc_result_t result;
+ isc_region_t used;
+ isc_region_t region;
+ dns_rdataset_t *qrdataset;
+ dns_name_t *msgname = NULL;
+ dns_rdata_t *msgrdata = NULL;
+ dns_rdatalist_t *msgrdl = NULL;
+ dns_rdataset_t *msgrds = NULL;
+ dns_compress_t cctx;
+ isc_boolean_t cleanup_cctx = ISC_FALSE;
+
+ int n_rrs;
+
+ isc_buffer_clear(&xfr->buf);
+ isc_buffer_clear(&xfr->txlenbuf);
+ isc_buffer_clear(&xfr->txbuf);
+
+ if ((xfr->client->attributes & NS_CLIENTATTR_TCP) == 0) {
+ /*
+ * In the UDP case, we put the response data directly into
+ * the client message.
+ */
+ msg = xfr->client->message;
+ CHECK(dns_message_reply(msg, ISC_TRUE));
+ } else {
+ /*
+ * TCP. Build a response dns_message_t, temporarily storing
+ * the raw, uncompressed owner names and RR data contiguously
+ * in xfr->buf. We know that if the uncompressed data fits
+ * in xfr->buf, the compressed data will surely fit in a TCP
+ * message.
+ */
+
+ CHECK(dns_message_create(xfr->mctx,
+ DNS_MESSAGE_INTENTRENDER, &tcpmsg));
+ msg = tcpmsg;
+
+ msg->id = xfr->id;
+ msg->rcode = dns_rcode_noerror;
+ msg->flags = DNS_MESSAGEFLAG_QR | DNS_MESSAGEFLAG_AA;
+ if ((xfr->client->attributes & NS_CLIENTATTR_RA) != 0)
+ msg->flags |= DNS_MESSAGEFLAG_RA;
+ CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+ CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+
+ /*
+ * Include a question section in the first message only.
+ * BIND 8.2.1 will not recognize an IXFR if it does not
+ * have a question section.
+ */
+ if (xfr->nmsg == 0) {
+ dns_name_t *qname = NULL;
+ isc_region_t r;
+
+ /*
+ * Reserve space for the 12-byte message header
+ * and 4 bytes of question.
+ */
+ isc_buffer_add(&xfr->buf, 12 + 4);
+
+ qrdataset = NULL;
+ result = dns_message_gettemprdataset(msg, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset,
+ xfr->client->message->rdclass,
+ xfr->qtype);
+
+ result = dns_message_gettempname(msg, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ dns_name_init(qname, NULL);
+ isc_buffer_availableregion(&xfr->buf, &r);
+ INSIST(r.length >= xfr->qname->length);
+ r.length = xfr->qname->length;
+ isc_buffer_putmem(&xfr->buf, xfr->qname->ndata,
+ xfr->qname->length);
+ dns_name_fromregion(qname, &r);
+ ISC_LIST_INIT(qname->list);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+
+ dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+ }
+ else
+ msg->tcp_continuation = 1;
+ }
+
+ /*
+ * Try to fit in as many RRs as possible, unless "one-answer"
+ * format has been requested.
+ */
+ for (n_rrs = 0; ; n_rrs++) {
+ dns_name_t *name = NULL;
+ isc_uint32_t ttl;
+ dns_rdata_t *rdata = NULL;
+
+ unsigned int size;
+ isc_region_t r;
+
+ msgname = NULL;
+ msgrdata = NULL;
+ msgrdl = NULL;
+ msgrds = NULL;
+
+ xfr->stream->methods->current(xfr->stream,
+ &name, &ttl, &rdata);
+ size = name->length + 10 + rdata->length;
+ isc_buffer_availableregion(&xfr->buf, &r);
+ if (size >= r.length) {
+ /*
+ * RR would not fit. If there are other RRs in the
+ * buffer, send them now and leave this RR to the
+ * next message. If this RR overflows the buffer
+ * all by itself, fail.
+ *
+ * In theory some RRs might fit in a TCP message
+ * when compressed even if they do not fit when
+ * uncompressed, but surely we don't want
+ * to send such monstrosities to an unsuspecting
+ * slave.
+ */
+ if (n_rrs == 0) {
+ xfrout_log(xfr, ISC_LOG_WARNING,
+ "RR too large for zone transfer "
+ "(%d bytes)", size);
+ /* XXX DNS_R_RRTOOLARGE? */
+ result = ISC_R_NOSPACE;
+ goto failure;
+ }
+ break;
+ }
+
+ if (isc_log_wouldlog(ns_g_lctx, XFROUT_RR_LOGLEVEL))
+ log_rr(name, rdata, ttl); /* XXX */
+
+ result = dns_message_gettempname(msg, &msgname);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ dns_name_init(msgname, NULL);
+ isc_buffer_availableregion(&xfr->buf, &r);
+ INSIST(r.length >= name->length);
+ r.length = name->length;
+ isc_buffer_putmem(&xfr->buf, name->ndata, name->length);
+ dns_name_fromregion(msgname, &r);
+
+ /* Reserve space for RR header. */
+ isc_buffer_add(&xfr->buf, 10);
+
+ result = dns_message_gettemprdata(msg, &msgrdata);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ isc_buffer_availableregion(&xfr->buf, &r);
+ r.length = rdata->length;
+ isc_buffer_putmem(&xfr->buf, rdata->data, rdata->length);
+ dns_rdata_init(msgrdata);
+ dns_rdata_fromregion(msgrdata,
+ rdata->rdclass, rdata->type, &r);
+
+ result = dns_message_gettemprdatalist(msg, &msgrdl);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ msgrdl->type = rdata->type;
+ msgrdl->rdclass = rdata->rdclass;
+ msgrdl->ttl = ttl;
+ ISC_LINK_INIT(msgrdl, link);
+ ISC_LIST_INIT(msgrdl->rdata);
+ ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
+
+ result = dns_message_gettemprdataset(msg, &msgrds);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ dns_rdataset_init(msgrds);
+ result = dns_rdatalist_tordataset(msgrdl, msgrds);
+ INSIST(result == ISC_R_SUCCESS);
+
+ ISC_LIST_APPEND(msgname->list, msgrds, link);
+
+ dns_message_addname(msg, msgname, DNS_SECTION_ANSWER);
+ msgname = NULL;
+
+ result = xfr->stream->methods->next(xfr->stream);
+ if (result == ISC_R_NOMORE) {
+ xfr->end_of_stream = ISC_TRUE;
+ break;
+ }
+ CHECK(result);
+
+ if (! xfr->many_answers)
+ break;
+ }
+
+ if ((xfr->client->attributes & NS_CLIENTATTR_TCP) != 0) {
+ CHECK(dns_compress_init(&cctx, -1, xfr->mctx));
+ cleanup_cctx = ISC_TRUE;
+ CHECK(dns_message_renderbegin(msg, &cctx, &xfr->txbuf));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
+ CHECK(dns_message_renderend(msg));
+ dns_compress_invalidate(&cctx);
+ cleanup_cctx = ISC_FALSE;
+
+ isc_buffer_usedregion(&xfr->txbuf, &used);
+ isc_buffer_putuint16(&xfr->txlenbuf,
+ (isc_uint16_t)used.length);
+ region.base = xfr->txlenbuf.base;
+ region.length = 2 + used.length;
+ xfrout_log(xfr, ISC_LOG_DEBUG(8),
+ "sending TCP message of %d bytes",
+ used.length);
+ CHECK(isc_socket_send(xfr->client->tcpsocket, /* XXX */
+ &region, xfr->client->task,
+ xfrout_senddone,
+ xfr));
+ xfr->sends++;
+ } else {
+ xfrout_log(xfr, ISC_LOG_DEBUG(8), "sending IXFR UDP response");
+ ns_client_send(xfr->client);
+ xfr->stream->methods->pause(xfr->stream);
+ xfrout_ctx_destroy(&xfr);
+ return;
+ }
+
+ /* Advance lasttsig to be the last TSIG generated */
+ CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+
+ xfr->nmsg++;
+
+ failure:
+ if (msgname != NULL) {
+ if (msgrds != NULL) {
+ if (dns_rdataset_isassociated(msgrds))
+ dns_rdataset_disassociate(msgrds);
+ dns_message_puttemprdataset(msg, &msgrds);
+ }
+ if (msgrdl != NULL) {
+ ISC_LIST_UNLINK(msgrdl->rdata, msgrdata, link);
+ dns_message_puttemprdatalist(msg, &msgrdl);
+ }
+ if (msgrdata != NULL)
+ dns_message_puttemprdata(msg, &msgrdata);
+ dns_message_puttempname(msg, &msgname);
+ }
+
+ if (tcpmsg != NULL)
+ dns_message_destroy(&tcpmsg);
+
+ if (cleanup_cctx)
+ dns_compress_invalidate(&cctx);
+ /*
+ * Make sure to release any locks held by database
+ * iterators before returning from the event handler.
+ */
+ xfr->stream->methods->pause(xfr->stream);
+
+ if (result == ISC_R_SUCCESS)
+ return;
+
+ xfrout_fail(xfr, result, "sending zone data");
+}
+
+static void
+xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
+ xfrout_ctx_t *xfr = *xfrp;
+
+ INSIST(xfr->sends == 0);
+
+ xfr->client->shutdown = NULL;
+ xfr->client->shutdown_arg = NULL;
+
+ if (xfr->stream != NULL)
+ xfr->stream->methods->destroy(&xfr->stream);
+ if (xfr->buf.base != NULL)
+ isc_mem_put(xfr->mctx, xfr->buf.base, xfr->buf.length);
+ if (xfr->txmem != NULL)
+ isc_mem_put(xfr->mctx, xfr->txmem, xfr->txmemlen);
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+ if (xfr->quota != NULL)
+ isc_quota_detach(&xfr->quota);
+ if (xfr->ver != NULL)
+ dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
+ if (xfr->db != NULL)
+ dns_db_detach(&xfr->db);
+
+ ns_client_detach(&xfr->client);
+
+ isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
+
+ *xfrp = NULL;
+}
+
+static void
+xfrout_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sev = (isc_socketevent_t *)event;
+ xfrout_ctx_t *xfr = (xfrout_ctx_t *)event->ev_arg;
+ isc_result_t evresult = sev->result;
+
+ UNUSED(task);
+
+ INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+ isc_event_free(&event);
+ xfr->sends--;
+ INSIST(xfr->sends == 0);
+
+ (void)isc_timer_touch(xfr->client->timer);
+ if (xfr->shuttingdown == ISC_TRUE) {
+ xfrout_maybe_destroy(xfr);
+ } else if (evresult != ISC_R_SUCCESS) {
+ xfrout_fail(xfr, evresult, "send");
+ } else if (xfr->end_of_stream == ISC_FALSE) {
+ sendstream(xfr);
+ } else {
+ /* End of zone transfer stream. */
+ xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
+ ns_client_next(xfr->client, ISC_R_SUCCESS);
+ xfrout_ctx_destroy(&xfr);
+ }
+}
+
+static void
+xfrout_fail(xfrout_ctx_t *xfr, isc_result_t result, const char *msg) {
+ xfr->shuttingdown = ISC_TRUE;
+ xfrout_log(xfr, ISC_LOG_ERROR, "%s: %s",
+ msg, isc_result_totext(result));
+ xfrout_maybe_destroy(xfr);
+}
+
+static void
+xfrout_maybe_destroy(xfrout_ctx_t *xfr) {
+ INSIST(xfr->shuttingdown == ISC_TRUE);
+ if (xfr->sends > 0) {
+ /*
+ * If we are currently sending, cancel it and wait for
+ * cancel event before destroying the context.
+ */
+ isc_socket_cancel(xfr->client->tcpsocket, xfr->client->task,
+ ISC_SOCKCANCEL_SEND);
+ } else {
+ ns_client_next(xfr->client, ISC_R_CANCELED);
+ xfrout_ctx_destroy(&xfr);
+ }
+}
+
+static void
+xfrout_client_shutdown(void *arg, isc_result_t result) {
+ xfrout_ctx_t *xfr = (xfrout_ctx_t *) arg;
+ xfrout_fail(xfr, result, "aborted");
+}
+
+/*
+ * Log outgoing zone transfer messages in a format like
+ * <client>: transfer of <zone>: <message>
+ */
+
+static void
+xfrout_logv(ns_client_t *client, dns_name_t *zonename,
+ dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
+ ISC_FORMAT_PRINTF(5, 0);
+
+static void
+xfrout_logv(ns_client_t *client, dns_name_t *zonename,
+ dns_rdataclass_t rdclass, int level, const char *fmt, va_list ap)
+{
+ char msgbuf[2048];
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char classbuf[DNS_RDATACLASS_FORMATSIZE];
+
+ dns_name_format(zonename, namebuf, sizeof(namebuf));
+ dns_rdataclass_format(rdclass, classbuf, sizeof(classbuf));
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT,
+ NS_LOGMODULE_XFER_OUT, level,
+ "transfer of '%s/%s': %s", namebuf, classbuf, msgbuf);
+}
+
+/*
+ * Logging function for use when a xfrout_ctx_t has not yet been created.
+ */
+static void
+xfrout_log1(ns_client_t *client, dns_name_t *zonename,
+ dns_rdataclass_t rdclass, int level, const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+ xfrout_logv(client, zonename, rdclass, level, fmt, ap);
+ va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrout_ctx_t.
+ */
+static void
+xfrout_log(xfrout_ctx_t *xfr, unsigned int level, const char *fmt, ...) {
+ va_list ap;
+ va_start(ap, fmt);
+ xfrout_logv(xfr->client, xfr->qname, xfr->qclass, level, fmt, ap);
+ va_end(ap);
+}
diff --git a/contrib/bind9/bin/named/zoneconf.c b/contrib/bind9/bin/named/zoneconf.c
new file mode 100644
index 0000000..afafa53
--- /dev/null
+++ b/contrib/bind9/bin/named/zoneconf.c
@@ -0,0 +1,729 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zoneconf.c,v 1.87.2.4.10.13 2004/04/20 14:12:09 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdatatype.h>
+#include <dns/ssu.h>
+#include <dns/view.h>
+#include <dns/zone.h>
+
+#include <named/config.h>
+#include <named/globals.h>
+#include <named/log.h>
+#include <named/server.h>
+#include <named/zoneconf.h>
+
+/*
+ * These are BIND9 server defaults, not necessarily identical to the
+ * library defaults defined in zone.c.
+ */
+#define RETERR(x) do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+/*
+ * Convenience function for configuring a single zone ACL.
+ */
+static isc_result_t
+configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config,
+ const char *aclname, ns_aclconfctx_t *actx,
+ dns_zone_t *zone,
+ void (*setzacl)(dns_zone_t *, dns_acl_t *),
+ void (*clearzacl)(dns_zone_t *))
+{
+ isc_result_t result;
+ cfg_obj_t *maps[4];
+ cfg_obj_t *aclobj = NULL;
+ int i = 0;
+ dns_acl_t *dacl = NULL;
+
+ if (zconfig != NULL)
+ maps[i++] = cfg_tuple_get(zconfig, "options");
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (config != NULL) {
+ cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ maps[i++] = options;
+ }
+ maps[i] = NULL;
+
+ result = ns_config_get(maps, aclname, &aclobj);
+ if (aclobj == NULL) {
+ (*clearzacl)(zone);
+ return (ISC_R_SUCCESS);
+ }
+
+ result = ns_acl_fromconfig(aclobj, config, actx,
+ dns_zone_getmctx(zone), &dacl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ (*setzacl)(zone, dacl);
+ dns_acl_detach(&dacl);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Parse the zone update-policy statement.
+ */
+static isc_result_t
+configure_zone_ssutable(cfg_obj_t *zconfig, dns_zone_t *zone) {
+ cfg_obj_t *updatepolicy = NULL;
+ cfg_listelt_t *element, *element2;
+ dns_ssutable_t *table = NULL;
+ isc_mem_t *mctx = dns_zone_getmctx(zone);
+ isc_result_t result;
+
+ (void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
+ if (updatepolicy == NULL)
+ return (ISC_R_SUCCESS);
+
+ result = dns_ssutable_create(mctx, &table);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ for (element = cfg_list_first(updatepolicy);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *stmt = cfg_listelt_value(element);
+ cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
+ cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
+ cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
+ cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
+ cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+ char *str;
+ isc_boolean_t grant = ISC_FALSE;
+ unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
+ dns_fixedname_t fname, fident;
+ isc_buffer_t b;
+ dns_rdatatype_t *types;
+ unsigned int i, n;
+
+ str = cfg_obj_asstring(mode);
+ if (strcasecmp(str, "grant") == 0)
+ grant = ISC_TRUE;
+ else if (strcasecmp(str, "deny") == 0)
+ grant = ISC_FALSE;
+ else
+ INSIST(0);
+
+ str = cfg_obj_asstring(matchtype);
+ if (strcasecmp(str, "name") == 0)
+ mtype = DNS_SSUMATCHTYPE_NAME;
+ else if (strcasecmp(str, "subdomain") == 0)
+ mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
+ else if (strcasecmp(str, "wildcard") == 0)
+ mtype = DNS_SSUMATCHTYPE_WILDCARD;
+ else if (strcasecmp(str, "self") == 0)
+ mtype = DNS_SSUMATCHTYPE_SELF;
+ else
+ INSIST(0);
+
+ dns_fixedname_init(&fident);
+ str = cfg_obj_asstring(identity);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ goto cleanup;
+ }
+
+ dns_fixedname_init(&fname);
+ str = cfg_obj_asstring(dname);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "'%s' is not a valid name", str);
+ goto cleanup;
+ }
+
+ n = ns_config_listcount(typelist);
+ if (n == 0)
+ types = NULL;
+ else {
+ types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
+ if (types == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ }
+
+ i = 0;
+ for (element2 = cfg_list_first(typelist);
+ element2 != NULL;
+ element2 = cfg_list_next(element2))
+ {
+ cfg_obj_t *typeobj;
+ isc_textregion_t r;
+
+ INSIST(i < n);
+
+ typeobj = cfg_listelt_value(element2);
+ str = cfg_obj_asstring(typeobj);
+ r.base = str;
+ r.length = strlen(str);
+
+ result = dns_rdatatype_fromtext(&types[i++], &r);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
+ "'%s' is not a valid type", str);
+ isc_mem_put(mctx, types,
+ n * sizeof(dns_rdatatype_t));
+ goto cleanup;
+ }
+ }
+ INSIST(i == n);
+
+ result = dns_ssutable_addrule(table, grant,
+ dns_fixedname_name(&fident),
+ mtype,
+ dns_fixedname_name(&fname),
+ n, types);
+ if (types != NULL)
+ isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
+ if (result != ISC_R_SUCCESS) {
+ goto cleanup;
+ }
+
+ }
+
+ result = ISC_R_SUCCESS;
+ dns_zone_setssutable(zone, table);
+
+ cleanup:
+ dns_ssutable_detach(&table);
+ return (result);
+}
+
+/*
+ * Convert a config file zone type into a server zone type.
+ */
+static inline dns_zonetype_t
+zonetype_fromconfig(cfg_obj_t *map) {
+ cfg_obj_t *obj = NULL;
+ isc_result_t result;
+
+ result = cfg_map_get(map, "type", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ return (ns_config_getzonetype(obj));
+}
+
+/*
+ * Helper function for strtoargv(). Pardon the gratuitous recursion.
+ */
+static isc_result_t
+strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
+ char ***argvp, unsigned int n)
+{
+ isc_result_t result;
+
+ /* Discard leading whitespace. */
+ while (*s == ' ' || *s == '\t')
+ s++;
+
+ if (*s == '\0') {
+ /* We have reached the end of the string. */
+ *argcp = n;
+ *argvp = isc_mem_get(mctx, n * sizeof(char *));
+ if (*argvp == NULL)
+ return (ISC_R_NOMEMORY);
+ } else {
+ char *p = s;
+ while (*p != ' ' && *p != '\t' && *p != '\0')
+ p++;
+ if (*p != '\0')
+ *p++ = '\0';
+
+ result = strtoargvsub(mctx, p, argcp, argvp, n + 1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ (*argvp)[n] = s;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Tokenize the string "s" into whitespace-separated words,
+ * return the number of words in '*argcp' and an array
+ * of pointers to the words in '*argvp'. The caller
+ * must free the array using isc_mem_put(). The string
+ * is modified in-place.
+ */
+static isc_result_t
+strtoargv(isc_mem_t *mctx, char *s, unsigned int *argcp, char ***argvp) {
+ return (strtoargvsub(mctx, s, argcp, argvp, 0));
+}
+
+static void
+checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) {
+ const char *zone = NULL;
+ isc_result_t result;
+
+ switch (ztype) {
+ case dns_zone_slave: zone = "slave"; break;
+ case dns_zone_master: zone = "master"; break;
+ default:
+ INSIST(0);
+ }
+ result = ns_checknames_get(maps, zone, objp);
+ INSIST(result == ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig,
+ ns_aclconfctx_t *ac, dns_zone_t *zone)
+{
+ isc_result_t result;
+ char *zname;
+ dns_rdataclass_t zclass;
+ dns_rdataclass_t vclass;
+ cfg_obj_t *maps[5];
+ cfg_obj_t *zoptions = NULL;
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *obj;
+ const char *filename = NULL;
+ dns_notifytype_t notifytype = dns_notifytype_yes;
+ isc_sockaddr_t *addrs;
+ dns_name_t **keynames;
+ isc_uint32_t count;
+ char *cpval;
+ unsigned int dbargc;
+ char **dbargv;
+ static char default_dbtype[] = "rbt";
+ isc_mem_t *mctx = dns_zone_getmctx(zone);
+ dns_dialuptype_t dialup = dns_dialuptype_no;
+ dns_zonetype_t ztype;
+ int i;
+ isc_int32_t journal_size;
+ isc_boolean_t multi;
+ isc_boolean_t alt;
+ dns_view_t *view;
+ isc_boolean_t check = ISC_FALSE, fail = ISC_FALSE;
+
+ i = 0;
+ if (zconfig != NULL) {
+ zoptions = cfg_tuple_get(zconfig, "options");
+ maps[i++] = zoptions;
+ }
+ if (vconfig != NULL)
+ maps[i++] = cfg_tuple_get(vconfig, "options");
+ if (config != NULL) {
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ maps[i++] = options;
+ }
+ maps[i++] = ns_g_defaults;
+ maps[i++] = NULL;
+
+ if (vconfig != NULL)
+ RETERR(ns_config_getclass(cfg_tuple_get(vconfig, "class"),
+ dns_rdataclass_in, &vclass));
+ else
+ vclass = dns_rdataclass_in;
+
+ /*
+ * Configure values common to all zone types.
+ */
+
+ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+ RETERR(ns_config_getclass(cfg_tuple_get(zconfig, "class"),
+ vclass, &zclass));
+ dns_zone_setclass(zone, zclass);
+
+ ztype = zonetype_fromconfig(zoptions);
+ dns_zone_settype(zone, ztype);
+
+ obj = NULL;
+ result = cfg_map_get(zoptions, "database", &obj);
+ if (result == ISC_R_SUCCESS)
+ cpval = cfg_obj_asstring(obj);
+ else
+ cpval = default_dbtype;
+ RETERR(strtoargv(mctx, cpval, &dbargc, &dbargv));
+ /*
+ * ANSI C is strange here. There is no logical reason why (char **)
+ * cannot be promoted automatically to (const char * const *) by the
+ * compiler w/o generating a warning.
+ */
+ RETERR(dns_zone_setdbtype(zone, dbargc, (const char * const *)dbargv));
+ isc_mem_put(mctx, dbargv, dbargc * sizeof(*dbargv));
+
+ obj = NULL;
+ result = cfg_map_get(zoptions, "file", &obj);
+ if (result == ISC_R_SUCCESS)
+ filename = cfg_obj_asstring(obj);
+ RETERR(dns_zone_setfile(zone, filename));
+
+ if (ztype == dns_zone_slave)
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ "allow-notify", ac, zone,
+ dns_zone_setnotifyacl,
+ dns_zone_clearnotifyacl));
+ /*
+ * XXXAG This probably does not make sense for stubs.
+ */
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ "allow-query", ac, zone,
+ dns_zone_setqueryacl,
+ dns_zone_clearqueryacl));
+
+ obj = NULL;
+ result = ns_config_get(maps, "dialup", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_isboolean(obj)) {
+ if (cfg_obj_asboolean(obj))
+ dialup = dns_dialuptype_yes;
+ else
+ dialup = dns_dialuptype_no;
+ } else {
+ char *dialupstr = cfg_obj_asstring(obj);
+ if (strcasecmp(dialupstr, "notify") == 0)
+ dialup = dns_dialuptype_notify;
+ else if (strcasecmp(dialupstr, "notify-passive") == 0)
+ dialup = dns_dialuptype_notifypassive;
+ else if (strcasecmp(dialupstr, "refresh") == 0)
+ dialup = dns_dialuptype_refresh;
+ else if (strcasecmp(dialupstr, "passive") == 0)
+ dialup = dns_dialuptype_passive;
+ else
+ INSIST(0);
+ }
+ dns_zone_setdialup(zone, dialup);
+
+ obj = NULL;
+ result = ns_config_get(maps, "zone-statistics", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
+
+ /*
+ * Configure master functionality. This applies
+ * to primary masters (type "master") and slaves
+ * acting as masters (type "slave"), but not to stubs.
+ */
+ if (ztype != dns_zone_stub) {
+ obj = NULL;
+ result = ns_config_get(maps, "notify", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ if (cfg_obj_isboolean(obj)) {
+ if (cfg_obj_asboolean(obj))
+ notifytype = dns_notifytype_yes;
+ else
+ notifytype = dns_notifytype_no;
+ } else {
+ char *notifystr = cfg_obj_asstring(obj);
+ if (strcasecmp(notifystr, "explicit") == 0)
+ notifytype = dns_notifytype_explicit;
+ else
+ INSIST(0);
+ }
+ dns_zone_setnotifytype(zone, notifytype);
+
+ obj = NULL;
+ result = ns_config_get(maps, "also-notify", &obj);
+ if (result == ISC_R_SUCCESS) {
+ isc_sockaddr_t *addrs = NULL;
+ isc_uint32_t addrcount;
+ result = ns_config_getiplist(config, obj, 0, mctx,
+ &addrs, &addrcount);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_zone_setalsonotify(zone, addrs,
+ addrcount);
+ ns_config_putiplist(mctx, &addrs, addrcount);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else
+ RETERR(dns_zone_setalsonotify(zone, NULL, 0));
+
+ obj = NULL;
+ result = ns_config_get(maps, "notify-source", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setnotifysrc4(zone, cfg_obj_assockaddr(obj)));
+ ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "notify-source-v6", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
+ ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ "allow-transfer", ac, zone,
+ dns_zone_setxfracl,
+ dns_zone_clearxfracl));
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-transfer-time-out", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setmaxxfrout(zone, cfg_obj_asuint32(obj) * 60);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-transfer-idle-out", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setidleout(zone, cfg_obj_asuint32(obj) * 60);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-journal-size", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setjournalsize(zone, -1);
+ if (cfg_obj_isstring(obj)) {
+ const char *str = cfg_obj_asstring(obj);
+ INSIST(strcasecmp(str, "unlimited") == 0);
+ journal_size = ISC_UINT32_MAX / 2;
+ } else {
+ isc_resourcevalue_t value;
+ value = cfg_obj_asuint64(obj);
+ if (value > ISC_UINT32_MAX / 2) {
+ cfg_obj_log(obj, ns_g_lctx,
+ ISC_LOG_ERROR,
+ "'max-journal-size "
+ "%" ISC_PRINT_QUADFORMAT "d' "
+ "is too large",
+ value);
+ RETERR(ISC_R_RANGE);
+ }
+ journal_size = (isc_uint32_t)value;
+ }
+ dns_zone_setjournalsize(zone, journal_size);
+
+ obj = NULL;
+ result = ns_config_get(maps, "ixfr-from-differences", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setoption(zone, DNS_ZONEOPT_IXFRFROMDIFFS,
+ cfg_obj_asboolean(obj));
+
+ checknames(ztype, maps, &obj);
+ INSIST(obj != NULL);
+ if (strcasecmp(cfg_obj_asstring(obj), "warn") == 0) {
+ fail = ISC_FALSE;
+ check = ISC_TRUE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "fail") == 0) {
+ fail = check = ISC_TRUE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "ignore") == 0) {
+ fail = check = ISC_FALSE;
+ } else
+ INSIST(0);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMES, check);
+ dns_zone_setoption(zone, DNS_ZONEOPT_CHECKNAMESFAIL, fail);
+ }
+
+ /*
+ * Configure update-related options. These apply to
+ * primary masters only.
+ */
+ if (ztype == dns_zone_master) {
+ dns_acl_t *updateacl;
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ "allow-update", ac, zone,
+ dns_zone_setupdateacl,
+ dns_zone_clearupdateacl));
+
+ updateacl = dns_zone_getupdateacl(zone);
+ if (updateacl != NULL && dns_acl_isinsecure(updateacl))
+ isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+ "zone '%s' allows updates by IP "
+ "address, which is insecure",
+ zname);
+
+ RETERR(configure_zone_ssutable(zoptions, zone));
+
+ obj = NULL;
+ result = ns_config_get(maps, "sig-validity-interval", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setsigvalidityinterval(zone,
+ cfg_obj_asuint32(obj) * 86400);
+
+ obj = NULL;
+ result = ns_config_get(maps, "key-directory", &obj);
+ if (result == ISC_R_SUCCESS) {
+ filename = cfg_obj_asstring(obj);
+ if (!isc_file_isabsolute(filename)) {
+ cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
+ "key-directory '%s' "
+ "is not absolute", filename);
+ return (ISC_R_FAILURE);
+ }
+ RETERR(dns_zone_setkeydirectory(zone, filename));
+ }
+
+ } else if (ztype == dns_zone_slave) {
+ RETERR(configure_zone_acl(zconfig, vconfig, config,
+ "allow-update-forwarding", ac, zone,
+ dns_zone_setforwardacl,
+ dns_zone_clearforwardacl));
+ }
+
+ /*
+ * Configure slave functionality.
+ */
+ switch (ztype) {
+ case dns_zone_slave:
+ case dns_zone_stub:
+ obj = NULL;
+ result = cfg_map_get(zoptions, "masters", &obj);
+ if (obj != NULL) {
+ addrs = NULL;
+ keynames = NULL;
+ RETERR(ns_config_getipandkeylist(config, obj, mctx,
+ &addrs, &keynames,
+ &count));
+ result = dns_zone_setmasterswithkeys(zone, addrs,
+ keynames, count);
+ ns_config_putipandkeylist(mctx, &addrs, &keynames,
+ count);
+ } else
+ result = dns_zone_setmasters(zone, NULL, 0);
+ RETERR(result);
+
+ multi = ISC_FALSE;
+ if (count > 1) {
+ obj = NULL;
+ result = ns_config_get(maps, "multi-master", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ multi = cfg_obj_asboolean(obj);
+ }
+ dns_zone_setoption(zone, DNS_ZONEOPT_MULTIMASTER, multi);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-transfer-time-in", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setmaxxfrin(zone, cfg_obj_asuint32(obj) * 60);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-transfer-idle-in", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setidlein(zone, cfg_obj_asuint32(obj) * 60);
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-refresh-time", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setmaxrefreshtime(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "min-refresh-time", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setminrefreshtime(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "max-retry-time", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setmaxretrytime(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "min-retry-time", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_zone_setminretrytime(zone, cfg_obj_asuint32(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "transfer-source", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setxfrsource4(zone, cfg_obj_assockaddr(obj)));
+ ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "transfer-source-v6", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setxfrsource6(zone, cfg_obj_assockaddr(obj)));
+ ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
+
+ obj = NULL;
+ result = ns_config_get(maps, "alt-transfer-source", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setaltxfrsource4(zone, cfg_obj_assockaddr(obj)));
+
+ obj = NULL;
+ result = ns_config_get(maps, "alt-transfer-source-v6", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ RETERR(dns_zone_setaltxfrsource6(zone, cfg_obj_assockaddr(obj)));
+
+ obj = NULL;
+ (void)ns_config_get(maps, "use-alt-transfer-source", &obj);
+ if (obj == NULL) {
+ /*
+ * Default off when views are in use otherwise
+ * on for BIND 8 compatibility.
+ */
+ view = dns_zone_getview(zone);
+ if (view != NULL && strcmp(view->name, "_default") == 0)
+ alt = ISC_TRUE;
+ else
+ alt = ISC_FALSE;
+ } else
+ alt = cfg_obj_asboolean(obj);
+ dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
+
+ break;
+
+ default:
+ break;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+ns_zone_reusable(dns_zone_t *zone, cfg_obj_t *zconfig) {
+ cfg_obj_t *zoptions = NULL;
+ cfg_obj_t *obj = NULL;
+ const char *cfilename;
+ const char *zfilename;
+
+ zoptions = cfg_tuple_get(zconfig, "options");
+
+ if (zonetype_fromconfig(zoptions) != dns_zone_gettype(zone))
+ return (ISC_FALSE);
+
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "file", &obj);
+ if (obj != NULL)
+ cfilename = cfg_obj_asstring(obj);
+ else
+ cfilename = NULL;
+ zfilename = dns_zone_getfile(zone);
+ if (!((cfilename == NULL && zfilename == NULL) ||
+ (cfilename != NULL && zfilename != NULL &&
+ strcmp(cfilename, zfilename) == 0)))
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
diff --git a/contrib/bind9/bin/nsupdate/Makefile.in b/contrib/bind9/bin/nsupdate/Makefile.in
new file mode 100644
index 0000000..2652628
--- /dev/null
+++ b/contrib/bind9/bin/nsupdate/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.15.12.10 2004/07/20 07:01:49 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
+ ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+
+DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}
+
+LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} ${ISCCFGLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = nsupdate@EXEEXT@
+
+OBJS = nsupdate.@O@
+
+UOBJS =
+
+SRCS = nsupdate.c
+
+MANPAGES = nsupdate.8
+
+HTMLPAGES = nsupdate.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+nsupdate@EXEEXT@: nsupdate.@O@ ${UOBJS} ${DEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsupdate.@O@ ${UOBJS} ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+clean distclean::
+ rm -f ${TARGETS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: nsupdate@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsupdate@EXEEXT@ ${DESTDIR}${bindir}
+ ${INSTALL_DATA} ${srcdir}/nsupdate.8 ${DESTDIR}${mandir}/man8
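Review bot: `DEPLIBS` leaves out `${LWRESDEPLIBS}`, although `LIBS` links `${LWRESLIBS}` and `LWRESDEPLIBS` is defined a few lines above it and never used in this file. The `nsupdate@EXEEXT@` rule takes its library prerequisites only from `${DEPLIBS}`, so rebuilding `liblwres` does not trigger a relink. If `@A@` resolves to a static archive, the binary can keep the old resolver code after a library fix. The line should read `DEPLIBS = ${LWRESDEPLIBS} ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS}`. As this file arrives through a vendor import, the change is probably best carried as a local patch and reported upstream.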
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.8 b/contrib/bind9/bin/nsupdate/nsupdate.8
new file mode 100644
index 0000000..7828db2
--- /dev/null
+++ b/contrib/bind9/bin/nsupdate/nsupdate.8
@@ -0,0 +1,369 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: nsupdate.8,v 1.24.2.2.2.5 2004/03/08 09:04:15 marka Exp $
+.\"
+.TH "NSUPDATE" "8" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+nsupdate \- Dynamic DNS update utility
+.SH SYNOPSIS
+.sp
+\fBnsupdate\fR [ \fB-d\fR ] [ \fB [ -y \fIkeyname:secret\fB ] [ -k \fIkeyfile\fB ] \fR ] [ \fB-t \fItimeout\fB\fR ] [ \fB-u \fIudptimeout\fB\fR ] [ \fB-r \fIudpretries\fB\fR ] [ \fB-v\fR ] [ \fBfilename\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBnsupdate\fR
+is used to submit Dynamic DNS Update requests as defined in RFC2136
+to a name server.
+This allows resource records to be added or removed from a zone
+without manually editing the zone file.
+A single update request can contain requests to add or remove more than one
+resource record.
+.PP
+Zones that are under dynamic control via
+\fBnsupdate\fR
+or a DHCP server should not be edited by hand.
+Manual edits could
+conflict with dynamic updates and cause data to be lost.
+.PP
+The resource records that are dynamically added or removed with
+\fBnsupdate\fR
+have to be in the same zone.
+Requests are sent to the zone's master server.
+This is identified by the MNAME field of the zone's SOA record.
+.PP
+The
+\fB-d\fR
+option makes
+\fBnsupdate\fR
+operate in debug mode.
+This provides tracing information about the update requests that are
+made and the replies received from the name server.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+\fBnsupdate\fR and the name server.
+Currently, the only supported encryption algorithm for TSIG is
+HMAC-MD5, which is defined in RFC 2104.
+Once other algorithms are defined for TSIG, applications will need to
+ensure they select the appropriate algorithm as well as the key when
+authenticating each other.
+For instance suitable
+\fBkey\fR
+and
+\fBserver\fR
+statements would be added to
+\fI/etc/named.conf\fR
+so that the name server can associate the appropriate secret key
+and algorithm with the IP address of the
+client application that will be using TSIG authentication.
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
+\fBnsupdate\fR
+does not read
+\fI/etc/named.conf\fR.
+.PP
+\fBnsupdate\fR
+uses the
+\fB-y\fR
+or
+\fB-k\fR
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
+These options are mutually exclusive.
+With the
+\fB-k\fR
+option,
+\fBnsupdate\fR
+reads the shared secret from the file
+\fIkeyfile\fR,
+whose name is of the form
+\fIK{name}.+157.+{random}.private\fR.
+For historical
+reasons, the file
+\fIK{name}.+157.+{random}.key\fR
+must also be present. When the
+\fB-y\fR
+option is used, a signature is generated from
+\fIkeyname:secret.\fR
+\fIkeyname\fR
+is the name of the key,
+and
+\fIsecret\fR
+is the base64 encoded shared secret.
+Use of the
+\fB-y\fR
+option is discouraged because the shared secret is supplied as a command
+line argument in clear text.
+This may be visible in the output from
+\fBps\fR(1)
+or in a history file maintained by the user's shell.
+.PP
+The \fB-k\fR may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests. In this case, the key
+specified is not an HMAC-MD5 key.
+.PP
+By default
+\fBnsupdate\fR
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
+The
+\fB-v\fR
+option makes
+\fBnsupdate\fR
+use a TCP connection.
+This may be preferable when a batch of update requests is made.
+.PP
+The \fB-t\fR option sets the maximum time a update request can
+take before it is aborted. The default is 300 seconds. Zero can be used
+to disable the timeout.
+.PP
+The \fB-u\fR option sets the UDP retry interval. The default is
+3 seconds. If zero the interval will be computed from the timeout interval
+and number of UDP retries.
+.PP
+The \fB-r\fR option sets the number of UDP retries. The default is
+3. If zero only one update request will be made.
+.SH "INPUT FORMAT"
+.PP
+\fBnsupdate\fR
+reads input from
+\fIfilename\fR
+or standard input.
+Each command is supplied on exactly one line of input.
+Some commands are for administrative purposes.
+The others are either update instructions or prerequisite checks on the
+contents of the zone.
+These checks set conditions that some name or set of
+resource records (RRset) either exists or is absent from the zone.
+These conditions must be met if the entire update request is to succeed.
+Updates will be rejected if the tests for the prerequisite conditions fail.
+.PP
+Every update request consists of zero or more prerequisites
+and zero or more updates.
+This allows a suitably authenticated update request to proceed if some
+specified resource records are present or missing from the zone.
+A blank input line (or the \fBsend\fR command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
+.PP
+The command formats and their meaning are as follows:
+.TP
+\fBserver servername [ port ]\fR
+Sends all dynamic update requests to the name server
+\fIservername\fR.
+When no server statement is provided,
+\fBnsupdate\fR
+will send updates to the master server of the correct zone.
+The MNAME field of that zone's SOA record will identify the master
+server for that zone.
+\fIport\fR
+is the port number on
+\fIservername\fR
+where the dynamic update requests get sent.
+If no port number is specified, the default DNS port number of 53 is
+used.
+.TP
+\fBlocal address [ port ]\fR
+Sends all dynamic update requests using the local
+\fIaddress\fR.
+When no local statement is provided,
+\fBnsupdate\fR
+will send updates using an address and port chosen by the system.
+\fIport\fR
+can additionally be used to make requests come from a specific port.
+If no port number is specified, the system will assign one.
+.TP
+\fBzone zonename\fR
+Specifies that all updates are to be made to the zone
+\fIzonename\fR.
+If no
+\fIzone\fR
+statement is provided,
+\fBnsupdate\fR
+will attempt determine the correct zone to update based on the rest of the input.
+.TP
+\fBclass classname\fR
+Specify the default class.
+If no \fIclass\fR is specified the default class is
+\fIIN\fR.
+.TP
+\fBkey name secret\fR
+Specifies that all updates are to be TSIG signed using the
+\fIkeyname\fR \fIkeysecret\fR pair.
+The \fBkey\fR command
+overrides any key specified on the command line via
+\fB-y\fR or \fB-k\fR.
+.TP
+\fBprereq nxdomain domain-name\fR
+Requires that no resource record of any type exists with name
+\fIdomain-name\fR.
+.TP
+\fBprereq yxdomain domain-name\fR
+Requires that
+\fIdomain-name\fR
+exists (has as at least one resource record, of any type).
+.TP
+\fBprereq nxrrset domain-name [ class ] type\fR
+Requires that no resource record exists of the specified
+\fItype\fR,
+\fIclass\fR
+and
+\fIdomain-name\fR.
+If
+\fIclass\fR
+is omitted, IN (internet) is assumed.
+.TP
+\fBprereq yxrrset domain-name [ class ] type\fR
+This requires that a resource record of the specified
+\fItype\fR,
+\fIclass\fR
+and
+\fIdomain-name\fR
+must exist.
+If
+\fIclass\fR
+is omitted, IN (internet) is assumed.
+.TP
+\fBprereq yxrrset domain-name [ class ] type data\fI...\fB\fR
+The
+\fIdata\fR
+from each set of prerequisites of this form
+sharing a common
+\fItype\fR,
+\fIclass\fR,
+and
+\fIdomain-name\fR
+are combined to form a set of RRs. This set of RRs must
+exactly match the set of RRs existing in the zone at the
+given
+\fItype\fR,
+\fIclass\fR,
+and
+\fIdomain-name\fR.
+The
+\fIdata\fR
+are written in the standard text representation of the resource record's
+RDATA.
+.TP
+\fBupdate delete domain-name [ ttl ] [ class ] [ type [ data\fI...\fB ] ]\fR
+Deletes any resource records named
+\fIdomain-name\fR.
+If
+\fItype\fR
+and
+\fIdata\fR
+is provided, only matching resource records will be removed.
+The internet class is assumed if
+\fIclass\fR
+is not supplied. The
+\fIttl\fR
+is ignored, and is only allowed for compatibility.
+.TP
+\fBupdate add domain-name ttl [ class ] type data\fI...\fB\fR
+Adds a new resource record with the specified
+\fIttl\fR,
+\fIclass\fR
+and
+\fIdata\fR.
+.TP
+\fBshow\fR
+Displays the current message, containing all of the prerequisites and
+updates specified since the last send.
+.TP
+\fBsend\fR
+Sends the current message. This is equivalent to entering a blank line.
+.TP
+\fBanswer\fR
+Displays the answer.
+.PP
+Lines beginning with a semicolon are comments and are ignored.
+.SH "EXAMPLES"
+.PP
+The examples below show how
+\fBnsupdate\fR
+could be used to insert and delete resource records from the
+\fBexample.com\fR
+zone.
+Notice that the input in each example contains a trailing blank line so that
+a group of commands are sent as one dynamic update request to the
+master name server for
+\fBexample.com\fR.
+.sp
+.nf
+# nsupdate
+> update delete oldhost.example.com A
+> update add newhost.example.com 86400 A 172.16.1.1
+> send
+.sp
+.fi
+.PP
+Any A records for
+\fBoldhost.example.com\fR
+are deleted.
+and an A record for
+\fBnewhost.example.com\fR
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
+.sp
+.nf
+# nsupdate
+> prereq nxdomain nickname.example.com
+> update add nickname.example.com 86400 CNAME somehost.example.com
+> send
+.sp
+.fi
+.PP
+The prerequisite condition gets the name server to check that there
+are no resource records of any type for
+\fBnickname.example.com\fR.
+If there are, the update request fails.
+If this name does not exist, a CNAME for it is added.
+This ensures that when the CNAME is added, it cannot conflict with the
+long-standing rule in RFC1034 that a name must not exist as any other
+record type if it exists as a CNAME.
+(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+RRSIG, DNSKEY and NSEC records.)
+.SH "FILES"
+.TP
+\fB/etc/resolv.conf\fR
+used to identify default name server
+.TP
+\fBK{name}.+157.+{random}.key\fR
+base-64 encoding of HMAC-MD5 key created by
+\fBdnssec-keygen\fR(8).
+.TP
+\fBK{name}.+157.+{random}.private\fR
+base-64 encoding of HMAC-MD5 key created by
+\fBdnssec-keygen\fR(8).
+.SH "SEE ALSO"
+.PP
+\fBRFC2136\fR,
+\fBRFC3007\fR,
+\fBRFC2104\fR,
+\fBRFC2845\fR,
+\fBRFC1034\fR,
+\fBRFC2535\fR,
+\fBRFC2931\fR,
+\fBnamed\fR(8),
+\fBdnssec-keygen\fR(8).
+.SH "BUGS"
+.PP
+The TSIG key is redundantly stored in two separate files.
+This is a consequence of nsupdate using the DST library
+for its cryptographic operations, and may change in future
+releases.
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.c b/contrib/bind9/bin/nsupdate/nsupdate.c
new file mode 100644
index 0000000..cb30a5f
--- /dev/null
+++ b/contrib/bind9/bin/nsupdate/nsupdate.c
@@ -0,0 +1,1983 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsupdate.c,v 1.103.2.15.2.16 2004/06/17 01:00:38 sra Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/app.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/event.h>
+#include <isc/hash.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/socket.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/dispatch.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+
+#include <bind9/getaddresses.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
+#ifndef USE_GETADDRINFO
+#ifndef ISC_PLATFORM_NONSTDHERRNO
+extern int h_errno;
+#endif
+#endif
+
+#define MAXCMD (4 * 1024)
+#define MAXWIRE (64 * 1024)
+#define PACKETSIZE ((64 * 1024) - 1)
+#define INITTEXT (2 * 1024)
+#define MAXTEXT (128 * 1024)
+#define FIND_TIMEOUT 5
+#define TTL_MAX 2147483647U /* Maximum signed 32 bit integer. */
+
+#define DNSDEFAULTPORT 53
+
+#ifndef RESOLV_CONF
+#define RESOLV_CONF "/etc/resolv.conf"
+#endif
+
+static isc_boolean_t debugging = ISC_FALSE, ddebugging = ISC_FALSE;
+static isc_boolean_t memdebugging = ISC_FALSE;
+static isc_boolean_t have_ipv4 = ISC_FALSE;
+static isc_boolean_t have_ipv6 = ISC_FALSE;
+static isc_boolean_t is_dst_up = ISC_FALSE;
+static isc_boolean_t usevc = ISC_FALSE;
+static isc_taskmgr_t *taskmgr = NULL;
+static isc_task_t *global_task = NULL;
+static isc_event_t *global_event = NULL;
+static isc_mem_t *mctx = NULL;
+static dns_dispatchmgr_t *dispatchmgr = NULL;
+static dns_requestmgr_t *requestmgr = NULL;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_timermgr_t *timermgr = NULL;
+static dns_dispatch_t *dispatchv4 = NULL;
+static dns_dispatch_t *dispatchv6 = NULL;
+static dns_message_t *updatemsg = NULL;
+static dns_fixedname_t fuserzone;
+static dns_name_t *userzone = NULL;
+static dns_tsigkey_t *tsigkey = NULL;
+static dst_key_t *sig0key;
+static lwres_context_t *lwctx = NULL;
+static lwres_conf_t *lwconf;
+static isc_sockaddr_t *servers;
+static int ns_inuse = 0;
+static int ns_total = 0;
+static isc_sockaddr_t *userserver = NULL;
+static isc_sockaddr_t *localaddr = NULL;
+static char *keystr = NULL, *keyfile = NULL;
+static isc_entropy_t *entp = NULL;
+static isc_boolean_t shuttingdown = ISC_FALSE;
+static FILE *input;
+static isc_boolean_t interactive = ISC_TRUE;
+static isc_boolean_t seenerror = ISC_FALSE;
+static const dns_master_style_t *style;
+static int requests = 0;
+static unsigned int timeout = 300;
+static unsigned int udp_timeout = 3;
+static unsigned int udp_retries = 3;
+static dns_rdataclass_t defaultclass = dns_rdataclass_in;
+static dns_rdataclass_t zoneclass = dns_rdataclass_none;
+static dns_message_t *answer = NULL;
+
+typedef struct nsu_requestinfo {
+ dns_message_t *msg;
+ isc_sockaddr_t *addr;
+} nsu_requestinfo_t;
+
+static void
+sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request);
+static void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+#define STATUS_MORE (isc_uint16_t)0
+#define STATUS_SEND (isc_uint16_t)1
+#define STATUS_QUIT (isc_uint16_t)2
+#define STATUS_SYNTAX (isc_uint16_t)3
+
+static dns_rdataclass_t
+getzoneclass(void) {
+ if (zoneclass == dns_rdataclass_none)
+ zoneclass = defaultclass;
+ return (zoneclass);
+}
+
+static isc_boolean_t
+setzoneclass(dns_rdataclass_t rdclass) {
+ if (zoneclass == dns_rdataclass_none ||
+ rdclass == dns_rdataclass_none)
+ zoneclass = rdclass;
+ if (zoneclass != rdclass)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+static void
+fatal(const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
+
+static void
+debug(const char *format, ...) {
+ va_list args;
+
+ if (debugging) {
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+}
+
+static void
+ddebug(const char *format, ...) {
+ va_list args;
+
+ if (ddebugging) {
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ }
+}
+
+static inline void
+check_result(isc_result_t result, const char *msg) {
+ if (result != ISC_R_SUCCESS)
+ fatal("%s: %s", msg, isc_result_totext(result));
+}
+
+static void *
+mem_alloc(void *arg, size_t size) {
+ return (isc_mem_get(arg, size));
+}
+
+static void
+mem_free(void *arg, void *mem, size_t size) {
+ isc_mem_put(arg, mem, size);
+}
+
+static char *
+nsu_strsep(char **stringp, const char *delim) {
+ char *string = *stringp;
+ char *s;
+ const char *d;
+ char sc, dc;
+
+ if (string == NULL)
+ return (NULL);
+
+ for (; *string != '\0'; string++) {
+ sc = *string;
+ for (d = delim; (dc = *d) != '\0'; d++) {
+ if (sc == dc)
+ break;
+ }
+ if (dc == 0)
+ break;
+ }
+
+ for (s = string; *s != '\0'; s++) {
+ sc = *s;
+ for (d = delim; (dc = *d) != '\0'; d++) {
+ if (sc == dc) {
+ *s++ = '\0';
+ *stringp = s;
+ return (string);
+ }
+ }
+ }
+ *stringp = NULL;
+ return (string);
+}
+
+static void
+reset_system(void) {
+ isc_result_t result;
+
+ ddebug("reset_system()");
+ /* If the update message is still around, destroy it */
+ if (updatemsg != NULL)
+ dns_message_reset(updatemsg, DNS_MESSAGE_INTENTRENDER);
+ else {
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ &updatemsg);
+ check_result(result, "dns_message_create");
+ }
+ updatemsg->opcode = dns_opcode_update;
+}
+
+static void
+setup_keystr(void) {
+ unsigned char *secret = NULL;
+ int secretlen;
+ isc_buffer_t secretbuf;
+ isc_result_t result;
+ isc_buffer_t keynamesrc;
+ char *secretstr;
+ char *s;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname;
+
+ dns_fixedname_init(&fkeyname);
+ keyname = dns_fixedname_name(&fkeyname);
+
+ debug("Creating key...");
+
+ s = strchr(keystr, ':');
+ if (s == NULL || s == keystr || *s == 0)
+ fatal("key option must specify keyname:secret");
+ secretstr = s + 1;
+
+ isc_buffer_init(&keynamesrc, keystr, s - keystr);
+ isc_buffer_add(&keynamesrc, s - keystr);
+
+ debug("namefromtext");
+ result = dns_name_fromtext(keyname, &keynamesrc, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext");
+
+ secretlen = strlen(secretstr) * 3 / 4;
+ secret = isc_mem_allocate(mctx, secretlen);
+ if (secret == NULL)
+ fatal("out of memory");
+
+ isc_buffer_init(&secretbuf, secret, secretlen);
+ result = isc_base64_decodestring(secretstr, &secretbuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create key from %s: %s\n",
+ keystr, isc_result_totext(result));
+ goto failure;
+ }
+
+ secretlen = isc_buffer_usedlength(&secretbuf);
+
+ debug("keycreate");
+ result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
+ secret, secretlen, ISC_TRUE, NULL,
+ 0, 0, mctx, NULL, &tsigkey);
+ if (result != ISC_R_SUCCESS)
+ fprintf(stderr, "could not create key from %s: %s\n",
+ keystr, dns_result_totext(result));
+ failure:
+ if (secret != NULL)
+ isc_mem_free(mctx, secret);
+}
+
+static void
+setup_keyfile(void) {
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+
+ debug("Creating key...");
+
+ result = dst_key_fromnamedfile(keyfile,
+ DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not read key from %s: %s\n",
+ keyfile, isc_result_totext(result));
+ return;
+ }
+ if (dst_key_alg(dstkey) == DST_ALG_HMACMD5) {
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
+ dns_tsig_hmacmd5_name,
+ dstkey, ISC_FALSE, NULL,
+ 0, 0, mctx, NULL, &tsigkey);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create key from %s: %s\n",
+ keyfile, isc_result_totext(result));
+ dst_key_free(&dstkey);
+ return;
+ }
+ } else
+ sig0key = dstkey;
+}
+
+static void
+doshutdown(void) {
+ isc_task_detach(&global_task);
+
+ if (userserver != NULL)
+ isc_mem_put(mctx, userserver, sizeof(isc_sockaddr_t));
+
+ if (localaddr != NULL)
+ isc_mem_put(mctx, localaddr, sizeof(isc_sockaddr_t));
+
+ if (tsigkey != NULL) {
+ ddebug("Freeing TSIG key");
+ dns_tsigkey_detach(&tsigkey);
+ }
+
+ if (sig0key != NULL) {
+ ddebug("Freeing SIG(0) key");
+ dst_key_free(&sig0key);
+ }
+
+ if (updatemsg != NULL)
+ dns_message_destroy(&updatemsg);
+
+ if (is_dst_up) {
+ ddebug("Destroy DST lib");
+ dst_lib_destroy();
+ is_dst_up = ISC_FALSE;
+ }
+
+ if (entp != NULL) {
+ ddebug("Detach from entropy");
+ isc_entropy_detach(&entp);
+ }
+
+ lwres_conf_clear(lwctx);
+ lwres_context_destroy(&lwctx);
+
+ isc_mem_put(mctx, servers, ns_total * sizeof(isc_sockaddr_t));
+
+ ddebug("Destroying request manager");
+ dns_requestmgr_detach(&requestmgr);
+
+ ddebug("Freeing the dispatchers");
+ if (have_ipv4)
+ dns_dispatch_detach(&dispatchv4);
+ if (have_ipv6)
+ dns_dispatch_detach(&dispatchv6);
+
+ ddebug("Shutting down dispatch manager");
+ dns_dispatchmgr_destroy(&dispatchmgr);
+
+}
+
+static void
+maybeshutdown(void) {
+ ddebug("Shutting down request manager");
+ dns_requestmgr_shutdown(requestmgr);
+
+ if (requests != 0)
+ return;
+
+ doshutdown();
+}
+
+static void
+shutdown_program(isc_task_t *task, isc_event_t *event) {
+ REQUIRE(task == global_task);
+ UNUSED(task);
+
+ ddebug("shutdown_program()");
+ isc_event_free(&event);
+
+ shuttingdown = ISC_TRUE;
+ maybeshutdown();
+}
+
+static void
+setup_system(void) {
+ isc_result_t result;
+ isc_sockaddr_t bind_any, bind_any6;
+ lwres_result_t lwresult;
+ unsigned int attrs, attrmask;
+ int i;
+
+ ddebug("setup_system()");
+
+ dns_result_register();
+
+ result = isc_net_probeipv4();
+ if (result == ISC_R_SUCCESS)
+ have_ipv4 = ISC_TRUE;
+
+ result = isc_net_probeipv6();
+ if (result == ISC_R_SUCCESS)
+ have_ipv6 = ISC_TRUE;
+
+ if (!have_ipv4 && !have_ipv6)
+ fatal("could not find either IPv4 or IPv6");
+
+ result = isc_mem_create(0, 0, &mctx);
+ check_result(result, "isc_mem_create");
+
+ lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+ if (lwresult != LWRES_R_SUCCESS)
+ fatal("lwres_context_create failed");
+
+ (void)lwres_conf_parse(lwctx, RESOLV_CONF);
+ lwconf = lwres_conf_get(lwctx);
+
+ ns_total = lwconf->nsnext;
+ if (ns_total <= 0) {
+ /* No name servers in resolv.conf; default to loopback. */
+ struct in_addr localhost;
+ ns_total = 1;
+ servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+ if (servers == NULL)
+ fatal("out of memory");
+ localhost.s_addr = htonl(INADDR_LOOPBACK);
+ isc_sockaddr_fromin(&servers[0], &localhost, DNSDEFAULTPORT);
+ } else {
+ servers = isc_mem_get(mctx, ns_total * sizeof(isc_sockaddr_t));
+ if (servers == NULL)
+ fatal("out of memory");
+ for (i = 0; i < ns_total; i++) {
+ if (lwconf->nameservers[i].family == LWRES_ADDRTYPE_V4) {
+ struct in_addr in4;
+ memcpy(&in4, lwconf->nameservers[i].address, 4);
+ isc_sockaddr_fromin(&servers[i], &in4, DNSDEFAULTPORT);
+ } else {
+ struct in6_addr in6;
+ memcpy(&in6, lwconf->nameservers[i].address, 16);
+ isc_sockaddr_fromin6(&servers[i], &in6,
+ DNSDEFAULTPORT);
+ }
+ }
+ }
+
+ result = isc_entropy_create(mctx, &entp);
+ check_result(result, "isc_entropy_create");
+
+ result = isc_hash_create(mctx, entp, DNS_NAME_MAXWIRE);
+ check_result(result, "isc_hash_create");
+ isc_hash_init();
+
+ result = dns_dispatchmgr_create(mctx, entp, &dispatchmgr);
+ check_result(result, "dns_dispatchmgr_create");
+
+ result = isc_socketmgr_create(mctx, &socketmgr);
+ check_result(result, "dns_socketmgr_create");
+
+ result = isc_timermgr_create(mctx, &timermgr);
+ check_result(result, "dns_timermgr_create");
+
+ result = isc_taskmgr_create(mctx, 1, 0, &taskmgr);
+ check_result(result, "isc_taskmgr_create");
+
+ result = isc_task_create(taskmgr, 0, &global_task);
+ check_result(result, "isc_task_create");
+
+ result = isc_task_onshutdown(global_task, shutdown_program, NULL);
+ check_result(result, "isc_task_onshutdown");
+
+ result = dst_lib_init(mctx, entp, 0);
+ check_result(result, "dst_lib_init");
+ is_dst_up = ISC_TRUE;
+
+ attrmask = DNS_DISPATCHATTR_UDP | DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4 | DNS_DISPATCHATTR_IPV6;
+
+ if (have_ipv6) {
+ attrs = DNS_DISPATCHATTR_UDP;
+ attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ isc_sockaddr_any6(&bind_any6);
+ result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+ &bind_any6, PACKETSIZE,
+ 4, 2, 3, 5,
+ attrs, attrmask, &dispatchv6);
+ check_result(result, "dns_dispatch_getudp (v6)");
+ }
+
+ if (have_ipv4) {
+ attrs = DNS_DISPATCHATTR_UDP;
+ attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ isc_sockaddr_any(&bind_any);
+ result = dns_dispatch_getudp(dispatchmgr, socketmgr, taskmgr,
+ &bind_any, PACKETSIZE,
+ 4, 2, 3, 5,
+ attrs, attrmask, &dispatchv4);
+ check_result(result, "dns_dispatch_getudp (v4)");
+ }
+
+ result = dns_requestmgr_create(mctx, timermgr,
+ socketmgr, taskmgr, dispatchmgr,
+ dispatchv4, dispatchv6, &requestmgr);
+ check_result(result, "dns_requestmgr_create");
+
+ if (keystr != NULL)
+ setup_keystr();
+ else if (keyfile != NULL)
+ setup_keyfile();
+}
+
+static void
+get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+ int count;
+ isc_result_t result;
+
+ isc_app_block();
+ result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+ isc_app_unblock();
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't get address for '%s': %s",
+ host, isc_result_totext(result));
+ INSIST(count == 1);
+}
+
+static void
+parse_args(int argc, char **argv) {
+ int ch;
+ isc_result_t result;
+
+ debug("parse_args");
+ while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
+ {
+ switch (ch) {
+ case 'd':
+ debugging = ISC_TRUE;
+ break;
+ case 'D': /* was -dd */
+ debugging = ISC_TRUE;
+ ddebugging = ISC_TRUE;
+ break;
+ case 'M': /* was -dm */
+ debugging = ISC_TRUE;
+ ddebugging = ISC_TRUE;
+ memdebugging = ISC_TRUE;
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+ ISC_MEM_DEBUGRECORD;
+ break;
+ case 'y':
+ keystr = isc_commandline_argument;
+ break;
+ case 'v':
+ usevc = ISC_TRUE;
+ break;
+ case 'k':
+ keyfile = isc_commandline_argument;
+ break;
+ case 't':
+ result = isc_parse_uint32(&timeout,
+ isc_commandline_argument, 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad timeout '%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ if (timeout == 0)
+ timeout = ULONG_MAX;
+ break;
+ case 'u':
+ result = isc_parse_uint32(&udp_timeout,
+ isc_commandline_argument, 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad udp timeout '%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ if (udp_timeout == 0)
+ udp_timeout = ULONG_MAX;
+ break;
+ case 'r':
+ result = isc_parse_uint32(&udp_retries,
+ isc_commandline_argument, 10);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "bad udp retries '%s'\n", isc_commandline_argument);
+ exit(1);
+ }
+ break;
+ default:
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ argv[0], ch);
+ fprintf(stderr, "usage: nsupdate [-d] "
+ "[-y keyname:secret | -k keyfile] [-v] "
+ "[filename]\n");
+ exit(1);
+ }
+ }
+ if (keyfile != NULL && keystr != NULL) {
+ fprintf(stderr, "%s: cannot specify both -k and -y\n",
+ argv[0]);
+ exit(1);
+ }
+
+ if (argv[isc_commandline_index] != NULL) {
+ if (strcmp(argv[isc_commandline_index], "-") == 0) {
+ input = stdin;
+ } else {
+ result = isc_stdio_open(argv[isc_commandline_index],
+ "r", &input);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not open '%s': %s\n",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ exit(1);
+ }
+ }
+ interactive = ISC_FALSE;
+ }
+}
+
+static isc_uint16_t
+parse_name(char **cmdlinep, dns_message_t *msg, dns_name_t **namep) {
+ isc_result_t result;
+ char *word;
+ isc_buffer_t *namebuf = NULL;
+ isc_buffer_t source;
+
+ word = nsu_strsep(cmdlinep, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read owner name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ result = dns_message_gettempname(msg, namep);
+ check_result(result, "dns_message_gettempname");
+ result = isc_buffer_allocate(mctx, &namebuf, DNS_NAME_MAXWIRE);
+ check_result(result, "isc_buffer_allocate");
+ dns_name_init(*namep, NULL);
+ dns_name_setbuffer(*namep, namebuf);
+ dns_message_takebuffer(msg, &namebuf);
+ isc_buffer_init(&source, word, strlen(word));
+ isc_buffer_add(&source, strlen(word));
+ result = dns_name_fromtext(*namep, &source, dns_rootname,
+ ISC_FALSE, NULL);
+ check_result(result, "dns_name_fromtext");
+ isc_buffer_invalidate(&source);
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
+ dns_rdatatype_t rdatatype, dns_message_t *msg,
+ dns_rdata_t *rdata)
+{
+ char *cmdline = *cmdlinep;
+ isc_buffer_t source, *buf = NULL, *newbuf = NULL;
+ isc_region_t r;
+ isc_lex_t *lex = NULL;
+ dns_rdatacallbacks_t callbacks;
+ isc_result_t result;
+
+ while (*cmdline != 0 && isspace((unsigned char)*cmdline))
+ cmdline++;
+
+ if (*cmdline != 0) {
+ dns_rdatacallbacks_init(&callbacks);
+ result = isc_lex_create(mctx, strlen(cmdline), &lex);
+ check_result(result, "isc_lex_create");
+ isc_buffer_init(&source, cmdline, strlen(cmdline));
+ isc_buffer_add(&source, strlen(cmdline));
+ result = isc_lex_openbuffer(lex, &source);
+ check_result(result, "isc_lex_openbuffer");
+ result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+ dns_rootname, 0, mctx, buf,
+ &callbacks);
+ isc_lex_destroy(&lex);
+ if (result == ISC_R_SUCCESS) {
+ isc_buffer_usedregion(buf, &r);
+ result = isc_buffer_allocate(mctx, &newbuf, r.length);
+ check_result(result, "isc_buffer_allocate");
+ isc_buffer_putmem(newbuf, r.base, r.length);
+ isc_buffer_usedregion(newbuf, &r);
+ dns_rdata_fromregion(rdata, rdataclass, rdatatype, &r);
+ isc_buffer_free(&buf);
+ dns_message_takebuffer(msg, &newbuf);
+ } else {
+ fprintf(stderr, "invalid rdata format: %s\n",
+ isc_result_totext(result));
+ isc_buffer_free(&buf);
+ return (STATUS_SYNTAX);
+ }
+ } else {
+ rdata->flags = DNS_RDATA_UPDATE;
+ }
+ *cmdlinep = cmdline;
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
+ isc_result_t result;
+ char *word;
+ dns_name_t *name = NULL;
+ isc_textregion_t region;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdataclass_t rdataclass;
+ dns_rdatatype_t rdatatype;
+ dns_rdata_t *rdata = NULL;
+ isc_uint16_t retval;
+
+ ddebug("make_prereq()");
+
+ /*
+ * Read the owner name
+ */
+ retval = parse_name(&cmdline, updatemsg, &name);
+ if (retval != STATUS_MORE)
+ return (retval);
+
+ /*
+ * If this is an rrset prereq, read the class or type.
+ */
+ if (isrrset) {
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read class or type\n");
+ goto failure;
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdataclass, &region);
+ if (result == ISC_R_SUCCESS) {
+ if (!setzoneclass(rdataclass)) {
+ fprintf(stderr, "class mismatch: %s\n", word);
+ goto failure;
+ }
+ /*
+ * Now read the type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read type\n");
+ goto failure;
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "invalid type: %s\n", word);
+ goto failure;
+ }
+ } else {
+ rdataclass = getzoneclass();
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "invalid type: %s\n", word);
+ goto failure;
+ }
+ }
+ } else
+ rdatatype = dns_rdatatype_any;
+
+ result = dns_message_gettemprdata(updatemsg, &rdata);
+ check_result(result, "dns_message_gettemprdata");
+
+ rdata->data = NULL;
+ rdata->length = 0;
+
+ if (isrrset && ispositive) {
+ retval = parse_rdata(&cmdline, rdataclass, rdatatype,
+ updatemsg, rdata);
+ if (retval != STATUS_MORE)
+ goto failure;
+ } else
+ rdata->flags = DNS_RDATA_UPDATE;
+
+ result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
+ check_result(result, "dns_message_gettemprdatalist");
+ result = dns_message_gettemprdataset(updatemsg, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = rdatatype;
+ if (ispositive) {
+ if (isrrset && rdata->data != NULL)
+ rdatalist->rdclass = rdataclass;
+ else
+ rdatalist->rdclass = dns_rdataclass_any;
+ } else
+ rdatalist->rdclass = dns_rdataclass_none;
+ rdatalist->covers = 0;
+ rdatalist->ttl = 0;
+ rdata->rdclass = rdatalist->rdclass;
+ rdata->type = rdatatype;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(updatemsg, name, DNS_SECTION_PREREQUISITE);
+ return (STATUS_MORE);
+
+ failure:
+ if (name != NULL)
+ dns_message_puttempname(updatemsg, &name);
+ return (STATUS_SYNTAX);
+}
+
+static isc_uint16_t
+evaluate_prereq(char *cmdline) {
+ char *word;
+ isc_boolean_t ispositive, isrrset;
+
+ ddebug("evaluate_prereq()");
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read operation code\n");
+ return (STATUS_SYNTAX);
+ }
+ if (strcasecmp(word, "nxdomain") == 0) {
+ ispositive = ISC_FALSE;
+ isrrset = ISC_FALSE;
+ } else if (strcasecmp(word, "yxdomain") == 0) {
+ ispositive = ISC_TRUE;
+ isrrset = ISC_FALSE;
+ } else if (strcasecmp(word, "nxrrset") == 0) {
+ ispositive = ISC_FALSE;
+ isrrset = ISC_TRUE;
+ } else if (strcasecmp(word, "yxrrset") == 0) {
+ ispositive = ISC_TRUE;
+ isrrset = ISC_TRUE;
+ } else {
+ fprintf(stderr, "incorrect operation code: %s\n", word);
+ return (STATUS_SYNTAX);
+ }
+ return (make_prereq(cmdline, ispositive, isrrset));
+}
+
+static isc_uint16_t
+evaluate_server(char *cmdline) {
+ char *word, *server;
+ long port;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read server name\n");
+ return (STATUS_SYNTAX);
+ }
+ server = word;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0)
+ port = DNSDEFAULTPORT;
+ else {
+ char *endp;
+ port = strtol(word, &endp, 10);
+ if (*endp != 0) {
+ fprintf(stderr, "port '%s' is not numeric\n", word);
+ return (STATUS_SYNTAX);
+ } else if (port < 1 || port > 65535) {
+ fprintf(stderr, "port '%s' is out of range "
+ "(1 to 65535)\n", word);
+ return (STATUS_SYNTAX);
+ }
+ }
+
+ if (userserver == NULL) {
+ userserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (userserver == NULL)
+ fatal("out of memory");
+ }
+
+ get_address(server, (in_port_t)port, userserver);
+
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+evaluate_local(char *cmdline) {
+ char *word, *local;
+ long port;
+ struct in_addr in4;
+ struct in6_addr in6;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read server name\n");
+ return (STATUS_SYNTAX);
+ }
+ local = word;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0)
+ port = 0;
+ else {
+ char *endp;
+ port = strtol(word, &endp, 10);
+ if (*endp != 0) {
+ fprintf(stderr, "port '%s' is not numeric\n", word);
+ return (STATUS_SYNTAX);
+ } else if (port < 1 || port > 65535) {
+ fprintf(stderr, "port '%s' is out of range "
+ "(1 to 65535)\n", word);
+ return (STATUS_SYNTAX);
+ }
+ }
+
+ if (localaddr == NULL) {
+ localaddr = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+ if (localaddr == NULL)
+ fatal("out of memory");
+ }
+
+ if (have_ipv6 && inet_pton(AF_INET6, local, &in6) == 1)
+ isc_sockaddr_fromin6(localaddr, &in6, (in_port_t)port);
+ else if (have_ipv4 && inet_pton(AF_INET, local, &in4) == 1)
+ isc_sockaddr_fromin(localaddr, &in4, (in_port_t)port);
+ else {
+ fprintf(stderr, "invalid address %s", local);
+ return (STATUS_SYNTAX);
+ }
+
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+evaluate_key(char *cmdline) {
+ char *namestr;
+ char *secretstr;
+ isc_buffer_t b;
+ isc_result_t result;
+ dns_fixedname_t fkeyname;
+ dns_name_t *keyname;
+ int secretlen;
+ unsigned char *secret = NULL;
+ isc_buffer_t secretbuf;
+
+ namestr = nsu_strsep(&cmdline, " \t\r\n");
+ if (*namestr == 0) {
+ fprintf(stderr, "could not read key name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ dns_fixedname_init(&fkeyname);
+ keyname = dns_fixedname_name(&fkeyname);
+
+ isc_buffer_init(&b, namestr, strlen(namestr));
+ isc_buffer_add(&b, strlen(namestr));
+ result = dns_name_fromtext(keyname, &b, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not parse key name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ secretstr = nsu_strsep(&cmdline, "\r\n");
+ if (*secretstr == 0) {
+ fprintf(stderr, "could not read key secret\n");
+ return (STATUS_SYNTAX);
+ }
+ secretlen = strlen(secretstr) * 3 / 4;
+ secret = isc_mem_allocate(mctx, secretlen);
+ if (secret == NULL)
+ fatal("out of memory");
+
+ isc_buffer_init(&secretbuf, secret, secretlen);
+ result = isc_base64_decodestring(secretstr, &secretbuf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create key from %s: %s\n",
+ secretstr, isc_result_totext(result));
+ isc_mem_free(mctx, secret);
+ return (STATUS_SYNTAX);
+ }
+ secretlen = isc_buffer_usedlength(&secretbuf);
+
+ if (tsigkey != NULL)
+ dns_tsigkey_detach(&tsigkey);
+ result = dns_tsigkey_create(keyname, dns_tsig_hmacmd5_name,
+ secret, secretlen, ISC_TRUE, NULL, 0, 0,
+ mctx, NULL, &tsigkey);
+ isc_mem_free(mctx, secret);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not create key from %s %s: %s\n",
+ namestr, secretstr, dns_result_totext(result));
+ return (STATUS_SYNTAX);
+ }
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+evaluate_zone(char *cmdline) {
+ char *word;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read zone name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ dns_fixedname_init(&fuserzone);
+ userzone = dns_fixedname_name(&fuserzone);
+ isc_buffer_init(&b, word, strlen(word));
+ isc_buffer_add(&b, strlen(word));
+ result = dns_name_fromtext(userzone, &b, dns_rootname, ISC_FALSE,
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ userzone = NULL; /* Lest it point to an invalid name */
+ fprintf(stderr, "could not parse zone name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+evaluate_class(char *cmdline) {
+ char *word;
+ isc_textregion_t r;
+ isc_result_t result;
+ dns_rdataclass_t rdclass;
+
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read class name\n");
+ return (STATUS_SYNTAX);
+ }
+
+ r.base = word;
+ r.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdclass, &r);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not parse class name: %s\n", word);
+ return (STATUS_SYNTAX);
+ }
+ switch (rdclass) {
+ case dns_rdataclass_none:
+ case dns_rdataclass_any:
+ case dns_rdataclass_reserved0:
+ fprintf(stderr, "bad default class: %s\n", word);
+ return (STATUS_SYNTAX);
+ default:
+ defaultclass = rdclass;
+ }
+
+ return (STATUS_MORE);
+}
+
+static isc_uint16_t
+update_addordelete(char *cmdline, isc_boolean_t isdelete) {
+ isc_result_t result;
+ dns_name_t *name = NULL;
+ isc_uint32_t ttl;
+ char *word;
+ dns_rdataclass_t rdataclass;
+ dns_rdatatype_t rdatatype;
+ dns_rdata_t *rdata = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ isc_textregion_t region;
+ isc_uint16_t retval;
+
+ ddebug("update_addordelete()");
+
+ /*
+ * Read the owner name.
+ */
+ retval = parse_name(&cmdline, updatemsg, &name);
+ if (retval != STATUS_MORE)
+ return (retval);
+
+ result = dns_message_gettemprdata(updatemsg, &rdata);
+ check_result(result, "dns_message_gettemprdata");
+
+ rdata->rdclass = 0;
+ rdata->type = 0;
+ rdata->data = NULL;
+ rdata->length = 0;
+
+ /*
+ * If this is an add, read the TTL and verify that it's in range.
+ * If it's a delete, ignore a TTL if present (for compatibility).
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ if (!isdelete) {
+ fprintf(stderr, "could not read owner ttl\n");
+ goto failure;
+ }
+ else {
+ ttl = 0;
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ }
+ }
+ result = isc_parse_uint32(&ttl, word, 10);
+ if (result != ISC_R_SUCCESS) {
+ if (isdelete) {
+ ttl = 0;
+ goto parseclass;
+ } else {
+ fprintf(stderr, "ttl '%s': %s\n", word,
+ isc_result_totext(result));
+ goto failure;
+ }
+ }
+
+ if (isdelete)
+ ttl = 0;
+ else if (ttl > TTL_MAX) {
+ fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+ word, TTL_MAX);
+ goto failure;
+ }
+
+ /*
+ * Read the class or type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ parseclass:
+ if (*word == 0) {
+ if (isdelete) {
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ } else {
+ fprintf(stderr, "could not read class or type\n");
+ goto failure;
+ }
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdataclass_fromtext(&rdataclass, &region);
+ if (result == ISC_R_SUCCESS) {
+ if (!setzoneclass(rdataclass)) {
+ fprintf(stderr, "class mismatch: %s\n", word);
+ goto failure;
+ }
+ /*
+ * Now read the type.
+ */
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ if (isdelete) {
+ rdataclass = dns_rdataclass_any;
+ rdatatype = dns_rdatatype_any;
+ rdata->flags = DNS_RDATA_UPDATE;
+ goto doneparsing;
+ } else {
+ fprintf(stderr, "could not read type\n");
+ goto failure;
+ }
+ }
+ region.base = word;
+ region.length = strlen(word);
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "'%s' is not a valid type: %s\n",
+ word, isc_result_totext(result));
+ goto failure;
+ }
+ } else {
+ rdataclass = getzoneclass();
+ result = dns_rdatatype_fromtext(&rdatatype, &region);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "'%s' is not a valid class or type: "
+ "%s\n", word, isc_result_totext(result));
+ goto failure;
+ }
+ }
+
+ retval = parse_rdata(&cmdline, rdataclass, rdatatype, updatemsg,
+ rdata);
+ if (retval != STATUS_MORE)
+ goto failure;
+
+ if (isdelete) {
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0)
+ rdataclass = dns_rdataclass_any;
+ else
+ rdataclass = dns_rdataclass_none;
+ } else {
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+ fprintf(stderr, "could not read rdata\n");
+ goto failure;
+ }
+ }
+
+ doneparsing:
+
+ result = dns_message_gettemprdatalist(updatemsg, &rdatalist);
+ check_result(result, "dns_message_gettemprdatalist");
+ result = dns_message_gettemprdataset(updatemsg, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+ dns_rdatalist_init(rdatalist);
+ rdatalist->type = rdatatype;
+ rdatalist->rdclass = rdataclass;
+ rdatalist->covers = rdatatype;
+ rdatalist->ttl = (dns_ttl_t)ttl;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ dns_rdataset_init(rdataset);
+ dns_rdatalist_tordataset(rdatalist, rdataset);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(updatemsg, name, DNS_SECTION_UPDATE);
+ return (STATUS_MORE);
+
+ failure:
+ if (name != NULL)
+ dns_message_puttempname(updatemsg, &name);
+ if (rdata != NULL)
+ dns_message_puttemprdata(updatemsg, &rdata);
+ return (STATUS_SYNTAX);
+}
+
+static isc_uint16_t
+evaluate_update(char *cmdline) {
+ char *word;
+ isc_boolean_t isdelete;
+
+ ddebug("evaluate_update()");
+ word = nsu_strsep(&cmdline, " \t\r\n");
+ if (*word == 0) {
+ fprintf(stderr, "could not read operation code\n");
+ return (STATUS_SYNTAX);
+ }
+ if (strcasecmp(word, "delete") == 0)
+ isdelete = ISC_TRUE;
+ else if (strcasecmp(word, "add") == 0)
+ isdelete = ISC_FALSE;
+ else {
+ fprintf(stderr, "incorrect operation code: %s\n", word);
+ return (STATUS_SYNTAX);
+ }
+ return (update_addordelete(cmdline, isdelete));
+}
+
+static void
+show_message(dns_message_t *msg) {
+ isc_result_t result;
+ isc_buffer_t *buf = NULL;
+ int bufsz;
+
+ ddebug("show_message()");
+ bufsz = INITTEXT;
+ do {
+ if (bufsz > MAXTEXT) {
+ fprintf(stderr, "could not allocate large enough "
+ "buffer to display message\n");
+ exit(1);
+ }
+ if (buf != NULL)
+ isc_buffer_free(&buf);
+ result = isc_buffer_allocate(mctx, &buf, bufsz);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_message_totext(msg, style, 0, buf);
+ bufsz *= 2;
+ } while (result == ISC_R_NOSPACE);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "could not convert message to text format.\n");
+ isc_buffer_free(&buf);
+ return;
+ }
+ printf("Outgoing update query:\n%.*s",
+ (int)isc_buffer_usedlength(buf),
+ (char*)isc_buffer_base(buf));
+ isc_buffer_free(&buf);
+}
+
+
+static isc_uint16_t
+get_next_command(void) {
+ char cmdlinebuf[MAXCMD];
+ char *cmdline;
+ char *word;
+
+ ddebug("get_next_command()");
+ if (interactive)
+ fprintf(stdout, "> ");
+ isc_app_block();
+ cmdline = fgets(cmdlinebuf, MAXCMD, input);
+ isc_app_unblock();
+ if (cmdline == NULL)
+ return (STATUS_QUIT);
+ word = nsu_strsep(&cmdline, " \t\r\n");
+
+ if (feof(input))
+ return (STATUS_QUIT);
+ if (*word == 0)
+ return (STATUS_SEND);
+ if (word[0] == ';')
+ return (STATUS_MORE);
+ if (strcasecmp(word, "quit") == 0)
+ return (STATUS_QUIT);
+ if (strcasecmp(word, "prereq") == 0)
+ return (evaluate_prereq(cmdline));
+ if (strcasecmp(word, "update") == 0)
+ return (evaluate_update(cmdline));
+ if (strcasecmp(word, "server") == 0)
+ return (evaluate_server(cmdline));
+ if (strcasecmp(word, "local") == 0)
+ return (evaluate_local(cmdline));
+ if (strcasecmp(word, "zone") == 0)
+ return (evaluate_zone(cmdline));
+ if (strcasecmp(word, "class") == 0)
+ return (evaluate_class(cmdline));
+ if (strcasecmp(word, "send") == 0)
+ return (STATUS_SEND);
+ if (strcasecmp(word, "show") == 0) {
+ show_message(updatemsg);
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "answer") == 0) {
+ if (answer != NULL)
+ show_message(answer);
+ return (STATUS_MORE);
+ }
+ if (strcasecmp(word, "key") == 0)
+ return (evaluate_key(cmdline));
+ fprintf(stderr, "incorrect section name: %s\n", word);
+ return (STATUS_SYNTAX);
+}
+
+static isc_boolean_t
+user_interaction(void) {
+ isc_uint16_t result = STATUS_MORE;
+
+ ddebug("user_interaction()");
+ while ((result == STATUS_MORE) || (result == STATUS_SYNTAX))
+ result = get_next_command();
+ if (result == STATUS_SEND)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+
+}
+
+static void
+done_update(void) {
+ isc_event_t *event = global_event;
+ ddebug("done_update()");
+ isc_task_send(global_task, &event);
+}
+
+static void
+check_tsig_error(dns_rdataset_t *rdataset, isc_buffer_t *b) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_any_tsig_t tsig;
+
+ result = dns_rdataset_first(rdataset);
+ check_result(result, "dns_rdataset_first");
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ if (tsig.error != 0) {
+ if (isc_buffer_remaininglength(b) < 1)
+ check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
+ isc__buffer_putstr(b, "(" /*)*/);
+ result = dns_tsigrcode_totext(tsig.error, b);
+ check_result(result, "dns_tsigrcode_totext");
+ if (isc_buffer_remaininglength(b) < 1)
+ check_result(ISC_R_NOSPACE, "isc_buffer_remaininglength");
+ isc__buffer_putstr(b, /*(*/ ")");
+ }
+}
+
+static void
+update_completed(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ isc_result_t result;
+ dns_request_t *request;
+
+ UNUSED(task);
+
+ ddebug("update_completed()");
+
+ requests--;
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+
+ if (shuttingdown) {
+ dns_request_destroy(&request);
+ isc_event_free(&event);
+ maybeshutdown();
+ return;
+ }
+
+ if (reqev->result != ISC_R_SUCCESS) {
+ fprintf(stderr, "; Communication with server failed: %s\n",
+ isc_result_totext(reqev->result));
+ seenerror = ISC_TRUE;
+ goto done;
+ }
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &answer);
+ check_result(result, "dns_message_create");
+ result = dns_request_getresponse(request, answer,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ break;
+ case DNS_R_CLOCKSKEW:
+ case DNS_R_EXPECTEDTSIG:
+ case DNS_R_TSIGERRORSET:
+ case DNS_R_TSIGVERIFYFAILURE:
+ case DNS_R_UNEXPECTEDTSIG:
+ fprintf(stderr, "; TSIG error with server: %s\n",
+ isc_result_totext(result));
+ seenerror = ISC_TRUE;
+ break;
+ default:
+ check_result(result, "dns_request_getresponse");
+ }
+
+ if (answer->rcode != dns_rcode_noerror) {
+ seenerror = ISC_TRUE;
+ if (!debugging) {
+ char buf[64];
+ isc_buffer_t b;
+ dns_rdataset_t *rds;
+
+ isc_buffer_init(&b, buf, sizeof(buf) - 1);
+ result = dns_rcode_totext(answer->rcode, &b);
+ check_result(result, "dns_rcode_totext");
+ rds = dns_message_gettsig(answer, NULL);
+ if (rds != NULL)
+ check_tsig_error(rds, &b);
+ fprintf(stderr, "update failed: %.*s\n",
+ (int)isc_buffer_usedlength(&b), buf);
+ }
+ }
+ if (debugging) {
+ isc_buffer_t *buf = NULL;
+ int bufsz;
+
+ bufsz = INITTEXT;
+ do {
+ if (bufsz > MAXTEXT) {
+ fprintf(stderr, "could not allocate large "
+ "enough buffer to display message\n");
+ exit(1);
+ }
+ if (buf != NULL)
+ isc_buffer_free(&buf);
+ result = isc_buffer_allocate(mctx, &buf, bufsz);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_message_totext(answer, style, 0, buf);
+ bufsz *= 2;
+ } while (result == ISC_R_NOSPACE);
+ check_result(result, "dns_message_totext");
+ fprintf(stderr, "\nReply from update query:\n%.*s\n",
+ (int)isc_buffer_usedlength(buf),
+ (char*)isc_buffer_base(buf));
+ isc_buffer_free(&buf);
+ }
+ done:
+ dns_request_destroy(&request);
+ isc_event_free(&event);
+ done_update();
+}
+
+static void
+send_update(dns_name_t *zonename, isc_sockaddr_t *master,
+ isc_sockaddr_t *srcaddr)
+{
+ isc_result_t result;
+ dns_request_t *request = NULL;
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ unsigned int options = 0;
+
+ ddebug("send_update()");
+
+ result = dns_message_gettempname(updatemsg, &name);
+ check_result(result, "dns_message_gettempname");
+ dns_name_init(name, NULL);
+ dns_name_clone(zonename, name);
+ result = dns_message_gettemprdataset(updatemsg, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+ dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(updatemsg, name, DNS_SECTION_ZONE);
+
+ if (usevc)
+ options |= DNS_REQUESTOPT_TCP;
+ if (tsigkey == NULL && sig0key != NULL) {
+ result = dns_message_setsig0key(updatemsg, sig0key);
+ check_result(result, "dns_message_setsig0key");
+ }
+ if (debugging) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
+ fprintf(stderr, "Sending update to %s\n", addrbuf);
+ }
+ result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
+ master, options, tsigkey, timeout,
+ udp_timeout, udp_retries, global_task,
+ update_completed, NULL, &request);
+ check_result(result, "dns_request_createvia3");
+
+ if (debugging)
+ show_message(updatemsg);
+
+ requests++;
+}
+
+static void
+recvsoa(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *reqev = NULL;
+ dns_request_t *request = NULL;
+ isc_result_t result, eresult;
+ dns_message_t *rcvmsg = NULL;
+ dns_section_t section;
+ dns_name_t *name = NULL;
+ dns_rdataset_t *soaset = NULL;
+ dns_rdata_soa_t soa;
+ dns_rdata_t soarr = DNS_RDATA_INIT;
+ int pass = 0;
+ dns_name_t master;
+ isc_sockaddr_t *serveraddr, tempaddr;
+ dns_name_t *zonename;
+ nsu_requestinfo_t *reqinfo;
+ dns_message_t *soaquery = NULL;
+ isc_sockaddr_t *addr;
+ isc_boolean_t seencname = ISC_FALSE;
+
+ UNUSED(task);
+
+ ddebug("recvsoa()");
+
+ requests--;
+
+ REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+ reqev = (dns_requestevent_t *)event;
+ request = reqev->request;
+ eresult = reqev->result;
+ reqinfo = reqev->ev_arg;
+ soaquery = reqinfo->msg;
+ addr = reqinfo->addr;
+
+ if (shuttingdown) {
+ dns_request_destroy(&request);
+ dns_message_destroy(&soaquery);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+ isc_event_free(&event);
+ maybeshutdown();
+ return;
+ }
+
+ if (eresult != ISC_R_SUCCESS) {
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+ fprintf(stderr, "; Communication with %s failed: %s\n",
+ addrbuf, isc_result_totext(eresult));
+ if (userserver != NULL)
+ fatal("could not talk to specified name server");
+ else if (++ns_inuse >= lwconf->nsnext)
+ fatal("could not talk to any default name server");
+ ddebug("Destroying request [%p]", request);
+ dns_request_destroy(&request);
+ dns_message_renderreset(soaquery);
+ sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+ isc_event_free(&event);
+ setzoneclass(dns_rdataclass_none);
+ return;
+ }
+ isc_mem_put(mctx, reqinfo, sizeof(nsu_requestinfo_t));
+
+ isc_event_free(&event);
+ reqev = NULL;
+
+ ddebug("About to create rcvmsg");
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+ check_result(result, "dns_message_create");
+ result = dns_request_getresponse(request, rcvmsg,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ if (result == DNS_R_TSIGERRORSET && userserver != NULL) {
+ dns_message_destroy(&rcvmsg);
+ ddebug("Destroying request [%p]", request);
+ dns_request_destroy(&request);
+ reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+ if (reqinfo == NULL)
+ fatal("out of memory");
+ reqinfo->msg = soaquery;
+ reqinfo->addr = addr;
+ dns_message_renderreset(soaquery);
+ ddebug("retrying soa request without TSIG");
+ result = dns_request_createvia3(requestmgr, soaquery,
+ localaddr, addr, 0, NULL,
+ FIND_TIMEOUT * 20,
+ FIND_TIMEOUT * 20, 3,
+ global_task, recvsoa, reqinfo,
+ &request);
+ check_result(result, "dns_request_createvia");
+ requests++;
+ return;
+ }
+ check_result(result, "dns_request_getresponse");
+ section = DNS_SECTION_ANSWER;
+ if (debugging) {
+ isc_buffer_t *buf = NULL;
+ int bufsz;
+ bufsz = INITTEXT;
+ do {
+ if (buf != NULL)
+ isc_buffer_free(&buf);
+ if (bufsz > MAXTEXT) {
+ fprintf(stderr, "could not allocate enough "
+ "space for debugging message\n");
+ exit(1);
+ }
+ result = isc_buffer_allocate(mctx, &buf, bufsz);
+ check_result(result, "isc_buffer_allocate");
+ result = dns_message_totext(rcvmsg, style, 0, buf);
+ } while (result == ISC_R_NOSPACE);
+ check_result(result, "dns_message_totext");
+ fprintf(stderr, "Reply from SOA query:\n%.*s\n",
+ (int)isc_buffer_usedlength(buf),
+ (char*)isc_buffer_base(buf));
+ isc_buffer_free(&buf);
+ }
+
+ if (rcvmsg->rcode != dns_rcode_noerror &&
+ rcvmsg->rcode != dns_rcode_nxdomain)
+ fatal("response to SOA query was unsuccessful");
+
+ lookforsoa:
+ if (pass == 0)
+ section = DNS_SECTION_ANSWER;
+ else if (pass == 1)
+ section = DNS_SECTION_AUTHORITY;
+ else
+ fatal("response to SOA query didn't contain an SOA");
+
+
+ result = dns_message_firstname(rcvmsg, section);
+ if (result != ISC_R_SUCCESS) {
+ pass++;
+ goto lookforsoa;
+ }
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(rcvmsg, section, &name);
+ soaset = NULL;
+ result = dns_message_findtype(name, dns_rdatatype_soa, 0,
+ &soaset);
+ if (result == ISC_R_SUCCESS)
+ break;
+ if (section == DNS_SECTION_ANSWER) {
+ dns_rdataset_t *tset = NULL;
+ if (dns_message_findtype(name, dns_rdatatype_cname, 0,
+ &tset) == ISC_R_SUCCESS
+ ||
+ dns_message_findtype(name, dns_rdatatype_dname, 0,
+ &tset) == ISC_R_SUCCESS
+ )
+ {
+ seencname = ISC_TRUE;
+ break;
+ }
+ }
+
+ result = dns_message_nextname(rcvmsg, section);
+ }
+
+ if (soaset == NULL && !seencname) {
+ pass++;
+ goto lookforsoa;
+ }
+
+ if (seencname) {
+ dns_name_t tname;
+ unsigned int nlabels;
+
+ result = dns_message_firstname(soaquery, DNS_SECTION_QUESTION);
+ INSIST(result == ISC_R_SUCCESS);
+ name = NULL;
+ dns_message_currentname(soaquery, DNS_SECTION_QUESTION, &name);
+ nlabels = dns_name_countlabels(name);
+ if (nlabels == 1)
+ fatal("could not find enclosing zone");
+ dns_name_init(&tname, NULL);
+ dns_name_getlabelsequence(name, 1, nlabels - 1, &tname);
+ dns_name_clone(&tname, name);
+ dns_request_destroy(&request);
+ dns_message_renderreset(soaquery);
+ if (userserver != NULL)
+ sendrequest(localaddr, userserver, soaquery, &request);
+ else
+ sendrequest(localaddr, &servers[ns_inuse], soaquery,
+ &request);
+ goto out;
+ }
+
+ if (debugging) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ fprintf(stderr, "Found zone name: %s\n", namestr);
+ }
+
+ result = dns_rdataset_first(soaset);
+ check_result(result, "dns_rdataset_first");
+
+ dns_rdata_init(&soarr);
+ dns_rdataset_current(soaset, &soarr);
+ result = dns_rdata_tostruct(&soarr, &soa, NULL);
+ check_result(result, "dns_rdata_tostruct");
+
+ dns_name_init(&master, NULL);
+ dns_name_clone(&soa.origin, &master);
+
+ if (userzone != NULL)
+ zonename = userzone;
+ else
+ zonename = name;
+
+ if (debugging) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(&master, namestr, sizeof(namestr));
+ fprintf(stderr, "The master is: %s\n", namestr);
+ }
+
+ if (userserver != NULL)
+ serveraddr = userserver;
+ else {
+ char serverstr[DNS_NAME_MAXTEXT+1];
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, serverstr, sizeof(serverstr));
+ result = dns_name_totext(&master, ISC_TRUE, &buf);
+ check_result(result, "dns_name_totext");
+ serverstr[isc_buffer_usedlength(&buf)] = 0;
+ get_address(serverstr, DNSDEFAULTPORT, &tempaddr);
+ serveraddr = &tempaddr;
+ }
+
+ send_update(zonename, serveraddr, localaddr);
+
+ dns_message_destroy(&soaquery);
+ dns_request_destroy(&request);
+
+ out:
+ setzoneclass(dns_rdataclass_none);
+ dns_rdata_freestruct(&soa);
+ dns_message_destroy(&rcvmsg);
+ ddebug("Out of recvsoa");
+}
+
+static void
+sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_message_t *msg, dns_request_t **request)
+{
+ isc_result_t result;
+ nsu_requestinfo_t *reqinfo;
+
+ reqinfo = isc_mem_get(mctx, sizeof(nsu_requestinfo_t));
+ if (reqinfo == NULL)
+ fatal("out of memory");
+ reqinfo->msg = msg;
+ reqinfo->addr = destaddr;
+ result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr, 0,
+ (userserver != NULL) ? tsigkey : NULL,
+ FIND_TIMEOUT * 20, FIND_TIMEOUT, 3,
+ global_task, recvsoa, reqinfo, request);
+ check_result(result, "dns_request_createvia");
+ requests++;
+}
+
+static void
+start_update(void) {
+ isc_result_t result;
+ dns_rdataset_t *rdataset = NULL;
+ dns_name_t *name = NULL;
+ dns_request_t *request = NULL;
+ dns_message_t *soaquery = NULL;
+ dns_name_t *firstname;
+ dns_section_t section = DNS_SECTION_UPDATE;
+
+ ddebug("start_update()");
+
+ if (answer != NULL)
+ dns_message_destroy(&answer);
+ result = dns_message_firstname(updatemsg, section);
+ if (result == ISC_R_NOMORE) {
+ section = DNS_SECTION_PREREQUISITE;
+ result = dns_message_firstname(updatemsg, section);
+ }
+ if (result != ISC_R_SUCCESS) {
+ done_update();
+ return;
+ }
+
+ if (userzone != NULL && userserver != NULL) {
+ send_update(userzone, userserver, localaddr);
+ setzoneclass(dns_rdataclass_none);
+ return;
+ }
+
+ result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER,
+ &soaquery);
+ check_result(result, "dns_message_create");
+
+ soaquery->flags |= DNS_MESSAGEFLAG_RD;
+
+ result = dns_message_gettempname(soaquery, &name);
+ check_result(result, "dns_message_gettempname");
+
+ result = dns_message_gettemprdataset(soaquery, &rdataset);
+ check_result(result, "dns_message_gettemprdataset");
+
+ dns_rdataset_makequestion(rdataset, getzoneclass(), dns_rdatatype_soa);
+
+ firstname = NULL;
+ dns_message_currentname(updatemsg, section, &firstname);
+ dns_name_init(name, NULL);
+ dns_name_clone(firstname, name);
+
+ ISC_LIST_INIT(name->list);
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ dns_message_addname(soaquery, name, DNS_SECTION_QUESTION);
+
+ if (userserver != NULL)
+ sendrequest(localaddr, userserver, soaquery, &request);
+ else {
+ ns_inuse = 0;
+ sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
+ }
+}
+
+static void
+cleanup(void) {
+ ddebug("cleanup()");
+
+ if (answer != NULL)
+ dns_message_destroy(&answer);
+ ddebug("Shutting down task manager");
+ isc_taskmgr_destroy(&taskmgr);
+
+ ddebug("Destroying event");
+ isc_event_free(&global_event);
+
+ ddebug("Shutting down socket manager");
+ isc_socketmgr_destroy(&socketmgr);
+
+ ddebug("Shutting down timer manager");
+ isc_timermgr_destroy(&timermgr);
+
+ ddebug("Destroying hash context");
+ isc_hash_destroy();
+
+ ddebug("Destroying memory context");
+ if (memdebugging)
+ isc_mem_stats(mctx, stderr);
+ isc_mem_destroy(&mctx);
+}
+
+static void
+getinput(isc_task_t *task, isc_event_t *event) {
+ isc_boolean_t more;
+
+ UNUSED(task);
+
+ if (shuttingdown) {
+ maybeshutdown();
+ return;
+ }
+
+ if (global_event == NULL)
+ global_event = event;
+
+ reset_system();
+ more = user_interaction();
+ if (!more) {
+ isc_app_shutdown();
+ return;
+ }
+ start_update();
+ return;
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+ style = &dns_master_style_debug;
+
+ input = stdin;
+
+ interactive = ISC_TF(isatty(0));
+
+ isc_app_start();
+
+ parse_args(argc, argv);
+
+ setup_system();
+
+ result = isc_app_onrun(mctx, global_task, getinput, NULL);
+ check_result(result, "isc_app_onrun");
+
+ (void)isc_app_run();
+
+ cleanup();
+
+ isc_app_finish();
+
+ if (seenerror)
+ return (2);
+ else
+ return (0);
+}
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.docbook b/contrib/bind9/bin/nsupdate/nsupdate.docbook
new file mode 100644
index 0000000..7d23333
--- /dev/null
+++ b/contrib/bind9/bin/nsupdate/nsupdate.docbook
@@ -0,0 +1,629 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsupdate.docbook,v 1.8.2.3.2.8 2004/03/08 04:04:23 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>nsupdate</refentrytitle>
+<manvolnum>8</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>nsupdate</refname>
+<refpurpose>Dynamic DNS update utility</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<cmdsynopsis>
+<command>nsupdate</command>
+<arg><option>-d</option></arg>
+<group>
+ <arg><option>-y <replaceable class="parameter">keyname:secret</replaceable></option></arg>
+ <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
+</group>
+<arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
+<arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
+<arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
+<arg><option>-v</option></arg>
+<arg>filename</arg>
+</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<command>nsupdate</command>
+is used to submit Dynamic DNS Update requests as defined in RFC2136
+to a name server.
+This allows resource records to be added or removed from a zone
+without manually editing the zone file.
+A single update request can contain requests to add or remove more than one
+resource record.
+</para>
+<para>
+Zones that are under dynamic control via
+<command>nsupdate</command>
+or a DHCP server should not be edited by hand.
+Manual edits could
+conflict with dynamic updates and cause data to be lost.
+</para>
+<para>
+The resource records that are dynamically added or removed with
+<command>nsupdate</command>
+have to be in the same zone.
+Requests are sent to the zone's master server.
+This is identified by the MNAME field of the zone's SOA record.
+</para>
+<para>
+The
+<option>-d</option>
+option makes
+<command>nsupdate</command>
+operate in debug mode.
+This provides tracing information about the update requests that are
+made and the replies received from the name server.
+</para>
+<para>
+Transaction signatures can be used to authenticate the Dynamic DNS
+updates.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+<command>nsupdate</command> and the name server.
+Currently, the only supported encryption algorithm for TSIG is
+HMAC-MD5, which is defined in RFC 2104.
+Once other algorithms are defined for TSIG, applications will need to
+ensure they select the appropriate algorithm as well as the key when
+authenticating each other.
+For instance suitable
+<type>key</type>
+and
+<type>server</type>
+statements would be added to
+<filename>/etc/named.conf</filename>
+so that the name server can associate the appropriate secret key
+and algorithm with the IP address of the
+client application that will be using TSIG authentication.
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
+<command>nsupdate</command>
+does not read
+<filename>/etc/named.conf</filename>.
+</para>
+<para>
+<command>nsupdate</command>
+uses the
+<option>-y</option>
+or
+<option>-k</option>
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
+These options are mutually exclusive.
+With the
+<option>-k</option>
+option,
+<command>nsupdate</command>
+reads the shared secret from the file
+<parameter>keyfile</parameter>,
+whose name is of the form
+<filename>K{name}.+157.+{random}.private</filename>.
+For historical
+reasons, the file
+<filename>K{name}.+157.+{random}.key</filename>
+must also be present. When the
+<option>-y</option>
+option is used, a signature is generated from
+<parameter>keyname:secret.</parameter>
+<parameter>keyname</parameter>
+is the name of the key,
+and
+<parameter>secret</parameter>
+is the base64 encoded shared secret.
+Use of the
+<option>-y</option>
+option is discouraged because the shared secret is supplied as a command
+line argument in clear text.
+This may be visible in the output from
+<citerefentry>
+<refentrytitle>ps</refentrytitle><manvolnum>1
+</manvolnum>
+</citerefentry>
+or in a history file maintained by the user's shell.
+</para>
+<para>
+The <option>-k</option> may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests. In this case, the key
+specified is not an HMAC-MD5 key.
+</para>
+<para>
+By default
+<command>nsupdate</command>
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
+The
+<option>-v</option>
+option makes
+<command>nsupdate</command>
+use a TCP connection.
+This may be preferable when a batch of update requests is made.
+</para>
+<para>The <option>-t</option> option sets the maximum time a update request can
+take before it is aborted. The default is 300 seconds. Zero can be used
+to disable the timeout.
+</para>
+<para>The <option>-u</option> option sets the UDP retry interval. The default is
+3 seconds. If zero the interval will be computed from the timeout interval
+and number of UDP retries.
+</para>
+<para>The <option>-r</option> option sets the number of UDP retries. The default is
+3. If zero only one update request will be made.
+</para>
+</refsect1>
+
+<refsect1>
+<title>INPUT FORMAT</title>
+<para>
+<command>nsupdate</command>
+reads input from
+<parameter>filename</parameter>
+or standard input.
+Each command is supplied on exactly one line of input.
+Some commands are for administrative purposes.
+The others are either update instructions or prerequisite checks on the
+contents of the zone.
+These checks set conditions that some name or set of
+resource records (RRset) either exists or is absent from the zone.
+These conditions must be met if the entire update request is to succeed.
+Updates will be rejected if the tests for the prerequisite conditions fail.
+</para>
+<para>
+Every update request consists of zero or more prerequisites
+and zero or more updates.
+This allows a suitably authenticated update request to proceed if some
+specified resource records are present or missing from the zone.
+A blank input line (or the <command>send</command> command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.
+</para>
+<para>
+The command formats and their meaning are as follows:
+<variablelist>
+<varlistentry><term>
+<cmdsynopsis>
+<command>server</command>
+<arg choice="req">servername</arg>
+<arg choice="opt">port</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Sends all dynamic update requests to the name server
+<parameter>servername</parameter>.
+When no server statement is provided,
+<command>nsupdate</command>
+will send updates to the master server of the correct zone.
+The MNAME field of that zone's SOA record will identify the master
+server for that zone.
+<parameter>port</parameter>
+is the port number on
+<parameter>servername</parameter>
+where the dynamic update requests get sent.
+If no port number is specified, the default DNS port number of 53 is
+used.
+</para>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>local</command>
+<arg choice="req">address</arg>
+<arg choice="opt">port</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Sends all dynamic update requests using the local
+<parameter>address</parameter>.
+
+When no local statement is provided,
+<command>nsupdate</command>
+will send updates using an address and port chosen by the system.
+<parameter>port</parameter>
+can additionally be used to make requests come from a specific port.
+If no port number is specified, the system will assign one.
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>zone</command>
+<arg choice="req">zonename</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Specifies that all updates are to be made to the zone
+<parameter>zonename</parameter>.
+If no
+<parameter>zone</parameter>
+statement is provided,
+<command>nsupdate</command>
+will attempt determine the correct zone to update based on the rest of the input.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>class</command>
+<arg choice="req">classname</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Specify the default class.
+If no <parameter>class</parameter> is specified the default class is
+<parameter>IN</parameter>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>key</command>
+<arg choice="req">name</arg>
+<arg choice="req">secret</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Specifies that all updates are to be TSIG signed using the
+<parameter>keyname</parameter> <parameter>keysecret</parameter> pair.
+The <command>key</command> command
+overrides any key specified on the command line via
+<option>-y</option> or <option>-k</option>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>prereq nxdomain</command>
+<arg choice="req">domain-name</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Requires that no resource record of any type exists with name
+<parameter>domain-name</parameter>.
+</para>
+</listitem>
+</varlistentry>
+
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>prereq yxdomain</command>
+<arg choice="req">domain-name</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Requires that
+<parameter>domain-name</parameter>
+exists (has as at least one resource record, of any type).
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>prereq nxrrset</command>
+<arg choice="req">domain-name</arg>
+<arg choice="opt">class</arg>
+<arg choice="req">type</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Requires that no resource record exists of the specified
+<parameter>type</parameter>,
+<parameter>class</parameter>
+and
+<parameter>domain-name</parameter>.
+If
+<parameter>class</parameter>
+is omitted, IN (internet) is assumed.
+</para>
+</listitem>
+</varlistentry>
+
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>prereq yxrrset</command>
+<arg choice="req">domain-name</arg>
+<arg choice="opt">class</arg>
+<arg choice="req">type</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+This requires that a resource record of the specified
+<parameter>type</parameter>,
+<parameter>class</parameter>
+and
+<parameter>domain-name</parameter>
+must exist.
+If
+<parameter>class</parameter>
+is omitted, IN (internet) is assumed.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>prereq yxrrset</command>
+<arg choice="req">domain-name</arg>
+<arg choice="opt">class</arg>
+<arg choice="req">type</arg>
+<arg choice="req" rep="repeat">data</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+The
+<parameter>data</parameter>
+from each set of prerequisites of this form
+sharing a common
+<parameter>type</parameter>,
+<parameter>class</parameter>,
+and
+<parameter>domain-name</parameter>
+are combined to form a set of RRs. This set of RRs must
+exactly match the set of RRs existing in the zone at the
+given
+<parameter>type</parameter>,
+<parameter>class</parameter>,
+and
+<parameter>domain-name</parameter>.
+The
+<parameter>data</parameter>
+are written in the standard text representation of the resource record's
+RDATA.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>update delete</command>
+<arg choice="req">domain-name</arg>
+<arg choice="opt">ttl</arg>
+<arg choice="opt">class</arg>
+<arg choice="opt">type <arg choice="opt" rep="repeat">data</arg></arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Deletes any resource records named
+<parameter>domain-name</parameter>.
+If
+<parameter>type</parameter>
+and
+<parameter>data</parameter>
+is provided, only matching resource records will be removed.
+The internet class is assumed if
+<parameter>class</parameter>
+is not supplied. The
+<parameter>ttl</parameter>
+is ignored, and is only allowed for compatibility.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>update add</command>
+<arg choice="req">domain-name</arg>
+<arg choice="req">ttl</arg>
+<arg choice="opt">class</arg>
+<arg choice="req">type</arg>
+<arg choice="req" rep="repeat">data</arg>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Adds a new resource record with the specified
+<parameter>ttl</parameter>,
+<parameter>class</parameter>
+and
+<parameter>data</parameter>.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>show</command>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Displays the current message, containing all of the prerequisites and
+updates specified since the last send.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>send</command>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Sends the current message. This is equivalent to entering a blank line.
+</para>
+</listitem>
+
+<varlistentry><term>
+<cmdsynopsis>
+<command>answer</command>
+</cmdsynopsis>
+</term>
+<listitem>
+<para>
+Displays the answer.
+</para>
+</listitem>
+
+</variablelist>
+
+<para>
+Lines beginning with a semicolon are comments and are ignored.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>EXAMPLES</title>
+<para>
+The examples below show how
+<command>nsupdate</command>
+could be used to insert and delete resource records from the
+<type>example.com</type>
+zone.
+Notice that the input in each example contains a trailing blank line so that
+a group of commands are sent as one dynamic update request to the
+master name server for
+<type>example.com</type>.
+
+<programlisting>
+# nsupdate
+> update delete oldhost.example.com A
+> update add newhost.example.com 86400 A 172.16.1.1
+> send
+</programlisting>
+</para>
+<para>
+Any A records for
+<type>oldhost.example.com</type>
+are deleted.
+and an A record for
+<type>newhost.example.com</type>
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
+<programlisting>
+# nsupdate
+> prereq nxdomain nickname.example.com
+> update add nickname.example.com 86400 CNAME somehost.example.com
+> send
+</programlisting>
+</para>
+<para>
+The prerequisite condition gets the name server to check that there
+are no resource records of any type for
+<type>nickname.example.com</type>.
+
+If there are, the update request fails.
+If this name does not exist, a CNAME for it is added.
+This ensures that when the CNAME is added, it cannot conflict with the
+long-standing rule in RFC1034 that a name must not exist as any other
+record type if it exists as a CNAME.
+(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+RRSIG, DNSKEY and NSEC records.)
+</para>
+</refsect1>
+
+<refsect1>
+<title>FILES</title>
+
+<variablelist>
+<varlistentry><term><constant>/etc/resolv.conf</constant></term>
+<listitem>
+<para>
+used to identify default name server
+</para>
+</listitem>
+
+<varlistentry><term><constant>K{name}.+157.+{random}.key</constant></term>
+<listitem>
+<para>
+base-64 encoding of HMAC-MD5 key created by
+<citerefentry>
+<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+</para>
+</listitem>
+
+<varlistentry><term><constant>K{name}.+157.+{random}.private</constant></term>
+<listitem>
+<para>
+base-64 encoding of HMAC-MD5 key created by
+<citerefentry>
+<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+</para>
+</listitem>
+</variablelist>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>RFC2136</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC3007</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC2104</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC2845</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC1034</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC2535</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>RFC2931</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+
+</refsect1>
+<refsect1>
+<title>BUGS</title>
+<para>
+The TSIG key is redundantly stored in two separate files.
+This is a consequence of nsupdate using the DST library
+for its cryptographic operations, and may change in future
+releases.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/bin/nsupdate/nsupdate.html b/contrib/bind9/bin/nsupdate/nsupdate.html
new file mode 100644
index 0000000..f9cb98c
--- /dev/null
+++ b/contrib/bind9/bin/nsupdate/nsupdate.html
@@ -0,0 +1,962 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsupdate.html,v 1.9.2.3.2.5 2004/08/22 23:38:59 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>nsupdate</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>nsupdate</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>nsupdate&nbsp;--&nbsp;Dynamic DNS update utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+> [<VAR
+CLASS="OPTION"
+>-d</VAR
+>] [<VAR
+CLASS="OPTION"
+>-y <VAR
+CLASS="REPLACEABLE"
+>keyname:secret</VAR
+></VAR
+> | <VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>keyfile</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>timeout</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-u <VAR
+CLASS="REPLACEABLE"
+>udptimeout</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-r <VAR
+CLASS="REPLACEABLE"
+>udpretries</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-v</VAR
+>] [filename]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN35"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
+is used to submit Dynamic DNS Update requests as defined in RFC2136
+to a name server.
+This allows resource records to be added or removed from a zone
+without manually editing the zone file.
+A single update request can contain requests to add or remove more than one
+resource record.</P
+><P
+>Zones that are under dynamic control via
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+or a DHCP server should not be edited by hand.
+Manual edits could
+conflict with dynamic updates and cause data to be lost.</P
+><P
+>The resource records that are dynamically added or removed with
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+have to be in the same zone.
+Requests are sent to the zone's master server.
+This is identified by the MNAME field of the zone's SOA record.</P
+><P
+>The
+<VAR
+CLASS="OPTION"
+>-d</VAR
+>
+option makes
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+operate in debug mode.
+This provides tracing information about the update requests that are
+made and the replies received from the name server.</P
+><P
+>Transaction signatures can be used to authenticate the Dynamic DNS
+updates.
+These use the TSIG resource record type described in RFC2845 or the
+SIG(0) record described in RFC3535 and RFC2931.
+TSIG relies on a shared secret that should only be known to
+<B
+CLASS="COMMAND"
+>nsupdate</B
+> and the name server.
+Currently, the only supported encryption algorithm for TSIG is
+HMAC-MD5, which is defined in RFC 2104.
+Once other algorithms are defined for TSIG, applications will need to
+ensure they select the appropriate algorithm as well as the key when
+authenticating each other.
+For instance suitable
+<SPAN
+CLASS="TYPE"
+>key</SPAN
+>
+and
+<SPAN
+CLASS="TYPE"
+>server</SPAN
+>
+statements would be added to
+<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>
+so that the name server can associate the appropriate secret key
+and algorithm with the IP address of the
+client application that will be using TSIG authentication.
+SIG(0) uses public key cryptography. To use a SIG(0) key, the public
+key must be stored in a KEY record in a zone served by the name server.
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+does not read
+<TT
+CLASS="FILENAME"
+>/etc/named.conf</TT
+>.</P
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
+uses the
+<VAR
+CLASS="OPTION"
+>-y</VAR
+>
+or
+<VAR
+CLASS="OPTION"
+>-k</VAR
+>
+option (with an HMAC-MD5 key) to provide the shared secret needed to generate
+a TSIG record for authenticating Dynamic DNS update requests.
+These options are mutually exclusive.
+With the
+<VAR
+CLASS="OPTION"
+>-k</VAR
+>
+option,
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+reads the shared secret from the file
+<VAR
+CLASS="PARAMETER"
+>keyfile</VAR
+>,
+whose name is of the form
+<TT
+CLASS="FILENAME"
+>K{name}.+157.+{random}.private</TT
+>.
+For historical
+reasons, the file
+<TT
+CLASS="FILENAME"
+>K{name}.+157.+{random}.key</TT
+>
+must also be present. When the
+<VAR
+CLASS="OPTION"
+>-y</VAR
+>
+option is used, a signature is generated from
+<VAR
+CLASS="PARAMETER"
+>keyname:secret.</VAR
+>
+<VAR
+CLASS="PARAMETER"
+>keyname</VAR
+>
+is the name of the key,
+and
+<VAR
+CLASS="PARAMETER"
+>secret</VAR
+>
+is the base64 encoded shared secret.
+Use of the
+<VAR
+CLASS="OPTION"
+>-y</VAR
+>
+option is discouraged because the shared secret is supplied as a command
+line argument in clear text.
+This may be visible in the output from
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ps</SPAN
+>(1)</SPAN
+>
+or in a history file maintained by the user's shell.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-k</VAR
+> may also be used to specify a SIG(0) key used
+to authenticate Dynamic DNS update requests. In this case, the key
+specified is not an HMAC-MD5 key.</P
+><P
+>By default
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+uses UDP to send update requests to the name server unless they are too
+large to fit in a UDP request in which case TCP will be used.
+The
+<VAR
+CLASS="OPTION"
+>-v</VAR
+>
+option makes
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+use a TCP connection.
+This may be preferable when a batch of update requests is made.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-t</VAR
+> option sets the maximum time a update request can
+take before it is aborted. The default is 300 seconds. Zero can be used
+to disable the timeout.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-u</VAR
+> option sets the UDP retry interval. The default is
+3 seconds. If zero the interval will be computed from the timeout interval
+and number of UDP retries.</P
+><P
+>The <VAR
+CLASS="OPTION"
+>-r</VAR
+> option sets the number of UDP retries. The default is
+3. If zero only one update request will be made.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN82"
+></A
+><H2
+>INPUT FORMAT</H2
+><P
+><B
+CLASS="COMMAND"
+>nsupdate</B
+>
+reads input from
+<VAR
+CLASS="PARAMETER"
+>filename</VAR
+>
+or standard input.
+Each command is supplied on exactly one line of input.
+Some commands are for administrative purposes.
+The others are either update instructions or prerequisite checks on the
+contents of the zone.
+These checks set conditions that some name or set of
+resource records (RRset) either exists or is absent from the zone.
+These conditions must be met if the entire update request is to succeed.
+Updates will be rejected if the tests for the prerequisite conditions fail.</P
+><P
+>Every update request consists of zero or more prerequisites
+and zero or more updates.
+This allows a suitably authenticated update request to proceed if some
+specified resource records are present or missing from the zone.
+A blank input line (or the <B
+CLASS="COMMAND"
+>send</B
+> command) causes the
+accumulated commands to be sent as one Dynamic DNS update request to the
+name server.</P
+><P
+>The command formats and their meaning are as follows:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><P
+><B
+CLASS="COMMAND"
+>server</B
+> {servername} [port]</P
+></DT
+><DD
+><P
+>Sends all dynamic update requests to the name server
+<VAR
+CLASS="PARAMETER"
+>servername</VAR
+>.
+When no server statement is provided,
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+will send updates to the master server of the correct zone.
+The MNAME field of that zone's SOA record will identify the master
+server for that zone.
+<VAR
+CLASS="PARAMETER"
+>port</VAR
+>
+is the port number on
+<VAR
+CLASS="PARAMETER"
+>servername</VAR
+>
+where the dynamic update requests get sent.
+If no port number is specified, the default DNS port number of 53 is
+used.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>local</B
+> {address} [port]</P
+></DT
+><DD
+><P
+>Sends all dynamic update requests using the local
+<VAR
+CLASS="PARAMETER"
+>address</VAR
+>.
+
+When no local statement is provided,
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+will send updates using an address and port chosen by the system.
+<VAR
+CLASS="PARAMETER"
+>port</VAR
+>
+can additionally be used to make requests come from a specific port.
+If no port number is specified, the system will assign one.&#13;</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>zone</B
+> {zonename}</P
+></DT
+><DD
+><P
+>Specifies that all updates are to be made to the zone
+<VAR
+CLASS="PARAMETER"
+>zonename</VAR
+>.
+If no
+<VAR
+CLASS="PARAMETER"
+>zone</VAR
+>
+statement is provided,
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+will attempt determine the correct zone to update based on the rest of the input.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>class</B
+> {classname}</P
+></DT
+><DD
+><P
+>Specify the default class.
+If no <VAR
+CLASS="PARAMETER"
+>class</VAR
+> is specified the default class is
+<VAR
+CLASS="PARAMETER"
+>IN</VAR
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>key</B
+> {name} {secret}</P
+></DT
+><DD
+><P
+>Specifies that all updates are to be TSIG signed using the
+<VAR
+CLASS="PARAMETER"
+>keyname</VAR
+> <VAR
+CLASS="PARAMETER"
+>keysecret</VAR
+> pair.
+The <B
+CLASS="COMMAND"
+>key</B
+> command
+overrides any key specified on the command line via
+<VAR
+CLASS="OPTION"
+>-y</VAR
+> or <VAR
+CLASS="OPTION"
+>-k</VAR
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq nxdomain</B
+> {domain-name}</P
+></DT
+><DD
+><P
+>Requires that no resource record of any type exists with name
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxdomain</B
+> {domain-name}</P
+></DT
+><DD
+><P
+>Requires that
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>
+exists (has as at least one resource record, of any type).</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq nxrrset</B
+> {domain-name} [class] {type}</P
+></DT
+><DD
+><P
+>Requires that no resource record exists of the specified
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>,
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>.
+If
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+is omitted, IN (internet) is assumed.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxrrset</B
+> {domain-name} [class] {type}</P
+></DT
+><DD
+><P
+>This requires that a resource record of the specified
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>,
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>
+must exist.
+If
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+is omitted, IN (internet) is assumed.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>prereq yxrrset</B
+> {domain-name} [class] {type} {data...}</P
+></DT
+><DD
+><P
+>The
+<VAR
+CLASS="PARAMETER"
+>data</VAR
+>
+from each set of prerequisites of this form
+sharing a common
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>,
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>,
+and
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>
+are combined to form a set of RRs. This set of RRs must
+exactly match the set of RRs existing in the zone at the
+given
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>,
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>,
+and
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>.
+The
+<VAR
+CLASS="PARAMETER"
+>data</VAR
+>
+are written in the standard text representation of the resource record's
+RDATA.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>update delete</B
+> {domain-name} [ttl] [class] [type [data...]]</P
+></DT
+><DD
+><P
+>Deletes any resource records named
+<VAR
+CLASS="PARAMETER"
+>domain-name</VAR
+>.
+If
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>data</VAR
+>
+is provided, only matching resource records will be removed.
+The internet class is assumed if
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+is not supplied. The
+<VAR
+CLASS="PARAMETER"
+>ttl</VAR
+>
+is ignored, and is only allowed for compatibility.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>update add</B
+> {domain-name} {ttl} [class] {type} {data...}</P
+></DT
+><DD
+><P
+>Adds a new resource record with the specified
+<VAR
+CLASS="PARAMETER"
+>ttl</VAR
+>,
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>data</VAR
+>.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>show</B
+> </P
+></DT
+><DD
+><P
+>Displays the current message, containing all of the prerequisites and
+updates specified since the last send.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>send</B
+> </P
+></DT
+><DD
+><P
+>Sends the current message. This is equivalent to entering a blank line.</P
+></DD
+><DT
+><P
+><B
+CLASS="COMMAND"
+>answer</B
+> </P
+></DT
+><DD
+><P
+>Displays the answer.</P
+></DD
+></DL
+></DIV
+>&#13;</P
+><P
+>Lines beginning with a semicolon are comments and are ignored.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN255"
+></A
+><H2
+>EXAMPLES</H2
+><P
+>The examples below show how
+<B
+CLASS="COMMAND"
+>nsupdate</B
+>
+could be used to insert and delete resource records from the
+<SPAN
+CLASS="TYPE"
+>example.com</SPAN
+>
+zone.
+Notice that the input in each example contains a trailing blank line so that
+a group of commands are sent as one dynamic update request to the
+master name server for
+<SPAN
+CLASS="TYPE"
+>example.com</SPAN
+>.
+
+<PRE
+CLASS="PROGRAMLISTING"
+># nsupdate
+&#62; update delete oldhost.example.com A
+&#62; update add newhost.example.com 86400 A 172.16.1.1
+&#62; send</PRE
+></P
+><P
+>Any A records for
+<SPAN
+CLASS="TYPE"
+>oldhost.example.com</SPAN
+>
+are deleted.
+and an A record for
+<SPAN
+CLASS="TYPE"
+>newhost.example.com</SPAN
+>
+it IP address 172.16.1.1 is added.
+The newly-added record has a 1 day TTL (86400 seconds)
+<PRE
+CLASS="PROGRAMLISTING"
+># nsupdate
+&#62; prereq nxdomain nickname.example.com
+&#62; update add nickname.example.com 86400 CNAME somehost.example.com
+&#62; send</PRE
+></P
+><P
+>The prerequisite condition gets the name server to check that there
+are no resource records of any type for
+<SPAN
+CLASS="TYPE"
+>nickname.example.com</SPAN
+>.
+
+If there are, the update request fails.
+If this name does not exist, a CNAME for it is added.
+This ensures that when the CNAME is added, it cannot conflict with the
+long-standing rule in RFC1034 that a name must not exist as any other
+record type if it exists as a CNAME.
+(The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+RRSIG, DNSKEY and NSEC records.)</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN268"
+></A
+><H2
+>FILES</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>/etc/resolv.conf</CODE
+></DT
+><DD
+><P
+>used to identify default name server</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>K{name}.+157.+{random}.key</CODE
+></DT
+><DD
+><P
+>base-64 encoding of HMAC-MD5 key created by
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>K{name}.+157.+{random}.private</CODE
+></DT
+><DD
+><P
+>base-64 encoding of HMAC-MD5 key created by
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN292"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2136</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC3007</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2104</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2845</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC1034</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2535</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2931</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN315"
+></A
+><H2
+>BUGS</H2
+><P
+>The TSIG key is redundantly stored in two separate files.
+This is a consequence of nsupdate using the DST library
+for its cryptographic operations, and may change in future
+releases.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/rndc/Makefile.in b/contrib/bind9/bin/rndc/Makefile.in
new file mode 100644
index 0000000..e677315
--- /dev/null
+++ b/contrib/bind9/bin/rndc/Makefile.in
@@ -0,0 +1,102 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.32.2.3.8.8 2004/07/20 07:01:50 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+CONFLIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SUBDIRS = unix
+
+TARGETS = rndc@EXEEXT@ rndc-confgen@EXEEXT@
+
+MANPAGES = rndc.8 rndc-confgen.8 rndc.conf.5
+
+HTMLPAGES = rndc.html rndc-confgen.html rndc.conf.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+UOBJS = unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc.@O@: rndc.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DRNDC_CONFFILE=\"${sysconfdir}/rndc.conf\" \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc.c
+
+rndc-confgen.@O@: rndc-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc-confgen.c
+
+rndc@EXEEXT@: rndc.@O@ util.@O@ ${RNDCDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc.@O@ util.@O@ \
+ ${RNDCLIBS}
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ ${UOBJS} ${CONFDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ rndc-confgen.@O@ util.@O@ \
+ ${UOBJS} ${CONFLIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
+
+install:: rndc@EXEEXT@ rndc-confgen@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/rndc.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/rndc.conf.5 ${DESTDIR}${mandir}/man5
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
diff --git a/contrib/bind9/bin/rndc/include/rndc/os.h b/contrib/bind9/bin/rndc/include/rndc/os.h
new file mode 100644
index 0000000..b5ade47
--- /dev/null
+++ b/contrib/bind9/bin/rndc/include/rndc/os.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.4.206.1 2004/03/06 10:21:33 marka Exp $ */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+FILE *safe_create(const char *filename);
+/*
+ * Open 'filename' for writing, truncate if necessary. If the file was
+ * created ensure that only the owner can read/write it.
+ */
+
+int set_user(FILE *fd, const char *user);
+/*
+ * Set the owner of the file refernced by 'fd' to 'user'.
+ * Returns:
+ * 0 success
+ * -1 insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
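Review bot: The contract comment on `safe_create()` promises owner-only permissions only "If the file was created", which leaves the reuse case unspecified. Read literally, an existing key file with a looser mode would be truncated and refilled with the new secret while keeping that mode. The implementation is not part of this hunk, so it may already handle this; either way the header should say so, for example `* An existing file is truncated and its mode is reset to owner read/write as well.` (or the opposite, if that is the real behaviour, so callers know to check the mode themselves). In the `set_user()` comment, `refernced` should be `referenced`, and because the parameter is a `FILE *` rather than a descriptor, a name such as `fp` would read better than `fd`.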
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.8 b/contrib/bind9/bin/rndc/rndc-confgen.8
new file mode 100644
index 0000000..b12e90c
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc-confgen.8
@@ -0,0 +1,140 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001-2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: rndc-confgen.8,v 1.3.2.5.2.3 2004/06/03 05:35:48 marka Exp $
+.\"
+.TH "RNDC-CONFGEN" "8" "Aug 27, 2001" "BIND9" ""
+.SH NAME
+rndc-confgen \- rndc key generation tool
+.SH SYNOPSIS
+.sp
+\fBrndc-confgen\fR [ \fB-a\fR ] [ \fB-b \fIkeysize\fB\fR ] [ \fB-c \fIkeyfile\fB\fR ] [ \fB-h\fR ] [ \fB-k \fIkeyname\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-r \fIrandomfile\fB\fR ] [ \fB-s \fIaddress\fB\fR ] [ \fB-t \fIchrootdir\fB\fR ] [ \fB-u \fIuser\fB\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBrndc-confgen\fR generates configuration files
+for \fBrndc\fR. It can be used as a
+convenient alternative to writing the
+\fIrndc.conf\fR file
+and the corresponding \fBcontrols\fR
+and \fBkey\fR
+statements in \fInamed.conf\fR by hand.
+Alternatively, it can be run with the \fB-a\fR
+option to set up a \fIrndc.key\fR file and
+avoid the need for a \fIrndc.conf\fR file
+and a \fBcontrols\fR statement altogether.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Do automatic \fBrndc\fR configuration.
+This creates a file \fIrndc.key\fR
+in \fI/etc\fR (or whatever
+sysconfdir
+was specified as when BIND was built)
+that is read by both \fBrndc\fR
+and \fBnamed\fR on startup. The
+\fIrndc.key\fR file defines a default
+command channel and authentication key allowing
+\fBrndc\fR to communicate with
+\fBnamed\fR on the local host
+with no further configuration.
+
+Running \fBrndc-confgen -a\fR allows
+BIND 9 and \fBrndc\fR to be used as drop-in
+replacements for BIND 8 and \fBndc\fR,
+with no changes to the existing BIND 8
+\fInamed.conf\fR file.
+
+If a more elaborate configuration than that
+generated by \fBrndc-confgen -a\fR
+is required, for example if rndc is to be used remotely,
+you should run \fBrndc-confgen\fR without the
+\fB-a\fR option and set up a
+\fIrndc.conf\fR and
+\fInamed.conf\fR
+as directed.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the size of the authentication key in bits.
+Must be between 1 and 512 bits; the default is 128.
+.TP
+\fB-c \fIkeyfile\fB\fR
+Used with the \fB-a\fR option to specify
+an alternate location for \fIrndc.key\fR.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBrndc-confgen\fR.
+.TP
+\fB-k \fIkeyname\fB\fR
+Specifies the key name of the rndc authentication key.
+This must be a valid domain name.
+The default is rndc-key.
+.TP
+\fB-p \fIport\fB\fR
+Specifies the command channel port where \fBnamed\fR
+listens for connections from \fBrndc\fR.
+The default is 953.
+.TP
+\fB-r \fIrandomfile\fB\fR
+Specifies a source of random data for generating the
+authorization. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIaddress\fB\fR
+Specifies the IP address where \fBnamed\fR
+listens for command channel connections from
+\fBrndc\fR. The default is the loopback
+address 127.0.0.1.
+.TP
+\fB-t \fIchrootdir\fB\fR
+Used with the \fB-a\fR option to specify
+a directory where \fBnamed\fR will run
+chrooted. An additional copy of the \fIrndc.key\fR
+will be written relative to this directory so that
+it will be found by the chrooted \fBnamed\fR.
+.TP
+\fB-u \fIuser\fB\fR
+Used with the \fB-a\fR option to set the owner
+of the \fIrndc.key\fR file generated. If
+\fB-t\fR is also specified only the file in
+the chroot area has its owner changed.
+.SH "EXAMPLES"
+.PP
+To allow \fBrndc\fR to be used with
+no manual configuration, run
+.PP
+\fBrndc-confgen -a\fR
+.PP
+To print a sample \fIrndc.conf\fR file and
+corresponding \fBcontrols\fR and \fBkey\fR
+statements to be manually inserted into \fInamed.conf\fR,
+run
+.PP
+\fBrndc-confgen\fR
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc.conf\fR(5),
+\fBnamed\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.c b/contrib/bind9/bin/rndc/rndc-confgen.c
new file mode 100644
index 0000000..ef0d497
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc-confgen.c
@@ -0,0 +1,323 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc-confgen.c,v 1.9.2.6.2.4 2004/03/06 10:21:31 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <rndc/os.h>
+
+#include "util.h"
+
+#define DEFAULT_KEYLENGTH 128 /* Bits. */
+#define DEFAULT_KEYNAME "rndc-key"
+#define DEFAULT_SERVER "127.0.0.1"
+#define DEFAULT_PORT 953
+
+static char program[256];
+char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+const char *keyfile, *keydef;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: a file containing random data\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef, DEFAULT_KEYLENGTH);
+
+ exit (status);
+}
+
+/*
+ * Write an rndc.key file to 'keyfile'. If 'user' is non-NULL,
+ * make that user the owner of the file. The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+static void
+write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret )
+{
+ FILE *fd;
+
+ fd = safe_create(keyfile);
+ if (fd == NULL)
+ fatal( "unable to create \"%s\"\n", keyfile);
+ if (user != NULL) {
+ if (set_user(fd, user) == -1)
+ fatal("unable to set file owner\n");
+ }
+ fprintf(fd, "key \"%s\" {\n\talgorithm hmac-md5;\n"
+ "\tsecret \"%.*s\";\n};\n", keyname,
+ (int)isc_buffer_usedlength(secret),
+ (char *)isc_buffer_base(secret));
+ fflush(fd);
+ if (ferror(fd))
+ fatal("write to %s failed\n", keyfile);
+ if (fclose(fd))
+ fatal("fclose(%s) failed\n", keyfile);
+ fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_buffer_t key_rawbuffer;
+ isc_buffer_t key_txtbuffer;
+ isc_region_t key_rawregion;
+ isc_mem_t *mctx = NULL;
+ isc_entropy_t *ectx = NULL;
+ isc_entropysource_t *entropy_source = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ dst_key_t *key = NULL;
+ const char *keyname = NULL;
+ const char *randomfile = NULL;
+ const char *serveraddr = NULL;
+ char key_rawsecret[64];
+ char key_txtsecret[256];
+ char *p;
+ int ch;
+ int port;
+ int keysize;
+ int entropy_flags = 0;
+ int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+ struct in_addr addr4_dummy;
+ struct in6_addr addr6_dummy;
+ char *chrootdir = NULL;
+ char *user = NULL;
+ isc_boolean_t keyonly = ISC_FALSE;
+ int len;
+
+ keydef = keyfile = RNDC_KEYFILE;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "rndc-confgen", 13);
+ progname = program;
+
+ keyname = DEFAULT_KEYNAME;
+ keysize = DEFAULT_KEYLENGTH;
+ serveraddr = DEFAULT_SERVER;
+ port = DEFAULT_PORT;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
+ switch (ch) {
+ case 'a':
+ keyonly = ISC_TRUE;
+ break;
+ case 'b':
+ keysize = strtol(isc_commandline_argument, &p, 10);
+ if (*p != '\0' || keysize < 0)
+ fatal("-b requires a non-negative number");
+ if (keysize < 1 || keysize > 512)
+ fatal("-b must be in the range 1 through 512");
+ break;
+ case 'c':
+ keyfile = isc_commandline_argument;
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y': /* Compatible with rndc -y. */
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'p':
+ port = strtol(isc_commandline_argument, &p, 10);
+ if (*p != '\0' || port < 0 || port > 65535)
+ fatal("port '%s' out of range",
+ isc_commandline_argument);
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ serveraddr = isc_commandline_argument;
+ if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
+ inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
+ fatal("-s should be an IPv4 or IPv6 address");
+ break;
+ case 't':
+ chrootdir = isc_commandline_argument;
+ break;
+ case 'u':
+ user = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case '?':
+ usage(1);
+ break;
+ default:
+ fatal("unexpected error parsing command arguments: "
+ "got %c\n", ch);
+ break;
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc > 0)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+ open_keyboard));
+
+ entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+ DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+ DO("generate key", dst_key_generate(dns_rootname, DST_ALG_HMACMD5,
+ keysize, 0, 0,
+ DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key));
+
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+ DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+ DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+ &key_txtbuffer));
+
+ /*
+ * Shut down the entropy source now so the "stop typing" message
+ * does not muck with the output.
+ */
+ if (entropy_source != NULL)
+ isc_entropy_destroysource(&entropy_source);
+
+ if (key != NULL)
+ dst_key_free(&key);
+
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+
+ if (keyonly) {
+ write_key_file(keyfile, chrootdir == NULL ? user : NULL,
+ keyname, &key_txtbuffer);
+
+ if (chrootdir != NULL) {
+ char *buf;
+ len = strlen(chrootdir) + strlen(keyfile) + 2;
+ buf = isc_mem_get(mctx, len);
+ if (buf == NULL)
+ fatal("isc_mem_get(%d) failed\n", len);
+ snprintf(buf, len, "%s/%s", chrootdir, keyfile);
+
+ write_key_file(buf, user, keyname, &key_txtbuffer);
+ isc_mem_put(mctx, buf, len);
+ }
+ } else {
+ printf("\
+# Start of rndc.conf\n\
+key \"%s\" {\n\
+ algorithm hmac-md5;\n\
+ secret \"%.*s\";\n\
+};\n\
+\n\
+options {\n\
+ default-key \"%s\";\n\
+ default-server %s;\n\
+ default-port %d;\n\
+};\n\
+# End of rndc.conf\n\
+\n\
+# Use with the following in named.conf, adjusting the allow list as needed:\n\
+# key \"%s\" {\n\
+# algorithm hmac-md5;\n\
+# secret \"%.*s\";\n\
+# };\n\
+# \n\
+# controls {\n\
+# inet %s port %d\n\
+# allow { %s; } keys { \"%s\"; };\n\
+# };\n\
+# End of named.conf\n",
+ keyname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer),
+ keyname, serveraddr, port,
+ keyname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer),
+ serveraddr, port, serveraddr, keyname);
+ }
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
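Review bot: In main()'s `case 'b'`, the strtol() result is narrowed to `int keysize` before the range test, so where long is 64 bits an out-of-range value can wrap into 1..512 and be accepted. Parse into a long and test that instead: `long v = strtol(isc_commandline_argument, &p, 10);` followed by `if (*p != '\0' || v < 1 || v > 512) fatal("-b must be in the range 1 through 512");`. The same narrowing affects `port` in `case 'p'`, and there an empty argument also passes the `*p != '\0'` test and yields port 0. Separately, the accepted range starts at 1 bit, so a very short control-channel secret is generated with no warning; a stderr warning below some floor (the 128-bit default is the obvious candidate) would make that choice explicit. The label in `DO("bsse64 encode secret", ...)` is misspelled and will appear in error output.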
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.docbook b/contrib/bind9/bin/rndc/rndc-confgen.docbook
new file mode 100644
index 0000000..272de459
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc-confgen.docbook
@@ -0,0 +1,273 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc-confgen.docbook,v 1.3.2.1.4.3 2004/06/03 02:24:58 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>Aug 27, 2001</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>rndc-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>rndc-confgen</application></refname>
+ <refpurpose>rndc key generation tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rndc-confgen</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+ <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
+ <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>rndc-confgen</command> generates configuration files
+ for <command>rndc</command>. It can be used as a
+ convenient alternative to writing the
+ <filename>rndc.conf</filename> file
+ and the corresponding <command>controls</command>
+ and <command>key</command>
+ statements in <filename>named.conf</filename> by hand.
+ Alternatively, it can be run with the <command>-a</command>
+ option to set up a <filename>rndc.key</filename> file and
+ avoid the need for a <filename>rndc.conf</filename> file
+ and a <command>controls</command> statement altogether.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Do automatic <command>rndc</command> configuration.
+ This creates a file <filename>rndc.key</filename>
+ in <filename>/etc</filename> (or whatever
+ <varname>sysconfdir</varname>
+ was specified as when <acronym>BIND</acronym> was built)
+ that is read by both <command>rndc</command>
+ and <command>named</command> on startup. The
+ <filename>rndc.key</filename> file defines a default
+ command channel and authentication key allowing
+ <command>rndc</command> to communicate with
+ <command>named</command> on the local host
+ with no further configuration.
+ </para>
+ <para>
+ Running <command>rndc-confgen -a</command> allows
+ BIND 9 and <command>rndc</command> to be used as drop-in
+ replacements for BIND 8 and <command>ndc</command>,
+ with no changes to the existing BIND 8
+ <filename>named.conf</filename> file.
+ </para>
+ <para>
+ If a more elaborate configuration than that
+ generated by <command>rndc-confgen -a</command>
+ is required, for example if rndc is to be used remotely,
+ you should run <command>rndc-confgen</command> without the
+ <command>-a</command> option and set up a
+ <filename>rndc.conf</filename> and
+ <filename>named.conf</filename>
+ as directed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the size of the authentication key in bits.
+ Must be between 1 and 512 bits; the default is 128.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">keyfile</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to specify
+ an alternate location for <filename>rndc.key</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>rndc-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the rndc authentication key.
+ This must be a valid domain name.
+ The default is <constant>rndc-key</constant>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the command channel port where <command>named</command>
+ listens for connections from <command>rndc</command>.
+ The default is 953.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">address</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the IP address where <command>named</command>
+ listens for command channel connections from
+ <command>rndc</command>. The default is the loopback
+ address 127.0.0.1.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to specify
+ a directory where <command>named</command> will run
+ chrooted. An additional copy of the <filename>rndc.key</filename>
+ will be written relative to this directory so that
+ it will be found by the chrooted <command>named</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u <replaceable class="parameter">user</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to set the owner
+ of the <filename>rndc.key</filename> file generated. If
+ <command>-t</command> is also specified only the file in
+ the chroot area has its owner changed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ To allow <command>rndc</command> to be used with
+ no manual configuration, run
+ </para>
+ <para>
+ <userinput>rndc-confgen -a</userinput>
+ </para>
+ <para>
+ To print a sample <filename>rndc.conf</filename> file and
+ corresponding <command>controls</command> and <command>key</command>
+ statements to be manually inserted into <filename>named.conf</filename>,
+ run
+ </para>
+ <para>
+ <userinput>rndc-confgen</userinput>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rndc</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/contrib/bind9/bin/rndc/rndc-confgen.html b/contrib/bind9/bin/rndc/rndc-confgen.html
new file mode 100644
index 0000000..7292be2
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc-confgen.html
@@ -0,0 +1,538 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001-2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc-confgen.html,v 1.3.2.5.2.4 2004/08/22 23:39:00 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>rndc-confgen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>rndc-confgen</SPAN
+>&nbsp;--&nbsp;rndc key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc-confgen</B
+> [<VAR
+CLASS="OPTION"
+>-a</VAR
+>] [<VAR
+CLASS="OPTION"
+>-b <VAR
+CLASS="REPLACEABLE"
+>keysize</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>keyfile</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-h</VAR
+>] [<VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>keyname</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomfile</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s <VAR
+CLASS="REPLACEABLE"
+>address</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-t <VAR
+CLASS="REPLACEABLE"
+>chrootdir</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></VAR
+>]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN44"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> generates configuration files
+ for <B
+CLASS="COMMAND"
+>rndc</B
+>. It can be used as a
+ convenient alternative to writing the
+ <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+ and the corresponding <B
+CLASS="COMMAND"
+>controls</B
+>
+ and <B
+CLASS="COMMAND"
+>key</B
+>
+ statements in <TT
+CLASS="FILENAME"
+>named.conf</TT
+> by hand.
+ Alternatively, it can be run with the <B
+CLASS="COMMAND"
+>-a</B
+>
+ option to set up a <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file and
+ avoid the need for a <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file
+ and a <B
+CLASS="COMMAND"
+>controls</B
+> statement altogether.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Do automatic <B
+CLASS="COMMAND"
+>rndc</B
+> configuration.
+ This creates a file <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
+ in <TT
+CLASS="FILENAME"
+>/etc</TT
+> (or whatever
+ <VAR
+CLASS="VARNAME"
+>sysconfdir</VAR
+>
+ was specified as when <ACRONYM
+CLASS="ACRONYM"
+>BIND</ACRONYM
+> was built)
+ that is read by both <B
+CLASS="COMMAND"
+>rndc</B
+>
+ and <B
+CLASS="COMMAND"
+>named</B
+> on startup. The
+ <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file defines a default
+ command channel and authentication key allowing
+ <B
+CLASS="COMMAND"
+>rndc</B
+> to communicate with
+ <B
+CLASS="COMMAND"
+>named</B
+> on the local host
+ with no further configuration.
+ </P
+><P
+> Running <B
+CLASS="COMMAND"
+>rndc-confgen -a</B
+> allows
+ BIND 9 and <B
+CLASS="COMMAND"
+>rndc</B
+> to be used as drop-in
+ replacements for BIND 8 and <B
+CLASS="COMMAND"
+>ndc</B
+>,
+ with no changes to the existing BIND 8
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+ </P
+><P
+> If a more elaborate configuration than that
+ generated by <B
+CLASS="COMMAND"
+>rndc-confgen -a</B
+>
+ is required, for example if rndc is to be used remotely,
+ you should run <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> without the
+ <B
+CLASS="COMMAND"
+>-a</B
+> option and set up a
+ <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> and
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+>
+ as directed.
+ </P
+></DD
+><DT
+>-b <VAR
+CLASS="REPLACEABLE"
+>keysize</VAR
+></DT
+><DD
+><P
+> Specifies the size of the authentication key in bits.
+ Must be between 1 and 512 bits; the default is 128.
+ </P
+></DD
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>keyfile</VAR
+></DT
+><DD
+><P
+> Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+ an alternate location for <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>rndc-confgen</B
+>.
+ </P
+></DD
+><DT
+>-k <VAR
+CLASS="REPLACEABLE"
+>keyname</VAR
+></DT
+><DD
+><P
+> Specifies the key name of the rndc authentication key.
+ This must be a valid domain name.
+ The default is <CODE
+CLASS="CONSTANT"
+>rndc-key</CODE
+>.
+ </P
+></DD
+><DT
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></DT
+><DD
+><P
+> Specifies the command channel port where <B
+CLASS="COMMAND"
+>named</B
+>
+ listens for connections from <B
+CLASS="COMMAND"
+>rndc</B
+>.
+ The default is 953.
+ </P
+></DD
+><DT
+>-r <VAR
+CLASS="REPLACEABLE"
+>randomfile</VAR
+></DT
+><DD
+><P
+> Specifies a source of random data for generating the
+ authorization. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-s <VAR
+CLASS="REPLACEABLE"
+>address</VAR
+></DT
+><DD
+><P
+> Specifies the IP address where <B
+CLASS="COMMAND"
+>named</B
+>
+ listens for command channel connections from
+ <B
+CLASS="COMMAND"
+>rndc</B
+>. The default is the loopback
+ address 127.0.0.1.
+ </P
+></DD
+><DT
+>-t <VAR
+CLASS="REPLACEABLE"
+>chrootdir</VAR
+></DT
+><DD
+><P
+> Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to specify
+ a directory where <B
+CLASS="COMMAND"
+>named</B
+> will run
+ chrooted. An additional copy of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+>
+ will be written relative to this directory so that
+ it will be found by the chrooted <B
+CLASS="COMMAND"
+>named</B
+>.
+ </P
+></DD
+><DT
+>-u <VAR
+CLASS="REPLACEABLE"
+>user</VAR
+></DT
+><DD
+><P
+> Used with the <B
+CLASS="COMMAND"
+>-a</B
+> option to set the owner
+ of the <TT
+CLASS="FILENAME"
+>rndc.key</TT
+> file generated. If
+ <B
+CLASS="COMMAND"
+>-t</B
+> is also specified only the file in
+ the chroot area has its owner changed.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN147"
+></A
+><H2
+>EXAMPLES</H2
+><P
+> To allow <B
+CLASS="COMMAND"
+>rndc</B
+> to be used with
+ no manual configuration, run
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>rndc-confgen -a</KBD
+>
+ </P
+><P
+> To print a sample <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file and
+ corresponding <B
+CLASS="COMMAND"
+>controls</B
+> and <B
+CLASS="COMMAND"
+>key</B
+>
+ statements to be manually inserted into <TT
+CLASS="FILENAME"
+>named.conf</TT
+>,
+ run
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>rndc-confgen</KBD
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN160"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc.conf</SPAN
+>(5)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN173"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/rndc/rndc.8 b/contrib/bind9/bin/rndc/rndc.8
new file mode 100644
index 0000000..356883b
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.8
@@ -0,0 +1,118 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: rndc.8,v 1.24.206.2 2004/06/03 05:35:49 marka Exp $
+.\"
+.TH "RNDC" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+rndc \- name server control utility
+.SH SYNOPSIS
+.sp
+\fBrndc\fR [ \fB-c \fIconfig-file\fB\fR ] [ \fB-k \fIkey-file\fB\fR ] [ \fB-s \fIserver\fB\fR ] [ \fB-p \fIport\fB\fR ] [ \fB-V\fR ] [ \fB-y \fIkey_id\fB\fR ] \fBcommand\fR
+.SH "DESCRIPTION"
+.PP
+\fBrndc\fR controls the operation of a name
+server. It supersedes the \fBndc\fR utility
+that was provided in old BIND releases. If
+\fBrndc\fR is invoked with no command line
+options or arguments, it prints a short summary of the
+supported commands and the available options and their
+arguments.
+.PP
+\fBrndc\fR communicates with the name server
+over a TCP connection, sending commands authenticated with
+digital signatures. In the current versions of
+\fBrndc\fR and \fBnamed\fR named
+the only supported authentication algorithm is HMAC-MD5,
+which uses a shared secret on each end of the connection.
+This provides TSIG-style authentication for the command
+request and the name server's response. All commands sent
+over the channel must be signed by a key_id known to the
+server.
+.PP
+\fBrndc\fR reads a configuration file to
+determine how to contact the name server and decide what
+algorithm and key it should use.
+.SH "OPTIONS"
+.TP
+\fB-c \fIconfig-file\fB\fR
+Use \fIconfig-file\fR
+as the configuration file instead of the default,
+\fI/etc/rndc.conf\fR.
+.TP
+\fB-k \fIkey-file\fB\fR
+Use \fIkey-file\fR
+as the key file instead of the default,
+\fI/etc/rndc.key\fR. The key in
+\fI/etc/rndc.key\fR will be used to authenticate
+commands sent to the server if the \fIconfig-file\fR
+does not exist.
+.TP
+\fB-s \fIserver\fB\fR
+\fIserver\fR is
+the name or address of the server which matches a
+server statement in the configuration file for
+\fBrndc\fR. If no server is supplied on the
+command line, the host named by the default-server clause
+in the option statement of the configuration file will be
+used.
+.TP
+\fB-p \fIport\fB\fR
+Send commands to TCP port
+\fIport\fR instead
+of BIND 9's default control channel port, 953.
+.TP
+\fB-V\fR
+Enable verbose logging.
+.TP
+\fB-y \fIkeyid\fB\fR
+Use the key \fIkeyid\fR
+from the configuration file.
+\fIkeyid\fR must be
+known by named with the same algorithm and secret string
+in order for control message validation to succeed.
+If no \fIkeyid\fR
+is specified, \fBrndc\fR will first look
+for a key clause in the server statement of the server
+being used, or if no server statement is present for that
+host, then the default-key clause of the options statement.
+Note that the configuration file contains shared secrets
+which are used to send authenticated control commands
+to name servers. It should therefore not have general read
+or write access.
+.PP
+For the complete set of commands supported by \fBrndc\fR,
+see the BIND 9 Administrator Reference Manual or run
+\fBrndc\fR without arguments to see its help message.
+.PP
+.SH "LIMITATIONS"
+.PP
+\fBrndc\fR does not yet support all the commands of
+the BIND 8 \fBndc\fR utility.
+.PP
+There is currently no way to provide the shared secret for a
+\fBkey_id\fR without using the configuration file.
+.PP
+Several error messages could be clearer.
+.SH "SEE ALSO"
+.PP
+\fBrndc.conf\fR(5),
+\fBnamed\fR(8),
+\fBnamed.conf\fR(5)
+\fBndc\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc.c b/contrib/bind9/bin/rndc/rndc.c
new file mode 100644
index 0000000..9ea07ac
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.c
@@ -0,0 +1,687 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.c,v 1.77.2.5.2.12 2004/03/08 04:04:23 marka Exp $ */
+
+/*
+ * Principal Author: DCL
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <isccfg/namedconf.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/types.h>
+#include <isccc/util.h>
+
+#include <bind9/getaddresses.h>
+
+#include "util.h"
+
+#define SERVERADDRS 10
+
+char *progname;
+isc_boolean_t verbose;
+
+static const char *admin_conffile;
+static const char *admin_keyfile;
+static const char *version = VERSION;
+static const char *servername = NULL;
+static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static int nserveraddrs;
+static int currentaddr = 0;
+static unsigned int remoteport = 0;
+static isc_socketmgr_t *socketmgr = NULL;
+static unsigned char databuf[2048];
+static isccc_ccmsg_t ccmsg;
+static isccc_region_t secret;
+static isc_boolean_t failed = ISC_FALSE;
+static isc_mem_t *mctx;
+static int sends, recvs, connects;
+static char *command;
+static char *args;
+static char program[256];
+static isc_socket_t *sock = NULL;
+static isc_uint32_t serial;
+
+static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
+
+static void
+usage(int status) {
+ fprintf(stderr, "\
+Usage: %s [-c config] [-s server] [-p port]\n\
+ [-k key-file ] [-y key] [-V] command\n\
+\n\
+command is one of the following:\n\
+\n\
+ reload Reload configuration file and zones.\n\
+ reload zone [class [view]]\n\
+ Reload a single zone.\n\
+ refresh zone [class [view]]\n\
+ Schedule immediate maintenance for a zone.\n\
+ retransfer zone [class [view]]\n\
+ Retransfer a single zone without checking serial number.\n\
+ freeze zone [class [view]]\n\
+ Suspend updates to a dynamic zone.\n\
+ unfreeze zone [class [view]]\n\
+ Enable updates to a frozen dynamic zone and reload it.\n\
+ reconfig Reload configuration file and new zones only.\n\
+ stats Write server statistics to the statistics file.\n\
+ querylog Toggle query logging.\n\
+ dumpdb Dump cache(s) to the dump file (named_dump.db).\n\
+ stop Save pending updates to master files and stop the server.\n\
+ stop -p Save pending updates to master files and stop the server\n\
+ reporting process id.\n\
+ halt Stop the server without saving pending updates.\n\
+ halt -p Stop the server without saving pending updates reporting\n\
+ process id.\n\
+ trace Increment debugging level by one.\n\
+ trace level Change the debugging level.\n\
+ notrace Set debugging level to 0.\n\
+ flush Flushes all of the server's caches.\n\
+ flush [view] Flushes the server's cache for a view.\n\
+ flushname name [view]\n\
+ Flush the given name from the server's cache(s)\n\
+ status Display status of the server.\n\
+ recursing Dump the queries that are currently recursing (named.recursing)\n\
+ *restart Restart the server.\n\
+\n\
+* == not yet implemented\n\
+Version: %s\n",
+ progname, version);
+
+ exit(status);
+}
+
+static void
+get_addresses(const char *host, in_port_t port) {
+ isc_result_t result;
+
+ isc_app_block();
+ result = bind9_getaddresses(servername, port,
+ serveraddrs, SERVERADDRS, &nserveraddrs);
+ isc_app_unblock();
+ if (result != ISC_R_SUCCESS)
+ fatal("couldn't get address for '%s': %s",
+ host, isc_result_totext(result));
+ INSIST(nserveraddrs > 0);
+}
+
+static void
+rndc_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+
+ UNUSED(task);
+
+ sends--;
+ if (sevent->result != ISC_R_SUCCESS)
+ fatal("send failed: %s", isc_result_totext(sevent->result));
+ isc_event_free(&event);
+}
+
+static void
+rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+ isccc_sexpr_t *response = NULL;
+ isccc_sexpr_t *data;
+ isccc_region_t source;
+ char *errormsg = NULL;
+ char *textmsg = NULL;
+ isc_result_t result;
+
+ recvs--;
+
+ if (ccmsg.result == ISC_R_EOF)
+ fatal("connection to remote host closed\n"
+ "This may indicate that the remote server is using "
+ "an older version of \n"
+ "the command protocol, this host is not authorized "
+ "to connect,\nor the key is invalid.");
+
+ if (ccmsg.result != ISC_R_SUCCESS)
+ fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+ source.rstart = isc_buffer_base(&ccmsg.buffer);
+ source.rend = isc_buffer_used(&ccmsg.buffer);
+
+ DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+
+ data = isccc_alist_lookup(response, "_data");
+ if (data == NULL)
+ fatal("no data section in response");
+ result = isccc_cc_lookupstring(data, "err", &errormsg);
+ if (result == ISC_R_SUCCESS) {
+ failed = ISC_TRUE;
+ fprintf(stderr, "%s: '%s' failed: %s\n",
+ progname, command, errormsg);
+ }
+ else if (result != ISC_R_NOTFOUND)
+ fprintf(stderr, "%s: parsing response failed: %s\n",
+ progname, isc_result_totext(result));
+
+ result = isccc_cc_lookupstring(data, "text", &textmsg);
+ if (result == ISC_R_SUCCESS)
+ printf("%s\n", textmsg);
+ else if (result != ISC_R_NOTFOUND)
+ fprintf(stderr, "%s: parsing response failed: %s\n",
+ progname, isc_result_totext(result));
+
+ isc_event_free(&event);
+ isccc_sexpr_free(&response);
+ isc_socket_detach(&sock);
+ isc_task_shutdown(task);
+ RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+}
+
+static void
+rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+ isccc_sexpr_t *response = NULL;
+ isccc_sexpr_t *_ctrl;
+ isccc_region_t source;
+ isc_result_t result;
+ isc_uint32_t nonce;
+ isccc_sexpr_t *request = NULL;
+ isccc_time_t now;
+ isc_region_t r;
+ isccc_sexpr_t *data;
+ isccc_region_t message;
+ isc_uint32_t len;
+ isc_buffer_t b;
+
+ recvs--;
+
+ if (ccmsg.result == ISC_R_EOF)
+ fatal("connection to remote host closed\n"
+ "This may indicate that the remote server is using "
+ "an older version of \n"
+ "the command protocol, this host is not authorized "
+ "to connect,\nor the key is invalid.");
+
+ if (ccmsg.result != ISC_R_SUCCESS)
+ fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+ source.rstart = isc_buffer_base(&ccmsg.buffer);
+ source.rend = isc_buffer_used(&ccmsg.buffer);
+
+ DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
+
+ _ctrl = isccc_alist_lookup(response, "_ctrl");
+ if (_ctrl == NULL)
+ fatal("_ctrl section missing");
+ nonce = 0;
+ if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+ nonce = 0;
+
+ isc_stdtime_get(&now);
+
+ DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+ now, now + 60, &request));
+ data = isccc_alist_lookup(request, "_data");
+ if (data == NULL)
+ fatal("_data section missing");
+ if (isccc_cc_definestring(data, "type", args) == NULL)
+ fatal("out of memory");
+ if (nonce != 0) {
+ _ctrl = isccc_alist_lookup(request, "_ctrl");
+ if (_ctrl == NULL)
+ fatal("_ctrl section missing");
+ if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL)
+ fatal("out of memory");
+ }
+ message.rstart = databuf + 4;
+ message.rend = databuf + sizeof(databuf);
+ DO("render message", isccc_cc_towire(request, &message, &secret));
+ len = sizeof(databuf) - REGION_SIZE(message);
+ isc_buffer_init(&b, databuf, 4);
+ isc_buffer_putuint32(&b, len - 4);
+ r.length = len;
+ r.base = databuf;
+
+ isccc_ccmsg_cancelread(&ccmsg);
+ DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+ rndc_recvdone, NULL));
+ recvs++;
+ DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+ NULL));
+ sends++;
+
+ isc_event_free(&event);
+ isccc_sexpr_free(&response);
+ return;
+}
+
+static void
+rndc_connected(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ isccc_sexpr_t *request = NULL;
+ isccc_sexpr_t *data;
+ isccc_time_t now;
+ isccc_region_t message;
+ isc_region_t r;
+ isc_uint32_t len;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ connects--;
+
+ if (sevent->result != ISC_R_SUCCESS) {
+ if (sevent->result != ISC_R_CANCELED &&
+ currentaddr < nserveraddrs)
+ {
+ notify("connection failed: %s",
+ isc_result_totext(sevent->result));
+ isc_socket_detach(&sock);
+ isc_event_free(&event);
+ rndc_startconnect(&serveraddrs[currentaddr++], task);
+ return;
+ } else
+ fatal("connect failed: %s",
+ isc_result_totext(sevent->result));
+ }
+
+ isc_stdtime_get(&now);
+ DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+ now, now + 60, &request));
+ data = isccc_alist_lookup(request, "_data");
+ if (data == NULL)
+ fatal("_data section missing");
+ if (isccc_cc_definestring(data, "type", "null") == NULL)
+ fatal("out of memory");
+ message.rstart = databuf + 4;
+ message.rend = databuf + sizeof(databuf);
+ DO("render message", isccc_cc_towire(request, &message, &secret));
+ len = sizeof(databuf) - REGION_SIZE(message);
+ isc_buffer_init(&b, databuf, 4);
+ isc_buffer_putuint32(&b, len - 4);
+ r.length = len;
+ r.base = databuf;
+
+ isccc_ccmsg_init(mctx, sock, &ccmsg);
+ isccc_ccmsg_setmaxsize(&ccmsg, 1024);
+
+ DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+ rndc_recvnonce, NULL));
+ recvs++;
+ DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+ NULL));
+ sends++;
+ isc_event_free(&event);
+}
+
+static void
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
+ isc_result_t result;
+
+ char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+ isc_sockaddr_format(addr, socktext, sizeof(socktext));
+
+ notify("using server %s (%s)", servername, socktext);
+
+ DO("create socket", isc_socket_create(socketmgr,
+ isc_sockaddr_pf(addr),
+ isc_sockettype_tcp, &sock));
+ DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
+ NULL));
+ connects++;
+}
+
+static void
+rndc_start(isc_task_t *task, isc_event_t *event) {
+ isc_event_free(&event);
+
+ get_addresses(servername, (in_port_t) remoteport);
+
+ currentaddr = 0;
+ rndc_startconnect(&serveraddrs[currentaddr++], task);
+}
+
+static void
+parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+ cfg_parser_t **pctxp, cfg_obj_t **configp)
+{
+ isc_result_t result;
+ const char *conffile = admin_conffile;
+ cfg_obj_t *defkey = NULL;
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *servers = NULL;
+ cfg_obj_t *server = NULL;
+ cfg_obj_t *keys = NULL;
+ cfg_obj_t *key = NULL;
+ cfg_obj_t *defport = NULL;
+ cfg_obj_t *secretobj = NULL;
+ cfg_obj_t *algorithmobj = NULL;
+ cfg_obj_t *config = NULL;
+ cfg_listelt_t *elt;
+ const char *secretstr;
+ const char *algorithm;
+ static char secretarray[1024];
+ const cfg_type_t *conftype = &cfg_type_rndcconf;
+ isc_boolean_t key_only = ISC_FALSE;
+
+ if (! isc_file_exists(conffile)) {
+ conffile = admin_keyfile;
+ conftype = &cfg_type_rndckey;
+
+ if (! isc_file_exists(conffile))
+ fatal("neither %s nor %s was found",
+ admin_conffile, admin_keyfile);
+ key_only = ISC_TRUE;
+ }
+
+ DO("create parser", cfg_parser_create(mctx, log, pctxp));
+
+ /*
+ * The parser will output its own errors, so DO() is not used.
+ */
+ result = cfg_parse_file(*pctxp, conffile, conftype, &config);
+ if (result != ISC_R_SUCCESS)
+ fatal("could not load rndc configuration");
+
+ if (!key_only)
+ (void)cfg_map_get(config, "options", &options);
+
+ if (key_only && servername == NULL)
+ servername = "127.0.0.1";
+ else if (servername == NULL && options != NULL) {
+ cfg_obj_t *defserverobj = NULL;
+ (void)cfg_map_get(options, "default-server", &defserverobj);
+ if (defserverobj != NULL)
+ servername = cfg_obj_asstring(defserverobj);
+ }
+
+ if (servername == NULL)
+ fatal("no server specified and no default");
+
+ if (!key_only) {
+ (void)cfg_map_get(config, "server", &servers);
+ if (servers != NULL) {
+ for (elt = cfg_list_first(servers);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ {
+ const char *name;
+ server = cfg_listelt_value(elt);
+ name = cfg_obj_asstring(cfg_map_getname(server));
+ if (strcasecmp(name, servername) == 0)
+ break;
+ server = NULL;
+ }
+ }
+ }
+
+ /*
+ * Look for the name of the key to use.
+ */
+ if (keyname != NULL)
+ ; /* Was set on command line, do nothing. */
+ else if (server != NULL) {
+ DO("get key for server", cfg_map_get(server, "key", &defkey));
+ keyname = cfg_obj_asstring(defkey);
+ } else if (options != NULL) {
+ DO("get default key", cfg_map_get(options, "default-key",
+ &defkey));
+ keyname = cfg_obj_asstring(defkey);
+ } else if (!key_only)
+ fatal("no key for server and no default");
+
+ /*
+ * Get the key's definition.
+ */
+ if (key_only)
+ DO("get key", cfg_map_get(config, "key", &key));
+ else {
+ DO("get config key list", cfg_map_get(config, "key", &keys));
+ for (elt = cfg_list_first(keys);
+ elt != NULL;
+ elt = cfg_list_next(elt))
+ {
+ key = cfg_listelt_value(elt);
+ if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
+ keyname) == 0)
+ break;
+ }
+ if (elt == NULL)
+ fatal("no key definition for name %s", keyname);
+ }
+ (void)cfg_map_get(key, "secret", &secretobj);
+ (void)cfg_map_get(key, "algorithm", &algorithmobj);
+ if (secretobj == NULL || algorithmobj == NULL)
+ fatal("key must have algorithm and secret");
+
+ secretstr = cfg_obj_asstring(secretobj);
+ algorithm = cfg_obj_asstring(algorithmobj);
+
+ if (strcasecmp(algorithm, "hmac-md5") != 0)
+ fatal("unsupported algorithm: %s", algorithm);
+
+ secret.rstart = (unsigned char *)secretarray;
+ secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
+ DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
+ secret.rend = secret.rstart;
+ secret.rstart = (unsigned char *)secretarray;
+
+ /*
+ * Find the port to connect to.
+ */
+ if (remoteport != 0)
+ ; /* Was set on command line, do nothing. */
+ else {
+ if (server != NULL)
+ (void)cfg_map_get(server, "port", &defport);
+ if (defport == NULL && options != NULL)
+ (void)cfg_map_get(options, "default-port", &defport);
+ }
+ if (defport != NULL) {
+ remoteport = cfg_obj_asuint32(defport);
+ if (remoteport > 65535 || remoteport == 0)
+ fatal("port %d out of range", remoteport);
+ } else if (remoteport == 0)
+ remoteport = NS_CONTROL_PORT;
+
+ *configp = config;
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_taskmgr_t *taskmgr = NULL;
+ isc_task_t *task = NULL;
+ isc_log_t *log = NULL;
+ isc_logconfig_t *logconfig = NULL;
+ isc_logdestination_t logdest;
+ cfg_parser_t *pctx = NULL;
+ cfg_obj_t *config = NULL;
+ const char *keyname = NULL;
+ char *p;
+ size_t argslen;
+ int ch;
+ int i;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "rndc", 5);
+ progname = program;
+
+ admin_conffile = RNDC_CONFFILE;
+ admin_keyfile = RNDC_KEYFILE;
+
+ result = isc_app_start();
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_app_start() failed: %s", isc_result_totext(result));
+
+ while ((ch = isc_commandline_parse(argc, argv, "c:k:Mmp:s:Vy:"))
+ != -1) {
+ switch (ch) {
+ case 'c':
+ admin_conffile = isc_commandline_argument;
+ break;
+
+ case 'k':
+ admin_keyfile = isc_commandline_argument;
+ break;
+
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+
+ case 'p':
+ remoteport = atoi(isc_commandline_argument);
+ if (remoteport > 65535 || remoteport == 0)
+ fatal("port '%s' out of range",
+ isc_commandline_argument);
+ break;
+
+ case 's':
+ servername = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+ case '?':
+ usage(0);
+ break;
+ default:
+ fatal("unexpected error parsing command arguments: "
+ "got %c\n", ch);
+ break;
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc < 1)
+ usage(1);
+
+ isc_random_get(&serial);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+ DO("create socket manager", isc_socketmgr_create(mctx, &socketmgr));
+ DO("create task manager", isc_taskmgr_create(mctx, 1, 0, &taskmgr));
+ DO("create task", isc_task_create(taskmgr, 0, &task));
+
+ DO("create logging context", isc_log_create(mctx, &log, &logconfig));
+ isc_log_setcontext(log);
+ DO("setting log tag", isc_log_settag(logconfig, progname));
+ logdest.file.stream = stderr;
+ logdest.file.name = NULL;
+ logdest.file.versions = ISC_LOG_ROLLNEVER;
+ logdest.file.maximum_size = 0;
+ DO("creating log channel",
+ isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest,
+ ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL));
+ DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL));
+
+ parse_config(mctx, log, keyname, &pctx, &config);
+
+ isccc_result_register();
+
+ command = *argv;
+
+ /*
+ * Convert argc/argv into a space-delimited command string
+ * similar to what the user might enter in interactive mode
+ * (if that were implemented).
+ */
+ argslen = 0;
+ for (i = 0; i < argc; i++)
+ argslen += strlen(argv[i]) + 1;
+
+ args = isc_mem_get(mctx, argslen);
+ if (args == NULL)
+ DO("isc_mem_get", ISC_R_NOMEMORY);
+
+ p = args;
+ for (i = 0; i < argc; i++) {
+ size_t len = strlen(argv[i]);
+ memcpy(p, argv[i], len);
+ p += len;
+ *p++ = ' ';
+ }
+
+ p--;
+ *p++ = '\0';
+ INSIST(p == args + argslen);
+
+ notify("%s", command);
+
+ if (strcmp(command, "restart") == 0)
+ fatal("'%s' is not implemented", command);
+
+ DO("post event", isc_app_onrun(mctx, task, rndc_start, NULL));
+
+ result = isc_app_run();
+ if (result != ISC_R_SUCCESS)
+ fatal("isc_app_run() failed: %s", isc_result_totext(result));
+
+ if (connects > 0 || sends > 0 || recvs > 0)
+ isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+
+ isc_task_detach(&task);
+ isc_taskmgr_destroy(&taskmgr);
+ isc_socketmgr_destroy(&socketmgr);
+ isc_log_destroy(&log);
+ isc_log_setcontext(NULL);
+
+ cfg_obj_destroy(pctx, &config);
+ cfg_parser_destroy(&pctx);
+
+ isc_mem_put(mctx, args, argslen);
+ isccc_ccmsg_invalidate(&ccmsg);
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ if (failed)
+ return (1);
+
+ return (0);
+}
diff --git a/contrib/bind9/bin/rndc/rndc.conf b/contrib/bind9/bin/rndc/rndc.conf
new file mode 100644
index 0000000..1dc5607
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc.conf,v 1.7.206.1 2004/03/06 10:21:32 marka Exp $ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+ default-server localhost;
+ default-key "key";
+};
+
+server localhost {
+ key "key";
+};
+
+key "key" {
+ algorithm hmac-md5;
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
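Review bot: The `secret` in the `key "key"` statement is a fixed, published value rather than random key material: it is the base-64 encoding of an English phrase, and the same string is reused as the example in rndc.conf.5. Any installation that copies this sample unchanged, with the matching key in named.conf, authenticates its control channel with a key known to everyone who has the source. The only marking in the file is "Sample rndc configuration file."; I would add a comment directly above the key statement, such as `/* Example secret only: generate a real key with rndc-confgen before use. */`. Whether the build installs this file is not visible in this hunk, so it is worth confirming it is never installed as a live default.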
diff --git a/contrib/bind9/bin/rndc/rndc.conf.5 b/contrib/bind9/bin/rndc/rndc.conf.5
new file mode 100644
index 0000000..5b61cfb
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.conf.5
@@ -0,0 +1,142 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: rndc.conf.5,v 1.21.206.2 2004/06/03 05:35:50 marka Exp $
+.\"
+.TH "RNDC.CONF" "5" "June 30, 2000" "BIND9" ""
+.SH NAME
+rndc.conf \- rndc configuration file
+.SH SYNOPSIS
+.sp
+\fBrndc.conf\fR
+.SH "DESCRIPTION"
+.PP
+\fIrndc.conf\fR is the configuration file
+for \fBrndc\fR, the BIND 9 name server control
+utility. This file has a similar structure and syntax to
+\fInamed.conf\fR. Statements are enclosed
+in braces and terminated with a semi-colon. Clauses in
+the statements are also semi-colon terminated. The usual
+comment styles are supported:
+.PP
+C style: /* */
+.PP
+C++ style: // to end of line
+.PP
+Unix style: # to end of line
+.PP
+\fIrndc.conf\fR is much simpler than
+\fInamed.conf\fR. The file uses three
+statements: an options statement, a server statement
+and a key statement.
+.PP
+The \fBoptions\fR statement contains three clauses.
+The \fBdefault-server\fR clause is followed by the
+name or address of a name server. This host will be used when
+no name server is given as an argument to
+\fBrndc\fR. The \fBdefault-key\fR
+clause is followed by the name of a key which is identified by
+a \fBkey\fR statement. If no
+\fBkeyid\fR is provided on the rndc command line,
+and no \fBkey\fR clause is found in a matching
+\fBserver\fR statement, this default key will be
+used to authenticate the server's commands and responses. The
+\fBdefault-port\fR clause is followed by the port
+to connect to on the remote name server. If no
+\fBport\fR option is provided on the rndc command
+line, and no \fBport\fR clause is found in a
+matching \fBserver\fR statement, this default port
+will be used to connect.
+.PP
+After the \fBserver\fR keyword, the server statement
+includes a string which is the hostname or address for a name
+server. The statement has two possible clauses:
+\fBkey\fR and \fBport\fR. The key name must
+match the name of a key statement in the file. The port number
+specifies the port to connect to.
+.PP
+The \fBkey\fR statement begins with an identifying
+string, the name of the key. The statement has two clauses.
+\fBalgorithm\fR identifies the encryption algorithm
+for \fBrndc\fR to use; currently only HMAC-MD5 is
+supported. This is followed by a secret clause which contains
+the base-64 encoding of the algorithm's encryption key. The
+base-64 string is enclosed in double quotes.
+.PP
+There are two common ways to generate the base-64 string for the
+secret. The BIND 9 program \fBrndc-confgen\fR can
+be used to generate a random key, or the
+\fBmmencode\fR program, also known as
+\fBmimencode\fR, can be used to generate a base-64
+string from known input. \fBmmencode\fR does not
+ship with BIND 9 but is available on many systems. See the
+EXAMPLE section for sample command lines for each.
+.SH "EXAMPLE"
+.sp
+.nf
+ options {
+ default-server localhost;
+ default-key samplekey;
+ };
+
+ server localhost {
+ key samplekey;
+ };
+
+ key samplekey {
+ algorithm hmac-md5;
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+
+.sp
+.fi
+.PP
+In the above example, \fBrndc\fR will by default use
+the server at localhost (127.0.0.1) and the key called samplekey.
+Commands to the localhost server will use the samplekey key, which
+must also be defined in the server's configuration file with the
+same name and secret. The key statement indicates that samplekey
+uses the HMAC-MD5 algorithm and its secret clause contains the
+base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+.PP
+To generate a random secret with \fBrndc-confgen\fR:
+.PP
+\fBrndc-confgen\fR
+.PP
+A complete \fIrndc.conf\fR file, including the
+randomly generated key, will be written to the standard
+output. Commented out \fBkey\fR and
+\fBcontrols\fR statements for
+\fInamed.conf\fR are also printed.
+.PP
+To generate a base-64 secret with \fBmmencode\fR:
+.PP
+\fBecho "known plaintext for a secret" | mmencode\fR
+.SH "NAME SERVER CONFIGURATION"
+.PP
+The name server must be configured to accept rndc connections and
+to recognize the key specified in the \fIrndc.conf\fR
+file, using the controls statement in \fInamed.conf\fR.
+See the sections on the \fBcontrols\fR statement in the
+BIND 9 Administrator Reference Manual for details.
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc-confgen\fR(8),
+\fBmmencode\fR(1),
+\fIBIND 9 Administrator Reference Manual\fR.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
diff --git a/contrib/bind9/bin/rndc/rndc.conf.docbook b/contrib/bind9/bin/rndc/rndc.conf.docbook
new file mode 100644
index 0000000..95f158b
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.conf.docbook
@@ -0,0 +1,210 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc.conf.docbook,v 1.4.206.2 2004/06/03 02:24:58 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><filename>rndc.conf</filename></refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><filename>rndc.conf</filename></refname>
+ <refpurpose>rndc configuration file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rndc.conf</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <filename>rndc.conf</filename> is the configuration file
+ for <command>rndc</command>, the BIND 9 name server control
+ utility. This file has a similar structure and syntax to
+ <filename>named.conf</filename>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </para>
+ <para>
+ C style: /* */
+ </para>
+ <para>
+ C++ style: // to end of line
+ </para>
+ <para>
+ Unix style: # to end of line
+ </para>
+ <para>
+ <filename>rndc.conf</filename> is much simpler than
+ <filename>named.conf</filename>. The file uses three
+ statements: an options statement, a server statement
+ and a key statement.
+ </para>
+ <para>
+ The <option>options</option> statement contains three clauses.
+ The <option>default-server</option> clause is followed by the
+ name or address of a name server. This host will be used when
+ no name server is given as an argument to
+ <command>rndc</command>. The <option>default-key</option>
+ clause is followed by the name of a key which is identified by
+ a <option>key</option> statement. If no
+ <option>keyid</option> is provided on the rndc command line,
+ and no <option>key</option> clause is found in a matching
+ <option>server</option> statement, this default key will be
+ used to authenticate the server's commands and responses. The
+ <option>default-port</option> clause is followed by the port
+ to connect to on the remote name server. If no
+ <option>port</option> option is provided on the rndc command
+ line, and no <option>port</option> clause is found in a
+ matching <option>server</option> statement, this default port
+ will be used to connect.
+ </para>
+ <para>
+ After the <option>server</option> keyword, the server statement
+ includes a string which is the hostname or address for a name
+ server. The statement has two possible clauses:
+ <option>key</option> and <option>port</option>. The key name must
+ match the name of a key statement in the file. The port number
+ specifies the port to connect to.
+ </para>
+ <para>
+ The <option>key</option> statement begins with an identifying
+ string, the name of the key. The statement has two clauses.
+ <option>algorithm</option> identifies the encryption algorithm
+ for <command>rndc</command> to use; currently only HMAC-MD5 is
+ supported. This is followed by a secret clause which contains
+ the base-64 encoding of the algorithm's encryption key. The
+ base-64 string is enclosed in double quotes.
+ </para>
+ <para>
+ There are two common ways to generate the base-64 string for the
+ secret. The BIND 9 program <command>rndc-confgen</command> can
+ be used to generate a random key, or the
+ <command>mmencode</command> program, also known as
+ <command>mimencode</command>, can be used to generate a base-64
+ string from known input. <command>mmencode</command> does not
+ ship with BIND 9 but is available on many systems. See the
+ EXAMPLE section for sample command lines for each.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+
+ <programlisting>
+ options {
+ default-server localhost;
+ default-key samplekey;
+ };
+
+ server localhost {
+ key samplekey;
+ };
+
+ key samplekey {
+ algorithm hmac-md5;
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+ </programlisting>
+
+ <para>
+ In the above example, <command>rndc</command> will by default use
+ the server at localhost (127.0.0.1) and the key called samplekey.
+ Commands to the localhost server will use the samplekey key, which
+ must also be defined in the server's configuration file with the
+ same name and secret. The key statement indicates that samplekey
+ uses the HMAC-MD5 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+ </para>
+ <para>
+ To generate a random secret with <command>rndc-confgen</command>:
+ </para>
+ <para>
+ <userinput>rndc-confgen</userinput>
+ </para>
+ <para>
+ A complete <filename>rndc.conf</filename> file, including the
+ randomly generated key, will be written to the standard
+ output. Commented out <option>key</option> and
+ <option>controls</option> statements for
+ <filename>named.conf</filename> are also printed.
+ </para>
+ <para>
+ To generate a base-64 secret with <command>mmencode</command>:
+ </para>
+ <para>
+ <userinput>echo "known plaintext for a secret" | mmencode</userinput>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>NAME SERVER CONFIGURATION</title>
+ <para>
+ The name server must be configured to accept rndc connections and
+ to recognize the key specified in the <filename>rndc.conf</filename>
+ file, using the controls statement in <filename>named.conf</filename>.
+ See the sections on the <option>controls</option> statement in the
+ BIND 9 Administrator Reference Manual for details.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rndc</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc-confgen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>mmencode</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
+
diff --git a/contrib/bind9/bin/rndc/rndc.conf.html b/contrib/bind9/bin/rndc/rndc.conf.html
new file mode 100644
index 0000000..ea087c8
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.conf.html
@@ -0,0 +1,377 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc.conf.html,v 1.5.2.1.4.3 2004/08/22 23:39:00 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>rndc.conf</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>&nbsp;--&nbsp;rndc configuration file</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc.conf</B
+> </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN16"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is the configuration file
+ for <B
+CLASS="COMMAND"
+>rndc</B
+>, the BIND 9 name server control
+ utility. This file has a similar structure and syntax to
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+>. Statements are enclosed
+ in braces and terminated with a semi-colon. Clauses in
+ the statements are also semi-colon terminated. The usual
+ comment styles are supported:
+ </P
+><P
+> C style: /* */
+ </P
+><P
+> C++ style: // to end of line
+ </P
+><P
+> Unix style: # to end of line
+ </P
+><P
+> <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> is much simpler than
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+>. The file uses three
+ statements: an options statement, a server statement
+ and a key statement.
+ </P
+><P
+> The <VAR
+CLASS="OPTION"
+>options</VAR
+> statement contains three clauses.
+ The <VAR
+CLASS="OPTION"
+>default-server</VAR
+> clause is followed by the
+ name or address of a name server. This host will be used when
+ no name server is given as an argument to
+ <B
+CLASS="COMMAND"
+>rndc</B
+>. The <VAR
+CLASS="OPTION"
+>default-key</VAR
+>
+ clause is followed by the name of a key which is identified by
+ a <VAR
+CLASS="OPTION"
+>key</VAR
+> statement. If no
+ <VAR
+CLASS="OPTION"
+>keyid</VAR
+> is provided on the rndc command line,
+ and no <VAR
+CLASS="OPTION"
+>key</VAR
+> clause is found in a matching
+ <VAR
+CLASS="OPTION"
+>server</VAR
+> statement, this default key will be
+ used to authenticate the server's commands and responses. The
+ <VAR
+CLASS="OPTION"
+>default-port</VAR
+> clause is followed by the port
+ to connect to on the remote name server. If no
+ <VAR
+CLASS="OPTION"
+>port</VAR
+> option is provided on the rndc command
+ line, and no <VAR
+CLASS="OPTION"
+>port</VAR
+> clause is found in a
+ matching <VAR
+CLASS="OPTION"
+>server</VAR
+> statement, this default port
+ will be used to connect.
+ </P
+><P
+> After the <VAR
+CLASS="OPTION"
+>server</VAR
+> keyword, the server statement
+ includes a string which is the hostname or address for a name
+ server. The statement has two possible clauses:
+ <VAR
+CLASS="OPTION"
+>key</VAR
+> and <VAR
+CLASS="OPTION"
+>port</VAR
+>. The key name must
+ match the name of a key statement in the file. The port number
+ specifies the port to connect to.
+ </P
+><P
+> The <VAR
+CLASS="OPTION"
+>key</VAR
+> statement begins with an identifying
+ string, the name of the key. The statement has two clauses.
+ <VAR
+CLASS="OPTION"
+>algorithm</VAR
+> identifies the encryption algorithm
+ for <B
+CLASS="COMMAND"
+>rndc</B
+> to use; currently only HMAC-MD5 is
+ supported. This is followed by a secret clause which contains
+ the base-64 encoding of the algorithm's encryption key. The
+ base-64 string is enclosed in double quotes.
+ </P
+><P
+> There are two common ways to generate the base-64 string for the
+ secret. The BIND 9 program <B
+CLASS="COMMAND"
+>rndc-confgen</B
+> can
+ be used to generate a random key, or the
+ <B
+CLASS="COMMAND"
+>mmencode</B
+> program, also known as
+ <B
+CLASS="COMMAND"
+>mimencode</B
+>, can be used to generate a base-64
+ string from known input. <B
+CLASS="COMMAND"
+>mmencode</B
+> does not
+ ship with BIND 9 but is available on many systems. See the
+ EXAMPLE section for sample command lines for each.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN54"
+></A
+><H2
+>EXAMPLE</H2
+><PRE
+CLASS="PROGRAMLISTING"
+> options {
+ default-server localhost;
+ default-key samplekey;
+ };
+
+ server localhost {
+ key samplekey;
+ };
+
+ key samplekey {
+ algorithm hmac-md5;
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+ };
+ </PRE
+><P
+> In the above example, <B
+CLASS="COMMAND"
+>rndc</B
+> will by default use
+ the server at localhost (127.0.0.1) and the key called samplekey.
+ Commands to the localhost server will use the samplekey key, which
+ must also be defined in the server's configuration file with the
+ same name and secret. The key statement indicates that samplekey
+ uses the HMAC-MD5 algorithm and its secret clause contains the
+ base-64 encoding of the HMAC-MD5 secret enclosed in double quotes.
+ </P
+><P
+> To generate a random secret with <B
+CLASS="COMMAND"
+>rndc-confgen</B
+>:
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>rndc-confgen</KBD
+>
+ </P
+><P
+> A complete <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+> file, including the
+ randomly generated key, will be written to the standard
+ output. Commented out <VAR
+CLASS="OPTION"
+>key</VAR
+> and
+ <VAR
+CLASS="OPTION"
+>controls</VAR
+> statements for
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+> are also printed.
+ </P
+><P
+> To generate a base-64 secret with <B
+CLASS="COMMAND"
+>mmencode</B
+>:
+ </P
+><P
+> <KBD
+CLASS="USERINPUT"
+>echo "known plaintext for a secret" | mmencode</KBD
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN72"
+></A
+><H2
+>NAME SERVER CONFIGURATION</H2
+><P
+> The name server must be configured to accept rndc connections and
+ to recognize the key specified in the <TT
+CLASS="FILENAME"
+>rndc.conf</TT
+>
+ file, using the controls statement in <TT
+CLASS="FILENAME"
+>named.conf</TT
+>.
+ See the sections on the <VAR
+CLASS="OPTION"
+>controls</VAR
+> statement in the
+ BIND 9 Administrator Reference Manual for details.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN78"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc-confgen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>mmencode</SPAN
+>(1)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN91"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/rndc/rndc.docbook b/contrib/bind9/bin/rndc/rndc.docbook
new file mode 100644
index 0000000..d4529cc
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.docbook
@@ -0,0 +1,228 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc.docbook,v 1.7.206.2 2004/06/03 02:24:58 marka Exp $ -->
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>rndc</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>rndc</application></refname>
+ <refpurpose>name server control utility</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rndc</command>
+ <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
+ <arg><option>-k <replaceable class="parameter">key-file</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">server</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-V</option></arg>
+ <arg><option>-y <replaceable class="parameter">key_id</replaceable></option></arg>
+ <arg choice="req">command</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>rndc</command> controls the operation of a name
+ server. It supersedes the <command>ndc</command> utility
+ that was provided in old BIND releases. If
+ <command>rndc</command> is invoked with no command line
+ options or arguments, it prints a short summary of the
+ supported commands and the available options and their
+ arguments.
+ </para>
+ <para>
+ <command>rndc</command> communicates with the name server
+ over a TCP connection, sending commands authenticated with
+ digital signatures. In the current versions of
+ <command>rndc</command> and <command>named</command> named
+ the only supported authentication algorithm is HMAC-MD5,
+ which uses a shared secret on each end of the connection.
+ This provides TSIG-style authentication for the command
+ request and the name server's response. All commands sent
+ over the channel must be signed by a key_id known to the
+ server.
+ </para>
+ <para>
+ <command>rndc</command> reads a configuration file to
+ determine how to contact the name server and decide what
+ algorithm and key it should use.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-c <replaceable class="parameter">config-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable class="parameter">config-file</replaceable>
+ as the configuration file instead of the default,
+ <filename>/etc/rndc.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">key-file</replaceable></term>
+ <listitem>
+ <para>
+ Use <replaceable class="parameter">key-file</replaceable>
+ as the key file instead of the default,
+ <filename>/etc/rndc.key</filename>. The key in
+ <filename>/etc/rndc.key</filename> will be used to authenticate
+ commands sent to the server if the <replaceable class="parameter">config-file</replaceable>
+ does not exist.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">server</replaceable></term>
+ <listitem>
+ <para>
+ <replaceable class="parameter">server</replaceable> is
+ the name or address of the server which matches a
+ server statement in the configuration file for
+ <command>rndc</command>. If no server is supplied on the
+ command line, the host named by the default-server clause
+ in the option statement of the configuration file will be
+ used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Send commands to TCP port
+ <replaceable class="parameter">port</replaceable> instead
+ of BIND 9's default control channel port, 953.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-V</term>
+ <listitem>
+ <para>
+ Enable verbose logging.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-y <replaceable class="parameter">keyid</replaceable></term>
+ <listitem>
+ <para>
+ Use the key <replaceable class="parameter">keyid</replaceable>
+ from the configuration file.
+ <replaceable class="parameter">keyid</replaceable> must be
+ known by named with the same algorithm and secret string
+ in order for control message validation to succeed.
+ If no <replaceable class="parameter">keyid</replaceable>
+ is specified, <command>rndc</command> will first look
+ for a key clause in the server statement of the server
+ being used, or if no server statement is present for that
+ host, then the default-key clause of the options statement.
+ Note that the configuration file contains shared secrets
+ which are used to send authenticated control commands
+ to name servers. It should therefore not have general read
+ or write access.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+
+ <para>
+ For the complete set of commands supported by <command>rndc</command>,
+ see the BIND 9 Administrator Reference Manual or run
+ <command>rndc</command> without arguments to see its help message.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>LIMITATIONS</title>
+ <para>
+ <command>rndc</command> does not yet support all the commands of
+ the BIND 8 <command>ndc</command> utility.
+ </para>
+ <para>
+ There is currently no way to provide the shared secret for a
+ <option>key_id</option> without using the configuration file.
+ </para>
+ <para>
+ Several error messages could be clearer.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rndc.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ <citerefentry>
+ <refentrytitle>ndc</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
+
diff --git a/contrib/bind9/bin/rndc/rndc.html b/contrib/bind9/bin/rndc/rndc.html
new file mode 100644
index 0000000..56f1aa1
--- /dev/null
+++ b/contrib/bind9/bin/rndc/rndc.html
@@ -0,0 +1,388 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc.html,v 1.7.2.1.4.3 2004/08/22 23:39:00 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>rndc</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+><SPAN
+CLASS="APPLICATION"
+>rndc</SPAN
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>rndc</SPAN
+>&nbsp;--&nbsp;name server control utility</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>rndc</B
+> [<VAR
+CLASS="OPTION"
+>-c <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-k <VAR
+CLASS="REPLACEABLE"
+>key-file</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-s <VAR
+CLASS="REPLACEABLE"
+>server</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></VAR
+>] [<VAR
+CLASS="OPTION"
+>-V</VAR
+>] [<VAR
+CLASS="OPTION"
+>-y <VAR
+CLASS="REPLACEABLE"
+>key_id</VAR
+></VAR
+>] {command}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN34"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>rndc</B
+> controls the operation of a name
+ server. It supersedes the <B
+CLASS="COMMAND"
+>ndc</B
+> utility
+ that was provided in old BIND releases. If
+ <B
+CLASS="COMMAND"
+>rndc</B
+> is invoked with no command line
+ options or arguments, it prints a short summary of the
+ supported commands and the available options and their
+ arguments.
+ </P
+><P
+> <B
+CLASS="COMMAND"
+>rndc</B
+> communicates with the name server
+ over a TCP connection, sending commands authenticated with
+ digital signatures. In the current versions of
+ <B
+CLASS="COMMAND"
+>rndc</B
+> and <B
+CLASS="COMMAND"
+>named</B
+> named
+ the only supported authentication algorithm is HMAC-MD5,
+ which uses a shared secret on each end of the connection.
+ This provides TSIG-style authentication for the command
+ request and the name server's response. All commands sent
+ over the channel must be signed by a key_id known to the
+ server.
+ </P
+><P
+> <B
+CLASS="COMMAND"
+>rndc</B
+> reads a configuration file to
+ determine how to contact the name server and decide what
+ algorithm and key it should use.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-c <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+></DT
+><DD
+><P
+> Use <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+>
+ as the configuration file instead of the default,
+ <TT
+CLASS="FILENAME"
+>/etc/rndc.conf</TT
+>.
+ </P
+></DD
+><DT
+>-k <VAR
+CLASS="REPLACEABLE"
+>key-file</VAR
+></DT
+><DD
+><P
+> Use <VAR
+CLASS="REPLACEABLE"
+>key-file</VAR
+>
+ as the key file instead of the default,
+ <TT
+CLASS="FILENAME"
+>/etc/rndc.key</TT
+>. The key in
+ <TT
+CLASS="FILENAME"
+>/etc/rndc.key</TT
+> will be used to authenticate
+ commands sent to the server if the <VAR
+CLASS="REPLACEABLE"
+>config-file</VAR
+>
+ does not exist.
+ </P
+></DD
+><DT
+>-s <VAR
+CLASS="REPLACEABLE"
+>server</VAR
+></DT
+><DD
+><P
+> <VAR
+CLASS="REPLACEABLE"
+>server</VAR
+> is
+ the name or address of the server which matches a
+ server statement in the configuration file for
+ <B
+CLASS="COMMAND"
+>rndc</B
+>. If no server is supplied on the
+ command line, the host named by the default-server clause
+ in the option statement of the configuration file will be
+ used.
+ </P
+></DD
+><DT
+>-p <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+></DT
+><DD
+><P
+> Send commands to TCP port
+ <VAR
+CLASS="REPLACEABLE"
+>port</VAR
+> instead
+ of BIND 9's default control channel port, 953.
+ </P
+></DD
+><DT
+>-V</DT
+><DD
+><P
+> Enable verbose logging.
+ </P
+></DD
+><DT
+>-y <VAR
+CLASS="REPLACEABLE"
+>keyid</VAR
+></DT
+><DD
+><P
+> Use the key <VAR
+CLASS="REPLACEABLE"
+>keyid</VAR
+>
+ from the configuration file.
+ <VAR
+CLASS="REPLACEABLE"
+>keyid</VAR
+> must be
+ known by named with the same algorithm and secret string
+ in order for control message validation to succeed.
+ If no <VAR
+CLASS="REPLACEABLE"
+>keyid</VAR
+>
+ is specified, <B
+CLASS="COMMAND"
+>rndc</B
+> will first look
+ for a key clause in the server statement of the server
+ being used, or if no server statement is present for that
+ host, then the default-key clause of the options statement.
+ Note that the configuration file contains shared secrets
+ which are used to send authenticated control commands
+ to name servers. It should therefore not have general read
+ or write access.
+ </P
+></DD
+></DL
+></DIV
+><P
+> For the complete set of commands supported by <B
+CLASS="COMMAND"
+>rndc</B
+>,
+ see the BIND 9 Administrator Reference Manual or run
+ <B
+CLASS="COMMAND"
+>rndc</B
+> without arguments to see its help message.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN94"
+></A
+><H2
+>LIMITATIONS</H2
+><P
+> <B
+CLASS="COMMAND"
+>rndc</B
+> does not yet support all the commands of
+ the BIND 8 <B
+CLASS="COMMAND"
+>ndc</B
+> utility.
+ </P
+><P
+> There is currently no way to provide the shared secret for a
+ <VAR
+CLASS="OPTION"
+>key_id</VAR
+> without using the configuration file.
+ </P
+><P
+> Several error messages could be clearer.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN102"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>rndc.conf</SPAN
+>(5)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>named.conf</SPAN
+>(5)</SPAN
+>
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>ndc</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN118"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Systems Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/bin/rndc/unix/Makefile.in b/contrib/bind9/bin/rndc/unix/Makefile.in
new file mode 100644
index 0000000..0409a18
--- /dev/null
+++ b/contrib/bind9/bin/rndc/unix/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.12.3 2004/03/08 04:04:24 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = os.@O@
+
+SRCS = os.c
+
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/bin/rndc/unix/os.c b/contrib/bind9/bin/rndc/unix/os.c
new file mode 100644
index 0000000..1adfdee
--- /dev/null
+++ b/contrib/bind9/bin/rndc/unix/os.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.5.206.1 2004/03/06 10:21:33 marka Exp $ */
+
+#include <config.h>
+
+#include <rndc/os.h>
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+int
+set_user(FILE *fd, const char *user) {
+ struct passwd *pw;
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ return (fchown(fileno(fd), pw->pw_uid, -1));
+}
+
+FILE *
+safe_create(const char *filename) {
+ int fd;
+ FILE *f;
+ struct stat sb;
+ int flags = O_WRONLY;
+
+ if (stat(filename, &sb) == -1) {
+ if (errno != ENOENT)
+ return (NULL);
+ flags = O_WRONLY | O_CREAT | O_EXCL;
+ } else if ((sb.st_mode & S_IFREG) == 0) {
+ errno = EOPNOTSUPP;
+ return (NULL);
+ } else
+ flags = O_WRONLY | O_TRUNC;
+
+ fd = open(filename, flags, S_IRUSR | S_IWUSR);
+ if (fd == -1)
+ return (NULL);
+ f = fdopen(fd, "w");
+ if (f == NULL)
+ close(fd);
+ return (f);
+}
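Review bot: In safe_create() the type and existence checks run on the path via stat(), while the later open() resolves the name again, so the object that gets truncated and written is not necessarily the one that was checked. The test `(sb.st_mode & S_IFREG) == 0` is a bit mask rather than a type comparison; on the usual mode-bit layout a socket shares that bit and would pass, so `S_ISREG(sb.st_mode)` is the safer form. On the O_TRUNC path the mode argument to open() is ignored, so an existing file keeps whatever permissions it had; if this helper writes key or configuration material, as the rndc documentation in this import suggests, the secret can land in a group- or world-readable file. I would re-check the opened descriptor with fstat(), set the mode with fchmod(), and truncate only after both succeed, as sketched below; errno handling on the new failure paths would need to match what callers expect.

```c
	} else if (!S_ISREG(sb.st_mode)) {
		errno = EOPNOTSUPP;
		return (NULL);
	} else
		flags = O_WRONLY;	/* truncate only after the checks below */

	fd = open(filename, flags, S_IRUSR | S_IWUSR);
	if (fd == -1)
		return (NULL);
	/* Verify the object actually opened, then restrict it to the owner. */
	if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) ||
	    fchmod(fd, S_IRUSR | S_IWUSR) == -1 ||
	    ftruncate(fd, 0) == -1) {
		close(fd);
		return (NULL);
	}
	/* … unchanged: fdopen() and return … */
```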
diff --git a/contrib/bind9/bin/rndc/util.c b/contrib/bind9/bin/rndc/util.c
new file mode 100644
index 0000000..249cbe2
--- /dev/null
+++ b/contrib/bind9/bin/rndc/util.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.2.206.1 2004/03/06 10:21:32 marka Exp $ */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
diff --git a/contrib/bind9/bin/rndc/util.h b/contrib/bind9/bin/rndc/util.h
new file mode 100644
index 0000000..3c19cd4
--- /dev/null
+++ b/contrib/bind9/bin/rndc/util.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.5.206.1 2004/03/06 10:21:32 marka Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+#include <isc/lang.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+void
+fatal(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
diff --git a/contrib/bind9/config.guess b/contrib/bind9/config.guess
new file mode 100644
index 0000000..6e51082
--- /dev/null
+++ b/contrib/bind9/config.guess
@@ -0,0 +1,1435 @@
+#! /bin/sh
+# Attempt to guess a canonical system name.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2004-01-24'
+
+# This file is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Originally written by Per Bothner <per@bothner.com>.
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# This script attempts to guess a canonical system name similar to
+# config.sub. If it succeeds, it prints the system name on stdout, and
+# exits with 0. Otherwise, it exits with 1.
+#
+# The plan is that this can be called by configure scripts if you
+# don't specify an explicit build system type.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of the system \`$me' is run on.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.guess ($timestamp)
+
+Originally written by Per Bothner.
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit 0 ;;
+ --version | -v )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help" >&2
+ exit 1 ;;
+ * )
+ break ;;
+ esac
+done
+
+if test $# != 0; then
+ echo "$me: too many arguments$help" >&2
+ exit 1
+fi
+
+trap 'exit 1' 1 2 15
+
+# CC_FOR_BUILD -- compiler used by this script. Note that the use of a
+# compiler to aid in system detection is discouraged as it requires
+# temporary files to be created and, as you can see below, it is a
+# headache to deal with in a portable fashion.
+
+# Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still
+# use `HOST_CC' if defined, but it is deprecated.
+
+# Portable tmp directory creation inspired by the Autoconf team.
+
+set_cc_for_build='
+trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ;
+trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ;
+: ${TMPDIR=/tmp} ;
+ { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } ||
+ { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } ||
+ { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } ||
+ { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ;
+dummy=$tmp/dummy ;
+tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ;
+case $CC_FOR_BUILD,$HOST_CC,$CC in
+ ,,) echo "int x;" > $dummy.c ;
+ for c in cc gcc c89 c99 ; do
+ if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then
+ CC_FOR_BUILD="$c"; break ;
+ fi ;
+ done ;
+ if test x"$CC_FOR_BUILD" = x ; then
+ CC_FOR_BUILD=no_compiler_found ;
+ fi
+ ;;
+ ,,*) CC_FOR_BUILD=$CC ;;
+ ,*,*) CC_FOR_BUILD=$HOST_CC ;;
+esac ;'
+
+# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
+# (ghazi@noc.rutgers.edu 1994-08-24)
+if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
+ PATH=$PATH:/.attbin ; export PATH
+fi
+
+UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown
+UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
+UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
+UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
+
+# Note: order is significant - the case branches are not exclusive.
+
+case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+ *:NetBSD:*:*)
+ # NetBSD (nbsd) targets should (where applicable) match one or
+ # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+ # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
+ # switched to ELF, *-*-netbsd* would select the old
+ # object file format. This provides both forward
+ # compatibility and a consistent mechanism for selecting the
+ # object file format.
+ #
+ # Note: NetBSD doesn't particularly care about the vendor
+ # portion of the name. We always set it to "unknown".
+ sysctl="sysctl -n hw.machine_arch"
+ UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \
+ /usr/sbin/$sysctl 2>/dev/null || echo unknown)`
+ case "${UNAME_MACHINE_ARCH}" in
+ armeb) machine=armeb-unknown ;;
+ arm*) machine=arm-unknown ;;
+ sh3el) machine=shl-unknown ;;
+ sh3eb) machine=sh-unknown ;;
+ *) machine=${UNAME_MACHINE_ARCH}-unknown ;;
+ esac
+ # The Operating System including object format, if it has switched
+ # to ELF recently, or will in the future.
+ case "${UNAME_MACHINE_ARCH}" in
+ arm*|i386|m68k|ns32k|sh3*|sparc|vax)
+ eval $set_cc_for_build
+ if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep __ELF__ >/dev/null
+ then
+ # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+ # Return netbsd for either. FIX?
+ os=netbsd
+ else
+ os=netbsdelf
+ fi
+ ;;
+ *)
+ os=netbsd
+ ;;
+ esac
+ # The OS release
+ # Debian GNU/NetBSD machines have a different userland, and
+ # thus, need a distinct triplet. However, they do not need
+ # kernel version information, so it can be replaced with a
+ # suitable tag, in the style of linux-gnu.
+ case "${UNAME_VERSION}" in
+ Debian*)
+ release='-gnu'
+ ;;
+ *)
+ release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ ;;
+ esac
+ # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+ # contains redundant information, the shorter form:
+ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+ echo "${machine}-${os}${release}"
+ exit 0 ;;
+ amiga:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ arc:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ hp300:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mac68k:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ macppc:OpenBSD:*:*)
+ echo powerpc-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvme68k:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvme88k:OpenBSD:*:*)
+ echo m88k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ mvmeppc:OpenBSD:*:*)
+ echo powerpc-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ pegasos:OpenBSD:*:*)
+ echo powerpc-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ pmax:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ sgi:OpenBSD:*:*)
+ echo mipseb-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ sun3:OpenBSD:*:*)
+ echo m68k-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ wgrisc:OpenBSD:*:*)
+ echo mipsel-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ *:OpenBSD:*:*)
+ echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE}
+ exit 0 ;;
+ alpha:OSF1:*:*)
+ if test $UNAME_RELEASE = "V4.0"; then
+ UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
+ fi
+ # According to Compaq, /usr/sbin/psrinfo has been available on
+ # OSF/1 and Tru64 systems produced since 1995. I hope that
+ # covers most systems running today. This code pipes the CPU
+ # types through head -n 1, so we only detect the type of CPU 0.
+ ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
+ case "$ALPHA_CPU_TYPE" in
+ "EV4 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "EV4.5 (21064)")
+ UNAME_MACHINE="alpha" ;;
+ "LCA4 (21066/21068)")
+ UNAME_MACHINE="alpha" ;;
+ "EV5 (21164)")
+ UNAME_MACHINE="alphaev5" ;;
+ "EV5.6 (21164A)")
+ UNAME_MACHINE="alphaev56" ;;
+ "EV5.6 (21164PC)")
+ UNAME_MACHINE="alphapca56" ;;
+ "EV5.7 (21164PC)")
+ UNAME_MACHINE="alphapca57" ;;
+ "EV6 (21264)")
+ UNAME_MACHINE="alphaev6" ;;
+ "EV6.7 (21264A)")
+ UNAME_MACHINE="alphaev67" ;;
+ "EV6.8CB (21264C)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8AL (21264B)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.8CX (21264D)")
+ UNAME_MACHINE="alphaev68" ;;
+ "EV6.9A (21264/EV69A)")
+ UNAME_MACHINE="alphaev69" ;;
+ "EV7 (21364)")
+ UNAME_MACHINE="alphaev7" ;;
+ "EV7.9 (21364A)")
+ UNAME_MACHINE="alphaev79" ;;
+ esac
+ # A Vn.n version is a released version.
+ # A Tn.n version is a released field test version.
+ # A Xn.n version is an unreleased experimental baselevel.
+ # 1.2 uses "1.2" for uname -r.
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ exit 0 ;;
+ Alpha*:OpenVMS:*:*)
+ echo alpha-hp-vms
+ exit 0 ;;
+ Alpha\ *:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # Should we change UNAME_MACHINE based on the output of uname instead
+ # of the specific Alpha model?
+ echo alpha-pc-interix
+ exit 0 ;;
+ 21064:Windows_NT:50:3)
+ echo alpha-dec-winnt3.5
+ exit 0 ;;
+ Amiga*:UNIX_System_V:4.0:*)
+ echo m68k-unknown-sysv4
+ exit 0;;
+ *:[Aa]miga[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-amigaos
+ exit 0 ;;
+ *:[Mm]orph[Oo][Ss]:*:*)
+ echo ${UNAME_MACHINE}-unknown-morphos
+ exit 0 ;;
+ *:OS/390:*:*)
+ echo i370-ibm-openedition
+ exit 0 ;;
+ *:OS400:*:*)
+ echo powerpc-ibm-os400
+ exit 0 ;;
+ arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
+ echo arm-acorn-riscix${UNAME_RELEASE}
+ exit 0;;
+ SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*)
+ echo hppa1.1-hitachi-hiuxmpp
+ exit 0;;
+ Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
+ # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
+ if test "`(/bin/universe) 2>/dev/null`" = att ; then
+ echo pyramid-pyramid-sysv3
+ else
+ echo pyramid-pyramid-bsd
+ fi
+ exit 0 ;;
+ NILE*:*:*:dcosx)
+ echo pyramid-pyramid-svr4
+ exit 0 ;;
+ DRS?6000:unix:4.0:6*)
+ echo sparc-icl-nx6
+ exit 0 ;;
+ DRS?6000:UNIX_SV:4.2*:7*)
+ case `/usr/bin/uname -p` in
+ sparc) echo sparc-icl-nx7 && exit 0 ;;
+ esac ;;
+ sun4H:SunOS:5.*:*)
+ echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*)
+ echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ i86pc:SunOS:5.*:*)
+ echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:6*:*)
+ # According to config.sub, this is the proper way to canonicalize
+ # SunOS6. Hard to guess exactly what SunOS6 will be like, but
+ # it's likely to be more like Solaris than SunOS4.
+ echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ sun4*:SunOS:*:*)
+ case "`/usr/bin/arch -k`" in
+ Series*|S4*)
+ UNAME_RELEASE=`uname -v`
+ ;;
+ esac
+ # Japanese Language versions have a version number like `4.1.3-JL'.
+ echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'`
+ exit 0 ;;
+ sun3*:SunOS:*:*)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ exit 0 ;;
+ sun*:*:4.2BSD:*)
+ UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
+ test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+ case "`/bin/arch`" in
+ sun3)
+ echo m68k-sun-sunos${UNAME_RELEASE}
+ ;;
+ sun4)
+ echo sparc-sun-sunos${UNAME_RELEASE}
+ ;;
+ esac
+ exit 0 ;;
+ aushp:SunOS:*:*)
+ echo sparc-auspex-sunos${UNAME_RELEASE}
+ exit 0 ;;
+ # The situation for MiNT is a little confusing. The machine name
+ # can be virtually everything (everything which is not
+ # "atarist" or "atariste" at least should have a processor
+ # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
+ # to the lowercase version "mint" (or "freemint"). Finally
+ # the system name "TOS" denotes a system which is actually not
+ # MiNT. But MiNT is downward compatible to TOS, so this should
+ # be no problem.
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+ echo m68k-milan-mint${UNAME_RELEASE}
+ exit 0 ;;
+ hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+ echo m68k-hades-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+ echo m68k-unknown-mint${UNAME_RELEASE}
+ exit 0 ;;
+ m68k:machten:*:*)
+ echo m68k-apple-machten${UNAME_RELEASE}
+ exit 0 ;;
+ powerpc:machten:*:*)
+ echo powerpc-apple-machten${UNAME_RELEASE}
+ exit 0 ;;
+ RISC*:Mach:*:*)
+ echo mips-dec-mach_bsd4.3
+ exit 0 ;;
+ RISC*:ULTRIX:*:*)
+ echo mips-dec-ultrix${UNAME_RELEASE}
+ exit 0 ;;
+ VAX*:ULTRIX*:*:*)
+ echo vax-dec-ultrix${UNAME_RELEASE}
+ exit 0 ;;
+ 2020:CLIX:*:* | 2430:CLIX:*:*)
+ echo clipper-intergraph-clix${UNAME_RELEASE}
+ exit 0 ;;
+ mips:*:*:UMIPS | mips:*:*:RISCos)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
+ #if defined (host_mips) && defined (MIPSEB)
+ #if defined (SYSTYPE_SYSV)
+ printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_SVR4)
+ printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0);
+ #endif
+ #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD)
+ printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0);
+ #endif
+ #endif
+ exit (-1);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c \
+ && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+ && exit 0
+ echo mips-mips-riscos${UNAME_RELEASE}
+ exit 0 ;;
+ Motorola:PowerMAX_OS:*:*)
+ echo powerpc-motorola-powermax
+ exit 0 ;;
+ Motorola:*:4.3:PL8-*)
+ echo powerpc-harris-powermax
+ exit 0 ;;
+ Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*)
+ echo powerpc-harris-powermax
+ exit 0 ;;
+ Night_Hawk:Power_UNIX:*:*)
+ echo powerpc-harris-powerunix
+ exit 0 ;;
+ m88k:CX/UX:7*:*)
+ echo m88k-harris-cxux7
+ exit 0 ;;
+ m88k:*:4*:R4*)
+ echo m88k-motorola-sysv4
+ exit 0 ;;
+ m88k:*:3*:R3*)
+ echo m88k-motorola-sysv3
+ exit 0 ;;
+ AViiON:dgux:*:*)
+ # DG/UX returns AViiON for all architectures
+ UNAME_PROCESSOR=`/usr/bin/uname -p`
+ if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+ then
+ if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+ [ ${TARGET_BINARY_INTERFACE}x = x ]
+ then
+ echo m88k-dg-dgux${UNAME_RELEASE}
+ else
+ echo m88k-dg-dguxbcs${UNAME_RELEASE}
+ fi
+ else
+ echo i586-dg-dgux${UNAME_RELEASE}
+ fi
+ exit 0 ;;
+ M88*:DolphinOS:*:*) # DolphinOS (SVR3)
+ echo m88k-dolphin-sysv3
+ exit 0 ;;
+ M88*:*:R3*:*)
+ # Delta 88k system running SVR3
+ echo m88k-motorola-sysv3
+ exit 0 ;;
+ XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3)
+ echo m88k-tektronix-sysv3
+ exit 0 ;;
+ Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD)
+ echo m68k-tektronix-bsd
+ exit 0 ;;
+ *:IRIX*:*:*)
+ echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'`
+ exit 0 ;;
+ ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX.
+ echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id
+ exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX '
+ i*86:AIX:*:*)
+ echo i386-ibm-aix
+ exit 0 ;;
+ ia64:AIX:*:*)
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${UNAME_MACHINE}-ibm-aix${IBM_REV}
+ exit 0 ;;
+ *:AIX:2:3)
+ if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <sys/systemcfg.h>
+
+ main()
+ {
+ if (!__power_pc())
+ exit(1);
+ puts("powerpc-ibm-aix3.2.5");
+ exit(0);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+ echo rs6000-ibm-aix3.2.5
+ elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
+ echo rs6000-ibm-aix3.2.4
+ else
+ echo rs6000-ibm-aix3.2
+ fi
+ exit 0 ;;
+ *:AIX:*:[45])
+ IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'`
+ if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then
+ IBM_ARCH=rs6000
+ else
+ IBM_ARCH=powerpc
+ fi
+ if [ -x /usr/bin/oslevel ] ; then
+ IBM_REV=`/usr/bin/oslevel`
+ else
+ IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE}
+ fi
+ echo ${IBM_ARCH}-ibm-aix${IBM_REV}
+ exit 0 ;;
+ *:AIX:*:*)
+ echo rs6000-ibm-aix
+ exit 0 ;;
+ ibmrt:4.4BSD:*|romp-ibm:BSD:*)
+ echo romp-ibm-bsd4.4
+ exit 0 ;;
+ ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
+ echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
+ exit 0 ;; # report: romp-ibm BSD 4.3
+ *:BOSX:*:*)
+ echo rs6000-bull-bosx
+ exit 0 ;;
+ DPX/2?00:B.O.S.:*:*)
+ echo m68k-bull-sysv3
+ exit 0 ;;
+ 9000/[34]??:4.3bsd:1.*:*)
+ echo m68k-hp-bsd
+ exit 0 ;;
+ hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*)
+ echo m68k-hp-bsd4.4
+ exit 0 ;;
+ 9000/[34678]??:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ case "${UNAME_MACHINE}" in
+ 9000/31? ) HP_ARCH=m68000 ;;
+ 9000/[34]?? ) HP_ARCH=m68k ;;
+ 9000/[678][0-9][0-9])
+ if [ -x /usr/bin/getconf ]; then
+ sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
+ sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
+ case "${sc_cpu_version}" in
+ 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 532) # CPU_PA_RISC2_0
+ case "${sc_kernel_bits}" in
+ 32) HP_ARCH="hppa2.0n" ;;
+ 64) HP_ARCH="hppa2.0w" ;;
+ '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
+ esac ;;
+ esac
+ fi
+ if [ "${HP_ARCH}" = "" ]; then
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+
+ #define _HPUX_SOURCE
+ #include <stdlib.h>
+ #include <unistd.h>
+
+ int main ()
+ {
+ #if defined(_SC_KERNEL_BITS)
+ long bits = sysconf(_SC_KERNEL_BITS);
+ #endif
+ long cpu = sysconf (_SC_CPU_VERSION);
+
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
+ case CPU_PA_RISC2_0:
+ #if defined(_SC_KERNEL_BITS)
+ switch (bits)
+ {
+ case 64: puts ("hppa2.0w"); break;
+ case 32: puts ("hppa2.0n"); break;
+ default: puts ("hppa2.0"); break;
+ } break;
+ #else /* !defined(_SC_KERNEL_BITS) */
+ puts ("hppa2.0"); break;
+ #endif
+ default: puts ("hppa1.0"); break;
+ }
+ exit (0);
+ }
+EOF
+ (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ test -z "$HP_ARCH" && HP_ARCH=hppa
+ fi ;;
+ esac
+ if [ ${HP_ARCH} = "hppa2.0w" ]
+ then
+ # avoid double evaluation of $set_cc_for_build
+ test -n "$CC_FOR_BUILD" || eval $set_cc_for_build
+ if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null
+ then
+ HP_ARCH="hppa2.0w"
+ else
+ HP_ARCH="hppa64"
+ fi
+ fi
+ echo ${HP_ARCH}-hp-hpux${HPUX_REV}
+ exit 0 ;;
+ ia64:HP-UX:*:*)
+ HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
+ echo ia64-hp-hpux${HPUX_REV}
+ exit 0 ;;
+ 3050*:HI-UX:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <unistd.h>
+ int
+ main ()
+ {
+ long cpu = sysconf (_SC_CPU_VERSION);
+ /* The order matters, because CPU_IS_HP_MC68K erroneously returns
+ true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct
+ results, however. */
+ if (CPU_IS_PA_RISC (cpu))
+ {
+ switch (cpu)
+ {
+ case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break;
+ case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break;
+ default: puts ("hppa-hitachi-hiuxwe2"); break;
+ }
+ }
+ else if (CPU_IS_HP_MC68K (cpu))
+ puts ("m68k-hitachi-hiuxwe2");
+ else puts ("unknown-hitachi-hiuxwe2");
+ exit (0);
+ }
+EOF
+ $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0
+ echo unknown-hitachi-hiuxwe2
+ exit 0 ;;
+ 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
+ echo hppa1.1-hp-bsd
+ exit 0 ;;
+ 9000/8??:4.3bsd:*:*)
+ echo hppa1.0-hp-bsd
+ exit 0 ;;
+ *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*)
+ echo hppa1.0-hp-mpeix
+ exit 0 ;;
+ hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
+ echo hppa1.1-hp-osf
+ exit 0 ;;
+ hp8??:OSF1:*:*)
+ echo hppa1.0-hp-osf
+ exit 0 ;;
+ i*86:OSF1:*:*)
+ if [ -x /usr/sbin/sysversion ] ; then
+ echo ${UNAME_MACHINE}-unknown-osf1mk
+ else
+ echo ${UNAME_MACHINE}-unknown-osf1
+ fi
+ exit 0 ;;
+ parisc*:Lites*:*:*)
+ echo hppa1.1-hp-lites
+ exit 0 ;;
+ C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
+ echo c1-convex-bsd
+ exit 0 ;;
+ C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit 0 ;;
+ C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*)
+ echo c34-convex-bsd
+ exit 0 ;;
+ C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*)
+ echo c38-convex-bsd
+ exit 0 ;;
+ C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*)
+ echo c4-convex-bsd
+ exit 0 ;;
+ CRAY*Y-MP:*:*:*)
+ echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*[A-Z]90:*:*:*)
+ echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \
+ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \
+ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \
+ -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*TS:*:*:*)
+ echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*T3E:*:*:*)
+ echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*SV1:*:*:*)
+ echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ *:UNICOS/mp:*:*)
+ echo nv1-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
+ FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
+ echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit 0 ;;
+ 5000:UNIX_System_V:4.*:*)
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
+ exit 0 ;;
+ i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+ echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ sparc*:BSD/OS:*:*)
+ echo sparc-unknown-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ *:BSD/OS:*:*)
+ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
+ exit 0 ;;
+ *:FreeBSD:*:*)
+ # Determine whether the default compiler uses glibc.
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <features.h>
+ #if __GLIBC__ >= 2
+ LIBC=gnu
+ #else
+ LIBC=
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+ # GNU/KFreeBSD systems have a "k" prefix to indicate we are using
+ # FreeBSD's kernel, but not the complete OS.
+ case ${LIBC} in gnu) kernel_only='k' ;; esac
+ echo ${UNAME_MACHINE}-unknown-${kernel_only}freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`${LIBC:+-$LIBC}
+ exit 0 ;;
+ i*:CYGWIN*:*)
+ echo ${UNAME_MACHINE}-pc-cygwin
+ exit 0 ;;
+ i*:MINGW*:*)
+ echo ${UNAME_MACHINE}-pc-mingw32
+ exit 0 ;;
+ i*:PW*:*)
+ echo ${UNAME_MACHINE}-pc-pw32
+ exit 0 ;;
+ x86:Interix*:[34]*)
+ echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//'
+ exit 0 ;;
+ [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*)
+ echo i${UNAME_MACHINE}-pc-mks
+ exit 0 ;;
+ i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+ # UNAME_MACHINE based on the output of uname instead of i386?
+ echo i586-pc-interix
+ exit 0 ;;
+ i*:UWIN*:*)
+ echo ${UNAME_MACHINE}-pc-uwin
+ exit 0 ;;
+ p*:CYGWIN*:*)
+ echo powerpcle-unknown-cygwin
+ exit 0 ;;
+ prep*:SunOS:5.*:*)
+ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
+ exit 0 ;;
+ *:GNU:*:*)
+ # the GNU system
+ echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
+ exit 0 ;;
+ *:GNU/*:*:*)
+ # other systems with GNU libc and userland
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu
+ exit 0 ;;
+ i*86:Minix:*:*)
+ echo ${UNAME_MACHINE}-pc-minix
+ exit 0 ;;
+ arm*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ cris:Linux:*:*)
+ echo cris-axis-linux-gnu
+ exit 0 ;;
+ ia64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ m68*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ mips:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips
+ #undef mipsel
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mipsel
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+ test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ ;;
+ mips64:Linux:*:*)
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #undef CPU
+ #undef mips64
+ #undef mips64el
+ #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL)
+ CPU=mips64el
+ #else
+ #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB)
+ CPU=mips64
+ #else
+ CPU=
+ #endif
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=`
+ test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0
+ ;;
+ ppc:Linux:*:*)
+ echo powerpc-unknown-linux-gnu
+ exit 0 ;;
+ ppc64:Linux:*:*)
+ echo powerpc64-unknown-linux-gnu
+ exit 0 ;;
+ alpha:Linux:*:*)
+ case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in
+ EV5) UNAME_MACHINE=alphaev5 ;;
+ EV56) UNAME_MACHINE=alphaev56 ;;
+ PCA56) UNAME_MACHINE=alphapca56 ;;
+ PCA57) UNAME_MACHINE=alphapca56 ;;
+ EV6) UNAME_MACHINE=alphaev6 ;;
+ EV67) UNAME_MACHINE=alphaev67 ;;
+ EV68*) UNAME_MACHINE=alphaev68 ;;
+ esac
+ objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null
+ if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi
+ echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC}
+ exit 0 ;;
+ parisc:Linux:*:* | hppa:Linux:*:*)
+ # Look for CPU level
+ case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in
+ PA7*) echo hppa1.1-unknown-linux-gnu ;;
+ PA8*) echo hppa2.0-unknown-linux-gnu ;;
+ *) echo hppa-unknown-linux-gnu ;;
+ esac
+ exit 0 ;;
+ parisc64:Linux:*:* | hppa64:Linux:*:*)
+ echo hppa64-unknown-linux-gnu
+ exit 0 ;;
+ s390:Linux:*:* | s390x:Linux:*:*)
+ echo ${UNAME_MACHINE}-ibm-linux
+ exit 0 ;;
+ sh64*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ sh*:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ sparc:Linux:*:* | sparc64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-gnu
+ exit 0 ;;
+ x86_64:Linux:*:*)
+ echo x86_64-unknown-linux-gnu
+ exit 0 ;;
+ i*86:Linux:*:*)
+ # The BFD linker knows what the default object file format is, so
+ # first see if it will tell us. cd to the root directory to prevent
+ # problems with other programs or directories called `ld' in the path.
+ # Set LC_ALL=C to ensure ld outputs messages in English.
+ ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \
+ | sed -ne '/supported targets:/!d
+ s/[ ][ ]*/ /g
+ s/.*supported targets: *//
+ s/ .*//
+ p'`
+ case "$ld_supported_targets" in
+ elf32-i386)
+ TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu"
+ ;;
+ a.out-i386-linux)
+ echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+ exit 0 ;;
+ coff-i386)
+ echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+ exit 0 ;;
+ "")
+ # Either a pre-BFD a.out linker (linux-gnuoldld) or
+ # one that does not give us useful --help.
+ echo "${UNAME_MACHINE}-pc-linux-gnuoldld"
+ exit 0 ;;
+ esac
+ # Determine whether the default compiler is a.out or elf
+ eval $set_cc_for_build
+ sed 's/^ //' << EOF >$dummy.c
+ #include <features.h>
+ #ifdef __ELF__
+ # ifdef __GLIBC__
+ # if __GLIBC__ >= 2
+ LIBC=gnu
+ # else
+ LIBC=gnulibc1
+ # endif
+ # else
+ LIBC=gnulibc1
+ # endif
+ #else
+ #ifdef __INTEL_COMPILER
+ LIBC=gnu
+ #else
+ LIBC=gnuaout
+ #endif
+ #endif
+ #ifdef __dietlibc__
+ LIBC=dietlibc
+ #endif
+EOF
+ eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=`
+ test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0
+ test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0
+ ;;
+ i*86:DYNIX/ptx:4*:*)
+ # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there.
+ # earlier versions are messed up and put the nodename in both
+ # sysname and nodename.
+ echo i386-sequent-sysv4
+ exit 0 ;;
+ i*86:UNIX_SV:4.2MP:2.*)
+ # Unixware is an offshoot of SVR4, but it has its own version
+ # number series starting with 2...
+ # I am not positive that other SVR4 systems won't match this,
+ # I just have to hope. -- rms.
+ # Use sysv4.2uw... so that sysv4* matches it.
+ echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
+ exit 0 ;;
+ i*86:OS/2:*:*)
+ # If we were able to find `uname', then EMX Unix compatibility
+ # is probably installed.
+ echo ${UNAME_MACHINE}-pc-os2-emx
+ exit 0 ;;
+ i*86:XTS-300:*:STOP)
+ echo ${UNAME_MACHINE}-unknown-stop
+ exit 0 ;;
+ i*86:atheos:*:*)
+ echo ${UNAME_MACHINE}-unknown-atheos
+ exit 0 ;;
+ i*86:syllable:*:*)
+ echo ${UNAME_MACHINE}-pc-syllable
+ exit 0 ;;
+ i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*)
+ echo i386-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ i*86:*DOS:*:*)
+ echo ${UNAME_MACHINE}-pc-msdosdjgpp
+ exit 0 ;;
+ i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*)
+ UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
+ if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
+ echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+ else
+ echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+ fi
+ exit 0 ;;
+ i*86:*:5:[78]*)
+ case `/bin/uname -X | grep "^Machine"` in
+ *486*) UNAME_MACHINE=i486 ;;
+ *Pentium) UNAME_MACHINE=i586 ;;
+ *Pent*|*Celeron) UNAME_MACHINE=i686 ;;
+ esac
+ echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION}
+ exit 0 ;;
+ i*86:*:3.2:*)
+ if test -f /usr/options/cb.name; then
+ UNAME_REL=`sed -n 's/.*Version //p' </usr/options/cb.name`
+ echo ${UNAME_MACHINE}-pc-isc$UNAME_REL
+ elif /bin/uname -X 2>/dev/null >/dev/null ; then
+ UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')`
+ (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486
+ (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \
+ && UNAME_MACHINE=i586
+ (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \
+ && UNAME_MACHINE=i686
+ (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \
+ && UNAME_MACHINE=i686
+ echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
+ else
+ echo ${UNAME_MACHINE}-pc-sysv32
+ fi
+ exit 0 ;;
+ pc:*:*:*)
+ # Left here for compatibility:
+ # uname -m prints for DJGPP always 'pc', but it prints nothing about
+ # the processor, so we play safe by assuming i386.
+ echo i386-pc-msdosdjgpp
+ exit 0 ;;
+ Intel:Mach:3*:*)
+ echo i386-pc-mach3
+ exit 0 ;;
+ paragon:*:*:*)
+ echo i860-intel-osf1
+ exit 0 ;;
+ i860:*:4.*:*) # i860-SVR4
+ if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then
+ echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4
+ else # Add other i860-SVR4 vendors below as they are discovered.
+ echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4
+ fi
+ exit 0 ;;
+ mini*:CTIX:SYS*5:*)
+ # "miniframe"
+ echo m68010-convergent-sysv
+ exit 0 ;;
+ mc68k:UNIX:SYSTEM5:3.51m)
+ echo m68k-convergent-sysv
+ exit 0 ;;
+ M680?0:D-NIX:5.3:*)
+ echo m68k-diab-dnix
+ exit 0 ;;
+ M68*:*:R3V[567]*:*)
+ test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;;
+ 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0)
+ OS_REL=''
+ test -r /etc/.relid \
+ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid`
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && echo i486-ncr-sysv4.3${OS_REL} && exit 0
+ /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \
+ && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;;
+ 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*)
+ /bin/uname -p 2>/dev/null | grep 86 >/dev/null \
+ && echo i486-ncr-sysv4 && exit 0 ;;
+ m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*)
+ echo m68k-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ mc68030:UNIX_System_V:4.*:*)
+ echo m68k-atari-sysv4
+ exit 0 ;;
+ TSUNAMI:LynxOS:2.*:*)
+ echo sparc-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ rs6000:LynxOS:2.*:*)
+ echo rs6000-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*)
+ echo powerpc-unknown-lynxos${UNAME_RELEASE}
+ exit 0 ;;
+ SM[BE]S:UNIX_SV:*:*)
+ echo mips-dde-sysv${UNAME_RELEASE}
+ exit 0 ;;
+ RM*:ReliantUNIX-*:*:*)
+ echo mips-sni-sysv4
+ exit 0 ;;
+ RM*:SINIX-*:*:*)
+ echo mips-sni-sysv4
+ exit 0 ;;
+ *:SINIX-*:*:*)
+ if uname -p 2>/dev/null >/dev/null ; then
+ UNAME_MACHINE=`(uname -p) 2>/dev/null`
+ echo ${UNAME_MACHINE}-sni-sysv4
+ else
+ echo ns32k-sni-sysv
+ fi
+ exit 0 ;;
+ PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort
+ # says <Richard.M.Bartel@ccMail.Census.GOV>
+ echo i586-unisys-sysv4
+ exit 0 ;;
+ *:UNIX_System_V:4*:FTX*)
+ # From Gerald Hewes <hewes@openmarket.com>.
+ # How about differentiating between stratus architectures? -djm
+ echo hppa1.1-stratus-sysv4
+ exit 0 ;;
+ *:*:*:FTX*)
+ # From seanf@swdc.stratus.com.
+ echo i860-stratus-sysv4
+ exit 0 ;;
+ *:VOS:*:*)
+ # From Paul.Green@stratus.com.
+ echo hppa1.1-stratus-vos
+ exit 0 ;;
+ mc68*:A/UX:*:*)
+ echo m68k-apple-aux${UNAME_RELEASE}
+ exit 0 ;;
+ news*:NEWS-OS:6*:*)
+ echo mips-sony-newsos6
+ exit 0 ;;
+ R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
+ if [ -d /usr/nec ]; then
+ echo mips-nec-sysv${UNAME_RELEASE}
+ else
+ echo mips-unknown-sysv${UNAME_RELEASE}
+ fi
+ exit 0 ;;
+ BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only.
+ echo powerpc-be-beos
+ exit 0 ;;
+ BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only.
+ echo powerpc-apple-beos
+ exit 0 ;;
+ BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
+ echo i586-pc-beos
+ exit 0 ;;
+ SX-4:SUPER-UX:*:*)
+ echo sx4-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ SX-5:SUPER-UX:*:*)
+ echo sx5-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ SX-6:SUPER-UX:*:*)
+ echo sx6-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ Power*:Rhapsody:*:*)
+ echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Rhapsody:*:*)
+ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Darwin:*:*)
+ case `uname -p` in
+ *86) UNAME_PROCESSOR=i686 ;;
+ powerpc) UNAME_PROCESSOR=powerpc ;;
+ esac
+ echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE}
+ exit 0 ;;
+ *:procnto*:*:* | *:QNX:[0123456789]*:*)
+ UNAME_PROCESSOR=`uname -p`
+ if test "$UNAME_PROCESSOR" = "x86"; then
+ UNAME_PROCESSOR=i386
+ UNAME_MACHINE=pc
+ fi
+ echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE}
+ exit 0 ;;
+ *:QNX:*:4*)
+ echo i386-pc-qnx
+ exit 0 ;;
+ NSR-?:NONSTOP_KERNEL:*:*)
+ echo nsr-tandem-nsk${UNAME_RELEASE}
+ exit 0 ;;
+ *:NonStop-UX:*:*)
+ echo mips-compaq-nonstopux
+ exit 0 ;;
+ BS2000:POSIX*:*:*)
+ echo bs2000-siemens-sysv
+ exit 0 ;;
+ DS/*:UNIX_System_V:*:*)
+ echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
+ exit 0 ;;
+ *:Plan9:*:*)
+ # "uname -m" is not consistent, so use $cputype instead. 386
+ # is converted to i386 for consistency with other x86
+ # operating systems.
+ if test "$cputype" = "386"; then
+ UNAME_MACHINE=i386
+ else
+ UNAME_MACHINE="$cputype"
+ fi
+ echo ${UNAME_MACHINE}-unknown-plan9
+ exit 0 ;;
+ *:TOPS-10:*:*)
+ echo pdp10-unknown-tops10
+ exit 0 ;;
+ *:TENEX:*:*)
+ echo pdp10-unknown-tenex
+ exit 0 ;;
+ KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*)
+ echo pdp10-dec-tops20
+ exit 0 ;;
+ XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*)
+ echo pdp10-xkl-tops20
+ exit 0 ;;
+ *:TOPS-20:*:*)
+ echo pdp10-unknown-tops20
+ exit 0 ;;
+ *:ITS:*:*)
+ echo pdp10-unknown-its
+ exit 0 ;;
+ SEI:*:*:SEIUX)
+ echo mips-sei-seiux${UNAME_RELEASE}
+ exit 0 ;;
+ *:DragonFly:*:*)
+ echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
+ exit 0 ;;
+esac
+
+#echo '(No uname command or uname output not recognized.)' 1>&2
+#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
+
+eval $set_cc_for_build
+cat >$dummy.c <<EOF
+#ifdef _SEQUENT_
+# include <sys/types.h>
+# include <sys/utsname.h>
+#endif
+main ()
+{
+#if defined (sony)
+#if defined (MIPSEB)
+ /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed,
+ I don't know.... */
+ printf ("mips-sony-bsd\n"); exit (0);
+#else
+#include <sys/param.h>
+ printf ("m68k-sony-newsos%s\n",
+#ifdef NEWSOS4
+ "4"
+#else
+ ""
+#endif
+ ); exit (0);
+#endif
+#endif
+
+#if defined (__arm) && defined (__acorn) && defined (__unix)
+ printf ("arm-acorn-riscix"); exit (0);
+#endif
+
+#if defined (hp300) && !defined (hpux)
+ printf ("m68k-hp-bsd\n"); exit (0);
+#endif
+
+#if defined (NeXT)
+#if !defined (__ARCHITECTURE__)
+#define __ARCHITECTURE__ "m68k"
+#endif
+ int version;
+ version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
+ if (version < 4)
+ printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ else
+ printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
+ exit (0);
+#endif
+
+#if defined (MULTIMAX) || defined (n16)
+#if defined (UMAXV)
+ printf ("ns32k-encore-sysv\n"); exit (0);
+#else
+#if defined (CMU)
+ printf ("ns32k-encore-mach\n"); exit (0);
+#else
+ printf ("ns32k-encore-bsd\n"); exit (0);
+#endif
+#endif
+#endif
+
+#if defined (__386BSD__)
+ printf ("i386-pc-bsd\n"); exit (0);
+#endif
+
+#if defined (sequent)
+#if defined (i386)
+ printf ("i386-sequent-dynix\n"); exit (0);
+#endif
+#if defined (ns32000)
+ printf ("ns32k-sequent-dynix\n"); exit (0);
+#endif
+#endif
+
+#if defined (_SEQUENT_)
+ struct utsname un;
+
+ uname(&un);
+
+ if (strncmp(un.version, "V2", 2) == 0) {
+ printf ("i386-sequent-ptx2\n"); exit (0);
+ }
+ if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */
+ printf ("i386-sequent-ptx1\n"); exit (0);
+ }
+ printf ("i386-sequent-ptx\n"); exit (0);
+
+#endif
+
+#if defined (vax)
+# if !defined (ultrix)
+# include <sys/param.h>
+# if defined (BSD)
+# if BSD == 43
+ printf ("vax-dec-bsd4.3\n"); exit (0);
+# else
+# if BSD == 199006
+ printf ("vax-dec-bsd4.3reno\n"); exit (0);
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# endif
+# else
+ printf ("vax-dec-bsd\n"); exit (0);
+# endif
+# else
+ printf ("vax-dec-ultrix\n"); exit (0);
+# endif
+#endif
+
+#if defined (alliant) && defined (i860)
+ printf ("i860-alliant-bsd\n"); exit (0);
+#endif
+
+ exit (1);
+}
+EOF
+
+$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0
+
+# Apollos put the system type in the environment.
+
+test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; }
+
+# Convex versions that predate uname can use getsysinfo(1)
+
+if [ -x /usr/convex/getsysinfo ]
+then
+ case `getsysinfo -f cpu_type` in
+ c1*)
+ echo c1-convex-bsd
+ exit 0 ;;
+ c2*)
+ if getsysinfo -f scalar_acc
+ then echo c32-convex-bsd
+ else echo c2-convex-bsd
+ fi
+ exit 0 ;;
+ c34*)
+ echo c34-convex-bsd
+ exit 0 ;;
+ c38*)
+ echo c38-convex-bsd
+ exit 0 ;;
+ c4*)
+ echo c4-convex-bsd
+ exit 0 ;;
+ esac
+fi
+
+cat >&2 <<EOF
+$0: unable to guess system type
+
+This script, last modified $timestamp, has failed to recognize
+the operating system you are using. It is advised that you
+download the most up to date version of the config scripts from
+
+ ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess timestamp = $timestamp
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
+
+exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/contrib/bind9/config.sub b/contrib/bind9/config.sub
new file mode 100644
index 0000000..463186d
--- /dev/null
+++ b/contrib/bind9/config.sub
@@ -0,0 +1,1537 @@
+#! /bin/sh
+# Configuration validation subroutine script.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999,
+# 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
+
+timestamp='2004-01-05'
+
+# This file is (in principle) common to ALL GNU software.
+# The presence of a machine in this file suggests that SOME GNU software
+# can handle that machine. It does not imply ALL GNU software can.
+#
+# This file is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Please send patches to <config-patches@gnu.org>. Submit a context
+# diff and a properly formatted ChangeLog entry.
+#
+# Configuration subroutine to validate and canonicalize a configuration type.
+# Supply the specified configuration type as an argument.
+# If it is invalid, we print an error message on stderr and exit with code 1.
+# Otherwise, we print the canonical config type on stdout and succeed.
+
+# This file is supposed to be the same for all GNU packages
+# and recognize all the CPU types, system types and aliases
+# that are meaningful with *any* GNU software.
+# Each package is responsible for reporting which valid configurations
+# it does not support. The user should be able to distinguish
+# a failure to support a valid configuration from a meaningless
+# configuration.
+
+# The goal of this file is to map all the various variations of a given
+# machine specification into a single specification in the form:
+# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM
+# or in some cases, the newer four-part form:
+# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
+# It is wrong to echo any other type of specification.
+
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -t, --time-stamp print date of last modification, then exit
+ -v, --version print version number, then exit
+
+Report bugs and patches to <config-patches@gnu.org>."
+
+version="\
+GNU config.sub ($timestamp)
+
+Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001
+Free Software Foundation, Inc.
+
+This is free software; see the source for copying conditions. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case $1 in
+ --time-stamp | --time* | -t )
+ echo "$timestamp" ; exit 0 ;;
+ --version | -v )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ echo "$me: invalid option $1$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit 0;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
+esac
+
+# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
+# Here we must recognize all the valid KERNEL-OS combinations.
+maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+case $maybe_os in
+ nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \
+ kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*)
+ os=-$maybe_os
+ basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
+ ;;
+ *)
+ basic_machine=`echo $1 | sed 's/-[^-]*$//'`
+ if [ $basic_machine != $1 ]
+ then os=`echo $1 | sed 's/.*-/-/'`
+ else os=; fi
+ ;;
+esac
+
+### Let's recognize common machines as not being operating systems so
+### that things like config.sub decstation-3100 work. We also
+### recognize some manufacturers as not being operating systems, so we
+### can provide default operating systems below.
+case $os in
+ -sun*os*)
+ # Prevent following clause from handling this invalid input.
+ ;;
+ -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \
+ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \
+ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \
+ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\
+ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \
+ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \
+ -apple | -axis)
+ os=
+ basic_machine=$1
+ ;;
+ -sim | -cisco | -oki | -wec | -winbond)
+ os=
+ basic_machine=$1
+ ;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
+ -chorusos*)
+ os=-chorusos
+ basic_machine=$1
+ ;;
+ -chorusrdb)
+ os=-chorusrdb
+ basic_machine=$1
+ ;;
+ -hiux*)
+ os=-hiuxwe2
+ ;;
+ -sco5)
+ os=-sco3.2v5
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco4)
+ os=-sco3.2v4
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2.[4-9]*)
+ os=`echo $os | sed -e 's/sco3.2./sco3.2v/'`
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco3.2v[4-9]*)
+ # Don't forget version if it is 3.2v4 or newer.
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -sco*)
+ os=-sco3.2v2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -udk*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -isc)
+ os=-isc2.2
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -clix*)
+ basic_machine=clipper-intergraph
+ ;;
+ -isc*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
+ -lynx*)
+ os=-lynxos
+ ;;
+ -ptx*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'`
+ ;;
+ -windowsnt*)
+ os=`echo $os | sed -e 's/windowsnt/winnt/'`
+ ;;
+ -psos*)
+ os=-psos
+ ;;
+ -mint | -mint[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+esac
+
+# Decode aliases for certain CPU-COMPANY combinations.
+case $basic_machine in
+ # Recognize the basic CPU types without company name.
+ # Some are omitted here because they have special meanings below.
+ 1750a | 580 \
+ | a29k \
+ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \
+ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \
+ | am33_2.0 \
+ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \
+ | c4x | clipper \
+ | d10v | d30v | dlx | dsp16xx \
+ | fr30 | frv \
+ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \
+ | i370 | i860 | i960 | ia64 \
+ | ip2k | iq2000 \
+ | m32r | m68000 | m68k | m88k | mcore \
+ | mips | mipsbe | mipseb | mipsel | mipsle \
+ | mips16 \
+ | mips64 | mips64el \
+ | mips64vr | mips64vrel \
+ | mips64orion | mips64orionel \
+ | mips64vr4100 | mips64vr4100el \
+ | mips64vr4300 | mips64vr4300el \
+ | mips64vr5000 | mips64vr5000el \
+ | mipsisa32 | mipsisa32el \
+ | mipsisa32r2 | mipsisa32r2el \
+ | mipsisa64 | mipsisa64el \
+ | mipsisa64r2 | mipsisa64r2el \
+ | mipsisa64sb1 | mipsisa64sb1el \
+ | mipsisa64sr71k | mipsisa64sr71kel \
+ | mipstx39 | mipstx39el \
+ | mn10200 | mn10300 \
+ | msp430 \
+ | ns16k | ns32k \
+ | openrisc | or32 \
+ | pdp10 | pdp11 | pj | pjl \
+ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \
+ | pyramid \
+ | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \
+ | sh64 | sh64le \
+ | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \
+ | strongarm \
+ | tahoe | thumb | tic4x | tic80 | tron \
+ | v850 | v850e \
+ | we32k \
+ | x86 | xscale | xstormy16 | xtensa \
+ | z8k)
+ basic_machine=$basic_machine-unknown
+ ;;
+ m6811 | m68hc11 | m6812 | m68hc12)
+ # Motorola 68HC11/12.
+ basic_machine=$basic_machine-unknown
+ os=-none
+ ;;
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k)
+ ;;
+
+ # We use `pc' rather than `unknown'
+ # because (1) that's what they normally are, and
+ # (2) the word "unknown" tends to confuse beginning users.
+ i*86 | x86_64)
+ basic_machine=$basic_machine-pc
+ ;;
+ # Object if more than one company name word.
+ *-*-*)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+ # Recognize the basic CPU types with company name.
+ 580-* \
+ | a29k-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \
+ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \
+ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \
+ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \
+ | avr-* \
+ | bs2000-* \
+ | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \
+ | clipper-* | cydra-* \
+ | d10v-* | d30v-* | dlx-* \
+ | elxsi-* \
+ | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \
+ | h8300-* | h8500-* \
+ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \
+ | i*86-* | i860-* | i960-* | ia64-* \
+ | ip2k-* | iq2000-* \
+ | m32r-* \
+ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \
+ | m88110-* | m88k-* | mcore-* \
+ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \
+ | mips16-* \
+ | mips64-* | mips64el-* \
+ | mips64vr-* | mips64vrel-* \
+ | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* \
+ | mips64vr4300-* | mips64vr4300el-* \
+ | mips64vr5000-* | mips64vr5000el-* \
+ | mipsisa32-* | mipsisa32el-* \
+ | mipsisa32r2-* | mipsisa32r2el-* \
+ | mipsisa64-* | mipsisa64el-* \
+ | mipsisa64r2-* | mipsisa64r2el-* \
+ | mipsisa64sb1-* | mipsisa64sb1el-* \
+ | mipsisa64sr71k-* | mipsisa64sr71kel-* \
+ | mipstx39-* | mipstx39el-* \
+ | msp430-* \
+ | none-* | np1-* | nv1-* | ns16k-* | ns32k-* \
+ | orion-* \
+ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
+ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \
+ | pyramid-* \
+ | romp-* | rs6000-* \
+ | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \
+ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
+ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \
+ | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \
+ | tahoe-* | thumb-* \
+ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
+ | tron-* \
+ | v850-* | v850e-* | vax-* \
+ | we32k-* \
+ | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \
+ | xtensa-* \
+ | ymp-* \
+ | z8k-*)
+ ;;
+ # Recognize the various machine names and aliases which stand
+ # for a CPU type and a company and sometimes even an OS.
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
+ 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
+ basic_machine=m68000-att
+ ;;
+ 3b*)
+ basic_machine=we32k-att
+ ;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
+ alliant | fx80)
+ basic_machine=fx80-alliant
+ ;;
+ altos | altos3068)
+ basic_machine=m68k-altos
+ ;;
+ am29k)
+ basic_machine=a29k-none
+ os=-bsd
+ ;;
+ amd64)
+ basic_machine=x86_64-pc
+ ;;
+ amd64-*)
+ basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ amdahl)
+ basic_machine=580-amdahl
+ os=-sysv
+ ;;
+ amiga | amiga-*)
+ basic_machine=m68k-unknown
+ ;;
+ amigaos | amigados)
+ basic_machine=m68k-unknown
+ os=-amigaos
+ ;;
+ amigaunix | amix)
+ basic_machine=m68k-unknown
+ os=-sysv4
+ ;;
+ apollo68)
+ basic_machine=m68k-apollo
+ os=-sysv
+ ;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
+ aux)
+ basic_machine=m68k-apple
+ os=-aux
+ ;;
+ balance)
+ basic_machine=ns32k-sequent
+ os=-dynix
+ ;;
+ c90)
+ basic_machine=c90-cray
+ os=-unicos
+ ;;
+ convex-c1)
+ basic_machine=c1-convex
+ os=-bsd
+ ;;
+ convex-c2)
+ basic_machine=c2-convex
+ os=-bsd
+ ;;
+ convex-c32)
+ basic_machine=c32-convex
+ os=-bsd
+ ;;
+ convex-c34)
+ basic_machine=c34-convex
+ os=-bsd
+ ;;
+ convex-c38)
+ basic_machine=c38-convex
+ os=-bsd
+ ;;
+ cray | j90)
+ basic_machine=j90-cray
+ os=-unicos
+ ;;
+ crds | unos)
+ basic_machine=m68k-crds
+ ;;
+ cris | cris-* | etrax*)
+ basic_machine=cris-axis
+ ;;
+ da30 | da30-*)
+ basic_machine=m68k-da30
+ ;;
+ decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn)
+ basic_machine=mips-dec
+ ;;
+ decsystem10* | dec10*)
+ basic_machine=pdp10-dec
+ os=-tops10
+ ;;
+ decsystem20* | dec20*)
+ basic_machine=pdp10-dec
+ os=-tops20
+ ;;
+ delta | 3300 | motorola-3300 | motorola-delta \
+ | 3300-motorola | delta-motorola)
+ basic_machine=m68k-motorola
+ ;;
+ delta88)
+ basic_machine=m88k-motorola
+ os=-sysv3
+ ;;
+ dpx20 | dpx20-*)
+ basic_machine=rs6000-bull
+ os=-bosx
+ ;;
+ dpx2* | dpx2*-bull)
+ basic_machine=m68k-bull
+ os=-sysv3
+ ;;
+ ebmon29k)
+ basic_machine=a29k-amd
+ os=-ebmon
+ ;;
+ elxsi)
+ basic_machine=elxsi-elxsi
+ os=-bsd
+ ;;
+ encore | umax | mmax)
+ basic_machine=ns32k-encore
+ ;;
+ es1800 | OSE68k | ose68k | ose | OSE)
+ basic_machine=m68k-ericsson
+ os=-ose
+ ;;
+ fx2800)
+ basic_machine=i860-alliant
+ ;;
+ genix)
+ basic_machine=ns32k-ns
+ ;;
+ gmicro)
+ basic_machine=tron-gmicro
+ os=-sysv
+ ;;
+ go32)
+ basic_machine=i386-pc
+ os=-go32
+ ;;
+ h3050r* | hiux*)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ h8300hms)
+ basic_machine=h8300-hitachi
+ os=-hms
+ ;;
+ h8300xray)
+ basic_machine=h8300-hitachi
+ os=-xray
+ ;;
+ h8500hms)
+ basic_machine=h8500-hitachi
+ os=-hms
+ ;;
+ harris)
+ basic_machine=m88k-harris
+ os=-sysv3
+ ;;
+ hp300-*)
+ basic_machine=m68k-hp
+ ;;
+ hp300bsd)
+ basic_machine=m68k-hp
+ os=-bsd
+ ;;
+ hp300hpux)
+ basic_machine=m68k-hp
+ os=-hpux
+ ;;
+ hp3k9[0-9][0-9] | hp9[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k2[0-9][0-9] | hp9k31[0-9])
+ basic_machine=m68000-hp
+ ;;
+ hp9k3[2-9][0-9])
+ basic_machine=m68k-hp
+ ;;
+ hp9k6[0-9][0-9] | hp6[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k7[0-79][0-9] | hp7[0-79][0-9])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k78[0-9] | hp78[0-9])
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][13679] | hp8[0-9][13679])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][0-9] | hp8[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hppa-next)
+ os=-nextstep3
+ ;;
+ hppaosf)
+ basic_machine=hppa1.1-hp
+ os=-osf
+ ;;
+ hppro)
+ basic_machine=hppa1.1-hp
+ os=-proelf
+ ;;
+ i370-ibm* | ibm*)
+ basic_machine=i370-ibm
+ ;;
+# I'm not sure what "Sysv32" means. Should this be sysv3.2?
+ i*86v32)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv32
+ ;;
+ i*86v4*)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv4
+ ;;
+ i*86v)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-sysv
+ ;;
+ i*86sol2)
+ basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
+ os=-solaris2
+ ;;
+ i386mach)
+ basic_machine=i386-mach
+ os=-mach
+ ;;
+ i386-vsta | vsta)
+ basic_machine=i386-unknown
+ os=-vsta
+ ;;
+ iris | iris4d)
+ basic_machine=mips-sgi
+ case $os in
+ -irix*)
+ ;;
+ *)
+ os=-irix4
+ ;;
+ esac
+ ;;
+ isi68 | isi)
+ basic_machine=m68k-isi
+ os=-sysv
+ ;;
+ m88k-omron*)
+ basic_machine=m88k-omron
+ ;;
+ magnum | m3230)
+ basic_machine=mips-mips
+ os=-sysv
+ ;;
+ merlin)
+ basic_machine=ns32k-utek
+ os=-sysv
+ ;;
+ mingw32)
+ basic_machine=i386-pc
+ os=-mingw32
+ ;;
+ miniframe)
+ basic_machine=m68000-convergent
+ ;;
+ *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
+ mips3*-*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`
+ ;;
+ mips3*)
+ basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
+ ;;
+ mmix*)
+ basic_machine=mmix-knuth
+ os=-mmixware
+ ;;
+ monitor)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ morphos)
+ basic_machine=powerpc-unknown
+ os=-morphos
+ ;;
+ msdos)
+ basic_machine=i386-pc
+ os=-msdos
+ ;;
+ mvs)
+ basic_machine=i370-ibm
+ os=-mvs
+ ;;
+ ncr3000)
+ basic_machine=i486-ncr
+ os=-sysv4
+ ;;
+ netbsd386)
+ basic_machine=i386-unknown
+ os=-netbsd
+ ;;
+ netwinder)
+ basic_machine=armv4l-rebel
+ os=-linux
+ ;;
+ news | news700 | news800 | news900)
+ basic_machine=m68k-sony
+ os=-newsos
+ ;;
+ news1000)
+ basic_machine=m68030-sony
+ os=-newsos
+ ;;
+ news-3600 | risc-news)
+ basic_machine=mips-sony
+ os=-newsos
+ ;;
+ necv70)
+ basic_machine=v70-nec
+ os=-sysv
+ ;;
+ next | m*-next )
+ basic_machine=m68k-next
+ case $os in
+ -nextstep* )
+ ;;
+ -ns2*)
+ os=-nextstep2
+ ;;
+ *)
+ os=-nextstep3
+ ;;
+ esac
+ ;;
+ nh3000)
+ basic_machine=m68k-harris
+ os=-cxux
+ ;;
+ nh[45]000)
+ basic_machine=m88k-harris
+ os=-cxux
+ ;;
+ nindy960)
+ basic_machine=i960-intel
+ os=-nindy
+ ;;
+ mon960)
+ basic_machine=i960-intel
+ os=-mon960
+ ;;
+ nonstopux)
+ basic_machine=mips-compaq
+ os=-nonstopux
+ ;;
+ np1)
+ basic_machine=np1-gould
+ ;;
+ nv1)
+ basic_machine=nv1-cray
+ os=-unicosmp
+ ;;
+ nsr-tandem)
+ basic_machine=nsr-tandem
+ ;;
+ op50n-* | op60c-*)
+ basic_machine=hppa1.1-oki
+ os=-proelf
+ ;;
+ or32 | or32-*)
+ basic_machine=or32-unknown
+ os=-coff
+ ;;
+ os400)
+ basic_machine=powerpc-ibm
+ os=-os400
+ ;;
+ OSE68000 | ose68000)
+ basic_machine=m68000-ericsson
+ os=-ose
+ ;;
+ os68k)
+ basic_machine=m68k-none
+ os=-os68k
+ ;;
+ pa-hitachi)
+ basic_machine=hppa1.1-hitachi
+ os=-hiuxwe2
+ ;;
+ paragon)
+ basic_machine=i860-intel
+ os=-osf
+ ;;
+ pbd)
+ basic_machine=sparc-tti
+ ;;
+ pbb)
+ basic_machine=m68k-tti
+ ;;
+ pc532 | pc532-*)
+ basic_machine=ns32k-pc532
+ ;;
+ pentium | p5 | k5 | k6 | nexgen | viac3)
+ basic_machine=i586-pc
+ ;;
+ pentiumpro | p6 | 6x86 | athlon | athlon_*)
+ basic_machine=i686-pc
+ ;;
+ pentiumii | pentium2 | pentiumiii | pentium3)
+ basic_machine=i686-pc
+ ;;
+ pentium4)
+ basic_machine=i786-pc
+ ;;
+ pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*)
+ basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentiumpro-* | p6-* | 6x86-* | athlon-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*)
+ basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pentium4-*)
+ basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ pn)
+ basic_machine=pn-gould
+ ;;
+ power) basic_machine=power-ibm
+ ;;
+ ppc) basic_machine=powerpc-unknown
+ ;;
+ ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppcle | powerpclittle | ppc-le | powerpc-little)
+ basic_machine=powerpcle-unknown
+ ;;
+ ppcle-* | powerpclittle-*)
+ basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64) basic_machine=powerpc64-unknown
+ ;;
+ ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+ basic_machine=powerpc64le-unknown
+ ;;
+ ppc64le-* | powerpc64little-*)
+ basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'`
+ ;;
+ ps2)
+ basic_machine=i386-ibm
+ ;;
+ pw32)
+ basic_machine=i586-unknown
+ os=-pw32
+ ;;
+ rom68k)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ rm[46]00)
+ basic_machine=mips-siemens
+ ;;
+ rtpc | rtpc-*)
+ basic_machine=romp-ibm
+ ;;
+ s390 | s390-*)
+ basic_machine=s390-ibm
+ ;;
+ s390x | s390x-*)
+ basic_machine=s390x-ibm
+ ;;
+ sa29200)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ sb1)
+ basic_machine=mipsisa64sb1-unknown
+ ;;
+ sb1el)
+ basic_machine=mipsisa64sb1el-unknown
+ ;;
+ sei)
+ basic_machine=mips-sei
+ os=-seiux
+ ;;
+ sequent)
+ basic_machine=i386-sequent
+ ;;
+ sh)
+ basic_machine=sh-hitachi
+ os=-hms
+ ;;
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparclite-wrs | simso-wrs)
+ basic_machine=sparclite-wrs
+ os=-vxworks
+ ;;
+ sps7)
+ basic_machine=m68k-bull
+ os=-sysv2
+ ;;
+ spur)
+ basic_machine=spur-unknown
+ ;;
+ st2000)
+ basic_machine=m68k-tandem
+ ;;
+ stratus)
+ basic_machine=i860-stratus
+ os=-sysv4
+ ;;
+ sun2)
+ basic_machine=m68000-sun
+ ;;
+ sun2os3)
+ basic_machine=m68000-sun
+ os=-sunos3
+ ;;
+ sun2os4)
+ basic_machine=m68000-sun
+ os=-sunos4
+ ;;
+ sun3os3)
+ basic_machine=m68k-sun
+ os=-sunos3
+ ;;
+ sun3os4)
+ basic_machine=m68k-sun
+ os=-sunos4
+ ;;
+ sun4os3)
+ basic_machine=sparc-sun
+ os=-sunos3
+ ;;
+ sun4os4)
+ basic_machine=sparc-sun
+ os=-sunos4
+ ;;
+ sun4sol2)
+ basic_machine=sparc-sun
+ os=-solaris2
+ ;;
+ sun3 | sun3-*)
+ basic_machine=m68k-sun
+ ;;
+ sun4)
+ basic_machine=sparc-sun
+ ;;
+ sun386 | sun386i | roadrunner)
+ basic_machine=i386-sun
+ ;;
+ sv1)
+ basic_machine=sv1-cray
+ os=-unicos
+ ;;
+ symmetry)
+ basic_machine=i386-sequent
+ os=-dynix
+ ;;
+ t3e)
+ basic_machine=alphaev5-cray
+ os=-unicos
+ ;;
+ t90)
+ basic_machine=t90-cray
+ os=-unicos
+ ;;
+ tic54x | c54x*)
+ basic_machine=tic54x-unknown
+ os=-coff
+ ;;
+ tic55x | c55x*)
+ basic_machine=tic55x-unknown
+ os=-coff
+ ;;
+ tic6x | c6x*)
+ basic_machine=tic6x-unknown
+ os=-coff
+ ;;
+ tx39)
+ basic_machine=mipstx39-unknown
+ ;;
+ tx39el)
+ basic_machine=mipstx39el-unknown
+ ;;
+ toad1)
+ basic_machine=pdp10-xkl
+ os=-tops20
+ ;;
+ tower | tower-32)
+ basic_machine=m68k-ncr
+ ;;
+ tpf)
+ basic_machine=s390x-ibm
+ os=-tpf
+ ;;
+ udi29k)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ ultra3)
+ basic_machine=a29k-nyu
+ os=-sym1
+ ;;
+ v810 | necv810)
+ basic_machine=v810-nec
+ os=-none
+ ;;
+ vaxv)
+ basic_machine=vax-dec
+ os=-sysv
+ ;;
+ vms)
+ basic_machine=vax-dec
+ os=-vms
+ ;;
+ vpp*|vx|vx-*)
+ basic_machine=f301-fujitsu
+ ;;
+ vxworks960)
+ basic_machine=i960-wrs
+ os=-vxworks
+ ;;
+ vxworks68)
+ basic_machine=m68k-wrs
+ os=-vxworks
+ ;;
+ vxworks29k)
+ basic_machine=a29k-wrs
+ os=-vxworks
+ ;;
+ w65*)
+ basic_machine=w65-wdc
+ os=-none
+ ;;
+ w89k-*)
+ basic_machine=hppa1.1-winbond
+ os=-proelf
+ ;;
+ xps | xps100)
+ basic_machine=xps100-honeywell
+ ;;
+ ymp)
+ basic_machine=ymp-cray
+ os=-unicos
+ ;;
+ z8k-*-coff)
+ basic_machine=z8k-unknown
+ os=-sim
+ ;;
+ none)
+ basic_machine=none-none
+ os=-none
+ ;;
+
+# Here we handle the default manufacturer of certain CPU types. It is in
+# some cases the only manufacturer, in others, it is the most popular.
+ w89k)
+ basic_machine=hppa1.1-winbond
+ ;;
+ op50n)
+ basic_machine=hppa1.1-oki
+ ;;
+ op60c)
+ basic_machine=hppa1.1-oki
+ ;;
+ romp)
+ basic_machine=romp-ibm
+ ;;
+ rs6000)
+ basic_machine=rs6000-ibm
+ ;;
+ vax)
+ basic_machine=vax-dec
+ ;;
+ pdp10)
+ # there are many clones, so DEC is not a safe bet
+ basic_machine=pdp10-unknown
+ ;;
+ pdp11)
+ basic_machine=pdp11-dec
+ ;;
+ we32k)
+ basic_machine=we32k-att
+ ;;
+ sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele)
+ basic_machine=sh-unknown
+ ;;
+ sh64)
+ basic_machine=sh64-unknown
+ ;;
+ sparc | sparcv9 | sparcv9b)
+ basic_machine=sparc-sun
+ ;;
+ cydra)
+ basic_machine=cydra-cydrome
+ ;;
+ orion)
+ basic_machine=orion-highlevel
+ ;;
+ orion105)
+ basic_machine=clipper-highlevel
+ ;;
+ mac | mpw | mac-mpw)
+ basic_machine=m68k-apple
+ ;;
+ pmac | pmac-mpw)
+ basic_machine=powerpc-apple
+ ;;
+ *-unknown)
+ # Make sure to match an already-canonicalized machine name.
+ ;;
+ *)
+ echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+
+# Here we canonicalize certain aliases for manufacturers.
+case $basic_machine in
+ *-digital*)
+ basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'`
+ ;;
+ *-commodore*)
+ basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'`
+ ;;
+ *)
+ ;;
+esac
+
+# Decode manufacturer-specific aliases for certain operating systems.
+
+if [ x"$os" != x"" ]
+then
+case $os in
+ # First match some system type aliases
+ # that might get confused with valid system types.
+ # -solaris* is a basic system type, with this one exception.
+ -solaris1 | -solaris1.*)
+ os=`echo $os | sed -e 's|solaris1|sunos4|'`
+ ;;
+ -solaris)
+ os=-solaris2
+ ;;
+ -svr4*)
+ os=-sysv4
+ ;;
+ -unixware*)
+ os=-sysv4.2uw
+ ;;
+ -gnu/linux*)
+ os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'`
+ ;;
+ # First accept the basic system types.
+ # The portable systems comes first.
+ # Each alternative MUST END IN A *, to match a version number.
+ # -sysv* is not here because it comes later, after sysvr4.
+ -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \
+ | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\
+ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \
+ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
+ | -aos* \
+ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
+ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
+ | -hiux* | -386bsd* | -knetbsd* | -netbsd* | -openbsd* | -kfreebsd* | -freebsd* | -riscix* \
+ | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
+ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
+ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
+ | -chorusos* | -chorusrdb* \
+ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
+ | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \
+ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \
+ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
+ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
+ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*)
+ # Remember, each alternative MUST END IN *, to match a version number.
+ ;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i*86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto-qnx*)
+ ;;
+ -nto*)
+ os=`echo $os | sed -e 's|nto|nto-qnx|'`
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
+ -linux-dietlibc)
+ os=-linux-dietlibc
+ ;;
+ -linux*)
+ os=`echo $os | sed -e 's|linux|linux-gnu|'`
+ ;;
+ -sunos5*)
+ os=`echo $os | sed -e 's|sunos5|solaris2|'`
+ ;;
+ -sunos6*)
+ os=`echo $os | sed -e 's|sunos6|solaris3|'`
+ ;;
+ -opened*)
+ os=-openedition
+ ;;
+ -os400*)
+ os=-os400
+ ;;
+ -wince*)
+ os=-wince
+ ;;
+ -osfrose*)
+ os=-osfrose
+ ;;
+ -osf*)
+ os=-osf
+ ;;
+ -utek*)
+ os=-bsd
+ ;;
+ -dynix*)
+ os=-bsd
+ ;;
+ -acis*)
+ os=-aos
+ ;;
+ -atheos*)
+ os=-atheos
+ ;;
+ -syllable*)
+ os=-syllable
+ ;;
+ -386bsd)
+ os=-bsd
+ ;;
+ -ctix* | -uts*)
+ os=-sysv
+ ;;
+ -nova*)
+ os=-rtmk-nova
+ ;;
+ -ns2 )
+ os=-nextstep2
+ ;;
+ -nsk*)
+ os=-nsk
+ ;;
+ # Preserve the version number of sinix5.
+ -sinix5.*)
+ os=`echo $os | sed -e 's|sinix|sysv|'`
+ ;;
+ -sinix*)
+ os=-sysv4
+ ;;
+ -tpf*)
+ os=-tpf
+ ;;
+ -triton*)
+ os=-sysv3
+ ;;
+ -oss*)
+ os=-sysv3
+ ;;
+ -svr4)
+ os=-sysv4
+ ;;
+ -svr3)
+ os=-sysv3
+ ;;
+ -sysvr4)
+ os=-sysv4
+ ;;
+ # This must come after -sysvr4.
+ -sysv*)
+ ;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
+ -xenix)
+ os=-xenix
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ os=-mint
+ ;;
+ -aros*)
+ os=-aros
+ ;;
+ -kaos*)
+ os=-kaos
+ ;;
+ -none)
+ ;;
+ *)
+ # Get rid of the `-' at the beginning of $os.
+ os=`echo $os | sed 's/[^-]*-//'`
+ echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2
+ exit 1
+ ;;
+esac
+else
+
+# Here we handle the default operating systems that come with various machines.
+# The value should be what the vendor currently ships out the door with their
+# machine or put another way, the most popular os provided with the machine.
+
+# Note that if you're going to try to match "-MANUFACTURER" here (say,
+# "-sun"), then you have to tell the case statement up towards the top
+# that MANUFACTURER isn't an operating system. Otherwise, code above
+# will signal an error saying that MANUFACTURER isn't an operating
+# system, and we'll never get to this point.
+
+case $basic_machine in
+ *-acorn)
+ os=-riscix1.2
+ ;;
+ arm*-rebel)
+ os=-linux
+ ;;
+ arm*-semi)
+ os=-aout
+ ;;
+ c4x-* | tic4x-*)
+ os=-coff
+ ;;
+ # This must come before the *-dec entry.
+ pdp10-*)
+ os=-tops20
+ ;;
+ pdp11-*)
+ os=-none
+ ;;
+ *-dec | vax-*)
+ os=-ultrix4.2
+ ;;
+ m68*-apollo)
+ os=-domain
+ ;;
+ i386-sun)
+ os=-sunos4.0.2
+ ;;
+ m68000-sun)
+ os=-sunos3
+ # This also exists in the configure program, but was not the
+ # default.
+ # os=-sunos4
+ ;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
+ or32-*)
+ os=-coff
+ ;;
+ *-tti) # must be before sparc entry or we get the wrong os.
+ os=-sysv3
+ ;;
+ sparc-* | *-sun)
+ os=-sunos4.1.1
+ ;;
+ *-be)
+ os=-beos
+ ;;
+ *-ibm)
+ os=-aix
+ ;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
+ *-hp)
+ os=-hpux
+ ;;
+ *-hitachi)
+ os=-hiux
+ ;;
+ i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent)
+ os=-sysv
+ ;;
+ *-cbm)
+ os=-amigaos
+ ;;
+ *-dg)
+ os=-dgux
+ ;;
+ *-dolphin)
+ os=-sysv3
+ ;;
+ m68k-ccur)
+ os=-rtu
+ ;;
+ m88k-omron*)
+ os=-luna
+ ;;
+ *-next )
+ os=-nextstep
+ ;;
+ *-sequent)
+ os=-ptx
+ ;;
+ *-crds)
+ os=-unos
+ ;;
+ *-ns)
+ os=-genix
+ ;;
+ i370-*)
+ os=-mvs
+ ;;
+ *-next)
+ os=-nextstep3
+ ;;
+ *-gould)
+ os=-sysv
+ ;;
+ *-highlevel)
+ os=-bsd
+ ;;
+ *-encore)
+ os=-bsd
+ ;;
+ *-sgi)
+ os=-irix
+ ;;
+ *-siemens)
+ os=-sysv4
+ ;;
+ *-masscomp)
+ os=-rtu
+ ;;
+ f30[01]-fujitsu | f700-fujitsu)
+ os=-uxpv
+ ;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
+ *)
+ os=-none
+ ;;
+esac
+fi
+
+# Here we handle the case where we know the os, and the CPU type, but not the
+# manufacturer. We pick the logical manufacturer.
+vendor=unknown
+case $basic_machine in
+ *-unknown)
+ case $os in
+ -riscix*)
+ vendor=acorn
+ ;;
+ -sunos*)
+ vendor=sun
+ ;;
+ -aix*)
+ vendor=ibm
+ ;;
+ -beos*)
+ vendor=be
+ ;;
+ -hpux*)
+ vendor=hp
+ ;;
+ -mpeix*)
+ vendor=hp
+ ;;
+ -hiux*)
+ vendor=hitachi
+ ;;
+ -unos*)
+ vendor=crds
+ ;;
+ -dgux*)
+ vendor=dg
+ ;;
+ -luna*)
+ vendor=omron
+ ;;
+ -genix*)
+ vendor=ns
+ ;;
+ -mvs* | -opened*)
+ vendor=ibm
+ ;;
+ -os400*)
+ vendor=ibm
+ ;;
+ -ptx*)
+ vendor=sequent
+ ;;
+ -tpf*)
+ vendor=ibm
+ ;;
+ -vxsim* | -vxworks* | -windiss*)
+ vendor=wrs
+ ;;
+ -aux*)
+ vendor=apple
+ ;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*)
+ vendor=atari
+ ;;
+ -vos*)
+ vendor=stratus
+ ;;
+ esac
+ basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
+ ;;
+esac
+
+echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "timestamp='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/contrib/bind9/configure.in b/contrib/bind9/configure.in
new file mode 100644
index 0000000..d1ca87c
--- /dev/null
+++ b/contrib/bind9/configure.in
@@ -0,0 +1,2180 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+dnl
+AC_DIVERT_PUSH(1)dnl
+esyscmd([sed "s/^/# /" COPYRIGHT])dnl
+AC_DIVERT_POP()dnl
+
+AC_REVISION($Revision: 1.294.2.23.2.30 $)
+
+AC_INIT(lib/dns/name.c)
+AC_PREREQ(2.13)
+
+AC_CONFIG_HEADER(config.h)
+AC_CONFIG_SUBDIRS(lib/bind)
+
+AC_CANONICAL_HOST
+
+AC_PROG_MAKE_SET
+AC_PROG_RANLIB
+AC_PROG_INSTALL
+
+AC_SUBST(STD_CINCLUDES)
+AC_SUBST(STD_CDEFINES)
+AC_SUBST(STD_CWARNINGS)
+AC_SUBST(CCOPT)
+
+AC_PATH_PROG(AR, ar)
+ARFLAGS="cruv"
+AC_SUBST(AR)
+AC_SUBST(ARFLAGS)
+
+# The POSIX ln(1) program. Non-POSIX systems may substitute
+# "copy" or something.
+LN=ln
+AC_SUBST(LN)
+
+case "$AR" in
+ "")
+ AC_MSG_ERROR([
+ar program not found. Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+])
+
+ ;;
+esac
+
+#
+# Etags.
+#
+AC_PATH_PROGS(ETAGS, etags emacs-etags)
+
+#
+# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
+# GNU emacs etags, and it requires the -L flag.
+#
+if test "X$ETAGS" != "X"; then
+ AC_MSG_CHECKING(for Exuberant Ctags etags)
+ if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
+ AC_MSG_RESULT(yes)
+ ETAGS="$ETAGS -L"
+ else
+ AC_MSG_RESULT(no)
+ fi
+fi
+AC_SUBST(ETAGS)
+
+#
+# Perl is optional; it is used only by some of the system test scripts.
+#
+AC_PATH_PROGS(PERL, perl5 perl)
+AC_SUBST(PERL)
+
+#
+# Special processing of paths depending on whether --prefix,
+# --sysconfdir or --localstatedir arguments were given. What's
+# desired is some compatibility with the way previous versions
+# of BIND built; they defaulted to /usr/local for most parts of
+# the installation, but named.boot/named.conf was in /etc
+# and named.pid was in /var/run.
+#
+# So ... if none of --prefix, --sysconfdir or --localstatedir are
+# specified, set things up that way. If --prefix is given, use
+# it for sysconfdir and localstatedir the way configure normally
+# would. To change the prefix for everything but leave named.conf
+# in /etc or named.pid in /var/run, then do this the usual configure way:
+# ./configure --prefix=/somewhere --sysconfdir=/etc
+# ./configure --prefix=/somewhere --localstatedir=/var
+#
+# To put named.conf and named.pid in /usr/local with everything else,
+# set the prefix explicitly to /usr/local even though that's the default:
+# ./configure --prefix=/usr/local
+#
+case "$prefix" in
+ NONE)
+ case "$sysconfdir" in
+ '${prefix}/etc')
+ sysconfdir=/etc
+ ;;
+ esac
+ case "$localstatedir" in
+ '${prefix}/var')
+ localstatedir=/var
+ ;;
+ esac
+ ;;
+esac
+
+#
+# Make sure INSTALL uses an absolute path, else it will be wrong in all
+# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
+# configure based on the location of the file where it is substituted.
+# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
+# subdirectory of install-sh, This relative path will be wrong for all
+# directories more than one level down from install-sh.
+#
+case "$INSTALL" in
+ /*)
+ ;;
+ *)
+ #
+ # Not all systems have dirname.
+ #
+ changequote({, })
+ ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+ changequote([, ])
+
+ ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+ test "$ac_dir" = "$ac_prog" && ac_dir=.
+ test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+ INSTALL="$ac_dir/$ac_prog"
+ ;;
+esac
+
+#
+# On these hosts, we really want to use cc, not gcc, even if it is
+# found. The gcc that these systems have will not correctly handle
+# pthreads.
+#
+# However, if the user sets $CC to be something, let that override
+# our change.
+#
+if test "X$CC" = "X" ; then
+ case "$host" in
+ *-dec-osf*)
+ CC="cc"
+ ;;
+ *-solaris*)
+ # Use Sun's cc if it is available, but watch
+ # out for /usr/ucb/cc; it will never be the right
+ # compiler to use.
+ #
+ # If setting CC here fails, the AC_PROG_CC done
+ # below might still find gcc.
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ for ac_dir in $PATH; do
+ test -z "$ac_dir" && ac_dir=.
+ case "$ac_dir" in
+ /usr/ucb)
+ # exclude
+ ;;
+ *)
+ if test -f "$ac_dir/cc"; then
+ CC="$ac_dir/cc"
+ break
+ fi
+ ;;
+ esac
+ done
+ IFS="$ac_save_ifs"
+ ;;
+ *-hp-hpux*)
+ CC="cc"
+ ;;
+ mips-sgi-irix*)
+ CC="cc"
+ ;;
+ esac
+fi
+
+AC_PROG_CC
+
+#
+# gcc's optimiser is broken at -02 for ultrasparc
+#
+if test "$ac_env_CFLAGS_set" != set -a "X$GCC" = "Xyes"; then
+ case "$host" in
+ sparc-*)
+ CCFLAGS="-g -O1"
+ ;;
+ esac
+fi
+
+#
+# OS dependent CC flags
+#
+case "$host" in
+ # OSF 5.0: recv/send are only avaliable with -D_POSIX_PII_SOCKET or
+ # -D_XOPEN_SOURCE_EXTENDED.
+ *-dec-osf*)
+ STD_CDEFINES="$STD_CDEFINES -D_POSIX_PII_SOCKET"
+ CPPFLAGS="$CPPFLAGS -D_POSIX_PII_SOCKET"
+ ;;
+ #HP-UX: need -D_XOPEN_SOURCE_EXTENDED and -lxnet for CMSG macros
+ *-hp-hpux*)
+ STD_CDEFINES="$STD_CDEFINES -D_XOPEN_SOURCE_EXTENDED"
+ CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE_EXTENDED"
+ LIBS="-lxnet $LIBS"
+ ;;
+ # Solaris: need -D_XPG4_2 and -D__EXTENSIONS__ for CMSG macros
+ *-solaris*)
+ STD_CDEFINES="$STD_CDEFINES -D_XPG4_2 -D__EXTENSIONS__"
+ CPPFLAGS="$CPPFLAGS -D_XPG4_2 -D__EXTENSIONS__"
+ ;;
+esac
+
+AC_HEADER_STDC
+
+AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+[$ac_includes_default
+#ifdef HAVE_SYS_PARAM_H
+# include <sys/param.h>
+#endif
+])
+
+AC_C_CONST
+AC_C_INLINE
+AC_CHECK_FUNC(sysctlbyname, AC_DEFINE(HAVE_SYSCTLBYNAME))
+
+#
+# UnixWare 7.1.1 with the feature supplement to the UDK compiler
+# is reported to not support "static inline" (RT #1212).
+#
+AC_MSG_CHECKING(for static inline breakage)
+AC_TRY_COMPILE(, [
+ foo1();
+ }
+
+ static inline int foo1() {
+ return 0;
+ }
+
+ static inline int foo2() {
+ return foo1();
+ ],
+ [AC_MSG_RESULT(no)],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(inline, )])
+
+AC_TYPE_SIZE_T
+AC_CHECK_TYPE(ssize_t, int)
+AC_HEADER_TIME
+AC_MSG_CHECKING(for long long)
+AC_TRY_COMPILE([],[long long i = 0; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVELONGLONG="#define ISC_PLATFORM_HAVELONGLONG 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVELONGLONG="#undef ISC_PLATFORM_HAVELONGLONG"])
+AC_SUBST(ISC_PLATFORM_HAVELONGLONG)
+
+#
+# check if we have lifconf
+#
+AC_MSG_CHECKING(for struct lifconf)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <net/if.h>
+],
+[
+struct lifconf lifconf;
+lifconf.lifc_len = 0;
+]
+,
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVELIFCONF="#define ISC_PLATFORM_HAVELIFCONF 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVELIFCONF="#undef ISC_PLATFORM_HAVELIFCONF"])
+AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
+
+
+#
+# check if we need to #include sys/select.h explicitly
+#
+case $ac_cv_header_unistd_h in
+yes)
+AC_MSG_CHECKING(if unistd.h or sys/types.h defines fd_set)
+AC_TRY_COMPILE([
+#include <sys/types.h> /* Ultrix */
+#include <unistd.h>],
+[fd_set read_set; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
+ LWRES_PLATFORM_NEEDSYSSELECTH="#undef LWRES_PLATFORM_NEEDSYSSELECTH"],
+ [AC_MSG_RESULT(no)
+ case $ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ AC_MSG_ERROR([need either working unistd.h or sys/select.h])
+ ;;
+ esac
+ ])
+ ;;
+no)
+ case $ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ AC_MSG_ERROR([need either unistd.h or sys/select.h])
+ ;;
+ esac
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_NEEDSYSSELECTH)
+AC_SUBST(LWRES_PLATFORM_NEEDSYSSELECTH)
+
+#
+# Find the machine's endian flavor.
+#
+AC_C_BIGENDIAN
+
+#
+# was --with-openssl specified?
+#
+AC_MSG_CHECKING(for OpenSSL library)
+AC_ARG_WITH(openssl,
+[ --with-openssl[=PATH] Build with OpenSSL [yes|no|path].
+ (Required for DNSSEC)],
+ use_openssl="$withval", use_openssl="auto")
+
+case "$use_openssl" in
+ no)
+ AC_MSG_RESULT(no)
+ DST_OPENSSL_INC=""
+ USE_OPENSSL=""
+ ;;
+ *)
+ if test "$use_openssl" = "yes" -o "$use_openssl" = "auto"
+ then
+ # User did not specify a path - guess it
+ openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg"
+ for d in $openssldirs
+ do
+ if test -f $d/include/openssl/opensslv.h
+ then
+ use_openssl=$d
+ break
+ fi
+ done
+ if test "$use_openssl" = "yes"
+ then
+ AC_MSG_RESULT(not found)
+ AC_MSG_ERROR(
+[OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
+ elif test "$use_openssl" = "auto"
+ then
+ DST_OPENSSL_INC=""
+ USE_OPENSSL=""
+ AC_MSG_RESULT(not found)
+ break
+ fi
+ fi
+ USE_OPENSSL='-DOPENSSL'
+ if test "$use_openssl" = "/usr"
+ then
+ DST_OPENSSL_INC=""
+ DNS_OPENSSL_LIBS="-lcrypto"
+ else
+ DST_OPENSSL_INC="-I$use_openssl/include"
+ case $host in
+ *-solaris*)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -R$use_openssl/lib -lcrypto"
+ ;;
+ *)
+ DNS_OPENSSL_LIBS="-L$use_openssl/lib -lcrypto"
+ ;;
+ esac
+ fi
+ AC_MSG_RESULT(using openssl from $use_openssl/lib and $use_openssl/include)
+
+ saved_cflags="$CFLAGS"
+ saved_libs="$LIBS"
+ CFLAGS="$CFLAGS $DST_OPENSSL_INC"
+ LIBS="$LIBS $DNS_OPENSSL_LIBS"
+ AC_MSG_CHECKING(whether linking with OpenSSL works)
+ AC_TRY_RUN([
+#include <openssl/err.h>
+int main() {
+ ERR_clear_error();
+ return (0);
+}
+],
+ [AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(no)
+ AC_MSG_ERROR(Could not run test program using OpenSSL from
+$use_openssl/lib and $use_openssl/include.
+Please check the argument to --with-openssl and your
+shared library configuration (e.g., LD_LIBRARY_PATH).)],
+ [AC_MSG_RESULT(assuming it does work on target platform)])
+
+ AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
+ AC_TRY_LINK([
+#include <openssl/err.h>],
+[ DSO_METHOD_dlfcn(); ],
+ [AC_MSG_RESULT(no)],
+ [LIBS="$LIBS -ldl"
+ AC_TRY_LINK([
+#include <openssl/err.h>
+],[ DSO_METHOD_dlfcn(); ],
+ [AC_MSG_RESULT(yes)
+ DNS_OPENSSL_LIBS="$DNS_OPENSSL_LIBS -ldl"
+ ],
+ [AC_MSG_RESULT(unknown)
+ AC_MSG_ERROR(OpenSSL has unsupported dynamic loading)],
+ [AC_MSG_RESULT(assuming it does work on target platform)])
+ ],
+ [AC_MSG_RESULT(assuming it does work on target platform)]
+ )
+
+#
+# OpenSSLDie is new with CERT CS-2002-23. If we see it we have may
+# have a patched library otherwise check that we are greater than
+# the fixed versions
+#
+ AC_CHECK_FUNC(OpenSSLDie,
+ AC_MSG_CHECKING(OpenSSL library version)
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+ if (OPENSSL_VERSION_NUMBER >= 0x0090581fL)
+ return (0);
+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
+ OPENSSL_VERSION_NUMBER);
+ printf("Require OPENSSL_VERSION_NUMBER 0x0090581f or greater\n\n");
+ return (1);
+}
+],
+ [AC_MSG_RESULT(ok)],
+ [AC_MSG_RESULT(not compatible)
+ AC_MSG_ERROR(you need OpenSSL 0.9.5a or newer)],
+ [AC_MSG_RESULT(assuming target platform has compatible version)])
+ ,
+ AC_MSG_RESULT(did not find fixes for CERT CA-2002-23)
+ AC_MSG_CHECKING(OpenSSL library version)
+ AC_TRY_RUN([
+#include <stdio.h>
+#include <openssl/opensslv.h>
+int main() {
+ if ((OPENSSL_VERSION_NUMBER >= 0x0090605fL &&
+ OPENSSL_VERSION_NUMBER < 0x009070000L) ||
+ OPENSSL_VERSION_NUMBER >= 0x00907003L)
+ return (0);
+ printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
+ OPENSSL_VERSION_NUMBER);
+ printf("Require OPENSSL_VERSION_NUMBER 0x0090605f or greater (0.9.6e)\n"
+ "Require OPENSSL_VERSION_NUMBER 0x00907003 or greater (0.9.7-beta2)\n\n");
+ return (1);
+}
+],
+ [AC_MSG_RESULT(ok)],
+ [AC_MSG_RESULT(not compatible)
+ AC_MSG_ERROR(you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23)],
+ [AC_MSG_RESULT(assuming target platform has compatible version)]))
+ AC_MSG_CHECKING(for OpenSSL DSA support)
+ if test -f $use_openssl/include/openssl/dsa.h
+ then
+ AC_DEFINE(HAVE_OPENSSL_DSA)
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+ fi
+ CFLAGS="$saved_cflags"
+ LIBS="$saved_libs"
+ ;;
+esac
+
+#
+# This would include the system openssl path (and linker options to use
+# it as needed) if it is found.
+#
+
+AC_SUBST(USE_OPENSSL)
+AC_SUBST(DST_OPENSSL_INC)
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
+
+#
+# was --with-gssapi specified?
+#
+#AC_MSG_CHECKING(for GSSAPI library)
+#AC_ARG_WITH(gssapi,
+#[ --with-gssapi=PATH Specify path for system-supplied GSSAPI],
+# use_gssapi="$withval", use_gssapi="no")
+#
+#case "$use_gssapi" in
+# no)
+# USE_GSSAPI=''
+# DST_GSSAPI_INC=''
+# DNS_GSSAPI_LIBS=''
+# AC_MSG_RESULT(not specified)
+# ;;
+# yes)
+# AC_MSG_ERROR([--with-gssapi must specify a path])
+# ;;
+# *)
+# USE_GSSAPI='-DGSSAPI'
+# DST_GSSAPI_INC="-I$use_gssapi/include"
+# DNS_GSSAPI_LIBS="-L$use_gssapi/lib -lgssapi_krb5"
+# AC_MSG_RESULT(using gssapi from $use_gssapi/lib and $use_gssapi/include)
+# ;;
+#esac
+
+USE_GSSAPI=''
+DST_GSSAPI_INC=''
+DNS_GSSAPI_LIBS=''
+
+AC_SUBST(USE_GSSAPI)
+AC_SUBST(DST_GSSAPI_INC)
+DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+
+#
+# Applications linking with libdns also need to link with these libraries.
+#
+
+AC_SUBST(DNS_CRYPTO_LIBS)
+
+#
+# was --with-randomdev specified?
+#
+AC_MSG_CHECKING(for random device)
+AC_ARG_WITH(randomdev,
+[ --with-randomdev=PATH Specify path for random device],
+ use_randomdev="$withval", use_randomdev="unspec")
+
+case "$use_randomdev" in
+ unspec)
+ case "$host" in
+ *-openbsd*)
+ devrandom=/dev/arandom
+ ;;
+ *)
+ devrandom=/dev/random
+ ;;
+ esac
+ AC_MSG_RESULT($devrandom)
+ AC_CHECK_FILE($devrandom,
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
+ "$devrandom"),)
+ ;;
+ yes)
+ AC_MSG_ERROR([--with-randomdev must specify a path])
+ ;;
+ no)
+ AC_MSG_RESULT(disabled)
+ ;;
+ *)
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
+ AC_MSG_RESULT(using "$use_randomdev")
+ ;;
+esac
+
+#
+# Do we have arc4random() ?
+#
+AC_CHECK_FUNC(arc4random, AC_DEFINE(HAVE_ARC4RANDOM))
+
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+# Enable multithreading by default on systems where it is known
+# to work well, and where debugging of multithreaded programs
+# is supported.
+#
+
+AC_MSG_CHECKING(whether to build with thread support)
+
+case $host in
+*-dec-osf*)
+ use_threads=true ;;
+[*-solaris2.[0-6]])
+ # Thread signals are broken on Solaris 2.6; they are sometimes
+ # delivered to the wrong thread.
+ use_threads=false ;;
+*-solaris*)
+ use_threads=true ;;
+*-ibm-aix*)
+ use_threads=true ;;
+*-hp-hpux10*)
+ use_threads=false ;;
+*-hp-hpux11*)
+ use_threads=true ;;
+*-sgi-irix*)
+ use_threads=true ;;
+*-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ # UnixWare
+ use_threads=false ;;
+*-*-sysv*OpenUNIX*)
+ # UnixWare
+ use_threads=true ;;
+*-netbsd*)
+ if test -r /usr/lib/libpthread.so ; then
+ use_threads=true
+ else
+ # Socket I/O optimizations introduced in 9.2 expose a
+ # bug in unproven-pthreads; see PR #12650
+ use_threads=false
+ fi
+ ;;
+*-openbsd*)
+ # OpenBSD users have reported that named dumps core on
+ # startup when built with threads.
+ use_threads=false ;;
+*-freebsd*)
+ use_threads=false ;;
+*-bsdi[234]*)
+ # Thread signals do not work reliably on some versions of BSD/OS.
+ use_threads=false ;;
+*-bsdi5*)
+ use_threads=true ;;
+*-linux*)
+ # Threads are disabled on Linux by default because most
+ # Linux kernels produce unusable core dumps from multithreaded
+ # programs, and because of limitations in setuid().
+ use_threads=false ;;
+*)
+ use_threads=false ;;
+esac
+
+AC_ARG_ENABLE(threads,
+ [ --enable-threads enable multithreading])
+case "$enable_threads" in
+ yes)
+ use_threads=true
+ ;;
+ no)
+ use_threads=false
+ ;;
+ '')
+ # Use system-dependent default
+ ;;
+ *)
+ AC_MSG_ERROR([--enable-threads takes yes or no])
+ ;;
+esac
+
+if $use_threads
+then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
+if $use_threads
+then
+ #
+ # Search for / configure pthreads in a system-dependent fashion.
+ #
+ case "$host" in
+ *-netbsd*)
+ # NetBSD has multiple pthreads implementations. The
+ # recommended one to use is "unproven-pthreads". The
+ # older "mit-pthreads" may also work on some NetBSD
+ # versions. The PTL2 thread library does not
+ # currently work with bind9, but can be chosen with
+ # the --with-ptl2 option for those who wish to
+ # experiment with it.
+ CC="gcc"
+ AC_MSG_CHECKING(which NetBSD thread library to use)
+
+ AC_ARG_WITH(ptl2,
+[ --with-ptl2 on NetBSD, use the ptl2 thread library (experimental)],
+ use_ptl2="$withval", use_ptl2="no")
+
+ : ${LOCALBASE:=/usr/pkg}
+
+ if test "X$use_ptl2" = "Xyes"
+ then
+ AC_MSG_RESULT(PTL2)
+ AC_MSG_WARN(
+[linking with PTL2 is highly experimental and not expected to work])
+ CC=ptlgcc
+ else
+ if test -r /usr/lib/libpthread.so
+ then
+ AC_MSG_RESULT(native)
+ LIBS="-lpthread $LIBS"
+ else
+ if test ! -d $LOCALBASE/pthreads
+ then
+ AC_MSG_RESULT(none)
+ AC_MSG_ERROR("could not find thread libraries")
+ fi
+
+ if $use_threads
+ then
+ AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
+ pkg="$LOCALBASE/pthreads"
+ lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+ lib2="-lpthread -lm -lgcc -lpthread"
+ LIBS="$lib1 $lib2 $LIBS"
+ CPPFLAGS="$CPPFLAGS -I$pkg/include"
+ STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+ fi
+ fi
+ fi
+ ;;
+ *)
+ AC_CHECK_LIB(pthread, pthread_create,,
+ AC_CHECK_LIB(pthread, __pthread_create,,
+ AC_CHECK_LIB(pthread, __pthread_create_system,,
+ AC_CHECK_LIB(c_r, pthread_create,,
+ AC_CHECK_LIB(c, pthread_create,,
+ AC_MSG_ERROR("could not find thread libraries"))))))
+ ;;
+ esac
+fi
+
+if $use_threads
+then
+ #
+ # We'd like to use sigwait() too
+ #
+ AC_CHECK_LIB(c, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, _Psigwait,
+ AC_DEFINE(HAVE_SIGWAIT),))
+ )
+
+ AC_CHECK_FUNC(pthread_attr_getstacksize,
+ AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
+
+ AC_CHECK_FUNC(pthread_attr_setstacksize,
+ AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
+
+ #
+ # Additional OS-specific issues related to pthreads and sigwait.
+ #
+ case "$host" in
+ #
+ # One more place to look for sigwait.
+ #
+ *-freebsd*)
+ AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
+ ;;
+ #
+ # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+ # called before certain pthreads calls. This is deprecated
+ # in BSD/OS 4.1.
+ #
+ *-bsdi3.*|*-bsdi4.0*)
+ AC_DEFINE(NEED_PTHREAD_INIT)
+ ;;
+ #
+ # LinuxThreads requires some changes to the way we
+ # deal with signals.
+ #
+ *-linux*)
+ AC_DEFINE(HAVE_LINUXTHREADS)
+ ;;
+ #
+ # Ensure the right sigwait() semantics on Solaris and make
+ # sure we call pthread_setconcurrency.
+ #
+ *-solaris*)
+ AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
+ AC_CHECK_FUNC(pthread_setconcurrency,
+ AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
+ ;;
+ #
+ # UnixWare does things its own way.
+ #
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+ AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
+ ;;
+ esac
+
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+
+ if test "X$GCC" = "Xyes"; then
+ case "$host" in
+ *-freebsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-openbsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ LIBS="$LIBS -lthread"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ esac
+ else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ CC="$CC -mt"
+ CCOPT="$CCOPT -mt"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*)
+ CC="$CC -Kthread"
+ CCOPT="$CCOPT -Kthread"
+ ;;
+ *-*-sysv*OpenUNIX*)
+ CC="$CC -Kpthread"
+ CCOPT="$CCOPT -Kpthread"
+ ;;
+ esac
+ fi
+ ALWAYS_DEFINES="-D_REENTRANT"
+ ISC_PLATFORM_USETHREADS="#define ISC_PLATFORM_USETHREADS 1"
+ thread_dir=pthreads
+else
+ ISC_PLATFORM_USETHREADS="#undef ISC_PLATFORM_USETHREADS"
+ thread_dir=nothreads
+ ALWAYS_DEFINES=""
+fi
+
+AC_SUBST(ALWAYS_DEFINES)
+AC_SUBST(ISC_PLATFORM_USETHREADS)
+
+ISC_THREAD_DIR=$thread_dir
+AC_SUBST(ISC_THREAD_DIR)
+
+#
+# In solaris 10, SMF can manage named service
+#
+AC_CHECK_LIB(scf, smf_enable_instance)
+
+#
+# flockfile is usually provided by pthreads, but we may want to use it
+# even if compiled with --disable-threads. getc_unlocked might also not
+# be defined.
+#
+AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
+AC_CHECK_FUNC(getc_unlocked, AC_DEFINE(HAVE_GETCUNLOCKED),)
+
+#
+# Indicate what the final decision was regarding threads.
+#
+AC_MSG_CHECKING(whether to build with threads)
+if $use_threads; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
+#
+# End of pthreads stuff.
+#
+
+#
+# Large File
+#
+AC_ARG_ENABLE(largefile, [ --enable-largefile 64-bit file support],
+ want_largefile="yes", want_largefile="no")
+case $want_largefile in
+ yes)
+ ALWAYS_DEFINES="$ALWAYS_DEFINES -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64"
+ ;;
+ *)
+ ;;
+esac
+
+#
+# Additional compiler settings.
+#
+MKDEPCC="$CC"
+MKDEPCFLAGS="-M"
+IRIX_DNSSEC_WARNINGS_HACK=""
+
+if test "X$GCC" = "Xyes"; then
+ STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat"
+else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -std"
+ CCOPT="$CCOPT -std"
+ MKDEPCC="$CC"
+ ;;
+ *-hp-hpux*)
+ CC="$CC -Ae -z"
+ # The version of the C compiler that constantly warns about
+ # 'const' as well as alignment issues is unfortunately not
+ # able to be discerned via the version of the operating
+ # system, nor does cc have a version flag.
+ case "`$CC +W 123 2>&1`" in
+ *Unknown?option*)
+ STD_CWARNINGS="+w1"
+ ;;
+ *)
+ # Turn off the pointlessly noisy warnings.
+ STD_CWARNINGS="+w1 +W 474,530"
+ ;;
+ esac
+ CCOPT="$CCOPT -Ae -z"
+ LIBS="-Wl,+vnocompatwarnings $LIBS"
+ MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
+ ;;
+ *-sgi-irix*)
+ STD_CWARNINGS="-fullwarn -woff 1209"
+ #
+ # Silence more than 250 instances of
+ # "prototyped function redeclared without prototype"
+ # and 11 instances of
+ # "variable ... was set but never used"
+ # from lib/dns/sec/openssl.
+ #
+ IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
+ ;;
+ *-solaris*)
+ MKDEPCFLAGS="-xM"
+ ;;
+ *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+ # UnixWare
+ CC="$CC -w"
+ ;;
+ esac
+fi
+
+AC_SUBST(MKDEPCC)
+AC_SUBST(MKDEPCFLAGS)
+AC_SUBST(MKDEPPROG)
+AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK)
+
+#
+# NLS
+#
+AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
+
+#
+# -lxnet buys us one big porting headache... standards, gotta love 'em.
+#
+# AC_CHECK_LIB(xnet, socket, ,
+# AC_CHECK_LIB(socket, socket)
+# AC_CHECK_LIB(nsl, inet_ntoa)
+# )
+#
+# Use this for now, instead:
+#
+case "$host" in
+ mips-sgi-irix*)
+ ;;
+ *)
+ AC_CHECK_LIB(socket, socket)
+ AC_CHECK_LIB(nsl, inet_ntoa)
+ ;;
+esac
+
+#
+# Purify support
+#
+AC_MSG_CHECKING(whether to use purify)
+AC_ARG_WITH(purify,
+ [ --with-purify[=PATH] use Rational purify],
+ use_purify="$withval", use_purify="no")
+
+case "$use_purify" in
+ no)
+ ;;
+ yes)
+ AC_PATH_PROG(purify_path, purify, purify)
+ ;;
+ *)
+ purify_path="$use_purify"
+ ;;
+esac
+
+case "$use_purify" in
+ no)
+ AC_MSG_RESULT(no)
+ PURIFY=""
+ ;;
+ *)
+ if test -f $purify_path || test $purify_path = purify; then
+ AC_MSG_RESULT($purify_path)
+ PURIFYFLAGS="`echo $PURIFYOPTIONS`"
+ PURIFY="$purify_path $PURIFYFLAGS"
+ else
+ AC_MSG_ERROR([$purify_path not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-purify=PATH
+])
+ fi
+ ;;
+esac
+
+AC_SUBST(PURIFY)
+
+#
+# GNU libtool support
+#
+AC_ARG_WITH(libtool,
+ [ --with-libtool use GNU libtool (following indented options supported)],
+ use_libtool="$withval", use_libtool="no")
+
+case $use_libtool in
+ yes)
+ AM_PROG_LIBTOOL
+ O=lo
+ A=la
+ LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+ LIBTOOL_MODE_COMPILE='--mode=compile'
+ LIBTOOL_MODE_INSTALL='--mode=install'
+ LIBTOOL_MODE_LINK='--mode=link'
+ ;;
+ *)
+ O=o
+ A=a
+ LIBTOOL=
+ AC_SUBST(LIBTOOL)
+ LIBTOOL_MKDEP_SED=
+ LIBTOOL_MODE_COMPILE=
+ LIBTOOL_MODE_INSTALL=
+ LIBTOOL_MODE_LINK=
+ ;;
+esac
+
+#
+# File name extension for static archive files, for those few places
+# where they are treated differently from dynamic ones.
+#
+SA=a
+
+AC_SUBST(O)
+AC_SUBST(A)
+AC_SUBST(SA)
+AC_SUBST(LIBTOOL_MKDEP_SED)
+AC_SUBST(LIBTOOL_MODE_COMPILE)
+AC_SUBST(LIBTOOL_MODE_INSTALL)
+AC_SUBST(LIBTOOL_MODE_LINK)
+
+#
+# build libbind?
+#
+AC_ARG_ENABLE(libbind,
+ [ --enable-libbind build libbind [default=no]])
+
+case "$enable_libbind" in
+ yes)
+ LIBBIND=lib/bind
+ AC_SUBST(LIBBIND)
+ ;;
+ no|'')
+ ;;
+esac
+
+#
+# Here begins a very long section to determine the system's networking
+# capabilities. The order of the tests is signficant.
+#
+
+#
+# IPv6
+#
+AC_ARG_ENABLE(ipv6,
+ [ --enable-ipv6 use IPv6 [default=autodetect]])
+
+case "$enable_ipv6" in
+ yes|''|autodetect)
+ AC_DEFINE(WANT_IPV6)
+ ;;
+ no)
+ ;;
+esac
+
+#
+# We do the IPv6 compilation checking after libtool so that we can put
+# the right suffix on the files.
+#
+AC_MSG_CHECKING(for IPv6 structures)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>],
+[struct sockaddr_in6 sin6; return (0);],
+ [AC_MSG_RESULT(yes)
+ found_ipv6=yes],
+ [AC_MSG_RESULT(no)
+ found_ipv6=no])
+
+#
+# See whether IPv6 support is provided via a Kame add-on.
+# This is done before other IPv6 linking tests to LIBS is properly set.
+#
+AC_MSG_CHECKING(for Kame IPv6 support)
+AC_ARG_WITH(kame,
+ [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]],
+ use_kame="$withval", use_kame="no")
+
+case "$use_kame" in
+ no)
+ ;;
+ yes)
+ kame_path=/usr/local/v6
+ ;;
+ *)
+ kame_path="$use_kame"
+ ;;
+esac
+
+case "$use_kame" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ if test -f $kame_path/lib/libinet6.a; then
+ AC_MSG_RESULT($kame_path/lib/libinet6.a)
+ LIBS="-L$kame_path/lib -linet6 $LIBS"
+ else
+ AC_MSG_ERROR([$kame_path/lib/libinet6.a not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-kame=PATH
+])
+ fi
+ ;;
+esac
+
+#
+# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
+# Including it on Kame-using platforms is very bad, though, because
+# Kame uses #error against direct inclusion. So include it on only
+# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
+# This is done before the in6_pktinfo check because that's what
+# netinet6/in6.h is needed for.
+#
+changequote({, })
+case "$host" in
+*-bsdi4.[01]*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
+ LWRES_PLATFORM_NEEDNETINET6IN6H="#define LWRES_PLATFORM_NEEDNETINET6IN6H 1"
+ isc_netinet6in6_hack="#include <netinet6/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
+ LWRES_PLATFORM_NEEDNETINET6IN6H="#undef LWRES_PLATFORM_NEEDNETINET6IN6H"
+ isc_netinet6in6_hack=""
+ ;;
+esac
+changequote([, ])
+
+#
+# This is similar to the netinet6/in6.h issue.
+#
+case "$host" in
+*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
+ # UnixWare
+ ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
+ LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
+ ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+ isc_netinetin6_hack="#include <netinet/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
+ LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
+ ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+ isc_netinetin6_hack=""
+ ;;
+esac
+
+#
+# Now delve deeper into the suitability of the IPv6 support.
+#
+case "$found_ipv6" in
+ yes)
+ ISC_PLATFORM_HAVEIPV6="#define ISC_PLATFORM_HAVEIPV6 1"
+ LWRES_PLATFORM_HAVEIPV6="#define LWRES_PLATFORM_HAVEIPV6 1"
+
+ AC_MSG_CHECKING(for in6_addr)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+[struct in6_addr in6; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVEINADDR6="#undef ISC_PLATFORM_HAVEINADDR6"
+ LWRES_PLATFORM_HAVEINADDR6="#undef LWRES_PLATFORM_HAVEINADDR6"
+ isc_in_addr6_hack=""],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVEINADDR6="#define ISC_PLATFORM_HAVEINADDR6 1"
+ LWRES_PLATFORM_HAVEINADDR6="#define LWRES_PLATFORM_HAVEINADDR6 1"
+ isc_in_addr6_hack="#define in6_addr in_addr6"])
+
+ AC_MSG_CHECKING(for in6addr_any)
+ AC_TRY_LINK([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+$isc_in_addr6_hack
+],
+ [struct in6_addr in6; in6 = in6addr_any; return (in6.s6_addr[0]);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
+ LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_NEEDIN6ADDRANY="#define ISC_PLATFORM_NEEDIN6ADDRANY 1"
+ LWRES_PLATFORM_NEEDIN6ADDRANY="#define LWRES_PLATFORM_NEEDIN6ADDRANY 1"])
+
+ AC_MSG_CHECKING(for in6addr_loopback)
+ AC_TRY_LINK([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+$isc_in_addr6_hack
+],
+ [struct in6_addr in6; in6 = in6addr_loopback; return (in6.s6_addr[0]);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef ISC_PLATFORM_NEEDIN6ADDRLOOPBACK"
+ LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#undef LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_NEEDIN6ADDRLOOPBACK="#define ISC_PLATFORM_NEEDIN6ADDRLOOPBACK 1"
+ LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK="#define LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK 1"])
+
+ AC_MSG_CHECKING(for sin6_scope_id in struct sockaddr_in6)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+ [struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
+ result="#define LWRES_HAVE_SIN6_SCOPE_ID 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVESCOPEID="#undef ISC_PLATFORM_HAVESCOPEID"
+ result="#undef LWRES_HAVE_SIN6_SCOPE_ID"])
+ LWRES_HAVE_SIN6_SCOPE_ID="$result"
+
+ AC_MSG_CHECKING(for in6_pktinfo)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+ [struct in6_pktinfo xyzzy; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
+ [AC_MSG_RESULT(no -- disabling runtime ipv6 support)
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
+ ;;
+ no)
+ ISC_PLATFORM_HAVEIPV6="#undef ISC_PLATFORM_HAVEIPV6"
+ LWRES_PLATFORM_HAVEIPV6="#undef LWRES_PLATFORM_HAVEIPV6"
+ ISC_PLATFORM_NEEDIN6ADDRANY="#undef ISC_PLATFORM_NEEDIN6ADDRANY"
+ LWRES_PLATFORM_NEEDIN6ADDRANY="#undef LWRES_PLATFORM_NEEDIN6ADDRANY"
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+ LWRES_HAVE_SIN6_SCOPE_ID="#define LWRES_HAVE_SIN6_SCOPE_ID 1"
+ ISC_PLATFORM_HAVESCOPEID="#define ISC_PLATFORM_HAVESCOPEID 1"
+ ISC_IPV6_H="ipv6.h"
+ ISC_IPV6_O="ipv6.$O"
+ ISC_ISCIPV6_O="unix/ipv6.$O"
+ ISC_IPV6_C="ipv6.c"
+ ;;
+esac
+
+AC_SUBST(ISC_PLATFORM_HAVEIPV6)
+AC_SUBST(LWRES_PLATFORM_HAVEIPV6)
+AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
+AC_SUBST(LWRES_PLATFORM_NEEDNETINETIN6H)
+AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
+AC_SUBST(LWRES_PLATFORM_NEEDNETINET6IN6H)
+AC_SUBST(ISC_PLATFORM_HAVEINADDR6)
+AC_SUBST(LWRES_PLATFORM_HAVEINADDR6)
+AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRANY)
+AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRANY)
+AC_SUBST(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
+AC_SUBST(LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK)
+AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
+AC_SUBST(ISC_PLATFORM_FIXIN6ISADDR)
+AC_SUBST(ISC_IPV6_H)
+AC_SUBST(ISC_IPV6_O)
+AC_SUBST(ISC_ISCIPV6_O)
+AC_SUBST(ISC_IPV6_C)
+AC_SUBST(LWRES_HAVE_SIN6_SCOPE_ID)
+AC_SUBST(ISC_PLATFORM_HAVESCOPEID)
+
+AC_MSG_CHECKING([for struct if_laddrreq])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <net/if6.h>
+],[ struct if_laddrreq a; ],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVEIF_LADDRREQ="#define ISC_PLATFORM_HAVEIF_LADDRREQ 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVEIF_LADDRREQ="#undef ISC_PLATFORM_HAVEIF_LADDRREQ"])
+AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRREQ)
+
+AC_MSG_CHECKING([for struct if_laddrconf])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <net/if6.h>
+],[ struct if_laddrconf a; ],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVEIF_LADDRCONF="#define ISC_PLATFORM_HAVEIF_LADDRCONF 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVEIF_LADDRCONF="#undef ISC_PLATFORM_HAVEIF_LADDRCONF"])
+AC_SUBST(ISC_PLATFORM_HAVEIF_LADDRCONF)
+
+#
+# Check for network functions that are often missing. We do this
+# after the libtool checking, so we can put the right suffix on
+# the files. It also needs to come after checking for a Kame add-on,
+# which provides some (all?) of the desired functions.
+#
+
+AC_MSG_CHECKING([for inet_ntop with IPv6 support])
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+main() {
+char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
+
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
+
+
+# On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
+# addresses with less than four octets, like "1.2.3". Also leading
+# zeros should also be rejected.
+
+AC_MSG_CHECKING([for working inet_pton with IPv6 support])
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
+ inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 :
+ (inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
+ [AC_MSG_RESULT(assuming target platform has working inet_pton)
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
+
+AC_MSG_CHECKING([for inet_aton])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+ [struct in_addr in; inet_aton(0, &in); return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
+
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+ ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
+
+AC_SUBST(ISC_PLATFORM_NEEDNTOP)
+AC_SUBST(ISC_PLATFORM_NEEDPTON)
+AC_SUBST(ISC_PLATFORM_NEEDATON)
+
+#
+# Look for a 4.4BSD-style sa_len member in struct sockaddr.
+#
+case "$host" in
+ *-dec-osf*)
+ # Turn on 4.4BSD style sa_len support.
+ AC_DEFINE(_SOCKADDR_LEN)
+ ;;
+esac
+
+AC_MSG_CHECKING(for sa_len in struct sockaddr)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>],
+[struct sockaddr sa; sa.sa_len = 0; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVESALEN="#define ISC_PLATFORM_HAVESALEN 1"
+ LWRES_PLATFORM_HAVESALEN="#define LWRES_PLATFORM_HAVESALEN 1"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_HAVESALEN="#undef ISC_PLATFORM_HAVESALEN"
+ LWRES_PLATFORM_HAVESALEN="#undef LWRES_PLATFORM_HAVESALEN"])
+AC_SUBST(ISC_PLATFORM_HAVESALEN)
+AC_SUBST(LWRES_PLATFORM_HAVESALEN)
+
+#
+# Look for a 4.4BSD or 4.3BSD struct msghdr
+#
+AC_MSG_CHECKING(for struct msghdr flavor)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>],
+[struct msghdr msg; msg.msg_flags = 0; return (0);],
+ [AC_MSG_RESULT(4.4BSD)
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"],
+ [AC_MSG_RESULT(4.3BSD)
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"])
+AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR)
+
+#
+# Look for in_port_t.
+#
+AC_MSG_CHECKING(for type in_port_t)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <netinet/in.h>],
+[in_port_t port = 25; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
+AC_SUBST(ISC_PLATFORM_NEEDPORTT)
+
+#
+# Check for addrinfo
+#
+AC_MSG_CHECKING(for struct addrinfo)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[struct addrinfo a; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_NEEDADDRINFO="#undef ISC_LWRES_NEEDADDRINFO"
+ AC_DEFINE(HAVE_ADDRINFO)],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_NEEDADDRINFO="#define ISC_LWRES_NEEDADDRINFO 1"])
+AC_SUBST(ISC_LWRES_NEEDADDRINFO)
+
+#
+# Check for rrsetinfo
+#
+AC_MSG_CHECKING(for struct rrsetinfo)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[struct rrsetinfo r; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_NEEDRRSETINFO="#undef ISC_LWRES_NEEDRRSETINFO"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_NEEDRRSETINFO="#define ISC_LWRES_NEEDRRSETINFO 1"])
+AC_SUBST(ISC_LWRES_NEEDRRSETINFO)
+
+AC_MSG_CHECKING(for int sethostent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = sethostent(0); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_SETHOSTENTINT="#define ISC_LWRES_SETHOSTENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_SETHOSTENTINT="#undef ISC_LWRES_SETHOSTENTINT"])
+AC_SUBST(ISC_LWRES_SETHOSTENTINT)
+
+AC_MSG_CHECKING(for int endhostent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = endhostent(); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"])
+AC_SUBST(ISC_LWRES_ENDHOSTENTINT)
+
+AC_MSG_CHECKING(for getnetbyaddr(in_addr_t, ...))
+AC_TRY_COMPILE([
+#include <netdb.h>
+struct netent *getnetbyaddr(in_addr_t, int);],
+[],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_GETNETBYADDRINADDR="#define ISC_LWRES_GETNETBYADDRINADDR 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_GETNETBYADDRINADDR="#undef ISC_LWRES_GETNETBYADDRINADDR"])
+AC_SUBST(ISC_LWRES_GETNETBYADDRINADDR)
+
+AC_MSG_CHECKING(for int setnetent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = setnetent(0); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"])
+AC_SUBST(ISC_LWRES_SETNETENTINT)
+
+AC_MSG_CHECKING(for int endnetent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = endnetent(); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"])
+AC_SUBST(ISC_LWRES_ENDNETENTINT)
+
+AC_MSG_CHECKING(for gethostbyaddr(const void *, size_t, ...))
+AC_TRY_COMPILE([
+#include <netdb.h>
+struct hostent *gethostbyaddr(const void *, size_t, int);],
+[return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"])
+AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID)
+
+AC_MSG_CHECKING(for h_errno in netdb.h)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[h_errno = 1; return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
+AC_SUBST(ISC_LWRES_NEEDHERRNO)
+
+AC_CHECK_FUNC(getipnodebyname,
+ [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
+ [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
+AC_CHECK_FUNC(getnameinfo,
+ [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
+ [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
+AC_CHECK_FUNC(getaddrinfo,
+ [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
+ AC_DEFINE(HAVE_GETADDRINFO)],
+ [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
+AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
+AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
+AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
+AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
+
+AC_ARG_ENABLE(getifaddrs,
+[ --enable-getifaddrs Enable the use of getifaddrs() [[yes|no|glibc]].
+ glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
+ want_getifaddrs="$enableval", want_getifaddrs="yes")
+
+case $want_getifaddrs in
+yes|glibc)
+#
+# Do we have getifaddrs() ?
+#
+case $host in
+*-linux*)
+ # Some recent versions of glibc support getifaddrs() which does not
+ # provide AF_INET6 addresses while the function provided by the USAGI
+ # project handles the AF_INET6 case correctly. We need to avoid
+ # using the former but prefer the latter unless overridden by
+ # --enable-getifaddrs=glibc.
+ if test $use_getifaddrs = glibc
+ then
+ AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
+ else
+ save_LIBS="$LIBS"
+ LIBS="-L/usr/local/v6/lib $LIBS"
+ AC_CHECK_LIB(inet6, getifaddrs,
+ LIBS="$LIBS -linet6"
+ AC_DEFINE(HAVE_GETIFADDRS),
+ LIBS=${save_LIBS})
+ fi
+ ;;
+*)
+ AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
+ ;;
+esac
+;;
+no)
+;;
+esac
+
+#
+# Look for a sysctl call to get the list of network interfaces.
+#
+case $ac_cv_header_sys_sysctl_h in
+yes)
+AC_MSG_CHECKING(for interface list sysctl)
+AC_EGREP_CPP(found_rt_iflist, [
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/socket.h>
+#ifdef NET_RT_IFLIST
+found_rt_iflist
+#endif
+],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_IFLIST_SYSCTL)],
+ [AC_MSG_RESULT(no)])
+;;
+esac
+
+#
+# Check for some other useful functions that are not ever-present.
+#
+
+# We test for strsep() using AC_TRY_LINK instead of AC_CHECK_FUNC
+# because AIX 4.3.3 with patches for bos.adt.include to version 4.3.3.77
+# reportedly defines strsep() without declaring it in <string.h> when
+# -D_LINUX_SOURCE_COMPAT is not defined [RT #2190], and
+# AC_CHECK_FUNC() incorrectly succeeds because it declares
+# the function itself.
+AC_MSG_CHECKING(for correctly declared strsep())
+AC_TRY_LINK([#include <string.h>], [char *sp; char *foo = strsep(&sp, ".");],
+ [AC_MSG_RESULT(yes); ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
+ [AC_MSG_RESULT(no); ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
+
+AC_CHECK_FUNC(memmove,
+ [ISC_PLATFORM_NEEDMEMMOVE="#undef ISC_PLATFORM_NEEDMEMMOVE"],
+ [ISC_PLATFORM_NEEDMEMMOVE="#define ISC_PLATFORM_NEEDMEMMOVE 1"])
+AC_SUBST(ISC_PLATFORM_NEEDMEMMOVE)
+
+AC_CHECK_FUNC(strtoul,
+ [ISC_PLATFORM_NEEDSTRTOUL="#undef ISC_PLATFORM_NEEDSTRTOUL"],
+ [ISC_PLATFORM_NEEDSTRTOUL="#define ISC_PLATFORM_NEEDSTRTOUL 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRTOUL)
+
+AC_CHECK_FUNC(strlcpy,
+ [ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"],
+ [ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRLCPY)
+
+AC_CHECK_FUNC(strlcat,
+ [ISC_PLATFORM_NEEDSTRLCAT="#undef ISC_PLATFORM_NEEDSTRLCAT"],
+ [ISC_PLATFORM_NEEDSTRLCAT="#define ISC_PLATFORM_NEEDSTRLCAT 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRLCAT)
+
+ISC_PRINT_OBJS=
+ISC_PRINT_SRCS=
+AC_MSG_CHECKING(sprintf)
+AC_TRY_COMPILE([
+#include <stdio.h>
+],
+[ char buf[2]; return(*sprintf(buf,"x"));],
+[
+ISC_PRINT_OBJS="print.$O"
+ISC_PRINT_SRCS="print.c"
+ISC_PLATFORM_NEEDSPRINTF="#define ISC_PLATFORM_NEEDSPRINTF"
+LWRES_PLATFORM_NEEDSPRINTF="#define LWRES_PLATFORM_NEEDSPRINTF"
+],
+[ISC_PLATFORM_NEEDSPRINTF="#undef ISC_PLATFORM_NEEDSPRINTF"
+ LWRES_PLATFORM_NEEDSPRINTF="#undef LWRES_PLATFORM_NEEDSPRINTF"]
+)
+AC_SUBST(ISC_PLATFORM_NEEDSPRINTF)
+AC_SUBST(LWRES_PLATFORM_NEEDSPRINTF)
+
+AC_CHECK_FUNC(vsnprintf,
+ [ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
+ LWRES_PLATFORM_NEEDVSNPRINTF="#undef LWRES_PLATFORM_NEEDVSNPRINTF"],
+ [ISC_PRINT_OBJS="print.$O"
+ ISC_PRINT_SRCS="print.c"
+ ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
+ LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"])
+AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
+AC_SUBST(LWRES_PLATFORM_NEEDVSNPRINTF)
+ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS $ISC_PRINT_OBJS"
+ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS $ISC_PRINT_SRCS"
+
+AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
+
+AC_SUBST(ISC_EXTRA_OBJS)
+AC_SUBST(ISC_EXTRA_SRCS)
+
+# Determine the printf format characters to use when printing
+# values of type isc_int64_t. This will normally be "ll", but where
+# the compiler treats "long long" as a alias for "long" and printf
+# doesn't know about "long long" use "l". Hopefully the sprintf
+# will produce a inconsistant result in the later case. If the compiler
+# fails due to seeing "%lld" we fall back to "l".
+#
+# Win32 uses "%I64d", but that's defined elsewhere since we don't use
+# configure on Win32.
+#
+AC_MSG_CHECKING(printf format modifier for 64-bit integers)
+AC_TRY_RUN([
+#include <stdio.h>
+main() {
+ long long int j = 0;
+ char buf[100];
+ buf[0] = 0;
+ sprintf(buf, "%lld", j);
+ exit((sizeof(long long int) != sizeof(long int))? 0 :
+ (strcmp(buf, "0") != 0));
+}
+],
+ [AC_MSG_RESULT(ll)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'],
+ [AC_MSG_RESULT(l)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'],
+ [AC_MSG_RESULT(assuming target platform uses ll)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'])
+AC_SUBST(ISC_PLATFORM_QUADFORMAT)
+
+#
+# Security Stuff
+#
+AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
+AC_ARG_ENABLE(linux-caps,
+ [ --disable-linux-caps disable linux capabilities])
+case "$enable_linux_caps" in
+ yes|'')
+ AC_CHECK_HEADERS(linux/capability.h)
+ ;;
+ no)
+ ;;
+esac
+AC_CHECK_HEADERS(sys/prctl.h)
+
+#
+# Time Zone Stuff
+#
+AC_CHECK_FUNC(tzset, AC_DEFINE(HAVE_TZSET))
+
+#
+# BSD/OS, and perhaps some others, don't define rlim_t.
+#
+AC_MSG_CHECKING(for type rlim_t)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>],
+[rlim_t rl = 19671212; return (0);],
+[AC_MSG_RESULT(yes)
+ ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE rlim_t"],
+[AC_MSG_RESULT(no)
+
+AC_MSG_CHECKING(type of rlim_cur)
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(int)));}],
+[AC_MSG_RESULT(int)
+ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE int"],
+[
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+main() { struct rlimit r; exit(!(sizeof(r.rlim_cur) == sizeof(long int)));}],
+[AC_MSG_RESULT(long int)
+ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long int"],
+[
+AC_TRY_RUN([
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+main() { struct rlimit r; exit((!sizeof(r.rlim_cur) == sizeof(long long int)));}],
+[AC_MSG_RESULT(long long int)
+ISC_PLATFORM_RLIMITTYPE="#define ISC_PLATFORM_RLIMITTYPE long long int"],
+[AC_MSG_ERROR([unable to determine sizeof rlim_cur])
+],[AC_MSG_ERROR(this cannot happen)])
+],[AC_MSG_ERROR(this cannot happen)])
+],[AC_MSG_ERROR(cannot determine type of rlim_cur when cross compiling - define rlim_t)])
+])
+AC_SUBST(ISC_PLATFORM_RLIMITTYPE)
+
+#
+# Compaq TruCluster requires more code for handling cluster IP aliases
+#
+case "$host" in
+ *-dec-osf*)
+ AC_CHECK_LIB(clua, clua_getaliasaddress, LIBS="-lclua $LIBS")
+ AC_CHECK_FUNC(clua_getaliasaddress,
+ AC_DEFINE(HAVE_TRUCLUSTER, 1,
+ [Define if running under Compaq TruCluster]))
+ ;;
+ *)
+ ;;
+esac
+
+#
+# Microsoft has their own way of handling shared libraries that requires
+# additional qualifiers on extern variables. Unix systems don't need it.
+#
+AC_SUBST(ISC_PLATFORM_USEDECLSPEC)
+ISC_PLATFORM_USEDECLSPEC="#undef ISC_PLATFORM_USEDECLSPEC"
+AC_SUBST(LWRES_PLATFORM_USEDECLSPEC)
+LWRES_PLATFORM_USEDECLSPEC="#undef LWRES_PLATFORM_USEDECLSPEC"
+
+#
+# Random remaining OS-specific issues involving compiler warnings.
+# XXXDCL print messages to indicate some compensation is being done?
+#
+AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
+ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
+
+case "$host" in
+ *-bsdi3.1*)
+ hack_shutup_sputaux=yes
+ ;;
+ *-bsdi4.0*)
+ hack_shutup_sigwait=yes
+ hack_shutup_sputaux=yes
+ ;;
+ [*-bsdi4.[12]*])
+ hack_shutup_stdargcast=yes
+ ;;
+ [*-solaris2.[89]])
+ hack_shutup_pthreadonceinit=yes
+ ;;
+esac
+
+case "$hack_shutup_pthreadonceinit" in
+ yes)
+ #
+ # Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
+ #
+ ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
+ ;;
+esac
+
+case "$hack_shutup_sigwait" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning for sigwait().
+ #
+ AC_DEFINE(SHUTUP_SIGWAIT)
+ ;;
+esac
+
+case "$hack_shutup_sputaux" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning from <stdio.h>.
+ #
+ AC_DEFINE(SHUTUP_SPUTAUX)
+ ;;
+esac
+
+case "$hack_shutup_stdargcast" in
+ yes)
+ #
+ # Shut up a -Wcast-qual warning from va_start().
+ #
+ AC_DEFINE(SHUTUP_STDARG_CAST)
+ ;;
+esac
+
+#
+# Check for if_nametoindex() for IPv6 scoped addresses support
+#
+AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
+ ac_cv_have_if_nametoindex=no)
+case $ac_cv_have_if_nametoindex in
+no)
+ case "$host" in
+ *-hp-hpux*)
+ AC_CHECK_LIB(ipv6, if_nametoindex,
+ ac_cv_have_if_nametoindex=yes
+ LIBS="-lipv6 $LIBS",)
+ ;;
+ esac
+esac
+case $ac_cv_have_if_nametoindex in
+yes)
+ ISC_PLATFORM_HAVEIFNAMETOINDEX="#define ISC_PLATFORM_HAVEIFNAMETOINDEX 1"
+ ;;
+*)
+ ISC_PLATFORM_HAVEIFNAMETOINDEX="#undef ISC_PLATFORM_HAVEIFNAMETOINDEX"
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
+
+#
+# The following sections deal with tools used for formatting
+# the documentation. They are all optional, unless you are
+# a developer editing the documentation source.
+#
+
+# Directory trees where SGML files are commonly found.
+sgmltrees="/usr/pkg/share/sgml /usr/local/share/sgml /usr/share/sgml"
+
+#
+# Look for openjade. Plain jade is no longer supported.
+#
+
+AC_PATH_PROGS(OPENJADE, openjade, openjade)
+AC_SUBST(OPENJADE)
+
+#
+# Look for TeX.
+#
+
+AC_PATH_PROGS(JADETEX, jadetex, jadetex)
+AC_SUBST(JADETEX)
+
+AC_PATH_PROGS(PDFJADETEX, pdfjadetex, pdfjadetex)
+AC_SUBST(PDFJADETEX)
+
+#
+# Subroutine for searching for an ordinary file (e.g., a stylesheet)
+# in a number of directories:
+#
+# NOM_PATH_FILE(VARIABLE, FILENAME, DIRECTORIES)
+#
+# If the file FILENAME is found in one of the DIRECTORIES, the shell
+# variable VARIABLE is defined to its absolute pathname. Otherwise,
+# it is set to FILENAME, with no directory prefix (that's not terribly
+# useful, but looks less confusing in substitutions than leaving it
+# empty). The variable VARIABLE will be substituted into output files.
+#
+
+AC_DEFUN(NOM_PATH_FILE, [
+$1=""
+AC_MSG_CHECKING(for $2)
+for d in $3
+do
+ f=$d/$2
+ if test -f $f
+ then
+ $1=$f
+ AC_MSG_RESULT($f)
+ break
+ fi
+done
+if test "X[$]$1" = "X"
+then
+ AC_MSG_RESULT("not found");
+ $1=$2
+fi
+AC_SUBST($1)
+])
+
+#
+# Look for the SGML catalog.
+# Its location varies, so far we have seen:
+#
+# NetBSD /usr/pkg/share/sgml/docbook/catalog
+# FreeBSD /usr/local/share/sgml/docbook/catalog
+# Linux /usr/local/share/dsssl/docbook/catalog
+# /usr/share/sgml/docbook/dsssl-stylesheets/catalog
+#
+catalogpath=""
+for d in $sgmltrees
+do
+ catalogpath="$catalogpath $d"
+ for s in docbook/dsssl-stylesheets
+ do
+ catalogpath="$catalogpath $d/$s"
+ done
+done
+NOM_PATH_FILE(SGMLCATALOG, catalog, $catalogpath)
+
+#
+# Look for the HTML stylesheet html/docbook.dsl, used for
+# formatting man pages in HTML. Its location varies,
+# so far we have seen:
+#
+# NetBSD /usr/pkg/share/sgml/docbook/dsssl/modular/
+# FreeBSD /usr/local/share/sgml/docbook/dsssl/modular/
+# Linux /usr/local/share/dsssl/docbook/
+# /usr/share/sgml/docbook/dsssl-stylesheets/
+#
+# Ditto for the print stylesheet print/docbook.dsl.
+#
+
+stylepath=""
+for d in $sgmltrees
+do
+ for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+ do
+ stylepath="$stylepath $d/$s"
+ done
+done
+NOM_PATH_FILE(HTMLSTYLE, html/docbook.dsl, $stylepath)
+NOM_PATH_FILE(PRINTSTYLE, print/docbook.dsl, $stylepath)
+
+#
+# Look for XML declarations.
+# Its location varies, so far we have seen:
+#
+# NetBSD /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/
+# FreeBSD /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/
+# Linux /usr/local/share/dsssl/docbook/dtds/decls/
+# /usr/share/sgml/docbook/dsssl-stylesheets/dtds/decls/
+#
+
+xmlpath=""
+for d in $sgmltrees
+do
+ for s in docbook/dsssl/modular dsssl/docbook docbook/dsssl-stylesheets
+ do
+ xmlpath="$xmlpath $d/$s"
+ done
+done
+NOM_PATH_FILE(XMLDCL, dtds/decls/xml.dcl, $xmlpath)
+
+#
+# Look for docbook2man-spec.pl
+#
+
+NOM_PATH_FILE(DOCBOOK2MANSPEC, docbook2X/docbook2man-spec.pl, $sgmltrees)
+
+#
+# Substitutions
+#
+AC_SUBST(BIND9_TOP_BUILDDIR)
+BIND9_TOP_BUILDDIR=`pwd`
+
+AC_SUBST(BIND9_ISC_BUILDINCLUDE)
+AC_SUBST(BIND9_ISCCC_BUILDINCLUDE)
+AC_SUBST(BIND9_ISCCFG_BUILDINCLUDE)
+AC_SUBST(BIND9_DNS_BUILDINCLUDE)
+AC_SUBST(BIND9_LWRES_BUILDINCLUDE)
+AC_SUBST(BIND9_BIND9_BUILDINCLUDE)
+if test "X$srcdir" != "X"; then
+ BIND9_ISC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isc/include"
+ BIND9_ISCCC_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccc/include"
+ BIND9_ISCCFG_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/isccfg/include"
+ BIND9_DNS_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/dns/include"
+ BIND9_LWRES_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/lwres/include"
+ BIND9_BIND9_BUILDINCLUDE="-I${BIND9_TOP_BUILDDIR}/lib/bind9/include"
+else
+ BIND9_ISC_BUILDINCLUDE=""
+ BIND9_ISCCC_BUILDINCLUDE=""
+ BIND9_ISCCFG_BUILDINCLUDE=""
+ BIND9_DNS_BUILDINCLUDE=""
+ BIND9_LWRES_BUILDINCLUDE=""
+ BIND9_BIND9_BUILDINCLUDE=""
+fi
+
+AC_SUBST_FILE(BIND9_MAKE_INCLUDES)
+BIND9_MAKE_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+
+AC_SUBST_FILE(BIND9_MAKE_RULES)
+BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
+
+. $srcdir/version
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+AC_SUBST(BIND9_VERSION)
+
+AC_SUBST_FILE(LIBISC_API)
+LIBISC_API=$srcdir/lib/isc/api
+
+AC_SUBST_FILE(LIBISCCC_API)
+LIBISCCC_API=$srcdir/lib/isccc/api
+
+AC_SUBST_FILE(LIBISCCFG_API)
+LIBISCCFG_API=$srcdir/lib/isccfg/api
+
+AC_SUBST_FILE(LIBDNS_API)
+LIBDNS_API=$srcdir/lib/dns/api
+
+AC_SUBST_FILE(LIBBIND9_API)
+LIBBIND9_API=$srcdir/lib/bind9/api
+
+AC_SUBST_FILE(LIBLWRES_API)
+LIBLWRES_API=$srcdir/lib/lwres/api
+
+AC_OUTPUT(
+ make/rules
+ make/includes
+ Makefile
+ make/Makefile
+ make/mkdep
+ lib/Makefile
+ lib/isc/Makefile
+ lib/isc/include/Makefile
+ lib/isc/include/isc/Makefile
+ lib/isc/include/isc/platform.h
+ lib/isc/unix/Makefile
+ lib/isc/unix/include/Makefile
+ lib/isc/unix/include/isc/Makefile
+ lib/isc/nls/Makefile
+ lib/isc/$thread_dir/Makefile
+ lib/isc/$thread_dir/include/Makefile
+ lib/isc/$thread_dir/include/isc/Makefile
+ lib/isccc/Makefile
+ lib/isccc/include/Makefile
+ lib/isccc/include/isccc/Makefile
+ lib/isccfg/Makefile
+ lib/isccfg/include/Makefile
+ lib/isccfg/include/isccfg/Makefile
+ lib/dns/Makefile
+ lib/dns/include/Makefile
+ lib/dns/include/dns/Makefile
+ lib/dns/sec/Makefile
+ lib/dns/sec/dst/Makefile
+ lib/dns/sec/dst/include/Makefile
+ lib/dns/sec/dst/include/dst/Makefile
+ lib/bind9/Makefile
+ lib/bind9/include/Makefile
+ lib/bind9/include/bind9/Makefile
+ lib/lwres/Makefile
+ lib/lwres/include/Makefile
+ lib/lwres/include/lwres/Makefile
+ lib/lwres/include/lwres/netdb.h
+ lib/lwres/include/lwres/platform.h
+ lib/lwres/man/Makefile
+ lib/lwres/unix/Makefile
+ lib/lwres/unix/include/Makefile
+ lib/lwres/unix/include/lwres/Makefile
+ lib/tests/Makefile
+ lib/tests/include/Makefile
+ lib/tests/include/tests/Makefile
+ bin/Makefile
+ bin/check/Makefile
+ bin/named/Makefile
+ bin/named/unix/Makefile
+ bin/rndc/Makefile
+ bin/rndc/unix/Makefile
+ bin/dig/Makefile
+ bin/nsupdate/Makefile
+ bin/tests/Makefile
+ bin/tests/names/Makefile
+ bin/tests/master/Makefile
+ bin/tests/rbt/Makefile
+ bin/tests/db/Makefile
+ bin/tests/tasks/Makefile
+ bin/tests/timers/Makefile
+ bin/tests/dst/Makefile
+ bin/tests/mem/Makefile
+ bin/tests/net/Makefile
+ bin/tests/sockaddr/Makefile
+ bin/tests/system/Makefile
+ bin/tests/system/conf.sh
+ bin/tests/system/lwresd/Makefile
+ bin/tests/system/tkey/Makefile
+ bin/tests/headerdep_test.sh
+ bin/dnssec/Makefile
+ doc/Makefile
+ doc/arm/Makefile
+ doc/arm/nominum-docbook-html.dsl
+ doc/arm/nominum-docbook-print.dsl
+ doc/arm/validate.sh
+ doc/misc/Makefile
+ docutil/docbook2man-wrapper.sh
+ isc-config.sh
+)
+chmod a+x isc-config.sh
+
+# Tell Emacs to edit this file in shell mode.
+# Local Variables:
+# mode: sh
+# End:
diff --git a/contrib/bind9/doc/Makefile.in b/contrib/bind9/doc/Makefile.in
new file mode 100644
index 0000000..e7dd9ca
--- /dev/null
+++ b/contrib/bind9/doc/Makefile.in
@@ -0,0 +1,29 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 13:16:14 marka Exp $
+
+# This Makefile is a placeholder. It exists merely to make
+# sure that its directory gets created in the object directory
+# tree when doing a build using separate object directories.
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = arm misc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/doc/arm/Bv9ARM-book.xml b/contrib/bind9/doc/arm/Bv9ARM-book.xml
new file mode 100644
index 0000000..2a03a9e
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM-book.xml
@@ -0,0 +1,6571 @@
+
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
+ "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
+
+<!-- File: $Id: Bv9ARM-book.xml,v 1.155.2.27.2.49 2004/08/16 00:55:29 marka Exp $ -->
+
+<book>
+<title>BIND 9 Administrator Reference Manual</title>
+
+<bookinfo>
+<copyright>
+<year>2004</year>
+<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+</copyright>
+<copyright>
+<year>2000-2003</year>
+<holder>Internet Software Consortium</holder>
+</copyright>
+</bookinfo>
+
+ <chapter id="ch01">
+ <title>Introduction </title>
+ <para>The Internet Domain Name System (<acronym>DNS</acronym>) consists of the syntax
+ to specify the names of entities in the Internet in a hierarchical
+ manner, the rules used for delegating authority over names, and the
+ system implementation that actually maps names to Internet
+ addresses. <acronym>DNS</acronym> data is maintained in a group of distributed
+ hierarchical databases.</para>
+
+ <sect1>
+ <title>Scope of Document</title>
+
+ <para>The Berkeley Internet Name Domain (<acronym>BIND</acronym>) implements an
+ domain name server for a number of operating systems. This
+ document provides basic information about the installation and
+ care of the Internet Software Consortium (<acronym>ISC</acronym>)
+ <acronym>BIND</acronym> version 9 software package for system
+ administrators.</para>
+
+ <para>This version of the manual corresponds to BIND version 9.3.</para>
+
+ </sect1>
+ <sect1><title>Organization of This Document</title>
+ <para>In this document, <emphasis>Section 1</emphasis> introduces
+ the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+ describes resource requirements for running <acronym>BIND</acronym> in various
+ environments. Information in <emphasis>Section 3</emphasis> is
+ <emphasis>task-oriented</emphasis> in its presentation and is
+ organized functionally, to aid in the process of installing the
+ <acronym>BIND</acronym> 9 software. The task-oriented section is followed by
+ <emphasis>Section 4</emphasis>, which contains more advanced
+ concepts that the system administrator may need for implementing
+ certain options. <emphasis>Section 5</emphasis>
+ describes the <acronym>BIND</acronym> 9 lightweight
+ resolver. The contents of <emphasis>Section 6</emphasis> are
+ organized as in a reference manual to aid in the ongoing
+ maintenance of the software. <emphasis>Section 7
+ </emphasis>addresses security considerations, and
+ <emphasis>Section 8</emphasis> contains troubleshooting help. The
+ main body of the document is followed by several
+ <emphasis>Appendices</emphasis> which contain useful reference
+ information, such as a <emphasis>Bibliography</emphasis> and
+ historic information related to <acronym>BIND</acronym> and the Domain Name
+ System.</para>
+ </sect1>
+ <sect1><title>Conventions Used in This Document</title>
+
+ <para>In this document, we use the following general typographic
+ conventions:</para>
+
+<informaltable>
+ <tgroup cols = "2">
+ <colspec colname = "1" colnum = "1" colwidth = "3.000in"/>
+ <colspec colname = "2" colnum = "2" colwidth = "2.625in"/>
+ <tbody>
+ <row>
+ <entry colname = "1">
+<para><emphasis>To
+describe:</emphasis></para></entry>
+ <entry colname = "2">
+<para><emphasis>We use the style:</emphasis></para></entry>
+ </row>
+ <row>
+ <entry colname = "1">
+<para>a pathname, filename, URL, hostname,
+mailing list name, or new term or concept</para></entry>
+ <entry colname = "2"><para><filename>Fixed width</filename></para></entry>
+ </row>
+ <row>
+ <entry colname = "1"><para>literal user
+input</para></entry>
+ <entry colname = "2"><para><userinput>Fixed Width Bold</userinput></para></entry>
+ </row>
+ <row>
+ <entry colname = "1"><para>program output</para></entry>
+ <entry colname = "2"><para><computeroutput>Fixed Width</computeroutput></para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+</informaltable>
+
+ <para>The following conventions are used in descriptions of the
+<acronym>BIND</acronym> configuration file:<informaltable colsep = "0" frame = "all" rowsep = "0">
+ <tgroup cols = "2" colsep = "0" rowsep = "0"
+ tgroupstyle = "2Level-table">
+ <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "3.000in"/>
+ <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "2.625in"/>
+ <tbody>
+ <row rowsep = "0">
+ <entry colname = "1" colsep = "1" rowsep = "1"><para><emphasis>To
+describe:</emphasis></para></entry>
+ <entry colname = "2" rowsep = "1"><para><emphasis>We use the style:</emphasis></para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1" colsep = "1" rowsep = "1"><para>keywords</para></entry>
+ <entry colname = "2" rowsep = "1"><para><literal>Fixed Width</literal></para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1" colsep = "1" rowsep = "1"><para>variables</para></entry>
+ <entry colname = "2" rowsep = "1"><para><varname>Fixed Width</varname></para></entry>
+ </row>
+<row rowsep = "0">
+<entry colname = "1" colsep = "1"><para>Optional input</para></entry>
+ <entry colname = "2"><para><optional>Text is enclosed in square brackets</optional></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable></para></sect1>
+<sect1><title>The Domain Name System (<acronym>DNS</acronym>)</title>
+<para>The purpose of this document is to explain the installation
+and upkeep of the <acronym>BIND</acronym> software package, and we
+begin by reviewing the fundamentals of the Domain Name System
+(<acronym>DNS</acronym>) as they relate to <acronym>BIND</acronym>.
+</para>
+
+<sect2>
+<title>DNS Fundamentals</title>
+
+<para>The Domain Name System (DNS) is the hierarchical, distributed
+database. It stores information for mapping Internet host names to IP
+addresses and vice versa, mail routing information, and other data
+used by Internet applications.</para>
+
+<para>Clients look up information in the DNS by calling a
+<emphasis>resolver</emphasis> library, which sends queries to one or
+more <emphasis>name servers</emphasis> and interprets the responses.
+The <acronym>BIND</acronym> 9 software distribution contains a
+name server, <command>named</command>, and two resolver
+libraries, <command>liblwres</command> and <command>libbind</command>.
+</para>
+
+</sect2><sect2>
+<title>Domains and Domain Names</title>
+
+<para>The data stored in the DNS is identified by <emphasis>domain
+names</emphasis> that are organized as a tree according to
+organizational or administrative boundaries. Each node of the tree,
+called a <emphasis>domain</emphasis>, is given a label. The domain name of the
+node is the concatenation of all the labels on the path from the
+node to the <emphasis>root</emphasis> node. This is represented
+in written form as a string of labels listed from right to left and
+separated by dots. A label need only be unique within its parent
+domain.</para>
+
+<para>For example, a domain name for a host at the
+company <emphasis>Example, Inc.</emphasis> could be
+<literal>mail.example.com</literal>,
+where <literal>com</literal> is the
+top level domain to which
+<literal>ourhost.example.com</literal> belongs,
+<literal>example</literal> is
+a subdomain of <literal>com</literal>, and
+<literal>ourhost</literal> is the
+name of the host.</para>
+
+<para>For administrative purposes, the name space is partitioned into
+areas called <emphasis>zones</emphasis>, each starting at a node and
+extending down to the leaf nodes or to nodes where other zones start.
+The data for each zone is stored in a <emphasis>name
+server</emphasis>, which answers queries about the zone using the
+<emphasis>DNS protocol</emphasis>.
+</para>
+
+<para>The data associated with each domain name is stored in the
+form of <emphasis>resource records</emphasis> (<acronym>RR</acronym>s).
+Some of the supported resource record types are described in
+<xref linkend="types_of_resource_records_and_when_to_use_them"/>.</para>
+
+<para>For more detailed information about the design of the DNS and
+the DNS protocol, please refer to the standards documents listed in
+<xref linkend="rfcs"/>.</para>
+</sect2>
+
+<sect2><title>Zones</title>
+<para>To properly operate a name server, it is important to understand
+the difference between a <emphasis>zone</emphasis>
+and a <emphasis>domain</emphasis>.</para>
+
+<para>As we stated previously, a zone is a point of delegation in
+the <acronym>DNS</acronym> tree. A zone consists of
+those contiguous parts of the domain
+tree for which a name server has complete information and over which
+it has authority. It contains all domain names from a certain point
+downward in the domain tree except those which are delegated to
+other zones. A delegation point is marked by one or more
+<emphasis>NS records</emphasis> in the
+parent zone, which should be matched by equivalent NS records at
+the root of the delegated zone.</para>
+
+<para>For instance, consider the <literal>example.com</literal>
+domain which includes names
+such as <literal>host.aaa.example.com</literal> and
+<literal>host.bbb.example.com</literal> even though
+the <literal>example.com</literal> zone includes
+only delegations for the <literal>aaa.example.com</literal> and
+<literal>bbb.example.com</literal> zones. A zone can map
+exactly to a single domain, but could also include only part of a
+domain, the rest of which could be delegated to other
+name servers. Every name in the <acronym>DNS</acronym> tree is a
+<emphasis>domain</emphasis>, even if it is
+<emphasis>terminal</emphasis>, that is, has no
+<emphasis>subdomains</emphasis>. Every subdomain is a domain and
+every domain except the root is also a subdomain. The terminology is
+not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
+gain a complete understanding of this difficult and subtle
+topic.</para>
+
+<para>Though <acronym>BIND</acronym> is called a "domain name server",
+it deals primarily in terms of zones. The master and slave
+declarations in the <filename>named.conf</filename> file specify
+zones, not domains. When you ask some other site if it is willing to
+be a slave server for your <emphasis>domain</emphasis>, you are
+actually asking for slave service for some collection of zones.</para>
+</sect2>
+
+<sect2><title>Authoritative Name Servers</title>
+
+<para>Each zone is served by at least
+one <emphasis>authoritative name server</emphasis>,
+which contains the complete data for the zone.
+To make the DNS tolerant of server and network failures,
+most zones have two or more authoritative servers.
+</para>
+
+<para>Responses from authoritative servers have the "authoritative
+answer" (AA) bit set in the response packets. This makes them
+easy to identify when debugging DNS configurations using tools like
+<command>dig</command> (<xref linkend="diagnostic_tools"/>).</para>
+
+<sect3><title>The Primary Master</title>
+
+<para>
+The authoritative server where the master copy of the zone data is maintained is
+called the <emphasis>primary master</emphasis> server, or simply the
+<emphasis>primary</emphasis>. It loads the zone contents from some
+local file edited by humans or perhaps generated mechanically from
+some other local file which is edited by humans. This file is called
+the <emphasis>zone file</emphasis> or <emphasis>master file</emphasis>.</para>
+</sect3>
+
+<sect3><title>Slave Servers</title>
+<para>The other authoritative servers, the <emphasis>slave</emphasis>
+servers (also known as <emphasis>secondary</emphasis> servers) load
+the zone contents from another server using a replication process
+known as a <emphasis>zone transfer</emphasis>. Typically the data are
+transferred directly from the primary master, but it is also possible
+to transfer it from another slave. In other words, a slave server
+may itself act as a master to a subordinate slave server.</para>
+</sect3>
+
+<sect3><title>Stealth Servers</title>
+
+<para>Usually all of the zone's authoritative servers are listed in
+NS records in the parent zone. These NS records constitute
+a <emphasis>delegation</emphasis> of the zone from the parent.
+The authoritative servers are also listed in the zone file itself,
+at the <emphasis>top level</emphasis> or <emphasis>apex</emphasis>
+of the zone. You can list servers in the zone's top-level NS
+records that are not in the parent's NS delegation, but you cannot
+list servers in the parent's delegation that are not present at
+the zone's top level.</para>
+
+<para>A <emphasis>stealth server</emphasis> is a server that is
+authoritative for a zone but is not listed in that zone's NS
+records. Stealth servers can be used for keeping a local copy of a
+zone to speed up access to the zone's records or to make sure that the
+zone is available even if all the "official" servers for the zone are
+inaccessible.</para>
+
+<para>A configuration where the primary master server itself is a
+stealth server is often referred to as a "hidden primary"
+configuration. One use for this configuration is when the primary master
+is behind a firewall and therefore unable to communicate directly
+with the outside world.</para>
+
+</sect3>
+
+</sect2>
+<sect2>
+
+<title>Caching Name Servers</title>
+
+<para>The resolver libraries provided by most operating systems are
+<emphasis>stub resolvers</emphasis>, meaning that they are not capable of
+performing the full DNS resolution process by themselves by talking
+directly to the authoritative servers. Instead, they rely on a local
+name server to perform the resolution on their behalf. Such a server
+is called a <emphasis>recursive</emphasis> name server; it performs
+<emphasis>recursive lookups</emphasis> for local clients.</para>
+
+<para>To improve performance, recursive servers cache the results of
+the lookups they perform. Since the processes of recursion and
+caching are intimately connected, the terms
+<emphasis>recursive server</emphasis> and
+<emphasis>caching server</emphasis> are often used synonymously.</para>
+
+<para>The length of time for which a record may be retained in
+in the cache of a caching name server is controlled by the
+Time To Live (TTL) field associated with each resource record.
+</para>
+
+<sect3><title>Forwarding</title>
+
+<para>Even a caching name server does not necessarily perform
+the complete recursive lookup itself. Instead, it can
+<emphasis>forward</emphasis> some or all of the queries
+that it cannot satisfy from its cache to another caching name server,
+commonly referred to as a <emphasis>forwarder</emphasis>.
+</para>
+
+<para>There may be one or more forwarders,
+and they are queried in turn until the list is exhausted or an answer
+is found. Forwarders are typically used when you do not
+wish all the servers at a given site to interact directly with the rest of
+the Internet servers. A typical scenario would involve a number
+of internal <acronym>DNS</acronym> servers and an Internet firewall. Servers unable
+to pass packets through the firewall would forward to the server
+that can do it, and that server would query the Internet <acronym>DNS</acronym> servers
+on the internal server's behalf. An added benefit of using the forwarding
+feature is that the central machine develops a much more complete
+cache of information that all the clients can take advantage
+of.</para>
+</sect3>
+
+</sect2>
+
+<sect2><title>Name Servers in Multiple Roles</title>
+
+<para>The <acronym>BIND</acronym> name server can simultaneously act as
+a master for some zones, a slave for other zones, and as a caching
+(recursive) server for a set of local clients.</para>
+
+<para>However, since the functions of authoritative name service
+and caching/recursive name service are logically separate, it is
+often advantageous to run them on separate server machines.
+
+A server that only provides authoritative name service
+(an <emphasis>authoritative-only</emphasis> server) can run with
+recursion disabled, improving reliability and security.
+
+A server that is not authoritative for any zones and only provides
+recursive service to local
+clients (a <emphasis>caching-only</emphasis> server)
+does not need to be reachable from the Internet at large and can
+be placed inside a firewall.</para>
+
+ </sect2>
+ </sect1>
+
+</chapter>
+
+<chapter id="ch02"><title><acronym>BIND</acronym> Resource Requirements</title>
+
+<sect1>
+<title>Hardware requirements</title>
+
+<para><acronym>DNS</acronym> hardware requirements have traditionally been quite modest.
+For many installations, servers that have been pensioned off from
+active duty have performed admirably as <acronym>DNS</acronym> servers.</para>
+<para>The DNSSEC and IPv6 features of <acronym>BIND</acronym> 9 may prove to be quite
+CPU intensive however, so organizations that make heavy use of these
+features may wish to consider larger systems for these applications.
+<acronym>BIND</acronym> 9 is fully multithreaded, allowing full utilization of
+multiprocessor systems for installations that need it.</para></sect1>
+<sect1><title>CPU Requirements</title>
+<para>CPU requirements for <acronym>BIND</acronym> 9 range from i486-class machines
+for serving of static zones without caching, to enterprise-class
+machines if you intend to process many dynamic updates and DNSSEC
+signed zones, serving many thousands of queries per second.</para></sect1>
+
+<sect1><title>Memory Requirements</title>
+<para>The memory of the server has to be large enough to fit the
+cache and zones loaded off disk. The <command>max-cache-size</command>
+option can be used to limit the amount of memory used by the cache,
+at the expense of reducing cache hit rates and causing more <acronym>DNS</acronym>
+traffic. It is still good practice to have enough memory to load
+all zone and cache data into memory &mdash; unfortunately, the best way
+to determine this for a given installation is to watch the name server
+in operation. After a few weeks the server process should reach
+a relatively stable size where entries are expiring from the cache as
+fast as they are being inserted.</para></sect1>
+
+<sect1><title>Name Server Intensive Environment Issues</title>
+<para>For name server intensive environments, there are two alternative
+configurations that may be used. The first is where clients and
+any second-level internal name servers query a main name server, which
+has enough memory to build a large cache. This approach minimizes
+the bandwidth used by external name lookups. The second alternative
+is to set up second-level internal name servers to make queries independently.
+In this configuration, none of the individual machines needs to
+have as much memory or CPU power as in the first alternative, but
+this has the disadvantage of making many more external queries,
+as none of the name servers share their cached data.</para></sect1>
+
+<sect1><title>Supported Operating Systems</title>
+<para>ISC <acronym>BIND</acronym> 9 compiles and runs on a large number
+of Unix-like operating system and on Windows NT / 2000. For an up-to-date
+list of supported systems, see the README file in the top level directory
+of the BIND 9 source distribution.</para>
+</sect1>
+</chapter>
+
+<chapter id="ch03">
+<title>Name Server Configuration</title>
+<para>In this section we provide some suggested configurations along
+with guidelines for their use. We also address the topic of reasonable
+option setting.</para>
+
+<sect1 id="sample_configuration">
+<title>Sample Configurations</title>
+<sect2>
+<title>A Caching-only Name Server</title>
+<para>The following sample configuration is appropriate for a caching-only
+name server for use by clients internal to a corporation. All queries
+from outside clients are refused using the <command>allow-query</command>
+option. Alternatively, the same effect could be achieved using suitable
+firewall rules.</para>
+
+<programlisting>
+// Two corporate subnets we wish to allow queries from.
+acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
+options {
+ directory "/etc/namedb"; // Working directory
+ allow-query { corpnets; };
+};
+// Provide a reverse mapping for the loopback address 127.0.0.1
+zone "0.0.127.in-addr.arpa" {
+ type master;
+ file "localhost.rev";
+ notify no;
+};
+</programlisting>
+</sect2>
+
+<sect2>
+<title>An Authoritative-only Name Server</title>
+<para>This sample configuration is for an authoritative-only server
+that is the master server for "<filename>example.com</filename>"
+and a slave for the subdomain "<filename>eng.example.com</filename>".</para>
+
+<programlisting>
+options {
+ directory "/etc/namedb"; // Working directory
+ allow-query { any; }; // This is the default
+ recursion no; // Do not provide recursive service
+};
+
+// Provide a reverse mapping for the loopback address 127.0.0.1
+zone "0.0.127.in-addr.arpa" {
+ type master;
+ file "localhost.rev";
+ notify no;
+};
+// We are the master server for example.com
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ // IP addresses of slave servers allowed to transfer example.com
+ allow-transfer {
+ 192.168.4.14;
+ 192.168.5.53;
+ };
+};
+// We are a slave server for eng.example.com
+zone "eng.example.com" {
+ type slave;
+ file "eng.example.com.bk";
+ // IP address of eng.example.com master server
+ masters { 192.168.4.12; };
+};
+</programlisting>
+</sect2>
+</sect1>
+
+<sect1>
+<title>Load Balancing</title>
+
+<para>A primitive form of load balancing can be achieved in
+the <acronym>DNS</acronym> by using multiple A records for one name.</para>
+
+<para>For example, if you have three WWW servers with network addresses
+of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+following means that clients will connect to each machine one third
+of the time:</para>
+
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "5" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.500in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.750in"/>
+<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.750in"/>
+<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "2.028in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>Name</para></entry>
+<entry colname = "2"><para>TTL</para></entry>
+<entry colname = "3"><para>CLASS</para></entry>
+<entry colname = "4"><para>TYPE</para></entry>
+<entry colname = "5"><para>Resource Record (RR) Data</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>www</literal></para></entry>
+<entry colname = "2"><para><literal>600</literal></para></entry>
+<entry colname = "3"><para><literal>IN</literal></para></entry>
+<entry colname = "4"><para><literal>A</literal></para></entry>
+<entry colname = "5"><para><literal>10.0.0.1</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>600</literal></para></entry>
+<entry colname = "3"><para><literal>IN</literal></para></entry>
+<entry colname = "4"><para><literal>A</literal></para></entry>
+<entry colname = "5"><para><literal>10.0.0.2</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>600</literal></para></entry>
+<entry colname = "3"><para><literal>IN</literal></para></entry>
+<entry colname = "4"><para><literal>A</literal></para></entry>
+<entry colname = "5"><para><literal>10.0.0.3</literal></para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ <para>When a resolver queries for these records, <acronym>BIND</acronym> will rotate
+ them and respond to the query with the records in a different
+ order. In the example above, clients will randomly receive
+ records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+ will use the first record returned and discard the rest.</para>
+ <para>For more detail on ordering responses, check the
+ <command>rrset-order</command> substatement in the
+ <command>options</command> statement, see
+ <xref endterm="rrset_ordering_title" linkend="rrset_ordering"/>.
+ This substatement is not supported in
+ <acronym>BIND</acronym> 9, and only the ordering scheme described above is
+ available.</para>
+
+</sect1>
+
+<sect1>
+<title>Name Server Operations</title>
+
+<sect2>
+<title>Tools for Use With the Name Server Daemon</title>
+<para>There are several indispensable diagnostic, administrative
+and monitoring tools available to the system administrator for controlling
+and debugging the name server daemon. We describe several in this
+section </para>
+<sect3 id="diagnostic_tools">
+<title>Diagnostic Tools</title>
+<para>The <command>dig</command>, <command>host</command>, and
+<command>nslookup</command> programs are all command line tools
+for manually querying name servers. They differ in style and
+output format.
+</para>
+
+<variablelist>
+<varlistentry>
+<term id="dig"><command>dig</command></term>
+<listitem>
+<para>The domain information groper (<command>dig</command>)
+is the most versatile and complete of these lookup tools.
+It has two modes: simple interactive
+mode for a single query, and batch mode which executes a query for
+each in a list of several query lines. All query options are accessible
+from the command line.</para>
+<cmdsynopsis label="Usage">
+ <command>dig</command>
+ <arg>@<replaceable>server</replaceable></arg>
+ <arg choice="plain"><replaceable>domain</replaceable></arg>
+ <arg><replaceable>query-type</replaceable></arg>
+ <arg><replaceable>query-class</replaceable></arg>
+ <arg>+<replaceable>query-option</replaceable></arg>
+ <arg>-<replaceable>dig-option</replaceable></arg>
+ <arg>%<replaceable>comment</replaceable></arg>
+</cmdsynopsis>
+<para>The usual simple use of dig will take the form</para>
+<simpara><command>dig @server domain query-type query-class</command></simpara>
+<para>For more information and a list of available commands and
+options, see the <command>dig</command> man page.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><command>host</command></term>
+<listitem>
+<para>The <command>host</command> utility emphasizes simplicity
+and ease of use. By default, it converts
+between host names and Internet addresses, but its functionality
+can be extended with the use of options.</para>
+<cmdsynopsis label="Usage">
+ <command>host</command>
+ <arg>-aCdlrTwv</arg>
+ <arg>-c <replaceable>class</replaceable></arg>
+ <arg>-N <replaceable>ndots</replaceable></arg>
+ <arg>-t <replaceable>type</replaceable></arg>
+ <arg>-W <replaceable>timeout</replaceable></arg>
+ <arg>-R <replaceable>retries</replaceable></arg>
+ <arg choice="plain"><replaceable>hostname</replaceable></arg>
+ <arg><replaceable>server</replaceable></arg>
+</cmdsynopsis>
+<para>For more information and a list of available commands and
+options, see the <command>host</command> man page.</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+<term><command>nslookup</command></term>
+<listitem>
+<para><command>nslookup</command> has two modes: interactive
+and non-interactive. Interactive mode allows the user to query name servers
+for information about various hosts and domains or to print a list
+of hosts in a domain. Non-interactive mode is used to print just
+the name and requested information for a host or domain.</para>
+<cmdsynopsis label="Usage">
+ <command>nslookup</command>
+ <arg rep="repeat">-option</arg>
+ <group>
+ <arg><replaceable>host-to-find</replaceable></arg>
+ <arg>- <arg>server</arg></arg>
+ </group>
+</cmdsynopsis>
+<para>Interactive mode is entered when no arguments are given (the
+default name server will be used) or when the first argument is a
+hyphen (`-') and the second argument is the host name or Internet address
+of a name server.</para>
+<para>Non-interactive mode is used when the name or Internet address
+of the host to be looked up is given as the first argument. The
+optional second argument specifies the host name or address of a name server.</para>
+<para>Due to its arcane user interface and frequently inconsistent
+behavior, we do not recommend the use of <command>nslookup</command>.
+Use <command>dig</command> instead.</para>
+</listitem>
+
+</varlistentry>
+</variablelist>
+</sect3>
+
+<sect3 id="admin_tools">
+ <title>Administrative Tools</title>
+ <para>Administrative tools play an integral part in the management
+of a server.</para>
+ <variablelist>
+ <varlistentry id="named-checkconf" xreflabel="Named Configuration Checking application">
+ <term><command>named-checkconf</command></term>
+ <listitem>
+ <para>The <command>named-checkconf</command> program
+ checks the syntax of a <filename>named.conf</filename> file.</para>
+ <cmdsynopsis label="Usage">
+ <command>named-checkconf</command>
+ <arg>-t <replaceable>directory</replaceable></arg>
+ <arg><replaceable>filename</replaceable></arg>
+ </cmdsynopsis>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="named-checkzone" xreflabel="Zone Checking application">
+ <term><command>named-checkzone</command></term>
+ <listitem>
+ <para>The <command>named-checkzone</command> program checks a master file for
+ syntax and consistency.</para>
+ <cmdsynopsis label="Usage">
+ <command>named-checkzone</command>
+ <arg>-dq</arg>
+ <arg>-c <replaceable>class</replaceable></arg>
+ <arg choice="plain"><replaceable>zone</replaceable></arg>
+ <arg><replaceable>filename</replaceable></arg>
+ </cmdsynopsis>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="rndc" xreflabel="Remote Name Daemon Control application">
+ <term><command>rndc</command></term>
+ <listitem>
+ <para>The remote name daemon control
+ (<command>rndc</command>) program allows the system
+ administrator to control the operation of a name server.
+ If you run <command>rndc</command> without any options
+ it will display a usage message as follows:</para>
+ <cmdsynopsis label="Usage">
+ <command>rndc</command>
+ <arg>-c <replaceable>config</replaceable></arg>
+ <arg>-s <replaceable>server</replaceable></arg>
+ <arg>-p <replaceable>port</replaceable></arg>
+ <arg>-y <replaceable>key</replaceable></arg>
+ <arg choice="plain"><replaceable>command</replaceable></arg>
+ <arg rep="repeat"><replaceable>command</replaceable></arg>
+ </cmdsynopsis>
+ <para><command>command</command> is one of the following:</para>
+
+<variablelist>
+
+ <varlistentry><term><userinput>reload</userinput></term>
+ <listitem><para>Reload configuration file and zones.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>reload <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem><para>Reload the given zone.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>refresh <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem><para>Schedule zone maintenance for the given zone.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>retransfer <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem><para>Retransfer the given zone from the master.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>freeze <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem><para>Suspend updates to a dynamic zone. This allows manual
+ edits to be made to a zone normally updated by dynamic update. It
+ also causes changes in the journal file to be synced into the master
+ and the journal file to be removed. All dynamic update attempts will
+ be refused while the zone is frozen.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>unfreeze <replaceable>zone</replaceable>
+ <optional><replaceable>class</replaceable>
+ <optional><replaceable>view</replaceable></optional></optional></userinput></term>
+ <listitem><para>Enable updates to a frozen dynamic zone. This causes
+ the server to reload the zone from disk, and re-enables dynamic updates
+ after the load has completed. After a zone is unfrozen, dynamic updates
+ will no longer be refused.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>reconfig</userinput></term>
+ <listitem><para>Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they have changed.
+ This is faster than a full <command>reload</command> when there
+ is a large number of zones because it avoids the need to examine the
+ modification times of the zones files.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>stats</userinput></term>
+ <listitem><para>Write server statistics to the statistics file.</para></listitem>
+ </varlistentry>
+
+ <varlistentry><term><userinput>querylog</userinput></term>
+ <listitem><para>Toggle query logging. Query logging can also be enabled
+ by explicitly directing the <command>queries</command>
+ <command>category</command> to a <command>channel</command> in the
+ <command>logging</command> section of
+ <filename>named.conf</filename>.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>dumpdb</userinput></term>
+ <listitem><para>Dump the server's caches to the dump file. </para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>stop</userinput></term>
+ <listitem><para>Stop the server,
+ making sure any recent changes
+ made through dynamic update or IXFR are first saved to the master files
+ of the updated zones.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>halt</userinput></term>
+ <listitem><para>Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to the master files,
+ but will be rolled forward from the journal files when the server
+ is restarted.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>trace</userinput></term>
+ <listitem><para>Increment the servers debugging level by one. </para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>trace <replaceable>level</replaceable></userinput></term>
+ <listitem><para>Sets the server's debugging level to an explicit
+ value.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>notrace</userinput></term>
+ <listitem><para>Sets the server's debugging level to 0.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>flush</userinput></term>
+ <listitem><para>Flushes the server's cache.</para></listitem></varlistentry>
+
+ <varlistentry><term><userinput>status</userinput></term>
+ <listitem><para>Display status of the server.
+Note the number of zones includes the internal <command>bind/CH</command> zone
+and the default <command>./IN</command> hint zone if there is not a
+explicit root zone configured.</para></listitem></varlistentry>
+
+</variablelist>
+
+<para>In <acronym>BIND</acronym> 9.2, <command>rndc</command>
+supports all the commands of the BIND 8 <command>ndc</command>
+utility except <command>ndc start</command> and
+<command>ndc restart</command>, which were also
+not supported in <command>ndc</command>'s channel mode.</para>
+
+<para>A configuration file is required, since all
+communication with the server is authenticated with
+digital signatures that rely on a shared secret, and
+there is no way to provide that secret other than with a
+configuration file. The default location for the
+<command>rndc</command> configuration file is
+<filename>/etc/rndc.conf</filename>, but an alternate
+location can be specified with the <option>-c</option>
+option. If the configuration file is not found,
+<command>rndc</command> will also look in
+<filename>/etc/rndc.key</filename> (or whatever
+<varname>sysconfdir</varname> was defined when
+the <acronym>BIND</acronym> build was configured).
+The <filename>rndc.key</filename> file is generated by
+running <command>rndc-confgen -a</command> as described in
+<xref linkend="controls_statement_definition_and_usage"/>.</para>
+
+<para>The format of the configuration file is similar to
+that of <filename>named.conf</filename>, but limited to
+only four statements, the <command>options</command>,
+<command>key</command>, <command>server</command> and
+<command>include</command>
+statements. These statements are what associate the
+secret keys to the servers with which they are meant to
+be shared. The order of statements is not
+significant.</para>
+
+<para>The <command>options</command> statement has three clauses:
+<command>default-server</command>, <command>default-key</command>,
+and <command>default-port</command>.
+<command>default-server</command> takes a
+host name or address argument and represents the server that will
+be contacted if no <option>-s</option>
+option is provided on the command line.
+<command>default-key</command> takes
+the name of a key as its argument, as defined by a <command>key</command> statement.
+<command>default-port</command> specifies the port to which
+<command>rndc</command> should connect if no
+port is given on the command line or in a
+<command>server</command> statement.</para>
+
+<para>The <command>key</command> statement defines an key to be used
+by <command>rndc</command> when authenticating with
+<command>named</command>. Its syntax is identical to the
+<command>key</command> statement in named.conf.
+The keyword <userinput>key</userinput> is
+followed by a key name, which must be a valid
+domain name, though it need not actually be hierarchical; thus,
+a string like "<userinput>rndc_key</userinput>" is a valid name.
+The <command>key</command> statement has two clauses:
+<command>algorithm</command> and <command>secret</command>.
+While the configuration parser will accept any string as the argument
+to algorithm, currently only the string "<userinput>hmac-md5</userinput>"
+has any meaning. The secret is a base-64 encoded string.</para>
+
+<para>The <command>server</command> statement associates a key
+defined using the <command>key</command> statement with a server.
+The keyword <userinput>server</userinput> is followed by a
+host name or address. The <command>server</command> statement
+has two clauses: <command>key</command> and <command>port</command>.
+The <command>key</command> clause specifies the name of the key
+to be used when communicating with this server, and the
+<command>port</command> clause can be used to
+specify the port <command>rndc</command> should connect
+to on the server.</para>
+
+<para>A sample minimal configuration file is as follows:</para>
+<programlisting>
+key rndc_key {
+ algorithm "hmac-md5";
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
+options {
+ default-server 127.0.0.1;
+ default-key rndc_key;
+};
+</programlisting>
+
+<para>This file, if installed as <filename>/etc/rndc.conf</filename>,
+would allow the command:</para>
+
+<para><prompt>$ </prompt><userinput>rndc reload</userinput></para>
+
+<para>to connect to 127.0.0.1 port 953 and cause the name server
+to reload, if a name server on the local machine were running with
+following controls statements:</para>
+<programlisting>
+controls {
+ inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+};
+</programlisting>
+<para>and it had an identical key statement for
+<literal>rndc_key</literal>.</para>
+
+<para>Running the <command>rndc-confgen</command> program will
+conveniently create a <filename>rndc.conf</filename>
+file for you, and also display the
+corresponding <command>controls</command> statement that you need to
+add to <filename>named.conf</filename>. Alternatively,
+you can run <command>rndc-confgen -a</command> to set up
+a <filename>rndc.key</filename> file and not modify
+<filename>named.conf</filename> at all.
+</para>
+
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ </sect3>
+ </sect2>
+<sect2>
+
+<title>Signals</title>
+<para>Certain UNIX signals cause the name server to take specific
+actions, as described in the following table. These signals can
+be sent using the <command>kill</command> command.</para>
+<informaltable frame = "all" ><tgroup cols = "2">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><command>SIGHUP</command></para></entry>
+<entry colname = "2"><para>Causes the server to read <filename>named.conf</filename> and
+reload the database. </para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>SIGTERM</command></para></entry>
+<entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1">
+<para><command>SIGINT</command></para>
+</entry>
+ <entry colname = "2"><para>Causes the server to clean up and exit.</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect2>
+ </sect1>
+ </chapter>
+
+<chapter id="ch04">
+<title>Advanced DNS Features</title>
+
+<sect1 id="notify">
+
+<title>Notify</title>
+<para><acronym>DNS</acronym> NOTIFY is a mechanism that allows master
+servers to notify their slave servers of changes to a zone's data. In
+response to a <command>NOTIFY</command> from a master server, the
+slave will check to see that its version of the zone is the
+current version and, if not, initiate a zone transfer.</para>
+
+<para><acronym>DNS</acronym>
+For more information about
+<command>NOTIFY</command>, see the description of the
+<command>notify</command> option in <xref linkend="boolean_options"/> and
+the description of the zone option <command>also-notify</command> in
+<xref linkend="zone_transfers"/>. The <command>NOTIFY</command>
+protocol is specified in RFC 1996.
+</para>
+
+</sect1>
+
+<sect1 id="dynamic_update">
+<title>Dynamic Update</title>
+
+ <para>Dynamic Update is a method for adding, replacing or deleting
+ records in a master server by sending it a special form of DNS
+ messages. The format and meaning of these messages is specified
+ in RFC 2136.</para>
+
+ <para>Dynamic update is enabled on a zone-by-zone basis, by
+ including an <command>allow-update</command> or
+ <command>update-policy</command> clause in the
+ <command>zone</command> statement.</para>
+
+ <para>Updating of secure zones (zones using DNSSEC) follows
+ RFC 3007: RRSIG and NSEC records affected by updates are automatically
+ regenerated by the server using an online zone key.
+ Update authorization is based
+ on transaction signatures and an explicit server policy.</para>
+
+ <sect2 id="journal">
+ <title>The journal file</title>
+
+ <para>All changes made to a zone using dynamic update are stored in the
+ zone's journal file. This file is automatically created by the
+ server when when the first dynamic update takes place. The name of
+ the journal file is formed by appending the
+ extension <filename>.jnl</filename> to the
+ name of the corresponding zone file. The journal file is in a
+ binary format and should not be edited manually.</para>
+
+ <para>The server will also occasionally write ("dump")
+ the complete contents of the updated zone to its zone file.
+ This is not done immediately after
+ each dynamic update, because that would be too slow when a large
+ zone is updated frequently. Instead, the dump is delayed by
+ up to 15 minutes, allowing additional updates to take place.</para>
+
+ <para>When a server is restarted after a shutdown or crash, it will replay
+ the journal file to incorporate into the zone any updates that took
+ place after the last zone dump.</para>
+
+ <para>Changes that result from incoming incremental zone transfers are also
+ journalled in a similar way.</para>
+
+ <para>The zone files of dynamic zones cannot normally be edited by
+ hand because they are not guaranteed to contain the most recent
+ dynamic changes - those are only in the journal file.
+ The only way to ensure that the zone file of a dynamic zone
+ is up to date is to run <command>rndc stop</command>.</para>
+
+ <para>If you have to make changes to a dynamic zone
+ manually, the following procedure will work: Disable dynamic updates
+ to the zone using
+ <command>rndc freeze <replaceable>zone</replaceable></command>.
+ This will also remove the zone's <filename>.jnl</filename> file
+ and update the master file. Edit the zone file. Run
+ <command>rndc unfreeze <replaceable>zone</replaceable></command>
+ to reload the changed zone and re-enable dynamic updates.</para>
+
+ </sect2>
+
+</sect1>
+
+<sect1 id="incremental_zone_transfers">
+<title>Incremental Zone Transfers (IXFR)</title>
+
+<para>The incremental zone transfer (IXFR) protocol is a way for
+slave servers to transfer only changed data, instead of having to
+transfer the entire zone. The IXFR protocol is specified in RFC
+1995. See <xref linkend="proposed_standards"/>.</para>
+
+<para>When acting as a master, <acronym>BIND</acronym> 9
+supports IXFR for those zones
+where the necessary change history information is available. These
+include master zones maintained by dynamic update and slave zones
+whose data was obtained by IXFR. For manually maintained master
+zones, and for slave zones obtained by performing a full zone
+transfer (AXFR), IXFR is supported only if the option
+<command>ixfr-from-differences</command> is set
+to <userinput>yes</userinput>.
+</para>
+
+<para>When acting as a slave, <acronym>BIND</acronym> 9 will
+attempt to use IXFR unless
+it is explicitly disabled. For more information about disabling
+IXFR, see the description of the <command>request-ixfr</command> clause
+of the <command>server</command> statement.</para>
+</sect1>
+
+<sect1><title>Split DNS</title>
+<para>Setting up different views, or visibility, of the DNS space to
+internal and external resolvers is usually referred to as a <emphasis>Split
+DNS</emphasis> setup. There are several reasons an organization
+would want to set up its DNS this way.</para>
+<para>One common reason for setting up a DNS system this way is
+to hide "internal" DNS information from "external" clients on the
+Internet. There is some debate as to whether or not this is actually useful.
+Internal DNS information leaks out in many ways (via email headers,
+for example) and most savvy "attackers" can find the information
+they need using other means.</para>
+<para>Another common reason for setting up a Split DNS system is
+to allow internal networks that are behind filters or in RFC 1918
+space (reserved IP space, as documented in RFC 1918) to resolve DNS
+on the Internet. Split DNS can also be used to allow mail from outside
+back in to the internal network.</para>
+<para>Here is an example of a split DNS setup:</para>
+<para>Let's say a company named <emphasis>Example, Inc.</emphasis>
+(<literal>example.com</literal>)
+has several corporate sites that have an internal network with reserved
+Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+or "outside" section of a network, that is available to the public.</para>
+<para><emphasis>Example, Inc.</emphasis> wants its internal clients
+to be able to resolve external hostnames and to exchange mail with
+people on the outside. The company also wants its internal resolvers
+to have access to certain internal-only zones that are not available
+at all outside of the internal network.</para>
+<para>In order to accomplish this, the company will set up two sets
+of name servers. One set will be on the inside network (in the reserved
+IP space) and the other set will be on bastion hosts, which are "proxy"
+hosts that can talk to both sides of its network, in the DMZ.</para>
+<para>The internal servers will be configured to forward all queries,
+except queries for <filename>site1.internal</filename>, <filename>site2.internal</filename>, <filename>site1.example.com</filename>,
+and <filename>site2.example.com</filename>, to the servers in the
+DMZ. These internal servers will have complete sets of information
+for <filename>site1.example.com</filename>, <filename>site2.example.com</filename>,<emphasis> </emphasis><filename>site1.internal</filename>,
+and <filename>site2.internal</filename>.</para>
+<para>To protect the <filename>site1.internal</filename> and <filename>site2.internal</filename> domains,
+the internal name servers must be configured to disallow all queries
+to these domains from any external hosts, including the bastion
+hosts.</para>
+<para>The external servers, which are on the bastion hosts, will
+be configured to serve the "public" version of the <filename>site1</filename> and <filename>site2.example.com</filename> zones.
+This could include things such as the host records for public servers
+(<filename>www.example.com</filename> and <filename>ftp.example.com</filename>),
+and mail exchange (MX) records (<filename>a.mx.example.com</filename> and <filename>b.mx.example.com</filename>).</para>
+<para>In addition, the public <filename>site1</filename> and <filename>site2.example.com</filename> zones
+should have special MX records that contain wildcard (`*') records
+pointing to the bastion hosts. This is needed because external mail
+servers do not have any other way of looking up how to deliver mail
+to those internal hosts. With the wildcard records, the mail will
+be delivered to the bastion host, which can then forward it on to
+internal hosts.</para>
+<para>Here's an example of a wildcard MX record:</para>
+<programlisting><literal>* IN MX 10 external1.example.com.</literal></programlisting>
+<para>Now that they accept mail on behalf of anything in the internal
+network, the bastion hosts will need to know how to deliver mail
+to internal hosts. In order for this to work properly, the resolvers on
+the bastion hosts will need to be configured to point to the internal
+name servers for DNS resolution.</para>
+<para>Queries for internal hostnames will be answered by the internal
+servers, and queries for external hostnames will be forwarded back
+out to the DNS servers on the bastion hosts.</para>
+<para>In order for all this to work properly, internal clients will
+need to be configured to query <emphasis>only</emphasis> the internal
+name servers for DNS queries. This could also be enforced via selective
+filtering on the network.</para>
+<para>If everything has been set properly, <emphasis>Example, Inc.</emphasis>'s
+internal clients will now be able to:</para>
+<itemizedlist><listitem>
+ <simpara>Look up any hostnames in the <literal>site1</literal> and
+<literal>site2.example.com</literal> zones.</simpara></listitem>
+<listitem>
+ <simpara>Look up any hostnames in the <literal>site1.internal</literal> and
+<literal>site2.internal</literal> domains.</simpara></listitem>
+<listitem>
+ <simpara>Look up any hostnames on the Internet.</simpara></listitem>
+<listitem>
+ <simpara>Exchange mail with internal AND external people.</simpara></listitem></itemizedlist>
+<para>Hosts on the Internet will be able to:</para>
+<itemizedlist><listitem>
+ <simpara>Look up any hostnames in the <literal>site1</literal> and
+<literal>site2.example.com</literal> zones.</simpara></listitem>
+<listitem>
+ <simpara>Exchange mail with anyone in the <literal>site1</literal> and
+<literal>site2.example.com</literal> zones.</simpara></listitem></itemizedlist>
+
+ <para>Here is an example configuration for the setup we just
+ described above. Note that this is only configuration information;
+ for information on how to configure your zone files, see <xref
+ linkend="sample_configuration"/></para>
+
+<para>Internal DNS server config:</para>
+<programlisting>
+
+acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+acl externals { <varname>bastion-ips-go-here</varname>; };
+
+options {
+ ...
+ ...
+ forward only;
+ forwarders { // forward to external servers
+ <varname>bastion-ips-go-here</varname>;
+ };
+ allow-transfer { none; }; // sample allow-transfer (no one)
+ allow-query { internals; externals; }; // restrict query access
+ allow-recursion { internals; }; // restrict recursion
+ ...
+ ...
+};
+
+zone "site1.example.com" { // sample master zone
+ type master;
+ file "m/site1.example.com";
+ forwarders { }; // do normal iterative
+ // resolution (do not forward)
+ allow-query { internals; externals; };
+ allow-transfer { internals; };
+};
+
+zone "site2.example.com" { // sample slave zone
+ type slave;
+ file "s/site2.example.com";
+ masters { 172.16.72.3; };
+ forwarders { };
+ allow-query { internals; externals; };
+ allow-transfer { internals; };
+};
+
+zone "site1.internal" {
+ type master;
+ file "m/site1.internal";
+ forwarders { };
+ allow-query { internals; };
+ allow-transfer { internals; }
+};
+
+zone "site2.internal" {
+ type slave;
+ file "s/site2.internal";
+ masters { 172.16.72.3; };
+ forwarders { };
+ allow-query { internals };
+ allow-transfer { internals; }
+};
+</programlisting>
+ <para>External (bastion host) DNS server config:</para>
+<programlisting>
+acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+acl externals { bastion-ips-go-here; };
+
+options {
+ ...
+ ...
+ allow-transfer { none; }; // sample allow-transfer (no one)
+ allow-query { internals; externals; }; // restrict query access
+ allow-recursion { internals; externals; }; // restrict recursion
+ ...
+ ...
+};
+
+zone "site1.example.com" { // sample slave zone
+ type master;
+ file "m/site1.foo.com";
+ allow-query { any; };
+ allow-transfer { internals; externals; };
+};
+
+zone "site2.example.com" {
+ type slave;
+ file "s/site2.foo.com";
+ masters { another_bastion_host_maybe; };
+ allow-query { any; };
+ allow-transfer { internals; externals; }
+};
+</programlisting>
+<para>In the <filename>resolv.conf</filename> (or equivalent) on
+the bastion host(s):</para>
+<programlisting>
+search ...
+nameserver 172.16.72.2
+nameserver 172.16.72.3
+nameserver 172.16.72.4
+</programlisting>
+</sect1>
+<sect1 id="tsig"><title>TSIG</title>
+<para>This is a short guide to setting up Transaction SIGnatures
+(TSIG) based transaction security in <acronym>BIND</acronym>. It describes changes
+to the configuration file as well as what changes are required for
+different features, including the process of creating transaction
+keys and using transaction signatures with <acronym>BIND</acronym>.</para>
+<para><acronym>BIND</acronym> primarily supports TSIG for server to server communication.
+This includes zone transfer, notify, and recursive query messages.
+Resolvers based on newer versions of <acronym>BIND</acronym> 8 have limited support
+for TSIG.</para>
+
+ <para>TSIG might be most useful for dynamic update. A primary
+ server for a dynamic zone should use access control to control
+ updates, but IP-based access control is insufficient.
+ The cryptographic access control provided by TSIG
+ is far superior. The <command>nsupdate</command>
+ program supports TSIG via the <option>-k</option> and
+ <option>-y</option> command line options.</para>
+
+<sect2><title>Generate Shared Keys for Each Pair of Hosts</title>
+<para>A shared secret is generated to be shared between <emphasis>host1</emphasis> and <emphasis>host2</emphasis>.
+An arbitrary key name is chosen: "host1-host2.". The key name must
+be the same on both hosts.</para>
+<sect3><title>Automatic Generation</title>
+<para>The following command will generate a 128 bit (16 byte) HMAC-MD5
+key as described above. Longer keys are better, but shorter keys
+are easier to read. Note that the maximum key length is 512 bits;
+keys longer than that will be digested with MD5 to produce a 128
+bit key.</para>
+ <para><userinput>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</userinput></para>
+<para>The key is in the file <filename>Khost1-host2.+157+00000.private</filename>.
+Nothing directly uses this file, but the base-64 encoded string
+following "<literal>Key:</literal>"
+can be extracted from the file and used as a shared secret:</para>
+<programlisting>Key: La/E5CjG9O+os1jq0a2jdA==</programlisting>
+<para>The string "<literal>La/E5CjG9O+os1jq0a2jdA==</literal>" can
+be used as the shared secret.</para></sect3>
+<sect3><title>Manual Generation</title>
+<para>The shared secret is simply a random sequence of bits, encoded
+in base-64. Most ASCII strings are valid base-64 strings (assuming
+the length is a multiple of 4 and only valid characters are used),
+so the shared secret can be manually generated.</para>
+<para>Also, a known string can be run through <command>mmencode</command> or
+a similar program to generate base-64 encoded data.</para></sect3></sect2>
+<sect2><title>Copying the Shared Secret to Both Machines</title>
+<para>This is beyond the scope of DNS. A secure transport mechanism
+should be used. This could be secure FTP, ssh, telephone, etc.</para></sect2>
+<sect2><title>Informing the Servers of the Key's Existence</title>
+<para>Imagine <emphasis>host1</emphasis> and <emphasis>host 2</emphasis> are
+both servers. The following is added to each server's <filename>named.conf</filename> file:</para>
+<programlisting>
+key host1-host2. {
+ algorithm hmac-md5;
+ secret "La/E5CjG9O+os1jq0a2jdA==";
+};
+</programlisting>
+<para>The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+The secret is the one generated above. Since this is a secret, it
+is recommended that either <filename>named.conf</filename> be non-world
+readable, or the key directive be added to a non-world readable
+file that is included by <filename>named.conf</filename>.</para>
+<para>At this point, the key is recognized. This means that if the
+server receives a message signed by this key, it can verify the
+signature. If the signature is successfully verified, the
+response is signed by the same key.</para></sect2>
+
+<sect2><title>Instructing the Server to Use the Key</title>
+<para>Since keys are shared between two hosts only, the server must
+be told when keys are to be used. The following is added to the <filename>named.conf</filename> file
+for <emphasis>host1</emphasis>, if the IP address of <emphasis>host2</emphasis> is
+10.1.2.3:</para>
+<programlisting>
+server 10.1.2.3 {
+ keys { host1-host2. ;};
+};
+</programlisting>
+<para>Multiple keys may be present, but only the first is used.
+This directive does not contain any secrets, so it may be in a world-readable
+file.</para>
+<para>If <emphasis>host1</emphasis> sends a message that is a request
+to that address, the message will be signed with the specified key. <emphasis>host1</emphasis> will
+expect any responses to signed messages to be signed with the same
+key.</para>
+<para>A similar statement must be present in <emphasis>host2</emphasis>'s
+configuration file (with <emphasis>host1</emphasis>'s address) for <emphasis>host2</emphasis> to
+sign request messages to <emphasis>host1</emphasis>.</para></sect2>
+<sect2><title>TSIG Key Based Access Control</title>
+<para><acronym>BIND</acronym> allows IP addresses and ranges to be specified in ACL
+definitions and
+<command>allow-{ query | transfer | update }</command> directives.
+This has been extended to allow TSIG keys also. The above key would
+be denoted <command>key host1-host2.</command></para>
+<para>An example of an allow-update directive would be:</para>
+<programlisting>
+allow-update { key host1-host2. ;};
+</programlisting>
+
+ <para>This allows dynamic updates to succeed only if the request
+ was signed by a key named
+ "<command>host1-host2.</command>".</para> <para>You may want to read about the more
+ powerful <command>update-policy</command> statement in <xref
+ linkend="dynamic_update_policies"/>.</para>
+
+ </sect2>
+ <sect2>
+ <title>Errors</title>
+
+ <para>The processing of TSIG signed messages can result in
+ several errors. If a signed message is sent to a non-TSIG aware
+ server, a FORMERR will be returned, since the server will not
+ understand the record. This is a result of misconfiguration,
+ since the server must be explicitly configured to send a TSIG
+ signed message to a specific server.</para>
+
+ <para>If a TSIG aware server receives a message signed by an
+ unknown key, the response will be unsigned with the TSIG
+ extended error code set to BADKEY. If a TSIG aware server
+ receives a message with a signature that does not validate, the
+ response will be unsigned with the TSIG extended error code set
+ to BADSIG. If a TSIG aware server receives a message with a time
+ outside of the allowed range, the response will be signed with
+ the TSIG extended error code set to BADTIME, and the time values
+ will be adjusted so that the response can be successfully
+ verified. In any of these cases, the message's rcode is set to
+ NOTAUTH.</para>
+
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>TKEY</title>
+
+ <para><command>TKEY</command> is a mechanism for automatically
+ generating a shared secret between two hosts. There are several
+ "modes" of <command>TKEY</command> that specify how the key is
+ generated or assigned. <acronym>BIND</acronym> 9
+ implements only one of these modes,
+ the Diffie-Hellman key exchange. Both hosts are required to have
+ a Diffie-Hellman KEY record (although this record is not required
+ to be present in a zone). The <command>TKEY</command> process
+ must use signed messages, signed either by TSIG or SIG(0). The
+ result of <command>TKEY</command> is a shared secret that can be
+ used to sign messages with TSIG. <command>TKEY</command> can also
+ be used to delete shared secrets that it had previously
+ generated.</para>
+
+ <para>The <command>TKEY</command> process is initiated by a client
+ or server by sending a signed <command>TKEY</command> query
+ (including any appropriate KEYs) to a TKEY-aware server. The
+ server response, if it indicates success, will contain a
+ <command>TKEY</command> record and any appropriate keys. After
+ this exchange, both participants have enough information to
+ determine the shared secret; the exact process depends on the
+ <command>TKEY</command> mode. When using the Diffie-Hellman
+ <command>TKEY</command> mode, Diffie-Hellman keys are exchanged,
+ and the shared secret is derived by both participants.</para>
+
+ </sect1>
+ <sect1>
+ <title>SIG(0)</title>
+
+ <para><acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
+ transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
+ uses public/private keys to authenticate messages. Access control
+ is performed in the same manner as TSIG keys; privileges can be
+ granted or denied based on the key name.</para>
+
+ <para>When a SIG(0) signed message is received, it will only be
+ verified if the key is known and trusted by the server; the server
+ will not attempt to locate and/or validate the key.</para>
+
+ <para>SIG(0) signing of multiple-message TCP streams is not
+ supported.</para>
+
+ <para>The only tool shipped with <acronym>BIND</acronym> 9 that
+ generates SIG(0) signed messages is <command>nsupdate</command>.</para>
+
+ </sect1>
+ <sect1 id="DNSSEC">
+ <title>DNSSEC</title>
+
+ <para>Cryptographic authentication of DNS information is possible
+ through the DNS Security (<emphasis>DNSSEC-bis</emphasis>) extensions,
+ defined in RFC &lt;TBA&gt;. This section describes the creation and use
+ of DNSSEC signed zones.</para>
+
+ <para>In order to set up a DNSSEC secure zone, there are a series
+ of steps which must be followed. <acronym>BIND</acronym> 9 ships
+ with several tools
+ that are used in this process, which are explained in more detail
+ below. In all cases, the <option>-h</option> option prints a
+ full list of parameters. Note that the DNSSEC tools require the
+ keyset files to be in the working directory or the
+ directory specified by the <option>-h</option> option, and
+ that the tools shipped with BIND 9.2.x and earlier are not compatible
+ with the current ones.</para>
+
+ <para>There must also be communication with the administrators of
+ the parent and/or child zone to transmit keys. A zone's security
+ status must be indicated by the parent zone for a DNSSEC capable
+ resolver to trust its data. This is done through the presense
+ or absence of a <literal>DS</literal> record at the delegation
+ point.</para>
+
+ <para>For other servers to trust data in this zone, they must
+ either be statically configured with this zone's zone key or the
+ zone key of another zone above this one in the DNS tree.</para>
+
+ <sect2>
+ <title>Generating Keys</title>
+
+ <para>The <command>dnssec-keygen</command> program is used to
+ generate keys.</para>
+
+ <para>A secure zone must contain one or more zone keys. The
+ zone keys will sign all other records in the zone, as well as
+ the zone keys of any secure delegated zones. Zone keys must
+ have the same name as the zone, a name type of
+ <command>ZONE</command>, and must be usable for authentication.
+ It is recommended that zone keys use a cryptographic algorithm
+ designated as "mandatory to implement" by the IETF; currently
+ the only one is RSASHA1.</para>
+
+ <para>The following command will generate a 768 bit RSASHA1 key for
+ the <filename>child.example</filename> zone:</para>
+
+ <para><userinput>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</userinput></para>
+
+ <para>Two output files will be produced:
+ <filename>Kchild.example.+005+12345.key</filename> and
+ <filename>Kchild.example.+005+12345.private</filename> (where
+ 12345 is an example of a key tag). The key file names contain
+ the key name (<filename>child.example.</filename>), algorithm (3
+ is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
+ The private key (in the <filename>.private</filename> file) is
+ used to generate signatures, and the public key (in the
+ <filename>.key</filename> file) is used for signature
+ verification.</para>
+
+ <para>To generate another key with the same properties (but with
+ a different key tag), repeat the above command.</para>
+
+ <para>The public keys should be inserted into the zone file by
+ including the <filename>.key</filename> files using
+ <command>$INCLUDE</command> statements.
+ </para>
+
+ </sect2>
+ <sect2>
+ <title>Signing the Zone</title>
+
+ <para>The <command>dnssec-signzone</command> program is used to
+ sign a zone.</para>
+
+ <para>Any <filename>keyset</filename> files corresponding
+ to secure subzones should be present. The zone signer will
+ generate <literal>NSEC</literal> and <literal>RRSIG</literal>
+ records for the zone, as well as <literal>DS</literal> for
+ the child zones if <literal>'-d'</literal> is specified.
+ If <literal>'-d'</literal> is not specified then DS RRsets for
+ the secure child zones need to be added manually.</para>
+
+ <para>The following command signs the zone, assuming it is in a
+ file called <filename>zone.child.example</filename>. By
+ default, all zone keys which have an available private key are
+ used to generate signatures.</para>
+
+<para><userinput>dnssec-signzone -o child.example zone.child.example</userinput></para>
+
+ <para>One output file is produced:
+ <filename>zone.child.example.signed</filename>. This file
+ should be referenced by <filename>named.conf</filename> as the
+ input file for the zone.</para>
+
+ <para><command>dnssec-signzone</command> will also produce a
+ keyset and dsset files and optionally a dlvset file. These
+ are used to provide the parent zone administators with the
+ <literal>DNSKEYs</literal> (or their corresponding <literal>DS</literal>
+ records) that are the secure entry point to the zone.</para>
+
+ </sect2>
+
+<sect2><title>Configuring Servers</title>
+
+<para>Unlike <acronym>BIND</acronym> 8,
+<acronym>BIND</acronym> 9 does not verify signatures on load,
+so zone keys for authoritative zones do not need to be specified
+in the configuration file.</para>
+
+<para>The public key for any security root must be present in
+the configuration file's <command>trusted-keys</command>
+statement, as described later in this document. </para>
+
+</sect2>
+
+</sect1>
+ <sect1>
+ <title>IPv6 Support in <acronym>BIND</acronym> 9</title>
+
+ <para><acronym>BIND</acronym> 9 fully supports all currently defined forms of IPv6
+ name to address and address to name lookups. It will also use
+ IPv6 addresses to make queries when running on an IPv6 capable
+ system.</para>
+
+ <para>For forward lookups, <acronym>BIND</acronym> 9 supports only AAAA
+ records. The use of A6 records is deprecated by RFC 3363, and the
+ support for forward lookups in <acronym>BIND</acronym> 9 is
+ removed accordingly.
+ However, authoritative <acronym>BIND</acronym> 9 name servers still
+ load zone files containing A6 records correctly, answer queries
+ for A6 records, and accept zone transfer for a zone containing A6
+ records.</para>
+
+ <para>For IPv6 reverse lookups, <acronym>BIND</acronym> 9 supports
+ the traditional "nibble" format used in the
+ <emphasis>ip6.arpa</emphasis> domain, as well as the older, deprecated
+ <emphasis>ip6.int</emphasis> domain.
+ <acronym>BIND</acronym> 9 formerly
+ supported the "binary label" (also known as "bitstring") format.
+ The support of binary labels, however, is now completely removed
+ according to the changes in RFC 3363.
+ Any applications in <acronym>BIND</acronym> 9 do not understand
+ the format any more, and will return an error if given.
+ In particular, an authoritative <acronym>BIND</acronym> 9 name
+ server rejects to load a zone file containing binary labels.</para>
+
+ <para>For an overview of the format and structure of IPv6 addresses,
+ see <xref linkend="ipv6addresses"/>.</para>
+
+ <sect2>
+ <title>Address Lookups Using AAAA Records</title>
+
+ <para>The AAAA record is a parallel to the IPv4 A record. It
+ specifies the entire address in a single record. For
+ example,</para>
+
+<programlisting>
+$ORIGIN example.com.
+host 3600 IN AAAA 2001:db8::1
+</programlisting>
+
+ <para>It is recommended that IPv4-in-IPv6 mapped addresses not
+ be used. If a host has an IPv4 address, use an A record, not
+ a AAAA, with <literal>::ffff:192.168.42.1</literal> as the
+ address.</para>
+ </sect2>
+ <sect2>
+ <title>Address to Name Lookups Using Nibble Format</title>
+
+ <para>When looking up an address in nibble format, the address
+ components are simply reversed, just as in IPv4, and
+ <literal>ip6.arpa.</literal> is appended to the resulting name.
+ For example, the following would provide reverse name lookup for
+ a host with address
+ <literal>2001:db8::1</literal>.</para>
+
+<programlisting>
+$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
+</programlisting>
+ </sect2>
+ </sect1>
+ </chapter>
+
+ <chapter id="ch05"><title>The <acronym>BIND</acronym> 9 Lightweight Resolver</title>
+<sect1><title>The Lightweight Resolver Library</title>
+<para>Traditionally applications have been linked with a stub resolver
+library that sends recursive DNS queries to a local caching name
+server.</para>
+<para>IPv6 once introduced new complexity into the resolution process,
+such as following A6 chains and DNAME records, and simultaneous
+lookup of IPv4 and IPv6 addresses. Though most of the complexity was
+then removed, these are hard or impossible
+to implement in a traditional stub resolver.</para>
+<para>Instead, <acronym>BIND</acronym> 9 provides resolution services to local clients
+using a combination of a lightweight resolver library and a resolver
+daemon process running on the local host. These communicate using
+a simple UDP-based protocol, the "lightweight resolver protocol"
+that is distinct from and simpler than the full DNS protocol.</para></sect1>
+<sect1 id="lwresd"><title>Running a Resolver Daemon</title>
+
+<para>To use the lightweight resolver interface, the system must
+run the resolver daemon <command>lwresd</command> or a local
+name server configured with a <command>lwres</command> statement.</para>
+
+<para>By default, applications using the lightweight resolver library will make
+UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
+address can be overridden by <command>lwserver</command> lines in
+<filename>/etc/resolv.conf</filename>.</para>
+
+<para>The daemon currently only looks in the DNS, but in the future
+it may use other sources such as <filename>/etc/hosts</filename>,
+NIS, etc.</para>
+
+<para>The <command>lwresd</command> daemon is essentially a
+caching-only name server that responds to requests using the lightweight
+resolver protocol rather than the DNS protocol. Because it needs
+to run on each host, it is designed to require no or minimal configuration.
+Unless configured otherwise, it uses the name servers listed on
+<command>nameserver</command> lines in <filename>/etc/resolv.conf</filename>
+as forwarders, but is also capable of doing the resolution autonomously if
+none are specified.</para>
+<para>The <command>lwresd</command> daemon may also be configured with a
+<filename>named.conf</filename> style configuration file, in
+<filename>/etc/lwresd.conf</filename> by default. A name server may also
+be configured to act as a lightweight resolver daemon using the
+<command>lwres</command> statement in <filename>named.conf</filename>.</para>
+
+</sect1></chapter>
+
+<chapter id="ch06"><title><acronym>BIND</acronym> 9 Configuration Reference</title>
+
+<para><acronym>BIND</acronym> 9 configuration is broadly similar
+to <acronym>BIND</acronym> 8; however, there are a few new areas
+of configuration, such as views. <acronym>BIND</acronym>
+8 configuration files should work with few alterations in <acronym>BIND</acronym>
+9, although more complex configurations should be reviewed to check
+if they can be more efficiently implemented using the new features
+found in <acronym>BIND</acronym> 9.</para>
+
+<para><acronym>BIND</acronym> 4 configuration files can be converted to the new format
+using the shell script
+<filename>contrib/named-bootconf/named-bootconf.sh</filename>.</para>
+<sect1 id="configuration_file_elements"><title>Configuration File Elements</title>
+<para>Following is a list of elements used throughout the <acronym>BIND</acronym> configuration
+file documentation:</para>
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.855in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.770in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>acl_name</varname></para></entry>
+<entry colname = "2"><para>The name of an <varname>address_match_list</varname> as
+defined by the <command>acl</command> statement.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>address_match_list</varname></para></entry>
+<entry colname = "2"><para>A list of one or more <varname>ip_addr</varname>,
+<varname>ip_prefix</varname>, <varname>key_id</varname>,
+or <varname>acl_name</varname> elements, see
+<xref linkend="address_match_lists"/>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>domain_name</varname></para></entry>
+<entry colname = "2"><para>A quoted string which will be used as
+a DNS name, for example "<literal>my.test.domain</literal>".</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>dotted_decimal</varname></para></entry>
+<entry colname = "2"><para>One to four integers valued 0 through
+255 separated by dots (`.'), such as <command>123</command>,
+<command>45.67</command> or <command>89.123.45.67</command>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>ip4_addr</varname></para></entry>
+<entry colname = "2"><para>An IPv4 address with exactly four elements
+in <varname>dotted_decimal</varname> notation.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>ip6_addr</varname></para></entry>
+<entry colname = "2"><para>An IPv6 address, such as <command>2001:db8::1234</command>.
+IPv6 scoped addresses that have ambiguity on their scope zones must be
+disambiguated by an appropriate zone ID with the percent character
+(`%') as delimiter.
+It is strongly recommended to use string zone names rather than
+numeric identifiers, in order to be robust against system
+configuration changes.
+However, since there is no standard mapping for such names and
+identifier values, currently only interface names as link identifiers
+are supported, assuming one-to-one mapping between interfaces and links.
+For example, a link-local address <command>fe80::1</command> on the
+link attached to the interface <command>ne0</command>
+can be specified as <command>fe80::1%ne0</command>.
+Note that on most systems link-local addresses always have the
+ambiguity, and need to be disambiguated.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>ip_addr</varname></para></entry>
+<entry colname = "2"><para>An <varname>ip4_addr</varname> or <varname>ip6_addr</varname>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>ip_port</varname></para></entry>
+<entry colname = "2"><para>An IP port <varname>number</varname>.
+<varname>number</varname> is limited to 0 through 65535, with values
+below 1024 typically restricted to use by processes running as root.
+In some cases an asterisk (`*') character can be used as a placeholder to
+select a random high-numbered port.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>ip_prefix</varname></para></entry>
+<entry colname = "2"><para>An IP network specified as an <varname>ip_addr</varname>,
+followed by a slash (`/') and then the number of bits in the netmask.
+Trailing zeros in a <varname>ip_addr</varname> may omitted.
+For example, <command>127/8</command> is the network <command>127.0.0.0</command> with
+netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
+network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>key_id</varname></para></entry>
+<entry colname = "2"><para>A <varname>domain_name</varname> representing
+the name of a shared key, to be used for transaction security.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>key_list</varname></para></entry>
+<entry colname = "2"><para>A list of one or more <varname>key_id</varname>s,
+separated by semicolons and ending with a semicolon.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>number</varname></para></entry>
+<entry colname = "2"><para>A non-negative 32 bit integer
+(i.e., a number between 0 and 4294967295, inclusive).
+Its acceptable value might further
+be limited by the context in which it is used.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>path_name</varname></para></entry>
+<entry colname = "2"><para>A quoted string which will be used as
+a pathname, such as <filename>zones/master/my.test.domain</filename>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>size_spec</varname></para></entry>
+<entry colname = "2"><para>A number, the word <userinput>unlimited</userinput>,
+or the word <userinput>default</userinput>.</para><para>
+An <varname>unlimited</varname> <varname>size_spec</varname> requests unlimited
+use, or the maximum available amount. A <varname>default size_spec</varname> uses
+the limit that was in force when the server was started.</para><para>A <varname>number</varname> can
+optionally be followed by a scaling factor: <userinput>K</userinput> or <userinput>k</userinput> for
+kilobytes, <userinput>M</userinput> or <userinput>m</userinput> for
+megabytes, and <userinput>G</userinput> or <userinput>g</userinput> for gigabytes,
+which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</para>
+<para>The value must be representable as a 64-bit unsigned integer
+(0 to 18446744073709551615, inclusive).
+Using <varname>unlimited</varname> is the best way
+to safely set a really large number.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>yes_or_no</varname></para></entry>
+<entry colname = "2"><para>Either <userinput>yes</userinput> or <userinput>no</userinput>.
+The words <userinput>true</userinput> and <userinput>false</userinput> are
+also accepted, as are the numbers <userinput>1</userinput> and <userinput>0</userinput>.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>dialup_option</varname></para></entry>
+<entry colname = "2"><para>One of <userinput>yes</userinput>,
+<userinput>no</userinput>, <userinput>notify</userinput>,
+<userinput>notify-passive</userinput>, <userinput>refresh</userinput> or
+<userinput>passive</userinput>.
+When used in a zone, <userinput>notify-passive</userinput>,
+<userinput>refresh</userinput>, and <userinput>passive</userinput>
+are restricted to slave and stub zones.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<sect2 id="address_match_lists"><title>Address Match Lists</title>
+<sect3><title>Syntax</title>
+ <programlisting><varname>address_match_list</varname> = address_match_list_element ;
+ <optional> address_match_list_element; ... </optional>
+<varname>address_match_list_element</varname> = <optional> ! </optional> (ip_address <optional>/length</optional> |
+ key key_id | acl_name | { address_match_list } )
+</programlisting>
+</sect3>
+<sect3><title>Definition and Usage</title>
+<para>Address match lists are primarily used to determine access
+control for various server operations. They are also used in
+the <command>listen-on</command> and <command>sortlist</command>
+statements. The elements
+which constitute an address match list can be any of the following:</para>
+<itemizedlist><listitem>
+ <simpara>an IP address (IPv4 or IPv6)</simpara></listitem>
+<listitem>
+ <simpara>an IP prefix (in `/' notation)</simpara></listitem>
+<listitem>
+ <simpara>a key ID, as defined by the <command>key</command> statement</simpara></listitem>
+<listitem>
+ <simpara>the name of an address match list previously defined with
+the <command>acl</command> statement</simpara></listitem>
+<listitem>
+ <simpara>a nested address match list enclosed in braces</simpara></listitem></itemizedlist>
+
+<para>Elements can be negated with a leading exclamation mark (`!'),
+and the match list names "any", "none", "localhost", and "localnets"
+are predefined. More information on those names can be found in
+the description of the acl statement.</para>
+
+<para>The addition of the key clause made the name of this syntactic
+element something of a misnomer, since security keys can be used
+to validate access without regard to a host or network address. Nonetheless,
+the term "address match list" is still used throughout the documentation.</para>
+
+<para>When a given IP address or prefix is compared to an address
+match list, the list is traversed in order until an element matches.
+The interpretation of a match depends on whether the list is being used
+for access control, defining listen-on ports, or in a sortlist,
+and whether the element was negated.</para>
+
+<para>When used as an access control list, a non-negated match allows
+access and a negated match denies access. If there is no match,
+access is denied. The clauses <command>allow-notify</command>,
+<command>allow-query</command>, <command>allow-transfer</command>,
+<command>allow-update</command>, <command>allow-update-forwarding</command>,
+and <command>blackhole</command> all
+use address match lists this. Similarly, the listen-on option will cause
+the server to not accept queries on any of the machine's addresses
+which do not match the list.</para>
+
+<para>Because of the first-match aspect of the algorithm, an element
+that defines a subset of another element in the list should come
+before the broader element, regardless of whether either is negated. For
+example, in
+<command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13 element is
+completely useless because the algorithm will match any lookup for
+1.2.3.13 to the 1.2.3/24 element.
+Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+that problem by having 1.2.3.13 blocked by the negation but all
+other 1.2.3.* hosts fall through.</para>
+</sect3>
+</sect2>
+
+<sect2>
+<title>Comment Syntax</title>
+
+<para>The <acronym>BIND</acronym> 9 comment syntax allows for comments to appear
+anywhere that white space may appear in a <acronym>BIND</acronym> configuration
+file. To appeal to programmers of all kinds, they can be written
+in the C, C++, or shell/perl style.</para>
+
+<sect3>
+<title>Syntax</title>
+
+<para><programlisting>/* This is a <acronym>BIND</acronym> comment as in C */</programlisting>
+<programlisting>// This is a <acronym>BIND</acronym> comment as in C++</programlisting>
+<programlisting># This is a <acronym>BIND</acronym> comment as in common UNIX shells and perl</programlisting>
+ </para>
+ </sect3>
+ <sect3>
+ <title>Definition and Usage</title>
+<para>Comments may appear anywhere that whitespace may appear in
+a <acronym>BIND</acronym> configuration file.</para>
+<para>C-style comments start with the two characters /* (slash,
+star) and end with */ (star, slash). Because they are completely
+delimited with these characters, they can be used to comment only
+a portion of a line or to span multiple lines.</para>
+<para>C-style comments cannot be nested. For example, the following
+is not valid because the entire comment ends with the first */:</para>
+ <para><programlisting>/* This is the start of a comment.
+ This is still part of the comment.
+/* This is an incorrect attempt at nesting a comment. */
+ This is no longer in any comment. */
+</programlisting></para>
+
+<para>C++-style comments start with the two characters // (slash,
+slash) and continue to the end of the physical line. They cannot
+be continued across multiple physical lines; to have one logical
+comment span multiple lines, each line must use the // pair.</para>
+<para>For example:</para>
+ <para><programlisting>// This is the start of a comment. The next line
+// is a new comment, even though it is logically
+// part of the previous comment.
+</programlisting></para>
+<para>Shell-style (or perl-style, if you prefer) comments start
+with the character <literal>#</literal> (number sign) and continue to the end of the
+physical line, as in C++ comments.</para>
+<para>For example:</para>
+
+<para><programlisting># This is the start of a comment. The next line
+# is a new comment, even though it is logically
+# part of the previous comment.
+</programlisting>
+</para>
+
+<warning>
+ <para>You cannot use the semicolon (`;') character
+ to start a comment such as you would in a zone file. The
+ semicolon indicates the end of a configuration
+ statement.</para>
+</warning>
+</sect3>
+</sect2>
+</sect1>
+
+<sect1 id="Configuration_File_Grammar">
+<title>Configuration File Grammar</title>
+
+ <para>A <acronym>BIND</acronym> 9 configuration consists of statements and comments.
+ Statements end with a semicolon. Statements and comments are the
+ only elements that can appear without enclosing braces. Many
+ statements contain a block of sub-statements, which are also
+ terminated with a semicolon.</para>
+
+ <para>The following statements are supported:</para>
+
+ <informaltable colsep = "0" rowsep = "0">
+ <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle =
+ "2Level-table">
+ <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.336in"/>
+ <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.778in"/>
+ <tbody>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>acl</command></para></entry>
+ <entry colname = "2"><para>defines a named IP address
+matching list, for access control and other uses.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>controls</command></para></entry>
+ <entry colname = "2"><para>declares control channels to be used
+by the <command>rndc</command> utility.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>include</command></para></entry>
+ <entry colname = "2"><para>includes a file.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>key</command></para></entry>
+ <entry colname = "2"><para>specifies key information for use in
+authentication and authorization using TSIG.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>logging</command></para></entry>
+ <entry colname = "2"><para>specifies what the server logs, and where
+the log messages are sent.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>lwres</command></para></entry>
+ <entry colname = "2"><para>configures <command>named</command> to
+also act as a light weight resolver daemon (<command>lwresd</command>).</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>masters</command></para></entry>
+ <entry colname = "2"><para>defines a named masters list for
+inclusion in stub and slave zone masters clauses.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>options</command></para></entry>
+ <entry colname = "2"><para>controls global server configuration
+options and sets defaults for other statements.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>server</command></para></entry>
+ <entry colname = "2"><para>sets certain configuration options on
+a per-server basis.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>trusted-keys</command></para></entry>
+ <entry colname = "2"><para>defines trusted DNSSEC keys.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>view</command></para></entry>
+ <entry colname = "2"><para>defines a view.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>zone</command></para></entry>
+ <entry colname = "2"><para>defines a zone.</para></entry>
+ </row>
+ </tbody>
+ </tgroup></informaltable>
+
+ <para>The <command>logging</command> and
+ <command>options</command> statements may only occur once per
+ configuration.</para>
+
+ <sect2>
+ <title><command>acl</command> Statement Grammar</title>
+
+ <programlisting><command>acl</command> acl-name {
+ address_match_list
+};
+</programlisting>
+ </sect2>
+ <sect2 id="acl">
+ <title><command>acl</command> Statement Definition and
+Usage</title>
+
+ <para>The <command>acl</command> statement assigns a symbolic
+ name to an address match list. It gets its name from a primary
+ use of address match lists: Access Control Lists (ACLs).</para>
+
+ <para>Note that an address match list's name must be defined
+ with <command>acl</command> before it can be used elsewhere; no
+ forward references are allowed.</para>
+
+ <para>The following ACLs are built-in:</para>
+
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.130in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><command>any</command></para></entry>
+<entry colname = "2"><para>Matches all hosts.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>none</command></para></entry>
+<entry colname = "2"><para>Matches no hosts.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>localhost</command></para></entry>
+<entry colname = "2"><para>Matches the IPv4 and IPv6 addresses of all network
+interfaces on the system.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>localnets</command></para></entry>
+<entry colname = "2"><para>Matches any host on an IPv4 or IPv6 network
+for which the system has an interface.
+Some systems do not provide a way to determine the prefix lengths of
+local IPv6 addresses.
+In such a case, <command>localnets</command> only matches the local
+IPv6 addresses, just like <command>localhost</command>.
+</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+
+</sect2>
+<sect2>
+ <title><command>controls</command> Statement Grammar</title>
+<programlisting><command>controls</command> {
+ inet ( ip_addr | * ) <optional> port ip_port </optional> allow { <replaceable> address_match_list </replaceable> }
+ keys { <replaceable> key_list </replaceable> };
+ <optional> inet ...; </optional>
+};
+</programlisting>
+</sect2>
+
+<sect2 id="controls_statement_definition_and_usage">
+<title><command>controls</command> Statement Definition and Usage</title>
+
+ <para>The <command>controls</command> statement declares control
+ channels to be used by system administrators to control the
+ operation of the name server. These control channels are
+ used by the <command>rndc</command> utility to send commands to
+ and retrieve non-DNS results from a name server.</para>
+
+ <para>An <command>inet</command> control channel is a TCP
+ socket listening at the specified
+ <command>ip_port</command> on the specified
+ <command>ip_addr</command>, which can be an IPv4 or IPv6
+ address. An <command>ip_addr</command>
+ of <literal>*</literal> is interpreted as the IPv4 wildcard
+ address; connections will be accepted on any of the system's
+ IPv4 addresses. To listen on the IPv6 wildcard address,
+ use an <command>ip_addr</command> of <literal>::</literal>.
+ If you will only use <command>rndc</command> on the local host,
+ using the loopback address (<literal>127.0.0.1</literal>
+ or <literal>::1</literal>) is recommended for maximum
+ security.
+ </para>
+
+ <para>
+ If no port is specified, port 953
+ is used. "<literal>*</literal>" cannot be used for
+ <command>ip_port</command>.</para>
+
+ <para>The ability to issue commands over the control channel is
+ restricted by the <command>allow</command> and
+ <command>keys</command> clauses. Connections to the control
+ channel are permitted based on the
+ <command>address_match_list</command>. This is for simple
+ IP address based filtering only; any <command>key_id</command>
+ elements of the <command>address_match_list</command> are
+ ignored.
+ </para>
+
+ <para>The primary authorization mechanism of the command
+ channel is the <command>key_list</command>, which contains
+ a list of <command>key_id</command>s.
+ Each <command>key_id</command> in
+ the <command>key_list</command> is authorized to execute
+ commands over the control channel.
+ See <xref linkend="rndc"/> in
+ <xref linkend="admin_tools"/>) for information about
+ configuring keys in <command>rndc</command>.</para>
+
+<para>
+If no <command>controls</command> statement is present,
+<command>named</command> will set up a default
+control channel listening on the loopback address 127.0.0.1
+and its IPv6 counterpart ::1.
+In this case, and also when the <command>controls</command> statement
+is present but does not have a <command>keys</command> clause,
+<command>named</command> will attempt to load the command channel key
+from the file <filename>rndc.key</filename> in
+<filename>/etc</filename> (or whatever <varname>sysconfdir</varname>
+was specified as when <acronym>BIND</acronym> was built).
+To create a <filename>rndc.key</filename> file, run
+<userinput>rndc-confgen -a</userinput>.
+</para>
+
+ <para>The <filename>rndc.key</filename> feature was created to
+ ease the transition of systems from <acronym>BIND</acronym> 8,
+ which did not have digital signatures on its command channel messages
+ and thus did not have a <command>keys</command> clause.
+
+It makes it possible to use an existing <acronym>BIND</acronym> 8
+configuration file in <acronym>BIND</acronym> 9 unchanged,
+and still have <command>rndc</command> work the same way
+<command>ndc</command> worked in BIND 8, simply by executing the
+command <userinput>rndc-confgen -a</userinput> after BIND 9 is
+installed.
+</para>
+
+ <para>
+ Since the <filename>rndc.key</filename> feature
+ is only intended to allow the backward-compatible usage of
+ <acronym>BIND</acronym> 8 configuration files, this feature does not
+ have a high degree of configurability. You cannot easily change
+ the key name or the size of the secret, so you should make a
+ <filename>rndc.conf</filename> with your own key if you wish to change
+ those things. The <filename>rndc.key</filename> file also has its
+ permissions set such that only the owner of the file (the user that
+ <command>named</command> is running as) can access it. If you
+ desire greater flexibility in allowing other users to access
+ <command>rndc</command> commands then you need to create an
+ <filename>rndc.conf</filename> and make it group readable by a group
+ that contains the users who should have access.</para>
+
+ <para>The UNIX control channel type of <acronym>BIND</acronym> 8 is not supported
+ in <acronym>BIND</acronym> 9, and is not expected to be added in future
+ releases. If it is present in the controls statement from a
+ <acronym>BIND</acronym> 8 configuration file, it is ignored
+ and a warning is logged.</para>
+
+<para>
+To disable the command channel, use an empty <command>controls</command>
+statement: <command>controls { };</command>.
+</para>
+
+ </sect2>
+ <sect2>
+ <title><command>include</command> Statement Grammar</title>
+ <programlisting>include <replaceable>filename</replaceable>;</programlisting>
+ </sect2>
+ <sect2>
+ <title><command>include</command> Statement Definition and Usage</title>
+
+ <para>The <command>include</command> statement inserts the
+ specified file at the point where the <command>include</command>
+ statement is encountered. The <command>include</command>
+ statement facilitates the administration of configuration files
+ by permitting the reading or writing of some things but not
+ others. For example, the statement could include private keys
+ that are readable only by the name server.</para>
+
+ </sect2>
+ <sect2>
+ <title><command>key</command> Statement Grammar</title>
+<programlisting>key <replaceable>key_id</replaceable> {
+ algorithm <replaceable>string</replaceable>;
+ secret <replaceable>string</replaceable>;
+};
+</programlisting>
+ </sect2>
+
+<sect2>
+<title><command>key</command> Statement Definition and Usage</title>
+
+<para>The <command>key</command> statement defines a shared
+secret key for use with TSIG (see <xref linkend="tsig"/>)
+or the command channel
+(see <xref linkend="controls_statement_definition_and_usage"/>).
+</para>
+
+<para>
+The <command>key</command> statement can occur at the top level
+of the configuration file or inside a <command>view</command>
+statement. Keys defined in top-level <command>key</command>
+statements can be used in all views. Keys intended for use in
+a <command>controls</command> statement
+(see <xref linkend="controls_statement_definition_and_usage"/>)
+must be defined at the top level.
+</para>
+
+<para>The <replaceable>key_id</replaceable>, also known as the
+key name, is a domain name uniquely identifying the key. It can
+be used in a <command>server</command>
+statement to cause requests sent to that
+server to be signed with this key, or in address match lists to
+verify that incoming requests have been signed with a key
+matching this name, algorithm, and secret.</para>
+
+<para>The <replaceable>algorithm_id</replaceable> is a string
+that specifies a security/authentication algorithm. The only
+algorithm currently supported with TSIG authentication is
+<literal>hmac-md5</literal>. The
+<replaceable>secret_string</replaceable> is the secret to be
+used by the algorithm, and is treated as a base-64 encoded
+string.</para>
+
+</sect2>
+ <sect2>
+ <title><command>logging</command> Statement Grammar</title>
+ <programlisting><command>logging</command> {
+ [ <command>channel</command> <replaceable>channel_name</replaceable> {
+ ( <command>file</command> <replaceable>path name</replaceable>
+ [ <command>versions</command> ( <replaceable>number</replaceable> | <literal>unlimited</literal> ) ]
+ [ <command>size</command> <replaceable>size spec</replaceable> ]
+ | <command>syslog</command> <replaceable>syslog_facility</replaceable>
+ | <command>stderr</command>
+ | <command>null</command> );
+ [ <command>severity</command> (<option>critical</option> | <option>error</option> | <option>warning</option> | <option>notice</option> |
+ <option>info</option> | <option>debug</option> [ <replaceable>level</replaceable> ] | <option>dynamic</option> ); ]
+ [ <command>print-category</command> <option>yes</option> or <option>no</option>; ]
+ [ <command>print-severity</command> <option>yes</option> or <option>no</option>; ]
+ [ <command>print-time</command> <option>yes</option> or <option>no</option>; ]
+ }; ]
+ [ <command>category</command> <replaceable>category_name</replaceable> {
+ <replaceable>channel_name</replaceable> ; [ <replaceable>channel_nam</replaceable>e ; ... ]
+ }; ]
+ ...
+};
+</programlisting>
+</sect2>
+
+<sect2>
+<title><command>logging</command> Statement Definition and Usage</title>
+
+<para>The <command>logging</command> statement configures a wide
+variety of logging options for the name server. Its <command>channel</command> phrase
+associates output methods, format options and severity levels with
+a name that can then be used with the <command>category</command> phrase
+to select how various classes of messages are logged.</para>
+<para>Only one <command>logging</command> statement is used to define
+as many channels and categories as are wanted. If there is no <command>logging</command> statement,
+the logging configuration will be:</para>
+
+<programlisting>logging {
+ category default { default_syslog; default_debug; };
+ category unmatched { null; };
+};
+</programlisting>
+
+<para>In <acronym>BIND</acronym> 9, the logging configuration is only established when
+the entire configuration file has been parsed. In <acronym>BIND</acronym> 8, it was
+established as soon as the <command>logging</command> statement
+was parsed. When the server is starting up, all logging messages
+regarding syntax errors in the configuration file go to the default
+channels, or to standard error if the "<option>-g</option>" option
+was specified.</para>
+
+<sect3>
+<title>The <command>channel</command> Phrase</title>
+
+<para>All log output goes to one or more <emphasis>channels</emphasis>;
+you can make as many of them as you want.</para>
+
+<para>Every channel definition must include a destination clause that
+says whether messages selected for the channel go to a file, to a
+particular syslog facility, to the standard error stream, or are
+discarded. It can optionally also limit the message severity level
+that will be accepted by the channel (the default is
+<command>info</command>), and whether to include a
+<command>named</command>-generated time stamp, the category name
+and/or severity level (the default is not to include any).</para>
+
+<para>The <command>null</command> destination clause
+causes all messages sent to the channel to be discarded;
+in that case, other options for the channel are meaningless.</para>
+
+<para>The <command>file</command> destination clause directs the channel
+to a disk file. It can include limitations
+both on how large the file is allowed to become, and how many versions
+of the file will be saved each time the file is opened.</para>
+
+<para>If you use the <command>versions</command> log file option, then
+<command>named</command> will retain that many backup versions of the file by
+renaming them when opening. For example, if you choose to keep 3 old versions
+of the file <filename>lamers.log</filename> then just before it is opened
+<filename>lamers.log.1</filename> is renamed to
+<filename>lamers.log.2</filename>, <filename>lamers.log.0</filename> is renamed
+to <filename>lamers.log.1</filename>, and <filename>lamers.log</filename> is
+renamed to <filename>lamers.log.0</filename>.
+You can say <command>versions unlimited</command> to not limit
+the number of versions.
+If a <command>size</command> option is associated with the log file,
+then renaming is only done when the file being opened exceeds the
+indicated size. No backup versions are kept by default; any existing
+log file is simply appended.</para>
+
+<para>The <command>size</command> option for files is used to limit log
+growth. If the file ever exceeds the size, then <command>named</command> will
+stop writing to the file unless it has a <command>versions</command> option
+associated with it. If backup versions are kept, the files are rolled as
+described above and a new one begun. If there is no
+<command>versions</command> option, no more data will be written to the log
+until some out-of-band mechanism removes or truncates the log to less than the
+maximum size. The default behavior is not to limit the size of the
+file.</para>
+
+<para>Example usage of the <command>size</command> and
+<command>versions</command> options:</para>
+
+<programlisting>channel an_example_channel {
+ file "example.log" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+};
+</programlisting>
+
+<para>The <command>syslog</command> destination clause directs the
+channel to the system log. Its argument is a
+syslog facility as described in the <command>syslog</command> man
+page. Known facilities are <command>kern</command>, <command>user</command>,
+<command>mail</command>, <command>daemon</command>, <command>auth</command>,
+<command>syslog</command>, <command>lpr</command>, <command>news</command>,
+<command>uucp</command>, <command>cron</command>, <command>authpriv</command>,
+<command>ftp</command>, <command>local0</command>, <command>local1</command>,
+<command>local2</command>, <command>local3</command>, <command>local4</command>,
+<command>local5</command>, <command>local6</command> and
+<command>local7</command>, however not all facilities are supported on
+all operating systems.
+How <command>syslog</command> will handle messages sent to
+this facility is described in the <command>syslog.conf</command> man
+page. If you have a system which uses a very old version of <command>syslog</command> that
+only uses two arguments to the <command>openlog()</command> function,
+then this clause is silently ignored.</para>
+<para>The <command>severity</command> clause works like <command>syslog</command>'s
+"priorities", except that they can also be used if you are writing
+straight to a file rather than using <command>syslog</command>.
+Messages which are not at least of the severity level given will
+not be selected for the channel; messages of higher severity levels
+will be accepted.</para>
+<para>If you are using <command>syslog</command>, then the <command>syslog.conf</command> priorities
+will also determine what eventually passes through. For example,
+defining a channel facility and severity as <command>daemon</command> and <command>debug</command> but
+only logging <command>daemon.warning</command> via <command>syslog.conf</command> will
+cause messages of severity <command>info</command> and <command>notice</command> to
+be dropped. If the situation were reversed, with <command>named</command> writing
+messages of only <command>warning</command> or higher, then <command>syslogd</command> would
+print all messages it received from the channel.</para>
+
+<para>The <command>stderr</command> destination clause directs the
+channel to the server's standard error stream. This is intended for
+use when the server is running as a foreground process, for example
+when debugging a configuration.</para>
+
+<para>The server can supply extensive debugging information when
+it is in debugging mode. If the server's global debug level is greater
+than zero, then debugging mode will be active. The global debug
+level is set either by starting the <command>named</command> server
+with the <option>-d</option> flag followed by a positive integer,
+or by running <command>rndc trace</command>.
+The global debug level
+can be set to zero, and debugging mode turned off, by running <command>ndc
+notrace</command>. All debugging messages in the server have a debug
+level, and higher debug levels give more detailed output. Channels
+that specify a specific debug severity, for example:</para>
+<programlisting>channel specific_debug_level {
+ file "foo";
+ severity debug 3;
+};
+</programlisting>
+ <para>will get debugging output of level 3 or less any time the
+server is in debugging mode, regardless of the global debugging
+level. Channels with <command>dynamic</command> severity use the
+server's global debug level to determine what messages to print.</para>
+ <para>If <command>print-time</command> has been turned on, then
+the date and time will be logged. <command>print-time</command> may
+be specified for a <command>syslog</command> channel, but is usually
+pointless since <command>syslog</command> also prints the date and
+time. If <command>print-category</command> is requested, then the
+category of the message will be logged as well. Finally, if <command>print-severity</command> is
+on, then the severity level of the message will be logged. The <command>print-</command> options may
+be used in any combination, and will always be printed in the following
+order: time, category, severity. Here is an example where all three <command>print-</command> options
+are on:</para>
+
+<para><computeroutput>28-Feb-2000 15:05:32.863 general: notice: running</computeroutput></para>
+
+<para>There are four predefined channels that are used for
+<command>named</command>'s default logging as follows. How they are
+used is described in <xref linkend="the_category_phrase"/>.
+</para>
+
+<programlisting>channel default_syslog {
+ syslog daemon; // send to syslog's daemon
+ // facility
+ severity info; // only send priority info
+ // and higher
+};
+
+channel default_debug {
+ file "named.run"; // write to named.run in
+ // the working directory
+ // Note: stderr is used instead
+ // of "named.run"
+ // if the server is started
+ // with the '-f' option.
+ severity dynamic; // log at the server's
+ // current debug level
+};
+
+channel default_stderr {
+ stderr; // writes to stderr
+ severity info; // only send priority info
+ // and higher
+};
+
+channel null {
+ null; // toss anything sent to
+ // this channel
+};
+</programlisting>
+
+<para>The <command>default_debug</command> channel has the special
+property that it only produces output when the server's debug level is
+nonzero. It normally writes to a file <filename>named.run</filename>
+in the server's working directory.</para>
+
+<para>For security reasons, when the "<option>-u</option>"
+command line option is used, the <filename>named.run</filename> file
+is created only after <command>named</command> has changed to the
+new UID, and any debug output generated while <command>named</command> is
+starting up and still running as root is discarded. If you need
+to capture this output, you must run the server with the "<option>-g</option>"
+option and redirect standard error to a file.</para>
+
+<para>Once a channel is defined, it cannot be redefined. Thus you
+cannot alter the built-in channels directly, but you can modify
+the default logging by pointing categories at channels you have defined.</para>
+</sect3>
+
+<sect3 id="the_category_phrase"><title>The <command>category</command> Phrase</title>
+
+<para>There are many categories, so you can send the logs you want
+to see wherever you want, without seeing logs you don't want. If
+you don't specify a list of channels for a category, then log messages
+in that category will be sent to the <command>default</command> category
+instead. If you don't specify a default category, the following
+"default default" is used:</para>
+<programlisting>category default { default_syslog; default_debug; };
+</programlisting>
+<para>As an example, let's say you want to log security events to
+a file, but you also want keep the default logging behavior. You'd
+specify the following:</para>
+<programlisting>channel my_security_channel {
+ file "my_security_file";
+ severity info;
+};
+category security {
+ my_security_channel;
+ default_syslog;
+ default_debug;
+};</programlisting>
+<para>To discard all messages in a category, specify the <command>null</command> channel:</para>
+<programlisting>category xfer-out { null; };
+category notify { null; };
+</programlisting>
+<para>Following are the available categories and brief descriptions
+of the types of log information they contain. More
+categories may be added in future <acronym>BIND</acronym> releases.</para>
+<informaltable
+ colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><command>default</command></para></entry>
+<entry colname = "2"><para>The default category defines the logging
+options for those categories where no specific configuration has been
+defined.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>general</command></para></entry>
+<entry colname = "2"><para>The catch-all. Many things still aren't
+classified into categories, and they all end up here.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>database</command></para></entry>
+<entry colname = "2"><para>Messages relating to the databases used
+internally by the name server to store zone and cache data.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>security</command></para></entry>
+<entry colname = "2"><para>Approval and denial of requests.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>config</command></para></entry>
+<entry colname = "2"><para>Configuration file parsing and processing.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>resolver</command></para></entry>
+<entry colname = "2"><para>DNS resolution, such as the recursive
+lookups performed on behalf of clients by a caching name server.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>xfer-in</command></para></entry>
+<entry colname = "2"><para>Zone transfers the server is receiving.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>xfer-out</command></para></entry>
+<entry colname = "2"><para>Zone transfers the server is sending.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>notify</command></para></entry>
+<entry colname = "2"><para>The NOTIFY protocol.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>client</command></para></entry>
+<entry colname = "2"><para>Processing of client requests.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>unmatched</command></para></entry>
+<entry colname = "2"><para>Messages that named was unable to determine the
+class of or for which there was no matching <command>view</command>.
+A one line summary is also logged to the <command>client</command> category.
+This category is best sent to a file or stderr, by default it is sent to
+the <command>null</command> channel.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>network</command></para></entry>
+<entry colname = "2"><para>Network operations.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>update</command></para></entry>
+<entry colname = "2"><para>Dynamic updates.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>update-security</command></para></entry>
+<entry colname = "2"><para>Approval and denial of update requests.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>queries</command></para></entry>
+<entry colname = "2"><para>Specify where queries should be logged to.</para>
+<para>
+At startup, specifing the category <command>queries</command> will also
+enable query logging unless <command>querylog</command> option has been
+specified.
+</para>
+<para>
+The query log entry reports the client's IP address and port number. The
+query name, class and type. It also reports whether the Recursion Desired
+flag was set (+ if set, - if not set), EDNS was in use (E) or if the
+query was signed (S).</para>
+<programlisting><computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
+<computeroutput>client ::1#62537: query: www.example.net IN AAAA -SE</computeroutput>
+</programlisting>
+</entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>dispatch</command></para></entry>
+<entry colname = "2"><para>Dispatching of incoming packets to the
+server modules where they are to be processed.
+</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>dnssec</command></para></entry>
+<entry colname = "2"><para>DNSSEC and TSIG protocol processing.
+</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>lame-servers</command></para></entry>
+<entry colname = "2"><para>Lame servers. These are misconfigurations
+in remote servers, discovered by BIND 9 when trying to query
+those servers during resolution.
+</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>delegation-only</command></para></entry>
+<entry colname = "2"><para>Delegation only. Logs queries that have have
+been forced to NXDOMAIN as the result of a delegation-only zone or
+a <command>delegation-only</command> in a hint or stub zone declaration.
+</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+</sect3>
+</sect2>
+
+<sect2>
+<title><command>lwres</command> Statement Grammar</title>
+
+<para> This is the grammar of the <command>lwres</command>
+statement in the <filename>named.conf</filename> file:</para>
+
+<programlisting><command>lwres</command> {
+ <optional> listen-on { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> view <replaceable>view_name</replaceable>; </optional>
+ <optional> search { <replaceable>domain_name</replaceable> ; <optional> <replaceable>domain_name</replaceable> ; ... </optional> }; </optional>
+ <optional> ndots <replaceable>number</replaceable>; </optional>
+};
+</programlisting>
+
+</sect2>
+<sect2>
+<title><command>lwres</command> Statement Definition and Usage</title>
+
+<para>The <command>lwres</command> statement configures the name
+server to also act as a lightweight resolver server, see
+<xref linkend="lwresd"/>. There may be be multiple
+<command>lwres</command> statements configuring
+lightweight resolver servers with different properties.</para>
+
+<para>The <command>listen-on</command> statement specifies a list of
+addresses (and ports) that this instance of a lightweight resolver daemon
+should accept requests on. If no port is specified, port 921 is used.
+If this statement is omitted, requests will be accepted on 127.0.0.1,
+port 921.</para>
+
+<para>The <command>view</command> statement binds this instance of a
+lightweight resolver daemon to a view in the DNS namespace, so that the
+response will be constructed in the same manner as a normal DNS query
+matching this view. If this statement is omitted, the default view is
+used, and if there is no default view, an error is triggered.</para>
+
+<para>The <command>search</command> statement is equivalent to the
+<command>search</command> statement in
+<filename>/etc/resolv.conf</filename>. It provides a list of domains
+which are appended to relative names in queries.</para>
+
+<para>The <command>ndots</command> statement is equivalent to the
+<command>ndots</command> statement in
+<filename>/etc/resolv.conf</filename>. It indicates the minimum
+number of dots in a relative domain name that should result in an
+exact match lookup before search path elements are appended.</para>
+</sect2>
+<sect2>
+ <title><command>masters</command> Statement Grammar</title>
+<programlisting>
+<command>masters</command> <replaceable>name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ;
+</programlisting>
+</sect2>
+<sect2>
+ <title><command>masters</command> Statement Definition and Usage </title>
+<para><command>masters</command> lists allow for a common set of masters
+to be easily used by multiple stub and slave zones.</para>
+</sect2>
+<sect2>
+<title><command>options</command> Statement Grammar</title>
+
+<para>This is the grammar of the <command>options</command>
+statement in the <filename>named.conf</filename> file:</para>
+
+<programlisting>options {
+ <optional> version <replaceable>version_string</replaceable>; </optional>
+ <optional> hostname <replaceable>hostname_string</replaceable>; </optional>
+ <optional> server-id <replaceable>server_id_string</replaceable>; </optional>
+ <optional> directory <replaceable>path_name</replaceable>; </optional>
+ <optional> key-directory <replaceable>path_name</replaceable>; </optional>
+ <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
+ <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
+ <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
+ <optional> dump-file <replaceable>path_name</replaceable>; </optional>
+ <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
+ <optional> pid-file <replaceable>path_name</replaceable>; </optional>
+ <optional> statistics-file <replaceable>path_name</replaceable>; </optional>
+ <optional> zone-statistics <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> auth-nxdomain <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> deallocate-on-exit <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dialup <replaceable>dialup_option</replaceable>; </optional>
+ <optional> fake-iquery <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> fetch-glue <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> flush-zones-on-shutdown <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> has-old-clients <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> host-statistics <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> minimal-responses <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> multiple-cnames <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable>; </optional>
+ <optional> recursion <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
+ <optional> dnssec-must-be-secure <replaceable>domain yes_or_no</replaceable>; </optional>
+ <optional> forward ( <replaceable>only</replaceable> | <replaceable>first</replaceable> ); </optional>
+ <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> dual-stack-servers <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>domain_name</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ) ; ... }; </optional>
+ <optional> check-names ( <replaceable>master</replaceable> | <replaceable>slave</replaceable> | <replaceable> response</replaceable> )( <replaceable>warn</replaceable> | <replaceable>fail</replaceable> | <replaceable>ignore</replaceable> ); </optional>
+ <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> avoid-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
+ <optional> avoid-v6-udp-ports { <replaceable>port_list</replaceable> }; </optional>
+ <optional> listen-on <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> listen-on-v6 <optional> port <replaceable>ip_port</replaceable> </optional> { <replaceable>address_match_list</replaceable> }; </optional>
+ <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+ <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-idle-out <replaceable>number</replaceable>; </optional>
+ <optional> tcp-clients <replaceable>number</replaceable>; </optional>
+ <optional> recursive-clients <replaceable>number</replaceable>; </optional>
+ <optional> serial-query-rate <replaceable>number</replaceable>; </optional>
+ <optional> serial-queries <replaceable>number</replaceable>; </optional>
+ <optional> tcp-listen-queue <replaceable>number</replaceable>; </optional>
+ <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable>; </optional>
+ <optional> transfers-in <replaceable>number</replaceable>; </optional>
+ <optional> transfers-out <replaceable>number</replaceable>; </optional>
+ <optional> transfers-per-ns <replaceable>number</replaceable>; </optional>
+ <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
+ <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
+ <optional> coresize <replaceable>size_spec</replaceable> ; </optional>
+ <optional> datasize <replaceable>size_spec</replaceable> ; </optional>
+ <optional> files <replaceable>size_spec</replaceable> ; </optional>
+ <optional> stacksize <replaceable>size_spec</replaceable> ; </optional>
+ <optional> cleaning-interval <replaceable>number</replaceable>; </optional>
+ <optional> heartbeat-interval <replaceable>number</replaceable>; </optional>
+ <optional> interface-interval <replaceable>number</replaceable>; </optional>
+ <optional> statistics-interval <replaceable>number</replaceable>; </optional>
+ <optional> topology { <replaceable>address_match_list</replaceable> }</optional>;
+ <optional> sortlist { <replaceable>address_match_list</replaceable> }</optional>;
+ <optional> rrset-order { <replaceable>order_spec</replaceable> ; <optional> <replaceable>order_spec</replaceable> ; ... </optional> </optional> };
+ <optional> lame-ttl <replaceable>number</replaceable>; </optional>
+ <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
+ <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
+ <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> min-roots <replaceable>number</replaceable>; </optional>
+ <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> request-ixfr <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> treat-cr-as-space <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
+ <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
+ <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
+ <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
+ <optional> port <replaceable>ip_port</replaceable>; </optional>
+ <optional> additional-from-auth <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> random-device <replaceable>path_name</replaceable> ; </optional>
+ <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional>
+ <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional>
+ <optional> edns-udp-size <replaceable>number</replaceable>; </optional>
+ <optional> root-delegation-only <optional> exclude { <replaceable>namelist</replaceable> } </optional> ; </optional>
+ <optional> querylog <replaceable>yes_or_no</replaceable> ; </optional>
+};
+ <optional> disable-algorithms <replaceable>domain</replaceable> { <replaceable>algorithm</replaceable>; <optional> <replaceable>algorithm</replaceable>; </optional> }; </optional>
+</programlisting>
+</sect2>
+
+<sect2 id="options"><title><command>options</command> Statement Definition and Usage</title>
+
+<para>The <command>options</command> statement sets up global options
+to be used by <acronym>BIND</acronym>. This statement may appear only
+once in a configuration file. If there is no <command>options</command>
+statement, an options block with each option set to its default will
+be used.</para>
+
+<variablelist>
+
+<varlistentry><term><command>directory</command></term>
+<listitem><para>The working directory of the server.
+Any non-absolute pathnames in the configuration file will be taken
+as relative to this directory. The default location for most server
+output files (e.g. <filename>named.run</filename>) is this directory.
+If a directory is not specified, the working directory defaults
+to `<filename>.</filename>', the directory from which the server
+was started. The directory specified should be an absolute path.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>key-directory</command></term>
+<listitem><para>When performing dynamic update of secure zones, the
+directory where the public and private key files should be found,
+if different than the current working directory. The directory specified
+must be an absolute path.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>named-xfer</command></term>
+<listitem><para><emphasis>This option is obsolete.</emphasis>
+It was used in <acronym>BIND</acronym> 8 to
+specify the pathname to the <command>named-xfer</command> program.
+In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
+needed; its functionality is built into the name server.</para>
+
+</listitem></varlistentry>
+
+<varlistentry><term><command>tkey-domain</command></term>
+<listitem><para>The domain appended to the names of all
+shared keys generated with <command>TKEY</command>. When a client
+requests a <command>TKEY</command> exchange, it may or may not specify
+the desired name for the key. If present, the name of the shared
+key will be "<varname>client specified part</varname>" +
+"<varname>tkey-domain</varname>".
+Otherwise, the name of the shared key will be "<varname>random hex
+digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
+the <command>domainname</command> should be the server's domain
+name.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>tkey-dhkey</command></term>
+<listitem><para>The Diffie-Hellman key used by the server
+to generate shared keys with clients using the Diffie-Hellman mode
+of <command>TKEY</command>. The server must be able to load the
+public and private keys from files in the working directory. In
+most cases, the keyname should be the server's host name.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>dump-file</command></term>
+<listitem><para>The pathname of the file the server dumps
+the database to when instructed to do so with
+<command>rndc dumpdb</command>.
+If not specified, the default is <filename>named_dump.db</filename>.</para>
+</listitem></varlistentry>
+<varlistentry><term><command>memstatistics-file</command></term>
+<listitem><para>The pathname of the file the server writes memory
+usage statistics to on exit. If not specified,
+the default is <filename>named.memstats</filename>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>pid-file</command></term>
+<listitem><para>The pathname of the file the server writes its process ID
+in. If not specified, the default is <filename>/var/run/named.pid</filename>.
+The pid-file is used by programs that want to send signals to the running
+name server. Specifying <command>pid-file none</command> disables the
+use of a PID file &mdash; no file will be written and any
+existing one will be removed. Note that <command>none</command>
+is a keyword, not a file name, and therefore is not enclosed in
+double quotes.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>statistics-file</command></term>
+<listitem><para>The pathname of the file the server appends statistics
+to when instructed to do so using <command>rndc stats</command>.
+If not specified, the default is <filename>named.stats</filename> in the
+server's current directory. The format of the file is described
+in <xref linkend="statsfile"/></para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>port</command></term>
+<listitem><para>
+The UDP/TCP port number the server uses for
+receiving and sending DNS protocol traffic.
+The default is 53. This option is mainly intended for server testing;
+a server using a port other than 53 will not be able to communicate with
+the global DNS.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>random-device</command></term>
+<listitem><para>
+The source of entropy to be used by the server. Entropy is primarily needed
+for DNSSEC operations, such as TKEY transactions and dynamic update of signed
+zones. This options specifies the device (or file) from which to read
+entropy. If this is a file, operations requiring entropy will fail when the
+file has been exhausted. If not specified, the default value is
+<filename>/dev/random</filename>
+(or equivalent) when present, and none otherwise. The
+<command>random-device</command> option takes effect during
+the initial configuration load at server startup time and
+is ignored on subsequent reloads.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>preferred-glue</command></term>
+<listitem><para>
+If specified the listed type (A or AAAA) will be emitted before other glue
+in the additional section of a query response.
+The default is not to preference any type (NONE).
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>root-delegation-only</command></term>
+<listitem><para>
+Turn on enforcement of delegation-only in TLDs and root zones with an optional
+exclude list.
+</para>
+<para>
+Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+</para>
+<programlisting>
+options {
+ root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+};
+</programlisting>
+</listitem></varlistentry>
+
+<varlistentry><term><command>disable-algorithms</command></term>
+<listitem><para>
+Disable the specified DNSSEC algorithms at and below the specified name.
+Multiple <command>disable-algorithms</command> statements are allowed.
+Only the most specific will be applied.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-lookaside</command></term>
+<listitem><para>
+When set <command>dnssec-lookaside</command> provides the
+validator with an alternate method to validate DNSKEY records at the
+top of a zone. When a DNSKEY is at or below a domain specified by the
+deepest <command>dnssec-lookaside</command>, and the normal dnssec validation
+has left the key untrusted, the trust-anchor will be append to the key
+name and a DLV record will be looked up to see if it can validate the
+key. If the DLV record validates a DNSKEY (similarly to the way a DS
+record does) the DNSKEY RRset is deemed to be trusted.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-must-be-secure</command></term>
+<listitem><para>
+Specify heirachies which must / may not be secure (signed and validated).
+If <userinput>yes</userinput> then named will only accept answers if they
+are secure.
+If <userinput>no</userinput> then normal dnssec validation applies
+allowing for insecure answers to be accepted.
+The specified domain must be under a <command>trusted-key</command> or
+<command>dnssec-lookaside</command> must be active.
+</para></listitem></varlistentry>
+
+</variablelist>
+
+<sect3 id="boolean_options"><title>Boolean Options</title>
+
+<variablelist>
+
+<varlistentry><term><command>auth-nxdomain</command></term>
+<listitem><para>If <userinput>yes</userinput>, then the <command>AA</command> bit
+is always set on NXDOMAIN responses, even if the server is not actually
+authoritative. The default is <userinput>no</userinput>; this is
+a change from <acronym>BIND</acronym> 8. If you are using very old DNS software, you
+may need to set it to <userinput>yes</userinput>.</para></listitem></varlistentry>
+
+<varlistentry><term><command>deallocate-on-exit</command></term>
+<listitem><para>This option was used in <acronym>BIND</acronym> 8 to enable checking
+for memory leaks on exit. <acronym>BIND</acronym> 9 ignores the option and always performs
+the checks.</para></listitem></varlistentry>
+
+<varlistentry><term><command>dialup</command></term>
+<listitem><para>If <userinput>yes</userinput>, then the
+server treats all zones as if they are doing zone transfers across
+a dial on demand dialup link, which can be brought up by traffic
+originating from this server. This has different effects according
+to zone type and concentrates the zone maintenance so that it all
+happens in a short interval, once every <command>heartbeat-interval</command> and
+hopefully during the one call. It also suppresses some of the normal
+zone maintenance traffic. The default is <userinput>no</userinput>.</para>
+<para>The <command>dialup</command> option
+may also be specified in the <command>view</command> and
+<command>zone</command> statements,
+in which case it overrides the global <command>dialup</command>
+option.</para>
+<para>If the zone is a master zone then the server will send out a NOTIFY
+request to all the slaves (default). This should trigger the zone serial
+number check in the slave (providing it supports NOTIFY) allowing the slave
+to verify the zone while the connection is active.
+The set of servers to which NOTIFY is sent can be controlled by
+<command>notify</command> and <command>also-notify</command>.</para>
+<para>If the
+zone is a slave or stub zone, then the server will suppress the regular
+"zone up to date" (refresh) queries and only perform them when the
+<command>heartbeat-interval</command> expires in addition to sending
+NOTIFY requests.</para><para>Finer control can be achieved by using
+<userinput>notify</userinput> which only sends NOTIFY messages,
+<userinput>notify-passive</userinput> which sends NOTIFY messages and
+suppresses the normal refresh queries, <userinput>refresh</userinput>
+which suppresses normal refresh processing and sends refresh queries
+when the <command>heartbeat-interval</command> expires, and
+<userinput>passive</userinput> which just disables normal refresh
+processing.</para>
+
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "4" colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "1.150in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>dialup mode</para></entry>
+<entry colname = "2"><para>normal refresh</para></entry>
+<entry colname = "3"><para>heart-beat refresh</para></entry>
+<entry colname = "4"><para>heart-beat notify</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>no</command> (default)</para></entry>
+<entry colname = "2"><para>yes</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>yes</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>yes</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>notify</command></para></entry>
+<entry colname = "2"><para>yes</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>refresh</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>yes</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>passive</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>no</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>notify-passive</command></para></entry>
+<entry colname = "2"><para>no</para></entry>
+<entry colname = "3"><para>no</para></entry>
+<entry colname = "4"><para>yes</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+
+<para>Note that normal NOTIFY processing is not affected by
+<command>dialup</command>.</para>
+
+</listitem></varlistentry>
+
+<varlistentry><term><command>fake-iquery</command></term>
+<listitem><para>In <acronym>BIND</acronym> 8, this option
+enabled simulating the obsolete DNS query type
+IQUERY. <acronym>BIND</acronym> 9 never does IQUERY simulation.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>fetch-glue</command></term>
+<listitem><para>This option is obsolete.
+In BIND 8, <userinput>fetch-glue yes</userinput>
+caused the server to attempt to fetch glue resource records it
+didn't have when constructing the additional
+data section of a response. This is now considered a bad idea
+and BIND 9 never does it.</para></listitem></varlistentry>
+
+<varlistentry><term><command>flush-zones-on-shutdown</command></term>
+<listitem><para>When the nameserver exits due receiving SIGTERM,
+flush / do not flush any pending zone writes. The default is
+<command>flush-zones-on-shutdown</command> <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>has-old-clients</command></term>
+<listitem><para>This option was incorrectly implemented
+in <acronym>BIND</acronym> 8, and is ignored by <acronym>BIND</acronym> 9.
+To achieve the intended effect
+of
+<command>has-old-clients</command> <userinput>yes</userinput>, specify
+the two separate options <command>auth-nxdomain</command> <userinput>yes</userinput>
+and <command>rfc2308-type1</command> <userinput>no</userinput> instead.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>host-statistics</command></term>
+<listitem><para>In BIND 8, this enables keeping of
+statistics for every host that the name server interacts with.
+Not implemented in BIND 9.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>maintain-ixfr-base</command></term>
+<listitem><para><emphasis>This option is obsolete</emphasis>.
+ It was used in <acronym>BIND</acronym> 8 to determine whether a transaction log was
+kept for Incremental Zone Transfer. <acronym>BIND</acronym> 9 maintains a transaction
+log whenever possible. If you need to disable outgoing incremental zone
+transfers, use <command>provide-ixfr</command> <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>minimal-responses</command></term>
+<listitem><para>If <userinput>yes</userinput>, then when generating
+responses the server will only add records to the authority and
+additional data sections when they are required (e.g. delegations,
+negative responses). This may improve the performance of the server.
+The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>multiple-cnames</command></term>
+<listitem><para>This option was used in <acronym>BIND</acronym> 8 to allow
+a domain name to have multiple CNAME records in violation of the
+DNS standards. <acronym>BIND</acronym> 9.2 always strictly
+enforces the CNAME rules both in master files and dynamic updates.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>notify</command></term>
+<listitem><para>If <userinput>yes</userinput> (the default),
+DNS NOTIFY messages are sent when a zone the server is authoritative for
+changes, see <xref linkend="notify"/>. The messages are sent to the
+servers listed in the zone's NS records (except the master server identified
+in the SOA MNAME field), and to any servers listed in the
+<command>also-notify</command> option.
+</para><para>
+If <userinput>explicit</userinput>, notifies are sent only to
+servers explicitly listed using <command>also-notify</command>.
+If <userinput>no</userinput>, no notifies are sent.
+</para><para>
+The <command>notify</command> option may also be
+specified in the <command>zone</command> statement,
+in which case it overrides the <command>options notify</command> statement.
+It would only be necessary to turn off this option if it caused slaves
+to crash.</para></listitem></varlistentry>
+
+<varlistentry><term><command>recursion</command></term>
+<listitem><para>If <userinput>yes</userinput>, and a
+DNS query requests recursion, then the server will attempt to do
+all the work required to answer the query. If recursion is off
+and the server does not already know the answer, it will return a
+referral response. The default is <userinput>yes</userinput>.
+Note that setting <command>recursion no</command> does not prevent
+clients from getting data from the server's cache; it only
+prevents new data from being cached as an effect of client queries.
+Caching may still occur as an effect the server's internal
+operation, such as NOTIFY address lookups.
+See also <command>fetch-glue</command> above.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>rfc2308-type1</command></term>
+<listitem><para>Setting this to <userinput>yes</userinput> will
+cause the server to send NS records along with the SOA record for negative
+answers. The default is <userinput>no</userinput>.</para>
+<note><simpara>Not yet implemented in <acronym>BIND</acronym> 9.</simpara></note>
+</listitem></varlistentry>
+
+<varlistentry><term><command>use-id-pool</command></term>
+<listitem><para><emphasis>This option is obsolete</emphasis>.
+<acronym>BIND</acronym> 9 always allocates query IDs from a pool.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>zone-statistics</command></term>
+<listitem><para>If <userinput>yes</userinput>, the server will collect
+statistical data on all zones (unless specifically turned off
+on a per-zone basis by specifying <command>zone-statistics no</command>
+in the <command>zone</command> statement). These statistics may be accessed
+using <command>rndc stats</command>, which will dump them to the file listed
+in the <command>statistics-file</command>. See also <xref linkend="statsfile"/>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>use-ixfr</command></term>
+<listitem><para><emphasis>This option is obsolete</emphasis>.
+If you need to disable IXFR to a particular server or servers see
+the information on the <command>provide-ixfr</command> option
+in <xref linkend="server_statement_definition_and_usage"/>. See also
+<xref linkend="incremental_zone_transfers"/>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>provide-ixfr</command></term>
+<listitem>
+<para>
+See the description of
+<command>provide-ixfr</command> in
+<xref linkend="server_statement_definition_and_usage"/>
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>request-ixfr</command></term>
+<listitem>
+<para>
+See the description of
+<command>request-ixfr</command> in
+<xref linkend="server_statement_definition_and_usage"/>
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>treat-cr-as-space</command></term>
+<listitem><para>This option was used in <acronym>BIND</acronym> 8 to make
+the server treat carriage return ("<command>\r</command>") characters the same way
+as a space or tab character,
+to facilitate loading of zone files on a UNIX system that were generated
+on an NT or DOS machine. In <acronym>BIND</acronym> 9, both UNIX "<command>\n</command>"
+and NT/DOS "<command>\r\n</command>" newlines are always accepted,
+and the option is ignored.</para></listitem></varlistentry>
+
+<varlistentry>
+<term><command>additional-from-auth</command></term>
+<term><command>additional-from-cache</command></term>
+<listitem>
+
+<para>
+These options control the behavior of an authoritative server when
+answering queries which have additional data, or when following CNAME
+and DNAME chains.
+</para>
+
+<para>
+When both of these options are set to <userinput>yes</userinput>
+(the default) and a
+query is being answered from authoritative data (a zone
+configured into the server), the additional data section of the
+reply will be filled in using data from other authoritative zones
+and from the cache. In some situations this is undesirable, such
+as when there is concern over the correctness of the cache, or
+in servers where slave zones may be added and modified by
+untrusted third parties. Also, avoiding
+the search for this additional data will speed up server operations
+at the possible expense of additional queries to resolve what would
+otherwise be provided in the additional section.
+</para>
+
+<para>
+For example, if a query asks for an MX record for host <literal>foo.example.com</literal>,
+and the record found is "<literal>MX 10 mail.example.net</literal>", normally the address
+records (A and AAAA) for <literal>mail.example.net</literal> will be provided as well,
+if known, even though they are not in the example.com zone.
+Setting these options to <command>no</command> disables this behavior and makes
+the server only search for additional data in the zone it answers from.
+</para>
+
+<para>
+These options are intended for use in authoritative-only
+servers, or in authoritative-only views. Attempts to set
+them to <command>no</command> without also specifying
+<command>recursion no</command> will cause the server to
+ignore the options and log a warning message.
+</para>
+
+<para>
+Specifying <command>additional-from-cache no</command> actually
+disables the use of the cache not only for additional data lookups
+but also when looking up the answer. This is usually the desired
+behavior in an authoritative-only server where the correctness of
+the cached data is an issue.
+</para>
+
+<para>
+When a name server is non-recursively queried for a name that is not
+below the apex of any served zone, it normally answers with an
+"upwards referral" to the root servers or the servers of some other
+known parent of the query name. Since the data in an upwards referral
+comes from the cache, the server will not be able to provide upwards
+referrals when <command>additional-from-cache no</command>
+has been specified. Instead, it will respond to such queries
+with REFUSED. This should not cause any problems since
+upwards referrals are not required for the resolution process.
+</para>
+
+</listitem></varlistentry>
+
+<varlistentry><term><command>match-mapped-addresses</command></term>
+<listitem><para>If <userinput>yes</userinput>, then an
+IPv4-mapped IPv6 address will match any address match
+list entries that match the corresponding IPv4 address.
+Enabling this option is sometimes useful on IPv6-enabled Linux
+systems, to work around a kernel quirk that causes IPv4
+TCP connections such as zone transfers to be accepted
+on an IPv6 socket using mapped addresses, causing
+address match lists designed for IPv4 to fail to match.
+The use of this option for any other purpose is discouraged.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>ixfr-from-differences</command></term>
+<listitem>
+<para>
+When 'yes' and the server loads a new version of a master
+zone from its zone file or receives a new version of a slave
+file by a non-incremental zone transfer, it will compare
+the new version to the previous one and calculate a set
+of differences. The differences are then logged in the
+zone's journal file such that the changes can be transmitted
+to downstream slaves as an incremental zone transfer.
+</para><para>
+By allowing incremental zone transfers to be used for
+non-dynamic zones, this option saves bandwidth at the
+expense of increased CPU and memory consumption at the master.
+In particular, if the new version of a zone is completely
+different from the previous one, the set of differences
+will be of a size comparable to the combined size of the
+old and new zone version, and the server will need to
+temporarily allocate memory to hold this complete
+difference set.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>multi-master</command></term>
+<listitem>
+<para>
+This should be set when you have multiple masters for a zone and the
+addresses refer to different machines. If 'yes' named will not log
+when the serial number on the master is less than what named currently
+has. The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>dnssec-enable</command></term>
+<listitem>
+<para>
+Enable DNSSEC support in named. Unless set to <userinput>yes</userinput>
+named behaves as if it does not support DNSSEC.
+The default is <userinput>no</userinput>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>querylog</command></term>
+<listitem>
+<para>
+Specify whether query logging should be started when named start.
+If <command>querylog</command> is not specified then the query logging
+is determined by the presence of the logging category <command>queries</command>.
+</para></listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3><title>Forwarding</title>
+<para>The forwarding facility can be used to create a large site-wide
+cache on a few servers, reducing traffic over links to external
+name servers. It can also be used to allow queries by servers that
+do not have direct access to the Internet, but wish to look up exterior
+names anyway. Forwarding occurs only on those queries for which
+the server is not authoritative and does not have the answer in
+its cache.</para>
+
+<variablelist>
+<varlistentry><term><command>forward</command></term>
+<listitem><para>This option is only meaningful if the
+forwarders list is not empty. A value of <varname>first</varname>,
+the default, causes the server to query the forwarders first, and
+if that doesn't answer the question the server will then look for
+the answer itself. If <varname>only</varname> is specified, the
+server will only query the forwarders.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>forwarders</command></term>
+<listitem><para>Specifies the IP addresses to be used
+for forwarding. The default is the empty list (no forwarding).
+</para></listitem></varlistentry>
+
+</variablelist>
+
+<para>Forwarding can also be configured on a per-domain basis, allowing
+for the global forwarding options to be overridden in a variety
+of ways. You can set particular domains to use different forwarders,
+or have a different <command>forward only/first</command> behavior,
+or not forward at all, see <xref linkend="zone_statement_grammar"/>.</para>
+</sect3>
+
+<sect3><title>Dual-stack Servers</title>
+<para>Dual-stack servers are used as servers of last resort to work around
+problems in reachability due the lack of support for either IPv4 or IPv6
+on the host machine.</para>
+
+<variablelist>
+<varlistentry><term><command>dual-stack-servers</command></term>
+<listitem><para>Specifies host names / addresses of machines with access to
+both IPv4 and IPv6 transports. If a hostname is used the server must be able
+to resolve the name using only the transport it has. If the machine is dual
+stacked then the <command>dual-stack-servers</command> have no effect unless
+access to a transport has been disabled on the command line
+(e.g. <command>named -4</command>).</para></listitem>
+</varlistentry>
+</variablelist>
+</sect3>
+
+<sect3 id="access_control"><title>Access Control</title>
+
+<para>Access to the server can be restricted based on the IP address
+of the requesting system. See <xref linkend="address_match_lists"/> for
+details on how to specify IP address lists.</para>
+
+<variablelist>
+
+<varlistentry><term><command>allow-notify</command></term>
+<listitem><para>Specifies which hosts are allowed to
+notify this server, a slave, of zone changes in addition
+to the zone masters.
+<command>allow-notify</command> may also be specified in the
+<command>zone</command> statement, in which case it overrides the
+<command>options allow-notify</command> statement. It is only meaningful
+for a slave zone. If not specified, the default is to process notify messages
+only from a zone's master.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-query</command></term>
+<listitem><para>Specifies which hosts are allowed to
+ask ordinary DNS questions. <command>allow-query</command> may also
+be specified in the <command>zone</command> statement, in which
+case it overrides the <command>options allow-query</command> statement. If
+not specified, the default is to allow queries from all hosts.</para>
+</listitem></varlistentry>
+
+
+<varlistentry><term><command>allow-recursion</command></term>
+<listitem><para>Specifies which hosts are allowed to
+make recursive queries through this server. If not specified, the
+default is to allow recursive queries from all hosts.
+Note that disallowing recursive queries for a host does not prevent the
+host from retrieving data that is already in the server's cache.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-update-forwarding</command></term>
+<listitem><para>Specifies which hosts are allowed to
+submit Dynamic DNS updates to slave zones to be forwarded to the
+master. The default is <userinput>{ none; }</userinput>, which
+means that no update forwarding will be performed. To enable
+update forwarding, specify
+<userinput>allow-update-forwarding { any; };</userinput>.
+Specifying values other than <userinput>{ none; }</userinput> or
+<userinput>{ any; }</userinput> is usually counterproductive, since
+the responsibility for update access control should rest with the
+master server, not the slaves.</para>
+<para>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <xref linkend="dynamic_update_security"/>
+for more details.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-v6-synthesis</command></term>
+<listitem><para>This option was introduced for the smooth transition from AAAA
+to A6 and from "nibble labels" to binary labels.
+However, since both A6 and binary labels were then deprecated,
+this option was also deprecated.
+It is now ignored with some warning messages.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-transfer</command></term>
+<listitem><para>Specifies which hosts are allowed to
+receive zone transfers from the server. <command>allow-transfer</command> may
+also be specified in the <command>zone</command> statement, in which
+case it overrides the <command>options allow-transfer</command> statement.
+If not specified, the default is to allow transfers to all hosts.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>blackhole</command></term>
+<listitem><para>Specifies a list of addresses that the
+server will not accept queries from or use to resolve a query. Queries
+from these addresses will not be responded to. The default is <userinput>none</userinput>.</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3><title>Interfaces</title>
+<para>The interfaces and ports that the server will answer queries
+from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
+an optional port, and an <varname>address_match_list</varname>.
+The server will listen on all interfaces allowed by the address
+match list. If a port is not specified, port 53 will be used.</para>
+<para>Multiple <command>listen-on</command> statements are allowed.
+For example,</para>
+
+<programlisting>listen-on { 5.6.7.8; };
+listen-on port 1234 { !1.2.3.4; 1.2/16; };
+</programlisting>
+
+<para>will enable the name server on port 53 for the IP address
+5.6.7.8, and on port 1234 of an address on the machine in net
+1.2 that is not 1.2.3.4.</para>
+
+<para>If no <command>listen-on</command> is specified, the
+server will listen on port 53 on all interfaces.</para>
+
+<para>The <command>listen-on-v6</command> option is used to
+specify the interfaces and the ports on which the server will listen
+for incoming queries sent using IPv6.</para>
+
+<para>When <programlisting>{ any; }</programlisting> is specified
+as the <varname>address_match_list</varname> for the
+<command>listen-on-v6</command> option,
+the server does not bind a separate socket to each IPv6 interface
+address as it does for IPv4 if the operating system has enough API
+support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
+Instead, it listens on the IPv6 wildcard address.
+If the system only has incomplete API support for IPv6, however,
+the behavior is the same as that for IPv4.</para>
+
+<para>A list of particular IPv6 addresses can also be specified, in which case
+the server listens on a separate socket for each specified address,
+regardless of whether the desired API is supported by the system.</para>
+
+<para>Multiple <command>listen-on-v6</command> options can be used.
+For example,</para>
+
+<programlisting>listen-on-v6 { any; };
+listen-on-v6 port 1234 { !2001:db8::/32; any; };
+</programlisting>
+
+<para>will enable the name server on port 53 for any IPv6 addresses
+(with a single wildcard socket),
+and on port 1234 of IPv6 addresses that is not in the prefix
+2001:db8::/32 (with separate sockets for each matched address.)</para>
+
+<para>To make the server not listen on any IPv6 address, use</para>
+<programlisting>listen-on-v6 { none; };
+</programlisting>
+<para>If no <command>listen-on-v6</command> option is specified,
+the server will not listen on any IPv6 address.</para></sect3>
+
+<sect3><title>Query Address</title>
+<para>If the server doesn't know the answer to a question, it will
+query other name servers. <command>query-source</command> specifies
+the address and port used for such queries. For queries sent over
+IPv6, there is a separate <command>query-source-v6</command> option.
+If <command>address</command> is <command>*</command> or is omitted,
+a wildcard IP address (<command>INADDR_ANY</command>) will be used.
+If <command>port</command> is <command>*</command> or is omitted,
+a random unprivileged port will be used, <command>avoid-v4-udp-ports</command>
+and <command>avoid-v6-udp-ports</command> can be used to prevent named
+from selecting certain ports. The defaults are</para>
+<programlisting>query-source address * port *;
+query-source-v6 address * port *;
+</programlisting>
+<note>
+<para>The address specified in the <command>query-source</command> option
+is used for both UDP and TCP queries, but the port applies only to
+UDP queries. TCP queries always use a random
+unprivileged port.</para></note>
+<note>
+<para>See also <command>transfer-source</command> and
+<command>notify-source</command>.</para></note>
+</sect3>
+
+<sect3 id="zone_transfers"><title>Zone Transfers</title>
+<para><acronym>BIND</acronym> has mechanisms in place to facilitate zone transfers
+and set limits on the amount of load that transfers place on the
+system. The following options apply to zone transfers.</para>
+
+<variablelist>
+
+<varlistentry><term><command>also-notify</command></term>
+<listitem><para>Defines a global list of IP addresses of name servers
+that are also sent NOTIFY messages whenever a fresh copy of the
+zone is loaded, in addition to the servers listed in the zone's NS records.
+This helps to ensure that copies of the zones will
+quickly converge on stealth servers. If an <command>also-notify</command> list
+is given in a <command>zone</command> statement, it will override
+the <command>options also-notify</command> statement. When a <command>zone notify</command> statement
+is set to <command>no</command>, the IP addresses in the global <command>also-notify</command> list will
+not be sent NOTIFY messages for that zone. The default is the empty
+list (no global notification list).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-time-in</command></term>
+<listitem><para>Inbound zone transfers running longer than
+this many minutes will be terminated. The default is 120 minutes
+(2 hours). The maximum value is 28 days (40320 minutes).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-idle-in</command></term>
+<listitem><para>Inbound zone transfers making no progress
+in this many minutes will be terminated. The default is 60 minutes
+(1 hour). The maximum value is 28 days (40320 minutes).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-time-out</command></term>
+<listitem><para>Outbound zone transfers running longer than
+this many minutes will be terminated. The default is 120 minutes
+(2 hours). The maximum value is 28 days (40320 minutes).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-idle-out</command></term>
+<listitem><para>Outbound zone transfers making no progress
+in this many minutes will be terminated. The default is 60 minutes (1
+hour). The maximum value is 28 days (40320 minutes).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>serial-query-rate</command></term>
+<listitem><para>Slave servers will periodically query master servers
+to find out if zone serial numbers have changed. Each such query uses
+a minute amount of the slave server's network bandwidth. To limit the
+amount of bandwidth used, BIND 9 limits the rate at which queries are
+sent. The value of the <command>serial-query-rate</command> option,
+an integer, is the maximum number of queries sent per second.
+The default is 20.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>serial-queries</command></term>
+<listitem><para>In BIND 8, the <command>serial-queries</command> option
+set the maximum number of concurrent serial number queries
+allowed to be outstanding at any given time.
+BIND 9 does not limit the number of outstanding
+serial queries and ignores the <command>serial-queries</command> option.
+Instead, it limits the rate at which the queries are sent
+as defined using the <command>serial-query-rate</command> option.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfer-format</command></term>
+<listitem>
+
+<para>
+Zone transfers can be sent using two different formats,
+<command>one-answer</command> and <command>many-answers</command>.
+The <command>transfer-format</command> option is used
+on the master server to determine which format it sends.
+<command>one-answer</command> uses one DNS message per
+resource record transferred.
+<command>many-answers</command> packs as many resource records as
+possible into a message. <command>many-answers</command> is more
+efficient, but is only supported by relatively new slave servers,
+such as <acronym>BIND</acronym> 9, <acronym>BIND</acronym> 8.x and patched
+versions of <acronym>BIND</acronym> 4.9.5. The default is
+<command>many-answers</command>. <command>transfer-format</command>
+may be overridden on a per-server basis by using the
+<command>server</command> statement.
+</para>
+
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfers-in</command></term>
+<listitem><para>The maximum number of inbound zone transfers
+that can be running concurrently. The default value is <literal>10</literal>.
+Increasing <command>transfers-in</command> may speed up the convergence
+of slave zones, but it also may increase the load on the local system.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfers-out</command></term>
+<listitem><para>The maximum number of outbound zone transfers
+that can be running concurrently. Zone transfer requests in excess
+of the limit will be refused. The default value is <literal>10</literal>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfers-per-ns</command></term>
+<listitem><para>The maximum number of inbound zone transfers
+that can be concurrently transferring from a given remote name server.
+The default value is <literal>2</literal>. Increasing <command>transfers-per-ns</command> may
+speed up the convergence of slave zones, but it also may increase
+the load on the remote name server. <command>transfers-per-ns</command> may
+be overridden on a per-server basis by using the <command>transfers</command> phrase
+of the <command>server</command> statement.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfer-source</command></term>
+<listitem><para><command>transfer-source</command> determines
+which local address will be bound to IPv4 TCP connections used to
+fetch zones transferred inbound by the server. It also determines
+the source IPv4 address, and optionally the UDP port, used for the
+refresh queries and forwarded dynamic updates. If not set, it defaults
+to a system controlled value which will usually be the address of
+the interface "closest to" the remote end. This address must appear
+in the remote end's <command>allow-transfer</command> option for
+the zone being transferred, if one is specified. This statement
+sets the <command>transfer-source</command> for all zones, but can
+be overridden on a per-view or per-zone basis by including a
+<command>transfer-source</command> statement within the
+<command>view</command> or <command>zone</command> block
+in the configuration file.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfer-source-v6</command></term>
+<listitem><para>The same as <command>transfer-source</command>,
+except zone transfers are performed using IPv6.</para>
+ </listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source</command></term>
+<listitem><para>An alternate transfer source if the one listed in
+<command>transfer-source</command> fails and
+<command>use-alt-transfer-source</command> is set.</para>
+ </listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source-v6</command></term>
+<listitem><para>An alternate transfer source if the one listed in
+<command>transfer-source-v6</command> fails and
+<command>use-alt-transfer-source</command> is set.</para>
+ </listitem></varlistentry>
+
+<varlistentry><term><command>use-alt-transfer-source</command></term>
+<listitem><para>Use the alternate transfer sources or not. If views are
+specified this defaults to <command>no</command> otherwise it defaults to
+<command>yes</command> (for BIND 8 compatibility).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>notify-source</command></term>
+<listitem><para><command>notify-source</command> determines
+which local source address, and optionally UDP port, will be used to
+send NOTIFY messages.
+This address must appear in the slave server's <command>masters</command>
+zone clause or in an <command>allow-notify</command> clause.
+This statement sets the <command>notify-source</command> for all zones,
+but can be overridden on a per-zone / per-view basis by including a
+<command>notify-source</command> statement within the <command>zone</command>
+or <command>view</command> block in the configuration file.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>notify-source-v6</command></term>
+<listitem><para>Like <command>notify-source</command>,
+but applies to notify messages sent to IPv6 addresses.</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3>
+<title>Bad UDP Port Lists</title>
+<para>
+<command>avoid-v4-udp-ports</command> and <command>avoid-v6-udp-ports</command>
+specify a list of IPv4 and IPv6 UDP ports that will not be used as system
+assigned source ports for UDP sockets. These lists prevent named
+from choosing as its random source port a port that is blocked by
+your firewall. If a query went out with such a source port, the
+answer would not get by the firewall and the name server would have
+to query again.
+</para>
+</sect3>
+
+<sect3>
+<title>Operating System Resource Limits</title>
+
+<para>The server's usage of many system resources can be limited.
+Scaled values are allowed when specifying resource limits. For
+example, <command>1G</command> can be used instead of
+<command>1073741824</command> to specify a limit of one
+gigabyte. <command>unlimited</command> requests unlimited use, or the
+maximum available amount. <command>default</command> uses the limit
+that was in force when the server was started. See the description of
+<command>size_spec</command> in <xref
+linkend="configuration_file_elements"/>.</para>
+
+<para>The following options set operating system resource limits for
+the name server process. Some operating systems don't support some or
+any of the limits. On such systems, a warning will be issued if the
+unsupported limit is used.</para>
+
+<variablelist>
+
+<varlistentry><term><command>coresize</command></term>
+<listitem><para>The maximum size of a core dump. The default
+is <literal>default</literal>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>datasize</command></term>
+<listitem><para>The maximum amount of data memory the server
+may use. The default is <literal>default</literal>.
+This is a hard limit on server memory usage.
+If the server attempts to allocate memory in excess of this
+limit, the allocation will fail, which may in turn leave
+the server unable to perform DNS service. Therefore,
+this option is rarely useful as a way of limiting the
+amount of memory used by the server, but it can be used
+to raise an operating system data size limit that is
+too small by default. If you wish to limit the amount
+of memory used by the server, use the
+<command>max-cache-size</command> and
+<command>recursive-clients</command>
+options instead.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>files</command></term>
+<listitem><para>The maximum number of files the server
+may have open concurrently. The default is <literal>unlimited</literal>.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>stacksize</command></term>
+<listitem><para>The maximum amount of stack memory the server
+may use. The default is <literal>default</literal>.</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3>
+<title>Server Resource Limits</title>
+
+<para>The following options set limits on the server's
+resource consumption that are enforced internally by the
+server rather than the operating system.</para>
+
+<variablelist>
+
+<varlistentry><term><command>max-ixfr-log-size</command></term>
+<listitem><para>This option is obsolete; it is accepted
+and ignored for BIND 8 compatibility. The option
+<command>max-journal-size</command> performs a similar
+function in BIND 8.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-journal-size</command></term>
+<listitem><para>Sets a maximum size for each journal file
+(<xref linkend="journal"/>). When the journal file approaches
+the specified size, some of the oldest transactions in the journal
+will be automatically removed. The default is
+<literal>unlimited</literal>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>recursive-clients</command></term>
+<listitem><para>The maximum number of simultaneous recursive lookups
+the server will perform on behalf of clients. The default is
+<literal>1000</literal>. Because each recursing client uses a fair
+bit of memory, on the order of 20 kilobytes, the value of the
+<command>recursive-clients</command> option may have to be decreased
+on hosts with limited memory.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>tcp-clients</command></term>
+<listitem><para>The maximum number of simultaneous client TCP
+connections that the server will accept.
+The default is <literal>100</literal>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-cache-size</command></term>
+<listitem><para>The maximum amount of memory to use for the
+server's cache, in bytes. When the amount of data in the cache
+reaches this limit, the server will cause records to expire
+prematurely so that the limit is not exceeded. In a server with
+multiple views, the limit applies separately to the cache of each
+view. The default is <literal>unlimited</literal>, meaning that
+records are purged from the cache only when their TTLs expire.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>tcp-listen-queue</command></term>
+<listitem><para>The listen queue depth. The default and minimum is 3.
+If the kernel supports the accept filter "dataready" this also controls how
+many TCP connections that will be queued in kernel space waiting for
+some data before being passed to accept. Values less than 3 will be
+silently raised.
+</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3><title>Periodic Task Intervals</title>
+
+<variablelist>
+
+<varlistentry><term><command>cleaning-interval</command></term>
+<listitem><para>The server will remove expired resource records
+from the cache every <command>cleaning-interval</command> minutes.
+The default is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, no periodic cleaning will occur.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>heartbeat-interval</command></term>
+<listitem><para>The server will perform zone maintenance tasks
+for all zones marked as <command>dialup</command> whenever this
+interval expires. The default is 60 minutes. Reasonable values are up
+to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
+If set to 0, no zone maintenance for these zones will occur.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>interface-interval</command></term>
+<listitem><para>The server will scan the network interface list
+every <command>interface-interval</command> minutes. The default
+is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, interface scanning will only occur when
+the configuration file is loaded. After the scan, the server will
+begin listening for queries on any newly discovered
+interfaces (provided they are allowed by the
+<command>listen-on</command> configuration), and will
+stop listening on interfaces that have gone away.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>statistics-interval</command></term>
+<listitem><para>Name server statistics will be logged
+every <command>statistics-interval</command> minutes. The default is
+60. The maximum value is 28 days (40320 minutes).
+If set to 0, no statistics will be logged.</para><note>
+<simpara>Not yet implemented in <acronym>BIND</acronym>9.</simpara></note>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3 id="topology"><title>Topology</title>
+
+<para>All other things being equal, when the server chooses a name server
+to query from a list of name servers, it prefers the one that is
+topologically closest to itself. The <command>topology</command> statement
+takes an <command>address_match_list</command> and interprets it
+in a special way. Each top-level list element is assigned a distance.
+Non-negated elements get a distance based on their position in the
+list, where the closer the match is to the start of the list, the
+shorter the distance is between it and the server. A negated match
+will be assigned the maximum distance from the server. If there
+is no match, the address will get a distance which is further than
+any non-negated list element, and closer than any negated element.
+For example,</para>
+<programlisting>topology {
+ 10/8;
+ !1.2.3/24;
+ { 1.2/16; 3/8; };
+};</programlisting>
+<para>will prefer servers on network 10 the most, followed by hosts
+on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+is preferred least of all.</para>
+<para>The default topology is</para>
+<programlisting> topology { localhost; localnets; };
+</programlisting>
+<note><simpara>The <command>topology</command> option
+is not implemented in <acronym>BIND</acronym> 9.
+</simpara></note>
+</sect3>
+
+<sect3 id="the_sortlist_statement">
+
+<title>The <command>sortlist</command> Statement</title>
+
+<para>The response to a DNS query may consist of multiple resource
+records (RRs) forming a resource records set (RRset).
+The name server will normally return the
+RRs within the RRset in an indeterminate order
+(but see the <command>rrset-order</command>
+statement in <xref linkend="rrset_ordering"/>).
+The client resolver code should rearrange the RRs as appropriate,
+that is, using any addresses on the local net in preference to other addresses.
+However, not all resolvers can do this or are correctly configured.
+When a client is using a local server the sorting can be performed
+in the server, based on the client's address. This only requires
+configuring the name servers, not all the clients.</para>
+
+<para>The <command>sortlist</command> statement (see below) takes
+an <command>address_match_list</command> and interprets it even
+more specifically than the <command>topology</command> statement
+does (<xref linkend="topology"/>).
+Each top level statement in the <command>sortlist</command> must
+itself be an explicit <command>address_match_list</command> with
+one or two elements. The first element (which may be an IP address,
+an IP prefix, an ACL name or a nested <command>address_match_list</command>)
+of each top level list is checked against the source address of
+the query until a match is found.</para>
+<para>Once the source address of the query has been matched, if
+the top level statement contains only one element, the actual primitive
+element that matched the source address is used to select the address
+in the response to move to the beginning of the response. If the
+statement is a list of two elements, then the second element is
+treated the same as the <command>address_match_list</command> in
+a <command>topology</command> statement. Each top level element
+is assigned a distance and the address in the response with the minimum
+distance is moved to the beginning of the response.</para>
+<para>In the following example, any queries received from any of
+the addresses of the host itself will get responses preferring addresses
+on any of the locally connected networks. Next most preferred are addresses
+on the 192.168.1/24 network, and after that either the 192.168.2/24
+or
+192.168.3/24 network with no preference shown between these two
+networks. Queries received from a host on the 192.168.1/24 network
+will prefer other addresses on that network to the 192.168.2/24
+and
+192.168.3/24 networks. Queries received from a host on the 192.168.4/24
+or the 192.168.5/24 network will only prefer other addresses on
+their directly connected networks.</para>
+<programlisting>sortlist {
+ { localhost; // IF the local host
+ { localnets; // THEN first fit on the
+ 192.168.1/24; // following nets
+ { 192.168.2/24; 192.168.3/24; }; }; };
+ { 192.168.1/24; // IF on class C 192.168.1
+ { 192.168.1/24; // THEN use .1, or .2 or .3
+ { 192.168.2/24; 192.168.3/24; }; }; };
+ { 192.168.2/24; // IF on class C 192.168.2
+ { 192.168.2/24; // THEN use .2, or .1 or .3
+ { 192.168.1/24; 192.168.3/24; }; }; };
+ { 192.168.3/24; // IF on class C 192.168.3
+ { 192.168.3/24; // THEN use .3, or .1 or .2
+ { 192.168.1/24; 192.168.2/24; }; }; };
+ { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
+ };
+};</programlisting>
+<para>The following example will give reasonable behavior for the
+local host and hosts on directly connected networks. It is similar
+to the behavior of the address sort in <acronym>BIND</acronym> 4.9.x. Responses sent
+to queries from the local host will favor any of the directly connected
+networks. Responses sent to queries from any other hosts on a directly
+connected network will prefer addresses on that same network. Responses
+to other queries will not be sorted.</para>
+<programlisting>sortlist {
+ { localhost; localnets; };
+ { localnets; };
+};
+</programlisting>
+</sect3>
+<sect3 id="rrset_ordering"><title id="rrset_ordering_title">RRset Ordering</title>
+<para>When multiple records are returned in an answer it may be
+useful to configure the order of the records placed into the response.
+The <command>rrset-order</command> statement permits configuration
+of the ordering of the records in a multiple record response.
+See also the <command>sortlist</command> statement,
+<xref linkend="the_sortlist_statement"/>.
+</para>
+
+<para>An <command>order_spec</command> is defined as follows:</para>
+<programlisting><optional> class <replaceable>class_name</replaceable> </optional><optional> type <replaceable>type_name</replaceable> </optional><optional> name <replaceable>"domain_name"</replaceable></optional>
+ order <replaceable>ordering</replaceable>
+</programlisting>
+<para>If no class is specified, the default is <command>ANY</command>.
+If no type is specified, the default is <command>ANY</command>.
+If no name is specified, the default is "<command>*</command>".</para>
+<para>The legal values for <command>ordering</command> are:</para>
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.750in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><command>fixed</command></para></entry>
+<entry colname = "2"><para>Records are returned in the order they
+are defined in the zone file.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>random</command></para></entry>
+<entry colname = "2"><para>Records are returned in some random order.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>cyclic</command></para></entry>
+<entry colname = "2"><para>Records are returned in a round-robin
+order.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>For example:</para>
+<programlisting>rrset-order {
+ class IN type A name "host.example.com" order random;
+ order cyclic;
+};
+</programlisting>
+<para>will cause any responses for type A records in class IN that
+have "<literal>host.example.com</literal>" as a suffix, to always be returned
+in random order. All other records are returned in cyclic order.</para>
+<para>If multiple <command>rrset-order</command> statements appear,
+they are not combined &mdash; the last one applies.</para>
+
+<note>
+<simpara>The <command>rrset-order</command> statement
+is not yet fully implemented in <acronym>BIND</acronym> 9.
+BIND 9 currently does not support "fixed" ordering.
+</simpara></note>
+</sect3>
+
+<sect3 id="tuning"><title>Tuning</title>
+
+<variablelist>
+
+<varlistentry><term><command>lame-ttl</command></term>
+<listitem><para>Sets the number of seconds to cache a
+lame server indication. 0 disables caching. (This is
+<emphasis role="bold">NOT</emphasis> recommended.)
+Default is <literal>600</literal> (10 minutes). Maximum value is
+<literal>1800</literal> (30 minutes).</para>
+
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-ncache-ttl</command></term>
+<listitem><para>To reduce network traffic and increase performance
+the server stores negative answers. <command>max-ncache-ttl</command> is
+used to set a maximum retention time for these answers in the server
+in seconds. The default
+<command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
+<command>max-ncache-ttl</command> cannot exceed 7 days and will
+be silently truncated to 7 days if set to a greater value.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-cache-ttl</command></term>
+<listitem><para><command>max-cache-ttl</command> sets
+the maximum time for which the server will cache ordinary (positive)
+answers. The default is one week (7 days).</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>min-roots</command></term>
+<listitem><para>The minimum number of root servers that
+is required for a request for the root servers to be accepted. Default
+is <userinput>2</userinput>.</para>
+<note>
+<simpara>Not implemented in <acronym>BIND</acronym>9.</simpara></note>
+</listitem></varlistentry>
+
+<varlistentry><term><command>sig-validity-interval</command></term>
+<listitem><para>Specifies the number of days into the
+future when DNSSEC signatures automatically generated as a result
+of dynamic updates (<xref linkend="dynamic_update"/>)
+will expire. The default is <literal>30</literal> days.
+The maximum value is 10 years (3660 days). The signature
+inception time is unconditionally set to one hour before the current time
+to allow for a limited amount of clock skew.</para>
+</listitem></varlistentry>
+
+<varlistentry>
+<term><command>min-refresh-time</command></term>
+<term><command>max-refresh-time</command></term>
+<term><command>min-retry-time</command></term>
+<term><command>max-retry-time</command></term>
+<listitem><para>
+These options control the server's behavior on refreshing a zone
+(querying for SOA changes) or retrying failed transfers.
+Usually the SOA values for the zone are used, but these values
+are set by the master, giving slave server administrators little
+control over their contents.
+</para><para>
+These options allow the administrator to set a minimum and maximum
+refresh and retry time either per-zone, per-view, or globally.
+These options are valid for slave and stub zones,
+and clamp the SOA refresh and retry times to the specified values.
+</para></listitem></varlistentry>
+
+<varlistentry>
+<term><command>edns-udp-size</command></term>
+<listitem><para>
+<command>edns-udp-size</command> sets the advertised EDNS UDP buffer
+size. Valid values are 512 to 4096 (values outside this range will be
+silently adjusted). The default value is 4096. The usual reason for
+setting edns-udp-size to a non default value it to get UDP answers to
+pass through broken firewalls that block fragmented packets and/or
+block UDP packets that are greater than 512 bytes.
+</para></listitem></varlistentry>
+</variablelist>
+
+</sect3>
+
+<sect3 id="builtin">
+<title>Built-in server information zones</title>
+
+<para>The server provides some helpful diagnostic information
+through a number of built-in zones under the
+pseudo-top-level-domain <literal>bind</literal> in the
+<command>CHAOS</command> class. These zones are part of a
+built-in view (see <xref linkend="view_statement_grammar"/>) of class
+<command>CHAOS</command> which is separate from the default view of
+class <command>IN</command>; therefore, any global server options
+such as <command>allow-query</command> do not apply the these zones.
+If you feel the need to disable these zones, use the options
+below, or hide the built-in <command>CHAOS</command> view by
+defining an explicit view of class <command>CHAOS</command>
+that matches all clients.</para>
+
+<variablelist>
+
+<varlistentry><term><command>version</command></term>
+<listitem><para>The version the server should report
+via a query of the name <literal>version.bind</literal>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+The default is the real version number of this server.
+Specifying <command>version none</command>
+disables processing of the queries.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>hostname</command></term>
+<listitem><para>The hostname the server should report via a query of
+the name <filename>hostname.bind</filename>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+This defaults to the hostname of the machine hosting the name server as
+found by gethostname(). The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries. Specifying <command>hostname none;</command>
+disables processing of the queries.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>server-id</command></term>
+<listitem><para>The ID of the server should report via a query of
+the name <filename>ID.SERVER</filename>
+with type <command>TXT</command>, class <command>CHAOS</command>.
+The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries. Specifying <command>server-id none;</command>
+disables processing of the queries.
+Specifying <command>server-id hostname;</command> will cause named to
+use the hostname as found by gethostname().
+The default <command>server-id</command> is <command>none</command>.
+</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+
+<sect3 id="statsfile">
+<title>The Statistics File</title>
+
+<para>The statistics file generated by <acronym>BIND</acronym> 9
+is similar, but not identical, to that
+generated by <acronym>BIND</acronym> 8.
+</para>
+<para>The statistics dump begins with the line <command>+++ Statistics Dump
++++ (973798949)</command>, where the number in parentheses is a standard
+Unix-style timestamp, measured as seconds since January 1, 1970. Following
+that line are a series of lines containing a counter type, the value of the
+counter, optionally a zone name, and optionally a view name.
+The lines without view and zone listed are global statistics for the entire server.
+Lines with a zone and view name for the given view and zone (the view name is
+omitted for the default view). The statistics dump ends
+with the line <command>--- Statistics Dump --- (973798949)</command>, where the
+number is identical to the number in the beginning line.</para>
+<para>The following statistics counters are maintained:</para>
+<informaltable
+ colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.150in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.350in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><command>success</command></para></entry>
+<entry colname = "2"><para>The number of
+successful queries made to the server or zone. A successful query
+is defined as query which returns a NOERROR response with at least
+one answer RR.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>referral</command></para></entry>
+<entry colname = "2"><para>The number of queries which resulted
+in referral responses.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>nxrrset</command></para></entry>
+<entry colname = "2"><para>The number of queries which resulted in
+NOERROR responses with no data.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>nxdomain</command></para></entry>
+<entry colname = "2"><para>The number
+of queries which resulted in NXDOMAIN responses.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>failure</command></para></entry>
+<entry colname = "2"><para>The number of queries which resulted in a
+failure response other than those above.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><command>recursion</command></para></entry>
+<entry colname = "2"><para>The number of queries which caused the server
+to perform recursion in order to find the final answer.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+
+<para>
+Each query received by the server will cause exactly one of
+<command>success</command>,
+<command>referral</command>,
+<command>nxrrset</command>,
+<command>nxdomain</command>, or
+<command>failure</command>
+to be incremented, and may additionally cause the
+<command>recursion</command> counter to be incremented.
+</para>
+
+</sect3>
+
+</sect2>
+
+<sect2 id="server_statement_grammar">
+<title><command>server</command> Statement Grammar</title>
+
+<programlisting>server <replaceable>ip_addr</replaceable> {
+ <optional> bogus <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> provide-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> request-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> edns <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> transfers <replaceable>number</replaceable> ; </optional>
+ <optional> transfer-format <replaceable>( one-answer | many-answers )</replaceable> ; ]</optional>
+ <optional> keys <replaceable>{ string ; <optional> string ; <optional>...</optional></optional> }</replaceable> ; </optional>
+ <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+};
+</programlisting>
+
+</sect2>
+
+<sect2 id="server_statement_definition_and_usage">
+<title><command>server</command> Statement Definition and Usage</title>
+
+<para>The <command>server</command> statement defines characteristics
+to be associated with a remote name server.</para>
+
+<para>
+The <command>server</command> statement can occur at the top level of the
+configuration file or inside a <command>view</command> statement.
+If a <command>view</command> statement contains
+one or more <command>server</command> statements, only those
+apply to the view and any top-level ones are ignored.
+If a view contains no <command>server</command> statements,
+any top-level <command>server</command> statements are used as
+defaults.
+</para>
+
+<para>If you discover that a remote server is giving out bad data,
+marking it as bogus will prevent further queries to it. The default
+value of <command>bogus</command> is <command>no</command>.</para>
+<para>The <command>provide-ixfr</command> clause determines whether
+the local server, acting as master, will respond with an incremental
+zone transfer when the given remote server, a slave, requests it.
+If set to <command>yes</command>, incremental transfer will be provided
+whenever possible. If set to <command>no</command>, all transfers
+to the remote server will be non-incremental. If not set, the value
+of the <command>provide-ixfr</command> option in the view or
+global options block is used as a default.</para>
+
+<para>The <command>request-ixfr</command> clause determines whether
+the local server, acting as a slave, will request incremental zone
+transfers from the given remote server, a master. If not set, the
+value of the <command>request-ixfr</command> option in the view or
+global options block is used as a default.</para>
+
+<para>IXFR requests to servers that do not support IXFR will automatically
+fall back to AXFR. Therefore, there is no need to manually list
+which servers support IXFR and which ones do not; the global default
+of <command>yes</command> should always work.
+The purpose of the <command>provide-ixfr</command> and
+<command>request-ixfr</command> clauses is
+to make it possible to disable the use of IXFR even when both master
+and slave claim to support it, for example if one of the servers
+is buggy and crashes or corrupts data when IXFR is used.</para>
+
+<para>The <command>edns</command> clause determines whether the local server
+will attempt to use EDNS when communicating with the remote server. The
+default is <command>yes</command>.</para>
+
+<para>The server supports two zone transfer methods. The first, <command>one-answer</command>,
+uses one DNS message per resource record transferred. <command>many-answers</command> packs
+as many resource records as possible into a message. <command>many-answers</command> is
+more efficient, but is only known to be understood by <acronym>BIND</acronym> 9, <acronym>BIND</acronym>
+8.x, and patched versions of <acronym>BIND</acronym> 4.9.5. You can specify which method
+to use for a server with the <command>transfer-format</command> option.
+If <command>transfer-format</command> is not specified, the <command>transfer-format</command> specified
+by the <command>options</command> statement will be used.</para>
+
+<para><command>transfers</command> is used to limit the number of
+concurrent inbound zone transfers from the specified server. If
+no <command>transfers</command> clause is specified, the limit is
+set according to the <command>transfers-per-ns</command> option.</para>
+
+<para>The <command>keys</command> clause identifies a
+<command>key_id</command> defined by the <command>key</command> statement,
+to be used for transaction security (TSIG, <xref linkend="tsig"/>)
+when talking to the remote server.
+When a request is sent to the remote server, a request signature
+will be generated using the key specified here and appended to the
+message. A request originating from the remote server is not required
+to be signed by this key.</para>
+
+<para>Although the grammar of the <command>keys</command> clause
+allows for multiple keys, only a single key per server is currently
+supported.</para>
+
+<para>The <command>transfer-source</command> and
+<command>transfer-source-v6</command> clauses specify the IPv4 and IPv6 source
+address to be used for zone transfer with the remote server, respectively.
+For an IPv4 remote server, only <command>transfer-source</command> can
+be specified.
+Similarly, for an IPv6 remote server, only
+<command>transfer-source-v6</command> can be specified.
+Form more details, see the description of
+<command>transfer-source</command> and
+<command>transfer-source-v6</command> in
+<xref linkend="zone_transfers"/>.</para>
+
+</sect2>
+
+<sect2><title><command>trusted-keys</command> Statement Grammar</title>
+<programlisting>trusted-keys {
+ <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ;
+ <optional> <replaceable>string</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; <optional>...</optional></optional>
+};
+</programlisting>
+</sect2>
+<sect2><title><command>trusted-keys</command> Statement Definition
+and Usage</title>
+<para>The <command>trusted-keys</command> statement defines DNSSEC
+security roots. DNSSEC is described in <xref linkend="DNSSEC"/>. A security root is defined when the public key for a non-authoritative
+zone is known, but cannot be securely obtained through DNS, either
+because it is the DNS root zone or because its parent zone is unsigned.
+Once a key has been configured as a trusted key, it is treated as
+if it had been validated and proven secure. The resolver attempts
+DNSSEC validation on all DNS data in subdomains of a security root.</para>
+<para>The <command>trusted-keys</command> statement can contain
+multiple key entries, each consisting of the key's domain name,
+flags, protocol, algorithm, and the base-64 representation of the
+key data.</para></sect2>
+
+<sect2 id="view_statement_grammar">
+<title><command>view</command> Statement Grammar</title>
+<programlisting>view <replaceable>view_name</replaceable>
+ <optional><replaceable>class</replaceable></optional> {
+ match-clients { <replaceable>address_match_list</replaceable> } ;
+ match-destinations { <replaceable>address_match_list</replaceable> } ;
+ match-recursive-only <replaceable>yes_or_no</replaceable> ;
+ <optional> <replaceable>view_option</replaceable>; ...</optional>
+ <optional> <replaceable>zone_statement</replaceable>; ...</optional>
+};
+</programlisting></sect2>
+<sect2><title><command>view</command> Statement Definition and Usage</title>
+
+<para>The <command>view</command> statement is a powerful new feature
+of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differently
+depending on who is asking. It is particularly useful for implementing
+split DNS setups without having to run multiple servers.</para>
+
+<para>Each <command>view</command> statement defines a view of the
+DNS namespace that will be seen by a subset of clients. A client matches
+a view if its source IP address matches the
+<varname>address_match_list</varname> of the view's
+<command>match-clients</command> clause and its destination IP address matches
+the <varname>address_match_list</varname> of the view's
+<command>match-destinations</command> clause. If not specified, both
+<command>match-clients</command> and <command>match-destinations</command>
+default to matching all addresses. In addition to checking IP addresses
+<command>match-clients</command> and <command>match-destinations</command>
+can also take <command>keys</command> which provide an mechanism for the
+client to select the view. A view can also be specified
+as <command>match-recursive-only</command>, which means that only recursive
+requests from matching clients will match that view.
+The order of the <command>view</command> statements is significant &mdash;
+a client request will be resolved in the context of the first
+<command>view</command> that it matches.</para>
+
+<para>Zones defined within a <command>view</command> statement will
+be only be accessible to clients that match the <command>view</command>.
+ By defining a zone of the same name in multiple views, different
+zone data can be given to different clients, for example, "internal"
+and "external" clients in a split DNS setup.</para>
+
+<para>Many of the options given in the <command>options</command> statement
+can also be used within a <command>view</command> statement, and then
+apply only when resolving queries with that view. When no view-specific
+value is given, the value in the <command>options</command> statement
+is used as a default. Also, zone options can have default values specified
+in the <command>view</command> statement; these view-specific defaults
+take precedence over those in the <command>options</command> statement.</para>
+
+<para>Views are class specific. If no class is given, class IN
+is assumed. Note that all non-IN views must contain a hint zone,
+since only the IN class has compiled-in default hints.</para>
+
+<para>If there are no <command>view</command> statements in the config
+file, a default view that matches any client is automatically created
+in class IN. Any <command>zone</command> statements specified on
+the top level of the configuration file are considered to be part of
+this default view, and the <command>options</command> statement will
+apply to the default view. If any explicit <command>view</command>
+statements are present, all <command>zone</command> statements must
+occur inside <command>view</command> statements.</para>
+
+<para>Here is an example of a typical split DNS setup implemented
+using <command>view</command> statements.</para>
+<programlisting>view "internal" {
+ // This should match our internal networks.
+ match-clients { 10.0.0.0/8; };
+
+ // Provide recursive service to internal clients only.
+ recursion yes;
+
+ // Provide a complete view of the example.com zone
+ // including addresses of internal hosts.
+ zone "example.com" {
+ type master;
+ file "example-internal.db";
+ };
+};
+
+view "external" {
+ // Match all clients not matched by the previous view.
+ match-clients { any; };
+
+ // Refuse recursive service to external clients.
+ recursion no;
+
+ // Provide a restricted view of the example.com zone
+ // containing only publicly accessible hosts.
+ zone "example.com" {
+ type master;
+ file "example-external.db";
+ };
+};
+</programlisting>
+</sect2>
+<sect2 id="zone_statement_grammar"><title><command>zone</command>
+Statement Grammar</title>
+ <programlisting>zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> <optional>{
+ type ( master | slave | hint | stub | forward | delegation-only ) ;
+ <optional> allow-notify { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> allow-query { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> allow-transfer { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> allow-update { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> } ; </optional>
+ <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> } ; </optional>
+ <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
+ <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
+ <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> file <replaceable>string</replaceable> ; </optional>
+ <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
+ <optional> forwarders { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
+ <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
+ <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
+ <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> } ; </optional>
+ <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
+ <optional> max-transfer-idle-in <replaceable>number</replaceable> ; </optional>
+ <optional> max-transfer-idle-out <replaceable>number</replaceable> ; </optional>
+ <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
+ <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
+ <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> ; </optional>
+ <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
+ <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> alt-transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> use-alt-transfer-source <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+ <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+ <optional> database <replaceable>string</replaceable> ; </optional>
+ <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
+ <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
+ <optional> min-retry-time <replaceable>number</replaceable> ; </optional>
+ <optional> max-retry-time <replaceable>number</replaceable> ; </optional>
+ <optional> multi-master <replaceable>yes_or_no</replaceable> ; </optional>
+ <optional> key-directory <replaceable>path_name</replaceable>; </optional>
+
+}</optional>;
+</programlisting>
+</sect2>
+<sect2><title><command>zone</command> Statement Definition and Usage</title>
+<sect3><title>Zone Types</title>
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "2" colsep = "0" rowsep = "0"
+ tgroupstyle = "3Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.908in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.217in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>master</varname></para></entry>
+<entry colname = "2"><para>The server has a master copy of the data
+for the zone and will be able to provide authoritative answers for
+it.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>slave</varname></para></entry>
+<entry colname = "2"><para>A slave zone is a replica of a master
+zone. The <command>masters</command> list specifies one or more IP addresses
+of master servers that the slave contacts to update its copy of the zone.
+Masters list elements can also be names of other masters lists.
+By default, transfers are made from port 53 on the servers; this can
+be changed for all servers by specifying a port number before the
+list of IP addresses, or on a per-server basis after the IP address.
+Authentication to the master can also be done with per-server TSIG keys.
+If a file is specified, then the
+replica will be written to this file whenever the zone is changed,
+and reloaded from this file on a server restart. Use of a file is
+recommended, since it often speeds server start-up and eliminates
+a needless waste of bandwidth. Note that for large numbers (in the
+tens or hundreds of thousands) of zones per server, it is best to
+use a two level naming scheme for zone file names. For example,
+a slave server for the zone <literal>example.com</literal> might place
+the zone contents into a file called
+<filename>ex/example.com</filename> where <filename>ex/</filename> is
+just the first two letters of the zone name. (Most operating systems
+behave very slowly if you put 100 000 files into
+a single directory.)</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>stub</varname></para></entry>
+<entry colname = "2"><para>A stub zone is similar to a slave zone,
+except that it replicates only the NS records of a master zone instead
+of the entire zone. Stub zones are not a standard part of the DNS;
+they are a feature specific to the <acronym>BIND</acronym> implementation.
+</para>
+
+<para>Stub zones can be used to eliminate the need for glue NS record
+in a parent zone at the expense of maintaining a stub zone entry and
+a set of name server addresses in <filename>named.conf</filename>.
+This usage is not recommended for new configurations, and BIND 9
+supports it only in a limited way.
+In <acronym>BIND</acronym> 4/8, zone transfers of a parent zone
+included the NS records from stub children of that zone. This meant
+that, in some cases, users could get away with configuring child stubs
+only in the master server for the parent zone. <acronym>BIND</acronym>
+9 never mixes together zone data from different zones in this
+way. Therefore, if a <acronym>BIND</acronym> 9 master serving a parent
+zone has child stub zones configured, all the slave servers for the
+parent zone also need to have the same child stub zones
+configured.</para>
+
+<para>Stub zones can also be used as a way of forcing the resolution
+of a given domain to use a particular set of authoritative servers.
+For example, the caching name servers on a private network using
+RFC1981 addressing may be configured with stub zones for
+<literal>10.in-addr.arpa</literal>
+to use a set of internal name servers as the authoritative
+servers for that domain.</para>
+</entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>forward</varname></para></entry>
+<entry colname = "2"><para>A "forward zone" is a way to configure
+forwarding on a per-domain basis. A <command>zone</command> statement
+of type <command>forward</command> can contain a <command>forward</command> and/or <command>forwarders</command> statement,
+which will apply to queries within the domain given by the zone
+name. If no <command>forwarders</command> statement is present or
+an empty list for <command>forwarders</command> is given, then no
+forwarding will be done for the domain, canceling the effects of
+any forwarders in the <command>options</command> statement. Thus
+if you want to use this type of zone to change the behavior of the
+global <command>forward</command> option (that is, "forward first
+to", then "forward only", or vice versa, but want to use the same
+servers as set globally) you need to re-specify the global forwarders.</para>
+</entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>hint</varname></para></entry>
+<entry colname = "2"><para>The initial set of root name servers is
+specified using a "hint zone". When the server starts up, it uses
+the root hints to find a root name server and get the most recent
+list of root name servers. If no hint zone is specified for class
+IN, the server uses a compiled-in default set of root servers hints.
+Classes other than IN have no built-in defaults hints.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>delegation-only</varname></para></entry>
+<entry colname = "2"><para>This is used to enforce the delegation only
+status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
+is received without a explicit or implicit delegation in the authority
+section will be treated as NXDOMAIN. This does not apply to the zone
+apex. This SHOULD NOT be applied to leaf zones.</para>
+<para><varname>delegation-only</varname> has no effect on answers received
+from forwarders.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable></sect3>
+
+<sect3><title>Class</title>
+<para>The zone's name may optionally be followed by a class. If
+a class is not specified, class <literal>IN</literal> (for <varname>Internet</varname>),
+is assumed. This is correct for the vast majority of cases.</para>
+<para>The <literal>hesiod</literal> class is
+named for an information service from MIT's Project Athena. It is
+used to share information about various systems databases, such
+as users, groups, printers and so on. The keyword
+<literal>HS</literal> is
+a synonym for hesiod.</para>
+<para>Another MIT development is CHAOSnet, a LAN protocol created
+in the mid-1970s. Zone data for it can be specified with the <literal>CHAOS</literal> class.</para></sect3>
+<sect3>
+
+<title>Zone Options</title>
+
+<variablelist>
+
+<varlistentry><term><command>allow-notify</command></term>
+<listitem><para>See the description of
+<command>allow-notify</command> in <xref linkend="access_control"/></para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-query</command></term>
+<listitem><para>See the description of
+<command>allow-query</command> in <xref linkend="access_control"/></para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-transfer</command></term>
+<listitem><para>See the description of <command>allow-transfer</command>
+in <xref linkend="access_control"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-update</command></term>
+<listitem><para>Specifies which hosts are allowed to
+submit Dynamic DNS updates for master zones. The default is to deny
+updates from all hosts. Note that allowing updates based
+on the requestor's IP address is insecure; see
+<xref linkend="dynamic_update_security"/> for details.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>update-policy</command></term>
+<listitem><para>Specifies a "Simple Secure Update" policy. See
+<xref linkend="dynamic_update_policies"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>allow-update-forwarding</command></term>
+<listitem><para>See the description of <command>allow-update-forwarding</command>
+in <xref linkend="access_control"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>also-notify</command></term>
+<listitem><para>Only meaningful if <command>notify</command> is
+active for this zone. The set of machines that will receive a
+<literal>DNS NOTIFY</literal> message
+for this zone is made up of all the listed name servers (other than
+the primary master) for the zone plus any IP addresses specified
+with <command>also-notify</command>. A port may be specified
+with each <command>also-notify</command> address to send the notify
+messages to a port other than the default of 53.
+<command>also-notify</command> is not meaningful for stub zones.
+The default is the empty list.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>check-names</command></term>
+<listitem><para>
+This option is used to restrict the character set and syntax of
+certain domain names in master files and/or DNS responses received from the
+network.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>database</command></term>
+<listitem><para>Specify the type of database to be used for storing the
+zone data. The string following the <command>database</command> keyword
+is interpreted as a list of whitespace-delimited words. The first word
+identifies the database type, and any subsequent words are passed
+as arguments to the database to be interpreted in a way specific
+to the database type.</para>
+<para>The default is <userinput>"rbt"</userinput>, BIND 9's native in-memory
+red-black-tree database. This database does not take arguments.</para>
+<para>Other values are possible if additional database drivers
+have been linked into the server. Some sample drivers are included
+with the distribution but none are linked in by default.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>dialup</command></term>
+<listitem><para>See the description of
+<command>dialup</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>delegation-only</command></term>
+<listitem><para>The flag only applies to hint and stub zones. If set
+to <userinput>yes</userinput> then the zone will also be treated as if it
+is also a delegation-only type zone.
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>forward</command></term>
+<listitem><para>Only meaningful if the zone has a forwarders
+list. The <command>only</command> value causes the lookup to fail
+after trying the forwarders and getting no answer, while <command>first</command> would
+allow a normal lookup to be tried.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>forwarders</command></term>
+<listitem><para>Used to override the list of global forwarders.
+If it is not specified in a zone of type <command>forward</command>,
+no forwarding is done for the zone; the global options are not used.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>ixfr-base</command></term>
+<listitem><para>Was used in <acronym>BIND</acronym> 8 to specify the name
+of the transaction log (journal) file for dynamic update and IXFR.
+<acronym>BIND</acronym> 9 ignores the option and constructs the name of the journal
+file by appending "<filename>.jnl</filename>" to the name of the
+zone file.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>ixfr-tmp-file</command></term>
+<listitem><para>Was an undocumented option in <acronym>BIND</acronym> 8.
+Ignored in <acronym>BIND</acronym> 9.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-time-in</command></term>
+<listitem><para>See the description of
+<command>max-transfer-time-in</command> in <xref linkend="zone_transfers"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-idle-in</command></term>
+<listitem><para>See the description of
+<command>max-transfer-idle-in</command> in <xref linkend="zone_transfers"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-time-out</command></term>
+<listitem><para>See the description of
+<command>max-transfer-time-out</command> in <xref linkend="zone_transfers"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>max-transfer-idle-out</command></term>
+<listitem><para>See the description of
+<command>max-transfer-idle-out</command> in <xref linkend="zone_transfers"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>notify</command></term>
+<listitem><para>See the description of
+<command>notify</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>pubkey</command></term>
+<listitem><para>In <acronym>BIND</acronym> 8, this option was intended for specifying
+a public zone key for verification of signatures in DNSSEC signed
+zones when they are loaded from disk. <acronym>BIND</acronym> 9 does not verify signatures
+on load and ignores the option.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>zone-statistics</command></term>
+<listitem><para>If <userinput>yes</userinput>, the server will keep statistical
+information for this zone, which can be dumped to the
+<command>statistics-file</command> defined in the server options.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>sig-validity-interval</command></term>
+<listitem><para>See the description of
+<command>sig-validity-interval</command> in <xref linkend="tuning"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfer-source</command></term>
+<listitem><para>See the description of
+<command>transfer-source</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>transfer-source-v6</command></term>
+<listitem><para>See the description of
+<command>transfer-source-v6</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source</command></term>
+<listitem><para>See the description of
+<command>alt-transfer-source</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>alt-transfer-source-v6</command></term>
+<listitem><para>See the description of
+<command>alt-transfer-source-v6</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>use-alt-transfer-source</command></term>
+<listitem><para>See the description of
+<command>use-alt-transfer-source</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+
+<varlistentry><term><command>notify-source</command></term>
+<listitem><para>See the description of
+<command>notify-source</command> in <xref linkend="zone_transfers"/>
+</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>notify-source-v6</command></term>
+<listitem><para>See the description of
+<command>notify-source-v6</command> in <xref linkend="zone_transfers"/>.
+</para>
+</listitem></varlistentry>
+
+<varlistentry>
+<term><command>min-refresh-time</command></term>
+<term><command>max-refresh-time</command></term>
+<term><command>min-retry-time</command></term>
+<term><command>max-retry-time</command></term>
+<listitem><para>
+See the description in <xref linkend="tuning"/>.
+</para></listitem></varlistentry>
+
+<varlistentry><term><command>ixfr-from-differences</command></term>
+<listitem><para>See the description of
+<command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>key-directory</command></term>
+<listitem><para>See the description of
+<command>key-directory</command> in <xref linkend="options"/></para>
+</listitem></varlistentry>
+
+<varlistentry><term><command>multi-master</command></term>
+<listitem><para>See the description of
+<command>multi-master</command> in <xref linkend="boolean_options"/>.</para>
+</listitem></varlistentry>
+
+</variablelist>
+
+</sect3>
+<sect3 id="dynamic_update_policies"><title>Dynamic Update Policies</title>
+<para><acronym>BIND</acronym> 9 supports two alternative methods of granting clients
+the right to perform dynamic updates to a zone,
+configured by the <command>allow-update</command> and
+<command>update-policy</command> option, respectively.</para>
+<para>The <command>allow-update</command> clause works the same
+way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
+permission to update any record of any name in the zone.</para>
+<para>The <command>update-policy</command> clause is new in <acronym>BIND</acronym>
+9 and allows more fine-grained control over what updates are allowed.
+A set of rules is specified, where each rule either grants or denies
+permissions for one or more names to be updated by one or more identities.
+ If the dynamic update request message is signed (that is, it includes
+either a TSIG or SIG(0) record), the identity of the signer can
+be determined.</para>
+<para>Rules are specified in the <command>update-policy</command> zone
+option, and are only meaningful for master zones. When the <command>update-policy</command> statement
+is present, it is a configuration error for the <command>allow-update</command> statement
+to be present. The <command>update-policy</command> statement only
+examines the signer of a message; the source address is not relevant.</para>
+<para>This is how a rule definition looks:</para>
+<programlisting>
+( <command>grant</command> | <command>deny</command> ) <replaceable>identity</replaceable> <replaceable>nametype</replaceable> <replaceable>name</replaceable> <optional> <replaceable>types</replaceable> </optional>
+</programlisting>
+<para>Each rule grants or denies privileges. Once a message has
+successfully matched a rule, the operation is immediately granted
+or denied and no further rules are examined. A rule is matched
+when the signer matches the identity field, the name matches the
+name field in accordance with the nametype field, and the type matches
+the types specified in the type field.</para>
+
+<para>The identity field specifies a name or a wildcard name. Normally, this
+is the name of the TSIG or SIG(0) key used to sign the update request. When a
+TKEY exchange has been used to create a shared secret, the identity of the
+shared secret is the same as the identity of the key used to authenticate the
+TKEY exchange. When the <replaceable>identity</replaceable> field specifies a
+wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
+to multiple identities. The <replaceable>identity</replaceable> field must
+contain a fully qualified domain name.</para>
+
+<para>The <replaceable>nametype</replaceable> field has 4 values:
+<varname>name</varname>, <varname>subdomain</varname>,
+<varname>wildcard</varname>, and <varname>self</varname>.
+</para>
+<informaltable>
+ <tgroup cols = "2" colsep = "0"
+ rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.819in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.681in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>name</varname></para></entry>
+<entry colname = "2"><para>Exact-match semantics. This rule matches when the
+name being updated is identical to the contents of the
+<replaceable>name</replaceable> field.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>subdomain</varname></para></entry>
+<entry colname = "2"><para>This rule matches when the name being updated
+is a subdomain of, or identical to, the contents of the
+<replaceable>name</replaceable> field.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>wildcard</varname></para></entry>
+<entry colname = "2"><para>The <replaceable>name</replaceable> field is
+subject to DNS wildcard expansion, and this rule matches when the name
+being updated name is a valid expansion of the wildcard.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><varname>self</varname></para></entry>
+<entry colname = "2"><para>This rule matches when the name being updated
+matches the contents of the <replaceable>identity</replaceable> field.
+The <replaceable>name</replaceable> field is ignored, but should be
+the same as the <replaceable>identity</replaceable> field. The
+<varname>self</varname> nametype is most useful when allowing using
+one key per name to update, where the key has the same name as the name
+to be updated. The <replaceable>identity</replaceable> would be
+specified as <constant>*</constant> in this case.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+
+<para>In all cases, the <replaceable>name</replaceable> field must
+specify a fully qualified domain name.</para>
+
+<para>If no types are explicitly specified, this rule matches all types except
+SIG, NS, SOA, and NXT. Types may be specified by name, including
+"ANY" (ANY matches all types except NXT, which can never be updated).
+Note that when an attempt is made to delete all records associated with a
+name, the rules are checked for each existing record type.
+</para>
+ </sect3>
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>Zone File</title>
+ <sect2 id="types_of_resource_records_and_when_to_use_them">
+ <title>Types of Resource Records and When to Use Them</title>
+<para>This section, largely borrowed from RFC 1034, describes the
+concept of a Resource Record (RR) and explains when each is used.
+Since the publication of RFC 1034, several new RRs have been identified
+and implemented in the DNS. These are also included.</para>
+ <sect3>
+ <title>Resource Records</title>
+
+ <para>A domain name identifies a node. Each node has a set of
+ resource information, which may be empty. The set of resource
+ information associated with a particular name is composed of
+ separate RRs. The order of RRs in a set is not significant and
+ need not be preserved by name servers, resolvers, or other
+ parts of the DNS. However, sorting of multiple RRs is
+ permitted for optimization purposes, for example, to specify
+ that a particular nearby server be tried first. See <xref
+ linkend="the_sortlist_statement"/> and <xref
+ linkend="rrset_ordering"/>.</para>
+
+<para>The components of a Resource Record are:</para>
+<informaltable colsep = "0"
+ rowsep = "0"><tgroup cols = "2" colsep = "0"
+ rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.000in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.500in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>owner name</para></entry>
+<entry colname = "2"><para>the domain name where the RR is found.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>type</para></entry>
+<entry colname = "2"><para>an encoded 16 bit value that specifies
+the type of the resource record.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>TTL</para></entry>
+<entry colname = "2"><para>the time to live of the RR. This field
+is a 32 bit integer in units of seconds, and is primarily used by
+resolvers when they cache RRs. The TTL describes how long a RR can
+be cached before it should be discarded.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>class</para></entry>
+<entry colname = "2"><para>an encoded 16 bit value that identifies
+a protocol family or instance of a protocol.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>RDATA</para></entry>
+<entry colname = "2"><para>the resource data. The format of the
+data is type (and sometimes class) specific.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>The following are <emphasis>types</emphasis> of valid RRs:</para>
+<informaltable colsep = "0"
+ rowsep = "0"><tgroup cols = "2" colsep = "0"
+ rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>A</para></entry>
+<entry colname = "2"><para>a host address. In the IN class, this is a
+32-bit IP address. Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>AAAA</para></entry>
+<entry colname = "2"><para>IPv6 address. Described in RFC 1886.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>A6</para></entry>
+<entry colname = "2"><para>IPv6 address. This can be a partial
+address (a suffix) and an indirection to the name where the rest of the
+address (the prefix) can be found. Experimental. Described in RFC 2874.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>AFSDB</para></entry>
+<entry colname = "2"><para>location of AFS database servers.
+Experimental. Described in RFC 1183.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>APL</para></entry>
+<entry colname = "2"><para>address prefix list. Experimental.
+Described in RFC 3123.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>CERT</para></entry>
+<entry colname = "2"><para>holds a digital certificate.
+Described in RFC 2538.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>CNAME</para></entry>
+<entry colname = "2"><para>identifies the canonical name of an alias.
+Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>DNAME</para></entry>
+<entry colname = "2"><para>Replaces the domain name specified with
+another name to be looked up, effectively aliasing an entire
+subtree of the domain name space rather than a single record
+as in the case of the CNAME RR.
+Described in RFC 2672.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>GPOS</para></entry>
+<entry colname = "2"><para>Specifies the global position. Superseded by LOC.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>HINFO</para></entry>
+<entry colname = "2"><para>identifies the CPU and OS used by a host.
+Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>ISDN</para></entry>
+<entry colname = "2"><para>representation of ISDN addresses.
+Experimental. Described in RFC 1183.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>KEY</para></entry>
+<entry colname = "2"><para>stores a public key associated with a
+DNS name. Described in RFC 2535.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>KX</para></entry>
+<entry colname = "2"><para>identifies a key exchanger for this
+DNS name. Described in RFC 2230.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>LOC</para></entry>
+<entry colname = "2"><para>for storing GPS info. Described in RFC 1876.
+Experimental.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>MX</para></entry>
+<entry colname = "2"><para>identifies a mail exchange for the domain.
+a 16 bit preference value (lower is better)
+followed by the host name of the mail exchange.
+Described in RFC 974, RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>NAPTR</para></entry>
+<entry colname = "2"><para>name authority pointer. Described in RFC 2915.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>NSAP</para></entry>
+<entry colname = "2"><para>a network service access point.
+Described in RFC 1706.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>NS</para></entry>
+<entry colname = "2"><para>the authoritative name server for the
+domain. Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>NXT</para></entry>
+<entry colname = "2"><para>used in DNSSEC to securely indicate that
+RRs with an owner name in a certain name interval do not exist in
+a zone and indicate what RR types are present for an existing name.
+Described in RFC 2535.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>PTR</para></entry>
+<entry colname = "2"><para>a pointer to another part of the domain
+name space. Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>PX</para></entry>
+<entry colname = "2"><para>provides mappings between RFC 822 and X.400
+addresses. Described in RFC 2163.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>RP</para></entry>
+<entry colname = "2"><para>information on persons responsible
+for the domain. Experimental. Described in RFC 1183.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>RT</para></entry>
+<entry colname = "2"><para>route-through binding for hosts that
+do not have their own direct wide area network addresses.
+Experimental. Described in RFC 1183.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>SIG</para></entry>
+<entry colname = "2"><para>("signature") contains data authenticated
+in the secure DNS. Described in RFC 2535.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>SOA</para></entry>
+<entry colname = "2"><para>identifies the start of a zone of authority.
+Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>SRV</para></entry>
+<entry colname = "2"><para>information about well known network
+services (replaces WKS). Described in RFC 2782.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>TXT</para></entry>
+<entry colname = "2"><para>text records. Described in RFC 1035.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>WKS</para></entry>
+<entry colname = "2"><para>information about which well known
+network services, such as SMTP, that a domain supports. Historical.
+</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>X25</para></entry>
+<entry colname = "2"><para>representation of X.25 network addresses.
+Experimental. Described in RFC 1183.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>The following <emphasis>classes</emphasis> of resource records
+are currently valid in the DNS:</para><informaltable colsep = "0"
+ rowsep = "0"><tgroup cols = "2" colsep = "0" rowsep = "0"
+ tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "3.625in"/>
+<tbody>
+
+<row rowsep = "0">
+<entry colname = "1"><para>IN</para></entry>
+<entry colname = "2"><para>The Internet.</para></entry>
+</row>
+
+<row rowsep = "0">
+<entry colname = "1"><para>CH</para></entry>
+<entry colname = "2"><para>
+CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
+Rarely used for its historical purpose, but reused for BIND's
+built-in server information zones, e.g.,
+<literal>version.bind</literal>.
+</para></entry>
+</row>
+
+<row rowsep = "0">
+<entry colname = "1"><para>HS</para></entry>
+<entry colname = "2"><para>
+Hesiod, an information service
+developed by MIT's Project Athena. It is used to share information
+about various systems databases, such as users, groups, printers
+and so on.
+</para></entry>
+</row>
+
+</tbody>
+</tgroup></informaltable>
+
+<para>The owner name is often implicit, rather than forming an integral
+part of the RR. For example, many name servers internally form tree
+or hash structures for the name space, and chain RRs off nodes.
+ The remaining RR parts are the fixed header (type, class, TTL)
+which is consistent for all RRs, and a variable part (RDATA) that
+fits the needs of the resource being described.</para>
+<para>The meaning of the TTL field is a time limit on how long an
+RR can be kept in a cache. This limit does not apply to authoritative
+data in zones; it is also timed out, but by the refreshing policies
+for the zone. The TTL is assigned by the administrator for the
+zone where the data originates. While short TTLs can be used to
+minimize caching, and a zero TTL prohibits caching, the realities
+of Internet performance suggest that these times should be on the
+order of days for the typical host. If a change can be anticipated,
+the TTL can be reduced prior to the change to minimize inconsistency
+during the change, and then increased back to its former value following
+the change.</para>
+<para>The data in the RDATA section of RRs is carried as a combination
+of binary strings and domain names. The domain names are frequently
+used as "pointers" to other data in the DNS.</para></sect3>
+<sect3><title>Textual expression of RRs</title>
+<para>RRs are represented in binary form in the packets of the DNS
+protocol, and are usually represented in highly encoded form when
+stored in a name server or resolver. In the examples provided in
+RFC 1034, a style similar to that used in master files was employed
+in order to show the contents of RRs. In this format, most RRs
+are shown on a single line, although continuation lines are possible
+using parentheses.</para>
+<para>The start of the line gives the owner of the RR. If a line
+begins with a blank, then the owner is assumed to be the same as
+that of the previous RR. Blank lines are often included for readability.</para>
+<para>Following the owner, we list the TTL, type, and class of the
+RR. Class and type use the mnemonics defined above, and TTL is
+an integer before the type field. In order to avoid ambiguity in
+parsing, type and class mnemonics are disjoint, TTLs are integers,
+and the type mnemonic is always last. The IN class and TTL values
+are often omitted from examples in the interests of clarity.</para>
+<para>The resource data or RDATA section of the RR are given using
+knowledge of the typical representation for the data.</para>
+<para>For example, we might show the RRs carried in a message as:</para> <informaltable
+ colsep = "0" rowsep = "0"><tgroup cols = "3"
+ colsep = "0" rowsep = "0" tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.381in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.020in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.099in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>ISI.EDU.</literal></para></entry>
+<entry colname = "2"><para><literal>MX</literal></para></entry>
+<entry colname = "3"><para><literal>10 VENERA.ISI.EDU.</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>MX</literal></para></entry>
+<entry colname = "3"><para><literal>10 VAXA.ISI.EDU</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>VENERA.ISI.EDU</literal></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>128.9.0.32</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>10.1.0.52</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>VAXA.ISI.EDU</literal></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>10.2.0.27</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>128.9.0.33</literal></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>The MX RRs have an RDATA section which consists of a 16 bit
+number followed by a domain name. The address RRs use a standard
+IP address format to contain a 32 bit internet address.</para>
+<para>This example shows six RRs, with two RRs at each of three
+domain names.</para>
+<para>Similarly we might see:</para><informaltable colsep = "0"
+ rowsep = "0"><tgroup cols = "3" colsep = "0" rowsep = "0"
+ tgroupstyle = "4Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.491in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "1.067in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "2.067in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>XX.LCS.MIT.EDU. IN</literal></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>10.0.0.44</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>CH</literal></para></entry>
+<entry colname = "2"><para><literal>A</literal></para></entry>
+<entry colname = "3"><para><literal>MIT.EDU. 2420</literal></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>This example shows two addresses for <literal>XX.LCS.MIT.EDU</literal>,
+each of a different class.</para></sect3></sect2>
+
+<sect2><title>Discussion of MX Records</title>
+
+<para>As described above, domain servers store information as a
+series of resource records, each of which contains a particular
+piece of information about a given domain name (which is usually,
+but not always, a host). The simplest way to think of a RR is as
+a typed pair of data, a domain name matched with a relevant datum,
+and stored with some additional type information to help systems
+determine when the RR is relevant.</para>
+
+<para>MX records are used to control delivery of email. The data
+specified in the record is a priority and a domain name. The priority
+controls the order in which email delivery is attempted, with the
+lowest number first. If two priorities are the same, a server is
+chosen randomly. If no servers at a given priority are responding,
+the mail transport agent will fall back to the next largest priority.
+Priority numbers do not have any absolute meaning &mdash; they are relevant
+only respective to other MX records for that domain name. The domain
+name given is the machine to which the mail will be delivered. It <emphasis>must</emphasis> have
+an associated A record &mdash; CNAME is not sufficient.</para>
+<para>For a given domain, if there is both a CNAME record and an
+MX record, the MX record is in error, and will be ignored. Instead,
+the mail will be delivered to the server specified in the MX record
+pointed to by the CNAME.</para>
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "5"
+ colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.708in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.444in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.444in"/>
+<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.976in"/>
+<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.553in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>example.com.</literal></para></entry>
+<entry colname = "2"><para><literal>IN</literal></para></entry>
+<entry colname = "3"><para><literal>MX</literal></para></entry>
+<entry colname = "4"><para><literal>10</literal></para></entry>
+<entry colname = "5"><para><literal>mail.example.com.</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>IN</literal></para></entry>
+<entry colname = "3"><para><literal>MX</literal></para></entry>
+<entry colname = "4"><para><literal>10</literal></para></entry>
+<entry colname = "5"><para><literal>mail2.example.com.</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para><literal>IN</literal></para></entry>
+<entry colname = "3"><para><literal>MX</literal></para></entry>
+<entry colname = "4"><para><literal>20</literal></para></entry>
+<entry colname = "5"><para><literal>mail.backup.org.</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>mail.example.com.</literal></para></entry>
+<entry colname = "2"><para><literal>IN</literal></para></entry>
+<entry colname = "3"><para><literal>A</literal></para></entry>
+<entry colname = "4"><para><literal>10.0.0.1</literal></para></entry>
+<entry colname = "5"><para></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>mail2.example.com.</literal></para></entry>
+<entry colname = "2"><para><literal>IN</literal></para></entry>
+<entry colname = "3"><para><literal>A</literal></para></entry>
+<entry colname = "4"><para><literal>10.0.0.2</literal></para></entry>
+<entry colname = "5"><para></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable><para>For example:</para>
+<para>Mail delivery will be attempted to <literal>mail.example.com</literal> and
+<literal>mail2.example.com</literal> (in
+any order), and if neither of those succeed, delivery to <literal>mail.backup.org</literal> will
+be attempted.</para></sect2>
+<sect2 id="Setting_TTLs"><title>Setting TTLs</title>
+<para>The time to live of the RR field is a 32 bit integer represented
+in units of seconds, and is primarily used by resolvers when they
+cache RRs. The TTL describes how long a RR can be cached before it
+should be discarded. The following three types of TTL are currently
+used in a zone file.</para>
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "2"
+ colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.750in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.375in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>SOA</para></entry>
+<entry colname = "2"><para>The last field in the SOA is the negative
+caching TTL. This controls how long other servers will cache no-such-domain
+(NXDOMAIN) responses from you.</para><para>The maximum time for
+negative caching is 3 hours (3h).</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>$TTL</para></entry>
+<entry colname = "2"><para>The $TTL directive at the top of the
+zone file (before the SOA) gives a default TTL for every RR without
+a specific TTL set.</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>RR TTLs</para></entry>
+<entry colname = "2"><para>Each RR can have a TTL as the second
+field in the RR, which will control how long other servers can cache
+the it.</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+<para>All of these TTLs default to units of seconds, though units
+can be explicitly specified, for example, <literal>1h30m</literal>. </para></sect2>
+<sect2><title>Inverse Mapping in IPv4</title>
+<para>Reverse name resolution (that is, translation from IP address
+to name) is achieved by means of the <emphasis>in-addr.arpa</emphasis> domain
+and PTR records. Entries in the in-addr.arpa domain are made in
+least-to-most significant order, read left to right. This is the
+opposite order to the way IP addresses are usually written. Thus,
+a machine with an IP address of 10.1.2.3 would have a corresponding
+in-addr.arpa name of
+3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+whose data field is the name of the machine or, optionally, multiple
+PTR records if the machine has more than one name. For example,
+in the <optional>example.com</optional> domain:</para>
+<informaltable colsep = "0" rowsep = "0">
+<tgroup cols = "2" colsep = "0" rowsep = "0"
+ tgroupstyle = "3Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.125in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.000in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>$ORIGIN</literal></para></entry>
+<entry colname = "2"><para><literal>2.1.10.in-addr.arpa</literal></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para><literal>3</literal></para></entry>
+<entry colname = "2"><para><literal>IN PTR foo.example.com.</literal></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+ <note>
+<para>The <command>$ORIGIN</command> lines in the examples
+are for providing context to the examples only-they do not necessarily
+appear in the actual usage. They are only used here to indicate
+that the example is relative to the listed origin.</para></note></sect2>
+<sect2><title>Other Zone File Directives</title>
+<para>The Master File Format was initially defined in RFC 1035 and
+has subsequently been extended. While the Master File Format itself
+is class independent all records in a Master File must be of the same
+class.</para>
+<para>Master File Directives include <command>$ORIGIN</command>, <command>$INCLUDE</command>,
+and <command>$TTL.</command></para>
+<sect3><title>The <command>$ORIGIN</command> Directive</title>
+<para>Syntax: <command>$ORIGIN
+</command><replaceable>domain-name</replaceable> <optional> <replaceable>comment</replaceable></optional></para>
+<para><command>$ORIGIN</command> sets the domain name that will
+be appended to any unqualified records. When a zone is first read
+in there is an implicit <command>$ORIGIN</command> &#60;<varname>zone-name</varname>><command>.</command> The
+current <command>$ORIGIN</command> is appended to the domain specified
+in the <command>$ORIGIN</command> argument if it is not absolute.</para>
+<programlisting><literal>$ORIGIN example.com.
+WWW CNAME MAIN-SERVER</literal></programlisting>
+<para>is equivalent to</para>
+<programlisting><literal>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</literal></programlisting></sect3>
+<sect3><title>The <command>$INCLUDE</command> Directive</title>
+<para>Syntax: <command>$INCLUDE</command>
+<replaceable>filename</replaceable> <optional>
+<replaceable>origin</replaceable> </optional> <optional> <replaceable>comment</replaceable> </optional></para>
+<para>Read and process the file <filename>filename</filename> as
+if it were included into the file at this point. If <command>origin</command> is
+specified the file is processed with <command>$ORIGIN</command> set
+to that value, otherwise the current <command>$ORIGIN</command> is
+used.</para>
+<para>The origin and the current domain name
+revert to the values they had prior to the <command>$INCLUDE</command> once
+the file has been read.</para>
+<note><para>
+RFC 1035 specifies that the current origin should be restored after
+an <command>$INCLUDE</command>, but it is silent on whether the current
+domain name should also be restored. BIND 9 restores both of them.
+This could be construed as a deviation from RFC 1035, a feature, or both.
+</para></note>
+</sect3>
+<sect3><title>The <command>$TTL</command> Directive</title>
+<para>Syntax: <command>$TTL</command>
+<replaceable>default-ttl</replaceable> <optional>
+<replaceable>comment</replaceable> </optional></para>
+<para>Set the default Time To Live (TTL) for subsequent records
+with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</para>
+<para><command>$TTL</command> is defined in RFC 2308.</para></sect3></sect2>
+<sect2><title><acronym>BIND</acronym> Master File Extension: the <command>$GENERATE</command> Directive</title>
+ <para>Syntax: <command>$GENERATE</command> <replaceable>range</replaceable> <replaceable>lhs</replaceable> <optional><replaceable>ttl</replaceable></optional> <optional><replaceable>class</replaceable></optional> <replaceable>type</replaceable> <replaceable>rhs</replaceable> <optional> <replaceable>comment</replaceable> </optional></para>
+<para><command>$GENERATE</command> is used to create a series of
+resource records that only differ from each other by an iterator. <command>$GENERATE</command> can
+be used to easily generate the sets of records required to support
+sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
+delegation.</para>
+<programlisting><literal>$ORIGIN 0.0.192.IN-ADDR.ARPA.
+$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-127 $ CNAME $.0</literal></programlisting>
+<para>is equivalent to</para>
+<programlisting><literal>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
+0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
+1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
+2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
+...
+127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
+</literal></programlisting>
+ <informaltable colsep = "0" rowsep = "0">
+ <tgroup cols = "2" colsep = "0" rowsep = "0" tgroupstyle = "3Level-table">
+ <colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.875in"/>
+ <colspec colname = "2" colnum = "2" colsep = "0" colwidth = "4.250in"/>
+ <tbody>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>range</command></para></entry>
+ <entry colname = "2"><para>This can be one of two forms: start-stop
+or start-stop/step. If the first form is used then step is set to
+ 1. All of start, stop and step must be positive.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>lhs</command></para></entry>
+ <entry colname = "2"><para><command>lhs</command> describes the
+owner name of the resource records to be created. Any single <command>$</command> symbols
+within the <command>lhs</command> side are replaced by the iterator
+value.
+To get a $ in the output you need to escape the <command>$</command>
+using a backslash <command>\</command>,
+e.g. <command>\$</command>. The <command>$</command> may optionally be followed
+by modifiers which change the offset from the iterator, field width and base.
+Modifiers are introduced by a <command>{</command> immediately following the
+<command>$</command> as <command>${offset[,width[,base]]}</command>.
+e.g. <command>${-20,3,d}</command> which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of with 3. Available
+output forms are decimal (<command>d</command>), octal (<command>o</command>)
+and hexadecimal (<command>x</command> or <command>X</command> for uppercase).
+The default modifier is <command>${0,0,d}</command>.
+If the <command>lhs</command> is not
+absolute, the current <command>$ORIGIN</command> is appended to
+the name.</para>
+<para>For compatibility with earlier versions <command>$$</command> is still
+recognized a indicating a literal $ in the output.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>ttl</command></para></entry>
+ <entry colname = "2"><para><command>ttl</command> specifies the
+ ttl of the generated records. If not specified this will be
+ inherited using the normal ttl inheritance rules.</para>
+ <para><command>class</command> and <command>ttl</command> can be
+ entered in either order.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>class</command></para></entry>
+ <entry colname = "2"><para><command>class</command> specifies the
+ class of the generated records. This must match the zone class if
+ it is specified.</para>
+ <para><command>class</command> and <command>ttl</command> can be
+ entered in either order.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>type</command></para></entry>
+ <entry colname = "2"><para>At present the only supported types are
+PTR, CNAME, DNAME, A, AAAA and NS.</para></entry>
+ </row>
+ <row rowsep = "0">
+ <entry colname = "1"><para><command>rhs</command></para></entry>
+ <entry colname = "2"><para>rhs is a domain name. It is processed
+similarly to lhs.</para></entry>
+ </row>
+ </tbody>
+ </tgroup></informaltable>
+ <para>The <command>$GENERATE</command> directive is a <acronym>BIND</acronym> extension
+and not part of the standard zone file format.</para>
+ <para>BIND 8 does not support the optional TTL and CLASS fields.</para>
+ </sect2>
+ </sect1>
+</chapter>
+<chapter id="ch07"><title><acronym>BIND</acronym> 9 Security Considerations</title>
+<sect1 id="Access_Control_Lists"><title>Access Control Lists</title>
+<para>Access Control Lists (ACLs), are address match lists that
+you can set up and nickname for future use in <command>allow-notify</command>,
+<command>allow-query</command>, <command>allow-recursion</command>,
+<command>blackhole</command>, <command>allow-transfer</command>,
+etc.</para>
+<para>Using ACLs allows you to have finer control over who can access
+your name server, without cluttering up your config files with huge
+lists of IP addresses.</para>
+<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
+control access to your server. Limiting access to your server by
+outside parties can help prevent spoofing and DoS attacks against
+your server.</para>
+<para>Here is an example of how to properly apply ACLs:</para>
+<programlisting>
+// Set up an ACL named "bogusnets" that will block RFC1918 space,
+// which is commonly used in spoofing attacks.
+acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL called our-nets. Replace this with the real IP numbers.
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+options {
+ ...
+ ...
+ allow-query { our-nets; };
+ allow-recursion { our-nets; };
+ ...
+ blackhole { bogusnets; };
+ ...
+};
+zone "example.com" {
+ type master;
+ file "m/example.com";
+ allow-query { any; };
+};
+</programlisting>
+<para>This allows recursive queries of the server from the outside
+unless recursion has been previously disabled.</para>
+<para>For more information on how to use ACLs to protect your server,
+see the <emphasis>AUSCERT</emphasis> advisory at
+<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
+<sect1><title><command>chroot</command> and <command>setuid</command> (for
+UNIX servers)</title>
+<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
+(<command>chroot()</command>) by specifying the "<option>-t</option>"
+option. This can help improve system security by placing <acronym>BIND</acronym> in
+a "sandbox", which will limit the damage done if a server is compromised.</para>
+<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
+ability to run the daemon as an unprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
+We suggest running as an unprivileged user when using the <command>chroot</command> feature.</para>
+<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
+<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
+user 202:</para>
+<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
+
+<sect2><title>The <command>chroot</command> Environment</title>
+
+<para>In order for a <command>chroot()</command> environment to
+work properly in a particular directory
+(for example, <filename>/var/named</filename>),
+you will need to set up an environment that includes everything
+<acronym>BIND</acronym> needs to run.
+From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
+the root of the filesystem. You will need to adjust the values of options like
+like <command>directory</command> and <command>pid-file</command> to account
+for this.
+</para>
+<para>
+Unlike with earlier versions of BIND, you will typically
+<emphasis>not</emphasis> need to compile <command>named</command>
+statically nor install shared libraries under the new root.
+However, depending on your operating system, you may need
+to set up things like
+<filename>/dev/zero</filename>,
+<filename>/dev/random</filename>,
+<filename>/dev/log</filename>, and/or
+<filename>/etc/localtime</filename>.
+</para>
+</sect2>
+
+<sect2><title>Using the <command>setuid</command> Function</title>
+
+<para>Prior to running the <command>named</command> daemon, use
+the <command>touch</command> utility (to change file access and
+modification times) or the <command>chown</command> utility (to
+set the user id and/or group id) on files
+to which you want <acronym>BIND</acronym>
+to write. Note that if the <command>named</command> daemon is running as an
+unprivileged user, it will not be able to bind to new restricted ports if the
+server is reloaded.</para>
+</sect2>
+</sect1>
+
+<sect1 id="dynamic_update_security"><title>Dynamic Update Security</title>
+
+<para>Access to the dynamic
+update facility should be strictly limited. In earlier versions of
+<acronym>BIND</acronym> the only way to do this was based on the IP
+address of the host requesting the update, by listing an IP address or
+network prefix in the <command>allow-update</command> zone option.
+This method is insecure since the source address of the update UDP packet
+is easily forged. Also note that if the IP addresses allowed by the
+<command>allow-update</command> option include the address of a slave
+server which performs forwarding of dynamic updates, the master can be
+trivially attacked by sending the update to the slave, which will
+forward it to the master with its own source IP address causing the
+master to approve it without question.</para>
+
+<para>For these reasons, we strongly recommend that updates be
+cryptographically authenticated by means of transaction signatures
+(TSIG). That is, the <command>allow-update</command> option should
+list only TSIG key names, not IP addresses or network
+prefixes. Alternatively, the new <command>update-policy</command>
+option can be used.</para>
+
+<para>Some sites choose to keep all dynamically updated DNS data
+in a subdomain and delegate that subdomain to a separate zone. This
+way, the top-level zone containing critical data such as the IP addresses
+of public web and mail servers need not allow dynamic update at
+all.</para>
+
+</sect1></chapter>
+
+<chapter id="ch08">
+ <title>Troubleshooting</title>
+ <sect1>
+ <title>Common Problems</title>
+ <sect2>
+ <title>It's not working; how can I figure out what's wrong?</title>
+
+ <para>The best solution to solving installation and
+ configuration issues is to take preventative measures by setting
+ up logging files beforehand. The log files provide a
+ source of hints and information that can be used to figure out
+ what went wrong and how to fix the problem.</para>
+
+ </sect2>
+ </sect1>
+ <sect1>
+ <title>Incrementing and Changing the Serial Number</title>
+
+ <para>Zone serial numbers are just numbers-they aren't date
+ related. A lot of people set them to a number that represents a
+ date, usually of the form YYYYMMDDRR. A number of people have been
+ testing these numbers for Y2K compliance and have set the number
+ to the year 2000 to see if it will work. They then try to restore
+ the old serial number. This will cause problems because serial
+ numbers are used to indicate that a zone has been updated. If the
+ serial number on the slave server is lower than the serial number
+ on the master, the slave server will attempt to update its copy of
+ the zone.</para>
+
+ <para>Setting the serial number to a lower number on the master
+ server than the slave server means that the slave will not perform
+ updates to its copy of the zone.</para>
+
+ <para>The solution to this is to add 2147483647 (2^31-1) to the
+ number, reload the zone and make sure all slaves have updated to
+ the new zone serial number, then reset the number to what you want
+ it to be, and reload the zone again.</para>
+
+ </sect1>
+ <sect1>
+ <title>Where Can I Get Help?</title>
+
+ <para>The Internet Software Consortium (<acronym>ISC</acronym>) offers a wide range
+ of support and service agreements for <acronym>BIND</acronym> and <acronym>DHCP</acronym> servers. Four
+ levels of premium support are available and each level includes
+ support for all <acronym>ISC</acronym> programs, significant discounts on products
+ and training, and a recognized priority on bug fixes and
+ non-funded feature requests. In addition, <acronym>ISC</acronym> offers a standard
+ support agreement package which includes services ranging from bug
+ fix announcements to remote support. It also includes training in
+ <acronym>BIND</acronym> and <acronym>DHCP</acronym>.</para>
+
+ <para>To discuss arrangements for support, contact
+ <ulink url="mailto:info@isc.org">info@isc.org</ulink> or visit the
+ <acronym>ISC</acronym> web page at <ulink
+ url="http://www.isc.org/services/support/">http://www.isc.org/services/support/</ulink>
+ to read more.</para>
+ </sect1>
+</chapter>
+<appendix id="ch09">
+ <title>Appendices</title>
+ <sect1>
+ <title>Acknowledgments</title>
+ <sect2>
+ <title>A Brief History of the <acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+
+ <para>Although the "official" beginning of the Domain Name
+ System occurred in 1984 with the publication of RFC 920, the
+ core of the new system was described in 1983 in RFCs 882 and
+ 883. From 1984 to 1987, the ARPAnet (the precursor to today's
+ Internet) became a testbed of experimentation for developing the
+ new naming/addressing scheme in an rapidly expanding,
+ operational network environment. New RFCs were written and
+ published in 1987 that modified the original documents to
+ incorporate improvements based on the working model. RFC 1034,
+ "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+ Names-Implementation and Specification" were published and
+ became the standards upon which all <acronym>DNS</acronym> implementations are
+ built.
+</para>
+
+ <para>The first working domain name server, called "Jeeves", was
+written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
+machines located at the University of Southern California's Information
+Sciences Institute (USC-ISI) and SRI International's Network Information
+Center (SRI-NIC). A <acronym>DNS</acronym> server for Unix machines, the Berkeley Internet
+Name Domain (<acronym>BIND</acronym>) package, was written soon after by a group of
+graduate students at the University of California at Berkeley under
+a grant from the US Defense Advanced Research Projects Administration
+(DARPA). Versions of <acronym>BIND</acronym> through 4.8.3 were maintained by the Computer
+Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+Painter, David Riggle and Songnian Zhou made up the initial <acronym>BIND</acronym>
+project team. After that, additional work on the software package
+was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
+employee on loan to the CSRG, worked on <acronym>BIND</acronym> for 2 years, from 1985
+to 1987. Many other people also contributed to <acronym>BIND</acronym> development
+during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
+Mike Muuss, Jim Bloom and Mike Schwartz. <acronym>BIND</acronym> maintenance was subsequently
+handled by Mike Karels and O. Kure.</para>
+ <para><acronym>BIND</acronym> versions 4.9 and 4.9.1 were released by Digital Equipment
+Corporation (now Compaq Computer Corporation). Paul Vixie, then
+a DEC employee, became <acronym>BIND</acronym>'s primary caretaker. Paul was assisted
+by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
+Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+Wolfhugel, and others.</para>
+ <para><acronym>BIND</acronym> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+Vixie became <acronym>BIND</acronym>'s principal architect/programmer.</para>
+ <para><acronym>BIND</acronym> versions from 4.9.3 onward have been developed and maintained
+by the Internet Software Consortium with support being provided
+by ISC's sponsors. As co-architects/programmers, Bob Halley and
+Paul Vixie released the first production-ready version of <acronym>BIND</acronym> version
+8 in May 1997.</para>
+ <para><acronym>BIND</acronym> development work is made possible today by the sponsorship
+of several corporations, and by the tireless work efforts of numerous
+individuals.</para>
+ </sect2>
+ </sect1>
+<sect1 id="historical_dns_information">
+
+<title>General <acronym>DNS</acronym> Reference Information</title>
+ <sect2 id="ipv6addresses">
+ <title>IPv6 addresses (AAAA)</title>
+ <para>IPv6 addresses are 128-bit identifiers for interfaces and
+sets of interfaces which were introduced in the <acronym>DNS</acronym> to facilitate
+scalable Internet routing. There are three types of addresses: <emphasis>Unicast</emphasis>,
+an identifier for a single interface; <emphasis>Anycast</emphasis>,
+an identifier for a set of interfaces; and <emphasis>Multicast</emphasis>,
+an identifier for a set of interfaces. Here we describe the global
+Unicast address scheme. For more information, see RFC 2374.</para>
+<para>The aggregatable global Unicast address format is as follows:</para>
+<informaltable colsep = "0" rowsep = "0"><tgroup cols = "6"
+ colsep = "0" rowsep = "0" tgroupstyle = "1Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "0.477in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.501in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "0.523in"/>
+<colspec colname = "4" colnum = "4" colsep = "0" colwidth = "0.731in"/>
+<colspec colname = "5" colnum = "5" colsep = "0" colwidth = "1.339in"/>
+<colspec colname = "6" colnum = "6" colsep = "0" colwidth = "2.529in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1" colsep = "1" rowsep = "1"><para>3</para></entry>
+<entry colname = "2" colsep = "1" rowsep = "1"><para>13</para></entry>
+<entry colname = "3" colsep = "1" rowsep = "1"><para>8</para></entry>
+<entry colname = "4" colsep = "1" rowsep = "1"><para>24</para></entry>
+<entry colname = "5" colsep = "1" rowsep = "1"><para>16</para></entry>
+<entry colname = "6" rowsep = "1"><para>64 bits</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1" colsep = "1"><para>FP</para></entry>
+<entry colname = "2" colsep = "1"><para>TLA ID</para></entry>
+<entry colname = "3" colsep = "1"><para>RES</para></entry>
+<entry colname = "4" colsep = "1"><para>NLA ID</para></entry>
+<entry colname = "5" colsep = "1"><para>SLA ID</para></entry>
+<entry colname = "6"><para>Interface ID</para></entry>
+</row>
+<row rowsep = "0">
+<entry nameend = "4" namest = "1"><para>&#60;------ Public Topology
+------></para></entry>
+<entry colname = "5"><para></para></entry>
+<entry colname = "6"><para></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para></para></entry>
+<entry colname = "3"><para></para></entry>
+<entry colname = "4"><para></para></entry>
+<entry colname = "5"><para>&#60;-Site Topology-></para></entry>
+<entry colname = "6"><para></para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para></para></entry>
+<entry colname = "2"><para></para></entry>
+<entry colname = "3"><para></para></entry>
+<entry colname = "4"><para></para></entry>
+<entry colname = "5"><para></para></entry>
+<entry colname = "6"><para>&#60;------ Interface Identifier ------></para></entry>
+</row>
+</tbody>
+</tgroup></informaltable>
+ <para>Where
+<informaltable colsep = "0" rowsep = "0"><tgroup
+ cols = "3" colsep = "0" rowsep = "0" tgroupstyle = "2Level-table">
+<colspec colname = "1" colnum = "1" colsep = "0" colwidth = "1.375in"/>
+<colspec colname = "2" colnum = "2" colsep = "0" colwidth = "0.250in"/>
+<colspec colname = "3" colnum = "3" colsep = "0" colwidth = "3.500in"/>
+<tbody>
+<row rowsep = "0">
+<entry colname = "1"><para>FP</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Format Prefix (001)</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>TLA ID</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Top-Level Aggregation Identifier</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>RES</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Reserved for future use</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>NLA ID</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Next-Level Aggregation Identifier</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>SLA ID</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Site-Level Aggregation Identifier</para></entry>
+</row>
+<row rowsep = "0">
+<entry colname = "1"><para>INTERFACE ID</para></entry>
+<entry colname = "2"><para>=</para></entry>
+<entry colname = "3"><para>Interface Identifier</para></entry>
+</row>
+</tbody>
+</tgroup></informaltable></para>
+ <para>The <emphasis>Public Topology</emphasis> is provided by the
+upstream provider or ISP, and (roughly) corresponds to the IPv4 <emphasis>network</emphasis> section
+of the address range. The <emphasis>Site Topology</emphasis> is
+where you can subnet this space, much the same as subnetting an
+IPv4 /16 network into /24 subnets. The <emphasis>Interface Identifier</emphasis> is
+the address of an individual interface on a given network. (With
+IPv6, addresses belong to interfaces rather than machines.)</para>
+ <para>The subnetting capability of IPv6 is much more flexible than
+that of IPv4: subnetting can now be carried out on bit boundaries,
+in much the same way as Classless InterDomain Routing (CIDR).</para>
+<para>The Interface Identifier must be unique on that network. On
+ethernet networks, one way to ensure this is to set the address
+to the first three bytes of the hardware address, "FFFE", then the
+last three bytes of the hardware address. The lowest significant
+bit of the first byte should then be complemented. Addresses are
+written as 32-bit blocks separated with a colon, and leading zeros
+of a block may be omitted, for example:</para>
+<para><command>2001:db8:201:9:a00:20ff:fe81:2b32</command></para>
+<para>IPv6 address specifications are likely to contain long strings
+of zeros, so the architects have included a shorthand for specifying
+them. The double colon (`::') indicates the longest possible string
+of zeros that can fit, and can be used only once in an address.</para>
+ </sect2>
+ </sect1>
+ <sect1 id="bibliography">
+ <title>Bibliography (and Suggested Reading)</title>
+ <sect2 id="rfcs">
+ <title>Request for Comments (RFCs)</title>
+ <para>Specification documents for the Internet protocol suite, including
+the <acronym>DNS</acronym>, are published as part of the Request for Comments (RFCs)
+series of technical notes. The standards themselves are defined
+by the Internet Engineering Task Force (IETF) and the Internet Engineering
+Steering Group (IESG). RFCs can be obtained online via FTP at
+<ulink url="ftp://www.isi.edu/in-notes/">ftp://www.isi.edu/in-notes/RFC<replaceable>xxx</replaceable>.txt</ulink> (where <replaceable>xxx</replaceable> is
+the number of the RFC). RFCs are also available via the Web at
+<ulink url="http://www.ietf.org/rfc/">http://www.ietf.org/rfc/</ulink>.
+</para>
+ <bibliography>
+ <bibliodiv>
+ <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+ <title>Standards</title>
+ <biblioentry>
+ <abbrev>RFC974</abbrev>
+ <author>
+ <surname>Partridge</surname>
+ <firstname>C.</firstname>
+ </author>
+ <title>Mail Routing and the Domain System</title>
+ <pubdate>January 1986</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1034</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P.V.</firstname>
+ </author>
+ <title>Domain Names &mdash; Concepts and Facilities</title>
+ <pubdate>November 1987</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1035</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P. V.</firstname>
+ </author> <title>Domain Names &mdash; Implementation and
+Specification</title>
+ <pubdate>November 1987</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv id="proposed_standards" xreflabel="Proposed Standards">
+
+ <title>Proposed Standards</title>
+ <!-- one of (BIBLIOENTRY BIBLIOMIXED) -->
+ <biblioentry>
+ <abbrev>RFC2181</abbrev>
+ <author>
+ <surname>Elz</surname>
+ <firstname>R., R. Bush</firstname>
+ </author>
+ <title>Clarifications to the <acronym>DNS</acronym> Specification</title>
+ <pubdate>July 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2308</abbrev>
+ <author>
+ <surname>Andrews</surname>
+ <firstname>M.</firstname>
+ </author>
+ <title>Negative Caching of <acronym>DNS</acronym> Queries</title>
+ <pubdate>March 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1995</abbrev>
+ <author>
+ <surname>Ohta</surname>
+ <firstname>M.</firstname>
+ </author>
+ <title>Incremental Zone Transfer in <acronym>DNS</acronym></title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1996</abbrev>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <title>A Mechanism for Prompt Notification of Zone Changes</title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2136</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Thomson</surname>
+ </author>
+ <author>
+ <firstname>Y.</firstname>
+ <surname>Rekhter</surname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Bound</surname>
+ </author>
+ </authorgroup>
+ <title>Dynamic Updates in the Domain Name System</title>
+ <pubdate>April 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2845</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Vixie</surname>
+ <firstname>P.</firstname>
+ </author>
+ <author>
+ <firstname>O.</firstname>
+ <surname>Gudmundsson</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage></author>
+ <author>
+ <firstname>B.</firstname>
+ <surname>Wellington</surname>
+ </author></authorgroup>
+ <title>Secret Key Transaction Authentication for <acronym>DNS</acronym> (TSIG)</title>
+ <pubdate>May 2000</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Proposed Standards Still Under Development</title>
+ <note>
+ <para><emphasis>Note:</emphasis> the following list of
+RFCs are undergoing major revision by the IETF.</para>
+ </note>
+ <biblioentry>
+ <abbrev>RFC1886</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Thomson</surname>
+ <firstname>S.</firstname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Huitema</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> Extensions to support IP version 6</title>
+ <pubdate>December 1995</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2065</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ <firstname>D.</firstname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Kaufman</surname>
+ </author>
+ </authorgroup>
+ <title>Domain Name System Security Extensions</title>
+ <pubdate>January 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2137</abbrev>
+ <author>
+ <surname>Eastlake</surname>
+ <lineage>3rd</lineage>
+ <firstname>D.</firstname>
+ </author>
+ <title>Secure Domain Name System Dynamic Update</title>
+ <pubdate>April 1997</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Other Important RFCs About <acronym>DNS</acronym> Implementation</title>
+ <biblioentry>
+ <abbrev>RFC1535</abbrev>
+ <author>
+ <surname>Gavron</surname>
+ <firstname>E.</firstname>
+ </author>
+ <title>A Security Problem and Proposed Correction With Widely Deployed <acronym>DNS</acronym> Software.</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1536</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Kumar</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <firstname>J.</firstname>
+ <surname>Postel</surname>
+ </author>
+ <author>
+ <firstname>C.</firstname>
+ <surname>Neuman</surname></author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Danzig</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Miller</surname>
+ </author>
+ </authorgroup>
+ <title>Common <acronym>DNS</acronym> Implementation Errors and Suggested Fixes</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1982</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Elz</surname>
+ <firstname>R.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Bush</surname>
+ </author>
+ </authorgroup>
+ <title>Serial Number Arithmetic</title>
+ <pubdate>August 1996</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Resource Record Types</title>
+ <biblioentry>
+ <abbrev>RFC1183</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Everhart</surname>
+ <firstname>C.F.</firstname>
+ </author>
+ <author>
+ <firstname>L. A.</firstname>
+ <surname>Mamakos</surname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Ullmann</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Mockapetris</surname>
+ </author>
+ </authorgroup>
+ <title>New <acronym>DNS</acronym> RR Definitions</title>
+ <pubdate>October 1990</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1706</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Manning</surname>
+ <firstname>B.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Colella</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> NSAP Resource Records</title>
+ <pubdate>October 1994</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2168</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Daniel</surname>
+ <firstname>R.</firstname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Mealling</surname>
+ </author>
+ </authorgroup>
+ <title>Resolution of Uniform Resource Identifiers using
+the Domain Name System</title>
+ <pubdate>June 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1876</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Davis</surname>
+ <firstname>C.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ <author>
+ <firstname>T.</firstname>
+ <firstname>Goodwin</firstname>
+ </author>
+ <author>
+ <firstname>I.</firstname>
+ <surname>Dickinson</surname>
+ </author>
+ </authorgroup>
+ <title>A Means for Expressing Location Information in the Domain
+Name System</title>
+ <pubdate>January 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2052</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Gulbrandsen</surname>
+ <firstname>A.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>A <acronym>DNS</acronym> RR for Specifying the Location of
+Services.</title>
+ <pubdate>October 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2163</abbrev>
+ <author>
+ <surname>Allocchio</surname>
+ <firstname>A.</firstname>
+ </author>
+ <title>Using the Internet <acronym>DNS</acronym> to Distribute MIXER
+Conformant Global Address Mapping</title>
+ <pubdate>January 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2230</abbrev>
+ <author>
+ <surname>Atkinson</surname>
+ <firstname>R.</firstname>
+ </author>
+ <title>Key Exchange Delegation Record for the <acronym>DNS</acronym></title>
+ <pubdate>October 1997</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title><acronym>DNS</acronym> and the Internet</title>
+ <biblioentry>
+ <abbrev>RFC1101</abbrev>
+ <author>
+ <surname>Mockapetris</surname>
+ <firstname>P. V.</firstname>
+ </author>
+ <title><acronym>DNS</acronym> Encoding of Network Names and Other Types</title>
+ <pubdate>April 1989</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1123</abbrev>
+ <author>
+ <surname>Braden</surname>
+ <surname>R.</surname>
+ </author>
+ <title>Requirements for Internet Hosts - Application and Support</title>
+ <pubdate>October 1989</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1591</abbrev>
+ <author>
+ <surname>Postel</surname>
+ <firstname>J.</firstname></author>
+ <title>Domain Name System Structure and Delegation</title>
+ <pubdate>March 1994</pubdate></biblioentry>
+ <biblioentry>
+ <abbrev>RFC2317</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Eidnes</surname>
+ <firstname>H.</firstname>
+ </author>
+ <author>
+ <firstname>G.</firstname>
+ <surname>de Groot</surname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>Classless IN-ADDR.ARPA Delegation</title>
+ <pubdate>March 1998</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title><acronym>DNS</acronym> Operations</title>
+ <biblioentry>
+ <abbrev>RFC1537</abbrev>
+ <author>
+ <surname>Beertema</surname>
+ <firstname>P.</firstname>
+ </author>
+ <title>Common <acronym>DNS</acronym> Data File Configuration Errors</title>
+ <pubdate>October 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1912</abbrev>
+ <author>
+ <surname>Barr</surname>
+ <firstname>D.</firstname>
+ </author>
+ <title>Common <acronym>DNS</acronym> Operational and Configuration Errors</title>
+ <pubdate>February 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2010</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Manning</surname>
+ <firstname>B.</firstname>
+ </author>
+ <author>
+ <firstname>P.</firstname>
+ <surname>Vixie</surname>
+ </author>
+ </authorgroup>
+ <title>Operational Criteria for Root Name Servers.</title>
+ <pubdate>October 1996</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2219</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Hamilton</surname>
+ <firstname>M.</firstname>
+ </author>
+ <author>
+ <firstname>R.</firstname>
+ <surname>Wright</surname>
+ </author>
+ </authorgroup>
+ <title>Use of <acronym>DNS</acronym> Aliases for Network Services.</title>
+ <pubdate>October 1997</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Other <acronym>DNS</acronym>-related RFCs</title>
+ <note>
+ <para>Note: the following list of RFCs, although
+<acronym>DNS</acronym>-related, are not concerned with implementing software.</para>
+ </note>
+ <biblioentry>
+ <abbrev>RFC1464</abbrev>
+ <author>
+ <surname>Rosenbaum</surname>
+ <firstname>R.</firstname>
+ </author>
+ <title>Using the Domain Name System To Store Arbitrary String Attributes</title>
+ <pubdate>May 1993</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC1713</abbrev>
+ <author>
+ <surname>Romao</surname>
+ <firstname>A.</firstname>
+ </author>
+ <title>Tools for <acronym>DNS</acronym> Debugging</title>
+ <pubdate>November 1994</pubdate></biblioentry>
+ <biblioentry>
+ <abbrev>RFC1794</abbrev>
+ <author>
+ <surname>Brisco</surname>
+ <firstname>T.</firstname>
+ </author>
+ <title><acronym>DNS</acronym> Support for Load Balancing</title>
+ <pubdate>April 1995</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2240</abbrev>
+ <author>
+ <surname>Vaughan</surname>
+ <firstname>O.</firstname></author>
+ <title>A Legal Basis for Domain Name Allocation</title>
+ <pubdate>November 1997</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2345</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Klensin</surname>
+ <firstname>J.</firstname>
+ </author>
+ <author>
+ <firstname>T.</firstname>
+ <surname>Wolf</surname>
+ </author>
+ <author>
+ <firstname>G.</firstname>
+ <surname>Oglesby</surname>
+ </author>
+ </authorgroup>
+ <title>Domain Names and Company Name Retrieval</title>
+ <pubdate>May 1998</pubdate>
+ </biblioentry>
+ <biblioentry>
+ <abbrev>RFC2352</abbrev>
+ <author>
+ <surname>Vaughan</surname>
+ <firstname>O.</firstname>
+ </author>
+ <title>A Convention For Using Legal Names as Domain Names</title>
+ <pubdate>May 1998</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ <bibliodiv>
+ <title>Obsolete and Unimplemented Experimental RRs</title>
+ <biblioentry>
+ <abbrev>RFC1712</abbrev>
+ <authorgroup>
+ <author>
+ <surname>Farrell</surname>
+ <firstname>C.</firstname>
+ </author>
+ <author>
+ <firstname>M.</firstname>
+ <surname>Schulze</surname>
+ </author>
+ <author>
+ <firstname>S.</firstname>
+ <surname>Pleitner</surname>
+ </author>
+ <author>
+ <firstname>D.</firstname>
+ <surname>Baldoni</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> Encoding of Geographical
+Location</title>
+ <pubdate>November 1994</pubdate>
+ </biblioentry>
+ </bibliodiv>
+ </bibliography>
+ </sect2>
+ <sect2 id="internet_drafts">
+ <title>Internet Drafts</title>
+ <para>Internet Drafts (IDs) are rough-draft working documents of
+the Internet Engineering Task Force. They are, in essence, RFCs
+in the preliminary stages of development. Implementors are cautioned not
+to regard IDs as archival, and they should not be quoted or cited
+in any formal documents unless accompanied by the disclaimer that
+they are "works in progress." IDs have a lifespan of six months
+after which they are deleted unless updated by their authors.
+</para>
+ </sect2>
+ <sect2>
+ <title>Other Documents About <acronym>BIND</acronym></title>
+ <para></para>
+ <bibliography>
+ <biblioentry>
+ <authorgroup>
+ <author>
+ <surname>Albitz</surname>
+ <firstname>Paul</firstname>
+ </author>
+ <author>
+ <firstname>Cricket</firstname>
+ <surname>Liu</surname>
+ </author>
+ </authorgroup>
+ <title><acronym>DNS</acronym> and <acronym>BIND</acronym></title>
+ <copyright>
+ <year>1998</year>
+ <holder>Sebastopol, CA: O'Reilly and Associates</holder>
+ </copyright>
+ </biblioentry>
+ </bibliography>
+ </sect2>
+ </sect1>
+
+</appendix>
+
+</book>
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch01.html b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
new file mode 100644
index 0000000..5b3659e
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch01.html
@@ -0,0 +1,1131 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Introduction </TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="NEXT"
+TITLE="BIND Resource Requirements"
+HREF="Bv9ARM.ch02.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch01"
+></A
+>Chapter 1. Introduction </H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1.1. <A
+HREF="Bv9ARM.ch01.html#AEN15"
+>Scope of Document</A
+></DT
+><DT
+>1.2. <A
+HREF="Bv9ARM.ch01.html#AEN22"
+>Organization of This Document</A
+></DT
+><DT
+>1.3. <A
+HREF="Bv9ARM.ch01.html#AEN42"
+>Conventions Used in This Document</A
+></DT
+><DT
+>1.4. <A
+HREF="Bv9ARM.ch01.html#AEN107"
+>The Domain Name System (<ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>)</A
+></DT
+></DL
+></DIV
+><P
+>The Internet Domain Name System (<ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>) consists of the syntax
+ to specify the names of entities in the Internet in a hierarchical
+ manner, the rules used for delegating authority over names, and the
+ system implementation that actually maps names to Internet
+ addresses. <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> data is maintained in a group of distributed
+ hierarchical databases.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN15"
+>1.1. Scope of Document</A
+></H1
+><P
+>The Berkeley Internet Name Domain (<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>) implements an
+ domain name server for a number of operating systems. This
+ document provides basic information about the installation and
+ care of the Internet Software Consortium (<ACRONYM
+CLASS="acronym"
+>ISC</ACRONYM
+>)
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> version 9 software package for system
+ administrators.</P
+><P
+>This version of the manual corresponds to BIND version 9.3.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN22"
+>1.2. Organization of This Document</A
+></H1
+><P
+>In this document, <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 1</I
+></SPAN
+> introduces
+ the basic <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> concepts. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 2</I
+></SPAN
+>
+ describes resource requirements for running <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> in various
+ environments. Information in <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 3</I
+></SPAN
+> is
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>task-oriented</I
+></SPAN
+> in its presentation and is
+ organized functionally, to aid in the process of installing the
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 software. The task-oriented section is followed by
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 4</I
+></SPAN
+>, which contains more advanced
+ concepts that the system administrator may need for implementing
+ certain options. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 5</I
+></SPAN
+>
+ describes the <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 lightweight
+ resolver. The contents of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 6</I
+></SPAN
+> are
+ organized as in a reference manual to aid in the ongoing
+ maintenance of the software. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 7
+ </I
+></SPAN
+>addresses security considerations, and
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Section 8</I
+></SPAN
+> contains troubleshooting help. The
+ main body of the document is followed by several
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Appendices</I
+></SPAN
+> which contain useful reference
+ information, such as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Bibliography</I
+></SPAN
+> and
+ historic information related to <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> and the Domain Name
+ System.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN42"
+>1.3. Conventions Used in This Document</A
+></H1
+><P
+>In this document, we use the following general typographic
+ conventions:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN45"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+>&#13;<P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>To
+describe:</I
+></SPAN
+></P
+></TD
+><TD
+>&#13;<P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>We use the style:</I
+></SPAN
+></P
+></TD
+></TR
+><TR
+><TD
+>&#13;<P
+>a pathname, filename, URL, hostname,
+mailing list name, or new term or concept</P
+></TD
+><TD
+><P
+><TT
+CLASS="filename"
+>Fixed width</TT
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+>literal user
+input</P
+></TD
+><TD
+><P
+><KBD
+CLASS="userinput"
+>Fixed Width Bold</KBD
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+>program output</P
+></TD
+><TD
+><P
+><SAMP
+CLASS="computeroutput"
+>Fixed Width</SAMP
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following conventions are used in descriptions of the
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> configuration file:<DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN77"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>To
+describe:</I
+></SPAN
+></P
+></TD
+><TD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>We use the style:</I
+></SPAN
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+>keywords</P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>Fixed Width</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+>variables</P
+></TD
+><TD
+><P
+><VAR
+CLASS="varname"
+>Fixed Width</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+>Optional input</P
+></TD
+><TD
+><P
+>[<SPAN
+CLASS="optional"
+>Text is enclosed in square brackets</SPAN
+>]</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN107"
+>1.4. The Domain Name System (<ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>)</A
+></H1
+><P
+>The purpose of this document is to explain the installation
+and upkeep of the <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> software package, and we
+begin by reviewing the fundamentals of the Domain Name System
+(<ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>) as they relate to <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>.
+</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN114"
+>1.4.1. DNS Fundamentals</A
+></H2
+><P
+>The Domain Name System (DNS) is the hierarchical, distributed
+database. It stores information for mapping Internet host names to IP
+addresses and vice versa, mail routing information, and other data
+used by Internet applications.</P
+><P
+>Clients look up information in the DNS by calling a
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>resolver</I
+></SPAN
+> library, which sends queries to one or
+more <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>name servers</I
+></SPAN
+> and interprets the responses.
+The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 software distribution contains a
+name server, <B
+CLASS="command"
+>named</B
+>, and two resolver
+libraries, <B
+CLASS="command"
+>liblwres</B
+> and <B
+CLASS="command"
+>libbind</B
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN124"
+>1.4.2. Domains and Domain Names</A
+></H2
+><P
+>The data stored in the DNS is identified by <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain
+names</I
+></SPAN
+> that are organized as a tree according to
+organizational or administrative boundaries. Each node of the tree,
+called a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, is given a label. The domain name of the
+node is the concatenation of all the labels on the path from the
+node to the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>root</I
+></SPAN
+> node. This is represented
+in written form as a string of labels listed from right to left and
+separated by dots. A label need only be unique within its parent
+domain.</P
+><P
+>For example, a domain name for a host at the
+company <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+> could be
+<VAR
+CLASS="literal"
+>mail.example.com</VAR
+>,
+where <VAR
+CLASS="literal"
+>com</VAR
+> is the
+top level domain to which
+<VAR
+CLASS="literal"
+>ourhost.example.com</VAR
+> belongs,
+<VAR
+CLASS="literal"
+>example</VAR
+> is
+a subdomain of <VAR
+CLASS="literal"
+>com</VAR
+>, and
+<VAR
+CLASS="literal"
+>ourhost</VAR
+> is the
+name of the host.</P
+><P
+>For administrative purposes, the name space is partitioned into
+areas called <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zones</I
+></SPAN
+>, each starting at a node and
+extending down to the leaf nodes or to nodes where other zones start.
+The data for each zone is stored in a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>name
+server</I
+></SPAN
+>, which answers queries about the zone using the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>DNS protocol</I
+></SPAN
+>.
+</P
+><P
+>The data associated with each domain name is stored in the
+form of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>resource records</I
+></SPAN
+> (<ACRONYM
+CLASS="acronym"
+>RR</ACRONYM
+>s).
+Some of the supported resource record types are described in
+<A
+HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them"
+>Section 6.3.1</A
+>.</P
+><P
+>For more detailed information about the design of the DNS and
+the DNS protocol, please refer to the standards documents listed in
+<A
+HREF="Bv9ARM.ch09.html#rfcs"
+>Section A.3.1</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN148"
+>1.4.3. Zones</A
+></H2
+><P
+>To properly operate a name server, it is important to understand
+the difference between a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone</I
+></SPAN
+>
+and a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>.</P
+><P
+>As we stated previously, a zone is a point of delegation in
+the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> tree. A zone consists of
+those contiguous parts of the domain
+tree for which a name server has complete information and over which
+it has authority. It contains all domain names from a certain point
+downward in the domain tree except those which are delegated to
+other zones. A delegation point is marked by one or more
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>NS records</I
+></SPAN
+> in the
+parent zone, which should be matched by equivalent NS records at
+the root of the delegated zone.</P
+><P
+>For instance, consider the <VAR
+CLASS="literal"
+>example.com</VAR
+>
+domain which includes names
+such as <VAR
+CLASS="literal"
+>host.aaa.example.com</VAR
+> and
+<VAR
+CLASS="literal"
+>host.bbb.example.com</VAR
+> even though
+the <VAR
+CLASS="literal"
+>example.com</VAR
+> zone includes
+only delegations for the <VAR
+CLASS="literal"
+>aaa.example.com</VAR
+> and
+<VAR
+CLASS="literal"
+>bbb.example.com</VAR
+> zones. A zone can map
+exactly to a single domain, but could also include only part of a
+domain, the rest of which could be delegated to other
+name servers. Every name in the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> tree is a
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, even if it is
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>terminal</I
+></SPAN
+>, that is, has no
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>subdomains</I
+></SPAN
+>. Every subdomain is a domain and
+every domain except the root is also a subdomain. The terminology is
+not intuitive and we suggest that you read RFCs 1033, 1034 and 1035 to
+gain a complete understanding of this difficult and subtle
+topic.</P
+><P
+>Though <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> is called a "domain name server",
+it deals primarily in terms of zones. The master and slave
+declarations in the <TT
+CLASS="filename"
+>named.conf</TT
+> file specify
+zones, not domains. When you ask some other site if it is willing to
+be a slave server for your <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>domain</I
+></SPAN
+>, you are
+actually asking for slave service for some collection of zones.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN171"
+>1.4.4. Authoritative Name Servers</A
+></H2
+><P
+>Each zone is served by at least
+one <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>authoritative name server</I
+></SPAN
+>,
+which contains the complete data for the zone.
+To make the DNS tolerant of server and network failures,
+most zones have two or more authoritative servers.
+</P
+><P
+>Responses from authoritative servers have the "authoritative
+answer" (AA) bit set in the response packets. This makes them
+easy to identify when debugging DNS configurations using tools like
+<B
+CLASS="command"
+>dig</B
+> (<A
+HREF="Bv9ARM.ch03.html#diagnostic_tools"
+>Section 3.3.1.1</A
+>).</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN178"
+>1.4.4.1. The Primary Master</A
+></H3
+><P
+>&#13;The authoritative server where the master copy of the zone data is maintained is
+called the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>primary master</I
+></SPAN
+> server, or simply the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>primary</I
+></SPAN
+>. It loads the zone contents from some
+local file edited by humans or perhaps generated mechanically from
+some other local file which is edited by humans. This file is called
+the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone file</I
+></SPAN
+> or <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>master file</I
+></SPAN
+>.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN185"
+>1.4.4.2. Slave Servers</A
+></H3
+><P
+>The other authoritative servers, the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>slave</I
+></SPAN
+>
+servers (also known as <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>secondary</I
+></SPAN
+> servers) load
+the zone contents from another server using a replication process
+known as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>zone transfer</I
+></SPAN
+>. Typically the data are
+transferred directly from the primary master, but it is also possible
+to transfer it from another slave. In other words, a slave server
+may itself act as a master to a subordinate slave server.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN191"
+>1.4.4.3. Stealth Servers</A
+></H3
+><P
+>Usually all of the zone's authoritative servers are listed in
+NS records in the parent zone. These NS records constitute
+a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>delegation</I
+></SPAN
+> of the zone from the parent.
+The authoritative servers are also listed in the zone file itself,
+at the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>top level</I
+></SPAN
+> or <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>apex</I
+></SPAN
+>
+of the zone. You can list servers in the zone's top-level NS
+records that are not in the parent's NS delegation, but you cannot
+list servers in the parent's delegation that are not present at
+the zone's top level.</P
+><P
+>A <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>stealth server</I
+></SPAN
+> is a server that is
+authoritative for a zone but is not listed in that zone's NS
+records. Stealth servers can be used for keeping a local copy of a
+zone to speed up access to the zone's records or to make sure that the
+zone is available even if all the "official" servers for the zone are
+inaccessible.</P
+><P
+>A configuration where the primary master server itself is a
+stealth server is often referred to as a "hidden primary"
+configuration. One use for this configuration is when the primary master
+is behind a firewall and therefore unable to communicate directly
+with the outside world.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN200"
+>1.4.5. Caching Name Servers</A
+></H2
+><P
+>The resolver libraries provided by most operating systems are
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>stub resolvers</I
+></SPAN
+>, meaning that they are not capable of
+performing the full DNS resolution process by themselves by talking
+directly to the authoritative servers. Instead, they rely on a local
+name server to perform the resolution on their behalf. Such a server
+is called a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive</I
+></SPAN
+> name server; it performs
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive lookups</I
+></SPAN
+> for local clients.</P
+><P
+>To improve performance, recursive servers cache the results of
+the lookups they perform. Since the processes of recursion and
+caching are intimately connected, the terms
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>recursive server</I
+></SPAN
+> and
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>caching server</I
+></SPAN
+> are often used synonymously.</P
+><P
+>The length of time for which a record may be retained in
+in the cache of a caching name server is controlled by the
+Time To Live (TTL) field associated with each resource record.
+</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN210"
+>1.4.5.1. Forwarding</A
+></H3
+><P
+>Even a caching name server does not necessarily perform
+the complete recursive lookup itself. Instead, it can
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>forward</I
+></SPAN
+> some or all of the queries
+that it cannot satisfy from its cache to another caching name server,
+commonly referred to as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>forwarder</I
+></SPAN
+>.
+</P
+><P
+>There may be one or more forwarders,
+and they are queried in turn until the list is exhausted or an answer
+is found. Forwarders are typically used when you do not
+wish all the servers at a given site to interact directly with the rest of
+the Internet servers. A typical scenario would involve a number
+of internal <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> servers and an Internet firewall. Servers unable
+to pass packets through the firewall would forward to the server
+that can do it, and that server would query the Internet <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> servers
+on the internal server's behalf. An added benefit of using the forwarding
+feature is that the central machine develops a much more complete
+cache of information that all the clients can take advantage
+of.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN218"
+>1.4.6. Name Servers in Multiple Roles</A
+></H2
+><P
+>The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> name server can simultaneously act as
+a master for some zones, a slave for other zones, and as a caching
+(recursive) server for a set of local clients.</P
+><P
+>However, since the functions of authoritative name service
+and caching/recursive name service are logically separate, it is
+often advantageous to run them on separate server machines.
+
+A server that only provides authoritative name service
+(an <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>authoritative-only</I
+></SPAN
+> server) can run with
+recursion disabled, improving reliability and security.
+
+A server that is not authoritative for any zones and only provides
+recursive service to local
+clients (a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>caching-only</I
+></SPAN
+> server)
+does not need to be reachable from the Internet at large and can
+be placed inside a firewall.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>BIND 9 Administrator Reference Manual</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Resource Requirements</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch02.html b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
new file mode 100644
index 0000000..0b293c7
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch02.html
@@ -0,0 +1,284 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>BIND Resource Requirements</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Introduction "
+HREF="Bv9ARM.ch01.html"><LINK
+REL="NEXT"
+TITLE="Name Server Configuration"
+HREF="Bv9ARM.ch03.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch02"
+></A
+>Chapter 2. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Resource Requirements</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>2.1. <A
+HREF="Bv9ARM.ch02.html#AEN228"
+>Hardware requirements</A
+></DT
+><DT
+>2.2. <A
+HREF="Bv9ARM.ch02.html#AEN236"
+>CPU Requirements</A
+></DT
+><DT
+>2.3. <A
+HREF="Bv9ARM.ch02.html#AEN240"
+>Memory Requirements</A
+></DT
+><DT
+>2.4. <A
+HREF="Bv9ARM.ch02.html#AEN245"
+>Name Server Intensive Environment Issues</A
+></DT
+><DT
+>2.5. <A
+HREF="Bv9ARM.ch02.html#AEN248"
+>Supported Operating Systems</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN228"
+>2.1. Hardware requirements</A
+></H1
+><P
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> hardware requirements have traditionally been quite modest.
+For many installations, servers that have been pensioned off from
+active duty have performed admirably as <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> servers.</P
+><P
+>The DNSSEC and IPv6 features of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 may prove to be quite
+CPU intensive however, so organizations that make heavy use of these
+features may wish to consider larger systems for these applications.
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 is fully multithreaded, allowing full utilization of
+multiprocessor systems for installations that need it.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN236"
+>2.2. CPU Requirements</A
+></H1
+><P
+>CPU requirements for <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 range from i486-class machines
+for serving of static zones without caching, to enterprise-class
+machines if you intend to process many dynamic updates and DNSSEC
+signed zones, serving many thousands of queries per second.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN240"
+>2.3. Memory Requirements</A
+></H1
+><P
+>The memory of the server has to be large enough to fit the
+cache and zones loaded off disk. The <B
+CLASS="command"
+>max-cache-size</B
+>
+option can be used to limit the amount of memory used by the cache,
+at the expense of reducing cache hit rates and causing more <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>
+traffic. It is still good practice to have enough memory to load
+all zone and cache data into memory &#8212; unfortunately, the best way
+to determine this for a given installation is to watch the name server
+in operation. After a few weeks the server process should reach
+a relatively stable size where entries are expiring from the cache as
+fast as they are being inserted.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN245"
+>2.4. Name Server Intensive Environment Issues</A
+></H1
+><P
+>For name server intensive environments, there are two alternative
+configurations that may be used. The first is where clients and
+any second-level internal name servers query a main name server, which
+has enough memory to build a large cache. This approach minimizes
+the bandwidth used by external name lookups. The second alternative
+is to set up second-level internal name servers to make queries independently.
+In this configuration, none of the individual machines needs to
+have as much memory or CPU power as in the first alternative, but
+this has the disadvantage of making many more external queries,
+as none of the name servers share their cached data.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN248"
+>2.5. Supported Operating Systems</A
+></H1
+><P
+>ISC <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 compiles and runs on a large number
+of Unix-like operating system and on Windows NT / 2000. For an up-to-date
+list of supported systems, see the README file in the top level directory
+of the BIND 9 source distribution.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Introduction</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Name Server Configuration</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch03.html b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
new file mode 100644
index 0000000..204d64c
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch03.html
@@ -0,0 +1,1458 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Name Server Configuration</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND Resource Requirements"
+HREF="Bv9ARM.ch02.html"><LINK
+REL="NEXT"
+TITLE="Advanced DNS Features"
+HREF="Bv9ARM.ch04.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch03"
+></A
+>Chapter 3. Name Server Configuration</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>3.1. <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Sample Configurations</A
+></DT
+><DT
+>3.2. <A
+HREF="Bv9ARM.ch03.html#AEN268"
+>Load Balancing</A
+></DT
+><DT
+>3.3. <A
+HREF="Bv9ARM.ch03.html#AEN345"
+>Name Server Operations</A
+></DT
+></DL
+></DIV
+><P
+>In this section we provide some suggested configurations along
+with guidelines for their use. We also address the topic of reasonable
+option setting.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="sample_configuration"
+>3.1. Sample Configurations</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN257"
+>3.1.1. A Caching-only Name Server</A
+></H2
+><P
+>The following sample configuration is appropriate for a caching-only
+name server for use by clients internal to a corporation. All queries
+from outside clients are refused using the <B
+CLASS="command"
+>allow-query</B
+>
+option. Alternatively, the same effect could be achieved using suitable
+firewall rules.</P
+><PRE
+CLASS="programlisting"
+>&#13;// Two corporate subnets we wish to allow queries from.
+acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
+options {
+ directory "/etc/namedb"; // Working directory
+ allow-query { corpnets; };
+};
+// Provide a reverse mapping for the loopback address 127.0.0.1
+zone "0.0.127.in-addr.arpa" {
+ type master;
+ file "localhost.rev";
+ notify no;
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN262"
+>3.1.2. An Authoritative-only Name Server</A
+></H2
+><P
+>This sample configuration is for an authoritative-only server
+that is the master server for "<TT
+CLASS="filename"
+>example.com</TT
+>"
+and a slave for the subdomain "<TT
+CLASS="filename"
+>eng.example.com</TT
+>".</P
+><PRE
+CLASS="programlisting"
+>&#13;options {
+ directory "/etc/namedb"; // Working directory
+ allow-query { any; }; // This is the default
+ recursion no; // Do not provide recursive service
+};
+
+// Provide a reverse mapping for the loopback address 127.0.0.1
+zone "0.0.127.in-addr.arpa" {
+ type master;
+ file "localhost.rev";
+ notify no;
+};
+// We are the master server for example.com
+zone "example.com" {
+ type master;
+ file "example.com.db";
+ // IP addresses of slave servers allowed to transfer example.com
+ allow-transfer {
+ 192.168.4.14;
+ 192.168.5.53;
+ };
+};
+// We are a slave server for eng.example.com
+zone "eng.example.com" {
+ type slave;
+ file "eng.example.com.bk";
+ // IP address of eng.example.com master server
+ masters { 192.168.4.12; };
+};
+</PRE
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN268"
+>3.2. Load Balancing</A
+></H1
+><P
+>A primitive form of load balancing can be achieved in
+the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> by using multiple A records for one name.</P
+><P
+>For example, if you have three WWW servers with network addresses
+of 10.0.0.1, 10.0.0.2 and 10.0.0.3, a set of records such as the
+following means that clients will connect to each machine one third
+of the time:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN273"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>Name</P
+></TD
+><TD
+><P
+>TTL</P
+></TD
+><TD
+><P
+>CLASS</P
+></TD
+><TD
+><P
+>TYPE</P
+></TD
+><TD
+><P
+>Resource Record (RR) Data</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>www</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>600</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.1</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>600</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.2</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>600</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.3</VAR
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>When a resolver queries for these records, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> will rotate
+ them and respond to the query with the records in a different
+ order. In the example above, clients will randomly receive
+ records in the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Most clients
+ will use the first record returned and discard the rest.</P
+><P
+>For more detail on ordering responses, check the
+ <B
+CLASS="command"
+>rrset-order</B
+> substatement in the
+ <B
+CLASS="command"
+>options</B
+> statement, see
+ <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+><I
+>RRset Ordering</I
+></A
+>.
+ This substatement is not supported in
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, and only the ordering scheme described above is
+ available.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN345"
+>3.3. Name Server Operations</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN347"
+>3.3.1. Tools for Use With the Name Server Daemon</A
+></H2
+><P
+>There are several indispensable diagnostic, administrative
+and monitoring tools available to the system administrator for controlling
+and debugging the name server daemon. We describe several in this
+section </P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="diagnostic_tools"
+>3.3.1.1. Diagnostic Tools</A
+></H3
+><P
+>The <B
+CLASS="command"
+>dig</B
+>, <B
+CLASS="command"
+>host</B
+>, and
+<B
+CLASS="command"
+>nslookup</B
+> programs are all command line tools
+for manually querying name servers. They differ in style and
+output format.
+</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>dig</B
+></DT
+><DD
+><P
+>The domain information groper (<B
+CLASS="command"
+>dig</B
+>)
+is the most versatile and complete of these lookup tools.
+It has two modes: simple interactive
+mode for a single query, and batch mode which executes a query for
+each in a list of several query lines. All query options are accessible
+from the command line.</P
+><P
+><B
+CLASS="command"
+>dig</B
+> [@<VAR
+CLASS="replaceable"
+>server</VAR
+>] <VAR
+CLASS="replaceable"
+>domain</VAR
+> [<VAR
+CLASS="replaceable"
+>query-type</VAR
+>] [<VAR
+CLASS="replaceable"
+>query-class</VAR
+>] [+<VAR
+CLASS="replaceable"
+>query-option</VAR
+>] [-<VAR
+CLASS="replaceable"
+>dig-option</VAR
+>] [%<VAR
+CLASS="replaceable"
+>comment</VAR
+>]</P
+><P
+>The usual simple use of dig will take the form</P
+><P
+><B
+CLASS="command"
+>dig @server domain query-type query-class</B
+></P
+><P
+>For more information and a list of available commands and
+options, see the <B
+CLASS="command"
+>dig</B
+> man page.</P
+></DD
+><DT
+><B
+CLASS="command"
+>host</B
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>host</B
+> utility emphasizes simplicity
+and ease of use. By default, it converts
+between host names and Internet addresses, but its functionality
+can be extended with the use of options.</P
+><P
+><B
+CLASS="command"
+>host</B
+> [-aCdlrTwv] [-c <VAR
+CLASS="replaceable"
+>class</VAR
+>] [-N <VAR
+CLASS="replaceable"
+>ndots</VAR
+>] [-t <VAR
+CLASS="replaceable"
+>type</VAR
+>] [-W <VAR
+CLASS="replaceable"
+>timeout</VAR
+>] [-R <VAR
+CLASS="replaceable"
+>retries</VAR
+>] <VAR
+CLASS="replaceable"
+>hostname</VAR
+> [<VAR
+CLASS="replaceable"
+>server</VAR
+>]</P
+><P
+>For more information and a list of available commands and
+options, see the <B
+CLASS="command"
+>host</B
+> man page.</P
+></DD
+><DT
+><B
+CLASS="command"
+>nslookup</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>nslookup</B
+> has two modes: interactive
+and non-interactive. Interactive mode allows the user to query name servers
+for information about various hosts and domains or to print a list
+of hosts in a domain. Non-interactive mode is used to print just
+the name and requested information for a host or domain.</P
+><P
+><B
+CLASS="command"
+>nslookup</B
+> [-option...] [<VAR
+CLASS="replaceable"
+>host-to-find</VAR
+> | - [server]]</P
+><P
+>Interactive mode is entered when no arguments are given (the
+default name server will be used) or when the first argument is a
+hyphen (`-') and the second argument is the host name or Internet address
+of a name server.</P
+><P
+>Non-interactive mode is used when the name or Internet address
+of the host to be looked up is given as the first argument. The
+optional second argument specifies the host name or address of a name server.</P
+><P
+>Due to its arcane user interface and frequently inconsistent
+behavior, we do not recommend the use of <B
+CLASS="command"
+>nslookup</B
+>.
+Use <B
+CLASS="command"
+>dig</B
+> instead.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="admin_tools"
+>3.3.1.2. Administrative Tools</A
+></H3
+><P
+>Administrative tools play an integral part in the management
+of a server.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><A
+NAME="named-checkconf"
+></A
+><B
+CLASS="command"
+>named-checkconf</B
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>named-checkconf</B
+> program
+ checks the syntax of a <TT
+CLASS="filename"
+>named.conf</TT
+> file.</P
+><P
+><B
+CLASS="command"
+>named-checkconf</B
+> [-t <VAR
+CLASS="replaceable"
+>directory</VAR
+>] [<VAR
+CLASS="replaceable"
+>filename</VAR
+>]</P
+></DD
+><DT
+><A
+NAME="named-checkzone"
+></A
+><B
+CLASS="command"
+>named-checkzone</B
+></DT
+><DD
+><P
+>The <B
+CLASS="command"
+>named-checkzone</B
+> program checks a master file for
+ syntax and consistency.</P
+><P
+><B
+CLASS="command"
+>named-checkzone</B
+> [-dq] [-c <VAR
+CLASS="replaceable"
+>class</VAR
+>] <VAR
+CLASS="replaceable"
+>zone</VAR
+> [<VAR
+CLASS="replaceable"
+>filename</VAR
+>]</P
+></DD
+><DT
+><A
+NAME="rndc"
+></A
+><B
+CLASS="command"
+>rndc</B
+></DT
+><DD
+><P
+>The remote name daemon control
+ (<B
+CLASS="command"
+>rndc</B
+>) program allows the system
+ administrator to control the operation of a name server.
+ If you run <B
+CLASS="command"
+>rndc</B
+> without any options
+ it will display a usage message as follows:</P
+><P
+><B
+CLASS="command"
+>rndc</B
+> [-c <VAR
+CLASS="replaceable"
+>config</VAR
+>] [-s <VAR
+CLASS="replaceable"
+>server</VAR
+>] [-p <VAR
+CLASS="replaceable"
+>port</VAR
+>] [-y <VAR
+CLASS="replaceable"
+>key</VAR
+>] <VAR
+CLASS="replaceable"
+>command</VAR
+> [<VAR
+CLASS="replaceable"
+>command</VAR
+>...]</P
+><P
+><B
+CLASS="command"
+>command</B
+> is one of the following:</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><KBD
+CLASS="userinput"
+>reload</KBD
+></DT
+><DD
+><P
+>Reload configuration file and zones.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>reload <VAR
+CLASS="replaceable"
+>zone</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>view</VAR
+></SPAN
+>]</SPAN
+>]</KBD
+></DT
+><DD
+><P
+>Reload the given zone.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>refresh <VAR
+CLASS="replaceable"
+>zone</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>view</VAR
+></SPAN
+>]</SPAN
+>]</KBD
+></DT
+><DD
+><P
+>Schedule zone maintenance for the given zone.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>retransfer <VAR
+CLASS="replaceable"
+>zone</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>view</VAR
+></SPAN
+>]</SPAN
+>]</KBD
+></DT
+><DD
+><P
+>Retransfer the given zone from the master.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>freeze <VAR
+CLASS="replaceable"
+>zone</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>view</VAR
+></SPAN
+>]</SPAN
+>]</KBD
+></DT
+><DD
+><P
+>Suspend updates to a dynamic zone. This allows manual
+ edits to be made to a zone normally updated by dynamic update. It
+ also causes changes in the journal file to be synced into the master
+ and the journal file to be removed. All dynamic update attempts will
+ be refused while the zone is frozen.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>unfreeze <VAR
+CLASS="replaceable"
+>zone</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>view</VAR
+></SPAN
+>]</SPAN
+>]</KBD
+></DT
+><DD
+><P
+>Enable updates to a frozen dynamic zone. This causes
+ the server to reload the zone from disk, and re-enables dynamic updates
+ after the load has completed. After a zone is unfrozen, dynamic updates
+ will no longer be refused.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>reconfig</KBD
+></DT
+><DD
+><P
+>Reload the configuration file and load new zones,
+ but do not reload existing zone files even if they have changed.
+ This is faster than a full <B
+CLASS="command"
+>reload</B
+> when there
+ is a large number of zones because it avoids the need to examine the
+ modification times of the zones files.
+ </P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>stats</KBD
+></DT
+><DD
+><P
+>Write server statistics to the statistics file.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>querylog</KBD
+></DT
+><DD
+><P
+>Toggle query logging. Query logging can also be enabled
+ by explicitly directing the <B
+CLASS="command"
+>queries</B
+>
+ <B
+CLASS="command"
+>category</B
+> to a <B
+CLASS="command"
+>channel</B
+> in the
+ <B
+CLASS="command"
+>logging</B
+> section of
+ <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>dumpdb</KBD
+></DT
+><DD
+><P
+>Dump the server's caches to the dump file. </P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>stop</KBD
+></DT
+><DD
+><P
+>Stop the server,
+ making sure any recent changes
+ made through dynamic update or IXFR are first saved to the master files
+ of the updated zones.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>halt</KBD
+></DT
+><DD
+><P
+>Stop the server immediately. Recent changes
+ made through dynamic update or IXFR are not saved to the master files,
+ but will be rolled forward from the journal files when the server
+ is restarted.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>trace</KBD
+></DT
+><DD
+><P
+>Increment the servers debugging level by one. </P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>trace <VAR
+CLASS="replaceable"
+>level</VAR
+></KBD
+></DT
+><DD
+><P
+>Sets the server's debugging level to an explicit
+ value.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>notrace</KBD
+></DT
+><DD
+><P
+>Sets the server's debugging level to 0.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>flush</KBD
+></DT
+><DD
+><P
+>Flushes the server's cache.</P
+></DD
+><DT
+><KBD
+CLASS="userinput"
+>status</KBD
+></DT
+><DD
+><P
+>Display status of the server.
+Note the number of zones includes the internal <B
+CLASS="command"
+>bind/CH</B
+> zone
+and the default <B
+CLASS="command"
+>./IN</B
+> hint zone if there is not a
+explicit root zone configured.</P
+></DD
+></DL
+></DIV
+><P
+>In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.2, <B
+CLASS="command"
+>rndc</B
+>
+supports all the commands of the BIND 8 <B
+CLASS="command"
+>ndc</B
+>
+utility except <B
+CLASS="command"
+>ndc start</B
+> and
+<B
+CLASS="command"
+>ndc restart</B
+>, which were also
+not supported in <B
+CLASS="command"
+>ndc</B
+>'s channel mode.</P
+><P
+>A configuration file is required, since all
+communication with the server is authenticated with
+digital signatures that rely on a shared secret, and
+there is no way to provide that secret other than with a
+configuration file. The default location for the
+<B
+CLASS="command"
+>rndc</B
+> configuration file is
+<TT
+CLASS="filename"
+>/etc/rndc.conf</TT
+>, but an alternate
+location can be specified with the <VAR
+CLASS="option"
+>-c</VAR
+>
+option. If the configuration file is not found,
+<B
+CLASS="command"
+>rndc</B
+> will also look in
+<TT
+CLASS="filename"
+>/etc/rndc.key</TT
+> (or whatever
+<VAR
+CLASS="varname"
+>sysconfdir</VAR
+> was defined when
+the <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> build was configured).
+The <TT
+CLASS="filename"
+>rndc.key</TT
+> file is generated by
+running <B
+CLASS="command"
+>rndc-confgen -a</B
+> as described in
+<A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>.</P
+><P
+>The format of the configuration file is similar to
+that of <TT
+CLASS="filename"
+>named.conf</TT
+>, but limited to
+only four statements, the <B
+CLASS="command"
+>options</B
+>,
+<B
+CLASS="command"
+>key</B
+>, <B
+CLASS="command"
+>server</B
+> and
+<B
+CLASS="command"
+>include</B
+>
+statements. These statements are what associate the
+secret keys to the servers with which they are meant to
+be shared. The order of statements is not
+significant.</P
+><P
+>The <B
+CLASS="command"
+>options</B
+> statement has three clauses:
+<B
+CLASS="command"
+>default-server</B
+>, <B
+CLASS="command"
+>default-key</B
+>,
+and <B
+CLASS="command"
+>default-port</B
+>.
+<B
+CLASS="command"
+>default-server</B
+> takes a
+host name or address argument and represents the server that will
+be contacted if no <VAR
+CLASS="option"
+>-s</VAR
+>
+option is provided on the command line.
+<B
+CLASS="command"
+>default-key</B
+> takes
+the name of a key as its argument, as defined by a <B
+CLASS="command"
+>key</B
+> statement.
+<B
+CLASS="command"
+>default-port</B
+> specifies the port to which
+<B
+CLASS="command"
+>rndc</B
+> should connect if no
+port is given on the command line or in a
+<B
+CLASS="command"
+>server</B
+> statement.</P
+><P
+>The <B
+CLASS="command"
+>key</B
+> statement defines an key to be used
+by <B
+CLASS="command"
+>rndc</B
+> when authenticating with
+<B
+CLASS="command"
+>named</B
+>. Its syntax is identical to the
+<B
+CLASS="command"
+>key</B
+> statement in named.conf.
+The keyword <KBD
+CLASS="userinput"
+>key</KBD
+> is
+followed by a key name, which must be a valid
+domain name, though it need not actually be hierarchical; thus,
+a string like "<KBD
+CLASS="userinput"
+>rndc_key</KBD
+>" is a valid name.
+The <B
+CLASS="command"
+>key</B
+> statement has two clauses:
+<B
+CLASS="command"
+>algorithm</B
+> and <B
+CLASS="command"
+>secret</B
+>.
+While the configuration parser will accept any string as the argument
+to algorithm, currently only the string "<KBD
+CLASS="userinput"
+>hmac-md5</KBD
+>"
+has any meaning. The secret is a base-64 encoded string.</P
+><P
+>The <B
+CLASS="command"
+>server</B
+> statement associates a key
+defined using the <B
+CLASS="command"
+>key</B
+> statement with a server.
+The keyword <KBD
+CLASS="userinput"
+>server</KBD
+> is followed by a
+host name or address. The <B
+CLASS="command"
+>server</B
+> statement
+has two clauses: <B
+CLASS="command"
+>key</B
+> and <B
+CLASS="command"
+>port</B
+>.
+The <B
+CLASS="command"
+>key</B
+> clause specifies the name of the key
+to be used when communicating with this server, and the
+<B
+CLASS="command"
+>port</B
+> clause can be used to
+specify the port <B
+CLASS="command"
+>rndc</B
+> should connect
+to on the server.</P
+><P
+>A sample minimal configuration file is as follows:</P
+><PRE
+CLASS="programlisting"
+>&#13;key rndc_key {
+ algorithm "hmac-md5";
+ secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
+options {
+ default-server 127.0.0.1;
+ default-key rndc_key;
+};
+</PRE
+><P
+>This file, if installed as <TT
+CLASS="filename"
+>/etc/rndc.conf</TT
+>,
+would allow the command:</P
+><P
+><SAMP
+CLASS="prompt"
+>$ </SAMP
+><KBD
+CLASS="userinput"
+>rndc reload</KBD
+></P
+><P
+>to connect to 127.0.0.1 port 953 and cause the name server
+to reload, if a name server on the local machine were running with
+following controls statements:</P
+><PRE
+CLASS="programlisting"
+>&#13;controls {
+ inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
+};
+</PRE
+><P
+>and it had an identical key statement for
+<VAR
+CLASS="literal"
+>rndc_key</VAR
+>.</P
+><P
+>Running the <B
+CLASS="command"
+>rndc-confgen</B
+> program will
+conveniently create a <TT
+CLASS="filename"
+>rndc.conf</TT
+>
+file for you, and also display the
+corresponding <B
+CLASS="command"
+>controls</B
+> statement that you need to
+add to <TT
+CLASS="filename"
+>named.conf</TT
+>. Alternatively,
+you can run <B
+CLASS="command"
+>rndc-confgen -a</B
+> to set up
+a <TT
+CLASS="filename"
+>rndc.key</TT
+> file and not modify
+<TT
+CLASS="filename"
+>named.conf</TT
+> at all.
+</P
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN679"
+>3.3.2. Signals</A
+></H2
+><P
+>Certain UNIX signals cause the name server to take specific
+actions, as described in the following table. These signals can
+be sent using the <B
+CLASS="command"
+>kill</B
+> command.</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN683"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>SIGHUP</B
+></P
+></TD
+><TD
+><P
+>Causes the server to read <TT
+CLASS="filename"
+>named.conf</TT
+> and
+reload the database. </P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>SIGTERM</B
+></P
+></TD
+><TD
+><P
+>Causes the server to clean up and exit.</P
+></TD
+></TR
+><TR
+><TD
+>&#13;<P
+><B
+CLASS="command"
+>SIGINT</B
+></P
+>
+</TD
+><TD
+><P
+>Causes the server to clean up and exit.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch02.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Resource Requirements</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Advanced DNS Features</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch04.html b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
new file mode 100644
index 0000000..a1f90b4
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch04.html
@@ -0,0 +1,1602 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Advanced DNS Features</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Name Server Configuration"
+HREF="Bv9ARM.ch03.html"><LINK
+REL="NEXT"
+TITLE="The BIND 9 Lightweight Resolver"
+HREF="Bv9ARM.ch05.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch04"
+></A
+>Chapter 4. Advanced DNS Features</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>4.1. <A
+HREF="Bv9ARM.ch04.html#notify"
+>Notify</A
+></DT
+><DT
+>4.2. <A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Dynamic Update</A
+></DT
+><DT
+>4.3. <A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Incremental Zone Transfers (IXFR)</A
+></DT
+><DT
+>4.4. <A
+HREF="Bv9ARM.ch04.html#AEN757"
+>Split DNS</A
+></DT
+><DT
+>4.5. <A
+HREF="Bv9ARM.ch04.html#tsig"
+>TSIG</A
+></DT
+><DT
+>4.6. <A
+HREF="Bv9ARM.ch04.html#AEN917"
+>TKEY</A
+></DT
+><DT
+>4.7. <A
+HREF="Bv9ARM.ch04.html#AEN932"
+>SIG(0)</A
+></DT
+><DT
+>4.8. <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>DNSSEC</A
+></DT
+><DT
+>4.9. <A
+HREF="Bv9ARM.ch04.html#AEN1001"
+>IPv6 Support in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="notify"
+>4.1. Notify</A
+></H1
+><P
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> NOTIFY is a mechanism that allows master
+servers to notify their slave servers of changes to a zone's data. In
+response to a <B
+CLASS="command"
+>NOTIFY</B
+> from a master server, the
+slave will check to see that its version of the zone is the
+current version and, if not, initiate a zone transfer.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>
+For more information about
+<B
+CLASS="command"
+>NOTIFY</B
+>, see the description of the
+<B
+CLASS="command"
+>notify</B
+> option in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+> and
+the description of the zone option <B
+CLASS="command"
+>also-notify</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>. The <B
+CLASS="command"
+>NOTIFY</B
+>
+protocol is specified in RFC 1996.
+</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="dynamic_update"
+>4.2. Dynamic Update</A
+></H1
+><P
+>Dynamic Update is a method for adding, replacing or deleting
+ records in a master server by sending it a special form of DNS
+ messages. The format and meaning of these messages is specified
+ in RFC 2136.</P
+><P
+>Dynamic update is enabled on a zone-by-zone basis, by
+ including an <B
+CLASS="command"
+>allow-update</B
+> or
+ <B
+CLASS="command"
+>update-policy</B
+> clause in the
+ <B
+CLASS="command"
+>zone</B
+> statement.</P
+><P
+>Updating of secure zones (zones using DNSSEC) follows
+ RFC 3007: RRSIG and NSEC records affected by updates are automatically
+ regenerated by the server using an online zone key.
+ Update authorization is based
+ on transaction signatures and an explicit server policy.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="journal"
+>4.2.1. The journal file</A
+></H2
+><P
+>All changes made to a zone using dynamic update are stored in the
+ zone's journal file. This file is automatically created by the
+ server when when the first dynamic update takes place. The name of
+ the journal file is formed by appending the
+ extension <TT
+CLASS="filename"
+>.jnl</TT
+> to the
+ name of the corresponding zone file. The journal file is in a
+ binary format and should not be edited manually.</P
+><P
+>The server will also occasionally write ("dump")
+ the complete contents of the updated zone to its zone file.
+ This is not done immediately after
+ each dynamic update, because that would be too slow when a large
+ zone is updated frequently. Instead, the dump is delayed by
+ up to 15 minutes, allowing additional updates to take place.</P
+><P
+>When a server is restarted after a shutdown or crash, it will replay
+ the journal file to incorporate into the zone any updates that took
+ place after the last zone dump.</P
+><P
+>Changes that result from incoming incremental zone transfers are also
+ journalled in a similar way.</P
+><P
+>The zone files of dynamic zones cannot normally be edited by
+ hand because they are not guaranteed to contain the most recent
+ dynamic changes - those are only in the journal file.
+ The only way to ensure that the zone file of a dynamic zone
+ is up to date is to run <B
+CLASS="command"
+>rndc stop</B
+>.</P
+><P
+>If you have to make changes to a dynamic zone
+ manually, the following procedure will work: Disable dynamic updates
+ to the zone using
+ <B
+CLASS="command"
+>rndc freeze <VAR
+CLASS="replaceable"
+>zone</VAR
+></B
+>.
+ This will also remove the zone's <TT
+CLASS="filename"
+>.jnl</TT
+> file
+ and update the master file. Edit the zone file. Run
+ <B
+CLASS="command"
+>rndc unfreeze <VAR
+CLASS="replaceable"
+>zone</VAR
+></B
+>
+ to reload the changed zone and re-enable dynamic updates.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="incremental_zone_transfers"
+>4.3. Incremental Zone Transfers (IXFR)</A
+></H1
+><P
+>The incremental zone transfer (IXFR) protocol is a way for
+slave servers to transfer only changed data, instead of having to
+transfer the entire zone. The IXFR protocol is specified in RFC
+1995. See <A
+HREF="Bv9ARM.ch09.html#proposed_standards"
+>Proposed Standards</A
+>.</P
+><P
+>When acting as a master, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9
+supports IXFR for those zones
+where the necessary change history information is available. These
+include master zones maintained by dynamic update and slave zones
+whose data was obtained by IXFR. For manually maintained master
+zones, and for slave zones obtained by performing a full zone
+transfer (AXFR), IXFR is supported only if the option
+<B
+CLASS="command"
+>ixfr-from-differences</B
+> is set
+to <KBD
+CLASS="userinput"
+>yes</KBD
+>.
+</P
+><P
+>When acting as a slave, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 will
+attempt to use IXFR unless
+it is explicitly disabled. For more information about disabling
+IXFR, see the description of the <B
+CLASS="command"
+>request-ixfr</B
+> clause
+of the <B
+CLASS="command"
+>server</B
+> statement.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN757"
+>4.4. Split DNS</A
+></H1
+><P
+>Setting up different views, or visibility, of the DNS space to
+internal and external resolvers is usually referred to as a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Split
+DNS</I
+></SPAN
+> setup. There are several reasons an organization
+would want to set up its DNS this way.</P
+><P
+>One common reason for setting up a DNS system this way is
+to hide "internal" DNS information from "external" clients on the
+Internet. There is some debate as to whether or not this is actually useful.
+Internal DNS information leaks out in many ways (via email headers,
+for example) and most savvy "attackers" can find the information
+they need using other means.</P
+><P
+>Another common reason for setting up a Split DNS system is
+to allow internal networks that are behind filters or in RFC 1918
+space (reserved IP space, as documented in RFC 1918) to resolve DNS
+on the Internet. Split DNS can also be used to allow mail from outside
+back in to the internal network.</P
+><P
+>Here is an example of a split DNS setup:</P
+><P
+>Let's say a company named <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+>
+(<VAR
+CLASS="literal"
+>example.com</VAR
+>)
+has several corporate sites that have an internal network with reserved
+Internet Protocol (IP) space and an external demilitarized zone (DMZ),
+or "outside" section of a network, that is available to the public.</P
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+> wants its internal clients
+to be able to resolve external hostnames and to exchange mail with
+people on the outside. The company also wants its internal resolvers
+to have access to certain internal-only zones that are not available
+at all outside of the internal network.</P
+><P
+>In order to accomplish this, the company will set up two sets
+of name servers. One set will be on the inside network (in the reserved
+IP space) and the other set will be on bastion hosts, which are "proxy"
+hosts that can talk to both sides of its network, in the DMZ.</P
+><P
+>The internal servers will be configured to forward all queries,
+except queries for <TT
+CLASS="filename"
+>site1.internal</TT
+>, <TT
+CLASS="filename"
+>site2.internal</TT
+>, <TT
+CLASS="filename"
+>site1.example.com</TT
+>,
+and <TT
+CLASS="filename"
+>site2.example.com</TT
+>, to the servers in the
+DMZ. These internal servers will have complete sets of information
+for <TT
+CLASS="filename"
+>site1.example.com</TT
+>, <TT
+CLASS="filename"
+>site2.example.com</TT
+>,<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+> </I
+></SPAN
+><TT
+CLASS="filename"
+>site1.internal</TT
+>,
+and <TT
+CLASS="filename"
+>site2.internal</TT
+>.</P
+><P
+>To protect the <TT
+CLASS="filename"
+>site1.internal</TT
+> and <TT
+CLASS="filename"
+>site2.internal</TT
+> domains,
+the internal name servers must be configured to disallow all queries
+to these domains from any external hosts, including the bastion
+hosts.</P
+><P
+>The external servers, which are on the bastion hosts, will
+be configured to serve the "public" version of the <TT
+CLASS="filename"
+>site1</TT
+> and <TT
+CLASS="filename"
+>site2.example.com</TT
+> zones.
+This could include things such as the host records for public servers
+(<TT
+CLASS="filename"
+>www.example.com</TT
+> and <TT
+CLASS="filename"
+>ftp.example.com</TT
+>),
+and mail exchange (MX) records (<TT
+CLASS="filename"
+>a.mx.example.com</TT
+> and <TT
+CLASS="filename"
+>b.mx.example.com</TT
+>).</P
+><P
+>In addition, the public <TT
+CLASS="filename"
+>site1</TT
+> and <TT
+CLASS="filename"
+>site2.example.com</TT
+> zones
+should have special MX records that contain wildcard (`*') records
+pointing to the bastion hosts. This is needed because external mail
+servers do not have any other way of looking up how to deliver mail
+to those internal hosts. With the wildcard records, the mail will
+be delivered to the bastion host, which can then forward it on to
+internal hosts.</P
+><P
+>Here's an example of a wildcard MX record:</P
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="literal"
+>* IN MX 10 external1.example.com.</VAR
+></PRE
+><P
+>Now that they accept mail on behalf of anything in the internal
+network, the bastion hosts will need to know how to deliver mail
+to internal hosts. In order for this to work properly, the resolvers on
+the bastion hosts will need to be configured to point to the internal
+name servers for DNS resolution.</P
+><P
+>Queries for internal hostnames will be answered by the internal
+servers, and queries for external hostnames will be forwarded back
+out to the DNS servers on the bastion hosts.</P
+><P
+>In order for all this to work properly, internal clients will
+need to be configured to query <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>only</I
+></SPAN
+> the internal
+name servers for DNS queries. This could also be enforced via selective
+filtering on the network.</P
+><P
+>If everything has been set properly, <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Example, Inc.</I
+></SPAN
+>'s
+internal clients will now be able to:</P
+><P
+></P
+><UL
+><LI
+><P
+>Look up any hostnames in the <VAR
+CLASS="literal"
+>site1</VAR
+> and
+<VAR
+CLASS="literal"
+>site2.example.com</VAR
+> zones.</P
+></LI
+><LI
+><P
+>Look up any hostnames in the <VAR
+CLASS="literal"
+>site1.internal</VAR
+> and
+<VAR
+CLASS="literal"
+>site2.internal</VAR
+> domains.</P
+></LI
+><LI
+><P
+>Look up any hostnames on the Internet.</P
+></LI
+><LI
+><P
+>Exchange mail with internal AND external people.</P
+></LI
+></UL
+><P
+>Hosts on the Internet will be able to:</P
+><P
+></P
+><UL
+><LI
+><P
+>Look up any hostnames in the <VAR
+CLASS="literal"
+>site1</VAR
+> and
+<VAR
+CLASS="literal"
+>site2.example.com</VAR
+> zones.</P
+></LI
+><LI
+><P
+>Exchange mail with anyone in the <VAR
+CLASS="literal"
+>site1</VAR
+> and
+<VAR
+CLASS="literal"
+>site2.example.com</VAR
+> zones.</P
+></LI
+></UL
+><P
+>Here is an example configuration for the setup we just
+ described above. Note that this is only configuration information;
+ for information on how to configure your zone files, see <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Section 3.1</A
+></P
+><P
+>Internal DNS server config:</P
+><PRE
+CLASS="programlisting"
+>&#13;
+acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+acl externals { <VAR
+CLASS="varname"
+>bastion-ips-go-here</VAR
+>; };
+
+options {
+ ...
+ ...
+ forward only;
+ forwarders { // forward to external servers
+ <VAR
+CLASS="varname"
+>bastion-ips-go-here</VAR
+>;
+ };
+ allow-transfer { none; }; // sample allow-transfer (no one)
+ allow-query { internals; externals; }; // restrict query access
+ allow-recursion { internals; }; // restrict recursion
+ ...
+ ...
+};
+
+zone "site1.example.com" { // sample master zone
+ type master;
+ file "m/site1.example.com";
+ forwarders { }; // do normal iterative
+ // resolution (do not forward)
+ allow-query { internals; externals; };
+ allow-transfer { internals; };
+};
+
+zone "site2.example.com" { // sample slave zone
+ type slave;
+ file "s/site2.example.com";
+ masters { 172.16.72.3; };
+ forwarders { };
+ allow-query { internals; externals; };
+ allow-transfer { internals; };
+};
+
+zone "site1.internal" {
+ type master;
+ file "m/site1.internal";
+ forwarders { };
+ allow-query { internals; };
+ allow-transfer { internals; }
+};
+
+zone "site2.internal" {
+ type slave;
+ file "s/site2.internal";
+ masters { 172.16.72.3; };
+ forwarders { };
+ allow-query { internals };
+ allow-transfer { internals; }
+};
+</PRE
+><P
+>External (bastion host) DNS server config:</P
+><PRE
+CLASS="programlisting"
+>&#13;acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+acl externals { bastion-ips-go-here; };
+
+options {
+ ...
+ ...
+ allow-transfer { none; }; // sample allow-transfer (no one)
+ allow-query { internals; externals; }; // restrict query access
+ allow-recursion { internals; externals; }; // restrict recursion
+ ...
+ ...
+};
+
+zone "site1.example.com" { // sample slave zone
+ type master;
+ file "m/site1.foo.com";
+ allow-query { any; };
+ allow-transfer { internals; externals; };
+};
+
+zone "site2.example.com" {
+ type slave;
+ file "s/site2.foo.com";
+ masters { another_bastion_host_maybe; };
+ allow-query { any; };
+ allow-transfer { internals; externals; }
+};
+</PRE
+><P
+>In the <TT
+CLASS="filename"
+>resolv.conf</TT
+> (or equivalent) on
+the bastion host(s):</P
+><PRE
+CLASS="programlisting"
+>&#13;search ...
+nameserver 172.16.72.2
+nameserver 172.16.72.3
+nameserver 172.16.72.4
+</PRE
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="tsig"
+>4.5. TSIG</A
+></H1
+><P
+>This is a short guide to setting up Transaction SIGnatures
+(TSIG) based transaction security in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>. It describes changes
+to the configuration file as well as what changes are required for
+different features, including the process of creating transaction
+keys and using transaction signatures with <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> primarily supports TSIG for server to server communication.
+This includes zone transfer, notify, and recursive query messages.
+Resolvers based on newer versions of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 have limited support
+for TSIG.</P
+><P
+>TSIG might be most useful for dynamic update. A primary
+ server for a dynamic zone should use access control to control
+ updates, but IP-based access control is insufficient.
+ The cryptographic access control provided by TSIG
+ is far superior. The <B
+CLASS="command"
+>nsupdate</B
+>
+ program supports TSIG via the <VAR
+CLASS="option"
+>-k</VAR
+> and
+ <VAR
+CLASS="option"
+>-y</VAR
+> command line options.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN848"
+>4.5.1. Generate Shared Keys for Each Pair of Hosts</A
+></H2
+><P
+>A shared secret is generated to be shared between <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+>.
+An arbitrary key name is chosen: "host1-host2.". The key name must
+be the same on both hosts.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN853"
+>4.5.1.1. Automatic Generation</A
+></H3
+><P
+>The following command will generate a 128 bit (16 byte) HMAC-MD5
+key as described above. Longer keys are better, but shorter keys
+are easier to read. Note that the maximum key length is 512 bits;
+keys longer than that will be digested with MD5 to produce a 128
+bit key.</P
+><P
+><KBD
+CLASS="userinput"
+>dnssec-keygen -a hmac-md5 -b 128 -n HOST host1-host2.</KBD
+></P
+><P
+>The key is in the file <TT
+CLASS="filename"
+>Khost1-host2.+157+00000.private</TT
+>.
+Nothing directly uses this file, but the base-64 encoded string
+following "<VAR
+CLASS="literal"
+>Key:</VAR
+>"
+can be extracted from the file and used as a shared secret:</P
+><PRE
+CLASS="programlisting"
+>Key: La/E5CjG9O+os1jq0a2jdA==</PRE
+><P
+>The string "<VAR
+CLASS="literal"
+>La/E5CjG9O+os1jq0a2jdA==</VAR
+>" can
+be used as the shared secret.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN864"
+>4.5.1.2. Manual Generation</A
+></H3
+><P
+>The shared secret is simply a random sequence of bits, encoded
+in base-64. Most ASCII strings are valid base-64 strings (assuming
+the length is a multiple of 4 and only valid characters are used),
+so the shared secret can be manually generated.</P
+><P
+>Also, a known string can be run through <B
+CLASS="command"
+>mmencode</B
+> or
+a similar program to generate base-64 encoded data.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN869"
+>4.5.2. Copying the Shared Secret to Both Machines</A
+></H2
+><P
+>This is beyond the scope of DNS. A secure transport mechanism
+should be used. This could be secure FTP, ssh, telephone, etc.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN872"
+>4.5.3. Informing the Servers of the Key's Existence</A
+></H2
+><P
+>Imagine <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host 2</I
+></SPAN
+> are
+both servers. The following is added to each server's <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+>&#13;key host1-host2. {
+ algorithm hmac-md5;
+ secret "La/E5CjG9O+os1jq0a2jdA==";
+};
+</PRE
+><P
+>The algorithm, hmac-md5, is the only one supported by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>.
+The secret is the one generated above. Since this is a secret, it
+is recommended that either <TT
+CLASS="filename"
+>named.conf</TT
+> be non-world
+readable, or the key directive be added to a non-world readable
+file that is included by <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+><P
+>At this point, the key is recognized. This means that if the
+server receives a message signed by this key, it can verify the
+signature. If the signature is successfully verified, the
+response is signed by the same key.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN884"
+>4.5.4. Instructing the Server to Use the Key</A
+></H2
+><P
+>Since keys are shared between two hosts only, the server must
+be told when keys are to be used. The following is added to the <TT
+CLASS="filename"
+>named.conf</TT
+> file
+for <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>, if the IP address of <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+> is
+10.1.2.3:</P
+><PRE
+CLASS="programlisting"
+>&#13;server 10.1.2.3 {
+ keys { host1-host2. ;};
+};
+</PRE
+><P
+>Multiple keys may be present, but only the first is used.
+This directive does not contain any secrets, so it may be in a world-readable
+file.</P
+><P
+>If <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> sends a message that is a request
+to that address, the message will be signed with the specified key. <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+> will
+expect any responses to signed messages to be signed with the same
+key.</P
+><P
+>A similar statement must be present in <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+>'s
+configuration file (with <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>'s address) for <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host2</I
+></SPAN
+> to
+sign request messages to <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>host1</I
+></SPAN
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN900"
+>4.5.5. TSIG Key Based Access Control</A
+></H2
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> allows IP addresses and ranges to be specified in ACL
+definitions and
+<B
+CLASS="command"
+>allow-{ query | transfer | update }</B
+> directives.
+This has been extended to allow TSIG keys also. The above key would
+be denoted <B
+CLASS="command"
+>key host1-host2.</B
+></P
+><P
+>An example of an allow-update directive would be:</P
+><PRE
+CLASS="programlisting"
+>&#13;allow-update { key host1-host2. ;};
+</PRE
+><P
+>This allows dynamic updates to succeed only if the request
+ was signed by a key named
+ "<B
+CLASS="command"
+>host1-host2.</B
+>".</P
+><P
+>You may want to read about the more
+ powerful <B
+CLASS="command"
+>update-policy</B
+> statement in <A
+HREF="Bv9ARM.ch06.html#dynamic_update_policies"
+>Section 6.2.24.4</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN913"
+>4.5.6. Errors</A
+></H2
+><P
+>The processing of TSIG signed messages can result in
+ several errors. If a signed message is sent to a non-TSIG aware
+ server, a FORMERR will be returned, since the server will not
+ understand the record. This is a result of misconfiguration,
+ since the server must be explicitly configured to send a TSIG
+ signed message to a specific server.</P
+><P
+>If a TSIG aware server receives a message signed by an
+ unknown key, the response will be unsigned with the TSIG
+ extended error code set to BADKEY. If a TSIG aware server
+ receives a message with a signature that does not validate, the
+ response will be unsigned with the TSIG extended error code set
+ to BADSIG. If a TSIG aware server receives a message with a time
+ outside of the allowed range, the response will be signed with
+ the TSIG extended error code set to BADTIME, and the time values
+ will be adjusted so that the response can be successfully
+ verified. In any of these cases, the message's rcode is set to
+ NOTAUTH.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN917"
+>4.6. TKEY</A
+></H1
+><P
+><B
+CLASS="command"
+>TKEY</B
+> is a mechanism for automatically
+ generating a shared secret between two hosts. There are several
+ "modes" of <B
+CLASS="command"
+>TKEY</B
+> that specify how the key is
+ generated or assigned. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9
+ implements only one of these modes,
+ the Diffie-Hellman key exchange. Both hosts are required to have
+ a Diffie-Hellman KEY record (although this record is not required
+ to be present in a zone). The <B
+CLASS="command"
+>TKEY</B
+> process
+ must use signed messages, signed either by TSIG or SIG(0). The
+ result of <B
+CLASS="command"
+>TKEY</B
+> is a shared secret that can be
+ used to sign messages with TSIG. <B
+CLASS="command"
+>TKEY</B
+> can also
+ be used to delete shared secrets that it had previously
+ generated.</P
+><P
+>The <B
+CLASS="command"
+>TKEY</B
+> process is initiated by a client
+ or server by sending a signed <B
+CLASS="command"
+>TKEY</B
+> query
+ (including any appropriate KEYs) to a TKEY-aware server. The
+ server response, if it indicates success, will contain a
+ <B
+CLASS="command"
+>TKEY</B
+> record and any appropriate keys. After
+ this exchange, both participants have enough information to
+ determine the shared secret; the exact process depends on the
+ <B
+CLASS="command"
+>TKEY</B
+> mode. When using the Diffie-Hellman
+ <B
+CLASS="command"
+>TKEY</B
+> mode, Diffie-Hellman keys are exchanged,
+ and the shared secret is derived by both participants.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN932"
+>4.7. SIG(0)</A
+></H1
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 partially supports DNSSEC SIG(0)
+ transaction signatures as specified in RFC 2535 and RFC2931. SIG(0)
+ uses public/private keys to authenticate messages. Access control
+ is performed in the same manner as TSIG keys; privileges can be
+ granted or denied based on the key name.</P
+><P
+>When a SIG(0) signed message is received, it will only be
+ verified if the key is known and trusted by the server; the server
+ will not attempt to locate and/or validate the key.</P
+><P
+>SIG(0) signing of multiple-message TCP streams is not
+ supported.</P
+><P
+>The only tool shipped with <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 that
+ generates SIG(0) signed messages is <B
+CLASS="command"
+>nsupdate</B
+>.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="DNSSEC"
+>4.8. DNSSEC</A
+></H1
+><P
+>Cryptographic authentication of DNS information is possible
+ through the DNS Security (<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>DNSSEC-bis</I
+></SPAN
+>) extensions,
+ defined in RFC &#60;TBA&#62;. This section describes the creation and use
+ of DNSSEC signed zones.</P
+><P
+>In order to set up a DNSSEC secure zone, there are a series
+ of steps which must be followed. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 ships
+ with several tools
+ that are used in this process, which are explained in more detail
+ below. In all cases, the <VAR
+CLASS="option"
+>-h</VAR
+> option prints a
+ full list of parameters. Note that the DNSSEC tools require the
+ keyset files to be in the working directory or the
+ directory specified by the <VAR
+CLASS="option"
+>-h</VAR
+> option, and
+ that the tools shipped with BIND 9.2.x and earlier are not compatible
+ with the current ones.</P
+><P
+>There must also be communication with the administrators of
+ the parent and/or child zone to transmit keys. A zone's security
+ status must be indicated by the parent zone for a DNSSEC capable
+ resolver to trust its data. This is done through the presense
+ or absence of a <VAR
+CLASS="literal"
+>DS</VAR
+> record at the delegation
+ point.</P
+><P
+>For other servers to trust data in this zone, they must
+ either be statically configured with this zone's zone key or the
+ zone key of another zone above this one in the DNS tree.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN952"
+>4.8.1. Generating Keys</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-keygen</B
+> program is used to
+ generate keys.</P
+><P
+>A secure zone must contain one or more zone keys. The
+ zone keys will sign all other records in the zone, as well as
+ the zone keys of any secure delegated zones. Zone keys must
+ have the same name as the zone, a name type of
+ <B
+CLASS="command"
+>ZONE</B
+>, and must be usable for authentication.
+ It is recommended that zone keys use a cryptographic algorithm
+ designated as "mandatory to implement" by the IETF; currently
+ the only one is RSASHA1.</P
+><P
+>The following command will generate a 768 bit RSASHA1 key for
+ the <TT
+CLASS="filename"
+>child.example</TT
+> zone:</P
+><P
+><KBD
+CLASS="userinput"
+>dnssec-keygen -a RSASHA1 -b 768 -n ZONE child.example.</KBD
+></P
+><P
+>Two output files will be produced:
+ <TT
+CLASS="filename"
+>Kchild.example.+005+12345.key</TT
+> and
+ <TT
+CLASS="filename"
+>Kchild.example.+005+12345.private</TT
+> (where
+ 12345 is an example of a key tag). The key file names contain
+ the key name (<TT
+CLASS="filename"
+>child.example.</TT
+>), algorithm (3
+ is DSA, 1 is RSAMD5, 5 is RSASHA1, etc.), and the key tag (12345 in this case).
+ The private key (in the <TT
+CLASS="filename"
+>.private</TT
+> file) is
+ used to generate signatures, and the public key (in the
+ <TT
+CLASS="filename"
+>.key</TT
+> file) is used for signature
+ verification.</P
+><P
+>To generate another key with the same properties (but with
+ a different key tag), repeat the above command.</P
+><P
+>The public keys should be inserted into the zone file by
+ including the <TT
+CLASS="filename"
+>.key</TT
+> files using
+ <B
+CLASS="command"
+>$INCLUDE</B
+> statements.
+ </P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN972"
+>4.8.2. Signing the Zone</A
+></H2
+><P
+>The <B
+CLASS="command"
+>dnssec-signzone</B
+> program is used to
+ sign a zone.</P
+><P
+>Any <TT
+CLASS="filename"
+>keyset</TT
+> files corresponding
+ to secure subzones should be present. The zone signer will
+ generate <VAR
+CLASS="literal"
+>NSEC</VAR
+> and <VAR
+CLASS="literal"
+>RRSIG</VAR
+>
+ records for the zone, as well as <VAR
+CLASS="literal"
+>DS</VAR
+> for
+ the child zones if <VAR
+CLASS="literal"
+>'-d'</VAR
+> is specified.
+ If <VAR
+CLASS="literal"
+>'-d'</VAR
+> is not specified then DS RRsets for
+ the secure child zones need to be added manually.</P
+><P
+>The following command signs the zone, assuming it is in a
+ file called <TT
+CLASS="filename"
+>zone.child.example</TT
+>. By
+ default, all zone keys which have an available private key are
+ used to generate signatures.</P
+><P
+><KBD
+CLASS="userinput"
+>dnssec-signzone -o child.example zone.child.example</KBD
+></P
+><P
+>One output file is produced:
+ <TT
+CLASS="filename"
+>zone.child.example.signed</TT
+>. This file
+ should be referenced by <TT
+CLASS="filename"
+>named.conf</TT
+> as the
+ input file for the zone.</P
+><P
+><B
+CLASS="command"
+>dnssec-signzone</B
+> will also produce a
+ keyset and dsset files and optionally a dlvset file. These
+ are used to provide the parent zone administators with the
+ <VAR
+CLASS="literal"
+>DNSKEYs</VAR
+> (or their corresponding <VAR
+CLASS="literal"
+>DS</VAR
+>
+ records) that are the secure entry point to the zone.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN994"
+>4.8.3. Configuring Servers</A
+></H2
+><P
+>Unlike <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8,
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 does not verify signatures on load,
+so zone keys for authoritative zones do not need to be specified
+in the configuration file.</P
+><P
+>The public key for any security root must be present in
+the configuration file's <B
+CLASS="command"
+>trusted-keys</B
+>
+statement, as described later in this document. </P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN1001"
+>4.9. IPv6 Support in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9</A
+></H1
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 fully supports all currently defined forms of IPv6
+ name to address and address to name lookups. It will also use
+ IPv6 addresses to make queries when running on an IPv6 capable
+ system.</P
+><P
+>For forward lookups, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 supports only AAAA
+ records. The use of A6 records is deprecated by RFC 3363, and the
+ support for forward lookups in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 is
+ removed accordingly.
+ However, authoritative <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 name servers still
+ load zone files containing A6 records correctly, answer queries
+ for A6 records, and accept zone transfer for a zone containing A6
+ records.</P
+><P
+>For IPv6 reverse lookups, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 supports
+ the traditional "nibble" format used in the
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>ip6.arpa</I
+></SPAN
+> domain, as well as the older, deprecated
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>ip6.int</I
+></SPAN
+> domain.
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 formerly
+ supported the "binary label" (also known as "bitstring") format.
+ The support of binary labels, however, is now completely removed
+ according to the changes in RFC 3363.
+ Any applications in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 do not understand
+ the format any more, and will return an error if given.
+ In particular, an authoritative <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 name
+ server rejects to load a zone file containing binary labels.</P
+><P
+>For an overview of the format and structure of IPv6 addresses,
+ see <A
+HREF="Bv9ARM.ch09.html#ipv6addresses"
+>Section A.2.1</A
+>.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1019"
+>4.9.1. Address Lookups Using AAAA Records</A
+></H2
+><P
+>The AAAA record is a parallel to the IPv4 A record. It
+ specifies the entire address in a single record. For
+ example,</P
+><PRE
+CLASS="programlisting"
+>&#13;$ORIGIN example.com.
+host 3600 IN AAAA 2001:db8::1
+</PRE
+><P
+>It is recommended that IPv4-in-IPv6 mapped addresses not
+ be used. If a host has an IPv4 address, use an A record, not
+ a AAAA, with <VAR
+CLASS="literal"
+>::ffff:192.168.42.1</VAR
+> as the
+ address.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1025"
+>4.9.2. Address to Name Lookups Using Nibble Format</A
+></H2
+><P
+>When looking up an address in nibble format, the address
+ components are simply reversed, just as in IPv4, and
+ <VAR
+CLASS="literal"
+>ip6.arpa.</VAR
+> is appended to the resulting name.
+ For example, the following would provide reverse name lookup for
+ a host with address
+ <VAR
+CLASS="literal"
+>2001:db8::1</VAR
+>.</P
+><PRE
+CLASS="programlisting"
+>&#13;$ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 14400 IN PTR host.example.com.
+</PRE
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch03.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Name Server Configuration</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Lightweight Resolver</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch05.html b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
new file mode 100644
index 0000000..2ae7f2e
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch05.html
@@ -0,0 +1,265 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>The BIND 9 Lightweight Resolver</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Advanced DNS Features"
+HREF="Bv9ARM.ch04.html"><LINK
+REL="NEXT"
+TITLE="BIND 9 Configuration Reference"
+HREF="Bv9ARM.ch06.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch05"
+></A
+>Chapter 5. The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Lightweight Resolver</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>5.1. <A
+HREF="Bv9ARM.ch05.html#AEN1034"
+>The Lightweight Resolver Library</A
+></DT
+><DT
+>5.2. <A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Running a Resolver Daemon</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN1034"
+>5.1. The Lightweight Resolver Library</A
+></H1
+><P
+>Traditionally applications have been linked with a stub resolver
+library that sends recursive DNS queries to a local caching name
+server.</P
+><P
+>IPv6 once introduced new complexity into the resolution process,
+such as following A6 chains and DNAME records, and simultaneous
+lookup of IPv4 and IPv6 addresses. Though most of the complexity was
+then removed, these are hard or impossible
+to implement in a traditional stub resolver.</P
+><P
+>Instead, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 provides resolution services to local clients
+using a combination of a lightweight resolver library and a resolver
+daemon process running on the local host. These communicate using
+a simple UDP-based protocol, the "lightweight resolver protocol"
+that is distinct from and simpler than the full DNS protocol.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="lwresd"
+>5.2. Running a Resolver Daemon</A
+></H1
+><P
+>To use the lightweight resolver interface, the system must
+run the resolver daemon <B
+CLASS="command"
+>lwresd</B
+> or a local
+name server configured with a <B
+CLASS="command"
+>lwres</B
+> statement.</P
+><P
+>By default, applications using the lightweight resolver library will make
+UDP requests to the IPv4 loopback address (127.0.0.1) on port 921. The
+address can be overridden by <B
+CLASS="command"
+>lwserver</B
+> lines in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>.</P
+><P
+>The daemon currently only looks in the DNS, but in the future
+it may use other sources such as <TT
+CLASS="filename"
+>/etc/hosts</TT
+>,
+NIS, etc.</P
+><P
+>The <B
+CLASS="command"
+>lwresd</B
+> daemon is essentially a
+caching-only name server that responds to requests using the lightweight
+resolver protocol rather than the DNS protocol. Because it needs
+to run on each host, it is designed to require no or minimal configuration.
+Unless configured otherwise, it uses the name servers listed on
+<B
+CLASS="command"
+>nameserver</B
+> lines in <TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>
+as forwarders, but is also capable of doing the resolution autonomously if
+none are specified.</P
+><P
+>The <B
+CLASS="command"
+>lwresd</B
+> daemon may also be configured with a
+<TT
+CLASS="filename"
+>named.conf</TT
+> style configuration file, in
+<TT
+CLASS="filename"
+>/etc/lwresd.conf</TT
+> by default. A name server may also
+be configured to act as a lightweight resolver daemon using the
+<B
+CLASS="command"
+>lwres</B
+> statement in <TT
+CLASS="filename"
+>named.conf</TT
+>.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch04.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Advanced DNS Features</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Configuration Reference</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch06.html b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
new file mode 100644
index 0000000..a83ec38
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch06.html
@@ -0,0 +1,11479 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Configuration Reference</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="The BIND 9 Lightweight Resolver"
+HREF="Bv9ARM.ch05.html"><LINK
+REL="NEXT"
+TITLE="BIND 9 Security Considerations"
+HREF="Bv9ARM.ch07.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch06"
+></A
+>Chapter 6. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Configuration Reference</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>6.1. <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Configuration File Elements</A
+></DT
+><DT
+>6.2. <A
+HREF="Bv9ARM.ch06.html#Configuration_File_Grammar"
+>Configuration File Grammar</A
+></DT
+><DT
+>6.3. <A
+HREF="Bv9ARM.ch06.html#AEN4015"
+>Zone File</A
+></DT
+></DL
+></DIV
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 configuration is broadly similar
+to <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8; however, there are a few new areas
+of configuration, such as views. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+8 configuration files should work with few alterations in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+9, although more complex configurations should be reviewed to check
+if they can be more efficiently implemented using the new features
+found in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 4 configuration files can be converted to the new format
+using the shell script
+<TT
+CLASS="filename"
+>contrib/named-bootconf/named-bootconf.sh</TT
+>.</P
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="configuration_file_elements"
+>6.1. Configuration File Elements</A
+></H1
+><P
+>Following is a list of elements used throughout the <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> configuration
+file documentation:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN1076"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>acl_name</VAR
+></P
+></TD
+><TD
+><P
+>The name of an <VAR
+CLASS="varname"
+>address_match_list</VAR
+> as
+defined by the <B
+CLASS="command"
+>acl</B
+> statement.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>address_match_list</VAR
+></P
+></TD
+><TD
+><P
+>A list of one or more <VAR
+CLASS="varname"
+>ip_addr</VAR
+>,
+<VAR
+CLASS="varname"
+>ip_prefix</VAR
+>, <VAR
+CLASS="varname"
+>key_id</VAR
+>,
+or <VAR
+CLASS="varname"
+>acl_name</VAR
+> elements, see
+<A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Section 6.1.1</A
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>domain_name</VAR
+></P
+></TD
+><TD
+><P
+>A quoted string which will be used as
+a DNS name, for example "<VAR
+CLASS="literal"
+>my.test.domain</VAR
+>".</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>dotted_decimal</VAR
+></P
+></TD
+><TD
+><P
+>One to four integers valued 0 through
+255 separated by dots (`.'), such as <B
+CLASS="command"
+>123</B
+>,
+<B
+CLASS="command"
+>45.67</B
+> or <B
+CLASS="command"
+>89.123.45.67</B
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>ip4_addr</VAR
+></P
+></TD
+><TD
+><P
+>An IPv4 address with exactly four elements
+in <VAR
+CLASS="varname"
+>dotted_decimal</VAR
+> notation.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>ip6_addr</VAR
+></P
+></TD
+><TD
+><P
+>An IPv6 address, such as <B
+CLASS="command"
+>2001:db8::1234</B
+>.
+IPv6 scoped addresses that have ambiguity on their scope zones must be
+disambiguated by an appropriate zone ID with the percent character
+(`%') as delimiter.
+It is strongly recommended to use string zone names rather than
+numeric identifiers, in order to be robust against system
+configuration changes.
+However, since there is no standard mapping for such names and
+identifier values, currently only interface names as link identifiers
+are supported, assuming one-to-one mapping between interfaces and links.
+For example, a link-local address <B
+CLASS="command"
+>fe80::1</B
+> on the
+link attached to the interface <B
+CLASS="command"
+>ne0</B
+>
+can be specified as <B
+CLASS="command"
+>fe80::1%ne0</B
+>.
+Note that on most systems link-local addresses always have the
+ambiguity, and need to be disambiguated.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>ip_addr</VAR
+></P
+></TD
+><TD
+><P
+>An <VAR
+CLASS="varname"
+>ip4_addr</VAR
+> or <VAR
+CLASS="varname"
+>ip6_addr</VAR
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>ip_port</VAR
+></P
+></TD
+><TD
+><P
+>An IP port <VAR
+CLASS="varname"
+>number</VAR
+>.
+<VAR
+CLASS="varname"
+>number</VAR
+> is limited to 0 through 65535, with values
+below 1024 typically restricted to use by processes running as root.
+In some cases an asterisk (`*') character can be used as a placeholder to
+select a random high-numbered port.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>ip_prefix</VAR
+></P
+></TD
+><TD
+><P
+>An IP network specified as an <VAR
+CLASS="varname"
+>ip_addr</VAR
+>,
+followed by a slash (`/') and then the number of bits in the netmask.
+Trailing zeros in a <VAR
+CLASS="varname"
+>ip_addr</VAR
+> may omitted.
+For example, <B
+CLASS="command"
+>127/8</B
+> is the network <B
+CLASS="command"
+>127.0.0.0</B
+> with
+netmask <B
+CLASS="command"
+>255.0.0.0</B
+> and <B
+CLASS="command"
+>1.2.3.0/28</B
+> is
+network <B
+CLASS="command"
+>1.2.3.0</B
+> with netmask <B
+CLASS="command"
+>255.255.255.240</B
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>key_id</VAR
+></P
+></TD
+><TD
+><P
+>A <VAR
+CLASS="varname"
+>domain_name</VAR
+> representing
+the name of a shared key, to be used for transaction security.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>key_list</VAR
+></P
+></TD
+><TD
+><P
+>A list of one or more <VAR
+CLASS="varname"
+>key_id</VAR
+>s,
+separated by semicolons and ending with a semicolon.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>number</VAR
+></P
+></TD
+><TD
+><P
+>A non-negative 32 bit integer
+(i.e., a number between 0 and 4294967295, inclusive).
+Its acceptable value might further
+be limited by the context in which it is used.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>path_name</VAR
+></P
+></TD
+><TD
+><P
+>A quoted string which will be used as
+a pathname, such as <TT
+CLASS="filename"
+>zones/master/my.test.domain</TT
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>size_spec</VAR
+></P
+></TD
+><TD
+><P
+>A number, the word <KBD
+CLASS="userinput"
+>unlimited</KBD
+>,
+or the word <KBD
+CLASS="userinput"
+>default</KBD
+>.</P
+><P
+>&#13;An <VAR
+CLASS="varname"
+>unlimited</VAR
+> <VAR
+CLASS="varname"
+>size_spec</VAR
+> requests unlimited
+use, or the maximum available amount. A <VAR
+CLASS="varname"
+>default size_spec</VAR
+> uses
+the limit that was in force when the server was started.</P
+><P
+>A <VAR
+CLASS="varname"
+>number</VAR
+> can
+optionally be followed by a scaling factor: <KBD
+CLASS="userinput"
+>K</KBD
+> or <KBD
+CLASS="userinput"
+>k</KBD
+> for
+kilobytes, <KBD
+CLASS="userinput"
+>M</KBD
+> or <KBD
+CLASS="userinput"
+>m</KBD
+> for
+megabytes, and <KBD
+CLASS="userinput"
+>G</KBD
+> or <KBD
+CLASS="userinput"
+>g</KBD
+> for gigabytes,
+which scale by 1024, 1024*1024, and 1024*1024*1024 respectively.</P
+>
+<P
+>The value must be representable as a 64-bit unsigned integer
+(0 to 18446744073709551615, inclusive).
+Using <VAR
+CLASS="varname"
+>unlimited</VAR
+> is the best way
+to safely set a really large number.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>yes_or_no</VAR
+></P
+></TD
+><TD
+><P
+>Either <KBD
+CLASS="userinput"
+>yes</KBD
+> or <KBD
+CLASS="userinput"
+>no</KBD
+>.
+The words <KBD
+CLASS="userinput"
+>true</KBD
+> and <KBD
+CLASS="userinput"
+>false</KBD
+> are
+also accepted, as are the numbers <KBD
+CLASS="userinput"
+>1</KBD
+> and <KBD
+CLASS="userinput"
+>0</KBD
+>.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>dialup_option</VAR
+></P
+></TD
+><TD
+><P
+>One of <KBD
+CLASS="userinput"
+>yes</KBD
+>,
+<KBD
+CLASS="userinput"
+>no</KBD
+>, <KBD
+CLASS="userinput"
+>notify</KBD
+>,
+<KBD
+CLASS="userinput"
+>notify-passive</KBD
+>, <KBD
+CLASS="userinput"
+>refresh</KBD
+> or
+<KBD
+CLASS="userinput"
+>passive</KBD
+>.
+When used in a zone, <KBD
+CLASS="userinput"
+>notify-passive</KBD
+>,
+<KBD
+CLASS="userinput"
+>refresh</KBD
+>, and <KBD
+CLASS="userinput"
+>passive</KBD
+>
+are restricted to slave and stub zones.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="address_match_lists"
+>6.1.1. Address Match Lists</A
+></H2
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1241"
+>6.1.1.1. Syntax</A
+></H3
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="varname"
+>address_match_list</VAR
+> = address_match_list_element ;
+ [<SPAN
+CLASS="optional"
+> address_match_list_element; ... </SPAN
+>]
+<VAR
+CLASS="varname"
+>address_match_list_element</VAR
+> = [<SPAN
+CLASS="optional"
+> ! </SPAN
+>] (ip_address [<SPAN
+CLASS="optional"
+>/length</SPAN
+>] |
+ key key_id | acl_name | { address_match_list } )
+</PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1249"
+>6.1.1.2. Definition and Usage</A
+></H3
+><P
+>Address match lists are primarily used to determine access
+control for various server operations. They are also used in
+the <B
+CLASS="command"
+>listen-on</B
+> and <B
+CLASS="command"
+>sortlist</B
+>
+statements. The elements
+which constitute an address match list can be any of the following:</P
+><P
+></P
+><UL
+><LI
+><P
+>an IP address (IPv4 or IPv6)</P
+></LI
+><LI
+><P
+>an IP prefix (in `/' notation)</P
+></LI
+><LI
+><P
+>a key ID, as defined by the <B
+CLASS="command"
+>key</B
+> statement</P
+></LI
+><LI
+><P
+>the name of an address match list previously defined with
+the <B
+CLASS="command"
+>acl</B
+> statement</P
+></LI
+><LI
+><P
+>a nested address match list enclosed in braces</P
+></LI
+></UL
+><P
+>Elements can be negated with a leading exclamation mark (`!'),
+and the match list names "any", "none", "localhost", and "localnets"
+are predefined. More information on those names can be found in
+the description of the acl statement.</P
+><P
+>The addition of the key clause made the name of this syntactic
+element something of a misnomer, since security keys can be used
+to validate access without regard to a host or network address. Nonetheless,
+the term "address match list" is still used throughout the documentation.</P
+><P
+>When a given IP address or prefix is compared to an address
+match list, the list is traversed in order until an element matches.
+The interpretation of a match depends on whether the list is being used
+for access control, defining listen-on ports, or in a sortlist,
+and whether the element was negated.</P
+><P
+>When used as an access control list, a non-negated match allows
+access and a negated match denies access. If there is no match,
+access is denied. The clauses <B
+CLASS="command"
+>allow-notify</B
+>,
+<B
+CLASS="command"
+>allow-query</B
+>, <B
+CLASS="command"
+>allow-transfer</B
+>,
+<B
+CLASS="command"
+>allow-update</B
+>, <B
+CLASS="command"
+>allow-update-forwarding</B
+>,
+and <B
+CLASS="command"
+>blackhole</B
+> all
+use address match lists this. Similarly, the listen-on option will cause
+the server to not accept queries on any of the machine's addresses
+which do not match the list.</P
+><P
+>Because of the first-match aspect of the algorithm, an element
+that defines a subset of another element in the list should come
+before the broader element, regardless of whether either is negated. For
+example, in
+<B
+CLASS="command"
+>1.2.3/24; ! 1.2.3.13;</B
+> the 1.2.3.13 element is
+completely useless because the algorithm will match any lookup for
+1.2.3.13 to the 1.2.3/24 element.
+Using <B
+CLASS="command"
+>! 1.2.3.13; 1.2.3/24</B
+> fixes
+that problem by having 1.2.3.13 blocked by the negation but all
+other 1.2.3.* hosts fall through.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1280"
+>6.1.2. Comment Syntax</A
+></H2
+><P
+>The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 comment syntax allows for comments to appear
+anywhere that white space may appear in a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> configuration
+file. To appeal to programmers of all kinds, they can be written
+in the C, C++, or shell/perl style.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1285"
+>6.1.2.1. Syntax</A
+></H3
+><P
+><PRE
+CLASS="programlisting"
+>/* This is a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> comment as in C */</PRE
+>
+<PRE
+CLASS="programlisting"
+>// This is a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> comment as in C++</PRE
+>
+<PRE
+CLASS="programlisting"
+># This is a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> comment as in common UNIX shells and perl</PRE
+>
+ </P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1294"
+>6.1.2.2. Definition and Usage</A
+></H3
+><P
+>Comments may appear anywhere that whitespace may appear in
+a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> configuration file.</P
+><P
+>C-style comments start with the two characters /* (slash,
+star) and end with */ (star, slash). Because they are completely
+delimited with these characters, they can be used to comment only
+a portion of a line or to span multiple lines.</P
+><P
+>C-style comments cannot be nested. For example, the following
+is not valid because the entire comment ends with the first */:</P
+><P
+><PRE
+CLASS="programlisting"
+>/* This is the start of a comment.
+ This is still part of the comment.
+/* This is an incorrect attempt at nesting a comment. */
+ This is no longer in any comment. */
+</PRE
+></P
+><P
+>C++-style comments start with the two characters // (slash,
+slash) and continue to the end of the physical line. They cannot
+be continued across multiple physical lines; to have one logical
+comment span multiple lines, each line must use the // pair.</P
+><P
+>For example:</P
+><P
+><PRE
+CLASS="programlisting"
+>// This is the start of a comment. The next line
+// is a new comment, even though it is logically
+// part of the previous comment.
+</PRE
+></P
+><P
+>Shell-style (or perl-style, if you prefer) comments start
+with the character <VAR
+CLASS="literal"
+>#</VAR
+> (number sign) and continue to the end of the
+physical line, as in C++ comments.</P
+><P
+>For example:</P
+><P
+><PRE
+CLASS="programlisting"
+># This is the start of a comment. The next line
+# is a new comment, even though it is logically
+# part of the previous comment.
+</PRE
+>
+</P
+><DIV
+CLASS="warning"
+><P
+></P
+><TABLE
+CLASS="warning"
+BORDER="1"
+WIDTH="100%"
+><TR
+><TD
+ALIGN="CENTER"
+><B
+>Warning</B
+></TD
+></TR
+><TR
+><TD
+ALIGN="LEFT"
+><P
+>You cannot use the semicolon (`;') character
+ to start a comment such as you would in a zone file. The
+ semicolon indicates the end of a configuration
+ statement.</P
+></TD
+></TR
+></TABLE
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="Configuration_File_Grammar"
+>6.2. Configuration File Grammar</A
+></H1
+><P
+>A <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 configuration consists of statements and comments.
+ Statements end with a semicolon. Statements and comments are the
+ only elements that can appear without enclosing braces. Many
+ statements contain a block of sub-statements, which are also
+ terminated with a semicolon.</P
+><P
+>The following statements are supported:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN1318"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>acl</B
+></P
+></TD
+><TD
+><P
+>defines a named IP address
+matching list, for access control and other uses.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>controls</B
+></P
+></TD
+><TD
+><P
+>declares control channels to be used
+by the <B
+CLASS="command"
+>rndc</B
+> utility.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>include</B
+></P
+></TD
+><TD
+><P
+>includes a file.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>key</B
+></P
+></TD
+><TD
+><P
+>specifies key information for use in
+authentication and authorization using TSIG.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>logging</B
+></P
+></TD
+><TD
+><P
+>specifies what the server logs, and where
+the log messages are sent.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>lwres</B
+></P
+></TD
+><TD
+><P
+>configures <B
+CLASS="command"
+>named</B
+> to
+also act as a light weight resolver daemon (<B
+CLASS="command"
+>lwresd</B
+>).</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>masters</B
+></P
+></TD
+><TD
+><P
+>defines a named masters list for
+inclusion in stub and slave zone masters clauses.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>options</B
+></P
+></TD
+><TD
+><P
+>controls global server configuration
+options and sets defaults for other statements.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>server</B
+></P
+></TD
+><TD
+><P
+>sets certain configuration options on
+a per-server basis.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>trusted-keys</B
+></P
+></TD
+><TD
+><P
+>defines trusted DNSSEC keys.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>view</B
+></P
+></TD
+><TD
+><P
+>defines a view.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>zone</B
+></P
+></TD
+><TD
+><P
+>defines a zone.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The <B
+CLASS="command"
+>logging</B
+> and
+ <B
+CLASS="command"
+>options</B
+> statements may only occur once per
+ configuration.</P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1401"
+>6.2.1. <B
+CLASS="command"
+>acl</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>acl</B
+> acl-name {
+ address_match_list
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="acl"
+>6.2.2. <B
+CLASS="command"
+>acl</B
+> Statement Definition and
+Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>acl</B
+> statement assigns a symbolic
+ name to an address match list. It gets its name from a primary
+ use of address match lists: Access Control Lists (ACLs).</P
+><P
+>Note that an address match list's name must be defined
+ with <B
+CLASS="command"
+>acl</B
+> before it can be used elsewhere; no
+ forward references are allowed.</P
+><P
+>The following ACLs are built-in:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN1414"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>any</B
+></P
+></TD
+><TD
+><P
+>Matches all hosts.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>none</B
+></P
+></TD
+><TD
+><P
+>Matches no hosts.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>localhost</B
+></P
+></TD
+><TD
+><P
+>Matches the IPv4 and IPv6 addresses of all network
+interfaces on the system.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>localnets</B
+></P
+></TD
+><TD
+><P
+>Matches any host on an IPv4 or IPv6 network
+for which the system has an interface.
+Some systems do not provide a way to determine the prefix lengths of
+local IPv6 addresses.
+In such a case, <B
+CLASS="command"
+>localnets</B
+> only matches the local
+IPv6 addresses, just like <B
+CLASS="command"
+>localhost</B
+>.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1445"
+>6.2.3. <B
+CLASS="command"
+>controls</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>controls</B
+> {
+ inet ( ip_addr | * ) [<SPAN
+CLASS="optional"
+> port ip_port </SPAN
+>] allow { <VAR
+CLASS="replaceable"
+> address_match_list </VAR
+> }
+ keys { <VAR
+CLASS="replaceable"
+> key_list </VAR
+> };
+ [<SPAN
+CLASS="optional"
+> inet ...; </SPAN
+>]
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="controls_statement_definition_and_usage"
+>6.2.4. <B
+CLASS="command"
+>controls</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>controls</B
+> statement declares control
+ channels to be used by system administrators to control the
+ operation of the name server. These control channels are
+ used by the <B
+CLASS="command"
+>rndc</B
+> utility to send commands to
+ and retrieve non-DNS results from a name server.</P
+><P
+>An <B
+CLASS="command"
+>inet</B
+> control channel is a TCP
+ socket listening at the specified
+ <B
+CLASS="command"
+>ip_port</B
+> on the specified
+ <B
+CLASS="command"
+>ip_addr</B
+>, which can be an IPv4 or IPv6
+ address. An <B
+CLASS="command"
+>ip_addr</B
+>
+ of <VAR
+CLASS="literal"
+>*</VAR
+> is interpreted as the IPv4 wildcard
+ address; connections will be accepted on any of the system's
+ IPv4 addresses. To listen on the IPv6 wildcard address,
+ use an <B
+CLASS="command"
+>ip_addr</B
+> of <VAR
+CLASS="literal"
+>::</VAR
+>.
+ If you will only use <B
+CLASS="command"
+>rndc</B
+> on the local host,
+ using the loopback address (<VAR
+CLASS="literal"
+>127.0.0.1</VAR
+>
+ or <VAR
+CLASS="literal"
+>::1</VAR
+>) is recommended for maximum
+ security.
+ </P
+><P
+>&#13; If no port is specified, port 953
+ is used. "<VAR
+CLASS="literal"
+>*</VAR
+>" cannot be used for
+ <B
+CLASS="command"
+>ip_port</B
+>.</P
+><P
+>The ability to issue commands over the control channel is
+ restricted by the <B
+CLASS="command"
+>allow</B
+> and
+ <B
+CLASS="command"
+>keys</B
+> clauses. Connections to the control
+ channel are permitted based on the
+ <B
+CLASS="command"
+>address_match_list</B
+>. This is for simple
+ IP address based filtering only; any <B
+CLASS="command"
+>key_id</B
+>
+ elements of the <B
+CLASS="command"
+>address_match_list</B
+> are
+ ignored.
+ </P
+><P
+>The primary authorization mechanism of the command
+ channel is the <B
+CLASS="command"
+>key_list</B
+>, which contains
+ a list of <B
+CLASS="command"
+>key_id</B
+>s.
+ Each <B
+CLASS="command"
+>key_id</B
+> in
+ the <B
+CLASS="command"
+>key_list</B
+> is authorized to execute
+ commands over the control channel.
+ See <A
+HREF="Bv9ARM.ch03.html#rndc"
+>Remote Name Daemon Control application</A
+> in
+ <A
+HREF="Bv9ARM.ch03.html#admin_tools"
+>Section 3.3.1.2</A
+>) for information about
+ configuring keys in <B
+CLASS="command"
+>rndc</B
+>.</P
+><P
+>&#13;If no <B
+CLASS="command"
+>controls</B
+> statement is present,
+<B
+CLASS="command"
+>named</B
+> will set up a default
+control channel listening on the loopback address 127.0.0.1
+and its IPv6 counterpart ::1.
+In this case, and also when the <B
+CLASS="command"
+>controls</B
+> statement
+is present but does not have a <B
+CLASS="command"
+>keys</B
+> clause,
+<B
+CLASS="command"
+>named</B
+> will attempt to load the command channel key
+from the file <TT
+CLASS="filename"
+>rndc.key</TT
+> in
+<TT
+CLASS="filename"
+>/etc</TT
+> (or whatever <VAR
+CLASS="varname"
+>sysconfdir</VAR
+>
+was specified as when <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> was built).
+To create a <TT
+CLASS="filename"
+>rndc.key</TT
+> file, run
+<KBD
+CLASS="userinput"
+>rndc-confgen -a</KBD
+>.
+</P
+><P
+>The <TT
+CLASS="filename"
+>rndc.key</TT
+> feature was created to
+ ease the transition of systems from <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8,
+ which did not have digital signatures on its command channel messages
+ and thus did not have a <B
+CLASS="command"
+>keys</B
+> clause.
+
+It makes it possible to use an existing <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8
+configuration file in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 unchanged,
+and still have <B
+CLASS="command"
+>rndc</B
+> work the same way
+<B
+CLASS="command"
+>ndc</B
+> worked in BIND 8, simply by executing the
+command <KBD
+CLASS="userinput"
+>rndc-confgen -a</KBD
+> after BIND 9 is
+installed.
+</P
+><P
+>&#13; Since the <TT
+CLASS="filename"
+>rndc.key</TT
+> feature
+ is only intended to allow the backward-compatible usage of
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 configuration files, this feature does not
+ have a high degree of configurability. You cannot easily change
+ the key name or the size of the secret, so you should make a
+ <TT
+CLASS="filename"
+>rndc.conf</TT
+> with your own key if you wish to change
+ those things. The <TT
+CLASS="filename"
+>rndc.key</TT
+> file also has its
+ permissions set such that only the owner of the file (the user that
+ <B
+CLASS="command"
+>named</B
+> is running as) can access it. If you
+ desire greater flexibility in allowing other users to access
+ <B
+CLASS="command"
+>rndc</B
+> commands then you need to create an
+ <TT
+CLASS="filename"
+>rndc.conf</TT
+> and make it group readable by a group
+ that contains the users who should have access.</P
+><P
+>The UNIX control channel type of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 is not supported
+ in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, and is not expected to be added in future
+ releases. If it is present in the controls statement from a
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 configuration file, it is ignored
+ and a warning is logged.</P
+><P
+>&#13;To disable the command channel, use an empty <B
+CLASS="command"
+>controls</B
+>
+statement: <B
+CLASS="command"
+>controls { };</B
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1524"
+>6.2.5. <B
+CLASS="command"
+>include</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>include <VAR
+CLASS="replaceable"
+>filename</VAR
+>;</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1529"
+>6.2.6. <B
+CLASS="command"
+>include</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>include</B
+> statement inserts the
+ specified file at the point where the <B
+CLASS="command"
+>include</B
+>
+ statement is encountered. The <B
+CLASS="command"
+>include</B
+>
+ statement facilitates the administration of configuration files
+ by permitting the reading or writing of some things but not
+ others. For example, the statement could include private keys
+ that are readable only by the name server.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1536"
+>6.2.7. <B
+CLASS="command"
+>key</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>key <VAR
+CLASS="replaceable"
+>key_id</VAR
+> {
+ algorithm <VAR
+CLASS="replaceable"
+>string</VAR
+>;
+ secret <VAR
+CLASS="replaceable"
+>string</VAR
+>;
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1543"
+>6.2.8. <B
+CLASS="command"
+>key</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>key</B
+> statement defines a shared
+secret key for use with TSIG (see <A
+HREF="Bv9ARM.ch04.html#tsig"
+>Section 4.5</A
+>)
+or the command channel
+(see <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>).
+</P
+><P
+>&#13;The <B
+CLASS="command"
+>key</B
+> statement can occur at the top level
+of the configuration file or inside a <B
+CLASS="command"
+>view</B
+>
+statement. Keys defined in top-level <B
+CLASS="command"
+>key</B
+>
+statements can be used in all views. Keys intended for use in
+a <B
+CLASS="command"
+>controls</B
+> statement
+(see <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+>Section 6.2.4</A
+>)
+must be defined at the top level.
+</P
+><P
+>The <VAR
+CLASS="replaceable"
+>key_id</VAR
+>, also known as the
+key name, is a domain name uniquely identifying the key. It can
+be used in a <B
+CLASS="command"
+>server</B
+>
+statement to cause requests sent to that
+server to be signed with this key, or in address match lists to
+verify that incoming requests have been signed with a key
+matching this name, algorithm, and secret.</P
+><P
+>The <VAR
+CLASS="replaceable"
+>algorithm_id</VAR
+> is a string
+that specifies a security/authentication algorithm. The only
+algorithm currently supported with TSIG authentication is
+<VAR
+CLASS="literal"
+>hmac-md5</VAR
+>. The
+<VAR
+CLASS="replaceable"
+>secret_string</VAR
+> is the secret to be
+used by the algorithm, and is treated as a base-64 encoded
+string.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1563"
+>6.2.9. <B
+CLASS="command"
+>logging</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>logging</B
+> {
+ [ <B
+CLASS="command"
+>channel</B
+> <VAR
+CLASS="replaceable"
+>channel_name</VAR
+> {
+ ( <B
+CLASS="command"
+>file</B
+> <VAR
+CLASS="replaceable"
+>path name</VAR
+>
+ [ <B
+CLASS="command"
+>versions</B
+> ( <VAR
+CLASS="replaceable"
+>number</VAR
+> | <VAR
+CLASS="literal"
+>unlimited</VAR
+> ) ]
+ [ <B
+CLASS="command"
+>size</B
+> <VAR
+CLASS="replaceable"
+>size spec</VAR
+> ]
+ | <B
+CLASS="command"
+>syslog</B
+> <VAR
+CLASS="replaceable"
+>syslog_facility</VAR
+>
+ | <B
+CLASS="command"
+>stderr</B
+>
+ | <B
+CLASS="command"
+>null</B
+> );
+ [ <B
+CLASS="command"
+>severity</B
+> (<VAR
+CLASS="option"
+>critical</VAR
+> | <VAR
+CLASS="option"
+>error</VAR
+> | <VAR
+CLASS="option"
+>warning</VAR
+> | <VAR
+CLASS="option"
+>notice</VAR
+> |
+ <VAR
+CLASS="option"
+>info</VAR
+> | <VAR
+CLASS="option"
+>debug</VAR
+> [ <VAR
+CLASS="replaceable"
+>level</VAR
+> ] | <VAR
+CLASS="option"
+>dynamic</VAR
+> ); ]
+ [ <B
+CLASS="command"
+>print-category</B
+> <VAR
+CLASS="option"
+>yes</VAR
+> or <VAR
+CLASS="option"
+>no</VAR
+>; ]
+ [ <B
+CLASS="command"
+>print-severity</B
+> <VAR
+CLASS="option"
+>yes</VAR
+> or <VAR
+CLASS="option"
+>no</VAR
+>; ]
+ [ <B
+CLASS="command"
+>print-time</B
+> <VAR
+CLASS="option"
+>yes</VAR
+> or <VAR
+CLASS="option"
+>no</VAR
+>; ]
+ }; ]
+ [ <B
+CLASS="command"
+>category</B
+> <VAR
+CLASS="replaceable"
+>category_name</VAR
+> {
+ <VAR
+CLASS="replaceable"
+>channel_name</VAR
+> ; [ <VAR
+CLASS="replaceable"
+>channel_nam</VAR
+>e ; ... ]
+ }; ]
+ ...
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1603"
+>6.2.10. <B
+CLASS="command"
+>logging</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>logging</B
+> statement configures a wide
+variety of logging options for the name server. Its <B
+CLASS="command"
+>channel</B
+> phrase
+associates output methods, format options and severity levels with
+a name that can then be used with the <B
+CLASS="command"
+>category</B
+> phrase
+to select how various classes of messages are logged.</P
+><P
+>Only one <B
+CLASS="command"
+>logging</B
+> statement is used to define
+as many channels and categories as are wanted. If there is no <B
+CLASS="command"
+>logging</B
+> statement,
+the logging configuration will be:</P
+><PRE
+CLASS="programlisting"
+>logging {
+ category default { default_syslog; default_debug; };
+ category unmatched { null; };
+};
+</PRE
+><P
+>In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, the logging configuration is only established when
+the entire configuration file has been parsed. In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8, it was
+established as soon as the <B
+CLASS="command"
+>logging</B
+> statement
+was parsed. When the server is starting up, all logging messages
+regarding syntax errors in the configuration file go to the default
+channels, or to standard error if the "<VAR
+CLASS="option"
+>-g</VAR
+>" option
+was specified.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN1619"
+>6.2.10.1. The <B
+CLASS="command"
+>channel</B
+> Phrase</A
+></H3
+><P
+>All log output goes to one or more <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>channels</I
+></SPAN
+>;
+you can make as many of them as you want.</P
+><P
+>Every channel definition must include a destination clause that
+says whether messages selected for the channel go to a file, to a
+particular syslog facility, to the standard error stream, or are
+discarded. It can optionally also limit the message severity level
+that will be accepted by the channel (the default is
+<B
+CLASS="command"
+>info</B
+>), and whether to include a
+<B
+CLASS="command"
+>named</B
+>-generated time stamp, the category name
+and/or severity level (the default is not to include any).</P
+><P
+>The <B
+CLASS="command"
+>null</B
+> destination clause
+causes all messages sent to the channel to be discarded;
+in that case, other options for the channel are meaningless.</P
+><P
+>The <B
+CLASS="command"
+>file</B
+> destination clause directs the channel
+to a disk file. It can include limitations
+both on how large the file is allowed to become, and how many versions
+of the file will be saved each time the file is opened.</P
+><P
+>If you use the <B
+CLASS="command"
+>versions</B
+> log file option, then
+<B
+CLASS="command"
+>named</B
+> will retain that many backup versions of the file by
+renaming them when opening. For example, if you choose to keep 3 old versions
+of the file <TT
+CLASS="filename"
+>lamers.log</TT
+> then just before it is opened
+<TT
+CLASS="filename"
+>lamers.log.1</TT
+> is renamed to
+<TT
+CLASS="filename"
+>lamers.log.2</TT
+>, <TT
+CLASS="filename"
+>lamers.log.0</TT
+> is renamed
+to <TT
+CLASS="filename"
+>lamers.log.1</TT
+>, and <TT
+CLASS="filename"
+>lamers.log</TT
+> is
+renamed to <TT
+CLASS="filename"
+>lamers.log.0</TT
+>.
+You can say <B
+CLASS="command"
+>versions unlimited</B
+> to not limit
+the number of versions.
+If a <B
+CLASS="command"
+>size</B
+> option is associated with the log file,
+then renaming is only done when the file being opened exceeds the
+indicated size. No backup versions are kept by default; any existing
+log file is simply appended.</P
+><P
+>The <B
+CLASS="command"
+>size</B
+> option for files is used to limit log
+growth. If the file ever exceeds the size, then <B
+CLASS="command"
+>named</B
+> will
+stop writing to the file unless it has a <B
+CLASS="command"
+>versions</B
+> option
+associated with it. If backup versions are kept, the files are rolled as
+described above and a new one begun. If there is no
+<B
+CLASS="command"
+>versions</B
+> option, no more data will be written to the log
+until some out-of-band mechanism removes or truncates the log to less than the
+maximum size. The default behavior is not to limit the size of the
+file.</P
+><P
+>Example usage of the <B
+CLASS="command"
+>size</B
+> and
+<B
+CLASS="command"
+>versions</B
+> options:</P
+><PRE
+CLASS="programlisting"
+>channel an_example_channel {
+ file "example.log" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+};
+</PRE
+><P
+>The <B
+CLASS="command"
+>syslog</B
+> destination clause directs the
+channel to the system log. Its argument is a
+syslog facility as described in the <B
+CLASS="command"
+>syslog</B
+> man
+page. Known facilities are <B
+CLASS="command"
+>kern</B
+>, <B
+CLASS="command"
+>user</B
+>,
+<B
+CLASS="command"
+>mail</B
+>, <B
+CLASS="command"
+>daemon</B
+>, <B
+CLASS="command"
+>auth</B
+>,
+<B
+CLASS="command"
+>syslog</B
+>, <B
+CLASS="command"
+>lpr</B
+>, <B
+CLASS="command"
+>news</B
+>,
+<B
+CLASS="command"
+>uucp</B
+>, <B
+CLASS="command"
+>cron</B
+>, <B
+CLASS="command"
+>authpriv</B
+>,
+<B
+CLASS="command"
+>ftp</B
+>, <B
+CLASS="command"
+>local0</B
+>, <B
+CLASS="command"
+>local1</B
+>,
+<B
+CLASS="command"
+>local2</B
+>, <B
+CLASS="command"
+>local3</B
+>, <B
+CLASS="command"
+>local4</B
+>,
+<B
+CLASS="command"
+>local5</B
+>, <B
+CLASS="command"
+>local6</B
+> and
+<B
+CLASS="command"
+>local7</B
+>, however not all facilities are supported on
+all operating systems.
+How <B
+CLASS="command"
+>syslog</B
+> will handle messages sent to
+this facility is described in the <B
+CLASS="command"
+>syslog.conf</B
+> man
+page. If you have a system which uses a very old version of <B
+CLASS="command"
+>syslog</B
+> that
+only uses two arguments to the <B
+CLASS="command"
+>openlog()</B
+> function,
+then this clause is silently ignored.</P
+><P
+>The <B
+CLASS="command"
+>severity</B
+> clause works like <B
+CLASS="command"
+>syslog</B
+>'s
+"priorities", except that they can also be used if you are writing
+straight to a file rather than using <B
+CLASS="command"
+>syslog</B
+>.
+Messages which are not at least of the severity level given will
+not be selected for the channel; messages of higher severity levels
+will be accepted.</P
+><P
+>If you are using <B
+CLASS="command"
+>syslog</B
+>, then the <B
+CLASS="command"
+>syslog.conf</B
+> priorities
+will also determine what eventually passes through. For example,
+defining a channel facility and severity as <B
+CLASS="command"
+>daemon</B
+> and <B
+CLASS="command"
+>debug</B
+> but
+only logging <B
+CLASS="command"
+>daemon.warning</B
+> via <B
+CLASS="command"
+>syslog.conf</B
+> will
+cause messages of severity <B
+CLASS="command"
+>info</B
+> and <B
+CLASS="command"
+>notice</B
+> to
+be dropped. If the situation were reversed, with <B
+CLASS="command"
+>named</B
+> writing
+messages of only <B
+CLASS="command"
+>warning</B
+> or higher, then <B
+CLASS="command"
+>syslogd</B
+> would
+print all messages it received from the channel.</P
+><P
+>The <B
+CLASS="command"
+>stderr</B
+> destination clause directs the
+channel to the server's standard error stream. This is intended for
+use when the server is running as a foreground process, for example
+when debugging a configuration.</P
+><P
+>The server can supply extensive debugging information when
+it is in debugging mode. If the server's global debug level is greater
+than zero, then debugging mode will be active. The global debug
+level is set either by starting the <B
+CLASS="command"
+>named</B
+> server
+with the <VAR
+CLASS="option"
+>-d</VAR
+> flag followed by a positive integer,
+or by running <B
+CLASS="command"
+>rndc trace</B
+>.
+The global debug level
+can be set to zero, and debugging mode turned off, by running <B
+CLASS="command"
+>ndc
+notrace</B
+>. All debugging messages in the server have a debug
+level, and higher debug levels give more detailed output. Channels
+that specify a specific debug severity, for example:</P
+><PRE
+CLASS="programlisting"
+>channel specific_debug_level {
+ file "foo";
+ severity debug 3;
+};
+</PRE
+><P
+>will get debugging output of level 3 or less any time the
+server is in debugging mode, regardless of the global debugging
+level. Channels with <B
+CLASS="command"
+>dynamic</B
+> severity use the
+server's global debug level to determine what messages to print.</P
+><P
+>If <B
+CLASS="command"
+>print-time</B
+> has been turned on, then
+the date and time will be logged. <B
+CLASS="command"
+>print-time</B
+> may
+be specified for a <B
+CLASS="command"
+>syslog</B
+> channel, but is usually
+pointless since <B
+CLASS="command"
+>syslog</B
+> also prints the date and
+time. If <B
+CLASS="command"
+>print-category</B
+> is requested, then the
+category of the message will be logged as well. Finally, if <B
+CLASS="command"
+>print-severity</B
+> is
+on, then the severity level of the message will be logged. The <B
+CLASS="command"
+>print-</B
+> options may
+be used in any combination, and will always be printed in the following
+order: time, category, severity. Here is an example where all three <B
+CLASS="command"
+>print-</B
+> options
+are on:</P
+><P
+><SAMP
+CLASS="computeroutput"
+>28-Feb-2000 15:05:32.863 general: notice: running</SAMP
+></P
+><P
+>There are four predefined channels that are used for
+<B
+CLASS="command"
+>named</B
+>'s default logging as follows. How they are
+used is described in <A
+HREF="Bv9ARM.ch06.html#the_category_phrase"
+>Section 6.2.10.2</A
+>.
+</P
+><PRE
+CLASS="programlisting"
+>channel default_syslog {
+ syslog daemon; // send to syslog's daemon
+ // facility
+ severity info; // only send priority info
+ // and higher
+};
+
+channel default_debug {
+ file "named.run"; // write to named.run in
+ // the working directory
+ // Note: stderr is used instead
+ // of "named.run"
+ // if the server is started
+ // with the '-f' option.
+ severity dynamic; // log at the server's
+ // current debug level
+};
+
+channel default_stderr {
+ stderr; // writes to stderr
+ severity info; // only send priority info
+ // and higher
+};
+
+channel null {
+ null; // toss anything sent to
+ // this channel
+};
+</PRE
+><P
+>The <B
+CLASS="command"
+>default_debug</B
+> channel has the special
+property that it only produces output when the server's debug level is
+nonzero. It normally writes to a file <TT
+CLASS="filename"
+>named.run</TT
+>
+in the server's working directory.</P
+><P
+>For security reasons, when the "<VAR
+CLASS="option"
+>-u</VAR
+>"
+command line option is used, the <TT
+CLASS="filename"
+>named.run</TT
+> file
+is created only after <B
+CLASS="command"
+>named</B
+> has changed to the
+new UID, and any debug output generated while <B
+CLASS="command"
+>named</B
+> is
+starting up and still running as root is discarded. If you need
+to capture this output, you must run the server with the "<VAR
+CLASS="option"
+>-g</VAR
+>"
+option and redirect standard error to a file.</P
+><P
+>Once a channel is defined, it cannot be redefined. Thus you
+cannot alter the built-in channels directly, but you can modify
+the default logging by pointing categories at channels you have defined.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="the_category_phrase"
+>6.2.10.2. The <B
+CLASS="command"
+>category</B
+> Phrase</A
+></H3
+><P
+>There are many categories, so you can send the logs you want
+to see wherever you want, without seeing logs you don't want. If
+you don't specify a list of channels for a category, then log messages
+in that category will be sent to the <B
+CLASS="command"
+>default</B
+> category
+instead. If you don't specify a default category, the following
+"default default" is used:</P
+><PRE
+CLASS="programlisting"
+>category default { default_syslog; default_debug; };
+</PRE
+><P
+>As an example, let's say you want to log security events to
+a file, but you also want keep the default logging behavior. You'd
+specify the following:</P
+><PRE
+CLASS="programlisting"
+>channel my_security_channel {
+ file "my_security_file";
+ severity info;
+};
+category security {
+ my_security_channel;
+ default_syslog;
+ default_debug;
+};</PRE
+><P
+>To discard all messages in a category, specify the <B
+CLASS="command"
+>null</B
+> channel:</P
+><PRE
+CLASS="programlisting"
+>category xfer-out { null; };
+category notify { null; };
+</PRE
+><P
+>Following are the available categories and brief descriptions
+of the types of log information they contain. More
+categories may be added in future <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> releases.</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN1743"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>default</B
+></P
+></TD
+><TD
+><P
+>The default category defines the logging
+options for those categories where no specific configuration has been
+defined.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>general</B
+></P
+></TD
+><TD
+><P
+>The catch-all. Many things still aren't
+classified into categories, and they all end up here.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>database</B
+></P
+></TD
+><TD
+><P
+>Messages relating to the databases used
+internally by the name server to store zone and cache data.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>security</B
+></P
+></TD
+><TD
+><P
+>Approval and denial of requests.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>config</B
+></P
+></TD
+><TD
+><P
+>Configuration file parsing and processing.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>resolver</B
+></P
+></TD
+><TD
+><P
+>DNS resolution, such as the recursive
+lookups performed on behalf of clients by a caching name server.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>xfer-in</B
+></P
+></TD
+><TD
+><P
+>Zone transfers the server is receiving.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>xfer-out</B
+></P
+></TD
+><TD
+><P
+>Zone transfers the server is sending.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>notify</B
+></P
+></TD
+><TD
+><P
+>The NOTIFY protocol.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>client</B
+></P
+></TD
+><TD
+><P
+>Processing of client requests.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>unmatched</B
+></P
+></TD
+><TD
+><P
+>Messages that named was unable to determine the
+class of or for which there was no matching <B
+CLASS="command"
+>view</B
+>.
+A one line summary is also logged to the <B
+CLASS="command"
+>client</B
+> category.
+This category is best sent to a file or stderr, by default it is sent to
+the <B
+CLASS="command"
+>null</B
+> channel.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>network</B
+></P
+></TD
+><TD
+><P
+>Network operations.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>update</B
+></P
+></TD
+><TD
+><P
+>Dynamic updates.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>update-security</B
+></P
+></TD
+><TD
+><P
+>Approval and denial of update requests.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>queries</B
+></P
+></TD
+><TD
+><P
+>Specify where queries should be logged to.</P
+>
+<P
+>&#13;At startup, specifing the category <B
+CLASS="command"
+>queries</B
+> will also
+enable query logging unless <B
+CLASS="command"
+>querylog</B
+> option has been
+specified.
+</P
+>
+<P
+>&#13;The query log entry reports the client's IP address and port number. The
+query name, class and type. It also reports whether the Recursion Desired
+flag was set (+ if set, - if not set), EDNS was in use (E) or if the
+query was signed (S).</P
+>
+<PRE
+CLASS="programlisting"
+><SAMP
+CLASS="computeroutput"
+>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</SAMP
+>
+<SAMP
+CLASS="computeroutput"
+>client ::1#62537: query: www.example.net IN AAAA -SE</SAMP
+>
+</PRE
+>
+</TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>dispatch</B
+></P
+></TD
+><TD
+><P
+>Dispatching of incoming packets to the
+server modules where they are to be processed.
+</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>dnssec</B
+></P
+></TD
+><TD
+><P
+>DNSSEC and TSIG protocol processing.
+</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>lame-servers</B
+></P
+></TD
+><TD
+><P
+>Lame servers. These are misconfigurations
+in remote servers, discovered by BIND 9 when trying to query
+those servers during resolution.
+</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>delegation-only</B
+></P
+></TD
+><TD
+><P
+>Delegation only. Logs queries that have have
+been forced to NXDOMAIN as the result of a delegation-only zone or
+a <B
+CLASS="command"
+>delegation-only</B
+> in a hint or stub zone declaration.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1873"
+>6.2.11. <B
+CLASS="command"
+>lwres</B
+> Statement Grammar</A
+></H2
+><P
+> This is the grammar of the <B
+CLASS="command"
+>lwres</B
+>
+statement in the <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+><B
+CLASS="command"
+>lwres</B
+> {
+ [<SPAN
+CLASS="optional"
+> listen-on { <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> view <VAR
+CLASS="replaceable"
+>view_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> search { <VAR
+CLASS="replaceable"
+>domain_name</VAR
+> ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>domain_name</VAR
+> ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> ndots <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1897"
+>6.2.12. <B
+CLASS="command"
+>lwres</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>lwres</B
+> statement configures the name
+server to also act as a lightweight resolver server, see
+<A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Section 5.2</A
+>. There may be be multiple
+<B
+CLASS="command"
+>lwres</B
+> statements configuring
+lightweight resolver servers with different properties.</P
+><P
+>The <B
+CLASS="command"
+>listen-on</B
+> statement specifies a list of
+addresses (and ports) that this instance of a lightweight resolver daemon
+should accept requests on. If no port is specified, port 921 is used.
+If this statement is omitted, requests will be accepted on 127.0.0.1,
+port 921.</P
+><P
+>The <B
+CLASS="command"
+>view</B
+> statement binds this instance of a
+lightweight resolver daemon to a view in the DNS namespace, so that the
+response will be constructed in the same manner as a normal DNS query
+matching this view. If this statement is omitted, the default view is
+used, and if there is no default view, an error is triggered.</P
+><P
+>The <B
+CLASS="command"
+>search</B
+> statement is equivalent to the
+<B
+CLASS="command"
+>search</B
+> statement in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>. It provides a list of domains
+which are appended to relative names in queries.</P
+><P
+>The <B
+CLASS="command"
+>ndots</B
+> statement is equivalent to the
+<B
+CLASS="command"
+>ndots</B
+> statement in
+<TT
+CLASS="filename"
+>/etc/resolv.conf</TT
+>. It indicates the minimum
+number of dots in a relative domain name that should result in an
+exact match lookup before search path elements are appended.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1916"
+>6.2.13. <B
+CLASS="command"
+>masters</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>&#13;<B
+CLASS="command"
+>masters</B
+> <VAR
+CLASS="replaceable"
+>name</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] { ( <VAR
+CLASS="replaceable"
+>masters_list</VAR
+> | <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>key <VAR
+CLASS="replaceable"
+>key</VAR
+></SPAN
+>] ) ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ;
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1931"
+>6.2.14. <B
+CLASS="command"
+>masters</B
+> Statement Definition and Usage</A
+></H2
+><P
+><B
+CLASS="command"
+>masters</B
+> lists allow for a common set of masters
+to be easily used by multiple stub and slave zones.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN1936"
+>6.2.15. <B
+CLASS="command"
+>options</B
+> Statement Grammar</A
+></H2
+><P
+>This is the grammar of the <B
+CLASS="command"
+>options</B
+>
+statement in the <TT
+CLASS="filename"
+>named.conf</TT
+> file:</P
+><PRE
+CLASS="programlisting"
+>options {
+ [<SPAN
+CLASS="optional"
+> version <VAR
+CLASS="replaceable"
+>version_string</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> hostname <VAR
+CLASS="replaceable"
+>hostname_string</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> server-id <VAR
+CLASS="replaceable"
+>server_id_string</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> directory <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> key-directory <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> named-xfer <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> tkey-domain <VAR
+CLASS="replaceable"
+>domainname</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> tkey-dhkey <VAR
+CLASS="replaceable"
+>key_name</VAR
+> <VAR
+CLASS="replaceable"
+>key_tag</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dump-file <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> memstatistics-file <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> pid-file <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> statistics-file <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> zone-statistics <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> auth-nxdomain <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> deallocate-on-exit <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dialup <VAR
+CLASS="replaceable"
+>dialup_option</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> fake-iquery <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> fetch-glue <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> flush-zones-on-shutdown <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> has-old-clients <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> host-statistics <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> minimal-responses <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> multiple-cnames <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> | <VAR
+CLASS="replaceable"
+>explicit</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> recursion <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> rfc2308-type1 <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> use-id-pool <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> maintain-ixfr-base <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dnssec-enable <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dnssec-lookaside <VAR
+CLASS="replaceable"
+>domain</VAR
+> trust-anchor <VAR
+CLASS="replaceable"
+>domain</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dnssec-must-be-secure <VAR
+CLASS="replaceable"
+>domain yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> forward ( <VAR
+CLASS="replaceable"
+>only</VAR
+> | <VAR
+CLASS="replaceable"
+>first</VAR
+> ); </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> forwarders { <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dual-stack-servers [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] { ( <VAR
+CLASS="replaceable"
+>domain_name</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] | <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ) ; ... }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> check-names ( <VAR
+CLASS="replaceable"
+>master</VAR
+> | <VAR
+CLASS="replaceable"
+>slave</VAR
+> | <VAR
+CLASS="replaceable"
+> response</VAR
+> )( <VAR
+CLASS="replaceable"
+>warn</VAR
+> | <VAR
+CLASS="replaceable"
+>fail</VAR
+> | <VAR
+CLASS="replaceable"
+>ignore</VAR
+> ); </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-notify { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-query { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-transfer { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-recursion { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-update-forwarding { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-v6-synthesis { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> blackhole { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> avoid-v4-udp-ports { <VAR
+CLASS="replaceable"
+>port_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> avoid-v6-udp-ports { <VAR
+CLASS="replaceable"
+>port_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> listen-on [<SPAN
+CLASS="optional"
+> port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+> </SPAN
+>] { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> listen-on-v6 [<SPAN
+CLASS="optional"
+> port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+> </SPAN
+>] { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> query-source [<SPAN
+CLASS="optional"
+> address ( <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> | <VAR
+CLASS="replaceable"
+>*</VAR
+> ) </SPAN
+>] [<SPAN
+CLASS="optional"
+> port ( <VAR
+CLASS="replaceable"
+>ip_port</VAR
+> | <VAR
+CLASS="replaceable"
+>*</VAR
+> ) </SPAN
+>]; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> query-source-v6 [<SPAN
+CLASS="optional"
+> address ( <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> | <VAR
+CLASS="replaceable"
+>*</VAR
+> ) </SPAN
+>] [<SPAN
+CLASS="optional"
+> port ( <VAR
+CLASS="replaceable"
+>ip_port</VAR
+> | <VAR
+CLASS="replaceable"
+>*</VAR
+> ) </SPAN
+>]; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-time-in <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-time-out <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-idle-in <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-idle-out <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> tcp-clients <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> recursive-clients <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> serial-query-rate <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> serial-queries <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> tcp-listen-queue <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-format <VAR
+CLASS="replaceable"
+>( one-answer | many-answers )</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfers-in <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfers-out <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfers-per-ns <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> alt-transfer-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> alt-transfer-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> use-alt-transfer-source <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> also-notify { <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-ixfr-log-size <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-journal-size <VAR
+CLASS="replaceable"
+>size_spec</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> coresize <VAR
+CLASS="replaceable"
+>size_spec</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> datasize <VAR
+CLASS="replaceable"
+>size_spec</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> files <VAR
+CLASS="replaceable"
+>size_spec</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> stacksize <VAR
+CLASS="replaceable"
+>size_spec</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> cleaning-interval <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> heartbeat-interval <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> interface-interval <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> statistics-interval <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> topology { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }</SPAN
+>];
+ [<SPAN
+CLASS="optional"
+> sortlist { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> }</SPAN
+>];
+ [<SPAN
+CLASS="optional"
+> rrset-order { <VAR
+CLASS="replaceable"
+>order_spec</VAR
+> ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>order_spec</VAR
+> ; ... </SPAN
+>] </SPAN
+>] };
+ [<SPAN
+CLASS="optional"
+> lame-ttl <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-ncache-ttl <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-cache-ttl <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> sig-validity-interval <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> min-roots <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> use-ixfr <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> provide-ixfr <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> request-ixfr <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> treat-cr-as-space <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> min-refresh-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-refresh-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> min-retry-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-retry-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> additional-from-auth <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> additional-from-cache <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> random-device <VAR
+CLASS="replaceable"
+>path_name</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-cache-size <VAR
+CLASS="replaceable"
+>size_spec</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> match-mapped-addresses <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> preferred-glue ( <VAR
+CLASS="replaceable"
+>A</VAR
+> | <VAR
+CLASS="replaceable"
+>AAAA</VAR
+> | <VAR
+CLASS="replaceable"
+>NONE</VAR
+> ); </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> edns-udp-size <VAR
+CLASS="replaceable"
+>number</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> root-delegation-only [<SPAN
+CLASS="optional"
+> exclude { <VAR
+CLASS="replaceable"
+>namelist</VAR
+> } </SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> querylog <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+};
+ [<SPAN
+CLASS="optional"
+> disable-algorithms <VAR
+CLASS="replaceable"
+>domain</VAR
+> { <VAR
+CLASS="replaceable"
+>algorithm</VAR
+>; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>algorithm</VAR
+>; </SPAN
+>] }; </SPAN
+>]
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="options"
+>6.2.16. <B
+CLASS="command"
+>options</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>options</B
+> statement sets up global options
+to be used by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>. This statement may appear only
+once in a configuration file. If there is no <B
+CLASS="command"
+>options</B
+>
+statement, an options block with each option set to its default will
+be used.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>directory</B
+></DT
+><DD
+><P
+>The working directory of the server.
+Any non-absolute pathnames in the configuration file will be taken
+as relative to this directory. The default location for most server
+output files (e.g. <TT
+CLASS="filename"
+>named.run</TT
+>) is this directory.
+If a directory is not specified, the working directory defaults
+to `<TT
+CLASS="filename"
+>.</TT
+>', the directory from which the server
+was started. The directory specified should be an absolute path.</P
+></DD
+><DT
+><B
+CLASS="command"
+>key-directory</B
+></DT
+><DD
+><P
+>When performing dynamic update of secure zones, the
+directory where the public and private key files should be found,
+if different than the current working directory. The directory specified
+must be an absolute path.</P
+></DD
+><DT
+><B
+CLASS="command"
+>named-xfer</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete.</I
+></SPAN
+>
+It was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to
+specify the pathname to the <B
+CLASS="command"
+>named-xfer</B
+> program.
+In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, no separate <B
+CLASS="command"
+>named-xfer</B
+> program is
+needed; its functionality is built into the name server.</P
+></DD
+><DT
+><B
+CLASS="command"
+>tkey-domain</B
+></DT
+><DD
+><P
+>The domain appended to the names of all
+shared keys generated with <B
+CLASS="command"
+>TKEY</B
+>. When a client
+requests a <B
+CLASS="command"
+>TKEY</B
+> exchange, it may or may not specify
+the desired name for the key. If present, the name of the shared
+key will be "<VAR
+CLASS="varname"
+>client specified part</VAR
+>" +
+"<VAR
+CLASS="varname"
+>tkey-domain</VAR
+>".
+Otherwise, the name of the shared key will be "<VAR
+CLASS="varname"
+>random hex
+digits</VAR
+>" + "<VAR
+CLASS="varname"
+>tkey-domain</VAR
+>". In most cases,
+the <B
+CLASS="command"
+>domainname</B
+> should be the server's domain
+name.</P
+></DD
+><DT
+><B
+CLASS="command"
+>tkey-dhkey</B
+></DT
+><DD
+><P
+>The Diffie-Hellman key used by the server
+to generate shared keys with clients using the Diffie-Hellman mode
+of <B
+CLASS="command"
+>TKEY</B
+>. The server must be able to load the
+public and private keys from files in the working directory. In
+most cases, the keyname should be the server's host name.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dump-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server dumps
+the database to when instructed to do so with
+<B
+CLASS="command"
+>rndc dumpdb</B
+>.
+If not specified, the default is <TT
+CLASS="filename"
+>named_dump.db</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>memstatistics-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server writes memory
+usage statistics to on exit. If not specified,
+the default is <TT
+CLASS="filename"
+>named.memstats</TT
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>pid-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server writes its process ID
+in. If not specified, the default is <TT
+CLASS="filename"
+>/var/run/named.pid</TT
+>.
+The pid-file is used by programs that want to send signals to the running
+name server. Specifying <B
+CLASS="command"
+>pid-file none</B
+> disables the
+use of a PID file &#8212; no file will be written and any
+existing one will be removed. Note that <B
+CLASS="command"
+>none</B
+>
+is a keyword, not a file name, and therefore is not enclosed in
+double quotes.</P
+></DD
+><DT
+><B
+CLASS="command"
+>statistics-file</B
+></DT
+><DD
+><P
+>The pathname of the file the server appends statistics
+to when instructed to do so using <B
+CLASS="command"
+>rndc stats</B
+>.
+If not specified, the default is <TT
+CLASS="filename"
+>named.stats</TT
+> in the
+server's current directory. The format of the file is described
+in <A
+HREF="Bv9ARM.ch06.html#statsfile"
+>Section 6.2.16.17</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>port</B
+></DT
+><DD
+><P
+>&#13;The UDP/TCP port number the server uses for
+receiving and sending DNS protocol traffic.
+The default is 53. This option is mainly intended for server testing;
+a server using a port other than 53 will not be able to communicate with
+the global DNS.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>random-device</B
+></DT
+><DD
+><P
+>&#13;The source of entropy to be used by the server. Entropy is primarily needed
+for DNSSEC operations, such as TKEY transactions and dynamic update of signed
+zones. This options specifies the device (or file) from which to read
+entropy. If this is a file, operations requiring entropy will fail when the
+file has been exhausted. If not specified, the default value is
+<TT
+CLASS="filename"
+>/dev/random</TT
+>
+(or equivalent) when present, and none otherwise. The
+<B
+CLASS="command"
+>random-device</B
+> option takes effect during
+the initial configuration load at server startup time and
+is ignored on subsequent reloads.</P
+></DD
+><DT
+><B
+CLASS="command"
+>preferred-glue</B
+></DT
+><DD
+><P
+>&#13;If specified the listed type (A or AAAA) will be emitted before other glue
+in the additional section of a query response.
+The default is not to preference any type (NONE).
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>root-delegation-only</B
+></DT
+><DD
+><P
+>&#13;Turn on enforcement of delegation-only in TLDs and root zones with an optional
+exclude list.
+</P
+><P
+>&#13;Note some TLDs are NOT delegation only (e.g. "DE", "LV", "US" and "MUSEUM").
+</P
+><PRE
+CLASS="programlisting"
+>&#13;options {
+ root-delegation-only exclude { "de"; "lv"; "us"; "museum"; };
+};
+</PRE
+></DD
+><DT
+><B
+CLASS="command"
+>disable-algorithms</B
+></DT
+><DD
+><P
+>&#13;Disable the specified DNSSEC algorithms at and below the specified name.
+Multiple <B
+CLASS="command"
+>disable-algorithms</B
+> statements are allowed.
+Only the most specific will be applied.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>dnssec-lookaside</B
+></DT
+><DD
+><P
+>&#13;When set <B
+CLASS="command"
+>dnssec-lookaside</B
+> provides the
+validator with an alternate method to validate DNSKEY records at the
+top of a zone. When a DNSKEY is at or below a domain specified by the
+deepest <B
+CLASS="command"
+>dnssec-lookaside</B
+>, and the normal dnssec validation
+has left the key untrusted, the trust-anchor will be append to the key
+name and a DLV record will be looked up to see if it can validate the
+key. If the DLV record validates a DNSKEY (similarly to the way a DS
+record does) the DNSKEY RRset is deemed to be trusted.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>dnssec-must-be-secure</B
+></DT
+><DD
+><P
+>&#13;Specify heirachies which must / may not be secure (signed and validated).
+If <KBD
+CLASS="userinput"
+>yes</KBD
+> then named will only accept answers if they
+are secure.
+If <KBD
+CLASS="userinput"
+>no</KBD
+> then normal dnssec validation applies
+allowing for insecure answers to be accepted.
+The specified domain must be under a <B
+CLASS="command"
+>trusted-key</B
+> or
+<B
+CLASS="command"
+>dnssec-lookaside</B
+> must be active.
+</P
+></DD
+></DL
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="boolean_options"
+>6.2.16.1. Boolean Options</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>auth-nxdomain</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, then the <B
+CLASS="command"
+>AA</B
+> bit
+is always set on NXDOMAIN responses, even if the server is not actually
+authoritative. The default is <KBD
+CLASS="userinput"
+>no</KBD
+>; this is
+a change from <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8. If you are using very old DNS software, you
+may need to set it to <KBD
+CLASS="userinput"
+>yes</KBD
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>deallocate-on-exit</B
+></DT
+><DD
+><P
+>This option was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to enable checking
+for memory leaks on exit. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 ignores the option and always performs
+the checks.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dialup</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, then the
+server treats all zones as if they are doing zone transfers across
+a dial on demand dialup link, which can be brought up by traffic
+originating from this server. This has different effects according
+to zone type and concentrates the zone maintenance so that it all
+happens in a short interval, once every <B
+CLASS="command"
+>heartbeat-interval</B
+> and
+hopefully during the one call. It also suppresses some of the normal
+zone maintenance traffic. The default is <KBD
+CLASS="userinput"
+>no</KBD
+>.</P
+><P
+>The <B
+CLASS="command"
+>dialup</B
+> option
+may also be specified in the <B
+CLASS="command"
+>view</B
+> and
+<B
+CLASS="command"
+>zone</B
+> statements,
+in which case it overrides the global <B
+CLASS="command"
+>dialup</B
+>
+option.</P
+><P
+>If the zone is a master zone then the server will send out a NOTIFY
+request to all the slaves (default). This should trigger the zone serial
+number check in the slave (providing it supports NOTIFY) allowing the slave
+to verify the zone while the connection is active.
+The set of servers to which NOTIFY is sent can be controlled by
+<B
+CLASS="command"
+>notify</B
+> and <B
+CLASS="command"
+>also-notify</B
+>.</P
+><P
+>If the
+zone is a slave or stub zone, then the server will suppress the regular
+"zone up to date" (refresh) queries and only perform them when the
+<B
+CLASS="command"
+>heartbeat-interval</B
+> expires in addition to sending
+NOTIFY requests.</P
+><P
+>Finer control can be achieved by using
+<KBD
+CLASS="userinput"
+>notify</KBD
+> which only sends NOTIFY messages,
+<KBD
+CLASS="userinput"
+>notify-passive</KBD
+> which sends NOTIFY messages and
+suppresses the normal refresh queries, <KBD
+CLASS="userinput"
+>refresh</KBD
+>
+which suppresses normal refresh processing and sends refresh queries
+when the <B
+CLASS="command"
+>heartbeat-interval</B
+> expires, and
+<KBD
+CLASS="userinput"
+>passive</KBD
+> which just disables normal refresh
+processing.</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN2390"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>dialup mode</P
+></TD
+><TD
+><P
+>normal refresh</P
+></TD
+><TD
+><P
+>heart-beat refresh</P
+></TD
+><TD
+><P
+>heart-beat notify</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>no</B
+> (default)</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>yes</B
+></P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>notify</B
+></P
+></TD
+><TD
+><P
+>yes</P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>refresh</B
+></P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+><TD
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>passive</B
+></P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>no</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>notify-passive</B
+></P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>no</P
+></TD
+><TD
+><P
+>yes</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>Note that normal NOTIFY processing is not affected by
+<B
+CLASS="command"
+>dialup</B
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>fake-iquery</B
+></DT
+><DD
+><P
+>In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8, this option
+enabled simulating the obsolete DNS query type
+IQUERY. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 never does IQUERY simulation.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>fetch-glue</B
+></DT
+><DD
+><P
+>This option is obsolete.
+In BIND 8, <KBD
+CLASS="userinput"
+>fetch-glue yes</KBD
+>
+caused the server to attempt to fetch glue resource records it
+didn't have when constructing the additional
+data section of a response. This is now considered a bad idea
+and BIND 9 never does it.</P
+></DD
+><DT
+><B
+CLASS="command"
+>flush-zones-on-shutdown</B
+></DT
+><DD
+><P
+>When the nameserver exits due receiving SIGTERM,
+flush / do not flush any pending zone writes. The default is
+<B
+CLASS="command"
+>flush-zones-on-shutdown</B
+> <KBD
+CLASS="userinput"
+>no</KBD
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>has-old-clients</B
+></DT
+><DD
+><P
+>This option was incorrectly implemented
+in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8, and is ignored by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.
+To achieve the intended effect
+of
+<B
+CLASS="command"
+>has-old-clients</B
+> <KBD
+CLASS="userinput"
+>yes</KBD
+>, specify
+the two separate options <B
+CLASS="command"
+>auth-nxdomain</B
+> <KBD
+CLASS="userinput"
+>yes</KBD
+>
+and <B
+CLASS="command"
+>rfc2308-type1</B
+> <KBD
+CLASS="userinput"
+>no</KBD
+> instead.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>host-statistics</B
+></DT
+><DD
+><P
+>In BIND 8, this enables keeping of
+statistics for every host that the name server interacts with.
+Not implemented in BIND 9.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>maintain-ixfr-base</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+ It was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to determine whether a transaction log was
+kept for Incremental Zone Transfer. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 maintains a transaction
+log whenever possible. If you need to disable outgoing incremental zone
+transfers, use <B
+CLASS="command"
+>provide-ixfr</B
+> <KBD
+CLASS="userinput"
+>no</KBD
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>minimal-responses</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, then when generating
+responses the server will only add records to the authority and
+additional data sections when they are required (e.g. delegations,
+negative responses). This may improve the performance of the server.
+The default is <KBD
+CLASS="userinput"
+>no</KBD
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>multiple-cnames</B
+></DT
+><DD
+><P
+>This option was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to allow
+a domain name to have multiple CNAME records in violation of the
+DNS standards. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.2 always strictly
+enforces the CNAME rules both in master files and dynamic updates.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+> (the default),
+DNS NOTIFY messages are sent when a zone the server is authoritative for
+changes, see <A
+HREF="Bv9ARM.ch04.html#notify"
+>Section 4.1</A
+>. The messages are sent to the
+servers listed in the zone's NS records (except the master server identified
+in the SOA MNAME field), and to any servers listed in the
+<B
+CLASS="command"
+>also-notify</B
+> option.
+</P
+><P
+>&#13;If <KBD
+CLASS="userinput"
+>explicit</KBD
+>, notifies are sent only to
+servers explicitly listed using <B
+CLASS="command"
+>also-notify</B
+>.
+If <KBD
+CLASS="userinput"
+>no</KBD
+>, no notifies are sent.
+</P
+><P
+>&#13;The <B
+CLASS="command"
+>notify</B
+> option may also be
+specified in the <B
+CLASS="command"
+>zone</B
+> statement,
+in which case it overrides the <B
+CLASS="command"
+>options notify</B
+> statement.
+It would only be necessary to turn off this option if it caused slaves
+to crash.</P
+></DD
+><DT
+><B
+CLASS="command"
+>recursion</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, and a
+DNS query requests recursion, then the server will attempt to do
+all the work required to answer the query. If recursion is off
+and the server does not already know the answer, it will return a
+referral response. The default is <KBD
+CLASS="userinput"
+>yes</KBD
+>.
+Note that setting <B
+CLASS="command"
+>recursion no</B
+> does not prevent
+clients from getting data from the server's cache; it only
+prevents new data from being cached as an effect of client queries.
+Caching may still occur as an effect the server's internal
+operation, such as NOTIFY address lookups.
+See also <B
+CLASS="command"
+>fetch-glue</B
+> above.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>rfc2308-type1</B
+></DT
+><DD
+><P
+>Setting this to <KBD
+CLASS="userinput"
+>yes</KBD
+> will
+cause the server to send NS records along with the SOA record for negative
+answers. The default is <KBD
+CLASS="userinput"
+>no</KBD
+>.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not yet implemented in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+><B
+CLASS="command"
+>use-id-pool</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 always allocates query IDs from a pool.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>zone-statistics</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, the server will collect
+statistical data on all zones (unless specifically turned off
+on a per-zone basis by specifying <B
+CLASS="command"
+>zone-statistics no</B
+>
+in the <B
+CLASS="command"
+>zone</B
+> statement). These statistics may be accessed
+using <B
+CLASS="command"
+>rndc stats</B
+>, which will dump them to the file listed
+in the <B
+CLASS="command"
+>statistics-file</B
+>. See also <A
+HREF="Bv9ARM.ch06.html#statsfile"
+>Section 6.2.16.17</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-ixfr</B
+></DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>This option is obsolete</I
+></SPAN
+>.
+If you need to disable IXFR to a particular server or servers see
+the information on the <B
+CLASS="command"
+>provide-ixfr</B
+> option
+in <A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>. See also
+<A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Section 4.3</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>provide-ixfr</B
+></DT
+><DD
+><P
+>&#13;See the description of
+<B
+CLASS="command"
+>provide-ixfr</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>request-ixfr</B
+></DT
+><DD
+><P
+>&#13;See the description of
+<B
+CLASS="command"
+>request-ixfr</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+>Section 6.2.18</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>treat-cr-as-space</B
+></DT
+><DD
+><P
+>This option was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to make
+the server treat carriage return ("<B
+CLASS="command"
+>\r</B
+>") characters the same way
+as a space or tab character,
+to facilitate loading of zone files on a UNIX system that were generated
+on an NT or DOS machine. In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, both UNIX "<B
+CLASS="command"
+>\n</B
+>"
+and NT/DOS "<B
+CLASS="command"
+>\r\n</B
+>" newlines are always accepted,
+and the option is ignored.</P
+></DD
+><DT
+><B
+CLASS="command"
+>additional-from-auth</B
+>, <B
+CLASS="command"
+>additional-from-cache</B
+></DT
+><DD
+><P
+>&#13;These options control the behavior of an authoritative server when
+answering queries which have additional data, or when following CNAME
+and DNAME chains.
+</P
+><P
+>&#13;When both of these options are set to <KBD
+CLASS="userinput"
+>yes</KBD
+>
+(the default) and a
+query is being answered from authoritative data (a zone
+configured into the server), the additional data section of the
+reply will be filled in using data from other authoritative zones
+and from the cache. In some situations this is undesirable, such
+as when there is concern over the correctness of the cache, or
+in servers where slave zones may be added and modified by
+untrusted third parties. Also, avoiding
+the search for this additional data will speed up server operations
+at the possible expense of additional queries to resolve what would
+otherwise be provided in the additional section.
+</P
+><P
+>&#13;For example, if a query asks for an MX record for host <VAR
+CLASS="literal"
+>foo.example.com</VAR
+>,
+and the record found is "<VAR
+CLASS="literal"
+>MX 10 mail.example.net</VAR
+>", normally the address
+records (A and AAAA) for <VAR
+CLASS="literal"
+>mail.example.net</VAR
+> will be provided as well,
+if known, even though they are not in the example.com zone.
+Setting these options to <B
+CLASS="command"
+>no</B
+> disables this behavior and makes
+the server only search for additional data in the zone it answers from.
+</P
+><P
+>&#13;These options are intended for use in authoritative-only
+servers, or in authoritative-only views. Attempts to set
+them to <B
+CLASS="command"
+>no</B
+> without also specifying
+<B
+CLASS="command"
+>recursion no</B
+> will cause the server to
+ignore the options and log a warning message.
+</P
+><P
+>&#13;Specifying <B
+CLASS="command"
+>additional-from-cache no</B
+> actually
+disables the use of the cache not only for additional data lookups
+but also when looking up the answer. This is usually the desired
+behavior in an authoritative-only server where the correctness of
+the cached data is an issue.
+</P
+><P
+>&#13;When a name server is non-recursively queried for a name that is not
+below the apex of any served zone, it normally answers with an
+"upwards referral" to the root servers or the servers of some other
+known parent of the query name. Since the data in an upwards referral
+comes from the cache, the server will not be able to provide upwards
+referrals when <B
+CLASS="command"
+>additional-from-cache no</B
+>
+has been specified. Instead, it will respond to such queries
+with REFUSED. This should not cause any problems since
+upwards referrals are not required for the resolution process.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>match-mapped-addresses</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, then an
+IPv4-mapped IPv6 address will match any address match
+list entries that match the corresponding IPv4 address.
+Enabling this option is sometimes useful on IPv6-enabled Linux
+systems, to work around a kernel quirk that causes IPv4
+TCP connections such as zone transfers to be accepted
+on an IPv6 socket using mapped addresses, causing
+address match lists designed for IPv4 to fail to match.
+The use of this option for any other purpose is discouraged.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-from-differences</B
+></DT
+><DD
+><P
+>&#13;When 'yes' and the server loads a new version of a master
+zone from its zone file or receives a new version of a slave
+file by a non-incremental zone transfer, it will compare
+the new version to the previous one and calculate a set
+of differences. The differences are then logged in the
+zone's journal file such that the changes can be transmitted
+to downstream slaves as an incremental zone transfer.
+</P
+><P
+>&#13;By allowing incremental zone transfers to be used for
+non-dynamic zones, this option saves bandwidth at the
+expense of increased CPU and memory consumption at the master.
+In particular, if the new version of a zone is completely
+different from the previous one, the set of differences
+will be of a size comparable to the combined size of the
+old and new zone version, and the server will need to
+temporarily allocate memory to hold this complete
+difference set.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>multi-master</B
+></DT
+><DD
+><P
+>&#13;This should be set when you have multiple masters for a zone and the
+addresses refer to different machines. If 'yes' named will not log
+when the serial number on the master is less than what named currently
+has. The default is <KBD
+CLASS="userinput"
+>no</KBD
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>dnssec-enable</B
+></DT
+><DD
+><P
+>&#13;Enable DNSSEC support in named. Unless set to <KBD
+CLASS="userinput"
+>yes</KBD
+>
+named behaves as if it does not support DNSSEC.
+The default is <KBD
+CLASS="userinput"
+>no</KBD
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>querylog</B
+></DT
+><DD
+><P
+>&#13;Specify whether query logging should be started when named start.
+If <B
+CLASS="command"
+>querylog</B
+> is not specified then the query logging
+is determined by the presence of the logging category <B
+CLASS="command"
+>queries</B
+>.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2669"
+>6.2.16.2. Forwarding</A
+></H3
+><P
+>The forwarding facility can be used to create a large site-wide
+cache on a few servers, reducing traffic over links to external
+name servers. It can also be used to allow queries by servers that
+do not have direct access to the Internet, but wish to look up exterior
+names anyway. Forwarding occurs only on those queries for which
+the server is not authoritative and does not have the answer in
+its cache.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>forward</B
+></DT
+><DD
+><P
+>This option is only meaningful if the
+forwarders list is not empty. A value of <VAR
+CLASS="varname"
+>first</VAR
+>,
+the default, causes the server to query the forwarders first, and
+if that doesn't answer the question the server will then look for
+the answer itself. If <VAR
+CLASS="varname"
+>only</VAR
+> is specified, the
+server will only query the forwarders.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>forwarders</B
+></DT
+><DD
+><P
+>Specifies the IP addresses to be used
+for forwarding. The default is the empty list (no forwarding).
+</P
+></DD
+></DL
+></DIV
+><P
+>Forwarding can also be configured on a per-domain basis, allowing
+for the global forwarding options to be overridden in a variety
+of ways. You can set particular domains to use different forwarders,
+or have a different <B
+CLASS="command"
+>forward only/first</B
+> behavior,
+or not forward at all, see <A
+HREF="Bv9ARM.ch06.html#zone_statement_grammar"
+>Section 6.2.23</A
+>.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2688"
+>6.2.16.3. Dual-stack Servers</A
+></H3
+><P
+>Dual-stack servers are used as servers of last resort to work around
+problems in reachability due the lack of support for either IPv4 or IPv6
+on the host machine.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>dual-stack-servers</B
+></DT
+><DD
+><P
+>Specifies host names / addresses of machines with access to
+both IPv4 and IPv6 transports. If a hostname is used the server must be able
+to resolve the name using only the transport it has. If the machine is dual
+stacked then the <B
+CLASS="command"
+>dual-stack-servers</B
+> have no effect unless
+access to a transport has been disabled on the command line
+(e.g. <B
+CLASS="command"
+>named -4</B
+>).</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="access_control"
+>6.2.16.4. Access Control</A
+></H3
+><P
+>Access to the server can be restricted based on the IP address
+of the requesting system. See <A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Section 6.1.1</A
+> for
+details on how to specify IP address lists.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>allow-notify</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+notify this server, a slave, of zone changes in addition
+to the zone masters.
+<B
+CLASS="command"
+>allow-notify</B
+> may also be specified in the
+<B
+CLASS="command"
+>zone</B
+> statement, in which case it overrides the
+<B
+CLASS="command"
+>options allow-notify</B
+> statement. It is only meaningful
+for a slave zone. If not specified, the default is to process notify messages
+only from a zone's master.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-query</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+ask ordinary DNS questions. <B
+CLASS="command"
+>allow-query</B
+> may also
+be specified in the <B
+CLASS="command"
+>zone</B
+> statement, in which
+case it overrides the <B
+CLASS="command"
+>options allow-query</B
+> statement. If
+not specified, the default is to allow queries from all hosts.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-recursion</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+make recursive queries through this server. If not specified, the
+default is to allow recursive queries from all hosts.
+Note that disallowing recursive queries for a host does not prevent the
+host from retrieving data that is already in the server's cache.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update-forwarding</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+submit Dynamic DNS updates to slave zones to be forwarded to the
+master. The default is <KBD
+CLASS="userinput"
+>{ none; }</KBD
+>, which
+means that no update forwarding will be performed. To enable
+update forwarding, specify
+<KBD
+CLASS="userinput"
+>allow-update-forwarding { any; };</KBD
+>.
+Specifying values other than <KBD
+CLASS="userinput"
+>{ none; }</KBD
+> or
+<KBD
+CLASS="userinput"
+>{ any; }</KBD
+> is usually counterproductive, since
+the responsibility for update access control should rest with the
+master server, not the slaves.</P
+><P
+>Note that enabling the update forwarding feature on a slave server
+may expose master servers relying on insecure IP address based
+access control to attacks; see <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Section 7.3</A
+>
+for more details.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-v6-synthesis</B
+></DT
+><DD
+><P
+>This option was introduced for the smooth transition from AAAA
+to A6 and from "nibble labels" to binary labels.
+However, since both A6 and binary labels were then deprecated,
+this option was also deprecated.
+It is now ignored with some warning messages.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-transfer</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+receive zone transfers from the server. <B
+CLASS="command"
+>allow-transfer</B
+> may
+also be specified in the <B
+CLASS="command"
+>zone</B
+> statement, in which
+case it overrides the <B
+CLASS="command"
+>options allow-transfer</B
+> statement.
+If not specified, the default is to allow transfers to all hosts.</P
+></DD
+><DT
+><B
+CLASS="command"
+>blackhole</B
+></DT
+><DD
+><P
+>Specifies a list of addresses that the
+server will not accept queries from or use to resolve a query. Queries
+from these addresses will not be responded to. The default is <KBD
+CLASS="userinput"
+>none</KBD
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2755"
+>6.2.16.5. Interfaces</A
+></H3
+><P
+>The interfaces and ports that the server will answer queries
+from may be specified using the <B
+CLASS="command"
+>listen-on</B
+> option. <B
+CLASS="command"
+>listen-on</B
+> takes
+an optional port, and an <VAR
+CLASS="varname"
+>address_match_list</VAR
+>.
+The server will listen on all interfaces allowed by the address
+match list. If a port is not specified, port 53 will be used.</P
+><P
+>Multiple <B
+CLASS="command"
+>listen-on</B
+> statements are allowed.
+For example,</P
+><PRE
+CLASS="programlisting"
+>listen-on { 5.6.7.8; };
+listen-on port 1234 { !1.2.3.4; 1.2/16; };
+</PRE
+><P
+>will enable the name server on port 53 for the IP address
+5.6.7.8, and on port 1234 of an address on the machine in net
+1.2 that is not 1.2.3.4.</P
+><P
+>If no <B
+CLASS="command"
+>listen-on</B
+> is specified, the
+server will listen on port 53 on all interfaces.</P
+><P
+>The <B
+CLASS="command"
+>listen-on-v6</B
+> option is used to
+specify the interfaces and the ports on which the server will listen
+for incoming queries sent using IPv6.</P
+><P
+>When <PRE
+CLASS="programlisting"
+>{ any; }</PRE
+> is specified
+as the <VAR
+CLASS="varname"
+>address_match_list</VAR
+> for the
+<B
+CLASS="command"
+>listen-on-v6</B
+> option,
+the server does not bind a separate socket to each IPv6 interface
+address as it does for IPv4 if the operating system has enough API
+support for IPv6 (specifically if it conforms to RFC 3493 and RFC 3542).
+Instead, it listens on the IPv6 wildcard address.
+If the system only has incomplete API support for IPv6, however,
+the behavior is the same as that for IPv4.</P
+><P
+>A list of particular IPv6 addresses can also be specified, in which case
+the server listens on a separate socket for each specified address,
+regardless of whether the desired API is supported by the system.</P
+><P
+>Multiple <B
+CLASS="command"
+>listen-on-v6</B
+> options can be used.
+For example,</P
+><PRE
+CLASS="programlisting"
+>listen-on-v6 { any; };
+listen-on-v6 port 1234 { !2001:db8::/32; any; };
+</PRE
+><P
+>will enable the name server on port 53 for any IPv6 addresses
+(with a single wildcard socket),
+and on port 1234 of IPv6 addresses that is not in the prefix
+2001:db8::/32 (with separate sockets for each matched address.)</P
+><P
+>To make the server not listen on any IPv6 address, use</P
+><PRE
+CLASS="programlisting"
+>listen-on-v6 { none; };
+</PRE
+><P
+>If no <B
+CLASS="command"
+>listen-on-v6</B
+> option is specified,
+the server will not listen on any IPv6 address.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2782"
+>6.2.16.6. Query Address</A
+></H3
+><P
+>If the server doesn't know the answer to a question, it will
+query other name servers. <B
+CLASS="command"
+>query-source</B
+> specifies
+the address and port used for such queries. For queries sent over
+IPv6, there is a separate <B
+CLASS="command"
+>query-source-v6</B
+> option.
+If <B
+CLASS="command"
+>address</B
+> is <B
+CLASS="command"
+>*</B
+> or is omitted,
+a wildcard IP address (<B
+CLASS="command"
+>INADDR_ANY</B
+>) will be used.
+If <B
+CLASS="command"
+>port</B
+> is <B
+CLASS="command"
+>*</B
+> or is omitted,
+a random unprivileged port will be used, <B
+CLASS="command"
+>avoid-v4-udp-ports</B
+>
+and <B
+CLASS="command"
+>avoid-v6-udp-ports</B
+> can be used to prevent named
+from selecting certain ports. The defaults are</P
+><PRE
+CLASS="programlisting"
+>query-source address * port *;
+query-source-v6 address * port *;
+</PRE
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The address specified in the <B
+CLASS="command"
+>query-source</B
+> option
+is used for both UDP and TCP queries, but the port applies only to
+UDP queries. TCP queries always use a random
+unprivileged port.</P
+></BLOCKQUOTE
+></DIV
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>See also <B
+CLASS="command"
+>transfer-source</B
+> and
+<B
+CLASS="command"
+>notify-source</B
+>.</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="zone_transfers"
+>6.2.16.7. Zone Transfers</A
+></H3
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> has mechanisms in place to facilitate zone transfers
+and set limits on the amount of load that transfers place on the
+system. The following options apply to zone transfers.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>also-notify</B
+></DT
+><DD
+><P
+>Defines a global list of IP addresses of name servers
+that are also sent NOTIFY messages whenever a fresh copy of the
+zone is loaded, in addition to the servers listed in the zone's NS records.
+This helps to ensure that copies of the zones will
+quickly converge on stealth servers. If an <B
+CLASS="command"
+>also-notify</B
+> list
+is given in a <B
+CLASS="command"
+>zone</B
+> statement, it will override
+the <B
+CLASS="command"
+>options also-notify</B
+> statement. When a <B
+CLASS="command"
+>zone notify</B
+> statement
+is set to <B
+CLASS="command"
+>no</B
+>, the IP addresses in the global <B
+CLASS="command"
+>also-notify</B
+> list will
+not be sent NOTIFY messages for that zone. The default is the empty
+list (no global notification list).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-in</B
+></DT
+><DD
+><P
+>Inbound zone transfers running longer than
+this many minutes will be terminated. The default is 120 minutes
+(2 hours). The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-in</B
+></DT
+><DD
+><P
+>Inbound zone transfers making no progress
+in this many minutes will be terminated. The default is 60 minutes
+(1 hour). The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-out</B
+></DT
+><DD
+><P
+>Outbound zone transfers running longer than
+this many minutes will be terminated. The default is 120 minutes
+(2 hours). The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-out</B
+></DT
+><DD
+><P
+>Outbound zone transfers making no progress
+in this many minutes will be terminated. The default is 60 minutes (1
+hour). The maximum value is 28 days (40320 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>serial-query-rate</B
+></DT
+><DD
+><P
+>Slave servers will periodically query master servers
+to find out if zone serial numbers have changed. Each such query uses
+a minute amount of the slave server's network bandwidth. To limit the
+amount of bandwidth used, BIND 9 limits the rate at which queries are
+sent. The value of the <B
+CLASS="command"
+>serial-query-rate</B
+> option,
+an integer, is the maximum number of queries sent per second.
+The default is 20.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>serial-queries</B
+></DT
+><DD
+><P
+>In BIND 8, the <B
+CLASS="command"
+>serial-queries</B
+> option
+set the maximum number of concurrent serial number queries
+allowed to be outstanding at any given time.
+BIND 9 does not limit the number of outstanding
+serial queries and ignores the <B
+CLASS="command"
+>serial-queries</B
+> option.
+Instead, it limits the rate at which the queries are sent
+as defined using the <B
+CLASS="command"
+>serial-query-rate</B
+> option.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-format</B
+></DT
+><DD
+><P
+>&#13;Zone transfers can be sent using two different formats,
+<B
+CLASS="command"
+>one-answer</B
+> and <B
+CLASS="command"
+>many-answers</B
+>.
+The <B
+CLASS="command"
+>transfer-format</B
+> option is used
+on the master server to determine which format it sends.
+<B
+CLASS="command"
+>one-answer</B
+> uses one DNS message per
+resource record transferred.
+<B
+CLASS="command"
+>many-answers</B
+> packs as many resource records as
+possible into a message. <B
+CLASS="command"
+>many-answers</B
+> is more
+efficient, but is only supported by relatively new slave servers,
+such as <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8.x and patched
+versions of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 4.9.5. The default is
+<B
+CLASS="command"
+>many-answers</B
+>. <B
+CLASS="command"
+>transfer-format</B
+>
+may be overridden on a per-server basis by using the
+<B
+CLASS="command"
+>server</B
+> statement.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-in</B
+></DT
+><DD
+><P
+>The maximum number of inbound zone transfers
+that can be running concurrently. The default value is <VAR
+CLASS="literal"
+>10</VAR
+>.
+Increasing <B
+CLASS="command"
+>transfers-in</B
+> may speed up the convergence
+of slave zones, but it also may increase the load on the local system.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-out</B
+></DT
+><DD
+><P
+>The maximum number of outbound zone transfers
+that can be running concurrently. Zone transfer requests in excess
+of the limit will be refused. The default value is <VAR
+CLASS="literal"
+>10</VAR
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfers-per-ns</B
+></DT
+><DD
+><P
+>The maximum number of inbound zone transfers
+that can be concurrently transferring from a given remote name server.
+The default value is <VAR
+CLASS="literal"
+>2</VAR
+>. Increasing <B
+CLASS="command"
+>transfers-per-ns</B
+> may
+speed up the convergence of slave zones, but it also may increase
+the load on the remote name server. <B
+CLASS="command"
+>transfers-per-ns</B
+> may
+be overridden on a per-server basis by using the <B
+CLASS="command"
+>transfers</B
+> phrase
+of the <B
+CLASS="command"
+>server</B
+> statement.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>transfer-source</B
+> determines
+which local address will be bound to IPv4 TCP connections used to
+fetch zones transferred inbound by the server. It also determines
+the source IPv4 address, and optionally the UDP port, used for the
+refresh queries and forwarded dynamic updates. If not set, it defaults
+to a system controlled value which will usually be the address of
+the interface "closest to" the remote end. This address must appear
+in the remote end's <B
+CLASS="command"
+>allow-transfer</B
+> option for
+the zone being transferred, if one is specified. This statement
+sets the <B
+CLASS="command"
+>transfer-source</B
+> for all zones, but can
+be overridden on a per-view or per-zone basis by including a
+<B
+CLASS="command"
+>transfer-source</B
+> statement within the
+<B
+CLASS="command"
+>view</B
+> or <B
+CLASS="command"
+>zone</B
+> block
+in the configuration file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source-v6</B
+></DT
+><DD
+><P
+>The same as <B
+CLASS="command"
+>transfer-source</B
+>,
+except zone transfers are performed using IPv6.</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source</B
+></DT
+><DD
+><P
+>An alternate transfer source if the one listed in
+<B
+CLASS="command"
+>transfer-source</B
+> fails and
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> is set.</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source-v6</B
+></DT
+><DD
+><P
+>An alternate transfer source if the one listed in
+<B
+CLASS="command"
+>transfer-source-v6</B
+> fails and
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> is set.</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-alt-transfer-source</B
+></DT
+><DD
+><P
+>Use the alternate transfer sources or not. If views are
+specified this defaults to <B
+CLASS="command"
+>no</B
+> otherwise it defaults to
+<B
+CLASS="command"
+>yes</B
+> (for BIND 8 compatibility).</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>notify-source</B
+> determines
+which local source address, and optionally UDP port, will be used to
+send NOTIFY messages.
+This address must appear in the slave server's <B
+CLASS="command"
+>masters</B
+>
+zone clause or in an <B
+CLASS="command"
+>allow-notify</B
+> clause.
+This statement sets the <B
+CLASS="command"
+>notify-source</B
+> for all zones,
+but can be overridden on a per-zone / per-view basis by including a
+<B
+CLASS="command"
+>notify-source</B
+> statement within the <B
+CLASS="command"
+>zone</B
+>
+or <B
+CLASS="command"
+>view</B
+> block in the configuration file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source-v6</B
+></DT
+><DD
+><P
+>Like <B
+CLASS="command"
+>notify-source</B
+>,
+but applies to notify messages sent to IPv6 addresses.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2948"
+>6.2.16.8. Bad UDP Port Lists</A
+></H3
+><P
+>&#13;<B
+CLASS="command"
+>avoid-v4-udp-ports</B
+> and <B
+CLASS="command"
+>avoid-v6-udp-ports</B
+>
+specify a list of IPv4 and IPv6 UDP ports that will not be used as system
+assigned source ports for UDP sockets. These lists prevent named
+from choosing as its random source port a port that is blocked by
+your firewall. If a query went out with such a source port, the
+answer would not get by the firewall and the name server would have
+to query again.
+</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2953"
+>6.2.16.9. Operating System Resource Limits</A
+></H3
+><P
+>The server's usage of many system resources can be limited.
+Scaled values are allowed when specifying resource limits. For
+example, <B
+CLASS="command"
+>1G</B
+> can be used instead of
+<B
+CLASS="command"
+>1073741824</B
+> to specify a limit of one
+gigabyte. <B
+CLASS="command"
+>unlimited</B
+> requests unlimited use, or the
+maximum available amount. <B
+CLASS="command"
+>default</B
+> uses the limit
+that was in force when the server was started. See the description of
+<B
+CLASS="command"
+>size_spec</B
+> in <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Section 6.1</A
+>.</P
+><P
+>The following options set operating system resource limits for
+the name server process. Some operating systems don't support some or
+any of the limits. On such systems, a warning will be issued if the
+unsupported limit is used.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>coresize</B
+></DT
+><DD
+><P
+>The maximum size of a core dump. The default
+is <VAR
+CLASS="literal"
+>default</VAR
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>datasize</B
+></DT
+><DD
+><P
+>The maximum amount of data memory the server
+may use. The default is <VAR
+CLASS="literal"
+>default</VAR
+>.
+This is a hard limit on server memory usage.
+If the server attempts to allocate memory in excess of this
+limit, the allocation will fail, which may in turn leave
+the server unable to perform DNS service. Therefore,
+this option is rarely useful as a way of limiting the
+amount of memory used by the server, but it can be used
+to raise an operating system data size limit that is
+too small by default. If you wish to limit the amount
+of memory used by the server, use the
+<B
+CLASS="command"
+>max-cache-size</B
+> and
+<B
+CLASS="command"
+>recursive-clients</B
+>
+options instead.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>files</B
+></DT
+><DD
+><P
+>The maximum number of files the server
+may have open concurrently. The default is <VAR
+CLASS="literal"
+>unlimited</VAR
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>stacksize</B
+></DT
+><DD
+><P
+>The maximum amount of stack memory the server
+may use. The default is <VAR
+CLASS="literal"
+>default</VAR
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN2990"
+>6.2.16.10. Server Resource Limits</A
+></H3
+><P
+>The following options set limits on the server's
+resource consumption that are enforced internally by the
+server rather than the operating system.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>max-ixfr-log-size</B
+></DT
+><DD
+><P
+>This option is obsolete; it is accepted
+and ignored for BIND 8 compatibility. The option
+<B
+CLASS="command"
+>max-journal-size</B
+> performs a similar
+function in BIND 8.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-journal-size</B
+></DT
+><DD
+><P
+>Sets a maximum size for each journal file
+(<A
+HREF="Bv9ARM.ch04.html#journal"
+>Section 4.2.1</A
+>). When the journal file approaches
+the specified size, some of the oldest transactions in the journal
+will be automatically removed. The default is
+<VAR
+CLASS="literal"
+>unlimited</VAR
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>recursive-clients</B
+></DT
+><DD
+><P
+>The maximum number of simultaneous recursive lookups
+the server will perform on behalf of clients. The default is
+<VAR
+CLASS="literal"
+>1000</VAR
+>. Because each recursing client uses a fair
+bit of memory, on the order of 20 kilobytes, the value of the
+<B
+CLASS="command"
+>recursive-clients</B
+> option may have to be decreased
+on hosts with limited memory.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>tcp-clients</B
+></DT
+><DD
+><P
+>The maximum number of simultaneous client TCP
+connections that the server will accept.
+The default is <VAR
+CLASS="literal"
+>100</VAR
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-cache-size</B
+></DT
+><DD
+><P
+>The maximum amount of memory to use for the
+server's cache, in bytes. When the amount of data in the cache
+reaches this limit, the server will cause records to expire
+prematurely so that the limit is not exceeded. In a server with
+multiple views, the limit applies separately to the cache of each
+view. The default is <VAR
+CLASS="literal"
+>unlimited</VAR
+>, meaning that
+records are purged from the cache only when their TTLs expire.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>tcp-listen-queue</B
+></DT
+><DD
+><P
+>The listen queue depth. The default and minimum is 3.
+If the kernel supports the accept filter "dataready" this also controls how
+many TCP connections that will be queued in kernel space waiting for
+some data before being passed to accept. Values less than 3 will be
+silently raised.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3031"
+>6.2.16.11. Periodic Task Intervals</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>cleaning-interval</B
+></DT
+><DD
+><P
+>The server will remove expired resource records
+from the cache every <B
+CLASS="command"
+>cleaning-interval</B
+> minutes.
+The default is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, no periodic cleaning will occur.</P
+></DD
+><DT
+><B
+CLASS="command"
+>heartbeat-interval</B
+></DT
+><DD
+><P
+>The server will perform zone maintenance tasks
+for all zones marked as <B
+CLASS="command"
+>dialup</B
+> whenever this
+interval expires. The default is 60 minutes. Reasonable values are up
+to 1 day (1440 minutes). The maximum value is 28 days (40320 minutes).
+If set to 0, no zone maintenance for these zones will occur.</P
+></DD
+><DT
+><B
+CLASS="command"
+>interface-interval</B
+></DT
+><DD
+><P
+>The server will scan the network interface list
+every <B
+CLASS="command"
+>interface-interval</B
+> minutes. The default
+is 60 minutes. The maximum value is 28 days (40320 minutes).
+If set to 0, interface scanning will only occur when
+the configuration file is loaded. After the scan, the server will
+begin listening for queries on any newly discovered
+interfaces (provided they are allowed by the
+<B
+CLASS="command"
+>listen-on</B
+> configuration), and will
+stop listening on interfaces that have gone away.</P
+></DD
+><DT
+><B
+CLASS="command"
+>statistics-interval</B
+></DT
+><DD
+><P
+>Name server statistics will be logged
+every <B
+CLASS="command"
+>statistics-interval</B
+> minutes. The default is
+60. The maximum value is 28 days (40320 minutes).
+If set to 0, no statistics will be logged.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not yet implemented in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="topology"
+>6.2.16.12. Topology</A
+></H3
+><P
+>All other things being equal, when the server chooses a name server
+to query from a list of name servers, it prefers the one that is
+topologically closest to itself. The <B
+CLASS="command"
+>topology</B
+> statement
+takes an <B
+CLASS="command"
+>address_match_list</B
+> and interprets it
+in a special way. Each top-level list element is assigned a distance.
+Non-negated elements get a distance based on their position in the
+list, where the closer the match is to the start of the list, the
+shorter the distance is between it and the server. A negated match
+will be assigned the maximum distance from the server. If there
+is no match, the address will get a distance which is further than
+any non-negated list element, and closer than any negated element.
+For example,</P
+><PRE
+CLASS="programlisting"
+>topology {
+ 10/8;
+ !1.2.3/24;
+ { 1.2/16; 3/8; };
+};</PRE
+><P
+>will prefer servers on network 10 the most, followed by hosts
+on network 1.2.0.0 (netmask 255.255.0.0) and network 3, with the
+exception of hosts on network 1.2.3 (netmask 255.255.255.0), which
+is preferred least of all.</P
+><P
+>The default topology is</P
+><PRE
+CLASS="programlisting"
+> topology { localhost; localnets; };
+</PRE
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>topology</B
+> option
+is not implemented in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="the_sortlist_statement"
+>6.2.16.13. The <B
+CLASS="command"
+>sortlist</B
+> Statement</A
+></H3
+><P
+>The response to a DNS query may consist of multiple resource
+records (RRs) forming a resource records set (RRset).
+The name server will normally return the
+RRs within the RRset in an indeterminate order
+(but see the <B
+CLASS="command"
+>rrset-order</B
+>
+statement in <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+>Section 6.2.16.14</A
+>).
+The client resolver code should rearrange the RRs as appropriate,
+that is, using any addresses on the local net in preference to other addresses.
+However, not all resolvers can do this or are correctly configured.
+When a client is using a local server the sorting can be performed
+in the server, based on the client's address. This only requires
+configuring the name servers, not all the clients.</P
+><P
+>The <B
+CLASS="command"
+>sortlist</B
+> statement (see below) takes
+an <B
+CLASS="command"
+>address_match_list</B
+> and interprets it even
+more specifically than the <B
+CLASS="command"
+>topology</B
+> statement
+does (<A
+HREF="Bv9ARM.ch06.html#topology"
+>Section 6.2.16.12</A
+>).
+Each top level statement in the <B
+CLASS="command"
+>sortlist</B
+> must
+itself be an explicit <B
+CLASS="command"
+>address_match_list</B
+> with
+one or two elements. The first element (which may be an IP address,
+an IP prefix, an ACL name or a nested <B
+CLASS="command"
+>address_match_list</B
+>)
+of each top level list is checked against the source address of
+the query until a match is found.</P
+><P
+>Once the source address of the query has been matched, if
+the top level statement contains only one element, the actual primitive
+element that matched the source address is used to select the address
+in the response to move to the beginning of the response. If the
+statement is a list of two elements, then the second element is
+treated the same as the <B
+CLASS="command"
+>address_match_list</B
+> in
+a <B
+CLASS="command"
+>topology</B
+> statement. Each top level element
+is assigned a distance and the address in the response with the minimum
+distance is moved to the beginning of the response.</P
+><P
+>In the following example, any queries received from any of
+the addresses of the host itself will get responses preferring addresses
+on any of the locally connected networks. Next most preferred are addresses
+on the 192.168.1/24 network, and after that either the 192.168.2/24
+or
+192.168.3/24 network with no preference shown between these two
+networks. Queries received from a host on the 192.168.1/24 network
+will prefer other addresses on that network to the 192.168.2/24
+and
+192.168.3/24 networks. Queries received from a host on the 192.168.4/24
+or the 192.168.5/24 network will only prefer other addresses on
+their directly connected networks.</P
+><PRE
+CLASS="programlisting"
+>sortlist {
+ { localhost; // IF the local host
+ { localnets; // THEN first fit on the
+ 192.168.1/24; // following nets
+ { 192.168.2/24; 192.168.3/24; }; }; };
+ { 192.168.1/24; // IF on class C 192.168.1
+ { 192.168.1/24; // THEN use .1, or .2 or .3
+ { 192.168.2/24; 192.168.3/24; }; }; };
+ { 192.168.2/24; // IF on class C 192.168.2
+ { 192.168.2/24; // THEN use .2, or .1 or .3
+ { 192.168.1/24; 192.168.3/24; }; }; };
+ { 192.168.3/24; // IF on class C 192.168.3
+ { 192.168.3/24; // THEN use .3, or .1 or .2
+ { 192.168.1/24; 192.168.2/24; }; }; };
+ { { 192.168.4/24; 192.168.5/24; }; // if .4 or .5, prefer that net
+ };
+};</PRE
+><P
+>The following example will give reasonable behavior for the
+local host and hosts on directly connected networks. It is similar
+to the behavior of the address sort in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 4.9.x. Responses sent
+to queries from the local host will favor any of the directly connected
+networks. Responses sent to queries from any other hosts on a directly
+connected network will prefer addresses on that same network. Responses
+to other queries will not be sorted.</P
+><PRE
+CLASS="programlisting"
+>sortlist {
+ { localhost; localnets; };
+ { localnets; };
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="rrset_ordering"
+>6.2.16.14. RRset Ordering</A
+></H3
+><P
+>When multiple records are returned in an answer it may be
+useful to configure the order of the records placed into the response.
+The <B
+CLASS="command"
+>rrset-order</B
+> statement permits configuration
+of the ordering of the records in a multiple record response.
+See also the <B
+CLASS="command"
+>sortlist</B
+> statement,
+<A
+HREF="Bv9ARM.ch06.html#the_sortlist_statement"
+>Section 6.2.16.13</A
+>.
+</P
+><P
+>An <B
+CLASS="command"
+>order_spec</B
+> is defined as follows:</P
+><PRE
+CLASS="programlisting"
+>[<SPAN
+CLASS="optional"
+> class <VAR
+CLASS="replaceable"
+>class_name</VAR
+> </SPAN
+>][<SPAN
+CLASS="optional"
+> type <VAR
+CLASS="replaceable"
+>type_name</VAR
+> </SPAN
+>][<SPAN
+CLASS="optional"
+> name <VAR
+CLASS="replaceable"
+>"domain_name"</VAR
+></SPAN
+>]
+ order <VAR
+CLASS="replaceable"
+>ordering</VAR
+>
+</PRE
+><P
+>If no class is specified, the default is <B
+CLASS="command"
+>ANY</B
+>.
+If no type is specified, the default is <B
+CLASS="command"
+>ANY</B
+>.
+If no name is specified, the default is "<B
+CLASS="command"
+>*</B
+>".</P
+><P
+>The legal values for <B
+CLASS="command"
+>ordering</B
+> are:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN3119"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>fixed</B
+></P
+></TD
+><TD
+><P
+>Records are returned in the order they
+are defined in the zone file.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>random</B
+></P
+></TD
+><TD
+><P
+>Records are returned in some random order.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>cyclic</B
+></P
+></TD
+><TD
+><P
+>Records are returned in a round-robin
+order.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>For example:</P
+><PRE
+CLASS="programlisting"
+>rrset-order {
+ class IN type A name "host.example.com" order random;
+ order cyclic;
+};
+</PRE
+><P
+>will cause any responses for type A records in class IN that
+have "<VAR
+CLASS="literal"
+>host.example.com</VAR
+>" as a suffix, to always be returned
+in random order. All other records are returned in cyclic order.</P
+><P
+>If multiple <B
+CLASS="command"
+>rrset-order</B
+> statements appear,
+they are not combined &#8212; the last one applies.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>rrset-order</B
+> statement
+is not yet fully implemented in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.
+BIND 9 currently does not support "fixed" ordering.
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="tuning"
+>6.2.16.15. Tuning</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>lame-ttl</B
+></DT
+><DD
+><P
+>Sets the number of seconds to cache a
+lame server indication. 0 disables caching. (This is
+<SPAN
+CLASS="bold"
+><B
+CLASS="emphasis"
+>NOT</B
+></SPAN
+> recommended.)
+Default is <VAR
+CLASS="literal"
+>600</VAR
+> (10 minutes). Maximum value is
+<VAR
+CLASS="literal"
+>1800</VAR
+> (30 minutes).</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-ncache-ttl</B
+></DT
+><DD
+><P
+>To reduce network traffic and increase performance
+the server stores negative answers. <B
+CLASS="command"
+>max-ncache-ttl</B
+> is
+used to set a maximum retention time for these answers in the server
+in seconds. The default
+<B
+CLASS="command"
+>max-ncache-ttl</B
+> is <VAR
+CLASS="literal"
+>10800</VAR
+> seconds (3 hours).
+<B
+CLASS="command"
+>max-ncache-ttl</B
+> cannot exceed 7 days and will
+be silently truncated to 7 days if set to a greater value.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-cache-ttl</B
+></DT
+><DD
+><P
+><B
+CLASS="command"
+>max-cache-ttl</B
+> sets
+the maximum time for which the server will cache ordinary (positive)
+answers. The default is one week (7 days).</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-roots</B
+></DT
+><DD
+><P
+>The minimum number of root servers that
+is required for a request for the root servers to be accepted. Default
+is <KBD
+CLASS="userinput"
+>2</KBD
+>.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>Not implemented in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>9.</P
+></BLOCKQUOTE
+></DIV
+></DD
+><DT
+><B
+CLASS="command"
+>sig-validity-interval</B
+></DT
+><DD
+><P
+>Specifies the number of days into the
+future when DNSSEC signatures automatically generated as a result
+of dynamic updates (<A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Section 4.2</A
+>)
+will expire. The default is <VAR
+CLASS="literal"
+>30</VAR
+> days.
+The maximum value is 10 years (3660 days). The signature
+inception time is unconditionally set to one hour before the current time
+to allow for a limited amount of clock skew.</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-refresh-time</B
+>, <B
+CLASS="command"
+>max-refresh-time</B
+>, <B
+CLASS="command"
+>min-retry-time</B
+>, <B
+CLASS="command"
+>max-retry-time</B
+></DT
+><DD
+><P
+>&#13;These options control the server's behavior on refreshing a zone
+(querying for SOA changes) or retrying failed transfers.
+Usually the SOA values for the zone are used, but these values
+are set by the master, giving slave server administrators little
+control over their contents.
+</P
+><P
+>&#13;These options allow the administrator to set a minimum and maximum
+refresh and retry time either per-zone, per-view, or globally.
+These options are valid for slave and stub zones,
+and clamp the SOA refresh and retry times to the specified values.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>edns-udp-size</B
+></DT
+><DD
+><P
+>&#13;<B
+CLASS="command"
+>edns-udp-size</B
+> sets the advertised EDNS UDP buffer
+size. Valid values are 512 to 4096 (values outside this range will be
+silently adjusted). The default value is 4096. The usual reason for
+setting edns-udp-size to a non default value it to get UDP answers to
+pass through broken firewalls that block fragmented packets and/or
+block UDP packets that are greater than 512 bytes.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="builtin"
+>6.2.16.16. Built-in server information zones</A
+></H3
+><P
+>The server provides some helpful diagnostic information
+through a number of built-in zones under the
+pseudo-top-level-domain <VAR
+CLASS="literal"
+>bind</VAR
+> in the
+<B
+CLASS="command"
+>CHAOS</B
+> class. These zones are part of a
+built-in view (see <A
+HREF="Bv9ARM.ch06.html#view_statement_grammar"
+>Section 6.2.21</A
+>) of class
+<B
+CLASS="command"
+>CHAOS</B
+> which is separate from the default view of
+class <B
+CLASS="command"
+>IN</B
+>; therefore, any global server options
+such as <B
+CLASS="command"
+>allow-query</B
+> do not apply the these zones.
+If you feel the need to disable these zones, use the options
+below, or hide the built-in <B
+CLASS="command"
+>CHAOS</B
+> view by
+defining an explicit view of class <B
+CLASS="command"
+>CHAOS</B
+>
+that matches all clients.</P
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>version</B
+></DT
+><DD
+><P
+>The version the server should report
+via a query of the name <VAR
+CLASS="literal"
+>version.bind</VAR
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+The default is the real version number of this server.
+Specifying <B
+CLASS="command"
+>version none</B
+>
+disables processing of the queries.</P
+></DD
+><DT
+><B
+CLASS="command"
+>hostname</B
+></DT
+><DD
+><P
+>The hostname the server should report via a query of
+the name <TT
+CLASS="filename"
+>hostname.bind</TT
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+This defaults to the hostname of the machine hosting the name server as
+found by gethostname(). The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries. Specifying <B
+CLASS="command"
+>hostname none;</B
+>
+disables processing of the queries.</P
+></DD
+><DT
+><B
+CLASS="command"
+>server-id</B
+></DT
+><DD
+><P
+>The ID of the server should report via a query of
+the name <TT
+CLASS="filename"
+>ID.SERVER</TT
+>
+with type <B
+CLASS="command"
+>TXT</B
+>, class <B
+CLASS="command"
+>CHAOS</B
+>.
+The primary purpose of such queries is to
+identify which of a group of anycast servers is actually
+answering your queries. Specifying <B
+CLASS="command"
+>server-id none;</B
+>
+disables processing of the queries.
+Specifying <B
+CLASS="command"
+>server-id hostname;</B
+> will cause named to
+use the hostname as found by gethostname().
+The default <B
+CLASS="command"
+>server-id</B
+> is <B
+CLASS="command"
+>none</B
+>.
+</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="statsfile"
+>6.2.16.17. The Statistics File</A
+></H3
+><P
+>The statistics file generated by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9
+is similar, but not identical, to that
+generated by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8.
+</P
+><P
+>The statistics dump begins with the line <B
+CLASS="command"
+>+++ Statistics Dump
++++ (973798949)</B
+>, where the number in parentheses is a standard
+Unix-style timestamp, measured as seconds since January 1, 1970. Following
+that line are a series of lines containing a counter type, the value of the
+counter, optionally a zone name, and optionally a view name.
+The lines without view and zone listed are global statistics for the entire server.
+Lines with a zone and view name for the given view and zone (the view name is
+omitted for the default view). The statistics dump ends
+with the line <B
+CLASS="command"
+>--- Statistics Dump --- (973798949)</B
+>, where the
+number is identical to the number in the beginning line.</P
+><P
+>The following statistics counters are maintained:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN3263"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>success</B
+></P
+></TD
+><TD
+><P
+>The number of
+successful queries made to the server or zone. A successful query
+is defined as query which returns a NOERROR response with at least
+one answer RR.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>referral</B
+></P
+></TD
+><TD
+><P
+>The number of queries which resulted
+in referral responses.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>nxrrset</B
+></P
+></TD
+><TD
+><P
+>The number of queries which resulted in
+NOERROR responses with no data.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>nxdomain</B
+></P
+></TD
+><TD
+><P
+>The number
+of queries which resulted in NXDOMAIN responses.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>failure</B
+></P
+></TD
+><TD
+><P
+>The number of queries which resulted in a
+failure response other than those above.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>recursion</B
+></P
+></TD
+><TD
+><P
+>The number of queries which caused the server
+to perform recursion in order to find the final answer.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>&#13;Each query received by the server will cause exactly one of
+<B
+CLASS="command"
+>success</B
+>,
+<B
+CLASS="command"
+>referral</B
+>,
+<B
+CLASS="command"
+>nxrrset</B
+>,
+<B
+CLASS="command"
+>nxdomain</B
+>, or
+<B
+CLASS="command"
+>failure</B
+>
+to be incremented, and may additionally cause the
+<B
+CLASS="command"
+>recursion</B
+> counter to be incremented.
+</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="server_statement_grammar"
+>6.2.17. <B
+CLASS="command"
+>server</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>server <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> {
+ [<SPAN
+CLASS="optional"
+> bogus <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> provide-ixfr <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> request-ixfr <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> edns <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfers <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-format <VAR
+CLASS="replaceable"
+>( one-answer | many-answers )</VAR
+> ; ]</SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> keys <VAR
+CLASS="replaceable"
+>{ string ; [<SPAN
+CLASS="optional"
+> string ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>]</SPAN
+>] }</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="server_statement_definition_and_usage"
+>6.2.18. <B
+CLASS="command"
+>server</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>server</B
+> statement defines characteristics
+to be associated with a remote name server.</P
+><P
+>&#13;The <B
+CLASS="command"
+>server</B
+> statement can occur at the top level of the
+configuration file or inside a <B
+CLASS="command"
+>view</B
+> statement.
+If a <B
+CLASS="command"
+>view</B
+> statement contains
+one or more <B
+CLASS="command"
+>server</B
+> statements, only those
+apply to the view and any top-level ones are ignored.
+If a view contains no <B
+CLASS="command"
+>server</B
+> statements,
+any top-level <B
+CLASS="command"
+>server</B
+> statements are used as
+defaults.
+</P
+><P
+>If you discover that a remote server is giving out bad data,
+marking it as bogus will prevent further queries to it. The default
+value of <B
+CLASS="command"
+>bogus</B
+> is <B
+CLASS="command"
+>no</B
+>.</P
+><P
+>The <B
+CLASS="command"
+>provide-ixfr</B
+> clause determines whether
+the local server, acting as master, will respond with an incremental
+zone transfer when the given remote server, a slave, requests it.
+If set to <B
+CLASS="command"
+>yes</B
+>, incremental transfer will be provided
+whenever possible. If set to <B
+CLASS="command"
+>no</B
+>, all transfers
+to the remote server will be non-incremental. If not set, the value
+of the <B
+CLASS="command"
+>provide-ixfr</B
+> option in the view or
+global options block is used as a default.</P
+><P
+>The <B
+CLASS="command"
+>request-ixfr</B
+> clause determines whether
+the local server, acting as a slave, will request incremental zone
+transfers from the given remote server, a master. If not set, the
+value of the <B
+CLASS="command"
+>request-ixfr</B
+> option in the view or
+global options block is used as a default.</P
+><P
+>IXFR requests to servers that do not support IXFR will automatically
+fall back to AXFR. Therefore, there is no need to manually list
+which servers support IXFR and which ones do not; the global default
+of <B
+CLASS="command"
+>yes</B
+> should always work.
+The purpose of the <B
+CLASS="command"
+>provide-ixfr</B
+> and
+<B
+CLASS="command"
+>request-ixfr</B
+> clauses is
+to make it possible to disable the use of IXFR even when both master
+and slave claim to support it, for example if one of the servers
+is buggy and crashes or corrupts data when IXFR is used.</P
+><P
+>The <B
+CLASS="command"
+>edns</B
+> clause determines whether the local server
+will attempt to use EDNS when communicating with the remote server. The
+default is <B
+CLASS="command"
+>yes</B
+>.</P
+><P
+>The server supports two zone transfer methods. The first, <B
+CLASS="command"
+>one-answer</B
+>,
+uses one DNS message per resource record transferred. <B
+CLASS="command"
+>many-answers</B
+> packs
+as many resource records as possible into a message. <B
+CLASS="command"
+>many-answers</B
+> is
+more efficient, but is only known to be understood by <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9, <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+8.x, and patched versions of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 4.9.5. You can specify which method
+to use for a server with the <B
+CLASS="command"
+>transfer-format</B
+> option.
+If <B
+CLASS="command"
+>transfer-format</B
+> is not specified, the <B
+CLASS="command"
+>transfer-format</B
+> specified
+by the <B
+CLASS="command"
+>options</B
+> statement will be used.</P
+><P
+><B
+CLASS="command"
+>transfers</B
+> is used to limit the number of
+concurrent inbound zone transfers from the specified server. If
+no <B
+CLASS="command"
+>transfers</B
+> clause is specified, the limit is
+set according to the <B
+CLASS="command"
+>transfers-per-ns</B
+> option.</P
+><P
+>The <B
+CLASS="command"
+>keys</B
+> clause identifies a
+<B
+CLASS="command"
+>key_id</B
+> defined by the <B
+CLASS="command"
+>key</B
+> statement,
+to be used for transaction security (TSIG, <A
+HREF="Bv9ARM.ch04.html#tsig"
+>Section 4.5</A
+>)
+when talking to the remote server.
+When a request is sent to the remote server, a request signature
+will be generated using the key specified here and appended to the
+message. A request originating from the remote server is not required
+to be signed by this key.</P
+><P
+>Although the grammar of the <B
+CLASS="command"
+>keys</B
+> clause
+allows for multiple keys, only a single key per server is currently
+supported.</P
+><P
+>The <B
+CLASS="command"
+>transfer-source</B
+> and
+<B
+CLASS="command"
+>transfer-source-v6</B
+> clauses specify the IPv4 and IPv6 source
+address to be used for zone transfer with the remote server, respectively.
+For an IPv4 remote server, only <B
+CLASS="command"
+>transfer-source</B
+> can
+be specified.
+Similarly, for an IPv6 remote server, only
+<B
+CLASS="command"
+>transfer-source-v6</B
+> can be specified.
+Form more details, see the description of
+<B
+CLASS="command"
+>transfer-source</B
+> and
+<B
+CLASS="command"
+>transfer-source-v6</B
+> in
+<A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3402"
+>6.2.19. <B
+CLASS="command"
+>trusted-keys</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>trusted-keys {
+ <VAR
+CLASS="replaceable"
+>string</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>string</VAR
+> ;
+ [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>string</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>string</VAR
+> ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>]</SPAN
+>]
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3418"
+>6.2.20. <B
+CLASS="command"
+>trusted-keys</B
+> Statement Definition
+and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>trusted-keys</B
+> statement defines DNSSEC
+security roots. DNSSEC is described in <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>Section 4.8</A
+>. A security root is defined when the public key for a non-authoritative
+zone is known, but cannot be securely obtained through DNS, either
+because it is the DNS root zone or because its parent zone is unsigned.
+Once a key has been configured as a trusted key, it is treated as
+if it had been validated and proven secure. The resolver attempts
+DNSSEC validation on all DNS data in subdomains of a security root.</P
+><P
+>The <B
+CLASS="command"
+>trusted-keys</B
+> statement can contain
+multiple key entries, each consisting of the key's domain name,
+flags, protocol, algorithm, and the base-64 representation of the
+key data.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="view_statement_grammar"
+>6.2.21. <B
+CLASS="command"
+>view</B
+> Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>view <VAR
+CLASS="replaceable"
+>view_name</VAR
+>
+ [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+></SPAN
+>] {
+ match-clients { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ;
+ match-destinations { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ;
+ match-recursive-only <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ;
+ [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>view_option</VAR
+>; ...</SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>zone_statement</VAR
+>; ...</SPAN
+>]
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3440"
+>6.2.22. <B
+CLASS="command"
+>view</B
+> Statement Definition and Usage</A
+></H2
+><P
+>The <B
+CLASS="command"
+>view</B
+> statement is a powerful new feature
+of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 that lets a name server answer a DNS query differently
+depending on who is asking. It is particularly useful for implementing
+split DNS setups without having to run multiple servers.</P
+><P
+>Each <B
+CLASS="command"
+>view</B
+> statement defines a view of the
+DNS namespace that will be seen by a subset of clients. A client matches
+a view if its source IP address matches the
+<VAR
+CLASS="varname"
+>address_match_list</VAR
+> of the view's
+<B
+CLASS="command"
+>match-clients</B
+> clause and its destination IP address matches
+the <VAR
+CLASS="varname"
+>address_match_list</VAR
+> of the view's
+<B
+CLASS="command"
+>match-destinations</B
+> clause. If not specified, both
+<B
+CLASS="command"
+>match-clients</B
+> and <B
+CLASS="command"
+>match-destinations</B
+>
+default to matching all addresses. In addition to checking IP addresses
+<B
+CLASS="command"
+>match-clients</B
+> and <B
+CLASS="command"
+>match-destinations</B
+>
+can also take <B
+CLASS="command"
+>keys</B
+> which provide an mechanism for the
+client to select the view. A view can also be specified
+as <B
+CLASS="command"
+>match-recursive-only</B
+>, which means that only recursive
+requests from matching clients will match that view.
+The order of the <B
+CLASS="command"
+>view</B
+> statements is significant &#8212;
+a client request will be resolved in the context of the first
+<B
+CLASS="command"
+>view</B
+> that it matches.</P
+><P
+>Zones defined within a <B
+CLASS="command"
+>view</B
+> statement will
+be only be accessible to clients that match the <B
+CLASS="command"
+>view</B
+>.
+ By defining a zone of the same name in multiple views, different
+zone data can be given to different clients, for example, "internal"
+and "external" clients in a split DNS setup.</P
+><P
+>Many of the options given in the <B
+CLASS="command"
+>options</B
+> statement
+can also be used within a <B
+CLASS="command"
+>view</B
+> statement, and then
+apply only when resolving queries with that view. When no view-specific
+value is given, the value in the <B
+CLASS="command"
+>options</B
+> statement
+is used as a default. Also, zone options can have default values specified
+in the <B
+CLASS="command"
+>view</B
+> statement; these view-specific defaults
+take precedence over those in the <B
+CLASS="command"
+>options</B
+> statement.</P
+><P
+>Views are class specific. If no class is given, class IN
+is assumed. Note that all non-IN views must contain a hint zone,
+since only the IN class has compiled-in default hints.</P
+><P
+>If there are no <B
+CLASS="command"
+>view</B
+> statements in the config
+file, a default view that matches any client is automatically created
+in class IN. Any <B
+CLASS="command"
+>zone</B
+> statements specified on
+the top level of the configuration file are considered to be part of
+this default view, and the <B
+CLASS="command"
+>options</B
+> statement will
+apply to the default view. If any explicit <B
+CLASS="command"
+>view</B
+>
+statements are present, all <B
+CLASS="command"
+>zone</B
+> statements must
+occur inside <B
+CLASS="command"
+>view</B
+> statements.</P
+><P
+>Here is an example of a typical split DNS setup implemented
+using <B
+CLASS="command"
+>view</B
+> statements.</P
+><PRE
+CLASS="programlisting"
+>view "internal" {
+ // This should match our internal networks.
+ match-clients { 10.0.0.0/8; };
+
+ // Provide recursive service to internal clients only.
+ recursion yes;
+
+ // Provide a complete view of the example.com zone
+ // including addresses of internal hosts.
+ zone "example.com" {
+ type master;
+ file "example-internal.db";
+ };
+};
+
+view "external" {
+ // Match all clients not matched by the previous view.
+ match-clients { any; };
+
+ // Refuse recursive service to external clients.
+ recursion no;
+
+ // Provide a restricted view of the example.com zone
+ // containing only publicly accessible hosts.
+ zone "example.com" {
+ type master;
+ file "example-external.db";
+ };
+};
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="zone_statement_grammar"
+>6.2.23. <B
+CLASS="command"
+>zone</B
+>
+Statement Grammar</A
+></H2
+><PRE
+CLASS="programlisting"
+>zone <VAR
+CLASS="replaceable"
+>zone_name</VAR
+> [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>{
+ type ( master | slave | hint | stub | forward | delegation-only ) ;
+ [<SPAN
+CLASS="optional"
+> allow-notify { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-query { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-transfer { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-update { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> update-policy { <VAR
+CLASS="replaceable"
+>update_policy_rule</VAR
+> [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> allow-update-forwarding { <VAR
+CLASS="replaceable"
+>address_match_list</VAR
+> } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> also-notify { <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> check-names (<CODE
+CLASS="constant"
+>warn</CODE
+>|<CODE
+CLASS="constant"
+>fail</CODE
+>|<CODE
+CLASS="constant"
+>ignore</CODE
+>) ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> dialup <VAR
+CLASS="replaceable"
+>dialup_option</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> delegation-only <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> file <VAR
+CLASS="replaceable"
+>string</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> forward (<CODE
+CLASS="constant"
+>only</CODE
+>|<CODE
+CLASS="constant"
+>first</CODE
+>) ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> forwarders { <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; ... </SPAN
+>] }; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> ixfr-base <VAR
+CLASS="replaceable"
+>string</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> ixfr-tmp-file <VAR
+CLASS="replaceable"
+>string</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> maintain-ixfr-base <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> masters [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] { ( <VAR
+CLASS="replaceable"
+>masters_list</VAR
+> | <VAR
+CLASS="replaceable"
+>ip_addr</VAR
+> [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] [<SPAN
+CLASS="optional"
+>key <VAR
+CLASS="replaceable"
+>key</VAR
+></SPAN
+>] ) ; [<SPAN
+CLASS="optional"
+>...</SPAN
+>] } ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-ixfr-log-size <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-idle-in <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-idle-out <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-time-in <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-transfer-time-out <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> | <VAR
+CLASS="replaceable"
+>explicit</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> pubkey <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>number</VAR
+> <VAR
+CLASS="replaceable"
+>string</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> transfer-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> alt-transfer-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> alt-transfer-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> use-alt-transfer-source <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+>; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify-source (<VAR
+CLASS="replaceable"
+>ip4_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> notify-source-v6 (<VAR
+CLASS="replaceable"
+>ip6_addr</VAR
+> | <CODE
+CLASS="constant"
+>*</CODE
+>) [<SPAN
+CLASS="optional"
+>port <VAR
+CLASS="replaceable"
+>ip_port</VAR
+></SPAN
+>] ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> zone-statistics <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> sig-validity-interval <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> database <VAR
+CLASS="replaceable"
+>string</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> min-refresh-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-refresh-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> min-retry-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> max-retry-time <VAR
+CLASS="replaceable"
+>number</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> multi-master <VAR
+CLASS="replaceable"
+>yes_or_no</VAR
+> ; </SPAN
+>]
+ [<SPAN
+CLASS="optional"
+> key-directory <VAR
+CLASS="replaceable"
+>path_name</VAR
+>; </SPAN
+>]
+
+}</SPAN
+>];
+</PRE
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN3614"
+>6.2.24. <B
+CLASS="command"
+>zone</B
+> Statement Definition and Usage</A
+></H2
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3617"
+>6.2.24.1. Zone Types</A
+></H3
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN3619"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>master</VAR
+></P
+></TD
+><TD
+><P
+>The server has a master copy of the data
+for the zone and will be able to provide authoritative answers for
+it.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>slave</VAR
+></P
+></TD
+><TD
+><P
+>A slave zone is a replica of a master
+zone. The <B
+CLASS="command"
+>masters</B
+> list specifies one or more IP addresses
+of master servers that the slave contacts to update its copy of the zone.
+Masters list elements can also be names of other masters lists.
+By default, transfers are made from port 53 on the servers; this can
+be changed for all servers by specifying a port number before the
+list of IP addresses, or on a per-server basis after the IP address.
+Authentication to the master can also be done with per-server TSIG keys.
+If a file is specified, then the
+replica will be written to this file whenever the zone is changed,
+and reloaded from this file on a server restart. Use of a file is
+recommended, since it often speeds server start-up and eliminates
+a needless waste of bandwidth. Note that for large numbers (in the
+tens or hundreds of thousands) of zones per server, it is best to
+use a two level naming scheme for zone file names. For example,
+a slave server for the zone <VAR
+CLASS="literal"
+>example.com</VAR
+> might place
+the zone contents into a file called
+<TT
+CLASS="filename"
+>ex/example.com</TT
+> where <TT
+CLASS="filename"
+>ex/</TT
+> is
+just the first two letters of the zone name. (Most operating systems
+behave very slowly if you put 100 000 files into
+a single directory.)</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>stub</VAR
+></P
+></TD
+><TD
+><P
+>A stub zone is similar to a slave zone,
+except that it replicates only the NS records of a master zone instead
+of the entire zone. Stub zones are not a standard part of the DNS;
+they are a feature specific to the <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> implementation.
+</P
+>
+
+<P
+>Stub zones can be used to eliminate the need for glue NS record
+in a parent zone at the expense of maintaining a stub zone entry and
+a set of name server addresses in <TT
+CLASS="filename"
+>named.conf</TT
+>.
+This usage is not recommended for new configurations, and BIND 9
+supports it only in a limited way.
+In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 4/8, zone transfers of a parent zone
+included the NS records from stub children of that zone. This meant
+that, in some cases, users could get away with configuring child stubs
+only in the master server for the parent zone. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+9 never mixes together zone data from different zones in this
+way. Therefore, if a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 master serving a parent
+zone has child stub zones configured, all the slave servers for the
+parent zone also need to have the same child stub zones
+configured.</P
+>
+
+<P
+>Stub zones can also be used as a way of forcing the resolution
+of a given domain to use a particular set of authoritative servers.
+For example, the caching name servers on a private network using
+RFC1981 addressing may be configured with stub zones for
+<VAR
+CLASS="literal"
+>10.in-addr.arpa</VAR
+>
+to use a set of internal name servers as the authoritative
+servers for that domain.</P
+>
+</TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>forward</VAR
+></P
+></TD
+><TD
+><P
+>A "forward zone" is a way to configure
+forwarding on a per-domain basis. A <B
+CLASS="command"
+>zone</B
+> statement
+of type <B
+CLASS="command"
+>forward</B
+> can contain a <B
+CLASS="command"
+>forward</B
+> and/or <B
+CLASS="command"
+>forwarders</B
+> statement,
+which will apply to queries within the domain given by the zone
+name. If no <B
+CLASS="command"
+>forwarders</B
+> statement is present or
+an empty list for <B
+CLASS="command"
+>forwarders</B
+> is given, then no
+forwarding will be done for the domain, canceling the effects of
+any forwarders in the <B
+CLASS="command"
+>options</B
+> statement. Thus
+if you want to use this type of zone to change the behavior of the
+global <B
+CLASS="command"
+>forward</B
+> option (that is, "forward first
+to", then "forward only", or vice versa, but want to use the same
+servers as set globally) you need to re-specify the global forwarders.</P
+>
+</TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>hint</VAR
+></P
+></TD
+><TD
+><P
+>The initial set of root name servers is
+specified using a "hint zone". When the server starts up, it uses
+the root hints to find a root name server and get the most recent
+list of root name servers. If no hint zone is specified for class
+IN, the server uses a compiled-in default set of root servers hints.
+Classes other than IN have no built-in defaults hints.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>delegation-only</VAR
+></P
+></TD
+><TD
+><P
+>This is used to enforce the delegation only
+status of infrastructure zones (e.g. COM, NET, ORG). Any answer that
+is received without a explicit or implicit delegation in the authority
+section will be treated as NXDOMAIN. This does not apply to the zone
+apex. This SHOULD NOT be applied to leaf zones.</P
+>
+<P
+><VAR
+CLASS="varname"
+>delegation-only</VAR
+> has no effect on answers received
+from forwarders.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3682"
+>6.2.24.2. Class</A
+></H3
+><P
+>The zone's name may optionally be followed by a class. If
+a class is not specified, class <VAR
+CLASS="literal"
+>IN</VAR
+> (for <VAR
+CLASS="varname"
+>Internet</VAR
+>),
+is assumed. This is correct for the vast majority of cases.</P
+><P
+>The <VAR
+CLASS="literal"
+>hesiod</VAR
+> class is
+named for an information service from MIT's Project Athena. It is
+used to share information about various systems databases, such
+as users, groups, printers and so on. The keyword
+<VAR
+CLASS="literal"
+>HS</VAR
+> is
+a synonym for hesiod.</P
+><P
+>Another MIT development is CHAOSnet, a LAN protocol created
+in the mid-1970s. Zone data for it can be specified with the <VAR
+CLASS="literal"
+>CHAOS</VAR
+> class.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN3692"
+>6.2.24.3. Zone Options</A
+></H3
+><P
+></P
+><DIV
+CLASS="variablelist"
+><DL
+><DT
+><B
+CLASS="command"
+>allow-notify</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>allow-notify</B
+> in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-query</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>allow-query</B
+> in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-transfer</B
+></DT
+><DD
+><P
+>See the description of <B
+CLASS="command"
+>allow-transfer</B
+>
+in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update</B
+></DT
+><DD
+><P
+>Specifies which hosts are allowed to
+submit Dynamic DNS updates for master zones. The default is to deny
+updates from all hosts. Note that allowing updates based
+on the requestor's IP address is insecure; see
+<A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Section 7.3</A
+> for details.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>update-policy</B
+></DT
+><DD
+><P
+>Specifies a "Simple Secure Update" policy. See
+<A
+HREF="Bv9ARM.ch06.html#dynamic_update_policies"
+>Section 6.2.24.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>allow-update-forwarding</B
+></DT
+><DD
+><P
+>See the description of <B
+CLASS="command"
+>allow-update-forwarding</B
+>
+in <A
+HREF="Bv9ARM.ch06.html#access_control"
+>Section 6.2.16.4</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>also-notify</B
+></DT
+><DD
+><P
+>Only meaningful if <B
+CLASS="command"
+>notify</B
+> is
+active for this zone. The set of machines that will receive a
+<VAR
+CLASS="literal"
+>DNS NOTIFY</VAR
+> message
+for this zone is made up of all the listed name servers (other than
+the primary master) for the zone plus any IP addresses specified
+with <B
+CLASS="command"
+>also-notify</B
+>. A port may be specified
+with each <B
+CLASS="command"
+>also-notify</B
+> address to send the notify
+messages to a port other than the default of 53.
+<B
+CLASS="command"
+>also-notify</B
+> is not meaningful for stub zones.
+The default is the empty list.</P
+></DD
+><DT
+><B
+CLASS="command"
+>check-names</B
+></DT
+><DD
+><P
+>&#13;This option is used to restrict the character set and syntax of
+certain domain names in master files and/or DNS responses received from the
+network.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>database</B
+></DT
+><DD
+><P
+>Specify the type of database to be used for storing the
+zone data. The string following the <B
+CLASS="command"
+>database</B
+> keyword
+is interpreted as a list of whitespace-delimited words. The first word
+identifies the database type, and any subsequent words are passed
+as arguments to the database to be interpreted in a way specific
+to the database type.</P
+><P
+>The default is <KBD
+CLASS="userinput"
+>"rbt"</KBD
+>, BIND 9's native in-memory
+red-black-tree database. This database does not take arguments.</P
+><P
+>Other values are possible if additional database drivers
+have been linked into the server. Some sample drivers are included
+with the distribution but none are linked in by default.</P
+></DD
+><DT
+><B
+CLASS="command"
+>dialup</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>dialup</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>delegation-only</B
+></DT
+><DD
+><P
+>The flag only applies to hint and stub zones. If set
+to <KBD
+CLASS="userinput"
+>yes</KBD
+> then the zone will also be treated as if it
+is also a delegation-only type zone.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>forward</B
+></DT
+><DD
+><P
+>Only meaningful if the zone has a forwarders
+list. The <B
+CLASS="command"
+>only</B
+> value causes the lookup to fail
+after trying the forwarders and getting no answer, while <B
+CLASS="command"
+>first</B
+> would
+allow a normal lookup to be tried.</P
+></DD
+><DT
+><B
+CLASS="command"
+>forwarders</B
+></DT
+><DD
+><P
+>Used to override the list of global forwarders.
+If it is not specified in a zone of type <B
+CLASS="command"
+>forward</B
+>,
+no forwarding is done for the zone; the global options are not used.</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-base</B
+></DT
+><DD
+><P
+>Was used in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8 to specify the name
+of the transaction log (journal) file for dynamic update and IXFR.
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 ignores the option and constructs the name of the journal
+file by appending "<TT
+CLASS="filename"
+>.jnl</TT
+>" to the name of the
+zone file.</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-tmp-file</B
+></DT
+><DD
+><P
+>Was an undocumented option in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8.
+Ignored in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-in</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-time-in</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-in</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-idle-in</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-time-out</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-time-out</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>max-transfer-idle-out</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>max-transfer-idle-out</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>pubkey</B
+></DT
+><DD
+><P
+>In <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 8, this option was intended for specifying
+a public zone key for verification of signatures in DNSSEC signed
+zones when they are loaded from disk. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 does not verify signatures
+on load and ignores the option.</P
+></DD
+><DT
+><B
+CLASS="command"
+>zone-statistics</B
+></DT
+><DD
+><P
+>If <KBD
+CLASS="userinput"
+>yes</KBD
+>, the server will keep statistical
+information for this zone, which can be dumped to the
+<B
+CLASS="command"
+>statistics-file</B
+> defined in the server options.</P
+></DD
+><DT
+><B
+CLASS="command"
+>sig-validity-interval</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>sig-validity-interval</B
+> in <A
+HREF="Bv9ARM.ch06.html#tuning"
+>Section 6.2.16.15</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>transfer-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>transfer-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>alt-transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>alt-transfer-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>alt-transfer-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>use-alt-transfer-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>use-alt-transfer-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify-source</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>notify-source-v6</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>notify-source-v6</B
+> in <A
+HREF="Bv9ARM.ch06.html#zone_transfers"
+>Section 6.2.16.7</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>min-refresh-time</B
+>, <B
+CLASS="command"
+>max-refresh-time</B
+>, <B
+CLASS="command"
+>min-retry-time</B
+>, <B
+CLASS="command"
+>max-retry-time</B
+></DT
+><DD
+><P
+>&#13;See the description in <A
+HREF="Bv9ARM.ch06.html#tuning"
+>Section 6.2.16.15</A
+>.
+</P
+></DD
+><DT
+><B
+CLASS="command"
+>ixfr-from-differences</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>ixfr-from-differences</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+><DT
+><B
+CLASS="command"
+>key-directory</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>key-directory</B
+> in <A
+HREF="Bv9ARM.ch06.html#options"
+>Section 6.2.16</A
+></P
+></DD
+><DT
+><B
+CLASS="command"
+>multi-master</B
+></DT
+><DD
+><P
+>See the description of
+<B
+CLASS="command"
+>multi-master</B
+> in <A
+HREF="Bv9ARM.ch06.html#boolean_options"
+>Section 6.2.16.1</A
+>.</P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="dynamic_update_policies"
+>6.2.24.4. Dynamic Update Policies</A
+></H3
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 supports two alternative methods of granting clients
+the right to perform dynamic updates to a zone,
+configured by the <B
+CLASS="command"
+>allow-update</B
+> and
+<B
+CLASS="command"
+>update-policy</B
+> option, respectively.</P
+><P
+>The <B
+CLASS="command"
+>allow-update</B
+> clause works the same
+way as in previous versions of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>. It grants given clients the
+permission to update any record of any name in the zone.</P
+><P
+>The <B
+CLASS="command"
+>update-policy</B
+> clause is new in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+9 and allows more fine-grained control over what updates are allowed.
+A set of rules is specified, where each rule either grants or denies
+permissions for one or more names to be updated by one or more identities.
+ If the dynamic update request message is signed (that is, it includes
+either a TSIG or SIG(0) record), the identity of the signer can
+be determined.</P
+><P
+>Rules are specified in the <B
+CLASS="command"
+>update-policy</B
+> zone
+option, and are only meaningful for master zones. When the <B
+CLASS="command"
+>update-policy</B
+> statement
+is present, it is a configuration error for the <B
+CLASS="command"
+>allow-update</B
+> statement
+to be present. The <B
+CLASS="command"
+>update-policy</B
+> statement only
+examines the signer of a message; the source address is not relevant.</P
+><P
+>This is how a rule definition looks:</P
+><PRE
+CLASS="programlisting"
+>&#13;( <B
+CLASS="command"
+>grant</B
+> | <B
+CLASS="command"
+>deny</B
+> ) <VAR
+CLASS="replaceable"
+>identity</VAR
+> <VAR
+CLASS="replaceable"
+>nametype</VAR
+> <VAR
+CLASS="replaceable"
+>name</VAR
+> [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>types</VAR
+> </SPAN
+>]
+</PRE
+><P
+>Each rule grants or denies privileges. Once a message has
+successfully matched a rule, the operation is immediately granted
+or denied and no further rules are examined. A rule is matched
+when the signer matches the identity field, the name matches the
+name field in accordance with the nametype field, and the type matches
+the types specified in the type field.</P
+><P
+>The identity field specifies a name or a wildcard name. Normally, this
+is the name of the TSIG or SIG(0) key used to sign the update request. When a
+TKEY exchange has been used to create a shared secret, the identity of the
+shared secret is the same as the identity of the key used to authenticate the
+TKEY exchange. When the <VAR
+CLASS="replaceable"
+>identity</VAR
+> field specifies a
+wildcard name, it is subject to DNS wildcard expansion, so the rule will apply
+to multiple identities. The <VAR
+CLASS="replaceable"
+>identity</VAR
+> field must
+contain a fully qualified domain name.</P
+><P
+>The <VAR
+CLASS="replaceable"
+>nametype</VAR
+> field has 4 values:
+<VAR
+CLASS="varname"
+>name</VAR
+>, <VAR
+CLASS="varname"
+>subdomain</VAR
+>,
+<VAR
+CLASS="varname"
+>wildcard</VAR
+>, and <VAR
+CLASS="varname"
+>self</VAR
+>.
+</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN3974"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>name</VAR
+></P
+></TD
+><TD
+><P
+>Exact-match semantics. This rule matches when the
+name being updated is identical to the contents of the
+<VAR
+CLASS="replaceable"
+>name</VAR
+> field.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>subdomain</VAR
+></P
+></TD
+><TD
+><P
+>This rule matches when the name being updated
+is a subdomain of, or identical to, the contents of the
+<VAR
+CLASS="replaceable"
+>name</VAR
+> field.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>wildcard</VAR
+></P
+></TD
+><TD
+><P
+>The <VAR
+CLASS="replaceable"
+>name</VAR
+> field is
+subject to DNS wildcard expansion, and this rule matches when the name
+being updated name is a valid expansion of the wildcard.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="varname"
+>self</VAR
+></P
+></TD
+><TD
+><P
+>This rule matches when the name being updated
+matches the contents of the <VAR
+CLASS="replaceable"
+>identity</VAR
+> field.
+The <VAR
+CLASS="replaceable"
+>name</VAR
+> field is ignored, but should be
+the same as the <VAR
+CLASS="replaceable"
+>identity</VAR
+> field. The
+<VAR
+CLASS="varname"
+>self</VAR
+> nametype is most useful when allowing using
+one key per name to update, where the key has the same name as the name
+to be updated. The <VAR
+CLASS="replaceable"
+>identity</VAR
+> would be
+specified as <CODE
+CLASS="constant"
+>*</CODE
+> in this case.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>In all cases, the <VAR
+CLASS="replaceable"
+>name</VAR
+> field must
+specify a fully qualified domain name.</P
+><P
+>If no types are explicitly specified, this rule matches all types except
+SIG, NS, SOA, and NXT. Types may be specified by name, including
+"ANY" (ANY matches all types except NXT, which can never be updated).
+Note that when an attempt is made to delete all records associated with a
+name, the rules are checked for each existing record type.
+</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4015"
+>6.3. Zone File</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="types_of_resource_records_and_when_to_use_them"
+>6.3.1. Types of Resource Records and When to Use Them</A
+></H2
+><P
+>This section, largely borrowed from RFC 1034, describes the
+concept of a Resource Record (RR) and explains when each is used.
+Since the publication of RFC 1034, several new RRs have been identified
+and implemented in the DNS. These are also included.</P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4020"
+>6.3.1.1. Resource Records</A
+></H3
+><P
+>A domain name identifies a node. Each node has a set of
+ resource information, which may be empty. The set of resource
+ information associated with a particular name is composed of
+ separate RRs. The order of RRs in a set is not significant and
+ need not be preserved by name servers, resolvers, or other
+ parts of the DNS. However, sorting of multiple RRs is
+ permitted for optimization purposes, for example, to specify
+ that a particular nearby server be tried first. See <A
+HREF="Bv9ARM.ch06.html#the_sortlist_statement"
+>Section 6.2.16.13</A
+> and <A
+HREF="Bv9ARM.ch06.html#rrset_ordering"
+>Section 6.2.16.14</A
+>.</P
+><P
+>The components of a Resource Record are:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4026"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>owner name</P
+></TD
+><TD
+><P
+>the domain name where the RR is found.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>type</P
+></TD
+><TD
+><P
+>an encoded 16 bit value that specifies
+the type of the resource record.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>TTL</P
+></TD
+><TD
+><P
+>the time to live of the RR. This field
+is a 32 bit integer in units of seconds, and is primarily used by
+resolvers when they cache RRs. The TTL describes how long a RR can
+be cached before it should be discarded.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>class</P
+></TD
+><TD
+><P
+>an encoded 16 bit value that identifies
+a protocol family or instance of a protocol.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>RDATA</P
+></TD
+><TD
+><P
+>the resource data. The format of the
+data is type (and sometimes class) specific.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following are <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>types</I
+></SPAN
+> of valid RRs:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4058"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>A</P
+></TD
+><TD
+><P
+>a host address. In the IN class, this is a
+32-bit IP address. Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>AAAA</P
+></TD
+><TD
+><P
+>IPv6 address. Described in RFC 1886.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>A6</P
+></TD
+><TD
+><P
+>IPv6 address. This can be a partial
+address (a suffix) and an indirection to the name where the rest of the
+address (the prefix) can be found. Experimental. Described in RFC 2874.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>AFSDB</P
+></TD
+><TD
+><P
+>location of AFS database servers.
+Experimental. Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>APL</P
+></TD
+><TD
+><P
+>address prefix list. Experimental.
+Described in RFC 3123.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>CERT</P
+></TD
+><TD
+><P
+>holds a digital certificate.
+Described in RFC 2538.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>CNAME</P
+></TD
+><TD
+><P
+>identifies the canonical name of an alias.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>DNAME</P
+></TD
+><TD
+><P
+>Replaces the domain name specified with
+another name to be looked up, effectively aliasing an entire
+subtree of the domain name space rather than a single record
+as in the case of the CNAME RR.
+Described in RFC 2672.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>GPOS</P
+></TD
+><TD
+><P
+>Specifies the global position. Superseded by LOC.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>HINFO</P
+></TD
+><TD
+><P
+>identifies the CPU and OS used by a host.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>ISDN</P
+></TD
+><TD
+><P
+>representation of ISDN addresses.
+Experimental. Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>KEY</P
+></TD
+><TD
+><P
+>stores a public key associated with a
+DNS name. Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>KX</P
+></TD
+><TD
+><P
+>identifies a key exchanger for this
+DNS name. Described in RFC 2230.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>LOC</P
+></TD
+><TD
+><P
+>for storing GPS info. Described in RFC 1876.
+Experimental.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>MX</P
+></TD
+><TD
+><P
+>identifies a mail exchange for the domain.
+a 16 bit preference value (lower is better)
+followed by the host name of the mail exchange.
+Described in RFC 974, RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>NAPTR</P
+></TD
+><TD
+><P
+>name authority pointer. Described in RFC 2915.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>NSAP</P
+></TD
+><TD
+><P
+>a network service access point.
+Described in RFC 1706.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>NS</P
+></TD
+><TD
+><P
+>the authoritative name server for the
+domain. Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>NXT</P
+></TD
+><TD
+><P
+>used in DNSSEC to securely indicate that
+RRs with an owner name in a certain name interval do not exist in
+a zone and indicate what RR types are present for an existing name.
+Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>PTR</P
+></TD
+><TD
+><P
+>a pointer to another part of the domain
+name space. Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>PX</P
+></TD
+><TD
+><P
+>provides mappings between RFC 822 and X.400
+addresses. Described in RFC 2163.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>RP</P
+></TD
+><TD
+><P
+>information on persons responsible
+for the domain. Experimental. Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>RT</P
+></TD
+><TD
+><P
+>route-through binding for hosts that
+do not have their own direct wide area network addresses.
+Experimental. Described in RFC 1183.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>SIG</P
+></TD
+><TD
+><P
+>("signature") contains data authenticated
+in the secure DNS. Described in RFC 2535.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>SOA</P
+></TD
+><TD
+><P
+>identifies the start of a zone of authority.
+Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>SRV</P
+></TD
+><TD
+><P
+>information about well known network
+services (replaces WKS). Described in RFC 2782.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>TXT</P
+></TD
+><TD
+><P
+>text records. Described in RFC 1035.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>WKS</P
+></TD
+><TD
+><P
+>information about which well known
+network services, such as SMTP, that a domain supports. Historical.
+</P
+></TD
+></TR
+><TR
+><TD
+><P
+>X25</P
+></TD
+><TD
+><P
+>representation of X.25 network addresses.
+Experimental. Described in RFC 1183.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The following <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>classes</I
+></SPAN
+> of resource records
+are currently valid in the DNS:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4210"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>IN</P
+></TD
+><TD
+><P
+>The Internet.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>CH</P
+></TD
+><TD
+><P
+>&#13;CHAOSnet, a LAN protocol created at MIT in the mid-1970s.
+Rarely used for its historical purpose, but reused for BIND's
+built-in server information zones, e.g.,
+<VAR
+CLASS="literal"
+>version.bind</VAR
+>.
+</P
+></TD
+></TR
+><TR
+><TD
+><P
+>HS</P
+></TD
+><TD
+><P
+>&#13;Hesiod, an information service
+developed by MIT's Project Athena. It is used to share information
+about various systems databases, such as users, groups, printers
+and so on.
+</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The owner name is often implicit, rather than forming an integral
+part of the RR. For example, many name servers internally form tree
+or hash structures for the name space, and chain RRs off nodes.
+ The remaining RR parts are the fixed header (type, class, TTL)
+which is consistent for all RRs, and a variable part (RDATA) that
+fits the needs of the resource being described.</P
+><P
+>The meaning of the TTL field is a time limit on how long an
+RR can be kept in a cache. This limit does not apply to authoritative
+data in zones; it is also timed out, but by the refreshing policies
+for the zone. The TTL is assigned by the administrator for the
+zone where the data originates. While short TTLs can be used to
+minimize caching, and a zero TTL prohibits caching, the realities
+of Internet performance suggest that these times should be on the
+order of days for the typical host. If a change can be anticipated,
+the TTL can be reduced prior to the change to minimize inconsistency
+during the change, and then increased back to its former value following
+the change.</P
+><P
+>The data in the RDATA section of RRs is carried as a combination
+of binary strings and domain names. The domain names are frequently
+used as "pointers" to other data in the DNS.</P
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4234"
+>6.3.1.2. Textual expression of RRs</A
+></H3
+><P
+>RRs are represented in binary form in the packets of the DNS
+protocol, and are usually represented in highly encoded form when
+stored in a name server or resolver. In the examples provided in
+RFC 1034, a style similar to that used in master files was employed
+in order to show the contents of RRs. In this format, most RRs
+are shown on a single line, although continuation lines are possible
+using parentheses.</P
+><P
+>The start of the line gives the owner of the RR. If a line
+begins with a blank, then the owner is assumed to be the same as
+that of the previous RR. Blank lines are often included for readability.</P
+><P
+>Following the owner, we list the TTL, type, and class of the
+RR. Class and type use the mnemonics defined above, and TTL is
+an integer before the type field. In order to avoid ambiguity in
+parsing, type and class mnemonics are disjoint, TTLs are integers,
+and the type mnemonic is always last. The IN class and TTL values
+are often omitted from examples in the interests of clarity.</P
+><P
+>The resource data or RDATA section of the RR are given using
+knowledge of the typical representation for the data.</P
+><P
+>For example, we might show the RRs carried in a message as:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4241"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>ISI.EDU.</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MX</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10 VENERA.ISI.EDU.</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MX</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10 VAXA.ISI.EDU</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>VENERA.ISI.EDU</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>128.9.0.32</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.1.0.52</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>VAXA.ISI.EDU</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.2.0.27</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>128.9.0.33</VAR
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The MX RRs have an RDATA section which consists of a 16 bit
+number followed by a domain name. The address RRs use a standard
+IP address format to contain a 32 bit internet address.</P
+><P
+>This example shows six RRs, with two RRs at each of three
+domain names.</P
+><P
+>Similarly we might see:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4307"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>XX.LCS.MIT.EDU. IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.44</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>CH</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MIT.EDU. 2420</VAR
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>This example shows two addresses for <VAR
+CLASS="literal"
+>XX.LCS.MIT.EDU</VAR
+>,
+each of a different class.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4335"
+>6.3.2. Discussion of MX Records</A
+></H2
+><P
+>As described above, domain servers store information as a
+series of resource records, each of which contains a particular
+piece of information about a given domain name (which is usually,
+but not always, a host). The simplest way to think of a RR is as
+a typed pair of data, a domain name matched with a relevant datum,
+and stored with some additional type information to help systems
+determine when the RR is relevant.</P
+><P
+>MX records are used to control delivery of email. The data
+specified in the record is a priority and a domain name. The priority
+controls the order in which email delivery is attempted, with the
+lowest number first. If two priorities are the same, a server is
+chosen randomly. If no servers at a given priority are responding,
+the mail transport agent will fall back to the next largest priority.
+Priority numbers do not have any absolute meaning &#8212; they are relevant
+only respective to other MX records for that domain name. The domain
+name given is the machine to which the mail will be delivered. It <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>must</I
+></SPAN
+> have
+an associated A record &#8212; CNAME is not sufficient.</P
+><P
+>For a given domain, if there is both a CNAME record and an
+MX record, the MX record is in error, and will be ignored. Instead,
+the mail will be delivered to the server specified in the MX record
+pointed to by the CNAME.</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4341"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>example.com.</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MX</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>mail.example.com.</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MX</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>mail2.example.com.</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>MX</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>20</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>mail.backup.org.</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>mail.example.com.</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.1</VAR
+></P
+></TD
+><TD
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>mail2.example.com.</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>A</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>10.0.0.2</VAR
+></P
+></TD
+><TD
+><P
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>For example:</P
+><P
+>Mail delivery will be attempted to <VAR
+CLASS="literal"
+>mail.example.com</VAR
+> and
+<VAR
+CLASS="literal"
+>mail2.example.com</VAR
+> (in
+any order), and if neither of those succeed, delivery to <VAR
+CLASS="literal"
+>mail.backup.org</VAR
+> will
+be attempted.</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="Setting_TTLs"
+>6.3.3. Setting TTLs</A
+></H2
+><P
+>The time to live of the RR field is a 32 bit integer represented
+in units of seconds, and is primarily used by resolvers when they
+cache RRs. The TTL describes how long a RR can be cached before it
+should be discarded. The following three types of TTL are currently
+used in a zone file.</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4433"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>SOA</P
+></TD
+><TD
+><P
+>The last field in the SOA is the negative
+caching TTL. This controls how long other servers will cache no-such-domain
+(NXDOMAIN) responses from you.</P
+><P
+>The maximum time for
+negative caching is 3 hours (3h).</P
+></TD
+></TR
+><TR
+><TD
+><P
+>$TTL</P
+></TD
+><TD
+><P
+>The $TTL directive at the top of the
+zone file (before the SOA) gives a default TTL for every RR without
+a specific TTL set.</P
+></TD
+></TR
+><TR
+><TD
+><P
+>RR TTLs</P
+></TD
+><TD
+><P
+>Each RR can have a TTL as the second
+field in the RR, which will control how long other servers can cache
+the it.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>All of these TTLs default to units of seconds, though units
+can be explicitly specified, for example, <VAR
+CLASS="literal"
+>1h30m</VAR
+>. </P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4456"
+>6.3.4. Inverse Mapping in IPv4</A
+></H2
+><P
+>Reverse name resolution (that is, translation from IP address
+to name) is achieved by means of the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>in-addr.arpa</I
+></SPAN
+> domain
+and PTR records. Entries in the in-addr.arpa domain are made in
+least-to-most significant order, read left to right. This is the
+opposite order to the way IP addresses are usually written. Thus,
+a machine with an IP address of 10.1.2.3 would have a corresponding
+in-addr.arpa name of
+3.2.1.10.in-addr.arpa. This name should have a PTR resource record
+whose data field is the name of the machine or, optionally, multiple
+PTR records if the machine has more than one name. For example,
+in the [<SPAN
+CLASS="optional"
+>example.com</SPAN
+>] domain:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4461"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>$ORIGIN</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>2.1.10.in-addr.arpa</VAR
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+><VAR
+CLASS="literal"
+>3</VAR
+></P
+></TD
+><TD
+><P
+><VAR
+CLASS="literal"
+>IN PTR foo.example.com.</VAR
+></P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>The <B
+CLASS="command"
+>$ORIGIN</B
+> lines in the examples
+are for providing context to the examples only-they do not necessarily
+appear in the actual usage. They are only used here to indicate
+that the example is relative to the listed origin.</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4483"
+>6.3.5. Other Zone File Directives</A
+></H2
+><P
+>The Master File Format was initially defined in RFC 1035 and
+has subsequently been extended. While the Master File Format itself
+is class independent all records in a Master File must be of the same
+class.</P
+><P
+>Master File Directives include <B
+CLASS="command"
+>$ORIGIN</B
+>, <B
+CLASS="command"
+>$INCLUDE</B
+>,
+and <B
+CLASS="command"
+>$TTL.</B
+></P
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4490"
+>6.3.5.1. The <B
+CLASS="command"
+>$ORIGIN</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$ORIGIN
+</B
+><VAR
+CLASS="replaceable"
+>domain-name</VAR
+> [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>comment</VAR
+></SPAN
+>]</P
+><P
+><B
+CLASS="command"
+>$ORIGIN</B
+> sets the domain name that will
+be appended to any unqualified records. When a zone is first read
+in there is an implicit <B
+CLASS="command"
+>$ORIGIN</B
+> &#60;<VAR
+CLASS="varname"
+>zone-name</VAR
+>&#62;<B
+CLASS="command"
+>.</B
+> The
+current <B
+CLASS="command"
+>$ORIGIN</B
+> is appended to the domain specified
+in the <B
+CLASS="command"
+>$ORIGIN</B
+> argument if it is not absolute.</P
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="literal"
+>$ORIGIN example.com.
+WWW CNAME MAIN-SERVER</VAR
+></PRE
+><P
+>is equivalent to</P
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="literal"
+>WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.</VAR
+></PRE
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4510"
+>6.3.5.2. The <B
+CLASS="command"
+>$INCLUDE</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$INCLUDE</B
+>
+<VAR
+CLASS="replaceable"
+>filename</VAR
+> [<SPAN
+CLASS="optional"
+>&#13;<VAR
+CLASS="replaceable"
+>origin</VAR
+> </SPAN
+>] [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>comment</VAR
+> </SPAN
+>]</P
+><P
+>Read and process the file <TT
+CLASS="filename"
+>filename</TT
+> as
+if it were included into the file at this point. If <B
+CLASS="command"
+>origin</B
+> is
+specified the file is processed with <B
+CLASS="command"
+>$ORIGIN</B
+> set
+to that value, otherwise the current <B
+CLASS="command"
+>$ORIGIN</B
+> is
+used.</P
+><P
+>The origin and the current domain name
+revert to the values they had prior to the <B
+CLASS="command"
+>$INCLUDE</B
+> once
+the file has been read.</P
+><DIV
+CLASS="note"
+><BLOCKQUOTE
+CLASS="note"
+><P
+><B
+>Note: </B
+>
+RFC 1035 specifies that the current origin should be restored after
+an <B
+CLASS="command"
+>$INCLUDE</B
+>, but it is silent on whether the current
+domain name should also be restored. BIND 9 restores both of them.
+This could be construed as a deviation from RFC 1035, a feature, or both.
+</P
+></BLOCKQUOTE
+></DIV
+></DIV
+><DIV
+CLASS="sect3"
+><H3
+CLASS="sect3"
+><A
+NAME="AEN4530"
+>6.3.5.3. The <B
+CLASS="command"
+>$TTL</B
+> Directive</A
+></H3
+><P
+>Syntax: <B
+CLASS="command"
+>$TTL</B
+>
+<VAR
+CLASS="replaceable"
+>default-ttl</VAR
+> [<SPAN
+CLASS="optional"
+>&#13;<VAR
+CLASS="replaceable"
+>comment</VAR
+> </SPAN
+>]</P
+><P
+>Set the default Time To Live (TTL) for subsequent records
+with undefined TTLs. Valid TTLs are of the range 0-2147483647 seconds.</P
+><P
+><B
+CLASS="command"
+>$TTL</B
+> is defined in RFC 2308.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4541"
+>6.3.6. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Master File Extension: the <B
+CLASS="command"
+>$GENERATE</B
+> Directive</A
+></H2
+><P
+>Syntax: <B
+CLASS="command"
+>$GENERATE</B
+> <VAR
+CLASS="replaceable"
+>range</VAR
+> <VAR
+CLASS="replaceable"
+>lhs</VAR
+> [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>ttl</VAR
+></SPAN
+>] [<SPAN
+CLASS="optional"
+><VAR
+CLASS="replaceable"
+>class</VAR
+></SPAN
+>] <VAR
+CLASS="replaceable"
+>type</VAR
+> <VAR
+CLASS="replaceable"
+>rhs</VAR
+> [<SPAN
+CLASS="optional"
+> <VAR
+CLASS="replaceable"
+>comment</VAR
+> </SPAN
+>]</P
+><P
+><B
+CLASS="command"
+>$GENERATE</B
+> is used to create a series of
+resource records that only differ from each other by an iterator. <B
+CLASS="command"
+>$GENERATE</B
+> can
+be used to easily generate the sets of records required to support
+sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA
+delegation.</P
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="literal"
+>$ORIGIN 0.0.192.IN-ADDR.ARPA.
+$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
+$GENERATE 1-127 $ CNAME $.0</VAR
+></PRE
+><P
+>is equivalent to</P
+><PRE
+CLASS="programlisting"
+><VAR
+CLASS="literal"
+>0.0.0.192.IN-ADDR.ARPA NS SERVER1.EXAMPLE.
+0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
+1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
+2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
+...
+127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
+</VAR
+></PRE
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4565"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>range</B
+></P
+></TD
+><TD
+><P
+>This can be one of two forms: start-stop
+or start-stop/step. If the first form is used then step is set to
+ 1. All of start, stop and step must be positive.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>lhs</B
+></P
+></TD
+><TD
+><P
+><B
+CLASS="command"
+>lhs</B
+> describes the
+owner name of the resource records to be created. Any single <B
+CLASS="command"
+>$</B
+> symbols
+within the <B
+CLASS="command"
+>lhs</B
+> side are replaced by the iterator
+value.
+To get a $ in the output you need to escape the <B
+CLASS="command"
+>$</B
+>
+using a backslash <B
+CLASS="command"
+>\</B
+>,
+e.g. <B
+CLASS="command"
+>\$</B
+>. The <B
+CLASS="command"
+>$</B
+> may optionally be followed
+by modifiers which change the offset from the iterator, field width and base.
+Modifiers are introduced by a <B
+CLASS="command"
+>{</B
+> immediately following the
+<B
+CLASS="command"
+>$</B
+> as <B
+CLASS="command"
+>${offset[,width[,base]]}</B
+>.
+e.g. <B
+CLASS="command"
+>${-20,3,d}</B
+> which subtracts 20 from the current value,
+prints the result as a decimal in a zero padded field of with 3. Available
+output forms are decimal (<B
+CLASS="command"
+>d</B
+>), octal (<B
+CLASS="command"
+>o</B
+>)
+and hexadecimal (<B
+CLASS="command"
+>x</B
+> or <B
+CLASS="command"
+>X</B
+> for uppercase).
+The default modifier is <B
+CLASS="command"
+>${0,0,d}</B
+>.
+If the <B
+CLASS="command"
+>lhs</B
+> is not
+absolute, the current <B
+CLASS="command"
+>$ORIGIN</B
+> is appended to
+the name.</P
+>
+<P
+>For compatibility with earlier versions <B
+CLASS="command"
+>$$</B
+> is still
+recognized a indicating a literal $ in the output.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>ttl</B
+></P
+></TD
+><TD
+><P
+><B
+CLASS="command"
+>ttl</B
+> specifies the
+ ttl of the generated records. If not specified this will be
+ inherited using the normal ttl inheritance rules.</P
+>
+ <P
+><B
+CLASS="command"
+>class</B
+> and <B
+CLASS="command"
+>ttl</B
+> can be
+ entered in either order.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>class</B
+></P
+></TD
+><TD
+><P
+><B
+CLASS="command"
+>class</B
+> specifies the
+ class of the generated records. This must match the zone class if
+ it is specified.</P
+>
+ <P
+><B
+CLASS="command"
+>class</B
+> and <B
+CLASS="command"
+>ttl</B
+> can be
+ entered in either order.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>type</B
+></P
+></TD
+><TD
+><P
+>At present the only supported types are
+PTR, CNAME, DNAME, A, AAAA and NS.</P
+></TD
+></TR
+><TR
+><TD
+><P
+><B
+CLASS="command"
+>rhs</B
+></P
+></TD
+><TD
+><P
+>rhs is a domain name. It is processed
+similarly to lhs.</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>The <B
+CLASS="command"
+>$GENERATE</B
+> directive is a <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> extension
+and not part of the standard zone file format.</P
+><P
+>BIND 8 does not support the optional TTL and CLASS fields.</P
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch05.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Lightweight Resolver</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Security Considerations</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
new file mode 100644
index 0000000..a7c4707
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch07.html
@@ -0,0 +1,500 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Security Considerations</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Configuration Reference"
+HREF="Bv9ARM.ch06.html"><LINK
+REL="NEXT"
+TITLE="Troubleshooting"
+HREF="Bv9ARM.ch08.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch07"
+></A
+>Chapter 7. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Security Considerations</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>7.1. <A
+HREF="Bv9ARM.ch07.html#Access_Control_Lists"
+>Access Control Lists</A
+></DT
+><DT
+>7.2. <A
+HREF="Bv9ARM.ch07.html#AEN4658"
+><B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></DT
+><DT
+>7.3. <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Dynamic Update Security</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="Access_Control_Lists"
+>7.1. Access Control Lists</A
+></H1
+><P
+>Access Control Lists (ACLs), are address match lists that
+you can set up and nickname for future use in <B
+CLASS="command"
+>allow-notify</B
+>,
+<B
+CLASS="command"
+>allow-query</B
+>, <B
+CLASS="command"
+>allow-recursion</B
+>,
+<B
+CLASS="command"
+>blackhole</B
+>, <B
+CLASS="command"
+>allow-transfer</B
+>,
+etc.</P
+><P
+>Using ACLs allows you to have finer control over who can access
+your name server, without cluttering up your config files with huge
+lists of IP addresses.</P
+><P
+>It is a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>good idea</I
+></SPAN
+> to use ACLs, and to
+control access to your server. Limiting access to your server by
+outside parties can help prevent spoofing and DoS attacks against
+your server.</P
+><P
+>Here is an example of how to properly apply ACLs:</P
+><PRE
+CLASS="programlisting"
+>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,
+// which is commonly used in spoofing attacks.
+acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
+// Set up an ACL called our-nets. Replace this with the real IP numbers.
+acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+options {
+ ...
+ ...
+ allow-query { our-nets; };
+ allow-recursion { our-nets; };
+ ...
+ blackhole { bogusnets; };
+ ...
+};
+zone "example.com" {
+ type master;
+ file "m/example.com";
+ allow-query { any; };
+};
+</PRE
+><P
+>This allows recursive queries of the server from the outside
+unless recursion has been previously disabled.</P
+><P
+>For more information on how to use ACLs to protect your server,
+see the <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>AUSCERT</I
+></SPAN
+> advisory at
+<A
+HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
+TARGET="_top"
+>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A
+></P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4658"
+>7.2. <B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></H1
+><P
+>On UNIX servers, it is possible to run <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> in a <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>chrooted</I
+></SPAN
+> environment
+(<B
+CLASS="command"
+>chroot()</B
+>) by specifying the "<VAR
+CLASS="option"
+>-t</VAR
+>"
+option. This can help improve system security by placing <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> in
+a "sandbox", which will limit the damage done if a server is compromised.</P
+><P
+>Another useful feature in the UNIX version of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> is the
+ability to run the daemon as an unprivileged user ( <VAR
+CLASS="option"
+>-u</VAR
+> <VAR
+CLASS="replaceable"
+>user</VAR
+> ).
+We suggest running as an unprivileged user when using the <B
+CLASS="command"
+>chroot</B
+> feature.</P
+><P
+>Here is an example command line to load <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> in a <B
+CLASS="command"
+>chroot()</B
+> sandbox,
+<B
+CLASS="command"
+>/var/named</B
+>, and to run <B
+CLASS="command"
+>named</B
+> <B
+CLASS="command"
+>setuid</B
+> to
+user 202:</P
+><P
+><KBD
+CLASS="userinput"
+>/usr/local/bin/named -u 202 -t /var/named</KBD
+></P
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4681"
+>7.2.1. The <B
+CLASS="command"
+>chroot</B
+> Environment</A
+></H2
+><P
+>In order for a <B
+CLASS="command"
+>chroot()</B
+> environment to
+work properly in a particular directory
+(for example, <TT
+CLASS="filename"
+>/var/named</TT
+>),
+you will need to set up an environment that includes everything
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> needs to run.
+From <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>'s point of view, <TT
+CLASS="filename"
+>/var/named</TT
+> is
+the root of the filesystem. You will need to adjust the values of options like
+like <B
+CLASS="command"
+>directory</B
+> and <B
+CLASS="command"
+>pid-file</B
+> to account
+for this.
+</P
+><P
+>&#13;Unlike with earlier versions of BIND, you will typically
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>not</I
+></SPAN
+> need to compile <B
+CLASS="command"
+>named</B
+>
+statically nor install shared libraries under the new root.
+However, depending on your operating system, you may need
+to set up things like
+<TT
+CLASS="filename"
+>/dev/zero</TT
+>,
+<TT
+CLASS="filename"
+>/dev/random</TT
+>,
+<TT
+CLASS="filename"
+>/dev/log</TT
+>, and/or
+<TT
+CLASS="filename"
+>/etc/localtime</TT
+>.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4699"
+>7.2.2. Using the <B
+CLASS="command"
+>setuid</B
+> Function</A
+></H2
+><P
+>Prior to running the <B
+CLASS="command"
+>named</B
+> daemon, use
+the <B
+CLASS="command"
+>touch</B
+> utility (to change file access and
+modification times) or the <B
+CLASS="command"
+>chown</B
+> utility (to
+set the user id and/or group id) on files
+to which you want <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+to write. Note that if the <B
+CLASS="command"
+>named</B
+> daemon is running as an
+unprivileged user, it will not be able to bind to new restricted ports if the
+server is reloaded.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="dynamic_update_security"
+>7.3. Dynamic Update Security</A
+></H1
+><P
+>Access to the dynamic
+update facility should be strictly limited. In earlier versions of
+<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> the only way to do this was based on the IP
+address of the host requesting the update, by listing an IP address or
+network prefix in the <B
+CLASS="command"
+>allow-update</B
+> zone option.
+This method is insecure since the source address of the update UDP packet
+is easily forged. Also note that if the IP addresses allowed by the
+<B
+CLASS="command"
+>allow-update</B
+> option include the address of a slave
+server which performs forwarding of dynamic updates, the master can be
+trivially attacked by sending the update to the slave, which will
+forward it to the master with its own source IP address causing the
+master to approve it without question.</P
+><P
+>For these reasons, we strongly recommend that updates be
+cryptographically authenticated by means of transaction signatures
+(TSIG). That is, the <B
+CLASS="command"
+>allow-update</B
+> option should
+list only TSIG key names, not IP addresses or network
+prefixes. Alternatively, the new <B
+CLASS="command"
+>update-policy</B
+>
+option can be used.</P
+><P
+>Some sites choose to keep all dynamically updated DNS data
+in a subdomain and delegate that subdomain to a separate zone. This
+way, the top-level zone containing critical data such as the IP addresses
+of public web and mail servers need not allow dynamic update at
+all.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch06.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Configuration Reference</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Troubleshooting</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch08.html b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
new file mode 100644
index 0000000..fe173a8
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch08.html
@@ -0,0 +1,272 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Troubleshooting</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="BIND 9 Security Considerations"
+HREF="Bv9ARM.ch07.html"><LINK
+REL="NEXT"
+TITLE="Appendices"
+HREF="Bv9ARM.ch09.html"></HEAD
+><BODY
+CLASS="chapter"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch09.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="chapter"
+><H1
+><A
+NAME="ch08"
+></A
+>Chapter 8. Troubleshooting</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>8.1. <A
+HREF="Bv9ARM.ch08.html#AEN4720"
+>Common Problems</A
+></DT
+><DT
+>8.2. <A
+HREF="Bv9ARM.ch08.html#AEN4725"
+>Incrementing and Changing the Serial Number</A
+></DT
+><DT
+>8.3. <A
+HREF="Bv9ARM.ch08.html#AEN4730"
+>Where Can I Get Help?</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4720"
+>8.1. Common Problems</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4722"
+>8.1.1. It's not working; how can I figure out what's wrong?</A
+></H2
+><P
+>The best solution to solving installation and
+ configuration issues is to take preventative measures by setting
+ up logging files beforehand. The log files provide a
+ source of hints and information that can be used to figure out
+ what went wrong and how to fix the problem.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4725"
+>8.2. Incrementing and Changing the Serial Number</A
+></H1
+><P
+>Zone serial numbers are just numbers-they aren't date
+ related. A lot of people set them to a number that represents a
+ date, usually of the form YYYYMMDDRR. A number of people have been
+ testing these numbers for Y2K compliance and have set the number
+ to the year 2000 to see if it will work. They then try to restore
+ the old serial number. This will cause problems because serial
+ numbers are used to indicate that a zone has been updated. If the
+ serial number on the slave server is lower than the serial number
+ on the master, the slave server will attempt to update its copy of
+ the zone.</P
+><P
+>Setting the serial number to a lower number on the master
+ server than the slave server means that the slave will not perform
+ updates to its copy of the zone.</P
+><P
+>The solution to this is to add 2147483647 (2^31-1) to the
+ number, reload the zone and make sure all slaves have updated to
+ the new zone serial number, then reset the number to what you want
+ it to be, and reload the zone again.</P
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4730"
+>8.3. Where Can I Get Help?</A
+></H1
+><P
+>The Internet Software Consortium (<ACRONYM
+CLASS="acronym"
+>ISC</ACRONYM
+>) offers a wide range
+ of support and service agreements for <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>DHCP</ACRONYM
+> servers. Four
+ levels of premium support are available and each level includes
+ support for all <ACRONYM
+CLASS="acronym"
+>ISC</ACRONYM
+> programs, significant discounts on products
+ and training, and a recognized priority on bug fixes and
+ non-funded feature requests. In addition, <ACRONYM
+CLASS="acronym"
+>ISC</ACRONYM
+> offers a standard
+ support agreement package which includes services ranging from bug
+ fix announcements to remote support. It also includes training in
+ <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>DHCP</ACRONYM
+>.</P
+><P
+>To discuss arrangements for support, contact
+ <A
+HREF="mailto:info@isc.org"
+TARGET="_top"
+>info@isc.org</A
+> or visit the
+ <ACRONYM
+CLASS="acronym"
+>ISC</ACRONYM
+> web page at <A
+HREF="http://www.isc.org/services/support/"
+TARGET="_top"
+>http://www.isc.org/services/support/</A
+>
+ to read more.</P
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch07.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch09.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Security Considerations</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Appendices</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch09.html b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
new file mode 100644
index 0000000..130257c
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.ch09.html
@@ -0,0 +1,1587 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>Appendices</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="HOME"
+TITLE="BIND 9 Administrator Reference Manual"
+HREF="Bv9ARM.html"><LINK
+REL="PREVIOUS"
+TITLE="Troubleshooting"
+HREF="Bv9ARM.ch08.html"></HEAD
+><BODY
+CLASS="appendix"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="NAVHEADER"
+><TABLE
+SUMMARY="Header navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TH
+COLSPAN="3"
+ALIGN="center"
+>BIND 9 Administrator Reference Manual</TH
+></TR
+><TR
+><TD
+WIDTH="10%"
+ALIGN="left"
+VALIGN="bottom"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="80%"
+ALIGN="center"
+VALIGN="bottom"
+></TD
+><TD
+WIDTH="10%"
+ALIGN="right"
+VALIGN="bottom"
+>&nbsp;</TD
+></TR
+></TABLE
+><HR
+ALIGN="LEFT"
+WIDTH="100%"></DIV
+><DIV
+CLASS="appendix"
+><H1
+><A
+NAME="ch09"
+></A
+>Appendix A. Appendices</H1
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>A.1. <A
+HREF="Bv9ARM.ch09.html#AEN4746"
+>Acknowledgments</A
+></DT
+><DT
+>A.2. <A
+HREF="Bv9ARM.ch09.html#historical_dns_information"
+>General <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Reference Information</A
+></DT
+><DT
+>A.3. <A
+HREF="Bv9ARM.ch09.html#bibliography"
+>Bibliography (and Suggested Reading)</A
+></DT
+></DL
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="AEN4746"
+>A.1. Acknowledgments</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN4748"
+>A.1.1. A Brief History of the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+></A
+></H2
+><P
+>Although the "official" beginning of the Domain Name
+ System occurred in 1984 with the publication of RFC 920, the
+ core of the new system was described in 1983 in RFCs 882 and
+ 883. From 1984 to 1987, the ARPAnet (the precursor to today's
+ Internet) became a testbed of experimentation for developing the
+ new naming/addressing scheme in an rapidly expanding,
+ operational network environment. New RFCs were written and
+ published in 1987 that modified the original documents to
+ incorporate improvements based on the working model. RFC 1034,
+ "Domain Names-Concepts and Facilities", and RFC 1035, "Domain
+ Names-Implementation and Specification" were published and
+ became the standards upon which all <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> implementations are
+ built.
+</P
+><P
+>The first working domain name server, called "Jeeves", was
+written in 1983-84 by Paul Mockapetris for operation on DEC Tops-20
+machines located at the University of Southern California's Information
+Sciences Institute (USC-ISI) and SRI International's Network Information
+Center (SRI-NIC). A <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> server for Unix machines, the Berkeley Internet
+Name Domain (<ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>) package, was written soon after by a group of
+graduate students at the University of California at Berkeley under
+a grant from the US Defense Advanced Research Projects Administration
+(DARPA). Versions of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> through 4.8.3 were maintained by the Computer
+Systems Research Group (CSRG) at UC Berkeley. Douglas Terry, Mark
+Painter, David Riggle and Songnian Zhou made up the initial <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>
+project team. After that, additional work on the software package
+was done by Ralph Campbell. Kevin Dunlap, a Digital Equipment Corporation
+employee on loan to the CSRG, worked on <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> for 2 years, from 1985
+to 1987. Many other people also contributed to <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> development
+during that time: Doug Kingston, Craig Partridge, Smoot Carl-Mitchell,
+Mike Muuss, Jim Bloom and Mike Schwartz. <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> maintenance was subsequently
+handled by Mike Karels and O. Kure.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> versions 4.9 and 4.9.1 were released by Digital Equipment
+Corporation (now Compaq Computer Corporation). Paul Vixie, then
+a DEC employee, became <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>'s primary caretaker. Paul was assisted
+by Phil Almquist, Robert Elz, Alan Barrett, Paul Albitz, Bryan Beecher, Andrew
+Partan, Andy Cherenson, Tom Limoncelli, Berthold Paffrath, Fuat
+Baran, Anant Kumar, Art Harkin, Win Treese, Don Lewis, Christophe
+Wolfhugel, and others.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Version 4.9.2 was sponsored by Vixie Enterprises. Paul
+Vixie became <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+>'s principal architect/programmer.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> versions from 4.9.3 onward have been developed and maintained
+by the Internet Software Consortium with support being provided
+by ISC's sponsors. As co-architects/programmers, Bob Halley and
+Paul Vixie released the first production-ready version of <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> version
+8 in May 1997.</P
+><P
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> development work is made possible today by the sponsorship
+of several corporations, and by the tireless work efforts of numerous
+individuals.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="historical_dns_information"
+>A.2. General <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Reference Information</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="ipv6addresses"
+>A.2.1. IPv6 addresses (AAAA)</A
+></H2
+><P
+>IPv6 addresses are 128-bit identifiers for interfaces and
+sets of interfaces which were introduced in the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> to facilitate
+scalable Internet routing. There are three types of addresses: <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Unicast</I
+></SPAN
+>,
+an identifier for a single interface; <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Anycast</I
+></SPAN
+>,
+an identifier for a set of interfaces; and <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Multicast</I
+></SPAN
+>,
+an identifier for a set of interfaces. Here we describe the global
+Unicast address scheme. For more information, see RFC 2374.</P
+><P
+>The aggregatable global Unicast address format is as follows:</P
+><DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4784"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>3</P
+></TD
+><TD
+><P
+>13</P
+></TD
+><TD
+><P
+>8</P
+></TD
+><TD
+><P
+>24</P
+></TD
+><TD
+><P
+>16</P
+></TD
+><TD
+><P
+>64 bits</P
+></TD
+></TR
+><TR
+><TD
+><P
+>FP</P
+></TD
+><TD
+><P
+>TLA ID</P
+></TD
+><TD
+><P
+>RES</P
+></TD
+><TD
+><P
+>NLA ID</P
+></TD
+><TD
+><P
+>SLA ID</P
+></TD
+><TD
+><P
+>Interface ID</P
+></TD
+></TR
+><TR
+><TD
+COLSPAN="4"
+><P
+>&#60;------ Public Topology
+------&#62;</P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+>&#60;-Site Topology-&#62;</P
+></TD
+><TD
+><P
+></P
+></TD
+></TR
+><TR
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+></P
+></TD
+><TD
+><P
+>&#60;------ Interface Identifier ------&#62;</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+><P
+>Where
+<DIV
+CLASS="informaltable"
+><P
+></P
+><A
+NAME="AEN4853"
+></A
+><TABLE
+CELLPADDING="3"
+BORDER="1"
+CLASS="CALSTABLE"
+><TBODY
+><TR
+><TD
+><P
+>FP</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Format Prefix (001)</P
+></TD
+></TR
+><TR
+><TD
+><P
+>TLA ID</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Top-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+><P
+>RES</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Reserved for future use</P
+></TD
+></TR
+><TR
+><TD
+><P
+>NLA ID</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Next-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+><P
+>SLA ID</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Site-Level Aggregation Identifier</P
+></TD
+></TR
+><TR
+><TD
+><P
+>INTERFACE ID</P
+></TD
+><TD
+><P
+>=</P
+></TD
+><TD
+><P
+>Interface Identifier</P
+></TD
+></TR
+></TBODY
+></TABLE
+><P
+></P
+></DIV
+></P
+><P
+>The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Public Topology</I
+></SPAN
+> is provided by the
+upstream provider or ISP, and (roughly) corresponds to the IPv4 <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>network</I
+></SPAN
+> section
+of the address range. The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Site Topology</I
+></SPAN
+> is
+where you can subnet this space, much the same as subnetting an
+IPv4 /16 network into /24 subnets. The <SPAN
+CLASS="emphasis"
+><I
+CLASS="emphasis"
+>Interface Identifier</I
+></SPAN
+> is
+the address of an individual interface on a given network. (With
+IPv6, addresses belong to interfaces rather than machines.)</P
+><P
+>The subnetting capability of IPv6 is much more flexible than
+that of IPv4: subnetting can now be carried out on bit boundaries,
+in much the same way as Classless InterDomain Routing (CIDR).</P
+><P
+>The Interface Identifier must be unique on that network. On
+ethernet networks, one way to ensure this is to set the address
+to the first three bytes of the hardware address, "FFFE", then the
+last three bytes of the hardware address. The lowest significant
+bit of the first byte should then be complemented. Addresses are
+written as 32-bit blocks separated with a colon, and leading zeros
+of a block may be omitted, for example:</P
+><P
+><B
+CLASS="command"
+>2001:db8:201:9:a00:20ff:fe81:2b32</B
+></P
+><P
+>IPv6 address specifications are likely to contain long strings
+of zeros, so the architects have included a shorthand for specifying
+them. The double colon (`::') indicates the longest possible string
+of zeros that can fit, and can be used only once in an address.</P
+></DIV
+></DIV
+><DIV
+CLASS="sect1"
+><H1
+CLASS="sect1"
+><A
+NAME="bibliography"
+>A.3. Bibliography (and Suggested Reading)</A
+></H1
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="rfcs"
+>A.3.1. Request for Comments (RFCs)</A
+></H2
+><P
+>Specification documents for the Internet protocol suite, including
+the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>, are published as part of the Request for Comments (RFCs)
+series of technical notes. The standards themselves are defined
+by the Internet Engineering Task Force (IETF) and the Internet Engineering
+Steering Group (IESG). RFCs can be obtained online via FTP at
+<A
+HREF="ftp://www.isi.edu/in-notes/"
+TARGET="_top"
+>ftp://www.isi.edu/in-notes/RFC<VAR
+CLASS="replaceable"
+>xxx</VAR
+>.txt</A
+> (where <VAR
+CLASS="replaceable"
+>xxx</VAR
+> is
+the number of the RFC). RFCs are also available via the Web at
+<A
+HREF="http://www.ietf.org/rfc/"
+TARGET="_top"
+>http://www.ietf.org/rfc/</A
+>.
+</P
+><H3
+><A
+NAME="AEN4921"
+>Bibliography</A
+></H3
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN4922"
+>Standards</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4924"
+></A
+><P
+>[RFC974]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Partridge</SPAN
+>, <I
+>Mail Routing and the Domain System</I
+>, January 1986.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4931"
+></A
+><P
+>[RFC1034]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P.V. Mockapetris</SPAN
+>, <I
+>Domain Names &#8212; Concepts and Facilities</I
+>, November 1987.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4938"
+></A
+><P
+>[RFC1035]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. V. Mockapetris</SPAN
+>, <I
+>Domain Names &#8212; Implementation and
+Specification</I
+>, November 1987.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="proposed_standards"
+>Proposed Standards</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4947"
+></A
+><P
+>[RFC2181]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R., R. Bush Elz</SPAN
+>, <I
+>Clarifications to the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Specification</I
+>, July 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4955"
+></A
+><P
+>[RFC2308]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Andrews</SPAN
+>, <I
+>Negative Caching of <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Queries</I
+>, March 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4963"
+></A
+><P
+>[RFC1995]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Ohta</SPAN
+>, <I
+>Incremental Zone Transfer in <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+></I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4971"
+></A
+><P
+>[RFC1996]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie</SPAN
+>, <I
+>A Mechanism for Prompt Notification of Zone Changes</I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4978"
+></A
+><P
+>[RFC2136]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>S. Thomson, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>Y. Rekhter, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and J. Bound</SPAN
+>, <I
+>Dynamic Updates in the Domain Name System</I
+>, April 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN4995"
+></A
+><P
+>[RFC2845]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>O. Gudmundsson, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and B. Wellington</SPAN
+>, <I
+>Secret Key Transaction Authentication for <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> (TSIG)</I
+>, May 2000.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5014"
+>Proposed Standards Still Under Development</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5019"
+></A
+><P
+>[RFC1886]&nbsp;<SPAN
+CLASS="AUTHOR"
+>S. Thomson </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and C. Huitema</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Extensions to support IP version 6</I
+>, December 1995.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5031"
+></A
+><P
+>[RFC2065]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and C. Kaufman</SPAN
+>, <I
+>Domain Name System Security Extensions</I
+>, January 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5043"
+></A
+><P
+>[RFC2137]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Eastlake, 3rd</SPAN
+>, <I
+>Secure Domain Name System Dynamic Update</I
+>, April 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5051"
+>Other Important RFCs About <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Implementation</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5054"
+></A
+><P
+>[RFC1535]&nbsp;<SPAN
+CLASS="AUTHOR"
+>E. Gavron</SPAN
+>, <I
+>A Security Problem and Proposed Correction With Widely Deployed <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Software.</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5062"
+></A
+><P
+>[RFC1536]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Kumar, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>J. Postel, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>C. Neuman, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>P. Danzig, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and S. Miller</SPAN
+>, <I
+>Common <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Implementation Errors and Suggested Fixes</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5083"
+></A
+><P
+>[RFC1982]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Elz </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Bush</SPAN
+>, <I
+>Serial Number Arithmetic</I
+>, August 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5094"
+>Resource Record Types</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5096"
+></A
+><P
+>[RFC1183]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C.F. Everhart, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>L. A. Mamakos, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>R. Ullmann, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Mockapetris</SPAN
+>, <I
+>New <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> RR Definitions</I
+>, October 1990.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5114"
+></A
+><P
+>[RFC1706]&nbsp;<SPAN
+CLASS="AUTHOR"
+>B. Manning </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Colella</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> NSAP Resource Records</I
+>, October 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5126"
+></A
+><P
+>[RFC2168]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Daniel </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and M. Mealling</SPAN
+>, <I
+>Resolution of Uniform Resource Identifiers using
+the Domain Name System</I
+>, June 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5137"
+></A
+><P
+>[RFC1876]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Davis, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>P. Vixie, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>T., </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and I. Dickinson</SPAN
+>, <I
+>A Means for Expressing Location Information in the Domain
+Name System</I
+>, January 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5154"
+></A
+><P
+>[RFC2052]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Gulbrandsen </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>A <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> RR for Specifying the Location of
+Services.</I
+>, October 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5166"
+></A
+><P
+>[RFC2163]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Allocchio</SPAN
+>, <I
+>Using the Internet <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> to Distribute MIXER
+Conformant Global Address Mapping</I
+>, January 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5174"
+></A
+><P
+>[RFC2230]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Atkinson</SPAN
+>, <I
+>Key Exchange Delegation Record for the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+></I
+>, October 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5182"
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> and the Internet</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5185"
+></A
+><P
+>[RFC1101]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. V. Mockapetris</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Encoding of Network Names and Other Types</I
+>, April 1989.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5193"
+></A
+><P
+>[RFC1123]&nbsp;<SPAN
+CLASS="AUTHOR"
+>Braden</SPAN
+>, <I
+>Requirements for Internet Hosts - Application and Support</I
+>, October 1989.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5200"
+></A
+><P
+>[RFC1591]&nbsp;<SPAN
+CLASS="AUTHOR"
+>J. Postel</SPAN
+>, <I
+>Domain Name System Structure and Delegation</I
+>, March 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5207"
+></A
+><P
+>[RFC2317]&nbsp;<SPAN
+CLASS="AUTHOR"
+>H. Eidnes, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>G. de Groot, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>Classless IN-ADDR.ARPA Delegation</I
+>, March 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5221"
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Operations</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5224"
+></A
+><P
+>[RFC1537]&nbsp;<SPAN
+CLASS="AUTHOR"
+>P. Beertema</SPAN
+>, <I
+>Common <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Data File Configuration Errors</I
+>, October 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5232"
+></A
+><P
+>[RFC1912]&nbsp;<SPAN
+CLASS="AUTHOR"
+>D. Barr</SPAN
+>, <I
+>Common <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Operational and Configuration Errors</I
+>, February 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5240"
+></A
+><P
+>[RFC2010]&nbsp;<SPAN
+CLASS="AUTHOR"
+>B. Manning </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and P. Vixie</SPAN
+>, <I
+>Operational Criteria for Root Name Servers.</I
+>, October 1996.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5251"
+></A
+><P
+>[RFC2219]&nbsp;<SPAN
+CLASS="AUTHOR"
+>M. Hamilton </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and R. Wright</SPAN
+>, <I
+>Use of <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Aliases for Network Services.</I
+>, October 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5263"
+>Other <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>-related RFCs</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5269"
+></A
+><P
+>[RFC1464]&nbsp;<SPAN
+CLASS="AUTHOR"
+>R. Rosenbaum</SPAN
+>, <I
+>Using the Domain Name System To Store Arbitrary String Attributes</I
+>, May 1993.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5276"
+></A
+><P
+>[RFC1713]&nbsp;<SPAN
+CLASS="AUTHOR"
+>A. Romao</SPAN
+>, <I
+>Tools for <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Debugging</I
+>, November 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5284"
+></A
+><P
+>[RFC1794]&nbsp;<SPAN
+CLASS="AUTHOR"
+>T. Brisco</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Support for Load Balancing</I
+>, April 1995.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5292"
+></A
+><P
+>[RFC2240]&nbsp;<SPAN
+CLASS="AUTHOR"
+>O. Vaughan</SPAN
+>, <I
+>A Legal Basis for Domain Name Allocation</I
+>, November 1997.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5299"
+></A
+><P
+>[RFC2345]&nbsp;<SPAN
+CLASS="AUTHOR"
+>J. Klensin, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>T. Wolf, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and G. Oglesby</SPAN
+>, <I
+>Domain Names and Company Name Retrieval</I
+>, May 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5313"
+></A
+><P
+>[RFC2352]&nbsp;<SPAN
+CLASS="AUTHOR"
+>O. Vaughan</SPAN
+>, <I
+>A Convention For Using Legal Names as Domain Names</I
+>, May 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+><H2
+CLASS="bibliodiv"
+><A
+NAME="AEN5320"
+>Obsolete and Unimplemented Experimental RRs</A
+></H2
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5322"
+></A
+><P
+>[RFC1712]&nbsp;<SPAN
+CLASS="AUTHOR"
+>C. Farrell, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>M. Schulze, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>S. Pleitner, </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and D. Baldoni</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Encoding of Geographical
+Location</I
+>, November 1994.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="internet_drafts"
+>A.3.2. Internet Drafts</A
+></H2
+><P
+>Internet Drafts (IDs) are rough-draft working documents of
+the Internet Engineering Task Force. They are, in essence, RFCs
+in the preliminary stages of development. Implementors are cautioned not
+to regard IDs as archival, and they should not be quoted or cited
+in any formal documents unless accompanied by the disclaimer that
+they are "works in progress." IDs have a lifespan of six months
+after which they are deleted unless updated by their authors.
+</P
+></DIV
+><DIV
+CLASS="sect2"
+><H2
+CLASS="sect2"
+><A
+NAME="AEN5343"
+>A.3.3. Other Documents About <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+></A
+></H2
+><P
+></P
+><H3
+><A
+NAME="AEN5347"
+>Bibliography</A
+></H3
+><DIV
+CLASS="biblioentry"
+><A
+NAME="AEN5348"
+></A
+><P
+><SPAN
+CLASS="AUTHOR"
+>Paul Albitz </SPAN
+><SPAN
+CLASS="AUTHOR"
+>and Cricket Liu</SPAN
+>, <I
+><ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+></I
+>, 1998.</P
+><DIV
+CLASS="BIBLIOENTRYBLOCK"
+STYLE="margin-left: 0.5in"
+></DIV
+></DIV
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch08.html"
+ACCESSKEY="P"
+>Prev</A
+></TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+><A
+HREF="Bv9ARM.html"
+ACCESSKEY="H"
+>Home</A
+></TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>Troubleshooting</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>&nbsp;</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Bv9ARM.html b/contrib/bind9/doc/arm/Bv9ARM.html
new file mode 100644
index 0000000..bf8b49e
--- /dev/null
+++ b/contrib/bind9/doc/arm/Bv9ARM.html
@@ -0,0 +1,851 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>BIND 9 Administrator Reference Manual</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
+REL="NEXT"
+TITLE="Introduction "
+HREF="Bv9ARM.ch01.html"></HEAD
+><BODY
+CLASS="book"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><DIV
+CLASS="BOOK"
+><A
+NAME="AEN1"
+></A
+><DIV
+CLASS="TITLEPAGE"
+><H1
+CLASS="title"
+><A
+NAME="AEN1"
+>BIND 9 Administrator Reference Manual</A
+></H1
+><P
+CLASS="copyright"
+>Copyright &copy; 2004 Internet Systems Consortium, Inc. ("ISC")</P
+><P
+CLASS="copyright"
+>Copyright &copy; 2000-2003 Internet Software Consortium</P
+><HR></DIV
+><DIV
+CLASS="TOC"
+><DL
+><DT
+><B
+>Table of Contents</B
+></DT
+><DT
+>1. <A
+HREF="Bv9ARM.ch01.html"
+>Introduction</A
+></DT
+><DD
+><DL
+><DT
+>1.1. <A
+HREF="Bv9ARM.ch01.html#AEN15"
+>Scope of Document</A
+></DT
+><DT
+>1.2. <A
+HREF="Bv9ARM.ch01.html#AEN22"
+>Organization of This Document</A
+></DT
+><DT
+>1.3. <A
+HREF="Bv9ARM.ch01.html#AEN42"
+>Conventions Used in This Document</A
+></DT
+><DT
+>1.4. <A
+HREF="Bv9ARM.ch01.html#AEN107"
+>The Domain Name System (<ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+>)</A
+></DT
+><DD
+><DL
+><DT
+>1.4.1. <A
+HREF="Bv9ARM.ch01.html#AEN114"
+>DNS Fundamentals</A
+></DT
+><DT
+>1.4.2. <A
+HREF="Bv9ARM.ch01.html#AEN124"
+>Domains and Domain Names</A
+></DT
+><DT
+>1.4.3. <A
+HREF="Bv9ARM.ch01.html#AEN148"
+>Zones</A
+></DT
+><DT
+>1.4.4. <A
+HREF="Bv9ARM.ch01.html#AEN171"
+>Authoritative Name Servers</A
+></DT
+><DT
+>1.4.5. <A
+HREF="Bv9ARM.ch01.html#AEN200"
+>Caching Name Servers</A
+></DT
+><DT
+>1.4.6. <A
+HREF="Bv9ARM.ch01.html#AEN218"
+>Name Servers in Multiple Roles</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>2. <A
+HREF="Bv9ARM.ch02.html"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Resource Requirements</A
+></DT
+><DD
+><DL
+><DT
+>2.1. <A
+HREF="Bv9ARM.ch02.html#AEN228"
+>Hardware requirements</A
+></DT
+><DT
+>2.2. <A
+HREF="Bv9ARM.ch02.html#AEN236"
+>CPU Requirements</A
+></DT
+><DT
+>2.3. <A
+HREF="Bv9ARM.ch02.html#AEN240"
+>Memory Requirements</A
+></DT
+><DT
+>2.4. <A
+HREF="Bv9ARM.ch02.html#AEN245"
+>Name Server Intensive Environment Issues</A
+></DT
+><DT
+>2.5. <A
+HREF="Bv9ARM.ch02.html#AEN248"
+>Supported Operating Systems</A
+></DT
+></DL
+></DD
+><DT
+>3. <A
+HREF="Bv9ARM.ch03.html"
+>Name Server Configuration</A
+></DT
+><DD
+><DL
+><DT
+>3.1. <A
+HREF="Bv9ARM.ch03.html#sample_configuration"
+>Sample Configurations</A
+></DT
+><DD
+><DL
+><DT
+>3.1.1. <A
+HREF="Bv9ARM.ch03.html#AEN257"
+>A Caching-only Name Server</A
+></DT
+><DT
+>3.1.2. <A
+HREF="Bv9ARM.ch03.html#AEN262"
+>An Authoritative-only Name Server</A
+></DT
+></DL
+></DD
+><DT
+>3.2. <A
+HREF="Bv9ARM.ch03.html#AEN268"
+>Load Balancing</A
+></DT
+><DT
+>3.3. <A
+HREF="Bv9ARM.ch03.html#AEN345"
+>Name Server Operations</A
+></DT
+><DD
+><DL
+><DT
+>3.3.1. <A
+HREF="Bv9ARM.ch03.html#AEN347"
+>Tools for Use With the Name Server Daemon</A
+></DT
+><DT
+>3.3.2. <A
+HREF="Bv9ARM.ch03.html#AEN679"
+>Signals</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>4. <A
+HREF="Bv9ARM.ch04.html"
+>Advanced DNS Features</A
+></DT
+><DD
+><DL
+><DT
+>4.1. <A
+HREF="Bv9ARM.ch04.html#notify"
+>Notify</A
+></DT
+><DT
+>4.2. <A
+HREF="Bv9ARM.ch04.html#dynamic_update"
+>Dynamic Update</A
+></DT
+><DD
+><DL
+><DT
+>4.2.1. <A
+HREF="Bv9ARM.ch04.html#journal"
+>The journal file</A
+></DT
+></DL
+></DD
+><DT
+>4.3. <A
+HREF="Bv9ARM.ch04.html#incremental_zone_transfers"
+>Incremental Zone Transfers (IXFR)</A
+></DT
+><DT
+>4.4. <A
+HREF="Bv9ARM.ch04.html#AEN757"
+>Split DNS</A
+></DT
+><DT
+>4.5. <A
+HREF="Bv9ARM.ch04.html#tsig"
+>TSIG</A
+></DT
+><DD
+><DL
+><DT
+>4.5.1. <A
+HREF="Bv9ARM.ch04.html#AEN848"
+>Generate Shared Keys for Each Pair of Hosts</A
+></DT
+><DT
+>4.5.2. <A
+HREF="Bv9ARM.ch04.html#AEN869"
+>Copying the Shared Secret to Both Machines</A
+></DT
+><DT
+>4.5.3. <A
+HREF="Bv9ARM.ch04.html#AEN872"
+>Informing the Servers of the Key's Existence</A
+></DT
+><DT
+>4.5.4. <A
+HREF="Bv9ARM.ch04.html#AEN884"
+>Instructing the Server to Use the Key</A
+></DT
+><DT
+>4.5.5. <A
+HREF="Bv9ARM.ch04.html#AEN900"
+>TSIG Key Based Access Control</A
+></DT
+><DT
+>4.5.6. <A
+HREF="Bv9ARM.ch04.html#AEN913"
+>Errors</A
+></DT
+></DL
+></DD
+><DT
+>4.6. <A
+HREF="Bv9ARM.ch04.html#AEN917"
+>TKEY</A
+></DT
+><DT
+>4.7. <A
+HREF="Bv9ARM.ch04.html#AEN932"
+>SIG(0)</A
+></DT
+><DT
+>4.8. <A
+HREF="Bv9ARM.ch04.html#DNSSEC"
+>DNSSEC</A
+></DT
+><DD
+><DL
+><DT
+>4.8.1. <A
+HREF="Bv9ARM.ch04.html#AEN952"
+>Generating Keys</A
+></DT
+><DT
+>4.8.2. <A
+HREF="Bv9ARM.ch04.html#AEN972"
+>Signing the Zone</A
+></DT
+><DT
+>4.8.3. <A
+HREF="Bv9ARM.ch04.html#AEN994"
+>Configuring Servers</A
+></DT
+></DL
+></DD
+><DT
+>4.9. <A
+HREF="Bv9ARM.ch04.html#AEN1001"
+>IPv6 Support in <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9</A
+></DT
+><DD
+><DL
+><DT
+>4.9.1. <A
+HREF="Bv9ARM.ch04.html#AEN1019"
+>Address Lookups Using AAAA Records</A
+></DT
+><DT
+>4.9.2. <A
+HREF="Bv9ARM.ch04.html#AEN1025"
+>Address to Name Lookups Using Nibble Format</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>5. <A
+HREF="Bv9ARM.ch05.html"
+>The <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Lightweight Resolver</A
+></DT
+><DD
+><DL
+><DT
+>5.1. <A
+HREF="Bv9ARM.ch05.html#AEN1034"
+>The Lightweight Resolver Library</A
+></DT
+><DT
+>5.2. <A
+HREF="Bv9ARM.ch05.html#lwresd"
+>Running a Resolver Daemon</A
+></DT
+></DL
+></DD
+><DT
+>6. <A
+HREF="Bv9ARM.ch06.html"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Configuration Reference</A
+></DT
+><DD
+><DL
+><DT
+>6.1. <A
+HREF="Bv9ARM.ch06.html#configuration_file_elements"
+>Configuration File Elements</A
+></DT
+><DD
+><DL
+><DT
+>6.1.1. <A
+HREF="Bv9ARM.ch06.html#address_match_lists"
+>Address Match Lists</A
+></DT
+><DT
+>6.1.2. <A
+HREF="Bv9ARM.ch06.html#AEN1280"
+>Comment Syntax</A
+></DT
+></DL
+></DD
+><DT
+>6.2. <A
+HREF="Bv9ARM.ch06.html#Configuration_File_Grammar"
+>Configuration File Grammar</A
+></DT
+><DD
+><DL
+><DT
+>6.2.1. <A
+HREF="Bv9ARM.ch06.html#AEN1401"
+><B
+CLASS="command"
+>acl</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.2. <A
+HREF="Bv9ARM.ch06.html#acl"
+><B
+CLASS="command"
+>acl</B
+> Statement Definition and
+Usage</A
+></DT
+><DT
+>6.2.3. <A
+HREF="Bv9ARM.ch06.html#AEN1445"
+><B
+CLASS="command"
+>controls</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.4. <A
+HREF="Bv9ARM.ch06.html#controls_statement_definition_and_usage"
+><B
+CLASS="command"
+>controls</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.5. <A
+HREF="Bv9ARM.ch06.html#AEN1524"
+><B
+CLASS="command"
+>include</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.6. <A
+HREF="Bv9ARM.ch06.html#AEN1529"
+><B
+CLASS="command"
+>include</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.7. <A
+HREF="Bv9ARM.ch06.html#AEN1536"
+><B
+CLASS="command"
+>key</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.8. <A
+HREF="Bv9ARM.ch06.html#AEN1543"
+><B
+CLASS="command"
+>key</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.9. <A
+HREF="Bv9ARM.ch06.html#AEN1563"
+><B
+CLASS="command"
+>logging</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.10. <A
+HREF="Bv9ARM.ch06.html#AEN1603"
+><B
+CLASS="command"
+>logging</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.11. <A
+HREF="Bv9ARM.ch06.html#AEN1873"
+><B
+CLASS="command"
+>lwres</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.12. <A
+HREF="Bv9ARM.ch06.html#AEN1897"
+><B
+CLASS="command"
+>lwres</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.13. <A
+HREF="Bv9ARM.ch06.html#AEN1916"
+><B
+CLASS="command"
+>masters</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.14. <A
+HREF="Bv9ARM.ch06.html#AEN1931"
+><B
+CLASS="command"
+>masters</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.15. <A
+HREF="Bv9ARM.ch06.html#AEN1936"
+><B
+CLASS="command"
+>options</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.16. <A
+HREF="Bv9ARM.ch06.html#options"
+><B
+CLASS="command"
+>options</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.17. <A
+HREF="Bv9ARM.ch06.html#server_statement_grammar"
+><B
+CLASS="command"
+>server</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.18. <A
+HREF="Bv9ARM.ch06.html#server_statement_definition_and_usage"
+><B
+CLASS="command"
+>server</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.19. <A
+HREF="Bv9ARM.ch06.html#AEN3402"
+><B
+CLASS="command"
+>trusted-keys</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.20. <A
+HREF="Bv9ARM.ch06.html#AEN3418"
+><B
+CLASS="command"
+>trusted-keys</B
+> Statement Definition
+and Usage</A
+></DT
+><DT
+>6.2.21. <A
+HREF="Bv9ARM.ch06.html#view_statement_grammar"
+><B
+CLASS="command"
+>view</B
+> Statement Grammar</A
+></DT
+><DT
+>6.2.22. <A
+HREF="Bv9ARM.ch06.html#AEN3440"
+><B
+CLASS="command"
+>view</B
+> Statement Definition and Usage</A
+></DT
+><DT
+>6.2.23. <A
+HREF="Bv9ARM.ch06.html#zone_statement_grammar"
+><B
+CLASS="command"
+>zone</B
+>
+Statement Grammar</A
+></DT
+><DT
+>6.2.24. <A
+HREF="Bv9ARM.ch06.html#AEN3614"
+><B
+CLASS="command"
+>zone</B
+> Statement Definition and Usage</A
+></DT
+></DL
+></DD
+><DT
+>6.3. <A
+HREF="Bv9ARM.ch06.html#AEN4015"
+>Zone File</A
+></DT
+><DD
+><DL
+><DT
+>6.3.1. <A
+HREF="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them"
+>Types of Resource Records and When to Use Them</A
+></DT
+><DT
+>6.3.2. <A
+HREF="Bv9ARM.ch06.html#AEN4335"
+>Discussion of MX Records</A
+></DT
+><DT
+>6.3.3. <A
+HREF="Bv9ARM.ch06.html#Setting_TTLs"
+>Setting TTLs</A
+></DT
+><DT
+>6.3.4. <A
+HREF="Bv9ARM.ch06.html#AEN4456"
+>Inverse Mapping in IPv4</A
+></DT
+><DT
+>6.3.5. <A
+HREF="Bv9ARM.ch06.html#AEN4483"
+>Other Zone File Directives</A
+></DT
+><DT
+>6.3.6. <A
+HREF="Bv9ARM.ch06.html#AEN4541"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> Master File Extension: the <B
+CLASS="command"
+>$GENERATE</B
+> Directive</A
+></DT
+></DL
+></DD
+></DL
+></DD
+><DT
+>7. <A
+HREF="Bv9ARM.ch07.html"
+><ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+> 9 Security Considerations</A
+></DT
+><DD
+><DL
+><DT
+>7.1. <A
+HREF="Bv9ARM.ch07.html#Access_Control_Lists"
+>Access Control Lists</A
+></DT
+><DT
+>7.2. <A
+HREF="Bv9ARM.ch07.html#AEN4658"
+><B
+CLASS="command"
+>chroot</B
+> and <B
+CLASS="command"
+>setuid</B
+> (for
+UNIX servers)</A
+></DT
+><DD
+><DL
+><DT
+>7.2.1. <A
+HREF="Bv9ARM.ch07.html#AEN4681"
+>The <B
+CLASS="command"
+>chroot</B
+> Environment</A
+></DT
+><DT
+>7.2.2. <A
+HREF="Bv9ARM.ch07.html#AEN4699"
+>Using the <B
+CLASS="command"
+>setuid</B
+> Function</A
+></DT
+></DL
+></DD
+><DT
+>7.3. <A
+HREF="Bv9ARM.ch07.html#dynamic_update_security"
+>Dynamic Update Security</A
+></DT
+></DL
+></DD
+><DT
+>8. <A
+HREF="Bv9ARM.ch08.html"
+>Troubleshooting</A
+></DT
+><DD
+><DL
+><DT
+>8.1. <A
+HREF="Bv9ARM.ch08.html#AEN4720"
+>Common Problems</A
+></DT
+><DD
+><DL
+><DT
+>8.1.1. <A
+HREF="Bv9ARM.ch08.html#AEN4722"
+>It's not working; how can I figure out what's wrong?</A
+></DT
+></DL
+></DD
+><DT
+>8.2. <A
+HREF="Bv9ARM.ch08.html#AEN4725"
+>Incrementing and Changing the Serial Number</A
+></DT
+><DT
+>8.3. <A
+HREF="Bv9ARM.ch08.html#AEN4730"
+>Where Can I Get Help?</A
+></DT
+></DL
+></DD
+><DT
+>A. <A
+HREF="Bv9ARM.ch09.html"
+>Appendices</A
+></DT
+><DD
+><DL
+><DT
+>A.1. <A
+HREF="Bv9ARM.ch09.html#AEN4746"
+>Acknowledgments</A
+></DT
+><DD
+><DL
+><DT
+>A.1.1. <A
+HREF="Bv9ARM.ch09.html#AEN4748"
+>A Brief History of the <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> and <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+></A
+></DT
+></DL
+></DD
+><DT
+>A.2. <A
+HREF="Bv9ARM.ch09.html#historical_dns_information"
+>General <ACRONYM
+CLASS="acronym"
+>DNS</ACRONYM
+> Reference Information</A
+></DT
+><DD
+><DL
+><DT
+>A.2.1. <A
+HREF="Bv9ARM.ch09.html#ipv6addresses"
+>IPv6 addresses (AAAA)</A
+></DT
+></DL
+></DD
+><DT
+>A.3. <A
+HREF="Bv9ARM.ch09.html#bibliography"
+>Bibliography (and Suggested Reading)</A
+></DT
+><DD
+><DL
+><DT
+>A.3.1. <A
+HREF="Bv9ARM.ch09.html#rfcs"
+>Request for Comments (RFCs)</A
+></DT
+><DT
+>A.3.2. <A
+HREF="Bv9ARM.ch09.html#internet_drafts"
+>Internet Drafts</A
+></DT
+><DT
+>A.3.3. <A
+HREF="Bv9ARM.ch09.html#AEN5343"
+>Other Documents About <ACRONYM
+CLASS="acronym"
+>BIND</ACRONYM
+></A
+></DT
+></DL
+></DD
+></DL
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="NAVFOOTER"
+><HR
+ALIGN="LEFT"
+WIDTH="100%"><TABLE
+SUMMARY="Footer navigation table"
+WIDTH="100%"
+BORDER="0"
+CELLPADDING="0"
+CELLSPACING="0"
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+><A
+HREF="Bv9ARM.ch01.html"
+ACCESSKEY="N"
+>Next</A
+></TD
+></TR
+><TR
+><TD
+WIDTH="33%"
+ALIGN="left"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="34%"
+ALIGN="center"
+VALIGN="top"
+>&nbsp;</TD
+><TD
+WIDTH="33%"
+ALIGN="right"
+VALIGN="top"
+>Introduction</TD
+></TR
+></TABLE
+></DIV
+></BODY
+></HTML
+> \ No newline at end of file
diff --git a/contrib/bind9/doc/arm/Makefile.in b/contrib/bind9/doc/arm/Makefile.in
new file mode 100644
index 0000000..ede9342
--- /dev/null
+++ b/contrib/bind9/doc/arm/Makefile.in
@@ -0,0 +1,69 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8.2.2.8.3 2004/03/08 09:04:24 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_RULES@
+
+MANOBJS = Bv9ARM.html
+
+distclean::
+ rm -f validate.sh
+ rm -f nominum-docbook-html.dsl nominum-docbook-print.dsl
+ rm -f HTML.index HTML.manifest
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f *.html
+
+Bv9ARM.html: Bv9ARM-book.xml nominum-docbook-html.dsl
+ ${OPENJADE} -v \
+ -c ${SGMLCATALOG} \
+ -t sgml \
+ -d ./nominum-docbook-html.dsl \
+ ${XMLDCL} ./Bv9ARM-book.xml
+ rm -f HTML.index HTML.manifest
+
+Bv9ARM-book.rtf: Bv9ARM-book.xml nominum-docbook-print.dsl
+ ${OPENJADE} -v \
+ -c ${SGMLCATALOG} \
+ -t rtf \
+ -d ./nominum-docbook-print.dsl \
+ ${XMLDCL} ./Bv9ARM-book.xml
+
+Bv9ARM-book.tex: Bv9ARM-book.xml nominum-docbook-print.dsl
+ ${OPENJADE} -v \
+ -c ${SGMLCATALOG} \
+ -d ./nominum-docbook-print.dsl \
+ -t tex \
+ ${XMLDCL} ./Bv9ARM-book.xml
+
+Bv9ARM-book.dvi: Bv9ARM-book.tex
+ rm -f Bv9ARM-book.aux Bv9ARM-book.dvi Bv9ARM-book.log
+ ${JADETEX} ./Bv9ARM-book.tex || true
+ ${JADETEX} ./Bv9ARM-book.tex || true
+ ${JADETEX} ./Bv9ARM-book.tex || true
+
+Bv9ARM-book.pdf: Bv9ARM-book.tex
+ rm -f Bv9ARM-book.aux Bv9ARM-book.pdf Bv9ARM-book.log
+ ${PDFJADETEX} ./Bv9ARM-book.tex || true
+ ${PDFJADETEX} ./Bv9ARM-book.tex || true
+ ${PDFJADETEX} ./Bv9ARM-book.tex || true
+
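Review bot: The `|| true` after every `${JADETEX}` and `${PDFJADETEX}` line in the Bv9ARM-book.dvi and Bv9ARM-book.pdf rules discards the exit status of all three passes, so make reports success even when no .dvi or .pdf was written or a truncated one was left behind. The first two passes presumably exit non-zero while cross-references are still unresolved, which would explain the tolerance there, but the final pass should decide the result: drop `|| true` from the third line of each rule, e.g. `${JADETEX} ./Bv9ARM-book.tex`. A short comment above the repeated lines, such as `# run three times so cross-references and the table of contents settle`, would also record why the command is repeated.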
diff --git a/contrib/bind9/doc/arm/README-SGML b/contrib/bind9/doc/arm/README-SGML
new file mode 100644
index 0000000..8e7bc4e
--- /dev/null
+++ b/contrib/bind9/doc/arm/README-SGML
@@ -0,0 +1,329 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+The BIND v9 ARM master document is now kept in DocBook XML format.
+
+Version: $Id: README-SGML,v 1.16.206.1 2004/03/06 13:16:14 marka Exp $
+
+The entire ARM is in the single file:
+
+ Bv9ARM-book.xml
+
+All of the other documents - HTML, PDF, etc - are generated from this
+master source.
+
+This file attempts to describe what tools are necessary for the
+maintenance of this document as well as the generation of the
+alternate formats of this document.
+
+This file will also spend a very little time describing the XML and
+SGML headers so you can understand a bit what you may need to do to be
+able to work with this document in any fashion other than simply
+editing it.
+
+We will spend almost no time on the actual tags and how to write an
+XML DocBook compliant document. If you are at all familiar with SGML
+or HTML it will be very evident. You only need to know what the tags
+are and how to use them. You can find a good resource either for this
+either online or in printed form:
+
+ DocBook: The Definitive Guide
+ By Norman Walsh and Leonard Muellner
+ ISBN: 156592-580-7
+ 1st Edition, October 1999
+ Copyright (C) 1999 by O'Reilly & Associates, Inc. All rights reserved.
+
+The book is available online in HTML format:
+
+ http://docbook.org/
+
+and buried in:
+
+ http://www.nwalsh.com/docbook/defguide/index.html
+
+A lot of useful stuff is at NWalsh's site in general. You may also
+want to look at:
+
+ http://www.xml.com/
+
+The BIND v9 ARM is based on the XML 4.0 DocBook DTD. Every XML and
+SGML document begins with a prefix that tells where to find the file
+that describes the meaning and structure of the tags used in the rest
+of the document.
+
+For our XML DocBook 4.0 based document this prefix looks like this:
+
+ <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
+ "/usr/local/share/xml/dtd/docbook/docbookx.dtd">
+
+This "DOCTYPE" statement has three parts, of which we are only using
+two:
+
+o The highest level term that represents this document (in this case
+ it is "book"
+
+o The identifier that tells us which DTD to use. This identifier has
+ two parts, the "Formal Public Identifier" (or FPI) and the system
+ identifier. In SGML you can have either a FPI or a SYSTEM identifier
+ but you have to have at least one of them. In XML you have to have a
+ SYSTEM identifier.
+
+FP & SYSTEM identifiers - These are names/lookups for the actual
+DTD. The FPI is a globally unique name that should, on a properly
+configured system, tell you exactly what DTD to use. The SYSTEM
+identifier gives an absolute location for the DTD. In XML these are
+supposed to be properly formatted URL's.
+
+SGML has these things called "catalogs" that are files that map FPI's
+in to actual files. A "catalog" can also be used to remap a SYSTEM
+identifier so you can say something like: "http://www.oasis.org/foo"
+is actually "/usr/local/share/xml/foo.dtd"
+
+When you use various SGML/XML tools they need to be configured to look
+at the same "catalog" files so that as you move from tool to tool they
+all refer to the same DTD for the same document.
+
+We will be spending most of our configuration time making sure our
+tools use the same "catalog" files and that we have the same DTD's
+installed on our machines. XML's requirement of the SYSTEM identifier
+over the FPI will probably lead to more problems as it does not
+guarantee that everyone is using the same DTD.
+
+I did my initial work with the "sgmltools" the XML 4.0 DocBook DTD and
+"jade" or "openjade."
+
+You can get the 4.0 XML DocBook DTD from:
+
+ http://www.docbook.org/xml/4.0/
+
+(download the .zip file.) NOTE: We will eventually be changing the
+SYSTEM identifier to the recommended value of:
+
+ http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd
+
+NOTE: Under FreeBSD this is the package:
+
+ /usr/ports/textproc/docbook-xml
+
+NetBSD instructions are coming soon.
+
+With packages listed below installed under FreeBSD the "catalog" file
+that all the tools refer to at least one is in:
+
+ /usr/local/share/sgml/catalog
+
+In order for our SYSTEM identifier for the XML DocBook dtd to be found
+I create a new catalog file at the top of the XML directory created on
+FreeBSD:
+
+ /usr/local/share/xml/catalog
+
+This file has one line:
+
+ SYSTEM "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd" "/usr/local/share/xml/dtd/docbook/docbookx.dtd"
+
+Then in the main "catalog" I have it include this XML catalog:
+
+ CATALOG "/usr/local/share/xml/catalog"
+
+
+On your systems you need to replace "/usr/local/share" with your
+prefix root (probably /usr/pkg under NetBSD.)
+
+NOTE: The URL used above is supposed to the be the proper one for this
+XML DocBook DTD... but there is nothing at that URL so you really do
+need the "SYSTEM" identifier mapping in your catalog (or make the
+SYSTEM identifier in your document refer to the real location of the
+file on your local system.)
+
+HOW TO VALIDATE A DOCUMENT:
+
+I use the sgmltools "nsgmls" document validator. Since we are using
+XML we need to use the XML declarations, which are installed as part
+of the modular DSSL style sheets:
+
+ nsgmls -sv /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
+ Bv9ARM-book.xml
+
+A convenient shell script "validate.sh" is now generated by configure
+to invoke the above command with the correct system-dependent paths.
+
+The SGML tools can be found at:
+
+ ftp://ftp.us.sgmltools.org/pub/SGMLtools/v2.0/source/ \
+ ftp://ftp.nllgg.nl/pub/SGMLtools/v2.0/source/
+
+FreeBSD package for these is:
+
+ /usr/ports/textproc/sgmltools
+
+HOW TO RENDER A DOCUMENT AS HTML or TeX:
+
+o Generate html doc with:
+
+ openjade -v -d ./nominum-docbook-html.dsl \
+ -t sgml \
+ /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
+ Bv9ARM-book.xml
+
+A convenient shell script "genhtml.sh" is now generated by configure to
+invoke the above command with the correct system-dependent paths.
+
+On NetBSD there is no port for "openjade" however "jade" does still
+work. However you need to specify the "catalog" file to use for style
+sheets on the command line AND you need to have a default "catalog"
+mapping where to find various DTDs. It seems that "jade" installed out
+of the box on NetBSD does not use a globally defined "catalog" file
+for mapping PUBLIC identifiers in to SYSTEM identifiers.
+
+So you need to have a "catalog" file in your current working directory
+that has in it this: (these are probably more entries than you need!)
+
+ CATALOG "/usr/pkg/share/sgml/iso8879/catalog"
+ CATALOG "/usr/pkg/share/sgml/docbook/2.4.1/catalog"
+ CATALOG "/usr/pkg/share/sgml/docbook/3.0/catalog"
+ CATALOG "/usr/pkg/share/sgml/docbook/3.1/catalog"
+ CATALOG "/usr/pkg/share/sgml/jade/catalog"
+ CATALOG "/usr/local/share/xml/catalog"
+
+(These would all be "/usr/local" on FreeBSD)
+
+So the command for jade on NetBSD will look like this:
+
+jade -v -c /usr/pkg/share/sgml/catalog -t sgml \
+ -d ./nominum-docbook-html.dsl \
+ /usr/pkg/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
+ ./Bv9ARM-book.xml
+
+Furthermore, since the style sheet subset we define has in it a hard
+coded path to the style sheet is based, it is actually generated by
+configure from a .in file so that it will contain the correct
+system-dependent path: where on FreeBSD the second line reads:
+
+ <!ENTITY dbstyle SYSTEM "/usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
+
+On NetBSD it needs to read:
+
+ <!ENTITY dbstyle SYSTEM "/usr/pkg/share/sgml/docbook/dsssl/modular/html/docbook.dsl" CDATA DSSSL>
+
+NOTE: This is usually solved by having this style sheet modification
+be installed in a system directory and have it reference the style
+sheet it is based on via a relative path.
+
+o Generate TeX documentation:
+
+openjade -d ./nominum-docbook-print.dsl -t tex -v \
+ /usr/local/share/sgml/docbook/dsssl/modular/dtds/decls/xml.dcl \
+ Bv9ARM-book.xml
+
+If you have "jade" installed instead of "openjade" then use that as
+the command. There is little difference, openjade has some bug fixes
+and is in more active development.
+
+To convert the resulting TeX file in to a DVI file you need to do:
+
+ tex "&jadetex" Bv9ARM-book.tex
+
+You can also directly generate the pdf file via:
+
+ pdftex "&pdfjadetex" Bv9ARM-book.tex
+
+The scripts "genpdf.sh" and "gendvi." have been added to simply
+generating the PDF and DVI output. These substitute the correct paths
+of NetBSD & FreeBSD. You still need to have TeX, jadeTeX, and pdfTeX
+installed and configured properly for these to work.
+
+You will need to up both the "pool_size" and "hash_extra" variables in
+your texmf.cnf file and regenerate them. See below.
+
+You can see that I am using a DSSSL style sheet for DocBook. Actually
+two different ones - one for rendering html, and one for 'print'
+media.
+
+NOTE: For HTML we are using a Nominum DSSSL style instead of the
+default one (all it does is change the chunking to the chapter level
+and makes the files end with ".html" instead of ".htm" so far.) If you
+want to use the plain jane DSSSL style sheet replace the:
+
+ -d ./nominum-docbook-html.dsl
+
+with
+
+ -d /usr/local/share/sgml/docbook/dsssl/modular/html/docbook.dsl
+
+This style sheet will attempt to reference the one above.
+
+I am currently working on fixing these up so that it works the same on
+our various systems. The main trick is knowing which DTD's and DSSSL
+stylesheets you have installed, installing the right ones, and
+configuring a CATALOG that refers to them in the same way. We will
+probably end up putting our CATALOG's in the same place and then we
+should be able to generate and validate our documents with a minimal
+number of command line arguments.
+
+When running these commands you will get a lot of messages about a
+bunch of general entities not being defined and having no default
+entity. You can ignore those for now.
+
+Also with the style sheets we have and jade as it is you will get
+messages about "xref to title" being unsupported. You can ignore these
+for now as well.
+
+=== Getting the various tools installed on FreeBSD
+(NetBSD coming soon..)
+
+o On freebsd you need to install the following packages:
+ o print/teTeX
+ o textproc/openjade
+ o textproc/docbook
+ o textproc/docbook-xml
+ o textproc/dsssl-docbook-modular
+ o textproc/dtd-catalogs
+
+o on freebsd you need to make some entities visible to the docbook xml
+ dtd by making a symlink (can probably be done with a catalog too)
+ ln -s /usr/local/share/xml/entity /usr/local/share/xml/dtd/docbook/ent
+
+o you may need to edit /usr/local/share/sgml/catalog and add the line:
+
+ CATALOG "/usr/local/share/sgml/openjade/catalog"
+
+o add "hugelatex," Enlarge pool sizes, install the jadetex TeX driver
+ file.
+
+ cd /usr/local/share/texmf/web2c/
+ sudo cp texmf.cnf texmf.cnf.bak
+
+ o edit the lines in texmf.cnf with these keys to these values:
+
+ main_memory = 1100000
+ hash_extra = 15000
+ pool_size = 500000
+ string_vacancies = 45000
+ max_strings = 55000
+ pool_free = 47500
+ nest_size = 500
+ param_size = 1500
+ save_size = 5000
+ stack_size = 1500
+
+ sudo tex -ini -progname=hugelatex -fmt=hugelatex latex.ltx
+ sudo texconfig init
+ sudo texhash
+
+ o For the jadetex macros you will need I recommend you get a more
+ current version than what is packaged with openjade or jade.
+
+ Checkout http://www.tug.org/applications/jadetex/
+
+ Unzip the file you get from there (should be jadetex-2.20 or
+ newer.)
+
+ In the directory you unzip:
+
+ sudo make install
+ sudo texhash
+
+ NOTE: In the most uptodate "ports" for FreeBSD, jadetext is 2.20+
+ so on this platform you should be set as of 2001.01.08.
diff --git a/contrib/bind9/doc/arm/isc.color.gif b/contrib/bind9/doc/arm/isc.color.gif
new file mode 100644
index 0000000..09c327c
--- /dev/null
+++ b/contrib/bind9/doc/arm/isc.color.gif
Binary files differ
diff --git a/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in b/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in
new file mode 100644
index 0000000..33fc938
--- /dev/null
+++ b/contrib/bind9/doc/arm/nominum-docbook-html.dsl.in
@@ -0,0 +1,148 @@
+<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
+<!ENTITY dbstyle SYSTEM "@HTMLSTYLE@" CDATA DSSSL>
+]>
+
+<style-sheet>
+<style-specification use="docbook">
+<style-specification-body>
+
+<!-- ;; your stuff goes here... -->
+
+(define %html-prefix%
+ ;; Add the specified prefix to HTML output filenames
+ "Bv9ARM.")
+
+(define %use-id-as-filename%
+ ;; Use ID attributes as name for component HTML files?
+ #t)
+
+(define %root-filename%
+ ;; Name for the root HTML document
+ "Bv9ARM")
+
+(define %section-autolabel%
+ ;; REFENTRY section-autolabel
+ ;; PURP Are sections enumerated?
+ ;; DESC
+ ;; If true, unlabeled sections will be enumerated.
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #t)
+
+(define %html-ext%
+ ;; REFENTRY html-ext
+ ;; PURP Default extension for HTML output files
+ ;; DESC
+ ;; The default extension for HTML output files.
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ ".html")
+
+(define nochunks
+ ;; REFENTRY nochunks
+ ;; PURP Suppress chunking of output pages
+ ;; DESC
+ ;; If true, the entire source document is formatted as a single HTML
+ ;; document and output on stdout.
+ ;; (This option can conveniently be set with '-V nochunks' on the
+ ;; Jade command line).
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #f)
+
+(define rootchunk
+ ;; REFENTRY rootchunk
+ ;; PURP Make a chunk for the root element when nochunks is used
+ ;; DESC
+ ;; If true, a chunk will be created for the root element, even though
+ ;; nochunks is specified. This option has no effect if nochunks is not
+ ;; true.
+ ;; (This option can conveniently be set with '-V rootchunk' on the
+ ;; Jade command line).
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #t)
+
+(define html-index
+ ;; REFENTRY html-index
+ ;; PURP HTML indexing?
+ ;; DESC
+ ;; Turns on HTML indexing. If true, then index data will be written
+ ;; to the file defined by 'html-index-filename'. This data can be
+ ;; collated and turned into a DocBook index with bin/collateindex.pl.
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #t)
+
+(define html-manifest
+ ;; REFENTRY html-manifest
+ ;; PURP Write a manifest?
+ ;; DESC
+ ;; If not '#f' then the list of HTML files created by the stylesheet
+ ;; will be written to the file named by 'html-manifest-filename'.
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #t)
+
+(define (chunk-element-list)
+ (list (normalize "preface")
+ (normalize "chapter")
+ (normalize "appendix")
+ (normalize "article")
+ (normalize "glossary")
+ (normalize "bibliography")
+ (normalize "index")
+ (normalize "colophon")
+ (normalize "setindex")
+ (normalize "reference")
+ (normalize "refentry")
+ (normalize "part")
+ (normalize "book") ;; just in case nothing else matches...
+ (normalize "set") ;; sets are definitely chunks...
+ ))
+
+;
+; Add some cell padding to tables so that they don't look so cramped
+; in Netscape.
+;
+; The following definition was cut-and-pasted from dbtable.dsl and the
+; single line containing the word CELLPADDING was added.
+;
+(element tgroup
+ (let* ((wrapper (parent (current-node)))
+ (frameattr (attribute-string (normalize "frame") wrapper))
+ (pgwide (attribute-string (normalize "pgwide") wrapper))
+ (footnotes (select-elements (descendants (current-node))
+ (normalize "footnote")))
+ (border (if (equal? frameattr (normalize "none"))
+ '(("BORDER" "0"))
+ '(("BORDER" "1"))))
+ (width (if (equal? pgwide "1")
+ (list (list "WIDTH" ($table-width$)))
+ '()))
+ (head (select-elements (children (current-node)) (normalize "thead")))
+ (body (select-elements (children (current-node)) (normalize "tbody")))
+ (feet (select-elements (children (current-node)) (normalize "tfoot"))))
+ (make element gi: "TABLE"
+ attributes: (append
+ '(("CELLPADDING" "3"))
+ border
+ width
+ (if %cals-table-class%
+ (list (list "CLASS" %cals-table-class%))
+ '()))
+ (process-node-list head)
+ (process-node-list body)
+ (process-node-list feet)
+ (make-table-endnotes))))
+
+</style-specification-body>
+</style-specification>
+<external-specification id="docbook" document="dbstyle">
+</style-sheet>
diff --git a/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in b/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in
new file mode 100644
index 0000000..511d6c4
--- /dev/null
+++ b/contrib/bind9/doc/arm/nominum-docbook-print.dsl.in
@@ -0,0 +1,42 @@
+<!DOCTYPE style-sheet PUBLIC "-//James Clark//DTD DSSSL Style Sheet//EN" [
+<!ENTITY dbstyle SYSTEM "@PRINTSTYLE@" CDATA DSSSL>
+]>
+
+
+<style-sheet>
+<style-specification use="docbook">
+<style-specification-body>
+
+<!-- ;; your stuff goes here... -->
+
+(define %generate-book-titlepage% #t)
+
+(define %section-autolabel%
+ ;; REFENTRY section-autolabel
+ ;; PURP Are sections enumerated?
+ ;; DESC
+ ;; If true, unlabeled sections will be enumerated.
+ ;; /DESC
+ ;; AUTHOR N/A
+ ;; /REFENTRY
+ #t)
+
+;; Margins around cell contents
+;; (define %cals-cell-before-row-margin% 20pt)
+;; (define %cals-cell-after-row-margin% 20pt)
+
+;; seems to be a bug in JadeTeX -- we get a wierd indent on table
+;; cells for the first line only. This is a workaround.
+;; Adam Di Carlo, adam@onshore.com
+(define %cals-cell-before-column-margin% 5pt)
+(define %cals-cell-after-column-margin% 5pt)
+
+;; Inheritable start and end indent for cell contents
+(define %cals-cell-content-start-indent% 5pt)
+(define %cals-cell-content-end-indent% 5pt)
+
+
+</style-specification-body>
+</style-specification>
+<external-specification id="docbook" document="dbstyle">
+</style-sheet>
diff --git a/contrib/bind9/doc/arm/validate.sh.in b/contrib/bind9/doc/arm/validate.sh.in
new file mode 100644
index 0000000..f50d8a0
--- /dev/null
+++ b/contrib/bind9/doc/arm/validate.sh.in
@@ -0,0 +1,21 @@
+#!/bin/sh
+#
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: validate.sh.in,v 1.2.206.1 2004/03/06 13:16:14 marka Exp $
+
+nsgmls -sv @SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl \
+ Bv9ARM-book.xml
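Review bot: The `@SGMLDIR@` substitution on the nsgmls line is unquoted, so a configure-time path containing whitespace or shell metacharacters would be split or interpreted by the shell when the generated script runs. Quoting the argument keeps it a single word: `nsgmls -sv "@SGMLDIR@/docbook/dsssl/modular/dtds/decls/xml.dcl" \`. The script also opens Bv9ARM-book.xml relative to the current directory, so a comment such as `# run from doc/arm, next to Bv9ARM-book.xml` would spare callers a confusing failure.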
diff --git a/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt b/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt
new file mode 100644
index 0000000..1030e57
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-baba-dnsext-acl-reqts-01.txt
@@ -0,0 +1,336 @@
+
+
+
+
+Internet-Draft T. Baba
+Expires: March 11, 2004 NTT Data
+ September 11, 2003
+
+
+ Requirements for Access Control in Domain Name Systems
+ draft-baba-dnsext-acl-reqts-01.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+ Distribution of this memo is unlimited.
+
+ This Internet-Draft will expire on March 11, 2004.
+
+Abstract
+
+ This document describes the requirements for access control
+ mechanisms in the Domain Name System (DNS), which authenticate
+ clients and then allow or deny access to resource records in the
+ zone according to the access control list (ACL).
+
+1. Introduction
+
+ The Domain Name System (DNS) is a hierarchical, distributed, highly
+ available database used for bi-directional mapping between domain
+ names and IP addresses, for email routing, and for other information
+ [RFC1034, 1035]. DNS security extensions (DNSSEC) have been defined
+ to authenticate the data in DNS and provide key distribution services
+ using SIG, KEY, and NXT resource records (RRs) [RFC2535].
+
+
+
+Baba Expires March 11, 2004 [Page 1]
+
+Internet-Draft DNS Access Control Requirements September 2003
+
+
+ At the 28th IETF Meeting in Houston in 1993, DNS security design team
+ started a discussion about DNSSEC and agreed to accept the assumption
+ that "DNS data is public". Accordingly, confidentiality for queries
+ or responses is not provided by DNSSEC, nor are any sort of access
+ control lists or other means to differentiate inquirers. However,
+ about ten years has passed, access control in DNS has been more
+ important than before. Currently, new RRs are proposed to add new
+ functionality to DNS such as ENUM [RFC2916]. Such new RRs may
+ contain private information. Thus, DNS access control will be
+ needed.
+
+ Furthermore, with DNS access control mechanism, access from
+ unauthorized clients can be blocked when they perform DNS name
+ resolution. Thus, for example, Denial of Service (DoS) attacks
+ against a server used by a closed user group can be prevented using
+ this mechanism if IP address of the server is not revealed by other
+ sources.
+
+ This document describes the requirements for access control
+ mechanisms in DNS.
+
+2. Terminology
+
+ AC-aware client
+ This is the client that understands the DNS access control
+ extensions. This client may be an end host which has a stub
+ resolver, or a cashing/recursive name server which has a
+ full-service resolver.
+
+ AC-aware server
+ This is the authoritative name server that understands the DNS
+ access control extensions.
+
+ ACE
+ An Access Control Entry. This is the smallest unit of access
+ control policy. It grants or denies a given set of access
+ rights to a set of principals. An ACE is a component of an ACL,
+ which is associated with a resource.
+
+ ACL
+ An Access Control List. This contains all of the access control
+ policies which are directly associated with a particular
+ resource. These policies are expressed as ACEs.
+
+ Client
+ A program or host which issues DNS requests and accepts its
+ responses. A client may be an end host or a cashing/recursive name
+ server.
+
+
+
+Baba Expires March 11, 2004 [Page 2]
+
+Internet-Draft DNS Access Control Requirements September 2003
+
+
+ RRset
+ All resource records (RRs) having the same NAME, CLASS and TYPE
+ are called a Resource Record Set (RRset).
+
+3. Requirements
+
+ This section describes the requirements for access control in DNS.
+
+3.1 Authentication
+
+3.1.1 Client Authentication Mechanism
+
+ The AC-aware server must identify AC-aware clients based on IP
+ address and/or domain name (user ID or host name), and must
+ authenticate them using strong authentication mechanism such as
+ digital signature or message authentication code (MAC).
+
+ SIG(0) RR [RFC2931] contains a domain name associated with sender's
+ public key in its signer's name field, and TSIG RR [RFC2845] also
+ contains a domain name associated with shared secret key in its key
+ name field. Each of these domain names can be a host name or a user
+ name, and can be used as a sender's identifier for access control.
+ Furthermore, SIG(0) uses digital signatures, and TSIG uses MACs for
+ message authentication. These mechanisms can be used to authenticate
+ AC-aware clients.
+
+ Server authentication may be also provided.
+
+3.1.2 End-to-End Authentication
+
+ In current DNS model, caching/recursive name servers are deployed
+ between end hosts and authoritative name servers. Although
+ authoritative servers can authenticate caching/recursive name servers
+ using SIG(0) or TSIG, they cannot authenticate end hosts behind them.
+ For end-to-end authentication, the mechanism for an end host to
+ discover the target authoritative name server and directly access to
+ it bypassing caching/recursive name servers is needed. For example,
+ an end host can get the IP addresses of the authoritative name
+ servers by retrieving NS RRs for the zone via local caching/recursive
+ name server.
+
+ In many enterprise networks, however, there are firewalls that block
+ all DNS packets other than those going to/from the particular
+ caching/recursive servers. To deal with this problem, one can
+ implement packet forwarding function on the caching/recursive servers
+ and enable end-to-end authentication via the caching/recursive
+ servers.
+
+
+
+
+Baba Expires March 11, 2004 [Page 3]
+
+Internet-Draft DNS Access Control Requirements September 2003
+
+
+3.1.3 Authentication Key Retrieval
+
+ Keys which are used to authenticate clients should be able to be
+ automatically retrieved. The KEY RR is used to store a public key
+ for a zone or a host that is associated with a domain name. SIG(0)
+ RR uses a public key in KEY RR for verifying the signature. If
+ DNSSEC is available, the KEY RR would be protected by the SIG RR.
+ KEY RR or newly defined RR can be used to automatic key retrieval.
+
+3.2 Confidentiality
+
+3.2.1 Data Encryption
+
+ To avoid disclosure to eavesdroppers, the response containing the
+ RRsets which are restricted to access from particular users should be
+ encrypted. Currently, no encryption mechanism is specified in DNS.
+ Therefore, new RRs should be defined for DNS message encryption.
+ Instead, IPsec [RFC2401] can be used to provide confidentiality if
+ name server and resolver can set up security associations dynamically
+ using IPsec API [IPSECAPI] when encryption is required.
+
+ In case encryption is applied, entire DNS message including DNS
+ header should be encrypted to hide information including error code.
+
+ Query encryption may be also provided for hiding query information.
+
+3.2.2 Key Exchange
+
+ If DNS message encryption is provided, automatic key exchange
+ mechanism should be also provided. [RFC2930] specifies a TKEY RR
+ that can be used to establish and delete shared secret keys used by
+ TSIG between a client and a server. With minor extensions, TKEY can
+ be used to establish shared secret keys used for message encryption.
+
+3.2.3 Caching
+
+ The RRset that is restricted to access from particular users must not
+ be cached. To avoid caching, the TTL of the RR that is restricted to
+ access should be set to zero during transit.
+
+3.3 Access Control
+
+3.3.1 Granularity of Access Control
+
+ Control of access on a per-user/per-host granularity must be
+ supported. Control of access to individual RRset (not just the
+ entire zone) must be also supported. However, SOA, NS, SIG, NXT,
+ KEY, and DS RRs must be publicly accessible to avoid unexpected
+ results.
+
+
+Baba Expires March 11, 2004 [Page 4]
+
+Internet-Draft DNS Access Control Requirements September 2003
+
+
+3.3.2 ACL Representation
+
+ Access Control List (ACL) format must be standardized so that both
+ the primary and secondary AC-aware servers can recognize the same
+ ACL. Although ACL may appear in or out of zone data, it must be
+ transferred to the secondary AC-aware server with associated zone
+ data. It is a good idea to contain ACL in zone data, because ACL can
+ be transferred with zone data using existing zone transfer mechanisms
+ automatically. However, ACL must not be published except for
+ authorized secondary master servers.
+
+ In zone data master files, ACL should be specified using TXT RRs or
+ newly defined RRs. In each access control entry (ACE), authorized
+ entities (host or user) must be described using domain name (host
+ name, user name, or IP address in in-addr.arpa/ip6.arpa format).
+ There may be other access control attributes such as access time.
+
+ It must be possible to create publicly readable entries, which may be
+ read even by unauthenticated clients.
+
+3.3.3 Zone/ACL Transfer
+
+ As mentioned above, ACL should be transferred from a primary AC-aware
+ server to a secondary AC-aware server with associated zone data.
+ When an AC-aware server receives a zone/ACL transfer request, the
+ server must authenticate the client, and should encrypt the zone
+ data and associated ACL during transfer.
+
+3.4 Backward/co-existence Compatibility
+
+ Any new protocols to be defined for access control in DNS must be
+ backward compatible with existing DNS protocol. AC-aware servers
+ must be able to process normal DNS query without authentication, and
+ must respond if retrieving RRset is publicly accessible.
+
+ Modifications to root/gTLD/ccTLD name servers are not allowed.
+
+4. Security Considerations
+
+ This document discusses the requirements for access control
+ mechanisms in DNS.
+
+5. Acknowledgements
+
+ This work is funded by the Telecommunications Advancement
+ Organization of Japan (TAO).
+
+ The author would like to thank the members of the NTT DATA network
+ security team for their important contribution to this work.
+
+
+Baba Expires March 11, 2004 [Page 5]
+
+Internet-Draft DNS Access Control Requirements September 2003
+
+
+6. References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)",
+ RFC 2845, May 2000.
+
+ [RFC2916] Faltstrom, P., "E.164 number and DNS", RFC 2916,
+ September 2000.
+
+ [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)",
+ RFC 2930, September 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s)", RFC 2931, September 2000.
+
+ [IPSECAPI] Sommerfeld, W., "Requirements for an IPsec API",
+ draft-ietf-ipsp-ipsec-apireq-00.txt, June 2003, Work in
+ Progress.
+
+
+Author's Address
+
+ Tatsuya Baba
+ NTT Data Corporation
+ Research and Development Headquarters
+ Kayabacho Tower, 1-21-2, Shinkawa, Chuo-ku,
+ Tokyo 104-0033, Japan
+
+ Tel: +81 3 3523 8081
+ Fax: +81 3 3523 8090
+ Email: babatt@nttdata.co.jp
+
+
+
+
+
+
+
+
+Baba Expires March 11, 2004 [Page 6]
diff --git a/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt b/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt
new file mode 100644
index 0000000..fffa8a5
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-daigle-napstr-04.txt
@@ -0,0 +1,1232 @@
+
+
+Network Working Group L. Daigle
+Internet-Draft A. Newton
+Expires: August 15, 2004 VeriSign, Inc.
+ February 15, 2004
+
+
+ Domain-based Application Service Location Using SRV RRs and the
+ Dynamic Delegation Discovery Service (DDDS)
+ draft-daigle-napstr-04.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 15, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This memo defines a generalized mechanism for application service
+ naming that allows service location without relying on rigid domain
+ naming conventions (so-called name hacks). The proposal defines a
+ Dynamic Delegation Discovery System (DDDS) Application to map domain
+ name, application service name, and application protocol to target
+ server and port, dynamically.
+
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 1]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Straightforward-NAPTR (S-NAPTR) Specification . . . . . . . 4
+ 2.1 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2 S-NAPTR DDDS Application Usage . . . . . . . . . . . . . . . 5
+ 2.2.1 Ordering and Preference . . . . . . . . . . . . . . . . . . 5
+ 2.2.2 Matching and non-Matching NAPTR Records . . . . . . . . . . 5
+ 2.2.3 Terminal and Non-Terminal NAPTR Records . . . . . . . . . . 5
+ 2.2.4 S-NAPTR and Successive Resolution . . . . . . . . . . . . . 6
+ 2.2.5 Clients Supporting Multiple Protocols . . . . . . . . . . . 6
+ 3. Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.1 Guidelines for Application Protocol Developers . . . . . . . 7
+ 3.1.1 Registration of application service and protocol tags . . . 7
+ 3.1.2 Definition of conditions for retry/failure . . . . . . . . . 8
+ 3.1.3 Server identification and handshake . . . . . . . . . . . . 8
+ 3.2 Guidelines for Domain Administrators . . . . . . . . . . . . 8
+ 3.3 Guidelines for Client Software Writers . . . . . . . . . . . 9
+ 4. Illustrations . . . . . . . . . . . . . . . . . . . . . . . 9
+ 4.1 Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 4.2 Service Discovery within a Domain . . . . . . . . . . . . . 10
+ 4.3 Multiple Protocols . . . . . . . . . . . . . . . . . . . . . 10
+ 4.4 Remote Hosting . . . . . . . . . . . . . . . . . . . . . . . 11
+ 4.5 Sets of NAPTR RRs . . . . . . . . . . . . . . . . . . . . . 12
+ 4.6 Sample sequence diagram . . . . . . . . . . . . . . . . . . 12
+ 5. Motivation and Discussion . . . . . . . . . . . . . . . . . 14
+ 5.1 So, why not just SRV records? . . . . . . . . . . . . . . . 15
+ 5.2 So, why not just NAPTR records? . . . . . . . . . . . . . . 15
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 16
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . 16
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17
+ References . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 18
+ A. Application Service Location Application of DDDS . . . . . . 18
+ A.1 Application Unique String . . . . . . . . . . . . . . . . . 18
+ A.2 First Well Known Rule . . . . . . . . . . . . . . . . . . . 18
+ A.3 Expected Output . . . . . . . . . . . . . . . . . . . . . . 18
+ A.4 Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
+ A.5 Service Parameters . . . . . . . . . . . . . . . . . . . . . 19
+ A.5.1 Application Services . . . . . . . . . . . . . . . . . . . . 19
+ A.5.2 Application Protocols . . . . . . . . . . . . . . . . . . . 20
+ A.6 Valid Rules . . . . . . . . . . . . . . . . . . . . . . . . 20
+ A.7 Valid Databases . . . . . . . . . . . . . . . . . . . . . . 20
+ B. Pseudo pseudocode for S-NAPTR . . . . . . . . . . . . . . . 20
+ B.1 Finding the first (best) target . . . . . . . . . . . . . . 20
+ B.2 Finding subsequent targets . . . . . . . . . . . . . . . . . 21
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . 23
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 2]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+1. Introduction
+
+ This memo defines a generalized mechanism for application service
+ naming that allows service location without relying on rigid domain
+ naming conventions (so-called name hacks). The proposal defines a
+ Dynamic Delegation Discovery System (DDDS -- see [6]) Application to
+ map domain name, application service name, and application protocol
+ to target server and port, dynamically.
+
+ As discussed in Section 5, existing approaches to using DNS records
+ to dynamically determining the current host for a given application
+ service are limited in terms of the use cases supported. To address
+ some of the limitations, this document defines a DDDS Application to
+ map service+protocol+domain to specific server addresses using both
+ NAPTR [7] and SRV ([5]) DNS resource records. This can be viewed as
+ a more general version of the use of SRV and/or a very restricted
+ application of the use of NAPTR resource records.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC2119 ([2]).
+
+2. Straightforward-NAPTR (S-NAPTR) Specification
+
+ The precise details of the specification of this DDDS application are
+ given in Appendix A. This section defines the usage of the DDDS
+ application.
+
+2.1 Key Terms
+
+ An "application service" is a generic term for some type of
+ application, indpendent of the protocol that may be used to offer it.
+ Each application service will be associated with an IANA-registered
+ tag. For example, instant messaging is a type of application
+ service, which can be implemented by many different application-layer
+ protocols, and the tag "IM" (used as an illustration here) could be
+ registered for it.
+
+ An "application protocol" is used to implement the application
+ service. These are also associated with IANA-registered tags. In
+ the case where multiple transports are available for the application,
+ separate tags should be defined for each transport.
+
+ The intention is that the combination of application service and
+ protocol tags should be specific enough that finding a known pair
+ (e.g., "IM:ProtC") is sufficient for a client to identify a server
+ with which it can communicate.
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 3]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ Some protocols support multiple application services. For example,
+ LDAP is an application protocol, and can be found supporting various
+ services (e.g., "whitepages", "directory enabled networking", etc).
+
+2.2 S-NAPTR DDDS Application Usage
+
+ As outlined in Appendix A, NAPTR records are used to store
+ application service+protocol information for a given domain.
+ Following the DDDS standard, these records are looked up, and the
+ rewrite rules (contained in the NAPTR records) are used to determine
+ the successive DNS lookups, until a desirable target is found.
+
+ For the rest of this section, refer to the set of NAPTR resource
+ records for example.com shown in the figure below.
+
+ example.com.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "" "WP:whois++" "" bunyip.example.
+ IN NAPTR 100 20 "s" "WP:ldap" "" _ldap._tcp.myldap.example.com.
+ IN NAPTR 200 10 "" "IM:protA" "" someisp.example.
+ IN NAPTR 200 30 "a" "IM:protB" "" myprotB.example.com.
+
+
+2.2.1 Ordering and Preference
+
+ A client retrieves all of the NAPTR records associated with the
+ target domain name (example.com, above). These are to be sorted in
+ terms of increasing ORDER, and increasing PREF within each ORDER.
+
+2.2.2 Matching and non-Matching NAPTR Records
+
+ Starting with the first sorted NAPTR record, the client examines the
+ SERVICE field to find a match. In the case of the S-NAPTR DDDS
+ application, that means a SERVICE field that includes the tags for
+ the desired application service and a supported application protocol.
+
+ If more than one NAPTR record matches, they are processed in
+ increasing sort order.
+
+2.2.3 Terminal and Non-Terminal NAPTR Records
+
+ A NAPTR record with an empty FLAG field is "non-terminal". That is,
+ more NAPTR RR lookups are to be performed. Thus, to process a NAPTR
+ record with an empty FLAG field in S-NAPTR, the REPLACEMENT field is
+ used as the target of the next DNS lookup -- for NAPTR RRs.
+
+ In S-NAPTR, the only terminal flags are "S" and "A". These are
+ called "terminal" NAPTR lookups because they denote the end of the
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 4]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ DDDS/NAPTR processing rules. In the case of an "S" flag, the
+ REPLACEMENT field is used as the target of a DNS query for SRV RRs,
+ and normal SRV processing is applied. In the case of an "A" flag, an
+ address record is sought for the REPLACEMENT field target (and the
+ default protocol port is assumed).
+
+2.2.4 S-NAPTR and Successive Resolution
+
+ As shown in the example NAPTR RR set above, it is possible to have
+ multiple possible targets for a single application service+protocol
+ pair. These are to be pursued in order until a server is
+ successfully contacted or all possible matching NAPTR records have
+ been successively pursued to terminal lookups and servers contacted.
+ That is, a client must backtrack and attempt other resolution paths
+ in the case of failure.
+
+ "Failure" is declared, and backtracking must be used when
+
+ o the designated remote server (host and port) fail to provide
+ appropriate security credentials for the *originating* domain
+
+ o connection to the designated remote server otherwise fails -- the
+ specifics terms of which are defined when an application protocol
+ is registered
+
+ o the S-NAPTR-designated DNS lookup fails to yield expected results
+ -- e.g., no A RR for an "A" target, no SRV record for an "S"
+ target, or no NAPTR record with appropriate application service
+ and protocol for a NAPTR lookup. Except in the case of the very
+ first NAPTR lookup, this last is a configuration error: the fact
+ that example.com has a NAPTR record pointing to "bunyip.example"
+ for the "WP:Whois++" service and protocol means the administrator
+ of example.com believes that service exists. If bunyip.example
+ has no "WP:Whois++" NAPTR record, the application client MUST
+ backtrack and try the next available "WP:Whois++" option from
+ example.com. As there is none, the whole resolution fails.
+
+ An application client first queries for the NAPTR RRs for the domain
+ of a named application service. The application client MUST select
+ one protocol to choose The PREF field of the NAPTR RRs may be used by
+ the domain administrator to The first DNS query is for the NAPTR RRs
+ in the original target domain (example.com, above).
+
+2.2.5 Clients Supporting Multiple Protocols
+
+ In the case of an application client that supports more than one
+ protocol for a given application service, it MUST pursue S-NAPTR
+ resolution completely for one protocol before trying another.j It MAY
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 5]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ choose which protocol to try first based on its own preference, or
+ from the PREF ranking in the first set of NAPTR records (i.e., those
+ for the target named domain). However, the chosen protocol MUST be
+ listed in that first NAPTR RR set.
+
+ That is, what the client MUST NOT do is start looking for one
+ protocol, observe that a successive NAPTR RR set supports another of
+ its preferred protocols, and continue the S-NAPTR resolution based on
+ that protocol. For example, even if someisp.example offers the "IM"
+ service with protocol "ProtB", there is no reason to believe it does
+ so on behalf of example.com (since there is no such pointer in
+ example.com's NAPTR RR set).
+
+3. Guidelines
+
+3.1 Guidelines for Application Protocol Developers
+
+ The purpose of S-NAPTR is to provide application standards developers
+ with a more powerful framework (than SRV RRs alone) for naming
+ service targets, without requiring each application protocol (or
+ service) standard to define a separate DDDS application.
+
+ Note that this approach is intended specifically for use when it
+ makes sense to associate services with particular domain names (e.g.,
+ e-mail addresses, SIP addresses, etc). A non-goal is having all
+ manner of label mapped into domain names in order to use this.
+
+ Specifically not addressed in this document is how to select the
+ domain for which the service+protocol is being sought. It is up to
+ other conventions to define how that might be used (e.g., instant
+ messaging standards can define what domain to use from IM URIs, how
+ to step down from foobar.example.com to example.com, and so on, if
+ that is applicable).
+
+ Although this document proposes a DDDS application that does not use
+ all the features of NAPTR resource records, it does not mean to imply
+ that DNS resolvers should fail to implement all aspects of the NAPTR
+ RR standard. A DDDS application is a client use convention.
+
+ The rest of this section outlines the specific elements that protocol
+ developers must determine and document in order to make use of S-
+ NAPTR.
+
+3.1.1 Registration of application service and protocol tags
+
+ Application protocol developers that wish to make use of S-NAPTR must
+ make provision to register any relevant application service and
+ application protocol tags, as described in Section 6.
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 6]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+3.1.2 Definition of conditions for retry/failure
+
+ One other important aspect that must be defined is the expected
+ behaviour for interacting with the servers that are reached via S-
+ NAPTR. Specifically, under what circumstances should the client
+ retry a target that was found via S-NAPTR? What should it consider a
+ failure that causes it to return to the S-NAPTR process to determine
+ the next serviceable target (a less preferred target)?
+
+ For example, if the client gets a "connection refused" from a server,
+ should it retry for some (protocol-dependent) period of time? Or,
+ should it try the next-preferred target in the S-NAPTR chain of
+ resolution? Should it only try the next-preferred target if it
+ receives a protocol-specific permanent error message?
+
+ The most important thing is to select one expected behaviour and
+ document it as part of the use of S-NAPTR.
+
+ As noted earlier, failure to provide appropriate credentials to
+ identify the server as being authoritative for the original taret
+ domain is always considered a failure condition.
+
+3.1.3 Server identification and handshake
+
+ As noted in Section 7, use of the DNS for server location increases
+ the importance of using protocol-specific handshakes to determine and
+ confirm the identity of the server that is eventually reached.
+
+ Therefore, application protocol developers using S-NAPTR should
+ identify the mechanics of the expected identification handshake when
+ the client connects to a server found through S-NAPTR.
+
+3.2 Guidelines for Domain Administrators
+
+ Although S-NAPTR aims to provide a "straightforward" application of
+ DDDS and use of NAPTR records, it is still possible to create very
+ complex chains and dependencies with the NAPTR and SRV records.
+
+ Therefore, domain administrators are called upon to use S-NAPTR with
+ as much restraint as possible, while still achieving their service
+ design goals.
+
+ The complete set of NAPTR, SRV and A RRs that are "reachable" through
+ the S-NAPTR process for a particular application service can be
+ thought of as a "tree". Each NAPTR RR retrieved points to more NAPTR
+ or SRV records; each SRV record points to several A record lookups.
+ Even though a particular client can "prune" the tree to use only
+ those records referring to application protocols supported by the
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 7]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ client, the tree could be quite deep, and retracing the tree to retry
+ other targets can become expensive if the tree has many branches.
+
+ Therefore,
+
+ o Fewer branches is better: for both NAPTR and SRV records, provide
+ different targets with varying preferences where appropriate
+ (e.g., to provide backup services, etc), but don't look for
+ reasons to provide more.
+
+ o Shallower is better: avoid using NAPTR records to "rename"
+ services within a zone. Use NAPTR records to identify services
+ hosted elsewhere (i.e., where you cannot reasonably provide the
+ SRV records in your own zone).
+
+
+3.3 Guidelines for Client Software Writers
+
+ To properly understand DDDS/NAPTR, an implementor must read [6].
+ However, the most important aspect to keep in mind is that, if one
+ target fails to work for the application, it is expected that the
+ application will continue through the S-NAPTR tree to try the (less
+ preferred) alternatives.
+
+4. Illustrations
+
+4.1 Use Cases
+
+ The basic intended use cases for which S-NAPTR has been developed
+ are:
+
+ o Service discovery within a domain. For example, this can be used
+ to find the "authoritative" server for some type of service within
+ a domain (see the specific example in Section 4.2).
+
+ o Multiple protocols. This is increasingly common as new
+ application services are defined. This includes the case of
+ instant messaging (a service) which can be offered with multiple
+ protocols (see Section 4.3).
+
+ o Remote hosting. Each of the above use cases applies within the
+ administration of a single domain. However, one domain operator
+ may elect to engage another organization to provide an application
+ service. See Section 4.4 for an example that cannot be served by
+ SRV records alone.
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 8]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+4.2 Service Discovery within a Domain
+
+ There are occasions when it is useful to be able to determine the
+ "authoritative" server for a given application service within a
+ domain. This is "discovery", because there is no a priori knowledge
+ as to whether or where the service is offered; it is therefore
+ important to determine the location and characteristics of the
+ offered service.
+
+ For example, there is growing discussion of having a generic
+ mechanism for locating the keys or certificates associated with
+ particular application (servers) operated in (or for) a particular
+ domain. Here's a hypothetical case for storing application key or
+ certificate data for a given domain. The premise is that some
+ credentials registry (CredReg) service has been defined to be a leaf
+ node service holding the keys/certs for the servers operated by (or
+ for) the domain. Furthermore, it is assumed that more than one
+ protocol is available to provide the service for a particular domain.
+ This DDDS-based approach is used to find the CredReg server that
+ holds the information.
+
+ Thus, the set of NAPTR records for thinkingcat.example might look
+ like this:
+
+ thinkingcat.example.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "" "CREDREG:ldap:iris-beep" "" theserver.thinkingcat.example.
+
+ Note that another domain, offering the same application service,
+ might offer it using a different set of application protocols:
+
+ anotherdomain.example.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "" "CREDREG:iris-lw:iris-beep" "" foo.anotherdomain.example.
+
+
+4.3 Multiple Protocols
+
+ As it stands, there are several different protocols proposed for
+ offering "instant message" services. Assuming that "IM" was
+ registered as an application service, this DDDS application could be
+ used to determine the available services for delivering to a target.
+
+ Two particular features of instant messaging should be noted:
+
+ 1. gatewaying is expected to bridge communications across protocols
+
+ 2. instant messaging servers are likely to be operated out of a
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 9]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ different domain than the instant messaging address, and servers
+ of different protocols may be offered by independent
+ organizations
+
+ For example, "thinkingcat.example" may support its own servers for
+ the "ProtA" instant messaging protocol, but rely on outsourcing from
+ "example.com" for "ProtC" and "ProtB" servers.
+
+ Using this DDDS-based approach, thinkingcat.example can indicate a
+ preference ranking for the different types of servers for the instant
+ messaging service, and yet the out-sourcer can independently rank the
+ preference and ordering of servers. This independence is not
+ achievable through the use of SRV records alone.
+
+ Thus, to find the IM services for thinkingcat.example, the NAPTR
+ records for thinkingcat.example are retrieved:
+
+ thinkingcat.example.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
+ IN NAPTR 100 20 "s" "IM:ProtB" "" _ProtB._tcp.example.com.
+ IN NAPTR 100 30 "s" "IM:ProtC" "" _ProtC._tcp.example.com.
+
+ and then the administrators at example.com can manage the preference
+ rankings of the servers they use to support the ProtB service:
+
+ _ProtB._tcp.example.com.
+ ;; Pref Weight Port Target
+ IN SRV 10 0 10001 bigiron.example.com
+ IN SRV 20 0 10001 backup.im.example.com
+ IN SRV 30 0 10001 nuclearfallout.australia-isp.example
+
+
+4.4 Remote Hosting
+
+ In the Instant Message hosting example in Section 4.3, the service
+ owner (thinkingcat.example) had to host pointers to the hosting
+ service's SRV records in the thinkingcat.example domain.
+
+ A better way to approach this is to have one NAPTR RR in the
+ thinkingcat.example domain pointing to all the hosted services, and
+ the hosting domain has NAPTR records for each service to map them to
+ whatever local hosts it chooses (and may change from time to time).
+
+
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 10]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ thinkingcat.example.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
+ IN NAPTR 100 20 "" "IM:ProtB:ProtC" "" thinkingcat.example.com.
+
+
+ and then the administrators at example.com can break out the
+ individual application protocols and manage the preference rankings
+ of the servers they use to support the ProtB service (as before):
+
+ thinkingcat.example.com.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "s" "IM:ProtC" "" _ProtC._tcp.example.com.
+ IN NAPTR 100 20 "s" "IM:ProtB" "" _ProtB._tcp.example.com.
+
+
+
+ _ProtC._tcp.example.com.
+ ;; Pref Weight Port Target
+ IN SRV 10 0 10001 bigiron.example.com
+ IN SRV 20 0 10001 backup.im.example.com
+ IN SRV 30 0 10001 nuclearfallout.australia-isp.example
+
+
+4.5 Sets of NAPTR RRs
+
+ Note that the above sections assumed that there was one service
+ available (via S-NAPTR) per domain. Often, that will not be the
+ case. Assuming thinkingcat.example had the CredReg service set up as
+ described in Section 4.2 and the instant messaging service set up as
+ described in Section 4.4, then a client querying for the NAPTR RR set
+ from thinkingcat.com would get the following answer:
+
+ thinkingcat.example.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "s" "IM:ProtA" "" _ProtA._tcp.thinkingcat.example.
+ IN NAPTR 100 20 "" "IM:ProtB:ProtC:" "" thinkingcat.example.com.
+ IN NAPTR 200 10 "" "CREDREG:ldap:iris-beep" "" bouncer.thinkingcat.example.
+
+ Sorting them by increasing "ORDER", the client would look through the
+ SERVICE strings to determine if there was a NAPTR RR that matched the
+ application service it was looking for, with an application protocol
+ it could use. The first (lowest PREF) record that so matched is the
+ one the client would use to continue.
+
+4.6 Sample sequence diagram
+
+ Consider the example in Section 4.3. Visually, the sequence of steps
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 11]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ required for the client to reach the final server for a "ProtB"
+ service for IM for the thinkingcat.example domain is as follows:
+
+
+ Client NS for NS for
+ thinkingcat.example example.com backup.im.example.com
+ | | |
+ 1 -------->| | |
+ 2 <--------| | |
+ 3 ------------------------------>| |
+ 4 <------------------------------| |
+ 5 ------------------------------>| |
+ 6 <------------------------------| |
+ 7 ------------------------------>| |
+ 8 <------------------------------| |
+ 9 ------------------------------------------------->|
+ 10 <-------------------------------------------------|
+ 11 ------------------------------------------------->|
+ 12 <-------------------------------------------------|
+ (...)
+
+
+
+ 1. the name server (NS) for thinkingcat.example is reached with a
+ request for all NAPTR records
+
+ 2. the server responds with the NAPTR records shown in Section 4.3.
+
+ 3. the second NAPTR record matches the desired criteria; that has an
+ "s" flag and a replacement fields of "_ProtB._tcp.example.com".
+ So, the client looks up SRV records for that target, ultimately
+ making the request of the NS for example.com.
+
+ 4. the response includes the SRV records listed in Section 4.3.
+
+ 5. the client attempts to reach the server with the lowest PREF in
+ the SRV list -- looking up the A record for the SRV record's
+ target (bigiron.example.com).
+
+ 6. the example.com NS responds with an error message -- no such
+ machine!
+
+ 7. the client attempts to reach the second server in the SRV list,
+ and looks up the A record for backup.im.example.com
+
+ 8. the client gets the A record with the IP address for
+ backup.im.example.com from example.com's NS.
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 12]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ 9. the client connects to that IP address, on port 10001 (from the
+ SRV record), using ProtB over tcp.
+
+ 10. the server responds with an "OK" message.
+
+ 11. the client uses ProtB to challenge that this server has
+ credentials to operate the service for the original domain
+ (thinkingcat.example)
+
+ 12. the server responds, and the rest is IM.
+
+
+5. Motivation and Discussion
+
+ Increasingly, application protocol standards are using domain names
+ to identify server targets, and stipulating that clients should look
+ up SRV resource records to determine the host and port providing the
+ server. This enables a distinction between naming an application
+ service target and actually hosting the server. It also increases
+ flexibility in hosting the target service:
+
+ o the server may be operated by a completely different organization
+ without having to list the details of that organization's DNS
+ setup (SRVs)
+
+ o multiple instances can be set up (e.g., for load balancing or
+ secondaries)
+
+ o it can be moved from time to time without disrupting clients'
+ access, etc.
+
+ This is quite useful, but Section 5.1 outlines some of the
+ limitations inherent in the approach.
+
+ That is, while SRV records can be used to map from a specific service
+ name and protocol for a specific domain to a specific server, SRV
+ records are limited to one layer of indirection, and are focused on
+ server administration rather than on application naming. And, while
+ the DDDS specification and use of NAPTR allows multiple levels of
+ redirection before locating the target server machine with an SRV
+ record, this proposal requires only a subset of NAPTR strictly bound
+ to domain names, without making use of the REGEXP field of NAPTR.
+ These restrictions make the client's resolution process much more
+ predictable and efficient than with some potential uses of NAPTR
+ records. This is dubbed "S-NAPTR" -- a "S"traightforward use of
+ NAPTR records.
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 13]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+5.1 So, why not just SRV records?
+
+ An expected question at this point is: this is so similar in
+ structure to SRV records, why are we doing this with DDDS/NAPTR?
+
+ Limitations of SRV include:
+
+ o SRV provides a single layer of indirection -- the outcome of an
+ SRV lookup is a new domain name for which the A RR is to be found.
+
+ o the purpose of SRV is focused on individual server administration,
+ not application naming: as stated in [5] "The SRV RR allows
+ administrators to use several servers for a single domain, to move
+ services from host to host with little fuss, and to designate some
+ hosts as primary servers for a service and others as backups."
+
+ o target servers by "service" (e.g., "ldap") and "protocol" (e.g.,
+ "tcp") in a given domain. The definition of these terms implies
+ specific things (e.g., that protocol should be one of UDP or TCP)
+ without being precise. Restriction to UDP and TCP is insufficient
+ for the uses described here.
+
+ The basic answer is that SRV records provide mappings from protocol
+ names to host and port. The use cases described herein require an
+ additional layer -- from some service label to servers that may in
+ fact be hosted within different administrative domains. We could
+ tweak SRV to say that the next lookup could be something other than
+ an address record, but that is more complex than is necessary for
+ most applications of SRV.
+
+5.2 So, why not just NAPTR records?
+
+ That's a trick question. NAPTR records cannot appear in the wild --
+ see [6]. They must be part of a DDDS application.
+
+ The purpose here is to define a single, common mechanism (the DDDS
+ application) to use NAPTR when all that is desired is simple DNS-
+ based location of services. This should be easy for applications to
+ use -- some simple IANA registrations and it's done.
+
+ Also, NAPTR has very powerful tools for expressing "rewrite" rules.
+ That power (==complexity) makes some protocol designers and service
+ administrators nervous. The concern is that it can translate into
+ unintelligible, noodle-like rule sets that are difficult to test and
+ administer.
+
+ This proposed DDDS application specifically uses a subset of NAPTR's
+ abilities. Only "replacement" expressions are allowed, not "regular
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 14]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ expressions".
+
+6. IANA Considerations
+
+ This document calls for 2 IANA registries: one for application
+ service tags, and one for application protocol tags.
+
+ Application service and protocol tags should be defined in an RFC
+ (unless the "x-" experimental form is used, in which case they are
+ unregistered). There are no restrictions placed on the tags other
+ than that they must conform with the syntax defined below (Appendix
+ A.5). The IANA registries should list the tags and the RFC that
+ defines their use.
+
+7. Security Considerations
+
+ The security of this approach to application service location is only
+ as good as the security of the DNS servers along the way. If any of
+ them is compromised, bogus NAPTR and SRV records could be inserted to
+ redirect clients to unintended destinations. This problem is hardly
+ unique to S-NAPTR (or NAPTR in general).
+
+ To protect against DNS-vectored attacks, applications should define
+ some form of end-to-end authentication to ensure that the correct
+ destination has been reached. Many application protocols such as
+ HTTPS, BEEP, IMAP, etc... define the necessary handshake mechansims
+ to accomplish this task.
+
+ The basic mechanism works in the following way:
+
+ 1. During some portion of the protocol handshake, the client sends
+ to the server the original name of the desired destination (i.e.
+ no transformations that may have resulted from NAPTR
+ replacements, SRV targets, or CNAME changes). In certain cases
+ where the application protocol does not have such a feature but
+ TLS may be used, it is possible to use the "server_name" TLS
+ extension.
+
+ 2. The server sends back to the client a credential with the
+ appropriate name. For X.509 certificates, the name would either
+ be in the subjectDN or subjectAltName fields. For Kerberos, the
+ name would be a service principle name.
+
+ 3. Using the matching semantics defined by the application protocol,
+ the client compares the name in the credential with the name sent
+ to the server.
+
+ 4. If the names match, there is reasonable assurance that the
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 15]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ correct end point has been reached.
+
+ It is important to note that this document does not define either the
+ handshake mechanism, the specific credenential naming fields, nor the
+ name matching semantics. Definitions of S-NAPTR for particular
+ application protocols MUST define these.
+
+8. Acknowledgements
+
+ Many thanks to Dave Blacka, Patrik Faltstrom, Sally Floyd for
+ discussion and input that has (hopefully!) provoked clarifying
+ revisions of this document.
+
+References
+
+ [1] Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource
+ Identifiers (URI): Generic Syntax", RFC 2396, August 1998.
+
+ [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [3] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
+
+ [4] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [5] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ February 2000.
+
+ [6] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
+ One: The Comprehensive DDDS", RFC 3401, October 2002.
+
+ [7] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
+ Three: The Domain Name System (DNS) Database", RFC 3403, October
+ 2002.
+
+ [8] Mealling, M., "Dynamic Delegation Discovery System (DDDS) Part
+ Four: The Uniform Resource Identifiers (URI)", RFC 3404, October
+ 2002.
+
+
+
+
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 16]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+Authors' Addresses
+
+ Leslie Daigle
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ EMail: leslie@verisignlabs.com; leslie@thinkingcat.com
+
+
+ Andrew Newton
+ VeriSign, Inc.
+ 21355 Ridgetop Circle
+ Dulles, VA 20166
+ US
+
+ EMail: anewton@verisignlabs.com
+
+Appendix A. Application Service Location Application of DDDS
+
+ This section defines the DDDS application, as described in [6].
+
+A.1 Application Unique String
+
+ The Application Unique String is domain label for which an
+ authoritative server for a particular service is sought.
+
+A.2 First Well Known Rule
+
+ The "First Well Known Rule" is identity -- that is, the output of the
+ rule is the Application Unique String, the domain label for which the
+ authoritative server for a particular service is sought.
+
+A.3 Expected Output
+
+ The expected output of this Application is the information necessary
+ to connect to authoritative server(s) (host, port, protocol) for an
+ application service within a given a given domain.
+
+A.4 Flags
+
+ This DDDS Application uses only 2 of the Flags defined for the
+ URI/URN Resolution Application ([8]): "S" and "A". No other Flags
+ are valid.
+
+ Both are for terminal lookups. This means that the Rule is the last
+ one and that the flag determines what the next stage should be. The
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 17]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ "S" flag means that the output of this Rule is a domain label for
+ which one or more SRV [5] records exist. "A" means that the output
+ of the Rule is a domain name and should be used to lookup address
+ records for that domain.
+
+ Consistent with the DDDS algorithm, if the Flag string is empty the
+ next lookup is for another NAPTR record (for the replacement target).
+
+A.5 Service Parameters
+
+ Service Parameters for this Application take the form of a string of
+ characters that follow this ABNF ([3]):
+
+ service-parms = [ [app-service] *(":" app-protocol)]
+ app-service = experimental-service / iana-registered-service
+ app-protocol = experimental-protocol / iana-registered-protocol
+ experimental-service = "x-" 1*30ALPHANUMSYM
+ experimental-protocol = "x-" 1*30ALPHANUMSYM
+ iana-registered-service = ALPHA *31ALPHANUMSYM
+ iana-registered-protocol = ALPHA *31ALPHANUM
+ ALPHA = %x41-5A / %x61-7A ; A-Z / a-z
+ DIGIT = %x30-39 ; 0-9
+ SYM = %x2B / %x2D / %x2E ; "+" / "-" / "."
+ ALPHANUMSYM = ALPHA / DIGIT / SYM
+ ; The app-service and app-protocol tags are limited to 32
+ ; characters and must start with an alphabetic character.
+ ; The service-parms are considered case-insensitive.
+
+ Thus, the Service Parameters may consist of an empty string, just an
+ app-service, or an app-service with one or more app-protocol
+ specifications separated by the ":" symbol.
+
+ Note that this is similar to, but not the same as the syntax used in
+ the URI DDDS application ([8]). The DDDS DNS database requires each
+ DDDS application to define the syntax of allowable service strings.
+ The syntax here is expanded to allow the characters that are valid in
+ any URI scheme name (see [1]). Since "+" (the separator used in the
+ RFC3404 service parameter string) is an allowed character for URI
+ scheme names, ":" is chosen as the separator here.
+
+A.5.1 Application Services
+
+ The "app-service" must be a registered service [this will be an IANA
+ registry; this is not the IANA port registry, because we want to
+ define services for which there is no single protocol, and we don't
+ want to use up port space for nothing].
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 18]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+A.5.2 Application Protocols
+
+ The protocol identifiers that are valid for the "app-protocol"
+ production are any standard, registered protocols [IANA registry
+ again -- is this the list of well known/registered ports?].
+
+A.6 Valid Rules
+
+ Only substitution Rules are permitted for this application. That is,
+ no regular expressions are allowed.
+
+A.7 Valid Databases
+
+ At present only one DDDS Database is specified for this Application.
+ [7] specifies a DDDS Database that uses the NAPTR DNS resource record
+ to contain the rewrite rules. The Keys for this database are encoded
+ as domain-names.
+
+ The First Well Known Rule produces a domain name, and this is the Key
+ that is used for the first lookup -- the NAPTR records for that
+ domain are requested.
+
+ DNS servers MAY interpret Flag values and use that information to
+ include appropriate NAPTR, SRV or A records in the Additional
+ Information portion of the DNS packet. Clients are encouraged to
+ check for additional information but are not required to do so. See
+ the Additional Information Processing section of [7] for more
+ information on NAPTR records and the Additional Information section
+ of a DNS response packet.
+
+Appendix B. Pseudo pseudocode for S-NAPTR
+
+B.1 Finding the first (best) target
+
+ Assuming the client supports 1 protocol for a particular application
+ service, the following pseudocode outlines the expected process to
+ find the first (best) target for the client, using S-NAPTR.
+
+
+ target = [initial domain]
+ naptr-done = false
+
+ while (not naptr-done)
+ {
+ NAPTR-RRset = [DNSlookup of NAPTR RRs for target]
+ [sort NAPTR-RRset by ORDER, and PREF within each ORDER]
+ rr-done = false
+ cur-rr = [first NAPTR RR]
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 19]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ while (not rr-done)
+ if ([SERVICE field of cur-rr contains desired application
+ service and application protocol])
+ rr-done = true
+ target= [REPLACEMENT target of NAPTR RR]
+ else
+ cur-rr = [next rr in list]
+
+ if (not empty [FLAG in cur-rr])
+ naptr-done = true
+ }
+
+ port = -1
+
+ if ([FLAG in cur-rr is "S"])
+ {
+ SRV-RRset = [DNSlookup of SRV RRs for target]
+ [sort SRV-RRset based on PREF]
+ target = [target of first RR of SRV-RRset]
+ port = [port in first RR of SRV-RRset]
+ }
+
+ ; now, whether it was an "S" or an "A" in the NAPTR, we
+ ; have the target for an A record lookup
+
+ host = [DNSlookup of target]
+
+ return (host, port)
+
+
+
+B.2 Finding subsequent targets
+
+ The pseudocode in Appendix B is crafted to find the first, most
+ preferred, host-port pair for a particular application service an
+ protocol. If, for any reason, that host-port pair did not work
+ (connection refused, application-level error), the client is expected
+ to try the next host-port in the S-NAPTR tree.
+
+ The pseudocode above does not permit retries -- once complete, it
+ sheds all context of where in the S-NAPTR tree it finished.
+ Therefore, client software writers could
+
+ o entwine the application-specific protocol with the DNS lookup and
+ RRset processing described in the pseudocode and continue the S-
+ NAPTR processing if the application code fails to connect to a
+ located host-port pair;
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 20]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+ o use callbacks for the S-NAPTR processing;
+
+ o use an S-NAPTR resolution routine that finds *all* valid servers
+ for the required application service and protocol from the
+ originating domain, and provides them in sorted order for the
+ application to try in order.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 21]
+
+Internet-Draft draft-daigle-napstr-04 February 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Daigle & Newton Expires August 15, 2004 [Page 22]
+
diff --git a/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt b/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt
new file mode 100644
index 0000000..4a01d91
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-danisch-dns-rr-smtp-03.txt
@@ -0,0 +1,1960 @@
+
+
+
+INTERNET-DRAFT Hadmut Danisch
+Category: Experimental Oct 2003
+Expires: Apr 1, 2004
+
+ The RMX DNS RR and method for lightweight SMTP sender authorization
+ draft-danisch-dns-rr-smtp-03.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+Abstract
+
+ This memo introduces a new authorization scheme for SMTP e-mail
+ transport. It is designed to be a simple and robust protection
+ against e-mail fraud, spam and worms. It is based solely on
+ organisational security mechanisms and does not require but still
+ allow use of cryptography. This memo also focuses on security and
+ privacy problems and requirements in context of spam defense. In
+ contrast to prior versions of the draft a new RR type is not
+ required anymore.
+
+
+
+
+
+
+
+
+
+
+
+
+Hadmut Danisch Experimental [Page 1]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ Table of Contents
+
+
+1. General Issues . . . . . . . . . . . . . . . . . . . . . . . . . 4
+2. Problem and threat description . . . . . . . . . . . . . . . . . 4
+ 2.1. Mail sender forgery . . . . . . . . . . . . . . . . . . . 4
+ 2.1.1 Definition of sender forgery . . . . . . . . . . . 4
+ 2.1.2 Spam . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1.3 E-Mail Worms . . . . . . . . . . . . . . . . . . . 5
+ 2.1.4 E-Mail spoofing and fraud . . . . . . . . . . . . . 5
+ 2.2. Indirect damage caused by forgery . . . . . . . . . . . . 6
+ 2.3. Technical problem analysis . . . . . . . . . . . . . . . . 6
+ 2.4. Shortcomings of cryptographical approaches . . . . . . . . 7
+3. A DNS based sender address verification . . . . . . . . . . . . 7
+ 3.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.2. Envelope vs. header sender address . . . . . . . . . . . . 9
+ 3.3. Domain part vs. full sender address . . . . . . . . . . . 9
+4. Mapping of E-Mail addresses to DNS names . . . . . . . . . . . . 10
+ 4.1. Domain part only . . . . . . . . . . . . . . . . . . . . . 10
+ 4.2. Full address . . . . . . . . . . . . . . . . . . . . . . . 11
+ 4.3. Empty address . . . . . . . . . . . . . . . . . . . . . . 11
+5. Mandatory entry types and their syntax . . . . . . . . . . . . . 11
+ 5.1. Overall structure . . . . . . . . . . . . . . . . . . . . 11
+ 5.2. Unused . . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 5.3. IPv4 and IPv6 address ranges . . . . . . . . . . . . . . . 12
+ 5.4. DNS Hostname . . . . . . . . . . . . . . . . . . . . . . . 13
+ 5.4.1 Road warriors and DynDNS entries . . . . . . . . . 13
+ 5.5. APL Reference . . . . . . . . . . . . . . . . . . . . . . 14
+ 5.6. Domain Member . . . . . . . . . . . . . . . . . . . . . . 14
+ 5.7. Full Address Query . . . . . . . . . . . . . . . . . . . . 15
+ 5.8. DNS mapped authorization . . . . . . . . . . . . . . . . . 15
+ 5.9. RMX reference . . . . . . . . . . . . . . . . . . . . . . 16
+6. Optional and experimental entry types . . . . . . . . . . . . . 16
+ 6.1. TLS fingerprint . . . . . . . . . . . . . . . . . . . . . 16
+ 6.2. TLS and LDAP . . . . . . . . . . . . . . . . . . . . . . . 16
+ 6.3. PGP or S/MIME signature . . . . . . . . . . . . . . . . . 16
+ 6.4. Transparent Challenge/Response . . . . . . . . . . . . . . 17
+ 6.5. SASL Challenge/Response . . . . . . . . . . . . . . . . . 17
+7. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 7.1. Alternative encoding as TXT records . . . . . . . . . . . 17
+ 7.2. RMX Records . . . . . . . . . . . . . . . . . . . . . . . 17
+ 7.2.1 Overall structure . . . . . . . . . . . . . . . . . 18
+ 7.2.2 Record encoding . . . . . . . . . . . . . . . . . . 18
+ 7.2.3 Encoding of IPv4 and IPv6 address ranges . . . . . 18
+ 7.2.4 Encoding of DNS . . . . . . . . . . . . . . . . . . 18
+ 7.2.5 Encoding of unused and full query . . . . . . . . . 19
+ 7.2.6 Additional Records . . . . . . . . . . . . . . . . 19
+8. Message Headers . . . . . . . . . . . . . . . . . . . . . . . . 19
+
+
+
+Hadmut Danisch Experimental [Page 2]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+9. SMTP error messages . . . . . . . . . . . . . . . . . . . . . . 20
+10. Message relaying and forwarding . . . . . . . . . . . . . . . . 20
+ 10.1. Problem description . . . . . . . . . . . . . . . . . . . 20
+ 10.2. Trusted relaying/forwarding . . . . . . . . . . . . . . . 21
+ 10.3. Untrusted relaying/forwarding . . . . . . . . . . . . . . 21
+11. Security Considerations . . . . . . . . . . . . . . . . . . . . 22
+ 11.1. Draft specific considerations . . . . . . . . . . . . . . 22
+ 11.1.1 Authentication strength . . . . . . . . . . . . . 22
+ 11.1.2 Where Authentication and Authorization end . . . . 22
+ 11.1.3 Vulnerability of DNS . . . . . . . . . . . . . . . 23
+ 11.1.4 Sneaking RMX attack? . . . . . . . . . . . . . . 25
+ 11.1.5 Open SMTP relays . . . . . . . . . . . . . . . . . 25
+ 11.1.6 Unforged Spam . . . . . . . . . . . . . . . . . . 25
+ 11.1.7 Reliability of Whois Entries . . . . . . . . . . . 26
+ 11.1.8 Hazards for Freedom of Speech . . . . . . . . . . 26
+ 11.2. General Considerations about spam defense . . . . . . . . 27
+ 11.2.1 Action vs. reaction . . . . . . . . . . . . . . . 27
+ 11.2.2 Content based Denial of Service attacks . . . . . 27
+12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 28
+ 12.1. Draft specific considerations . . . . . . . . . . . . . . 28
+ 12.1.1 No content leaking . . . . . . . . . . . . . . . . 28
+ 12.1.2 Message reception and sender domain . . . . . . . 28
+ 12.1.3 Network structure . . . . . . . . . . . . . . . . 29
+ 12.1.4 Owner information distribution . . . . . . . . . . 29
+ 12.2. General Considerations about spam defense . . . . . . . . 29
+ 12.2.1 Content leaking of content filters . . . . . . . . 29
+ 12.2.2 Black- and Whitelists . . . . . . . . . . . . . . 30
+13. Deployment Considerations . . . . . . . . . . . . . . . . . . . 30
+ 13.1. Compatibility . . . . . . . . . . . . . . . . . . . . . . 30
+ 13.1.1 Compatibility with old mail receivers . . . . . . 30
+ 13.1.2 Compatibility with old mail senders . . . . . . . 30
+ 13.1.3 Compatibility with old DNS clients . . . . . . . . 30
+ 13.1.4 Compatibility with old DNS servers . . . . . . . . 30
+ 13.2. Enforcement policy . . . . . . . . . . . . . . . . . . . 31
+14. General considerations about fighting spam . . . . . . . . . . 31
+ 14.1. The economical problem . . . . . . . . . . . . . . . . . 31
+ 14.2. The POP problem . . . . . . . . . . . . . . . . . . . . . 32
+ 14.3. The network structure problem . . . . . . . . . . . . . . 33
+ 14.4. The mentality problem . . . . . . . . . . . . . . . . . . 33
+ 14.5. The identity problem . . . . . . . . . . . . . . . . . . 33
+ 14.6. The multi-legislation problem . . . . . . . . . . . . . . 34
+Implementation and further Information . . . . . . . . . . . . . . . 34
+References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
+Draft History . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
+Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . . 35
+
+
+
+
+
+
+Hadmut Danisch Experimental [Page 3]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+1. General Issues
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
+ this document are to be interpreted as described in RFC 2119 [1].
+
+2. Problem and threat description
+
+2.1. Mail sender forgery
+
+ The amount of e-mails with forged sender addresses has dramatically
+ increased. As a consequence, damages and annoyances caused by such
+ e-mails increased as well. In the majority of examined e-mails the
+ domain name of the envelope sender address was forged, and the e-
+ mail was sent from an IP address which does not belong to a network
+ used by the actual owner of the domain.
+
+2.1.1. Definition of sender forgery
+
+ As discussions, comments to prior versions of this draft, and
+ different approaches to stop forgery showed, different perceptions
+ of "mail forgery" exist. For example, there are mechanisms to
+ verify e-mail addresses for mailing lists, web servers, or to stop
+ spam, which do send a message with a random number to the given
+ address and expect the user to send a reply. Here, someone is
+ considered to be allowed to use a particular e-mail address, if and
+ only if he is able to receive informations sent to this address,
+ and is able to reply to such a message. While this definition
+ appears to be quite plausible and natural, it can't be used for a
+ simple technical solution. Sending back a challenge and expecting a
+ reply is simply too much overhead and time delay, and not every
+ authorized sender is able or willing to reply (e.g. because he went
+ offline or is not a human).
+
+ Within the scope of this memo, sender forgery means that the
+ initiator of an e-mail transfer (which is the original sender in
+ contrast to relays) uses a sender address which he was not
+ authorized to use. Being authorized to use an address means that
+ the owner (administrator) of the internet domain has given
+ permission, i.e. agrees with the use of the address by that
+ particular sender. This memo will cover both the permission of the
+ full e-mail address and the domain part only for simplicity.
+
+ Within context of Internet and SMTP, the sender address usually
+ occurs twice, once as the envelope sender address in SMTP, and once
+ as the address given in the RFC822 mail header. While the following
+ considerations apply to both addresses in principle, it is
+ important to stress that both addresses have distinct semantics and
+
+
+
+Hadmut Danisch Experimental [Page 4]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ are not neccessarily the same. The envelope address identifies the
+ initiator of the transport, while the header identifies the author
+ of the message content. Since this memo deals with the message
+ transport only and completely ignores the message content, the
+ method should naturally be applied to the envelope sender address.
+
+2.1.2. Spam
+
+ A common and well known problem is the dramatic increase of
+ unsolicited e-mail, commonly called "spam". Again, the majority of
+ examined e-mails had forged sender addresses. The abused domains
+ were mainly those of common webmailers as hotmail or yahoo, or
+ well-known companies.
+
+ Unfortunately, there is no accurate definition of spam availabe
+ yet, and neither are the concise technical criterions to filter or
+ block spam with technical mechanisms. There are efforts to design
+ content based filters, but these filters are expensive in
+ calculation time (and sometimes money), and they do not reliably
+ provide predictable results. Usually they give false positives
+ and/or require user interaction. Content filters in general suffer
+ from a design problem described later in this memo. Therefore,
+ this proposal does not use the content based approach to block
+ spam.
+
+ As analysis of spam messages showed, most of spam messages were
+ sent with forged envelope sender addresses. This has mainly three
+ reasons. The first reason is, that spam senders usually do not
+ want to be contacted by e-mail. The second reason is, that they do
+ not want to be blacklisted easily. The third reason is, that spam
+ is or is going to be unlawful in many countries, and the sender
+ does not want to reveal his identity. Therefore, spam is considered
+ to be a special case of sender forgery.
+
+2.1.3. E-Mail Worms
+
+ Another example of sender forgery is the reproduction of e-mail
+ worms. Most worms do choose random sender addresses, e.g. using
+ the addresses found in mailboxes on the infected system. In most
+ cases analyzed by the author, the e-mails sent by the reproduction
+ process can also be categorized as forged, since the infected
+ system would under normal circumstances not be authorized to send
+ e-mails with such e-mail addresses. So forgery does not require a
+ malicious human to be directly involved. This memo covers any kind
+ of e-mail sender address forgery, included those generated by
+ malicious software.
+
+2.1.4. E-Mail spoofing and fraud
+
+
+
+Hadmut Danisch Experimental [Page 5]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ Forging e-mail sender addresses for fraud or other kinds of
+ deception ("human engineering") has also dramatically increased.
+ There are many known cases where single or mass e-mails were sent
+ with wrong sender addresses, pretending to come from service
+ provider, software manufacturers etc., and asking the receiver to
+ install any software or patches, or to reply with any confidential
+ information. The Internet is becoming more and more a scene of
+ crime, and so are it's services, including e-mail. It is obvious
+ that crime based on e-mail is eased by the fact that SMTP allows
+ arbitrary sender address spoofing.
+
+2.2. Indirect damage caused by forgery
+
+ As observed by the author, mass mails and worms with forged sender
+ addresses can cause a severe damage for the real owner of the
+ abused sender addresses. If a sender A is sending an e-mail to the
+ receiver B, pretending to be C by using a sender address of C's
+ domain, then C has currently no chance to prevent this, since C's
+ machines and software are not involved in any way in the delivery
+ process between A and B. B will nevertheless send any error
+ messages (virus/spam alert, "no such user", etc.) to C, erroneously
+ assuming that the message was sent by C. The author found several
+ cases where this flood of error messages caused a severe denial of
+ service or a dramatic increase of costs, e.g. when C was
+ downloading the e-mail through expensive or low bandwidth
+ connections (e.g. modem or mobile phones), or where disk space was
+ limited. The author examined mass mailings, where several tens or
+ hundreds of thousands of messages were sent to several addresses
+ around the world, where these messages caused only annoyance. But
+ since several thousands of these addresses were invalid or didn't
+ accept the message, the owner of the DNS domain which was abused by
+ the spammer to forge sender addresses was flooded for several
+ months with thousands of error messages, jamming the e-mail system
+ and causing severe costs and damages.
+
+ As a consequence, when A sends a message to B, pretending to be C,
+ there must be any mechanism to allow C to inform B about the fact,
+ that A is not authorized to use C as a sender address. This is what
+ this memo is about.
+
+2.3. Technical problem analysis
+
+ Why does e-mail forgery actually exist? Because of the lack of the
+ Simple Mail Transfer Protocol SMTP[2] to provide any kind of sender
+ authentication, authorisation, or verification. This protocol was
+ designed at a time where security was not an issue. Efforts have
+ been made to block forged e-mails by requiring the sender address
+ domain part to be resolvable. This method provides protection from
+
+
+
+Hadmut Danisch Experimental [Page 6]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ e-mails with non-existing sender domains, and indeed, for some time
+ it blocked most spam e-mails. However, since attackers and spam
+ senders began to abuse existing domain names, this method was
+ rendered ineffective.
+
+2.4. Shortcomings of cryptographical approaches
+
+ At a first glance, the problem of sender address forgery might
+ appear to be solvable with cryptographic methods such as challenge
+ response authentications or digital signatures. A deeper analysis
+ shows that only a small, closed user group could be covered with
+ cryptographical methods. Any method used to stop spam forgery must
+ be suitable to detect forgery not only for a small number of
+ particular addresses, but for all addresses on the world. An
+ attacker does not need to know the secrets belonging to a
+ particular address. It is sufficient to be able to forge any
+ address and thus to know any secret key. Since there are several
+ hundreds of millions of users, there will always be a large amount
+ of compromised keys, thus spoiling any common cryptographic method.
+ Furthermore, cryptography has proven to be far too complicated and
+ error prone to be commonly administered and reliably implemented.
+ Many e-mail and DNS administrators do not have the knowledge
+ required to deal with cryptographic mechanisms. Many legislations
+ do not allow the general deployment of cryptography and a directory
+ service with public keys. For these reasons, cryptography is
+ applicable only to a small and closed group of users, but not to
+ all participants of the e-mail service.
+
+3. A DNS based sender address verification
+
+3.1. Overview
+
+ To gain improvement in e-mail authenticity while keeping as much
+ SMTP compatibility as possible, a method is suggested which doesn't
+ change SMTP at all.
+
+ The idea is to store informations about how to verify who is
+ authorized to transmit e-mails through SMTP with a particular
+ sender address (either full address or - for simplicity - only the
+ domain part of the address) in a directory service, which is
+ currently the DNS. To be precise, the verification consists of two
+ steps, the classical pair of authentication and authorization:
+
+ The first step is the authentication. While several methods are
+ possible to perform authentication (see below), the most important
+ and robust method is the verification of the sender's IP address.
+ This is done implicitely by TCP/IP and the TCP sequence number. The
+ authenticated identity is the IP address. It has to be stressed
+
+
+
+Hadmut Danisch Experimental [Page 7]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ that this TCP/IP "authentication" is a weak authentication and
+ vulnerable to several attacks. It is nevertheless sufficient for
+ this purpose, especially for blocking spam. It doesn't take any
+ implementation and it doesn't cost: It is already there, it is a
+ functionality of TCP/IP. An incoming SMTP connection based on
+ TCP/IP already carries the sender's IP address without any
+ modification of SMTP. See below (section Entry types) for more
+ details about authentication methods.
+
+ The second step is the authorization. It is based on the identity
+ given by the previous authentication step, e.g. the IP address of
+ the originator of the incoming SMTP connection, and on the
+ envelope sender address. The mechanism proposed in this memo
+ answers the question "Is that particular sender (IP address,...)
+ allowed to send with that sender address" by querying and
+ processing informations stored in a directory service, which is
+ DNS.
+
+ When the sender has issued the "MAIL FROM:" SMTP command, the
+ receiving mail transfer agent (MTA) can - and modern MTAs do -
+ perform some authorization checks, e.g. run a local rule database
+ or check whether the sender domain is resolvable.
+
+ The suggested method is to let the DNS server for the sender domain
+ provide informations about who - this means for example which IP
+ address - is authorized to use an address or a domain as a part of
+ it. After receiving the "MAIL FROM:" SMTP command, the receiving
+ MTA can verify, whether e. g. the IP address of the sending MTA is
+ authorized to send mails with this domain name. Therefore, a list
+ of entries with authorized IP addresses or other informations is
+ provided by the authoritative DNS server of that domain. The entry
+ types are described in the subsequent chapters. Some of these
+ methods are
+
+ - An IPv4 or IPv6 network address and mask
+ - A fully qualified domain name referring to an A record
+ - A fully qualified domain name referring to an APL record
+
+ RMX records of these types would look like this:
+
+ somedomain.de. IN RMX ipv4:10.0.0.0/8
+ rmxtest.de. IN RMX host:relay.provider.com
+ danisch.de. IN RMX apl:relays.rackland.de
+ relays.rackland.de. IN APL 1:213.133.101.23/32 1:1.2.3.0/24
+
+ where the machine with the example address 213.133.101.23 and the
+ machines in the example subnet 1.2.3.0/24 are the only machines
+ allowed to send e-mails with an envelope sender address of domain
+
+
+
+Hadmut Danisch Experimental [Page 8]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ danisch.de. Since the APL records do not necessarily belong to the
+ same domain or zone table as the RMX records, this easily allows to
+ refer to APL records defined by someone else, e.g. the internet
+ access or server hosting provider, thus reducing administrative
+ overhead to a minimum. In the example given above, the domain
+ danisch.de and several other domains are hosted by the service
+ provider Rackland. So if the relay structure of Rackland is
+ modified, only the zone of rackland.de needs to be modified. The
+ domain owners don't need to care about such details.
+
+3.2. Envelope vs. header sender address
+
+ Questions were raised why the proposed mechanism is based on the
+ envelope sender address, and not on the sender address given in the
+ message header. Technically, both can be used. Actually, it makes
+ sense to use the envelope address.
+
+ In common, the header sender address identifies the author of the
+ content, while the envelope sender tells who caused the
+ transmission. The approach proposed in this memo is transmission
+ based, not content based. We can not authorize the author of a
+ message if we don't have contact with him, if the message does not
+ already contain a signature. In contrast, the sending MTA is linked
+ to an IP address which can be used for authentication. This
+ mechanism might not be very strong, but it is available and
+ sufficient to solve today's e-mail security problems.
+
+ Some people argued that it is the header address and not the sender
+ address, which is displayed in common mail readers (MUAs), and
+ where the receiver believes the mail comes from. That's true, but
+ it doesn't help. There are many cases where the header sender
+ differs from the envelope sender for good reasons (see below in the
+ consequences chapter for the discussion about relaying). Relaying,
+ mailing lists etc. require to replace the sender address used for
+ RMX. If this were the header address, the message header would have
+ to be modified. This is undesirable.
+
+3.3. Domain part vs. full sender address
+
+ Former versions of this draft were limited to the domain part of
+ the sender address. The first reason is that it is common and MX-
+ like, to lookup only the domain part of an e-mail address in DNS.
+ The second reason is, that it was left to the private business of
+ the domain administration to handle details of user verification.
+ The idea was that the domain administration takes care to verify
+ the left part of an e-mail address with an arbitrary method of
+ their individual taste. RMX was originally designed to ignore the
+ left part of the address and to expect the domain administration to
+
+
+
+Hadmut Danisch Experimental [Page 9]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ take over responsibility for enforcing their policy. If, e.g., a
+ spam message arrived and passed the RMX mechanism, it is known to
+ be authorized by the domain administration and they can be blamed,
+ no matter what is on the left side of the sender address - it's
+ their private problem what happens on the left side of the @. By
+ far the most of the comments to prior versions of this draft agreed
+ with that. A few comments asked for a finer granularity.
+
+ And indeed, there is no technical reason against a finer
+ granularity. All it takes is a mapping from a given envelope
+ sender address to a DNS name, and the RMX lookup for that
+ particular e-mail address could be done instead of a lookup for the
+ domain part only. However, to my knowledge, most domain
+ administrators would not like to provide an RMX entry for every
+ single e-mail address. In many cases, this would also overload DNS
+ servers.
+
+ It is to be discussed how to cover both views. One method could be
+ to query the full address, and if no RMX records were found to
+ query the domain part only. A different approach would be to query
+ the domain part only, and if it's RMX record contain a special
+ entry, then a new query for the full address is triggered. A third
+ way would be to always query the full address and to leave the
+ problem to the wildcard mechanism of DNS. This still has to be
+ discussed and will be described in future versions of this draft.
+
+
+
+
+
+
+
+
+
+
+
+4. Mapping of E-Mail addresses to DNS names
+
+ To perform the RMX query, a mapping is needed from E-Mail addresses
+ to DNS fully qualified domain names.
+
+ This chapter is under development and just a first approach.
+
+4.1. Domain part only
+
+ Mapping of the domain part is trivial, since the domain part of an
+ e-mail address itself is a valid DNS name and does not need
+ translation. It might be nevertheless desirable to distinguish the
+
+
+
+Hadmut Danisch Experimental [Page 10]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ RMX entries from other entries, depending of the encoding of the
+ records. If the RMX entries are encoded in TXT record types, they
+ might collide with other uses of TXT records. It might be
+ necessary to prepend the domain part with a special prefix, e.g.
+ _rmx. So the e-mail address some.user@example.com could be mapped
+ to example.com or _rmx.example.com.
+
+4.2. Full address
+
+ Mapping a full address is slightly more difficult. The @ sign must
+ be unambiguously translated, and therefore can not be simply
+ translated into a dot. The e-mail addresses some.user@example.com
+ and some@user.example.com must have different mappings. Therefore,
+ the @ sign could be translated into _rmx, implicitely assuming that
+ this is not an allowed domain name component of normal domain
+ names. Then the rightmost _rmx in the mapped DNS name always
+ corresponds to the @ sign. some.user@example.com would e translated
+ into some.user._rmx.example.com and can be covered by a wildcard
+ entry like *._rmx.example.com.
+
+ Character encoding and character sets are still to be discussed.
+
+4.3. Empty address
+
+ Unfortunately, SMTP allows empty envelope sender addresses to be
+ used for error messages. Empty sender addresses can therefore not
+ be prohibited. As observed, a significant amount of spam was sent
+ with such an empty sender address. To solve this problem, the host
+ name given in the HELO or EHLO command is taken to lookup the RMX
+ records instead. This makes sense, since such messages were
+ generated by the machine, not a human.
+
+
+
+
+5. Mandatory entry types and their syntax
+
+ The entry types described in this section MUST be supported by any
+ implementation of this draft.
+
+5.1. Overall structure
+
+ Similar to APL, an RMX record is just a concatenation of zero or
+ more RMX entries. The entries within one record form an ordered
+ rule base as commonly usual in packet filtes and firewall rulesets,
+ i. e. they are processed one ofter another until the first entry
+ matches. This entry determines the result of the query. Once a
+ matching entry is found, the RMX processing is finished.
+
+
+
+Hadmut Danisch Experimental [Page 11]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ For any domain name there should not exist more than a single RMX
+ record. Due to the structure of DNS, it is nevertheless possible to
+ have more than a single RMX record. Multiple RMX records are
+ treated as a single record consisting of the concatenation of all
+ records. While the entries in a record are ordered, the records are
+ not ordered and may be processed in arbitrary order. If the order
+ of the entries matters, it is the zone maintainer's responsibility
+ to keep those entries in a single record. For example, there are
+ negative entries, which exclude IP addresses from authorization.
+ It is important that these entries are processed before positive
+ entries giving permission to a wider address range. Since order is
+ guaranteed only within a record, corresponding negative and
+ positive entries must be put in the same record.
+
+ An RMX record may consist of one or more entries, where the entries
+ are separated by whitespace. An entry must not contain white space.
+ Each entry consists of an optional exclamation sign, a tag, a
+ colon, and the entry data:
+
+ [!] TAG : ENTRY-SPECIFIC-DATA
+
+ If the entry starts with an exclamation sign, the entry is negated.
+ See the entry type description below for details.
+
+ The TAG is the mnemonic type identifier or the decimal number of
+ the entry. The TAG is case-insensitive. It is immediately followed
+ by a colon.
+
+ The syntax and semantics of ENTRY-SPECIFIC-DATA depends of the the
+ entry type. See description below.
+
+ Example:
+
+ danisch.de. IN RMX apl:relays.rackland.de !ipv4:1.2.3.5
+ ipv4:1.2.3.0/24
+
+5.2. Unused
+
+ This is a primitive entry which just says that this sender address
+ will never be used as a sender address under any circumstances.
+ Example:
+
+ testdomain.danisch.de IN RMX unused:
+
+5.3. IPv4 and IPv6 address ranges
+
+ These entry types contain a bit sequence representing a CIDR
+ address part. If that bit sequence matches the given IP address,
+
+
+
+Hadmut Danisch Experimental [Page 12]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ authorization is granted or denied, depending on the negation flag.
+
+ The entry is prepended with the tag "IPv4" or "IPv6". The colon is
+ followed with an IPv4 or IPv6 address in standard notation,
+ optionally followed by a slash and a mask length. If the negation
+ flag is set, then the given address range is excluded. Examples:
+
+ danisch.de IN RMX ipv4:213.133.101.23 ipv6:fe00::0
+ IN RMX ipv4:10.0.0.0/8 ipv6:fec0::0/16
+ IN RMX !ipv4:1.2.3.4
+
+ (Please note that it does not make much sense to use
+ RFC1918-Addresses in RMX records, this is just to give a syntax
+ example.)
+
+
+5.4. DNS Hostname
+
+ This entry type simply contains a regular DNS name, which is to be
+ resolved as a host name (fetch the A record or IPv6 equivalent). If
+ the given IP address matches the result, authorization is granted
+ or denied, depending on the negation flag. It is still to be
+ defined how to treat unresolvable entries.
+
+ The entry is prepended with the tag "host", followed by a colon and
+ the hostname. Examples:
+
+ danisch.de IN RMX host:relay.provider.de
+ IN RMX !host:badmachine.domain.de apl:relays.domain.de
+
+5.4.1. Road warriors and DynDNS entries
+
+ Several people argued against RMX that it would break their
+ existing installation which delivers e-mail from dynamically
+ assigned IP addresses, because their IP providers didn't assign a
+ static address, or because they are a road warrior, plugging their
+ notebook in any hotel room on the world.
+
+ RMX provides a simple solution. If such a machine has a dynamically
+ updated DNS entry (e.g. DynDNS), all it takes is an RMX entry of
+ the hostname type pointing to this dynamic DNS entry.
+
+ The cleaner solution would be to deliver mail the same way as it is
+ received: If downloaded by POP from a central relay with a static
+ address, where the MX points to, then it would be a good idea to
+ deliver e-mail the same way in reverse direction. Unfortunately,
+ plain POP does not support uploading yet.
+
+
+
+
+Hadmut Danisch Experimental [Page 13]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+5.5. APL Reference
+
+ This entry type simply contains a regular DNS name, which is to be
+ resolved as an APL record index (fetch the APL record). If the
+ given IP address positively matches the APL, authorization is
+ granted. Details of the semantic (espially when the negation bit is
+ set) are still to be defined. It is still to be defined how to
+ treat unresolvable entries.
+
+ The entry is prepended with the tag "host", followed by a colon and
+ the hostname. Example:
+
+ danisch.de IN RMX apl:relays.rackland.de
+
+5.6. Domain Member
+
+ In many cases it is desirable to cover all hosts of a given domain
+ with an RMX record without the need to duplicate the list of these
+ hosts. This entry type does it (thanks to Eric A. Hall for pointing
+ out this entry type). It contains a regular DNS name.
+
+ If this entry type is given, a reverse DNS query for the IP address
+ of the sending MTA is performed to find its official fully
+ qualified domain name. To prevent spoofing, this domain name is
+ accepted only if a subsequent address query to the given domain
+ name points to exactly the IP address of the sending MTA (the usual
+ procedure to verify PTR records).
+
+ The entry matches if the fully qualified domain name of the sending
+ MTA ends in the given domain. The negation flag works as usual.
+
+ The tag for this entry type is "domain". After the colon the domain
+ name is given, but might be empty, thus pointing to itself.
+ Example:
+
+ somedomain.org IN RMX domain:somedomain.org domain:provider.com
+
+ would authorize all machines which's hostname can be verified
+ through an PTR and A query, and which ends in "somedomain.org" or
+ "provider.com".
+
+ With such an entry, large companies with different networks can
+ easily be covered with just a single and simple RMX entry.
+ Obviously, it requires proper PTR records.
+
+ As a special shortcut, the DNS name may be empty. In this case the
+ domain name of the zone itself is taken. Thus, with a very simple
+ entry of the type
+
+
+
+Hadmut Danisch Experimental [Page 14]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ somecompany.com IN RMX domain:
+
+ a company could authorize all machines which's IP addresses map to
+ DNS names end in somecompany.com, which applies in the majority of
+ companies.
+
+
+
+
+5.7. Full Address Query
+
+ As described above, RMX records will in most cases apply to the
+ domain part of the sender address. In special cases it might be
+ desirable to query the RMX record for a particular address. An RMX
+ entry of the Full Address Query type may occur in a domain RMX
+ record only. It signals that the RMX record for the full address is
+ to be fetched and processed.
+
+ This entry type does not take arguments. The negation flag is not
+ supported. The tag is "full".
+
+ If such a full address query is to be performed, the mail address
+ must be mapped to a valid and non-ambiguos DNS name. This mapping
+ is still to be defined. It is not sufficient to simply replace the
+ @ with a dot, because of case sensitivity, character sets, etc. The
+ e-mail addresses
+
+ john.doe@example.org
+ John.Doe@example.org
+ john@doe.example.org
+
+ must all be mapped to different DNS entries. This entry type might
+ vanish in future versions of the draft, depending on the discussion
+ about whether to query the domain name part only or the full
+ address.
+
+5.8. DNS mapped authorization
+
+ As I learned from comments to prior versions of the draft and from
+ alternative proposals, many users wish to have a DNS mapped
+ authorization table, i. e. the client queries a DNS entry of the
+ form a.b.c.d.domain, where a.b.c.d is the sender's IP address.
+ Since people wish to have this, RMX will now include such a mapping
+ entry. The entry has a parameter giving the DNS domain name where
+ to look at. If the parameter is empty, then the same domain is
+ taken as for the RMX lookup.
+
+ As this is currently under construction and discussion in an IETF
+
+
+
+Hadmut Danisch Experimental [Page 15]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ group, details will be published in future versions of this draft.
+
+5.9. RMX reference
+
+ This entry type has no parameters. It means that all those machines
+ are authorized, which are pointed to by an MX record.
+
+6. Optional and experimental entry types
+
+ The following subsections roughly describe further entry types
+ which might not be supported by all implementations and might not
+ be allowed in all legislations. These methods might vanish in
+ future versions of the draft and are just considerations about what
+ to include in RMX and what to not include. The main purpose of this
+ section is to start discussion about such entry types.
+
+ The disadvantage of the following methods is that they violate the
+ basic idea of RMX, i. e. to be simple, robust, easy to implement
+ and easy to administer. I personally do not believe that it is a
+ good idea or even feasible to implement cryptography for a world
+ wide e-mail transfer network. Keep in mind that cryptographic keys
+ can be copied. If only <0.1% of cryptographic keys were revealed,
+ this completely compromises and spoils RMX. Cryptography is simply
+ the wrong tool for the problem RMX is intended to solve. I
+ nevertheless like to discuss these methods.
+
+6.1. TLS fingerprint
+
+ The sender is considered to be authorized if the message was
+ transmitted through SMTP and TLS, and the sender used a certificate
+ matching the fingerprint given in the RMX record.
+
+6.2. TLS and LDAP
+
+ This means that the receiver should perform an LDAP query for the
+ sender address (through the LDAP SRV record or given in the RMX
+ record), fetch the X.509 certificate for the sender. The sender is
+ considered to be authorized when the message was transmitted
+ through SMTP and TLS using this certificate.
+
+6.3. PGP or S/MIME signature
+
+ It would be possible to accept a message only if it was signed with
+ PGP or S/MIME with a key which's fingerprint is given in the RMX
+ record or to be fetched from LDAP or any PGP database. This is
+ just for discussion, since it violates the idea of RMX to focus on
+ the transport, not on the content. It would also allow replay
+ attacks and not cover the envelope sender address or message
+
+
+
+Hadmut Danisch Experimental [Page 16]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ header.
+
+6.4. Transparent Challenge/Response
+
+ It would also be possible to implement a challenge-response
+ mechanism without modifying the syntax of SMTP. For example, the
+ receiving MTA could issue a challenge with it's very first greeting
+ message, the sending MTA could hide the response in the HELO
+ parameter and when the receiving MTA later learns the sender
+ envelope address, it could verify the response based on
+ informations in the RMX record.
+
+6.5. SASL Challenge/Response
+
+ Modern SMTP implementations already include a SASL mechanisms,
+ which easily allows to plugin new authentication mechanisms. While
+ common SASL mechanisms require to use a previously shared password,
+ a new mechanism could perform a challenge response authentication
+ as a SASL method.
+
+
+
+
+
+
+7. Encoding
+
+7.1. Alternative encoding as TXT records
+
+ The main objection against the prior versions of this draft was
+ that it requires a new RR entry type and upgrading all DNS servers.
+
+ Therefore and alternative encoding is proposed. Instead of using a
+ new RR type, the TXT record type is used to contain the RMX record.
+ The records would simply look as described in the entry type
+ chapters above, e.g.
+
+ _rmx.danisch.de. IN TXT "apl:relays.rackland.de"
+
+ To allow smooth introduction of RMX without the need to immediately
+ upgrade all DNS servers, all clients (which have to be newly
+ installed anyway) MUST support both the TXT and the RMX records. A
+ client has to perform an ANY or a TXT and a RMX query. Servers/zone
+ tables may currently use TXT entries but SHOULD use RMX entries in
+ future.
+
+7.2. RMX Records
+
+
+
+
+Hadmut Danisch Experimental [Page 17]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+7.2.1. Overall structure
+
+ Each entry starts with an octet containting the entry type and the
+ negation flag:
+
+ +---+---+---+---+---+---+---+---+------
+ | N | Entry Type Code | Parameters...
+ +---+---+---+---+---+---+---+---+------
+
+ N If this bit (MSB) is set, an IP address
+ matching this entry is not authorized,
+ but explicitely rejected. See entry
+ type descriptions for details.
+
+ Entry Type A 7bit number simply determining the entry
+ type.
+
+
+ Currently, entries do not have an explicit length field, the entry
+ length is determined implicitely by the entry type. Applications
+ are required to abort if an unknown entry type is found, instead of
+ skipping unknown entries.
+
+7.2.2. Record encoding
+
+ A RMX record is simply a concatenation of RMX entries.
+
+7.2.3. Encoding of IPv4 and IPv6 address ranges
+
+ After the entry type tag as described above, one octet follows
+ giving the length L of the bit sequence. Then a sequence of exactly
+ as many octets follows as needed to carry L bits of information (=
+ trunc((L+7)/8) ).
+
+ +---+---+---+---+---+---+---+---+
+ | N | Entry Type Code (1 or 2) |
+ +---+---+---+---+---+---+---+---+
+ | Length Field L |
+ +---+---+---+---+---+---+---+---+
+ | Bit Field |
+ / ((L+7)/8) Octets /
+ +---+---+---+---+---+---+---+---+
+
+
+7.2.4. Encoding of DNS
+
+ After the entry type tag immediately follows a DNS encoded and
+ compressed [3] domain name.
+
+
+
+Hadmut Danisch Experimental [Page 18]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ +---+---+---+---+---+---+---+---+
+ | N | Entry Type Code (3..5) |
+ +---+---+---+---+---+---+---+---+
+ | Length Field L |
+ +---+---+---+---+---+---+---+---+
+ | Encoded DNS |
+ / Name as described in RFC1035 /
+ +---+---+---+---+---+---+---+---+
+
+ In contrast to earlier versions of this draft, the DNS name cannot
+ be compressed, since this would cause decompression errors when a
+ DNS server is part of the query chain which does not know this
+ particular RR type.
+
+7.2.5. Encoding of unused and full query
+
+ These entries do not contain parameters and does not allow the
+ negation flag. So the encoding is quite simple:
+
+ +---+---+---+---+---+---+---+---+
+ | 0 | Entry Type Code (6 or 7)|
+ +---+---+---+---+---+---+---+---+
+
+
+
+7.2.6. Additional Records
+
+ In order to avoid the need of a second query to resolve the given
+ host name, a DNS server should enclose the A record for that domain
+ name in the additional section of the additional section of the DNS
+ reply, if the server happens to be authoritative.
+
+ In order to avoid the need of a second query to resolve the given
+ host name, a DNS server should enclose the APL record for that
+ domain name in the additional section of the additional section of
+ the DNS reply, if the server happens to be authoritative.
+
+
+
+8. Message Headers
+
+ An RMX query must be followed by any kind of action depending on
+ the RMX result. One action might be to reject the message. Another
+ action might be to add a header line to the message body, thus
+ allowing MUAs and delivery programs to filter or sort messages.
+
+ In future, the RMX result might be melted into the Received: header
+ line.
+
+
+
+Hadmut Danisch Experimental [Page 19]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ The details of such entries are to be discussed. As a proposal the
+ following form is suggested:
+
+ X-RMX: RESULT addr ADDRESS by HOST on DATE mechanism MECHANISM
+
+ where
+
+ RESULT is one of "Granted", "Denied", "NotInRMX", "NoRMX",
+ "TempFail", "BadData", "Trusted".
+
+ ADDRESS is the IP address of the sending machine
+
+ HOST is the name of the machine performing the RMX query.
+
+ DATE is the date of the query.
+
+ MECHANISM is the RMX method used to authorize the sender.
+
+
+
+9. SMTP error messages
+
+ If a message is rejected because of RMX records, an error message
+ should be issued which explains the details. It is to be discussed
+ whether new SMTP error codes are to be defined.
+
+
+10. Message relaying and forwarding
+
+10.1. Problem description
+
+ Message forwarding and relaying means that an MTA which received an
+ e-mail by SMTP does not deliver it locally, but resends the message
+ - usually unchanged except for an additional Received header line
+ and maybe the recipient's address rewritten - to the next SMTP MTA.
+ Message forwarding is an essential functionality of e-mail
+ transport services, for example:
+
+ - Message transport from outer MX relay to the intranet
+ - Message forwarding and Cc-ing by .forward or .procmail-alike
+ mechanisms
+ - Mailing list processing
+ - Message reception by mail relays with low MX priority,
+ usually provided by third parties as a stand-by service
+ in case of relay failure or maintenance
+ - "Forwarding" and "Bouncing" as a MUA functionality
+
+ In all these cases a message is sent by SMTP from a host which is
+
+
+
+Hadmut Danisch Experimental [Page 20]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ not covered by the original sender domain's RMX records. While the
+ RMX records would forbid accepting this message, it still must be
+ accepted. The following subsections explain how to cope with
+ relaying.
+
+10.2. Trusted relaying/forwarding
+
+ In some cases the receiving MTA trusts the sending MTA to not fake
+ messages and to already have checked the RMX records at message
+ reception. As a typical example, a company might have an outer mail
+ relay which receives messages from the Internet and checks the RMX
+ records. This relay then forwards the messages to the different
+ department's mail servers. It does not make sense for these
+ department mail servers to check the RMX record, since the RMX
+ records have already been checked and - since the message was
+ relayed by the outer relay - always would deny the message. In this
+ case there is a trust relationship between the department relays
+ and the outer relay. So RMX checking is turned off for trusted
+ relays. In this example, the department relays would not check
+ messages from the outer relay (but for intranet security, they
+ could still check RMX records of the other departments sub-domains
+ to avoid internal forgery between departments).
+
+ Another common example are the low-priority MX relays, which
+ receive and cache e-mails when the high-priority relays are down.
+ In this case, the high-priority relay would trust the low-priority
+ relay to have verified the sender authorization and would not
+ perform another RMX verification (which would obviously fail).
+
+ When a relay forwards a message to a trusting machine, the envelope
+ sender address should remain unchanged.
+
+10.3. Untrusted relaying/forwarding
+
+ If the receiving MTA does not trust the forwarding MTA, then there
+ is no chance to leave the sender envelope address unchanged. At a
+ first glance this might appear impracticable, but this is
+ absolutely necessary. If an untrusted MTA could claim to have
+ forwarded a message from a foreign sender address, it could have
+ forged the message as well. Spammers and forgers would just have to
+ act as such a relay.
+
+ Therefore, it is required that, when performing untrusted
+ forwarding, the envelope sender address has to be replaced by the
+ sender address of someone responsible for the relaying mechanism,
+ e.g. the owner of the mailing list or the mail address of the user
+ who's .forward caused the transmission. It is important to stress
+ that untrusted relaying/forwarding means taking over responsibility
+
+
+
+Hadmut Danisch Experimental [Page 21]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ for the message. It is the idea of RMX records to tie
+ responsibility to message transmission. Untrusted relaying without
+ replacing the sender address would mean to transmit without taking
+ responsibility.
+
+ The disadvantage is that the original sender address is lost.
+ Therefore, whenever a sender address replacement happens, the
+ Received-Line must contain the old address. Many of today's MTAs
+ already insert the envelope recipient address, but not the sender
+ address into the Received header line. It seems reasonable to
+ require every Received line to include both the sender and
+ recipient address of the incoming SMTP connection.
+
+
+11. Security Considerations
+
+11.1. Draft specific considerations
+
+11.1.1. Authentication strength
+
+ It is important to stress, that the suggested method does not
+ provide high level security and does not completely prevent forged
+ e-mails or spam under any circumstances. It is a robust, but not
+ highly reliable and completely secure security mechanism. Keep in
+ mind that it is based on DNS, and DNS is not secure today.
+ Authorization is based on the IP address. The very same machine
+ with the very same IP address could be authorized to send e-mail
+ with a given sender address and sending spam at the same time.
+ Maybe because several users are logged in. Or because several
+ customers use the same relay of the same ISP, where one customer
+ could use the sender address of a different customer. It is up to
+ the ISP to prevent this or not. Machines can still be hijacked.
+ Spammers are also domain owners. They can simply use their own
+ domain and authorize themselves. You will always find people on the
+ world who do not care about security and open their relays and RMX
+ records for others to abuse them. RMX is to be considered as a
+ very cheap and simple light weight mechanism, which can
+ nevertheless provide a significant improvement in mail security
+ against a certain class of attacks, until a successor of SMTP has
+ been defined and commonly accepted.
+
+11.1.2. Where Authentication and Authorization end
+
+ Previous versions of RMX records did not cover the local part of
+ the e-mail address, i.e. what's on the left side of the @ sign.
+ This is still to be discussed. Authentication and authorization are
+ limited to the sending MTA's IP address. The authentication is
+ limited to the TCP functionality, which is sufficient for light
+
+
+
+Hadmut Danisch Experimental [Page 22]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ weight authentication. The RMX records authorize the IP address of
+ the sending host only, not the particular sender of the message. So
+ if a machine is authorized to use sender addresses of more than a
+ single domain, the authentication scheme does not prevent that any
+ user on this machine can send with any of these domains. RMX is not
+ a substitute for the host security of the involved machines.
+
+ The proposed authentication scheme can be seen as a "half way
+ authentication": It does not track back an e-mail to the effective
+ sender. It tracks only half of the way, i. e. it tracks back to the
+ domain and it's DNS administrators who authorized that particular
+ sender IP address to use it for sending e-mail. How the party
+ responsible for that domain performs user authentication, whom it
+ grants access to, how it helds people responsible for abuse, is
+ completely left as the private business of those who are in charge
+ of that domain. So this draft does not interfere with the domain's
+ individual security policy or any legislation about such policies.
+ On the other hand, the proposed authentication scheme does not give
+ any statement about the nature and quality of the domain's security
+ policy. This is an essential feature of the proposal: E-mail
+ authentication must be deployed world wide, otherwise it won't do
+ the job. Any security scheme interfering with the local
+ legislations or the domain's security policy will not be accepted
+ and can't effectively deployed. Therefore, the security policy must
+ remain the domain's private business, no matter how lousy the
+ policy might be.
+
+ In order to achieve this and to make use of the only existing world
+ wide Internet directory scheme (DNS), the approach of this proposal
+ is to just ignore the local part of the sender address (i.e. what's
+ left of the @ part) and limit view to the domain part. After all,
+ that's what we do anyway when delivering to a given address with
+ SMTP.
+
+11.1.3. Vulnerability of DNS
+
+ DNS is an essential part of the proposed authentication scheme,
+ since it requires any directory service, and DNS is currently the
+ only one available. Unfortunately, DNS is vulnerable and can be
+ spoofed and poisoned. This flaw is commonly known and weakens many
+ network services, but for reasons beyond that draft DNS has not
+ been significantly improved yet. After the first version of this
+ draft, I received several comments who asked me not to use DNS
+ because of its lack of security. I took this into consideration,
+ but came to the conclusion that this is unfeasible: Any
+ authentication scheme linked to some kind of symbolic identity (in
+ this case the domain name) needs some kind of infrastructure and
+ trusted assignment. There are basically two ways to do it: Do it
+
+
+
+Hadmut Danisch Experimental [Page 23]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ yourself and trust nobody else, or let someone else do it. There
+ are methods to do it the former way, e.g. to give someone some kind
+ of authentication information after a first successful e-mail
+ exchange, e.g. some kind of cookie or special e-mail address. This
+ is certainly interesting and powerful, but it does not solve the
+ problem on a world wide scale and is far to complicated and error
+ prone for the average user, i. e. 99% of the users.
+
+ The latter method to let someone else do the symbolic name
+ assignment and create the authentication framework is well known.
+ It context of public key cryptography, this is called a Public Key
+ Infrastructure (PKI). On of the best known facts about PKIs is
+ that, until now, we don't have any covering a significant part of
+ the Internet. And we won't have any in near future. The complexity
+ is far too high, it is too expensive, and it involves cooperation
+ of every single user, which is simply unrealistic and extremely
+ error prone. So what do we have we can use? All we have is the DNS
+ and the Whois database. And we have countries who don't allow
+ cryptography. So the proposal was designed to use DNS without
+ cryptography. It does not avoid DNS because of its vulnerability,
+ it asks for a better DNS, but accepts the DNS as it is for the
+ moment. Currently there are two main threats caused by the DNS
+ weakness:
+
+ - A spammer/forger could spoof DNS in order to gain false
+ authorization to send fake e-mails.
+
+ - An attacker could spoof DNS in order to block delivery from
+ authorized machines, i. e. perform a Denial of Service attack.
+
+ The first one is rather unrealistic, because it would require an
+ average spammer to poison a significant part of the DNS servers of
+ its victims. A spammer sending messages to one million receipients
+ would need to poison at least 1-10% which is 10,000 to 100,000
+ receipient's DNS servers. This should be unfeasible in most cases.
+
+ In contrast, the second threat is a severe one. If an attacker
+ wanted to block messages from one company to another, he just needs
+ to poison the recipients DNS server with a wrong RMX record in
+ order to make the recipient's SMTP machine reject all messages. And
+ this is feasible since the attacker needs to poison only a single
+ DNS server. But does this make SMTP more vulnerable? No. Because
+ the attacker can already do even more without RMX. By poisoning the
+ sender's DNS server with wrong MX records, the attacker can also
+ block message delivery or even redirect the messages to the
+ attacker's machine, thus preventing any delivery error messages and
+ furthermore getting access to the messages.
+
+
+
+
+Hadmut Danisch Experimental [Page 24]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ As a consequence, e-mail delivery by SMTP requires a better DNS
+ anyway. The requirements are not significantly expanded by RMX.
+
+11.1.4. Sneaking RMX attack?
+
+ While writing a test implementation, a certain kind of attack came
+ into my mind. I'm still not sure, whether this attack is possible
+ on any DNS server, but I believe it should be mentioned:
+
+ Imagine an unauthorized sender is sending a forged mail (e.g.
+ spam). At connection time, before querying the RMX record, the
+ receiving MTA usually performs a PTR query for the IP address of
+ the sending MTA. If the sender has control over the authoritative
+ name server for that particular IP address, the sender could give a
+ normal PTR answer, but could append a wrong RMX, APL, or A record
+ in the additional section of the query. A subsequent RMX query
+ could receive wrong DNS data if the DNS server used by the
+ receiving MTA accepted those forged records.
+
+11.1.5. Open SMTP relays
+
+ Open SMTP relays (i.e. machines who accept any e-mail message from
+ anyone and deliver to the world) abused by spammers are a one of
+ the main problems of spam defense and sender backtracking. In most
+ cases this problem just vanishes because foreign open relay
+ machines will not be covered by the RMX records of the forged
+ sender address. But there are two special cases:
+
+ If the spammer knows about a domain which authorizes this
+ particular machine, that domain can be used for forgery. But in
+ this case, the IP address of the relay machine and the RMX records
+ of the domain track back to the persons responsible. Both can be
+ demanded to fix the relay or remove the RMX record for this
+ machine. An open relay is a security flaw like leaving the machine
+ open for everybody to login and send random mails from inside. Once
+ the administrative persons refuse to solve the problem, they can be
+ identified as spammers and held responsible.
+
+ The second special case is when a domain authorizes all IP
+ addresses by having the network 0.0.0.0/0 in the RMX/APL record. In
+ this case, open relays don't make things worse. It's up to the
+ recipient's MTA to reject mails from domains with loose security
+ policies.
+
+11.1.6. Unforged Spam
+
+ This proposal does not prevent spam (which is, by the way, not yet
+ exactly defined), it prevents forgery. Since spam is against law
+
+
+
+Hadmut Danisch Experimental [Page 25]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ and violates the recipients rights, spam depends on untracability
+ of the sender. In practice the sender forges the sender address
+ (other cases see below). This proposal is designed to detect such
+ forgeries.
+
+ However, the RMX approach is rendered ineffective, if the sender
+ doesn't forge. If the sender uses just a normal address of it's own
+ domain, this is just a plain, normal e-mail, which needs to be let
+ through. Since it is up to the human's taste whether this is spam
+ or not, there's no technical way to reliably identify this as spam.
+ But since the sender domain is known, this domain can be
+ blacklisted or legal steps can be gone into.
+
+11.1.7. Reliability of Whois Entries
+
+ Once the RMX infrastructure gets deployed, what's the security
+ gain? It allows to determine the domain which's DNS zone
+ authorized the sending machine. What's that good for? There are
+ some immediate uses of the domain name, e.g. in black- and
+ whitelisting. But in most cases this is just the starting point of
+ further investigations, either performed automatically before
+ message acceptance, or manually after spam has been received and
+ complainted about.
+
+ The next step after determining the domain is determining the
+ people responsible for this domain. This can sometimes be achieved
+ by querying the Whois databases. Unfortunately, many whois entries
+ are useless because they are incomplete, wrong, obsolete, or in
+ uncommon languages. Furthermore, there are several formats of
+ address informations which make it difficult to automatically
+ extract the address. Sometimes the whois entry identifies the
+ provider and not the owner of the domain. Whois servers are not
+ built for high availability and sometimes unreachable.
+
+ Therefore, a mandatory standard is required about the contents and
+ the format of whois entries, and the availability of the servers.
+ After receiving the MAIL FROM SMTP command with the sender envelope
+ address, the receiving MTA could check the RMX record and Whois
+ entry. If it doesn't point to a real human, the message could be
+ rejected and an error message like "Ask your provider to fix your
+ Whois entry" could be issued. Obviously, domain providers must be
+ held responsible for wrong entries. It might still be acceptable to
+ allow anonymous domains, i. e. domains which don't point to a
+ responsible human. But it is the receivers choice to accept e-mails
+ from such domains or not.
+
+11.1.8. Hazards for Freedom of Speech
+
+
+
+
+Hadmut Danisch Experimental [Page 26]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ Currently, some governments try to enforce limitations of internet
+ traffic in order to cut unwanted content providers from the
+ network. Some of these governments try to hide a whole country
+ behind firewalls, others try to force Internet providers to poison
+ DNS servers with wrong A records for web servers, e.g. one county
+ administration in Germany tries to do so. If message reception
+ depends on DNS entries, the same governments will try to block not
+ only HTTP, but SMTP also.
+
+ However, since most MTAs already reject messages from unresolvable
+ domain names this is not a new threat.
+
+11.2. General Considerations about spam defense
+
+ After discussing security requirements of the proposal, now the
+ security advantages of the RMX approach over content based filters
+ will be explained. Basically, there are three kinds of content
+ filters:
+
+ - Those who upload the message or some digest to an external
+ third party and ask "Is this spam"?
+
+ - Those who download a set of patterns and rules from a third
+ party and apply this set to incoming messages in order to
+ determine whether it is spam.
+
+ - Those who are independent and don't contact any third party,
+ but try to learn themselves what is spam and what isn't.
+
+
+ The message filters provided by some e-mail service providers are
+ usually not a kind of their own, but a combination of the first two
+ kinds.
+
+11.2.1. Action vs. reaction
+
+ Content filters suffer from a fundamental design problem: They are
+ late. They need to see some content of the same kind before in
+ order to learn and to block further distribution.
+
+ This works for viruses and worms, which redistribute. This doesn't
+ work for spam, since spam is usually not redistributed after the
+ first delivery. When the filters have learned or downloaded new
+ pattern sets, it's too late.
+
+ This proposal does not have this problem.
+
+11.2.2. Content based Denial of Service attacks
+
+
+
+Hadmut Danisch Experimental [Page 27]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ All three kinds of content filters, but especially the second and
+ the third kind are vulnerable to content based Denial of Service
+ attacks.
+
+ If some kind of third party (e.g. non-democratic government,
+ intellectual property warriors, religious groups, military, secret
+ services, patriots, public relation agents, etc.) wants certain
+ contents not to be distributed, they could either poison the
+ pattern/rule databases or feed wrong sets to particular receivers.
+
+ Such pattern/rule sets are the perfect tool for censoring e-mail
+ traffic and denial of service attacks by governments and other
+ parties, and a similar threat are virus filters. E. g. the content
+ industry could demand to teach all virus and spam filters to delete
+ all e-mails containing the URL of an MP3 web server outside the
+ legislations. Software manufacturers could try to block all e-mails
+ containing software license keys, thus trying to make unallowed
+ distribution more difficult. Governments could try to block
+ distribution of unwanted informations.
+
+ This proposal does not have this problem.
+
+
+12. Privacy Considerations
+
+ (It was proposed on the 56th IETF meeting to have a privacy section
+ in drafts and RFCs.)
+
+12.1. Draft specific considerations
+
+12.1.1. No content leaking
+
+ Since the RMX approach doesn't touch the contents of a message in
+ any way, there is obviously no way of leaking out any information
+ about the content of the message. RMX is based solely on the
+ envelope recipient address. However, methods to fix problems not
+ covered by RMX might allow content leaking, e.g. if the acceptance
+ of a message with an empty sender address requires the reference to
+ the message id of an e-mail recently sent, this allows an attacker
+ to verify whether a certain message was delivered from there.
+
+12.1.2. Message reception and sender domain
+
+ Message delivery triggers RMX and APL requests by the recipient.
+ Thus, the admin of the DNS server or an eavesdropper could learn
+ that the given machine has just received a message with a sender
+ from this address, even if the SMTP traffic itself had been
+ encrypted.
+
+
+
+Hadmut Danisch Experimental [Page 28]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ However, most of today's MTAs do query the MX and A records of the
+ domain after the MAIL FROM command, so this is not a real new
+ threat.
+
+12.1.3. Network structure
+
+ Since RMX and its associated APL records provide a complete list of
+ all IP addresses of hosts authorized to send messages from this
+ address, they do reveal informations about the network structure
+ and maybe the lifestyle of the domain owner, since a growing number
+ of domains are owned by single persons or families. E.g. the RMX
+ records could reveal where someone has his job or spends his time
+ at weekends.
+
+ If such informations are to be kept secret, it is the user's job to
+ not sent e-mails from there and to relay them from non-compromising
+ IP addresses.
+
+12.1.4. Owner information distribution
+
+ As described above, RMX depends partly on the reliability of the
+ whois database entries. It does not make anonymous domains
+ impossible, but it requires to keep the database entries "true", i.
+ e. if a whois entry does not contain informations about the
+ responsible person, this must be unambigously labeled as anonymous.
+ It must not contain fake names and addresses to pretend a non-
+ existing person. However, since most Internet users on the world
+ feel extremely annoyed by spam, they will urge their MTA admin to
+ reject messages from anonymous domains. The domain owner will have
+ the choice to either remain anonymous but be not able to send e-
+ mail to everyone in the world, or to be able but to reveal his
+ identity to everyone on the world.
+
+ It would be possible to provide whois-like services only to
+ recipients of recent messages, but this would make things too
+ complicated to be commonly adopted.
+
+12.2. General Considerations about spam defense
+
+12.2.1. Content leaking of content filters
+
+ As described above in the Security chapter, there are spam filters
+ which inherently allow leakage of the message body. Those filters
+ upload either the message body, or in most cases just some kind of
+ checksum to a third party, which replies whether this is to be seen
+ as spam or not. The idea is to keep a databases of all digests of
+ all messages. If a message is sent more often than some threshold,
+ it is to be considered as a mass mail and therefore tagged as spam.
+
+
+
+Hadmut Danisch Experimental [Page 29]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ While the digest itself does not reveal the content of the message,
+ it perfectly reveals where a particular message has been delivered
+ to. If a government finds just a single unwanted message, if a
+ software manufacturer finds a single message with a stolen product
+ license key, if someone finds a message with unpatriotic content,
+ it takes just a single database lookup to get a list of all people
+ who received this particular message. Content filters with digest
+ upload are the perfect "Big Brother".
+
+12.2.2. Black- and Whitelists
+
+ Some proposals against spam are based on a central database of
+ white- or blacklisted IP addresses, Sender names, Message IDs or
+ whatever. Again, there is a central database which learns who has
+ received which e-mail or from which sender with every query. This
+ allows tracking relations between persons, which is also a breach
+ of privacy.
+
+
+
+13. Deployment Considerations
+
+13.1. Compatibility
+
+13.1.1. Compatibility with old mail receivers
+
+ Since the suggested extension doesn't change the SMTP protocol at
+ all, it is fully compatible with old mail receivers. They simply
+ don't ask for the RMX records and don't perform the check.
+
+13.1.2. Compatibility with old mail senders
+
+ Since the SMTP protocol is unchanged and the SMTP sender is not
+ involved in the check, the method is fully compatible with old mail
+ senders.
+
+13.1.3. Compatibility with old DNS clients
+
+ Since the RMX is a new RR, the existing DNS protocol and zone
+ informations remain completely untouched.
+
+ If RMX is provided as a TXT record instead, it must be ensured that
+ no other software is misinterpreting this entry.
+
+13.1.4. Compatibility with old DNS servers
+
+ Full compatibility: If the server does not support RMX records, RMX
+ in TXT records can be used.
+
+
+
+Hadmut Danisch Experimental [Page 30]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+13.2. Enforcement policy
+
+ Obviously, for reasons of backward compatibility and smooth
+ introduction of this scheme, RMX records can't be required
+ immediately. Domains without RMX records must temporarily be
+ treated the same way as they are treated right now, i.e. e-mail
+ must be accepted from anywhere. But once the scheme becomes
+ sufficiently widespread, mail relays can start to refuse e-mails
+ with sender addresses from domains without RMX records, thus
+ forcing the owner of the domain to include a statement of
+ authorization into the domain's zone table. Domain owners will
+ still be free to have an RMX record with a network and mask
+ 0.0.0.0/0, i.e. to allow e-mails with that domain from everywhere.
+ On the other hand, mail receivers will be free to refuse mails from
+ domains without RMX records or RMX records which are too loose.
+ Advanced MTAs might have a configuration option to set the maximum
+ number of IP addresses authorized to use a domain. E-mails from a
+ domain, which's RMX records exceed this limit, would be rejected.
+ For example, a relay could reject e-mails from domains which
+ authorize more than 8 IP addresses. That allows to accept e-mails
+ only from domains with a reasonable security policy.
+
+
+
+14. General considerations about fighting spam
+
+ Is there a concise technical solution against spam? Yes.
+
+ Will it be deployed? Certainly not.
+
+ Why not? Because of the strong non-technical interests of several
+ parties against a solution to the problem, as described below.
+ Since these are non-technical reasons, they might be beyond the
+ scope of such a draft. But since they are the main problems that
+ prevent fighting spam, it is unavoidable to address them. This
+ chapter exists temporarily only and should support the discussion
+ of solutions. It is not supposed to be included in a later RFC.
+
+14.1. The economical problem
+
+ As has been recently illustrated in the initial session of the
+ IRTF's Anti Spam Research Group (ASRG) on the 56th IETF meeting,
+ sending spam is a business with significant revenues.
+
+ But a much bigger business is selling Anti-Spam software. This is a
+ billion dollar market, and it is rapidly growing. Any simple and
+ effective solution against spam would defeat revenues and drive
+ several companies into bankrupt, would make consultants jobless.
+
+
+
+Hadmut Danisch Experimental [Page 31]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ Therefore, spam is essential for the Anti-Spam business. If there
+ is no spam, then no Anti-Spam software can be sold, similar to the
+ Anti-Virus business. There are extremely strong efforts to keep
+ this market growing. Viruses, Worms, and now spam are just perfect
+ to keep this market alive: It is not sufficient to just buy a
+ software. Databases need to be updated continuously, thus making
+ the cash flow continuously. Have a single, simple, and permanent
+ solution to the problem and - boom - this billion dollar market is
+ dead.
+
+ That's one of the reasons why people are expected to live with
+ spam. They have to live with it to make them buy Anti-Spam
+ software. Content filters are perfect products to keep this market
+ alive.
+
+14.2. The POP problem
+
+ Another problem is the history of mail delivery. Once upon a time,
+ there used to be very few SMTP relays which handled the e-mail
+ traffic of all the world, and everybody was happy with that. Then
+ odd things like Personal Computers, which are sometimes switched
+ off, portable computers, dynamicly assigned IP addresses, IP access
+ from hotel rooms, etc. was invented, and people became unhappy,
+ because SMTP does not support delivery to such machines. To make
+ them happy again, the Post Office Protocol[4] was invented, which
+ turned the last part of message delivery from SMTP's push style
+ into a pull style, thus making virtually every computer on the
+ world with any random IP address a potential receiver of mails for
+ random domains. Unfortunately, only receiving e-mail was covered,
+ but sending e-mail was left to SMTP.
+
+ The result is that today we have only very few SMTP relays pointed
+ to by MX records, but an extreme number of hosts sending e-mail
+ with SMTP from any IP address with sender addresses from any
+ domain. Mail delivery has become very asymmetric. Insecurity,
+ especially forgeability, has become an essential part of mail
+ transport.
+
+ That problem could easily be fixed: Use protocols which allow
+ uploading of messages to be delivered. If a host doesn't receive
+ messages by SMTP, it shouldn't deliver by SMTP. Mail delivery
+ should go the same way back that incoming mail went in. This is
+ not a limitation to those people on the road who plug their
+ portable computer in any hotel room's phone plug and use any
+ provider. If there is a POP server granting download access from
+ anywhere, then the same server should be ready to accept uploading
+ of outgoing messages.
+
+
+
+
+Hadmut Danisch Experimental [Page 32]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ But as I saw from the comments on the first version of this draft,
+ people religiously insist on sending e-mail with their domain from
+ any computer with any IP address in the world, e.g. when visiting a
+ friend using her computer. It appears to be impossible to convince
+ people that stopping mail forgery requires every one of them to
+ give up forging.
+
+14.3. The network structure problem
+
+ A subsequent problem is that many organisations failed to implement
+ a proper mail delivery structure and heavily based their network on
+ this asymmetry. I received harsh comments from Universities who
+ were unable to give their network a good structure. While they do
+ have a central mail relay for incoming mail to the universities
+ domain, they developed a structure where every member of the
+ University randomly sends e-mails with that University's domain as
+ a sender address from home or everywhere in the world with any
+ dynamically assigned IP address from any provider. So this domain
+ is to be used from every possible IP address on earth, and they are
+ unable to operate any authentication scheme. Furthermore, they were
+ unable to understand that such a policy heavily supports spam and
+ that they have to expect that people don't accept such e-mails
+ anymore once they become blacklisted.
+
+ As long as organisations insist on having such policies, spammers
+ will have a perfect playground.
+
+14.4. The mentality problem
+
+ Another problem is the mentality of many internet users of certain
+ countries. I received harsh comments from people who strongly
+ insisted on the freedom to send any e-mail with any sender address
+ from anywhere, and who heavily refused any kind of authentication
+ step or any limitation, because they claimed that this would
+ infringe their constitutional "Freedom of speech". They are
+ undeviatingly convinced that "Freedom of speech" guarantees their
+ right to talk to everybody with any sender address, and that is has
+ to be kept the recipient's own problem to sort out what he doesn't
+ want to read - on the recipient's expense.
+
+ It requires a clear statement that the constitutional "Freedom of
+ Speech" does not cover molesting people with unsolicited e-mail
+ with forged sender address.
+
+14.5. The identity problem
+
+ How does one fight against mail forgery? With authentication. What
+ is authentication? In simple words: Making sure that the sender's
+
+
+
+Hadmut Danisch Experimental [Page 33]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+ real identity meets the recipients idea of who is the sender, based
+ on the sender address which came with the message.
+
+ What is identity? It is the main problem. Several countries have
+ different ideas of "identity", which turn out to be somehow
+ incompatible. In some countries people have identity cards and
+ never change their name and birthday. Identities are created by
+ human birth, not by identity changes. Other countries do not have
+ such a tight idea about identity. People's temporary identity is
+ based on nothing more than a driving license and a social security
+ number. With this background, it is virtually impossible to create
+ a trustworthy PKI covering all Internet users. I learned that it is
+ extremely difficult to convince some people to give up random e-
+ mail sending.
+
+14.6. The multi-legislation problem
+
+ Many proposals about fighting spam are feasible under certain
+ legislations only, and are inacceptable under some of the
+ legislations. But a world wide applicable method is required.
+ That's why the approach to ask everone on the world to sign
+ messages with cryptographic keys is not feasible.
+
+
+Implementation and further Information
+
+ Further informations and a test implementation are available at
+
+ http://www.danisch.de/work/security/antispam.html
+ http://www.danisch.de/software/rmx/
+
+
+ Additional informations and a technology overview are also
+ available at
+
+ http://www.mikerubel.org/computers/rmx_records/
+
+
+References
+
+
+
+1. S. Bradner, "Key words for use in RFCs to Indicate Requirement Lev-
+ els," RFC 2119 (March 1997).
+
+2. J. Klensin, "Simple Mail Transfer Protocol," RFC 2821 (April 2001).
+
+
+
+
+
+Hadmut Danisch Experimental [Page 34]
+
+INTERNET-DRAFT DNS RMX RR Oct 2003
+
+
+3. P. Mockapetris, "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION,"
+ RFC 1035 (November 1987).
+
+4. J. Myers, M. Rose, "Post Office Protocol - Version 3," RFC 1939
+ (May 1996).
+
+
+Draft History
+
+ 00 Dec 2002
+ 01 Apr 2003
+ 02 Jun 2003
+ 03 Oct 2003
+
+Author's Address
+
+ Hadmut Danisch
+
+ Tennesseeallee 58
+ 76149 Karlsruhe
+ Germany
+
+ Phone: ++49-721-843004 or ++49-351-4850477
+ E-Mail: rfc@danisch.de
+
+Comments
+
+ Please send comments to rfc@danisch.de.
+
+Expiry
+
+ This drafts expires on Apr 1, 2004.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hadmut Danisch Experimental [Page 35]
+
diff --git a/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt b/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt
new file mode 100644
index 0000000..7b5e8cc
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-dnsext-opcode-discover-02.txt
@@ -0,0 +1,241 @@
+
+IETF DNSEXT WG Bill Manning
+draft-dnsext-opcode-discover-02.txt ep.net
+ Paul Vixie
+ ISC
+ 13 Oct 2003
+
+
+ The DISCOVER opcode
+
+This document is an Internet-Draft and is subject to all provisions of
+Section 10 of RFC2026.
+
+Comments may be submitted to the group mailing list at "mdns@zocalo.net"
+or the authors.
+
+Distribution of this memo is unlimited.
+
+Internet-Drafts are working documents of the Internet Engineering Task
+Force (IETF), its areas, and its working groups. Note that other groups
+may also distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months and
+may be updated, replaced, or obsoleted by other documents at any time. It
+is inappropriate to use Internet-Drafts as reference material or to cite
+them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+The capitalized keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+document are to be interpreted as described in RFC 2119
+
+0. Abstract:
+
+ The QUERY opcode in the DNS is designed for unicast. With the
+ development of multicast capabilities in the DNS, it is desireable
+ to have a more robust opcode for server interactions since a single
+ request may generate replies from multiple responders. So DISCOVER
+ is defined to deal with replies from multiple responders.
+
+ As such, this document extends the core DNS specifications to allow
+ clients to have a method for coping with replies from multiple
+ responders. Use of this new opcode may facilitate DNS operations in
+ modern networking topologies. A prototype of the DISCOVER opcode
+ was developed during the TBDS project (1999-2000), funded under DARPA
+ grant F30602-99-1-0523.
+
+1. Introduction:
+
+ This document describes an experimental extension to the DNS to receive
+ multiple responses which is the likely result when using DNS that has
+ enabled multicast queries. This approach was developed as part of the
+ TBDS research project, funded under DARPA grant F30602-99-1-0523. The
+ full processing rules used by TBDS are documented here for possible
+ incorporation in a future revision of the DNS specification."
+
+2. Method:
+
+ DISCOVER works like QUERY except:
+
+ 1. it can be sent to a broadcast or multicast destination. QUERY
+ isn't defined for non-unicast, and arguably shouldn't be.
+
+ 2. the Question section, if present, has <QNAME=zonename,QTYPE=SOA>
+ tuples. TBDS tried to augment this structure as follows:
+ <QNAME=service,QTYPE=SRV>. While this worked for our purposes in
+ TBDS, it is cleaner to place the SRV question in a separate pass.
+
+ 3. if QDCOUNT equals 0 then only servers willing to do recursion should
+ answer. Other servers must silently discard the DISCOVER request.
+
+ 4. if QDCOUNT is not equal to 0 then only servers who are authoritative
+ for the zones named by some QNAME should answer.
+
+ 5. responses may echo the request's Question section or leave it blank,
+ just like QUERY.
+
+ 6. responses have standard Answer, Authority, and Additional sections.
+ e.g. the response is the same as that to a QUERY. It is desireable
+ that zero content answers not be sent to avoid badly formed or
+ unfulfilled requests. Responses should be sent to the unicast
+ address of the requester and the source address should reflect
+ the unicast address of the responder.
+
+ Example usage for gethostby{name,addr}-style requestors:
+
+ Compute the zone name of the enclosing in-addr.arpa, ip6.int, or
+ ip6.arpa domain.
+
+ DISCOVER whether anyone in-scope is authoritative for this zone.
+
+ If so, query these authoritative servers for local
+ in-addr/ip6 names.
+
+ If not, DISCOVER whether there are recursive servers available.
+
+ If so, query these recursive servers for local
+ in-addr/ip6 names.
+
+ So, a node will issue a multicast request with the DISCOVER opcode at
+ some particular multicast scope. Then determine, from the replies,
+ whether there are any DNS servers which are authoritative (or support
+ recursion) for the zone. Replies to DISCOVER requests MUST set the
+ Recursion Available (RA) flag in the DNS message header.
+
+ It is important to recognize that a requester must be prepared to
+ receive multiple replies from multiple responders. We expect that
+ there will be a single response per responder.
+
+ Once one learns a host's FQDN by the above means, repeat the process
+ for discovering the closest enclosing authoritative server of such
+ local name.
+
+ Cache all NS and A data learned in this process, respecting TTL's.
+
+ TBDS usage for SRV requestors:
+
+ Do the gethostbyaddr() and gethostbyname() on one's own link-local
+ address, using the above process.
+
+ Assume that the closest enclosing zone for which an authority server
+ answers an in-scope DISCOVER packet is "this host's parent domain".
+
+ Compute the SRV name as _service._transport.*.parentdomain.
+
+ This is a change to the definition as defined in RFC 1034.
+ A wildcard label ("*") in the QNAME used in a DNS message with
+ opcode DISCOVER SHOULD be evaluated with special rules. The
+ wildcard matches any label for which the DNS server data is
+ authoritative. For example 'x.*.example.com.' would match
+ 'x.y.example.com.' and 'x.yy.example.com.' provided that the
+ server was authoritative for 'example.com.' In this particular
+ case, we suggest the follwing considerations be made:
+
+ getservbyname() can be satisfied by issuing a request with
+ this computed SRV name. This structure can be
+ populated by values returned from a request as follows:
+
+ s_name The name of the service, "_service" without the
+ preceding underscore.
+ s_aliases The names returned in the SRV RRs in replies
+ to the query.
+ s_port The port number in the SRV RRs replies to the
+ query. If these port numbers disagree - one
+ of the port numbers is chosen, and only those
+ names which correspond are returned.
+ s_proto The transport protocol from named by the
+ "_transport" label, without the preceding
+ underscore.
+
+ Send SRV query for this name to discovered local authoritative servers.
+
+ Usage for disconnected networks with no authoritative servers:
+
+ Hosts should run a "stub server" which acts as though its FQDN is a
+ zone name. Computed SOA gives the host's FQDN as MNAME, "." as the
+ ANAME, seconds-since-1Jan2000 as the SERIAL, low constants for EXPIRE
+ and the other timers. Compute NS as the host's FQDN. Compute the
+ glue as the host's link-local address. Or Hosts may run a
+ "DNS stub server" which acts as though its FQDN is a zone name. The
+ rules governing the behavior of this stub server are given elsewhere
+ [1] [2].
+
+ Such stub servers should answer DISCOVER packets for its zone, and
+ will be found by the iterative "discover closest enclosing authority
+ server" by DISCOVER clients, either in the gethostbyname() or SRV
+ cases described above. Note that stub servers only answer with
+ zone names which exactly match QNAME's, not with zone names which
+ are owned by QNAME's.
+
+ The main deviation from the DNS[3][4] model is that a host (like, say, a
+ printer offering LPD services) has a DNS server which answers authoritatively
+ for something which hasn't been delegated to it. However, the only way that
+ such DNS servers can be discovered is with a new opcode, DISCOVER, which
+ is explicitly defined to discover undelegated zones for tightly scoped
+ purposes. Therefore this isn't officially a violation of DNS's coherency
+ principles. In some cases a responder to DISCOVER may not be traditional
+ DNS software, it could be special purpose software.
+
+3. IANA Considerations
+
+ As a new opcode, the IANA will need to assign a numeric value
+ for the memnonic. The last OPCODE assigned was "5", for UPDATE.
+ Test implementations have used OPCODE "6".
+
+4. Security Considerations
+
+ No new security considerations are known to be introduced with any new
+ opcode, however using multicast for service discovery has the potential
+ for denial of service, primarly from flooding attacks. It may also be
+ possible to enable deliberate misconfiguration of clients simply by
+ running a malicious DNS resolver that claims to be authoritative for
+ things that it is not. One possible way to mitigate this effect is by
+ use of credentials, such as CERT resource records within an RR set.
+ The TBDS project took this approach.
+
+5. Attribution:
+
+ This material was generated in discussions on the mdns mailing list
+hosted by Zocalo in March 2000. Updated by discussion in September/October
+2003. David Lawrence, Scott Rose, Stuart Cheshire, Bill Woodcock,
+Erik Guttman, Bill Manning and Paul Vixie were active contributors.
+
+6. Author's Address
+
+ Bill Manning
+ PO 12317
+ Marina del Rey, CA. 90295
+ +1.310.322.8102
+ bmanning@karoshi.com
+
+ Paul Vixie
+ Internet Software Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ +1 650 779 7001
+ <vixie@isc.org>
+
+7. References
+
+Informational References:
+
+[1] Esibov, L., Aboba, B., Thaler, D., "Multicast DNS",
+ draft-ietf-dnsext-mdns-00.txt, November 2000. Expired
+
+[2] Woodcock, B., Manning, B., "Multicast Domain Name Service",
+ draft-manning-dnsext-mdns-00.txt, August 2000. Expired.
+
+Normative References:
+[3] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
+ RFC 1034, November 1987.
+[4] Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION",
+ RFC 1035, November 1987
+
+ ----------------------------EOL-----------------------
+
diff --git a/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt b/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt
new file mode 100644
index 0000000..224e7ad1
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-durand-dnsop-dynreverse-00.txt
@@ -0,0 +1,240 @@
+Internet Engineering Task Force Alain Durand
+INTERNET-DRAFT SUN Microsystems
+Feb 21, 2003
+Expires Aug 2, 2003
+
+
+
+ Dynamic reverse DNS for IPv6
+ <draft-durand-dnsop-dynreverse-00.txt>
+
+
+
+Status of this memo
+
+
+ This memo provides information to the Internet community. It does
+ not specify an Internet standard of any kind. This memo is in full
+ conformance with all provisions of Section 10 of RFC2026 [RFC2026].
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+
+Abstract
+
+ This document describes a method to dynamically generate PTR records
+ and corresponding A or AAAA records when the reverse path DNS tree is
+ not populated.
+
+ A special domain dynrev.arpa. is reserved for that purpose.
+
+
+1. Introduction
+
+ In IPv4, the reverse path tree of the DNS under in-addr.arpa.
+ although not perfectly maintained, is still mostly usable and its
+ existence is important for a number of applications that relies on
+ its existence and decent status. Some applications performs some
+ (very) weak security checks based on it. Mail relays relies on it for
+ some anti-spams checks an some FTP server will not let you in unless
+ your IP address resolve properly with a PTR record.
+
+ IPv6 addresses being much longer (and cumbersome) than IPv4
+ addresses, it is to fear that the reverse path tree under ip6.arpa.
+ would not be as well maintained. Also, tools like 6to4, Isatap and
+ others have made creative use of the 128 bits of an IPv6 address to
+ automatically embed an IPv4 address to enable seamless connection to
+ the IPv6 Internet. However, no provision has been made to make sure
+ the reverse path tree gets automatically updated as well for those
+ new IPv6 addresses. One step furter, RFC3041 describes a mechanism
+ to basically use random bits in the bottom part of an IPv6 address to
+ preserver anonymity. If those addresses are to resolve in the reverse
+ path tree, it obviously has to be with anonymous data as well.
+ Another point to note is that home customer ISPs in IPv4 have a
+ current practice to pre-populate the reverse path tree with names
+ automatically derived from the IP addresses. This practice is no
+ longer possible in IPv6, where IP address allocation is not dense as
+ it is the case in IPv4. The mere size of typical customer allocation
+ (2^48 according to the recommendation of RFC3177) makes it
+ impossible.
+
+ Applications that check the existence of PTR records usually follow
+ this by checking if the name pointed by the PTR resolve in a A (or
+ AAAA for IPv6) that match the original IP address. Thus the forward
+ path tree must also include the corresponding data.
+
+ One simple approach of this problem is to simply declare the usage of
+ the reverse path DNS as described above obsolete. The author believe
+ this is too strong an approach for now.
+
+ Similarly, a completely different approach would be to deprecate the
+ usage of DNS for the reverse tree altogether and replace it by
+ something inspired from ICMP name-info messages. The author believes
+ that this approached is an important departure from the current
+ practise and thus not very realistic. Also, there are some concerns
+ about the the security implications of this method as any node could
+ easily impersonate any name. This approach would fundamentally change
+ the underlying assumption of "I trust what has been put in the DNS by
+ the local administrators" to "I trust what has been configured on
+ each machine I query directly".
+
+
+
+2. Dynamic record generation
+
+ If static pre-population of the tree is not possible anymore and data
+ still need to be returned to applications using getnameinfo(), the
+ alternative is dynamic record generation. This can be done is two
+ places: in the DNS servers responsible for the allocated space (/64
+ or /48) in the ip6.arpa. domain. or in the DNS resolvers (either the
+ sub resolver library or the recursive DNS server).
+
+ 2.1. On the resolver side.
+
+ The resolver, either in the recursive DNS server or in the stub
+ library could theoretically generate this data.
+
+ In case DNSsec is in place, the recursive DNS server would have to
+ pretend these records are authentic.
+
+ If the synthesis is done in the stub-resolver library, no record
+ needs to be actually generated, only the right information needs to
+ be passed to getnameinfo() and getaddrinfo(). If the synthesis is
+ done in the recursive DNS server, no modification is required to
+ existing stub resolvers.
+
+
+2.2. On the server side.
+
+ PTR records could be generated automatically by the server
+ responsible for the reverse path tree of an IPv6 prefix (a /64 or /48
+ prefixes or basically anything in between) when static data is not
+ available.
+
+ There could be impact on DNSsec as the zone or some parts of the zone
+ may need to be resigned each time a DNS query is made for an
+ unpopulated address. This can be seen as a DOS attack on a DNSsec
+ zone, so server side synthesis is not recommended if DNSsec is
+ deployed.
+
+
+
+3. Synthesis
+
+ The algorithm is simple: Do the normal queries. If the query returns
+ No such domain, replace this answer by the synthetized one if
+ possible.
+
+3.1. PTR synthesis
+
+ The synthetized PTR for a DNS string [X] is simply [X].dynrev.arpa.
+ where [X] is any valid DNS name.
+
+ The fact that the synthetized PTR points to the dynrev.arpa. domain
+ is an indication to the applications that this record has been
+ dynamically generated.
+
+
+3.2. A synthesis
+
+ If [X] is in the form a.b.c.d.in-addr.arpa, one can synthetized an A
+ record for the string [X].dynrev.arpa. which value is d.c.b.a. with
+ a,b,c & d being integer [0..255]
+
+
+3.3. AAAA synthesis
+
+ If [X] is in the form
+ a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.s.t.u.v.w.x.y.z.A.B.C.D.E.F.in-
+ addr.arpa, one can synthetized a AAAA record for the string
+ [X].dynrev.arpa. which value is
+ FEDC:BAzy:xwvu:tsrq:ponm:lkji:hgfe:dcba with
+ a,b,c....x,y,z,A,B,C,D,E,F being hexadecimal digits.
+
+
+3.4. Server side synthesis
+
+ If synthesis is done on the server side, PTR could be set not to use
+ the dynrev.arpa domain but the local domain name instead. It culd be
+ for instance dynrev.mydomain.com.
+
+ Note also that server side synthesis is not incompatible with
+ resolver side synthesis.
+
+
+
+4. IANA considerations
+
+ The dynrev.arpa. domain is reserved for the purpose of this document.
+
+
+
+5. Security considerations
+
+ Section 2. discusses the the interactions with DNSsec.
+
+
+
+6. Authors addresses
+
+ Alain Durand
+ SUN Microsystems, Inc
+ 17, Network Circle
+ UMPK17-202
+ Menlo Park, CA 94025
+ USA
+ Mail: Alain.Durand@sun.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt
new file mode 100644
index 0000000..f0ce70a
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-axfr-clarify-05.txt
@@ -0,0 +1,393 @@
+
+
+
+INTERNET-DRAFT Andreas Gustafsson
+draft-ietf-dnsext-axfr-clarify-05.txt Nominum Inc.
+ November 2002
+
+
+ DNS Zone Transfer Protocol Clarifications
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+Abstract
+
+ In the Domain Name System, zone data is replicated among
+ authoritative DNS servers by means of the "zone transfer" protocol,
+ also known as the "AXFR" protocol. This memo clarifies, updates, and
+ adds missing detail to the original AXFR protocol specification in
+ RFC1034.
+
+1. Introduction
+
+ The original definition of the DNS zone transfer protocol consists of
+ a single paragraph in [RFC1034] section 4.3.5 and some additional
+ notes in [RFC1035] section 6.3. It is not sufficiently detailed to
+ serve as the sole basis for constructing interoperable
+ implementations. This document is an attempt to provide a more
+ complete definition of the protocol. Where the text in RFC1034
+ conflicts with existing practice, the existing practice has been
+ codified in the interest of interoperability.
+
+
+
+
+Expires May 2003 [Page 1]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+2. The zone transfer request
+
+ To initiate a zone transfer, the slave server sends a zone transfer
+ request to the master server over a reliable transport such as TCP.
+ The form of this request is specified in sufficient detail in RFC1034
+ and needs no further clarification.
+
+ Implementers are advised that one server implementation in widespread
+ use sends AXFR requests where the TCP message envelope size exceeds
+ the DNS request message size by two octets.
+
+3. The zone transfer response
+
+ If the master server is unable or unwilling to provide a zone
+ transfer, it MUST respond with a single DNS message containing an
+ appropriate RCODE other than NOERROR. If the master is not
+ authoritative for the requested zone, the RCODE SHOULD be 9
+ (NOTAUTH).
+
+ Slave servers should note that some master server implementations
+ will simply close the connection when denying the slave access to the
+ zone. Therefore, slaves MAY interpret an immediate graceful close of
+ the TCP connection as equivalent to a "Refused" response (RCODE 5).
+
+ If a zone transfer can be provided, the master server sends one or
+ more DNS messages containing the zone data as described below.
+
+3.1. Multiple answers per message
+
+ The zone data in a zone transfer response is a sequence of answer
+ RRs. These RRs are transmitted in the answer section(s) of one or
+ more DNS response messages.
+
+ The AXFR protocol definition in RFC1034 does not make a clear
+ distinction between response messages and answer RRs. Historically,
+ DNS servers always transmitted a single answer RR per message. This
+ encoding is wasteful due to the overhead of repeatedly sending DNS
+ message headers and the loss of domain name compression
+ opportunities. To improve efficiency, some newer servers support a
+ mode where multiple RRs are transmitted in a single DNS response
+ message.
+
+ A master MAY transmit multiple answer RRs per response message up to
+ the largest number that will fit within the 65535 byte limit on TCP
+
+
+
+Expires May 2003 [Page 2]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ DNS message size. In the case of a small zone, this can cause the
+ entire transfer to be transmitted in a single response message.
+
+ Slaves MUST accept messages containing any number of answer RRs. For
+ compatibility with old slaves, masters that support sending multiple
+ answers per message SHOULD be configurable to revert to the
+ historical mode of one answer per message, and the configuration
+ SHOULD be settable on a per-slave basis.
+
+3.2. DNS message header contents
+
+ RFC1034 does not specify the contents of the DNS message header of
+ the zone transfer response messages. The header of each message MUST
+ be as follows:
+
+ ID Copy from request
+ QR 1
+ OPCODE QUERY
+ AA 1, but MAY be 0 when RCODE is not NOERROR
+ TC 0
+ RD Copy from request, or 0
+ RA Set according to availability of recursion, or 0
+ Z 0
+ AD 0
+ CD 0
+ RCODE NOERROR on success, error code otherwise
+
+ The slave MUST check the RCODE in each message and abort the transfer
+ if it is not NOERROR. It SHOULD check the ID of the first message
+ received and abort the transfer if it does not match the ID of the
+ request. The ID SHOULD be ignored in subsequent messages, and fields
+ other than RCODE and ID SHOULD be ignored in all messages, to ensure
+ interoperability with certain older implementations which transmit
+ incorrect or arbitrary values in these fields.
+
+3.3. Additional section and SIG processing
+
+ Zone transfer responses are not subject to any kind of additional
+ section processing or automatic inclusion of SIG records. SIG RRs in
+ the zone data are treated exactly the same as any other RR type.
+
+3.4. The question section
+
+ RFC1034 does not specify whether zone transfer response messages have
+ a question section or not. The initial message of a zone transfer
+ response SHOULD have a question section identical to that in the
+ request. Subsequent messages SHOULD NOT have a question section,
+ though the final message MAY. The receiving slave server MUST accept
+
+
+
+Expires May 2003 [Page 3]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ any combination of messages with and without a question section.
+
+3.5. The authority section
+
+ The master server MUST transmit messages with an empty authority
+ section. Slaves MUST ignore any authority section contents they may
+ receive from masters that do not comply with this requirement.
+
+3.6. The additional section
+
+ The additional section MAY contain additional RRs such as transaction
+ signatures. The slave MUST ignore any unexpected RRs in the
+ additional section. It MUST NOT treat additional section RRs as zone
+ data.
+
+4. Zone data
+
+ The purpose of the zone transfer mechanism is to exactly replicate at
+ each slave the set of RRs associated with a particular zone at its
+ primary master. An RR is associated with a zone by being loaded from
+ the master file of that zone at the primary master server, or by some
+ other, equivalent method for configuring zone data.
+
+ This replication shall be complete and unaltered, regardless of how
+ many and which intermediate masters/slaves are involved, and
+ regardless of what other zones those intermediate masters/slaves do
+ or do not serve, and regardless of what data may be cached in
+ resolvers associated with the intermediate masters/slaves.
+
+ Therefore, in a zone transfer the master MUST send exactly those
+ records that are associated with the zone, whether or not their owner
+ names would be considered to be "in" the zone for purposes of
+ resolution, and whether or not they would be eligible for use as glue
+ in responses. The transfer MUST NOT include any RRs that are not
+ associated with the zone, such as RRs associated with zones other
+ than the one being transferred or present in the cache of the local
+ resolver, even if their owner names are in the zone being transferred
+ or are pointed to by NS records in the zone being transferred.
+
+ The slave MUST associate the RRs received in a zone transfer with the
+ specific zone being transferred, and maintain that association for
+ purposes of acting as a master in outgoing transfers.
+
+5. Transmission order
+
+ RFC1034 states that "The first and last messages must contain the
+ data for the top authoritative node of the zone". This is not
+ consistent with existing practice. All known master implementations
+
+
+
+Expires May 2003 [Page 4]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ send, and slave implementations expect to receive, the zone's SOA RR
+ as the first and last record of the transfer.
+
+ Therefore, the quoted sentence is hereby superseded by the sentence
+ "The first and last RR transmitted must be the SOA record of the
+ zone".
+
+ The initial and final SOA record MUST be identical, with the possible
+ exception of case and compression. In particular, they MUST have the
+ same serial number. The slave MUST consider the transfer to be
+ complete when, and only when, it has received the message containing
+ the second SOA record.
+
+ The transmission order of all other RRs in the zone is undefined.
+ Each of them SHOULD be transmitted only once, and slaves MUST ignore
+ any duplicate RRs received.
+
+6. Security Considerations
+
+ The zone transfer protocol as defined in [RFC1034] and clarified by
+ this memo does not have any built-in mechanisms for the slave to
+ securely verify the identity of the master server and the integrity
+ of the transferred zone data. The use of a cryptographic mechanism
+ for ensuring authenticity and integrity, such as TSIG [RFC2845],
+ IPSEC, or TLS, is RECOMMENDED.
+
+ The zone transfer protocol allows read-only public access to the
+ complete zone data. Since data in the DNS is public by definition,
+ this is generally acceptable. Sites that wish to avoid disclosing
+ their full zone data MAY restrict zone transfer access to authorized
+ slaves.
+
+ These clarifications are not believed to themselves introduce any new
+ security problems, nor to solve any existing ones.
+
+Acknowledgements
+
+ Many people have contributed input and commentary to earlier versions
+ of this document, including but not limited to Bob Halley, Dan
+ Bernstein, Eric A. Hall, Josh Littlefield, Kevin Darcy, Robert Elz,
+ Levon Esibov, Mark Andrews, Michael Patton, Peter Koch, Sam
+ Trenholme, and Brian Wellington.
+
+References
+
+ [RFC1034] - Domain Names - Concepts and Facilities, P. Mockapetris,
+ November 1987.
+
+
+
+
+Expires May 2003 [Page 5]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ [RFC1035] - Domain Names - Implementation and Specifications, P.
+ Mockapetris, November 1987.
+
+ [RFC2119] - Key words for use in RFCs to Indicate Requirement Levels,
+ S. Bradner, BCP 14, March 1997.
+
+ [RFC2845] - Secret Key Transaction Authentication for DNS (TSIG). P.
+ Vixie, O. Gudmundsson, D. Eastlake, B. Wellington, May 2000.
+
+Author's Address
+
+ Andreas Gustafsson
+ Nominum Inc.
+ 2385 Bay Rd
+ Redwood City, CA 94063
+ USA
+
+ Phone: +1 650 381 6004
+
+ Email: gson@nominum.com
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000 - 2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published and
+ distributed, in whole or in part, without restriction of any kind,
+ provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+
+
+
+Expires May 2003 [Page 6]
+
+draft-ietf-dnsext-axfr-clarify-05.txt November 2002
+
+
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Expires May 2003 [Page 7]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt
new file mode 100644
index 0000000..0977661
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dhcid-rr-08.txt
@@ -0,0 +1,561 @@
+
+
+DNSEXT M. Stapp
+Internet-Draft Cisco Systems, Inc.
+Expires: January 14, 2005 T. Lemon
+ A. Gustafsson
+ Nominum, Inc.
+ July 16, 2004
+
+
+ A DNS RR for Encoding DHCP Information (DHCID RR)
+ <draft-ietf-dnsext-dhcid-rr-08.txt>
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of section 3 of RFC 3667. By submitting this Internet-Draft, each
+ author represents that any applicable patent or other IPR claims of
+ which he or she is aware have been or will be disclosed, and any of
+ which he or she become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 14, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ It is possible for multiple DHCP clients to attempt to update the
+ same DNS FQDN as they obtain DHCP leases. Whether the DHCP server or
+ the clients themselves perform the DNS updates, conflicts can arise.
+ To resolve such conflicts, "Resolution of DNS Name Conflicts" [1]
+ proposes storing client identifiers in the DNS to unambiguously
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 1]
+
+Internet-Draft The DHCID RR July 2004
+
+
+ associate domain names with the DHCP clients to which they refer.
+ This memo defines a distinct RR type for this purpose for use by DHCP
+ clients and servers, the "DHCID" RR.
+
+Table of Contents
+
+ 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. The DHCID RR . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1 DHCID RDATA format . . . . . . . . . . . . . . . . . . . . 4
+ 3.2 DHCID Presentation Format . . . . . . . . . . . . . . . . 4
+ 3.3 The DHCID RR Type Codes . . . . . . . . . . . . . . . . . 4
+ 3.4 Computation of the RDATA . . . . . . . . . . . . . . . . . 4
+ 3.5 Examples . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.5.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.5.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . 6
+ 4. Use of the DHCID RR . . . . . . . . . . . . . . . . . . . . . 6
+ 5. Updater Behavior . . . . . . . . . . . . . . . . . . . . . . . 6
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+ 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 8
+ 9.2 Informative References . . . . . . . . . . . . . . . . . . . 8
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 9
+ Intellectual Property and Copyright Statements . . . . . . . . 10
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 2]
+
+Internet-Draft The DHCID RR July 2004
+
+
+1. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [2].
+
+2. Introduction
+
+ A set of procedures to allow DHCP [7] clients and servers to
+ automatically update the DNS (RFC 1034 [3], RFC 1035 [4]) is proposed
+ in "Resolution of DNS Name Conflicts" [1].
+
+ Conflicts can arise if multiple DHCP clients wish to use the same DNS
+ name. To resolve such conflicts, "Resolution of DNS Name Conflicts"
+ [1] proposes storing client identifiers in the DNS to unambiguously
+ associate domain names with the DHCP clients using them. In the
+ interest of clarity, it is preferable for this DHCP information to
+ use a distinct RR type. This memo defines a distinct RR for this
+ purpose for use by DHCP clients or servers, the "DHCID" RR.
+
+ In order to avoid exposing potentially sensitive identifying
+ information, the data stored is the result of a one-way MD5 [5] hash
+ computation. The hash includes information from the DHCP client's
+ REQUEST message as well as the domain name itself, so that the data
+ stored in the DHCID RR will be dependent on both the client
+ identification used in the DHCP protocol interaction and the domain
+ name. This means that the DHCID RDATA will vary if a single client
+ is associated over time with more than one name. This makes it
+ difficult to 'track' a client as it is associated with various domain
+ names.
+
+ The MD5 hash algorithm has been shown to be weaker than the SHA-1
+ algorithm; it could therefore be argued that SHA-1 is a better
+ choice. However, SHA-1 is significantly slower than MD5. A
+ successful attack of MD5's weakness does not reveal the original data
+ that was used to generate the signature, but rather provides a new
+ set of input data that will produce the same signature. Because we
+ are using the MD5 hash to conceal the original data, the fact that an
+ attacker could produce a different plaintext resulting in the same
+ MD5 output is not significant concern.
+
+3. The DHCID RR
+
+ The DHCID RR is defined with mnemonic DHCID and type code [TBD]. The
+ DHCID RR is only defined in the IN class. DHCID RRs cause no
+ additional section processing. The DHCID RR is not a singleton type.
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 3]
+
+Internet-Draft The DHCID RR July 2004
+
+
+3.1 DHCID RDATA format
+
+ The RDATA section of a DHCID RR in transmission contains RDLENGTH
+ bytes of binary data. The format of this data and its interpretation
+ by DHCP servers and clients are described below.
+
+ DNS software should consider the RDATA section to be opaque. DHCP
+ clients or servers use the DHCID RR to associate a DHCP client's
+ identity with a DNS name, so that multiple DHCP clients and servers
+ may deterministically perform dynamic DNS updates to the same zone.
+ From the updater's perspective, the DHCID resource record RDATA
+ consists of a 16-bit identifier type, in network byte order, followed
+ by one or more bytes representing the actual identifier:
+
+ < 16 bits > DHCP identifier used
+ < n bytes > MD5 digest
+
+
+3.2 DHCID Presentation Format
+
+ In DNS master files, the RDATA is represented as a single block in
+ base 64 encoding identical to that used for representing binary data
+ in RFC 2535 [8]. The data may be divided up into any number of white
+ space separated substrings, down to single base 64 digits, which are
+ concatenated to form the complete RDATA. These substrings can span
+ lines using the standard parentheses.
+
+3.3 The DHCID RR Type Codes
+
+ The DHCID RR Type Code specifies what data from the DHCP client's
+ request was used as input into the hash function. The type codes are
+ defined in a registry maintained by IANA, as specified in Section 7.
+ The initial list of assigned values for the type code is:
+
+ 0x0000 = htype, chaddr from a DHCPv4 client's DHCPREQUEST [7].
+ 0x0001 = The data portion from a DHCPv4 client's Client Identifier
+ option [9].
+ 0x0002 = The client's DUID (i.e., the data portion of a DHCPv6
+ client's Client Identifier option [10] or the DUID field from a
+ DHCPv4 client's Client Identifier option [12]).
+
+ 0x0003 - 0xfffe = Available to be assigned by IANA.
+
+ 0xffff = RESERVED
+
+3.4 Computation of the RDATA
+
+ The DHCID RDATA is formed by concatenating the two type bytes with
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 4]
+
+Internet-Draft The DHCID RR July 2004
+
+
+ some variable-length identifying data.
+
+ < type > < data >
+
+ The RDATA for all type codes other than 0xffff, which is reserved for
+ future expansion, is formed by concatenating the two type bytes and a
+ 16-byte MD5 hash value. The input to the hash function is defined to
+ be:
+
+ data = MD5(< identifier > < FQDN >)
+
+ The FQDN is represented in the buffer in unambiguous canonical form
+ as described in RFC 2535 [8], section 8.1. The type code and the
+ identifier are related as specified in Section 3.3: the type code
+ describes the source of the identifier.
+
+ When the updater is using the client's link-layer address as the
+ identifier, the first two bytes of the DHCID RDATA MUST be zero. To
+ generate the rest of the resource record, the updater computes a
+ one-way hash using the MD5 algorithm across a buffer containing the
+ client's network hardware type, link-layer address, and the FQDN
+ data. Specifically, the first byte of the buffer contains the
+ network hardware type as it appeared in the DHCP 'htype' field of the
+ client's DHCPREQUEST message. All of the significant bytes of the
+ chaddr field in the client's DHCPREQUEST message follow, in the same
+ order in which the bytes appear in the DHCPREQUEST message. The
+ number of significant bytes in the 'chaddr' field is specified in the
+ 'hlen' field of the DHCPREQUEST message. The FQDN data, as specified
+ above, follows.
+
+ When the updater is using the DHCPv4 Client Identifier option sent by
+ the client in its DHCPREQUEST message, the first two bytes of the
+ DHCID RR MUST be 0x0001, in network byte order. The rest of the
+ DHCID RR MUST contain the results of computing an MD5 hash across the
+ payload of the option, followed by the FQDN. The payload of the
+ option consists of the bytes of the option following the option code
+ and length.
+
+ When the updater is using the DHCPv6 DUID sent by the client in its
+ REQUEST message, the first two bytes of the DHCID RR MUST be 0x0002,
+ in network byte order. The rest of the DHCID RR MUST contain the
+ results of computing an MD5 hash across the payload of the option,
+ followed by the FQDN. The payload of the option consists of the
+ bytes of the option following the option code and length.
+
+3.5 Examples
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 5]
+
+Internet-Draft The DHCID RR July 2004
+
+
+3.5.1 Example 1
+
+ A DHCP server allocating the IPv4 address 10.0.0.1 to a client with
+ Ethernet MAC address 01:02:03:04:05:06 using domain name
+ "client.example.com" uses the client's link-layer address to identify
+ the client. The DHCID RDATA is composed by setting the two type
+ bytes to zero, and performing an MD5 hash computation across a buffer
+ containing the Ethernet MAC type byte, 0x01, the six bytes of MAC
+ address, and the domain name (represented as specified in Section
+ 3.4).
+
+ client.example.com. A 10.0.0.1
+ client.example.com. DHCID AAAUMru0ZM5OK/PdVAJgZ/HU
+
+
+3.5.2 Example 2
+
+ A DHCP server allocates the IPv4 address 10.0.12.99 to a client which
+ included the DHCP client-identifier option data 01:07:08:09:0a:0b:0c
+ in its DHCP request. The server updates the name "chi.example.com"
+ on the client's behalf, and uses the DHCP client identifier option
+ data as input in forming a DHCID RR. The DHCID RDATA is formed by
+ setting the two type bytes to the value 0x0001, and performing an MD5
+ hash computation across a buffer containing the seven bytes from the
+ client-id option and the FQDN (represented as specified in Section
+ 3.4).
+
+ chi.example.com. A 10.0.12.99
+ chi.example.com. DHCID AAHdd5jiQ3kEjANDm82cbObk\012
+
+
+4. Use of the DHCID RR
+
+ This RR MUST NOT be used for any purpose other than that detailed in
+ "Resolution of DNS Name Conflicts" [1]. Although this RR contains
+ data that is opaque to DNS servers, the data must be consistent
+ across all entities that update and interpret this record.
+ Therefore, new data formats may only be defined through actions of
+ the DHC Working Group, as a result of revising [1].
+
+5. Updater Behavior
+
+ The data in the DHCID RR allows updaters to determine whether more
+ than one DHCP client desires to use a particular FQDN. This allows
+ site administrators to establish policy about DNS updates. The DHCID
+ RR does not establish any policy itself.
+
+ Updaters use data from a DHCP client's request and the domain name
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 6]
+
+Internet-Draft The DHCID RR July 2004
+
+
+ that the client desires to use to compute a client identity hash, and
+ then compare that hash to the data in any DHCID RRs on the name that
+ they wish to associate with the client's IP address. If an updater
+ discovers DHCID RRs whose RDATA does not match the client identity
+ that they have computed, the updater SHOULD conclude that a different
+ client is currently associated with the name in question. The
+ updater SHOULD then proceed according to the site's administrative
+ policy. That policy might dictate that a different name be selected,
+ or it might permit the updater to continue.
+
+6. Security Considerations
+
+ The DHCID record as such does not introduce any new security problems
+ into the DNS. In order to avoid exposing private information about
+ DHCP clients to public scrutiny, a one-way hash is used to obscure
+ all client information. In order to make it difficult to 'track' a
+ client by examining the names associated with a particular hash
+ value, the FQDN is included in the hash computation. Thus, the RDATA
+ is dependent on both the DHCP client identification data and on each
+ FQDN associated with the client.
+
+ Administrators should be wary of permitting unsecured DNS updates to
+ zones which are exposed to the global Internet. Both DHCP clients
+ and servers SHOULD use some form of update authentication (e.g., TSIG
+ [11]) when performing DNS updates.
+
+7. IANA Considerations
+
+ IANA is requested to allocate an RR type number for the DHCID record
+ type.
+
+ This specification defines a new number-space for the 16-bit type
+ codes associated with the DHCID RR. IANA is requested to establish a
+ registry of the values for this number-space.
+
+ Three initial values are assigned in Section 3.3, and the value
+ 0xFFFF is reserved for future use. New DHCID RR type codes are
+ tentatively assigned after the specification for the associated type
+ code, published as an Internet Draft, has received expert review by a
+ designated expert. The final assignment of DHCID RR type codes is
+ through Standards Action, as defined in RFC 2434 [6].
+
+8. Acknowledgements
+
+ Many thanks to Josh Littlefield, Olafur Gudmundsson, Bernie Volz, and
+ Ralph Droms for their review and suggestions.
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 7]
+
+Internet-Draft The DHCID RR July 2004
+
+
+9. References
+
+9.1 Normative References
+
+ [1] Stapp, M. and B. Volz, "Resolution of DNS Name Conflicts Among
+ DHCP Clients (draft-ietf-dhc-dns-resolution-*)", July 2004.
+
+ [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [3] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [4] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [5] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
+ 1992.
+
+ [6] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+9.2 Informative References
+
+ [7] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+ March 1997.
+
+ [8] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [9] Alexander, S. and R. Droms, "DHCP Options and BOOTP Vendor
+ Extensions", RFC 2132, March 1997.
+
+ [10] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M.
+ Carney, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+ [11] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+ 2845, May 2000.
+
+ [12] Lemon, T. and B. Sommerfeld, "Node-Specific Client Identifiers
+ for DHCPv4 (draft-ietf-dhc-3315id-for-v4-*)", February 2004.
+
+
+
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 8]
+
+Internet-Draft The DHCID RR July 2004
+
+
+Authors' Addresses
+
+ Mark Stapp
+ Cisco Systems, Inc.
+ 1414 Massachusetts Ave.
+ Boxborough, MA 01719
+ USA
+
+ Phone: 978.936.1535
+ EMail: mjs@cisco.com
+
+
+ Ted Lemon
+ Nominum, Inc.
+ 950 Charter St.
+ Redwood City, CA 94063
+ USA
+
+ EMail: mellon@nominum.com
+
+
+ Andreas Gustafsson
+ Nominum, Inc.
+ 950 Charter St.
+ Redwood City, CA 94063
+ USA
+
+ EMail: gson@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 9]
+
+Internet-Draft The DHCID RR July 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Stapp, et al. Expires January 14, 2005 [Page 10]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
new file mode 100644
index 0000000..bcc2b4e
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
@@ -0,0 +1,442 @@
+
+
+INTERNET-DRAFT Samuel Weiler
+Expires: June 2004 December 15, 2003
+Updates: RFC 2535, [DS]
+
+ Legacy Resolver Compatibility for Delegation Signer
+ draft-ietf-dnsext-dnssec-2535typecode-change-06.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+ Comments should be sent to the author or to the DNSEXT WG mailing
+ list: namedroppers@ops.ietf.org
+
+Abstract
+
+ As the DNS Security (DNSSEC) specifications have evolved, the
+ syntax and semantics of the DNSSEC resource records (RRs) have
+ changed. Many deployed nameservers understand variants of these
+ semantics. Dangerous interactions can occur when a resolver that
+ understands an earlier version of these semantics queries an
+ authoritative server that understands the new delegation signer
+ semantics, including at least one failure scenario that will cause
+ an unsecured zone to be unresolvable. This document changes the
+ type codes and mnemonics of the DNSSEC RRs (SIG, KEY, and NXT) to
+ avoid those interactions.
+
+Changes between 05 and 06:
+
+ Signifigantly reworked the IANA section -- went back to one
+ algorithm registry.
+
+ Removed Diffie-Hellman from the list of zone-signing algorithms
+ (leaving only DSA, RSA/SHA-1, and private algorithms).
+
+ Added a DNSKEY flags field registry.
+
+Changes between 04 and 05:
+
+ IESG approved publication.
+
+ Cleaned up an internal reference in the acknowledgements section.
+
+ Retained KEY and SIG for TKEY, too. Added TKEY (2930) reference.
+
+ Changed the names of both new registries. Added algorithm
+ mnemonics to the new zone signing algorithm registry. Minor
+ rewording in the IANA section for clarity.
+
+ Cleaned up formatting of references. Replaced unknown-rr draft
+ references with RFC3597. Bumped DS version number.
+
+Changes between 03 and 04:
+
+ Clarified that RRSIG(0) may be defined by standards action.
+
+ Created a new algorithm registry and renamed the old algorithm
+ registry for SIG(0) only. Added references to the appropriate
+ crypto algorithm and format specifications.
+
+ Several minor rephrasings.
+
+Changes between 02 and 03:
+
+ KEY (as well as SIG) retained for SIG(0) use only.
+
+Changes between 01 and 02:
+
+ SIG(0) still uses SIG, not RRSIG. Added 2931 reference.
+
+ Domain names embedded in NSECs and RRSIGs are not compressible and
+ are not downcased. Added unknown-rrs reference (as informative).
+
+ Simplified the last paragraph of section 3 (NSEC doesn't always
+ signal a negative answer).
+
+ Changed the suggested type code assignments.
+
+ Added 2119 reference.
+
+ Added definitions of "unsecure delegation" and "unsecure referral",
+ since they're not clearly defined elsewhere.
+
+ Moved 2065 to informative references, not normative.
+
+1. Introduction
+
+ The DNSSEC protocol has been through many iterations whose syntax
+ and semantics are not completely compatible. This has occurred as
+ part of the ordinary process of proposing a protocol, implementing
+ it, testing it in the increasingly complex and diverse environment
+ of the Internet, and refining the definitions of the initial
+ Proposed Standard. In the case of DNSSEC, the process has been
+ complicated by DNS's criticality and wide deployment and the need
+ to add security while minimizing daily operational complexity.
+
+ A weak area for previous DNS specifications has been lack of detail
+ in specifying resolver behavior, leaving implementors largely on
+ their own to determine many details of resolver function. This,
+ combined with the number of iterations the DNSSEC spec has been
+ through, has resulted in fielded code with a wide variety of
+ behaviors. This variety makes it difficult to predict how a
+ protocol change will be handled by all deployed resolvers. The
+ risk that a change will cause unacceptable or even catastrophic
+ failures makes it difficult to design and deploy a protocol change.
+ One strategy for managing that risk is to structure protocol
+ changes so that existing resolvers can completely ignore input that
+ might confuse them or trigger undesirable failure modes.
+
+ This document addresses a specific problem caused by Delegation
+ Signer's [DS] introduction of new semantics for the NXT RR that are
+ incompatible with the semantics in RFC 2535 [RFC2535]. Answers
+ provided by DS-aware servers can trigger an unacceptable failure
+ mode in some resolvers that implement RFC 2535, which provides a
+ great disincentive to sign zones with DS. The changes defined in
+ this document allow for the incremental deployment of DS.
+
+1.1 Terminology
+
+ In this document, the term "unsecure delegation" means any
+ delegation for which no DS record appears at the parent. An
+ "unsecure referral" is an answer from the parent containing an NS
+ RRset and a proof that no DS record exists for that name.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+1.2 The Problem
+
+ Delegation Signer introduces new semantics for the NXT RR that are
+ incompatible with the semantics in RFC 2535. In RFC 2535, NXT
+ records were only required to be returned as part of a
+ non-existence proof. With DS, an unsecure referral returns, in
+ addition to the NS, a proof of non-existence of a DS RR in the form
+ of an NXT and SIG(NXT). RFC 2535 didn't specify how a resolver was
+ to interpret a response with both an NS and an NXT in the authority
+ section, RCODE=0, and AA=0. Some widely deployed 2535-aware
+ resolvers interpret any answer with an NXT as a proof of
+ non-existence of the requested record. This results in unsecure
+ delegations being invisible to 2535-aware resolvers and violates
+ the basic architectural principle that DNSSEC must do no harm --
+ the signing of zones must not prevent the resolution of unsecured
+ delegations.
+
+2. Possible Solutions
+
+ This section presents several solutions that were considered.
+ Section 3 describes the one selected.
+
+2.1. Change SIG, KEY, and NXT type codes
+
+ To avoid the problem described above, legacy (RFC2535-aware)
+ resolvers need to be kept from seeing unsecure referrals that
+ include NXT records in the authority section. The simplest way to
+ do that is to change the type codes for SIG, KEY, and NXT.
+
+ The obvious drawback to this is that new resolvers will not be able
+ to validate zones signed with the old RRs. This problem already
+ exists, however, because of the changes made by DS, and resolvers
+ that understand the old RRs (and have compatibility issues with DS)
+ are far more prevalent than 2535-signed zones.
+
+2.2. Change a subset of type codes
+
+ The observed problem with unsecure referrals could be addressed by
+ changing only the NXT type code or another subset of the type codes
+ that includes NXT. This has the virtue of apparent simplicity, but
+ it risks introducing new problems or not going far enough. It's
+ quite possible that more incompatibilities exist between DS and
+ earlier semantics. Legacy resolvers may also be confused by seeing
+ records they recognize (SIG and KEY) while being unable to find
+ NXTs. Although it may seem unnecessary to fix that which is not
+ obviously broken, it's far cleaner to change all of the type codes
+ at once. This will leave legacy resolvers and tools completely
+ blinded to DNSSEC -- they will see only unknown RRs.
+
+2.3. Replace the DO bit
+
+ Another way to keep legacy resolvers from ever seeing DNSSEC
+ records with DS semantics is to have authoritative servers only
+ send that data to DS-aware resolvers. It's been proposed that
+ assigning a new EDNS0 flag bit to signal DS-awareness (tentatively
+ called "DA"), and having authoritative servers send DNSSEC data
+ only in response to queries with the DA bit set, would accomplish
+ this. This bit would presumably supplant the DO bit described in
+ RFC 3225.
+
+ This solution is sufficient only if all 2535-aware resolvers zero
+ out EDNS0 flags that they don't understand. If one passed through
+ the DA bit unchanged, it would still see the new semantics, and it
+ would probably fail to see unsecure delegations. Since it's
+ impractical to know how every DNS implementation handles unknown
+ EDNS0 flags, this is not a universal solution. It could, though,
+ be considered in addition to changing the RR type codes.
+
+2.4. Increment the EDNS version
+
+ Another possible solution is to increment the EDNS version number
+ as defined in RFC 2671 [RFC2671], on the assumption that all
+ existing implementations will reject higher versions than they
+ support, and retain the DO bit as the signal for DNSSEC awareness.
+ This approach has not been tested.
+
+2.5. Do nothing
+
+ There is a large deployed base of DNS resolvers that understand
+ DNSSEC as defined by the standards track RFC 2535 and RFC 2065
+ and, due to under specification in those documents, interpret any
+ answer with an NXT as a non-existence proof. So long as that is
+ the case, zone owners will have a strong incentive to not sign any
+ zones that contain unsecure delegations, lest those delegations be
+ invisible to such a large installed base. This will dramatically
+ slow DNSSEC adoption.
+
+ Unfortunately, without signed zones there's no clear incentive for
+ operators of resolvers to upgrade their software to support the new
+ version of DNSSEC, as defined in [DS]. Historical data suggests
+ that resolvers are rarely upgraded, and that old nameserver code
+ never dies.
+
+ Rather than wait years for resolvers to be upgraded through natural
+ processes before signing zones with unsecure delegations,
+ addressing this problem with a protocol change will immediately
+ remove the disincentive for signing zones and allow widespread
+ deployment of DNSSEC.
+
+3. Protocol changes
+
+ This document changes the type codes of SIG, KEY, and NXT. This
+ approach is the cleanest and safest of those discussed above,
+ largely because the behavior of resolvers that receive unknown type
+ codes is well understood. This approach has also received the most
+ testing.
+
+ To avoid operational confusion, it's also necessary to change the
+ mnemonics for these RRs. DNSKEY will be the replacement for KEY,
+ with the mnemonic indicating that these keys are not for
+ application use, per [RFC3445]. RRSIG (Resource Record SIGnature)
+ will replace SIG, and NSEC (Next SECure) will replace NXT. These
+ new types completely replace the old types, except that SIG(0)
+ [RFC2931] and TKEY [RFC2930] will continue to use SIG and KEY.
+
+ The new types will have exactly the same syntax and semantics as
+ specified for SIG, KEY, and NXT in RFC 2535 and [DS] except for
+ the following:
+
+ 1) Consistent with [RFC3597], domain names embedded in
+ RRSIG and NSEC RRs MUST NOT be compressed,
+
+ 2) Embedded domain names in RRSIG and NSEC RRs are not downcased
+ for purposes of DNSSEC canonical form and ordering nor for
+ equality comparison, and
+
+ 3) An RRSIG with a type-covered field of zero has undefined
+ semantics. The meaning of such a resource record may only be
+ defined by IETF Standards Action.
+
+ If a resolver receives the old types, it SHOULD treat them as
+ unknown RRs and SHOULD NOT assign any special meaning to them or
+ give them any special treatment. It MUST NOT use them for DNSSEC
+ validations or other DNS operational decision making. For example,
+ a resolver MUST NOT use DNSKEYs to validate SIGs or use KEYs to
+ validate RRSIGs. If SIG, KEY, or NXT RRs are included in a zone,
+ they MUST NOT receive special treatment. As an example, if a SIG
+ is included in a signed zone, there MUST be an RRSIG for it.
+ Authoritative servers may wish to give error messages when loading
+ zones containing SIG or NXT records (KEY records may be included
+ for SIG(0) or TKEY).
+
+ As a clarification to previous documents, some positive responses,
+ particularly wildcard proofs and unsecure referrals, will contain
+ NSEC RRs. Resolvers MUST NOT treat answers with NSEC RRs as
+ negative answers merely because they contain an NSEC.
+
+4. IANA Considerations
+
+4.1 DNS Resource Record Types
+
+ This document updates the IANA registry for DNS Resource Record
+ Types by assigning types 46, 47, and 48 to the RRSIG, NSEC, and
+ DNSKEY RRs, respectively.
+
+ Types 24 and 25 (SIG and KEY) are retained for SIG(0) [RFC2931] and
+ TKEY [RFC2930] use only.
+
+ Type 30 (NXT) should be marked as Obsolete.
+
+4.2 DNS Security Algorithm Numbers
+
+ To allow zone signing (DNSSEC) and transaction security mechanisms
+ (SIG(0) and TKEY) to use different sets of algorithms, the existing
+ "DNS Security Algorithm Numbers" registry is modified to include
+ the applicability of each algorithm. Specifically, two new columns
+ are added to the registry, showing whether each algorithm may be
+ used for zone signing, transaction security mechanisms, or both.
+ Only algorithms usable for zone signing may be used in DNSKEY,
+ RRSIG, and DS RRs. Only algorithms usable for SIG(0) and/or TSIG
+ may be used in SIG and KEY RRs.
+
+ All currently defined algorithms remain usable for transaction
+ security mechanisms. Only RSA/SHA-1, DSA/SHA-1, and private
+ algorithms (types 253 and 254) may be used for zone signing. Note
+ that the registry does not contain the requirement level of each
+ algorithm, only whether or not an algorithm may be used for the
+ given purposes. For example, RSA/MD5, while allowed for
+ transaction security mechanisms, is NOT RECOMMENDED, per RFC3110.
+
+ Additionally, the presentation format algorithm mnemonics from
+ RFC2535 Section 7 are added to the registry. This document assigns
+ RSA/SHA-1 the mnemonic RSASHA1.
+
+ As before, assignment of new algorithms in this registry requires
+ IETF Standards Action. Additionally, modification of algorithm
+ mnemonics or applicability requires IETF Standards Action.
+ Documents defining a new algorithm must address the applicability
+ of the algorithm and should assign a presentation mnemonic to the
+ algorithm.
+
+4.3 DNSKEY Flags
+
+ Like the KEY resource record, DNSKEY contains a 16-bit flags field.
+ This document creates a new registry for the DNSKEY flags field.
+
+ Initially, this registry only contains an assignment for bit 7 (the
+ ZONE bit). Bits 0-6 and 8-15 are available for assignment by IETF
+ Standards Action.
+
+4.4 DNSKEY Protocol Octet
+
+ Like the KEY resource record, DNSKEY contains an eight bit protocol
+ field. The only defined value for this field is 3 (DNSSEC). No
+ other values are allowed, hence no IANA registry is needed for this
+ field.
+
+5. Security Considerations
+
+ The changes introduced here do not materially affect security.
+ The implications of trying to use both new and legacy types
+ together are not well understood, and attempts to do so would
+ probably lead to unintended and dangerous results.
+
+ Changing type codes will leave code paths in legacy resolvers that
+ are never exercised. Unexercised code paths are a frequent source
+ of security holes, largely because those code paths do not get
+ frequent scrutiny.
+
+ Doing nothing, as described in section 2.5, will slow DNSSEC
+ deployment. While this does not decrease security, it also fails
+ to increase it.
+
+6. Normative references
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [DS] Gudmundsson, O., "Delegation Signer Resource Record",
+ draft-ietf-dnsext-delegation-signer-15.txt, work in
+ progress, June 2003.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+ [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2436, March 1999.
+
+ [RFC2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
+ Domain Name System (DNS)", RFC 2539, March 1999.
+
+ [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the
+ Domain Name System (DNS)", RFC 3110, May 2001.
+
+7. Informative References
+
+ [RFC2065] Eastlake, D. and C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, January 1997.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+ [RFC2929] Eastlake, D., E. Brunner-Williams, and B. Manning,
+ "Domain Name System (DNS) IANA Considerations", BCP 42,
+ RFC 2929, September 2000.
+
+ [RFC3445] Massey, D., and S. Rose, "Limiting the Scope of the KEY
+ Resource Record (RR)", RFC 3445, December 2002.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource
+ Record (RR) Types", RFC 3597, September 2003.
+
+8. Acknowledgments
+
+ The changes introduced here and the analysis of alternatives had
+ many contributors. With apologies to anyone overlooked, those
+ include: Micheal Graff, John Ihren, Olaf Kolkman, Mark Kosters, Ed
+ Lewis, Bill Manning, and Suzanne Woolf.
+
+ Thanks to Jakob Schlyter and Mark Andrews for identifying the
+ incompatibility described in section 1.2.
+
+ In addition to the above, the author would like to thank Scott
+ Rose, Olafur Gudmundsson, and Sandra Murphy for their substantive
+ comments.
+
+9. Author's Address
+
+ Samuel Weiler
+ SPARTA, Inc.
+ 7075 Samuel Morse Drive
+ Columbia, MD 21046
+ USA
+ weiler@tislabs.com
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt
new file mode 100644
index 0000000..0783e7b
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-intro-11.txt
@@ -0,0 +1,1457 @@
+
+
+DNS Extensions R. Arends
+Internet-Draft Telematica Instituut
+Expires: January 13, 2005 R. Austein
+ ISC
+ M. Larson
+ VeriSign
+ D. Massey
+ USC/ISI
+ S. Rose
+ NIST
+ July 15, 2004
+
+
+ DNS Security Introduction and Requirements
+ draft-ietf-dnsext-dnssec-intro-11
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 13, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ The Domain Name System Security Extensions (DNSSEC) add data origin
+ authentication and data integrity to the Domain Name System. This
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 1]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ document introduces these extensions, and describes their
+ capabilities and limitations. This document also discusses the
+ services that the DNS security extensions do and do not provide.
+ Last, this document describes the interrelationships between the
+ group of documents that collectively describe DNSSEC.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Definitions of Important DNSSEC Terms . . . . . . . . . . . . 4
+ 3. Services Provided by DNS Security . . . . . . . . . . . . . . 8
+ 3.1 Data Origin Authentication and Data Integrity . . . . . . 8
+ 3.2 Authenticating Name and Type Non-Existence . . . . . . . . 9
+ 4. Services Not Provided by DNS Security . . . . . . . . . . . . 11
+ 5. Scope of the DNSSEC Document Set and Last Hop Issues . . . . . 12
+ 6. Resolver Considerations . . . . . . . . . . . . . . . . . . . 14
+ 7. Stub Resolver Considerations . . . . . . . . . . . . . . . . . 15
+ 8. Zone Considerations . . . . . . . . . . . . . . . . . . . . . 16
+ 8.1 TTL values vs. RRSIG validity period . . . . . . . . . . . 16
+ 8.2 New Temporal Dependency Issues for Zones . . . . . . . . . 16
+ 9. Name Server Considerations . . . . . . . . . . . . . . . . . . 17
+ 10. DNS Security Document Family . . . . . . . . . . . . . . . . 18
+ 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 19
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . 20
+ 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
+ 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 14.1 Normative References . . . . . . . . . . . . . . . . . . . . 23
+ 14.2 Informative References . . . . . . . . . . . . . . . . . . . 23
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
+ Intellectual Property and Copyright Statements . . . . . . . . 26
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 2]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+1. Introduction
+
+ This document introduces the Domain Name System Security Extensions
+ (DNSSEC). This document and its two companion documents
+ ([I-D.ietf-dnsext-dnssec-records] and
+ [I-D.ietf-dnsext-dnssec-protocol]) update, clarify, and refine the
+ security extensions defined in RFC 2535 [RFC2535] and its
+ predecessors. These security extensions consist of a set of new
+ resource record types and modifications to the existing DNS protocol
+ [RFC1035]. The new records and protocol modifications are not fully
+ described in this document, but are described in a family of
+ documents outlined in Section 10. Section 3 and Section 4 describe
+ the capabilities and limitations of the security extensions in
+ greater detail. Section 5 discusses the scope of the document set.
+ Section 6, Section 7, Section 8, and Section 9 discuss the effect
+ that these security extensions will have on resolvers, stub
+ resolvers, zones and name servers.
+
+ This document and its two companions update and obsolete RFCs 2535
+ [RFC2535], 3008 [RFC3008], 3090 [RFC3090], 3445 [RFC3445], 3655
+ [RFC3655], 3658 [RFC3658], 3755 [RFC3755], and the Work in Progress
+ [I-D.ietf-dnsext-nsec-rdata]. This document set also updates, but
+ does not obsolete, RFCs 1034 [RFC1034], 1035 [RFC1035], 2136
+ [RFC2136], 2181 [RFC2181], 2308 [RFC2308], 3597 [RFC3597], and parts
+ of 3226 [RFC3226] (dealing with DNSSEC).
+
+ The DNS security extensions provide origin authentication and
+ integrity protection for DNS data, as well as a means of public key
+ distribution. These extensions do not provide confidentiality.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 3]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+2. Definitions of Important DNSSEC Terms
+
+ This section defines a number of terms used in this document set.
+ Since this is intended to be useful as a reference while reading the
+ rest of the document set, first-time readers may wish to skim this
+ section quickly, read the rest of this document, then come back to
+ this section.
+
+ Authentication Chain: An alternating sequence of DNSKEY RRsets and DS
+ RRsets forms a chain of signed data, with each link in the chain
+ vouching for the next. A DNSKEY RR is used to verify the
+ signature covering a DS RR and allows the DS RR to be
+ authenticated. The DS RR contains a hash of another DNSKEY RR and
+ this new DNSKEY RR is authenticated by matching the hash in the DS
+ RR. This new DNSKEY RR in turn authenticates another DNSKEY RRset
+ and, in turn, some DNSKEY RR in this set may be used to
+ authenticate another DS RR and so forth until the chain finally
+ ends with a DNSKEY RR whose corresponding private key signs the
+ desired DNS data. For example, the root DNSKEY RRset can be used
+ to authenticate the DS RRset for "example." The "example." DS
+ RRset contains a hash that matches some "example." DNSKEY, and
+ this DNSKEY's corresponding private key signs the "example."
+ DNSKEY RRset. Private key counterparts of the "example." DNSKEY
+ RRset sign data records such as "www.example." as well as DS RRs
+ for delegations such as "subzone.example."
+
+ Authentication Key: A public key that a security-aware resolver has
+ verified and can therefore use to authenticate data. A
+ security-aware resolver can obtain authentication keys in three
+ ways. First, the resolver is generally configured to know about
+ at least one public key; this configured data is usually either
+ the public key itself or a hash of the public key as found in the
+ DS RR (see "trust anchor"). Second, the resolver may use an
+ authenticated public key to verify a DS RR and the DNSKEY RR to
+ which the DS RR refers. Third, the resolver may be able to
+ determine that a new public key has been signed by the private key
+ corresponding to another public key which the resolver has
+ verified. Note that the resolver must always be guided by local
+ policy when deciding whether to authenticate a new public key,
+ even if the local policy is simply to authenticate any new public
+ key for which the resolver is able verify the signature.
+
+ Delegation Point: Term used to describe the name at the parental side
+ of a zone cut. That is, the delegation point for "foo.example"
+ would be the foo.example node in the "example" zone (as opposed to
+ the zone apex of the "foo.example" zone).
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 4]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ Island of Security: Term used to describe a signed, delegated zone
+ that does not have an authentication chain from its delegating
+ parent. That is, there is no DS RR containing a hash of a DNSKEY
+ RR for the island in its delegating parent zone (see
+ [I-D.ietf-dnsext-dnssec-records]). An island of security is
+ served by security-aware name servers and may provide
+ authentication chains to any delegated child zones. Responses
+ from an island of security or its descendents can only be
+ authenticated if its authentication keys can be authenticated by
+ some trusted means out of band from the DNS protocol.
+
+ Key Signing Key (KSK): An authentication key that corresponds to a
+ private key used to sign one or more other authentication keys for
+ a given zone. Typically, the private key corresponding to a key
+ signing key will sign a zone signing key, which in turn has a
+ corresponding private key which will sign other zone data. Local
+ policy may require the zone signing key to be changed frequently,
+ while the key signing key may have a longer validity period in
+ order to provide a more stable secure entry point into the zone.
+ Designating an authentication key as a key signing key is purely
+ an operational issue: DNSSEC validation does not distinguish
+ between key signing keys and other DNSSEC authentication keys, and
+ it is possible to use a single key as both a key signing key and a
+ zone signing key. Key signing keys are discussed in more detail
+ in [RFC3757]. Also see: zone signing key.
+
+ Non-Validating Security-Aware Stub Resolver: A security-aware stub
+ resolver which trusts one or more security-aware recursive name
+ servers to perform most of the tasks discussed in this document
+ set on its behalf. In particular, a non-validating security-aware
+ stub resolver is an entity which sends DNS queries, receives DNS
+ responses, and is capable of establishing an appropriately secured
+ channel to a security-aware recursive name server which will
+ provide these services on behalf of the security-aware stub
+ resolver. See also: security-aware stub resolver, validating
+ security-aware stub resolver.
+
+ Non-Validating Stub Resolver: A less tedious term for a
+ non-validating security-aware stub resolver.
+
+ Security-Aware Name Server: An entity acting in the role of a name
+ server (defined in section 2.4 of [RFC1034]) that understands the
+ DNS security extensions defined in this document set. In
+ particular, a security-aware name server is an entity which
+ receives DNS queries, sends DNS responses, supports the EDNS0
+ [RFC2671] message size extension and the DO bit [RFC3225], and
+ supports the RR types and message header bits defined in this
+ document set.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 5]
+
+
+ Security-Aware Recursive Name Server: An entity which acts in both
+ the security-aware name server and security-aware resolver roles.
+ A more cumbersome equivalent phrase would be "a security-aware
+ name server which offers recursive service".
+
+ Security-Aware Resolver: An entity acting in the role of a resolver
+ (defined in section 2.4 of [RFC1034]) which understands the DNS
+ security extensions defined in this document set. In particular,
+ a security-aware resolver is an entity which sends DNS queries,
+ receives DNS responses, supports the EDNS0 [RFC2671] message size
+ extension and the DO bit [RFC3225], and is capable of using the RR
+ types and message header bits defined in this document set to
+ provide DNSSEC services.
+
+ Security-Aware Stub Resolver: An entity acting in the role of a stub
+ resolver (defined in section 5.3.1 of [RFC1034]) which has enough
+ of an understanding the DNS security extensions defined in this
+ document set to provide additional services not available from a
+ security-oblivious stub resolver. Security-aware stub resolvers
+ may be either "validating" or "non-validating" depending on
+ whether the stub resolver attempts to verify DNSSEC signatures on
+ its own or trusts a friendly security-aware name server to do so.
+ See also: validating stub resolver, non-validating stub resolver.
+
+ Security-Oblivious <anything>: An <anything> that is not
+ "security-aware".
+
+ Signed Zone: A zone whose RRsets are signed and which contains
+ properly constructed DNSKEY, RRSIG, NSEC and (optionally) DS
+ records.
+
+ Trust Anchor: A configured DNSKEY RR or DS RR hash of a DNSKEY RR. A
+ validating security-aware resolver uses this public key or hash as
+ a starting point for building the authentication chain to a signed
+ DNS response. In general, a validating resolver will need to
+ obtain the initial values of its trust anchors via some secure or
+ trusted means outside the DNS protocol. Presence of a trust
+ anchor also implies that the resolver should expect the zone to
+ which the trust anchor points to be signed.
+
+ Unsigned Zone: A zone that is not signed.
+
+ Validating Security-Aware Stub Resolver: A security-aware resolver
+ that sends queries in recursive mode but which performs signature
+ validation on its own rather than just blindly trusting an
+ upstream security-aware recursive name server. See also:
+ security-aware stub resolver, non-validating security-aware stub
+ resolver.
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 6]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ Validating Stub Resolver: A less tedious term for a validating
+ security-aware stub resolver.
+
+ Zone Signing Key (ZSK): An authentication key that corresponds to a
+ private key used to sign a zone. Typically a zone signing key
+ will be part of the same DNSKEY RRset as the key signing key whose
+ corresponding private key signs this DNSKEY RRset, but the zone
+ signing key is used for a slightly different purpose, and may
+ differ from the key signing key in other ways, such as validity
+ lifetime. Designating an authentication key as a zone signing key
+ is purely an operational issue: DNSSEC validation does not
+ distinguish between zone signing keys and other DNSSEC
+ authentication keys, and it is possible to use a single key as
+ both a key signing key and a zone signing key. See also: key
+ signing key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 7]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+3. Services Provided by DNS Security
+
+ The Domain Name System (DNS) security extensions provide origin
+ authentication and integrity assurance services for DNS data,
+ including mechanisms for authenticated denial of existence of DNS
+ data. These mechanisms are described below.
+
+ These mechanisms require changes to the DNS protocol. DNSSEC adds
+ four new resource record types (RRSIG, DNSKEY, DS and NSEC) and two
+ new message header bits (CD and AD). In order to support the larger
+ DNS message sizes that result from adding the DNSSEC RRs, DNSSEC also
+ requires EDNS0 support [RFC2671]. Finally, DNSSEC requires support
+ for the DO bit [RFC3225], so that a security-aware resolver can
+ indicate in its queries that it wishes to receive DNSSEC RRs in
+ response messages.
+
+ These services protect against most of the threats to the Domain Name
+ System described in [I-D.ietf-dnsext-dns-threats].
+
+3.1 Data Origin Authentication and Data Integrity
+
+ DNSSEC provides authentication by associating cryptographically
+ generated digital signatures with DNS RRsets. These digital
+ signatures are stored in a new resource record, the RRSIG record.
+ Typically, there will be a single private key that signs a zone's
+ data, but multiple keys are possible: for example, there may be keys
+ for each of several different digital signature algorithms. If a
+ security-aware resolver reliably learns a zone's public key, it can
+ authenticate that zone's signed data. An important DNSSEC concept is
+ that the key that signs a zone's data is associated with the zone
+ itself and not with the zone's authoritative name servers (public
+ keys for DNS transaction authentication mechanisms may also appear in
+ zones, as described in [RFC2931], but DNSSEC itself is concerned with
+ object security of DNS data, not channel security of DNS
+ transactions. The keys associated with transaction security may be
+ stored in different RR types. See [RFC3755] for details.).
+
+ A security-aware resolver can learn a zone's public key either by
+ having a trust anchor configured into the resolver or by normal DNS
+ resolution. To allow the latter, public keys are stored in a new
+ type of resource record, the DNSKEY RR. Note that the private keys
+ used to sign zone data must be kept secure, and should be stored
+ offline when practical to do so. To discover a public key reliably
+ via DNS resolution, the target key itself needs to be signed by
+ either a configured authentication key or another key that has been
+ authenticated previously. Security-aware resolvers authenticate zone
+ information by forming an authentication chain from a newly learned
+ public key back to a previously known authentication public key,
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 8]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ which in turn either has been configured into the resolver or must
+ have been learned and verified previously. Therefore, the resolver
+ must be configured with at least one trust anchor. If the configured
+ key is a zone signing key, then it will authenticate the associated
+ zone; if the configured key is a key signing key, it will
+ authenticate a zone signing key. If the resolver has been configured
+ with the hash of a key rather than the key itself, the resolver may
+ need to obtain the key via a DNS query. To help security-aware
+ resolvers establish this authentication chain, security-aware name
+ servers attempt to send the signature(s) needed to authenticate a
+ zone's public key(s) in the DNS reply message along with the public
+ key itself, provided there is space available in the message.
+
+ The Delegation Signer (DS) RR type simplifies some of the
+ administrative tasks involved in signing delegations across
+ organizational boundaries. The DS RRset resides at a delegation
+ point in a parent zone and indicates the public key(s) corresponding
+ to the private key(s) used to self-sign the DNSKEY RRset at the
+ delegated child zone's apex. The administrator of the child zone, in
+ turn, uses the private key(s) corresponding to one or more of the
+ public keys in this DNSKEY RRset to sign the child zone's data. The
+ typical authentication chain is therefore
+ DNSKEY->[DS->DNSKEY]*->RRset, where "*" denotes zero or more
+ DS->DNSKEY subchains. DNSSEC permits more complex authentication
+ chains, such as additional layers of DNSKEY RRs signing other DNSKEY
+ RRs within a zone.
+
+ A security-aware resolver normally constructs this authentication
+ chain from the root of the DNS hierarchy down to the leaf zones based
+ on configured knowledge of the public key for the root. Local
+ policy, however, may also allow a security-aware resolver to use one
+ or more configured public keys (or hashes of public keys) other than
+ the root public key, or may not provide configured knowledge of the
+ root public key, or may prevent the resolver from using particular
+ public keys for arbitrary reasons even if those public keys are
+ properly signed with verifiable signatures. DNSSEC provides
+ mechanisms by which a security-aware resolver can determine whether
+ an RRset's signature is "valid" within the meaning of DNSSEC. In the
+ final analysis however, authenticating both DNS keys and data is a
+ matter of local policy, which may extend or even override the
+ protocol extensions defined in this document set. See Section 5 for
+ further discussion.
+
+3.2 Authenticating Name and Type Non-Existence
+
+ The security mechanism described in Section 3.1 only provides a way
+ to sign existing RRsets in a zone. The problem of providing negative
+ responses with the same level of authentication and integrity
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 9]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ requires the use of another new resource record type, the NSEC
+ record. The NSEC record allows a security-aware resolver to
+ authenticate a negative reply for either name or type non-existence
+ via the same mechanisms used to authenticate other DNS replies. Use
+ of NSEC records requires a canonical representation and ordering for
+ domain names in zones. Chains of NSEC records explicitly describe
+ the gaps, or "empty space", between domain names in a zone, as well
+ as listing the types of RRsets present at existing names. Each NSEC
+ record is signed and authenticated using the mechanisms described in
+ Section 3.1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 10]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+4. Services Not Provided by DNS Security
+
+ DNS was originally designed with the assumptions that the DNS will
+ return the same answer to any given query regardless of who may have
+ issued the query, and that all data in the DNS is thus visible.
+ Accordingly, DNSSEC is not designed to provide confidentiality,
+ access control lists, or other means of differentiating between
+ inquirers.
+
+ DNSSEC provides no protection against denial of service attacks.
+ Security-aware resolvers and security-aware name servers are
+ vulnerable to an additional class of denial of service attacks based
+ on cryptographic operations. Please see Section 12 for details.
+
+ The DNS security extensions provide data and origin authentication
+ for DNS data. The mechanisms outlined above are not designed to
+ protect operations such as zone transfers and dynamic update
+ [RFC3007]. Message authentication schemes described in [RFC2845] and
+ [RFC2931] address security operations that pertain to these
+ transactions.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 11]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+5. Scope of the DNSSEC Document Set and Last Hop Issues
+
+ The specification in this document set defines the behavior for zone
+ signers and security-aware name servers and resolvers in such a way
+ that the validating entities can unambiguously determine the state of
+ the data.
+
+ A validating resolver can determine these 4 states:
+
+ Secure: The validating resolver has a trust anchor, a chain of trust
+ and is able to verify all the signatures in the response.
+
+ Insecure: The validating resolver has a trust anchor, a chain of
+ trust, and, at some delegation point, signed proof of the
+ non-existence of a DS record. That indicates that subsequent
+ branches in the tree are provably insecure. A validating resolver
+ may have local policy to mark parts of the domain space as
+ insecure.
+
+ Bogus: The validating resolver has a trust anchor and there is a
+ secure delegation which is indicating that subsidiary data will be
+ signed, but the response fails to validate due to one or more
+ reasons: missing signatures, expired signatures, signatures with
+ unsupported algorithms, data missing which the relevant NSEC RR
+ says should be present, and so forth.
+
+ Indeterminate: There is no trust anchor which would indicate that a
+ specific portion of the tree is secure. This is the default
+ operation mode.
+
+ This specification only defines how security aware name servers can
+ signal non-validating stub resolvers that data was found to be bogus
+ (using RCODE=2, "Server Failure" -- see
+ [I-D.ietf-dnsext-dnssec-protocol]).
+
+ There is a mechanism for security aware name servers to signal
+ security-aware stub resolvers that data was found to be secure (using
+ the AD bit, see [I-D.ietf-dnsext-dnssec-protocol]).
+
+ This specification does not define a format for communicating why
+ responses were found to be bogus or marked as insecure. The current
+ signaling mechanism does not distinguish between indeterminate and
+ insecure.
+
+ A method for signaling advanced error codes and policy between a
+ security aware stub resolver and security aware recursive nameservers
+ is a topic for future work, as is the interface between a security
+ aware resolver and the applications that use it. Note, however, that
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 12]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ the lack of the specification of such communication does not prohibit
+ deployment of signed zones or the deployment of security aware
+ recursive name servers that prohibit propagation of bogus data to the
+ applications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 13]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+6. Resolver Considerations
+
+ A security-aware resolver needs to be able to perform cryptographic
+ functions necessary to verify digital signatures using at least the
+ mandatory-to-implement algorithm(s). Security-aware resolvers must
+ also be capable of forming an authentication chain from a newly
+ learned zone back to an authentication key, as described above. This
+ process might require additional queries to intermediate DNS zones to
+ obtain necessary DNSKEY, DS and RRSIG records. A security-aware
+ resolver should be configured with at least one trust anchor as the
+ starting point from which it will attempt to establish authentication
+ chains.
+
+ If a security-aware resolver is separated from the relevant
+ authoritative name servers by a recursive name server or by any sort
+ of device which acts as a proxy for DNS, and if the recursive name
+ server or proxy is not security-aware, the security-aware resolver
+ may not be capable of operating in a secure mode. For example, if a
+ security-aware resolver's packets are routed through a network
+ address translation device that includes a DNS proxy which is not
+ security-aware, the security-aware resolver may find it difficult or
+ impossible to obtain or validate signed DNS data.
+
+ If a security-aware resolver must rely on an unsigned zone or a name
+ server that is not security aware, the resolver may not be able to
+ validate DNS responses, and will need a local policy on whether to
+ accept unverified responses.
+
+ A security-aware resolver should take a signature's validation period
+ into consideration when determining the TTL of data in its cache, to
+ avoid caching signed data beyond the validity period of the
+ signature, but should also allow for the possibility that the
+ security-aware resolver's own clock is wrong. Thus, a security-aware
+ resolver which is part of a security-aware recursive name server will
+ need to pay careful attention to the DNSSEC "checking disabled" (CD)
+ bit [I-D.ietf-dnsext-dnssec-records]. This is in order to avoid
+ blocking valid signatures from getting through to other
+ security-aware resolvers which are clients of this recursive name
+ server. See [I-D.ietf-dnsext-dnssec-protocol] for how a secure
+ recursive server handles queries with the CD bit set.
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 14]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+7. Stub Resolver Considerations
+
+ Although not strictly required to do so by the protocol, most DNS
+ queries originate from stub resolvers. Stub resolvers, by
+ definition, are minimal DNS resolvers which use recursive query mode
+ to offload most of the work of DNS resolution to a recursive name
+ server. Given the widespread use of stub resolvers, the DNSSEC
+ architecture has to take stub resolvers into account, but the
+ security features needed in a stub resolver differ in some respects
+ from those needed in a full security-aware resolver.
+
+ Even a security-oblivious stub resolver may get some benefit from
+ DNSSEC if the recursive name servers it uses are security-aware, but
+ for the stub resolver to place any real reliance on DNSSEC services,
+ the stub resolver must trust both the recursive name servers in
+ question and the communication channels between itself and those name
+ servers. The first of these issues is a local policy issue: in
+ essence, a security-oblivious stub resolver has no real choice but to
+ place itself at the mercy of the recursive name servers that it uses,
+ since it does not perform DNSSEC validity checks on its own. The
+ second issue requires some kind of channel security mechanism; proper
+ use of DNS transaction authentication mechanisms such as SIG(0) or
+ TSIG would suffice, as would appropriate use of IPsec, and particular
+ implementations may have other choices available, such as operating
+ system specific interprocess communication mechanisms.
+ Confidentiality is not needed for this channel, but data integrity
+ and message authentication are.
+
+ A security-aware stub resolver that does trust both its recursive
+ name servers and its communication channel to them may choose to
+ examine the setting of the AD bit in the message header of the
+ response messages it receives. The stub resolver can use this flag
+ bit as a hint to find out whether the recursive name server was able
+ to validate signatures for all of the data in the Answer and
+ Authority sections of the response.
+
+ There is one more step that a security-aware stub resolver can take
+ if, for whatever reason, it is not able to establish a useful trust
+ relationship with the recursive name servers which it uses: it can
+ perform its own signature validation, by setting the Checking
+ Disabled (CD) bit in its query messages. A validating stub resolver
+ is thus able to treat the DNSSEC signatures as a trust relationship
+ between the zone administrator and the stub resolver itself.
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 15]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+8. Zone Considerations
+
+ There are several differences between signed and unsigned zones. A
+ signed zone will contain additional security-related records (RRSIG,
+ DNSKEY, DS and NSEC records). RRSIG and NSEC records may be
+ generated by a signing process prior to serving the zone. The RRSIG
+ records that accompany zone data have defined inception and
+ expiration times, which establish a validity period for the
+ signatures and the zone data the signatures cover.
+
+8.1 TTL values vs. RRSIG validity period
+
+ It is important to note the distinction between a RRset's TTL value
+ and the signature validity period specified by the RRSIG RR covering
+ that RRset. DNSSEC does not change the definition or function of the
+ TTL value, which is intended to maintain database coherency in
+ caches. A caching resolver purges RRsets from its cache no later
+ than the end of the time period specified by the TTL fields of those
+ RRsets, regardless of whether or not the resolver is security-aware.
+
+ The inception and expiration fields in the RRSIG RR
+ [I-D.ietf-dnsext-dnssec-records], on the other hand, specify the time
+ period during which the signature can be used to validate the covered
+ RRset. The signatures associated with signed zone data are only
+ valid for the time period specified by these fields in the RRSIG RRs
+ in question. TTL values cannot extend the validity period of signed
+ RRsets in a resolver's cache, but the resolver may use the time
+ remaining before expiration of the signature validity period of a
+ signed RRset as an upper bound for the TTL of the signed RRset and
+ its associated RRSIG RR in the resolver's cache.
+
+8.2 New Temporal Dependency Issues for Zones
+
+ Information in a signed zone has a temporal dependency which did not
+ exist in the original DNS protocol. A signed zone requires regular
+ maintenance to ensure that each RRset in the zone has a current valid
+ RRSIG RR. The signature validity period of an RRSIG RR is an
+ interval during which the signature for one particular signed RRset
+ can be considered valid, and the signatures of different RRsets in a
+ zone may expire at different times. Re-signing one or more RRsets in
+ a zone will change one or more RRSIG RRs, which in turn will require
+ incrementing the zone's SOA serial number to indicate that a zone
+ change has occurred and re-signing the SOA RRset itself. Thus,
+ re-signing any RRset in a zone may also trigger DNS NOTIFY messages
+ and zone transfers operations.
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 16]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+9. Name Server Considerations
+
+ A security-aware name server should include the appropriate DNSSEC
+ records (RRSIG, DNSKEY, DS and NSEC) in all responses to queries from
+ resolvers which have signaled their willingness to receive such
+ records via use of the DO bit in the EDNS header, subject to message
+ size limitations. Since inclusion of these DNSSEC RRs could easily
+ cause UDP message truncation and fallback to TCP, a security-aware
+ name server must also support the EDNS "sender's UDP payload"
+ mechanism.
+
+ If possible, the private half of each DNSSEC key pair should be kept
+ offline, but this will not be possible for a zone for which DNS
+ dynamic update has been enabled. In the dynamic update case, the
+ primary master server for the zone will have to re-sign the zone when
+ updated, so the private key corresponding to the zone signing key
+ will have to be kept online. This is an example of a situation where
+ the ability to separate the zone's DNSKEY RRset into zone signing
+ key(s) and key signing key(s) may be useful, since the key signing
+ key(s) in such a case can still be kept offline and may have a longer
+ useful lifetime than the zone signing key(s).
+
+ DNSSEC, by itself, is not enough to protect the integrity of an
+ entire zone during zone transfer operations, since even a signed zone
+ contains some unsigned, nonauthoritative data if the zone has any
+ children. Therefore, zone maintenance operations will require some
+ additional mechanisms (most likely some form of channel security,
+ such as TSIG, SIG(0), or IPsec).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 17]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+10. DNS Security Document Family
+
+ The DNSSEC document set can be partitioned into several main groups,
+ under the larger umbrella of the DNS base protocol documents.
+
+ The "DNSSEC protocol document set" refers to the three documents
+ which form the core of the DNS security extensions:
+ 1. DNS Security Introduction and Requirements (this document)
+ 2. Resource Records for DNS Security Extensions
+ [I-D.ietf-dnsext-dnssec-records]
+ 3. Protocol Modifications for the DNS Security Extensions
+ [I-D.ietf-dnsext-dnssec-protocol]
+
+ Additionally, any document that would add to, or change the core DNS
+ Security extensions would fall into this category. This includes any
+ future work on the communication between security-aware stub
+ resolvers and upstream security-aware recursive name servers.
+
+ The "Digital Signature Algorithm Specification" document set refers
+ to the group of documents that describe how specific digital
+ signature algorithms should be implemented to fit the DNSSEC resource
+ record format. Each document in this set deals with a specific
+ digital signature algorithm.
+
+ The "Transaction Authentication Protocol" document set refers to the
+ group of documents that deal with DNS message authentication,
+ including secret key establishment and verification. While not
+ strictly part of the DNSSEC specification as defined in this set of
+ documents, this group is noted because of its relationship to DNSSEC.
+
+ The final document set, "New Security Uses", refers to documents that
+ seek to use proposed DNS Security extensions for other security
+ related purposes. DNSSEC does not provide any direct security for
+ these new uses, but may be used to support them. Documents that fall
+ in this category include the use of DNS in the storage and
+ distribution of certificates [RFC2538].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 18]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+11. IANA Considerations
+
+ This overview document introduces no new IANA considerations. Please
+ see [I-D.ietf-dnsext-dnssec-records] for a complete review of the
+ IANA considerations introduced by DNSSEC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 19]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+12. Security Considerations
+
+ This document introduces the DNS security extensions and describes
+ the document set that contains the new security records and DNS
+ protocol modifications. The extensions provide data origin
+ authentication and data integrity using digital signatures over
+ resource record sets.This document discusses the capabilities and
+ limitations of these extensions.
+
+ In order for a security-aware resolver to validate a DNS response,
+ all zones along the path from the trusted starting point to the zone
+ containing the response zones must be signed, and all name servers
+ and resolvers involved in the resolution process must be
+ security-aware, as defined in this document set. A security-aware
+ resolver cannot verify responses originating from an unsigned zone,
+ from a zone not served by a security-aware name server, or for any
+ DNS data which the resolver is only able to obtain through a
+ recursive name server which is not security-aware. If there is a
+ break in the authentication chain such that a security-aware resolver
+ cannot obtain and validate the authentication keys it needs, then the
+ security-aware resolver cannot validate the affected DNS data.
+
+ This document briefly discusses other methods of adding security to a
+ DNS query, such as using a channel secured by IPsec or using a DNS
+ transaction authentication mechanism, but transaction security is not
+ part of DNSSEC per se.
+
+ A non-validating security-aware stub resolver, by definition, does
+ not perform DNSSEC signature validation on its own, and thus is
+ vulnerable both to attacks on (and by) the security-aware recursive
+ name servers which perform these checks on its behalf and also to
+ attacks on its communication with those security-aware recursive name
+ servers. Non-validating security-aware stub resolvers should use
+ some form of channel security to defend against the latter threat.
+ The only known defense against the former threat would be for the
+ security-aware stub resolver to perform its own signature validation,
+ at which point, again by definition, it would no longer be a
+ non-validating security-aware stub resolver.
+
+ DNSSEC does not protect against denial of service attacks. DNSSEC
+ makes DNS vulnerable to a new class of denial of service attacks
+ based on cryptographic operations against security-aware resolvers
+ and security-aware name servers, since an attacker can attempt to use
+ DNSSEC mechanisms to consume a victim's resources. This class of
+ attacks takes at least two forms. An attacker may be able to consume
+ resources in a security-aware resolver's signature validation code by
+ tampering with RRSIG RRs in response messages or by constructing
+ needlessly complex signature chains. An attacker may also be able to
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 20]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ consume resources in a security-aware name server which supports DNS
+ dynamic update, by sending a stream of update messages that force the
+ security-aware name server to re-sign some RRsets in the zone more
+ frequently than would otherwise be necessary.
+
+ DNSSEC does not provide confidentiality, due to a deliberate design
+ choice.
+
+ DNSSEC introduces the ability for a hostile party to enumerate all
+ the names in a zone by following the NSEC chain. NSEC RRs assert
+ which names do not exist in a zone by linking from existing name to
+ existing name along a canonical ordering of all the names within a
+ zone. Thus, an attacker can query these NSEC RRs in sequence to
+ obtain all the names in a zone. While not an attack on the DNS
+ itself, this could allow an attacker to map network hosts or other
+ resources by enumerating the contents of a zone.
+
+ DNSSEC introduces significant additional complexity to the DNS, and
+ thus introduces many new opportunities for implementation bugs and
+ misconfigured zones. In particular, enabling DNSSEC signature
+ validation in a resolver may cause entire legitimate zones to become
+ effectively unreachable due to DNSSEC configuration errors or bugs.
+
+ DNSSEC does not protect against tampering with unsigned zone data.
+ Non-authoritative data at zone cuts (glue and NS RRs in the parent
+ zone) are not signed. This does not pose a problem when validating
+ the authentication chain, but does mean that the non-authoritative
+ data itself is vulnerable to tampering during zone transfer
+ operations. Thus, while DNSSEC can provide data origin
+ authentication and data integrity for RRsets, it cannot do so for
+ zones, and other mechanisms must be used to protect zone transfer
+ operations.
+
+ Please see [I-D.ietf-dnsext-dnssec-records] and
+ [I-D.ietf-dnsext-dnssec-protocol] for additional security
+ considerations.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 21]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+13. Acknowledgements
+
+ This document was created from the input and ideas of the members of
+ the DNS Extensions Working Group. While explicitly listing everyone
+ who has contributed during the decade during which DNSSEC has been
+ under development would be an impossible task, the editors would
+ particularly like to thank the following people for their
+ contributions to and comments on this document set: Jaap Akkerhuis,
+ Mark Andrews, Derek Atkins, Roy Badami, Alan Barrett, Dan Bernstein,
+ David Blacka, Len Budney, Randy Bush, Francis Dupont, Donald
+ Eastlake, Robert Elz, Miek Gieben, Michael Graff, Olafur Gudmundsson,
+ Gilles Guette, Andreas Gustafsson, Jun-ichiro itojun Hagino, Phillip
+ Hallam-Baker, Bob Halley, Ted Hardie, Walter Howard, Greg Hudson,
+ Christian Huitema, Johan Ihren, Stephen Jacob, Jelte Jansen, Simon
+ Josefsson, Andris Kalnozols, Peter Koch, Olaf Kolkman, Mark Kosters,
+ Suresh Krishnaswamy, Ben Laurie, David Lawrence, Ted Lemon, Ed Lewis,
+ Ted Lindgreen, Josh Littlefield, Rip Loomis, Bill Manning, Russ
+ Mundy, Mans Nilsson, Masataka Ohta, Mike Patton, Rob Payne, Jim Reid,
+ Michael Richardson, Erik Rozendaal, Marcos Sanz, Pekka Savola, Jakob
+ Schlyter, Mike StJohns, Paul Vixie, Sam Weiler, Brian Wellington, and
+ Suzanne Woolf.
+
+ No doubt the above list is incomplete. We apologize to anyone we
+ left out.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 22]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+14. References
+
+14.1 Normative References
+
+ [I-D.ietf-dnsext-dnssec-protocol]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
+ progress), May 2004.
+
+ [I-D.ietf-dnsext-dnssec-records]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Resource Records for DNS Security Extensions",
+ draft-ietf-dnsext-dnssec-records-08 (work in progress),
+ May 2004.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+ [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+ message size requirements", RFC 3226, December 2001.
+
+ [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
+ Resource Record (RR)", RFC 3445, December 2002.
+
+14.2 Informative References
+
+ [I-D.ietf-dnsext-dns-threats]
+ Atkins, D. and R. Austein, "Threat Analysis Of The Domain
+ Name System", draft-ietf-dnsext-dns-threats-07 (work in
+ progress), April 2004.
+
+ [I-D.ietf-dnsext-nsec-rdata]
+ Schlyter, J., "DNSSEC NSEC RDATA Format",
+ draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
+ 2004.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 23]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
+ the Domain Name System (DNS)", RFC 2538, March 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
+ Signing Authority", RFC 3008, November 2000.
+
+ [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
+ Status", RFC 3090, March 2001.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
+ Authenticated Data (AD) bit", RFC 3655, November 2003.
+
+ [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
+ (RR)", RFC 3658, December 2003.
+
+ [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer", RFC 3755, April 2004.
+
+ [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
+ Entry Point Flag", RFC 3757, April 2004.
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 24]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+Authors' Addresses
+
+ Roy Arends
+ Telematica Instituut
+ Drienerlolaan 5
+ 7522 NB Enschede
+ NL
+
+ EMail: roy.arends@telin.nl
+
+
+ Rob Austein
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ EMail: sra@isc.org
+
+
+ Matt Larson
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ EMail: mlarson@verisign.com
+
+
+ Dan Massey
+ USC Information Sciences Institute
+ 3811 N. Fairfax Drive
+ Arlington, VA 22203
+ USA
+
+ EMail: masseyd@isi.edu
+
+
+ Scott Rose
+ National Institute for Standards and Technology
+ 100 Bureau Drive
+ Gaithersburg, MD 20899-8920
+ USA
+
+ EMail: scott.rose@nist.gov
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 25]
+
+Internet-Draft DNSSEC Introduction and Requirements July 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 26]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt
new file mode 100644
index 0000000..5728b35
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-protocol-07.txt
@@ -0,0 +1,3193 @@
+
+
+DNS Extensions R. Arends
+Internet-Draft Telematica Instituut
+Expires: January 13, 2005 M. Larson
+ VeriSign
+ R. Austein
+ ISC
+ D. Massey
+ USC/ISI
+ S. Rose
+ NIST
+ July 15, 2004
+
+
+ Protocol Modifications for the DNS Security Extensions
+ draft-ietf-dnsext-dnssec-protocol-07
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 13, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document is part of a family of documents which describe the DNS
+ Security Extensions (DNSSEC). The DNS Security Extensions are a
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 1]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ collection of new resource records and protocol modifications which
+ add data origin authentication and data integrity to the DNS. This
+ document describes the DNSSEC protocol modifications. This document
+ defines the concept of a signed zone, along with the requirements for
+ serving and resolving using DNSSEC. These techniques allow a
+ security-aware resolver to authenticate both DNS resource records and
+ authoritative DNS error indications.
+
+ This document obsoletes RFC 2535 and incorporates changes from all
+ updates to RFC 2535.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1 Background and Related Documents . . . . . . . . . . . . . 4
+ 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. Zone Signing . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.1 Including DNSKEY RRs in a Zone . . . . . . . . . . . . . . 5
+ 2.2 Including RRSIG RRs in a Zone . . . . . . . . . . . . . . 5
+ 2.3 Including NSEC RRs in a Zone . . . . . . . . . . . . . . . 6
+ 2.4 Including DS RRs in a Zone . . . . . . . . . . . . . . . . 7
+ 2.5 Changes to the CNAME Resource Record. . . . . . . . . . . 7
+ 2.6 DNSSEC RR Types Appearing at Zone Cuts. . . . . . . . . . 8
+ 2.7 Example of a Secure Zone . . . . . . . . . . . . . . . . . 8
+ 3. Serving . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.1 Authoritative Name Servers . . . . . . . . . . . . . . . . 10
+ 3.1.1 Including RRSIG RRs in a Response . . . . . . . . . . 10
+ 3.1.2 Including DNSKEY RRs In a Response . . . . . . . . . . 11
+ 3.1.3 Including NSEC RRs In a Response . . . . . . . . . . . 11
+ 3.1.4 Including DS RRs In a Response . . . . . . . . . . . . 14
+ 3.1.5 Responding to Queries for Type AXFR or IXFR . . . . . 15
+ 3.1.6 The AD and CD Bits in an Authoritative Response . . . 16
+ 3.2 Recursive Name Servers . . . . . . . . . . . . . . . . . . 17
+ 3.2.1 The DO bit . . . . . . . . . . . . . . . . . . . . . . 17
+ 3.2.2 The CD bit . . . . . . . . . . . . . . . . . . . . . . 17
+ 3.2.3 The AD bit . . . . . . . . . . . . . . . . . . . . . . 18
+ 3.3 Example DNSSEC Responses . . . . . . . . . . . . . . . . . 18
+ 4. Resolving . . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ 4.1 EDNS Support . . . . . . . . . . . . . . . . . . . . . . . 19
+ 4.2 Signature Verification Support . . . . . . . . . . . . . . 19
+ 4.3 Determining Security Status of Data . . . . . . . . . . . 20
+ 4.4 Configured Trust Anchors . . . . . . . . . . . . . . . . . 20
+ 4.5 Response Caching . . . . . . . . . . . . . . . . . . . . . 21
+ 4.6 Handling of the CD and AD bits . . . . . . . . . . . . . . 22
+ 4.7 Caching BAD Data . . . . . . . . . . . . . . . . . . . . . 22
+ 4.8 Synthesized CNAMEs . . . . . . . . . . . . . . . . . . . . 23
+ 4.9 Stub resolvers . . . . . . . . . . . . . . . . . . . . . . 23
+ 4.9.1 Handling of the DO Bit . . . . . . . . . . . . . . . . 23
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 2]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ 4.9.2 Handling of the CD Bit . . . . . . . . . . . . . . . . 23
+ 4.9.3 Handling of the AD Bit . . . . . . . . . . . . . . . . 24
+ 5. Authenticating DNS Responses . . . . . . . . . . . . . . . . . 25
+ 5.1 Special Considerations for Islands of Security . . . . . . 26
+ 5.2 Authenticating Referrals . . . . . . . . . . . . . . . . . 26
+ 5.3 Authenticating an RRset Using an RRSIG RR . . . . . . . . 27
+ 5.3.1 Checking the RRSIG RR Validity . . . . . . . . . . . . 28
+ 5.3.2 Reconstructing the Signed Data . . . . . . . . . . . . 28
+ 5.3.3 Checking the Signature . . . . . . . . . . . . . . . . 30
+ 5.3.4 Authenticating A Wildcard Expanded RRset Positive
+ Response . . . . . . . . . . . . . . . . . . . . . . . 31
+ 5.4 Authenticated Denial of Existence . . . . . . . . . . . . 31
+ 5.5 Resolver Behavior When Signatures Do Not Validate . . . . 32
+ 5.6 Authentication Example . . . . . . . . . . . . . . . . . . 32
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
+ 7. Security Considerations . . . . . . . . . . . . . . . . . . . 34
+ 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35
+ 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
+ 9.1 Normative References . . . . . . . . . . . . . . . . . . . . 36
+ 9.2 Informative References . . . . . . . . . . . . . . . . . . . 36
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 37
+ A. Signed Zone Example . . . . . . . . . . . . . . . . . . . . . 39
+ B. Example Responses . . . . . . . . . . . . . . . . . . . . . . 45
+ B.1 Answer . . . . . . . . . . . . . . . . . . . . . . . . . . 45
+ B.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 46
+ B.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 47
+ B.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 48
+ B.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 49
+ B.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 50
+ B.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 51
+ B.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 52
+ C. Authentication Examples . . . . . . . . . . . . . . . . . . . 54
+ C.1 Authenticating An Answer . . . . . . . . . . . . . . . . . 54
+ C.1.1 Authenticating the example DNSKEY RR . . . . . . . . . 54
+ C.2 Name Error . . . . . . . . . . . . . . . . . . . . . . . . 55
+ C.3 No Data Error . . . . . . . . . . . . . . . . . . . . . . 55
+ C.4 Referral to Signed Zone . . . . . . . . . . . . . . . . . 55
+ C.5 Referral to Unsigned Zone . . . . . . . . . . . . . . . . 55
+ C.6 Wildcard Expansion . . . . . . . . . . . . . . . . . . . . 56
+ C.7 Wildcard No Data Error . . . . . . . . . . . . . . . . . . 56
+ C.8 DS Child Zone No Data Error . . . . . . . . . . . . . . . 56
+ Intellectual Property and Copyright Statements . . . . . . . . 57
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 3]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+1. Introduction
+
+ The DNS Security Extensions (DNSSEC) are a collection of new resource
+ records and protocol modifications which add data origin
+ authentication and data integrity to the DNS. This document defines
+ the DNSSEC protocol modifications. Section 2 of this document
+ defines the concept of a signed zone and lists the requirements for
+ zone signing. Section 3 describes the modifications to authoritative
+ name server behavior necessary to handle signed zones. Section 4
+ describes the behavior of entities which include security-aware
+ resolver functions. Finally, Section 5 defines how to use DNSSEC RRs
+ to authenticate a response.
+
+1.1 Background and Related Documents
+
+ The reader is assumed to be familiar with the basic DNS concepts
+ described in [RFC1034] and [RFC1035].
+
+ This document is part of a family of documents that define DNSSEC.
+ An introduction to DNSSEC and definition of common terms can be found
+ in [I-D.ietf-dnsext-dnssec-intro]; the reader is assumed to be
+ familiar with this document. A definition of the DNSSEC resource
+ records can be found in [I-D.ietf-dnsext-dnssec-records].
+
+1.2 Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119. [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 4]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+2. Zone Signing
+
+ DNSSEC introduces the concept of signed zones. A signed zone
+ includes DNSKEY, RRSIG, NSEC and (optionally) DS records according to
+ the rules specified in Section 2.1, Section 2.2, Section 2.3 and
+ Section 2.4, respectively. A zone that does not include these
+ records according to the rules in this section is an unsigned zone.
+
+ DNSSEC requires a change to the definition of the CNAME resource
+ record [RFC1035]. Section 2.5 changes the CNAME RR to allow RRSIG
+ and NSEC RRs to appear at the same owner name as a CNAME RR.
+
+ DNSSEC specifies the placement of two new RR types, NSEC and DS,
+ which can be placed at the parental side of a zone cut (that is, at a
+ delegation point). This is an exception to the general prohibition
+ against putting data in the parent zone at a zone cut. Section 2.6
+ describes this change.
+
+2.1 Including DNSKEY RRs in a Zone
+
+ To sign a zone, the zone's administrator generates one or more
+ public/private key pairs and uses the private key(s) to sign
+ authoritative RRsets in the zone. For each private key used to
+ create RRSIG RRs in a zone, the zone SHOULD include a zone DNSKEY RR
+ containing the corresponding public key. A zone key DNSKEY RR MUST
+ have the Zone Key bit of the flags RDATA field set -- see Section
+ 2.1.1 of [I-D.ietf-dnsext-dnssec-records]. Public keys associated
+ with other DNS operations MAY be stored in DNSKEY RRs that are not
+ marked as zone keys but MUST NOT be used to verify RRSIGs.
+
+ If the zone administrator intends a signed zone to be usable other
+ than as an island of security, the zone apex MUST contain at least
+ one DNSKEY RR to act as a secure entry point into the zone. This
+ secure entry point could then be used as the target of a secure
+ delegation via a corresponding DS RR in the parent zone (see
+ [I-D.ietf-dnsext-dnssec-records]).
+
+2.2 Including RRSIG RRs in a Zone
+
+ For each authoritative RRset in a signed zone, there MUST be at least
+ one RRSIG record that meets all of the following requirements:
+ o The RRSIG owner name is equal to the RRset owner name;
+ o The RRSIG class is equal to the RRset class;
+ o The RRSIG Type Covered field is equal to the RRset type;
+ o The RRSIG Original TTL field is equal to the TTL of the RRset;
+ o The RRSIG RR's TTL is equal to the TTL of the RRset;
+ o The RRSIG Labels field is equal to the number of labels in the
+ RRset owner name, not counting the null root label and not
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 5]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ counting the leftmost label if it is a wildcard;
+ o The RRSIG Signer's Name field is equal to the name of the zone
+ containing the RRset; and
+ o The RRSIG Algorithm, Signer's Name, and Key Tag fields identify a
+ zone key DNSKEY record at the zone apex.
+
+ The process for constructing the RRSIG RR for a given RRset is
+ described in [I-D.ietf-dnsext-dnssec-records]. An RRset MAY have
+ multiple RRSIG RRs associated with it.
+
+ An RRSIG RR itself MUST NOT be signed, since signing an RRSIG RR
+ would add no value and would create an infinite loop in the signing
+ process.
+
+ The NS RRset that appears at the zone apex name MUST be signed, but
+ the NS RRsets that appear at delegation points (that is, the NS
+ RRsets in the parent zone that delegate the name to the child zone's
+ name servers) MUST NOT be signed. Glue address RRsets associated
+ with delegations MUST NOT be signed.
+
+ There MUST be an RRSIG for each RRset using at least one DNSKEY of
+ each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset
+ itself MUST be signed by each algorithm appearing in the DS RRset
+ located at the delegating parent (if any).
+
+2.3 Including NSEC RRs in a Zone
+
+ Each owner name in the zone which has authoritative data or a
+ delegation point NS RRset MUST have an NSEC resource record. The
+ format of NSEC RRs and the process for constructing the NSEC RR for a
+ given name is described in [I-D.ietf-dnsext-dnssec-records].
+
+ The TTL value for any NSEC RR SHOULD be the same as the minimum TTL
+ value field in the zone SOA RR.
+
+ An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
+ RRset at any particular owner name. That is, the signing process
+ MUST NOT create NSEC or RRSIG RRs for owner names nodes which were
+ not the owner name of any RRset before the zone was signed. The main
+ reasons for this are a desire for namespace consistency between
+ signed and unsigned versions of the same zone and a desire to reduce
+ the risk of response inconsistency in security oblivious recursive
+ name servers.
+
+ The type bitmap of every NSEC resource record in a signed zone MUST
+ indicate the presence of both the NSEC record itself and its
+ corresponding RRSIG record.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 6]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ The difference between the set of owner names that require RRSIG
+ records and the set of owner names that require NSEC records is
+ subtle and worth highlighting. RRSIG records are present at the
+ owner names of all authoritative RRsets. NSEC records are present at
+ the owner names of all names for which the signed zone is
+ authoritative and also at the owner names of delegations from the
+ signed zone to its children. Neither NSEC nor RRSIG records are
+ present (in the parent zone) at the owner names of glue address
+ RRsets. Note, however, that this distinction is for the most part is
+ only visible during the zone signing process, because NSEC RRsets are
+ authoritative data, and are therefore signed, thus any owner name
+ which has an NSEC RRset will have RRSIG RRs as well in the signed
+ zone.
+
+ The bitmap for the NSEC RR at a delegation point requires special
+ attention. Bits corresponding to the delegation NS RRset and any
+ RRsets for which the parent zone has authoritative data MUST be set;
+ bits corresponding to any non-NS RRset for which the parent is not
+ authoritative MUST be clear.
+
+2.4 Including DS RRs in a Zone
+
+ The DS resource record establishes authentication chains between DNS
+ zones. A DS RRset SHOULD be present at a delegation point when the
+ child zone is signed. The DS RRset MAY contain multiple records,
+ each referencing a public key in the child zone used to verify the
+ RRSIGs in that zone. All DS RRsets in a zone MUST be signed and DS
+ RRsets MUST NOT appear at a zone's apex.
+
+ A DS RR SHOULD point to a DNSKEY RR which is present in the child's
+ apex DNSKEY RRset, and the child's apex DNSKEY RRset SHOULD be signed
+ by the corresponding private key.
+
+ The TTL of a DS RRset SHOULD match the TTL of the delegating NS RRset
+ (that is, the NS RRset from the same zone containing the DS RRset).
+
+ Construction of a DS RR requires knowledge of the corresponding
+ DNSKEY RR in the child zone, which implies communication between the
+ child and parent zones. This communication is an operational matter
+ not covered by this document.
+
+2.5 Changes to the CNAME Resource Record.
+
+ If a CNAME RRset is present at a name in a signed zone, appropriate
+ RRSIG and NSEC RRsets are REQUIRED at that name. A KEY RRset at that
+ name for secure dynamic update purposes is also allowed. Other types
+ MUST NOT be present at that name.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 7]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ This is a modification to the original CNAME definition given in
+ [RFC1034]. The original definition of the CNAME RR did not allow any
+ other types to coexist with a CNAME record, but a signed zone
+ requires NSEC and RRSIG RRs for every authoritative name. To resolve
+ this conflict, this specification modifies the definition of the
+ CNAME resource record to allow it to coexist with NSEC and RRSIG RRs.
+
+2.6 DNSSEC RR Types Appearing at Zone Cuts.
+
+ DNSSEC introduced two new RR types that are unusual in that they can
+ appear at the parental side of a zone cut. At the parental side of a
+ zone cut (that is, at a delegation point), NSEC RRs are REQUIRED at
+ the owner name. A DS RR could also be present if the zone being
+ delegated is signed and wishes to have a chain of authentication to
+ the parent zone. This is an exception to the original DNS
+ specification ([RFC1034]) which states that only NS RRsets could
+ appear at the parental side of a zone cut.
+
+ This specification updates the original DNS specification to allow
+ NSEC and DS RR types at the parent side of a zone cut. These RRsets
+ are authoritative for the parent when they appear at the parent side
+ of a zone cut.
+
+2.7 Example of a Secure Zone
+
+ Appendix A shows a complete example of a small signed zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 8]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+3. Serving
+
+ This section describes the behavior of entities that include
+ security-aware name server functions. In many cases such functions
+ will be part of a security-aware recursive name server, but a
+ security-aware authoritative name server has some of the same
+ requirements. Functions specific to security-aware recursive name
+ servers are described in Section 3.2; functions specific to
+ authoritative servers are described in Section 3.1.
+
+ The terms "SNAME", "SCLASS", and "STYPE" in the following discussion
+ are as used in [RFC1034].
+
+ A security-aware name server MUST support the EDNS0 [RFC2671] message
+ size extension, MUST support a message size of at least 1220 octets,
+ and SHOULD support a message size of 4000 octets [RFC3226].
+
+ A security-aware name server which receives a DNS query that does not
+ include the EDNS OPT pseudo-RR or that has the DO bit clear MUST
+ treat the RRSIG, DNSKEY, and NSEC RRs as it would any other RRset,
+ and MUST NOT perform any of the additional processing described
+ below. Since the DS RR type has the peculiar property of only
+ existing in the parent zone at delegation points, DS RRs always
+ require some special processing, as described in Section 3.1.4.1.
+
+ Security aware name servers that receive explicit queries for
+ security RR types which match the content of more than one zone that
+ it serves (for example, NSEC and RRSIG RRs above and below a
+ delegation point where the server is authoritative for both zones)
+ should behave self-consistently. The name server MAY return one of
+ the following:
+ o The above-delegation RRsets
+ o The below-delegation RRsets
+ o Both above and below-delegation RRsets
+ o Empty answer section (no records)
+ o Some other response
+ o An error
+ As long as the response is always consistent for each query to the
+ name server.
+
+ DNSSEC allocates two new bits in the DNS message header: the CD
+ (Checking Disabled) bit and the AD (Authentic Data) bit. The CD bit
+ is controlled by resolvers; a security-aware name server MUST copy
+ the CD bit from a query into the corresponding response. The AD bit
+ is controlled by name servers; a security-aware name server MUST
+ ignore the setting of the AD bit in queries. See Section 3.1.6,
+ Section 3.2.2, Section 3.2.3, Section 4, and Section 4.9 for details
+ on the behavior of these bits.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 9]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ A security aware name server which synthesizes CNAME RRs from DNAME
+ RRs as described in [RFC2672] SHOULD NOT generate signatures for the
+ synthesized CNAME RRs.
+
+3.1 Authoritative Name Servers
+
+ Upon receiving a relevant query that has the EDNS [RFC2671] OPT
+ pseudo-RR DO bit [RFC3225] set, a security-aware authoritative name
+ server for a signed zone MUST include additional RRSIG, NSEC, and DS
+ RRs according to the following rules:
+ o RRSIG RRs that can be used to authenticate a response MUST be
+ included in the response according to the rules in Section 3.1.1;
+ o NSEC RRs that can be used to provide authenticated denial of
+ existence MUST be included in the response automatically according
+ to the rules in Section 3.1.3;
+ o Either a DS RRset or an NSEC RR proving that no DS RRs exist MUST
+ be included in referrals automatically according to the rules in
+ Section 3.1.4.
+
+ These rules only apply to responses the semantics of which convey
+ information about the presence or absence of resource records. That
+ is, these rules are not intended to rule out responses such as RCODE
+ 4 ("Not Implemented") or RCODE 5 ("Refused").
+
+ DNSSEC does not change the DNS zone transfer protocol. Section 3.1.5
+ discusses zone transfer requirements.
+
+3.1.1 Including RRSIG RRs in a Response
+
+ When responding to a query that has the DO bit set, a security-aware
+ authoritative name server SHOULD attempt to send RRSIG RRs that a
+ security-aware resolver can use to authenticate the RRsets in the
+ response. A name server SHOULD make every attempt to keep the RRset
+ and its associated RRSIG(s) together in a response. Inclusion of
+ RRSIG RRs in a response is subject to the following rules:
+ o When placing a signed RRset in the Answer section, the name server
+ MUST also place its RRSIG RRs in the Answer section. The RRSIG
+ RRs have a higher priority for inclusion than any other RRsets
+ that may need to be included. If space does not permit inclusion
+ of these RRSIG RRs, the name server MUST set the TC bit.
+ o When placing a signed RRset in the Authority section, the name
+ server MUST also place its RRSIG RRs in the Authority section.
+ The RRSIG RRs have a higher priority for inclusion than any other
+ RRsets that may need to be included. If space does not permit
+ inclusion of these RRSIG RRs, the name server MUST set the TC bit.
+ o When placing a signed RRset in the Additional section, the name
+ server MUST also place its RRSIG RRs in the Additional section.
+ If space does not permit inclusion of both the RRset and its
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 10]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ associated RRSIG RRs, the name server MAY drop the RRSIG RRs. If
+ this happens, the name server MUST NOT set the TC bit solely
+ because these RRSIG RRs didn't fit.
+
+3.1.2 Including DNSKEY RRs In a Response
+
+ When responding to a query that has the DO bit set and that requests
+ the SOA or NS RRs at the apex of a signed zone, a security-aware
+ authoritative name server for that zone MAY return the zone apex
+ DNSKEY RRset in the Additional section. In this situation, the
+ DNSKEY RRset and associated RRSIG RRs have lower priority than any
+ other information that would be placed in the additional section.
+ The name server SHOULD NOT include the DNSKEY RRset unless there is
+ enough space in the response message for both the DNSKEY RRset and
+ its associated RRSIG RR(s). If there is not enough space to include
+ these DNSKEY and RRSIG RRs, the name server MUST omit them and MUST
+ NOT set the TC bit solely because these RRs didn't fit (see Section
+ 3.1.1).
+
+3.1.3 Including NSEC RRs In a Response
+
+ When responding to a query that has the DO bit set, a security-aware
+ authoritative name server for a signed zone MUST include NSEC RRs in
+ each of the following cases:
+
+ No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>,
+ but does not contain any RRsets that exactly match <SNAME, SCLASS,
+ STYPE>.
+
+ Name Error: The zone does not contain any RRsets that match <SNAME,
+ SCLASS> either exactly or via wildcard name expansion.
+
+ Wildcard Answer: The zone does not contain any RRsets that exactly
+ match <SNAME, SCLASS> but does contain an RRset that matches
+ <SNAME, SCLASS, STYPE> via wildcard name expansion.
+
+ Wildcard No Data: The zone does not contain any RRsets that exactly
+ match <SNAME, SCLASS>, does contain one or more RRsets that match
+ <SNAME, SCLASS> via wildcard name expansion, but does not contain
+ any RRsets that match <SNAME, SCLASS, STYPE> via wildcard name
+ expansion.
+
+ In each of these cases, the name server includes NSEC RRs in the
+ response to prove that an exact match for <SNAME, SCLASS, STYPE> was
+ not present in the zone and that the response that the name server is
+ returning is correct given the data that are in the zone.
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 11]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+3.1.3.1 Including NSEC RRs: No Data Response
+
+ If the zone contains RRsets matching <SNAME, SCLASS> but contains no
+ RRset matching <SNAME, SCLASS, STYPE>, then the name server MUST
+ include the NSEC RR for <SNAME, SCLASS> along with its associated
+ RRSIG RR(s) in the Authority section of the response (see Section
+ 3.1.1). If space does not permit inclusion of the NSEC RR or its
+ associated RRSIG RR(s), the name server MUST set the TC bit (see
+ Section 3.1.1).
+
+ Since the search name exists, wildcard name expansion does not apply
+ to this query, and a single signed NSEC RR suffices to prove the
+ requested RR type does not exist.
+
+3.1.3.2 Including NSEC RRs: Name Error Response
+
+ If the zone does not contain any RRsets matching <SNAME, SCLASS>
+ either exactly or via wildcard name expansion, then the name server
+ MUST include the following NSEC RRs in the Authority section, along
+ with their associated RRSIG RRs:
+ o An NSEC RR proving that there is no exact match for <SNAME,
+ SCLASS>; and
+ o An NSEC RR proving that the zone contains no RRsets that would
+ match <SNAME, SCLASS> via wildcard name expansion.
+
+ In some cases a single NSEC RR may prove both of these points, in
+ that case the name server SHOULD only include the NSEC RR and its
+ RRSIG RR(s) once in the Authority section.
+
+ If space does not permit inclusion of these NSEC and RRSIG RRs, the
+ name server MUST set the TC bit (see Section 3.1.1).
+
+ The owner names of these NSEC and RRSIG RRs are not subject to
+ wildcard name expansion when these RRs are included in the Authority
+ section of the response.
+
+ Note that this form of response includes cases in which SNAME
+ corresponds to an empty non-terminal name within the zone (a name
+ which is not the owner name for any RRset but which is the parent
+ name of one or more RRsets).
+
+3.1.3.3 Including NSEC RRs: Wildcard Answer Response
+
+ If the zone does not contain any RRsets which exactly match <SNAME,
+ SCLASS> but does contain an RRset which matches <SNAME, SCLASS,
+ STYPE> via wildcard name expansion, the name server MUST include the
+ wildcard-expanded answer and the corresponding wildcard-expanded
+ RRSIG RRs in the Answer section, and MUST include in the Authority
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 12]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ section an NSEC RR and associated RRSIG RR(s) proving that the zone
+ does not contain a closer match for <SNAME, SCLASS>. If space does
+ not permit inclusion of the answer, NSEC and RRSIG RRs, the name
+ server MUST set the TC bit (see Section 3.1.1).
+
+3.1.3.4 Including NSEC RRs: Wildcard No Data Response
+
+ This case is a combination of the previous cases. The zone does not
+ contain an exact match for <SNAME, SCLASS>, and while the zone does
+ contain RRsets which match <SNAME, SCLASS> via wildcard expansion,
+ none of those RRsets match STYPE. The name server MUST include the
+ following NSEC RRs in the Authority section, along with their
+ associated RRSIG RRs:
+ o An NSEC RR proving that there are no RRsets matching STYPE at the
+ wildcard owner name which matched <SNAME, SCLASS> via wildcard
+ expansion; and
+ o An NSEC RR proving that there are no RRsets in the zone which
+ would have been a closer match for <SNAME, SCLASS>.
+
+ In some cases a single NSEC RR may prove both of these points, in
+ which case the name server SHOULD only include the NSEC RR and its
+ RRSIG RR(s) once in the Authority section.
+
+ The owner names of these NSEC and RRSIG RRs are not subject to
+ wildcard name expansion when these RRs are included in the Authority
+ section of the response.
+
+ If space does not permit inclusion of these NSEC and RRSIG RRs, the
+ name server MUST set the TC bit (see Section 3.1.1).
+
+3.1.3.5 Finding The Right NSEC RRs
+
+ As explained above, there are several situations in which a
+ security-aware authoritative name server needs to locate an NSEC RR
+ which proves that no RRsets matching a particular SNAME exist.
+ Locating such an NSEC RR within an authoritative zone is relatively
+ simple, at least in concept. The following discussion assumes that
+ the name server is authoritative for the zone which would have held
+ the nonexistent RRsets matching SNAME. The algorithm below is
+ written for clarity, not efficiency.
+
+ To find the NSEC which proves that no RRsets matching name N exist in
+ the zone Z which would have held them, construct sequence S
+ consisting of the owner names of every RRset in Z, sorted into
+ canonical order [I-D.ietf-dnsext-dnssec-records], with no duplicate
+ names. Find the name M which would have immediately preceded N in S
+ if any RRsets with owner name N had existed. M is the owner name of
+ the NSEC RR which proves that no RRsets exist with owner name N.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 13]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ The algorithm for finding the NSEC RR which proves that a given name
+ is not covered by any applicable wildcard is similar, but requires an
+ extra step. More precisely, the algorithm for finding the NSEC
+ proving that no RRsets exist with the applicable wildcard name is
+ precisely the same as the algorithm for finding the NSEC RR which
+ proves that RRsets with any other owner name do not exist: the part
+ that's missing is how to determine the name of the nonexistent
+ applicable wildcard. In practice, this is easy, because the
+ authoritative name server has already checked for the presence of
+ precisely this wildcard name as part of step (1)(c) of the normal
+ lookup algorithm described in Section 4.3.2 of [RFC1034].
+
+3.1.4 Including DS RRs In a Response
+
+ When responding to a query which has the DO bit set, a security-aware
+ authoritative name server returning a referral includes DNSSEC data
+ along with the NS RRset.
+
+ If a DS RRset is present at the delegation point, the name server
+ MUST return both the DS RRset and its associated RRSIG RR(s) in the
+ Authority section along with the NS RRset. The name server MUST
+ place the NS RRset before the DS RRset and its associated RRSIG
+ RR(s).
+
+ If no DS RRset is present at the delegation point, the name server
+ MUST return both the NSEC RR which proves that the DS RRset is not
+ present and the NSEC RR's associated RRSIG RR(s) along with the NS
+ RRset. The name server MUST place the NS RRset before the NSEC RRset
+ and its associated RRSIG RR(s).
+
+ Including these DS, NSEC, and RRSIG RRs increases the size of
+ referral messages, and may cause some or all glue RRs to be omitted.
+ If space does not permit inclusion of the DS or NSEC RRset and
+ associated RRSIG RRs, the name server MUST set the TC bit (see
+ Section 3.1.1).
+
+3.1.4.1 Responding to Queries for DS RRs
+
+ The DS resource record type is unusual in that it appears only on the
+ parent zone's side of a zone cut. For example, the DS RRset for the
+ delegation of "foo.example" is stored in the "example" zone rather
+ than in the "foo.example" zone. This requires special processing
+ rules for both name servers and resolvers, since the name server for
+ the child zone is authoritative for the name at the zone cut by the
+ normal DNS rules but the child zone does not contain the DS RRset.
+
+ A security-aware resolver sends queries to the parent zone when
+ looking for a needed DS RR at a delegation point (see Section 4.2).
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 14]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ However, special rules are necessary to avoid confusing
+ security-oblivious resolvers which might become involved in
+ processing such a query (for example, in a network configuration that
+ forces a security-aware resolver to channel its queries through a
+ security-oblivious recursive name server). The rest of this section
+ describes how a security-aware name server processes DS queries in
+ order to avoid this problem.
+
+ The need for special processing by a security-aware name server only
+ arises when all the following conditions are met:
+ o the name server has received a query for the DS RRset at a zone
+ cut; and
+ o the name server is authoritative for the child zone; and
+ o the name server is not authoritative for the parent zone; and
+ o the name server does not offer recursion.
+
+ In all other cases, the name server either has some way of obtaining
+ the DS RRset or could not have been expected to have the DS RRset
+ even by the pre-DNSSEC processing rules, so the name server can
+ return either the DS RRset or an error response according to the
+ normal processing rules.
+
+ If all of the above conditions are met, however, the name server is
+ authoritative for SNAME but cannot supply the requested RRset. In
+ this case, the name server MUST return an authoritative "no data"
+ response showing that the DS RRset does not exist in the child zone's
+ apex. See Appendix B.8 for an example of such a response.
+
+3.1.5 Responding to Queries for Type AXFR or IXFR
+
+ DNSSEC does not change the DNS zone transfer process. A signed zone
+ will contain RRSIG, DNSKEY, NSEC, and DS resource records, but these
+ records have no special meaning with respect to a zone transfer
+ operation.
+
+ An authoritative name server is not required to verify that a zone is
+ properly signed before sending or accepting a zone transfer.
+ However, an authoritative name server MAY choose to reject the entire
+ zone transfer if the zone fails meets any of the signing requirements
+ described in Section 2. The primary objective of a zone transfer is
+ to ensure that all authoritative name servers have identical copies
+ of the zone. An authoritative name server that chooses to perform
+ its own zone validation MUST NOT selectively reject some RRs and
+ accept others.
+
+ DS RRsets appear only on the parental side of a zone cut and are
+ authoritative data in the parent zone. As with any other
+ authoritative RRset, the DS RRset MUST be included in zone transfers
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 15]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ of the zone in which the RRset is authoritative data: in the case of
+ the DS RRset, this is the parent zone.
+
+ NSEC RRs appear in both the parent and child zones at a zone cut, and
+ are authoritative data in both the parent and child zones. The
+ parental and child NSEC RRs at a zone cut are never identical to each
+ other, since the NSEC RR in the child zone's apex will always
+ indicate the presence of the child zone's SOA RR while the parental
+ NSEC RR at the zone cut will never indicate the presence of an SOA
+ RR. As with any other authoritative RRs, NSEC RRs MUST be included
+ in zone transfers of the zone in which they are authoritative data:
+ the parental NSEC RR at a zone cut MUST be included zone transfers of
+ the parent zone, while the NSEC at the zone apex of the child zone
+ MUST be included in zone transfers of the child zone.
+
+ RRSIG RRs appear in both the parent and child zones at a zone cut,
+ and are authoritative in whichever zone contains the authoritative
+ RRset for which the RRSIG RR provides the signature. That is, the
+ RRSIG RR for a DS RRset or a parental NSEC RR at a zone cut will be
+ authoritative in the parent zone, while the RRSIG for any RRset in
+ the child zone's apex will be authoritative in the child zone.
+ Parental and child RRSIG RRs at a zone cut will never be identical to
+ each other, since the Signer's Name field of an RRSIG RR in the child
+ zone's apex will indicate a DNSKEY RR in the child zone's apex while
+ the same field of a parental RRSIG RR at the zone cut will indicate a
+ DNSKEY RR in the parent zone's apex. As with any other authoritative
+ RRs, RRSIG RRs MUST be included in zone transfers of the zone in
+ which they are authoritative data.
+
+3.1.6 The AD and CD Bits in an Authoritative Response
+
+ The CD and AD bits are designed for use in communication between
+ security-aware resolvers and security-aware recursive name servers.
+ These bits are for the most part not relevant to query processing by
+ security-aware authoritative name servers.
+
+ A security-aware name server does not perform signature validation
+ for authoritative data during query processing even when the CD bit
+ is clear. A security-aware name server SHOULD clear the CD bit when
+ composing an authoritative response.
+
+ A security-aware name server MUST NOT set the AD bit in a response
+ unless the name server considers all RRsets in the Answer and
+ Authority sections of the response to be authentic. A security-aware
+ name server's local policy MAY consider data from an authoritative
+ zone to be authentic without further validation, but the name server
+ MUST NOT do so unless the name server obtained the authoritative zone
+ via secure means (such as a secure zone transfer mechanism), and MUST
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 16]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ NOT do so unless this behavior has been configured explicitly.
+
+ A security-aware name server which supports recursion MUST follow the
+ rules for the CD and AD bits given in Section 3.2 when generating a
+ response that involves data obtained via recursion.
+
+3.2 Recursive Name Servers
+
+ As explained in [I-D.ietf-dnsext-dnssec-intro], a security-aware
+ recursive name server is an entity which acts in both the
+ security-aware name server and security-aware resolver roles. This
+ section uses the terms "name server side" and "resolver side" to
+ refer to the code within a security-aware recursive name server which
+ implements the security-aware name server role and the code which
+ implements the security-aware resolver role, respectively.
+
+ The resolver side follows the usual rules for caching and negative
+ caching which would apply to any security-aware resolver.
+
+3.2.1 The DO bit
+
+ The resolver side of a security-aware recursive name server MUST set
+ the DO bit when sending requests, regardless of the state of the DO
+ bit in the initiating request received by the name server side. If
+ the DO bit in an initiating query is not set, the name server side
+ MUST strip any authenticating DNSSEC RRs from the response, but MUST
+ NOT strip any DNSSEC RR types that the initiating query explicitly
+ requested.
+
+3.2.2 The CD bit
+
+ The CD bit exists in order to allow a security-aware resolver to
+ disable signature validation in a security-aware name server's
+ processing of a particular query.
+
+ The name server side MUST copy the setting of the CD bit from a query
+ to the corresponding response.
+
+ The name server side of a security-aware recursive name server MUST
+ pass the sense of the CD bit to the resolver side along with the rest
+ of an initiating query, so that the resolver side will know whether
+ or not it is required to verify the response data it returns to the
+ name server side. If the CD bit is set, it indicates that the
+ originating resolver is willing to perform whatever authentication
+ its local policy requires, thus the resolver side of the recursive
+ name server need not perform authentication on the RRsets in the
+ response. When the CD bit is set the recursive name server SHOULD,
+ if possible, return the requested data to the originating resolver
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 17]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ even if the recursive name server's local authentication policy would
+ reject the records in question. That is, by setting the CD bit, the
+ originating resolver has indicated that it takes responsibility for
+ performing its own authentication, and the recursive name server
+ should not interfere.
+
+ If the resolver side implements a BAD cache (see Section 4.7) and the
+ name server side receives a query which matches an entry in the
+ resolver side's BAD cache, the name server side's response depends on
+ the sense of the CD bit in the original query. If the CD bit is set,
+ the name server side SHOULD return the data from the BAD cache; if
+ the CD bit is not set, the name server side MUST return RCODE 2
+ (server failure).
+
+ The intent of the above rule is to provide the raw data to clients
+ which are capable of performing their own signature verification
+ checks while protecting clients which depend on the resolver side of
+ a security-aware recursive name server to perform such checks.
+ Several of the possible reasons why signature validation might fail
+ involve conditions which may not apply equally to the recursive name
+ server and the client which invoked it: for example, the recursive
+ name server's clock may be set incorrectly, or the client may have
+ knowledge of a relevant island of security which the recursive name
+ server does not share. In such cases, "protecting" a client which is
+ capable of performing its own signature validation from ever seeing
+ the "bad" data does not help the client.
+
+3.2.3 The AD bit
+
+ The name server side of a security-aware recursive name server MUST
+ NOT set the AD bit in a response unless the name server considers all
+ RRsets in the Answer and Authority sections of the response to be
+ authentic. The name server side SHOULD set the AD bit if and only if
+ the resolver side considers all RRsets in the Answer section and any
+ relevant negative response RRs in the Authority section to be
+ authentic. The resolver side MUST follow the procedure described in
+ Section 5 to determine whether the RRs in question are authentic.
+ However, for backwards compatibility, a recursive name server MAY set
+ the AD bit when a response includes unsigned CNAME RRs if those CNAME
+ RRs demonstrably could have been synthesized from an authentic DNAME
+ RR which is also included in the response according to the synthesis
+ rules described in [RFC2672].
+
+3.3 Example DNSSEC Responses
+
+ See Appendix B for example response packets.
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 18]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+4. Resolving
+
+ This section describes the behavior of entities that include
+ security-aware resolver functions. In many cases such functions will
+ be part of a security-aware recursive name server, but a stand-alone
+ security-aware resolver has many of the same requirements. Functions
+ specific to security-aware recursive name servers are described in
+ Section 3.2.
+
+4.1 EDNS Support
+
+ A security-aware resolver MUST include an EDNS [RFC2671] OPT
+ pseudo-RR with the DO [RFC3225] bit set when sending queries.
+
+ A security-aware resolver MUST support a message size of at least
+ 1220 octets, SHOULD support a message size of 4000 octets, and MUST
+ advertise the supported message size using the "sender's UDP payload
+ size" field in the EDNS OPT pseudo-RR. A security-aware resolver
+ MUST handle fragmented UDP packets correctly regardless of whether
+ any such fragmented packets were received via IPv4 or IPv6. Please
+ see [RFC3226] for discussion of these requirements.
+
+4.2 Signature Verification Support
+
+ A security-aware resolver MUST support the signature verification
+ mechanisms described in Section 5, and SHOULD apply them to every
+ received response except when:
+ o The security-aware resolver is part of a security-aware recursive
+ name server, and the response is the result of recursion on behalf
+ of a query received with the CD bit set;
+ o The response is the result of a query generated directly via some
+ form of application interface which instructed the security-aware
+ resolver not to perform validation for this query; or
+ o Validation for this query has been disabled by local policy.
+
+ A security-aware resolver's support for signature verification MUST
+ include support for verification of wildcard owner names.
+
+ Security aware resolvers MAY query for missing security RRs in an
+ attempt to perform validation; implementations that choose to do so
+ must be aware that the answers received may not be sufficient to
+ validate the original response.
+
+ When attempting to retrieve missing NSEC RRs which reside on the
+ parental side at a zone cut, a security-aware iterative-mode resolver
+ MUST query the name servers for the parent zone, not the child zone.
+
+ When attempting to retrieve a missing DS, a security-aware
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 19]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ iterative-mode resolver MUST query the name servers for the parent
+ zone, not the child zone. As explained in Section 3.1.4.1,
+ security-aware name servers need to apply special processing rules to
+ handle the DS RR, and in some situations the resolver may also need
+ to apply special rules to locate the name servers for the parent zone
+ if the resolver does not already have the parent's NS RRset. To
+ locate the parent NS RRset, the resolver can start with the
+ delegation name, strip off the leftmost label, and query for an NS
+ RRset by that name; if no NS RRset is present at that name, the
+ resolver then strips of the leftmost remaining label and retries the
+ query for that name, repeating this process of walking up the tree
+ until it either finds the NS RRset or runs out of labels.
+
+4.3 Determining Security Status of Data
+
+ A security-aware resolver MUST be able to determine whether or not it
+ should expect a particular RRset to be signed. More precisely, a
+ security-aware resolver must be able to distinguish between four
+ cases:
+
+ Secure: An RRset for which the resolver is able to build a chain of
+ signed DNSKEY and DS RRs from a trusted security anchor to the
+ RRset. In this case, the RRset should be signed, and is subject
+ to signature validation as described above.
+
+ Insecure: An RRset for which the resolver knows that it has no chain
+ of signed DNSKEY and DS RRs from any trusted starting point to the
+ RRset. This can occur when the target RRset lies in an unsigned
+ zone or in a descendent of an unsigned zone. In this case, the
+ RRset may or may not be signed, but the resolver will not be able
+ to verify the signature.
+
+ Bogus: An RRset for which the resolver believes that it ought to be
+ able to establish a chain of trust but is unable to do so, either
+ due to signatures that for some reason fail to validate or due to
+ missing data which the relevant DNSSEC RRs indicate should be
+ present. This case may indicate an attack, but may also indicate
+ a configuration error or some form of data corruption.
+
+ Indeterminate: An RRset for which the resolver is not able to
+ determine whether or not the RRset should be signed, because the
+ resolver is not able to obtain the necessary DNSSEC RRs. This can
+ occur when the security-aware resolver is not able to contact
+ security-aware name servers for the relevant zones.
+
+4.4 Configured Trust Anchors
+
+ A security-aware resolver MUST be capable of being configured with at
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 20]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ least one trusted public key or DS RR, and SHOULD be capable of being
+ configured with multiple trusted public keys or DS RRs. Since a
+ security-aware resolver will not be able to validate signatures
+ without such a configured trust anchor, the resolver SHOULD have some
+ reasonably robust mechanism for obtaining such keys when it boots;
+ examples of such a mechanism would be some form of non-volatile
+ storage (such as a disk drive) or some form of trusted local network
+ configuration mechanism.
+
+ Note that trust anchors also covers key material that is updated in a
+ secure manner. This secure manner could be through physical media, a
+ key exchange protocol, or some other out of band means.
+
+4.5 Response Caching
+
+ A security-aware resolver SHOULD cache each response as a single
+ atomic entry containing the entire answer, including the named RRset
+ and any associated DNSSEC RRs. The resolver SHOULD discard the
+ entire atomic entry when any of the RRs contained in it expire. In
+ most cases the appropriate cache index for the atomic entry will be
+ the triple <QNAME, QTYPE, QCLASS>, but in cases such as the response
+ form described in Section 3.1.3.2 the appropriate cache index will be
+ the double <QNAME,QCLASS>.
+
+ The reason for these recommendations is that, between the initial
+ query and the expiration of the data from the cache, the
+ authoritative data might have been changed (for example, via dynamic
+ update).
+
+ There are two situations for which this is relevant:
+ 1. By using the RRSIG record, it is possible to deduce that an
+ answer was synthesized from a wildcard. A security aware
+ recursive name server could store this wildcard data and use it
+ to generate positive responses to queries other than the name for
+ which the original answer was first received.
+ 2. NSEC RRs received to prove the non-existence of a name could be
+ reused by a security aware resolver to prove the non-existence of
+ any name in the name range it spans.
+
+ In theory, a resolver could use wildcards or NSEC RRs to generate
+ positive and negative responses (respectively) until the TTL or
+ signatures on the records in question expire. However, it seems
+ prudent for resolvers to avoid blocking new authoritative data or
+ synthesizing new data on their own. Resolvers which follow this
+ recommendation will have a more consistent view of the namespace.
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 21]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+4.6 Handling of the CD and AD bits
+
+ A security-aware resolver MAY set a query's CD bit in order to
+ indicate that the resolver takes responsibility for performing
+ whatever authentication its local policy requires on the RRsets in
+ the response. See Section 3.2 for the effect this bit has on the
+ behavior of security-aware recursive name servers.
+
+ A security-aware resolver MUST clear the AD bit when composing query
+ messages to protect against buggy name servers which blindly copy
+ header bits which they do not understand from the query message to
+ the response message.
+
+ A resolver MUST disregard the meaning of the CD and AD bits in a
+ response unless the response was obtained using a secure channel or
+ the resolver was specifically configured to regard the message header
+ bits without using a secure channel.
+
+4.7 Caching BAD Data
+
+ While many validation errors will be transient, some are likely to be
+ more persistent, such as those caused by administrative error
+ (failure to re-sign a zone, clock skew, and so forth). Since
+ requerying will not help in these cases, validating resolvers might
+ generate a significant amount of unnecessary DNS traffic as a result
+ of repeated queries for RRsets with persistent validation failures.
+
+ To prevent such unnecessary DNS traffic, security-aware resolvers MAY
+ cache data with invalid signatures, with some restrictions.
+ Conceptually, caching such data is similar to negative caching
+ [RFC2308], except that instead of caching a valid negative response,
+ the resolver is caching the fact that a particular answer failed to
+ validate. This document refers to a cache of data with invalid
+ signatures as a "BAD cache".
+
+ Resolvers which implement a BAD cache MUST take steps to prevent the
+ cache from being useful as a denial-of-service attack amplifier. In
+ particular:
+ o Since RRsets which fail to validate do not have trustworthy TTLs,
+ the implementation MUST assign a TTL. This TTL SHOULD be small,
+ in order to mitigate the effect of caching the results of an
+ attack.
+ o In order to prevent caching of a transient validation failure
+ (which might be the result of an attack), resolvers SHOULD track
+ queries that result in validation failures, and SHOULD only answer
+ from the BAD cache after the number of times that responses to
+ queries for that particular <QNAME, QTYPE, QCLASS> have failed to
+ validate exceeds a threshold value.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 22]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ Resolvers MUST NOT return RRsets from the BAD cache unless the
+ resolver is not required to validate the signatures of the RRsets in
+ question under the rules given in Section 4.2 of this document. See
+ Section 3.2.2 for discussion of how the responses returned by a
+ security-aware recursive name server interact with a BAD cache.
+
+4.8 Synthesized CNAMEs
+
+ A validating security-aware resolver MUST treat the signature of a
+ valid signed DNAME RR as also covering unsigned CNAME RRs which could
+ have been synthesized from the DNAME RR as described in [RFC2672], at
+ least to the extent of not rejecting a response message solely
+ because it contains such CNAME RRs. The resolver MAY retain such
+ CNAME RRs in its cache or in the answers it hands back, but is not
+ required to do so.
+
+4.9 Stub resolvers
+
+ A security-aware stub resolver MUST support the DNSSEC RR types, at
+ least to the extent of not mishandling responses just because they
+ contain DNSSEC RRs.
+
+4.9.1 Handling of the DO Bit
+
+ A non-validating security-aware stub resolver MAY include the DNSSEC
+ RRs returned by a security-aware recursive name server as part of the
+ data that the stub resolver hands back to the application which
+ invoked it but is not required to do so. A non-validating stub
+ resolver that wishes to do this will need to set the DO bit in
+ receive DNSSEC RRs from the recursive name server.
+
+ A validating security-aware stub resolver MUST set the DO bit, since
+ otherwise it will not receive the DNSSEC RRs it needs to perform
+ signature validation.
+
+4.9.2 Handling of the CD Bit
+
+ A non-validating security-aware stub resolver SHOULD NOT set the CD
+ bit when sending queries unless requested by the application layer,
+ since by definition, a non-validating stub resolver depends on the
+ security-aware recursive name server to perform validation on its
+ behalf.
+
+ A validating security-aware stub resolver SHOULD set the CD bit,
+ since otherwise the security-aware recursive name server will answer
+ the query using the name server's local policy, which may prevent the
+ stub resolver from receiving data which would be acceptable to the
+ stub resolver's local policy.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 23]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+4.9.3 Handling of the AD Bit
+
+ A non-validating security-aware stub resolver MAY chose to examine
+ the setting of the AD bit in response messages that it receives in
+ order to determine whether the security-aware recursive name server
+ which sent the response claims to have cryptographically verified the
+ data in the Answer and Authority sections of the response message.
+ Note, however, that the responses received by a security-aware stub
+ resolver are heavily dependent on the local policy of the
+ security-aware recursive name server, so as a practical matter there
+ may be little practical value to checking the status of the AD bit
+ except perhaps as a debugging aid. In any case, a security-aware
+ stub resolver MUST NOT place any reliance on signature validation
+ allegedly performed on its behalf except when the security-aware stub
+ resolver obtained the data in question from a trusted security-aware
+ recursive name server via a secure channel.
+
+ A validating security-aware stub resolver SHOULD NOT examine the
+ setting of the AD bit in response messages, since, by definition, the
+ stub resolver performs its own signature validation regardless of the
+ setting of the AD bit.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 24]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+5. Authenticating DNS Responses
+
+ In order to use DNSSEC RRs for authentication, a security-aware
+ resolver requires configured knowledge of at least one authenticated
+ DNSKEY or DS RR. The process for obtaining and authenticating this
+ initial trust anchors is achieved via some external mechanism. For
+ example, a resolver could use some off-line authenticated exchange to
+ obtain a zone's DNSKEY RR or obtain a DS RR that identifies and
+ authenticates a zone's DNSKEY RR. The remainder of this section
+ assumes that the resolver has somehow obtained an initial set of
+ trust anchors.
+
+ An initial DNSKEY RR can be used to authenticate a zone's apex DNSKEY
+ RRset. To authenticate an apex DNSKEY RRset using an initial key,
+ the resolver MUST:
+ 1. Verify that the initial DNSKEY RR appears in the apex DNSKEY
+ RRset, and verify that the DNSKEY RR MUST have the Zone Key Flag
+ (DNSKEY RDATA bit 7) set.
+ 2. Verify that there is some RRSIG RR that covers the apex DNSKEY
+ RRset, and that the combination of the RRSIG RR and the initial
+ DNSKEY RR authenticates the DNSKEY RRset. The process for using
+ an RRSIG RR to authenticate an RRset is described in Section 5.3.
+
+ Once the resolver has authenticated the apex DNSKEY RRset using an
+ initial DNSKEY RR, delegations from that zone can be authenticated
+ using DS RRs. This allows a resolver to start from an initial key,
+ and use DS RRsets to proceed recursively down the DNS tree obtaining
+ other apex DNSKEY RRsets. If the resolver were configured with a
+ root DNSKEY RR, and if every delegation had a DS RR associated with
+ it, then the resolver could obtain and validate any apex DNSKEY
+ RRset. The process of using DS RRs to authenticate referrals is
+ described in Section 5.2.
+
+ Once the resolver has authenticated a zone's apex DNSKEY RRset,
+ Section 5.3 shows how the resolver can use DNSKEY RRs in the apex
+ DNSKEY RRset and RRSIG RRs from the zone to authenticate any other
+ RRsets in the zone. Section 5.4 shows how the resolver can use
+ authenticated NSEC RRsets from the zone to prove that an RRset is not
+ present in the zone.
+
+ When a resolver indicates support for DNSSEC (by setting the DO bit),
+ a security-aware name server should attempt to provide the necessary
+ DNSKEY, RRSIG, NSEC, and DS RRsets in a response (see Section 3).
+ However, a security-aware resolver may still receive a response that
+ that lacks the appropriate DNSSEC RRs, whether due to configuration
+ issues such as an upstream security-oblivious recursive name server
+ that accidentally interferes with DNSSEC RRs or due to a deliberate
+ attack in which an adversary forges a response, strips DNSSEC RRs
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 25]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ from a response, or modifies a query so that DNSSEC RRs appear not to
+ be requested. The absence of DNSSEC data in a response MUST NOT by
+ itself be taken as an indication that no authentication information
+ exists.
+
+ A resolver SHOULD expect authentication information from signed
+ zones. A resolver SHOULD believe that a zone is signed if the
+ resolver has been configured with public key information for the
+ zone, or if the zone's parent is signed and the delegation from the
+ parent contains a DS RRset.
+
+5.1 Special Considerations for Islands of Security
+
+ Islands of security (see [I-D.ietf-dnsext-dnssec-intro]) are signed
+ zones for which it is not possible to construct an authentication
+ chain to the zone from its parent. Validating signatures within an
+ island of security requires the validator to have some other means of
+ obtaining an initial authenticated zone key for the island. If a
+ validator cannot obtain such a key, it SHOULD switch to operating as
+ if the zones in the island of security are unsigned.
+
+ All the normal processes for validating responses apply to islands of
+ security. The only difference between normal validation and
+ validation within an island of security is in how the validator
+ obtains a trust anchor for the authentication chain.
+
+5.2 Authenticating Referrals
+
+ Once the apex DNSKEY RRset for a signed parent zone has been
+ authenticated, DS RRsets can be used to authenticate the delegation
+ to a signed child zone. A DS RR identifies a DNSKEY RR in the child
+ zone's apex DNSKEY RRset, and contains a cryptographic digest of the
+ child zone's DNSKEY RR. A strong cryptographic digest algorithm
+ ensures that an adversary can not easily generate a DNSKEY RR that
+ matches the digest. Thus, authenticating the digest allows a
+ resolver to authenticate the matching DNSKEY RR. The resolver can
+ then use this child DNSKEY RR to authenticate the entire child apex
+ DNSKEY RRset.
+
+ Given a DS RR for a delegation, the child zone's apex DNSKEY RRset
+ can be authenticated if all of the following hold:
+ o The DS RR has been authenticated using some DNSKEY RR in the
+ parent's apex DNSKEY RRset (see Section 5.3);
+ o The Algorithm and Key Tag in the DS RR match the Algorithm field
+ and the key tag of a DNSKEY RR in the child zone's apex DNSKEY
+ RRset and, when hashed using the digest algorithm specified in the
+ DS RR's Digest Type field, results in a digest value that matches
+ the Digest field of the DS RR; and
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 26]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ o The matching DNSKEY RR in the child zone has the Zone Flag bit
+ set, the corresponding private key has signed the child zone's
+ apex DNSKEY RRset, and the resulting RRSIG RR authenticates the
+ child zone's apex DNSKEY RRset.
+
+ If the referral from the parent zone did not contain a DS RRset, the
+ response should have included a signed NSEC RRset proving that no DS
+ RRset exists for the delegated name (see Section 3.1.4). A
+ security-aware resolver MUST query the name servers for the parent
+ zone for the DS RRset if the referral includes neither a DS RRset nor
+ a NSEC RRset proving that the DS RRset does not exist (see Section
+ 4).
+
+ If the validator authenticates an NSEC RRset that proves that no DS
+ RRset is present for this zone, then there is no authentication path
+ leading from the parent to the child. If the resolver has an initial
+ DNSKEY or DS RR that belongs to the child zone or to any delegation
+ below the child zone, this initial DNSKEY or DS RR MAY be used to
+ re-establish an authentication path. If no such initial DNSKEY or DS
+ RR exists, the validator can not authenticate RRsets in or below the
+ child zone.
+
+ If the validator does not support any of the algorithms listed in an
+ authenticated DS RRset, then the resolver has no supported
+ authentication path leading from the parent to the child. The
+ resolver should treat this case as it would the case of an
+ authenticated NSEC RRset proving that no DS RRset exists, as
+ described above.
+
+ Note that, for a signed delegation, there are two NSEC RRs associated
+ with the delegated name. One NSEC RR resides in the parent zone, and
+ can be used to prove whether a DS RRset exists for the delegated
+ name. The second NSEC RR resides in the child zone, and identifies
+ which RRsets are present at the apex of the child zone. The parent
+ NSEC RR and child NSEC RR can always be distinguished, since the SOA
+ bit will be set in the child NSEC RR and clear in the parent NSEC RR.
+ A security-aware resolver MUST use the parent NSEC RR when attempting
+ to prove that a DS RRset does not exist.
+
+ If the resolver does not support any of the algorithms listed in an
+ authenticated DS RRset, then the resolver will not be able to verify
+ the authentication path to the child zone. In this case, the
+ resolver SHOULD treat the child zone as if it were unsigned.
+
+5.3 Authenticating an RRset Using an RRSIG RR
+
+ A validator can use an RRSIG RR and its corresponding DNSKEY RR to
+ attempt to authenticate RRsets. The validator first checks the RRSIG
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 27]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ RR to verify that it covers the RRset, has a valid time interval, and
+ identifies a valid DNSKEY RR. The validator then constructs the
+ canonical form of the signed data by appending the RRSIG RDATA
+ (excluding the Signature Field) with the canonical form of the
+ covered RRset. Finally, the validator uses the public key and
+ signature to authenticate the signed data. Section 5.3.1, Section
+ 5.3.2, and Section 5.3.3 describe each step in detail.
+
+5.3.1 Checking the RRSIG RR Validity
+
+ A security-aware resolver can use an RRSIG RR to authenticate an
+ RRset if all of the following conditions hold:
+ o The RRSIG RR and the RRset MUST have the same owner name and the
+ same class;
+ o The RRSIG RR's Signer's Name field MUST be the name of the zone
+ that contains the RRset;
+ o The RRSIG RR's Type Covered field MUST equal the RRset's type;
+ o The number of labels in the RRset owner name MUST be greater than
+ or equal to the value in the RRSIG RR's Labels field;
+ o The validator's notion of the current time MUST be less than or
+ equal to the time listed in the RRSIG RR's Expiration field;
+ o The validator's notion of the current time MUST be greater than or
+ equal to the time listed in the RRSIG RR's Inception field;
+ o The RRSIG RR's Signer's Name, Algorithm, and Key Tag fields MUST
+ match the owner name, algorithm, and key tag for some DNSKEY RR in
+ the zone's apex DNSKEY RRset;
+ o The matching DNSKEY RR MUST be present in the zone's apex DNSKEY
+ RRset, and MUST have the Zone Flag bit (DNSKEY RDATA Flag bit 7)
+ set.
+
+ It is possible for more than one DNSKEY RR to match the conditions
+ above. In this case, the validator cannot predetermine which DNSKEY
+ RR to use to authenticate the signature, MUST try each matching
+ DNSKEY RR until either the signature is validated or the validator
+ has run out of matching public keys to try.
+
+ Note that this authentication process is only meaningful if the
+ validator authenticates the DNSKEY RR before using it to validate
+ signatures. The matching DNSKEY RR is considered to be authentic if:
+ o The apex DNSKEY RRset containing the DNSKEY RR is considered
+ authentic; or
+ o The RRset covered by the RRSIG RR is the apex DNSKEY RRset itself,
+ and the DNSKEY RR either matches an authenticated DS RR from the
+ parent zone or matches a trust anchor.
+
+5.3.2 Reconstructing the Signed Data
+
+ Once the RRSIG RR has met the validity requirements described in
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 28]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ Section 5.3.1, the validator needs to reconstruct the original signed
+ data. The original signed data includes RRSIG RDATA (excluding the
+ Signature field) and the canonical form of the RRset. Aside from
+ being ordered, the canonical form of the RRset might also differ from
+ the received RRset due to DNS name compression, decremented TTLs, or
+ wildcard expansion. The validator should use the following to
+ reconstruct the original signed data:
+
+ signed_data = RRSIG_RDATA | RR(1) | RR(2)... where
+
+ "|" denotes concatenation
+
+ RRSIG_RDATA is the wire format of the RRSIG RDATA fields
+ with the Signature field excluded and the Signer's Name
+ in canonical form.
+
+ RR(i) = name | type | class | OrigTTL | RDATA length | RDATA
+
+ name is calculated according to the function below
+
+ class is the RRset's class
+
+ type is the RRset type and all RRs in the class
+
+ OrigTTL is the value from the RRSIG Original TTL field
+
+ All names in the RDATA field are in canonical form
+
+ The set of all RR(i) is sorted into canonical order.
+
+ To calculate the name:
+ let rrsig_labels = the value of the RRSIG Labels field
+
+ let fqdn = RRset's fully qualified domain name in
+ canonical form
+
+ let fqdn_labels = Label count of the fqdn above.
+
+ if rrsig_labels = fqdn_labels,
+ name = fqdn
+
+ if rrsig_labels < fqdn_labels,
+ name = "*." | the rightmost rrsig_label labels of the
+ fqdn
+
+ if rrsig_labels > fqdn_labels
+ the RRSIG RR did not pass the necessary validation
+ checks and MUST NOT be used to authenticate this
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 29]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ RRset.
+
+ The canonical forms for names and RRsets are defined in
+ [I-D.ietf-dnsext-dnssec-records].
+
+ NSEC RRsets at a delegation boundary require special processing.
+ There are two distinct NSEC RRsets associated with a signed delegated
+ name. One NSEC RRset resides in the parent zone, and specifies which
+ RRset are present at the parent zone. The second NSEC RRset resides
+ at the child zone, and identifies which RRsets are present at the
+ apex in the child zone. The parent NSEC RRset and child NSEC RRset
+ can always be distinguished since only the child NSEC RRs will
+ specify an SOA RRset exists at the name. When reconstructing the
+ original NSEC RRset for the delegation from the parent zone, the NSEC
+ RRs MUST NOT be combined with NSEC RRs from the child zone, and when
+ reconstructing the original NSEC RRset for the apex of the child
+ zone, the NSEC RRs MUST NOT be combined with NSEC RRs from the parent
+ zone.
+
+ Note also that each of the two NSEC RRsets at a delegation point has
+ a corresponding RRSIG RR with an owner name matching the delegated
+ name, and each of these RRSIG RRs is authoritative data associated
+ with the same zone that contains the corresponding NSEC RRset. If
+ necessary, a resolver can tell these RRSIG RRs apart by checking the
+ Signer's Name field.
+
+5.3.3 Checking the Signature
+
+ Once the resolver has validated the RRSIG RR as described in Section
+ 5.3.1 and reconstructed the original signed data as described in
+ Section 5.3.2, the validator can attempt to use the cryptographic
+ signature to authenticate the signed data, and thus (finally!)
+ authenticate the RRset.
+
+ The Algorithm field in the RRSIG RR identifies the cryptographic
+ algorithm used to generate the signature. The signature itself is
+ contained in the Signature field of the RRSIG RDATA, and the public
+ key used to verify the signature is contained in the Public Key field
+ of the matching DNSKEY RR(s) (found in Section 5.3.1).
+ [I-D.ietf-dnsext-dnssec-records] provides a list of algorithm types
+ and provides pointers to the documents that define each algorithm's
+ use.
+
+ Note that it is possible for more than one DNSKEY RR to match the
+ conditions in Section 5.3.1. In this case, the validator can only
+ determine which DNSKEY RR by trying each matching public key until
+ the validator either succeeds in validating the signature or runs out
+ of keys to try.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 30]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ If the Labels field of the RRSIG RR is not equal to the number of
+ labels in the RRset's fully qualified owner name, then the RRset is
+ either invalid or the result of wildcard expansion. The resolver
+ MUST verify that wildcard expansion was applied properly before
+ considering the RRset to be authentic. Section 5.3.4 describes how
+ to determine whether a wildcard was applied properly.
+
+ If other RRSIG RRs also cover this RRset, the local resolver security
+ policy determines whether the resolver also needs to test these RRSIG
+ RRs, and determines how to resolve conflicts if these RRSIG RRs lead
+ to differing results.
+
+ If the resolver accepts the RRset as authentic, the validator MUST
+ set the TTL of the RRSIG RR and each RR in the authenticated RRset to
+ a value no greater than the minimum of:
+ o The RRset's TTL as received in the response;
+ o The RRSIG RR's TTL as received in the response;
+ o The value in the RRSIG RR's Original TTL field; and
+ o The difference of the RRSIG RR's Signature Expiration time and the
+ current time.
+
+5.3.4 Authenticating A Wildcard Expanded RRset Positive Response
+
+ If the number of labels in an RRset's owner name is greater than the
+ Labels field of the covering RRSIG RR, then the RRset and its
+ covering RRSIG RR were created as a result of wildcard expansion.
+ Once the validator has verified the signature as described in Section
+ 5.3, it must take additional steps to verify the non-existence of an
+ exact match or closer wildcard match for the query. Section 5.4
+ discusses these steps.
+
+ Note that the response received by the resolver should include all
+ NSEC RRs needed to authenticate the response (see Section 3.1.3).
+
+5.4 Authenticated Denial of Existence
+
+ A resolver can use authenticated NSEC RRs to prove that an RRset is
+ not present in a signed zone. Security-aware name servers should
+ automatically include any necessary NSEC RRs for signed zones in
+ their responses to security-aware resolvers.
+
+ Denial of existence is determined by the following rules:
+ o If the requested RR name matches the owner name of an
+ authenticated NSEC RR, then the NSEC RR's type bit map field lists
+ all RR types present at that owner name, and a resolver can prove
+ that the requested RR type does not exist by checking for the RR
+ type in the bit map. If the number of labels in an authenticated
+ NSEC RR's owner name equals the Labels field of the covering RRSIG
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 31]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ RR, then the existence of the NSEC RR proves that wildcard
+ expansion could not have been used to match the request.
+ o If the requested RR name would appear after an authenticated NSEC
+ RR's owner name and before the name listed in that NSEC RR's Next
+ Domain Name field according to the canonical DNS name order
+ defined in [I-D.ietf-dnsext-dnssec-records], then no RRsets with
+ the requested name exist in the zone. However, it is possible
+ that a wildcard could be used to match the requested RR owner name
+ and type, so proving that the requested RRset does not exist also
+ requires proving that no possible wildcard RRset exists that could
+ have been used to generate a positive response.
+
+ In addition, security-aware resolvers MUST authenticate the NSEC
+ RRsets that comprise the non-existence proof as described in Section
+ 5.3.
+
+ To prove non-existence of an RRset, the resolver must be able to
+ verify both that the queried RRset does not exist and that no
+ relevant wildcard RRset exists. Proving this may require more than
+ one NSEC RRset from the zone. If the complete set of necessary NSEC
+ RRsets is not present in a response (perhaps due to message
+ truncation), then a security-aware resolver MUST resend the query in
+ order to attempt to obtain the full collection of NSEC RRs necessary
+ to verify non-existence of the requested RRset. As with all DNS
+ operations, however, the resolver MUST bound the work it puts into
+ answering any particular query.
+
+ Since a validated NSEC RR proves the existence of both itself and its
+ corresponding RRSIG RR, a validator MUST ignore the settings of the
+ NSEC and RRSIG bits in an NSEC RR.
+
+5.5 Resolver Behavior When Signatures Do Not Validate
+
+ If for whatever reason none of the RRSIGs can be validated, the
+ response SHOULD be considered BAD. If the validation was being done
+ to service a recursive query, the name server MUST return RCODE 2 to
+ the originating client. However, it MUST return the full response if
+ and only if the original query had the CD bit set. See also Section
+ 4.7 on caching responses that do not validate.
+
+5.6 Authentication Example
+
+ Appendix C shows an example the authentication process.
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 32]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+6. IANA Considerations
+
+ [I-D.ietf-dnsext-dnssec-records] contains a review of the IANA
+ considerations introduced by DNSSEC. The additional IANA
+ considerations discussed in this document:
+
+ [RFC2535] reserved the CD and AD bits in the message header. The
+ meaning of the AD bit was redefined in [RFC3655] and the meaning of
+ both the CD and AD bit are restated in this document. No new bits in
+ the DNS message header are defined in this document.
+
+ [RFC2671] introduced EDNS and [RFC3225] reserved the DNSSEC OK bit
+ and defined its use. The use is restated but not altered in this
+ document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 33]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+7. Security Considerations
+
+ This document describes how the DNS security extensions use public
+ key cryptography to sign and authenticate DNS resource record sets.
+ Please see [I-D.ietf-dnsext-dnssec-intro] for terminology and general
+ security considerations related to DNSSEC; see
+ [I-D.ietf-dnsext-dnssec-intro] for considerations specific to the
+ DNSSEC resource record types.
+
+ An active attacker who can set the CD bit in a DNS query message or
+ the AD bit in a DNS response message can use these bits to defeat the
+ protection which DNSSEC attempts to provide to security-oblivious
+ recursive-mode resolvers. For this reason, use of these control bits
+ by a security-aware recursive-mode resolver requires a secure
+ channel. See Section 3.2.2 and Section 4.9 for further discussion.
+
+ The protocol described in this document attempts to extend the
+ benefits of DNSSEC to security-oblivious stub resolvers. However,
+ since recovery from validation failures is likely to be specific to
+ particular applications, the facilities that DNSSEC provides for stub
+ resolvers may prove inadequate. Operators of security-aware
+ recursive name servers will need to pay close attention to the
+ behavior of the applications which use their services when choosing a
+ local validation policy; failure to do so could easily result in the
+ recursive name server accidentally denying service to the clients it
+ is intended to support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 34]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+8. Acknowledgements
+
+ This document was created from the input and ideas of the members of
+ the DNS Extensions Working Group and working group mailing list. The
+ editors would like to express their thanks for the comments and
+ suggestions received during the revision of these security extension
+ specifications. While explicitly listing everyone who has
+ contributed during the decade during which DNSSEC has been under
+ development would be an impossible task,
+ [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
+ participants who were kind enough to comment on these documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 35]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+9. References
+
+9.1 Normative References
+
+ [I-D.ietf-dnsext-dnssec-intro]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "DNS Security Introduction and Requirements",
+ draft-ietf-dnsext-dnssec-intro-10 (work in progress), May
+ 2004.
+
+ [I-D.ietf-dnsext-dnssec-records]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Resource Records for DNS Security Extensions",
+ draft-ietf-dnsext-dnssec-records-08 (work in progress),
+ May 2004.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+ August 1996.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
+ 2672, August 1999.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+ [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+ message size requirements", RFC 3226, December 2001.
+
+9.2 Informative References
+
+ [I-D.ietf-dnsext-nsec-rdata]
+ Schlyter, J., "DNSSEC NSEC RDATA Format",
+ draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 36]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ 2004.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC3655] Wellington, B. and O. Gudmundsson, "Redefinition of DNS
+ Authenticated Data (AD) bit", RFC 3655, November 2003.
+
+ [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
+ (RR)", RFC 3658, December 2003.
+
+
+Authors' Addresses
+
+ Roy Arends
+ Telematica Instituut
+ Drienerlolaan 5
+ 7522 NB Enschede
+ NL
+
+ EMail: roy.arends@telin.nl
+
+
+ Matt Larson
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ EMail: mlarson@verisign.com
+
+
+ Rob Austein
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ EMail: sra@isc.org
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 37]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ Dan Massey
+ USC Information Sciences Institute
+ 3811 N. Fairfax Drive
+ Arlington, VA 22203
+ USA
+
+ EMail: masseyd@isi.edu
+
+
+ Scott Rose
+ National Institute for Standards and Technology
+ 100 Bureau Drive
+ Gaithersburg, MD 20899-8920
+ USA
+
+ EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 38]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+Appendix A. Signed Zone Example
+
+ The following example shows a (small) complete signed zone.
+
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1081539377
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ 3600 RRSIG SOA 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
+ 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
+ vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
+ DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
+ jV7j86HyQgM5e7+miRAz8V01b0I= )
+ 3600 NS ns1.example.
+ 3600 NS ns2.example.
+ 3600 RRSIG NS 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
+ EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
+ 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
+ RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
+ 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
+ 3600 MX 1 xx.example.
+ 3600 RRSIG MX 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ HyDHYVT5KHSZ7HtO/vypumPmSZQrcOP3tzWB
+ 2qaKkHVPfau/DgLgS/IKENkYOGL95G4N+NzE
+ VyNU8dcTOckT+ChPcGeVjguQ7a3Ao9Z/ZkUO
+ 6gmmUW4b89rz1PUxW4jzUxj66PTwoVtUU/iM
+ W6OISukd1EQt7a0kygkg+PEDxdI= )
+ 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
+ 3600 RRSIG NSEC 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
+ FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
+ Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
+ SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
+ jfFJ5arXf4nPxp/kEowGgBRzY/U= )
+ 3600 DNSKEY 256 3 5 (
+ AQOy1bZVvpPqhg4j7EJoM9rI3ZmyEx2OzDBV
+ rZy/lvI5CQePxXHZS4i8dANH4DX3tbHol61e
+ k8EFMcsGXxKciJFHyhl94C+NwILQdzsUlSFo
+ vBZsyl/NX6yEbtw/xN9ZNcrbYvgjjZ/UVPZI
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 39]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ySFNsgEYvh0z2542lzMKR4Dh8uZffQ==
+ )
+ 3600 DNSKEY 257 3 5 (
+ AQOeX7+baTmvpVHb2CcLnL1dMRWbuscRvHXl
+ LnXwDzvqp4tZVKp1sZMepFb8MvxhhW3y/0QZ
+ syCjczGJ1qk8vJe52iOhInKROVLRwxGpMfzP
+ RLMlGybr51bOV/1se0ODacj3DomyB4QB5gKT
+ Yot/K9alk5/j8vfd4jWCWD+E1Sze0Q==
+ )
+ 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
+ 20040409183619 9465 example.
+ ZxgauAuIj+k1YoVEOSlZfx41fcmKzTFHoweZ
+ xYnz99JVQZJ33wFS0Q0jcP7VXKkaElXk9nYJ
+ XevO/7nAbo88iWsMkSpSR6jWzYYKwfrBI/L9
+ hjYmyVO9m6FjQ7uwM4dCP/bIuV/DKqOAK9NY
+ NC3AHfvCV1Tp4VKDqxqG7R5tTVM= )
+ 3600 RRSIG DNSKEY 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ eGL0s90glUqcOmloo/2y+bSzyEfKVOQViD9Z
+ DNhLz/Yn9CQZlDVRJffACQDAUhXpU/oP34ri
+ bKBpysRXosczFrKqS5Oa0bzMOfXCXup9qHAp
+ eFIku28Vqfr8Nt7cigZLxjK+u0Ws/4lIRjKk
+ 7z5OXogYVaFzHKillDt3HRxHIZM= )
+ a.example. 3600 IN NS ns1.a.example.
+ 3600 IN NS ns2.a.example.
+ 3600 DS 57855 5 1 (
+ B6DCD485719ADCA18E5F3D48A2331627FDD3
+ 636B )
+ 3600 RRSIG DS 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
+ oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
+ kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
+ EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
+ Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
+ 3600 NSEC ai.example. NS DS RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ cOlYgqJLqlRqmBQ3iap2SyIsK4O5aqpKSoba
+ U9fQ5SMApZmHfq3AgLflkrkXRXvgxTQSKkG2
+ 039/cRUs6Jk/25+fi7Xr5nOVJsb0lq4zsB3I
+ BBdjyGDAHE0F5ROJj87996vJupdm1fbH481g
+ sdkOW6Zyqtz3Zos8N0BBkEx+2G4= )
+ ns1.a.example. 3600 IN A 192.0.2.5
+ ns2.a.example. 3600 IN A 192.0.2.6
+ ai.example. 3600 IN A 192.0.2.9
+ 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 40]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
+ ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
+ hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
+ ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
+ 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
+ 3600 HINFO "KLH-10" "ITS"
+ 3600 RRSIG HINFO 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ Iq/RGCbBdKzcYzlGE4ovbr5YcB+ezxbZ9W0l
+ e/7WqyvhOO9J16HxhhL7VY/IKmTUY0GGdcfh
+ ZEOCkf4lEykZF9NPok1/R/fWrtzNp8jobuY7
+ AZEcZadp1WdDF3jc2/ndCa5XZhLKD3JzOsBw
+ FvL8sqlS5QS6FY/ijFEDnI4RkZA= )
+ 3600 AAAA 2001:db8::f00:baa9
+ 3600 RRSIG AAAA 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
+ kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
+ 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
+ cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
+ sZM6QjBBLmukH30+w1z3h8PUP2o= )
+ 3600 NSEC b.example. A HINFO AAAA RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ QoshyPevLcJ/xcRpEtMft1uoIrcrieVcc9pG
+ CScIn5Glnib40T6ayVOimXwdSTZ/8ISXGj4p
+ P8Sh0PlA6olZQ84L453/BUqB8BpdOGky4hsN
+ 3AGcLEv1Gr0QMvirQaFcjzOECfnGyBm+wpFL
+ AhS+JOVfDI/79QtyTI0SaDWcg8U= )
+ b.example. 3600 IN NS ns1.b.example.
+ 3600 IN NS ns2.b.example.
+ 3600 NSEC ns1.example. NS RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
+ 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
+ xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
+ 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
+ vhRXgWT7OuFXldoCG6TfVFMs9xE= )
+ ns1.b.example. 3600 IN A 192.0.2.7
+ ns2.b.example. 3600 IN A 192.0.2.8
+ ns1.example. 3600 IN A 192.0.2.1
+ 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
+ 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
+ im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
+ +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 41]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ v/iVXSYC0b7mPSU+EOlknFpVECs= )
+ 3600 NSEC ns2.example. A RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
+ 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
+ jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
+ ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
+ IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
+ ns2.example. 3600 IN A 192.0.2.2
+ 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
+ Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
+ yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
+ 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
+ rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
+ 3600 NSEC *.w.example. A RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ N0QzHvaJf5NRw1rE9uxS1Ltb2LZ73Qb9bKGE
+ VyaISkqzGpP3jYJXZJPVTq4UVEsgT3CgeHvb
+ 3QbeJ5Dfb2V9NGCHj/OvF/LBxFFWwhLwzngH
+ l+bQAgAcMsLu/nL3nDi1y/JSQjAcdZNDl4bw
+ Ymx28EtgIpo9A0qmP08rMBqs1Jw= )
+ *.w.example. 3600 IN MX 1 ai.example.
+ 3600 RRSIG MX 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
+ f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
+ tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
+ TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
+ 4kX18MMR34i8lC36SR5xBni8vHI= )
+ 3600 NSEC x.w.example. MX RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
+ HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
+ 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
+ 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
+ s1InQ2UoIv6tJEaaKkP701j8OLA= )
+ x.w.example. 3600 IN MX 1 xx.example.
+ 3600 RRSIG MX 5 3 3600 20040509183619 (
+ 20040409183619 38519 example.
+ Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
+ XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
+ H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
+ kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 42]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
+ 3600 NSEC x.y.w.example. MX RRSIG NSEC
+ 3600 RRSIG NSEC 5 3 3600 20040509183619 (
+ 20040409183619 38519 example.
+ aRbpHftxggzgMXdDlym9SsADqMZovZZl2QWK
+ vw8J0tZEUNQByH5Qfnf5N1FqH/pS46UA7A4E
+ mcWBN9PUA1pdPY6RVeaRlZlCr1IkVctvbtaI
+ NJuBba/VHm+pebTbKcAPIvL9tBOoh+to1h6e
+ IjgiM8PXkBQtxPq37wDKALkyn7Q= )
+ x.y.w.example. 3600 IN MX 1 xx.example.
+ 3600 RRSIG MX 5 4 3600 20040509183619 (
+ 20040409183619 38519 example.
+ k2bJHbwP5LH5qN4is39UiPzjAWYmJA38Hhia
+ t7i9t7nbX/e0FPnvDSQXzcK7UL+zrVA+3MDj
+ q1ub4q3SZgcbLMgexxIW3Va//LVrxkP6Xupq
+ GtOB9prkK54QTl/qZTXfMQpW480YOvVknhvb
+ +gLcMZBnHJ326nb/TOOmrqNmQQE= )
+ 3600 NSEC xx.example. MX RRSIG NSEC
+ 3600 RRSIG NSEC 5 4 3600 20040509183619 (
+ 20040409183619 38519 example.
+ OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
+ ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
+ xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
+ a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
+ QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
+ xx.example. 3600 IN A 192.0.2.10
+ 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
+ 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
+ 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
+ VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
+ kbIDV6GPPSZVusnZU6OMgdgzHV4= )
+ 3600 HINFO "KLH-10" "TOPS-20"
+ 3600 RRSIG HINFO 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ GY2PLSXmMHkWHfLdggiox8+chWpeMNJLkML0
+ t+U/SXSUsoUdR91KNdNUkTDWamwcF8oFRjhq
+ BcPZ6EqrF+vl5v5oGuvSF7U52epfVTC+wWF8
+ 3yCUeUw8YklhLWlvk8gQ15YKth0ITQy8/wI+
+ RgNvuwbioFSEuv2pNlkq0goYxNY= )
+ 3600 AAAA 2001:db8::f00:baaa
+ 3600 RRSIG AAAA 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
+ aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
+ ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
+ U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 43]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ xS9cL2QgW7FChw16mzlkH6/vsfs= )
+ 3600 NSEC example. A HINFO AAAA RRSIG NSEC
+ 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ZFWUln6Avc8bmGl5GFjD3BwT530DUZKHNuoY
+ 9A8lgXYyrxu+pqgFiRVbyZRQvVB5pccEOT3k
+ mvHgEa/HzbDB4PIYY79W+VHrgOxzdQGGCZzi
+ asXrpSGOWwSOElghPnMIi8xdF7qtCntr382W
+ GghLahumFIpg4MO3LS/prgzVVWo= )
+
+ The apex DNSKEY set includes two DNSKEY RRs, and the DNSKEY RDATA
+ Flags indicate that each of these DNSKEY RRs is a zone key. One of
+ these DNSKEY RRs also has the SEP flag set and has been used to sign
+ the apex DNSKEY RRset; this is the key which should be hashed to
+ generate a DS record to be inserted into the parent zone. The other
+ DNSKEY is used to sign all the other RRsets in the zone.
+
+ The zone includes a wildcard entry "*.w.example". Note that the name
+ "*.w.example" is used in constructing NSEC chains, and that the RRSIG
+ covering the "*.w.example" MX RRset has a label count of 2.
+
+ The zone also includes two delegations. The delegation to
+ "b.example" includes an NS RRset, glue address records, and an NSEC
+ RR; note that only the NSEC RRset is signed. The delegation to
+ "a.example" provides a DS RR; note that only the NSEC and DS RRsets
+ are signed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 44]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+Appendix B. Example Responses
+
+ The examples in this section show response messages using the signed
+ zone example in Appendix A.
+
+B.1 Answer
+
+ A successful query to an authoritative server.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ x.w.example. IN MX
+
+ ;; Answer
+ x.w.example. 3600 IN MX 1 xx.example.
+ x.w.example. 3600 RRSIG MX 5 3 3600 20040509183619 (
+ 20040409183619 38519 example.
+ Il2WTZ+Bkv+OytBx4LItNW5mjB4RCwhOO8y1
+ XzPHZmZUTVYL7LaA63f6T9ysVBzJRI3KRjAP
+ H3U1qaYnDoN1DrWqmi9RJe4FoObkbcdm7P3I
+ kx70ePCoFgRz1Yq+bVVXCvGuAU4xALv3W/Y1
+ jNSlwZ2mSWKHfxFQxPtLj8s32+k= )
+
+ ;; Authority
+ example. 3600 NS ns1.example.
+ example. 3600 NS ns2.example.
+ example. 3600 RRSIG NS 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
+ EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
+ 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
+ RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
+ 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
+
+ ;; Additional
+ xx.example. 3600 IN A 192.0.2.10
+ xx.example. 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ kBF4YxMGWF0D8r0cztL+2fWWOvN1U/GYSpYP
+ 7SoKoNQ4fZKyk+weWGlKLIUM+uE1zjVTPXoa
+ 0Z6WG0oZp46rkl1EzMcdMgoaeUzzAJ2BMq+Y
+ VdxG9IK1yZkYGY9AgbTOGPoAgbJyO9EPULsx
+ kbIDV6GPPSZVusnZU6OMgdgzHV4= )
+ xx.example. 3600 AAAA 2001:db8::f00:baaa
+ xx.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ Zzj0yodDxcBLnnOIwDsuKo5WqiaK24DlKg9C
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 45]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ aGaxDFiKgKobUj2jilYQHpGFn2poFRetZd4z
+ ulyQkssz2QHrVrPuTMS22knudCiwP4LWpVTr
+ U4zfeA+rDz9stmSBP/4PekH/x2IoAYnwctd/
+ xS9cL2QgW7FChw16mzlkH6/vsfs= )
+ ns1.example. 3600 IN A 192.0.2.1
+ ns1.example. 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ F1C9HVhIcs10cZU09G5yIVfKJy5yRQQ3qVet
+ 5pGhp82pzhAOMZ3K22JnmK4c+IjUeFp/to06
+ im5FVpHtbFisdjyPq84bhTv8vrXt5AB1wNB+
+ +iAqvIfdgW4sFNC6oADb1hK8QNauw9VePJhK
+ v/iVXSYC0b7mPSU+EOlknFpVECs= )
+ ns2.example. 3600 IN A 192.0.2.2
+ ns2.example. 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ V7cQRw1TR+knlaL1z/psxlS1PcD37JJDaCMq
+ Qo6/u1qFQu6x+wuDHRH22Ap9ulJPQjFwMKOu
+ yfPGQPC8KzGdE3vt5snFEAoE1Vn3mQqtu7SO
+ 6amIjk13Kj/jyJ4nGmdRIc/3cM3ipXFhNTKq
+ rdhx8SZ0yy4ObIRzIzvBFLiSS8o= )
+
+
+B.2 Name Error
+
+ An authoritative name error. The NSEC RRs prove that the name does
+ not exist and that no covering wildcard exists.
+
+ ;; Header: QR AA DO RCODE=3
+ ;;
+ ;; Question
+ ml.example. IN A
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1081539377
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
+ 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
+ vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 46]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
+ jV7j86HyQgM5e7+miRAz8V01b0I= )
+ b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
+ b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
+ 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
+ xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
+ 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
+ vhRXgWT7OuFXldoCG6TfVFMs9xE= )
+ example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
+ example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
+ FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
+ Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
+ SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
+ jfFJ5arXf4nPxp/kEowGgBRzY/U= )
+
+ ;; Additional
+ ;; (empty)
+
+
+B.3 No Data Error
+
+ A "no data" response. The NSEC RR proves that the name exists and
+ that the requested RR type does not.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 47]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ ns1.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1081539377
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
+ 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
+ vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
+ DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
+ jV7j86HyQgM5e7+miRAz8V01b0I= )
+ ns1.example. 3600 NSEC ns2.example. A RRSIG NSEC
+ ns1.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ I4hj+Kt6+8rCcHcUdolks2S+Wzri9h3fHas8
+ 1rGN/eILdJHN7JpV6lLGPIh/8fIBkfvdyWnB
+ jjf1q3O7JgYO1UdI7FvBNWqaaEPJK3UkddBq
+ ZIaLi8Qr2XHkjq38BeQsbp8X0+6h4ETWSGT8
+ IZaIGBLryQWGLw6Y6X8dqhlnxJM= )
+
+ ;; Additional
+ ;; (empty)
+
+
+B.4 Referral to Signed Zone
+
+ Referral to a signed zone. The DS RR contains the data which the
+ resolver will need to validate the corresponding DNSKEY RR in the
+ child zone's apex.
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 48]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.a.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ a.example. 3600 IN NS ns1.a.example.
+ a.example. 3600 IN NS ns2.a.example.
+ a.example. 3600 DS 57855 5 1 (
+ B6DCD485719ADCA18E5F3D48A2331627FDD3
+ 636B )
+ a.example. 3600 RRSIG DS 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ oXIKit/QtdG64J/CB+Gi8dOvnwRvqrto1AdQ
+ oRkAN15FP3iZ7suB7gvTBmXzCjL7XUgQVcoH
+ kdhyCuzp8W9qJHgRUSwKKkczSyuL64nhgjuD
+ EML8l9wlWVsl7PR2VnZduM9bLyBhaaPmRKX/
+ Fm+v6ccF2EGNLRiY08kdkz+XHHo= )
+
+ ;; Additional
+ ns1.a.example. 3600 IN A 192.0.2.5
+ ns2.a.example. 3600 IN A 192.0.2.6
+
+
+B.5 Referral to Unsigned Zone
+
+ Referral to an unsigned zone. The NSEC RR proves that no DS RR for
+ this delegation exists in the parent zone.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 49]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ;; Header: QR DO RCODE=0
+ ;;
+ ;; Question
+ mc.b.example. IN MX
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ b.example. 3600 IN NS ns1.b.example.
+ b.example. 3600 IN NS ns2.b.example.
+ b.example. 3600 NSEC ns1.example. NS RRSIG NSEC
+ b.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ GNuxHn844wfmUhPzGWKJCPY5ttEX/RfjDoOx
+ 9ueK1PtYkOWKOOdiJ/PJKCYB3hYX+858dDWS
+ xb2qnV/LSTCNVBnkm6owOpysY97MVj5VQEWs
+ 0lm9tFoqjcptQkmQKYPrwUnCSNwvvclSF1xZ
+ vhRXgWT7OuFXldoCG6TfVFMs9xE= )
+
+ ;; Additional
+ ns1.b.example. 3600 IN A 192.0.2.7
+ ns2.b.example. 3600 IN A 192.0.2.8
+
+
+B.6 Wildcard Expansion
+
+ A successful query which was answered via wildcard expansion. The
+ label count in the answer's RRSIG RR indicates that a wildcard RRset
+ was expanded to produce this response, and the NSEC RR proves that no
+ closer match exists in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN MX
+
+ ;; Answer
+ a.z.w.example. 3600 IN MX 1 ai.example.
+ a.z.w.example. 3600 RRSIG MX 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ OMK8rAZlepfzLWW75Dxd63jy2wswESzxDKG2
+ f9AMN1CytCd10cYISAxfAdvXSZ7xujKAtPbc
+ tvOQ2ofO7AZJ+d01EeeQTVBPq4/6KCWhqe2X
+ TjnkVLNvvhnc0u28aoSsG0+4InvkkOHknKxw
+ 4kX18MMR34i8lC36SR5xBni8vHI= )
+
+ ;; Authority
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 50]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ example. 3600 NS ns1.example.
+ example. 3600 NS ns2.example.
+ example. 3600 RRSIG NS 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ gl13F00f2U0R+SWiXXLHwsMY+qStYy5k6zfd
+ EuivWc+wd1fmbNCyql0Tk7lHTX6UOxc8AgNf
+ 4ISFve8XqF4q+o9qlnqIzmppU3LiNeKT4FZ8
+ RO5urFOvoMRTbQxW3U0hXWuggE4g3ZpsHv48
+ 0HjMeRaZB/FRPGfJPajngcq6Kwg= )
+ x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
+ x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
+ 20040409183619 38519 example.
+ OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
+ ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
+ xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
+ a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
+ QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
+
+ ;; Additional
+ ai.example. 3600 IN A 192.0.2.9
+ ai.example. 3600 RRSIG A 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ pAOtzLP2MU0tDJUwHOKE5FPIIHmdYsCgTb5B
+ ERGgpnJluA9ixOyf6xxVCgrEJW0WNZSsJicd
+ hBHXfDmAGKUajUUlYSAH8tS4ZnrhyymIvk3u
+ ArDu2wfT130e9UHnumaHHMpUTosKe22PblOy
+ 6zrTpg9FkS0XGVmYRvOTNYx2HvQ= )
+ ai.example. 3600 AAAA 2001:db8::f00:baa9
+ ai.example. 3600 RRSIG AAAA 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ nLcpFuXdT35AcE+EoafOUkl69KB+/e56XmFK
+ kewXG2IadYLKAOBIoR5+VoQV3XgTcofTJNsh
+ 1rnF6Eav2zpZB3byI6yo2bwY8MNkr4A7cL9T
+ cMmDwV/hWFKsbGBsj8xSCN/caEL2CWY/5XP2
+ sZM6QjBBLmukH30+w1z3h8PUP2o= )
+
+
+B.7 Wildcard No Data Error
+
+ A "no data" response for a name covered by a wildcard. The NSEC RRs
+ prove that the matching wildcard name does not have any RRs of the
+ requested type and that no closer match exists in the zone.
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ a.z.w.example. IN AAAA
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 51]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1081539377
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
+ 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
+ vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
+ DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
+ jV7j86HyQgM5e7+miRAz8V01b0I= )
+ x.y.w.example. 3600 NSEC xx.example. MX RRSIG NSEC
+ x.y.w.example. 3600 RRSIG NSEC 5 4 3600 20040509183619 (
+ 20040409183619 38519 example.
+ OvE6WUzN2ziieJcvKPWbCAyXyP6ef8cr6Csp
+ ArVSTzKSquNwbezZmkU7E34o5lmb6CWSSSpg
+ xw098kNUFnHcQf/LzY2zqRomubrNQhJTiDTX
+ a0ArunJQCzPjOYq5t0SLjm6qp6McJI1AP5Vr
+ QoKqJDCLnoAlcPOPKAm/jJkn3jk= )
+ *.w.example. 3600 NSEC x.w.example. MX RRSIG NSEC
+ *.w.example. 3600 RRSIG NSEC 5 2 3600 20040509183619 (
+ 20040409183619 38519 example.
+ r/mZnRC3I/VIcrelgIcteSxDhtsdlTDt8ng9
+ HSBlABOlzLxQtfgTnn8f+aOwJIAFe1Ee5RvU
+ 5cVhQJNP5XpXMJHfyps8tVvfxSAXfahpYqtx
+ 91gsmcV/1V9/bZAG55CefP9cM4Z9Y9NT9XQ8
+ s1InQ2UoIv6tJEaaKkP701j8OLA= )
+
+ ;; Additional
+ ;; (empty)
+
+
+B.8 DS Child Zone No Data Error
+
+ A "no data" response for a QTYPE=DS query which was mistakenly sent
+ to a name server for the child zone.
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 52]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ ;; Header: QR AA DO RCODE=0
+ ;;
+ ;; Question
+ example. IN DS
+
+ ;; Answer
+ ;; (empty)
+
+ ;; Authority
+ example. 3600 IN SOA ns1.example. bugs.x.w.example. (
+ 1081539377
+ 3600
+ 300
+ 3600000
+ 3600
+ )
+ example. 3600 RRSIG SOA 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ ONx0k36rcjaxYtcNgq6iQnpNV5+drqYAsC9h
+ 7TSJaHCqbhE67Sr6aH2xDUGcqQWu/n0UVzrF
+ vkgO9ebarZ0GWDKcuwlM6eNB5SiX2K74l5LW
+ DA7S/Un/IbtDq4Ay8NMNLQI7Dw7n4p8/rjkB
+ jV7j86HyQgM5e7+miRAz8V01b0I= )
+ example. 3600 NSEC a.example. NS SOA MX RRSIG NSEC DNSKEY
+ example. 3600 RRSIG NSEC 5 1 3600 20040509183619 (
+ 20040409183619 38519 example.
+ O0k558jHhyrC97ISHnislm4kLMW48C7U7cBm
+ FTfhke5iVqNRVTB1STLMpgpbDIC9hcryoO0V
+ Z9ME5xPzUEhbvGnHd5sfzgFVeGxr5Nyyq4tW
+ SDBgIBiLQUv1ivy29vhXy7WgR62dPrZ0PWvm
+ jfFJ5arXf4nPxp/kEowGgBRzY/U= )
+
+ ;; Additional
+ ;; (empty)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 53]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+Appendix C. Authentication Examples
+
+ The examples in this section show how the response messages in
+ Appendix B are authenticated.
+
+C.1 Authenticating An Answer
+
+ The query in section Appendix B.1 returned an MX RRset for
+ "x.w.example.com". The corresponding RRSIG indicates the MX RRset
+ was signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
+ The resolver needs the corresponding DNSKEY RR in order to
+ authenticate this answer. The discussion below describes how a
+ resolver might obtain this DNSKEY RR.
+
+ The RRSIG indicates the original TTL of the MX RRset was 3600 and,
+ for the purpose of authentication, the current TTL is replaced by
+ 3600. The RRSIG labels field value of 3 indicates the answer was not
+ the result of wildcard expansion. The "x.w.example.com" MX RRset is
+ placed in canonical form and, assuming the current time falls between
+ the signature inception and expiration dates, the signature is
+ authenticated.
+
+C.1.1 Authenticating the example DNSKEY RR
+
+ This example shows the logical authentication process that starts
+ from the a configured root DNSKEY (or DS RR) and moves down the tree
+ to authenticate the desired "example" DNSKEY RR. Note the logical
+ order is presented for clarity and an implementation may choose to
+ construct the authentication as referrals are received or may choose
+ to construct the authentication chain only after all RRsets have been
+ obtained, or in any other combination it sees fit. The example here
+ demonstrates only the logical process and does not dictate any
+ implementation rules.
+
+ We assume the resolver starts with an configured DNSKEY RR for the
+ root zone (or a configured DS RR for the root zone). The resolver
+ checks this configured DNSKEY RR is present in the root DNSKEY RRset
+ (or the DS RR matches some DNSKEY in the root DNSKEY RRset), this
+ DNSKEY RR has signed the root DNSKEY RRset and the signature lifetime
+ is valid. If all these conditions are met, all keys in the DNSKEY
+ RRset are considered authenticated. The resolver then uses one (or
+ more) of the root DNSKEY RRs to authenticate the "example" DS RRset.
+ Note the resolver may need to query the root zone to obtain the root
+ DNSKEY RRset or "example" DS RRset.
+
+ Once the DS RRset has been authenticated using the root DNSKEY, the
+ resolver checks the "example" DNSKEY RRset for some "example" DNSKEY
+ RR that matches one of the authenticated "example" DS RRs. If such a
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 54]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ matching "example" DNSKEY is found, the resolver checks this DNSKEY
+ RR has signed the "example" DNSKEY RRset and the signature lifetime
+ is valid. If all these conditions are met, all keys in the "example"
+ DNSKEY RRset are considered authenticated.
+
+ Finally the resolver checks that some DNSKEY RR in the "example"
+ DNSKEY RRset uses algorithm 5 and has a key tag of 38519. This
+ DNSKEY is used to authenticated the RRSIG included in the response.
+ If multiple "example" DNSKEY RRs match this algorithm and key tag,
+ then each DNSKEY RR is tried and the answer is authenticated if any
+ of the matching DNSKEY RRs validates the signature as described
+ above.
+
+C.2 Name Error
+
+ The query in section Appendix B.2 returned NSEC RRs that prove the
+ requested data does not exist and no wildcard applies. The negative
+ reply is authenticated by verifying both NSEC RRs. The NSEC RRs are
+ authenticated in a manner identical to that of the MX RRset discussed
+ above.
+
+C.3 No Data Error
+
+ The query in section Appendix B.3 returned an NSEC RR that proves the
+ requested name exists, but the requested RR type does not exist. The
+ negative reply is authenticated by verifying the NSEC RR. The NSEC
+ RR is authenticated in a manner identical to that of the MX RRset
+ discussed above.
+
+C.4 Referral to Signed Zone
+
+ The query in section Appendix B.4 returned a referral to the signed
+ "a.example." zone. The DS RR is authenticated in a manner identical
+ to that of the MX RRset discussed above. This DS RR is used to
+ authenticate the "a.example" DNSKEY RRset.
+
+ Once the "a.example" DS RRset has been authenticated using the
+ "example" DNSKEY, the resolver checks the "a.example" DNSKEY RRset
+ for some "a.example" DNSKEY RR that matches the DS RR. If such a
+ matching "a.example" DNSKEY is found, the resolver checks this DNSKEY
+ RR has signed the "a.example" DNSKEY RRset and the signature lifetime
+ is valid. If all these conditions are met, all keys in the
+ "a.example" DNSKEY RRset are considered authenticated.
+
+C.5 Referral to Unsigned Zone
+
+ The query in section Appendix B.5 returned a referral to an unsigned
+ "b.example." zone. The NSEC proves that no authentication leads from
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 55]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+ "example" to "b.example" and the NSEC RR is authenticated in a manner
+ identical to that of the MX RRset discussed above.
+
+C.6 Wildcard Expansion
+
+ The query in section Appendix B.6 returned an answer that was
+ produced as a result of wildcard expansion. The RRset expanded as
+ the similar to The corresponding RRSIG indicates the MX RRset was
+ signed by an "example" DNSKEY with algorithm 5 and key tag 38519.
+ The RRSIG indicates the original TTL of the MX RRset was 3600 and,
+ for the purpose of authentication, the current TTL is replaced by
+ 3600. The RRSIG labels field value of 2 indicates the answer the
+ result of wildcard expansion since the "a.z.w.example" name contains
+ 4 labels. The name "a.z.w.w.example" is replaced by "*.w.example",
+ the MX RRset is placed in canonical form and, assuming the current
+ time falls between the signature inception and expiration dates, the
+ signature is authenticated.
+
+ The NSEC proves that no closer match (exact or closer wildcard) could
+ have been used to answer this query and the NSEC RR must also be
+ authenticated before the answer is considered valid.
+
+C.7 Wildcard No Data Error
+
+ The query in section Appendix B.7 returned NSEC RRs that prove the
+ requested data does not exist and no wildcard applies. The negative
+ reply is authenticated by verifying both NSEC RRs.
+
+C.8 DS Child Zone No Data Error
+
+ The query in section Appendix B.8 returned NSEC RRs that shows the
+ requested was answered by a child server ("example" server). The
+ NSEC RR indicates the presence of an SOA RR, showing the answer is
+ from the child . Queries for the "example" DS RRset should be sent
+ to the parent servers ("root" servers).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 56]
+
+Internet-Draft DNSSEC Protocol Modifications July 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 57]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt
new file mode 100644
index 0000000..79a1728
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-dnssec-records-09.txt
@@ -0,0 +1,1849 @@
+
+
+DNS Extensions R. Arends
+Internet-Draft Telematica Instituut
+Expires: January 13, 2005 R. Austein
+ ISC
+ M. Larson
+ VeriSign
+ D. Massey
+ USC/ISI
+ S. Rose
+ NIST
+ July 15, 2004
+
+
+ Resource Records for the DNS Security Extensions
+ draft-ietf-dnsext-dnssec-records-09
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 13, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document is part of a family of documents that describes the DNS
+ Security Extensions (DNSSEC). The DNS Security Extensions are a
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 1]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ collection of resource records and protocol modifications that
+ provide source authentication for the DNS. This document defines the
+ public key (DNSKEY), delegation signer (DS), resource record digital
+ signature (RRSIG), and authenticated denial of existence (NSEC)
+ resource records. The purpose and format of each resource record is
+ described in detail, and an example of each resource record is given.
+
+ This document obsoletes RFC 2535 and incorporates changes from all
+ updates to RFC 2535.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1 Background and Related Documents . . . . . . . . . . . . . 4
+ 1.2 Reserved Words . . . . . . . . . . . . . . . . . . . . . . 4
+ 2. The DNSKEY Resource Record . . . . . . . . . . . . . . . . . . 5
+ 2.1 DNSKEY RDATA Wire Format . . . . . . . . . . . . . . . . . 5
+ 2.1.1 The Flags Field . . . . . . . . . . . . . . . . . . . 5
+ 2.1.2 The Protocol Field . . . . . . . . . . . . . . . . . . 6
+ 2.1.3 The Algorithm Field . . . . . . . . . . . . . . . . . 6
+ 2.1.4 The Public Key Field . . . . . . . . . . . . . . . . . 6
+ 2.1.5 Notes on DNSKEY RDATA Design . . . . . . . . . . . . . 6
+ 2.2 The DNSKEY RR Presentation Format . . . . . . . . . . . . 6
+ 2.3 DNSKEY RR Example . . . . . . . . . . . . . . . . . . . . 7
+ 3. The RRSIG Resource Record . . . . . . . . . . . . . . . . . . 8
+ 3.1 RRSIG RDATA Wire Format . . . . . . . . . . . . . . . . . 8
+ 3.1.1 The Type Covered Field . . . . . . . . . . . . . . . . 9
+ 3.1.2 The Algorithm Number Field . . . . . . . . . . . . . . 9
+ 3.1.3 The Labels Field . . . . . . . . . . . . . . . . . . . 9
+ 3.1.4 Original TTL Field . . . . . . . . . . . . . . . . . . 10
+ 3.1.5 Signature Expiration and Inception Fields . . . . . . 10
+ 3.1.6 The Key Tag Field . . . . . . . . . . . . . . . . . . 10
+ 3.1.7 The Signer's Name Field . . . . . . . . . . . . . . . 11
+ 3.1.8 The Signature Field . . . . . . . . . . . . . . . . . 11
+ 3.2 The RRSIG RR Presentation Format . . . . . . . . . . . . . 12
+ 3.3 RRSIG RR Example . . . . . . . . . . . . . . . . . . . . . 12
+ 4. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 14
+ 4.1 NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . . 14
+ 4.1.1 The Next Domain Name Field . . . . . . . . . . . . . . 14
+ 4.1.2 The Type Bit Maps Field . . . . . . . . . . . . . . . 15
+ 4.1.3 Inclusion of Wildcard Names in NSEC RDATA . . . . . . 16
+ 4.2 The NSEC RR Presentation Format . . . . . . . . . . . . . 16
+ 4.3 NSEC RR Example . . . . . . . . . . . . . . . . . . . . . 16
+ 5. The DS Resource Record . . . . . . . . . . . . . . . . . . . . 18
+ 5.1 DS RDATA Wire Format . . . . . . . . . . . . . . . . . . . 18
+ 5.1.1 The Key Tag Field . . . . . . . . . . . . . . . . . . 19
+ 5.1.2 The Algorithm Field . . . . . . . . . . . . . . . . . 19
+ 5.1.3 The Digest Type Field . . . . . . . . . . . . . . . . 19
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 2]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ 5.1.4 The Digest Field . . . . . . . . . . . . . . . . . . . 19
+ 5.2 Processing of DS RRs When Validating Responses . . . . . . 19
+ 5.3 The DS RR Presentation Format . . . . . . . . . . . . . . 20
+ 5.4 DS RR Example . . . . . . . . . . . . . . . . . . . . . . 20
+ 6. Canonical Form and Order of Resource Records . . . . . . . . . 21
+ 6.1 Canonical DNS Name Order . . . . . . . . . . . . . . . . . 21
+ 6.2 Canonical RR Form . . . . . . . . . . . . . . . . . . . . 21
+ 6.3 Canonical RR Ordering Within An RRset . . . . . . . . . . 22
+ 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24
+ 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
+ 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
+ 10.1 Normative References . . . . . . . . . . . . . . . . . . . . 26
+ 10.2 Informative References . . . . . . . . . . . . . . . . . . . 27
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27
+ A. DNSSEC Algorithm and Digest Types . . . . . . . . . . . . . . 29
+ A.1 DNSSEC Algorithm Types . . . . . . . . . . . . . . . . . . 29
+ A.1.1 Private Algorithm Types . . . . . . . . . . . . . . . 29
+ A.2 DNSSEC Digest Types . . . . . . . . . . . . . . . . . . . 30
+ B. Key Tag Calculation . . . . . . . . . . . . . . . . . . . . . 31
+ B.1 Key Tag for Algorithm 1 (RSA/MD5) . . . . . . . . . . . . 32
+ Intellectual Property and Copyright Statements . . . . . . . . 33
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 3]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+1. Introduction
+
+ The DNS Security Extensions (DNSSEC) introduce four new DNS resource
+ record types: DNSKEY, RRSIG, NSEC, and DS. This document defines the
+ purpose of each resource record (RR), the RR's RDATA format, and its
+ presentation format (ASCII representation).
+
+1.1 Background and Related Documents
+
+ The reader is assumed to be familiar with the basic DNS concepts
+ described in [RFC1034], [RFC1035] and subsequent RFCs that update
+ them: [RFC2136], [RFC2181] and [RFC2308].
+
+ This document is part of a family of documents that define the DNS
+ security extensions. The DNS security extensions (DNSSEC) are a
+ collection of resource records and DNS protocol modifications that
+ add source authentication and data integrity to the Domain Name
+ System (DNS). An introduction to DNSSEC and definitions of common
+ terms can be found in [I-D.ietf-dnsext-dnssec-intro]; the reader is
+ assumed to be familiar with this document. A description of DNS
+ protocol modifications can be found in
+ [I-D.ietf-dnsext-dnssec-protocol].
+
+ This document defines the DNSSEC resource records.
+
+1.2 Reserved Words
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 4]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+2. The DNSKEY Resource Record
+
+ DNSSEC uses public key cryptography to sign and authenticate DNS
+ resource record sets (RRsets). The public keys are stored in DNSKEY
+ resource records and are used in the DNSSEC authentication process
+ described in [I-D.ietf-dnsext-dnssec-protocol]: A zone signs its
+ authoritative RRsets using a private key and stores the corresponding
+ public key in a DNSKEY RR. A resolver can then use the public key to
+ authenticate signatures covering the RRsets in the zone.
+
+ The DNSKEY RR is not intended as a record for storing arbitrary
+ public keys and MUST NOT be used to store certificates or public keys
+ that do not directly relate to the DNS infrastructure.
+
+ The Type value for the DNSKEY RR type is 48.
+
+ The DNSKEY RR is class independent.
+
+ The DNSKEY RR has no special TTL requirements.
+
+2.1 DNSKEY RDATA Wire Format
+
+ The RDATA for a DNSKEY RR consists of a 2 octet Flags Field, a 1
+ octet Protocol Field, a 1 octet Algorithm Field, and the Public Key
+ Field.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Flags | Protocol | Algorithm |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Public Key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+2.1.1 The Flags Field
+
+ Bit 7 of the Flags field is the Zone Key flag. If bit 7 has value 1,
+ then the DNSKEY record holds a DNS zone key and the DNSKEY RR's owner
+ name MUST be the name of a zone. If bit 7 has value 0, then the
+ DNSKEY record holds some other type of DNS public key and MUST NOT be
+ used to verify RRSIGs that cover RRsets.
+
+ Bit 15 of the Flags field is the Secure Entry Point flag, described
+ in [RFC3757]. If bit 15 has value 1, then the DNSKEY record holds a
+ key intended for use as a secure entry point. This flag is only
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 5]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ intended to be to a hint to zone signing or debugging software as to
+ the intended use of this DNSKEY record; validators MUST NOT alter
+ their behavior during the signature validation process in any way
+ based on the setting of this bit. This also means a DNSKEY RR with
+ the SEP bit set would also need the Zone Key flag set in order to
+ legally be able to generate signatures. A DNSKEY RR with the SEP set
+ and the Zone Key flag not set MUST NOT be used to verify RRSIGs that
+ cover RRsets.
+
+ Bits 0-6 and 8-14 are reserved: these bits MUST have value 0 upon
+ creation of the DNSKEY RR, and MUST be ignored upon reception.
+
+2.1.2 The Protocol Field
+
+ The Protocol Field MUST have value 3 and the DNSKEY RR MUST be
+ treated as invalid during signature verification if found to be some
+ value other than 3.
+
+2.1.3 The Algorithm Field
+
+ The Algorithm field identifies the public key's cryptographic
+ algorithm and determines the format of the Public Key field. A list
+ of DNSSEC algorithm types can be found in Appendix A.1
+
+2.1.4 The Public Key Field
+
+ The Public Key Field holds the public key material. The format
+ depends on the algorithm of the key being stored and are described in
+ separate documents.
+
+2.1.5 Notes on DNSKEY RDATA Design
+
+ Although the Protocol Field always has value 3, it is retained for
+ backward compatibility with early versions of the KEY record.
+
+2.2 The DNSKEY RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Flag field MUST be represented as an unsigned decimal integer.
+ Given the currently defined flags, the possible values are: 0, 256,
+ or 257.
+
+ The Protocol Field MUST be represented as an unsigned decimal integer
+ with a value of 3.
+
+ The Algorithm field MUST be represented either as an unsigned decimal
+ integer or as an algorithm mnemonic as specified in Appendix A.1.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 6]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ The Public Key field MUST be represented as a Base64 encoding of the
+ Public Key. Whitespace is allowed within the Base64 text. For a
+ definition of Base64 encoding, see [RFC3548].
+
+2.3 DNSKEY RR Example
+
+ The following DNSKEY RR stores a DNS zone key for example.com.
+
+ example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3
+ Cbl+BBZH4b/0PY1kxkmvHjcZc8no
+ kfzj31GajIQKY+5CptLr3buXA10h
+ WqTkF7H6RfoRqXQeogmMHfpftf6z
+ Mv1LyBUgia7za6ZEzOJBOztyvhjL
+ 742iU/TpPSEDhm2SNKLijfUppn1U
+ aNvv4w== )
+
+ The first four text fields specify the owner name, TTL, Class, and RR
+ type (DNSKEY). Value 256 indicates that the Zone Key bit (bit 7) in
+ the Flags field has value 1. Value 3 is the fixed Protocol value.
+ Value 5 indicates the public key algorithm. Appendix A.1 identifies
+ algorithm type 5 as RSA/SHA1 and indicates that the format of the
+ RSA/SHA1 public key field is defined in [RFC3110]. The remaining
+ text is a Base64 encoding of the public key.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 7]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+3. The RRSIG Resource Record
+
+ DNSSEC uses public key cryptography to sign and authenticate DNS
+ resource record sets (RRsets). Digital signatures are stored in
+ RRSIG resource records and are used in the DNSSEC authentication
+ process described in [I-D.ietf-dnsext-dnssec-protocol]. A validator
+ can use these RRSIG RRs to authenticate RRsets from the zone. The
+ RRSIG RR MUST only be used to carry verification material (digital
+ signatures) used to secure DNS operations.
+
+ An RRSIG record contains the signature for an RRset with a particular
+ name, class, and type. The RRSIG RR specifies a validity interval
+ for the signature and uses the Algorithm, the Signer's Name, and the
+ Key Tag to identify the DNSKEY RR containing the public key that a
+ validator can use to verify the signature.
+
+ Because every authoritative RRset in a zone must be protected by a
+ digital signature, RRSIG RRs must be present for names containing a
+ CNAME RR. This is a change to the traditional DNS specification
+ [RFC1034] that stated that if a CNAME is present for a name, it is
+ the only type allowed at that name. A RRSIG and NSEC (see Section 4)
+ MUST exist for the same name as a CNAME resource record in a signed
+ zone.
+
+ The Type value for the RRSIG RR type is 46.
+
+ The RRSIG RR is class independent.
+
+ An RRSIG RR MUST have the same class as the RRset it covers.
+
+ The TTL value of an RRSIG RR MUST match the TTL value of the RRset it
+ covers. This is an exception to the [RFC2181] rules for TTL values
+ of individual RRs within a RRset: individual RRSIG with the same
+ owner name will have different TTL values if the RRsets they cover
+ have different TTL values.
+
+3.1 RRSIG RDATA Wire Format
+
+ The RDATA for an RRSIG RR consists of a 2 octet Type Covered field, a
+ 1 octet Algorithm field, a 1 octet Labels field, a 4 octet Original
+ TTL field, a 4 octet Signature Expiration field, a 4 octet Signature
+ Inception field, a 2 octet Key tag, the Signer's Name field, and the
+ Signature field.
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 8]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type Covered | Algorithm | Labels |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Original TTL |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Signature Expiration |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Signature Inception |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Key Tag | /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Signer's Name /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Signature /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+3.1.1 The Type Covered Field
+
+ The Type Covered field identifies the type of the RRset that is
+ covered by this RRSIG record.
+
+3.1.2 The Algorithm Number Field
+
+ The Algorithm Number field identifies the cryptographic algorithm
+ used to create the signature. A list of DNSSEC algorithm types can
+ be found in Appendix A.1
+
+3.1.3 The Labels Field
+
+ The Labels field specifies the number of labels in the original RRSIG
+ RR owner name. The significance of this field is that a validator
+ uses it to determine if the answer was synthesized from a wildcard.
+ If so, it can be used to determine what owner name was used in
+ generating the signature.
+
+ To validate a signature, the validator needs the original owner name
+ that was used to create the signature. If the original owner name
+ contains a wildcard label ("*"), the owner name may have been
+ expanded by the server during the response process, in which case the
+ validator will need to reconstruct the original owner name in order
+ to validate the signature. [I-D.ietf-dnsext-dnssec-protocol]
+ describes how to use the Labels field to reconstruct the original
+ owner name.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 9]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ The value of the Labels field MUST NOT count either the null (root)
+ label that terminates the owner name or the wildcard label (if
+ present). The value of the Labels field MUST be less than or equal
+ to the number of labels in the RRSIG owner name. For example,
+ "www.example.com." has a Labels field value of 3, and
+ "*.example.com." has a Labels field value of 2. Root (".") has a
+ Labels field value of 0.
+
+ Although the wildcard label is not included in the count stored in
+ the Labels field of the RRSIG RR, the wildcard label is part of the
+ RRset's owner name when generating or verifying the signature.
+
+3.1.4 Original TTL Field
+
+ The Original TTL field specifies the TTL of the covered RRset as it
+ appears in the authoritative zone.
+
+ The Original TTL field is necessary because a caching resolver
+ decrements the TTL value of a cached RRset. In order to validate a
+ signature, a validator requires the original TTL.
+ [I-D.ietf-dnsext-dnssec-protocol] describes how to use the Original
+ TTL field value to reconstruct the original TTL.
+
+3.1.5 Signature Expiration and Inception Fields
+
+ The Signature Expiration and Inception fields specify a validity
+ period for the signature. The RRSIG record MUST NOT be used for
+ authentication prior to the inception date and MUST NOT be used for
+ authentication after the expiration date.
+
+ Signature Expiration and Inception field values are in POSIX.1 time
+ format: a 32-bit unsigned number of seconds elapsed since 1 January
+ 1970 00:00:00 UTC, ignoring leap seconds, in network byte order. The
+ longest interval which can be expressed by this format without
+ wrapping is approximately 136 years. An RRSIG RR can have an
+ Expiration field value which is numerically smaller than the
+ Inception field value if the expiration field value is near the
+ 32-bit wrap-around point or if the signature is long lived. Because
+ of this, all comparisons involving these fields MUST use "Serial
+ number arithmetic" as defined in [RFC1982]. As a direct consequence,
+ the values contained in these fields cannot refer to dates more than
+ 68 years in either the past or the future.
+
+3.1.6 The Key Tag Field
+
+ The Key Tag field contains the key tag value of the DNSKEY RR that
+ validates this signature, in network byte order. Appendix B explains
+ how to calculate Key Tag values.
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 10]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+3.1.7 The Signer's Name Field
+
+ The Signer's Name field value identifies the owner name of the DNSKEY
+ RR which a validator is supposed to use to validate this signature.
+ The Signer's Name field MUST contain the name of the zone of the
+ covered RRset. A sender MUST NOT use DNS name compression on the
+ Signer's Name field when transmitting a RRSIG RR.
+
+3.1.8 The Signature Field
+
+ The Signature field contains the cryptographic signature that covers
+ the RRSIG RDATA (excluding the Signature field) and the RRset
+ specified by the RRSIG owner name, RRSIG class, and RRSIG Type
+ Covered field. The format of this field depends on the algorithm in
+ use and these formats are described in separate companion documents.
+
+3.1.8.1 Signature Calculation
+
+ A signature covers the RRSIG RDATA (excluding the Signature Field)
+ and covers the data RRset specified by the RRSIG owner name, RRSIG
+ class, and RRSIG Type Covered fields. The RRset is in canonical form
+ (see Section 6) and the set RR(1),...RR(n) is signed as follows:
+
+ signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) where
+
+ "|" denotes concatenation;
+
+ RRSIG_RDATA is the wire format of the RRSIG RDATA fields
+ with the Signer's Name field in canonical form and
+ the Signature field excluded;
+
+ RR(i) = owner | type | class | TTL | RDATA length | RDATA
+
+ "owner" is the fully qualified owner name of the RRset in
+ canonical form (for RRs with wildcard owner names, the
+ wildcard label is included in the owner name);
+
+ Each RR MUST have the same owner name as the RRSIG RR;
+
+ Each RR MUST have the same class as the RRSIG RR;
+
+ Each RR in the RRset MUST have the RR type listed in the
+ RRSIG RR's Type Covered field;
+
+ Each RR in the RRset MUST have the TTL listed in the
+ RRSIG Original TTL Field;
+
+ Any DNS names in the RDATA field of each RR MUST be in
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 11]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ canonical form; and
+
+ The RRset MUST be sorted in canonical order.
+
+ See Section 6.2 and Section 6.3 for details on canonical form and
+ ordering of RRsets.
+
+3.2 The RRSIG RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Type Covered field is represented as a RR type mnemonic. When
+ the mnemonic is not known, the TYPE representation as described in
+ [RFC3597] (section 5) MUST be used.
+
+ The Algorithm field value MUST be represented either as an unsigned
+ decimal integer or as an algorithm mnemonic as specified in Appendix
+ A.1.
+
+ The Labels field value MUST be represented as an unsigned decimal
+ integer.
+
+ The Original TTL field value MUST be represented as an unsigned
+ decimal integer.
+
+ The Signature Expiration Time and Inception Time field values MUST be
+ represented either as seconds since 1 January 1970 00:00:00 UTC or in
+ the form YYYYMMDDHHmmSS in UTC, where:
+ YYYY is the year (0001-9999, but see Section 3.1.5);
+ MM is the month number (01-12);
+ DD is the day of the month (01-31);
+ HH is the hour in 24 hours notation (00-23);
+ mm is the minute (00-59); and
+ SS is the second (00-59).
+
+ The Key Tag field MUST be represented as an unsigned decimal integer.
+
+ The Signer's Name field value MUST be represented as a domain name.
+
+ The Signature field is represented as a Base64 encoding of the
+ signature. Whitespace is allowed within the Base64 text. See
+ Section 2.2.
+
+3.3 RRSIG RR Example
+
+ The following RRSIG RR stores the signature for the A RRset of
+ host.example.com:
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 12]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 (
+ 20030220173103 2642 example.com.
+ oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr
+ PYGv07h108dUKGMeDPKijVCHX3DDKdfb+v6o
+ B9wfuh3DTJXUAfI/M0zmO/zz8bW0Rznl8O3t
+ GNazPwQKkRN20XPXV6nwwfoXmJQbsLNrLfkG
+ J5D6fwFm8nN+6pBzeDQfsS3Ap3o= )
+
+ The first four fields specify the owner name, TTL, Class, and RR type
+ (RRSIG). The "A" represents the Type Covered field. The value 5
+ identifies the algorithm used (RSA/SHA1) to create the signature.
+ The value 3 is the number of Labels in the original owner name. The
+ value 86400 in the RRSIG RDATA is the Original TTL for the covered A
+ RRset. 20030322173103 and 20030220173103 are the expiration and
+ inception dates, respectively. 2642 is the Key Tag, and example.com.
+ is the Signer's Name. The remaining text is a Base64 encoding of the
+ signature.
+
+ Note that combination of RRSIG RR owner name, class, and Type Covered
+ indicate that this RRSIG covers the "host.example.com" A RRset. The
+ Label value of 3 indicates that no wildcard expansion was used. The
+ Algorithm, Signer's Name, and Key Tag indicate this signature can be
+ authenticated using an example.com zone DNSKEY RR whose algorithm is
+ 5 and key tag is 2642.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 13]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+4. The NSEC Resource Record
+
+ The NSEC resource record lists two separate things: the next owner
+ name (in the canonical ordering of the zone) which contains
+ authoritative data or a delegation point NS RRset, and the set of RR
+ types present at the NSEC RR's owner name. The complete set of NSEC
+ RRs in a zone both indicate which authoritative RRsets exist in a
+ zone and also form a chain of authoritative owner names in the zone.
+ This information is used to provide authenticated denial of existence
+ for DNS data, as described in [I-D.ietf-dnsext-dnssec-protocol].
+
+ Because every authoritative name in a zone must be part of the NSEC
+ chain, NSEC RRs must be present for names containing a CNAME RR.
+ This is a change to the traditional DNS specification [RFC1034] that
+ stated that if a CNAME is present for a name, it is the only type
+ allowed at that name. An RRSIG (see Section 3) and NSEC MUST exist
+ for the same name as a CNAME resource record in a signed zone.
+
+ See [I-D.ietf-dnsext-dnssec-protocol] for discussion of how a zone
+ signer determines precisely which NSEC RRs it needs to include in a
+ zone.
+
+ The type value for the NSEC RR is 47.
+
+ The NSEC RR is class independent.
+
+ The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [RFC2308].
+
+4.1 NSEC RDATA Wire Format
+
+ The RDATA of the NSEC RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Next Domain Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Type Bit Maps /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+4.1.1 The Next Domain Name Field
+
+ The Next Domain field contains the next owner name (in the canonical
+ ordering of the zone) which has authoritative data or contains a
+ delegation point NS RRset; see Section 6.1 for an explanation of
+ canonical ordering. The value of the Next Domain Name field in the
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 14]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ last NSEC record in the zone is the name of the zone apex (the owner
+ name of the zone's SOA RR). This indicates that the owner name of
+ the NSEC RR is the last name in the canonical ordering of the zone.
+
+ A sender MUST NOT use DNS name compression on the Next Domain Name
+ field when transmitting an NSEC RR.
+
+ Owner names of RRsets not authoritative for the given zone (such as
+ glue records) MUST NOT be listed in the Next Domain Name unless at
+ least one authoritative RRset exists at the same owner name.
+
+4.1.2 The Type Bit Maps Field
+
+ The Type Bit Maps field identifies the RRset types which exist at the
+ NSEC RR's owner name.
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the window block's
+ bitmap, and up to 32 octets (256 bits) of bitmap.
+
+ Blocks are present in the NSEC RR RDATA in increasing numerical
+ order.
+
+ Type Bit Maps Field = ( Window Block # | Bitmap Length | Bitmap )+
+
+ where "|" denotes concatenation.
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, bit 2 to RR type 258. If a bit is set,
+ it indicates that an RRset of that type is present for the NSEC RR's
+ owner name. If a bit is clear, it indicates that no RRset of that
+ type is present for the NSEC RR's owner name.
+
+ Bits representing pseudo-types MUST be clear, since they do not
+ appear in zone data. If encountered, they MUST be ignored upon
+ reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of each block's
+ bitmap is determined by the type code with the largest numerical
+ value, within that block, among the set of RR types present at the
+ NSEC RR's owner name. Trailing zero octets not specified MUST be
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 15]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ interpreted as zero octets.
+
+ The bitmap for the NSEC RR at a delegation point requires special
+ attention. Bits corresponding to the delegation NS RRset and the RR
+ types for which the parent zone has authoritative data MUST be set;
+ bits corresponding to any non-NS RRset for which the parent is not
+ authoritative MUST be clear.
+
+ A zone MUST NOT include an NSEC RR for any domain name that only
+ holds glue records.
+
+4.1.3 Inclusion of Wildcard Names in NSEC RDATA
+
+ If a wildcard owner name appears in a zone, the wildcard label ("*")
+ is treated as a literal symbol and is treated the same as any other
+ owner name for purposes of generating NSEC RRs. Wildcard owner names
+ appear in the Next Domain Name field without any wildcard expansion.
+ [I-D.ietf-dnsext-dnssec-protocol] describes the impact of wildcards
+ on authenticated denial of existence.
+
+4.2 The NSEC RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Next Domain Name field is represented as a domain name.
+
+ The Type Bit Maps field is represented as a sequence of RR type
+ mnemonics. When the mnemonic is not known, the TYPE representation
+ as described in [RFC3597] (section 5) MUST be used.
+
+4.3 NSEC RR Example
+
+ The following NSEC RR identifies the RRsets associated with
+ alfa.example.com. and identifies the next authoritative name after
+ alfa.example.com.
+
+ alfa.example.com. 86400 IN NSEC host.example.com. (
+ A MX RRSIG NSEC TYPE1234 )
+
+ The first four text fields specify the name, TTL, Class, and RR type
+ (NSEC). The entry host.example.com. is the next authoritative name
+ after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC,
+ and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
+ TYPE1234 RRsets associated with the name alfa.example.com.
+
+ The RDATA section of the NSEC RR above would be encoded as:
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 16]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ 0x04 'h' 'o' 's' 't'
+ 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
+ 0x03 'c' 'o' 'm' 0x00
+ 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
+ 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x20
+
+ Assuming that the validator can authenticate this NSEC record, it
+ could be used to prove that beta.example.com does not exist, or could
+ be used to prove there is no AAAA record associated with
+ alfa.example.com. Authenticated denial of existence is discussed in
+ [I-D.ietf-dnsext-dnssec-protocol].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 17]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+5. The DS Resource Record
+
+ The DS Resource Record refers to a DNSKEY RR and is used in the DNS
+ DNSKEY authentication process. A DS RR refers to a DNSKEY RR by
+ storing the key tag, algorithm number, and a digest of the DNSKEY RR.
+ Note that while the digest should be sufficient to identify the
+ public key, storing the key tag and key algorithm helps make the
+ identification process more efficient. By authenticating the DS
+ record, a resolver can authenticate the DNSKEY RR to which the DS
+ record points. The key authentication process is described in
+ [I-D.ietf-dnsext-dnssec-protocol].
+
+ The DS RR and its corresponding DNSKEY RR have the same owner name,
+ but they are stored in different locations. The DS RR appears only
+ on the upper (parental) side of a delegation, and is authoritative
+ data in the parent zone. For example, the DS RR for "example.com" is
+ stored in the "com" zone (the parent zone) rather than in the
+ "example.com" zone (the child zone). The corresponding DNSKEY RR is
+ stored in the "example.com" zone (the child zone). This simplifies
+ DNS zone management and zone signing, but introduces special response
+ processing requirements for the DS RR; these are described in
+ [I-D.ietf-dnsext-dnssec-protocol].
+
+ The type number for the DS record is 43.
+
+ The DS resource record is class independent.
+
+ The DS RR has no special TTL requirements.
+
+5.1 DS RDATA Wire Format
+
+ The RDATA for a DS RR consists of a 2 octet Key Tag field, a one
+ octet Algorithm field, a one octet Digest Type field, and a Digest
+ field.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Key Tag | Algorithm | Digest Type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / /
+ / Digest /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 18]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+5.1.1 The Key Tag Field
+
+ The Key Tag field lists the key tag of the DNSKEY RR referred to by
+ the DS record, in network byte order.
+
+ The Key Tag used by the DS RR is identical to the Key Tag used by
+ RRSIG RRs. Appendix B describes how to compute a Key Tag.
+
+5.1.2 The Algorithm Field
+
+ The Algorithm field lists the algorithm number of the DNSKEY RR
+ referred to by the DS record.
+
+ The algorithm number used by the DS RR is identical to the algorithm
+ number used by RRSIG and DNSKEY RRs. Appendix A.1 lists the
+ algorithm number types.
+
+5.1.3 The Digest Type Field
+
+ The DS RR refers to a DNSKEY RR by including a digest of that DNSKEY
+ RR. The Digest Type field identifies the algorithm used to construct
+ the digest. Appendix A.2 lists the possible digest algorithm types.
+
+5.1.4 The Digest Field
+
+ The DS record refers to a DNSKEY RR by including a digest of that
+ DNSKEY RR.
+
+ The digest is calculated by concatenating the canonical form of the
+ fully qualified owner name of the DNSKEY RR with the DNSKEY RDATA,
+ and then applying the digest algorithm.
+
+ digest = digest_algorithm( DNSKEY owner name | DNSKEY RDATA);
+
+ "|" denotes concatenation
+
+ DNSKEY RDATA = Flags | Protocol | Algorithm | Public Key.
+
+
+ The size of the digest may vary depending on the digest algorithm and
+ DNSKEY RR size. As of the time of writing, the only defined digest
+ algorithm is SHA-1, which produces a 20 octet digest.
+
+5.2 Processing of DS RRs When Validating Responses
+
+ The DS RR links the authentication chain across zone boundaries, so
+ the DS RR requires extra care in processing. The DNSKEY RR referred
+ to in the DS RR MUST be a DNSSEC zone key. The DNSKEY RR Flags MUST
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 19]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ have Flags bit 7 set. If the DNSKEY flags do not indicate a DNSSEC
+ zone key, the DS RR (and DNSKEY RR it references) MUST NOT be used in
+ the validation process.
+
+5.3 The DS RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Key Tag field MUST be represented as an unsigned decimal integer.
+
+ The Algorithm field MUST be represented either as an unsigned decimal
+ integer or as an algorithm mnemonic specified in Appendix A.1.
+
+ The Digest Type field MUST be represented as an unsigned decimal
+ integer.
+
+ The Digest MUST be represented as a sequence of case-insensitive
+ hexadecimal digits. Whitespace is allowed within the hexadecimal
+ text.
+
+5.4 DS RR Example
+
+ The following example shows a DNSKEY RR and its corresponding DS RR.
+
+ dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz
+ fwJr1AYtsmx3TGkJaNXVbfi/
+ 2pHm822aJ5iI9BMzNXxeYCmZ
+ DRD99WYwYqUSdjMmmAphXdvx
+ egXd/M5+X7OrzKBaMbCVdFLU
+ Uh6DhweJBjEVv5f2wwjM9Xzc
+ nOf+EPbtG9DMBmADjFDc2w/r
+ ljwvFw==
+ ) ; key id = 60485
+
+ dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
+ 98631FAD1A292118 )
+
+
+ The first four text fields specify the name, TTL, Class, and RR type
+ (DS). Value 60485 is the key tag for the corresponding
+ "dskey.example.com." DNSKEY RR, and value 5 denotes the algorithm
+ used by this "dskey.example.com." DNSKEY RR. The value 1 is the
+ algorithm used to construct the digest, and the rest of the RDATA
+ text is the digest in hexadecimal.
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 20]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+6. Canonical Form and Order of Resource Records
+
+ This section defines a canonical form for resource records, a
+ canonical ordering of DNS names, and a canonical ordering of resource
+ records within an RRset. A canonical name order is required to
+ construct the NSEC name chain. A canonical RR form and ordering
+ within an RRset are required to construct and verify RRSIG RRs.
+
+6.1 Canonical DNS Name Order
+
+ For purposes of DNS security, owner names are ordered by treating
+ individual labels as unsigned left-justified octet strings. The
+ absence of a octet sorts before a zero value octet, and upper case
+ US-ASCII letters are treated as if they were lower case US-ASCII
+ letters.
+
+ To compute the canonical ordering of a set of DNS names, start by
+ sorting the names according to their most significant (rightmost)
+ labels. For names in which the most significant label is identical,
+ continue sorting according to their next most significant label, and
+ so forth.
+
+ For example, the following names are sorted in canonical DNS name
+ order. The most significant label is "example". At this level,
+ "example" sorts first, followed by names ending in "a.example", then
+ names ending "z.example". The names within each level are sorted in
+ the same way.
+
+ example
+ a.example
+ yljkjljk.a.example
+ Z.a.example
+ zABC.a.EXAMPLE
+ z.example
+ \001.z.example
+ *.z.example
+ \200.z.example
+
+
+6.2 Canonical RR Form
+
+ For purposes of DNS security, the canonical form of an RR is the wire
+ format of the RR where:
+ 1. Every domain name in the RR is fully expanded (no DNS name
+ compression) and fully qualified;
+ 2. All uppercase US-ASCII letters in the owner name of the RR are
+ replaced by the corresponding lowercase US-ASCII letters;
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 21]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ 3. If the type of the RR is NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+ HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX,
+ SRV, DNAME, A6, RRSIG or NSEC, all uppercase US-ASCII letters in
+ the DNS names contained within the RDATA are replaced by the
+ corresponding lowercase US-ASCII letters;
+ 4. If the owner name of the RR is a wildcard name, the owner name is
+ in its original unexpanded form, including the "*" label (no
+ wildcard substitution); and
+ 5. The RR's TTL is set to its original value as it appears in the
+ originating authoritative zone or the Original TTL field of the
+ covering RRSIG RR.
+
+6.3 Canonical RR Ordering Within An RRset
+
+ For purposes of DNS security, RRs with the same owner name, class,
+ and type are sorted by treating the RDATA portion of the canonical
+ form of each RR as a left-justified unsigned octet sequence where the
+ absence of an octet sorts before a zero octet.
+
+ [RFC2181] specifies that an RRset is not allowed to contain duplicate
+ records (multiple RRs with the same owner name, class, type, and
+ RDATA). Therefore, if an implementation detects duplicate RRs when
+ putting the RRset in canonical form, the implementation MUST treat
+ this as a protocol error. If the implementation chooses to handle
+ this protocol error in the spirit of the robustness principle (being
+ liberal in what it accepts), the implementation MUST remove all but
+ one of the duplicate RR(s) for purposes of calculating the canonical
+ form of the RRset.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 22]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+7. IANA Considerations
+
+ This document introduces no new IANA considerations, because all of
+ the protocol parameters used in this document have already been
+ assigned by previous specifications. However, since the evolution of
+ DNSSEC has been long and somewhat convoluted, this section attempts
+ to describe the current state of the IANA registries and other
+ protocol parameters which are (or once were) related to DNSSEC.
+
+ Please refer to [I-D.ietf-dnsext-dnssec-protocol] for additional IANA
+ considerations.
+
+ DNS Resource Record Types: [RFC2535] assigned types 24, 25, and 30 to
+ the SIG, KEY, and NXT RRs, respectively. [RFC3658] assigned DNS
+ Resource Record Type 43 to DS. [RFC3755] assigned types 46, 47,
+ and 48 to the RRSIG, NSEC, and DNSKEY RRs, respectively.
+ [RFC3755] also marked type 30 (NXT) as Obsolete, and restricted
+ use of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction
+ security protocol described in [RFC2931] and the transaction KEY
+ Resource Record described in [RFC2930].
+
+ DNS Security Algorithm Numbers: [RFC2535] created an IANA registry
+ for DNSSEC Resource Record Algorithm field numbers, and assigned
+ values 1-4 and 252-255. [RFC3110] assigned value 5. [RFC3755]
+ altered this registry to include flags for each entry regarding
+ its use with the DNS security extensions. Each algorithm entry
+ could refer to an algorithm that can be used for zone signing,
+ transaction security (see [RFC2931]) or both. Values 6-251 are
+ available for assignment by IETF standards action. See Appendix A
+ for a full listing of the DNS Security Algorithm Numbers entries
+ at the time of writing and their status of use in DNSSEC.
+
+ [RFC3658] created an IANA registry for DNSSEC DS Digest Types, and
+ assigned value 0 to reserved and value 1 to SHA-1.
+
+ KEY Protocol Values: [RFC2535] created an IANA Registry for KEY
+ Protocol Values, but [RFC3445] re-assigned all values other than 3
+ to reserved and closed this IANA registry. The registry remains
+ closed, and all KEY and DNSKEY records are required to have
+ Protocol Octet value of 3.
+
+ Flag bits in the KEY and DNSKEY RRs: [RFC3755] created an IANA
+ registry for the DNSSEC KEY and DNSKEY RR flag bits. Initially,
+ this registry only contains an assignment for bit 7 (the ZONE bit)
+ and a reservation for bit 15 for the Secure Entry Point flag (SEP
+ bit) [RFC3757]. Bits 0-6 and 8-14 are available for assignment by
+ IETF Standards Action.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 23]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+8. Security Considerations
+
+ This document describes the format of four DNS resource records used
+ by the DNS security extensions, and presents an algorithm for
+ calculating a key tag for a public key. Other than the items
+ described below, the resource records themselves introduce no
+ security considerations. Please see [I-D.ietf-dnsext-dnssec-intro]
+ and [I-D.ietf-dnsext-dnssec-protocol] for additional security
+ considerations related to the use of these records.
+
+ The DS record points to a DNSKEY RR using a cryptographic digest, the
+ key algorithm type and a key tag. The DS record is intended to
+ identify an existing DNSKEY RR, but it is theoretically possible for
+ an attacker to generate a DNSKEY that matches all the DS fields. The
+ probability of constructing such a matching DNSKEY depends on the
+ type of digest algorithm in use. The only currently defined digest
+ algorithm is SHA-1, and the working group believes that constructing
+ a public key which would match the algorithm, key tag, and SHA-1
+ digest given in a DS record would be a sufficiently difficult problem
+ that such an attack is not a serious threat at this time.
+
+ The key tag is used to help select DNSKEY resource records
+ efficiently, but it does not uniquely identify a single DNSKEY
+ resource record. It is possible for two distinct DNSKEY RRs to have
+ the same owner name, the same algorithm type, and the same key tag.
+ An implementation which uses only the key tag to select a DNSKEY RR
+ might select the wrong public key in some circumstances.
+
+ The table of algorithms in Appendix A and the key tag calculation
+ algorithms in Appendix B include the RSA/MD5 algorithm for
+ completeness, but the RSA/MD5 algorithm is NOT RECOMMENDED, as
+ explained in [RFC3110].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 24]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+9. Acknowledgments
+
+ This document was created from the input and ideas of the members of
+ the DNS Extensions Working Group and working group mailing list. The
+ editors would like to express their thanks for the comments and
+ suggestions received during the revision of these security extension
+ specifications. While explicitly listing everyone who has
+ contributed during the decade during which DNSSEC has been under
+ development would be an impossible task,
+ [I-D.ietf-dnsext-dnssec-intro] includes a list of some of the
+ participants who were kind enough to comment on these documents.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 25]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+10. References
+
+10.1 Normative References
+
+ [I-D.ietf-dnsext-dnssec-intro]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "DNS Security Introduction and Requirements",
+ draft-ietf-dnsext-dnssec-intro-10 (work in progress), May
+ 2004.
+
+ [I-D.ietf-dnsext-dnssec-protocol]
+ Arends, R., Austein, R., Larson, M., Massey, D. and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", draft-ietf-dnsext-dnssec-protocol-06 (work in
+ progress), May 2004.
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+ August 1996.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC3110] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain
+ Name System (DNS)", RFC 3110, May 2001.
+
+ [RFC3445] Massey, D. and S. Rose, "Limiting the Scope of the KEY
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 26]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ Resource Record (RR)", RFC 3445, December 2002.
+
+ [RFC3548] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 3548, July 2003.
+
+ [RFC3597] Gustafsson, A., "Handling of Unknown DNS Resource Record
+ (RR) Types", RFC 3597, September 2003.
+
+ [RFC3658] Gudmundsson, O., "Delegation Signer (DS) Resource Record
+ (RR)", RFC 3658, December 2003.
+
+ [RFC3755] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer", RFC 3755, April 2004.
+
+ [RFC3757] Kolkman, O., Schlyter, J. and E. Lewis, "KEY RR Secure
+ Entry Point Flag", RFC 3757, April 2004.
+
+10.2 Informative References
+
+ [I-D.ietf-dnsext-nsec-rdata]
+ Schlyter, J., "DNSSEC NSEC RDATA Format",
+ draft-ietf-dnsext-nsec-rdata-06 (work in progress), May
+ 2004.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+
+Authors' Addresses
+
+ Roy Arends
+ Telematica Instituut
+ Drienerlolaan 5
+ 7522 NB Enschede
+ NL
+
+ EMail: roy.arends@telin.nl
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 27]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ Rob Austein
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ EMail: sra@isc.org
+
+
+ Matt Larson
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ EMail: mlarson@verisign.com
+
+
+ Dan Massey
+ USC Information Sciences Institute
+ 3811 N. Fairfax Drive
+ Arlington, VA 22203
+ USA
+
+ EMail: masseyd@isi.edu
+
+
+ Scott Rose
+ National Institute for Standards and Technology
+ 100 Bureau Drive
+ Gaithersburg, MD 20899-8920
+ USA
+
+ EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 28]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+Appendix A. DNSSEC Algorithm and Digest Types
+
+ The DNS security extensions are designed to be independent of the
+ underlying cryptographic algorithms. The DNSKEY, RRSIG, and DS
+ resource records all use a DNSSEC Algorithm Number to identify the
+ cryptographic algorithm in use by the resource record. The DS
+ resource record also specifies a Digest Algorithm Number to identify
+ the digest algorithm used to construct the DS record. The currently
+ defined Algorithm and Digest Types are listed below. Additional
+ Algorithm or Digest Types could be added as advances in cryptography
+ warrant.
+
+ A DNSSEC aware resolver or name server MUST implement all MANDATORY
+ algorithms.
+
+A.1 DNSSEC Algorithm Types
+
+ The DNSKEY, RRSIG, and DS RRs use an 8-bit number used to identify
+ the security algorithm being used. These values are stored in the
+ "Algorithm number" field in the resource record RDATA.
+
+ Some algorithms are usable only for zone signing (DNSSEC), some only
+ for transaction security mechanisms (SIG(0) and TSIG), and some for
+ both. Those usable for zone signing may appear in DNSKEY, RRSIG, and
+ DS RRs. Those usable for transaction security would be present in
+ SIG(0) and KEY RRs as described in [RFC2931]
+
+ Zone
+ Value Algorithm [Mnemonic] Signing References Status
+ ----- -------------------- --------- ---------- ---------
+ 0 reserved
+ 1 RSA/MD5 [RSAMD5] n RFC 2537 NOT RECOMMENDED
+ 2 Diffie-Hellman [DH] n RFC 2539 -
+ 3 DSA/SHA-1 [DSA] y RFC 2536 OPTIONAL
+ 4 Elliptic Curve [ECC] TBA -
+ 5 RSA/SHA-1 [RSASHA1] y RFC 3110 MANDATORY
+ 252 Indirect [INDIRECT] n -
+ 253 Private [PRIVATEDNS] y see below OPTIONAL
+ 254 Private [PRIVATEOID] y see below OPTIONAL
+ 255 reserved
+
+ 6 - 251 Available for assignment by IETF Standards Action.
+
+A.1.1 Private Algorithm Types
+
+ Algorithm number 253 is reserved for private use and will never be
+ assigned to a specific algorithm. The public key area in the DNSKEY
+ RR and the signature area in the RRSIG RR begin with a wire encoded
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 29]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ domain name, which MUST NOT be compressed. The domain name indicates
+ the private algorithm to use and the remainder of the public key area
+ is determined by that algorithm. Entities should only use domain
+ names they control to designate their private algorithms.
+
+ Algorithm number 254 is reserved for private use and will never be
+ assigned to a specific algorithm. The public key area in the DNSKEY
+ RR and the signature area in the RRSIG RR begin with an unsigned
+ length byte followed by a BER encoded Object Identifier (ISO OID) of
+ that length. The OID indicates the private algorithm in use and the
+ remainder of the area is whatever is required by that algorithm.
+ Entities should only use OIDs they control to designate their private
+ algorithms.
+
+A.2 DNSSEC Digest Types
+
+ A "Digest Type" field in the DS resource record types identifies the
+ cryptographic digest algorithm used by the resource record. The
+ following table lists the currently defined digest algorithm types.
+
+ VALUE Algorithm STATUS
+ 0 Reserved -
+ 1 SHA-1 MANDATORY
+ 2-255 Unassigned -
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 30]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+Appendix B. Key Tag Calculation
+
+ The Key Tag field in the RRSIG and DS resource record types provides
+ a mechanism for selecting a public key efficiently. In most cases, a
+ combination of owner name, algorithm, and key tag can efficiently
+ identify a DNSKEY record. Both the RRSIG and DS resource records
+ have corresponding DNSKEY records. The Key Tag field in the RRSIG
+ and DS records can be used to help select the corresponding DNSKEY RR
+ efficiently when more than one candidate DNSKEY RR is available.
+
+ However, it is essential to note that the key tag is not a unique
+ identifier. It is theoretically possible for two distinct DNSKEY RRs
+ to have the same owner name, the same algorithm, and the same key
+ tag. The key tag is used to limit the possible candidate keys, but
+ it does not uniquely identify a DNSKEY record. Implementations MUST
+ NOT assume that the key tag uniquely identifies a DNSKEY RR.
+
+ The key tag is the same for all DNSKEY algorithm types except
+ algorithm 1 (please see Appendix B.1 for the definition of the key
+ tag for algorithm 1). The key tag algorithm is the sum of the wire
+ format of the DNSKEY RDATA broken into 2 octet groups. First the
+ RDATA (in wire format) is treated as a series of 2 octet groups,
+ these groups are then added together ignoring any carry bits.
+
+ A reference implementation of the key tag algorithm is as an ANSI C
+ function is given below with the RDATA portion of the DNSKEY RR is
+ used as input. It is not necessary to use the following reference
+ code verbatim, but the numerical value of the Key Tag MUST be
+ identical to what the reference implementation would generate for the
+ same input.
+
+ Please note that the algorithm for calculating the Key Tag is almost
+ but not completely identical to the familiar ones complement checksum
+ used in many other Internet protocols. Key Tags MUST be calculated
+ using the algorithm described here rather than the ones complement
+ checksum.
+
+ The following ANSI C reference implementation calculates the value of
+ a Key Tag. This reference implementation applies to all algorithm
+ types except algorithm 1 (see Appendix B.1). The input is the wire
+ format of the RDATA portion of the DNSKEY RR. The code is written
+ for clarity, not efficiency.
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 31]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+ /*
+ * Assumes that int is at least 16 bits.
+ * First octet of the key tag is the most significant 8 bits of the
+ * return value;
+ * Second octet of the key tag is the least significant 8 bits of the
+ * return value.
+ */
+
+ unsigned int
+ keytag (
+ unsigned char key[], /* the RDATA part of the DNSKEY RR */
+ unsigned int keysize /* the RDLENGTH */
+ )
+ {
+ unsigned long ac; /* assumed to be 32 bits or larger */
+ int i; /* loop index */
+
+ for ( ac = 0, i = 0; i < keysize; ++i )
+ ac += (i & 1) ? key[i] : key[i] << 8;
+ ac += (ac >> 16) & 0xFFFF;
+ return ac & 0xFFFF;
+ }
+
+
+B.1 Key Tag for Algorithm 1 (RSA/MD5)
+
+ The key tag for algorithm 1 (RSA/MD5) is defined differently than the
+ key tag for all other algorithms, for historical reasons. For a
+ DNSKEY RR with algorithm 1, the key tag is defined to be the most
+ significant 16 bits of the least significant 24 bits in the public
+ key modulus (in other words, the 4th to last and 3rd to last octets
+ of the public key modulus).
+
+ Please note that Algorithm 1 is NOT RECOMMENDED.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 32]
+
+Internet-Draft DNSSEC Resource Records July 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Arends, et al. Expires January 13, 2005 [Page 33]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt
new file mode 100644
index 0000000..4cfd417
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-insensitive-04.txt
@@ -0,0 +1,639 @@
+
+INTERNET-DRAFT Donald E. Eastlake 3rd
+Clarifies STD0013 Motorola Laboratories
+Expires December 2004 July 2004
+
+
+
+ Domain Name System (DNS) Case Insensitivity Clarification
+ ------ ---- ------ ----- ---- ------------- -------------
+ <draft-ietf-dnsext-insensitive-04.txt>
+
+ Donald E. Eastlake 3rd
+
+
+
+Status of This Document
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Distribution of this document is unlimited. Comments should be sent
+ to the DNSEXT working group at namedroppers@ops.ietf.org.
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC 2026. Internet-Drafts are
+ working documents of the Internet Engineering Task Force (IETF), its
+ areas, and its working groups. Note that other groups may also
+ distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-
+ Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+
+Abstract
+
+ Domain Name System (DNS) names are "case insensitive". This document
+ explains exactly what that means and provides a clear specification
+ of the rules. This clarification should not have any interoperability
+ consequences.
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 1]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+Acknowledgements
+
+ The contributions to this document of Rob Austein, Olafur
+ Gudmundsson, Daniel J. Anderson, Alan Barrett, Marc Blanchet, Dana,
+ Andreas Gustafsson, Andrew Main, and Scott Seligman are gratefully
+ acknowledged.
+
+
+
+Table of Contents
+
+ Status of This Document....................................1
+ Abstract...................................................1
+
+ Acknowledgements...........................................2
+ Table of Contents..........................................2
+
+ 1. Introduction............................................3
+ 2. Case Insensitivity of DNS Labels........................3
+ 2.1 Escaping Unusual DNS Label Octets......................3
+ 2.2 Example Labels with Escapes............................4
+ 3. Name Lookup, Label Types, and CLASS.....................4
+ 3.1 Original DNS Label Types...............................5
+ 3.2 Extended Label Type Case Insensitivity Considerations..5
+ 3.3 CLASS Case Insensitivity Considerations................5
+ 4. Case on Input and Output................................6
+ 4.1 DNS Output Case Preservation...........................6
+ 4.2 DNS Input Case Preservation............................6
+ 5. Internationalized Domain Names..........................7
+ 6. Security Considerations.................................7
+
+ Copyright and Disclaimer...................................9
+ Normative References.......................................9
+ Informative References....................................10
+ -02 to -03 Changes........................................10
+ -03 to -04 Changes........................................11
+ Author's Address..........................................11
+ Expiration and File Name..................................11
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 2]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical replicated
+ distributed database system for Internet addressing, mail proxy, and
+ other information. Each node in the DNS tree has a name consisting of
+ zero or more labels [STD 13][RFC 1591, 2606] that are treated in a
+ case insensitive fashion. This document clarifies the meaning of
+ "case insensitive" for the DNS.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+
+2. Case Insensitivity of DNS Labels
+
+ DNS was specified in the era of [ASCII]. DNS names were expected to
+ look like most host names or Internet email address right halves (the
+ part after the at-sign, "@") or be numeric as in the in-addr.arpa
+ part of the DNS name space. For example,
+
+ foo.example.net.
+ aol.com.
+ www.gnu.ai.mit.edu.
+ or 69.2.0.192.in-addr.arpa.
+
+ Case varied alternatives to the above would be DNS names like
+
+ Foo.ExamplE.net.
+ AOL.COM.
+ WWW.gnu.AI.mit.EDU.
+ or 69.2.0.192.in-ADDR.ARPA.
+
+ However, the individual octets of which DNS names consist are not
+ limited to valid ASCII character codes. They are 8-bit bytes and all
+ values are allowed. Many applications, however, interpret them as
+ ASCII characters.
+
+
+
+2.1 Escaping Unusual DNS Label Octets
+
+ In Master Files [STD 13] and other human readable and writable ASCII
+ contexts, an escape is needed for the byte value for period (0x2E,
+ ".") and all octet values outside of the inclusive range of 0x21
+ ("!") to 0x7E ("~"). That is to say, 0x2E and all octet values in
+ the two inclusive ranges 0x00 to 0x20 and 0x7F to 0xFF.
+
+ One typographic convention for octets that do not correspond to an
+
+
+D. Eastlake 3rd [Page 3]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+ ASCII printing graphic is to use a back-slash followed by the value
+ of the octet as an unsigned integer represented by exactly three
+ decimal digits.
+
+ The same convention can be used for printing ASCII characters so that
+ they will be treated as a normal label character. This includes the
+ back-slash character used in this convention itself which can be
+ expressed as \092 or \\ and the special label separator period (".")
+ which can be expressed as and \046 or \. respectively. It is
+ advisable to avoid using a backslash to quote an immediately
+ following non-printing ASCII character code to avoid implementation
+ difficulties.
+
+ A back-slash followed by only one or two decimal digits is undefined.
+ A back-slash followed by four decimal digits produces two octets, the
+ first octet having the value of the first three digits considered as
+ a decimal number and the second octet being the character code for
+ the fourth decimal digit.
+
+
+
+2.2 Example Labels with Escapes
+
+ The first example below shows embedded spaces and a period (".")
+ within a label. The second one show a 5 octet label where the second
+ octet has all bits zero, the third is a backslash, and the fourth
+ octet has all bits one.
+
+ Donald\032E\.\032Eastlake\0323rd.example.
+ and a\000\\\255z.example.
+
+
+
+3. Name Lookup, Label Types, and CLASS
+
+ The design decision was made that comparisons on name lookup for DNS
+ queries should be case insensitive [STD 13]. That is to say, a lookup
+ string octet with a value in the inclusive range of 0x41 to 0x5A, the
+ upper case ASCII letters, MUST match the identical value and also
+ match the corresponding value in the inclusive range 0x61 to 0x7A,
+ the lower case ASCII letters. And a lookup string octet with a lower
+ case ASCII letter value MUST similarly match the identical value and
+ also match the corresponding value in the upper case ASCII letter
+ range.
+
+ (Historical Note: the terms "upper case" and "lower case" were
+ invented after movable type. The terms originally referred to the
+ two font trays for storing, in partitioned areas, the different
+ physical type elements. Before movable type, the nearest equivalent
+ terms were "majuscule" and "minuscule".)
+
+
+D. Eastlake 3rd [Page 4]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+ One way to implement this rule would be, when comparing octets, to
+ subtract 0x20 from all octets in the inclusive range 0x61 to 0x7A
+ before the comparison. Such an operation is commonly known as "case
+ folding" but implementation via case folding is not required. Note
+ that the DNS case insensitivity does NOT correspond to the case
+ folding specified in iso-8859-1 or iso-8859-2. For example, the
+ octets 0xDD (\221) and 0xFD (\253) do NOT match although in other
+ contexts, where they are interpreted as the upper and lower case
+ version of "Y" with an acute accent, they might.
+
+
+
+3.1 Original DNS Label Types
+
+ DNS labels in wire encoded names have a type associated with them.
+ The original DNS standard [RFC 1035] had only two types. ASCII
+ labels, with a length of from zero to 63 octets, and indirect labels
+ which consist of an offset pointer to a name location elsewhere in
+ the wire encoding on a DNS message. (The ASCII label of length zero
+ is reserved for use as the name of the root node of the name tree.)
+ ASCII labels follow the ASCII case conventions described herein and,
+ as stated above, can actually contain arbitrary byte values. Indirect
+ labels are, in effect, replaced by the name to which they point which
+ is then treated with the case insensitivity rules in this document.
+
+
+
+3.2 Extended Label Type Case Insensitivity Considerations
+
+ DNS was extended by [RFC 2671] to have additional label type numbers
+ available. (The only such type defined so far is the BINARY type [RFC
+ 2673].)
+
+ The ASCII case insensitivity conventions only apply to ASCII labels,
+ that is to say, label type 0x0, whether appearing directly or invoked
+ by indirect labels.
+
+
+
+3.3 CLASS Case Insensitivity Considerations
+
+ As described in [STD 13] and [RFC 2929], DNS has an additional axis
+ for data location called CLASS. The only CLASS in global use at this
+ time is the "IN" or Internet CLASS.
+
+ The handling of DNS label case is not CLASS dependent.
+
+
+
+
+
+
+D. Eastlake 3rd [Page 5]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+4. Case on Input and Output
+
+ While ASCII label comparisons are case insensitive, [STD 13] says
+ case MUST be preserved on output, and preserved when convenient on
+ input. However, this means less than it would appear since the
+ preservation of case on output is NOT required when output is
+ optimized by the use of indirect labels, as explained below.
+
+
+
+4.1 DNS Output Case Preservation
+
+ [STD 13] views the DNS namespace as a node tree. ASCII output is as
+ if a name was marshaled by taking the label on the node whose name is
+ to be output, converting it to a typographically encoded ASCII
+ string, walking up the tree outputting each label encountered, and
+ preceding all labels but the first with a period ("."). Wire output
+ follows the same sequence but each label is wire encoded and no
+ periods inserted. No "case conversion" or "case folding" is done
+ during such output operations, thus "preserving" case. However, to
+ optimize output, indirect labels may be used to point to names
+ elsewhere in the DNS answer. In determining whether the name to be
+ pointed to, for example the QNAME, is the "same" as the remainder of
+ the name being optimized, the case insensitive comparison specified
+ above is done. Thus such optimization MAY easily destroy the output
+ preservation of case. This type of optimization is commonly called
+ "name compression".
+
+
+
+4.2 DNS Input Case Preservation
+
+ Originally, DNS input came from an ASCII Master File as defined in
+ [STD 13] or a zone transfer. DNS Dynamic update and incremental zone
+ transfers [RFC 1995] have been added as a source of DNS data [RFC
+ 2136, 3007]. When a node in the DNS name tree is created by any of
+ such inputs, no case conversion is done. Thus the case of ASCII
+ labels is preserved if they are for nodes being created. However,
+ when a name label is input for a node that already exist in DNS data
+ being held, the situation is more complex. Implementations may retain
+ the case first input for such a label or allow new input to override
+ the old case or even maintain separate copies preserving the input
+ case.
+
+ For example, if data with owner name "foo.bar.example" is input and
+ then later data with owner name "xyz.BAR.example" is input, the name
+ of the label on the "bar.example" node, i.e. "bar", might or might
+ not be changed to "BAR" or the actual input case could be preserved.
+ Thus later retrieval of data stored under "xyz.bar.example" in this
+ case can easily return data with "xyz.BAR.example". The same
+
+
+D. Eastlake 3rd [Page 6]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+ considerations apply when inputting multiple data records with owner
+ names differing only in case. For example, if an "A" record is stored
+ as the first resourced record under owner name "xyz.BAR.example" and
+ then a second "A" record is stored under "XYZ.BAR.example", the
+ second MAY be stored with the first (lower case initial label) name
+ or the second MAY override the first so that only an upper case
+ initial label is retained or both capitalizations MAY be kept.
+
+ Note that the order of insertion into a server database of the DNS
+ name tree nodes that appear in a Master File is not defined so that
+ the results of inconsistent capitalization in a Master File are
+ unpredictable output capitalization.
+
+
+
+5. Internationalized Domain Names
+
+ A scheme has been adopted for "internationalized domain names" and
+ "internationalized labels" as described in [RFC 3490, 3454, 3491, and
+ 3492]. It makes most of [UNICODE] available through a separate
+ application level transformation from internationalized domain name
+ to DNS domain name and from DNS domain name to internationalized
+ domain name. Any case insensitivity that internationalized domain
+ names and labels have varies depending on the script and is handled
+ entirely as part of the transformation described in [RFC 3454] and
+ [RFC 3491] which should be seen for further details. This is not a
+ part of the DNS as standardized in STD 13.
+
+
+
+6. Security Considerations
+
+ The equivalence of certain DNS label types with case differences, as
+ clarified in this document, can lead to security problems. For
+ example, a user could be confused by believing two domain names
+ differing only in case were actually different names.
+
+ Furthermore, a domain name may be used in contexts other than the
+ DNS. It could be used as a case sensitive index into some data base
+ system. Or it could be interpreted as binary data by some integrity
+ or authentication code system. These problems can usually be handled
+ by using a standardized or "canonical" form of the DNS ASCII type
+ labels, that is, always mapping the ASCII letter value octets in
+ ASCII labels to some specific pre-chosen case, either upper case or
+ lower case. An example of a canonical form for domain names (and also
+ a canonical ordering for them) appears in Section 8 of [RFC 2535].
+ See also [RFC 3597].
+
+ Finally, a non-DNS name may be stored into DNS with the false
+ expectation that case will always be preserved. For example, although
+
+
+D. Eastlake 3rd [Page 7]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+ this would be quite rare, on a system with case sensitive email
+ address local parts, an attempt to store two "RP" records that
+ differed only in case would probably produce unexpected results that
+ might have security implications. That is because the entire email
+ address, including the possibly case sensitive local or left hand
+ part, is encoded into a DNS name in a readable fashion where the case
+ of some letters might be changed on output as described above.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 8]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+Copyright and Disclaimer
+
+ Copyright (C) The Internet Society 2004. This document is subject to
+ the rights, licenses and restrictions contained in BCP 78, and except
+ as set forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+Normative References
+
+ [ASCII] - ANSI, "USA Standard Code for Information Interchange",
+ X3.4, American National Standards Institute: New York, 1968.
+
+ [RFC 1034, 1035] - See [STD 13].
+
+ [RFC 1995] - M. Ohta, "Incremental Zone Transfer in DNS", August
+ 1996.
+
+ [RFC 2119] - S. Bradner, "Key words for use in RFCs to Indicate
+ Requirement Levels", March 1997.
+
+ [RFC 2136] - P. Vixie, Ed., S. Thomson, Y. Rekhter, J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)", April 1997.
+
+ [RFC 2535] - D. Eastlake, "Domain Name System Security Extensions",
+ March 1999.
+
+ [RFC 3007] - B. Wellington, "Secure Domain Name System (DNS) Dynamic
+ Update", November 2000.
+
+ [RFC 3597] - Andreas Gustafsson, "Handling of Unknown DNS RR Types",
+ draft-ietf-dnsext-unknown-rrs-05.txt, March 2003.
+
+ [STD 13]
+ - P. Mockapetris, "Domain names - concepts and facilities", RFC
+ 1034, November 1987.
+ - P. Mockapetris, "Domain names - implementation and
+ specification", RFC 1035, November 1987.
+
+
+
+
+
+
+D. Eastlake 3rd [Page 9]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+Informative References
+
+ [RFC 1591] - J. Postel, "Domain Name System Structure and
+ Delegation", March 1994.
+
+ [RFC 2606] - D. Eastlake, A. Panitz, "Reserved Top Level DNS Names",
+ June 1999.
+
+ [RFC 2929] - D. Eastlake, E. Brunner-Williams, B. Manning, "Domain
+ Name System (DNS) IANA Considerations", September 2000.
+
+ [RFC 2671] - P. Vixie, "Extension mechanisms for DNS (EDNS0)", August
+ 1999.
+
+ [RFC 2673] - M. Crawford, "Binary Labels in the Domain Name System",
+ August 1999.
+
+ [RFC 3092] - D. Eastlake 3rd, C. Manros, E. Raymond, "Etymology of
+ Foo", 1 April 2001.
+
+ [RFC 3454] - P. Hoffman, M. Blanchet, "Preparation of
+ Internationalized String ("stringprep")", December 2002.
+
+ [RFC 3490] - P. Faltstrom, P. Hoffman, A. Costello,
+ "Internationalizing Domain Names in Applications (IDNA)", March 2003.
+
+ [RFC 3491] - P. Hoffman, M. Blanchet, "Nameprep: A Stringprep Profile
+ for Internationalized Domain Names (IDN)", March 2003.
+
+ [RFC 3492] - A. Costello, "Punycode: A Bootstring encoding of Unicode
+ for Internationalized Domain Names in Applications (IDNA)", March
+ 2003.
+
+ [UNICODE] - The Unicode Consortium, "The Unicode Standard",
+ <http://www.unicode.org/unicode/standard/standard.html>.
+
+
+
+-02 to -03 Changes
+
+ The following changes were made between draft version -02 and -03:
+
+ 1. Add internationalized domain name section and references.
+
+ 2. Change to indicate that later input of a label for an existing DNS
+ name tree node may or may not be normalized to the earlier input or
+ override it or both may be preserved.
+
+ 3. Numerous minor wording changes.
+
+
+
+D. Eastlake 3rd [Page 10]
+
+
+INTERNET-DRAFT DNS Case Insensitivity
+
+
+-03 to -04 Changes
+
+ The following changes were made between draft version -03 and -04:
+
+ 1. Change to conform to the new IPR, Copyright, etc., notice
+ requirements.
+
+ 2. Change in some section headers for clarity.
+
+ 3. Drop section on wildcards.
+
+ 4. Add emphasis on loss of case preservation due to name compression.
+
+ 5. Add references to RFCs 1995 and 3092.
+
+
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola Laboratories
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Telephone: +1 508-786-7554 (w)
+ +1 508-634-2066 (h)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+Expiration and File Name
+
+ This draft expires December 2004.
+
+ Its file name is draft-ietf-dnsext-insensitive-04.txt.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 11]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt
new file mode 100644
index 0000000..123d3cc
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-interop3597-01.txt
@@ -0,0 +1,335 @@
+
+DNS Extensions Working Group J. Schlyter
+Internet-Draft August 24, 2004
+Expires: February 22, 2005
+
+
+ RFC 3597 Interoperability Report
+ draft-ietf-dnsext-interop3597-01.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3667.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on February 22, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This memo documents the result from the RFC 3597 (Handling of Unknown
+ DNS Resource Record Types) interoperability testing.
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires February 22, 2005 [Page 1]
+
+Internet-Draft RFC 3597 Interoperability Report August 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Implementations . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.1 Authoritative Primary Name Server . . . . . . . . . . . . . . 3
+ 3.2 Authoritative Secondary Name Server . . . . . . . . . . . . . 3
+ 3.3 Full Recursive Resolver . . . . . . . . . . . . . . . . . . . 3
+ 3.4 Stub Resolver . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 3.5 DNSSEC Signer . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 4. Problems found . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ Normative References . . . . . . . . . . . . . . . . . . . . . 4
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . 4
+ A. Test zone data . . . . . . . . . . . . . . . . . . . . . . . . 5
+ Intellectual Property and Copyright Statements . . . . . . . . 6
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires February 22, 2005 [Page 2]
+
+Internet-Draft RFC 3597 Interoperability Report August 2004
+
+
+1. Introduction
+
+ This memo documents the result from the RFC 3597 (Handling of Unknown
+ DNS Resource Record Types) interoperability testing. The test was
+ performed during June and July 2004 by request of the IETF DNS
+ Extensions Working Group.
+
+2. Implementations
+
+ The following is a list, in alphabetic order, of implementations for
+ compliance of RFC 3597:
+
+ DNSJava 1.6.4
+ ISC BIND 8.4.5rc4
+ ISC BIND 9.3.0rc2
+ NSD 2.1.1
+ Net::DNS 0.47 patchlevel 1
+ Nominum ANS 2.2.1.0.d
+
+ These implementations covers the following functions (number of
+ implementations tested for each function in paranthesis):
+
+ Authoritative Name Servers (4)
+ Full Recursive Resolver (2)
+ Stub Resolver (4)
+ DNSSEC Zone Signers (2)
+
+3. Tests
+
+3.1 Authoritative Primary Name Server
+
+ The test zone data (Appendix A) was loaded into the name server
+ implementation and the server was queried for the loaded information.
+
+3.2 Authoritative Secondary Name Server
+
+ The test zone data (Appendix A) was transferred using AXFR from
+ another name server implementation and the server was queried for the
+ transferred information.
+
+3.3 Full Recursive Resolver
+
+ A recursive resolver was queried for resource records from a domain
+ with the test zone data (Appendix A).
+
+3.4 Stub Resolver
+
+ A stub resolver was used to query resource records from a domain with
+
+
+
+Schlyter Expires February 22, 2005 [Page 3]
+
+Internet-Draft RFC 3597 Interoperability Report August 2004
+
+
+ the test zone data (Appendix A).
+
+3.5 DNSSEC Signer
+
+ A DNSSEC signer was used to sign a zone with test zone data (Appendix
+ A).
+
+4. Problems found
+
+ Two implementations had problems with text presentation of zero
+ length RDATA.
+
+ One implementation had problems with text presentation of RR type
+ code and classes >= 4096.
+
+ Bug reports were filed for problems found.
+
+5. Summary
+
+ Unknown type codes works in the tested authoritative servers,
+ recursive resolvers and stub clients.
+
+ No changes are needed to advance RFC 3597 to draft standard.
+
+Normative References
+
+ [1] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+ Types", RFC 3597, September 2003.
+
+
+Author's Address
+
+ Jakob Schlyter
+
+ EMail: jakob@rfc.se
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires February 22, 2005 [Page 4]
+
+Internet-Draft RFC 3597 Interoperability Report August 2004
+
+
+Appendix A. Test zone data
+
+ ; A-record encoded as TYPE1
+ a TYPE1 \# 4 7f000001
+ a TYPE1 192.0.2.1
+ a A \# 4 7f000002
+
+ ; draft-ietf-secsh-dns-05.txt
+ sshfp TYPE44 \# 22 01 01 c691e90714a1629d167de8e5ee0021f12a7eaa1e
+
+ ; bogus test record (from RFC 3597)
+ type731 TYPE731 \# 6 abcd (
+ ef 01 23 45 )
+
+ ; zero length RDATA (from RFC 3597)
+ type62347 TYPE62347 \# 0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter Expires February 22, 2005 [Page 5]
+
+Internet-Draft RFC 3597 Interoperability Report August 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the IETF's procedures with respect to rights in IETF Documents can
+ be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Schlyter Expires February 22, 2005 [Page 6]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt
new file mode 100644
index 0000000..6bffb70
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-keyrr-key-signing-flag-12.txt
@@ -0,0 +1,560 @@
+
+DNS Extensions O. Kolkman
+Internet-Draft RIPE NCC
+Expires: June 17, 2004 J. Schlyter
+
+ E. Lewis
+ ARIN
+ December 18, 2003
+
+
+ DNSKEY RR Secure Entry Point Flag
+ draft-ietf-dnsext-keyrr-key-signing-flag-12
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on June 17, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ With the Delegation Signer (DS) resource record the concept of a
+ public key acting as a secure entry point has been introduced. During
+ exchanges of public keys with the parent there is a need to
+ differentiate secure entry point keys from other public keys in the
+ DNSKEY resource record (RR) set. A flag bit in the DNSKEY RR is
+ defined to indicate that DNSKEY is to be used as a secure entry
+ point. The flag bit is intended to assist in operational procedures
+ to correctly generate DS resource records, or to indicate what
+ DNSKEYs are intended for static configuration. The flag bit is not to
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 1]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ be used in the DNS verification protocol. This document updates RFC
+ 2535 and RFC 3445.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. The Secure Entry Point (SEP) Flag . . . . . . . . . . . . . . . 4
+ 3. DNSSEC Protocol Changes . . . . . . . . . . . . . . . . . . . . 5
+ 4. Operational Guidelines . . . . . . . . . . . . . . . . . . . . . 5
+ 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
+ 7. Internationalization Considerations . . . . . . . . . . . . . . 6
+ 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
+ Normative References . . . . . . . . . . . . . . . . . . . . . . 7
+ Informative References . . . . . . . . . . . . . . . . . . . . . 7
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
+ Intellectual Property and Copyright Statements . . . . . . . . . 9
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 2]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+1. Introduction
+
+ "All keys are equal but some keys are more equal than others" [6]
+
+ With the definition of the Delegation Signer Resource Record (DS RR)
+ [5] it has become important to differentiate between the keys in the
+ DNSKEY RR set that are (to be) pointed to by parental DS RRs and the
+ other keys in the DNSKEY RR set. We refer to these public keys as
+ Secure Entry Point (SEP) keys. A SEP key either used to generate a
+ DS RR or is distributed to resolvers that use the key as the root of
+ a trusted subtree[3].
+
+ In early deployment tests, the use of two (kinds of) key pairs for
+ each zone has been prevalent. For one kind of key pair the private
+ key is used to sign just the zone's DNSKEY resource record (RR) set.
+ Its public key is intended to be referenced by a DS RR at the parent
+ or configured statically in a resolver. The private key of the other
+ kind of key pair is used to sign the rest of the zone's data sets.
+ The former key pair is called a key-signing key (KSK) and the latter
+ is called a zone-signing key (ZSK). In practice there have been
+ usually one of each kind of key pair, but there will be multiples of
+ each at times.
+
+ It should be noted that division of keys pairs into KSK's and ZSK's
+ is not mandatory in any definition of DNSSEC, not even with the
+ introduction of the DS RR. But, in testing, this distinction has
+ been helpful when designing key roll over (key super-cession)
+ schemes. Given that the distinction has proven helpful, the labels
+ KSK and ZSK have begun to stick.
+
+ There is a need to differentiate the public keys for the key pairs
+ that are used for key signing from keys that are not used key signing
+ (KSKs vs ZSKs). This need is driven by knowing which DNSKEYs are to
+ be sent for generating DS RRs, which DNSKEYs are to be distributed to
+ resolvers, and which keys are fed to the signer application at the
+ appropriate time.
+
+ In other words, the SEP bit provides an in-band method to communicate
+ a DNSKEY RR's intended use to third parties. As an example we present
+ 3 use cases in which the bit is useful:
+
+ The parent is a registry, the parent and the child use secured DNS
+ queries and responses, with a preexisting trust-relation, or plain
+ DNS over a secured channel to exchange the child's DNSKEY RR
+ sets. Since a DNSKEY RR set will contain a complete DNSKEY RRset
+ the SEP bit can be used to isolate the DNSKEYs for which a DS RR
+ needs to be created.
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 3]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ An administrator has configured a DNSKEY as root for a trusted
+ subtree into security aware resolver. Using a special purpose tool
+ that queries for the KEY RRs from that domain's apex, the
+ administrator will be able to notice the roll over of the trusted
+ anchor by a change of the subset of KEY RRs with the DS flag set.
+
+ A signer might use the SEP bit on the public key to determine
+ which private key to use to exclusively sign the DNSKEY RRset and
+ which private key to use to sign the other RRsets in the zone.
+
+ As demonstrated in the above examples it is important to be able to
+ differentiate the SEP keys from the other keys in a DNSKEY RR set in
+ the flow between signer and (parental) key-collector and in the flow
+ between the signer and the resolver configuration. The SEP flag is to
+ be of no interest to the flow between the verifier and the
+ authoritative data store.
+
+ The reason for the term "SEP" is a result of the observation that the
+ distinction between KSK and ZSK key pairs is made by the signer, a
+ key pair could be used as both a KSK and a ZSK at the same time. To
+ be clear, the term SEP was coined to lessen the confusion caused by
+ the overlap. ( Once this label was applied, it had the side effect of
+ removing the temptation to have both a KSK flag bit and a ZSK flag
+ bit.)
+
+ The key words "MAY","MAY NOT", "MUST", "MUST NOT", "REQUIRED",
+ "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
+ interpreted as described in RFC2119 [1].
+
+2. The Secure Entry Point (SEP) Flag
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | flags |S| protocol | algorithm |
+ | |E| | |
+ | |P| | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | /
+ / public key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ DNSKEY RR Format
+
+
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 4]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ This document assigns the 15'th bit in the flags field as the secure
+ entry point (SEP) bit. If the the bit is set to 1 the key is
+ intended to be used as secure entry point key. One SHOULD NOT assign
+ special meaning to the key if the bit is set to 0. Operators can
+ recognize the secure entry point key by the even or odd-ness of the
+ decimal representation of the flag field.
+
+3. DNSSEC Protocol Changes
+
+ The bit MUST NOT be used during the resolving and verification
+ process. The SEP flag is only used to provide a hint about the
+ different administrative properties of the key and therefore the use
+ of the SEP flag does not change the DNS resolution protocol or the
+ resolution process.
+
+4. Operational Guidelines
+
+ The SEP bit is set by the key-pair-generator and MAY be used by the
+ zone signer to decide whether the public part of the key pair is to
+ be prepared for input to a DS RR generation function. The SEP bit is
+ recommended to be set (to 1) whenever the public key of the key pair
+ will be distributed to the parent zone to build the authentication
+ chain or if the public key is to be distributed for static
+ configuration in verifiers.
+
+ When a key pair is created, the operator needs to indicate whether
+ the SEP bit is to be set in the DNSKEY RR. As the SEP bit is within
+ the data that is used to compute the 'key tag field' in the SIG RR,
+ changing the SEP bit will change the identity of the key within DNS.
+ In other words, once a key is used to generate signatures, the
+ setting of the SEP bit is to remain constant. If not, a verifier will
+ not be able to find the relevant KEY RR.
+
+ When signing a zone, it is intended that the key(s) with the SEP bit
+ set (if such keys exist) are used to sign the KEY RR set of the zone.
+ The same key can be used to sign the rest of the zone data too. It
+ is conceivable that not all keys with a SEP bit set will sign the
+ DNSKEY RR set, such keys might be pending retirement or not yet in
+ use.
+
+ When verifying a RR set, the SEP bit is not intended to play a role.
+ How the key is used by the verifier is not intended to be a
+ consideration at key creation time.
+
+ Although the SEP flag provides a hint on which public key is to be
+ used as trusted root, administrators can choose to ignore the fact
+ that a DNSKEY has its SEP bit set or not when configuring a trusted
+ root for their resolvers.
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 5]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ Using the SEP flag a key roll over can be automated. The parent can
+ use an existing trust relation to verify DNSKEY RR sets in which a
+ new DNSKEY RR with the SEP flag appears.
+
+5. Security Considerations
+
+ As stated in Section 3 the flag is not to be used in the resolution
+ protocol or to determine the security status of a key. The flag is to
+ be used for administrative purposes only.
+
+ No trust in a key should be inferred from this flag - trust MUST be
+ inferred from an existing chain of trust or an out-of-band exchange.
+
+ Since this flag might be used for automating public key exchanges, we
+ think the following consideration is in place.
+
+ Automated mechanisms for roll over of the DS RR might be vulnerable
+ to a class of replay attacks. This might happen after a public key
+ exchange where a DNSKEY RR set, containing two DNSKEY RRs with the
+ SEP flag set, is sent to the parent. The parent verifies the DNSKEY
+ RR set with the existing trust relation and creates the new DS RR
+ from the DNSKEY RR that the current DS RR is not pointing to. This
+ key exchange might be replayed. Parents are encouraged to implement a
+ replay defense. A simple defense can be based on a registry of keys
+ that have been used to generate DS RRs during the most recent roll
+ over. These same considerations apply to entities that configure keys
+ in resolvers.
+
+6. IANA Considerations
+
+ The flag bits in the DNSKEY RR are assigned by IETF consensus and
+ registered in the DNSKEY Flags registry (created by [4]). This
+ document assigns the 15th bit in the DNSKEY RR as the Secure Entry
+ Point (SEP) bit.
+
+7. Internationalization Considerations
+
+ Although SEP is a popular acronym in many different languages, there
+ are no internationalization considerations.
+
+8. Acknowledgments
+
+ The ideas documented in this document are inspired by communications
+ we had with numerous people and ideas published by other folk. Among
+ others Mark Andrews, Rob Austein, Miek Gieben, Olafur Gudmundsson,
+ Daniel Karrenberg, Dan Massey, Scott Rose, Marcos Sanz and Sam Weiler
+ have contributed ideas and provided feedback.
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 6]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ This document saw the light during a workshop on DNSSEC operations
+ hosted by USC/ISI in August 2002.
+
+Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [3] Lewis, E., "DNS Security Extension Clarification on Zone
+ Status", RFC 3090, March 2001.
+
+ [4] Weiler, S., "Legacy Resolver Compatibility for Delegation
+ Signer", draft-ietf-dnsext-dnssec-2535typecode-change-05 (work
+ in progress), October 2003.
+
+Informative References
+
+ [5] Gudmundsson, O., "Delegation Signer Resource Record",
+ draft-ietf-dnsext-delegation-signer-15 (work in progress), June
+ 2003.
+
+ [6] Orwell, G. and R. Steadman (illustrator), "Animal Farm; a Fairy
+ Story", ISBN 0151002177 (50th anniversary edition), April 1996.
+
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ RIPE NCC
+ Singel 256
+ Amsterdam 1016 AB
+ NL
+
+ Phone: +31 20 535 4444
+ EMail: olaf@ripe.net
+ URI: http://www.ripe.net/
+
+
+ Jakob Schlyter
+ Karl Gustavsgatan 15
+ Goteborg SE-411 25
+ Sweden
+
+ EMail: jakob@schlyter.se
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 7]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ Edward P. Lewis
+ ARIN
+ 3635 Concorde Parkway Suite 200
+ Chantilly, VA 20151
+ US
+
+ Phone: +1 703 227 9854
+ EMail: edlewis@arin.net
+ URI: http://www.arin.net/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 8]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 9]
+
+Internet-Draft DNSKEY RR Secure Entry Point Flag December 2003
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman, et al. Expires June 17, 2004 [Page 10]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt
new file mode 100644
index 0000000..8dcacc8
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-mdns-33.txt
@@ -0,0 +1,1559 @@
+
+
+
+
+
+
+DNSEXT Working Group Levon Esibov
+INTERNET-DRAFT Bernard Aboba
+Category: Standards Track Dave Thaler
+<draft-ietf-dnsext-mdns-33.txt> Microsoft
+18 July 2004
+
+
+ Linklocal Multicast Name Resolution (LLMNR)
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 2, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society 2004. All rights reserved.
+
+Abstract
+
+ Today, with the rise of home networking, there are an increasing
+ number of ad-hoc networks operating without a Domain Name System
+ (DNS) server. The goal of Link-Local Multicast Name Resolution
+ (LLMNR) is to enable name resolution in scenarios in which
+ conventional DNS name resolution is not possible. LLMNR supports all
+ current and future DNS formats, types and classes, while operating on
+ a separate port from DNS, and with a distinct resolver cache. Since
+ LLMNR only operates on the local link, it cannot be considered a
+ substitute for DNS.
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 1]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+Table of Contents
+
+1. Introduction .......................................... 3
+ 1.1 Requirements .................................... 4
+ 1.2 Terminology ..................................... 4
+2. Name resolution using LLMNR ........................... 4
+ 2.1 LLMNR packet format ............................. 6
+ 2.2 Sender behavior ................................. 8
+ 2.3 Responder behavior .............................. 8
+ 2.4 Unicast queries ................................. 11
+ 2.5 Off-link detection .............................. 11
+ 2.6 Responder responsibilities ...................... 12
+ 2.7 Retransmission and jitter ....................... 13
+ 2.8 DNS TTL ......................................... 13
+ 2.9 Use of the authority and additional sections .... 14
+3. Usage model ........................................... 14
+ 3.1 LLMNR configuration ............................. 15
+4. Conflict resolution ................................... 16
+ 4.1 Considerations for multiple interfaces .......... 18
+ 4.2 API issues ...................................... 19
+5. Security considerations ............................... 20
+ 5.1 Scope restriction ............................... 20
+ 5.2 Usage restriction ............................... 21
+ 5.3 Cache and port separation ....................... 22
+ 5.4 Authentication .................................. 22
+6. IANA considerations ................................... 22
+7. References ............................................ 22
+ 7.1 Normative References ............................ 22
+ 7.2 Informative References .......................... 23
+Acknowledgments .............................................. 24
+Authors' Addresses ........................................... 25
+Intellectual Property Statement .............................. 25
+Disclaimer of Validity ....................................... 26
+Full Copyright Statement ..................................... 26
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 2]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+1. Introduction
+
+ This document discusses Link Local Multicast Name Resolution (LLMNR),
+ which utilizes the DNS packet format and supports all current and
+ future DNS formats, types and classes. LLMNR operates on a separate
+ port from the Domain Name System (DNS), with a distinct resolver
+ cache.
+
+ The goal of LLMNR is to enable name resolution in scenarios in which
+ conventional DNS name resolution is not possible. These include
+ scenarios in which hosts are not configured with the address of a DNS
+ server, where configured DNS servers do not reply to a query, or
+ where they respond with errors, as described in Section 2. Since
+ LLMNR only operates on the local link, it cannot be considered a
+ substitute for DNS.
+
+ Link-scope multicast addresses are used to prevent propagation of
+ LLMNR traffic across routers, potentially flooding the network.
+ LLMNR queries can also be sent to a unicast address, as described in
+ Section 2.4.
+
+ Propagation of LLMNR packets on the local link is considered
+ sufficient to enable name resolution in small networks. The
+ assumption is that if a network has a gateway, then the network is
+ able to provide DNS server configuration. Configuration issues are
+ discussed in Section 3.1.
+
+ In the future, it may be desirable to consider use of multicast name
+ resolution with multicast scopes beyond the link-scope. This could
+ occur if LLMNR deployment is successful, the need arises for
+ multicast name resolution beyond the link-scope, or multicast routing
+ becomes ubiquitous. For example, expanded support for multicast name
+ resolution might be required for mobile ad-hoc networking scenarios,
+ or where no DNS server is available that is authoritative for the
+ names of local hosts, and can support dynamic DNS, such as in
+ wireless hotspots.
+
+ Once we have experience in LLMNR deployment in terms of
+ administrative issues, usability and impact on the network, it will
+ be possible to reevaluate which multicast scopes are appropriate for
+ use with multicast name resolution.
+
+ Service discovery in general, as well as discovery of DNS servers
+ using LLMNR in particular, is outside of the scope of this document,
+ as is name resolution over non-multicast capable media.
+
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 3]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+1.1. Requirements
+
+ In this document, several words are used to signify the requirements
+ of the specification. The key words "MUST", "MUST NOT", "REQUIRED",
+ "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
+ and "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+1.2. Terminology
+
+ This document assumes familiarity with DNS terminology defined in
+ [RFC1035]. Other terminology used in this document includes:
+
+Positively Resolved
+ Responses with RCODE set to zero are referred to in this document
+ as "positively resolved".
+
+Routable Address
+ An address other than a Link-Local address. This includes globally
+ routable addresses, as well as private addresses.
+
+Reachable
+ An address is considered reachable over a link if either an ARP or
+ neighbor discovery cache entry exists for the address on the link.
+
+Responder
+ A host that listens to LLMNR queries, and responds to those for
+ which it is authoritative.
+
+Sender
+ A host that sends an LLMNR query.
+
+2. Name resolution using LLMNR
+
+ LLMNR is a peer-to-peer name resolution protocol that is not intended
+ as a replacement for DNS. LLMNR queries are sent to and received on
+ port 5355. IPv4 administratively scoped multicast usage is specified
+ in "Administratively Scoped IP Multicast" [RFC2365]. The IPv4 link-
+ scope multicast address a given responder listens to, and to which a
+ sender sends queries, is 224.0.0.252. The IPv6 link-scope multicast
+ address a given responder listens to, and to which a sender sends all
+ queries, is FF02:0:0:0:0:0:1:3.
+
+ Typically a host is configured as both an LLMNR sender and a
+ responder. A host MAY be configured as a sender, but not a
+ responder. However, a host configured as a responder MUST act as a
+ sender to verify the uniqueness of names as described in Section 4.
+ This document does not specify how names are chosen or configured.
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 4]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ This may occur via any mechanism, including DHCPv4 [RFC2131] or
+ DHCPv6 [RFC3315].
+
+ LLMNR usage MAY be configured manually or automatically on a per
+ interface basis. By default, LLMNR responders SHOULD be enabled on
+ all interfaces, at all times. Enabling LLMNR for use in situations
+ where a DNS server has been configured will result in a change in
+ default behavior without a simultaneous update to configuration
+ information. Where this is considered undesirable, LLMNR SHOULD NOT
+ be enabled by default, so that hosts will neither listen on the link-
+ scope multicast address, nor will they send queries to that address.
+
+ An LLMNR sender may send a request for any name. However, by
+ default, LLMNR requests SHOULD be sent only when one of the following
+ conditions are met:
+
+ [1] No manual or automatic DNS configuration has been
+ performed. If an interface has been configured with DNS
+ server address(es), then LLMNR SHOULD NOT be used as the
+ primary name resolution mechanism on that interface, although
+ it MAY be used as a name resolution mechanism of last resort.
+
+ [2] DNS servers do not respond.
+
+ [3] DNS servers respond to a DNS query with RCODE=3
+ (Authoritative Name Error) or RCODE=0, and an empty
+ answer section.
+
+ A typical sequence of events for LLMNR usage is as follows:
+
+ [a] DNS servers are not configured or do not respond to a
+ DNS query, or respond with RCODE=3, or RCODE=0 and an
+ empty answer section.
+
+ [b] An LLMNR sender sends an LLMNR query to the link-scope
+ multicast address(es) defined in Section 2, unless a
+ unicast query is indicated. A sender SHOULD send LLMNR
+ queries for PTR RRs via unicast, as specified in Section 2.4.
+
+ [c] A responder responds to this query only if it is authoritative
+ for the domain name in the query. A responder responds to a
+ multicast query by sending a unicast UDP response to the sender.
+ Unicast queries are responded to as indicated in Section 2.4.
+
+ [d] Upon reception of the response, the sender processes it.
+
+ Further details of sender and responder behavior are provided in the
+ sections that follow.
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 5]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+2.1. LLMNR packet format
+
+ LLMNR utilizes the DNS packet format defined in [RFC1035] Section 4
+ for both queries and responses. LLMNR implementations SHOULD send
+ UDP queries and responses only as large as are known to be
+ permissible without causing fragmentation. When in doubt a maximum
+ packet size of 512 octets SHOULD be used. LLMNR implementations MUST
+ accept UDP queries and responses as large as permitted by the link
+ MTU.
+
+2.1.1. LLMNR header format
+
+ LLMNR queries and responses utilize the DNS header format defined in
+ [RFC1035] with exceptions noted below:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| Opcode | Z|TC| Z| Z| Z| Z| Z| RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QDCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ANCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | NSCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ARCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ID A 16 bit identifier assigned by the program that generates any kind
+ of query. This identifier is copied from the query to the response
+ and can be used by the sender to match responses to outstanding
+ queries. The ID field in a query SHOULD be set to a pseudo-random
+ value.
+
+QR A one bit field that specifies whether this message is an LLMNR
+ query (0), or an LLMNR response (1).
+
+OPCODE
+ A four bit field that specifies the kind of query in this message.
+ This value is set by the originator of a query and copied into the
+ response. This specification defines the behavior of standard
+ queries and responses (opcode value of zero). Future
+ specifications may define the use of other opcodes with LLMNR.
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 6]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ LLMNR senders and responders MUST support standard queries (opcode
+ value of zero). LLMNR queries with unsupported OPCODE values MUST
+ be silently discarded by responders.
+
+TC TrunCation - specifies that this message was truncated due to
+ length greater than that permitted on the transmission channel.
+ The TC bit MUST NOT be set in an LLMNR query and if set is ignored
+ by an LLMNR responder. If the TC bit is set an LLMNR response,
+ then the sender MAY use the response if it contains all necessary
+ information, or the sender MAY discard the response and resend the
+ LLMNR query over TCP using the unicast address of the responder as
+ the destination address. See [RFC2181] and Section 2.4 of this
+ specification for further discussion of the TC bit.
+
+Z Reserved for future use. Implementations of this specification
+ MUST set these bits to zero in both queries and responses. If
+ these bits are set in a LLMNR query or response, implementations of
+ this specification MUST ignore them. Since reserved bits could
+ conceivably be used for different purposes than in DNS,
+ implementors are advised not to enable processing of these bits in
+ an LLMNR implementation starting from a DNS code base.
+
+RCODE
+ Response code -- this 4 bit field is set as part of LLMNR
+ responses. In an LLMNR query, the RCODE MUST be zero, and is
+ ignored by the responder. The response to a multicast LLMNR query
+ MUST have RCODE set to zero. A sender MUST silently discard an
+ LLMNR response with a non-zero RCODE sent in response to a
+ multicast query.
+
+ If an LLMNR responder is authoritative for the name in a multicast
+ query, but an error is encountered, the responder SHOULD send an
+ LLMNR response with an RCODE of zero, no RRs in the answer section,
+ and the TC bit set. This will cause the query to be resent using
+ TCP, and allow the inclusion of a non-zero RCODE in the response to
+ the TCP query. Responding with the TC bit set is preferrable to
+ not sending a response, since it enables errors to be diagnosed.
+
+ Since LLMNR responders only respond to LLMNR queries for names for
+ which they are authoritative, LLMNR responders MUST NOT respond
+ with an RCODE of 3; instead, they should not respond at all.
+
+ LLMNR implementations MUST support EDNS0 [RFC2671] and extended
+ RCODE values.
+
+QDCOUNT
+ An unsigned 16 bit integer specifying the number of entries in the
+ question section. A sender MUST place only one question into the
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 7]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ question section of an LLMNR query. LLMNR responders MUST silently
+ discard LLMNR queries with QDCOUNT not equal to one. LLMNR senders
+ MUST silently discard LLMNR responses with QDCOUNT not equal to
+ one.
+
+ANCOUNT
+ An unsigned 16 bit integer specifying the number of resource
+ records in the answer section. LLMNR responders MUST silently
+ discard LLMNR queries with ANCOUNT not equal to zero.
+
+NSCOUNT
+ An unsigned 16 bit integer specifying the number of name server
+ resource records in the authority records section. Authority
+ record section processing is described in Section 2.9.
+
+ARCOUNT
+ An unsigned 16 bit integer specifying the number of resource
+ records in the additional records section. Additional record
+ section processing is described in Section 2.9.
+
+2.2. Sender behavior
+
+ A sender may send an LLMNR query for any legal resource record type
+ (e.g. A, AAAA, SRV, etc.) to the link-scope multicast address.
+
+ As described in Section 2.4, a sender may also send a unicast query.
+ Sections 2 and 3 describe the circumstances in which LLMNR queries
+ may be sent.
+
+ The sender MUST anticipate receiving no replies to some LLMNR
+ queries, in the event that no responders are available within the
+ link-scope or in the event no positive non-null responses exist for
+ the transmitted query. If no positive response is received, a
+ resolver treats it as a response that no records of the specified
+ type and class exist for the specified name (it is treated the same
+ as a response with RCODE=0 and an empty answer section).
+
+ Since the responder may order the RRs in the response so as to
+ indicate preference, the sender SHOULD preserve ordering in the
+ response to the querying application.
+
+2.3. Responder behavior
+
+ An LLMNR response MUST be sent to the sender via unicast.
+
+ Upon configuring an IP address responders typically will synthesize
+ corresponding A, AAAA and PTR RRs so as to be able to respond to
+ LLMNR queries for these RRs. An SOA RR is synthesized only when a
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 8]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ responder has another RR as well; the SOA RR MUST NOT be the only RR
+ that a responder has. However, in general whether RRs are manually
+ or automatically created is an implementation decision.
+
+ For example, a host configured to have computer name "host1" and to
+ be a member of the "example.com" domain, and with IPv4 address
+ 10.1.1.1 and IPv6 address 2001:0DB8::1:2:3:FF:FE:4:5:6 might be
+ authoritative for the following records:
+
+ host1. IN A 10.1.1.1
+ IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
+
+ host1.example.com. IN A 10.1.1.1
+ IN AAAA 2001:0DB8::1:2:3:FF:FE:4:5:6
+
+ 1.1.1.10.in-addr.arpa. IN PTR host1.
+ IN PTR host1.example.com.
+
+ 6.0.5.0.4.0.E.F.F.F.3.0.2.0.1.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
+ IN PTR host1.
+ IN PTR host1.example.com
+
+ An LLMNR responder might be further manually configured with the name
+ of a local mail server with an MX RR included in the "host1." and
+ "host1.example.com." records.
+
+ In responding to queries:
+
+[a] Responders MUST listen on UDP port 5355 on the link-scope multicast
+ address(es) defined in Section 2, and on UDP and TCP port 5355 on
+ the unicast address(es) that could be set as the source address(es)
+ when the responder responds to the LLMNR query.
+
+[b] Responders MUST direct responses to the port from which the query
+ was sent. When queries are received via TCP this is an inherent
+ part of the transport protocol. For queries received by UDP the
+ responder MUST take note of the source port and use that as the
+ destination port in the response. Responses SHOULD always be sent
+ from the port to which they were directed.
+
+[c] Responders MUST respond to LLMNR queries for names and addresses
+ they are authoritative for. This applies to both forward and
+ reverse lookups.
+
+[d] Responders MUST NOT respond to LLMNR queries for names they are not
+ authoritative for.
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 9]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+[e] Responders MUST NOT respond using cached data.
+
+[f] If a DNS server is running on a host that supports LLMNR, the DNS
+ server MUST respond to LLMNR queries only for the RRSets relating
+ to the host on which the server is running, but MUST NOT respond
+ for other records for which the server is authoritative. DNS
+ servers also MUST NOT send LLMNR queries in order to resolve DNS
+ queries.
+
+[g] If a responder is authoritative for a name, it MAY respond with
+ RCODE=0 and an empty answer section, if the type of query does not
+ match a RR that the responder has.
+
+ As an example, a host configured to respond to LLMNR queries for the
+ name "foo.example.com." is authoritative for the name
+ "foo.example.com.". On receiving an LLMNR query for an A RR with the
+ name "foo.example.com." the host authoritatively responds with A
+ RR(s) that contain IP address(es) in the RDATA of the resource
+ record. If the responder has a AAAA RR, but no A RR, and an A RR
+ query is received, the responder would respond with RCODE=0 and an
+ empty answer section.
+
+ In conventional DNS terminology a DNS server authoritative for a zone
+ is authoritative for all the domain names under the zone apex except
+ for the branches delegated into separate zones. Contrary to
+ conventional DNS terminology, an LLMNR responder is authoritative
+ only for the zone apex.
+
+ For example the host "foo.example.com." is not authoritative for the
+ name "child.foo.example.com." unless the host is configured with
+ multiple names, including "foo.example.com." and
+ "child.foo.example.com.". As a result, "foo.example.com." cannot
+ reply to an LLMNR query for "child.foo.example.com." with RCODE=3
+ (authoritative name error). The purpose of limiting the name
+ authority scope of a responder is to prevent complications that could
+ be caused by coexistence of two or more hosts with the names
+ representing child and parent (or grandparent) nodes in the DNS tree,
+ for example, "foo.example.com." and "child.foo.example.com.".
+
+ In this example (unless this limitation is introduced) an LLMNR query
+ for an A resource record for the name "child.foo.example.com." would
+ result in two authoritative responses: RCODE=3 (authoritative name
+ error) received from "foo.example.com.", and a requested A record -
+ from "child.foo.example.com.". To prevent this ambiguity, LLMNR
+ enabled hosts could perform a dynamic update of the parent (or
+ grandparent) zone with a delegation to a child zone. In this example
+ a host "child.foo.example.com." would send a dynamic update for the
+ NS and glue A record to "foo.example.com.", but this approach
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 10]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ significantly complicates implementation of LLMNR and would not be
+ acceptable for lightweight hosts.
+
+2.4. Unicast queries and responses
+
+ Unicast queries SHOULD be sent when:
+
+ [a] A sender repeats a query after it received a response
+ with the TC bit set to the previous LLMNR multicast query, or
+
+ [b] The sender queries for a PTR RR of a fully formed IP address
+ within the "in-addr.arpa" or "ip6.arpa" zones.
+
+ Unicast LLMNR queries MUST be done using TCP and the responses MUST
+ be sent using the same TCP connection as the query. Senders MUST
+ support sending TCP queries, and responders MUST support listening
+ for TCP queries. If the sender of a TCP query receives a response to
+ that query not using TCP, the response MUST be silently discarded.
+
+ Unicast UDP queries MUST be silently discarded.
+
+ If TCP connection setup cannot be completed in order to send a
+ unicast TCP query, this is treated as a response that no records of
+ the specified type and class exist for the specified name (it is
+ treated the same as a response with RCODE=0 and an empty answer
+ section).
+
+2.5. "Off link" detection
+
+ For IPv4, an "on link" address is defined as a link-local address
+ [IPv4Link] or an address whose prefix belongs to a subnet on the
+ local link. For IPv6 [RFC2460] an "on link" address is either a
+ link-local address, defined in [RFC2373], or an address whose prefix
+ belongs to a subnet on the local link.
+
+ A sender MUST select a source address for LLMNR queries that is "on
+ link". The destination address of an LLMNR query MUST be a link-
+ scope multicast address or an "on link" unicast address.
+
+ A responder MUST select a source address for responses that is "on
+ link". The destination address of an LLMNR response MUST be an "on
+ link" unicast address.
+
+ On receiving an LLMNR query, the responder MUST check whether it was
+ sent to a LLMNR multicast addresses defined in Section 2. If it was
+ sent to another multicast address, then the query MUST be silently
+ discarded.
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 11]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ Section 2.4 discusses use of TCP for LLMNR queries and responses. In
+ composing an LLMNR query using TCP, the sender MUST set the Hop Limit
+ field in the IPv6 header and the TTL field in the IPv4 header of the
+ response to one (1). The responder SHOULD set the TTL or Hop Limit
+ settings on the TCP listen socket to one (1) so that SYN-ACK packets
+ will have TTL (IPv4) or Hop Limit (IPv6) set to one (1). This
+ prevents an incoming connection from off-link since the sender will
+ not receive a SYN-ACK from the responder.
+
+ For UDP queries and responses the Hop Limit field in the IPv6 header,
+ and the TTL field in the IPV4 header MAY be set to any value.
+ However, it is RECOMMENDED that the value 255 be used for
+ compatibility with Apple Rendezvous.
+
+ Implementation note:
+
+ In the sockets API for IPv4 [POSIX], the IP_TTL and
+ IP_MULTICAST_TTL socket options are used to set the TTL of
+ outgoing unicast and multicast packets. The IP_RECVTTL socket
+ option is available on some platforms to retrieve the IPv4 TTL of
+ received packets with recvmsg(). [RFC2292] specifies similar
+ options for setting and retrieving the IPv6 Hop Limit.
+
+2.6. Responder responsibilities
+
+ It is the responsibility of the responder to ensure that RRs returned
+ in LLMNR responses MUST only include values that are valid on the
+ local interface, such as IPv4 or IPv6 addresses valid on the local
+ link or names defended using the mechanism described in Section 4.
+ In particular:
+
+ [a] If a link-scope IPv6 address is returned in a AAAA RR,
+ that address MUST be valid on the local link over which
+ LLMNR is used.
+
+ [b] If an IPv4 address is returned, it MUST be reachable
+ through the link over which LLMNR is used.
+
+ [c] If a name is returned (for example in a CNAME, MX
+ or SRV RR), the name MUST be resolvable on the local
+ link over which LLMNR is used.
+
+ Routable addresses MUST be included first in the response, if
+ available. This encourages use of routable address(es) for
+ establishment of new connections.
+
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 12]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+2.7. Retransmission and jitter
+
+ An LLMNR sender uses the timeout interval LLMNR_TIMEOUT to determine
+ when to retransmit an LLMNR query and how long to collect responses
+ to an LLMNR query.
+
+ If an LLMNR query sent over UDP is not resolved within LLMNR_TIMEOUT,
+ then a sender MAY repeat the transmission of the query in order to
+ assure that it was received by a host capable of responding to it.
+ Retransmission of UDP queries SHOULD NOT be attempted more than 3
+ times. Where LLMNR queries are sent using TCP, retransmission is
+ handled by the transport layer.
+
+ Because an LLMNR sender cannot know in advance if a query sent using
+ multicast will receive no response, one response, or more than one
+ response, the sender SHOULD wait for LLMNR_TIMEOUT in order to
+ collect all possible responses, rather than considering the multicast
+ query answered after the first response is received. A unicast query
+ sender considers the query answered after the first response is
+ received, so that it only waits for LLMNR_TIMEOUT if no response has
+ been received.
+
+ An LLMNR sender SHOULD dynamically compute the value of LLMNR_TIMEOUT
+ for each transmission. It is suggested that the computation of
+ LLMNR_TIMEOUT be based on the response times for earlier LLMNR
+ queries sent on the same interface.
+
+ For example, the algorithms described in RFC 2988 [RFC2988]
+ (including exponential backoff) compute an RTO, which is used as the
+ value of LLMNR_TIMEOUT. Smaller values MAY be used for the initial
+ RTO (discussed in Section 2 of [RFC2988], paragraph 2.1), the minimum
+ RTO (discussed in Section 2 of [RFC2988], paragraph 2.4), and the
+ maximum RTO (discussed in Section 2 of [RFC2988], paragraph 2.5).
+
+ Recommended values are an initial RTO of 1 second, a minimum RTO of
+ 200ms, and a maximum RTO of 5 seconds. In order to avoid
+ synchronization, the transmission of each LLMNR query and response
+ SHOULD delayed by a time randomly selected from the interval 0 to 100
+ ms. This delay MAY be avoided by responders responding with RRs
+ which they have previously determined to be UNIQUE (see Section 4 for
+ details).
+
+2.8. DNS TTL
+
+ The responder should use a pre-configured TTL value in the records
+ returned an LLMNR response. A default value of 30 seconds is
+ RECOMMENDED. In highly dynamic environments (such as mobile ad-hoc
+ networks), the TTL value may need to be reduced.
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 13]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ Due to the TTL minimalization necessary when caching an RRset, all
+ TTLs in an RRset MUST be set to the same value.
+
+2.9. Use of the authority and additional sections
+
+ Unlike the DNS, LLMNR is a peer-to-peer protocol and does not have a
+ concept of delegation. In LLMNR, the NS resource record type may be
+ stored and queried for like any other type, but it has no special
+ delegation semantics as it does in the DNS. Responders MAY have NS
+ records associated with the names for which they are authoritative,
+ but they SHOULD NOT include these NS records in the authority
+ sections of responses.
+
+ Responders SHOULD insert an SOA record into the authority section of
+ a negative response, to facilitate negative caching as specified in
+ [RFC2308]. The owner name of this SOA record MUST be equal to the
+ query name.
+
+ Responders SHOULD NOT perform DNS additional section processing,
+ except as required for EDNS0 and DNSSEC.
+
+ Senders MUST NOT cache RRs from the authority or additional section
+ of a response as answers, though they may be used for other purposes
+ such as negative caching.
+
+3. Usage model
+
+ Since LLMNR is a secondary name resolution mechanism, its usage is in
+ part determined by the behavior of DNS implementations. This
+ document does not specify any changes to DNS resolver behavior, such
+ as searchlist processing or retransmission/failover policy. However,
+ robust DNS resolver implementations are more likely to avoid
+ unnecessary LLMNR queries.
+
+ As noted in [DNSPerf], even when DNS servers are configured, a
+ significant fraction of DNS queries do not receive a response, or
+ result in negative responses due to missing inverse mappings or NS
+ records that point to nonexistent or inappropriate hosts. This has
+ the potential to result in a large number of unnecessary LLMNR
+ queries.
+
+ [RFC1536] describes common DNS implementation errors and fixes. If
+ the proposed fixes are implemented, unnecessary LLMNR queries will be
+ reduced substantially, and so implementation of [RFC1536] is
+ recommended.
+
+ For example, [RFC1536] Section 1 describes issues with retransmission
+ and recommends implementation of a retransmission policy based on
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 14]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ round trip estimates, with exponential backoff. [RFC1536] Section 4
+ describes issues with failover, and recommends that resolvers try
+ another server when they don't receive a response to a query. These
+ policies are likely to avoid unnecessary LLMNR queries.
+
+ [RFC1536] Section 3 describes zero answer bugs, which if addressed
+ will also reduce unnecessary LLMNR queries.
+
+ [RFC1536] Section 6 describes name error bugs and recommended
+ searchlist processing that will reduce unnecessary RCODE=3
+ (authoritative name) errors, thereby also reducing unnecessary LLMNR
+ queries.
+
+3.1. LLMNR configuration
+
+ Since IPv4 and IPv6 utilize distinct configuration mechanisms, it is
+ possible for a dual stack host to be configured with the address of a
+ DNS server over IPv4, while remaining unconfigured with a DNS server
+ suitable for use over IPv6.
+
+ In these situations, a dual stack host will send AAAA queries to the
+ configured DNS server over IPv4. However, an IPv6-only host
+ unconfigured with a DNS server suitable for use over IPv6 will be
+ unable to resolve names using DNS. Automatic IPv6 DNS configuration
+ mechanisms (such as [RFC3315] and [DNSDisc]) are not yet widely
+ deployed, and not all DNS servers support IPv6. Therefore lack of
+ IPv6 DNS configuration may be a common problem in the short term, and
+ LLMNR may prove useful in enabling linklocal name resolution over
+ IPv6.
+
+ Where a DHCPv4 server is available but not a DHCPv6 server [RFC3315],
+ IPv6-only hosts may not be configured with a DNS server. Where there
+ is no DNS server authoritative for the name of a host or the
+ authoritative DNS server does not support dynamic client update over
+ IPv6 or DHCPv6-based dynamic update, then an IPv6-only host will not
+ be able to do DNS dynamic update, and other hosts will not be able to
+ resolve its name.
+
+ For example, if the configured DNS server responds to AAAA RR queries
+ sent over IPv4 or IPv6 with an authoritative name error (RCODE=3),
+ then it will not be possible to resolve the names of IPv6-only hosts.
+ In this situation, LLMNR over IPv6 can be used for local name
+ resolution.
+
+ Similarly, if a DHCPv4 server is available providing DNS server
+ configuration, and DNS server(s) exist which are authoritative for
+ the A RRs of local hosts and support either dynamic client update
+ over IPv4 or DHCPv4-based dynamic update, then the names of local
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 15]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ IPv4 hosts can be resolved over IPv4 without LLMNR. However, if no
+ DNS server is authoritative for the names of local hosts, or the
+ authoritative DNS server(s) do not support dynamic update, then LLMNR
+ enables linklocal name resolution over IPv4.
+
+ Where DHCPv4 or DHCPv6 is implemented, DHCP options can be used to
+ configure LLMNR on an interface. The LLMNR Enable Option, described
+ in [LLMNREnable], can be used to explicitly enable or disable use of
+ LLMNR on an interface. The LLMNR Enable Option does not determine
+ whether or in which order DNS itself is used for name resolution.
+ The order in which various name resolution mechanisms should be used
+ can be specified using the Name Service Search Option (NSSO) for DHCP
+ [RFC2937], using the LLMNR Enable Option code carried in the NSSO
+ data.
+
+ It is possible that DNS configuration mechanisms will go in and out
+ of service. In these circumstances, it is possible for hosts within
+ an administrative domain to be inconsistent in their DNS
+ configuration.
+
+ For example, where DHCP is used for configuring DNS servers, one or
+ more DHCP servers can fail. As a result, hosts configured prior to
+ the outage will be configured with a DNS server, while hosts
+ configured after the outage will not. Alternatively, it is possible
+ for the DNS configuration mechanism to continue functioning while
+ configured DNS servers fail.
+
+ Unless unconfigured hosts periodically retry configuration, an outage
+ in the DNS configuration mechanism will result in hosts continuing to
+ use LLMNR even once the outage is repaired. Since LLMNR only enables
+ linklocal name resolution, this represents an unnecessary degradation
+ in capabilities. As a result, it is recommended that hosts without a
+ configured DNS server periodically attempt to obtain DNS
+ configuration. For example, where DHCP is used for DNS
+ configuration, [RFC2131] recommends a maximum retry interval of 64
+ seconds. In the absence of other guidance, a default retry interval
+ of one (1) minute is RECOMMENDED.
+
+4. Conflict resolution
+
+ The sender MUST anticipate receiving multiple replies to the same
+ LLMNR query, in the event that several LLMNR enabled computers
+ receive the query and respond with valid answers. When this occurs,
+ the responses may first be concatenated, and then treated in the same
+ manner that multiple RRs received from the same DNS server would; the
+ sender perceives no inherent conflict in the receipt of multiple
+ responses.
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 16]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ There are some scenarios when multiple responders MAY respond to the
+ same query. There are other scenarios when only one responder MAY
+ respond to a query. Resource records for which the latter queries
+ are submitted are referred as UNIQUE throughout this document. The
+ uniqueness of a resource record depends on a nature of the name in
+ the query and type of the query. For example it is expected that:
+
+ - multiple hosts may respond to a query for an SRV type record
+ - multiple hosts may respond to a query for an A or AAAA type
+ record for a cluster name (assigned to multiple hosts in
+ the cluster)
+ - only a single host may respond to a query for an A or AAAA
+ type record for a name.
+
+ Every responder that responds to an LLMNR query AND includes a UNIQUE
+ record in the response:
+
+ [1] MUST verify that there is no other host within the
+ scope of the LLMNR query propagation that can return
+ a resource record for the same name, type and class.
+
+ [2] MUST NOT include a UNIQUE resource record in the
+ response without having verified its uniqueness.
+
+ Where a host is configured to issue LLMNR queries on more than one
+ interface, each interface should have its own independent LLMNR
+ cache. For each UNIQUE resource record in a given interface's
+ configuration, the host MUST verify resource record uniqueness on
+ that interface. To accomplish this, the host MUST send an LLMNR
+ query for each UNIQUE resource record.
+
+ By default, a host SHOULD be configured to behave as though all RRs
+ are UNIQUE. Uniqueness verification is carried out when the host:
+
+ - starts up or is rebooted
+ - wakes from sleep (if the network interface was inactive during sleep)
+ - is configured to respond to the LLMNR queries on an interface
+ enabled for transmission and reception of IP traffic
+ - is configured to respond to the LLMNR queries using additional
+ UNIQUE resource records
+ - detects that an interface is connected and is usable
+ (e.g. an IEEE 802 hardware link-state change indicating
+ that a cable was attached or completion of authentication
+ (and if needed, association) with a wireless base station
+ or adhoc network
+
+ When a host that has a UNIQUE record receives an LLMNR query for that
+ record, the host MUST respond. After the client receives a response,
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 17]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ it MUST check whether the response arrived on an interface different
+ from the one on which the query was sent. If the response arrives on
+ a different interface, the client can use the UNIQUE resource record
+ in response to LLMNR queries. If not, then it MUST NOT use the
+ UNIQUE resource record in response to LLMNR queries.
+
+ The name conflict detection mechanism doesn't prevent name conflicts
+ when previously partitioned segments are connected by a bridge. In
+ order to minimize the chance of conflicts in such a situation, it is
+ recommended that steps be taken to ensure name uniqueness. For
+ example, the name could be chosen randomly from a large pool of
+ potential names, or the name could be assigned via a process designed
+ to guarantee uniqueness.
+
+ When name conflicts are detected, they SHOULD be logged. To detect
+ duplicate use of a name, an administrator can use a name resolution
+ utility which employs LLMNR and lists both responses and responders.
+ This would allow an administrator to diagnose behavior and
+ potentially to intervene and reconfigure LLMNR responders who should
+ not be configured to respond to the same name.
+
+4.1. Considerations for Multiple Interfaces
+
+ A multi-homed host may elect to configure LLMNR on only one of its
+ active interfaces. In many situations this will be adequate.
+ However, should a host need to configure LLMNR on more than one of
+ its active interfaces, there are some additional precautions it MUST
+ take. Implementers who are not planning to support LLMNR on multiple
+ interfaces simultaneously may skip this section.
+
+ A multi-homed host checks the uniqueness of UNIQUE records as
+ described in Section 4. The situation is illustrated in figure 1.
+
+ ---------- ----------
+ | | | |
+ [A] [myhost] [myhost]
+
+ Figure 1. Link-scope name conflict
+
+ In this situation, the multi-homed myhost will probe for, and defend,
+ its host name on both interfaces. A conflict will be detected on one
+ interface, but not the other. The multi-homed myhost will not be
+ able to respond with a host RR for "myhost" on the interface on the
+ right (see Figure 1). The multi-homed host may, however, be
+ configured to use the "myhost" name on the interface on the left.
+
+ Since names are only unique per-link, hosts on different links could
+ be using the same name. If an LLMNR client sends requests over
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 18]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ multiple interfaces, and receives replies from more than one, the
+ result returned to the client is defined by the implementation. The
+ situation is illustrated in figure 2.
+
+ ---------- ----------
+ | | | |
+ [A] [myhost] [A]
+
+
+ Figure 2. Off-segment name conflict
+
+ If host myhost is configured to use LLMNR on both interfaces, it will
+ send LLMNR queries on both interfaces. When host myhost sends a
+ query for the host RR for name "A" it will receive a response from
+ hosts on both interfaces.
+
+ Host myhost cannot distinguish between the situation shown in Figure
+ 2, and that shown in Figure 3 where no conflict exists.
+
+ [A]
+ | |
+ ----- -----
+ | |
+ [myhost]
+
+ Figure 3. Multiple paths to same host
+
+ This illustrates that the proposed name conflict resolution mechanism
+ does not support detection or resolution of conflicts between hosts
+ on different links. This problem can also occur with unicast DNS
+ when a multi-homed host is connected to two different networks with
+ separated name spaces. It is not the intent of this document to
+ address the issue of uniqueness of names within DNS.
+
+4.2. API issues
+
+ [RFC2553] provides an API which can partially solve the name
+ ambiguity problem for applications written to use this API, since the
+ sockaddr_in6 structure exposes the scope within which each scoped
+ address exists, and this structure can be used for both IPv4 (using
+ v4-mapped IPv6 addresses) and IPv6 addresses.
+
+ Following the example in Figure 2, an application on 'myhost' issues
+ the request getaddrinfo("A", ...) with ai_family=AF_INET6 and
+ ai_flags=AI_ALL|AI_V4MAPPED. LLMNR requests will be sent from both
+ interfaces and the resolver library will return a list containing
+ multiple addrinfo structures, each with an associated sockaddr_in6
+ structure. This list will thus contain the IPv4 and IPv6 addresses
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 19]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ of both hosts responding to the name 'A'. Link-local addresses will
+ have a sin6_scope_id value that disambiguates which interface is used
+ to reach the address. Of course, to the application, Figures 2 and 3
+ are still indistinguishable, but this API allows the application to
+ communicate successfully with any address in the list.
+
+5. Security Considerations
+
+ LLMNR is by nature a peer-to-peer name resolution protocol. It is
+ therefore inherently more vulnerable than DNS, since existing DNS
+ security mechanisms are difficult to apply to LLMNR. While tools
+ exist to alllow an attacker to spoof a response to a DNS query,
+ spoofing a response to an LLMNR query is easier since the query is
+ sent to a link-scope multicast address, where every host on the
+ logical link will be made aware of it.
+
+ In order to address the security vulnerabilities, the following
+ mechanisms are contemplated:
+
+ [1] Scope restrictions.
+ [2] Usage restrictions.
+ [3] Cache and port separation.
+ [4] Authentication.
+
+ These techniques are described in the following sections.
+
+5.1. Scope restriction
+
+ With LLMNR it is possible that hosts will allocate conflicting names
+ for a period of time, or that attackers will attempt to deny service
+ to other hosts by allocating the same name. Such attacks also allow
+ hosts to receive packets destined for other hosts.
+
+ Since LLMNR is typically deployed in situations where no trust model
+ can be assumed, it is likely that LLMNR queries and responses will be
+ unauthenticated. In the absence of authentication, LLMNR reduces the
+ exposure to such threats by utilizing UDP queries sent to a link-
+ scope multicast address, as well as setting the TTL (IPv4) or Hop
+ Limit (IPv6) fields to one (1) on TCP queries and responses.
+
+ Using a TTL of one (1) to set up a TCP connection in order to send a
+ unicast LLMNR query reduces the likelihood of both denial of service
+ attacks and spoofed responses. Checking that an LLMNR query is sent
+ to a link-scope multicast address should prevent spoofing of
+ multicast queries by off-link attackers.
+
+ While this limits the ability of off-link attackers to spoof LLMNR
+ queries and responses, it does not eliminate it. For example, it is
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 20]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ possible for an attacker to spoof a response to a frequent query
+ (such as an A or AAAA query for a popular Internet host), and by
+ using a TTL or Hop Limit field larger than one (1), for the forged
+ response to reach the LLMNR sender.
+
+ When LLMNR queries are sent to a link-scope multicast address, it is
+ possible that some routers may not properly implement link-scope
+ multicast, or that link-scope multicast addresses may leak into the
+ multicast routing system.
+
+ Setting the IPv6 Hop Limit or IPv4 TTL field to a value larger than
+ one in an LLMNR UDP response may enable denial of service attacks
+ across the Internet. However, since LLMNR responders only respond to
+ queries for which they are authoritative, and LLMNR does not provide
+ wildcard query support, it is believed that this threat is minimal.
+
+ There also are scenarios such as public "hotspots" where attackers
+ can be present on the same link. These threats are most serious in
+ wireless networks such as 802.11, since attackers on a wired network
+ will require physical access to the home network, while wireless
+ attackers may reside outside the home. Link-layer security can be of
+ assistance against these threats if it is available.
+
+5.2. Usage restriction
+
+ As noted in Sections 2 and 3, LLMNR is intended for usage in a
+ limited set of scenarios.
+
+ If an LLMNR query is sent whenever a DNS server does not respond in a
+ timely way, then an attacker can poison the LLMNR cache by responding
+ to the query with incorrect information. To some extent, these
+ vulnerabilities exist today, since DNS response spoofing tools are
+ available that can allow an attacker to respond to a query more
+ quickly than a distant DNS server.
+
+ Since LLMNR queries are sent and responded to on the local-link, an
+ attacker will need to respond more quickly to provide its own
+ response prior to arrival of the response from a legitimate
+ responder. If an LLMNR query is sent for an off-link host, spoofing a
+ response in a timely way is not difficult, since a legitimate
+ response will never be received.
+
+ The vulnerability is more serious if LLMNR is given higher priority
+ than DNS among the enabled name resolution mechanisms. In such a
+ configuration, a denial of service attack on the DNS server would not
+ be necessary in order to poison the LLMNR cache, since LLMNR queries
+ would be sent even when the DNS server is available. In addition, the
+ LLMNR cache, once poisoned, would take precedence over the DNS cache,
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 21]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+ eliminating the benefits of cache separation. As a result, LLMNR is
+ only used as a name resolution mechanism of last resort.
+
+5.3. Cache and port separation
+
+ In order to prevent responses to LLMNR queries from polluting the DNS
+ cache, LLMNR implementations MUST use a distinct, isolated cache for
+ LLMNR on each interface. The use of separate caches is most effective
+ when LLMNR is used as a name resolution mechanism of last resort,
+ since this minimizes the opportunities for poisoning the LLMNR cache,
+ and decreases reliance on it.
+
+ LLMNR operates on a separate port from DNS, reducing the likelihood
+ that a DNS server will unintentionally respond to an LLMNR query.
+
+5.4. Authentication
+
+ LLMNR implementations may not support DNSSEC or TSIG, and as a
+ result, responses to LLMNR queries may be unauthenticated. If
+ authentication is desired, and a pre-arranged security configuration
+ is possible, then IPsec ESP with a null-transform MAY be used to
+ authenticate LLMNR responses. In a small network without a
+ certificate authority, this can be most easily accomplished through
+ configuration of a group pre-shared key for trusted hosts.
+
+6. IANA Considerations
+
+ This specification creates one new name space: the reserved bits in
+ the LLMNR header. These are allocated by IETF Consensus, in
+ accordance with BCP 26 [RFC2434].
+
+ LLMNR requires allocation of port 5355 for both TCP and UDP.
+
+ LLMNR requires allocation of link-scope multicast IPv4 address
+ 224.0.0.252, as well as link-scope multicast IPv6 address
+ FF02:0:0:0:0:0:1:3.
+
+7. References
+
+7.1. Normative References
+
+[RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, November 1987.
+
+[RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+ April 1992.
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 22]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+[RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)",
+ RFC 2308, March 1998.
+
+[RFC2365] Meyer, D., "Administratively Scoped IP Multicast", BCP 23, RFC
+ 2365, July 1998.
+
+[RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+[RFC2434] Alvestrand, H. and T. Narten, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October
+ 1998.
+
+[RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+[RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+[RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC 2671,
+ August 1999.
+
+[RFC2988] Paxson, V. and M. Allman, "Computing TCP's Retransmission
+ Timer", RFC 2988, November 2000.
+
+7.2. Informative References
+
+[RFC1536] Kumar, A., et. al., "DNS Implementation Errors and Suggested
+ Fixes", RFC 1536, October 1993.
+
+[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
+ March 1997.
+
+[RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+[RFC2292] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6",
+ RFC 2292, February 1998.
+
+[RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens, "Basic
+ Socket Interface Extensions for IPv6", RFC 2553, March 1999.
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 23]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+[RFC2937] Smith, C., "The Name Service Search Option for DHCP", RFC
+ 2937, September 2000.
+
+[RFC3315] Droms, R., et al., "Dynamic Host Configuration Protocol for
+ IPv6 (DHCPv6)", RFC 3315, July 2003.
+
+[DNSPerf] Jung, J., et al., "DNS Performance and the Effectiveness of
+ Caching", IEEE/ACM Transactions on Networking, Volume 10,
+ Number 5, pp. 589, October 2002.
+
+[DNSDisc] Durand, A., Hagino, I. and D. Thaler, "Well known site local
+ unicast addresses to communicate with recursive DNS servers",
+ Internet draft (work in progress), draft-ietf-ipv6-dns-
+ discovery-07.txt, October 2002.
+
+[IPV4Link]
+ Cheshire, S., Aboba, B. and E. Guttman, "Dynamic Configuration
+ of IPv4 Link-Local Addresses", Internet draft (work in
+ progress), draft-ietf-zeroconf-ipv4-linklocal-15.txt, May
+ 2004.
+
+[POSIX] IEEE Std. 1003.1-2001 Standard for Information Technology --
+ Portable Operating System Interface (POSIX). Open Group
+ Technical Standard: Base Specifications, Issue 6, December
+ 2001. ISO/IEC 9945:2002. http://www.opengroup.org/austin
+
+[LLMNREnable]
+ Guttman, E., "DHCP LLMNR Enable Option", Internet draft (work
+ in progress), draft-guttman-mdns-enable-02.txt, April 2002.
+
+[NodeInfo]
+ Crawford, M., "IPv6 Node Information Queries", Internet draft
+ (work in progress), draft-ietf-ipn-gwg-icmp-name-
+ lookups-09.txt, May 2002.
+
+Acknowledgments
+
+ This work builds upon original work done on multicast DNS by Bill
+ Manning and Bill Woodcock. Bill Manning's work was funded under DARPA
+ grant #F30602-99-1-0523. The authors gratefully acknowledge their
+ contribution to the current specification. Constructive input has
+ also been received from Mark Andrews, Stuart Cheshire, Randy Bush,
+ Robert Elz, Rob Austein, James Gilroy, Olafur Gudmundsson, Erik
+ Guttman, Myron Hattig, Thomas Narten, Christian Huitema, Erik
+ Nordmark, Sander Van-Valkenburg, Tomohide Nagashima, Brian Zill,
+ Keith Moore and Markku Savela.
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 24]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+Authors' Addresses
+
+ Levon Esibov
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: levone@microsoft.com
+
+ Bernard Aboba
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: +1 425 706 6605
+ EMail: bernarda@microsoft.com
+
+ Dave Thaler
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ Phone: +1 425 703 8835
+ EMail: dthaler@microsoft.com
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 25]
+
+
+
+
+
+INTERNET-DRAFT LLMNR 18 July 2004
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+Open Issues
+
+ Open issues with this specification are tracked on the following web
+ site:
+
+ http://www.drizzle.com/~aboba/DNSEXT/llmnrissues.html
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Esibov, Aboba & Thaler Standards Track [Page 26]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
new file mode 100644
index 0000000..c5c3b84
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-tkey-renewal-mode-04.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+DNSEXT Working Group Yuji Kamite
+INTERNET-DRAFT NTT Communications
+<draft-ietf-dnsext-tkey-renewal-mode-04.txt> Masaya Nakayama
+Expires: Aug. 2004 The University of Tokyo
+ Feb. 2004
+
+
+
+
+ TKEY Secret Key Renewal Mode
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with all
+ provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering Task
+ Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as ``work in progress.''
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+
+Abstract
+
+ This document defines a new mode in TKEY and proposes an atomic
+ method for changing secret keys used for TSIG periodically.
+ Originally, TKEY provides methods of setting up shared secrets other
+ than manual exchange, but it cannot control timing of key renewal
+ very well though it can add or delete shared keys separately. This
+ proposal is a systematical key renewal procedure intended for
+ preventing signing DNS messages with old and non-safe keys
+ permanently.
+
+
+
+
+
+
+
+
+Kamite, et. al. [Page 1]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ Table of Contents
+
+
+1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1 Defined Words . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2 New Format and Assigned Numbers . . . . . . . . . . . . . . . 4
+ 1.3 Overview of Secret Key Renewal Mode . . . . . . . . . . . . . 4
+2 Shared Secret Key Renewal . . . . . . . . . . . . . . . . . . . . 5
+ 2.1 Key Usage Time Check . . . . . . . . . . . . . . . . . . . . 5
+ 2.2 Partial Revocation . . . . . . . . . . . . . . . . . . . . . 6
+ 2.3 Key Renewal Message Exchange . . . . . . . . . . . . . . . . 7
+ 2.3.1 Query for Key Renewal . . . . . . . . . . . . . . . . . . 7
+ 2.3.2 Response for Key Renewal . . . . . . . . . . . . . . . . 7
+ 2.3.3 Attributes of Generated Key . . . . . . . . . . . . . . . 8
+ 2.3.4 TKEY RR structure . . . . . . . . . . . . . . . . . . . . 8
+ 2.4 Key Adoption . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 2.4.1 Query for Key Adoption . . . . . . . . . . . . . . . . . 10
+ 2.4.2 Response for Key Adoption . . . . . . . . . . . . . . . . 10
+ 2.5 Keying Schemes . . . . . . . . . . . . . . . . . . . . . . . 11
+ 2.5.1 DH Exchange for Key Renewal . . . . . . . . . . . . . . . 11
+ 2.5.2 Server Assigned Keying for Key Renewal . . . . . . . . . 12
+ 2.5.3 Resolver Assigned Keying for Key Renewal . . . . . . . . 13
+ 2.6 Considerations about Non-compliant Hosts . . . . . . . . . . 14
+3 Secret Storage . . . . . . . . . . . . . . . . . . . . . . . . . 15
+4 Compulsory Key Revocation . . . . . . . . . . . . . . . . . . . . 15
+ 4.1 Compulsory Key Revocation by Server . . . . . . . . . . . . . 15
+ 4.2 Authentication Methods Considerations . . . . . . . . . . . . 15
+5 Special Considerations for Two Servers' Case . . . . . . . . . . 16
+ 5.1 To Cope with Collisions of Renewal Requests . . . . . . . . . 16
+6 Key Name Considerations . . . . . . . . . . . . . . . . . . . . . 17
+7 Example Usage of Secret Key Renewal Mode . . . . . . . . . . . . 17
+8 Security Considerations . . . . . . . . . . . . . . . . . . . . . 20
+9 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . 20
+10 Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . . . 21
+11 References . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
+Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 22
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kamite, et. al. [Page 2]
+
+INTERNET-DRAFT Feb. 2004
+
+
+1. Introduction
+
+ TSIG [RFC2845] provides DNS message integrity and the
+ request/transaction authentication by means of message authentication
+ codes (MAC). TSIG is a practical solution in view of calculation
+ speed and availability. However, TSIG does not have exchanging
+ mechanism of shared secret keys between server and resolver, and
+ administrators might have to exchange secret keys manually. TKEY
+ [RFC2930] is introduced to solve such problem and it can exchange
+ secrets for TSIG via networks.
+
+ In various modes of TKEY, a server and a resolver can add or delete a
+ secret key be means of TKEY message exchange. However, the existing
+ TKEY does not care fully about the management of keys which became
+ too old, or dangerous after long time usage.
+
+ It is ideal that the number of secret which a pair of hosts share
+ should be limited only one, because having too many keys for the same
+ purpose might not only be a burden to resolvers for managing and
+ distinguishing according to servers to query, but also does not seem
+ to be safe in terms of storage and protection against attackers.
+ Moreover, perhaps holding old keys long time might give attackers
+ chances to compromise by scrupulous calculation.
+
+ Therefore, when a new shared secret is established by TKEY, the
+ previous old secret should be revoked immediately. To accomplish
+ this, DNS servers must support a protocol for key renewal. This
+ document specifies procedure to refresh secret keys between two hosts
+ which is defined within the framework of TKEY, and it is called "TKEY
+ Secret Key Renewal Mode".
+
+ The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "MAY" and
+ "OPTIONAL" in this document are to be interpreted as described in
+ [RFC2119].
+
+
+1.1. Defined Words
+
+ * Inception Time: Beginning of the shared secret key lifetime. This
+ value is determined when the key is generated.
+
+ * Expiry Limit: Time limit of the key's validity. This value is
+ determined when a new key is generated. After Expiry Limit, server
+ and client (resolver) must not authenticate TSIG signed with the key.
+ Therefore, Renewal to the next key should be carried out before
+ Expiry Limit.
+
+ * Partial Revocation Time: Time when server judges the key is too old
+
+
+
+Kamite, et. al. [Page 3]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ and must be updated. It must be between Inception Time and Expiry
+ Limit. This value is determined by server freely following its
+ security policy. e.g., If the time from Inception to Partial
+ Revocation is short, renewal will be carried out more often, which
+ might be safer.
+
+ * Revocation Time: Time when the key becomes invalid and can be
+ removed. This value is not determined in advance because it is the
+ actual time when revocation is completed.
+
+ * Adoption Time: Time when the new key is adopted as the next key
+ formally. After Adoption, the key is valid and server and client can
+ generate or verify TSIG making use of it. Adoption Time also means
+ the time when it becomes possible to remove the previous key, so
+ Revocation and Adoption are usually done at the same time.
+
+
+ Partial
+ Inception Revocation Revocation Expiry Limit
+ | | | |
+ |----------------|- - - - - - >>|- (revoked) -|
+ | | | |
+ previous key | | |
+ |- - - -|-------------------->> time
+ | | new key
+ Inception Adoption
+
+
+1.2. New Format and Assigned Numbers
+
+ TSIG
+ ERROR = (PartialRevoke), TBD
+
+ TKEY
+ Mode = (server assignment for key renewal), TBD
+ Mode = (Diffie-Hellman exchange for key renewal), TBD
+ Mode = (resolver assignment for key renewal), TBD
+ Mode = (key adoption), TBD
+
+
+1.3. Overview of Secret Key Renewal Mode
+
+ When a server receives a query from a client signed with a TSIG key,
+ It always checks if the present time is within the range of usage
+ duration it considers safe. If it is judged that the key is too old,
+ i.e., after Partial Revocation Time, the server comes to be in
+ Partial Revocation state about the key, and this key is called
+ partially revoked.
+
+
+
+Kamite, et. al. [Page 4]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ In this state, if a client sends a normal query (e.g., question about
+ A RR) other than TKEY Renewal request with TSIG signed with the old
+ key, the server returns an error message to notify that the time to
+ renew has come. This is called "PartialRevoke" error message. It is
+ server's choice whether it returns PartialRevoke or not. If and only
+ if the server is ready for changing its own key, it decides to return
+ PartialRevoke.
+
+ The client which got this error is able to notice that it is
+ necessary to refresh the secret. To make a new shared secret, it
+ sends a TKEY Renewal request, in which several keying methods are
+ available. It can make use of TSIG authentication signed with the
+ partially revoked key mentioned above.
+
+ After new secret establishment, the client sends a TKEY Adoption
+ request for renewal confirmation. This can also be authenticated with
+ the partially revoked key. If this is admitted by the server, the new
+ key is formally adopted, and at the same time the corresponding old
+ secret is invalidated. Then the client can send the first query again
+ signed with the new key.
+
+ Key renewal procedure is executed based on two-phase commit
+ mechanism. The first phase is the TKEY Renewal request and its
+ response, which means preparatory confirmation for key update. The
+ second phase is Adoption request and its response. If the server gets
+ request and client receives the response successfully, they can
+ finish renewal process. If any error happens and renewal process
+ fails during these phases, client should roll back to the beginning
+ of the first phase, and send TKEY Renewal request again. This
+ rollback can be done until the Expiry Limit of the key.
+
+
+2. Shared Secret Key Renewal
+
+ Suppose a server and a client agree to change their TSIG keys
+ periodically. Key renewal procedure is defined between two hosts.
+
+2.1. Key Usage Time Check
+
+ Whenever a server receives a query with TSIG and can find a key that
+ is used for signing it, the server checks its Inception Time, Partial
+ Revocation Time and Expiry Limit (this information is usually
+ memorized by the server).
+
+ When the present time is before Inception Time, the server MUST NOT
+ verify TSIG with the key, and server acts the same way as when the
+ key used by the client is not recognized. It follows [RFC2845] 4.5.1.
+
+
+
+
+Kamite, et. al. [Page 5]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ When the present time is equal to Inception Time, or between
+ Inception Time and Partial Revocation Time, the behavior of the
+ server is the same as when a valid key is found. It follows [RFC2845]
+ 4.5.2 and 4.5.3.
+
+ When the present time is the same as the Partial Revocation Time, or
+ between the Partial Revocation Time and Expiry Limit, the server
+ comes to be in Partial Revocation state about the TSIG key and
+ behaves according to the next section.
+
+ When the present time is the same as the Expiry Time or after it, the
+ server MUST NOT verify TSIG with the key, and returns error messages
+ in the same way as when the key used by the client is not recognized.
+ It follows [RFC2845] 4.5.1.
+
+
+2.2. Partial Revocation
+
+ In Partial Revocation state, we say the server has partially revoked
+ the key and the key has become a "partially revoked key".
+
+ If server has received a query signed with the partially revoked key
+ for TKEY Renewal request (See section 2.3.) or Key Adoption request
+ (See section 2.4.), then server does proper process following each
+ specification. If it is for TKEY key deletion request ([RFC2930]
+ 4.2), server MAY process usual deletion operation defined therein.
+
+ If server receives other types of query signed with the partially
+ revoked key, and both the corresponding MAC and signed TIME are
+ verified, then server begins returning answer whose TSIG error code
+ is "PartialRevoke" (See section 9.). Server MUST randomly but with
+ increasing frequency return PartialRevoke when in the Partial
+ Revocation state.
+
+ Server can decide when it actually sends PartialRevoke, checking if
+ it is appropriate time for renewal. Server MUST NOT return
+ PartialRevoke if this is apart long lived TSIG transaction (such as
+ AXFR) that started before the Partial Revocation Time.
+
+ If the client receives PartialRevoke and understands it, then it MUST
+ retry the query with the old key unless a new key has been adopted.
+ Client SHOULD start the process to renew the TSIG key. For key
+ renewal procedure, see details in Section 2.3 and 2.4.
+
+ PartialRevoke period (i.e., time while server returns PartialRevoke
+ randomely) SHOULD be small, say 2-5% of key lifetime. This is
+ server's choice.
+
+
+
+
+Kamite, et. al. [Page 6]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ Server MUST keep track of clients ignoring PartialRevoke, thus
+ indicating ignorance of this TKEY mode.
+
+ PartialRevoke error messages have the role to inform clients of the
+ keys' partial revocation and urge them to send TKEY Renewal requests.
+ These error responses MUST be signed with those partial revoked keys
+ if the queries are signed with them. They are sent only when the
+ signing keys are found to be partially revoked. If the MAC of TSIG
+ cannot be verified with the partially revoked keys, servers MUST NOT
+ return PartialRevoke error with MAC, but MUST return another error
+ such as "BADSIG" without MAC (following [RFC2845] 4.5.3); in other
+ words, a server informs its key's partial revocation only when the
+ MAC in the received query is valid.
+
+
+2.3. Key Renewal Message Exchange
+
+2.3.1. Query for Key Renewal
+
+ If a client has received a PartialRevoke error and authenticated the
+ response based on TSIG MAC, it sends a TKEY query for Key Renewal (in
+ this document, we call it Renewal request, too.) to the server. The
+ request MUST be signed with TSIG or SIG(0) [RFC2931] for
+ authentication. If TSIG is selected, the client can sign it with the
+ partial revoked key.
+
+ Key Renewal can use one of several keying methods which is indicated
+ in "Mode" field of TKEY RR, and its message structure is dependent on
+ that method.
+
+
+2.3.2. Response for Key Renewal
+
+ The server which has received Key Renewal request first tries to
+ verify TSIG or SIG(0) accompanying it. If the TSIG is signed and
+ verified with the partially revoked key, the request MUST be
+ authenticated.
+
+ After authentication, server must check existing old key's validity.
+ If the partially revoked key indicated in the request TKEY's OldName
+ and OldAlgorithm field (See section 2.3.4.) does not exist at the
+ server, "BADKEY" [RFC2845] is given in Error field for response. If
+ any other error happens, server returns appropriate error messages
+ following the specification described in section 2.5. If there are no
+ errors, server returns a Key Renewal answer. This answer MUST be
+ signed with TSIG or SIG(0) for authentication.
+
+ When this answer is successfully returned and no error is detected by
+
+
+
+Kamite, et. al. [Page 7]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ client, a new shared secret can be established. The details of
+ concrete keying procedure are given in the section 2.5.
+
+ Note:
+ Sometimes Adoption message and new Renewal request will cross on
+ the wire. In this case the newly generated key Adoption message is
+ resent.
+
+
+2.3.3. Attributes of Generated Key
+
+ As a result of this message exchange, client comes to know the newly
+ generated key's attributes such as key's name, Inception Time and
+ Expiry Limit. They are decided by the server and told to the client;
+ in particular, however, once the server has decided Expiry Limit and
+ returned a response, it should obey the decision as far as it can. In
+ other words, they SHOULD NOT change time values for checking Expiry
+ Limit in the future without any special reason, such as security
+ issue like "Emergency Compulsory Revocation" described in section 8.
+
+ On the other hand, Partial Revocation Time of this generated key is
+ not decided based on the request, and not informed to the client. The
+ server can determine any value as long as it is between Inception
+ Time and Expiry Limit. However, the period from Inception to Partial
+ Revocation SHOULD be fixed as the server side's configuration or be
+ set the same as the corresponding old key's one.
+
+ Note:
+ Even if client sends Key Renewal request though the key described
+ in OldName has not been partially revoked yet, server does renewal
+ processes. At the moment when the server accepts such requests
+ with valid authentication, it MUST forcibly consider the key is
+ already partially revoked, that is, the key's Partial Revocation
+ Time must be changed into the present time (i.e., the time when
+ the server receives the request).
+
+
+2.3.4. TKEY RR structure
+
+ TKEY RR for Key Renewal message has the structure given below. In
+ principle, format and definition for each field follows [RFC2930].
+ Note that each keying scheme sometimes needs different interpretation
+ of RDATA field; for detail, see section 2.5.
+
+ Field Type Comment
+ ------- ------ -------
+ NAME domain used for a new key, see below
+ TYPE u_int16_t (defined in [RFC2930])
+
+
+
+Kamite, et. al. [Page 8]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ CLASS u_int16_t (defined in [RFC2930])
+ TTL u_int32_t (defined in [RFC2930])
+ RDLEN u_int16_t (defined in [RFC2930])
+ RDATA:
+ Algorithm: domain algorithm for a new key
+ Inception: u_int32_t about the keying material
+ Expiration: u_int32_t about the keying material
+ Mode: u_int16_t scheme for key agreement
+ see section 9.
+ Error: u_int16_t see description below
+ Key Size: u_int16_t see description below
+ Key Data: octet-stream
+ Other Size: u_int16_t (defined in [RFC2930])
+ size of other data
+ Other Data: newly defined: see description below
+
+
+ For "NAME" field, both non-root and root name are allowed. It may
+ be used for a new key's name in the same manner as [RFC2930] 2.1.
+
+ "Algorithm" specifies which algorithm is used for agreed keying
+ material, which is used for identification of the next key.
+
+ "Inception" and "Expiration" are used for the valid period of
+ keying material. The meanings differ somewhat according to whether
+ the message is request or answer, and its keying scheme.
+
+ "Key Data" has different meanings according to keying schemes.
+
+ "Mode" field stores the value in accordance with the keying method,
+ and see section 2.5. Servers and clients supporting TKEY Renewal
+ method MUST implement "Diffie-Hellman exchange for key renewal"
+ scheme. All other modes are OPTIONAL.
+
+ "Error" is an extended RCODE which includes "PartialRevoke" value
+ too. See section 9.
+
+ "Other Data" field has the structure given below. They describe
+ attributes of the key to be renewed.
+
+ in Other Data filed:
+
+ Field Type Comment
+ ------- ------ -------
+ OldNAME domain name of the old key
+ OldAlgorithm domain algorithm of the old key
+
+
+
+
+
+Kamite, et. al. [Page 9]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ "OldName" indicates the name of the previous key (usually,
+ this is partially revoked key's name that client noticed by
+ PartialRevoke answer from server), and "OldAlogirthm"
+ indicates its algorithm.
+
+
+2.4. Key Adoption
+
+2.4.1. Query for Key Adoption
+
+ After receiving a TKEY Renewal answer, the client gets the same
+ secret as the server. Then, it sends a TKEY Adoption request. The
+ request's question section's QNAME field is the same as the NAME
+ filed of TKEY written below. In additional section, there is one TKEY
+ RR that has the structure and values described below.
+
+ "NAME" field is the new key's name to be adopted which was already
+ generated by Renewal message exchange. "Algorithm" is its
+ algorithm. "Inception" means the key's Inception Time, and
+ "Expiration" means Expiry Limit.
+
+ "Mode" field is the value of "key adoption". See section 9.
+
+ "Other Data" field in Adoption has the same structure as that of
+ Renewal request message. "OldName" means the previous old key, and
+ "OldAlogirthm" means its algorithm.
+
+ Key Adoption request MUST be signed with TSIG or SIG(0) for
+ authentication. The client can sign TSIG with the previous key. Note
+ that until Adoption is finished, the new key is treated as invalid,
+ thus it cannot be used for authentication immediately.
+
+
+2.4.2. Response for Key Adoption
+
+ The server which has received Adoption request, it verifies TSIG or
+ SIG(0) accompanying it. If the TSIG is signed with the partially
+ revoked key and can be verified, the message MUST be authenticated.
+
+ If the next new key indicated by the request TKEY's "NAME" is not
+ present at the server, BADNAME [RFC2845] is given in Error field and
+ the error message is returned.
+
+ If the next key exists but it has not been adopted formally yet, the
+ server confirms the previous key's existence indicated by the
+ "OldName" and "OldAlgorithm" field. If it succeeds, the server
+ executes Adoption of the next key and Revocation of the previous key.
+ Response message duplicates the request's TKEY RR with NOERROR,
+
+
+
+Kamite, et. al. [Page 10]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ including "OldName" and "OldAlgorithm" that indicate the revoked key.
+
+ If the next key exists but it is already adopted, the server returns
+ a response message regardless of the substance of the request TKEY's
+ "OldName". In this response, Response TKEY RR has the same data as
+ the request's one except as to its "Other Data" that is changed into
+ null (i.e., "Other Size" is zero), which is intended for telling the
+ client that the previous key name was ignored, and the new key is
+ already available.
+
+ Client sometimes has to retry Adoption request. Suppose the client
+ sent request signed with the partially revoked key, but its response
+ did not return successfully (e.g., due to the drop of UDP packet).
+ Client will probably retry Adoption request; however, the request
+ will be refused in the form of TSIG "BADKEY" error because the
+ previous key was already revoked. In this case, client will
+ retransmit Adoption request signed with the next key, and expect a
+ response which has null "Other Data" for confirming the completion of
+ renewal.
+
+
+2.5. Keying Schemes
+
+ In Renewal message exchanges, there are no limitations as to which
+ keying method is actually used. The specification of keying
+ algorithms is independent of the general procedure of Renewal that is
+ described in section 2.3.
+
+ Now this document specifies three algorithms in this section, but
+ other future documents can make extensions defining other methods.
+
+
+2.5.1. DH Exchange for Key Renewal
+
+ This scheme is defined as an extended method of [RFC2930] 4.1. This
+ specification only describes the difference from it and special
+ notice; assume that all other points, such as keying material
+ computation, are the exactly same as the specification of [RFC2930]
+ 4.1.
+
+ Query
+ In Renewal request for type TKEY with this mode, there is one TKEY
+ RR and one KEY RR in the additional information section. KEY RR is
+ the client's Diffie-Hellman public key [RFC2539].
+
+ QNAME in question section is the same as that of "NAME" field in
+ TKEY RR, i.e., it means the requested new key's name.
+
+
+
+
+Kamite, et. al. [Page 11]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ TKEY "Mode" field stores the value of "DH exchange for key
+ renewal". See section 9.
+
+ TKEY "Inception" and "Expiration" are those requested for the
+ keying material, that is, requested usage period of a new key.
+
+ TKEY "Key Data" is used as a random, following [RFC2930] 4.1.
+
+ Response
+ The server which received this request first verifies the TSIG,
+ SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
+ old key's existence validity is checked, following section 2.3. If
+ any incompatible DH key is found in the request, "BADKEY"
+ [RFC2845] is given in Error field for response. "FORMERR" is given
+ if the query included no DH KEY.
+
+ If there are no errors, the server processes a response according
+ to Diffie-Hellman algorithm and returns the answer. In this
+ answer, there is one TKEY RR in answer section and KEY RR(s) in
+ additional section.
+
+ As long as no error has occurred, all values of TKEY are equal to
+ that of the request message except TKEY NAME, TKEY RDLEN, RDATA's
+ Inception, Expiration, Key Size and Key Data.
+
+ TKEY "NAME" field in the answer specifies the name of newly
+ produced key which the client MUST use.
+
+ TKEY "Inception" and "Expiration" mean the periods of the produced
+ key usage. "Inception" is set to be the time when the new key is
+ actually generated or the time before it, and it will be regarded
+ as Inception Time. "Expiration" is determined by the server, and
+ it will be regarded as Expiry Limit.
+
+ TKEY "Key Data" is used as an additional nonce, following
+ [RFC2930] 4.1.
+
+ The resolver supplied Diffie-Hellman KEY RR SHOULD be echoed in
+ the additional section and a server Diffie-Hellman KEY RR will
+ also be present in the answer section, following [RFC2930] 4.1.
+
+
+2.5.2. Server Assigned Keying for Key Renewal
+
+ This scheme is defined as an extended method of [RFC2930] 4.4. This
+ specification only describes the difference from it and special
+ notice; assume that all other points, such as secret encrypting
+ method, are the exactly same as the specification of [RFC2930] 4.4.
+
+
+
+Kamite, et. al. [Page 12]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ Query
+ In Renewal request for type TKEY with this mode, there is one TKEY
+ RR and one KEY RR in the additional information section. KEY RR is
+ used in encrypting the response.
+
+ QNAME in question section is the same as that of "NAME" field in
+ TKEY RR, i.e., it means the requested new key's name.
+
+ TKEY "Mode" field stores the value of "server assignment for key
+ renewal". See section 9.
+
+ TKEY "Inception" and "Expiration" are those requested for the
+ keying material, that is, requested usage period of a new key.
+
+ TKEY "Key Data" is provided following the specification of
+ [RFC2930] 4.4.
+
+ Response
+ The server which received this request first verifies the TSIG,
+ SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
+ old key's existence validity is checked, following section 2.3.
+ "FORMERR" is given if the query specified no encryption key.
+
+ If there are no errors, the server response contains one TKEY RR
+ in the answer section, and echoes the KEY RR provided in the query
+ in the additional information section.
+
+ TKEY "NAME" field in the answer specifies the name of newly
+ produced key which the client MUST use.
+
+ TKEY "Inception" and "Expiration" mean the periods of the produced
+ key usage. "Inception" is set to be the time when the new key is
+ actually generated or the time before it, and it will be regarded
+ as Inception Time. "Expiration" is determined by the server, and
+ it will be regarded as Expiry Limit.
+
+ TKEY "Key Data" is the assigned keying data encrypted under the
+ public key in the resolver provided KEY RR, which is the same as
+ [RFC2930] 4.4.
+
+
+2.5.3. Resolver Assigned Keying for Key Renewal
+
+ This scheme is defined as an extended method of [RFC2930] 4.5. This
+ specification only describes the difference from it and special
+ notice; assume that all other points, such as secret encrypting
+ method, are the exactly same as the specification of [RFC2930] 4.5.
+
+
+
+
+Kamite, et. al. [Page 13]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ Query
+ In Renewal request for type TKEY with this mode, there is one TKEY
+ RR and one KEY RR in the additional information section. TKEY RR
+ has the encrypted keying material and KEY RR is the server public
+ key used to encrypt the data.
+
+ QNAME in question section is the same as that of "NAME" field in
+ TKEY RR, i.e., it means the requested new key's name.
+
+ TKEY "Mode" field stores the value of "resolver assignment for key
+ renewal". See section 9.
+
+ TKEY "Inception" and "Expiration" are those requested for the
+ keying material, that is, requested usage period of a new key.
+
+ TKEY "Key Data" is the encrypted keying material.
+
+ Response
+ The server which received this request first verifies the TSIG,
+ SIG(0) or DNSSEC lookup of KEY RR used. After authentication, the
+ old key's existence validity is checked, following section 2.3.
+ "FORMERR" is given if the server does not have the corresponding
+ private key for the KEY RR that was shown sin the request.
+
+ If there are no errors, the server returns a response. The
+ response contains a TKEY RR in the answer section to tell the
+ shared key's name and its usage time values.
+
+ TKEY "NAME" field in the answer specifies the name of newly
+ produced key which the client MUST use.
+
+ TKEY "Inception" and "Expiration" mean the periods of the produced
+ key usage. "Inception" is set to be the time when the new key is
+ actually generated or the time before it, and it will be regarded
+ as Inception Time. "Expiration" is determined by the server, and
+ it will be regarded as Expiry Limit.
+
+
+2.6. Considerations about Non-compliant Hosts
+
+ Key Renewal requests and responses must be exchanged between hosts
+ which can understand them and do proper processes. PartialRevoke
+ error messages will be only ignored if they should be returned to
+ non-compliant hosts.
+
+ Note that server does not inform actively the necessity of renewal to
+ clients, but inform it as responses invoked by client's query.
+ Server needs not care whether the PartialRevoke errors has reached
+
+
+
+Kamite, et. al. [Page 14]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ client or not. If client has not received yet because of any reasons
+ such as packet drops, it will resend the queries, and finally will be
+ able to get PartialRevoke information.
+
+
+3. Secret Storage
+
+ Every server keeps all secrets and attached information, e.g.,
+ Inception Time, Expiry Limit, etc. safely to be able to recover from
+ unexpected stop. To accomplish this, formally adopted keys SHOULD be
+ memorized not only on memory, but also be stored in the form of some
+ files. It will become more secure if they are stored in ecrypted
+ form.
+
+
+4. Compulsory Key Revocation
+
+4.1. Compulsory Key Revocation by Server
+
+ There is a rare but possible case that although servers have already
+ partially revoked keys, clients do not try to send any Renewal
+ requests. If this state continues, in the future it will become the
+ time of Expiry Limit. After Expiry Limit, the keys will be expired
+ and completely removed, so this is called Compulsory Key Revocation
+ by server.
+
+ If Expiry Limit is too distant from the Partial Revocation Time, then
+ even though very long time passes, clients will be able to refresh
+ secrets only if they add TSIG signed with those old partially revoked
+ keys into requests, which is not safe.
+
+ On the other hand, if Expiry Limit is too close to Partial Revocation
+ Time, perhaps clients might not be able to notice their keys' Partial
+ Revocation by getting "PartialRevoke" errors.
+
+ Therefore, servers should set proper Expiry Limit to their keys,
+ considering both their keys' safety, and enough time for clients to
+ send requests and process renewal.
+
+
+4.2. Authentication Methods Considerations
+
+ It might be ideal to provide both SIG(0) and TSIG as authentication
+ methods. For example:
+
+ A client and a server start SIG(0) authentication at first, to
+ establish TSIG shared keys by means of "Query for Diffie-Hellman
+ Exchanged Keying" as described in [RFC2930] 4.1. Once they get
+
+
+
+Kamite, et. al. [Page 15]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ shared secret, they keep using TSIG for queries and responses.
+ After a while the server returns a "ParitalRevoke" error and they
+ begin a key renewal process. Both TSIG signed with partially
+ revoked keys and SIG(0) are okay for authentication, but TSIG would
+ be easier to use considering calculation efficiency.
+
+ Suppose now client is halted for long time with some reason.
+ Because server does not execute any renewal process, it will
+ finally do Compulsory Revocation. Even if client restarts and sends
+ a key Renewal request, it will fail because old key is already
+ deleted at server.
+
+ At this moment, however, if client also uses SIG(0) as another
+ authentication method, it can make a new shared key again and
+ recover successfully by sending "Query for Diffie-Hellman Exchanged
+ Keying" with SIG(0).
+
+
+5. Special Considerations for Two servers' Case
+
+ This section refers to the case where both hosts are DNS servers
+ which can act as full resolvers as well and using one shared key
+ only. If one server (called Server A) wants to refresh a shared key
+ (called "Key A-B"), it will await a TKEY Renewal request from the
+ other server (called Server B). However, perhaps Server A wants to
+ refresh the key right now.
+
+ In this case, Server A is allowed to send a Renewal request to Server
+ B, if Server A knows the Key A-B is too old and wants to renew it
+ immediately.
+
+ Note that the initiative in key renewal belongs to Server A because
+ it can notice the Partial Revocation Time and decide key renewal. If
+ Server B has information about Partial Revocation Time as well, it
+ can also decide for itself to send Renewal request to Server A.
+ However, it is not essential for both two servers have information
+ about key renewal timing.
+
+5.1. To Cope with Collisions of Renewal Requests
+
+ At least one of two hosts which use Key Renewal must know their key
+ renewal information such as Partial Revocation Time. It is okay that
+ both hosts have it.
+
+ Provided that both two servers know key renewal timing information,
+ there is possibility for them to begin partial revocation and sending
+ Renewal requests to each other at the same time. Such collisions will
+ not happen so often because Renewal requests are usually invoked when
+
+
+
+Kamite, et. al. [Page 16]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ hosts want to send queries, but it is possible.
+
+ When one of two servers tries to send Renewal requests, it MUST
+ protect old secrets that it has partially revoked and prevent it from
+ being refreshed by any requests from the other server (i.e., it must
+ lock the old secret during the process of renewal). While the server
+ is sending Renewal requests and waiting responses, it ignores the
+ other server's Renewal requests.
+
+ Therefore, servers might fail to change secrets by means of their own
+ requests to others. After failure they will try to resend, but they
+ should wait for random delays by the next retries. If they get any
+ Renewal requests from others while they are waiting, their shared
+ keys may be refreshed, then they do not need to send any Renewal
+ requests now for themselves.
+
+
+6. Key Name Considerations
+
+ Since both servers and clients have only to distinguish new secrets
+ and old ones, keys' names do not need to be specified strictly.
+ However, it is recommended that some serial number or key generation
+ time be added to the name and that the names of keys between the same
+ pair of hosts should have some common labels among their keys. For
+ example, suppose A.example.com. and B.example.com. share the key
+ "<serial number>.A.example.com.B.example.com." such as
+ "10010.A.example.com.B.example.com.". After key renewal, they change
+ their secret and name into "10011.A.example.com.B.example.com."
+
+ Servers and clients must be able to use keys properly for each query.
+ Because TSIG secret keys themselves do not have any particular IDs to
+ be distinguished and would be identified by their names and
+ algorithm, it must be understood correctly what keys are refreshed.
+
+
+7. Example Usage of Secret Key Renewal Mode
+
+ This is an example of Renewal mode usage where a Server,
+ server.example.com, and a Client, client.exmple.com have an initial
+ shared secret key named "00.client.example.com.server.example.com".
+
+ (1) The time values for key
+ "00.client.example.com.server.example.com" was set as follows:
+ Inception Time is at 1:00, Expiry Limit is at 21:00.
+
+ (2) At Server, renewal time has been set: Partial Revocation Time
+ is at 20:00.
+
+
+
+
+Kamite, et. al. [Page 17]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ (3) Suppose the present time is 19:55. If Client sends a query
+ signed with key "00.client.example.com.server.example.com" to ask
+ the IP address of "www.example.com", finally it will get a proper
+ answer from Server with valid TSIG (NOERROR).
+
+ (4) At 20:05. Client sends a query to ask the IP address of
+ "www2.example.com". It is signed with key
+ "00.client.example.com.server.example.com". Server returns an
+ answer for the IP address. However, server has begun retuning
+ PartialRevoke Error randomely. This answer includes valid TSIG MAC
+ signed with "00.client.example.com.server.example.com", and its
+ Error Code indicates PartialRevoke. Client understands that the
+ current key is partially revoked.
+
+ (5) At 20:06. Client sends a Renewal request to Server. This
+ request is signed with key
+ "00.client.example.com.server.example.com". It includes data such
+ as:
+
+ Question Section:
+ QNAME = 01.client.example.com. (Client can set this freely)
+ TYPE = TKEY
+
+ Additional Section:
+ 01.client.example.com. TKEY
+ Algorithm = hmac-md5-sig-alg.reg.int.
+ Inception = (value meaning 20:00)
+ Expiration = (value meaning next day's 16:00)
+ Mode = (DH exchange for key renewal)
+ OldName = 00.client.example.com.server.example.com.
+ OldAlgorithm = hmac-md5-sig-alg.reg.int.
+
+ Additional Section also contains a KEY RR for DH and a TSIG RR.
+
+ (6) As soon as Server receives this request, it verifies TSIG. It
+ is signed with the partially revoked key
+ "00.client.example.com.server.example.com". and Server accepts the
+ request. It creates a new key by Diffie-Hellman calculation and
+ returns an answer which includes data such as:
+
+ Answer Section:
+ 01.client.example.com.server.example.com. TKEY
+ Algorithm = hmac-md5-sig-alg.reg.int.
+ Inception = (value meaning 20:00)
+ Expiration = (value meaning next day's 16:00)
+ Mode = (DH exchange for key renewal)
+ OldName = 00.client.example.com.server.example.com.
+ OldAlgorithm = hmac-md5-sig-alg.reg.int.
+
+
+
+Kamite, et. al. [Page 18]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ Answer Section also contains KEY RRs for DH.
+
+ Additional Section also contains a TSIG RR.
+ This response is signed with key
+ "00.client.example.com.server.example.com" without error.
+
+ At the same time, Server decides to set the Partial Revocation Time
+ of this new key "01.client.example.com.server.example.com." as next
+ day's 15:00.
+
+ (7) Client gets the response and checks TSIG MAC, and calculates
+ Diffie-Hellman. It will get a new key, and it has been named
+ "01.client.example.com.server.example.com" by Server.
+
+ (8) At 20:07. Client sends an Adoption request to Server. This
+ request is signed with the previous key
+ "00.client.example.com.server.example.com". It includes:
+
+ Question Section:
+ QNAME = 01.client.example.com.server.example.com.
+ TYPE = TKEY
+
+ Additional Section:
+ 01.client.example.com.server.example.com. TKEY
+ Algorithm = hmac-md5-sig-alg.reg.int.
+ Inception = (value meaning 20:00)
+ Expiration = (value meaning next day's 16:00)
+ Mode = (key adoption)
+ OldName = 00.client.example.com.server.example.com.
+ OldAlgorithm = hmac-md5-sig-alg.reg.int.
+
+ Additional Section also contains a TSIG RR.
+
+ (9) Server verifies the query's TSIG. It is signed with the
+ previous key and authenticated. It returns a response whose TKEY RR
+ is the same as the request's one. The response is signed with key
+ "00.client.example.com.server.example.com.". As soon as the
+ response is sent, Server revokes and removes the previous key. At
+ the same time, key "01.client.example.com.server.example.com." is
+ validated.
+
+ (10) Client acknowledges the success of Adoption by receiving the
+ response. Then, it retries to send an original question about
+ "www2.example.com". It is signed with the adopted key
+ "01.client.example.com.server.example.com", so Server authenticates
+ it and returns an answer.
+
+
+
+
+
+Kamite, et. al. [Page 19]
+
+INTERNET-DRAFT Feb. 2004
+
+
+ (11) This key is used until next day's 15:00. After that, it will
+ be partially revoked again.
+
+
+8. Security Considerations
+
+ This document considers about how to refresh shared secret. Secret
+ changed by this method is used at servers in support of TSIG
+ [RFC2845].
+
+ [RFC2104] says that current attacks to HMAC do not indicate a
+ specific recommended frequency for key changes but periodic key
+ refreshment is a fundamental security practice that helps against
+ potential weaknesses of the function and keys, and limits the damage
+ of an exposed key. TKEY Secret Key Renewal provides the method of
+ periodical key refreshment.
+
+ In TKEY Secret Key Renewal, clients need to send two requests
+ (Renewal and Adoption) and spend time to finish their key renewal
+ processes. Thus the usage period of secrets should be considered
+ carefully based on both TKEY processing performance and security.
+
+ This document specifies the procedure of periodical key renewal, but
+ actually there is possibility for servers to have no choice other
+ than revoking their secret keys immediately especially when the keys
+ are found to be compromised by attackers. This is called "Emergency
+ Compulsory Revocation". For example, suppose the original Expiry
+ Limit was set at 21:00, Partial Revocation Time at 20:00 and
+ Inception Time at 1:00. if at 11:00 the key is found to be
+ compromised, the server sets Expiry Limit forcibly to be 11:00 or
+ before it.
+
+ Consequently, once Compulsory Revocation (See section 4.) is carried
+ out, normal renewal process described in this document cannot be done
+ any more as far as the key is concerned. However, after such
+ accidents happened, the two hosts are able to establish secret keys
+ and begin renewal procedure only if they have other (non-compromised)
+ shared TSIG keys or safe SIG(0) keys for the authentication of
+ initial secret establishment such as Diffie-Hellman Exchanged Keying.
+
+
+9. IANA Considerations
+
+ IANA needs to allocate a value for "DH exchange for key renewal",
+ "server assignment for key renewal", "resolver assignment for key
+ renewal" and "key adoption" in the mode filed of TKEY. It also needs
+ to allocate a value for "PartialRevoke" from the extended RCODE
+ space.
+
+
+
+Kamite, et. al. [Page 20]
+
+INTERNET-DRAFT Feb. 2004
+
+
+10. Acknowledgement
+
+ The authors would like to thank Olafur Gudmundsson, whose helpful
+ input and comments contributed greatly to this document.
+
+
+11. References
+
+[RFC2104]
+ H. Krawczyk, M.Bellare, R. Canetti, "Keyed-Hashing for Message
+ Authentication", RFC2104, February 1997.
+
+[RFC2119]
+ Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", RFC 2119, March 1997.
+
+[RFC2539]
+ D. Eastlake 3rd, "Storage of Diffie-Hellman Keys in the Domain Name
+ System (DNS)", RFC 2539, March 1999.
+
+[RFC2845]
+ Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC 2845,
+ May 2000.
+
+[RFC2930]
+ D. Eastlake 3rd, ``Secret Key Establishment for DNS (TKEY RR)'',
+ RFC 2930, September 2000.
+
+[RFC2931]
+ D. Eastlake 3rd, "DNS Request and Transaction Signatures (SIG(0)s
+ )", RFC 2931, September 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kamite, et. al. [Page 21]
+
+INTERNET-DRAFT Feb. 2004
+
+
+Authors' Addresses
+
+ Yuji Kamite
+ NTT Communications Corporation
+ Tokyo Opera City Tower
+ 3-20-2 Nishi Shinjuku, Shinjuku-ku, Tokyo
+ 163-1421, Japan
+ EMail: y.kamite@ntt.com
+
+
+ Masaya Nakayama
+ Information Technology Center, The University of Tokyo
+ 2-11-16 Yayoi, Bunkyo-ku, Tokyo
+ 113-8658, Japan
+ EMail: nakayama@nc.u-tokyo.ac.jp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kamite, et. al. [Page 22]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt
new file mode 100644
index 0000000..1133b0c
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-tsig-sha-00.txt
@@ -0,0 +1,466 @@
+
+
+INTERNET-DRAFT Donald E. Eastlake 3rd
+UPDATES RFC 2845 Motorola Laboratories
+Expires: February 2005 August 2004
+
+
+ HMAC SHA TSIG Algorithm Identifiers
+ ---- --- ---- --------- -----------
+ <draft-ietf-dnsext-tsig-sha-00.txt>
+
+
+Status of This Document
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ or will be disclosed, and any of which I become aware will be
+ disclosed, in accordance with RFC 3668.
+
+ This draft is intended to be become a Proposed Standard RFC.
+ Distribution of this document is unlimited. Comments should be sent
+ to the DNSEXT working group mailing list <namedroppers@ops.ietf.org>.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than a "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+
+Abstract
+
+ Use of the TSIG DNS resource record requires specification of a
+ cryptographic message authentication code. Currently identifiers
+ have been specified only for the HMAC-MD5 and GSS TSIG algorithms.
+ This document standardizes identifiers for additional HMAC SHA TSIG
+ algorithms and standardizes how to specify the truncation of HMAC
+ values.
+
+
+Copyright Notice
+
+ Copyright (C) The Internet Society 2004. All Rights Reserved.
+
+
+
+
+D. Eastlake 3rd [Page 1]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+Table of Contents
+
+ Status of This Document....................................1
+ Abstract...................................................1
+ Copyright Notice...........................................1
+
+ Table of Contents..........................................2
+
+ 1. Introduction............................................3
+
+ 2. Algorithms and Identifiers..............................4
+
+ 3. Specifying Truncation...................................5
+
+ 4. IANA Considerations.....................................6
+ 5. Security Considerations.................................6
+ 6. Copyright and Disclaimer................................6
+
+ 7. Normative References....................................7
+ 8. Informative References..................................7
+
+ Authors Address............................................8
+ Expiration and File Name...................................8
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 2]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+1. Introduction
+
+ [RFC 2845] specifies a TSIG Resource Record (RR) that can be used to
+ authenticate DNS queries and responses. This RR contains a domain
+ name syntax data item which names the authentication algorithm used.
+ [RFC 2845] defines the HMAC-MD5.SIG-ALG.REG.INT name for
+ authentication codes using the HMAC [RFC 2104] algorithm with the MD5
+ [RFC 1321] hash algorithm. IANA has also registered "gss-tsig" as an
+ identifier for TSIG authentication where the cryptographic operations
+ are delegated to GSS [RFC 3645].
+
+ In section 2, this document specifies additional names for TSIG
+ authentication algorithms based on US NIST SHA algorithms and HMAC.
+
+ In section 3, this document specifies the meaning of inequality
+ between the normal output size of the specified hash function and the
+ length of MAC (message authentication code) data given in the TSIG
+ RR. In particular, it specifies that a shorter length field value
+ specifies truncation and a longer length field is an error.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 3]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+2. Algorithms and Identifiers
+
+ TSIG Resource Records (RRs) [RFC 2845] are used to authenticate DNS
+ queries and responses. They are intended to be efficient symmetric
+ authentication codes based on a shared secret. (Asymmetric signatures
+ can be provided using the SIG RR [RFC 2931]. In particular, SIG(0)
+ can be used for transaction signatures.) Used with a strong hash
+ function, HMAC [RFC 2104] provides a way to calculate such symmetric
+ authentication codes. The only specified HMAC based TSIG algorithm
+ identifier has been HMAC-MD5.SIG-ALG.REG.INT based on MD5 [RFC 1321].
+
+ The use of SHA-1 [FIPS 180-1, RFC 3174], which is a 160 bit hash, as
+ compared with the 128 bits for MD5, and additional hash algorithms in
+ the SHA family [FIPS 180-2, RFC sha224] with 224, 256, 384, and 512
+ bits, may be preferred in some case. Use of TSIG between a DNS
+ resolver and server is by mutual agreement. That agreement can
+ include the support of additional algorithms.
+
+ For completeness in relation to HMAC based algorithms, the current
+ HMAC-MD5.SIG-ALG.REG.INT identifier is included in the table below.
+ Implementations which support TSIG MUST implement HMAC MD5, SHOULD
+ implement HMAC SHA-1, and MAY implement gss-tsig and the other
+ algorithms listed below.
+
+ Mandatory HMAC-MD5.SIG-ALG.REG.INT
+ Recommended hmac-sha1
+ Optional hmac-sha224
+ Optional hmac-sha256
+ Optional hamc-sha384
+ Optional hmac-sha512
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 4]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+3. Specifying Truncation
+
+ In some cases, it is reasonable to truncate the output of HMAC and
+ use the truncated value for authentication. HMAC SHA-1 truncated to
+ 96 bits is an optional available in several IETF protocols including
+ IPSEC and TLS.
+
+ The TSIG RR [RFC 2845] includes a "MAC size" field, which gives the
+ size of the MAC field in octets. But [RFC 2845] does not specify what
+ to do if this MAC size differs from the length of the output of HMAC
+ for a particular hash function.
+
+ The specification for TSIG handling is changed as follows:
+
+ 1. If The "MAC size" field is larger than the HMAC output length or
+ is zero: This case MUST NOT be generated and if received MUST
+ cause the packet to be dropped and RCODE 1 (FORMERR) to be
+ returned.
+
+ 2. If the "MAC size" field equals the HMAC output length: Operation
+ is as described in [RFC 2845].
+
+ 3. If the "MAC size" field is less than the HMAC output length but is
+ not zero: This is sent when the signer has truncated the HMAC
+ output as described in RFC 2104, taking initial octets and
+ discarding trailing octets. TSIG truncation can only be to an
+ integral number of octets. On receipt of a packet with truncation
+ thus indicated, the locally calculated MAC is similarly truncated
+ and only the truncated values compared for authentication.
+
+ TSIG implementations SHOULD implement SHA-1 truncated to 96 bits (12
+ octets) and MAY implement any or all other truncations valid under
+ case 3 above.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 5]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+4. IANA Considerations
+
+ This document, on approval for publication as a standards track RFC,
+ registers the new TSIG algorithm identifiers listed in Section 2 with
+ IANA.
+
+
+
+5. Security Considerations
+
+ For all of the message authentication code algorithms listed herein,
+ those producing longer values are believed to be stronger; however,
+ while there are some arguments that mild truncation can strengthen a
+ MAC by reducing the information available to an attacker, excessive
+ truncation clearly weakens authentication by reducing the number of
+ bits an attacker has to try to force. See [RFC 2104] which recommends
+ that ah HMAC never be truncated to less than half its length nor to
+ less than 80 bits (10 octets).
+
+ See also the Security Considerations section of [RFC 2845].
+
+
+
+6. Copyright and Disclaimer
+
+ Copyright (C) The Internet Society 2004. This document is subject to
+ the rights, licenses and restrictions contained in BCP 78 and except
+ as set forth therein, the authors retain all their rights.
+
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 6]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+7. Normative References
+
+ [FIPS 180-2] - "Secure Hash Standard", (SHA-1/256/384/512) US Federal
+ Information Processing Standard, Draft, 1 August 2002.
+
+ [RFC 1321] - Rivest, R., "The MD5 Message-Digest Algorithm ", RFC
+ 1321, April 1992.
+
+ [RFC 2104] - Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February 1997.
+
+ [RFC 2434] - Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+ [RFC 2845] - Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for DNS (TSIG)",
+ RFC 2845, May 2000.
+
+ [RFC sha224] - "A 224-bit One-way Hash Function: SHA-224", R.
+ Housley, December 2003, work in progress, draft-ietf-pkix-
+ sha224-*.txt.
+
+
+
+8. Informative References.
+
+ [FIPS 180-1] - Secure Hash Standard, (SHA-1) US Federal Information
+ Processing Standard, 17 April 1995.
+
+ [RFC 2931] - Eastlake 3rd, D., "DNS Request and Transaction
+ Signatures ( SIG(0)s )", RFC 2931, September 2000.
+
+ [RFC 3174] - Eastlake 3rd, D. and P. Jones, "US Secure Hash Algorithm
+ 1 (SHA1)", RFC 3174, September 2001.
+
+ [RFC 3645] - Kwan, S., Garg, P., Gilroy, J., Esibov, L., Westhead,
+ J., and R. Hall, "Generic Security Service Algorithm for Secret Key
+ Transaction Authentication for DNS (GSS-TSIG)", RFC 3645, October
+ 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 7]
+
+
+INTERNET-DRAFT HMAC-SHA TSIG Identifiers
+
+
+Authors Address
+
+ Donald E. Eastlake 3rd
+ Motorola Laboratories
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Telephone: +1-508-786-7554 (w)
+ +1-508-634-2066 (h)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+Expiration and File Name
+
+ This draft expires in February 2005.
+
+ Its file name is draft-ietf-dnsext-tsig-sha-00.txt
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd [Page 8]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
new file mode 100644
index 0000000..d65fa71
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsext-wcard-clarify-02.txt
@@ -0,0 +1,1010 @@
+
+
+
+
+
+
+dnsext Working Group B. Halley
+Internet Draft Nominum
+Expiration Date: March 2004
+ E. Lewis
+ ARIN
+
+ September 2003
+
+
+ Clarifying the Role of Wild Card Domains
+ in the Domain Name System
+
+
+ draft-ietf-dnsext-wcard-clarify-02.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ To view the list Internet-Draft Shadow Directories, see
+ http://www.ietf.org/shadow.html.
+
+Abstract
+
+ The definition of wild cards is recast from the original in RFC 1034,
+ in words that are more specific and in line with RFC 2119. This
+ document is meant to supplement the definition in RFC 1034 and to
+ alter neither the spirit nor intent of that definition.
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 1]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Table of Contents
+
+ Abstract ................................................ 1
+ 1 Introduction ............................................ 2
+ 1.1 Document Limits ......................................... 3
+ 1.2 Existence ............................................... 4
+ 1.3 An Example .............................................. 4
+ 1.4 Empty Non-terminals ..................................... 5
+ 1.5 Terminology ............................................. 6
+ 2 Defining the Wild Card Domain Name ...................... 7
+ 3 Defining Existence ...................................... 8
+ 4 Impact of a Wild Card In a Query or in RDATA ............ 8
+ 5 Impact of a Wild Card Domain On a Response .............. 9
+ 6 Considerations with Special Types ....................... 12
+ 6.1 SOA RR's at a Wild Card Domain Name ..................... 12
+ 6.2 NS RR's at a Wild Card Domain Name ...................... 12
+ 6.3 CNAME RR's at a Wild Card Domain Name ................... 13
+ 6.4 DNAME RR's at a Wild Card Domain Name ................... 13
+ 7 Security Considerations ................................. 14
+ 8 References .............................................. 14
+ 9 Others Contributing to This Document .................... 14
+ 10 Editors ................................................. 15
+ Appendix A: Subdomains of Wild Card Domain Names ........ 16
+ Full Copyright Statement ................................ 18
+ Acknowledgement ......................................... 18
+
+
+
+
+1. Introduction
+
+ The first section of this document will give a crisp overview of what
+ is begin defined, as well as the motivation rewording of an original
+ document and making a change to bring the specification in line with
+ implementations. Examples are included to help orient the reader.
+
+ Wild card domain names are defined in Section 4.3.3. of RFC 1034 as
+ "instructions for synthesizing RRs." [RFC1034]. The meaning of this
+ is that a specific, special domain name is used to construct
+ responses in instances in which the query name is not otherwise
+ represented in a zone.
+
+ A wild card domain name has a specific range of influence on query
+ names (QNAMEs) within a given class, which is rooted at the domain
+ name containing the wild card label, and is limited by explicit
+ entries, zone cuts and empty non-terminal domains (see section 1.3 of
+ this document).
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 2]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Note that a wild card domain name has no special impact on the search
+ for a query type (QTYPE). If a domain name is found that matches the
+ QNAME (exact or a wild card) but the QTYPE is not found at that
+ point, the proper response is that there is no data available. The
+ search does not continue on to seek other wild cards that might match
+ the QTYPE. To illustrate, a wild card owning an MX RR does not
+ 'cover' other names in the zone that own an A RR. There are certain
+ special case RR types that will be singled out for discussion, the
+ SOA RR, NS RR, CNAME RR, and DNAME RR.
+
+ Why is this document needed? Empirical evidence suggests that the
+ words in RFC 1034 are not clear enough. There exist a number of
+ implementations that have strayed (each differently) from that
+ definition. There also exists a misconception of operators that the
+ wild card can be used to add a specific RR type to all names, such as
+ the MX RR example cited above. This document is also needed as input
+ to efforts to extend DNS, such as the DNS Security Extensions [RFC
+ 2535]. Lack of a clear base specification has proven to result in
+ extension documents that have unpredictable consequences. (This is
+ true in general, not just for DNS.)
+
+ Another reason this clarification is needed is to answer questions
+ regarding authenticated denial of existence, a service introduced in
+ the DNS Security Extensions [RFC 2535]. Prior to the work leading up
+ to this document, it had been feared that a large number of proof
+ records (NXTs) might be needed in each reply because of the unknown
+ number of potential wild card domains that were thought to be
+ applicable. One outcome of this fear is a now discontinued document
+ solving a problem that is now known not to exist. I.e., this
+ clarification has the impact of defending against unwarranted
+ protocol surgery. It is not "yet another" effort to just rewrite the
+ early specifications for the sake of purity.
+
+ Although the effort to define the DNS Security Extensions has
+ prompted this document, the clarifications herein relate to basic DNS
+ only. No DNS Security Extensions considerations are mentioned in the
+ document.
+
+1.1. Document Limits
+
+ This document limits itself to reinforcing the concepts in RFC 1034.
+ In the effort to do this, a few issues have been discussed that
+ change parts of what is in RFC 1034. The discussions have been held
+ within the DNS Extensions Working Group.
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 3]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Briefly, the issues raised include:
+ - The lack of clarity in the definition of domain name existence
+ - Implications of a wild card domain name owning any of the
+ following resource record sets: DNAME [RFC 2672], CNAME, NS, and
+ SOA
+ - Whether RFC 1034 meant to allow special processing of CNAME RR's
+ owned by wild card domain names
+
+1.2. Existence
+
+ The notion that a domain name 'exists' will arise numerous times in
+ this discussion. RFC 1034 raises the issue of existence in a number
+ of places, usually in reference to non-existence and often in
+ reference to processing involving wild card domain names. RFC 1034
+ contains algorithms that describe how domain names impact the
+ preparation of an answer and does define wild cards as a means of
+ synthesizing answers. Because of this a discussion on wild card
+ domain names has to start with the issue of existence.
+
+ To help clarify the topic of wild cards, a positive definition of
+ existence is needed. Complicating matters, though, is the
+ realization that existence is relative. To an authoritative server,
+ a domain name exists if the domain name plays a role following the
+ algorithms of preparing a response. To a resolver, a domain name
+ exists if there is any data available corresponding to the name. The
+ difference between the two is the synthesis of records according to a
+ wild card.
+
+ For the purposes of this document, the point of view of an
+ authoritative server is adopted. A domain name is said to exist if
+ it plays a role in the execution of the algorithms in RFC 1034.
+
+1.3. An Example
+
+ For example, consider this wild card domain name: *.example. Any
+ query name under example. is a candidate to be matched (answered) by
+ this wild card, i.e., to have an response returned that is
+ synthesized from the wild card's RR sets. Although any name is a
+ candidate, not all queries will match.
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 4]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ To further illustrate this, consider this zone:
+
+ $ORIGIN example.
+ @ IN SOA
+ NS
+ NS
+ * TXT "this is a wild card"
+ MX 10 mailhost.example.
+ host1 A 10.0.0.1
+ _ssh._tcp.host1 SRV
+ _ssh._tcp.host2 SRV
+ subdel NS
+
+
+ The following queries would be synthesized from the wild card:
+
+ QNAME=host3.example. QTYPE=MX, QCLASS=IN
+ the answer will be a "host3.example. IN MX ..."
+ QNAME=host3.example. QTYPE=A, QCLASS=IN
+ the answer will reflect "no error, but no data"
+ because there is no A RR set at '*'
+
+ The following queries would not be synthesized from the wild card:
+
+ QNAME=host1.example., QTYPE=MX, QCLASS=IN
+ because host1.example. exists
+ QNAME=_telnet._tcp.host1.example., QTYPE=SRV, QCLASS=IN
+ because _tcp.host1.example. exists (without data)
+ QNAME=_telnet._tcp.host2.example., QTYPE=SRV, QCLASS=IN
+ because host2.example. exists (without data)
+ QNAME=host.subdel.example., QTYPE=A, QCLASS=IN
+ because subdel.example. exists and is a zone cut
+
+ To the server, the following domains are considered to exist in the
+ zone: *, host1, _tcp.host1, _ssh._tcp.host1, host2, _tcp.host2,
+ _ssh._tcp.host2, and subdel. To a resolver, many more domains appear
+ to exist via the synthesis of the wild card.
+
+1.4. Empty Non-terminals
+
+ Empty non-terminals are domain names that own no data but have
+ subdomains. This is defined in section 3.1 of RFC 1034:
+
+# The domain name space is a tree structure. Each node and leaf on the
+# tree corresponds to a resource set (which may be empty). The domain
+# system makes no distinctions between the uses of the interior nodes and
+# leaves, and this memo uses the term "node" to refer to both.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 5]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ The parenthesized "which may be empty" specifies that empty non-
+ terminals are explicitly recognized. According to the definition of
+ existence in this document, empty non-terminals do exist at the
+ server.
+
+ Carefully reading the above paragraph can lead to an interpretation
+ that all possible domains exist - up to the suggested limit of 255
+ octets for a domain name [RFC 1035]. For example, www.example. may
+ have an A RR, and as far as is practically concerned, is a leaf of
+ the domain tree. But the definition can be taken to mean that
+ sub.www.example. also exists, albeit with no data. By extension, all
+ possible domains exist, from the root on down. As RFC 1034 also
+ defines "an authoritative name error indicating that the name does
+ not exist" in section 4.3.1, this is not the intent of the original
+ document.
+
+ RFC1034's wording is to be clarified by adding the following
+ paragraph:
+
+ A node is considered to have an impact on the algorithms of
+ 4.3.2 if it is a leaf node with any resource sets or an interior
+ node, with or without a resource set, that has a subdomain that
+ is a leaf node with a resource set. A QNAME and QCLASS matching
+ an existing node never results in a response return code of
+ authoritative name error.
+
+ The terminology in the above paragraph is chosen to remain as close
+ to that in the original document. The term "with" is a alternate
+ form for "owning" in this case, hence "a leaf node owning resources
+ sets, or an interior node, owning or not owning any resource set,
+ that has a leaf node owning a resource set as a subdomain," is the
+ proper interpretation of the middle sentence.
+
+ As an aside, an "authoritative name error" has been called NXDOMAIN
+ in some RFCs, such as RFC 2136 [RFC 2136]. NXDOMAIN is the mnemonic
+ assigned to such an error by at least one implementation of DNS. As
+ this mnemonic is specific to implementations, it is avoided in the
+ remainder of this document.
+
+1.5. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in the document entitled
+ "Key words for use in RFCs to Indicate Requirement Levels." [RFC2119]
+
+ Requirements are denoted by paragraphs that begin with with the
+ following convention: 'R'<sect>.<count>.
+
+
+
+Halley & Lewis [Expires March 2004] [Page 6]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Quotations of RFC 1034 (as has already been done once above) are
+ denoted by a '#' in the leftmost column.
+
+2. Defining the Wild Card Domain Name
+
+ A wild card domain name is defined by having the initial label be:
+
+ 0000 0001 0010 1010 (binary) = 0x01 0x2a (hexadecimal)
+
+ This defines domain names that may play a role in being a wild card,
+ that is, being a source for synthesized answers. Domain names
+ conforming to this definition that appear in queries and RDATA
+ sections do not have any special role. These cases will be described
+ in more detail in following sections.
+
+ R2.1 A domain name that is to be interpreted as a wild card MUST
+ begin with a label of '0000 0001 0010 1010' in binary.
+
+ The first octet is the normal label type and length for a 1 octet
+ long label, the second octet is the ASCII representation [RFC 20] for
+ the '*' character. In RFC 1034, ASCII encoding is assumed to be the
+ character encoding.
+
+ In the master file formats used in RFCs, a "*" is a legal
+ representation for the wild card label. Even if the "*" is escaped,
+ it is still interpreted as the wild card when it is the only
+ character in the label.
+
+ R2.2 A server MUST treat a wild card domain name as the basis of
+ synthesized answers regardless of any "escape" sequences in the
+ input format.
+
+ RFC 1034 and RFC 1035 ignore the case in which a domain name might be
+ "the*.example.com." The interpretation is that this domain name in a
+ zone would only match queries for "the*.example.com" and not have any
+ other role.
+
+ Note: By virtue of this definition, a wild card domain name may have
+ a subdomain. The subdomain (or sub-subdomain) itself may also be a
+ wild card. E.g., *.*.example. is a wild card, so is *.sub.*.example.
+ More discussion on this is given in Appendix A.
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 7]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+3. Defining Existence
+
+ As described in the Introduction, a precise definition of existence
+ is needed.
+
+ R3.1 An authoritative server MUST treat a domain name as existing
+ during the execution of the algorithms in RFC 1034 when the
+ domain name conforms to the following definition. A domain name
+ is defined to exist if the domain name owns data and/or has a
+ subdomain that exists.
+
+ Note that at a zone boundary, the domain name owns data, including
+ the NS RR set. At the delegating server, the NS RR set is not
+ authoritative, but that is of no consequence here. The domain name
+ owns data, therefore, it exists.
+
+ R3.2 An authoritative server MUST treat a domain name that has
+ neither a resource record set nor an existing subdomain as non-
+ existent when executing the algorithm in section 4.3.2. of RFC
+ 1034.
+
+ A note on terminology. A domain transcends zones, i.e., all DNS data
+ is in the root domain but segmented into zones of control. In this
+ document, there are references to a "domain name" in the context of
+ existing "in a zone." In this usage, a domain name is the root of a
+ domain, not the entire domain. The domain's root point is said to
+ "exist in a zone" if the zone is authoritative for the name. RR sets
+ existing in a domain need not be owned by the domain's root domain
+ name, but are owned by other domain names in the domain.
+
+4. Impact of a Wild Card In a Query or in RDATA
+
+ When a wild card domain name appears in a question, e.g., the query
+ name is "*.example.", the response in no way differs from any other
+ query. In other words, the wild card label in a QNAME has no special
+ meaning, and query processing will proceed using '*' as a literal
+ query name.
+
+ R4.1 A wild card domain name acting as a QNAME MUST be treated as any
+ other QNAME, there MUST be no special processing accorded it.
+
+ If a wild card domain name appears in the RDATA of a CNAME RR or any
+ other RR that has a domain name in it, the same rule applies. In the
+ instance of a CNAME RR, the wild card domain name is used in the same
+ manner of as being the original QNAME. For other RR's, rules vary
+ regarding what is done with the domain name(s) appearing in them, in
+ no case does the wild card hold special meaning.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 8]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ R4.2 A wild card domain name appearing in any RR's RDATA MUST be
+ treated as any other domain name in that situation, there MUST
+ be no special processing accorded it.
+
+5. Impact of a Wild Card Domain On a Response
+
+ The description of how wild cards impact response generation is in
+ RFC 1034, section 4.3.2. That passage contains the algorithm
+ followed by a server in constructing a response. Within that
+ algorithm, step 3, part 'c' defines the behavior of the wild card.
+ The algorithm is directly quoted in lines that begin with a '#' sign.
+ Commentary is interleaved.
+
+ There is a documentation issue deserving some explanation. The
+ algorithm in RFC 1034, section 4.3.2. is not intended to be pseudo
+ code, i.e., it's steps are not intended to be followed in strict
+ order. The "algorithm" is a suggestion. As such, in step 3, parts
+ a, b, and c, do not have to be implemented in that order.
+
+ Another issue needing explanation is that RFC 1034 is a full
+ standard. There is another RFC, RFC 2672, which makes, or proposes
+ an adjustment to RFC 1034's section 4.3.2 for the sake of the DNAME
+ RR. RFC 2672 is a proposed standard. The dilemma in writing these
+ clarifications is knowing which document is the one being clarified.
+ Fortunately, the difference between RFC 1034 and RFC 2672 is not
+ significant with respect to wild card synthesis, so this document
+ will continue to state that it is clarifying RFC 1034. If RFC 2672
+ progresses along the standards track, it will need to refer to
+ modifying RFC 1034's algorithm as amended here.
+
+ The context of part 'c' is that the search is progressing label by
+ label through the QNAME. (Note that the data being searched is the
+ authoritative data in the server, the cache is searched in step 4.)
+ Step 3's part 'a' covers the case that the QNAME has been matched in
+ full, regardless of the presence of a CNAME RR. Step 'b' covers
+ crossing a cut point, resulting in a referral. All that is left is
+ to look for the wild card.
+
+ Step 3 of the algorithm also assumes that the search is looking in
+ the zone closest to the answer, i.e., in the same class as QCLASS and
+ as close to the authority as possible on this server. If the zone is
+ not the authority, then a referral is given, possibly one indicating
+ lameness.
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 9]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+# c. If at some label, a match is impossible (i.e., the
+# corresponding label does not exist), look to see if a
+# the "*" label exists.
+
+ The above paragraph refers to finding the domain name that exists in
+ the zone and that most encloses the QNAME. Such a domain name will
+ mark the boundary of candidate wild card domain names that might be
+ used to synthesize an answer. (Remember that at this point, if the
+ most enclosing name is the same as the QNAME, part 'a' would have
+ recorded an exact match.) The existence of the enclosing name means
+ that no wild card name higher in the tree is a candidate to answer
+ the query.
+
+ Once the closest enclosing node is identified, there's the matter of
+ what exists below it. It may have subdomains, but none will be
+ closer to the QNAME. One of the subdomains just might be a wild
+ card. If it exists, this is the only wild card eligible to be used
+ to synthesize an answer for the query. Even if the closest enclosing
+ node conforms to the syntax rule in section 2 for being a wild card
+ domain name, the closest enclosing node is not eligible to be a
+ source of a synthesized answer.
+
+ The only wild card domain name that is a candidate to synthesize an
+ answer will be the "*" subdomain of the closest enclosing domain
+ name. Three possibilities can happen. The "*" subdomain does not
+ exist, the "*" subdomain does but does not have an RR set of the same
+ type as the QTYPE, or it exists and has the desired RR set.
+
+ For the sake of brevity, the closest enclosing node can be referred
+ to as the "closest encloser." The closest encloser is the most
+ important concept in this clarification. Describing the closest
+ encloser is a bit tricky, but it is an easy concept.
+
+ To find the closest encloser, you have to first locate the zone that
+ is the authority for the query name. This eliminates the need to be
+ concerned that the closest encloser is a cut point. In addition, we
+ can assume too that the query name does not exist, hence the closest
+ encloser is not equal to the query name. We can assume away these
+ two cases because they are handled in steps 2, 3a and 3b of section
+ 4.3.2.'s algorithm.
+
+ What is left is to identify the existing domain name that would have
+ been up the tree (closer to the root) from the query name. Knowing
+ that an exact match is impossible, if there is a "*" label descending
+ from the unique closest encloser, this is the one and only wild card
+ from which an answer can be synthesized for the query.
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 10]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ To illustrate, using the example in section 1.2 of this document, the
+ following chart shows QNAMEs and the closest enclosers. In
+ Appendix A there is another chart showing unusual cases.
+
+ QNAME Closest Encloser Wild Card Source
+ host3.example. example. *.example.
+ _telnet._tcp.host1.example. _tcp.host1.example. no wild card
+ _telnet._tcp.host2.example. host2.example. no wild card
+ _telnet._tcp.host3.example. example. *.example.
+ _chat._udp.host3.example. example. *.example.
+
+ Note that host1.subdel.example. is in a subzone, so the search for it
+ ends in a referral in part 'b', thus does not enter into finding a
+ closest encloser.
+
+ The fact that a closest encloser will be the only superdomain that
+ can have a candidate wild card will have an impact when it comes to
+ designing authenticated denial of existence proofs.
+
+# If the "*" label does not exist, check whether the name
+# we are looking for is the original QNAME in the query
+# or a name we have followed due to a CNAME. If the name
+# is original, set an authoritative name error in the
+# response and exit. Otherwise just exit.
+
+ The above passage says that if there is not even a wild card domain
+ name to match at this point (failing to find an explicit answer
+ elsewhere), we are to return an authoritative name error at this
+ point. If we were following a CNAME, the specification is unclear,
+ but seems to imply that a no error return code is appropriate, with
+ just the CNAME RR (or sequence of CNAME RRs) in the answer section.
+
+# If the "*" label does exist, match RRs at that node
+# against QTYPE. If any match, copy them into the answer
+# section, but set the owner of the RR to be QNAME, and
+# not the node with the "*" label. Go to step 6.
+
+ This final paragraph covers the role of the QTYPE in the process.
+ Note that if no resource record set matches the QTYPE the result is
+ that no data is copied, but the search still ceases ("Go to step
+ 6."). In the following section, a suggested change is made to this,
+ under the heading "CNAME RRs at a Wild Card Domain Name."
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 11]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+6. Considerations with Special Types
+
+ For the purposes of this section, "special" means that a record
+ induces processing at the server beyond simple lookup. The special
+ types in this section are SOA, NS, CNAME, and DNAME. SOA is special
+ because it is used as a zone marker and has an impact on step 2 of
+ the algorithm in 4.3.2. NS denotes a cut point and has an impact on
+ step 3b. CNAME redirects the query and is mentioned in steps 3a and
+ 3b. DNAME is a "CNAME generator."
+
+6.1. SOA RR's at a Wild Card Domain Name
+
+ If the owner of an SOA record conforms to the basic rules of owning
+ an SOA RR (meaning it is the apex of a zone) the impact on the search
+ algorithm is not in section 3c (where records are synthesized) as
+ would be expected. The impact is really in step 2 of the algorithm,
+ the choice of zone.
+
+ We are no longer talking about whether or not an SOA RR can be
+ synthesized in a response because we are shifting attention to step
+ 2. We are now talking about what it means for a name server to
+ synthesize a zone for a response. To date, no implementation has
+ done this. Thinking ahead though, anyone choosing to pursue this
+ would have to be aware that a server would have to be able to
+ distinguish between queries for data it will have to synthesize and
+ queries that ought to be treated as if they were prompted by a lame
+ delegation.
+
+ It is not a protocol error to have an SOA RR owned by a wild card
+ domain name, just as it is not an error to have zone name be
+ syntactically equivalent to a domain name. However, this situation
+ requires careful consideration of how a server chooses the
+ appropriate zone for an answer. And an SOA RR is not able to be
+ synthesized as in step 3c.
+
+6.2. NS RR's at a Wild Card Domain Name
+
+ Complimentary to the issue of an SOA RR owned by a wild card domain
+ name is the issue of NS RR's owned by a wild card domain name. In
+ this instance, each machine being referred to in the RDATA of the NS
+ RR has to be able to understand the impact of this on step 2, the
+ choosing of the authoritative zone.
+
+ Referring to the same machine in such a NS RR will probably not work
+ well. This is because the server may become confused as to whether
+ the query name ought to be answered by the zone owning the NS RR in
+ question or a synthesized zone. (It isn't known in advance that the
+ query name will invoke the wild card synthesis.)
+
+
+
+Halley & Lewis [Expires March 2004] [Page 12]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ The status of other RR's owned by a wild card domain name is the same
+ as if the owner name was not a wild card domain name. I.e., when
+ there is a NS RR at a wild card domain name, other records are
+ treated as being below the zone cut.
+
+ Is it not a protocol error to have a NS RR owned by a wild card
+ domian name, complimentary to the case of a SOA RR. However, for
+ this to work, an implementation has to know how to synthesize a zone.
+
+6.3. CNAME RR's at a Wild Card Domain Name
+
+ The issue of CNAME RR's owned by wild card domain names has prompted
+ a suggested change to the last paragraph of step 3c of the algorithm
+ in 4.3.2. The changed text is this:
+
+ If the "*" label does exist and if the data at the node is a
+ CNAME and QTYPE doesn't match CNAME, copy the CNAME RR into the
+ answer section of the response, set the owner of the CNAME RR to
+ be QNAME, and then change QNAME to the canonical name in the
+ CNAME RR, and go back to step 1.
+
+ If the "*" label does exist and either QTYPE is CNAME or the
+ data at the node is not a CNAME, then match RRs at that node
+ against QTYPE. If any match, copy them into the answer section,
+ but set the owner of the RR to be QNAME, and not the node with
+ the "*" label. Go to step 6.
+
+ Apologies if the above isn't clear, but an attempt was made to stitch
+ together the passage using just the phrases in section 3a and 3c of
+ the algorithm so as to preserve the original flavor.
+
+ In case the passage as suggested isn't clear enough, the intent is to
+ make "landing" at a wild card name and finding a CNAME the same as if
+ this happened as a result of a direct match. I.e., Finding a CNAME
+ at the name matched in step 3c is supposed to have the same impact as
+ finding the CNAME in step 3a.
+
+6.4. DNAME RR's at a Wild Card Domain Name
+
+ The specification of the DNAME RR, which is at the proposed level of
+ standardization, is not as mature as the full standard in RFC 1034.
+ Because of this, or the reason for this is, there appears to be a
+ host of issues with that definition and it's rewrite of the algorithm
+ in 4.3.2. For the time being, when it comes to wild card processing
+ issues, a DNAME can be considered to be a CNAME synthesizer. A DNAME
+ at a wild card domain name is effectively the same as a CNAME at a
+ wild card domain name.
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 13]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+7. Security Considerations
+
+ This document is refining the specifications to make it more likely
+ that security can be added to DNS. No functional additions are being
+ made, just refining what is considered proper to allow the DNS,
+ security of the DNS, and extending the DNS to be more predictable.
+
+8. References
+
+ Normative References
+
+ [RFC 20] ASCII Format for Network Interchange, V.G. Cerf, Oct-16-1969
+
+ [RFC 1034] Domain Names - Concepts and Facilities, P.V. Mockapetris,
+ Nov-01-1987
+
+ [RFC 1035] Domain Names - Implementation and Specification, P.V
+ Mockapetris, Nov-01-1987
+
+ [RFC 2119] Key Words for Use in RFCs to Indicate Requirement Levels, S
+ Bradner, March 1997
+
+ Informative References
+
+ [RFC 2136] Dynamic Updates in the Domain Name System (DNS UPDATE), P. Vixie,
+ Ed., S. Thomson, Y. Rekhter, J. Bound, April 1997
+
+ [RFC 2535] Domain Name System Security Extensions, D. Eastlake, March 1999
+
+ [RFC 2672] Non-Terminal DNS Name Redirection, M. Crawford, August 1999
+
+9. Others Contributing to This Document
+
+ Others who have directly caused text to appear in the document: Paul
+ Vixie and Olaf Kolkman. Many others have indirect influences on the
+ content.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 14]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+10. Editors
+
+ Name: Bob Halley
+ Affiliation: Nominum, Inc.
+ Address: 2385 Bay Road, Redwood City, CA 94063 USA
+ Phone: +1-650-381-6016
+ EMail: Bob.Halley@nominum.com
+
+ Name: Edward Lewis
+ Affiliation: ARIN
+ Address: 3635 Concorde Pkwy, Suite 200, Chantilly, VA 20151 USA
+ Phone: +1-703-227-9854
+ Email: edlewis@arin.net
+
+ Comments on this document can be sent to the editors or the mailing
+ list for the DNSEXT WG, namedroppers@ops.ietf.org.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 15]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Appendix A: Subdomains of Wild Card Domain Names
+
+ In reading the definition of section 2 carefully, it is possible to
+ rationalize unusual names as legal. In the example given,
+ *.example. could have subdomains of *.sub.*.example. and even the
+ more direct *.*.example. (The implication here is that these domain
+ names own explicit resource records sets.) Although defining these
+ names is not easy to justify, it is important that implementions
+ account for the possibility. This section will give some further
+ guidence on handling these names.
+
+ The first thing to realize is that by all definitions, subdomains of
+ wild card domain names are legal. In analyzing them, one realizes
+ that they cause no harm by their existence. Because of this, they
+ are allowed to exist, i.e., there are no special case rules made to
+ disallow them. The reason for not preventing these names is that the
+ prevention would just introduce more code paths to put into
+ implementations.
+
+ The concept of "closest enclosing" existing names is important to
+ keep in mind. It is also important to realize that a wild card
+ domain name can be a closest encloser of a query name. For example,
+ if *.*.example. is defined in a zone, and the query name is
+ a.*.example., then the closest enclosing domain name is *.example.
+ Keep in mind that the closest encloser is not eligible to be a source
+ of synthesized answers, just the subdomain of it that has the first
+ label "*".
+
+ To illustrate this, the following chart shows some matches. Assume
+ that the names *.example., *.*.example., and *.sub.*.example. are
+ defined in the zone.
+
+ QNAME Closest Encloser Wild Card Source
+ a.example. example. *.example.
+ b.a.example. example. *.example.
+ a.*.example. *.example. *.*.example.
+ b.a.*.example. *.example. *.*.example.
+ b.a.*.*.example. *.*.example. no wild card
+ a.sub.*.example. sub.*.example. *.sub.*.example.
+ b.a.sub.*.example. sub.*.example. *.sub.*.example.
+ a.*.sub.*.example. *.sub.*.example. no wild card
+ *.a.example. example. *.example.
+ a.sub.b.example. example. *.example.
+
+ Recall that the closest encloser itself cannot be the wild card.
+ Therefore the match for b.a.*.*.example. has no applicable wild card.
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 16]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+ Finally, if a query name is sub.*.example., any answer available will
+ come from an exact name match for sub.*.example. No wild card
+ synthesis is performed in this case.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 17]
+
+Internet Draft draft-ietf-dnsext-wcard-clarify-02.txt September 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society 2003. All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Halley & Lewis [Expires March 2004] [Page 18]
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
new file mode 100644
index 0000000..e9943015
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-bad-dns-res-02.txt
@@ -0,0 +1,1120 @@
+
+
+DNS Operations M. Larson
+Internet-Draft P. Barber
+Expires: August 16, 2004 VeriSign
+ February 16, 2004
+
+
+ Observed DNS Resolution Misbehavior
+ draft-ietf-dnsop-bad-dns-res-02
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 16, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This Internet-Draft describes DNS name server and resolver behavior
+ that results in a significant query volume sent to the root and
+ top-level domain (TLD) name servers. In some cases we recommend
+ minor additions to the DNS protocol specification and corresponding
+ changes in name server implementations to alleviate these unnecessary
+ queries. The recommendations made in this document are a direct
+ byproduct of observation and analysis of abnormal query traffic
+ patterns seen at two of the thirteen root name servers and all
+ thirteen com/net TLD name servers.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 1]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ document are to be interpreted as described in RFC 2119 [1].
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Observed name server misbehavior . . . . . . . . . . . . . 4
+ 2.1 Aggressive requerying for delegation information . . . . . 4
+ 2.1.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 5
+ 2.2 Repeated queries to lame servers . . . . . . . . . . . . . 5
+ 2.2.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.3 Inability to follow multiple levels of out-of-zone glue . 6
+ 2.3.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 7
+ 2.4 Aggressive retransmission when fetching glue . . . . . . . 7
+ 2.4.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 8
+ 2.5 Aggressive retransmission behind firewalls . . . . . . . . 8
+ 2.5.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 8
+ 2.6 Misconfigured NS records . . . . . . . . . . . . . . . . . 9
+ 2.6.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 10
+ 2.7 Name server records with zero TTL . . . . . . . . . . . . 10
+ 2.7.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 11
+ 2.8 Unnecessary dynamic update messages . . . . . . . . . . . 11
+ 2.8.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 11
+ 2.9 Queries for domain names resembling IP addresses . . . . . 12
+ 2.9.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 12
+ 2.10 Misdirected recursive queries . . . . . . . . . . . . . . 12
+ 2.10.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 13
+ 2.11 Suboptimal name server selection algorithm . . . . . . . . 13
+ 2.11.1 Recommendation . . . . . . . . . . . . . . . . . . . . . . 13
+ 3. IANA considerations . . . . . . . . . . . . . . . . . . . 15
+ 4. Security considerations . . . . . . . . . . . . . . . . . 16
+ 5. Internationalization considerations . . . . . . . . . . . 17
+ Normative References . . . . . . . . . . . . . . . . . . . 18
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . 18
+ Intellectual Property and Copyright Statements . . . . . . 19
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 2]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+1. Introduction
+
+ Observation of query traffic received by two root name servers and
+ the thirteen com/net TLD name servers has revealed that a large
+ proportion of the total traffic often consists of "requeries". A
+ requery is the same question (<qname, qtype, qclass>) asked
+ repeatedly at an unexpectedly high rate. We have observed requeries
+ from both a single IP address and multiple IP addresses.
+
+ By analyzing requery events we have found that the cause of the
+ duplicate traffic is almost always a deficient name server, stub
+ resolver and/or application implementation combined with an
+ operational anomaly. The implementation deficiencies we have
+ identified to date include well-intentioned recovery attempts gone
+ awry, insufficient caching of failures, early abort when multiple
+ levels of glue records must be followed, and aggressive retry by stub
+ resolvers and/or applications. Anomalies that we have seen trigger
+ requery events include lame delegations, unusual glue records, and
+ anything that makes all authoritative name servers for a zone
+ unreachable (DoS attacks, crashes, maintenance, routing failures,
+ congestion, etc.).
+
+ In the following sections, we provide a detailed explanation of the
+ observed behavior and recommend changes that will reduce the requery
+ rate. Some of the changes recommended affect the core DNS protocol
+ specification, described principally in RFC 1034 [2], RFC 1035 [3]
+ and RFC 2181 [4].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 3]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+2. Observed name server misbehavior
+
+2.1 Aggressive requerying for delegation information
+
+ There can be times when every name server in a zone's NS RRset is
+ unreachable (e.g., during a network outage), unavailable (e.g., the
+ name server process is not running on the server host) or
+ misconfigured (e.g., the name server is not authoritative for the
+ given zone, also known as "lame"). Consider a recursive name server
+ that attempts to resolve a query for a domain name in such a zone and
+ discovers that none of the zone's name servers can provide an answer.
+ We have observed a recursive name server implementation that then
+ verifies the zone's NS RRset in its cache by querying for the zone's
+ delegation information: it sends a query for the zone's NS RRset to
+ one of the parent zone's name servers.
+
+ For example, suppose that "example.com" has the following NS RRset:
+
+ example.com. IN NS ns1.example.com.
+ example.com. IN NS ns2.example.com.
+
+ Upon receipt of a query for "www.example.com" and assuming that
+ neither "ns1.example.com" nor "ns2.example.com" can provide an
+ answer, this recursive name server implementation immediately queries
+ a "com" zone name server for the "example.com" NS RRset to verify it
+ has the proper delegation information. This name server
+ implementation performs this query to a zone's parent zone for each
+ recursive query it receives that fails because of a completely
+ unresponsive set of name servers for the target zone. Consider the
+ effect when a popular zone experiences a catastrophic failure of all
+ its name servers: now every recursive query for domain names in that
+ zone sent to this name server implementation results in a query to
+ the failed zone's parent name servers. On one occasion when several
+ dozen popular zones became unreachable, the query load on the com/net
+ name servers increased by 50%.
+
+ We believe this verification query is not reasonable. Consider the
+ circumstances: When a recursive name server is resolving a query for
+ a domain name in a zone it has not previously searched, it uses the
+ list of name servers in the referral from the target zone's parent.
+ If on its first attempt to search the target zone, none of the name
+ servers in the referral is reachable, a verification query to the
+ parent is pointless: this query to the parent would come so quickly
+ on the heels of the referral that it would be almost certain to
+ contain the same list of name servers. The chance of discovering any
+ new information is slim.
+
+ The other possibility is that the recursive name server successfully
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 4]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ contacts one of the target zone's name servers and then caches the NS
+ RRset from the authority section of a response, the proper behavior
+ according to section 5.4.1 of RFC 2181 [4], because the NS RRset from
+ the target zone is more trustworthy than delegation information from
+ the parent zone. If, while processing a subsequent recursive query,
+ the recursing name server discovers that none of the name servers
+ specified in the cached NS RRset is available or authoritative,
+ querying the parent would be wrong. An NS RRset from the parent zone
+ would now be less trustworthy than data already in the cache.
+
+ For this query of the parent zone to be useful, the target zone's
+ entire set of name servers would have to change AND the former set of
+ name servers would have to be deconfigured and/or decommissioned AND
+ the delegation information in the parent zone would have to be
+ updated with the new set of name servers, all within the TTL of the
+ target zone's NS RRset. We believe this scenario is uncommon:
+ administrative best practices dictate that changes to a zone's set of
+ name servers happen gradually, with servers that are removed from the
+ NS RRset left authoritative for the zone as long as possible. The
+ scenarios that we can envision that would benefit from the parent
+ requery behavior do not outweigh its damaging effects.
+
+2.1.1 Recommendation
+
+ Name servers offering recursion MUST NOT send a query for the NS
+ RRset of a non-responsive zone to any of the name servers for that
+ zone's parent zone. For the purposes of this injunction, a
+ non-responsive zone is defined as a zone for which every name server
+ listed in the zone's NS RRset:
+
+ 1. is not authoritative for the zone (i.e., lame), or,
+
+ 2. returns a server failure response (RCODE=2), or,
+
+ 3. is dead or unreachable according to section 7.2 of RFC 2308 [5].
+
+
+2.2 Repeated queries to lame servers
+
+ Section 2.1 describes a catastrophic failure: when every name server
+ for a zone is unable to provide an answer for one reason or another.
+ A more common occurrence is a subset of a zone's name servers being
+ unavailable or misconfigured. Different failure modes have different
+ expected durations. Some symptoms indicate problems that are
+ potentially transient: various types of ICMP unreachable messages
+ because a name server process is not running or a host or network is
+ unreachable, or a complete lack of a response to a query. Such
+ responses could be the result of a host rebooting or temporary
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 5]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ outages; these events don't necessarily require any human
+ intervention and can be reasonably expected to be temporary.
+
+ Other symptoms clearly indicate a condition requiring human
+ intervention, such as lame server: if a name server is misconfigured
+ and not authoritative for a zone delegated to it, it is reasonable to
+ assume that this condition has potential to last longer than
+ unreachability or unresponsiveness. Consequently, repeated queries
+ to known lame servers are not useful. In this case of a condition
+ with potential to persist for a long time, a better practice would be
+ to maintain a list of known lame servers and avoid querying them
+ repeatedly in a short interval.
+
+2.2.1 Recommendation
+
+ Recursive name servers SHOULD cache name servers that they discover
+ are not authoritative for zones delegated to them (i.e. lame
+ servers). Lame servers MUST be cached against the specific query
+ tuple <zone name, class, server IP address>. Zone name can be
+ derived from the owner name of the NS record that was referenced to
+ query the name server that was discovered to be lame.
+ Implementations that perform lame server caching MUST refrain from
+ sending queries to known lame servers based on a time interval from
+ when the server is discovered to be lame. A minimum interval of
+ thirty minutes is RECOMMENDED.
+
+2.3 Inability to follow multiple levels of out-of-zone glue
+
+ Some recursive name server implementations are unable to follow more
+ than one level of out-of-zone glue. For example, consider the
+ following delegations:
+
+ foo.example. IN NS ns1.example.com.
+ foo.example. IN NS ns2.example.com.
+
+ example.com. IN NS ns1.test.example.net.
+ example.com. IN NS ns2.test.example.net.
+
+ test.example.net. IN NS ns1.test.example.net.
+ test.example.net. IN NS ns2.test.example.net.
+
+ A name server processing a recursive query for "www.foo.example" must
+ follow two levels of indirection, first obtaining address records for
+ "ns1.test.example.net" and/or "ns2.test.example.net" in order to
+ obtain address records for "ns1.example.com" and/or "ns2.example.com"
+ in order to query those name servers for the address records of
+ "www.foo.example". While this situation may appear contrived, we
+ have seen multiple similar occurrences and expect more as new generic
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 6]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ top-level domains (gTLDs) become active. We anticipate many zones in
+ the new gTLDs will use name servers in other gTLDs, increasing the
+ amount of inter-zone glue.
+
+2.3.1 Recommendation
+
+ Clearly constructing a delegation that relies on multiple levels of
+ out-of-zone glue is not a good administrative practice. This issue
+ could be mitigated with an operational injunction in an RFC to
+ refrain from construction of such delegations. In our opinion the
+ practice is widespread enough to merit clarifications to the DNS
+ protocol specification to permit it on a limited basis.
+
+ Name servers offering recursion SHOULD be able to handle at least
+ three levels of indirection resulting from out-of-zone glue.
+
+2.4 Aggressive retransmission when fetching glue
+
+ When an authoritative name server responds with a referral, it
+ includes NS records in the authority section of the response.
+ According to the algorithm in section 4.3.2 of RFC 1034 [2], the name
+ server should also "put whatever addresses are available into the
+ additional section, using glue RRs if the addresses are not available
+ from authoritative data or the cache." Some name server
+ implementations take this address inclusion a step further with a
+ feature called "glue fetching". A name server that implements glue
+ fetching attempts to include A records for every NS record in the
+ authority section. If necessary, the name server issues multiple
+ queries of its own to obtain any missing A records.
+
+ Problems with glue fetching can arise in the context of
+ "authoritative-only" name servers, which only serve authoritative
+ data and ignore requests for recursion. Such a server will not
+ generate any queries of its own. Instead it answers non-recursive
+ queries from resolvers looking for information in zones it serves.
+ With glue fetching enabled, however, an authoritative server will
+ generate queries whenever it needs to look up an unknown address
+ record to complete the additional section of a response.
+
+ We have observed situations where a glue-fetching name server can
+ send queries that reach other name servers, but apparently is
+ prevented from receiving the responses. For example, perhaps the
+ name server is authoritative-only and therefore its administrators
+ expect it to receive only queries. Perhaps unaware of glue fetching
+ and presuming that the name server will generate no queries, its
+ administrators place the name server behind a network device that
+ prevents it from receiving responses. If this is the case, all
+ glue-fetching queries will go answered.
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 7]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ We have observed name server implementations that retry excessively
+ when glue-fetching queries are unanswered. A single com/net name
+ server has received hundreds of queries per second from a single name
+ server. Judging from the specific queries received and based on
+ additional analysis, we believe these queries result from overly
+ aggressive glue fetching.
+
+2.4.1 Recommendation
+
+ Implementers whose name servers support glue fetching should take
+ care to avoid sending queries at excessive rates. Implementations
+ should support throttling logic to detect when queries are sent but
+ no responses are received.
+
+2.5 Aggressive retransmission behind firewalls
+
+ A common occurrence and one of the largest sources of repeated
+ queries at the com/net and root name servers appears to result from
+ resolvers behind misconfigured firewalls. In this situation, a
+ recursive name server is apparently allowed to send queries through a
+ firewall to other name servers, but not receive the responses. The
+ result is more queries than necessary because of retransmission, all
+ of which are useless because the responses are never received. Just
+ as with the glue-fetching scenario described in Section 2.4, the
+ queries are sometimes sent at excessive rates. To make matters
+ worse, sometimes the responses, sent in reply to legitimate queries,
+ trigger an alarm on the originator's intrusion detection system. We
+ are frequently contacted by administrators responding to such alarms
+ who believe our name servers are attacking their systems.
+
+ Not only do some resolvers in this situation retransmit queries at an
+ excessive rate, but they continue to do so for days or even weeks.
+ This scenario could result from an organization with multiple
+ recursive name servers, only a subset of whose traffic is improperly
+ filtered in this manner. Stub resolvers in the organization could be
+ configured to query multiple name servers. Consider the case where a
+ stub resolver queries a filtered name server first. This name server
+ sends one or more queries whose replies are filtered, so it can't
+ respond to the stub resolver, which times out. The resolver
+ retransmits to a name server that is able to provide an answer.
+ Since resolution ultimately succeeds the underlying problem might not
+ be recognized or corrected. A popular stub resolver has a very
+ aggressive retransmission schedule, including simultaneous queries to
+ multiple name servers, which could explain how such a situation could
+ persist without being detected.
+
+2.5.1 Recommendation
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 8]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ The most obvious recommendation is that administrators should take
+ care not to place recursive name servers behind a firewall that
+ prohibits queries to pass through but not the resulting replies.
+
+ Name servers should take care to avoid sending queries at excessive
+ rates. Implementations should support throttling logic to detect
+ when queries are sent but no responses are received.
+
+2.6 Misconfigured NS records
+
+ Sometimes a zone administrator forgets to add the trailing dot on the
+ domain names in the RDATA of a zone's NS records. Consider this
+ fragment of the zone file for "example.com":
+
+ $ORIGIN example.com.
+ example.com. 3600 IN NS ns1.example.com ; Note missing
+ example.com. 3600 IN NS ns2.example.com ; trailing dots
+
+ The zone's authoritative servers will parse the NS RDATA as
+ "ns1.example.com.example.com" and "ns2.example.com.example.com" and
+ return NS records with this incorrect RDATA in responses, including
+ typically the authority section of every response containing records
+ from the "example.com" zone.
+
+ Now consider a typical sequence of queries. A recursive name server
+ attempting to resolve A records for "www.example.com" with no cached
+ information for this zone will query a "com" authoritative server.
+ The "com" server responds with a referral to the "example.com" zone,
+ consisting of NS records with valid RDATA and associated glue
+ records. (This example assumes that the "example.com" zone
+ information is correct in the "com" zone.) The recursive name server
+ caches the NS RRset from the "com" server and follows the referral by
+ querying one of the "example.com" authoritative servers. This server
+ responds with the "www.example.com" A record in the answer section
+ and, typically, the "example.com" NS records in the authority section
+ and, if space in the message remains, glue A records in the
+ additional section. According to Section 5.4 of RFC 2181 [4], NS
+ records in the authority section of an authoritative answer are more
+ trustworthy than NS records from the authority section of a
+ non-authoritative answer. Thus the "example.com" NS RRset just
+ received from the "example.com" authoritative server displaces the
+ "example.com" NS RRset received moments ago from the "com"
+ authoritative server.
+
+ But the "example.com" zone contains the erroneous NS RRset as shown
+ in the example above. Subsequent queries for names in "example.com"
+ will cause the server to attempt to use the incorrect NS records and
+ so the server will try to resolve the nonexistent names
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 9]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ "ns1.example.com.example.com" and "ns2.example.com.example.com". In
+ this example, since all of the zone's name servers are named in the
+ zone itself (i.e., "ns1.example.com.example.com" and
+ "ns2.example.com.example.com" both end in "example.com") and all are
+ bogus, the recursive server cannot reach any "example.com" name
+ servers. Therefore attempts to resolve these names result in A
+ record queries to the "com' authoritative servers. Queries for such
+ obviously bogus glue A records occur frequently at the com/net name
+ servers.
+
+2.6.1 Recommendation
+
+ An authoritative server can detect this situation. A trailing dot
+ missing from an NS record's RDATA always results by definition in a
+ name server name that is in the zone. But any in-zone name server
+ should have a corresponding glue A record also in the zone. An
+ authoritative name server should report an error when a zone's NS
+ record references an in-zone name server without a corresponding glue
+ A record.
+
+2.7 Name server records with zero TTL
+
+ Sometimes a popular com/net subdomain's zone is configured with a TTL
+ of zero on the zone's NS records, which prohibits these records from
+ being cached and will result in a higher query volume to the zone's
+ authoritative servers. The zone's administrator should understand
+ the consequences of such a configuration and provision resources
+ accordingly. A zero TTL on the zone's NS RRset, however, carries
+ additional consequences beyond the zone itself: if a recursive name
+ server cannot cache a zone's NS records because of a zero TTL, it
+ will be forced to query that zone's parent's name servers each time
+ it resolves a name in the zone. The com/net authoritative servers do
+ see an increased query load when a popular com/net subdomain's zone
+ is configured with a TTL of zero on the zone's NS records.
+
+ A zero TTL on an RRset expected to change frequently is extreme but
+ permissible. A zone's NS RRset is a special case, however, because
+ changes to it must be coordinated with the zone's parent. In most
+ zone parent/child relationships we are aware of, there is typically
+ some delay involved in effecting changes. Further, changes to the
+ set of a zone's authoritative name servers (and therefore to the
+ zone's NS RRset) are typically relatively rare: providing reliable
+ authoritative service requires a reasonably stable set of servers.
+ Therefore an extremely low or zero TTL on a zone's NS RRset rarely
+ makes sense, except in anticipation of an upcoming change. In this
+ case, when the zone's administrator has planned a change and does not
+ want recursive name servers throughout the Internet to cache the NS
+ RRset for a long period of time, a low TTL is reasonable.
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 10]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+2.7.1 Recommendation
+
+ Because of the additional load placed on a zone's parent's
+ authoritative servers imposed by a zero TTL on a zone's NS RRset,
+ under such circumstances authoritative name servers should issue a
+ warning when loading a zone or refuse to load the zone altogether.
+
+2.8 Unnecessary dynamic update messages
+
+ The UPDATE message specified in RFC 2136 [6] allows an authorized
+ agent to update a zone's data on an authoritative name server using a
+ DNS message sent over the network. Consider the case of an agent
+ desiring to add a particular resource record. Because of zone cuts,
+ the agent does not necessarily know the proper zone to which the
+ record should be added. The dynamic update process requires that the
+ agent determine the appropriate zone so the UPDATE message can be
+ sent to one of the zone's authoritative servers (typically the
+ primary master as specified in the zone's SOA MNAME field).
+
+ The appropriate zone to update is the closest enclosing zone, which
+ is the lowest zone in the name space. The closest enclosing zone
+ cannot be determined only by inspecting the domain name of the record
+ to be updated, since zone cuts can occur anywhere. One way to
+ determine the closest enclosing zone involves working up the name
+ space tree and sending repeated UPDATE messages until success. For
+ example, consider an agent attempting to add an A record with the
+ name "foo.bar.example.com". The agent could first attempt to update
+ the "foo.bar.example.com" zone. If the attempt failed, the update
+ could be directed to the "bar.example.com" zone, then the
+ "example.com" zone, then the "com" zone, and finally the root zone.
+
+ A popular dynamic agent follows this algorithm. The result is many
+ UPDATE messages received by the root name servers, the com/net
+ authoritative servers, and presumably other TLD authoritative
+ servers. A reasonable question is why the algorithm proceeds with
+ sending updates all the way to TLD and root name servers. In
+ enterprise DNS architectures with an "internal root" design, there
+ could conceivably be private, non-public TLD or root zones that would
+ be the appropriate target for a dynamic update. However, we question
+ if designing an algorithm to accommodate these limited cases is worth
+ the load it places on the public DNS in the form of unnecessary
+ UPDATE messages.
+
+2.8.1 Recommendation
+
+ Dynamic update agents should not attempt to send UPDATE messages to
+ authoritative servers for TLD zones or the root zone by default. If
+ this functionality is supported, it should be require specific action
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 11]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ by a user to be enabled.
+
+2.9 Queries for domain names resembling IP addresses
+
+ The root name servers receive a significant number of A record
+ queries where the qname is an IP address. The source of these
+ queries is unknown. It could be attributed to situations where a
+ user believes an application will accept either a domain name or an
+ IP address in a given configuration option. The user enters an IP
+ address, but the application assumes any input is a domain name and
+ attempts to resolve it, resulting in an A record lookup. There could
+ also be applications that produce such queries in a misguided attempt
+ to reverse map IP addresses.
+
+ These queries result in Name Error (RCODE=3) responses. A recursive
+ name server can negatively cache such responses, but each response
+ requires a separate cache entry, i.e., a negative cache entry for the
+ domain name "192.0.2.1" does not prevent a subsequent query for the
+ domain name "192.0.2.2".
+
+2.9.1 Recommendation
+
+ It would be desirable for the root name servers not to have to answer
+ these queries: they unnecessarily consume CPU resources and network
+ bandwidth. One possibility is for recursive name server
+ implementations to produce the Name Error response directly. We
+ suggest that implementors consider the option of synthesizing Name
+ Error responses at the recursive name server. The server could claim
+ authority for synthesized TLD zones corresponding to the first octet
+ of every possible IP address, e.g. 1., 2., through 255. This
+ behavior could be configurable in the (probably unlikely) event that
+ numeric TLDs are ever put into use.
+
+ Another option is to delegate these numeric TLDs from the root zone
+ to a separate set of servers to absorb the traffic. The "blackhole
+ servers" used by the the AS 112 Project [8], which are currently
+ delegated the in-addr.arpa zones corresponding to RFC 1918 [7]
+ private use address space, would be a possible choice to receive
+ these delegations.
+
+2.10 Misdirected recursive queries
+
+ The root name servers receive a significant number of recursive
+ queries (i.e., queries with the RD bit set in the header). Since
+ none of the root servers offer recursion, the servers' response in
+ such a situation ignores the request for recursion and the response
+ probably does not contain the data the querier anticipated. Some of
+ these queries result from users configuring stub resolvers to query a
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 12]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ root server. (This situation is not hypothetical: we have received
+ complaints from users when this configuration does not work as
+ hoped.) Of course, users should not direct stub resolvers to use name
+ servers that do not offer recursion, but we are not aware of any stub
+ resolver implementation that offers any feedback to the user when so
+ configured, aside from simply "not working".
+
+2.10.1 Recommendation
+
+ When the IP address of a (supposedly) recursive name server is
+ configured in a stub resolver using an interactive user interface,
+ the resolver could send a test query to verify that the server
+ supports recursion (i.e., the response has the RA bit set in the
+ header). The user could be immediately notified if the server is
+ non-recursive.
+
+ The stub resolver could also report an error, either through a user
+ interface or in a log file, if the queried server does not support
+ recursion. Error reporting should be throttled to avoid a
+ notification or log message for every response from a non-recursive
+ server.
+
+2.11 Suboptimal name server selection algorithm
+
+ An entire document could be devoted to the topic of problems with
+ different implementations of the recursive resolution algorithm. The
+ entire process of recursion is woefully underspecified, requiring
+ each implementor to design an algorithm. Sometimes implementors make
+ poor design choices that could be avoided if a suggested algorithm
+ and best practices were documented, but that is a topic for another
+ document.
+
+ Some deficiencies cause significant operational impact and are
+ therefore worth mentioning here. One of these is name server
+ selection by a recursive name server. When a recursive name server
+ wants to contact one of a zone's authoritative name servers, how does
+ it choose from the NS records listed in the zone's NS RRset? If the
+ selection mechanism is suboptimal, queries are not spread evenly
+ among a zone's authoritative servers. The details of the selection
+ mechanism are up to the implementor, but we offer some suggestions.
+
+2.11.1 Recommendation
+
+ This list is not conclusive, but reflects the changes that would
+ produce the most impact in terms of reducing disproportionate query
+ load among a zone's authoritative servers. I.e., these changes would
+ help spread the query load evenly.
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 13]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ o Do not make assumptions based on NS RRset order: all NS RRs should
+ be treated equally. (In the case of the "com" zone, for example,
+ most of the root servers return the NS record for
+ "a.gtld-servers.net" first in the authority section of referrals.
+ As a result, this server receives disproportionately more traffic
+ than the other 12 authoritative servers for "com".)
+
+ o Use all NS records in an RRset. (For example, we are aware of
+ implementations that hard-coded information for a subset of the
+ root servers.)
+
+ o Maintain state and favor the best-performing of a zone's
+ authoritative servers. A good definition of performance is
+ response time. Non-responsive servers can be penalized with an
+ extremely high response time.
+
+ o Do not lock onto the best-performing of a zone's name servers. A
+ recursive name server should periodically check the performance of
+ all of a zone's name servers to adjust its determination of the
+ best-performing one.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 14]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+3. IANA considerations
+
+ There are no new IANA considerations introduced by this
+ Internet-Draft.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 15]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+4. Security considerations
+
+ Name server and resolver misbehaviors identical or similar to those
+ discussed in this document expose the root and TLD name servers to
+ increased risk of both intentional and unintentional denial of
+ service.
+
+ We believe that implementation of the recommendations offered in this
+ document will reduce the amount of unnecessary traffic seen at root
+ and TLD name servers, thus reducing the opportunity for an attacker
+ to use such queries to his or her advantage.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 16]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+5. Internationalization considerations
+
+ We do not believe this document introduces any new
+ internationalization considerations to the DNS protocol
+ specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 17]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [3] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [4] Elz, R. and R. Bush, "Clarifications to the DNS Specification",
+ RFC 2181, July 1997.
+
+ [5] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+ 2308, March 1998.
+
+ [6] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136, April
+ 1997.
+
+ [7] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and E.
+ Lear, "Address Allocation for Private Internets", BCP 5, RFC
+ 1918, February 1996.
+
+ [8] <http://www.as112.net>
+
+
+Authors' Addresses
+
+ Matt Larson
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ EMail: mlarson@verisign.com
+
+
+ Piet Barber
+ VeriSign, Inc.
+ 21345 Ridgetop Circle
+ Dulles, VA 20166-6503
+ USA
+
+ EMail: pbarber@verisign.com
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 18]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 19]
+
+Internet-Draft Observed DNS Resolution Misbehavior February 2004
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Larson & Barber Expires August 16, 2004 [Page 20]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
new file mode 100644
index 0000000..0481517
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-dnssec-operational-practices-01.txt
@@ -0,0 +1,1344 @@
+
+DNSOP O. Kolkman
+Internet-Draft RIPE NCC
+Expires: August 30, 2004 R. Gieben
+ NLnet Labs
+ March 2004
+
+
+ DNSSEC Operational Practices
+ draft-ietf-dnsop-dnssec-operational-practices-01.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on August 30, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document describes a set of practices for operating a DNSSEC
+ aware environment. The target audience is zone administrators
+ deploying DNSSEC that need a guide to help them chose appropriate
+ values for DNSSEC parameters. It also discusses operational matters
+ such as key rollovers, KSK and ZSK considerations and related
+ matters.
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 1]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1 The Use of the Term 'key' . . . . . . . . . . . . . . . . 3
+ 1.2 Keeping the Chain of Trust Intact . . . . . . . . . . . . 3
+ 2. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.1 Time Definitions . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2 Time Considerations . . . . . . . . . . . . . . . . . . . 5
+ 3. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 3.1 Motivations for the KSK and ZSK Functions . . . . . . . . 7
+ 3.2 Key Security Considerations . . . . . . . . . . . . . . . 8
+ 3.2.1 Key Validity Period . . . . . . . . . . . . . . . . . 8
+ 3.2.2 Key Algorithm . . . . . . . . . . . . . . . . . . . . 8
+ 3.2.3 Key Sizes . . . . . . . . . . . . . . . . . . . . . . 8
+ 3.3 Key Rollovers . . . . . . . . . . . . . . . . . . . . . . 9
+ 3.3.1 Zone-signing Key Rollovers . . . . . . . . . . . . . . 10
+ 3.3.2 Key-signing Key Rollovers . . . . . . . . . . . . . . 13
+ 4. Planning for Emergency Key Rollover . . . . . . . . . . . . . 14
+ 4.1 KSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15
+ 4.2 ZSK Compromise . . . . . . . . . . . . . . . . . . . . . . 15
+ 4.3 Compromises of Keys Anchored in Resolvers . . . . . . . . 16
+ 5. Parental Policies . . . . . . . . . . . . . . . . . . . . . . 16
+ 5.1 Initial Key Exchanges and Parental Policies
+ Considerations . . . . . . . . . . . . . . . . . . . . . . 16
+ 5.2 Storing Keys So Hashes Can Be Regenerated . . . . . . . . 16
+ 5.3 Security Lameness Checks . . . . . . . . . . . . . . . . . 17
+ 5.4 DS Signature Validity Period . . . . . . . . . . . . . . . 17
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
+ 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
+ 8.1 Normative References . . . . . . . . . . . . . . . . . . . . 18
+ 8.2 Informative References . . . . . . . . . . . . . . . . . . . 18
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 19
+ A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 19
+ B. Zone-signing Key Rollover Howto . . . . . . . . . . . . . . . 20
+ C. Typographic Conventions . . . . . . . . . . . . . . . . . . . 20
+ D. Document Details and Changes . . . . . . . . . . . . . . . . . 22
+ D.1 draft-ietf-dnsop-dnssec-operational-practices-00 . . . . . 22
+ D.2 draft-ietf-dnsop-dnssec-operational-practices-01 . . . . . 22
+ Intellectual Property and Copyright Statements . . . . . . . . 23
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 2]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+1. Introduction
+
+ During workshops and early operational deployment tests, operators
+ and system administrators gained experience about operating DNSSEC
+ aware DNS services. This document translates these experiences into
+ a set of practices for zone administrators. At the time of writing,
+ there exists very little experience with DNSSEC in production
+ environments, this document should therefore explicitly not be seen
+ as represented 'Best Current Practices'.
+
+ The procedures herein are focused on the maintenance of signed zones
+ (i.e. signing and publishing zones on authoritative servers). It is
+ intended that maintenance of zones such as resigning or key rollovers
+ be transparent to any verifying clients on the Internet.
+
+ The structure of this document is as follows: It begins with
+ discussing some of the considerations with respect to timing
+ parameters of DNS in relation to DNSSEC (Section 2). Aspects of key
+ management such as key rollover schemes are described in Section 3.
+ Emergency rollover considerations are addressed in Section 4. The
+ typographic conventions used in this document are explained in
+ Appendix C.
+
+ Since this is a document with operational suggestions and there are
+ no protocol specifications, the RFC2119 [5] language does not apply.
+
+1.1 The Use of the Term 'key'
+
+ It is assumed that the reader is familiar with the concept of
+ asymmetric keys on which DNSSEC is based (Public Key Cryptography
+ [Ref to Schneider?]). Therefore, this document will use the term
+ 'key' rather loosely. Where it is written that 'a key is used to sign
+ data' it is assumed that the reader understands that it is the
+ private part of the key-pair that is used for signing. It is also
+ assumed that the reader understands that the public part of the
+ key-pair is published in the DNSKEY resource record and that it is
+ used in key-exchanges.
+
+1.2 Keeping the Chain of Trust Intact
+
+ Maintaining a valid chain of trust is important because broken chains
+ of trust will result in data being marked as bogus, which may cause
+ entire (sub)domains to become invisible to verifying clients. The
+ administrators of secured zones have to realise that their zone is,
+ to their clients, part of a chain of trust.
+
+ As mentioned in the introduction, the procedures herein are intended
+ to ensure maintenance of zones, such as resigning or key rollovers,
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 3]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ be transparent to the verifying clients on the Internet.
+ Administrators of secured zones will have to keep in mind that data
+ published on an authoritative primary server will not be immediately
+ seen by verifying clients; it may take some time for the data to be
+ transfered to other secondary authoritative nameservers, during which
+ period clients may be fetching data from caching non-authoritative
+ servers. For the verifying clients it is important that data from
+ secured zones can be used to build chains of trust regardless of
+ whether the data came directly from an authoritative server, a
+ caching nameserver or some middle box. Only by carefully using the
+ available timing parameters can a zone administrator assure that the
+ data necessary for verification can be obtained.
+
+ The responsibility for maintaining the chain of trust is shared by
+ administrators of secured zones in the chain of trust. This is most
+ obvious in the case of a 'key compromise' when a trade off between
+ maintaining a valid chain of trust and the fact that the key has been
+ stolen, must be made.
+
+ The zone administrator will have to make a tradeoff between keeping
+ the chain of trust intact -thereby allowing for attacks with the
+ compromised key- or to deliberately break the chain of trust thereby
+ making secured subdomains invisible to security aware resolvers. Also
+ see Section 4.
+
+2. Time in DNSSEC
+
+ Without DNSSEC all times in DNS are relative. The SOA's refresh,
+ retry and expiration timers are counters that are used to determine
+ the time elapsed after a slave server syncronised (or tried to
+ syncronise) with a master server. The Time to Live (TTL) value and
+ the SOA minimum TTL parameter [6] are used to determine how long a
+ forwarder should cache data after it has been fetched from an
+ authoritative server. DNSSEC introduces the notion of an absolute
+ time in the DNS. Signatures in DNSSEC have an expiration date after
+ which the signature is marked as invalid and the signed data is to be
+ considered bogus.
+
+2.1 Time Definitions
+
+ In this document we will be using a number of time related terms.
+ Within the context of this document the following definitions apply:
+ o "Signature validity period"
+ The period that a signature is valid. It starts at the time
+ specified in the signature inception field of the RRSIG RR and
+ ends at the time specified in the expiration field of the RRSIG
+ RR.
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 4]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ o "Signature publication period"
+ Time after which a signature (made with a specific key) is
+ replaced with a new signature (made with the same key). This
+ replacement takes place by publishing the relevant RRSIG in the
+ master zone file. If a signature is published at time T0 and a
+ new signature is published at time T1, the signature
+ publication period is T1 - T0.
+ If all signatures are refreshed at zone (re)signing then the
+ signature publication period is equal signature validity
+ period.
+ o "Maximum/Minimum Zone TTL"
+ The maximum or minimum value of all the TTLs in a zone.
+
+2.2 Time Considerations
+
+ Because of the expiration of signatures, one should consider the
+ following.
+ o The Maximum Zone TTL of your zone data should be a fraction of
+ your signature validity period.
+ If the TTL would be of similar order as the signature validity
+ period, then all RRsets fetched during the validity period
+ would be cached until the signature expiration time. As a
+ result query load on authoritative servers would peak at
+ signature expiration time.
+ To avoid query load peaks we suggest the TTL on all the RRs in
+ your zone to be at least a few times smaller than your
+ signature validity period.
+ o The signature publication period should be at least one maximum
+ TTL smaller than the signature validity period.
+ Resigning a zone shortly before the end of the signature
+ validity period may cause simultaneous expiration of data from
+ caches. This in turn may lead to peaks in the load on
+ authoritative servers.
+ o The Minimum zone TTL should be long enough to both fetch and
+ verify all the RRs in the authentication chain.
+ 1. During validation, some data may expire before the
+ validation is complete. The validator should be able to keep
+ all data, until is completed. This applies to all RRs needed
+ to complete the chain of trust: DSs, DNSKEYs, RRSIGs, and
+ the final answers i.e. the RR that is returned for the
+ initial query.
+ 2. Frequent verification causes load on recursive
+ nameservers. Data at delegation points, DSs, DNSKEYs and
+ RRSIGs benefit from caching. The TTL on those should be
+ relatively long.
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 5]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ We have seen events where data needed for verification of an
+ authentication chain had expired from caches.
+ We suggest the TTL on DNSKEY and DSs to be between ten minutes
+ and one hour. We recommend zone administrators to chose TTLs
+ longer than half a minute.
+ [Editor's Note: this observation could be implementation
+ specific. We are not sure if we should leave this item]
+ o Slave servers will need to be able to fetch newly signed zones
+ well before the data expires from your zone.
+ 'Better no answers than bad answers.'
+ If a properly implemented slave server is not able to contact a
+ master server for an extended period the data will at some
+ point expire and the slave server will not hand out any data.
+ If the server serves a DNSSEC zone than it may well happen that
+ the signatures expire well before the SOA expiration timer
+ counts down to zero. It is not possible to completely prevent
+ this from happening by tweaking the SOA parameters. However,
+ the effects can be minimized where the SOA expiration time is
+ equal or smaller than the signature validity period.
+ The consequence of an authoritative server not being able to
+ update a zone, whilst that zone includes expired signaturs, is
+ that non-secure resolvers will continue to be able to resolve
+ data served by the particular slave servers. Security aware
+ resolvers will experience problems.
+ We suggest the SOA expiration timer being approximately one
+ third or one fourth of the signature validity period. It will
+ allow problems with transfers from the master server to be
+ noticed before the actual signature time out.
+ We suggest that operators of nameservers with slave zones
+ develop 'watch dogs' to spot upcoming signature expirations in
+ slave zones, and take appropriate action.
+ When determining the value for the expiration parameter one has
+ to take the following into account: What are the chances that
+ all my secondary zones expire; How quickly can I reach an
+ administrator and load a valid zone? All these arguments are
+ not DNSSEC specific.
+
+3. Keys
+
+ In the DNSSEC protocol there is only one type of key, the zone key.
+ With this key, the data in a zone is signed.
+
+ To make zone re-signing and key rollovers procedures easier to
+ implement, it is possible to use one or more keys as Key Signing Keys
+ (KSK) these keys will only sign the apex DNSKEY RRs in a zone. Other
+ keys can be used to sign all the RRsets in a zone and are referred to
+ as Zone Signing Keys (ZSK). In this document we assume that KSKs are
+ the subset of keys that are used for key exchanges with the parents
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 6]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ and potentially for configuration as trusted anchors - the so called
+ Secure Entry Point keys (SEP). In this document we assume a
+ one-to-one mapping between KSK and SEP keys and we assume the SEP
+ flag [4] to be set on KSKs.
+
+3.1 Motivations for the KSK and ZSK Functions
+
+ Differentiating between the KSK to ZSK functions has several
+ advantages:
+
+ o Making the KSK stronger (i.e. using more bits in the key material)
+ has little operational impact since it is only used to sign a
+ small fraction of the zone data.
+ o As the KSK is only used to sign a keyset, which is most probably
+ updated less frequently than other data in the zone, it can be
+ stored separately from (and thus in a safer location than) the
+ ZSK.
+ o A KSK can be used for longer periods.
+ o No parent/child interaction is required when ZSKs are updated.
+
+ The KSK is used less than ZSK, once a keyset is signed with the KSK
+ all the keys in the keyset can be used as ZSK. If a ZSK is
+ compromised, it can be simply dropped from the keyset. The new keyset
+ is then resigned with the KSK.
+
+ Given the assumption that for KSKs the SEP flag is set, the KSK can
+ be distinguished from a ZSK by examining the flag field in the DNSKEY
+ RR. If the flag field is an odd number it is a KSK if it is an even
+ number it is a ZSK e.g. a value of 256 and a key signing key has 257.
+
+ The zone-signing key can be used to sign all the data in a zone on a
+ regular basis. When a zone-signing key is to be rolled, no
+ interaction with the parent is needed. This allows for relatively
+ short "Signature Validity Periods". That is, Signature Validity
+ Periods of the order of days.
+
+ The key-signing key is only to be used to sign the Key RR set from
+ the zone apex. If a key-signing key is to be rolled over, there will
+ be interactions with parties other than the zone administrator such
+ as the registry of the parent zone or administrators of verifying
+ resolvers that have the particular key configured as trusted entry
+ points. Hence, the "Key Usage Time" of these keys can and should be
+ made much longer. Although, given a long enough key, the "Key Usage
+ Time" can be on the order of years we suggest to plan for a "Key
+ Usage Time" of the order of a few months so that a key rollover
+ remains an operational routine.
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 7]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+3.2 Key Security Considerations
+
+ Keys in DNSSEC have a number of parameters which should all be chosen
+ with care, the most important once are: size, algorithm and the key
+ validity period (its lifetime).
+
+3.2.1 Key Validity Period
+
+ RFC2541 [2] describes a number of considerations with respect to the
+ security of keys. The document deals with the generation, lifetime,
+ size and storage of private keys.
+
+ In Section 3 of RFC2541 [2] there are some suggestions for a key
+ validity period: 13 months for long-lived keys and 36 days for
+ transaction keys but suggestions for key sizes are not made.
+
+ If we say long-lived keys are key-signing keys and transactions keys
+ are zone-signing keys, these recommendations will lead to rollovers
+ occurring frequently enough to become part of 'operational habits';
+ the procedure does not have to be reinvented every time a key is
+ replaced.
+
+3.2.2 Key Algorithm
+
+ We recommend you choose RSA/SHA-1 as the preferred algorithm for the
+ key. RSA has been developed in an open and transparent manner. As the
+ patent on RSA expired in 2001, its use is now also free. The current
+ known attacks on RSA can be defeated by making your key longer. As
+ the MD5 hashing algorithm is showing (theoretical) cracks, we
+ recommend the usage of SHA1.
+
+3.2.3 Key Sizes
+
+ When choosing key sizes, zone administrators will need to take into
+ account how long a key will be used and how much data will be signed
+ during the key publication period. It is hard to give precise
+ recommendations but Lenstra and Verheul [9] supplied the following
+ table with lower bound estimates for cryptographic key sizes. Their
+ recommendations are based on a set of explicitly formulated parameter
+ settings, combined with existing data points about cryptosystems. For
+ details we refer to the original paper.
+
+ [Editor's Note: DSA???]
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 8]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ Year RSA Key Sizes Elliptic Curve Key Size
+ 2000 952 132
+ 2001 990 135
+ 2002 1028 139
+ 2003 1068 140
+ 2004 1108 143
+
+ 2005 1149 147
+ 2006 1191 148
+ 2007 1235 152
+ 2008 1279 155
+ 2009 1323 157
+
+
+ 2010 1369 160
+ 2011 1416 163
+ 2012 1464 165
+ 2013 1513 168
+ 2014 1562 172
+
+ 2015 1613 173
+ 2016 1664 177
+ 2017 1717 180
+ 2018 1771 181
+ 2019 1825 185
+
+
+ 2020 1881 188
+ 2021 1937 190
+ 2022 1995 193
+ 2023 2054 197
+ 2024 2113 198
+
+ 2025 2174 202
+ 2026 2236 205
+ 2027 2299 207
+ 2028 2362 210
+ 2029 2427 213
+
+ For example, should you wish your key to last three years from 2003,
+ check the RSA keysize values for 2006 in this table. In this case
+ 1191.
+
+3.3 Key Rollovers
+
+ Key rollovers are a fact of life when using DNSSEC. A DNSSEC key
+ cannot be used forever (see RFC2541 [2] and Section 3.2 ). Zone
+ administrators who are in the process of rolling their keys have to
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 9]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ take into account that data published in previous versions of their
+ zone still lives in caches. When deploying DNSSEC, this becomes an
+ important consideration; ignoring data that may be in caches may lead
+ to loss of service for clients.
+
+ The most pressing example of this is when zone material signed with
+ an old key is being validated by a resolver which does not have the
+ old zone key cached. If the old key is no longer present in the
+ current zone, this validation fails, marking the data bogus.
+ Alternatively, an attempt could be made to validate data which is
+ signed with a new key against an old key that lives in a local cache,
+ also resulting in data being marked bogus.
+
+ To appreciate the situation one could think of a number of
+ authoritative servers that may not be instantaneously running the
+ same version of a zone and a security aware non-recursive resolver
+ that sits behind security aware caching forwarders.
+
+ Note that KSK rollovers and ZSK rollovers are different. A zone-key
+ rollover can be handled in two different ways: pre-publish (Section
+ Section 3.3.1.1) and double signature (Section Section 3.3.1.2). The
+ pre-publish technique works because the key-signing key stays the
+ same during this ZSK rollover. With this KSK a cache is able to
+ validate the new keyset of a zone. With a KSK rollover a cache can
+ not validate the new keyset, because it does not trust the new KSK.
+
+ [Editors note: This needs more verbose explanation, nobody will
+ appreciate the situation just yet. Help with text and examples is
+ appreciated]
+
+3.3.1 Zone-signing Key Rollovers
+
+ For zone-signing key rollovers there are two ways to make sure that
+ during the rollover data still cached can be verified with the new
+ keysets or newly generated signatures can be verified with the keys
+ still in caches. One schema uses double signatures, it is described
+ in Section 3.3.1.2, the other uses key pre-publication (Section
+ 3.3.1.1). The pros, cons and recommendations are described in Section
+ 3.3.1.3.
+
+3.3.1.1 Pre-publish Keyset Rollover
+
+ This section shows how to perform a ZSK rollover without the need to
+ sign all the data in a zone twice - the so called "prepublish
+ rollover". We recommend this method because it has advantages in the
+ case of key compromise. If the old key is compromised, the new key
+ has already been distributed in the DNS. The zone administrator is
+ then able to quickly switch to the new key and remove the compromised
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 10]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ key from the zone. Another major advantage is that the zone size does
+ not double, as is the case with the double signature ZSK rollover. A
+ small "HOWTO" for this kind of rollover can be found in Appendix B.
+
+ normal pre-roll roll after
+
+ SOA0 SOA1 SOA2 SOA3
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2) RRSIG11(SOA3)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11 DNSKEY11
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY)
+
+
+ normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
+ DNSKEY 10 is used to sign all the data of the zone, the
+ zone-signing key.
+ pre-roll: DNSKEY 11 is introduced into the keyset. Note that no
+ signatures are generated with this key yet, but this does not
+ secure against brute force attacks on the public key. The minimum
+ duration of this pre-roll phase is the time it takes for the data
+ to propagate to the authoritative servers plus TTL value of the
+ keyset. This equates to two times the Maximum Zone TTL.
+ roll: At the rollover stage (SOA serial 1) DNSKEY 11 is used to sign
+ the data in the zone exclusively (i.e. all the signatures from
+ DNSKEY 10 are removed from the zone). DNSKEY 10 remains published
+ in the keyset. This way data that was loaded into caches from
+ version 1 of the zone can still be verified with key sets fetched
+ from version 2 of the zone.
+ The minimum time that the keyset including DNSKEY 10 is to be
+ published is the time that it takes for zone data from the
+ previous version of the zone to expire from old caches i.e. the
+ time it takes for this zone to propagate to all authoritative
+ servers plus the Maximum Zone TTL value of any of the data in the
+ previous version of the zone.
+ after: DNSKEY 10 is removed from the zone. The keyset, now only
+ containing DNSKEY 11 is resigned with the DNSKEY 1.
+
+ The above scheme can be simplified by always publishing the "future"
+ key immediately after the rollover. The scheme would look as follows
+ (we show two rollovers); the future key is introduced in "after" as
+ DNSKEY 12 and again a newer one, numbered 13, in "2nd after":
+
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 11]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ normal roll after 2nd roll 2nd after
+
+ SOA0 SOA2 SOA3 SOA4 SOA5
+ RRSIG10(SOA0) RRSIG11(SOA2) RRSIG11(SOA3) RRSIG12(SOA4) RRSIG12(SOA5)
+
+ DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11 DNSKEY11 DNSKEY12
+ DNSKEY11 DNSKEY11 DNSKEY12 DNSKEY12 DNSKEY13
+ RRSIG1(DNSKEY) RRSIG1 (DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG11(DNSKEY) RRSIG11(DNSKEY) RRSIG12(DNSKEY) RRSIG12(DNSKEY)
+
+
+ Note that the key introduced after the rollover is not used for
+ production yet; the private key can thus be stored in a physically
+ secure manner and does not need to be 'fetched' every time a zone
+ needs to be signed.
+
+ This scheme has the benefit that the key that is intended for future
+ use: immediately during an emergency rollover assuming that the
+ private key was stored in a physically secure manner.
+
+3.3.1.2 Double Signature Zone-signing Key Rollover
+
+ This section shows how to perform a ZSK key rollover using the double
+ zone data signature scheme, aptly named "double sig rollover".
+
+ During the rollover stage the new version of the zone file will need
+ to propagate to all authoritative servers and the data that exists in
+ (distant) caches will need to expire, this will take at least the
+ maximum Zone TTL .
+
+ normal roll after
+
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG11(SOA2)
+ RRSIG11(SOA1)
+
+ DNSKEY1 DNSKEY1 DNSKEY1
+ DNSKEY10 DNSKEY10 DNSKEY11
+ DNSKEY11
+ RRSIG1(DNSKEY) RRSIG1(DNSKEY) RRSIG1(DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG11(DNSKEY)
+ RRSIG11(DNSKEY)
+
+ normal: Version 0 of the zone: DNSKEY 1 is the key-signing key.
+ DNSKEY 10 is used to sign all the data of the zone, the
+ zone-signing key.
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 12]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ roll: At the rollover stage (SOA serial 1) DNSKEY 11 is introduced
+ into the keyset and all the data in the zone is signed with DNSKEY
+ 10 and DNSKEY 11. The rollover period will need to exist until all
+ data from version 0 of the zone has expired from remote caches.
+ This will take at least the maximum Zone TTL of version 0 of the
+ zone.
+ after: DNSKEY 10 is removed from the zone. All the signatures from
+ DNSKEY 10 are removed from the zone. The keyset, now only
+ containing DNSKEY 11, is resigned with DNSKEY 1.
+
+ At every instance the data from the previous version of the zone can
+ be verified with the key from the current version and vice verse. The
+ data from the current version can be verified with the data from the
+ previous version of the zone. The duration of the rollover phase and
+ the period between rollovers should be at least the "Maximum Zone
+ TTL".
+
+ Making sure that the rollover phase lasts until the signature
+ expiration time of the data in version 0 of the zone is recommended.
+ However, this date could be considerably longer than the Maximum Zone
+ TTL, making the rollover a lengthy procedure.
+
+ Note that in this example we assumed that the zone was not modified
+ during the rollover. New data can be introduced in the zone as long
+ as it is signed with both keys.
+
+3.3.1.3 Pros and Cons of the Schemes
+
+ Prepublish-keyset rollover: This rollover does not involve signing
+ the zone data twice. Instead, just before the actual rollover, the
+ new key is published in the keyset and thus available for
+ cryptanalysis attacks. A small disavantage is that this process
+ requires four steps. Also the prepublish scheme will not work for
+ KSKs as explained in Section 3.3.
+ Double signature rollover: The drawback of this signing scheme is
+ that during the rollover the number of signatures in your zone
+ doubles, this may be prohibitive if you have very big zones. An
+ advantage is that it only requires three steps.
+
+3.3.2 Key-signing Key Rollovers
+
+ For the rollover of a key-signing key the same considerations as for
+ the rollover of a zone-signing key apply. However we can use a double
+ signature scheme to guarantee that old data (only the apex keyset) in
+ caches can be verified with a new keyset and vice versa.
+
+ Since only the keyset is signed with a KSK, zone size considerations
+ do not apply.
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 13]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ normal roll after
+
+ SOA0 SOA1 SOA2
+ RRSIG10(SOA0) RRSIG10(SOA1) RRSIG10(SOA2)
+
+ DNSKEY1 DNSKEY1 DNSKEY2
+ DNSKEY2
+ DNSKEY10 DNSKEY10 DNSKEY10
+ RRSIG1 (DNSKEY) RRSIG1 (DNSKEY) RRSIG2(DNSKEY)
+ RRSIG2 (DNSKEY)
+ RRSIG10(DNSKEY) RRSIG10(DNSKEY) RRSIG10(DNSKEY)
+
+ normal: Version 0 of the zone. The parental DS points to DNSKEY1.
+ Before the rollover starts the child will have to verify what the
+ TTL is of the DS RR that points to DNSKEY1 - it is needed during
+ the rollover and we refer to the value as TTL_DS.
+ roll: During the rollover phase the zone administrator generates a
+ second KSK, DNSKEY2. The key is provided to the parent and the
+ child will have to wait until a new DS RR has been generated that
+ points to DNSKEY2. After that DS RR has been published on _all_
+ servers authoritative for the parents zone, the zone administrator
+ has to wait at least TTL_DS to make sure that the old DS RR has
+ expired from distant caches.
+ after: DNSKEY1 has been removed.
+
+ The scenario above puts the responsibility for maintaining a valid
+ chain of trust with the child. It also is based on the premises that
+ the parent only has one DS RR (per algorithm) per zone. St John [The
+ draft has expired] proposed a mechanism where using an established
+ trust relation, the interaction can be performed in-band. In this
+ mechanism there are periods where there are two DS RRs at the parent.
+
+ [Editors note: We probably need to mention more]
+
+4. Planning for Emergency Key Rollover
+
+ This section deals with preparation for a possible key compromise.
+ Our advice is to have a documented procedure ready for when a key
+ compromise is suspected or confirmed.
+
+ [Editors note: We are much in favor of a rollover tactic that keeps
+ the authentication chain intact as long as possible. This means that
+ one has to take all the regular rollover properties into account.]
+
+ When the private material of one of your keys is compromised it can
+ be used for as long as a valid authentication chain exists. An
+ authentication chain remains intact for:
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 14]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ o as long as a signature over the compromised key in the
+ authentication chain is valid,
+ o as long as a parental DS RR (and signature) points to the
+ compromised key,
+ o as long as the key is anchored in a resolver and is used as a
+ starting point for validation. (This is the hardest to update.)
+ While an authentication chain to your compromised key exists, your
+ name-space is vulnerable to abuse by the malicious key holder (i.e.
+ the owner of the compromised key). Zone operators have to make a
+ trade off if the abuse of the compromised key is worse than having
+ data in caches that cannot be validated. If the zone operator chooses
+ to break the authentication chain to the compromised key, data in
+ caches signed with this key cannot be validated. However, if the zone
+ administrator chooses to take the path of a regular roll-over, the
+ malicious key holder can spoof data so that it appears to be valid,
+ note that this kind of attack will usually be localised in the
+ Internet topology.
+
+
+4.1 KSK Compromise
+
+ When the KSK has been compromised the parent must be notified as soon
+ as possible using secure means. The keyset of the zone should be
+ resigned as soon as possible. Care must be taken to not break the
+ authentication chain. The local zone can only be resigned with the
+ new KSK after the parent's zone has been updated with the new KSK.
+ Before this update takes place it would be best to drop the security
+ status of a zone all together: the parent removes the DS of the child
+ at the next zone update. After that the child can be made secure
+ again.
+
+ An additional danger of a key compromise is that the compromised key
+ can be used to facilitate a legitimate DNSKEY/DS and/or nameserver
+ rollover at the parent. When that happens the domain can be in
+ dispute. An out of band and secure notify mechanism to contact a
+ parent is needed in this case.
+
+4.2 ZSK Compromise
+
+ Primarily because there is no parental interaction required when a
+ ZSK is compromised, the situation is less severe than with with a KSK
+ compromise. The zone must still be resigned with a new ZSK as soon
+ as possible. As this is a local operation and requires no
+ communication between the parent and child this can be achieved
+ fairly quickly. However, one has to take into account that just as
+ with a normal rollover the immediate disappearance from the old
+ compromised key may lead to verification problems. The
+ pre-publication scheme as discussed above minimises such problems.
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 15]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+4.3 Compromises of Keys Anchored in Resolvers
+
+ A key can also be pre-configured in resolvers. If DNSSEC is rolled
+ out as planned the root key should be pre-configured in every secure
+ aware resolver on the planet. [Editors Note: add more about
+ authentication of a newly received resolver key]
+
+ If trust-anchor keys are compromised, the resolvers using these keys
+ should be notified of this fact. Zone administrators may consider
+ setting up a mailing list to communicate the fact that a SEP key is
+ about to be rolled over. This communication will of course need to be
+ authenticated e.g. by using digital signatures.
+
+5. Parental Policies
+
+5.1 Initial Key Exchanges and Parental Policies Considerations
+
+ The initial key exchange is always subject to the policies set by the
+ parent (or its registry). When designing a key exchange policy one
+ should take into account that the authentication and authorisation
+ mechanisms used during a key exchange should be as strong as the
+ authentication and authorisation mechanisms used for the exchange of
+ delegation information between parent and child.
+
+ Using the DNS itself as the source for the actual DNSKEY material,
+ with an off-band check on the validity of the DNSKEY, has the benefit
+ that it reduces the chances of user error. A parental DNSKEY download
+ tool can make use of the SEP bit [4] to select the proper key from a
+ DNSSEC keyset; thereby reducing the chance that the wrong DNSKEY is
+ sent. It can validate the self-signature over a key; thereby
+ verifying the ownership of the private key material. Fetching the
+ DNSKEY from the DNS ensures that the child will not become bogus once
+ the parent publishes the DS RR indicating the child is secure.
+
+ Note: the off-band verification is still needed when the key-material
+ is fetched by a tool. The parent can not be sure whether the DNSKEY
+ RRs have been spoofed.
+
+5.2 Storing Keys So Hashes Can Be Regenerated
+
+ When designing a registry system one should consider if the DNSKEYs
+ and/or the corresponding DSs are stored. Storing DNSKEYs will help
+ during troubleshooting while the overhead of calculating DS records
+ from them is minimal.
+
+ Having an out-of-band mechanism, such as a Whois database, to find
+ out which keys are used to generate DS Resource Records for specific
+ owners may also help with troubleshooting.
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 16]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+5.3 Security Lameness Checks
+
+ Security Lameness is defined as what happens when a parent has a DS
+ Resource Record pointing to a non-existing DNSKEY RR. During key
+ exchange a parent should make sure that the child's key is actually
+ configured in the DNS before publishing a DS RR in its zone. Failure
+ to do so would render the child's zone being marked as bogus.
+
+ Child zones should be very careful removing DNSKEY material,
+ specifically SEP keys, for which a DS RR exists.
+
+ Once a zone is "security lame" a fix (e.g. by removing a DS RR) will
+ take time to propagate through the DNS.
+
+5.4 DS Signature Validity Period
+
+ Since the DS can be replayed as long as it has a valid signature a
+ short signature validity period over the DS minimises the time a
+ child is vulnerable in the case of a compromise of the child's
+ KSK(s). A signature validity period that is too short introduces the
+ possibility that a zone is marked bogus in case of a configuration
+ error in the signer; there may not be enough time to fix the problems
+ before signatures expire. Something as mundane as operator
+ unavailability during weekends shows the need for DS signature
+ lifetimes longer than 2 days. We recommend the minimum for a DS
+ signature validity period to be a few days.
+
+ The maximum signature lifetime of the DS record depends on how long
+ child zones are willing to be vulnerable after a key compromise. We
+ consider a signature validity period of around one week to be a good
+ compromise between the operational constraints of the parent and
+ minimising damage for the child.
+
+6. Security Considerations
+
+ DNSSEC adds data integrity to the DNS. This document tries to assess
+ considerations to operate a stable and secure DNSSEC service. Not
+ taking into account the 'data propagation' properties in the DNS will
+ cause validation failures and may make secured zones unavailable to
+ security aware resolvers.
+
+7. Acknowledgments
+
+ We, the folk mentioned as authors, only acted as editors. Most of the
+ ideas in this draft were the result of collective efforts during
+ workshops, discussions and try outs.
+
+ At the risk of forgetting individuals who where the original
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 17]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ contributors of the ideas we would like to acknowledge people who
+ where actively involved in the compilation of this document. In
+ random order: Olafur Gudmundsson, Wesley Griffin, Michael Richardson,
+ Scott Rose, Rick van Rein, Tim McGinnis, Gilles Guette and Olivier
+ Courtay, Sam Weiler.
+
+ Emma Bretherick and Adrian Bedford corrected many of the spelling and
+ style issues.
+
+ Kolkman and Gieben take the blame for introducing all miscakes(SIC).
+
+8. References
+
+8.1 Normative References
+
+ [1] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [2] Eastlake, D., "DNS Security Operational Considerations", RFC
+ 2541, March 1999.
+
+ [3] Lewis, E., "DNS Security Extension Clarification on Zone
+ Status", RFC 3090, March 2001.
+
+ [4] Lewis, E., Kolkman, O. and J. Schlyter, "KEY RR Key-Signing Key
+ (KSK) Flag", draft-ietf-dnsext-keyrr-key-signing-flag-06 (work
+ in progress), February 2003.
+
+8.2 Informative References
+
+ [5] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [6] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+ 2308, March 1998.
+
+ [7] Gudmundsson, O., "Delegation Signer Resource Record",
+ draft-ietf-dnsext-delegation-signer-13 (work in progress), March
+ 2003.
+
+ [8] Arends, R., "Protocol Modifications for the DNS Security
+ Extensions", draft-ietf-dnsext-dnssec-protocol-01 (work in
+ progress), March 2003.
+
+ [9] Lenstra, A. and E. Verheul, "Selecting Cryptographic Key Sizes",
+ The Journal of Cryptology 14 (255-293), 2001.
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 18]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+Authors' Addresses
+
+ Olaf M. Kolkman
+ RIPE NCC
+ Singel 256
+ Amsterdam 1016 AB
+ The Netherlands
+
+ Phone: +31 20 535 4444
+ EMail: olaf@ripe.net
+ URI: http://www.ripe.net/
+
+
+ Miek Gieben
+ NLnet Labs
+ Kruislaan 419
+ Amsterdam 1098 VA
+ The Netherlands
+
+ EMail: miek@nlnetlabs.nl
+ URI: http://www.nlnetlabs.nl
+
+Appendix A. Terminology
+
+ In this document there is some jargon used that is defined in other
+ documents. In most cases we have not copied the text from the
+ documents defining the terms but given a more elaborate explanation
+ of the meaning. Note that these explanations should not be seen as
+ authoritative.
+
+ Private and Public Keys: DNSSEC secures the DNS through the use of
+ public key cryptography. Public key cryptography is based on the
+ existence of two keys, a public key and a private key. The public
+ keys are published in the DNS by use of the DNSKEY Resource Record
+ (DNSKEY RR). Private keys should remain private i.e. should not be
+ exposed to parties not-authorised to do the actual signing.
+ Signer: The system that has access to the private key material and
+ signs the Resource Record sets in a zone. A signer may be
+ configured to sign only parts of the zone e.g. only those RRsets
+ for which existing signatures are about to expire.
+ KSK: A Key-Signing Key (KSK) is a key that is used exclusively for
+ signing the apex keyset. The fact that a key is a KSK is only
+ relevant to the signing tool.
+ ZSK: A Zone Signing Key (ZSK) is a key that is used for signing all
+ data in a zone. The fact that a key is a ZSK is only relevant to
+ the signing tool.
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 19]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ SEP Key: A KSK that has a parental DS record pointing to it. Note:
+ this is not enforced in the protocol. A SEP Key with no parental
+ DS is security lame.
+ Anchored Key: A DNSKEY configured in resolvers around the globe. This
+ Key is hard to update, hence the term anchored.
+ Bogus: [Editors Note: a reference here] An RRset in DNSSEC is marked
+ "Bogus" when a signature of a RRset does not validate against the
+ DNSKEY. Even if the key itself was not marked Bogus. A cache may
+ choose to cache Bogus data for various reasons.
+ Singing the Zone File: The term used for the event where an
+ administrator joyfully signs its zone file while producing melodic
+ sound patterns.
+ Zone Administrator: The 'role' that is responsible for signing a zone
+ and publishing it on the primary authoritative server.
+
+Appendix B. Zone-signing Key Rollover Howto
+
+ Using the pre-published signature scheme and the most conservative
+ method to assure oneself that data does not live in distant caches
+ here follows the "HOWTO". [WES: has some comments about this]
+ Key notation:
+ Step 0: The preparation: Create two keys and publish both in your
+ keyset. Mark one of the keys as "active" and the other as
+ "published". Use the "active" key for signing your zone data.
+ Store the private part of the "published" key, preferably
+ off-line.
+ Step 1: Determine expiration: At the beginning of the rollover make a
+ note of the highest expiration time of signatures in your zone
+ file created with the current key marked as "active".
+ Wait until the expiration time marked in Step 1 has passed
+ Step 2: Then start using the key that was marked as "published" to
+ sign your data i.e. mark it as "active". Stop using the key that
+ was marked as "active", mark it as "rolled".
+ Step 3: It is safe to engage in a new rollover (Step 1) after at
+ least one "signature validity period".
+
+Appendix C. Typographic Conventions
+
+ The following typographic conventions are used in this document:
+ Key notation: A key is denoted by KEYx, where x is a number, x could
+ be thought of as the key id.
+ RRset notations: RRs are only denoted by the type. All other
+ information - owner, class, rdata and TTL - is left out. Thus:
+ example.com 3600 IN A 192.168.1.1 is reduced to: A. RRsets are a
+ list of RRs. A example of this would be: A1,A2, specifying the
+ RRset containing two A records. This could again be abbreviated to
+ just: A.
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 20]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ Signature notation: Signatures are denoted as RRSIGx(RRset), which
+ means that RRset is signed with DNSKEYx.
+ Zone representation: Using the above notation we have simplified the
+ representation of a signed zone by leaving out all unnecessary
+ details such as the names and by representing all data by "SOAx"
+ SOA representation: SOA's are represented as SOAx, where x is the
+ serial number.
+ Using this notation the following zone :
+
+
+ example.net. 600 IN SOA ns.example.net. ernie.example.net. (
+ 10 ; serial
+ 450 ; refresh (7 minutes 30 seconds)
+ 600 ; retry (10 minutes)
+ 345600 ; expire (4 days)
+ 300 ; minimum (5 minutes)
+ )
+ 600 RRSIG SOA 5 2 600 20130522213204 (
+ 20130422213204 14 example.net.
+ cmL62SI6iAX46xGNQAdQ... )
+ 600 NS a.iana-servers.net.
+ 600 NS b.iana-servers.net.
+ 600 RRSIG NS 5 2 600 20130507213204 (
+ 20130407213204 14 example.net.
+ SO5epiJei19AjXoUpFnQ ... )
+ 3600 DNSKEY 256 3 5 (
+ EtRB9MP5/AvOuVO0I8XDxy0...
+ ) ; key id = 14
+ 3600 DNSKEY 256 3 5 (
+ gsPW/Yy19GzYIY+Gnr8HABU...
+ ) ; key id = 15
+ 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
+ 20130422213204 14 example.net.
+ J4zCe8QX4tXVGjV4e1r9... )
+ 3600 RRSIG DNSKEY 5 2 3600 20130522213204 (
+ 20130422213204 15 example.net.
+ keVDCOpsSeDReyV6O... )
+ 600 NSEC a.example.net. NS SOA TXT RRSIG DNSKEY NSEC
+ 600 RRSIG NSEC 5 2 600 20130507213204 (
+ 20130407213204 14 example.net.
+ obj3HEp1GjnmhRjX... )
+ a.example.net. 600 IN TXT "A label"
+ 600 RRSIG TXT 5 3 600 20130507213204 (
+ 20130407213204 14 example.net.
+ IkDMlRdYLmXH7QJnuF3v... )
+ 600 NSEC b.example.com. TXT RRSIG NSEC
+ 600 RRSIG NSEC 5 3 600 20130507213204 (
+ 20130407213204 14 example.net.
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 21]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ bZMjoZ3bHjnEz0nIsPMM... )
+
+ ...
+
+
+ is reduced to the following represenation:
+
+ SOA10
+ RRSIG14(SOA10)
+
+ DNSKEY14
+ DNSKEY15
+
+ RRSIG14(KEY)
+ RRSIG15(KEY)
+
+ The rest of the zone data has the same signature as the SOA record,
+ i.e a RRSIG created with DNSKEY 14.
+
+Appendix D. Document Details and Changes
+
+ This section is to be removed by the RFC editor if and when the
+ document is published.
+
+ $Header: /var/cvs/dnssec-key/
+ draft-ietf-dnsop-dnssec-operational-practices.xml,v 1.22 2004/05/12
+ 08:29:11 dnssec Exp $
+
+D.1 draft-ietf-dnsop-dnssec-operational-practices-00
+
+ Submission as working group document. This document is a modified and
+ updated version of draft-kolkman-dnssec-operational-practices-00.
+
+D.2 draft-ietf-dnsop-dnssec-operational-practices-01
+
+ changed the definition of "Bogus" to reflect the one in the protocol
+ draft.
+
+ Bad to Bogus
+
+ Style and spelling corrections
+
+ KSK - SEP mapping made explicit.
+
+ Updates from Sam Weiler added
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 22]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 23]
+
+Internet-Draft DNSSEC Operational Practices March 2004
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kolkman & Gieben Expires August 30, 2004 [Page 24]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt
new file mode 100644
index 0000000..42c3c0b
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-configuration-02.txt
@@ -0,0 +1,1321 @@
+
+DNS Operations WG
+Internet-Draft J. Jeong (ed.)
+ ETRI
+
+Expires: January 2005 18 July 2004
+
+
+ IPv6 Host Configuration of DNS Server Information Approaches
+ draft-ietf-dnsop-ipv6-dns-configuration-02.txt
+
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which we become aware will be disclosed, in accordance
+ with RFC3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 17, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document describes three approaches for IPv6 recursive DNS
+ server address configuration. It details the operational
+ attributes of three solutions: RA option, DHCPv6 option, and Well-
+ known anycast addresses for recursive DNS servers. Additionally,
+ it suggests four deployment scenarios considering multi-solution
+ resolution. Therefore, this document will give the audience a
+
+
+
+Jeong, et al. Expires - January 2005 [Page 1]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ guideline of IPv6 DNS configuration to select approaches suitable
+ for their host DNS configuration.
+
+Table of Contents
+
+ 1. Introduction...................................................3
+ 2. Terminology....................................................3
+ 3. IPv6 DNS Configuration Approaches..............................3
+ 3.1 RA Option..................................................3
+ 3.1.1 Advantages...........................................4
+ 3.1.2 Disadvantages........................................5
+ 3.1.3 Observations.........................................5
+ 3.2 DHCPv6 Option..............................................6
+ 3.2.1 Advantages...........................................7
+ 3.2.2 Disadvantages........................................8
+ 3.2.3 Observations.........................................9
+ 3.3 Well-known Anycast Addresses...............................9
+ 3.3.1 Advantages...........................................9
+ 3.3.2 Disadvantages.......................................10
+ 3.3.3 Observations........................................10
+ 4. Interworking among IPv6 DNS Configuration Approaches..........11
+ 5. Deployment Scenarios..........................................12
+ 5.1 ISP Network...............................................12
+ 5.1.1 RA Option Approach..................................12
+ 5.1.2 DHCPv6 Option Approach..............................13
+ 5.1.3 Well-known Addresses Approach.......................13
+ 5.2 Enterprise Network........................................14
+ 5.3 3GPP Network..............................................14
+ 5.3.1 Currently Available Mechanisms and Recommendations..15
+ 5.3.2 RA Extension........................................16
+ 5.3.3 Stateless DHCPv6....................................16
+ 5.3.4 Well-known Addresses................................17
+ 5.3.5 Recommendations.....................................17
+ 5.4 Unmanaged Network.........................................18
+ 5.4.1 Case A: Gateway does not provide IPv6 at all........18
+ 5.4.2 Case B: A dual-stack gateway connected to a dual-stack
+ ISP.........................................18
+ 5.4.3 Case C: A dual-stack gateway connected to an IPv4-only
+ ISP.........................................19
+ 5.4.4 Case D: A gateway connected to an IPv6-only ISP.....19
+ 6. Security Considerations.......................................19
+ 7. Acknowledgements..............................................19
+ 8. Normative References..........................................20
+ 9. Informative References........................................20
+ 10. Authors' Addresses...........................................21
+ Intellectual Property Statement..................................23
+ Full Copyright Statement.........................................23
+ Acknowledgement..................................................24
+
+
+Jeong, et al. Expires - January 2005 [Page 2]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+
+1. Introduction
+
+ Neighbor Discovery (ND) for IP Version 6 and IPv6 Stateless Address
+ Autoconfiguration provide ways to configure either fixed or mobile
+ nodes with one or more IPv6 addresses, default routes and some
+ other parameters [3][4]. To support access to additional services
+ in the Internet that are identified by a DNS name, such as a web
+ server, the configuration of at least one recursive DNS server is
+ also needed for DNS name resolution.
+
+ This document describes three approaches of recursive DNS server
+ address configuration for IPv6 host: (a) RA option [8], (b) DHCPv6
+ option [5]-[7], and (c) Well-known anycast addresses for recursive
+ DNS servers [9]. Also, it suggests applicable scenarios for four
+ kinds of networks: (a) ISP network, (b) Enterprise network, (c)
+ 3GPP network, and (d) Unmanaged network.
+
+ This document is just an analysis of each possible approach, and
+ does not make any recommendation on particular one or on a
+ combination of particular ones. Some approaches may even not be
+ adopted at all as a result of further discussion.
+
+ Therefore, the objective of this document is to help the audience
+ select approaches suitable for IPv6 host configuration of recursive
+ DNS server.
+
+2. Terminology
+
+ This document uses the terminology described in [3]-[9]. In
+ addition, a new term is defined below:
+
+ Recursive DNS Server (RDNSS) A Recursive DNS Server is a name
+ server that offers the recursive
+ service of DNS name resolution.
+
+3. IPv6 DNS Configuration Approaches
+
+ In this section, the operational attributes of three solutions are
+ described in detail.
+
+3.1 RA Option
+
+ RA approach is to define a new ND option called RDNSS option that
+ contains a recursive DNS server address. Existing ND transport
+ mechanisms (i.e., advertisements and solicitations) are used. This
+ works in the same way that nodes learn about routers and prefixes,
+ etc. An IPv6 host can configure the IPv6 addresses of one or more
+
+
+Jeong, et al. Expires - January 2005 [Page 3]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ RDNSSes via RA message periodically sent by router or solicited by
+ a Router Solicitation (RS) [8]. This approach needs RDNSS
+ information to be configured in the routers doing the
+ advertisements. The configuration of RDNSS address can be
+ performed manually by operator or other ways, such as automatic
+ configuration through DHCPv6 client running on the router. When
+ advertising more than one RDNSS options, an RA message includes as
+ many RDNSS options as RDNSSes. Through ND protocol and RDNSS
+ option along with prefix information option, an IPv6 host can
+ perform its network configuration of its IPv6 address and RDNSS
+ simultaneously [3][4]. The RA option for RDNSS can be used on any
+ network that supports the use of ND. However, RA approach performs
+ poorly in some wireless environments where RA message is used for
+ IPv6 address autoconfiguration, such as WLAN networks.
+
+ The RA approach is useful in some non-WLAN mobile environments
+ where the addresses of the RDNSSes are changing because the RA
+ option includes a lifetime field. This can be configured to a
+ value that will require the client to time out the entry and switch
+ over to another RDNSS address [8]. However, from the viewpoint of
+ implementation, lifetime would seem to make matters a bit more
+ complex. Instead of just writing DNS configuration file, such as
+ resolv.conf for the list of RDNSS addresses, we have to have a
+ daemon around (or a program that is called at the defined
+ intervals) that keeps monitoring the lifetime of RDNSSes all the
+ time.
+
+ The preference value of RDNSS, included in RDNSS option, allows
+ IPv6 hosts to select primary RDNSS among several RDNSSes; this can
+ be used for load balancing of RDNSSes [8].
+
+3.1.1 Advantages
+
+ The RA option for RDNSS has a number of advantages. These include:
+
+ 1) The RA option is an extension of existing ND/Autoconfig
+ mechanisms [3][4], and does not require a change in the base ND
+ protocol.
+
+ 2) This approach, like ND, works well on a variety of link types
+ including point-to-point links, point-to-multipoint, and multi-
+ point (i.e., Ethernet LANs), etc. RFC2461 [3] states, however,
+ that there may be some link type on which ND is not possible; on
+ such a link, some other mechanism will be needed for DNS
+ configuration.
+
+ 3) All of the information a host needs to run basic Internet
+ applications such as email, the web, ftp, etc., can be performed
+
+
+Jeong, et al. Expires - January 2005 [Page 4]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ with the addition of this option to ND and address auto-
+ configuration. The use of a single mechanism is more reliable and
+ easier to provide than when the RDNSS information is learned via
+ another protocol mechanism. Debugging problems when multiple
+ protocol mechanisms are being used is harder and much more complex.
+
+ 4) This mechanism works over a broad range of scenarios and
+ leverages IPv6 ND. This works well on links that support broadcast
+ reliably (e.g., Ethernet LANs) but not necessarily on other links
+ (e.g., Wireless LANs). Also, this works well on links that are
+ high performance (e.g., Ethernet LANs) and low performance (e.g.,
+ Cellular networks). In the latter case, combining the RDNSS
+ information with the other information in the RA, the host can
+ learn all of the information needed to use most Internet
+ applications such as the web in a single packet. This not only
+ saves bandwidth where this is an issue, but also minimizes the
+ delay to learn the RDNSS information.
+
+ 5) The RA approach could be used as a model for other similar types
+ of configuration information. New RA options for other server
+ addresses that are common to all clients on a subnet would be easy
+ to define. This includes things like NTP servers, SIP servers, etc.
+
+3.1.2 Disadvantages
+
+ 1) ND is mostly implemented in kernel part of operating system.
+ Therefore, if ND supports the configuration of some additional
+ services, such as DNS, NTP and SIP servers, ND should be extended
+ in kernel part. DHCPv6, however, has more flexibility for
+ extension of service discovery because it is an application layer
+ protocol.
+
+ 2) The current ND framework should be modified due to the
+ synchronization between another ND cache for RDNSSes in kernel
+ space and DNS configuration file in user space. Because it is
+ unacceptable to write and rewrite the DNS configuration file (e.g.,
+ resolv.conf) from the kernel, another approach is needed. One
+ simple approach to solve this is to have a daemon listening to what
+ the kernel conveys, and to have the daemon do these steps, but such
+ a daemon is not necessary with the current ND framework.
+
+ 3) It is necessary to configure RDNSS addresses at least at one
+ router on every link where this information needs to be configured
+ by RA option.
+
+3.1.3 Observations
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 5]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ The proposed RDNSS RA option along with IPv6 ND and Auto-
+ configuration allows a host to obtain all of the information it
+ needs to access basic Internet services like the web, email, ftp,
+ etc. This is preferable in environments where hosts use RAs to
+ autoconfigure their addresses and all hosts on the subnet share the
+ same router and server addresses. If the configuration information
+ can be obtained from a single mechanism, it is preferable because
+ it does not add additional delay, and it uses a minimum of
+ bandwidth. Environments like this include homes, public cellular
+ networks, and enterprise environments where no per host
+ configuration is needed, but exclude public WLAN hot spots.
+
+ DHCPv6 is preferable where it is being used for address
+ configuration and if there is a need for host specific
+ configuration [5]-[7]. Environments like this are most likely
+ enterprise environments where the local administration chooses to
+ have per host configuration control.
+
+ Note: the observation section is based on what the proponents of
+ each approach think makes a good overall solution.
+
+3.2 DHCPv6 Option
+
+ DHCPv6 [5] includes the "DNS Recursive Name Server" option, through
+ which a host can obtain a list of IP addresses of recursive DNS
+ servers [7]. The DNS Recursive Name Server option carries a list
+ of IPv6 addresses of RDNSSes to which the host may send DNS queries.
+ The DNS servers are listed in the order of preference for use by
+ the DNS resolver on the host.
+
+ The DNS Recursive Name Server option can be carried in any DHCPv6
+ Reply message, in response to either a Request or an Information-
+ request message. Thus, the DNS Recursive Name Server option can be
+ used either when DHCPv6 is used for address assignment, or when
+ DHCPv6 is used only for other configuration information as
+ stateless DHCPv6 [6].
+
+ Stateless DHCPv6 can be deployed either using DHCPv6 servers
+ running on general-purpose computers, or on router hardware.
+ Several router vendors currently implement stateless DHCPv6 servers.
+ Deploying stateless DHCPv6 in routers has the advantage that no
+ special hardware is required, and should work well for networks
+ where DHCPv6 is needed for very straightforward configuration of
+ network devices.
+
+ However, routers can also act as DHCPv6 relay agents. In this case,
+ the DHCPv6 server need not be on the router - it can be on a
+ general purpose computer. This has the potential to give the
+
+
+Jeong, et al. Expires - January 2005 [Page 6]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ operator of the DHCPv6 server more flexibility in how the DHCPv6
+ server responds to individual clients - clients can easily be given
+ different configuration information based on their identity, or for
+ any other reason. Nothing precludes adding this flexibility to a
+ router, but generally in current practice, DHCP servers running on
+ general-purpose hosts tend to have more configuration options than
+ those that are embedded in routers.
+
+ DHCPv6 currently provides a mechanism for reconfiguring DHCPv6
+ clients that use stateful configuration assignment. To do this,
+ the DHCPv6 server sends a Reconfigure message to the client. The
+ client validates the Reconfigure message, and then contacts the
+ DHCPv6 server to obtain updated configuration information. Using
+ this mechanism, it is currently possible to propagate new
+ configuration information to DHCPv6 clients as this information
+ changes.
+
+ The DHC Working Group is currently studying an additional mechanism
+ through which configuration information, including the list of
+ RDNSSes, can be updated. The Lifetime Option for DHCPv6 [10],
+ assigns a lifetime to configuration information obtained through
+ DHCPv6. At the expiration of the lifetime, the host contacts the
+ DHCPv6 server to obtain updated configuration information,
+ including the list of RDNSSes. This lifetime gives the network
+ administrator another mechanism to configure hosts with new RDNSSes
+ by controlling the time at which the host refreshes the list.
+
+ The DHC Working Group has also discussed the possibility of
+ defining an extension to DHCPv6 that would allow the use of
+ multicast to provide configuration information to multiple hosts
+ with a single DHCPv6 message. Because of the lack of deployment
+ experience, the WG has deferred consideration of multicast DHCPv6
+ configuration at this time. Experience with DHCPv4 has not
+ identified a requirement for multicast message delivery, even in
+ large service provider networks with tens of thousands of hosts
+ that may initiate a DHCPv4 message exchange simultaneously.
+
+3.2.1 Advantages
+
+ The DHCPv6 option for RDNSS has a number of advantages. These
+ include:
+
+ 1) DHCPv6 currently provides a general mechanism for conveying
+ network configuration information to clients. So configuring
+ DHCPv6 servers allows the network administrator to configure
+ RDNSSes along with the addresses of other network services, as well
+ as location-specific information like time zones.
+
+
+
+Jeong, et al. Expires - January 2005 [Page 7]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ 2) As a consequence, when the network administrator goes to
+ configure DHCPv6, all the configuration information can be managed
+ through a single service, typically with a single user interface
+ and a single configuration database.
+
+ 3) DHCPv6 allows for the configuration of a host with information
+ specific to that host, so that hosts on the same link can be
+ configured with different RDNSSes as well as other configuration
+ information. This capability is important in some network
+ deployments such as service provider networks or WiFi hot spots.
+
+ 4) A mechanism exists for extending DHCPv6 to support the
+ transmission of additional configuration that has not yet been
+ anticipated.
+
+ 5) Hosts that require other configuration information such as the
+ addresses of SIP servers and NTP servers are likely to need DHCPv6
+ for other configuration information.
+
+ 6) The specification for configuration of RDNSSes through DHCPv6 is
+ available as an RFC. No new protocol extensions such as new
+ options are necessary.
+
+ 7) Interoperability among independent implementations has been
+ demonstrated.
+
+3.2.2 Disadvantages
+
+ The DHCPv6 option for RDNSS has a few disadvantages. These
+ include:
+
+ 1) Update currently requires message from server (however, see
+ [10]).
+
+ 2) Because DNS information is not contained in RA message, the host
+ must receive two messages from the router, and must transmit at
+ least one message to the router. On networks where bandwidth is at
+ a premium, this is a disadvantage, although on most networks it is
+ not a practical concern.
+
+ 3) Increased latency for initial configuration - in addition to
+ waiting for an RA message, the client must now exchange packets
+ with a DHCPv6 server; even if it is locally installed on a router,
+ this will slightly extend the time required to configure the client.
+ For clients that are moving rapidly from one network to another,
+ this will be a disadvantage.
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 8]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+3.2.3 Observations
+
+ In the general case, on general-purpose networks, stateless DHCPv6
+ provides significant advantages and no significant disadvantages.
+ Even in the case where bandwidth is at a premium and low latency is
+ desired, if hosts require other configuration information in
+ addition to a list of RDNSSes or if hosts must be configured
+ selectively, those hosts will use DHCPv6 and the use of the DHCPv6
+ DNS recursive name server option will be advantageous.
+
+ However, we are aware of some applications where it would be
+ preferable to put the RDNSS information into an RA packet; for
+ example, on a cell phone network, where bandwidth is at a premium
+ and extremely low latency is desired. The final DNS configuration
+ draft should be written so as to allow these special applications
+ to be handled using DNS information in the RA packet.
+
+3.3 Well-known Anycast Addresses
+
+ First of all, the well-known anycast addresses approach is much
+ different from that discussed in IPv6 Working Group in the past.
+
+ The approach with well-known anycast addresses is to set well-known
+ anycast addresses in clients' resolver configuration files from the
+ beginning, say, as factory default. Thus, there is no transport
+ mechanism and no packet format [9].
+
+ An anycast address is an address shared by multiple servers (in
+ this case, the servers are RDNSSes). Request from a client to the
+ anycast address is routed to a server selected by the routing
+ system. However, it is a bad idea to mandate "site" boundary on
+ anycast addresses, because most users just do not have their own
+ servers and want to access their ISPs' across their site boundaries.
+ Larger sites may also depend on their ISPs or may have their own
+ RDNSSes within "site" boundaries.
+
+ It should be noted that "anycast" in this memo is simpler than that
+ of RFC1546 [11] and RFC3513 [12] where it is assumed to be
+ prohibited to have multiple servers on a single link sharing an
+ anycast address. That is, on a link, anycast address is assumed to
+ be unique. DNS clients today already have redundancy by having
+ multiple well-known anycast addresses configured as RDNSS addresses.
+ There is no point to have multiple RDNSSes sharing an anycast
+ address on a single link.
+
+3.3.1 Advantages
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 9]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ The basic advantage of the well-known addresses approach is that it
+ uses no transport mechanism. Thus,
+ 1) There is no delay to get response and no further delay by packet
+ losses.
+
+ 2) The approach can be combined with any other configuration
+ mechanisms including but not limited to factory default
+ configuration, RA-based approach and DHCP based approach.
+
+ 3) The approach works over any environment where DNS works.
+
+ Another advantage is that the approach needs to configure DNS
+ servers as a router, but nothing else. Considering that DNS
+ servers do need configuration, the amount of overall configuration
+ effort is proportional to the number of the DNS servers and scales
+ linearly. It should be noted that, in the simplest case where a
+ subscriber to an ISP does not have any DNS server, the subscriber
+ naturally access DNS servers of the ISP even though the subscriber
+ and the ISP do nothing and there is no protocol to exchange DNS
+ server information between the subscriber and the ISP.
+
+3.3.2 Disadvantages
+
+ Well-known anycast addresses approach requires that DNS servers (or
+ routers near it as a proxy) act as routers to advertise their
+ anycast addresses to the routing system, which requires some
+ configuration (see the last paragraph of the previous section on
+ the scalability of the effort).
+
+3.3.3 Observations
+
+ If other approaches are used in addition, the well-known anycast
+ addresses should also be set in RA or DHCP configuration files to
+ reduce configuration effort of users.
+
+ Redundancy by multiple RDNSSes is better provided by multiple
+ servers having different anycast addresses than multiple servers
+ sharing same anycast address because the former approach allows
+ stale servers to still generate routes to their anycast addresses.
+ Thus, in a routing domain (or domains sharing DNS servers), there
+ will be only one server having an anycast address unless the domain
+ is so large that load distribution is necessary.
+
+ Small ISPs will operate one RDNSS at each anycast address which is
+ shared by all the subscribers. Large ISPs may operate multiple
+ RDNSSes at each anycast address to distribute and reduce load,
+ where boundary between RDNSSes may be fixed (redundancy is still
+ provided by multiple addresses) or change dynamically. DNS packets
+
+
+Jeong, et al. Expires - January 2005 [Page 10]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ with the well-known anycast addresses are not expected (though not
+ prohibited) to cross ISP boundaries, as ISPs are expected to be
+ able to take care of themselves.
+
+ Because "anycast" in this memo is simpler than that of RFC1546 [11]
+ and RFC3513 [12] where it is assumed to be administratively
+ prohibited to have multiple servers on a single link sharing an
+ anycast address, anycast in this memo should be implemented as
+ UNICAST of RFC2461 [3] and RFC3513 [12]. As a result, ND-related
+ instability disappears. Thus, anycast in well-known anycast
+ addresses approach can and should use the anycast address as a
+ source unicast (according to RFC3513 [12]) address of packets of
+ UDP and TCP responses. With TCP, if route flips and packets to an
+ anycast address are routed to a new server, it is expected that the
+ flip is detected by ICMP or sequence number inconsistency and the
+ TCP connection is reset and retried.
+
+4. Interworking among IPv6 DNS Configuration Approaches
+
+ Three approaches can work together for IPv6 host configuration of
+ RDNSS. This section shows a consideration on how these approaches
+ can interwork each other.
+
+ For ordering between RA and DHCP approaches, O (Other stateful
+ configuration) flag in RA message can be used [8]. If no RDNSS
+ option is included, an IPv6 Host may perform DNS configuration
+ through DHCPv6 [5]-[7] regardless of whether the O flag is set or
+ not.
+
+ The well-known anycast addresses approach fully interworks with the
+ other approaches. That is, the other approaches can remove
+ configuration effort on servers by using the well-known addresses
+ as the default configuration. Moreover, clients preconfigured with
+ well-known anycast addresses can be further configured to use other
+ approaches to override the well-known addresses, if configuration
+ information from other approaches are available. That is, all the
+ clients should have the well-known anycast addresses preconfigured,
+ in the case where there are no other mechanisms available. In
+ order to fly anycast approach with the other solutions, there are
+ three options.
+
+ The first option is that well-known addresses are used as last
+ resort, when an IPv6 host can not get RDNSS information through RA
+ and DHCP. The well-known anycast addresses have to be pre-
+ configured in IPv6 hosts' resolver configuration files.
+
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 11]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ The second is that an IPv6 host can configure well-known addresses
+ as the most preferable in its configuration file even though either
+ RA option or DHCP option is available.
+
+ The last is that the well-known anycast addresses can be set in RA
+ or DHCP configuration to reduce configuration effort of users.
+ According to either RA or DHCP mechanism, the well-known addresses
+ can be obtained by IPv6 host. Because this approach is the most
+ convenient for users, the last option is recommended.
+
+ Note: this section does not necessarily mean this document suggests
+ adopting all these three approaches and making them interwork in
+ the way described here. In fact, some approaches may even not be
+ adopted at all as a result of further discussion.
+
+5. Deployment Scenarios
+
+ Regarding DNS configuration on the IPv6 host, several mechanisms
+ have being considered at the DNSOP Working Group such as RA option,
+ DHCPv6 option and well-known preconfigured anycast addresses as of
+ today, and this document is a final result from the long thread.
+ In this section, we suggest four applicable scenarios of three
+ approaches for IPv6 DNS configuration.
+
+ Note: in the applicable scenarios, authors do not implicitly push
+ any specific approaches into the restricted environments. No
+ enforcement is in each scenario and all mentioned scenarios are
+ probable. The main objective of this work is to provide a useful
+ guideline of IPv6 DNS configuration.
+
+5.1 ISP Network
+
+ A characteristic of ISP network is that multiple Customer Premises
+ Equipment (CPE) devices are connected to IPv6 PE (Provider Edge)
+ routers and each PE connects multiple CPE devices to the backbone
+ network infrastructure [13]. The CPEs may be hosts or routers.
+
+ In the case where the CPE is a router, there is a customer network
+ that is connected to the ISP backbone through the CPE. Typically,
+ each customer network gets a different IPv6 prefix from an IPv6 PE
+ router, but the same RDNSS configuration will be distributed.
+
+ This section discusses how the different approaches to distributing
+ DNS information are compared in an ISP network.
+
+5.1.1 RA Option Approach
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 12]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ When the CPE is a host, the RA option for RDNSS can be used to
+ allow the CPE to get RDNSS information as well as /64 prefix
+ information for stateless address autoconfiguration at the same
+ time when the host is attached to a new subnet [8]. Because an
+ IPv6 host must receive at least one RA message for stateless
+ address autoconfiguration and router configuration, the host could
+ receive RDNSS configuration information in that RA without the
+ overhead of an additional message exchange.
+
+ When the CPE is a router, the CPE may accept the RDNSS information
+ from the RA on the interface connected to the ISP, and copy that
+ information into the RAs advertised in the customer network.
+
+ This approach is more valuable in the mobile host scenario, in
+ which the host must receive at least an RA message for detecting a
+ new network, than in other scenarios generally although
+ administrator should configure RDNSS information on the routers.
+ Secure ND [14] can provide extended security when using RA message.
+
+5.1.2 DHCPv6 Option Approach
+
+ DHCPv6 can be used for RDNSS configuration through the use of the
+ DNS option, and can provide other configuration information in the
+ same message with RDNSS configuration [5]-[7]. DHCPv6 DNS option
+ is already in place for DHCPv6 as RFC 3646 [7] and moreover DHCPv6-
+ lite or stateless DHCP [6] is nowhere as complex as a full DHCPv6
+ implementation. DHCP is a client-server model protocol, so ISP can
+ handle user identification on its network intentionally, and also
+ authenticated DHCP [15] can be used for secure message exchange.
+
+ The expected model for deployment of IPv6 service by ISPs is to
+ assign a prefix to each customer, which will be used by the
+ customer gateway to assign a /64 prefix to each network in the
+ customer's network. Prefix delegation with DHCP (DHCPv6 PD) has
+ already been adopted by ISPs for automating the assignment of the
+ customer prefix to the customer gateway [17]. DNS configuration
+ can be carried in the same DHCPv6 message exchange used for DHCPv6
+ to efficiently provide that information, along with any other
+ configuration information needed by the customer gateway or
+ customer network. This service model can be useful to Home or SOHO
+ subscribers. The Home or SOHO gateway, which is a customer gateway
+ for ISP, can then pass that RDNSS configuration information to the
+ hosts in the customer network through DHCP.
+
+5.1.3 Well-known Addresses Approach
+
+ Well-known anycast addresses approach is also a feasible and simple
+ mechanism for ISP [9]. The use of well-known anycast addresses
+
+
+Jeong, et al. Expires - January 2005 [Page 13]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ avoids some of the security risks in rogue messages sent through an
+ external protocol like RA or DHCPv6. The configuration of hosts
+ for the use of well-known anycast addresses requires no protocol or
+ manual configuration, but the configuration of routing for the
+ anycast addresses requires intervention on the part of the network
+ administrator. Also, the number of special addresses would be
+ equal to the number of RDNSSes that could be made available to
+ subscribers.
+
+5.2 Enterprise Network
+
+ Enterprise network is defined as a network that has multiple
+ internal links, one or more router connections, to one or more
+ Providers and is actively managed by a network operations entity
+ [16]. An enterprise network can get network prefixes from ISP by
+ either manual configuration or prefix delegation [17]. In most
+ cases, because an enterprise network manages its own DNS domains,
+ it operates its own DNS servers for the domains. These DNS servers
+ within enterprise network process recursive DNS name resolution
+ requests of IPv6 hosts as RDNSS. RDNSS configuration in enterprise
+ network can be performed like in Section 4, in which three
+ approaches can be used together.
+
+ IPv6 host can decide which approach is or may be used in its subnet
+ with O flag in RA message [8]. As the first option in Section 4,
+ well-known anycast addresses can be used as a last resort when
+ RDNSS information can not be obtained through either RA option or
+ DHCP option. This case needs IPv6 hosts to preconfigure the well-
+ known anycast addresses in their DNS configuration files.
+
+ When the enterprise prefers well-known anycast approach to the
+ others, IPv6 hosts should preconfigure the well-known anycast
+ addresses like in the first option.
+
+ The last option, a more convenient and transparent way, does not
+ need IPv6 hosts to preconfigure the well-known anycast addresses
+ because the addresses are delivered to IPv6 hosts through either RA
+ option or DHCPv6 option as if they were unicast addresses. This
+ way is most recommended for the sake of user's convenience.
+
+5.3 3GPP Network
+
+ IPv6 DNS configuration is a missing part of IPv6 autoconfiguration
+ and an important part of the basic IPv6 functionality in the 3GPP
+ User Equipment (UE). Higher level description of the 3GPP
+ architecture can be found in [18], and transition to IPv6 in 3GPP
+ networks is analyzed in [19] and [20].
+
+
+
+Jeong, et al. Expires - January 2005 [Page 14]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ In 3GPP architecture, there is a dedicated link between the UE and
+ the GGSN called the Packet Data Protocol (PDP) Context. This link
+ is created through the PDP Context activation procedure [21].
+ There is a separate PDP context type for IPv4 and IPv6 traffic. If
+ a 3GPP UE user is communicating using IPv6 (having an active IPv6
+ PDP context), it can not be assumed that (s)he has simultaneously
+ active IPv4 PDP context, and DNS queries could be done using IPv4.
+ A 3GPP UE can thus be an IPv6 node, and it needs to somehow
+ discover the address of the RDNSS. Before IP-based services (e.g.,
+ web browsing or e-mail) can be used, the IPv6 (and IPv4) RDNSS
+ addresses need to be discovered in the 3GPP UE.
+
+ Section 5.3.1 briefly summarizes currently available mechanisms in
+ 3GPP networks and recommendations. 5.3.2 analyzes the Router
+ Advertisement based solution, 5.3.3 analyzes the Stateless DHCPv6
+ mechanism, and 5.3.4 analyzes the Well-known addresses approach.
+ Section 5.3.5 finally summarizes the recommendations.
+
+5.3.1 Currently Available Mechanisms and Recommendations
+
+ 3GPP has defined a mechanism, in which RDNSS addresses can be
+ received in the PDP context activation (a control plane mechanism).
+ That is called the Protocol Configuration Options Information
+ Element (PCO-IE) mechanism [22]. The RDNSS addresses can also be
+ received over the air (using text messages), or typed in manually
+ in the UE. Note that the two last mechanisms are not very well
+ scalable. The UE user most probably does not want to type IPv6
+ RDNSS addresses manually in his/her UE. The use of well-known
+ addresses is briefly discussed in section 5.3.4.
+
+ It is seen that the mechanisms above most probably are not
+ sufficient for the 3GPP environment. IPv6 is intended to operate
+ in a zero-configuration manner, no matter what the underlying
+ network infrastructure is. Typically, the RDNSS address is needed
+ to make an IPv6 node operational - and the DNS configuration should
+ be as simple as the address autoconfiguration mechanism. It must
+ also be noted that there will be additional IP interfaces in some
+ near future 3GPP UEs, e.g., Wireless LAN (WLAN), and 3GPP-specific
+ DNS configuration mechanisms (such as PCO-IE [22]) do not work for
+ those IP interfaces. In other words, a good IPv6 DNS configuration
+ mechanism should also work in a multi-access network environment.
+
+ From 3GPP point of view, the best IPv6 DNS configuration solution
+ is feasible for a very large number of IPv6-capable UEs (can be
+ even hundreds of millions in one operator's network), is automatic
+ and thus requires no user action. It is suggested to standardize a
+ lightweight, stateless mechanism that works in all network
+ environments. The solution could then be used for 3GPP, 3GPP2,
+
+
+Jeong, et al. Expires - January 2005 [Page 15]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ WLAN and other access network technologies. A light, stateless
+ IPv6 DNS configuration mechanism is thus not only needed in 3GPP
+ networks, but also 3GPP networks and UEs would certainly benefit
+ from the new mechanism.
+
+5.3.2 RA Extension
+
+ Router Advertisement extension [8] is a lightweight IPv6 DNS
+ configuration mechanism that requires minor changes in 3GPP UE IPv6
+ stack and Gateway GPRS Support Node (GGSN, the default router in
+ the 3GPP architecture) IPv6 stack. This solution can be specified
+ in the IETF (no action needed in the 3GPP) and taken in use in 3GPP
+ UEs and GGSNs.
+
+ In this solution, an IPv6-capable UE configures DNS information
+ via RA message sent by its default router (GGSN), i.e., RDNSS
+ option for recursive DNS server is included in the RA message.
+ This solution is easily scalable for a very large number of UEs.
+ The operator can configure the RDNSS addresses in the GGSN as a
+ part of normal GGSN configuration. The IPv6 RDNSS address is
+ received in the Router Advertisement, and an extra Round Trip Time
+ (RTT) for asking RDNSS addresses can be avoided.
+
+ If thinking about cons, this mechanism still requires
+ standardization effort in the IETF, and the end nodes and routers
+ need to support this mechanism. The equipment software update
+ should, however, be pretty straightforward, and new IPv6 equipment
+ could support RA extension already from the beginning.
+
+5.3.3 Stateless DHCPv6
+
+ DHCPv6-based solution needs the implementation of Stateless DHCP
+ [6] and DHCPv6 DNS options [7] in the UE, and a DHCPv6 server in
+ the operator's network. A possible configuration is such that the
+ GGSN works as a DHCP relay.
+
+ Pros for Stateless DHCPv6-based solution are
+ 1) Stateless DHCPv6 is a standardized mechanism.
+
+ 2) DHCPv6 can be used for receiving other configuration information
+ than RDNSS addresses, e.g., SIP server addresses.
+
+ 3) DHCPv6 works in different network environments.
+
+ 4) When DHCPv6 service is deployed through a single, centralized
+ server, the RDNSS configuration information can be updated by the
+ network administrator at a single source.
+
+
+
+Jeong, et al. Expires - January 2005 [Page 16]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ Some issues with DHCPv6 in 3GPP networks are listed below:
+ 1) DHCPv6 requires an additional server in the network unless the
+ (Stateless) DHCPv6 functionality is integrated into an existing
+ router already, and it is one box more to be maintained.
+
+ 2) DHCPv6 is not necessarily needed for 3GPP UE IPv6 addressing
+ (3GPP Stateless Address Autoconfiguration is typically used), and
+ not automatically implemented in 3GPP IPv6 UEs.
+
+ 3) Scalability and reliability of DHCPv6 in very large 3GPP
+ networks (with tens or hundreds of millions of UEs) may be an issue,
+ at least the redundancy needs to be taken care of. However, if the
+ DHCPv6 service is integrated into the network elements, such as
+ router operating system, scalability and reliability is comparable
+ with other DNS configuration approaches.
+
+ 4) It is sub-optimal to utilize the radio resources in 3GPP
+ networks for DHCPv6 messages if there is a simpler alternative
+ available.
+
+ a) Use of Stateless DHCPv6 adds one round trip delay to the case
+ in which the UE can start transmitting data right after the
+ Router Advertisement.
+
+ 5) If the DNS information (suddenly) changes, Stateless DHCPv6 can
+ not automatically update the UE, see [23].
+
+5.3.4 Well-known Addresses
+
+ Using well-known addresses is also a feasible and a light mechanism
+ for 3GPP UEs. Those well-known addresses can be preconfigured in
+ the UE software and the operator makes the corresponding
+ configuration on the network side. So this is a very easy
+ mechanism for the UE, but requires some configuration work in the
+ network. When using well-known addresses, UE forwards queries to
+ any of the preconfigured addresses. In the current proposal [9],
+ IPv6 anycast addresses are suggested.
+
+ Note: IPv6 DNS configuration proposal based on the use of well-
+ known site-local addresses developed at the IPv6 Working Group was
+ seen as a feasible mechanism for 3GPP UEs, but opposition by some
+ people in the IETF and finally deprecating IPv6 site-local
+ addresses made it impossible to standardize it. Note that this
+ mechanism is implemented in some existing operating systems today
+ (also in some 3GPP UEs) as a last resort of IPv6 DNS configuration.
+
+5.3.5 Recommendations
+
+
+
+Jeong, et al. Expires - January 2005 [Page 17]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ It is suggested that a lightweight, stateless DNS configuration
+ mechanism is specified as soon as possible. From 3GPP UE's and
+ networks' point of view, Router Advertisement based mechanism looks
+ most promising. The sooner a light, stateless mechanism is
+ specified, the sooner we can get rid of using well-known site-local
+ addresses for IPv6 DNS configuration.
+
+5.4 Unmanaged Network
+
+ There are 4 deployment scenarios of interest in unmanaged networks
+ [24]:
+
+ 1) A gateway which does not provide IPv6 at all;
+
+ 2) A dual-stack gateway connected to a dual-stack ISP;
+
+ 3) A dual-stack gateway connected to an IPv4-only ISP; and
+
+ 4) A gateway connected to an IPv6-only ISP.
+
+5.4.1 Case A: Gateway does not provide IPv6 at all
+
+ In this case, the gateway does not provide IPv6; the ISP may or may
+ not provide IPv6. Automatic or Configured tunnels are the
+ recommended transition mechanisms for this scenario.
+
+ The case where dual-stack hosts behind an NAT, that need access to
+ an IPv6 RDNSS, can not be entirely ruled out. The DNS
+ configuration mechanism has to work over the tunnel, and the
+ underlying tunneling mechanism could be implementing NAT traversal.
+ The tunnel server assumes the role of a relay (both for DHCP and
+ Well-known anycast addresses approaches).
+
+ RA-based mechanism is relatively straightforward in its operation,
+ assuming the tunnel server is also the IPv6 router emitting RAs.
+ Well-known anycast addresses approach seems also simple in
+ operation across the tunnel, but the deployment model using Well-
+ known anycast addresses in a tunneled environment is unclear or not
+ well understood.
+
+5.4.2 Case B: A dual-stack gateway connected to a dual-stack ISP
+
+ This is similar to a typical IPv4 home user scenario, where DNS
+ configuration parameters are obtained using DHCP. Except that
+ Stateless DHCPv6 is used, as opposed to the IPv4 scenario where the
+ DHCP server is stateful (maintains the state for clients).
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 18]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+5.4.3 Case C: A dual-stack gateway connected to an IPv4-only ISP
+
+ This is similar to Case B. If a gateway provides IPv6 connectivity
+ by managing tunnels, then it is also supposed to provide access to
+ an RDNSS. Like this, the tunnel for IPv6 connectivity originates
+ from the dual-stack gateway instead of the host.
+
+5.4.4 Case D: A gateway connected to an IPv6-only ISP
+
+ This is similar to Case B.
+
+6. Security Considerations
+
+ As security requirements depend solely on applications and are
+ different application by application, there can be no generic
+ requirement defined at higher IP or lower application layer of DNS.
+
+ However, it should be noted that cryptographic security requires
+ configured secret information that full autoconfiguration and
+ cryptographic security are mutually exclusive. People insisting on
+ secure full autoconfiguration will get false security, false
+ autoconfiguration or both.
+
+ In some deployment scenario [19], where cryptographic security is
+ required for applications, secret information for the cryptographic
+ security is preconfigured through which application specific
+ configuration data, including those for DNS, can be securely
+ configured. It should be noted that if applications requiring
+ cryptographic security depend on DNS, the applications also require
+ cryptographic security to DNS. Therefore, the full auto-
+ configuration of DNS is not acceptable.
+
+ However, with full autoconfiguration, weaker but still reasonable
+ security is being widely accepted and will continue to be
+ acceptable. That is, with full autoconfiguration, which means
+ there is no cryptographic security for the autoconfiguration, it is
+ already assumed that local environment is secure enough that
+ information from local autoconfiguration server has acceptable
+ security even without cryptographic security. Thus, communication
+ between a local DNS client and a local DNS server has the
+ acceptable security.
+
+ For security considerations of each approach, refer to the
+ corresponding drafts [5]-[9].
+
+7. Acknowledgements
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 19]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ This draft has greatly benefited from inputs by David Meyer, Rob
+ Austein, Tatuya Jinmei, Pekka Savola, Tim Chown, Luc Beloeil,
+ Christian Huitema, and Thomas Narten. The authors appreciate their
+ contribution.
+
+8. Normative References
+
+ [1] S. Bradner, "Intellectual Property Rights in IETF Technology",
+ RFC 3668, February 2004.
+
+ [2] S. Bradner, "IETF Rights in Contributions", RFC 3667, February
+ 2004.
+
+ [3] T. Narten, E. Nordmark and W. Simpson, "Neighbor Discovery for
+ IP Version 6 (IPv6)", RFC 2461, December 1998.
+
+ [4] S. Thomson and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+ [5] R. Droms et al., "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+ [6] R. Droms, "Stateless Dynamic Host Configuration Protocol
+ (DHCP) Service for IPv6", RFC 3736, April 2004.
+
+ [7] R. Droms et al., "DNS Configuration options for Dynamic Host
+ Configuration Protocol for IPv6 (DHCPv6)", RFC 3646, December
+ 2003.
+
+9. Informative References
+
+ [8] J. Jeong, S. Park, L. Beloeil and S. Madanapalli, "IPv6 DNS
+ Discovery based on Router Advertisement", draft-jeong-dnsop-
+ ipv6-dns-discovery-02.txt, July 2004.
+
+ [9] M. Ohta, "Preconfigured DNS Server Addresses", draft-ohta-
+ preconfigured-dns-01.txt, February 2004.
+
+ [10] S. Venaas and T. Chown, "Lifetime Option for DHCPv6", draft-
+ ietf-dhc-lifetime-00.txt, March 2004.
+
+ [11] C. Partridge, T. Mendez and W. Milliken, "Host Anycasting
+ Service", RFC 1546, November 1993.
+
+ [12] R. Hinden and S. Deering, "Internet Protocol Version 6 (IPv6)
+ Addressing Architecture", RFC 3513, April 2003.
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 20]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ [13] M. Lind et al., "Scenarios and Analysis for Introduction IPv6
+ into ISP Networks", draft-ietf-v6ops-isp-scenarios-analysis-
+ 02.txt, April 2004.
+
+ [14] J. Arkko et al., "SEcure Neighbor Discovery (SEND)", draft-
+ ietf-send-ndopt-05.txt, April 2004.
+
+ [15] R. Droms and W. Arbaugh, "Authentication for DHCP Messages",
+ RFC 3118, June 2001.
+
+ [16] J. Bound et al., "IPv6 Enterprise Network Scenarios", draft-
+ ietf-v6ops-ent-scenarios-01.txt, February 2004.
+
+ [17] O. Troan and R. Droms, "IPv6 Prefix Options for Dynamic Host
+ Configuration Protocol (DHCP) version 6", RFC 3633, December
+ 2003.
+
+ [18] M. Wasserman, Ed., "Recommendations for IPv6 in 3GPP
+ Standards", RFC 3314, September 2002.
+
+ [19] J. Soininen, Ed., "Transition Scenarios for 3GPP Networks",
+ RFC 3574, August 2003.
+
+ [20] J. Wiljakka, Ed., "Analysis on IPv6 Transition in 3GPP
+ Networks", draft-ietf-v6ops-3gpp-analysis-09.txt, March 2004.
+
+ [21] 3GPP TS 23.060 V5.4.0, "General Packet Radio Service (GPRS);
+ Service description; Stage 2 (Release 5)", December 2002.
+
+ [22] 3GPP TS 24.008 V5.8.0, "Mobile radio interface Layer 3
+ specification; Core network protocols; Stage 3 (Release 5)",
+ June 2003.
+
+ [23] T. Chown, S. Venaas and A. Vijayabhaskar, "Renumbering
+ Requirements for Stateless DHCPv6", draft-ietf-dhc-stateless-
+ dhcpv6-renumbering-00.txt, March 2004.
+
+ [24] C. Huitema et al., "Unmanaged Networks IPv6 Transition
+ Scenarios", RFC 3750, April 2004.
+
+10. Authors' Addresses
+
+ Jaehoon Paul Jeong, Editor
+ ETRI / PEC
+ 161 Gajeong-dong, Yuseong-gu
+ Daejeon 305-350
+ Korea
+
+
+
+Jeong, et al. Expires - January 2005 [Page 21]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ Phone: +82 42 860 1664
+ Fax: +82 42 861 5404
+ EMail: paul@etri.re.kr
+
+ Ralph Droms
+ Cisco Systems
+ 1414 Massachusetts Ave.
+ Boxboro, MA 01719
+ USA
+
+ Phone: +1 978 936 1674
+ EMail: rdroms@cisco.com
+
+ Robert M. Hinden
+ Nokia
+ 313 Fairchild Drive
+ Mountain View, CA 94043
+ USA
+
+ Phone: +1 650 625 2004
+ EMail: bob.hinden@nokia.com
+
+ Ted Lemon
+ Nominum, Inc.
+ 950 Charter Street
+ Redwood City, CA 94043
+ USA
+
+ EMail: Ted.Lemon@nominum.com
+
+ Masataka Ohta
+ Graduate School of Information Science and Engineering
+ Tokyo Institute of Technology
+ 2-12-1, O-okayama, Meguro-ku
+ Tokyo 152-8552
+ Japan
+
+ Phone: +81 3 5734 3299
+ Fax: +81 3 5734 3299
+ EMail: mohta@necom830.hpcl.titech.ac.jp
+
+ Soohong Daniel Park
+ Mobile Platform Laboratory, SAMSUNG Electronics
+ 416, Maetan-3dong, Paldal-gu, Suwon
+ Gyeonggi-Do
+ Korea
+
+ Phone: +82 31 200 4508
+
+
+Jeong, et al. Expires - January 2005 [Page 22]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ EMail: soohong.park@samsung.com
+
+ Suresh Satapati
+ Cisco Systems, Inc.
+ San Jose, CA 95134
+ USA
+
+ EMail: satapati@cisco.com
+
+ Juha Wiljakka
+ Nokia
+ Visiokatu 3
+ FIN-33720 TAMPERE
+ Finland
+
+ Phone: +358 7180 48372
+ EMail: juha.wiljakka@nokia.com
+
+Intellectual Property Statement
+
+ The following intellectual property notice is copied from RFC3668,
+ Section 5.
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed
+ to pertain to the implementation or use of the technology described
+ in this document or the extent to which any license under such
+ rights might or might not be available; nor does it represent that
+ it has made any independent effort to identify any such rights.
+ Information on the procedures with respect to rights in RFC
+ documents can be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use
+ of such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository
+ at http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Full Copyright Statement
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 23]
+
+Internet-Draft IPv6 Host Configuration of DNS Server July 2004
+
+
+ The following copyright notice is copied from RFC3667, Section 5.4.
+ It describes the applicable copyright for this document.
+
+ Copyright (C) The Internet Society (2004). This document is
+ subject to the rights, licenses and restrictions contained in BCP
+ 78, and except as set forth therein, the authors retain all their
+ rights.
+
+ This document and the information contained herein are provided on
+ an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
+ REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
+ THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
+ THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
+ ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
+ PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Jeong, et al. Expires - January 2005 [Page 24]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt
new file mode 100644
index 0000000..b14f711
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-dns-issues-09.txt
@@ -0,0 +1,1969 @@
+
+
+DNS Operations WG A. Durand
+Internet-Draft SUN Microsystems, Inc.
+Expires: February 7, 2005 J. Ihren
+ Autonomica
+ P. Savola
+ CSC/FUNET
+ August 9, 2004
+
+
+
+ Operational Considerations and Issues with IPv6 DNS
+ draft-ietf-dnsop-ipv6-dns-issues-09.txt
+
+
+Status of this Memo
+
+
+ This document is an Internet-Draft and is subject to all provisions
+ of section 3 of RFC 3667. By submitting this Internet-Draft, each
+ author represents that any applicable patent or other IPR claims of
+ which he or she is aware have been or will be disclosed, and any of
+ which he or she become aware will be disclosed, in accordance with
+ RFC 3668.
+
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+ This Internet-Draft will expire on February 7, 2005.
+
+
+Copyright Notice
+
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+
+Abstract
+
+
+ This memo presents operational considerations and issues with IPv6
+ Domain Name System (DNS), including a summary of special IPv6
+ addresses, documentation of known DNS implementation misbehaviour,
+ recommendations and considerations on how to perform DNS naming for
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 1]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ service provisioning and for DNS resolver IPv6 support,
+ considerations for DNS updates for both the forward and reverse
+ trees, and miscellaneous issues. This memo is aimed to include a
+ summary of information about IPv6 DNS considerations for those who
+ have experience with IPv4 DNS.
+
+
+Table of Contents
+
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1 Representing IPv6 Addresses in DNS Records . . . . . . . . 4
+ 1.2 Independence of DNS Transport and DNS Records . . . . . . 4
+ 1.3 Avoiding IPv4/IPv6 Name Space Fragmentation . . . . . . . 5
+ 1.4 Query Type '*' and A/AAAA Records . . . . . . . . . . . . 5
+ 2. DNS Considerations about Special IPv6 Addresses . . . . . . . 5
+ 2.1 Limited-scope Addresses . . . . . . . . . . . . . . . . . 6
+ 2.2 Temporary Addresses . . . . . . . . . . . . . . . . . . . 6
+ 2.3 6to4 Addresses . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.4 Other Transition Mechanisms . . . . . . . . . . . . . . . 6
+ 3. Observed DNS Implementation Misbehaviour . . . . . . . . . . . 7
+ 3.1 Misbehaviour of DNS Servers and Load-balancers . . . . . . 7
+ 3.2 Misbehaviour of DNS Resolvers . . . . . . . . . . . . . . 7
+ 4. Recommendations for Service Provisioning using DNS . . . . . . 8
+ 4.1 Use of Service Names instead of Node Names . . . . . . . . 8
+ 4.2 Separate vs the Same Service Names for IPv4 and IPv6 . . . 8
+ 4.3 Adding the Records Only when Fully IPv6-enabled . . . . . 9
+ 4.4 Behaviour of Additional Data in IPv4/IPv6 Environments . . 10
+ 4.4.1 Description of Additional Data Scenarios . . . . . . . 10
+ 4.4.2 Discussion of the Problems . . . . . . . . . . . . . . 11
+ 4.5 The Use of TTL for IPv4 and IPv6 RRs . . . . . . . . . . . 12
+ 4.6 IPv6 Transport Guidelines for DNS Servers . . . . . . . . 13
+ 5. Recommendations for DNS Resolver IPv6 Support . . . . . . . . 13
+ 5.1 DNS Lookups May Query IPv6 Records Prematurely . . . . . . 14
+ 5.2 Obtaining a List of DNS Recursive Resolvers . . . . . . . 15
+ 5.3 IPv6 Transport Guidelines for Resolvers . . . . . . . . . 16
+ 6. Considerations about Forward DNS Updating . . . . . . . . . . 16
+ 6.1 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 16
+ 6.2 Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . 17
+ 7. Considerations about Reverse DNS Updating . . . . . . . . . . 18
+ 7.1 Applicability of Reverse DNS . . . . . . . . . . . . . . . 18
+ 7.2 Manual or Custom DNS Updates . . . . . . . . . . . . . . . 19
+ 7.3 DDNS with Stateless Address Autoconfiguration . . . . . . 19
+ 7.4 DDNS with DHCP . . . . . . . . . . . . . . . . . . . . . . 20
+ 7.5 DDNS with Dynamic Prefix Delegation . . . . . . . . . . . 21
+ 8. Miscellaneous DNS Considerations . . . . . . . . . . . . . . . 22
+ 8.1 NAT-PT with DNS-ALG . . . . . . . . . . . . . . . . . . . 22
+ 8.2 Renumbering Procedures and Applications' Use of DNS . . . 22
+ 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . 22
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 2]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 11.1 Normative References . . . . . . . . . . . . . . . . . . . . 23
+ 11.2 Informative References . . . . . . . . . . . . . . . . . . . 25
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 27
+ A. Site-local Addressing Considerations for DNS . . . . . . . . . 28
+ B. Issues about Additional Data or TTL . . . . . . . . . . . . . 28
+ Intellectual Property and Copyright Statements . . . . . . . . 30
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 3]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+1. Introduction
+
+
+ This memo presents operational considerations and issues with IPv6
+ DNS; it is meant to be an extensive summary and a list of pointers
+ for more information about IPv6 DNS considerations for those with
+ experience with IPv4 DNS.
+
+
+ The purpose of this document is to give information about various
+ issues and considerations related to DNS operations with IPv6; it is
+ not meant to be a normative specification or standard for IPv6 DNS.
+
+
+ The first section gives a brief overview of how IPv6 addresses and
+ names are represented in the DNS, how transport protocols and
+ resource records (don't) relate, and what IPv4/IPv6 name space
+ fragmentation means and how to avoid it; all of these are described
+ at more length in other documents.
+
+
+ The second section summarizes the special IPv6 address types and how
+ they relate to DNS. The third section describes observed DNS
+ implementation misbehaviours which have a varying effect on the use
+ of IPv6 records with DNS. The fourth section lists recommendations
+ and considerations for provisioning services with DNS. The fifth
+ section in turn looks at recommendations and considerations about
+ providing IPv6 support in the resolvers. The sixth and seventh
+ sections describe considerations with forward and reverse DNS
+ updates, respectively. The eighth section introduces several
+ miscellaneous IPv6 issues relating to DNS for which no better place
+ has been found in this memo. Appendix A looks briefly at the
+ requirements for site-local addressing.
+
+
+1.1 Representing IPv6 Addresses in DNS Records
+
+
+ In the forward zones, IPv6 addresses are represented using AAAA
+ records. In the reverse zones, IPv6 address are represented using
+ PTR records in the nibble format under the ip6.arpa. tree. See
+ [RFC3596] for more about IPv6 DNS usage, and [RFC3363] or [RFC3152]
+ for background information.
+
+
+ In particular one should note that the use of A6 records in the
+ forward tree or Bitlabels in the reverse tree is not recommended
+ [RFC3363]. Using DNAME records is not recommended in the reverse
+ tree in conjunction with A6 records; the document did not mean to
+ take a stance on any other use of DNAME records [RFC3364].
+
+
+1.2 Independence of DNS Transport and DNS Records
+
+
+ DNS has been designed to present a single, globally unique name space
+ [RFC2826]. This property should be maintained, as described here and
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 4]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ in Section 1.3.
+
+
+ The IP version used to transport the DNS queries and responses is
+ independent of the records being queried: AAAA records can be queried
+ over IPv4, and A records over IPv6. The DNS servers must not make
+ any assumptions about what data to return for Answer and Authority
+ sections based on the underlying transport used in a query.
+
+
+ However, there is some debate whether the addresses in Additional
+ section could be selected or filtered using hints obtained from which
+ transport was being used; this has some obvious problems because in
+ many cases the transport protocol does not correlate with the
+ requests, and because a "bad" answer is in a way worse than no answer
+ at all (consider the case where the client is led to believe that a
+ name received in the additional record does not have any AAAA records
+ at all).
+
+
+ As stated in [RFC3596]:
+
+
+ The IP protocol version used for querying resource records is
+ independent of the protocol version of the resource records; e.g.,
+ IPv4 transport can be used to query IPv6 records and vice versa.
+
+
+
+1.3 Avoiding IPv4/IPv6 Name Space Fragmentation
+
+
+ To avoid the DNS name space from fragmenting into parts where some
+ parts of DNS are only visible using IPv4 (or IPv6) transport, the
+ recommendation is to always keep at least one authoritative server
+ IPv4-enabled, and to ensure that recursive DNS servers support IPv4.
+ See DNS IPv6 transport guidelines
+ [I-D.ietf-dnsop-ipv6-transport-guidelines] for more information.
+
+
+1.4 Query Type '*' and A/AAAA Records
+
+
+ QTYPE=* is typically only used for debugging or management purposes;
+ it is worth keeping in mind that QTYPE=* ("ANY" queries) only return
+ any available RRsets, not *all* the RRsets, because the caches do not
+ necessarily have all the RRsets and have no way of guaranteeing that
+ they have all the RRsets. Therefore, to get both A and AAAA records
+ reliably, two separate queries must be made.
+
+
+2. DNS Considerations about Special IPv6 Addresses
+
+
+ There are a couple of IPv6 address types which are somewhat special;
+ these are considered here.
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 5]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+2.1 Limited-scope Addresses
+
+
+ The IPv6 addressing architecture [RFC3513] includes two kinds of
+ local-use addresses: link-local (fe80::/10) and site-local (fec0::/
+ 10). The site-local addresses have been deprecated
+ [I-D.ietf-ipv6-deprecate-site-local], and are only discussed in
+ Appendix A.
+
+
+ Link-local addresses should never be published in DNS (whether in
+ forward or reverse tree), because they have only local (to the
+ connected link) significance
+ [I-D.ietf-dnsop-dontpublish-unreachable].
+
+
+2.2 Temporary Addresses
+
+
+ Temporary addresses defined in RFC3041 [RFC3041] (sometimes called
+ "privacy addresses") use a random number as the interface identifier.
+ Publishing (useful) DNS records relating to such addresses would
+ defeat the purpose of the mechanism and is not recommended. However,
+ it would still be possible to return a non-identifiable name (e.g.,
+ the IPv6 address in hexadecimal format), as described in [RFC3041].
+
+
+2.3 6to4 Addresses
+
+
+ 6to4 [RFC3056] specifies an automatic tunneling mechanism which maps
+ a public IPv4 address V4ADDR to an IPv6 prefix 2002:V4ADDR::/48.
+
+
+ If the reverse DNS population would be desirable (see Section 7.1 for
+ applicability), there are a number of possible ways to do so
+ [I-D.moore-6to4-dns], some more applicable than the others.
+
+
+ The main proposal [I-D.huston-6to4-reverse-dns] aims to design an
+ autonomous reverse-delegation system that anyone being capable of
+ communicating using a specific 6to4 address would be able to set up a
+ reverse delegation to the corresponding 6to4 prefix. This could be
+ deployed by e.g., Regional Internet Registries (RIRs). This is a
+ practical solution, but may have some scalability concerns.
+
+
+2.4 Other Transition Mechanisms
+
+
+ 6to4, above, is mentioned as a case of an IPv6 transition mechanism
+ requiring special considerations. In general, mechanisms which
+ include a special prefix may need a custom solution; otherwise, for
+ example when IPv4 address is embedded as the suffix or not embedded
+ at all, special solutions are likely not needed. This is why only
+ 6to4 and Teredo [I-D.huitema-v6ops-teredo] are described.
+
+
+ Note that it does not seem feasible to provide reverse DNS with
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 6]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ another automatic tunneling mechanism, Teredo; this is because the
+ IPv6 address is based on the IPv4 address and UDP port of the current
+ NAT mapping which is likely to be relatively short-lived.
+
+
+3. Observed DNS Implementation Misbehaviour
+
+
+ Several classes of misbehaviour in DNS servers, load-balancers and
+ resolvers have been observed. Most of these are rather generic, not
+ only applicable to IPv6 -- but in some cases, the consequences of
+ this misbehaviour are extremely severe in IPv6 environments and
+ deserve to be mentioned.
+
+
+3.1 Misbehaviour of DNS Servers and Load-balancers
+
+
+ There are several classes of misbehaviour in certain DNS servers and
+ load-balancers which have been noticed and documented
+ [I-D.ietf-dnsop-misbehavior-against-aaaa]: some implementations
+ silently drop queries for unimplemented DNS records types, or provide
+ wrong answers to such queries (instead of a proper negative reply).
+ While typically these issues are not limited to AAAA records, the
+ problems are aggravated by the fact that AAAA records are being
+ queried instead of (mainly) A records.
+
+
+ The problems are serious because when looking up a DNS name, typical
+ getaddrinfo() implementations, with AF_UNSPEC hint given, first try
+ to query the AAAA records of the name, and after receiving a
+ response, query the A records. This is done in a serial fashion --
+ if the first query is never responded to (instead of properly
+ returning a negative answer), significant timeouts will occur.
+
+
+ In consequence, this is an enormous problem for IPv6 deployments, and
+ in some cases, IPv6 support in the software has even been disabled
+ due to these problems.
+
+
+ The solution is to fix or retire those misbehaving implementations,
+ but that is likely not going to be effective. There are some
+ possible ways to mitigate the problem, e.g., by performing the
+ lookups somewhat in parallel and reducing the timeout as long as at
+ least one answer has been received; but such methods remain to be
+ investigated; slightly more on this is included in Section 5.
+
+
+3.2 Misbehaviour of DNS Resolvers
+
+
+ Several classes of misbehaviour have also been noticed in DNS
+ resolvers [I-D.ietf-dnsop-bad-dns-res]. However, these do not seem
+ to directly impair IPv6 use, and are only referred to for
+ completeness.
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 7]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+4. Recommendations for Service Provisioning using DNS
+
+
+ When names are added in the DNS to facilitate a service, there are
+ several general guidelines to consider to be able to do it as
+ smoothly as possible.
+
+
+4.1 Use of Service Names instead of Node Names
+
+
+ When a node provides multiple services which should not be
+ fate-sharing, or might support different IP versions, one should keep
+ them logically separate in the DNS. Using SRV records [RFC2782]
+ would avoid these problems. Unfortunately, those are not
+ sufficiently widely used to be applicable in most cases. Hence an
+ operation technique is to use service names instead of node names
+ (or, "hostnames"). This operational technique is not specific to
+ IPv6, but required to understand the considerations described in
+ Section 4.2 and Section 4.3.
+
+
+ For example, assume a node named "pobox.example.com" provides both
+ SMTP and IMAP service. Instead of configuring the MX records to
+ point at "pobox.example.com", and configuring the mail clients to
+ look up the mail via IMAP from "pobox.example.com", one should use
+ e.g., "smtp.example.com" for SMTP (for both message submission and
+ mail relaying between SMTP servers) and "imap.example.com" for IMAP.
+ Note that in the specific case of SMTP relaying, the server itself
+ must typically also be configured to know all its names to ensure
+ loops do not occur. DNS can provide a layer of indirection between
+ service names and where the service actually is, and using which
+ addresses. (Obviously, when wanting to reach a specific node, one
+ should use the hostname rather than a service name.)
+
+
+ This is a good practice with IPv4 as well, because it provides more
+ flexibility and enables easier migration of services from one host to
+ another. A specific reason why this is relevant for IPv6 is that the
+ different services may have a different level of IPv6 support -- that
+ is, one node providing multiple services might want to enable just
+ one service to be IPv6-visible while keeping some others as
+ IPv4-only, improving flexibility.
+
+
+4.2 Separate vs the Same Service Names for IPv4 and IPv6
+
+
+ The service naming can be achieved in basically two ways: when a
+ service is named "service.example.com" for IPv4, the IPv6-enabled
+ service could be either added to "service.example.com", or added
+ separately under a different name, e.g., in a sub-domain, like,
+ "service.ipv6.example.com".
+
+
+ These two methods have different characteristics. Using a different
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 8]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ name allows for easier service piloting, minimizing the disturbance
+ to the "regular" users of IPv4 service; however, the service would
+ not be used transparently, without the user/application explicitly
+ finding it and asking for it -- which would be a disadvantage in most
+ cases. When the different name is under a sub-domain, if the
+ services are deployed within a restricted network (e.g., inside an
+ enterprise), it's possible to prefer them transparently, at least to
+ a degree, by modifying the DNS search path; however, this is a
+ suboptimal solution. Using the same service name is the "long-term"
+ solution, but may degrade performance for those clients whose IPv6
+ performance is lower than IPv4, or does not work as well (see Section
+ 4.3 for more).
+
+
+ In most cases, it makes sense to pilot or test a service using
+ separate service names, and move to the use of the same name when
+ confident enough that the service level will not degrade for the
+ users unaware of IPv6.
+
+
+4.3 Adding the Records Only when Fully IPv6-enabled
+
+
+ The recommendation is that AAAA records for a service should not be
+ added to the DNS until all of following are true:
+
+
+ 1. The address is assigned to the interface on the node.
+
+
+ 2. The address is configured on the interface.
+
+
+ 3. The interface is on a link which is connected to the IPv6
+ infrastructure.
+
+
+ In addition, if the AAAA record is added for the node, instead of
+ service as recommended, all the services of the node should be
+ IPv6-enabled prior to adding the resource record.
+
+
+ For example, if an IPv6 node is isolated from an IPv6 perspective
+ (e.g., it is not connected to IPv6 Internet) constraint #3 would mean
+ that it should not have an address in the DNS.
+
+
+ Consider the case of two dual-stack nodes, which both have IPv6
+ enabled, but the server does not have (global) IPv6 connectivity. As
+ the client looks up the server's name, only A records are returned
+ (if the recommendations above are followed), and no IPv6
+ communication, which would have been unsuccessful, is even attempted.
+
+
+ The issues are not always so black-and-white. Usually it's important
+ if the service offered using both protocols is of roughly equal
+ quality, using the appropriate metrics for the service (e.g.,
+ latency, throughput, low packet loss, general reliability, etc.) --
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 9]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ this is typically very important especially for interactive or
+ real-time services. In many cases, the quality of IPv6 connectivity
+ may not yet be equal to that of IPv4, at least globally -- this has
+ to be taken into consideration when enabling services
+ [I-D.savola-v6ops-6bone-mess].
+
+
+4.4 Behaviour of Additional Data in IPv4/IPv6 Environments
+
+
+4.4.1 Description of Additional Data Scenarios
+
+
+ Consider the case where the query name is so long, the number of the
+ additional records is so high, or for other reasons that the entire
+ response would not fit in a single UDP packet. In some cases, the
+ responder truncates the response with the TC bit being set (leading
+ to a retry with TCP), in order for the querier to get the entire
+ response later.
+
+
+ There are two kinds of additional data:
+
+
+ 1. glue, i.e., "critical" additional data; this must be included in
+ all scenarios, with all the RRsets as possible, and
+
+
+ 2. "courtesy" additional data; this could be sent in full, with only
+ a few RRsets, or with no RRsets, and can be fetched separately as
+ well, but at the cost of additional queries. This data must
+ never cause setting of the TC bit.
+
+
+ The responding server can algorithmically determine which type the
+ additional data is by checking whether it's at or below a zone cut.
+
+
+ Meanwhile, resource record sets (RRsets) are never "broken up", so if
+ a name has 4 A records and 5 AAAA records, you can either return all
+ 9, all 4 A records, all 5 AAAA records or nothing. In particular,
+ notice that for the "critical" additional data getting all the RRsets
+ can be critical.
+
+
+ An example of the "courtesy" additional data is A/AAAA records in
+ conjunction of MX records as shown in Section 4.5; an example of the
+ "critical" additional data is shown below (where getting both the A
+ and AAAA RRsets is critical):
+
+
+ child.example.com. IN NS ns.child.example.com.
+ ns.child.example.com. IN A 192.0.2.1
+ ns.child.example.com. IN AAAA 2001:db8::1
+
+
+ When there is too much courtesy additional data, some or all of it
+ need to be removed [RFC2181]; if some is left in the response, the
+ issue is which data should be retained. When there is too much
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 10]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ critical additional data, TC bit will have to be set, and some or all
+ of it need to be removed; if some is left in the response, the issue
+ is which data should be retained.
+
+
+ If the implementation decides to keep as much data as possible, it
+ might be tempting to use the transport of the DNS query as a hint in
+ either of these cases: return the AAAA records if the query was done
+ over IPv6, or return the A records if the query was done over IPv4.
+ However, this breaks the model of independence of DNS transport and
+ resource records, as noted in Section 1.2.
+
+
+ It is worth remembering that often the host using the records is
+ different from the node requesting them from the authoritative DNS
+ server (or even a caching resolver). So, whichever version the
+ requestor (e.g., a recursive server in the middle) uses makes no
+ difference to the ultimate user of the records, whose transport
+ capabilities might differ from those of the requestor. This might
+ result in e.g., inappropriately returning A records to an IPv6-only
+ node, going through a translation, or opening up another IP-level
+ session (e.g., a PDP context [I-D.ietf-v6ops-3gpp-analysis]).
+ Therefore, at least in many scenarios, it would be very useful if the
+ information returned would be consistent and complete -- or if that
+ is not feasible, return no misleading information but rather leave it
+ to the client to query again.
+
+
+4.4.2 Discussion of the Problems
+
+
+ As noted above, the temptation for omitting only some of the
+ additional data based on the transport of the query could be
+ problematic. In particular, there appears to be little justification
+ for doing so in the case of "courtesy" data.
+
+
+ However, with critical additional data, the alternatives are either
+ returning nothing (and requiring a retry with TCP) or returning
+ something (possibly obviating the need for a retry with TCP). If the
+ process for selecting "something" from the critical data would
+ otherwise be practically "flipping the coin" between A and AAAA
+ records, it could be argued that if one looked at the transport of
+ the query, it would have a larger possibility of being right than
+ just 50/50. In other words, if the returned critical additional data
+ would have to be selected somehow, using something more sophisticated
+ than a random process would seem justifiable.
+
+
+ The problem of too much additional data seems to be an operational
+ one: the zone administrator entering too many records which will be
+ returned either truncated or missing some RRsets to the users. A
+ protocol fix for this is using EDNS0 [RFC2671] to signal the capacity
+ for larger UDP packet sizes, pushing up the relevant threshold.
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 11]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ Further, DNS server implementations should rather omit courtesy
+ additional data completely rather than including only some RRsets
+ [RFC2181]. An operational fix for this is having the DNS server
+ implementations return a warning when the administrators create zones
+ which would result in too much additional data being returned.
+ Further, DNS server implementations should warn of or disallow such
+ zone configurations which are recursive or otherwise difficult to
+ manage by the protocol.
+
+
+ Additionally, to avoid the case where an application would not get an
+ address at all due to some of "courtesy" additional data being
+ omitted, the resolvers should be able to query the specific records
+ of the desired protocol, not just rely on getting all the required
+ RRsets in the additional section.
+
+
+4.5 The Use of TTL for IPv4 and IPv6 RRs
+
+
+ In the previous section, we discussed a danger with queries,
+ potentially leading to omitting RRsets from the additional section;
+ this could happen to both critical and "courtesy" additional data.
+ This section discusses another problem with the latter, leading to
+ omitting RRsets in cached data, highlighted in the IPv4/IPv6
+ environment.
+
+
+ The behaviour of DNS caching when different TTL values are used for
+ different RRsets of the same name requires explicit discussion. For
+ example, let's consider a part of a zone:
+
+
+ example.com. 300 IN MX foo.example.com.
+ foo.example.com. 300 IN A 192.0.2.1
+ foo.example.com. 100 IN AAAA 2001:db8::1
+
+
+ When a caching resolver asks for the MX record of example.com, it
+ gets back "foo.example.com". It may also get back either one or both
+ of the A and AAAA records in the additional section. So, there are
+ three cases about returning records for the MX in the additional
+ section:
+
+
+ 1. We get back no A or AAAA RRsets: this is the simplest case,
+ because then we have to query which information is required
+ explicitly, guaranteeing that we get all the information we're
+ interested in.
+
+
+ 2. We get back all the RRsets: this is an optimization as there is
+ no need to perform more queries, causing lower latency. However,
+ it is impossible to guarantee that in fact we would always get
+ back all the records (the only way to ensure that is to send a
+ AAAA query for the name after getting the cached reply with A
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 12]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ records or vice versa).
+
+
+ 3. We only get back A or AAAA RRsets even if both existed: this is
+ indistinguishable from the previous case, and may have problems
+ at least in certain environments as described in the previous
+ section.
+
+
+ As the third case was considered in the previous section, we assume
+ we get back both A and AAAA records of foo.example.com, or the stub
+ resolver explicitly asks, in two separate queries, both A and AAAA
+ records.
+
+
+ After 100 seconds, the AAAA record is removed from the cache(s)
+ because its TTL expired. It could be argued to be useful for the
+ caching resolvers to discard the A record when the shorter TTL (in
+ this case, for the AAAA record) expires; this would avoid the
+ situation where there would be a window of 200 seconds when
+ incomplete information is returned from the cache. The behaviour in
+ this scenario is unspecified.
+
+
+ To simplify the situation, it might help to use the same TTL for all
+ the resource record sets referring to the same name, unless there is
+ a particular reason for not doing so. However, there are some
+ scenarios (e.g., when renumbering IPv6 but keeping IPv4 intact) where
+ a different strategy is preferable.
+
+
+ Thus, applications that use the response should not rely on a
+ particular TTL configuration. For example, even if an application
+ gets a response that only has the A record in the example described
+ above, it should be still aware that there could be a AAAA record for
+ "foo.example.com". That is, the application should try to fetch the
+ missing records itself if it needs the record.
+
+
+4.6 IPv6 Transport Guidelines for DNS Servers
+
+
+ As described in Section 1.3 and
+ [I-D.ietf-dnsop-ipv6-transport-guidelines], there should continue to
+ be at least one authoritative IPv4 DNS server for every zone, even if
+ the zone has only IPv6 records. (Note that obviously, having more
+ servers with robust connectivity would be preferable, but this is the
+ minimum recommendation; also see [RFC2182].)
+
+
+5. Recommendations for DNS Resolver IPv6 Support
+
+
+ When IPv6 is enabled on a node, there are several things to consider
+ to ensure that the process is as smooth as possible.
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 13]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+5.1 DNS Lookups May Query IPv6 Records Prematurely
+
+
+ The system library that implements the getaddrinfo() function for
+ looking up names is a critical piece when considering the robustness
+ of enabling IPv6; it may come in basically three flavours:
+
+
+ 1. The system library does not know whether IPv6 has been enabled in
+ the kernel of the operating system: it may start looking up AAAA
+ records with getaddrinfo() and AF_UNSPEC hint when the system is
+ upgraded to a system library version which supports IPv6.
+
+
+ 2. The system library might start to perform IPv6 queries with
+ getaddrinfo() only when IPv6 has been enabled in the kernel.
+ However, this does not guarantee that there exists any useful
+ IPv6 connectivity (e.g., the node could be isolated from the
+ other IPv6 networks, only having link-local addresses).
+
+
+ 3. The system library might implement a toggle which would apply
+ some heuristics to the "IPv6-readiness" of the node before
+ starting to perform queries; for example, it could check whether
+ only link-local IPv6 address(es) exists, or if at least one
+ global IPv6 address exists.
+
+
+ First, let us consider generic implications of unnecessary queries
+ for AAAA records: when looking up all the records in the DNS, AAAA
+ records are typically tried first, and then A records. These are
+ done in serial, and the A query is not performed until a response is
+ received to the AAAA query. Considering the misbehaviour of DNS
+ servers and load-balancers, as described in Section 3.1, the look-up
+ delay for AAAA may incur additional unnecessary latency, and
+ introduce a component of unreliability.
+
+
+ One option here could be to do the queries partially in parallel; for
+ example, if the final response to the AAAA query is not received in
+ 0.5 seconds, start performing the A query while waiting for the
+ result (immediate parallelism might be unoptimal, at least without
+ information sharing between the look-up threads, as that would
+ probably lead to duplicate non-cached delegation chain lookups).
+
+
+ An additional concern is the address selection, which may, in some
+ circumstances, prefer AAAA records over A records even when the node
+ does not have any IPv6 connectivity [I-D.ietf-v6ops-v6onbydefault].
+ In some cases, the implementation may attempt to connect or send a
+ datagram on a physical link [I-D.ietf-v6ops-onlinkassumption],
+ incurring very long protocol timeouts, instead of quickly failing
+ back to IPv4.
+
+
+ Now, we can consider the issues specific to each of the three
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 14]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ possibilities:
+
+
+ In the first case, the node performs a number of completely useless
+ DNS lookups as it will not be able to use the returned AAAA records
+ anyway. (The only exception is where the application desires to know
+ what's in the DNS, but not use the result for communication.) One
+ should be able to disable these unnecessary queries, for both latency
+ and reliability reasons. However, as IPv6 has not been enabled, the
+ connections to IPv6 addresses fail immediately, and if the
+ application is programmed properly, the application can fall
+ gracefully back to IPv4 [I-D.ietf-v6ops-application-transition].
+
+
+ The second case is similar to the first, except it happens to a
+ smaller set of nodes when IPv6 has been enabled but connectivity has
+ not been provided yet; similar considerations apply, with the
+ exception that IPv6 records, when returned, will be actually tried
+ first which may typically lead to long timeouts.
+
+
+ The third case is a bit more complex: optimizing away the DNS lookups
+ with only link-locals is probably safe (but may be desirable with
+ different lookup services which getaddrinfo() may support), as the
+ link-locals are typically automatically generated when IPv6 is
+ enabled, and do not indicate any form of IPv6 connectivity. That is,
+ performing DNS lookups only when a non-link-local address has been
+ configured on any interface could be beneficial -- this would be an
+ indication that either the address has been configured either from a
+ router advertisement, DHCPv6 [RFC3315], or manually. Each would
+ indicate at least some form of IPv6 connectivity, even though there
+ would not be guarantees of it.
+
+
+ These issues should be analyzed at more depth, and the fixes found
+ consensus on, perhaps in a separate document.
+
+
+5.2 Obtaining a List of DNS Recursive Resolvers
+
+
+ In scenarios where DHCPv6 is available, a host can discover a list of
+ DNS recursive resolvers through DHCPv6 "DNS Recursive Name Server"
+ option [RFC3646]. This option can be passed to a host through a
+ subset of DHCPv6 [RFC3736].
+
+
+ The IETF is considering the development of alternative mechanisms for
+ obtaining the list of DNS recursive name servers when DHCPv6 is
+ unavailable or inappropriate. No decision about taking on this
+ development work has been reached as of this writing (Aug 2004)
+ [I-D.ietf-dnsop-ipv6-dns-configuration].
+
+
+ In scenarios where DHCPv6 is unavailable or inappropriate, mechanisms
+ under consideration for development include the use of well-known
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 15]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ addresses [I-D.ohta-preconfigured-dns] and the use of Router
+ Advertisements to convey the information
+ [I-D.jeong-dnsop-ipv6-dns-discovery].
+
+
+ Note that even though IPv6 DNS resolver discovery is a recommended
+ procedure, it is not required for dual-stack nodes in dual-stack
+ networks as IPv6 DNS records can be queried over IPv4 as well as
+ IPv6. Obviously, nodes which are meant to function without manual
+ configuration in IPv6-only networks must implement the DNS resolver
+ discovery function.
+
+
+5.3 IPv6 Transport Guidelines for Resolvers
+
+
+ As described in Section 1.3 and
+ [I-D.ietf-dnsop-ipv6-transport-guidelines], the recursive resolvers
+ should be IPv4-only or dual-stack to be able to reach any IPv4-only
+ DNS server. Note that this requirement is also fulfilled by an
+ IPv6-only stub resolver pointing to a dual-stack recursive DNS
+ resolver.
+
+
+6. Considerations about Forward DNS Updating
+
+
+ While the topic how to enable updating the forward DNS, i.e., the
+ mapping from names to the correct new addresses, is not specific to
+ IPv6, it should be considered especially due to the advent of
+ Stateless Address Autoconfiguration [RFC2462].
+
+
+ Typically forward DNS updates are more manageable than doing them in
+ the reverse DNS, because the updater can often be assumed to "own" a
+ certain DNS name -- and we can create a form of security relationship
+ with the DNS name and the node which is allowed to update it to point
+ to a new address.
+
+
+ A more complex form of DNS updates -- adding a whole new name into a
+ DNS zone, instead of updating an existing name -- is considered out
+ of scope for this memo as it could require zone-wide authentication.
+ Adding a new name in the forward zone is a problem which is still
+ being explored with IPv4, and IPv6 does not seem to add much new in
+ that area.
+
+
+6.1 Manual or Custom DNS Updates
+
+
+ The DNS mappings can also be maintained by hand, in a semi-automatic
+ fashion or by running non-standardized protocols. These are not
+ considered at more length in this memo.
+
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 16]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+6.2 Dynamic DNS
+
+
+ Dynamic DNS updates (DDNS) [RFC2136][RFC3007] is a standardized
+ mechanism for dynamically updating the DNS. It works equally well
+ with stateless address autoconfiguration (SLAAC), DHCPv6 or manual
+ address configuration. It is important to consider how each of these
+ behave if IP address-based authentication, instead of stronger
+ mechanisms [RFC3007], was used in the updates.
+
+
+ 1. manual addresses are static and can be configured
+
+
+ 2. DHCPv6 addresses could be reasonably static or dynamic, depending
+ on the deployment, and could or could not be configured on the
+ DNS server for the long term
+
+
+ 3. SLAAC addresses are typically stable for a long time, but could
+ require work to be configured and maintained.
+
+
+ As relying on IP addresses for Dynamic DNS is rather insecure at
+ best, stronger authentication should always be used; however, this
+ requires that the authorization keying will be explicitly configured
+ using unspecified operational methods.
+
+
+ Note that with DHCP it is also possible that the DHCP server updates
+ the DNS, not the host. The host might only indicate in the DHCP
+ exchange which hostname it would prefer, and the DHCP server would
+ make the appropriate updates. Nonetheless, while this makes setting
+ up a secure channel between the updater and the DNS server easier, it
+ does not help much with "content" security, i.e., whether the
+ hostname was acceptable -- if the DNS server does not include
+ policies, they must be included in the DHCP server (e.g., a regular
+ host should not be able to state that its name is "www.example.com").
+ DHCP-initiated DDNS updates have been extensively described in
+ [I-D.ietf-dhc-ddns-resolution], [I-D.ietf-dhc-fqdn-option] and
+ [I-D.ietf-dnsext-dhcid-rr].
+
+
+ The nodes must somehow be configured with the information about the
+ servers where they will attempt to update their addresses, sufficient
+ security material for authenticating themselves to the server, and
+ the hostname they will be updating. Unless otherwise configured, the
+ first could be obtained by looking up the authoritative name servers
+ for the hostname; the second must be configured explicitly unless one
+ chooses to trust the IP address-based authentication (not a good
+ idea); and lastly, the nodename is typically pre-configured somehow
+ on the node, e.g., at install time.
+
+
+ Care should be observed when updating the addresses not to use longer
+ TTLs for addresses than are preferred lifetimes for the addresses, so
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 17]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ that if the node is renumbered in a managed fashion, the amount of
+ stale DNS information is kept to the minimum. That is, if the
+ preferred lifetime of an address expires, the TTL of the record needs
+ be modified unless it was already done before the expiration. For
+ better flexibility, the DNS TTL should be much shorter (e.g., a half
+ or a third) than the lifetime of an address; that way, the node can
+ start lowering the DNS TTL if it seems like the address has not been
+ renewed/refreshed in a while. Some discussion on how an
+ administrator could manage the DNS TTL is included in
+ [I-D.ietf-v6ops-renumbering-procedure]; this could be applied to
+ (smart) hosts as well.
+
+
+7. Considerations about Reverse DNS Updating
+
+
+ Updating the reverse DNS zone may be difficult because of the split
+ authority over an address. However, first we have to consider the
+ applicability of reverse DNS in the first place.
+
+
+7.1 Applicability of Reverse DNS
+
+
+ Today, some applications use reverse DNS to either look up some hints
+ about the topological information associated with an address (e.g.
+ resolving web server access logs), or as a weak form of a security
+ check, to get a feel whether the user's network administrator has
+ "authorized" the use of the address (on the premises that adding a
+ reverse record for an address would signal some form of
+ authorization).
+
+
+ One additional, maybe slightly more useful usage is ensuring that the
+ reverse and forward DNS contents match (by looking up the pointer to
+ the name by the IP address from the reverse tree, and ensuring that a
+ record under the name in the forward tree points to the IP address)
+ and correspond to a configured name or domain. As a security check,
+ it is typically accompanied by other mechanisms, such as a user/
+ password login; the main purpose of the reverse+forward DNS check is
+ to weed out the majority of unauthorized users, and if someone
+ managed to bypass the checks, he would still need to authenticate
+ "properly".
+
+
+ It may also be desirable to store IPsec keying material corresponding
+ to an IP address to the reverse DNS, as justified and described in
+ [I-D.ietf-ipseckey-rr].
+
+
+ It is not clear whether it makes sense to require or recommend that
+ reverse DNS records be updated. In many cases, it would just make
+ more sense to use proper mechanisms for security (or topological
+ information lookup) in the first place. At minimum, the applications
+ which use it as a generic authorization (in the sense that a record
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 18]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ exists at all) should be modified as soon as possible to avoid such
+ lookups completely.
+
+
+ The applicability is discussed at more length in
+ [I-D.ietf-dnsop-inaddr-required].
+
+
+7.2 Manual or Custom DNS Updates
+
+
+ Reverse DNS can of course be updated using manual or custom methods.
+ These are not further described here, except for one special case.
+
+
+ One way to deploy reverse DNS would be to use wildcard records, for
+ example, by configuring one name for a subnet (/64) or a site (/48).
+ As a concrete example, a site (or the site's ISP) could configure the
+ reverses of the prefix 2001:db8:f00::/48 to point to one name using a
+ wildcard record like "*.0.0.f.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR
+ site.example.com." Naturally, such a name could not be verified from
+ the forward DNS, but would at least provide some form of "topological
+ information" or "weak authorization" if that is really considered to
+ be useful. Note that this is not actually updating the DNS as such,
+ as the whole point is to avoid DNS updates completely by manually
+ configuring a generic name.
+
+
+7.3 DDNS with Stateless Address Autoconfiguration
+
+
+ Dynamic reverse DNS with SLAAC is simpler than forward DNS updates in
+ some regard, while being more difficult in another, as described
+ below.
+
+
+ The address space administrator decides whether the hosts are trusted
+ to update their reverse DNS records or not. If they are, a simple
+ address-based authorization is typically sufficient (i.e., check that
+ the DNS update is done from the same IP address as the record being
+ updated); stronger security can also be used [RFC3007]. If they
+ aren't allowed to update the reverses, no update can occur. (Such
+ address-based update authorization operationally requires that
+ ingress filtering [RFC3704] has been set up at the border of the site
+ where the updates occur, and as close to the updater as possible.)
+
+
+ Address-based authorization is simpler with reverse DNS (as there is
+ a connection between the record and the address) than with forward
+ DNS. However, when a stronger form of security is used, forward DNS
+ updates are simpler to manage because the host can be assumed to have
+ an association with the domain. Note that the user may roam to
+ different networks, and does not necessarily have any association
+ with the owner of that address space -- so, assuming stronger form of
+ authorization for reverse DNS updates than an address association is
+ generally unfeasible.
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 19]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ Moreover, the reverse zones must be cleaned up by an unspecified
+ janitorial process: the node does not typically know a priori that it
+ will be disconnected, and cannot send a DNS update using the correct
+ source address to remove a record.
+
+
+ A problem with defining the clean-up process is that it is difficult
+ to ensure that a specific IP address and the corresponding record are
+ no longer being used. Considering the huge address space, and the
+ unlikelihood of collision within 64 bits of the interface
+ identifiers, a process which would remove the record after no traffic
+ has been seen from a node in a long period of time (e.g., a month or
+ year) might be one possible approach.
+
+
+ To insert or update the record, the node must discover the DNS server
+ to send the update to somehow, similar to as discussed in Section
+ 6.2. One way to automate this is looking up the DNS server
+ authoritative (e.g., through SOA record) for the IP address being
+ updated, but the security material (unless the IP address-based
+ authorization is trusted) must also be established by some other
+ means.
+
+
+ One should note that Cryptographically Generated Addresses
+ [I-D.ietf-send-cga] (CGAs) may require a slightly different kind of
+ treatment. CGAs are addresses where the interface identifier is
+ calculated from a public key, a modifier (used as a nonce), the
+ subnet prefix, and other data. Depending on the usage profile, CGAs
+ might or might not be changed periodically due to e.g., privacy
+ reasons. As the CGA address is not predicatable, a reverse record
+ can only reasonably be inserted in the DNS by the node which
+ generates the address.
+
+
+7.4 DDNS with DHCP
+
+
+ With DHCPv4, the reverse DNS name is typically already inserted to
+ the DNS that reflects to the name (e.g., "dhcp-67.example.com"). One
+ can assume similar practice may become commonplace with DHCPv6 as
+ well; all such mappings would be pre-configured, and would require no
+ updating.
+
+
+ If a more explicit control is required, similar considerations as
+ with SLAAC apply, except for the fact that typically one must update
+ a reverse DNS record instead of inserting one (if an address
+ assignment policy that reassigns disused addresses is adopted) and
+ updating a record seems like a slightly more difficult thing to
+ secure. However, it is yet uncertain how DHCPv6 is going to be used
+ for address assignment.
+
+
+ Note that when using DHCP, either the host or the DHCP server could
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 20]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ perform the DNS updates; see the implications in Section 6.2.
+
+
+ If disused addresses were to be reassigned, host-based DDNS reverse
+ updates would need policy considerations for DNS record modification,
+ as noted above. On the other hand, if disused address were not to be
+ assigned, host-based DNS reverse updates would have similar
+ considerations as SLAAC in Section 7.3. Server-based updates have
+ similar properties except that the janitorial process could be
+ integrated with DHCP address assignment.
+
+
+7.5 DDNS with Dynamic Prefix Delegation
+
+
+ In cases where a prefix, instead of an address, is being used and
+ updated, one should consider what is the location of the server where
+ DDNS updates are made. That is, where the DNS server is located:
+
+
+ 1. At the same organization as the prefix delegator.
+
+
+ 2. At the site where the prefixes are delegated to. In this case,
+ the authority of the DNS reverse zone corresponding to the
+ delegated prefix is also delegated to the site.
+
+
+ 3. Elsewhere; this implies a relationship between the site and where
+ DNS server is located, and such a relationship should be rather
+ straightforward to secure as well. Like in the previous case,
+ the authority of the DNS reverse zone is also delegated.
+
+
+ In the first case, managing the reverse DNS (delegation) is simpler
+ as the DNS server and the prefix delegator are in the same
+ administrative domain (as there is no need to delegate anything at
+ all); alternatively, the prefix delegator might forgo DDNS reverse
+ capability altogether, and use e.g., wildcard records (as described
+ in Section 7.2). In the other cases, it can be slighly more
+ difficult, particularly as the site will have to configure the DNS
+ server to be authoritative for the delegated reverse zone, implying
+ automatic configuration of the DNS server -- as the prefix may be
+ dynamic.
+
+
+ Managing the DDNS reverse updates is typically simple in the second
+ case, as the updated server is located at the local site, and
+ arguably IP address-based authentication could be sufficient (or if
+ not, setting up security relationships would be simpler). As there
+ is an explicit (security) relationship between the parties in the
+ third case, setting up the security relationships to allow reverse
+ DDNS updates should be rather straightforward as well (but IP
+ address-based authentication might not be acceptable). In the first
+ case, however, setting up and managing such relationships might be a
+ lot more difficult.
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 21]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+8. Miscellaneous DNS Considerations
+
+
+ This section describes miscellaneous considerations about DNS which
+ seem related to IPv6, for which no better place has been found in
+ this document.
+
+
+8.1 NAT-PT with DNS-ALG
+
+
+ The DNS-ALG component of NAT-PT mangles A records to look like AAAA
+ records to the IPv6-only nodes. Numerous problems have been
+ identified with DNS-ALG [I-D.durand-v6ops-natpt-dns-alg-issues].
+ This is a strong reason not to use NAT-PT in the first place.
+
+
+8.2 Renumbering Procedures and Applications' Use of DNS
+
+
+ One of the most difficult problems of systematic IP address
+ renumbering procedures [I-D.ietf-v6ops-renumbering-procedure] is that
+ an application which looks up a DNS name disregards information such
+ as TTL, and uses the result obtained from DNS as long as it happens
+ to be stored in the memory of the application. For applications
+ which run for a long time, this could be days, weeks or even months;
+ some applications may be clever enough to organize the data
+ structures and functions in such a manner that look-ups get refreshed
+ now and then.
+
+
+ While the issue appears to have a clear solution, "fix the
+ applications", practically this is not reasonable immediate advice;
+ the TTL information is not typically available in the APIs and
+ libraries (so, the advice becomes "fix the applications, APIs and
+ libraries"), and a lot more analysis is needed on how to practically
+ go about to achieve the ultimate goal of avoiding using the names
+ longer than expected.
+
+
+9. Acknowledgements
+
+
+ Some recommendations (Section 4.3, Section 5.1) about IPv6 service
+ provisioning were moved here from [I-D.ietf-v6ops-mech-v2] by Erik
+ Nordmark and Bob Gilligan. Havard Eidnes and Michael Patton provided
+ useful feedback and improvements. Scott Rose, Rob Austein, Masataka
+ Ohta, and Mark Andrews helped in clarifying the issues regarding
+ additional data and the use of TTL. Jefsey Morfin, Ralph Droms,
+ Peter Koch, Jinmei Tatuya, Iljitsch van Beijnum, Edward Lewis, and
+ Rob Austein provided useful feedback during the WG last call. Thomas
+ Narten provided extensive feedback during the IESG evaluation.
+
+
+10. Security Considerations
+
+
+ This document reviews the operational procedures for IPv6 DNS
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 22]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ operations and does not have security considerations in itself.
+
+
+ However, it is worth noting that in particular with Dynamic DNS
+ Updates, security models based on the source address validation are
+ very weak and cannot be recommended -- they could only be considered
+ in the environments where ingress filtering [RFC3704] has been
+ deployed. On the other hand, it should be noted that setting up an
+ authorization mechanism (e.g., a shared secret, or public-private
+ keys) between a node and the DNS server has to be done manually, and
+ may require quite a bit of time and expertise.
+
+
+ To re-emphasize which was already stated, the reverse+forward DNS
+ check provides very weak security at best, and the only
+ (questionable) security-related use for them may be in conjunction
+ with other mechanisms when authenticating a user.
+
+
+11. References
+
+
+11.1 Normative References
+
+
+ [I-D.ietf-dnsop-ipv6-dns-configuration]
+ Jeong, J., "IPv6 Host Configuration of DNS Server
+ Information Approaches",
+ draft-ietf-dnsop-ipv6-dns-configuration-02 (work in
+ progress), July 2004.
+
+
+ [I-D.ietf-dnsop-ipv6-transport-guidelines]
+ Durand, A. and J. Ihren, "DNS IPv6 transport operational
+ guidelines", draft-ietf-dnsop-ipv6-transport-guidelines-02
+ (work in progress), March 2004.
+
+
+ [I-D.ietf-dnsop-misbehavior-against-aaaa]
+ Morishita, Y. and T. Jinmei, "Common Misbehavior against
+ DNS Queries for IPv6 Addresses",
+ draft-ietf-dnsop-misbehavior-against-aaaa-01 (work in
+ progress), April 2004.
+
+
+ [I-D.ietf-ipv6-deprecate-site-local]
+ Huitema, C. and B. Carpenter, "Deprecating Site Local
+ Addresses", draft-ietf-ipv6-deprecate-site-local-03 (work
+ in progress), March 2004.
+
+
+ [I-D.ietf-v6ops-application-transition]
+ Shin, M., "Application Aspects of IPv6 Transition",
+ draft-ietf-v6ops-application-transition-03 (work in
+ progress), June 2004.
+
+
+ [I-D.ietf-v6ops-renumbering-procedure]
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 23]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ Baker, F., Lear, E. and R. Droms, "Procedures for
+ Renumbering an IPv6 Network without a Flag Day",
+ draft-ietf-v6ops-renumbering-procedure-01 (work in
+ progress), July 2004.
+
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+
+ [RFC2182] Elz, R., Bush, R., Bradner, S. and M. Patton, "Selection
+ and Operation of Secondary DNS Servers", BCP 16, RFC 2182,
+ July 1997.
+
+
+ [RFC2462] Thomson, S. and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462, December 1998.
+
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+
+ [RFC3041] Narten, T. and R. Draves, "Privacy Extensions for
+ Stateless Address Autoconfiguration in IPv6", RFC 3041,
+ January 2001.
+
+
+ [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains
+ via IPv4 Clouds", RFC 3056, February 2001.
+
+
+ [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152,
+ August 2001.
+
+
+ [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and
+ M. Carney, "Dynamic Host Configuration Protocol for IPv6
+ (DHCPv6)", RFC 3315, July 2003.
+
+
+ [RFC3363] Bush, R., Durand, A., Fink, B., Gudmundsson, O. and T.
+ Hain, "Representing Internet Protocol version 6 (IPv6)
+ Addresses in the Domain Name System (DNS)", RFC 3363,
+ August 2002.
+
+
+ [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
+ Support for Internet Protocol version 6 (IPv6)", RFC 3364,
+ August 2002.
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 24]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6
+ (IPv6) Addressing Architecture", RFC 3513, April 2003.
+
+
+ [RFC3596] Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
+ Extensions to Support IP Version 6", RFC 3596, October
+ 2003.
+
+
+ [RFC3646] Droms, R., "DNS Configuration options for Dynamic Host
+ Configuration Protocol for IPv6 (DHCPv6)", RFC 3646,
+ December 2003.
+
+
+ [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol
+ (DHCP) Service for IPv6", RFC 3736, April 2004.
+
+
+11.2 Informative References
+
+
+ [I-D.durand-v6ops-natpt-dns-alg-issues]
+ Durand, A., "Issues with NAT-PT DNS ALG in RFC2766",
+ draft-durand-v6ops-natpt-dns-alg-issues-00 (work in
+ progress), February 2003.
+
+
+ [I-D.huitema-v6ops-teredo]
+ Huitema, C., "Teredo: Tunneling IPv6 over UDP through
+ NATs", draft-huitema-v6ops-teredo-02 (work in progress),
+ June 2004.
+
+
+ [I-D.huston-6to4-reverse-dns]
+ Huston, G., "6to4 Reverse DNS",
+ draft-huston-6to4-reverse-dns-02 (work in progress), April
+ 2004.
+
+
+ [I-D.ietf-dhc-ddns-resolution]
+ Stapp, M., "Resolution of DNS Name Conflicts Among DHCP
+ Clients", draft-ietf-dhc-ddns-resolution-07 (work in
+ progress), July 2004.
+
+
+ [I-D.ietf-dhc-fqdn-option]
+ Stapp, M. and Y. Rekhter, "The DHCP Client FQDN Option",
+ draft-ietf-dhc-fqdn-option-07 (work in progress), July
+ 2004.
+
+
+ [I-D.ietf-dnsext-dhcid-rr]
+ Stapp, M., Lemon, T. and A. Gustafsson, "A DNS RR for
+ encoding DHCP information (DHCID RR)",
+ draft-ietf-dnsext-dhcid-rr-08 (work in progress), July
+ 2004.
+
+
+ [I-D.ietf-dnsop-bad-dns-res]
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 25]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ Larson, M. and P. Barber, "Observed DNS Resolution
+ Misbehavior", draft-ietf-dnsop-bad-dns-res-02 (work in
+ progress), July 2004.
+
+
+ [I-D.ietf-dnsop-dontpublish-unreachable]
+ Hazel, P., "IP Addresses that should never appear in the
+ public DNS", draft-ietf-dnsop-dontpublish-unreachable-03
+ (work in progress), February 2002.
+
+
+ [I-D.ietf-dnsop-inaddr-required]
+ Senie, D., "Requiring DNS IN-ADDR Mapping",
+ draft-ietf-dnsop-inaddr-required-05 (work in progress),
+ April 2004.
+
+
+ [I-D.ietf-ipseckey-rr]
+ Richardson, M., "A method for storing IPsec keying
+ material in DNS", draft-ietf-ipseckey-rr-11 (work in
+ progress), July 2004.
+
+
+ [I-D.ietf-ipv6-unique-local-addr]
+ Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
+ Addresses", draft-ietf-ipv6-unique-local-addr-05 (work in
+ progress), June 2004.
+
+
+ [I-D.ietf-send-cga]
+ Aura, T., "Cryptographically Generated Addresses (CGA)",
+ draft-ietf-send-cga-06 (work in progress), April 2004.
+
+
+ [I-D.ietf-v6ops-3gpp-analysis]
+ Wiljakka, J., "Analysis on IPv6 Transition in 3GPP
+ Networks", draft-ietf-v6ops-3gpp-analysis-10 (work in
+ progress), May 2004.
+
+
+ [I-D.ietf-v6ops-mech-v2]
+ Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
+ for IPv6 Hosts and Routers", draft-ietf-v6ops-mech-v2-04
+ (work in progress), July 2004.
+
+
+ [I-D.ietf-v6ops-onlinkassumption]
+ Roy, S., Durand, A. and J. Paugh, "IPv6 Neighbor Discovery
+ On-Link Assumption Considered Harmful",
+ draft-ietf-v6ops-onlinkassumption-02 (work in progress),
+ May 2004.
+
+
+ [I-D.ietf-v6ops-v6onbydefault]
+ Roy, S., Durand, A. and J. Paugh, "Issues with Dual Stack
+ IPv6 on by Default", draft-ietf-v6ops-v6onbydefault-03
+ (work in progress), July 2004.
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 26]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ [I-D.jeong-dnsop-ipv6-dns-discovery]
+ Jeong, J., "IPv6 DNS Discovery based on Router
+ Advertisement", draft-jeong-dnsop-ipv6-dns-discovery-02
+ (work in progress), July 2004.
+
+
+ [I-D.moore-6to4-dns]
+ Moore, K., "6to4 and DNS", draft-moore-6to4-dns-03 (work
+ in progress), October 2002.
+
+
+ [I-D.ohta-preconfigured-dns]
+ Ohta, M., "Preconfigured DNS Server Addresses",
+ draft-ohta-preconfigured-dns-01 (work in progress),
+ February 2004.
+
+
+ [I-D.savola-v6ops-6bone-mess]
+ Savola, P., "Moving from 6bone to IPv6 Internet",
+ draft-savola-v6ops-6bone-mess-01 (work in progress),
+ November 2002.
+
+
+ [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
+ Translation - Protocol Translation (NAT-PT)", RFC 2766,
+ February 2000.
+
+
+ [RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ February 2000.
+
+
+ [RFC2826] Internet Architecture Board, "IAB Technical Comment on the
+ Unique DNS Root", RFC 2826, May 2000.
+
+
+ [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
+ Networks", BCP 84, RFC 3704, March 2004.
+
+
+
+Authors' Addresses
+
+
+ Alain Durand
+ SUN Microsystems, Inc.
+ 17 Network circle UMPL17-202
+ Menlo Park, CA 94025
+ USA
+
+
+ EMail: Alain.Durand@sun.com
+
+
+
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 27]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ Johan Ihren
+ Autonomica
+ Bellmansgatan 30
+ SE-118 47 Stockholm
+ Sweden
+
+
+ EMail: johani@autonomica.se
+
+
+
+ Pekka Savola
+ CSC/FUNET
+ Espoo
+ Finland
+
+
+ EMail: psavola@funet.fi
+
+
+Appendix A. Site-local Addressing Considerations for DNS
+
+
+ As site-local addressing has been deprecated, the considerations for
+ site-local addressing are discussed briefly here. Unique local
+ addressing format [I-D.ietf-ipv6-unique-local-addr] has been proposed
+ as a replacement, but being work-in-progress, it is not considered
+ further.
+
+
+ The interactions with DNS come in two flavors: forward and reverse
+ DNS.
+
+
+ To actually use site-local addresses within a site, this implies the
+ deployment of a "split-faced" or a fragmented DNS name space, for the
+ zones internal to the site, and the outsiders' view to it. The
+ procedures to achieve this are not elaborated here. The implication
+ is that site-local addresses must not be published in the public DNS.
+
+
+ To faciliate reverse DNS (if desired) with site-local addresses, the
+ stub resolvers must look for DNS information from the local DNS
+ servers, not e.g. starting from the root servers, so that the
+ site-local information may be provided locally. Note that the
+ experience of private addresses in IPv4 has shown that the root
+ servers get loaded for requests for private address lookups in any
+ case.
+
+
+Appendix B. Issues about Additional Data or TTL
+
+
+ [[ note to the RFC-editor: remove this section upon publication. ]]
+
+
+ This appendix tries to describe the apparent rought consensus about
+ additional data and TTL issues (sections 4.4 and 4.5), and present
+ questions when there appears to be no consensus. The point of
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 28]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+ recording them here is to focus the discussion and get feedback.
+
+
+ Resolved:
+
+
+ a. If some critical additional data RRsets wouldn't fit, you set the
+ TC bit even if some RRsets did fit.
+
+
+ b. If some courtesy additional data RRsets wouldn't fit, you never
+ set the TC bit, but rather remove (at least some of) the courtesy
+ RRsets.
+
+
+ c. DNS servers should implement sanity checks on the resulting glue,
+ e.g., to disable circular dependencies. Then the responding
+ servers can use at-or-below-a-zone-cut criterion to determine
+ whether the additional data is critical or not.
+
+
+ Open issues (at least):
+
+
+ 1. if some critical additional data RRsets would fit, but some
+ wouldn't, and TC has to be set (see above), should one rather
+ remove the additional data that did fit, keep it, or leave
+ unspecified?
+
+
+ 2. if some courtesy additional data RRsets would fit, but some
+ wouldn't, and some will have to be removed from the response (no
+ TC is set, see above), what to do -- remove all courtesy RRsets,
+ keep all that fit, or leave unspecified?
+
+
+ 3. is it acceptable to use the transport used in the DNS query as a
+ hint which records to keep if not removing all the RRsets, if: a)
+ having to decide which critical additional data to keep, or b)
+ having to decide which courtesy additional data to keep?
+
+
+ 4. (this issue was discussed in section 4.5) if one RRset has TTL of
+ 100 seconds, and another the TTL of 300 seconds, what should the
+ caching server do after 100 seconds? Keep returning just one
+ RRset when returning additional data, or discard the other RRset
+ from the cache?
+
+
+ 5. how do we move forward from here? If we manage to get to some
+ form of consensus, how do we record it: a) just in
+ draft-ietf-dnsop-ipv6-dns-issues (note that it's Informational
+ category only!), b) a separate BCP or similar by DNSEXT WG(?),
+ clarifying and giving recommendations, c) something else, what?
+
+
+
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 29]
+Internet-Draft Considerations and Issues with IPv6 DNS August 2004
+
+
+
+Intellectual Property Statement
+
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+
+Disclaimer of Validity
+
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+Copyright Statement
+
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+
+Acknowledgment
+
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+Durand, et al. Expires February 7, 2005 [Page 30]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt
new file mode 100644
index 0000000..b2e2341
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-ipv6-transport-guidelines-01.txt
@@ -0,0 +1,300 @@
+Internet Engineering Task Force A.Durand
+INTERNET-DRAFT SUN Microsystems,inc.
+November, 24, 2003 J. Ihren
+Expires May 25, 2004 Autonomica
+
+
+ DNS IPv6 transport operational guidelines
+ <draft-ietf-dnsop-ipv6-transport-guidelines-01.txt>
+
+
+
+Status of this Memo
+
+ This memo provides information to the Internet community. It does not
+ specify an Internet standard of any kind. This memo is in full
+ conformance with all provisions of Section 10 of RFC2026
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet- Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/1id-abstracts.html
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html
+
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+
+Abstract
+
+ This memo provides guidelines and Best Current Practice to operate
+ DNS in a world where queries and responses are carried in a mixed
+ environment of IPv4 and IPv6 networks.
+
+
+Acknowledgment
+
+ This document is the result of many conversations that happened in
+ the DNS community at IETF and elsewhere since 2001. During that
+ period of time, a number of Internet drafts have been published to
+ clarify various aspects of the issues at stake. This document focuses
+ on the conclusion of those discussions.
+
+ The authors would like to acknowledge the role of Pekka Savola in his
+ thorough review of the document.
+
+
+1. Terminology
+
+ The phrase "IPv4 name server" indicates a name server available over
+ IPv4 transport. It does not imply anything about what DNS data is
+ served. Likewise, "IPv6 name server" indicates a name server
+ available over IPv6 transport. The phrase "dual-stack DNS server"
+ indicates a DNS server that is actually configured to run both
+ protocols, IPv4 and IPv6, and not merely a server running on a system
+ capable of running both but actually configured to run only one.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [2119].
+
+
+2. Introduction to the Problem of Name Space Fragmentation:
+ following the referral chain
+
+ The caching resolver that tries to look up a name starts out at the
+ root, and follows referrals until it is referred to a nameserver that
+ is authoritative for the name. If somewhere down the chain of
+ referrals it is referred to a nameserver that is only accessible over
+ an unavailable type of transport, a traditional nameserver is unable
+ to finish the task.
+
+ When the Internet moves from IPv4 to a mixture of IPv4 and IPv6 it is
+ only a matter of time until this starts to happen. The complete DNS
+ hierarchy then starts to fragment into a graph where authoritative
+ nameservers for certain nodes are only accessible over a certain
+ transport. What is feared is that a node using only a particular
+ version of IP, querying information about another node using the same
+ version of IP can not do it because, somewhere in the chain of
+ servers accessed during the resolution process, one or more of them
+ will only be accessible with the other version of IP.
+
+ With all DNS data only available over IPv4 transport everything is
+ simple. IPv4 resolvers can use the intended mechanism of following
+ referrals from the root and down while IPv6 resolvers have to work
+ through a "translator", i.e. they have to use a second name server on
+ a so-called "dual stack" host as a "forwarder" since they cannot
+ access the DNS data directly.
+
+ With all DNS data only available over IPv6 transport everything would
+ be equally simple, with the exception of old legacy IPv4 name servers
+ having to switch to a forwarding configuration.
+
+ However, the second situation will not arise in a foreseeable time.
+ Instead, it is expected that the transition will be from IPv4 only to
+ a mixture of IPv4 and IPv6, with DNS data of theoretically three
+ categories depending on whether it is available only over IPv4
+ transport, only over IPv6 or both.
+
+ Having DNS data available on both transports is the best situation.
+ The major question is how to ensure that it as quickly as possible
+ becomes the norm. However, while it is obvious that some DNS data
+ will only be available over v4 transport for a long time it is also
+ obvious that it is important to avoid fragmenting the name space
+ available to IPv4 only hosts. I.e. during transition it is not
+ acceptable to break the name space that we presently have available
+ for IPv4-only hosts.
+
+
+3. Policy Based Avoidance of Name Space Fragmentation
+
+ Today there are only a few DNS "zones" on the public Internet that
+ are available over IPv6 transport, and most of them can be regarded
+ as "experimental". However, as soon as the root and top level domains
+ are available over IPv6 transport, it is reasonable to expect that it
+ will become more common to have zones served by IPv6 servers.
+
+ Having those zones served only by IPv6-only name server would not be
+ a good development, since this will fragment the previously
+ unfragmented IPv4 name space and there are strong reasons to find a
+ mechanism to avoid it.
+
+ The RECOMMENDED approach to maintain name space continuity is to use
+ administrative policies, as described in the next section.
+
+
+4. DNS IPv6 Transport RECOMMENDED Guidelines
+
+ In order to preserve name space continuity, the following administrative
+ policies are RECOMMENDED:
+ - every recursive DNS server SHOULD be either IPv4-only or dual
+ stack,
+ - every single DNS zone SHOULD be served by at least one IPv4
+ reachable DNS server.
+
+ This rules out IPv6-only DNS servers performing full recursion and
+ DNS zones served only by IPv6-only DNS servers. However, one could
+ very well design a configuration where a chain of IPv6 only DNS
+ servers forward queries to a set of dual stack DNS servers actually
+ performing those recursive queries. This approach could be revisited
+ if/when translation techniques between IPv4 and IPv6 were to be
+ widely deployed.
+
+ In order to help enforcing the second point, the optional operational
+ zone validation processes SHOULD ensure that there is at least one
+ IPv4 address record available for the name servers of any child
+ delegations within the zone.
+
+
+5. Security Considerations
+
+ Being a critical piece of the Internet infrastructure, the DNS is a
+ potential value target and thus should be protected. Great care
+ should be taken not to weaken the security of DNS while introducing
+ IPv6 operation.
+
+ Keeping the DNS name space from fragmenting is a critical thing for
+ the availability and the operation of the Internet; this memo
+ addresses this issue by clear and simple operational guidelines.
+
+ The RECOMMENDED guidelines are compatible with the operation of
+ DNSSEC and do not introduce any new security issues.
+
+
+6. Author Addresses
+
+ Alain Durand
+ SUN Microsystems, Inc
+ 17 Network circle UMPK17-202
+ Menlo Park, CA, 94025
+ USA
+ Mail: Alain.Durand@sun.com
+
+ Johan Ihren
+ Autonomica
+ Bellmansgatan 30
+ SE-118 47 Stockholm, Sweden
+ Mail: johani@autonomica.se
+
+
+7. Normative References
+
+ [2119] Bradner, S., "Key Words for Use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+8. Full Copyright Statement
+
+ "Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt
new file mode 100644
index 0000000..2311ee6
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-key-rollover-requirements-01.txt
@@ -0,0 +1,391 @@
+
+DNSOP G. Guette
+Internet-Draft IRISA / INRIA
+Expires: February 5, 2005 O. Courtay
+ Thomson R&D
+ August 7, 2004
+
+
+ Requirements for Automated Key Rollover in DNSSEC
+ draft-ietf-dnsop-key-rollover-requirements-01.txt
+
+Status of this Memo
+
+ By submitting this Internet-Draft, I certify that any applicable
+ patent or other IPR claims of which I am aware have been disclosed,
+ and any of which I become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on February 5, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ This document describes problems that appear during an automated
+ rollover and gives the requirements for the design of communication
+ between parent zone and child zone in an automated rollover process.
+ This document is essentially about key rollover, the rollover of
+ another Resource Record present at delegation point (NS RR) is also
+ discussed.
+
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 1]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. The Key Rollover Process . . . . . . . . . . . . . . . . . . . 3
+ 3. Basic Requirements . . . . . . . . . . . . . . . . . . . . . . 4
+ 4. Messages authentication and information exchanged . . . . . . 4
+ 5. Emergency Rollover . . . . . . . . . . . . . . . . . . . . . . 5
+ 6. Other Resource Record concerned by automatic rollover . . . . 5
+ 7. Security consideration . . . . . . . . . . . . . . . . . . . . 5
+ 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5
+ 9. Normative References . . . . . . . . . . . . . . . . . . . . . 5
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 6
+ Intellectual Property and Copyright Statements . . . . . . . . 7
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 2]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+1. Introduction
+
+ The DNS security extensions (DNSSEC) [4][8][7][9] uses public-key
+ cryptography and digital signatures. It stores the public part of
+ keys in DNSKEY Resource Records (RRs). Because old keys and
+ frequently used keys are vulnerable, they must be renewed
+ periodically. In DNSSEC, this is the case for Zone Signing Keys
+ (ZSKs) and Key Signing Keys (KSKs) [1][2]. Automation of key
+ rollover process is necessary for large zones because there are too
+ many changes to handle a manual administration.
+
+ Let us consider for example a zone with 100000 secure delegations.
+ If the child zones change their keys once a year on average, that
+ implies 300 changes per day for the parent zone. This amount of
+ changes are hard to manage manually.
+
+ Automated rollover is optional and resulting from an agreement
+ between the administrator of the parent zone and the administrator of
+ the child zone. Of course, key rollover can also be done manually by
+ administrators.
+
+ This document describes the requirements for the design of messages
+ of automated key rollover process and focusses on interaction between
+ parent and child zone.
+
+2. The Key Rollover Process
+
+ Key rollover consists in renewing the DNSSEC keys used to sign
+ resource records in a given DNS zone file. There are two types of
+ rollover, ZSK rollovers and KSK rollovers.
+
+ In a ZSK rollover, all changes are local to the zone that renews its
+ key: there is no need to contact other zones (e.g., parent zone) to
+ propagate the performed changes because a ZSK has no associated DS
+ record in the parent zone.
+
+ In a KSK rollover, new DS RR(s) must be created and stored in the
+ parent zone. In consequence, the child zone must contact its parent
+ zone and must notify it about the KSK change(s).
+
+ Manual key rollover exists and works [3]. The key rollover is built
+ from two parts of different nature:
+ o An algorithm that generates new keys and signs the zone file. It
+ could be local to the zone
+ o The interaction between parent and child zones
+
+ One example of manual key rollover is:
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 3]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+ o The child zone creates a new KSK
+ o The child zone waits for the creation of the DS RR in its parent
+ zone
+ o The child zone deletes the old key.
+
+ In manual rollover, communications are managed by the zone
+ administrators and the security of these communications is out of
+ scope of DNSSEC.
+
+ Automated key rollover should use a secure communication between
+ parent and child zones. This document concentrates on defining
+ interactions between entities present in key rollover process.
+
+3. Basic Requirements
+
+ The main constraint to respect during a key rollover is that the
+ chain of trust MUST be preserved, even if a resolver retrieves some
+ RRs from recursive cache server. Every RR MUST be verifiable at any
+ time, every RRs exchanged during the rollover should be authenticated
+ and their integrity should be guaranteed.
+
+ Two entities act during a KSK rollover: the child zone and its parent
+ zone. These zones are generally managed by different administrators.
+ These administrators should agree on some parameters like
+ availability of automated rollover, the maximum delay between
+ notification of changes in the child zone and the resigning of the
+ parent zone. The child zone needs to know this delay to schedule its
+ changes.
+
+4. Messages authentication and information exchanged
+
+ Every exchanged message MUST be authenticated and the authentication
+ tool MUST be a DNSSEC tool such as TSIG [6], SIG(0) [5] or DNSSEC
+ request with verifiable SIG records.
+
+ Once the changes related to a KSK are made in a child zone, this zone
+ MUST notify its parent zone in order to create the new DS RR and
+ store this DS RR in parent zone file.
+
+ The parent zone MUST receive all the child keys that needs the
+ creation of associated DS RRs in the parent zone.
+
+ Some errors could occur during transmission between child zone and
+ parent zone. Key rollover solution MUST be fault tolerant, i.e. at
+ any time the rollover MUST be in a consistent state and all RRs MUST
+ be verifiable, even if an error occurs. That is to say that it MUST
+ remain a valid chain of trust.
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 4]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+5. Emergency Rollover
+
+ A key of a zone might be compromised and this key MUST be changed as
+ soon as possible. Fast changes could break the chain of trust. The
+ part of DNS tree having this zone as apex can become unverifiable,
+ but the break of the chain of trust is necessary if we want to no one
+ can use the compromised key to spoof DNS data.
+
+ In case of emergency rollover, the administrators of parent and child
+ zones should create new key(s) and DS RR(s) as fast as possible in
+ order to reduce the time the chain of trust is broken.
+
+6. Other Resource Record concerned by automatic rollover
+
+ NS records are also present at delegation point, so when the child
+ zone renews some NS RR, the corresponding records at delegation point
+ in parent zone (glue) MUST be updated. NS records are concerned by
+ rollover and this rollover could be automated too. In this case,
+ when the child zone notifies its parent zone that some NS records
+ have been changed, the parent zone MUST verify that these NS records
+ are present in child zone before doing any changes in its own zone
+ file. This allows to avoid inconsistency between NS records at
+ delegation point and NS records present in the child zone.
+
+7. Security consideration
+
+ This document describes requirements to design an automated key
+ rollover in DNSSEC based on DNSSEC security. In the same way, as
+ plain DNSSEC, the automatic key rollover contains no mechanism
+ protecting against denial of service (DoS). The security level
+ obtain after an automatic key rollover, is the security level
+ provided by DNSSEC.
+
+8. Acknowledgments
+
+ The authors want to acknowledge Francis Dupont, Mohsen Souissi,
+ Bernard Cousin, Bertrand L‰onard and members of IDsA project for
+ their contribution to this document.
+
+9 Normative References
+
+ [1] Gudmundsson, O., "Delegation Signer (DS) Resource Record (RR)",
+ RFC 3658, December 2003.
+
+ [2] Kolkman, O., Schlyter, J. and E. Lewis, "Domain Name System KEY
+ (DNSKEY) Resource Record (RR) Secure Entry Point (SEP) Flag",
+ RFC 3757, May 2004.
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 5]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+ [3] Kolkman, O., "DNSSEC Operational Practices",
+ draft-ietf-dnsop-dnssec-operational-practice-01 (work in
+ progress), May 2004.
+
+ [4] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [5] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [6] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+ 2845, May 2000.
+
+ [7] Arends, R., "Resource Records for the DNS Security Extensions",
+ draft-ietf-dnsext-dnssec-records-09 (work in progress), July
+ 2004.
+
+ [8] Arends, R., Austein, R., Massey, D., Larson, M. and S. Rose,
+ "DNS Security Introduction and Requirements",
+ draft-ietf-dnsext-dnssec-intro-11 (work in progress), July 2004.
+
+ [9] Arends, R., "Protocol Modifications for the DNS Security
+ Extensions", draft-ietf-dnsext-dnssec-protocol-07 (work in
+ progress), July 2004.
+
+
+Authors' Addresses
+
+ Gilles Guette
+ IRISA / INRIA
+ Campus de Beaulieu
+ 35042 Rennes CEDEX
+ FR
+
+ EMail: gilles.guette@irisa.fr
+ URI: http://www.irisa.fr
+
+
+ Olivier Courtay
+ Thomson R&D
+ 1, avenue Belle Fontaine
+ 35510 Cesson S‰vign‰ CEDEX
+ FR
+
+ EMail: olivier.courtay@thomson.net
+
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 6]
+
+Internet-Draft Automated Rollover Requirements August 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Guette & Courtay Expires February 5, 2005 [Page 7]
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
new file mode 100644
index 0000000..1094275
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
@@ -0,0 +1,505 @@
+
+
+IETF DNSOP Working Group Y. Morishita
+Internet-Draft JPRS
+Expires: July 11, 2004 T. Jinmei
+ Toshiba
+ January 11, 2004
+
+
+ Common Misbehavior against DNS Queries for IPv6 Addresses
+ draft-ietf-dnsop-misbehavior-against-aaaa-00.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on July 11, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ There is some known misbehavior of DNS authoritative servers when
+ they are queried for AAAA resource records. Such behavior can block
+ IPv4 communication which should actually be available, cause a
+ significant delay in name resolution, or even make a denial of
+ service attack. This memo describes details of the known cases and
+ discusses the effect of the cases.
+
+1. Introduction
+
+ Many DNS clients (resolvers) that support IPv6 first search for AAAA
+ Resource Records (RRs) of a target host name, and then for A RRs of
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 1]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+ the same name. This fallback mechanism is based on the DNS
+ specifications, which if not obeyed by authoritative servers can
+ produce unpleasant results. In some cases, for example, a web browser
+ fails to connect to a web server it could otherwise. In the following
+ sections, this memo describes some typical cases of the misbehavior
+ and its (bad) effects.
+
+ Note that the misbehavior is not specific to AAAA RRs. In fact, all
+ known examples also apply to the cases of queries for MX, NS, and SOA
+ RRs. The authors even believe this can be generalized for all types
+ of queries other than those for A RRs. In this memo, however, we
+ concentrate on the case for AAAA queries, since the problem is
+ particularly severe for resolvers that support IPv6, which thus
+ affects many end users. Resolvers at end users normally send A and/or
+ AAAA queries only, and so the problem for the other cases is
+ relatively minor.
+
+2. Network Model
+
+ In this memo, we assume a typical network model of name resolution
+ environment using DNS. It consists of three components; stub
+ resolvers, caching servers, and authoritative servers. A stub
+ resolver issues a recursive query to a caching server, which then
+ handles the entire name resolution procedure recursively. The caching
+ server caches the result of the query as well as sends the result to
+ the stub resolver. The authoritative servers respond to queries for
+ names for which they have the authority, normally in a non-recursive
+ manner.
+
+3. Expected Behavior
+
+ Suppose that an authoritative server has an A RR but not a AAAA RR
+ for a host name. Then the server should return a response to a query
+ for a AAAA RR of the name with the RCODE being 0 (indicating no
+ error) and with an empty answer section [1]. Such a response
+ indicates that there is at least one RR of a different type than AAAA
+ for the queried name, and the stub resolver can then look for A RRs.
+
+ This way, the caching server can cache the fact that the queried name
+ does not have a AAAA RR (but may have other types of RRs), and thus
+ can improve the response time to further queries for a AAAA RR of the
+ name.
+
+4. Problematic Behaviors
+
+ There are some known cases at authoritative servers that do not
+ conform to the expected behavior. This section describes those
+ problematic cases.
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 2]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+4.1 Return NXDOMAIN
+
+ This type of server returns a response with the RCODE being 3
+ (NXDOMAIN) to a query for a AAAA RR, indicating it does not have any
+ RRs of any type for the queried name.
+
+ With this response, the stub resolver may immediately give up and
+ never fall back. Even if the resolver retries with a query for an A
+ RR, the negative response for the name has been cached in the caching
+ server, and the caching server will simply return the negative
+ response. As a result, the stub resolver considers this as a fatal
+ error in name resolution.
+
+ There have been several known examples of this behavior, but all the
+ examples that the authors know have changed their behavior as of this
+ writing.
+
+4.2 Return NOTIMP
+
+ Other authoritative servers return a response with the RCODE being 4
+ (NOTIMP), indicating the servers do not support the requested type of
+ query.
+
+ This case is less harmful than the previous one; if the stub resolver
+ falls back to querying for an A RR, the caching server will process
+ the query correctly and return an appropriate response.
+
+ In this case, the caching server does not cache the fact that the
+ queried name has no AAAA RR, resulting in redundant queries for AAAA
+ RRs in the future. The behavior will waste network bandwidth and
+ increase the load of the authoritative server.
+
+ Using SERVFAIL or FORMERR would cause the same effect, though the
+ authors have not seen such implementations yet.
+
+4.3 Return a Broken Response
+
+ Another different type of authoritative servers returns broken
+ responses to AAAA queries. A known behavior of this category is to
+ return a response whose RR type is AAAA, but the length of the RDATA
+ is 4 bytes. The 4-byte data looks like the IPv4 address of the
+ queried host name. That is, the RR in the answer section would be
+ described like this:
+
+ www.bad.example. 600 IN AAAA 192.0.2.1
+
+ which is, of course, bogus (or at least meaningless).
+
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 3]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+ A widely deployed caching server implementation transparently returns
+ the broken response (as well as caches it) to the stub resolver.
+ Another known server implementation parses the response by
+ themselves, and sends a separate response with the RCODE being 2
+ (SERVFAIL).
+
+ In either case, the broken response does not affect queries for an A
+ RR of the same name. If the stub resolver falls back to A queries, it
+ will get an appropriate response.
+
+ The latter case, however, causes the same bad effect as that
+ described in the previous section: redundant queries for AAAA RRs.
+
+4.4 Make Lame Delegation
+
+ Some authoritative servers respond to AAAA queries in a way causing
+ lame delegation. In this case the parent zone specifies that the
+ authoritative server should have the authority of a zone, but the
+ server does not return an authoritative response for AAAA queries
+ within the zone (i.e., the AA bit in the response is not set). On the
+ other hand, the authoritative server returns an authoritative
+ response for A queries.
+
+ When a caching server asks the server for AAAA RRs in the zone, it
+ recognizes the delegation is lame, and return a response with the
+ RCODE being 2 (SERVFAIL) to the stub resolver.
+
+ Furthermore, some caching servers record the authoritative server as
+ lame for the zone and will not use it for a certain period of time.
+ With this type of caching server, even if the stub resolver falls
+ back to querying for an A RR, the caching server will simply return a
+ response with the RCODE being SERVFAIL, since all the servers are
+ known to be "lame."
+
+ There is also an implementation that relaxes the behavior a little
+ bit. It basically tries to avoid using the lame server, but still
+ continues to try it as a last resort. With this type of caching
+ server, the stub resolver will get a correct response if it falls
+ back after SERVFAIL. However, this still causes redundant AAAA
+ queries as explained in the previous sections.
+
+4.5 Ignore Queries for AAAA
+
+ Some authoritative severs seem to ignore queries for a AAAA RR,
+ causing a delay at the stub resolver to fall back to a query for an A
+ RR. This behavior may even cause a fatal timeout at the resolver.
+
+
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 4]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+5. Security Considerations
+
+ The CERT/CC pointed out that the response with NXDOMAIN described in
+ Section 4.1 can be used for a denial of service attack [2]. The same
+ argument applies to the case of "lame delegation" described in
+ Section 4.4 with a certain type of caching server.
+
+6. Acknowledgements
+
+ Erik Nordmark encouraged the authors to publish this document as an
+ Internet Draft. Akira Kato and Paul Vixie reviewed a preliminary
+ version of this document. Pekka Savola carefully reviewed a previous
+ version and provided detailed comments.
+
+Informative References
+
+ [1] Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES", RFC
+ 1034, November 1987.
+
+ [2] The CERT Coordination Center, "Incorrect NXDOMAIN responses from
+ AAAA queries could cause denial-of-service conditions", March
+ 2003, <http://www.kb.cert.org/vuls/id/714121>.
+
+
+Authors' Addresses
+
+ MORISHITA Orange Yasuhiro
+ Research and Development Department, Japan Registry Service Co.,Ltd.
+ Fuundo Bldg 3F, 1-2 Kanda-Ogawamachi
+ Chiyoda-ku, Tokyo 101-0052
+ Japan
+
+ EMail: yasuhiro@jprs.co.jp
+
+
+ JINMEI Tatuya
+ Corporate Research & Development Center, Toshiba Corporation
+ 1 Komukai Toshiba-cho, Saiwai-ku
+ Kawasaki-shi, Kanagawa 212-8582
+ Japan
+
+ EMail: jinmei@isl.rdc.toshiba.co.jp
+
+Appendix A. Live Examples
+
+ In this appendix, we show concrete implementations and domain names
+ that may cause problematic cases so that the behavior can be
+ reproduced in a practical environment. The examples are for
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 5]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+ informational purposes only, and the authors do not intend to accuse
+ any implementations or zone administrators.
+
+ The behavior described in Section 4.2 (return NOTIMP) can be found by
+ looking for a AAAA RR of www.css.vtext.com at 66.174.3.4.
+
+ The behavior described in Section 4.3 (broken responses) can be seen
+ by querying for a AAAA RR of "www.gslb.mainichi.co.jp," which is an
+ alias of "www.mainichi.co.jp," at 210.173.172.2. The same behavior
+ can be found with the name "vip.alt.ihp.sony.co.jp," an alias of
+ "www.sony.co.jp," at 210.139.255.204.
+
+ The behavior described in Section 4.4 (lame delegation) can be found
+ by querying for a AAAA RR of "www.ual.com" at 209.87.113.4.
+
+ The behavior described in Section 4.5 (ignore queries) can be seen by
+ trying to ask for a AAAA RR of "ad.3jp.doubleclick.net," which is an
+ alias of "ad.jp.doubleclick.net," at 210.153.90.9.
+
+ Many authoritative server implementations show the expected behavior
+ described in Section 3. Some DNS load balancers reportedly have a
+ problematic behavior shown in Section 4, but the authors do not have
+ a concrete example. The CERT/CC provides a list of implementations
+ that behave as described in Section 4.1 [2].
+
+ The BIND9 caching server implementation is an example of the latter
+ cases described in Section 4.3 and Section 4.4, respectively. The
+ BIND8 caching server implementation is an example of the former case
+ described in Section 4.3. As for the issue shown in Section 4.4,
+ BIND8 caching servers prior to 8.3.5 show the behavior described as
+ the former case in this section. The versions 8.3.5 and later of
+ BIND8 caching server behave like the BIND9 caching server
+ implementation with this matter.
+
+ Regarding resolver implementations, the authors are only familiar
+ with the ones derived from the BIND implementation. These
+ implementations always fall back regardless of the RCODE; NXDOMAIN,
+ NOTIMP, or SERVFAIL. It even falls back when getting a broken
+ response. However, the behavior does not help the situation in the
+ NXDOMAIN case (see Section 4.1). Lame delegation (Section 4.4) also
+ causes a fatal error at the resolver side if the resolver is using
+ some older versions of BIND8 caching server.
+
+ The authors hear that a stub resolver routine implemented in some web
+ browsers interprets the broken response described in Section 4.3 as a
+ fatal error and does not fall back to A queries. However, we have not
+ confirmed this information.
+
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 6]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+Appendix B. Change History
+
+ Changes since draft-morishita-dnsop-misbehavior-against-aaaa-00 are:
+
+ o Made a separate appendix and moved live examples to appendix so
+ that we can remove them when this document is (ever) officially
+ published.
+
+ o Revised some live examples based on the recent status.
+
+ o Noted in introduction that the misbehavior is not specific to AAAA
+ and that this document still concentrates on the AAAA case.
+
+ o Changed the section title of "delegation loop" to "lame
+ delegation" in order to reflect the essential point of the issue.
+ Wording on this matter was updated accordingly.
+
+ o Updated the Acknowledgements list.
+
+ o Changed the reference category from normative to informative (this
+ is an informational document after all).
+
+ o Changed the draft name to an IETF dnsop working group document (as
+ agreed).
+
+ o Applied several editorial fixes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 7]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 8]
+
+Internet-Draft Common Misbehavior against AAAA Queries January 2004
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Morishita & Jinmei Expires July 11, 2004 [Page 9]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt
new file mode 100644
index 0000000..f6ece88
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-respsize-01.txt
@@ -0,0 +1,485 @@
+ DNSOP Working Group Paul Vixie, ISC (Ed.)
+ INTERNET-DRAFT Akira Kato, WIDE
+ <draft-ietf-dnsop-respsize-01.txt> July, 2004
+
+
+ DNS Response Size Issues
+
+
+ Status of this Memo
+ This document is an Internet-Draft and is subject to all provisions
+ of section 3 of RFC 3667. By submitting this Internet-Draft, each
+ author represents that any applicable patent or other IPR claims of
+ which we are aware have been or will be disclosed, and any of which
+ we become aware will be disclosed, in accordance with RFC 3668.
+
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+ Copyright Notice
+
+
+ Copyright (C) The Internet Society (2003-2004). All Rights Reserved.
+
+
+
+
+
+ Abstract
+
+
+ With a mandated default minimum maximum message size of 512 octets,
+ the DNS protocol presents some special problems for zones wishing to
+ expose a moderate or high number of authority servers (NS RRs). This
+ document explains the operational issues caused by, or related to
+ this response size limit.
+
+
+
+
+
+
+ Expires December 2004 [Page 1]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ 1 - Introduction and Overview
+
+
+ 1.1. The DNS standard (see [RFC1035 4.2.1]) limits message size to 512
+ octets. Even though this limitation was due to the required minimum UDP
+ reassembly limit for IPv4, it is a hard DNS protocol limit and is not
+ implicitly relaxed by changes in transport, for example to IPv6.
+
+
+ 1.2. The EDNS0 standard (see [RFC2671 2.3, 4.5]) permits larger
+ responses by mutual agreement of the requestor and responder. However,
+ deployment of EDNS0 cannot be expected to reach every Internet resolver
+ in the short or medium term. The 512 octet message size limit remains
+ in practical effect at this time.
+
+
+ 1.3. Since DNS responses include a copy of the request, the space
+ available for response data is somewhat less than the full 512 octets.
+ For negative responses, there is rarely a space constraint. For
+ positive and delegation responses, though, every octet must be carefully
+ and sparingly allocated. This document specifically addresses
+ delegation response sizes.
+
+
+ 2 - Delegation Details
+
+
+ 2.1. A delegation response will include the following elements:
+
+
+ Header Section: fixed length (12 octets)
+ Question Section: original query (name, class, type)
+ Answer Section: (empty)
+ Authority Section: NS RRset (nameserver names)
+ Additional Section: A and AAAA RRsets (nameserver addresses)
+
+
+ 2.2. If the total response size would exceed 512 octets, and if the data
+ that would not fit was in the question, answer, or authority section,
+ then the TC bit will be set (indicating truncation) which may cause the
+ requestor to retry using TCP, depending on what information was present
+ and what was omitted. If a retry using TCP is needed, the total cost of
+ the transaction is much higher.
+
+
+ 2.3. RRsets are never sent partially, so if truncation occurs, entire
+ RRsets are omitted. Note that the authority section consists of a
+ single RRset. It is absolutely essential that truncation not occur in
+ the authority section.
+
+
+
+
+
+
+
+
+ Expires December 2004 [Page 2]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ 2.4. DNS label compression allows a domain name to be instantiated only
+ once per DNS message, and then referenced with a two-octet "pointer"
+ from other locations in that same DNS message. If all nameserver names
+ in a message are similar (for example, all ending in ".ROOT-
+ SERVERS.NET"), then more space will be available for uncompressable data
+ (such as nameserver addresses).
+
+
+ 2.5. The query name can be as long as 255 characters of presentation
+ data, which can be up to 256 octets of network data. In this worst case
+ scenario, the question section will be 260 octets in size, which would
+ leave only 240 octets for the authority and additional sections (after
+ deducting 12 octets for the fixed length header.)
+
+
+ 2.6. Average and maximum question section sizes can be predicted by the
+ zone owner, since they will know what names actually exist, and can
+ measure which ones are queried for most often. For cost and performance
+ reasons, the majority of requests should be satisfied without truncation
+ or TCP retry.
+
+
+ 2.7. Requestors who deliberately send large queries to force truncation
+ are only increasing their own costs, and cannot effectively attack the
+ resources of an authority server since the requestor would have to retry
+ using TCP to complete the attack. An attack that always used TCP would
+ have a lower cost.
+
+
+ 2.8. The minimum useful number of address records is two, since with
+ only one address, the probability that it would refer to an unreachable
+ server is too high. Truncation which occurs after two address records
+ have been added to the additional data section is therefore less
+ operationally significant than truncation which occurs earlier.
+
+
+ 2.9. The best case is no truncation. (This is because many requestors
+ will retry using TCP by reflex, without considering whether the omitted
+ data was actually necessary.)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Expires December 2004 [Page 3]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ 3 - Analysis
+
+
+ 3.1. An instrumented protocol trace of a best case delegation response
+ follows. Note that 13 servers are named, and 13 addresses are given.
+ This query was artificially designed to exactly reach the 512 octet
+ limit.
+
+
+ ;; flags: qr rd; QUERY: 1, ANS: 0, AUTH: 13, ADDIT: 13
+ ;; QUERY SECTION:
+ ;; [23456789.123456789.123456789.\
+ 123456789.123456789.123456789.com A IN] ;; @80
+
+
+ ;; AUTHORITY SECTION:
+ com. 86400 NS E.GTLD-SERVERS.NET. ;; @112
+ com. 86400 NS F.GTLD-SERVERS.NET. ;; @128
+ com. 86400 NS G.GTLD-SERVERS.NET. ;; @144
+ com. 86400 NS H.GTLD-SERVERS.NET. ;; @160
+ com. 86400 NS I.GTLD-SERVERS.NET. ;; @176
+ com. 86400 NS J.GTLD-SERVERS.NET. ;; @192
+ com. 86400 NS K.GTLD-SERVERS.NET. ;; @208
+ com. 86400 NS L.GTLD-SERVERS.NET. ;; @224
+ com. 86400 NS M.GTLD-SERVERS.NET. ;; @240
+ com. 86400 NS A.GTLD-SERVERS.NET. ;; @256
+ com. 86400 NS B.GTLD-SERVERS.NET. ;; @272
+ com. 86400 NS C.GTLD-SERVERS.NET. ;; @288
+ com. 86400 NS D.GTLD-SERVERS.NET. ;; @304
+
+
+ ;; ADDITIONAL SECTION:
+ A.GTLD-SERVERS.NET. 86400 A 192.5.6.30 ;; @320
+ B.GTLD-SERVERS.NET. 86400 A 192.33.14.30 ;; @336
+ C.GTLD-SERVERS.NET. 86400 A 192.26.92.30 ;; @352
+ D.GTLD-SERVERS.NET. 86400 A 192.31.80.30 ;; @368
+ E.GTLD-SERVERS.NET. 86400 A 192.12.94.30 ;; @384
+ F.GTLD-SERVERS.NET. 86400 A 192.35.51.30 ;; @400
+ G.GTLD-SERVERS.NET. 86400 A 192.42.93.30 ;; @416
+ H.GTLD-SERVERS.NET. 86400 A 192.54.112.30 ;; @432
+ I.GTLD-SERVERS.NET. 86400 A 192.43.172.30 ;; @448
+ J.GTLD-SERVERS.NET. 86400 A 192.48.79.30 ;; @464
+ K.GTLD-SERVERS.NET. 86400 A 192.52.178.30 ;; @480
+ L.GTLD-SERVERS.NET. 86400 A 192.41.162.30 ;; @496
+ M.GTLD-SERVERS.NET. 86400 A 192.55.83.30 ;; @512
+
+
+ ;; MSG SIZE sent: 80 rcvd: 512
+
+
+
+
+
+
+ Expires December 2004 [Page 4]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ 3.2. For longer query names, the number of address records supplied will
+ be lower. Furthermore, it is only by using a common parent name (which
+ is GTLD-SERVERS.NET in this example) that all 13 addresses are able to
+ fit. The following output from a response simulator demonstrates these
+ properties:
+
+
+ % perl respsize.pl 13 13 0
+ common name, average case: msg:303 nsaddr#13 (green)
+ common name, worst case: msg:495 nsaddr# 1 (red)
+ uncommon name, average case: msg:457 nsaddr# 3 (orange)
+ uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
+ % perl respsize.pl 13 13 2
+ common name, average case: msg:303 nsaddr#11 (orange)
+ common name, worst case: msg:495 nsaddr# 1 (red)
+ uncommon name, average case: msg:457 nsaddr# 2 (orange)
+ uncommon name, worst case: msg:649(*) nsaddr# 0 (red)
+
+
+ (Note: The response simulator program is shown in Section 5.)
+
+
+ Here we use the term "green" if all address records could fit, or
+ "orange" if two or more could fit, or "red" if fewer than two could fit.
+ It's clear that without a common parent for nameserver names, much space
+ would be lost.
+
+
+ We're assuming an average query name size of 64 since that is the
+ typical average maximum size seen in trace data at the time of this
+ writing. If Internationalized Domain Name (IDN) or any other technology
+ which results in larger query names be deployed significantly in advance
+ of EDNS, then more new measurements and new estimates will have to be
+ made.
+
+
+ 4 - Conclusions
+
+
+ 4.1. The current practice of giving all nameserver names a common parent
+ (such as GTLD-SERVERS.NET or ROOT-SERVERS.NET) saves space in DNS
+ responses and allows for more nameservers to be enumerated than would
+ otherwise be possible. (Note that in this case it is wise to serve the
+ common parent domain's zone from the same servers that are named within
+ it, in order to limit external dependencies when all your eggs are in a
+ single basket.)
+
+
+ 4.2. Thirteen (13) seems to be the effective maximum number of
+ nameserver names usable traditional (non-extended) DNS, assuming a
+ common parent domain name, and assuming that additional-data truncation
+ is undesirable in the average case.
+
+
+
+
+ Expires December 2004 [Page 5]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ 4.3. Adding two to five IPv6 nameserver address records (AAAA RRs) to a
+ prototypical delegation that currently contains thirteen (13) IPv4
+ nameserver addresses (A RRs) for thirteen (13) nameserver names under a
+ common parent, would not have a significant negative operational impact
+ on the domain name system.
+
+
+ 5 - Source Code
+
+
+ #!/usr/bin/perl -w
+
+
+ $asize = 2+2+2+4+2+4;
+ $aaaasize = 2+2+2+4+2+16;
+ ($nns, $na, $naaaa) = @ARGV;
+ test("common", "average", common_name_average($nns),
+ $na, $naaaa);
+ test("common", "worst", common_name_worst($nns),
+ $na, $naaaa);
+ test("uncommon", "average", uncommon_name_average($nns),
+ $na, $naaaa);
+ test("uncommon", "worst", uncommon_name_worst($nns),
+ $na, $naaaa);
+ exit 0;
+
+
+ sub test { my ($namekind, $casekind, $msg, $na, $naaaa) = @_;
+ my $nglue = numglue($msg, $na, $naaaa);
+ printf "%8s name, %7s case: msg:%3d%s nsaddr#%2d (%s)\n",
+ $namekind, $casekind,
+ $msg, ($msg > 512) ? "(*)" : " ",
+ $nglue, ($nglue == $na + $naaaa) ? "green"
+ : ($nglue >= 2) ? "orange"
+ : "red";
+ }
+
+
+ sub pnum { my ($num, $tot) = @_;
+ return sprintf "%3d%s",
+ }
+
+
+ sub numglue { my ($msg, $na, $naaaa) = @_;
+ my $space = ($msg > 512) ? 0 : (512 - $msg);
+ my $num = 0;
+
+
+ while ($space && ($na || $naaaa )) {
+ if ($na) {
+ if ($space >= $asize) {
+ $space -= $asize;
+
+
+
+
+ Expires December 2004 [Page 6]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ $num++;
+ }
+ $na--;
+ }
+ if ($naaaa) {
+ if ($space >= $aaaasize) {
+ $space -= $aaaasize;
+ $num++;
+ }
+ $naaaa--;
+ }
+ }
+ return $num;
+ }
+
+
+ sub msgsize { my ($qname, $nns, $nsns) = @_;
+ return 12 + # header
+ $qname+2+2 + # query
+ 0 + # answer
+ $nns * (4+2+2+4+2+$nsns); # authority
+ }
+
+
+ sub average_case { my ($nns, $nsns) = @_;
+ return msgsize(64, $nns, $nsns);
+ }
+
+
+ sub worst_case { my ($nns, $nsns) = @_;
+ return msgsize(256, $nns, $nsns);
+ }
+
+
+ sub common_name_average { my ($nns) = @_;
+ return 15 + average_case($nns, 2);
+ }
+
+
+ sub common_name_worst { my ($nns) = @_;
+ return 15 + worst_case($nns, 2);
+ }
+
+
+ sub uncommon_name_average { my ($nns) = @_;
+ return average_case($nns, 15);
+ }
+
+
+ sub uncommon_name_worst { my ($nns) = @_;
+ return worst_case($nns, 15);
+ }
+
+
+
+
+ Expires December 2004 [Page 7]
+ INTERNET-DRAFT June 2003 RESPSIZE
+
+
+
+ Security Considerations
+
+
+ The recommendations contained in this document have no known security
+ implications.
+
+
+ IANA Considerations
+
+
+ This document does not call for changes or additions to any IANA
+ registry.
+
+
+ IPR Statement
+
+
+ Copyright (C) The Internet Society (2003-2004). This document is
+ subject to the rights, licenses and restrictions contained in BCP 78,
+ and except as set forth therein, the authors retain all their rights.
+
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR
+ IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+ Authors' Addresses
+
+
+ Paul Vixie
+ 950 Charter Street
+ Redwood City, CA 94063
+ +1 650 423 1301
+ vixie@isc.org
+
+
+ Akira Kato
+ University of Tokyo, Information Technology Center
+ 2-11-16 Yayoi Bunkyo
+ Tokyo 113-8658, JAPAN
+ +81 3 5841 2750
+ kato@wide.ad.jp
+
+
+
+
+
+
+
+
+
+
+ Expires December 2004 [Page 8]
\ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt
new file mode 100644
index 0000000..b593c57
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-dnsop-serverid-02.txt
@@ -0,0 +1,617 @@
+
+
+Network Working Group S. Woolf
+Internet-Draft Internet Systems Consortium, Inc.
+Expires: January 16, 2005 D. Conrad
+ Nominum, Inc.
+ July 18, 2004
+
+
+ Identifying an Authoritative Name `Server
+ draft-ietf-dnsop-serverid-02
+
+Status of this Memo
+
+ This document is an Internet-Draft and is subject to all provisions
+ of section 3 of RFC 3667. By submitting this Internet-Draft, each
+ author represents that any applicable patent or other IPR claims of
+ which he or she is aware have been or will be disclosed, and any of
+ which he or she become aware will be disclosed, in accordance with
+ RFC 3668.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on January 16, 2005.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+ With the increased use of DNS anycast, load balancing, and other
+ mechanisms allowing more than one DNS name server to share a single
+ IP address, it is sometimes difficult to tell which of a pool of name
+ servers has answered a particular query. A standardized mechanism to
+ determine the identity of a name server responding to a particular
+ query would be useful, particularly as a diagnostic aid. Existing ad
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 1]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+ hoc mechanisms for addressing this concern are not adequate. This
+ document attempts to describe the common ad hoc solution to this
+ problem, including its advantages and disadvantasges, and to
+ characterize an improved mechanism.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 2]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+1. Introduction
+
+ With the increased use of DNS anycast, load balancing, and other
+ mechanisms allowing more than one DNS name server to share a single
+ IP address, it is sometimes difficult to tell which of a pool of name
+ servers has answered a particular query. A standardized mechanism to
+ determine the identity of a name server responding to a particular
+ query would be useful, particularly as a diagnostic aid.
+
+ Unfortunately, existing ad-hoc mechanisms for providing such
+ identification have some shortcomings, not the least of which is the
+ lack of prior analysis of exactly how such a mechanism should be
+ designed and deployed. This document describes the existing
+ convention used in one widely deployed implementation of the DNS
+ protocol and discusses requirements for an improved solution to the
+ problem.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 3]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+2. Rationale
+
+ Identifying which name server is responding to queries is often
+ useful, particularly in attempting to diagnose name server
+ difficulties. However, relying on the IP address of the name server
+ has become more problematic due the deployment of various load
+ balancing solutions, including the use of shared unicast addresses as
+ documented in [RFC3258].
+
+ An unfortunate side effect of these load balancing solutions is that
+ traditional methods of determining which server is responding can be
+ unreliable. Specifically, non-DNS methods such as ICMP ping, TCP
+ connections, or non-DNS UDP packets (e.g., as generated by tools such
+ as "traceroute"), etc., can end up going to a different server than
+ that which receives the DNS queries.
+
+ The widespread use of the existing convention suggests a need for a
+ documented, interoperable means of querying the identity of a
+ nameserver that may be part of an anycast or load-balancing cluster.
+ At the same time, however, it also has some drawbacks that argue
+ against standardizing it as it's been practiced so far.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 4]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+3. Existing Conventions
+
+ Recent versions of the commonly deployed Berkeley Internet Name
+ Domain implementation of the DNS protocol suite from the Internet
+ Software Consortium [BIND] support a way of identifying a particular
+ server via the use of a standard, if somewhat unusual, DNS query.
+ Specifically, a query to a late model BIND server for a TXT resource
+ record in class 3 (CHAOS) for the domain name "HOSTNAME.BIND." will
+ return a string that can be configured by the name server
+ administrator to provide a unique identifier for the responding
+ server (defaulting to the value of a gethostname() call). This
+ mechanism, which is an extension of the BIND convention of using
+ CHAOS class TXT RR queries to sub-domains of the "BIND." domain for
+ version information, has been copied by several name server vendors.
+
+ For reference, the other well-known name used by recent versions of
+ BIND within the CHAOS class "BIND." domain is "VERSION.BIND." A
+ query for a TXT RR for this name will return an administratively re-
+ definable string which defaults to the version of the server
+ responding.
+
+3.1 Advantages
+
+ There are several valuable attributes to this mechanism, which
+ account for its usefulness.
+ 1. This mechanism is within the DNS protocol itself. An
+ identification mechanism that relies on the DNS protocol is more
+ likely to be successful (although not guaranteed) in going to the
+ same machine as a "normal" DNS query.
+ 2. It is simple to configure. An administrator can easily turn on
+ this feature and control the results of the relevant query.
+ 3. It allows the administrator complete control of what information
+ is given out in the response, minimizing passive leakage of
+ implementation or configuration details. Such details are often
+ considered sensitive by infrastructure operators.
+
+3.2 Disadvantages
+
+ At the same time, there are some forbidding drawbacks to the
+ VERSION.BIND mechanism that argue against standardizing it as it
+ currently operates.
+ 1. It requires an additional query to correlate between the answer
+ to a DNS query under normal conditions and the supposed identity
+ of the server receiving the query. There are a number of
+ situations in which this simply isn't reliable.
+ 2. It reserves an entire class in the DNS (CHAOS) for what amounts
+ to one zone. While CHAOS class is defined in [RFC1034] and
+ [RFC1035], it's not clear that supporting it solely for this
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 5]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+ purpose is a good use of the namespace or of implementation
+ effort.
+ 3. It is implementation specific. BIND is one DNS implementation.
+ At the time of this writing, it is probably the most prevalent,
+ for authoritative servers anyway. This does not justify
+ standardizing on its ad hoc solution to a problem shared across
+ many operators and implementors.
+
+ The first of the listed disadvantages is technically the most
+ serious. It argues for an attempt to design a good answer to the
+ problem that "I need to know what nameserver is answering my
+ queries", not simply a convenient one.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 6]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+4. Characteristics of an Implementation Neutral Convention
+
+ The discussion above of advantages and disadvantages to the
+ HOSTNAME.BIND mechanism suggest some requirements for a better
+ solution to the server identification problem. These are summarized
+ here as guidelines for any effort to provide appropriate protocol
+ extensions:
+ 1. The mechanism adopted MUST be in-band for the DNS protocol. That
+ is, it needs to allow the query for the server's identifying
+ information to be part of a normal, operational query. It SHOULD
+ also permit a separate, dedicated query for the server's
+ identifying information.
+ 2. The new mechanism should not require dedicated namespaces or
+ other reserved values outside of the existing protocol mechanisms
+ for these, i.e. the OPT pseudo-RR.
+ 3. Support for the identification functionality SHOULD be easy to
+ implement and easy to enable. It MUST be easy to disable and
+ SHOULD lend itself to access controls on who can query for it.
+ 4. It should be possible to return a unique identifier for a server
+ without requiring the exposure of information that may be
+ non-public and considered sensitive by the operator, such as a
+ hostname or unicast IP address maintained for administrative
+ purposes.
+ 5. The identification mechanism SHOULD NOT be
+ implementation-specific.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 7]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+5. IANA Considerations
+
+ This document proposes no specific IANA action. Protocol extensions,
+ if any, to meet the requirements described are out of scope for this
+ document. Should such extensions be specified and adopted by normal
+ IETF process, the specification will include appropriate guidance to
+ IANA.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 8]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+6. Security Considerations
+
+ Providing identifying information as to which server is responding
+ can be seen as information leakage and thus a security risk. This
+ motivates the suggestion above that a new mechanism for server
+ identification allow the administrator to disable the functionality
+ altogether or partially restrict availability of the data. It also
+ suggests that the serverid data should not be readily correlated with
+ a hostname or unicast IP address that may be considered private to
+ the nameserver operator's management infrastructure.
+
+ Propagation of protocol or service meta-data can sometimes expose the
+ application to denial of service or other attack. As DNS is a
+ critically important infrastructure service for the production
+ Internet, extra care needs to be taken against this risk for
+ designers, implementors, and operators of a new mechanism for server
+ identification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 9]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+7. Acknowledgements
+
+ The technique for host identification documented here was initially
+ implemented by Paul Vixie of the Internet Software Consortium in the
+ Berkeley Internet Name Daemon package. Comments and questions on
+ earlier drafts were provided by Bob Halley, Brian Wellington, Andreas
+ Gustafsson, Ted Hardie, Chris Yarnell, Randy Bush, and members of the
+ ICANN Root Server System Advisory Committee. The newest draft takes
+ a significantly different direction from previous versions, owing to
+ discussion among contributors to the DNSOP working group and others,
+ particularly Olafur Gudmundsson, Ed Lewis, Bill Manning, Sam Weiler,
+ and Rob Austein.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 10]
+
+Internet-Draft Identifying an Authoritative Name `Server July 2004
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at
+ ietf-ipr@ietf.org.
+
+
+Disclaimer of Validity
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+
+Acknowledgment
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+Woolf & Conrad Expires January 16, 2005 [Page 11]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt b/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt
new file mode 100644
index 0000000..3353b3b
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-enum-e164-gstn-np-05.txt
@@ -0,0 +1,1588 @@
+
+ Mark Foster
+Internet Draft Tom McGarry
+Document: <draft-ietf-enum-e164-gstn-np-05.txt> James Yu
+ NeuStar, Inc.
+Category: Informational June 24, 2002
+
+
+ Number Portability in the GSTN: An Overview
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026 [RFC].
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts. Internet-Drafts are draft documents valid for a maximum of
+ six months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet- Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+ Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All rights reserved.
+
+
+ Abstract
+
+ This document provides an overview of E.164 telephone number
+ portability (NP) in the Global Switched Telephone Network (GSTN).
+ NP is a regulatory imperative seeking to liberalize local telephony
+ service competition, by enabling end-users to retain telephone
+ numbers while changing service providers. NP changes the
+ fundamental nature of a dialed E.164 number from a hierarchical
+ physical routing address to a virtual address, thereby requiring the
+ transparent translation of the later to the former. In addition,
+ there are various regulatory constraints that establish relevant
+ parameters for NP implementation, most of which are not network
+ technology specific. Consequently, the implementation of NP
+ behavior consistent with applicable regulatory constraints, as well
+ as the need for interoperation with the existing GSTN NP
+ implementations, are relevant topics for numerous areas of IP
+ telephony work-in-progress at IETF.
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 1]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+
+ Table of Contents
+
+ 1. Introduction ............................................... 2
+ 2. Abbreviations and Acronyms ................................. 4
+ 3. Types of Number Portability ................................ 5
+ 4. Service Provider Number Portability Schemes ................ 7
+ 4.1 All Call Query (ACQ) .................................. 7
+ 4.2 Query on Release (QoR) ................................ 8
+ 4.3 Call Dropback ......................................... 9
+ 4.4 Onward Routing (OR) ................................... 9
+ 4.5 Comparisons of the Four Schemes ....................... 10
+ 5. Database Queries in the NP Environment ..................... 11
+ 5.1 U.S. and Canada ....................................... 12
+ 5.2 Europe ................................................ 13
+ 6. Call Routing in the NP Environment ......................... 14
+ 6.1 U.S. and Canada ....................................... 14
+ 6.2 Europe ................................................ 15
+ 7. NP Implementations for Geographic E.164 Numbers ............ 17
+ 8. Number Conservation Method Enabled By NP ................... 20
+ 8.1 Block Pooling ......................................... 20
+ 8.2 ITN Pooling ........................................... 21
+ 9. Potential Implications ..................................... 21
+ 10. Security Considerations .................................... 24
+ 11. IANA Considerations ........................................ 24
+ 12. Normative References ....................................... 24
+ 13. Informative References ..................................... 25
+ 14. Acknowledgement ............................................ 25
+ 15. AuthorsË Addresses ......................................... 25
+
+
+
+1. Introduction
+
+ This document provides an overview of E.164 telephone number
+ portability in the Global Switched Telephone Network (GSTN). There
+ are considered to be three types of number portability (NP): service
+ provider portability (SPNP), location portability (not to be
+ confused with terminal mobility), and service portability.
+
+ Service provider portability (SPNP), the focus of the present draft,
+ is a regulatory imperative in many countries seeking to liberalize
+ telephony service competition, especially local service.
+ Historically, local telephony service (as compared to long distance
+ or international service) has been regulated as a utility-like form
+ of service. While a number of countries had begun liberalization
+ (e.g. privatization, de-regulation, or re-regulation) some years
+ ago, the advent of NP is relatively recent (since ~1995).
+
+ E.164 numbers can be non-geographic and geographic numbers. Non-
+ geographic numbers do not reveal the locations information of those
+ numbers. Geographic E.164 numbers were intentionally designed as
+ hierarchical routing addresses which could systematically be digit-
+ analyzed to ascertain the country, serving network provider, serving
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 2]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ end-office switch, and specific line of the called party. As such,
+ without NP a subscriber wishing to change service providers would
+ incur a number change as a consequence of being served off of a
+ different end-office switch operated by the new service provider.
+ The cost and convenience impact to the subscriber of changing
+ numbers is seen as barrier to competition. Hence NP has become
+ associated with GSTN infrastructure enhancements associated with a
+ competitive environment driven by regulatory directives.
+
+ Forms of SPNP have been deployed or are being deployed widely in the
+ GSTN in various parts of the world, including the U.S., Canada,
+ Western Europe, Australia, and the Pacific Rim (e.g. Hong Kong).
+ Other regions, such as South America (e.g. Brazil) are actively
+ considering it.
+
+ Implementation of NP within a national telephony infrastructure
+ entails potentially significant changes to numbering administration,
+ network element signaling, call routing and processing, billing,
+ service management, and other functions.
+
+ NP changes the fundamental nature of a dialed E.164 number from a
+ hierarchical physical routing address to a virtual address. NP
+ implementations attempt to encapsulate the impacts to the GSTN and
+ make NP transparent to subscribers by incorporating a translation
+ function to map a dialed, potentially ported E.164 address, into a
+ network routing address (either a number prefix or another E.164
+ address) which can be hierarchically routed.
+
+ This is roughly analogous to the use of network address translation
+ on IP addresses to enable IP address portability by containing the
+ impact of the address change to the edge of the network and retain
+ the use of CIDR blocks in the core which can be route aggregated by
+ the network service provider to the rest of the internet.
+
+ NP bifurcates the historical role of a subscriberËs E.164 address
+ into two or more data elements (a dialed or virtual address, and a
+ network routing address) that must be made available to network
+ elements through an NP translations database, carried by forward
+ call signaling, and recorded on call detail records. Not only is
+ call processing and routing affected, but also so is SS7/C7
+ messaging. A number of TCAP-based SS7 messaging sets utilize an
+ E.164 address as an application-level network element address in the
+ global title address (GTA) field of the SCCP message header.
+ Consequently, SS7/C7 signaling transfer points (STPs) and gateways
+ need to be able to perform n-digit global title translation (GTT) to
+ translate a dialed E.164 address into its network address
+ counterpart via the NP database.
+
+ In addition, there are various national regulatory constraints that
+ establish relevant parameters for NP implementation, most of which
+ are not network technology specific. Consequently, implementations
+ of NP behavior in IP telephony consistent with applicable regulatory
+ constraints, as well as the need for interoperation with the
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 3]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ existing GSTN NP implementations, are relevant topics for numerous
+ areas of IP telephony work-in-progress at IETF.
+
+ This document describes three types of number portability and the
+ four schemes that have been standardized to support SPNP for
+ geographic E.164 numbersspecifically. Following that, specific
+ information regarding the call routing and database query
+ implementations are described for several regions (North American
+ and Europe) and industries (wireless vs. wireline). The Number
+ Portability Database (NPDB) interfaces and the call routing schemes
+ that are used in the North America and Europe are described to show
+ the variety of standards that may be implemented worldwide. A
+ glance of the NP implementations worldwide is provided. Number
+ pooling is briefly discussed to show how NP is being enhanced in the
+ U.S. to conserve North American area codes. The conclusion briefly
+ touches the potential impacts of NP on IP & Telecommunications
+ Interoperability. Appendix A provides some specific technical and
+ regulatory information on NP in North America. Appendix B describes
+ the number portability administration process that manages the
+ number portability database in North America.
+
+
+2. Abbreviations and Acronyms
+
+ ACQ All Call Query
+ AIN Advanced Intelligent Network
+ AMPS Advanced Mobile Phone System
+ ANSI American National Standards Institute
+ CDMA Code Division Multiple Access
+ CdPA Called Party Address
+ CdPN Called Party Number
+ CH Code Holder
+ CMIP Common Management Information Protocol
+ CS1 Capability Set 1
+ CS2 Capability Set 2
+ DN Directory Number
+ DNS Domain Name System
+ ETSI European Technical Standards Institute
+ FCI Forward Call Indicator
+ GAP Generic Address Parameter
+ GMSC Gateway Mobile Services Switching Center or Gateway Mobile
+ Switching Center
+ GSM Global System for Mobile Communications
+ GSTN Global Switched Telephone Network
+ GW Gateways
+ HLR Home Location Register
+ IAM Initial Address Message
+ IETF Internet Engineering Task Force
+ ILNP Interim LNP
+ IN Intelligent Network
+ INAP Intelligent Network Application Part
+ INP Interim NP
+ IP Internet Protocol
+ IS-41 Interim Standards Number 41
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 4]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ ISDN Integrated Services Digital Network
+ ISUP ISDN User Part
+ ITN Individual Telephony Number
+ ITU International Telecommunication Union
+ ITU-TS ITU-Telecommunication Sector
+ LDAP Lightweight Directory Access Protocol
+ LEC Local Exchange Carrier
+ LERG Local Exchange Routing Guide
+ LNP Local Number Portability
+ LRN Location Routing Number
+ MAP Mobile Application Part
+ MNP Mobile Number Portability
+ MSRN Mobile Station Roaming Number
+ MTP Message Transfer Part
+ NANP North American Numbering Plan
+ NP Number Portability
+ NPDB Number Portability Database
+ NRN Network Routing Number
+ OR Onward Routing
+ OSS Operation Support System
+ PCS Personal Communication Services
+ PNTI Ported Number Translation Indicator
+ PODP Public Office Dialing Plan
+ PUC Public Utility Commission
+ QoR Query on Release
+ RN Routing Number
+ RTP Return to Pivot
+ SCCP Signaling Connection Control Part
+ SCP Service Control Point
+ SIP Session Initiation Protocol
+ SMR Special Mobile Radio
+ SMS Service Management System
+ SPNP Service Provider Number Portability
+ SRF Signaling Relaying Function
+ SRI Send Routing Information
+ SS7 Signaling System Number 7
+ STP Signaling Transfer Point
+ TCAP Transaction Capabilities Application Part
+ TDMA Time Division Multiple Access
+ TN Telephone Number
+ TRIP Telephony Routing Information Protocol
+ URL Universal Resource Locator
+ U.S. United States
+
+
+3. Types of Number Portability
+
+ As there are several types of E.164 numbers (telephone numbers, or
+ just TN) in the GSTN, there are correspondingly several types of
+ E.164 NP in the GSTN. First there are so-call non-geographic E.164
+ numbers, commonly used for service-specific applications such as
+ freephone (800 or 0800). Portability of these numbers is called
+ non-geographic number portability (NGNP). NGNP, for example, was
+ deployed in the U.S. in 1986-92.
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 5]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+
+ Geographic number portability, which includes traditional fixed or
+ wireline numbers as well as mobile numbers which are allocated out
+ of geographic number range prefixes, is called NP or GNP or in the
+ U.S. local number portability (LNP).
+
+ Number portability allows the telephony subscribers in the Global
+ Switched Telephone Network (GSTN) to keep their phone numbers when
+ they change their service providers or subscribed services, or when
+ they move to a new location.
+
+ The ability to change the service provider while keeping the same
+ phone number is called service provider portability (SPNP) also
+ known as "operator portability."
+
+ The ability to change the subscriberËs fixed service location while
+ keeping the same phone number is called location portability.
+
+ The ability to change the subscribed services (e.g., from the plain
+ old telephone service to Integrated Services Digital Network (ISDN)
+ services) while keeping the same phone number is called service
+ portability. Another aspect of service portability is to allow the
+ subscribers to enjoy the subscribed services in the same way when
+ they roam outside their home networks as is supported by the
+ cellular/wireless networks.
+
+ In addition, mobile number portability (MNP) refers to specific NP
+ implementation in mobile networks either as part of a broader NP
+ implementation in the GSTN or on a stand-alone basis. Where
+ interoperation of LNP and MNP is supported, service portability
+ between fixed and mobile service types is possible.
+
+ At present, SPNP has been the primary form of NP deployed due to its
+ relevance in enabling local service competition.
+
+ Also in use in the GSTN are the terms interim NP (INP) or Interim
+ LNP (ILNP) and true NP. Interim NP usually refers to the use of
+ remote call forwarding-like measures to forward calls to ported
+ numbers through the donor network to the new service network. These
+ are considered interim relative to true NP, which seeks to remove
+ the donor network or old service provider from the call or signaling
+ path altogether. Often the distinction between interim and true NP
+ is a national regulatory matter relative to the
+ technical/operational requirements imposed on NP in that country.
+
+ Implementations of true NP in certain countries (e.g. U.S., Canada,
+ Spain, Belgium, Denmark) may pose specific requirements for IP
+ telephony implementations as a result of regulatory and industry
+ requirements for providing call routing and signaling independent of
+ the donor network or last previous serving network.
+
+
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 6]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+
+4. Service Provider Number Portability Schemes
+
+ Four schemes can be used to support service provider portability and
+ are briefly described below. But first, some further terms are
+ introduced.
+
+ The donor network is the network that first assigned a telephone
+ number (e.g., TN +1-202-533-1234) to a subscriber, out of a number
+ range administratively (e.g., +1 202-533) assigned to it. The
+ current service provider (new SP) or new serving network is the
+ network that currently serves the ported number. The old serving
+ network (or old SP) is the network that previously served the ported
+ number before the number was ported to the new serving network.
+ Since a TN can port a number of times, the old SP is not necessarily
+ the same as the donor network, except for the first time the TN
+ ports away, or if the TN ports back into the donor network and away
+ again. While the new SP and old SP roles are transitory as a TN
+ ports around, the donor network is always the same for any
+ particular TN based on the service provider to whom the subtending
+ number range was administratively assigned. See the discussion
+ below on number pooling, as this enhancement to NP further
+ bifurcates the role of donor network into two (the number range or
+ code holder network, and the block holder network).
+
+ To simplify the illustration, all the transit networks are ignored,
+ the originating or donor network is the one that performs the
+ database queries or call redirection, and the dialed directory
+ number (TN) has been ported out of the donor network before.
+
+ It is assumed that the old serving network, the new serving network
+ and the donor network are different networks so as to show which
+ networks are involved in call handling and routing and database
+ queries in each of four schemes. Please note that the port of the
+ number (process of moving it from one network to another) happened
+ prior to the call setup and is not included in the call steps.
+ Information carried in the signaling messages to support each of the
+ four schemes is not discussed to simplify the explanation.
+
+
+4.1 All Call Query (ACQ)
+
+ Figure 1 shows the call steps for the ACQ scheme. Those call steps
+ are as follows:
+
+ (1) The Originating Network receives a call from the caller and
+ sends a query to a centrally administered Number Portability
+ Database (NPDB), a copy of which is usually resident on a
+ network element within its network or through a third party
+ provider.
+ (2) The NPDB returns the routing number associated with the dialed
+ directory number. The routing number is discussed later in
+ Section 6.
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 7]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ (3) The Originating Network uses the routing number to route the
+ call to the new serving network.
+
+
+ +-------------+ +-----------+ Number +-----------+
+ | Centralized | | New Serv. | ported | Old Serv. |
+ | NPDB | +-------->| Network |<------------| Network |
+ +-------------+ | +-----------+ +-----------+
+ ^ | |
+ | | |
+ 1| | 3.|
+ | | 2. |
+ | | |
+ | v |
+ +----------+ | +----------+ +----------+
+ | Orig. |------+ | Donor | | Internal |
+ | Network | | Network | | NPDB |
+ +----------+ +----------+ +----------+
+
+
+ Figure 1 - All Call Query (ACQ) Scheme.
+
+
+4.2 Query on Release (QoR)
+
+ Figure 2 shows the call steps for the QoR scheme. Those call steps
+ are as follows:
+
+
+ +-------------+ +-----------+ Number +-----------+
+ | Centralized | | New Serv. | ported | Old Serv. |
+ | NPDB | | Network |<------------| Network |
+ +-------------+ +-----------+ +-----------+
+ ^ | ^
+ | | 4. |
+ 3.| | 5. |
+ | | +----------------------+
+ | | |
+ | v |
+ +----------+ 2. +----------+ +----------+
+ | Orig. |<---------------| Donor | | Internal |
+ | Network |--------------->| Network | | NPDB |
+ +----------+ 1. +----------+ +----------+
+
+
+ Figure 2 - Query on Release (QoR) Scheme.
+
+ (1) The Originating Network receives a call from the caller and
+ routes the call to the donor network.
+ (2) The donor network releases the call and indicates that the
+ dialed directory number has been ported out of that switch.
+ (3) The Originating Network sends a query to its copy of the
+ centrally administered NPDB.
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 8]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ (4) The NPDB returns the routing number associated with the dialed
+ directory number.
+ (5) The Originating Network uses the routing number to route the
+ call to the new serving network.
+
+
+4.3 Call Dropback
+
+ Figure 3 shows the call steps for the Dropback scheme. This scheme
+ is also known as "Return to Pivot (RTP)." Those call steps are as
+ follows:
+
+ (1) The Originating Network receives a call from the caller and
+ routes the call to the donor network.
+ (2) The donor network detects that the dialed directory number has
+ been ported out of the donor switch and checks with an internal
+ network-specific NPDB.
+ (3) The internal NPDB returns the routing number associated with the
+ dialed directory number.
+ (4) The donor network releases the call by providing the routing
+ number.
+ (5) The Originating Network uses the routing number to route the
+ call to the new serving network.
+
+ +-------------+ +-----------+ Number +-----------+
+ | Centralized | | New Serv. | porting | Old Serv. |
+ | NPDB | | Network |<------------| Network |
+ +-------------+ +-----------+ +-----------+
+ /\
+ |
+ 5. |
+ +------------------------+
+ |
+ |
+ +----------+ 4. +----------+ 3. +----------+
+ | Orig. |<---------------| Donor |<----------| Internal |
+ | Network |--------------->| Network |---------->| NPDB |
+ +----------+ 1. +----------+ 2. +----------+
+
+
+ Figure 3 - Dropback Scheme.
+
+
+4.4 Onward Routing (OR)
+
+ Figure 4 shows the call steps for the OR scheme. Those call steps
+ are as follows:
+
+ (1) The Originating Network receives a call from the caller and
+ routes the call to the donor network.
+ (2) The donor network detects that the dialed directory number has
+ been ported out of the donor switch and checks with an internal
+ network-specific NPDB.
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 9]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ (3) The internal NPDB returns the routing number associated with the
+ dialed directory number.
+ (4) The donor network uses the routing number to route the call to
+ the new serving network.
+
+
+ +-------------+ +-----------+ Number +-----------+
+ | Centralized | | New Serv. | porting | Old Serv. |
+ | NPDB | | Network |<------------| Network |
+ +-------------+ +-----------+ +-----------+
+ /\
+ |
+ 4.|
+ |
+ +----------+ +----------+ 3. +----------+
+ | Orig. | | Donor |<----------| Internal |
+ | Network |--------------->| Network |---------->| NPDB |
+ +----------+ 1. +----------+ 2. +----------+
+
+
+ Figure 4 - Onward Routing (OR) Scheme.
+
+4.5 Comparisons of the Four Schemes
+
+ Only the ACQ scheme does not involve the donor network when routing
+ the call to the new serving network of the dialed ported number.
+ The other three schemes involve call setup to or signaling with the
+ donor network.
+
+ Only the OR scheme requires the setup of two physical call segments,
+ one from the Originating Network to the donor network and the other
+ from the donor network to the new serving network. The OR scheme is
+ the least efficient in terms of using the network transmission
+ facilities. The QoR and Dropback schemes set up calls to the donor
+ network first but release the call back to the Originating Network
+ that then initiates a new call to the Current Serving Network. For
+ the QoR and Dropback schemes, circuits are still reserved one by one
+ between the Originating Network and the donor network when the
+ Originating Network sets up the call towards the donor network.
+ Those circuits are released one by one when the call is released
+ from the donor network back to the Originating Network. The ACQ
+ scheme is the most efficient in terms of using the switching and
+ transmission facilities for the call.
+
+ Both the ACQ and QoR schemes involve Centralized NPDBs for the
+ Originating Network to retrieve the routing information.
+ Centralized NPDB means that the NPDB contains ported number
+ information from multiple networks. This is in contrast to the
+ internal network-specific NPDB that is used for the Dropback and OR
+ schemes. The internal NPDB only contains information about the
+ numbers that were ported out of the donor network. The internal
+ NPDB can be a stand-alone database that contains information about
+ all or some ported-out numbers from the donor network. It can also
+ reside on the donor switch and only contains information about those
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 10]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ numbers ported out of the donor switch. In that case, no query to a
+ stand-alone internal NPDB is required. The donor switch for a
+ particular phone number is the switch to which the number range is
+ assigned from which that phone number was originally assigned.
+
+ For example, number ranges in the North American Numbering Plan
+ (NANP) are usually assigned in the form of central office codes (CO
+ codes) comprising a six-digit prefix formatted as a NPA+NXX. Thus a
+ switch serving +1-202-533 would typically serve +1-202-533-0000
+ through +1-202-533-9999. In major cities, switches usually host
+ several CO codes. NPA stands for Numbering Plan Area that is also
+ known as the area code. It is three-digit long and has the format
+ of NXX where N is any digit from 2 to 9 and X is any digit from 0 to
+ 9. NXX in the NPA+NXX format is known as the office code that has
+ the same format as the NPA. When a NPA+NXX code is set as
+ Ÿportable÷ in the Local Exchange Routing Guide (LERG), it becomes a
+ "portable NPA+NXX" code.
+
+ Similarly, in other national E.164 numbering plans, number ranges
+ cover a contiguous range of numbers within that range. Once a
+ number within that range has ported away from the donor network, all
+ numbers in that range are considered potentially ported and should
+ be queried in the NPDB.
+
+ The ACQ scheme has two versions. One version is for the Originating
+ Network to always query the NPDB when a call is received from the
+ caller regardless whether the dialed directory number belongs to any
+ number range that is portable or has at least one number ported out.
+ The other version is to check whether the dialed directory number
+ belongs to any number range that is portable or has at least one
+ number ported out. If yes, an NPDB query is sent. If not, no NPDB
+ query is sent. The former performs better when there are many
+ portable number ranges. The latter performs better when there are
+ not too many portable number ranges at the expense of checking every
+ call to see whether NPDB query is needed. The latter ACQ scheme is
+ similar to the QoR scheme except that the QoR scheme uses call setup
+ and relies on the donor network to indicate "number ported out"
+ before launching the NPDB query.
+
+
+5. Database Queries in the NP Environment
+
+ As indicated earlier, the ACQ and QoR schemes require that a switch
+ query the NPDB for routing information. Various standards have been
+ defined for the switch-to-NPDB interface. Those interfaces with
+ their protocol stacks are briefly described below. The term "NPDB"
+ is used for a stand-alone database that may support just one or some
+ or all of the interfaces mentioned below. The NPDB query contains
+ the dialed directory number and the NPDB response contains the
+ routing number. There are certainly other information that is sent
+ in the query and response. The primary interest is to get the
+ routing number from the NPDB to the switch for call routing.
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 11]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+5.1 U.S. and Canada
+
+ One of the following five NPDB interfaces can be used to query an
+ NPDB:
+
+ (a) Advanced Intelligent Network (AIN) using the American National
+ Standards Institute (ANSI) version of the Intelligent Network
+ Application Part (INAP) [ANSI SS] [ANSI DB]. The INAP is
+ carried on top of the protocol stack that includes the (ANSI)
+ Message Transfer Part (MTP) Levels 1 through 3, ANSI Signaling
+ Connection Control Part (SCCP), and ANSI Transaction
+ Capabilities Application Part (TCAP). This interface can be
+ used by the wireline or wireless switches, is specific to the NP
+ implementation in North America, and is modeled on the Public
+ Office Dialing Plan (PODP) trigger defined in the Advanced
+ Intelligent Network (AIN) 0.1 call model.
+
+ (b) Intelligent Network (IN), which is similar to the one used for
+ querying the 800 databases. The IN protocol is carried on top
+ of the protocol stack that includes the ANSI MTP Levels 1
+ through 3, ANSI SCCP, and ANSI TCAP. This interface can be used
+ by the wireline or wireless switches.
+
+ (c) ANSI IS-41 [IS41] [ISNP], which is carried on top of the
+ protocol stack that includes the ANSI MTP Levels 1 through 3,
+ ANSI SCCP, and ANSI TCAP. This interface can be used by the IS-
+ 41 based cellular/Personal Communication Services (PCS) wireless
+ switches (e.g., AMPS, TDMA and CDMA). Cellular systems use
+ spectrum at 800 MHz range and PCS systems use spectrum at 1900
+ MHz range.
+
+ (d) Global System for Mobile Communication Mobile Application Part
+ (GSM MAP) [GSM], which is carried on top of the protocol stack
+ that includes the ANSI MTP Levels 1 through 3, ANSI SCCP, and
+ International Telecommunication Union - Telecommunication Sector
+ (ITU-TS) TCAP. It can be used by the PCS1900 wireless switches
+ that are based on the GSM technologies. GSM is a series of
+ wireless standards defined by the European Telecommunications
+ Standards Institute (ETSI).
+
+ (e) ISUP triggerless translation. NP translations are performed
+ transparently to the switching network by the signaling network
+ (e.g. Signaling Transfer Points (STPs) or signaling gateways).
+ ISUP IAM messages are examined to determine if the CdPN field
+ has already been translated, and if not, an NPDB query is
+ performed, and the appropriate parameters in the IAM message
+ modified to reflect the results of the translation. The
+ modified IAM message is forwarded by the signaling node on to
+ the designated DPC in a transparent manner to continue call
+ setup. The NPDB can be integrated with the signaling node or be
+ accessed via an API locally or by a query to a remote NPDB using
+ a proprietary protocol or the schemes described above.
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 12]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ Wireline switches have the choice of using either (a), (b), or (e).
+ IS-41 based wireless switches have the choice of using (a), (b),
+ (c), or (e). PCS1900 wireless switches have the choice of using
+ (a), (b), (d), or (e). In the United States, service provider
+ portability will be supported by both the wireline and wireless
+ systems, not only within the wireline or wireless domain but also
+ across the wireline/wireless boundary. However, this is not true in
+ Europe where service provider portability is usually supported only
+ within the wireline or wireless domain, not across the
+ wireline/wireless boundary due to explicit use of service-specific
+ number range prefixes. The reason is to avoid caller confusion
+ about the call charge. GSM systems in Europe are assigned
+ distinctive destination network codes, and the caller pays a higher
+ charge when calling a GSM directory number.
+
+
+5.2 Europe
+
+ One of the following two interfaces can be used to query an NPDB:
+
+ (a) Capability Set 1 (CS1) of the ITU-TS INAP [CS1], which is
+ carried on top of the protocol stack that includes the ITU-TS
+ MTP Levels 1 through 3, ITU-TS SCCP, and ITU-TS TCAP.
+
+ (b) Capability Set 2 (CS2) of the ITU-TS INAP [CS2], which is
+ carried on top of the protocol stack that includes the ITU-TS
+ MTP Levels 1 through ITU-TS MTP Levels 1 through 3, ITU-TS SCCP,
+ and ITU-TS TCAP.
+
+ Wireline switches have the choice of using either (a) or (b);
+ however, all the implementations in Europe so far are based on CS1.
+ As indicated earlier that number portability in Europe does not go
+ across the wireline/wireless boundary. The wireless switches can
+ also use (a) or (b) to query the NPDBs if those NPDBs contains
+ ported wireless directory numbers. The term "Mobile Number
+ Portability (MNP)" is used for the support of service provider
+ portability by the GSM networks in Europe.
+
+ In most, if not all, cases in Europe, the calls to the wireless
+ directory numbers are routed to the wireless donor network first.
+ Over there, an internal NPDB is queried to determine whether the
+ dialed wireless directory number has been ported out or not. In
+ this case, the interface to the internal NPDB is not subject to
+ standardization.
+
+ MNP in Europe can also be supported via MNP Signaling Relay Function
+ (MNP-SRF). Again, an internal NPDB or a database integrated at the
+ MNP-SRF is used to modify the SCCP Called Party Address parameter in
+ the GSM MAP messages so that they can be re-directed to the wireless
+ serving network. Call routing involving MNP will be explained in
+ Section 6.2.
+
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 13]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+6. Call Routing in the NP Environment
+
+ This section discusses the call routing after the routing
+ information has been retrieved either through an NPDB query or an
+ internal database lookup at the donor switch, or from the Integrated
+ Services Digital Network User Part (ISUP) signaling message (e.g.,
+ for the Dropback scheme). For the ACQ, QoR and Dropback schemes, it
+ is the Originating Network that has the routing information and is
+ ready to route the call. For the OR scheme, it is the donor network
+ that has the routing information and is ready to route the call.
+
+ A number of triggering schemes may be employed that determine where
+ in the call path the NPDB query is performed. In the U.S. an ŸN-1÷
+ policy is used, which essentially says that for domestic calls, the
+ originating local carriers performs the query, otherwise, the long
+ distance carrier is expected to. To ensure independence of the
+ actual trigger policy employed in any one carrier, forward call
+ signaling is used to flag that an NPDB query has already been
+ performed and to therefore suppress any subsequent NP triggers that
+ may be encountered in downstream switches, in downstream networks.
+ This allows the earliest able network in the call path to perform
+ the query without introducing additional costs and call setup delays
+ were redundant queries performed downstream.
+
+
+6.1 U.S. and Canada
+
+ In the U.S. and Canada, a ten-digit North American Numbering Plan
+ (NANP) number called Location Routing Number (LRN) is assigned to
+ every switch involved in NP. In the NANP, a switch is not reachable
+ unless it has a unique number range (CO code) assigned to it.
+ Consequently, the LRN for a switch is always assigned out of a CO
+ code that is assigned to that switch.
+
+ The LRN assigned to a switch currently serving a particular ported
+ telephone number is returned as the network routing address in the
+ NPDB response. The service portability scheme that was adopted in
+ the North America is very often referred to as the LRN scheme or
+ method.
+
+ LRN serves as a network address for terminating calls served off
+ that switch using ported numbers. The LRN is assigned by the switch
+ operator using any of the unique CO codes (NPA+NXX) assigned to that
+ switch. The LRN is considered a non-dialable address, as the same
+ 10-digit number value may be assigned to a line on that switch. A
+ switch may have more than one LRN.
+
+ During call routing/processing, a switch performs an NPDB query to
+ obtain the LRN associated with the dialed directory number. NPDB
+ queries are performed for all the dialed directory numbers whose
+ NPA+NXX codes are marked as portable NPA+NXX at that switch. When
+ formulating the ISUP Initial Address Message (IAM) to be sent to the
+ next switch, the switch puts the ten-digit LRN in the ISUP Called
+ Party Number (CdPN) parameter and the originally dialed directory
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 14]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ number in the ISUP Generic Address parameter (GAP). A new code in
+ the GAP was defined to indicate that the address information in the
+ GAP is the dialed directory number. A new bit in the ISUP Forward
+ Call Indicator (FCI) parameter, the Ported Number Translation
+ Indicator (PNTI) bit, is set to imply that NPDB query has already
+ been performed. All the switches in the downstream will not perform
+ the NPDB query if the PNTI bit is set.
+
+ When the terminating switch receives the IAM and sees the PNTI bit
+ in the FCI parameter set and its own LRN in the CdPN parameter, it
+ retrieves the originally dialed directory number from the GAP and
+ uses the dialed directory number to terminate the call.
+
+ A dialed directory number with a portable NPA+NXX does not imply
+ that directory number has been ported. The NPDBs currently do not
+ store records for non-ported directory numbers. In that case, the
+ NPDB will return the same dialed directory number instead of the
+ LRN. The switch will then set the PNTI bit but keep the dialed
+ directory number in the CdPN parameter.
+
+ In the real world environment, the Originating Network is not always
+ the one that performs the NPDB query. For example, it is usually
+ the long distance carriers that query the NPDBs for long distance
+ calls. In that case, the Originating Network operated by the local
+ exchange carrier (LEC) simply routes the call to the long distance
+ carrier that is to handle that call. A wireless network acting as
+ the Originating Network can also route the call to the
+ interconnected local exchange carrier network if it does not want to
+ support the NPDB interface at its mobile switches.
+
+
+6.2 Europe
+
+ In some European countries, a routing number is prefixed to the
+ dialed directory number. The ISUP CdPN parameter in the IAM will
+ contain the routing prefix and the dialed directory number. For
+ example, United Kingdom uses routing prefixes with the format of
+ 5XXXXX and Italy uses C600XXXXX as the routing prefix. The networks
+ use the information in the ISUP CdPN parameter to route the call to
+ the New/Current Serving Network.
+
+ The routing prefix can identify the Current Serving Network or the
+ Current Serving Switch of a ported number. For the former case,
+ another query to the "internal" NPDB at the Current Serving Network
+ is required to identify the Current Serving Switch before routing
+ the call to that switch. This shields the Current Serving Switch
+ information for a ported number from the other networks at the
+ expense of an additional NPDB query. Another routing number, may be
+ meaningful within the Current Serving Network, will replace the
+ previously prefixed routing number in the ISUP CdPN parameter. For
+ the latter case, the call is routed to the Current Serving Switch
+ without an additional NPDB query.
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 15]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ When the terminating switch receives the IAM and sees its own
+ routing prefix in the CdPN parameter, it retrieves the originally
+ dialed directory number after the routing prefix, and uses the
+ dialed directory number to terminate the call.
+
+ The call routing example described above shows one of the three
+ methods that can be used to transport the Directory Number (DN) and
+ the Routing Number (RN) in the ISUP IAM message. In addition, some
+ other information may be added/modified as is listed in the ETSI 302
+ 097 document [ETSIISUP], which is based on the ITU-T Recommendation
+ Q.769.1 [ITUISUP]. The three methods and the enhancements in the
+ ISUP to support number portability are briefly described below
+
+ (a) Two separate parameters with the CdPN parameter containing the
+ RN and a new Called Directory Number (CdDN) parameter containing
+ the DN. A new value for the Nature of Address (NOA) indicator in
+ the CdPN parameter is defined to indicate that the RN is in the
+ CdPN parameter. The switches use the CdPN parameter to route the
+ call as is done today.
+
+ (b) Two separate parameters with the CdPN parameter containing the
+ DN and a new Network Routing Number (NRN) parameter containing
+ the RN. This method requires that the switches use the NRN
+ parameter to route the call.
+
+ (c) Concatenated parameter with the CdPN parameter containing the RN
+ plus the DN. A new Nature of Address (NOA) indicator in the CdPN
+ parameter is defined to indicate that the RN is concatenated with
+ the DN in the CdPN parameter. Some countries may not use new NOA
+ value because the routing prefix does not overlap with the dialed
+ directory numbers. But if the routing prefix overlaps with the
+ dialed directory numbers, a new NOA value must be assigned. For
+ example, Spain uses "XXXXXX" as the routing prefix to identify
+ the new serving network and uses a new NOA value of 126.
+
+ There is also a network option to add a new ISUP parameter called
+ Number Portability Forwarding Information parameter. This parameter
+ has a four-bit Number Portability Status Indicator field that can
+ provide an indication whether number portability query is done for
+ the called directory number and whether the called directory number
+ is ported or not if the number portability query is done.
+
+ Please note that all those NP enhancements for a ported number can
+ only be used in the country that defined them. This is because
+ number portability is supported within a nation. Within each
+ nation, the telecommunications industry or the regulatory bodies can
+ decide which method or methods to use. Number portability related
+ parameters and coding are usually not passed across the national
+ boundaries unless the interconnection agreements allow that. For
+ example, a UK routing prefix can only be used in UK, and would cause
+ routing problem if it appears outside UK.
+
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 16]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ As indicated earlier, an originating wireless network can query the
+ NPDB and concatenate the RN with DN in the CdPN parameter and route
+ the call directly to the Current Serving Network.
+
+ If NPDBs do not contain information about the wireless directory
+ numbers, the call, originated from either a wireline or a wireless
+ network, will be routed to the Wireless donor network. Over there,
+ an internal NPDB is queried to retrieve the RN that then is
+ concatenated with the DN in the CdPN parameter.
+
+ There are several ways of realizing MNP. When MNP-SRF is supported,
+ the Gateway Mobile Services Switching Center (GMSC) at the wireless
+ donor network, when receiving a call from the wireline network, can
+ send the GSM MAP Send Routing Information (SRI) message to the MNP-
+ SRF. The MNP-SRF interrogates an internal or integrated NPDB for
+ the RN of the MNP-SRF of the wireless Current Serving Network and
+ prefixes the RN to the dialed wireless directory number in the
+ global title address information in the SCCP Called Party Address
+ (CdPA) parameter. This SRI message will be routed to the MNP-SRF of
+ the wireless Current Serving Network, which then responds with an
+ acknowledgement by providing the RN plus the dialed wireless
+ directory number as the Mobile Station Roaming Number (MSRN). The
+ GMSC of the wireless donor network formulates the ISUP IAM with the
+ RN plus the dialed wireless directory number in the CdPN parameter
+ and routes the call to the wireless Current Serving Network. A GMSC
+ of the wireless Current Serving Network receives the call and sends
+ an SRI message to the associated MNP-SRF where the global title
+ address information of the SCCP CdPA parameter contains only the
+ dialed wireless directory number. The MNP-SRF then replaces the
+ global title address information in the SCCP CdPA parameter with the
+ address information associated with a Home Location Register (HLR)
+ that hosts the dialed wireless directory number and forwards the
+ message to that HLR after verifying that the dialed wireless
+ directory number is a ported-in number. The HLR then returns an
+ acknowledgement by providing an MSRN for the GMSC to route the call
+ to the MSC that currently serves the mobile station that is
+ associated with the dialed wireless directory number. Please see
+ [MNP] for details and additional scenarios.
+
+
+7. NP Implementations for Geographic E.164 Numbers
+
+ This section shows the known SPNP implementations worldwide.
+
+ +-------------+----------------------------------------------------+
+ + Country + SPNP Implementation +
+ +-------------+----------------------------------------------------+
+ + Argentina + Analyzing operative viability now. Will determine +
+ + + whether portability should be made obligatory +
+ + + after a technical solution has been determined. +
+ +-------------+----------------------------------------------------+
+ + Australia + NP supported by wireline operators since 11/30/99. +
+ + + NP among wireless operators in March/April 2000, +
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 17]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ + + but may be delayed to 1Q01. The access provider +
+ + + or long distance provider has the obligation to +
+ + + route the call to the correct destination. The +
+ + + donor network is obligated to maintain and make +
+ + + available a register of numbers ported away from +
+ + + its network. Telstra uses onward routing via an +
+ + + on-switch solution. +
+ +-------------+----------------------------------------------------+
+ + Austria + Uses onward routing at the donor network. Routing +
+ + + prefix is "86xx" where "xx" identifies the +
+ + + recipient network. +
+ +-------------+----------------------------------------------------+
+ + Belgium + ACQ selected by the industry. Routing prefix is +
+ + + "Cxxxx" where "xxxx" identifies the recipient +
+ + + switch. Another routing prefix is "C00xx" with "xx"+
+ + + identifying the recipient network. Plan to use NOA+
+ + + to identify concatenated numbers and abandon the +
+ + + hexadecimal routing prefix. +
+ +-------------+----------------------------------------------------+
+ + Brazil + Considering NP for wireless users. +
+ +-------------+----------------------------------------------------+
+ + Chile + There has been discussions lately on NP. +
+ +-------------+----------------------------------------------------+
+ + Colombia + There was an Article 3.1 on NP to support NP prior +
+ + + to December 31, 1999 when NP became technically +
+ + + possible. Regulator has not yet issued regulations +
+ + + concerning this matter. +
+ +-------------+----------------------------------------------------+
+ + Denmark + Uses ACQ. Routing number not passed between +
+ + + operators; however, NOA is set to "112" to +
+ + + indicate "ported number." QoR can be used based +
+ + + on bilateral agreements. +
+ +-------------+----------------------------------------------------+
+ + Finland + Uses ACQ. Routing prefix is "1Dxxy" where "xxy" +
+ + + identifies the recipient network and service type. +
+ +-------------+----------------------------------------------------+
+ + France + Uses onward routing. Routing prefix is "Z0xxx" +
+ + + where "xxx" identifies the recipient switch. +
+ +-------------+----------------------------------------------------+
+ + Germany + The originating network needs to do necessary +
+ + + rerouting. Operators decide their own solution(s).+
+ + + Deutsche Telekom uses ACQ. Routing prefix is +
+ + + "Dxxx" where "xxx" identifies the recipient +
+ + + network. +
+ +-------------+----------------------------------------------------+
+ + Hong Kong + Recipient network informs other networks about +
+ + + ported-in numbers. Routing prefix is "14x" where +
+ + + "14x" identifies the recipient network, or a +
+ + + routing number of "4x" plus 7 or 8 digits is used +
+ + + where "4x" identifies the recipient network and +
+ + + the rest of digits identify the called party. +
+ +-------------+----------------------------------------------------+
+ + Ireland + Operators choose their own solution but use onward +
+ + + routing now. Routing prefix is "1750" as the intra-+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 18]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ + + network routing code (network-specific) and +
+ + + "1752xxx" to "1759xxx" for GNP where "xxx" +
+ + + identifies the recipient switch. +
+ +-------------+----------------------------------------------------+
+ + Italy + Uses onward routing. Routing prefix is "C600xxxxx" +
+ + + where "xxxxx" identifies the recipient switch. +
+ + + Telecom Italia uses IN solution and other operators+
+ + + use on-switch solution. +
+ +-------------+----------------------------------------------------+
+ + Japan + Uses onward routing. Donor switch uses IN to get +
+ + + routing number. +
+ +-------------+----------------------------------------------------+
+ + Mexico + NP is considered in the Telecom law; however, the +
+ + + regulator (Cofetel) or the new local entrants have +
+ + + started no initiatives on this process. +
+ +-------------+----------------------------------------------------+
+ + Netherlands + Operators decide NP scheme to use. Operators have +
+ + + chosen ACQ or QoR. KPN implemented IN solution +
+ + + similar to U.S. solution. Routing prefix is not +
+ + + passed between operators. +
+ +-------------+----------------------------------------------------+
+ + Norway + OR for short-term and ACQ for long-term. QoR is +
+ + + optional. Routing prefix can be "xxx" with NOA=8, +
+ + + or "142xx" with NOA=3 where "xxx" or "xx" +
+ + + identifies the recipient network. +
+ +------------ +----------------------------------------------------+
+ + Peru + Wireline NP may be supported in 2001. +
+ +-------------+----------------------------------------------------+
+ + Portugal + No NP today. +
+ +-------------+----------------------------------------------------+
+ + Spain + Uses ACQ. Telefonica uses QoR within its network. +
+ + + Routing prefix is "xxyyzz" where "xxyyzz" +
+ + + identifies the recipient network. NOA is set to +
+ + + 126. +
+ +-------------+----------------------------------------------------+
+ + Sweden + Standardized the ACQ but OR for operators without +
+ + + IN. Routing prefix is "xxx" with NOA=8 or "394xxx" +
+ + + with NOA=3 where "xxx" identifies the recipient +
+ + + network. But operators decide NP scheme to use. +
+ + + Telia uses onward routing between operators. +
+ +-------------+----------------------------------------------------+
+ + Switzerland + Uses OR now and QoR in 2001. Routing prefix is +
+ + + "980xxx" where "xxx" identifies the recipient +
+ + + network. +
+ +-------------+----------------------------------------------------+
+ + UK + Uses onward routing. Routing prefix is "5xxxxx" +
+ + + where "xxxxx" identifies the recipient switch. NOA +
+ + + is 126. BT uses the dropback scheme in some parts +
+ + + of its network. +
+ +-------------+----------------------------------------------------+
+ + US + Uses ACQ. "Location Routing Number (LRN)" is used +
+ + + in the Called Party Number parameter. Called party+
+ + + number is carried in the Generic Address Parameter +
+ + + Use a PNTI indicator in the Forward Call Indicator +
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 19]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ + + parameter to indicate that NPDB dip has been +
+ + + performed. +
+ +-------------+----------------------------------------------------+
+
+
+8. Number Conservation Methods Enabled by NP
+
+ In addition to porting numbers NP provides the ability for number
+ administrators to assign numbering resources to operators in smaller
+ increments. Today it is common for numbering resources to be
+ assigned to telephone operators in a large block of consecutive
+ telephone numbers (TNs). For example, in North America each of
+ these blocks contains 10,000 TNs and is of the format NXX+0000 to
+ NXX+9999. Operators are assigned a specific NXX, or block. That
+ operator is referred to as the block holder. In that block there
+ are 10,000 TNs with line numbers ranging from 0000 to 9999.
+
+ Instead of assigning an entire block to the operator NP allows the
+ administrator to assign a sub-block or even an individual telephone
+ number. This is referred to as block pooling and individual
+ telephone number (ITN) pooling, respectively.
+
+
+8.1 Block Pooling
+
+ Block Pooling refers to the process whereby the number administrator
+ assigns a range of numbers defined by a logical sub-block of the
+ existing block. Using North America as an example, block pooling
+ would allow the administrator to assign sub-blocks of 1,000 TNs to
+ multiple operators. That is, NXX+0000 to NXX+0999 can be assigned
+ to operator A, NXX+1000 to NXX+1999 can be assigned to operator B,
+ NXX-2000 to 2999 can be assigned to operator C, etc. In this
+ example block pooling divides one block of 10,000 TNs into ten
+ blocks of 1,000 TNs.
+
+ Porting the sub-blocks from the block holder enables block pooling.
+ Using the example above operator A is the block holder, as well as,
+ the holder of the first sub-block, NXX+0000 to NXX+0999. The second
+ sub-block, NXX+1000 to NXX+1999, is ported from operator A to
+ operator B. The third sub-block, NXX+2000 to NXX+2999, is ported
+ from operator A to operator C, and so on. NP administrative
+ processes and call processing will enable proper and efficient
+ routing.
+
+ From a number administration and NP administration perspective block
+ pooling introduces a new concept, that of the sub-block holder.
+ Block pooling requires coordination between the number
+ administrator, the NP administrator, the block holder, and the sub-
+ block holder. Block pooling must be implemented in a manner that
+ allows for NP within the sub-blocks. Each TN can have a different
+ serving operator, sub-block holder, and block holder.
+
+
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 20]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+8.2 ITN Pooling
+
+ ITN pooling refers to the process whereby the number administrator
+ assigns individual telephone numbers to operators. Using the North
+ American example, one block of 10,000 TNs can be divided into 10,000
+ ITNs. ITN is more commonly deployed in freephone services.
+
+ In ITN the block is not assigned to an operator but to a central
+ administrator. The administrator then assigns ITNs to operators.
+ NP administrative processes and call processing will enable proper
+ and efficient routing.
+
+
+9. Potential Implications
+
+ There are three general areas of impact to IP telephony work-in-
+ progress at IETF:
+
+ - Interoperation between NP in GSTN and IP telephony
+ - NP implementation or emulation in IP telephony
+ - Interconnection to NP administrative environment
+
+ A good understanding of how number portability is supported in the
+ GSTN is important when addressing the interworking issues between
+ IP-based networks and the GSTN. This is especially important when
+ the IP-based network needs to route the calls to the GSTN. As shown
+ in Section 5, there are a variety of standards with various protocol
+ stacks for the switch-to-NPDB interface. Not only that, the
+ national variations of the protocol standards make it very
+ complicated to deal with in a global environment. If an entity in
+ the IP-based network needs to query those existing NPDBs for routing
+ number information to terminate the calls to the destination GSTN,
+ it would be impractical, if not an impossible, job for that entity
+ to support all those interface standards to access the NPDBs in many
+ countries.
+
+ Several alternatives may address this particular problem. One
+ alternative is to use certain entities in the IP-based networks for
+ dealing with NP query, similar to the International Switches that
+ are used in the GSTN to interwork different national ISUP
+ variations. This will force signaling information associated with
+ the calls to certain NP-capable networks in the terminating GSTN to
+ be routed to those IP entities that support the NP functions. Those
+ IP entities then query the NPDBs in the terminating country. This
+ will limit the number of NPDB interfaces that certain IP entities
+ need to support. Another alternative can be to define a "common"
+ interface to be supported by all the NPDBs so that all the IP
+ entities use that standardized protocol to query them. The
+ existing NPDBs can support this additional interface, or new NPDBs
+ can be deployed that contain the same information but support the
+ common IP interface. The candidates for such a common interface
+ include Lightweight Directory Access Protocol (LDAP) and SIP
+ [SIP](e.g., using the SIP redirection capability). Certainly
+
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 21]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ another possibility is to use interworking function to convert from
+ one protocol to another.
+
+ IP-based networks can handle the domestic calls between two GSTNs.
+ If the originating GSTN has performed NPDB query, SIP will need to
+ transport and make use of some of the ISUP signaling information
+ even if ISUP signaling may be encapsulated in SIP. Also, IP-based
+ networks may perform the NPDB queries, as the N-1 carrier. In that
+ case, SIP also needs to transport the NP related information while
+ the call is being routed to the destination GSTN. There are three
+ pieces of NP related information that SIP needs to transport. They
+ are 1) the called directory number, 2) a routing number, and 3) a
+ NPDB dip indicator. The NPDB dip indicator is needed so that the
+ terminating GSTN will not perform another NPDB dip. The routing
+ number is needed so that it is used to route the call to the
+ destination network or switch in the destination GSTN. The called
+ directory number is needed so that the terminating GSTN switch can
+ terminate the call. When the routing number is present, the NPDB
+ dip indicator may not be present because there are cases where
+ routing number is added for routing the call even if NP is not
+ involved. One issue is how to transport the NP related information
+ via SIP. The SIP Universal Resource Locator (URL) is one mechanism.
+ Another better choice may be to add an extension to the "tel" URL
+ [TEL] that is also supported by SIP. Please see [TELNP] for the
+ proposed extensions to the "tel" URL to support NP and freephone
+ service. Those extensions to the "tel" URL will be automatically
+ supported by SIP because they can be carried as the optional
+ parameters in the user portion of the "sip" URL.
+
+ For a called directory number that belongs to a country that
+ supports NP, and if the IP-based network is to perform the NPDB
+ query, the logical step is to perform the NPDB dip first to retrieve
+ the routing number and use that routing number to select the correct
+ IP telephony gateways that can reach the serving switch that serves
+ the called directory number. Therefore, if the "rn" parameter is
+ present in the "tel" URL or sip URL in the SIP INVITE message, it
+ instead of the called directory number should be used for making
+ routing decisions assuming that no other higher priority routing-
+ related parameters such as the Ÿcic÷ are present. If "rn" is not
+ present, then the dialed directory number can be used as the routing
+ number for making routing decisions.
+
+ Telephony Routing Information Protocol (TRIP) [TRIP] is a policy
+ driven inter-administrative domain protocol for advertising the
+ reachability of telephony destinations between location servers, and
+ for advertising attributes of the routes to those destinations.
+ With the NP in mind, it is very important to know that it is the
+ routing number, if present, not the called directory number that
+ should be used to check against the TRIP tables for making the
+ routing decisions.
+
+ Overlap signaling exists in the GSTN today. For a call routing from
+ the originating GSTN to the IP-based network that involves overlap
+ signaling, NP will impact the call processing within the IP-based
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 22]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ networks if they must deal with the overlap signaling. The entities
+ in the IP-based networks that are to retrieve the NP information
+ (e.g., the routing number) must collect a complete called directory
+ number information before retrieving the NP information for a ported
+ number. Otherwise, the information retrieval won't be successful.
+ This is an issue for the IP-based networks if the originating GSTN
+ does not handle the overlap signaling by collecting the complete
+ called directory number.
+
+ The IETF enum working group is defining the use of Domain Name
+ System (DNS) for identifying available services associated with a
+ particular E.164 number [ENUM]. [ENUMPO] outlines the principles
+ for the operation of a telephone number service that resolves
+ telephone numbers into Internet domain name addresses and service-
+ specific directory discovery. [ENUMPO] implements a three-level
+ approach where the first level is the mapping of the telephone
+ number delegation tree to the authority to which the number has been
+ delegated, the second level is the provision of the requested DNS
+ resource records from a service registrar, and the third level is
+ the provision of service specific data from the service provider
+ itself. NP certainly must be considered at the first level because
+ the telephony service providers do not "own" or control the
+ telephone numbers under the NP environment; therefore, they may not
+ be the proper entities to have the authority for a given E.164
+ number. Not only that, there is a regulatory requirement on NP in
+ some countries that the donor network should not be relied on to
+ reach the delegated authority during the DNS process . The
+ delegated authority for a given E.164 number is likely to be an
+ entity designated by the end user that owns/controls a specific
+ telephone number or one that is designated by the service registrar.
+
+ Since the telephony service providers may have the need to use ENUM
+ for their network-related services (e.g., map an E.164 number to a
+ HLR Identifier in the wireless networks), their ENUM records must be
+ collocated with those of the telephony subscribers. If that is the
+ case, NP will impact ENUM when a telephony subscriber who has ENUM
+ service changes the telephony service provider. This is because
+ that the ENUM records from the new telephony service provider must
+ replace those from the old telephony service provider. To avoid the
+ NP impact on ENUM, it is recommended that the telephony service
+ providers use a different domain tree for their network-related
+ service. For example, if e164.arpa is chosen for Ÿend user÷ ENUM, a
+ domain tree different from e164.arpa should be used for Ÿcarrier÷
+ ENUM.
+
+ The IP-based networks also may need to support some forms of number
+ portability in the future if E.164 numbers [E164] are assigned to
+ the IP-based end users. One method is to assign a GSTN routing
+ number for each IP-based network domain or entity in a NP-capable
+ country. This may increase the number of digits in the routing
+ number to incorporate the IP entities and impact the existing
+ routing in the GSTN. Another method is to associate each IP entity
+ with a particular GSTN gateway. At that particular GSTN gateway,
+ the called directory number then is used to locate the IP-entity
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 23]
+
+Number Portability in the GSTN: An Overview June 24, 2002
+
+ that serves that dialed directory number. Yet, another method can
+ be to assign a special routing number so that the call to an end
+ user currently served by an IP entity is routed to the nearest GSTN
+ gateway. The called directory number then is used to locate the IP-
+ entity that serves that dialed directory number. A mechanism can be
+ developed or used for the IP-based network to locate the IP entity
+ that serves a particular dialed directory number. Many other types
+ of networks use E.164 numbers to identify the end users or terminals
+ in those networks. Number portability among GSTN, IP-based network
+ and those various types of networks may also need to be supported in
+ the future.
+
+
+10. Security Considerations
+
+ This document does not raise any security issues.
+
+
+11. IANA Considerations
+
+ This document introduces no new values for IANA registration.
+
+
+12. Normative References
+
+ [ANSI OSS] ANSI Technical Requirements No. 1, "Number Portability -
+ Operator Services Switching Systems," April 1999.
+
+ [ANSI SS] ANSI Technical Requirements No. 2, "Number Portability -
+ Switching Systems," April 1999.
+
+ [ANSI DB] ANSI Technical Requirements No. 3, "Number Portability
+ Database and Global Title Translation," April 1999.
+
+ [CS1] ITU-T Q-series Recommendations - Supplement 4, "Number
+ portability Capability set 1 requirements for service provider
+ portability (All call query and onward routing)," May 1998.
+
+ [CS2] ITU-T Q-series Recommendations - Supplement 5, "Number
+ portability -Capability set 2 requirements for service provider
+ portability (Query on release and Dropback)," March 1999.
+
+ [E164] ITU-T Recommendation E.164, "The International Public
+ Telecommunications Numbering Plan," 1997.
+
+ [ENUM] P. Falstrom, "E.164 number and DNS," RFC 2916.
+
+ [ETSIISUP] ETSI EN 302 097 V.1.2.2, ŸIntegrated Services Digital
+ Network (ISDN); Signalling System No.7 (SS7); ISDN User Part
+ (ISUP); Enhancement for support of Number Portability (NP)
+ [ITU-T Recommendation Q.769.1 (2000), modified]
+
+ [GSM] GSM 09.02: "Digital cellular telecommunications system (Phase
+ 2+); Mobile Application Part (MAP) specification".
+
+Foster,McGarry,Yu Expired on December 23, 2002 [Page 24]
+
+Number Portability in the GSTN: An Overview March 1, 2002
+
+
+
+ [IS41] TIA/EIA IS-756 Rev. A, "TIA/EIA-41-D Enhancements for
+ Wireless Number Portability Phase II (December 1998)"Number
+ Portability Network Support," April 1998.
+
+ [ITUISUP] ITU-T Recommendation Q.769.1, "Signaling System No. 7 -
+ ISDN User Part Enhancements for the Support of Number
+ Portability," December 1999.
+
+ [MNP] ETSI EN 301 716 (2000-10) European Standard
+ (Telecommunications series) Digital cellular telecommunications
+ system (Phase 2+); Support of Mobile Number Portability (MNP);
+ Technical Realisation; Stage 2; (GSM 03.66 Version 7.2.0
+ Release 1998).
+
+ [RFC] Scott Bradner, RFC2026, "The Internet Standards Process --
+ Revision 3," October 1996.
+
+
+13. Informative References
+
+ [ENUMPO] A. Brown and G. Vaudreuil, "ENUM Service Specific
+ Provisioning: Principles of Operations," draft-ietf-enum-
+ operation-02.txt, February 23, 2001.
+
+ [SIP] J. Rosenberg, et al., draft-ietf-sip-rfc2543bis-09.txt, "SIP:
+ Session Initiation Protocol," February 27, 2002.
+
+ [TEL] H. Schulzrinne and A. Vaha-Sipila, draft-antti-rfc2806bis-
+ 04.txt, "URIs for Telephone Calls," May 24, 2002.
+
+ [TELNP] J. Yu, draft-yu-tel-url-05.txt, "Extensions to the "tel" URL
+ to support Number Portability and Freephone Service," June 14,
+ 2002.
+
+ [TRIP] J. Rosenberg, H. Salama and M. Squire, RFC 3219, "Telephony
+ Routing Information Protocol (TRIP)," January 2002.
+
+
+14. Acknowledgment
+
+ The authors would like to thank Monika Muench for providing
+ information on ISUP and MNP.
+
+
+15. Authors' Addresses
+
+ Mark D. Foster
+ NeuStar, Inc.
+ 1120 Vermont Avenue, NW,
+ Suite 400
+ Washington, D.C. 20005
+ United States
+
+Foster,McGarry,Yu Expired on August 31, 2002 [Page 25]
+
+Number Portability in the GSTN: An Overview March 1, 2002
+
+
+
+ Phone: +1-202-533-2800
+ Fax: +1-202-533-2987
+ Email: mark.foster@neustar.biz
+
+ Tom McGarry
+ NeuStar, Inc.
+ 1120 Vermont Avenue, NW,
+ Suite 400
+ Washington, D.C. 20005
+ United States
+
+ Phone: +1-202-533-2810
+ Fax: +1-202-533-2987
+ Email: tom.mcgarry@neustar.biz
+
+ James Yu
+ NeuStar, Inc.
+ 1120 Vermont Avenue, NW,
+ Suite 400
+ Washington, D.C. 20005
+ United States
+
+ Phone: +1-202-533-2814
+ Fax: +1-202-533-2987
+ Email: james.yu@neustar.biz
+
+
+
+Full Copyright Statement
+
+ "Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+
+
+Foster,McGarry,Yu Expired on August 31, 2002 [Page 26]
+
+Number Portability in the GSTN: An Overview March 1, 2002
+
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Foster,McGarry,Yu Expired on August 31, 2002 [Page 27]
+ \ No newline at end of file
diff --git a/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt b/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt
new file mode 100644
index 0000000..423a119
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-ipseckey-rr-09.txt
@@ -0,0 +1,951 @@
+
+
+IPSECKEY WG M. Richardson
+Internet-Draft SSW
+|Expires: August 1, 2004 February 2004
+
+
+ A Method for Storing IPsec Keying Material in DNS
+| draft-ietf-ipseckey-rr-09.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+| This Internet-Draft will expire on August 1, 2004.
+
+Copyright Notice
+
+| Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+Abstract
+
+| This document describes a new resource record for Domain Name System
+| (DNS). This record may be used to store public keys for use in IP
+| security (IPsec) systems. The record also includes provisions for
+| indicating what system should be contacted when establishing an IPsec
+| tunnel with the entity in question.
+
+ This record replaces the functionality of the sub-type #1 of the KEY
+ Resource Record, which has been obsoleted by RFC3445.
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 1]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+| 1.2 Use of reverse (in-addr.arpa) map . . . . . . . . . . . . . . 3
+| 1.3 Usage Criteria . . . . . . . . . . . . . . . . . . . . . . . . 3
+| 2. Storage formats . . . . . . . . . . . . . . . . . . . . . . . 5
+| 2.1 IPSECKEY RDATA format . . . . . . . . . . . . . . . . . . . . 5
+| 2.2 RDATA format - precedence . . . . . . . . . . . . . . . . . . 5
+| 2.3 RDATA format - gateway type . . . . . . . . . . . . . . . . . 5
+| 2.4 RDATA format - algorithm type . . . . . . . . . . . . . . . . 6
+| 2.5 RDATA format - gateway . . . . . . . . . . . . . . . . . . . . 6
+| 2.6 RDATA format - public keys . . . . . . . . . . . . . . . . . . 6
+| 3. Presentation formats . . . . . . . . . . . . . . . . . . . . . 8
+| 3.1 Representation of IPSECKEY RRs . . . . . . . . . . . . . . . . 8
+| 3.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
+| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
+| 4.1 Active attacks against unsecured IPSECKEY resource records . . 10
+| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
+| 6. Intellectual Property Claims . . . . . . . . . . . . . . . . . 13
+| 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
+| Normative references . . . . . . . . . . . . . . . . . . . . . 15
+| Non-normative references . . . . . . . . . . . . . . . . . . . 16
+| Author's Address . . . . . . . . . . . . . . . . . . . . . . . 16
+| Full Copyright Statement . . . . . . . . . . . . . . . . . . . 17
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 2]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+1. Introduction
+
+ It postulated that there is an end system desiring to establish an
+ IPsec tunnel with some remote entity on the network. This system,
+ having only a DNS name of some kind (forward, reverse or even
+ user@FQDN) needs a public key to authenticate the remote entity. It
+ also desires some guidance about whether to contact the entity
+ directly, or whether to contact another entity, as the gateway to
+ that desired entity.
+
+ The IPSECKEY RR provides a storage mechanism for such items as the
+ public key, and the gateway information.
+
+ The type number for the IPSECKEY RR is TBD.
+
+1.1 Overview
+
+ The IPSECKEY resource record (RR) is used to publish a public key
+ that is to be associated with a Domain Name System (DNS) name for use
+ with the IPsec protocol suite. This can be the public key of a
+ host, network, or application (in the case of per-port keying).
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC2119 [7].
+
+|1.2 Use of reverse (in-addr.arpa) map
+
+| Often a security gateway will only have access to the IP address to
+| which communication is desired. It will not know the forward name.
+| As such, it will frequently be the case that the IP address will be
+| used an index into the reverse map.
+
+| The lookup is done in the usual fashion as for PTR records. The IP
+| address' octets (IPv4) or nibbles (IPv6) are reversed and looked up
+| under the .arpa. zone. Any CNAMEs or DNAMEs found SHOULD be
+| followed.
+
+| Note: even when the IPsec function is the end-host, often only the
+| application will know the forward name used. While the case where
+| the application knows the forward name is common, the user could
+| easily have typed in a literal IP address. This storage mechanism
+| does not preclude using the forward name when it is available, but
+| does not require it.
+
+|1.3 Usage Criteria
+
+ An IPSECKEY resource record SHOULD be used in combination with DNSSEC
+
+
+
+|Richardson Expires August 1, 2004 [Page 3]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+ unless some other means of authenticating the IPSECKEY resource
+ record is available.
+
+ It is expected that there will often be multiple IPSECKEY resource
+ records at the same name. This will be due to the presence of
+ multiple gateways and the need to rollover keys.
+
+ This resource record is class independent.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 4]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+2. Storage formats
+
+2.1 IPSECKEY RDATA format
+
+ The RDATA for an IPSECKEY RR consists of a precedence value, a
+ gateway type, a public key, algorithm type, and an optional gateway
+ address.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | precedence | gateway type | algorithm | gateway |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-------------+ +
+ ~ gateway ~
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | /
+ / public key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+
+2.2 RDATA format - precedence
+
+ This is an 8-bit precedence for this record. This is interpreted in
+ the same way as the PREFERENCE field described in section 3.3.9 of
+ RFC1035 [2].
+
+ Gateways listed in IPSECKEY records with lower precedence are to be
+ attempted first. Where there is a tie in precedence, the order
+ should be non-deterministic.
+
+2.3 RDATA format - gateway type
+
+ The gateway type field indicates the format of the information that
+ is stored in the gateway field.
+
+ The following values are defined:
+
+ 0 No gateway is present
+
+ 1 A 4-byte IPv4 address is present
+
+ 2 A 16-byte IPv6 address is present
+
+ 3 A wire-encoded domain name is present. The wire-encoded format is
+ self-describing, so the length is implicit. The domain name MUST
+ NOT be compressed. (see section 3.3 of RFC1035 [2]).
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 5]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+2.4 RDATA format - algorithm type
+
+ The algorithm type field identifies the public key's cryptographic
+ algorithm and determines the format of the public key field.
+
+ A value of 0 indicates that no key is present.
+
+ The following values are defined:
+
+ 1 A DSA key is present, in the format defined in RFC2536 [10]
+
+ 2 A RSA key is present, in the format defined in RFC3110 [11]
+
+
+2.5 RDATA format - gateway
+
+ The gateway field indicates a gateway to which an IPsec tunnel may be
+ created in order to reach the entity named by this resource record.
+
+ There are three formats:
+
+ A 32-bit IPv4 address is present in the gateway field. The data
+ portion is an IPv4 address as described in section 3.4.1 of RFC1035
+ [2]. This is a 32-bit number in network byte order.
+
+ A 128-bit IPv6 address is present in the gateway field. The data
+ portion is an IPv6 address as described in section 2.2 of RFC3596
+ [13]. This is a 128-bit number in network byte order.
+
+ The gateway field is a normal wire-encoded domain name, as described
+ in section 3.3 of RFC1035 [2]. Compression MUST NOT be used.
+
+2.6 RDATA format - public keys
+
+ Both of the public key types defined in this document (RSA and DSA)
+ inherit their public key formats from the corresponding KEY RR
+ formats. Specifically, the public key field contains the algorithm-
+ specific portion of the KEY RR RDATA, which is all of the KEY RR DATA
+ after the first four octets. This is the same portion of the KEY RR
+ that must be specified by documents that define a DNSSEC algorithm.
+ Those documents also specify a message digest to be used for
+ generation of SIG RRs; that specification is not relevant for
+ IPSECKEY RR.
+
+ Future algorithms, if they are to be used by both DNSSEC (in the KEY
+ RR) and IPSECKEY, are likely to use the same public key encodings in
+ both records. Unless otherwise specified, the IPSECKEY public key
+ field will contain the algorithm-specific portion of the KEY RR RDATA
+
+
+
+|Richardson Expires August 1, 2004 [Page 6]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+ for the corresponding algorithm. The algorithm must still be
+ designated for use by IPSECKEY, and an IPSECKEY algorithm type number
+ (which might be different than the DNSSEC algorithm number) must be
+ assigned to it.
+
+ The DSA key format is defined in RFC2536 [10]
+
+ The RSA key format is defined in RFC3110 [11], with the following
+ changes:
+
+ The earlier definition of RSA/MD5 in RFC2065 limited the exponent and
+ modulus to 2552 bits in length. RFC3110 extended that limit to 4096
+ bits for RSA/SHA1 keys. The IPSECKEY RR imposes no length limit on
+ RSA public keys, other than the 65535 octet limit imposed by the two-
+ octet length encoding. This length extension is applicable only to
+ IPSECKEY and not to KEY RRs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 7]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+3. Presentation formats
+
+3.1 Representation of IPSECKEY RRs
+
+ IPSECKEY RRs may appear in a zone data master file. The precedence,
+ gateway type and algorithm and gateway fields are REQUIRED. The
+ base64 encoded public key block is OPTIONAL; if not present, then the
+ public key field of the resource record MUST be construed as being
+ zero octets in length.
+
+ The algorithm field is an unsigned integer. No mnemonics are
+ defined.
+
+ If no gateway is to be indicated, then the gateway type field MUST be
+ zero, and the gateway field MUST be "."
+
+ The Public Key field is represented as a Base64 encoding of the
+ Public Key. Whitespace is allowed within the Base64 text. For a
+ definition of Base64 encoding, see RFC3548 [6] Section 5.2.
+
+ The general presentation for the record as as follows:
+
+ IN IPSECKEY ( precedence gateway-type algorithm
+ gateway base64-encoded-public-key )
+
+
+3.2 Examples
+
+ An example of a node 192.0.2.38 that will accept IPsec tunnels on its
+ own behalf.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
+ 192.0.2.38
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 192.0.2.38 that has published its key only.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 0 2
+ .
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 192.0.2.38 that has delegated authority to the
+ node 192.0.2.3.
+
+ 38.2.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 1 2
+ 192.0.2.3
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 8]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+ An example of a node, 192.0.1.38 that has delegated authority to the
+ node with the identity "mygateway.example.com".
+
+ 38.1.0.192.in-addr.arpa. 7200 IN IPSECKEY ( 10 3 2
+ mygateway.example.com.
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+ An example of a node, 2001:0DB8:0200:1:210:f3ff:fe03:4d0 that has
+ delegated authority to the node 2001:0DB8:c000:0200:2::1
+
+ $ORIGIN 1.0.0.0.0.0.2.8.B.D.0.1.0.0.2.ip6.arpa.
+ 0.d.4.0.3.0.e.f.f.f.3.f.0.1.2.0 7200 IN IPSECKEY ( 10 2 2
+ 2001:0DB8:0:8002::2000:1
+ AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== )
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 9]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+4. Security Considerations
+
+ This entire memo pertains to the provision of public keying material
+ for use by key management protocols such as ISAKMP/IKE (RFC2407) [8].
+
+ The IPSECKEY resource record contains information that SHOULD be
+ communicated to the end client in an integral fashion - i.e. free
+ from modification. The form of this channel is up to the consumer of
+ the data - there must be a trust relationship between the end
+ consumer of this resource record and the server. This relationship
+ may be end-to-end DNSSEC validation, a TSIG or SIG(0) channel to
+ another secure source, a secure local channel on the host, or some
+ combination of the above.
+
+ The keying material provided by the IPSECKEY resource record is not
+ sensitive to passive attacks. The keying material may be freely
+ disclosed to any party without any impact on the security properties
+ of the resulting IPsec session: IPsec and IKE provide for defense
+ against both active and passive attacks.
+
+ Any derivative standard that makes use of this resource record MUST
+ carefully document their trust model, and why the trust model of
+ DNSSEC is appropriate, if that is the secure channel used.
+
+4.1 Active attacks against unsecured IPSECKEY resource records
+
+ This section deals with active attacks against the DNS. These
+ attacks require that DNS requests and responses be intercepted and
+ changed. DNSSEC is designed to defend against attacks of this kind.
+
+ The first kind of active attack is when the attacker replaces the
+ keying material with either a key under its control or with garbage.
+
+ If the attacker is not able to mount a subsequent man-in-the-middle
+ attack on the IKE negotiation after replacing the public key, then
+ this will result in a denial of service, as the authenticator used by
+ IKE would fail.
+
+ If the attacker is able to both to mount active attacks against DNS
+ and is also in a position to perform a man-in-the-middle attack on
+ IKE and IPsec negotiations, then the attacker will be in a position
+ to compromise the resulting IPsec channel. Note that an attacker
+ must be able to perform active DNS attacks on both sides of the IKE
+ negotiation in order for this to succeed.
+
+ The second kind of active attack is one in which the attacker
+ replaces the the gateway address to point to a node under the
+ attacker's control. The attacker can then either replace the public
+
+
+
+|Richardson Expires August 1, 2004 [Page 10]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+ key or remove it, thus providing an IPSECKEY record of its own to
+ match the gateway address.
+
+ This later form creates a simple man-in-the-middle since the attacker
+ can then create a second tunnel to the real destination. Note that,
+ as before, this requires that the attacker also mount an active
+ attack against the responder.
+
+ Note that the man-in-the-middle can not just forward cleartext
+ packets to the original destination. While the destination may be
+ willing to speak in the clear, replying to the original sender, the
+ sender will have already created a policy expecting ciphertext.
+ Thus, the attacker will need to intercept traffic from both sides.
+ In some cases, the attacker may be able to accomplish the full
+ intercept by use of Network Addresss/Port Translation (NAT/NAPT)
+ technology.
+
+| Note that risk of a man-in-the-middle attack mediated by the IPSECKEY
+| RR only applies to cases where the gateway field of the IPSECKEY RR
+| indicates a different entity than the owner name of the IPSECKEY RR.
+
+| An active attack on the DNS that caused the wrong IP address to be
+| retrieved (via forged A RR), and therefore the wrong QNAME to be
+| queried would also result in a man-in-the-middle attack. This
+| situation exists independantly of whether or not the IPSECKEY RR is
+| used.
+
+| In cases where the end-to-end integrity of the IPSECKEY RR is
+| suspect, the end client MUST restrict its use of the IPSECKEY RR to
+| cases where the RR owner name matches the content of the gateway
+| field.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 11]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+5. IANA Considerations
+
+ This document updates the IANA Registry for DNS Resource Record Types
+ by assigning type X to the IPSECKEY record.
+
+ This document creates two new IANA registries, both specific to the
+ IPSECKEY Resource Record:
+
+ This document creates an IANA registry for the algorithm type field.
+
+ Values 0, 1 and 2 are defined in Section 2.4. Algorithm numbers 3
+ through 255 can be assigned by IETF Consensus (see RFC2434 [5]).
+
+ This document creates an IANA registry for the gateway type field.
+
+ Values 0, 1, 2 and 3 are defined in Section 2.3. Gateway type
+ numbers 4 through 255 can be assigned by Standards Action (see
+ RFC2434 [5]).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 12]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+6. Intellectual Property Claims
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 13]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+7. Acknowledgments
+
+ My thanks to Paul Hoffman, Sam Weiler, Jean-Jacques Puig, Rob
+ Austein, and Olafur Gurmundsson who reviewed this document carefully.
+ Additional thanks to Olafur Gurmundsson for a reference
+ implementation.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 14]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+Normative references
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Bradner, S., "The Internet Standards Process -- Revision 3", BCP
+ 9, RFC 2026, October 1996.
+
+ [4] Eastlake, D. and C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, January 1997.
+
+ [5] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+ [6] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
+ RFC 3548, July 2003.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 15]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+Non-normative references
+
+ [7] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [8] Piper, D., "The Internet IP Security Domain of Interpretation
+ for ISAKMP", RFC 2407, November 1998.
+
+ [9] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [10] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
+ (DNS)", RFC 2536, March 1999.
+
+ [11] Eastlake, D., "RSA/SHA-1 SIGs and RSA KEYs in the Domain Name
+ System (DNS)", RFC 3110, May 2001.
+
+ [12] Massey, D. and S. Rose, "Limiting the Scope of the KEY Resource
+ Record (RR)", RFC 3445, December 2002.
+
+ [13] Thomson, S., Huitema, C., Ksinant, V. and M. Souissi, "DNS
+ Extensions to Support IP Version 6", RFC 3596, October 2003.
+
+
+Author's Address
+
+ Michael C. Richardson
+ Sandelman Software Works
+ 470 Dawson Avenue
+ Ottawa, ON K1Z 5V7
+ CA
+
+ EMail: mcr@sandelman.ottawa.on.ca
+ URI: http://www.sandelman.ottawa.on.ca/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 16]
+
+|Internet-Draft Storing IPsec keying material in DNS February 2004
+
+
+Full Copyright Statement
+
+| Copyright (C) The Internet Society (2004). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+|Richardson Expires August 1, 2004 [Page 17]
diff --git a/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt b/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt
new file mode 100644
index 0000000..2d5c87e
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-ipv6-node-requirements-08.txt
@@ -0,0 +1,1200 @@
+
+
+
+
+
+
+IPv6 Working Group John Loughney (ed)
+Internet-Draft Nokia
+ January 14, 2004
+
+Expires: July 14, 2004
+
+
+
+ IPv6 Node Requirements
+ draft-ietf-ipv6-node-requirements-08.txt
+
+
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as Internet-
+ Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document defines requirements for IPv6 nodes. It is expected
+ that IPv6 will be deployed in a wide range of devices and situations.
+ Specifying the requirements for IPv6 nodes allows IPv6 to function
+ well and interoperate in a large number of situations and
+ deployments.
+
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 1]
+
+
+
+
+
+Internet-Draft
+
+
+Table of Contents
+
+ 1. Introduction
+ 1.1 Requirement Language
+ 1.2 Scope of this Document
+ 1.3 Description of IPv6 Nodes
+ 2. Abbreviations Used in This Document
+ 3. Sub-IP Layer
+ 3.1 Transmission of IPv6 Packets over Ethernet Networks - RFC2464
+ 3.2 IP version 6 over PPP - RFC2472
+ 3.3 IPv6 over ATM Networks - RFC2492
+ 4. IP Layer
+ 4.1 Internet Protocol Version 6 - RFC2460
+ 4.2 Neighbor Discovery for IPv6 - RFC2461
+ 4.3 Path MTU Discovery & Packet Size
+ 4.4 ICMP for the Internet Protocol Version 6 (IPv6) - RFC2463
+ 4.5 Addressing
+ 4.6 Multicast Listener Discovery (MLD) for IPv6 - RFC2710
+ 5. Transport and DNS
+ 5.1 Transport Layer
+ 5.2 DNS
+ 5.3 Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
+ 6. IPv4 Support and Transition
+ 6.1 Transition Mechanisms
+ 7. Mobility
+ 8. Security
+ 8.1 Basic Architecture
+ 8.2 Security Protocols
+ 8.3 Transforms and Algorithms
+ 8.4 Key Management Methods
+ 9. Router Functionality
+ 9.1 General
+ 10. Network Management
+ 10.1 MIBs
+ 11. Security Considerations
+ 12. References
+ 12.1 Normative
+ 12.2 Non-Normative
+ 13. Authors and Acknowledgements
+ 14. Editor's Address
+ Notices
+
+
+
+
+
+
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 2]
+
+
+
+
+
+Internet-Draft
+
+
+1. Introduction
+
+ The goal of this document is to define the common functionality
+ required from both IPv6 hosts and routers. Many IPv6 nodes will
+ implement optional or additional features, but all IPv6 nodes can be
+ expected to implement the mandatory requirements listed in this
+ document.
+
+ This document tries to avoid discussion of protocol details, and
+ references RFCs for this purpose. In case of any conflicting text,
+ this document takes less precedence than the normative RFCs, unless
+ additional clarifying text is included in this document.
+
+ Although the document points to different specifications, it should
+ be noted that in most cases, the granularity of requirements are
+ smaller than a single specification, as many specifications define
+ multiple, independent pieces, some of which may not be mandatory.
+
+ As it is not always possible for an implementer to know the exact
+ usage of IPv6 in a node, an overriding requirement for IPv6 nodes is
+ that they should adhere to Jon Postel's Robustness Principle:
+
+ Be conservative in what you do, be liberal in what you accept from
+ others [RFC-793].
+
+1.1 Requirement Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC-2119].
+
+1.2 Scope of this Document
+
+ IPv6 covers many specifications. It is intended that IPv6 will be
+ deployed in many different situations and environments. Therefore,
+ it is important to develop the requirements for IPv6 nodes, in order
+ to ensure interoperability.
+
+ This document assumes that all IPv6 nodes meet the minimum
+ requirements specified here.
+
+1.3 Description of IPv6 Nodes
+
+ From Internet Protocol, Version 6 (IPv6) Specification [RFC-2460] we
+ have the following definitions:
+
+ Description of an IPv6 Node
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 3]
+
+
+
+
+
+Internet-Draft
+
+
+ - a device that implements IPv6
+
+ Description of an IPv6 router
+
+ - a node that forwards IPv6 packets not explicitly addressed to
+ itself.
+
+ Description of an IPv6 Host
+
+ - any node that is not a router.
+
+2. Abbreviations Used in This Document
+
+ ATM Asynchronous Transfer Mode
+
+ AH Authentication Header
+
+ DAD Duplicate Address Detection
+
+ ESP Encapsulating Security Payload
+
+ ICMP Internet Control Message Protocol
+
+ IKE Internet Key Exchange
+
+ MIB Management Information Base
+
+ MLD Multicast Listener Discovery
+
+ MTU Maximum Transfer Unit
+
+ NA Neighbor Advertisement
+
+ NBMA Non-Broadcast Multiple Access
+
+ ND Neighbor Discovery
+
+ NS Neighbor Solicitation
+
+ NUD Neighbor Unreachability Detection
+
+ PPP Point-to-Point Protocol
+
+ PVC Permanent Virtual Circuit
+
+ SVC Switched Virtual Circuit
+
+3. Sub-IP Layer
+
+
+
+Loughney (editor) February 16, 2004 [Page 4]
+
+
+
+
+
+Internet-Draft
+
+
+ An IPv6 node must include support for one or more IPv6 link-layer
+ specifications. Which link-layer specifications are included will
+ depend upon what link-layers are supported by the hardware available
+ on the system. It is possible for a conformant IPv6 node to support
+ IPv6 on some of its interfaces and not on others.
+
+ As IPv6 is run over new layer 2 technologies, it is expected that new
+ specifications will be issued. This section highlights some major
+ layer 2 technologies and is not intended to be complete.
+
+3.1 Transmission of IPv6 Packets over Ethernet Networks - RFC2464
+
+ Nodes supporting IPv6 over Ethernet interfaces MUST implement
+ Transmission of IPv6 Packets over Ethernet Networks [RFC-2464].
+
+3.2 IP version 6 over PPP - RFC2472
+
+ Nodes supporting IPv6 over PPP MUST implement IPv6 over PPP [RFC-
+ 2472].
+
+3.3 IPv6 over ATM Networks - RFC2492
+
+ Nodes supporting IPv6 over ATM Networks MUST implement IPv6 over ATM
+ Networks [RFC-2492]. Additionally, RFC 2492 states:
+
+ A minimally conforming IPv6/ATM driver SHALL support the PVC mode
+ of operation. An IPv6/ATM driver that supports the full SVC mode
+ SHALL also support PVC mode of operation.
+
+4. IP Layer
+
+4.1 Internet Protocol Version 6 - RFC2460
+
+ The Internet Protocol Version 6 is specified in [RFC-2460]. This
+ specification MUST be supported.
+
+ Unrecognized options in Hop-by-Hop Options or Destination Options
+ extensions MUST be processed as described in RFC 2460.
+
+ The node MUST follow the packet transmission rules in RFC 2460.
+
+ Nodes MUST always be able to send, receive and process fragment
+ headers. All conformant IPv6 implementations MUST be capable of
+ sending and receving IPv6 packets; forwarding functionality MAY be
+ supported
+
+ RFC 2460 specifies extension headers and the processing for these
+ headers.
+
+
+
+Loughney (editor) February 16, 2004 [Page 5]
+
+
+
+
+
+Internet-Draft
+
+
+ A full implementation of IPv6 includes implementation of the
+ following extension headers: Hop-by-Hop Options, Routing (Type 0),
+ Fragment, Destination Options, Authentication and Encapsulating
+ Security Payload. [RFC-2460]
+
+ An IPv6 node MUST be able to process these headers. It should be
+ noted that there is some discussion about the use of Routing Headers
+ and possible security threats [IPv6-RH] caused by them.
+
+4.2 Neighbor Discovery for IPv6 - RFC2461
+
+ Neighbor Discovery SHOULD be supported. RFC 2461 states:
+
+ "Unless specified otherwise (in a document that covers operating
+ IP over a particular link type) this document applies to all link
+ types. However, because ND uses link-layer multicast for some of
+ its services, it is possible that on some link types (e.g., NBMA
+ links) alternative protocols or mechanisms to implement those
+ services will be specified (in the appropriate document covering
+ the operation of IP over a particular link type). The services
+ described in this document that are not directly dependent on
+ multicast, such as Redirects, Next-hop determination, Neighbor
+ Unreachability Detection, etc., are expected to be provided as
+ specified in this document. The details of how one uses ND on
+ NBMA links is an area for further study."
+
+ Some detailed analysis of Neighbor Discovery follows:
+
+ Router Discovery is how hosts locate routers that reside on an
+ attached link. Router Discovery MUST be supported for
+ implementations.
+
+ Prefix Discovery is how hosts discover the set of address prefixes
+ that define which destinations are on-link for an attached link.
+ Prefix discovery MUST be supported for implementations. Neighbor
+ Unreachability Detection (NUD) MUST be supported for all paths
+ between hosts and neighboring nodes. It is not required for paths
+ between routers. However, when a node receives a unicast Neighbor
+ Solicitation (NS) message (that may be a NUD's NS), the node MUST
+ respond to it (i.e. send a unicast Neighbor Advertisement).
+
+ Duplicate Address Detection MUST be supported on all links supporting
+ link-layer multicast (RFC2462 section 5.4 specifies DAD MUST take
+ place on all unicast addresses).
+
+ A host implementation MUST support sending Router Solicitations.
+
+ Receiving and processing Router Advertisements MUST be supported for
+
+
+
+Loughney (editor) February 16, 2004 [Page 6]
+
+
+
+
+
+Internet-Draft
+
+
+ host implementations. The ability to understand specific Router
+ Advertisement options is dependent on supporting the specification
+ where the RA is specified.
+
+ Sending and Receiving Neighbor Solicitation (NS) and Neighbor
+ Advertisement (NA) MUST be supported. NS and NA messages are required
+ for Duplicate Address Detection (DAD).
+
+ Redirect functionality SHOULD be supported. If the node is a router,
+ Redirect functionality MUST be supported.
+
+4.3 Path MTU Discovery & Packet Size
+
+4.3.1 Path MTU Discovery - RFC1981
+
+ Path MTU Discovery [RFC-1981] SHOULD be supported, though minimal
+ implementations MAY choose to not support it and avoid large packets.
+ The rules in RFC 2460 MUST be followed for packet fragmentation and
+ reassembly.
+
+4.3.2 IPv6 Jumbograms - RFC2675
+
+ IPv6 Jumbograms [RFC-2675] MAY be supported.
+
+4.4 ICMP for the Internet Protocol Version 6 (IPv6) - RFC2463
+
+ ICMPv6 [RFC-2463] MUST be supported.
+
+4.5 Addressing
+
+4.5.1 IP Version 6 Addressing Architecture - RFC3513
+
+ The IPv6 Addressing Architecture [RFC-3513] MUST be supported.
+
+4.5.2 IPv6 Stateless Address Autoconfiguration - RFC2462
+
+ IPv6 Stateless Address Autoconfiguration is defined in [RFC-2462].
+ This specification MUST be supported for nodes that are hosts.
+
+ Nodes that are routers MUST be able to generate link local addresses
+ as described in RFC 2462 [RFC-2462].
+
+ From 2462:
+
+ The autoconfiguration process specified in this document applies
+ only to hosts and not routers. Since host autoconfiguration uses
+ information advertised by routers, routers will need to be
+ configured by some other means. However, it is expected that
+
+
+
+Loughney (editor) February 16, 2004 [Page 7]
+
+
+
+
+
+Internet-Draft
+
+
+ routers will generate link-local addresses using the mechanism
+ described in this document. In addition, routers are expected to
+ successfully pass the Duplicate Address Detection procedure
+ described in this document on all addresses prior to assigning
+ them to an interface.
+
+ Duplicate Address Detection (DAD) MUST be supported.
+
+4.5.3 Privacy Extensions for Address Configuration in IPv6 - RFC3041
+
+ Privacy Extensions for Stateless Address Autoconfiguration [RFC-3041]
+ SHOULD be supported. It is recommended that this behavior be
+ configurable on a connection basis within each application when
+ available. It is noted that a number of applications do not work
+ with addresses generated with this method, while other applications
+ work quite well with them.
+
+4.5.4 Default Address Selection for IPv6 - RFC3484
+
+ The rules specified in the Default Address Selection for IPv6 [RFC-
+ 3484] document MUST be implemented. It is expected that IPv6 nodes
+ will need to deal with multiple addresses.
+
+4.5.5 Stateful Address Autoconfiguration
+
+ Stateful Address Autoconfiguration MAY be supported. DHCPv6 [RFC-
+ 3315] is the standard stateful address configuration protocol; see
+ section 5.3 for DHCPv6 support.
+
+ Nodes which do not support Stateful Address Autoconfiguration may be
+ unable to obtain any IPv6 addresses aside from link-local addresses
+ when it receives a router advertisement with the 'M' flag (Managed
+ address configuration) set and which contains no prefixes advertised
+ for Stateless Address Autoconfiguration (see section 4.5.2).
+ Additionally, such nodes will be unable to obtain other configuration
+ information such as the addresses of DNS servers when it is connected
+ to a link over which the node receives a router advertisement in
+ which the 'O' flag ("Other stateful configuration") is set.
+
+4.6 Multicast Listener Discovery (MLD) for IPv6 - RFC2710
+
+ Nodes that need to join multicast groups SHOULD implement MLDv2
+ [MLDv2]. However, if the node has applications, which only need
+ support for Any- Source Multicast [RFC3569], the node MAY implement
+ MLDv1 [MLDv1] instead. If the node has applications, which need
+ support for Source- Specific Multicast [RFC3569, SSMARCH], the node
+ MUST support MLDv2 [MLDv2].
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 8]
+
+
+
+
+
+Internet-Draft
+
+
+ When MLD is used, the rules in "Source Address Selection for the
+ Multicast Listener Discovery (MLD) Protocol" [RFC-3590] MUST be
+ followed.
+
+5. Transport Layer and DNS
+
+5.1 Transport Layer
+
+5.1.1 TCP and UDP over IPv6 Jumbograms - RFC2147
+
+ This specification MUST be supported if jumbograms are implemented
+ [RFC- 2675].
+
+5.2 DNS
+
+ DNS, as described in [RFC-1034], [RFC-1035], [RFC-3152], [RFC-3363]
+ and [RFC-3596] MAY be supported. Not all nodes will need to resolve
+ names. All nodes that need to resolve names SHOULD implement stub-
+ resolver [RFC-1034] functionality, in RFC 1034 section 5.3.1 with
+ support for:
+
+ - AAAA type Resource Records [RFC-3596];
+ - reverse addressing in ip6.arpa using PTR records [RFC-3152];
+ - EDNS0 [RFC-2671] to allow for DNS packet sizes larger than 512
+ octets.
+
+ Those nodes are RECOMMENDED to support DNS security extentions
+ [DNSSEC- INTRO], [DNSSEC-REC] and [DNSSEC-PROT].
+
+ Those nodes are NOT RECOMMENDED to support the experimental A6 and
+ DNAME Resource Records [RFC-3363].
+
+5.2.2 Format for Literal IPv6 Addresses in URL's - RFC2732
+
+ RFC 2732 MUST be supported if applications on the node use URL's.
+
+5.3 Dynamic Host Configuration Protocol for IPv6 (DHCPv6) - RFC3315
+
+5.3.1 Managed Address Configuration
+
+ Those IPv6 Nodes that use DHCP for address assignment initiate DHCP
+ to obtain IPv6 addresses and other configuration information upon
+ receipt of a Router Advertisement with the 'M' flag set, as described
+ in section 5.5.3 of RFC 2462. In addition, in the absence of a
+ router, those IPv6 Nodes that use DHCP for address assignment MUST
+ initiate DHCP to obtain IPv6 addresses and other configuration
+ information, as described in section 5.5.2 of RFC 2462. Those IPv6
+ nodes that do not use DHCP for address assignment can ignore the 'M'
+
+
+
+Loughney (editor) February 16, 2004 [Page 9]
+
+
+
+
+
+Internet-Draft
+
+
+ flag in Router Advertisements.
+
+5.3.2 Other Configuration Information
+
+ Those IPv6 Nodes that use DHCP to obtain other configuration
+ information initiate DHCP for other configuration information upon
+ receipt of a Router Advertisement with the 'O' flag set, as described
+ in section 5.5.3 of RFC 2462. Those IPv6 nodes that do not use DHCP
+ for other configuration information can ignore the 'O' flag in Router
+ Advertisements.
+
+ An IPv6 Node can use the subset of DHCP described in [DHCPv6-SL] to
+ obtain other configuration information.
+
+6. IPv4 Support and Transition
+
+ IPv6 nodes MAY support IPv4.
+
+6.1 Transition Mechanisms
+
+6.1.1 Transition Mechanisms for IPv6 Hosts and Routers - RFC2893
+
+ If an IPv6 node implements dual stack and tunneling, then RFC2893
+ MUST be supported.
+
+ RFC 2893 is currently being updated.
+
+7. Mobile IP
+
+ The Mobile IPv6 [MIPv6] specification defines requirements for the
+ following types of nodes:
+
+ - mobile nodes
+ - correspondent nodes with support for route optimization
+ - home agents
+ - all IPv6 routers
+
+ Hosts MAY support mobile node functionality described in Section 8.5
+ of [MIPv6], including support of generic packet tunneling [RFC-2473]
+ and secure home agent communications [MIPv6-HASEC].
+
+ Hosts SHOULD support route optimization requirements for
+ correspondent nodes described in Section 8.2 of [MIPv6].
+
+ Routers SHOULD support the generic mobility-related requirements for
+ all IPv6 routers described in Section 8.3 of [MIPv6]. Routers MAY
+ support the home agent functionality described in Section 8.4 of
+ [MIPv6], including support of [RFC-2473] and [MIPv6-HASEC].
+
+
+
+Loughney (editor) February 16, 2004 [Page 10]
+
+
+
+
+
+Internet-Draft
+
+
+8. Security
+
+ This section describes the specification of IPsec for the IPv6 node.
+
+8.1 Basic Architecture
+
+ Security Architecture for the Internet Protocol [RFC-2401] MUST be
+ supported. RFC-2401 is being updated by the IPsec Working Group.
+
+8.2 Security Protocols
+
+ ESP [RFC-2406] MUST be supported. AH [RFC-2402] MUST be supported.
+ RFC- 2406 and RFC 2402 are being updated by the IPsec Working Group.
+
+
+8.3 Transforms and Algorithms
+
+ Current IPsec RFCs specify the support of certain transforms and
+ algorithms, NULL encryption, DES-CBC, HMAC-SHA-1-96, and HMAC-MD5-96.
+ The requirements for these are discussed first, and then additional
+ algorithms 3DES-CBC, AES-128-CBC and HMAC-SHA-256-96 are discussed.
+
+ NULL encryption algorithm [RFC-2410] MUST be supported for providing
+ integrity service and also for debugging use.
+
+ The "ESP DES-CBC Cipher Algorithm With Explicit IV" [RFC-2405] SHOULD
+ NOT be supported. Security issues related to the use of DES are
+ discussed in [DESDIFF], [DESINT], [DESCRACK]. It is still listed as
+ required by the existing IPsec RFCs, but as it is currently viewed as
+ an inherently weak algorithm, and no longer fulfills its intended
+ role.
+
+ The NULL authentication algorithm [RFC-2406] MUST be supported within
+ ESP. The use of HMAC-SHA-1-96 within AH and ESP, described in [RFC-
+ 2404] MUST be supported. The use of HMAC-MD5-96 within AH and ESP,
+ described in [RFC-2403] MUST be supported. An implementer MUST refer
+ to Keyed- Hashing for Message Authentication [RFC-2104].
+
+ 3DES-CBC does not suffer from the issues related to DES-CBC. 3DES-CBC
+ and ESP CBC-Mode Cipher Algorithms [RFC-2451] MAY be supported. AES-
+ CBC Cipher Algorithm [RFC-3602] MUST be supported, as it is expected
+ to be a widely available, secure algorithm that is required for
+ interoperability. It is not required by the current IPsec RFCs, but
+ is expected to become required in the future.
+
+ In addition to the above requirements, "Cryptographic Algorithm
+ Implementation Requirements For ESP And AH" [CRYPTREQ] contains the
+ current set of mandatory to implement algorithms for ESP and AH as
+
+
+
+Loughney (editor) February 16, 2004 [Page 11]
+
+
+
+
+
+Internet-Draft
+
+
+ well as specifying algorithms that should be implemented because they
+ may be promoted to mandatory at some future time. It is RECOMMENDED
+ that IPv6 nodes conform to the requirements in this document.
+
+8.4 Key Management Methods
+
+ Manual keying MUST be supported.
+
+ IKE [RFC-2407] [RFC-2408] [RFC-2409] MAY be supported for unicast
+ traffic. Where key refresh, anti-replay features of AH and ESP, or
+ on- demand creation of Security Associations (SAs) is required,
+ automated keying MUST be supported. Note that the IPsec WG is working
+ on the successor to IKE [IKE2]. Key management methods for multicast
+ traffic are also being worked on by the MSEC WG.
+
+ "Cryptographic Algorithms for use in the Internet Key Exchange
+ Version 2" [IKEv2ALGO] defines the current set of mandatory to
+ implement algorithms for use of IKEv2 as well as specifying
+ algorithms that should be implemented because they made be promoted
+ to mandatory at some future time. It is RECOMMENDED that IPv6 nodes
+ implementing IKEv2 conform to the requirements in this
+ document.
+
+9. Router-Specific Functionality
+
+ This section defines general host considerations for IPv6 nodes that
+ act as routers. Currently, this section does not discuss routing-
+ specific requirements.
+
+9.1 General
+
+9.1.1 IPv6 Router Alert Option - RFC2711
+
+
+ The IPv6 Router Alert Option [RFC-2711] is an optional IPv6 Hop-by-
+ Hop Header that is used in conjunction with some protocols (e.g.,
+ RSVP [RFC- 2205], or MLD [RFC-2710]). The Router Alert option will
+ need to be implemented whenever protocols that mandate its usage are
+ implemented. See Section 4.6.
+
+9.1.2 Neighbor Discovery for IPv6 - RFC2461
+
+ Sending Router Advertisements and processing Router Solicitation MUST
+ be supported.
+
+10. Network Management
+
+ Network Management MAY be supported by IPv6 nodes. However, for IPv6
+
+
+
+Loughney (editor) February 16, 2004 [Page 12]
+
+
+
+
+
+Internet-Draft
+
+
+ nodes that are embedded devices, network management may be the only
+ possibility to control these nodes.
+
+10.1 Management Information Base Modules (MIBs)
+
+ The following two MIBs SHOULD be supported by nodes that support an
+ SNMP agent.
+
+10.1.1 IP Forwarding Table MIB
+
+ IP Forwarding Table MIB [RFC-2096BIS] SHOULD be supported by nodes
+ that support an SNMP agent.
+
+10.1.2 Management Information Base for the Internet Protocol (IP)
+
+ IP MIB [RFC-2011BIS] SHOULD be supported by nodes that support an
+ SNMP agent.
+
+11. Security Considerations
+
+ This draft does not affect the security of the Internet, but
+ implementations of IPv6 are expected to support a minimum set of
+ security features to ensure security on the Internet. "IP Security
+ Document Roadmap" [RFC-2411] is important for everyone to read.
+
+ The security considerations in RFC2460 describe the following:
+
+ The security features of IPv6 are described in the Security
+ Architecture for the Internet Protocol [RFC-2401].
+
+12. References
+
+12.1 Normative
+
+ [CRYPTREQ] D. Eastlake 3rd, "Cryptographic Algorithm Implementa-
+ tion Requirements For ESP And AH", draft-ietf-ipsec-
+ esp-ah-algorithms-01.txt, January 2004.
+
+ [IKEv2ALGO] J. Schiller, "Cryptographic Algorithms for use in the
+ Internet Key Exchange Version 2", draft-ietf-ipsec-
+ ikev2-algorithms-04.txt, Work in Progress.
+
+ [DHCPv6-SL] R. Droms, "A Guide to Implementing Stateless DHCPv6
+ Service", draft- ietf-dhc-dhcpv6-stateless-00.txt,
+ Work in Progress.
+
+ [MIPv6] J. Arkko, D. Johnson and C. Perkins, "Mobility Support
+ in IPv6", draft- ietf-mobileip-ipv6-24.txt, Work in
+
+
+
+Loughney (editor) February 16, 2004 [Page 13]
+
+
+
+
+
+Internet-Draft
+
+
+ progress.
+
+ [MIPv6-HASEC] J. Arkko, V. Devarapalli and F. Dupont, "Using IPsec
+ to Protect Mobile IPv6 Signaling between Mobile Nodes
+ and Home Agents", draft-ietf- mobileip-mipv6-ha-
+ ipsec-06.txt, Work in Progress.
+
+ [MLDv2] Vida, R. et al., "Multicast Listener Discovery Version
+ 2 (MLDv2) for IPv6", draft-vida-mld-v2-07.txt, Work in
+ Progress.
+
+ [RFC-1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC-1981] McCann, J., Mogul, J. and Deering, S., "Path MTU
+ Discovery for IP version 6", RFC 1981, August 1996.
+
+ [RFC-2096BIS] Haberman, B. and Wasserman, M., "IP Forwarding Table
+ MIB", draft-ietf- ipv6-rfc2096-update-07.txt, Work in
+ Progress.
+
+ [RFC-2011BIS] Routhier, S (ed), "Management Information Base for the
+ Internet Protocol (IP)", draft-ietf-ipv6-rfc2011-
+ update-07.txt, Work in progress.
+
+ [RFC-2104] Krawczyk, K., Bellare, M., and Canetti, R., "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC-2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC-2401] Kent, S. and Atkinson, R., "Security Architecture for
+ the Internet Protocol", RFC 2401, November 1998.
+
+ [RFC-2402] Kent, S. and Atkinson, R., "IP Authentication
+ Header", RFC 2402, November 1998.
+
+ [RFC-2403] Madson, C., and Glenn, R., "The Use of HMAC-MD5 within
+ ESP and AH", RFC 2403, November 1998.
+
+ [RFC-2404] Madson, C., and Glenn, R., "The Use of HMAC-SHA-1
+ within ESP and AH", RFC 2404, November 1998.
+
+ [RFC-2405] Madson, C. and Doraswamy, N., "The ESP DES-CBC Cipher
+ Algorithm With Explicit IV", RFC 2405, November 1998.
+
+ [RFC-2406] Kent, S. and Atkinson, R., "IP Encapsulating Security
+
+
+
+Loughney (editor) February 16, 2004 [Page 14]
+
+
+
+
+
+Internet-Draft
+
+
+ Protocol (ESP)", RFC 2406, November 1998.
+
+ [RFC-2407] Piper, D., "The Internet IP Security Domain of
+ Interpretation for ISAKMP", RFC 2407, November 1998.
+
+ [RFC-2408] Maughan, D., Schertler, M., Schneider, M., and Turner,
+ J., "Internet Security Association and Key Management
+ Protocol (ISAKMP)", RFC 2408, November 1998.
+
+ [RFC-2409] Harkins, D., and Carrel, D., "The Internet Key
+ Exchange (IKE)", RFC 2409, November 1998.
+
+ [RFC-2410] Glenn, R. and Kent, S., "The NULL Encryption Algorithm
+ and Its Use With IPsec", RFC 2410, November 1998.
+
+ [RFC-2451] Pereira, R. and Adams, R., "The ESP CBC-Mode Cipher
+ Algorithms", RFC 2451, November 1998.
+
+ [RFC-2460] Deering, S. and Hinden, R., "Internet Protocol, Ver-
+ sion 6 (IPv6) Specification", RFC 2460, December 1998.
+
+ [RFC-2461] Narten, T., Nordmark, E. and Simpson, W., "Neighbor
+ Discovery for IP Version 6 (IPv6)", RFC 2461, December
+ 1998.
+
+ [RFC-2462] Thomson, S. and Narten, T., "IPv6 Stateless Address
+ Autoconfiguration", RFC 2462.
+
+ [RFC-2463] Conta, A. and Deering, S., "ICMP for the Internet Pro-
+ tocol Version 6 (IPv6)", RFC 2463, December 1998.
+
+ [RFC-2472] Haskin, D. and Allen, E., "IP version 6 over PPP", RFC
+ 2472, December 1998.
+
+ [RFC-2473] Conta, A. and Deering, S., "Generic Packet Tunneling
+ in IPv6 Specification", RFC 2473, December 1998. Xxx
+ add
+
+ [RFC-2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC-2710] Deering, S., Fenner, W. and Haberman, B., "Multicast
+ Listener Discovery (MLD) for IPv6", RFC 2710, October
+ 1999.
+
+ [RFC-2711] Partridge, C. and Jackson, A., "IPv6 Router Alert
+ Option", RFC 2711, October 1999.
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 15]
+
+
+
+
+
+Internet-Draft
+
+
+ [RFC-3041] Narten, T. and Draves, R., "Privacy Extensions for
+ Stateless Address Autoconfiguration in IPv6", RFC
+ 3041, January 2001.
+
+ [RFC-3152] Bush, R., "Delegation of IP6.ARPA", RFC 3152, August
+ 2001.
+
+ [RFC-3315] Bound, J. et al., "Dynamic Host Configuration Protocol
+ for IPv6 (DHCPv6)", RFC 3315, July 2003.
+
+ [RFC-3363] Bush, R., et al., "Representing Internet Protocol ver-
+ sion 6 (IPv6) Addresses in the Domain Name System
+ (DNS)", RFC 3363, August 2002.
+
+ [RFC-3484] Draves, R., "Default Address Selection for IPv6", RFC
+ 3484, February 2003.
+
+ [RFC-3513] Hinden, R. and Deering, S. "IP Version 6 Addressing
+ Architecture", RFC 3513, April 2003.
+
+ [RFC-3590] Haberman, B., "Source Address Selection for the Multi-
+ cast Listener Discovery (MLD) Protocol", RFC 3590,
+ September 2003.
+
+ [RFC-3596] Thomson, S., et al., "DNS Extensions to support IP
+ version 6", RFC 3596, October 2003.
+
+ [RFC-3602] S. Frankel, "The AES-CBC Cipher Algorithm and Its Use
+ with IPsec", RFC 3602, September 2003.
+
+12.2 Non-Normative
+
+ [ANYCAST] Hagino, J and Ettikan K., "An Analysis of IPv6 Anycast",
+ draft-ietf- ipngwg-ipv6-anycast-analysis-02.txt, Work in
+ Progress.
+
+ [DESDIFF] Biham, E., Shamir, A., "Differential Cryptanalysis of
+ DES-like cryptosystems", Journal of Cryptology Vol 4, Jan
+ 1991.
+
+ [DESCRACK] Cracking DES, O'Reilly & Associates, Sebastapol, CA 2000.
+
+ [DESINT] Bellovin, S., "An Issue With DES-CBC When Used Without
+ Strong Integrity", Proceedings of the 32nd IETF, Danvers,
+ MA, April 1995.
+
+ [DHCPv6-SL] Droms, R., "A Guide to Implementing Stateless DHCPv6 Ser-
+ vice", draft- ietf-dhc-dhcpv6-stateless-02.txt, Work in
+
+
+
+Loughney (editor) February 16, 2004 [Page 16]
+
+
+
+
+
+Internet-Draft
+
+
+ Progress.
+
+ [DNSSEC-INTRO] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
+ S., "DNS Security Introduction and Requirements" draft-
+ ietf-dnsext-dnssec-intro- 06.txt, Work in Progress.
+
+ [DNSSEC-REC] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
+ S., "Resource Records for the DNS Security Extensions",
+ draft-ietf-dnsext-dnssec- records-04.txt, Work in Pro-
+ gress.
+
+ [DNSSEC-PROT] Arends, R., Austein, R., Larson, M., Massey, D. and Rose,
+ S., "Protocol Modifications for the DNS Security Exten-
+ sions", draft-ietf-dnsext- dnssec-protocol-02.txt, Work
+ in Progress.
+
+ [IKE2] Kaufman, C. (ed), "Internet Key Exchange (IKEv2) Proto-
+ col", draft-ietf- ipsec-ikev2-10.txt, Work in Progress.
+
+ [IPv6-RH] P. Savola, "Security of IPv6 Routing Header and Home
+ Address Options", draft-savola-ipv6-rh-ha-security-
+ 03.txt, Work in Progress, March 2002.
+
+ [MC-THREAT] Ballardie A. and Crowcroft, J.; Multicast-Specific Secu-
+ rity Threats and Counter-Measures; In Proceedings "Sympo-
+ sium on Network and Distributed System Security", Febru-
+ ary 1995, pp.2-16.
+
+ [RFC-793] Postel, J., "Transmission Control Protocol", RFC 793,
+ August 1980.
+
+ [RFC-1034] Mockapetris, P., "Domain names - concepts and facili-
+ ties", RFC 1034, November 1987.
+
+ [RFC-2147] Borman, D., "TCP and UDP over IPv6 Jumbograms", RFC 2147,
+ May 1997.
+
+ [RFC-2205] Braden, B. (ed.), Zhang, L., Berson, S., Herzog, S. and
+ S. Jamin, "Resource ReSerVation Protocol (RSVP)", RFC
+ 2205, September 1997.
+
+ [RFC-2464] Crawford, M., "Transmission of IPv6 Packets over Ethernet
+ Networks", RFC 2462, December 1998.
+
+ [RFC-2492] G. Armitage, M. Jork, P. Schulter, G. Harter, IPv6 over
+ ATM Networks", RFC 2492, January 1999.
+
+ [RFC-2675] Borman, D., Deering, S. and Hinden, B., "IPv6
+
+
+
+Loughney (editor) February 16, 2004 [Page 17]
+
+
+
+
+
+Internet-Draft
+
+
+ Jumbograms", RFC 2675, August 1999.
+
+ [RFC-2732] R. Hinden, B. Carpenter, L. Masinter, "Format for Literal
+ IPv6 Addresses in URL's", RFC 2732, December 1999.
+
+ [RFC-2851] M. Daniele, B. Haberman, S. Routhier, J. Schoenwaelder,
+ "Textual Conventions for Internet Network Addresses", RFC
+ 2851, June 2000.
+
+ [RFC-2893] Gilligan, R. and Nordmark, E., "Transition Mechanisms for
+ IPv6 Hosts and Routers", RFC 2893, August 2000.
+
+ [RFC-3569] S. Bhattacharyya, Ed., "An Overview of Source-Specific
+ Multicast (SSM)", RFC 3569, July 2003.
+
+ [SSM-ARCH] H. Holbrook, B. Cain, "Source-Specific Multicast for IP",
+ draft-ietf- ssm-arch-03.txt, Work in Progress.
+
+13. Authors and Acknowledgements
+
+ This document was written by the IPv6 Node Requirements design team:
+
+ Jari Arkko
+ [jari.arkko@ericsson.com]
+
+ Marc Blanchet
+ [marc.blanchet@viagenie.qc.ca]
+
+ Samita Chakrabarti
+ [samita.chakrabarti@eng.sun.com]
+
+ Alain Durand
+ [alain.durand@sun.com]
+
+ Gerard Gastaud
+ [gerard.gastaud@alcatel.fr]
+
+ Jun-ichiro itojun Hagino
+ [itojun@iijlab.net]
+
+ Atsushi Inoue
+ [inoue@isl.rdc.toshiba.co.jp]
+
+ Masahiro Ishiyama
+ [masahiro@isl.rdc.toshiba.co.jp]
+
+ John Loughney
+ [john.loughney@nokia.com]
+
+
+
+Loughney (editor) February 16, 2004 [Page 18]
+
+
+
+
+
+Internet-Draft
+
+
+ Rajiv Raghunarayan
+ [raraghun@cisco.com]
+
+ Shoichi Sakane
+ [shouichi.sakane@jp.yokogawa.com]
+
+ Dave Thaler
+ [dthaler@windows.microsoft.com]
+
+ Juha Wiljakka
+ [juha.wiljakka@Nokia.com]
+
+ The authors would like to thank Ran Atkinson, Jim Bound, Brian Car-
+ penter, Ralph Droms, Christian Huitema, Adam Machalek, Thomas Narten,
+ Juha Ollila and Pekka Savola for their comments.
+
+14. Editor's Contact Information
+
+ Comments or questions regarding this document should be sent to the
+ IPv6 Working Group mailing list (ipv6@ietf.org) or to:
+
+ John Loughney
+ Nokia Research Center
+ Itamerenkatu 11-13
+ 00180 Helsinki
+ Finland
+
+ Phone: +358 50 483 6242
+ Email: John.Loughney@Nokia.com
+
+Notices
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to per-
+ tain to the implementation or use of the technology described in this
+ document or the extent to which any license under such rights might
+ or might not be available; neither does it represent that it has made
+ any effort to identify any such rights. Information on the IETF's
+ procedures with respect to rights in standards-track and standards-
+ related documentation can be found in BCP-11. Copies of claims of
+ rights made available for publication and any assurances of licenses
+ to be made available, or the result of an attempt made to obtain a
+ general license or permission for the use of such proprietary rights
+ by implementors or users of this specification can be obtained from
+ the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+
+
+
+Loughney (editor) February 16, 2004 [Page 19]
+
+
+
+
+
+Internet-Draft
+
+
+ rights, which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Loughney (editor) February 16, 2004 [Page 20]
+
+
diff --git a/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt b/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt
new file mode 100644
index 0000000..a272d81
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ietf-secsh-dns-05.txt
@@ -0,0 +1,614 @@
+Secure Shell Working Group J. Schlyter
+Internet-Draft OpenSSH
+Expires: March 5, 2004 W. Griffin
+ SPARTA
+ September 5, 2003
+
+
+ Using DNS to Securely Publish SSH Key Fingerprints
+ draft-ietf-secsh-dns-05.txt
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that other
+ groups may also distribute working documents as Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six months
+ and may be updated, replaced, or obsoleted by other documents at any
+ time. It is inappropriate to use Internet-Drafts as reference
+ material or to cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at http://
+ www.ietf.org/ietf/1id-abstracts.txt.
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+ This Internet-Draft will expire on March 5, 2004.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes a method to verify SSH host keys using
+ DNSSEC. The document defines a new DNS resource record that contains
+ a standard SSH key fingerprint.
+
+
+
+
+
+
+
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 1]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. SSH Host Key Verification . . . . . . . . . . . . . . . . . 3
+ 2.1 Method . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.2 Implementation Notes . . . . . . . . . . . . . . . . . . . . 3
+ 2.3 Fingerprint Matching . . . . . . . . . . . . . . . . . . . . 4
+ 2.4 Authentication . . . . . . . . . . . . . . . . . . . . . . . 4
+ 3. The SSHFP Resource Record . . . . . . . . . . . . . . . . . 4
+ 3.1 The SSHFP RDATA Format . . . . . . . . . . . . . . . . . . . 5
+ 3.1.1 Algorithm Number Specification . . . . . . . . . . . . . . . 5
+ 3.1.2 Fingerprint Type Specification . . . . . . . . . . . . . . . 5
+ 3.1.3 Fingerprint . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 3.2 Presentation Format of the SSHFP RR . . . . . . . . . . . . 6
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
+ Normative References . . . . . . . . . . . . . . . . . . . . 8
+ Informational References . . . . . . . . . . . . . . . . . . 8
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 9
+ A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 9
+ Intellectual Property and Copyright Statements . . . . . . . 10
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 2]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+1. Introduction
+
+ The SSH [6] protocol provides secure remote login and other secure
+ network services over an insecure network. The security of the
+ connection relies on the server authenticating itself to the client
+ as well as the user authenticating itself to the server.
+
+ If a connection is established to a server whose public key is not
+ already known to the client, a fingerprint of the key is presented to
+ the user for verification. If the user decides that the fingerprint
+ is correct and accepts the key, the key is saved locally and used for
+ verification for all following connections. While some
+ security-conscious users verify the fingerprint out-of-band before
+ accepting the key, many users blindly accept the presented key.
+
+ The method described here can provide out-of-band verification by
+ looking up a fingerprint of the server public key in the DNS [1][2]
+ and using DNSSEC [5] to verify the lookup.
+
+ In order to distribute the fingerprint using DNS, this document
+ defines a new DNS resource record, "SSHFP", to carry the fingerprint.
+
+ Basic understanding of the DNS system [1][2] and the DNS security
+ extensions [5] is assumed by this document.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [3].
+
+2. SSH Host Key Verification
+
+2.1 Method
+
+ Upon connection to a SSH server, the SSH client MAY look up the SSHFP
+ resource record(s) for the host it is connecting to. If the
+ algorithm and fingerprint of the key received from the SSH server
+ match the algorithm and fingerprint of one of the SSHFP resource
+ record(s) returned from DNS, the client MAY accept the identity of
+ the server.
+
+2.2 Implementation Notes
+
+ Client implementors SHOULD provide a configurable policy used to
+ select the order of methods used to verify a host key. This document
+ defines one method: Fingerprint storage in DNS. Another method
+ defined in the SSH Architecture [6] uses local files to store keys
+ for comparison. Other methods that could be defined in the future
+ might include storing fingerprints in LDAP or other databases. A
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 3]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+ configurable policy will allow administrators to determine which
+ methods they want to use and in what order the methods should be
+ prioritized. This will allow administrators to determine how much
+ trust they want to place in the different methods.
+
+ One specific scenario for having a configurable policy is where
+ clients do not use fully qualified host names to connect to servers.
+ In this scenario, the implementation SHOULD verify the host key
+ against a local database before verifying the key via the fingerprint
+ returned from DNS. This would help prevent an attacker from injecting
+ a DNS search path into the local resolver and forcing the client to
+ connect to a different host.
+
+2.3 Fingerprint Matching
+
+ The public key and the SSHFP resource record are matched together by
+ comparing algorithm number and fingerprint.
+
+ The public key algorithm and the SSHFP algorithm number MUST
+ match.
+
+ A message digest of the public key, using the message digest
+ algorithm specified in the SSHFP fingerprint type, MUST match the
+ SSHFP fingerprint.
+
+
+2.4 Authentication
+
+ A public key verified using this method MUST NOT be trusted if the
+ SSHFP resource record (RR) used for verification was not
+ authenticated by a trusted SIG RR.
+
+ Clients that do validate the DNSSEC signatures themselves SHOULD use
+ standard DNSSEC validation procedures.
+
+ Clients that do not validate the DNSSEC signatures themselves MUST
+ use a secure transport, e.g. TSIG [9], SIG(0) [10] or IPsec [8],
+ between themselves and the entity performing the signature
+ validation.
+
+3. The SSHFP Resource Record
+
+ The SSHFP resource record (RR) is used to store a fingerprint of a
+ SSH public host key that is associated with a Domain Name System
+ (DNS) name.
+
+ The RR type code for the SSHFP RR is TBA.
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 4]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+3.1 The SSHFP RDATA Format
+
+ The RDATA for a SSHFP RR consists of an algorithm number, fingerprint
+ type and the fingerprint of the public host key.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | algorithm | fp type | /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /
+ / /
+ / fingerprint /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+3.1.1 Algorithm Number Specification
+
+ This algorithm number octet describes the algorithm of the public
+ key. The following values are assigned:
+
+ Value Algorithm name
+ ----- --------------
+ 0 reserved
+ 1 RSA
+ 2 DSS
+
+ Reserving other types requires IETF consensus [4].
+
+3.1.2 Fingerprint Type Specification
+
+ The fingerprint type octet describes the message-digest algorithm
+ used to calculate the fingerprint of the public key. The following
+ values are assigned:
+
+ Value Fingerprint type
+ ----- ----------------
+ 0 reserved
+ 1 SHA-1
+
+ Reserving other types requires IETF consensus [4].
+
+ For interoperability reasons, as few fingerprint types as possible
+ should be reserved. The only reason to reserve additional types is
+ to increase security.
+
+3.1.3 Fingerprint
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 5]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+ The fingerprint is calculated over the public key blob as described
+ in [7].
+
+ The message-digest algorithm is presumed to produce an opaque octet
+ string output which is placed as-is in the RDATA fingerprint field.
+
+3.2 Presentation Format of the SSHFP RR
+
+ The RDATA of the presentation format of the SSHFP resource record
+ consists of two numbers (algorithm and fingerprint type) followed by
+ the fingerprint itself presented in hex, e.g:
+
+ host.example. SSHFP 2 1 123456789abcdef67890123456789abcdef67890
+
+ The use of mnemonics instead of numbers is not allowed.
+
+4. Security Considerations
+
+ Currently, the amount of trust a user can realistically place in a
+ server key is proportional to the amount of attention paid to
+ verifying that the public key presented actually corresponds to the
+ private key of the server. If a user accepts a key without verifying
+ the fingerprint with something learned through a secured channel, the
+ connection is vulnerable to a man-in-the-middle attack.
+
+ The overall security of using SSHFP for SSH host key verification is
+ dependent on the security policies of the SSH host administrator and
+ DNS zone administrator (in transferring the fingerprint), detailed
+ aspects of how verification is done in the SSH implementation, and in
+ the client's diligence in accessing the DNS in a secure manner.
+
+ One such aspect is in which order fingerprints are looked up (e.g.
+ first checking local file and then SSHFP). We note that in addition
+ to protecting the first-time transfer of host keys, SSHFP can
+ optionally be used for stronger host key protection.
+
+ If SSHFP is checked first, new SSH host keys may be distributed by
+ replacing the corresponding SSHFP in DNS.
+
+ If SSH host key verification can be configured to require SSHFP,
+ SSH host key revocation can be implemented by removing the
+ corresponding SSHFP from DNS.
+
+ As stated in Section 2.2, we recommend that SSH implementors provide
+ a policy mechanism to control the order of methods used for host key
+ verification. One specific scenario for having a configurable policy
+ is where clients use unqualified host names to connect to servers. In
+ this case, we recommend that SSH implementations check the host key
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 6]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+ against a local database before verifying the key via the fingerprint
+ returned from DNS. This would help prevent an attacker from injecting
+ a DNS search path into the local resolver and forcing the client to
+ connect to a different host.
+
+ A different approach to solve the DNS search path issue would be for
+ clients to use a trusted DNS search path, i.e., one not acquired
+ through DHCP or other autoconfiguration mechanisms. Since there is no
+ way with current DNS lookup APIs to tell whether a search path is
+ from a trusted source, the entire client system would need to be
+ configured with this trusted DNS search path.
+
+ Another dependency is on the implementation of DNSSEC itself. As
+ stated in Section 2.4, we mandate the use of secure methods for
+ lookup and that SSHFP RRs are authenticated by trusted SIG RRs. This
+ is especially important if SSHFP is to be used as a basis for host
+ key rollover and/or revocation, as described above.
+
+ Since DNSSEC only protects the integrity of the host key fingerprint
+ after it is signed by the DNS zone administrator, the fingerprint
+ must be transferred securely from the SSH host administrator to the
+ DNS zone administrator. This could be done manually between the
+ administrators or automatically using secure DNS dynamic update [11]
+ between the SSH server and the nameserver. We note that this is no
+ different from other key enrollment situations, e.g. a client sending
+ a certificate request to a certificate authority for signing.
+
+5. IANA Considerations
+
+ IANA needs to allocate a RR type code for SSHFP from the standard RR
+ type space (type 44 requested).
+
+ IANA needs to open a new registry for the SSHFP RR type for public
+ key algorithms. Defined types are:
+
+ 0 is reserved
+ 1 is RSA
+ 2 is DSA
+
+ Adding new reservations requires IETF consensus [4].
+
+ IANA needs to open a new registry for the SSHFP RR type for
+ fingerprint types. Defined types are:
+
+ 0 is reserved
+ 1 is SHA-1
+
+ Adding new reservations requires IETF consensus [4].
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 7]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+Normative References
+
+ [1] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [3] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [4] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA
+ Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
+
+ [5] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [6] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Protocol Architecture",
+ draft-ietf-secsh-architecture-14 (work in progress), July 2003.
+
+ [7] Ylonen, T., Kivinen, T., Saarinen, M., Rinne, T. and S.
+ Lehtinen, "SSH Transport Layer Protocol",
+ draft-ietf-secsh-transport-16 (work in progress), July 2003.
+
+Informational References
+
+ [8] Thayer, R., Doraswamy, N. and R. Glenn, "IP Security Document
+ Roadmap", RFC 2411, November 1998.
+
+ [9] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+ 2845, May 2000.
+
+ [10] Eastlake, D., "DNS Request and Transaction Signatures (
+ SIG(0)s)", RFC 2931, September 2000.
+
+ [11] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 8]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+Authors' Addresses
+
+ Jakob Schlyter
+ OpenSSH
+ 812 23rd Avenue SE
+ Calgary, Alberta T2G 1N8
+ Canada
+
+ EMail: jakob@openssh.com
+ URI: http://www.openssh.com/
+
+
+ Wesley Griffin
+ SPARTA
+ 7075 Samuel Morse Drive
+ Columbia, MD 21046
+ USA
+
+ EMail: wgriffin@sparta.com
+ URI: http://www.sparta.com/
+
+Appendix A. Acknowledgements
+
+ The authors gratefully acknowledge, in no particular order, the
+ contributions of the following persons:
+
+ Martin Fredriksson
+
+ Olafur Gudmundsson
+
+ Edward Lewis
+
+ Bill Sommerfeld
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 9]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 10]
+
+Internet-Draft DNS and SSH Fingerprints September 2003
+
+
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Schlyter & Griffin Expires March 5, 2004 [Page 11]
+
diff --git a/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt b/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt
new file mode 100644
index 0000000..3578d2a
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-ihren-dnsext-threshold-validation-00.txt
@@ -0,0 +1,519 @@
+
+Internet Draft Johan Ihren
+draft-ihren-dnsext-threshold-validation-00.txt Autonomica
+February 2003
+Expires in six months
+
+
+ Threshold Validation:
+
+ A Mechanism for Improved Trust and Redundancy for DNSSEC Keys
+
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+Abstract
+
+ This memo documents a proposal for a different method of validation
+ for DNSSEC aware resolvers. The key change is that by changing from
+ a model of one Key Signing Key, KSK, at a time to multiple KSKs it
+ will be possible to increase the aggregated trust in the signed
+ keys by leveraging from the trust associated with the different
+ signees.
+
+ By having multiple keys to chose from validating resolvers get the
+ opportunity to use local policy to reflect actual trust in
+ different keys. For instance, it is possible to trust a single,
+ particular key ultimately, while requiring multiple valid
+ signatures by less trusted keys for validation to succeed.
+ Furthermore, with multiple KSKs there are additional redundancy
+ benefits available since it is possible to roll over different KSKs
+ at different times which may make rollover scenarios easier to
+ manage.
+
+Contents
+
+ 1. Terminology
+ 2. Introduction and Background
+
+ 3. Trust in DNSSEC Keys
+ 3.1. Key Management, Split Keys and Trust Models
+ 3.2. Trust Expansion: Authentication versus Authorization
+
+ 4. Proposed Semantics for Signing the KEY Resource Record
+ Set
+ 4.1. Packet Size Considerations
+
+ 5. Proposed Use of Multiple "Trusted Keys" in a Validating
+ Resolver
+ 5.1. Not All Possible KSKs Need to Be Trusted
+ 5.2. Possible to do Threshold Validation
+ 5.3. Not All Trusted Keys Will Be Available
+
+ 6. Additional Benefits from Having Multiple KSKs
+ 6.1. More Robust Key Rollovers
+ 6.2. Evaluation of Multiple Key Distribution Mechanisms
+
+ 7. Security Considerations
+ 8. IANA Considerations.
+ 9. References
+ 9.1. Normative.
+ 9.2. Informative.
+ 10. Acknowledgments.
+ 11. Authors' Address
+
+
+1. Terminology
+
+ The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
+ and "MAY" in this document are to be interpreted as described in
+ RFC 2119.
+
+ The term "zone" refers to the unit of administrative control in the
+ Domain Name System. "Name server" denotes a DNS name server that is
+ authoritative (i.e. knows all there is to know) for a DNS zone,
+ typically the root zone. A "resolver", is a DNS "client", i.e. an
+ entity that sends DNS queries to authoritative nameservers and
+ interpret the results. A "validating resolver" is a resolver that
+ attempts to perform DNSSEC validation on data it retrieves by doing
+ DNS lookups.
+
+
+2. Introduction and Background
+
+ From a protocol perspective there is no real difference between
+ different keys in DNSSEC. They are all just keys. However, in
+ actual use there is lots of difference. First and foremost, most
+ DNSSEC keys have in-band verification. I.e. the keys are signed by
+ some other key, and this other key is in its turn also signed by
+ yet another key. This way a "chain of trust" is created. Such
+ chains have to end in what is referred to as a "trusted key" for
+ validation of DNS lookups to be possible.
+
+ A "trusted key" is a the public part of a key that the resolver
+ acquired by some other means than by looking it up in DNS. The
+ trusted key has to be explicitly configured.
+
+ A node in the DNS hierarchy that issues such out-of-band "trusted
+ keys" is called a "security apex" and the trusted key for that apex
+ is the ultimate source of trust for all DNS lookups within that
+ entire subtree.
+
+ DNSSEC is designed to be able to work with more than on security
+ apex. These apexes will all share the problem of how to distribute
+ their "trusted keys" in a way that provides validating resolvers
+ confidence in the distributed keys.
+
+ Maximizing that confidence is crucial to the usefulness of DNSSEC
+ and this document tries to address this issue.
+
+
+3. Trust in DNSSEC Keys
+
+ In the end the trust that a validating resolver will be able to put
+ in a key that it cannot validate within DNSSEC will have to be a
+ function of
+
+ * trust in the key issuer, aka the KSK holder
+
+ * trust in the distribution method
+
+ * trust in extra, out-of-band verification
+
+ The KSK holder needs to be trusted not to accidentally lose private
+ keys in public places. Furthermore it needs to be trusted to
+ perform correct identification of the ZSK holders in case they are
+ separate from the KSK holder itself.
+
+ The distribution mechanism can be more or less tamper-proof. If the
+ key holder publishes the public key, or perhaps just a secure
+ fingerprint of the key in a major newspaper it may be rather
+ difficult to tamper with. A key acquired that way may be easier to
+ trust than if it had just been downloaded from a web page.
+
+ Out-of-band verification can for instance be the key being signed
+ by a certificate issued by a known Certificate Authority that the
+ resolver has reason to trust.
+
+3.1. Simplicity vs Trust
+
+ The fewer keys that are in use the simpler the key management
+ becomes. Therefore increasing the number of keys should only be
+ considered when the complexity is not the major concern. A perfect
+ example of this is the distinction between so called Key Signing
+ Keys, KSK, and Zone Signing Keys, ZSK. This distinction adds
+ overall complexity but simplifies real life operations and was an
+ overall gain since operational simplification was considered to be
+ a more crucial issue than the added complexity.
+
+ In the case of a security apex there are additional issues to
+ consider, among them
+
+ * maximizing trust in the KSK received out-of-band
+
+ * authenticating the legitimacy of the ZSKs used
+
+ In some cases this will be easy, since the same entity will manage
+ both ZSKs and KSKs (i.e. it will authenticate itself, somewhat
+ similar to a self-signed certificate). In some environments it will
+ be possible to get the trusted key installed in the resolver end by
+ decree (this would seem to be a likely method within corporate and
+ government environments).
+
+ In other cases, however, this will possibly not be sufficient. In
+ the case of the root zone this is obvious, but there may well be
+ other cases.
+
+3.2. Expanding the "Trust Base"
+
+ For a security apex where the ZSKs and KSK are not held by the same
+ entity the KSK will effectively authenticate the identity of
+ whoever does real operational zone signing. The amount of trust
+ that the data signed by a ZSK will get is directly dependent on
+ whether the end resolver trusts the KSK or not, since the resolver
+ has no OOB access to the public part of the ZSKs (for practical
+ reasons).
+
+ Since the KSK holder is distinct from the ZSK holder the obvious
+ question is whether it would then be possible to further improve
+ the situation by using multiple KSK holders and thereby expanding
+ the trust base to the union of that available to each individual
+ KSK holder. "Trust base" is an invented term intended to signify
+ the aggregate of Internet resolvers that will eventually choose to
+ trust a key issued by a particular KSK holder.
+
+ A crucial issue when considering trust expansion through addition
+ of multiple KSK holders is that the KSK holders are only used to
+ authenticate the ZSKs used for signing the zone. I.e. the function
+ performed by the KSK is basically:
+
+ "This is indeed the official ZSK holder for this zone,
+ I've verified this fact to the best of my abilitites."
+
+ Which can be thought of as similar to the service of a public
+ notary. I.e. the point with adding more KSK holders is to improve
+ the public trust in data signed by the ZSK holders by improving the
+ strength of available authentication.
+
+ Therefore adding more KSK holders, each with their own trust base,
+ is by definition a good thing. More authentication is not
+ controversial. On the contrary, when it comes to authentication,
+ the more the merrier.
+
+
+4. Proposed Semantics for Signing the KEY Resource Record Set
+
+ In DNSSEC according to RFC2535 all KEY Resource Records are used to
+ sign all authoritative data in the zone, including the KEY RRset
+ itself, since RFC2535 makes no distinction between Key Signing
+ Keys, KSK, and Zone Signing Keys, ZSK. With Delegation Signer [DS]
+ it is possible to change this to the KEY RRset being signed with
+ all KSKs and ZSKs but the rest of the zone only being signed by the
+ ZSKs.
+
+ This proposal changes this one step further, by recommending that
+ the KEY RRset is only signed by the Key Signing Keys, KSK, and
+ explicitly not by the Zone Signing Keys, ZSK. The reason for this
+ is to maximize the amount of space in the DNS response packet that
+ is available for additional KSKs and signatures thereof. The rest
+ of the authoritative zone contents are as previously signed by only
+ the ZSKs.
+
+4.1. Packet Size Considerations
+
+ The reason for the change is to keep down the size of the aggregate
+ of KEY RRset plus SIG(KEY) that resolvers will need to acquire to
+ perform validation of data below a security apex. For DNSSEC data
+ to be returned the DNSSEC OK bit in the EDNS0 OPT Record has to be
+ set, and therefore the allowed packet size can be assumed to be at
+ least the EDNS0 minimum of 4000 bytes.
+
+ When querying for KEY + SIG(KEY) for "." (the case that is assumed
+ to be most crucial) the size of the response packet after the
+ change to only sign the KEY RR with the KSKs break down into a
+ rather large space of possibilities. Here are a few examples for
+ the possible alternatives for different numbers of KSKs and ZSKs
+ for some different key lengths (all RSA keys, with a public
+ exponent that is < 254). This is all based upon the size of the
+ response for the particular example of querying for
+
+ ". KEY IN"
+
+ with a response of entire KEY + SIG(KEY) with the authority and
+ additional sections empty:
+
+ ZSK/768 and KSK/1024 (real small)
+ Max 12 KSK + 3 ZSK at 3975
+ 10 KSK + 8 ZSK at 3934
+ 8 KSK + 13 ZSK at 3893
+
+ ZSK/768 + KSK/1280
+ MAX 10 KSK + 2 ZSK at 3913
+ 8 KSK + 9 ZSK at 3970
+ 6 KSK + 15 ZSK at 3914
+
+ ZSK/768 + KSK/1536
+ MAX 8 KSK + 4 ZSK at 3917
+ 7 KSK + 8 ZSK at 3938
+ 6 KSK + 12 ZSK at 3959
+
+ ZSK/768 + KSK/2048
+ MAX 6 KSK + 5 ZSK at 3936
+ 5 KSK + 10 ZSK at 3942
+
+ ZSK/1024 + KSK/1024
+ MAX 12 KSK + 2 ZSK at 3943
+ 11 KSK + 4 ZSK at 3930
+ 10 KSK + 6 ZSK at 3917
+ 8 KSK + 10 ZSK at 3891
+
+ ZSK/1024 + KSK/1536
+ MAX 8 KSK + 3 ZSK at 3900
+ 7 KSK + 6 ZSK at 3904
+ 6 KSK + 9 ZSK at 3908
+
+ ZSK/1024 + KSK/2048
+ MAX 6 KSK + 4 ZSK at 3951
+ 5 KSK + 8 ZSK at 3972
+ 4 KSK + 12 ZSK at 3993
+
+ Note that these are just examples and this document is not making
+ any recommendations on suitable choices of either key lengths nor
+ number of different keys employed at a security apex.
+
+ This document does however, based upon the above figures, make the
+ recommendation that at a security apex that expects to distribute
+ "trusted keys" the KEY RRset should only be signed with the KSKs
+ and not with the ZSKs to keep the size of the response packets
+ down.
+
+
+5. Proposed Use of Multiple "Trusted Keys" in a Validating Resolver
+
+ In DNSSEC according to RFC2535[RFC2535] validation is the process
+ of tracing a chain of signatures (and keys) upwards through the DNS
+ hierarchy until a "trusted key" is reached. If there is a known
+ trusted key present at a security apex above the starting point
+ validation becomes an exercise with a binary outcome: either the
+ validation succeeds or it fails. No intermediate states are
+ possible.
+
+ With multiple "trusted keys" (i.e. the KEY RRset for the security
+ apex signed by multiple KSKs) this changes into a more complicated
+ space of alternatives. From the perspective of complexity that may
+ be regarded as a change for the worse. However, from a perspective
+ of maximizing available trust the multiple KSKs add value to the
+ system.
+
+5.1. Possible to do Threshold Validation
+
+ With multiple KSKs a new option that opens for the security
+ concious resolver is to not trust a key individually. Instead the
+ resolver may decide to require the validated signatures to exceed a
+ threshold. For instance, given M trusted keys it is possible for
+ the resolver to require N-of-M signatures to treat the data as
+ validated.
+
+ I.e. with the following pseudo-configuration in a validating
+ resolver
+
+ security-apex "." IN {
+ keys { ksk-1 .... ;
+ ksk-2 .... ;
+ ksk-3 .... ;
+ ksk-4 .... ;
+ ksk-5 .... ;
+ };
+ validation {
+ # Note that ksk-4 is not present below
+ keys { ksk-1; ksk-2; ksk-3; ksk-5; };
+ # 3 signatures needed with 4 possible keys, aka 75%
+ needed-signatures 3;
+ };
+ };
+
+ we configure five trusted keys for the root zone, but require two
+ valid signatures for the top-most KEY for validation to
+ succeed. I.e. threshold validation does not force multiple
+ signatures on the entire signature chain, only on the top-most
+ signature, closest to the security apex for which the resolver has
+ trusted keys.
+
+5.2. Not All Trusted Keys Will Be Available
+
+ With multiple KSKs held and managed by separate entities the end
+ resolvers will not always manage to get access to all possible
+ trusted keys. In the case of just a single KSK this would be fatal
+ to validation and necessary to avoid at whatever cost. But with
+ several fully trusted keys available the resolver can decide to
+ trust several of them individually. An example based upon more
+ pseudo-configuration:
+
+ security-apex "." IN {
+ keys { ksk-1 .... ;
+ ksk-2 .... ;
+ ksk-3 .... ;
+ ksk-4 .... ;
+ ksk-5 .... ;
+ };
+ validation {
+ # Only these two keys are trusted independently
+ keys { ksk-1; ksk-4; };
+ # With these keys a single signature is sufficient
+ needed-signatures 1;
+ };
+ };
+
+ Here we have the same five keys and instruct the validating
+ resolver to fully trust data that ends up with just one signature
+ from by a fully trusted key.
+
+ The typical case where this will be useful is for the case where
+ there is a risk of the resolver not catching a rollover event by
+ one of the KSKs. By doing rollovers of different KSKs with
+ different schedules it is possible for a resolver to "survive"
+ missing a rollover without validation breaking. This improves
+ overall robustness from a management point of view.
+
+5.3. Not All Possible KSKs Need to Be Trusted
+
+ With just one key available it simply has to be trusted, since that
+ is the only option available. With multiple KSKs the validating
+ resolver immediately get the option of implementing a local policy
+ of only trusting some of the possible keys.
+
+ This local policy can be implemented either by simply not
+ configuring keys that are not trusted or, possibly, configure them
+ but specify to the resolver that certain keys are not to be
+ ultimately trusted alone.
+
+
+6. Additional Benefits from Having Multiple KSKs
+
+6.1. More Robust Key Rollovers
+
+ With only one KSK the rollover operation will be a delicate
+ operation since the new trusted key needs to reach every validating
+ resolver before the old key is retired. For this reason it is
+ expected that long periods of overlap will be needed.
+
+ With multiple KSKs this changes into a system where different
+ "series" of KSKs can have different rollover schedules, thereby
+ changing from one "big" rollover to several "smaller" rollovers.
+
+ If the resolver trusts several of the available keys individually
+ then even a failure to track a certain rollover operation within
+ the overlap period will not be fatal to validation since the other
+ available trusted keys will be sufficient.
+
+6.2. Evaluation of Multiple Key Distribution Mechanisms
+
+ Distribution of the trusted keys for the DNS root zone is
+ recognized to be a difficult problem that ...
+
+ With only one trusted key, from one single "source" to distribute
+ it will be difficult to evaluate what distribution mechanism works
+ best. With multiple KSKs, held by separate entitites it will be
+ possible to measure how large fraction of the resolver population
+ that is trusting what subsets of KSKs.
+
+
+7. Security Considerations
+
+ From a systems perspective the simplest design is arguably the
+ best, i.e. one single holder of both KSK and ZSKs. However, if that
+ is not possible in all cases a more complex scheme is needed where
+ additional trust is injected by using multiple KSK holders, each
+ contributing trust, then there are only two alternatives
+ available. The first is so called "split keys", where a single key
+ is split up among KSK holders, each contributing trust. The second
+ is the multiple KSK design outlined in this proposal.
+
+ Both these alternatives provide for threshold mechanisms. However
+ split keys makes the threshold integral to the key generating
+ mechanism (i.e. it will be a property of the keys how many
+ signatures are needed). In the case of multiple KSKs the threshold
+ validation is not a property of the keys but rather local policy in
+ the validating resolver. A benefit from this is that it is possible
+ for different resolvers to use different trust policies. Some may
+ configure threshold validation requiring multiple signatures and
+ specific keys (optimizing for security) while others may choose to
+ accept a single signature from a larger set of keys (optimizing for
+ redundancy). Since the security requirements are different it would
+ seem to be a good idea to make this choice local policy rather than
+ global policy.
+
+ Furthermore, a clear issue for validating resolvers will be how to
+ ensure that they track all rollover events for keys they
+ trust. Even with operlap during the rollover (which is clearly
+ needed) there is still a need to be exceedingly careful not to miss
+ any rollovers (or fail to acquire a new key) since without this
+ single key validation will fail. With multiple KSKs this operation
+ becomes more robust, since different KSKs may roll at different
+ times according to different rollover schedules and losing one key,
+ for whatever reason, will not be crucial unless the resolver
+ intentionally chooses to be completely dependent on that exact key.
+
+8. IANA Considerations.
+
+ NONE.
+
+
+9. References
+
+9.1. Normative.
+
+ [RFC2535] Domain Name System Security Extensions. D. Eastlake.
+ March 1999.
+
+ [RFC3090] DNS Security Extension Clarification on Zone Status.
+ E. Lewis. March 2001.
+
+
+9.2. Informative.
+
+ [RFC3110] RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System
+ (DNS). D. Eastlake 3rd. May 2001.
+
+ [RFC3225] Indicating Resolver Support of DNSSEC. D. Conrad.
+ December 2001.
+
+ [DS] Delegation Signer Resource Record.
+ O. Gudmundsson. October 2002. Work In Progress.
+
+10. Acknowledgments.
+
+ Bill Manning came up with the original idea of moving complexity
+ from the signing side down to the resolver in the form of threshold
+ validation. I've also had much appreciated help from (in no
+ particular order) Jakob Schlyter, Paul Vixie, Olafur Gudmundson and
+ Olaf Kolkman.
+
+
+11. Authors' Address
+Johan Ihren
+Autonomica AB
+Bellmansgatan 30
+SE-118 47 Stockholm, Sweden
+johani@autonomica.se
diff --git a/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt b/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt
new file mode 100644
index 0000000..d857cd9
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-kato-dnsop-local-zones-00.txt
@@ -0,0 +1,295 @@
+
+
+
+Internet Engineering Task Force Akira Kato, WIDE
+INTERNET-DRAFT Paul Vixie, ISC
+Expires: August 24, 2003 February 24, 2003
+
+
+ Operational Guidelines for "local" zones in the DNS
+ draft-kato-dnsop-local-zones-00.txt
+
+Status of this Memo
+
+
+This document is an Internet-Draft and is in full conformance with all
+provisions of Section 10 of RFC2026.
+
+Internet-Drafts are working documents of the Internet Engineering Task
+Force (IETF), its areas, and its working groups. Note that other groups
+may also distribute working documents as Internet-Drafts.
+
+Internet-Drafts are draft documents valid for a maximum of six months
+and may be updated, replaced, or obsoleted by other documents at any
+time. It is inappropriate to use Internet-Drafts as reference material
+or to cite them other than as ``work in progress.''
+
+To view the list Internet-Draft Shadow Directories, see
+http://www.ietf.org/shadow.html.
+
+Distribution of this memo is unlimited.
+
+The internet-draft will expire in 6 months. The date of expiration will
+be August 24, 2003.
+
+
+Abstract
+
+A large number of DNS queries regarding to the "local" zones are sent
+over the Internet in every second. This memo describes operational
+guidelines to reduce the unnecessary DNS traffic as well as the load of
+the Root DNS Servers.
+
+1. Introduction
+
+While it has yet been described in a RFC, .local is used to provide a
+local subspace of the DNS tree. Formal delegation process has not been
+completed for this TLD. In spite of this informal status, .local has
+been used in many installations regardless of the awareness of the
+users. Usually, the local DNS servers are not authoritative to the
+.local domain, they end up to send queries to the Root DNS Servers.
+
+There are several other DNS zones which describe the "local"
+information. .localhost has been used to describe the localhost for
+more than a couple of decades and virtually all of the DNS servers are
+configured authoritative for .localhost and its reverse zone .127.in-
+
+
+KATO Expires: August 24, 2003 [Page 1]
+
+
+DRAFT DNS local zones February 2003
+
+addr.arpa. However, there are other "local" zones currently used in the
+Internet or Intranets connected to the Internet through NATs or similar
+devices.
+
+At a DNS server of an university in Japan, half of the DNS queries sent
+to one of the 13 Root DNS Servers were regarding to the .local. At
+another DNS Server running in one of the Major ISPs in Japan, the 1/4
+were .local. If those "local" queries are able to direct other DNS
+servers than Root, or they can be resolved locally, it contributes the
+reduction of the Root DNS Servers.
+
+2. Rationale
+
+Any DNS queries regarding to "local" names should not be sent to the DNS
+servers on the Internet.
+
+3. Operational Guidelines
+
+Those queries should be processed at the DNS servers internal to each
+site so that the severs respond with NXDOMAIN rather than sending
+queries to the DNS servers outside.
+
+The "local" names have common DNS suffixes which are listed below:
+
+3.1. Local host related zones:
+
+Following two zones are described in [Barr, 1996] and .localhost is also
+defined in [Eastlake, 1999] .
+
+ o .localhost
+ o .127.in-addr.arpa
+
+
+Following two zones are for the loopback address in IPv6 [Hinden, 1998]
+. While the TLD for IPv6 reverse lookup is .arpa as defined in [Bush,
+2001] , the old TLD .int has been used for this purpose for years
+[Thomson, 1995] and many implementations still use .int. So it is
+suggested that both zones should be provided for each IPv6 reverse
+lookup zone for a while.
+
+ o 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int
+ o 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
+
+
+3.2. Locally created name space
+
+While the use of .local has been proposed in several Internet-Drafts, it
+has not been described in any Internet documents with formal status.
+However, the amount of the queries for .local is much larger than
+others, it is suggested to resolve the following zone locally:
+
+
+
+
+KATO Expires: August 24, 2003 [Page 2]
+
+
+DRAFT DNS local zones February 2003
+
+ o .local
+
+
+
+3.3. Private or site-local addresses
+
+The following IPv4 "private" addresses [Rekhter, 1996] and IPv6 site-
+local addresses [Hinden, 1998] should be resolved locally:
+
+ o 10.in-addr.arpa
+ o 16.172.in-addr.arpa
+ o 17.172.in-addr.arpa
+ o 18.172.in-addr.arpa
+ o 19.172.in-addr.arpa
+ o 20.172.in-addr.arpa
+ o 21.172.in-addr.arpa
+ o 22.172.in-addr.arpa
+ o 23.172.in-addr.arpa
+ o 24.172.in-addr.arpa
+ o 25.172.in-addr.arpa
+ o 26.172.in-addr.arpa
+ o 27.172.in-addr.arpa
+ o 28.172.in-addr.arpa
+ o 29.172.in-addr.arpa
+ o 30.172.in-addr.arpa
+ o 31.172.in-addr.arpa
+ o 168.192.in-addr.arpa
+ o c.e.f.ip6.int
+ o d.e.f.ip6.int
+ o e.e.f.ip6.int
+ o f.e.f.ip6.int
+ o c.e.f.ip6.arpa
+ o d.e.f.ip6.arpa
+ o e.e.f.ip6.arpa
+ o f.e.f.ip6.arpa
+
+
+3.4. Link-local addresses
+
+The link-local address blocks for IPv4 [IANA, 2002] and IPv6 [Hinden,
+1998] should be resolved locally:
+
+ o 254.169.in-addr.arpa
+ o 8.e.f.ip6.int
+ o 9.e.f.ip6.int
+ o a.e.f.ip6.int
+ o b.e.f.ip6.int
+ o 8.e.f.ip6.arpa
+ o 9.e.f.ip6.arpa
+ o a.e.f.ip6.arpa
+ o b.e.f.ip6.arpa
+
+
+
+KATO Expires: August 24, 2003 [Page 3]
+
+
+DRAFT DNS local zones February 2003
+
+4. Suggestions to developers
+
+4.1. Suggestions to DNS software implementors
+
+In order to avoid unnecessary traffic, it is suggested that DNS software
+implementors provide configuration templates or default configurations
+so that the names described in the previous section are resolved locally
+rather than sent to other DNS servers in the Internet.
+
+4.2. Suggestions to developers of NATs or similar devices
+
+There are many NAT or similar devices available in the market.
+Regardless of the availability of DNS Servers in those devices, it is
+suggested that those devices are able to filter the DNS traffic or
+respond to the DNS traffic related to "local" zones by configuration
+regardless of its ability of DNS service. It is suggested that this
+functionality is activated by default.
+
+5. IANA Consideration
+
+While .local TLD has yet defined officially, there are substantial
+queries to the Root DNS Servers as of writing. About 1/4 to 1/2% of the
+traffic sent to the Root DNS Servers are related to the .local zone.
+Therefore, while it is not formally defined, it is suggested that IANA
+delegates .local TLD to an organization.
+
+The AS112 Project [Vixie, ] serves authoritative DNS service for RFC1918
+address and the link-local address. It has several DNS server instances
+around the world by using BGP Anycast [Hardie, 2002] . So the AS112
+Project is one of the candidates to host the .local TLD.
+
+Authors' addresses
+
+ Akira Kato
+ The University of Tokyo, Information Technology Center
+ 2-11-16 Yayoi Bunkyo
+ Tokyo 113-8658, JAPAN
+ Tel: +81 3-5841-2750
+ Email: kato@wide.ad.jp
+
+
+ Paul Vixie
+ Internet Software Consortium
+ 950 Charter Street
+ Redwood City, CA 94063, USA
+ Tel: +1 650-779-7001
+ Email: vixie@isc.org
+
+
+
+
+
+
+
+KATO Expires: August 24, 2003 [Page 4]
+
+
+DRAFT DNS local zones February 2003
+
+References
+
+To be filled
+
+References
+
+Barr, 1996.
+D. Barr, "Common DNS Operational and Configuration Errors" in RFC1912
+(February 1996).
+
+Eastlake, 1999.
+D. Eastlake, "Reserved Top Level DNS Names" in RFC2606 (June 1999).
+
+Hinden, 1998.
+R. Hinden and S. Deering, "IP Version 6 Addressing Architecture" in
+RFC2373 (July 1998).
+
+Bush, 2001.
+R. Bush, "Delegation of IP6.ARPA" in RFC3152 (August 2001).
+
+Thomson, 1995.
+S. Thomson and C. Huitema, "DNS Extensions to support IP version 6" in
+RFC1886 (December 1995).
+
+Rekhter, 1996.
+Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, and E. Lear,
+"Address Allocation for Private Internets" in RFC1918 (February 1996).
+
+IANA, 2002.
+IANA, "Special-Use IPv4 Addresses" in RFC3330 (September 2002).
+
+Vixie, .
+P. Vixie, "AS112 Project" in AS112. http://www.as112.net/.
+
+Hardie, 2002.
+T. Hardie, "Distributing Authoritative Name Servers via Shared Unicast
+Addresses" in RFC3258 (April 2002).
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+KATO Expires: August 24, 2003 [Page 5]
+
diff --git a/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt b/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt
new file mode 100644
index 0000000..f9eaf26
--- /dev/null
+++ b/contrib/bind9/doc/draft/draft-park-ipv6-extensions-dns-pnp-00.txt
@@ -0,0 +1,1830 @@
+
+
+
+ INTERNET-DRAFT S. Daniel Park
+ Expires: October 2003 Syam Madanapalli
+ File: SAMSUNG Electronics
+ draft-park-ipv6-extensions-dns-pnp-00.txt April 2003
+
+
+
+
+ IPv6 Extensions for DNS Plug and Play
+
+
+
+ Status of This Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026.
+
+ Internet-Drafts are working documents of the Internet Engineering
+ Task Force (IETF), its areas, and its working groups. Note that
+ other groups may also distribute working documents as
+ Internet-Drafts.
+
+ Internet-Drafts are draft documents valid for a maximum of six
+ months and may be updated, replaced, or obsoleted by other
+ documents at any time. It is inappropriate to use Internet-Drafts
+ as reference material or to cite them other than as "work in
+ progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+
+
+ Abstract
+
+ This document proposes automatic configuration of domain name (FQDN)
+ for IPv6 nodes using Domain Name Auto-Configuration (called 6DNAC) as
+ a part of IPv6 plug and play feature. 6DNAC allows the automatic
+ registration of domain name and corresponding IPv6 Addresses with
+ the DNS server. In order to provide 6DNAC function, Neighbor Discovery
+ Protocol [2461] will be used. Moreover, 6DNAC does not require any
+ changes to the existing DNS system.
+
+
+ Table of Contents
+
+ 1. Introduction ............................................. 3
+ 2. Terminology .............................................. 3
+ 3. 6DNAC Design Principles .................................. 4
+ 4. 6DNAC Overview ........................................... 4
+ 5. 6DNAC Requirements ....................................... 5
+ 5.1. 6DANR Client Requirements ................................ 5
+ 5.2. 6DNAC Server Requirements ................................ 6
+
+Park & Madanapalli Expires October 2003 [Page 1]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 6. 6DNAC Messages and Option Formats ........................ 6
+ 6.1. Router Advertisement (RA) Message Format ................. 6
+ 6.2. Neighbor Solicitation (NS) Message Format ................ 7
+ 6.3. Neighbor Advertisement (NA) Message Format ............... 8
+ 6.4. Option Formats ........................................... 8
+ 6.4.1. DNS Zone Suffix Information Option Format ................ 8
+ 6.4.2. Domain Name (FQDN) Option Format ......................... 9
+ 6.4.3. Router Alert Option for 6DNAC ............................ 10
+ 7. 6DNAC Operation .......................................... 10
+ 7.1. 6DNAC Network Topology ................................... 11
+ 7.2. 6DNAC Operational Scenarios .............................. 12
+ 7.2.1. Domain Name Registration-Success Case .................... 12
+ 7.2.2. Domain Name Registration-with DupAddrDetectTransmits=2.... 14
+ 7.2.3. Domain Name Registration-Defend Case ..................... 16
+ 7.2.4. Domain Name Registration in Retry Mode ................... 19
+ 7.2.5. Domain Name Registration when DAD Fails .................. 20
+ 7.3. DNS Zone Suffix Discovery and FQDN Construction .......... 22
+ 7.3.1. Sending Router Advertisement Messages .................... 22
+ 7.3.2. Processing Router Advertisement Messages ................. 22
+ 7.3.3. FQDN Lifetime expiry ..................................... 23
+ 7.3.4. Host Naming Algorithm .................................... 23
+ 7.4. Duplicate Domain Name Detection .......................... 23
+ 7.4.1. DAD with All Nodes Multicast Address ..................... 24
+ 7.4.1.1. Sending Neighbor Solicitation Messages ................... 24
+ 7.4.1.2. Processing Neighbor Solicitation Messages ................ 24
+ 7.4.1.3. Sending Neighbor Advertisement Messages .................. 25
+ 7.4.1.4. Processing Neighbor Advertisement Messages ............... 25
+ 7.4.1.5. Pros and Cons ............................................ 25
+ 7.4.2. DAD with Router Alert Option for 6DNAC ................... 25
+ 7.4.2.1. Sending Neighbor Solicitation Messages ................... 25
+ 7.4.2.2. Processing Neighbor Solicitation Messages ................ 26
+ 7.4.2.3. Sending Neighbor Advertisement Messages .................. 26
+ 7.4.2.4. Processing Neighbor Advertisement Messages ............... 26
+ 7.4.2.5. Pros and Cons ............................................ 26
+ 7.4.3. Explicit Detection of Duplicate Domain Name .............. 26
+ 7.4.3.1. Sending Neighbor Solicitation Messages ................... 26
+ 7.4.3.2. Processing Neighbor Solicitation Messages ................ 26
+ 7.4.3.3. Sending Neighbor Advertisement Messages .................. 27
+ 7.4.3.4. Processing Neighbor Advertisement Messages ............... 27
+ 7.4.3.5. Pros and Cons ............................................ 27
+ 7.4.4. Retry Mode for Re-registering Domain Name ................ 27
+ 7.5. Domain Name Registration ................................. 27
+ 8. Security Consideration ................................... 27
+ 9. IANA Consideration ....................................... 28
+ 10. Acknowledgement .......................................... 28
+ 11. Intellectual Property .................................... 28
+ 12. Copyright ................................................ 28
+ 13. References ............................................... 29
+ 14. Author's Addresses ....................................... 30
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 2]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 1. Introduction
+
+ Today, most networks use DNS[1034][1035] for convenience. In case of
+ IPv6, DNS is more important element because of IPv6 long addresses
+ which are difficult to remember. In addition, small networks like home
+ networks using IPv6, should be able to make network easily without
+ manual configuration. Also, these small networks may not have DHCP
+ Server, DNS Server etc. that are used to configure the network. This
+ document discusses IPv6 Domain Name Auto-Configuration(6DNAC) procedure
+ for generating and registering the Domain Name and IPv6 addresses with
+ the DNS Server automatically. In order to use 6DNAC, IPv6 nodes are
+ required to implement lightweight functions specified in this document.
+ 6DNAC can be applied to all defined IPv6 unicast addresses except Link
+ local IPv6 addresses, viz: Site-local and Global addresses.
+
+ 6DNAC uses Neighbor Discovery Protocol [2461] with new additions
+ (defined in section 6) and DAD procedures for generating and
+ registering the Domain Name with the DNS server automatically.
+
+
+ 2. Terminology
+
+ 6DNAC - IPv6 Domain Name Auto Configuration. It can provide
+ IPv6 hosts with Domain Name Generation and
+ Registration automatically.
+
+ 6DNAC Client - An IPv6 node that can generate its own unique Domain
+ Name. Section 3 identifies the new requirements that
+ 6DNAC places on an IPv6 node to be a 6DNAC node.
+
+ 6DNAC Server - An IPv6 node that can collect and registrate Domain
+ Name and IPv6 addresses automatically. 6DNAC server
+ uses the information from the DAD operation messages
+ with newly defined options for the registration of the
+ Domain Name and IPv6 Addresses. Section 3 identifies
+ the new requirements that 6DNAC places on an IPv6
+ node to be a 6DNAC server. Also 6DNAC server can have
+ various other functions depending on network
+ environment and the network operator. For instance
+ 6DNAC Server can acts as a Gateway as well Home Server
+ in Home Networks.
+
+ DAD - Duplicate Address Detection (is defined [2461])
+
+ DFQDND - Duplicate Domain Name Detection
+
+ FQDN - Fully Qualified Domain Name - FQDN and Domain Name are
+ used interchangeably in this document.
+
+ NA - Neighbor Advertisement message (is defined [2461])
+
+ NS - Neighbor Solicitation message (is defined [2461])
+
+ RA - Router Advertisement message (is defined [2461])
+
+ SLAAC - Stateless Address Autoconfiguration [2462].
+
+Park & Madanapalli Expires October 2003 [Page 3]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 3. 6DNAC Design Principles
+
+ This section discusses the design principles of 6DNAC mechanism.
+
+ 1. The new procedures for plug and play DNS should not cause changes
+ to existing DNS system. 6DNAC requires lightweight functions to be
+ implemented only at the client side of the DNS system, and uses the
+ existing DDNS UPDATE [2136] to communicate with DNS Servers.
+
+ 2. Introducing a new protocol will always introduce new problems.
+ 6DNAC uses the existing protocols NDP [2461] with minor extensions
+ for generating and registering the domain name automatically
+ without defining a new protocol
+
+ 3. Reusing proven and well understood design principles/patterns
+ will always yield a robust system. 6DNAC is based on IPv6 Address
+ Auotoconfiguration principle, where routers advertise the prefix
+ and host adds the interface ID to the prefix and forms the IPv6
+ address. Domain Name (FQDN) also contains two parts: host name
+ and DNS zone suffix. Routers can advertise the DNS zone suffix
+ on a particular link in Router Advertisements (RA Messages) and
+ hosts can prefix their preferred host name to the DNS zone suffix
+ and form the fully qualified domain name. Also the detection of
+ duplicate domain name is similar to Duplicate Address Detection
+ (DAD) and can be part of DAD operation itself.
+
+
+ 4. 6DNAC Overview
+
+ 6DNAC proposes minor extensions to NDP [2461] for automatic generation
+ and registration of domain name with the DNS server. It introduces two
+ new options: DNS Zone Suffix and Fully Qualified Domain Name. DNS Zone
+ Suffix option is carried in Router Advertisement (RA) messages for
+ notifying IPv6 nodes about the valid DNS Zone Suffix on the link and
+ FQDN option in Neighbor Solicitation (NS) and Neighbor Advertisement
+ (NA) messages to detect duplicate domain name. 6DNAC consists of two
+ components: 6DNAC Client and 6DNAC Server. 6DNAC Clients generate the
+ domain name based on DNS Zone Suffix using Host Naming Algorithm (see
+ section 7.3.1) and 6DNAC Server collects and registers the DNS
+ information with the DNS Server on behalf of 6DNAC Clients.
+
+ The automatic configuration of domain name using 6DNAC consists of
+ three parts.
+
+ - DNS Zone Suffix Discovery and FQDN Construction:
+
+ IPv6 Nodes collect DNS Zone Suffix information from Router
+ Advertisements and constructs FQDN by prefixing host name to the
+ DNS Zone Suffix. The IPv6 Nodes are required to implement Host
+ Naming Algorithm for generating host part of the FQDN in the
+ absence of administrator.
+
+ Generation of node's FQDN within the node itself has advantages. Nodes
+ can provide forward and reverse name lookups independent of the DNS
+ System by sending queries directly to IPv6 nodes [NIQ]. Moreover Domain
+ Name is some thing that is owned by the node.
+
+Park & Madanapalli Expires October 2003 [Page 4]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ - Duplicate Domain Name Detection
+
+ All nodes are expected to go for DAD for all new IPv6 unicast
+ addresses, regardless of whether they are obtained through
+ stateful, stateless or manual configuration. 6DNAC uses the DAD
+ messages with new option for carrying the Domain Name along with
+ the new IPv6 Address. 6DNAC Server captures this information and
+ updates DNS Server provided that the IPv6 Address and its domain
+ name are not duplicate. If the domain name is already in use,
+ the 6DNAC server replies to the sender with FQDN Option in NA
+ message indicating that the domain name is duplicate. Then the
+ node is expected to generate another domain name using host
+ naming algorithm and go for DAD. This time the DAD is only for
+ duplicate domain name detection (DFQDND). In order to avoid
+ confusion with the normal NDP processing, the target address
+ field of the NS message must carry the unspecified address
+ in retry mode. This can be repeated depending on number of
+ retries defined by the administrator in the host naming algorithm.
+
+
+ - Domain Name Registration
+
+ 6DNAC Server detects the DNS information (IPv6 Address and
+ corresponding FQDN) from DAD/DFQDND messages and updates DNS
+ Server using existing protocol DDNS UPDATE [2136] provided that
+ the IPv6 Address and its domain name are not duplicate.
+
+ If an IPv6 Address is duplicate, the IPv6 node cannot perform
+ stateless address autoconfiguration repeatedly. Unlike IPv6 stateless
+ address autoconfiguration, 6DNAC allows the automatic configuration of
+ domain name repeatedly if the domain name is duplicate depending on
+ number of retries defined by the administrator in the host naming
+ algorithm.
+
+
+ 5. 6DNAC Requirements
+
+ Depending on the 6DNAC functionality, the IPv6 nodes implement, they
+ are called either 6DNAC Clients or 6DNAC Servers. The following
+ sections lists the requirements that the 6DNAC Client and 6DNAC server
+ must support.
+
+
+ 5.1. 6DANC Client Requirements
+
+ - 6DNAC Client must recognize and process the following NDP
+ extensions
+
+ - DNS Zone Suffix option in RA messages for generating its
+ domain name (FQDN).
+
+ - Domain Name option in NS and NA messages for detecting
+ the duplicate domain name
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 5]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ - It must generate its domain name (FQDN) based on the DNS
+ suffix that it got from the router advertisement. And it must
+ have a host naming algorithm for generating the host part of
+ the FQDN.
+
+ - If NA message is received with unspecified target address and
+ FQDN option, then the node must treat that the domain is
+ duplicate.
+
+
+ 5.2. 6DNAC Server Requirements
+
+ - 6DNAC Server must recognize and process the following NDP
+ extensions
+
+ - If the 6DNAC Server is a router on the link, then it
+ must advertise DNS Zone Suffix option in RA messages
+ for hosts to generate their domain name (FQDN).
+
+ - FQDN option in NS messages for detecting new DNS
+ information for of nodes on the link for which it
+ must update the AAAA RR and PTR RR in DNS Server.
+
+ - FQDN option in NA messages for notifying duplicate
+ domain name with unspecified target address.
+
+ - 6DNAC server must update the DNS Server (both AAAA RR and
+ PTR RR) dynamically using DDNS UPDATE [2136].
+
+ - 6DNAC server must cache this (newly detected) FQDN, Link
+ Layer Address, and IPv6 Address information, so that it can
+ decide whether it really needs to update DNS Server or not,
+ to avoid redundant updates. This information will also be
+ used for notifying the duplicate domain name.
+
+
+ 6. 6DNAC Messages and Option Formats
+
+ In order to achieve the plug and play DNS, 6DNAC proposes new
+ extensions to the NDP [2461]. This section specifies the new
+ additions to NDP messages and formats of new options.
+
+
+ 6.1. Router Advertisement (RA) Message Format
+
+ Routers send out Router Advertisement (RA) message periodically, or
+ in response to a Router Solicitation. 6DNAC does not modify the format
+ of the RA message, but proposes new option (DNS Zone Suffix Information)
+ to be carried in RA messages.
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 6]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Cur Hop Limit |M|O| Reserved | Router Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reachable Time |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Retrans Timer |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Options ... |
+ / /
+ | DNS Zone Suffix Information |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ <Figure: 1 RA message>
+
+
+
+ 6.2. Neighbor Solicitation (NS) Message Format
+
+ 6DNAC does not modify the format of the Neighbor Solicitation (NS)
+ message, but proposes new option (FQDN Option) to be carried in NS
+ messages. When a node is going for DAD, the node must include FQDN
+ option in NS message to participate in plug and play DNS. If the
+ node is going for Explicit Detection of Duplicate Domain Name, the
+ node must use FQDN option in NS message and unspecified address in
+ the target address field.
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Target Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Options ... |
+ / /
+ | Domain Name |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ <Figure: 2 NS message>
+
+Park & Madanapalli Expires October 2003 [Page 7]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 6.3. Neighbor Advertisement (NA) Message Format
+
+ 6DNAC does not modify the format of the Neighbor Advertisement (NA)
+ message, but proposes new option (FQDN Option) to be carried in NA
+ messages. 6DNAC Server sends NA message with FQDN option to 6DNAC
+ Client that is performing duplicate domain name detection in case
+ the domain name found to be duplicate.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Code | Checksum |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |R|S|O| Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + Target Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Options ... |
+ / /
+ | FQDN Option |
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ <Figure: 3 NA message>
+
+
+ 6.4 Option Formats
+
+ 6.4.1. DNS Zone Suffix Information Option Format
+
+ IPv6 nodes require DNS Zone Suffix for constructing their FQDN.
+ 6DNAC introduces new option for routers to advertise the DNS Zone
+ Suffix Information for IPv6 nodes on the link. The suffix information
+ should be configured into routers manually.
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Valid Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ / DNS Zone Suffix /
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ <Figure: 4 DNS Zone Suffix Information>
+
+Park & Madanapalli Expires October 2003 [Page 8]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ Type [TBD]
+
+ Length 8-bit unsigned integer. The length of the option
+ (including the type and length fields) in units of
+ 8 octets.
+
+ Reserved This field is unused. It must be initialized to zero
+ by the sender and must be ignored by the receiver.
+
+ Valid Life Time 32-bit signed integer. The maximum time, in
+ seconds, over which this suffix is valid. Nodes
+ should treat this as the life time for their domain
+ name. Nodes should contact the source of this
+ information before expiry of this time interval.
+ A value of all one bits (0xFFFFFFFF) represents
+ infinity.
+
+ DNS Zone Suffix The suffix part of the FQDN. The data in the DNS
+ Zone Suffix field should be encoded according to
+ DNS encoding rules specified in [1035].
+
+
+
+ 6.4.2. Domain Name (FQDN) Option Format
+
+
+ 0 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Type | Length | Reserved |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Valid Lifetime |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ + +
+ | |
+ + FQDN Target Address +
+ | |
+ + +
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ / Domain Name /
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+ <Figure: 5 FQDN Information>
+
+ Type [TBD]
+
+ Length 8-bit unsigned integer. The length of the option
+ (including the type and length fields) in units
+ of 8 octets. It must be greater than 3.
+
+
+
+Park & Madanapalli Expires October 2003 [Page 9]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ Reserved This field is unused. It must be initialized to
+ zero by the sender and must be ignored by the
+ receiver.
+
+ Valid Life Time 32-bit signed integer. The maximum time, in
+ seconds, over which this domain name is valid
+ 6DNAC should deregister this domain name at
+ the expiry of this interval. 6DNAC clients
+ should send updates by the expiry of this
+ interval. A value of all one bits (0xFFFFFFFF)
+ represents infinity.
+
+ FQDN Target Address The Address for which the FQDN maps to. It
+ should be same as Target Address field of the
+ NS message in case of DAD & duplicate FQDN are
+ running in parallel.
+
+ Domain Name The domain name (FQDN) of the node. The data in
+ the domain name should be encoded according to
+ DNS encoding rules specified in [1035].
+
+
+ 6.4.3. Router Alert Option for 6DNAC
+
+ Router Alert Option for 6DNAC is new option within the IPv6 Hop-by-Hop
+ Header for using in NDP messages. The presence of this option in NS
+ message informs the router that this NS message is carrying Domain
+ Name information and must be processed by the 6DNAC Server on the router.
+ 6DNAC Clients can use this option for sending DAD packets instead
+ of addressing the DAD packets to the all-nodes multicast address
+ when 6DNAC Server is implemented on router.
+
+ The Router Alert option has the following format:
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ |0 0 0|0 0 1 0 1|0 0 0 0 0 0 1 0| Value (2 octets) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ Length = 2
+
+ Values are registered and maintained by the IANA. For 6DNAC, the
+ value has to be assigned by IANA.
+
+ Further information about this option can be obtained from
+ IPv6 Router Alert Option [2711].
+
+
+ 7. 6DNAC Operation
+
+ 6DNAC provides mechanisms for automatic generation of domain name
+ and registering it with the DNS Server for IPv6 nodes. 6DNAC consists
+ of two components: 6DNAC Client and 6DNAC Server. All nodes that want
+ to participate in plug and play DNS are required to implement 6DNAC
+ Client functionality, and one of the IPv6 nodes is required to
+ implement 6DNAC Server functionality. The IPv6 node that implements
+ the 6DNAC Server functionality must know the location of the DNS
+ Server and must be a trusted node to send DDNS UPDATE [2136] messages.
+
+Park & Madanapalli Expires October 2003 [Page 10]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 7.1. 6DNAC Network Topology
+
+ This section identifies the possible locations for the 6DNAC Server.
+ Note that, all nodes are required to implement 6DNAC Client
+ functionality for constructing the domain name from the DNS Zone
+ Suffix Information advertised by the router. Figure 6 illustrates
+ IPv6 host (H4) implementing 6DNAC Server functionality. In this case
+ H4 can serve only one link (that it belongs to) for automatic
+ registration of domain name. H4 must observe the DAD packets on the
+ link to detect the DNS information, this requires all nodes on the
+ link must belong to same solicited node multicast address. In general,
+ this may not be the case. So the node that is going for DAD must use
+ all nodes multicast address for DAD packets, so that the 6DNAC Server
+ (H4) can observe the DAD packets, detects IPv6 address and
+ corresponding domain name, checks if this domain name is duplicate
+ and finally registers the domain name with the DNS Server.
+
+
+ 6DNAC Server
+ +---+ +---+ +----------+
+ | H1| | H4|<--- DDNS UPDATE --->|DNS Server|
+ +-+-+ +-+-+ +----+-----+
+ | | +----+ +---/
+ | | | | /
+ ---+-----+-----------+-----+-----------+ R1 +-----+
+ | | | |
+ | | +----+
+ +-+-+ +-+-+
+ | H2| | H3|
+ +---+ +---+
+
+
+ H1, H2, H3 - 6DNAC Clients
+ H4 - 6DNAC Server
+ R1 - Router
+
+
+ <Figure: 6 Example of 6DNAC Topology>
+
+
+ Figure 7 shows the 6DNAC Server implemented on a router R1. In this
+ case a single 6DNAC server can serve multiple links for automatic
+ configuration of the domain name. This topology also has flexibility
+ of using DAD packets with Router Alert option instead of sending DAD
+ packets to all nodes multicast address. The routers are required to
+ process all the packets with Router Alert option as per [2711].
+
+ In case of Home Networks, R1 is will acts as a Home Gateway (CPE)
+ connected to ISP. R1 delegates the prefix from the ISP edge router.
+ After delegating the prefix the CPE can advertise the DNS Zone suffix
+ along with the prefix information to the nodes on the links to which
+ the router is connected to. Note that the R1 must be configured with
+ the DNS Zone suffix Information manually.
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 11]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ +---+ +---+
+ | H3+ | H4|
+ +-+-+ +-+-+
+ | |
+ | LINK2 |
+ +---+ ---+--------+--+-- +----------+
+ | H1| | |DNS Server|
+ +-+-+ | +----+-----+
+ | +--+-+ -------/
+ | LINK 1 | | /
+ ---+-----+------------------+ R1 +---------+
+ | | | DDNS UPDATE
+ | +----+
+ +-+-+ 6DNAC Server
+ | H2|
+ +---+
+
+
+ H1, H2 - 6DNAC Clients on Link1
+ H3, H4 - 6DNAC Clients on Link2
+ R1 - Router with 6DNAC Server, serving both Link1 and Link2
+
+
+ <Figure: 7 Example of 6DNAC Server serving multiple links>
+
+
+ 7.2. 6DNAC Operational Scenarios
+
+ This section provides message sequence charts for various 6DNAC
+ operational scenarios assuming that the 6DNAC Server is implemented
+ on a router. All the scenarios assume that the normal boot up time
+ stateless address autoconfiguration of Link Local address derived
+ from the Interface Identifier has been completed successfully. And
+ it is also assumed that the router is already configured with the
+ DNS Zone Suffix Information.
+
+
+ Legend:
+
+ 6DNAC-A, B, C : 6DNAC Clients
+ 6DNAC-S : 6DNAC Server/Router
+ DAD : Duplicate Address Detection
+ DFQDND : Duplicate Domain Name Detection
+ DNS-S : DNS Server
+
+
+ 7.2.1. Domain Name Registration-Successful Case
+
+ This scenario starts when a 6DNAC Client receives RA message with
+ DNS Zone Suffix and other parameters including address prefix as
+ specified in NDP [2461] and wants configure its IPv6 address (Global
+ or Site Local) and domain name. It is Assumed that the
+ DupAddrDetectTransmits is set to 1.
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 12]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ +---------+ +---------+ +---------+
+ | 6DNAC-C | | 6DNAC-S | | DNS-S |
+ +----+----+ +----+----+ +----+----+
+ | | |
+ | RA with | |
+ | DNS Suffix Opt | |
+ |<---------------| |
+ | #1 | |
+ |---+ | |
+ Construct |#2 | |
+ FQDN | | |
+ |<--+ | |
+DAD/DFQDND Starts | |
+ | | |
+ | | |
+ | NS With | |
+ | FQDN Opt | |
+ |--------------->| |
+ | #3 | |
+ | | |
+ | |------+ |
+ | Create FQDN | #4 |
+ | <FQDN,C> | |
+ | |<-----+ |
+ | | |
+ | | Register FQDN |
+ | |--------------->|
+ | | #5 |
+ | #6 | |
+ |--------+ | |
+ No Response | | |
+ DFQDND-Success | | |
+ |<-------+ | |
+ | | |
+ | | |
+ v V v
+
+
+ <Figure: 8 Domain Name Generation and Registration>
+
+
+ #1. 6DNAC Server (Router) sends out router advertisement with DNS
+ Suffix information along with other parameters as specified in
+ NDP [2461].
+
+ #2. 6DNAC Client processes the router advertisement and constructs
+ the FQDN by prefixing hostname to the DNS Zone Suffix. It also
+ constructs IPv6 address from the autoconfiguration prefix
+ information option.
+
+ #3. 6DNAC Client starts duplicate address & FQDN detection for the
+ IPv6 address & FQDN constructed and sends out a Neighbor
+ Solicitation message with FQDN option.
+
+ Note that the DAD packets must be addressed to all nodes multicast
+ address if Router Alert option is not used.
+
+Park & Madanapalli Expires October 2003 [Page 13]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ #4. 6DNAC Server processes the Neighbor Solicitation message sent by
+ 6DNAC Client as part of duplicate FQDN detection procedure and
+ creates a FQDN entry in its FQDN Cache (assuming that there is no
+ entry <FQDN,C>), where C is Link Layer Address of the 6DNAC Client.
+
+ #5. 6DNAC Server then registers FQDN and corresponding IPv6 address
+ through the existing protocol DDNS UPDATE.
+
+ #6. 6DNAC Client times out and observes that there is no response to
+ defend its duplicate FQDN detection procedure and the node is
+ successful in configuring its domain name.
+
+ Note that, Stateless Address Autoconfiguration DAD procedure is not
+ depicted in the following message sequence chart, which simultaneously
+ happens along with duplicate FQDN detection.
+
+
+ 7.2.2. Domain Name Registration-with DupAddrDetectTransmits=2
+
+ This scenario starts when a 6DNAC Client receives RA message with
+ DNS Zone Suffix and other parameters including address prefix as
+ specified in NDP [2461] and wants configure its IPv6 address (Global
+ or Site Local) and domain name. The node is configured with
+ DupAddrDetectTransmits = 2 for reliability in delivering DAD messages.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 14]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ +---------+ +---------+ +---------+
+ | 6DNAC-C | | 6DNAC-S | | DNS-S |
+ +----+----+ +----+----+ +----+----+
+ | | |
+ | RA with | |
+ | DNS Suffix Opt | |
+ |<---------------| |
+ | #1 | |
+ |---+ | |
+ Construct |#2 | |
+ FQDN | | |
+ |<--+ | |
+DAD/DFQDND Starts | |
+ | | |
+ | | |
+ | NS With | |
+ | FQDN Opt | |
+ |--------------->| |
+ | #3 | |
+ | | |
+ | |------+ |
+ | Create FQDN | #4 |
+ | <FQDN,C> | |
+ | |<-----+ |
+ | | |
+ | | Register FQDN |
+ | |--------------->|
+ | | #5 |
+ | NS With | |
+ | FQDN Opt | |
+ |--------------->| |
+ | #6 | |
+ | | |
+ | Lookup FQDN |
+ | Entry exists |
+ | |------+ |
+ | Ignore | #7 |
+ | |<-----+ |
+ | #8 | |
+ |--------+ | |
+ No Response | | |
+ DFQDND-Success | | |
+ |<-------+ | |
+ | | |
+ | | |
+ v V v
+
+
+
+ <Figure: 9 Verification of duplicated Domain Name>
+
+
+ Steps from #1 to #5 are same as that of scenario.7.2.1.
+
+ #6. 6DNAC Client sends out second Neighbor Solicitation message with
+ FQDN option as part of duplicate FQDN detection.
+
+Park & Madanapalli Expires October 2003 [Page 15]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ #7. 6DNAC Server receives and observes that the FQDN Cache exactly
+ matches with that of the NS information and ignores the NS message.
+
+ #8. 6DNAC Client times out and observes that there is no response to
+ defend its duplicate FQDN detection procedure and the node is
+ successful in configuring its domain name..
+
+
+ 7.2.3. Domain Name Registration-Defend Case
+
+ This scenario starts when two 6DNAC Client receive RA message with
+ DNS Zone Suffix and other parameters including address prefix as
+ specified in NDP [2461] and both the nodes want configure their IPv6
+ address (Global or Site Local) and domain name. In this scenario both
+ the nodes want to have same domain name.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 16]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+
+ +---------+ +---------+ +---------+ +---------+
+ | 6DNAC-A | | 6DNAC-S | | 6DNAC-B | | DNS-S |
+ +----+----+ +----+----+ +----+----+ +----+----+
+ | | | |
+ | RA with | RA with | |
+ | DNS Suffix Opt | DNS Suffix Opt | |
+ |<---------------|--------------->| |
+ | #1 | #1 | |
+ |---+ | |---+ |
+ Construct | #2 | Construct | #2 |
+ FQDN | | FQDN | |
+ |<--+ | |<--+ |
+ DAD/DFQDND Starts | DAD/DFQDND Starts |
+ | | <DELAYED> |
+ | | | |
+ | NS with | | |
+ | FQDN Opt | | |
+ |--------------->| | |
+ | #3 | | |
+ | No Entry | |
+ | |------+ | |
+ | Create FQDN | #4 | |
+ | <FQDN,A> | | |
+ | |<-----+ | |
+ | | | |
+ | | Register FQDN #5 |
+ | |-------------------------------->|
+ | | | |
+ | | NS with | |
+ | | FQDN Opt | |
+ | |<---------------| |
+ | | #6 | |
+ | |------+ | |
+ | FQDN is in use| | |
+ | Defend DFQDND| #7 | |
+ | |<-----+ | |
+ | | | |
+ | | NA with | |
+ | | D-flag Set | |
+ | |--------------->| |
+ | | #8 | |
+ |------+ | |---+ |
+ No Response | #9 | Enter | #10 |
+ DFQDND Success| | Retry Mode| |
+ |<-----+ | |<--+ |
+ | | | |
+ v v v v
+
+
+ <Figure: 10 Multiple Hosts Requesting Same Domain Name>
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 17]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ #1. 6DNAC Server (Router) sends out router advertisement with DNS
+ Suffix information.
+
+ #2. 6DNAC Clients A&B process the router advertisement and construct
+ their FQDN by prefixing hostname to the DNS Zone Suffix. They
+ also construct IPv6 address from the autoconfiguration prefix
+ information option.
+
+ When each host is trying to go for DAD, all hosts must have
+ random delay to avoid the traffic congestion according to [2461].
+ So here it is assumed that 6DNAC Client-A starts DAD first and
+ 6DNAC Client-B starts DAD later.
+
+ #3. 6DNAC Client-A starts duplicate address & FQDN detection for the
+ IPv6 address & FQDN constructed and sends out a Neighbor
+ Solicitation message with FQDN option.
+
+ #4. 6DNAC Server processes the Neighbor Solicitation message sent by
+ 6DNAC Client-A as part of duplicate FQDN detection procedure and
+ creates a FQDN entry in its FQDN Cache (assuming that there is no
+ entry <FQDN,A>), where A is Link Layer Address of the 6DNAC Client-A.
+
+ #5. 6DNAC Server then registers FQDN and corresponding IPv6 address
+ through the existing protocol DDNS UPDATE.
+
+ #6. 6DNAC Client-B starts duplicate address & FQDN detection for the
+ IPv6 address & FQDN constructed and sends out a Neighbor Solicitation
+ message with FQDN option.
+
+ #7. 6DNAC Server processes the Neighbor Solicitation message sent by
+ 6DNAC Client-B as part of duplicate FQDN detection procedure and
+ finds that the domain name is already in use by the 6DNAC Client-A.
+ Hence, concludes to defend the duplicate FQDN detection of 6DNAC
+ Client-B.
+
+ #8. 6DNAC Server sends out Neighbor Advertisement message with FQDN
+ option to 6DNAC Client-B to defend its duplicate FQDN detection.
+
+ #9. 6DNAC Client-A times out and observes that there is no response to
+ defend its duplicate FQDN detection procedure and the node is
+ successful in configuring its domain name.
+
+ #10. 6DNAC Client-B observes that there is a NA with FQDN option
+ indicating that the domain name is duplicate and enters Retry
+ Mode. In retry mode, 6DNAC Client constructs another FQDN based
+ on Host Naming Algorithm. The number of retries is defined by the
+ administrator and must be a configurable value.
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 18]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ 7.2.4. Domain Name Registration in Retry Mode
+
+ Pre-Conditions:
+
+ 1. Duplicate Address Detection has succeeded
+ 2. Duplicate FQDN Detection FAILED
+ 3. FQDN is the first FQDN one constructed and FAILED
+ 4. FQDN2 is the second FQDN to be constructed
+ 5. The Neighbor Solicitation in the 'Retry Mode'
+ carries unspecified address in its target field (NS*).
+
+ +---------+ +---------+ +---------+
+ | 6DNAC-C | | 6DNAC-S | | DNS-S |
+ +----+----+ +----+----+ +----+----+
+ | | |
+ |--------+ | |
+ Construct | #1 | |
+ new FQDN2 | | |
+ |<-------+ | |
+ | | |
+ DFQDND Restarts | |
+ | | |
+ | | |
+ | NS* With | |
+ | FQDN Opt | |
+ |--------------->| |
+ | #2 | |
+ | | |
+ | No Entry |
+ | |------+ |
+ | Create FQDN | #3 |
+ | <FQDN2,C> | |
+ | |<-----+ |
+ | | |
+ | | Register FQDN2 |
+ | |--------------->|
+ | | #4 |
+ | | |
+ |--------+ | |
+ No Response | #5 | |
+ DFQDND-Success | | |
+ |<-------+ | |
+ | | |
+ v V v
+
+
+ <Figure: 11 Regeneration of Domain Name>
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 19]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ #1. 6DNAC Client constructs the FQDN again as per Host Naming Algorithm,
+ the DNS Zone Suffix, and it is FQDN2.
+ #2. It then starts Duplicate Detection only for Domain Name. 6DNAC
+ Client sends out NS with FQDN option and unspecified target
+ address.
+
+ #3. 6DNAC Server processes the Retry Mode NS message and finds that
+ the FQDN2 is not in use and creates Cache entry as <FQDN2, C>.
+
+ #4. It then starts registration procedures with the DNS Server.
+
+ #5. Meanwhile, 6DNAC Client timesout and observes that there is no
+ defending NA for its DFQDND NS sent out and successfully
+ configures its domain name.
+
+
+ 7.2.5. Domain Name Registration when DAD Fails
+
+ Duplicate domain name detection and subsequent registration starts
+ if and only if the DAD for IPv6 address succeeds. If the DAD for
+ IPv6 address fails then no actions are taken for domain name. When
+ DAD fails for stateless address autoconfiguration, then the domain
+ configuration starts only when the address has been configured using
+ Stateful Address Configuration methods and the node is going on DAD
+ for this address.
+
+ This scenario starts when a 6DNAC Client receives RA message with
+ DNS Zone Suffix and other parameters including address prefix as
+ specified in NDP [2461] and wants configure its IPv6 address (Global
+ or Site Local) and domain name.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 20]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ +---------+ +---------+ +---------+ +---------+
+ | 6DNAC-A | | 6DNAC-S | | 6DNAC-B | | DNS-S |
+ +----+----+ +----+----+ +----+----+ +----+----+
+ | | | |
+ | | | |
+ | RA with | | |
+ | DNS Suffix Opt | | |
+ |<---------------| | |
+ | #1 | | |
+ |-----+ | | |
+ Construct | | | |
+ FQDN& | #2 | | |
+ IPv6 Addr | | | |
+ |<----+ | | |
+ DAD/DFQDND Starts | | |
+ | | | |
+ | | | |
+ | NS with | | |
+ | FQDN Opt | | |
+ |--------------->+--------------->| |
+ | #3 | #3 | |
+ | No Entry | |
+ | |------+ | |
+ | Create FQDN | | |
+ | <FQDN,A> | #4 | |
+ | |<-----+ | |
+ | | | |
+ | | |------+ |
+ | | My IPv6 Addr| #5 |
+ | | |<-----+ |
+ | | Defend DAD | |
+ | | with NA | |
+ |<---------------+<---------------| |
+ | #6 | #6 | |
+ | Entry | |
+ | |------+ | |
+ | Delete FQDN | #7 | |
+ | |<-----+ | |
+ | | | |
+ |----+ | | |
+ DAD Failed | #8 | | |
+ Stop DFQDND | | | |
+ |<---+ | | |
+ | | | |
+ v v v v
+
+ <Figure: 12 DAD failure>
+
+ #1. 6DNAC Server sends out Router Advertisement to 6DNAC Client-A.
+
+ #2. 6DNAC Client-A constructs IPv6 Address based on the prefix and
+ FQDN as per Host Naming Algorithm.
+
+ #3. It then starts Duplicate address & FQDN Detection, for the newly
+ constructed IPv6 address and FQDN, and sends out DAD/DFQDND NS
+ with FQDN option.
+
+Park & Madanapalli Expires October 2003 [Page 21]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+ #4. 6DNAC Server processes the DAD/DFQDND NS message and finds
+ that there is no entry for the FQDN in its cache. And,
+ creates Cache entry as <FQDN, A> and starts a Registration
+ timer with RegistrationWaitTime seconds.
+
+ #5. 6DNAC Client-B finds that the DAD/DFQDND-NS target address is
+ in its unicast address list.
+
+ #6. It then starts defending DAD by sending NA to all-nodes multicast.
+
+ #7. 6DNAC Server finds that the DAD has failed for 6DNAC Client-A.
+ And, deletes its FQDN Cache entry <FQDN,A>.
+
+ #8. 6DNAC Client gets defending DAD-NA and desists from DAD.
+ And also, stops Duplicate FQDN Detection as well.
+ At this point the address must be configured using stateful
+ methods and the domain name registration starts with the DAD
+ for the newly constructed IPv6 address.
+
+ 7.3. DNS Zone Suffix Discovery and FQDN Construction
+
+ 7.3.1. Sending Router Advertisement Messages
+
+ Routers send out Router Advertisement message periodically,
+ or in response to a Router Solicitation. Router should include
+ the DNS Zone Suffix Option in their advertisements. If the DNS
+ Zone Suffix changes (similar to Site Renumbering), then it should
+ advertise the Old Zone Suffix with zero Valid Lifetime and New
+ Zone Suffix with proper non-zero Valid Lifetime. In any other
+ case, a router should not send this option twice in a single
+ router advertisement.
+
+ 7.3.2. Processing Router Advertisement Messages
+
+ For each DNS Zone Suffix Option in Router Advertisement,
+
+ a. 6DNAC node stores the Zone Suffix information in its local
+ database. Also, constructs FQDN as per Host Naming Algorithm.
+
+ b. If the node has not configured FQDN yet,
+
+ 1. If the node is going to perform DAD for either Site local or
+ Global Address, then it should include FQDN option to perform
+ Duplicate FQDN Detection in parallel with DAD.
+
+ 2. If the node has already got either Site local or Global
+ address, then it should send out NS with FQDN option and
+ unspecified target address to perform Duplicate FQDN
+ Detection.
+
+ c. If the node has already configured FQDN, and if the
+ advertisement carries two DNS Zone Suffix Options,
+ First DNS Zone Suffix should match with the configured FQDN
+ Suffix and its Valid Lifetime must be zero. Second DNS Zone
+
+
+
+Park & Madanapalli Expires October 2003 [Page 22]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ Suffix should have non-zero Valid Lifetime. In this case, the
+ node constructs new FQDN based on the new DNS Zone Suffix (from
+ second DNS Zone Suffix option), and perform Duplicate FQDN
+ Detection with unspecified target address. Also, it should
+ overwrite the old FQDN with the newly constructed FQDN.
+
+
+ 7.3.3. FQDN Lifetime expiry
+
+ 6DNAC Server:
+ It should delete the FQDN cache entry and should de-register from
+ the DNS Server.
+
+ 6DNAC Client:
+ It should send update to 6DNAC Server by restarting the Duplicate
+ FQDN Detection.
+
+ 7.3.4. Host Naming Algorithm
+
+ A node constructs FQDN by combining DNS Zone Suffix and the hostname
+ as depicted in the following diagram.
+
+ +------------------+----------------------------------+
+ | Host Name | Advertised Suffix |
+ +------------------+----------------------------------+
+
+ <Figure 13: Fully Qualified Domain Name format>
+
+ A node can choose Host Name using any of the following methods:
+
+ a. String form of random number generated from the Interface
+ Identifier.
+
+ b. List of configured Host Names provided by the administrator.
+
+
+ The number of retries must be specified in this algorithm in
+ case of domain name duplication.
+
+
+ 7.4. Duplicate Domain Name Detection
+
+ The procedure for detecting duplicated FQDNs uses Neighbor
+ Solicitation and Advertisement messages as described below.
+
+ If a duplicate FQDN is detected during the procedure, the
+ FQDN cannot be assigned to the node.
+
+ An FQDN on which the DFQDND Procedure is applied is said
+ to be tentative until the procedure has completed successfully.
+ A tentative FQDN is not considered "assigned to the node" in the
+ traditional sense. That is, the node must accept Neighbor
+ Advertisement message containing the tentative FQDN in the FQDN
+ Option.
+
+
+Park & Madanapalli Expires October 2003 [Page 23]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ It should also be noted that DFQDN must be performed prior to
+ registering with DNS Server to prevent multiple nodes from using
+ the same FQDN simultaneously. All the Duplicate Address Detection
+ Neighbor Solicitation messages must carry Source Link Layer Address
+ Option as specified in NDP [2461].
+
+ The detection of duplicate FQDN can be achieved through one of the
+ following three types of procedures.
+
+ 1. DAD with All Nodes Multicast Address
+ 2. DAD with Router Alert Option for 6DNAC.
+ 3. Explicit Detection of Duplicate Domain Name
+
+ Even though three solutions are listed, authors prefer only one
+ procedure to be followed in future based on further analysis and
+ comments received from others.
+
+ 7.4.1. DAD with All Nodes Multicast Address
+
+ 7.4.1.1. Sending Neighbor Solicitation Messages
+
+ 6DNAC Client sends Neighbor Solicitation Messages as part
+ of Duplicate Address Detection SLAAC [2462] with the following
+ extra information and modifications:
+
+ a. Include FQDN Option in the DAD Neighbor Solicitation Message
+ b. Destination Address is set to All Nodes Multicast Address
+
+ There may be a case where DAD has succeeded but DFQDND is in Retry
+ Mode. In such case, the Neighbor Solicitation must carry unspecified
+ address in the ICMP target address field and new domain name in FQDN
+ option to re-try the registration of the domain name.
+
+ 7.4.1.2. Processing Neighbor Solicitation Messages
+
+ 6DNAC Clients must ignore the FQDN option found in any of the
+ neighbor solicitation messages.
+
+ 6DNAC Server processes FQDN Option found in the Duplicate Address
+ Detection Neighbor Solicitation Messages as described below:
+
+ Lookup FQDN Cache for the domain name in FQDN Option.
+
+ If the entry exists and
+ i. Link Layer Address matches with SLLA option, this is the case,
+ where node has changed its IPv6 address or updating the valid
+ life time. 6DNAC Server updates its cache and also updates DNS
+ Server using DDNS-UPDATE. If there is no change in IPv6 address
+ or life time then no updates are sent to the DNS server.
+
+ ii. Link Layer Address differs with SLLA option, defend the duplicate
+ FQDN Detection by sending Neighbor Advertisement Message as
+ described in $7.4.1.3$.
+
+
+
+Park & Madanapalli Expires October 2003 [Page 24]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ else,
+ Lookup FQDN Cache for the Link Layer Address in SLLA Option.
+
+ If the entry exists, update the FQDN Cache and update DNS Server
+ using DDNS-UPDATE. This is the case, where node has changed its
+ domain name (similar to Site Re-numbering).
+
+ If then entry does not exists, then it means that this is the new
+ registration. It must create a cache entry and start Registration
+
+ timer with RegistrationWaitTime. At the expiry of the Registration
+ timer, it should update DNS Server with DDNS-UPDATE.
+
+ 7.4.1.3. Sending Neighbor Advertisement Messages
+
+ 6DNAC Server sends Neighbor Advertisement Messages as part
+ of Duplicate Address Detection SLAAC [2462] with the FQDN Option
+ in Neighbor Advertisement message to defend duplicate FQDN
+ detection.
+
+ There may be the case where defending of duplicate address detection
+ is not required but defending of FQDN is required. In such instance,
+ the defending Neighbor Advertisement must carry FQDN and unspecified
+ address in the ICMP target address field.
+
+ 7.4.1.4. Processing Neighbor Advertisement Messages
+
+ 6DNAC Server must ignore the any FQDN option found any of
+ the neighbor advertisement messages. If the Neighbor Advertisement
+ is a DAD defending, then it must delete its FQDN Cache entry created
+ on the reception of DAD Neighbor Solicitation message.
+
+ When 6DNAC Clients gets the duplicate address detection neighbor
+ advertisement messages with FQDN option set it means that its
+ duplicate FQDN detection failed and enters Retry Mode.
+
+ 7.4.1.5. Pros and Cons
+
+ The advantage of this procedure is that it does not need any
+ extension header options to be included. The disadvantage of this
+ procedure is that, it needs change in the existing DAD procedure.
+ The change is only that the DAD neighbor solicitations are to be
+ addressed to all nodes multicast address instead of solicited
+ node multicast address. The another disadvantage is that, it needs
+ the existence of Duplicate Address Detection Procedure to
+ perform duplicate FQDN detection.
+
+ 7.4.2. DAD with Router Alert Option for 6DNAC
+
+ 7.4.2.1. Sending Neighbor Solicitation Messages
+
+ 6DNAC Client sends Neighbor Solicitation Messages as part
+ of Duplicate Address Detection SLAAC [2462] with the following
+ extra information:
+
+
+Park & Madanapalli Expires October 2003 [Page 25]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ a. Include Hop-by-Hop extension Header with Router Alert Option
+ for 6DNAC as described in IPv6 Router Alert Option[2711].
+
+ b. Include FQDN Option in the DAD Neighbor Solicitation Message
+
+ 7.4.2.2. Processing Neighbor Solicitation Messages
+
+ This is same as described in $7.4.1.2$.
+
+ 7.4.2.3. Sending Neighbor Advertisement Messages
+
+ This is same as described in $7.4.1.3$.
+
+ 7.4.2.4. Processing Neighbor Advertisement Messages
+
+ This is same as described in $7.4.1.4$.
+
+ 7.4.2.5. Pros and Cons
+
+ The advantage of this procedure is that it does not disturb
+ the existing implementation and their way of processing the
+ packets. The disadvantage is that, it needs the existence
+ of Duplicate Address Detection Procedure to perform duplicate
+ FQDN detection. Another disadvantage is that this procedure
+ requires 6DNAC Server functionality to be implemented on Router.
+ However, in this case 6DNAC Server can serve multiple links.
+
+ 7.4.3. Explicit Detection of Duplicate Domain Name
+
+ In this procedure Duplicate FQDN Detection starts after completion
+ of successful Site local or Global Address configuration.
+
+ 7.4.3.1. Sending Neighbor Solicitation Messages
+
+ 6DNAC Client sends Neighbor Solicitation Messages as part
+ of Duplicate FQDN Detection with the following information:
+
+ a. Include FQDN Option in the Neighbor Solicitation Message
+
+ b. Destination Address is set to All Nodes Multicast Address
+ or uses Router Alert Option for 6DNAC, when 6DNAC Server is
+ implemented on router.
+
+ c. Target Address is set to Unspecified Address
+
+ d. Other fields are set as per DAD SLAAC [2462].
+
+ 7.4.3.2. Processing Neighbor Solicitation Messages
+
+ This is same as described in $7.4.1.2$.
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 26]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ 7.4.3.3. Sending Neighbor Advertisement Messages
+
+ This is same as described in $7.4.1.3$.
+
+ 7.4.3.4. Processing Neighbor Advertisement Messages
+
+ This is same as described in $7.4.1.4$.
+
+ 7.4.3.5. Pros and Cons
+
+ The advantage of this procedure is that it does not need the
+ existing duplicate address detection procedure. This is introduced
+ as the DAD procedure is found to be redundant in when IPv6 addresses
+ are constructed from the interface ID [DIID].
+
+ Note that, if 6DNAC Clients know the address of 6DNAC Server then
+ they can directly send DFQDND-NS to 6DNAC Server.
+
+ 7.4.4. Retry Mode for Re-registering Domain Name
+
+ In retry mode, nodes construct new FQDN as per Host Naming Algorithm.
+ Then they restart Duplicate FQDN Detection as described in $7.4.3$.
+
+
+ 7.5. Domain Name Registration
+
+ 6DNAC Server must be an authenticated to update the DNS Server.
+ 6DNAC Server must also be configured with the DNS Server
+ information.
+
+ 6DNAC Server detects the DNS information (IPv6 Address and
+ corresponding FQDN) from DAD/DFQDND messages and caches the
+ information. It also have an associated Registration Timer with
+ RegistrationWaitTime to wait for the successful completion of
+ DFQDND and update DNS Server using existing protocol DDNS UPDATE
+ [2136].
+
+
+ 8. Security Consideration
+
+ If someone wants to hijack correct Domain Name registration, they
+ could send a NS message with incorrect or same Domain Name to the
+ 6DNAC server repeatedly and server would start the Domain Name
+ registration through above mechanism, which is a security hole.
+ As described in [2461], a host can check validity of NDP messages.
+ If the NDP message include an IP Authentication Header, the message
+ authenticates correctly. For DNS UPDATE processing, secure DNS
+ Dynamic Update is described in [3007].
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 27]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ 9. IANA Consideration
+
+ Values in the Router Alert Option are registered and maintained by
+ IANA. For 6DNAC, the value has to be assigned by IANA. Also IANA is
+ required to assign the Type values for DNS Zone Suffix Information
+ option and FADN option.
+
+
+ 10. Acknowledgement
+
+ Special thanks are due to Badrinarayana N.S. and Christian Huitema for
+ many helpful suggestions and revisions.
+
+
+ 11. Intellectual Property
+
+ The following notice is copied from RFC 2026 [Bradner, 1996],
+ Section 10.4, and describes the position of the IETF concerning
+ intellectual property claims made against this document.
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use other technology described in
+
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances
+ of licenses to be made available, or the result of an attempt made
+ to obtain a general license or permission for the use of such
+ proprietary rights by implementers or users of this specification
+ can be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+ 12. Copyright
+
+ The following copyright notice is copied from RFC 2026 [Bradner,
+ 1996], Section 10.4, and describes the applicable copyright for this
+ document.
+
+ Copyright (C) The Internet Society July 12, 2001. All Rights
+ Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+
+Park & Madanapalli Expires October 2003 [Page 28]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+ 13. References
+
+ [2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [2460] Deering, S. abd R. Hinden, "Internet Protocol,
+ Version 6 (IPv6) Specification", RFC 2460,
+ December 1998.
+
+ [2461] Narten, T., Nordmark, E. and W. Simpson, "Neighbor
+ Discovery for IP version 6(IPv6)", RFC 2461, December
+ 1998.
+
+ [2462] S. Thomson and Narten T, "IPv6 Stateless Address Auto-
+ Configuration", RFC 2462, December 1998.
+
+ [2711] C. Patridge and A.Jackson, "IPv6 Router Alert Option",
+ RFC 2711, October 1999.
+
+ [1034] P. Mockapetris, "DOMAIN NAMES - CONCEPTS AND
+ FACILITIES", RFC 1034, November 1987.
+
+ [1035] P. Mockapetris, "Domain Names - Implementation and
+ Specification" RFC 1035, November 1987.
+
+ [2136] P. Vixie et al., "Dynamic Updates in the Domain Name
+ System (DNS UPDATE)", RFC2136, April 1997.
+
+ [3007] B. Wellington, "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+
+
+Park & Madanapalli Expires October 2003 [Page 29]
+
+INTERNET-DRAFT IPv6 Extensions for DNS Plug and Play April 2003
+
+
+ [DIID] yokohama-dad-vs-diid.pdf
+ at http://playground.sun.com/ipng/presentations/July2002/
+
+ [DNSISSUES] Durand, A., "IPv6 DNS transition issues", draft-ietf-
+ dnsop-ipv6-dns-issues-00.txt, work in progress.
+
+ [PREFIX] S. Miyakawa, R. Droms, "Requirements for IPv6 prefix
+ delegation", draft-ietf-ipv6-prefix-delegation-
+ requirement-01.txt, work in progress.
+
+ [Autoreg] H. Kitamura, "Domain Name Auto-Registration for
+ Plugged-in IPv6 Nodes", draft-ietf-dnsext-ipv6-name-
+ auto-reg-00.txt, work in progress.
+
+ [NIQ] Matt Crawford, "IPv6 Node Information Queries", <draft-
+ ietf-ipngwg-icmp-name-lookups-09.txt>, work in progress.
+
+
+ 14. Author's Addresses
+
+ Soohong Daniel Park
+ Mobile Platform Laboratory, SAMSUNG Electronics, KOREA
+ Phone: +82-31-200-3728
+ Email:soohong.park@samsung.com
+
+ Syam Madanapalli
+ Network Systems Division, SAMSUNG India Software Operations, INDIA
+ Phone: +91-80-5550555
+ Email:syam@samsung.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Park & Madanapalli Expires October 2003 [Page 30]
diff --git a/contrib/bind9/doc/draft/update b/contrib/bind9/doc/draft/update
new file mode 100644
index 0000000..6ac2090
--- /dev/null
+++ b/contrib/bind9/doc/draft/update
@@ -0,0 +1,46 @@
+#!/bin/sh
+commit=
+for i
+do
+ z=`expr "$i" : 'http://www.ietf.org/internet-drafts/\(.*\)'`
+ if test -n "$z"
+ then
+ i="$z"
+ fi
+ if test -f "$i"
+ then
+ continue
+ fi
+ pat=`echo "$i" | sed 's/...txt/??.txt/'`
+ old=`echo $pat 2> /dev/null`
+ if test "X$old" != "X$pat"
+ then
+ newer=0
+ for j in $old
+ do
+ if test $j ">" $i
+ then
+ newer=1
+ fi
+ done
+ if test $newer = 1
+ then
+ continue;
+ fi
+ fi
+ if fetch "http://www.ietf.org/internet-drafts/$i"
+ then
+ cvs add "$i"
+ if test "X$old" != "X$pat"
+ then
+ rm $old
+ cvs delete $old
+ commit="$commit $old"
+ fi
+ commit="$commit $i"
+ fi
+done
+if test -n "$commit"
+then
+ cvs commit -m "new draft" $commit
+fi
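Review bot: The downloaded draft is committed with no integrity check or review step. `fetch "http://www.ietf.org/internet-drafts/$i"` uses plain HTTP, and a successful download goes straight to `cvs add "$i"` and then the final `cvs commit -m "new draft" $commit`, so content altered in transit would enter the tree unreviewed. Fetching over TLS where the server offers it, and printing the `$commit` list for the operator to commit by hand, would close that gap. Separately, `$old` is the unquoted glob expansion of a pattern built from the command-line argument and is passed as-is to `rm $old` and `cvs delete $old`. Writing `rm -f -- $old` keeps a name that begins with `-` from being parsed as an option, though names containing whitespace would still be split.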
diff --git a/contrib/bind9/doc/misc/Makefile.in b/contrib/bind9/doc/misc/Makefile.in
new file mode 100644
index 0000000..81f13be
--- /dev/null
+++ b/contrib/bind9/doc/misc/Makefile.in
@@ -0,0 +1,36 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.12.3 2004/03/08 09:04:25 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_RULES@
+
+PERL = @PERL@
+
+MANOBJS = options
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f options
+
+options: ../../bin/tests/cfg_test
+ ../../bin/tests/cfg_test --named --grammar | \
+ ${PERL} ${srcdir}/format-options.pl >options || \
+ rm -f options
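Review bot: The `|| rm -f options` fallback in the `options` recipe turns a failed generation into a successful one. When the pipeline fails, `rm -f` succeeds, the recipe exits 0, and make treats `options` as built even though the file has just been deleted. The pipeline's exit status is also that of `${PERL}` alone, so a failing `../../bin/tests/cfg_test` can leave a truncated `options` that looks up to date. Propagating the failure fixes the first problem, for example `${PERL} ${srcdir}/format-options.pl >options || { rm -f options; exit 1; }`. Writing to a temporary file and renaming it onto `options` only on success would cover the second.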
diff --git a/contrib/bind9/doc/misc/dnssec b/contrib/bind9/doc/misc/dnssec
new file mode 100644
index 0000000..79d91cf
--- /dev/null
+++ b/contrib/bind9/doc/misc/dnssec
@@ -0,0 +1,84 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000-2002 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+DNSSEC Release Notes
+
+This document summarizes the state of the DNSSEC implementation in
+this release of BIND9.
+
+
+OpenSSL Library Required
+
+To support DNSSEC, BIND 9 must be linked with version 0.9.6e or newer of
+the OpenSSL library. As of BIND 9.2, the library is no longer
+included in the distribution - it must be provided by the operating
+system or installed separately.
+
+To build BIND 9 with OpenSSL, use "configure --with-openssl". If
+the OpenSSL library is installed in a nonstandard location, you can
+specify a path as in "configure --with-openssl=/var".
+
+
+Key Generation and Signing
+
+The tools for generating DNSSEC keys and signatures are now in the
+bin/dnssec directory. Documentation for these programs can be found
+in doc/arm/Bv9ARM.4.html and the man pages.
+
+The random data used in generating DNSSEC keys and signatures comes
+from either /dev/random (if the OS supports it) or keyboard input.
+Alternatively, a device or file containing entropy/random data can be
+specified.
+
+
+Serving Secure Zones
+
+When acting as an authoritative name server, BIND9 includes KEY, SIG
+and NXT records in responses as specified in RFC2535 when the request
+has the DO flag set in the query.
+
+
+Secure Resolution
+
+Basic support for validation of DNSSEC signatures in responses has
+been implemented but should still be considered experimental.
+
+When acting as a caching name server, BIND9 is capable of performing
+basic DNSSEC validation of positive as well as nonexistence responses.
+This functionality is enabled by including a "trusted-keys" clause
+in the configuration file, containing the top-level zone key of the
+the DNSSEC tree.
+
+Validation of wildcard responses is not currently supported. In
+particular, a "name does not exist" response will validate
+successfully even if it does not contain the NXT records to prove the
+nonexistence of a matching wildcard.
+
+Proof of insecure status for insecure zones delegated from secure
+zones works when the zones are completely insecure. Privately
+secured zones delegated from secure zones will not work in all cases,
+such as when the privately secured zone is served by the same server
+as an ancestor (but not parent) zone.
+
+Handling of the CD bit in queries is now fully implemented. Validation
+is not attempted for recursive queries if CD is set.
+
+
+Secure Dynamic Update
+
+Dynamic update of secure zones has been implemented, but may not be
+complete. Affected NXT and SIG records are updated by the server when
+an update occurs. Advanced access control is possible using the
+"update-policy" statement in the zone definition.
+
+
+Secure Zone Transfers
+
+BIND 9 does not implement the zone transfer security mechanisms of
+RFC2535 section 5.6, and we have no plans to implement them in the
+future as we consider them inferior to the use of TSIG or SIG(0) to
+ensure the integrity of zone transfers.
+
+
+$Id: dnssec,v 1.14.2.6.4.4 2004/03/08 09:04:25 marka Exp $
diff --git a/contrib/bind9/doc/misc/format-options.pl b/contrib/bind9/doc/misc/format-options.pl
new file mode 100644
index 0000000..5f0975a
--- /dev/null
+++ b/contrib/bind9/doc/misc/format-options.pl
@@ -0,0 +1,36 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: format-options.pl,v 1.1.206.1 2004/03/06 13:16:19 marka Exp $
+
+print <<END;
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+END
+
+# Break long lines
+while (<>) {
+ s/\t/ /g;
+ if (length >= 79) {
+ m!^( *)!;
+ my $indent = $1;
+ s!^(.{0,75}) (.*)$!\1\n$indent \2!;
+ }
+ print;
+}
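Review bot: The `if (length >= 79)` block inside the `while (<>)` loop breaks a line only once, so everything after the first break is printed on a single continuation line however long it is. doc/misc/options, added later in this commit with the same banner text, appears to be this script's output and still has continuation lines well past 79 columns (the `dual-stack-servers` and `masters` entries). Repeating the break until the remainder fits, and stopping when only indentation is left of the break point, fixes that; the sketch below also uses named variables instead of the sed-style `\1`/`\2`. Whitespace on this page looks collapsed, so take the tab expansion and the continuation padding from the original file.

```perl
while (<>) {
	# … unchanged: tab expansion …
	my ($indent) = m!^( *)!;
	while (length($_) >= 79) {
		my ($head, $tail) = m!^(.{0,75}) (.*)$! or last;
		# Only indentation left of the break: nothing useful to split off.
		last unless $head =~ /\S/;
		print "$head\n";
		$_ = "$indent    $tail\n";	# padding as in the original replacement
	}
	print;
}
```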
diff --git a/contrib/bind9/doc/misc/ipv6 b/contrib/bind9/doc/misc/ipv6
new file mode 100644
index 0000000..dd96cd2
--- /dev/null
+++ b/contrib/bind9/doc/misc/ipv6
@@ -0,0 +1,113 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Currently, there are multiple interesting problems with ipv6
+implementations on various platforms. These problems range from not
+being able to use ipv6 with bind9 (or in particular the ISC socket
+library, contained in libisc) to listen-on lists not being respected,
+to strange warnings but seemingly correct behavior of named.
+
+COMPILE-TIME ISSUES
+-------------------
+
+The socket library requires a certain level of support from the
+operating system. In particular, it must follow the advanced ipv6
+socket API to be usable. The systems which do not follow this will
+currently not get any warnings or errors, but ipv6 will simply not
+function on them.
+
+These systems currently include, but are not limited to:
+
+ AIX 3.4 (with ipv6 patches)
+
+
+RUN-TIME ISSUES
+---------------
+
+In the original drafts of the ipv6 RFC documents, binding an ipv6
+socket to the ipv6 wildcard address would also cause the socket to
+accept ipv4 connections and datagrams. When an ipv4 packet is
+received on these systems, it is mapped into an ipv6 address. For
+example, 1.2.3.4 would be mapped into ::ffff:1.2.3.4. The intent of
+this mapping was to make transition from an ipv4-only application into
+ipv6 easier, by only requiring one socket to be open on a given port.
+
+Later, it was discovered that this was generally a bad idea. For one,
+many firewalls will block connection to 1.2.3.4, but will let through
+::ffff:1.2.3.4. This, of course, is bad. Also, access control lists
+written to accept only ipv4 addresses were suddenly ignored unless
+they were rewritten to handle the ipv6 mapped addresses as well.
+
+Partly because of these problems, the latest IPv6 API introduces an
+explicit knob (the "IPV6_V6ONLY" socket option ) to turn off the ipv6
+mapped address usage.
+
+In bind9, we first check if both the advanced API and the IPV6_V6ONLY
+socket option are available. If both of them are available, bind9
+named will bind to the ipv6 wildcard port for both TCP and UDP.
+Otherwise named will make a warning and try to bind to all available
+ipv6 addresses separately.
+
+In any case, bind9 named binds to specific addresses for ipv4 sockets.
+
+The followings are historical notes when we always bound to the ipv6
+wildcard port regardless of the availability of the API support.
+These problems should not happen with the closer checks above.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail
+---------------------------------------------------------------
+
+The only OS which seems to do this is (some kernel versions of) linux.
+If an ipv6 socket is bound to the ipv6 wildcard socket, and a specific
+ipv4 socket is later bound (say, to 1.2.3.4 port 53) the ipv4 binding
+will fail.
+
+What this means to bind9 is that the application will log warnings
+about being unable to bind to a socket because the address is already
+in use. Since the ipv6 socket will accept ipv4 packets and map them,
+however, the ipv4 addresses continue to function.
+
+The effect is that the config file listen-on directive will not be
+respected on these systems.
+
+
+IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed
+----------------------------------------------------------------
+
+In this case, the system allows opening an ipv6 wildcard address
+socket and then binding to a more specific ipv4 address later. An
+example of this type of system is Digital Unix with ipv6 patches
+applied.
+
+What this means to bind9 is that the application will respect
+listen-on in regards to ipv4 sockets, but it will use mapped ipv6
+addresses for any that do not match the listen-on list. This, in
+effect, makes listen-on useless for these machines as well.
+
+
+IPV6 Sockets Do Not Accept IPV4
+-------------------------------
+
+On these systems, opening an IPV6 socket does not implicitly open any
+ipv4 sockets. An example of these systems are NetBSD-current with the
+latest KAME patch, and other systems which use the latest KAME patches
+as their ipv6 implementation.
+
+On these systems, listen-on is fully functional, as the ipv6 socket
+only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4
+packets.
+
+
+RELEVANT RFCs
+-------------
+
+3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
+
+3493: Basic Socket Interface Extensions for IPv6
+
+3542: Advanced Sockets Application Program Interface (API) for IPv6
+
+
+$Id: ipv6,v 1.5.206.4 2004/08/10 04:28:15 jinmei Exp $
diff --git a/contrib/bind9/doc/misc/migration b/contrib/bind9/doc/misc/migration
new file mode 100644
index 0000000..97b645a
--- /dev/null
+++ b/contrib/bind9/doc/misc/migration
@@ -0,0 +1,246 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+ BIND 8 to BIND 9 Migration Notes
+
+BIND 9 is designed to be mostly upwards compatible with BIND 8, but
+there is still a number of caveats you should be aware of when
+upgrading an existing BIND 8 installation to use BIND 9.
+
+
+1. Configuration File Compatibility
+
+1.1. Unimplemented Options and Changed Defaults
+
+BIND 9 supports most, but not all of the named.conf options of BIND 8.
+For a complete list of implemented options, see doc/misc/options.
+
+If your named.conf file uses an unimplemented option, named will log a
+warning message. A message is also logged about each option whose
+default has changed unless the option is set explicitly in named.conf.
+
+The default of the "transfer-format" option has changed from
+"one-answer" to "many-answers". If you have slave servers that do not
+understand the many-answers zone transfer format (e.g., BIND 4.9.5 or
+older) you need to explicitly specify "transfer-format one-answer;" in
+either the options block or a server statement.
+
+1.2. Handling of Configuration File Errors
+
+In BIND 9, named refuses to start if it detects an error in
+named.conf. Earlier versions would start despite errors, causing the
+server to run with a partial configuration. Errors detected during
+subsequent reloads do not cause the server to exit.
+
+Errors in master files do not cause the server to exit, but they
+do cause the zone not to load.
+
+1.3. Logging
+
+The set of logging categories in BIND 9 is different from that
+in BIND 8. If you have customised your logging on a per-category
+basis, you need to modify your logging statement to use the
+new categories.
+
+Another difference is that the "logging" statement only takes effect
+after the entire named.conf file has been read. This means that when
+the server starts up, any messages about errors in the configuration
+file are always logged to the default destination (syslog) when the
+server first starts up, regardless of the contents of the "logging"
+statement. In BIND 8, the new logging configuration took effect
+immediately after the "logging" statement was read.
+
+1.4. Notify messages and Refresh queries
+
+The source address and port for these is now controlled by
+"notify-source" and "transfer-source", respectively, rather that
+query-source as in BIND 8.
+
+1.5. Multiple Classes.
+
+Multiple classes have to be put into explicit views for each class.
+
+
+2. Zone File Compatibility
+
+2.1. Strict RFC1035 Interpretation of TTLs in Zone Files
+
+BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding
+omitted TTLs in zone files. Omitted TTLs are replaced by the value
+specified with the $TTL directive, or by the previous explicit TTL if
+there is no $TTL directive.
+
+If there is no $TTL directive and the first RR in the file does not
+have an explicit TTL field, the zone file is illegal according to
+RFC1035 since the TTL of the first RR is undefined. Unfortunately,
+BIND 4 and many versions of BIND 8 accept such files without warning
+and use the value of the SOA MINTTL field as a default for missing TTL
+values.
+
+BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2
+emulates the nonstandard BIND 4/8 SOA MINTTL behaviour and loads the
+files anyway (provided the SOA is the first record in the file), but
+will issue the warning message "no TTL specified; using SOA MINTTL
+instead".
+
+To avoid problems, we recommend that you use a $TTL directive in each
+zone file.
+
+2.2. Periods in SOA Serial Numbers Deprecated
+
+Some versions of BIND allow SOA serial numbers with an embedded
+period, like "3.002", and convert them into integers in a rather
+unintuitive way. This feature is not supported by BIND 9; serial
+numbers must be integers.
+
+2.3. Handling of Unbalanced Quotes
+
+TXT records with unbalanced quotes, like 'host TXT "foo', were not
+treated as errors in some versions of BIND. If your zone files
+contain such records, you will get potentially confusing error
+messages like "unexpected end of file" because BIND 9 will interpret
+everything up to the next quote character as a literal string.
+
+2.4. Handling of Line Breaks
+
+Some versions of BIND accept RRs containing line breaks that are not
+properly quoted with parentheses, like the following SOA:
+
+ @ IN SOA ns.example. hostmaster.example.
+ ( 1 3600 1800 1814400 3600 )
+
+This is not legal master file syntax and will be treated as an error
+by BIND 9. The fix is to move the opening parenthesis to the first
+line.
+
+2.5. Unimplemented BIND 8 Extensions
+
+$GENERATE: The "$$" construct for getting a literal $ into a domain
+name is deprecated. Use \$ instead.
+
+
+3. Interoperability Impact of New Protocol Features
+
+3.1. EDNS0
+
+BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It
+also sets an EDNS flag bit in queries to indicate that it wishes to
+receive DNSSEC responses; this flag bit usage is not yet standardised,
+but we hope it will be.
+
+Most older servers that do not support EDNS0, including prior versions
+of BIND, will send a FORMERR or NOTIMP response to these queries.
+When this happens, BIND 9 will automatically retry the query without
+EDNS0.
+
+Unfortunately, there exists at least one non-BIND name server
+implementation that silently ignores these queries instead of sending
+an error response. Resolving names in zones where all or most
+authoritative servers use this server will be very slow or fail
+completely. We have contacted the manufacturer of the name server in
+case, and they are working on a solution.
+
+When BIND 9 communicates with a server that does support EDNS0, such as
+another BIND 9 server, responses of up to 4096 bytes may be
+transmitted as a single UDP datagram which is subject to fragmentation
+at the IP level. If a firewall incorrectly drops IP fragments, it can
+cause resolution to slow down dramatically or fail.
+
+3.2. Zone Transfers
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
+
+Zone transfers to Windows 2000 DNS servers sometimes fail due to a
+bug in the Windows 2000 DNS server where DNS messages larger than
+16K are not handled properly. Obtain the latest service pack for
+Windows 2000 from Microsoft to address this issue. In the meantime,
+the problem can be worked around by setting "transfer-format one-answer;".
+http://support.microsoft.com/default.aspx?scid=kb;en-us;297936
+
+4. Unrestricted Character Set
+
+BIND 9 does not restrict the character set of domain names - it is
+fully 8-bit clean in accordance with RFC2181 section 11.
+
+It is strongly recommended that hostnames published in the DNS follow
+the RFC952 rules, but BIND 9 will not enforce this restriction.
+
+Historically, some applications have suffered from security flaws
+where data originating from the network, such as names returned by
+gethostbyaddr(), are used with insufficient checking and may cause a
+breach of security when containing unexpected characters; see
+<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html>
+for details. Some earlier versions of BIND attempt to protect these
+flawed applications from attack by discarding data containing
+characters deemed inappropriate in host names or mail addresses, under
+the control of the "check-names" option in named.conf and/or "options
+no-check-names" in resolv.conf. BIND 9 provides no such protection;
+if applications with these flaws are still being used, they should
+be upgraded.
+
+
+5. Server Administration Tools
+
+5.1 Ndc Replaced by Rndc
+
+The "ndc" program has been replaced by "rndc", which is capable of
+remote operation. Unlike ndc, rndc requires a configuration file.
+The easiest way to generate a configuration file is to run
+"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8),
+and rndc.conf(5) for details.
+
+5.2. Nsupdate Differences
+
+The BIND 8 implementation of nsupdate had an undocumented feature
+where an update request would be broken down into multiple requests
+based upon the discovered zones that contained the records. This
+behaviour has not been implemented in BIND 9. Each update request
+must pertain to a single zone, but it is still possible to do multiple
+updates in a single invocation of nsupdate by terminating each update
+with an empty line or a "send" command.
+
+
+6. No Information Leakage between Zones
+
+BIND 9 stores the authoritative data for each zone in a separate data
+structure, as recommended in RFC1035 and as required by DNSSEC and
+IXFR. When a BIND 9 server is authoritative for both a child zone and
+its parent, it will have two distinct sets of NS records at the
+delegation point: the authoritative NS records at the child's apex,
+and a set of glue NS records in the parent.
+
+BIND 8 was unable to properly distinguish between these two sets of NS
+records and would "leak" the child's NS records into the parent,
+effectively causing the parent zone to be silently modified: responses
+and zone transfers from the parent contained the child's NS records
+rather than the glue configured into the parent (if any). In the case
+of children of type "stub", this behaviour was documented as a feature,
+allowing the glue NS records to be omitted from the parent
+configuration.
+
+Sites that were relying on this BIND 8 behaviour need to add any
+omitted glue NS records, and any necessary glue A records, to the
+parent zone.
+
+Although stub zones can no longer be used as a mechanism for injecting
+NS records into their parent zones, they are still useful as a way of
+directing queries for a given domain to a particular set of name
+servers.
+
+
+7. Umask not Modified
+
+The BIND 8 named unconditionally sets the umask to 022. BIND 9 does
+not; the umask inherited from the parent process remains in effect.
+This may cause files created by named, such as journal files, to be
+created with different file permissions than they did in BIND 8. If
+necessary, the umask should be set explicitly in the script used to
+start the named process.
+
+
+$Id: migration,v 1.37.2.3.2.2 2004/03/06 13:16:19 marka Exp $
diff --git a/contrib/bind9/doc/misc/migration-4to9 b/contrib/bind9/doc/misc/migration-4to9
new file mode 100644
index 0000000..fa75bac
--- /dev/null
+++ b/contrib/bind9/doc/misc/migration-4to9
@@ -0,0 +1,57 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: migration-4to9,v 1.3.206.1 2004/03/06 13:16:19 marka Exp $
+
+ BIND 4 to BIND 9 Migration Notes
+
+To transition from BIND 4 to BIND 9 you first need to convert your
+configuration file to the new format. There is a conversion tool in
+contrib/named-bootconf that allows you to do this.
+
+ named-bootconf.sh < /etc/named.boot > /etc/named.conf
+
+BIND 9 uses a system assigned port for the UDP queries it makes rather
+than port 53 that BIND 4 uses. This may conflict with some firewalls.
+The following directives in /etc/named.conf allows you to specify
+a port to use.
+
+ query-source address * port 53;
+ transfer-source * port 53;
+ notify-source * port 53;
+
+BIND 9 no longer uses the minimum field to specify the TTL of records
+without a explicit TTL. Use the $TTL directive to specify a default TTL
+before the first record without a explicit TTL.
+
+ $TTL 3600
+ @ IN SOA ns1.example.com. hostmaster.example.com. (
+ 2001021100
+ 7200
+ 1200
+ 3600000
+ 7200 )
+
+BIND 9 does not support multiple CNAMEs with the same owner name.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. CNAME host2.example.com.
+
+BIND 9 does not support "CNAMEs with other data" with the same owner name,
+ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support.
+
+ Illegal:
+ www.example.com. CNAME host1.example.com.
+ www.example.com. MX 10 host2.example.com.
+
+BIND 9 is less tolerant of errors in master files, so check your logs and
+fix any errors reported. The named-checkzone program can also be to check
+master files.
+
+Outgoing zone transfers now use the "many-answers" format by default.
+This format is not understood by certain old versions of BIND 4.
+You can work around this problem using the option "transfer-format
+one-answer;", but since these old versions all have known security
+problems, the correct fix is to upgrade the slave servers.
diff --git a/contrib/bind9/doc/misc/options b/contrib/bind9/doc/misc/options
new file mode 100644
index 0000000..f77e494
--- /dev/null
+++ b/contrib/bind9/doc/misc/options
@@ -0,0 +1,384 @@
+
+This is a summary of the named.conf options supported by
+this version of BIND 9.
+
+options {
+ avoid-v4-udp-ports { <port>; ... };
+ avoid-v6-udp-ports { <port>; ... };
+ blackhole { <address_match_element>; ... };
+ coresize <size>;
+ datasize <size>;
+ deallocate-on-exit <boolean>; // obsolete
+ directory <quoted_string>;
+ dump-file <quoted_string>;
+ fake-iquery <boolean>; // obsolete
+ files <size>;
+ has-old-clients <boolean>; // obsolete
+ heartbeat-interval <integer>;
+ host-statistics <boolean>; // not implemented
+ hostname ( <quoted_string> | none );
+ interface-interval <integer>;
+ listen-on [ port <integer> ] { <address_match_element>; ... };
+ listen-on-v6 [ port <integer> ] { <address_match_element>; ... };
+ match-mapped-addresses <boolean>;
+ memstatistics-file <quoted_string>;
+ multiple-cnames <boolean>; // obsolete
+ named-xfer <quoted_string>; // obsolete
+ pid-file ( <quoted_string> | none );
+ port <integer>;
+ querylog <boolean>;
+ recursing-file <quoted_string>;
+ random-device <quoted_string>;
+ recursive-clients <integer>;
+ serial-queries <integer>; // obsolete
+ serial-query-rate <integer>;
+ server-id ( <quoted_string> | none |;
+ stacksize <size>;
+ statistics-file <quoted_string>;
+ statistics-interval <integer>; // not yet implemented
+ tcp-clients <integer>;
+ tcp-listen-queue <integer>;
+ tkey-dhkey <quoted_string> <integer>;
+ tkey-gssapi-credential <quoted_string>;
+ tkey-domain <quoted_string>;
+ transfers-per-ns <integer>;
+ transfers-in <integer>;
+ transfers-out <integer>;
+ treat-cr-as-space <boolean>; // obsolete
+ use-id-pool <boolean>; // obsolete
+ use-ixfr <boolean>;
+ version ( <quoted_string> | none );
+ allow-recursion { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ sortlist { <address_match_element>; ... };
+ topology { <address_match_element>; ... }; // not implemented
+ auth-nxdomain <boolean>; // default changed
+ minimal-responses <boolean>;
+ recursion <boolean>;
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ provide-ixfr <boolean>;
+ request-ixfr <boolean>;
+ fetch-glue <boolean>; // obsolete
+ rfc2308-type1 <boolean>; // not yet implemented
+ additional-from-auth <boolean>;
+ additional-from-cache <boolean>;
+ query-source <querysource4>;
+ query-source-v6 <querysource6>;
+ cleaning-interval <integer>;
+ min-roots <integer>; // not implemented
+ lame-ttl <integer>;
+ max-ncache-ttl <integer>;
+ max-cache-ttl <integer>;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size <size_no_default>;
+ check-names ( master | slave | response ) ( fail | warn | ignore );
+ cache-file <quoted_string>;
+ suppress-initial-notify <boolean>; // not yet implemented
+ preferred-glue <string>;
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
+ <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
+ edns-udp-size <integer>;
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ disable-algorithms <string> { <string>; ... };
+ dnssec-enable <boolean>;
+ dnssec-lookaside <string> trust-anchor <string>;
+ dnssec-must-be-secure <string> <boolean>;
+ allow-query { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-notify { <address_match_element>; ... };
+ notify <notifytype>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
+ ) [ port <integer> ]; ... };
+ dialup <dialuptype>;
+ forward ( first | only );
+ forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
+ [ port <integer> ]; ... };
+ ixfr-from-differences <boolean>;
+ maintain-ixfr-base <boolean>; // obsolete
+ max-ixfr-log-size <size>; // obsolete
+ max-journal-size <size_no_default>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-retry-time <integer>;
+ min-retry-time <integer>;
+ max-refresh-time <integer>;
+ min-refresh-time <integer>;
+ multi-master <boolean>;
+ sig-validity-interval <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics <boolean>;
+ key-directory <quoted_string>;
+};
+
+controls {
+ inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
+ ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ];
+ unix <unsupported>; // not implemented
+};
+
+acl <string> { <address_match_element>; ... };
+
+masters <string> [ port <integer> ] { ( <masters> | <ipv4_address> [port
+ <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
+
+logging {
+ channel <string> {
+ file <log_file>;
+ syslog <optional_facility>;
+ null;
+ stderr;
+ severity <log_severity>;
+ print-time <boolean>;
+ print-severity <boolean>;
+ print-category <boolean>;
+ };
+ category <string> { <string>; ... };
+};
+
+view <string> <optional_class> {
+ match-clients { <address_match_element>; ... };
+ match-destinations { <address_match_element>; ... };
+ match-recursive-only <boolean>;
+ key <string> {
+ algorithm <string>;
+ secret <string>;
+ };
+ zone <string> <optional_class> {
+ type ( master | slave | stub | hint | forward |
+ delegation-only );
+ allow-update { <address_match_element>; ... };
+ file <quoted_string>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-tmp-file <quoted_string>; // obsolete
+ masters [ port <integer> ] { ( <masters> | <ipv4_address>
+ [port <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
+ pubkey <integer> <integer> <integer> <quoted_string>; //
+ obsolete
+ update-policy { ( grant | deny ) <string> ( name |
+ subdomain | wildcard | self ) <string> <rrtypelist>; ... };
+ database <string>;
+ delegation-only <boolean>;
+ check-names ( fail | warn | ignore );
+ allow-query { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-notify { <address_match_element>; ... };
+ notify <notifytype>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | *
+ ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
+ | * ) ];
+ also-notify [ port <integer> ] { ( <ipv4_address> |
+ <ipv6_address> ) [ port <integer> ]; ... };
+ dialup <dialuptype>;
+ forward ( first | only );
+ forwarders [ port <integer> ] { ( <ipv4_address> |
+ <ipv6_address> ) [ port <integer> ]; ... };
+ ixfr-from-differences <boolean>;
+ maintain-ixfr-base <boolean>; // obsolete
+ max-ixfr-log-size <size>; // obsolete
+ max-journal-size <size_no_default>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-retry-time <integer>;
+ min-retry-time <integer>;
+ max-refresh-time <integer>;
+ min-refresh-time <integer>;
+ multi-master <boolean>;
+ sig-validity-interval <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ];
+ alt-transfer-source ( <ipv4_address> | * ) [ port (
+ <integer> | * ) ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics <boolean>;
+ key-directory <quoted_string>;
+ };
+ server <netaddr> {
+ bogus <boolean>;
+ provide-ixfr <boolean>;
+ request-ixfr <boolean>;
+ support-ixfr <boolean>; // obsolete
+ transfers <integer>;
+ transfer-format ( many-answers | one-answer );
+ keys <server_key>;
+ edns <boolean>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
+ * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port (
+ <integer> | * ) ];
+ };
+ trusted-keys { <string> <integer> <integer> <integer>
+ <quoted_string>; ... };
+ allow-recursion { <address_match_element>; ... };
+ allow-v6-synthesis { <address_match_element>; ... }; // obsolete
+ sortlist { <address_match_element>; ... };
+ topology { <address_match_element>; ... }; // not implemented
+ auth-nxdomain <boolean>; // default changed
+ minimal-responses <boolean>;
+ recursion <boolean>;
+ rrset-order { [ class <string> ] [ type <string> ] [ name
+ <quoted_string> ] <string> <string>; ... };
+ provide-ixfr <boolean>;
+ request-ixfr <boolean>;
+ fetch-glue <boolean>; // obsolete
+ rfc2308-type1 <boolean>; // not yet implemented
+ additional-from-auth <boolean>;
+ additional-from-cache <boolean>;
+ query-source <querysource4>;
+ query-source-v6 <querysource6>;
+ cleaning-interval <integer>;
+ min-roots <integer>; // not implemented
+ lame-ttl <integer>;
+ max-ncache-ttl <integer>;
+ max-cache-ttl <integer>;
+ transfer-format ( many-answers | one-answer );
+ max-cache-size <size_no_default>;
+ check-names ( master | slave | response ) ( fail | warn | ignore );
+ cache-file <quoted_string>;
+ suppress-initial-notify <boolean>; // not yet implemented
+ preferred-glue <string>;
+ dual-stack-servers [ port <integer> ] { ( <quoted_string> [port
+ <integer>] | <ipv4_address> [port <integer>] | <ipv6_address> [port <integer>] ); ... };
+ edns-udp-size <integer>;
+ root-delegation-only [ exclude { <quoted_string>; ... } ];
+ disable-algorithms <string> { <string>; ... };
+ dnssec-enable <boolean>;
+ dnssec-lookaside <string> trust-anchor <string>;
+ dnssec-must-be-secure <string> <boolean>;
+ allow-query { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-notify { <address_match_element>; ... };
+ notify <notifytype>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
+ ) [ port <integer> ]; ... };
+ dialup <dialuptype>;
+ forward ( first | only );
+ forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
+ [ port <integer> ]; ... };
+ ixfr-from-differences <boolean>;
+ maintain-ixfr-base <boolean>; // obsolete
+ max-ixfr-log-size <size>; // obsolete
+ max-journal-size <size_no_default>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-retry-time <integer>;
+ min-retry-time <integer>;
+ max-refresh-time <integer>;
+ min-refresh-time <integer>;
+ multi-master <boolean>;
+ sig-validity-interval <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics <boolean>;
+ key-directory <quoted_string>;
+};
+
+lwres {
+ listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
+ [ port <integer> ]; ... };
+ view <string> <optional_class>;
+ search { <string>; ... };
+ ndots <integer>;
+};
+
+key <string> {
+ algorithm <string>;
+ secret <string>;
+};
+
+zone <string> <optional_class> {
+ type ( master | slave | stub | hint | forward | delegation-only );
+ allow-update { <address_match_element>; ... };
+ file <quoted_string>;
+ ixfr-base <quoted_string>; // obsolete
+ ixfr-tmp-file <quoted_string>; // obsolete
+ masters [ port <integer> ] { ( <masters> | <ipv4_address> [port
+ <integer>] | <ipv6_address> [port <integer>] ) [ key <string> ]; ... };
+ pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
+ update-policy { ( grant | deny ) <string> ( name | subdomain |
+ wildcard | self ) <string> <rrtypelist>; ... };
+ database <string>;
+ delegation-only <boolean>;
+ check-names ( fail | warn | ignore );
+ allow-query { <address_match_element>; ... };
+ allow-transfer { <address_match_element>; ... };
+ allow-update-forwarding { <address_match_element>; ... };
+ allow-notify { <address_match_element>; ... };
+ notify <notifytype>;
+ notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address>
+ ) [ port <integer> ]; ... };
+ dialup <dialuptype>;
+ forward ( first | only );
+ forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> )
+ [ port <integer> ]; ... };
+ ixfr-from-differences <boolean>;
+ maintain-ixfr-base <boolean>; // obsolete
+ max-ixfr-log-size <size>; // obsolete
+ max-journal-size <size_no_default>;
+ max-transfer-time-in <integer>;
+ max-transfer-time-out <integer>;
+ max-transfer-idle-in <integer>;
+ max-transfer-idle-out <integer>;
+ max-retry-time <integer>;
+ min-retry-time <integer>;
+ max-refresh-time <integer>;
+ min-refresh-time <integer>;
+ multi-master <boolean>;
+ sig-validity-interval <integer>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+ alt-transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * )
+ ];
+ alt-transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> |
+ * ) ];
+ use-alt-transfer-source <boolean>;
+ zone-statistics <boolean>;
+ key-directory <quoted_string>;
+};
+
+server <netaddr> {
+ bogus <boolean>;
+ provide-ixfr <boolean>;
+ request-ixfr <boolean>;
+ support-ixfr <boolean>; // obsolete
+ transfers <integer>;
+ transfer-format ( many-answers | one-answer );
+ keys <server_key>;
+ edns <boolean>;
+ transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
+ transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+};
+
+trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
+
diff --git a/contrib/bind9/doc/misc/rfc-compliance b/contrib/bind9/doc/misc/rfc-compliance
new file mode 100644
index 0000000..6a3fac1
--- /dev/null
+++ b/contrib/bind9/doc/misc/rfc-compliance
@@ -0,0 +1,62 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: rfc-compliance,v 1.3.206.1 2004/03/06 13:16:20 marka Exp $
+
+BIND 9 is striving for strict compliance with IETF standards. We
+believe this release of BIND 9 complies with the following RFCs, with
+the caveats and exceptions listed in the numbered notes below. Note
+that a number of these RFCs do not have the status of Internet
+standards but are proposed or draft standards, experimental RFCs,
+or Best Current Practice (BCP) documents.
+
+ RFC1034
+ RFC1035 [1] [2]
+ RFC1123
+ RFC1183
+ RFC1535
+ RFC1536
+ RFC1706
+ RFC1712
+ RFC1750
+ RFC1876
+ RFC1982
+ RFC1995
+ RFC1996
+ RFC2136
+ RFC2163
+ RFC2181
+ RFC2230
+ RFC2308
+ RFC2535 [3] [4]
+ RFC2536
+ RFC2537
+ RFC2538
+ RFC2539
+ RFC2671
+ RFC2672
+ RFC2673
+ RFC2782
+ RFC2915
+ RFC2930
+ RFC2931 [5]
+ RFC3007
+
+
+[1] Queries to zones that have failed to load return SERVFAIL rather
+than a non-authoritative response. This is considered a feature.
+
+[2] CLASS ANY queries are not supported. This is considered a feature.
+
+[3] Wildcard records are not supported in DNSSEC secure zones.
+
+[4] Servers authoritative for secure zones being resolved by BIND 9
+must support EDNS0 (RFC2671), and must return all relevant SIGs and
+NXTs in responses rather than relying on the resolving server to
+perform separate queries for missing SIGs and NXTs.
+
+[5] When receiving a query signed with a SIG(0), the server will only
+be able to verify the signature if it has the key in its local
+authoritative data; it will not do recursion or validation to
+retrieve unknown keys.
diff --git a/contrib/bind9/doc/misc/roadmap b/contrib/bind9/doc/misc/roadmap
new file mode 100644
index 0000000..72021b8
--- /dev/null
+++ b/contrib/bind9/doc/misc/roadmap
@@ -0,0 +1,47 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: roadmap,v 1.1.206.1 2004/03/06 13:16:20 marka Exp $
+
+Road Map to the BIND 9 Source Tree
+
+bin/named The name server. This relies heavily on the
+ libraries in lib/isc and lib/dns.
+ client.c Handling of incoming client requests
+ query.c Query processing
+bin/rndc The remote name daemon control program
+bin/dig The "dig" program
+bin/dnssec The DNSSEC signer and other DNSSEC tools
+bin/nsupdate The "nsupdate" program
+bin/tests Test suites and miscellaneous test programs
+bin/tests/system System tests; see bin/tests/system/README
+lib/dns The DNS library
+ resolver.c The "full resolver" (performs recursive lookups)
+ validator.c The DNSSEC validator
+ db.c The database interface
+ sdb.c The simple database interface
+ rbtdb.c The red-black tree database
+lib/dns/rdata Routines for handling the various RR types
+lib/dns/sec Cryptographic libraries for DNSSEC
+lib/isc The ISC library
+ task.c Task library
+ unix/socket.c Unix implementation of socket library
+lib/isccfg Routines for reading and writing ISC-style
+ configuration files like named.conf and rndc.conf
+lib/isccc The command channel library, used by rndc.
+lib/tests Support code for the test suites.
+lib/lwres The lightweight resolver library.
+doc/draft Current internet-drafts pertaining to the DNS
+doc/rfc RFCs pertaining to the DNS
+doc/misc Miscellaneous documentation
+doc/arm The BIND 9 Administrator Reference Manual
+doc/man Man pages
+contrib Contributed and other auxiliary code
+contrib/idn/mdnkit The multilingual domain name evaluation kit
+contrib/sdb Sample drivers for the simple database interface
+make Makefile fragments, used by configure
+
+The library interfaces are mainly documented in the form of comments
+in the header files. For example, the task subsystem is documented in
+lib/isc/include/isc/task.h
diff --git a/contrib/bind9/doc/misc/sdb b/contrib/bind9/doc/misc/sdb
new file mode 100644
index 0000000..0de0ab8
--- /dev/null
+++ b/contrib/bind9/doc/misc/sdb
@@ -0,0 +1,169 @@
+Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2000, 2001 Internet Software Consortium.
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+Using the BIND 9 Simplified Database Interface
+
+This document describes the care and feeding of the BIND 9 Simplified
+Database Interface, which allows you to extend BIND 9 with new ways
+of obtaining the data that is published as DNS zones.
+
+
+The Original BIND 9 Database Interface
+
+BIND 9 has a well-defined "back-end database interface" that makes it
+possible to replace the component of the name server responsible for
+the storage and retrieval of zone data, called the "database", on a
+per-zone basis. The default database is an in-memory, red-black-tree
+data structure commonly referred to as "rbtdb", but it is possible to
+write drivers to support any number of alternative database
+technologies such as in-memory hash tables, application specific
+persistent on-disk databases, object databases, or relational
+databases.
+
+The original BIND 9 database interface defined in <dns/db.h> is
+designed to efficiently support the full set of database functionality
+needed by a name server that implements the complete DNS protocols,
+including features such as zone transfers, dynamic update, and DNSSEC.
+Each of these aspects of name server operations places its own set of
+demands on the data store, with the result that the database API is
+quite complex and contains operations that are highly specific to the
+DNS. For example, data are stored in a binary format, the name space
+is tree structured, and sets of data records are conceptually
+associated with DNSSEC signature sets. For these reasons, writing a
+driver using this interface is a highly nontrivial undertaking.
+
+
+The Simplified Database Interface
+
+Many BIND users wish to provide access to various data sources through
+the DNS, but are not necessarily interested in completely replacing
+the in-memory "rbt" database or in supporting features like dynamic
+update, DNSSEC, or even zone transfers.
+
+Often, all you want is limited, read-only DNS access to an existing
+system. For example, you may have an existing relational database
+containing hostname/address mappings and wish to provide forvard and
+reverse DNS lookups based on this information. Or perhaps you want to
+set up a simple DNS-based load balancing system where the name server
+answers queries about a single DNS name with a dynamically changing
+set of A records.
+
+BIND 9.1 introduced a new, simplified database interface, or "sdb",
+which greatly simplifies the writing of drivers for these kinds of
+applications.
+
+
+The sdb Driver
+
+An sdb driver is an object module, typically written in C, which is
+linked into the name server and registers itself with the sdb
+subsystem. It provides a set of callback functions, which also serve
+to advertise its capabilities. When the name server receives DNS
+queries, invokes the callback functions to obtain the data to respond
+with.
+
+Unlike the full database interface, the sdb interface represents all
+domain names and resource records as ASCII text.
+
+
+Writing an sdb Driver
+
+When a driver is registered, it specifies its name, a list of callback
+functions, and flags.
+
+The flags specify whether the driver wants to use relative domain
+names where possible.
+
+The callback functions are as follows. The only one that must be
+defined is lookup().
+
+ - create(zone, argc, argv, driverdata, dbdata)
+ Create a database object for "zone".
+
+ - destroy(zone, driverdata, dbdata)
+ Destroy the database object for "zone".
+
+ - lookup(zone, name, dbdata, lookup)
+ Return all the records at the domain name "name".
+
+ - authority(zone, dbdata, lookup)
+ Return the SOA and NS records at the zone apex.
+
+ - allnodes(zone, dbdata, allnodes)
+ Return all data in the zone, for zone transfers.
+
+For more detail about these functions and their parameters, see
+bind9/lib/dns/include/dns/sdb.h. For example drivers, see
+bind9/contrib/sdb.
+
+
+Rebuilding the Server
+
+The driver module and header file must be copied to (or linked into)
+the bind9/bin/named and bind9/bin/named/include directories
+respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS
+lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver,
+add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If
+the driver needs additional header files or libraries in nonstandard
+places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be
+updated.
+
+Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers,
+e.g. timedb_init() and timedb_clear() for the timedb sample sdb
+driver) must be inserted into the server, in bind9/bin/named/main.c.
+Registration should be in setup(), before the call to
+ns_server_create(). Unregistration should be in cleanup(),
+after the call to ns_server_destroy(). A #include should be added
+corresponding to the driver header file.
+
+You should try doing this with one or more of the sample drivers
+before attempting to write a driver of your own.
+
+
+Configuring the Server
+
+To make a zone use a new database driver, specify a "database" option
+in its "zone" statement in named.conf. For example, if the driver
+registers itself under the name "acmedb", you might say
+
+ zone "foo.com" {
+ database "acmedb";
+ };
+
+You can pass arbitrary arguments to the create() function of the
+driver by adding any number of whitespace-separated words after the
+driver name:
+
+ zone "foo.com" {
+ database "acmedb -mode sql -connect 10.0.0.1";
+ };
+
+
+Hints for Driver Writers
+
+ - If a driver is generating data on the fly, it probably should
+ not implement the allnodes() function, since a zone transfer
+ will not be meaningful. The allnodes() function is more relevant
+ with data from a database.
+
+ - The authority() function is necessary if and only if the lookup()
+ function will not add SOA and NS records at the zone apex. If
+ SOA and NS records are provided by the lookup() function,
+ the authority() function should be NULL.
+
+ - When a driver is registered, an opaque object can be provided. This
+ object is passed into the database create() and destroy() functions.
+
+ - When a database is created, an opaque object can be created that
+ is associated with that database. This object is passed into the
+ lookup(), authority(), and allnodes() functions, and is
+ destroyed by the destroy() function.
+
+
+Future Directions
+
+A future release may support dynamic loading of sdb drivers.
+
+
+$Id: sdb,v 1.5.206.1 2004/03/06 13:16:20 marka Exp $
diff --git a/contrib/bind9/doc/rfc/index b/contrib/bind9/doc/rfc/index
new file mode 100644
index 0000000..fb72ccc
--- /dev/null
+++ b/contrib/bind9/doc/rfc/index
@@ -0,0 +1,94 @@
+ 952: DOD INTERNET HOST TABLE SPECIFICATION
+1032: DOMAIN ADMINISTRATORS GUIDE
+1033: DOMAIN ADMINISTRATORS OPERATIONS GUIDE
+1034: DOMAIN NAMES - CONCEPTS AND FACILITIES
+1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+1101: DNS Encoding of Network Names and Other Types
+1122: Requirements for Internet Hosts -- Communication Layers
+1123: Requirements for Internet Hosts -- Application and Support
+1183: New DNS RR Definitions (AFSDB, RP, X25, ISDN and RT)
+1348: DNS NSAP RRs
+1535: A Security Problem and Proposed Correction
+ With Widely Deployed DNS Software
+1536: Common DNS Implementation Errors and Suggested Fixes
+1537: Common DNS Data File Configuration Errors
+1591: Domain Name System Structure and Delegation
+1611: DNS Server MIB Extensions
+1612: DNS Resolver MIB Extensions
+1706: DNS NSAP Resource Records
+1712: DNS Encoding of Geographical Location
+1750: Randomness Recommendations for Security
+1876: A Means for Expressing Location Information in the Domain Name System
+1886: DNS Extensions to support IP version 6
+1982: Serial Number Arithmetic
+1995: Incremental Zone Transfer in DNS
+1996: A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+2052: A DNS RR for specifying the location of services (DNS SRV)
+2104: HMAC: Keyed-Hashing for Message Authentication
+2119: Key words for use in RFCs to Indicate Requirement Levels
+2133: Basic Socket Interface Extensions for IPv6
+2136: Dynamic Updates in the Domain Name System (DNS UPDATE)
+2137: Secure Domain Name System Dynamic Update
+2163: Using the Internet DNS to Distribute MIXER
+ Conformant Global Address Mapping (MCGAM)
+2168: Resolution of Uniform Resource Identifiers using the Domain Name System
+2181: Clarifications to the DNS Specification
+2230: Key Exchange Delegation Record for the DNS
+2308: Negative Caching of DNS Queries (DNS NCACHE)
+2317: Classless IN-ADDR.ARPA delegation
+2373: IP Version 6 Addressing Architecture
+2374: An IPv6 Aggregatable Global Unicast Address Format
+2375: IPv6 Multicast Address Assignments
+2418: IETF Working Group Guidelines and Procedures
+2535: Domain Name System Security Extensions
+2536: DSA KEYs and SIGs in the Domain Name System (DNS)
+2537: RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
+2538: Storing Certificates in the Domain Name System (DNS)
+2539: Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
+2540: Detached Domain Name System (DNS) Information
+2541: DNS Security Operational Considerations
+2553: Basic Socket Interface Extensions for IPv6
+2671: Extension Mechanisms for DNS (EDNS0)
+2672: Non-Terminal DNS Name Redirection
+2673: Binary Labels in the Domain Name System
+2782: A DNS RR for specifying the location of services (DNS SRV)
+2825: A Tangled Web: Issues of I18N, Domain Names, and the
+ Other Internet protocols
+2826: IAB Technical Comment on the Unique DNS Root
+2845: Secret Key Transaction Authentication for DNS (TSIG)
+2874: DNS Extensions to Support IPv6 Address Aggregation and Renumbering
+2915: The Naming Authority Pointer (NAPTR) DNS Resource Record
+2929: Domain Name System (DNS) IANA Considerations
+2930: Secret Key Establishment for DNS (TKEY RR)
+2931: DNS Request and Transaction Signatures ( SIG(0)s )
+3007: Secure Domain Name System (DNS) Dynamic Update
+3008: Domain Name System Security (DNSSEC) Signing Authority
+3071: Reflections on the DNS, RFC 1591, and Categories of Domains
+3090: DNS Security Extension Clarification on Zone Status
+3110: RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
+3123: A DNS RR Type for Lists of Address Prefixes (APL RR)
+3152: Delegation of IP6.ARPA
+3197: Applicability Statement for DNS MIB Extensions
+3225: Indicating Resolver Support of DNSSEC
+3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements
+3258: Distributing Authoritative Name Servers via Shared Unicast Addresses
+3363: Representing Internet Protocol version 6 (IPv6)
+ Addresses in the Domain Name System (DNS)
+3364: Tradeoffs in Domain Name System (DNS) Support
+ for Internet Protocol version 6 (IPv6)
+3390: Internationalizing Domain Names In Applications (IDNA)
+3425: Obsoleting IQUERY
+3445: Limiting the Scope of the KEY Resource Record (RR)
+3491: Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
+3492: Punycode:A Bootstring encoding of Unicode for
+ Internationalized Domain Names in Applications (IDNA)
+3493: Basic Socket Interface Extensions for IPv6
+3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
+3596: DNS Extensions to Support IP Version 6
+3597: Handling of Unknown DNS Resource Record (RR) Types
+3645: Generic Security Service Algorithm for
+ Secret Key Transaction Authentication for DNS (GSS-TSIG)
+3655: Redefinition of DNS Authenticated Data (AD) bit
+3658: Delegation Signer (DS) Resource Record (RR)
+3833: Threat Analysis of the Domain Name System (DNS)
+3845: DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
diff --git a/contrib/bind9/doc/rfc/rfc1032.txt b/contrib/bind9/doc/rfc/rfc1032.txt
new file mode 100644
index 0000000..0e82721
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1032.txt
@@ -0,0 +1,781 @@
+Network Working Group M. Stahl
+Request for Comments: 1032 SRI International
+ November 1987
+
+
+ DOMAIN ADMINISTRATORS GUIDE
+
+
+STATUS OF THIS MEMO
+
+ This memo describes procedures for registering a domain with the
+ Network Information Center (NIC) of Defense Data Network (DDN), and
+ offers guidelines on the establishment and administration of a domain
+ in accordance with the requirements specified in RFC-920. It is
+ intended for use by domain administrators. This memo should be used
+ in conjunction with RFC-920, which is an official policy statement of
+ the Internet Activities Board (IAB) and the Defense Advanced Research
+ Projects Agency (DARPA). Distribution of this memo is unlimited.
+
+BACKGROUND
+
+ Domains are administrative entities that provide decentralized
+ management of host naming and addressing. The domain-naming system
+ is distributed and hierarchical.
+
+ The NIC is designated by the Defense Communications Agency (DCA) to
+ provide registry services for the domain-naming system on the DDN and
+ DARPA portions of the Internet.
+
+ As registrar of top-level and second-level domains, as well as
+ administrator of the root domain name servers on behalf of DARPA and
+ DDN, the NIC is responsible for maintaining the root server zone
+ files and their binary equivalents. In addition, the NIC is
+ responsible for administering the top-level domains of "ARPA," "COM,"
+ "EDU," "ORG," "GOV," and "MIL" on behalf of DCA and DARPA until it
+ becomes feasible for other appropriate organizations to assume those
+ responsibilities.
+
+ It is recommended that the guidelines described in this document be
+ used by domain administrators in the establishment and control of
+ second-level domains.
+
+THE DOMAIN ADMINISTRATOR
+
+ The role of the domain administrator (DA) is that of coordinator,
+ manager, and technician. If his domain is established at the second
+ level or lower in the tree, the DA must register by interacting with
+ the management of the domain directly above his, making certain that
+
+
+
+Stahl [Page 1]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ his domain satisfies all the requirements of the administration under
+ which his domain would be situated. To find out who has authority
+ over the name space he wishes to join, the DA can ask the NIC
+ Hostmaster. Information on contacts for the top-level and second-
+ level domains can also be found on line in the file NETINFO:DOMAIN-
+ CONTACTS.TXT, which is available from the NIC via anonymous FTP.
+
+ The DA should be technically competent; he should understand the
+ concepts and procedures for operating a domain server, as described
+ in RFC-1034, and make sure that the service provided is reliable and
+ uninterrupted. It is his responsibility or that of his delegate to
+ ensure that the data will be current at all times. As a manager, the
+ DA must be able to handle complaints about service provided by his
+ domain name server. He must be aware of the behavior of the hosts in
+ his domain, and take prompt action on reports of problems, such as
+ protocol violations or other serious misbehavior. The administrator
+ of a domain must be a responsible person who has the authority to
+ either enforce these actions himself or delegate them to someone
+ else.
+
+ Name assignments within a domain are controlled by the DA, who should
+ verify that names are unique within his domain and that they conform
+ to standard naming conventions. He furnishes access to names and
+ name-related information to users both inside and outside his domain.
+ He should work closely with the personnel he has designated as the
+ "technical and zone" contacts for his domain, for many administrative
+ decisions will be made on the basis of input from these people.
+
+THE DOMAIN TECHNICAL AND ZONE CONTACT
+
+ A zone consists of those contiguous parts of the domain tree for
+ which a domain server has complete information and over which it has
+ authority. A domain server may be authoritative for more than one
+ zone. The domain technical/zone contact is the person who tends to
+ the technical aspects of maintaining the domain's name server and
+ resolver software, and database files. He keeps the name server
+ running, and interacts with technical people in other domains and
+ zones to solve problems that affect his zone.
+
+POLICIES
+
+ Domain or host name choices and the allocation of domain name space
+ are considered to be local matters. In the event of conflicts, it is
+ the policy of the NIC not to get involved in local disputes or in the
+ local decision-making process. The NIC will not act as referee in
+ disputes over such matters as who has the "right" to register a
+ particular top-level or second-level domain for an organization. The
+ NIC considers this a private local matter that must be settled among
+
+
+
+Stahl [Page 2]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ the parties involved prior to their commencing the registration
+ process with the NIC. Therefore, it is assumed that the responsible
+ person for a domain will have resolved any local conflicts among the
+ members of his domain before registering that domain with the NIC.
+ The NIC will give guidance, if requested, by answering specific
+ technical questions, but will not provide arbitration in disputes at
+ the local level. This policy is also in keeping with the distributed
+ hierarchical nature of the domain-naming system in that it helps to
+ distribute the tasks of solving problems and handling questions.
+
+ Naming conventions for hosts should follow the rules specified in
+ RFC-952. From a technical standpoint, domain names can be very long.
+ Each segment of a domain name may contain up to 64 characters, but
+ the NIC strongly advises DAs to choose names that are 12 characters
+ or fewer, because behind every domain system there is a human being
+ who must keep track of the names, addresses, contacts, and other data
+ in a database. The longer the name, the more likely the data
+ maintainer is to make a mistake. Users also will appreciate shorter
+ names. Most people agree that short names are easier to remember and
+ type; most domain names registered so far are 12 characters or fewer.
+
+ Domain name assignments are made on a first-come-first-served basis.
+ The NIC has chosen not to register individual hosts directly under
+ the top-level domains it administers. One advantage of the domain
+ naming system is that administration and data maintenance can be
+ delegated down a hierarchical tree. Registration of hosts at the
+ same level in the tree as a second-level domain would dilute the
+ usefulness of this feature. In addition, the administrator of a
+ domain is responsible for the actions of hosts within his domain. We
+ would not want to find ourselves in the awkward position of policing
+ the actions of individual hosts. Rather, the subdomains registered
+ under these top-level domains retain the responsibility for this
+ function.
+
+ Countries that wish to be registered as top-level domains are
+ required to name themselves after the two-letter country code listed
+ in the international standard ISO-3166. In some cases, however, the
+ two-letter ISO country code is identical to a state code used by the
+ U.S. Postal Service. Requests made by countries to use the three-
+ letter form of country code specified in the ISO-3166 standard will
+ be considered in such cases so as to prevent possible conflicts and
+ confusion.
+
+
+
+
+
+
+
+
+
+Stahl [Page 3]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+HOW TO REGISTER
+
+ Obtain a domain questionnaire from the NIC hostmaster, or FTP the
+ file NETINFO:DOMAIN-TEMPLATE.TXT from host SRI-NIC.ARPA.
+
+ Fill out the questionnaire completely. Return it via electronic mail
+ to HOSTMASTER@SRI-NIC.ARPA.
+
+ The APPENDIX to this memo contains the application form for
+ registering a top-level or second-level domain with the NIC. It
+ supersedes the version of the questionnaire found in RFC-920. The
+ application should be submitted by the person administratively
+ responsible for the domain, and must be filled out completely before
+ the NIC will authorize establishment of a top-level or second-level
+ domain. The DA is responsible for keeping his domain's data current
+ with the NIC or with the registration agent with which his domain is
+ registered. For example, the CSNET and UUCP managements act as
+ domain filters, processing domain applications for their own
+ organizations. They pass pertinent information along periodically to
+ the NIC for incorporation into the domain database and root server
+ files. The online file NETINFO:ALTERNATE-DOMAIN-PROCEDURE.TXT
+ outlines this procedure. It is highly recommended that the DA review
+ this information periodically and provide any corrections or
+ additions. Corrections should be submitted via electronic mail.
+
+WHICH DOMAIN NAME?
+
+ The designers of the domain-naming system initiated several general
+ categories of names as top-level domain names, so that each could
+ accommodate a variety of organizations. The current top-level
+ domains registered with the DDN Network Information Center are ARPA,
+ COM, EDU, GOV, MIL, NET, and ORG, plus a number of top-level country
+ domains. To join one of these, a DA needs to be aware of the purpose
+ for which it was intended.
+
+ "ARPA" is a temporary domain. It is by default appended to the
+ names of hosts that have not yet joined a domain. When the system
+ was begun in 1984, the names of all hosts in the Official DoD
+ Internet Host Table maintained by the NIC were changed by adding
+ of the label ".ARPA" in order to accelerate a transition to the
+ domain-naming system. Another reason for the blanket name changes
+ was to force hosts to become accustomed to using the new style
+ names and to modify their network software, if necessary. This
+ was done on a network-wide basis and was directed by DCA in DDN
+ Management Bulletin No. 22. Hosts that fall into this domain will
+ eventually move to other branches of the domain tree.
+
+
+
+
+
+Stahl [Page 4]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ "COM" is meant to incorporate subdomains of companies and
+ businesses.
+
+ "EDU" was initiated to accommodate subdomains set up by
+ universities and other educational institutions.
+
+ "GOV" exists to act as parent domain for subdomains set up by
+ government agencies.
+
+ "MIL" was initiated to act as parent to subdomains that are
+ developed by military organizations.
+
+ "NET" was introduced as a parent domain for various network-type
+ organizations. Organizations that belong within this top-level
+ domain are generic or network-specific, such as network service
+ centers and consortia. "NET" also encompasses network
+ management-related organizations, such as information centers and
+ operations centers.
+
+ "ORG" exists as a parent to subdomains that do not clearly fall
+ within the other top-level domains. This may include technical-
+ support groups, professional societies, or similar organizations.
+
+ One of the guidelines in effect in the domain-naming system is that a
+ host should have only one name regardless of what networks it is
+ connected to. This implies, that, in general, domain names should
+ not include routing information or addresses. For example, a host
+ that has one network connection to the Internet and another to BITNET
+ should use the same name when talking to either network. For a
+ description of the syntax of domain names, please refer to Section 3
+ of RFC-1034.
+
+VERIFICATION OF DATA
+
+ The verification process can be accomplished in several ways. One of
+ these is through the NIC WHOIS server. If he has access to WHOIS,
+ the DA can type the command "whois domain <domain name><return>".
+ The reply from WHOIS will supply the following: the name and address
+ of the organization "owning" the domain; the name of the domain; its
+ administrative, technical, and zone contacts; the host names and
+ network addresses of sites providing name service for the domain.
+
+
+
+
+
+
+
+
+
+
+Stahl [Page 5]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ Example:
+
+ @whois domain rice.edu<Return>
+
+ Rice University (RICE-DOM)
+ Advanced Studies and Research
+ Houston, TX 77001
+
+ Domain Name: RICE.EDU
+
+ Administrative Contact:
+ Kennedy, Ken (KK28) Kennedy@LLL-CRG.ARPA (713) 527-4834
+ Technical Contact, Zone Contact:
+ Riffle, Vicky R. (VRR) rif@RICE.EDU
+ (713) 527-8101 ext 3844
+
+ Domain servers:
+
+ RICE.EDU 128.42.5.1
+ PENDRAGON.CS.PURDUE.EDU 128.10.2.5
+
+
+ Alternatively, the DA can send an electronic mail message to
+ SERVICE@SRI-NIC.ARPA. In the subject line of the message header, the
+ DA should type "whois domain <domain name>". The requested
+ information will be returned via electronic mail. This method is
+ convenient for sites that do not have access to the NIC WHOIS
+ service.
+
+ The initial application for domain authorization should be submitted
+ via electronic mail, if possible, to HOSTMASTER@SRI-NIC.ARPA. The
+ questionnaire described in the appendix may be used or a separate
+ application can be FTPed from host SRI-NIC.ARPA. The information
+ provided by the administrator will be reviewed by hostmaster
+ personnel for completeness. There will most likely be a few
+ exchanges of correspondence via electronic mail, the preferred method
+ of communication, prior to authorization of the domain.
+
+HOW TO GET MORE INFORMATION
+
+ An informational table of the top-level domains and their root
+ servers is contained in the file NETINFO:DOMAINS.TXT online at SRI-
+ NIC.ARPA. This table can be obtained by FTPing the file.
+ Alternatively, the information can be acquired by opening a TCP or
+ UDP connection to the NIC Host Name Server, port 101 on SRI-NIC.ARPA,
+ and invoking the command "ALL-DOM".
+
+
+
+
+
+Stahl [Page 6]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ The following online files, all available by FTP from SRI-NIC.ARPA,
+ contain pertinent domain information:
+
+ - NETINFO:DOMAINS.TXT, a table of all top-level domains and the
+ network addresses of the machines providing domain name
+ service for them. It is updated each time a new top-level
+ domain is approved.
+
+ - NETINFO:DOMAIN-INFO.TXT contains a concise list of all
+ top-level and second-level domain names registered with the
+ NIC and is updated monthly.
+
+ - NETINFO:DOMAIN-CONTACTS.TXT also contains a list of all the
+ top level and second-level domains, but includes the
+ administrative, technical and zone contacts for each as well.
+
+ - NETINFO:DOMAIN-TEMPLATE.TXT contains the questionnaire to be
+ completed before registering a top-level or second-level
+ domain.
+
+ For either general or specific information on the domain system, do
+ one or more of the following:
+
+ 1. Send electronic mail to HOSTMASTER@SRI-NIC.ARPA
+
+ 2. Call the toll-free NIC hotline at (800) 235-3155
+
+ 3. Use FTP to get background RFCs and other files maintained
+ online at the NIC. Some pertinent RFCs are listed below in
+ the REFERENCES section of this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stahl [Page 7]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+REFERENCES
+
+ The references listed here provide important background information
+ on the domain-naming system. Path names of the online files
+ available via anonymous FTP from the SRI-NIC.ARPA host are noted in
+ brackets.
+
+ 1. Defense Communications Agency DDN Defense Communications
+ System, DDN Management Bulletin No. 22, Domain Names
+ Transition, March 1984.
+ [ DDN-NEWS:DDN-MGT-BULLETIN-22.TXT ]
+
+ 2. Defense Communications Agency DDN Defense Communications
+ System, DDN Management Bulletin No. 32, Phase I of the Domain
+ Name Implementation, January 1987.
+ [ DDN-NEWS:DDN-MGT-BULLETIN-32.TXT ]
+
+ 3. Harrenstien, K., M. Stahl, and E. Feinler, "Hostname
+ Server", RFC-953, DDN Network Information Center, SRI
+ International, October 1985. [ RFC:RFC953.TXT ]
+
+ 4. Harrenstien, K., M. Stahl, and E. Feinler, "Official DoD
+ Internet Host Table Specification", RFC-952, DDN Network
+ Information Center, SRI International, October 1985.
+ [ RFC:RFC952.TXT ]
+
+ 5. ISO, "Codes for the Representation of Names of Countries",
+ ISO-3166, International Standards Organization, May 1981.
+ [ Not online ]
+
+ 6. Lazear, W.D., "MILNET Name Domain Transition", RFC-1031,
+ Mitre Corporation, October 1987. [ RFC:RFC1031.TXT ]
+
+ 7. Lottor, M.K., "Domain Administrators Operations Guide",
+ RFC-1033, DDN Network Information Center, SRI International,
+ July 1987. [ RFC:RFC1033.TXT ]
+
+ 8. Mockapetris, P., "Domain Names - Concepts and Facilities",
+ RFC-1034, USC Information Sciences Institute, October 1987.
+ [ RFC:RFC1034.TXT ]
+
+ 9. Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC-1035, USC Information Sciences Institute,
+ October 1987. [ RFC:RFC1035.TXT ]
+
+ 10. Mockapetris, P., "The Domain Name System", Proceedings of the
+ IFIP 6.5 Working Conference on Computer Message Services,
+ Nottingham, England, May 1984. Also as ISI/RS-84-133, June
+
+
+
+Stahl [Page 8]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ 1984. [ Not online ]
+
+ 11. Mockapetris, P., J. Postel, and P. Kirton, "Name Server
+ Design for Distributed Systems", Proceedings of the Seventh
+ International Conference on Computer Communication, October
+ 30 to November 3 1984, Sidney, Australia. Also as
+ ISI/RS-84-132, June 1984. [ Not online ]
+
+ 12. Partridge, C., "Mail Routing and the Domain System", RFC-974,
+ CSNET-CIC, BBN Laboratories, January 1986.
+ [ RFC:RFC974.TXT ]
+
+ 13. Postel, J., "The Domain Names Plan and Schedule", RFC-881,
+ USC Information Sciences Institute, November 1983.
+ [ RFC:RFC881.TXT ]
+
+ 14. Reynolds, J., and Postel, J., "Assigned Numbers", RFC-1010
+ USC Information Sciences Institute, May 1986.
+ [ RFC:RFC1010.TXT ]
+
+ 15. Romano, S., and Stahl, M., "Internet Numbers", RFC-1020,
+ SRI, November 1987.
+ [ RFC:RFC1020.TXT ]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stahl [Page 9]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+APPENDIX
+
+ The following questionnaire may be FTPed from SRI-NIC.ARPA as
+ NETINFO:DOMAIN-TEMPLATE.TXT.
+
+ ---------------------------------------------------------------------
+
+ To establish a domain, the following information must be sent to the
+ NIC Domain Registrar (HOSTMASTER@SRI-NIC.ARPA):
+
+ NOTE: The key people must have electronic mailboxes and NIC
+ "handles," unique NIC database identifiers. If you have access to
+ "WHOIS", please check to see if you are registered and if so, make
+ sure the information is current. Include only your handle and any
+ changes (if any) that need to be made in your entry. If you do not
+ have access to "WHOIS", please provide all the information indicated
+ and a NIC handle will be assigned.
+
+ (1) The name of the top-level domain to join.
+
+ For example: COM
+
+ (2) The NIC handle of the administrative head of the organization.
+ Alternately, the person's name, title, mailing address, phone number,
+ organization, and network mailbox. This is the contact point for
+ administrative and policy questions about the domain. In the case of
+ a research project, this should be the principal investigator.
+
+ For example:
+
+ Administrator
+
+ Organization The NetWorthy Corporation
+ Name Penelope Q. Sassafrass
+ Title President
+ Mail Address The NetWorthy Corporation
+ 4676 Andrews Way, Suite 100
+ Santa Clara, CA 94302-1212
+ Phone Number (415) 123-4567
+ Net Mailbox Sassafrass@ECHO.TNC.COM
+ NIC Handle PQS
+
+ (3) The NIC handle of the technical contact for the domain.
+ Alternately, the person's name, title, mailing address, phone number,
+ organization, and network mailbox. This is the contact point for
+ problems concerning the domain or zone, as well as for updating
+ information about the domain or zone.
+
+
+
+
+Stahl [Page 10]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ For example:
+
+ Technical and Zone Contact
+
+ Organization The NetWorthy Corporation
+ Name Ansel A. Aardvark
+ Title Executive Director
+ Mail Address The NetWorthy Corporation
+ 4676 Andrews Way, Suite 100
+ Santa Clara, CA. 94302-1212
+ Phone Number (415) 123-6789
+ Net Mailbox Aardvark@ECHO.TNC.COM
+ NIC Handle AAA2
+
+ (4) The name of the domain (up to 12 characters). This is the name
+ that will be used in tables and lists associating the domain with the
+ domain server addresses. [While, from a technical standpoint, domain
+ names can be quite long (programmers beware), shorter names are
+ easier for people to cope with.]
+
+ For example: TNC
+
+ (5) A description of the servers that provide the domain service for
+ translating names to addresses for hosts in this domain, and the date
+ they will be operational.
+
+ A good way to answer this question is to say "Our server is
+ supplied by person or company X and does whatever their standard
+ issue server does."
+
+ For example: Our server is a copy of the one operated by
+ the NIC; it will be installed and made operational on
+ 1 November 1987.
+
+ (6) Domains must provide at least two independent servers for the
+ domain. Establishing the servers in physically separate locations
+ and on different PSNs is strongly recommended. A description of the
+ server machine and its backup, including
+
+
+
+
+
+
+
+
+
+
+
+
+
+Stahl [Page 11]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ (a) Hardware and software (using keywords from the Assigned
+ Numbers RFC).
+
+ (b) Host domain name and network addresses (which host on which
+ network for each connected network).
+
+ (c) Any domain-style nicknames (please limit your domain-style
+ nickname request to one)
+
+ For example:
+
+ - Hardware and software
+
+ VAX-11/750 and UNIX, or
+ IBM-PC and MS-DOS, or
+ DEC-1090 and TOPS-20
+
+ - Host domain names and network addresses
+
+ BAR.FOO.COM 10.9.0.193 on ARPANET
+
+ - Domain-style nickname
+
+ BR.FOO.COM (same as BAR.FOO.COM 10.9.0.13 on ARPANET)
+
+ (7) Planned mapping of names of any other network hosts, other than
+ the server machines, into the new domain's naming space.
+
+ For example:
+
+ BAR-FOO2.ARPA (10.8.0.193) -> FOO2.BAR.COM
+ BAR-FOO3.ARPA (10.7.0.193) -> FOO3.BAR.COM
+ BAR-FOO4.ARPA (10.6.0.193) -> FOO4.BAR.COM
+
+
+ (8) An estimate of the number of hosts that will be in the domain.
+
+ (a) Initially
+ (b) Within one year
+ (c) Two years
+ (d) Five years.
+
+ For example:
+
+ (a) Initially = 50
+ (b) One year = 100
+ (c) Two years = 200
+ (d) Five years = 500
+
+
+
+Stahl [Page 12]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ (9) The date you expect the fully qualified domain name to become
+ the official host name in HOSTS.TXT.
+
+ Please note: If changing to a fully qualified domain name (e.g.,
+ FOO.BAR.COM) causes a change in the official host name of an
+ ARPANET or MILNET host, DCA approval must be obtained beforehand.
+ Allow 10 working days for your requested changes to be processed.
+
+ ARPANET sites should contact ARPANETMGR@DDN1.ARPA. MILNET sites
+ should contact HOSTMASTER@SRI-NIC.ARPA, 800-235-3155, for
+ further instructions.
+
+ (10) Please describe your organization briefly.
+
+ For example: The NetWorthy Corporation is a consulting
+ organization of people working with UNIX and the C language in an
+ electronic networking environment. It sponsors two technical
+ conferences annually and distributes a bimonthly newsletter.
+
+ ---------------------------------------------------------------------
+
+ This example of a completed application corresponds to the examples
+ found in the companion document RFC-1033, "Domain Administrators
+ Operations Guide."
+
+ (1) The name of the top-level domain to join.
+
+ COM
+
+ (2) The NIC handle of the administrative contact person.
+
+ NIC Handle JAKE
+
+ (3) The NIC handle of the domain's technical and zone
+ contact person.
+
+ NIC Handle DLE6
+
+ (4) The name of the domain.
+
+ SRI
+
+ (5) A description of the servers.
+
+ Our server is the TOPS20 server JEEVES supplied by ISI; it
+ will be installed and made operational on 1 July 1987.
+
+
+
+
+
+Stahl [Page 13]
+
+RFC 1032 DOMAIN ADMINISTRATORS GUIDE November 1987
+
+
+ (6) A description of the server machine and its backup:
+
+ (a) Hardware and software
+
+ DEC-1090T and TOPS20
+ DEC-2065 and TOPS20
+
+ (b) Host domain name and network address
+
+ KL.SRI.COM 10.1.0.2 on ARPANET, 128.18.10.6 on SRINET
+ STRIPE.SRI.COM 10.4.0.2 on ARPANET, 128.18.10.4 on SRINET
+
+ (c) Domain-style nickname
+
+ None
+
+ (7) Planned mapping of names of any other network hosts, other than
+ the server machines, into the new domain's naming space.
+
+ SRI-Blackjack.ARPA (128.18.2.1) -> Blackjack.SRI.COM
+ SRI-CSL.ARPA (192.12.33.2) -> CSL.SRI.COM
+
+ (8) An estimate of the number of hosts that will be directly within
+ this domain.
+
+ (a) Initially = 50
+ (b) One year = 100
+ (c) Two years = 200
+ (d) Five years = 500
+
+ (9) A date when you expect the fully qualified domain name to become
+ the official host name in HOSTS.TXT.
+
+ 31 September 1987
+
+ (10) Brief description of organization.
+
+ SRI International is an independent, nonprofit, scientific
+ research organization. It performs basic and applied research
+ for government and commercial clients, and contributes to
+ worldwide economic, scientific, industrial, and social progress
+ through research and related services.
+
+
+
+
+
+
+
+
+
+Stahl [Page 14]
+
diff --git a/contrib/bind9/doc/rfc/rfc1033.txt b/contrib/bind9/doc/rfc/rfc1033.txt
new file mode 100644
index 0000000..37029fd
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1033.txt
@@ -0,0 +1,1229 @@
+Network Working Group M. Lottor
+Request For Comments: 1033 SRI International
+ November 1987
+
+
+ DOMAIN ADMINISTRATORS OPERATIONS GUIDE
+
+
+
+STATUS OF THIS MEMO
+
+ This RFC provides guidelines for domain administrators in operating a
+ domain server and maintaining their portion of the hierarchical
+ database. Familiarity with the domain system is assumed.
+ Distribution of this memo is unlimited.
+
+ACKNOWLEDGMENTS
+
+ This memo is a formatted collection of notes and excerpts from the
+ references listed at the end of this document. Of particular mention
+ are Paul Mockapetris and Kevin Dunlap.
+
+INTRODUCTION
+
+ A domain server requires a few files to get started. It will
+ normally have some number of boot/startup files (also known as the
+ "safety belt" files). One section will contain a list of possible
+ root servers that the server will use to find the up-to-date list of
+ root servers. Another section will list the zone files to be loaded
+ into the server for your local domain information. A zone file
+ typically contains all the data for a particular domain. This guide
+ describes the data formats that can be used in zone files and
+ suggested parameters to use for certain fields. If you are
+ attempting to do anything advanced or tricky, consult the appropriate
+ domain RFC's for more details.
+
+ Note: Each implementation of domain software may require different
+ files. Zone files are standardized but some servers may require
+ other startup files. See the appropriate documentation that comes
+ with your software. See the appendix for some specific examples.
+
+ZONES
+
+ A zone defines the contents of a contiguous section of the domain
+ space, usually bounded by administrative boundaries. There will
+ typically be a separate data file for each zone. The data contained
+ in a zone file is composed of entries called Resource Records (RRs).
+
+
+
+
+Lottor [Page 1]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ You may only put data in your domain server that you are
+ authoritative for. You must not add entries for domains other than
+ your own (except for the special case of "glue records").
+
+ A domain server will probably read a file on start-up that lists the
+ zones it should load into its database. The format of this file is
+ not standardized and is different for most domain server
+ implementations. For each zone it will normally contain the domain
+ name of the zone and the file name that contains the data to load for
+ the zone.
+
+ROOT SERVERS
+
+ A resolver will need to find the root servers when it first starts.
+ When the resolver boots, it will typically read a list of possible
+ root servers from a file.
+
+ The resolver will cycle through the list trying to contact each one.
+ When it finds a root server, it will ask it for the current list of
+ root servers. It will then discard the list of root servers it read
+ from the data file and replace it with the current list it received.
+
+ Root servers will not change very often. You can get the names of
+ current root servers from the NIC.
+
+ FTP the file NETINFO:ROOT-SERVERS.TXT or send a mail request to
+ NIC@SRI-NIC.ARPA.
+
+ As of this date (June 1987) they are:
+
+ SRI-NIC.ARPA 10.0.0.51 26.0.0.73
+ C.ISI.EDU 10.0.0.52
+ BRL-AOS.ARPA 192.5.25.82 192.5.22.82 128.20.1.2
+ A.ISI.EDU 26.3.0.103
+
+RESOURCE RECORDS
+
+ Records in the zone data files are called resource records (RRs).
+ They are specified in RFC-883 and RFC-973. An RR has a standard
+ format as shown:
+
+ <name> [<ttl>] [<class>] <type> <data>
+
+ The record is divided into fields which are separated by white space.
+
+ <name>
+
+ The name field defines what domain name applies to the given
+
+
+
+Lottor [Page 2]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ RR. In some cases the name field can be left blank and it will
+ default to the name field of the previous RR.
+
+ <ttl>
+
+ TTL stands for Time To Live. It specifies how long a domain
+ resolver should cache the RR before it throws it out and asks a
+ domain server again. See the section on TTL's. If you leave
+ the TTL field blank it will default to the minimum time
+ specified in the SOA record (described later).
+
+ <class>
+
+ The class field specifies the protocol group. If left blank it
+ will default to the last class specified.
+
+ <type>
+
+ The type field specifies what type of data is in the RR. See
+ the section on types.
+
+ <data>
+
+ The data field is defined differently for each type and class
+ of data. Popular RR data formats are described later.
+
+ The domain system does not guarantee to preserve the order of
+ resource records. Listing RRs (such as multiple address records) in
+ a certain order does not guarantee they will be used in that order.
+
+ Case is preserved in names and data fields when loaded into the name
+ server. All comparisons and lookups in the name server are case
+ insensitive.
+
+ Parenthesis ("(",")") are used to group data that crosses a line
+ boundary.
+
+ A semicolon (";") starts a comment; the remainder of the line is
+ ignored.
+
+ The asterisk ("*") is used for wildcarding.
+
+ The at-sign ("@") denotes the current default domain name.
+
+
+
+
+
+
+
+
+Lottor [Page 3]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+NAMES
+
+ A domain name is a sequence of labels separated by dots.
+
+ Domain names in the zone files can be one of two types, either
+ absolute or relative. An absolute name is the fully qualified domain
+ name and is terminated with a period. A relative name does not
+ terminate with a period, and the current default domain is appended
+ to it. The default domain is usually the name of the domain that was
+ specified in the boot file that loads each zone.
+
+ The domain system allows a label to contain any 8-bit character.
+ Although the domain system has no restrictions, other protocols such
+ as SMTP do have name restrictions. Because of other protocol
+ restrictions, only the following characters are recommended for use
+ in a host name (besides the dot separator):
+
+ "A-Z", "a-z", "0-9", dash and underscore
+
+TTL's (Time To Live)
+
+ It is important that TTLs are set to appropriate values. The TTL is
+ the time (in seconds) that a resolver will use the data it got from
+ your server before it asks your server again. If you set the value
+ too low, your server will get loaded down with lots of repeat
+ requests. If you set it too high, then information you change will
+ not get distributed in a reasonable amount of time. If you leave the
+ TTL field blank, it will default to what is specified in the SOA
+ record for the zone.
+
+ Most host information does not change much over long time periods. A
+ good way to set up your TTLs would be to set them at a high value,
+ and then lower the value if you know a change will be coming soon.
+ You might set most TTLs to anywhere between a day (86400) and a week
+ (604800). Then, if you know some data will be changing in the near
+ future, set the TTL for that RR down to a lower value (an hour to a
+ day) until the change takes place, and then put it back up to its
+ previous value.
+
+ Also, all RRs with the same name, class, and type should have the
+ same TTL value.
+
+CLASSES
+
+ The domain system was designed to be protocol independent. The class
+ field is used to identify the protocol group that each RR is in.
+
+ The class of interest to people using TCP/IP software is the class
+
+
+
+Lottor [Page 4]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ "Internet". Its standard designation is "IN".
+
+ A zone file should only contain RRs of the same class.
+
+TYPES
+
+ There are many defined RR types. For a complete list, see the domain
+ specification RFCs. Here is a list of current commonly used types.
+ The data for each type is described in the data section.
+
+ Designation Description
+ ==========================================
+ SOA Start Of Authority
+ NS Name Server
+
+ A Internet Address
+ CNAME Canonical Name (nickname pointer)
+ HINFO Host Information
+ WKS Well Known Services
+
+ MX Mail Exchanger
+
+ PTR Pointer
+
+SOA (Start Of Authority)
+
+ <name> [<ttl>] [<class>] SOA <origin> <person> (
+ <serial>
+ <refresh>
+ <retry>
+ <expire>
+ <minimum> )
+
+ The Start Of Authority record designates the start of a zone. The
+ zone ends at the next SOA record.
+
+ <name> is the name of the zone.
+
+ <origin> is the name of the host on which the master zone file
+ resides.
+
+ <person> is a mailbox for the person responsible for the zone. It is
+ formatted like a mailing address but the at-sign that normally
+ separates the user from the host name is replaced with a dot.
+
+ <serial> is the version number of the zone file. It should be
+ incremented anytime a change is made to data in the zone.
+
+
+
+
+Lottor [Page 5]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ <refresh> is how long, in seconds, a secondary name server is to
+ check with the primary name server to see if an update is needed. A
+ good value here would be one hour (3600).
+
+ <retry> is how long, in seconds, a secondary name server is to retry
+ after a failure to check for a refresh. A good value here would be
+ 10 minutes (600).
+
+ <expire> is the upper limit, in seconds, that a secondary name server
+ is to use the data before it expires for lack of getting a refresh.
+ You want this to be rather large, and a nice value is 3600000, about
+ 42 days.
+
+ <minimum> is the minimum number of seconds to be used for TTL values
+ in RRs. A minimum of at least a day is a good value here (86400).
+
+ There should only be one SOA record per zone. A sample SOA record
+ would look something like:
+
+ @ IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
+ 45 ;serial
+ 3600 ;refresh
+ 600 ;retry
+ 3600000 ;expire
+ 86400 ) ;minimum
+
+
+NS (Name Server)
+
+ <domain> [<ttl>] [<class>] NS <server>
+
+ The NS record lists the name of a machine that provides domain
+ service for a particular domain. The name associated with the RR is
+ the domain name and the data portion is the name of a host that
+ provides the service. If machines SRI-NIC.ARPA and C.ISI.EDU provide
+ name lookup service for the domain COM then the following entries
+ would be used:
+
+ COM. NS SRI-NIC.ARPA.
+ NS C.ISI.EDU.
+
+ Note that the machines providing name service do not have to live in
+ the named domain. There should be one NS record for each server for
+ a domain. Also note that the name "COM" defaults for the second NS
+ record.
+
+ NS records for a domain exist in both the zone that delegates the
+ domain, and in the domain itself.
+
+
+
+Lottor [Page 6]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+GLUE RECORDS
+
+ If the name server host for a particular domain is itself inside the
+ domain, then a 'glue' record will be needed. A glue record is an A
+ (address) RR that specifies the address of the server. Glue records
+ are only needed in the server delegating the domain, not in the
+ domain itself. If for example the name server for domain SRI.COM was
+ KL.SRI.COM, then the NS record would look like this, but you will
+ also need to have the following A record.
+
+ SRI.COM. NS KL.SRI.COM.
+ KL.SRI.COM. A 10.1.0.2
+
+
+A (Address)
+
+ <host> [<ttl>] [<class>] A <address>
+
+ The data for an A record is an internet address in dotted decimal
+ form. A sample A record might look like:
+
+ SRI-NIC.ARPA. A 10.0.0.51
+
+ There should be one A record for each address of a host.
+
+CNAME ( Canonical Name)
+
+ <nickname> [<ttl>] [<class>] CNAME <host>
+
+ The CNAME record is used for nicknames. The name associated with the
+ RR is the nickname. The data portion is the official name. For
+ example, a machine named SRI-NIC.ARPA may want to have the nickname
+ NIC.ARPA. In that case, the following RR would be used:
+
+ NIC.ARPA. CNAME SRI-NIC.ARPA.
+
+ There must not be any other RRs associated with a nickname of the
+ same class.
+
+ Nicknames are also useful when a host changes it's name. In that
+ case, it is usually a good idea to have a CNAME pointer so that
+ people still using the old name will get to the right place.
+
+
+
+
+
+
+
+
+
+Lottor [Page 7]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+HINFO (Host Info)
+
+ <host> [<ttl>] [<class>] HINFO <hardware> <software>
+
+ The HINFO record gives information about a particular host. The data
+ is two strings separated by whitespace. The first string is a
+ hardware description and the second is software. The hardware is
+ usually a manufacturer name followed by a dash and model designation.
+ The software string is usually the name of the operating system.
+
+ Official HINFO types can be found in the latest Assigned Numbers RFC,
+ the latest of which is RFC-1010. The Hardware type is called the
+ Machine name and the Software type is called the System name.
+
+ Some sample HINFO records:
+
+ SRI-NIC.ARPA. HINFO DEC-2060 TOPS20
+ UCBARPA.Berkeley.EDU. HINFO VAX-11/780 UNIX
+
+
+WKS (Well Known Services)
+
+ <host> [<ttl>] [<class>] WKS <address> <protocol> <services>
+
+ The WKS record is used to list Well Known Services a host provides.
+ WKS's are defined to be services on port numbers below 256. The WKS
+ record lists what services are available at a certain address using a
+ certain protocol. The common protocols are TCP or UDP. A sample WKS
+ record for a host offering the same services on all address would
+ look like:
+
+ Official protocol names can be found in the latest Assigned Numbers
+ RFC, the latest of which is RFC-1010.
+
+ SRI-NIC.ARPA. WKS 10.0.0.51 TCP TELNET FTP SMTP
+ WKS 10.0.0.51 UDP TIME
+ WKS 26.0.0.73 TCP TELNET FTP SMTP
+ WKS 26.0.0.73 UDP TIME
+
+MX (Mail Exchanger) (See RFC-974 for more details.)
+
+ <name> [<ttl>] [<class>] MX <preference> <host>
+
+ MX records specify where mail for a domain name should be delivered.
+ There may be multiple MX records for a particular name. The
+ preference value specifies the order a mailer should try multiple MX
+ records when delivering mail. Zero is the highest preference.
+ Multiple records for the same name may have the same preference.
+
+
+
+Lottor [Page 8]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ A host BAR.FOO.COM may want its mail to be delivered to the host
+ PO.FOO.COM and would then use the MX record:
+
+ BAR.FOO.COM. MX 10 PO.FOO.COM.
+
+ A host BAZ.FOO.COM may want its mail to be delivered to one of three
+ different machines, in the following order:
+
+ BAZ.FOO.COM. MX 10 PO1.FOO.COM.
+ MX 20 PO2.FOO.COM.
+ MX 30 PO3.FOO.COM.
+
+ An entire domain of hosts not connected to the Internet may want
+ their mail to go through a mail gateway that knows how to deliver
+ mail to them. If they would like mail addressed to any host in the
+ domain FOO.COM to go through the mail gateway they might use:
+
+ FOO.COM. MX 10 RELAY.CS.NET.
+ *.FOO.COM. MX 20 RELAY.CS.NET.
+
+ Note that you can specify a wildcard in the MX record to match on
+ anything in FOO.COM, but that it won't match a plain FOO.COM.
+
+IN-ADDR.ARPA
+
+ The structure of names in the domain system is set up in a
+ hierarchical way such that the address of a name can be found by
+ tracing down the domain tree contacting a server for each label of
+ the name. Because of this 'indexing' based on name, there is no easy
+ way to translate a host address back into its host name.
+
+ In order to do the reverse translation easily, a domain was created
+ that uses hosts' addresses as part of a name that then points to the
+ data for that host. In this way, there is now an 'index' to hosts'
+ RRs based on their address. This address mapping domain is called
+ IN-ADDR.ARPA. Within that domain are subdomains for each network,
+ based on network number. Also, for consistency and natural
+ groupings, the 4 octets of a host number are reversed.
+
+ For example, the ARPANET is net 10. That means there is a domain
+ called 10.IN-ADDR.ARPA. Within this domain there is a PTR RR at
+ 51.0.0.10.IN-ADDR that points to the RRs for the host SRI-NIC.ARPA
+ (who's address is 10.0.0.51). Since the NIC is also on the MILNET
+ (Net 26, address 26.0.0.73), there is also a PTR RR at 73.0.0.26.IN-
+ ADDR.ARPA that points to the same RR's for SRI-NIC.ARPA. The format
+ of these special pointers is defined below along with the examples
+ for the NIC.
+
+
+
+
+Lottor [Page 9]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+PTR
+
+ <special-name> [<ttl>] [<class>] PTR <name>
+
+ The PTR record is used to let special names point to some other
+ location in the domain tree. They are mainly used in the IN-
+ ADDR.ARPA records for translation of addresses to names. PTR's
+ should use official names and not aliases.
+
+ For example, host SRI-NIC.ARPA with addresses 10.0.0.51 and 26.0.0.73
+ would have the following records in the respective zone files for net
+ 10 and net 26:
+
+ 51.0.0.10.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
+ 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
+
+GATEWAY PTR's
+
+ The IN-ADDR tree is also used to locate gateways on a particular
+ network. Gateways have the same kind of PTR RRs as hosts (as above)
+ but in addition they have other PTRs used to locate them by network
+ number alone. These records have only 1, 2, or 3 octets as part of
+ the name depending on whether they are class A, B, or C networks,
+ respectively.
+
+ Lets take the SRI-CSL gateway for example. It connects 3 different
+ networks, one class A, one class B and one class C. It will have the
+ standard RR's for a host in the CSL.SRI.COM zone:
+
+ GW.CSL.SRI.COM. A 10.2.0.2
+ A 128.18.1.1
+ A 192.12.33.2
+
+ Also, in 3 different zones (one for each network), it will have one
+ of the following number to name translation pointers:
+
+ 2.0.2.10.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+ 1.1.18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+ 1.33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+
+ In addition, in each of the same 3 zones will be one of the following
+ gateway location pointers:
+
+ 10.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+ 18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+ 33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+
+
+
+
+
+Lottor [Page 10]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+INSTRUCTIONS
+
+ Adding a subdomain.
+
+ To add a new subdomain to your domain:
+
+ Setup the other domain server and/or the new zone file.
+
+ Add an NS record for each server of the new domain to the zone
+ file of the parent domain.
+
+ Add any necessary glue RRs.
+
+ Adding a host.
+
+ To add a new host to your zone files:
+
+ Edit the appropriate zone file for the domain the host is in.
+
+ Add an entry for each address of the host.
+
+ Optionally add CNAME, HINFO, WKS, and MX records.
+
+ Add the reverse IN-ADDR entry for each host address in the
+ appropriate zone files for each network the host in on.
+
+ Deleting a host.
+
+ To delete a host from the zone files:
+
+ Remove all the hosts' resource records from the zone file of
+ the domain the host is in.
+
+ Remove all the hosts' PTR records from the IN-ADDR zone files
+ for each network the host was on.
+
+ Adding gateways.
+
+ Follow instructions for adding a host.
+
+ Add the gateway location PTR records for each network the
+ gateway is on.
+
+ Deleting gateways.
+
+ Follow instructions for deleting a host.
+
+ Also delete the gateway location PTR records for each network
+
+
+
+Lottor [Page 11]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ the gateway was on.
+
+COMPLAINTS
+
+ These are the suggested steps you should take if you are having
+ problems that you believe are caused by someone else's name server:
+
+
+ 1. Complain privately to the responsible person for the domain. You
+ can find their mailing address in the SOA record for the domain.
+
+ 2. Complain publicly to the responsible person for the domain.
+
+ 3. Ask the NIC for the administrative person responsible for the
+ domain. Complain. You can also find domain contacts on the NIC in
+ the file NETINFO:DOMAIN-CONTACTS.TXT
+
+ 4. Complain to the parent domain authorities.
+
+ 5. Ask the parent authorities to excommunicate the domain.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 12]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+EXAMPLE DOMAIN SERVER DATABASE FILES
+
+ The following examples show how zone files are set up for a typical
+ organization. SRI will be used as the example organization. SRI has
+ decided to divided their domain SRI.COM into a few subdomains, one
+ for each group that wants one. The subdomains are CSL and ISTC.
+
+ Note the following interesting items:
+
+ There are both hosts and domains under SRI.COM.
+
+ CSL.SRI.COM is both a domain name and a host name.
+
+ All the domains are serviced by the same pair of domain servers.
+
+ All hosts at SRI are on net 128.18 except hosts in the CSL domain
+ which are on net 192.12.33. Note that a domain does not have to
+ correspond to a physical network.
+
+ The examples do not necessarily correspond to actual data in use
+ by the SRI domain.
+
+ SRI Domain Organization
+
+ +-------+
+ | COM |
+ +-------+
+ |
+ +-------+
+ | SRI |
+ +-------+
+ |
+ +----------++-----------+
+ | | |
+ +-------+ +------+ +-------+
+ | CSL | | ISTC | | Hosts |
+ +-------+ +------+ +-------+
+ | |
+ +-------+ +-------+
+ | Hosts | | Hosts |
+ +-------+ +-------+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 13]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "CONFIG.CMD". Since bootstrap files are not standardized, this
+ file is presented using a pseudo configuration file syntax.]
+
+ load root server list from file ROOT.SERVERS
+ load zone SRI.COM. from file SRI.ZONE
+ load zone CSL.SRI.COM. from file CSL.ZONE
+ load zone ISTC.SRI.COM. from file ISTC.ZONE
+ load zone 18.128.IN-ADDR.ARPA. from file SRINET.ZONE
+ load zone 33.12.192.IN-ADDR.ARPA. from file SRI-CSL-NET.ZONE
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 14]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "ROOT.SERVERS". Again, the format of this file is not
+ standardized.]
+
+ ;list of possible root servers
+ SRI-NIC.ARPA 10.0.0.51 26.0.0.73
+ C.ISI.EDU 10.0.0.52
+ BRL-AOS.ARPA 192.5.25.82 192.5.22.82 128.20.1.2
+ A.ISI.EDU 26.3.0.103
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 15]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "SRI.ZONE"]
+
+ SRI.COM. IN SOA KL.SRI.COM. DLE.STRIPE.SRI.COM. (
+ 870407 ;serial
+ 1800 ;refresh every 30 minutes
+ 600 ;retry every 10 minutes
+ 604800 ;expire after a week
+ 86400 ;default of an hour
+ )
+
+ SRI.COM. NS KL.SRI.COM.
+ NS STRIPE.SRI.COM.
+ MX 10 KL.SRI.COM.
+
+ ;SRI.COM hosts
+
+ KL A 10.1.0.2
+ A 128.18.10.6
+ MX 10 KL.SRI.COM.
+
+ STRIPE A 10.4.0.2
+ STRIPE A 128.18.10.4
+ MX 10 STRIPE.SRI.COM.
+
+ NIC CNAME SRI-NIC.ARPA.
+
+ Blackjack A 128.18.2.1
+ HINFO VAX-11/780 UNIX
+ WKS 128.18.2.1 TCP TELNET FTP
+
+ CSL A 192.12.33.2
+ HINFO FOONLY-F4 TOPS20
+ WKS 192.12.33.2 TCP TELNET FTP SMTP FINGER
+ MX 10 CSL.SRI.COM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 16]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "CSL.ZONE"]
+
+ CSL.SRI.COM. IN SOA KL.SRI.COM. DLE.STRIPE.SRI.COM. (
+ 870330 ;serial
+ 1800 ;refresh every 30 minutes
+ 600 ;retry every 10 minutes
+ 604800 ;expire after a week
+ 86400 ;default of a day
+ )
+
+ CSL.SRI.COM. NS KL.SRI.COM.
+ NS STRIPE.SRI.COM.
+ A 192.12.33.2
+
+ ;CSL.SRI.COM hosts
+
+ A CNAME CSL.SRI.COM.
+ B A 192.12.33.3
+ HINFO FOONLY-F4 TOPS20
+ WKS 192.12.33.3 TCP TELNET FTP SMTP
+ GW A 10.2.0.2
+ A 192.12.33.1
+ A 128.18.1.1
+ HINFO PDP-11/23 MOS
+ SMELLY A 192.12.33.4
+ HINFO IMAGEN IMAGEN
+ SQUIRREL A 192.12.33.5
+ HINFO XEROX-1100 INTERLISP
+ VENUS A 192.12.33.7
+ HINFO SYMBOLICS-3600 LISPM
+ HELIUM A 192.12.33.30
+ HINFO SUN-3/160 UNIX
+ ARGON A 192.12.33.31
+ HINFO SUN-3/75 UNIX
+ RADON A 192.12.33.32
+ HINFO SUN-3/75 UNIX
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 17]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "ISTC.ZONE"]
+
+ ISTC.SRI.COM. IN SOA KL.SRI.COM. roemers.JOYCE.ISTC.SRI.COM. (
+ 870406 ;serial
+ 1800 ;refresh every 30 minutes
+ 600 ;retry every 10 minutes
+ 604800 ;expire after a week
+ 86400 ;default of a day
+ )
+
+ ISTC.SRI.COM. NS KL.SRI.COM.
+ NS STRIPE.SRI.COM.
+ MX 10 SPAM.ISTC.SRI.COM.
+
+ ; ISTC hosts
+
+ joyce A 128.18.4.2
+ HINFO VAX-11/750 UNIX
+ bozo A 128.18.0.6
+ HINFO SUN UNIX
+ sundae A 128.18.0.11
+ HINFO SUN UNIX
+ tsca A 128.18.0.201
+ A 10.3.0.2
+ HINFO VAX-11/750 UNIX
+ MX 10 TSCA.ISTC.SRI.COM.
+ tsc CNAME tsca
+ prmh A 128.18.0.203
+ A 10.2.0.51
+ HINFO PDP-11/44 UNIX
+ spam A 128.18.4.3
+ A 10.2.0.107
+ HINFO VAX-11/780 UNIX
+ MX 10 SPAM.ISTC.SRI.COM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 18]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "SRINET.ZONE"]
+
+ 18.128.IN-ADDR.ARPA. IN SOA KL.SRI.COM DLE.STRIPE.SRI.COM. (
+ 870406 ;serial
+ 1800 ;refresh every 30 minutes
+ 600 ;retry every 10 minutes
+ 604800 ;expire after a week
+ 86400 ;default of a day
+ )
+
+ 18.128.IN-ADDR.ARPA. NS KL.SRI.COM.
+ NS STRIPE.SRI.COM.
+ PTR GW.CSL.SRI.COM.
+
+ ; SRINET [128.18.0.0] Address Translations
+
+ ; SRI.COM Hosts
+ 1.2.18.128.IN-ADDR.ARPA. PTR Blackjack.SRI.COM.
+
+ ; ISTC.SRI.COM Hosts
+ 2.4.18.128.IN-ADDR.ARPA. PTR joyce.ISTC.SRI.COM.
+ 6.0.18.128.IN-ADDR.ARPA. PTR bozo.ISTC.SRI.COM.
+ 11.0.18.128.IN-ADDR.ARPA. PTR sundae.ISTC.SRI.COM.
+ 201.0.18.128.IN-ADDR.ARPA. PTR tsca.ISTC.SRI.COM.
+ 203.0.18.128.IN-ADDR.ARPA. PTR prmh.ISTC.SRI.COM.
+ 3.4.18.128.IN-ADDR.ARPA. PTR spam.ISTC.SRI.COM.
+
+ ; CSL.SRI.COM Hosts
+ 1.1.18.128.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 19]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+ [File "SRI-CSL-NET.ZONE"]
+
+ 33.12.192.IN-ADDR.ARPA. IN SOA KL.SRI.COM DLE.STRIPE.SRI.COM. (
+ 870404 ;serial
+ 1800 ;refresh every 30 minutes
+ 600 ;retry every 10 minutes
+ 604800 ;expire after a week
+ 86400 ;default of a day
+ )
+
+ 33.12.192.IN-ADDR.ARPA. NS KL.SRI.COM.
+ NS STRIPE.SRI.COM.
+ PTR GW.CSL.SRI.COM.
+
+ ; SRI-CSL-NET [192.12.33.0] Address Translations
+
+ ; SRI.COM Hosts
+ 2.33.12.192.IN-ADDR.ARPA. PTR CSL.SRI.COM.
+
+ ; CSL.SRI.COM Hosts
+ 1.33.12.192.IN-ADDR.ARPA. PTR GW.CSL.SRI.COM.
+ 3.33.12.192.IN-ADDR.ARPA. PTR B.CSL.SRI.COM.
+ 4.33.12.192.IN-ADDR.ARPA. PTR SMELLY.CSL.SRI.COM.
+ 5.33.12.192.IN-ADDR.ARPA. PTR SQUIRREL.CSL.SRI.COM.
+ 7.33.12.192.IN-ADDR.ARPA. PTR VENUS.CSL.SRI.COM.
+ 30.33.12.192.IN-ADDR.ARPA. PTR HELIUM.CSL.SRI.COM.
+ 31.33.12.192.IN-ADDR.ARPA. PTR ARGON.CSL.SRI.COM.
+ 32.33.12.192.IN-ADDR.ARPA. PTR RADON.CSL.SRI.COM.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 20]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+APPENDIX
+
+ BIND (Berkeley Internet Name Domain server) distributed with 4.3 BSD
+ UNIX
+
+ This section describes two BIND implementation specific files; the
+ boot file and the cache file. BIND has other options, files, and
+ specifications that are not described here. See the Name Server
+ Operations Guide for BIND for details.
+
+ The boot file for BIND is usually called "named.boot". This
+ corresponds to file "CONFIG.CMD" in the example section.
+
+ --------------------------------------------------------
+ cache . named.ca
+ primary SRI.COM SRI.ZONE
+ primary CSL.SRI.COM CSL.ZONE
+ primary ISTC.SRI.COM ISTC.ZONE
+ primary 18.128.IN-ADDR.ARPA SRINET.ZONE
+ primary 33.12.192.IN-ADDR.ARPA SRI-CSL-NET.ZONE
+ --------------------------------------------------------
+
+ The cache file for BIND is usually called "named.ca". This
+ corresponds to file "ROOT.SERVERS" in the example section.
+
+ -------------------------------------------------
+ ;list of possible root servers
+ . 1 IN NS SRI-NIC.ARPA.
+ NS C.ISI.EDU.
+ NS BRL-AOS.ARPA.
+ NS C.ISI.EDU.
+ ;and their addresses
+ SRI-NIC.ARPA. A 10.0.0.51
+ A 26.0.0.73
+ C.ISI.EDU. A 10.0.0.52
+ BRL-AOS.ARPA. A 192.5.25.82
+ A 192.5.22.82
+ A 128.20.1.2
+ A.ISI.EDU. A 26.3.0.103
+ -------------------------------------------------
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 21]
+
+RFC 1033 DOMAIN OPERATIONS GUIDE November 1987
+
+
+REFERENCES
+
+ [1] Dunlap, K., "Name Server Operations Guide for BIND", CSRG,
+ Department of Electrical Engineering and Computer Sciences,
+ University of California, Berkeley, California.
+
+ [2] Partridge, C., "Mail Routing and the Domain System", RFC-974,
+ CSNET CIC BBN Laboratories, January 1986.
+
+ [3] Mockapetris, P., "Domains Names - Concepts and Facilities",
+ RFC-1034, USC/Information Sciences Institute, November 1987.
+
+ [4] Mockapetris, P., "Domain Names - Implementations Specification",
+ RFC-1035, USC/Information Sciences Institute, November 1987.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lottor [Page 22]
+
diff --git a/contrib/bind9/doc/rfc/rfc1034.txt b/contrib/bind9/doc/rfc/rfc1034.txt
new file mode 100644
index 0000000..55cdb21
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1034.txt
@@ -0,0 +1,3077 @@
+Network Working Group P. Mockapetris
+Request for Comments: 1034 ISI
+Obsoletes: RFCs 882, 883, 973 November 1987
+
+
+ DOMAIN NAMES - CONCEPTS AND FACILITIES
+
+
+
+1. STATUS OF THIS MEMO
+
+This RFC is an introduction to the Domain Name System (DNS), and omits
+many details which can be found in a companion RFC, "Domain Names -
+Implementation and Specification" [RFC-1035]. That RFC assumes that the
+reader is familiar with the concepts discussed in this memo.
+
+A subset of DNS functions and data types constitute an official
+protocol. The official protocol includes standard queries and their
+responses and most of the Internet class data formats (e.g., host
+addresses).
+
+However, the domain system is intentionally extensible. Researchers are
+continuously proposing, implementing and experimenting with new data
+types, query types, classes, functions, etc. Thus while the components
+of the official protocol are expected to stay essentially unchanged and
+operate as a production service, experimental behavior should always be
+expected in extensions beyond the official protocol. Experimental or
+obsolete features are clearly marked in these RFCs, and such information
+should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical. Distribution of this memo is unlimited.
+
+2. INTRODUCTION
+
+This RFC introduces domain style names, their use for Internet mail and
+host address support, and the protocols and servers used to implement
+domain name facilities.
+
+2.1. The history of domain names
+
+The impetus for the development of the domain system was growth in the
+Internet:
+
+ - Host name to address mappings were maintained by the Network
+ Information Center (NIC) in a single file (HOSTS.TXT) which
+ was FTPed by all hosts [RFC-952, RFC-953]. The total network
+
+
+
+Mockapetris [Page 1]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ bandwidth consumed in distributing a new version by this
+ scheme is proportional to the square of the number of hosts in
+ the network, and even when multiple levels of FTP are used,
+ the outgoing FTP load on the NIC host is considerable.
+ Explosive growth in the number of hosts didn't bode well for
+ the future.
+
+ - The network population was also changing in character. The
+ timeshared hosts that made up the original ARPANET were being
+ replaced with local networks of workstations. Local
+ organizations were administering their own names and
+ addresses, but had to wait for the NIC to change HOSTS.TXT to
+ make changes visible to the Internet at large. Organizations
+ also wanted some local structure on the name space.
+
+ - The applications on the Internet were getting more
+ sophisticated and creating a need for general purpose name
+ service.
+
+
+The result was several ideas about name spaces and their management
+[IEN-116, RFC-799, RFC-819, RFC-830]. The proposals varied, but a
+common thread was the idea of a hierarchical name space, with the
+hierarchy roughly corresponding to organizational structure, and names
+using "." as the character to mark the boundary between hierarchy
+levels. A design using a distributed database and generalized resources
+was described in [RFC-882, RFC-883]. Based on experience with several
+implementations, the system evolved into the scheme described in this
+memo.
+
+The terms "domain" or "domain name" are used in many contexts beyond the
+DNS described here. Very often, the term domain name is used to refer
+to a name with structure indicated by dots, but no relation to the DNS.
+This is particularly true in mail addressing [Quarterman 86].
+
+2.2. DNS design goals
+
+The design goals of the DNS influence its structure. They are:
+
+ - The primary goal is a consistent name space which will be used
+ for referring to resources. In order to avoid the problems
+ caused by ad hoc encodings, names should not be required to
+ contain network identifiers, addresses, routes, or similar
+ information as part of the name.
+
+ - The sheer size of the database and frequency of updates
+ suggest that it must be maintained in a distributed manner,
+ with local caching to improve performance. Approaches that
+
+
+
+Mockapetris [Page 2]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ attempt to collect a consistent copy of the entire database
+ will become more and more expensive and difficult, and hence
+ should be avoided. The same principle holds for the structure
+ of the name space, and in particular mechanisms for creating
+ and deleting names; these should also be distributed.
+
+ - Where there tradeoffs between the cost of acquiring data, the
+ speed of updates, and the accuracy of caches, the source of
+ the data should control the tradeoff.
+
+ - The costs of implementing such a facility dictate that it be
+ generally useful, and not restricted to a single application.
+ We should be able to use names to retrieve host addresses,
+ mailbox data, and other as yet undetermined information. All
+ data associated with a name is tagged with a type, and queries
+ can be limited to a single type.
+
+ - Because we want the name space to be useful in dissimilar
+ networks and applications, we provide the ability to use the
+ same name space with different protocol families or
+ management. For example, host address formats differ between
+ protocols, though all protocols have the notion of address.
+ The DNS tags all data with a class as well as the type, so
+ that we can allow parallel use of different formats for data
+ of type address.
+
+ - We want name server transactions to be independent of the
+ communications system that carries them. Some systems may
+ wish to use datagrams for queries and responses, and only
+ establish virtual circuits for transactions that need the
+ reliability (e.g., database updates, long transactions); other
+ systems will use virtual circuits exclusively.
+
+ - The system should be useful across a wide spectrum of host
+ capabilities. Both personal computers and large timeshared
+ hosts should be able to use the system, though perhaps in
+ different ways.
+
+2.3. Assumptions about usage
+
+The organization of the domain system derives from some assumptions
+about the needs and usage patterns of its user community and is designed
+to avoid many of the the complicated problems found in general purpose
+database systems.
+
+The assumptions are:
+
+ - The size of the total database will initially be proportional
+
+
+
+Mockapetris [Page 3]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ to the number of hosts using the system, but will eventually
+ grow to be proportional to the number of users on those hosts
+ as mailboxes and other information are added to the domain
+ system.
+
+ - Most of the data in the system will change very slowly (e.g.,
+ mailbox bindings, host addresses), but that the system should
+ be able to deal with subsets that change more rapidly (on the
+ order of seconds or minutes).
+
+ - The administrative boundaries used to distribute
+ responsibility for the database will usually correspond to
+ organizations that have one or more hosts. Each organization
+ that has responsibility for a particular set of domains will
+ provide redundant name servers, either on the organization's
+ own hosts or other hosts that the organization arranges to
+ use.
+
+ - Clients of the domain system should be able to identify
+ trusted name servers they prefer to use before accepting
+ referrals to name servers outside of this "trusted" set.
+
+ - Access to information is more critical than instantaneous
+ updates or guarantees of consistency. Hence the update
+ process allows updates to percolate out through the users of
+ the domain system rather than guaranteeing that all copies are
+ simultaneously updated. When updates are unavailable due to
+ network or host failure, the usual course is to believe old
+ information while continuing efforts to update it. The
+ general model is that copies are distributed with timeouts for
+ refreshing. The distributor sets the timeout value and the
+ recipient of the distribution is responsible for performing
+ the refresh. In special situations, very short intervals can
+ be specified, or the owner can prohibit copies.
+
+ - In any system that has a distributed database, a particular
+ name server may be presented with a query that can only be
+ answered by some other server. The two general approaches to
+ dealing with this problem are "recursive", in which the first
+ server pursues the query for the client at another server, and
+ "iterative", in which the server refers the client to another
+ server and lets the client pursue the query. Both approaches
+ have advantages and disadvantages, but the iterative approach
+ is preferred for the datagram style of access. The domain
+ system requires implementation of the iterative approach, but
+ allows the recursive approach as an option.
+
+
+
+
+
+Mockapetris [Page 4]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+The domain system assumes that all data originates in master files
+scattered through the hosts that use the domain system. These master
+files are updated by local system administrators. Master files are text
+files that are read by a local name server, and hence become available
+through the name servers to users of the domain system. The user
+programs access name servers through standard programs called resolvers.
+
+The standard format of master files allows them to be exchanged between
+hosts (via FTP, mail, or some other mechanism); this facility is useful
+when an organization wants a domain, but doesn't want to support a name
+server. The organization can maintain the master files locally using a
+text editor, transfer them to a foreign host which runs a name server,
+and then arrange with the system administrator of the name server to get
+the files loaded.
+
+Each host's name servers and resolvers are configured by a local system
+administrator [RFC-1033]. For a name server, this configuration data
+includes the identity of local master files and instructions on which
+non-local master files are to be loaded from foreign servers. The name
+server uses the master files or copies to load its zones. For
+resolvers, the configuration data identifies the name servers which
+should be the primary sources of information.
+
+The domain system defines procedures for accessing the data and for
+referrals to other name servers. The domain system also defines
+procedures for caching retrieved data and for periodic refreshing of
+data defined by the system administrator.
+
+The system administrators provide:
+
+ - The definition of zone boundaries.
+
+ - Master files of data.
+
+ - Updates to master files.
+
+ - Statements of the refresh policies desired.
+
+The domain system provides:
+
+ - Standard formats for resource data.
+
+ - Standard methods for querying the database.
+
+ - Standard methods for name servers to refresh local data from
+ foreign name servers.
+
+
+
+
+
+Mockapetris [Page 5]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+2.4. Elements of the DNS
+
+The DNS has three major components:
+
+ - The DOMAIN NAME SPACE and RESOURCE RECORDS, which are
+ specifications for a tree structured name space and data
+ associated with the names. Conceptually, each node and leaf
+ of the domain name space tree names a set of information, and
+ query operations are attempts to extract specific types of
+ information from a particular set. A query names the domain
+ name of interest and describes the type of resource
+ information that is desired. For example, the Internet
+ uses some of its domain names to identify hosts; queries for
+ address resources return Internet host addresses.
+
+ - NAME SERVERS are server programs which hold information about
+ the domain tree's structure and set information. A name
+ server may cache structure or set information about any part
+ of the domain tree, but in general a particular name server
+ has complete information about a subset of the domain space,
+ and pointers to other name servers that can be used to lead to
+ information from any part of the domain tree. Name servers
+ know the parts of the domain tree for which they have complete
+ information; a name server is said to be an AUTHORITY for
+ these parts of the name space. Authoritative information is
+ organized into units called ZONEs, and these zones can be
+ automatically distributed to the name servers which provide
+ redundant service for the data in a zone.
+
+ - RESOLVERS are programs that extract information from name
+ servers in response to client requests. Resolvers must be
+ able to access at least one name server and use that name
+ server's information to answer a query directly, or pursue the
+ query using referrals to other name servers. A resolver will
+ typically be a system routine that is directly accessible to
+ user programs; hence no protocol is necessary between the
+ resolver and the user program.
+
+These three components roughly correspond to the three layers or views
+of the domain system:
+
+ - From the user's point of view, the domain system is accessed
+ through a simple procedure or OS call to a local resolver.
+ The domain space consists of a single tree and the user can
+ request information from any section of the tree.
+
+ - From the resolver's point of view, the domain system is
+ composed of an unknown number of name servers. Each name
+
+
+
+Mockapetris [Page 6]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ server has one or more pieces of the whole domain tree's data,
+ but the resolver views each of these databases as essentially
+ static.
+
+ - From a name server's point of view, the domain system consists
+ of separate sets of local information called zones. The name
+ server has local copies of some of the zones. The name server
+ must periodically refresh its zones from master copies in
+ local files or foreign name servers. The name server must
+ concurrently process queries that arrive from resolvers.
+
+In the interests of performance, implementations may couple these
+functions. For example, a resolver on the same machine as a name server
+might share a database consisting of the the zones managed by the name
+server and the cache managed by the resolver.
+
+3. DOMAIN NAME SPACE and RESOURCE RECORDS
+
+3.1. Name space specifications and terminology
+
+The domain name space is a tree structure. Each node and leaf on the
+tree corresponds to a resource set (which may be empty). The domain
+system makes no distinctions between the uses of the interior nodes and
+leaves, and this memo uses the term "node" to refer to both.
+
+Each node has a label, which is zero to 63 octets in length. Brother
+nodes may not have the same label, although the same label can be used
+for nodes which are not brothers. One label is reserved, and that is
+the null (i.e., zero length) label used for the root.
+
+The domain name of a node is the list of the labels on the path from the
+node to the root of the tree. By convention, the labels that compose a
+domain name are printed or read left to right, from the most specific
+(lowest, farthest from the root) to the least specific (highest, closest
+to the root).
+
+Internally, programs that manipulate domain names should represent them
+as sequences of labels, where each label is a length octet followed by
+an octet string. Because all domain names end at the root, which has a
+null string for a label, these internal representations can use a length
+byte of zero to terminate a domain name.
+
+By convention, domain names can be stored with arbitrary case, but
+domain name comparisons for all present domain functions are done in a
+case-insensitive manner, assuming an ASCII character set, and a high
+order zero bit. This means that you are free to create a node with
+label "A" or a node with label "a", but not both as brothers; you could
+refer to either using "a" or "A". When you receive a domain name or
+
+
+
+Mockapetris [Page 7]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+label, you should preserve its case. The rationale for this choice is
+that we may someday need to add full binary domain names for new
+services; existing services would not be changed.
+
+When a user needs to type a domain name, the length of each label is
+omitted and the labels are separated by dots ("."). Since a complete
+domain name ends with the root label, this leads to a printed form which
+ends in a dot. We use this property to distinguish between:
+
+ - a character string which represents a complete domain name
+ (often called "absolute"). For example, "poneria.ISI.EDU."
+
+ - a character string that represents the starting labels of a
+ domain name which is incomplete, and should be completed by
+ local software using knowledge of the local domain (often
+ called "relative"). For example, "poneria" used in the
+ ISI.EDU domain.
+
+Relative names are either taken relative to a well known origin, or to a
+list of domains used as a search list. Relative names appear mostly at
+the user interface, where their interpretation varies from
+implementation to implementation, and in master files, where they are
+relative to a single origin domain name. The most common interpretation
+uses the root "." as either the single origin or as one of the members
+of the search list, so a multi-label relative name is often one where
+the trailing dot has been omitted to save typing.
+
+To simplify implementations, the total number of octets that represent a
+domain name (i.e., the sum of all label octets and label lengths) is
+limited to 255.
+
+A domain is identified by a domain name, and consists of that part of
+the domain name space that is at or below the domain name which
+specifies the domain. A domain is a subdomain of another domain if it
+is contained within that domain. This relationship can be tested by
+seeing if the subdomain's name ends with the containing domain's name.
+For example, A.B.C.D is a subdomain of B.C.D, C.D, D, and " ".
+
+3.2. Administrative guidelines on use
+
+As a matter of policy, the DNS technical specifications do not mandate a
+particular tree structure or rules for selecting labels; its goal is to
+be as general as possible, so that it can be used to build arbitrary
+applications. In particular, the system was designed so that the name
+space did not have to be organized along the lines of network
+boundaries, name servers, etc. The rationale for this is not that the
+name space should have no implied semantics, but rather that the choice
+of implied semantics should be left open to be used for the problem at
+
+
+
+Mockapetris [Page 8]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+hand, and that different parts of the tree can have different implied
+semantics. For example, the IN-ADDR.ARPA domain is organized and
+distributed by network and host address because its role is to translate
+from network or host numbers to names; NetBIOS domains [RFC-1001, RFC-
+1002] are flat because that is appropriate for that application.
+
+However, there are some guidelines that apply to the "normal" parts of
+the name space used for hosts, mailboxes, etc., that will make the name
+space more uniform, provide for growth, and minimize problems as
+software is converted from the older host table. The political
+decisions about the top levels of the tree originated in RFC-920.
+Current policy for the top levels is discussed in [RFC-1032]. MILNET
+conversion issues are covered in [RFC-1031].
+
+Lower domains which will eventually be broken into multiple zones should
+provide branching at the top of the domain so that the eventual
+decomposition can be done without renaming. Node labels which use
+special characters, leading digits, etc., are likely to break older
+software which depends on more restrictive choices.
+
+3.3. Technical guidelines on use
+
+Before the DNS can be used to hold naming information for some kind of
+object, two needs must be met:
+
+ - A convention for mapping between object names and domain
+ names. This describes how information about an object is
+ accessed.
+
+ - RR types and data formats for describing the object.
+
+These rules can be quite simple or fairly complex. Very often, the
+designer must take into account existing formats and plan for upward
+compatibility for existing usage. Multiple mappings or levels of
+mapping may be required.
+
+For hosts, the mapping depends on the existing syntax for host names
+which is a subset of the usual text representation for domain names,
+together with RR formats for describing host addresses, etc. Because we
+need a reliable inverse mapping from address to host name, a special
+mapping for addresses into the IN-ADDR.ARPA domain is also defined.
+
+For mailboxes, the mapping is slightly more complex. The usual mail
+address <local-part>@<mail-domain> is mapped into a domain name by
+converting <local-part> into a single label (regardles of dots it
+contains), converting <mail-domain> into a domain name using the usual
+text format for domain names (dots denote label breaks), and
+concatenating the two to form a single domain name. Thus the mailbox
+
+
+
+Mockapetris [Page 9]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+HOSTMASTER@SRI-NIC.ARPA is represented as a domain name by
+HOSTMASTER.SRI-NIC.ARPA. An appreciation for the reasons behind this
+design also must take into account the scheme for mail exchanges [RFC-
+974].
+
+The typical user is not concerned with defining these rules, but should
+understand that they usually are the result of numerous compromises
+between desires for upward compatibility with old usage, interactions
+between different object definitions, and the inevitable urge to add new
+features when defining the rules. The way the DNS is used to support
+some object is often more crucial than the restrictions inherent in the
+DNS.
+
+3.4. Example name space
+
+The following figure shows a part of the current domain name space, and
+is used in many examples in this RFC. Note that the tree is a very
+small subset of the actual name space.
+
+ |
+ |
+ +---------------------+------------------+
+ | | |
+ MIL EDU ARPA
+ | | |
+ | | |
+ +-----+-----+ | +------+-----+-----+
+ | | | | | | |
+ BRL NOSC DARPA | IN-ADDR SRI-NIC ACC
+ |
+ +--------+------------------+---------------+--------+
+ | | | | |
+ UCI MIT | UDEL YALE
+ | ISI
+ | |
+ +---+---+ |
+ | | |
+ LCS ACHILLES +--+-----+-----+--------+
+ | | | | | |
+ XX A C VAXA VENERA Mockapetris
+
+In this example, the root domain has three immediate subdomains: MIL,
+EDU, and ARPA. The LCS.MIT.EDU domain has one immediate subdomain named
+XX.LCS.MIT.EDU. All of the leaves are also domains.
+
+3.5. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+
+
+
+Mockapetris [Page 10]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+for constructing domain names. The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822. When creating a new host name,
+the old rules for HOSTS.TXT should be followed. This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case. That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names. They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen. There are also some
+restrictions on the length. Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+3.6. Resource Records
+
+A domain name identifies a node. Each node has a set of resource
+
+
+
+Mockapetris [Page 11]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+information, which may be empty. The set of resource information
+associated with a particular name is composed of separate resource
+records (RRs). The order of RRs in a set is not significant, and need
+not be preserved by name servers, resolvers, or other parts of the DNS.
+
+When we talk about a specific RR, we assume it has the following:
+
+owner which is the domain name where the RR is found.
+
+type which is an encoded 16 bit value that specifies the type
+ of the resource in this resource record. Types refer to
+ abstract resources.
+
+ This memo uses the following types:
+
+ A a host address
+
+ CNAME identifies the canonical name of an
+ alias
+
+ HINFO identifies the CPU and OS used by a host
+
+ MX identifies a mail exchange for the
+ domain. See [RFC-974 for details.
+
+ NS
+ the authoritative name server for the domain
+
+ PTR
+ a pointer to another part of the domain name space
+
+ SOA
+ identifies the start of a zone of authority]
+
+class which is an encoded 16 bit value which identifies a
+ protocol family or instance of a protocol.
+
+ This memo uses the following classes:
+
+ IN the Internet system
+
+ CH the Chaos system
+
+TTL which is the time to live of the RR. This field is a 32
+ bit integer in units of seconds, an is primarily used by
+ resolvers when they cache RRs. The TTL describes how
+ long a RR can be cached before it should be discarded.
+
+
+
+
+Mockapetris [Page 12]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+RDATA which is the type and sometimes class dependent data
+ which describes the resource:
+
+ A For the IN class, a 32 bit IP address
+
+ For the CH class, a domain name followed
+ by a 16 bit octal Chaos address.
+
+ CNAME a domain name.
+
+ MX a 16 bit preference value (lower is
+ better) followed by a host name willing
+ to act as a mail exchange for the owner
+ domain.
+
+ NS a host name.
+
+ PTR a domain name.
+
+ SOA several fields.
+
+The owner name is often implicit, rather than forming an integral part
+of the RR. For example, many name servers internally form tree or hash
+structures for the name space, and chain RRs off nodes. The remaining
+RR parts are the fixed header (type, class, TTL) which is consistent for
+all RRs, and a variable part (RDATA) that fits the needs of the resource
+being described.
+
+The meaning of the TTL field is a time limit on how long an RR can be
+kept in a cache. This limit does not apply to authoritative data in
+zones; it is also timed out, but by the refreshing policies for the
+zone. The TTL is assigned by the administrator for the zone where the
+data originates. While short TTLs can be used to minimize caching, and
+a zero TTL prohibits caching, the realities of Internet performance
+suggest that these times should be on the order of days for the typical
+host. If a change can be anticipated, the TTL can be reduced prior to
+the change to minimize inconsistency during the change, and then
+increased back to its former value following the change.
+
+The data in the RDATA section of RRs is carried as a combination of
+binary strings and domain names. The domain names are frequently used
+as "pointers" to other data in the DNS.
+
+3.6.1. Textual expression of RRs
+
+RRs are represented in binary form in the packets of the DNS protocol,
+and are usually represented in highly encoded form when stored in a name
+server or resolver. In this memo, we adopt a style similar to that used
+
+
+
+Mockapetris [Page 13]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+in master files in order to show the contents of RRs. In this format,
+most RRs are shown on a single line, although continuation lines are
+possible using parentheses.
+
+The start of the line gives the owner of the RR. If a line begins with
+a blank, then the owner is assumed to be the same as that of the
+previous RR. Blank lines are often included for readability.
+
+Following the owner, we list the TTL, type, and class of the RR. Class
+and type use the mnemonics defined above, and TTL is an integer before
+the type field. In order to avoid ambiguity in parsing, type and class
+mnemonics are disjoint, TTLs are integers, and the type mnemonic is
+always last. The IN class and TTL values are often omitted from examples
+in the interests of clarity.
+
+The resource data or RDATA section of the RR are given using knowledge
+of the typical representation for the data.
+
+For example, we might show the RRs carried in a message as:
+
+ ISI.EDU. MX 10 VENERA.ISI.EDU.
+ MX 10 VAXA.ISI.EDU.
+ VENERA.ISI.EDU. A 128.9.0.32
+ A 10.1.0.52
+ VAXA.ISI.EDU. A 10.2.0.27
+ A 128.9.0.33
+
+The MX RRs have an RDATA section which consists of a 16 bit number
+followed by a domain name. The address RRs use a standard IP address
+format to contain a 32 bit internet address.
+
+This example shows six RRs, with two RRs at each of three domain names.
+
+Similarly we might see:
+
+ XX.LCS.MIT.EDU. IN A 10.0.0.44
+ CH A MIT.EDU. 2420
+
+This example shows two addresses for XX.LCS.MIT.EDU, each of a different
+class.
+
+3.6.2. Aliases and canonical names
+
+In existing systems, hosts and other resources often have several names
+that identify the same resource. For example, the names C.ISI.EDU and
+USC-ISIC.ARPA both identify the same host. Similarly, in the case of
+mailboxes, many organizations provide many names that actually go to the
+same mailbox; for example Mockapetris@C.ISI.EDU, Mockapetris@B.ISI.EDU,
+
+
+
+Mockapetris [Page 14]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+and PVM@ISI.EDU all go to the same mailbox (although the mechanism
+behind this is somewhat complicated).
+
+Most of these systems have a notion that one of the equivalent set of
+names is the canonical or primary name and all others are aliases.
+
+The domain system provides such a feature using the canonical name
+(CNAME) RR. A CNAME RR identifies its owner name as an alias, and
+specifies the corresponding canonical name in the RDATA section of the
+RR. If a CNAME RR is present at a node, no other data should be
+present; this ensures that the data for a canonical name and its aliases
+cannot be different. This rule also insures that a cached CNAME can be
+used without checking with an authoritative server for other RR types.
+
+CNAME RRs cause special action in DNS software. When a name server
+fails to find a desired RR in the resource set associated with the
+domain name, it checks to see if the resource set consists of a CNAME
+record with a matching class. If so, the name server includes the CNAME
+record in the response and restarts the query at the domain name
+specified in the data field of the CNAME record. The one exception to
+this rule is that queries which match the CNAME type are not restarted.
+
+For example, suppose a name server was processing a query with for USC-
+ISIC.ARPA, asking for type A information, and had the following resource
+records:
+
+ USC-ISIC.ARPA IN CNAME C.ISI.EDU
+
+ C.ISI.EDU IN A 10.0.0.52
+
+Both of these RRs would be returned in the response to the type A query,
+while a type CNAME or * query should return just the CNAME.
+
+Domain names in RRs which point at another name should always point at
+the primary name and not the alias. This avoids extra indirections in
+accessing information. For example, the address to name RR for the
+above host should be:
+
+ 52.0.0.10.IN-ADDR.ARPA IN PTR C.ISI.EDU
+
+rather than pointing at USC-ISIC.ARPA. Of course, by the robustness
+principle, domain software should not fail when presented with CNAME
+chains or loops; CNAME chains should be followed and CNAME loops
+signalled as an error.
+
+3.7. Queries
+
+Queries are messages which may be sent to a name server to provoke a
+
+
+
+Mockapetris [Page 15]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+response. In the Internet, queries are carried in UDP datagrams or over
+TCP connections. The response by the name server either answers the
+question posed in the query, refers the requester to another set of name
+servers, or signals some error condition.
+
+In general, the user does not generate queries directly, but instead
+makes a request to a resolver which in turn sends one or more queries to
+name servers and deals with the error conditions and referrals that may
+result. Of course, the possible questions which can be asked in a query
+does shape the kind of service a resolver can provide.
+
+DNS queries and responses are carried in a standard message format. The
+message format has a header containing a number of fixed fields which
+are always present, and four sections which carry query parameters and
+RRs.
+
+The most important field in the header is a four bit field called an
+opcode which separates different queries. Of the possible 16 values,
+one (standard query) is part of the official protocol, two (inverse
+query and status query) are options, one (completion) is obsolete, and
+the rest are unassigned.
+
+The four sections are:
+
+Question Carries the query name and other query parameters.
+
+Answer Carries RRs which directly answer the query.
+
+Authority Carries RRs which describe other authoritative servers.
+ May optionally carry the SOA RR for the authoritative
+ data in the answer section.
+
+Additional Carries RRs which may be helpful in using the RRs in the
+ other sections.
+
+Note that the content, but not the format, of these sections varies with
+header opcode.
+
+3.7.1. Standard queries
+
+A standard query specifies a target domain name (QNAME), query type
+(QTYPE), and query class (QCLASS) and asks for RRs which match. This
+type of query makes up such a vast majority of DNS queries that we use
+the term "query" to mean standard query unless otherwise specified. The
+QTYPE and QCLASS fields are each 16 bits long, and are a superset of
+defined types and classes.
+
+
+
+
+
+Mockapetris [Page 16]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+The QTYPE field may contain:
+
+<any type> matches just that type. (e.g., A, PTR).
+
+AXFR special zone transfer QTYPE.
+
+MAILB matches all mail box related RRs (e.g. MB and MG).
+
+* matches all RR types.
+
+The QCLASS field may contain:
+
+<any class> matches just that class (e.g., IN, CH).
+
+* matches aLL RR classes.
+
+Using the query domain name, QTYPE, and QCLASS, the name server looks
+for matching RRs. In addition to relevant records, the name server may
+return RRs that point toward a name server that has the desired
+information or RRs that are expected to be useful in interpreting the
+relevant RRs. For example, a name server that doesn't have the
+requested information may know a name server that does; a name server
+that returns a domain name in a relevant RR may also return the RR that
+binds that domain name to an address.
+
+For example, a mailer tying to send mail to Mockapetris@ISI.EDU might
+ask the resolver for mail information about ISI.EDU, resulting in a
+query for QNAME=ISI.EDU, QTYPE=MX, QCLASS=IN. The response's answer
+section would be:
+
+ ISI.EDU. MX 10 VENERA.ISI.EDU.
+ MX 10 VAXA.ISI.EDU.
+
+while the additional section might be:
+
+ VAXA.ISI.EDU. A 10.2.0.27
+ A 128.9.0.33
+ VENERA.ISI.EDU. A 10.1.0.52
+ A 128.9.0.32
+
+Because the server assumes that if the requester wants mail exchange
+information, it will probably want the addresses of the mail exchanges
+soon afterward.
+
+Note that the QCLASS=* construct requires special interpretation
+regarding authority. Since a particular name server may not know all of
+the classes available in the domain system, it can never know if it is
+authoritative for all classes. Hence responses to QCLASS=* queries can
+
+
+
+Mockapetris [Page 17]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+never be authoritative.
+
+3.7.2. Inverse queries (Optional)
+
+Name servers may also support inverse queries that map a particular
+resource to a domain name or domain names that have that resource. For
+example, while a standard query might map a domain name to a SOA RR, the
+corresponding inverse query might map the SOA RR back to the domain
+name.
+
+Implementation of this service is optional in a name server, but all
+name servers must at least be able to understand an inverse query
+message and return a not-implemented error response.
+
+The domain system cannot guarantee the completeness or uniqueness of
+inverse queries because the domain system is organized by domain name
+rather than by host address or any other resource type. Inverse queries
+are primarily useful for debugging and database maintenance activities.
+
+Inverse queries may not return the proper TTL, and do not indicate cases
+where the identified RR is one of a set (for example, one address for a
+host having multiple addresses). Therefore, the RRs returned in inverse
+queries should never be cached.
+
+Inverse queries are NOT an acceptable method for mapping host addresses
+to host names; use the IN-ADDR.ARPA domain instead.
+
+A detailed discussion of inverse queries is contained in [RFC-1035].
+
+3.8. Status queries (Experimental)
+
+To be defined.
+
+3.9. Completion queries (Obsolete)
+
+The optional completion services described in RFCs 882 and 883 have been
+deleted. Redesigned services may become available in the future, or the
+opcodes may be reclaimed for other use.
+
+4. NAME SERVERS
+
+4.1. Introduction
+
+Name servers are the repositories of information that make up the domain
+database. The database is divided up into sections called zones, which
+are distributed among the name servers. While name servers can have
+several optional functions and sources of data, the essential task of a
+name server is to answer queries using data in its zones. By design,
+
+
+
+Mockapetris [Page 18]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+name servers can answer queries in a simple manner; the response can
+always be generated using only local data, and either contains the
+answer to the question or a referral to other name servers "closer" to
+the desired information.
+
+A given zone will be available from several name servers to insure its
+availability in spite of host or communication link failure. By
+administrative fiat, we require every zone to be available on at least
+two servers, and many zones have more redundancy than that.
+
+A given name server will typically support one or more zones, but this
+gives it authoritative information about only a small section of the
+domain tree. It may also have some cached non-authoritative data about
+other parts of the tree. The name server marks its responses to queries
+so that the requester can tell whether the response comes from
+authoritative data or not.
+
+4.2. How the database is divided into zones
+
+The domain database is partitioned in two ways: by class, and by "cuts"
+made in the name space between nodes.
+
+The class partition is simple. The database for any class is organized,
+delegated, and maintained separately from all other classes. Since, by
+convention, the name spaces are the same for all classes, the separate
+classes can be thought of as an array of parallel namespace trees. Note
+that the data attached to nodes will be different for these different
+parallel classes. The most common reasons for creating a new class are
+the necessity for a new data format for existing types or a desire for a
+separately managed version of the existing name space.
+
+Within a class, "cuts" in the name space can be made between any two
+adjacent nodes. After all cuts are made, each group of connected name
+space is a separate zone. The zone is said to be authoritative for all
+names in the connected region. Note that the "cuts" in the name space
+may be in different places for different classes, the name servers may
+be different, etc.
+
+These rules mean that every zone has at least one node, and hence domain
+name, for which it is authoritative, and all of the nodes in a
+particular zone are connected. Given, the tree structure, every zone
+has a highest node which is closer to the root than any other node in
+the zone. The name of this node is often used to identify the zone.
+
+It would be possible, though not particularly useful, to partition the
+name space so that each domain name was in a separate zone or so that
+all nodes were in a single zone. Instead, the database is partitioned
+at points where a particular organization wants to take over control of
+
+
+
+Mockapetris [Page 19]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+a subtree. Once an organization controls its own zone it can
+unilaterally change the data in the zone, grow new tree sections
+connected to the zone, delete existing nodes, or delegate new subzones
+under its zone.
+
+If the organization has substructure, it may want to make further
+internal partitions to achieve nested delegations of name space control.
+In some cases, such divisions are made purely to make database
+maintenance more convenient.
+
+4.2.1. Technical considerations
+
+The data that describes a zone has four major parts:
+
+ - Authoritative data for all nodes within the zone.
+
+ - Data that defines the top node of the zone (can be thought of
+ as part of the authoritative data).
+
+ - Data that describes delegated subzones, i.e., cuts around the
+ bottom of the zone.
+
+ - Data that allows access to name servers for subzones
+ (sometimes called "glue" data).
+
+All of this data is expressed in the form of RRs, so a zone can be
+completely described in terms of a set of RRs. Whole zones can be
+transferred between name servers by transferring the RRs, either carried
+in a series of messages or by FTPing a master file which is a textual
+representation.
+
+The authoritative data for a zone is simply all of the RRs attached to
+all of the nodes from the top node of the zone down to leaf nodes or
+nodes above cuts around the bottom edge of the zone.
+
+Though logically part of the authoritative data, the RRs that describe
+the top node of the zone are especially important to the zone's
+management. These RRs are of two types: name server RRs that list, one
+per RR, all of the servers for the zone, and a single SOA RR that
+describes zone management parameters.
+
+The RRs that describe cuts around the bottom of the zone are NS RRs that
+name the servers for the subzones. Since the cuts are between nodes,
+these RRs are NOT part of the authoritative data of the zone, and should
+be exactly the same as the corresponding RRs in the top node of the
+subzone. Since name servers are always associated with zone boundaries,
+NS RRs are only found at nodes which are the top node of some zone. In
+the data that makes up a zone, NS RRs are found at the top node of the
+
+
+
+Mockapetris [Page 20]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+zone (and are authoritative) and at cuts around the bottom of the zone
+(where they are not authoritative), but never in between.
+
+One of the goals of the zone structure is that any zone have all the
+data required to set up communications with the name servers for any
+subzones. That is, parent zones have all the information needed to
+access servers for their children zones. The NS RRs that name the
+servers for subzones are often not enough for this task since they name
+the servers, but do not give their addresses. In particular, if the
+name of the name server is itself in the subzone, we could be faced with
+the situation where the NS RRs tell us that in order to learn a name
+server's address, we should contact the server using the address we wish
+to learn. To fix this problem, a zone contains "glue" RRs which are not
+part of the authoritative data, and are address RRs for the servers.
+These RRs are only necessary if the name server's name is "below" the
+cut, and are only used as part of a referral response.
+
+4.2.2. Administrative considerations
+
+When some organization wants to control its own domain, the first step
+is to identify the proper parent zone, and get the parent zone's owners
+to agree to the delegation of control. While there are no particular
+technical constraints dealing with where in the tree this can be done,
+there are some administrative groupings discussed in [RFC-1032] which
+deal with top level organization, and middle level zones are free to
+create their own rules. For example, one university might choose to use
+a single zone, while another might choose to organize by subzones
+dedicated to individual departments or schools. [RFC-1033] catalogs
+available DNS software an discusses administration procedures.
+
+Once the proper name for the new subzone is selected, the new owners
+should be required to demonstrate redundant name server support. Note
+that there is no requirement that the servers for a zone reside in a
+host which has a name in that domain. In many cases, a zone will be
+more accessible to the internet at large if its servers are widely
+distributed rather than being within the physical facilities controlled
+by the same organization that manages the zone. For example, in the
+current DNS, one of the name servers for the United Kingdom, or UK
+domain, is found in the US. This allows US hosts to get UK data without
+using limited transatlantic bandwidth.
+
+As the last installation step, the delegation NS RRs and glue RRs
+necessary to make the delegation effective should be added to the parent
+zone. The administrators of both zones should insure that the NS and
+glue RRs which mark both sides of the cut are consistent and remain so.
+
+4.3. Name server internals
+
+
+
+
+Mockapetris [Page 21]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+4.3.1. Queries and responses
+
+The principal activity of name servers is to answer standard queries.
+Both the query and its response are carried in a standard message format
+which is described in [RFC-1035]. The query contains a QTYPE, QCLASS,
+and QNAME, which describe the types and classes of desired information
+and the name of interest.
+
+The way that the name server answers the query depends upon whether it
+is operating in recursive mode or not:
+
+ - The simplest mode for the server is non-recursive, since it
+ can answer queries using only local information: the response
+ contains an error, the answer, or a referral to some other
+ server "closer" to the answer. All name servers must
+ implement non-recursive queries.
+
+ - The simplest mode for the client is recursive, since in this
+ mode the name server acts in the role of a resolver and
+ returns either an error or the answer, but never referrals.
+ This service is optional in a name server, and the name server
+ may also choose to restrict the clients which can use
+ recursive mode.
+
+Recursive service is helpful in several situations:
+
+ - a relatively simple requester that lacks the ability to use
+ anything other than a direct answer to the question.
+
+ - a request that needs to cross protocol or other boundaries and
+ can be sent to a server which can act as intermediary.
+
+ - a network where we want to concentrate the cache rather than
+ having a separate cache for each client.
+
+Non-recursive service is appropriate if the requester is capable of
+pursuing referrals and interested in information which will aid future
+requests.
+
+The use of recursive mode is limited to cases where both the client and
+the name server agree to its use. The agreement is negotiated through
+the use of two bits in query and response messages:
+
+ - The recursion available, or RA bit, is set or cleared by a
+ name server in all responses. The bit is true if the name
+ server is willing to provide recursive service for the client,
+ regardless of whether the client requested recursive service.
+ That is, RA signals availability rather than use.
+
+
+
+Mockapetris [Page 22]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ - Queries contain a bit called recursion desired or RD. This
+ bit specifies specifies whether the requester wants recursive
+ service for this query. Clients may request recursive service
+ from any name server, though they should depend upon receiving
+ it only from servers which have previously sent an RA, or
+ servers which have agreed to provide service through private
+ agreement or some other means outside of the DNS protocol.
+
+The recursive mode occurs when a query with RD set arrives at a server
+which is willing to provide recursive service; the client can verify
+that recursive mode was used by checking that both RA and RD are set in
+the reply. Note that the name server should never perform recursive
+service unless asked via RD, since this interferes with trouble shooting
+of name servers and their databases.
+
+If recursive service is requested and available, the recursive response
+to a query will be one of the following:
+
+ - The answer to the query, possibly preface by one or more CNAME
+ RRs that specify aliases encountered on the way to an answer.
+
+ - A name error indicating that the name does not exist. This
+ may include CNAME RRs that indicate that the original query
+ name was an alias for a name which does not exist.
+
+ - A temporary error indication.
+
+If recursive service is not requested or is not available, the non-
+recursive response will be one of the following:
+
+ - An authoritative name error indicating that the name does not
+ exist.
+
+ - A temporary error indication.
+
+ - Some combination of:
+
+ RRs that answer the question, together with an indication
+ whether the data comes from a zone or is cached.
+
+ A referral to name servers which have zones which are closer
+ ancestors to the name than the server sending the reply.
+
+ - RRs that the name server thinks will prove useful to the
+ requester.
+
+
+
+
+
+
+Mockapetris [Page 23]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+4.3.2. Algorithm
+
+The actual algorithm used by the name server will depend on the local OS
+and data structures used to store RRs. The following algorithm assumes
+that the RRs are organized in several tree structures, one for each
+zone, and another for the cache:
+
+ 1. Set or clear the value of recursion available in the response
+ depending on whether the name server is willing to provide
+ recursive service. If recursive service is available and
+ requested via the RD bit in the query, go to step 5,
+ otherwise step 2.
+
+ 2. Search the available zones for the zone which is the nearest
+ ancestor to QNAME. If such a zone is found, go to step 3,
+ otherwise step 4.
+
+ 3. Start matching down, label by label, in the zone. The
+ matching process can terminate several ways:
+
+ a. If the whole of QNAME is matched, we have found the
+ node.
+
+ If the data at the node is a CNAME, and QTYPE doesn't
+ match CNAME, copy the CNAME RR into the answer section
+ of the response, change QNAME to the canonical name in
+ the CNAME RR, and go back to step 1.
+
+ Otherwise, copy all RRs which match QTYPE into the
+ answer section and go to step 6.
+
+ b. If a match would take us out of the authoritative data,
+ we have a referral. This happens when we encounter a
+ node with NS RRs marking cuts along the bottom of a
+ zone.
+
+ Copy the NS RRs for the subzone into the authority
+ section of the reply. Put whatever addresses are
+ available into the additional section, using glue RRs
+ if the addresses are not available from authoritative
+ data or the cache. Go to step 4.
+
+ c. If at some label, a match is impossible (i.e., the
+ corresponding label does not exist), look to see if a
+ the "*" label exists.
+
+ If the "*" label does not exist, check whether the name
+ we are looking for is the original QNAME in the query
+
+
+
+Mockapetris [Page 24]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ or a name we have followed due to a CNAME. If the name
+ is original, set an authoritative name error in the
+ response and exit. Otherwise just exit.
+
+ If the "*" label does exist, match RRs at that node
+ against QTYPE. If any match, copy them into the answer
+ section, but set the owner of the RR to be QNAME, and
+ not the node with the "*" label. Go to step 6.
+
+ 4. Start matching down in the cache. If QNAME is found in the
+ cache, copy all RRs attached to it that match QTYPE into the
+ answer section. If there was no delegation from
+ authoritative data, look for the best one from the cache, and
+ put it in the authority section. Go to step 6.
+
+ 5. Using the local resolver or a copy of its algorithm (see
+ resolver section of this memo) to answer the query. Store
+ the results, including any intermediate CNAMEs, in the answer
+ section of the response.
+
+ 6. Using local data only, attempt to add other RRs which may be
+ useful to the additional section of the query. Exit.
+
+4.3.3. Wildcards
+
+In the previous algorithm, special treatment was given to RRs with owner
+names starting with the label "*". Such RRs are called wildcards.
+Wildcard RRs can be thought of as instructions for synthesizing RRs.
+When the appropriate conditions are met, the name server creates RRs
+with an owner name equal to the query name and contents taken from the
+wildcard RRs.
+
+This facility is most often used to create a zone which will be used to
+forward mail from the Internet to some other mail system. The general
+idea is that any name in that zone which is presented to server in a
+query will be assumed to exist, with certain properties, unless explicit
+evidence exists to the contrary. Note that the use of the term zone
+here, instead of domain, is intentional; such defaults do not propagate
+across zone boundaries, although a subzone may choose to achieve that
+appearance by setting up similar defaults.
+
+The contents of the wildcard RRs follows the usual rules and formats for
+RRs. The wildcards in the zone have an owner name that controls the
+query names they will match. The owner name of the wildcard RRs is of
+the form "*.<anydomain>", where <anydomain> is any domain name.
+<anydomain> should not contain other * labels, and should be in the
+authoritative data of the zone. The wildcards potentially apply to
+descendants of <anydomain>, but not to <anydomain> itself. Another way
+
+
+
+Mockapetris [Page 25]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+to look at this is that the "*" label always matches at least one whole
+label and sometimes more, but always whole labels.
+
+Wildcard RRs do not apply:
+
+ - When the query is in another zone. That is, delegation cancels
+ the wildcard defaults.
+
+ - When the query name or a name between the wildcard domain and
+ the query name is know to exist. For example, if a wildcard
+ RR has an owner name of "*.X", and the zone also contains RRs
+ attached to B.X, the wildcards would apply to queries for name
+ Z.X (presuming there is no explicit information for Z.X), but
+ not to B.X, A.B.X, or X.
+
+A * label appearing in a query name has no special effect, but can be
+used to test for wildcards in an authoritative zone; such a query is the
+only way to get a response containing RRs with an owner name with * in
+it. The result of such a query should not be cached.
+
+Note that the contents of the wildcard RRs are not modified when used to
+synthesize RRs.
+
+To illustrate the use of wildcard RRs, suppose a large company with a
+large, non-IP/TCP, network wanted to create a mail gateway. If the
+company was called X.COM, and IP/TCP capable gateway machine was called
+A.X.COM, the following RRs might be entered into the COM zone:
+
+ X.COM MX 10 A.X.COM
+
+ *.X.COM MX 10 A.X.COM
+
+ A.X.COM A 1.2.3.4
+ A.X.COM MX 10 A.X.COM
+
+ *.A.X.COM MX 10 A.X.COM
+
+This would cause any MX query for any domain name ending in X.COM to
+return an MX RR pointing at A.X.COM. Two wildcard RRs are required
+since the effect of the wildcard at *.X.COM is inhibited in the A.X.COM
+subtree by the explicit data for A.X.COM. Note also that the explicit
+MX data at X.COM and A.X.COM is required, and that none of the RRs above
+would match a query name of XX.COM.
+
+4.3.4. Negative response caching (Optional)
+
+The DNS provides an optional service which allows name servers to
+distribute, and resolvers to cache, negative results with TTLs. For
+
+
+
+Mockapetris [Page 26]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+example, a name server can distribute a TTL along with a name error
+indication, and a resolver receiving such information is allowed to
+assume that the name does not exist during the TTL period without
+consulting authoritative data. Similarly, a resolver can make a query
+with a QTYPE which matches multiple types, and cache the fact that some
+of the types are not present.
+
+This feature can be particularly important in a system which implements
+naming shorthands that use search lists beacuse a popular shorthand,
+which happens to require a suffix toward the end of the search list,
+will generate multiple name errors whenever it is used.
+
+The method is that a name server may add an SOA RR to the additional
+section of a response when that response is authoritative. The SOA must
+be that of the zone which was the source of the authoritative data in
+the answer section, or name error if applicable. The MINIMUM field of
+the SOA controls the length of time that the negative result may be
+cached.
+
+Note that in some circumstances, the answer section may contain multiple
+owner names. In this case, the SOA mechanism should only be used for
+the data which matches QNAME, which is the only authoritative data in
+this section.
+
+Name servers and resolvers should never attempt to add SOAs to the
+additional section of a non-authoritative response, or attempt to infer
+results which are not directly stated in an authoritative response.
+There are several reasons for this, including: cached information isn't
+usually enough to match up RRs and their zone names, SOA RRs may be
+cached due to direct SOA queries, and name servers are not required to
+output the SOAs in the authority section.
+
+This feature is optional, although a refined version is expected to
+become part of the standard protocol in the future. Name servers are
+not required to add the SOA RRs in all authoritative responses, nor are
+resolvers required to cache negative results. Both are recommended.
+All resolvers and recursive name servers are required to at least be
+able to ignore the SOA RR when it is present in a response.
+
+Some experiments have also been proposed which will use this feature.
+The idea is that if cached data is known to come from a particular zone,
+and if an authoritative copy of the zone's SOA is obtained, and if the
+zone's SERIAL has not changed since the data was cached, then the TTL of
+the cached data can be reset to the zone MINIMUM value if it is smaller.
+This usage is mentioned for planning purposes only, and is not
+recommended as yet.
+
+
+
+
+
+Mockapetris [Page 27]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+4.3.5. Zone maintenance and transfers
+
+Part of the job of a zone administrator is to maintain the zones at all
+of the name servers which are authoritative for the zone. When the
+inevitable changes are made, they must be distributed to all of the name
+servers. While this distribution can be accomplished using FTP or some
+other ad hoc procedure, the preferred method is the zone transfer part
+of the DNS protocol.
+
+The general model of automatic zone transfer or refreshing is that one
+of the name servers is the master or primary for the zone. Changes are
+coordinated at the primary, typically by editing a master file for the
+zone. After editing, the administrator signals the master server to
+load the new zone. The other non-master or secondary servers for the
+zone periodically check for changes (at a selectable interval) and
+obtain new zone copies when changes have been made.
+
+To detect changes, secondaries just check the SERIAL field of the SOA
+for the zone. In addition to whatever other changes are made, the
+SERIAL field in the SOA of the zone is always advanced whenever any
+change is made to the zone. The advancing can be a simple increment, or
+could be based on the write date and time of the master file, etc. The
+purpose is to make it possible to determine which of two copies of a
+zone is more recent by comparing serial numbers. Serial number advances
+and comparisons use sequence space arithmetic, so there is a theoretic
+limit on how fast a zone can be updated, basically that old copies must
+die out before the serial number covers half of its 32 bit range. In
+practice, the only concern is that the compare operation deals properly
+with comparisons around the boundary between the most positive and most
+negative 32 bit numbers.
+
+The periodic polling of the secondary servers is controlled by
+parameters in the SOA RR for the zone, which set the minimum acceptable
+polling intervals. The parameters are called REFRESH, RETRY, and
+EXPIRE. Whenever a new zone is loaded in a secondary, the secondary
+waits REFRESH seconds before checking with the primary for a new serial.
+If this check cannot be completed, new checks are started every RETRY
+seconds. The check is a simple query to the primary for the SOA RR of
+the zone. If the serial field in the secondary's zone copy is equal to
+the serial returned by the primary, then no changes have occurred, and
+the REFRESH interval wait is restarted. If the secondary finds it
+impossible to perform a serial check for the EXPIRE interval, it must
+assume that its copy of the zone is obsolete an discard it.
+
+When the poll shows that the zone has changed, then the secondary server
+must request a zone transfer via an AXFR request for the zone. The AXFR
+may cause an error, such as refused, but normally is answered by a
+sequence of response messages. The first and last messages must contain
+
+
+
+Mockapetris [Page 28]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+the data for the top authoritative node of the zone. Intermediate
+messages carry all of the other RRs from the zone, including both
+authoritative and non-authoritative RRs. The stream of messages allows
+the secondary to construct a copy of the zone. Because accuracy is
+essential, TCP or some other reliable protocol must be used for AXFR
+requests.
+
+Each secondary server is required to perform the following operations
+against the master, but may also optionally perform these operations
+against other secondary servers. This strategy can improve the transfer
+process when the primary is unavailable due to host downtime or network
+problems, or when a secondary server has better network access to an
+"intermediate" secondary than to the primary.
+
+5. RESOLVERS
+
+5.1. Introduction
+
+Resolvers are programs that interface user programs to domain name
+servers. In the simplest case, a resolver receives a request from a
+user program (e.g., mail programs, TELNET, FTP) in the form of a
+subroutine call, system call etc., and returns the desired information
+in a form compatible with the local host's data formats.
+
+The resolver is located on the same machine as the program that requests
+the resolver's services, but it may need to consult name servers on
+other hosts. Because a resolver may need to consult several name
+servers, or may have the requested information in a local cache, the
+amount of time that a resolver will take to complete can vary quite a
+bit, from milliseconds to several seconds.
+
+A very important goal of the resolver is to eliminate network delay and
+name server load from most requests by answering them from its cache of
+prior results. It follows that caches which are shared by multiple
+processes, users, machines, etc., are more efficient than non-shared
+caches.
+
+5.2. Client-resolver interface
+
+5.2.1. Typical functions
+
+The client interface to the resolver is influenced by the local host's
+conventions, but the typical resolver-client interface has three
+functions:
+
+ 1. Host name to host address translation.
+
+ This function is often defined to mimic a previous HOSTS.TXT
+
+
+
+Mockapetris [Page 29]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ based function. Given a character string, the caller wants
+ one or more 32 bit IP addresses. Under the DNS, it
+ translates into a request for type A RRs. Since the DNS does
+ not preserve the order of RRs, this function may choose to
+ sort the returned addresses or select the "best" address if
+ the service returns only one choice to the client. Note that
+ a multiple address return is recommended, but a single
+ address may be the only way to emulate prior HOSTS.TXT
+ services.
+
+ 2. Host address to host name translation
+
+ This function will often follow the form of previous
+ functions. Given a 32 bit IP address, the caller wants a
+ character string. The octets of the IP address are reversed,
+ used as name components, and suffixed with "IN-ADDR.ARPA". A
+ type PTR query is used to get the RR with the primary name of
+ the host. For example, a request for the host name
+ corresponding to IP address 1.2.3.4 looks for PTR RRs for
+ domain name "4.3.2.1.IN-ADDR.ARPA".
+
+ 3. General lookup function
+
+ This function retrieves arbitrary information from the DNS,
+ and has no counterpart in previous systems. The caller
+ supplies a QNAME, QTYPE, and QCLASS, and wants all of the
+ matching RRs. This function will often use the DNS format
+ for all RR data instead of the local host's, and returns all
+ RR content (e.g., TTL) instead of a processed form with local
+ quoting conventions.
+
+When the resolver performs the indicated function, it usually has one of
+the following results to pass back to the client:
+
+ - One or more RRs giving the requested data.
+
+ In this case the resolver returns the answer in the
+ appropriate format.
+
+ - A name error (NE).
+
+ This happens when the referenced name does not exist. For
+ example, a user may have mistyped a host name.
+
+ - A data not found error.
+
+ This happens when the referenced name exists, but data of the
+ appropriate type does not. For example, a host address
+
+
+
+Mockapetris [Page 30]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ function applied to a mailbox name would return this error
+ since the name exists, but no address RR is present.
+
+It is important to note that the functions for translating between host
+names and addresses may combine the "name error" and "data not found"
+error conditions into a single type of error return, but the general
+function should not. One reason for this is that applications may ask
+first for one type of information about a name followed by a second
+request to the same name for some other type of information; if the two
+errors are combined, then useless queries may slow the application.
+
+5.2.2. Aliases
+
+While attempting to resolve a particular request, the resolver may find
+that the name in question is an alias. For example, the resolver might
+find that the name given for host name to address translation is an
+alias when it finds the CNAME RR. If possible, the alias condition
+should be signalled back from the resolver to the client.
+
+In most cases a resolver simply restarts the query at the new name when
+it encounters a CNAME. However, when performing the general function,
+the resolver should not pursue aliases when the CNAME RR matches the
+query type. This allows queries which ask whether an alias is present.
+For example, if the query type is CNAME, the user is interested in the
+CNAME RR itself, and not the RRs at the name it points to.
+
+Several special conditions can occur with aliases. Multiple levels of
+aliases should be avoided due to their lack of efficiency, but should
+not be signalled as an error. Alias loops and aliases which point to
+non-existent names should be caught and an error condition passed back
+to the client.
+
+5.2.3. Temporary failures
+
+In a less than perfect world, all resolvers will occasionally be unable
+to resolve a particular request. This condition can be caused by a
+resolver which becomes separated from the rest of the network due to a
+link failure or gateway problem, or less often by coincident failure or
+unavailability of all servers for a particular domain.
+
+It is essential that this sort of condition should not be signalled as a
+name or data not present error to applications. This sort of behavior
+is annoying to humans, and can wreak havoc when mail systems use the
+DNS.
+
+While in some cases it is possible to deal with such a temporary problem
+by blocking the request indefinitely, this is usually not a good choice,
+particularly when the client is a server process that could move on to
+
+
+
+Mockapetris [Page 31]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+other tasks. The recommended solution is to always have temporary
+failure as one of the possible results of a resolver function, even
+though this may make emulation of existing HOSTS.TXT functions more
+difficult.
+
+5.3. Resolver internals
+
+Every resolver implementation uses slightly different algorithms, and
+typically spends much more logic dealing with errors of various sorts
+than typical occurances. This section outlines a recommended basic
+strategy for resolver operation, but leaves details to [RFC-1035].
+
+5.3.1. Stub resolvers
+
+One option for implementing a resolver is to move the resolution
+function out of the local machine and into a name server which supports
+recursive queries. This can provide an easy method of providing domain
+service in a PC which lacks the resources to perform the resolver
+function, or can centralize the cache for a whole local network or
+organization.
+
+All that the remaining stub needs is a list of name server addresses
+that will perform the recursive requests. This type of resolver
+presumably needs the information in a configuration file, since it
+probably lacks the sophistication to locate it in the domain database.
+The user also needs to verify that the listed servers will perform the
+recursive service; a name server is free to refuse to perform recursive
+services for any or all clients. The user should consult the local
+system administrator to find name servers willing to perform the
+service.
+
+This type of service suffers from some drawbacks. Since the recursive
+requests may take an arbitrary amount of time to perform, the stub may
+have difficulty optimizing retransmission intervals to deal with both
+lost UDP packets and dead servers; the name server can be easily
+overloaded by too zealous a stub if it interprets retransmissions as new
+requests. Use of TCP may be an answer, but TCP may well place burdens
+on the host's capabilities which are similar to those of a real
+resolver.
+
+5.3.2. Resources
+
+In addition to its own resources, the resolver may also have shared
+access to zones maintained by a local name server. This gives the
+resolver the advantage of more rapid access, but the resolver must be
+careful to never let cached information override zone data. In this
+discussion the term "local information" is meant to mean the union of
+the cache and such shared zones, with the understanding that
+
+
+
+Mockapetris [Page 32]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+authoritative data is always used in preference to cached data when both
+are present.
+
+The following resolver algorithm assumes that all functions have been
+converted to a general lookup function, and uses the following data
+structures to represent the state of a request in progress in the
+resolver:
+
+SNAME the domain name we are searching for.
+
+STYPE the QTYPE of the search request.
+
+SCLASS the QCLASS of the search request.
+
+SLIST a structure which describes the name servers and the
+ zone which the resolver is currently trying to query.
+ This structure keeps track of the resolver's current
+ best guess about which name servers hold the desired
+ information; it is updated when arriving information
+ changes the guess. This structure includes the
+ equivalent of a zone name, the known name servers for
+ the zone, the known addresses for the name servers, and
+ history information which can be used to suggest which
+ server is likely to be the best one to try next. The
+ zone name equivalent is a match count of the number of
+ labels from the root down which SNAME has in common with
+ the zone being queried; this is used as a measure of how
+ "close" the resolver is to SNAME.
+
+SBELT a "safety belt" structure of the same form as SLIST,
+ which is initialized from a configuration file, and
+ lists servers which should be used when the resolver
+ doesn't have any local information to guide name server
+ selection. The match count will be -1 to indicate that
+ no labels are known to match.
+
+CACHE A structure which stores the results from previous
+ responses. Since resolvers are responsible for
+ discarding old RRs whose TTL has expired, most
+ implementations convert the interval specified in
+ arriving RRs to some sort of absolute time when the RR
+ is stored in the cache. Instead of counting the TTLs
+ down individually, the resolver just ignores or discards
+ old RRs when it runs across them in the course of a
+ search, or discards them during periodic sweeps to
+ reclaim the memory consumed by old RRs.
+
+
+
+
+
+Mockapetris [Page 33]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+5.3.3. Algorithm
+
+The top level algorithm has four steps:
+
+ 1. See if the answer is in local information, and if so return
+ it to the client.
+
+ 2. Find the best servers to ask.
+
+ 3. Send them queries until one returns a response.
+
+ 4. Analyze the response, either:
+
+ a. if the response answers the question or contains a name
+ error, cache the data as well as returning it back to
+ the client.
+
+ b. if the response contains a better delegation to other
+ servers, cache the delegation information, and go to
+ step 2.
+
+ c. if the response shows a CNAME and that is not the
+ answer itself, cache the CNAME, change the SNAME to the
+ canonical name in the CNAME RR and go to step 1.
+
+ d. if the response shows a servers failure or other
+ bizarre contents, delete the server from the SLIST and
+ go back to step 3.
+
+Step 1 searches the cache for the desired data. If the data is in the
+cache, it is assumed to be good enough for normal use. Some resolvers
+have an option at the user interface which will force the resolver to
+ignore the cached data and consult with an authoritative server. This
+is not recommended as the default. If the resolver has direct access to
+a name server's zones, it should check to see if the desired data is
+present in authoritative form, and if so, use the authoritative data in
+preference to cached data.
+
+Step 2 looks for a name server to ask for the required data. The
+general strategy is to look for locally-available name server RRs,
+starting at SNAME, then the parent domain name of SNAME, the
+grandparent, and so on toward the root. Thus if SNAME were
+Mockapetris.ISI.EDU, this step would look for NS RRs for
+Mockapetris.ISI.EDU, then ISI.EDU, then EDU, and then . (the root).
+These NS RRs list the names of hosts for a zone at or above SNAME. Copy
+the names into SLIST. Set up their addresses using local data. It may
+be the case that the addresses are not available. The resolver has many
+choices here; the best is to start parallel resolver processes looking
+
+
+
+Mockapetris [Page 34]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+for the addresses while continuing onward with the addresses which are
+available. Obviously, the design choices and options are complicated
+and a function of the local host's capabilities. The recommended
+priorities for the resolver designer are:
+
+ 1. Bound the amount of work (packets sent, parallel processes
+ started) so that a request can't get into an infinite loop or
+ start off a chain reaction of requests or queries with other
+ implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
+ SOME DATA.
+
+ 2. Get back an answer if at all possible.
+
+ 3. Avoid unnecessary transmissions.
+
+ 4. Get the answer as quickly as possible.
+
+If the search for NS RRs fails, then the resolver initializes SLIST from
+the safety belt SBELT. The basic idea is that when the resolver has no
+idea what servers to ask, it should use information from a configuration
+file that lists several servers which are expected to be helpful.
+Although there are special situations, the usual choice is two of the
+root servers and two of the servers for the host's domain. The reason
+for two of each is for redundancy. The root servers will provide
+eventual access to all of the domain space. The two local servers will
+allow the resolver to continue to resolve local names if the local
+network becomes isolated from the internet due to gateway or link
+failure.
+
+In addition to the names and addresses of the servers, the SLIST data
+structure can be sorted to use the best servers first, and to insure
+that all addresses of all servers are used in a round-robin manner. The
+sorting can be a simple function of preferring addresses on the local
+network over others, or may involve statistics from past events, such as
+previous response times and batting averages.
+
+Step 3 sends out queries until a response is received. The strategy is
+to cycle around all of the addresses for all of the servers with a
+timeout between each transmission. In practice it is important to use
+all addresses of a multihomed host, and too aggressive a retransmission
+policy actually slows response when used by multiple resolvers
+contending for the same name server and even occasionally for a single
+resolver. SLIST typically contains data values to control the timeouts
+and keep track of previous transmissions.
+
+Step 4 involves analyzing responses. The resolver should be highly
+paranoid in its parsing of responses. It should also check that the
+response matches the query it sent using the ID field in the response.
+
+
+
+Mockapetris [Page 35]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+The ideal answer is one from a server authoritative for the query which
+either gives the required data or a name error. The data is passed back
+to the user and entered in the cache for future use if its TTL is
+greater than zero.
+
+If the response shows a delegation, the resolver should check to see
+that the delegation is "closer" to the answer than the servers in SLIST
+are. This can be done by comparing the match count in SLIST with that
+computed from SNAME and the NS RRs in the delegation. If not, the reply
+is bogus and should be ignored. If the delegation is valid the NS
+delegation RRs and any address RRs for the servers should be cached.
+The name servers are entered in the SLIST, and the search is restarted.
+
+If the response contains a CNAME, the search is restarted at the CNAME
+unless the response has the data for the canonical name or if the CNAME
+is the answer itself.
+
+Details and implementation hints can be found in [RFC-1035].
+
+6. A SCENARIO
+
+In our sample domain space, suppose we wanted separate administrative
+control for the root, MIL, EDU, MIT.EDU and ISI.EDU zones. We might
+allocate name servers as follows:
+
+
+ |(C.ISI.EDU,SRI-NIC.ARPA
+ | A.ISI.EDU)
+ +---------------------+------------------+
+ | | |
+ MIL EDU ARPA
+ |(SRI-NIC.ARPA, |(SRI-NIC.ARPA, |
+ | A.ISI.EDU | C.ISI.EDU) |
+ +-----+-----+ | +------+-----+-----+
+ | | | | | | |
+ BRL NOSC DARPA | IN-ADDR SRI-NIC ACC
+ |
+ +--------+------------------+---------------+--------+
+ | | | | |
+ UCI MIT | UDEL YALE
+ |(XX.LCS.MIT.EDU, ISI
+ |ACHILLES.MIT.EDU) |(VAXA.ISI.EDU,VENERA.ISI.EDU,
+ +---+---+ | A.ISI.EDU)
+ | | |
+ LCS ACHILLES +--+-----+-----+--------+
+ | | | | | |
+ XX A C VAXA VENERA Mockapetris
+
+
+
+
+Mockapetris [Page 36]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+In this example, the authoritative name server is shown in parentheses
+at the point in the domain tree at which is assumes control.
+
+Thus the root name servers are on C.ISI.EDU, SRI-NIC.ARPA, and
+A.ISI.EDU. The MIL domain is served by SRI-NIC.ARPA and A.ISI.EDU. The
+EDU domain is served by SRI-NIC.ARPA. and C.ISI.EDU. Note that servers
+may have zones which are contiguous or disjoint. In this scenario,
+C.ISI.EDU has contiguous zones at the root and EDU domains. A.ISI.EDU
+has contiguous zones at the root and MIL domains, but also has a non-
+contiguous zone at ISI.EDU.
+
+6.1. C.ISI.EDU name server
+
+C.ISI.EDU is a name server for the root, MIL, and EDU domains of the IN
+class, and would have zones for these domains. The zone data for the
+root domain might be:
+
+ . IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
+ 870611 ;serial
+ 1800 ;refresh every 30 min
+ 300 ;retry every 5 min
+ 604800 ;expire after a week
+ 86400) ;minimum of a day
+ NS A.ISI.EDU.
+ NS C.ISI.EDU.
+ NS SRI-NIC.ARPA.
+
+ MIL. 86400 NS SRI-NIC.ARPA.
+ 86400 NS A.ISI.EDU.
+
+ EDU. 86400 NS SRI-NIC.ARPA.
+ 86400 NS C.ISI.EDU.
+
+ SRI-NIC.ARPA. A 26.0.0.73
+ A 10.0.0.51
+ MX 0 SRI-NIC.ARPA.
+ HINFO DEC-2060 TOPS20
+
+ ACC.ARPA. A 26.6.0.65
+ HINFO PDP-11/70 UNIX
+ MX 10 ACC.ARPA.
+
+ USC-ISIC.ARPA. CNAME C.ISI.EDU.
+
+ 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
+ 65.0.6.26.IN-ADDR.ARPA. PTR ACC.ARPA.
+ 51.0.0.10.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
+ 52.0.0.10.IN-ADDR.ARPA. PTR C.ISI.EDU.
+
+
+
+Mockapetris [Page 37]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ 103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
+
+ A.ISI.EDU. 86400 A 26.3.0.103
+ C.ISI.EDU. 86400 A 10.0.0.52
+
+This data is represented as it would be in a master file. Most RRs are
+single line entries; the sole exception here is the SOA RR, which uses
+"(" to start a multi-line RR and ")" to show the end of a multi-line RR.
+Since the class of all RRs in a zone must be the same, only the first RR
+in a zone need specify the class. When a name server loads a zone, it
+forces the TTL of all authoritative RRs to be at least the MINIMUM field
+of the SOA, here 86400 seconds, or one day. The NS RRs marking
+delegation of the MIL and EDU domains, together with the glue RRs for
+the servers host addresses, are not part of the authoritative data in
+the zone, and hence have explicit TTLs.
+
+Four RRs are attached to the root node: the SOA which describes the root
+zone and the 3 NS RRs which list the name servers for the root. The
+data in the SOA RR describes the management of the zone. The zone data
+is maintained on host SRI-NIC.ARPA, and the responsible party for the
+zone is HOSTMASTER@SRI-NIC.ARPA. A key item in the SOA is the 86400
+second minimum TTL, which means that all authoritative data in the zone
+has at least that TTL, although higher values may be explicitly
+specified.
+
+The NS RRs for the MIL and EDU domains mark the boundary between the
+root zone and the MIL and EDU zones. Note that in this example, the
+lower zones happen to be supported by name servers which also support
+the root zone.
+
+The master file for the EDU zone might be stated relative to the origin
+EDU. The zone data for the EDU domain might be:
+
+ EDU. IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
+ 870729 ;serial
+ 1800 ;refresh every 30 minutes
+ 300 ;retry every 5 minutes
+ 604800 ;expire after a week
+ 86400 ;minimum of a day
+ )
+ NS SRI-NIC.ARPA.
+ NS C.ISI.EDU.
+
+ UCI 172800 NS ICS.UCI
+ 172800 NS ROME.UCI
+ ICS.UCI 172800 A 192.5.19.1
+ ROME.UCI 172800 A 192.5.19.31
+
+
+
+
+Mockapetris [Page 38]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ ISI 172800 NS VAXA.ISI
+ 172800 NS A.ISI
+ 172800 NS VENERA.ISI.EDU.
+ VAXA.ISI 172800 A 10.2.0.27
+ 172800 A 128.9.0.33
+ VENERA.ISI.EDU. 172800 A 10.1.0.52
+ 172800 A 128.9.0.32
+ A.ISI 172800 A 26.3.0.103
+
+ UDEL.EDU. 172800 NS LOUIE.UDEL.EDU.
+ 172800 NS UMN-REI-UC.ARPA.
+ LOUIE.UDEL.EDU. 172800 A 10.0.0.96
+ 172800 A 192.5.39.3
+
+ YALE.EDU. 172800 NS YALE.ARPA.
+ YALE.EDU. 172800 NS YALE-BULLDOG.ARPA.
+
+ MIT.EDU. 43200 NS XX.LCS.MIT.EDU.
+ 43200 NS ACHILLES.MIT.EDU.
+ XX.LCS.MIT.EDU. 43200 A 10.0.0.44
+ ACHILLES.MIT.EDU. 43200 A 18.72.0.8
+
+Note the use of relative names here. The owner name for the ISI.EDU. is
+stated using a relative name, as are two of the name server RR contents.
+Relative and absolute domain names may be freely intermixed in a master
+
+6.2. Example standard queries
+
+The following queries and responses illustrate name server behavior.
+Unless otherwise noted, the queries do not have recursion desired (RD)
+in the header. Note that the answers to non-recursive queries do depend
+on the server being asked, but do not depend on the identity of the
+requester.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 39]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+6.2.1. QNAME=SRI-NIC.ARPA, QTYPE=A
+
+The query would look like:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+The response from C.ISI.EDU would be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
+ | 86400 IN A 10.0.0.51 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+The header of the response looks like the header of the query, except
+that the RESPONSE bit is set, indicating that this message is a
+response, not a query, and the Authoritative Answer (AA) bit is set
+indicating that the address RRs in the answer section are from
+authoritative data. The question section of the response matches the
+question section of the query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 40]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+If the same query was sent to some other server which was not
+authoritative for SRI-NIC.ARPA, the response might be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY,RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 1777 IN A 10.0.0.51 |
+ | 1777 IN A 26.0.0.73 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+This response is different from the previous one in two ways: the header
+does not have AA set, and the TTLs are different. The inference is that
+the data did not come from a zone, but from a cache. The difference
+between the authoritative TTL and the TTL here is due to aging of the
+data in a cache. The difference in ordering of the RRs in the answer
+section is not significant.
+
+6.2.2. QNAME=SRI-NIC.ARPA, QTYPE=*
+
+A query similar to the previous one, but using a QTYPE of *, would
+receive the following response from C.ISI.EDU:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
+ | A 10.0.0.51 |
+ | MX 0 SRI-NIC.ARPA. |
+ | HINFO DEC-2060 TOPS20 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 41]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+If a similar query was directed to two name servers which are not
+authoritative for SRI-NIC.ARPA, the responses might be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 12345 IN A 26.0.0.73 |
+ | A 10.0.0.51 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+and
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=* |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 1290 IN HINFO DEC-2060 TOPS20 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+Neither of these answers have AA set, so neither response comes from
+authoritative data. The different contents and different TTLs suggest
+that the two servers cached data at different times, and that the first
+server cached the response to a QTYPE=A query and the second cached the
+response to a HINFO query.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 42]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+6.2.3. QNAME=SRI-NIC.ARPA, QTYPE=MX
+
+This type of query might be result from a mailer trying to look up
+routing information for the mail destination HOSTMASTER@SRI-NIC.ARPA.
+The response from C.ISI.EDU would be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=MX |
+ +---------------------------------------------------+
+ Answer | SRI-NIC.ARPA. 86400 IN MX 0 SRI-NIC.ARPA.|
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | SRI-NIC.ARPA. 86400 IN A 26.0.0.73 |
+ | A 10.0.0.51 |
+ +---------------------------------------------------+
+
+This response contains the MX RR in the answer section of the response.
+The additional section contains the address RRs because the name server
+at C.ISI.EDU guesses that the requester will need the addresses in order
+to properly use the information carried by the MX.
+
+6.2.4. QNAME=SRI-NIC.ARPA, QTYPE=NS
+
+C.ISI.EDU would reply to this query with:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=SRI-NIC.ARPA., QCLASS=IN, QTYPE=NS |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+The only difference between the response and the query is the AA and
+RESPONSE bits in the header. The interpretation of this response is
+that the server is authoritative for the name, and the name exists, but
+no RRs of type NS are present there.
+
+6.2.5. QNAME=SIR-NIC.ARPA, QTYPE=A
+
+If a user mistyped a host name, we might see this type of query.
+
+
+
+Mockapetris [Page 43]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+C.ISI.EDU would answer it with:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA, RCODE=NE |
+ +---------------------------------------------------+
+ Question | QNAME=SIR-NIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | . SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. |
+ | 870611 1800 300 604800 86400 |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+This response states that the name does not exist. This condition is
+signalled in the response code (RCODE) section of the header.
+
+The SOA RR in the authority section is the optional negative caching
+information which allows the resolver using this response to assume that
+the name will not exist for the SOA MINIMUM (86400) seconds.
+
+6.2.6. QNAME=BRL.MIL, QTYPE=A
+
+If this query is sent to C.ISI.EDU, the reply would be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=BRL.MIL, QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | MIL. 86400 IN NS SRI-NIC.ARPA. |
+ | 86400 NS A.ISI.EDU. |
+ +---------------------------------------------------+
+ Additional | A.ISI.EDU. A 26.3.0.103 |
+ | SRI-NIC.ARPA. A 26.0.0.73 |
+ | A 10.0.0.51 |
+ +---------------------------------------------------+
+
+This response has an empty answer section, but is not authoritative, so
+it is a referral. The name server on C.ISI.EDU, realizing that it is
+not authoritative for the MIL domain, has referred the requester to
+servers on A.ISI.EDU and SRI-NIC.ARPA, which it knows are authoritative
+for the MIL domain.
+
+
+
+
+
+Mockapetris [Page 44]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+6.2.7. QNAME=USC-ISIC.ARPA, QTYPE=A
+
+The response to this query from A.ISI.EDU would be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
+ | C.ISI.EDU. 86400 IN A 10.0.0.52 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+Note that the AA bit in the header guarantees that the data matching
+QNAME is authoritative, but does not say anything about whether the data
+for C.ISI.EDU is authoritative. This complete reply is possible because
+A.ISI.EDU happens to be authoritative for both the ARPA domain where
+USC-ISIC.ARPA is found and the ISI.EDU domain where C.ISI.EDU data is
+found.
+
+If the same query was sent to C.ISI.EDU, its response might be the same
+as shown above if it had its own address in its cache, but might also
+be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 45]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
+ +---------------------------------------------------+
+ Authority | ISI.EDU. 172800 IN NS VAXA.ISI.EDU. |
+ | NS A.ISI.EDU. |
+ | NS VENERA.ISI.EDU. |
+ +---------------------------------------------------+
+ Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
+ | 172800 A 128.9.0.33 |
+ | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
+ | 172800 A 128.9.0.32 |
+ | A.ISI.EDU. 172800 A 26.3.0.103 |
+ +---------------------------------------------------+
+
+This reply contains an authoritative reply for the alias USC-ISIC.ARPA,
+plus a referral to the name servers for ISI.EDU. This sort of reply
+isn't very likely given that the query is for the host name of the name
+server being asked, but would be common for other aliases.
+
+6.2.8. QNAME=USC-ISIC.ARPA, QTYPE=CNAME
+
+If this query is sent to either A.ISI.EDU or C.ISI.EDU, the reply would
+be:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=USC-ISIC.ARPA., QCLASS=IN, QTYPE=A |
+ +---------------------------------------------------+
+ Answer | USC-ISIC.ARPA. 86400 IN CNAME C.ISI.EDU. |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+Because QTYPE=CNAME, the CNAME RR itself answers the query, and the name
+server doesn't attempt to look up anything for C.ISI.EDU. (Except
+possibly for the additional section.)
+
+6.3. Example resolution
+
+The following examples illustrate the operations a resolver must perform
+for its client. We assume that the resolver is starting without a
+
+
+
+Mockapetris [Page 46]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+cache, as might be the case after system boot. We further assume that
+the system is not one of the hosts in the data and that the host is
+located somewhere on net 26, and that its safety belt (SBELT) data
+structure has the following information:
+
+ Match count = -1
+ SRI-NIC.ARPA. 26.0.0.73 10.0.0.51
+ A.ISI.EDU. 26.3.0.103
+
+This information specifies servers to try, their addresses, and a match
+count of -1, which says that the servers aren't very close to the
+target. Note that the -1 isn't supposed to be an accurate closeness
+measure, just a value so that later stages of the algorithm will work.
+
+The following examples illustrate the use of a cache, so each example
+assumes that previous requests have completed.
+
+6.3.1. Resolve MX for ISI.EDU.
+
+Suppose the first request to the resolver comes from the local mailer,
+which has mail for PVM@ISI.EDU. The mailer might then ask for type MX
+RRs for the domain name ISI.EDU.
+
+The resolver would look in its cache for MX RRs at ISI.EDU, but the
+empty cache wouldn't be helpful. The resolver would recognize that it
+needed to query foreign servers and try to determine the best servers to
+query. This search would look for NS RRs for the domains ISI.EDU, EDU,
+and the root. These searches of the cache would also fail. As a last
+resort, the resolver would use the information from the SBELT, copying
+it into its SLIST structure.
+
+At this point the resolver would need to pick one of the three available
+addresses to try. Given that the resolver is on net 26, it should
+choose either 26.0.0.73 or 26.3.0.103 as its first choice. It would
+then send off a query of the form:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 47]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY |
+ +---------------------------------------------------+
+ Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+The resolver would then wait for a response to its query or a timeout.
+If the timeout occurs, it would try different servers, then different
+addresses of the same servers, lastly retrying addresses already tried.
+It might eventually receive a reply from SRI-NIC.ARPA:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | ISI.EDU. 172800 IN NS VAXA.ISI.EDU. |
+ | NS A.ISI.EDU. |
+ | NS VENERA.ISI.EDU.|
+ +---------------------------------------------------+
+ Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
+ | 172800 A 128.9.0.33 |
+ | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
+ | 172800 A 128.9.0.32 |
+ | A.ISI.EDU. 172800 A 26.3.0.103 |
+ +---------------------------------------------------+
+
+The resolver would notice that the information in the response gave a
+closer delegation to ISI.EDU than its existing SLIST (since it matches
+three labels). The resolver would then cache the information in this
+response and use it to set up a new SLIST:
+
+ Match count = 3
+ A.ISI.EDU. 26.3.0.103
+ VAXA.ISI.EDU. 10.2.0.27 128.9.0.33
+ VENERA.ISI.EDU. 10.1.0.52 128.9.0.32
+
+A.ISI.EDU appears on this list as well as the previous one, but that is
+purely coincidental. The resolver would again start transmitting and
+waiting for responses. Eventually it would get an answer:
+
+
+
+Mockapetris [Page 48]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=ISI.EDU., QCLASS=IN, QTYPE=MX |
+ +---------------------------------------------------+
+ Answer | ISI.EDU. MX 10 VENERA.ISI.EDU. |
+ | MX 20 VAXA.ISI.EDU. |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | VAXA.ISI.EDU. 172800 A 10.2.0.27 |
+ | 172800 A 128.9.0.33 |
+ | VENERA.ISI.EDU. 172800 A 10.1.0.52 |
+ | 172800 A 128.9.0.32 |
+ +---------------------------------------------------+
+
+The resolver would add this information to its cache, and return the MX
+RRs to its client.
+
+6.3.2. Get the host name for address 26.6.0.65
+
+The resolver would translate this into a request for PTR RRs for
+65.0.6.26.IN-ADDR.ARPA. This information is not in the cache, so the
+resolver would look for foreign servers to ask. No servers would match,
+so it would use SBELT again. (Note that the servers for the ISI.EDU
+domain are in the cache, but ISI.EDU is not an ancestor of
+65.0.6.26.IN-ADDR.ARPA, so the SBELT is used.)
+
+Since this request is within the authoritative data of both servers in
+SBELT, eventually one would return:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 49]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE, AA |
+ +---------------------------------------------------+
+ Question | QNAME=65.0.6.26.IN-ADDR.ARPA.,QCLASS=IN,QTYPE=PTR |
+ +---------------------------------------------------+
+ Answer | 65.0.6.26.IN-ADDR.ARPA. PTR ACC.ARPA. |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+6.3.3. Get the host address of poneria.ISI.EDU
+
+This request would translate into a type A request for poneria.ISI.EDU.
+The resolver would not find any cached data for this name, but would
+find the NS RRs in the cache for ISI.EDU when it looks for foreign
+servers to ask. Using this data, it would construct a SLIST of the
+form:
+
+ Match count = 3
+
+ A.ISI.EDU. 26.3.0.103
+ VAXA.ISI.EDU. 10.2.0.27 128.9.0.33
+ VENERA.ISI.EDU. 10.1.0.52
+
+A.ISI.EDU is listed first on the assumption that the resolver orders its
+choices by preference, and A.ISI.EDU is on the same network.
+
+One of these servers would answer the query.
+
+7. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87] Dyer, S., and F. Hsu, "Hesiod", Project Athena
+ Technical Plan - Name Service, April 1987, version 1.9.
+
+ Describes the fundamentals of the Hesiod name service.
+
+[IEN-116] J. Postel, "Internet Name Server", IEN-116,
+ USC/Information Sciences Institute, August 1979.
+
+ A name service obsoleted by the Domain Name System, but
+ still in use.
+
+
+
+
+
+
+
+
+Mockapetris [Page 50]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+[Quarterman 86] Quarterman, J., and J. Hoskins, "Notable Computer
+ Networks",Communications of the ACM, October 1986,
+ volume 29, number 10.
+
+[RFC-742] K. Harrenstien, "NAME/FINGER", RFC-742, Network
+ Information Center, SRI International, December 1977.
+
+[RFC-768] J. Postel, "User Datagram Protocol", RFC-768,
+ USC/Information Sciences Institute, August 1980.
+
+[RFC-793] J. Postel, "Transmission Control Protocol", RFC-793,
+ USC/Information Sciences Institute, September 1981.
+
+[RFC-799] D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+ September 1981.
+
+ Suggests introduction of a hierarchy in place of a flat
+ name space for the Internet.
+
+[RFC-805] J. Postel, "Computer Mail Meeting Notes", RFC-805,
+ USC/Information Sciences Institute, February 1982.
+
+[RFC-810] E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+ Internet Host Table Specification", RFC-810, Network
+ Information Center, SRI International, March 1982.
+
+ Obsolete. See RFC-952.
+
+[RFC-811] K. Harrenstien, V. White, and E. Feinler, "Hostnames
+ Server", RFC-811, Network Information Center, SRI
+ International, March 1982.
+
+ Obsolete. See RFC-953.
+
+[RFC-812] K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+ Network Information Center, SRI International, March
+ 1982.
+
+[RFC-819] Z. Su, and J. Postel, "The Domain Naming Convention for
+ Internet User Applications", RFC-819, Network
+ Information Center, SRI International, August 1982.
+
+ Early thoughts on the design of the domain system.
+ Current implementation is completely different.
+
+[RFC-821] J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+ USC/Information Sciences Institute, August 1980.
+
+
+
+
+Mockapetris [Page 51]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+[RFC-830] Z. Su, "A Distributed System for Internet Name Service",
+ RFC-830, Network Information Center, SRI International,
+ October 1982.
+
+ Early thoughts on the design of the domain system.
+ Current implementation is completely different.
+
+[RFC-882] P. Mockapetris, "Domain names - Concepts and
+ Facilities," RFC-882, USC/Information Sciences
+ Institute, November 1983.
+
+ Superceeded by this memo.
+
+[RFC-883] P. Mockapetris, "Domain names - Implementation and
+ Specification," RFC-883, USC/Information Sciences
+ Institute, November 1983.
+
+ Superceeded by this memo.
+
+[RFC-920] J. Postel and J. Reynolds, "Domain Requirements",
+ RFC-920, USC/Information Sciences Institute
+ October 1984.
+
+ Explains the naming scheme for top level domains.
+
+[RFC-952] K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+ Table Specification", RFC-952, SRI, October 1985.
+
+ Specifies the format of HOSTS.TXT, the host/address
+ table replaced by the DNS.
+
+[RFC-953] K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+ RFC-953, SRI, October 1985.
+
+ This RFC contains the official specification of the
+ hostname server protocol, which is obsoleted by the DNS.
+ This TCP based protocol accesses information stored in
+ the RFC-952 format, and is used to obtain copies of the
+ host table.
+
+[RFC-973] P. Mockapetris, "Domain System Changes and
+ Observations", RFC-973, USC/Information Sciences
+ Institute, January 1986.
+
+ Describes changes to RFC-882 and RFC-883 and reasons for
+ them. Now obsolete.
+
+
+
+
+
+Mockapetris [Page 52]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+[RFC-974] C. Partridge, "Mail routing and the domain system",
+ RFC-974, CSNET CIC BBN Labs, January 1986.
+
+ Describes the transition from HOSTS.TXT based mail
+ addressing to the more powerful MX system used with the
+ domain system.
+
+[RFC-1001] NetBIOS Working Group, "Protocol standard for a NetBIOS
+ service on a TCP/UDP transport: Concepts and Methods",
+ RFC-1001, March 1987.
+
+ This RFC and RFC-1002 are a preliminary design for
+ NETBIOS on top of TCP/IP which proposes to base NetBIOS
+ name service on top of the DNS.
+
+[RFC-1002] NetBIOS Working Group, "Protocol standard for a NetBIOS
+ service on a TCP/UDP transport: Detailed
+ Specifications", RFC-1002, March 1987.
+
+[RFC-1010] J. Reynolds and J. Postel, "Assigned Numbers", RFC-1010,
+ USC/Information Sciences Institute, May 1987
+
+ Contains socket numbers and mnemonics for host names,
+ operating systems, etc.
+
+[RFC-1031] W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+ November 1987.
+
+ Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032] M. K. Stahl, "Establishing a Domain - Guidelines for
+ Administrators", RFC-1032, November 1987.
+
+ Describes the registration policies used by the NIC to
+ administer the top level domains and delegate subzones.
+
+[RFC-1033] M. K. Lottor, "Domain Administrators Operations Guide",
+ RFC-1033, November 1987.
+
+ A cookbook for domain administrators.
+
+[Solomon 82] M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+ Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+ Describes a name service for CSNET which is independent
+ from the DNS and DNS use in the CSNET.
+
+
+
+
+
+Mockapetris [Page 53]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+Index
+
+ A 12
+ Absolute names 8
+ Aliases 14, 31
+ Authority 6
+ AXFR 17
+
+ Case of characters 7
+ CH 12
+ CNAME 12, 13, 31
+ Completion queries 18
+
+ Domain name 6, 7
+
+ Glue RRs 20
+
+ HINFO 12
+
+ IN 12
+ Inverse queries 16
+ Iterative 4
+
+ Label 7
+
+ Mailbox names 9
+ MX 12
+
+ Name error 27, 36
+ Name servers 5, 17
+ NE 30
+ Negative caching 44
+ NS 12
+
+ Opcode 16
+
+ PTR 12
+
+ QCLASS 16
+ QTYPE 16
+
+ RDATA 13
+ Recursive 4
+ Recursive service 22
+ Relative names 7
+ Resolvers 6
+ RR 12
+
+
+
+
+Mockapetris [Page 54]
+
+RFC 1034 Domain Concepts and Facilities November 1987
+
+
+ Safety belt 33
+ Sections 16
+ SOA 12
+ Standard queries 22
+
+ Status queries 18
+ Stub resolvers 32
+
+ TTL 12, 13
+
+ Wildcards 25
+
+ Zone transfers 28
+ Zones 19
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 55]
+
diff --git a/contrib/bind9/doc/rfc/rfc1035.txt b/contrib/bind9/doc/rfc/rfc1035.txt
new file mode 100644
index 0000000..b1a9bf5
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1035.txt
@@ -0,0 +1,3077 @@
+Network Working Group P. Mockapetris
+Request for Comments: 1035 ISI
+ November 1987
+Obsoletes: RFCs 882, 883, 973
+
+ DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
+
+
+1. STATUS OF THIS MEMO
+
+This RFC describes the details of the domain system and protocol, and
+assumes that the reader is familiar with the concepts discussed in a
+companion RFC, "Domain Names - Concepts and Facilities" [RFC-1034].
+
+The domain system is a mixture of functions and data types which are an
+official protocol and functions and data types which are still
+experimental. Since the domain system is intentionally extensible, new
+data types and experimental behavior should always be expected in parts
+of the system beyond the official protocol. The official protocol parts
+include standard queries, responses and the Internet class RR data
+formats (e.g., host addresses). Since the previous RFC set, several
+definitions have changed, so some previous definitions are obsolete.
+
+Experimental or obsolete features are clearly marked in these RFCs, and
+such information should be used with caution.
+
+The reader is especially cautioned not to depend on the values which
+appear in examples to be current or complete, since their purpose is
+primarily pedagogical. Distribution of this memo is unlimited.
+
+ Table of Contents
+
+ 1. STATUS OF THIS MEMO 1
+ 2. INTRODUCTION 3
+ 2.1. Overview 3
+ 2.2. Common configurations 4
+ 2.3. Conventions 7
+ 2.3.1. Preferred name syntax 7
+ 2.3.2. Data Transmission Order 8
+ 2.3.3. Character Case 9
+ 2.3.4. Size limits 10
+ 3. DOMAIN NAME SPACE AND RR DEFINITIONS 10
+ 3.1. Name space definitions 10
+ 3.2. RR definitions 11
+ 3.2.1. Format 11
+ 3.2.2. TYPE values 12
+ 3.2.3. QTYPE values 12
+ 3.2.4. CLASS values 13
+
+
+
+Mockapetris [Page 1]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ 3.2.5. QCLASS values 13
+ 3.3. Standard RRs 13
+ 3.3.1. CNAME RDATA format 14
+ 3.3.2. HINFO RDATA format 14
+ 3.3.3. MB RDATA format (EXPERIMENTAL) 14
+ 3.3.4. MD RDATA format (Obsolete) 15
+ 3.3.5. MF RDATA format (Obsolete) 15
+ 3.3.6. MG RDATA format (EXPERIMENTAL) 16
+ 3.3.7. MINFO RDATA format (EXPERIMENTAL) 16
+ 3.3.8. MR RDATA format (EXPERIMENTAL) 17
+ 3.3.9. MX RDATA format 17
+ 3.3.10. NULL RDATA format (EXPERIMENTAL) 17
+ 3.3.11. NS RDATA format 18
+ 3.3.12. PTR RDATA format 18
+ 3.3.13. SOA RDATA format 19
+ 3.3.14. TXT RDATA format 20
+ 3.4. ARPA Internet specific RRs 20
+ 3.4.1. A RDATA format 20
+ 3.4.2. WKS RDATA format 21
+ 3.5. IN-ADDR.ARPA domain 22
+ 3.6. Defining new types, classes, and special namespaces 24
+ 4. MESSAGES 25
+ 4.1. Format 25
+ 4.1.1. Header section format 26
+ 4.1.2. Question section format 28
+ 4.1.3. Resource record format 29
+ 4.1.4. Message compression 30
+ 4.2. Transport 32
+ 4.2.1. UDP usage 32
+ 4.2.2. TCP usage 32
+ 5. MASTER FILES 33
+ 5.1. Format 33
+ 5.2. Use of master files to define zones 35
+ 5.3. Master file example 36
+ 6. NAME SERVER IMPLEMENTATION 37
+ 6.1. Architecture 37
+ 6.1.1. Control 37
+ 6.1.2. Database 37
+ 6.1.3. Time 39
+ 6.2. Standard query processing 39
+ 6.3. Zone refresh and reload processing 39
+ 6.4. Inverse queries (Optional) 40
+ 6.4.1. The contents of inverse queries and responses 40
+ 6.4.2. Inverse query and response example 41
+ 6.4.3. Inverse query processing 42
+
+
+
+
+
+
+Mockapetris [Page 2]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ 6.5. Completion queries and responses 42
+ 7. RESOLVER IMPLEMENTATION 43
+ 7.1. Transforming a user request into a query 43
+ 7.2. Sending the queries 44
+ 7.3. Processing responses 46
+ 7.4. Using the cache 47
+ 8. MAIL SUPPORT 47
+ 8.1. Mail exchange binding 48
+ 8.2. Mailbox binding (Experimental) 48
+ 9. REFERENCES and BIBLIOGRAPHY 50
+ Index 54
+
+2. INTRODUCTION
+
+2.1. Overview
+
+The goal of domain names is to provide a mechanism for naming resources
+in such a way that the names are usable in different hosts, networks,
+protocol families, internets, and administrative organizations.
+
+From the user's point of view, domain names are useful as arguments to a
+local agent, called a resolver, which retrieves information associated
+with the domain name. Thus a user might ask for the host address or
+mail information associated with a particular domain name. To enable
+the user to request a particular type of information, an appropriate
+query type is passed to the resolver with the domain name. To the user,
+the domain tree is a single information space; the resolver is
+responsible for hiding the distribution of data among name servers from
+the user.
+
+From the resolver's point of view, the database that makes up the domain
+space is distributed among various name servers. Different parts of the
+domain space are stored in different name servers, although a particular
+data item will be stored redundantly in two or more name servers. The
+resolver starts with knowledge of at least one name server. When the
+resolver processes a user query it asks a known name server for the
+information; in return, the resolver either receives the desired
+information or a referral to another name server. Using these
+referrals, resolvers learn the identities and contents of other name
+servers. Resolvers are responsible for dealing with the distribution of
+the domain space and dealing with the effects of name server failure by
+consulting redundant databases in other servers.
+
+Name servers manage two kinds of data. The first kind of data held in
+sets called zones; each zone is the complete database for a particular
+"pruned" subtree of the domain space. This data is called
+authoritative. A name server periodically checks to make sure that its
+zones are up to date, and if not, obtains a new copy of updated zones
+
+
+
+Mockapetris [Page 3]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+from master files stored locally or in another name server. The second
+kind of data is cached data which was acquired by a local resolver.
+This data may be incomplete, but improves the performance of the
+retrieval process when non-local data is repeatedly accessed. Cached
+data is eventually discarded by a timeout mechanism.
+
+This functional structure isolates the problems of user interface,
+failure recovery, and distribution in the resolvers and isolates the
+database update and refresh problems in the name servers.
+
+2.2. Common configurations
+
+A host can participate in the domain name system in a number of ways,
+depending on whether the host runs programs that retrieve information
+from the domain system, name servers that answer queries from other
+hosts, or various combinations of both functions. The simplest, and
+perhaps most typical, configuration is shown below:
+
+ Local Host | Foreign
+ |
+ +---------+ +----------+ | +--------+
+ | | user queries | |queries | | |
+ | User |-------------->| |---------|->|Foreign |
+ | Program | | Resolver | | | Name |
+ | |<--------------| |<--------|--| Server |
+ | | user responses| |responses| | |
+ +---------+ +----------+ | +--------+
+ | A |
+ cache additions | | references |
+ V | |
+ +----------+ |
+ | cache | |
+ +----------+ |
+
+User programs interact with the domain name space through resolvers; the
+format of user queries and user responses is specific to the host and
+its operating system. User queries will typically be operating system
+calls, and the resolver and its cache will be part of the host operating
+system. Less capable hosts may choose to implement the resolver as a
+subroutine to be linked in with every program that needs its services.
+Resolvers answer user queries with information they acquire via queries
+to foreign name servers and the local cache.
+
+Note that the resolver may have to make several queries to several
+different foreign name servers to answer a particular user query, and
+hence the resolution of a user query may involve several network
+accesses and an arbitrary amount of time. The queries to foreign name
+servers and the corresponding responses have a standard format described
+
+
+
+Mockapetris [Page 4]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+in this memo, and may be datagrams.
+
+Depending on its capabilities, a name server could be a stand alone
+program on a dedicated machine or a process or processes on a large
+timeshared host. A simple configuration might be:
+
+ Local Host | Foreign
+ |
+ +---------+ |
+ / /| |
+ +---------+ | +----------+ | +--------+
+ | | | | |responses| | |
+ | | | | Name |---------|->|Foreign |
+ | Master |-------------->| Server | | |Resolver|
+ | files | | | |<--------|--| |
+ | |/ | | queries | +--------+
+ +---------+ +----------+ |
+
+Here a primary name server acquires information about one or more zones
+by reading master files from its local file system, and answers queries
+about those zones that arrive from foreign resolvers.
+
+The DNS requires that all zones be redundantly supported by more than
+one name server. Designated secondary servers can acquire zones and
+check for updates from the primary server using the zone transfer
+protocol of the DNS. This configuration is shown below:
+
+ Local Host | Foreign
+ |
+ +---------+ |
+ / /| |
+ +---------+ | +----------+ | +--------+
+ | | | | |responses| | |
+ | | | | Name |---------|->|Foreign |
+ | Master |-------------->| Server | | |Resolver|
+ | files | | | |<--------|--| |
+ | |/ | | queries | +--------+
+ +---------+ +----------+ |
+ A |maintenance | +--------+
+ | +------------|->| |
+ | queries | |Foreign |
+ | | | Name |
+ +------------------|--| Server |
+ maintenance responses | +--------+
+
+In this configuration, the name server periodically establishes a
+virtual circuit to a foreign name server to acquire a copy of a zone or
+to check that an existing copy has not changed. The messages sent for
+
+
+
+Mockapetris [Page 5]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+these maintenance activities follow the same form as queries and
+responses, but the message sequences are somewhat different.
+
+The information flow in a host that supports all aspects of the domain
+name system is shown below:
+
+ Local Host | Foreign
+ |
+ +---------+ +----------+ | +--------+
+ | | user queries | |queries | | |
+ | User |-------------->| |---------|->|Foreign |
+ | Program | | Resolver | | | Name |
+ | |<--------------| |<--------|--| Server |
+ | | user responses| |responses| | |
+ +---------+ +----------+ | +--------+
+ | A |
+ cache additions | | references |
+ V | |
+ +----------+ |
+ | Shared | |
+ | database | |
+ +----------+ |
+ A | |
+ +---------+ refreshes | | references |
+ / /| | V |
+ +---------+ | +----------+ | +--------+
+ | | | | |responses| | |
+ | | | | Name |---------|->|Foreign |
+ | Master |-------------->| Server | | |Resolver|
+ | files | | | |<--------|--| |
+ | |/ | | queries | +--------+
+ +---------+ +----------+ |
+ A |maintenance | +--------+
+ | +------------|->| |
+ | queries | |Foreign |
+ | | | Name |
+ +------------------|--| Server |
+ maintenance responses | +--------+
+
+The shared database holds domain space data for the local name server
+and resolver. The contents of the shared database will typically be a
+mixture of authoritative data maintained by the periodic refresh
+operations of the name server and cached data from previous resolver
+requests. The structure of the domain data and the necessity for
+synchronization between name servers and resolvers imply the general
+characteristics of this database, but the actual format is up to the
+local implementor.
+
+
+
+
+Mockapetris [Page 6]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+Information flow can also be tailored so that a group of hosts act
+together to optimize activities. Sometimes this is done to offload less
+capable hosts so that they do not have to implement a full resolver.
+This can be appropriate for PCs or hosts which want to minimize the
+amount of new network code which is required. This scheme can also
+allow a group of hosts can share a small number of caches rather than
+maintaining a large number of separate caches, on the premise that the
+centralized caches will have a higher hit ratio. In either case,
+resolvers are replaced with stub resolvers which act as front ends to
+resolvers located in a recursive server in one or more name servers
+known to perform that service:
+
+ Local Hosts | Foreign
+ |
+ +---------+ |
+ | | responses |
+ | Stub |<--------------------+ |
+ | Resolver| | |
+ | |----------------+ | |
+ +---------+ recursive | | |
+ queries | | |
+ V | |
+ +---------+ recursive +----------+ | +--------+
+ | | queries | |queries | | |
+ | Stub |-------------->| Recursive|---------|->|Foreign |
+ | Resolver| | Server | | | Name |
+ | |<--------------| |<--------|--| Server |
+ +---------+ responses | |responses| | |
+ +----------+ | +--------+
+ | Central | |
+ | cache | |
+ +----------+ |
+
+In any case, note that domain components are always replicated for
+reliability whenever possible.
+
+2.3. Conventions
+
+The domain system has several conventions dealing with low-level, but
+fundamental, issues. While the implementor is free to violate these
+conventions WITHIN HIS OWN SYSTEM, he must observe these conventions in
+ALL behavior observed from other hosts.
+
+2.3.1. Preferred name syntax
+
+The DNS specifications attempt to be as general as possible in the rules
+for constructing domain names. The idea is that the name of any
+existing object can be expressed as a domain name with minimal changes.
+
+
+
+Mockapetris [Page 7]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+However, when assigning a domain name for an object, the prudent user
+will select a name which satisfies both the rules of the domain system
+and any existing rules for the object, whether these rules are published
+or implied by existing programs.
+
+For example, when naming a mail domain, the user should satisfy both the
+rules of this memo and those in RFC-822. When creating a new host name,
+the old rules for HOSTS.TXT should be followed. This avoids problems
+when old software is converted to use domain names.
+
+The following syntax will result in fewer problems with many
+
+applications that use domain names (e.g., mail, TELNET).
+
+<domain> ::= <subdomain> | " "
+
+<subdomain> ::= <label> | <subdomain> "." <label>
+
+<label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
+
+<ldh-str> ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
+
+<let-dig-hyp> ::= <let-dig> | "-"
+
+<let-dig> ::= <letter> | <digit>
+
+<letter> ::= any one of the 52 alphabetic characters A through Z in
+upper case and a through z in lower case
+
+<digit> ::= any one of the ten digits 0 through 9
+
+Note that while upper and lower case letters are allowed in domain
+names, no significance is attached to the case. That is, two names with
+the same spelling but different case are to be treated as if identical.
+
+The labels must follow the rules for ARPANET host names. They must
+start with a letter, end with a letter or digit, and have as interior
+characters only letters, digits, and hyphen. There are also some
+restrictions on the length. Labels must be 63 characters or less.
+
+For example, the following strings identify hosts in the Internet:
+
+A.ISI.EDU XX.LCS.MIT.EDU SRI-NIC.ARPA
+
+2.3.2. Data Transmission Order
+
+The order of transmission of the header and data described in this
+document is resolved to the octet level. Whenever a diagram shows a
+
+
+
+Mockapetris [Page 8]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+group of octets, the order of transmission of those octets is the normal
+order in which they are read in English. For example, in the following
+diagram, the octets are transmitted in the order they are numbered.
+
+ 0 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 1 | 2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 3 | 4 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 5 | 6 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+Whenever an octet represents a numeric quantity, the left most bit in
+the diagram is the high order or most significant bit. That is, the bit
+labeled 0 is the most significant bit. For example, the following
+diagram represents the value 170 (decimal).
+
+ 0 1 2 3 4 5 6 7
+ +-+-+-+-+-+-+-+-+
+ |1 0 1 0 1 0 1 0|
+ +-+-+-+-+-+-+-+-+
+
+Similarly, whenever a multi-octet field represents a numeric quantity
+the left most bit of the whole field is the most significant bit. When
+a multi-octet quantity is transmitted the most significant octet is
+transmitted first.
+
+2.3.3. Character Case
+
+For all parts of the DNS that are part of the official protocol, all
+comparisons between character strings (e.g., labels, domain names, etc.)
+are done in a case-insensitive manner. At present, this rule is in
+force throughout the domain system without exception. However, future
+additions beyond current usage may need to use the full binary octet
+capabilities in names, so attempts to store domain names in 7-bit ASCII
+or use of special bytes to terminate labels, etc., should be avoided.
+
+When data enters the domain system, its original case should be
+preserved whenever possible. In certain circumstances this cannot be
+done. For example, if two RRs are stored in a database, one at x.y and
+one at X.Y, they are actually stored at the same place in the database,
+and hence only one casing would be preserved. The basic rule is that
+case can be discarded only when data is used to define structure in a
+database, and two names are identical when compared in a case
+insensitive manner.
+
+
+
+
+Mockapetris [Page 9]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+Loss of case sensitive data must be minimized. Thus while data for x.y
+and X.Y may both be stored under a single location x.y or X.Y, data for
+a.x and B.X would never be stored under A.x, A.X, b.x, or b.X. In
+general, this preserves the case of the first label of a domain name,
+but forces standardization of interior node labels.
+
+Systems administrators who enter data into the domain database should
+take care to represent the data they supply to the domain system in a
+case-consistent manner if their system is case-sensitive. The data
+distribution system in the domain system will ensure that consistent
+representations are preserved.
+
+2.3.4. Size limits
+
+Various objects and parameters in the DNS have size limits. They are
+listed below. Some could be easily changed, others are more
+fundamental.
+
+labels 63 octets or less
+
+names 255 octets or less
+
+TTL positive values of a signed 32 bit number.
+
+UDP messages 512 octets or less
+
+3. DOMAIN NAME SPACE AND RR DEFINITIONS
+
+3.1. Name space definitions
+
+Domain names in messages are expressed in terms of a sequence of labels.
+Each label is represented as a one octet length field followed by that
+number of octets. Since every domain name ends with the null label of
+the root, a domain name is terminated by a length byte of zero. The
+high order two bits of every length octet must be zero, and the
+remaining six bits of the length field limit the label to 63 octets or
+less.
+
+To simplify implementations, the total length of a domain name (i.e.,
+label octets and label length octets) is restricted to 255 octets or
+less.
+
+Although labels can contain any 8 bit values in octets that make up a
+label, it is strongly recommended that labels follow the preferred
+syntax described elsewhere in this memo, which is compatible with
+existing host naming conventions. Name servers and resolvers must
+compare labels in a case-insensitive manner (i.e., A=a), assuming ASCII
+with zero parity. Non-alphabetic codes must match exactly.
+
+
+
+Mockapetris [Page 10]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.2. RR definitions
+
+3.2.1. Format
+
+All RRs have the same top level format shown below:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / /
+ / NAME /
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TYPE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | CLASS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TTL |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | RDLENGTH |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+ / RDATA /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+where:
+
+NAME an owner name, i.e., the name of the node to which this
+ resource record pertains.
+
+TYPE two octets containing one of the RR TYPE codes.
+
+CLASS two octets containing one of the RR CLASS codes.
+
+TTL a 32 bit signed integer that specifies the time interval
+ that the resource record may be cached before the source
+ of the information should again be consulted. Zero
+ values are interpreted to mean that the RR can only be
+ used for the transaction in progress, and should not be
+ cached. For example, SOA records are always distributed
+ with a zero TTL to prohibit caching. Zero values can
+ also be used for extremely volatile data.
+
+RDLENGTH an unsigned 16 bit integer that specifies the length in
+ octets of the RDATA field.
+
+
+
+Mockapetris [Page 11]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+RDATA a variable length string of octets that describes the
+ resource. The format of this information varies
+ according to the TYPE and CLASS of the resource record.
+
+3.2.2. TYPE values
+
+TYPE fields are used in resource records. Note that these types are a
+subset of QTYPEs.
+
+TYPE value and meaning
+
+A 1 a host address
+
+NS 2 an authoritative name server
+
+MD 3 a mail destination (Obsolete - use MX)
+
+MF 4 a mail forwarder (Obsolete - use MX)
+
+CNAME 5 the canonical name for an alias
+
+SOA 6 marks the start of a zone of authority
+
+MB 7 a mailbox domain name (EXPERIMENTAL)
+
+MG 8 a mail group member (EXPERIMENTAL)
+
+MR 9 a mail rename domain name (EXPERIMENTAL)
+
+NULL 10 a null RR (EXPERIMENTAL)
+
+WKS 11 a well known service description
+
+PTR 12 a domain name pointer
+
+HINFO 13 host information
+
+MINFO 14 mailbox or mail list information
+
+MX 15 mail exchange
+
+TXT 16 text strings
+
+3.2.3. QTYPE values
+
+QTYPE fields appear in the question part of a query. QTYPES are a
+superset of TYPEs, hence all TYPEs are valid QTYPEs. In addition, the
+following QTYPEs are defined:
+
+
+
+Mockapetris [Page 12]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+AXFR 252 A request for a transfer of an entire zone
+
+MAILB 253 A request for mailbox-related records (MB, MG or MR)
+
+MAILA 254 A request for mail agent RRs (Obsolete - see MX)
+
+* 255 A request for all records
+
+3.2.4. CLASS values
+
+CLASS fields appear in resource records. The following CLASS mnemonics
+and values are defined:
+
+IN 1 the Internet
+
+CS 2 the CSNET class (Obsolete - used only for examples in
+ some obsolete RFCs)
+
+CH 3 the CHAOS class
+
+HS 4 Hesiod [Dyer 87]
+
+3.2.5. QCLASS values
+
+QCLASS fields appear in the question section of a query. QCLASS values
+are a superset of CLASS values; every CLASS is a valid QCLASS. In
+addition to CLASS values, the following QCLASSes are defined:
+
+* 255 any class
+
+3.3. Standard RRs
+
+The following RR definitions are expected to occur, at least
+potentially, in all classes. In particular, NS, SOA, CNAME, and PTR
+will be used in all classes, and have the same format in all classes.
+Because their RDATA format is known, all domain names in the RDATA
+section of these RRs may be compressed.
+
+<domain-name> is a domain name represented as a series of labels, and
+terminated by a label with zero length. <character-string> is a single
+length octet followed by that number of characters. <character-string>
+is treated as binary information, and can be up to 256 characters in
+length (including the length octet).
+
+
+
+
+
+
+
+
+Mockapetris [Page 13]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.3.1. CNAME RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / CNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CNAME A <domain-name> which specifies the canonical or primary
+ name for the owner. The owner name is an alias.
+
+CNAME RRs cause no additional section processing, but name servers may
+choose to restart the query at the canonical name in certain cases. See
+the description of name server logic in [RFC-1034] for details.
+
+3.3.2. HINFO RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / CPU /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / OS /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+CPU A <character-string> which specifies the CPU type.
+
+OS A <character-string> which specifies the operating
+ system type.
+
+Standard values for CPU and OS can be found in [RFC-1010].
+
+HINFO records are used to acquire general information about a host. The
+main use is for protocols such as FTP that can use special procedures
+when talking between machines or operating systems of the same type.
+
+3.3.3. MB RDATA format (EXPERIMENTAL)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MADNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME A <domain-name> which specifies a host which has the
+ specified mailbox.
+
+
+
+Mockapetris [Page 14]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+MB records cause additional section processing which looks up an A type
+RRs corresponding to MADNAME.
+
+3.3.4. MD RDATA format (Obsolete)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MADNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME A <domain-name> which specifies a host which has a mail
+ agent for the domain which should be able to deliver
+ mail for the domain.
+
+MD records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MD is obsolete. See the definition of MX and [RFC-974] for details of
+the new scheme. The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 0.
+
+3.3.5. MF RDATA format (Obsolete)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MADNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MADNAME A <domain-name> which specifies a host which has a mail
+ agent for the domain which will accept mail for
+ forwarding to the domain.
+
+MF records cause additional section processing which looks up an A type
+record corresponding to MADNAME.
+
+MF is obsolete. See the definition of MX and [RFC-974] for details ofw
+the new scheme. The recommended policy for dealing with MD RRs found in
+a master file is to reject them, or to convert them to MX RRs with a
+preference of 10.
+
+
+
+
+
+
+
+Mockapetris [Page 15]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.3.6. MG RDATA format (EXPERIMENTAL)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MGMNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MGMNAME A <domain-name> which specifies a mailbox which is a
+ member of the mail group specified by the domain name.
+
+MG records cause no additional section processing.
+
+3.3.7. MINFO RDATA format (EXPERIMENTAL)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / RMAILBX /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / EMAILBX /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+RMAILBX A <domain-name> which specifies a mailbox which is
+ responsible for the mailing list or mailbox. If this
+ domain name names the root, the owner of the MINFO RR is
+ responsible for itself. Note that many existing mailing
+ lists use a mailbox X-request for the RMAILBX field of
+ mailing list X, e.g., Msgroup-request for Msgroup. This
+ field provides a more general mechanism.
+
+
+EMAILBX A <domain-name> which specifies a mailbox which is to
+ receive error messages related to the mailing list or
+ mailbox specified by the owner of the MINFO RR (similar
+ to the ERRORS-TO: field which has been proposed). If
+ this domain name names the root, errors should be
+ returned to the sender of the message.
+
+MINFO records cause no additional section processing. Although these
+records can be associated with a simple mailbox, they are usually used
+with a mailing list.
+
+
+
+
+
+
+
+
+Mockapetris [Page 16]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.3.8. MR RDATA format (EXPERIMENTAL)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / NEWNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NEWNAME A <domain-name> which specifies a mailbox which is the
+ proper rename of the specified mailbox.
+
+MR records cause no additional section processing. The main use for MR
+is as a forwarding entry for a user who has moved to a different
+mailbox.
+
+3.3.9. MX RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PREFERENCE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / EXCHANGE /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PREFERENCE A 16 bit integer which specifies the preference given to
+ this RR among others at the same owner. Lower values
+ are preferred.
+
+EXCHANGE A <domain-name> which specifies a host willing to act as
+ a mail exchange for the owner name.
+
+MX records cause type A additional section processing for the host
+specified by EXCHANGE. The use of MX RRs is explained in detail in
+[RFC-974].
+
+3.3.10. NULL RDATA format (EXPERIMENTAL)
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / <anything> /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Anything at all may be in the RDATA field so long as it is 65535 octets
+or less.
+
+
+
+
+Mockapetris [Page 17]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+NULL records cause no additional section processing. NULL RRs are not
+allowed in master files. NULLs are used as placeholders in some
+experimental extensions of the DNS.
+
+3.3.11. NS RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / NSDNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NSDNAME A <domain-name> which specifies a host which should be
+ authoritative for the specified class and domain.
+
+NS records cause both the usual additional section processing to locate
+a type A record, and, when used in a referral, a special search of the
+zone in which they reside for glue information.
+
+The NS RR states that the named host should be expected to have a zone
+starting at owner name of the specified class. Note that the class may
+not indicate the protocol family which should be used to communicate
+with the host, although it is typically a strong hint. For example,
+hosts which are name servers for either Internet (IN) or Hesiod (HS)
+class information are normally queried using IN class protocols.
+
+3.3.12. PTR RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / PTRDNAME /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+PTRDNAME A <domain-name> which points to some location in the
+ domain name space.
+
+PTR records cause no additional section processing. These RRs are used
+in special domains to point to some other location in the domain space.
+These records are simple data, and don't imply any special processing
+similar to that performed by CNAME, which identifies aliases. See the
+description of the IN-ADDR.ARPA domain for an example.
+
+
+
+
+
+
+
+
+Mockapetris [Page 18]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.3.13. SOA RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / RNAME /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | SERIAL |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | REFRESH |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | RETRY |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | EXPIRE |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | MINIMUM |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+MNAME The <domain-name> of the name server that was the
+ original or primary source of data for this zone.
+
+RNAME A <domain-name> which specifies the mailbox of the
+ person responsible for this zone.
+
+SERIAL The unsigned 32 bit version number of the original copy
+ of the zone. Zone transfers preserve this value. This
+ value wraps and should be compared using sequence space
+ arithmetic.
+
+REFRESH A 32 bit time interval before the zone should be
+ refreshed.
+
+RETRY A 32 bit time interval that should elapse before a
+ failed refresh should be retried.
+
+EXPIRE A 32 bit time value that specifies the upper limit on
+ the time interval that can elapse before the zone is no
+ longer authoritative.
+
+
+
+
+
+Mockapetris [Page 19]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+MINIMUM The unsigned 32 bit minimum TTL field that should be
+ exported with any RR from this zone.
+
+SOA records cause no additional section processing.
+
+All times are in units of seconds.
+
+Most of these fields are pertinent only for name server maintenance
+operations. However, MINIMUM is used in all query operations that
+retrieve RRs from a zone. Whenever a RR is sent in a response to a
+query, the TTL field is set to the maximum of the TTL field from the RR
+and the MINIMUM field in the appropriate SOA. Thus MINIMUM is a lower
+bound on the TTL field for all RRs in a zone. Note that this use of
+MINIMUM should occur when the RRs are copied into the response and not
+when the zone is loaded from a master file or via a zone transfer. The
+reason for this provison is to allow future dynamic update facilities to
+change the SOA RR with known semantics.
+
+
+3.3.14. TXT RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / TXT-DATA /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+TXT-DATA One or more <character-string>s.
+
+TXT RRs are used to hold descriptive text. The semantics of the text
+depends on the domain where it is found.
+
+3.4. Internet specific RRs
+
+3.4.1. A RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ADDRESS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS A 32 bit Internet address.
+
+Hosts that have multiple Internet addresses will have multiple A
+records.
+
+
+
+
+
+Mockapetris [Page 20]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+A records cause no additional section processing. The RDATA section of
+an A line in a master file is an Internet address expressed as four
+decimal numbers separated by dots without any imbedded spaces (e.g.,
+"10.2.0.52" or "192.0.5.6").
+
+3.4.2. WKS RDATA format
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ADDRESS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PROTOCOL | |
+ +--+--+--+--+--+--+--+--+ |
+ | |
+ / <BIT MAP> /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ADDRESS An 32 bit Internet address
+
+PROTOCOL An 8 bit IP protocol number
+
+<BIT MAP> A variable length bit map. The bit map must be a
+ multiple of 8 bits long.
+
+The WKS record is used to describe the well known services supported by
+a particular protocol on a particular internet address. The PROTOCOL
+field specifies an IP protocol number, and the bit map has one bit per
+port of the specified protocol. The first bit corresponds to port 0,
+the second to port 1, etc. If the bit map does not include a bit for a
+protocol of interest, that bit is assumed zero. The appropriate values
+and mnemonics for ports and protocols are specified in [RFC-1010].
+
+For example, if PROTOCOL=TCP (6), the 26th bit corresponds to TCP port
+25 (SMTP). If this bit is set, a SMTP server should be listening on TCP
+port 25; if zero, SMTP service is not supported on the specified
+address.
+
+The purpose of WKS RRs is to provide availability information for
+servers for TCP and UDP. If a server supports both TCP and UDP, or has
+multiple Internet addresses, then multiple WKS RRs are used.
+
+WKS RRs cause no additional section processing.
+
+In master files, both ports and protocols are expressed using mnemonics
+or decimal numbers.
+
+
+
+
+Mockapetris [Page 21]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.5. IN-ADDR.ARPA domain
+
+The Internet uses a special domain to support gateway location and
+Internet address to host mapping. Other classes may employ a similar
+strategy in other domains. The intent of this domain is to provide a
+guaranteed method to perform host address to host name mapping, and to
+facilitate queries to locate all gateways on a particular network in the
+Internet.
+
+Note that both of these services are similar to functions that could be
+performed by inverse queries; the difference is that this part of the
+domain name space is structured according to address, and hence can
+guarantee that the appropriate data can be located without an exhaustive
+search of the domain space.
+
+The domain begins at IN-ADDR.ARPA and has a substructure which follows
+the Internet addressing structure.
+
+Domain names in the IN-ADDR.ARPA domain are defined to have up to four
+labels in addition to the IN-ADDR.ARPA suffix. Each label represents
+one octet of an Internet address, and is expressed as a character string
+for a decimal value in the range 0-255 (with leading zeros omitted
+except in the case of a zero octet which is represented by a single
+zero).
+
+Host addresses are represented by domain names that have all four labels
+specified. Thus data for Internet address 10.2.0.52 is located at
+domain name 52.0.2.10.IN-ADDR.ARPA. The reversal, though awkward to
+read, allows zones to be delegated which are exactly one network of
+address space. For example, 10.IN-ADDR.ARPA can be a zone containing
+data for the ARPANET, while 26.IN-ADDR.ARPA can be a separate zone for
+MILNET. Address nodes are used to hold pointers to primary host names
+in the normal domain space.
+
+Network numbers correspond to some non-terminal nodes at various depths
+in the IN-ADDR.ARPA domain, since Internet network numbers are either 1,
+2, or 3 octets. Network nodes are used to hold pointers to the primary
+host names of gateways attached to that network. Since a gateway is, by
+definition, on more than one network, it will typically have two or more
+network nodes which point at it. Gateways will also have host level
+pointers at their fully qualified addresses.
+
+Both the gateway pointers at network nodes and the normal host pointers
+at full address nodes use the PTR RR to point back to the primary domain
+names of the corresponding hosts.
+
+For example, the IN-ADDR.ARPA domain will contain information about the
+ISI gateway between net 10 and 26, an MIT gateway from net 10 to MIT's
+
+
+
+Mockapetris [Page 22]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+net 18, and hosts A.ISI.EDU and MULTICS.MIT.EDU. Assuming that ISI
+gateway has addresses 10.2.0.22 and 26.0.0.103, and a name MILNET-
+GW.ISI.EDU, and the MIT gateway has addresses 10.0.0.77 and 18.10.0.4
+and a name GW.LCS.MIT.EDU, the domain database would contain:
+
+ 10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
+ 10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
+ 18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
+ 26.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
+ 22.0.2.10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
+ 103.0.0.26.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
+ 77.0.0.10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
+ 4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
+ 103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
+ 6.0.0.10.IN-ADDR.ARPA. PTR MULTICS.MIT.EDU.
+
+Thus a program which wanted to locate gateways on net 10 would originate
+a query of the form QTYPE=PTR, QCLASS=IN, QNAME=10.IN-ADDR.ARPA. It
+would receive two RRs in response:
+
+ 10.IN-ADDR.ARPA. PTR MILNET-GW.ISI.EDU.
+ 10.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
+
+The program could then originate QTYPE=A, QCLASS=IN queries for MILNET-
+GW.ISI.EDU. and GW.LCS.MIT.EDU. to discover the Internet addresses of
+these gateways.
+
+A resolver which wanted to find the host name corresponding to Internet
+host address 10.0.0.6 would pursue a query of the form QTYPE=PTR,
+QCLASS=IN, QNAME=6.0.0.10.IN-ADDR.ARPA, and would receive:
+
+ 6.0.0.10.IN-ADDR.ARPA. PTR MULTICS.MIT.EDU.
+
+Several cautions apply to the use of these services:
+ - Since the IN-ADDR.ARPA special domain and the normal domain
+ for a particular host or gateway will be in different zones,
+ the possibility exists that that the data may be inconsistent.
+
+ - Gateways will often have two names in separate domains, only
+ one of which can be primary.
+
+ - Systems that use the domain database to initialize their
+ routing tables must start with enough gateway information to
+ guarantee that they can access the appropriate name server.
+
+ - The gateway data only reflects the existence of a gateway in a
+ manner equivalent to the current HOSTS.TXT file. It doesn't
+ replace the dynamic availability information from GGP or EGP.
+
+
+
+Mockapetris [Page 23]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+3.6. Defining new types, classes, and special namespaces
+
+The previously defined types and classes are the ones in use as of the
+date of this memo. New definitions should be expected. This section
+makes some recommendations to designers considering additions to the
+existing facilities. The mailing list NAMEDROPPERS@SRI-NIC.ARPA is the
+forum where general discussion of design issues takes place.
+
+In general, a new type is appropriate when new information is to be
+added to the database about an existing object, or we need new data
+formats for some totally new object. Designers should attempt to define
+types and their RDATA formats that are generally applicable to all
+classes, and which avoid duplication of information. New classes are
+appropriate when the DNS is to be used for a new protocol, etc which
+requires new class-specific data formats, or when a copy of the existing
+name space is desired, but a separate management domain is necessary.
+
+New types and classes need mnemonics for master files; the format of the
+master files requires that the mnemonics for type and class be disjoint.
+
+TYPE and CLASS values must be a proper subset of QTYPEs and QCLASSes
+respectively.
+
+The present system uses multiple RRs to represent multiple values of a
+type rather than storing multiple values in the RDATA section of a
+single RR. This is less efficient for most applications, but does keep
+RRs shorter. The multiple RRs assumption is incorporated in some
+experimental work on dynamic update methods.
+
+The present system attempts to minimize the duplication of data in the
+database in order to insure consistency. Thus, in order to find the
+address of the host for a mail exchange, you map the mail domain name to
+a host name, then the host name to addresses, rather than a direct
+mapping to host address. This approach is preferred because it avoids
+the opportunity for inconsistency.
+
+In defining a new type of data, multiple RR types should not be used to
+create an ordering between entries or express different formats for
+equivalent bindings, instead this information should be carried in the
+body of the RR and a single type used. This policy avoids problems with
+caching multiple types and defining QTYPEs to match multiple types.
+
+For example, the original form of mail exchange binding used two RR
+types one to represent a "closer" exchange (MD) and one to represent a
+"less close" exchange (MF). The difficulty is that the presence of one
+RR type in a cache doesn't convey any information about the other
+because the query which acquired the cached information might have used
+a QTYPE of MF, MD, or MAILA (which matched both). The redesigned
+
+
+
+Mockapetris [Page 24]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+service used a single type (MX) with a "preference" value in the RDATA
+section which can order different RRs. However, if any MX RRs are found
+in the cache, then all should be there.
+
+4. MESSAGES
+
+4.1. Format
+
+All communications inside of the domain protocol are carried in a single
+format called a message. The top level format of message is divided
+into 5 sections (some of which are empty in certain cases) shown below:
+
+ +---------------------+
+ | Header |
+ +---------------------+
+ | Question | the question for the name server
+ +---------------------+
+ | Answer | RRs answering the question
+ +---------------------+
+ | Authority | RRs pointing toward an authority
+ +---------------------+
+ | Additional | RRs holding additional information
+ +---------------------+
+
+The header section is always present. The header includes fields that
+specify which of the remaining sections are present, and also specify
+whether the message is a query or a response, a standard query or some
+other opcode, etc.
+
+The names of the sections after the header are derived from their use in
+standard queries. The question section contains fields that describe a
+question to a name server. These fields are a query type (QTYPE), a
+query class (QCLASS), and a query domain name (QNAME). The last three
+sections have the same format: a possibly empty list of concatenated
+resource records (RRs). The answer section contains RRs that answer the
+question; the authority section contains RRs that point toward an
+authoritative name server; the additional records section contains RRs
+which relate to the query, but are not strictly answers for the
+question.
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 25]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+4.1.1. Header section format
+
+The header contains the following fields:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| Opcode |AA|TC|RD|RA| Z | RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QDCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ANCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | NSCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ARCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+ID A 16 bit identifier assigned by the program that
+ generates any kind of query. This identifier is copied
+ the corresponding reply and can be used by the requester
+ to match up replies to outstanding queries.
+
+QR A one bit field that specifies whether this message is a
+ query (0), or a response (1).
+
+OPCODE A four bit field that specifies kind of query in this
+ message. This value is set by the originator of a query
+ and copied into the response. The values are:
+
+ 0 a standard query (QUERY)
+
+ 1 an inverse query (IQUERY)
+
+ 2 a server status request (STATUS)
+
+ 3-15 reserved for future use
+
+AA Authoritative Answer - this bit is valid in responses,
+ and specifies that the responding name server is an
+ authority for the domain name in question section.
+
+ Note that the contents of the answer section may have
+ multiple owner names because of aliases. The AA bit
+
+
+
+Mockapetris [Page 26]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ corresponds to the name which matches the query name, or
+ the first owner name in the answer section.
+
+TC TrunCation - specifies that this message was truncated
+ due to length greater than that permitted on the
+ transmission channel.
+
+RD Recursion Desired - this bit may be set in a query and
+ is copied into the response. If RD is set, it directs
+ the name server to pursue the query recursively.
+ Recursive query support is optional.
+
+RA Recursion Available - this be is set or cleared in a
+ response, and denotes whether recursive query support is
+ available in the name server.
+
+Z Reserved for future use. Must be zero in all queries
+ and responses.
+
+RCODE Response code - this 4 bit field is set as part of
+ responses. The values have the following
+ interpretation:
+
+ 0 No error condition
+
+ 1 Format error - The name server was
+ unable to interpret the query.
+
+ 2 Server failure - The name server was
+ unable to process this query due to a
+ problem with the name server.
+
+ 3 Name Error - Meaningful only for
+ responses from an authoritative name
+ server, this code signifies that the
+ domain name referenced in the query does
+ not exist.
+
+ 4 Not Implemented - The name server does
+ not support the requested kind of query.
+
+ 5 Refused - The name server refuses to
+ perform the specified operation for
+ policy reasons. For example, a name
+ server may not wish to provide the
+ information to the particular requester,
+ or a name server may not wish to perform
+ a particular operation (e.g., zone
+
+
+
+Mockapetris [Page 27]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ transfer) for particular data.
+
+ 6-15 Reserved for future use.
+
+QDCOUNT an unsigned 16 bit integer specifying the number of
+ entries in the question section.
+
+ANCOUNT an unsigned 16 bit integer specifying the number of
+ resource records in the answer section.
+
+NSCOUNT an unsigned 16 bit integer specifying the number of name
+ server resource records in the authority records
+ section.
+
+ARCOUNT an unsigned 16 bit integer specifying the number of
+ resource records in the additional records section.
+
+4.1.2. Question section format
+
+The question section is used to carry the "question" in most queries,
+i.e., the parameters that define what is being asked. The section
+contains QDCOUNT (usually 1) entries, each of the following format:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / QNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QTYPE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QCLASS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+QNAME a domain name represented as a sequence of labels, where
+ each label consists of a length octet followed by that
+ number of octets. The domain name terminates with the
+ zero length octet for the null label of the root. Note
+ that this field may be an odd number of octets; no
+ padding is used.
+
+QTYPE a two octet code which specifies the type of the query.
+ The values for this field include all codes valid for a
+ TYPE field, together with some more general codes which
+ can match more than one type of RR.
+
+
+
+Mockapetris [Page 28]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+QCLASS a two octet code that specifies the class of the query.
+ For example, the QCLASS field is IN for the Internet.
+
+4.1.3. Resource record format
+
+The answer, authority, and additional sections all share the same
+format: a variable number of resource records, where the number of
+records is specified in the corresponding count field in the header.
+Each resource record has the following format:
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / /
+ / NAME /
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TYPE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | CLASS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TTL |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | RDLENGTH |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+ / RDATA /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+where:
+
+NAME a domain name to which this resource record pertains.
+
+TYPE two octets containing one of the RR type codes. This
+ field specifies the meaning of the data in the RDATA
+ field.
+
+CLASS two octets which specify the class of the data in the
+ RDATA field.
+
+TTL a 32 bit unsigned integer that specifies the time
+ interval (in seconds) that the resource record may be
+ cached before it should be discarded. Zero values are
+ interpreted to mean that the RR can only be used for the
+ transaction in progress, and should not be cached.
+
+
+
+
+
+Mockapetris [Page 29]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+RDLENGTH an unsigned 16 bit integer that specifies the length in
+ octets of the RDATA field.
+
+RDATA a variable length string of octets that describes the
+ resource. The format of this information varies
+ according to the TYPE and CLASS of the resource record.
+ For example, the if the TYPE is A and the CLASS is IN,
+ the RDATA field is a 4 octet ARPA Internet address.
+
+4.1.4. Message compression
+
+In order to reduce the size of messages, the domain system utilizes a
+compression scheme which eliminates the repetition of domain names in a
+message. In this scheme, an entire domain name or a list of labels at
+the end of a domain name is replaced with a pointer to a prior occurance
+of the same name.
+
+The pointer takes the form of a two octet sequence:
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | 1 1| OFFSET |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The first two bits are ones. This allows a pointer to be distinguished
+from a label, since the label must begin with two zero bits because
+labels are restricted to 63 octets or less. (The 10 and 01 combinations
+are reserved for future use.) The OFFSET field specifies an offset from
+the start of the message (i.e., the first octet of the ID field in the
+domain header). A zero offset specifies the first byte of the ID field,
+etc.
+
+The compression scheme allows a domain name in a message to be
+represented as either:
+
+ - a sequence of labels ending in a zero octet
+
+ - a pointer
+
+ - a sequence of labels ending with a pointer
+
+Pointers can only be used for occurances of a domain name where the
+format is not class specific. If this were not the case, a name server
+or resolver would be required to know the format of all RRs it handled.
+As yet, there are no such cases, but they may occur in future RDATA
+formats.
+
+If a domain name is contained in a part of the message subject to a
+length field (such as the RDATA section of an RR), and compression is
+
+
+
+Mockapetris [Page 30]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+used, the length of the compressed name is used in the length
+calculation, rather than the length of the expanded name.
+
+Programs are free to avoid using pointers in messages they generate,
+although this will reduce datagram capacity, and may cause truncation.
+However all programs are required to understand arriving messages that
+contain pointers.
+
+For example, a datagram might need to use the domain names F.ISI.ARPA,
+FOO.F.ISI.ARPA, ARPA, and the root. Ignoring the other fields of the
+message, these domain names might be represented as:
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 20 | 1 | F |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 22 | 3 | I |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 24 | S | I |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 26 | 4 | A |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 28 | R | P |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 30 | A | 0 |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 40 | 3 | F |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 42 | O | O |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 44 | 1 1| 20 |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 64 | 1 1| 26 |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 92 | 0 | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+The domain name for F.ISI.ARPA is shown at offset 20. The domain name
+FOO.F.ISI.ARPA is shown at offset 40; this definition uses a pointer to
+concatenate a label for FOO to the previously defined F.ISI.ARPA. The
+domain name ARPA is defined at offset 64 using a pointer to the ARPA
+component of the name F.ISI.ARPA at 20; note that this pointer relies on
+ARPA being the last label in the string at 20. The root domain name is
+
+
+
+Mockapetris [Page 31]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+defined by a single octet of zeros at 92; the root domain name has no
+labels.
+
+4.2. Transport
+
+The DNS assumes that messages will be transmitted as datagrams or in a
+byte stream carried by a virtual circuit. While virtual circuits can be
+used for any DNS activity, datagrams are preferred for queries due to
+their lower overhead and better performance. Zone refresh activities
+must use virtual circuits because of the need for reliable transfer.
+
+The Internet supports name server access using TCP [RFC-793] on server
+port 53 (decimal) as well as datagram access using UDP [RFC-768] on UDP
+port 53 (decimal).
+
+4.2.1. UDP usage
+
+Messages sent using UDP user server port 53 (decimal).
+
+Messages carried by UDP are restricted to 512 bytes (not counting the IP
+or UDP headers). Longer messages are truncated and the TC bit is set in
+the header.
+
+UDP is not acceptable for zone transfers, but is the recommended method
+for standard queries in the Internet. Queries sent using UDP may be
+lost, and hence a retransmission strategy is required. Queries or their
+responses may be reordered by the network, or by processing in name
+servers, so resolvers should not depend on them being returned in order.
+
+The optimal UDP retransmission policy will vary with performance of the
+Internet and the needs of the client, but the following are recommended:
+
+ - The client should try other servers and server addresses
+ before repeating a query to a specific address of a server.
+
+ - The retransmission interval should be based on prior
+ statistics if possible. Too aggressive retransmission can
+ easily slow responses for the community at large. Depending
+ on how well connected the client is to its expected servers,
+ the minimum retransmission interval should be 2-5 seconds.
+
+More suggestions on server selection and retransmission policy can be
+found in the resolver section of this memo.
+
+4.2.2. TCP usage
+
+Messages sent over TCP connections use server port 53 (decimal). The
+message is prefixed with a two byte length field which gives the message
+
+
+
+Mockapetris [Page 32]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+length, excluding the two byte length field. This length field allows
+the low-level processing to assemble a complete message before beginning
+to parse it.
+
+Several connection management policies are recommended:
+
+ - The server should not block other activities waiting for TCP
+ data.
+
+ - The server should support multiple connections.
+
+ - The server should assume that the client will initiate
+ connection closing, and should delay closing its end of the
+ connection until all outstanding client requests have been
+ satisfied.
+
+ - If the server needs to close a dormant connection to reclaim
+ resources, it should wait until the connection has been idle
+ for a period on the order of two minutes. In particular, the
+ server should allow the SOA and AXFR request sequence (which
+ begins a refresh operation) to be made on a single connection.
+ Since the server would be unable to answer queries anyway, a
+ unilateral close or reset may be used instead of a graceful
+ close.
+
+5. MASTER FILES
+
+Master files are text files that contain RRs in text form. Since the
+contents of a zone can be expressed in the form of a list of RRs a
+master file is most often used to define a zone, though it can be used
+to list a cache's contents. Hence, this section first discusses the
+format of RRs in a master file, and then the special considerations when
+a master file is used to create a zone in some name server.
+
+5.1. Format
+
+The format of these files is a sequence of entries. Entries are
+predominantly line-oriented, though parentheses can be used to continue
+a list of items across a line boundary, and text literals can contain
+CRLF within the text. Any combination of tabs and spaces act as a
+delimiter between the separate items that make up an entry. The end of
+any line in the master file can end with a comment. The comment starts
+with a ";" (semicolon).
+
+The following entries are defined:
+
+ <blank>[<comment>]
+
+
+
+
+Mockapetris [Page 33]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ $ORIGIN <domain-name> [<comment>]
+
+ $INCLUDE <file-name> [<domain-name>] [<comment>]
+
+ <domain-name><rr> [<comment>]
+
+ <blank><rr> [<comment>]
+
+Blank lines, with or without comments, are allowed anywhere in the file.
+
+Two control entries are defined: $ORIGIN and $INCLUDE. $ORIGIN is
+followed by a domain name, and resets the current origin for relative
+domain names to the stated name. $INCLUDE inserts the named file into
+the current file, and may optionally specify a domain name that sets the
+relative domain name origin for the included file. $INCLUDE may also
+have a comment. Note that a $INCLUDE entry never changes the relative
+origin of the parent file, regardless of changes to the relative origin
+made within the included file.
+
+The last two forms represent RRs. If an entry for an RR begins with a
+blank, then the RR is assumed to be owned by the last stated owner. If
+an RR entry begins with a <domain-name>, then the owner name is reset.
+
+<rr> contents take one of the following forms:
+
+ [<TTL>] [<class>] <type> <RDATA>
+
+ [<class>] [<TTL>] <type> <RDATA>
+
+The RR begins with optional TTL and class fields, followed by a type and
+RDATA field appropriate to the type and class. Class and type use the
+standard mnemonics, TTL is a decimal integer. Omitted class and TTL
+values are default to the last explicitly stated values. Since type and
+class mnemonics are disjoint, the parse is unique. (Note that this
+order is different from the order used in examples and the order used in
+the actual RRs; the given order allows easier parsing and defaulting.)
+
+<domain-name>s make up a large share of the data in the master file.
+The labels in the domain name are expressed as character strings and
+separated by dots. Quoting conventions allow arbitrary characters to be
+stored in domain names. Domain names that end in a dot are called
+absolute, and are taken as complete. Domain names which do not end in a
+dot are called relative; the actual domain name is the concatenation of
+the relative part with an origin specified in a $ORIGIN, $INCLUDE, or as
+an argument to the master file loading routine. A relative name is an
+error when no origin is available.
+
+
+
+
+
+Mockapetris [Page 34]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+<character-string> is expressed in one or two ways: as a contiguous set
+of characters without interior spaces, or as a string beginning with a "
+and ending with a ". Inside a " delimited string any character can
+occur, except for a " itself, which must be quoted using \ (back slash).
+
+Because these files are text files several special encodings are
+necessary to allow arbitrary data to be loaded. In particular:
+
+ of the root.
+
+@ A free standing @ is used to denote the current origin.
+
+\X where X is any character other than a digit (0-9), is
+ used to quote that character so that its special meaning
+ does not apply. For example, "\." can be used to place
+ a dot character in a label.
+
+\DDD where each D is a digit is the octet corresponding to
+ the decimal number described by DDD. The resulting
+ octet is assumed to be text and is not checked for
+ special meaning.
+
+( ) Parentheses are used to group data that crosses a line
+ boundary. In effect, line terminations are not
+ recognized within parentheses.
+
+; Semicolon is used to start a comment; the remainder of
+ the line is ignored.
+
+5.2. Use of master files to define zones
+
+When a master file is used to load a zone, the operation should be
+suppressed if any errors are encountered in the master file. The
+rationale for this is that a single error can have widespread
+consequences. For example, suppose that the RRs defining a delegation
+have syntax errors; then the server will return authoritative name
+errors for all names in the subzone (except in the case where the
+subzone is also present on the server).
+
+Several other validity checks that should be performed in addition to
+insuring that the file is syntactically correct:
+
+ 1. All RRs in the file should have the same class.
+
+ 2. Exactly one SOA RR should be present at the top of the zone.
+
+ 3. If delegations are present and glue information is required,
+ it should be present.
+
+
+
+Mockapetris [Page 35]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ 4. Information present outside of the authoritative nodes in the
+ zone should be glue information, rather than the result of an
+ origin or similar error.
+
+5.3. Master file example
+
+The following is an example file which might be used to define the
+ISI.EDU zone.and is loaded with an origin of ISI.EDU:
+
+@ IN SOA VENERA Action\.domains (
+ 20 ; SERIAL
+ 7200 ; REFRESH
+ 600 ; RETRY
+ 3600000; EXPIRE
+ 60) ; MINIMUM
+
+ NS A.ISI.EDU.
+ NS VENERA
+ NS VAXA
+ MX 10 VENERA
+ MX 20 VAXA
+
+A A 26.3.0.103
+
+VENERA A 10.1.0.52
+ A 128.9.0.32
+
+VAXA A 10.2.0.27
+ A 128.9.0.33
+
+
+$INCLUDE <SUBSYS>ISI-MAILBOXES.TXT
+
+Where the file <SUBSYS>ISI-MAILBOXES.TXT is:
+
+ MOE MB A.ISI.EDU.
+ LARRY MB A.ISI.EDU.
+ CURLEY MB A.ISI.EDU.
+ STOOGES MG MOE
+ MG LARRY
+ MG CURLEY
+
+Note the use of the \ character in the SOA RR to specify the responsible
+person mailbox "Action.domains@E.ISI.EDU".
+
+
+
+
+
+
+
+Mockapetris [Page 36]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+6. NAME SERVER IMPLEMENTATION
+
+6.1. Architecture
+
+The optimal structure for the name server will depend on the host
+operating system and whether the name server is integrated with resolver
+operations, either by supporting recursive service, or by sharing its
+database with a resolver. This section discusses implementation
+considerations for a name server which shares a database with a
+resolver, but most of these concerns are present in any name server.
+
+6.1.1. Control
+
+A name server must employ multiple concurrent activities, whether they
+are implemented as separate tasks in the host's OS or multiplexing
+inside a single name server program. It is simply not acceptable for a
+name server to block the service of UDP requests while it waits for TCP
+data for refreshing or query activities. Similarly, a name server
+should not attempt to provide recursive service without processing such
+requests in parallel, though it may choose to serialize requests from a
+single client, or to regard identical requests from the same client as
+duplicates. A name server should not substantially delay requests while
+it reloads a zone from master files or while it incorporates a newly
+refreshed zone into its database.
+
+6.1.2. Database
+
+While name server implementations are free to use any internal data
+structures they choose, the suggested structure consists of three major
+parts:
+
+ - A "catalog" data structure which lists the zones available to
+ this server, and a "pointer" to the zone data structure. The
+ main purpose of this structure is to find the nearest ancestor
+ zone, if any, for arriving standard queries.
+
+ - Separate data structures for each of the zones held by the
+ name server.
+
+ - A data structure for cached data. (or perhaps separate caches
+ for different classes)
+
+All of these data structures can be implemented an identical tree
+structure format, with different data chained off the nodes in different
+parts: in the catalog the data is pointers to zones, while in the zone
+and cache data structures, the data will be RRs. In designing the tree
+framework the designer should recognize that query processing will need
+to traverse the tree using case-insensitive label comparisons; and that
+
+
+
+Mockapetris [Page 37]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+in real data, a few nodes have a very high branching factor (100-1000 or
+more), but the vast majority have a very low branching factor (0-1).
+
+One way to solve the case problem is to store the labels for each node
+in two pieces: a standardized-case representation of the label where all
+ASCII characters are in a single case, together with a bit mask that
+denotes which characters are actually of a different case. The
+branching factor diversity can be handled using a simple linked list for
+a node until the branching factor exceeds some threshold, and
+transitioning to a hash structure after the threshold is exceeded. In
+any case, hash structures used to store tree sections must insure that
+hash functions and procedures preserve the casing conventions of the
+DNS.
+
+The use of separate structures for the different parts of the database
+is motivated by several factors:
+
+ - The catalog structure can be an almost static structure that
+ need change only when the system administrator changes the
+ zones supported by the server. This structure can also be
+ used to store parameters used to control refreshing
+ activities.
+
+ - The individual data structures for zones allow a zone to be
+ replaced simply by changing a pointer in the catalog. Zone
+ refresh operations can build a new structure and, when
+ complete, splice it into the database via a simple pointer
+ replacement. It is very important that when a zone is
+ refreshed, queries should not use old and new data
+ simultaneously.
+
+ - With the proper search procedures, authoritative data in zones
+ will always "hide", and hence take precedence over, cached
+ data.
+
+ - Errors in zone definitions that cause overlapping zones, etc.,
+ may cause erroneous responses to queries, but problem
+ determination is simplified, and the contents of one "bad"
+ zone can't corrupt another.
+
+ - Since the cache is most frequently updated, it is most
+ vulnerable to corruption during system restarts. It can also
+ become full of expired RR data. In either case, it can easily
+ be discarded without disturbing zone data.
+
+A major aspect of database design is selecting a structure which allows
+the name server to deal with crashes of the name server's host. State
+information which a name server should save across system crashes
+
+
+
+Mockapetris [Page 38]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+includes the catalog structure (including the state of refreshing for
+each zone) and the zone data itself.
+
+6.1.3. Time
+
+Both the TTL data for RRs and the timing data for refreshing activities
+depends on 32 bit timers in units of seconds. Inside the database,
+refresh timers and TTLs for cached data conceptually "count down", while
+data in the zone stays with constant TTLs.
+
+A recommended implementation strategy is to store time in two ways: as
+a relative increment and as an absolute time. One way to do this is to
+use positive 32 bit numbers for one type and negative numbers for the
+other. The RRs in zones use relative times; the refresh timers and
+cache data use absolute times. Absolute numbers are taken with respect
+to some known origin and converted to relative values when placed in the
+response to a query. When an absolute TTL is negative after conversion
+to relative, then the data is expired and should be ignored.
+
+6.2. Standard query processing
+
+The major algorithm for standard query processing is presented in
+[RFC-1034].
+
+When processing queries with QCLASS=*, or some other QCLASS which
+matches multiple classes, the response should never be authoritative
+unless the server can guarantee that the response covers all classes.
+
+When composing a response, RRs which are to be inserted in the
+additional section, but duplicate RRs in the answer or authority
+sections, may be omitted from the additional section.
+
+When a response is so long that truncation is required, the truncation
+should start at the end of the response and work forward in the
+datagram. Thus if there is any data for the authority section, the
+answer section is guaranteed to be unique.
+
+The MINIMUM value in the SOA should be used to set a floor on the TTL of
+data distributed from a zone. This floor function should be done when
+the data is copied into a response. This will allow future dynamic
+update protocols to change the SOA MINIMUM field without ambiguous
+semantics.
+
+6.3. Zone refresh and reload processing
+
+In spite of a server's best efforts, it may be unable to load zone data
+from a master file due to syntax errors, etc., or be unable to refresh a
+zone within the its expiration parameter. In this case, the name server
+
+
+
+Mockapetris [Page 39]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+should answer queries as if it were not supposed to possess the zone.
+
+If a master is sending a zone out via AXFR, and a new version is created
+during the transfer, the master should continue to send the old version
+if possible. In any case, it should never send part of one version and
+part of another. If completion is not possible, the master should reset
+the connection on which the zone transfer is taking place.
+
+6.4. Inverse queries (Optional)
+
+Inverse queries are an optional part of the DNS. Name servers are not
+required to support any form of inverse queries. If a name server
+receives an inverse query that it does not support, it returns an error
+response with the "Not Implemented" error set in the header. While
+inverse query support is optional, all name servers must be at least
+able to return the error response.
+
+6.4.1. The contents of inverse queries and responses Inverse
+queries reverse the mappings performed by standard query operations;
+while a standard query maps a domain name to a resource, an inverse
+query maps a resource to a domain name. For example, a standard query
+might bind a domain name to a host address; the corresponding inverse
+query binds the host address to a domain name.
+
+Inverse queries take the form of a single RR in the answer section of
+the message, with an empty question section. The owner name of the
+query RR and its TTL are not significant. The response carries
+questions in the question section which identify all names possessing
+the query RR WHICH THE NAME SERVER KNOWS. Since no name server knows
+about all of the domain name space, the response can never be assumed to
+be complete. Thus inverse queries are primarily useful for database
+management and debugging activities. Inverse queries are NOT an
+acceptable method of mapping host addresses to host names; use the IN-
+ADDR.ARPA domain instead.
+
+Where possible, name servers should provide case-insensitive comparisons
+for inverse queries. Thus an inverse query asking for an MX RR of
+"Venera.isi.edu" should get the same response as a query for
+"VENERA.ISI.EDU"; an inverse query for HINFO RR "IBM-PC UNIX" should
+produce the same result as an inverse query for "IBM-pc unix". However,
+this cannot be guaranteed because name servers may possess RRs that
+contain character strings but the name server does not know that the
+data is character.
+
+When a name server processes an inverse query, it either returns:
+
+ 1. zero, one, or multiple domain names for the specified
+ resource as QNAMEs in the question section
+
+
+
+Mockapetris [Page 40]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ 2. an error code indicating that the name server doesn't support
+ inverse mapping of the specified resource type.
+
+When the response to an inverse query contains one or more QNAMEs, the
+owner name and TTL of the RR in the answer section which defines the
+inverse query is modified to exactly match an RR found at the first
+QNAME.
+
+RRs returned in the inverse queries cannot be cached using the same
+mechanism as is used for the replies to standard queries. One reason
+for this is that a name might have multiple RRs of the same type, and
+only one would appear. For example, an inverse query for a single
+address of a multiply homed host might create the impression that only
+one address existed.
+
+6.4.2. Inverse query and response example The overall structure
+of an inverse query for retrieving the domain name that corresponds to
+Internet address 10.1.0.52 is shown below:
+
+ +-----------------------------------------+
+ Header | OPCODE=IQUERY, ID=997 |
+ +-----------------------------------------+
+ Question | <empty> |
+ +-----------------------------------------+
+ Answer | <anyname> A IN 10.1.0.52 |
+ +-----------------------------------------+
+ Authority | <empty> |
+ +-----------------------------------------+
+ Additional | <empty> |
+ +-----------------------------------------+
+
+This query asks for a question whose answer is the Internet style
+address 10.1.0.52. Since the owner name is not known, any domain name
+can be used as a placeholder (and is ignored). A single octet of zero,
+signifying the root, is usually used because it minimizes the length of
+the message. The TTL of the RR is not significant. The response to
+this query might be:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 41]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ +-----------------------------------------+
+ Header | OPCODE=RESPONSE, ID=997 |
+ +-----------------------------------------+
+ Question |QTYPE=A, QCLASS=IN, QNAME=VENERA.ISI.EDU |
+ +-----------------------------------------+
+ Answer | VENERA.ISI.EDU A IN 10.1.0.52 |
+ +-----------------------------------------+
+ Authority | <empty> |
+ +-----------------------------------------+
+ Additional | <empty> |
+ +-----------------------------------------+
+
+Note that the QTYPE in a response to an inverse query is the same as the
+TYPE field in the answer section of the inverse query. Responses to
+inverse queries may contain multiple questions when the inverse is not
+unique. If the question section in the response is not empty, then the
+RR in the answer section is modified to correspond to be an exact copy
+of an RR at the first QNAME.
+
+6.4.3. Inverse query processing
+
+Name servers that support inverse queries can support these operations
+through exhaustive searches of their databases, but this becomes
+impractical as the size of the database increases. An alternative
+approach is to invert the database according to the search key.
+
+For name servers that support multiple zones and a large amount of data,
+the recommended approach is separate inversions for each zone. When a
+particular zone is changed during a refresh, only its inversions need to
+be redone.
+
+Support for transfer of this type of inversion may be included in future
+versions of the domain system, but is not supported in this version.
+
+6.5. Completion queries and responses
+
+The optional completion services described in RFC-882 and RFC-883 have
+been deleted. Redesigned services may become available in the future.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 42]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+7. RESOLVER IMPLEMENTATION
+
+The top levels of the recommended resolver algorithm are discussed in
+[RFC-1034]. This section discusses implementation details assuming the
+database structure suggested in the name server implementation section
+of this memo.
+
+7.1. Transforming a user request into a query
+
+The first step a resolver takes is to transform the client's request,
+stated in a format suitable to the local OS, into a search specification
+for RRs at a specific name which match a specific QTYPE and QCLASS.
+Where possible, the QTYPE and QCLASS should correspond to a single type
+and a single class, because this makes the use of cached data much
+simpler. The reason for this is that the presence of data of one type
+in a cache doesn't confirm the existence or non-existence of data of
+other types, hence the only way to be sure is to consult an
+authoritative source. If QCLASS=* is used, then authoritative answers
+won't be available.
+
+Since a resolver must be able to multiplex multiple requests if it is to
+perform its function efficiently, each pending request is usually
+represented in some block of state information. This state block will
+typically contain:
+
+ - A timestamp indicating the time the request began.
+ The timestamp is used to decide whether RRs in the database
+ can be used or are out of date. This timestamp uses the
+ absolute time format previously discussed for RR storage in
+ zones and caches. Note that when an RRs TTL indicates a
+ relative time, the RR must be timely, since it is part of a
+ zone. When the RR has an absolute time, it is part of a
+ cache, and the TTL of the RR is compared against the timestamp
+ for the start of the request.
+
+ Note that using the timestamp is superior to using a current
+ time, since it allows RRs with TTLs of zero to be entered in
+ the cache in the usual manner, but still used by the current
+ request, even after intervals of many seconds due to system
+ load, query retransmission timeouts, etc.
+
+ - Some sort of parameters to limit the amount of work which will
+ be performed for this request.
+
+ The amount of work which a resolver will do in response to a
+ client request must be limited to guard against errors in the
+ database, such as circular CNAME references, and operational
+ problems, such as network partition which prevents the
+
+
+
+Mockapetris [Page 43]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ resolver from accessing the name servers it needs. While
+ local limits on the number of times a resolver will retransmit
+ a particular query to a particular name server address are
+ essential, the resolver should have a global per-request
+ counter to limit work on a single request. The counter should
+ be set to some initial value and decremented whenever the
+ resolver performs any action (retransmission timeout,
+ retransmission, etc.) If the counter passes zero, the request
+ is terminated with a temporary error.
+
+ Note that if the resolver structure allows one request to
+ start others in parallel, such as when the need to access a
+ name server for one request causes a parallel resolve for the
+ name server's addresses, the spawned request should be started
+ with a lower counter. This prevents circular references in
+ the database from starting a chain reaction of resolver
+ activity.
+
+ - The SLIST data structure discussed in [RFC-1034].
+
+ This structure keeps track of the state of a request if it
+ must wait for answers from foreign name servers.
+
+7.2. Sending the queries
+
+As described in [RFC-1034], the basic task of the resolver is to
+formulate a query which will answer the client's request and direct that
+query to name servers which can provide the information. The resolver
+will usually only have very strong hints about which servers to ask, in
+the form of NS RRs, and may have to revise the query, in response to
+CNAMEs, or revise the set of name servers the resolver is asking, in
+response to delegation responses which point the resolver to name
+servers closer to the desired information. In addition to the
+information requested by the client, the resolver may have to call upon
+its own services to determine the address of name servers it wishes to
+contact.
+
+In any case, the model used in this memo assumes that the resolver is
+multiplexing attention between multiple requests, some from the client,
+and some internally generated. Each request is represented by some
+state information, and the desired behavior is that the resolver
+transmit queries to name servers in a way that maximizes the probability
+that the request is answered, minimizes the time that the request takes,
+and avoids excessive transmissions. The key algorithm uses the state
+information of the request to select the next name server address to
+query, and also computes a timeout which will cause the next action
+should a response not arrive. The next action will usually be a
+transmission to some other server, but may be a temporary error to the
+
+
+
+Mockapetris [Page 44]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+client.
+
+The resolver always starts with a list of server names to query (SLIST).
+This list will be all NS RRs which correspond to the nearest ancestor
+zone that the resolver knows about. To avoid startup problems, the
+resolver should have a set of default servers which it will ask should
+it have no current NS RRs which are appropriate. The resolver then adds
+to SLIST all of the known addresses for the name servers, and may start
+parallel requests to acquire the addresses of the servers when the
+resolver has the name, but no addresses, for the name servers.
+
+To complete initialization of SLIST, the resolver attaches whatever
+history information it has to the each address in SLIST. This will
+usually consist of some sort of weighted averages for the response time
+of the address, and the batting average of the address (i.e., how often
+the address responded at all to the request). Note that this
+information should be kept on a per address basis, rather than on a per
+name server basis, because the response time and batting average of a
+particular server may vary considerably from address to address. Note
+also that this information is actually specific to a resolver address /
+server address pair, so a resolver with multiple addresses may wish to
+keep separate histories for each of its addresses. Part of this step
+must deal with addresses which have no such history; in this case an
+expected round trip time of 5-10 seconds should be the worst case, with
+lower estimates for the same local network, etc.
+
+Note that whenever a delegation is followed, the resolver algorithm
+reinitializes SLIST.
+
+The information establishes a partial ranking of the available name
+server addresses. Each time an address is chosen and the state should
+be altered to prevent its selection again until all other addresses have
+been tried. The timeout for each transmission should be 50-100% greater
+than the average predicted value to allow for variance in response.
+
+Some fine points:
+
+ - The resolver may encounter a situation where no addresses are
+ available for any of the name servers named in SLIST, and
+ where the servers in the list are precisely those which would
+ normally be used to look up their own addresses. This
+ situation typically occurs when the glue address RRs have a
+ smaller TTL than the NS RRs marking delegation, or when the
+ resolver caches the result of a NS search. The resolver
+ should detect this condition and restart the search at the
+ next ancestor zone, or alternatively at the root.
+
+
+
+
+
+Mockapetris [Page 45]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ - If a resolver gets a server error or other bizarre response
+ from a name server, it should remove it from SLIST, and may
+ wish to schedule an immediate transmission to the next
+ candidate server address.
+
+7.3. Processing responses
+
+The first step in processing arriving response datagrams is to parse the
+response. This procedure should include:
+
+ - Check the header for reasonableness. Discard datagrams which
+ are queries when responses are expected.
+
+ - Parse the sections of the message, and insure that all RRs are
+ correctly formatted.
+
+ - As an optional step, check the TTLs of arriving data looking
+ for RRs with excessively long TTLs. If a RR has an
+ excessively long TTL, say greater than 1 week, either discard
+ the whole response, or limit all TTLs in the response to 1
+ week.
+
+The next step is to match the response to a current resolver request.
+The recommended strategy is to do a preliminary matching using the ID
+field in the domain header, and then to verify that the question section
+corresponds to the information currently desired. This requires that
+the transmission algorithm devote several bits of the domain ID field to
+a request identifier of some sort. This step has several fine points:
+
+ - Some name servers send their responses from different
+ addresses than the one used to receive the query. That is, a
+ resolver cannot rely that a response will come from the same
+ address which it sent the corresponding query to. This name
+ server bug is typically encountered in UNIX systems.
+
+ - If the resolver retransmits a particular request to a name
+ server it should be able to use a response from any of the
+ transmissions. However, if it is using the response to sample
+ the round trip time to access the name server, it must be able
+ to determine which transmission matches the response (and keep
+ transmission times for each outgoing message), or only
+ calculate round trip times based on initial transmissions.
+
+ - A name server will occasionally not have a current copy of a
+ zone which it should have according to some NS RRs. The
+ resolver should simply remove the name server from the current
+ SLIST, and continue.
+
+
+
+
+Mockapetris [Page 46]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+7.4. Using the cache
+
+In general, we expect a resolver to cache all data which it receives in
+responses since it may be useful in answering future client requests.
+However, there are several types of data which should not be cached:
+
+ - When several RRs of the same type are available for a
+ particular owner name, the resolver should either cache them
+ all or none at all. When a response is truncated, and a
+ resolver doesn't know whether it has a complete set, it should
+ not cache a possibly partial set of RRs.
+
+ - Cached data should never be used in preference to
+ authoritative data, so if caching would cause this to happen
+ the data should not be cached.
+
+ - The results of an inverse query should not be cached.
+
+ - The results of standard queries where the QNAME contains "*"
+ labels if the data might be used to construct wildcards. The
+ reason is that the cache does not necessarily contain existing
+ RRs or zone boundary information which is necessary to
+ restrict the application of the wildcard RRs.
+
+ - RR data in responses of dubious reliability. When a resolver
+ receives unsolicited responses or RR data other than that
+ requested, it should discard it without caching it. The basic
+ implication is that all sanity checks on a packet should be
+ performed before any of it is cached.
+
+In a similar vein, when a resolver has a set of RRs for some name in a
+response, and wants to cache the RRs, it should check its cache for
+already existing RRs. Depending on the circumstances, either the data
+in the response or the cache is preferred, but the two should never be
+combined. If the data in the response is from authoritative data in the
+answer section, it is always preferred.
+
+8. MAIL SUPPORT
+
+The domain system defines a standard for mapping mailboxes into domain
+names, and two methods for using the mailbox information to derive mail
+routing information. The first method is called mail exchange binding
+and the other method is mailbox binding. The mailbox encoding standard
+and mail exchange binding are part of the DNS official protocol, and are
+the recommended method for mail routing in the Internet. Mailbox
+binding is an experimental feature which is still under development and
+subject to change.
+
+
+
+
+Mockapetris [Page 47]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+The mailbox encoding standard assumes a mailbox name of the form
+"<local-part>@<mail-domain>". While the syntax allowed in each of these
+sections varies substantially between the various mail internets, the
+preferred syntax for the ARPA Internet is given in [RFC-822].
+
+The DNS encodes the <local-part> as a single label, and encodes the
+<mail-domain> as a domain name. The single label from the <local-part>
+is prefaced to the domain name from <mail-domain> to form the domain
+name corresponding to the mailbox. Thus the mailbox HOSTMASTER@SRI-
+NIC.ARPA is mapped into the domain name HOSTMASTER.SRI-NIC.ARPA. If the
+<local-part> contains dots or other special characters, its
+representation in a master file will require the use of backslash
+quoting to ensure that the domain name is properly encoded. For
+example, the mailbox Action.domains@ISI.EDU would be represented as
+Action\.domains.ISI.EDU.
+
+8.1. Mail exchange binding
+
+Mail exchange binding uses the <mail-domain> part of a mailbox
+specification to determine where mail should be sent. The <local-part>
+is not even consulted. [RFC-974] specifies this method in detail, and
+should be consulted before attempting to use mail exchange support.
+
+One of the advantages of this method is that it decouples mail
+destination naming from the hosts used to support mail service, at the
+cost of another layer of indirection in the lookup function. However,
+the addition layer should eliminate the need for complicated "%", "!",
+etc encodings in <local-part>.
+
+The essence of the method is that the <mail-domain> is used as a domain
+name to locate type MX RRs which list hosts willing to accept mail for
+<mail-domain>, together with preference values which rank the hosts
+according to an order specified by the administrators for <mail-domain>.
+
+In this memo, the <mail-domain> ISI.EDU is used in examples, together
+with the hosts VENERA.ISI.EDU and VAXA.ISI.EDU as mail exchanges for
+ISI.EDU. If a mailer had a message for Mockapetris@ISI.EDU, it would
+route it by looking up MX RRs for ISI.EDU. The MX RRs at ISI.EDU name
+VENERA.ISI.EDU and VAXA.ISI.EDU, and type A queries can find the host
+addresses.
+
+8.2. Mailbox binding (Experimental)
+
+In mailbox binding, the mailer uses the entire mail destination
+specification to construct a domain name. The encoded domain name for
+the mailbox is used as the QNAME field in a QTYPE=MAILB query.
+
+Several outcomes are possible for this query:
+
+
+
+Mockapetris [Page 48]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ 1. The query can return a name error indicating that the mailbox
+ does not exist as a domain name.
+
+ In the long term, this would indicate that the specified
+ mailbox doesn't exist. However, until the use of mailbox
+ binding is universal, this error condition should be
+ interpreted to mean that the organization identified by the
+ global part does not support mailbox binding. The
+ appropriate procedure is to revert to exchange binding at
+ this point.
+
+ 2. The query can return a Mail Rename (MR) RR.
+
+ The MR RR carries new mailbox specification in its RDATA
+ field. The mailer should replace the old mailbox with the
+ new one and retry the operation.
+
+ 3. The query can return a MB RR.
+
+ The MB RR carries a domain name for a host in its RDATA
+ field. The mailer should deliver the message to that host
+ via whatever protocol is applicable, e.g., b,SMTP.
+
+ 4. The query can return one or more Mail Group (MG) RRs.
+
+ This condition means that the mailbox was actually a mailing
+ list or mail group, rather than a single mailbox. Each MG RR
+ has a RDATA field that identifies a mailbox that is a member
+ of the group. The mailer should deliver a copy of the
+ message to each member.
+
+ 5. The query can return a MB RR as well as one or more MG RRs.
+
+ This condition means the the mailbox was actually a mailing
+ list. The mailer can either deliver the message to the host
+ specified by the MB RR, which will in turn do the delivery to
+ all members, or the mailer can use the MG RRs to do the
+ expansion itself.
+
+In any of these cases, the response may include a Mail Information
+(MINFO) RR. This RR is usually associated with a mail group, but is
+legal with a MB. The MINFO RR identifies two mailboxes. One of these
+identifies a responsible person for the original mailbox name. This
+mailbox should be used for requests to be added to a mail group, etc.
+The second mailbox name in the MINFO RR identifies a mailbox that should
+receive error messages for mail failures. This is particularly
+appropriate for mailing lists when errors in member names should be
+reported to a person other than the one who sends a message to the list.
+
+
+
+Mockapetris [Page 49]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+New fields may be added to this RR in the future.
+
+
+9. REFERENCES and BIBLIOGRAPHY
+
+[Dyer 87] S. Dyer, F. Hsu, "Hesiod", Project Athena
+ Technical Plan - Name Service, April 1987, version 1.9.
+
+ Describes the fundamentals of the Hesiod name service.
+
+[IEN-116] J. Postel, "Internet Name Server", IEN-116,
+ USC/Information Sciences Institute, August 1979.
+
+ A name service obsoleted by the Domain Name System, but
+ still in use.
+
+[Quarterman 86] J. Quarterman, and J. Hoskins, "Notable Computer Networks",
+ Communications of the ACM, October 1986, volume 29, number
+ 10.
+
+[RFC-742] K. Harrenstien, "NAME/FINGER", RFC-742, Network
+ Information Center, SRI International, December 1977.
+
+[RFC-768] J. Postel, "User Datagram Protocol", RFC-768,
+ USC/Information Sciences Institute, August 1980.
+
+[RFC-793] J. Postel, "Transmission Control Protocol", RFC-793,
+ USC/Information Sciences Institute, September 1981.
+
+[RFC-799] D. Mills, "Internet Name Domains", RFC-799, COMSAT,
+ September 1981.
+
+ Suggests introduction of a hierarchy in place of a flat
+ name space for the Internet.
+
+[RFC-805] J. Postel, "Computer Mail Meeting Notes", RFC-805,
+ USC/Information Sciences Institute, February 1982.
+
+[RFC-810] E. Feinler, K. Harrenstien, Z. Su, and V. White, "DOD
+ Internet Host Table Specification", RFC-810, Network
+ Information Center, SRI International, March 1982.
+
+ Obsolete. See RFC-952.
+
+[RFC-811] K. Harrenstien, V. White, and E. Feinler, "Hostnames
+ Server", RFC-811, Network Information Center, SRI
+ International, March 1982.
+
+
+
+
+Mockapetris [Page 50]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ Obsolete. See RFC-953.
+
+[RFC-812] K. Harrenstien, and V. White, "NICNAME/WHOIS", RFC-812,
+ Network Information Center, SRI International, March
+ 1982.
+
+[RFC-819] Z. Su, and J. Postel, "The Domain Naming Convention for
+ Internet User Applications", RFC-819, Network
+ Information Center, SRI International, August 1982.
+
+ Early thoughts on the design of the domain system.
+ Current implementation is completely different.
+
+[RFC-821] J. Postel, "Simple Mail Transfer Protocol", RFC-821,
+ USC/Information Sciences Institute, August 1980.
+
+[RFC-830] Z. Su, "A Distributed System for Internet Name Service",
+ RFC-830, Network Information Center, SRI International,
+ October 1982.
+
+ Early thoughts on the design of the domain system.
+ Current implementation is completely different.
+
+[RFC-882] P. Mockapetris, "Domain names - Concepts and
+ Facilities," RFC-882, USC/Information Sciences
+ Institute, November 1983.
+
+ Superceeded by this memo.
+
+[RFC-883] P. Mockapetris, "Domain names - Implementation and
+ Specification," RFC-883, USC/Information Sciences
+ Institute, November 1983.
+
+ Superceeded by this memo.
+
+[RFC-920] J. Postel and J. Reynolds, "Domain Requirements",
+ RFC-920, USC/Information Sciences Institute,
+ October 1984.
+
+ Explains the naming scheme for top level domains.
+
+[RFC-952] K. Harrenstien, M. Stahl, E. Feinler, "DoD Internet Host
+ Table Specification", RFC-952, SRI, October 1985.
+
+ Specifies the format of HOSTS.TXT, the host/address
+ table replaced by the DNS.
+
+
+
+
+
+Mockapetris [Page 51]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+[RFC-953] K. Harrenstien, M. Stahl, E. Feinler, "HOSTNAME Server",
+ RFC-953, SRI, October 1985.
+
+ This RFC contains the official specification of the
+ hostname server protocol, which is obsoleted by the DNS.
+ This TCP based protocol accesses information stored in
+ the RFC-952 format, and is used to obtain copies of the
+ host table.
+
+[RFC-973] P. Mockapetris, "Domain System Changes and
+ Observations", RFC-973, USC/Information Sciences
+ Institute, January 1986.
+
+ Describes changes to RFC-882 and RFC-883 and reasons for
+ them.
+
+[RFC-974] C. Partridge, "Mail routing and the domain system",
+ RFC-974, CSNET CIC BBN Labs, January 1986.
+
+ Describes the transition from HOSTS.TXT based mail
+ addressing to the more powerful MX system used with the
+ domain system.
+
+[RFC-1001] NetBIOS Working Group, "Protocol standard for a NetBIOS
+ service on a TCP/UDP transport: Concepts and Methods",
+ RFC-1001, March 1987.
+
+ This RFC and RFC-1002 are a preliminary design for
+ NETBIOS on top of TCP/IP which proposes to base NetBIOS
+ name service on top of the DNS.
+
+[RFC-1002] NetBIOS Working Group, "Protocol standard for a NetBIOS
+ service on a TCP/UDP transport: Detailed
+ Specifications", RFC-1002, March 1987.
+
+[RFC-1010] J. Reynolds, and J. Postel, "Assigned Numbers", RFC-1010,
+ USC/Information Sciences Institute, May 1987.
+
+ Contains socket numbers and mnemonics for host names,
+ operating systems, etc.
+
+[RFC-1031] W. Lazear, "MILNET Name Domain Transition", RFC-1031,
+ November 1987.
+
+ Describes a plan for converting the MILNET to the DNS.
+
+[RFC-1032] M. Stahl, "Establishing a Domain - Guidelines for
+ Administrators", RFC-1032, November 1987.
+
+
+
+Mockapetris [Page 52]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ Describes the registration policies used by the NIC to
+ administer the top level domains and delegate subzones.
+
+[RFC-1033] M. Lottor, "Domain Administrators Operations Guide",
+ RFC-1033, November 1987.
+
+ A cookbook for domain administrators.
+
+[Solomon 82] M. Solomon, L. Landweber, and D. Neuhengen, "The CSNET
+ Name Server", Computer Networks, vol 6, nr 3, July 1982.
+
+ Describes a name service for CSNET which is independent
+ from the DNS and DNS use in the CSNET.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 53]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+Index
+
+ * 13
+
+ ; 33, 35
+
+ <character-string> 35
+ <domain-name> 34
+
+ @ 35
+
+ \ 35
+
+ A 12
+
+ Byte order 8
+
+ CH 13
+ Character case 9
+ CLASS 11
+ CNAME 12
+ Completion 42
+ CS 13
+
+ Hesiod 13
+ HINFO 12
+ HS 13
+
+ IN 13
+ IN-ADDR.ARPA domain 22
+ Inverse queries 40
+
+ Mailbox names 47
+ MB 12
+ MD 12
+ MF 12
+ MG 12
+ MINFO 12
+ MINIMUM 20
+ MR 12
+ MX 12
+
+ NS 12
+ NULL 12
+
+ Port numbers 32
+ Primary server 5
+ PTR 12, 18
+
+
+
+Mockapetris [Page 54]
+
+RFC 1035 Domain Implementation and Specification November 1987
+
+
+ QCLASS 13
+ QTYPE 12
+
+ RDATA 12
+ RDLENGTH 11
+
+ Secondary server 5
+ SOA 12
+ Stub resolvers 7
+
+ TCP 32
+ TXT 12
+ TYPE 11
+
+ UDP 32
+
+ WKS 12
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 55]
+
diff --git a/contrib/bind9/doc/rfc/rfc1101.txt b/contrib/bind9/doc/rfc/rfc1101.txt
new file mode 100644
index 0000000..66c9d8b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1101.txt
@@ -0,0 +1,787 @@
+
+
+
+
+
+
+Network Working Group P. Mockapetris
+Request for Comments: 1101 ISI
+Updates: RFCs 1034, 1035 April 1989
+
+
+ DNS Encoding of Network Names and Other Types
+
+
+1. STATUS OF THIS MEMO
+
+ This RFC proposes two extensions to the Domain Name System:
+
+ - A specific method for entering and retrieving RRs which map
+ between network names and numbers.
+
+ - Ideas for a general method for describing mappings between
+ arbitrary identifiers and numbers.
+
+ The method for mapping between network names and addresses is a
+ proposed standard, the ideas for a general method are experimental.
+
+ This RFC assumes that the reader is familiar with the DNS [RFC 1034,
+ RFC 1035] and its use. The data shown is for pedagogical use and
+ does not necessarily reflect the real Internet.
+
+ Distribution of this memo is unlimited.
+
+2. INTRODUCTION
+
+ The DNS is extensible and can be used for a virtually unlimited
+ number of data types, name spaces, etc. New type definitions are
+ occasionally necessary as are revisions or deletions of old types
+ (e.g., MX replacement of MD and MF [RFC 974]), and changes described
+ in [RFC 973]. This RFC describes changes due to the general need to
+ map between identifiers and values, and a specific need for network
+ name support.
+
+ Users wish to be able to use the DNS to map between network names and
+ numbers. This need is the only capability found in HOSTS.TXT which
+ is not available from the DNS. In designing a method to do this,
+ there were two major areas of concern:
+
+ - Several tradeoffs involving control of network names, the
+ syntax of network names, backward compatibility, etc.
+
+ - A desire to create a method which would be sufficiently
+ general to set a good precedent for future mappings,
+ for example, between TCP-port names and numbers,
+
+
+
+Mockapetris [Page 1]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ autonomous system names and numbers, X.500 Relative
+ Distinguished Names (RDNs) and their servers, or whatever.
+
+ It was impossible to reconcile these two areas of concern for network
+ names because of the desire to unify network number support within
+ existing IP address to host name support. The existing support is
+ the IN-ADDR.ARPA section of the DNS name space. As a result this RFC
+ describes one structure for network names which builds on the
+ existing support for host names, and another family of structures for
+ future yellow pages (YP) functions such as conversions between TCP-
+ port numbers and mnemonics.
+
+ Both structures are described in following sections. Each structure
+ has a discussion of design issues and specific structure
+ recommendations.
+
+ We wish to avoid defining structures and methods which can work but
+ do not because of indifference or errors on the part of system
+ administrators when maintaining the database. The WKS RR is an
+ example. Thus, while we favor distribution as a general method, we
+ also recognize that centrally maintained tables (such as HOSTS.TXT)
+ are usually more consistent though less maintainable and timely.
+ Hence we recommend both specific methods for mapping network names,
+ addresses, and subnets, as well as an instance of the general method
+ for mapping between allocated network numbers and network names.
+ (Allocation is centrally performed by the SRI Network Information
+ Center, aka the NIC).
+
+3. NETWORK NAME ISSUES AND DISCUSSION
+
+ The issues involved in the design were the definition of network name
+ syntax, the mappings to be provided, and possible support for similar
+ functions at the subnet level.
+
+3.1. Network name syntax
+
+ The current syntax for network names, as defined by [RFC 952] is an
+ alphanumeric string of up to 24 characters, which begins with an
+ alpha, and may include "." and "-" except as first and last
+ characters. This is the format which was also used for host names
+ before the DNS. Upward compatibility with existing names might be a
+ goal of any new scheme.
+
+ However, the present syntax has been used to define a flat name
+ space, and hence would prohibit the same distributed name allocation
+ method used for host names. There is some sentiment for allowing the
+ NIC to continue to allocate and regulate network names, much as it
+ allocates numbers, but the majority opinion favors local control of
+
+
+
+Mockapetris [Page 2]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ network names. Although it would be possible to provide a flat space
+ or a name space in which, for example, the last label of a domain
+ name captured the old-style network name, any such approach would add
+ complexity to the method and create different rules for network names
+ and host names.
+
+ For these reasons, we assume that the syntax of network names will be
+ the same as the expanded syntax for host names permitted in [HR].
+ The new syntax expands the set of names to allow leading digits, so
+ long as the resulting representations do not conflict with IP
+ addresses in decimal octet form. For example, 3Com.COM and 3M.COM
+ are now legal, although 26.0.0.73.COM is not. See [HR] for details.
+
+ The price is that network names will get as complicated as host
+ names. An administrator will be able to create network names in any
+ domain under his control, and also create network number to name
+ entries in IN-ADDR.ARPA domains under his control. Thus, the name
+ for the ARPANET might become NET.ARPA, ARPANET.ARPA or Arpa-
+ network.MIL., depending on the preferences of the owner.
+
+3.2. Mappings
+
+ The desired mappings, ranked by priority with most important first,
+ are:
+
+ - Mapping a IP address or network number to a network name.
+
+ This mapping is for use in debugging tools and status displays
+ of various sorts. The conversion from IP address to network
+ number is well known for class A, B, and C IP addresses, and
+ involves a simple mask operation. The needs of other classes
+ are not yet defined and are ignored for the rest of this RFC.
+
+ - Mapping a network name to a network address.
+
+ This facility is of less obvious application, but a
+ symmetrical mapping seems desirable.
+
+ - Mapping an organization to its network names and numbers.
+
+ This facility is useful because it may not always be possible
+ to guess the local choice for network names, but the
+ organization name is often well known.
+
+ - Similar mappings for subnets, even when nested.
+
+ The primary application is to be able to identify all of the
+ subnets involved in a particular IP address. A secondary
+
+
+
+Mockapetris [Page 3]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ requirement is to retrieve address mask information.
+
+3.3. Network address section of the name space
+
+ The network name syntax discussed above can provide domain names
+ which will contain mappings from network names to various quantities,
+ but we also need a section of the name space, organized by network
+ and subnet number to hold the inverse mappings.
+
+ The choices include:
+
+ - The same network number slots already assigned and delegated
+ in the IN-ADDR.ARPA section of the name space.
+
+ For example, 10.IN-ADDR.ARPA for class A net 10,
+ 2.128.IN-ADDR.ARPA for class B net 128.2, etc.
+
+ - Host-zero addresses in the IN-ADDR.ARPA tree. (A host field
+ of all zero in an IP address is prohibited because of
+ confusion related to broadcast addresses, et al.)
+
+ For example, 0.0.0.10.IN-ADDR.ARPA for class A net 10,
+ 0.0.2.128.IN-ADDR.arpa for class B net 128.2, etc. Like the
+ first scheme, it uses in-place name space delegations to
+ distribute control.
+
+ The main advantage of this scheme over the first is that it
+ allows convenient names for subnets as well as networks. A
+ secondary advantage is that it uses names which are not in use
+ already, and hence it is possible to test whether an
+ organization has entered this information in its domain
+ database.
+
+ - Some new section of the name space.
+
+ While this option provides the most opportunities, it creates
+ a need to delegate a whole new name space. Since the IP
+ address space is so closely related to the network number
+ space, most believe that the overhead of creating such a new
+ space is overwhelming and would lead to the WKS syndrome. (As
+ of February, 1989, approximately 400 sections of the
+ IN-ADDR.ARPA tree are already delegated, usually at network
+ boundaries.)
+
+
+
+
+
+
+
+
+Mockapetris [Page 4]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+4. SPECIFICS FOR NETWORK NAME MAPPINGS
+
+ The proposed solution uses information stored at:
+
+ - Names in the IN-ADDR.ARPA tree that correspond to host-zero IP
+ addresses. The same method is used for subnets in a nested
+ fashion. For example, 0.0.0.10.IN-ADDR.ARPA. for net 10.
+
+ Two types of information are stored here: PTR RRs which point
+ to the network name in their data sections, and A RRs, which
+ are present if the network (or subnet) is subnetted further.
+ If a type A RR is present, then it has the address mask as its
+ data. The general form is:
+
+ <reversed-host-zero-number>.IN-ADDR.ARPA. PTR <network-name>
+ <reversed-host-zero-number>.IN-ADDR.ARPA. A <subnet-mask>
+
+ For example:
+
+ 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
+
+ or
+
+ 0.0.2.128.IN-ADDR.ARPA. PTR cmu-net.cmu.edu.
+ A 255.255.255.0
+
+ In general, this information will be added to an existing
+ master file for some IN-ADDR.ARPA domain for each network
+ involved. Similar RRs can be used at host-zero subnet
+ entries.
+
+ - Names which are network names.
+
+ The data stored here is PTR RRs pointing at the host-zero
+ entries. The general form is:
+
+ <network-name> ptr <reversed-host-zero-number>.IN-ADDR.ARPA
+
+ For example:
+
+ ARPANET.ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
+
+ or
+
+ isi-net.isi.edu. PTR 0.0.9.128.IN-ADDR.ARPA.
+
+ In general, this information will be inserted in the master
+ file for the domain name of the organization; this is a
+
+
+
+Mockapetris [Page 5]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ different file from that which holds the information below
+ IN-ADDR.ARPA. Similar PTR RRs can be used at subnet names.
+
+ - Names corresponding to organizations.
+
+ The data here is one or more PTR RRs pointing at the
+ IN-ADDR.ARPA names corresponding to host-zero entries for
+ networks.
+
+ For example:
+
+ ISI.EDU. PTR 0.0.9.128.IN-ADDR.ARPA.
+
+ MCC.COM. PTR 0.167.5.192.IN-ADDR.ARPA.
+ PTR 0.168.5.192.IN-ADDR.ARPA.
+ PTR 0.169.5.192.IN-ADDR.ARPA.
+ PTR 0.0.62.128.IN-ADDR.ARPA.
+
+4.1. A simple example
+
+ The ARPANET is a Class A network without subnets. The RRs which
+ would be added, assuming the ARPANET.ARPA was selected as a network
+ name, would be:
+
+ ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
+
+ ARPANET.ARPA. PTR 0.0.0.10.IN-ADDR.ARPA.
+
+ 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
+
+ The first RR states that the organization named ARPA owns net 10 (It
+ might also own more network numbers, and these would be represented
+ with an additional RR per net.) The second states that the network
+ name ARPANET.ARPA. maps to net 10. The last states that net 10 is
+ named ARPANET.ARPA.
+
+ Note that all of the usual host and corresponding IN-ADDR.ARPA
+ entries would still be required.
+
+4.2. A complicated, subnetted example
+
+ The ISI network is 128.9, a class B number. Suppose the ISI network
+ was organized into two levels of subnet, with the first level using
+ an additional 8 bits of address, and the second level using 4 bits,
+ for address masks of x'FFFFFF00' and X'FFFFFFF0'.
+
+ Then the following RRs would be entered in ISI's master file for the
+ ISI.EDU zone:
+
+
+
+Mockapetris [Page 6]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ ; Define network entry
+ isi-net.isi.edu. PTR 0.0.9.128.IN-ADDR.ARPA.
+
+ ; Define first level subnets
+ div1-subnet.isi.edu. PTR 0.1.9.128.IN-ADDR.ARPA.
+ div2-subnet.isi.edu. PTR 0.2.9.128.IN-ADDR.ARPA.
+
+ ; Define second level subnets
+ inc-subsubnet.isi.edu. PTR 16.2.9.128.IN-ADDR.ARPA.
+
+ in the 9.128.IN-ADDR.ARPA zone:
+
+ ; Define network number and address mask
+ 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
+ A 255.255.255.0 ;aka X'FFFFFF00'
+
+ ; Define one of the first level subnet numbers and masks
+ 0.1.9.128.IN-ADDR.ARPA. PTR div1-subnet.isi.edu.
+ A 255.255.255.240 ;aka X'FFFFFFF0'
+
+ ; Define another first level subnet number and mask
+ 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
+ A 255.255.255.240 ;aka X'FFFFFFF0'
+
+ ; Define second level subnet number
+ 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
+
+ This assumes that the ISI network is named isi-net.isi.edu., first
+ level subnets are named div1-subnet.isi.edu. and div2-
+ subnet.isi.edu., and a second level subnet is called inc-
+ subsubnet.isi.edu. (In a real system as complicated as this there
+ would be more first and second level subnets defined, but we have
+ shown enough to illustrate the ideas.)
+
+4.3. Procedure for using an IP address to get network name
+
+ Depending on whether the IP address is class A, B, or C, mask off the
+ high one, two, or three bytes, respectively. Reverse the octets,
+ suffix IN-ADDR.ARPA, and do a PTR query.
+
+ For example, suppose the IP address is 10.0.0.51.
+
+ 1. Since this is a class A address, use a mask x'FF000000' and
+ get 10.0.0.0.
+
+ 2. Construct the name 0.0.0.10.IN-ADDR.ARPA.
+
+ 3. Do a PTR query. Get back
+
+
+
+Mockapetris [Page 7]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ 0.0.0.10.IN-ADDR.ARPA. PTR ARPANET.ARPA.
+
+ 4. Conclude that the network name is "ARPANET.ARPA."
+
+ Suppose that the IP address is 128.9.2.17.
+
+ 1. Since this is a class B address, use a mask of x'FFFF0000'
+ and get 128.9.0.0.
+
+ 2. Construct the name 0.0.9.128.IN-ADDR.ARPA.
+
+ 3. Do a PTR query. Get back
+
+ 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu
+
+ 4. Conclude that the network name is "isi-net.isi.edu."
+
+4.4. Procedure for finding all subnets involved with an IP address
+
+ This is a simple extension of the IP address to network name method.
+ When the network entry is located, do a lookup for a possible A RR.
+ If the A RR is found, look up the next level of subnet using the
+ original IP address and the mask in the A RR. Repeat this procedure
+ until no A RR is found.
+
+ For example, repeating the use of 128.9.2.17.
+
+ 1. As before construct a query for 0.0.9.128.IN-ADDR.ARPA.
+ Retrieve:
+
+ 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
+ A 255.255.255.0
+
+ 2. Since an A RR was found, repeat using mask from RR
+ (255.255.255.0), constructing a query for
+ 0.2.9.128.IN-ADDR.ARPA. Retrieve:
+
+ 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
+ A 255.255.255.240
+
+ 3. Since another A RR was found, repeat using mask
+ 255.255.255.240 (x'FFFFFFF0'). constructing a query for
+ 16.2.9.128.IN-ADDR.ARPA. Retrieve:
+
+ 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
+
+ 4. Since no A RR is present at 16.2.9.128.IN-ADDR.ARPA., there
+ are no more subnet levels.
+
+
+
+Mockapetris [Page 8]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+5. YP ISSUES AND DISCUSSION
+
+ The term "Yellow Pages" is used in almost as many ways as the term
+ "domain", so it is useful to define what is meant herein by YP. The
+ general problem to be solved is to create a method for creating
+ mappings from one kind of identifier to another, often with an
+ inverse capability. The traditional methods are to search or use a
+ precomputed index of some kind.
+
+ Searching is impractical when the search is too large, and
+ precomputed indexes are possible only when it is possible to specify
+ search criteria in advance, and pay for the resources necessary to
+ build the index. For example, it is impractical to search the entire
+ domain tree to find a particular address RR, so we build the IN-
+ ADDR.ARPA YP. Similarly, we could never build an Internet-wide index
+ of "hosts with a load average of less than 2" in less time than it
+ would take for the data to change, so indexes are a useless approach
+ for that problem.
+
+ Such a precomputed index is what we mean by YP, and we regard the
+ IN-ADDR.ARPA domain as the first instance of a YP in the DNS.
+ Although a single, centrally-managed YP for well-known values such as
+ TCP-port is desirable, we regard organization-specific YPs for, say,
+ locally defined TCP ports as a natural extension, as are combinations
+ of YPs using search lists to merge the two.
+
+ In examining Internet Numbers [RFC 997] and Assigned Numbers [RFC
+ 1010], it is clear that there are several mappings which might be of
+ value. For example:
+
+ <assigned-network-name> <==> <IP-address>
+ <autonomous-system-id> <==> <number>
+ <protocol-id> <==> <number>
+ <port-id> <==> <number>
+ <ethernet-type> <==> <number>
+ <public-data-net> <==> <IP-address>
+
+ Following the IN-ADDR example, the YP takes the form of a domain tree
+ organized to optimize retrieval by search key and distribution via
+ normal DNS rules. The name used as a key must include:
+
+ 1. A well known origin. For example, IN-ADDR.ARPA is the
+ current IP-address to host name YP.
+
+ 2. A "from" data type. This identifies the input type of the
+ mapping. This is necessary because we may be mapping
+ something as anonymous as a number to any number of
+ mnemonics, etc.
+
+
+
+Mockapetris [Page 9]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ 3. A "to" data type. Since we assume several symmetrical
+ mnemonic <==> number mappings, this is also necessary.
+
+ This ordering reflects the natural scoping of control, and hence the
+ order of the components in a domain name. Thus domain names would be
+ of the form:
+
+ <from-value>.<to-data-type>.<from-data-type>.<YP-origin>
+
+ To make this work, we need to define well-know strings for each of
+ these metavariables, as well as encoding rules for converting a
+ <from-value> into a domain name. We might define:
+
+ <YP-origin> :=YP
+ <from-data-type>:=TCP-port | IN-ADDR | Number |
+ Assigned-network-number | Name
+ <to-data-type> :=<from-data-type>
+
+ Note that "YP" is NOT a valid country code under [ISO 3166] (although
+ we may want to worry about the future), and the existence of a
+ syntactically valid <to-data-type>.<from-data-type> pair does not
+ imply that a meaningful mapping exists, or is even possible.
+
+ The encoding rules might be:
+
+ TCP-port Six character alphanumeric
+
+ IN-ADDR Reversed 4-octet decimal string
+
+ Number decimal integer
+
+ Assigned-network-number
+ Reversed 4-octet decimal string
+
+ Name Domain name
+
+6. SPECIFICS FOR YP MAPPINGS
+
+6.1. TCP-PORT
+
+ $origin Number.TCP-port.YP.
+
+ 23 PTR TELNET.TCP-port.Number.YP.
+ 25 PTR SMTP.TCP-port.Number.YP.
+
+ $origin TCP-port.Number.YP.
+
+ TELNET PTR 23.Number.TCP-port.YP.
+
+
+
+Mockapetris [Page 10]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ SMTP PTR 25.Number.TCP-port.YP.
+
+ Thus the mapping between 23 and TELNET is represented by a pair of
+ PTR RRs, one for each direction of the mapping.
+
+6.2. Assigned networks
+
+ Network numbers are assigned by the NIC and reported in "Internet
+ Numbers" RFCs. To create a YP, the NIC would set up two domains:
+
+ Name.Assigned-network-number.YP and Assigned-network-number.YP
+
+ The first would contain entries of the form:
+
+ $origin Name.Assigned-network-number.YP.
+
+ 0.0.0.4 PTR SATNET.Assigned-network-number.Name.YP.
+ 0.0.0.10 PTR ARPANET.Assigned-network-number.Name.YP.
+
+ The second would contain entries of the form:
+
+ $origin Assigned-network-number.Name.YP.
+
+ SATNET. PTR 0.0.0.4.Name.Assigned-network-number.YP.
+ ARPANET. PTR 0.0.0.10.Name.Assigned-network-number.YP.
+
+ These YPs are not in conflict with the network name support described
+ in the first half of this RFC since they map between ASSIGNED network
+ names and numbers, not those allocated by the organizations
+ themselves. That is, they document the NIC's decisions about
+ allocating network numbers but do not automatically track any
+ renaming performed by the new owners.
+
+ As a practical matter, we might want to create both of these domains
+ to enable users on the Internet to experiment with centrally
+ maintained support as well as the distributed version, or might want
+ to implement only the allocated number to name mapping and request
+ organizations to convert their allocated network names to the network
+ names described in the distributed model.
+
+6.3. Operational improvements
+
+ We could imagine that all conversion routines using these YPs might
+ be instructed to use "YP.<local-domain>" followed by "YP." as a
+ search list. Thus, if the organization ISI.EDU wished to define
+ locally meaningful TCP-PORT, it would define the domains:
+
+ <TCP-port.Number.YP.ISI.EDU> and <Number.TCP-port.YP.ISI.EDU>.
+
+
+
+Mockapetris [Page 11]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ We could add another level of indirection in the YP lookup, defining
+ the <to-data-type>.<from-data-type>.<YP-origin> nodes to point to the
+ YP tree, rather than being the YP tree directly. This would enable
+ entries of the form:
+
+ IN-ADDR.Netname.YP. PTR IN-ADDR.ARPA.
+
+ to splice in YPs from other origins or existing spaces.
+
+ Another possibility would be to shorten the RDATA section of the RRs
+ which map back and forth by deleting the origin. This could be done
+ either by allowing the domain name in the RDATA portion to not
+ identify a real domain name, or by defining a new RR which used a
+ simple text string rather than a domain name.
+
+ Thus, we might replace
+
+ $origin Assigned-network-number.Name.YP.
+
+ SATNET. PTR 0.0.0.4.Name.Assigned-network-number.YP.
+ ARPANET. PTR 0.0.0.10.Name.Assigned-network-number.YP.
+
+ with
+
+ $origin Assigned-network-number.Name.YP.
+
+ SATNET. PTR 0.0.0.4.
+ ARPANET. PTR 0.0.0.10.
+
+ or
+
+ $origin Assigned-network-number.Name.YP.
+
+ SATNET. PTT "0.0.0.4"
+ ARPANET. PTT "0.0.0.10"
+
+ where PTT is a new type whose RDATA section is a text string.
+
+7. ACKNOWLEDGMENTS
+
+ Drew Perkins, Mark Lottor, and Rob Austein contributed several of the
+ ideas in this RFC. Numerous contributions, criticisms, and
+ compromises were produced in the IETF Domain working group and the
+ NAMEDROPPERS mailing list.
+
+
+
+
+
+
+
+Mockapetris [Page 12]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+8. REFERENCES
+
+ [HR] Braden, B., editor, "Requirements for Internet Hosts",
+ RFC in preparation.
+
+ [ISO 3166] ISO, "Codes for the Representation of Names of
+ Countries", 1981.
+
+ [RFC 882] Mockapetris, P., "Domain names - Concepts and
+ Facilities", RFC 882, USC/Information Sciences Institute,
+ November 1983.
+
+ Superseded by RFC 1034.
+
+ [RFC 883] Mockapetris, P.,"Domain names - Implementation and
+ Specification", RFC 883, USC/Information Sciences
+ Institute, November 1983.
+
+ Superceeded by RFC 1035.
+
+ [RFC 920] Postel, J. and J. Reynolds, "Domain Requirements", RFC
+ 920, October 1984.
+
+ Explains the naming scheme for top level domains.
+
+ [RFC 952] Harrenstien, K., M. Stahl, and E. Feinler, "DoD Internet
+ Host Table Specification", RFC 952, SRI, October 1985.
+
+ Specifies the format of HOSTS.TXT, the host/address table
+ replaced by the DNS
+
+ [RFC 973] Mockapetris, P., "Domain System Changes and
+ Observations", RFC 973, USC/Information Sciences
+ Institute, January 1986.
+
+ Describes changes to RFCs 882 and 883 and reasons for
+ them.
+
+ [RFC 974] Partridge, C., "Mail routing and the domain system", RFC
+ 974, CSNET CIC BBN Labs, January 1986.
+
+ Describes the transition from HOSTS.TXT based mail
+ addressing to the more powerful MX system used with the
+ domain system.
+
+
+
+
+
+
+
+Mockapetris [Page 13]
+
+RFC 1101 DNS Encoding of Network Names and Other Types April 1989
+
+
+ [RFC 997] Reynolds, J., and J. Postel, "Internet Numbers", RFC 997,
+ USC/Information Sciences Institute, March 1987
+
+ Contains network numbers, autonomous system numbers, etc.
+
+ [RFC 1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC
+ 1010, USC/Information Sciences Institute, May 1987
+
+ Contains socket numbers and mnemonics for host names,
+ operating systems, etc.
+
+
+ [RFC 1034] Mockapetris, P., "Domain names - Concepts and
+ Facilities", RFC 1034, USC/Information Sciences
+ Institute, November 1987.
+
+ Introduction/overview of the DNS.
+
+ [RFC 1035] Mockapetris, P., "Domain names - Implementation and
+ Specification", RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ DNS implementation instructions.
+
+Author's Address:
+
+ Paul Mockapetris
+ USC/Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292
+
+ Phone: (213) 822-1511
+
+ Email: PVM@ISI.EDU
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mockapetris [Page 14]
+ \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1122.txt b/contrib/bind9/doc/rfc/rfc1122.txt
new file mode 100644
index 0000000..c14f2e5
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1122.txt
@@ -0,0 +1,6844 @@
+
+
+
+
+
+
+Network Working Group Internet Engineering Task Force
+Request for Comments: 1122 R. Braden, Editor
+ October 1989
+
+
+ Requirements for Internet Hosts -- Communication Layers
+
+
+Status of This Memo
+
+ This RFC is an official specification for the Internet community. It
+ incorporates by reference, amends, corrects, and supplements the
+ primary protocol standards documents relating to hosts. Distribution
+ of this document is unlimited.
+
+Summary
+
+ This is one RFC of a pair that defines and discusses the requirements
+ for Internet host software. This RFC covers the communications
+ protocol layers: link layer, IP layer, and transport layer; its
+ companion RFC-1123 covers the application and support protocols.
+
+
+
+ Table of Contents
+
+
+
+
+ 1. INTRODUCTION ............................................... 5
+ 1.1 The Internet Architecture .............................. 6
+ 1.1.1 Internet Hosts .................................... 6
+ 1.1.2 Architectural Assumptions ......................... 7
+ 1.1.3 Internet Protocol Suite ........................... 8
+ 1.1.4 Embedded Gateway Code ............................. 10
+ 1.2 General Considerations ................................. 12
+ 1.2.1 Continuing Internet Evolution ..................... 12
+ 1.2.2 Robustness Principle .............................. 12
+ 1.2.3 Error Logging ..................................... 13
+ 1.2.4 Configuration ..................................... 14
+ 1.3 Reading this Document .................................. 15
+ 1.3.1 Organization ...................................... 15
+ 1.3.2 Requirements ...................................... 16
+ 1.3.3 Terminology ....................................... 17
+ 1.4 Acknowledgments ........................................ 20
+
+ 2. LINK LAYER .................................................. 21
+ 2.1 INTRODUCTION ........................................... 21
+
+
+
+Internet Engineering Task Force [Page 1]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ 2.2 PROTOCOL WALK-THROUGH .................................. 21
+ 2.3 SPECIFIC ISSUES ........................................ 21
+ 2.3.1 Trailer Protocol Negotiation ...................... 21
+ 2.3.2 Address Resolution Protocol -- ARP ................ 22
+ 2.3.2.1 ARP Cache Validation ......................... 22
+ 2.3.2.2 ARP Packet Queue ............................. 24
+ 2.3.3 Ethernet and IEEE 802 Encapsulation ............... 24
+ 2.4 LINK/INTERNET LAYER INTERFACE .......................... 25
+ 2.5 LINK LAYER REQUIREMENTS SUMMARY ........................ 26
+
+ 3. INTERNET LAYER PROTOCOLS .................................... 27
+ 3.1 INTRODUCTION ............................................ 27
+ 3.2 PROTOCOL WALK-THROUGH .................................. 29
+ 3.2.1 Internet Protocol -- IP ............................ 29
+ 3.2.1.1 Version Number ............................... 29
+ 3.2.1.2 Checksum ..................................... 29
+ 3.2.1.3 Addressing ................................... 29
+ 3.2.1.4 Fragmentation and Reassembly ................. 32
+ 3.2.1.5 Identification ............................... 32
+ 3.2.1.6 Type-of-Service .............................. 33
+ 3.2.1.7 Time-to-Live ................................. 34
+ 3.2.1.8 Options ...................................... 35
+ 3.2.2 Internet Control Message Protocol -- ICMP .......... 38
+ 3.2.2.1 Destination Unreachable ...................... 39
+ 3.2.2.2 Redirect ..................................... 40
+ 3.2.2.3 Source Quench ................................ 41
+ 3.2.2.4 Time Exceeded ................................ 41
+ 3.2.2.5 Parameter Problem ............................ 42
+ 3.2.2.6 Echo Request/Reply ........................... 42
+ 3.2.2.7 Information Request/Reply .................... 43
+ 3.2.2.8 Timestamp and Timestamp Reply ................ 43
+ 3.2.2.9 Address Mask Request/Reply ................... 45
+ 3.2.3 Internet Group Management Protocol IGMP ........... 47
+ 3.3 SPECIFIC ISSUES ........................................ 47
+ 3.3.1 Routing Outbound Datagrams ........................ 47
+ 3.3.1.1 Local/Remote Decision ........................ 47
+ 3.3.1.2 Gateway Selection ............................ 48
+ 3.3.1.3 Route Cache .................................. 49
+ 3.3.1.4 Dead Gateway Detection ....................... 51
+ 3.3.1.5 New Gateway Selection ........................ 55
+ 3.3.1.6 Initialization ............................... 56
+ 3.3.2 Reassembly ........................................ 56
+ 3.3.3 Fragmentation ..................................... 58
+ 3.3.4 Local Multihoming ................................. 60
+ 3.3.4.1 Introduction ................................. 60
+ 3.3.4.2 Multihoming Requirements ..................... 61
+ 3.3.4.3 Choosing a Source Address .................... 64
+ 3.3.5 Source Route Forwarding ........................... 65
+
+
+
+Internet Engineering Task Force [Page 2]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ 3.3.6 Broadcasts ........................................ 66
+ 3.3.7 IP Multicasting ................................... 67
+ 3.3.8 Error Reporting ................................... 69
+ 3.4 INTERNET/TRANSPORT LAYER INTERFACE ..................... 69
+ 3.5 INTERNET LAYER REQUIREMENTS SUMMARY .................... 72
+
+ 4. TRANSPORT PROTOCOLS ......................................... 77
+ 4.1 USER DATAGRAM PROTOCOL -- UDP .......................... 77
+ 4.1.1 INTRODUCTION ...................................... 77
+ 4.1.2 PROTOCOL WALK-THROUGH ............................. 77
+ 4.1.3 SPECIFIC ISSUES ................................... 77
+ 4.1.3.1 Ports ........................................ 77
+ 4.1.3.2 IP Options ................................... 77
+ 4.1.3.3 ICMP Messages ................................ 78
+ 4.1.3.4 UDP Checksums ................................ 78
+ 4.1.3.5 UDP Multihoming .............................. 79
+ 4.1.3.6 Invalid Addresses ............................ 79
+ 4.1.4 UDP/APPLICATION LAYER INTERFACE ................... 79
+ 4.1.5 UDP REQUIREMENTS SUMMARY .......................... 80
+ 4.2 TRANSMISSION CONTROL PROTOCOL -- TCP ................... 82
+ 4.2.1 INTRODUCTION ...................................... 82
+ 4.2.2 PROTOCOL WALK-THROUGH ............................. 82
+ 4.2.2.1 Well-Known Ports ............................. 82
+ 4.2.2.2 Use of Push .................................. 82
+ 4.2.2.3 Window Size .................................. 83
+ 4.2.2.4 Urgent Pointer ............................... 84
+ 4.2.2.5 TCP Options .................................. 85
+ 4.2.2.6 Maximum Segment Size Option .................. 85
+ 4.2.2.7 TCP Checksum ................................. 86
+ 4.2.2.8 TCP Connection State Diagram ................. 86
+ 4.2.2.9 Initial Sequence Number Selection ............ 87
+ 4.2.2.10 Simultaneous Open Attempts .................. 87
+ 4.2.2.11 Recovery from Old Duplicate SYN ............. 87
+ 4.2.2.12 RST Segment ................................. 87
+ 4.2.2.13 Closing a Connection ........................ 87
+ 4.2.2.14 Data Communication .......................... 89
+ 4.2.2.15 Retransmission Timeout ...................... 90
+ 4.2.2.16 Managing the Window ......................... 91
+ 4.2.2.17 Probing Zero Windows ........................ 92
+ 4.2.2.18 Passive OPEN Calls .......................... 92
+ 4.2.2.19 Time to Live ................................ 93
+ 4.2.2.20 Event Processing ............................ 93
+ 4.2.2.21 Acknowledging Queued Segments ............... 94
+ 4.2.3 SPECIFIC ISSUES ................................... 95
+ 4.2.3.1 Retransmission Timeout Calculation ........... 95
+ 4.2.3.2 When to Send an ACK Segment .................. 96
+ 4.2.3.3 When to Send a Window Update ................. 97
+ 4.2.3.4 When to Send Data ............................ 98
+
+
+
+Internet Engineering Task Force [Page 3]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ 4.2.3.5 TCP Connection Failures ...................... 100
+ 4.2.3.6 TCP Keep-Alives .............................. 101
+ 4.2.3.7 TCP Multihoming .............................. 103
+ 4.2.3.8 IP Options ................................... 103
+ 4.2.3.9 ICMP Messages ................................ 103
+ 4.2.3.10 Remote Address Validation ................... 104
+ 4.2.3.11 TCP Traffic Patterns ........................ 104
+ 4.2.3.12 Efficiency .................................. 105
+ 4.2.4 TCP/APPLICATION LAYER INTERFACE ................... 106
+ 4.2.4.1 Asynchronous Reports ......................... 106
+ 4.2.4.2 Type-of-Service .............................. 107
+ 4.2.4.3 Flush Call ................................... 107
+ 4.2.4.4 Multihoming .................................. 108
+ 4.2.5 TCP REQUIREMENT SUMMARY ........................... 108
+
+ 5. REFERENCES ................................................. 112
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 4]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+1. INTRODUCTION
+
+ This document is one of a pair that defines and discusses the
+ requirements for host system implementations of the Internet protocol
+ suite. This RFC covers the communication protocol layers: link
+ layer, IP layer, and transport layer. Its companion RFC,
+ "Requirements for Internet Hosts -- Application and Support"
+ [INTRO:1], covers the application layer protocols. This document
+ should also be read in conjunction with "Requirements for Internet
+ Gateways" [INTRO:2].
+
+ These documents are intended to provide guidance for vendors,
+ implementors, and users of Internet communication software. They
+ represent the consensus of a large body of technical experience and
+ wisdom, contributed by the members of the Internet research and
+ vendor communities.
+
+ This RFC enumerates standard protocols that a host connected to the
+ Internet must use, and it incorporates by reference the RFCs and
+ other documents describing the current specifications for these
+ protocols. It corrects errors in the referenced documents and adds
+ additional discussion and guidance for an implementor.
+
+ For each protocol, this document also contains an explicit set of
+ requirements, recommendations, and options. The reader must
+ understand that the list of requirements in this document is
+ incomplete by itself; the complete set of requirements for an
+ Internet host is primarily defined in the standard protocol
+ specification documents, with the corrections, amendments, and
+ supplements contained in this RFC.
+
+ A good-faith implementation of the protocols that was produced after
+ careful reading of the RFC's and with some interaction with the
+ Internet technical community, and that followed good communications
+ software engineering practices, should differ from the requirements
+ of this document in only minor ways. Thus, in many cases, the
+ "requirements" in this RFC are already stated or implied in the
+ standard protocol documents, so that their inclusion here is, in a
+ sense, redundant. However, they were included because some past
+ implementation has made the wrong choice, causing problems of
+ interoperability, performance, and/or robustness.
+
+ This document includes discussion and explanation of many of the
+ requirements and recommendations. A simple list of requirements
+ would be dangerous, because:
+
+ o Some required features are more important than others, and some
+ features are optional.
+
+
+
+Internet Engineering Task Force [Page 5]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ o There may be valid reasons why particular vendor products that
+ are designed for restricted contexts might choose to use
+ different specifications.
+
+ However, the specifications of this document must be followed to meet
+ the general goal of arbitrary host interoperation across the
+ diversity and complexity of the Internet system. Although most
+ current implementations fail to meet these requirements in various
+ ways, some minor and some major, this specification is the ideal
+ towards which we need to move.
+
+ These requirements are based on the current level of Internet
+ architecture. This document will be updated as required to provide
+ additional clarifications or to include additional information in
+ those areas in which specifications are still evolving.
+
+ This introductory section begins with a brief overview of the
+ Internet architecture as it relates to hosts, and then gives some
+ general advice to host software vendors. Finally, there is some
+ guidance on reading the rest of the document and some terminology.
+
+ 1.1 The Internet Architecture
+
+ General background and discussion on the Internet architecture and
+ supporting protocol suite can be found in the DDN Protocol
+ Handbook [INTRO:3]; for background see for example [INTRO:9],
+ [INTRO:10], and [INTRO:11]. Reference [INTRO:5] describes the
+ procedure for obtaining Internet protocol documents, while
+ [INTRO:6] contains a list of the numbers assigned within Internet
+ protocols.
+
+ 1.1.1 Internet Hosts
+
+ A host computer, or simply "host," is the ultimate consumer of
+ communication services. A host generally executes application
+ programs on behalf of user(s), employing network and/or
+ Internet communication services in support of this function.
+ An Internet host corresponds to the concept of an "End-System"
+ used in the OSI protocol suite [INTRO:13].
+
+ An Internet communication system consists of interconnected
+ packet networks supporting communication among host computers
+ using the Internet protocols. The networks are interconnected
+ using packet-switching computers called "gateways" or "IP
+ routers" by the Internet community, and "Intermediate Systems"
+ by the OSI world [INTRO:13]. The RFC "Requirements for
+ Internet Gateways" [INTRO:2] contains the official
+ specifications for Internet gateways. That RFC together with
+
+
+
+Internet Engineering Task Force [Page 6]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ the present document and its companion [INTRO:1] define the
+ rules for the current realization of the Internet architecture.
+
+ Internet hosts span a wide range of size, speed, and function.
+ They range in size from small microprocessors through
+ workstations to mainframes and supercomputers. In function,
+ they range from single-purpose hosts (such as terminal servers)
+ to full-service hosts that support a variety of online network
+ services, typically including remote login, file transfer, and
+ electronic mail.
+
+ A host is generally said to be multihomed if it has more than
+ one interface to the same or to different networks. See
+ Section 1.1.3 on "Terminology".
+
+ 1.1.2 Architectural Assumptions
+
+ The current Internet architecture is based on a set of
+ assumptions about the communication system. The assumptions
+ most relevant to hosts are as follows:
+
+ (a) The Internet is a network of networks.
+
+ Each host is directly connected to some particular
+ network(s); its connection to the Internet is only
+ conceptual. Two hosts on the same network communicate
+ with each other using the same set of protocols that they
+ would use to communicate with hosts on distant networks.
+
+ (b) Gateways don't keep connection state information.
+
+ To improve robustness of the communication system,
+ gateways are designed to be stateless, forwarding each IP
+ datagram independently of other datagrams. As a result,
+ redundant paths can be exploited to provide robust service
+ in spite of failures of intervening gateways and networks.
+
+ All state information required for end-to-end flow control
+ and reliability is implemented in the hosts, in the
+ transport layer or in application programs. All
+ connection control information is thus co-located with the
+ end points of the communication, so it will be lost only
+ if an end point fails.
+
+ (c) Routing complexity should be in the gateways.
+
+ Routing is a complex and difficult problem, and ought to
+ be performed by the gateways, not the hosts. An important
+
+
+
+Internet Engineering Task Force [Page 7]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ objective is to insulate host software from changes caused
+ by the inevitable evolution of the Internet routing
+ architecture.
+
+ (d) The System must tolerate wide network variation.
+
+ A basic objective of the Internet design is to tolerate a
+ wide range of network characteristics -- e.g., bandwidth,
+ delay, packet loss, packet reordering, and maximum packet
+ size. Another objective is robustness against failure of
+ individual networks, gateways, and hosts, using whatever
+ bandwidth is still available. Finally, the goal is full
+ "open system interconnection": an Internet host must be
+ able to interoperate robustly and effectively with any
+ other Internet host, across diverse Internet paths.
+
+ Sometimes host implementors have designed for less
+ ambitious goals. For example, the LAN environment is
+ typically much more benign than the Internet as a whole;
+ LANs have low packet loss and delay and do not reorder
+ packets. Some vendors have fielded host implementations
+ that are adequate for a simple LAN environment, but work
+ badly for general interoperation. The vendor justifies
+ such a product as being economical within the restricted
+ LAN market. However, isolated LANs seldom stay isolated
+ for long; they are soon gatewayed to each other, to
+ organization-wide internets, and eventually to the global
+ Internet system. In the end, neither the customer nor the
+ vendor is served by incomplete or substandard Internet
+ host software.
+
+ The requirements spelled out in this document are designed
+ for a full-function Internet host, capable of full
+ interoperation over an arbitrary Internet path.
+
+
+ 1.1.3 Internet Protocol Suite
+
+ To communicate using the Internet system, a host must implement
+ the layered set of protocols comprising the Internet protocol
+ suite. A host typically must implement at least one protocol
+ from each layer.
+
+ The protocol layers used in the Internet architecture are as
+ follows [INTRO:4]:
+
+
+ o Application Layer
+
+
+
+Internet Engineering Task Force [Page 8]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ The application layer is the top layer of the Internet
+ protocol suite. The Internet suite does not further
+ subdivide the application layer, although some of the
+ Internet application layer protocols do contain some
+ internal sub-layering. The application layer of the
+ Internet suite essentially combines the functions of the
+ top two layers -- Presentation and Application -- of the
+ OSI reference model.
+
+ We distinguish two categories of application layer
+ protocols: user protocols that provide service directly
+ to users, and support protocols that provide common system
+ functions. Requirements for user and support protocols
+ will be found in the companion RFC [INTRO:1].
+
+ The most common Internet user protocols are:
+
+ o Telnet (remote login)
+ o FTP (file transfer)
+ o SMTP (electronic mail delivery)
+
+ There are a number of other standardized user protocols
+ [INTRO:4] and many private user protocols.
+
+ Support protocols, used for host name mapping, booting,
+ and management, include SNMP, BOOTP, RARP, and the Domain
+ Name System (DNS) protocols.
+
+
+ o Transport Layer
+
+ The transport layer provides end-to-end communication
+ services for applications. There are two primary
+ transport layer protocols at present:
+
+ o Transmission Control Protocol (TCP)
+ o User Datagram Protocol (UDP)
+
+ TCP is a reliable connection-oriented transport service
+ that provides end-to-end reliability, resequencing, and
+ flow control. UDP is a connectionless ("datagram")
+ transport service.
+
+ Other transport protocols have been developed by the
+ research community, and the set of official Internet
+ transport protocols may be expanded in the future.
+
+ Transport layer protocols are discussed in Chapter 4.
+
+
+
+Internet Engineering Task Force [Page 9]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ o Internet Layer
+
+ All Internet transport protocols use the Internet Protocol
+ (IP) to carry data from source host to destination host.
+ IP is a connectionless or datagram internetwork service,
+ providing no end-to-end delivery guarantees. Thus, IP
+ datagrams may arrive at the destination host damaged,
+ duplicated, out of order, or not at all. The layers above
+ IP are responsible for reliable delivery service when it
+ is required. The IP protocol includes provision for
+ addressing, type-of-service specification, fragmentation
+ and reassembly, and security information.
+
+ The datagram or connectionless nature of the IP protocol
+ is a fundamental and characteristic feature of the
+ Internet architecture. Internet IP was the model for the
+ OSI Connectionless Network Protocol [INTRO:12].
+
+ ICMP is a control protocol that is considered to be an
+ integral part of IP, although it is architecturally
+ layered upon IP, i.e., it uses IP to carry its data end-
+ to-end just as a transport protocol like TCP or UDP does.
+ ICMP provides error reporting, congestion reporting, and
+ first-hop gateway redirection.
+
+ IGMP is an Internet layer protocol used for establishing
+ dynamic host groups for IP multicasting.
+
+ The Internet layer protocols IP, ICMP, and IGMP are
+ discussed in Chapter 3.
+
+
+ o Link Layer
+
+ To communicate on its directly-connected network, a host
+ must implement the communication protocol used to
+ interface to that network. We call this a link layer or
+ media-access layer protocol.
+
+ There is a wide variety of link layer protocols,
+ corresponding to the many different types of networks.
+ See Chapter 2.
+
+
+ 1.1.4 Embedded Gateway Code
+
+ Some Internet host software includes embedded gateway
+ functionality, so that these hosts can forward packets as a
+
+
+
+Internet Engineering Task Force [Page 10]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ gateway would, while still performing the application layer
+ functions of a host.
+
+ Such dual-purpose systems must follow the Gateway Requirements
+ RFC [INTRO:2] with respect to their gateway functions, and
+ must follow the present document with respect to their host
+ functions. In all overlapping cases, the two specifications
+ should be in agreement.
+
+ There are varying opinions in the Internet community about
+ embedded gateway functionality. The main arguments are as
+ follows:
+
+ o Pro: in a local network environment where networking is
+ informal, or in isolated internets, it may be convenient
+ and economical to use existing host systems as gateways.
+
+ There is also an architectural argument for embedded
+ gateway functionality: multihoming is much more common
+ than originally foreseen, and multihoming forces a host to
+ make routing decisions as if it were a gateway. If the
+ multihomed host contains an embedded gateway, it will
+ have full routing knowledge and as a result will be able
+ to make more optimal routing decisions.
+
+ o Con: Gateway algorithms and protocols are still changing,
+ and they will continue to change as the Internet system
+ grows larger. Attempting to include a general gateway
+ function within the host IP layer will force host system
+ maintainers to track these (more frequent) changes. Also,
+ a larger pool of gateway implementations will make
+ coordinating the changes more difficult. Finally, the
+ complexity of a gateway IP layer is somewhat greater than
+ that of a host, making the implementation and operation
+ tasks more complex.
+
+ In addition, the style of operation of some hosts is not
+ appropriate for providing stable and robust gateway
+ service.
+
+ There is considerable merit in both of these viewpoints. One
+ conclusion can be drawn: an host administrator must have
+ conscious control over whether or not a given host acts as a
+ gateway. See Section 3.1 for the detailed requirements.
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 11]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ 1.2 General Considerations
+
+ There are two important lessons that vendors of Internet host
+ software have learned and which a new vendor should consider
+ seriously.
+
+ 1.2.1 Continuing Internet Evolution
+
+ The enormous growth of the Internet has revealed problems of
+ management and scaling in a large datagram-based packet
+ communication system. These problems are being addressed, and
+ as a result there will be continuing evolution of the
+ specifications described in this document. These changes will
+ be carefully planned and controlled, since there is extensive
+ participation in this planning by the vendors and by the
+ organizations responsible for operations of the networks.
+
+ Development, evolution, and revision are characteristic of
+ computer network protocols today, and this situation will
+ persist for some years. A vendor who develops computer
+ communication software for the Internet protocol suite (or any
+ other protocol suite!) and then fails to maintain and update
+ that software for changing specifications is going to leave a
+ trail of unhappy customers. The Internet is a large
+ communication network, and the users are in constant contact
+ through it. Experience has shown that knowledge of
+ deficiencies in vendor software propagates quickly through the
+ Internet technical community.
+
+ 1.2.2 Robustness Principle
+
+ At every layer of the protocols, there is a general rule whose
+ application can lead to enormous benefits in robustness and
+ interoperability [IP:1]:
+
+ "Be liberal in what you accept, and
+ conservative in what you send"
+
+ Software should be written to deal with every conceivable
+ error, no matter how unlikely; sooner or later a packet will
+ come in with that particular combination of errors and
+ attributes, and unless the software is prepared, chaos can
+ ensue. In general, it is best to assume that the network is
+ filled with malevolent entities that will send in packets
+ designed to have the worst possible effect. This assumption
+ will lead to suitable protective design, although the most
+ serious problems in the Internet have been caused by
+ unenvisaged mechanisms triggered by low-probability events;
+
+
+
+Internet Engineering Task Force [Page 12]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ mere human malice would never have taken so devious a course!
+
+ Adaptability to change must be designed into all levels of
+ Internet host software. As a simple example, consider a
+ protocol specification that contains an enumeration of values
+ for a particular header field -- e.g., a type field, a port
+ number, or an error code; this enumeration must be assumed to
+ be incomplete. Thus, if a protocol specification defines four
+ possible error codes, the software must not break when a fifth
+ code shows up. An undefined code might be logged (see below),
+ but it must not cause a failure.
+
+ The second part of the principle is almost as important:
+ software on other hosts may contain deficiencies that make it
+ unwise to exploit legal but obscure protocol features. It is
+ unwise to stray far from the obvious and simple, lest untoward
+ effects result elsewhere. A corollary of this is "watch out
+ for misbehaving hosts"; host software should be prepared, not
+ just to survive other misbehaving hosts, but also to cooperate
+ to limit the amount of disruption such hosts can cause to the
+ shared communication facility.
+
+ 1.2.3 Error Logging
+
+ The Internet includes a great variety of host and gateway
+ systems, each implementing many protocols and protocol layers,
+ and some of these contain bugs and mis-features in their
+ Internet protocol software. As a result of complexity,
+ diversity, and distribution of function, the diagnosis of
+ Internet problems is often very difficult.
+
+ Problem diagnosis will be aided if host implementations include
+ a carefully designed facility for logging erroneous or
+ "strange" protocol events. It is important to include as much
+ diagnostic information as possible when an error is logged. In
+ particular, it is often useful to record the header(s) of a
+ packet that caused an error. However, care must be taken to
+ ensure that error logging does not consume prohibitive amounts
+ of resources or otherwise interfere with the operation of the
+ host.
+
+ There is a tendency for abnormal but harmless protocol events
+ to overflow error logging files; this can be avoided by using a
+ "circular" log, or by enabling logging only while diagnosing a
+ known failure. It may be useful to filter and count duplicate
+ successive messages. One strategy that seems to work well is:
+ (1) always count abnormalities and make such counts accessible
+ through the management protocol (see [INTRO:1]); and (2) allow
+
+
+
+Internet Engineering Task Force [Page 13]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ the logging of a great variety of events to be selectively
+ enabled. For example, it might useful to be able to "log
+ everything" or to "log everything for host X".
+
+ Note that different managements may have differing policies
+ about the amount of error logging that they want normally
+ enabled in a host. Some will say, "if it doesn't hurt me, I
+ don't want to know about it", while others will want to take a
+ more watchful and aggressive attitude about detecting and
+ removing protocol abnormalities.
+
+ 1.2.4 Configuration
+
+ It would be ideal if a host implementation of the Internet
+ protocol suite could be entirely self-configuring. This would
+ allow the whole suite to be implemented in ROM or cast into
+ silicon, it would simplify diskless workstations, and it would
+ be an immense boon to harried LAN administrators as well as
+ system vendors. We have not reached this ideal; in fact, we
+ are not even close.
+
+ At many points in this document, you will find a requirement
+ that a parameter be a configurable option. There are several
+ different reasons behind such requirements. In a few cases,
+ there is current uncertainty or disagreement about the best
+ value, and it may be necessary to update the recommended value
+ in the future. In other cases, the value really depends on
+ external factors -- e.g., the size of the host and the
+ distribution of its communication load, or the speeds and
+ topology of nearby networks -- and self-tuning algorithms are
+ unavailable and may be insufficient. In some cases,
+ configurability is needed because of administrative
+ requirements.
+
+ Finally, some configuration options are required to communicate
+ with obsolete or incorrect implementations of the protocols,
+ distributed without sources, that unfortunately persist in many
+ parts of the Internet. To make correct systems coexist with
+ these faulty systems, administrators often have to "mis-
+ configure" the correct systems. This problem will correct
+ itself gradually as the faulty systems are retired, but it
+ cannot be ignored by vendors.
+
+ When we say that a parameter must be configurable, we do not
+ intend to require that its value be explicitly read from a
+ configuration file at every boot time. We recommend that
+ implementors set up a default for each parameter, so a
+ configuration file is only necessary to override those defaults
+
+
+
+Internet Engineering Task Force [Page 14]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ that are inappropriate in a particular installation. Thus, the
+ configurability requirement is an assurance that it will be
+ POSSIBLE to override the default when necessary, even in a
+ binary-only or ROM-based product.
+
+ This document requires a particular value for such defaults in
+ some cases. The choice of default is a sensitive issue when
+ the configuration item controls the accommodation to existing
+ faulty systems. If the Internet is to converge successfully to
+ complete interoperability, the default values built into
+ implementations must implement the official protocol, not
+ "mis-configurations" to accommodate faulty implementations.
+ Although marketing considerations have led some vendors to
+ choose mis-configuration defaults, we urge vendors to choose
+ defaults that will conform to the standard.
+
+ Finally, we note that a vendor needs to provide adequate
+ documentation on all configuration parameters, their limits and
+ effects.
+
+
+ 1.3 Reading this Document
+
+ 1.3.1 Organization
+
+ Protocol layering, which is generally used as an organizing
+ principle in implementing network software, has also been used
+ to organize this document. In describing the rules, we assume
+ that an implementation does strictly mirror the layering of the
+ protocols. Thus, the following three major sections specify
+ the requirements for the link layer, the internet layer, and
+ the transport layer, respectively. A companion RFC [INTRO:1]
+ covers application level software. This layerist organization
+ was chosen for simplicity and clarity.
+
+ However, strict layering is an imperfect model, both for the
+ protocol suite and for recommended implementation approaches.
+ Protocols in different layers interact in complex and sometimes
+ subtle ways, and particular functions often involve multiple
+ layers. There are many design choices in an implementation,
+ many of which involve creative "breaking" of strict layering.
+ Every implementor is urged to read references [INTRO:7] and
+ [INTRO:8].
+
+ This document describes the conceptual service interface
+ between layers using a functional ("procedure call") notation,
+ like that used in the TCP specification [TCP:1]. A host
+ implementation must support the logical information flow
+
+
+
+Internet Engineering Task Force [Page 15]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ implied by these calls, but need not literally implement the
+ calls themselves. For example, many implementations reflect
+ the coupling between the transport layer and the IP layer by
+ giving them shared access to common data structures. These
+ data structures, rather than explicit procedure calls, are then
+ the agency for passing much of the information that is
+ required.
+
+ In general, each major section of this document is organized
+ into the following subsections:
+
+ (1) Introduction
+
+ (2) Protocol Walk-Through -- considers the protocol
+ specification documents section-by-section, correcting
+ errors, stating requirements that may be ambiguous or
+ ill-defined, and providing further clarification or
+ explanation.
+
+ (3) Specific Issues -- discusses protocol design and
+ implementation issues that were not included in the walk-
+ through.
+
+ (4) Interfaces -- discusses the service interface to the next
+ higher layer.
+
+ (5) Summary -- contains a summary of the requirements of the
+ section.
+
+
+ Under many of the individual topics in this document, there is
+ parenthetical material labeled "DISCUSSION" or
+ "IMPLEMENTATION". This material is intended to give
+ clarification and explanation of the preceding requirements
+ text. It also includes some suggestions on possible future
+ directions or developments. The implementation material
+ contains suggested approaches that an implementor may want to
+ consider.
+
+ The summary sections are intended to be guides and indexes to
+ the text, but are necessarily cryptic and incomplete. The
+ summaries should never be used or referenced separately from
+ the complete RFC.
+
+ 1.3.2 Requirements
+
+ In this document, the words that are used to define the
+ significance of each particular requirement are capitalized.
+
+
+
+Internet Engineering Task Force [Page 16]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ These words are:
+
+ * "MUST"
+
+ This word or the adjective "REQUIRED" means that the item
+ is an absolute requirement of the specification.
+
+ * "SHOULD"
+
+ This word or the adjective "RECOMMENDED" means that there
+ may exist valid reasons in particular circumstances to
+ ignore this item, but the full implications should be
+ understood and the case carefully weighed before choosing
+ a different course.
+
+ * "MAY"
+
+ This word or the adjective "OPTIONAL" means that this item
+ is truly optional. One vendor may choose to include the
+ item because a particular marketplace requires it or
+ because it enhances the product, for example; another
+ vendor may omit the same item.
+
+
+ An implementation is not compliant if it fails to satisfy one
+ or more of the MUST requirements for the protocols it
+ implements. An implementation that satisfies all the MUST and
+ all the SHOULD requirements for its protocols is said to be
+ "unconditionally compliant"; one that satisfies all the MUST
+ requirements but not all the SHOULD requirements for its
+ protocols is said to be "conditionally compliant".
+
+ 1.3.3 Terminology
+
+ This document uses the following technical terms:
+
+ Segment
+ A segment is the unit of end-to-end transmission in the
+ TCP protocol. A segment consists of a TCP header followed
+ by application data. A segment is transmitted by
+ encapsulation inside an IP datagram.
+
+ Message
+ In this description of the lower-layer protocols, a
+ message is the unit of transmission in a transport layer
+ protocol. In particular, a TCP segment is a message. A
+ message consists of a transport protocol header followed
+ by application protocol data. To be transmitted end-to-
+
+
+
+Internet Engineering Task Force [Page 17]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ end through the Internet, a message must be encapsulated
+ inside a datagram.
+
+ IP Datagram
+ An IP datagram is the unit of end-to-end transmission in
+ the IP protocol. An IP datagram consists of an IP header
+ followed by transport layer data, i.e., of an IP header
+ followed by a message.
+
+ In the description of the internet layer (Section 3), the
+ unqualified term "datagram" should be understood to refer
+ to an IP datagram.
+
+ Packet
+ A packet is the unit of data passed across the interface
+ between the internet layer and the link layer. It
+ includes an IP header and data. A packet may be a
+ complete IP datagram or a fragment of an IP datagram.
+
+ Frame
+ A frame is the unit of transmission in a link layer
+ protocol, and consists of a link-layer header followed by
+ a packet.
+
+ Connected Network
+ A network to which a host is interfaced is often known as
+ the "local network" or the "subnetwork" relative to that
+ host. However, these terms can cause confusion, and
+ therefore we use the term "connected network" in this
+ document.
+
+ Multihomed
+ A host is said to be multihomed if it has multiple IP
+ addresses. For a discussion of multihoming, see Section
+ 3.3.4 below.
+
+ Physical network interface
+ This is a physical interface to a connected network and
+ has a (possibly unique) link-layer address. Multiple
+ physical network interfaces on a single host may share the
+ same link-layer address, but the address must be unique
+ for different hosts on the same physical network.
+
+ Logical [network] interface
+ We define a logical [network] interface to be a logical
+ path, distinguished by a unique IP address, to a connected
+ network. See Section 3.3.4.
+
+
+
+
+Internet Engineering Task Force [Page 18]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ Specific-destination address
+ This is the effective destination address of a datagram,
+ even if it is broadcast or multicast; see Section 3.2.1.3.
+
+ Path
+ At a given moment, all the IP datagrams from a particular
+ source host to a particular destination host will
+ typically traverse the same sequence of gateways. We use
+ the term "path" for this sequence. Note that a path is
+ uni-directional; it is not unusual to have different paths
+ in the two directions between a given host pair.
+
+ MTU
+ The maximum transmission unit, i.e., the size of the
+ largest packet that can be transmitted.
+
+
+ The terms frame, packet, datagram, message, and segment are
+ illustrated by the following schematic diagrams:
+
+ A. Transmission on connected network:
+ _______________________________________________
+ | LL hdr | IP hdr | (data) |
+ |________|________|_____________________________|
+
+ <---------- Frame ----------------------------->
+ <----------Packet -------------------->
+
+
+ B. Before IP fragmentation or after IP reassembly:
+ ______________________________________
+ | IP hdr | transport| Application Data |
+ |________|____hdr___|__________________|
+
+ <-------- Datagram ------------------>
+ <-------- Message ----------->
+ or, for TCP:
+ ______________________________________
+ | IP hdr | TCP hdr | Application Data |
+ |________|__________|__________________|
+
+ <-------- Datagram ------------------>
+ <-------- Segment ----------->
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 19]
+
+
+
+
+RFC1122 INTRODUCTION October 1989
+
+
+ 1.4 Acknowledgments
+
+ This document incorporates contributions and comments from a large
+ group of Internet protocol experts, including representatives of
+ university and research labs, vendors, and government agencies.
+ It was assembled primarily by the Host Requirements Working Group
+ of the Internet Engineering Task Force (IETF).
+
+ The Editor would especially like to acknowledge the tireless
+ dedication of the following people, who attended many long
+ meetings and generated 3 million bytes of electronic mail over the
+ past 18 months in pursuit of this document: Philip Almquist, Dave
+ Borman (Cray Research), Noel Chiappa, Dave Crocker (DEC), Steve
+ Deering (Stanford), Mike Karels (Berkeley), Phil Karn (Bellcore),
+ John Lekashman (NASA), Charles Lynn (BBN), Keith McCloghrie (TWG),
+ Paul Mockapetris (ISI), Thomas Narten (Purdue), Craig Partridge
+ (BBN), Drew Perkins (CMU), and James Van Bokkelen (FTP Software).
+
+ In addition, the following people made major contributions to the
+ effort: Bill Barns (Mitre), Steve Bellovin (AT&T), Mike Brescia
+ (BBN), Ed Cain (DCA), Annette DeSchon (ISI), Martin Gross (DCA),
+ Phill Gross (NRI), Charles Hedrick (Rutgers), Van Jacobson (LBL),
+ John Klensin (MIT), Mark Lottor (SRI), Milo Medin (NASA), Bill
+ Melohn (Sun Microsystems), Greg Minshall (Kinetics), Jeff Mogul
+ (DEC), John Mullen (CMC), Jon Postel (ISI), John Romkey (Epilogue
+ Technology), and Mike StJohns (DCA). The following also made
+ significant contributions to particular areas: Eric Allman
+ (Berkeley), Rob Austein (MIT), Art Berggreen (ACC), Keith Bostic
+ (Berkeley), Vint Cerf (NRI), Wayne Hathaway (NASA), Matt Korn
+ (IBM), Erik Naggum (Naggum Software, Norway), Robert Ullmann
+ (Prime Computer), David Waitzman (BBN), Frank Wancho (USA), Arun
+ Welch (Ohio State), Bill Westfield (Cisco), and Rayan Zachariassen
+ (Toronto).
+
+ We are grateful to all, including any contributors who may have
+ been inadvertently omitted from this list.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 20]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+2. LINK LAYER
+
+ 2.1 INTRODUCTION
+
+ All Internet systems, both hosts and gateways, have the same
+ requirements for link layer protocols. These requirements are
+ given in Chapter 3 of "Requirements for Internet Gateways"
+ [INTRO:2], augmented with the material in this section.
+
+ 2.2 PROTOCOL WALK-THROUGH
+
+ None.
+
+ 2.3 SPECIFIC ISSUES
+
+ 2.3.1 Trailer Protocol Negotiation
+
+ The trailer protocol [LINK:1] for link-layer encapsulation MAY
+ be used, but only when it has been verified that both systems
+ (host or gateway) involved in the link-layer communication
+ implement trailers. If the system does not dynamically
+ negotiate use of the trailer protocol on a per-destination
+ basis, the default configuration MUST disable the protocol.
+
+ DISCUSSION:
+ The trailer protocol is a link-layer encapsulation
+ technique that rearranges the data contents of packets
+ sent on the physical network. In some cases, trailers
+ improve the throughput of higher layer protocols by
+ reducing the amount of data copying within the operating
+ system. Higher layer protocols are unaware of trailer
+ use, but both the sending and receiving host MUST
+ understand the protocol if it is used.
+
+ Improper use of trailers can result in very confusing
+ symptoms. Only packets with specific size attributes are
+ encapsulated using trailers, and typically only a small
+ fraction of the packets being exchanged have these
+ attributes. Thus, if a system using trailers exchanges
+ packets with a system that does not, some packets
+ disappear into a black hole while others are delivered
+ successfully.
+
+ IMPLEMENTATION:
+ On an Ethernet, packets encapsulated with trailers use a
+ distinct Ethernet type [LINK:1], and trailer negotiation
+ is performed at the time that ARP is used to discover the
+ link-layer address of a destination system.
+
+
+
+Internet Engineering Task Force [Page 21]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+ Specifically, the ARP exchange is completed in the usual
+ manner using the normal IP protocol type, but a host that
+ wants to speak trailers will send an additional "trailer
+ ARP reply" packet, i.e., an ARP reply that specifies the
+ trailer encapsulation protocol type but otherwise has the
+ format of a normal ARP reply. If a host configured to use
+ trailers receives a trailer ARP reply message from a
+ remote machine, it can add that machine to the list of
+ machines that understand trailers, e.g., by marking the
+ corresponding entry in the ARP cache.
+
+ Hosts wishing to receive trailer encapsulations send
+ trailer ARP replies whenever they complete exchanges of
+ normal ARP messages for IP. Thus, a host that received an
+ ARP request for its IP protocol address would send a
+ trailer ARP reply in addition to the normal IP ARP reply;
+ a host that sent the IP ARP request would send a trailer
+ ARP reply when it received the corresponding IP ARP reply.
+ In this way, either the requesting or responding host in
+ an IP ARP exchange may request that it receive trailer
+ encapsulations.
+
+ This scheme, using extra trailer ARP reply packets rather
+ than sending an ARP request for the trailer protocol type,
+ was designed to avoid a continuous exchange of ARP packets
+ with a misbehaving host that, contrary to any
+ specification or common sense, responded to an ARP reply
+ for trailers with another ARP reply for IP. This problem
+ is avoided by sending a trailer ARP reply in response to
+ an IP ARP reply only when the IP ARP reply answers an
+ outstanding request; this is true when the hardware
+ address for the host is still unknown when the IP ARP
+ reply is received. A trailer ARP reply may always be sent
+ along with an IP ARP reply responding to an IP ARP
+ request.
+
+ 2.3.2 Address Resolution Protocol -- ARP
+
+ 2.3.2.1 ARP Cache Validation
+
+ An implementation of the Address Resolution Protocol (ARP)
+ [LINK:2] MUST provide a mechanism to flush out-of-date cache
+ entries. If this mechanism involves a timeout, it SHOULD be
+ possible to configure the timeout value.
+
+ A mechanism to prevent ARP flooding (repeatedly sending an
+ ARP Request for the same IP address, at a high rate) MUST be
+ included. The recommended maximum rate is 1 per second per
+
+
+
+Internet Engineering Task Force [Page 22]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+ destination.
+
+ DISCUSSION:
+ The ARP specification [LINK:2] suggests but does not
+ require a timeout mechanism to invalidate cache entries
+ when hosts change their Ethernet addresses. The
+ prevalence of proxy ARP (see Section 2.4 of [INTRO:2])
+ has significantly increased the likelihood that cache
+ entries in hosts will become invalid, and therefore
+ some ARP-cache invalidation mechanism is now required
+ for hosts. Even in the absence of proxy ARP, a long-
+ period cache timeout is useful in order to
+ automatically correct any bad ARP data that might have
+ been cached.
+
+ IMPLEMENTATION:
+ Four mechanisms have been used, sometimes in
+ combination, to flush out-of-date cache entries.
+
+ (1) Timeout -- Periodically time out cache entries,
+ even if they are in use. Note that this timeout
+ should be restarted when the cache entry is
+ "refreshed" (by observing the source fields,
+ regardless of target address, of an ARP broadcast
+ from the system in question). For proxy ARP
+ situations, the timeout needs to be on the order
+ of a minute.
+
+ (2) Unicast Poll -- Actively poll the remote host by
+ periodically sending a point-to-point ARP Request
+ to it, and delete the entry if no ARP Reply is
+ received from N successive polls. Again, the
+ timeout should be on the order of a minute, and
+ typically N is 2.
+
+ (3) Link-Layer Advice -- If the link-layer driver
+ detects a delivery problem, flush the
+ corresponding ARP cache entry.
+
+ (4) Higher-layer Advice -- Provide a call from the
+ Internet layer to the link layer to indicate a
+ delivery problem. The effect of this call would
+ be to invalidate the corresponding cache entry.
+ This call would be analogous to the
+ "ADVISE_DELIVPROB()" call from the transport layer
+ to the Internet layer (see Section 3.4), and in
+ fact the ADVISE_DELIVPROB routine might in turn
+ call the link-layer advice routine to invalidate
+
+
+
+Internet Engineering Task Force [Page 23]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+ the ARP cache entry.
+
+ Approaches (1) and (2) involve ARP cache timeouts on
+ the order of a minute or less. In the absence of proxy
+ ARP, a timeout this short could create noticeable
+ overhead traffic on a very large Ethernet. Therefore,
+ it may be necessary to configure a host to lengthen the
+ ARP cache timeout.
+
+ 2.3.2.2 ARP Packet Queue
+
+ The link layer SHOULD save (rather than discard) at least
+ one (the latest) packet of each set of packets destined to
+ the same unresolved IP address, and transmit the saved
+ packet when the address has been resolved.
+
+ DISCUSSION:
+ Failure to follow this recommendation causes the first
+ packet of every exchange to be lost. Although higher-
+ layer protocols can generally cope with packet loss by
+ retransmission, packet loss does impact performance.
+ For example, loss of a TCP open request causes the
+ initial round-trip time estimate to be inflated. UDP-
+ based applications such as the Domain Name System are
+ more seriously affected.
+
+ 2.3.3 Ethernet and IEEE 802 Encapsulation
+
+ The IP encapsulation for Ethernets is described in RFC-894
+ [LINK:3], while RFC-1042 [LINK:4] describes the IP
+ encapsulation for IEEE 802 networks. RFC-1042 elaborates and
+ replaces the discussion in Section 3.4 of [INTRO:2].
+
+ Every Internet host connected to a 10Mbps Ethernet cable:
+
+ o MUST be able to send and receive packets using RFC-894
+ encapsulation;
+
+ o SHOULD be able to receive RFC-1042 packets, intermixed
+ with RFC-894 packets; and
+
+ o MAY be able to send packets using RFC-1042 encapsulation.
+
+
+ An Internet host that implements sending both the RFC-894 and
+ the RFC-1042 encapsulations MUST provide a configuration switch
+ to select which is sent, and this switch MUST default to RFC-
+ 894.
+
+
+
+Internet Engineering Task Force [Page 24]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+ Note that the standard IP encapsulation in RFC-1042 does not
+ use the protocol id value (K1=6) that IEEE reserved for IP;
+ instead, it uses a value (K1=170) that implies an extension
+ (the "SNAP") which can be used to hold the Ether-Type field.
+ An Internet system MUST NOT send 802 packets using K1=6.
+
+ Address translation from Internet addresses to link-layer
+ addresses on Ethernet and IEEE 802 networks MUST be managed by
+ the Address Resolution Protocol (ARP).
+
+ The MTU for an Ethernet is 1500 and for 802.3 is 1492.
+
+ DISCUSSION:
+ The IEEE 802.3 specification provides for operation over a
+ 10Mbps Ethernet cable, in which case Ethernet and IEEE
+ 802.3 frames can be physically intermixed. A receiver can
+ distinguish Ethernet and 802.3 frames by the value of the
+ 802.3 Length field; this two-octet field coincides in the
+ header with the Ether-Type field of an Ethernet frame. In
+ particular, the 802.3 Length field must be less than or
+ equal to 1500, while all valid Ether-Type values are
+ greater than 1500.
+
+ Another compatibility problem arises with link-layer
+ broadcasts. A broadcast sent with one framing will not be
+ seen by hosts that can receive only the other framing.
+
+ The provisions of this section were designed to provide
+ direct interoperation between 894-capable and 1042-capable
+ systems on the same cable, to the maximum extent possible.
+ It is intended to support the present situation where
+ 894-only systems predominate, while providing an easy
+ transition to a possible future in which 1042-capable
+ systems become common.
+
+ Note that 894-only systems cannot interoperate directly
+ with 1042-only systems. If the two system types are set
+ up as two different logical networks on the same cable,
+ they can communicate only through an IP gateway.
+ Furthermore, it is not useful or even possible for a
+ dual-format host to discover automatically which format to
+ send, because of the problem of link-layer broadcasts.
+
+ 2.4 LINK/INTERNET LAYER INTERFACE
+
+ The packet receive interface between the IP layer and the link
+ layer MUST include a flag to indicate whether the incoming packet
+ was addressed to a link-layer broadcast address.
+
+
+
+Internet Engineering Task Force [Page 25]
+
+
+
+
+RFC1122 LINK LAYER October 1989
+
+
+ DISCUSSION
+ Although the IP layer does not generally know link layer
+ addresses (since every different network medium typically has
+ a different address format), the broadcast address on a
+ broadcast-capable medium is an important special case. See
+ Section 3.2.2, especially the DISCUSSION concerning broadcast
+ storms.
+
+ The packet send interface between the IP and link layers MUST
+ include the 5-bit TOS field (see Section 3.2.1.6).
+
+ The link layer MUST NOT report a Destination Unreachable error to
+ IP solely because there is no ARP cache entry for a destination.
+
+ 2.5 LINK LAYER REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION| | | |T|T|e
+--------------------------------------------------|-------|-|-|-|-|-|--
+ | | | | | | |
+Trailer encapsulation |2.3.1 | | |x| | |
+Send Trailers by default without negotiation |2.3.1 | | | | |x|
+ARP |2.3.2 | | | | | |
+ Flush out-of-date ARP cache entries |2.3.2.1|x| | | | |
+ Prevent ARP floods |2.3.2.1|x| | | | |
+ Cache timeout configurable |2.3.2.1| |x| | | |
+ Save at least one (latest) unresolved pkt |2.3.2.2| |x| | | |
+Ethernet and IEEE 802 Encapsulation |2.3.3 | | | | | |
+ Host able to: |2.3.3 | | | | | |
+ Send & receive RFC-894 encapsulation |2.3.3 |x| | | | |
+ Receive RFC-1042 encapsulation |2.3.3 | |x| | | |
+ Send RFC-1042 encapsulation |2.3.3 | | |x| | |
+ Then config. sw. to select, RFC-894 dflt |2.3.3 |x| | | | |
+ Send K1=6 encapsulation |2.3.3 | | | | |x|
+ Use ARP on Ethernet and IEEE 802 nets |2.3.3 |x| | | | |
+Link layer report b'casts to IP layer |2.4 |x| | | | |
+IP layer pass TOS to link layer |2.4 |x| | | | |
+No ARP cache entry treated as Dest. Unreach. |2.4 | | | | |x|
+
+
+
+
+
+Internet Engineering Task Force [Page 26]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+3. INTERNET LAYER PROTOCOLS
+
+ 3.1 INTRODUCTION
+
+ The Robustness Principle: "Be liberal in what you accept, and
+ conservative in what you send" is particularly important in the
+ Internet layer, where one misbehaving host can deny Internet
+ service to many other hosts.
+
+ The protocol standards used in the Internet layer are:
+
+ o RFC-791 [IP:1] defines the IP protocol and gives an
+ introduction to the architecture of the Internet.
+
+ o RFC-792 [IP:2] defines ICMP, which provides routing,
+ diagnostic and error functionality for IP. Although ICMP
+ messages are encapsulated within IP datagrams, ICMP
+ processing is considered to be (and is typically implemented
+ as) part of the IP layer. See Section 3.2.2.
+
+ o RFC-950 [IP:3] defines the mandatory subnet extension to the
+ addressing architecture.
+
+ o RFC-1112 [IP:4] defines the Internet Group Management
+ Protocol IGMP, as part of a recommended extension to hosts
+ and to the host-gateway interface to support Internet-wide
+ multicasting at the IP level. See Section 3.2.3.
+
+ The target of an IP multicast may be an arbitrary group of
+ Internet hosts. IP multicasting is designed as a natural
+ extension of the link-layer multicasting facilities of some
+ networks, and it provides a standard means for local access
+ to such link-layer multicasting facilities.
+
+ Other important references are listed in Section 5 of this
+ document.
+
+ The Internet layer of host software MUST implement both IP and
+ ICMP. See Section 3.3.7 for the requirements on support of IGMP.
+
+ The host IP layer has two basic functions: (1) choose the "next
+ hop" gateway or host for outgoing IP datagrams and (2) reassemble
+ incoming IP datagrams. The IP layer may also (3) implement
+ intentional fragmentation of outgoing datagrams. Finally, the IP
+ layer must (4) provide diagnostic and error functionality. We
+ expect that IP layer functions may increase somewhat in the
+ future, as further Internet control and management facilities are
+ developed.
+
+
+
+Internet Engineering Task Force [Page 27]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ For normal datagrams, the processing is straightforward. For
+ incoming datagrams, the IP layer:
+
+ (1) verifies that the datagram is correctly formatted;
+
+ (2) verifies that it is destined to the local host;
+
+ (3) processes options;
+
+ (4) reassembles the datagram if necessary; and
+
+ (5) passes the encapsulated message to the appropriate
+ transport-layer protocol module.
+
+ For outgoing datagrams, the IP layer:
+
+ (1) sets any fields not set by the transport layer;
+
+ (2) selects the correct first hop on the connected network (a
+ process called "routing");
+
+ (3) fragments the datagram if necessary and if intentional
+ fragmentation is implemented (see Section 3.3.3); and
+
+ (4) passes the packet(s) to the appropriate link-layer driver.
+
+
+ A host is said to be multihomed if it has multiple IP addresses.
+ Multihoming introduces considerable confusion and complexity into
+ the protocol suite, and it is an area in which the Internet
+ architecture falls seriously short of solving all problems. There
+ are two distinct problem areas in multihoming:
+
+ (1) Local multihoming -- the host itself is multihomed; or
+
+ (2) Remote multihoming -- the local host needs to communicate
+ with a remote multihomed host.
+
+ At present, remote multihoming MUST be handled at the application
+ layer, as discussed in the companion RFC [INTRO:1]. A host MAY
+ support local multihoming, which is discussed in this document,
+ and in particular in Section 3.3.4.
+
+ Any host that forwards datagrams generated by another host is
+ acting as a gateway and MUST also meet the specifications laid out
+ in the gateway requirements RFC [INTRO:2]. An Internet host that
+ includes embedded gateway code MUST have a configuration switch to
+ disable the gateway function, and this switch MUST default to the
+
+
+
+Internet Engineering Task Force [Page 28]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ non-gateway mode. In this mode, a datagram arriving through one
+ interface will not be forwarded to another host or gateway (unless
+ it is source-routed), regardless of whether the host is single-
+ homed or multihomed. The host software MUST NOT automatically
+ move into gateway mode if the host has more than one interface, as
+ the operator of the machine may neither want to provide that
+ service nor be competent to do so.
+
+ In the following, the action specified in certain cases is to
+ "silently discard" a received datagram. This means that the
+ datagram will be discarded without further processing and that the
+ host will not send any ICMP error message (see Section 3.2.2) as a
+ result. However, for diagnosis of problems a host SHOULD provide
+ the capability of logging the error (see Section 1.2.3), including
+ the contents of the silently-discarded datagram, and SHOULD record
+ the event in a statistics counter.
+
+ DISCUSSION:
+ Silent discard of erroneous datagrams is generally intended
+ to prevent "broadcast storms".
+
+ 3.2 PROTOCOL WALK-THROUGH
+
+ 3.2.1 Internet Protocol -- IP
+
+ 3.2.1.1 Version Number: RFC-791 Section 3.1
+
+ A datagram whose version number is not 4 MUST be silently
+ discarded.
+
+ 3.2.1.2 Checksum: RFC-791 Section 3.1
+
+ A host MUST verify the IP header checksum on every received
+ datagram and silently discard every datagram that has a bad
+ checksum.
+
+ 3.2.1.3 Addressing: RFC-791 Section 3.2
+
+ There are now five classes of IP addresses: Class A through
+ Class E. Class D addresses are used for IP multicasting
+ [IP:4], while Class E addresses are reserved for
+ experimental use.
+
+ A multicast (Class D) address is a 28-bit logical address
+ that stands for a group of hosts, and may be either
+ permanent or transient. Permanent multicast addresses are
+ allocated by the Internet Assigned Number Authority
+ [INTRO:6], while transient addresses may be allocated
+
+
+
+Internet Engineering Task Force [Page 29]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ dynamically to transient groups. Group membership is
+ determined dynamically using IGMP [IP:4].
+
+ We now summarize the important special cases for Class A, B,
+ and C IP addresses, using the following notation for an IP
+ address:
+
+ { <Network-number>, <Host-number> }
+
+ or
+ { <Network-number>, <Subnet-number>, <Host-number> }
+
+ and the notation "-1" for a field that contains all 1 bits.
+ This notation is not intended to imply that the 1-bits in an
+ address mask need be contiguous.
+
+ (a) { 0, 0 }
+
+ This host on this network. MUST NOT be sent, except as
+ a source address as part of an initialization procedure
+ by which the host learns its own IP address.
+
+ See also Section 3.3.6 for a non-standard use of {0,0}.
+
+ (b) { 0, <Host-number> }
+
+ Specified host on this network. It MUST NOT be sent,
+ except as a source address as part of an initialization
+ procedure by which the host learns its full IP address.
+
+ (c) { -1, -1 }
+
+ Limited broadcast. It MUST NOT be used as a source
+ address.
+
+ A datagram with this destination address will be
+ received by every host on the connected physical
+ network but will not be forwarded outside that network.
+
+ (d) { <Network-number>, -1 }
+
+ Directed broadcast to the specified network. It MUST
+ NOT be used as a source address.
+
+ (e) { <Network-number>, <Subnet-number>, -1 }
+
+ Directed broadcast to the specified subnet. It MUST
+ NOT be used as a source address.
+
+
+
+Internet Engineering Task Force [Page 30]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ (f) { <Network-number>, -1, -1 }
+
+ Directed broadcast to all subnets of the specified
+ subnetted network. It MUST NOT be used as a source
+ address.
+
+ (g) { 127, <any> }
+
+ Internal host loopback address. Addresses of this form
+ MUST NOT appear outside a host.
+
+ The <Network-number> is administratively assigned so that
+ its value will be unique in the entire world.
+
+ IP addresses are not permitted to have the value 0 or -1 for
+ any of the <Host-number>, <Network-number>, or <Subnet-
+ number> fields (except in the special cases listed above).
+ This implies that each of these fields will be at least two
+ bits long.
+
+ For further discussion of broadcast addresses, see Section
+ 3.3.6.
+
+ A host MUST support the subnet extensions to IP [IP:3]. As
+ a result, there will be an address mask of the form:
+ {-1, -1, 0} associated with each of the host's local IP
+ addresses; see Sections 3.2.2.9 and 3.3.1.1.
+
+ When a host sends any datagram, the IP source address MUST
+ be one of its own IP addresses (but not a broadcast or
+ multicast address).
+
+ A host MUST silently discard an incoming datagram that is
+ not destined for the host. An incoming datagram is destined
+ for the host if the datagram's destination address field is:
+
+ (1) (one of) the host's IP address(es); or
+
+ (2) an IP broadcast address valid for the connected
+ network; or
+
+ (3) the address for a multicast group of which the host is
+ a member on the incoming physical interface.
+
+ For most purposes, a datagram addressed to a broadcast or
+ multicast destination is processed as if it had been
+ addressed to one of the host's IP addresses; we use the term
+ "specific-destination address" for the equivalent local IP
+
+
+
+Internet Engineering Task Force [Page 31]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ address of the host. The specific-destination address is
+ defined to be the destination address in the IP header
+ unless the header contains a broadcast or multicast address,
+ in which case the specific-destination is an IP address
+ assigned to the physical interface on which the datagram
+ arrived.
+
+ A host MUST silently discard an incoming datagram containing
+ an IP source address that is invalid by the rules of this
+ section. This validation could be done in either the IP
+ layer or by each protocol in the transport layer.
+
+ DISCUSSION:
+ A mis-addressed datagram might be caused by a link-
+ layer broadcast of a unicast datagram or by a gateway
+ or host that is confused or mis-configured.
+
+ An architectural goal for Internet hosts was to allow
+ IP addresses to be featureless 32-bit numbers, avoiding
+ algorithms that required a knowledge of the IP address
+ format. Otherwise, any future change in the format or
+ interpretation of IP addresses will require host
+ software changes. However, validation of broadcast and
+ multicast addresses violates this goal; a few other
+ violations are described elsewhere in this document.
+
+ Implementers should be aware that applications
+ depending upon the all-subnets directed broadcast
+ address (f) may be unusable on some networks. All-
+ subnets broadcast is not widely implemented in vendor
+ gateways at present, and even when it is implemented, a
+ particular network administration may disable it in the
+ gateway configuration.
+
+ 3.2.1.4 Fragmentation and Reassembly: RFC-791 Section 3.2
+
+ The Internet model requires that every host support
+ reassembly. See Sections 3.3.2 and 3.3.3 for the
+ requirements on fragmentation and reassembly.
+
+ 3.2.1.5 Identification: RFC-791 Section 3.2
+
+ When sending an identical copy of an earlier datagram, a
+ host MAY optionally retain the same Identification field in
+ the copy.
+
+
+
+
+
+
+Internet Engineering Task Force [Page 32]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ DISCUSSION:
+ Some Internet protocol experts have maintained that
+ when a host sends an identical copy of an earlier
+ datagram, the new copy should contain the same
+ Identification value as the original. There are two
+ suggested advantages: (1) if the datagrams are
+ fragmented and some of the fragments are lost, the
+ receiver may be able to reconstruct a complete datagram
+ from fragments of the original and the copies; (2) a
+ congested gateway might use the IP Identification field
+ (and Fragment Offset) to discard duplicate datagrams
+ from the queue.
+
+ However, the observed patterns of datagram loss in the
+ Internet do not favor the probability of retransmitted
+ fragments filling reassembly gaps, while other
+ mechanisms (e.g., TCP repacketizing upon
+ retransmission) tend to prevent retransmission of an
+ identical datagram [IP:9]. Therefore, we believe that
+ retransmitting the same Identification field is not
+ useful. Also, a connectionless transport protocol like
+ UDP would require the cooperation of the application
+ programs to retain the same Identification value in
+ identical datagrams.
+
+ 3.2.1.6 Type-of-Service: RFC-791 Section 3.2
+
+ The "Type-of-Service" byte in the IP header is divided into
+ two sections: the Precedence field (high-order 3 bits), and
+ a field that is customarily called "Type-of-Service" or
+ "TOS" (low-order 5 bits). In this document, all references
+ to "TOS" or the "TOS field" refer to the low-order 5 bits
+ only.
+
+ The Precedence field is intended for Department of Defense
+ applications of the Internet protocols. The use of non-zero
+ values in this field is outside the scope of this document
+ and the IP standard specification. Vendors should consult
+ the Defense Communication Agency (DCA) for guidance on the
+ IP Precedence field and its implications for other protocol
+ layers. However, vendors should note that the use of
+ precedence will most likely require that its value be passed
+ between protocol layers in just the same way as the TOS
+ field is passed.
+
+ The IP layer MUST provide a means for the transport layer to
+ set the TOS field of every datagram that is sent; the
+ default is all zero bits. The IP layer SHOULD pass received
+
+
+
+Internet Engineering Task Force [Page 33]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ TOS values up to the transport layer.
+
+ The particular link-layer mappings of TOS contained in RFC-
+ 795 SHOULD NOT be implemented.
+
+ DISCUSSION:
+ While the TOS field has been little used in the past,
+ it is expected to play an increasing role in the near
+ future. The TOS field is expected to be used to
+ control two aspects of gateway operations: routing and
+ queueing algorithms. See Section 2 of [INTRO:1] for
+ the requirements on application programs to specify TOS
+ values.
+
+ The TOS field may also be mapped into link-layer
+ service selectors. This has been applied to provide
+ effective sharing of serial lines by different classes
+ of TCP traffic, for example. However, the mappings
+ suggested in RFC-795 for networks that were included in
+ the Internet as of 1981 are now obsolete.
+
+ 3.2.1.7 Time-to-Live: RFC-791 Section 3.2
+
+ A host MUST NOT send a datagram with a Time-to-Live (TTL)
+ value of zero.
+
+ A host MUST NOT discard a datagram just because it was
+ received with TTL less than 2.
+
+ The IP layer MUST provide a means for the transport layer to
+ set the TTL field of every datagram that is sent. When a
+ fixed TTL value is used, it MUST be configurable. The
+ current suggested value will be published in the "Assigned
+ Numbers" RFC.
+
+ DISCUSSION:
+ The TTL field has two functions: limit the lifetime of
+ TCP segments (see RFC-793 [TCP:1], p. 28), and
+ terminate Internet routing loops. Although TTL is a
+ time in seconds, it also has some attributes of a hop-
+ count, since each gateway is required to reduce the TTL
+ field by at least one.
+
+ The intent is that TTL expiration will cause a datagram
+ to be discarded by a gateway but not by the destination
+ host; however, hosts that act as gateways by forwarding
+ datagrams must follow the gateway rules for TTL.
+
+
+
+
+Internet Engineering Task Force [Page 34]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ A higher-layer protocol may want to set the TTL in
+ order to implement an "expanding scope" search for some
+ Internet resource. This is used by some diagnostic
+ tools, and is expected to be useful for locating the
+ "nearest" server of a given class using IP
+ multicasting, for example. A particular transport
+ protocol may also want to specify its own TTL bound on
+ maximum datagram lifetime.
+
+ A fixed value must be at least big enough for the
+ Internet "diameter," i.e., the longest possible path.
+ A reasonable value is about twice the diameter, to
+ allow for continued Internet growth.
+
+ 3.2.1.8 Options: RFC-791 Section 3.2
+
+ There MUST be a means for the transport layer to specify IP
+ options to be included in transmitted IP datagrams (see
+ Section 3.4).
+
+ All IP options (except NOP or END-OF-LIST) received in
+ datagrams MUST be passed to the transport layer (or to ICMP
+ processing when the datagram is an ICMP message). The IP
+ and transport layer MUST each interpret those IP options
+ that they understand and silently ignore the others.
+
+ Later sections of this document discuss specific IP option
+ support required by each of ICMP, TCP, and UDP.
+
+ DISCUSSION:
+ Passing all received IP options to the transport layer
+ is a deliberate "violation of strict layering" that is
+ designed to ease the introduction of new transport-
+ relevant IP options in the future. Each layer must
+ pick out any options that are relevant to its own
+ processing and ignore the rest. For this purpose,
+ every IP option except NOP and END-OF-LIST will include
+ a specification of its own length.
+
+ This document does not define the order in which a
+ receiver must process multiple options in the same IP
+ header. Hosts sending multiple options must be aware
+ that this introduces an ambiguity in the meaning of
+ certain options when combined with a source-route
+ option.
+
+ IMPLEMENTATION:
+ The IP layer must not crash as the result of an option
+
+
+
+Internet Engineering Task Force [Page 35]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ length that is outside the possible range. For
+ example, erroneous option lengths have been observed to
+ put some IP implementations into infinite loops.
+
+ Here are the requirements for specific IP options:
+
+
+ (a) Security Option
+
+ Some environments require the Security option in every
+ datagram; such a requirement is outside the scope of
+ this document and the IP standard specification. Note,
+ however, that the security options described in RFC-791
+ and RFC-1038 are obsolete. For DoD applications,
+ vendors should consult [IP:8] for guidance.
+
+
+ (b) Stream Identifier Option
+
+ This option is obsolete; it SHOULD NOT be sent, and it
+ MUST be silently ignored if received.
+
+
+ (c) Source Route Options
+
+ A host MUST support originating a source route and MUST
+ be able to act as the final destination of a source
+ route.
+
+ If host receives a datagram containing a completed
+ source route (i.e., the pointer points beyond the last
+ field), the datagram has reached its final destination;
+ the option as received (the recorded route) MUST be
+ passed up to the transport layer (or to ICMP message
+ processing). This recorded route will be reversed and
+ used to form a return source route for reply datagrams
+ (see discussion of IP Options in Section 4). When a
+ return source route is built, it MUST be correctly
+ formed even if the recorded route included the source
+ host (see case (B) in the discussion below).
+
+ An IP header containing more than one Source Route
+ option MUST NOT be sent; the effect on routing of
+ multiple Source Route options is implementation-
+ specific.
+
+ Section 3.3.5 presents the rules for a host acting as
+ an intermediate hop in a source route, i.e., forwarding
+
+
+
+Internet Engineering Task Force [Page 36]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ a source-routed datagram.
+
+ DISCUSSION:
+ If a source-routed datagram is fragmented, each
+ fragment will contain a copy of the source route.
+ Since the processing of IP options (including a
+ source route) must precede reassembly, the
+ original datagram will not be reassembled until
+ the final destination is reached.
+
+ Suppose a source routed datagram is to be routed
+ from host S to host D via gateways G1, G2, ... Gn.
+ There was an ambiguity in the specification over
+ whether the source route option in a datagram sent
+ out by S should be (A) or (B):
+
+ (A): {>>G2, G3, ... Gn, D} <--- CORRECT
+
+ (B): {S, >>G2, G3, ... Gn, D} <---- WRONG
+
+ (where >> represents the pointer). If (A) is
+ sent, the datagram received at D will contain the
+ option: {G1, G2, ... Gn >>}, with S and D as the
+ IP source and destination addresses. If (B) were
+ sent, the datagram received at D would again
+ contain S and D as the same IP source and
+ destination addresses, but the option would be:
+ {S, G1, ...Gn >>}; i.e., the originating host
+ would be the first hop in the route.
+
+
+ (d) Record Route Option
+
+ Implementation of originating and processing the Record
+ Route option is OPTIONAL.
+
+
+ (e) Timestamp Option
+
+ Implementation of originating and processing the
+ Timestamp option is OPTIONAL. If it is implemented,
+ the following rules apply:
+
+ o The originating host MUST record a timestamp in a
+ Timestamp option whose Internet address fields are
+ not pre-specified or whose first pre-specified
+ address is the host's interface address.
+
+
+
+
+Internet Engineering Task Force [Page 37]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ o The destination host MUST (if possible) add the
+ current timestamp to a Timestamp option before
+ passing the option to the transport layer or to
+ ICMP for processing.
+
+ o A timestamp value MUST follow the rules given in
+ Section 3.2.2.8 for the ICMP Timestamp message.
+
+
+ 3.2.2 Internet Control Message Protocol -- ICMP
+
+ ICMP messages are grouped into two classes.
+
+ *
+ ICMP error messages:
+
+ Destination Unreachable (see Section 3.2.2.1)
+ Redirect (see Section 3.2.2.2)
+ Source Quench (see Section 3.2.2.3)
+ Time Exceeded (see Section 3.2.2.4)
+ Parameter Problem (see Section 3.2.2.5)
+
+
+ *
+ ICMP query messages:
+
+ Echo (see Section 3.2.2.6)
+ Information (see Section 3.2.2.7)
+ Timestamp (see Section 3.2.2.8)
+ Address Mask (see Section 3.2.2.9)
+
+
+ If an ICMP message of unknown type is received, it MUST be
+ silently discarded.
+
+ Every ICMP error message includes the Internet header and at
+ least the first 8 data octets of the datagram that triggered
+ the error; more than 8 octets MAY be sent; this header and data
+ MUST be unchanged from the received datagram.
+
+ In those cases where the Internet layer is required to pass an
+ ICMP error message to the transport layer, the IP protocol
+ number MUST be extracted from the original header and used to
+ select the appropriate transport protocol entity to handle the
+ error.
+
+ An ICMP error message SHOULD be sent with normal (i.e., zero)
+ TOS bits.
+
+
+
+Internet Engineering Task Force [Page 38]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ An ICMP error message MUST NOT be sent as the result of
+ receiving:
+
+ * an ICMP error message, or
+
+ * a datagram destined to an IP broadcast or IP multicast
+ address, or
+
+ * a datagram sent as a link-layer broadcast, or
+
+ * a non-initial fragment, or
+
+ * a datagram whose source address does not define a single
+ host -- e.g., a zero address, a loopback address, a
+ broadcast address, a multicast address, or a Class E
+ address.
+
+ NOTE: THESE RESTRICTIONS TAKE PRECEDENCE OVER ANY REQUIREMENT
+ ELSEWHERE IN THIS DOCUMENT FOR SENDING ICMP ERROR MESSAGES.
+
+ DISCUSSION:
+ These rules will prevent the "broadcast storms" that have
+ resulted from hosts returning ICMP error messages in
+ response to broadcast datagrams. For example, a broadcast
+ UDP segment to a non-existent port could trigger a flood
+ of ICMP Destination Unreachable datagrams from all
+ machines that do not have a client for that destination
+ port. On a large Ethernet, the resulting collisions can
+ render the network useless for a second or more.
+
+ Every datagram that is broadcast on the connected network
+ should have a valid IP broadcast address as its IP
+ destination (see Section 3.3.6). However, some hosts
+ violate this rule. To be certain to detect broadcast
+ datagrams, therefore, hosts are required to check for a
+ link-layer broadcast as well as an IP-layer broadcast
+ address.
+
+ IMPLEMENTATION:
+ This requires that the link layer inform the IP layer when
+ a link-layer broadcast datagram has been received; see
+ Section 2.4.
+
+ 3.2.2.1 Destination Unreachable: RFC-792
+
+ The following additional codes are hereby defined:
+
+ 6 = destination network unknown
+
+
+
+Internet Engineering Task Force [Page 39]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ 7 = destination host unknown
+
+ 8 = source host isolated
+
+ 9 = communication with destination network
+ administratively prohibited
+
+ 10 = communication with destination host
+ administratively prohibited
+
+ 11 = network unreachable for type of service
+
+ 12 = host unreachable for type of service
+
+ A host SHOULD generate Destination Unreachable messages with
+ code:
+
+ 2 (Protocol Unreachable), when the designated transport
+ protocol is not supported; or
+
+ 3 (Port Unreachable), when the designated transport
+ protocol (e.g., UDP) is unable to demultiplex the
+ datagram but has no protocol mechanism to inform the
+ sender.
+
+ A Destination Unreachable message that is received MUST be
+ reported to the transport layer. The transport layer SHOULD
+ use the information appropriately; for example, see Sections
+ 4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
+ that has its own mechanism for notifying the sender that a
+ port is unreachable (e.g., TCP, which sends RST segments)
+ MUST nevertheless accept an ICMP Port Unreachable for the
+ same purpose.
+
+ A Destination Unreachable message that is received with code
+ 0 (Net), 1 (Host), or 5 (Bad Source Route) may result from a
+ routing transient and MUST therefore be interpreted as only
+ a hint, not proof, that the specified destination is
+ unreachable [IP:11]. For example, it MUST NOT be used as
+ proof of a dead gateway (see Section 3.3.1).
+
+ 3.2.2.2 Redirect: RFC-792
+
+ A host SHOULD NOT send an ICMP Redirect message; Redirects
+ are to be sent only by gateways.
+
+ A host receiving a Redirect message MUST update its routing
+ information accordingly. Every host MUST be prepared to
+
+
+
+Internet Engineering Task Force [Page 40]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ accept both Host and Network Redirects and to process them
+ as described in Section 3.3.1.2 below.
+
+ A Redirect message SHOULD be silently discarded if the new
+ gateway address it specifies is not on the same connected
+ (sub-) net through which the Redirect arrived [INTRO:2,
+ Appendix A], or if the source of the Redirect is not the
+ current first-hop gateway for the specified destination (see
+ Section 3.3.1).
+
+ 3.2.2.3 Source Quench: RFC-792
+
+ A host MAY send a Source Quench message if it is
+ approaching, or has reached, the point at which it is forced
+ to discard incoming datagrams due to a shortage of
+ reassembly buffers or other resources. See Section 2.2.3 of
+ [INTRO:2] for suggestions on when to send Source Quench.
+
+ If a Source Quench message is received, the IP layer MUST
+ report it to the transport layer (or ICMP processing). In
+ general, the transport or application layer SHOULD implement
+ a mechanism to respond to Source Quench for any protocol
+ that can send a sequence of datagrams to the same
+ destination and which can reasonably be expected to maintain
+ enough state information to make this feasible. See Section
+ 4 for the handling of Source Quench by TCP and UDP.
+
+ DISCUSSION:
+ A Source Quench may be generated by the target host or
+ by some gateway in the path of a datagram. The host
+ receiving a Source Quench should throttle itself back
+ for a period of time, then gradually increase the
+ transmission rate again. The mechanism to respond to
+ Source Quench may be in the transport layer (for
+ connection-oriented protocols like TCP) or in the
+ application layer (for protocols that are built on top
+ of UDP).
+
+ A mechanism has been proposed [IP:14] to make the IP
+ layer respond directly to Source Quench by controlling
+ the rate at which datagrams are sent, however, this
+ proposal is currently experimental and not currently
+ recommended.
+
+ 3.2.2.4 Time Exceeded: RFC-792
+
+ An incoming Time Exceeded message MUST be passed to the
+ transport layer.
+
+
+
+Internet Engineering Task Force [Page 41]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ DISCUSSION:
+ A gateway will send a Time Exceeded Code 0 (In Transit)
+ message when it discards a datagram due to an expired
+ TTL field. This indicates either a gateway routing
+ loop or too small an initial TTL value.
+
+ A host may receive a Time Exceeded Code 1 (Reassembly
+ Timeout) message from a destination host that has timed
+ out and discarded an incomplete datagram; see Section
+ 3.3.2 below. In the future, receipt of this message
+ might be part of some "MTU discovery" procedure, to
+ discover the maximum datagram size that can be sent on
+ the path without fragmentation.
+
+ 3.2.2.5 Parameter Problem: RFC-792
+
+ A host SHOULD generate Parameter Problem messages. An
+ incoming Parameter Problem message MUST be passed to the
+ transport layer, and it MAY be reported to the user.
+
+ DISCUSSION:
+ The ICMP Parameter Problem message is sent to the
+ source host for any problem not specifically covered by
+ another ICMP message. Receipt of a Parameter Problem
+ message generally indicates some local or remote
+ implementation error.
+
+ A new variant on the Parameter Problem message is hereby
+ defined:
+ Code 1 = required option is missing.
+
+ DISCUSSION:
+ This variant is currently in use in the military
+ community for a missing security option.
+
+ 3.2.2.6 Echo Request/Reply: RFC-792
+
+ Every host MUST implement an ICMP Echo server function that
+ receives Echo Requests and sends corresponding Echo Replies.
+ A host SHOULD also implement an application-layer interface
+ for sending an Echo Request and receiving an Echo Reply, for
+ diagnostic purposes.
+
+ An ICMP Echo Request destined to an IP broadcast or IP
+ multicast address MAY be silently discarded.
+
+
+
+
+
+
+Internet Engineering Task Force [Page 42]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ DISCUSSION:
+ This neutral provision results from a passionate debate
+ between those who feel that ICMP Echo to a broadcast
+ address provides a valuable diagnostic capability and
+ those who feel that misuse of this feature can too
+ easily create packet storms.
+
+ The IP source address in an ICMP Echo Reply MUST be the same
+ as the specific-destination address (defined in Section
+ 3.2.1.3) of the corresponding ICMP Echo Request message.
+
+ Data received in an ICMP Echo Request MUST be entirely
+ included in the resulting Echo Reply. However, if sending
+ the Echo Reply requires intentional fragmentation that is
+ not implemented, the datagram MUST be truncated to maximum
+ transmission size (see Section 3.3.3) and sent.
+
+ Echo Reply messages MUST be passed to the ICMP user
+ interface, unless the corresponding Echo Request originated
+ in the IP layer.
+
+ If a Record Route and/or Time Stamp option is received in an
+ ICMP Echo Request, this option (these options) SHOULD be
+ updated to include the current host and included in the IP
+ header of the Echo Reply message, without "truncation".
+ Thus, the recorded route will be for the entire round trip.
+
+ If a Source Route option is received in an ICMP Echo
+ Request, the return route MUST be reversed and used as a
+ Source Route option for the Echo Reply message.
+
+ 3.2.2.7 Information Request/Reply: RFC-792
+
+ A host SHOULD NOT implement these messages.
+
+ DISCUSSION:
+ The Information Request/Reply pair was intended to
+ support self-configuring systems such as diskless
+ workstations, to allow them to discover their IP
+ network numbers at boot time. However, the RARP and
+ BOOTP protocols provide better mechanisms for a host to
+ discover its own IP address.
+
+ 3.2.2.8 Timestamp and Timestamp Reply: RFC-792
+
+ A host MAY implement Timestamp and Timestamp Reply. If they
+ are implemented, the following rules MUST be followed.
+
+
+
+
+Internet Engineering Task Force [Page 43]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ o The ICMP Timestamp server function returns a Timestamp
+ Reply to every Timestamp message that is received. If
+ this function is implemented, it SHOULD be designed for
+ minimum variability in delay (e.g., implemented in the
+ kernel to avoid delay in scheduling a user process).
+
+ The following cases for Timestamp are to be handled
+ according to the corresponding rules for ICMP Echo:
+
+ o An ICMP Timestamp Request message to an IP broadcast or
+ IP multicast address MAY be silently discarded.
+
+ o The IP source address in an ICMP Timestamp Reply MUST
+ be the same as the specific-destination address of the
+ corresponding Timestamp Request message.
+
+ o If a Source-route option is received in an ICMP Echo
+ Request, the return route MUST be reversed and used as
+ a Source Route option for the Timestamp Reply message.
+
+ o If a Record Route and/or Timestamp option is received
+ in a Timestamp Request, this (these) option(s) SHOULD
+ be updated to include the current host and included in
+ the IP header of the Timestamp Reply message.
+
+ o Incoming Timestamp Reply messages MUST be passed up to
+ the ICMP user interface.
+
+ The preferred form for a timestamp value (the "standard
+ value") is in units of milliseconds since midnight Universal
+ Time. However, it may be difficult to provide this value
+ with millisecond resolution. For example, many systems use
+ clocks that update only at line frequency, 50 or 60 times
+ per second. Therefore, some latitude is allowed in a
+ "standard value":
+
+ (a) A "standard value" MUST be updated at least 15 times
+ per second (i.e., at most the six low-order bits of the
+ value may be undefined).
+
+ (b) The accuracy of a "standard value" MUST approximate
+ that of operator-set CPU clocks, i.e., correct within a
+ few minutes.
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 44]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ 3.2.2.9 Address Mask Request/Reply: RFC-950
+
+ A host MUST support the first, and MAY implement all three,
+ of the following methods for determining the address mask(s)
+ corresponding to its IP address(es):
+
+ (1) static configuration information;
+
+ (2) obtaining the address mask(s) dynamically as a side-
+ effect of the system initialization process (see
+ [INTRO:1]); and
+
+ (3) sending ICMP Address Mask Request(s) and receiving ICMP
+ Address Mask Reply(s).
+
+ The choice of method to be used in a particular host MUST be
+ configurable.
+
+ When method (3), the use of Address Mask messages, is
+ enabled, then:
+
+ (a) When it initializes, the host MUST broadcast an Address
+ Mask Request message on the connected network
+ corresponding to the IP address. It MUST retransmit
+ this message a small number of times if it does not
+ receive an immediate Address Mask Reply.
+
+ (b) Until it has received an Address Mask Reply, the host
+ SHOULD assume a mask appropriate for the address class
+ of the IP address, i.e., assume that the connected
+ network is not subnetted.
+
+ (c) The first Address Mask Reply message received MUST be
+ used to set the address mask corresponding to the
+ particular local IP address. This is true even if the
+ first Address Mask Reply message is "unsolicited", in
+ which case it will have been broadcast and may arrive
+ after the host has ceased to retransmit Address Mask
+ Requests. Once the mask has been set by an Address
+ Mask Reply, later Address Mask Reply messages MUST be
+ (silently) ignored.
+
+ Conversely, if Address Mask messages are disabled, then no
+ ICMP Address Mask Requests will be sent, and any ICMP
+ Address Mask Replies received for that local IP address MUST
+ be (silently) ignored.
+
+ A host SHOULD make some reasonableness check on any address
+
+
+
+Internet Engineering Task Force [Page 45]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ mask it installs; see IMPLEMENTATION section below.
+
+ A system MUST NOT send an Address Mask Reply unless it is an
+ authoritative agent for address masks. An authoritative
+ agent may be a host or a gateway, but it MUST be explicitly
+ configured as a address mask agent. Receiving an address
+ mask via an Address Mask Reply does not give the receiver
+ authority and MUST NOT be used as the basis for issuing
+ Address Mask Replies.
+
+ With a statically configured address mask, there SHOULD be
+ an additional configuration flag that determines whether the
+ host is to act as an authoritative agent for this mask,
+ i.e., whether it will answer Address Mask Request messages
+ using this mask.
+
+ If it is configured as an agent, the host MUST broadcast an
+ Address Mask Reply for the mask on the appropriate interface
+ when it initializes.
+
+ See "System Initialization" in [INTRO:1] for more
+ information about the use of Address Mask Request/Reply
+ messages.
+
+ DISCUSSION
+ Hosts that casually send Address Mask Replies with
+ invalid address masks have often been a serious
+ nuisance. To prevent this, Address Mask Replies ought
+ to be sent only by authoritative agents that have been
+ selected by explicit administrative action.
+
+ When an authoritative agent receives an Address Mask
+ Request message, it will send a unicast Address Mask
+ Reply to the source IP address. If the network part of
+ this address is zero (see (a) and (b) in 3.2.1.3), the
+ Reply will be broadcast.
+
+ Getting no reply to its Address Mask Request messages,
+ a host will assume there is no agent and use an
+ unsubnetted mask, but the agent may be only temporarily
+ unreachable. An agent will broadcast an unsolicited
+ Address Mask Reply whenever it initializes, in order to
+ update the masks of all hosts that have initialized in
+ the meantime.
+
+ IMPLEMENTATION:
+ The following reasonableness check on an address mask
+ is suggested: the mask is not all 1 bits, and it is
+
+
+
+Internet Engineering Task Force [Page 46]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ either zero or else the 8 highest-order bits are on.
+
+ 3.2.3 Internet Group Management Protocol IGMP
+
+ IGMP [IP:4] is a protocol used between hosts and gateways on a
+ single network to establish hosts' membership in particular
+ multicast groups. The gateways use this information, in
+ conjunction with a multicast routing protocol, to support IP
+ multicasting across the Internet.
+
+ At this time, implementation of IGMP is OPTIONAL; see Section
+ 3.3.7 for more information. Without IGMP, a host can still
+ participate in multicasting local to its connected networks.
+
+ 3.3 SPECIFIC ISSUES
+
+ 3.3.1 Routing Outbound Datagrams
+
+ The IP layer chooses the correct next hop for each datagram it
+ sends. If the destination is on a connected network, the
+ datagram is sent directly to the destination host; otherwise,
+ it has to be routed to a gateway on a connected network.
+
+ 3.3.1.1 Local/Remote Decision
+
+ To decide if the destination is on a connected network, the
+ following algorithm MUST be used [see IP:3]:
+
+ (a) The address mask (particular to a local IP address for
+ a multihomed host) is a 32-bit mask that selects the
+ network number and subnet number fields of the
+ corresponding IP address.
+
+ (b) If the IP destination address bits extracted by the
+ address mask match the IP source address bits extracted
+ by the same mask, then the destination is on the
+ corresponding connected network, and the datagram is to
+ be transmitted directly to the destination host.
+
+ (c) If not, then the destination is accessible only through
+ a gateway. Selection of a gateway is described below
+ (3.3.1.2).
+
+ A special-case destination address is handled as follows:
+
+ * For a limited broadcast or a multicast address, simply
+ pass the datagram to the link layer for the appropriate
+ interface.
+
+
+
+Internet Engineering Task Force [Page 47]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ * For a (network or subnet) directed broadcast, the
+ datagram can use the standard routing algorithms.
+
+ The host IP layer MUST operate correctly in a minimal
+ network environment, and in particular, when there are no
+ gateways. For example, if the IP layer of a host insists on
+ finding at least one gateway to initialize, the host will be
+ unable to operate on a single isolated broadcast net.
+
+ 3.3.1.2 Gateway Selection
+
+ To efficiently route a series of datagrams to the same
+ destination, the source host MUST keep a "route cache" of
+ mappings to next-hop gateways. A host uses the following
+ basic algorithm on this cache to route a datagram; this
+ algorithm is designed to put the primary routing burden on
+ the gateways [IP:11].
+
+ (a) If the route cache contains no information for a
+ particular destination, the host chooses a "default"
+ gateway and sends the datagram to it. It also builds a
+ corresponding Route Cache entry.
+
+ (b) If that gateway is not the best next hop to the
+ destination, the gateway will forward the datagram to
+ the best next-hop gateway and return an ICMP Redirect
+ message to the source host.
+
+ (c) When it receives a Redirect, the host updates the
+ next-hop gateway in the appropriate route cache entry,
+ so later datagrams to the same destination will go
+ directly to the best gateway.
+
+ Since the subnet mask appropriate to the destination address
+ is generally not known, a Network Redirect message SHOULD be
+ treated identically to a Host Redirect message; i.e., the
+ cache entry for the destination host (only) would be updated
+ (or created, if an entry for that host did not exist) for
+ the new gateway.
+
+ DISCUSSION:
+ This recommendation is to protect against gateways that
+ erroneously send Network Redirects for a subnetted
+ network, in violation of the gateway requirements
+ [INTRO:2].
+
+ When there is no route cache entry for the destination host
+ address (and the destination is not on the connected
+
+
+
+Internet Engineering Task Force [Page 48]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ network), the IP layer MUST pick a gateway from its list of
+ "default" gateways. The IP layer MUST support multiple
+ default gateways.
+
+ As an extra feature, a host IP layer MAY implement a table
+ of "static routes". Each such static route MAY include a
+ flag specifying whether it may be overridden by ICMP
+ Redirects.
+
+ DISCUSSION:
+ A host generally needs to know at least one default
+ gateway to get started. This information can be
+ obtained from a configuration file or else from the
+ host startup sequence, e.g., the BOOTP protocol (see
+ [INTRO:1]).
+
+ It has been suggested that a host can augment its list
+ of default gateways by recording any new gateways it
+ learns about. For example, it can record every gateway
+ to which it is ever redirected. Such a feature, while
+ possibly useful in some circumstances, may cause
+ problems in other cases (e.g., gateways are not all
+ equal), and it is not recommended.
+
+ A static route is typically a particular preset mapping
+ from destination host or network into a particular
+ next-hop gateway; it might also depend on the Type-of-
+ Service (see next section). Static routes would be set
+ up by system administrators to override the normal
+ automatic routing mechanism, to handle exceptional
+ situations. However, any static routing information is
+ a potential source of failure as configurations change
+ or equipment fails.
+
+ 3.3.1.3 Route Cache
+
+ Each route cache entry needs to include the following
+ fields:
+
+ (1) Local IP address (for a multihomed host)
+
+ (2) Destination IP address
+
+ (3) Type(s)-of-Service
+
+ (4) Next-hop gateway IP address
+
+ Field (2) MAY be the full IP address of the destination
+
+
+
+Internet Engineering Task Force [Page 49]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ host, or only the destination network number. Field (3),
+ the TOS, SHOULD be included.
+
+ See Section 3.3.4.2 for a discussion of the implications of
+ multihoming for the lookup procedure in this cache.
+
+ DISCUSSION:
+ Including the Type-of-Service field in the route cache
+ and considering it in the host route algorithm will
+ provide the necessary mechanism for the future when
+ Type-of-Service routing is commonly used in the
+ Internet. See Section 3.2.1.6.
+
+ Each route cache entry defines the endpoints of an
+ Internet path. Although the connecting path may change
+ dynamically in an arbitrary way, the transmission
+ characteristics of the path tend to remain
+ approximately constant over a time period longer than a
+ single typical host-host transport connection.
+ Therefore, a route cache entry is a natural place to
+ cache data on the properties of the path. Examples of
+ such properties might be the maximum unfragmented
+ datagram size (see Section 3.3.3), or the average
+ round-trip delay measured by a transport protocol.
+ This data will generally be both gathered and used by a
+ higher layer protocol, e.g., by TCP, or by an
+ application using UDP. Experiments are currently in
+ progress on caching path properties in this manner.
+
+ There is no consensus on whether the route cache should
+ be keyed on destination host addresses alone, or allow
+ both host and network addresses. Those who favor the
+ use of only host addresses argue that:
+
+ (1) As required in Section 3.3.1.2, Redirect messages
+ will generally result in entries keyed on
+ destination host addresses; the simplest and most
+ general scheme would be to use host addresses
+ always.
+
+ (2) The IP layer may not always know the address mask
+ for a network address in a complex subnetted
+ environment.
+
+ (3) The use of only host addresses allows the
+ destination address to be used as a pure 32-bit
+ number, which may allow the Internet architecture
+ to be more easily extended in the future without
+
+
+
+Internet Engineering Task Force [Page 50]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ any change to the hosts.
+
+ The opposing view is that allowing a mixture of
+ destination hosts and networks in the route cache:
+
+ (1) Saves memory space.
+
+ (2) Leads to a simpler data structure, easily
+ combining the cache with the tables of default and
+ static routes (see below).
+
+ (3) Provides a more useful place to cache path
+ properties, as discussed earlier.
+
+
+ IMPLEMENTATION:
+ The cache needs to be large enough to include entries
+ for the maximum number of destination hosts that may be
+ in use at one time.
+
+ A route cache entry may also include control
+ information used to choose an entry for replacement.
+ This might take the form of a "recently used" bit, a
+ use count, or a last-used timestamp, for example. It
+ is recommended that it include the time of last
+ modification of the entry, for diagnostic purposes.
+
+ An implementation may wish to reduce the overhead of
+ scanning the route cache for every datagram to be
+ transmitted. This may be accomplished with a hash
+ table to speed the lookup, or by giving a connection-
+ oriented transport protocol a "hint" or temporary
+ handle on the appropriate cache entry, to be passed to
+ the IP layer with each subsequent datagram.
+
+ Although we have described the route cache, the lists
+ of default gateways, and a table of static routes as
+ conceptually distinct, in practice they may be combined
+ into a single "routing table" data structure.
+
+ 3.3.1.4 Dead Gateway Detection
+
+ The IP layer MUST be able to detect the failure of a "next-
+ hop" gateway that is listed in its route cache and to choose
+ an alternate gateway (see Section 3.3.1.5).
+
+ Dead gateway detection is covered in some detail in RFC-816
+ [IP:11]. Experience to date has not produced a complete
+
+
+
+Internet Engineering Task Force [Page 51]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ algorithm which is totally satisfactory, though it has
+ identified several forbidden paths and promising techniques.
+
+ * A particular gateway SHOULD NOT be used indefinitely in
+ the absence of positive indications that it is
+ functioning.
+
+ * Active probes such as "pinging" (i.e., using an ICMP
+ Echo Request/Reply exchange) are expensive and scale
+ poorly. In particular, hosts MUST NOT actively check
+ the status of a first-hop gateway by simply pinging the
+ gateway continuously.
+
+ * Even when it is the only effective way to verify a
+ gateway's status, pinging MUST be used only when
+ traffic is being sent to the gateway and when there is
+ no other positive indication to suggest that the
+ gateway is functioning.
+
+ * To avoid pinging, the layers above and/or below the
+ Internet layer SHOULD be able to give "advice" on the
+ status of route cache entries when either positive
+ (gateway OK) or negative (gateway dead) information is
+ available.
+
+
+ DISCUSSION:
+ If an implementation does not include an adequate
+ mechanism for detecting a dead gateway and re-routing,
+ a gateway failure may cause datagrams to apparently
+ vanish into a "black hole". This failure can be
+ extremely confusing for users and difficult for network
+ personnel to debug.
+
+ The dead-gateway detection mechanism must not cause
+ unacceptable load on the host, on connected networks,
+ or on first-hop gateway(s). The exact constraints on
+ the timeliness of dead gateway detection and on
+ acceptable load may vary somewhat depending on the
+ nature of the host's mission, but a host generally
+ needs to detect a failed first-hop gateway quickly
+ enough that transport-layer connections will not break
+ before an alternate gateway can be selected.
+
+ Passing advice from other layers of the protocol stack
+ complicates the interfaces between the layers, but it
+ is the preferred approach to dead gateway detection.
+ Advice can come from almost any part of the IP/TCP
+
+
+
+Internet Engineering Task Force [Page 52]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ architecture, but it is expected to come primarily from
+ the transport and link layers. Here are some possible
+ sources for gateway advice:
+
+ o TCP or any connection-oriented transport protocol
+ should be able to give negative advice, e.g.,
+ triggered by excessive retransmissions.
+
+ o TCP may give positive advice when (new) data is
+ acknowledged. Even though the route may be
+ asymmetric, an ACK for new data proves that the
+ acknowleged data must have been transmitted
+ successfully.
+
+ o An ICMP Redirect message from a particular gateway
+ should be used as positive advice about that
+ gateway.
+
+ o Link-layer information that reliably detects and
+ reports host failures (e.g., ARPANET Destination
+ Dead messages) should be used as negative advice.
+
+ o Failure to ARP or to re-validate ARP mappings may
+ be used as negative advice for the corresponding
+ IP address.
+
+ o Packets arriving from a particular link-layer
+ address are evidence that the system at this
+ address is alive. However, turning this
+ information into advice about gateways requires
+ mapping the link-layer address into an IP address,
+ and then checking that IP address against the
+ gateways pointed to by the route cache. This is
+ probably prohibitively inefficient.
+
+ Note that positive advice that is given for every
+ datagram received may cause unacceptable overhead in
+ the implementation.
+
+ While advice might be passed using required arguments
+ in all interfaces to the IP layer, some transport and
+ application layer protocols cannot deduce the correct
+ advice. These interfaces must therefore allow a
+ neutral value for advice, since either always-positive
+ or always-negative advice leads to incorrect behavior.
+
+ There is another technique for dead gateway detection
+ that has been commonly used but is not recommended.
+
+
+
+Internet Engineering Task Force [Page 53]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ This technique depends upon the host passively
+ receiving ("wiretapping") the Interior Gateway Protocol
+ (IGP) datagrams that the gateways are broadcasting to
+ each other. This approach has the drawback that a host
+ needs to recognize all the interior gateway protocols
+ that gateways may use (see [INTRO:2]). In addition, it
+ only works on a broadcast network.
+
+ At present, pinging (i.e., using ICMP Echo messages) is
+ the mechanism for gateway probing when absolutely
+ required. A successful ping guarantees that the
+ addressed interface and its associated machine are up,
+ but it does not guarantee that the machine is a gateway
+ as opposed to a host. The normal inference is that if
+ a Redirect or other evidence indicates that a machine
+ was a gateway, successful pings will indicate that the
+ machine is still up and hence still a gateway.
+ However, since a host silently discards packets that a
+ gateway would forward or redirect, this assumption
+ could sometimes fail. To avoid this problem, a new
+ ICMP message under development will ask "are you a
+ gateway?"
+
+ IMPLEMENTATION:
+ The following specific algorithm has been suggested:
+
+ o Associate a "reroute timer" with each gateway
+ pointed to by the route cache. Initialize the
+ timer to a value Tr, which must be small enough to
+ allow detection of a dead gateway before transport
+ connections time out.
+
+ o Positive advice would reset the reroute timer to
+ Tr. Negative advice would reduce or zero the
+ reroute timer.
+
+ o Whenever the IP layer used a particular gateway to
+ route a datagram, it would check the corresponding
+ reroute timer. If the timer had expired (reached
+ zero), the IP layer would send a ping to the
+ gateway, followed immediately by the datagram.
+
+ o The ping (ICMP Echo) would be sent again if
+ necessary, up to N times. If no ping reply was
+ received in N tries, the gateway would be assumed
+ to have failed, and a new first-hop gateway would
+ be chosen for all cache entries pointing to the
+ failed gateway.
+
+
+
+Internet Engineering Task Force [Page 54]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ Note that the size of Tr is inversely related to the
+ amount of advice available. Tr should be large enough
+ to insure that:
+
+ * Any pinging will be at a low level (e.g., <10%) of
+ all packets sent to a gateway from the host, AND
+
+ * pinging is infrequent (e.g., every 3 minutes)
+
+ Since the recommended algorithm is concerned with the
+ gateways pointed to by route cache entries, rather than
+ the cache entries themselves, a two level data
+ structure (perhaps coordinated with ARP or similar
+ caches) may be desirable for implementing a route
+ cache.
+
+ 3.3.1.5 New Gateway Selection
+
+ If the failed gateway is not the current default, the IP
+ layer can immediately switch to a default gateway. If it is
+ the current default that failed, the IP layer MUST select a
+ different default gateway (assuming more than one default is
+ known) for the failed route and for establishing new routes.
+
+ DISCUSSION:
+ When a gateway does fail, the other gateways on the
+ connected network will learn of the failure through
+ some inter-gateway routing protocol. However, this
+ will not happen instantaneously, since gateway routing
+ protocols typically have a settling time of 30-60
+ seconds. If the host switches to an alternative
+ gateway before the gateways have agreed on the failure,
+ the new target gateway will probably forward the
+ datagram to the failed gateway and send a Redirect back
+ to the host pointing to the failed gateway (!). The
+ result is likely to be a rapid oscillation in the
+ contents of the host's route cache during the gateway
+ settling period. It has been proposed that the dead-
+ gateway logic should include some hysteresis mechanism
+ to prevent such oscillations. However, experience has
+ not shown any harm from such oscillations, since
+ service cannot be restored to the host until the
+ gateways' routing information does settle down.
+
+ IMPLEMENTATION:
+ One implementation technique for choosing a new default
+ gateway is to simply round-robin among the default
+ gateways in the host's list. Another is to rank the
+
+
+
+Internet Engineering Task Force [Page 55]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ gateways in priority order, and when the current
+ default gateway is not the highest priority one, to
+ "ping" the higher-priority gateways slowly to detect
+ when they return to service. This pinging can be at a
+ very low rate, e.g., 0.005 per second.
+
+ 3.3.1.6 Initialization
+
+ The following information MUST be configurable:
+
+ (1) IP address(es).
+
+ (2) Address mask(s).
+
+ (3) A list of default gateways, with a preference level.
+
+ A manual method of entering this configuration data MUST be
+ provided. In addition, a variety of methods can be used to
+ determine this information dynamically; see the section on
+ "Host Initialization" in [INTRO:1].
+
+ DISCUSSION:
+ Some host implementations use "wiretapping" of gateway
+ protocols on a broadcast network to learn what gateways
+ exist. A standard method for default gateway discovery
+ is under development.
+
+ 3.3.2 Reassembly
+
+ The IP layer MUST implement reassembly of IP datagrams.
+
+ We designate the largest datagram size that can be reassembled
+ by EMTU_R ("Effective MTU to receive"); this is sometimes
+ called the "reassembly buffer size". EMTU_R MUST be greater
+ than or equal to 576, SHOULD be either configurable or
+ indefinite, and SHOULD be greater than or equal to the MTU of
+ the connected network(s).
+
+ DISCUSSION:
+ A fixed EMTU_R limit should not be built into the code
+ because some application layer protocols require EMTU_R
+ values larger than 576.
+
+ IMPLEMENTATION:
+ An implementation may use a contiguous reassembly buffer
+ for each datagram, or it may use a more complex data
+ structure that places no definite limit on the reassembled
+ datagram size; in the latter case, EMTU_R is said to be
+
+
+
+Internet Engineering Task Force [Page 56]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ "indefinite".
+
+ Logically, reassembly is performed by simply copying each
+ fragment into the packet buffer at the proper offset.
+ Note that fragments may overlap if successive
+ retransmissions use different packetizing but the same
+ reassembly Id.
+
+ The tricky part of reassembly is the bookkeeping to
+ determine when all bytes of the datagram have been
+ reassembled. We recommend Clark's algorithm [IP:10] that
+ requires no additional data space for the bookkeeping.
+ However, note that, contrary to [IP:10], the first
+ fragment header needs to be saved for inclusion in a
+ possible ICMP Time Exceeded (Reassembly Timeout) message.
+
+ There MUST be a mechanism by which the transport layer can
+ learn MMS_R, the maximum message size that can be received and
+ reassembled in an IP datagram (see GET_MAXSIZES calls in
+ Section 3.4). If EMTU_R is not indefinite, then the value of
+ MMS_R is given by:
+
+ MMS_R = EMTU_R - 20
+
+ since 20 is the minimum size of an IP header.
+
+ There MUST be a reassembly timeout. The reassembly timeout
+ value SHOULD be a fixed value, not set from the remaining TTL.
+ It is recommended that the value lie between 60 seconds and 120
+ seconds. If this timeout expires, the partially-reassembled
+ datagram MUST be discarded and an ICMP Time Exceeded message
+ sent to the source host (if fragment zero has been received).
+
+ DISCUSSION:
+ The IP specification says that the reassembly timeout
+ should be the remaining TTL from the IP header, but this
+ does not work well because gateways generally treat TTL as
+ a simple hop count rather than an elapsed time. If the
+ reassembly timeout is too small, datagrams will be
+ discarded unnecessarily, and communication may fail. The
+ timeout needs to be at least as large as the typical
+ maximum delay across the Internet. A realistic minimum
+ reassembly timeout would be 60 seconds.
+
+ It has been suggested that a cache might be kept of
+ round-trip times measured by transport protocols for
+ various destinations, and that these values might be used
+ to dynamically determine a reasonable reassembly timeout
+
+
+
+Internet Engineering Task Force [Page 57]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ value. Further investigation of this approach is
+ required.
+
+ If the reassembly timeout is set too high, buffer
+ resources in the receiving host will be tied up too long,
+ and the MSL (Maximum Segment Lifetime) [TCP:1] will be
+ larger than necessary. The MSL controls the maximum rate
+ at which fragmented datagrams can be sent using distinct
+ values of the 16-bit Ident field; a larger MSL lowers the
+ maximum rate. The TCP specification [TCP:1] arbitrarily
+ assumes a value of 2 minutes for MSL. This sets an upper
+ limit on a reasonable reassembly timeout value.
+
+ 3.3.3 Fragmentation
+
+ Optionally, the IP layer MAY implement a mechanism to fragment
+ outgoing datagrams intentionally.
+
+ We designate by EMTU_S ("Effective MTU for sending") the
+ maximum IP datagram size that may be sent, for a particular
+ combination of IP source and destination addresses and perhaps
+ TOS.
+
+ A host MUST implement a mechanism to allow the transport layer
+ to learn MMS_S, the maximum transport-layer message size that
+ may be sent for a given {source, destination, TOS} triplet (see
+ GET_MAXSIZES call in Section 3.4). If no local fragmentation
+ is performed, the value of MMS_S will be:
+
+ MMS_S = EMTU_S - <IP header size>
+
+ and EMTU_S must be less than or equal to the MTU of the network
+ interface corresponding to the source address of the datagram.
+ Note that <IP header size> in this equation will be 20, unless
+ the IP reserves space to insert IP options for its own purposes
+ in addition to any options inserted by the transport layer.
+
+ A host that does not implement local fragmentation MUST ensure
+ that the transport layer (for TCP) or the application layer
+ (for UDP) obtains MMS_S from the IP layer and does not send a
+ datagram exceeding MMS_S in size.
+
+ It is generally desirable to avoid local fragmentation and to
+ choose EMTU_S low enough to avoid fragmentation in any gateway
+ along the path. In the absence of actual knowledge of the
+ minimum MTU along the path, the IP layer SHOULD use
+ EMTU_S <= 576 whenever the destination address is not on a
+ connected network, and otherwise use the connected network's
+
+
+
+Internet Engineering Task Force [Page 58]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ MTU.
+
+ The MTU of each physical interface MUST be configurable.
+
+ A host IP layer implementation MAY have a configuration flag
+ "All-Subnets-MTU", indicating that the MTU of the connected
+ network is to be used for destinations on different subnets
+ within the same network, but not for other networks. Thus,
+ this flag causes the network class mask, rather than the subnet
+ address mask, to be used to choose an EMTU_S. For a multihomed
+ host, an "All-Subnets-MTU" flag is needed for each network
+ interface.
+
+ DISCUSSION:
+ Picking the correct datagram size to use when sending data
+ is a complex topic [IP:9].
+
+ (a) In general, no host is required to accept an IP
+ datagram larger than 576 bytes (including header and
+ data), so a host must not send a larger datagram
+ without explicit knowledge or prior arrangement with
+ the destination host. Thus, MMS_S is only an upper
+ bound on the datagram size that a transport protocol
+ may send; even when MMS_S exceeds 556, the transport
+ layer must limit its messages to 556 bytes in the
+ absence of other knowledge about the destination
+ host.
+
+ (b) Some transport protocols (e.g., TCP) provide a way to
+ explicitly inform the sender about the largest
+ datagram the other end can receive and reassemble
+ [IP:7]. There is no corresponding mechanism in the
+ IP layer.
+
+ A transport protocol that assumes an EMTU_R larger
+ than 576 (see Section 3.3.2), can send a datagram of
+ this larger size to another host that implements the
+ same protocol.
+
+ (c) Hosts should ideally limit their EMTU_S for a given
+ destination to the minimum MTU of all the networks
+ along the path, to avoid any fragmentation. IP
+ fragmentation, while formally correct, can create a
+ serious transport protocol performance problem,
+ because loss of a single fragment means all the
+ fragments in the segment must be retransmitted
+ [IP:9].
+
+
+
+
+Internet Engineering Task Force [Page 59]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ Since nearly all networks in the Internet currently
+ support an MTU of 576 or greater, we strongly recommend
+ the use of 576 for datagrams sent to non-local networks.
+
+ It has been suggested that a host could determine the MTU
+ over a given path by sending a zero-offset datagram
+ fragment and waiting for the receiver to time out the
+ reassembly (which cannot complete!) and return an ICMP
+ Time Exceeded message. This message would include the
+ largest remaining fragment header in its body. More
+ direct mechanisms are being experimented with, but have
+ not yet been adopted (see e.g., RFC-1063).
+
+ 3.3.4 Local Multihoming
+
+ 3.3.4.1 Introduction
+
+ A multihomed host has multiple IP addresses, which we may
+ think of as "logical interfaces". These logical interfaces
+ may be associated with one or more physical interfaces, and
+ these physical interfaces may be connected to the same or
+ different networks.
+
+ Here are some important cases of multihoming:
+
+ (a) Multiple Logical Networks
+
+ The Internet architects envisioned that each physical
+ network would have a single unique IP network (or
+ subnet) number. However, LAN administrators have
+ sometimes found it useful to violate this assumption,
+ operating a LAN with multiple logical networks per
+ physical connected network.
+
+ If a host connected to such a physical network is
+ configured to handle traffic for each of N different
+ logical networks, then the host will have N logical
+ interfaces. These could share a single physical
+ interface, or might use N physical interfaces to the
+ same network.
+
+ (b) Multiple Logical Hosts
+
+ When a host has multiple IP addresses that all have the
+ same <Network-number> part (and the same <Subnet-
+ number> part, if any), the logical interfaces are known
+ as "logical hosts". These logical interfaces might
+ share a single physical interface or might use separate
+
+
+
+Internet Engineering Task Force [Page 60]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ physical interfaces to the same physical network.
+
+ (c) Simple Multihoming
+
+ In this case, each logical interface is mapped into a
+ separate physical interface and each physical interface
+ is connected to a different physical network. The term
+ "multihoming" was originally applied only to this case,
+ but it is now applied more generally.
+
+ A host with embedded gateway functionality will
+ typically fall into the simple multihoming case. Note,
+ however, that a host may be simply multihomed without
+ containing an embedded gateway, i.e., without
+ forwarding datagrams from one connected network to
+ another.
+
+ This case presents the most difficult routing problems.
+ The choice of interface (i.e., the choice of first-hop
+ network) may significantly affect performance or even
+ reachability of remote parts of the Internet.
+
+
+ Finally, we note another possibility that is NOT
+ multihoming: one logical interface may be bound to multiple
+ physical interfaces, in order to increase the reliability or
+ throughput between directly connected machines by providing
+ alternative physical paths between them. For instance, two
+ systems might be connected by multiple point-to-point links.
+ We call this "link-layer multiplexing". With link-layer
+ multiplexing, the protocols above the link layer are unaware
+ that multiple physical interfaces are present; the link-
+ layer device driver is responsible for multiplexing and
+ routing packets across the physical interfaces.
+
+ In the Internet protocol architecture, a transport protocol
+ instance ("entity") has no address of its own, but instead
+ uses a single Internet Protocol (IP) address. This has
+ implications for the IP, transport, and application layers,
+ and for the interfaces between them. In particular, the
+ application software may have to be aware of the multiple IP
+ addresses of a multihomed host; in other cases, the choice
+ can be made within the network software.
+
+ 3.3.4.2 Multihoming Requirements
+
+ The following general rules apply to the selection of an IP
+ source address for sending a datagram from a multihomed
+
+
+
+Internet Engineering Task Force [Page 61]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ host.
+
+ (1) If the datagram is sent in response to a received
+ datagram, the source address for the response SHOULD be
+ the specific-destination address of the request. See
+ Sections 4.1.3.5 and 4.2.3.7 and the "General Issues"
+ section of [INTRO:1] for more specific requirements on
+ higher layers.
+
+ Otherwise, a source address must be selected.
+
+ (2) An application MUST be able to explicitly specify the
+ source address for initiating a connection or a
+ request.
+
+ (3) In the absence of such a specification, the networking
+ software MUST choose a source address. Rules for this
+ choice are described below.
+
+
+ There are two key requirement issues related to multihoming:
+
+ (A) A host MAY silently discard an incoming datagram whose
+ destination address does not correspond to the physical
+ interface through which it is received.
+
+ (B) A host MAY restrict itself to sending (non-source-
+ routed) IP datagrams only through the physical
+ interface that corresponds to the IP source address of
+ the datagrams.
+
+
+ DISCUSSION:
+ Internet host implementors have used two different
+ conceptual models for multihoming, briefly summarized
+ in the following discussion. This document takes no
+ stand on which model is preferred; each seems to have a
+ place. This ambivalence is reflected in the issues (A)
+ and (B) being optional.
+
+ o Strong ES Model
+
+ The Strong ES (End System, i.e., host) model
+ emphasizes the host/gateway (ES/IS) distinction,
+ and would therefore substitute MUST for MAY in
+ issues (A) and (B) above. It tends to model a
+ multihomed host as a set of logical hosts within
+ the same physical host.
+
+
+
+Internet Engineering Task Force [Page 62]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ With respect to (A), proponents of the Strong ES
+ model note that automatic Internet routing
+ mechanisms could not route a datagram to a
+ physical interface that did not correspond to the
+ destination address.
+
+ Under the Strong ES model, the route computation
+ for an outgoing datagram is the mapping:
+
+ route(src IP addr, dest IP addr, TOS)
+ -> gateway
+
+ Here the source address is included as a parameter
+ in order to select a gateway that is directly
+ reachable on the corresponding physical interface.
+ Note that this model logically requires that in
+ general there be at least one default gateway, and
+ preferably multiple defaults, for each IP source
+ address.
+
+ o Weak ES Model
+
+ This view de-emphasizes the ES/IS distinction, and
+ would therefore substitute MUST NOT for MAY in
+ issues (A) and (B). This model may be the more
+ natural one for hosts that wiretap gateway routing
+ protocols, and is necessary for hosts that have
+ embedded gateway functionality.
+
+ The Weak ES Model may cause the Redirect mechanism
+ to fail. If a datagram is sent out a physical
+ interface that does not correspond to the
+ destination address, the first-hop gateway will
+ not realize when it needs to send a Redirect. On
+ the other hand, if the host has embedded gateway
+ functionality, then it has routing information
+ without listening to Redirects.
+
+ In the Weak ES model, the route computation for an
+ outgoing datagram is the mapping:
+
+ route(dest IP addr, TOS) -> gateway, interface
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 63]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ 3.3.4.3 Choosing a Source Address
+
+ DISCUSSION:
+ When it sends an initial connection request (e.g., a
+ TCP "SYN" segment) or a datagram service request (e.g.,
+ a UDP-based query), the transport layer on a multihomed
+ host needs to know which source address to use. If the
+ application does not specify it, the transport layer
+ must ask the IP layer to perform the conceptual
+ mapping:
+
+ GET_SRCADDR(remote IP addr, TOS)
+ -> local IP address
+
+ Here TOS is the Type-of-Service value (see Section
+ 3.2.1.6), and the result is the desired source address.
+ The following rules are suggested for implementing this
+ mapping:
+
+ (a) If the remote Internet address lies on one of the
+ (sub-) nets to which the host is directly
+ connected, a corresponding source address may be
+ chosen, unless the corresponding interface is
+ known to be down.
+
+ (b) The route cache may be consulted, to see if there
+ is an active route to the specified destination
+ network through any network interface; if so, a
+ local IP address corresponding to that interface
+ may be chosen.
+
+ (c) The table of static routes, if any (see Section
+ 3.3.1.2) may be similarly consulted.
+
+ (d) The default gateways may be consulted. If these
+ gateways are assigned to different interfaces, the
+ interface corresponding to the gateway with the
+ highest preference may be chosen.
+
+ In the future, there may be a defined way for a
+ multihomed host to ask the gateways on all connected
+ networks for advice about the best network to use for a
+ given destination.
+
+ IMPLEMENTATION:
+ It will be noted that this process is essentially the
+ same as datagram routing (see Section 3.3.1), and
+ therefore hosts may be able to combine the
+
+
+
+Internet Engineering Task Force [Page 64]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ implementation of the two functions.
+
+ 3.3.5 Source Route Forwarding
+
+ Subject to restrictions given below, a host MAY be able to act
+ as an intermediate hop in a source route, forwarding a source-
+ routed datagram to the next specified hop.
+
+ However, in performing this gateway-like function, the host
+ MUST obey all the relevant rules for a gateway forwarding
+ source-routed datagrams [INTRO:2]. This includes the following
+ specific provisions, which override the corresponding host
+ provisions given earlier in this document:
+
+ (A) TTL (ref. Section 3.2.1.7)
+
+ The TTL field MUST be decremented and the datagram perhaps
+ discarded as specified for a gateway in [INTRO:2].
+
+ (B) ICMP Destination Unreachable (ref. Section 3.2.2.1)
+
+ A host MUST be able to generate Destination Unreachable
+ messages with the following codes:
+
+ 4 (Fragmentation Required but DF Set) when a source-
+ routed datagram cannot be fragmented to fit into the
+ target network;
+
+ 5 (Source Route Failed) when a source-routed datagram
+ cannot be forwarded, e.g., because of a routing
+ problem or because the next hop of a strict source
+ route is not on a connected network.
+
+ (C) IP Source Address (ref. Section 3.2.1.3)
+
+ A source-routed datagram being forwarded MAY (and normally
+ will) have a source address that is not one of the IP
+ addresses of the forwarding host.
+
+ (D) Record Route Option (ref. Section 3.2.1.8d)
+
+ A host that is forwarding a source-routed datagram
+ containing a Record Route option MUST update that option,
+ if it has room.
+
+ (E) Timestamp Option (ref. Section 3.2.1.8e)
+
+ A host that is forwarding a source-routed datagram
+
+
+
+Internet Engineering Task Force [Page 65]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ containing a Timestamp Option MUST add the current
+ timestamp to that option, according to the rules for this
+ option.
+
+ To define the rules restricting host forwarding of source-
+ routed datagrams, we use the term "local source-routing" if the
+ next hop will be through the same physical interface through
+ which the datagram arrived; otherwise, it is "non-local
+ source-routing".
+
+ o A host is permitted to perform local source-routing
+ without restriction.
+
+ o A host that supports non-local source-routing MUST have a
+ configurable switch to disable forwarding, and this switch
+ MUST default to disabled.
+
+ o The host MUST satisfy all gateway requirements for
+ configurable policy filters [INTRO:2] restricting non-
+ local forwarding.
+
+ If a host receives a datagram with an incomplete source route
+ but does not forward it for some reason, the host SHOULD return
+ an ICMP Destination Unreachable (code 5, Source Route Failed)
+ message, unless the datagram was itself an ICMP error message.
+
+ 3.3.6 Broadcasts
+
+ Section 3.2.1.3 defined the four standard IP broadcast address
+ forms:
+
+ Limited Broadcast: {-1, -1}
+
+ Directed Broadcast: {<Network-number>,-1}
+
+ Subnet Directed Broadcast:
+ {<Network-number>,<Subnet-number>,-1}
+
+ All-Subnets Directed Broadcast: {<Network-number>,-1,-1}
+
+ A host MUST recognize any of these forms in the destination
+ address of an incoming datagram.
+
+ There is a class of hosts* that use non-standard broadcast
+ address forms, substituting 0 for -1. All hosts SHOULD
+_________________________
+*4.2BSD Unix and its derivatives, but not 4.3BSD.
+
+
+
+
+Internet Engineering Task Force [Page 66]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ recognize and accept any of these non-standard broadcast
+ addresses as the destination address of an incoming datagram.
+ A host MAY optionally have a configuration option to choose the
+ 0 or the -1 form of broadcast address, for each physical
+ interface, but this option SHOULD default to the standard (-1)
+ form.
+
+ When a host sends a datagram to a link-layer broadcast address,
+ the IP destination address MUST be a legal IP broadcast or IP
+ multicast address.
+
+ A host SHOULD silently discard a datagram that is received via
+ a link-layer broadcast (see Section 2.4) but does not specify
+ an IP multicast or broadcast destination address.
+
+ Hosts SHOULD use the Limited Broadcast address to broadcast to
+ a connected network.
+
+
+ DISCUSSION:
+ Using the Limited Broadcast address instead of a Directed
+ Broadcast address may improve system robustness. Problems
+ are often caused by machines that do not understand the
+ plethora of broadcast addresses (see Section 3.2.1.3), or
+ that may have different ideas about which broadcast
+ addresses are in use. The prime example of the latter is
+ machines that do not understand subnetting but are
+ attached to a subnetted net. Sending a Subnet Broadcast
+ for the connected network will confuse those machines,
+ which will see it as a message to some other host.
+
+ There has been discussion on whether a datagram addressed
+ to the Limited Broadcast address ought to be sent from all
+ the interfaces of a multihomed host. This specification
+ takes no stand on the issue.
+
+ 3.3.7 IP Multicasting
+
+ A host SHOULD support local IP multicasting on all connected
+ networks for which a mapping from Class D IP addresses to
+ link-layer addresses has been specified (see below). Support
+ for local IP multicasting includes sending multicast datagrams,
+ joining multicast groups and receiving multicast datagrams, and
+ leaving multicast groups. This implies support for all of
+ [IP:4] except the IGMP protocol itself, which is OPTIONAL.
+
+
+
+
+
+
+Internet Engineering Task Force [Page 67]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ DISCUSSION:
+ IGMP provides gateways that are capable of multicast
+ routing with the information required to support IP
+ multicasting across multiple networks. At this time,
+ multicast-routing gateways are in the experimental stage
+ and are not widely available. For hosts that are not
+ connected to networks with multicast-routing gateways or
+ that do not need to receive multicast datagrams
+ originating on other networks, IGMP serves no purpose and
+ is therefore optional for now. However, the rest of
+ [IP:4] is currently recommended for the purpose of
+ providing IP-layer access to local network multicast
+ addressing, as a preferable alternative to local broadcast
+ addressing. It is expected that IGMP will become
+ recommended at some future date, when multicast-routing
+ gateways have become more widely available.
+
+ If IGMP is not implemented, a host SHOULD still join the "all-
+ hosts" group (224.0.0.1) when the IP layer is initialized and
+ remain a member for as long as the IP layer is active.
+
+ DISCUSSION:
+ Joining the "all-hosts" group will support strictly local
+ uses of multicasting, e.g., a gateway discovery protocol,
+ even if IGMP is not implemented.
+
+ The mapping of IP Class D addresses to local addresses is
+ currently specified for the following types of networks:
+
+ o Ethernet/IEEE 802.3, as defined in [IP:4].
+
+ o Any network that supports broadcast but not multicast,
+ addressing: all IP Class D addresses map to the local
+ broadcast address.
+
+ o Any type of point-to-point link (e.g., SLIP or HDLC
+ links): no mapping required. All IP multicast datagrams
+ are sent as-is, inside the local framing.
+
+ Mappings for other types of networks will be specified in the
+ future.
+
+ A host SHOULD provide a way for higher-layer protocols or
+ applications to determine which of the host's connected
+ network(s) support IP multicast addressing.
+
+
+
+
+
+
+Internet Engineering Task Force [Page 68]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ 3.3.8 Error Reporting
+
+ Wherever practical, hosts MUST return ICMP error datagrams on
+ detection of an error, except in those cases where returning an
+ ICMP error message is specifically prohibited.
+
+ DISCUSSION:
+ A common phenomenon in datagram networks is the "black
+ hole disease": datagrams are sent out, but nothing comes
+ back. Without any error datagrams, it is difficult for
+ the user to figure out what the problem is.
+
+ 3.4 INTERNET/TRANSPORT LAYER INTERFACE
+
+ The interface between the IP layer and the transport layer MUST
+ provide full access to all the mechanisms of the IP layer,
+ including options, Type-of-Service, and Time-to-Live. The
+ transport layer MUST either have mechanisms to set these interface
+ parameters, or provide a path to pass them through from an
+ application, or both.
+
+ DISCUSSION:
+ Applications are urged to make use of these mechanisms where
+ applicable, even when the mechanisms are not currently
+ effective in the Internet (e.g., TOS). This will allow these
+ mechanisms to be immediately useful when they do become
+ effective, without a large amount of retrofitting of host
+ software.
+
+ We now describe a conceptual interface between the transport layer
+ and the IP layer, as a set of procedure calls. This is an
+ extension of the information in Section 3.3 of RFC-791 [IP:1].
+
+
+ * Send Datagram
+
+ SEND(src, dst, prot, TOS, TTL, BufPTR, len, Id, DF, opt
+ => result )
+
+ where the parameters are defined in RFC-791. Passing an Id
+ parameter is optional; see Section 3.2.1.5.
+
+
+ * Receive Datagram
+
+ RECV(BufPTR, prot
+ => result, src, dst, SpecDest, TOS, len, opt)
+
+
+
+
+Internet Engineering Task Force [Page 69]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ All the parameters are defined in RFC-791, except for:
+
+ SpecDest = specific-destination address of datagram
+ (defined in Section 3.2.1.3)
+
+ The result parameter dst contains the datagram's destination
+ address. Since this may be a broadcast or multicast address,
+ the SpecDest parameter (not shown in RFC-791) MUST be passed.
+ The parameter opt contains all the IP options received in the
+ datagram; these MUST also be passed to the transport layer.
+
+
+ * Select Source Address
+
+ GET_SRCADDR(remote, TOS) -> local
+
+ remote = remote IP address
+ TOS = Type-of-Service
+ local = local IP address
+
+ See Section 3.3.4.3.
+
+
+ * Find Maximum Datagram Sizes
+
+ GET_MAXSIZES(local, remote, TOS) -> MMS_R, MMS_S
+
+ MMS_R = maximum receive transport-message size.
+ MMS_S = maximum send transport-message size.
+ (local, remote, TOS defined above)
+
+ See Sections 3.3.2 and 3.3.3.
+
+
+ * Advice on Delivery Success
+
+ ADVISE_DELIVPROB(sense, local, remote, TOS)
+
+ Here the parameter sense is a 1-bit flag indicating whether
+ positive or negative advice is being given; see the
+ discussion in Section 3.3.1.4. The other parameters were
+ defined earlier.
+
+
+ * Send ICMP Message
+
+ SEND_ICMP(src, dst, TOS, TTL, BufPTR, len, Id, DF, opt)
+ -> result
+
+
+
+Internet Engineering Task Force [Page 70]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ (Parameters defined in RFC-791).
+
+ Passing an Id parameter is optional; see Section 3.2.1.5.
+ The transport layer MUST be able to send certain ICMP
+ messages: Port Unreachable or any of the query-type
+ messages. This function could be considered to be a special
+ case of the SEND() call, of course; we describe it separately
+ for clarity.
+
+
+ * Receive ICMP Message
+
+ RECV_ICMP(BufPTR ) -> result, src, dst, len, opt
+
+ (Parameters defined in RFC-791).
+
+ The IP layer MUST pass certain ICMP messages up to the
+ appropriate transport-layer routine. This function could be
+ considered to be a special case of the RECV() call, of
+ course; we describe it separately for clarity.
+
+ For an ICMP error message, the data that is passed up MUST
+ include the original Internet header plus all the octets of
+ the original message that are included in the ICMP message.
+ This data will be used by the transport layer to locate the
+ connection state information, if any.
+
+ In particular, the following ICMP messages are to be passed
+ up:
+
+ o Destination Unreachable
+
+ o Source Quench
+
+ o Echo Reply (to ICMP user interface, unless the Echo
+ Request originated in the IP layer)
+
+ o Timestamp Reply (to ICMP user interface)
+
+ o Time Exceeded
+
+
+ DISCUSSION:
+ In the future, there may be additions to this interface to
+ pass path data (see Section 3.3.1.3) between the IP and
+ transport layers.
+
+
+
+
+
+Internet Engineering Task Force [Page 71]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ 3.5 INTERNET LAYER REQUIREMENTS SUMMARY
+
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------------|--------|-|-|-|-|-|--
+ | | | | | | |
+Implement IP and ICMP |3.1 |x| | | | |
+Handle remote multihoming in application layer |3.1 |x| | | | |
+Support local multihoming |3.1 | | |x| | |
+Meet gateway specs if forward datagrams |3.1 |x| | | | |
+Configuration switch for embedded gateway |3.1 |x| | | | |1
+ Config switch default to non-gateway |3.1 |x| | | | |1
+ Auto-config based on number of interfaces |3.1 | | | | |x|1
+Able to log discarded datagrams |3.1 | |x| | | |
+ Record in counter |3.1 | |x| | | |
+ | | | | | | |
+Silently discard Version != 4 |3.2.1.1 |x| | | | |
+Verify IP checksum, silently discard bad dgram |3.2.1.2 |x| | | | |
+Addressing: | | | | | | |
+ Subnet addressing (RFC-950) |3.2.1.3 |x| | | | |
+ Src address must be host's own IP address |3.2.1.3 |x| | | | |
+ Silently discard datagram with bad dest addr |3.2.1.3 |x| | | | |
+ Silently discard datagram with bad src addr |3.2.1.3 |x| | | | |
+Support reassembly |3.2.1.4 |x| | | | |
+Retain same Id field in identical datagram |3.2.1.5 | | |x| | |
+ | | | | | | |
+TOS: | | | | | | |
+ Allow transport layer to set TOS |3.2.1.6 |x| | | | |
+ Pass received TOS up to transport layer |3.2.1.6 | |x| | | |
+ Use RFC-795 link-layer mappings for TOS |3.2.1.6 | | | |x| |
+TTL: | | | | | | |
+ Send packet with TTL of 0 |3.2.1.7 | | | | |x|
+ Discard received packets with TTL < 2 |3.2.1.7 | | | | |x|
+ Allow transport layer to set TTL |3.2.1.7 |x| | | | |
+ Fixed TTL is configurable |3.2.1.7 |x| | | | |
+ | | | | | | |
+IP Options: | | | | | | |
+ Allow transport layer to send IP options |3.2.1.8 |x| | | | |
+ Pass all IP options rcvd to higher layer |3.2.1.8 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 72]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ IP layer silently ignore unknown options |3.2.1.8 |x| | | | |
+ Security option |3.2.1.8a| | |x| | |
+ Send Stream Identifier option |3.2.1.8b| | | |x| |
+ Silently ignore Stream Identifer option |3.2.1.8b|x| | | | |
+ Record Route option |3.2.1.8d| | |x| | |
+ Timestamp option |3.2.1.8e| | |x| | |
+Source Route Option: | | | | | | |
+ Originate & terminate Source Route options |3.2.1.8c|x| | | | |
+ Datagram with completed SR passed up to TL |3.2.1.8c|x| | | | |
+ Build correct (non-redundant) return route |3.2.1.8c|x| | | | |
+ Send multiple SR options in one header |3.2.1.8c| | | | |x|
+ | | | | | | |
+ICMP: | | | | | | |
+ Silently discard ICMP msg with unknown type |3.2.2 |x| | | | |
+ Include more than 8 octets of orig datagram |3.2.2 | | |x| | |
+ Included octets same as received |3.2.2 |x| | | | |
+ Demux ICMP Error to transport protocol |3.2.2 |x| | | | |
+ Send ICMP error message with TOS=0 |3.2.2 | |x| | | |
+ Send ICMP error message for: | | | | | | |
+ - ICMP error msg |3.2.2 | | | | |x|
+ - IP b'cast or IP m'cast |3.2.2 | | | | |x|
+ - Link-layer b'cast |3.2.2 | | | | |x|
+ - Non-initial fragment |3.2.2 | | | | |x|
+ - Datagram with non-unique src address |3.2.2 | | | | |x|
+ Return ICMP error msgs (when not prohibited) |3.3.8 |x| | | | |
+ | | | | | | |
+ Dest Unreachable: | | | | | | |
+ Generate Dest Unreachable (code 2/3) |3.2.2.1 | |x| | | |
+ Pass ICMP Dest Unreachable to higher layer |3.2.2.1 |x| | | | |
+ Higher layer act on Dest Unreach |3.2.2.1 | |x| | | |
+ Interpret Dest Unreach as only hint |3.2.2.1 |x| | | | |
+ Redirect: | | | | | | |
+ Host send Redirect |3.2.2.2 | | | |x| |
+ Update route cache when recv Redirect |3.2.2.2 |x| | | | |
+ Handle both Host and Net Redirects |3.2.2.2 |x| | | | |
+ Discard illegal Redirect |3.2.2.2 | |x| | | |
+ Source Quench: | | | | | | |
+ Send Source Quench if buffering exceeded |3.2.2.3 | | |x| | |
+ Pass Source Quench to higher layer |3.2.2.3 |x| | | | |
+ Higher layer act on Source Quench |3.2.2.3 | |x| | | |
+ Time Exceeded: pass to higher layer |3.2.2.4 |x| | | | |
+ Parameter Problem: | | | | | | |
+ Send Parameter Problem messages |3.2.2.5 | |x| | | |
+ Pass Parameter Problem to higher layer |3.2.2.5 |x| | | | |
+ Report Parameter Problem to user |3.2.2.5 | | |x| | |
+ | | | | | | |
+ ICMP Echo Request or Reply: | | | | | | |
+ Echo server and Echo client |3.2.2.6 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 73]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ Echo client |3.2.2.6 | |x| | | |
+ Discard Echo Request to broadcast address |3.2.2.6 | | |x| | |
+ Discard Echo Request to multicast address |3.2.2.6 | | |x| | |
+ Use specific-dest addr as Echo Reply src |3.2.2.6 |x| | | | |
+ Send same data in Echo Reply |3.2.2.6 |x| | | | |
+ Pass Echo Reply to higher layer |3.2.2.6 |x| | | | |
+ Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |
+ Reverse and reflect Source Route option |3.2.2.6 |x| | | | |
+ | | | | | | |
+ ICMP Information Request or Reply: |3.2.2.7 | | | |x| |
+ ICMP Timestamp and Timestamp Reply: |3.2.2.8 | | |x| | |
+ Minimize delay variability |3.2.2.8 | |x| | | |1
+ Silently discard b'cast Timestamp |3.2.2.8 | | |x| | |1
+ Silently discard m'cast Timestamp |3.2.2.8 | | |x| | |1
+ Use specific-dest addr as TS Reply src |3.2.2.8 |x| | | | |1
+ Reflect Record Route, Time Stamp options |3.2.2.6 | |x| | | |1
+ Reverse and reflect Source Route option |3.2.2.8 |x| | | | |1
+ Pass Timestamp Reply to higher layer |3.2.2.8 |x| | | | |1
+ Obey rules for "standard value" |3.2.2.8 |x| | | | |1
+ | | | | | | |
+ ICMP Address Mask Request and Reply: | | | | | | |
+ Addr Mask source configurable |3.2.2.9 |x| | | | |
+ Support static configuration of addr mask |3.2.2.9 |x| | | | |
+ Get addr mask dynamically during booting |3.2.2.9 | | |x| | |
+ Get addr via ICMP Addr Mask Request/Reply |3.2.2.9 | | |x| | |
+ Retransmit Addr Mask Req if no Reply |3.2.2.9 |x| | | | |3
+ Assume default mask if no Reply |3.2.2.9 | |x| | | |3
+ Update address mask from first Reply only |3.2.2.9 |x| | | | |3
+ Reasonableness check on Addr Mask |3.2.2.9 | |x| | | |
+ Send unauthorized Addr Mask Reply msgs |3.2.2.9 | | | | |x|
+ Explicitly configured to be agent |3.2.2.9 |x| | | | |
+ Static config=> Addr-Mask-Authoritative flag |3.2.2.9 | |x| | | |
+ Broadcast Addr Mask Reply when init. |3.2.2.9 |x| | | | |3
+ | | | | | | |
+ROUTING OUTBOUND DATAGRAMS: | | | | | | |
+ Use address mask in local/remote decision |3.3.1.1 |x| | | | |
+ Operate with no gateways on conn network |3.3.1.1 |x| | | | |
+ Maintain "route cache" of next-hop gateways |3.3.1.2 |x| | | | |
+ Treat Host and Net Redirect the same |3.3.1.2 | |x| | | |
+ If no cache entry, use default gateway |3.3.1.2 |x| | | | |
+ Support multiple default gateways |3.3.1.2 |x| | | | |
+ Provide table of static routes |3.3.1.2 | | |x| | |
+ Flag: route overridable by Redirects |3.3.1.2 | | |x| | |
+ Key route cache on host, not net address |3.3.1.3 | | |x| | |
+ Include TOS in route cache |3.3.1.3 | |x| | | |
+ | | | | | | |
+ Able to detect failure of next-hop gateway |3.3.1.4 |x| | | | |
+ Assume route is good forever |3.3.1.4 | | | |x| |
+
+
+
+Internet Engineering Task Force [Page 74]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ Ping gateways continuously |3.3.1.4 | | | | |x|
+ Ping only when traffic being sent |3.3.1.4 |x| | | | |
+ Ping only when no positive indication |3.3.1.4 |x| | | | |
+ Higher and lower layers give advice |3.3.1.4 | |x| | | |
+ Switch from failed default g'way to another |3.3.1.5 |x| | | | |
+ Manual method of entering config info |3.3.1.6 |x| | | | |
+ | | | | | | |
+REASSEMBLY and FRAGMENTATION: | | | | | | |
+ Able to reassemble incoming datagrams |3.3.2 |x| | | | |
+ At least 576 byte datagrams |3.3.2 |x| | | | |
+ EMTU_R configurable or indefinite |3.3.2 | |x| | | |
+ Transport layer able to learn MMS_R |3.3.2 |x| | | | |
+ Send ICMP Time Exceeded on reassembly timeout |3.3.2 |x| | | | |
+ Fixed reassembly timeout value |3.3.2 | |x| | | |
+ | | | | | | |
+ Pass MMS_S to higher layers |3.3.3 |x| | | | |
+ Local fragmentation of outgoing packets |3.3.3 | | |x| | |
+ Else don't send bigger than MMS_S |3.3.3 |x| | | | |
+ Send max 576 to off-net destination |3.3.3 | |x| | | |
+ All-Subnets-MTU configuration flag |3.3.3 | | |x| | |
+ | | | | | | |
+MULTIHOMING: | | | | | | |
+ Reply with same addr as spec-dest addr |3.3.4.2 | |x| | | |
+ Allow application to choose local IP addr |3.3.4.2 |x| | | | |
+ Silently discard d'gram in "wrong" interface |3.3.4.2 | | |x| | |
+ Only send d'gram through "right" interface |3.3.4.2 | | |x| | |4
+ | | | | | | |
+SOURCE-ROUTE FORWARDING: | | | | | | |
+ Forward datagram with Source Route option |3.3.5 | | |x| | |1
+ Obey corresponding gateway rules |3.3.5 |x| | | | |1
+ Update TTL by gateway rules |3.3.5 |x| | | | |1
+ Able to generate ICMP err code 4, 5 |3.3.5 |x| | | | |1
+ IP src addr not local host |3.3.5 | | |x| | |1
+ Update Timestamp, Record Route options |3.3.5 |x| | | | |1
+ Configurable switch for non-local SRing |3.3.5 |x| | | | |1
+ Defaults to OFF |3.3.5 |x| | | | |1
+ Satisfy gwy access rules for non-local SRing |3.3.5 |x| | | | |1
+ If not forward, send Dest Unreach (cd 5) |3.3.5 | |x| | | |2
+ | | | | | | |
+BROADCAST: | | | | | | |
+ Broadcast addr as IP source addr |3.2.1.3 | | | | |x|
+ Receive 0 or -1 broadcast formats OK |3.3.6 | |x| | | |
+ Config'ble option to send 0 or -1 b'cast |3.3.6 | | |x| | |
+ Default to -1 broadcast |3.3.6 | |x| | | |
+ Recognize all broadcast address formats |3.3.6 |x| | | | |
+ Use IP b'cast/m'cast addr in link-layer b'cast |3.3.6 |x| | | | |
+ Silently discard link-layer-only b'cast dg's |3.3.6 | |x| | | |
+ Use Limited Broadcast addr for connected net |3.3.6 | |x| | | |
+
+
+
+Internet Engineering Task Force [Page 75]
+
+
+
+
+RFC1122 INTERNET LAYER October 1989
+
+
+ | | | | | | |
+MULTICAST: | | | | | | |
+ Support local IP multicasting (RFC-1112) |3.3.7 | |x| | | |
+ Support IGMP (RFC-1112) |3.3.7 | | |x| | |
+ Join all-hosts group at startup |3.3.7 | |x| | | |
+ Higher layers learn i'face m'cast capability |3.3.7 | |x| | | |
+ | | | | | | |
+INTERFACE: | | | | | | |
+ Allow transport layer to use all IP mechanisms |3.4 |x| | | | |
+ Pass interface ident up to transport layer |3.4 |x| | | | |
+ Pass all IP options up to transport layer |3.4 |x| | | | |
+ Transport layer can send certain ICMP messages |3.4 |x| | | | |
+ Pass spec'd ICMP messages up to transp. layer |3.4 |x| | | | |
+ Include IP hdr+8 octets or more from orig. |3.4 |x| | | | |
+ Able to leap tall buildings at a single bound |3.5 | |x| | | |
+
+Footnotes:
+
+(1) Only if feature is implemented.
+
+(2) This requirement is overruled if datagram is an ICMP error message.
+
+(3) Only if feature is implemented and is configured "on".
+
+(4) Unless has embedded gateway functionality or is source routed.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 76]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- UDP October 1989
+
+
+4. TRANSPORT PROTOCOLS
+
+ 4.1 USER DATAGRAM PROTOCOL -- UDP
+
+ 4.1.1 INTRODUCTION
+
+ The User Datagram Protocol UDP [UDP:1] offers only a minimal
+ transport service -- non-guaranteed datagram delivery -- and
+ gives applications direct access to the datagram service of the
+ IP layer. UDP is used by applications that do not require the
+ level of service of TCP or that wish to use communications
+ services (e.g., multicast or broadcast delivery) not available
+ from TCP.
+
+ UDP is almost a null protocol; the only services it provides
+ over IP are checksumming of data and multiplexing by port
+ number. Therefore, an application program running over UDP
+ must deal directly with end-to-end communication problems that
+ a connection-oriented protocol would have handled -- e.g.,
+ retransmission for reliable delivery, packetization and
+ reassembly, flow control, congestion avoidance, etc., when
+ these are required. The fairly complex coupling between IP and
+ TCP will be mirrored in the coupling between UDP and many
+ applications using UDP.
+
+ 4.1.2 PROTOCOL WALK-THROUGH
+
+ There are no known errors in the specification of UDP.
+
+ 4.1.3 SPECIFIC ISSUES
+
+ 4.1.3.1 Ports
+
+ UDP well-known ports follow the same rules as TCP well-known
+ ports; see Section 4.2.2.1 below.
+
+ If a datagram arrives addressed to a UDP port for which
+ there is no pending LISTEN call, UDP SHOULD send an ICMP
+ Port Unreachable message.
+
+ 4.1.3.2 IP Options
+
+ UDP MUST pass any IP option that it receives from the IP
+ layer transparently to the application layer.
+
+ An application MUST be able to specify IP options to be sent
+ in its UDP datagrams, and UDP MUST pass these options to the
+ IP layer.
+
+
+
+Internet Engineering Task Force [Page 77]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- UDP October 1989
+
+
+ DISCUSSION:
+ At present, the only options that need be passed
+ through UDP are Source Route, Record Route, and Time
+ Stamp. However, new options may be defined in the
+ future, and UDP need not and should not make any
+ assumptions about the format or content of options it
+ passes to or from the application; an exception to this
+ might be an IP-layer security option.
+
+ An application based on UDP will need to obtain a
+ source route from a request datagram and supply a
+ reversed route for sending the corresponding reply.
+
+ 4.1.3.3 ICMP Messages
+
+ UDP MUST pass to the application layer all ICMP error
+ messages that it receives from the IP layer. Conceptually
+ at least, this may be accomplished with an upcall to the
+ ERROR_REPORT routine (see Section 4.2.4.1).
+
+ DISCUSSION:
+ Note that ICMP error messages resulting from sending a
+ UDP datagram are received asynchronously. A UDP-based
+ application that wants to receive ICMP error messages
+ is responsible for maintaining the state necessary to
+ demultiplex these messages when they arrive; for
+ example, the application may keep a pending receive
+ operation for this purpose. The application is also
+ responsible to avoid confusion from a delayed ICMP
+ error message resulting from an earlier use of the same
+ port(s).
+
+ 4.1.3.4 UDP Checksums
+
+ A host MUST implement the facility to generate and validate
+ UDP checksums. An application MAY optionally be able to
+ control whether a UDP checksum will be generated, but it
+ MUST default to checksumming on.
+
+ If a UDP datagram is received with a checksum that is non-
+ zero and invalid, UDP MUST silently discard the datagram.
+ An application MAY optionally be able to control whether UDP
+ datagrams without checksums should be discarded or passed to
+ the application.
+
+ DISCUSSION:
+ Some applications that normally run only across local
+ area networks have chosen to turn off UDP checksums for
+
+
+
+Internet Engineering Task Force [Page 78]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- UDP October 1989
+
+
+ efficiency. As a result, numerous cases of undetected
+ errors have been reported. The advisability of ever
+ turning off UDP checksumming is very controversial.
+
+ IMPLEMENTATION:
+ There is a common implementation error in UDP
+ checksums. Unlike the TCP checksum, the UDP checksum
+ is optional; the value zero is transmitted in the
+ checksum field of a UDP header to indicate the absence
+ of a checksum. If the transmitter really calculates a
+ UDP checksum of zero, it must transmit the checksum as
+ all 1's (65535). No special action is required at the
+ receiver, since zero and 65535 are equivalent in 1's
+ complement arithmetic.
+
+ 4.1.3.5 UDP Multihoming
+
+ When a UDP datagram is received, its specific-destination
+ address MUST be passed up to the application layer.
+
+ An application program MUST be able to specify the IP source
+ address to be used for sending a UDP datagram or to leave it
+ unspecified (in which case the networking software will
+ choose an appropriate source address). There SHOULD be a
+ way to communicate the chosen source address up to the
+ application layer (e.g, so that the application can later
+ receive a reply datagram only from the corresponding
+ interface).
+
+ DISCUSSION:
+ A request/response application that uses UDP should use
+ a source address for the response that is the same as
+ the specific destination address of the request. See
+ the "General Issues" section of [INTRO:1].
+
+ 4.1.3.6 Invalid Addresses
+
+ A UDP datagram received with an invalid IP source address
+ (e.g., a broadcast or multicast address) must be discarded
+ by UDP or by the IP layer (see Section 3.2.1.3).
+
+ When a host sends a UDP datagram, the source address MUST be
+ (one of) the IP address(es) of the host.
+
+ 4.1.4 UDP/APPLICATION LAYER INTERFACE
+
+ The application interface to UDP MUST provide the full services
+ of the IP/transport interface described in Section 3.4 of this
+
+
+
+Internet Engineering Task Force [Page 79]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- UDP October 1989
+
+
+ document. Thus, an application using UDP needs the functions
+ of the GET_SRCADDR(), GET_MAXSIZES(), ADVISE_DELIVPROB(), and
+ RECV_ICMP() calls described in Section 3.4. For example,
+ GET_MAXSIZES() can be used to learn the effective maximum UDP
+ maximum datagram size for a particular {interface,remote
+ host,TOS} triplet.
+
+ An application-layer program MUST be able to set the TTL and
+ TOS values as well as IP options for sending a UDP datagram,
+ and these values must be passed transparently to the IP layer.
+ UDP MAY pass the received TOS up to the application layer.
+
+ 4.1.5 UDP REQUIREMENTS SUMMARY
+
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------------|--------|-|-|-|-|-|--
+ | | | | | | |
+ UDP | | | | | | |
+-------------------------------------------------|--------|-|-|-|-|-|--
+ | | | | | | |
+UDP send Port Unreachable |4.1.3.1 | |x| | | |
+ | | | | | | |
+IP Options in UDP | | | | | | |
+ - Pass rcv'd IP options to applic layer |4.1.3.2 |x| | | | |
+ - Applic layer can specify IP options in Send |4.1.3.2 |x| | | | |
+ - UDP passes IP options down to IP layer |4.1.3.2 |x| | | | |
+ | | | | | | |
+Pass ICMP msgs up to applic layer |4.1.3.3 |x| | | | |
+ | | | | | | |
+UDP checksums: | | | | | | |
+ - Able to generate/check checksum |4.1.3.4 |x| | | | |
+ - Silently discard bad checksum |4.1.3.4 |x| | | | |
+ - Sender Option to not generate checksum |4.1.3.4 | | |x| | |
+ - Default is to checksum |4.1.3.4 |x| | | | |
+ - Receiver Option to require checksum |4.1.3.4 | | |x| | |
+ | | | | | | |
+UDP Multihoming | | | | | | |
+ - Pass spec-dest addr to application |4.1.3.5 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 80]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- UDP October 1989
+
+
+ - Applic layer can specify Local IP addr |4.1.3.5 |x| | | | |
+ - Applic layer specify wild Local IP addr |4.1.3.5 |x| | | | |
+ - Applic layer notified of Local IP addr used |4.1.3.5 | |x| | | |
+ | | | | | | |
+Bad IP src addr silently discarded by UDP/IP |4.1.3.6 |x| | | | |
+Only send valid IP source address |4.1.3.6 |x| | | | |
+UDP Application Interface Services | | | | | | |
+Full IP interface of 3.4 for application |4.1.4 |x| | | | |
+ - Able to spec TTL, TOS, IP opts when send dg |4.1.4 |x| | | | |
+ - Pass received TOS up to applic layer |4.1.4 | | |x| | |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 81]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ 4.2 TRANSMISSION CONTROL PROTOCOL -- TCP
+
+ 4.2.1 INTRODUCTION
+
+ The Transmission Control Protocol TCP [TCP:1] is the primary
+ virtual-circuit transport protocol for the Internet suite. TCP
+ provides reliable, in-sequence delivery of a full-duplex stream
+ of octets (8-bit bytes). TCP is used by those applications
+ needing reliable, connection-oriented transport service, e.g.,
+ mail (SMTP), file transfer (FTP), and virtual terminal service
+ (Telnet); requirements for these application-layer protocols
+ are described in [INTRO:1].
+
+ 4.2.2 PROTOCOL WALK-THROUGH
+
+ 4.2.2.1 Well-Known Ports: RFC-793 Section 2.7
+
+ DISCUSSION:
+ TCP reserves port numbers in the range 0-255 for
+ "well-known" ports, used to access services that are
+ standardized across the Internet. The remainder of the
+ port space can be freely allocated to application
+ processes. Current well-known port definitions are
+ listed in the RFC entitled "Assigned Numbers"
+ [INTRO:6]. A prerequisite for defining a new well-
+ known port is an RFC documenting the proposed service
+ in enough detail to allow new implementations.
+
+ Some systems extend this notion by adding a third
+ subdivision of the TCP port space: reserved ports,
+ which are generally used for operating-system-specific
+ services. For example, reserved ports might fall
+ between 256 and some system-dependent upper limit.
+ Some systems further choose to protect well-known and
+ reserved ports by permitting only privileged users to
+ open TCP connections with those port values. This is
+ perfectly reasonable as long as the host does not
+ assume that all hosts protect their low-numbered ports
+ in this manner.
+
+ 4.2.2.2 Use of Push: RFC-793 Section 2.8
+
+ When an application issues a series of SEND calls without
+ setting the PUSH flag, the TCP MAY aggregate the data
+ internally without sending it. Similarly, when a series of
+ segments is received without the PSH bit, a TCP MAY queue
+ the data internally without passing it to the receiving
+ application.
+
+
+
+Internet Engineering Task Force [Page 82]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ The PSH bit is not a record marker and is independent of
+ segment boundaries. The transmitter SHOULD collapse
+ successive PSH bits when it packetizes data, to send the
+ largest possible segment.
+
+ A TCP MAY implement PUSH flags on SEND calls. If PUSH flags
+ are not implemented, then the sending TCP: (1) must not
+ buffer data indefinitely, and (2) MUST set the PSH bit in
+ the last buffered segment (i.e., when there is no more
+ queued data to be sent).
+
+ The discussion in RFC-793 on pages 48, 50, and 74
+ erroneously implies that a received PSH flag must be passed
+ to the application layer. Passing a received PSH flag to
+ the application layer is now OPTIONAL.
+
+ An application program is logically required to set the PUSH
+ flag in a SEND call whenever it needs to force delivery of
+ the data to avoid a communication deadlock. However, a TCP
+ SHOULD send a maximum-sized segment whenever possible, to
+ improve performance (see Section 4.2.3.4).
+
+ DISCUSSION:
+ When the PUSH flag is not implemented on SEND calls,
+ i.e., when the application/TCP interface uses a pure
+ streaming model, responsibility for aggregating any
+ tiny data fragments to form reasonable sized segments
+ is partially borne by the application layer.
+
+ Generally, an interactive application protocol must set
+ the PUSH flag at least in the last SEND call in each
+ command or response sequence. A bulk transfer protocol
+ like FTP should set the PUSH flag on the last segment
+ of a file or when necessary to prevent buffer deadlock.
+
+ At the receiver, the PSH bit forces buffered data to be
+ delivered to the application (even if less than a full
+ buffer has been received). Conversely, the lack of a
+ PSH bit can be used to avoid unnecessary wakeup calls
+ to the application process; this can be an important
+ performance optimization for large timesharing hosts.
+ Passing the PSH bit to the receiving application allows
+ an analogous optimization within the application.
+
+ 4.2.2.3 Window Size: RFC-793 Section 3.1
+
+ The window size MUST be treated as an unsigned number, or
+ else large window sizes will appear like negative windows
+
+
+
+Internet Engineering Task Force [Page 83]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ and TCP will not work. It is RECOMMENDED that
+ implementations reserve 32-bit fields for the send and
+ receive window sizes in the connection record and do all
+ window computations with 32 bits.
+
+ DISCUSSION:
+ It is known that the window field in the TCP header is
+ too small for high-speed, long-delay paths.
+ Experimental TCP options have been defined to extend
+ the window size; see for example [TCP:11]. In
+ anticipation of the adoption of such an extension, TCP
+ implementors should treat windows as 32 bits.
+
+ 4.2.2.4 Urgent Pointer: RFC-793 Section 3.1
+
+ The second sentence is in error: the urgent pointer points
+ to the sequence number of the LAST octet (not LAST+1) in a
+ sequence of urgent data. The description on page 56 (last
+ sentence) is correct.
+
+ A TCP MUST support a sequence of urgent data of any length.
+
+ A TCP MUST inform the application layer asynchronously
+ whenever it receives an Urgent pointer and there was
+ previously no pending urgent data, or whenever the Urgent
+ pointer advances in the data stream. There MUST be a way
+ for the application to learn how much urgent data remains to
+ be read from the connection, or at least to determine
+ whether or not more urgent data remains to be read.
+
+ DISCUSSION:
+ Although the Urgent mechanism may be used for any
+ application, it is normally used to send "interrupt"-
+ type commands to a Telnet program (see "Using Telnet
+ Synch Sequence" section in [INTRO:1]).
+
+ The asynchronous or "out-of-band" notification will
+ allow the application to go into "urgent mode", reading
+ data from the TCP connection. This allows control
+ commands to be sent to an application whose normal
+ input buffers are full of unprocessed data.
+
+ IMPLEMENTATION:
+ The generic ERROR-REPORT() upcall described in Section
+ 4.2.4.1 is a possible mechanism for informing the
+ application of the arrival of urgent data.
+
+
+
+
+
+Internet Engineering Task Force [Page 84]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ 4.2.2.5 TCP Options: RFC-793 Section 3.1
+
+ A TCP MUST be able to receive a TCP option in any segment.
+ A TCP MUST ignore without error any TCP option it does not
+ implement, assuming that the option has a length field (all
+ TCP options defined in the future will have length fields).
+ TCP MUST be prepared to handle an illegal option length
+ (e.g., zero) without crashing; a suggested procedure is to
+ reset the connection and log the reason.
+
+ 4.2.2.6 Maximum Segment Size Option: RFC-793 Section 3.1
+
+ TCP MUST implement both sending and receiving the Maximum
+ Segment Size option [TCP:4].
+
+ TCP SHOULD send an MSS (Maximum Segment Size) option in
+ every SYN segment when its receive MSS differs from the
+ default 536, and MAY send it always.
+
+ If an MSS option is not received at connection setup, TCP
+ MUST assume a default send MSS of 536 (576-40) [TCP:4].
+
+ The maximum size of a segment that TCP really sends, the
+ "effective send MSS," MUST be the smaller of the send MSS
+ (which reflects the available reassembly buffer size at the
+ remote host) and the largest size permitted by the IP layer:
+
+ Eff.snd.MSS =
+
+ min(SendMSS+20, MMS_S) - TCPhdrsize - IPoptionsize
+
+ where:
+
+ * SendMSS is the MSS value received from the remote host,
+ or the default 536 if no MSS option is received.
+
+ * MMS_S is the maximum size for a transport-layer message
+ that TCP may send.
+
+ * TCPhdrsize is the size of the TCP header; this is
+ normally 20, but may be larger if TCP options are to be
+ sent.
+
+ * IPoptionsize is the size of any IP options that TCP
+ will pass to the IP layer with the current message.
+
+
+ The MSS value to be sent in an MSS option must be less than
+
+
+
+Internet Engineering Task Force [Page 85]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ or equal to:
+
+ MMS_R - 20
+
+ where MMS_R is the maximum size for a transport-layer
+ message that can be received (and reassembled). TCP obtains
+ MMS_R and MMS_S from the IP layer; see the generic call
+ GET_MAXSIZES in Section 3.4.
+
+ DISCUSSION:
+ The choice of TCP segment size has a strong effect on
+ performance. Larger segments increase throughput by
+ amortizing header size and per-datagram processing
+ overhead over more data bytes; however, if the packet
+ is so large that it causes IP fragmentation, efficiency
+ drops sharply if any fragments are lost [IP:9].
+
+ Some TCP implementations send an MSS option only if the
+ destination host is on a non-connected network.
+ However, in general the TCP layer may not have the
+ appropriate information to make this decision, so it is
+ preferable to leave to the IP layer the task of
+ determining a suitable MTU for the Internet path. We
+ therefore recommend that TCP always send the option (if
+ not 536) and that the IP layer determine MMS_R as
+ specified in 3.3.3 and 3.4. A proposed IP-layer
+ mechanism to measure the MTU would then modify the IP
+ layer without changing TCP.
+
+ 4.2.2.7 TCP Checksum: RFC-793 Section 3.1
+
+ Unlike the UDP checksum (see Section 4.1.3.4), the TCP
+ checksum is never optional. The sender MUST generate it and
+ the receiver MUST check it.
+
+ 4.2.2.8 TCP Connection State Diagram: RFC-793 Section 3.2,
+ page 23
+
+ There are several problems with this diagram:
+
+ (a) The arrow from SYN-SENT to SYN-RCVD should be labeled
+ with "snd SYN,ACK", to agree with the text on page 68
+ and with Figure 8.
+
+ (b) There could be an arrow from SYN-RCVD state to LISTEN
+ state, conditioned on receiving a RST after a passive
+ open (see text page 70).
+
+
+
+
+Internet Engineering Task Force [Page 86]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ (c) It is possible to go directly from FIN-WAIT-1 to the
+ TIME-WAIT state (see page 75 of the spec).
+
+
+ 4.2.2.9 Initial Sequence Number Selection: RFC-793 Section
+ 3.3, page 27
+
+ A TCP MUST use the specified clock-driven selection of
+ initial sequence numbers.
+
+ 4.2.2.10 Simultaneous Open Attempts: RFC-793 Section 3.4, page
+ 32
+
+ There is an error in Figure 8: the packet on line 7 should
+ be identical to the packet on line 5.
+
+ A TCP MUST support simultaneous open attempts.
+
+ DISCUSSION:
+ It sometimes surprises implementors that if two
+ applications attempt to simultaneously connect to each
+ other, only one connection is generated instead of two.
+ This was an intentional design decision; don't try to
+ "fix" it.
+
+ 4.2.2.11 Recovery from Old Duplicate SYN: RFC-793 Section 3.4,
+ page 33
+
+ Note that a TCP implementation MUST keep track of whether a
+ connection has reached SYN_RCVD state as the result of a
+ passive OPEN or an active OPEN.
+
+ 4.2.2.12 RST Segment: RFC-793 Section 3.4
+
+ A TCP SHOULD allow a received RST segment to include data.
+
+ DISCUSSION
+ It has been suggested that a RST segment could contain
+ ASCII text that encoded and explained the cause of the
+ RST. No standard has yet been established for such
+ data.
+
+ 4.2.2.13 Closing a Connection: RFC-793 Section 3.5
+
+ A TCP connection may terminate in two ways: (1) the normal
+ TCP close sequence using a FIN handshake, and (2) an "abort"
+ in which one or more RST segments are sent and the
+ connection state is immediately discarded. If a TCP
+
+
+
+Internet Engineering Task Force [Page 87]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ connection is closed by the remote site, the local
+ application MUST be informed whether it closed normally or
+ was aborted.
+
+ The normal TCP close sequence delivers buffered data
+ reliably in both directions. Since the two directions of a
+ TCP connection are closed independently, it is possible for
+ a connection to be "half closed," i.e., closed in only one
+ direction, and a host is permitted to continue sending data
+ in the open direction on a half-closed connection.
+
+ A host MAY implement a "half-duplex" TCP close sequence, so
+ that an application that has called CLOSE cannot continue to
+ read data from the connection. If such a host issues a
+ CLOSE call while received data is still pending in TCP, or
+ if new data is received after CLOSE is called, its TCP
+ SHOULD send a RST to show that data was lost.
+
+ When a connection is closed actively, it MUST linger in
+ TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
+ However, it MAY accept a new SYN from the remote TCP to
+ reopen the connection directly from TIME-WAIT state, if it:
+
+ (1) assigns its initial sequence number for the new
+ connection to be larger than the largest sequence
+ number it used on the previous connection incarnation,
+ and
+
+ (2) returns to TIME-WAIT state if the SYN turns out to be
+ an old duplicate.
+
+
+ DISCUSSION:
+ TCP's full-duplex data-preserving close is a feature
+ that is not included in the analogous ISO transport
+ protocol TP4.
+
+ Some systems have not implemented half-closed
+ connections, presumably because they do not fit into
+ the I/O model of their particular operating system. On
+ these systems, once an application has called CLOSE, it
+ can no longer read input data from the connection; this
+ is referred to as a "half-duplex" TCP close sequence.
+
+ The graceful close algorithm of TCP requires that the
+ connection state remain defined on (at least) one end
+ of the connection, for a timeout period of 2xMSL, i.e.,
+ 4 minutes. During this period, the (remote socket,
+
+
+
+Internet Engineering Task Force [Page 88]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ local socket) pair that defines the connection is busy
+ and cannot be reused. To shorten the time that a given
+ port pair is tied up, some TCPs allow a new SYN to be
+ accepted in TIME-WAIT state.
+
+ 4.2.2.14 Data Communication: RFC-793 Section 3.7, page 40
+
+ Since RFC-793 was written, there has been extensive work on
+ TCP algorithms to achieve efficient data communication.
+ Later sections of the present document describe required and
+ recommended TCP algorithms to determine when to send data
+ (Section 4.2.3.4), when to send an acknowledgment (Section
+ 4.2.3.2), and when to update the window (Section 4.2.3.3).
+
+ DISCUSSION:
+ One important performance issue is "Silly Window
+ Syndrome" or "SWS" [TCP:5], a stable pattern of small
+ incremental window movements resulting in extremely
+ poor TCP performance. Algorithms to avoid SWS are
+ described below for both the sending side (Section
+ 4.2.3.4) and the receiving side (Section 4.2.3.3).
+
+ In brief, SWS is caused by the receiver advancing the
+ right window edge whenever it has any new buffer space
+ available to receive data and by the sender using any
+ incremental window, no matter how small, to send more
+ data [TCP:5]. The result can be a stable pattern of
+ sending tiny data segments, even though both sender and
+ receiver have a large total buffer space for the
+ connection. SWS can only occur during the transmission
+ of a large amount of data; if the connection goes
+ quiescent, the problem will disappear. It is caused by
+ typical straightforward implementation of window
+ management, but the sender and receiver algorithms
+ given below will avoid it.
+
+ Another important TCP performance issue is that some
+ applications, especially remote login to character-at-
+ a-time hosts, tend to send streams of one-octet data
+ segments. To avoid deadlocks, every TCP SEND call from
+ such applications must be "pushed", either explicitly
+ by the application or else implicitly by TCP. The
+ result may be a stream of TCP segments that contain one
+ data octet each, which makes very inefficient use of
+ the Internet and contributes to Internet congestion.
+ The Nagle Algorithm described in Section 4.2.3.4
+ provides a simple and effective solution to this
+ problem. It does have the effect of clumping
+
+
+
+Internet Engineering Task Force [Page 89]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ characters over Telnet connections; this may initially
+ surprise users accustomed to single-character echo, but
+ user acceptance has not been a problem.
+
+ Note that the Nagle algorithm and the send SWS
+ avoidance algorithm play complementary roles in
+ improving performance. The Nagle algorithm discourages
+ sending tiny segments when the data to be sent
+ increases in small increments, while the SWS avoidance
+ algorithm discourages small segments resulting from the
+ right window edge advancing in small increments.
+
+ A careless implementation can send two or more
+ acknowledgment segments per data segment received. For
+ example, suppose the receiver acknowledges every data
+ segment immediately. When the application program
+ subsequently consumes the data and increases the
+ available receive buffer space again, the receiver may
+ send a second acknowledgment segment to update the
+ window at the sender. The extreme case occurs with
+ single-character segments on TCP connections using the
+ Telnet protocol for remote login service. Some
+ implementations have been observed in which each
+ incoming 1-character segment generates three return
+ segments: (1) the acknowledgment, (2) a one byte
+ increase in the window, and (3) the echoed character,
+ respectively.
+
+ 4.2.2.15 Retransmission Timeout: RFC-793 Section 3.7, page 41
+
+ The algorithm suggested in RFC-793 for calculating the
+ retransmission timeout is now known to be inadequate; see
+ Section 4.2.3.1 below.
+
+ Recent work by Jacobson [TCP:7] on Internet congestion and
+ TCP retransmission stability has produced a transmission
+ algorithm combining "slow start" with "congestion
+ avoidance". A TCP MUST implement this algorithm.
+
+ If a retransmitted packet is identical to the original
+ packet (which implies not only that the data boundaries have
+ not changed, but also that the window and acknowledgment
+ fields of the header have not changed), then the same IP
+ Identification field MAY be used (see Section 3.2.1.5).
+
+ IMPLEMENTATION:
+ Some TCP implementors have chosen to "packetize" the
+ data stream, i.e., to pick segment boundaries when
+
+
+
+Internet Engineering Task Force [Page 90]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ segments are originally sent and to queue these
+ segments in a "retransmission queue" until they are
+ acknowledged. Another design (which may be simpler) is
+ to defer packetizing until each time data is
+ transmitted or retransmitted, so there will be no
+ segment retransmission queue.
+
+ In an implementation with a segment retransmission
+ queue, TCP performance may be enhanced by repacketizing
+ the segments awaiting acknowledgment when the first
+ retransmission timeout occurs. That is, the
+ outstanding segments that fitted would be combined into
+ one maximum-sized segment, with a new IP Identification
+ value. The TCP would then retain this combined segment
+ in the retransmit queue until it was acknowledged.
+ However, if the first two segments in the
+ retransmission queue totalled more than one maximum-
+ sized segment, the TCP would retransmit only the first
+ segment using the original IP Identification field.
+
+ 4.2.2.16 Managing the Window: RFC-793 Section 3.7, page 41
+
+ A TCP receiver SHOULD NOT shrink the window, i.e., move the
+ right window edge to the left. However, a sending TCP MUST
+ be robust against window shrinking, which may cause the
+ "useable window" (see Section 4.2.3.4) to become negative.
+
+ If this happens, the sender SHOULD NOT send new data, but
+ SHOULD retransmit normally the old unacknowledged data
+ between SND.UNA and SND.UNA+SND.WND. The sender MAY also
+ retransmit old data beyond SND.UNA+SND.WND, but SHOULD NOT
+ time out the connection if data beyond the right window edge
+ is not acknowledged. If the window shrinks to zero, the TCP
+ MUST probe it in the standard way (see next Section).
+
+ DISCUSSION:
+ Many TCP implementations become confused if the window
+ shrinks from the right after data has been sent into a
+ larger window. Note that TCP has a heuristic to select
+ the latest window update despite possible datagram
+ reordering; as a result, it may ignore a window update
+ with a smaller window than previously offered if
+ neither the sequence number nor the acknowledgment
+ number is increased.
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 91]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ 4.2.2.17 Probing Zero Windows: RFC-793 Section 3.7, page 42
+
+ Probing of zero (offered) windows MUST be supported.
+
+ A TCP MAY keep its offered receive window closed
+ indefinitely. As long as the receiving TCP continues to
+ send acknowledgments in response to the probe segments, the
+ sending TCP MUST allow the connection to stay open.
+
+ DISCUSSION:
+ It is extremely important to remember that ACK
+ (acknowledgment) segments that contain no data are not
+ reliably transmitted by TCP. If zero window probing is
+ not supported, a connection may hang forever when an
+ ACK segment that re-opens the window is lost.
+
+ The delay in opening a zero window generally occurs
+ when the receiving application stops taking data from
+ its TCP. For example, consider a printer daemon
+ application, stopped because the printer ran out of
+ paper.
+
+ The transmitting host SHOULD send the first zero-window
+ probe when a zero window has existed for the retransmission
+ timeout period (see Section 4.2.2.15), and SHOULD increase
+ exponentially the interval between successive probes.
+
+ DISCUSSION:
+ This procedure minimizes delay if the zero-window
+ condition is due to a lost ACK segment containing a
+ window-opening update. Exponential backoff is
+ recommended, possibly with some maximum interval not
+ specified here. This procedure is similar to that of
+ the retransmission algorithm, and it may be possible to
+ combine the two procedures in the implementation.
+
+ 4.2.2.18 Passive OPEN Calls: RFC-793 Section 3.8
+
+ Every passive OPEN call either creates a new connection
+ record in LISTEN state, or it returns an error; it MUST NOT
+ affect any previously created connection record.
+
+ A TCP that supports multiple concurrent users MUST provide
+ an OPEN call that will functionally allow an application to
+ LISTEN on a port while a connection block with the same
+ local port is in SYN-SENT or SYN-RECEIVED state.
+
+ DISCUSSION:
+
+
+
+Internet Engineering Task Force [Page 92]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ Some applications (e.g., SMTP servers) may need to
+ handle multiple connection attempts at about the same
+ time. The probability of a connection attempt failing
+ is reduced by giving the application some means of
+ listening for a new connection at the same time that an
+ earlier connection attempt is going through the three-
+ way handshake.
+
+ IMPLEMENTATION:
+ Acceptable implementations of concurrent opens may
+ permit multiple passive OPEN calls, or they may allow
+ "cloning" of LISTEN-state connections from a single
+ passive OPEN call.
+
+ 4.2.2.19 Time to Live: RFC-793 Section 3.9, page 52
+
+ RFC-793 specified that TCP was to request the IP layer to
+ send TCP segments with TTL = 60. This is obsolete; the TTL
+ value used to send TCP segments MUST be configurable. See
+ Section 3.2.1.7 for discussion.
+
+ 4.2.2.20 Event Processing: RFC-793 Section 3.9
+
+ While it is not strictly required, a TCP SHOULD be capable
+ of queueing out-of-order TCP segments. Change the "may" in
+ the last sentence of the first paragraph on page 70 to
+ "should".
+
+ DISCUSSION:
+ Some small-host implementations have omitted segment
+ queueing because of limited buffer space. This
+ omission may be expected to adversely affect TCP
+ throughput, since loss of a single segment causes all
+ later segments to appear to be "out of sequence".
+
+ In general, the processing of received segments MUST be
+ implemented to aggregate ACK segments whenever possible.
+ For example, if the TCP is processing a series of queued
+ segments, it MUST process them all before sending any ACK
+ segments.
+
+ Here are some detailed error corrections and notes on the
+ Event Processing section of RFC-793.
+
+ (a) CLOSE Call, CLOSE-WAIT state, p. 61: enter LAST-ACK
+ state, not CLOSING.
+
+ (b) LISTEN state, check for SYN (pp. 65, 66): With a SYN
+
+
+
+Internet Engineering Task Force [Page 93]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ bit, if the security/compartment or the precedence is
+ wrong for the segment, a reset is sent. The wrong form
+ of reset is shown in the text; it should be:
+
+ <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
+
+
+ (c) SYN-SENT state, Check for SYN, p. 68: When the
+ connection enters ESTABLISHED state, the following
+ variables must be set:
+ SND.WND <- SEG.WND
+ SND.WL1 <- SEG.SEQ
+ SND.WL2 <- SEG.ACK
+
+
+ (d) Check security and precedence, p. 71: The first heading
+ "ESTABLISHED STATE" should really be a list of all
+ states other than SYN-RECEIVED: ESTABLISHED, FIN-WAIT-
+ 1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, and
+ TIME-WAIT.
+
+ (e) Check SYN bit, p. 71: "In SYN-RECEIVED state and if
+ the connection was initiated with a passive OPEN, then
+ return this connection to the LISTEN state and return.
+ Otherwise...".
+
+ (f) Check ACK field, SYN-RECEIVED state, p. 72: When the
+ connection enters ESTABLISHED state, the variables
+ listed in (c) must be set.
+
+ (g) Check ACK field, ESTABLISHED state, p. 72: The ACK is a
+ duplicate if SEG.ACK =< SND.UNA (the = was omitted).
+ Similarly, the window should be updated if: SND.UNA =<
+ SEG.ACK =< SND.NXT.
+
+ (h) USER TIMEOUT, p. 77:
+
+ It would be better to notify the application of the
+ timeout rather than letting TCP force the connection
+ closed. However, see also Section 4.2.3.5.
+
+
+ 4.2.2.21 Acknowledging Queued Segments: RFC-793 Section 3.9
+
+ A TCP MAY send an ACK segment acknowledging RCV.NXT when a
+ valid segment arrives that is in the window but not at the
+ left window edge.
+
+
+
+
+Internet Engineering Task Force [Page 94]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ DISCUSSION:
+ RFC-793 (see page 74) was ambiguous about whether or
+ not an ACK segment should be sent when an out-of-order
+ segment was received, i.e., when SEG.SEQ was unequal to
+ RCV.NXT.
+
+ One reason for ACKing out-of-order segments might be to
+ support an experimental algorithm known as "fast
+ retransmit". With this algorithm, the sender uses the
+ "redundant" ACK's to deduce that a segment has been
+ lost before the retransmission timer has expired. It
+ counts the number of times an ACK has been received
+ with the same value of SEG.ACK and with the same right
+ window edge. If more than a threshold number of such
+ ACK's is received, then the segment containing the
+ octets starting at SEG.ACK is assumed to have been lost
+ and is retransmitted, without awaiting a timeout. The
+ threshold is chosen to compensate for the maximum
+ likely segment reordering in the Internet. There is
+ not yet enough experience with the fast retransmit
+ algorithm to determine how useful it is.
+
+ 4.2.3 SPECIFIC ISSUES
+
+ 4.2.3.1 Retransmission Timeout Calculation
+
+ A host TCP MUST implement Karn's algorithm and Jacobson's
+ algorithm for computing the retransmission timeout ("RTO").
+
+ o Jacobson's algorithm for computing the smoothed round-
+ trip ("RTT") time incorporates a simple measure of the
+ variance [TCP:7].
+
+ o Karn's algorithm for selecting RTT measurements ensures
+ that ambiguous round-trip times will not corrupt the
+ calculation of the smoothed round-trip time [TCP:6].
+
+ This implementation also MUST include "exponential backoff"
+ for successive RTO values for the same segment.
+ Retransmission of SYN segments SHOULD use the same algorithm
+ as data segments.
+
+ DISCUSSION:
+ There were two known problems with the RTO calculations
+ specified in RFC-793. First, the accurate measurement
+ of RTTs is difficult when there are retransmissions.
+ Second, the algorithm to compute the smoothed round-
+ trip time is inadequate [TCP:7], because it incorrectly
+
+
+
+Internet Engineering Task Force [Page 95]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ assumed that the variance in RTT values would be small
+ and constant. These problems were solved by Karn's and
+ Jacobson's algorithm, respectively.
+
+ The performance increase resulting from the use of
+ these improvements varies from noticeable to dramatic.
+ Jacobson's algorithm for incorporating the measured RTT
+ variance is especially important on a low-speed link,
+ where the natural variation of packet sizes causes a
+ large variation in RTT. One vendor found link
+ utilization on a 9.6kb line went from 10% to 90% as a
+ result of implementing Jacobson's variance algorithm in
+ TCP.
+
+ The following values SHOULD be used to initialize the
+ estimation parameters for a new connection:
+
+ (a) RTT = 0 seconds.
+
+ (b) RTO = 3 seconds. (The smoothed variance is to be
+ initialized to the value that will result in this RTO).
+
+ The recommended upper and lower bounds on the RTO are known
+ to be inadequate on large internets. The lower bound SHOULD
+ be measured in fractions of a second (to accommodate high
+ speed LANs) and the upper bound should be 2*MSL, i.e., 240
+ seconds.
+
+ DISCUSSION:
+ Experience has shown that these initialization values
+ are reasonable, and that in any case the Karn and
+ Jacobson algorithms make TCP behavior reasonably
+ insensitive to the initial parameter choices.
+
+ 4.2.3.2 When to Send an ACK Segment
+
+ A host that is receiving a stream of TCP data segments can
+ increase efficiency in both the Internet and the hosts by
+ sending fewer than one ACK (acknowledgment) segment per data
+ segment received; this is known as a "delayed ACK" [TCP:5].
+
+ A TCP SHOULD implement a delayed ACK, but an ACK should not
+ be excessively delayed; in particular, the delay MUST be
+ less than 0.5 seconds, and in a stream of full-sized
+ segments there SHOULD be an ACK for at least every second
+ segment.
+
+ DISCUSSION:
+
+
+
+Internet Engineering Task Force [Page 96]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ A delayed ACK gives the application an opportunity to
+ update the window and perhaps to send an immediate
+ response. In particular, in the case of character-mode
+ remote login, a delayed ACK can reduce the number of
+ segments sent by the server by a factor of 3 (ACK,
+ window update, and echo character all combined in one
+ segment).
+
+ In addition, on some large multi-user hosts, a delayed
+ ACK can substantially reduce protocol processing
+ overhead by reducing the total number of packets to be
+ processed [TCP:5]. However, excessive delays on ACK's
+ can disturb the round-trip timing and packet "clocking"
+ algorithms [TCP:7].
+
+ 4.2.3.3 When to Send a Window Update
+
+ A TCP MUST include a SWS avoidance algorithm in the receiver
+ [TCP:5].
+
+ IMPLEMENTATION:
+ The receiver's SWS avoidance algorithm determines when
+ the right window edge may be advanced; this is
+ customarily known as "updating the window". This
+ algorithm combines with the delayed ACK algorithm (see
+ Section 4.2.3.2) to determine when an ACK segment
+ containing the current window will really be sent to
+ the receiver. We use the notation of RFC-793; see
+ Figures 4 and 5 in that document.
+
+ The solution to receiver SWS is to avoid advancing the
+ right window edge RCV.NXT+RCV.WND in small increments,
+ even if data is received from the network in small
+ segments.
+
+ Suppose the total receive buffer space is RCV.BUFF. At
+ any given moment, RCV.USER octets of this total may be
+ tied up with data that has been received and
+ acknowledged but which the user process has not yet
+ consumed. When the connection is quiescent, RCV.WND =
+ RCV.BUFF and RCV.USER = 0.
+
+ Keeping the right window edge fixed as data arrives and
+ is acknowledged requires that the receiver offer less
+ than its full buffer space, i.e., the receiver must
+ specify a RCV.WND that keeps RCV.NXT+RCV.WND constant
+ as RCV.NXT increases. Thus, the total buffer space
+ RCV.BUFF is generally divided into three parts:
+
+
+
+Internet Engineering Task Force [Page 97]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+
+ |<------- RCV.BUFF ---------------->|
+ 1 2 3
+ ----|---------|------------------|------|----
+ RCV.NXT ^
+ (Fixed)
+
+ 1 - RCV.USER = data received but not yet consumed;
+ 2 - RCV.WND = space advertised to sender;
+ 3 - Reduction = space available but not yet
+ advertised.
+
+
+ The suggested SWS avoidance algorithm for the receiver
+ is to keep RCV.NXT+RCV.WND fixed until the reduction
+ satisfies:
+
+ RCV.BUFF - RCV.USER - RCV.WND >=
+
+ min( Fr * RCV.BUFF, Eff.snd.MSS )
+
+ where Fr is a fraction whose recommended value is 1/2,
+ and Eff.snd.MSS is the effective send MSS for the
+ connection (see Section 4.2.2.6). When the inequality
+ is satisfied, RCV.WND is set to RCV.BUFF-RCV.USER.
+
+ Note that the general effect of this algorithm is to
+ advance RCV.WND in increments of Eff.snd.MSS (for
+ realistic receive buffers: Eff.snd.MSS < RCV.BUFF/2).
+ Note also that the receiver must use its own
+ Eff.snd.MSS, assuming it is the same as the sender's.
+
+ 4.2.3.4 When to Send Data
+
+ A TCP MUST include a SWS avoidance algorithm in the sender.
+
+ A TCP SHOULD implement the Nagle Algorithm [TCP:9] to
+ coalesce short segments. However, there MUST be a way for
+ an application to disable the Nagle algorithm on an
+ individual connection. In all cases, sending data is also
+ subject to the limitation imposed by the Slow Start
+ algorithm (Section 4.2.2.15).
+
+ DISCUSSION:
+ The Nagle algorithm is generally as follows:
+
+ If there is unacknowledged data (i.e., SND.NXT >
+ SND.UNA), then the sending TCP buffers all user
+
+
+
+Internet Engineering Task Force [Page 98]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ data (regardless of the PSH bit), until the
+ outstanding data has been acknowledged or until
+ the TCP can send a full-sized segment (Eff.snd.MSS
+ bytes; see Section 4.2.2.6).
+
+ Some applications (e.g., real-time display window
+ updates) require that the Nagle algorithm be turned
+ off, so small data segments can be streamed out at the
+ maximum rate.
+
+ IMPLEMENTATION:
+ The sender's SWS avoidance algorithm is more difficult
+ than the receivers's, because the sender does not know
+ (directly) the receiver's total buffer space RCV.BUFF.
+ An approach which has been found to work well is for
+ the sender to calculate Max(SND.WND), the maximum send
+ window it has seen so far on the connection, and to use
+ this value as an estimate of RCV.BUFF. Unfortunately,
+ this can only be an estimate; the receiver may at any
+ time reduce the size of RCV.BUFF. To avoid a resulting
+ deadlock, it is necessary to have a timeout to force
+ transmission of data, overriding the SWS avoidance
+ algorithm. In practice, this timeout should seldom
+ occur.
+
+ The "useable window" [TCP:5] is:
+
+ U = SND.UNA + SND.WND - SND.NXT
+
+ i.e., the offered window less the amount of data sent
+ but not acknowledged. If D is the amount of data
+ queued in the sending TCP but not yet sent, then the
+ following set of rules is recommended.
+
+ Send data:
+
+ (1) if a maximum-sized segment can be sent, i.e, if:
+
+ min(D,U) >= Eff.snd.MSS;
+
+
+ (2) or if the data is pushed and all queued data can
+ be sent now, i.e., if:
+
+ [SND.NXT = SND.UNA and] PUSHED and D <= U
+
+ (the bracketed condition is imposed by the Nagle
+ algorithm);
+
+
+
+Internet Engineering Task Force [Page 99]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ (3) or if at least a fraction Fs of the maximum window
+ can be sent, i.e., if:
+
+ [SND.NXT = SND.UNA and]
+
+ min(D.U) >= Fs * Max(SND.WND);
+
+
+ (4) or if data is PUSHed and the override timeout
+ occurs.
+
+ Here Fs is a fraction whose recommended value is 1/2.
+ The override timeout should be in the range 0.1 - 1.0
+ seconds. It may be convenient to combine this timer
+ with the timer used to probe zero windows (Section
+ 4.2.2.17).
+
+ Finally, note that the SWS avoidance algorithm just
+ specified is to be used instead of the sender-side
+ algorithm contained in [TCP:5].
+
+ 4.2.3.5 TCP Connection Failures
+
+ Excessive retransmission of the same segment by TCP
+ indicates some failure of the remote host or the Internet
+ path. This failure may be of short or long duration. The
+ following procedure MUST be used to handle excessive
+ retransmissions of data segments [IP:11]:
+
+ (a) There are two thresholds R1 and R2 measuring the amount
+ of retransmission that has occurred for the same
+ segment. R1 and R2 might be measured in time units or
+ as a count of retransmissions.
+
+ (b) When the number of transmissions of the same segment
+ reaches or exceeds threshold R1, pass negative advice
+ (see Section 3.3.1.4) to the IP layer, to trigger
+ dead-gateway diagnosis.
+
+ (c) When the number of transmissions of the same segment
+ reaches a threshold R2 greater than R1, close the
+ connection.
+
+ (d) An application MUST be able to set the value for R2 for
+ a particular connection. For example, an interactive
+ application might set R2 to "infinity," giving the user
+ control over when to disconnect.
+
+
+
+
+Internet Engineering Task Force [Page 100]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ (d) TCP SHOULD inform the application of the delivery
+ problem (unless such information has been disabled by
+ the application; see Section 4.2.4.1), when R1 is
+ reached and before R2. This will allow a remote login
+ (User Telnet) application program to inform the user,
+ for example.
+
+ The value of R1 SHOULD correspond to at least 3
+ retransmissions, at the current RTO. The value of R2 SHOULD
+ correspond to at least 100 seconds.
+
+ An attempt to open a TCP connection could fail with
+ excessive retransmissions of the SYN segment or by receipt
+ of a RST segment or an ICMP Port Unreachable. SYN
+ retransmissions MUST be handled in the general way just
+ described for data retransmissions, including notification
+ of the application layer.
+
+ However, the values of R1 and R2 may be different for SYN
+ and data segments. In particular, R2 for a SYN segment MUST
+ be set large enough to provide retransmission of the segment
+ for at least 3 minutes. The application can close the
+ connection (i.e., give up on the open attempt) sooner, of
+ course.
+
+ DISCUSSION:
+ Some Internet paths have significant setup times, and
+ the number of such paths is likely to increase in the
+ future.
+
+ 4.2.3.6 TCP Keep-Alives
+
+ Implementors MAY include "keep-alives" in their TCP
+ implementations, although this practice is not universally
+ accepted. If keep-alives are included, the application MUST
+ be able to turn them on or off for each TCP connection, and
+ they MUST default to off.
+
+ Keep-alive packets MUST only be sent when no data or
+ acknowledgement packets have been received for the
+ connection within an interval. This interval MUST be
+ configurable and MUST default to no less than two hours.
+
+ It is extremely important to remember that ACK segments that
+ contain no data are not reliably transmitted by TCP.
+ Consequently, if a keep-alive mechanism is implemented it
+ MUST NOT interpret failure to respond to any specific probe
+ as a dead connection.
+
+
+
+Internet Engineering Task Force [Page 101]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ An implementation SHOULD send a keep-alive segment with no
+ data; however, it MAY be configurable to send a keep-alive
+ segment containing one garbage octet, for compatibility with
+ erroneous TCP implementations.
+
+ DISCUSSION:
+ A "keep-alive" mechanism periodically probes the other
+ end of a connection when the connection is otherwise
+ idle, even when there is no data to be sent. The TCP
+ specification does not include a keep-alive mechanism
+ because it could: (1) cause perfectly good connections
+ to break during transient Internet failures; (2)
+ consume unnecessary bandwidth ("if no one is using the
+ connection, who cares if it is still good?"); and (3)
+ cost money for an Internet path that charges for
+ packets.
+
+ Some TCP implementations, however, have included a
+ keep-alive mechanism. To confirm that an idle
+ connection is still active, these implementations send
+ a probe segment designed to elicit a response from the
+ peer TCP. Such a segment generally contains SEG.SEQ =
+ SND.NXT-1 and may or may not contain one garbage octet
+ of data. Note that on a quiet connection SND.NXT =
+ RCV.NXT, so that this SEG.SEQ will be outside the
+ window. Therefore, the probe causes the receiver to
+ return an acknowledgment segment, confirming that the
+ connection is still live. If the peer has dropped the
+ connection due to a network partition or a crash, it
+ will respond with a RST instead of an acknowledgment
+ segment.
+
+ Unfortunately, some misbehaved TCP implementations fail
+ to respond to a segment with SEG.SEQ = SND.NXT-1 unless
+ the segment contains data. Alternatively, an
+ implementation could determine whether a peer responded
+ correctly to keep-alive packets with no garbage data
+ octet.
+
+ A TCP keep-alive mechanism should only be invoked in
+ server applications that might otherwise hang
+ indefinitely and consume resources unnecessarily if a
+ client crashes or aborts a connection during a network
+ failure.
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 102]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ 4.2.3.7 TCP Multihoming
+
+ If an application on a multihomed host does not specify the
+ local IP address when actively opening a TCP connection,
+ then the TCP MUST ask the IP layer to select a local IP
+ address before sending the (first) SYN. See the function
+ GET_SRCADDR() in Section 3.4.
+
+ At all other times, a previous segment has either been sent
+ or received on this connection, and TCP MUST use the same
+ local address is used that was used in those previous
+ segments.
+
+ 4.2.3.8 IP Options
+
+ When received options are passed up to TCP from the IP
+ layer, TCP MUST ignore options that it does not understand.
+
+ A TCP MAY support the Time Stamp and Record Route options.
+
+ An application MUST be able to specify a source route when
+ it actively opens a TCP connection, and this MUST take
+ precedence over a source route received in a datagram.
+
+ When a TCP connection is OPENed passively and a packet
+ arrives with a completed IP Source Route option (containing
+ a return route), TCP MUST save the return route and use it
+ for all segments sent on this connection. If a different
+ source route arrives in a later segment, the later
+ definition SHOULD override the earlier one.
+
+ 4.2.3.9 ICMP Messages
+
+ TCP MUST act on an ICMP error message passed up from the IP
+ layer, directing it to the connection that created the
+ error. The necessary demultiplexing information can be
+ found in the IP header contained within the ICMP message.
+
+ o Source Quench
+
+ TCP MUST react to a Source Quench by slowing
+ transmission on the connection. The RECOMMENDED
+ procedure is for a Source Quench to trigger a "slow
+ start," as if a retransmission timeout had occurred.
+
+ o Destination Unreachable -- codes 0, 1, 5
+
+ Since these Unreachable messages indicate soft error
+
+
+
+Internet Engineering Task Force [Page 103]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ conditions, TCP MUST NOT abort the connection, and it
+ SHOULD make the information available to the
+ application.
+
+ DISCUSSION:
+ TCP could report the soft error condition directly
+ to the application layer with an upcall to the
+ ERROR_REPORT routine, or it could merely note the
+ message and report it to the application only when
+ and if the TCP connection times out.
+
+ o Destination Unreachable -- codes 2-4
+
+ These are hard error conditions, so TCP SHOULD abort
+ the connection.
+
+ o Time Exceeded -- codes 0, 1
+
+ This should be handled the same way as Destination
+ Unreachable codes 0, 1, 5 (see above).
+
+ o Parameter Problem
+
+ This should be handled the same way as Destination
+ Unreachable codes 0, 1, 5 (see above).
+
+
+ 4.2.3.10 Remote Address Validation
+
+ A TCP implementation MUST reject as an error a local OPEN
+ call for an invalid remote IP address (e.g., a broadcast or
+ multicast address).
+
+ An incoming SYN with an invalid source address must be
+ ignored either by TCP or by the IP layer (see Section
+ 3.2.1.3).
+
+ A TCP implementation MUST silently discard an incoming SYN
+ segment that is addressed to a broadcast or multicast
+ address.
+
+ 4.2.3.11 TCP Traffic Patterns
+
+ IMPLEMENTATION:
+ The TCP protocol specification [TCP:1] gives the
+ implementor much freedom in designing the algorithms
+ that control the message flow over the connection --
+ packetizing, managing the window, sending
+
+
+
+Internet Engineering Task Force [Page 104]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ acknowledgments, etc. These design decisions are
+ difficult because a TCP must adapt to a wide range of
+ traffic patterns. Experience has shown that a TCP
+ implementor needs to verify the design on two extreme
+ traffic patterns:
+
+ o Single-character Segments
+
+ Even if the sender is using the Nagle Algorithm,
+ when a TCP connection carries remote login traffic
+ across a low-delay LAN the receiver will generally
+ get a stream of single-character segments. If
+ remote terminal echo mode is in effect, the
+ receiver's system will generally echo each
+ character as it is received.
+
+ o Bulk Transfer
+
+ When TCP is used for bulk transfer, the data
+ stream should be made up (almost) entirely of
+ segments of the size of the effective MSS.
+ Although TCP uses a sequence number space with
+ byte (octet) granularity, in bulk-transfer mode
+ its operation should be as if TCP used a sequence
+ space that counted only segments.
+
+ Experience has furthermore shown that a single TCP can
+ effectively and efficiently handle these two extremes.
+
+ The most important tool for verifying a new TCP
+ implementation is a packet trace program. There is a
+ large volume of experience showing the importance of
+ tracing a variety of traffic patterns with other TCP
+ implementations and studying the results carefully.
+
+
+ 4.2.3.12 Efficiency
+
+ IMPLEMENTATION:
+ Extensive experience has led to the following
+ suggestions for efficient implementation of TCP:
+
+ (a) Don't Copy Data
+
+ In bulk data transfer, the primary CPU-intensive
+ tasks are copying data from one place to another
+ and checksumming the data. It is vital to
+ minimize the number of copies of TCP data. Since
+
+
+
+Internet Engineering Task Force [Page 105]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ the ultimate speed limitation may be fetching data
+ across the memory bus, it may be useful to combine
+ the copy with checksumming, doing both with a
+ single memory fetch.
+
+ (b) Hand-Craft the Checksum Routine
+
+ A good TCP checksumming routine is typically two
+ to five times faster than a simple and direct
+ implementation of the definition. Great care and
+ clever coding are often required and advisable to
+ make the checksumming code "blazing fast". See
+ [TCP:10].
+
+ (c) Code for the Common Case
+
+ TCP protocol processing can be complicated, but
+ for most segments there are only a few simple
+ decisions to be made. Per-segment processing will
+ be greatly speeded up by coding the main line to
+ minimize the number of decisions in the most
+ common case.
+
+
+ 4.2.4 TCP/APPLICATION LAYER INTERFACE
+
+ 4.2.4.1 Asynchronous Reports
+
+ There MUST be a mechanism for reporting soft TCP error
+ conditions to the application. Generically, we assume this
+ takes the form of an application-supplied ERROR_REPORT
+ routine that may be upcalled [INTRO:7] asynchronously from
+ the transport layer:
+
+ ERROR_REPORT(local connection name, reason, subreason)
+
+ The precise encoding of the reason and subreason parameters
+ is not specified here. However, the conditions that are
+ reported asynchronously to the application MUST include:
+
+ * ICMP error message arrived (see 4.2.3.9)
+
+ * Excessive retransmissions (see 4.2.3.5)
+
+ * Urgent pointer advance (see 4.2.2.4).
+
+ However, an application program that does not want to
+ receive such ERROR_REPORT calls SHOULD be able to
+
+
+
+Internet Engineering Task Force [Page 106]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ effectively disable these calls.
+
+ DISCUSSION:
+ These error reports generally reflect soft errors that
+ can be ignored without harm by many applications. It
+ has been suggested that these error report calls should
+ default to "disabled," but this is not required.
+
+ 4.2.4.2 Type-of-Service
+
+ The application layer MUST be able to specify the Type-of-
+ Service (TOS) for segments that are sent on a connection.
+ It not required, but the application SHOULD be able to
+ change the TOS during the connection lifetime. TCP SHOULD
+ pass the current TOS value without change to the IP layer,
+ when it sends segments on the connection.
+
+ The TOS will be specified independently in each direction on
+ the connection, so that the receiver application will
+ specify the TOS used for ACK segments.
+
+ TCP MAY pass the most recently received TOS up to the
+ application.
+
+ DISCUSSION
+ Some applications (e.g., SMTP) change the nature of
+ their communication during the lifetime of a
+ connection, and therefore would like to change the TOS
+ specification.
+
+ Note also that the OPEN call specified in RFC-793
+ includes a parameter ("options") in which the caller
+ can specify IP options such as source route, record
+ route, or timestamp.
+
+ 4.2.4.3 Flush Call
+
+ Some TCP implementations have included a FLUSH call, which
+ will empty the TCP send queue of any data for which the user
+ has issued SEND calls but which is still to the right of the
+ current send window. That is, it flushes as much queued
+ send data as possible without losing sequence number
+ synchronization. This is useful for implementing the "abort
+ output" function of Telnet.
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 107]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ 4.2.4.4 Multihoming
+
+ The user interface outlined in sections 2.7 and 3.8 of RFC-
+ 793 needs to be extended for multihoming. The OPEN call
+ MUST have an optional parameter:
+
+ OPEN( ... [local IP address,] ... )
+
+ to allow the specification of the local IP address.
+
+ DISCUSSION:
+ Some TCP-based applications need to specify the local
+ IP address to be used to open a particular connection;
+ FTP is an example.
+
+ IMPLEMENTATION:
+ A passive OPEN call with a specified "local IP address"
+ parameter will await an incoming connection request to
+ that address. If the parameter is unspecified, a
+ passive OPEN will await an incoming connection request
+ to any local IP address, and then bind the local IP
+ address of the connection to the particular address
+ that is used.
+
+ For an active OPEN call, a specified "local IP address"
+ parameter will be used for opening the connection. If
+ the parameter is unspecified, the networking software
+ will choose an appropriate local IP address (see
+ Section 3.3.4.2) for the connection
+
+ 4.2.5 TCP REQUIREMENT SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------------|--------|-|-|-|-|-|--
+ | | | | | | |
+Push flag | | | | | | |
+ Aggregate or queue un-pushed data |4.2.2.2 | | |x| | |
+ Sender collapse successive PSH flags |4.2.2.2 | |x| | | |
+ SEND call can specify PUSH |4.2.2.2 | | |x| | |
+
+
+
+Internet Engineering Task Force [Page 108]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ If cannot: sender buffer indefinitely |4.2.2.2 | | | | |x|
+ If cannot: PSH last segment |4.2.2.2 |x| | | | |
+ Notify receiving ALP of PSH |4.2.2.2 | | |x| | |1
+ Send max size segment when possible |4.2.2.2 | |x| | | |
+ | | | | | | |
+Window | | | | | | |
+ Treat as unsigned number |4.2.2.3 |x| | | | |
+ Handle as 32-bit number |4.2.2.3 | |x| | | |
+ Shrink window from right |4.2.2.16| | | |x| |
+ Robust against shrinking window |4.2.2.16|x| | | | |
+ Receiver's window closed indefinitely |4.2.2.17| | |x| | |
+ Sender probe zero window |4.2.2.17|x| | | | |
+ First probe after RTO |4.2.2.17| |x| | | |
+ Exponential backoff |4.2.2.17| |x| | | |
+ Allow window stay zero indefinitely |4.2.2.17|x| | | | |
+ Sender timeout OK conn with zero wind |4.2.2.17| | | | |x|
+ | | | | | | |
+Urgent Data | | | | | | |
+ Pointer points to last octet |4.2.2.4 |x| | | | |
+ Arbitrary length urgent data sequence |4.2.2.4 |x| | | | |
+ Inform ALP asynchronously of urgent data |4.2.2.4 |x| | | | |1
+ ALP can learn if/how much urgent data Q'd |4.2.2.4 |x| | | | |1
+ | | | | | | |
+TCP Options | | | | | | |
+ Receive TCP option in any segment |4.2.2.5 |x| | | | |
+ Ignore unsupported options |4.2.2.5 |x| | | | |
+ Cope with illegal option length |4.2.2.5 |x| | | | |
+ Implement sending & receiving MSS option |4.2.2.6 |x| | | | |
+ Send MSS option unless 536 |4.2.2.6 | |x| | | |
+ Send MSS option always |4.2.2.6 | | |x| | |
+ Send-MSS default is 536 |4.2.2.6 |x| | | | |
+ Calculate effective send seg size |4.2.2.6 |x| | | | |
+ | | | | | | |
+TCP Checksums | | | | | | |
+ Sender compute checksum |4.2.2.7 |x| | | | |
+ Receiver check checksum |4.2.2.7 |x| | | | |
+ | | | | | | |
+Use clock-driven ISN selection |4.2.2.9 |x| | | | |
+ | | | | | | |
+Opening Connections | | | | | | |
+ Support simultaneous open attempts |4.2.2.10|x| | | | |
+ SYN-RCVD remembers last state |4.2.2.11|x| | | | |
+ Passive Open call interfere with others |4.2.2.18| | | | |x|
+ Function: simultan. LISTENs for same port |4.2.2.18|x| | | | |
+ Ask IP for src address for SYN if necc. |4.2.3.7 |x| | | | |
+ Otherwise, use local addr of conn. |4.2.3.7 |x| | | | |
+ OPEN to broadcast/multicast IP Address |4.2.3.14| | | | |x|
+ Silently discard seg to bcast/mcast addr |4.2.3.14|x| | | | |
+
+
+
+Internet Engineering Task Force [Page 109]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ | | | | | | |
+Closing Connections | | | | | | |
+ RST can contain data |4.2.2.12| |x| | | |
+ Inform application of aborted conn |4.2.2.13|x| | | | |
+ Half-duplex close connections |4.2.2.13| | |x| | |
+ Send RST to indicate data lost |4.2.2.13| |x| | | |
+ In TIME-WAIT state for 2xMSL seconds |4.2.2.13|x| | | | |
+ Accept SYN from TIME-WAIT state |4.2.2.13| | |x| | |
+ | | | | | | |
+Retransmissions | | | | | | |
+ Jacobson Slow Start algorithm |4.2.2.15|x| | | | |
+ Jacobson Congestion-Avoidance algorithm |4.2.2.15|x| | | | |
+ Retransmit with same IP ident |4.2.2.15| | |x| | |
+ Karn's algorithm |4.2.3.1 |x| | | | |
+ Jacobson's RTO estimation alg. |4.2.3.1 |x| | | | |
+ Exponential backoff |4.2.3.1 |x| | | | |
+ SYN RTO calc same as data |4.2.3.1 | |x| | | |
+ Recommended initial values and bounds |4.2.3.1 | |x| | | |
+ | | | | | | |
+Generating ACK's: | | | | | | |
+ Queue out-of-order segments |4.2.2.20| |x| | | |
+ Process all Q'd before send ACK |4.2.2.20|x| | | | |
+ Send ACK for out-of-order segment |4.2.2.21| | |x| | |
+ Delayed ACK's |4.2.3.2 | |x| | | |
+ Delay < 0.5 seconds |4.2.3.2 |x| | | | |
+ Every 2nd full-sized segment ACK'd |4.2.3.2 |x| | | | |
+ Receiver SWS-Avoidance Algorithm |4.2.3.3 |x| | | | |
+ | | | | | | |
+Sending data | | | | | | |
+ Configurable TTL |4.2.2.19|x| | | | |
+ Sender SWS-Avoidance Algorithm |4.2.3.4 |x| | | | |
+ Nagle algorithm |4.2.3.4 | |x| | | |
+ Application can disable Nagle algorithm |4.2.3.4 |x| | | | |
+ | | | | | | |
+Connection Failures: | | | | | | |
+ Negative advice to IP on R1 retxs |4.2.3.5 |x| | | | |
+ Close connection on R2 retxs |4.2.3.5 |x| | | | |
+ ALP can set R2 |4.2.3.5 |x| | | | |1
+ Inform ALP of R1<=retxs<R2 |4.2.3.5 | |x| | | |1
+ Recommended values for R1, R2 |4.2.3.5 | |x| | | |
+ Same mechanism for SYNs |4.2.3.5 |x| | | | |
+ R2 at least 3 minutes for SYN |4.2.3.5 |x| | | | |
+ | | | | | | |
+Send Keep-alive Packets: |4.2.3.6 | | |x| | |
+ - Application can request |4.2.3.6 |x| | | | |
+ - Default is "off" |4.2.3.6 |x| | | | |
+ - Only send if idle for interval |4.2.3.6 |x| | | | |
+ - Interval configurable |4.2.3.6 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 110]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ - Default at least 2 hrs. |4.2.3.6 |x| | | | |
+ - Tolerant of lost ACK's |4.2.3.6 |x| | | | |
+ | | | | | | |
+IP Options | | | | | | |
+ Ignore options TCP doesn't understand |4.2.3.8 |x| | | | |
+ Time Stamp support |4.2.3.8 | | |x| | |
+ Record Route support |4.2.3.8 | | |x| | |
+ Source Route: | | | | | | |
+ ALP can specify |4.2.3.8 |x| | | | |1
+ Overrides src rt in datagram |4.2.3.8 |x| | | | |
+ Build return route from src rt |4.2.3.8 |x| | | | |
+ Later src route overrides |4.2.3.8 | |x| | | |
+ | | | | | | |
+Receiving ICMP Messages from IP |4.2.3.9 |x| | | | |
+ Dest. Unreach (0,1,5) => inform ALP |4.2.3.9 | |x| | | |
+ Dest. Unreach (0,1,5) => abort conn |4.2.3.9 | | | | |x|
+ Dest. Unreach (2-4) => abort conn |4.2.3.9 | |x| | | |
+ Source Quench => slow start |4.2.3.9 | |x| | | |
+ Time Exceeded => tell ALP, don't abort |4.2.3.9 | |x| | | |
+ Param Problem => tell ALP, don't abort |4.2.3.9 | |x| | | |
+ | | | | | | |
+Address Validation | | | | | | |
+ Reject OPEN call to invalid IP address |4.2.3.10|x| | | | |
+ Reject SYN from invalid IP address |4.2.3.10|x| | | | |
+ Silently discard SYN to bcast/mcast addr |4.2.3.10|x| | | | |
+ | | | | | | |
+TCP/ALP Interface Services | | | | | | |
+ Error Report mechanism |4.2.4.1 |x| | | | |
+ ALP can disable Error Report Routine |4.2.4.1 | |x| | | |
+ ALP can specify TOS for sending |4.2.4.2 |x| | | | |
+ Passed unchanged to IP |4.2.4.2 | |x| | | |
+ ALP can change TOS during connection |4.2.4.2 | |x| | | |
+ Pass received TOS up to ALP |4.2.4.2 | | |x| | |
+ FLUSH call |4.2.4.3 | | |x| | |
+ Optional local IP addr parm. in OPEN |4.2.4.4 |x| | | | |
+-------------------------------------------------|--------|-|-|-|-|-|--
+-------------------------------------------------|--------|-|-|-|-|-|--
+
+FOOTNOTES:
+
+(1) "ALP" means Application-Layer program.
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 111]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+5. REFERENCES
+
+INTRODUCTORY REFERENCES
+
+
+[INTRO:1] "Requirements for Internet Hosts -- Application and Support,"
+ IETF Host Requirements Working Group, R. Braden, Ed., RFC-1123,
+ October 1989.
+
+[INTRO:2] "Requirements for Internet Gateways," R. Braden and J.
+ Postel, RFC-1009, June 1987.
+
+[INTRO:3] "DDN Protocol Handbook," NIC-50004, NIC-50005, NIC-50006,
+ (three volumes), SRI International, December 1985.
+
+[INTRO:4] "Official Internet Protocols," J. Reynolds and J. Postel,
+ RFC-1011, May 1987.
+
+ This document is republished periodically with new RFC numbers; the
+ latest version must be used.
+
+[INTRO:5] "Protocol Document Order Information," O. Jacobsen and J.
+ Postel, RFC-980, March 1986.
+
+[INTRO:6] "Assigned Numbers," J. Reynolds and J. Postel, RFC-1010, May
+ 1987.
+
+ This document is republished periodically with new RFC numbers; the
+ latest version must be used.
+
+[INTRO:7] "Modularity and Efficiency in Protocol Implementations," D.
+ Clark, RFC-817, July 1982.
+
+[INTRO:8] "The Structuring of Systems Using Upcalls," D. Clark, 10th ACM
+ SOSP, Orcas Island, Washington, December 1985.
+
+
+Secondary References:
+
+
+[INTRO:9] "A Protocol for Packet Network Intercommunication," V. Cerf
+ and R. Kahn, IEEE Transactions on Communication, May 1974.
+
+[INTRO:10] "The ARPA Internet Protocol," J. Postel, C. Sunshine, and D.
+ Cohen, Computer Networks, Vol. 5, No. 4, July 1981.
+
+[INTRO:11] "The DARPA Internet Protocol Suite," B. Leiner, J. Postel,
+ R. Cole and D. Mills, Proceedings INFOCOM 85, IEEE, Washington DC,
+
+
+
+Internet Engineering Task Force [Page 112]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ March 1985. Also in: IEEE Communications Magazine, March 1985.
+ Also available as ISI-RS-85-153.
+
+[INTRO:12] "Final Text of DIS8473, Protocol for Providing the
+ Connectionless Mode Network Service," ANSI, published as RFC-994,
+ March 1986.
+
+[INTRO:13] "End System to Intermediate System Routing Exchange
+ Protocol," ANSI X3S3.3, published as RFC-995, April 1986.
+
+
+LINK LAYER REFERENCES
+
+
+[LINK:1] "Trailer Encapsulations," S. Leffler and M. Karels, RFC-893,
+ April 1984.
+
+[LINK:2] "An Ethernet Address Resolution Protocol," D. Plummer, RFC-826,
+ November 1982.
+
+[LINK:3] "A Standard for the Transmission of IP Datagrams over Ethernet
+ Networks," C. Hornig, RFC-894, April 1984.
+
+[LINK:4] "A Standard for the Transmission of IP Datagrams over IEEE 802
+ "Networks," J. Postel and J. Reynolds, RFC-1042, February 1988.
+
+ This RFC contains a great deal of information of importance to
+ Internet implementers planning to use IEEE 802 networks.
+
+
+IP LAYER REFERENCES
+
+
+[IP:1] "Internet Protocol (IP)," J. Postel, RFC-791, September 1981.
+
+[IP:2] "Internet Control Message Protocol (ICMP)," J. Postel, RFC-792,
+ September 1981.
+
+[IP:3] "Internet Standard Subnetting Procedure," J. Mogul and J. Postel,
+ RFC-950, August 1985.
+
+[IP:4] "Host Extensions for IP Multicasting," S. Deering, RFC-1112,
+ August 1989.
+
+[IP:5] "Military Standard Internet Protocol," MIL-STD-1777, Department
+ of Defense, August 1983.
+
+ This specification, as amended by RFC-963, is intended to describe
+
+
+
+Internet Engineering Task Force [Page 113]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+ the Internet Protocol but has some serious omissions (e.g., the
+ mandatory subnet extension [IP:3] and the optional multicasting
+ extension [IP:4]). It is also out of date. If there is a
+ conflict, RFC-791, RFC-792, and RFC-950 must be taken as
+ authoritative, while the present document is authoritative over
+ all.
+
+[IP:6] "Some Problems with the Specification of the Military Standard
+ Internet Protocol," D. Sidhu, RFC-963, November 1985.
+
+[IP:7] "The TCP Maximum Segment Size and Related Topics," J. Postel,
+ RFC-879, November 1983.
+
+ Discusses and clarifies the relationship between the TCP Maximum
+ Segment Size option and the IP datagram size.
+
+[IP:8] "Internet Protocol Security Options," B. Schofield, RFC-1108,
+ October 1989.
+
+[IP:9] "Fragmentation Considered Harmful," C. Kent and J. Mogul, ACM
+ SIGCOMM-87, August 1987. Published as ACM Comp Comm Review, Vol.
+ 17, no. 5.
+
+ This useful paper discusses the problems created by Internet
+ fragmentation and presents alternative solutions.
+
+[IP:10] "IP Datagram Reassembly Algorithms," D. Clark, RFC-815, July
+ 1982.
+
+ This and the following paper should be read by every implementor.
+
+[IP:11] "Fault Isolation and Recovery," D. Clark, RFC-816, July 1982.
+
+SECONDARY IP REFERENCES:
+
+
+[IP:12] "Broadcasting Internet Datagrams in the Presence of Subnets," J.
+ Mogul, RFC-922, October 1984.
+
+[IP:13] "Name, Addresses, Ports, and Routes," D. Clark, RFC-814, July
+ 1982.
+
+[IP:14] "Something a Host Could Do with Source Quench: The Source Quench
+ Introduced Delay (SQUID)," W. Prue and J. Postel, RFC-1016, July
+ 1987.
+
+ This RFC first described directed broadcast addresses. However,
+ the bulk of the RFC is concerned with gateways, not hosts.
+
+
+
+Internet Engineering Task Force [Page 114]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+UDP REFERENCES:
+
+
+[UDP:1] "User Datagram Protocol," J. Postel, RFC-768, August 1980.
+
+
+TCP REFERENCES:
+
+
+[TCP:1] "Transmission Control Protocol," J. Postel, RFC-793, September
+ 1981.
+
+
+[TCP:2] "Transmission Control Protocol," MIL-STD-1778, US Department of
+ Defense, August 1984.
+
+ This specification as amended by RFC-964 is intended to describe
+ the same protocol as RFC-793 [TCP:1]. If there is a conflict,
+ RFC-793 takes precedence, and the present document is authoritative
+ over both.
+
+
+[TCP:3] "Some Problems with the Specification of the Military Standard
+ Transmission Control Protocol," D. Sidhu and T. Blumer, RFC-964,
+ November 1985.
+
+
+[TCP:4] "The TCP Maximum Segment Size and Related Topics," J. Postel,
+ RFC-879, November 1983.
+
+
+[TCP:5] "Window and Acknowledgment Strategy in TCP," D. Clark, RFC-813,
+ July 1982.
+
+
+[TCP:6] "Round Trip Time Estimation," P. Karn & C. Partridge, ACM
+ SIGCOMM-87, August 1987.
+
+
+[TCP:7] "Congestion Avoidance and Control," V. Jacobson, ACM SIGCOMM-88,
+ August 1988.
+
+
+SECONDARY TCP REFERENCES:
+
+
+[TCP:8] "Modularity and Efficiency in Protocol Implementation," D.
+ Clark, RFC-817, July 1982.
+
+
+
+Internet Engineering Task Force [Page 115]
+
+
+
+
+RFC1122 TRANSPORT LAYER -- TCP October 1989
+
+
+[TCP:9] "Congestion Control in IP/TCP," J. Nagle, RFC-896, January 1984.
+
+
+[TCP:10] "Computing the Internet Checksum," R. Braden, D. Borman, and C.
+ Partridge, RFC-1071, September 1988.
+
+
+[TCP:11] "TCP Extensions for Long-Delay Paths," V. Jacobson & R. Braden,
+ RFC-1072, October 1988.
+
+
+Security Considerations
+
+ There are many security issues in the communication layers of host
+ software, but a full discussion is beyond the scope of this RFC.
+
+ The Internet architecture generally provides little protection
+ against spoofing of IP source addresses, so any security mechanism
+ that is based upon verifying the IP source address of a datagram
+ should be treated with suspicion. However, in restricted
+ environments some source-address checking may be possible. For
+ example, there might be a secure LAN whose gateway to the rest of the
+ Internet discarded any incoming datagram with a source address that
+ spoofed the LAN address. In this case, a host on the LAN could use
+ the source address to test for local vs. remote source. This problem
+ is complicated by source routing, and some have suggested that
+ source-routed datagram forwarding by hosts (see Section 3.3.5) should
+ be outlawed for security reasons.
+
+ Security-related issues are mentioned in sections concerning the IP
+ Security option (Section 3.2.1.8), the ICMP Parameter Problem message
+ (Section 3.2.2.5), IP options in UDP datagrams (Section 4.1.3.2), and
+ reserved TCP ports (Section 4.2.2.1).
+
+Author's Address
+
+ Robert Braden
+ USC/Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292-6695
+
+ Phone: (213) 822 1511
+
+ EMail: Braden@ISI.EDU
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 116]
+
diff --git a/contrib/bind9/doc/rfc/rfc1123.txt b/contrib/bind9/doc/rfc/rfc1123.txt
new file mode 100644
index 0000000..51cdf83
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1123.txt
@@ -0,0 +1,5782 @@
+
+
+
+
+
+
+Network Working Group Internet Engineering Task Force
+Request for Comments: 1123 R. Braden, Editor
+ October 1989
+
+
+ Requirements for Internet Hosts -- Application and Support
+
+Status of This Memo
+
+ This RFC is an official specification for the Internet community. It
+ incorporates by reference, amends, corrects, and supplements the
+ primary protocol standards documents relating to hosts. Distribution
+ of this document is unlimited.
+
+Summary
+
+ This RFC is one of a pair that defines and discusses the requirements
+ for Internet host software. This RFC covers the application and
+ support protocols; its companion RFC-1122 covers the communication
+ protocol layers: link layer, IP layer, and transport layer.
+
+
+
+ Table of Contents
+
+
+
+
+ 1. INTRODUCTION ............................................... 5
+ 1.1 The Internet Architecture .............................. 6
+ 1.2 General Considerations ................................. 6
+ 1.2.1 Continuing Internet Evolution ..................... 6
+ 1.2.2 Robustness Principle .............................. 7
+ 1.2.3 Error Logging ..................................... 8
+ 1.2.4 Configuration ..................................... 8
+ 1.3 Reading this Document .................................. 10
+ 1.3.1 Organization ...................................... 10
+ 1.3.2 Requirements ...................................... 10
+ 1.3.3 Terminology ....................................... 11
+ 1.4 Acknowledgments ........................................ 12
+
+ 2. GENERAL ISSUES ............................................. 13
+ 2.1 Host Names and Numbers ................................. 13
+ 2.2 Using Domain Name Service .............................. 13
+ 2.3 Applications on Multihomed hosts ....................... 14
+ 2.4 Type-of-Service ........................................ 14
+ 2.5 GENERAL APPLICATION REQUIREMENTS SUMMARY ............... 15
+
+
+
+
+Internet Engineering Task Force [Page 1]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ 3. REMOTE LOGIN -- TELNET PROTOCOL ............................ 16
+ 3.1 INTRODUCTION ........................................... 16
+ 3.2 PROTOCOL WALK-THROUGH .................................. 16
+ 3.2.1 Option Negotiation ................................ 16
+ 3.2.2 Telnet Go-Ahead Function .......................... 16
+ 3.2.3 Control Functions ................................. 17
+ 3.2.4 Telnet "Synch" Signal ............................. 18
+ 3.2.5 NVT Printer and Keyboard .......................... 19
+ 3.2.6 Telnet Command Structure .......................... 20
+ 3.2.7 Telnet Binary Option .............................. 20
+ 3.2.8 Telnet Terminal-Type Option ....................... 20
+ 3.3 SPECIFIC ISSUES ........................................ 21
+ 3.3.1 Telnet End-of-Line Convention ..................... 21
+ 3.3.2 Data Entry Terminals .............................. 23
+ 3.3.3 Option Requirements ............................... 24
+ 3.3.4 Option Initiation ................................. 24
+ 3.3.5 Telnet Linemode Option ............................ 25
+ 3.4 TELNET/USER INTERFACE .................................. 25
+ 3.4.1 Character Set Transparency ........................ 25
+ 3.4.2 Telnet Commands ................................... 26
+ 3.4.3 TCP Connection Errors ............................. 26
+ 3.4.4 Non-Default Telnet Contact Port ................... 26
+ 3.4.5 Flushing Output ................................... 26
+ 3.5. TELNET REQUIREMENTS SUMMARY ........................... 27
+
+ 4. FILE TRANSFER .............................................. 29
+ 4.1 FILE TRANSFER PROTOCOL -- FTP .......................... 29
+ 4.1.1 INTRODUCTION ...................................... 29
+ 4.1.2. PROTOCOL WALK-THROUGH ............................ 29
+ 4.1.2.1 LOCAL Type ................................... 29
+ 4.1.2.2 Telnet Format Control ........................ 30
+ 4.1.2.3 Page Structure ............................... 30
+ 4.1.2.4 Data Structure Transformations ............... 30
+ 4.1.2.5 Data Connection Management ................... 31
+ 4.1.2.6 PASV Command ................................. 31
+ 4.1.2.7 LIST and NLST Commands ....................... 31
+ 4.1.2.8 SITE Command ................................. 32
+ 4.1.2.9 STOU Command ................................. 32
+ 4.1.2.10 Telnet End-of-line Code ..................... 32
+ 4.1.2.11 FTP Replies ................................. 33
+ 4.1.2.12 Connections ................................. 34
+ 4.1.2.13 Minimum Implementation; RFC-959 Section ..... 34
+ 4.1.3 SPECIFIC ISSUES ................................... 35
+ 4.1.3.1 Non-standard Command Verbs ................... 35
+ 4.1.3.2 Idle Timeout ................................. 36
+ 4.1.3.3 Concurrency of Data and Control .............. 36
+ 4.1.3.4 FTP Restart Mechanism ........................ 36
+ 4.1.4 FTP/USER INTERFACE ................................ 39
+
+
+
+Internet Engineering Task Force [Page 2]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ 4.1.4.1 Pathname Specification ....................... 39
+ 4.1.4.2 "QUOTE" Command .............................. 40
+ 4.1.4.3 Displaying Replies to User ................... 40
+ 4.1.4.4 Maintaining Synchronization .................. 40
+ 4.1.5 FTP REQUIREMENTS SUMMARY ......................... 41
+ 4.2 TRIVIAL FILE TRANSFER PROTOCOL -- TFTP ................. 44
+ 4.2.1 INTRODUCTION ...................................... 44
+ 4.2.2 PROTOCOL WALK-THROUGH ............................. 44
+ 4.2.2.1 Transfer Modes ............................... 44
+ 4.2.2.2 UDP Header ................................... 44
+ 4.2.3 SPECIFIC ISSUES ................................... 44
+ 4.2.3.1 Sorcerer's Apprentice Syndrome ............... 44
+ 4.2.3.2 Timeout Algorithms ........................... 46
+ 4.2.3.3 Extensions ................................... 46
+ 4.2.3.4 Access Control ............................... 46
+ 4.2.3.5 Broadcast Request ............................ 46
+ 4.2.4 TFTP REQUIREMENTS SUMMARY ......................... 47
+
+ 5. ELECTRONIC MAIL -- SMTP and RFC-822 ........................ 48
+ 5.1 INTRODUCTION ........................................... 48
+ 5.2 PROTOCOL WALK-THROUGH .................................. 48
+ 5.2.1 The SMTP Model .................................... 48
+ 5.2.2 Canonicalization .................................. 49
+ 5.2.3 VRFY and EXPN Commands ............................ 50
+ 5.2.4 SEND, SOML, and SAML Commands ..................... 50
+ 5.2.5 HELO Command ...................................... 50
+ 5.2.6 Mail Relay ........................................ 51
+ 5.2.7 RCPT Command ...................................... 52
+ 5.2.8 DATA Command ...................................... 53
+ 5.2.9 Command Syntax .................................... 54
+ 5.2.10 SMTP Replies ..................................... 54
+ 5.2.11 Transparency ..................................... 55
+ 5.2.12 WKS Use in MX Processing ......................... 55
+ 5.2.13 RFC-822 Message Specification .................... 55
+ 5.2.14 RFC-822 Date and Time Specification .............. 55
+ 5.2.15 RFC-822 Syntax Change ............................ 56
+ 5.2.16 RFC-822 Local-part .............................. 56
+ 5.2.17 Domain Literals .................................. 57
+ 5.2.18 Common Address Formatting Errors ................. 58
+ 5.2.19 Explicit Source Routes ........................... 58
+ 5.3 SPECIFIC ISSUES ........................................ 59
+ 5.3.1 SMTP Queueing Strategies .......................... 59
+ 5.3.1.1 Sending Strategy .............................. 59
+ 5.3.1.2 Receiving strategy ........................... 61
+ 5.3.2 Timeouts in SMTP .................................. 61
+ 5.3.3 Reliable Mail Receipt ............................. 63
+ 5.3.4 Reliable Mail Transmission ........................ 63
+ 5.3.5 Domain Name Support ............................... 65
+
+
+
+Internet Engineering Task Force [Page 3]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ 5.3.6 Mailing Lists and Aliases ......................... 65
+ 5.3.7 Mail Gatewaying ................................... 66
+ 5.3.8 Maximum Message Size .............................. 68
+ 5.4 SMTP REQUIREMENTS SUMMARY .............................. 69
+
+ 6. SUPPORT SERVICES ............................................ 72
+ 6.1 DOMAIN NAME TRANSLATION ................................. 72
+ 6.1.1 INTRODUCTION ....................................... 72
+ 6.1.2 PROTOCOL WALK-THROUGH ............................. 72
+ 6.1.2.1 Resource Records with Zero TTL ............... 73
+ 6.1.2.2 QCLASS Values ................................ 73
+ 6.1.2.3 Unused Fields ................................ 73
+ 6.1.2.4 Compression .................................. 73
+ 6.1.2.5 Misusing Configuration Info .................. 73
+ 6.1.3 SPECIFIC ISSUES ................................... 74
+ 6.1.3.1 Resolver Implementation ...................... 74
+ 6.1.3.2 Transport Protocols .......................... 75
+ 6.1.3.3 Efficient Resource Usage ..................... 77
+ 6.1.3.4 Multihomed Hosts ............................. 78
+ 6.1.3.5 Extensibility ................................ 79
+ 6.1.3.6 Status of RR Types ........................... 79
+ 6.1.3.7 Robustness ................................... 80
+ 6.1.3.8 Local Host Table ............................. 80
+ 6.1.4 DNS USER INTERFACE ................................ 81
+ 6.1.4.1 DNS Administration ........................... 81
+ 6.1.4.2 DNS User Interface ........................... 81
+ 6.1.4.3 Interface Abbreviation Facilities ............. 82
+ 6.1.5 DOMAIN NAME SYSTEM REQUIREMENTS SUMMARY ........... 84
+ 6.2 HOST INITIALIZATION .................................... 87
+ 6.2.1 INTRODUCTION ...................................... 87
+ 6.2.2 REQUIREMENTS ...................................... 87
+ 6.2.2.1 Dynamic Configuration ........................ 87
+ 6.2.2.2 Loading Phase ................................ 89
+ 6.3 REMOTE MANAGEMENT ...................................... 90
+ 6.3.1 INTRODUCTION ...................................... 90
+ 6.3.2 PROTOCOL WALK-THROUGH ............................. 90
+ 6.3.3 MANAGEMENT REQUIREMENTS SUMMARY ................... 92
+
+ 7. REFERENCES ................................................. 93
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 4]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+1. INTRODUCTION
+
+ This document is one of a pair that defines and discusses the
+ requirements for host system implementations of the Internet protocol
+ suite. This RFC covers the applications layer and support protocols.
+ Its companion RFC, "Requirements for Internet Hosts -- Communications
+ Layers" [INTRO:1] covers the lower layer protocols: transport layer,
+ IP layer, and link layer.
+
+ These documents are intended to provide guidance for vendors,
+ implementors, and users of Internet communication software. They
+ represent the consensus of a large body of technical experience and
+ wisdom, contributed by members of the Internet research and vendor
+ communities.
+
+ This RFC enumerates standard protocols that a host connected to the
+ Internet must use, and it incorporates by reference the RFCs and
+ other documents describing the current specifications for these
+ protocols. It corrects errors in the referenced documents and adds
+ additional discussion and guidance for an implementor.
+
+ For each protocol, this document also contains an explicit set of
+ requirements, recommendations, and options. The reader must
+ understand that the list of requirements in this document is
+ incomplete by itself; the complete set of requirements for an
+ Internet host is primarily defined in the standard protocol
+ specification documents, with the corrections, amendments, and
+ supplements contained in this RFC.
+
+ A good-faith implementation of the protocols that was produced after
+ careful reading of the RFC's and with some interaction with the
+ Internet technical community, and that followed good communications
+ software engineering practices, should differ from the requirements
+ of this document in only minor ways. Thus, in many cases, the
+ "requirements" in this RFC are already stated or implied in the
+ standard protocol documents, so that their inclusion here is, in a
+ sense, redundant. However, they were included because some past
+ implementation has made the wrong choice, causing problems of
+ interoperability, performance, and/or robustness.
+
+ This document includes discussion and explanation of many of the
+ requirements and recommendations. A simple list of requirements
+ would be dangerous, because:
+
+ o Some required features are more important than others, and some
+ features are optional.
+
+ o There may be valid reasons why particular vendor products that
+
+
+
+Internet Engineering Task Force [Page 5]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ are designed for restricted contexts might choose to use
+ different specifications.
+
+ However, the specifications of this document must be followed to meet
+ the general goal of arbitrary host interoperation across the
+ diversity and complexity of the Internet system. Although most
+ current implementations fail to meet these requirements in various
+ ways, some minor and some major, this specification is the ideal
+ towards which we need to move.
+
+ These requirements are based on the current level of Internet
+ architecture. This document will be updated as required to provide
+ additional clarifications or to include additional information in
+ those areas in which specifications are still evolving.
+
+ This introductory section begins with general advice to host software
+ vendors, and then gives some guidance on reading the rest of the
+ document. Section 2 contains general requirements that may be
+ applicable to all application and support protocols. Sections 3, 4,
+ and 5 contain the requirements on protocols for the three major
+ applications: Telnet, file transfer, and electronic mail,
+ respectively. Section 6 covers the support applications: the domain
+ name system, system initialization, and management. Finally, all
+ references will be found in Section 7.
+
+ 1.1 The Internet Architecture
+
+ For a brief introduction to the Internet architecture from a host
+ viewpoint, see Section 1.1 of [INTRO:1]. That section also
+ contains recommended references for general background on the
+ Internet architecture.
+
+ 1.2 General Considerations
+
+ There are two important lessons that vendors of Internet host
+ software have learned and which a new vendor should consider
+ seriously.
+
+ 1.2.1 Continuing Internet Evolution
+
+ The enormous growth of the Internet has revealed problems of
+ management and scaling in a large datagram-based packet
+ communication system. These problems are being addressed, and
+ as a result there will be continuing evolution of the
+ specifications described in this document. These changes will
+ be carefully planned and controlled, since there is extensive
+ participation in this planning by the vendors and by the
+ organizations responsible for operations of the networks.
+
+
+
+Internet Engineering Task Force [Page 6]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ Development, evolution, and revision are characteristic of
+ computer network protocols today, and this situation will
+ persist for some years. A vendor who develops computer
+ communication software for the Internet protocol suite (or any
+ other protocol suite!) and then fails to maintain and update
+ that software for changing specifications is going to leave a
+ trail of unhappy customers. The Internet is a large
+ communication network, and the users are in constant contact
+ through it. Experience has shown that knowledge of
+ deficiencies in vendor software propagates quickly through the
+ Internet technical community.
+
+ 1.2.2 Robustness Principle
+
+ At every layer of the protocols, there is a general rule whose
+ application can lead to enormous benefits in robustness and
+ interoperability:
+
+ "Be liberal in what you accept, and
+ conservative in what you send"
+
+ Software should be written to deal with every conceivable
+ error, no matter how unlikely; sooner or later a packet will
+ come in with that particular combination of errors and
+ attributes, and unless the software is prepared, chaos can
+ ensue. In general, it is best to assume that the network is
+ filled with malevolent entities that will send in packets
+ designed to have the worst possible effect. This assumption
+ will lead to suitable protective design, although the most
+ serious problems in the Internet have been caused by
+ unenvisaged mechanisms triggered by low-probability events;
+ mere human malice would never have taken so devious a course!
+
+ Adaptability to change must be designed into all levels of
+ Internet host software. As a simple example, consider a
+ protocol specification that contains an enumeration of values
+ for a particular header field -- e.g., a type field, a port
+ number, or an error code; this enumeration must be assumed to
+ be incomplete. Thus, if a protocol specification defines four
+ possible error codes, the software must not break when a fifth
+ code shows up. An undefined code might be logged (see below),
+ but it must not cause a failure.
+
+ The second part of the principle is almost as important:
+ software on other hosts may contain deficiencies that make it
+ unwise to exploit legal but obscure protocol features. It is
+ unwise to stray far from the obvious and simple, lest untoward
+ effects result elsewhere. A corollary of this is "watch out
+
+
+
+Internet Engineering Task Force [Page 7]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ for misbehaving hosts"; host software should be prepared, not
+ just to survive other misbehaving hosts, but also to cooperate
+ to limit the amount of disruption such hosts can cause to the
+ shared communication facility.
+
+ 1.2.3 Error Logging
+
+ The Internet includes a great variety of host and gateway
+ systems, each implementing many protocols and protocol layers,
+ and some of these contain bugs and mis-features in their
+ Internet protocol software. As a result of complexity,
+ diversity, and distribution of function, the diagnosis of user
+ problems is often very difficult.
+
+ Problem diagnosis will be aided if host implementations include
+ a carefully designed facility for logging erroneous or
+ "strange" protocol events. It is important to include as much
+ diagnostic information as possible when an error is logged. In
+ particular, it is often useful to record the header(s) of a
+ packet that caused an error. However, care must be taken to
+ ensure that error logging does not consume prohibitive amounts
+ of resources or otherwise interfere with the operation of the
+ host.
+
+ There is a tendency for abnormal but harmless protocol events
+ to overflow error logging files; this can be avoided by using a
+ "circular" log, or by enabling logging only while diagnosing a
+ known failure. It may be useful to filter and count duplicate
+ successive messages. One strategy that seems to work well is:
+ (1) always count abnormalities and make such counts accessible
+ through the management protocol (see Section 6.3); and (2)
+ allow the logging of a great variety of events to be
+ selectively enabled. For example, it might useful to be able
+ to "log everything" or to "log everything for host X".
+
+ Note that different managements may have differing policies
+ about the amount of error logging that they want normally
+ enabled in a host. Some will say, "if it doesn't hurt me, I
+ don't want to know about it", while others will want to take a
+ more watchful and aggressive attitude about detecting and
+ removing protocol abnormalities.
+
+ 1.2.4 Configuration
+
+ It would be ideal if a host implementation of the Internet
+ protocol suite could be entirely self-configuring. This would
+ allow the whole suite to be implemented in ROM or cast into
+ silicon, it would simplify diskless workstations, and it would
+
+
+
+Internet Engineering Task Force [Page 8]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ be an immense boon to harried LAN administrators as well as
+ system vendors. We have not reached this ideal; in fact, we
+ are not even close.
+
+ At many points in this document, you will find a requirement
+ that a parameter be a configurable option. There are several
+ different reasons behind such requirements. In a few cases,
+ there is current uncertainty or disagreement about the best
+ value, and it may be necessary to update the recommended value
+ in the future. In other cases, the value really depends on
+ external factors -- e.g., the size of the host and the
+ distribution of its communication load, or the speeds and
+ topology of nearby networks -- and self-tuning algorithms are
+ unavailable and may be insufficient. In some cases,
+ configurability is needed because of administrative
+ requirements.
+
+ Finally, some configuration options are required to communicate
+ with obsolete or incorrect implementations of the protocols,
+ distributed without sources, that unfortunately persist in many
+ parts of the Internet. To make correct systems coexist with
+ these faulty systems, administrators often have to "mis-
+ configure" the correct systems. This problem will correct
+ itself gradually as the faulty systems are retired, but it
+ cannot be ignored by vendors.
+
+ When we say that a parameter must be configurable, we do not
+ intend to require that its value be explicitly read from a
+ configuration file at every boot time. We recommend that
+ implementors set up a default for each parameter, so a
+ configuration file is only necessary to override those defaults
+ that are inappropriate in a particular installation. Thus, the
+ configurability requirement is an assurance that it will be
+ POSSIBLE to override the default when necessary, even in a
+ binary-only or ROM-based product.
+
+ This document requires a particular value for such defaults in
+ some cases. The choice of default is a sensitive issue when
+ the configuration item controls the accommodation to existing
+ faulty systems. If the Internet is to converge successfully to
+ complete interoperability, the default values built into
+ implementations must implement the official protocol, not
+ "mis-configurations" to accommodate faulty implementations.
+ Although marketing considerations have led some vendors to
+ choose mis-configuration defaults, we urge vendors to choose
+ defaults that will conform to the standard.
+
+ Finally, we note that a vendor needs to provide adequate
+
+
+
+Internet Engineering Task Force [Page 9]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ documentation on all configuration parameters, their limits and
+ effects.
+
+
+ 1.3 Reading this Document
+
+ 1.3.1 Organization
+
+ In general, each major section is organized into the following
+ subsections:
+
+ (1) Introduction
+
+ (2) Protocol Walk-Through -- considers the protocol
+ specification documents section-by-section, correcting
+ errors, stating requirements that may be ambiguous or
+ ill-defined, and providing further clarification or
+ explanation.
+
+ (3) Specific Issues -- discusses protocol design and
+ implementation issues that were not included in the walk-
+ through.
+
+ (4) Interfaces -- discusses the service interface to the next
+ higher layer.
+
+ (5) Summary -- contains a summary of the requirements of the
+ section.
+
+ Under many of the individual topics in this document, there is
+ parenthetical material labeled "DISCUSSION" or
+ "IMPLEMENTATION". This material is intended to give
+ clarification and explanation of the preceding requirements
+ text. It also includes some suggestions on possible future
+ directions or developments. The implementation material
+ contains suggested approaches that an implementor may want to
+ consider.
+
+ The summary sections are intended to be guides and indexes to
+ the text, but are necessarily cryptic and incomplete. The
+ summaries should never be used or referenced separately from
+ the complete RFC.
+
+ 1.3.2 Requirements
+
+ In this document, the words that are used to define the
+ significance of each particular requirement are capitalized.
+ These words are:
+
+
+
+Internet Engineering Task Force [Page 10]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ * "MUST"
+
+ This word or the adjective "REQUIRED" means that the item
+ is an absolute requirement of the specification.
+
+ * "SHOULD"
+
+ This word or the adjective "RECOMMENDED" means that there
+ may exist valid reasons in particular circumstances to
+ ignore this item, but the full implications should be
+ understood and the case carefully weighed before choosing
+ a different course.
+
+ * "MAY"
+
+ This word or the adjective "OPTIONAL" means that this item
+ is truly optional. One vendor may choose to include the
+ item because a particular marketplace requires it or
+ because it enhances the product, for example; another
+ vendor may omit the same item.
+
+
+ An implementation is not compliant if it fails to satisfy one
+ or more of the MUST requirements for the protocols it
+ implements. An implementation that satisfies all the MUST and
+ all the SHOULD requirements for its protocols is said to be
+ "unconditionally compliant"; one that satisfies all the MUST
+ requirements but not all the SHOULD requirements for its
+ protocols is said to be "conditionally compliant".
+
+ 1.3.3 Terminology
+
+ This document uses the following technical terms:
+
+ Segment
+ A segment is the unit of end-to-end transmission in the
+ TCP protocol. A segment consists of a TCP header followed
+ by application data. A segment is transmitted by
+ encapsulation in an IP datagram.
+
+ Message
+ This term is used by some application layer protocols
+ (particularly SMTP) for an application data unit.
+
+ Datagram
+ A [UDP] datagram is the unit of end-to-end transmission in
+ the UDP protocol.
+
+
+
+
+Internet Engineering Task Force [Page 11]
+
+
+
+
+RFC1123 INTRODUCTION October 1989
+
+
+ Multihomed
+ A host is said to be multihomed if it has multiple IP
+ addresses to connected networks.
+
+
+
+ 1.4 Acknowledgments
+
+ This document incorporates contributions and comments from a large
+ group of Internet protocol experts, including representatives of
+ university and research labs, vendors, and government agencies.
+ It was assembled primarily by the Host Requirements Working Group
+ of the Internet Engineering Task Force (IETF).
+
+ The Editor would especially like to acknowledge the tireless
+ dedication of the following people, who attended many long
+ meetings and generated 3 million bytes of electronic mail over the
+ past 18 months in pursuit of this document: Philip Almquist, Dave
+ Borman (Cray Research), Noel Chiappa, Dave Crocker (DEC), Steve
+ Deering (Stanford), Mike Karels (Berkeley), Phil Karn (Bellcore),
+ John Lekashman (NASA), Charles Lynn (BBN), Keith McCloghrie (TWG),
+ Paul Mockapetris (ISI), Thomas Narten (Purdue), Craig Partridge
+ (BBN), Drew Perkins (CMU), and James Van Bokkelen (FTP Software).
+
+ In addition, the following people made major contributions to the
+ effort: Bill Barns (Mitre), Steve Bellovin (AT&T), Mike Brescia
+ (BBN), Ed Cain (DCA), Annette DeSchon (ISI), Martin Gross (DCA),
+ Phill Gross (NRI), Charles Hedrick (Rutgers), Van Jacobson (LBL),
+ John Klensin (MIT), Mark Lottor (SRI), Milo Medin (NASA), Bill
+ Melohn (Sun Microsystems), Greg Minshall (Kinetics), Jeff Mogul
+ (DEC), John Mullen (CMC), Jon Postel (ISI), John Romkey (Epilogue
+ Technology), and Mike StJohns (DCA). The following also made
+ significant contributions to particular areas: Eric Allman
+ (Berkeley), Rob Austein (MIT), Art Berggreen (ACC), Keith Bostic
+ (Berkeley), Vint Cerf (NRI), Wayne Hathaway (NASA), Matt Korn
+ (IBM), Erik Naggum (Naggum Software, Norway), Robert Ullmann
+ (Prime Computer), David Waitzman (BBN), Frank Wancho (USA), Arun
+ Welch (Ohio State), Bill Westfield (Cisco), and Rayan Zachariassen
+ (Toronto).
+
+ We are grateful to all, including any contributors who may have
+ been inadvertently omitted from this list.
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 12]
+
+
+
+
+RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
+
+
+2. GENERAL ISSUES
+
+ This section contains general requirements that may be applicable to
+ all application-layer protocols.
+
+ 2.1 Host Names and Numbers
+
+ The syntax of a legal Internet host name was specified in RFC-952
+ [DNS:4]. One aspect of host name syntax is hereby changed: the
+ restriction on the first character is relaxed to allow either a
+ letter or a digit. Host software MUST support this more liberal
+ syntax.
+
+ Host software MUST handle host names of up to 63 characters and
+ SHOULD handle host names of up to 255 characters.
+
+ Whenever a user inputs the identity of an Internet host, it SHOULD
+ be possible to enter either (1) a host domain name or (2) an IP
+ address in dotted-decimal ("#.#.#.#") form. The host SHOULD check
+ the string syntactically for a dotted-decimal number before
+ looking it up in the Domain Name System.
+
+ DISCUSSION:
+ This last requirement is not intended to specify the complete
+ syntactic form for entering a dotted-decimal host number;
+ that is considered to be a user-interface issue. For
+ example, a dotted-decimal number must be enclosed within
+ "[ ]" brackets for SMTP mail (see Section 5.2.17). This
+ notation could be made universal within a host system,
+ simplifying the syntactic checking for a dotted-decimal
+ number.
+
+ If a dotted-decimal number can be entered without such
+ identifying delimiters, then a full syntactic check must be
+ made, because a segment of a host domain name is now allowed
+ to begin with a digit and could legally be entirely numeric
+ (see Section 6.1.2.4). However, a valid host name can never
+ have the dotted-decimal form #.#.#.#, since at least the
+ highest-level component label will be alphabetic.
+
+ 2.2 Using Domain Name Service
+
+ Host domain names MUST be translated to IP addresses as described
+ in Section 6.1.
+
+ Applications using domain name services MUST be able to cope with
+ soft error conditions. Applications MUST wait a reasonable
+ interval between successive retries due to a soft error, and MUST
+
+
+
+Internet Engineering Task Force [Page 13]
+
+
+
+
+RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
+
+
+ allow for the possibility that network problems may deny service
+ for hours or even days.
+
+ An application SHOULD NOT rely on the ability to locate a WKS
+ record containing an accurate listing of all services at a
+ particular host address, since the WKS RR type is not often used
+ by Internet sites. To confirm that a service is present, simply
+ attempt to use it.
+
+ 2.3 Applications on Multihomed hosts
+
+ When the remote host is multihomed, the name-to-address
+ translation will return a list of alternative IP addresses. As
+ specified in Section 6.1.3.4, this list should be in order of
+ decreasing preference. Application protocol implementations
+ SHOULD be prepared to try multiple addresses from the list until
+ success is obtained. More specific requirements for SMTP are
+ given in Section 5.3.4.
+
+ When the local host is multihomed, a UDP-based request/response
+ application SHOULD send the response with an IP source address
+ that is the same as the specific destination address of the UDP
+ request datagram. The "specific destination address" is defined
+ in the "IP Addressing" section of the companion RFC [INTRO:1].
+
+ Similarly, a server application that opens multiple TCP
+ connections to the same client SHOULD use the same local IP
+ address for all.
+
+ 2.4 Type-of-Service
+
+ Applications MUST select appropriate TOS values when they invoke
+ transport layer services, and these values MUST be configurable.
+ Note that a TOS value contains 5 bits, of which only the most-
+ significant 3 bits are currently defined; the other two bits MUST
+ be zero.
+
+ DISCUSSION:
+ As gateway algorithms are developed to implement Type-of-
+ Service, the recommended values for various application
+ protocols may change. In addition, it is likely that
+ particular combinations of users and Internet paths will want
+ non-standard TOS values. For these reasons, the TOS values
+ must be configurable.
+
+ See the latest version of the "Assigned Numbers" RFC
+ [INTRO:5] for the recommended TOS values for the major
+ application protocols.
+
+
+
+Internet Engineering Task Force [Page 14]
+
+
+
+
+RFC1123 APPLICATIONS LAYER -- GENERAL October 1989
+
+
+ 2.5 GENERAL APPLICATION REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-----------------------------------------------|----------|-|-|-|-|-|--
+ | | | | | | |
+User interfaces: | | | | | | |
+ Allow host name to begin with digit |2.1 |x| | | | |
+ Host names of up to 635 characters |2.1 |x| | | | |
+ Host names of up to 255 characters |2.1 | |x| | | |
+ Support dotted-decimal host numbers |2.1 | |x| | | |
+ Check syntactically for dotted-dec first |2.1 | |x| | | |
+ | | | | | | |
+Map domain names per Section 6.1 |2.2 |x| | | | |
+Cope with soft DNS errors |2.2 |x| | | | |
+ Reasonable interval between retries |2.2 |x| | | | |
+ Allow for long outages |2.2 |x| | | | |
+Expect WKS records to be available |2.2 | | | |x| |
+ | | | | | | |
+Try multiple addr's for remote multihomed host |2.3 | |x| | | |
+UDP reply src addr is specific dest of request |2.3 | |x| | | |
+Use same IP addr for related TCP connections |2.3 | |x| | | |
+Specify appropriate TOS values |2.4 |x| | | | |
+ TOS values configurable |2.4 |x| | | | |
+ Unused TOS bits zero |2.4 |x| | | | |
+ | | | | | | |
+ | | | | | | |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 15]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+3. REMOTE LOGIN -- TELNET PROTOCOL
+
+ 3.1 INTRODUCTION
+
+ Telnet is the standard Internet application protocol for remote
+ login. It provides the encoding rules to link a user's
+ keyboard/display on a client ("user") system with a command
+ interpreter on a remote server system. A subset of the Telnet
+ protocol is also incorporated within other application protocols,
+ e.g., FTP and SMTP.
+
+ Telnet uses a single TCP connection, and its normal data stream
+ ("Network Virtual Terminal" or "NVT" mode) is 7-bit ASCII with
+ escape sequences to embed control functions. Telnet also allows
+ the negotiation of many optional modes and functions.
+
+ The primary Telnet specification is to be found in RFC-854
+ [TELNET:1], while the options are defined in many other RFCs; see
+ Section 7 for references.
+
+ 3.2 PROTOCOL WALK-THROUGH
+
+ 3.2.1 Option Negotiation: RFC-854, pp. 2-3
+
+ Every Telnet implementation MUST include option negotiation and
+ subnegotiation machinery [TELNET:2].
+
+ A host MUST carefully follow the rules of RFC-854 to avoid
+ option-negotiation loops. A host MUST refuse (i.e, reply
+ WONT/DONT to a DO/WILL) an unsupported option. Option
+ negotiation SHOULD continue to function (even if all requests
+ are refused) throughout the lifetime of a Telnet connection.
+
+ If all option negotiations fail, a Telnet implementation MUST
+ default to, and support, an NVT.
+
+ DISCUSSION:
+ Even though more sophisticated "terminals" and supporting
+ option negotiations are becoming the norm, all
+ implementations must be prepared to support an NVT for any
+ user-server communication.
+
+ 3.2.2 Telnet Go-Ahead Function: RFC-854, p. 5, and RFC-858
+
+ On a host that never sends the Telnet command Go Ahead (GA),
+ the Telnet Server MUST attempt to negotiate the Suppress Go
+ Ahead option (i.e., send "WILL Suppress Go Ahead"). A User or
+ Server Telnet MUST always accept negotiation of the Suppress Go
+
+
+
+Internet Engineering Task Force [Page 16]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ Ahead option.
+
+ When it is driving a full-duplex terminal for which GA has no
+ meaning, a User Telnet implementation MAY ignore GA commands.
+
+ DISCUSSION:
+ Half-duplex ("locked-keyboard") line-at-a-time terminals
+ for which the Go-Ahead mechanism was designed have largely
+ disappeared from the scene. It turned out to be difficult
+ to implement sending the Go-Ahead signal in many operating
+ systems, even some systems that support native half-duplex
+ terminals. The difficulty is typically that the Telnet
+ server code does not have access to information about
+ whether the user process is blocked awaiting input from
+ the Telnet connection, i.e., it cannot reliably determine
+ when to send a GA command. Therefore, most Telnet Server
+ hosts do not send GA commands.
+
+ The effect of the rules in this section is to allow either
+ end of a Telnet connection to veto the use of GA commands.
+
+ There is a class of half-duplex terminals that is still
+ commercially important: "data entry terminals," which
+ interact in a full-screen manner. However, supporting
+ data entry terminals using the Telnet protocol does not
+ require the Go Ahead signal; see Section 3.3.2.
+
+ 3.2.3 Control Functions: RFC-854, pp. 7-8
+
+ The list of Telnet commands has been extended to include EOR
+ (End-of-Record), with code 239 [TELNET:9].
+
+ Both User and Server Telnets MAY support the control functions
+ EOR, EC, EL, and Break, and MUST support AO, AYT, DM, IP, NOP,
+ SB, and SE.
+
+ A host MUST be able to receive and ignore any Telnet control
+ functions that it does not support.
+
+ DISCUSSION:
+ Note that a Server Telnet is required to support the
+ Telnet IP (Interrupt Process) function, even if the server
+ host has an equivalent in-stream function (e.g., Control-C
+ in many systems). The Telnet IP function may be stronger
+ than an in-stream interrupt command, because of the out-
+ of-band effect of TCP urgent data.
+
+ The EOR control function may be used to delimit the
+
+
+
+Internet Engineering Task Force [Page 17]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ stream. An important application is data entry terminal
+ support (see Section 3.3.2). There was concern that since
+ EOR had not been defined in RFC-854, a host that was not
+ prepared to correctly ignore unknown Telnet commands might
+ crash if it received an EOR. To protect such hosts, the
+ End-of-Record option [TELNET:9] was introduced; however, a
+ properly implemented Telnet program will not require this
+ protection.
+
+ 3.2.4 Telnet "Synch" Signal: RFC-854, pp. 8-10
+
+ When it receives "urgent" TCP data, a User or Server Telnet
+ MUST discard all data except Telnet commands until the DM (and
+ end of urgent) is reached.
+
+ When it sends Telnet IP (Interrupt Process), a User Telnet
+ SHOULD follow it by the Telnet "Synch" sequence, i.e., send as
+ TCP urgent data the sequence "IAC IP IAC DM". The TCP urgent
+ pointer points to the DM octet.
+
+ When it receives a Telnet IP command, a Server Telnet MAY send
+ a Telnet "Synch" sequence back to the user, to flush the output
+ stream. The choice ought to be consistent with the way the
+ server operating system behaves when a local user interrupts a
+ process.
+
+ When it receives a Telnet AO command, a Server Telnet MUST send
+ a Telnet "Synch" sequence back to the user, to flush the output
+ stream.
+
+ A User Telnet SHOULD have the capability of flushing output
+ when it sends a Telnet IP; see also Section 3.4.5.
+
+ DISCUSSION:
+ There are three possible ways for a User Telnet to flush
+ the stream of server output data:
+
+ (1) Send AO after IP.
+
+ This will cause the server host to send a "flush-
+ buffered-output" signal to its operating system.
+ However, the AO may not take effect locally, i.e.,
+ stop terminal output at the User Telnet end, until
+ the Server Telnet has received and processed the AO
+ and has sent back a "Synch".
+
+ (2) Send DO TIMING-MARK [TELNET:7] after IP, and discard
+ all output locally until a WILL/WONT TIMING-MARK is
+
+
+
+Internet Engineering Task Force [Page 18]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ received from the Server Telnet.
+
+ Since the DO TIMING-MARK will be processed after the
+ IP at the server, the reply to it should be in the
+ right place in the output data stream. However, the
+ TIMING-MARK will not send a "flush buffered output"
+ signal to the server operating system. Whether or
+ not this is needed is dependent upon the server
+ system.
+
+ (3) Do both.
+
+ The best method is not entirely clear, since it must
+ accommodate a number of existing server hosts that do not
+ follow the Telnet standards in various ways. The safest
+ approach is probably to provide a user-controllable option
+ to select (1), (2), or (3).
+
+ 3.2.5 NVT Printer and Keyboard: RFC-854, p. 11
+
+ In NVT mode, a Telnet SHOULD NOT send characters with the
+ high-order bit 1, and MUST NOT send it as a parity bit.
+ Implementations that pass the high-order bit to applications
+ SHOULD negotiate binary mode (see Section 3.2.6).
+
+
+ DISCUSSION:
+ Implementors should be aware that a strict reading of
+ RFC-854 allows a client or server expecting NVT ASCII to
+ ignore characters with the high-order bit set. In
+ general, binary mode is expected to be used for
+ transmission of an extended (beyond 7-bit) character set
+ with Telnet.
+
+ However, there exist applications that really need an 8-
+ bit NVT mode, which is currently not defined, and these
+ existing applications do set the high-order bit during
+ part or all of the life of a Telnet connection. Note that
+ binary mode is not the same as 8-bit NVT mode, since
+ binary mode turns off end-of-line processing. For this
+ reason, the requirements on the high-order bit are stated
+ as SHOULD, not MUST.
+
+ RFC-854 defines a minimal set of properties of a "network
+ virtual terminal" or NVT; this is not meant to preclude
+ additional features in a real terminal. A Telnet
+ connection is fully transparent to all 7-bit ASCII
+ characters, including arbitrary ASCII control characters.
+
+
+
+Internet Engineering Task Force [Page 19]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ For example, a terminal might support full-screen commands
+ coded as ASCII escape sequences; a Telnet implementation
+ would pass these sequences as uninterpreted data. Thus,
+ an NVT should not be conceived as a terminal type of a
+ highly-restricted device.
+
+ 3.2.6 Telnet Command Structure: RFC-854, p. 13
+
+ Since options may appear at any point in the data stream, a
+ Telnet escape character (known as IAC, with the value 255) to
+ be sent as data MUST be doubled.
+
+ 3.2.7 Telnet Binary Option: RFC-856
+
+ When the Binary option has been successfully negotiated,
+ arbitrary 8-bit characters are allowed. However, the data
+ stream MUST still be scanned for IAC characters, any embedded
+ Telnet commands MUST be obeyed, and data bytes equal to IAC
+ MUST be doubled. Other character processing (e.g., replacing
+ CR by CR NUL or by CR LF) MUST NOT be done. In particular,
+ there is no end-of-line convention (see Section 3.3.1) in
+ binary mode.
+
+ DISCUSSION:
+ The Binary option is normally negotiated in both
+ directions, to change the Telnet connection from NVT mode
+ to "binary mode".
+
+ The sequence IAC EOR can be used to delimit blocks of data
+ within a binary-mode Telnet stream.
+
+ 3.2.8 Telnet Terminal-Type Option: RFC-1091
+
+ The Terminal-Type option MUST use the terminal type names
+ officially defined in the Assigned Numbers RFC [INTRO:5], when
+ they are available for the particular terminal. However, the
+ receiver of a Terminal-Type option MUST accept any name.
+
+ DISCUSSION:
+ RFC-1091 [TELNET:10] updates an earlier version of the
+ Terminal-Type option defined in RFC-930. The earlier
+ version allowed a server host capable of supporting
+ multiple terminal types to learn the type of a particular
+ client's terminal, assuming that each physical terminal
+ had an intrinsic type. However, today a "terminal" is
+ often really a terminal emulator program running in a PC,
+ perhaps capable of emulating a range of terminal types.
+ Therefore, RFC-1091 extends the specification to allow a
+
+
+
+Internet Engineering Task Force [Page 20]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ more general terminal-type negotiation between User and
+ Server Telnets.
+
+ 3.3 SPECIFIC ISSUES
+
+ 3.3.1 Telnet End-of-Line Convention
+
+ The Telnet protocol defines the sequence CR LF to mean "end-
+ of-line". For terminal input, this corresponds to a command-
+ completion or "end-of-line" key being pressed on a user
+ terminal; on an ASCII terminal, this is the CR key, but it may
+ also be labelled "Return" or "Enter".
+
+ When a Server Telnet receives the Telnet end-of-line sequence
+ CR LF as input from a remote terminal, the effect MUST be the
+ same as if the user had pressed the "end-of-line" key on a
+ local terminal. On server hosts that use ASCII, in particular,
+ receipt of the Telnet sequence CR LF must cause the same effect
+ as a local user pressing the CR key on a local terminal. Thus,
+ CR LF and CR NUL MUST have the same effect on an ASCII server
+ host when received as input over a Telnet connection.
+
+ A User Telnet MUST be able to send any of the forms: CR LF, CR
+ NUL, and LF. A User Telnet on an ASCII host SHOULD have a
+ user-controllable mode to send either CR LF or CR NUL when the
+ user presses the "end-of-line" key, and CR LF SHOULD be the
+ default.
+
+ The Telnet end-of-line sequence CR LF MUST be used to send
+ Telnet data that is not terminal-to-computer (e.g., for Server
+ Telnet sending output, or the Telnet protocol incorporated
+ another application protocol).
+
+ DISCUSSION:
+ To allow interoperability between arbitrary Telnet clients
+ and servers, the Telnet protocol defined a standard
+ representation for a line terminator. Since the ASCII
+ character set includes no explicit end-of-line character,
+ systems have chosen various representations, e.g., CR, LF,
+ and the sequence CR LF. The Telnet protocol chose the CR
+ LF sequence as the standard for network transmission.
+
+ Unfortunately, the Telnet protocol specification in RFC-
+ 854 [TELNET:1] has turned out to be somewhat ambiguous on
+ what character(s) should be sent from client to server for
+ the "end-of-line" key. The result has been a massive and
+ continuing interoperability headache, made worse by
+ various faulty implementations of both User and Server
+
+
+
+Internet Engineering Task Force [Page 21]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ Telnets.
+
+ Although the Telnet protocol is based on a perfectly
+ symmetric model, in a remote login session the role of the
+ user at a terminal differs from the role of the server
+ host. For example, RFC-854 defines the meaning of CR, LF,
+ and CR LF as output from the server, but does not specify
+ what the User Telnet should send when the user presses the
+ "end-of-line" key on the terminal; this turns out to be
+ the point at issue.
+
+ When a user presses the "end-of-line" key, some User
+ Telnet implementations send CR LF, while others send CR
+ NUL (based on a different interpretation of the same
+ sentence in RFC-854). These will be equivalent for a
+ correctly-implemented ASCII server host, as discussed
+ above. For other servers, a mode in the User Telnet is
+ needed.
+
+ The existence of User Telnets that send only CR NUL when
+ CR is pressed creates a dilemma for non-ASCII hosts: they
+ can either treat CR NUL as equivalent to CR LF in input,
+ thus precluding the possibility of entering a "bare" CR,
+ or else lose complete interworking.
+
+ Suppose a user on host A uses Telnet to log into a server
+ host B, and then execute B's User Telnet program to log
+ into server host C. It is desirable for the Server/User
+ Telnet combination on B to be as transparent as possible,
+ i.e., to appear as if A were connected directly to C. In
+ particular, correct implementation will make B transparent
+ to Telnet end-of-line sequences, except that CR LF may be
+ translated to CR NUL or vice versa.
+
+ IMPLEMENTATION:
+ To understand Telnet end-of-line issues, one must have at
+ least a general model of the relationship of Telnet to the
+ local operating system. The Server Telnet process is
+ typically coupled into the terminal driver software of the
+ operating system as a pseudo-terminal. A Telnet end-of-
+ line sequence received by the Server Telnet must have the
+ same effect as pressing the end-of-line key on a real
+ locally-connected terminal.
+
+ Operating systems that support interactive character-at-
+ a-time applications (e.g., editors) typically have two
+ internal modes for their terminal I/O: a formatted mode,
+ in which local conventions for end-of-line and other
+
+
+
+Internet Engineering Task Force [Page 22]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ formatting rules have been applied to the data stream, and
+ a "raw" mode, in which the application has direct access
+ to every character as it was entered. A Server Telnet
+ must be implemented in such a way that these modes have
+ the same effect for remote as for local terminals. For
+ example, suppose a CR LF or CR NUL is received by the
+ Server Telnet on an ASCII host. In raw mode, a CR
+ character is passed to the application; in formatted mode,
+ the local system's end-of-line convention is used.
+
+ 3.3.2 Data Entry Terminals
+
+ DISCUSSION:
+ In addition to the line-oriented and character-oriented
+ ASCII terminals for which Telnet was designed, there are
+ several families of video display terminals that are
+ sometimes known as "data entry terminals" or DETs. The
+ IBM 3270 family is a well-known example.
+
+ Two Internet protocols have been designed to support
+ generic DETs: SUPDUP [TELNET:16, TELNET:17], and the DET
+ option [TELNET:18, TELNET:19]. The DET option drives a
+ data entry terminal over a Telnet connection using (sub-)
+ negotiation. SUPDUP is a completely separate terminal
+ protocol, which can be entered from Telnet by negotiation.
+ Although both SUPDUP and the DET option have been used
+ successfully in particular environments, neither has
+ gained general acceptance or wide implementation.
+
+ A different approach to DET interaction has been developed
+ for supporting the IBM 3270 family through Telnet,
+ although the same approach would be applicable to any DET.
+ The idea is to enter a "native DET" mode, in which the
+ native DET input/output stream is sent as binary data.
+ The Telnet EOR command is used to delimit logical records
+ (e.g., "screens") within this binary stream.
+
+ IMPLEMENTATION:
+ The rules for entering and leaving native DET mode are as
+ follows:
+
+ o The Server uses the Terminal-Type option [TELNET:10]
+ to learn that the client is a DET.
+
+ o It is conventional, but not required, that both ends
+ negotiate the EOR option [TELNET:9].
+
+ o Both ends negotiate the Binary option [TELNET:3] to
+
+
+
+Internet Engineering Task Force [Page 23]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ enter native DET mode.
+
+ o When either end negotiates out of binary mode, the
+ other end does too, and the mode then reverts to
+ normal NVT.
+
+
+ 3.3.3 Option Requirements
+
+ Every Telnet implementation MUST support the Binary option
+ [TELNET:3] and the Suppress Go Ahead option [TELNET:5], and
+ SHOULD support the Echo [TELNET:4], Status [TELNET:6], End-of-
+ Record [TELNET:9], and Extended Options List [TELNET:8]
+ options.
+
+ A User or Server Telnet SHOULD support the Window Size Option
+ [TELNET:12] if the local operating system provides the
+ corresponding capability.
+
+ DISCUSSION:
+ Note that the End-of-Record option only signifies that a
+ Telnet can receive a Telnet EOR without crashing;
+ therefore, every Telnet ought to be willing to accept
+ negotiation of the End-of-Record option. See also the
+ discussion in Section 3.2.3.
+
+ 3.3.4 Option Initiation
+
+ When the Telnet protocol is used in a client/server situation,
+ the server SHOULD initiate negotiation of the terminal
+ interaction mode it expects.
+
+ DISCUSSION:
+ The Telnet protocol was defined to be perfectly
+ symmetrical, but its application is generally asymmetric.
+ Remote login has been known to fail because NEITHER side
+ initiated negotiation of the required non-default terminal
+ modes. It is generally the server that determines the
+ preferred mode, so the server needs to initiate the
+ negotiation; since the negotiation is symmetric, the user
+ can also initiate it.
+
+ A client (User Telnet) SHOULD provide a means for users to
+ enable and disable the initiation of option negotiation.
+
+ DISCUSSION:
+ A user sometimes needs to connect to an application
+ service (e.g., FTP or SMTP) that uses Telnet for its
+
+
+
+Internet Engineering Task Force [Page 24]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ control stream but does not support Telnet options. User
+ Telnet may be used for this purpose if initiation of
+ option negotiation is disabled.
+
+ 3.3.5 Telnet Linemode Option
+
+ DISCUSSION:
+ An important new Telnet option, LINEMODE [TELNET:12], has
+ been proposed. The LINEMODE option provides a standard
+ way for a User Telnet and a Server Telnet to agree that
+ the client rather than the server will perform terminal
+ character processing. When the client has prepared a
+ complete line of text, it will send it to the server in
+ (usually) one TCP packet. This option will greatly
+ decrease the packet cost of Telnet sessions and will also
+ give much better user response over congested or long-
+ delay networks.
+
+ The LINEMODE option allows dynamic switching between local
+ and remote character processing. For example, the Telnet
+ connection will automatically negotiate into single-
+ character mode while a full screen editor is running, and
+ then return to linemode when the editor is finished.
+
+ We expect that when this RFC is released, hosts should
+ implement the client side of this option, and may
+ implement the server side of this option. To properly
+ implement the server side, the server needs to be able to
+ tell the local system not to do any input character
+ processing, but to remember its current terminal state and
+ notify the Server Telnet process whenever the state
+ changes. This will allow password echoing and full screen
+ editors to be handled properly, for example.
+
+ 3.4 TELNET/USER INTERFACE
+
+ 3.4.1 Character Set Transparency
+
+ User Telnet implementations SHOULD be able to send or receive
+ any 7-bit ASCII character. Where possible, any special
+ character interpretations by the user host's operating system
+ SHOULD be bypassed so that these characters can conveniently be
+ sent and received on the connection.
+
+ Some character value MUST be reserved as "escape to command
+ mode"; conventionally, doubling this character allows it to be
+ entered as data. The specific character used SHOULD be user
+ selectable.
+
+
+
+Internet Engineering Task Force [Page 25]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ On binary-mode connections, a User Telnet program MAY provide
+ an escape mechanism for entering arbitrary 8-bit values, if the
+ host operating system doesn't allow them to be entered directly
+ from the keyboard.
+
+ IMPLEMENTATION:
+ The transparency issues are less pressing on servers, but
+ implementors should take care in dealing with issues like:
+ masking off parity bits (sent by an older, non-conforming
+ client) before they reach programs that expect only NVT
+ ASCII, and properly handling programs that request 8-bit
+ data streams.
+
+ 3.4.2 Telnet Commands
+
+ A User Telnet program MUST provide a user the capability of
+ entering any of the Telnet control functions IP, AO, or AYT,
+ and SHOULD provide the capability of entering EC, EL, and
+ Break.
+
+ 3.4.3 TCP Connection Errors
+
+ A User Telnet program SHOULD report to the user any TCP errors
+ that are reported by the transport layer (see "TCP/Application
+ Layer Interface" section in [INTRO:1]).
+
+ 3.4.4 Non-Default Telnet Contact Port
+
+ A User Telnet program SHOULD allow the user to optionally
+ specify a non-standard contact port number at the Server Telnet
+ host.
+
+ 3.4.5 Flushing Output
+
+ A User Telnet program SHOULD provide the user the ability to
+ specify whether or not output should be flushed when an IP is
+ sent; see Section 3.2.4.
+
+ For any output flushing scheme that causes the User Telnet to
+ flush output locally until a Telnet signal is received from the
+ Server, there SHOULD be a way for the user to manually restore
+ normal output, in case the Server fails to send the expected
+ signal.
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 26]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ 3.5. TELNET REQUIREMENTS SUMMARY
+
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------------|--------|-|-|-|-|-|--
+ | | | | | | |
+Option Negotiation |3.2.1 |x| | | | |
+ Avoid negotiation loops |3.2.1 |x| | | | |
+ Refuse unsupported options |3.2.1 |x| | | | |
+ Negotiation OK anytime on connection |3.2.1 | |x| | | |
+ Default to NVT |3.2.1 |x| | | | |
+ Send official name in Term-Type option |3.2.8 |x| | | | |
+ Accept any name in Term-Type option |3.2.8 |x| | | | |
+ Implement Binary, Suppress-GA options |3.3.3 |x| | | | |
+ Echo, Status, EOL, Ext-Opt-List options |3.3.3 | |x| | | |
+ Implement Window-Size option if appropriate |3.3.3 | |x| | | |
+ Server initiate mode negotiations |3.3.4 | |x| | | |
+ User can enable/disable init negotiations |3.3.4 | |x| | | |
+ | | | | | | |
+Go-Aheads | | | | | | |
+ Non-GA server negotiate SUPPRESS-GA option |3.2.2 |x| | | | |
+ User or Server accept SUPPRESS-GA option |3.2.2 |x| | | | |
+ User Telnet ignore GA's |3.2.2 | | |x| | |
+ | | | | | | |
+Control Functions | | | | | | |
+ Support SE NOP DM IP AO AYT SB |3.2.3 |x| | | | |
+ Support EOR EC EL Break |3.2.3 | | |x| | |
+ Ignore unsupported control functions |3.2.3 |x| | | | |
+ User, Server discard urgent data up to DM |3.2.4 |x| | | | |
+ User Telnet send "Synch" after IP, AO, AYT |3.2.4 | |x| | | |
+ Server Telnet reply Synch to IP |3.2.4 | | |x| | |
+ Server Telnet reply Synch to AO |3.2.4 |x| | | | |
+ User Telnet can flush output when send IP |3.2.4 | |x| | | |
+ | | | | | | |
+Encoding | | | | | | |
+ Send high-order bit in NVT mode |3.2.5 | | | |x| |
+ Send high-order bit as parity bit |3.2.5 | | | | |x|
+ Negot. BINARY if pass high-ord. bit to applic |3.2.5 | |x| | | |
+ Always double IAC data byte |3.2.6 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 27]
+
+
+
+
+RFC1123 REMOTE LOGIN -- TELNET October 1989
+
+
+ Double IAC data byte in binary mode |3.2.7 |x| | | | |
+ Obey Telnet cmds in binary mode |3.2.7 |x| | | | |
+ End-of-line, CR NUL in binary mode |3.2.7 | | | | |x|
+ | | | | | | |
+End-of-Line | | | | | | |
+ EOL at Server same as local end-of-line |3.3.1 |x| | | | |
+ ASCII Server accept CR LF or CR NUL for EOL |3.3.1 |x| | | | |
+ User Telnet able to send CR LF, CR NUL, or LF |3.3.1 |x| | | | |
+ ASCII user able to select CR LF/CR NUL |3.3.1 | |x| | | |
+ User Telnet default mode is CR LF |3.3.1 | |x| | | |
+ Non-interactive uses CR LF for EOL |3.3.1 |x| | | | |
+ | | | | | | |
+User Telnet interface | | | | | | |
+ Input & output all 7-bit characters |3.4.1 | |x| | | |
+ Bypass local op sys interpretation |3.4.1 | |x| | | |
+ Escape character |3.4.1 |x| | | | |
+ User-settable escape character |3.4.1 | |x| | | |
+ Escape to enter 8-bit values |3.4.1 | | |x| | |
+ Can input IP, AO, AYT |3.4.2 |x| | | | |
+ Can input EC, EL, Break |3.4.2 | |x| | | |
+ Report TCP connection errors to user |3.4.3 | |x| | | |
+ Optional non-default contact port |3.4.4 | |x| | | |
+ Can spec: output flushed when IP sent |3.4.5 | |x| | | |
+ Can manually restore output mode |3.4.5 | |x| | | |
+ | | | | | | |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 28]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+4. FILE TRANSFER
+
+ 4.1 FILE TRANSFER PROTOCOL -- FTP
+
+ 4.1.1 INTRODUCTION
+
+ The File Transfer Protocol FTP is the primary Internet standard
+ for file transfer. The current specification is contained in
+ RFC-959 [FTP:1].
+
+ FTP uses separate simultaneous TCP connections for control and
+ for data transfer. The FTP protocol includes many features,
+ some of which are not commonly implemented. However, for every
+ feature in FTP, there exists at least one implementation. The
+ minimum implementation defined in RFC-959 was too small, so a
+ somewhat larger minimum implementation is defined here.
+
+ Internet users have been unnecessarily burdened for years by
+ deficient FTP implementations. Protocol implementors have
+ suffered from the erroneous opinion that implementing FTP ought
+ to be a small and trivial task. This is wrong, because FTP has
+ a user interface, because it has to deal (correctly) with the
+ whole variety of communication and operating system errors that
+ may occur, and because it has to handle the great diversity of
+ real file systems in the world.
+
+ 4.1.2. PROTOCOL WALK-THROUGH
+
+ 4.1.2.1 LOCAL Type: RFC-959 Section 3.1.1.4
+
+ An FTP program MUST support TYPE I ("IMAGE" or binary type)
+ as well as TYPE L 8 ("LOCAL" type with logical byte size 8).
+ A machine whose memory is organized into m-bit words, where
+ m is not a multiple of 8, MAY also support TYPE L m.
+
+ DISCUSSION:
+ The command "TYPE L 8" is often required to transfer
+ binary data between a machine whose memory is organized
+ into (e.g.) 36-bit words and a machine with an 8-bit
+ byte organization. For an 8-bit byte machine, TYPE L 8
+ is equivalent to IMAGE.
+
+ "TYPE L m" is sometimes specified to the FTP programs
+ on two m-bit word machines to ensure the correct
+ transfer of a native-mode binary file from one machine
+ to the other. However, this command should have the
+ same effect on these machines as "TYPE I".
+
+
+
+
+Internet Engineering Task Force [Page 29]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ 4.1.2.2 Telnet Format Control: RFC-959 Section 3.1.1.5.2
+
+ A host that makes no distinction between TYPE N and TYPE T
+ SHOULD implement TYPE T to be identical to TYPE N.
+
+ DISCUSSION:
+ This provision should ease interoperation with hosts
+ that do make this distinction.
+
+ Many hosts represent text files internally as strings
+ of ASCII characters, using the embedded ASCII format
+ effector characters (LF, BS, FF, ...) to control the
+ format when a file is printed. For such hosts, there
+ is no distinction between "print" files and other
+ files. However, systems that use record structured
+ files typically need a special format for printable
+ files (e.g., ASA carriage control). For the latter
+ hosts, FTP allows a choice of TYPE N or TYPE T.
+
+ 4.1.2.3 Page Structure: RFC-959 Section 3.1.2.3 and Appendix I
+
+ Implementation of page structure is NOT RECOMMENDED in
+ general. However, if a host system does need to implement
+ FTP for "random access" or "holey" files, it MUST use the
+ defined page structure format rather than define a new
+ private FTP format.
+
+ 4.1.2.4 Data Structure Transformations: RFC-959 Section 3.1.2
+
+ An FTP transformation between record-structure and file-
+ structure SHOULD be invertible, to the extent possible while
+ making the result useful on the target host.
+
+ DISCUSSION:
+ RFC-959 required strict invertibility between record-
+ structure and file-structure, but in practice,
+ efficiency and convenience often preclude it.
+ Therefore, the requirement is being relaxed. There are
+ two different objectives for transferring a file:
+ processing it on the target host, or just storage. For
+ storage, strict invertibility is important. For
+ processing, the file created on the target host needs
+ to be in the format expected by application programs on
+ that host.
+
+ As an example of the conflict, imagine a record-
+ oriented operating system that requires some data files
+ to have exactly 80 bytes in each record. While STORing
+
+
+
+Internet Engineering Task Force [Page 30]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ a file on such a host, an FTP Server must be able to
+ pad each line or record to 80 bytes; a later retrieval
+ of such a file cannot be strictly invertible.
+
+ 4.1.2.5 Data Connection Management: RFC-959 Section 3.3
+
+ A User-FTP that uses STREAM mode SHOULD send a PORT command
+ to assign a non-default data port before each transfer
+ command is issued.
+
+ DISCUSSION:
+ This is required because of the long delay after a TCP
+ connection is closed until its socket pair can be
+ reused, to allow multiple transfers during a single FTP
+ session. Sending a port command can avoided if a
+ transfer mode other than stream is used, by leaving the
+ data transfer connection open between transfers.
+
+ 4.1.2.6 PASV Command: RFC-959 Section 4.1.2
+
+ A server-FTP MUST implement the PASV command.
+
+ If multiple third-party transfers are to be executed during
+ the same session, a new PASV command MUST be issued before
+ each transfer command, to obtain a unique port pair.
+
+ IMPLEMENTATION:
+ The format of the 227 reply to a PASV command is not
+ well standardized. In particular, an FTP client cannot
+ assume that the parentheses shown on page 40 of RFC-959
+ will be present (and in fact, Figure 3 on page 43 omits
+ them). Therefore, a User-FTP program that interprets
+ the PASV reply must scan the reply for the first digit
+ of the host and port numbers.
+
+ Note that the host number h1,h2,h3,h4 is the IP address
+ of the server host that is sending the reply, and that
+ p1,p2 is a non-default data transfer port that PASV has
+ assigned.
+
+ 4.1.2.7 LIST and NLST Commands: RFC-959 Section 4.1.3
+
+ The data returned by an NLST command MUST contain only a
+ simple list of legal pathnames, such that the server can use
+ them directly as the arguments of subsequent data transfer
+ commands for the individual files.
+
+ The data returned by a LIST or NLST command SHOULD use an
+
+
+
+Internet Engineering Task Force [Page 31]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ implied TYPE AN, unless the current type is EBCDIC, in which
+ case an implied TYPE EN SHOULD be used.
+
+ DISCUSSION:
+ Many FTP clients support macro-commands that will get
+ or put files matching a wildcard specification, using
+ NLST to obtain a list of pathnames. The expansion of
+ "multiple-put" is local to the client, but "multiple-
+ get" requires cooperation by the server.
+
+ The implied type for LIST and NLST is designed to
+ provide compatibility with existing User-FTPs, and in
+ particular with multiple-get commands.
+
+ 4.1.2.8 SITE Command: RFC-959 Section 4.1.3
+
+ A Server-FTP SHOULD use the SITE command for non-standard
+ features, rather than invent new private commands or
+ unstandardized extensions to existing commands.
+
+ 4.1.2.9 STOU Command: RFC-959 Section 4.1.3
+
+ The STOU command stores into a uniquely named file. When it
+ receives an STOU command, a Server-FTP MUST return the
+ actual file name in the "125 Transfer Starting" or the "150
+ Opening Data Connection" message that precedes the transfer
+ (the 250 reply code mentioned in RFC-959 is incorrect). The
+ exact format of these messages is hereby defined to be as
+ follows:
+
+ 125 FILE: pppp
+ 150 FILE: pppp
+
+ where pppp represents the unique pathname of the file that
+ will be written.
+
+ 4.1.2.10 Telnet End-of-line Code: RFC-959, Page 34
+
+ Implementors MUST NOT assume any correspondence between READ
+ boundaries on the control connection and the Telnet EOL
+ sequences (CR LF).
+
+ DISCUSSION:
+ Thus, a server-FTP (or User-FTP) must continue reading
+ characters from the control connection until a complete
+ Telnet EOL sequence is encountered, before processing
+ the command (or response, respectively). Conversely, a
+ single READ from the control connection may include
+
+
+
+Internet Engineering Task Force [Page 32]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ more than one FTP command.
+
+ 4.1.2.11 FTP Replies: RFC-959 Section 4.2, Page 35
+
+ A Server-FTP MUST send only correctly formatted replies on
+ the control connection. Note that RFC-959 (unlike earlier
+ versions of the FTP spec) contains no provision for a
+ "spontaneous" reply message.
+
+ A Server-FTP SHOULD use the reply codes defined in RFC-959
+ whenever they apply. However, a server-FTP MAY use a
+ different reply code when needed, as long as the general
+ rules of Section 4.2 are followed. When the implementor has
+ a choice between a 4xx and 5xx reply code, a Server-FTP
+ SHOULD send a 4xx (temporary failure) code when there is any
+ reasonable possibility that a failed FTP will succeed a few
+ hours later.
+
+ A User-FTP SHOULD generally use only the highest-order digit
+ of a 3-digit reply code for making a procedural decision, to
+ prevent difficulties when a Server-FTP uses non-standard
+ reply codes.
+
+ A User-FTP MUST be able to handle multi-line replies. If
+ the implementation imposes a limit on the number of lines
+ and if this limit is exceeded, the User-FTP MUST recover,
+ e.g., by ignoring the excess lines until the end of the
+ multi-line reply is reached.
+
+ A User-FTP SHOULD NOT interpret a 421 reply code ("Service
+ not available, closing control connection") specially, but
+ SHOULD detect closing of the control connection by the
+ server.
+
+ DISCUSSION:
+ Server implementations that fail to strictly follow the
+ reply rules often cause FTP user programs to hang.
+ Note that RFC-959 resolved ambiguities in the reply
+ rules found in earlier FTP specifications and must be
+ followed.
+
+ It is important to choose FTP reply codes that properly
+ distinguish between temporary and permanent failures,
+ to allow the successful use of file transfer client
+ daemons. These programs depend on the reply codes to
+ decide whether or not to retry a failed transfer; using
+ a permanent failure code (5xx) for a temporary error
+ will cause these programs to give up unnecessarily.
+
+
+
+Internet Engineering Task Force [Page 33]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ When the meaning of a reply matches exactly the text
+ shown in RFC-959, uniformity will be enhanced by using
+ the RFC-959 text verbatim. However, a Server-FTP
+ implementor is encouraged to choose reply text that
+ conveys specific system-dependent information, when
+ appropriate.
+
+ 4.1.2.12 Connections: RFC-959 Section 5.2
+
+ The words "and the port used" in the second paragraph of
+ this section of RFC-959 are erroneous (historical), and they
+ should be ignored.
+
+ On a multihomed server host, the default data transfer port
+ (L-1) MUST be associated with the same local IP address as
+ the corresponding control connection to port L.
+
+ A user-FTP MUST NOT send any Telnet controls other than
+ SYNCH and IP on an FTP control connection. In particular, it
+ MUST NOT attempt to negotiate Telnet options on the control
+ connection. However, a server-FTP MUST be capable of
+ accepting and refusing Telnet negotiations (i.e., sending
+ DONT/WONT).
+
+ DISCUSSION:
+ Although the RFC says: "Server- and User- processes
+ should follow the conventions for the Telnet
+ protocol...[on the control connection]", it is not the
+ intent that Telnet option negotiation is to be
+ employed.
+
+ 4.1.2.13 Minimum Implementation; RFC-959 Section 5.1
+
+ The following commands and options MUST be supported by
+ every server-FTP and user-FTP, except in cases where the
+ underlying file system or operating system does not allow or
+ support a particular command.
+
+ Type: ASCII Non-print, IMAGE, LOCAL 8
+ Mode: Stream
+ Structure: File, Record*
+ Commands:
+ USER, PASS, ACCT,
+ PORT, PASV,
+ TYPE, MODE, STRU,
+ RETR, STOR, APPE,
+ RNFR, RNTO, DELE,
+ CWD, CDUP, RMD, MKD, PWD,
+
+
+
+Internet Engineering Task Force [Page 34]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ LIST, NLST,
+ SYST, STAT,
+ HELP, NOOP, QUIT.
+
+ *Record structure is REQUIRED only for hosts whose file
+ systems support record structure.
+
+ DISCUSSION:
+ Vendors are encouraged to implement a larger subset of
+ the protocol. For example, there are important
+ robustness features in the protocol (e.g., Restart,
+ ABOR, block mode) that would be an aid to some Internet
+ users but are not widely implemented.
+
+ A host that does not have record structures in its file
+ system may still accept files with STRU R, recording
+ the byte stream literally.
+
+ 4.1.3 SPECIFIC ISSUES
+
+ 4.1.3.1 Non-standard Command Verbs
+
+ FTP allows "experimental" commands, whose names begin with
+ "X". If these commands are subsequently adopted as
+ standards, there may still be existing implementations using
+ the "X" form. At present, this is true for the directory
+ commands:
+
+ RFC-959 "Experimental"
+
+ MKD XMKD
+ RMD XRMD
+ PWD XPWD
+ CDUP XCUP
+ CWD XCWD
+
+ All FTP implementations SHOULD recognize both forms of these
+ commands, by simply equating them with extra entries in the
+ command lookup table.
+
+ IMPLEMENTATION:
+ A User-FTP can access a server that supports only the
+ "X" forms by implementing a mode switch, or
+ automatically using the following procedure: if the
+ RFC-959 form of one of the above commands is rejected
+ with a 500 or 502 response code, then try the
+ experimental form; any other response would be passed
+ to the user.
+
+
+
+Internet Engineering Task Force [Page 35]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ 4.1.3.2 Idle Timeout
+
+ A Server-FTP process SHOULD have an idle timeout, which will
+ terminate the process and close the control connection if
+ the server is inactive (i.e., no command or data transfer in
+ progress) for a long period of time. The idle timeout time
+ SHOULD be configurable, and the default should be at least 5
+ minutes.
+
+ A client FTP process ("User-PI" in RFC-959) will need
+ timeouts on responses only if it is invoked from a program.
+
+ DISCUSSION:
+ Without a timeout, a Server-FTP process may be left
+ pending indefinitely if the corresponding client
+ crashes without closing the control connection.
+
+ 4.1.3.3 Concurrency of Data and Control
+
+ DISCUSSION:
+ The intent of the designers of FTP was that a user
+ should be able to send a STAT command at any time while
+ data transfer was in progress and that the server-FTP
+ would reply immediately with status -- e.g., the number
+ of bytes transferred so far. Similarly, an ABOR
+ command should be possible at any time during a data
+ transfer.
+
+ Unfortunately, some small-machine operating systems
+ make such concurrent programming difficult, and some
+ other implementers seek minimal solutions, so some FTP
+ implementations do not allow concurrent use of the data
+ and control connections. Even such a minimal server
+ must be prepared to accept and defer a STAT or ABOR
+ command that arrives during data transfer.
+
+ 4.1.3.4 FTP Restart Mechanism
+
+ The description of the 110 reply on pp. 40-41 of RFC-959 is
+ incorrect; the correct description is as follows. A restart
+ reply message, sent over the control connection from the
+ receiving FTP to the User-FTP, has the format:
+
+ 110 MARK ssss = rrrr
+
+ Here:
+
+ * ssss is a text string that appeared in a Restart Marker
+
+
+
+Internet Engineering Task Force [Page 36]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ in the data stream and encodes a position in the
+ sender's file system;
+
+ * rrrr encodes the corresponding position in the
+ receiver's file system.
+
+ The encoding, which is specific to a particular file system
+ and network implementation, is always generated and
+ interpreted by the same system, either sender or receiver.
+
+ When an FTP that implements restart receives a Restart
+ Marker in the data stream, it SHOULD force the data to that
+ point to be written to stable storage before encoding the
+ corresponding position rrrr. An FTP sending Restart Markers
+ MUST NOT assume that 110 replies will be returned
+ synchronously with the data, i.e., it must not await a 110
+ reply before sending more data.
+
+ Two new reply codes are hereby defined for errors
+ encountered in restarting a transfer:
+
+ 554 Requested action not taken: invalid REST parameter.
+
+ A 554 reply may result from a FTP service command that
+ follows a REST command. The reply indicates that the
+ existing file at the Server-FTP cannot be repositioned
+ as specified in the REST.
+
+ 555 Requested action not taken: type or stru mismatch.
+
+ A 555 reply may result from an APPE command or from any
+ FTP service command following a REST command. The
+ reply indicates that there is some mismatch between the
+ current transfer parameters (type and stru) and the
+ attributes of the existing file.
+
+ DISCUSSION:
+ Note that the FTP Restart mechanism requires that Block
+ or Compressed mode be used for data transfer, to allow
+ the Restart Markers to be included within the data
+ stream. The frequency of Restart Markers can be low.
+
+ Restart Markers mark a place in the data stream, but
+ the receiver may be performing some transformation on
+ the data as it is stored into stable storage. In
+ general, the receiver's encoding must include any state
+ information necessary to restart this transformation at
+ any point of the FTP data stream. For example, in TYPE
+
+
+
+Internet Engineering Task Force [Page 37]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ A transfers, some receiver hosts transform CR LF
+ sequences into a single LF character on disk. If a
+ Restart Marker happens to fall between CR and LF, the
+ receiver must encode in rrrr that the transfer must be
+ restarted in a "CR has been seen and discarded" state.
+
+ Note that the Restart Marker is required to be encoded
+ as a string of printable ASCII characters, regardless
+ of the type of the data.
+
+ RFC-959 says that restart information is to be returned
+ "to the user". This should not be taken literally. In
+ general, the User-FTP should save the restart
+ information (ssss,rrrr) in stable storage, e.g., append
+ it to a restart control file. An empty restart control
+ file should be created when the transfer first starts
+ and deleted automatically when the transfer completes
+ successfully. It is suggested that this file have a
+ name derived in an easily-identifiable manner from the
+ name of the file being transferred and the remote host
+ name; this is analogous to the means used by many text
+ editors for naming "backup" files.
+
+ There are three cases for FTP restart.
+
+ (1) User-to-Server Transfer
+
+ The User-FTP puts Restart Markers <ssss> at
+ convenient places in the data stream. When the
+ Server-FTP receives a Marker, it writes all prior
+ data to disk, encodes its file system position and
+ transformation state as rrrr, and returns a "110
+ MARK ssss = rrrr" reply over the control
+ connection. The User-FTP appends the pair
+ (ssss,rrrr) to its restart control file.
+
+ To restart the transfer, the User-FTP fetches the
+ last (ssss,rrrr) pair from the restart control
+ file, repositions its local file system and
+ transformation state using ssss, and sends the
+ command "REST rrrr" to the Server-FTP.
+
+ (2) Server-to-User Transfer
+
+ The Server-FTP puts Restart Markers <ssss> at
+ convenient places in the data stream. When the
+ User-FTP receives a Marker, it writes all prior
+ data to disk, encodes its file system position and
+
+
+
+Internet Engineering Task Force [Page 38]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ transformation state as rrrr, and appends the pair
+ (rrrr,ssss) to its restart control file.
+
+ To restart the transfer, the User-FTP fetches the
+ last (rrrr,ssss) pair from the restart control
+ file, repositions its local file system and
+ transformation state using rrrr, and sends the
+ command "REST ssss" to the Server-FTP.
+
+ (3) Server-to-Server ("Third-Party") Transfer
+
+ The sending Server-FTP puts Restart Markers <ssss>
+ at convenient places in the data stream. When it
+ receives a Marker, the receiving Server-FTP writes
+ all prior data to disk, encodes its file system
+ position and transformation state as rrrr, and
+ sends a "110 MARK ssss = rrrr" reply over the
+ control connection to the User. The User-FTP
+ appends the pair (ssss,rrrr) to its restart
+ control file.
+
+ To restart the transfer, the User-FTP fetches the
+ last (ssss,rrrr) pair from the restart control
+ file, sends "REST ssss" to the sending Server-FTP,
+ and sends "REST rrrr" to the receiving Server-FTP.
+
+
+ 4.1.4 FTP/USER INTERFACE
+
+ This section discusses the user interface for a User-FTP
+ program.
+
+ 4.1.4.1 Pathname Specification
+
+ Since FTP is intended for use in a heterogeneous
+ environment, User-FTP implementations MUST support remote
+ pathnames as arbitrary character strings, so that their form
+ and content are not limited by the conventions of the local
+ operating system.
+
+ DISCUSSION:
+ In particular, remote pathnames can be of arbitrary
+ length, and all the printing ASCII characters as well
+ as space (0x20) must be allowed. RFC-959 allows a
+ pathname to contain any 7-bit ASCII character except CR
+ or LF.
+
+
+
+
+
+Internet Engineering Task Force [Page 39]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ 4.1.4.2 "QUOTE" Command
+
+ A User-FTP program MUST implement a "QUOTE" command that
+ will pass an arbitrary character string to the server and
+ display all resulting response messages to the user.
+
+ To make the "QUOTE" command useful, a User-FTP SHOULD send
+ transfer control commands to the server as the user enters
+ them, rather than saving all the commands and sending them
+ to the server only when a data transfer is started.
+
+ DISCUSSION:
+ The "QUOTE" command is essential to allow the user to
+ access servers that require system-specific commands
+ (e.g., SITE or ALLO), or to invoke new or optional
+ features that are not implemented by the User-FTP. For
+ example, "QUOTE" may be used to specify "TYPE A T" to
+ send a print file to hosts that require the
+ distinction, even if the User-FTP does not recognize
+ that TYPE.
+
+ 4.1.4.3 Displaying Replies to User
+
+ A User-FTP SHOULD display to the user the full text of all
+ error reply messages it receives. It SHOULD have a
+ "verbose" mode in which all commands it sends and the full
+ text and reply codes it receives are displayed, for
+ diagnosis of problems.
+
+ 4.1.4.4 Maintaining Synchronization
+
+ The state machine in a User-FTP SHOULD be forgiving of
+ missing and unexpected reply messages, in order to maintain
+ command synchronization with the server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 40]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ 4.1.5 FTP REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------|---------------|-|-|-|-|-|--
+Implement TYPE T if same as TYPE N |4.1.2.2 | |x| | | |
+File/Record transform invertible if poss. |4.1.2.4 | |x| | | |
+User-FTP send PORT cmd for stream mode |4.1.2.5 | |x| | | |
+Server-FTP implement PASV |4.1.2.6 |x| | | | |
+ PASV is per-transfer |4.1.2.6 |x| | | | |
+NLST reply usable in RETR cmds |4.1.2.7 |x| | | | |
+Implied type for LIST and NLST |4.1.2.7 | |x| | | |
+SITE cmd for non-standard features |4.1.2.8 | |x| | | |
+STOU cmd return pathname as specified |4.1.2.9 |x| | | | |
+Use TCP READ boundaries on control conn. |4.1.2.10 | | | | |x|
+ | | | | | | |
+Server-FTP send only correct reply format |4.1.2.11 |x| | | | |
+Server-FTP use defined reply code if poss. |4.1.2.11 | |x| | | |
+ New reply code following Section 4.2 |4.1.2.11 | | |x| | |
+User-FTP use only high digit of reply |4.1.2.11 | |x| | | |
+User-FTP handle multi-line reply lines |4.1.2.11 |x| | | | |
+User-FTP handle 421 reply specially |4.1.2.11 | | | |x| |
+ | | | | | | |
+Default data port same IP addr as ctl conn |4.1.2.12 |x| | | | |
+User-FTP send Telnet cmds exc. SYNCH, IP |4.1.2.12 | | | | |x|
+User-FTP negotiate Telnet options |4.1.2.12 | | | | |x|
+Server-FTP handle Telnet options |4.1.2.12 |x| | | | |
+Handle "Experimental" directory cmds |4.1.3.1 | |x| | | |
+Idle timeout in server-FTP |4.1.3.2 | |x| | | |
+ Configurable idle timeout |4.1.3.2 | |x| | | |
+Receiver checkpoint data at Restart Marker |4.1.3.4 | |x| | | |
+Sender assume 110 replies are synchronous |4.1.3.4 | | | | |x|
+ | | | | | | |
+Support TYPE: | | | | | | |
+ ASCII - Non-Print (AN) |4.1.2.13 |x| | | | |
+ ASCII - Telnet (AT) -- if same as AN |4.1.2.2 | |x| | | |
+ ASCII - Carriage Control (AC) |959 3.1.1.5.2 | | |x| | |
+ EBCDIC - (any form) |959 3.1.1.2 | | |x| | |
+ IMAGE |4.1.2.1 |x| | | | |
+ LOCAL 8 |4.1.2.1 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 41]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+ LOCAL m |4.1.2.1 | | |x| | |2
+ | | | | | | |
+Support MODE: | | | | | | |
+ Stream |4.1.2.13 |x| | | | |
+ Block |959 3.4.2 | | |x| | |
+ | | | | | | |
+Support STRUCTURE: | | | | | | |
+ File |4.1.2.13 |x| | | | |
+ Record |4.1.2.13 |x| | | | |3
+ Page |4.1.2.3 | | | |x| |
+ | | | | | | |
+Support commands: | | | | | | |
+ USER |4.1.2.13 |x| | | | |
+ PASS |4.1.2.13 |x| | | | |
+ ACCT |4.1.2.13 |x| | | | |
+ CWD |4.1.2.13 |x| | | | |
+ CDUP |4.1.2.13 |x| | | | |
+ SMNT |959 5.3.1 | | |x| | |
+ REIN |959 5.3.1 | | |x| | |
+ QUIT |4.1.2.13 |x| | | | |
+ | | | | | | |
+ PORT |4.1.2.13 |x| | | | |
+ PASV |4.1.2.6 |x| | | | |
+ TYPE |4.1.2.13 |x| | | | |1
+ STRU |4.1.2.13 |x| | | | |1
+ MODE |4.1.2.13 |x| | | | |1
+ | | | | | | |
+ RETR |4.1.2.13 |x| | | | |
+ STOR |4.1.2.13 |x| | | | |
+ STOU |959 5.3.1 | | |x| | |
+ APPE |4.1.2.13 |x| | | | |
+ ALLO |959 5.3.1 | | |x| | |
+ REST |959 5.3.1 | | |x| | |
+ RNFR |4.1.2.13 |x| | | | |
+ RNTO |4.1.2.13 |x| | | | |
+ ABOR |959 5.3.1 | | |x| | |
+ DELE |4.1.2.13 |x| | | | |
+ RMD |4.1.2.13 |x| | | | |
+ MKD |4.1.2.13 |x| | | | |
+ PWD |4.1.2.13 |x| | | | |
+ LIST |4.1.2.13 |x| | | | |
+ NLST |4.1.2.13 |x| | | | |
+ SITE |4.1.2.8 | | |x| | |
+ STAT |4.1.2.13 |x| | | | |
+ SYST |4.1.2.13 |x| | | | |
+ HELP |4.1.2.13 |x| | | | |
+ NOOP |4.1.2.13 |x| | | | |
+ | | | | | | |
+
+
+
+Internet Engineering Task Force [Page 42]
+
+
+
+
+RFC1123 FILE TRANSFER -- FTP October 1989
+
+
+User Interface: | | | | | | |
+ Arbitrary pathnames |4.1.4.1 |x| | | | |
+ Implement "QUOTE" command |4.1.4.2 |x| | | | |
+ Transfer control commands immediately |4.1.4.2 | |x| | | |
+ Display error messages to user |4.1.4.3 | |x| | | |
+ Verbose mode |4.1.4.3 | |x| | | |
+ Maintain synchronization with server |4.1.4.4 | |x| | | |
+
+Footnotes:
+
+(1) For the values shown earlier.
+
+(2) Here m is number of bits in a memory word.
+
+(3) Required for host with record-structured file system, optional
+ otherwise.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 43]
+
+
+
+
+RFC1123 FILE TRANSFER -- TFTP October 1989
+
+
+ 4.2 TRIVIAL FILE TRANSFER PROTOCOL -- TFTP
+
+ 4.2.1 INTRODUCTION
+
+ The Trivial File Transfer Protocol TFTP is defined in RFC-783
+ [TFTP:1].
+
+ TFTP provides its own reliable delivery with UDP as its
+ transport protocol, using a simple stop-and-wait acknowledgment
+ system. Since TFTP has an effective window of only one 512
+ octet segment, it can provide good performance only over paths
+ that have a small delay*bandwidth product. The TFTP file
+ interface is very simple, providing no access control or
+ security.
+
+ TFTP's most important application is bootstrapping a host over
+ a local network, since it is simple and small enough to be
+ easily implemented in EPROM [BOOT:1, BOOT:2]. Vendors are
+ urged to support TFTP for booting.
+
+ 4.2.2 PROTOCOL WALK-THROUGH
+
+ The TFTP specification [TFTP:1] is written in an open style,
+ and does not fully specify many parts of the protocol.
+
+ 4.2.2.1 Transfer Modes: RFC-783, Page 3
+
+ The transfer mode "mail" SHOULD NOT be supported.
+
+ 4.2.2.2 UDP Header: RFC-783, Page 17
+
+ The Length field of a UDP header is incorrectly defined; it
+ includes the UDP header length (8).
+
+ 4.2.3 SPECIFIC ISSUES
+
+ 4.2.3.1 Sorcerer's Apprentice Syndrome
+
+ There is a serious bug, known as the "Sorcerer's Apprentice
+ Syndrome," in the protocol specification. While it does not
+ cause incorrect operation of the transfer (the file will
+ always be transferred correctly if the transfer completes),
+ this bug may cause excessive retransmission, which may cause
+ the transfer to time out.
+
+ Implementations MUST contain the fix for this problem: the
+ sender (i.e., the side originating the DATA packets) must
+ never resend the current DATA packet on receipt of a
+
+
+
+Internet Engineering Task Force [Page 44]
+
+
+
+
+RFC1123 FILE TRANSFER -- TFTP October 1989
+
+
+ duplicate ACK.
+
+ DISCUSSION:
+ The bug is caused by the protocol rule that either
+ side, on receiving an old duplicate datagram, may
+ resend the current datagram. If a packet is delayed in
+ the network but later successfully delivered after
+ either side has timed out and retransmitted a packet, a
+ duplicate copy of the response may be generated. If
+ the other side responds to this duplicate with a
+ duplicate of its own, then every datagram will be sent
+ in duplicate for the remainder of the transfer (unless
+ a datagram is lost, breaking the repetition). Worse
+ yet, since the delay is often caused by congestion,
+ this duplicate transmission will usually causes more
+ congestion, leading to more delayed packets, etc.
+
+ The following example may help to clarify this problem.
+
+ TFTP A TFTP B
+
+ (1) Receive ACK X-1
+ Send DATA X
+ (2) Receive DATA X
+ Send ACK X
+ (ACK X is delayed in network,
+ and A times out):
+ (3) Retransmit DATA X
+
+ (4) Receive DATA X again
+ Send ACK X again
+ (5) Receive (delayed) ACK X
+ Send DATA X+1
+ (6) Receive DATA X+1
+ Send ACK X+1
+ (7) Receive ACK X again
+ Send DATA X+1 again
+ (8) Receive DATA X+1 again
+ Send ACK X+1 again
+ (9) Receive ACK X+1
+ Send DATA X+2
+ (10) Receive DATA X+2
+ Send ACK X+3
+ (11) Receive ACK X+1 again
+ Send DATA X+2 again
+ (12) Receive DATA X+2 again
+ Send ACK X+3 again
+
+
+
+
+Internet Engineering Task Force [Page 45]
+
+
+
+
+RFC1123 FILE TRANSFER -- TFTP October 1989
+
+
+ Notice that once the delayed ACK arrives, the protocol
+ settles down to duplicate all further packets
+ (sequences 5-8 and 9-12). The problem is caused not by
+ either side timing out, but by both sides
+ retransmitting the current packet when they receive a
+ duplicate.
+
+ The fix is to break the retransmission loop, as
+ indicated above. This is analogous to the behavior of
+ TCP. It is then possible to remove the retransmission
+ timer on the receiver, since the resent ACK will never
+ cause any action; this is a useful simplification where
+ TFTP is used in a bootstrap program. It is OK to allow
+ the timer to remain, and it may be helpful if the
+ retransmitted ACK replaces one that was genuinely lost
+ in the network. The sender still requires a retransmit
+ timer, of course.
+
+ 4.2.3.2 Timeout Algorithms
+
+ A TFTP implementation MUST use an adaptive timeout.
+
+ IMPLEMENTATION:
+ TCP retransmission algorithms provide a useful base to
+ work from. At least an exponential backoff of
+ retransmission timeout is necessary.
+
+ 4.2.3.3 Extensions
+
+ A variety of non-standard extensions have been made to TFTP,
+ including additional transfer modes and a secure operation
+ mode (with passwords). None of these have been
+ standardized.
+
+ 4.2.3.4 Access Control
+
+ A server TFTP implementation SHOULD include some
+ configurable access control over what pathnames are allowed
+ in TFTP operations.
+
+ 4.2.3.5 Broadcast Request
+
+ A TFTP request directed to a broadcast address SHOULD be
+ silently ignored.
+
+ DISCUSSION:
+ Due to the weak access control capability of TFTP,
+ directed broadcasts of TFTP requests to random networks
+
+
+
+Internet Engineering Task Force [Page 46]
+
+
+
+
+RFC1123 FILE TRANSFER -- TFTP October 1989
+
+
+ could create a significant security hole.
+
+ 4.2.4 TFTP REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-------------------------------------------------|--------|-|-|-|-|-|--
+Fix Sorcerer's Apprentice Syndrome |4.2.3.1 |x| | | | |
+Transfer modes: | | | | | | |
+ netascii |RFC-783 |x| | | | |
+ octet |RFC-783 |x| | | | |
+ mail |4.2.2.1 | | | |x| |
+ extensions |4.2.3.3 | | |x| | |
+Use adaptive timeout |4.2.3.2 |x| | | | |
+Configurable access control |4.2.3.4 | |x| | | |
+Silently ignore broadcast request |4.2.3.5 | |x| | | |
+-------------------------------------------------|--------|-|-|-|-|-|--
+-------------------------------------------------|--------|-|-|-|-|-|--
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 47]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+5. ELECTRONIC MAIL -- SMTP and RFC-822
+
+ 5.1 INTRODUCTION
+
+ In the TCP/IP protocol suite, electronic mail in a format
+ specified in RFC-822 [SMTP:2] is transmitted using the Simple Mail
+ Transfer Protocol (SMTP) defined in RFC-821 [SMTP:1].
+
+ While SMTP has remained unchanged over the years, the Internet
+ community has made several changes in the way SMTP is used. In
+ particular, the conversion to the Domain Name System (DNS) has
+ caused changes in address formats and in mail routing. In this
+ section, we assume familiarity with the concepts and terminology
+ of the DNS, whose requirements are given in Section 6.1.
+
+ RFC-822 specifies the Internet standard format for electronic mail
+ messages. RFC-822 supercedes an older standard, RFC-733, that may
+ still be in use in a few places, although it is obsolete. The two
+ formats are sometimes referred to simply by number ("822" and
+ "733").
+
+ RFC-822 is used in some non-Internet mail environments with
+ different mail transfer protocols than SMTP, and SMTP has also
+ been adapted for use in some non-Internet environments. Note that
+ this document presents the rules for the use of SMTP and RFC-822
+ for the Internet environment only; other mail environments that
+ use these protocols may be expected to have their own rules.
+
+ 5.2 PROTOCOL WALK-THROUGH
+
+ This section covers both RFC-821 and RFC-822.
+
+ The SMTP specification in RFC-821 is clear and contains numerous
+ examples, so implementors should not find it difficult to
+ understand. This section simply updates or annotates portions of
+ RFC-821 to conform with current usage.
+
+ RFC-822 is a long and dense document, defining a rich syntax.
+ Unfortunately, incomplete or defective implementations of RFC-822
+ are common. In fact, nearly all of the many formats of RFC-822
+ are actually used, so an implementation generally needs to
+ recognize and correctly interpret all of the RFC-822 syntax.
+
+ 5.2.1 The SMTP Model: RFC-821 Section 2
+
+ DISCUSSION:
+ Mail is sent by a series of request/response transactions
+ between a client, the "sender-SMTP," and a server, the
+
+
+
+Internet Engineering Task Force [Page 48]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ "receiver-SMTP". These transactions pass (1) the message
+ proper, which is composed of header and body, and (2) SMTP
+ source and destination addresses, referred to as the
+ "envelope".
+
+ The SMTP programs are analogous to Message Transfer Agents
+ (MTAs) of X.400. There will be another level of protocol
+ software, closer to the end user, that is responsible for
+ composing and analyzing RFC-822 message headers; this
+ component is known as the "User Agent" in X.400, and we
+ use that term in this document. There is a clear logical
+ distinction between the User Agent and the SMTP
+ implementation, since they operate on different levels of
+ protocol. Note, however, that this distinction is may not
+ be exactly reflected the structure of typical
+ implementations of Internet mail. Often there is a
+ program known as the "mailer" that implements SMTP and
+ also some of the User Agent functions; the rest of the
+ User Agent functions are included in a user interface used
+ for entering and reading mail.
+
+ The SMTP envelope is constructed at the originating site,
+ typically by the User Agent when the message is first
+ queued for the Sender-SMTP program. The envelope
+ addresses may be derived from information in the message
+ header, supplied by the user interface (e.g., to implement
+ a bcc: request), or derived from local configuration
+ information (e.g., expansion of a mailing list). The SMTP
+ envelope cannot in general be re-derived from the header
+ at a later stage in message delivery, so the envelope is
+ transmitted separately from the message itself using the
+ MAIL and RCPT commands of SMTP.
+
+ The text of RFC-821 suggests that mail is to be delivered
+ to an individual user at a host. With the advent of the
+ domain system and of mail routing using mail-exchange (MX)
+ resource records, implementors should now think of
+ delivering mail to a user at a domain, which may or may
+ not be a particular host. This DOES NOT change the fact
+ that SMTP is a host-to-host mail exchange protocol.
+
+ 5.2.2 Canonicalization: RFC-821 Section 3.1
+
+ The domain names that a Sender-SMTP sends in MAIL and RCPT
+ commands MUST have been "canonicalized," i.e., they must be
+ fully-qualified principal names or domain literals, not
+ nicknames or domain abbreviations. A canonicalized name either
+ identifies a host directly or is an MX name; it cannot be a
+
+
+
+Internet Engineering Task Force [Page 49]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ CNAME.
+
+ 5.2.3 VRFY and EXPN Commands: RFC-821 Section 3.3
+
+ A receiver-SMTP MUST implement VRFY and SHOULD implement EXPN
+ (this requirement overrides RFC-821). However, there MAY be
+ configuration information to disable VRFY and EXPN in a
+ particular installation; this might even allow EXPN to be
+ disabled for selected lists.
+
+ A new reply code is defined for the VRFY command:
+
+ 252 Cannot VRFY user (e.g., info is not local), but will
+ take message for this user and attempt delivery.
+
+ DISCUSSION:
+ SMTP users and administrators make regular use of these
+ commands for diagnosing mail delivery problems. With the
+ increasing use of multi-level mailing list expansion
+ (sometimes more than two levels), EXPN has been
+ increasingly important for diagnosing inadvertent mail
+ loops. On the other hand, some feel that EXPN represents
+ a significant privacy, and perhaps even a security,
+ exposure.
+
+ 5.2.4 SEND, SOML, and SAML Commands: RFC-821 Section 3.4
+
+ An SMTP MAY implement the commands to send a message to a
+ user's terminal: SEND, SOML, and SAML.
+
+ DISCUSSION:
+ It has been suggested that the use of mail relaying
+ through an MX record is inconsistent with the intent of
+ SEND to deliver a message immediately and directly to a
+ user's terminal. However, an SMTP receiver that is unable
+ to write directly to the user terminal can return a "251
+ User Not Local" reply to the RCPT following a SEND, to
+ inform the originator of possibly deferred delivery.
+
+ 5.2.5 HELO Command: RFC-821 Section 3.5
+
+ The sender-SMTP MUST ensure that the <domain> parameter in a
+ HELO command is a valid principal host domain name for the
+ client host. As a result, the receiver-SMTP will not have to
+ perform MX resolution on this name in order to validate the
+ HELO parameter.
+
+ The HELO receiver MAY verify that the HELO parameter really
+
+
+
+Internet Engineering Task Force [Page 50]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ corresponds to the IP address of the sender. However, the
+ receiver MUST NOT refuse to accept a message, even if the
+ sender's HELO command fails verification.
+
+ DISCUSSION:
+ Verifying the HELO parameter requires a domain name lookup
+ and may therefore take considerable time. An alternative
+ tool for tracking bogus mail sources is suggested below
+ (see "DATA Command").
+
+ Note also that the HELO argument is still required to have
+ valid <domain> syntax, since it will appear in a Received:
+ line; otherwise, a 501 error is to be sent.
+
+ IMPLEMENTATION:
+ When HELO parameter validation fails, a suggested
+ procedure is to insert a note about the unknown
+ authenticity of the sender into the message header (e.g.,
+ in the "Received:" line).
+
+ 5.2.6 Mail Relay: RFC-821 Section 3.6
+
+ We distinguish three types of mail (store-and-) forwarding:
+
+ (1) A simple forwarder or "mail exchanger" forwards a message
+ using private knowledge about the recipient; see section
+ 3.2 of RFC-821.
+
+ (2) An SMTP mail "relay" forwards a message within an SMTP
+ mail environment as the result of an explicit source route
+ (as defined in section 3.6 of RFC-821). The SMTP relay
+ function uses the "@...:" form of source route from RFC-
+ 822 (see Section 5.2.19 below).
+
+ (3) A mail "gateway" passes a message between different
+ environments. The rules for mail gateways are discussed
+ below in Section 5.3.7.
+
+ An Internet host that is forwarding a message but is not a
+ gateway to a different mail environment (i.e., it falls under
+ (1) or (2)) SHOULD NOT alter any existing header fields,
+ although the host will add an appropriate Received: line as
+ required in Section 5.2.8.
+
+ A Sender-SMTP SHOULD NOT send a RCPT TO: command containing an
+ explicit source route using the "@...:" address form. Thus,
+ the relay function defined in section 3.6 of RFC-821 should
+ not be used.
+
+
+
+Internet Engineering Task Force [Page 51]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ DISCUSSION:
+ The intent is to discourage all source routing and to
+ abolish explicit source routing for mail delivery within
+ the Internet environment. Source-routing is unnecessary;
+ the simple target address "user@domain" should always
+ suffice. This is the result of an explicit architectural
+ decision to use universal naming rather than source
+ routing for mail. Thus, SMTP provides end-to-end
+ connectivity, and the DNS provides globally-unique,
+ location-independent names. MX records handle the major
+ case where source routing might otherwise be needed.
+
+ A receiver-SMTP MUST accept the explicit source route syntax in
+ the envelope, but it MAY implement the relay function as
+ defined in section 3.6 of RFC-821. If it does not implement
+ the relay function, it SHOULD attempt to deliver the message
+ directly to the host to the right of the right-most "@" sign.
+
+ DISCUSSION:
+ For example, suppose a host that does not implement the
+ relay function receives a message with the SMTP command:
+ "RCPT TO:<@ALPHA,@BETA:joe@GAMMA>", where ALPHA, BETA, and
+ GAMMA represent domain names. Rather than immediately
+ refusing the message with a 550 error reply as suggested
+ on page 20 of RFC-821, the host should try to forward the
+ message to GAMMA directly, using: "RCPT TO:<joe@GAMMA>".
+ Since this host does not support relaying, it is not
+ required to update the reverse path.
+
+ Some have suggested that source routing may be needed
+ occasionally for manually routing mail around failures;
+ however, the reality and importance of this need is
+ controversial. The use of explicit SMTP mail relaying for
+ this purpose is discouraged, and in fact it may not be
+ successful, as many host systems do not support it. Some
+ have used the "%-hack" (see Section 5.2.16) for this
+ purpose.
+
+ 5.2.7 RCPT Command: RFC-821 Section 4.1.1
+
+ A host that supports a receiver-SMTP MUST support the reserved
+ mailbox "Postmaster".
+
+ The receiver-SMTP MAY verify RCPT parameters as they arrive;
+ however, RCPT responses MUST NOT be delayed beyond a reasonable
+ time (see Section 5.3.2).
+
+ Therefore, a "250 OK" response to a RCPT does not necessarily
+
+
+
+Internet Engineering Task Force [Page 52]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ imply that the delivery address(es) are valid. Errors found
+ after message acceptance will be reported by mailing a
+ notification message to an appropriate address (see Section
+ 5.3.3).
+
+ DISCUSSION:
+ The set of conditions under which a RCPT parameter can be
+ validated immediately is an engineering design choice.
+ Reporting destination mailbox errors to the Sender-SMTP
+ before mail is transferred is generally desirable to save
+ time and network bandwidth, but this advantage is lost if
+ RCPT verification is lengthy.
+
+ For example, the receiver can verify immediately any
+ simple local reference, such as a single locally-
+ registered mailbox. On the other hand, the "reasonable
+ time" limitation generally implies deferring verification
+ of a mailing list until after the message has been
+ transferred and accepted, since verifying a large mailing
+ list can take a very long time. An implementation might
+ or might not choose to defer validation of addresses that
+ are non-local and therefore require a DNS lookup. If a
+ DNS lookup is performed but a soft domain system error
+ (e.g., timeout) occurs, validity must be assumed.
+
+ 5.2.8 DATA Command: RFC-821 Section 4.1.1
+
+ Every receiver-SMTP (not just one that "accepts a message for
+ relaying or for final delivery" [SMTP:1]) MUST insert a
+ "Received:" line at the beginning of a message. In this line,
+ called a "time stamp line" in RFC-821:
+
+ * The FROM field SHOULD contain both (1) the name of the
+ source host as presented in the HELO command and (2) a
+ domain literal containing the IP address of the source,
+ determined from the TCP connection.
+
+ * The ID field MAY contain an "@" as suggested in RFC-822,
+ but this is not required.
+
+ * The FOR field MAY contain a list of <path> entries when
+ multiple RCPT commands have been given.
+
+
+ An Internet mail program MUST NOT change a Received: line that
+ was previously added to the message header.
+
+
+
+
+
+Internet Engineering Task Force [Page 53]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ DISCUSSION:
+ Including both the source host and the IP source address
+ in the Received: line may provide enough information for
+ tracking illicit mail sources and eliminate a need to
+ explicitly verify the HELO parameter.
+
+ Received: lines are primarily intended for humans tracing
+ mail routes, primarily of diagnosis of faults. See also
+ the discussion under 5.3.7.
+
+ When the receiver-SMTP makes "final delivery" of a message,
+ then it MUST pass the MAIL FROM: address from the SMTP envelope
+ with the message, for use if an error notification message must
+ be sent later (see Section 5.3.3). There is an analogous
+ requirement when gatewaying from the Internet into a different
+ mail environment; see Section 5.3.7.
+
+ DISCUSSION:
+ Note that the final reply to the DATA command depends only
+ upon the successful transfer and storage of the message.
+ Any problem with the destination address(es) must either
+ (1) have been reported in an SMTP error reply to the RCPT
+ command(s), or (2) be reported in a later error message
+ mailed to the originator.
+
+ IMPLEMENTATION:
+ The MAIL FROM: information may be passed as a parameter or
+ in a Return-Path: line inserted at the beginning of the
+ message.
+
+ 5.2.9 Command Syntax: RFC-821 Section 4.1.2
+
+ The syntax shown in RFC-821 for the MAIL FROM: command omits
+ the case of an empty path: "MAIL FROM: <>" (see RFC-821 Page
+ 15). An empty reverse path MUST be supported.
+
+ 5.2.10 SMTP Replies: RFC-821 Section 4.2
+
+ A receiver-SMTP SHOULD send only the reply codes listed in
+ section 4.2.2 of RFC-821 or in this document. A receiver-SMTP
+ SHOULD use the text shown in examples in RFC-821 whenever
+ appropriate.
+
+ A sender-SMTP MUST determine its actions only by the reply
+ code, not by the text (except for 251 and 551 replies); any
+ text, including no text at all, must be acceptable. The space
+ (blank) following the reply code is considered part of the
+ text. Whenever possible, a sender-SMTP SHOULD test only the
+
+
+
+Internet Engineering Task Force [Page 54]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ first digit of the reply code, as specified in Appendix E of
+ RFC-821.
+
+ DISCUSSION:
+ Interoperability problems have arisen with SMTP systems
+ using reply codes that are not listed explicitly in RFC-
+ 821 Section 4.3 but are legal according to the theory of
+ reply codes explained in Appendix E.
+
+ 5.2.11 Transparency: RFC-821 Section 4.5.2
+
+ Implementors MUST be sure that their mail systems always add
+ and delete periods to ensure message transparency.
+
+ 5.2.12 WKS Use in MX Processing: RFC-974, p. 5
+
+ RFC-974 [SMTP:3] recommended that the domain system be queried
+ for WKS ("Well-Known Service") records, to verify that each
+ proposed mail target does support SMTP. Later experience has
+ shown that WKS is not widely supported, so the WKS step in MX
+ processing SHOULD NOT be used.
+
+ The following are notes on RFC-822, organized by section of that
+ document.
+
+ 5.2.13 RFC-822 Message Specification: RFC-822 Section 4
+
+ The syntax shown for the Return-path line omits the possibility
+ of a null return path, which is used to prevent looping of
+ error notifications (see Section 5.3.3). The complete syntax
+ is:
+
+ return = "Return-path" ":" route-addr
+ / "Return-path" ":" "<" ">"
+
+ The set of optional header fields is hereby expanded to include
+ the Content-Type field defined in RFC-1049 [SMTP:7]. This
+ field "allows mail reading systems to automatically identify
+ the type of a structured message body and to process it for
+ display accordingly". [SMTP:7] A User Agent MAY support this
+ field.
+
+ 5.2.14 RFC-822 Date and Time Specification: RFC-822 Section 5
+
+ The syntax for the date is hereby changed to:
+
+ date = 1*2DIGIT month 2*4DIGIT
+
+
+
+
+Internet Engineering Task Force [Page 55]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ All mail software SHOULD use 4-digit years in dates, to ease
+ the transition to the next century.
+
+ There is a strong trend towards the use of numeric timezone
+ indicators, and implementations SHOULD use numeric timezones
+ instead of timezone names. However, all implementations MUST
+ accept either notation. If timezone names are used, they MUST
+ be exactly as defined in RFC-822.
+
+ The military time zones are specified incorrectly in RFC-822:
+ they count the wrong way from UT (the signs are reversed). As
+ a result, military time zones in RFC-822 headers carry no
+ information.
+
+ Finally, note that there is a typo in the definition of "zone"
+ in the syntax summary of appendix D; the correct definition
+ occurs in Section 3 of RFC-822.
+
+ 5.2.15 RFC-822 Syntax Change: RFC-822 Section 6.1
+
+ The syntactic definition of "mailbox" in RFC-822 is hereby
+ changed to:
+
+ mailbox = addr-spec ; simple address
+ / [phrase] route-addr ; name & addr-spec
+
+ That is, the phrase preceding a route address is now OPTIONAL.
+ This change makes the following header field legal, for
+ example:
+
+ From: <craig@nnsc.nsf.net>
+
+ 5.2.16 RFC-822 Local-part: RFC-822 Section 6.2
+
+ The basic mailbox address specification has the form: "local-
+ part@domain". Here "local-part", sometimes called the "left-
+ hand side" of the address, is domain-dependent.
+
+ A host that is forwarding the message but is not the
+ destination host implied by the right-hand side "domain" MUST
+ NOT interpret or modify the "local-part" of the address.
+
+ When mail is to be gatewayed from the Internet mail environment
+ into a foreign mail environment (see Section 5.3.7), routing
+ information for that foreign environment MAY be embedded within
+ the "local-part" of the address. The gateway will then
+ interpret this local part appropriately for the foreign mail
+ environment.
+
+
+
+Internet Engineering Task Force [Page 56]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ DISCUSSION:
+ Although source routes are discouraged within the Internet
+ (see Section 5.2.6), there are non-Internet mail
+ environments whose delivery mechanisms do depend upon
+ source routes. Source routes for extra-Internet
+ environments can generally be buried in the "local-part"
+ of the address (see Section 5.2.16) while mail traverses
+ the Internet. When the mail reaches the appropriate
+ Internet mail gateway, the gateway will interpret the
+ local-part and build the necessary address or route for
+ the target mail environment.
+
+ For example, an Internet host might send mail to:
+ "a!b!c!user@gateway-domain". The complex local part
+ "a!b!c!user" would be uninterpreted within the Internet
+ domain, but could be parsed and understood by the
+ specified mail gateway.
+
+ An embedded source route is sometimes encoded in the
+ "local-part" using "%" as a right-binding routing
+ operator. For example, in:
+
+ user%domain%relay3%relay2@relay1
+
+ the "%" convention implies that the mail is to be routed
+ from "relay1" through "relay2", "relay3", and finally to
+ "user" at "domain". This is commonly known as the "%-
+ hack". It is suggested that "%" have lower precedence
+ than any other routing operator (e.g., "!") hidden in the
+ local-part; for example, "a!b%c" would be interpreted as
+ "(a!b)%c".
+
+ Only the target host (in this case, "relay1") is permitted
+ to analyze the local-part "user%domain%relay3%relay2".
+
+ 5.2.17 Domain Literals: RFC-822 Section 6.2.3
+
+ A mailer MUST be able to accept and parse an Internet domain
+ literal whose content ("dtext"; see RFC-822) is a dotted-
+ decimal host address. This satisfies the requirement of
+ Section 2.1 for the case of mail.
+
+ An SMTP MUST accept and recognize a domain literal for any of
+ its own IP addresses.
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 57]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ 5.2.18 Common Address Formatting Errors: RFC-822 Section 6.1
+
+ Errors in formatting or parsing 822 addresses are unfortunately
+ common. This section mentions only the most common errors. A
+ User Agent MUST accept all valid RFC-822 address formats, and
+ MUST NOT generate illegal address syntax.
+
+ o A common error is to leave out the semicolon after a group
+ identifier.
+
+ o Some systems fail to fully-qualify domain names in
+ messages they generate. The right-hand side of an "@"
+ sign in a header address field MUST be a fully-qualified
+ domain name.
+
+ For example, some systems fail to fully-qualify the From:
+ address; this prevents a "reply" command in the user
+ interface from automatically constructing a return
+ address.
+
+ DISCUSSION:
+ Although RFC-822 allows the local use of abbreviated
+ domain names within a domain, the application of
+ RFC-822 in Internet mail does not allow this. The
+ intent is that an Internet host must not send an SMTP
+ message header containing an abbreviated domain name
+ in an address field. This allows the address fields
+ of the header to be passed without alteration across
+ the Internet, as required in Section 5.2.6.
+
+ o Some systems mis-parse multiple-hop explicit source routes
+ such as:
+
+ @relay1,@relay2,@relay3:user@domain.
+
+
+ o Some systems over-qualify domain names by adding a
+ trailing dot to some or all domain names in addresses or
+ message-ids. This violates RFC-822 syntax.
+
+
+ 5.2.19 Explicit Source Routes: RFC-822 Section 6.2.7
+
+ Internet host software SHOULD NOT create an RFC-822 header
+ containing an address with an explicit source route, but MUST
+ accept such headers for compatibility with earlier systems.
+
+ DISCUSSION:
+
+
+
+Internet Engineering Task Force [Page 58]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ In an understatement, RFC-822 says "The use of explicit
+ source routing is discouraged". Many hosts implemented
+ RFC-822 source routes incorrectly, so the syntax cannot be
+ used unambiguously in practice. Many users feel the
+ syntax is ugly. Explicit source routes are not needed in
+ the mail envelope for delivery; see Section 5.2.6. For
+ all these reasons, explicit source routes using the RFC-
+ 822 notations are not to be used in Internet mail headers.
+
+ As stated in Section 5.2.16, it is necessary to allow an
+ explicit source route to be buried in the local-part of an
+ address, e.g., using the "%-hack", in order to allow mail
+ to be gatewayed into another environment in which explicit
+ source routing is necessary. The vigilant will observe
+ that there is no way for a User Agent to detect and
+ prevent the use of such implicit source routing when the
+ destination is within the Internet. We can only
+ discourage source routing of any kind within the Internet,
+ as unnecessary and undesirable.
+
+ 5.3 SPECIFIC ISSUES
+
+ 5.3.1 SMTP Queueing Strategies
+
+ The common structure of a host SMTP implementation includes
+ user mailboxes, one or more areas for queueing messages in
+ transit, and one or more daemon processes for sending and
+ receiving mail. The exact structure will vary depending on the
+ needs of the users on the host and the number and size of
+ mailing lists supported by the host. We describe several
+ optimizations that have proved helpful, particularly for
+ mailers supporting high traffic levels.
+
+ Any queueing strategy MUST include:
+
+ o Timeouts on all activities. See Section 5.3.2.
+
+ o Never sending error messages in response to error
+ messages.
+
+
+ 5.3.1.1 Sending Strategy
+
+ The general model of a sender-SMTP is one or more processes
+ that periodically attempt to transmit outgoing mail. In a
+ typical system, the program that composes a message has some
+ method for requesting immediate attention for a new piece of
+ outgoing mail, while mail that cannot be transmitted
+
+
+
+Internet Engineering Task Force [Page 59]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ immediately MUST be queued and periodically retried by the
+ sender. A mail queue entry will include not only the
+ message itself but also the envelope information.
+
+ The sender MUST delay retrying a particular destination
+ after one attempt has failed. In general, the retry
+ interval SHOULD be at least 30 minutes; however, more
+ sophisticated and variable strategies will be beneficial
+ when the sender-SMTP can determine the reason for non-
+ delivery.
+
+ Retries continue until the message is transmitted or the
+ sender gives up; the give-up time generally needs to be at
+ least 4-5 days. The parameters to the retry algorithm MUST
+ be configurable.
+
+ A sender SHOULD keep a list of hosts it cannot reach and
+ corresponding timeouts, rather than just retrying queued
+ mail items.
+
+ DISCUSSION:
+ Experience suggests that failures are typically
+ transient (the target system has crashed), favoring a
+ policy of two connection attempts in the first hour the
+ message is in the queue, and then backing off to once
+ every two or three hours.
+
+ The sender-SMTP can shorten the queueing delay by
+ cooperation with the receiver-SMTP. In particular, if
+ mail is received from a particular address, it is good
+ evidence that any mail queued for that host can now be
+ sent.
+
+ The strategy may be further modified as a result of
+ multiple addresses per host (see Section 5.3.4), to
+ optimize delivery time vs. resource usage.
+
+ A sender-SMTP may have a large queue of messages for
+ each unavailable destination host, and if it retried
+ all these messages in every retry cycle, there would be
+ excessive Internet overhead and the daemon would be
+ blocked for a long period. Note that an SMTP can
+ generally determine that a delivery attempt has failed
+ only after a timeout of a minute or more; a one minute
+ timeout per connection will result in a very large
+ delay if it is repeated for dozens or even hundreds of
+ queued messages.
+
+
+
+
+Internet Engineering Task Force [Page 60]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ When the same message is to be delivered to several users on
+ the same host, only one copy of the message SHOULD be
+ transmitted. That is, the sender-SMTP should use the
+ command sequence: RCPT, RCPT,... RCPT, DATA instead of the
+ sequence: RCPT, DATA, RCPT, DATA,... RCPT, DATA.
+ Implementation of this efficiency feature is strongly urged.
+
+ Similarly, the sender-SMTP MAY support multiple concurrent
+ outgoing mail transactions to achieve timely delivery.
+ However, some limit SHOULD be imposed to protect the host
+ from devoting all its resources to mail.
+
+ The use of the different addresses of a multihomed host is
+ discussed below.
+
+ 5.3.1.2 Receiving strategy
+
+ The receiver-SMTP SHOULD attempt to keep a pending listen on
+ the SMTP port at all times. This will require the support
+ of multiple incoming TCP connections for SMTP. Some limit
+ MAY be imposed.
+
+ IMPLEMENTATION:
+ When the receiver-SMTP receives mail from a particular
+ host address, it could notify the sender-SMTP to retry
+ any mail pending for that host address.
+
+ 5.3.2 Timeouts in SMTP
+
+ There are two approaches to timeouts in the sender-SMTP: (a)
+ limit the time for each SMTP command separately, or (b) limit
+ the time for the entire SMTP dialogue for a single mail
+ message. A sender-SMTP SHOULD use option (a), per-command
+ timeouts. Timeouts SHOULD be easily reconfigurable, preferably
+ without recompiling the SMTP code.
+
+ DISCUSSION:
+ Timeouts are an essential feature of an SMTP
+ implementation. If the timeouts are too long (or worse,
+ there are no timeouts), Internet communication failures or
+ software bugs in receiver-SMTP programs can tie up SMTP
+ processes indefinitely. If the timeouts are too short,
+ resources will be wasted with attempts that time out part
+ way through message delivery.
+
+ If option (b) is used, the timeout has to be very large,
+ e.g., an hour, to allow time to expand very large mailing
+ lists. The timeout may also need to increase linearly
+
+
+
+Internet Engineering Task Force [Page 61]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ with the size of the message, to account for the time to
+ transmit a very large message. A large fixed timeout
+ leads to two problems: a failure can still tie up the
+ sender for a very long time, and very large messages may
+ still spuriously time out (which is a wasteful failure!).
+
+ Using the recommended option (a), a timer is set for each
+ SMTP command and for each buffer of the data transfer.
+ The latter means that the overall timeout is inherently
+ proportional to the size of the message.
+
+ Based on extensive experience with busy mail-relay hosts, the
+ minimum per-command timeout values SHOULD be as follows:
+
+ o Initial 220 Message: 5 minutes
+
+ A Sender-SMTP process needs to distinguish between a
+ failed TCP connection and a delay in receiving the initial
+ 220 greeting message. Many receiver-SMTPs will accept a
+ TCP connection but delay delivery of the 220 message until
+ their system load will permit more mail to be processed.
+
+ o MAIL Command: 5 minutes
+
+
+ o RCPT Command: 5 minutes
+
+ A longer timeout would be required if processing of
+ mailing lists and aliases were not deferred until after
+ the message was accepted.
+
+ o DATA Initiation: 2 minutes
+
+ This is while awaiting the "354 Start Input" reply to a
+ DATA command.
+
+ o Data Block: 3 minutes
+
+ This is while awaiting the completion of each TCP SEND
+ call transmitting a chunk of data.
+
+ o DATA Termination: 10 minutes.
+
+ This is while awaiting the "250 OK" reply. When the
+ receiver gets the final period terminating the message
+ data, it typically performs processing to deliver the
+ message to a user mailbox. A spurious timeout at this
+ point would be very wasteful, since the message has been
+
+
+
+Internet Engineering Task Force [Page 62]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ successfully sent.
+
+ A receiver-SMTP SHOULD have a timeout of at least 5 minutes
+ while it is awaiting the next command from the sender.
+
+ 5.3.3 Reliable Mail Receipt
+
+ When the receiver-SMTP accepts a piece of mail (by sending a
+ "250 OK" message in response to DATA), it is accepting
+ responsibility for delivering or relaying the message. It must
+ take this responsibility seriously, i.e., it MUST NOT lose the
+ message for frivolous reasons, e.g., because the host later
+ crashes or because of a predictable resource shortage.
+
+ If there is a delivery failure after acceptance of a message,
+ the receiver-SMTP MUST formulate and mail a notification
+ message. This notification MUST be sent using a null ("<>")
+ reverse path in the envelope; see Section 3.6 of RFC-821. The
+ recipient of this notification SHOULD be the address from the
+ envelope return path (or the Return-Path: line). However, if
+ this address is null ("<>"), the receiver-SMTP MUST NOT send a
+ notification. If the address is an explicit source route, it
+ SHOULD be stripped down to its final hop.
+
+ DISCUSSION:
+ For example, suppose that an error notification must be
+ sent for a message that arrived with:
+ "MAIL FROM:<@a,@b:user@d>". The notification message
+ should be sent to: "RCPT TO:<user@d>".
+
+ Some delivery failures after the message is accepted by
+ SMTP will be unavoidable. For example, it may be
+ impossible for the receiver-SMTP to validate all the
+ delivery addresses in RCPT command(s) due to a "soft"
+ domain system error or because the target is a mailing
+ list (see earlier discussion of RCPT).
+
+ To avoid receiving duplicate messages as the result of
+ timeouts, a receiver-SMTP MUST seek to minimize the time
+ required to respond to the final "." that ends a message
+ transfer. See RFC-1047 [SMTP:4] for a discussion of this
+ problem.
+
+ 5.3.4 Reliable Mail Transmission
+
+ To transmit a message, a sender-SMTP determines the IP address
+ of the target host from the destination address in the
+ envelope. Specifically, it maps the string to the right of the
+
+
+
+Internet Engineering Task Force [Page 63]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ "@" sign into an IP address. This mapping or the transfer
+ itself may fail with a soft error, in which case the sender-
+ SMTP will requeue the outgoing mail for a later retry, as
+ required in Section 5.3.1.1.
+
+ When it succeeds, the mapping can result in a list of
+ alternative delivery addresses rather than a single address,
+ because of (a) multiple MX records, (b) multihoming, or both.
+ To provide reliable mail transmission, the sender-SMTP MUST be
+ able to try (and retry) each of the addresses in this list in
+ order, until a delivery attempt succeeds. However, there MAY
+ also be a configurable limit on the number of alternate
+ addresses that can be tried. In any case, a host SHOULD try at
+ least two addresses.
+
+ The following information is to be used to rank the host
+ addresses:
+
+ (1) Multiple MX Records -- these contain a preference
+ indication that should be used in sorting. If there are
+ multiple destinations with the same preference and there
+ is no clear reason to favor one (e.g., by address
+ preference), then the sender-SMTP SHOULD pick one at
+ random to spread the load across multiple mail exchanges
+ for a specific organization; note that this is a
+ refinement of the procedure in [DNS:3].
+
+ (2) Multihomed host -- The destination host (perhaps taken
+ from the preferred MX record) may be multihomed, in which
+ case the domain name resolver will return a list of
+ alternative IP addresses. It is the responsibility of the
+ domain name resolver interface (see Section 6.1.3.4 below)
+ to have ordered this list by decreasing preference, and
+ SMTP MUST try them in the order presented.
+
+ DISCUSSION:
+ Although the capability to try multiple alternative
+ addresses is required, there may be circumstances where
+ specific installations want to limit or disable the use of
+ alternative addresses. The question of whether a sender
+ should attempt retries using the different addresses of a
+ multihomed host has been controversial. The main argument
+ for using the multiple addresses is that it maximizes the
+ probability of timely delivery, and indeed sometimes the
+ probability of any delivery; the counter argument is that
+ it may result in unnecessary resource use.
+
+ Note that resource use is also strongly determined by the
+
+
+
+Internet Engineering Task Force [Page 64]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ sending strategy discussed in Section 5.3.1.
+
+ 5.3.5 Domain Name Support
+
+ SMTP implementations MUST use the mechanism defined in Section
+ 6.1 for mapping between domain names and IP addresses. This
+ means that every Internet SMTP MUST include support for the
+ Internet DNS.
+
+ In particular, a sender-SMTP MUST support the MX record scheme
+ [SMTP:3]. See also Section 7.4 of [DNS:2] for information on
+ domain name support for SMTP.
+
+ 5.3.6 Mailing Lists and Aliases
+
+ An SMTP-capable host SHOULD support both the alias and the list
+ form of address expansion for multiple delivery. When a
+ message is delivered or forwarded to each address of an
+ expanded list form, the return address in the envelope
+ ("MAIL FROM:") MUST be changed to be the address of a person
+ who administers the list, but the message header MUST be left
+ unchanged; in particular, the "From" field of the message is
+ unaffected.
+
+ DISCUSSION:
+ An important mail facility is a mechanism for multi-
+ destination delivery of a single message, by transforming
+ or "expanding" a pseudo-mailbox address into a list of
+ destination mailbox addresses. When a message is sent to
+ such a pseudo-mailbox (sometimes called an "exploder"),
+ copies are forwarded or redistributed to each mailbox in
+ the expanded list. We classify such a pseudo-mailbox as
+ an "alias" or a "list", depending upon the expansion
+ rules:
+
+ (a) Alias
+
+ To expand an alias, the recipient mailer simply
+ replaces the pseudo-mailbox address in the envelope
+ with each of the expanded addresses in turn; the rest
+ of the envelope and the message body are left
+ unchanged. The message is then delivered or
+ forwarded to each expanded address.
+
+ (b) List
+
+ A mailing list may be said to operate by
+ "redistribution" rather than by "forwarding". To
+
+
+
+Internet Engineering Task Force [Page 65]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ expand a list, the recipient mailer replaces the
+ pseudo-mailbox address in the envelope with each of
+ the expanded addresses in turn. The return address in
+ the envelope is changed so that all error messages
+ generated by the final deliveries will be returned to
+ a list administrator, not to the message originator,
+ who generally has no control over the contents of the
+ list and will typically find error messages annoying.
+
+
+ 5.3.7 Mail Gatewaying
+
+ Gatewaying mail between different mail environments, i.e.,
+ different mail formats and protocols, is complex and does not
+ easily yield to standardization. See for example [SMTP:5a],
+ [SMTP:5b]. However, some general requirements may be given for
+ a gateway between the Internet and another mail environment.
+
+ (A) Header fields MAY be rewritten when necessary as messages
+ are gatewayed across mail environment boundaries.
+
+ DISCUSSION:
+ This may involve interpreting the local-part of the
+ destination address, as suggested in Section 5.2.16.
+
+ The other mail systems gatewayed to the Internet
+ generally use a subset of RFC-822 headers, but some
+ of them do not have an equivalent to the SMTP
+ envelope. Therefore, when a message leaves the
+ Internet environment, it may be necessary to fold the
+ SMTP envelope information into the message header. A
+ possible solution would be to create new header
+ fields to carry the envelope information (e.g., "X-
+ SMTP-MAIL:" and "X-SMTP-RCPT:"); however, this would
+ require changes in mail programs in the foreign
+ environment.
+
+ (B) When forwarding a message into or out of the Internet
+ environment, a gateway MUST prepend a Received: line, but
+ it MUST NOT alter in any way a Received: line that is
+ already in the header.
+
+ DISCUSSION:
+ This requirement is a subset of the general
+ "Received:" line requirement of Section 5.2.8; it is
+ restated here for emphasis.
+
+ Received: fields of messages originating from other
+
+
+
+Internet Engineering Task Force [Page 66]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ environments may not conform exactly to RFC822.
+ However, the most important use of Received: lines is
+ for debugging mail faults, and this debugging can be
+ severely hampered by well-meaning gateways that try
+ to "fix" a Received: line.
+
+ The gateway is strongly encouraged to indicate the
+ environment and protocol in the "via" clauses of
+ Received field(s) that it supplies.
+
+ (C) From the Internet side, the gateway SHOULD accept all
+ valid address formats in SMTP commands and in RFC-822
+ headers, and all valid RFC-822 messages. Although a
+ gateway must accept an RFC-822 explicit source route
+ ("@...:" format) in either the RFC-822 header or in the
+ envelope, it MAY or may not act on the source route; see
+ Sections 5.2.6 and 5.2.19.
+
+ DISCUSSION:
+ It is often tempting to restrict the range of
+ addresses accepted at the mail gateway to simplify
+ the translation into addresses for the remote
+ environment. This practice is based on the
+ assumption that mail users have control over the
+ addresses their mailers send to the mail gateway. In
+ practice, however, users have little control over the
+ addresses that are finally sent; their mailers are
+ free to change addresses into any legal RFC-822
+ format.
+
+ (D) The gateway MUST ensure that all header fields of a
+ message that it forwards into the Internet meet the
+ requirements for Internet mail. In particular, all
+ addresses in "From:", "To:", "Cc:", etc., fields must be
+ transformed (if necessary) to satisfy RFC-822 syntax, and
+ they must be effective and useful for sending replies.
+
+
+ (E) The translation algorithm used to convert mail from the
+ Internet protocols to another environment's protocol
+ SHOULD try to ensure that error messages from the foreign
+ mail environment are delivered to the return path from the
+ SMTP envelope, not to the sender listed in the "From:"
+ field of the RFC-822 message.
+
+ DISCUSSION:
+ Internet mail lists usually place the address of the
+ mail list maintainer in the envelope but leave the
+
+
+
+Internet Engineering Task Force [Page 67]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ original message header intact (with the "From:"
+ field containing the original sender). This yields
+ the behavior the average recipient expects: a reply
+ to the header gets sent to the original sender, not
+ to a mail list maintainer; however, errors get sent
+ to the maintainer (who can fix the problem) and not
+ the sender (who probably cannot).
+
+ (F) Similarly, when forwarding a message from another
+ environment into the Internet, the gateway SHOULD set the
+ envelope return path in accordance with an error message
+ return address, if any, supplied by the foreign
+ environment.
+
+
+ 5.3.8 Maximum Message Size
+
+ Mailer software MUST be able to send and receive messages of at
+ least 64K bytes in length (including header), and a much larger
+ maximum size is highly desirable.
+
+ DISCUSSION:
+ Although SMTP does not define the maximum size of a
+ message, many systems impose implementation limits.
+
+ The current de facto minimum limit in the Internet is 64K
+ bytes. However, electronic mail is used for a variety of
+ purposes that create much larger messages. For example,
+ mail is often used instead of FTP for transmitting ASCII
+ files, and in particular to transmit entire documents. As
+ a result, messages can be 1 megabyte or even larger. We
+ note that the present document together with its lower-
+ layer companion contains 0.5 megabytes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 68]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ 5.4 SMTP REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-----------------------------------------------|----------|-|-|-|-|-|--
+ | | | | | | |
+RECEIVER-SMTP: | | | | | | |
+ Implement VRFY |5.2.3 |x| | | | |
+ Implement EXPN |5.2.3 | |x| | | |
+ EXPN, VRFY configurable |5.2.3 | | |x| | |
+ Implement SEND, SOML, SAML |5.2.4 | | |x| | |
+ Verify HELO parameter |5.2.5 | | |x| | |
+ Refuse message with bad HELO |5.2.5 | | | | |x|
+ Accept explicit src-route syntax in env. |5.2.6 |x| | | | |
+ Support "postmaster" |5.2.7 |x| | | | |
+ Process RCPT when received (except lists) |5.2.7 | | |x| | |
+ Long delay of RCPT responses |5.2.7 | | | | |x|
+ | | | | | | |
+ Add Received: line |5.2.8 |x| | | | |
+ Received: line include domain literal |5.2.8 | |x| | | |
+ Change previous Received: line |5.2.8 | | | | |x|
+ Pass Return-Path info (final deliv/gwy) |5.2.8 |x| | | | |
+ Support empty reverse path |5.2.9 |x| | | | |
+ Send only official reply codes |5.2.10 | |x| | | |
+ Send text from RFC-821 when appropriate |5.2.10 | |x| | | |
+ Delete "." for transparency |5.2.11 |x| | | | |
+ Accept and recognize self domain literal(s) |5.2.17 |x| | | | |
+ | | | | | | |
+ Error message about error message |5.3.1 | | | | |x|
+ Keep pending listen on SMTP port |5.3.1.2 | |x| | | |
+ Provide limit on recv concurrency |5.3.1.2 | | |x| | |
+ Wait at least 5 mins for next sender cmd |5.3.2 | |x| | | |
+ Avoidable delivery failure after "250 OK" |5.3.3 | | | | |x|
+ Send error notification msg after accept |5.3.3 |x| | | | |
+ Send using null return path |5.3.3 |x| | | | |
+ Send to envelope return path |5.3.3 | |x| | | |
+ Send to null address |5.3.3 | | | | |x|
+ Strip off explicit src route |5.3.3 | |x| | | |
+ Minimize acceptance delay (RFC-1047) |5.3.3 |x| | | | |
+-----------------------------------------------|----------|-|-|-|-|-|--
+
+
+
+Internet Engineering Task Force [Page 69]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ | | | | | | |
+SENDER-SMTP: | | | | | | |
+ Canonicalized domain names in MAIL, RCPT |5.2.2 |x| | | | |
+ Implement SEND, SOML, SAML |5.2.4 | | |x| | |
+ Send valid principal host name in HELO |5.2.5 |x| | | | |
+ Send explicit source route in RCPT TO: |5.2.6 | | | |x| |
+ Use only reply code to determine action |5.2.10 |x| | | | |
+ Use only high digit of reply code when poss. |5.2.10 | |x| | | |
+ Add "." for transparency |5.2.11 |x| | | | |
+ | | | | | | |
+ Retry messages after soft failure |5.3.1.1 |x| | | | |
+ Delay before retry |5.3.1.1 |x| | | | |
+ Configurable retry parameters |5.3.1.1 |x| | | | |
+ Retry once per each queued dest host |5.3.1.1 | |x| | | |
+ Multiple RCPT's for same DATA |5.3.1.1 | |x| | | |
+ Support multiple concurrent transactions |5.3.1.1 | | |x| | |
+ Provide limit on concurrency |5.3.1.1 | |x| | | |
+ | | | | | | |
+ Timeouts on all activities |5.3.1 |x| | | | |
+ Per-command timeouts |5.3.2 | |x| | | |
+ Timeouts easily reconfigurable |5.3.2 | |x| | | |
+ Recommended times |5.3.2 | |x| | | |
+ Try alternate addr's in order |5.3.4 |x| | | | |
+ Configurable limit on alternate tries |5.3.4 | | |x| | |
+ Try at least two alternates |5.3.4 | |x| | | |
+ Load-split across equal MX alternates |5.3.4 | |x| | | |
+ Use the Domain Name System |5.3.5 |x| | | | |
+ Support MX records |5.3.5 |x| | | | |
+ Use WKS records in MX processing |5.2.12 | | | |x| |
+-----------------------------------------------|----------|-|-|-|-|-|--
+ | | | | | | |
+MAIL FORWARDING: | | | | | | |
+ Alter existing header field(s) |5.2.6 | | | |x| |
+ Implement relay function: 821/section 3.6 |5.2.6 | | |x| | |
+ If not, deliver to RHS domain |5.2.6 | |x| | | |
+ Interpret 'local-part' of addr |5.2.16 | | | | |x|
+ | | | | | | |
+MAILING LISTS AND ALIASES | | | | | | |
+ Support both |5.3.6 | |x| | | |
+ Report mail list error to local admin. |5.3.6 |x| | | | |
+ | | | | | | |
+MAIL GATEWAYS: | | | | | | |
+ Embed foreign mail route in local-part |5.2.16 | | |x| | |
+ Rewrite header fields when necessary |5.3.7 | | |x| | |
+ Prepend Received: line |5.3.7 |x| | | | |
+ Change existing Received: line |5.3.7 | | | | |x|
+ Accept full RFC-822 on Internet side |5.3.7 | |x| | | |
+ Act on RFC-822 explicit source route |5.3.7 | | |x| | |
+
+
+
+Internet Engineering Task Force [Page 70]
+
+
+
+
+RFC1123 MAIL -- SMTP & RFC-822 October 1989
+
+
+ Send only valid RFC-822 on Internet side |5.3.7 |x| | | | |
+ Deliver error msgs to envelope addr |5.3.7 | |x| | | |
+ Set env return path from err return addr |5.3.7 | |x| | | |
+ | | | | | | |
+USER AGENT -- RFC-822 | | | | | | |
+ Allow user to enter <route> address |5.2.6 | | | |x| |
+ Support RFC-1049 Content Type field |5.2.13 | | |x| | |
+ Use 4-digit years |5.2.14 | |x| | | |
+ Generate numeric timezones |5.2.14 | |x| | | |
+ Accept all timezones |5.2.14 |x| | | | |
+ Use non-num timezones from RFC-822 |5.2.14 |x| | | | |
+ Omit phrase before route-addr |5.2.15 | | |x| | |
+ Accept and parse dot.dec. domain literals |5.2.17 |x| | | | |
+ Accept all RFC-822 address formats |5.2.18 |x| | | | |
+ Generate invalid RFC-822 address format |5.2.18 | | | | |x|
+ Fully-qualified domain names in header |5.2.18 |x| | | | |
+ Create explicit src route in header |5.2.19 | | | |x| |
+ Accept explicit src route in header |5.2.19 |x| | | | |
+ | | | | | | |
+Send/recv at least 64KB messages |5.3.8 |x| | | | |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 71]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+6. SUPPORT SERVICES
+
+ 6.1 DOMAIN NAME TRANSLATION
+
+ 6.1.1 INTRODUCTION
+
+ Every host MUST implement a resolver for the Domain Name System
+ (DNS), and it MUST implement a mechanism using this DNS
+ resolver to convert host names to IP addresses and vice-versa
+ [DNS:1, DNS:2].
+
+ In addition to the DNS, a host MAY also implement a host name
+ translation mechanism that searches a local Internet host
+ table. See Section 6.1.3.8 for more information on this
+ option.
+
+ DISCUSSION:
+ Internet host name translation was originally performed by
+ searching local copies of a table of all hosts. This
+ table became too large to update and distribute in a
+ timely manner and too large to fit into many hosts, so the
+ DNS was invented.
+
+ The DNS creates a distributed database used primarily for
+ the translation between host names and host addresses.
+ Implementation of DNS software is required. The DNS
+ consists of two logically distinct parts: name servers and
+ resolvers (although implementations often combine these
+ two logical parts in the interest of efficiency) [DNS:2].
+
+ Domain name servers store authoritative data about certain
+ sections of the database and answer queries about the
+ data. Domain resolvers query domain name servers for data
+ on behalf of user processes. Every host therefore needs a
+ DNS resolver; some host machines will also need to run
+ domain name servers. Since no name server has complete
+ information, in general it is necessary to obtain
+ information from more than one name server to resolve a
+ query.
+
+ 6.1.2 PROTOCOL WALK-THROUGH
+
+ An implementor must study references [DNS:1] and [DNS:2]
+ carefully. They provide a thorough description of the theory,
+ protocol, and implementation of the domain name system, and
+ reflect several years of experience.
+
+
+
+
+
+Internet Engineering Task Force [Page 72]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ 6.1.2.1 Resource Records with Zero TTL: RFC-1035 Section 3.2.1
+
+ All DNS name servers and resolvers MUST properly handle RRs
+ with a zero TTL: return the RR to the client but do not
+ cache it.
+
+ DISCUSSION:
+ Zero TTL values are interpreted to mean that the RR can
+ only be used for the transaction in progress, and
+ should not be cached; they are useful for extremely
+ volatile data.
+
+ 6.1.2.2 QCLASS Values: RFC-1035 Section 3.2.5
+
+ A query with "QCLASS=*" SHOULD NOT be used unless the
+ requestor is seeking data from more than one class. In
+ particular, if the requestor is only interested in Internet
+ data types, QCLASS=IN MUST be used.
+
+ 6.1.2.3 Unused Fields: RFC-1035 Section 4.1.1
+
+ Unused fields in a query or response message MUST be zero.
+
+ 6.1.2.4 Compression: RFC-1035 Section 4.1.4
+
+ Name servers MUST use compression in responses.
+
+ DISCUSSION:
+ Compression is essential to avoid overflowing UDP
+ datagrams; see Section 6.1.3.2.
+
+ 6.1.2.5 Misusing Configuration Info: RFC-1035 Section 6.1.2
+
+ Recursive name servers and full-service resolvers generally
+ have some configuration information containing hints about
+ the location of root or local name servers. An
+ implementation MUST NOT include any of these hints in a
+ response.
+
+ DISCUSSION:
+ Many implementors have found it convenient to store
+ these hints as if they were cached data, but some
+ neglected to ensure that this "cached data" was not
+ included in responses. This has caused serious
+ problems in the Internet when the hints were obsolete
+ or incorrect.
+
+
+
+
+
+Internet Engineering Task Force [Page 73]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ 6.1.3 SPECIFIC ISSUES
+
+ 6.1.3.1 Resolver Implementation
+
+ A name resolver SHOULD be able to multiplex concurrent
+ requests if the host supports concurrent processes.
+
+ In implementing a DNS resolver, one of two different models
+ MAY optionally be chosen: a full-service resolver, or a stub
+ resolver.
+
+
+ (A) Full-Service Resolver
+
+ A full-service resolver is a complete implementation of
+ the resolver service, and is capable of dealing with
+ communication failures, failure of individual name
+ servers, location of the proper name server for a given
+ name, etc. It must satisfy the following requirements:
+
+ o The resolver MUST implement a local caching
+ function to avoid repeated remote access for
+ identical requests, and MUST time out information
+ in the cache.
+
+ o The resolver SHOULD be configurable with start-up
+ information pointing to multiple root name servers
+ and multiple name servers for the local domain.
+ This insures that the resolver will be able to
+ access the whole name space in normal cases, and
+ will be able to access local domain information
+ should the local network become disconnected from
+ the rest of the Internet.
+
+
+ (B) Stub Resolver
+
+ A "stub resolver" relies on the services of a recursive
+ name server on the connected network or a "nearby"
+ network. This scheme allows the host to pass on the
+ burden of the resolver function to a name server on
+ another host. This model is often essential for less
+ capable hosts, such as PCs, and is also recommended
+ when the host is one of several workstations on a local
+ network, because it allows all of the workstations to
+ share the cache of the recursive name server and hence
+ reduce the number of domain requests exported by the
+ local network.
+
+
+
+Internet Engineering Task Force [Page 74]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ At a minimum, the stub resolver MUST be capable of
+ directing its requests to redundant recursive name
+ servers. Note that recursive name servers are allowed
+ to restrict the sources of requests that they will
+ honor, so the host administrator must verify that the
+ service will be provided. Stub resolvers MAY implement
+ caching if they choose, but if so, MUST timeout cached
+ information.
+
+
+ 6.1.3.2 Transport Protocols
+
+ DNS resolvers and recursive servers MUST support UDP, and
+ SHOULD support TCP, for sending (non-zone-transfer) queries.
+ Specifically, a DNS resolver or server that is sending a
+ non-zone-transfer query MUST send a UDP query first. If the
+ Answer section of the response is truncated and if the
+ requester supports TCP, it SHOULD try the query again using
+ TCP.
+
+ DNS servers MUST be able to service UDP queries and SHOULD
+ be able to service TCP queries. A name server MAY limit the
+ resources it devotes to TCP queries, but it SHOULD NOT
+ refuse to service a TCP query just because it would have
+ succeeded with UDP.
+
+ Truncated responses MUST NOT be saved (cached) and later
+ used in such a way that the fact that they are truncated is
+ lost.
+
+ DISCUSSION:
+ UDP is preferred over TCP for queries because UDP
+ queries have much lower overhead, both in packet count
+ and in connection state. The use of UDP is essential
+ for heavily-loaded servers, especially the root
+ servers. UDP also offers additional robustness, since
+ a resolver can attempt several UDP queries to different
+ servers for the cost of a single TCP query.
+
+ It is possible for a DNS response to be truncated,
+ although this is a very rare occurrence in the present
+ Internet DNS. Practically speaking, truncation cannot
+ be predicted, since it is data-dependent. The
+ dependencies include the number of RRs in the answer,
+ the size of each RR, and the savings in space realized
+ by the name compression algorithm. As a rule of thumb,
+ truncation in NS and MX lists should not occur for
+ answers containing 15 or fewer RRs.
+
+
+
+Internet Engineering Task Force [Page 75]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ Whether it is possible to use a truncated answer
+ depends on the application. A mailer must not use a
+ truncated MX response, since this could lead to mail
+ loops.
+
+ Responsible practices can make UDP suffice in the vast
+ majority of cases. Name servers must use compression
+ in responses. Resolvers must differentiate truncation
+ of the Additional section of a response (which only
+ loses extra information) from truncation of the Answer
+ section (which for MX records renders the response
+ unusable by mailers). Database administrators should
+ list only a reasonable number of primary names in lists
+ of name servers, MX alternatives, etc.
+
+ However, it is also clear that some new DNS record
+ types defined in the future will contain information
+ exceeding the 512 byte limit that applies to UDP, and
+ hence will require TCP. Thus, resolvers and name
+ servers should implement TCP services as a backup to
+ UDP today, with the knowledge that they will require
+ the TCP service in the future.
+
+ By private agreement, name servers and resolvers MAY arrange
+ to use TCP for all traffic between themselves. TCP MUST be
+ used for zone transfers.
+
+ A DNS server MUST have sufficient internal concurrency that
+ it can continue to process UDP queries while awaiting a
+ response or performing a zone transfer on an open TCP
+ connection [DNS:2].
+
+ A server MAY support a UDP query that is delivered using an
+ IP broadcast or multicast address. However, the Recursion
+ Desired bit MUST NOT be set in a query that is multicast,
+ and MUST be ignored by name servers receiving queries via a
+ broadcast or multicast address. A host that sends broadcast
+ or multicast DNS queries SHOULD send them only as occasional
+ probes, caching the IP address(es) it obtains from the
+ response(s) so it can normally send unicast queries.
+
+ DISCUSSION:
+ Broadcast or (especially) IP multicast can provide a
+ way to locate nearby name servers without knowing their
+ IP addresses in advance. However, general broadcasting
+ of recursive queries can result in excessive and
+ unnecessary load on both network and servers.
+
+
+
+
+Internet Engineering Task Force [Page 76]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ 6.1.3.3 Efficient Resource Usage
+
+ The following requirements on servers and resolvers are very
+ important to the health of the Internet as a whole,
+ particularly when DNS services are invoked repeatedly by
+ higher level automatic servers, such as mailers.
+
+ (1) The resolver MUST implement retransmission controls to
+ insure that it does not waste communication bandwidth,
+ and MUST impose finite bounds on the resources consumed
+ to respond to a single request. See [DNS:2] pages 43-
+ 44 for specific recommendations.
+
+ (2) After a query has been retransmitted several times
+ without a response, an implementation MUST give up and
+ return a soft error to the application.
+
+ (3) All DNS name servers and resolvers SHOULD cache
+ temporary failures, with a timeout period of the order
+ of minutes.
+
+ DISCUSSION:
+ This will prevent applications that immediately
+ retry soft failures (in violation of Section 2.2
+ of this document) from generating excessive DNS
+ traffic.
+
+ (4) All DNS name servers and resolvers SHOULD cache
+ negative responses that indicate the specified name, or
+ data of the specified type, does not exist, as
+ described in [DNS:2].
+
+ (5) When a DNS server or resolver retries a UDP query, the
+ retry interval SHOULD be constrained by an exponential
+ backoff algorithm, and SHOULD also have upper and lower
+ bounds.
+
+ IMPLEMENTATION:
+ A measured RTT and variance (if available) should
+ be used to calculate an initial retransmission
+ interval. If this information is not available, a
+ default of no less than 5 seconds should be used.
+ Implementations may limit the retransmission
+ interval, but this limit must exceed twice the
+ Internet maximum segment lifetime plus service
+ delay at the name server.
+
+ (6) When a resolver or server receives a Source Quench for
+
+
+
+Internet Engineering Task Force [Page 77]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ a query it has issued, it SHOULD take steps to reduce
+ the rate of querying that server in the near future. A
+ server MAY ignore a Source Quench that it receives as
+ the result of sending a response datagram.
+
+ IMPLEMENTATION:
+ One recommended action to reduce the rate is to
+ send the next query attempt to an alternate
+ server, if there is one available. Another is to
+ backoff the retry interval for the same server.
+
+
+ 6.1.3.4 Multihomed Hosts
+
+ When the host name-to-address function encounters a host
+ with multiple addresses, it SHOULD rank or sort the
+ addresses using knowledge of the immediately connected
+ network number(s) and any other applicable performance or
+ history information.
+
+ DISCUSSION:
+ The different addresses of a multihomed host generally
+ imply different Internet paths, and some paths may be
+ preferable to others in performance, reliability, or
+ administrative restrictions. There is no general way
+ for the domain system to determine the best path. A
+ recommended approach is to base this decision on local
+ configuration information set by the system
+ administrator.
+
+ IMPLEMENTATION:
+ The following scheme has been used successfully:
+
+ (a) Incorporate into the host configuration data a
+ Network-Preference List, that is simply a list of
+ networks in preferred order. This list may be
+ empty if there is no preference.
+
+ (b) When a host name is mapped into a list of IP
+ addresses, these addresses should be sorted by
+ network number, into the same order as the
+ corresponding networks in the Network-Preference
+ List. IP addresses whose networks do not appear
+ in the Network-Preference List should be placed at
+ the end of the list.
+
+
+
+
+
+
+Internet Engineering Task Force [Page 78]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ 6.1.3.5 Extensibility
+
+ DNS software MUST support all well-known, class-independent
+ formats [DNS:2], and SHOULD be written to minimize the
+ trauma associated with the introduction of new well-known
+ types and local experimentation with non-standard types.
+
+ DISCUSSION:
+ The data types and classes used by the DNS are
+ extensible, and thus new types will be added and old
+ types deleted or redefined. Introduction of new data
+ types ought to be dependent only upon the rules for
+ compression of domain names inside DNS messages, and
+ the translation between printable (i.e., master file)
+ and internal formats for Resource Records (RRs).
+
+ Compression relies on knowledge of the format of data
+ inside a particular RR. Hence compression must only be
+ used for the contents of well-known, class-independent
+ RRs, and must never be used for class-specific RRs or
+ RR types that are not well-known. The owner name of an
+ RR is always eligible for compression.
+
+ A name server may acquire, via zone transfer, RRs that
+ the server doesn't know how to convert to printable
+ format. A resolver can receive similar information as
+ the result of queries. For proper operation, this data
+ must be preserved, and hence the implication is that
+ DNS software cannot use textual formats for internal
+ storage.
+
+ The DNS defines domain name syntax very generally -- a
+ string of labels each containing up to 63 8-bit octets,
+ separated by dots, and with a maximum total of 255
+ octets. Particular applications of the DNS are
+ permitted to further constrain the syntax of the domain
+ names they use, although the DNS deployment has led to
+ some applications allowing more general names. In
+ particular, Section 2.1 of this document liberalizes
+ slightly the syntax of a legal Internet host name that
+ was defined in RFC-952 [DNS:4].
+
+ 6.1.3.6 Status of RR Types
+
+ Name servers MUST be able to load all RR types except MD and
+ MF from configuration files. The MD and MF types are
+ obsolete and MUST NOT be implemented; in particular, name
+ servers MUST NOT load these types from configuration files.
+
+
+
+Internet Engineering Task Force [Page 79]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ DISCUSSION:
+ The RR types MB, MG, MR, NULL, MINFO and RP are
+ considered experimental, and applications that use the
+ DNS cannot expect these RR types to be supported by
+ most domains. Furthermore these types are subject to
+ redefinition.
+
+ The TXT and WKS RR types have not been widely used by
+ Internet sites; as a result, an application cannot rely
+ on the the existence of a TXT or WKS RR in most
+ domains.
+
+ 6.1.3.7 Robustness
+
+ DNS software may need to operate in environments where the
+ root servers or other servers are unavailable due to network
+ connectivity or other problems. In this situation, DNS name
+ servers and resolvers MUST continue to provide service for
+ the reachable part of the name space, while giving temporary
+ failures for the rest.
+
+ DISCUSSION:
+ Although the DNS is meant to be used primarily in the
+ connected Internet, it should be possible to use the
+ system in networks which are unconnected to the
+ Internet. Hence implementations must not depend on
+ access to root servers before providing service for
+ local names.
+
+ 6.1.3.8 Local Host Table
+
+ DISCUSSION:
+ A host may use a local host table as a backup or
+ supplement to the DNS. This raises the question of
+ which takes precedence, the DNS or the host table; the
+ most flexible approach would make this a configuration
+ option.
+
+ Typically, the contents of such a supplementary host
+ table will be determined locally by the site. However,
+ a publically-available table of Internet hosts is
+ maintained by the DDN Network Information Center (DDN
+ NIC), with a format documented in [DNS:4]. This table
+ can be retrieved from the DDN NIC using a protocol
+ described in [DNS:5]. It must be noted that this table
+ contains only a small fraction of all Internet hosts.
+ Hosts using this protocol to retrieve the DDN NIC host
+ table should use the VERSION command to check if the
+
+
+
+Internet Engineering Task Force [Page 80]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ table has changed before requesting the entire table
+ with the ALL command. The VERSION identifier should be
+ treated as an arbitrary string and tested only for
+ equality; no numerical sequence may be assumed.
+
+ The DDN NIC host table includes administrative
+ information that is not needed for host operation and
+ is therefore not currently included in the DNS
+ database; examples include network and gateway entries.
+ However, much of this additional information will be
+ added to the DNS in the future. Conversely, the DNS
+ provides essential services (in particular, MX records)
+ that are not available from the DDN NIC host table.
+
+ 6.1.4 DNS USER INTERFACE
+
+ 6.1.4.1 DNS Administration
+
+ This document is concerned with design and implementation
+ issues in host software, not with administrative or
+ operational issues. However, administrative issues are of
+ particular importance in the DNS, since errors in particular
+ segments of this large distributed database can cause poor
+ or erroneous performance for many sites. These issues are
+ discussed in [DNS:6] and [DNS:7].
+
+ 6.1.4.2 DNS User Interface
+
+ Hosts MUST provide an interface to the DNS for all
+ application programs running on the host. This interface
+ will typically direct requests to a system process to
+ perform the resolver function [DNS:1, 6.1:2].
+
+ At a minimum, the basic interface MUST support a request for
+ all information of a specific type and class associated with
+ a specific name, and it MUST return either all of the
+ requested information, a hard error code, or a soft error
+ indication. When there is no error, the basic interface
+ returns the complete response information without
+ modification, deletion, or ordering, so that the basic
+ interface will not need to be changed to accommodate new
+ data types.
+
+ DISCUSSION:
+ The soft error indication is an essential part of the
+ interface, since it may not always be possible to
+ access particular information from the DNS; see Section
+ 6.1.3.3.
+
+
+
+Internet Engineering Task Force [Page 81]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ A host MAY provide other DNS interfaces tailored to
+ particular functions, transforming the raw domain data into
+ formats more suited to these functions. In particular, a
+ host MUST provide a DNS interface to facilitate translation
+ between host addresses and host names.
+
+ 6.1.4.3 Interface Abbreviation Facilities
+
+ User interfaces MAY provide a method for users to enter
+ abbreviations for commonly-used names. Although the
+ definition of such methods is outside of the scope of the
+ DNS specification, certain rules are necessary to insure
+ that these methods allow access to the entire DNS name space
+ and to prevent excessive use of Internet resources.
+
+ If an abbreviation method is provided, then:
+
+ (a) There MUST be some convention for denoting that a name
+ is already complete, so that the abbreviation method(s)
+ are suppressed. A trailing dot is the usual method.
+
+ (b) Abbreviation expansion MUST be done exactly once, and
+ MUST be done in the context in which the name was
+ entered.
+
+
+ DISCUSSION:
+ For example, if an abbreviation is used in a mail
+ program for a destination, the abbreviation should be
+ expanded into a full domain name and stored in the
+ queued message with an indication that it is already
+ complete. Otherwise, the abbreviation might be
+ expanded with a mail system search list, not the
+ user's, or a name could grow due to repeated
+ canonicalizations attempts interacting with wildcards.
+
+ The two most common abbreviation methods are:
+
+ (1) Interface-level aliases
+
+ Interface-level aliases are conceptually implemented as
+ a list of alias/domain name pairs. The list can be
+ per-user or per-host, and separate lists can be
+ associated with different functions, e.g. one list for
+ host name-to-address translation, and a different list
+ for mail domains. When the user enters a name, the
+ interface attempts to match the name to the alias
+ component of a list entry, and if a matching entry can
+
+
+
+Internet Engineering Task Force [Page 82]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ be found, the name is replaced by the domain name found
+ in the pair.
+
+ Note that interface-level aliases and CNAMEs are
+ completely separate mechanisms; interface-level aliases
+ are a local matter while CNAMEs are an Internet-wide
+ aliasing mechanism which is a required part of any DNS
+ implementation.
+
+ (2) Search Lists
+
+ A search list is conceptually implemented as an ordered
+ list of domain names. When the user enters a name, the
+ domain names in the search list are used as suffixes to
+ the user-supplied name, one by one, until a domain name
+ with the desired associated data is found, or the
+ search list is exhausted. Search lists often contain
+ the name of the local host's parent domain or other
+ ancestor domains. Search lists are often per-user or
+ per-process.
+
+ It SHOULD be possible for an administrator to disable a
+ DNS search-list facility. Administrative denial may be
+ warranted in some cases, to prevent abuse of the DNS.
+
+ There is danger that a search-list mechanism will
+ generate excessive queries to the root servers while
+ testing whether user input is a complete domain name,
+ lacking a final period to mark it as complete. A
+ search-list mechanism MUST have one of, and SHOULD have
+ both of, the following two provisions to prevent this:
+
+ (a) The local resolver/name server can implement
+ caching of negative responses (see Section
+ 6.1.3.3).
+
+ (b) The search list expander can require two or more
+ interior dots in a generated domain name before it
+ tries using the name in a query to non-local
+ domain servers, such as the root.
+
+ DISCUSSION:
+ The intent of this requirement is to avoid
+ excessive delay for the user as the search list is
+ tested, and more importantly to prevent excessive
+ traffic to the root and other high-level servers.
+ For example, if the user supplied a name "X" and
+ the search list contained the root as a component,
+
+
+
+Internet Engineering Task Force [Page 83]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ a query would have to consult a root server before
+ the next search list alternative could be tried.
+ The resulting load seen by the root servers and
+ gateways near the root would be multiplied by the
+ number of hosts in the Internet.
+
+ The negative caching alternative limits the effect
+ to the first time a name is used. The interior
+ dot rule is simpler to implement but can prevent
+ easy use of some top-level names.
+
+
+ 6.1.5 DOMAIN NAME SYSTEM REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-----------------------------------------------|-----------|-|-|-|-|-|--
+GENERAL ISSUES | | | | | | |
+ | | | | | | |
+Implement DNS name-to-address conversion |6.1.1 |x| | | | |
+Implement DNS address-to-name conversion |6.1.1 |x| | | | |
+Support conversions using host table |6.1.1 | | |x| | |
+Properly handle RR with zero TTL |6.1.2.1 |x| | | | |
+Use QCLASS=* unnecessarily |6.1.2.2 | |x| | | |
+ Use QCLASS=IN for Internet class |6.1.2.2 |x| | | | |
+Unused fields zero |6.1.2.3 |x| | | | |
+Use compression in responses |6.1.2.4 |x| | | | |
+ | | | | | | |
+Include config info in responses |6.1.2.5 | | | | |x|
+Support all well-known, class-indep. types |6.1.3.5 |x| | | | |
+Easily expand type list |6.1.3.5 | |x| | | |
+Load all RR types (except MD and MF) |6.1.3.6 |x| | | | |
+Load MD or MF type |6.1.3.6 | | | | |x|
+Operate when root servers, etc. unavailable |6.1.3.7 |x| | | | |
+-----------------------------------------------|-----------|-|-|-|-|-|--
+RESOLVER ISSUES: | | | | | | |
+ | | | | | | |
+Resolver support multiple concurrent requests |6.1.3.1 | |x| | | |
+Full-service resolver: |6.1.3.1 | | |x| | |
+ Local caching |6.1.3.1 |x| | | | |
+
+
+
+Internet Engineering Task Force [Page 84]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ Information in local cache times out |6.1.3.1 |x| | | | |
+ Configurable with starting info |6.1.3.1 | |x| | | |
+Stub resolver: |6.1.3.1 | | |x| | |
+ Use redundant recursive name servers |6.1.3.1 |x| | | | |
+ Local caching |6.1.3.1 | | |x| | |
+ Information in local cache times out |6.1.3.1 |x| | | | |
+Support for remote multi-homed hosts: | | | | | | |
+ Sort multiple addresses by preference list |6.1.3.4 | |x| | | |
+ | | | | | | |
+-----------------------------------------------|-----------|-|-|-|-|-|--
+TRANSPORT PROTOCOLS: | | | | | | |
+ | | | | | | |
+Support UDP queries |6.1.3.2 |x| | | | |
+Support TCP queries |6.1.3.2 | |x| | | |
+ Send query using UDP first |6.1.3.2 |x| | | | |1
+ Try TCP if UDP answers are truncated |6.1.3.2 | |x| | | |
+Name server limit TCP query resources |6.1.3.2 | | |x| | |
+ Punish unnecessary TCP query |6.1.3.2 | | | |x| |
+Use truncated data as if it were not |6.1.3.2 | | | | |x|
+Private agreement to use only TCP |6.1.3.2 | | |x| | |
+Use TCP for zone transfers |6.1.3.2 |x| | | | |
+TCP usage not block UDP queries |6.1.3.2 |x| | | | |
+Support broadcast or multicast queries |6.1.3.2 | | |x| | |
+ RD bit set in query |6.1.3.2 | | | | |x|
+ RD bit ignored by server is b'cast/m'cast |6.1.3.2 |x| | | | |
+ Send only as occasional probe for addr's |6.1.3.2 | |x| | | |
+-----------------------------------------------|-----------|-|-|-|-|-|--
+RESOURCE USAGE: | | | | | | |
+ | | | | | | |
+Transmission controls, per [DNS:2] |6.1.3.3 |x| | | | |
+ Finite bounds per request |6.1.3.3 |x| | | | |
+Failure after retries => soft error |6.1.3.3 |x| | | | |
+Cache temporary failures |6.1.3.3 | |x| | | |
+Cache negative responses |6.1.3.3 | |x| | | |
+Retries use exponential backoff |6.1.3.3 | |x| | | |
+ Upper, lower bounds |6.1.3.3 | |x| | | |
+Client handle Source Quench |6.1.3.3 | |x| | | |
+Server ignore Source Quench |6.1.3.3 | | |x| | |
+-----------------------------------------------|-----------|-|-|-|-|-|--
+USER INTERFACE: | | | | | | |
+ | | | | | | |
+All programs have access to DNS interface |6.1.4.2 |x| | | | |
+Able to request all info for given name |6.1.4.2 |x| | | | |
+Returns complete info or error |6.1.4.2 |x| | | | |
+Special interfaces |6.1.4.2 | | |x| | |
+ Name<->Address translation |6.1.4.2 |x| | | | |
+ | | | | | | |
+Abbreviation Facilities: |6.1.4.3 | | |x| | |
+
+
+
+Internet Engineering Task Force [Page 85]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- DOMAINS October 1989
+
+
+ Convention for complete names |6.1.4.3 |x| | | | |
+ Conversion exactly once |6.1.4.3 |x| | | | |
+ Conversion in proper context |6.1.4.3 |x| | | | |
+ Search list: |6.1.4.3 | | |x| | |
+ Administrator can disable |6.1.4.3 | |x| | | |
+ Prevention of excessive root queries |6.1.4.3 |x| | | | |
+ Both methods |6.1.4.3 | |x| | | |
+-----------------------------------------------|-----------|-|-|-|-|-|--
+-----------------------------------------------|-----------|-|-|-|-|-|--
+
+1. Unless there is private agreement between particular resolver and
+ particular server.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 86]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
+
+
+ 6.2 HOST INITIALIZATION
+
+ 6.2.1 INTRODUCTION
+
+ This section discusses the initialization of host software
+ across a connected network, or more generally across an
+ Internet path. This is necessary for a diskless host, and may
+ optionally be used for a host with disk drives. For a diskless
+ host, the initialization process is called "network booting"
+ and is controlled by a bootstrap program located in a boot ROM.
+
+ To initialize a diskless host across the network, there are two
+ distinct phases:
+
+ (1) Configure the IP layer.
+
+ Diskless machines often have no permanent storage in which
+ to store network configuration information, so that
+ sufficient configuration information must be obtained
+ dynamically to support the loading phase that follows.
+ This information must include at least the IP addresses of
+ the host and of the boot server. To support booting
+ across a gateway, the address mask and a list of default
+ gateways are also required.
+
+ (2) Load the host system code.
+
+ During the loading phase, an appropriate file transfer
+ protocol is used to copy the system code across the
+ network from the boot server.
+
+ A host with a disk may perform the first step, dynamic
+ configuration. This is important for microcomputers, whose
+ floppy disks allow network configuration information to be
+ mistakenly duplicated on more than one host. Also,
+ installation of new hosts is much simpler if they automatically
+ obtain their configuration information from a central server,
+ saving administrator time and decreasing the probability of
+ mistakes.
+
+ 6.2.2 REQUIREMENTS
+
+ 6.2.2.1 Dynamic Configuration
+
+ A number of protocol provisions have been made for dynamic
+ configuration.
+
+ o ICMP Information Request/Reply messages
+
+
+
+Internet Engineering Task Force [Page 87]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
+
+
+ This obsolete message pair was designed to allow a host
+ to find the number of the network it is on.
+ Unfortunately, it was useful only if the host already
+ knew the host number part of its IP address,
+ information that hosts requiring dynamic configuration
+ seldom had.
+
+ o Reverse Address Resolution Protocol (RARP) [BOOT:4]
+
+ RARP is a link-layer protocol for a broadcast medium
+ that allows a host to find its IP address given its
+ link layer address. Unfortunately, RARP does not work
+ across IP gateways and therefore requires a RARP server
+ on every network. In addition, RARP does not provide
+ any other configuration information.
+
+ o ICMP Address Mask Request/Reply messages
+
+ These ICMP messages allow a host to learn the address
+ mask for a particular network interface.
+
+ o BOOTP Protocol [BOOT:2]
+
+ This protocol allows a host to determine the IP
+ addresses of the local host and the boot server, the
+ name of an appropriate boot file, and optionally the
+ address mask and list of default gateways. To locate a
+ BOOTP server, the host broadcasts a BOOTP request using
+ UDP. Ad hoc gateway extensions have been used to
+ transmit the BOOTP broadcast through gateways, and in
+ the future the IP Multicasting facility will provide a
+ standard mechanism for this purpose.
+
+
+ The suggested approach to dynamic configuration is to use
+ the BOOTP protocol with the extensions defined in "BOOTP
+ Vendor Information Extensions" RFC-1084 [BOOT:3]. RFC-1084
+ defines some important general (not vendor-specific)
+ extensions. In particular, these extensions allow the
+ address mask to be supplied in BOOTP; we RECOMMEND that the
+ address mask be supplied in this manner.
+
+ DISCUSSION:
+ Historically, subnetting was defined long after IP, and
+ so a separate mechanism (ICMP Address Mask messages)
+ was designed to supply the address mask to a host.
+ However, the IP address mask and the corresponding IP
+ address conceptually form a pair, and for operational
+
+
+
+Internet Engineering Task Force [Page 88]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- INITIALIZATION October 1989
+
+
+ simplicity they ought to be defined at the same time
+ and by the same mechanism, whether a configuration file
+ or a dynamic mechanism like BOOTP.
+
+ Note that BOOTP is not sufficiently general to specify
+ the configurations of all interfaces of a multihomed
+ host. A multihomed host must either use BOOTP
+ separately for each interface, or configure one
+ interface using BOOTP to perform the loading, and
+ perform the complete initialization from a file later.
+
+ Application layer configuration information is expected
+ to be obtained from files after loading of the system
+ code.
+
+ 6.2.2.2 Loading Phase
+
+ A suggested approach for the loading phase is to use TFTP
+ [BOOT:1] between the IP addresses established by BOOTP.
+
+ TFTP to a broadcast address SHOULD NOT be used, for reasons
+ explained in Section 4.2.3.4.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 89]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ 6.3 REMOTE MANAGEMENT
+
+ 6.3.1 INTRODUCTION
+
+ The Internet community has recently put considerable effort
+ into the development of network management protocols. The
+ result has been a two-pronged approach [MGT:1, MGT:6]: the
+ Simple Network Management Protocol (SNMP) [MGT:4] and the
+ Common Management Information Protocol over TCP (CMOT) [MGT:5].
+
+ In order to be managed using SNMP or CMOT, a host will need to
+ implement an appropriate management agent. An Internet host
+ SHOULD include an agent for either SNMP or CMOT.
+
+ Both SNMP and CMOT operate on a Management Information Base
+ (MIB) that defines a collection of management values. By
+ reading and setting these values, a remote application may
+ query and change the state of the managed system.
+
+ A standard MIB [MGT:3] has been defined for use by both
+ management protocols, using data types defined by the Structure
+ of Management Information (SMI) defined in [MGT:2]. Additional
+ MIB variables can be introduced under the "enterprises" and
+ "experimental" subtrees of the MIB naming space [MGT:2].
+
+ Every protocol module in the host SHOULD implement the relevant
+ MIB variables. A host SHOULD implement the MIB variables as
+ defined in the most recent standard MIB, and MAY implement
+ other MIB variables when appropriate and useful.
+
+ 6.3.2 PROTOCOL WALK-THROUGH
+
+ The MIB is intended to cover both hosts and gateways, although
+ there may be detailed differences in MIB application to the two
+ cases. This section contains the appropriate interpretation of
+ the MIB for hosts. It is likely that later versions of the MIB
+ will include more entries for host management.
+
+ A managed host must implement the following groups of MIB
+ object definitions: System, Interfaces, Address Translation,
+ IP, ICMP, TCP, and UDP.
+
+ The following specific interpretations apply to hosts:
+
+ o ipInHdrErrors
+
+ Note that the error "time-to-live exceeded" can occur in a
+ host only when it is forwarding a source-routed datagram.
+
+
+
+Internet Engineering Task Force [Page 90]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ o ipOutNoRoutes
+
+ This object counts datagrams discarded because no route
+ can be found. This may happen in a host if all the
+ default gateways in the host's configuration are down.
+
+ o ipFragOKs, ipFragFails, ipFragCreates
+
+ A host that does not implement intentional fragmentation
+ (see "Fragmentation" section of [INTRO:1]) MUST return the
+ value zero for these three objects.
+
+ o icmpOutRedirects
+
+ For a host, this object MUST always be zero, since hosts
+ do not send Redirects.
+
+ o icmpOutAddrMaskReps
+
+ For a host, this object MUST always be zero, unless the
+ host is an authoritative source of address mask
+ information.
+
+ o ipAddrTable
+
+ For a host, the "IP Address Table" object is effectively a
+ table of logical interfaces.
+
+ o ipRoutingTable
+
+ For a host, the "IP Routing Table" object is effectively a
+ combination of the host's Routing Cache and the static
+ route table described in "Routing Outbound Datagrams"
+ section of [INTRO:1].
+
+ Within each ipRouteEntry, ipRouteMetric1...4 normally will
+ have no meaning for a host and SHOULD always be -1, while
+ ipRouteType will normally have the value "remote".
+
+ If destinations on the connected network do not appear in
+ the Route Cache (see "Routing Outbound Datagrams section
+ of [INTRO:1]), there will be no entries with ipRouteType
+ of "direct".
+
+
+ DISCUSSION:
+ The current MIB does not include Type-of-Service in an
+ ipRouteEntry, but a future revision is expected to make
+
+
+
+Internet Engineering Task Force [Page 91]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ this addition.
+
+ We also expect the MIB to be expanded to allow the remote
+ management of applications (e.g., the ability to partially
+ reconfigure mail systems). Network service applications
+ such as mail systems should therefore be written with the
+ "hooks" for remote management.
+
+ 6.3.3 MANAGEMENT REQUIREMENTS SUMMARY
+
+ | | | | |S| |
+ | | | | |H| |F
+ | | | | |O|M|o
+ | | |S| |U|U|o
+ | | |H| |L|S|t
+ | |M|O| |D|T|n
+ | |U|U|M| | |o
+ | |S|L|A|N|N|t
+ | |T|D|Y|O|O|t
+FEATURE |SECTION | | | |T|T|e
+-----------------------------------------------|-----------|-|-|-|-|-|--
+Support SNMP or CMOT agent |6.3.1 | |x| | | |
+Implement specified objects in standard MIB |6.3.1 | |x| | | |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 92]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+7. REFERENCES
+
+ This section lists the primary references with which every
+ implementer must be thoroughly familiar. It also lists some
+ secondary references that are suggested additional reading.
+
+ INTRODUCTORY REFERENCES:
+
+
+ [INTRO:1] "Requirements for Internet Hosts -- Communication Layers,"
+ IETF Host Requirements Working Group, R. Braden, Ed., RFC-1122,
+ October 1989.
+
+ [INTRO:2] "DDN Protocol Handbook," NIC-50004, NIC-50005, NIC-50006,
+ (three volumes), SRI International, December 1985.
+
+ [INTRO:3] "Official Internet Protocols," J. Reynolds and J. Postel,
+ RFC-1011, May 1987.
+
+ This document is republished periodically with new RFC numbers;
+ the latest version must be used.
+
+ [INTRO:4] "Protocol Document Order Information," O. Jacobsen and J.
+ Postel, RFC-980, March 1986.
+
+ [INTRO:5] "Assigned Numbers," J. Reynolds and J. Postel, RFC-1010,
+ May 1987.
+
+ This document is republished periodically with new RFC numbers;
+ the latest version must be used.
+
+
+ TELNET REFERENCES:
+
+
+ [TELNET:1] "Telnet Protocol Specification," J. Postel and J.
+ Reynolds, RFC-854, May 1983.
+
+ [TELNET:2] "Telnet Option Specification," J. Postel and J. Reynolds,
+ RFC-855, May 1983.
+
+ [TELNET:3] "Telnet Binary Transmission," J. Postel and J. Reynolds,
+ RFC-856, May 1983.
+
+ [TELNET:4] "Telnet Echo Option," J. Postel and J. Reynolds, RFC-857,
+ May 1983.
+
+ [TELNET:5] "Telnet Suppress Go Ahead Option," J. Postel and J.
+
+
+
+Internet Engineering Task Force [Page 93]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ Reynolds, RFC-858, May 1983.
+
+ [TELNET:6] "Telnet Status Option," J. Postel and J. Reynolds, RFC-
+ 859, May 1983.
+
+ [TELNET:7] "Telnet Timing Mark Option," J. Postel and J. Reynolds,
+ RFC-860, May 1983.
+
+ [TELNET:8] "Telnet Extended Options List," J. Postel and J.
+ Reynolds, RFC-861, May 1983.
+
+ [TELNET:9] "Telnet End-Of-Record Option," J. Postel, RFC-855,
+ December 1983.
+
+ [TELNET:10] "Telnet Terminal-Type Option," J. VanBokkelen, RFC-1091,
+ February 1989.
+
+ This document supercedes RFC-930.
+
+ [TELNET:11] "Telnet Window Size Option," D. Waitzman, RFC-1073,
+ October 1988.
+
+ [TELNET:12] "Telnet Linemode Option," D. Borman, RFC-1116, August
+ 1989.
+
+ [TELNET:13] "Telnet Terminal Speed Option," C. Hedrick, RFC-1079,
+ December 1988.
+
+ [TELNET:14] "Telnet Remote Flow Control Option," C. Hedrick, RFC-
+ 1080, November 1988.
+
+
+ SECONDARY TELNET REFERENCES:
+
+
+ [TELNET:15] "Telnet Protocol," MIL-STD-1782, U.S. Department of
+ Defense, May 1984.
+
+ This document is intended to describe the same protocol as RFC-
+ 854. In case of conflict, RFC-854 takes precedence, and the
+ present document takes precedence over both.
+
+ [TELNET:16] "SUPDUP Protocol," M. Crispin, RFC-734, October 1977.
+
+ [TELNET:17] "Telnet SUPDUP Option," M. Crispin, RFC-736, October
+ 1977.
+
+ [TELNET:18] "Data Entry Terminal Option," J. Day, RFC-732, June 1977.
+
+
+
+Internet Engineering Task Force [Page 94]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ [TELNET:19] "TELNET Data Entry Terminal option -- DODIIS
+ Implementation," A. Yasuda and T. Thompson, RFC-1043, February
+ 1988.
+
+
+ FTP REFERENCES:
+
+
+ [FTP:1] "File Transfer Protocol," J. Postel and J. Reynolds, RFC-
+ 959, October 1985.
+
+ [FTP:2] "Document File Format Standards," J. Postel, RFC-678,
+ December 1974.
+
+ [FTP:3] "File Transfer Protocol," MIL-STD-1780, U.S. Department of
+ Defense, May 1984.
+
+ This document is based on an earlier version of the FTP
+ specification (RFC-765) and is obsolete.
+
+
+ TFTP REFERENCES:
+
+
+ [TFTP:1] "The TFTP Protocol Revision 2," K. Sollins, RFC-783, June
+ 1981.
+
+
+ MAIL REFERENCES:
+
+
+ [SMTP:1] "Simple Mail Transfer Protocol," J. Postel, RFC-821, August
+ 1982.
+
+ [SMTP:2] "Standard For The Format of ARPA Internet Text Messages,"
+ D. Crocker, RFC-822, August 1982.
+
+ This document obsoleted an earlier specification, RFC-733.
+
+ [SMTP:3] "Mail Routing and the Domain System," C. Partridge, RFC-
+ 974, January 1986.
+
+ This RFC describes the use of MX records, a mandatory extension
+ to the mail delivery process.
+
+ [SMTP:4] "Duplicate Messages and SMTP," C. Partridge, RFC-1047,
+ February 1988.
+
+
+
+
+Internet Engineering Task Force [Page 95]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ [SMTP:5a] "Mapping between X.400 and RFC 822," S. Kille, RFC-987,
+ June 1986.
+
+ [SMTP:5b] "Addendum to RFC-987," S. Kille, RFC-???, September 1987.
+
+ The two preceding RFC's define a proposed standard for
+ gatewaying mail between the Internet and the X.400 environments.
+
+ [SMTP:6] "Simple Mail Transfer Protocol," MIL-STD-1781, U.S.
+ Department of Defense, May 1984.
+
+ This specification is intended to describe the same protocol as
+ does RFC-821. However, MIL-STD-1781 is incomplete; in
+ particular, it does not include MX records [SMTP:3].
+
+ [SMTP:7] "A Content-Type Field for Internet Messages," M. Sirbu,
+ RFC-1049, March 1988.
+
+
+ DOMAIN NAME SYSTEM REFERENCES:
+
+
+ [DNS:1] "Domain Names - Concepts and Facilities," P. Mockapetris,
+ RFC-1034, November 1987.
+
+ This document and the following one obsolete RFC-882, RFC-883,
+ and RFC-973.
+
+ [DNS:2] "Domain Names - Implementation and Specification," RFC-1035,
+ P. Mockapetris, November 1987.
+
+
+ [DNS:3] "Mail Routing and the Domain System," C. Partridge, RFC-974,
+ January 1986.
+
+
+ [DNS:4] "DoD Internet Host Table Specification," K. Harrenstein,
+ RFC-952, M. Stahl, E. Feinler, October 1985.
+
+ SECONDARY DNS REFERENCES:
+
+
+ [DNS:5] "Hostname Server," K. Harrenstein, M. Stahl, E. Feinler,
+ RFC-953, October 1985.
+
+ [DNS:6] "Domain Administrators Guide," M. Stahl, RFC-1032, November
+ 1987.
+
+
+
+
+Internet Engineering Task Force [Page 96]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+ [DNS:7] "Domain Administrators Operations Guide," M. Lottor, RFC-
+ 1033, November 1987.
+
+ [DNS:8] "The Domain Name System Handbook," Vol. 4 of Internet
+ Protocol Handbook, NIC 50007, SRI Network Information Center,
+ August 1989.
+
+
+ SYSTEM INITIALIZATION REFERENCES:
+
+
+ [BOOT:1] "Bootstrap Loading Using TFTP," R. Finlayson, RFC-906, June
+ 1984.
+
+ [BOOT:2] "Bootstrap Protocol (BOOTP)," W. Croft and J. Gilmore, RFC-
+ 951, September 1985.
+
+ [BOOT:3] "BOOTP Vendor Information Extensions," J. Reynolds, RFC-
+ 1084, December 1988.
+
+ Note: this RFC revised and obsoleted RFC-1048.
+
+ [BOOT:4] "A Reverse Address Resolution Protocol," R. Finlayson, T.
+ Mann, J. Mogul, and M. Theimer, RFC-903, June 1984.
+
+
+ MANAGEMENT REFERENCES:
+
+
+ [MGT:1] "IAB Recommendations for the Development of Internet Network
+ Management Standards," V. Cerf, RFC-1052, April 1988.
+
+ [MGT:2] "Structure and Identification of Management Information for
+ TCP/IP-based internets," M. Rose and K. McCloghrie, RFC-1065,
+ August 1988.
+
+ [MGT:3] "Management Information Base for Network Management of
+ TCP/IP-based internets," M. Rose and K. McCloghrie, RFC-1066,
+ August 1988.
+
+ [MGT:4] "A Simple Network Management Protocol," J. Case, M. Fedor,
+ M. Schoffstall, and C. Davin, RFC-1098, April 1989.
+
+ [MGT:5] "The Common Management Information Services and Protocol
+ over TCP/IP," U. Warrier and L. Besaw, RFC-1095, April 1989.
+
+ [MGT:6] "Report of the Second Ad Hoc Network Management Review
+ Group," V. Cerf, RFC-1109, August 1989.
+
+
+
+Internet Engineering Task Force [Page 97]
+
+
+
+
+RFC1123 SUPPORT SERVICES -- MANAGEMENT October 1989
+
+
+Security Considerations
+
+ There are many security issues in the application and support
+ programs of host software, but a full discussion is beyond the scope
+ of this RFC. Security-related issues are mentioned in sections
+ concerning TFTP (Sections 4.2.1, 4.2.3.4, 4.2.3.5), the SMTP VRFY and
+ EXPN commands (Section 5.2.3), the SMTP HELO command (5.2.5), and the
+ SMTP DATA command (Section 5.2.8).
+
+Author's Address
+
+ Robert Braden
+ USC/Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292-6695
+
+ Phone: (213) 822 1511
+
+ EMail: Braden@ISI.EDU
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Internet Engineering Task Force [Page 98]
+
diff --git a/contrib/bind9/doc/rfc/rfc1183.txt b/contrib/bind9/doc/rfc/rfc1183.txt
new file mode 100644
index 0000000..6f08044
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1183.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group C. Everhart
+Request for Comments: 1183 Transarc
+Updates: RFCs 1034, 1035 L. Mamakos
+ University of Maryland
+ R. Ullmann
+ Prime Computer
+ P. Mockapetris, Editor
+ ISI
+ October 1990
+
+
+ New DNS RR Definitions
+
+Status of this Memo
+
+ This memo defines five new DNS types for experimental purposes. This
+ RFC describes an Experimental Protocol for the Internet community,
+ and requests discussion and suggestions for improvements.
+ Distribution of this memo is unlimited.
+
+Table of Contents
+
+ Introduction.................................................... 1
+ 1. AFS Data Base location....................................... 2
+ 2. Responsible Person........................................... 3
+ 2.1. Identification of the guilty party......................... 3
+ 2.2. The Responsible Person RR.................................. 4
+ 3. X.25 and ISDN addresses, Route Binding....................... 6
+ 3.1. The X25 RR................................................. 6
+ 3.2. The ISDN RR................................................ 7
+ 3.3. The Route Through RR....................................... 8
+ REFERENCES and BIBLIOGRAPHY..................................... 9
+ Security Considerations......................................... 10
+ Authors' Addresses.............................................. 11
+
+Introduction
+
+ This RFC defines the format of new Resource Records (RRs) for the
+ Domain Name System (DNS), and reserves corresponding DNS type
+ mnemonics and numerical codes. The definitions are in three
+ independent sections: (1) location of AFS database servers, (2)
+ location of responsible persons, and (3) representation of X.25 and
+ ISDN addresses and route binding. All are experimental.
+
+ This RFC assumes that the reader is familiar with the DNS [3,4]. The
+ data shown is for pedagogical use and does not necessarily reflect
+ the real Internet.
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 1]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+1. AFS Data Base location
+
+ This section defines an extension of the DNS to locate servers both
+ for AFS (AFS is a registered trademark of Transarc Corporation) and
+ for the Open Software Foundation's (OSF) Distributed Computing
+ Environment (DCE) authenticated naming system using HP/Apollo's NCA,
+ both to be components of the OSF DCE. The discussion assumes that
+ the reader is familiar with AFS [5] and NCA [6].
+
+ The AFS (originally the Andrew File System) system uses the DNS to
+ map from a domain name to the name of an AFS cell database server.
+ The DCE Naming service uses the DNS for a similar function: mapping
+ from the domain name of a cell to authenticated name servers for that
+ cell. The method uses a new RR type with mnemonic AFSDB and type
+ code of 18 (decimal).
+
+ AFSDB has the following format:
+
+ <owner> <ttl> <class> AFSDB <subtype> <hostname>
+
+ Both RDATA fields are required in all AFSDB RRs. The <subtype> field
+ is a 16 bit integer. The <hostname> field is a domain name of a host
+ that has a server for the cell named by the owner name of the RR.
+
+ The format of the AFSDB RR is class insensitive. AFSDB records cause
+ type A additional section processing for <hostname>. This, in fact,
+ is the rationale for using a new type code, rather than trying to
+ build the same functionality with TXT RRs.
+
+ Note that the format of AFSDB in a master file is identical to MX.
+ For purposes of the DNS itself, the subtype is merely an integer.
+ The present subtype semantics are discussed below, but changes are
+ possible and will be announced in subsequent RFCs.
+
+ In the case of subtype 1, the host has an AFS version 3.0 Volume
+ Location Server for the named AFS cell. In the case of subtype 2,
+ the host has an authenticated name server holding the cell-root
+ directory node for the named DCE/NCA cell.
+
+ The use of subtypes is motivated by two considerations. First, the
+ space of DNS RR types is limited. Second, the services provided are
+ sufficiently distinct that it would continue to be confusing for a
+ client to attempt to connect to a cell's servers using the protocol
+ for one service, if the cell offered only the other service.
+
+ As an example of the use of this RR, suppose that the Toaster
+ Corporation has deployed AFS 3.0 but not (yet) the OSF's DCE. Their
+ cell, named toaster.com, has three "AFS 3.0 cell database server"
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 2]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ machines: bigbird.toaster.com, ernie.toaster.com, and
+ henson.toaster.com. These three machines would be listed in three
+ AFSDB RRs. These might appear in a master file as:
+
+ toaster.com. AFSDB 1 bigbird.toaster.com.
+ toaster.com. AFSDB 1 ernie.toaster.com.
+ toaster.com. AFSDB 1 henson.toaster.com.
+
+ As another example use of this RR, suppose that Femto College (domain
+ name femto.edu) has deployed DCE, and that their DCE cell root
+ directory is served by processes running on green.femto.edu and
+ turquoise.femto.edu. Furthermore, their DCE file servers also run
+ AFS 3.0-compatible volume location servers, on the hosts
+ turquoise.femto.edu and orange.femto.edu. These machines would be
+ listed in four AFSDB RRs, which might appear in a master file as:
+
+ femto.edu. AFSDB 2 green.femto.edu.
+ femto.edu. AFSDB 2 turquoise.femto.edu.
+ femto.edu. AFSDB 1 turquoise.femto.edu.
+ femto.edu. AFSDB 1 orange.femto.edu.
+
+2. Responsible Person
+
+ The purpose of this section is to provide a standard method for
+ associating responsible person identification to any name in the DNS.
+
+ The domain name system functions as a distributed database which
+ contains many different form of information. For a particular name
+ or host, you can discover it's Internet address, mail forwarding
+ information, hardware type and operating system among others.
+
+ A key aspect of the DNS is that the tree-structured namespace can be
+ divided into pieces, called zones, for purposes of distributing
+ control and responsibility. The responsible person for zone database
+ purposes is named in the SOA RR for that zone. This section
+ describes an extension which allows different responsible persons to
+ be specified for different names in a zone.
+
+2.1. Identification of the guilty party
+
+ Often it is desirable to be able to identify the responsible entity
+ for a particular host. When that host is down or malfunctioning, it
+ is difficult to contact those parties which might resolve or repair
+ the host. Mail sent to POSTMASTER may not reach the person in a
+ timely fashion. If the host is one of a multitude of workstations,
+ there may be no responsible person which can be contacted on that
+ host.
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 3]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ The POSTMASTER mailbox on that host continues to be a good contact
+ point for mail problems, and the zone contact in the SOA record for
+ database problem, but the RP record allows us to associate a mailbox
+ to entities that don't receive mail or are not directly connected
+ (namespace-wise) to the problem (e.g., GATEWAY.ISI.EDU might want to
+ point at HOTLINE@BBN.COM, and GATEWAY doesn't get mail, nor does the
+ ISI zone administrator have a clue about fixing gateways).
+
+2.2. The Responsible Person RR
+
+ The method uses a new RR type with mnemonic RP and type code of 17
+ (decimal).
+
+ RP has the following format:
+
+ <owner> <ttl> <class> RP <mbox-dname> <txt-dname>
+
+ Both RDATA fields are required in all RP RRs.
+
+ The first field, <mbox-dname>, is a domain name that specifies the
+ mailbox for the responsible person. Its format in master files uses
+ the DNS convention for mailbox encoding, identical to that used for
+ the RNAME mailbox field in the SOA RR. The root domain name (just
+ ".") may be specified for <mbox-dname> to indicate that no mailbox is
+ available.
+
+ The second field, <txt-dname>, is a domain name for which TXT RR's
+ exist. A subsequent query can be performed to retrieve the
+ associated TXT resource records at <txt-dname>. This provides a
+ level of indirection so that the entity can be referred to from
+ multiple places in the DNS. The root domain name (just ".") may be
+ specified for <txt-dname> to indicate that the TXT_DNAME is absent,
+ and no associated TXT RR exists.
+
+ The format of the RP RR is class insensitive. RP records cause no
+ additional section processing. (TXT additional section processing
+ for <txt-dname> is allowed as an option, but only if it is disabled
+ for the root, i.e., ".").
+
+ The Responsible Person RR can be associated with any node in the
+ Domain Name System hierarchy, not just at the leaves of the tree.
+
+ The TXT RR associated with the TXT_DNAME contain free format text
+ suitable for humans. Refer to [4] for more details on the TXT RR.
+
+ Multiple RP records at a single name may be present in the database.
+ They should have identical TTLs.
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 4]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ EXAMPLES
+
+ Some examples of how the RP record might be used.
+
+ sayshell.umd.edu. A 128.8.1.14
+ MX 10 sayshell.umd.edu.
+ HINFO NeXT UNIX
+ WKS 128.8.1.14 tcp ftp telnet smtp
+ RP louie.trantor.umd.edu. LAM1.people.umd.edu.
+
+ LAM1.people.umd.edu. TXT (
+ "Louis A. Mamakos, (301) 454-2946, don't call me at home!" )
+
+ In this example, the responsible person's mailbox for the host
+ SAYSHELL.UMD.EDU is louie@trantor.umd.edu. The TXT RR at
+ LAM1.people.umd.edu provides additional information and advice.
+
+ TERP.UMD.EDU. A 128.8.10.90
+ MX 10 128.8.10.90
+ HINFO MICROVAX-II UNIX
+ WKS 128.8.10.90 udp domain
+ WKS 128.8.10.90 tcp ftp telnet smtp domain
+ RP louie.trantor.umd.edu. LAM1.people.umd.edu.
+ RP root.terp.umd.edu. ops.CS.UMD.EDU.
+
+ TRANTOR.UMD.EDU. A 128.8.10.14
+ MX 10 trantor.umd.edu.
+ HINFO MICROVAX-II UNIX
+ WKS 128.8.10.14 udp domain
+ WKS 128.8.10.14 tcp ftp telnet smtp domain
+ RP louie.trantor.umd.edu. LAM1.people.umd.edu.
+ RP petry.netwolf.umd.edu. petry.people.UMD.EDU.
+ RP root.trantor.umd.edu. ops.CS.UMD.EDU.
+ RP gregh.sunset.umd.edu. .
+
+ LAM1.people.umd.edu. TXT "Louis A. Mamakos (301) 454-2946"
+ petry.people.umd.edu. TXT "Michael G. Petry (301) 454-2946"
+ ops.CS.UMD.EDU. TXT "CS Operations Staff (301) 454-2943"
+
+ This set of resource records has two hosts, TRANTOR.UMD.EDU and
+ TERP.UMD.EDU, as well as a number of TXT RRs. Note that TERP.UMD.EDU
+ and TRANTOR.UMD.EDU both reference the same pair of TXT resource
+ records, although the mail box names (root.terp.umd.edu and
+ root.trantor.umd.edu) differ.
+
+ Here, we obviously care much more if the machine flakes out, as we've
+ specified four persons which might want to be notified of problems or
+ other events involving TRANTOR.UMD.EDU. In this example, the last RP
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 5]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ RR for TRANTOR.UMD.EDU specifies a mailbox (gregh.sunset.umd.edu),
+ but no associated TXT RR.
+
+3. X.25 and ISDN addresses, Route Binding
+
+ This section describes an experimental representation of X.25 and
+ ISDN addresses in the DNS, as well as a route binding method,
+ analogous to the MX for mail routing, for very large scale networks.
+
+ There are several possible uses, all experimental at this time.
+ First, the RRs provide simple documentation of the correct addresses
+ to use in static configurations of IP/X.25 [11] and SMTP/X.25 [12].
+
+ The RRs could also be used automatically by an internet network-layer
+ router, typically IP. The procedure would be to map IP address to
+ domain name, then name to canonical name if needed, then following RT
+ records, and finally attempting an IP/X.25 call to the address found.
+ Alternately, configured domain names could be resolved to identify IP
+ to X.25/ISDN bindings for a static but periodically refreshed routing
+ table.
+
+ This provides a function similar to ARP for wide area non-broadcast
+ networks that will scale well to a network with hundreds of millions
+ of hosts.
+
+ Also, a standard address binding reference will facilitate other
+ experiments in the use of X.25 and ISDN, especially in serious
+ inter-operability testing. The majority of work in such a test is
+ establishing the n-squared entries in static tables.
+
+ Finally, the RRs are intended for use in a proposal [13] by one of
+ the authors for a possible next-generation internet.
+
+3.1. The X25 RR
+
+ The X25 RR is defined with mnemonic X25 and type code 19 (decimal).
+
+ X25 has the following format:
+
+ <owner> <ttl> <class> X25 <PSDN-address>
+
+ <PSDN-address> is required in all X25 RRs.
+
+ <PSDN-address> identifies the PSDN (Public Switched Data Network)
+ address in the X.121 [10] numbering plan associated with <owner>.
+ Its format in master files is a <character-string> syntactically
+ identical to that used in TXT and HINFO.
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 6]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ The format of X25 is class insensitive. X25 RRs cause no additional
+ section processing.
+
+ The <PSDN-address> is a string of decimal digits, beginning with the
+ 4 digit DNIC (Data Network Identification Code), as specified in
+ X.121. National prefixes (such as a 0) MUST NOT be used.
+
+ For example:
+
+ Relay.Prime.COM. X25 311061700956
+
+3.2. The ISDN RR
+
+ The ISDN RR is defined with mnemonic ISDN and type code 20 (decimal).
+
+ An ISDN (Integrated Service Digital Network) number is simply a
+ telephone number. The intent of the members of the CCITT is to
+ upgrade all telephone and data network service to a common service.
+
+ The numbering plan (E.163/E.164) is the same as the familiar
+ international plan for POTS (an un-official acronym, meaning Plain
+ Old Telephone Service). In E.166, CCITT says "An E.163/E.164
+ telephony subscriber may become an ISDN subscriber without a number
+ change."
+
+ ISDN has the following format:
+
+ <owner> <ttl> <class> ISDN <ISDN-address> <sa>
+
+ The <ISDN-address> field is required; <sa> is optional.
+
+ <ISDN-address> identifies the ISDN number of <owner> and DDI (Direct
+ Dial In) if any, as defined by E.164 [8] and E.163 [7], the ISDN and
+ PSTN (Public Switched Telephone Network) numbering plan. E.163
+ defines the country codes, and E.164 the form of the addresses. Its
+ format in master files is a <character-string> syntactically
+ identical to that used in TXT and HINFO.
+
+ <sa> specifies the subaddress (SA). The format of <sa> in master
+ files is a <character-string> syntactically identical to that used in
+ TXT and HINFO.
+
+ The format of ISDN is class insensitive. ISDN RRs cause no
+ additional section processing.
+
+ The <ISDN-address> is a string of characters, normally decimal
+ digits, beginning with the E.163 country code and ending with the DDI
+ if any. Note that ISDN, in Q.931, permits any IA5 character in the
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 7]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ general case.
+
+ The <sa> is a string of hexadecimal digits. For digits 0-9, the
+ concrete encoding in the Q.931 call setup information element is
+ identical to BCD.
+
+ For example:
+
+ Relay.Prime.COM. IN ISDN 150862028003217
+ sh.Prime.COM. IN ISDN 150862028003217 004
+
+ (Note: "1" is the country code for the North American Integrated
+ Numbering Area, i.e., the system of "area codes" familiar to people
+ in those countries.)
+
+ The RR data is the ASCII representation of the digits. It is encoded
+ as one or two <character-string>s, i.e., count followed by
+ characters.
+
+ CCITT recommendation E.166 [9] defines prefix escape codes for the
+ representation of ISDN (E.163/E.164) addresses in X.121, and PSDN
+ (X.121) addresses in E.164. It specifies that the exact codes are a
+ "national matter", i.e., different on different networks. A host
+ connected to the ISDN may be able to use both the X25 and ISDN
+ addresses, with the local prefix added.
+
+3.3. The Route Through RR
+
+ The Route Through RR is defined with mnemonic RT and type code 21
+ (decimal).
+
+ The RT resource record provides a route-through binding for hosts
+ that do not have their own direct wide area network addresses. It is
+ used in much the same way as the MX RR.
+
+ RT has the following format:
+
+ <owner> <ttl> <class> RT <preference> <intermediate-host>
+
+ Both RDATA fields are required in all RT RRs.
+
+ The first field, <preference>, is a 16 bit integer, representing the
+ preference of the route. Smaller numbers indicate more preferred
+ routes.
+
+ <intermediate-host> is the domain name of a host which will serve as
+ an intermediate in reaching the host specified by <owner>. The DNS
+ RRs associated with <intermediate-host> are expected to include at
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 8]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ least one A, X25, or ISDN record.
+
+ The format of the RT RR is class insensitive. RT records cause type
+ X25, ISDN, and A additional section processing for <intermediate-
+ host>.
+
+ For example,
+
+ sh.prime.com. IN RT 2 Relay.Prime.COM.
+ IN RT 10 NET.Prime.COM.
+ *.prime.com. IN RT 90 Relay.Prime.COM.
+
+ When a host is looking up DNS records to attempt to route a datagram,
+ it first looks for RT records for the destination host, which point
+ to hosts with address records (A, X25, ISDN) compatible with the wide
+ area networks available to the host. If it is itself in the set of
+ RT records, it discards any RTs with preferences higher or equal to
+ its own. If there are no (remaining) RTs, it can then use address
+ records of the destination itself.
+
+ Wild-card RTs are used exactly as are wild-card MXs. RT's do not
+ "chain"; that is, it is not valid to use the RT RRs found for a host
+ referred to by an RT.
+
+ The concrete encoding is identical to the MX RR.
+
+REFERENCES and BIBLIOGRAPHY
+
+ [1] Stahl, M., "Domain Administrators Guide", RFC 1032, Network
+ Information Center, SRI International, November 1987.
+
+ [2] Lottor, M., "Domain Administrators Operations Guide", RFC 1033,
+ Network Information Center, SRI International, November, 1987.
+
+ [3] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC
+ 1034, USC/Information Sciences Institute, November 1987.
+
+ [4] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, USC/Information Sciences Institute,
+ November 1987.
+
+ [5] Spector A., and M. Kazar, "Uniting File Systems", UNIX Review,
+ 7(3), pp. 61-69, March 1989.
+
+ [6] Zahn, et al., "Network Computing Architecture", Prentice-Hall,
+ 1989.
+
+ [7] International Telegraph and Telephone Consultative Committee,
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 9]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+ "Numbering Plan for the International Telephone Service", CCITT
+ Recommendations E.163., IXth Plenary Assembly, Melbourne, 1988,
+ Fascicle II.2 ("Blue Book").
+
+ [8] International Telegraph and Telephone Consultative Committee,
+ "Numbering Plan for the ISDN Era", CCITT Recommendations E.164.,
+ IXth Plenary Assembly, Melbourne, 1988, Fascicle II.2 ("Blue
+ Book").
+
+ [9] International Telegraph and Telephone Consultative Committee.
+ "Numbering Plan Interworking in the ISDN Era", CCITT
+ Recommendations E.166., IXth Plenary Assembly, Melbourne, 1988,
+ Fascicle II.2 ("Blue Book").
+
+ [10] International Telegraph and Telephone Consultative Committee,
+ "International Numbering Plan for the Public Data Networks",
+ CCITT Recommendations X.121., IXth Plenary Assembly, Melbourne,
+ 1988, Fascicle VIII.3 ("Blue Book"); provisional, Geneva, 1978;
+ amended, Geneva, 1980, Malaga-Torremolinos, 1984 and Melborne,
+ 1988.
+
+ [11] Korb, J., "Standard for the Transmission of IP datagrams Over
+ Public Data Networks", RFC 877, Purdue University, September
+ 1983.
+
+ [12] Ullmann, R., "SMTP on X.25", RFC 1090, Prime Computer, February
+ 1989.
+
+ [13] Ullmann, R., "TP/IX: The Next Internet", Prime Computer
+ (unpublished), July 1990.
+
+ [14] Mockapetris, P., "DNS Encoding of Network Names and Other Types",
+ RFC 1101, USC/Information Sciences Institute, April 1989.
+
+Security Considerations
+
+ Security issues are not addressed in this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 10]
+
+RFC 1183 New DNS RR Definitions October 1990
+
+
+Authors' Addresses
+
+ Craig F. Everhart
+ Transarc Corporation
+ The Gulf Tower
+ 707 Grant Street
+ Pittsburgh, PA 15219
+
+ Phone: +1 412 338 4467
+
+ EMail: Craig_Everhart@transarc.com
+
+
+ Louis A. Mamakos
+ Network Infrastructure Group
+ Computer Science Center
+ University of Maryland
+ College Park, MD 20742-2411
+
+ Phone: +1-301-405-7836
+
+ Email: louie@Sayshell.UMD.EDU
+
+
+ Robert Ullmann 10-30
+ Prime Computer, Inc.
+ 500 Old Connecticut Path
+ Framingham, MA 01701
+
+ Phone: +1 508 620 2800 ext 1736
+
+ Email: Ariel@Relay.Prime.COM
+
+
+ Paul Mockapetris
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292
+
+ Phone: 213-822-1511
+
+ EMail: pvm@isi.edu
+
+
+
+
+
+
+
+
+
+Everhart, Mamakos, Ullmann & Mockapetris [Page 11]
+ \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1348.txt b/contrib/bind9/doc/rfc/rfc1348.txt
new file mode 100644
index 0000000..d9e5dea
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1348.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group B. Manning
+Request for Comments: 1348 Rice University
+Updates: RFCs 1034, 1035 July 1992
+
+
+ DNS NSAP RRs
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. Discussion and suggestions for improvement are requested.
+ Please refer to the current edition of the "IAB Official Protocol
+ Standards" for the standardization state and status of this protocol.
+ Distribution of this memo is unlimited.
+
+Table of Contents
+
+ Introduction ..................................................... 1
+ Background ....................................................... 1
+ NSAP RR .......................................................... 2
+ NSAP-PTR RR ...................................................... 2
+ REFERENCES and BIBLIOGRAPHY ...................................... 3
+ Security Considerations .......................................... 4
+ Author's Address ................................................. 4
+
+Introduction
+
+ This RFC defines the format of two new Resource Records (RRs) for the
+ Domain Name System (DNS), and reserves corresponding DNS type
+ mnemonic and numerical codes. This format may be used with the any
+ proposal that has variable length addresses, but is targeted for CLNP
+ use.
+
+ This memo assumes that the reader is familiar with the DNS [3,4].
+
+Background
+
+ This section describes an experimental representation of NSAP
+ addresses in the DNS. There are several reasons to take this approch.
+ First, it provides simple documentation of the correct addresses to
+ use in static configurations of CLNP compliant hosts and routers.
+
+ NSAP support requires that a new DNS resource record entry type
+ ("NSAP") be defined, to store longer Internet (i.e., NSAP) addresses.
+ This resource record allows mapping from DNS names to NSAP addresses,
+ and will contain entries for systems which are able to run Internet
+ applications, over TCP or UDP, over CLNP.
+
+
+
+
+Manning [Page 1]
+
+RFC 1348 DNS NSAP RRs July 1992
+
+
+ The backward translation (from NSAP address to DNS name) is
+ facilitated by definition of an associated resource record. This
+ resource record is known as "NSAP-PTR", and is used in a manner
+ analogous to the existing "in-addr.arpa".
+
+ These RRs are intended for use in a proposal [6] by one of the
+ members of the NOOP WG to address the next-generation internet.
+
+The NSAP RR
+
+ The NSAP RR is defined with mnemonic NSAP and type code 22 (decimal).
+
+ An NSAP (Network Service Access Protocol) number is a unique string
+ to OSI transport service.
+
+ The numbering plan follows RFC 1237 and associated OSI definitions
+ for NSAP format.
+
+ NSAP has the following format:
+
+ <owner> <ttl> <class> NSAP <length> <NSAP-address>
+
+ All fields are required.
+
+ <length> identifies the number of octets in the <NSAP-address> as
+ defined by the various national and international authorities.
+
+ <NSAP-address> enumerates the actual octet values assigned by the
+ assigning authority. Its format in master files is a <character-
+ string> syntactically identical to that used in TXT and HINFO.
+
+ The format of NSAP is class insensitive. NSAP RR causes no
+ additional section processing.
+
+ For example:
+
+foo.bar.com. IN NSAP 21 47000580ffff000000321099991111222233334444
+host.school.de IN NSAP 17 39276f3100111100002222333344449876
+
+ The RR data is the ASCII representation of the digits. It is encoded
+ as two <character-strings>, i.e., count followed by characters.
+
+The NSAP-PTR RR
+
+ The NSAP-PTR RR is defined with mnemonic NSAP-PTR and a type code 23
+ (decimal).
+
+ Its function is analogous to the PTR record used for IP addresses
+
+
+
+Manning [Page 2]
+
+RFC 1348 DNS NSAP RRs July 1992
+
+
+ [4,7].
+
+ NSAP-PTR has the following format:
+
+ <NSAP-suffix> <ttl> <class> NSAP-PTR <owner>
+
+ All fields are required.
+
+ <NSAP-suffix> enumerates the actual octet values assigned by the
+ assigning authority for the LOCAL network. Its format in master
+ files is a <character-string> syntactically identical to that used in
+ TXT and HINFO.
+
+ The format of NSAP-PTR is class insensitive. NSAP-PTR RR causes no
+ additional section processing.
+
+ For example:
+
+ In net ff08000574.nsap-in-addr.arpa:
+
+ 444433332222111199990123000000ff NSAP-PTR foo.bar.com.
+
+ Or in net 11110031f67293.nsap-in-addr.arpa:
+
+ 67894444333322220000 NSAP-PTR host.school.de.
+
+ The RR data is the ASCII representation of the digits. It is encoded
+ as a <character-string>.
+
+REFERENCES and BIBLIOGRAPHY
+
+ [1] Stahl, M., "Domain Administrators Guide", RFC 1032, Network
+ Information Center, SRI International, November 1987.
+
+ [2] Lottor, M., "Domain Administrators Operations Guide", RFC 1033,
+ Network Information Center, SRI International, November, 1987.
+
+ [3] Mockapetris, P., "Domain Names - Concepts and Facilities", RFC
+ 1034, USC/Information Sciences Institute, November 1987.
+
+ [4] Mockapetris, P., "Domain Names - Implementation and
+ Specification", RFC 1035, USC/Information Sciences Institute,
+ November 1987.
+
+ [5] Colella, R., Gardner, E., and R. Callon, "Guidelines for OSI
+ NSAP Allocation in the Internet", RFC 1237, NIST, Mitre, DEC,
+ July 1991.
+
+
+
+
+Manning [Page 3]
+
+RFC 1348 DNS NSAP RRs July 1992
+
+
+ [6] Callon, R., "TCP and UDP with Bigger Addresses (TUBA),
+ A Simple Proposal for Internet Addressing and Routing",
+ Digital Equipment Corporation, RFC 1347, June 1992.
+
+ [7] Mockapetris, P., "DNS Encoding of Network Names and Other Types",
+ RFC 1101, USC/Information Sciences Institute, April 1989.
+
+ [8] ISO/IEC. Information Processing Systems -- Data Communications
+ -- Network Service Definition Addendum 2: Network Layer Address-
+ ing. International Standard 8348/Addendum 2, ISO/IEC JTC 1,
+ Switzerland, 1988.
+
+ [9] Bryant, P., "NSAPs", PB660, IPTAG/92/23, SCIENCE AND ENGINEERING
+ RESEARCH COUNCIL, RUTHERFORD APPLETON LABORATORY May 1992.
+
+Security Considerations
+
+ Security issues are not addressed in this memo.
+
+Author's Address
+
+ Bill Manning
+ Rice University - ONCS
+ PO Box 1892
+ 6100 South Main
+ Houston, Texas 77251-1892
+
+ Phone: +1.713.285.5415
+ EMail: bmanning@rice.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Manning [Page 4]
+ \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1535.txt b/contrib/bind9/doc/rfc/rfc1535.txt
new file mode 100644
index 0000000..03bddee
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1535.txt
@@ -0,0 +1,283 @@
+
+
+
+
+
+
+Network Working Group E. Gavron
+Request for Comments: 1535 ACES Research Inc.
+Category: Informational October 1993
+
+
+ A Security Problem and Proposed Correction
+ With Widely Deployed DNS Software
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard. Distribution of this memo is
+ unlimited.
+
+Abstract
+
+ This document discusses a flaw in some of the currently distributed
+ name resolver clients. The flaw exposes a security weakness related
+ to the search heuristic invoked by these same resolvers when users
+ provide a partial domain name, and which is easy to exploit (although
+ not by the masses). This document points out the flaw, a case in
+ point, and a solution.
+
+Background
+
+ Current Domain Name Server clients are designed to ease the burden of
+ remembering IP dotted quad addresses. As such they translate human-
+ readable names into addresses and other resource records. Part of
+ the translation process includes understanding and dealing with
+ hostnames that are not fully qualified domain names (FQDNs).
+
+ An absolute "rooted" FQDN is of the format {name}{.} A non "rooted"
+ domain name is of the format {name}
+
+ A domain name may have many parts and typically these include the
+ host, domain, and type. Example: foobar.company.com or
+ fooschool.university.edu.
+
+Flaw
+
+ The problem with most widely distributed resolvers based on the BSD
+ BIND resolver is that they attempt to resolve a partial name by
+ processing a search list of partial domains to be added to portions
+ of the specified host name until a DNS record is found. This
+ "feature" is disabled by default in the official BIND 4.9.2 release.
+
+ Example: A TELNET attempt by User@Machine.Tech.ACES.COM
+ to UnivHost.University.EDU
+
+
+
+Gavron [Page 1]
+
+RFC 1535 DNS Software Enhancements October 1993
+
+
+ The resolver client will realize that since "UnivHost.University.EDU"
+ does not end with a ".", it is not an absolute "rooted" FQDN. It
+ will then try the following combinations until a resource record is
+ found:
+
+ UnivHost.University.EDU.Tech.ACES.COM.
+ UnivHost.University.EDU.ACES.COM.
+ UnivHost.University.EDU.COM.
+ UnivHost.University.EDU.
+
+Security Issue
+
+ After registering the EDU.COM domain, it was discovered that an
+ unliberal application of one wildcard CNAME record would cause *all*
+ connects from any .COM site to any .EDU site to terminate at one
+ target machine in the private edu.com sub-domain.
+
+ Further, discussion reveals that specific hostnames registered in
+ this private subdomain, or any similarly named subdomain may be used
+ to spoof a host.
+
+ Example: harvard.edu.com. CNAME targethost
+
+ Thus all connects to Harvard.edu from all .com sites would end up at
+ targthost, a machine which could provide a Harvard.edu login banner.
+
+ This is clearly unacceptable. Further, it could only be made worse
+ with domains like COM.EDU, MIL.GOV, GOV.COM, etc.
+
+Public vs. Local Name Space Administration
+
+ The specification of the Domain Name System and the software that
+ implements it provides an undifferentiated hierarchy which permits
+ delegation of administration for subordinate portions of the name
+ space. Actual administration of the name space is divided between
+ "public" and "local" portions. Public administration pertains to all
+ top-level domains, such as .COM and .EDU. For some domains, it also
+ pertains to some number of sub-domain levels. The multi-level nature
+ of the public administration is most evident for top-level domains
+ for countries. For example in the Fully Qualified Domain Name,
+ dbc.mtview.ca.us., the portion "mtview.ca.us" represents three levels
+ of public administration. Only the left-most portion is subject to
+ local administration.
+
+
+
+
+
+
+
+
+Gavron [Page 2]
+
+RFC 1535 DNS Software Enhancements October 1993
+
+
+ The danger of the heuristic search common in current practise is that
+ it it is possible to "intercept" the search by matching against an
+ unintended value while walking up the search list. While this is
+ potentially dangerous at any level, it is entirely unacceptable when
+ the error impacts users outside of a local administration.
+
+ When attempting to resolve a partial domain name, DNS resolvers use
+ the Domain Name of the searching host for deriving the search list.
+ Existing DNS resolvers do not distinguish the portion of that name
+ which is in the locally administered scope from the part that is
+ publically administered.
+
+Solution(s)
+
+ At a minimum, DNS resolvers must honor the BOUNDARY between local and
+ public administration, by limiting any search lists to locally-
+ administered portions of the Domain Name space. This requires a
+ parameter which shows the scope of the name space controlled by the
+ local administrator.
+
+ This would permit progressive searches from the most qualified to
+ less qualified up through the locally controlled domain, but not
+ beyond.
+
+ For example, if the local user were trying to reach:
+
+ User@chief.admin.DESERTU.EDU from
+ starburst,astro.DESERTU.EDU,
+
+ it is reasonable to permit the user to enter just chief.admin, and
+ for the search to cover:
+
+ chief.admin.astro.DESERTU.EDU
+ chief.admin.DESERTU.EDU
+
+ but not
+
+ chief.admin.EDU
+
+ In this case, the value of "search" should be set to "DESERTU.EDU"
+ because that's the scope of the name space controlled by the local
+ DNS administrator.
+
+ This is more than a mere optimization hack. The local administrator
+ has control over the assignment of names within the locally
+ administered domain, so the administrator can make sure that
+ abbreviations result in the right thing. Outside of the local
+ control, users are necessarily at risk.
+
+
+
+Gavron [Page 3]
+
+RFC 1535 DNS Software Enhancements October 1993
+
+
+ A more stringent mechanism is implemented in BIND 4.9.2, to respond
+ to this problem:
+
+ The DNS Name resolver clients narrows its IMPLICIT search list IF ANY
+ to only try the first and the last of the examples shown.
+
+ Any additional search alternatives must be configured into the
+ resolver EXPLICITLY.
+
+ DNS Name resolver software SHOULD NOT use implicit search lists in
+ attempts to resolve partial names into absolute FQDNs other than the
+ hosts's immediate parent domain.
+
+ Resolvers which continue to use implicit search lists MUST limit
+ their scope to locally administered sub-domains.
+
+ DNS Name resolver software SHOULD NOT come pre-configured with
+ explicit search lists that perpetuate this problem.
+
+ Further, in any event where a "." exists in a specified name it
+ should be assumed to be a fully qualified domain name (FQDN) and
+ SHOULD be tried as a rooted name first.
+
+ Example: Given user@a.b.c.d connecting to e.f.g.h only two tries
+ should be attempted as a result of using an implicit
+ search list:
+
+ e.f.g.h. and e.f.g.h.b.c.d.
+
+ Given user@a.b.c.d. connecting to host those same two
+ tries would appear as:
+
+ x.b.c.d. and x.
+
+ Some organizations make regular use of multi-part, partially
+ qualified Domain Names. For example, host foo.loc1.org.city.state.us
+ might be used to making references to bar.loc2, or mumble.loc3, all
+ of which refer to whatever.locN.org.city.state.us
+
+ The stringent implicit search rules for BIND 4.9.2 will now cause
+ these searches to fail. To return the ability for them to succeed,
+ configuration of the client resolvers must be changed to include an
+ explicit search rule for org.city.state.us. That is, it must contain
+ an explicit rule for any -- and each -- portion of the locally-
+ administered sub-domain that it wishes to have as part of the search
+ list.
+
+
+
+
+
+Gavron [Page 4]
+
+RFC 1535 DNS Software Enhancements October 1993
+
+
+References
+
+ [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
+ RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names Implementation and Specification",
+ STD 13, RFC 1035, USC/Information Sciences Institute, November
+ 1987.
+
+ [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
+ 974, CSNET CIC BBN, January 1986.
+
+ [4] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller,
+ "Common DNS Implementation Errors and Suggested Fixes", RFC 1536,
+ USC/Information Sciences Institute, USC, October 1993.
+
+ [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
+ 1537, CWI, October 1993.
+
+Security Considerations
+
+ This memo indicates vulnerabilities with all too-forgiving DNS
+ clients. It points out a correction that would eliminate the future
+ potential of the problem.
+
+Author's Address
+
+ Ehud Gavron
+ ACES Research Inc.
+ PO Box 14546
+ Tucson, AZ 85711
+
+ Phone: (602) 743-9841
+ EMail: gavron@aces.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gavron [Page 5]
+
diff --git a/contrib/bind9/doc/rfc/rfc1536.txt b/contrib/bind9/doc/rfc/rfc1536.txt
new file mode 100644
index 0000000..5ff2b25
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1536.txt
@@ -0,0 +1,675 @@
+
+
+
+
+
+
+Network Working Group A. Kumar
+Request for Comments: 1536 J. Postel
+Category: Informational C. Neuman
+ ISI
+ P. Danzig
+ S. Miller
+ USC
+ October 1993
+
+
+ Common DNS Implementation Errors and Suggested Fixes
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard. Distribution of this memo is
+ unlimited.
+
+Abstract
+
+ This memo describes common errors seen in DNS implementations and
+ suggests some fixes. Where applicable, violations of recommendations
+ from STD 13, RFC 1034 and STD 13, RFC 1035 are mentioned. The memo
+ also describes, where relevant, the algorithms followed in BIND
+ (versions 4.8.3 and 4.9 which the authors referred to) to serve as an
+ example.
+
+Introduction
+
+ The last few years have seen, virtually, an explosion of DNS traffic
+ on the NSFnet backbone. Various DNS implementations and various
+ versions of these implementations interact with each other, producing
+ huge amounts of unnecessary traffic. Attempts are being made by
+ researchers all over the internet, to document the nature of these
+ interactions, the symptomatic traffic patterns and to devise remedies
+ for the sick pieces of software.
+
+ This draft is an attempt to document fixes for known DNS problems so
+ people know what problems to watch out for and how to repair broken
+ software.
+
+1. Fast Retransmissions
+
+ DNS implements the classic request-response scheme of client-server
+ interaction. UDP is, therefore, the chosen protocol for communication
+ though TCP is used for zone transfers. The onus of requerying in case
+ no response is seen in a "reasonable" period of time, lies with the
+ client. Although RFC 1034 and 1035 do not recommend any
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 1]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ retransmission policy, RFC 1035 does recommend that the resolvers
+ should cycle through a list of servers. Both name servers and stub
+ resolvers should, therefore, implement some kind of a retransmission
+ policy based on round trip time estimates of the name servers. The
+ client should back-off exponentially, probably to a maximum timeout
+ value.
+
+ However, clients might not implement either of the two. They might
+ not wait a sufficient amount of time before retransmitting or they
+ might not back-off their inter-query times sufficiently.
+
+ Thus, what the server would see will be a series of queries from the
+ same querying entity, spaced very close together. Of course, a
+ correctly implemented server discards all duplicate queries but the
+ queries contribute to wide-area traffic, nevertheless.
+
+ We classify a retransmission of a query as a pure Fast retry timeout
+ problem when a series of query packets meet the following conditions.
+
+ a. Query packets are seen within a time less than a "reasonable
+ waiting period" of each other.
+
+ b. No response to the original query was seen i.e., we see two or
+ more queries, back to back.
+
+ c. The query packets share the same query identifier.
+
+ d. The server eventually responds to the query.
+
+A GOOD IMPLEMENTATION:
+
+ BIND (we looked at versions 4.8.3 and 4.9) implements a good
+ retransmission algorithm which solves or limits all of these
+ problems. The Berkeley stub-resolver queries servers at an interval
+ that starts at the greater of 4 seconds and 5 seconds divided by the
+ number of servers the resolver queries. The resolver cycles through
+ servers and at the end of a cycle, backs off the time out
+ exponentially.
+
+ The Berkeley full-service resolver (built in with the program
+ "named") starts with a time-out equal to the greater of 4 seconds and
+ two times the round-trip time estimate of the server. The time-out
+ is backed off with each cycle, exponentially, to a ceiling value of
+ 45 seconds.
+
+
+
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 2]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+FIXES:
+
+ a. Estimate round-trip times or set a reasonably high initial
+ time-out.
+
+ b. Back-off timeout periods exponentially.
+
+ c. Yet another fundamental though difficult fix is to send the
+ client an acknowledgement of a query, with a round-trip time
+ estimate.
+
+ Since UDP is used, no response is expected by the client until the
+ query is complete. Thus, it is less likely to have information about
+ previous packets on which to estimate its back-off time. Unless, you
+ maintain state across queries, so subsequent queries to the same
+ server use information from previous queries. Unfortunately, such
+ estimates are likely to be inaccurate for chained requests since the
+ variance is likely to be high.
+
+ The fix chosen in the ARDP library used by Prospero is that the
+ server will send an initial acknowledgement to the client in those
+ cases where the server expects the query to take a long time (as
+ might be the case for chained queries). This initial acknowledgement
+ can include an expected time to wait before retrying.
+
+ This fix is more difficult since it requires that the client software
+ also be trained to expect the acknowledgement packet. This, in an
+ internet of millions of hosts is at best a hard problem.
+
+2. Recursion Bugs
+
+ When a server receives a client request, it first looks up its zone
+ data and the cache to check if the query can be answered. If the
+ answer is unavailable in either place, the server seeks names of
+ servers that are more likely to have the information, in its cache or
+ zone data. It then does one of two things. If the client desires the
+ server to recurse and the server architecture allows recursion, the
+ server chains this request to these known servers closest to the
+ queried name. If the client doesn't seek recursion or if the server
+ cannot handle recursion, it returns the list of name servers to the
+ client assuming the client knows what to do with these records.
+
+ The client queries this new list of name servers to get either the
+ answer, or names of another set of name servers to query. This
+ process repeats until the client is satisfied. Servers might also go
+ through this chaining process if the server returns a CNAME record
+ for the queried name. Some servers reprocess this name to try and get
+ the desired record type.
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 3]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ However, in certain cases, this chain of events may not be good. For
+ example, a broken or malicious name server might list itself as one
+ of the name servers to query again. The unsuspecting client resends
+ the same query to the same server.
+
+ In another situation, more difficult to detect, a set of servers
+ might form a loop wherein A refers to B and B refers to A. This loop
+ might involve more than two servers.
+
+ Yet another error is where the client does not know how to process
+ the list of name servers returned, and requeries the same server
+ since that is one (of the few) servers it knows.
+
+ We, therefore, classify recursion bugs into three distinct
+ categories:
+
+ a. Ignored referral: Client did not know how to handle NS records
+ in the AUTHORITY section.
+
+ b. Too many referrals: Client called on a server too many times,
+ beyond a "reasonable" number, with same query. This is
+ different from a Fast retransmission problem and a Server
+ Failure detection problem in that a response is seen for every
+ query. Also, the identifiers are always different. It implies
+ client is in a loop and should have detected that and broken
+ it. (RFC 1035 mentions that client should not recurse beyond
+ a certain depth.)
+
+ c. Malicious Server: a server refers to itself in the authority
+ section. If a server does not have an answer now, it is very
+ unlikely it will be any better the next time you query it,
+ specially when it claims to be authoritative over a domain.
+
+ RFC 1034 warns against such situations, on page 35.
+
+ "Bound the amount of work (packets sent, parallel processes
+ started) so that a request can't get into an infinite loop or
+ start off a chain reaction of requests or queries with other
+ implementations EVEN IF SOMEONE HAS INCORRECTLY CONFIGURED
+ SOME DATA."
+
+A GOOD IMPLEMENTATION:
+
+ BIND fixes at least one of these problems. It places an upper limit
+ on the number of recursive queries it will make, to answer a
+ question. It chases a maximum of 20 referral links and 8 canonical
+ name translations.
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 4]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+FIXES:
+
+ a. Set an upper limit on the number of referral links and CNAME
+ links you are willing to chase.
+
+ Note that this is not guaranteed to break only recursion loops.
+ It could, in a rare case, prune off a very long search path,
+ prematurely. We know, however, with high probability, that if
+ the number of links cross a certain metric (two times the depth
+ of the DNS tree), it is a recursion problem.
+
+ b. Watch out for self-referring servers. Avoid them whenever
+ possible.
+
+ c. Make sure you never pass off an authority NS record with your
+ own name on it!
+
+ d. Fix clients to accept iterative answers from servers not built
+ to provide recursion. Such clients should either be happy with
+ the non-authoritative answer or be willing to chase the
+ referral links themselves.
+
+3. Zero Answer Bugs:
+
+ Name servers sometimes return an authoritative NOERROR with no
+ ANSWER, AUTHORITY or ADDITIONAL records. This happens when the
+ queried name is valid but it does not have a record of the desired
+ type. Of course, the server has authority over the domain.
+
+ However, once again, some implementations of resolvers do not
+ interpret this kind of a response reasonably. They always expect an
+ answer record when they see an authoritative NOERROR. These entities
+ continue to resend their queries, possibly endlessly.
+
+A GOOD IMPLEMENTATION
+
+ BIND resolver code does not query a server more than 3 times. If it
+ is unable to get an answer from 4 servers, querying them three times
+ each, it returns error.
+
+ Of course, it treats a zero-answer response the way it should be
+ treated; with respect!
+
+FIXES:
+
+ a. Set an upper limit on the number of retransmissions for a given
+ query, at the very least.
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 5]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ b. Fix resolvers to interpret such a response as an authoritative
+ statement of non-existence of the record type for the given
+ name.
+
+4. Inability to detect server failure:
+
+ Servers in the internet are not very reliable (they go down every
+ once in a while) and resolvers are expected to adapt to the changed
+ scenario by not querying the server for a while. Thus, when a server
+ does not respond to a query, resolvers should try another server.
+ Also, non-stub resolvers should update their round trip time estimate
+ for the server to a large value so that server is not tried again
+ before other, faster servers.
+
+ Stub resolvers, however, cycle through a fixed set of servers and if,
+ unfortunately, a server is down while others do not respond for other
+ reasons (high load, recursive resolution of query is taking more time
+ than the resolver's time-out, ....), the resolver queries the dead
+ server again! In fact, some resolvers might not set an upper limit on
+ the number of query retransmissions they will send and continue to
+ query dead servers indefinitely.
+
+ Name servers running system or chained queries might also suffer from
+ the same problem. They store names of servers they should query for a
+ given domain. They cycle through these names and in case none of them
+ answers, hit each one more than one. It is, once again, important
+ that there be an upper limit on the number of retransmissions, to
+ prevent network overload.
+
+ This behavior is clearly in violation of the dictum in RFC 1035 (page
+ 46)
+
+ "If a resolver gets a server error or other bizarre response
+ from a name server, it should remove it from SLIST, and may
+ wish to schedule an immediate transmission to the next
+ candidate server address."
+
+ Removal from SLIST implies that the server is not queried again for
+ some time.
+
+ Correctly implemented full-service resolvers should, as pointed out
+ before, update round trip time values for servers that do not respond
+ and query them only after other, good servers. Full-service resolvers
+ might, however, not follow any of these common sense directives. They
+ query dead servers, and they query them endlessly.
+
+
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 6]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+A GOOD IMPLEMENTATION:
+
+ BIND places an upper limit on the number of times it queries a
+ server. Both the stub-resolver and the full-service resolver code do
+ this. Also, since the full-service resolver estimates round-trip
+ times and sorts name server addresses by these estimates, it does not
+ query a dead server again, until and unless all the other servers in
+ the list are dead too! Further, BIND implements exponential back-off
+ too.
+
+FIXES:
+
+ a. Set an upper limit on number of retransmissions.
+
+ b. Measure round-trip time from servers (some estimate is better
+ than none). Treat no response as a "very large" round-trip
+ time.
+
+ c. Maintain a weighted rtt estimate and decay the "large" value
+ slowly, with time, so that the server is eventually tested
+ again, but not after an indefinitely long period.
+
+ d. Follow an exponential back-off scheme so that even if you do
+ not restrict the number of queries, you do not overload the
+ net excessively.
+
+5. Cache Leaks:
+
+ Every resource record returned by a server is cached for TTL seconds,
+ where the TTL value is returned with the RR. Full-service (or stub)
+ resolvers cache the RR and answer any queries based on this cached
+ information, in the future, until the TTL expires. After that, one
+ more query to the wide-area network gets the RR in cache again.
+
+ Full-service resolvers might not implement this caching mechanism
+ well. They might impose a limit on the cache size or might not
+ interpret the TTL value correctly. In either case, queries repeated
+ within a TTL period of a RR constitute a cache leak.
+
+A GOOD/BAD IMPLEMENTATION:
+
+ BIND has no restriction on the cache size and the size is governed by
+ the limits on the virtual address space of the machine it is running
+ on. BIND caches RRs for the duration of the TTL returned with each
+ record.
+
+ It does, however, not follow the RFCs with respect to interpretation
+ of a 0 TTL value. If a record has a TTL value of 0 seconds, BIND uses
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 7]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ the minimum TTL value, for that zone, from the SOA record and caches
+ it for that duration. This, though it saves some traffic on the
+ wide-area network, is not correct behavior.
+
+FIXES:
+
+ a. Look over your caching mechanism to ensure TTLs are interpreted
+ correctly.
+
+ b. Do not restrict cache sizes (come on, memory is cheap!).
+ Expired entries are reclaimed periodically, anyway. Of course,
+ the cache size is bound to have some physical limit. But, when
+ possible, this limit should be large (run your name server on
+ a machine with a large amount of physical memory).
+
+ c. Possibly, a mechanism is needed to flush the cache, when it is
+ known or even suspected that the information has changed.
+
+6. Name Error Bugs:
+
+ This bug is very similar to the Zero Answer bug. A server returns an
+ authoritative NXDOMAIN when the queried name is known to be bad, by
+ the server authoritative for the domain, in the absence of negative
+ caching. This authoritative NXDOMAIN response is usually accompanied
+ by the SOA record for the domain, in the authority section.
+
+ Resolvers should recognize that the name they queried for was a bad
+ name and should stop querying further.
+
+ Some resolvers might, however, not interpret this correctly and
+ continue to query servers, expecting an answer record.
+
+ Some applications, in fact, prompt NXDOMAIN answers! When given a
+ perfectly good name to resolve, they append the local domain to it
+ e.g., an application in the domain "foo.bar.com", when trying to
+ resolve the name "usc.edu" first tries "usc.edu.foo.bar.com", then
+ "usc.edu.bar.com" and finally the good name "usc.edu". This causes at
+ least two queries that return NXDOMAIN, for every good query. The
+ problem is aggravated since the negative answers from the previous
+ queries are not cached. When the same name is sought again, the
+ process repeats.
+
+ Some DNS resolver implementations suffer from this problem, too. They
+ append successive sub-parts of the local domain using an implicit
+ searchlist mechanism, when certain conditions are satisfied and try
+ the original name, only when this first set of iterations fails. This
+ behavior recently caused pandemonium in the Internet when the domain
+ "edu.com" was registered and a wildcard "CNAME" record placed at the
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 8]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ top level. All machines from "com" domains trying to connect to hosts
+ in the "edu" domain ended up with connections to the local machine in
+ the "edu.com" domain!
+
+GOOD/BAD IMPLEMENTATIONS:
+
+ Some local versions of BIND already implement negative caching. They
+ typically cache negative answers with a very small TTL, sufficient to
+ answer a burst of queries spaced close together, as is typically
+ seen.
+
+ The next official public release of BIND (4.9.2) will have negative
+ caching as an ifdef'd feature.
+
+ The BIND resolver appends local domain to the given name, when one of
+ two conditions is met:
+
+ i. The name has no periods and the flag RES_DEFNAME is set.
+ ii. There is no trailing period and the flag RES_DNSRCH is set.
+
+ The flags RES_DEFNAME and RES_DNSRCH are default resolver options, in
+ BIND, but can be changed at compile time.
+
+ Only if the name, so generated, returns an NXDOMAIN is the original
+ name tried as a Fully Qualified Domain Name. And only if it contains
+ at least one period.
+
+FIXES:
+
+ a. Fix the resolver code.
+
+ b. Negative Caching. Negative caching servers will restrict the
+ traffic seen on the wide-area network, even if not curb it
+ altogether.
+
+ c. Applications and resolvers should not append the local domain to
+ names they seek to resolve, as far as possible. Names
+ interspersed with periods should be treated as Fully Qualified
+ Domain Names.
+
+ In other words, Use searchlists only when explicitly specified.
+ No implicit searchlists should be used. A name that contains
+ any dots should first be tried as a FQDN and if that fails, with
+ the local domain name (or searchlist if specified) appended. A
+ name containing no dots can be appended with the searchlist right
+ away, but once again, no implicit searchlists should be used.
+
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 9]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+ Associated with the name error bug is another problem where a server
+ might return an authoritative NXDOMAIN, although the name is valid. A
+ secondary server, on start-up, reads the zone information from the
+ primary, through a zone transfer. While it is in the process of
+ loading the zones, it does not have information about them, although
+ it is authoritative for them. Thus, any query for a name in that
+ domain is answered with an NXDOMAIN response code. This problem might
+ not be disastrous were it not for negative caching servers that cache
+ this answer and so propagate incorrect information over the internet.
+
+BAD IMPLEMENTATION:
+
+ BIND apparently suffers from this problem.
+
+ Also, a new name added to the primary database will take a while to
+ propagate to the secondaries. Until that time, they will return
+ NXDOMAIN answers for a good name. Negative caching servers store this
+ answer, too and aggravate this problem further. This is probably a
+ more general DNS problem but is apparently more harmful in this
+ situation.
+
+FIX:
+
+ a. Servers should start answering only after loading all the zone
+ data. A failed server is better than a server handing out
+ incorrect information.
+
+ b. Negative cache records for a very small time, sufficient only
+ to ward off a burst of requests for the same bad name. This
+ could be related to the round-trip time of the server from
+ which the negative answer was received. Alternatively, a
+ statistical measure of the amount of time for which queries
+ for such names are received could be used. Minimum TTL value
+ from the SOA record is not advisable since they tend to be
+ pretty large.
+
+ c. A "PUSH" (or, at least, a "NOTIFY") mechanism should be allowed
+ and implemented, to allow the primary server to inform
+ secondaries that the database has been modified since it last
+ transferred zone data. To alleviate the problem of "too many
+ zone transfers" that this might cause, Incremental Zone
+ Transfers should also be part of DNS. Also, the primary should
+ not NOTIFY/PUSH with every update but bunch a good number
+ together.
+
+
+
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 10]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+7. Format Errors:
+
+ Some resolvers issue query packets that do not necessarily conform to
+ standards as laid out in the relevant RFCs. This unnecessarily
+ increases net traffic and wastes server time.
+
+FIXES:
+
+ a. Fix resolvers.
+
+ b. Each resolver verify format of packets before sending them out,
+ using a mechanism outside of the resolver. This is, obviously,
+ needed only if step 1 cannot be followed.
+
+References
+
+ [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
+ RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names Implementation and Specification",
+ STD 13, RFC 1035, USC/Information Sciences Institute, November
+ 1987.
+
+ [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
+ 974, CSNET CIC BBN, January 1986.
+
+ [4] Gavron, E., "A Security Problem and Proposed Correction With
+ Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
+ October 1993.
+
+ [5] Beertema, P., "Common DNS Data File Configuration Errors", RFC
+ 1537, CWI, October 1993.
+
+Security Considerations
+
+ Security issues are not discussed in this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 11]
+
+RFC 1536 Common DNS Implementation Errors October 1993
+
+
+Authors' Addresses
+
+ Anant Kumar
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina Del Rey CA 90292-6695
+
+ Phone:(310) 822-1511
+ FAX: (310) 823-6741
+ EMail: anant@isi.edu
+
+
+ Jon Postel
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina Del Rey CA 90292-6695
+
+ Phone:(310) 822-1511
+ FAX: (310) 823-6714
+ EMail: postel@isi.edu
+
+
+ Cliff Neuman
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina Del Rey CA 90292-6695
+
+ Phone:(310) 822-1511
+ FAX: (310) 823-6714
+ EMail: bcn@isi.edu
+
+
+ Peter Danzig
+ Computer Science Department
+ University of Southern California
+ University Park
+
+ EMail: danzig@caldera.usc.edu
+
+
+ Steve Miller
+ Computer Science Department
+ University of Southern California
+ University Park
+ Los Angeles CA 90089
+
+ EMail: smiller@caldera.usc.edu
+
+
+
+
+Kumar, Postel, Neuman, Danzig & Miller [Page 12]
+
diff --git a/contrib/bind9/doc/rfc/rfc1537.txt b/contrib/bind9/doc/rfc/rfc1537.txt
new file mode 100644
index 0000000..81b9768
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1537.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Network Working Group P. Beertema
+Request for Comments: 1537 CWI
+Category: Informational October 1993
+
+
+ Common DNS Data File Configuration Errors
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard. Distribution of this memo is
+ unlimited.
+
+Abstract
+
+ This memo describes errors often found in DNS data files. It points
+ out common mistakes system administrators tend to make and why they
+ often go unnoticed for long periods of time.
+
+Introduction
+
+ Due to the lack of extensive documentation and automated tools, DNS
+ zone files have mostly been configured by system administrators, by
+ hand. Some of the rules for writing the data files are rather subtle
+ and a few common mistakes are seen in domains worldwide.
+
+ This document is an attempt to list "surprises" that administrators
+ might find hidden in their zone files. It describes the symptoms of
+ the malady and prescribes medicine to cure that. It also gives some
+ general recommendations and advice on specific nameserver and zone
+ file issues and on the (proper) use of the Domain Name System.
+
+1. SOA records
+
+ A problem I've found in quite some nameservers is that the various
+ timers have been set (far) too low. Especially for top level domain
+ nameservers this causes unnecessary traffic over international and
+ intercontinental links.
+
+ Unfortunately the examples given in the BIND manual, in RFC's and in
+ some expert documents give those very short timer values, and that's
+ most likely what people have modeled their SOA records after.
+
+ First of all a short explanation of the timers used in the SOA
+ record:
+
+
+
+
+
+
+Beertema [Page 1]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ - Refresh: The SOA record of the primary server is checked
+ every "refresh" time by the secondary servers;
+ if it has changed, a zone transfer is done.
+
+ - Retry: If a secondary server cannot reach the primary
+ server, it tries it again every "retry" time.
+
+ - Expire: If for "expire" time the primary server cannot
+ be reached, all information about the zone is
+ invalidated on the secondary servers (i.e., they
+ are no longer authoritative for that zone).
+
+ - Minimum TTL: The default TTL value for all records in the
+ zone file; a different TTL value may be given
+ explicitly in a record when necessary.
+ (This timer is named "Minimum", and that's
+ what it's function should be according to
+ STD 13, RFC 1035, but most (all?)
+ implementations take it as the default value
+ exported with records without an explicit TTL
+ value).
+
+ For top level domain servers I would recommend the following values:
+
+ 86400 ; Refresh 24 hours
+ 7200 ; Retry 2 hours
+ 2592000 ; Expire 30 days
+ 345600 ; Minimum TTL 4 days
+
+ For other servers I would suggest:
+
+ 28800 ; Refresh 8 hours
+ 7200 ; Retry 2 hours
+ 604800 ; Expire 7 days
+ 86400 ; Minimum TTL 1 day
+
+ but here the frequency of changes, the required speed of propagation,
+ the reachability of the primary server etc. play a role in optimizing
+ the timer values.
+
+2. Glue records
+
+ Quite often, people put unnecessary glue (A) records in their zone
+ files. Even worse is that I've even seen *wrong* glue records for an
+ external host in a primary zone file! Glue records need only be in a
+ zone file if the server host is within the zone and there is no A
+ record for that host elsewhere in the zone file.
+
+
+
+
+Beertema [Page 2]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ Old BIND versions ("native" 4.8.3 and older versions) showed the
+ problem that wrong glue records could enter secondary servers in a
+ zone transfer.
+
+3. "Secondary server surprise"
+
+ I've seen it happen on various occasions that hosts got bombarded by
+ nameserver requests without knowing why. On investigation it turned
+ out then that such a host was supposed to (i.e., the information was
+ in the root servers) run secondary for some domain (or reverse (in-
+ addr.arpa)) domain, without that host's nameserver manager having
+ been asked or even been told so!
+
+ Newer BIND versions (4.9 and later) solved this problem. At the same
+ time though the fix has the disadvantage that it's far less easy to
+ spot this problem.
+
+ Practice has shown that most domain registrars accept registrations
+ of nameservers without checking if primary (!) and secondary servers
+ have been set up, informed, or even asked. It should also be noted
+ that a combination of long-lasting unreachability of primary
+ nameservers, (therefore) expiration of zone information, plus static
+ IP routing, can lead to massive network traffic that can fill up
+ lines completely.
+
+4. "MX records surprise"
+
+ In a sense similar to point 3. Sometimes nameserver managers enter MX
+ records in their zone files that point to external hosts, without
+ first asking or even informing the systems managers of those external
+ hosts. This has to be fought out between the nameserver manager and
+ the systems managers involved. Only as a last resort, if really
+ nothing helps to get the offending records removed, can the systems
+ manager turn to the naming authority of the domain above the
+ offending domain to get the problem sorted out.
+
+5. "Name extension surprise"
+
+ Sometimes one encounters weird names, which appear to be an external
+ name extended with a local domain. This is caused by forgetting to
+ terminate a name with a dot: names in zone files that don't end with
+ a dot are always expanded with the name of the current zone (the
+ domain that the zone file stands for or the last $ORIGIN).
+
+ Example: zone file for foo.xx:
+
+ pqr MX 100 relay.yy.
+ xyz MX 100 relay.yy (no trailing dot!)
+
+
+
+Beertema [Page 3]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ When fully written out this stands for:
+
+ pqr.foo.xx. MX 100 relay.yy.
+ xyz.foo.xx. MX 100 relay.yy.foo.xx. (name extension!)
+
+6. Missing secondary servers
+
+ It is required that there be a least 2 nameservers for a domain. For
+ obvious reasons the nameservers for top level domains need to be very
+ well reachable from all over the Internet. This implies that there
+ must be more than just 2 of them; besides, most of the (secondary)
+ servers should be placed at "strategic" locations, e.g., close to a
+ point where international and/or intercontinental lines come
+ together. To keep things manageable, there shouldn't be too many
+ servers for a domain either.
+
+ Important aspects in selecting the location of primary and secondary
+ servers are reliability (network, host) and expedient contacts: in
+ case of problems, changes/fixes must be carried out quickly. It
+ should be considered logical that primary servers for European top
+ level domains should run on a host in Europe, preferably (if
+ possible) in the country itself. For each top level domain there
+ should be 2 secondary servers in Europe and 2 in the USA, but there
+ may of course be more on either side. An excessive number of
+ nameservers is not a good idea though; a recommended maximum is 7
+ nameservers. In Europe, EUnet has offered to run secondary server
+ for each European top level domain.
+
+7. Wildcard MX records
+
+ Wildcard MX records should be avoided where possible. They often
+ cause confusion and errors: especially beginning nameserver managers
+ tend to overlook the fact that a host/domain listed with ANY type of
+ record in a zone file is NOT covered by an overall wildcard MX record
+ in that zone; this goes not only for simple domain/host names, but
+ also for names that cover one or more domains. Take the following
+ example in zone foo.bar:
+
+ * MX 100 mailhost
+ pqr MX 100 mailhost
+ abc.def MX 100 mailhost
+
+ This makes pqr.foo.bar, def.foo.bar and abd.def.foo.bar valid
+ domains, but the wildcard MX record covers NONE of them, nor anything
+ below them. To cover everything by MX records, the required entries
+ are:
+
+
+
+
+
+Beertema [Page 4]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ * MX 100 mailhost
+ pqr MX 100 mailhost
+ *.pqr MX 100 mailhost
+ abc.def MX 100 mailhost
+ *.def MX 100 mailhost
+ *.abc.def MX 100 mailhost
+
+ An overall wildcard MX record is almost never useful.
+
+ In particular the zone file of a top level domain should NEVER
+ contain only an overall wildcard MX record (*.XX). The effect of such
+ a wildcard MX record can be that mail is unnecessarily sent across
+ possibly expensive links, only to fail at the destination or gateway
+ that the record points to. Top level domain zone files should
+ explicitly list at least all the officially registered primary
+ subdomains.
+
+ Whereas overall wildcard MX records should be avoided, wildcard MX
+ records are acceptable as an explicit part of subdomain entries,
+ provided they are allowed under a given subdomain (to be determined
+ by the naming authority for that domain).
+
+ Example:
+
+ foo.xx. MX 100 gateway.xx.
+ MX 200 fallback.yy.
+ *.foo.xx. MX 100 gateway.xx.
+ MX 200 fallback.yy.
+8. Hostnames
+
+ People appear to sometimes look only at STD 11, RFC 822 to determine
+ whether a particular hostname is correct or not. Hostnames should
+ strictly conform to the syntax given in STD 13, RFC 1034 (page 11),
+ with *addresses* in addition conforming to RFC 822. As an example
+ take "c&w.blues" which is perfectly legal according to RFC 822, but
+ which can have quite surprising effects on particular systems, e.g.,
+ "telnet c&w.blues" on a Unix system.
+
+9. HINFO records
+
+ There appears to be a common misunderstanding that one of the data
+ fields (usually the second field) in HINFO records is optional. A
+ recent scan of all reachable nameservers in only one country revealed
+ some 300 incomplete HINFO records. Specifying two data fields in a
+ HINFO record is mandatory (RFC 1033), but note that this does *not*
+ mean that HINFO records themselves are mandatory.
+
+
+
+
+
+Beertema [Page 5]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+10. Safety measures and specialties
+
+ Nameservers and resolvers aren't flawless. Bogus queries should be
+ kept from being forwarded to the root servers, since they'll only
+ lead to unnecessary intercontinental traffic. Known bogus queries
+ that can easily be dealt with locally are queries for 0 and broadcast
+ addresses. To catch such queries, every nameserver should run
+ primary for the 0.in-addr.arpa and 255.in-addr.arpa zones; the zone
+ files need only contain a SOA and an NS record.
+
+ Also each nameserver should run primary for 0.0.127.in-addr.arpa;
+ that zone file should contain a SOA and NS record and an entry:
+
+ 1 PTR localhost.
+
+ There has been extensive discussion about whether or not to append
+ the local domain to it. The conclusion was that "localhost." would be
+ the best solution; reasons given were:
+
+ - "localhost" itself is used and expected to work on some systems.
+
+ - translating 127.0.0.1 into "localhost.my_domain" can cause some
+ software to connect to itself using the loopback interface when
+ it didn't want to.
+
+ Note that all domains that contain hosts should have a "localhost" A
+ record in them.
+
+ People maintaining zone files with the Serial number given in dotted
+ decimal notation (e.g., when SCCS is used to maintain the files)
+ should beware of a bug in all BIND versions: if the serial number is
+ in Release.Version (dotted decimal) notation, then it is virtually
+ impossible to change to a higher release: because of the wrong way
+ that notation is turned into an integer, it results in a serial
+ number that is LOWER than that of the former release.
+
+ For this reason and because the Serial is an (unsigned) integer
+ according to STD 13, RFC 1035, it is recommended not to use the
+ dotted decimal notation. A recommended notation is to use the date
+ (yyyymmdd), if necessary with an extra digit (yyyymmddn) if there is
+ or can be more than one change per day in a zone file.
+
+ Very old versions of DNS resolver code have a bug that causes queries
+ for A records with domain names like "192.16.184.3" to go out. This
+ happens when users type in IP addresses and the resolver code does
+ not catch this case before sending out a DNS query. This problem has
+ been fixed in all resolver implementations known to us but if it
+ still pops up it is very serious because all those queries will go to
+
+
+
+Beertema [Page 6]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ the root servers looking for top level domains like "3" etc. It is
+ strongly recommended to install the latest (publicly) available BIND
+ version plus all available patches to get rid of these and other
+ problems.
+
+ Running secondary nameserver off another secondary nameserver is
+ possible, but not recommended unless really necessary: there are
+ known cases where it has led to problems like bogus TTL values. This
+ can be caused by older or flawed implementations, but secondary
+ nameservers in principle should always transfer their zones from the
+ official primary nameserver.
+
+11. Some general points
+
+ The Domain Name System and nameserver are purely technical tools, not
+ meant in any way to exert control or impose politics. The function of
+ a naming authority is that of a clearing house. Anyone registering a
+ subdomain under a particular (top level) domain becomes naming
+ authority and therewith the sole responsible for that subdomain.
+ Requests to enter MX or NS records concerning such a subdomain
+ therefore always MUST be honored by the registrar of the next higher
+ domain.
+
+ Examples of practices that are not allowed are:
+
+ - imposing specific mail routing (MX records) when registering
+ a subdomain.
+
+ - making registration of a subdomain dependent on to the use of
+ certain networks or services.
+
+ - using TXT records as a means of (free) commercial advertising.
+
+ In the latter case a network service provider could decide to cut off
+ a particular site until the offending TXT records have been removed
+ from the site's zone file.
+
+ Of course there are obvious cases where a naming authority can refuse
+ to register a particular subdomain and can require a proposed name to
+ be changed in order to get it registered (think of DEC trying to
+ register a domain IBM.XX).
+
+ There are also cases were one has to probe the authority of the
+ person: sending in the application - not every systems manager should
+ be able to register a domain name for a whole university. The naming
+ authority can impose certain extra rules as long as they don't
+ violate or conflict with the rights and interest of the registrars of
+ subdomains; a top level domain registrar may e.g., require that there
+
+
+
+Beertema [Page 7]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ be primary subdomain "ac" and "co" only and that subdomains be
+ registered under those primary subdomains.
+
+ The naming authority can also interfere in exceptional cases like the
+ one mentioned in point 4, e.g., by temporarily removing a domain's
+ entry from the nameserver zone files; this of course should be done
+ only with extreme care and only as a last resort.
+
+ When adding NS records for subdomains, top level domain nameserver
+ managers should realize that the people setting up the nameserver for
+ a subdomain often are rather inexperienced and can make mistakes that
+ can easily lead to the subdomain becoming completely unreachable or
+ that can cause unnecessary DNS traffic (see point 1). It is therefore
+ highly recommended that, prior to entering such an NS record, the
+ (top level) nameserver manager does a couple of sanity checks on the
+ new nameserver (SOA record and timers OK?, MX records present where
+ needed? No obvious errors made? Listed secondary servers
+ operational?). Things that cannot be caught though by such checks
+ are:
+
+ - resolvers set up to use external hosts as nameservers
+
+ - nameservers set up to use external hosts as forwarders
+ without permission from those hosts.
+
+ Care should also be taken when registering 2-letter subdomains.
+ Although this is allowed, an implication is that abbreviated
+ addressing (see STD 11, RFC 822, paragraph 6.2.2) is not possible in
+ and under that subdomain. When requested to register such a domain,
+ one should always notify the people of this consequence. As an
+ example take the name "cs", which is commonly used for Computer
+ Science departments: it is also the name of the top level domain for
+ Czecho-Slovakia, so within the domain cs.foo.bar the user@host.cs is
+ ambiguous in that in can denote both a user on the host
+ host.cs.foo.bar and a user on the host "host" in Czecho-Slovakia.
+ (This example does not take into account the recent political changes
+ in the mentioned country).
+
+References
+
+ [1] Mockapetris, P., "Domain Names Concepts and Facilities", STD 13,
+ RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names Implementation and Specification",
+ STD 13, RFC 1035, USC/Information Sciences Institute, November
+ 1987.
+
+
+
+
+
+Beertema [Page 8]
+
+RFC 1537 Common DNS Data File Configuration Errors October 1993
+
+
+ [3] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
+ 974, CSNET CIC BBN, January 1986.
+
+ [4] Gavron, E., "A Security Problem and Proposed Correction With
+ Widely Deployed DNS Software", RFC 1535, ACES Research Inc.,
+ October 1993.
+
+ [5] Kumar, A., Postel, J., Neuman, C., Danzig, P., and S. Miller,
+ "Common DNS Implementation Errors and Suggested Fixes", RFC 1536,
+ USC/Information Sciences Institute, USC, October 1993.
+
+Security Considerations
+
+ Security issues are not discussed in this memo.
+
+Author's Address
+
+ Piet Beertema
+ CWI
+ Kruislaan 413
+ NL-1098 SJ Amsterdam
+ The Netherlands
+
+ Phone: +31 20 592 4112
+ FAX: +31 20 592 4199
+ EMail: Piet.Beertema@cwi.nl
+
+
+Editor's Address
+
+ Anant Kumar
+ USC Information Sciences Institute
+ 4676 Admiralty Way
+ Marina Del Rey CA 90292-6695
+
+ Phone:(310) 822-1511
+ FAX: (310) 823-6741
+ EMail: anant@isi.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+Beertema [Page 9]
+ \ No newline at end of file
diff --git a/contrib/bind9/doc/rfc/rfc1591.txt b/contrib/bind9/doc/rfc/rfc1591.txt
new file mode 100644
index 0000000..89e0a25
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1591.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group J. Postel
+Request for Comments: 1591 ISI
+Category: Informational March 1994
+
+
+ Domain Name System Structure and Delegation
+
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+1. Introduction
+
+ This memo provides some information on the structure of the names in
+ the Domain Name System (DNS), specifically the top-level domain
+ names; and on the administration of domains. The Internet Assigned
+ Numbers Authority (IANA) is the overall authority for the IP
+ Addresses, the Domain Names, and many other parameters, used in the
+ Internet. The day-to-day responsibility for the assignment of IP
+ Addresses, Autonomous System Numbers, and most top and second level
+ Domain Names are handled by the Internet Registry (IR) and regional
+ registries.
+
+2. The Top Level Structure of the Domain Names
+
+ In the Domain Name System (DNS) naming of computers there is a
+ hierarchy of names. The root of system is unnamed. There are a set
+ of what are called "top-level domain names" (TLDs). These are the
+ generic TLDs (EDU, COM, NET, ORG, GOV, MIL, and INT), and the two
+ letter country codes from ISO-3166. It is extremely unlikely that
+ any other TLDs will be created.
+
+ Under each TLD may be created a hierarchy of names. Generally, under
+ the generic TLDs the structure is very flat. That is, many
+ organizations are registered directly under the TLD, and any further
+ structure is up to the individual organizations.
+
+ In the country TLDs, there is a wide variation in the structure, in
+ some countries the structure is very flat, in others there is
+ substantial structural organization. In some country domains the
+ second levels are generic categories (such as, AC, CO, GO, and RE),
+ in others they are based on political geography, and in still others,
+ organization names are listed directly under the country code. The
+ organization for the US country domain is described in RFC 1480 [1].
+
+
+
+
+Postel [Page 1]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ Each of the generic TLDs was created for a general category of
+ organizations. The country code domains (for example, FR, NL, KR,
+ US) are each organized by an administrator for that country. These
+ administrators may further delegate the management of portions of the
+ naming tree. These administrators are performing a public service on
+ behalf of the Internet community. Descriptions of the generic
+ domains and the US country domain follow.
+
+ Of these generic domains, five are international in nature, and two
+ are restricted to use by entities in the United States.
+
+ World Wide Generic Domains:
+
+ COM - This domain is intended for commercial entities, that is
+ companies. This domain has grown very large and there is
+ concern about the administrative load and system performance if
+ the current growth pattern is continued. Consideration is
+ being taken to subdivide the COM domain and only allow future
+ commercial registrations in the subdomains.
+
+ EDU - This domain was originally intended for all educational
+ institutions. Many Universities, colleges, schools,
+ educational service organizations, and educational consortia
+ have registered here. More recently a decision has been taken
+ to limit further registrations to 4 year colleges and
+ universities. Schools and 2-year colleges will be registered
+ in the country domains (see US Domain, especially K12 and CC,
+ below).
+
+ NET - This domain is intended to hold only the computers of network
+ providers, that is the NIC and NOC computers, the
+ administrative computers, and the network node computers. The
+ customers of the network provider would have domain names of
+ their own (not in the NET TLD).
+
+ ORG - This domain is intended as the miscellaneous TLD for
+ organizations that didn't fit anywhere else. Some non-
+ government organizations may fit here.
+
+ INT - This domain is for organizations established by international
+ treaties, or international databases.
+
+ United States Only Generic Domains:
+
+ GOV - This domain was originally intended for any kind of government
+ office or agency. More recently a decision was taken to
+ register only agencies of the US Federal government in this
+ domain. State and local agencies are registered in the country
+
+
+
+Postel [Page 2]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ domains (see US Domain, below).
+
+ MIL - This domain is used by the US military.
+
+ Example country code Domain:
+
+ US - As an example of a country domain, the US domain provides for
+ the registration of all kinds of entities in the United States
+ on the basis of political geography, that is, a hierarchy of
+ <entity-name>.<locality>.<state-code>.US. For example,
+ "IBM.Armonk.NY.US". In addition, branches of the US domain are
+ provided within each state for schools (K12), community colleges
+ (CC), technical schools (TEC), state government agencies
+ (STATE), councils of governments (COG),libraries (LIB), museums
+ (MUS), and several other generic types of entities (see RFC 1480
+ for details [1]).
+
+ To find a contact for a TLD use the "whois" program to access the
+ database on the host rs.internic.net. Append "-dom" to the name of
+ TLD you are interested in. For example:
+
+ whois -h rs.internic.net us-dom
+ or
+ whois -h rs.internic.net edu-dom
+
+3. The Administration of Delegated Domains
+
+ The Internet Assigned Numbers Authority (IANA) is responsible for the
+ overall coordination and management of the Domain Name System (DNS),
+ and especially the delegation of portions of the name space called
+ top-level domains. Most of these top-level domains are two-letter
+ country codes taken from the ISO standard 3166.
+
+ A central Internet Registry (IR) has been selected and designated to
+ handled the bulk of the day-to-day administration of the Domain Name
+ System. Applications for new top-level domains (for example, country
+ code domains) are handled by the IR with consultation with the IANA.
+ The central IR is INTERNIC.NET. Second level domains in COM, EDU,
+ ORG, NET, and GOV are registered by the Internet Registry at the
+ InterNIC. The second level domains in the MIL are registered by the
+ DDN registry at NIC.DDN.MIL. Second level names in INT are
+ registered by the PVM at ISI.EDU.
+
+ While all requests for new top-level domains must be sent to the
+ Internic (at hostmaster@internic.net), the regional registries are
+ often enlisted to assist in the administration of the DNS, especially
+ in solving problems with a country administration. Currently, the
+ RIPE NCC is the regional registry for Europe and the APNIC is the
+
+
+
+Postel [Page 3]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ regional registry for the Asia-Pacific region, while the INTERNIC
+ administers the North America region, and all the as yet undelegated
+ regions.
+
+ The contact mailboxes for these regional registries are:
+
+ INTERNIC hostmaster@internic.net
+ APNIC hostmaster@apnic.net
+ RIPE NCC ncc@ripe.net
+
+ The policy concerns involved when a new top-level domain is
+ established are described in the following. Also mentioned are
+ concerns raised when it is necessary to change the delegation of an
+ established domain from one party to another.
+
+ A new top-level domain is usually created and its management
+ delegated to a "designated manager" all at once.
+
+ Most of these same concerns are relevant when a sub-domain is
+ delegated and in general the principles described here apply
+ recursively to all delegations of the Internet DNS name space.
+
+ The major concern in selecting a designated manager for a domain is
+ that it be able to carry out the necessary responsibilities, and have
+ the ability to do a equitable, just, honest, and competent job.
+
+ 1) The key requirement is that for each domain there be a designated
+ manager for supervising that domain's name space. In the case of
+ top-level domains that are country codes this means that there is
+ a manager that supervises the domain names and operates the domain
+ name system in that country.
+
+ The manager must, of course, be on the Internet. There must be
+ Internet Protocol (IP) connectivity to the nameservers and email
+ connectivity to the management and staff of the manager.
+
+ There must be an administrative contact and a technical contact
+ for each domain. For top-level domains that are country codes at
+ least the administrative contact must reside in the country
+ involved.
+
+ 2) These designated authorities are trustees for the delegated
+ domain, and have a duty to serve the community.
+
+ The designated manager is the trustee of the top-level domain for
+ both the nation, in the case of a country code, and the global
+ Internet community.
+
+
+
+
+Postel [Page 4]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ Concerns about "rights" and "ownership" of domains are
+ inappropriate. It is appropriate to be concerned about
+ "responsibilities" and "service" to the community.
+
+ 3) The designated manager must be equitable to all groups in the
+ domain that request domain names.
+
+ This means that the same rules are applied to all requests, all
+ requests must be processed in a non-discriminatory fashion, and
+ academic and commercial (and other) users are treated on an equal
+ basis. No bias shall be shown regarding requests that may come
+ from customers of some other business related to the manager --
+ e.g., no preferential service for customers of a particular data
+ network provider. There can be no requirement that a particular
+ mail system (or other application), protocol, or product be used.
+
+ There are no requirements on subdomains of top-level domains
+ beyond the requirements on higher-level domains themselves. That
+ is, the requirements in this memo are applied recursively. In
+ particular, all subdomains shall be allowed to operate their own
+ domain name servers, providing in them whatever information the
+ subdomain manager sees fit (as long as it is true and correct).
+
+ 4) Significantly interested parties in the domain should agree that
+ the designated manager is the appropriate party.
+
+ The IANA tries to have any contending parties reach agreement
+ among themselves, and generally takes no action to change things
+ unless all the contending parties agree; only in cases where the
+ designated manager has substantially mis-behaved would the IANA
+ step in.
+
+ However, it is also appropriate for interested parties to have
+ some voice in selecting the designated manager.
+
+ There are two cases where the IANA and the central IR may
+ establish a new top-level domain and delegate only a portion of
+ it: (1) there are contending parties that cannot agree, or (2) the
+ applying party may not be able to represent or serve the whole
+ country. The later case sometimes arises when a party outside a
+ country is trying to be helpful in getting networking started in a
+ country -- this is sometimes called a "proxy" DNS service.
+
+ The Internet DNS Names Review Board (IDNB), a committee
+ established by the IANA, will act as a review panel for cases in
+ which the parties can not reach agreement among themselves. The
+ IDNB's decisions will be binding.
+
+
+
+
+Postel [Page 5]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ 5) The designated manager must do a satisfactory job of operating the
+ DNS service for the domain.
+
+ That is, the actual management of the assigning of domain names,
+ delegating subdomains and operating nameservers must be done with
+ technical competence. This includes keeping the central IR (in
+ the case of top-level domains) or other higher-level domain
+ manager advised of the status of the domain, responding to
+ requests in a timely manner, and operating the database with
+ accuracy, robustness, and resilience.
+
+ There must be a primary and a secondary nameserver that have IP
+ connectivity to the Internet and can be easily checked for
+ operational status and database accuracy by the IR and the IANA.
+
+ In cases when there are persistent problems with the proper
+ operation of a domain, the delegation may be revoked, and possibly
+ delegated to another designated manager.
+
+ 6) For any transfer of the designated manager trusteeship from one
+ organization to another, the higher-level domain manager (the IANA
+ in the case of top-level domains) must receive communications from
+ both the old organization and the new organization that assure the
+ IANA that the transfer in mutually agreed, and that the new
+ organization understands its responsibilities.
+
+ It is also very helpful for the IANA to receive communications
+ from other parties that may be concerned or affected by the
+ transfer.
+
+4. Rights to Names
+
+ 1) Names and Trademarks
+
+ In case of a dispute between domain name registrants as to the
+ rights to a particular name, the registration authority shall have
+ no role or responsibility other than to provide the contact
+ information to both parties.
+
+ The registration of a domain name does not have any Trademark
+ status. It is up to the requestor to be sure he is not violating
+ anyone else's Trademark.
+
+ 2) Country Codes
+
+ The IANA is not in the business of deciding what is and what is
+ not a country.
+
+
+
+
+Postel [Page 6]
+
+RFC 1591 Domain Name System Structure and Delegation March 1994
+
+
+ The selection of the ISO 3166 list as a basis for country code
+ top-level domain names was made with the knowledge that ISO has a
+ procedure for determining which entities should be and should not
+ be on that list.
+
+5. Security Considerations
+
+ Security issues are not discussed in this memo.
+
+6. Acknowledgements
+
+ Many people have made comments on draft version of these descriptions
+ and procedures. Steve Goldstein and John Klensin have been
+ particularly helpful.
+
+7. Author's Address
+
+ Jon Postel
+ USC/Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA 90292
+
+ Phone: 310-822-1511
+ Fax: 310-823-6714
+ EMail: Postel@ISI.EDU
+
+7. References
+
+ [1] Cooper, A., and J. Postel, "The US Domain", RFC 1480,
+ USC/Information Sciences Institute, June 1993.
+
+ [2] Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC 1340,
+ USC/Information Sciences Institute, July 1992.
+
+ [3] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
+ 13, RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [4] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [6] Partridge, C., "Mail Routing and the Domain System", STD 14, RFC
+ 974, CSNET CIC BBN, January 1986.
+
+ [7] Braden, R., Editor, "Requirements for Internet Hosts --
+ Application and Support", STD 3, RFC 1123, Internet Engineering
+ Task Force, October 1989.
+
+
+
+
+Postel [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc1611.txt b/contrib/bind9/doc/rfc/rfc1611.txt
new file mode 100644
index 0000000..ed5b93a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1611.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group R. Austein
+Request for Comments: 1611 Epilogue Technology Corporation
+Category: Standards Track J. Saperia
+ Digital Equipment Corporation
+ May 1994
+
+ DNS Server MIB Extensions
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Table of Contents
+
+ 1. Introduction .............................................. 1
+ 2. The SNMPv2 Network Management Framework ................... 2
+ 2.1 Object Definitions ....................................... 2
+ 3. Overview .................................................. 2
+ 3.1 Resolvers ................................................ 3
+ 3.2 Name Servers ............................................. 3
+ 3.3 Selected Objects ......................................... 4
+ 3.4 Textual Conventions ...................................... 4
+ 4. Definitions ............................................... 5
+ 5. Acknowledgements .......................................... 28
+ 6. References ................................................ 28
+ 7. Security Considerations ................................... 29
+ 8. Authors' Addresses ........................................ 30
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes a set of extensions which instrument DNS
+ name server functions. This memo was produced by the DNS working
+ group.
+
+ With the adoption of the Internet-standard Network Management
+ Framework [4,5,6,7], and with a large number of vendor
+ implementations of these standards in commercially available
+ products, it became possible to provide a higher level of effective
+ network management in TCP/IP-based internets than was previously
+ available. With the growth in the use of these standards, it has
+ become possible to consider the management of other elements of the
+ infrastructure beyond the basic TCP/IP protocols. A key element of
+
+
+
+Austein & Saperia [Page 1]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ the TCP/IP infrastructure is the DNS.
+
+ Up to this point there has been no mechanism to integrate the
+ management of the DNS with SNMP-based managers. This memo provides
+ the mechanisms by which IP-based management stations can effectively
+ manage DNS name server software in an integrated fashion.
+
+ We have defined DNS MIB objects to be used in conjunction with the
+ Internet MIB to allow access to and control of DNS name server
+ software via SNMP by the Internet community.
+
+2. The SNMPv2 Network Management Framework
+
+ The SNMPv2 Network Management Framework consists of four major
+ components. They are:
+
+ o RFC 1442 which defines the SMI, the mechanisms used for
+ describing and naming objects for the purpose of management.
+
+ o STD 17, RFC 1213 defines MIB-II, the core set of managed objects
+ for the Internet suite of protocols.
+
+ o RFC 1445 which defines the administrative and other architectural
+ aspects of the framework.
+
+ o RFC 1448 which defines the protocol used for network access to
+ managed objects.
+
+ The Framework permits new objects to be defined for the purpose of
+ experimentation and evaluation.
+
+2.1. Object Definitions
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. Objects in the MIB are
+ defined using the subset of Abstract Syntax Notation One (ASN.1)
+ defined in the SMI. In particular, each object object type is named
+ by an OBJECT IDENTIFIER, an administratively assigned name. The
+ object type together with an object instance serves to uniquely
+ identify a specific instantiation of the object. For human
+ convenience, we often use a textual string, termed the descriptor, to
+ refer to the object type.
+
+3. Overview
+
+ In theory, the DNS world is pretty simple. There are two kinds of
+ entities: resolvers and name servers. Resolvers ask questions. Name
+ servers answer them. The real world, however, is not so simple.
+
+
+
+Austein & Saperia [Page 2]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ Implementors have made widely differing choices about how to divide
+ DNS functions between resolvers and servers. They have also
+ constructed various sorts of exotic hybrids. The most difficult task
+ in defining this MIB was to accommodate this wide range of entities
+ without having to come up with a separate MIB for each.
+
+ We divided up the various DNS functions into two, non-overlapping
+ classes, called "resolver functions" and "name server functions." A
+ DNS entity that performs what we define as resolver functions
+ contains a resolver, and therefore must implement the MIB groups
+ required of all resolvers which are defined in a separate MIB Module.
+ A DNS entity which implements name server functions is considered to
+ be a name server, and must implement the MIB groups required for name
+ servers in this module. If the same piece of software performs both
+ resolver and server functions, we imagine that it contains both a
+ resolver and a server and would thus implement both the DNS Server
+ and DNS Resolver MIBs.
+
+3.1. Resolvers
+
+ In our model, a resolver is a program (or piece thereof) which
+ obtains resource records from servers. Normally it does so at the
+ behest of an application, but may also do so as part of its own
+ operation. A resolver sends DNS protocol queries and receives DNS
+ protocol replies. A resolver neither receives queries nor sends
+ replies. A full service resolver is one that knows how to resolve
+ queries: it obtains the needed resource records by contacting a
+ server authoritative for the records desired. A stub resolver does
+ not know how to resolve queries: it sends all queries to a local name
+ server, setting the "recursion desired" flag to indicate that it
+ hopes that the name server will be willing to resolve the query. A
+ resolver may (optionally) have a cache for remembering previously
+ acquired resource records. It may also have a negative cache for
+ remembering names or data that have been determined not to exist.
+
+3.2. Name Servers
+
+ A name server is a program (or piece thereof) that provides resource
+ records to resolvers. All references in this document to "a name
+ server" imply "the name server's role"; in some cases the name
+ server's role and the resolver's role might be combined into a single
+ program. A name server receives DNS protocol queries and sends DNS
+ protocol replies. A name server neither sends queries nor receives
+ replies. As a consequence, name servers do not have caches.
+ Normally, a name server would expect to receive only those queries to
+ which it could respond with authoritative information. However, if a
+ name server receives a query that it cannot respond to with purely
+ authoritative information, it may choose to try to obtain the
+
+
+
+Austein & Saperia [Page 3]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ necessary additional information from a resolver which may or may not
+ be a separate process.
+
+3.3. Selected Objects
+
+ Many of the objects included in this memo have been created from
+ information contained in the DNS specifications [1,2], as amended and
+ clarified by subsequent host requirements documents [3]. Other
+ objects have been created based on experience with existing DNS
+ management tools, expected operational needs, the statistics
+ generated by existing DNS implementations, and the configuration
+ files used by existing DNS implementations. These objects have been
+ ordered into groups as follows:
+
+ o Server Configuration Group
+
+ o Server Counter Group
+
+ o Server Optional Counter Group
+
+ o Server Zone Group
+
+ This information has been converted into a standard form using the
+ SNMPv2 SMI defined in [9]. For the most part, the descriptions are
+ influenced by the DNS related RFCs noted above. For example, the
+ descriptions for counters used for the various types of queries of
+ DNS records are influenced by the definitions used for the various
+ record types found in [2].
+
+3.4. Textual Conventions
+
+ Several conceptual data types have been introduced as a textual
+ conventions in this DNS MIB document. These additions will
+ facilitate the common understanding of information used by the DNS.
+ No changes to the SMI or the SNMP are necessary to support these
+ conventions.
+
+ Readers familiar with MIBs designed to manage entities in the lower
+ layers of the Internet protocol suite may be surprised at the number
+ of non-enumerated integers used in this MIB to represent values such
+ as DNS RR class and type numbers. The reason for this choice is
+ simple: the DNS itself is designed as an extensible protocol,
+ allowing new classes and types of resource records to be added to the
+ protocol without recoding the core DNS software. Using non-
+ enumerated integers to represent these data types in this MIB allows
+ the MIB to accommodate these changes as well.
+
+
+
+
+
+Austein & Saperia [Page 4]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+4. Definitions
+
+ DNS-SERVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ mib-2
+ FROM RFC-1213
+ MODULE-IDENTITY, OBJECT-TYPE, OBJECT-IDENTITY,
+ IpAddress, Counter32, Gauge32
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, RowStatus, DisplayString, TruthValue
+ FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF;
+
+ dns OBJECT-IDENTITY
+ STATUS current
+ DESCRIPTION
+ "The OID assigned to DNS MIB work by the IANA."
+ ::= { mib-2 32 }
+
+ dnsServMIB MODULE-IDENTITY
+ LAST-UPDATED "9401282251Z"
+ ORGANIZATION "IETF DNS Working Group"
+ CONTACT-INFO
+ " Rob Austein
+ Postal: Epilogue Technology Corporation
+ 268 Main Street, Suite 283
+ North Reading, MA 10864
+ US
+ Tel: +1 617 245 0804
+ Fax: +1 617 245 8122
+ E-Mail: sra@epilogue.com
+
+ Jon Saperia
+ Postal: Digital Equipment Corporation
+ 110 Spit Brook Road
+ ZKO1-3/H18
+ Nashua, NH 03062-2698
+ US
+ Tel: +1 603 881 0480
+ Fax: +1 603 881 0120
+ Email: saperia@zko.dec.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the server side
+ of the Domain Name System (DNS) protocol."
+ ::= { dns 1 }
+
+
+
+
+Austein & Saperia [Page 5]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ dnsServMIBObjects OBJECT IDENTIFIER ::= { dnsServMIB 1 }
+
+ -- (Old-style) groups in the DNS server MIB.
+
+ dnsServConfig OBJECT IDENTIFIER ::= { dnsServMIBObjects 1 }
+ dnsServCounter OBJECT IDENTIFIER ::= { dnsServMIBObjects 2 }
+ dnsServOptCounter OBJECT IDENTIFIER ::= { dnsServMIBObjects 3 }
+ dnsServZone OBJECT IDENTIFIER ::= { dnsServMIBObjects 4 }
+
+
+ -- Textual conventions
+
+ DnsName ::= TEXTUAL-CONVENTION
+ -- A DISPLAY-HINT would be nice, but difficult to express.
+ STATUS current
+ DESCRIPTION
+ "A DNS name is a sequence of labels. When DNS names are
+ displayed, the boundaries between labels are typically
+ indicated by dots (e.g. `Acme' and `COM' are labels in
+ the name `Acme.COM'). In the DNS protocol, however, no
+ such separators are needed because each label is encoded
+ as a length octet followed by the indicated number of
+ octets of label. For example, `Acme.COM' is encoded as
+ the octet sequence { 4, 'A', 'c', 'm', 'e', 3, 'C', 'O',
+ 'M', 0 } (the final 0 is the length of the name of the
+ root domain, which appears implicitly at the end of any
+ DNS name). This MIB uses the same encoding as the DNS
+ protocol.
+
+ A DnsName must always be a fully qualified name. It is
+ an error to encode a relative domain name as a DnsName
+ without first making it a fully qualified name."
+ REFERENCE
+ "RFC-1034 section 3.1."
+ SYNTAX OCTET STRING (SIZE (0..255))
+
+ DnsNameAsIndex ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This textual convention is like a DnsName, but is used
+ as an index componant in tables. Alphabetic characters
+ in names of this type are restricted to uppercase: the
+ characters 'a' through 'z' are mapped to the characters
+ 'A' through 'Z'. This restriction is intended to make
+ the lexical ordering imposed by SNMP useful when applied
+ to DNS names.
+
+ Note that it is theoretically possible for a valid DNS
+
+
+
+Austein & Saperia [Page 6]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ name to exceed the allowed length of an SNMP object
+ identifer, and thus be impossible to represent in tables
+ in this MIB that are indexed by DNS name. Sampling of
+ DNS names in current use on the Internet suggests that
+ this limit does not pose a serious problem in practice."
+ REFERENCE
+ "RFC-1034 section 3.1, RFC-1448 section 4.1."
+ SYNTAX DnsName
+
+ DnsClass ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2d"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to represent the class values
+ which appear in Resource Records in the DNS. A 16-bit
+ unsigned integer is used to allow room for new classes
+ of records to be defined. Existing standard classes are
+ listed in the DNS specifications."
+ REFERENCE
+ "RFC-1035 section 3.2.4."
+ SYNTAX INTEGER (0..65535)
+
+ DnsType ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2d"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to represent the type values
+ which appear in Resource Records in the DNS. A 16-bit
+ unsigned integer is used to allow room for new record
+ types to be defined. Existing standard types are listed
+ in the DNS specifications."
+ REFERENCE
+ "RFC-1035 section 3.2.2."
+ SYNTAX INTEGER (0..65535)
+
+ DnsQClass ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2d"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to represent the QClass values
+ which appear in Resource Records in the DNS. A 16-bit
+ unsigned integer is used to allow room for new QClass
+ records to be defined. Existing standard QClasses are
+ listed in the DNS specification."
+ REFERENCE
+ "RFC-1035 section 3.2.5."
+ SYNTAX INTEGER (0..65535)
+
+
+
+
+Austein & Saperia [Page 7]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ DnsQType ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "2d"
+ STATUS current
+ DESCRIPTION
+ "This data type is used to represent the QType values
+ which appear in Resource Records in the DNS. A 16-bit
+ unsigned integer is used to allow room for new QType
+ records to be defined. Existing standard QTypes are
+ listed in the DNS specification."
+ REFERENCE
+ "RFC-1035 section 3.2.3."
+ SYNTAX INTEGER (0..65535)
+
+ DnsTime ::= TEXTUAL-CONVENTION
+ DISPLAY-HINT "4d"
+ STATUS current
+ DESCRIPTION
+ "DnsTime values are 32-bit unsigned integers which
+ measure time in seconds."
+ REFERENCE
+ "RFC-1035."
+ SYNTAX Gauge32
+
+
+ DnsOpCode ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This textual convention is used to represent the DNS
+ OPCODE values used in the header section of DNS
+ messages. Existing standard OPCODE values are listed in
+ the DNS specifications."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ SYNTAX INTEGER (0..15)
+
+ DnsRespCode ::= TEXTUAL-CONVENTION
+ STATUS current
+ DESCRIPTION
+ "This data type is used to represent the DNS RCODE value
+ in DNS response messages. Existing standard RCODE
+ values are listed in the DNS specifications."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ SYNTAX INTEGER (0..15)
+
+
+
+
+
+
+
+Austein & Saperia [Page 8]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ -- Server Configuration Group
+
+ dnsServConfigImplementIdent OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the DNS
+ server software in use on the system, for example;
+ `FNS-2.1'"
+ ::= { dnsServConfig 1 }
+
+ dnsServConfigRecurs OBJECT-TYPE
+ SYNTAX INTEGER { available(1),
+ restricted(2),
+ unavailable(3) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "This represents the recursion services offered by this
+ name server. The values that can be read or written
+ are:
+
+ available(1) - performs recursion on requests from
+ clients.
+
+ restricted(2) - recursion is performed on requests only
+ from certain clients, for example; clients on an access
+ control list.
+
+ unavailable(3) - recursion is not available."
+ ::= { dnsServConfig 2 }
+
+ dnsServConfigUpTime OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process),
+ this value will be the time elapsed since it started.
+ For software without persistant state, this value will
+ be zero."
+ ::= { dnsServConfig 3 }
+
+ dnsServConfigResetTime OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Austein & Saperia [Page 9]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ DESCRIPTION
+ "If the server has a persistent state (e.g., a process)
+ and supports a `reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed since the last time the name server was
+ `reset.' For software that does not have persistence or
+ does not support a `reset' operation, this value will be
+ zero."
+ ::= { dnsServConfig 4 }
+
+ dnsServConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistant name
+ server state. When set to reset(2), any persistant
+ name server state (such as a process) is reinitialized as
+ if the name server had just been started. This value
+ will never be returned by a read operation. When read,
+ one of the following values will be returned:
+ other(1) - server in some unknown state;
+ initializing(3) - server (re)initializing;
+ running(4) - server currently running."
+ ::= { dnsServConfig 5 }
+
+
+ -- Server Counter Group
+
+ dnsServCounterAuthAns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries which were authoritatively answered."
+ ::= { dnsServCounter 2 }
+
+ dnsServCounterAuthNoNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries for which `authoritative no such name'
+ responses were made."
+ ::= { dnsServCounter 3 }
+
+
+
+Austein & Saperia [Page 10]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ dnsServCounterAuthNoDataResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries for which `authoritative no such data'
+ (empty answer) responses were made."
+ ::= { dnsServCounter 4 }
+
+ dnsServCounterNonAuthDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries which were non-authoritatively
+ answered (cached data)."
+ ::= { dnsServCounter 5 }
+
+ dnsServCounterNonAuthNoDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries which were non-authoritatively
+ answered with no data (empty answer)."
+ ::= { dnsServCounter 6 }
+
+ dnsServCounterReferrals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests that were referred to other servers."
+ ::= { dnsServCounter 7 }
+
+ dnsServCounterErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed that were
+ answered with errors (RCODE values other than 0 and 3)."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ ::= { dnsServCounter 8 }
+
+ dnsServCounterRelNames OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Austein & Saperia [Page 11]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received by the server for names that
+ are only 1 label long (text form - no internal dots)."
+ ::= { dnsServCounter 9 }
+
+ dnsServCounterReqRefusals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of DNS requests refused by the server."
+ ::= { dnsServCounter 10 }
+
+ dnsServCounterReqUnparses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received which were unparseable."
+ ::= { dnsServCounter 11 }
+
+ dnsServCounterOtherErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests which were aborted for other (local)
+ server errors."
+ ::= { dnsServCounter 12 }
+
+ -- DNS Server Counter Table
+
+ dnsServCounterTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsServCounterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Counter information broken down by DNS class and type."
+ ::= { dnsServCounter 13 }
+
+ dnsServCounterEntry OBJECT-TYPE
+ SYNTAX DnsServCounterEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains count information for each DNS class
+
+
+
+Austein & Saperia [Page 12]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ and type value known to the server. The index allows
+ management software to to create indices to the table to
+ get the specific information desired, e.g., number of
+ queries over UDP for records with type value `A' which
+ came to this server. In order to prevent an
+ uncontrolled expansion of rows in the table; if
+ dnsServCounterRequests is 0 and dnsServCounterResponses
+ is 0, then the row does not exist and `no such' is
+ returned when the agent is queried for such instances."
+ INDEX { dnsServCounterOpCode,
+ dnsServCounterQClass,
+ dnsServCounterQType,
+ dnsServCounterTransport }
+ ::= { dnsServCounterTable 1 }
+
+ DnsServCounterEntry ::=
+ SEQUENCE {
+ dnsServCounterOpCode
+ DnsOpCode,
+ dnsServCounterQClass
+ DnsClass,
+ dnsServCounterQType
+ DnsType,
+ dnsServCounterTransport
+ INTEGER,
+ dnsServCounterRequests
+ Counter32,
+ dnsServCounterResponses
+ Counter32
+ }
+
+ dnsServCounterOpCode OBJECT-TYPE
+ SYNTAX DnsOpCode
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The DNS OPCODE being counted in this row of the table."
+ ::= { dnsServCounterEntry 1 }
+
+ dnsServCounterQClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The class of record being counted in this row of the
+ table."
+ ::= { dnsServCounterEntry 2 }
+
+
+
+
+Austein & Saperia [Page 13]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ dnsServCounterQType OBJECT-TYPE
+ SYNTAX DnsType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The type of record which is being counted in this row in
+ the table."
+ ::= { dnsServCounterEntry 3 }
+
+ dnsServCounterTransport OBJECT-TYPE
+ SYNTAX INTEGER { udp(1), tcp(2), other(3) }
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A value of udp(1) indicates that the queries reported on
+ this row were sent using UDP.
+
+ A value of tcp(2) indicates that the queries reported on
+ this row were sent using TCP.
+
+ A value of other(3) indicates that the queries reported
+ on this row were sent using a transport that was neither
+ TCP nor UDP."
+ ::= { dnsServCounterEntry 4 }
+
+ dnsServCounterRequests OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests (queries) that have been recorded in
+ this row of the table."
+ ::= { dnsServCounterEntry 5 }
+
+ dnsServCounterResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses made by the server since
+ initialization for the kind of query identified on this
+ row of the table."
+ ::= { dnsServCounterEntry 6 }
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 14]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ -- Server Optional Counter Group
+
+ -- The Server Optional Counter Group is intended for those systems
+ -- which make distinctions between the different sources of the DNS
+ -- queries as defined below.
+ --
+ -- Objects in this group are implemented on servers which distinguish
+ -- between queries which originate from the same host as the server,
+ -- queries from one of an arbitrary group of hosts that are on an
+ -- access list defined by the server, and queries from hosts that do
+ -- not fit either of these descriptions.
+ --
+ -- The objects found in the Server Counter group are totals. Thus if
+ -- one wanted to identify, for example, the number of queries from
+ -- `remote' hosts which have been given authoritative answers, one
+ -- would subtract the current values of ServOptCounterFriendsAuthAns
+ -- and ServOptCounterSelfAuthAns from servCounterAuthAns.
+ --
+ -- The purpose of these distinctions is to allow for implementations
+ -- to group queries and responses on this basis. One way in which
+ -- servers may make these distinctions is by looking at the source IP
+ -- address of the DNS query. If the source of the query is `your
+ -- own' then the query should be counted as `yourself' (local host).
+ -- If the source of the query matches an `access list,' the query
+ -- came from a friend. What constitutes an `access list' is
+ -- implementation dependent and could be as simple as a rule that all
+ -- hosts on the same IP network as the DNS server are classed
+ -- `friends.'
+ --
+ -- In order to avoid double counting, the following rules apply:
+ --
+ -- 1. No host is in more than one of the three groups defined above.
+ --
+ -- 2. All queries from the local host are always counted in the
+ -- `yourself' group regardless of what the access list, if any,
+ -- says.
+ --
+ -- 3. The access list should not define `your friends' in such a way
+ -- that it includes all hosts. That is, not everybody is your
+ -- `friend.'
+
+ dnsServOptCounterSelfAuthAns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host for which
+
+
+
+Austein & Saperia [Page 15]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ there has been an authoritative answer."
+ ::= { dnsServOptCounter 1 }
+
+ dnsServOptCounterSelfAuthNoNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host for which
+ there has been an authoritative no such name answer
+ given."
+ ::= { dnsServOptCounter 2 }
+
+ dnsServOptCounterSelfAuthNoDataResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host for which
+ there has been an authoritative no such data answer
+ (empty answer) made."
+ ::= { dnsServOptCounter 3 }
+
+ dnsServOptCounterSelfNonAuthDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host for which a
+ non-authoritative answer (cached data) was made."
+ ::= { dnsServOptCounter 4 }
+
+ dnsServOptCounterSelfNonAuthNoDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host for which a
+ `non-authoritative, no such data' response was made
+ (empty answer)."
+ ::= { dnsServOptCounter 5 }
+
+ dnsServOptCounterSelfReferrals OBJECT-TYPE
+ SYNTAX Counter32
+
+
+
+Austein & Saperia [Page 16]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries the server has processed which
+ originated from a resolver on the same host and were
+ referred to other servers."
+ ::= { dnsServOptCounter 6 }
+
+ dnsServOptCounterSelfErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from a resolver on the same host which have
+ been answered with errors (RCODEs other than 0 and 3)."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ ::= { dnsServOptCounter 7 }
+
+ dnsServOptCounterSelfRelNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received for names that are only 1
+ label long (text form - no internal dots) the server has
+ processed which originated from a resolver on the same
+ host."
+ ::= { dnsServOptCounter 8 }
+
+ dnsServOptCounterSelfReqRefusals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of DNS requests refused by the server which
+ originated from a resolver on the same host."
+ ::= { dnsServOptCounter 9 }
+
+ dnsServOptCounterSelfReqUnparses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received which were unparseable and
+ which originated from a resolver on the same host."
+ ::= { dnsServOptCounter 10 }
+
+
+
+Austein & Saperia [Page 17]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ dnsServOptCounterSelfOtherErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests which were aborted for other (local)
+ server errors and which originated on the same host."
+ ::= { dnsServOptCounter 11 }
+
+ dnsServOptCounterFriendsAuthAns OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries originating from friends which were
+ authoritatively answered. The definition of friends is
+ a locally defined matter."
+ ::= { dnsServOptCounter 12 }
+
+ dnsServOptCounterFriendsAuthNoNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries originating from friends, for which
+ authoritative `no such name' responses were made. The
+ definition of friends is a locally defined matter."
+ ::= { dnsServOptCounter 13 }
+
+ dnsServOptCounterFriendsAuthNoDataResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries originating from friends for which
+ authoritative no such data (empty answer) responses were
+ made. The definition of friends is a locally defined
+ matter."
+ ::= { dnsServOptCounter 14 }
+
+ dnsServOptCounterFriendsNonAuthDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries originating from friends which were
+ non-authoritatively answered (cached data). The
+ definition of friends is a locally defined matter."
+
+
+
+Austein & Saperia [Page 18]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ ::= { dnsServOptCounter 15 }
+
+ dnsServOptCounterFriendsNonAuthNoDatas OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries originating from friends which were
+ non-authoritatively answered with no such data (empty
+ answer)."
+ ::= { dnsServOptCounter 16 }
+
+ dnsServOptCounterFriendsReferrals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests which originated from friends that
+ were referred to other servers. The definition of
+ friends is a locally defined matter."
+ ::= { dnsServOptCounter 17 }
+
+ dnsServOptCounterFriendsErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests the server has processed which
+ originated from friends and were answered with errors
+ (RCODE values other than 0 and 3). The definition of
+ friends is a locally defined matter."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ ::= { dnsServOptCounter 18 }
+
+ dnsServOptCounterFriendsRelNames OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received for names from friends that
+ are only 1 label long (text form - no internal dots) the
+ server has processed."
+ ::= { dnsServOptCounter 19 }
+
+ dnsServOptCounterFriendsReqRefusals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+
+
+
+Austein & Saperia [Page 19]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "Number of DNS requests refused by the server which were
+ received from `friends'."
+ ::= { dnsServOptCounter 20 }
+
+ dnsServOptCounterFriendsReqUnparses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests received which were unparseable and
+ which originated from `friends'."
+ ::= { dnsServOptCounter 21 }
+
+ dnsServOptCounterFriendsOtherErrors OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests which were aborted for other (local)
+ server errors and which originated from `friends'."
+ ::= { dnsServOptCounter 22 }
+
+
+ -- Server Zone Group
+
+ -- DNS Management Zone Configuration Table
+
+ -- This table contains zone configuration information.
+
+ dnsServZoneTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsServZoneEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table of zones for which this name server provides
+ information. Each of the zones may be loaded from stable
+ storage via an implementation-specific mechanism or may
+ be obtained from another name server via a zone transfer.
+
+ If name server doesn't load any zones, this table is
+ empty."
+ ::= { dnsServZone 1 }
+
+ dnsServZoneEntry OBJECT-TYPE
+ SYNTAX DnsServZoneEntry
+ MAX-ACCESS not-accessible
+
+
+
+Austein & Saperia [Page 20]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "An entry in the name server zone table. New rows may be
+ added either via SNMP or by the name server itself."
+ INDEX { dnsServZoneName,
+ dnsServZoneClass }
+ ::= { dnsServZoneTable 1 }
+
+ DnsServZoneEntry ::=
+ SEQUENCE {
+ dnsServZoneName
+ DnsNameAsIndex,
+ dnsServZoneClass
+ DnsClass,
+ dnsServZoneLastReloadSuccess
+ DnsTime,
+ dnsServZoneLastReloadAttempt
+ DnsTime,
+ dnsServZoneLastSourceAttempt
+ IpAddress,
+ dnsServZoneStatus
+ RowStatus,
+ dnsServZoneSerial
+ Counter32,
+ dnsServZoneCurrent
+ TruthValue,
+ dnsServZoneLastSourceSuccess
+ IpAddress
+ }
+
+ dnsServZoneName OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS name of the zone described by this row of the table.
+ This is the owner name of the SOA RR that defines the
+ top of the zone. This is name is in uppercase:
+ characters 'a' through 'z' are mapped to 'A' through 'Z'
+ in order to make the lexical ordering useful."
+ ::= { dnsServZoneEntry 1 }
+
+ dnsServZoneClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS class of the RRs in this zone."
+
+
+
+Austein & Saperia [Page 21]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ ::= { dnsServZoneEntry 2 }
+
+ dnsServZoneLastReloadSuccess OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Elapsed time in seconds since last successful reload of
+ this zone."
+ ::= { dnsServZoneEntry 3 }
+
+ dnsServZoneLastReloadAttempt OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Elapsed time in seconds since last attempted reload of
+ this zone."
+ ::= { dnsServZoneEntry 4 }
+
+ dnsServZoneLastSourceAttempt OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IP address of host from which most recent zone transfer
+ of this zone was attempted. This value should match the
+ value of dnsServZoneSourceSuccess if the attempt was
+ succcessful. If zone transfer has not been attempted
+ within the memory of this name server, this value should
+ be 0.0.0.0."
+ ::= { dnsServZoneEntry 5 }
+
+ dnsServZoneStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The status of the information represented in this row of
+ the table."
+ ::= { dnsServZoneEntry 6 }
+
+ dnsServZoneSerial OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Zone serial number (from the SOA RR) of the zone
+
+
+
+Austein & Saperia [Page 22]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ represented by this row of the table. If the zone has
+ not been successfully loaded within the memory of this
+ name server, the value of this variable is zero."
+ ::= { dnsServZoneEntry 7 }
+
+ dnsServZoneCurrent OBJECT-TYPE
+ SYNTAX TruthValue
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Whether the server's copy of the zone represented by
+ this row of the table is currently valid. If the zone
+ has never been successfully loaded or has expired since
+ it was last succesfully loaded, this variable will have
+ the value false(2), otherwise this variable will have
+ the value true(1)."
+ ::= { dnsServZoneEntry 8 }
+
+ dnsServZoneLastSourceSuccess OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "IP address of host which was the source of the most
+ recent successful zone transfer for this zone. If
+ unknown (e.g., zone has never been successfully
+ transfered) or irrelevant (e.g., zone was loaded from
+ stable storage), this value should be 0.0.0.0."
+ ::= { dnsServZoneEntry 9 }
+
+ -- DNS Zone Source Table
+
+ dnsServZoneSrcTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsServZoneSrcEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table is a list of IP addresses from which the
+ server will attempt to load zone information using DNS
+ zone transfer operations. A reload may occur due to SNMP
+ operations that create a row in dnsServZoneTable or a
+ SET to object dnsServZoneReload. This table is only
+ used when the zone is loaded via zone transfer."
+ ::= { dnsServZone 2 }
+
+ dnsServZoneSrcEntry OBJECT-TYPE
+ SYNTAX DnsServZoneSrcEntry
+ MAX-ACCESS not-accessible
+
+
+
+Austein & Saperia [Page 23]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "An entry in the name server zone source table."
+ INDEX { dnsServZoneSrcName,
+ dnsServZoneSrcClass,
+ dnsServZoneSrcAddr }
+ ::= { dnsServZoneSrcTable 1 }
+
+ DnsServZoneSrcEntry ::=
+ SEQUENCE {
+ dnsServZoneSrcName
+ DnsNameAsIndex,
+ dnsServZoneSrcClass
+ DnsClass,
+ dnsServZoneSrcAddr
+ IpAddress,
+ dnsServZoneSrcStatus
+ RowStatus
+ }
+
+ dnsServZoneSrcName OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS name of the zone to which this entry applies."
+ ::= { dnsServZoneSrcEntry 1 }
+
+ dnsServZoneSrcClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS class of zone to which this entry applies."
+ ::= { dnsServZoneSrcEntry 2 }
+
+ dnsServZoneSrcAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "IP address of name server host from which this zone
+ might be obtainable."
+ ::= { dnsServZoneSrcEntry 3 }
+
+ dnsServZoneSrcStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+
+
+
+Austein & Saperia [Page 24]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "The status of the information represented in this row of
+ the table."
+ ::= { dnsServZoneSrcEntry 4 }
+
+
+ -- SNMPv2 groups.
+
+ dnsServMIBGroups OBJECT IDENTIFIER ::= { dnsServMIB 2 }
+
+ dnsServConfigGroup OBJECT-GROUP
+ OBJECTS { dnsServConfigImplementIdent,
+ dnsServConfigRecurs,
+ dnsServConfigUpTime,
+ dnsServConfigResetTime,
+ dnsServConfigReset }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic configuration
+ control of a DNS name server."
+ ::= { dnsServMIBGroups 1 }
+
+ dnsServCounterGroup OBJECT-GROUP
+ OBJECTS { dnsServCounterAuthAns,
+ dnsServCounterAuthNoNames,
+ dnsServCounterAuthNoDataResps,
+ dnsServCounterNonAuthDatas,
+ dnsServCounterNonAuthNoDatas,
+ dnsServCounterReferrals,
+ dnsServCounterErrors,
+ dnsServCounterRelNames,
+ dnsServCounterReqRefusals,
+ dnsServCounterReqUnparses,
+ dnsServCounterOtherErrors,
+ dnsServCounterOpCode,
+ dnsServCounterQClass,
+ dnsServCounterQType,
+ dnsServCounterTransport,
+ dnsServCounterRequests,
+ dnsServCounterResponses }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic instrumentation
+ of a DNS name server."
+ ::= { dnsServMIBGroups 2 }
+
+
+
+
+
+Austein & Saperia [Page 25]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ dnsServOptCounterGroup OBJECT-GROUP
+ OBJECTS { dnsServOptCounterSelfAuthAns,
+ dnsServOptCounterSelfAuthNoNames,
+ dnsServOptCounterSelfAuthNoDataResps,
+ dnsServOptCounterSelfNonAuthDatas,
+ dnsServOptCounterSelfNonAuthNoDatas,
+ dnsServOptCounterSelfReferrals,
+ dnsServOptCounterSelfErrors,
+ dnsServOptCounterSelfRelNames,
+ dnsServOptCounterSelfReqRefusals,
+ dnsServOptCounterSelfReqUnparses,
+ dnsServOptCounterSelfOtherErrors,
+ dnsServOptCounterFriendsAuthAns,
+ dnsServOptCounterFriendsAuthNoNames,
+ dnsServOptCounterFriendsAuthNoDataResps,
+ dnsServOptCounterFriendsNonAuthDatas,
+ dnsServOptCounterFriendsNonAuthNoDatas,
+ dnsServOptCounterFriendsReferrals,
+ dnsServOptCounterFriendsErrors,
+ dnsServOptCounterFriendsRelNames,
+ dnsServOptCounterFriendsReqRefusals,
+ dnsServOptCounterFriendsReqUnparses,
+ dnsServOptCounterFriendsOtherErrors }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing extended
+ instrumentation of a DNS name server."
+ ::= { dnsServMIBGroups 3 }
+
+ dnsServZoneGroup OBJECT-GROUP
+ OBJECTS { dnsServZoneName,
+ dnsServZoneClass,
+ dnsServZoneLastReloadSuccess,
+ dnsServZoneLastReloadAttempt,
+ dnsServZoneLastSourceAttempt,
+ dnsServZoneLastSourceSuccess,
+ dnsServZoneStatus,
+ dnsServZoneSerial,
+ dnsServZoneCurrent,
+ dnsServZoneSrcName,
+ dnsServZoneSrcClass,
+ dnsServZoneSrcAddr,
+ dnsServZoneSrcStatus }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing configuration control
+ of a DNS name server which loads authoritative zones."
+ ::= { dnsServMIBGroups 4 }
+
+
+
+Austein & Saperia [Page 26]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ -- Compliances.
+
+ dnsServMIBCompliances OBJECT IDENTIFIER ::= { dnsServMIB 3 }
+
+ dnsServMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for agents implementing the DNS
+ name server MIB extensions."
+ MODULE -- This MIB module
+ MANDATORY-GROUPS { dnsServConfigGroup, dnsServCounterGroup }
+ GROUP dnsServOptCounterGroup
+ DESCRIPTION
+ "The server optional counter group is unconditionally
+ optional."
+ GROUP dnsServZoneGroup
+ DESCRIPTION
+ "The server zone group is mandatory for any name server
+ that acts as an authoritative server for any DNS zone."
+ OBJECT dnsServConfigRecurs
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsServConfigReset
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ ::= { dnsServMIBCompliances 1 }
+
+ END
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 27]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+5. Acknowledgements
+
+ This document is the result of work undertaken the by DNS working
+ group. The authors would particularly like to thank the following
+ people for their contributions to this document: Philip Almquist,
+ Frank Kastenholz (FTP Software), Joe Peck (DEC), Dave Perkins
+ (SynOptics), Win Treese (DEC), and Mimi Zohar (IBM).
+
+6. References
+
+ [1] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
+ 13, RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names -- Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [3] Braden, R., Editor, "Requirements for Internet Hosts --
+ Application and Support, STD 3, RFC 1123, USC/Information
+ Sciences Institute, October 1989.
+
+ [4] Rose, M., and K. McCloghrie, "Structure and Identification of
+ Management Information for TCP/IP-based internets", STD 16, RFC
+ 1155, Performance Systems International, Hughes LAN Systems, May
+ 1990.
+
+ [5] McCloghrie, K., and M. Rose, "Management Information Base for
+ Network Management of TCP/IP-based internets", RFC 1156, Hughes
+ LAN Systems, Performance Systems International, May 1990.
+
+ [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
+ Network Management Protocol", STD 15, RFC 1157, SNMP Research,
+ Performance Systems International, Performance Systems
+ International, MIT Laboratory for Computer Science, May 1990.
+
+ [7] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
+ STD 16, RFC 1212, Performance Systems International, Hughes LAN
+ Systems, March 1991.
+
+ [8] McCloghrie, K., and M. Rose, Editors, "Management Information
+ Base for Network Management of TCP/IP-based internets: MIB-II",
+ STD 17, RFC 1213, Hughes LAN Systems, Performance Systems
+ International, March 1991.
+
+ [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
+ of Management Information for version 2 of the Simple Network
+ Management Protocol (SNMPv2)", RFC 1442, SNMP Research, Inc.,
+ Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+
+
+
+Austein & Saperia [Page 28]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+ University, April 1993.
+
+ [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
+ Conventions for version 2 of the the Simple Network Management
+ Protocol (SNMPv2)", RFC 1443, SNMP Research, Inc., Hughes LAN
+ Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [11] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+ "Conformance Statements for version 2 of the the Simple Network
+ Management Protocol (SNMPv2)", RFC 1444, SNMP Research, Inc.,
+ Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [12] Galvin, J., and K. McCloghrie, "Administrative Model for version
+ 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1445,
+ Trusted Information Systems, Hughes LAN Systems, April 1993.
+
+ [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
+ Operations for version 2 of the Simple Network Management
+ Protocol (SNMPv2)", RFC 1448, SNMP Research, Inc., Hughes LAN
+ Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [14] "Information processing systems - Open Systems Interconnection -
+ Specification of Abstract Syntax Notation One (ASN.1)",
+ International Organization for Standardization, International
+ Standard 8824, December 1987.
+
+7. Security Considerations
+
+ Security issues are not discussed in this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 29]
+
+RFC 1611 DNS Server MIB Extensions May 1994
+
+
+8. Authors' Addresses
+
+ Rob Austein
+ Epilogue Technology Corporation
+ 268 Main Street, Suite 283
+ North Reading, MA 01864
+ USA
+
+ Phone: +1-617-245-0804
+ Fax: +1-617-245-8122
+ EMail: sra@epilogue.com
+
+
+ Jon Saperia
+ Digital Equipment Corporation
+ 110 Spit Brook Road
+ ZKO1-3/H18
+ Nashua, NH 03062-2698
+ USA
+
+ Phone: +1-603-881-0480
+ Fax: +1-603-881-0120
+ EMail: saperia@zko.dec.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 30]
+
diff --git a/contrib/bind9/doc/rfc/rfc1612.txt b/contrib/bind9/doc/rfc/rfc1612.txt
new file mode 100644
index 0000000..4ef23b0
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1612.txt
@@ -0,0 +1,1795 @@
+
+
+
+
+
+
+Network Working Group R. Austein
+Request for Comments: 1612 Epilogue Technology Corporation
+Category: Standards Track J. Saperia
+ Digital Equipment Corporation
+ May 1994
+
+
+ DNS Resolver MIB Extensions
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Table of Contents
+
+ 1. Introduction .............................................. 1
+ 2. The SNMPv2 Network Management Framework ................... 2
+ 2.1 Object Definitions ....................................... 2
+ 3. Overview .................................................. 2
+ 3.1 Resolvers ................................................ 3
+ 3.2 Name Servers ............................................. 3
+ 3.3 Selected Objects ......................................... 4
+ 3.4 Textual Conventions ...................................... 4
+ 4. Definitions ............................................... 5
+ 5. Acknowledgements .......................................... 30
+ 6. References ................................................ 30
+ 7. Security Considerations ................................... 32
+ 8. Authors' Addresses ........................................ 32
+
+1. Introduction
+
+ This memo defines a portion of the Management Information Base (MIB)
+ for use with network management protocols in the Internet community.
+ In particular, it describes a set of extensions which instrument DNS
+ resolver functions. This memo was produced by the DNS working group.
+
+ With the adoption of the Internet-standard Network Management
+ Framework [4,5,6,7], and with a large number of vendor
+ implementations of these standards in commercially available
+ products, it became possible to provide a higher level of effective
+ network management in TCP/IP-based internets than was previously
+ available. With the growth in the use of these standards, it has
+ become possible to consider the management of other elements of the
+ infrastructure beyond the basic TCP/IP protocols. A key element of
+
+
+
+Austein & Saperia [Page 1]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ the TCP/IP infrastructure is the DNS.
+
+ Up to this point there has been no mechanism to integrate the
+ management of the DNS with SNMP-based managers. This memo provides
+ the mechanisms by which IP-based management stations can effectively
+ manage DNS resolver software in an integrated fashion.
+
+ We have defined DNS MIB objects to be used in conjunction with the
+ Internet MIB to allow access to and control of DNS resolver software
+ via SNMP by the Internet community.
+
+2. The SNMPv2 Network Management Framework
+
+ The SNMPv2 Network Management Framework consists of four major
+ components. They are:
+
+ o RFC 1442 which defines the SMI, the mechanisms used for
+ describing and naming objects for the purpose of management.
+
+ o STD 17, RFC 1213 defines MIB-II, the core set of managed
+ objects for the Internet suite of protocols.
+
+ o RFC 1445 which defines the administrative and other
+ architectural aspects of the framework.
+
+ o RFC 1448 which defines the protocol used for network access to
+ managed objects.
+
+ The Framework permits new objects to be defined for the purpose of
+ experimentation and evaluation.
+
+2.1. Object Definitions
+
+ Managed objects are accessed via a virtual information store, termed
+ the Management Information Base or MIB. Objects in the MIB are
+ defined using the subset of Abstract Syntax Notation One (ASN.1)
+ defined in the SMI. In particular, each object object type is named
+ by an OBJECT IDENTIFIER, an administratively assigned name. The
+ object type together with an object instance serves to uniquely
+ identify a specific instantiation of the object. For human
+ convenience, we often use a textual string, termed the descriptor, to
+ refer to the object type.
+
+3. Overview
+
+ In theory, the DNS world is pretty simple. There are two kinds of
+ entities: resolvers and name servers. Resolvers ask questions. Name
+ servers answer them. The real world, however, is not so simple.
+
+
+
+Austein & Saperia [Page 2]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ Implementors have made widely differing choices about how to divide
+ DNS functions between resolvers and servers. They have also
+ constructed various sorts of exotic hybrids. The most difficult task
+ in defining this MIB was to accommodate this wide range of entities
+ without having to come up with a separate MIB for each.
+
+ We divided up the various DNS functions into two, non-overlapping
+ classes, called "resolver functions" and "name server functions." A
+ DNS entity that performs what we define as resolver functions
+ contains a resolver, and therefore must implement the MIB groups
+ required of all resolvers which are defined in this module. Some
+ resolvers also implement "optional" functions such as a cache, in
+ which case they must also implement the cache group contained in this
+ MIB. A DNS entity which implements name server functions is
+ considered to be a name server, and must implement the MIB groups
+ required for name servers which are defined in a separate module. If
+ the same piece of software performs both resolver and server
+ functions, we imagine that it contains both a resolver and a server
+ and would thus implement both the DNS Server and DNS Resolver MIBs.
+
+3.1. Resolvers
+
+ In our model, a resolver is a program (or piece thereof) which
+ obtains resource records from servers. Normally it does so at the
+ behest of an application, but may also do so as part of its own
+ operation. A resolver sends DNS protocol queries and receives DNS
+ protocol replies. A resolver neither receives queries nor sends
+ replies. A full service resolver is one that knows how to resolve
+ queries: it obtains the needed resource records by contacting a
+ server authoritative for the records desired. A stub resolver does
+ not know how to resolve queries: it sends all queries to a local name
+ server, setting the "recursion desired" flag to indicate that it
+ hopes that the name server will be willing to resolve the query. A
+ resolver may (optionally) have a cache for remembering previously
+ acquired resource records. It may also have a negative cache for
+ remembering names or data that have been determined not to exist.
+
+3.2. Name Servers
+
+ A name server is a program (or piece thereof) that provides resource
+ records to resolvers. All references in this document to "a name
+ server" imply "the name server's role"; in some cases the name
+ server's role and the resolver's role might be combined into a single
+ program. A name server receives DNS protocol queries and sends DNS
+ protocol replies. A name server neither sends queries nor receives
+ replies. As a consequence, name servers do not have caches.
+ Normally, a name server would expect to receive only those queries to
+ which it could respond with authoritative information. However, if a
+
+
+
+Austein & Saperia [Page 3]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ name server receives a query that it cannot respond to with purely
+ authoritative information, it may choose to try to obtain the
+ necessary additional information from a resolver which may or may not
+ be a separate process.
+
+3.3. Selected Objects
+
+ Many of the objects included in this memo have been created from
+ information contained in the DNS specifications [1,2], as amended and
+ clarified by subsequent host requirements documents [3]. Other
+ objects have been created based on experience with existing DNS
+ management tools, expected operational needs, the statistics
+ generated by existing DNS implementations, and the configuration
+ files used by existing DNS implementations. These objects have been
+ ordered into groups as follows:
+
+ o Resolver Configuration Group
+
+ o Resolver Counter Group
+
+ o Resolver Lame Delegation Group
+
+ o Resolver Cache Group
+
+ o Resolver Negative Cache Group
+
+ o Resolver Optional Counter Group
+
+ This information has been converted into a standard form using the
+ SNMPv2 SMI defined in [9]. For the most part, the descriptions are
+ influenced by the DNS related RFCs noted above. For example, the
+ descriptions for counters used for the various types of queries of
+ DNS records are influenced by the definitions used for the various
+ record types found in [2].
+
+3.4. Textual Conventions
+
+ Several conceptual data types have been introduced as a textual
+ conventions in the DNS Server MIB document and have been imported
+ into this MIB module. These additions will facilitate the common
+ understanding of information used by the DNS. No changes to the SMI
+ or the SNMP are necessary to support these conventions.
+
+ Readers familiar with MIBs designed to manage entities in the lower
+ layers of the Internet protocol suite may be surprised at the number
+ of non-enumerated integers used in this MIB to represent values such
+ as DNS RR class and type numbers. The reason for this choice is
+ simple: the DNS itself is designed as an extensible protocol,
+
+
+
+Austein & Saperia [Page 4]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ allowing new classes and types of resource records to be added to the
+ protocol without recoding the core DNS software. Using non-
+ enumerated integers to represent these data types in this MIB allows
+ the MIB to accommodate these changes as well.
+
+4. Definitions
+
+ DNS-RESOLVER-MIB DEFINITIONS ::= BEGIN
+
+ IMPORTS
+ MODULE-IDENTITY, OBJECT-TYPE, IpAddress, Counter32, Integer32
+ FROM SNMPv2-SMI
+ TEXTUAL-CONVENTION, RowStatus, DisplayString
+ FROM SNMPv2-TC
+ MODULE-COMPLIANCE, OBJECT-GROUP
+ FROM SNMPv2-CONF
+ dns, DnsName, DnsNameAsIndex, DnsClass, DnsType, DnsQClass,
+ DnsQType, DnsTime, DnsOpCode, DnsRespCode
+ FROM DNS-SERVER-MIB;
+
+ -- DNS Resolver MIB
+
+ dnsResMIB MODULE-IDENTITY
+ LAST-UPDATED "9401282250Z"
+ ORGANIZATION "IETF DNS Working Group"
+ CONTACT-INFO
+ " Rob Austein
+ Postal: Epilogue Technology Corporation
+ 268 Main Street, Suite 283
+ North Reading, MA 10864
+ US
+ Tel: +1 617 245 0804
+ Fax: +1 617 245 8122
+ E-Mail: sra@epilogue.com
+
+ Jon Saperia
+ Postal: Digital Equipment Corporation
+ 110 Spit Brook Road
+ ZKO1-3/H18
+ Nashua, NH 03062-2698
+ US
+ Tel: +1 603 881 0480
+ Fax: +1 603 881 0120
+ E-mail: saperia@zko.dec.com"
+ DESCRIPTION
+ "The MIB module for entities implementing the client
+ (resolver) side of the Domain Name System (DNS)
+ protocol."
+
+
+
+Austein & Saperia [Page 5]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ ::= { dns 2 }
+
+ dnsResMIBObjects OBJECT IDENTIFIER ::= { dnsResMIB 1 }
+
+ -- (Old-style) groups in the DNS resolver MIB.
+
+ dnsResConfig OBJECT IDENTIFIER ::= { dnsResMIBObjects 1 }
+ dnsResCounter OBJECT IDENTIFIER ::= { dnsResMIBObjects 2 }
+ dnsResLameDelegation OBJECT IDENTIFIER ::= { dnsResMIBObjects 3 }
+ dnsResCache OBJECT IDENTIFIER ::= { dnsResMIBObjects 4 }
+ dnsResNCache OBJECT IDENTIFIER ::= { dnsResMIBObjects 5 }
+ dnsResOptCounter OBJECT IDENTIFIER ::= { dnsResMIBObjects 6 }
+
+
+ -- Resolver Configuration Group
+
+ dnsResConfigImplementIdent OBJECT-TYPE
+ SYNTAX DisplayString
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The implementation identification string for the
+ resolver software in use on the system, for example;
+ `RES-2.1'"
+ ::= { dnsResConfig 1 }
+
+ dnsResConfigService OBJECT-TYPE
+ SYNTAX INTEGER { recursiveOnly(1),
+ iterativeOnly(2),
+ recursiveAndIterative(3) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Kind of DNS resolution service provided:
+
+ recursiveOnly(1) indicates a stub resolver.
+
+ iterativeOnly(2) indicates a normal full service
+ resolver.
+
+ recursiveAndIterative(3) indicates a full-service
+ resolver which performs a mix of recursive and iterative
+ queries."
+ ::= { dnsResConfig 2 }
+
+ dnsResConfigMaxCnames OBJECT-TYPE
+ SYNTAX INTEGER (0..2147483647)
+ MAX-ACCESS read-write
+
+
+
+Austein & Saperia [Page 6]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "Limit on how many CNAMEs the resolver should allow
+ before deciding that there's a CNAME loop. Zero means
+ that resolver has no explicit CNAME limit."
+ REFERENCE
+ "RFC-1035 section 7.1."
+ ::= { dnsResConfig 3 }
+
+ -- DNS Resolver Safety Belt Table
+
+ dnsResConfigSbeltTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResConfigSbeltEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table of safety belt information used by the resolver
+ when it hasn't got any better idea of where to send a
+ query, such as when the resolver is booting or is a stub
+ resolver."
+ ::= { dnsResConfig 4 }
+
+ dnsResConfigSbeltEntry OBJECT-TYPE
+ SYNTAX DnsResConfigSbeltEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the resolver's Sbelt table.
+ Rows may be created or deleted at any time by the DNS
+ resolver and by SNMP SET requests. Whether the values
+ changed via SNMP are saved in stable storage across
+ `reset' operations is implementation-specific."
+ INDEX { dnsResConfigSbeltAddr,
+ dnsResConfigSbeltSubTree,
+ dnsResConfigSbeltClass }
+ ::= { dnsResConfigSbeltTable 1 }
+
+ DnsResConfigSbeltEntry ::=
+ SEQUENCE {
+ dnsResConfigSbeltAddr
+ IpAddress,
+ dnsResConfigSbeltName
+ DnsName,
+ dnsResConfigSbeltRecursion
+ INTEGER,
+ dnsResConfigSbeltPref
+ INTEGER,
+ dnsResConfigSbeltSubTree
+
+
+
+Austein & Saperia [Page 7]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ DnsNameAsIndex,
+ dnsResConfigSbeltClass
+ DnsClass,
+ dnsResConfigSbeltStatus
+ RowStatus
+ }
+
+ dnsResConfigSbeltAddr OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The IP address of the Sbelt name server identified by
+ this row of the table."
+ ::= { dnsResConfigSbeltEntry 1 }
+
+ dnsResConfigSbeltName OBJECT-TYPE
+ SYNTAX DnsName
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "The DNS name of a Sbelt nameserver identified by this
+ row of the table. A zero-length string indicates that
+ the name is not known by the resolver."
+ ::= { dnsResConfigSbeltEntry 2 }
+
+ dnsResConfigSbeltRecursion OBJECT-TYPE
+ SYNTAX INTEGER { iterative(1),
+ recursive(2),
+ recursiveAndIterative(3) }
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Kind of queries resolver will be sending to the name
+ server identified in this row of the table:
+
+ iterative(1) indicates that resolver will be directing
+ iterative queries to this name server (RD bit turned
+ off).
+
+ recursive(2) indicates that resolver will be directing
+ recursive queries to this name server (RD bit turned
+ on).
+
+ recursiveAndIterative(3) indicates that the resolver
+ will be directing both recursive and iterative queries
+ to the server identified in this row of the table."
+ ::= { dnsResConfigSbeltEntry 3 }
+
+
+
+Austein & Saperia [Page 8]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResConfigSbeltPref OBJECT-TYPE
+ SYNTAX INTEGER (0..2147483647)
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "This value identifies the preference for the name server
+ identified in this row of the table. The lower the
+ value, the more desirable the resolver considers this
+ server."
+ ::= { dnsResConfigSbeltEntry 4 }
+
+ dnsResConfigSbeltSubTree OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Queries sent to the name server identified by this row
+ of the table are limited to those for names in the name
+ subtree identified by this variable. If no such
+ limitation applies, the value of this variable is the
+ name of the root domain (a DNS name consisting of a
+ single zero octet)."
+ ::= { dnsResConfigSbeltEntry 5 }
+
+ dnsResConfigSbeltClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The class of DNS queries that will be sent to the server
+ identified by this row of the table."
+ ::= { dnsResConfigSbeltEntry 6 }
+
+ dnsResConfigSbeltStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-create
+ STATUS current
+ DESCRIPTION
+ "Row status column for this row of the Sbelt table."
+ ::= { dnsResConfigSbeltEntry 7 }
+
+ dnsResConfigUpTime OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the resolver has a persistent state (e.g., a
+ process), this value will be the time elapsed since it
+
+
+
+Austein & Saperia [Page 9]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ started. For software without persistant state, this
+ value will be 0."
+ ::= { dnsResConfig 5 }
+
+ dnsResConfigResetTime OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "If the resolver has a persistent state (e.g., a process)
+ and supports a `reset' operation (e.g., can be told to
+ re-read configuration files), this value will be the
+ time elapsed since the last time the resolver was
+ `reset.' For software that does not have persistence or
+ does not support a `reset' operation, this value will be
+ zero."
+ ::= { dnsResConfig 6 }
+
+ dnsResConfigReset OBJECT-TYPE
+ SYNTAX INTEGER { other(1),
+ reset(2),
+ initializing(3),
+ running(4) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action object to reinitialize any persistant
+ resolver state. When set to reset(2), any persistant
+ resolver state (such as a process) is reinitialized as if
+ the resolver had just been started. This value will
+ never be returned by a read operation. When read, one of
+ the following values will be returned:
+ other(1) - resolver in some unknown state;
+ initializing(3) - resolver (re)initializing;
+ running(4) - resolver currently running."
+ ::= { dnsResConfig 7 }
+
+
+ -- Resolver Counters Group
+
+ -- Resolver Counter Table
+
+ dnsResCounterByOpcodeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResCounterByOpcodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table of the current count of resolver queries and
+
+
+
+Austein & Saperia [Page 10]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ answers."
+ ::= { dnsResCounter 3 }
+
+ dnsResCounterByOpcodeEntry OBJECT-TYPE
+ SYNTAX DnsResCounterByOpcodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Entry in the resolver counter table. Entries are
+ indexed by DNS OpCode."
+ INDEX { dnsResCounterByOpcodeCode }
+ ::= { dnsResCounterByOpcodeTable 1 }
+
+ DnsResCounterByOpcodeEntry ::=
+ SEQUENCE {
+ dnsResCounterByOpcodeCode
+ DnsOpCode,
+ dnsResCounterByOpcodeQueries
+ Counter32,
+ dnsResCounterByOpcodeResponses
+ Counter32
+ }
+
+ dnsResCounterByOpcodeCode OBJECT-TYPE
+ SYNTAX DnsOpCode
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index to this table. The OpCodes that have already
+ been defined are found in RFC-1035."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ ::= { dnsResCounterByOpcodeEntry 1 }
+
+ dnsResCounterByOpcodeQueries OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Total number of queries that have sent out by the
+ resolver since initialization for the OpCode which is
+ the index to this row of the table."
+ ::= { dnsResCounterByOpcodeEntry 2 }
+
+ dnsResCounterByOpcodeResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+
+
+
+Austein & Saperia [Page 11]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ DESCRIPTION
+ "Total number of responses that have been received by the
+ resolver since initialization for the OpCode which is
+ the index to this row of the table."
+ ::= { dnsResCounterByOpcodeEntry 3 }
+
+ -- Resolver Response Code Counter Table
+
+ dnsResCounterByRcodeTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResCounterByRcodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table of the current count of responses to resolver
+ queries."
+ ::= { dnsResCounter 4 }
+
+ dnsResCounterByRcodeEntry OBJECT-TYPE
+ SYNTAX DnsResCounterByRcodeEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Entry in the resolver response table. Entries are
+ indexed by DNS response code."
+ INDEX { dnsResCounterByRcodeCode }
+ ::= { dnsResCounterByRcodeTable 1 }
+
+ DnsResCounterByRcodeEntry ::=
+ SEQUENCE {
+ dnsResCounterByRcodeCode
+ DnsRespCode,
+ dnsResCounterByRcodeResponses
+ Counter32
+ }
+
+ dnsResCounterByRcodeCode OBJECT-TYPE
+ SYNTAX DnsRespCode
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "The index to this table. The Response Codes that have
+ already been defined are found in RFC-1035."
+ REFERENCE
+ "RFC-1035 section 4.1.1."
+ ::= { dnsResCounterByRcodeEntry 1 }
+
+
+
+
+
+
+Austein & Saperia [Page 12]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResCounterByRcodeResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses the resolver has received for the
+ response code value which identifies this row of the
+ table."
+ ::= { dnsResCounterByRcodeEntry 2 }
+
+ -- Additional DNS Resolver Counter Objects
+
+ dnsResCounterNonAuthDataResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests made by the resolver for which a
+ non-authoritative answer (cached data) was received."
+ ::= { dnsResCounter 5 }
+
+ dnsResCounterNonAuthNoDataResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests made by the resolver for which a
+ non-authoritative answer - no such data response (empty
+ answer) was received."
+ ::= { dnsResCounter 6 }
+
+ dnsResCounterMartians OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses received which were received from
+ servers that the resolver does not think it asked."
+ ::= { dnsResCounter 7 }
+
+ dnsResCounterRecdResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses received to all queries."
+ ::= { dnsResCounter 8 }
+
+
+
+
+Austein & Saperia [Page 13]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResCounterUnparseResps OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses received which were unparseable."
+ ::= { dnsResCounter 9 }
+
+ dnsResCounterFallbacks OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of times the resolver had to fall back to its
+ seat belt information."
+ ::= { dnsResCounter 10 }
+
+
+ -- Lame Delegation Group
+
+ dnsResLameDelegationOverflows OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of times the resolver attempted to add an entry
+ to the Lame Delegation table but was unable to for some
+ reason such as space constraints."
+ ::= { dnsResLameDelegation 1 }
+
+ -- Lame Delegation Table
+
+ dnsResLameDelegationTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResLameDelegationEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Table of name servers returning lame delegations.
+
+ A lame delegation has occured when a parent zone
+ delegates authority for a child zone to a server that
+ appears not to think that it is authoritative for the
+ child zone in question."
+ ::= { dnsResLameDelegation 2 }
+
+ dnsResLameDelegationEntry OBJECT-TYPE
+ SYNTAX DnsResLameDelegationEntry
+ MAX-ACCESS not-accessible
+
+
+
+Austein & Saperia [Page 14]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ STATUS current
+ DESCRIPTION
+ "Entry in lame delegation table. Only the resolver may
+ create rows in this table. SNMP SET requests may be used
+ to delete rows."
+ INDEX { dnsResLameDelegationSource,
+ dnsResLameDelegationName,
+ dnsResLameDelegationClass }
+ ::= { dnsResLameDelegationTable 1 }
+
+ DnsResLameDelegationEntry ::=
+ SEQUENCE {
+ dnsResLameDelegationSource
+ IpAddress,
+ dnsResLameDelegationName
+ DnsNameAsIndex,
+ dnsResLameDelegationClass
+ DnsClass,
+ dnsResLameDelegationCounts
+ Counter32,
+ dnsResLameDelegationStatus
+ RowStatus
+ }
+
+ dnsResLameDelegationSource OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Source of lame delegation."
+ ::= { dnsResLameDelegationEntry 1 }
+
+ dnsResLameDelegationName OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS name for which lame delegation was received."
+ ::= { dnsResLameDelegationEntry 2 }
+
+ dnsResLameDelegationClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS class of received lame delegation."
+ ::= { dnsResLameDelegationEntry 3 }
+
+
+
+
+Austein & Saperia [Page 15]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResLameDelegationCounts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "How many times this lame delegation has been received."
+ ::= { dnsResLameDelegationEntry 4 }
+
+ dnsResLameDelegationStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status column for the lame delegation table. Since only
+ the agent (DNS resolver) creates rows in this table, the
+ only values that a manager may write to this variable
+ are active(1) and destroy(6)."
+ ::= { dnsResLameDelegationEntry 5 }
+
+
+ -- Resolver Cache Group
+
+ dnsResCacheStatus OBJECT-TYPE
+ SYNTAX INTEGER { enabled(1), disabled(2), clear(3) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action for the resolver's cache.
+
+ enabled(1) means that the use of the cache is allowed.
+ Query operations can return this state.
+
+ disabled(2) means that the cache is not being used.
+ Query operations can return this state.
+
+ Setting this variable to clear(3) deletes the entire
+ contents of the resolver's cache, but does not otherwise
+ change the resolver's state. The status will retain its
+ previous value from before the clear operation (i.e.,
+ enabled(1) or disabled(2)). The value of clear(3) can
+ NOT be returned by a query operation."
+ ::= { dnsResCache 1 }
+
+ dnsResCacheMaxTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+
+
+
+Austein & Saperia [Page 16]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ "Maximum Time-To-Live for RRs in this cache. If the
+ resolver does not implement a TTL ceiling, the value of
+ this field should be zero."
+ ::= { dnsResCache 2 }
+
+ dnsResCacheGoodCaches OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of RRs the resolver has cached successfully."
+ ::= { dnsResCache 3 }
+
+ dnsResCacheBadCaches OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of RRs the resolver has refused to cache because
+ they appear to be dangerous or irrelevant. E.g., RRs
+ with suspiciously high TTLs, unsolicited root
+ information, or that just don't appear to be relevant to
+ the question the resolver asked."
+ ::= { dnsResCache 4 }
+
+ -- Resolver Cache Table
+
+ dnsResCacheRRTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResCacheRREntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "This table contains information about all the resource
+ records currently in the resolver's cache."
+ ::= { dnsResCache 5 }
+
+ dnsResCacheRREntry OBJECT-TYPE
+ SYNTAX DnsResCacheRREntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the resolvers's cache. Rows may be created
+ only by the resolver. SNMP SET requests may be used to
+ delete rows."
+ INDEX { dnsResCacheRRName,
+ dnsResCacheRRClass,
+ dnsResCacheRRType,
+ dnsResCacheRRIndex }
+
+
+
+Austein & Saperia [Page 17]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ ::= { dnsResCacheRRTable 1 }
+
+ DnsResCacheRREntry ::=
+ SEQUENCE {
+ dnsResCacheRRName
+ DnsNameAsIndex,
+ dnsResCacheRRClass
+ DnsClass,
+ dnsResCacheRRType
+ DnsType,
+ dnsResCacheRRTTL
+ DnsTime,
+ dnsResCacheRRElapsedTTL
+ DnsTime,
+ dnsResCacheRRSource
+ IpAddress,
+ dnsResCacheRRData
+ OCTET STRING,
+ dnsResCacheRRStatus
+ RowStatus,
+ dnsResCacheRRIndex
+ Integer32,
+ dnsResCacheRRPrettyName
+ DnsName
+ }
+
+ dnsResCacheRRName OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "Owner name of the Resource Record in the cache which is
+ identified in this row of the table. As described in
+ RFC-1034, the owner of the record is the domain name
+ were the RR is found."
+ REFERENCE
+ "RFC-1034 section 3.6."
+ ::= { dnsResCacheRREntry 1 }
+
+ dnsResCacheRRClass OBJECT-TYPE
+ SYNTAX DnsClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS class of the Resource Record in the cache which is
+ identified in this row of the table."
+ ::= { dnsResCacheRREntry 2 }
+
+
+
+
+Austein & Saperia [Page 18]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResCacheRRType OBJECT-TYPE
+ SYNTAX DnsType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS type of the Resource Record in the cache which is
+ identified in this row of the table."
+ ::= { dnsResCacheRREntry 3 }
+
+ dnsResCacheRRTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time-To-Live of RR in DNS cache. This is the initial
+ TTL value which was received with the RR when it was
+ originally received."
+ ::= { dnsResCacheRREntry 4 }
+
+ dnsResCacheRRElapsedTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Elapsed seconds since RR was received."
+ ::= { dnsResCacheRREntry 5 }
+
+ dnsResCacheRRSource OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Host from which RR was received, 0.0.0.0 if unknown."
+ ::= { dnsResCacheRREntry 6 }
+
+ dnsResCacheRRData OBJECT-TYPE
+ SYNTAX OCTET STRING
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "RDATA portion of a cached RR. The value is in the
+ format defined for the particular DNS class and type of
+ the resource record."
+ REFERENCE
+ "RFC-1035 section 3.2.1."
+ ::= { dnsResCacheRREntry 7 }
+
+
+
+
+
+Austein & Saperia [Page 19]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResCacheRRStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status column for the resolver cache table. Since only
+ the agent (DNS resolver) creates rows in this table, the
+ only values that a manager may write to this variable
+ are active(1) and destroy(6)."
+ ::= { dnsResCacheRREntry 8 }
+
+ dnsResCacheRRIndex OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "A value which makes entries in the table unique when the
+ other index values (dnsResCacheRRName,
+ dnsResCacheRRClass, and dnsResCacheRRType) do not
+ provide a unique index."
+ ::= { dnsResCacheRREntry 9 }
+
+ dnsResCacheRRPrettyName OBJECT-TYPE
+ SYNTAX DnsName
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Name of the RR at this row in the table. This is
+ identical to the dnsResCacheRRName variable, except that
+ character case is preserved in this variable, per DNS
+ conventions."
+ REFERENCE
+ "RFC-1035 section 2.3.3."
+ ::= { dnsResCacheRREntry 10 }
+
+ -- Resolver Negative Cache Group
+
+ dnsResNCacheStatus OBJECT-TYPE
+ SYNTAX INTEGER { enabled(1), disabled(2), clear(3) }
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status/action for the resolver's negative response
+ cache.
+
+ enabled(1) means that the use of the negative response
+ cache is allowed. Query operations can return this
+ state.
+
+
+
+Austein & Saperia [Page 20]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ disabled(2) means that the negative response cache is
+ not being used. Query operations can return this state.
+
+ Setting this variable to clear(3) deletes the entire
+ contents of the resolver's negative response cache. The
+ status will retain its previous value from before the
+ clear operation (i.e., enabled(1) or disabled(2)). The
+ value of clear(3) can NOT be returned by a query
+ operation."
+ ::= { dnsResNCache 1 }
+
+ dnsResNCacheMaxTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Maximum Time-To-Live for cached authoritative errors.
+ If the resolver does not implement a TTL ceiling, the
+ value of this field should be zero."
+ ::= { dnsResNCache 2 }
+
+ dnsResNCacheGoodNCaches OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of authoritative errors the resolver has cached
+ successfully."
+ ::= { dnsResNCache 3 }
+
+ dnsResNCacheBadNCaches OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of authoritative errors the resolver would have
+ liked to cache but was unable to because the appropriate
+ SOA RR was not supplied or looked suspicious."
+ REFERENCE
+ "RFC-1034 section 4.3.4."
+ ::= { dnsResNCache 4 }
+
+ -- Resolver Negative Cache Table
+
+ dnsResNCacheErrTable OBJECT-TYPE
+ SYNTAX SEQUENCE OF DnsResNCacheErrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+
+
+
+Austein & Saperia [Page 21]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ DESCRIPTION
+ "The resolver's negative response cache. This table
+ contains information about authoritative errors that
+ have been cached by the resolver."
+ ::= { dnsResNCache 5 }
+
+ dnsResNCacheErrEntry OBJECT-TYPE
+ SYNTAX DnsResNCacheErrEntry
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "An entry in the resolver's negative response cache
+ table. Only the resolver can create rows. SNMP SET
+ requests may be used to delete rows."
+ INDEX { dnsResNCacheErrQName,
+ dnsResNCacheErrQClass,
+ dnsResNCacheErrQType,
+ dnsResNCacheErrIndex }
+ ::= { dnsResNCacheErrTable 1 }
+
+ DnsResNCacheErrEntry ::=
+ SEQUENCE {
+ dnsResNCacheErrQName
+ DnsNameAsIndex,
+ dnsResNCacheErrQClass
+ DnsQClass,
+ dnsResNCacheErrQType
+ DnsQType,
+ dnsResNCacheErrTTL
+ DnsTime,
+ dnsResNCacheErrElapsedTTL
+ DnsTime,
+ dnsResNCacheErrSource
+ IpAddress,
+ dnsResNCacheErrCode
+ INTEGER,
+ dnsResNCacheErrStatus
+ RowStatus,
+ dnsResNCacheErrIndex
+ Integer32,
+ dnsResNCacheErrPrettyName
+ DnsName
+ }
+
+ dnsResNCacheErrQName OBJECT-TYPE
+ SYNTAX DnsNameAsIndex
+ MAX-ACCESS not-accessible
+ STATUS current
+
+
+
+Austein & Saperia [Page 22]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ DESCRIPTION
+ "QNAME associated with a cached authoritative error."
+ REFERENCE
+ "RFC-1034 section 3.7.1."
+ ::= { dnsResNCacheErrEntry 1 }
+
+ dnsResNCacheErrQClass OBJECT-TYPE
+ SYNTAX DnsQClass
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS QCLASS associated with a cached authoritative
+ error."
+ ::= { dnsResNCacheErrEntry 2 }
+
+ dnsResNCacheErrQType OBJECT-TYPE
+ SYNTAX DnsQType
+ MAX-ACCESS not-accessible
+ STATUS current
+ DESCRIPTION
+ "DNS QTYPE associated with a cached authoritative error."
+ ::= { dnsResNCacheErrEntry 3 }
+
+ dnsResNCacheErrTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Time-To-Live of a cached authoritative error at the time
+ of the error, it should not be decremented by the number
+ of seconds since it was received. This should be the
+ TTL as copied from the MINIMUM field of the SOA that
+ accompanied the authoritative error, or a smaller value
+ if the resolver implements a ceiling on negative
+ response cache TTLs."
+ REFERENCE
+ "RFC-1034 section 4.3.4."
+ ::= { dnsResNCacheErrEntry 4 }
+
+ dnsResNCacheErrElapsedTTL OBJECT-TYPE
+ SYNTAX DnsTime
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Elapsed seconds since authoritative error was received."
+ ::= { dnsResNCacheErrEntry 5 }
+
+
+
+
+
+Austein & Saperia [Page 23]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResNCacheErrSource OBJECT-TYPE
+ SYNTAX IpAddress
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Host which sent the authoritative error, 0.0.0.0 if
+ unknown."
+ ::= { dnsResNCacheErrEntry 6 }
+
+ dnsResNCacheErrCode OBJECT-TYPE
+ SYNTAX INTEGER { nonexistantName(1), noData(2), other(3) }
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "The authoritative error that has been cached:
+
+ nonexistantName(1) indicates an authoritative name error
+ (RCODE = 3).
+
+ noData(2) indicates an authoritative response with no
+ error (RCODE = 0) and no relevant data.
+
+ other(3) indicates some other cached authoritative
+ error. At present, no such errors are known to exist."
+ ::= { dnsResNCacheErrEntry 7 }
+
+ dnsResNCacheErrStatus OBJECT-TYPE
+ SYNTAX RowStatus
+ MAX-ACCESS read-write
+ STATUS current
+ DESCRIPTION
+ "Status column for the resolver negative response cache
+ table. Since only the agent (DNS resolver) creates rows
+ in this table, the only values that a manager may write
+ to this variable are active(1) and destroy(6)."
+ ::= { dnsResNCacheErrEntry 8 }
+
+ dnsResNCacheErrIndex OBJECT-TYPE
+ SYNTAX Integer32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "A value which makes entries in the table unique when the
+ other index values (dnsResNCacheErrQName,
+ dnsResNCacheErrQClass, and dnsResNCacheErrQType) do not
+ provide a unique index."
+ ::= { dnsResNCacheErrEntry 9 }
+
+
+
+
+Austein & Saperia [Page 24]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResNCacheErrPrettyName OBJECT-TYPE
+ SYNTAX DnsName
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "QNAME associated with this row in the table. This is
+ identical to the dnsResNCacheErrQName variable, except
+ that character case is preserved in this variable, per
+ DNS conventions."
+ REFERENCE
+ "RFC-1035 section 2.3.3."
+ ::= { dnsResNCacheErrEntry 10 }
+
+
+ -- Resolver Optional Counters Group
+
+ dnsResOptCounterReferals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of responses which were received from servers
+ redirecting query to another server."
+ ::= { dnsResOptCounter 1 }
+
+ dnsResOptCounterRetrans OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number requests retransmitted for all reasons."
+ ::= { dnsResOptCounter 2 }
+
+ dnsResOptCounterNoResponses OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries that were retransmitted because of no
+ response."
+ ::= { dnsResOptCounter 3 }
+
+ dnsResOptCounterRootRetrans OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of queries that were retransmitted that were to
+
+
+
+Austein & Saperia [Page 25]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ root servers."
+ ::= { dnsResOptCounter 4 }
+
+ dnsResOptCounterInternals OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests internally generated by the
+ resolver."
+ ::= { dnsResOptCounter 5 }
+
+ dnsResOptCounterInternalTimeOuts OBJECT-TYPE
+ SYNTAX Counter32
+ MAX-ACCESS read-only
+ STATUS current
+ DESCRIPTION
+ "Number of requests internally generated which timed
+ out."
+ ::= { dnsResOptCounter 6 }
+
+
+ -- SNMPv2 groups.
+
+ dnsResMIBGroups OBJECT IDENTIFIER ::= { dnsResMIB 2 }
+
+ dnsResConfigGroup OBJECT-GROUP
+ OBJECTS { dnsResConfigImplementIdent,
+ dnsResConfigService,
+ dnsResConfigMaxCnames,
+ dnsResConfigSbeltAddr,
+ dnsResConfigSbeltName,
+ dnsResConfigSbeltRecursion,
+ dnsResConfigSbeltPref,
+ dnsResConfigSbeltSubTree,
+ dnsResConfigSbeltClass,
+ dnsResConfigSbeltStatus,
+ dnsResConfigUpTime,
+ dnsResConfigResetTime }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic configuration
+ information for a DNS resolver implementation."
+ ::= { dnsResMIBGroups 1 }
+
+ dnsResCounterGroup OBJECT-GROUP
+ OBJECTS { dnsResCounterByOpcodeCode,
+ dnsResCounterByOpcodeQueries,
+
+
+
+Austein & Saperia [Page 26]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ dnsResCounterByOpcodeResponses,
+ dnsResCounterByRcodeCode,
+ dnsResCounterByRcodeResponses,
+ dnsResCounterNonAuthDataResps,
+ dnsResCounterNonAuthNoDataResps,
+ dnsResCounterMartians,
+ dnsResCounterRecdResponses,
+ dnsResCounterUnparseResps,
+ dnsResCounterFallbacks }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing basic instrumentation
+ of a DNS resolver implementation."
+ ::= { dnsResMIBGroups 2 }
+
+ dnsResLameDelegationGroup OBJECT-GROUP
+ OBJECTS { dnsResLameDelegationOverflows,
+ dnsResLameDelegationSource,
+ dnsResLameDelegationName,
+ dnsResLameDelegationClass,
+ dnsResLameDelegationCounts,
+ dnsResLameDelegationStatus }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing instrumentation of
+ `lame delegation' failures."
+ ::= { dnsResMIBGroups 3 }
+
+
+ dnsResCacheGroup OBJECT-GROUP
+ OBJECTS { dnsResCacheStatus,
+ dnsResCacheMaxTTL,
+ dnsResCacheGoodCaches,
+ dnsResCacheBadCaches,
+ dnsResCacheRRName,
+ dnsResCacheRRClass,
+ dnsResCacheRRType,
+ dnsResCacheRRTTL,
+ dnsResCacheRRElapsedTTL,
+ dnsResCacheRRSource,
+ dnsResCacheRRData,
+ dnsResCacheRRStatus,
+ dnsResCacheRRIndex,
+ dnsResCacheRRPrettyName }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing access to and control
+ of a DNS resolver's cache."
+
+
+
+Austein & Saperia [Page 27]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ ::= { dnsResMIBGroups 4 }
+
+ dnsResNCacheGroup OBJECT-GROUP
+ OBJECTS { dnsResNCacheStatus,
+ dnsResNCacheMaxTTL,
+ dnsResNCacheGoodNCaches,
+ dnsResNCacheBadNCaches,
+ dnsResNCacheErrQName,
+ dnsResNCacheErrQClass,
+ dnsResNCacheErrQType,
+ dnsResNCacheErrTTL,
+ dnsResNCacheErrElapsedTTL,
+ dnsResNCacheErrSource,
+ dnsResNCacheErrCode,
+ dnsResNCacheErrStatus,
+ dnsResNCacheErrIndex,
+ dnsResNCacheErrPrettyName }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing access to and control
+ of a DNS resolver's negative response cache."
+ ::= { dnsResMIBGroups 5 }
+
+ dnsResOptCounterGroup OBJECT-GROUP
+ OBJECTS { dnsResOptCounterReferals,
+ dnsResOptCounterRetrans,
+ dnsResOptCounterNoResponses,
+ dnsResOptCounterRootRetrans,
+ dnsResOptCounterInternals,
+ dnsResOptCounterInternalTimeOuts }
+ STATUS current
+ DESCRIPTION
+ "A collection of objects providing further
+ instrumentation applicable to many but not all DNS
+ resolvers."
+ ::= { dnsResMIBGroups 6 }
+
+
+ -- Compliances.
+
+ dnsResMIBCompliances OBJECT IDENTIFIER ::= { dnsResMIB 3 }
+
+ dnsResMIBCompliance MODULE-COMPLIANCE
+ STATUS current
+ DESCRIPTION
+ "The compliance statement for agents implementing the DNS
+ resolver MIB extensions."
+ MODULE -- This MIB module
+
+
+
+Austein & Saperia [Page 28]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ MANDATORY-GROUPS { dnsResConfigGroup, dnsResCounterGroup }
+ GROUP dnsResCacheGroup
+ DESCRIPTION
+ "The resolver cache group is mandatory for resolvers that
+ implement a cache."
+ GROUP dnsResNCacheGroup
+ DESCRIPTION
+ "The resolver negative cache group is mandatory for
+ resolvers that implement a negative response cache."
+ GROUP dnsResLameDelegationGroup
+ DESCRIPTION
+ "The lame delegation group is unconditionally optional."
+ GROUP dnsResOptCounterGroup
+ DESCRIPTION
+ "The optional counters group is unconditionally
+ optional."
+ OBJECT dnsResConfigMaxCnames
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResConfigSbeltName
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResConfigSbeltRecursion
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResConfigSbeltPref
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResConfigReset
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResCacheStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResCacheMaxTTL
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ OBJECT dnsResNCacheStatus
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+
+
+
+Austein & Saperia [Page 29]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ OBJECT dnsResNCacheMaxTTL
+ MIN-ACCESS read-only
+ DESCRIPTION
+ "This object need not be writable."
+ ::= { dnsResMIBCompliances 1 }
+
+ END
+
+5. Acknowledgements
+
+ This document is the result of work undertaken the by DNS working
+ group. The authors would particularly like to thank the following
+ people for their contributions to this document: Philip Almquist,
+ Frank Kastenholz (FTP Software), Joe Peck (DEC), Dave Perkins
+ (SynOptics), Win Treese (DEC), and Mimi Zohar (IBM).
+
+6. References
+
+ [1] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
+ 13, RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names -- Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [3] Braden, R., Editor, "Requirements for Internet Hosts --
+ Application and Support, STD 3, RFC 1123, USC/Information
+ Sciences Institute, October 1989.
+
+ [4] Rose, M., and K. McCloghrie, "Structure and Identification of
+ Management Information for TCP/IP-based internets", STD 16, RFC
+ 1155, Performance Systems International, Hughes LAN Systems, May
+ 1990.
+
+ [5] McCloghrie, K., and M. Rose, "Management Information Base for
+ Network Management of TCP/IP-based internets", RFC 1156, Hughes
+ LAN Systems, Performance Systems International, May 1990.
+
+ [6] Case, J., Fedor, M., Schoffstall, M., and J. Davin, "Simple
+ Network Management Protocol", STD 15, RFC 1157, SNMP Research,
+ Performance Systems International, Performance Systems
+ International, MIT Laboratory for Computer Science, May 1990.
+
+ [7] Rose, M., and K. McCloghrie, Editors, "Concise MIB Definitions",
+ STD 16, RFC 1212, Performance Systems International, Hughes LAN
+ Systems, March 1991.
+
+
+
+
+
+Austein & Saperia [Page 30]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+ [8] McCloghrie, K., and M. Rose, "Management Information Base for
+ Network Management of TCP/IP-based internets: MIB-II", STD 17,
+ RFC 1213, Hughes LAN Systems, Performance Systems International,
+ March 1991.
+
+ [9] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Structure
+ of Management Information for version 2 of the Simple Network
+ Management Protocol (SNMPv2)", RFC 1442, SNMP Research, Inc.,
+ Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [10] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Textual
+ Conventions for version 2 of the the Simple Network Management
+ Protocol (SNMPv2)", RFC 1443, SNMP Research, Inc., Hughes LAN
+ Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [11] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
+ "Conformance Statements for version 2 of the the Simple Network
+ Management Protocol (SNMPv2)", RFC 1444, SNMP Research, Inc.,
+ Hughes LAN Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [12] Galvin, J., and K. McCloghrie, "Administrative Model for version
+ 2 of the Simple Network Management Protocol (SNMPv2)", RFC 1445,
+ Trusted Information Systems, Hughes LAN Systems, April 1993.
+
+ [13] Case, J., McCloghrie, K., Rose, M., and S. Waldbusser, "Protocol
+ Operations for version 2 of the Simple Network Management
+ Protocol (SNMPv2)", RFC 1448, SNMP Research, Inc., Hughes LAN
+ Systems, Dover Beach Consulting, Inc., Carnegie Mellon
+ University, April 1993.
+
+ [14] "Information processing systems - Open Systems Interconnection -
+ Specification of Abstract Syntax Notation One (ASN.1)",
+ International Organization for Standardization, International
+ Standard 8824, December 1987.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 31]
+
+RFC 1612 DNS Resolver MIB May 1994
+
+
+7. Security Considerations
+
+ Security issues are not discussed in this memo.
+
+8. Authors' Addresses
+
+ Rob Austein
+ Epilogue Technology Corporation
+ 268 Main Street, Suite 283
+ North Reading, MA 01864
+ USA
+
+ Phone: +1-617-245-0804
+ Fax: +1-617-245-8122
+ EMail: sra@epilogue.com
+
+
+ Jon Saperia
+ Digital Equipment Corporation
+ 110 Spit Brook Road
+ ZKO1-3/H18
+ Nashua, NH 03062-2698
+ USA
+
+ Phone: +1-603-881-0480
+ Fax: +1-603-881-0120
+ EMail: saperia@zko.dec.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein & Saperia [Page 32]
+
diff --git a/contrib/bind9/doc/rfc/rfc1706.txt b/contrib/bind9/doc/rfc/rfc1706.txt
new file mode 100644
index 0000000..5b5d821
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1706.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group B. Manning
+Request for Comments: 1706 ISI
+Obsoletes: 1637, 1348 R. Colella
+Category: Informational NIST
+ October 1994
+
+
+ DNS NSAP Resource Records
+
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ OSI lower layer protocols, comprising the connectionless network
+ protocol (CLNP) and supporting routing protocols, are deployed in
+ some parts of the global Internet. Maintenance and debugging of CLNP
+ connectivity is greatly aided by support in the Domain Name System
+ (DNS) for mapping between names and NSAP addresses.
+
+ This document defines the format of one new Resource Record (RR) for
+ the DNS for domain name-to-NSAP mapping. The RR may be used with any
+ NSAP address format.
+
+ NSAP-to-name translation is accomplished through use of the PTR RR
+ (see STD 13, RFC 1035 for a description of the PTR RR). This paper
+ describes how PTR RRs are used to support this translation.
+
+ This document obsoletes RFC 1348 and RFC 1637.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Manning & Colella [Page 1]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+1. Introduction
+
+ OSI lower layer protocols, comprising the connectionless network
+ protocol (CLNP) [5] and supporting routing protocols, are deployed in
+ some parts of the global Internet. Maintenance and debugging of CLNP
+ connectivity is greatly aided by support in the Domain Name System
+ (DNS) [7] [8] for mapping between names and NSAP (network service
+ access point) addresses [6] [Note: NSAP and NSAP address are used
+ interchangeably throughout this memo].
+
+ This document defines the format of one new Resource Record (RR) for
+ the DNS for domain name-to-NSAP mapping. The RR may be used with any
+ NSAP address format.
+
+ NSAP-to-name translation is accomplished through use of the PTR RR
+ (see RFC 1035 for a description of the PTR RR). This paper describes
+ how PTR RRs are used to support this translation.
+
+ This memo assumes that the reader is familiar with the DNS. Some
+ familiarity with NSAPs is useful; see [1] or Annex A of [6] for
+ additional information.
+
+2. Background
+
+ The reason for defining DNS mappings for NSAPs is to support the
+ existing CLNP deployment in the Internet. Debugging with CLNP ping
+ and traceroute has become more difficult with only numeric NSAPs as
+ the scale of deployment has increased. Current debugging is supported
+ by maintaining and exchanging a configuration file with name/NSAP
+ mappings similar in function to hosts.txt. This suffers from the lack
+ of a central coordinator for this file and also from the perspective
+ of scaling. The former describes the most serious short-term
+ problem. Scaling of a hosts.txt-like solution has well-known long-
+ term scaling difficiencies.
+
+3. Scope
+
+ The methods defined in this paper are applicable to all NSAP formats.
+
+ As a point of reference, there is a distinction between registration
+ and publication of addresses. For IP addresses, the IANA is the root
+ registration authority and the DNS a publication method. For NSAPs,
+ Annex A of the network service definition, ISO8348 [6], describes the
+ root registration authority and this memo defines how the DNS is used
+ as a publication method.
+
+
+
+
+
+
+Manning & Colella [Page 2]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+4. Structure of NSAPs
+
+ NSAPs are hierarchically structured to allow distributed
+ administration and efficient routing. Distributed administration
+ permits subdelegated addressing authorities to, as allowed by the
+ delegator, further structure the portion of the NSAP space under
+ their delegated control. Accomodating this distributed authority
+ requires that there be little or no a priori knowledge of the
+ structure of NSAPs built into DNS resolvers and servers.
+
+ For the purposes of this memo, NSAPs can be thought of as a tree of
+ identifiers. The root of the tree is ISO8348 [6], and has as its
+ immediately registered subordinates the one-octet Authority and
+ Format Identifiers (AFIs) defined there. The size of subsequently-
+ defined fields depends on which branch of the tree is taken. The
+ depth of the tree varies according to the authority responsible for
+ defining subsequent fields.
+
+ An example is the authority under which U.S. GOSIP defines NSAPs [2].
+ Under the AFI of 47, NIST (National Institute of Standards and
+ Technology) obtained a value of 0005 (the AFI of 47 defines the next
+ field as being two octets consisting of four BCD digits from the
+ International Code Designator space [3]). NIST defined the subsequent
+ fields in [2], as shown in Figure 1. The field immediately following
+ 0005 is a format identifier for the rest of the U.S. GOSIP NSAP
+ structure, with a hex value of 80. Following this is the three-octet
+ field, values for which are allocated to network operators; the
+ registration authority for this field is delegated to GSA (General
+ Services Administration).
+
+ The last octet of the NSAP is the NSelector (NSel). In practice, the
+ NSAP minus the NSel identifies the CLNP protocol machine on a given
+ system, and the NSel identifies the CLNP user. Since there can be
+ more than one CLNP user (meaning multiple NSel values for a given
+ "base" NSAP), the representation of the NSAP should be CLNP-user
+ independent. To achieve this, an NSel value of zero shall be used
+ with all NSAP values stored in the DNS. An NSAP with NSel=0
+ identifies the network layer itself. It is left to the application
+ retrieving the NSAP to determine the appropriate value to use in that
+ instance of communication.
+
+ When CLNP is used to support TCP and UDP services, the NSel value
+ used is the appropriate IP PROTO value as registered with the IANA.
+ For "standard" OSI, the selection of NSel values is left as a matter
+ of local administration. Administrators of systems that support the
+ OSI transport protocol [4] in addition to TCP/UDP must select NSels
+ for use by OSI Transport that do not conflict with the IP PROTO
+ values.
+
+
+
+Manning & Colella [Page 3]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+ |--------------|
+ | <-- IDP --> |
+ |--------------|-------------------------------------|
+ | AFI | IDI | <-- DSP --> |
+ |-----|--------|-------------------------------------|
+ | 47 | 0005 | DFI | AA |Rsvd | RD |Area | ID |Sel |
+ |-----|--------|-----|----|-----|----|-----|----|----|
+ octets | 1 | 2 | 1 | 3 | 2 | 2 | 2 | 6 | 1 |
+ |-----|--------|-----|----|-----|----|-----|----|----|
+
+ IDP Initial Domain Part
+ AFI Authority and Format Identifier
+ IDI Initial Domain Identifier
+ DSP Domain Specific Part
+ DFI DSP Format Identifier
+ AA Administrative Authority
+ Rsvd Reserved
+ RD Routing Domain Identifier
+ Area Area Identifier
+ ID System Identifier
+ SEL NSAP Selector
+
+ Figure 1: GOSIP Version 2 NSAP structure.
+
+
+ In the NSAP RRs in Master Files and in the printed text in this memo,
+ NSAPs are often represented as a string of "."-separated hex values.
+ The values correspond to convenient divisions of the NSAP to make it
+ more readable. For example, the "."-separated fields might correspond
+ to the NSAP fields as defined by the appropriate authority (RARE,
+ U.S. GOSIP, ANSI, etc.). The use of this notation is strictly for
+ readability. The "."s do not appear in DNS packets and DNS servers
+ can ignore them when reading Master Files. For example, a printable
+ representation of the first four fields of a U.S. GOSIP NSAP might
+ look like
+
+ 47.0005.80.005a00
+
+ and a full U.S. GOSIP NSAP might appear as
+
+ 47.0005.80.005a00.0000.1000.0020.00800a123456.00.
+
+ Other NSAP formats have different lengths and different
+ administratively defined field widths to accomodate different
+ requirements. For more information on NSAP formats in use see RFC
+ 1629 [1].
+
+
+
+
+
+Manning & Colella [Page 4]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+5. The NSAP RR
+
+ The NSAP RR is defined with mnemonic "NSAP" and TYPE code 22
+ (decimal) and is used to map from domain names to NSAPs. Name-to-NSAP
+ mapping in the DNS using the NSAP RR operates analogously to IP
+ address lookup. A query is generated by the resolver requesting an
+ NSAP RR for a provided domain name.
+
+ NSAP RRs conform to the top level RR format and semantics as defined
+ in Section 3.2.1 of RFC 1035.
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / /
+ / NAME /
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TYPE = NSAP |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | CLASS = IN |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TTL |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | RDLENGTH |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / RDATA /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ * NAME: an owner name, i.e., the name of the node to which this
+ resource record pertains.
+
+ * TYPE: two octets containing the NSAP RR TYPE code of 22 (decimal).
+
+ * CLASS: two octets containing the RR IN CLASS code of 1.
+
+ * TTL: a 32 bit signed integer that specifies the time interval in
+ seconds that the resource record may be cached before the source
+ of the information should again be consulted. Zero values are
+ interpreted to mean that the RR can only be used for the
+ transaction in progress, and should not be cached. For example,
+ SOA records are always distributed with a zero TTL to prohibit
+ caching. Zero values can also be used for extremely volatile data.
+
+
+
+Manning & Colella [Page 5]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+ * RDLENGTH: an unsigned 16 bit integer that specifies the length in
+ octets of the RDATA field.
+
+ * RDATA: a variable length string of octets containing the NSAP.
+ The value is the binary encoding of the NSAP as it would appear in
+ the CLNP source or destination address field. A typical example of
+ such an NSAP (in hex) is shown below. For this NSAP, RDLENGTH is
+ 20 (decimal); "."s have been omitted to emphasize that they don't
+ appear in the DNS packets.
+
+ 39840f80005a0000000001e13708002010726e00
+
+ NSAP RRs cause no additional section processing.
+
+6. NSAP-to-name Mapping Using the PTR RR
+
+ The PTR RR is defined in RFC 1035. This RR is typically used under
+ the "IN-ADDR.ARPA" domain to map from IPv4 addresses to domain names.
+
+ Similarly, the PTR RR is used to map from NSAPs to domain names under
+ the "NSAP.INT" domain. A domain name is generated from the NSAP
+ according to the rules described below. A query is sent by the
+ resolver requesting a PTR RR for the provided domain name.
+
+ A domain name is generated from an NSAP by reversing the hex nibbles
+ of the NSAP, treating each nibble as a separate subdomain, and
+ appending the top-level subdomain name "NSAP.INT" to it. For example,
+ the domain name used in the reverse lookup for the NSAP
+
+ 47.0005.80.005a00.0000.0001.e133.ffffff000162.00
+
+ would appear as
+
+ 0.0.2.6.1.0.0.0.f.f.f.f.f.f.3.3.1.e.1.0.0.0.0.0.0.0.0.0.a.5.0.0. \
+ 0.8.5.0.0.0.7.4.NSAP.INT.
+
+ [Implementation note: For sanity's sake user interfaces should be
+ designed to allow users to enter NSAPs using their natural order,
+ i.e., as they are typically written on paper. Also, arbitrary "."s
+ should be allowed (and ignored) on input.]
+
+7. Master File Format
+
+ The format of NSAP RRs (and NSAP-related PTR RRs) in Master Files
+ conforms to Section 5, "Master Files," of RFC 1035. Below are
+ examples of the use of these RRs in Master Files to support name-to-
+ NSAP and NSAP-to-name mapping.
+
+
+
+
+Manning & Colella [Page 6]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+ The NSAP RR introduces a new hex string format for the RDATA field.
+ The format is "0x" (i.e., a zero followed by an 'x' character)
+ followed by a variable length string of hex characters (0 to 9, a to
+ f). The hex string is case-insensitive. "."s (i.e., periods) may be
+ inserted in the hex string anywhere after the "0x" for readability.
+ The "."s have no significance other than for readability and are not
+ propagated in the protocol (e.g., queries or zone transfers).
+
+
+ ;;;;;;
+ ;;;;;; Master File for domain nsap.nist.gov.
+ ;;;;;;
+
+
+ @ IN SOA emu.ncsl.nist.gov. root.emu.ncsl.nist.gov. (
+ 1994041800 ; Serial - date
+ 1800 ; Refresh - 30 minutes
+ 300 ; Retry - 5 minutes
+ 604800 ; Expire - 7 days
+ 3600 ) ; Minimum - 1 hour
+ IN NS emu.ncsl.nist.gov.
+ IN NS tuba.nsap.lanl.gov.
+ ;
+ ;
+ $ORIGIN nsap.nist.gov.
+ ;
+ ; hosts
+ ;
+ bsdi1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00
+ IN A 129.6.224.161
+ IN HINFO PC_486 BSDi1.1
+ ;
+ bsdi2 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000162.00
+ IN A 129.6.224.162
+ IN HINFO PC_486 BSDi1.1
+ ;
+ cursive IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000171.00
+ IN A 129.6.224.171
+ IN HINFO PC_386 DOS_5.0/NCSA_Telnet(TUBA)
+ ;
+ infidel IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000164.00
+ IN A 129.6.55.164
+ IN HINFO PC/486 BSDi1.0(TUBA)
+ ;
+ ; routers
+ ;
+ cisco1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.aaaaaa000151.00
+ IN A 129.6.224.151
+
+
+
+Manning & Colella [Page 7]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+ IN A 129.6.225.151
+ IN A 129.6.229.151
+ ;
+ 3com1 IN NSAP 0x47.0005.80.005a00.0000.0001.e133.aaaaaa000111.00
+ IN A 129.6.224.111
+ IN A 129.6.225.111
+ IN A 129.6.228.111
+
+
+
+
+ ;;;;;;
+ ;;;;;; Master File for reverse mapping of NSAPs under the
+ ;;;;;; NSAP prefix:
+ ;;;;;;
+ ;;;;;; 47.0005.80.005a00.0000.0001.e133
+ ;;;;;;
+
+
+ @ IN SOA emu.ncsl.nist.gov. root.emu.ncsl.nist.gov. (
+ 1994041800 ; Serial - date
+ 1800 ; Refresh - 30 minutes
+ 300 ; Retry - 5 minutes
+ 604800 ; Expire - 7 days
+ 3600 ) ; Minimum - 1 hour
+ IN NS emu.ncsl.nist.gov.
+ IN NS tuba.nsap.lanl.gov.
+ ;
+ ;
+ $ORIGIN 3.3.1.e.1.0.0.0.0.0.0.0.0.0.a.5.0.0.0.8.5.0.0.0.7.4.NSAP.INT.
+ ;
+ 0.0.1.6.1.0.0.0.f.f.f.f.f.f IN PTR bsdi1.nsap.nist.gov.
+ ;
+ 0.0.2.6.1.0.0.0.f.f.f.f.f.f IN PTR bsdi2.nsap.nist.gov.
+ ;
+ 0.0.1.7.1.0.0.0.f.f.f.f.f.f IN PTR cursive.nsap.nist.gov.
+ ;
+ 0.0.4.6.1.0.0.0.f.f.f.f.f.f IN PTR infidel.nsap.nist.gov.
+ ;
+ 0.0.1.5.1.0.0.0.a.a.a.a.a.a IN PTR cisco1.nsap.nist.gov.
+ ;
+ 0.0.1.1.1.0.0.0.a.a.a.a.a.a IN PTR 3com1.nsap.nist.gov.
+
+8. Security Considerations
+
+ Security issues are not discussed in this memo.
+
+
+
+
+
+Manning & Colella [Page 8]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+9. Authors' Addresses
+
+ Bill Manning
+ USC/Information Sciences Institute
+ 4676 Admiralty Way
+ Marina del Rey, CA. 90292
+ USA
+
+ Phone: +1.310.822.1511
+ EMail: bmanning@isi.edu
+
+
+ Richard Colella
+ National Institute of Standards and Technology
+ Technology/B217
+ Gaithersburg, MD 20899
+ USA
+
+ Phone: +1 301-975-3627
+ Fax: +1 301 590-0932
+ EMail: colella@nist.gov
+
+10. References
+
+ [1] Colella, R., Gardner, E., Callon, R., and Y. Rekhter, "Guidelines
+ for OSI NSAP Allocation inh the Internet", RFC 1629, NIST,
+ Wellfleet, Mitre, T.J. Watson Research Center, IBM Corp., May
+ 1994.
+
+ [2] GOSIP Advanced Requirements Group. Government Open Systems
+ Interconnection Profile (GOSIP) Version 2. Federal Information
+ Processing Standard 146-1, U.S. Department of Commerce, National
+ Institute of Standards and Technology, Gaithersburg, MD, April
+ 1991.
+
+ [3] ISO/IEC. Data interchange - structures for the identification of
+ organization. International Standard 6523, ISO/IEC JTC 1,
+ Switzerland, 1984.
+
+ [4] ISO/IEC. Connection oriented transport protocol specification.
+ International Standard 8073, ISO/IEC JTC 1, Switzerland, 1986.
+
+ [5] ISO/IEC. Protocol for Providing the Connectionless-mode Network
+ Service. International Standard 8473, ISO/IEC JTC 1,
+ Switzerland, 1986.
+
+
+
+
+
+
+Manning & Colella [Page 9]
+
+RFC 1706 DNS NSAP RRs October 1994
+
+
+ [6] ISO/IEC. Information Processing Systems -- Data Communications --
+ Network Service Definition. International Standard 8348, ISO/IEC
+ JTC 1, Switzerland, 1993.
+
+ [7] Mockapetris, P., "Domain Names -- Concepts and Facilities", STD
+ 13, RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [8] Mockapetris, P., "Domain Names -- Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Manning & Colella [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc1712.txt b/contrib/bind9/doc/rfc/rfc1712.txt
new file mode 100644
index 0000000..40d8857
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1712.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group C. Farrell
+Request for Comments: 1712 M. Schulze
+Category: Experimental S. Pleitner
+ D. Baldoni
+ Curtin University of Technology
+ November 1994
+
+
+ DNS Encoding of Geographical Location
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. This memo does not specify an Internet standard of any
+ kind. Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+Abstract
+
+ This document defines the format of a new Resource Record (RR) for
+ the Domain Naming System (DNS), and reserves a corresponding DNS type
+ mnemonic and numerical code. This definition deals with associating
+ geographical host location mappings to host names within a domain.
+ The data shown in this document is fictitious and does not
+ necessarily reflect the real Internet.
+
+1. Introduction
+
+ It has been a long standing problem to relate IP numbers to
+ geographical locations. The availability of Geographical location
+ information has immediate applications in network management. Such
+ information can be used to supplement the data already provided by
+ utilities such as whois [Har85], traceroute [VJ89], and nslookup
+ [UCB89]. The usefulness and functionality of these already widely
+ used tools would be greatly enhanced by the provision of reliable
+ geographical location information.
+
+ The ideal way to manage and maintain a database of information, such
+ as geographical location of internet hosts, is to delegate
+ responsibility to local domain administrators. A large distributed
+ database could be implemented with a simple mechanism for updating
+ the local information. A query mechanism also has to be available
+ for checking local entries, as well as inquiring about data from
+ non-local domains.
+
+
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 1]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+2. Background
+
+ The Internet continues to grow at an ever increasing rate with IP
+ numbers allocated on a first-come-first-serve basis. Deciding when
+ and how to setup a database of geographical information about
+ internet hosts presented a number of options. The uumap project
+ [UU85] was the first serious attempt to collect geographical location
+ data from sites and store it centrally. This project met with
+ limited success because of the difficulty in maintaining and updating
+ a large central database. Another problem was the lack of tools for
+ the checking the data supplied, this problem resulted in some
+ erroneous data entering the database.
+
+2.1 SNMP:
+
+ Using an SNMP get request on the sysLocation MIB (Management
+ Information Base) variable was also an option, however this would
+ require the host to be running an appropriate agent with public read
+ access. It was also felt that MIB data should reflect local
+ management data (e.g., "this" host is on level 5 room 74) rather than
+ a hosts geographical position. This view is supported in the
+ examples given in literature in this area [ROSE91].
+
+2.2 X500:
+
+ The X.500 Directory service [X.500.88] defined as part of the ISO
+ standards also appears as a potential provider of geographical
+ location data. However due to the limited implementations of this
+ service it was decided to defer this until this service gains wider
+ use and acceptance within the Internet community.
+
+2.3 BIND:
+
+ The DNS [Mock87a][Mock87b] represents an existing system ideally
+ suited to the provision of host specific information. The DNS is a
+ widely used and well-understood mechanism for providing a distributed
+ database of such information and its extensible nature allows it to
+ be used to disseminate virtually any information. The most commonly
+ used DNS implementation is the Berkeley Internet Name Domain server
+ BIND [UCB89]. The information we wished to make available needed to
+ be updated locally but available globally; a perfect match with the
+ services provided by the DNS. Current DNS servers provide a variety
+ of useful information about hosts in their domain but lack the
+ ability to report a host's geographical location.
+
+
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 2]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+3. RDATA Format
+
+ MSB LSB
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / LONGITUDE /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / LATITUDE /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / ALTITUDE /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ LONGITUDE The real number describing the longitude encoded as a
+ printable string. The precision is limited by 256 charcters
+ within the range -90..90 degrees. Positive numbers
+ indicate locations north of the equator.
+
+ LATITUDE The real number describing the latitude encoded as a
+ printable string. The precision is limited by 256 charcters
+ within the range -180..180 degrees. Positive numbers
+ indicate locations east of the prime meridian.
+
+ ALTITUDE The real number describing the altitude (in meters) from
+ mean sea-level encoded as a printable string. The precision
+ is limited by 256 charcters. Positive numbers indicate
+ locations above mean sea-level.
+
+ Latitude/Longitude/Altitude values are encoded as strings as to avoid
+ the precision limitations imposed by encoding as unsigned integers.
+ Although this might not be considered optimal, it allows for a very
+ high degree of precision with an acceptable average encoded record
+ length.
+
+4. The GPOS RR
+
+ The geographical location is defined with the mnemonic GPOS and type
+ code 27.
+
+ GPOS has the following format:
+ <owner> <ttl> <class> GPOS <longitude> <latitude> <altitude>
+
+ A floating point format was chosen to specify geographical locations
+ for reasons of simplicity. This also guarantees a concise
+ unambiguous description of a location by enforcing three compulsory
+ numerical values to be specified.
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 3]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+ The owner, ttl, and class fields are optional and default to the last
+ defined value if omitted. The longitude is a floating point number
+ ranging from -90 to 90 with positive values indicating locations
+ north of the equator. For example Perth, Western Australia is
+ located at 32^ 7` 19" south of the equator which would be specified
+ as -32.68820. The latitude is a number ranging from -180.0 to 180.0.
+ For example Perth, Western Australia is located at 116^ 2' 25" east
+ of the prime meridian which would be specified as 116.86520. Curtin
+ University, Perth is also 10 meters above sea-level.
+
+ The valid GPOS record for a host at Curtin University in Perth
+ Western Australia would therefore be:
+
+ GPOS -32.6882 116.8652 10.0
+
+ There is no limit imposed on the number of decimal places, although
+ the length of the encoded string is limited to 256 characters for
+ each field. It is also suggested that administrators limit their
+ entries to the minimum number of necessary characters in each field.
+
+5. Master File Format
+
+ Each host requires its own GPOS field in the corresponding DNS RR to
+ explicitly specify its geographical location and altitude. If the
+ GPOS field is omitted, a DNS enquiry will return no position
+ information for that host.
+
+ Consider the following example:
+
+; Authoritative data for cs.curtin.edu.au.
+;
+@ IN SOA marsh.cs.curtin.edu.au. postmaster.cs.curtin.edu.au.
+ (
+ 94070503 ; Serial (yymmddnn)
+ 10800 ; Refresh (3 hours)
+ 3600 ; Retry (1 hour)
+ 3600000 ; Expire (1000 hours)
+ 86400 ; Minimum (24 hours)
+ )
+
+ IN NS marsh.cs.curtin.edu.au.
+
+marsh IN A 134.7.1.1
+ IN MX 0 marsh
+ IN HINFO SGI-Indigo IRIX-4.0.5F
+ IN GPOS -32.6882 116.8652 10.0
+ftp IN CNAME marsh
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 4]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+lillee IN A 134.7.1.2
+ IN MX 0 marsh
+ IN HINFO SGI-Indigo IRIX-4.0.5F
+ IN GPOS -32.6882 116.8652 10.0
+
+hinault IN A 134.7.1.23
+ IN MX 0 marsh
+ IN HINFO SUN-IPC SunOS-4.1.3
+ IN GPOS -22.6882 116.8652 250.0
+
+merckx IN A 134.7.1.24
+ IN MX 0 marsh
+ IN HINFO SUN-IPC SunOS-4.1.1
+
+ambrose IN A 134.7.1.99
+ IN MX 0 marsh
+ IN HINFO SGI-CHALLENGE_L IRIX-5.2
+ IN GPOS -32.6882 116.8652 10.0
+
+ The hosts marsh, lillee, and ambrose are all at the same geographical
+ location, Perth Western Australia (-32.68820 116.86520). The host
+ hinault is at a different geographical location, 10 degrees north of
+ Perth in the mountains (-22.6882 116.8652 250.0). For security
+ reasons we do not wish to give the location of the host merckx.
+
+ Although the GPOS clause is not a standard entry within BIND
+ configuration files, most vendor implementations seem to ignore
+ whatever is not understood upon startup of the DNS. Usually this
+ will result in a number of warnings appearing in system log files,
+ but in no way alters naming information or impedes the DNS from
+ performing its normal duties.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 5]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+7. References
+
+ [ROSE91] Rose M., "The Simple Book: An Introduction to
+ Management of TCP/IP-based Internets", Prentice-Hall,
+ Englewood Cliffs, New Jersey, 1991.
+
+ [X.500.88] CCITT: The Directory - Overview of Concepts, Models
+ and Services", Recommendations X.500 - X.521.
+
+ [Har82] Harrenstein K, Stahl M., and E. Feinler,
+ "NICNAME/WHOIS" RFC 812, SRI NIC, March 1982.
+
+ [Mock87a] Mockapetris P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, USC/Information
+ Sciences Institute, November 1987.
+
+ [Mock87b] Mockapetris P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, USC/Information
+ Sciences Institute, November 1987.
+
+ [FRB93] Ford P., Rekhter Y., and H-W. Braun, "Improving the
+ Routing and Addressing of IP", IEEE Network
+ Vol.7, No. 3, pp. 11-15, May 1993.
+
+ [VJ89] Jacobsen V., "The Traceroute(8) Manual Page",
+ Lawrence Berkeley Laboratory, Berkeley,
+ CA, February 1989.
+
+ [UCB89] University of California, "BIND: Berkeley Internet
+ Name Domain Server", 1989.
+ [UU85] UUCP Mapping Project, Software available via
+ anonymous FTP from ftp.uu.net., 1985.
+
+8. Security Considerations
+
+ Once information has been entered into the DNS, it is considered
+ public.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 6]
+
+RFC 1712 DNS Encoding of Geographical Location November 1994
+
+
+9. Authors' Addresses
+
+ Craig Farrell
+ Department of Computer Science
+ Curtin University of technology
+ GPO Box U1987 Perth,
+ Western Australia
+
+ EMail: craig@cs.curtin.edu.au
+
+
+ Mike Schulze
+ Department of Computer Science
+ Curtin University of technology
+ GPO Box U1987 Perth,
+ Western Australia
+
+ EMail: mike@cs.curtin.edu.au
+
+
+ Scott Pleitner
+ Department of Computer Science
+ Curtin University of technology
+ GPO Box U1987 Perth,
+ Western Australia
+
+ EMail: pleitner@cs.curtin.edu.au
+
+
+ Daniel Baldoni
+ Department of Computer Science
+ Curtin University of technology
+ GPO Box U1987 Perth,
+ Western Australia
+
+ EMail: flint@cs.curtin.edu.au
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Farrell, Schulze, Pleitner & Baldoni [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc1750.txt b/contrib/bind9/doc/rfc/rfc1750.txt
new file mode 100644
index 0000000..56d478c
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1750.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake, 3rd
+Request for Comments: 1750 DEC
+Category: Informational S. Crocker
+ Cybercash
+ J. Schiller
+ MIT
+ December 1994
+
+
+ Randomness Recommendations for Security
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ Security systems today are built on increasingly strong cryptographic
+ algorithms that foil pattern analysis attempts. However, the security
+ of these systems is dependent on generating secret quantities for
+ passwords, cryptographic keys, and similar quantities. The use of
+ pseudo-random processes to generate secret quantities can result in
+ pseudo-security. The sophisticated attacker of these security
+ systems may find it easier to reproduce the environment that produced
+ the secret quantities, searching the resulting small set of
+ possibilities, than to locate the quantities in the whole of the
+ number space.
+
+ Choosing random quantities to foil a resourceful and motivated
+ adversary is surprisingly difficult. This paper points out many
+ pitfalls in using traditional pseudo-random number generation
+ techniques for choosing such quantities. It recommends the use of
+ truly random hardware techniques and shows that the existing hardware
+ on many systems can be used for this purpose. It provides
+ suggestions to ameliorate the problem when a hardware solution is not
+ available. And it gives examples of how large such quantities need
+ to be for some particular applications.
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 1]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+Acknowledgements
+
+ Comments on this document that have been incorporated were received
+ from (in alphabetic order) the following:
+
+ David M. Balenson (TIS)
+ Don Coppersmith (IBM)
+ Don T. Davis (consultant)
+ Carl Ellison (Stratus)
+ Marc Horowitz (MIT)
+ Christian Huitema (INRIA)
+ Charlie Kaufman (IRIS)
+ Steve Kent (BBN)
+ Hal Murray (DEC)
+ Neil Haller (Bellcore)
+ Richard Pitkin (DEC)
+ Tim Redmond (TIS)
+ Doug Tygar (CMU)
+
+Table of Contents
+
+ 1. Introduction........................................... 3
+ 2. Requirements........................................... 4
+ 3. Traditional Pseudo-Random Sequences.................... 5
+ 4. Unpredictability....................................... 7
+ 4.1 Problems with Clocks and Serial Numbers............... 7
+ 4.2 Timing and Content of External Events................ 8
+ 4.3 The Fallacy of Complex Manipulation.................. 8
+ 4.4 The Fallacy of Selection from a Large Database....... 9
+ 5. Hardware for Randomness............................... 10
+ 5.1 Volume Required...................................... 10
+ 5.2 Sensitivity to Skew.................................. 10
+ 5.2.1 Using Stream Parity to De-Skew..................... 11
+ 5.2.2 Using Transition Mappings to De-Skew............... 12
+ 5.2.3 Using FFT to De-Skew............................... 13
+ 5.2.4 Using Compression to De-Skew....................... 13
+ 5.3 Existing Hardware Can Be Used For Randomness......... 14
+ 5.3.1 Using Existing Sound/Video Input................... 14
+ 5.3.2 Using Existing Disk Drives......................... 14
+ 6. Recommended Non-Hardware Strategy..................... 14
+ 6.1 Mixing Functions..................................... 15
+ 6.1.1 A Trivial Mixing Function.......................... 15
+ 6.1.2 Stronger Mixing Functions.......................... 16
+ 6.1.3 Diff-Hellman as a Mixing Function.................. 17
+ 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
+ 6.1.5 Other Factors in Choosing a Mixing Function........ 18
+ 6.2 Non-Hardware Sources of Randomness................... 19
+ 6.3 Cryptographically Strong Sequences................... 19
+
+
+
+Eastlake, Crocker & Schiller [Page 2]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ 6.3.1 Traditional Strong Sequences....................... 20
+ 6.3.2 The Blum Blum Shub Sequence Generator.............. 21
+ 7. Key Generation Standards.............................. 22
+ 7.1 US DoD Recommendations for Password Generation....... 23
+ 7.2 X9.17 Key Generation................................. 23
+ 8. Examples of Randomness Required....................... 24
+ 8.1 Password Generation................................. 24
+ 8.2 A Very High Security Cryptographic Key............... 25
+ 8.2.1 Effort per Key Trial............................... 25
+ 8.2.2 Meet in the Middle Attacks......................... 26
+ 8.2.3 Other Considerations............................... 26
+ 9. Conclusion............................................ 27
+ 10. Security Considerations.............................. 27
+ References............................................... 28
+ Authors' Addresses....................................... 30
+
+1. Introduction
+
+ Software cryptography is coming into wider use. Systems like
+ Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
+ network landscape [PEM]. These systems provide substantial
+ protection against snooping and spoofing. However, there is a
+ potential flaw. At the heart of all cryptographic systems is the
+ generation of secret, unguessable (i.e., random) numbers.
+
+ For the present, the lack of generally available facilities for
+ generating such unpredictable numbers is an open wound in the design
+ of cryptographic software. For the software developer who wants to
+ build a key or password generation procedure that runs on a wide
+ range of hardware, the only safe strategy so far has been to force
+ the local installation to supply a suitable routine to generate
+ random numbers. To say the least, this is an awkward, error-prone
+ and unpalatable solution.
+
+ It is important to keep in mind that the requirement is for data that
+ an adversary has a very low probability of guessing or determining.
+ This will fail if pseudo-random data is used which only meets
+ traditional statistical tests for randomness or which is based on
+ limited range sources, such as clocks. Frequently such random
+ quantities are determinable by an adversary searching through an
+ embarrassingly small space of possibilities.
+
+ This informational document suggests techniques for producing random
+ quantities that will be resistant to such attack. It recommends that
+ future systems include hardware random number generation or provide
+ access to existing hardware that can be used for this purpose. It
+ suggests methods for use if such hardware is not available. And it
+ gives some estimates of the number of random bits required for sample
+
+
+
+Eastlake, Crocker & Schiller [Page 3]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ applications.
+
+2. Requirements
+
+ Probably the most commonly encountered randomness requirement today
+ is the user password. This is usually a simple character string.
+ Obviously, if a password can be guessed, it does not provide
+ security. (For re-usable passwords, it is desirable that users be
+ able to remember the password. This may make it advisable to use
+ pronounceable character strings or phrases composed on ordinary
+ words. But this only affects the format of the password information,
+ not the requirement that the password be very hard to guess.)
+
+ Many other requirements come from the cryptographic arena.
+ Cryptographic techniques can be used to provide a variety of services
+ including confidentiality and authentication. Such services are
+ based on quantities, traditionally called "keys", that are unknown to
+ and unguessable by an adversary.
+
+ In some cases, such as the use of symmetric encryption with the one
+ time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
+ parties who wish to communicate confidentially and/or with
+ authentication must all know the same secret key. In other cases,
+ using what are called asymmetric or "public key" cryptographic
+ techniques, keys come in pairs. One key of the pair is private and
+ must be kept secret by one party, the other is public and can be
+ published to the world. It is computationally infeasible to
+ determine the private key from the public key [ASYMMETRIC, CRYPTO*].
+
+ The frequency and volume of the requirement for random quantities
+ differs greatly for different cryptographic systems. Using pure RSA
+ [CRYPTO*], random quantities are required when the key pair is
+ generated, but thereafter any number of messages can be signed
+ without any further need for randomness. The public key Digital
+ Signature Algorithm that has been proposed by the US National
+ Institute of Standards and Technology (NIST) requires good random
+ numbers for each signature. And encrypting with a one time pad, in
+ principle the strongest possible encryption technique, requires a
+ volume of randomness equal to all the messages to be processed.
+
+ In most of these cases, an adversary can try to determine the
+ "secret" key by trial and error. (This is possible as long as the
+ key is enough smaller than the message that the correct key can be
+ uniquely identified.) The probability of an adversary succeeding at
+ this must be made acceptably low, depending on the particular
+ application. The size of the space the adversary must search is
+ related to the amount of key "information" present in the information
+ theoretic sense [SHANNON]. This depends on the number of different
+
+
+
+Eastlake, Crocker & Schiller [Page 4]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ secret values possible and the probability of each value as follows:
+
+ -----
+ \
+ Bits-of-info = \ - p * log ( p )
+ / i 2 i
+ /
+ -----
+
+ where i varies from 1 to the number of possible secret values and p
+ sub i is the probability of the value numbered i. (Since p sub i is
+ less than one, the log will be negative so each term in the sum will
+ be non-negative.)
+
+ If there are 2^n different values of equal probability, then n bits
+ of information are present and an adversary would, on the average,
+ have to try half of the values, or 2^(n-1) , before guessing the
+ secret quantity. If the probability of different values is unequal,
+ then there is less information present and fewer guesses will, on
+ average, be required by an adversary. In particular, any values that
+ the adversary can know are impossible, or are of low probability, can
+ be initially ignored by an adversary, who will search through the
+ more probable values first.
+
+ For example, consider a cryptographic system that uses 56 bit keys.
+ If these 56 bit keys are derived by using a fixed pseudo-random
+ number generator that is seeded with an 8 bit seed, then an adversary
+ needs to search through only 256 keys (by running the pseudo-random
+ number generator with every possible seed), not the 2^56 keys that
+ may at first appear to be the case. Only 8 bits of "information" are
+ in these 56 bit keys.
+
+3. Traditional Pseudo-Random Sequences
+
+ Most traditional sources of random numbers use deterministic sources
+ of "pseudo-random" numbers. These typically start with a "seed"
+ quantity and use numeric or logical operations to produce a sequence
+ of values.
+
+ [KNUTH] has a classic exposition on pseudo-random numbers.
+ Applications he mentions are simulation of natural phenomena,
+ sampling, numerical analysis, testing computer programs, decision
+ making, and games. None of these have the same characteristics as
+ the sort of security uses we are talking about. Only in the last two
+ could there be an adversary trying to find the random quantity.
+ However, in these cases, the adversary normally has only a single
+ chance to use a guessed value. In guessing passwords or attempting
+ to break an encryption scheme, the adversary normally has many,
+
+
+
+Eastlake, Crocker & Schiller [Page 5]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ perhaps unlimited, chances at guessing the correct value and should
+ be assumed to be aided by a computer.
+
+ For testing the "randomness" of numbers, Knuth suggests a variety of
+ measures including statistical and spectral. These tests check
+ things like autocorrelation between different parts of a "random"
+ sequence or distribution of its values. They could be met by a
+ constant stored random sequence, such as the "random" sequence
+ printed in the CRC Standard Mathematical Tables [CRC].
+
+ A typical pseudo-random number generation technique, known as a
+ linear congruence pseudo-random number generator, is modular
+ arithmetic where the N+1th value is calculated from the Nth value by
+
+ V = ( V * a + b )(Mod c)
+ N+1 N
+
+ The above technique has a strong relationship to linear shift
+ register pseudo-random number generators, which are well understood
+ cryptographically [SHIFT*]. In such generators bits are introduced
+ at one end of a shift register as the Exclusive Or (binary sum
+ without carry) of bits from selected fixed taps into the register.
+
+ For example:
+
+ +----+ +----+ +----+ +----+
+ | B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
+ | 0 | | 1 | | 2 | | n | |
+ +----+ +----+ +----+ +----+ |
+ | | | |
+ | | V +-----+
+ | V +----------------> | |
+ V +-----------------------------> | XOR |
+ +---------------------------------------------------> | |
+ +-----+
+
+
+ V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n)
+ N+1 N 0 2
+
+ The goodness of traditional pseudo-random number generator algorithms
+ is measured by statistical tests on such sequences. Carefully chosen
+ values of the initial V and a, b, and c or the placement of shift
+ register tap in the above simple processes can produce excellent
+ statistics.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 6]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ These sequences may be adequate in simulations (Monte Carlo
+ experiments) as long as the sequence is orthogonal to the structure
+ of the space being explored. Even there, subtle patterns may cause
+ problems. However, such sequences are clearly bad for use in
+ security applications. They are fully predictable if the initial
+ state is known. Depending on the form of the pseudo-random number
+ generator, the sequence may be determinable from observation of a
+ short portion of the sequence [CRYPTO*, STERN]. For example, with
+ the generators above, one can determine V(n+1) given knowledge of
+ V(n). In fact, it has been shown that with these techniques, even if
+ only one bit of the pseudo-random values is released, the seed can be
+ determined from short sequences.
+
+ Not only have linear congruent generators been broken, but techniques
+ are now known for breaking all polynomial congruent generators
+ [KRAWCZYK].
+
+4. Unpredictability
+
+ Randomness in the traditional sense described in section 3 is NOT the
+ same as the unpredictability required for security use.
+
+ For example, use of a widely available constant sequence, such as
+ that from the CRC tables, is very weak against an adversary. Once
+ they learn of or guess it, they can easily break all security, future
+ and past, based on the sequence [CRC]. Yet the statistical
+ properties of these tables are good.
+
+ The following sections describe the limitations of some randomness
+ generation techniques and sources.
+
+4.1 Problems with Clocks and Serial Numbers
+
+ Computer clocks, or similar operating system or hardware values,
+ provide significantly fewer real bits of unpredictability than might
+ appear from their specifications.
+
+ Tests have been done on clocks on numerous systems and it was found
+ that their behavior can vary widely and in unexpected ways. One
+ version of an operating system running on one set of hardware may
+ actually provide, say, microsecond resolution in a clock while a
+ different configuration of the "same" system may always provide the
+ same lower bits and only count in the upper bits at much lower
+ resolution. This means that successive reads on the clock may
+ produce identical values even if enough time has passed that the
+ value "should" change based on the nominal clock resolution. There
+ are also cases where frequently reading a clock can produce
+ artificial sequential values because of extra code that checks for
+
+
+
+Eastlake, Crocker & Schiller [Page 7]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ the clock being unchanged between two reads and increases it by one!
+ Designing portable application code to generate unpredictable numbers
+ based on such system clocks is particularly challenging because the
+ system designer does not always know the properties of the system
+ clocks that the code will execute on.
+
+ Use of a hardware serial number such as an Ethernet address may also
+ provide fewer bits of uniqueness than one would guess. Such
+ quantities are usually heavily structured and subfields may have only
+ a limited range of possible values or values easily guessable based
+ on approximate date of manufacture or other data. For example, it is
+ likely that most of the Ethernet cards installed on Digital Equipment
+ Corporation (DEC) hardware within DEC were manufactured by DEC
+ itself, which significantly limits the range of built in addresses.
+
+ Problems such as those described above related to clocks and serial
+ numbers make code to produce unpredictable quantities difficult if
+ the code is to be ported across a variety of computer platforms and
+ systems.
+
+4.2 Timing and Content of External Events
+
+ It is possible to measure the timing and content of mouse movement,
+ key strokes, and similar user events. This is a reasonable source of
+ unguessable data with some qualifications. On some machines, inputs
+ such as key strokes are buffered. Even though the user's inter-
+ keystroke timing may have sufficient variation and unpredictability,
+ there might not be an easy way to access that variation. Another
+ problem is that no standard method exists to sample timing details.
+ This makes it hard to build standard software intended for
+ distribution to a large range of machines based on this technique.
+
+ The amount of mouse movement or the keys actually hit are usually
+ easier to access than timings but may yield less unpredictability as
+ the user may provide highly repetitive input.
+
+ Other external events, such as network packet arrival times, can also
+ be used with care. In particular, the possibility of manipulation of
+ such times by an adversary must be considered.
+
+4.3 The Fallacy of Complex Manipulation
+
+ One strategy which may give a misleading appearance of
+ unpredictability is to take a very complex algorithm (or an excellent
+ traditional pseudo-random number generator with good statistical
+ properties) and calculate a cryptographic key by starting with the
+ current value of a computer system clock as the seed. An adversary
+ who knew roughly when the generator was started would have a
+
+
+
+Eastlake, Crocker & Schiller [Page 8]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ relatively small number of seed values to test as they would know
+ likely values of the system clock. Large numbers of pseudo-random
+ bits could be generated but the search space an adversary would need
+ to check could be quite small.
+
+ Thus very strong and/or complex manipulation of data will not help if
+ the adversary can learn what the manipulation is and there is not
+ enough unpredictability in the starting seed value. Even if they can
+ not learn what the manipulation is, they may be able to use the
+ limited number of results stemming from a limited number of seed
+ values to defeat security.
+
+ Another serious strategy error is to assume that a very complex
+ pseudo-random number generation algorithm will produce strong random
+ numbers when there has been no theory behind or analysis of the
+ algorithm. There is a excellent example of this fallacy right near
+ the beginning of chapter 3 in [KNUTH] where the author describes a
+ complex algorithm. It was intended that the machine language program
+ corresponding to the algorithm would be so complicated that a person
+ trying to read the code without comments wouldn't know what the
+ program was doing. Unfortunately, actual use of this algorithm
+ showed that it almost immediately converged to a single repeated
+ value in one case and a small cycle of values in another case.
+
+ Not only does complex manipulation not help you if you have a limited
+ range of seeds but blindly chosen complex manipulation can destroy
+ the randomness in a good seed!
+
+4.4 The Fallacy of Selection from a Large Database
+
+ Another strategy that can give a misleading appearance of
+ unpredictability is selection of a quantity randomly from a database
+ and assume that its strength is related to the total number of bits
+ in the database. For example, typical USENET servers as of this date
+ process over 35 megabytes of information per day. Assume a random
+ quantity was selected by fetching 32 bytes of data from a random
+ starting point in this data. This does not yield 32*8 = 256 bits
+ worth of unguessability. Even after allowing that much of the data
+ is human language and probably has more like 2 or 3 bits of
+ information per byte, it doesn't yield 32*2.5 = 80 bits of
+ unguessability. For an adversary with access to the same 35
+ megabytes the unguessability rests only on the starting point of the
+ selection. That is, at best, about 25 bits of unguessability in this
+ case.
+
+ The same argument applies to selecting sequences from the data on a
+ CD ROM or Audio CD recording or any other large public database. If
+ the adversary has access to the same database, this "selection from a
+
+
+
+Eastlake, Crocker & Schiller [Page 9]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ large volume of data" step buys very little. However, if a selection
+ can be made from data to which the adversary has no access, such as
+ system buffers on an active multi-user system, it may be of some
+ help.
+
+5. Hardware for Randomness
+
+ Is there any hope for strong portable randomness in the future?
+ There might be. All that's needed is a physical source of
+ unpredictable numbers.
+
+ A thermal noise or radioactive decay source and a fast, free-running
+ oscillator would do the trick directly [GIFFORD]. This is a trivial
+ amount of hardware, and could easily be included as a standard part
+ of a computer system's architecture. Furthermore, any system with a
+ spinning disk or the like has an adequate source of randomness
+ [DAVIS]. All that's needed is the common perception among computer
+ vendors that this small additional hardware and the software to
+ access it is necessary and useful.
+
+5.1 Volume Required
+
+ How much unpredictability is needed? Is it possible to quantify the
+ requirement in, say, number of random bits per second?
+
+ The answer is not very much is needed. For DES, the key is 56 bits
+ and, as we show in an example in Section 8, even the highest security
+ system is unlikely to require a keying material of over 200 bits. If
+ a series of keys are needed, it can be generated from a strong random
+ seed using a cryptographically strong sequence as explained in
+ Section 6.3. A few hundred random bits generated once a day would be
+ enough using such techniques. Even if the random bits are generated
+ as slowly as one per second and it is not possible to overlap the
+ generation process, it should be tolerable in high security
+ applications to wait 200 seconds occasionally.
+
+ These numbers are trivial to achieve. It could be done by a person
+ repeatedly tossing a coin. Almost any hardware process is likely to
+ be much faster.
+
+5.2 Sensitivity to Skew
+
+ Is there any specific requirement on the shape of the distribution of
+ the random numbers? The good news is the distribution need not be
+ uniform. All that is needed is a conservative estimate of how non-
+ uniform it is to bound performance. Two simple techniques to de-skew
+ the bit stream are given below and stronger techniques are mentioned
+ in Section 6.1.2 below.
+
+
+
+Eastlake, Crocker & Schiller [Page 10]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+5.2.1 Using Stream Parity to De-Skew
+
+ Consider taking a sufficiently long string of bits and map the string
+ to "zero" or "one". The mapping will not yield a perfectly uniform
+ distribution, but it can be as close as desired. One mapping that
+ serves the purpose is to take the parity of the string. This has the
+ advantages that it is robust across all degrees of skew up to the
+ estimated maximum skew and is absolutely trivial to implement in
+ hardware.
+
+ The following analysis gives the number of bits that must be sampled:
+
+ Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is
+ between 0 and 0.5 and is a measure of the "eccentricity" of the
+ distribution. Consider the distribution of the parity function of N
+ bit samples. The probabilities that the parity will be one or zero
+ will be the sum of the odd or even terms in the binomial expansion of
+ (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 -
+ e, the probability of a zero.
+
+ These sums can be computed easily as
+
+ N N
+ 1/2 * ( ( p + q ) + ( p - q ) )
+ and
+ N N
+ 1/2 * ( ( p + q ) - ( p - q ) ).
+
+ (Which one corresponds to the probability the parity will be 1
+ depends on whether N is odd or even.)
+
+ Since p + q = 1 and p - q = 2e, these expressions reduce to
+
+ N
+ 1/2 * [1 + (2e) ]
+ and
+ N
+ 1/2 * [1 - (2e) ].
+
+ Neither of these will ever be exactly 0.5 unless e is zero, but we
+ can bring them arbitrarily close to 0.5. If we want the
+ probabilities to be within some delta d of 0.5, i.e. then
+
+ N
+ ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 11]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than
+ 1, so its log is negative. Division by a negative number reverses
+ the sense of an inequality.)
+
+ The following table gives the length of the string which must be
+ sampled for various degrees of skew in order to come within 0.001 of
+ a 50/50 distribution.
+
+ +---------+--------+-------+
+ | Prob(1) | e | N |
+ +---------+--------+-------+
+ | 0.5 | 0.00 | 1 |
+ | 0.6 | 0.10 | 4 |
+ | 0.7 | 0.20 | 7 |
+ | 0.8 | 0.30 | 13 |
+ | 0.9 | 0.40 | 28 |
+ | 0.95 | 0.45 | 59 |
+ | 0.99 | 0.49 | 308 |
+ +---------+--------+-------+
+
+ The last entry shows that even if the distribution is skewed 99% in
+ favor of ones, the parity of a string of 308 samples will be within
+ 0.001 of a 50/50 distribution.
+
+5.2.2 Using Transition Mappings to De-Skew
+
+ Another technique, originally due to von Neumann [VON NEUMANN], is to
+ examine a bit stream as a sequence of non-overlapping pairs. You
+ could then discard any 00 or 11 pairs found, interpret 01 as a 0 and
+ 10 as a 1. Assume the probability of a 1 is 0.5+e and the
+ probability of a 0 is 0.5-e where e is the eccentricity of the source
+ and described in the previous section. Then the probability of each
+ pair is as follows:
+
+ +------+-----------------------------------------+
+ | pair | probability |
+ +------+-----------------------------------------+
+ | 00 | (0.5 - e)^2 = 0.25 - e + e^2 |
+ | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 |
+ | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 |
+ | 11 | (0.5 + e)^2 = 0.25 + e + e^2 |
+ +------+-----------------------------------------+
+
+ This technique will completely eliminate any bias but at the expense
+ of taking an indeterminate number of input bits for any particular
+ desired number of output bits. The probability of any particular
+ pair being discarded is 0.5 + 2e^2 so the expected number of input
+ bits to produce X output bits is X/(0.25 - e^2).
+
+
+
+Eastlake, Crocker & Schiller [Page 12]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ This technique assumes that the bits are from a stream where each bit
+ has the same probability of being a 0 or 1 as any other bit in the
+ stream and that bits are not correlated, i.e., that the bits are
+ identical independent distributions. If alternate bits were from two
+ correlated sources, for example, the above analysis breaks down.
+
+ The above technique also provides another illustration of how a
+ simple statistical analysis can mislead if one is not always on the
+ lookout for patterns that could be exploited by an adversary. If the
+ algorithm were mis-read slightly so that overlapping successive bits
+ pairs were used instead of non-overlapping pairs, the statistical
+ analysis given is the same; however, instead of provided an unbiased
+ uncorrelated series of random 1's and 0's, it instead produces a
+ totally predictable sequence of exactly alternating 1's and 0's.
+
+5.2.3 Using FFT to De-Skew
+
+ When real world data consists of strongly biased or correlated bits,
+ it may still contain useful amounts of randomness. This randomness
+ can be extracted through use of the discrete Fourier transform or its
+ optimized variant, the FFT.
+
+ Using the Fourier transform of the data, strong correlations can be
+ discarded. If adequate data is processed and remaining correlations
+ decay, spectral lines approaching statistical independence and
+ normally distributed randomness can be produced [BRILLINGER].
+
+5.2.4 Using Compression to De-Skew
+
+ Reversible compression techniques also provide a crude method of de-
+ skewing a skewed bit stream. This follows directly from the
+ definition of reversible compression and the formula in Section 2
+ above for the amount of information in a sequence. Since the
+ compression is reversible, the same amount of information must be
+ present in the shorter output than was present in the longer input.
+ By the Shannon information equation, this is only possible if, on
+ average, the probabilities of the different shorter sequences are
+ more uniformly distributed than were the probabilities of the longer
+ sequences. Thus the shorter sequences are de-skewed relative to the
+ input.
+
+ However, many compression techniques add a somewhat predicatable
+ preface to their output stream and may insert such a sequence again
+ periodically in their output or otherwise introduce subtle patterns
+ of their own. They should be considered only a rough technique
+ compared with those described above or in Section 6.1.2. At a
+ minimum, the beginning of the compressed sequence should be skipped
+ and only later bits used for applications requiring random bits.
+
+
+
+Eastlake, Crocker & Schiller [Page 13]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+5.3 Existing Hardware Can Be Used For Randomness
+
+ As described below, many computers come with hardware that can, with
+ care, be used to generate truly random quantities.
+
+5.3.1 Using Existing Sound/Video Input
+
+ Increasingly computers are being built with inputs that digitize some
+ real world analog source, such as sound from a microphone or video
+ input from a camera. Under appropriate circumstances, such input can
+ provide reasonably high quality random bits. The "input" from a
+ sound digitizer with no source plugged in or a camera with the lens
+ cap on, if the system has enough gain to detect anything, is
+ essentially thermal noise.
+
+ For example, on a SPARCstation, one can read from the /dev/audio
+ device with nothing plugged into the microphone jack. Such data is
+ essentially random noise although it should not be trusted without
+ some checking in case of hardware failure. It will, in any case,
+ need to be de-skewed as described elsewhere.
+
+ Combining this with compression to de-skew one can, in UNIXese,
+ generate a huge amount of medium quality random data by doing
+
+ cat /dev/audio | compress - >random-bits-file
+
+5.3.2 Using Existing Disk Drives
+
+ Disk drives have small random fluctuations in their rotational speed
+ due to chaotic air turbulence [DAVIS]. By adding low level disk seek
+ time instrumentation to a system, a series of measurements can be
+ obtained that include this randomness. Such data is usually highly
+ correlated so that significant processing is needed, including FFT
+ (see section 5.2.3). Nevertheless experimentation has shown that,
+ with such processing, disk drives easily produce 100 bits a minute or
+ more of excellent random data.
+
+ Partly offsetting this need for processing is the fact that disk
+ drive failure will normally be rapidly noticed. Thus, problems with
+ this method of random number generation due to hardware failure are
+ very unlikely.
+
+6. Recommended Non-Hardware Strategy
+
+ What is the best overall strategy for meeting the requirement for
+ unguessable random numbers in the absence of a reliable hardware
+ source? It is to obtain random input from a large number of
+ uncorrelated sources and to mix them with a strong mixing function.
+
+
+
+Eastlake, Crocker & Schiller [Page 14]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ Such a function will preserve the randomness present in any of the
+ sources even if other quantities being combined are fixed or easily
+ guessable. This may be advisable even with a good hardware source as
+ hardware can also fail, though this should be weighed against any
+ increase in the chance of overall failure due to added software
+ complexity.
+
+6.1 Mixing Functions
+
+ A strong mixing function is one which combines two or more inputs and
+ produces an output where each output bit is a different complex non-
+ linear function of all the input bits. On average, changing any
+ input bit will change about half the output bits. But because the
+ relationship is complex and non-linear, no particular output bit is
+ guaranteed to change when any particular input bit is changed.
+
+ Consider the problem of converting a stream of bits that is skewed
+ towards 0 or 1 to a shorter stream which is more random, as discussed
+ in Section 5.2 above. This is simply another case where a strong
+ mixing function is desired, mixing the input bits to produce a
+ smaller number of output bits. The technique given in Section 5.2.1
+ of using the parity of a number of bits is simply the result of
+ successively Exclusive Or'ing them which is examined as a trivial
+ mixing function immediately below. Use of stronger mixing functions
+ to extract more of the randomness in a stream of skewed bits is
+ examined in Section 6.1.2.
+
+6.1.1 A Trivial Mixing Function
+
+ A trivial example for single bit inputs is the Exclusive Or function,
+ which is equivalent to addition without carry, as show in the table
+ below. This is a degenerate case in which the one output bit always
+ changes for a change in either input bit. But, despite its
+ simplicity, it will still provide a useful illustration.
+
+ +-----------+-----------+----------+
+ | input 1 | input 2 | output |
+ +-----------+-----------+----------+
+ | 0 | 0 | 0 |
+ | 0 | 1 | 1 |
+ | 1 | 0 | 1 |
+ | 1 | 1 | 0 |
+ +-----------+-----------+----------+
+
+ If inputs 1 and 2 are uncorrelated and combined in this fashion then
+ the output will be an even better (less skewed) random bit than the
+ inputs. If we assume an "eccentricity" e as defined in Section 5.2
+ above, then the output eccentricity relates to the input eccentricity
+
+
+
+Eastlake, Crocker & Schiller [Page 15]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ as follows:
+
+ e = 2 * e * e
+ output input 1 input 2
+
+ Since e is never greater than 1/2, the eccentricity is always
+ improved except in the case where at least one input is a totally
+ skewed constant. This is illustrated in the following table where
+ the top and left side values are the two input eccentricities and the
+ entries are the output eccentricity:
+
+ +--------+--------+--------+--------+--------+--------+--------+
+ | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+ +--------+--------+--------+--------+--------+--------+--------+
+ | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
+ | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 |
+ | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 |
+ | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 |
+ | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 |
+ | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
+ +--------+--------+--------+--------+--------+--------+--------+
+
+ However, keep in mind that the above calculations assume that the
+ inputs are not correlated. If the inputs were, say, the parity of
+ the number of minutes from midnight on two clocks accurate to a few
+ seconds, then each might appear random if sampled at random intervals
+ much longer than a minute. Yet if they were both sampled and
+ combined with xor, the result would be zero most of the time.
+
+6.1.2 Stronger Mixing Functions
+
+ The US Government Data Encryption Standard [DES] is an example of a
+ strong mixing function for multiple bit quantities. It takes up to
+ 120 bits of input (64 bits of "data" and 56 bits of "key") and
+ produces 64 bits of output each of which is dependent on a complex
+ non-linear function of all input bits. Other strong encryption
+ functions with this characteristic can also be used by considering
+ them to mix all of their key and data input bits.
+
+ Another good family of mixing functions are the "message digest" or
+ hashing functions such as The US Government Secure Hash Standard
+ [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions
+ all take an arbitrary amount of input and produce an output mixing
+ all the input bits. The MD* series produce 128 bits of output and SHS
+ produces 160 bits.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 16]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ Although the message digest functions are designed for variable
+ amounts of input, DES and other encryption functions can also be used
+ to combine any number of inputs. If 64 bits of output is adequate,
+ the inputs can be packed into a 64 bit data quantity and successive
+ 56 bit keys, padding with zeros if needed, which are then used to
+ successively encrypt using DES in Electronic Codebook Mode [DES
+ MODES]. If more than 64 bits of output are needed, use more complex
+ mixing. For example, if inputs are packed into three quantities, A,
+ B, and C, use DES to encrypt A with B as a key and then with C as a
+ key to produce the 1st part of the output, then encrypt B with C and
+ then A for more output and, if necessary, encrypt C with A and then B
+ for yet more output. Still more output can be produced by reversing
+ the order of the keys given above to stretch things. The same can be
+ done with the hash functions by hashing various subsets of the input
+ data to produce multiple outputs. But keep in mind that it is
+ impossible to get more bits of "randomness" out than are put in.
+
+ An example of using a strong mixing function would be to reconsider
+ the case of a string of 308 bits each of which is biased 99% towards
+ zero. The parity technique given in Section 5.2.1 above reduced this
+ to one bit with only a 1/1000 deviance from being equally likely a
+ zero or one. But, applying the equation for information given in
+ Section 2, this 308 bit sequence has 5 bits of information in it.
+ Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
+ result would yield 5 unbiased random bits as opposed to the single
+ bit given by calculating the parity of the string.
+
+6.1.3 Diffie-Hellman as a Mixing Function
+
+ Diffie-Hellman exponential key exchange is a technique that yields a
+ shared secret between two parties that can be made computationally
+ infeasible for a third party to determine even if they can observe
+ all the messages between the two communicating parties. This shared
+ secret is a mixture of initial quantities generated by each of them
+ [D-H]. If these initial quantities are random, then the shared
+ secret contains the combined randomness of them both, assuming they
+ are uncorrelated.
+
+6.1.4 Using a Mixing Function to Stretch Random Bits
+
+ While it is not necessary for a mixing function to produce the same
+ or fewer bits than its inputs, mixing bits cannot "stretch" the
+ amount of random unpredictability present in the inputs. Thus four
+ inputs of 32 bits each where there is 12 bits worth of
+ unpredicatability (such as 4,096 equally probable values) in each
+ input cannot produce more than 48 bits worth of unpredictable output.
+ The output can be expanded to hundreds or thousands of bits by, for
+ example, mixing with successive integers, but the clever adversary's
+
+
+
+Eastlake, Crocker & Schiller [Page 17]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ search space is still 2^48 possibilities. Furthermore, mixing to
+ fewer bits than are input will tend to strengthen the randomness of
+ the output the way using Exclusive Or to produce one bit from two did
+ above.
+
+ The last table in Section 6.1.1 shows that mixing a random bit with a
+ constant bit with Exclusive Or will produce a random bit. While this
+ is true, it does not provide a way to "stretch" one random bit into
+ more than one. If, for example, a random bit is mixed with a 0 and
+ then with a 1, this produces a two bit sequence but it will always be
+ either 01 or 10. Since there are only two possible values, there is
+ still only the one bit of original randomness.
+
+6.1.5 Other Factors in Choosing a Mixing Function
+
+ For local use, DES has the advantages that it has been widely tested
+ for flaws, is widely documented, and is widely implemented with
+ hardware and software implementations available all over the world
+ including source code available by anonymous FTP. The SHS and MD*
+ family are younger algorithms which have been less tested but there
+ is no particular reason to believe they are flawed. Both MD5 and SHS
+ were derived from the earlier MD4 algorithm. They all have source
+ code available by anonymous FTP [SHS, MD2, MD4, MD5].
+
+ DES and SHS have been vouched for the the US National Security Agency
+ (NSA) on the basis of criteria that primarily remain secret. While
+ this is the cause of much speculation and doubt, investigation of DES
+ over the years has indicated that NSA involvement in modifications to
+ its design, which originated with IBM, was primarily to strengthen
+ it. No concealed or special weakness has been found in DES. It is
+ almost certain that the NSA modification to MD4 to produce the SHS
+ similarly strengthened the algorithm, possibly against threats not
+ yet known in the public cryptographic community.
+
+ DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has
+ been freely licensed only for non-profit use in connection with
+ Privacy Enhanced Mail [PEM]. Between the MD* algorithms, some people
+ believe that, as with "Goldilocks and the Three Bears", MD2 is strong
+ but too slow, MD4 is fast but too weak, and MD5 is just right.
+
+ Another advantage of the MD* or similar hashing algorithms over
+ encryption algorithms is that they are not subject to the same
+ regulations imposed by the US Government prohibiting the unlicensed
+ export or import of encryption/decryption software and hardware. The
+ same should be true of DES rigged to produce an irreversible hash
+ code but most DES packages are oriented to reversible encryption.
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 18]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+6.2 Non-Hardware Sources of Randomness
+
+ The best source of input for mixing would be a hardware randomness
+ such as disk drive timing affected by air turbulence, audio input
+ with thermal noise, or radioactive decay. However, if that is not
+ available there are other possibilities. These include system
+ clocks, system or input/output buffers, user/system/hardware/network
+ serial numbers and/or addresses and timing, and user input.
+ Unfortunately, any of these sources can produce limited or
+ predicatable values under some circumstances.
+
+ Some of the sources listed above would be quite strong on multi-user
+ systems where, in essence, each user of the system is a source of
+ randomness. However, on a small single user system, such as a
+ typical IBM PC or Apple Macintosh, it might be possible for an
+ adversary to assemble a similar configuration. This could give the
+ adversary inputs to the mixing process that were sufficiently
+ correlated to those used originally as to make exhaustive search
+ practical.
+
+ The use of multiple random inputs with a strong mixing function is
+ recommended and can overcome weakness in any particular input. For
+ example, the timing and content of requested "random" user keystrokes
+ can yield hundreds of random bits but conservative assumptions need
+ to be made. For example, assuming a few bits of randomness if the
+ inter-keystroke interval is unique in the sequence up to that point
+ and a similar assumption if the key hit is unique but assuming that
+ no bits of randomness are present in the initial key value or if the
+ timing or key value duplicate previous values. The results of mixing
+ these timings and characters typed could be further combined with
+ clock values and other inputs.
+
+ This strategy may make practical portable code to produce good random
+ numbers for security even if some of the inputs are very weak on some
+ of the target systems. However, it may still fail against a high
+ grade attack on small single user systems, especially if the
+ adversary has ever been able to observe the generation process in the
+ past. A hardware based random source is still preferable.
+
+6.3 Cryptographically Strong Sequences
+
+ In cases where a series of random quantities must be generated, an
+ adversary may learn some values in the sequence. In general, they
+ should not be able to predict other values from the ones that they
+ know.
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 19]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ The correct technique is to start with a strong random seed, take
+ cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
+ do not reveal the complete state of the generator in the sequence
+ elements. If each value in the sequence can be calculated in a fixed
+ way from the previous value, then when any value is compromised, all
+ future values can be determined. This would be the case, for
+ example, if each value were a constant function of the previously
+ used values, even if the function were a very strong, non-invertible
+ message digest function.
+
+ It should be noted that if your technique for generating a sequence
+ of key values is fast enough, it can trivially be used as the basis
+ for a confidentiality system. If two parties use the same sequence
+ generating technique and start with the same seed material, they will
+ generate identical sequences. These could, for example, be xor'ed at
+ one end with data being send, encrypting it, and xor'ed with this
+ data as received, decrypting it due to the reversible properties of
+ the xor operation.
+
+6.3.1 Traditional Strong Sequences
+
+ A traditional way to achieve a strong sequence has been to have the
+ values be produced by hashing the quantities produced by
+ concatenating the seed with successive integers or the like and then
+ mask the values obtained so as to limit the amount of generator state
+ available to the adversary.
+
+ It may also be possible to use an "encryption" algorithm with a
+ random key and seed value to encrypt and feedback some or all of the
+ output encrypted value into the value to be encrypted for the next
+ iteration. Appropriate feedback techniques will usually be
+ recommended with the encryption algorithm. An example is shown below
+ where shifting and masking are used to combine the cypher output
+ feedback. This type of feedback is recommended by the US Government
+ in connection with DES [DES MODES].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 20]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ +---------------+
+ | V |
+ | | n |
+ +--+------------+
+ | | +---------+
+ | +---------> | | +-----+
+ +--+ | Encrypt | <--- | Key |
+ | +-------- | | +-----+
+ | | +---------+
+ V V
+ +------------+--+
+ | V | |
+ | n+1 |
+ +---------------+
+
+ Note that if a shift of one is used, this is the same as the shift
+ register technique described in Section 3 above but with the all
+ important difference that the feedback is determined by a complex
+ non-linear function of all bits rather than a simple linear or
+ polynomial combination of output from a few bit position taps.
+
+ It has been shown by Donald W. Davies that this sort of shifted
+ partial output feedback significantly weakens an algorithm compared
+ will feeding all of the output bits back as input. In particular,
+ for DES, repeated encrypting a full 64 bit quantity will give an
+ expected repeat in about 2^63 iterations. Feeding back anything less
+ than 64 (and more than 0) bits will give an expected repeat in
+ between 2**31 and 2**32 iterations!
+
+ To predict values of a sequence from others when the sequence was
+ generated by these techniques is equivalent to breaking the
+ cryptosystem or inverting the "non-invertible" hashing involved with
+ only partial information available. The less information revealed
+ each iteration, the harder it will be for an adversary to predict the
+ sequence. Thus it is best to use only one bit from each value. It
+ has been shown that in some cases this makes it impossible to break a
+ system even when the cryptographic system is invertible and can be
+ broken if all of each generated value was revealed.
+
+6.3.2 The Blum Blum Shub Sequence Generator
+
+ Currently the generator which has the strongest public proof of
+ strength is called the Blum Blum Shub generator after its inventors
+ [BBS]. It is also very simple and is based on quadratic residues.
+ It's only disadvantage is that is is computationally intensive
+ compared with the traditional techniques give in 6.3.1 above. This
+ is not a serious draw back if it is used for moderately infrequent
+ purposes, such as generating session keys.
+
+
+
+Eastlake, Crocker & Schiller [Page 21]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ Simply choose two large prime numbers, say p and q, which both have
+ the property that you get a remainder of 3 if you divide them by 4.
+ Let n = p * q. Then you choose a random number x relatively prime to
+ n. The initial seed for the generator and the method for calculating
+ subsequent values are then
+
+ 2
+ s = ( x )(Mod n)
+ 0
+
+ 2
+ s = ( s )(Mod n)
+ i+1 i
+
+ You must be careful to use only a few bits from the bottom of each s.
+ It is always safe to use only the lowest order bit. If you use no
+ more than the
+
+ log ( log ( s ) )
+ 2 2 i
+
+ low order bits, then predicting any additional bits from a sequence
+ generated in this manner is provable as hard as factoring n. As long
+ as the initial x is secret, you can even make n public if you want.
+
+ An intersting characteristic of this generator is that you can
+ directly calculate any of the s values. In particular
+
+ i
+ ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) )
+ s = ( s )(Mod n)
+ i 0
+
+ This means that in applications where many keys are generated in this
+ fashion, it is not necessary to save them all. Each key can be
+ effectively indexed and recovered from that small index and the
+ initial s and n.
+
+7. Key Generation Standards
+
+ Several public standards are now in place for the generation of keys.
+ Two of these are described below. Both use DES but any equally
+ strong or stronger mixing function could be substituted.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 22]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+7.1 US DoD Recommendations for Password Generation
+
+ The United States Department of Defense has specific recommendations
+ for password generation [DoD]. They suggest using the US Data
+ Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
+ follows:
+
+ use an initialization vector determined from
+ the system clock,
+ system ID,
+ user ID, and
+ date and time;
+ use a key determined from
+ system interrupt registers,
+ system status registers, and
+ system counters; and,
+ as plain text, use an external randomly generated 64 bit
+ quantity such as 8 characters typed in by a system
+ administrator.
+
+ The password can then be calculated from the 64 bit "cipher text"
+ generated in 64-bit Output Feedback Mode. As many bits as are needed
+ can be taken from these 64 bits and expanded into a pronounceable
+ word, phrase, or other format if a human being needs to remember the
+ password.
+
+7.2 X9.17 Key Generation
+
+ The American National Standards Institute has specified a method for
+ generating a sequence of keys as follows:
+
+ s is the initial 64 bit seed
+ 0
+
+ g is the sequence of generated 64 bit key quantities
+ n
+
+ k is a random key reserved for generating this key sequence
+
+ t is the time at which a key is generated to as fine a resolution
+ as is available (up to 64 bits).
+
+ DES ( K, Q ) is the DES encryption of quantity Q with key K
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 23]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ g = DES ( k, DES ( k, t ) .xor. s )
+ n n
+
+ s = DES ( k, DES ( k, t ) .xor. g )
+ n+1 n
+
+ If g sub n is to be used as a DES key, then every eighth bit should
+ be adjusted for parity for that use but the entire 64 bit unmodified
+ g should be used in calculating the next s.
+
+8. Examples of Randomness Required
+
+ Below are two examples showing rough calculations of needed
+ randomness for security. The first is for moderate security
+ passwords while the second assumes a need for a very high security
+ cryptographic key.
+
+8.1 Password Generation
+
+ Assume that user passwords change once a year and it is desired that
+ the probability that an adversary could guess the password for a
+ particular account be less than one in a thousand. Further assume
+ that sending a password to the system is the only way to try a
+ password. Then the crucial question is how often an adversary can
+ try possibilities. Assume that delays have been introduced into a
+ system so that, at most, an adversary can make one password try every
+ six seconds. That's 600 per hour or about 15,000 per day or about
+ 5,000,000 tries in a year. Assuming any sort of monitoring, it is
+ unlikely someone could actually try continuously for a year. In
+ fact, even if log files are only checked monthly, 500,000 tries is
+ more plausible before the attack is noticed and steps taken to change
+ passwords and make it harder to try more passwords.
+
+ To have a one in a thousand chance of guessing the password in
+ 500,000 tries implies a universe of at least 500,000,000 passwords or
+ about 2^29. Thus 29 bits of randomness are needed. This can probably
+ be achieved using the US DoD recommended inputs for password
+ generation as it has 8 inputs which probably average over 5 bits of
+ randomness each (see section 7.1). Using a list of 1000 words, the
+ password could be expressed as a three word phrase (1,000,000,000
+ possibilities) or, using case insensitive letters and digits, six
+ would suffice ((26+10)^6 = 2,176,782,336 possibilities).
+
+ For a higher security password, the number of bits required goes up.
+ To decrease the probability by 1,000 requires increasing the universe
+ of passwords by the same factor which adds about 10 bits. Thus to
+ have only a one in a million chance of a password being guessed under
+ the above scenario would require 39 bits of randomness and a password
+
+
+
+Eastlake, Crocker & Schiller [Page 24]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ that was a four word phrase from a 1000 word list or eight
+ letters/digits. To go to a one in 10^9 chance, 49 bits of randomness
+ are needed implying a five word phrase or ten letter/digit password.
+
+ In a real system, of course, there are also other factors. For
+ example, the larger and harder to remember passwords are, the more
+ likely users are to write them down resulting in an additional risk
+ of compromise.
+
+8.2 A Very High Security Cryptographic Key
+
+ Assume that a very high security key is needed for symmetric
+ encryption / decryption between two parties. Assume an adversary can
+ observe communications and knows the algorithm being used. Within
+ the field of random possibilities, the adversary can try key values
+ in hopes of finding the one in use. Assume further that brute force
+ trial of keys is the best the adversary can do.
+
+8.2.1 Effort per Key Trial
+
+ How much effort will it take to try each key? For very high security
+ applications it is best to assume a low value of effort. Even if it
+ would clearly take tens of thousands of computer cycles or more to
+ try a single key, there may be some pattern that enables huge blocks
+ of key values to be tested with much less effort per key. Thus it is
+ probably best to assume no more than a couple hundred cycles per key.
+ (There is no clear lower bound on this as computers operate in
+ parallel on a number of bits and a poor encryption algorithm could
+ allow many keys or even groups of keys to be tested in parallel.
+ However, we need to assume some value and can hope that a reasonably
+ strong algorithm has been chosen for our hypothetical high security
+ task.)
+
+ If the adversary can command a highly parallel processor or a large
+ network of work stations, 2*10^10 cycles per second is probably a
+ minimum assumption for availability today. Looking forward just a
+ couple years, there should be at least an order of magnitude
+ improvement. Thus assuming 10^9 keys could be checked per second or
+ 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
+ reasonable. This implies a need for a minimum of 51 bits of
+ randomness in keys to be sure they cannot be found in a month. Even
+ then it is possible that, a few years from now, a highly determined
+ and resourceful adversary could break the key in 2 weeks (on average
+ they need try only half the keys).
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 25]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+8.2.2 Meet in the Middle Attacks
+
+ If chosen or known plain text and the resulting encrypted text are
+ available, a "meet in the middle" attack is possible if the structure
+ of the encryption algorithm allows it. (In a known plain text
+ attack, the adversary knows all or part of the messages being
+ encrypted, possibly some standard header or trailer fields. In a
+ chosen plain text attack, the adversary can force some chosen plain
+ text to be encrypted, possibly by "leaking" an exciting text that
+ would then be sent by the adversary over an encrypted channel.)
+
+ An oversimplified explanation of the meet in the middle attack is as
+ follows: the adversary can half-encrypt the known or chosen plain
+ text with all possible first half-keys, sort the output, then half-
+ decrypt the encoded text with all the second half-keys. If a match
+ is found, the full key can be assembled from the halves and used to
+ decrypt other parts of the message or other messages. At its best,
+ this type of attack can halve the exponent of the work required by
+ the adversary while adding a large but roughly constant factor of
+ effort. To be assured of safety against this, a doubling of the
+ amount of randomness in the key to a minimum of 102 bits is required.
+
+ The meet in the middle attack assumes that the cryptographic
+ algorithm can be decomposed in this way but we can not rule that out
+ without a deep knowledge of the algorithm. Even if a basic algorithm
+ is not subject to a meet in the middle attack, an attempt to produce
+ a stronger algorithm by applying the basic algorithm twice (or two
+ different algorithms sequentially) with different keys may gain less
+ added security than would be expected. Such a composite algorithm
+ would be subject to a meet in the middle attack.
+
+ Enormous resources may be required to mount a meet in the middle
+ attack but they are probably within the range of the national
+ security services of a major nation. Essentially all nations spy on
+ other nations government traffic and several nations are believed to
+ spy on commercial traffic for economic advantage.
+
+8.2.3 Other Considerations
+
+ Since we have not even considered the possibilities of special
+ purpose code breaking hardware or just how much of a safety margin we
+ want beyond our assumptions above, probably a good minimum for a very
+ high security cryptographic key is 128 bits of randomness which
+ implies a minimum key length of 128 bits. If the two parties agree
+ on a key by Diffie-Hellman exchange [D-H], then in principle only
+ half of this randomness would have to be supplied by each party.
+ However, there is probably some correlation between their random
+ inputs so it is probably best to assume that each party needs to
+
+
+
+Eastlake, Crocker & Schiller [Page 26]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ provide at least 96 bits worth of randomness for very high security
+ if Diffie-Hellman is used.
+
+ This amount of randomness is beyond the limit of that in the inputs
+ recommended by the US DoD for password generation and could require
+ user typing timing, hardware random number generation, or other
+ sources.
+
+ It should be noted that key length calculations such at those above
+ are controversial and depend on various assumptions about the
+ cryptographic algorithms in use. In some cases, a professional with
+ a deep knowledge of code breaking techniques and of the strength of
+ the algorithm in use could be satisfied with less than half of the
+ key size derived above.
+
+9. Conclusion
+
+ Generation of unguessable "random" secret quantities for security use
+ is an essential but difficult task.
+
+ We have shown that hardware techniques to produce such randomness
+ would be relatively simple. In particular, the volume and quality
+ would not need to be high and existing computer hardware, such as
+ disk drives, can be used. Computational techniques are available to
+ process low quality random quantities from multiple sources or a
+ larger quantity of such low quality input from one source and produce
+ a smaller quantity of higher quality, less predictable key material.
+ In the absence of hardware sources of randomness, a variety of user
+ and software sources can frequently be used instead with care;
+ however, most modern systems already have hardware, such as disk
+ drives or audio input, that could be used to produce high quality
+ randomness.
+
+ Once a sufficient quantity of high quality seed key material (a few
+ hundred bits) is available, strong computational techniques are
+ available to produce cryptographically strong sequences of
+ unpredicatable quantities from this seed material.
+
+10. Security Considerations
+
+ The entirety of this document concerns techniques and recommendations
+ for generating unguessable "random" quantities for use as passwords,
+ cryptographic keys, and similar security uses.
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 27]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+References
+
+ [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems,
+ edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
+ Press, Inc.
+
+ [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM
+ Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub.
+
+ [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day,
+ 1981, David Brillinger.
+
+ [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber
+ Publishing Company.
+
+ [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication,
+ John Wiley & Sons, 1981, Alan G. Konheim.
+
+ [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security,
+ A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H.
+ Meyer & Stephen M. Matyas.
+
+ [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source
+ Code in C, John Wiley & Sons, 1994, Bruce Schneier.
+
+ [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk
+ Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture
+ Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and
+ Philip Fenstermacher.
+
+ [DES] - Data Encryption Standard, United States of America,
+ Department of Commerce, National Institute of Standards and
+ Technology, Federal Information Processing Standard (FIPS) 46-1.
+ - Data Encryption Algorithm, American National Standards Institute,
+ ANSI X3.92-1981.
+ (See also FIPS 112, Password Usage, which includes FORTRAN code for
+ performing DES.)
+
+ [DES MODES] - DES Modes of Operation, United States of America,
+ Department of Commerce, National Institute of Standards and
+ Technology, Federal Information Processing Standard (FIPS) 81.
+ - Data Encryption Algorithm - Modes of Operation, American National
+ Standards Institute, ANSI X3.106-1983.
+
+ [D-H] - New Directions in Cryptography, IEEE Transactions on
+ Information Technology, November, 1976, Whitfield Diffie and Martin
+ E. Hellman.
+
+
+
+
+Eastlake, Crocker & Schiller [Page 28]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ [DoD] - Password Management Guideline, United States of America,
+ Department of Defense, Computer Security Center, CSC-STD-002-85.
+ (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85
+ as one of its appendices.)
+
+ [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988,
+ David K. Gifford
+
+ [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical
+ Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
+ Company, Second Edition 1982, Donald E. Knuth.
+
+ [KRAWCZYK] - How to Predict Congruential Generators, Journal of
+ Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
+
+ [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B.
+ Kaliski
+ [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R.
+ Rivest
+ [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R.
+ Rivest
+
+ [PEM] - RFCs 1421 through 1424:
+ - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part
+ IV: Key Certification and Related Services, 02/10/1993, B. Kaliski
+ - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part
+ III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson
+ - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part
+ II: Certificate-Based Key Management, 02/10/1993, S. Kent
+ - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I:
+ Message Encryption and Authentication Procedures, 02/10/1993, J. Linn
+
+ [SHANNON] - The Mathematical Theory of Communication, University of
+ Illinois Press, 1963, Claude E. Shannon. (originally from: Bell
+ System Technical Journal, July and October 1948)
+
+ [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised
+ Edition 1982, Solomon W. Golomb.
+
+ [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher
+ Systems, Aegean Park Press, 1984, Wayne G. Barker.
+
+ [SHS] - Secure Hash Standard, United States of American, National
+ Institute of Science and Technology, Federal Information Processing
+ Standard (FIPS) 180, April 1993.
+
+ [STERN] - Secret Linear Congruential Generators are not
+ Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern.
+
+
+
+Eastlake, Crocker & Schiller [Page 29]
+
+RFC 1750 Randomness Recommendations for Security December 1994
+
+
+ [VON NEUMANN] - Various techniques used in connection with random
+ digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963,
+ J. von Neumann.
+
+Authors' Addresses
+
+ Donald E. Eastlake 3rd
+ Digital Equipment Corporation
+ 550 King Street, LKG2-1/BB3
+ Littleton, MA 01460
+
+ Phone: +1 508 486 6577(w) +1 508 287 4877(h)
+ EMail: dee@lkg.dec.com
+
+
+ Stephen D. Crocker
+ CyberCash Inc.
+ 2086 Hunters Crest Way
+ Vienna, VA 22181
+
+ Phone: +1 703-620-1222(w) +1 703-391-2651 (fax)
+ EMail: crocker@cybercash.com
+
+
+ Jeffrey I. Schiller
+ Massachusetts Institute of Technology
+ 77 Massachusetts Avenue
+ Cambridge, MA 02139
+
+ Phone: +1 617 253 0161(w)
+ EMail: jis@mit.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, Crocker & Schiller [Page 30]
+
diff --git a/contrib/bind9/doc/rfc/rfc1876.txt b/contrib/bind9/doc/rfc/rfc1876.txt
new file mode 100644
index 0000000..a289cff
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1876.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group C. Davis
+Request for Comments: 1876 Kapor Enterprises
+Updates: 1034, 1035 P. Vixie
+Category: Experimental Vixie Enterprises
+ T. Goodwin
+ FORE Systems
+ I. Dickinson
+ University of Warwick
+ January 1996
+
+
+ A Means for Expressing Location Information in the Domain Name System
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. This memo does not specify an Internet standard of any
+ kind. Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+1. Abstract
+
+ This memo defines a new DNS RR type for experimental purposes. This
+ RFC describes a mechanism to allow the DNS to carry location
+ information about hosts, networks, and subnets. Such information for
+ a small subset of hosts is currently contained in the flat-file UUCP
+ maps. However, just as the DNS replaced the use of HOSTS.TXT to
+ carry host and network address information, it is possible to replace
+ the UUCP maps as carriers of location information.
+
+ This RFC defines the format of a new Resource Record (RR) for the
+ Domain Name System (DNS), and reserves a corresponding DNS type
+ mnemonic (LOC) and numerical code (29).
+
+ This RFC assumes that the reader is familiar with the DNS [RFC 1034,
+ RFC 1035]. The data shown in our examples is for pedagogical use and
+ does not necessarily reflect the real Internet.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 1]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+2. RDATA Format
+
+ MSB LSB
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 0| VERSION | SIZE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 2| HORIZ PRE | VERT PRE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 4| LATITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 6| LATITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 8| LONGITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 10| LONGITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 12| ALTITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 14| ALTITUDE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ (octet)
+
+where:
+
+VERSION Version number of the representation. This must be zero.
+ Implementations are required to check this field and make
+ no assumptions about the format of unrecognized versions.
+
+SIZE The diameter of a sphere enclosing the described entity, in
+ centimeters, expressed as a pair of four-bit unsigned
+ integers, each ranging from zero to nine, with the most
+ significant four bits representing the base and the second
+ number representing the power of ten by which to multiply
+ the base. This allows sizes from 0e0 (<1cm) to 9e9
+ (90,000km) to be expressed. This representation was chosen
+ such that the hexadecimal representation can be read by
+ eye; 0x15 = 1e5. Four-bit values greater than 9 are
+ undefined, as are values with a base of zero and a non-zero
+ exponent.
+
+ Since 20000000m (represented by the value 0x29) is greater
+ than the equatorial diameter of the WGS 84 ellipsoid
+ (12756274m), it is therefore suitable for use as a
+ "worldwide" size.
+
+HORIZ PRE The horizontal precision of the data, in centimeters,
+ expressed using the same representation as SIZE. This is
+ the diameter of the horizontal "circle of error", rather
+
+
+
+Davis, et al Experimental [Page 2]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ than a "plus or minus" value. (This was chosen to match
+ the interpretation of SIZE; to get a "plus or minus" value,
+ divide by 2.)
+
+VERT PRE The vertical precision of the data, in centimeters,
+ expressed using the sane representation as for SIZE. This
+ is the total potential vertical error, rather than a "plus
+ or minus" value. (This was chosen to match the
+ interpretation of SIZE; to get a "plus or minus" value,
+ divide by 2.) Note that if altitude above or below sea
+ level is used as an approximation for altitude relative to
+ the [WGS 84] ellipsoid, the precision value should be
+ adjusted.
+
+LATITUDE The latitude of the center of the sphere described by the
+ SIZE field, expressed as a 32-bit integer, most significant
+ octet first (network standard byte order), in thousandths
+ of a second of arc. 2^31 represents the equator; numbers
+ above that are north latitude.
+
+LONGITUDE The longitude of the center of the sphere described by the
+ SIZE field, expressed as a 32-bit integer, most significant
+ octet first (network standard byte order), in thousandths
+ of a second of arc, rounded away from the prime meridian.
+ 2^31 represents the prime meridian; numbers above that are
+ east longitude.
+
+ALTITUDE The altitude of the center of the sphere described by the
+ SIZE field, expressed as a 32-bit integer, most significant
+ octet first (network standard byte order), in centimeters,
+ from a base of 100,000m below the [WGS 84] reference
+ spheroid used by GPS (semimajor axis a=6378137.0,
+ reciprocal flattening rf=298.257223563). Altitude above
+ (or below) sea level may be used as an approximation of
+ altitude relative to the the [WGS 84] spheroid, though due
+ to the Earth's surface not being a perfect spheroid, there
+ will be differences. (For example, the geoid (which sea
+ level approximates) for the continental US ranges from 10
+ meters to 50 meters below the [WGS 84] spheroid.
+ Adjustments to ALTITUDE and/or VERT PRE will be necessary
+ in most cases. The Defense Mapping Agency publishes geoid
+ height values relative to the [WGS 84] ellipsoid.
+
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 3]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+3. Master File Format
+
+ The LOC record is expressed in a master file in the following format:
+
+ <owner> <TTL> <class> LOC ( d1 [m1 [s1]] {"N"|"S"} d2 [m2 [s2]]
+ {"E"|"W"} alt["m"] [siz["m"] [hp["m"]
+ [vp["m"]]]] )
+
+ (The parentheses are used for multi-line data as specified in [RFC
+ 1035] section 5.1.)
+
+ where:
+
+ d1: [0 .. 90] (degrees latitude)
+ d2: [0 .. 180] (degrees longitude)
+ m1, m2: [0 .. 59] (minutes latitude/longitude)
+ s1, s2: [0 .. 59.999] (seconds latitude/longitude)
+ alt: [-100000.00 .. 42849672.95] BY .01 (altitude in meters)
+ siz, hp, vp: [0 .. 90000000.00] (size/precision in meters)
+
+ If omitted, minutes and seconds default to zero, size defaults to 1m,
+ horizontal precision defaults to 10000m, and vertical precision
+ defaults to 10m. These defaults are chosen to represent typical
+ ZIP/postal code area sizes, since it is often easy to find
+ approximate geographical location by ZIP/postal code.
+
+4. Example Data
+
+;;;
+;;; note that these data would not all appear in one zone file
+;;;
+
+;; network LOC RR derived from ZIP data. note use of precision defaults
+cambridge-net.kei.com. LOC 42 21 54 N 71 06 18 W -24m 30m
+
+;; higher-precision host LOC RR. note use of vertical precision default
+loiosh.kei.com. LOC 42 21 43.952 N 71 5 6.344 W
+ -24m 1m 200m
+
+pipex.net. LOC 52 14 05 N 00 08 50 E 10m
+
+curtin.edu.au. LOC 32 7 19 S 116 2 25 E 10m
+
+rwy04L.logan-airport.boston. LOC 42 21 28.764 N 71 00 51.617 W
+ -44m 2000m
+
+
+
+
+
+
+Davis, et al Experimental [Page 4]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+5. Application use of the LOC RR
+
+5.1 Suggested Uses
+
+ Some uses for the LOC RR have already been suggested, including the
+ USENET backbone flow maps, a "visual traceroute" application showing
+ the geographical path of an IP packet, and network management
+ applications that could use LOC RRs to generate a map of hosts and
+ routers being managed.
+
+5.2 Search Algorithms
+
+ This section specifies how to use the DNS to translate domain names
+ and/or IP addresses into location information.
+
+ If an application wishes to have a "fallback" behavior, displaying a
+ less precise or larger area when a host does not have an associated
+ LOC RR, it MAY support use of the algorithm in section 5.2.3, as
+ noted in sections 5.2.1 and 5.2.2. If fallback is desired, this
+ behaviour is the RECOMMENDED default, but in some cases it may need
+ to be modified based on the specific requirements of the application
+ involved.
+
+ This search algorithm is designed to allow network administrators to
+ specify the location of a network or subnet without requiring LOC RR
+ data for each individual host. For example, a computer lab with 24
+ workstations, all of which are on the same subnet and in basically
+ the same location, would only need a LOC RR for the subnet.
+ (However, if the file server's location has been more precisely
+ measured, a separate LOC RR for it can be placed in the DNS.)
+
+5.2.1 Searching by Name
+
+ If the application is beginning with a name, rather than an IP
+ address (as the USENET backbone flow maps do), it MUST check for a
+ LOC RR associated with that name. (CNAME records should be followed
+ as for any other RR type.)
+
+ If there is no LOC RR for that name, all A records (if any)
+ associated with the name MAY be checked for network (or subnet) LOC
+ RRs using the "Searching by Network or Subnet" algorithm (5.2.3). If
+ multiple A records exist and have associated network or subnet LOC
+ RRs, the application may choose to use any, some, or all of the LOC
+ RRs found, possibly in combination. It is suggested that multi-homed
+ hosts have LOC RRs for their name in the DNS to avoid any ambiguity
+ in these cases.
+
+
+
+
+
+Davis, et al Experimental [Page 5]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ Note that domain names that do not have associated A records must
+ have a LOC RR associated with their name in order for location
+ information to be accessible.
+
+5.2.2 Searching by Address
+
+ If the application is beginning with an IP address (as a "visual
+ traceroute" application might be) it MUST first map the address to a
+ name using the IN-ADDR.ARPA namespace (see [RFC 1034], section
+ 5.2.1), then check for a LOC RR associated with that name.
+
+ If there is no LOC RR for the name, the address MAY be checked for
+ network (or subnet) LOC RRs using the "Searching by Network or
+ Subnet" algorithm (5.2.3).
+
+5.2.3 Searching by Network or Subnet
+
+ Even if a host's name does not have any associated LOC RRs, the
+ network(s) or subnet(s) it is on may. If the application wishes to
+ search for such less specific data, the following algorithm SHOULD be
+ followed to find a network or subnet LOC RR associated with the IP
+ address. This algorithm is adapted slightly from that specified in
+ [RFC 1101], sections 4.3 and 4.4.
+
+ Since subnet LOC RRs are (if present) more specific than network LOC
+ RRs, it is best to use them if available. In order to do so, we
+ build a stack of network and subnet names found while performing the
+ [RFC 1101] search, then work our way down the stack until a LOC RR is
+ found.
+
+ 1. create a host-zero address using the network portion of the IP
+ address (one, two, or three bytes for class A, B, or C networks,
+ respectively). For example, for the host 128.9.2.17, on the class
+ B network 128.9, this would result in the address "128.9.0.0".
+
+ 2. Reverse the octets, suffix IN-ADDR.ARPA, and query for PTR and A
+ records. Retrieve:
+
+ 0.0.9.128.IN-ADDR.ARPA. PTR isi-net.isi.edu.
+ A 255.255.255.0
+
+ Push the name "isi-net.isi.edu" onto the stack of names to be
+ searched for LOC RRs later.
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 6]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ 3. Since an A RR was found, repeat using mask from RR
+ (255.255.255.0), constructing a query for 0.2.9.128.IN-ADDR.ARPA.
+ Retrieve:
+
+ 0.2.9.128.IN-ADDR.ARPA. PTR div2-subnet.isi.edu.
+ A 255.255.255.240
+
+ Push the name "div2-subnet.isi.edu" onto the stack of names to be
+ searched for LOC RRs later.
+
+ 4. Since another A RR was found, repeat using mask 255.255.255.240
+ (x'FFFFFFF0'), constructing a query for 16.2.9.128.IN-ADDR.ARPA.
+ Retrieve:
+
+ 16.2.9.128.IN-ADDR.ARPA. PTR inc-subsubnet.isi.edu.
+
+ Push the name "inc-subsubnet.isi.edu" onto the stack of names to
+ be searched for LOC RRs later.
+
+ 5. Since no A RR is present at 16.2.9.128.IN-ADDR.ARPA., there are no
+ more subnet levels to search. We now pop the top name from the
+ stack and check for an associated LOC RR. Repeat until a LOC RR
+ is found.
+
+ In this case, assume that inc-subsubnet.isi.edu does not have an
+ associated LOC RR, but that div2-subnet.isi.edu does. We will
+ then use div2-subnet.isi.edu's LOC RR as an approximation of this
+ host's location. (Note that even if isi-net.isi.edu has a LOC RR,
+ it will not be used if a subnet also has a LOC RR.)
+
+5.3 Applicability to non-IN Classes and non-IP Addresses
+
+ The LOC record is defined for all RR classes, and may be used with
+ non-IN classes such as HS and CH. The semantics of such use are not
+ defined by this memo.
+
+ The search algorithm in section 5.2.3 may be adapted to other
+ addressing schemes by extending [RFC 1101]'s encoding of network
+ names to cover those schemes. Such extensions are not defined by
+ this memo.
+
+
+
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 7]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+6. References
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, USC/Information Sciences Institute,
+ November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [RFC 1101] Mockapetris, P., "DNS Encoding of Network Names and Other
+ Types", RFC 1101, USC/Information Sciences Institute,
+ April 1989.
+
+ [WGS 84] United States Department of Defense; DoD WGS-1984 - Its
+ Definition and Relationships with Local Geodetic Systems;
+ Washington, D.C.; 1985; Report AD-A188 815 DMA; 6127; 7-R-
+ 138-R; CV, KV;
+
+7. Security Considerations
+
+ High-precision LOC RR information could be used to plan a penetration
+ of physical security, leading to potential denial-of-machine attacks.
+ To avoid any appearance of suggesting this method to potential
+ attackers, we declined the opportunity to name this RR "ICBM".
+
+8. Authors' Addresses
+
+ The authors as a group can be reached as <loc@pipex.net>.
+
+ Christopher Davis
+ Kapor Enterprises, Inc.
+ 238 Main Street, Suite 400
+ Cambridge, MA 02142
+
+ Phone: +1 617 576 4532
+ EMail: ckd@kei.com
+
+
+ Paul Vixie
+ Vixie Enterprises
+ Star Route Box 159A
+ Woodside, CA 94062
+
+ Phone: +1 415 747 0204
+ EMail: paul@vix.com
+
+
+
+
+
+Davis, et al Experimental [Page 8]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ Tim Goodwin
+ Public IP Exchange Ltd (PIPEX)
+ 216 The Science Park
+ Cambridge CB4 4WA
+ UK
+
+ Phone: +44 1223 250250
+ EMail: tim@pipex.net
+
+
+ Ian Dickinson
+ FORE Systems
+ 2475 The Crescent
+ Solihull Parkway
+ Birmingham Business Park
+ B37 7YE
+ UK
+
+ Phone: +44 121 717 4444
+ EMail: idickins@fore.co.uk
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 9]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+Appendix A: Sample Conversion Routines
+
+/*
+ * routines to convert between on-the-wire RR format and zone file
+ * format. Does not contain conversion to/from decimal degrees;
+ * divide or multiply by 60*60*1000 for that.
+ */
+
+static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
+ 1000000,10000000,100000000,1000000000};
+
+/* takes an XeY precision/size value, returns a string representation.*/
+static const char *
+precsize_ntoa(prec)
+ u_int8_t prec;
+{
+ static char retbuf[sizeof("90000000.00")];
+ unsigned long val;
+ int mantissa, exponent;
+
+ mantissa = (int)((prec >> 4) & 0x0f) % 10;
+ exponent = (int)((prec >> 0) & 0x0f) % 10;
+
+ val = mantissa * poweroften[exponent];
+
+ (void) sprintf(retbuf,"%d.%.2d", val/100, val%100);
+ return (retbuf);
+}
+
+/* converts ascii size/precision X * 10**Y(cm) to 0xXY. moves pointer.*/
+static u_int8_t
+precsize_aton(strptr)
+ char **strptr;
+{
+ unsigned int mval = 0, cmval = 0;
+ u_int8_t retval = 0;
+ register char *cp;
+ register int exponent;
+ register int mantissa;
+
+ cp = *strptr;
+
+ while (isdigit(*cp))
+ mval = mval * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* centimeters */
+ cp++;
+ if (isdigit(*cp)) {
+
+
+
+Davis, et al Experimental [Page 10]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ cmval = (*cp++ - '0') * 10;
+ if (isdigit(*cp)) {
+ cmval += (*cp++ - '0');
+ }
+ }
+ }
+ cmval = (mval * 100) + cmval;
+
+ for (exponent = 0; exponent < 9; exponent++)
+ if (cmval < poweroften[exponent+1])
+ break;
+
+ mantissa = cmval / poweroften[exponent];
+ if (mantissa > 9)
+ mantissa = 9;
+
+ retval = (mantissa << 4) | exponent;
+
+ *strptr = cp;
+
+ return (retval);
+}
+
+/* converts ascii lat/lon to unsigned encoded 32-bit number.
+ * moves pointer. */
+static u_int32_t
+latlon2ul(latlonstrptr,which)
+ char **latlonstrptr;
+ int *which;
+{
+ register char *cp;
+ u_int32_t retval;
+ int deg = 0, min = 0, secs = 0, secsfrac = 0;
+
+ cp = *latlonstrptr;
+
+ while (isdigit(*cp))
+ deg = deg * 10 + (*cp++ - '0');
+
+ while (isspace(*cp))
+ cp++;
+
+ if (!(isdigit(*cp)))
+ goto fndhemi;
+
+ while (isdigit(*cp))
+ min = min * 10 + (*cp++ - '0');
+
+
+
+
+Davis, et al Experimental [Page 11]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ while (isspace(*cp))
+ cp++;
+
+ if (!(isdigit(*cp)))
+ goto fndhemi;
+
+ while (isdigit(*cp))
+ secs = secs * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* decimal seconds */
+ cp++;
+ if (isdigit(*cp)) {
+ secsfrac = (*cp++ - '0') * 100;
+ if (isdigit(*cp)) {
+ secsfrac += (*cp++ - '0') * 10;
+ if (isdigit(*cp)) {
+ secsfrac += (*cp++ - '0');
+ }
+ }
+ }
+ }
+
+ while (!isspace(*cp)) /* if any trailing garbage */
+ cp++;
+
+ while (isspace(*cp))
+ cp++;
+
+ fndhemi:
+ switch (*cp) {
+ case 'N': case 'n':
+ case 'E': case 'e':
+ retval = ((unsigned)1<<31)
+ + (((((deg * 60) + min) * 60) + secs) * 1000)
+ + secsfrac;
+ break;
+ case 'S': case 's':
+ case 'W': case 'w':
+ retval = ((unsigned)1<<31)
+ - (((((deg * 60) + min) * 60) + secs) * 1000)
+ - secsfrac;
+ break;
+ default:
+ retval = 0; /* invalid value -- indicates error */
+ break;
+ }
+
+ switch (*cp) {
+
+
+
+Davis, et al Experimental [Page 12]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ case 'N': case 'n':
+ case 'S': case 's':
+ *which = 1; /* latitude */
+ break;
+ case 'E': case 'e':
+ case 'W': case 'w':
+ *which = 2; /* longitude */
+ break;
+ default:
+ *which = 0; /* error */
+ break;
+ }
+
+ cp++; /* skip the hemisphere */
+
+ while (!isspace(*cp)) /* if any trailing garbage */
+ cp++;
+
+ while (isspace(*cp)) /* move to next field */
+ cp++;
+
+ *latlonstrptr = cp;
+
+ return (retval);
+}
+
+/* converts a zone file representation in a string to an RDATA
+ * on-the-wire representation. */
+u_int32_t
+loc_aton(ascii, binary)
+ const char *ascii;
+ u_char *binary;
+{
+ const char *cp, *maxcp;
+ u_char *bcp;
+
+ u_int32_t latit = 0, longit = 0, alt = 0;
+ u_int32_t lltemp1 = 0, lltemp2 = 0;
+ int altmeters = 0, altfrac = 0, altsign = 1;
+ u_int8_t hp = 0x16; /* default = 1e6 cm = 10000.00m = 10km */
+ u_int8_t vp = 0x13; /* default = 1e3 cm = 10.00m */
+ u_int8_t siz = 0x12; /* default = 1e2 cm = 1.00m */
+ int which1 = 0, which2 = 0;
+
+ cp = ascii;
+ maxcp = cp + strlen(ascii);
+
+ lltemp1 = latlon2ul(&cp, &which1);
+
+
+
+Davis, et al Experimental [Page 13]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ lltemp2 = latlon2ul(&cp, &which2);
+
+ switch (which1 + which2) {
+ case 3: /* 1 + 2, the only valid combination */
+ if ((which1 == 1) && (which2 == 2)) { /* normal case */
+ latit = lltemp1;
+ longit = lltemp2;
+ } else if ((which1 == 2) && (which2 == 1)) {/*reversed*/
+ longit = lltemp1;
+ latit = lltemp2;
+ } else { /* some kind of brokenness */
+ return 0;
+ }
+ break;
+ default: /* we didn't get one of each */
+ return 0;
+ }
+
+ /* altitude */
+ if (*cp == '-') {
+ altsign = -1;
+ cp++;
+ }
+
+ if (*cp == '+')
+ cp++;
+
+ while (isdigit(*cp))
+ altmeters = altmeters * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* decimal meters */
+ cp++;
+ if (isdigit(*cp)) {
+ altfrac = (*cp++ - '0') * 10;
+ if (isdigit(*cp)) {
+ altfrac += (*cp++ - '0');
+ }
+ }
+ }
+
+ alt = (10000000 + (altsign * (altmeters * 100 + altfrac)));
+
+ while (!isspace(*cp) && (cp < maxcp))
+ /* if trailing garbage or m */
+ cp++;
+
+ while (isspace(*cp) && (cp < maxcp))
+ cp++;
+
+
+
+Davis, et al Experimental [Page 14]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ siz = precsize_aton(&cp);
+
+ while (!isspace(*cp) && (cp < maxcp))/*if trailing garbage or m*/
+ cp++;
+
+ while (isspace(*cp) && (cp < maxcp))
+ cp++;
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ hp = precsize_aton(&cp);
+
+ while (!isspace(*cp) && (cp < maxcp))/*if trailing garbage or m*/
+ cp++;
+
+ while (isspace(*cp) && (cp < maxcp))
+ cp++;
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ vp = precsize_aton(&cp);
+
+ defaults:
+
+ bcp = binary;
+ *bcp++ = (u_int8_t) 0; /* version byte */
+ *bcp++ = siz;
+ *bcp++ = hp;
+ *bcp++ = vp;
+ PUTLONG(latit,bcp);
+ PUTLONG(longit,bcp);
+ PUTLONG(alt,bcp);
+
+ return (16); /* size of RR in octets */
+}
+
+/* takes an on-the-wire LOC RR and prints it in zone file
+ * (human readable) format. */
+char *
+loc_ntoa(binary,ascii)
+ const u_char *binary;
+ char *ascii;
+{
+
+
+
+Davis, et al Experimental [Page 15]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ static char tmpbuf[255*3];
+
+ register char *cp;
+ register const u_char *rcp;
+
+ int latdeg, latmin, latsec, latsecfrac;
+ int longdeg, longmin, longsec, longsecfrac;
+ char northsouth, eastwest;
+ int altmeters, altfrac, altsign;
+
+ const int referencealt = 100000 * 100;
+
+ int32_t latval, longval, altval;
+ u_int32_t templ;
+ u_int8_t sizeval, hpval, vpval, versionval;
+
+ char *sizestr, *hpstr, *vpstr;
+
+ rcp = binary;
+ if (ascii)
+ cp = ascii;
+ else {
+ cp = tmpbuf;
+ }
+
+ versionval = *rcp++;
+
+ if (versionval) {
+ sprintf(cp,"; error: unknown LOC RR version");
+ return (cp);
+ }
+
+ sizeval = *rcp++;
+
+ hpval = *rcp++;
+ vpval = *rcp++;
+
+ GETLONG(templ,rcp);
+ latval = (templ - ((unsigned)1<<31));
+
+ GETLONG(templ,rcp);
+ longval = (templ - ((unsigned)1<<31));
+
+ GETLONG(templ,rcp);
+ if (templ < referencealt) { /* below WGS 84 spheroid */
+ altval = referencealt - templ;
+ altsign = -1;
+ } else {
+
+
+
+Davis, et al Experimental [Page 16]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ altval = templ - referencealt;
+ altsign = 1;
+ }
+
+ if (latval < 0) {
+ northsouth = 'S';
+ latval = -latval;
+ }
+ else
+ northsouth = 'N';
+
+ latsecfrac = latval % 1000;
+ latval = latval / 1000;
+ latsec = latval % 60;
+ latval = latval / 60;
+ latmin = latval % 60;
+ latval = latval / 60;
+ latdeg = latval;
+
+ if (longval < 0) {
+ eastwest = 'W';
+ longval = -longval;
+ }
+ else
+ eastwest = 'E';
+
+ longsecfrac = longval % 1000;
+ longval = longval / 1000;
+ longsec = longval % 60;
+ longval = longval / 60;
+ longmin = longval % 60;
+ longval = longval / 60;
+ longdeg = longval;
+
+ altfrac = altval % 100;
+ altmeters = (altval / 100) * altsign;
+
+ sizestr = savestr(precsize_ntoa(sizeval));
+ hpstr = savestr(precsize_ntoa(hpval));
+ vpstr = savestr(precsize_ntoa(vpval));
+
+ sprintf(cp,
+ "%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %d.%.2dm
+ %sm %sm %sm",
+ latdeg, latmin, latsec, latsecfrac, northsouth,
+ longdeg, longmin, longsec, longsecfrac, eastwest,
+ altmeters, altfrac, sizestr, hpstr, vpstr);
+
+
+
+
+Davis, et al Experimental [Page 17]
+
+RFC 1876 Location Information in the DNS January 1996
+
+
+ free(sizestr);
+ free(hpstr);
+ free(vpstr);
+
+ return (cp);
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Davis, et al Experimental [Page 18]
+
diff --git a/contrib/bind9/doc/rfc/rfc1886.txt b/contrib/bind9/doc/rfc/rfc1886.txt
new file mode 100644
index 0000000..9874fdd
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1886.txt
@@ -0,0 +1,268 @@
+
+
+
+
+
+
+Network Working Group S. Thomson
+Request for Comments: 1886 Bellcore
+Category: Standards Track C. Huitema
+ INRIA
+ December 1995
+
+
+ DNS Extensions to support IP version 6
+
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+
+Abstract
+
+ This document defines the changes that need to be made to the Domain
+ Name System to support hosts running IP version 6 (IPv6). The
+ changes include a new resource record type to store an IPv6 address,
+ a new domain to support lookups based on an IPv6 address, and updated
+ definitions of existing query types that return Internet addresses as
+ part of additional section processing. The extensions are designed
+ to be compatible with existing applications and, in particular, DNS
+ implementations themselves.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thompson & Huitema Standards Track [Page 1]
+
+RFC 1886 IPv6 DNS Extensions December 1995
+
+
+1. INTRODUCTION
+
+ Current support for the storage of Internet addresses in the Domain
+ Name System (DNS)[1,2] cannot easily be extended to support IPv6
+ addresses[3] since applications assume that address queries return
+ 32-bit IPv4 addresses only.
+
+ To support the storage of IPv6 addresses we define the following
+ extensions:
+
+ o A new resource record type is defined to map a domain name to an
+ IPv6 address.
+
+ o A new domain is defined to support lookups based on address.
+
+ o Existing queries that perform additional section processing to
+ locate IPv4 addresses are redefined to perform additional
+ section processing on both IPv4 and IPv6 addresses.
+
+ The changes are designed to be compatible with existing software. The
+ existing support for IPv4 addresses is retained. Transition issues
+ related to the co-existence of both IPv4 and IPv6 addresses in DNS
+ are discussed in [4].
+
+
+2. NEW RESOURCE RECORD DEFINITION AND DOMAIN
+
+ A new record type is defined to store a host's IPv6 address. A host
+ that has more than one IPv6 address must have more than one such
+ record.
+
+
+2.1 AAAA record type
+
+ The AAAA resource record type is a new record specific to the
+ Internet class that stores a single IPv6 address.
+
+ The value of the type is 28 (decimal).
+
+
+2.2 AAAA data format
+
+ A 128 bit IPv6 address is encoded in the data portion of an AAAA
+ resource record in network byte order (high-order byte first).
+
+
+
+
+Thompson & Huitema Standards Track [Page 2]
+
+RFC 1886 IPv6 DNS Extensions December 1995
+
+
+2.3 AAAA query
+
+ An AAAA query for a specified domain name in the Internet class
+ returns all associated AAAA resource records in the answer section of
+ a response.
+
+ A type AAAA query does not perform additional section processing.
+
+
+2.4 Textual format of AAAA records
+
+ The textual representation of the data portion of the AAAA resource
+ record used in a master database file is the textual representation
+ of a IPv6 address as defined in [3].
+
+
+2.5 IP6.INT Domain
+
+ A special domain is defined to look up a record given an address. The
+ intent of this domain is to provide a way of mapping an IPv6 address
+ to a host name, although it may be used for other purposes as well.
+ The domain is rooted at IP6.INT.
+
+ An IPv6 address is represented as a name in the IP6.INT domain by a
+ sequence of nibbles separated by dots with the suffix ".IP6.INT". The
+ sequence of nibbles is encoded in reverse order, i.e. the low-order
+ nibble is encoded first, followed by the next low-order nibble and so
+ on. Each nibble is represented by a hexadecimal digit. For example,
+ the inverse lookup domain name corresponding to the address
+
+ 4321:0:1:2:3:4:567:89ab
+
+ would be
+
+b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.INT.
+
+
+
+3. MODIFICATIONS TO EXISTING QUERY TYPES
+
+ All existing query types that perform type A additional section
+ processing, i.e. name server (NS), mail exchange (MX) and mailbox
+ (MB) query types, must be redefined to perform both type A and type
+ AAAA additional section processing. These new definitions mean that a
+ name server must add any relevant IPv4 addresses and any relevant
+
+
+
+Thompson & Huitema Standards Track [Page 3]
+
+RFC 1886 IPv6 DNS Extensions December 1995
+
+
+ IPv6 addresses available locally to the additional section of a
+ response when processing any one of the above queries.
+
+
+4. SECURITY CONSIDERATIONS
+
+ Security issues are not discussed in this memo.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thompson & Huitema Standards Track [Page 4]
+
+RFC 1886 IPv6 DNS Extensions December 1995
+
+
+5. REFERENCES
+
+
+ [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
+ 13, RFC 1034, USC/Information Sciences Institute, November 1987.
+
+ [2] Mockapetris, P., "Domain Names - Implementation and Specifica-
+ tion", STD 13, RFC 1035, USC/Information Sciences Institute,
+ November 1987.
+
+ [3] Hinden, R., and S. Deering, Editors, "IP Version 6 Addressing
+ Architecture", RFC 1884, Ipsilon Networks, Xerox PARC, December
+ 1995.
+
+
+ [4] Gilligan, R., and E. Nordmark, "Transition Mechanisms for IPv6
+ Hosts and Routers", Work in Progress.
+
+
+Authors' Addresses
+
+ Susan Thomson
+ Bellcore
+ MRE 2P343
+ 445 South Street
+ Morristown, NJ 07960
+ U.S.A.
+
+ Phone: +1 201-829-4514
+ EMail: set@thumper.bellcore.com
+
+
+ Christian Huitema
+ INRIA, Sophia-Antipolis
+ 2004 Route des Lucioles
+ BP 109
+ F-06561 Valbonne Cedex
+ France
+
+ Phone: +33 93 65 77 15
+ EMail: Christian.Huitema@MIRSA.INRIA.FR
+
+
+
+
+
+
+
+Thompson & Huitema Standards Track [Page 5]
+
diff --git a/contrib/bind9/doc/rfc/rfc1982.txt b/contrib/bind9/doc/rfc/rfc1982.txt
new file mode 100644
index 0000000..5a34bc4
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1982.txt
@@ -0,0 +1,394 @@
+
+
+
+
+
+
+Network Working Group R. Elz
+Request for Comments: 1982 University of Melbourne
+Updates: 1034, 1035 R. Bush
+Category: Standards Track RGnet, Inc.
+ August 1996
+
+
+ Serial Number Arithmetic
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This memo defines serial number arithmetic, as used in the Domain
+ Name System. The DNS has long relied upon serial number arithmetic,
+ a concept which has never really been defined, certainly not in an
+ IETF document, though which has been widely understood. This memo
+ supplies the missing definition. It is intended to update RFC1034
+ and RFC1035.
+
+1. Introduction
+
+ The serial number field of the SOA resource record is defined in
+ RFC1035 as
+
+ SERIAL The unsigned 32 bit version number of the original copy of
+ the zone. Zone transfers preserve this value. This value
+ wraps and should be compared using sequence space
+ arithmetic.
+
+ RFC1034 uses the same terminology when defining secondary server zone
+ consistency procedures.
+
+ Unfortunately the term "sequence space arithmetic" is not defined in
+ either RFC1034 or RFC1035, nor do any of their references provide
+ further information.
+
+ This phrase seems to have been intending to specify arithmetic as
+ used in TCP sequence numbers [RFC793], and defined in [IEN-74].
+
+ Unfortunately, the arithmetic defined in [IEN-74] is not adequate for
+ the purposes of the DNS, as no general comparison operator is
+
+
+
+Elz & Bush Standards Track [Page 1]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+ defined.
+
+ To avoid further problems with this simple field, this document
+ defines the field and the operations available upon it. This
+ definition is intended merely to clarify the intent of RFC1034 and
+ RFC1035, and is believed to generally agree with current
+ implementations. However, older, superseded, implementations are
+ known to have treated the serial number as a simple unsigned integer,
+ with no attempt to implement any kind of "sequence space arithmetic",
+ however that may have been interpreted, and further, ignoring the
+ requirement that the value wraps. Nothing can be done with these
+ implementations, beyond extermination.
+
+2. Serial Number Arithmetic
+
+ Serial numbers are formed from non-negative integers from a finite
+ subset of the range of all integer values. The lowest integer in
+ every subset used for this purpose is zero, the maximum is always one
+ less than a power of two.
+
+ When considered as serial numbers however no value has any particular
+ significance, there is no minimum or maximum serial number, every
+ value has a successor and predecessor.
+
+ To define a serial number to be used in this way, the size of the
+ serial number space must be given. This value, called "SERIAL_BITS",
+ gives the power of two which results in one larger than the largest
+ integer corresponding to a serial number value. This also specifies
+ the number of bits required to hold every possible value of a serial
+ number of the defined type. The operations permitted upon serial
+ numbers are defined in the following section.
+
+3. Operations upon the serial number
+
+ Only two operations are defined upon serial numbers, addition of a
+ positive integer of limited range, and comparison with another serial
+ number.
+
+3.1. Addition
+
+ Serial numbers may be incremented by the addition of a positive
+ integer n, where n is taken from the range of integers
+ [0 .. (2^(SERIAL_BITS - 1) - 1)]. For a sequence number s, the
+ result of such an addition, s', is defined as
+
+ s' = (s + n) modulo (2 ^ SERIAL_BITS)
+
+
+
+
+
+Elz & Bush Standards Track [Page 2]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+ where the addition and modulus operations here act upon values that
+ are non-negative values of unbounded size in the usual ways of
+ integer arithmetic.
+
+ Addition of a value outside the range
+ [0 .. (2^(SERIAL_BITS - 1) - 1)] is undefined.
+
+3.2. Comparison
+
+ Any two serial numbers, s1 and s2, may be compared. The definition
+ of the result of this comparison is as follows.
+
+ For the purposes of this definition, consider two integers, i1 and
+ i2, from the unbounded set of non-negative integers, such that i1 and
+ s1 have the same numeric value, as do i2 and s2. Arithmetic and
+ comparisons applied to i1 and i2 use ordinary unbounded integer
+ arithmetic.
+
+ Then, s1 is said to be equal to s2 if and only if i1 is equal to i2,
+ in all other cases, s1 is not equal to s2.
+
+ s1 is said to be less than s2 if, and only if, s1 is not equal to s2,
+ and
+
+ (i1 < i2 and i2 - i1 < 2^(SERIAL_BITS - 1)) or
+ (i1 > i2 and i1 - i2 > 2^(SERIAL_BITS - 1))
+
+ s1 is said to be greater than s2 if, and only if, s1 is not equal to
+ s2, and
+
+ (i1 < i2 and i2 - i1 > 2^(SERIAL_BITS - 1)) or
+ (i1 > i2 and i1 - i2 < 2^(SERIAL_BITS - 1))
+
+ Note that there are some pairs of values s1 and s2 for which s1 is
+ not equal to s2, but for which s1 is neither greater than, nor less
+ than, s2. An attempt to use these ordering operators on such pairs
+ of values produces an undefined result.
+
+ The reason for this is that those pairs of values are such that any
+ simple definition that were to define s1 to be less than s2 where
+ (s1, s2) is such a pair, would also usually cause s2 to be less than
+ s1, when the pair is (s2, s1). This would mean that the particular
+ order selected for a test could cause the result to differ, leading
+ to unpredictable implementations.
+
+ While it would be possible to define the test in such a way that the
+ inequality would not have this surprising property, while being
+ defined for all pairs of values, such a definition would be
+
+
+
+Elz & Bush Standards Track [Page 3]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+ unnecessarily burdensome to implement, and difficult to understand,
+ and would still allow cases where
+
+ s1 < s2 and (s1 + 1) > (s2 + 1)
+
+ which is just as non-intuitive.
+
+ Thus the problem case is left undefined, implementations are free to
+ return either result, or to flag an error, and users must take care
+ not to depend on any particular outcome. Usually this will mean
+ avoiding allowing those particular pairs of numbers to co-exist.
+
+ The relationships greater than or equal to, and less than or equal
+ to, follow in the natural way from the above definitions.
+
+4. Corollaries
+
+ These definitions give rise to some results of note.
+
+4.1. Corollary 1
+
+ For any sequence number s and any integer n such that addition of n
+ to s is well defined, (s + n) >= s. Further (s + n) == s only when
+ n == 0, in all other defined cases, (s + n) > s.
+
+4.2. Corollary 2
+
+ If s' is the result of adding the non-zero integer n to the sequence
+ number s, and m is another integer from the range defined as able to
+ be added to a sequence number, and s" is the result of adding m to
+ s', then it is undefined whether s" is greater than, or less than s,
+ though it is known that s" is not equal to s.
+
+4.3. Corollary 3
+
+ If s" from the previous corollary is further incremented, then there
+ is no longer any known relationship between the result and s.
+
+4.4. Corollary 4
+
+ If in corollary 2 the value (n + m) is such that addition of the sum
+ to sequence number s would produce a defined result, then corollary 1
+ applies, and s" is known to be greater than s.
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 4]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+5. Examples
+
+5.1. A trivial example
+
+ The simplest meaningful serial number space has SERIAL_BITS == 2. In
+ this space, the integers that make up the serial number space are 0,
+ 1, 2, and 3. That is, 3 == 2^SERIAL_BITS - 1.
+
+ In this space, the largest integer that it is meaningful to add to a
+ sequence number is 2^(SERIAL_BITS - 1) - 1, or 1.
+
+ Then, as defined 0+1 == 1, 1+1 == 2, 2+1 == 3, and 3+1 == 0.
+ Further, 1 > 0, 2 > 1, 3 > 2, and 0 > 3. It is undefined whether
+ 2 > 0 or 0 > 2, and whether 1 > 3 or 3 > 1.
+
+5.2. A slightly larger example
+
+ Consider the case where SERIAL_BITS == 8. In this space the integers
+ that make up the serial number space are 0, 1, 2, ... 254, 255.
+ 255 == 2^SERIAL_BITS - 1.
+
+ In this space, the largest integer that it is meaningful to add to a
+ sequence number is 2^(SERIAL_BITS - 1) - 1, or 127.
+
+ Addition is as expected in this space, for example: 255+1 == 0,
+ 100+100 == 200, and 200+100 == 44.
+
+ Comparison is more interesting, 1 > 0, 44 > 0, 100 > 0, 100 > 44,
+ 200 > 100, 255 > 200, 0 > 255, 100 > 255, 0 > 200, and 44 > 200.
+
+ Note that 100+100 > 100, but that (100+100)+100 < 100. Incrementing
+ a serial number can cause it to become "smaller". Of course,
+ incrementing by a smaller number will allow many more increments to
+ be made before this occurs. However this is always something to be
+ aware of, it can cause surprising errors, or be useful as it is the
+ only defined way to actually cause a serial number to decrease.
+
+ The pairs of values 0 and 128, 1 and 129, 2 and 130, etc, to 127 and
+ 255 are not equal, but in each pair, neither number is defined as
+ being greater than, or less than, the other.
+
+ It could be defined (arbitrarily) that 128 > 0, 129 > 1,
+ 130 > 2, ..., 255 > 127, by changing the comparison operator
+ definitions, as mentioned above. However note that that would cause
+ 255 > 127, while (255 + 1) < (127 + 1), as 0 < 128. Such a
+ definition, apart from being arbitrary, would also be more costly to
+ implement.
+
+
+
+
+Elz & Bush Standards Track [Page 5]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+6. Citation
+
+ As this defined arithmetic may be useful for purposes other than for
+ the DNS serial number, it may be referenced as Serial Number
+ Arithmetic from RFC1982. Any such reference shall be taken as
+ implying that the rules of sections 2 to 5 of this document apply to
+ the stated values.
+
+7. The DNS SOA serial number
+
+ The serial number in the DNS SOA Resource Record is a Serial Number
+ as defined above, with SERIAL_BITS being 32. That is, the serial
+ number is a non negative integer with values taken from the range
+ [0 .. 4294967295]. That is, a 32 bit unsigned integer.
+
+ The maximum defined increment is 2147483647 (2^31 - 1).
+
+ Care should be taken that the serial number not be incremented, in
+ one or more steps, by more than this maximum within the period given
+ by the value of SOA.expire. Doing so may leave some secondary
+ servers with out of date copies of the zone, but with a serial number
+ "greater" than that of the primary server. Of course, special
+ circumstances may require this rule be set aside, for example, when
+ the serial number needs to be set lower for some reason. If this
+ must be done, then take special care to verify that ALL servers have
+ correctly succeeded in following the primary server's serial number
+ changes, at each step.
+
+ Note that each, and every, increment to the serial number must be
+ treated as the start of a new sequence of increments for this
+ purpose, as well as being the continuation of all previous sequences
+ started within the period specified by SOA.expire.
+
+ Caution should also be exercised before causing the serial number to
+ be set to the value zero. While this value is not in any way special
+ in serial number arithmetic, or to the DNS SOA serial number, many
+ DNS implementations have incorrectly treated zero as a special case,
+ with special properties, and unusual behaviour may be expected if
+ zero is used as a DNS SOA serial number.
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 6]
+
+RFC 1982 Serial Number Arithmetic August 1996
+
+
+8. Document Updates
+
+ RFC1034 and RFC1035 are to be treated as if the references to
+ "sequence space arithmetic" therein are replaced by references to
+ serial number arithmetic, as defined in this document.
+
+9. Security Considerations
+
+ This document does not consider security.
+
+ It is not believed that anything in this document adds to any
+ security issues that may exist with the DNS, nor does it do anything
+ to lessen them.
+
+References
+
+ [RFC1034] Domain Names - Concepts and Facilities,
+ P. Mockapetris, STD 13, ISI, November 1987.
+
+ [RFC1035] Domain Names - Implementation and Specification
+ P. Mockapetris, STD 13, ISI, November 1987
+
+ [RFC793] Transmission Control protocol
+ Information Sciences Institute, STD 7, USC, September 1981
+
+ [IEN-74] Sequence Number Arithmetic
+ William W. Plummer, BB&N Inc, September 1978
+
+Acknowledgements
+
+ Thanks to Rob Austein for suggesting clarification of the undefined
+ comparison operators, and to Michael Patton for attempting to locate
+ another reference for this procedure. Thanks also to members of the
+ IETF DNSIND working group of 1995-6, in particular, Paul Mockapetris.
+
+Authors' Addresses
+
+ Robert Elz Randy Bush
+ Computer Science RGnet, Inc.
+ University of Melbourne 10361 NE Sasquatch Lane
+ Parkville, Vic, 3052 Bainbridge Island, Washington, 98110
+ Australia. United States.
+
+ EMail: kre@munnari.OZ.AU EMail: randy@psg.com
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 7]
diff --git a/contrib/bind9/doc/rfc/rfc1995.txt b/contrib/bind9/doc/rfc/rfc1995.txt
new file mode 100644
index 0000000..b50bdc6
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1995.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group M. Ohta
+Request for Comments: 1995 Tokyo Institute of Technology
+Updates: 1035 August 1996
+Category: Standards Track
+
+
+ Incremental Zone Transfer in DNS
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This document proposes extensions to the DNS protocols to provide an
+ incremental zone transfer (IXFR) mechanism.
+
+1. Introduction
+
+ For rapid propagation of changes to a DNS database [STD13], it is
+ necessary to reduce latency by actively notifying servers of the
+ change. This is accomplished by the NOTIFY extension of the DNS
+ [NOTIFY].
+
+ The current full zone transfer mechanism (AXFR) is not an efficient
+ means to propagate changes to a small part of a zone, as it transfers
+ the entire zone file.
+
+ Incremental transfer (IXFR) as proposed is a more efficient
+ mechanism, as it transfers only the changed portion(s) of a zone.
+
+ In this document, a secondary name server which requests IXFR is
+ called an IXFR client and a primary or secondary name server which
+ responds to the request is called an IXFR server.
+
+2. Brief Description of the Protocol
+
+ If an IXFR client, which likely has an older version of a zone,
+ thinks it needs new information about the zone (typically through SOA
+ refresh timeout or the NOTIFY mechanism), it sends an IXFR message
+ containing the SOA serial number of its, presumably outdated, copy of
+ the zone.
+
+
+
+
+
+Ohta Standards Track [Page 1]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+ An IXFR server should keep record of the newest version of the zone
+ and the differences between that copy and several older versions.
+ When an IXFR request with an older version number is received, the
+ IXFR server needs to send only the differences required to make that
+ version current. Alternatively, the server may choose to transfer
+ the entire zone just as in a normal full zone transfer.
+
+ When a zone has been updated, it should be saved in stable storage
+ before the new version is used to respond to IXFR (or AXFR) queries.
+ Otherwise, if the server crashes, data which is no longer available
+ may have been distributed to secondary servers, which can cause
+ persistent database inconsistencies.
+
+ If an IXFR query with the same or newer version number than that of
+ the server is received, it is replied to with a single SOA record of
+ the server's current version, just as in AXFR.
+
+ Transport of a query may be by either UDP or TCP. If an IXFR query
+ is via UDP, the IXFR server may attempt to reply using UDP if the
+ entire response can be contained in a single DNS packet. If the UDP
+ reply does not fit, the query is responded to with a single SOA
+ record of the server's current version to inform the client that a
+ TCP query should be initiated.
+
+ Thus, a client should first make an IXFR query using UDP. If the
+ query type is not recognized by the server, an AXFR (preceded by a
+ UDP SOA query) should be tried, ensuring backward compatibility. If
+ the query response is a single packet with the entire new zone, or if
+ the server does not have a newer version than the client, everything
+ is done. Otherwise, a TCP IXFR query should be tried.
+
+ To ensure integrity, servers should use UDP checksums for all UDP
+ responses. A cautious client which receives a UDP packet with a
+ checksum value of zero should ignore the result and try a TCP IXFR
+ instead.
+
+ The query type value of IXFR assigned by IANA is 251.
+
+3. Query Format
+
+ The IXFR query packet format is the same as that of a normal DNS
+ query, but with the query type being IXFR and the authority section
+ containing the SOA record of client's version of the zone.
+
+
+
+
+
+
+
+
+Ohta Standards Track [Page 2]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+4. Response Format
+
+ If incremental zone transfer is not available, the entire zone is
+ returned. The first and the last RR of the response is the SOA
+ record of the zone. I.e. the behavior is the same as an AXFR
+ response except the query type is IXFR.
+
+ If incremental zone transfer is available, one or more difference
+ sequences is returned. The list of difference sequences is preceded
+ and followed by a copy of the server's current version of the SOA.
+
+ Each difference sequence represents one update to the zone (one SOA
+ serial change) consisting of deleted RRs and added RRs. The first RR
+ of the deleted RRs is the older SOA RR and the first RR of the added
+ RRs is the newer SOA RR.
+
+ Modification of an RR is performed first by removing the original RR
+ and then adding the modified one.
+
+ The sequences of differential information are ordered oldest first
+ newest last. Thus, the differential sequences are the history of
+ changes made since the version known by the IXFR client up to the
+ server's current version.
+
+ RRs in the incremental transfer messages may be partial. That is, if
+ a single RR of multiple RRs of the same RR type changes, only the
+ changed RR is transferred.
+
+ An IXFR client, should only replace an older version with a newer
+ version after all the differences have been successfully processed.
+
+ An incremental response is different from that of a non-incremental
+ response in that it begins with two SOA RRs, the server's current SOA
+ followed by the SOA of the client's version which is about to be
+ replaced.
+
+ 5. Purging Strategy
+
+ An IXFR server can not be required to hold all previous versions
+ forever and may delete them anytime. In general, there is a trade-off
+ between the size of storage space and the possibility of using IXFR.
+
+ Information about older versions should be purged if the total length
+ of an IXFR response would be longer than that of an AXFR response.
+ Given that the purpose of IXFR is to reduce AXFR overhead, this
+ strategy is quite reasonable. The strategy assures that the amount
+ of storage required is at most twice that of the current zone
+ information.
+
+
+
+Ohta Standards Track [Page 3]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+ Information older than the SOA expire period may also be purged.
+
+6. Optional Condensation of Multiple Versions
+
+ An IXFR server may optionally condense multiple difference sequences
+ into a single difference sequence, thus, dropping information on
+ intermediate versions.
+
+ This may be beneficial if a lot of versions, not all of which are
+ useful, are generated. For example, if multiple ftp servers share a
+ single DNS name and the IP address associated with the name is
+ changed once a minute to balance load between the ftp servers, it is
+ not so important to keep track of all the history of changes.
+
+ But, this feature may not be so useful if an IXFR client has access
+ to two IXFR servers: A and B, with inconsistent condensation results.
+ The current version of the IXFR client, received from server A, may
+ be unknown to server B. In such a case, server B can not provide
+ incremental data from the unknown version and a full zone transfer is
+ necessary.
+
+ Condensation is completely optional. Clients can't detect from the
+ response whether the server has condensed the reply or not.
+
+ For interoperability, IXFR servers, including those without the
+ condensation feature, should not flag an error even if it receives a
+ client's IXFR request with a unknown version number and should,
+ instead, attempt to perform a full zone transfer.
+
+7. Example
+
+ Given the following three generations of data with the current serial
+ number of 3,
+
+ JAIN.AD.JP. IN SOA NS.JAIN.AD.JP. mohta.jain.ad.jp. (
+ 1 600 600 3600000 604800)
+ IN NS NS.JAIN.AD.JP.
+ NS.JAIN.AD.JP. IN A 133.69.136.1
+ NEZU.JAIN.AD.JP. IN A 133.69.136.5
+
+ NEZU.JAIN.AD.JP. is removed and JAIN-BB.JAIN.AD.JP. is added.
+
+ jain.ad.jp. IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
+ 2 600 600 3600000 604800)
+ IN NS NS.JAIN.AD.JP.
+ NS.JAIN.AD.JP. IN A 133.69.136.1
+ JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4
+ IN A 192.41.197.2
+
+
+
+Ohta Standards Track [Page 4]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+ One of the IP addresses of JAIN-BB.JAIN.AD.JP. is changed.
+
+ JAIN.AD.JP. IN SOA ns.jain.ad.jp. mohta.jain.ad.jp. (
+ 3 600 600 3600000 604800)
+ IN NS NS.JAIN.AD.JP.
+ NS.JAIN.AD.JP. IN A 133.69.136.1
+ JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3
+ IN A 192.41.197.2
+
+ The following IXFR query
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY |
+ +---------------------------------------------------+
+ Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
+ +---------------------------------------------------+
+ Answer | <empty> |
+ +---------------------------------------------------+
+ Authority | JAIN.AD.JP. IN SOA serial=1 |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+ could be replied to with the following full zone transfer message:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
+ +---------------------------------------------------+
+ Answer | JAIN.AD.JP. IN SOA serial=3 |
+ | JAIN.AD.JP. IN NS NS.JAIN.AD.JP. |
+ | NS.JAIN.AD.JP. IN A 133.69.136.1 |
+ | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
+ | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
+ | JAIN.AD.JP. IN SOA serial=3 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+
+
+
+
+
+
+
+
+
+Ohta Standards Track [Page 5]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+ or with the following incremental message:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
+ +---------------------------------------------------+
+ Answer | JAIN.AD.JP. IN SOA serial=3 |
+ | JAIN.AD.JP. IN SOA serial=1 |
+ | NEZU.JAIN.AD.JP. IN A 133.69.136.5 |
+ | JAIN.AD.JP. IN SOA serial=2 |
+ | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4 |
+ | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
+ | JAIN.AD.JP. IN SOA serial=2 |
+ | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.4 |
+ | JAIN.AD.JP. IN SOA serial=3 |
+ | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
+ | JAIN.AD.JP. IN SOA serial=3 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+ or with the following condensed incremental message:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
+ +---------------------------------------------------+
+ Answer | JAIN.AD.JP. IN SOA serial=3 |
+ | JAIN.AD.JP. IN SOA serial=1 |
+ | NEZU.JAIN.AD.JP. IN A 133.69.136.5 |
+ | JAIN.AD.JP. IN SOA serial=3 |
+ | JAIN-BB.JAIN.AD.JP. IN A 133.69.136.3 |
+ | JAIN-BB.JAIN.AD.JP. IN A 192.41.197.2 |
+ | JAIN.AD.JP. IN SOA serial=3 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+
+
+
+
+
+
+
+Ohta Standards Track [Page 6]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+ or, if UDP packet overflow occurs, with the following message:
+
+ +---------------------------------------------------+
+ Header | OPCODE=SQUERY, RESPONSE |
+ +---------------------------------------------------+
+ Question | QNAME=JAIN.AD.JP., QCLASS=IN, QTYPE=IXFR |
+ +---------------------------------------------------+
+ Answer | JAIN.AD.JP. IN SOA serial=3 |
+ +---------------------------------------------------+
+ Authority | <empty> |
+ +---------------------------------------------------+
+ Additional | <empty> |
+ +---------------------------------------------------+
+
+8. Acknowledgements
+
+ The original idea of IXFR was conceived by Anant Kumar, Steve Hotz
+ and Jon Postel.
+
+ For the refinement of the protocol and documentation, many people
+ have contributed including, but not limited to, Anant Kumar, Robert
+ Austein, Paul Vixie, Randy Bush, Mark Andrews, Robert Elz and the
+ members of the IETF DNSIND working group.
+
+9. References
+
+ [NOTIFY] Vixie, P., "DNS NOTIFY: A Mechanism for Prompt
+ Notification of Zone Changes", RFC 1996, August 1996.
+
+ [STD13] Mockapetris, P., "Domain Name System", STD 13, RFC 1034 and
+ RFC 1035), November 1987.
+
+10. Security Considerations
+
+ Though DNS is related to several security problems, no attempt is
+ made to fix them in this document.
+
+ This document is believed to introduce no additional security
+ problems to the current DNS protocol.
+
+
+
+
+
+
+
+
+
+
+
+
+Ohta Standards Track [Page 7]
+
+RFC 1995 Incremental Zone Transfer in DNS August 1996
+
+
+11. Author's Address
+
+ Masataka Ohta
+ Computer Center
+ Tokyo Institute of Technology
+ 2-12-1, O-okayama, Meguro-ku, Tokyo 152, JAPAN
+
+ Phone: +81-3-5734-3299
+ Fax: +81-3-5734-3415
+ EMail: mohta@necom830.hpcl.titech.ac.jp
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Ohta Standards Track [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc1996.txt b/contrib/bind9/doc/rfc/rfc1996.txt
new file mode 100644
index 0000000..b08f200
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc1996.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group P. Vixie
+Request for Comments: 1996 ISC
+Updates: 1035 August 1996
+Category: Standards Track
+
+
+ A Mechanism for Prompt Notification of Zone Changes (DNS NOTIFY)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ This memo describes the NOTIFY opcode for DNS, by which a master
+ server advises a set of slave servers that the master's data has been
+ changed and that a query should be initiated to discover the new
+ data.
+
+1. Rationale and Scope
+
+ 1.1. Slow propagation of new and changed data in a DNS zone can be
+ due to a zone's relatively long refresh times. Longer refresh times
+ are beneficial in that they reduce load on the master servers, but
+ that benefit comes at the cost of long intervals of incoherence among
+ authority servers whenever the zone is updated.
+
+ 1.2. The DNS NOTIFY transaction allows master servers to inform slave
+ servers when the zone has changed -- an interrupt as opposed to poll
+ model -- which it is hoped will reduce propagation delay while not
+ unduly increasing the masters' load. This specification only allows
+ slaves to be notified of SOA RR changes, but the architechture of
+ NOTIFY is intended to be extensible to other RR types.
+
+ 1.3. This document intentionally gives more definition to the roles
+ of "Master," "Slave" and "Stealth" servers, their enumeration in NS
+ RRs, and the SOA MNAME field. In that sense, this document can be
+ considered an addendum to [RFC1035].
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 1]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+2. Definitions and Invariants
+
+ 2.1. The following definitions are used in this document:
+
+ Slave an authoritative server which uses zone transfer to
+ retrieve the zone. All slave servers are named in
+ the NS RRs for the zone.
+
+ Master any authoritative server configured to be the source
+ of zone transfer for one or more slave servers.
+
+ Primary Master master server at the root of the zone transfer
+ dependency graph. The primary master is named in the
+ zone's SOA MNAME field and optionally by an NS RR.
+ There is by definition only one primary master server
+ per zone.
+
+ Stealth like a slave server except not listed in an NS RR for
+ the zone. A stealth server, unless explicitly
+ configured to do otherwise, will set the AA bit in
+ responses and be capable of acting as a master. A
+ stealth server will only be known by other servers if
+ they are given static configuration data indicating
+ its existence.
+
+ Notify Set set of servers to be notified of changes to some
+ zone. Default is all servers named in the NS RRset,
+ except for any server also named in the SOA MNAME.
+ Some implementations will permit the name server
+ administrator to override this set or add elements to
+ it (such as, for example, stealth servers).
+
+ 2.2. The zone's servers must be organized into a dependency graph
+ such that there is a primary master, and all other servers must use
+ AXFR or IXFR either from the primary master or from some slave which
+ is also a master. No loops are permitted in the AXFR dependency
+ graph.
+
+3. NOTIFY Message
+
+ 3.1. When a master has updated one or more RRs in which slave servers
+ may be interested, the master may send the changed RR's name, class,
+ type, and optionally, new RDATA(s), to each known slave server using
+ a best efforts protocol based on the NOTIFY opcode.
+
+ 3.2. NOTIFY uses the DNS Message Format, although it uses only a
+ subset of the available fields. Fields not otherwise described
+ herein are to be filled with binary zero (0), and implementations
+
+
+
+Vixie Standards Track [Page 2]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+ must ignore all messages for which this is not the case.
+
+ 3.3. NOTIFY is similar to QUERY in that it has a request message with
+ the header QR flag "clear" and a response message with QR "set". The
+ response message contains no useful information, but its reception by
+ the master is an indication that the slave has received the NOTIFY
+ and that the master can remove the slave from any retry queue for
+ this NOTIFY event.
+
+ 3.4. The transport protocol used for a NOTIFY transaction will be UDP
+ unless the master has reason to believe that TCP is necessary; for
+ example, if a firewall has been installed between master and slave,
+ and only TCP has been allowed; or, if the changed RR is too large to
+ fit in a UDP/DNS datagram.
+
+ 3.5. If TCP is used, both master and slave must continue to offer
+ name service during the transaction, even when the TCP transaction is
+ not making progress. The NOTIFY request is sent once, and a
+ "timeout" is said to have occurred if no NOTIFY response is received
+ within a reasonable interval.
+
+ 3.6. If UDP is used, a master periodically sends a NOTIFY request to
+ a slave until either too many copies have been sent (a "timeout"), an
+ ICMP message indicating that the port is unreachable, or until a
+ NOTIFY response is received from the slave with a matching query ID,
+ QNAME, IP source address, and UDP source port number.
+
+ Note:
+ The interval between transmissions, and the total number of
+ retransmissions, should be operational parameters specifiable by
+ the name server administrator, perhaps on a per-zone basis.
+ Reasonable defaults are a 60 second interval (or timeout if
+ using TCP), and a maximum of 5 retransmissions (for UDP). It is
+ considered reasonable to use additive or exponential backoff for
+ the retry interval.
+
+ 3.7. A NOTIFY request has QDCOUNT>0, ANCOUNT>=0, AUCOUNT>=0,
+ ADCOUNT>=0. If ANCOUNT>0, then the answer section represents an
+ unsecure hint at the new RRset for this <QNAME,QCLASS,QTYPE>. A
+ slave receiving such a hint is free to treat equivilence of this
+ answer section with its local data as a "no further work needs to be
+ done" indication. If ANCOUNT=0, or ANCOUNT>0 and the answer section
+ differs from the slave's local data, then the slave should query its
+ known masters to retrieve the new data.
+
+ 3.8. In no case shall the answer section of a NOTIFY request be used
+ to update a slave's local data, or to indicate that a zone transfer
+ needs to be undertaken, or to change the slave's zone refresh timers.
+
+
+
+Vixie Standards Track [Page 3]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+ Only a "data present; data same" condition can lead a slave to act
+ differently if ANCOUNT>0 than it would if ANCOUNT=0.
+
+ 3.9. This version of the NOTIFY specification makes no use of the
+ authority or additional data sections, and so conforming
+ implementations should set AUCOUNT=0 and ADCOUNT=0 when transmitting
+ requests. Since a future revision of this specification may define a
+ backwards compatible use for either or both of these sections,
+ current implementations must ignore these sections, but not the
+ entire message, if AUCOUNT>0 and/or ADCOUNT>0.
+
+ 3.10. If a slave receives a NOTIFY request from a host that is not a
+ known master for the zone containing the QNAME, it should ignore the
+ request and produce an error message in its operations log.
+
+ Note:
+ This implies that slaves of a multihomed master must either know
+ their master by the "closest" of the master's interface
+ addresses, or must know all of the master's interface addresses.
+ Otherwise, a valid NOTIFY request might come from an address
+ that is not on the slave's state list of masters for the zone,
+ which would be an error.
+
+ 3.11. The only defined NOTIFY event at this time is that the SOA RR
+ has changed. Upon completion of a NOTIFY transaction for QTYPE=SOA,
+ the slave should behave as though the zone given in the QNAME had
+ reached its REFRESH interval (see [RFC1035]), i.e., it should query
+ its masters for the SOA of the zone given in the NOTIFY QNAME, and
+ check the answer to see if the SOA SERIAL has been incremented since
+ the last time the zone was fetched. If so, a zone transfer (either
+ AXFR or IXFR) should be initiated.
+
+ Note:
+ Because a deep server dependency graph may have multiple paths
+ from the primary master to any given slave, it is possible that
+ a slave will receive a NOTIFY from one of its known masters even
+ though the rest of its known masters have not yet updated their
+ copies of the zone. Therefore, when issuing a QUERY for the
+ zone's SOA, the query should be directed at the known master who
+ was the source of the NOTIFY event, and not at any of the other
+ known masters. This represents a departure from [RFC1035],
+ which specifies that upon expiry of the SOA REFRESH interval,
+ all known masters should be queried in turn.
+
+ 3.12. If a NOTIFY request is received by a slave who does not
+ implement the NOTIFY opcode, it will respond with a NOTIMP
+ (unimplemented feature error) message. A master server who receives
+ such a NOTIMP should consider the NOTIFY transaction complete for
+
+
+
+Vixie Standards Track [Page 4]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+ that slave.
+
+4. Details and Examples
+
+ 4.1. Retaining query state information across host reboots is
+ optional, but it is reasonable to simply execute an SOA NOTIFY
+ transaction on each authority zone when a server first starts.
+
+ 4.2. Each slave is likely to receive several copies of the same
+ NOTIFY request: One from the primary master, and one from each other
+ slave as that slave transfers the new zone and notifies its potential
+ peers. The NOTIFY protocol supports this multiplicity by requiring
+ that NOTIFY be sent by a slave/master only AFTER it has updated the
+ SOA RR or has determined that no update is necessary, which in
+ practice means after a successful zone transfer. Thus, barring
+ delivery reordering, the last NOTIFY any slave receives will be the
+ one indicating the latest change. Since a slave always requests SOAs
+ and AXFR/IXFRs only from its known masters, it will have an
+ opportunity to retry its QUERY for the SOA after each of its masters
+ have completed each zone update.
+
+ 4.3. If a master server seeks to avoid causing a large number of
+ simultaneous outbound zone transfers, it may delay for an arbitrary
+ length of time before sending a NOTIFY message to any given slave.
+ It is expected that the time will be chosen at random, so that each
+ slave will begin its transfer at a unique time. The delay shall not
+ in any case be longer than the SOA REFRESH time.
+
+ Note:
+ This delay should be a parameter that each primary master name
+ server can specify, perhaps on a per-zone basis. Random delays
+ of between 30 and 60 seconds would seem adequate if the servers
+ share a LAN and the zones are of moderate size.
+
+ 4.4. A slave which receives a valid NOTIFY should defer action on any
+ subsequent NOTIFY with the same <QNAME,QCLASS,QTYPE> until it has
+ completed the transaction begun by the first NOTIFY. This duplicate
+ rejection is necessary to avoid having multiple notifications lead to
+ pummeling the master server.
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 5]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+ 4.5 Zone has Updated on Primary Master
+
+ Primary master sends a NOTIFY request to all servers named in Notify
+ Set. The NOTIFY request has the following characteristics:
+
+ query ID: (new)
+ op: NOTIFY (4)
+ resp: NOERROR
+ flags: AA
+ qcount: 1
+ qname: (zone name)
+ qclass: (zone class)
+ qtype: T_SOA
+
+ 4.6 Zone has Updated on a Slave that is also a Master
+
+ As above in 4.5, except that this server's Notify Set may be
+ different from the Primary Master's due to optional static
+ specification of local stealth servers.
+
+ 4.7 Slave Receives a NOTIFY Request from a Master
+
+ When a slave server receives a NOTIFY request from one of its locally
+ designated masters for the zone enclosing the given QNAME, with
+ QTYPE=SOA and QR=0, it should enter the state it would if the zone's
+ refresh timer had expired. It will also send a NOTIFY response back
+ to the NOTIFY request's source, with the following characteristics:
+
+ query ID: (same)
+ op: NOTIFY (4)
+ resp: NOERROR
+ flags: QR AA
+ qcount: 1
+ qname: (zone name)
+ qclass: (zone class)
+ qtype: T_SOA
+
+ This is intended to be identical to the NOTIFY request, except that
+ the QR bit is also set. The query ID of the response must be the
+ same as was received in the request.
+
+ 4.8 Master Receives a NOTIFY Response from Slave
+
+ When a master server receives a NOTIFY response, it deletes this
+ query from the retry queue, thus completing the "notification
+ process" of "this" RRset change to "that" server.
+
+
+
+
+
+Vixie Standards Track [Page 6]
+
+RFC 1996 DNS NOTIFY August 1996
+
+
+5. Security Considerations
+
+ We believe that the NOTIFY operation's only security considerations
+ are:
+
+ 1. That a NOTIFY request with a forged IP/UDP source address can
+ cause a slave to send spurious SOA queries to its masters,
+ leading to a benign denial of service attack if the forged
+ requests are sent very often.
+
+ 2. That TCP spoofing could be used against a slave server given
+ NOTIFY as a means of synchronizing an SOA query and UDP/DNS
+ spoofing as a means of forcing a zone transfer.
+
+6. References
+
+ [RFC1035]
+ Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [IXFR]
+ Ohta, M., "Incremental Zone Transfer", RFC 1995, August 1996.
+
+7. Author's Address
+
+ Paul Vixie
+ Internet Software Consortium
+ Star Route Box 159A
+ Woodside, CA 94062
+
+ Phone: +1 415 747 0204
+ EMail: paul@vix.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2052.txt b/contrib/bind9/doc/rfc/rfc2052.txt
new file mode 100644
index 0000000..46ba362
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2052.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group A. Gulbrandsen
+Request for Comments: 2052 Troll Technologies
+Updates: 1035, 1183 P. Vixie
+Category: Experimental Vixie Enterprises
+ October 1996
+
+
+ A DNS RR for specifying the location of services (DNS SRV)
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. This memo does not specify an Internet standard of any
+ kind. Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+Abstract
+
+ This document describes a DNS RR which specifies the location of the
+ server(s) for a specific protocol and domain (like a more general
+ form of MX).
+
+Overview and rationale
+
+ Currently, one must either know the exact address of a server to
+ contact it, or broadcast a question. This has led to, for example,
+ ftp.whatever.com aliases, the SMTP-specific MX RR, and using MAC-
+ level broadcasts to locate servers.
+
+ The SRV RR allows administrators to use several servers for a single
+ domain, to move services from host to host with little fuss, and to
+ designate some hosts as primary servers for a service and others as
+ backups.
+
+ Clients ask for a specific service/protocol for a specific domain
+ (the word domain is used here in the strict RFC 1034 sense), and get
+ back the names of any available servers.
+
+Introductory example
+
+ When a SRV-cognizant web-browser wants to retrieve
+
+ http://www.asdf.com/
+
+ it does a lookup of
+
+ http.tcp.www.asdf.com
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 1]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ and retrieves the document from one of the servers in the reply. The
+ example zone file near the end of the memo contains answering RRs for
+ this query.
+
+The format of the SRV RR
+
+ Here is the format of the SRV RR, whose DNS type code is 33:
+
+ Service.Proto.Name TTL Class SRV Priority Weight Port Target
+
+ (There is an example near the end of this document.)
+
+ Service
+ The symbolic name of the desired service, as defined in Assigned
+ Numbers or locally.
+
+ Some widely used services, notably POP, don't have a single
+ universal name. If Assigned Numbers names the service
+ indicated, that name is the only name which is legal for SRV
+ lookups. Only locally defined services may be named locally.
+ The Service is case insensitive.
+
+ Proto
+ TCP and UDP are at present the most useful values
+ for this field, though any name defined by Assigned Numbers or
+ locally may be used (as for Service). The Proto is case
+ insensitive.
+
+ Name
+ The domain this RR refers to. The SRV RR is unique in that the
+ name one searches for is not this name; the example near the end
+ shows this clearly.
+
+ TTL
+ Standard DNS meaning.
+
+ Class
+ Standard DNS meaning.
+
+ Priority
+ As for MX, the priority of this target host. A client MUST
+ attempt to contact the target host with the lowest-numbered
+ priority it can reach; target hosts with the same priority
+ SHOULD be tried in pseudorandom order. The range is 0-65535.
+
+
+
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 2]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ Weight
+ Load balancing mechanism. When selecting a target host among
+ the those that have the same priority, the chance of trying this
+ one first SHOULD be proportional to its weight. The range of
+ this number is 1-65535. Domain administrators are urged to use
+ Weight 0 when there isn't any load balancing to do, to make the
+ RR easier to read for humans (less noisy).
+
+ Port
+ The port on this target host of this service. The range is
+ 0-65535. This is often as specified in Assigned Numbers but
+ need not be.
+
+ Target
+ As for MX, the domain name of the target host. There MUST be
+ one or more A records for this name. Implementors are urged, but
+ not required, to return the A record(s) in the Additional Data
+ section. Name compression is to be used for this field.
+
+ A Target of "." means that the service is decidedly not
+ available at this domain.
+
+Domain administrator advice
+
+ Asking everyone to update their telnet (for example) clients when the
+ first internet site adds a SRV RR for Telnet/TCP is futile (even if
+ desirable). Therefore SRV will have to coexist with A record lookups
+ for a long time, and DNS administrators should try to provide A
+ records to support old clients:
+
+ - Where the services for a single domain are spread over several
+ hosts, it seems advisable to have a list of A RRs at the same
+ DNS node as the SRV RR, listing reasonable (if perhaps
+ suboptimal) fallback hosts for Telnet, NNTP and other protocols
+ likely to be used with this name. Note that some programs only
+ try the first address they get back from e.g. gethostbyname(),
+ and we don't know how widespread this behaviour is.
+
+ - Where one service is provided by several hosts, one can either
+ provide A records for all the hosts (in which case the round-
+ robin mechanism, where available, will share the load equally)
+ or just for one (presumably the fastest).
+
+ - If a host is intended to provide a service only when the main
+ server(s) is/are down, it probably shouldn't be listed in A
+ records.
+
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 3]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ - Hosts that are referenced by backup A records must use the port
+ number specified in Assigned Numbers for the service.
+
+ Currently there's a practical limit of 512 bytes for DNS replies.
+ Until all resolvers can handle larger responses, domain
+ administrators are strongly advised to keep their SRV replies below
+ 512 bytes.
+
+ All round numbers, wrote Dr. Johnson, are false, and these numbers
+ are very round: A reply packet has a 30-byte overhead plus the name
+ of the service ("telnet.tcp.asdf.com" for instance); each SRV RR adds
+ 20 bytes plus the name of the target host; each NS RR in the NS
+ section is 15 bytes plus the name of the name server host; and
+ finally each A RR in the additional data section is 20 bytes or so,
+ and there are A's for each SRV and NS RR mentioned in the answer.
+ This size estimate is extremely crude, but shouldn't underestimate
+ the actual answer size by much. If an answer may be close to the
+ limit, using e.g. "dig" to look at the actual answer is a good idea.
+
+The "Weight" field
+
+ Weight, the load balancing field, is not quite satisfactory, but the
+ actual load on typical servers changes much too quickly to be kept
+ around in DNS caches. It seems to the authors that offering
+ administrators a way to say "this machine is three times as fast as
+ that one" is the best that can practically be done.
+
+ The only way the authors can see of getting a "better" load figure is
+ asking a separate server when the client selects a server and
+ contacts it. For short-lived services like SMTP an extra step in the
+ connection establishment seems too expensive, and for long-lived
+ services like telnet, the load figure may well be thrown off a minute
+ after the connection is established when someone else starts or
+ finishes a heavy job.
+
+The Port number
+
+ Currently, the translation from service name to port number happens
+ at the client, often using a file such as /etc/services.
+
+ Moving this information to the DNS makes it less necessary to update
+ these files on every single computer of the net every time a new
+ service is added, and makes it possible to move standard services out
+ of the "root-only" port range on unix
+
+
+
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 4]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+Usage rules
+
+ A SRV-cognizant client SHOULD use this procedure to locate a list of
+ servers and connect to the preferred one:
+
+ Do a lookup for QNAME=service.protocol.target, QCLASS=IN,
+ QTYPE=SRV.
+
+ If the reply is NOERROR, ANCOUNT>0 and there is at least one SRV
+ RR which specifies the requested Service and Protocol in the
+ reply:
+
+ If there is precisely one SRV RR, and its Target is "."
+ (the root domain), abort.
+
+ Else, for all such RR's, build a list of (Priority, Weight,
+ Target) tuples
+
+ Sort the list by priority (lowest number first)
+
+ Create a new empty list
+
+ For each distinct priority level
+ While there are still elements left at this priority
+ level
+ Select an element randomly, with probability
+ Weight, and move it to the tail of the new list
+
+ For each element in the new list
+
+ query the DNS for A RR's for the Target or use any
+ RR's found in the Additional Data secion of the
+ earlier SRV query.
+
+ for each A RR found, try to connect to the (protocol,
+ address, service).
+
+ else if the service desired is SMTP
+
+ skip to RFC 974 (MX).
+
+ else
+
+ Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A
+
+ for each A RR found, try to connect to the (protocol,
+ address, service)
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 5]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ Notes:
+
+ - Port numbers SHOULD NOT be used in place of the symbolic service
+ or protocol names (for the same reason why variant names cannot
+ be allowed: Applications would have to do two or more lookups).
+
+ - If a truncated response comes back from an SRV query, and the
+ Additional Data section has at least one complete RR in it, the
+ answer MUST be considered complete and the client resolver
+ SHOULD NOT retry the query using TCP, but use normal UDP queries
+ for A RR's missing from the Additional Data section.
+
+ - A client MAY use means other than Weight to choose among target
+ hosts with equal Priority.
+
+ - A client MUST parse all of the RR's in the reply.
+
+ - If the Additional Data section doesn't contain A RR's for all
+ the SRV RR's and the client may want to connect to the target
+ host(s) involved, the client MUST look up the A RR(s). (This
+ happens quite often when the A RR has shorter TTL than the SRV
+ or NS RR's.)
+
+ - A future standard could specify that a SRV RR whose Protocol was
+ TCP and whose Service was SMTP would override RFC 974's rules
+ with regard to the use of an MX RR. This would allow firewalled
+ organizations with several SMTP relays to control the load
+ distribution using the Weight field.
+
+ - Future protocols could be designed to use SRV RR lookups as the
+ means by which clients locate their servers.
+
+Fictional example
+
+ This is (part of) the zone file for asdf.com, a still-unused domain:
+
+ $ORIGIN asdf.com.
+ @ SOA server.asdf.com. root.asdf.com. (
+ 1995032001 3600 3600 604800 86400 )
+ NS server.asdf.com.
+ NS ns1.ip-provider.net.
+ NS ns2.ip-provider.net.
+ ftp.tcp SRV 0 0 21 server.asdf.com.
+ finger.tcp SRV 0 0 79 server.asdf.com.
+ ; telnet - use old-slow-box or new-fast-box if either is
+ ; available, make three quarters of the logins go to
+ ; new-fast-box.
+ telnet.tcp SRV 0 1 23 old-slow-box.asdf.com.
+
+
+
+Gulbrandsen & Vixie Experimental [Page 6]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ SRV 0 3 23 new-fast-box.asdf.com.
+ ; if neither old-slow-box or new-fast-box is up, switch to
+ ; using the sysdmin's box and the server
+ SRV 1 0 23 sysadmins-box.asdf.com.
+ SRV 1 0 23 server.asdf.com.
+ ; HTTP - server is the main server, new-fast-box is the backup
+ ; (On new-fast-box, the HTTP daemon runs on port 8000)
+ http.tcp SRV 0 0 80 server.asdf.com.
+ SRV 10 0 8000 new-fast-box.asdf.com.
+ ; since we want to support both http://asdf.com/ and
+ ; http://www.asdf.com/ we need the next two RRs as well
+ http.tcp.www SRV 0 0 80 server.asdf.com.
+ SRV 10 0 8000 new-fast-box.asdf.com.
+ ; SMTP - mail goes to the server, and to the IP provider if
+ ; the net is down
+ smtp.tcp SRV 0 0 25 server.asdf.com.
+ SRV 1 0 25 mailhost.ip-provider.net.
+ @ MX 0 server.asdf.com.
+ MX 1 mailhost.ip-provider.net.
+ ; NNTP - use the IP providers's NNTP server
+ nntp.tcp SRV 0 0 119 nntphost.ip-provider.net.
+ ; IDB is an locally defined protocol
+ idb.tcp SRV 0 0 2025 new-fast-box.asdf.com.
+ ; addresses
+ server A 172.30.79.10
+ old-slow-box A 172.30.79.11
+ sysadmins-box A 172.30.79.12
+ new-fast-box A 172.30.79.13
+ ; backup A records - new-fast-box and old-slow-box are
+ ; included, naturally, and server is too, but might go
+ ; if the load got too bad
+ @ A 172.30.79.10
+ A 172.30.79.11
+ A 172.30.79.13
+ ; backup A RR for www.asdf.com
+ www A 172.30.79.10
+ ; NO other services are supported
+ *.tcp SRV 0 0 0 .
+ *.udp SRV 0 0 0 .
+
+ In this example, a telnet connection to "asdf.com." needs an SRV
+ lookup of "telnet.tcp.asdf.com." and possibly A lookups of "new-
+ fast-box.asdf.com." and/or the other hosts named. The size of the
+ SRV reply is approximately 365 bytes:
+
+ 30 bytes general overhead
+ 20 bytes for the query string, "telnet.tcp.asdf.com."
+ 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new-
+
+
+
+Gulbrandsen & Vixie Experimental [Page 7]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ fast-box", "old-slow-box", "server" and "sysadmins-box" -
+ "asdf.com" in the query section is quoted here and doesn't
+ need to be counted again.
+ 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of
+ "server", "ns1.ip-provider.net." and "ns2" - again, "ip-
+ provider.net." is quoted and only needs to be counted once.
+ 120 bytes for the 6 A RR's mentioned by the SRV and NS RR's.
+
+Refererences
+
+ RFC 1918: Rekhter, Y., Moskowitz, R., Karrenberg, D., de Groot, G.,
+ and E. Lear, "Address Allocation for Private Internets",
+ RFC 1918, February 1996.
+
+ RFC 1916 Berkowitz, H., Ferguson, P, Leland, W. and P. Nesser,
+ "Enterprise Renumbering: Experience and Information
+ Solicitation", RFC 1916, February 1996.
+
+ RFC 1912 Barr, D., "Common DNS Operational and Configuration
+ Errors", RFC 1912, February 1996.
+
+ RFC 1900: Carpenter, B., and Y. Rekhter, "Renumbering Needs Work",
+ RFC 1900, February 1996.
+
+ RFC 1920: Postel, J., "INTERNET OFFICIAL PROTOCOL STANDARDS",
+ STD 1, RFC 1920, March 1996.
+
+ RFC 1814: Gerich, E., "Unique Addresses are Good", RFC 1814, June
+ 1995.
+
+ RFC 1794: Brisco, T., "DNS Support for Load Balancing", April 1995.
+
+ RFC 1713: Romao, A., "Tools for DNS debugging", November 1994.
+
+ RFC 1712: Farrell, C., Schulze, M., Pleitner, S., and D. Baldoni,
+ "DNS Encoding of Geographical Location", RFC 1712, November
+ 1994.
+
+ RFC 1706: Manning, B. and R. Colella, "DNS NSAP Resource Records",
+ RFC 1706, October 1994.
+
+ RFC 1700: Reynolds, J., and J. Postel, "ASSIGNED NUMBERS",
+ STD 2, RFC 1700, October 1994.
+
+ RFC 1183: Ullmann, R., Mockapetris, P., Mamakos, L., and
+ C. Everhart, "New DNS RR Definitions", RFC 1183, November
+ 1990.
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 8]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+ RFC 1101: Mockapetris, P., "DNS encoding of network names and other
+ types", RFC 1101, April 1989.
+
+ RFC 1035: Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ RFC 1034: Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ RFC 1033: Lottor, M., "Domain administrators operations guide",
+ RFC 1033, November 1987.
+
+ RFC 1032: Stahl, M., "Domain administrators guide", RFC 1032,
+ November 1987.
+
+ RFC 974: Partridge, C., "Mail routing and the domain system",
+ STD 14, RFC 974, January 1986.
+
+Security Considerations
+
+ The authors believes this RR to not cause any new security problems.
+ Some problems become more visible, though.
+
+ - The ability to specify ports on a fine-grained basis obviously
+ changes how a router can filter packets. It becomes impossible
+ to block internal clients from accessing specific external
+ services, slightly harder to block internal users from running
+ unautorised services, and more important for the router
+ operations and DNS operations personnel to cooperate.
+
+ - There is no way a site can keep its hosts from being referenced
+ as servers (as, indeed, some sites become unwilling secondary
+ MXes today). This could lead to denial of service.
+
+ - With SRV, DNS spoofers can supply false port numbers, as well as
+ host names and addresses. The authors do not see any practical
+ effect of this.
+
+ We assume that as the DNS-security people invent new features, DNS
+ servers will return the relevant RRs in the Additional Data section
+ when answering an SRV query.
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 9]
+
+RFC 2052 DNS SRV RR October 1996
+
+
+Authors' Addresses
+
+ Arnt Gulbrandsen
+ Troll Tech
+ Postboks 6133 Etterstad
+ N-0602 Oslo
+ Norway
+
+ Phone: +47 22646966
+ EMail: agulbra@troll.no
+
+
+ Paul Vixie
+ Vixie Enterprises
+ Star Route 159A
+ Woodside, CA 94062
+
+ Phone: (415) 747-0204
+ EMail: paul@vix.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen & Vixie Experimental [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc2104.txt b/contrib/bind9/doc/rfc/rfc2104.txt
new file mode 100644
index 0000000..a205103
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2104.txt
@@ -0,0 +1,620 @@
+
+
+
+
+
+
+Network Working Group H. Krawczyk
+Request for Comments: 2104 IBM
+Category: Informational M. Bellare
+ UCSD
+ R. Canetti
+ IBM
+ February 1997
+
+
+ HMAC: Keyed-Hashing for Message Authentication
+
+Status of This Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ This document describes HMAC, a mechanism for message authentication
+ using cryptographic hash functions. HMAC can be used with any
+ iterative cryptographic hash function, e.g., MD5, SHA-1, in
+ combination with a secret shared key. The cryptographic strength of
+ HMAC depends on the properties of the underlying hash function.
+
+1. Introduction
+
+ Providing a way to check the integrity of information transmitted
+ over or stored in an unreliable medium is a prime necessity in the
+ world of open computing and communications. Mechanisms that provide
+ such integrity check based on a secret key are usually called
+ "message authentication codes" (MAC). Typically, message
+ authentication codes are used between two parties that share a secret
+ key in order to validate information transmitted between these
+ parties. In this document we present such a MAC mechanism based on
+ cryptographic hash functions. This mechanism, called HMAC, is based
+ on work by the authors [BCK1] where the construction is presented and
+ cryptographically analyzed. We refer to that work for the details on
+ the rationale and security analysis of HMAC, and its comparison to
+ other keyed-hash methods.
+
+
+
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 1]
+
+RFC 2104 HMAC February 1997
+
+
+ HMAC can be used in combination with any iterated cryptographic hash
+ function. MD5 and SHA-1 are examples of such hash functions. HMAC
+ also uses a secret key for calculation and verification of the
+ message authentication values. The main goals behind this
+ construction are
+
+ * To use, without modifications, available hash functions.
+ In particular, hash functions that perform well in software,
+ and for which code is freely and widely available.
+
+ * To preserve the original performance of the hash function without
+ incurring a significant degradation.
+
+ * To use and handle keys in a simple way.
+
+ * To have a well understood cryptographic analysis of the strength of
+ the authentication mechanism based on reasonable assumptions on the
+ underlying hash function.
+
+ * To allow for easy replaceability of the underlying hash function in
+ case that faster or more secure hash functions are found or
+ required.
+
+ This document specifies HMAC using a generic cryptographic hash
+ function (denoted by H). Specific instantiations of HMAC need to
+ define a particular hash function. Current candidates for such hash
+ functions include SHA-1 [SHA], MD5 [MD5], RIPEMD-128/160 [RIPEMD].
+ These different realizations of HMAC will be denoted by HMAC-SHA1,
+ HMAC-MD5, HMAC-RIPEMD, etc.
+
+ Note: To the date of writing of this document MD5 and SHA-1 are the
+ most widely used cryptographic hash functions. MD5 has been recently
+ shown to be vulnerable to collision search attacks [Dobb]. This
+ attack and other currently known weaknesses of MD5 do not compromise
+ the use of MD5 within HMAC as specified in this document (see
+ [Dobb]); however, SHA-1 appears to be a cryptographically stronger
+ function. To this date, MD5 can be considered for use in HMAC for
+ applications where the superior performance of MD5 is critical. In
+ any case, implementers and users need to be aware of possible
+ cryptanalytic developments regarding any of these cryptographic hash
+ functions, and the eventual need to replace the underlying hash
+ function. (See section 6 for more information on the security of
+ HMAC.)
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 2]
+
+RFC 2104 HMAC February 1997
+
+
+2. Definition of HMAC
+
+ The definition of HMAC requires a cryptographic hash function, which
+ we denote by H, and a secret key K. We assume H to be a cryptographic
+ hash function where data is hashed by iterating a basic compression
+ function on blocks of data. We denote by B the byte-length of such
+ blocks (B=64 for all the above mentioned examples of hash functions),
+ and by L the byte-length of hash outputs (L=16 for MD5, L=20 for
+ SHA-1). The authentication key K can be of any length up to B, the
+ block length of the hash function. Applications that use keys longer
+ than B bytes will first hash the key using H and then use the
+ resultant L byte string as the actual key to HMAC. In any case the
+ minimal recommended length for K is L bytes (as the hash output
+ length). See section 3 for more information on keys.
+
+ We define two fixed and different strings ipad and opad as follows
+ (the 'i' and 'o' are mnemonics for inner and outer):
+
+ ipad = the byte 0x36 repeated B times
+ opad = the byte 0x5C repeated B times.
+
+ To compute HMAC over the data `text' we perform
+
+ H(K XOR opad, H(K XOR ipad, text))
+
+ Namely,
+
+ (1) append zeros to the end of K to create a B byte string
+ (e.g., if K is of length 20 bytes and B=64, then K will be
+ appended with 44 zero bytes 0x00)
+ (2) XOR (bitwise exclusive-OR) the B byte string computed in step
+ (1) with ipad
+ (3) append the stream of data 'text' to the B byte string resulting
+ from step (2)
+ (4) apply H to the stream generated in step (3)
+ (5) XOR (bitwise exclusive-OR) the B byte string computed in
+ step (1) with opad
+ (6) append the H result from step (4) to the B byte string
+ resulting from step (5)
+ (7) apply H to the stream generated in step (6) and output
+ the result
+
+ For illustration purposes, sample code based on MD5 is provided as an
+ appendix.
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 3]
+
+RFC 2104 HMAC February 1997
+
+
+3. Keys
+
+ The key for HMAC can be of any length (keys longer than B bytes are
+ first hashed using H). However, less than L bytes is strongly
+ discouraged as it would decrease the security strength of the
+ function. Keys longer than L bytes are acceptable but the extra
+ length would not significantly increase the function strength. (A
+ longer key may be advisable if the randomness of the key is
+ considered weak.)
+
+ Keys need to be chosen at random (or using a cryptographically strong
+ pseudo-random generator seeded with a random seed), and periodically
+ refreshed. (Current attacks do not indicate a specific recommended
+ frequency for key changes as these attacks are practically
+ infeasible. However, periodic key refreshment is a fundamental
+ security practice that helps against potential weaknesses of the
+ function and keys, and limits the damage of an exposed key.)
+
+4. Implementation Note
+
+ HMAC is defined in such a way that the underlying hash function H can
+ be used with no modification to its code. In particular, it uses the
+ function H with the pre-defined initial value IV (a fixed value
+ specified by each iterative hash function to initialize its
+ compression function). However, if desired, a performance
+ improvement can be achieved at the cost of (possibly) modifying the
+ code of H to support variable IVs.
+
+ The idea is that the intermediate results of the compression function
+ on the B-byte blocks (K XOR ipad) and (K XOR opad) can be precomputed
+ only once at the time of generation of the key K, or before its first
+ use. These intermediate results are stored and then used to
+ initialize the IV of H each time that a message needs to be
+ authenticated. This method saves, for each authenticated message,
+ the application of the compression function of H on two B-byte blocks
+ (i.e., on (K XOR ipad) and (K XOR opad)). Such a savings may be
+ significant when authenticating short streams of data. We stress
+ that the stored intermediate values need to be treated and protected
+ the same as secret keys.
+
+ Choosing to implement HMAC in the above way is a decision of the
+ local implementation and has no effect on inter-operability.
+
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 4]
+
+RFC 2104 HMAC February 1997
+
+
+5. Truncated output
+
+ A well-known practice with message authentication codes is to
+ truncate the output of the MAC and output only part of the bits
+ (e.g., [MM, ANSI]). Preneel and van Oorschot [PV] show some
+ analytical advantages of truncating the output of hash-based MAC
+ functions. The results in this area are not absolute as for the
+ overall security advantages of truncation. It has advantages (less
+ information on the hash result available to an attacker) and
+ disadvantages (less bits to predict for the attacker). Applications
+ of HMAC can choose to truncate the output of HMAC by outputting the t
+ leftmost bits of the HMAC computation for some parameter t (namely,
+ the computation is carried in the normal way as defined in section 2
+ above but the end result is truncated to t bits). We recommend that
+ the output length t be not less than half the length of the hash
+ output (to match the birthday attack bound) and not less than 80 bits
+ (a suitable lower bound on the number of bits that need to be
+ predicted by an attacker). We propose denoting a realization of HMAC
+ that uses a hash function H with t bits of output as HMAC-H-t. For
+ example, HMAC-SHA1-80 denotes HMAC computed using the SHA-1 function
+ and with the output truncated to 80 bits. (If the parameter t is not
+ specified, e.g. HMAC-MD5, then it is assumed that all the bits of the
+ hash are output.)
+
+6. Security
+
+ The security of the message authentication mechanism presented here
+ depends on cryptographic properties of the hash function H: the
+ resistance to collision finding (limited to the case where the
+ initial value is secret and random, and where the output of the
+ function is not explicitly available to the attacker), and the
+ message authentication property of the compression function of H when
+ applied to single blocks (in HMAC these blocks are partially unknown
+ to an attacker as they contain the result of the inner H computation
+ and, in particular, cannot be fully chosen by the attacker).
+
+ These properties, and actually stronger ones, are commonly assumed
+ for hash functions of the kind used with HMAC. In particular, a hash
+ function for which the above properties do not hold would become
+ unsuitable for most (probably, all) cryptographic applications,
+ including alternative message authentication schemes based on such
+ functions. (For a complete analysis and rationale of the HMAC
+ function the reader is referred to [BCK1].)
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 5]
+
+RFC 2104 HMAC February 1997
+
+
+ Given the limited confidence gained so far as for the cryptographic
+ strength of candidate hash functions, it is important to observe the
+ following two properties of the HMAC construction and its secure use
+ for message authentication:
+
+ 1. The construction is independent of the details of the particular
+ hash function H in use and then the latter can be replaced by any
+ other secure (iterative) cryptographic hash function.
+
+ 2. Message authentication, as opposed to encryption, has a
+ "transient" effect. A published breaking of a message authentication
+ scheme would lead to the replacement of that scheme, but would have
+ no adversarial effect on information authenticated in the past. This
+ is in sharp contrast with encryption, where information encrypted
+ today may suffer from exposure in the future if, and when, the
+ encryption algorithm is broken.
+
+ The strongest attack known against HMAC is based on the frequency of
+ collisions for the hash function H ("birthday attack") [PV,BCK2], and
+ is totally impractical for minimally reasonable hash functions.
+
+ As an example, if we consider a hash function like MD5 where the
+ output length equals L=16 bytes (128 bits) the attacker needs to
+ acquire the correct message authentication tags computed (with the
+ _same_ secret key K!) on about 2**64 known plaintexts. This would
+ require the processing of at least 2**64 blocks under H, an
+ impossible task in any realistic scenario (for a block length of 64
+ bytes this would take 250,000 years in a continuous 1Gbps link, and
+ without changing the secret key K during all this time). This attack
+ could become realistic only if serious flaws in the collision
+ behavior of the function H are discovered (e.g. collisions found
+ after 2**30 messages). Such a discovery would determine the immediate
+ replacement of the function H (the effects of such failure would be
+ far more severe for the traditional uses of H in the context of
+ digital signatures, public key certificates, etc.).
+
+ Note: this attack needs to be strongly contrasted with regular
+ collision attacks on cryptographic hash functions where no secret key
+ is involved and where 2**64 off-line parallelizable (!) operations
+ suffice to find collisions. The latter attack is approaching
+ feasibility [VW] while the birthday attack on HMAC is totally
+ impractical. (In the above examples, if one uses a hash function
+ with, say, 160 bit of output then 2**64 should be replaced by 2**80.)
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 6]
+
+RFC 2104 HMAC February 1997
+
+
+ A correct implementation of the above construction, the choice of
+ random (or cryptographically pseudorandom) keys, a secure key
+ exchange mechanism, frequent key refreshments, and good secrecy
+ protection of keys are all essential ingredients for the security of
+ the integrity verification mechanism provided by HMAC.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 7]
+
+RFC 2104 HMAC February 1997
+
+
+Appendix -- Sample Code
+
+ For the sake of illustration we provide the following sample code for
+ the implementation of HMAC-MD5 as well as some corresponding test
+ vectors (the code is based on MD5 code as described in [MD5]).
+
+/*
+** Function: hmac_md5
+*/
+
+void
+hmac_md5(text, text_len, key, key_len, digest)
+unsigned char* text; /* pointer to data stream */
+int text_len; /* length of data stream */
+unsigned char* key; /* pointer to authentication key */
+int key_len; /* length of authentication key */
+caddr_t digest; /* caller digest to be filled in */
+
+{
+ MD5_CTX context;
+ unsigned char k_ipad[65]; /* inner padding -
+ * key XORd with ipad
+ */
+ unsigned char k_opad[65]; /* outer padding -
+ * key XORd with opad
+ */
+ unsigned char tk[16];
+ int i;
+ /* if key is longer than 64 bytes reset it to key=MD5(key) */
+ if (key_len > 64) {
+
+ MD5_CTX tctx;
+
+ MD5Init(&tctx);
+ MD5Update(&tctx, key, key_len);
+ MD5Final(tk, &tctx);
+
+ key = tk;
+ key_len = 16;
+ }
+
+ /*
+ * the HMAC_MD5 transform looks like:
+ *
+ * MD5(K XOR opad, MD5(K XOR ipad, text))
+ *
+ * where K is an n byte key
+ * ipad is the byte 0x36 repeated 64 times
+
+
+
+Krawczyk, et. al. Informational [Page 8]
+
+RFC 2104 HMAC February 1997
+
+
+ * opad is the byte 0x5c repeated 64 times
+ * and text is the data being protected
+ */
+
+ /* start out by storing key in pads */
+ bzero( k_ipad, sizeof k_ipad);
+ bzero( k_opad, sizeof k_opad);
+ bcopy( key, k_ipad, key_len);
+ bcopy( key, k_opad, key_len);
+
+ /* XOR key with ipad and opad values */
+ for (i=0; i<64; i++) {
+ k_ipad[i] ^= 0x36;
+ k_opad[i] ^= 0x5c;
+ }
+ /*
+ * perform inner MD5
+ */
+ MD5Init(&context); /* init context for 1st
+ * pass */
+ MD5Update(&context, k_ipad, 64) /* start with inner pad */
+ MD5Update(&context, text, text_len); /* then text of datagram */
+ MD5Final(digest, &context); /* finish up 1st pass */
+ /*
+ * perform outer MD5
+ */
+ MD5Init(&context); /* init context for 2nd
+ * pass */
+ MD5Update(&context, k_opad, 64); /* start with outer pad */
+ MD5Update(&context, digest, 16); /* then results of 1st
+ * hash */
+ MD5Final(digest, &context); /* finish up 2nd pass */
+}
+
+Test Vectors (Trailing '\0' of a character string not included in test):
+
+ key = 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ key_len = 16 bytes
+ data = "Hi There"
+ data_len = 8 bytes
+ digest = 0x9294727a3638bb1c13f48ef8158bfc9d
+
+ key = "Jefe"
+ data = "what do ya want for nothing?"
+ data_len = 28 bytes
+ digest = 0x750c783e6ab0b503eaa86e310a5db738
+
+ key = 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+
+
+
+Krawczyk, et. al. Informational [Page 9]
+
+RFC 2104 HMAC February 1997
+
+
+ key_len 16 bytes
+ data = 0xDDDDDDDDDDDDDDDDDDDD...
+ ..DDDDDDDDDDDDDDDDDDDD...
+ ..DDDDDDDDDDDDDDDDDDDD...
+ ..DDDDDDDDDDDDDDDDDDDD...
+ ..DDDDDDDDDDDDDDDDDDDD
+ data_len = 50 bytes
+ digest = 0x56be34521d144c88dbb8c733f0e8b3f6
+
+Acknowledgments
+
+ Pau-Chen Cheng, Jeff Kraemer, and Michael Oehler, have provided
+ useful comments on early drafts, and ran the first interoperability
+ tests of this specification. Jeff and Pau-Chen kindly provided the
+ sample code and test vectors that appear in the appendix. Burt
+ Kaliski, Bart Preneel, Matt Robshaw, Adi Shamir, and Paul van
+ Oorschot have provided useful comments and suggestions during the
+ investigation of the HMAC construction.
+
+References
+
+ [ANSI] ANSI X9.9, "American National Standard for Financial
+ Institution Message Authentication (Wholesale)," American
+ Bankers Association, 1981. Revised 1986.
+
+ [Atk] Atkinson, R., "IP Authentication Header", RFC 1826, August
+ 1995.
+
+ [BCK1] M. Bellare, R. Canetti, and H. Krawczyk,
+ "Keyed Hash Functions and Message Authentication",
+ Proceedings of Crypto'96, LNCS 1109, pp. 1-15.
+ (http://www.research.ibm.com/security/keyed-md5.html)
+
+ [BCK2] M. Bellare, R. Canetti, and H. Krawczyk,
+ "Pseudorandom Functions Revisited: The Cascade Construction",
+ Proceedings of FOCS'96.
+
+ [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack",
+ RSA Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996.
+ http://www.rsa.com/rsalabs/pubs/cryptobytes.html
+
+ [PV] B. Preneel and P. van Oorschot, "Building fast MACs from hash
+ functions", Advances in Cryptology -- CRYPTO'95 Proceedings,
+ Lecture Notes in Computer Science, Springer-Verlag Vol.963,
+ 1995, pp. 1-14.
+
+ [MD5] Rivest, R., "The MD5 Message-Digest Algorithm",
+ RFC 1321, April 1992.
+
+
+
+Krawczyk, et. al. Informational [Page 10]
+
+RFC 2104 HMAC February 1997
+
+
+ [MM] Meyer, S. and Matyas, S.M., Cryptography, New York Wiley,
+ 1982.
+
+ [RIPEMD] H. Dobbertin, A. Bosselaers, and B. Preneel, "RIPEMD-160: A
+ strengthened version of RIPEMD", Fast Software Encryption,
+ LNCS Vol 1039, pp. 71-82.
+ ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/bosselae/ripemd/.
+
+ [SHA] NIST, FIPS PUB 180-1: Secure Hash Standard, April 1995.
+
+ [Tsu] G. Tsudik, "Message authentication with one-way hash
+ functions", In Proceedings of Infocom'92, May 1992.
+ (Also in "Access Control and Policy Enforcement in
+ Internetworks", Ph.D. Dissertation, Computer Science
+ Department, University of Southern California, April 1991.)
+
+ [VW] P. van Oorschot and M. Wiener, "Parallel Collision
+ Search with Applications to Hash Functions and Discrete
+ Logarithms", Proceedings of the 2nd ACM Conf. Computer and
+ Communications Security, Fairfax, VA, November 1994.
+
+Authors' Addresses
+
+ Hugo Krawczyk
+ IBM T.J. Watson Research Center
+ P.O.Box 704
+ Yorktown Heights, NY 10598
+
+ EMail: hugo@watson.ibm.com
+
+ Mihir Bellare
+ Dept of Computer Science and Engineering
+ Mail Code 0114
+ University of California at San Diego
+ 9500 Gilman Drive
+ La Jolla, CA 92093
+
+ EMail: mihir@cs.ucsd.edu
+
+ Ran Canetti
+ IBM T.J. Watson Research Center
+ P.O.Box 704
+ Yorktown Heights, NY 10598
+
+ EMail: canetti@watson.ibm.com
+
+
+
+
+
+
+Krawczyk, et. al. Informational [Page 11]
+
+
diff --git a/contrib/bind9/doc/rfc/rfc2119.txt b/contrib/bind9/doc/rfc/rfc2119.txt
new file mode 100644
index 0000000..e31fae4
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2119.txt
@@ -0,0 +1,171 @@
+
+
+
+
+
+
+Network Working Group S. Bradner
+Request for Comments: 2119 Harvard University
+BCP: 14 March 1997
+Category: Best Current Practice
+
+
+ Key words for use in RFCs to Indicate Requirement Levels
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Abstract
+
+ In many standards track documents several words are used to signify
+ the requirements in the specification. These words are often
+ capitalized. This document defines these words as they should be
+ interpreted in IETF documents. Authors who follow these guidelines
+ should incorporate this phrase near the beginning of their document:
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
+ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ RFC 2119.
+
+ Note that the force of these words is modified by the requirement
+ level of the document in which they are used.
+
+1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the
+ definition is an absolute requirement of the specification.
+
+2. MUST NOT This phrase, or the phrase "SHALL NOT", mean that the
+ definition is an absolute prohibition of the specification.
+
+3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
+ may exist valid reasons in particular circumstances to ignore a
+ particular item, but the full implications must be understood and
+ carefully weighed before choosing a different course.
+
+4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that
+ there may exist valid reasons in particular circumstances when the
+ particular behavior is acceptable or even useful, but the full
+ implications should be understood and the case carefully weighed
+ before implementing any behavior described with this label.
+
+
+
+
+
+Bradner Best Current Practice [Page 1]
+
+RFC 2119 RFC Key Words March 1997
+
+
+5. MAY This word, or the adjective "OPTIONAL", mean that an item is
+ truly optional. One vendor may choose to include the item because a
+ particular marketplace requires it or because the vendor feels that
+ it enhances the product while another vendor may omit the same item.
+ An implementation which does not include a particular option MUST be
+ prepared to interoperate with another implementation which does
+ include the option, though perhaps with reduced functionality. In the
+ same vein an implementation which does include a particular option
+ MUST be prepared to interoperate with another implementation which
+ does not include the option (except, of course, for the feature the
+ option provides.)
+
+6. Guidance in the use of these Imperatives
+
+ Imperatives of the type defined in this memo must be used with care
+ and sparingly. In particular, they MUST only be used where it is
+ actually required for interoperation or to limit behavior which has
+ potential for causing harm (e.g., limiting retransmisssions) For
+ example, they must not be used to try to impose a particular method
+ on implementors where the method is not required for
+ interoperability.
+
+7. Security Considerations
+
+ These terms are frequently used to specify behavior with security
+ implications. The effects on security of not implementing a MUST or
+ SHOULD, or doing something the specification says MUST NOT or SHOULD
+ NOT be done may be very subtle. Document authors should take the time
+ to elaborate the security implications of not following
+ recommendations or requirements as most implementors will not have
+ had the benefit of the experience and discussion that produced the
+ specification.
+
+8. Acknowledgments
+
+ The definitions of these terms are an amalgam of definitions taken
+ from a number of RFCs. In addition, suggestions have been
+ incorporated from a number of people including Robert Ullmann, Thomas
+ Narten, Neal McBurnett, and Robert Elz.
+
+
+
+
+
+
+
+
+
+
+
+
+Bradner Best Current Practice [Page 2]
+
+RFC 2119 RFC Key Words March 1997
+
+
+9. Author's Address
+
+ Scott Bradner
+ Harvard University
+ 1350 Mass. Ave.
+ Cambridge, MA 02138
+
+ phone - +1 617 495 3864
+
+ email - sob@harvard.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bradner Best Current Practice [Page 3]
+
diff --git a/contrib/bind9/doc/rfc/rfc2133.txt b/contrib/bind9/doc/rfc/rfc2133.txt
new file mode 100644
index 0000000..ea66cf0
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2133.txt
@@ -0,0 +1,1795 @@
+
+
+
+
+
+
+Network Working Group R. Gilligan
+Request for Comments: 2133 Freegate
+Category: Informational S. Thomson
+ Bellcore
+ J. Bound
+ Digital
+ W. Stevens
+ Consultant
+ April 1997
+
+ Basic Socket Interface Extensions for IPv6
+
+Status of this Memo
+
+ This memo provides information for the Internet community. This memo
+ does not specify an Internet standard of any kind. Distribution of
+ this memo is unlimited.
+
+Abstract
+
+ The de facto standard application program interface (API) for TCP/IP
+ applications is the "sockets" interface. Although this API was
+ developed for Unix in the early 1980s it has also been implemented on
+ a wide variety of non-Unix systems. TCP/IP applications written
+ using the sockets API have in the past enjoyed a high degree of
+ portability and we would like the same portability with IPv6
+ applications. But changes are required to the sockets API to support
+ IPv6 and this memo describes these changes. These include a new
+ socket address structure to carry IPv6 addresses, new address
+ conversion functions, and some new socket options. These extensions
+ are designed to provide access to the basic IPv6 features required by
+ TCP and UDP applications, including multicasting, while introducing a
+ minimum of change into the system and providing complete
+ compatibility for existing IPv4 applications. Additional extensions
+ for advanced IPv6 features (raw sockets and access to the IPv6
+ extension headers) are defined in another document [5].
+
+Table of Contents
+
+ 1. Introduction ................................................ 2
+ 2. Design Considerations ....................................... 3
+ 2.1. What Needs to be Changed .................................. 3
+ 2.2. Data Types ................................................ 5
+ 2.3. Headers ................................................... 5
+ 2.4. Structures ................................................ 5
+ 3. Socket Interface ............................................ 5
+ 3.1. IPv6 Address Family and Protocol Family ................... 5
+ 3.2. IPv6 Address Structure .................................... 6
+
+
+
+Gilligan, et. al. Informational [Page 1]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ 3.3. Socket Address Structure for 4.3BSD-Based Systems ......... 6
+ 3.4. Socket Address Structure for 4.4BSD-Based Systems ......... 7
+ 3.5. The Socket Functions ...................................... 8
+ 3.6. Compatibility with IPv4 Applications ...................... 9
+ 3.7. Compatibility with IPv4 Nodes ............................. 9
+ 3.8. IPv6 Wildcard Address ..................................... 10
+ 3.9. IPv6 Loopback Address ..................................... 11
+ 4. Interface Identification .................................... 12
+ 4.1. Name-to-Index ............................................. 13
+ 4.2. Index-to-Name ............................................. 13
+ 4.3. Return All Interface Names and Indexes .................... 14
+ 4.4. Free Memory ............................................... 14
+ 5. Socket Options .............................................. 14
+ 5.1. Changing Socket Type ...................................... 15
+ 5.2. Unicast Hop Limit ......................................... 16
+ 5.3. Sending and Receiving Multicast Packets ................... 17
+ 6. Library Functions ........................................... 19
+ 6.1. Hostname-to-Address Translation ........................... 19
+ 6.2. Address To Hostname Translation ........................... 22
+ 6.3. Protocol-Independent Hostname and Service Name Translation 22
+ 6.4. Socket Address Structure to Hostname and Service Name ..... 25
+ 6.5. Address Conversion Functions .............................. 27
+ 6.6. Address Testing Macros .................................... 28
+ 7. Summary of New Definitions .................................. 29
+ 8. Security Considerations ..................................... 31
+ 9. Acknowledgments ............................................. 31
+ 10. References ................................................. 31
+ 11. Authors' Addresses ......................................... 32
+
+1. Introduction
+
+ While IPv4 addresses are 32 bits long, IPv6 interfaces are identified
+ by 128-bit addresses. The socket interface make the size of an IP
+ address quite visible to an application; virtually all TCP/IP
+ applications for BSD-based systems have knowledge of the size of an
+ IP address. Those parts of the API that expose the addresses must be
+ changed to accommodate the larger IPv6 address size. IPv6 also
+ introduces new features (e.g., flow label and priority), some of
+ which must be made visible to applications via the API. This memo
+ defines a set of extensions to the socket interface to support the
+ larger address size and new features of IPv6.
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 2]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+2. Design Considerations
+
+ There are a number of important considerations in designing changes
+ to this well-worn API:
+
+ - The API changes should provide both source and binary
+ compatibility for programs written to the original API. That is,
+ existing program binaries should continue to operate when run on
+ a system supporting the new API. In addition, existing
+ applications that are re-compiled and run on a system supporting
+ the new API should continue to operate. Simply put, the API
+ changes for IPv6 should not break existing programs.
+
+ - The changes to the API should be as small as possible in order to
+ simplify the task of converting existing IPv4 applications to
+ IPv6.
+
+ - Where possible, applications should be able to use this API to
+ interoperate with both IPv6 and IPv4 hosts. Applications should
+ not need to know which type of host they are communicating with.
+
+ - IPv6 addresses carried in data structures should be 64-bit
+ aligned. This is necessary in order to obtain optimum
+ performance on 64-bit machine architectures.
+
+ Because of the importance of providing IPv4 compatibility in the API,
+ these extensions are explicitly designed to operate on machines that
+ provide complete support for both IPv4 and IPv6. A subset of this
+ API could probably be designed for operation on systems that support
+ only IPv6. However, this is not addressed in this memo.
+
+2.1. What Needs to be Changed
+
+ The socket interface API consists of a few distinct components:
+
+ - Core socket functions.
+
+ - Address data structures.
+
+ - Name-to-address translation functions.
+
+ - Address conversion functions.
+
+ The core socket functions -- those functions that deal with such
+ things as setting up and tearing down TCP connections, and sending
+ and receiving UDP packets -- were designed to be transport
+ independent. Where protocol addresses are passed as function
+ arguments, they are carried via opaque pointers. A protocol-specific
+
+
+
+Gilligan, et. al. Informational [Page 3]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ address data structure is defined for each protocol that the socket
+ functions support. Applications must cast pointers to these
+ protocol-specific address structures into pointers to the generic
+ "sockaddr" address structure when using the socket functions. These
+ functions need not change for IPv6, but a new IPv6-specific address
+ data structure is needed.
+
+ The "sockaddr_in" structure is the protocol-specific data structure
+ for IPv4. This data structure actually includes 8-octets of unused
+ space, and it is tempting to try to use this space to adapt the
+ sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
+ structure is not large enough to hold the 16-octet IPv6 address as
+ well as the other information (address family and port number) that
+ is needed. So a new address data structure must be defined for IPv6.
+
+ The name-to-address translation functions in the socket interface are
+ gethostbyname() and gethostbyaddr(). These must be modified to
+ support IPv6 and the semantics defined must provide 100% backward
+ compatibility for all existing IPv4 applications, along with IPv6
+ support for new applications. Additionally, the POSIX 1003.g work in
+ progress [4] specifies a new hostname-to-address translation function
+ which is protocol independent. This function can also be used with
+ IPv6.
+
+ The address conversion functions -- inet_ntoa() and inet_addr() --
+ convert IPv4 addresses between binary and printable form. These
+ functions are quite specific to 32-bit IPv4 addresses. We have
+ designed two analogous functions that convert both IPv4 and IPv6
+ addresses, and carry an address type parameter so that they can be
+ extended to other protocol families as well.
+
+ Finally, a few miscellaneous features are needed to support IPv6.
+ New interfaces are needed to support the IPv6 flow label, priority,
+ and hop limit header fields. New socket options are needed to
+ control the sending and receiving of IPv6 multicast packets.
+
+ The socket interface will be enhanced in the future to provide access
+ to other IPv6 features. These extensions are described in [5].
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 4]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+2.2. Data Types
+
+ The data types of the structure elements given in this memo are
+ intended to be examples, not absolute requirements. Whenever
+ possible, POSIX 1003.1g data types are used: u_intN_t means an
+ unsigned integer of exactly N bits (e.g., u_int16_t) and u_intNm_t
+ means an unsigned integer of at least N bits (e.g., u_int32m_t). We
+ also assume the argument data types from 1003.1g when possible (e.g.,
+ the final argument to setsockopt() is a size_t value). Whenever
+ buffer sizes are specified, the POSIX 1003.1 size_t data type is used
+ (e.g., the two length arguments to getnameinfo()).
+
+2.3. Headers
+
+ When function prototypes and structures are shown we show the headers
+ that must be #included to cause that item to be defined.
+
+2.4. Structures
+
+ When structures are described the members shown are the ones that
+ must appear in an implementation. Additional, nonstandard members
+ may also be defined by an implementation.
+
+ The ordering shown for the members of a structure is the recommended
+ ordering, given alignment considerations of multibyte members, but an
+ implementation may order the members differently.
+
+3. Socket Interface
+
+ This section specifies the socket interface changes for IPv6.
+
+3.1. IPv6 Address Family and Protocol Family
+
+ A new address family name, AF_INET6, is defined in <sys/socket.h>.
+ The AF_INET6 definition distinguishes between the original
+ sockaddr_in address data structure, and the new sockaddr_in6 data
+ structure.
+
+ A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
+ Like most of the other protocol family names, this will usually be
+ defined to have the same value as the corresponding address family
+ name:
+
+ #define PF_INET6 AF_INET6
+
+ The PF_INET6 is used in the first argument to the socket() function
+ to indicate that an IPv6 socket is being created.
+
+
+
+
+Gilligan, et. al. Informational [Page 5]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+3.2. IPv6 Address Structure
+
+ A new data structure to hold a single IPv6 address is defined as
+ follows:
+
+ #include <netinet/in.h>
+
+ struct in6_addr {
+ u_int8_t s6_addr[16]; /* IPv6 address */
+ }
+
+ This data structure contains an array of sixteen 8-bit elements,
+ which make up one 128-bit IPv6 address. The IPv6 address is stored
+ in network byte order.
+
+3.3. Socket Address Structure for 4.3BSD-Based Systems
+
+ In the socket interface, a different protocol-specific data structure
+ is defined to carry the addresses for each protocol suite. Each
+ protocol-specific data structure is designed so it can be cast into a
+ protocol-independent data structure -- the "sockaddr" structure.
+ Each has a "family" field that overlays the "sa_family" of the
+ sockaddr data structure. This field identifies the type of the data
+ structure.
+
+ The sockaddr_in structure is the protocol-specific address data
+ structure for IPv4. It is used to pass addresses between
+ applications and the system in the socket functions. The following
+ structure is defined to carry IPv6 addresses:
+
+ #include <netinet/in.h>
+
+ struct sockaddr_in6 {
+ u_int16m_t sin6_family; /* AF_INET6 */
+ u_int16m_t sin6_port; /* transport layer port # */
+ u_int32m_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ };
+
+ This structure is designed to be compatible with the sockaddr data
+ structure used in the 4.3BSD release.
+
+ The sin6_family field identifies this as a sockaddr_in6 structure.
+ This field overlays the sa_family field when the buffer is cast to a
+ sockaddr data structure. The value of this field must be AF_INET6.
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 6]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The sin6_port field contains the 16-bit UDP or TCP port number. This
+ field is used in the same way as the sin_port field of the
+ sockaddr_in structure. The port number is stored in network byte
+ order.
+
+ The sin6_flowinfo field is a 32-bit field that contains two pieces of
+ information: the 24-bit IPv6 flow label and the 4-bit priority field.
+ The contents and interpretation of this member is unspecified at this
+ time.
+
+ The sin6_addr field is a single in6_addr structure (defined in the
+ previous section). This field holds one 128-bit IPv6 address. The
+ address is stored in network byte order.
+
+ The ordering of elements in this structure is specifically designed
+ so that the sin6_addr field will be aligned on a 64-bit boundary.
+ This is done for optimum performance on 64-bit architectures.
+
+ Notice that the sockaddr_in6 structure will normally be larger than
+ the generic sockaddr structure. On many existing implementations the
+ sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
+ being 16 bytes. Any existing code that makes this assumption needs
+ to be examined carefully when converting to IPv6.
+
+3.4. Socket Address Structure for 4.4BSD-Based Systems
+
+ The 4.4BSD release includes a small, but incompatible change to the
+ socket interface. The "sa_family" field of the sockaddr data
+ structure was changed from a 16-bit value to an 8-bit value, and the
+ space saved used to hold a length field, named "sa_len". The
+ sockaddr_in6 data structure given in the previous section cannot be
+ correctly cast into the newer sockaddr data structure. For this
+ reason, the following alternative IPv6 address data structure is
+ provided to be used on systems based on 4.4BSD:
+
+ #include <netinet/in.h>
+
+ #define SIN6_LEN
+
+ struct sockaddr_in6 {
+ u_char sin6_len; /* length of this struct */
+ u_char sin6_family; /* AF_INET6 */
+ u_int16m_t sin6_port; /* transport layer port # */
+ u_int32m_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ };
+
+
+
+
+
+Gilligan, et. al. Informational [Page 7]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The only differences between this data structure and the 4.3BSD
+ variant are the inclusion of the length field, and the change of the
+ family field to a 8-bit data type. The definitions of all the other
+ fields are identical to the structure defined in the previous
+ section.
+
+ Systems that provide this version of the sockaddr_in6 data structure
+ must also declare SIN6_LEN as a result of including the
+ <netinet/in.h> header. This macro allows applications to determine
+ whether they are being built on a system that supports the 4.3BSD or
+ 4.4BSD variants of the data structure.
+
+3.5. The Socket Functions
+
+ Applications call the socket() function to create a socket descriptor
+ that represents a communication endpoint. The arguments to the
+ socket() function tell the system which protocol to use, and what
+ format address structure will be used in subsequent functions. For
+ example, to create an IPv4/TCP socket, applications make the call:
+
+ s = socket(PF_INET, SOCK_STREAM, 0);
+
+ To create an IPv4/UDP socket, applications make the call:
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+
+ Applications may create IPv6/TCP and IPv6/UDP sockets by simply using
+ the constant PF_INET6 instead of PF_INET in the first argument. For
+ example, to create an IPv6/TCP socket, applications make the call:
+
+ s = socket(PF_INET6, SOCK_STREAM, 0);
+
+ To create an IPv6/UDP socket, applications make the call:
+
+ s = socket(PF_INET6, SOCK_DGRAM, 0);
+
+ Once the application has created a PF_INET6 socket, it must use the
+ sockaddr_in6 address structure when passing addresses in to the
+ system. The functions that the application uses to pass addresses
+ into the system are:
+
+ bind()
+ connect()
+ sendmsg()
+ sendto()
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 8]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The system will use the sockaddr_in6 address structure to return
+ addresses to applications that are using PF_INET6 sockets. The
+ functions that return an address from the system to an application
+ are:
+
+ accept()
+ recvfrom()
+ recvmsg()
+ getpeername()
+ getsockname()
+
+ No changes to the syntax of the socket functions are needed to
+ support IPv6, since all of the "address carrying" functions use an
+ opaque address pointer, and carry an address length as a function
+ argument.
+
+3.6. Compatibility with IPv4 Applications
+
+ In order to support the large base of applications using the original
+ API, system implementations must provide complete source and binary
+ compatibility with the original API. This means that systems must
+ continue to support PF_INET sockets and the sockaddr_in address
+ structure. Applications must be able to create IPv4/TCP and IPv4/UDP
+ sockets using the PF_INET constant in the socket() function, as
+ described in the previous section. Applications should be able to
+ hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
+ sockets simultaneously within the same process.
+
+ Applications using the original API should continue to operate as
+ they did on systems supporting only IPv4. That is, they should
+ continue to interoperate with IPv4 nodes.
+
+3.7. Compatibility with IPv4 Nodes
+
+ The API also provides a different type of compatibility: the ability
+ for IPv6 applications to interoperate with IPv4 applications. This
+ feature uses the IPv4-mapped IPv6 address format defined in the IPv6
+ addressing architecture specification [2]. This address format
+ allows the IPv4 address of an IPv4 node to be represented as an IPv6
+ address. The IPv4 address is encoded into the low-order 32 bits of
+ the IPv6 address, and the high-order 96 bits hold the fixed prefix
+ 0:0:0:0:0:FFFF. IPv4-mapped addresses are written as follows:
+
+ ::FFFF:<IPv4-address>
+
+ These addresses are often generated automatically by the
+ gethostbyname() function when the specified host has only IPv4
+ addresses (as described in Section 6.1).
+
+
+
+Gilligan, et. al. Informational [Page 9]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ Applications may use PF_INET6 sockets to open TCP connections to IPv4
+ nodes, or send UDP packets to IPv4 nodes, by simply encoding the
+ destination's IPv4 address as an IPv4-mapped IPv6 address, and
+ passing that address, within a sockaddr_in6 structure, in the
+ connect() or sendto() call. When applications use PF_INET6 sockets
+ to accept TCP connections from IPv4 nodes, or receive UDP packets
+ from IPv4 nodes, the system returns the peer's address to the
+ application in the accept(), recvfrom(), or getpeername() call using
+ a sockaddr_in6 structure encoded this way.
+
+ Few applications will likely need to know which type of node they are
+ interoperating with. However, for those applications that do need to
+ know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.6, is
+ provided.
+
+3.8. IPv6 Wildcard Address
+
+ While the bind() function allows applications to select the source IP
+ address of UDP packets and TCP connections, applications often want
+ the system to select the source address for them. With IPv4, one
+ specifies the address as the symbolic constant INADDR_ANY (called the
+ "wildcard" address) in the bind() call, or simply omits the bind()
+ entirely.
+
+ Since the IPv6 address type is a structure (struct in6_addr), a
+ symbolic constant can be used to initialize an IPv6 address variable,
+ but cannot be used in an assignment. Therefore systems provide the
+ IPv6 wildcard address in two forms.
+
+ The first version is a global variable named "in6addr_any" that is an
+ in6_addr structure. The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_any;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 10]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ Applications use in6addr_any similarly to the way they use INADDR_ANY
+ in IPv4. For example, to bind a socket to port number 23, but let
+ the system select the source address, an application could use the
+ following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_any; /* structure assignment */
+ . . .
+ if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The other version is a symbolic constant named IN6ADDR_ANY_INIT and
+ is defined in <netinet/in.h>. This constant can be used to
+ initialize an in6_addr structure:
+
+ struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
+
+ Note that this constant can be used ONLY at declaration time. It can
+ not be used to assign a previously declared in6_addr structure. For
+ example, the following code will not work:
+
+ /* This is the WRONG way to assign an unspecified address */
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
+
+ Be aware that the IPv4 INADDR_xxx constants are all defined in host
+ byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
+ in6addr_xxx externals are defined in network byte order.
+
+3.9. IPv6 Loopback Address
+
+ Applications may need to send UDP packets to, or originate TCP
+ connections to, services residing on the local node. In IPv4, they
+ can do this by using the constant IPv4 address INADDR_LOOPBACK in
+ their connect(), sendto(), or sendmsg() call.
+
+ IPv6 also provides a loopback address to contact local TCP and UDP
+ services. Like the unspecified address, the IPv6 loopback address is
+ provided in two forms -- a global variable and a symbolic constant.
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 11]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The global variable is an in6_addr structure named
+ "in6addr_loopback." The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_loopback;
+
+ Applications use in6addr_loopback as they would use INADDR_LOOPBACK
+ in IPv4 applications (but beware of the byte ordering difference
+ mentioned at the end of the previous section). For example, to open
+ a TCP connection to the local telnet server, an application could use
+ the following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_loopback; /* structure assignment */
+ . . .
+ if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
+ in <netinet/in.h>. It can be used at declaration time ONLY; for
+ example:
+
+ struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
+
+ Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
+ to a previously declared IPv6 address variable.
+
+4. Interface Identification
+
+ This API uses an interface index (a small positive integer) to
+ identify the local interface on which a multicast group is joined
+ (Section 5.3). Additionally, the advanced API [5] uses these same
+ interface indexes to identify the interface on which a datagram is
+ received, or to specify the interface on which a datagram is to be
+ sent.
+
+ Interfaces are normally known by names such as "le0", "sl1", "ppp2",
+ and the like. On Berkeley-derived implementations, when an interface
+ is made known to the system, the kernel assigns a unique positive
+ integer value (called the interface index) to that interface. These
+ are small positive integers that start at 1. (Note that 0 is never
+ used for an interface index.) There may be gaps so that there is no
+ current interface for a particular positive interface index.
+
+
+
+
+Gilligan, et. al. Informational [Page 12]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ This API defines two functions that map between an interface name and
+ index, a third function that returns all the interface names and
+ indexes, and a fourth function to return the dynamic memory allocated
+ by the previous function. How these functions are implemented is
+ left up to the implementation. 4.4BSD implementations can implement
+ these functions using the existing sysctl() function with the
+ NET_RT_LIST command. Other implementations may wish to use ioctl()
+ for this purpose.
+
+4.1. Name-to-Index
+
+ The first function maps an interface name into its corresponding
+ index.
+
+ #include <net/if.h>
+
+ unsigned int if_nametoindex(const char *ifname);
+
+ If the specified interface does not exist, the return value is 0.
+
+4.2. Index-to-Name
+
+ The second function maps an interface index into its corresponding
+ name.
+
+ #include <net/if.h>
+
+ char *if_indextoname(unsigned int ifindex, char *ifname);
+
+ The ifname argument must point to a buffer of at least IFNAMSIZ bytes
+ into which the interface name corresponding to the specified index is
+ returned. (IFNAMSIZ is also defined in <net/if.h> and its value
+ includes a terminating null byte at the end of the interface name.)
+ This pointer is also the return value of the function. If there is
+ no interface corresponding to the specified index, NULL is returned.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 13]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+4.3. Return All Interface Names and Indexes
+
+ The final function returns an array of if_nameindex structures, one
+ structure per interface.
+
+ #include <net/if.h>
+
+ struct if_nameindex {
+ unsigned int if_index; /* 1, 2, ... */
+ char *if_name; /* null terminated name: "le0", ... */
+ };
+
+ struct if_nameindex *if_nameindex(void);
+
+ The end of the array of structures is indicated by a structure with
+ an if_index of 0 and an if_name of NULL. The function returns a NULL
+ pointer upon an error.
+
+ The memory used for this array of structures along with the interface
+ names pointed to by the if_name members is obtained dynamically.
+ This memory is freed by the next function.
+
+4.4. Free Memory
+
+ The following function frees the dynamic memory that was allocated by
+ if_nameindex().
+
+ #include <net/if.h>
+
+ void if_freenameindex(struct if_nameindex *ptr);
+
+ The argument to this function must be a pointer that was returned by
+ if_nameindex().
+
+5. Socket Options
+
+ A number of new socket options are defined for IPv6. All of these
+ new options are at the IPPROTO_IPV6 level. That is, the "level"
+ parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
+ when using these options. The constant name prefix IPV6_ is used in
+ all of the new socket options. This serves to clearly identify these
+ options as applying to IPv6.
+
+ The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
+ related constants defined in this section are obtained by including
+ the header <netinet/in.h>.
+
+
+
+
+
+Gilligan, et. al. Informational [Page 14]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+5.1. Changing Socket Type
+
+ Unix allows open sockets to be passed between processes via the
+ exec() call and other means. It is a relatively common application
+ practice to pass open sockets across exec() calls. Thus it is
+ possible for an application using the original API to pass an open
+ PF_INET socket to an application that is expecting to receive a
+ PF_INET6 socket. Similarly, it is possible for an application using
+ the extended API to pass an open PF_INET6 socket to an application
+ using the original API, which would be equipped only to deal with
+ PF_INET sockets. Either of these cases could cause problems, because
+ the application that is passed the open socket might not know how to
+ decode the address structures returned in subsequent socket
+ functions.
+
+ To remedy this problem, a new setsockopt() option is defined that
+ allows an application to "convert" a PF_INET6 socket into a PF_INET
+ socket and vice versa.
+
+ An IPv6 application that is passed an open socket from an unknown
+ process may use the IPV6_ADDRFORM setsockopt() option to "convert"
+ the socket to PF_INET6. Once that has been done, the system will
+ return sockaddr_in6 address structures in subsequent socket
+ functions.
+
+ An IPv6 application that is about to pass an open PF_INET6 socket to
+ a program that is not be IPv6 capable can "downgrade" the socket to
+ PF_INET before calling exec(). After that, the system will return
+ sockaddr_in address structures to the application that was exec()'ed.
+ Be aware that you cannot downgrade an IPv6 socket to an IPv4 socket
+ unless all nonwildcard addresses already associated with the IPv6
+ socket are IPv4-mapped IPv6 addresses.
+
+ The IPV6_ADDRFORM option is valid at both the IPPROTO_IP and
+ IPPROTO_IPV6 levels. The only valid option values are PF_INET6 and
+ PF_INET. For example, to convert a PF_INET6 socket to PF_INET, a
+ program would call:
+
+ int addrform = PF_INET;
+
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_ADDRFORM,
+ (char *) &addrform, sizeof(addrform)) == -1)
+ perror("setsockopt IPV6_ADDRFORM");
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 15]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ An application may use IPV6_ADDRFORM with getsockopt() to learn
+ whether an open socket is a PF_INET of PF_INET6 socket. For example:
+
+ int addrform;
+ size_t len = sizeof(addrform);
+
+ if (getsockopt(s, IPPROTO_IPV6, IPV6_ADDRFORM,
+ (char *) &addrform, &len) == -1)
+ perror("getsockopt IPV6_ADDRFORM");
+ else if (addrform == PF_INET)
+ printf("This is an IPv4 socket.\n");
+ else if (addrform == PF_INET6)
+ printf("This is an IPv6 socket.\n");
+ else
+ printf("This system is broken.\n");
+
+5.2. Unicast Hop Limit
+
+ A new setsockopt() option controls the hop limit used in outgoing
+ unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
+ and it is used at the IPPROTO_IPV6 layer. The following example
+ illustrates how it is used:
+
+ int hoplimit = 10;
+
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, sizeof(hoplimit)) == -1)
+ perror("setsockopt IPV6_UNICAST_HOPS");
+
+ When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
+ option value given is used as the hop limit for all subsequent
+ unicast packets sent via that socket. If the option is not set, the
+ system selects a default value. The integer hop limit value (called
+ x) is interpreted as follows:
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 16]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The IPV6_UNICAST_HOPS option may be used with getsockopt() to
+ determine the hop limit value that the system will use for subsequent
+ unicast packets sent via that socket. For example:
+
+ int hoplimit;
+ size_t len = sizeof(hoplimit);
+
+ if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, &len) == -1)
+ perror("getsockopt IPV6_UNICAST_HOPS");
+ else
+ printf("Using %d for hop limit.\n", hoplimit);
+
+5.3. Sending and Receiving Multicast Packets
+
+ IPv6 applications may send UDP multicast packets by simply specifying
+ an IPv6 multicast address in the address argument of the sendto()
+ function.
+
+ Three socket options at the IPPROTO_IPV6 layer control some of the
+ parameters for sending multicast packets. Setting these options is
+ not required: applications may send multicast packets without using
+ these options. The setsockopt() options for controlling the sending
+ of multicast packets are summarized below:
+
+ IPV6_MULTICAST_IF
+
+ Set the interface to use for outgoing multicast packets. The
+ argument is the index of the interface to use.
+
+ Argument type: unsigned int
+
+ IPV6_MULTICAST_HOPS
+
+ Set the hop limit to use for outgoing multicast packets.
+ (Note a separate option - IPV6_UNICAST_HOPS - is provided to
+ set the hop limit to use for outgoing unicast packets.) The
+ interpretation of the argument is the same as for the
+ IPV6_UNICAST_HOPS option:
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+ Argument type: int
+
+
+
+
+
+Gilligan, et. al. Informational [Page 17]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ IPV6_MULTICAST_LOOP
+
+ Controls whether outgoing multicast packets sent should be
+ delivered back to the local application. A toggle. If the
+ option is set to 1, multicast packets are looped back. If it
+ is set to 0, they are not.
+
+ Argument type: unsigned int
+
+ The reception of multicast packets is controlled by the two
+ setsockopt() options summarized below:
+
+ IPV6_ADD_MEMBERSHIP
+
+ Join a multicast group on a specified local interface. If
+ the interface index is specified as 0, the kernel chooses the
+ local interface. For example, some kernels look up the
+ multicast group in the normal IPv6 routing table and using
+ the resulting interface.
+
+ Argument type: struct ipv6_mreq
+
+ IPV6_DROP_MEMBERSHIP
+
+ Leave a multicast group on a specified interface.
+
+ Argument type: struct ipv6_mreq
+
+ The argument type of both of these options is the ipv6_mreq
+ structure, defined as:
+
+ #include <netinet/in.h>
+
+ struct ipv6_mreq {
+ struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
+ unsigned int ipv6mr_interface; /* interface index */
+ };
+
+ Note that to receive multicast datagrams a process must join the
+ multicast group and bind the UDP port to which datagrams will be
+ sent. Some processes also bind the multicast group address to the
+ socket, in addition to the port, to prevent other datagrams destined
+ to that same port from being delivered to the socket.
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 18]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+6. Library Functions
+
+ New library functions are needed to perform a variety of operations
+ with IPv6 addresses. Functions are needed to lookup IPv6 addresses
+ in the Domain Name System (DNS). Both forward lookup (hostname-to-
+ address translation) and reverse lookup (address-to-hostname
+ translation) need to be supported. Functions are also needed to
+ convert IPv6 addresses between their binary and textual form.
+
+6.1. Hostname-to-Address Translation
+
+ The commonly used function gethostbyname() remains unchanged as does
+ the hostent structure to which it returns a pointer. Existing
+ applications that call this function continue to receive only IPv4
+ addresses that are the result of a query in the DNS for A records.
+ (We assume the DNS is being used; some environments may be using a
+ hosts file or some other name resolution system, either of which may
+ impede renumbering. We also assume that the RES_USE_INET6 resolver
+ option is not set, which we describe in more detail shortly.)
+
+ Two new changes are made to support IPv6 addresses. First, the
+ following function is new:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ struct hostent *gethostbyname2(const char *name, int af);
+
+ The af argument specifies the address family. The default operation
+ of this function is simple:
+
+ - If the af argument is AF_INET, then a query is made for A
+ records. If successful, IPv4 addresses are returned and the
+ h_length member of the hostent structure will be 4, else the
+ function returns a NULL pointer.
+
+ - If the af argument is AF_INET6, then a query is made for AAAA
+ records. If successful, IPv6 addresses are returned and the
+ h_length member of the hostent structure will be 16, else the
+ function returns a NULL pointer.
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 19]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The second change, that provides additional functionality, is a new
+ resolver option RES_USE_INET6, which is defined as a result of
+ including the <resolv.h> header. (This option is provided starting
+ with the BIND 4.9.4 release.) There are three ways to set this
+ option.
+
+ - The first way is
+
+ res_init();
+ _res.options |= RES_USE_INET6;
+
+ and then call either gethostbyname() or gethostbyname2(). This
+ option then affects only the process that is calling the
+ resolver.
+
+ - The second way to set this option is to set the environment
+ variable RES_OPTIONS, as in RES_OPTIONS=inet6. (This example is
+ for the Bourne and Korn shells.) This method affects any
+ processes that see this environment variable.
+
+ - The third way is to set this option in the resolver configuration
+ file (normally /etc/resolv.conf) and the option then affects all
+ applications on the host. This final method should not be done
+ until all applications on the host are capable of dealing with
+ IPv6 addresses.
+
+ There is no priority among these three methods. When the
+ RES_USE_INET6 option is set, two changes occur:
+
+ - gethostbyname(host) first calls gethostbyname2(host, AF_INET6)
+ looking for AAAA records, and if this fails it then calls
+ gethostbyname2(host, AF_INET) looking for A records.
+
+ - gethostbyname2(host, AF_INET) always returns IPv4-mapped IPv6
+ addresses with the h_length member of the hostent structure set
+ to 16.
+
+ An application must not enable the RES_USE_INET6 option until it is
+ prepared to deal with 16-byte addresses in the returned hostent
+ structure.
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 20]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The following table summarizes the operation of the existing
+ gethostbyname() function, the new function gethostbyname2(), along
+ with the new resolver option RES_USE_INET6.
+
++------------------+---------------------------------------------------+
+| | RES_USE_INET6 option |
+| +-------------------------+-------------------------+
+| | off | on |
++------------------+-------------------------+-------------------------+
+| |Search for A records. |Search for AAAA records. |
+| gethostbyname | If found, return IPv4 | If found, return IPv6 |
+| (host) | addresses (h_length=4). | addresses (h_length=16).|
+| | Else error. | Else search for A |
+| | | records. If found, |
+| |Provides backward | return IPv4-mapped IPv6 |
+| | compatibility with all | addresses (h_length=16).|
+| | existing IPv4 appls. | Else error. |
++------------------+-------------------------+-------------------------+
+| |Search for A records. |Search for A records. |
+| gethostbyname2 | If found, return IPv4 | If found, return |
+| (host, AF_INET) | addresses (h_length=4). | IPv4-mapped IPv6 |
+| | Else error. | addresses (h_length=16).|
+| | | Else error. |
++------------------+-------------------------+-------------------------+
+| |Search for AAAA records. |Search for AAAA records. |
+| gethostbyname2 | If found, return IPv6 | If found, return IPv6 |
+| (host, AF_INET6) | addresses (h_length=16).| addresses (h_length=16).|
+| | Else error. | Else error. |
++------------------+-------------------------+-------------------------+
+
+ It is expected that when a typical naive application that calls
+ gethostbyname() today is modified to use IPv6, it simply changes the
+ program to use IPv6 sockets and then enables the RES_USE_INET6
+ resolver option before calling gethostbyname(). This application
+ will then work with either IPv4 or IPv6 peers.
+
+ Note that gethostbyname() and gethostbyname2() are not thread-safe,
+ since both return a pointer to a static hostent structure. But
+ several vendors have defined a thread-safe gethostbyname_r() function
+ that requires four additional arguments. We expect these vendors to
+ also define a gethostbyname2_r() function.
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 21]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+6.2. Address To Hostname Translation
+
+ The existing gethostbyaddr() function already requires an address
+ family argument and can therefore work with IPv6 addresses:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ struct hostent *gethostbyaddr(const char *src, int len, int af);
+
+ One possible source of confusion is the handling of IPv4-mapped IPv6
+ addresses and IPv4-compatible IPv6 addresses. This is addressed in
+ [6] and involves the following logic:
+
+ 1. If af is AF_INET6, and if len equals 16, and if the IPv6 address
+ is an IPv4-mapped IPv6 address or an IPv4-compatible IPv6
+ address, then skip over the first 12 bytes of the IPv6 address,
+ set af to AF_INET, and set len to 4.
+
+ 2. If af is AF_INET, then query for a PTR record in the in-
+ addr.arpa domain.
+
+ 3. If af is AF_INET6, then query for a PTR record in the ip6.int
+ domain.
+
+ 4. If the function is returning success, and if af equals AF_INET,
+ and if the RES_USE_INET6 option was set, then the single address
+ that is returned in the hostent structure (a copy of the first
+ argument to the function) is returned as an IPv4-mapped IPv6
+ address and the h_length member is set to 16.
+
+ All four steps listed are performed, in order. The same caveats
+ regarding a thread-safe version of gethostbyname() that were made at
+ the end of the previous section apply here as well.
+
+6.3. Protocol-Independent Hostname and Service Name Translation
+
+ Hostname-to-address translation is done in a protocol-independent
+ fashion using the getaddrinfo() function that is taken from the
+ Institute of Electrical and Electronic Engineers (IEEE) POSIX 1003.1g
+ (Protocol Independent Interfaces) work in progress specification [4].
+
+ The official specification for this function will be the final POSIX
+ standard. We are providing this independent description of the
+ function because POSIX standards are not freely available (as are
+ IETF documents). Should there be any discrepancies between this
+ description and the POSIX description, the POSIX description takes
+ precedence.
+
+
+
+Gilligan, et. al. Informational [Page 22]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ int getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints,
+ struct addrinfo **res);
+
+ The addrinfo structure is defined as:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+ };
+
+ The return value from the function is 0 upon success or a nonzero
+ error code. The following names are the nonzero error codes from
+ getaddrinfo(), and are defined in <netdb.h>:
+
+ EAI_ADDRFAMILY address family for hostname not supported
+ EAI_AGAIN temporary failure in name resolution
+ EAI_BADFLAGS invalid value for ai_flags
+ EAI_FAIL non-recoverable failure in name resolution
+ EAI_FAMILY ai_family not supported
+ EAI_MEMORY memory allocation failure
+ EAI_NODATA no address associated with hostname
+ EAI_NONAME hostname nor servname provided, or not known
+ EAI_SERVICE servname not supported for ai_socktype
+ EAI_SOCKTYPE ai_socktype not supported
+ EAI_SYSTEM system error returned in errno
+
+ The hostname and servname arguments are pointers to null-terminated
+ strings or NULL. One or both of these two arguments must be a non-
+ NULL pointer. In the normal client scenario, both the hostname and
+ servname are specified. In the normal server scenario, only the
+ servname is specified. A non-NULL hostname string can be either a
+ host name or a numeric host address string (i.e., a dotted-decimal
+ IPv4 address or an IPv6 hex address). A non-NULL servname string can
+ be either a service name or a decimal port number.
+
+
+
+
+Gilligan, et. al. Informational [Page 23]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The caller can optionally pass an addrinfo structure, pointed to by
+ the third argument, to provide hints concerning the type of socket
+ that the caller supports. In this hints structure all members other
+ than ai_flags, ai_family, ai_socktype, and ai_protocol must be zero
+ or a NULL pointer. A value of PF_UNSPEC for ai_family means the
+ caller will accept any protocol family. A value of 0 for ai_socktype
+ means the caller will accept any socket type. A value of 0 for
+ ai_protocol means the caller will accept any protocol. For example,
+ if the caller handles only TCP and not UDP, then the ai_socktype
+ member of the hints structure should be set to SOCK_STREAM when
+ getaddrinfo() is called. If the caller handles only IPv4 and not
+ IPv6, then the ai_family member of the hints structure should be set
+ to PF_INET when getaddrinfo() is called. If the third argument to
+ getaddrinfo() is a NULL pointer, this is the same as if the caller
+ had filled in an addrinfo structure initialized to zero with
+ ai_family set to PF_UNSPEC.
+
+ Upon successful return a pointer to a linked list of one or more
+ addrinfo structures is returned through the final argument. The
+ caller can process each addrinfo structure in this list by following
+ the ai_next pointer, until a NULL pointer is encountered. In each
+ returned addrinfo structure the three members ai_family, ai_socktype,
+ and ai_protocol are the corresponding arguments for a call to the
+ socket() function. In each addrinfo structure the ai_addr member
+ points to a filled-in socket address structure whose length is
+ specified by the ai_addrlen member.
+
+ If the AI_PASSIVE bit is set in the ai_flags member of the hints
+ structure, then the caller plans to use the returned socket address
+ structure in a call to bind(). In this case, if the hostname
+ argument is a NULL pointer, then the IP address portion of the socket
+ address structure will be set to INADDR_ANY for an IPv4 address or
+ IN6ADDR_ANY_INIT for an IPv6 address.
+
+ If the AI_PASSIVE bit is not set in the ai_flags member of the hints
+ structure, then the returned socket address structure will be ready
+ for a call to connect() (for a connection-oriented protocol) or
+ either connect(), sendto(), or sendmsg() (for a connectionless
+ protocol). In this case, if the hostname argument is a NULL pointer,
+ then the IP address portion of the socket address structure will be
+ set to the loopback address.
+
+ If the AI_CANONNAME bit is set in the ai_flags member of the hints
+ structure, then upon successful return the ai_canonname member of the
+ first addrinfo structure in the linked list will point to a null-
+ terminated string containing the canonical name of the specified
+ hostname.
+
+
+
+
+Gilligan, et. al. Informational [Page 24]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ All of the information returned by getaddrinfo() is dynamically
+ allocated: the addrinfo structures, and the socket address structures
+ and canonical host name strings pointed to by the addrinfo
+ structures. To return this information to the system the function
+ freeaddrinfo() is called:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ void freeaddrinfo(struct addrinfo *ai);
+
+ The addrinfo structure pointed to by the ai argument is freed, along
+ with any dynamic storage pointed to by the structure. This operation
+ is repeated until a NULL ai_next pointer is encountered.
+
+ To aid applications in printing error messages based on the EAI_xxx
+ codes returned by getaddrinfo(), the following function is defined.
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ char *gai_strerror(int ecode);
+
+ The argument is one of the EAI_xxx values defined earlier and the
+ eturn value points to a string describing the error. If the argument
+ is not one of the EAI_xxx values, the function still returns a
+ pointer to a string whose contents indicate an unknown error.
+
+6.4. Socket Address Structure to Hostname and Service Name
+
+ The POSIX 1003.1g specification includes no function to perform the
+ reverse conversion from getaddrinfo(): to look up a hostname and
+ service name, given the binary address and port. Therefore, we
+ define the following function:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ int getnameinfo(const struct sockaddr *sa, size_t salen,
+ char *host, size_t hostlen,
+ char *serv, size_t servlen,
+ int flags);
+
+ This function looks up an IP address and port number provided by the
+ caller in the DNS and system-specific database, and returns text
+ strings for both in buffers provided by the caller. The function
+ indicates successful completion by a zero return value; a non-zero
+ return value indicates failure.
+
+
+
+Gilligan, et. al. Informational [Page 25]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The first argument, sa, points to either a sockaddr_in structure (for
+ IPv4) or a sockaddr_in6 structure (for IPv6) that holds the IP
+ address and port number. The salen argument gives the length of the
+ sockaddr_in or sockaddr_in6 structure.
+
+ The function returns the hostname associated with the IP address in
+ the buffer pointed to by the host argument. The caller provides the
+ size of this buffer via the hostlen argument. The service name
+ associated with the port number is returned in the buffer pointed to
+ by serv, and the servlen argument gives the length of this buffer.
+ The caller specifies not to return either string by providing a zero
+ value for the hostlen or servlen arguments. Otherwise, the caller
+ must provide buffers large enough to hold the hostname and the
+ service name, including the terminating null characters.
+
+ Unfortunately most systems do not provide constants that specify the
+ maximum size of either a fully-qualified domain name or a service
+ name. Therefore to aid the application in allocating buffers for
+ these two returned strings the following constants are defined in
+ <netdb.h>:
+
+ #define NI_MAXHOST 1025
+ #define NI_MAXSERV 32
+
+ The first value is actually defined as the constant MAXDNAME in
+ recent versions of BIND's <arpa/nameser.h> header (older versions of
+ BIND define this constant to be 256) and the second is a guess based
+ on the services listed in the current Assigned Numbers RFC.
+
+ The final argument is a flag that changes the default actions of this
+ function. By default the fully-qualified domain name (FQDN) for the
+ host is looked up in the DNS and returned. If the flag bit NI_NOFQDN
+ is set, only the hostname portion of the FQDN is returned for local
+ hosts.
+
+ If the flag bit NI_NUMERICHOST is set, or if the host's name cannot
+ be located in the DNS, the numeric form of the host's address is
+ returned instead of its name (e.g., by calling inet_ntop() instead of
+ gethostbyaddr()). If the flag bit NI_NAMEREQD is set, an error is
+ returned if the host's name cannot be located in the DNS.
+
+ If the flag bit NI_NUMERICSERV is set, the numeric form of the
+ service address is returned (e.g., its port number) instead of its
+ name. The two NI_NUMERICxxx flags are required to support the "-n"
+ flag that many commands provide.
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 26]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ A fifth flag bit, NI_DGRAM, specifies that the service is a datagram
+ service, and causes getservbyport() to be called with a second
+ argument of "udp" instead of its default of "tcp". This is required
+ for the few ports (512-514) that have different services for UDP and
+ TCP.
+
+ These NI_xxx flags are defined in <netdb.h> along with the AI_xxx
+ flags already defined for getaddrinfo().
+
+6.5. Address Conversion Functions
+
+ The two functions inet_addr() and inet_ntoa() convert an IPv4 address
+ between binary and text form. IPv6 applications need similar
+ functions. The following two functions convert both IPv6 and IPv4
+ addresses:
+
+ #include <sys/socket.h>
+ #include <arpa/inet.h>
+
+ int inet_pton(int af, const char *src, void *dst);
+
+ const char *inet_ntop(int af, const void *src,
+ char *dst, size_t size);
+
+ The inet_pton() function converts an address in its standard text
+ presentation form into its numeric binary form. The af argument
+ specifies the family of the address. Currently the AF_INET and
+ AF_INET6 address families are supported. The src argument points to
+ the string being passed in. The dst argument points to a buffer into
+ which the function stores the numeric address. The address is
+ returned in network byte order. Inet_pton() returns 1 if the
+ conversion succeeds, 0 if the input is not a valid IPv4 dotted-
+ decimal string or a valid IPv6 address string, or -1 with errno set
+ to EAFNOSUPPORT if the af argument is unknown. The calling
+ application must ensure that the buffer referred to by dst is large
+ enough to hold the numeric address (e.g., 4 bytes for AF_INET or 16
+ bytes for AF_INET6).
+
+ If the af argument is AF_INET, the function accepts a string in the
+ standard IPv4 dotted-decimal form:
+
+ ddd.ddd.ddd.ddd
+
+ where ddd is a one to three digit decimal number between 0 and 255.
+ Note that many implementations of the existing inet_addr() and
+ inet_aton() functions accept nonstandard input: octal numbers,
+ hexadecimal numbers, and fewer than four numbers. inet_pton() does
+ not accept these formats.
+
+
+
+Gilligan, et. al. Informational [Page 27]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ If the af argument is AF_INET6, then the function accepts a string in
+ one of the standard IPv6 text forms defined in Section 2.2 of the
+ addressing architecture specification [2].
+
+ The inet_ntop() function converts a numeric address into a text
+ string suitable for presentation. The af argument specifies the
+ family of the address. This can be AF_INET or AF_INET6. The src
+ argument points to a buffer holding an IPv4 address if the af
+ argument is AF_INET, or an IPv6 address if the af argument is
+ AF_INET6. The dst argument points to a buffer where the function
+ will store the resulting text string. The size argument specifies
+ the size of this buffer. The application must specify a non-NULL dst
+ argument. For IPv6 addresses, the buffer must be at least 46-octets.
+ For IPv4 addresses, the buffer must be at least 16-octets. In order
+ to allow applications to easily declare buffers of the proper size to
+ store IPv4 and IPv6 addresses in string form, the following two
+ constants are defined in <netinet/in.h>:
+
+ #define INET_ADDRSTRLEN 16
+ #define INET6_ADDRSTRLEN 46
+
+ The inet_ntop() function returns a pointer to the buffer containing
+ the text string if the conversion succeeds, and NULL otherwise. Upon
+ failure, errno is set to EAFNOSUPPORT if the af argument is invalid
+ or ENOSPC if the size of the result buffer is inadequate.
+
+6.6. Address Testing Macros
+
+ The following macros can be used to test for special IPv6 addresses.
+
+ #include <netinet/in.h>
+
+ int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
+ int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
+ int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
+ int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
+ int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
+
+ int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 28]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ The first seven macros return true if the address is of the specified
+ type, or false otherwise. The last five test the scope of a
+ multicast address and return true if the address is a multicast
+ address of the specified scope or false if the address is either not
+ a multicast address or not of the specified scope.
+
+7. Summary of New Definitions
+
+ The following list summarizes the constants, structure, and extern
+ definitions discussed in this memo, sorted by header.
+
+ <net/if.h> IFNAMSIZ
+ <net/if.h> struct if_nameindex{};
+
+ <netdb.h> AI_CANONNAME
+ <netdb.h> AI_PASSIVE
+ <netdb.h> EAI_ADDRFAMILY
+ <netdb.h> EAI_AGAIN
+ <netdb.h> EAI_BADFLAGS
+ <netdb.h> EAI_FAIL
+ <netdb.h> EAI_FAMILY
+ <netdb.h> EAI_MEMORY
+ <netdb.h> EAI_NODATA
+ <netdb.h> EAI_NONAME
+ <netdb.h> EAI_SERVICE
+ <netdb.h> EAI_SOCKTYPE
+ <netdb.h> EAI_SYSTEM
+ <netdb.h> NI_DGRAM
+ <netdb.h> NI_MAXHOST
+ <netdb.h> NI_MAXSERV
+ <netdb.h> NI_NAMEREQD
+ <netdb.h> NI_NOFQDN
+ <netdb.h> NI_NUMERICHOST
+ <netdb.h> NI_NUMERICSERV
+ <netdb.h> struct addrinfo{};
+
+ <netinet/in.h> IN6ADDR_ANY_INIT
+ <netinet/in.h> IN6ADDR_LOOPBACK_INIT
+ <netinet/in.h> INET6_ADDRSTRLEN
+ <netinet/in.h> INET_ADDRSTRLEN
+ <netinet/in.h> IPPROTO_IPV6
+ <netinet/in.h> IPV6_ADDRFORM
+ <netinet/in.h> IPV6_ADD_MEMBERSHIP
+ <netinet/in.h> IPV6_DROP_MEMBERSHIP
+ <netinet/in.h> IPV6_MULTICAST_HOPS
+ <netinet/in.h> IPV6_MULTICAST_IF
+ <netinet/in.h> IPV6_MULTICAST_LOOP
+ <netinet/in.h> IPV6_UNICAST_HOPS
+
+
+
+Gilligan, et. al. Informational [Page 29]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ <netinet/in.h> SIN6_LEN
+ <netinet/in.h> extern const struct in6_addr in6addr_any;
+ <netinet/in.h> extern const struct in6_addr in6addr_loopback;
+ <netinet/in.h> struct in6_addr{};
+ <netinet/in.h> struct ipv6_mreq{};
+ <netinet/in.h> struct sockaddr_in6{};
+
+ <resolv.h> RES_USE_INET6
+
+ <sys/socket.h> AF_INET6
+ <sys/socket.h> PF_INET6
+
+
+ The following list summarizes the function and macro prototypes
+ discussed in this memo, sorted by header.
+
+<arpa/inet.h> int inet_pton(int, const char *, void *);
+<arpa/inet.h> const char *inet_ntop(int, const void *,
+ char *, size_t);
+
+<net/if.h> char *if_indextoname(unsigned int, char *);
+<net/if.h> unsigned int if_nametoindex(const char *);
+<net/if.h> void if_freenameindex(struct if_nameindex *);
+<net/if.h> struct if_nameindex *if_nameindex(void);
+
+<netdb.h> int getaddrinfo(const char *, const char *,
+ const struct addrinfo *,
+ struct addrinfo **);
+<netdb.h> int getnameinfo(const struct sockaddr *, size_t,
+ char *, size_t, char *, size_t, int);
+<netdb.h> void freeaddrinfo(struct addrinfo *);
+<netdb.h> char *gai_strerror(int);
+<netdb.h> struct hostent *gethostbyname(const char *);
+<netdb.h> struct hostent *gethostbyaddr(const char *, int, int);
+<netdb.h> struct hostent *gethostbyname2(const char *, int);
+
+<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
+
+
+
+Gilligan, et. al. Informational [Page 30]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+8. Security Considerations
+
+ IPv6 provides a number of new security mechanisms, many of which need
+ to be accessible to applications. A companion memo detailing the
+ extensions to the socket interfaces to support IPv6 security is being
+ written [3].
+
+9. Acknowledgments
+
+ Thanks to the many people who made suggestions and provided feedback
+ to to the numerous revisions of this document, including: Werner
+ Almesberger, Ran Atkinson, Fred Baker, Dave Borman, Andrew Cherenson,
+ Alex Conta, Alan Cox, Steve Deering, Richard Draves, Francis Dupont,
+ Robert Elz, Marc Hasson, Tim Hartrick, Tom Herbert, Bob Hinden, Wan-
+ Yen Hsu, Christian Huitema, Koji Imada, Markus Jork, Ron Lee, Alan
+ Lloyd, Charles Lynn, Jack McCann, Dan McDonald, Dave Mitton, Thomas
+ Narten, Erik Nordmark, Josh Osborne, Craig Partridge, Jean-Luc
+ Richier, Erik Scoredos, Keith Sklower, Matt Thomas, Harvey Thompson,
+ Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie, David
+ Waitzman, Carl Williams, and Kazuhiko Yamamoto,
+
+ The getaddrinfo() and getnameinfo() functions are taken from an
+ earlier Work in Progress by Keith Sklower. As noted in that
+ document, William Durst, Steven Wise, Michael Karels, and Eric Allman
+ provided many useful discussions on the subject of protocol-
+ independent name-to-address translation, and reviewed early versions
+ of Keith Sklower's original proposal. Eric Allman implemented the
+ first prototype of getaddrinfo(). The observation that specifying
+ the pair of name and service would suffice for connecting to a
+ service independent of protocol details was made by Marshall Rose in
+ a proposal to X/Open for a "Uniform Network Interface".
+
+ Craig Metz made many contributions to this document. Ramesh Govindan
+ made a number of contributions and co-authored an earlier version of
+ this memo.
+
+10. References
+
+ [1] Deering, S., and R. Hinden, "Internet Protocol, Version 6 (IPv6)
+ Specification", RFC 1883, December 1995.
+
+ [2] Hinden, R., and S. Deering, "IP Version 6 Addressing Architecture",
+ RFC 1884, December 1995.
+
+ [3] McDonald, D., "A Simple IP Security API Extension to BSD Sockets",
+ Work in Progress.
+
+
+
+
+
+Gilligan, et. al. Informational [Page 31]
+
+RFC 2133 IPv6 Socket Interface Extensions April 1997
+
+
+ [4] IEEE, "Protocol Independent Interfaces", IEEE Std 1003.1g, DRAFT
+ 6.3, November 1995.
+
+ [5] Stevens, W., and M. Thomas, "Advanced Sockets API for IPv6",
+ Work in Progress.
+
+ [6] Vixie, P., "Reverse Name Lookups of Encapsulated IPv4 Addresses in
+ IPv6", Work in Progress.
+
+11. Authors' Addresses
+
+ Robert E. Gilligan
+ Freegate Corporation
+ 710 Lakeway Dr. STE 230
+ Sunnyvale, CA 94086
+
+ Phone: +1 408 524 4804
+ EMail: gilligan@freegate.net
+
+
+ Susan Thomson
+ Bell Communications Research
+ MRE 2P-343, 445 South Street
+ Morristown, NJ 07960
+
+ Phone: +1 201 829 4514
+ EMail: set@thumper.bellcore.com
+
+
+ Jim Bound
+ Digital Equipment Corporation
+ 110 Spitbrook Road ZK3-3/U14
+ Nashua, NH 03062-2698
+
+ Phone: +1 603 881 0400
+ Email: bound@zk3.dec.com
+
+
+ W. Richard Stevens
+ 1202 E. Paseo del Zorro
+ Tucson, AZ 85718-2826
+
+ Phone: +1 520 297 9416
+ EMail: rstevens@kohala.com
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 32]
+
diff --git a/contrib/bind9/doc/rfc/rfc2136.txt b/contrib/bind9/doc/rfc/rfc2136.txt
new file mode 100644
index 0000000..4d62702
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2136.txt
@@ -0,0 +1,1460 @@
+
+
+
+
+
+
+Network Working Group P. Vixie, Editor
+Request for Comments: 2136 ISC
+Updates: 1035 S. Thomson
+Category: Standards Track Bellcore
+ Y. Rekhter
+ Cisco
+ J. Bound
+ DEC
+ April 1997
+
+ Dynamic Updates in the Domain Name System (DNS UPDATE)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ The Domain Name System was originally designed to support queries of
+ a statically configured database. While the data was expected to
+ change, the frequency of those changes was expected to be fairly low,
+ and all updates were made as external edits to a zone's Master File.
+
+ Using this specification of the UPDATE opcode, it is possible to add
+ or delete RRs or RRsets from a specified zone. Prerequisites are
+ specified separately from update operations, and can specify a
+ dependency upon either the previous existence or nonexistence of an
+ RRset, or the existence of a single RR.
+
+ UPDATE is atomic, i.e., all prerequisites must be satisfied or else
+ no update operations will take place. There are no data dependent
+ error conditions defined after the prerequisites have been met.
+
+1 - Definitions
+
+ This document intentionally gives more definition to the roles of
+ "Master," "Slave," and "Primary Master" servers, and their
+ enumeration in NS RRs, and the SOA MNAME field. In that sense, the
+ following server type definitions can be considered an addendum to
+ [RFC1035], and are intended to be consistent with [RFC1996]:
+
+ Slave an authoritative server that uses AXFR or IXFR to
+ retrieve the zone and is named in the zone's NS
+ RRset.
+
+
+
+Vixie, et. al. Standards Track [Page 1]
+
+RFC 2136 DNS Update April 1997
+
+
+ Master an authoritative server configured to be the
+ source of AXFR or IXFR data for one or more slave
+ servers.
+
+ Primary Master master server at the root of the AXFR/IXFR
+ dependency graph. The primary master is named in
+ the zone's SOA MNAME field and optionally by an NS
+ RR. There is by definition only one primary master
+ server per zone.
+
+ A domain name identifies a node within the domain name space tree
+ structure. Each node has a set (possibly empty) of Resource Records
+ (RRs). All RRs having the same NAME, CLASS and TYPE are called a
+ Resource Record Set (RRset).
+
+ The pseudocode used in this document is for example purposes only.
+ If it is found to disagree with the text, the text shall be
+ considered authoritative. If the text is found to be ambiguous, the
+ pseudocode can be used to help resolve the ambiguity.
+
+ 1.1 - Comparison Rules
+
+ 1.1.1. Two RRs are considered equal if their NAME, CLASS, TYPE,
+ RDLENGTH and RDATA fields are equal. Note that the time-to-live
+ (TTL) field is explicitly excluded from the comparison.
+
+ 1.1.2. The rules for comparison of character strings in names are
+ specified in [RFC1035 2.3.3].
+
+ 1.1.3. Wildcarding is disabled. That is, a wildcard ("*") in an
+ update only matches a wildcard ("*") in the zone, and vice versa.
+
+ 1.1.4. Aliasing is disabled: A CNAME in the zone matches a CNAME in
+ the update, and will not otherwise be followed. All UPDATE
+ operations are done on the basis of canonical names.
+
+ 1.1.5. The following RR types cannot be appended to an RRset. If the
+ following comparison rules are met, then an attempt to add the new RR
+ will result in the replacement of the previous RR:
+
+ SOA compare only NAME, CLASS and TYPE -- it is not possible to
+ have more than one SOA per zone, even if any of the data
+ fields differ.
+
+ WKS compare only NAME, CLASS, TYPE, ADDRESS, and PROTOCOL
+ -- only one WKS RR is possible for this tuple, even if the
+ services masks differ.
+
+
+
+
+Vixie, et. al. Standards Track [Page 2]
+
+RFC 2136 DNS Update April 1997
+
+
+ CNAME compare only NAME, CLASS, and TYPE -- it is not possible
+ to have more than one CNAME RR, even if their data fields
+ differ.
+
+ 1.2 - Glue RRs
+
+ For the purpose of determining whether a domain name used in the
+ UPDATE protocol is contained within a specified zone, a domain name
+ is "in" a zone if it is owned by that zone's domain name. See
+ section 7.18 for details.
+
+ 1.3 - New Assigned Numbers
+
+ CLASS = NONE (254)
+ RCODE = YXDOMAIN (6)
+ RCODE = YXRRSET (7)
+ RCODE = NXRRSET (8)
+ RCODE = NOTAUTH (9)
+ RCODE = NOTZONE (10)
+ Opcode = UPDATE (5)
+
+2 - Update Message Format
+
+ The DNS Message Format is defined by [RFC1035 4.1]. Some extensions
+ are necessary (for example, more error codes are possible under
+ UPDATE than under QUERY) and some fields must be overloaded (see
+ description of CLASS fields below).
+
+ The overall format of an UPDATE message is, following [ibid]:
+
+ +---------------------+
+ | Header |
+ +---------------------+
+ | Zone | specifies the zone to be updated
+ +---------------------+
+ | Prerequisite | RRs or RRsets which must (not) preexist
+ +---------------------+
+ | Update | RRs or RRsets to be added or deleted
+ +---------------------+
+ | Additional Data | additional data
+ +---------------------+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 3]
+
+RFC 2136 DNS Update April 1997
+
+
+ The Header Section specifies that this message is an UPDATE, and
+ describes the size of the other sections. The Zone Section names the
+ zone that is to be updated by this message. The Prerequisite Section
+ specifies the starting invariants (in terms of zone content) required
+ for this update. The Update Section contains the edits to be made,
+ and the Additional Data Section contains data which may be necessary
+ to complete, but is not part of, this update.
+
+ 2.1 - Transport Issues
+
+ An update transaction may be carried in a UDP datagram, if the
+ request fits, or in a TCP connection (at the discretion of the
+ requestor). When TCP is used, the message is in the format described
+ in [RFC1035 4.2.2].
+
+ 2.2 - Message Header
+
+ The header of the DNS Message Format is defined by [RFC 1035 4.1].
+ Not all opcodes define the same set of flag bits, though as a
+ practical matter most of the bits defined for QUERY (in [ibid]) are
+ identically defined by the other opcodes. UPDATE uses only one flag
+ bit (QR).
+
+ The DNS Message Format specifies record counts for its four sections
+ (Question, Answer, Authority, and Additional). UPDATE uses the same
+ fields, and the same section formats, but the naming and use of these
+ sections differs as shown in the following modified header, after
+ [RFC1035 4.1.1]:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| Opcode | Z | RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ZOCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PRCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | UPCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ADCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 4]
+
+RFC 2136 DNS Update April 1997
+
+
+ These fields are used as follows:
+
+ ID A 16-bit identifier assigned by the entity that generates any
+ kind of request. This identifier is copied in the
+ corresponding reply and can be used by the requestor to match
+ replies to outstanding requests, or by the server to detect
+ duplicated requests from some requestor.
+
+ QR A one bit field that specifies whether this message is a
+ request (0), or a response (1).
+
+ Opcode A four bit field that specifies the kind of request in this
+ message. This value is set by the originator of a request
+ and copied into the response. The Opcode value that
+ identifies an UPDATE message is five (5).
+
+ Z Reserved for future use. Should be zero (0) in all requests
+ and responses. A non-zero Z field should be ignored by
+ implementations of this specification.
+
+ RCODE Response code - this four bit field is undefined in requests
+ and set in responses. The values and meanings of this field
+ within responses are as follows:
+
+ Mneumonic Value Description
+ ------------------------------------------------------------
+ NOERROR 0 No error condition.
+ FORMERR 1 The name server was unable to interpret
+ the request due to a format error.
+ SERVFAIL 2 The name server encountered an internal
+ failure while processing this request,
+ for example an operating system error
+ or a forwarding timeout.
+ NXDOMAIN 3 Some name that ought to exist,
+ does not exist.
+ NOTIMP 4 The name server does not support
+ the specified Opcode.
+ REFUSED 5 The name server refuses to perform the
+ specified operation for policy or
+ security reasons.
+ YXDOMAIN 6 Some name that ought not to exist,
+ does exist.
+ YXRRSET 7 Some RRset that ought not to exist,
+ does exist.
+ NXRRSET 8 Some RRset that ought to exist,
+ does not exist.
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 5]
+
+RFC 2136 DNS Update April 1997
+
+
+ NOTAUTH 9 The server is not authoritative for
+ the zone named in the Zone Section.
+ NOTZONE 10 A name used in the Prerequisite or
+ Update Section is not within the
+ zone denoted by the Zone Section.
+
+ ZOCOUNT The number of RRs in the Zone Section.
+
+ PRCOUNT The number of RRs in the Prerequisite Section.
+
+ UPCOUNT The number of RRs in the Update Section.
+
+ ADCOUNT The number of RRs in the Additional Data Section.
+
+ 2.3 - Zone Section
+
+ The Zone Section has the same format as that specified in [RFC1035
+ 4.1.2], with the fields redefined as follows:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / ZNAME /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ZTYPE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ZCLASS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ UPDATE uses this section to denote the zone of the records being
+ updated. All records to be updated must be in the same zone, and
+ therefore the Zone Section is allowed to contain exactly one record.
+ The ZNAME is the zone name, the ZTYPE must be SOA, and the ZCLASS is
+ the zone's class.
+
+ 2.4 - Prerequisite Section
+
+ This section contains a set of RRset prerequisites which must be
+ satisfied at the time the UPDATE packet is received by the primary
+ master server. The format of this section is as specified by
+ [RFC1035 4.1.3]. There are five possible sets of semantics that can
+ be expressed here, summarized as follows and then explained below.
+
+ (1) RRset exists (value independent). At least one RR with a
+ specified NAME and TYPE (in the zone and class specified by
+ the Zone Section) must exist.
+
+
+
+Vixie, et. al. Standards Track [Page 6]
+
+RFC 2136 DNS Update April 1997
+
+
+ (2) RRset exists (value dependent). A set of RRs with a
+ specified NAME and TYPE exists and has the same members
+ with the same RDATAs as the RRset specified here in this
+ Section.
+
+ (3) RRset does not exist. No RRs with a specified NAME and TYPE
+ (in the zone and class denoted by the Zone Section) can exist.
+
+ (4) Name is in use. At least one RR with a specified NAME (in
+ the zone and class specified by the Zone Section) must exist.
+ Note that this prerequisite is NOT satisfied by empty
+ nonterminals.
+
+ (5) Name is not in use. No RR of any type is owned by a
+ specified NAME. Note that this prerequisite IS satisfied by
+ empty nonterminals.
+
+ The syntax of these is as follows:
+
+ 2.4.1 - RRset Exists (Value Independent)
+
+ At least one RR with a specified NAME and TYPE (in the zone and class
+ specified in the Zone Section) must exist.
+
+ For this prerequisite, a requestor adds to the section a single RR
+ whose NAME and TYPE are equal to that of the zone RRset whose
+ existence is required. RDLENGTH is zero and RDATA is therefore
+ empty. CLASS must be specified as ANY to differentiate this
+ condition from that of an actual RR whose RDLENGTH is naturally zero
+ (0) (e.g., NULL). TTL is specified as zero (0).
+
+ 2.4.2 - RRset Exists (Value Dependent)
+
+ A set of RRs with a specified NAME and TYPE exists and has the same
+ members with the same RDATAs as the RRset specified here in this
+ section. While RRset ordering is undefined and therefore not
+ significant to this comparison, the sets be identical in their
+ extent.
+
+ For this prerequisite, a requestor adds to the section an entire
+ RRset whose preexistence is required. NAME and TYPE are that of the
+ RRset being denoted. CLASS is that of the zone. TTL must be
+ specified as zero (0) and is ignored when comparing RRsets for
+ identity.
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 7]
+
+RFC 2136 DNS Update April 1997
+
+
+ 2.4.3 - RRset Does Not Exist
+
+ No RRs with a specified NAME and TYPE (in the zone and class denoted
+ by the Zone Section) can exist.
+
+ For this prerequisite, a requestor adds to the section a single RR
+ whose NAME and TYPE are equal to that of the RRset whose nonexistence
+ is required. The RDLENGTH of this record is zero (0), and RDATA
+ field is therefore empty. CLASS must be specified as NONE in order
+ to distinguish this condition from a valid RR whose RDLENGTH is
+ naturally zero (0) (for example, the NULL RR). TTL must be specified
+ as zero (0).
+
+ 2.4.4 - Name Is In Use
+
+ Name is in use. At least one RR with a specified NAME (in the zone
+ and class specified by the Zone Section) must exist. Note that this
+ prerequisite is NOT satisfied by empty nonterminals.
+
+ For this prerequisite, a requestor adds to the section a single RR
+ whose NAME is equal to that of the name whose ownership of an RR is
+ required. RDLENGTH is zero and RDATA is therefore empty. CLASS must
+ be specified as ANY to differentiate this condition from that of an
+ actual RR whose RDLENGTH is naturally zero (0) (e.g., NULL). TYPE
+ must be specified as ANY to differentiate this case from that of an
+ RRset existence test. TTL is specified as zero (0).
+
+ 2.4.5 - Name Is Not In Use
+
+ Name is not in use. No RR of any type is owned by a specified NAME.
+ Note that this prerequisite IS satisfied by empty nonterminals.
+
+ For this prerequisite, a requestor adds to the section a single RR
+ whose NAME is equal to that of the name whose nonownership of any RRs
+ is required. RDLENGTH is zero and RDATA is therefore empty. CLASS
+ must be specified as NONE. TYPE must be specified as ANY. TTL must
+ be specified as zero (0).
+
+ 2.5 - Update Section
+
+ This section contains RRs to be added to or deleted from the zone.
+ The format of this section is as specified by [RFC1035 4.1.3]. There
+ are four possible sets of semantics, summarized below and with
+ details to follow.
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 8]
+
+RFC 2136 DNS Update April 1997
+
+
+ (1) Add RRs to an RRset.
+ (2) Delete an RRset.
+ (3) Delete all RRsets from a name.
+ (4) Delete an RR from an RRset.
+
+ The syntax of these is as follows:
+
+ 2.5.1 - Add To An RRset
+
+ RRs are added to the Update Section whose NAME, TYPE, TTL, RDLENGTH
+ and RDATA are those being added, and CLASS is the same as the zone
+ class. Any duplicate RRs will be silently ignored by the primary
+ master.
+
+ 2.5.2 - Delete An RRset
+
+ One RR is added to the Update Section whose NAME and TYPE are those
+ of the RRset to be deleted. TTL must be specified as zero (0) and is
+ otherwise not used by the primary master. CLASS must be specified as
+ ANY. RDLENGTH must be zero (0) and RDATA must therefore be empty.
+ If no such RRset exists, then this Update RR will be silently ignored
+ by the primary master.
+
+ 2.5.3 - Delete All RRsets From A Name
+
+ One RR is added to the Update Section whose NAME is that of the name
+ to be cleansed of RRsets. TYPE must be specified as ANY. TTL must
+ be specified as zero (0) and is otherwise not used by the primary
+ master. CLASS must be specified as ANY. RDLENGTH must be zero (0)
+ and RDATA must therefore be empty. If no such RRsets exist, then
+ this Update RR will be silently ignored by the primary master.
+
+ 2.5.4 - Delete An RR From An RRset
+
+ RRs to be deleted are added to the Update Section. The NAME, TYPE,
+ RDLENGTH and RDATA must match the RR being deleted. TTL must be
+ specified as zero (0) and will otherwise be ignored by the primary
+ master. CLASS must be specified as NONE to distinguish this from an
+ RR addition. If no such RRs exist, then this Update RR will be
+ silently ignored by the primary master.
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 9]
+
+RFC 2136 DNS Update April 1997
+
+
+ 2.6 - Additional Data Section
+
+ This section contains RRs which are related to the update itself, or
+ to new RRs being added by the update. For example, out of zone glue
+ (A RRs referred to by new NS RRs) should be presented here. The
+ server can use or ignore out of zone glue, at the discretion of the
+ server implementor. The format of this section is as specified by
+ [RFC1035 4.1.3].
+
+3 - Server Behavior
+
+ A server, upon receiving an UPDATE request, will signal NOTIMP to the
+ requestor if the UPDATE opcode is not recognized or if it is
+ recognized but has not been implemented. Otherwise, processing
+ continues as follows.
+
+ 3.1 - Process Zone Section
+
+ 3.1.1. The Zone Section is checked to see that there is exactly one
+ RR therein and that the RR's ZTYPE is SOA, else signal FORMERR to the
+ requestor. Next, the ZNAME and ZCLASS are checked to see if the zone
+ so named is one of this server's authority zones, else signal NOTAUTH
+ to the requestor. If the server is a zone slave, the request will be
+ forwarded toward the primary master.
+
+ 3.1.2 - Pseudocode For Zone Section Processing
+
+ if (zcount != 1 || ztype != SOA)
+ return (FORMERR)
+ if (zone_type(zname, zclass) == SLAVE)
+ return forward()
+ if (zone_type(zname, zclass) == MASTER)
+ return update()
+ return (NOTAUTH)
+
+ Sections 3.2 through 3.8 describe the primary master's behaviour,
+ whereas Section 6 describes a forwarder's behaviour.
+
+ 3.2 - Process Prerequisite Section
+
+ Next, the Prerequisite Section is checked to see that all
+ prerequisites are satisfied by the current state of the zone. Using
+ the definitions expressed in Section 1.2, if any RR's NAME is not
+ within the zone specified in the Zone Section, signal NOTZONE to the
+ requestor.
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 10]
+
+RFC 2136 DNS Update April 1997
+
+
+ 3.2.1. For RRs in this section whose CLASS is ANY, test to see that
+ TTL and RDLENGTH are both zero (0), else signal FORMERR to the
+ requestor. If TYPE is ANY, test to see that there is at least one RR
+ in the zone whose NAME is the same as that of the Prerequisite RR,
+ else signal NXDOMAIN to the requestor. If TYPE is not ANY, test to
+ see that there is at least one RR in the zone whose NAME and TYPE are
+ the same as that of the Prerequisite RR, else signal NXRRSET to the
+ requestor.
+
+ 3.2.2. For RRs in this section whose CLASS is NONE, test to see that
+ the TTL and RDLENGTH are both zero (0), else signal FORMERR to the
+ requestor. If the TYPE is ANY, test to see that there are no RRs in
+ the zone whose NAME is the same as that of the Prerequisite RR, else
+ signal YXDOMAIN to the requestor. If the TYPE is not ANY, test to
+ see that there are no RRs in the zone whose NAME and TYPE are the
+ same as that of the Prerequisite RR, else signal YXRRSET to the
+ requestor.
+
+ 3.2.3. For RRs in this section whose CLASS is the same as the ZCLASS,
+ test to see that the TTL is zero (0), else signal FORMERR to the
+ requestor. Then, build an RRset for each unique <NAME,TYPE> and
+ compare each resulting RRset for set equality (same members, no more,
+ no less) with RRsets in the zone. If any Prerequisite RRset is not
+ entirely and exactly matched by a zone RRset, signal NXRRSET to the
+ requestor. If any RR in this section has a CLASS other than ZCLASS
+ or NONE or ANY, signal FORMERR to the requestor.
+
+ 3.2.4 - Table Of Metavalues Used In Prerequisite Section
+
+ CLASS TYPE RDATA Meaning
+ ------------------------------------------------------------
+ ANY ANY empty Name is in use
+ ANY rrset empty RRset exists (value independent)
+ NONE ANY empty Name is not in use
+ NONE rrset empty RRset does not exist
+ zone rrset rr RRset exists (value dependent)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 11]
+
+RFC 2136 DNS Update April 1997
+
+
+ 3.2.5 - Pseudocode for Prerequisite Section Processing
+
+ for rr in prerequisites
+ if (rr.ttl != 0)
+ return (FORMERR)
+ if (zone_of(rr.name) != ZNAME)
+ return (NOTZONE);
+ if (rr.class == ANY)
+ if (rr.rdlength != 0)
+ return (FORMERR)
+ if (rr.type == ANY)
+ if (!zone_name<rr.name>)
+ return (NXDOMAIN)
+ else
+ if (!zone_rrset<rr.name, rr.type>)
+ return (NXRRSET)
+ if (rr.class == NONE)
+ if (rr.rdlength != 0)
+ return (FORMERR)
+ if (rr.type == ANY)
+ if (zone_name<rr.name>)
+ return (YXDOMAIN)
+ else
+ if (zone_rrset<rr.name, rr.type>)
+ return (YXRRSET)
+ if (rr.class == zclass)
+ temp<rr.name, rr.type> += rr
+ else
+ return (FORMERR)
+
+ for rrset in temp
+ if (zone_rrset<rrset.name, rrset.type> != rrset)
+ return (NXRRSET)
+
+ 3.3 - Check Requestor's Permissions
+
+ 3.3.1. Next, the requestor's permission to update the RRs named in
+ the Update Section may be tested in an implementation dependent
+ fashion or using mechanisms specified in a subsequent Secure DNS
+ Update protocol. If the requestor does not have permission to
+ perform these updates, the server may write a warning message in its
+ operations log, and may either signal REFUSED to the requestor, or
+ ignore the permission problem and proceed with the update.
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 12]
+
+RFC 2136 DNS Update April 1997
+
+
+ 3.3.2. While the exact processing is implementation defined, if these
+ verification activities are to be performed, this is the point in the
+ server's processing where such performance should take place, since
+ if a REFUSED condition is encountered after an update has been
+ partially applied, it will be necessary to undo the partial update
+ and restore the zone to its original state before answering the
+ requestor.
+
+ 3.3.3 - Pseudocode for Permission Checking
+
+ if (security policy exists)
+ if (this update is not permitted)
+ if (local option)
+ log a message about permission problem
+ if (local option)
+ return (REFUSED)
+
+ 3.4 - Process Update Section
+
+ Next, the Update Section is processed as follows.
+
+ 3.4.1 - Prescan
+
+ The Update Section is parsed into RRs and each RR's CLASS is checked
+ to see if it is ANY, NONE, or the same as the Zone Class, else signal
+ a FORMERR to the requestor. Using the definitions in Section 1.2,
+ each RR's NAME must be in the zone specified by the Zone Section,
+ else signal NOTZONE to the requestor.
+
+ 3.4.1.2. For RRs whose CLASS is not ANY, check the TYPE and if it is
+ ANY, AXFR, MAILA, MAILB, or any other QUERY metatype, or any
+ unrecognized type, then signal FORMERR to the requestor. For RRs
+ whose CLASS is ANY or NONE, check the TTL to see that it is zero (0),
+ else signal a FORMERR to the requestor. For any RR whose CLASS is
+ ANY, check the RDLENGTH to make sure that it is zero (0) (that is,
+ the RDATA field is empty), and that the TYPE is not AXFR, MAILA,
+ MAILB, or any other QUERY metatype besides ANY, or any unrecognized
+ type, else signal FORMERR to the requestor.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 13]
+
+RFC 2136 DNS Update April 1997
+
+
+ 3.4.1.3 - Pseudocode For Update Section Prescan
+
+ [rr] for rr in updates
+ if (zone_of(rr.name) != ZNAME)
+ return (NOTZONE);
+ if (rr.class == zclass)
+ if (rr.type & ANY|AXFR|MAILA|MAILB)
+ return (FORMERR)
+ elsif (rr.class == ANY)
+ if (rr.ttl != 0 || rr.rdlength != 0
+ || rr.type & AXFR|MAILA|MAILB)
+ return (FORMERR)
+ elsif (rr.class == NONE)
+ if (rr.ttl != 0 || rr.type & ANY|AXFR|MAILA|MAILB)
+ return (FORMERR)
+ else
+ return (FORMERR)
+
+ 3.4.2 - Update
+
+ The Update Section is parsed into RRs and these RRs are processed in
+ order.
+
+ 3.4.2.1. If any system failure (such as an out of memory condition,
+ or a hardware error in persistent storage) occurs during the
+ processing of this section, signal SERVFAIL to the requestor and undo
+ all updates applied to the zone during this transaction.
+
+ 3.4.2.2. Any Update RR whose CLASS is the same as ZCLASS is added to
+ the zone. In case of duplicate RDATAs (which for SOA RRs is always
+ the case, and for WKS RRs is the case if the ADDRESS and PROTOCOL
+ fields both match), the Zone RR is replaced by Update RR. If the
+ TYPE is SOA and there is no Zone SOA RR, or the new SOA.SERIAL is
+ lower (according to [RFC1982]) than or equal to the current Zone SOA
+ RR's SOA.SERIAL, the Update RR is ignored. In the case of a CNAME
+ Update RR and a non-CNAME Zone RRset or vice versa, ignore the CNAME
+ Update RR, otherwise replace the CNAME Zone RR with the CNAME Update
+ RR.
+
+ 3.4.2.3. For any Update RR whose CLASS is ANY and whose TYPE is ANY,
+ all Zone RRs with the same NAME are deleted, unless the NAME is the
+ same as ZNAME in which case only those RRs whose TYPE is other than
+ SOA or NS are deleted. For any Update RR whose CLASS is ANY and
+ whose TYPE is not ANY all Zone RRs with the same NAME and TYPE are
+ deleted, unless the NAME is the same as ZNAME in which case neither
+ SOA or NS RRs will be deleted.
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 14]
+
+RFC 2136 DNS Update April 1997
+
+
+ 3.4.2.4. For any Update RR whose class is NONE, any Zone RR whose
+ NAME, TYPE, RDATA and RDLENGTH are equal to the Update RR is deleted,
+ unless the NAME is the same as ZNAME and either the TYPE is SOA or
+ the TYPE is NS and the matching Zone RR is the only NS remaining in
+ the RRset, in which case this Update RR is ignored.
+
+ 3.4.2.5. Signal NOERROR to the requestor.
+
+ 3.4.2.6 - Table Of Metavalues Used In Update Section
+
+ CLASS TYPE RDATA Meaning
+ ---------------------------------------------------------
+ ANY ANY empty Delete all RRsets from a name
+ ANY rrset empty Delete an RRset
+ NONE rrset rr Delete an RR from an RRset
+ zone rrset rr Add to an RRset
+
+ 3.4.2.7 - Pseudocode For Update Section Processing
+
+ [rr] for rr in updates
+ if (rr.class == zclass)
+ if (rr.type == CNAME)
+ if (zone_rrset<rr.name, ~CNAME>)
+ next [rr]
+ elsif (zone_rrset<rr.name, CNAME>)
+ next [rr]
+ if (rr.type == SOA)
+ if (!zone_rrset<rr.name, SOA> ||
+ zone_rr<rr.name, SOA>.serial > rr.soa.serial)
+ next [rr]
+ for zrr in zone_rrset<rr.name, rr.type>
+ if (rr.type == CNAME || rr.type == SOA ||
+ (rr.type == WKS && rr.proto == zrr.proto &&
+ rr.address == zrr.address) ||
+ rr.rdata == zrr.rdata)
+ zrr = rr
+ next [rr]
+ zone_rrset<rr.name, rr.type> += rr
+ elsif (rr.class == ANY)
+ if (rr.type == ANY)
+ if (rr.name == zname)
+ zone_rrset<rr.name, ~(SOA|NS)> = Nil
+ else
+ zone_rrset<rr.name, *> = Nil
+ elsif (rr.name == zname &&
+ (rr.type == SOA || rr.type == NS))
+ next [rr]
+ else
+
+
+
+Vixie, et. al. Standards Track [Page 15]
+
+RFC 2136 DNS Update April 1997
+
+
+ zone_rrset<rr.name, rr.type> = Nil
+ elsif (rr.class == NONE)
+ if (rr.type == SOA)
+ next [rr]
+ if (rr.type == NS && zone_rrset<rr.name, NS> == rr)
+ next [rr]
+ zone_rr<rr.name, rr.type, rr.data> = Nil
+ return (NOERROR)
+
+ 3.5 - Stability
+
+ When a zone is modified by an UPDATE operation, the server must
+ commit the change to nonvolatile storage before sending a response to
+ the requestor or answering any queries or transfers for the modified
+ zone. It is reasonable for a server to store only the update records
+ as long as a system reboot or power failure will cause these update
+ records to be incorporated into the zone the next time the server is
+ started. It is also reasonable for the server to copy the entire
+ modified zone to nonvolatile storage after each update operation,
+ though this would have suboptimal performance for large zones.
+
+ 3.6 - Zone Identity
+
+ If the zone's SOA SERIAL is changed by an update operation, that
+ change must be in a positive direction (using modulo 2**32 arithmetic
+ as specified by [RFC1982]). Attempts to replace an SOA with one
+ whose SERIAL is less than the current one will be silently ignored by
+ the primary master server.
+
+ If the zone's SOA's SERIAL is not changed as a result of an update
+ operation, then the server shall increment it automatically before
+ the SOA or any changed name or RR or RRset is included in any
+ response or transfer. The primary master server's implementor might
+ choose to autoincrement the SOA SERIAL if any of the following events
+ occurs:
+
+ (1) Each update operation.
+
+ (2) A name, RR or RRset in the zone has changed and has subsequently
+ been visible to a DNS client since the unincremented SOA was
+ visible to a DNS client, and the SOA is about to become visible
+ to a DNS client.
+
+ (3) A configurable period of time has elapsed since the last update
+ operation. This period shall be less than or equal to one third
+ of the zone refresh time, and the default shall be the lesser of
+ that maximum and 300 seconds.
+
+
+
+
+Vixie, et. al. Standards Track [Page 16]
+
+RFC 2136 DNS Update April 1997
+
+
+ (4) A configurable number of updates has been applied since the last
+ SOA change. The default value for this configuration parameter
+ shall be one hundred (100).
+
+ It is imperative that the zone's contents and the SOA's SERIAL be
+ tightly synchronized. If the zone appears to change, the SOA must
+ appear to change as well.
+
+ 3.7 - Atomicity
+
+ During the processing of an UPDATE transaction, the server must
+ ensure atomicity with respect to other (concurrent) UPDATE or QUERY
+ transactions. No two transactions can be processed concurrently if
+ either depends on the final results of the other; in particular, a
+ QUERY should not be able to retrieve RRsets which have been partially
+ modified by a concurrent UPDATE, and an UPDATE should not be able to
+ start from prerequisites that might not still hold at the completion
+ of some other concurrent UPDATE. Finally, if two UPDATE transactions
+ would modify the same names, RRs or RRsets, then such UPDATE
+ transactions must be serialized.
+
+ 3.8 - Response
+
+ At the end of UPDATE processing, a response code will be known. A
+ response message is generated by copying the ID and Opcode fields
+ from the request, and either copying the ZOCOUNT, PRCOUNT, UPCOUNT,
+ and ADCOUNT fields and associated sections, or placing zeros (0) in
+ the these "count" fields and not including any part of the original
+ update. The QR bit is set to one (1), and the response is sent back
+ to the requestor. If the requestor used UDP, then the response will
+ be sent to the requestor's source UDP port. If the requestor used
+ TCP, then the response will be sent back on the requestor's open TCP
+ connection.
+
+4 - Requestor Behaviour
+
+ 4.1. From a requestor's point of view, any authoritative server for
+ the zone can appear to be able to process update requests, even
+ though only the primary master server is actually able to modify the
+ zone's master file. Requestors are expected to know the name of the
+ zone they intend to update and to know or be able to determine the
+ name servers for that zone.
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 17]
+
+RFC 2136 DNS Update April 1997
+
+
+ 4.2. If update ordering is desired, the requestor will need to know
+ the value of the existing SOA RR. Requestors who update the SOA RR
+ must update the SOA SERIAL field in a positive direction (as defined
+ by [RFC1982]) and also preserve the other SOA fields unless the
+ requestor's explicit intent is to change them. The SOA SERIAL field
+ must never be set to zero (0).
+
+ 4.3. If the requestor has reasonable cause to believe that all of a
+ zone's servers will be equally reachable, then it should arrange to
+ try the primary master server (as given by the SOA MNAME field if
+ matched by some NS NSDNAME) first to avoid unnecessary forwarding
+ inside the slave servers. (Note that the primary master will in some
+ cases not be reachable by all requestors, due to firewalls or network
+ partitioning.)
+
+ 4.4. Once the zone's name servers been found and possibly sorted so
+ that the ones more likely to be reachable and/or support the UPDATE
+ opcode are listed first, the requestor composes an UPDATE message of
+ the following form and sends it to the first name server on its list:
+
+ ID: (new)
+ Opcode: UPDATE
+ Zone zcount: 1
+ Zone zname: (zone name)
+ Zone zclass: (zone class)
+ Zone ztype: T_SOA
+ Prerequisite Section: (see previous text)
+ Update Section: (see previous text)
+ Additional Data Section: (empty)
+
+ 4.5. If the requestor receives a response, and the response has an
+ RCODE other than SERVFAIL or NOTIMP, then the requestor returns an
+ appropriate response to its caller.
+
+ 4.6. If a response is received whose RCODE is SERVFAIL or NOTIMP, or
+ if no response is received within an implementation dependent timeout
+ period, or if an ICMP error is received indicating that the server's
+ port is unreachable, then the requestor will delete the unusable
+ server from its internal name server list and try the next one,
+ repeating until the name server list is empty. If the requestor runs
+ out of servers to try, an appropriate error will be returned to the
+ requestor's caller.
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 18]
+
+RFC 2136 DNS Update April 1997
+
+
+5 - Duplicate Detection, Ordering and Mutual Exclusion
+
+ 5.1. For correct operation, mechanisms may be needed to ensure
+ idempotence, order UPDATE requests and provide mutual exclusion. An
+ UPDATE message or response might be delivered zero times, one time,
+ or multiple times. Datagram duplication is of particular interest
+ since it covers the case of the so-called "replay attack" where a
+ correct request is duplicated maliciously by an intruder.
+
+ 5.2. Multiple UPDATE requests or responses in transit might be
+ delivered in any order, due to network topology changes or load
+ balancing, or to multipath forwarding graphs wherein several slave
+ servers all forward to the primary master. In some cases, it might
+ be required that the earlier update not be applied after the later
+ update, where "earlier" and "later" are defined by an external time
+ base visible to some set of requestors, rather than by the order of
+ request receipt at the primary master.
+
+ 5.3. A requestor can ensure transaction idempotence by explicitly
+ deleting some "marker RR" (rather than deleting the RRset of which it
+ is a part) and then adding a new "marker RR" with a different RDATA
+ field. The Prerequisite Section should specify that the original
+ "marker RR" must be present in order for this UPDATE message to be
+ accepted by the server.
+
+ 5.4. If the request is duplicated by a network error, all duplicate
+ requests will fail since only the first will find the original
+ "marker RR" present and having its known previous value. The
+ decisions of whether to use such a "marker RR" and what RR to use are
+ left up to the application programmer, though one obvious choice is
+ the zone's SOA RR as described below.
+
+ 5.5. Requestors can ensure update ordering by externally
+ synchronizing their use of successive values of the "marker RR."
+ Mutual exclusion can be addressed as a degenerate case, in that a
+ single succession of the "marker RR" is all that is needed.
+
+ 5.6. A special case where update ordering and datagram duplication
+ intersect is when an RR validly changes to some new value and then
+ back to its previous value. Without a "marker RR" as described
+ above, this sequence of updates can leave the zone in an undefined
+ state if datagrams are duplicated.
+
+ 5.7. To achieve an atomic multitransaction "read-modify-write" cycle,
+ a requestor could first retrieve the SOA RR, and build an UPDATE
+ message one of whose prerequisites was the old SOA RR. It would then
+ specify updates that would delete this SOA RR and add a new one with
+ an incremented SOA SERIAL, along with whatever actual prerequisites
+
+
+
+Vixie, et. al. Standards Track [Page 19]
+
+RFC 2136 DNS Update April 1997
+
+
+ and updates were the object of the transaction. If the transaction
+ succeeds, the requestor knows that the RRs being changed were not
+ otherwise altered by any other requestor.
+
+6 - Forwarding
+
+ When a zone slave forwards an UPDATE message upward toward the zone's
+ primary master server, it must allocate a new ID and prepare to enter
+ the role of "forwarding server," which is a requestor with respect to
+ the forward server.
+
+ 6.1. The set of forward servers will be same as the set of servers
+ this zone slave would use as the source of AXFR or IXFR data. So,
+ while the original requestor might have used the zone's NS RRset to
+ locate its update server, a forwarder always forwards toward its
+ designated zone master servers.
+
+ 6.2. If the original requestor used TCP, then the TCP connection from
+ the requestor is still open and the forwarder must use TCP to forward
+ the message. If the original requestor used UDP, the forwarder may
+ use either UDP or TCP to forward the message, at the whim of the
+ implementor.
+
+ 6.3. It is reasonable for forward servers to be forwarders
+ themselves, if the AXFR dependency graph being followed is a deep one
+ involving firewalls and multiple connectivity realms. In most cases
+ the AXFR dependency graph will be shallow and the forward server will
+ be the primary master server.
+
+ 6.4. The forwarder will not respond to its requestor until it
+ receives a response from its forward server. UPDATE transactions
+ involving forwarders are therefore time synchronized with respect to
+ the original requestor and the primary master server.
+
+ 6.5. When there are multiple possible sources of AXFR data and
+ therefore multiple possible forward servers, a forwarder will use the
+ same fallback strategy with respect to connectivity or timeout errors
+ that it would use when performing an AXFR. This is implementation
+ dependent.
+
+ 6.6. When a forwarder receives a response from a forward server, it
+ copies this response into a new response message, assigns its
+ requestor's ID to that message, and sends the response back to the
+ requestor.
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 20]
+
+RFC 2136 DNS Update April 1997
+
+
+7 - Design, Implementation, Operation, and Protocol Notes
+
+ Some of the principles which guided the design of this UPDATE
+ specification are as follows. Note that these are not part of the
+ formal specification and any disagreement between this section and
+ any other section of this document should be resolved in favour of
+ the other section.
+
+ 7.1. Using metavalues for CLASS is possible only because all RRs in
+ the packet are assumed to be in the same zone, and CLASS is an
+ attribute of a zone rather than of an RRset. (It is for this reason
+ that the Zone Section is not optional.)
+
+ 7.2. Since there are no data-present or data-absent errors possible
+ from processing the Update Section, any necessary data-present and
+ data- absent dependencies should be specified in the Prerequisite
+ Section.
+
+ 7.3. The Additional Data Section can be used to supply a server with
+ out of zone glue that will be needed in referrals. For example, if
+ adding a new NS RR to HOME.VIX.COM specifying a nameserver called
+ NS.AU.OZ, the A RR for NS.AU.OZ can be included in the Additional
+ Data Section. Servers can use this information or ignore it, at the
+ discretion of the implementor. We discourage caching this
+ information for use in subsequent DNS responses.
+
+ 7.4. The Additional Data Section might be used if some of the RRs
+ later needed for Secure DNS Update are not actually zone updates, but
+ rather ancillary keys or signatures not intended to be stored in the
+ zone (as an update would be), yet necessary for validating the update
+ operation.
+
+ 7.5. It is expected that in the absence of Secure DNS Update, a
+ server will only accept updates if they come from a source address
+ that has been statically configured in the server's description of a
+ primary master zone. DHCP servers would be likely candidates for
+ inclusion in this statically configured list.
+
+ 7.6. It is not possible to create a zone using this protocol, since
+ there is no provision for a slave server to be told who its master
+ servers are. It is expected that this protocol will be extended in
+ the future to cover this case. Therefore, at this time, the addition
+ of SOA RRs is unsupported. For similar reasons, deletion of SOA RRs
+ is also unsupported.
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 21]
+
+RFC 2136 DNS Update April 1997
+
+
+ 7.7. The prerequisite for specifying that a name own at least one RR
+ differs semantically from QUERY, in that QUERY would return
+ <NOERROR,ANCOUNT=0> rather than NXDOMAIN if queried for an RRset at
+ this name, while UPDATE's prerequisite condition [Section 2.4.4]
+ would NOT be satisfied.
+
+ 7.8. It is possible for a UDP response to be lost in transit and for
+ a request to be retried due to a timeout condition. In this case an
+ UPDATE that was successful the first time it was received by the
+ primary master might ultimately appear to have failed when the
+ response to a duplicate request is finally received by the requestor.
+ (This is because the original prerequisites may no longer be
+ satisfied after the update has been applied.) For this reason,
+ requestors who require an accurate response code must use TCP.
+
+ 7.9. Because a requestor who requires an accurate response code will
+ initiate their UPDATE transaction using TCP, a forwarder who receives
+ a request via TCP must forward it using TCP.
+
+ 7.10. Deferral of SOA SERIAL autoincrements is made possible so that
+ serial numbers can be conserved and wraparound at 2**32 can be made
+ an infrequent occurance. Visible (to DNS clients) SOA SERIALs need
+ to differ if the zone differs. Note that the Authority Section SOA
+ in a QUERY response is a form of visibility, for the purposes of this
+ prerequisite.
+
+ 7.11. A zone's SOA SERIAL should never be set to zero (0) due to
+ interoperability problems with some older but widely installed
+ implementations of DNS. When incrementing an SOA SERIAL, if the
+ result of the increment is zero (0) (as will be true when wrapping
+ around 2**32), it is necessary to increment it again or set it to one
+ (1). See [RFC1982] for more detail on this subject.
+
+ 7.12. Due to the TTL minimalization necessary when caching an RRset,
+ it is recommended that all TTLs in an RRset be set to the same value.
+ While the DNS Message Format permits variant TTLs to exist in the
+ same RRset, and this variance can exist inside a zone, such variance
+ will have counterintuitive results and its use is discouraged.
+
+ 7.13. Zone cut management presents some obscure corner cases to the
+ add and delete operations in the Update Section. It is possible to
+ delete an NS RR as long as it is not the last NS RR at the root of a
+ zone. If deleting all RRs from a name, SOA and NS RRs at the root of
+ a zone are unaffected. If deleting RRsets, it is not possible to
+ delete either SOA or NS RRsets at the top of a zone. An attempt to
+ add an SOA will be treated as a replace operation if an SOA already
+ exists, or as a no-op if the SOA would be new.
+
+
+
+
+Vixie, et. al. Standards Track [Page 22]
+
+RFC 2136 DNS Update April 1997
+
+
+ 7.14. No semantic checking is required in the primary master server
+ when adding new RRs. Therefore a requestor can cause CNAME or NS or
+ any other kind of RR to be added even if their target name does not
+ exist or does not have the proper RRsets to make the original RR
+ useful. Primary master servers that DO implement this kind of
+ checking should take great care to avoid out-of-zone dependencies
+ (whose veracity cannot be authoritatively checked) and should
+ implement all such checking during the prescan phase.
+
+ 7.15. Nonterminal or wildcard CNAMEs are not well specified by
+ [RFC1035] and their use will probably lead to unpredictable results.
+ Their use is discouraged.
+
+ 7.16. Empty nonterminals (nodes with children but no RRs of their
+ own) will cause <NOERROR,ANCOUNT=0> responses to be sent in response
+ to a query of any type for that name. There is no provision for
+ empty terminal nodes -- so if all RRs of a terminal node are deleted,
+ the name is no longer in use, and queries of any type for that name
+ will result in an NXDOMAIN response.
+
+ 7.17. In a deep AXFR dependency graph, it has not historically been
+ an error for slaves to depend mutually upon each other. This
+ configuration has been used to enable a zone to flow from the primary
+ master to all slaves even though not all slaves have continuous
+ connectivity to the primary master. UPDATE's use of the AXFR
+ dependency graph for forwarding prohibits this kind of dependency
+ loop, since UPDATE forwarding has no loop detection analagous to the
+ SOA SERIAL pretest used by AXFR.
+
+ 7.18. Previously existing names which are occluded by a new zone cut
+ are still considered part of the parent zone, for the purposes of
+ zone transfers, even though queries for such names will be referred
+ to the new subzone's servers. If a zone cut is removed, all parent
+ zone names that were occluded by it will again become visible to
+ queries. (This is a clarification of [RFC1034].)
+
+ 7.19. If a server is authoritative for both a zone and its child,
+ then queries for names at the zone cut between them will be answered
+ authoritatively using only data from the child zone. (This is a
+ clarification of [RFC1034].)
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 23]
+
+RFC 2136 DNS Update April 1997
+
+
+ 7.20. Update ordering using the SOA RR is problematic since there is
+ no way to know which of a zone's NS RRs represents the primary
+ master, and the zone slaves can be out of date if their SOA.REFRESH
+ timers have not elapsed since the last time the zone was changed on
+ the primary master. We recommend that a zone needing ordered updates
+ use only servers which implement NOTIFY (see [RFC1996]) and IXFR (see
+ [RFC1995]), and that a client receiving a prerequisite error while
+ attempting an ordered update simply retry after a random delay period
+ to allow the zone to settle.
+
+8 - Security Considerations
+
+ 8.1. In the absence of [RFC2137] or equivilent technology, the
+ protocol described by this document makes it possible for anyone who
+ can reach an authoritative name server to alter the contents of any
+ zones on that server. This is a serious increase in vulnerability
+ from the current technology. Therefore it is very strongly
+ recommended that the protocols described in this document not be used
+ without [RFC2137] or other equivalently strong security measures,
+ e.g. IPsec.
+
+ 8.2. A denial of service attack can be launched by flooding an update
+ forwarder with TCP sessions containing updates that the primary
+ master server will ultimately refuse due to permission problems.
+ This arises due to the requirement that an update forwarder receiving
+ a request via TCP use a synchronous TCP session for its forwarding
+ operation. The connection management mechanisms of [RFC1035 4.2.2]
+ are sufficient to prevent large scale damage from such an attack, but
+ not to prevent some queries from going unanswered during the attack.
+
+Acknowledgements
+
+ We would like to thank the IETF DNSIND working group for their input
+ and assistance, in particular, Rob Austein, Randy Bush, Donald
+ Eastlake, Masataka Ohta, Mark Andrews, and Robert Elz. Special
+ thanks to Bill Simpson, Ken Wallich and Bob Halley for reviewing this
+ document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 24]
+
+RFC 2136 DNS Update April 1997
+
+
+References
+
+ [RFC1035]
+ Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [RFC1982]
+ Elz, R., "Serial Number Arithmetic", RFC 1982, University of
+ Melbourne, August 1996.
+
+ [RFC1995]
+ Ohta, M., "Incremental Zone Transfer", RFC 1995, Tokyo Institute
+ of Technology, August 1996.
+
+ [RFC1996]
+ Vixie, P., "A Mechanism for Prompt Notification of Zone Changes",
+ RFC 1996, Internet Software Consortium, August 1996.
+
+ [RFC2065]
+ Eastlake, D., and C. Kaufman, "Domain Name System Protocol
+ Security Extensions", RFC 2065, January 1997.
+
+ [RFC2137]
+ Eastlake, D., "Secure Domain Name System Dynamic Update", RFC
+ 2137, April 1997.
+
+Authors' Addresses
+
+ Yakov Rekhter
+ Cisco Systems
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+
+ Phone: +1 914 528 0090
+ EMail: yakov@cisco.com
+
+
+ Susan Thomson
+ Bellcore
+ 445 South Street
+ Morristown, NJ 07960
+
+ Phone: +1 201 829 4514
+ EMail: set@thumper.bellcore.com
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 25]
+
+RFC 2136 DNS Update April 1997
+
+
+ Jim Bound
+ Digital Equipment Corp.
+ 110 Spitbrook Rd ZK3-3/U14
+ Nashua, NH 03062-2698
+
+ Phone: +1 603 881 0400
+ EMail: bound@zk3.dec.com
+
+
+ Paul Vixie
+ Internet Software Consortium
+ Star Route Box 159A
+ Woodside, CA 94062
+
+ Phone: +1 415 747 0204
+ EMail: paul@vix.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et. al. Standards Track [Page 26]
+
+
diff --git a/contrib/bind9/doc/rfc/rfc2137.txt b/contrib/bind9/doc/rfc/rfc2137.txt
new file mode 100644
index 0000000..ceb3613
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2137.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake 3rd
+Request for Comments: 2137 CyberCash, Inc.
+Updates: 1035 April 1997
+Category: Standards Track
+
+
+ Secure Domain Name System Dynamic Update
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Abstract
+
+ Domain Name System (DNS) protocol extensions have been defined to
+ authenticate the data in DNS and provide key distribution services
+ [RFC2065]. DNS Dynamic Update operations have also been defined
+ [RFC2136], but without a detailed description of security for the
+ update operation. This memo describes how to use DNSSEC digital
+ signatures covering requests and data to secure updates and restrict
+ updates to those authorized to perform them as indicated by the
+ updater's possession of cryptographic keys.
+
+Acknowledgements
+
+ The contributions of the following persons (who are listed in
+ alphabetic order) to this memo are gratefully acknowledged:
+
+ Olafur Gudmundsson (ogud@tis.com>
+ Charlie Kaufman <Charlie_Kaufman@iris.com>
+ Stuart Kwan <skwan@microsoft.com>
+ Edward Lewis <lewis@tis.com>
+
+Table of Contents
+
+ 1. Introduction............................................2
+ 1.1 Overview of DNS Dynamic Update.........................2
+ 1.2 Overview of DNS Security...............................2
+ 2. Two Basic Modes.........................................3
+ 3. Keys....................................................5
+ 3.1 Update Keys............................................6
+ 3.1.1 Update Key Name Scope................................6
+ 3.1.2 Update Key Class Scope...............................6
+ 3.1.3 Update Key Signatory Field...........................6
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2137 SDNSDU April 1997
+
+
+ 3.2 Zone Keys and Update Modes.............................8
+ 3.3 Wildcard Key Punch Through.............................9
+ 4. Update Signatures.......................................9
+ 4.1 Update Request Signatures..............................9
+ 4.2 Update Data Signatures................................10
+ 5. Security Considerations................................10
+ References................................................10
+ Author's Address..........................................11
+
+1. Introduction
+
+ Dynamic update operations have been defined for the Domain Name
+ System (DNS) in RFC 2136, but without a detailed description of
+ security for those updates. Means of securing the DNS and using it
+ for key distribution have been defined in RFC 2065.
+
+ This memo proposes techniques based on the defined DNS security
+ mechanisms to authenticate DNS updates.
+
+ Familiarity with the DNS system [RFC 1034, 1035] is assumed.
+ Familiarity with the DNS security and dynamic update proposals will
+ be helpful.
+
+1.1 Overview of DNS Dynamic Update
+
+ DNS dynamic update defines a new DNS opcode, new DNS request and
+ response structure if that opcode is used, and new error codes. An
+ update can specify complex combinations of deletion and insertion
+ (with or without pre-existence testing) of resource records (RRs)
+ with one or more owner names; however, all testing and changes for
+ any particular DNS update request are restricted to a single zone.
+ Updates occur at the primary server for a zone.
+
+ The primary server for a secure dynamic zone must increment the zone
+ SOA serial number when an update occurs or the next time the SOA is
+ retrieved if one or more updates have occurred since the previous SOA
+ retrieval and the updates themselves did not update the SOA.
+
+1.2 Overview of DNS Security
+
+ DNS security authenticates data in the DNS by also storing digital
+ signatures in the DNS as SIG resource records (RRs). A SIG RR
+ provides a digital signature on the set of all RRs with the same
+ owner name and class as the SIG and whose type is the type covered by
+ the SIG. The SIG RR cryptographically binds the covered RR set to
+ the signer, time signed, signature expiration date, etc. There are
+ one or more keys associated with every secure zone and all data in
+ the secure zone is signed either by a zone key or by a dynamic update
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2137 SDNSDU April 1997
+
+
+ key tracing its authority to a zone key.
+
+ DNS security also defines transaction SIGs and request SIGs.
+ Transaction SIGs appear at the end of a response. Transaction SIGs
+ authenticate the response and bind it to the corresponding request
+ with the key of the host where the responding DNS server is. Request
+ SIGs appear at the end of a request and authenticate the request with
+ the key of the submitting entity.
+
+ Request SIGs are the primary means of authenticating update requests.
+
+ DNS security also permits the storage of public keys in the DNS via
+ KEY RRs. These KEY RRs are also, of course, authenticated by SIG
+ RRs. KEY RRs for zones are stored in their superzone and subzone
+ servers, if any, so that the secure DNS tree of zones can be
+ traversed by a security aware resolver.
+
+2. Two Basic Modes
+
+ A dynamic secure zone is any secure DNS zone containing one or more
+ KEY RRs that can authorize dynamic updates, i.e., entity or user KEY
+ RRs with the signatory field non-zero, and whose zone KEY RR
+ signatory field indicates that updates are implemented. There are two
+ basic modes of dynamic secure zone which relate to the update
+ strategy, mode A and mode B. A summary comparison table is given
+ below and then each mode is described.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2137 SDNSDU April 1997
+
+
+ SUMMARY OF DYNAMIC SECURE ZONE MODES
+
+ CRITERIA: | MODE A | MODE B
+ =========================+====================+===================
+ Definition: | Zone Key Off line | Zone Key On line
+ =========================+====================+===================
+ Server Workload | Low | High
+ -------------------------+--------------------+-------------------
+ Static Data Security | Very High | Medium-High
+ -------------------------+--------------------+-------------------
+ Dynamic Data Security | Medium | Medium-High
+ -------------------------+--------------------+-------------------
+ Key Restrictions | Fine grain | Coarse grain
+ -------------------------+--------------------+-------------------
+ Dynamic Data Temporality | Transient | Permanent
+ -------------------------+--------------------+-------------------
+ Dynamic Key Rollover | No | Yes
+ -------------------------+--------------------+-------------------
+
+ For mode A, the zone owner key and static zone master file are always
+ kept off-line for maximum security of the static zone contents.
+
+ As a consequence, any dynamicly added or changed RRs are signed in
+ the secure zone by their authorizing dynamic update key and they are
+ backed up, along with this SIG RR, in a separate online dynamic
+ master file. In this type of zone, server computation is minimized
+ since the server need only check signatures on the update data and
+ request, which have already been signed by the updater, generally a
+ much faster operation than signing data. However, the AXFR SIG and
+ NXT RRs which covers the zone under the zone key will not cover
+ dynamically added data. Thus, for type A dynamic secure zones, zone
+ transfer security is not automatically provided for dynamically added
+ RRs, where they could be omitted, and authentication is not provided
+ for the server denial of the existence of a dynamically added type.
+ Because the dynamicly added RRs retain their update KEY signed SIG,
+ finer grained control of updates can be implemented via bits in the
+ KEY RR signatory field. Because dynamic data is only stored in the
+ online dynamic master file and only authenticated by dynamic keys
+ which expire, updates are transient in nature. Key rollover for an
+ entity that can authorize dynamic updates is more cumbersome since
+ the authority of their key must be traceable to a zone key and so, in
+ general, they must securely communicate a new key to the zone
+ authority for manual transfer to the off line static master file.
+ NOTE: for this mode the zone SOA must be signed by a dynamic update
+ key and that private key must be kept on line so that the SOA can be
+ changed for updates.
+
+
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2137 SDNSDU April 1997
+
+
+ For mode B, the zone owner key and master file are kept on-line at
+ the zone primary server. When authenticated updates succeed, SIGs
+ under the zone key for the resulting data (including the possible NXT
+ type bit map changes) are calculated and these SIG (and possible NXT)
+ changes are entered into the zone and the unified on-line master
+ file. (The zone transfer AXFR SIG may be recalculated for each
+ update or on demand when a zone transfer is requested and it is out
+ of date.)
+
+ As a consequence, this mode requires considerably more computational
+ effort on the part of the server as the public/private keys are
+ generally arranged so that signing (calculating a SIG) is more effort
+ than verifying a signature. The security of static data in the zone
+ is decreased because the ultimate state of the static data being
+ served and the ultimate zone authority private key are all on-line on
+ the net. This means that if the primary server is subverted, false
+ data could be authenticated to secondaries and other
+ servers/resolvers. On the other hand, this mode of operation means
+ that data added dynamically is more secure than in mode A. Dynamic
+ data will be covered by the AXFR SIG and thus always protected during
+ zone transfers and will be included in NXT RRs so that it can be
+ falsely denied by a server only to the same extent that static data
+ can (i.e., if it is within a wild card scope). Because the zone key
+ is used to sign all the zone data, the information as to who
+ originated the current state of dynamic RR sets is lost, making
+ unavailable the effects of some of the update control bits in the KEY
+ RR signatory field. In addition, the incorporation of the updates
+ into the primary master file and their authentication by the zone key
+ makes then permanent in nature. Maintaining the zone key on-line
+ also means that dynamic update keys which are signed by the zone key
+ can be dynamically updated since the zone key is available to
+ dynamically sign new values.
+
+ NOTE: The Mode A / Mode B distinction only effects the validation
+ and performance of update requests. It has no effect on retrievals.
+ One reasonable operational scheme may be to keep a mostly static main
+ zone operating in Mode A and have one or more dynamic subzones
+ operating in Mode B.
+
+3. Keys
+
+ Dynamic update requests depend on update keys as described in section
+ 3.1 below. In addition, the zone secure dynamic update mode and
+ availability of some options is indicated in the zone key. Finally,
+ a special rule is used in searching for KEYs to validate updates as
+ described in section 3.3.
+
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2137 SDNSDU April 1997
+
+
+3.1 Update Keys
+
+ All update requests to a secure zone must include signatures by one
+ or more key(s) that together can authorize that update. In order for
+ the Domain Name System (DNS) server receiving the request to confirm
+ this, the key or keys must be available to and authenticated by that
+ server as a specially flagged KEY Resource Record.
+
+ The scope of authority of such keys is indicated by their KEY RR
+ owner name, class, and signatory field flags as described below. In
+ addition, such KEY RRs must be entity or user keys and not have the
+ authentication use prohibited bit on. All parts of the actual update
+ must be within the scope of at least one of the keys used for a
+ request SIG on the update request as described in section 4.
+
+3.1.1 Update Key Name Scope
+
+ The owner name of any update authorizing KEY RR must (1) be the same
+ as the owner name of any RRs being added or deleted or (2) a wildcard
+ name including within its extended scope (see section 3.3) the name
+ of any RRs being added or deleted and those RRs must be in the same
+ zone.
+
+3.1.2 Update Key Class Scope
+
+ The class of any update authorizing KEY RR must be the same as the
+ class of any RR's being added or deleted.
+
+3.1.3 Update Key Signatory Field
+
+ The four bit "signatory field" (see RFC 2065) of any update
+ authorizing KEY RR must be non-zero. The bits have the meanings
+ described below for non-zone keys (see section 3.2 for zone type
+ keys).
+
+ UPDATE KEY RR SIGNATORY FIELD BITS
+
+ 0 1 2 3
+ +-----------+-----------+-----------+-----------+
+ | zone | strong | unique | general |
+ +-----------+-----------+-----------+-----------+
+
+ Bit 0, zone control - If nonzero, this key is authorized to attach,
+ detach, and move zones by creating and deleting NS, glue A, and
+ zone KEY RR(s). If zero, the key can not authorize any update
+ that would effect such RRs. This bit is meaningful for both
+ type A and type B dynamic secure zones.
+
+
+
+
+Eastlake Standards Track [Page 6]
+
+RFC 2137 SDNSDU April 1997
+
+
+ NOTE: do not confuse the "zone" signatory field bit with the
+ "zone" key type bit.
+
+ Bit 1, strong update - If nonzero, this key is authorized to add and
+ delete RRs even if there are other RRs with the same owner name
+ and class that are authenticated by a SIG signed with a
+ different dynamic update KEY. If zero, the key can only
+ authorize updates where any existing RRs of the same owner and
+ class are authenticated by a SIG using the same key. This bit
+ is meaningful only for type A dynamic zones and is ignored in
+ type B dynamic zones.
+
+ Keeping this bit zero on multiple KEY RRs with the same or
+ nested wild card owner names permits multiple entities to exist
+ that can create and delete names but can not effect RRs with
+ different owner names from any they created. In effect, this
+ creates two levels of dynamic update key, strong and weak, where
+ weak keys are limited in interfering with each other but a
+ strong key can interfere with any weak keys or other strong
+ keys.
+
+ Bit 2, unique name update - If nonzero, this key is authorized to add
+ and update RRs for only a single owner name. If there already
+ exist RRs with one or more names signed by this key, they may be
+ updated but no new name created until the number of existing
+ names is reduced to zero. This bit is meaningful only for mode
+ A dynamic zones and is ignored in mode B dynamic zones. This bit
+ is meaningful only if the owner name is a wildcard. (Any
+ dynamic update KEY with a non-wildcard name is, in effect, a
+ unique name update key.)
+
+ This bit can be used to restrict a KEY from flooding a zone with
+ new names. In conjunction with a local administratively imposed
+ limit on the number of dynamic RRs with a particular name, it
+ can completely restrict a KEY from flooding a zone with RRs.
+
+ Bit 3, general update - The general update signatory field bit has no
+ special meaning. If the other three bits are all zero, it must
+ be one so that the field is non-zero to designate that the key
+ is an update key. The meaning of all values of the signatory
+ field with the general bit and one or more other signatory field
+ bits on is reserved.
+
+ All the signatory bit update authorizations described above only
+ apply if the update is within the name and class scope as per
+ sections 3.1.1 and 3.1.2.
+
+
+
+
+
+Eastlake Standards Track [Page 7]
+
+RFC 2137 SDNSDU April 1997
+
+
+3.2 Zone Keys and Update Modes
+
+ Zone type keys are automatically authorized to sign anything in their
+ zone, of course, regardless of the value of their signatory field.
+ For zone keys, the signatory field bits have different means than
+ they they do for update keys, as shown below. The signatory field
+ MUST be zero if dynamic update is not supported for a zone and MUST
+ be non-zero if it is.
+
+ ZONE KEY RR SIGNATORY FIELD BITS
+
+ 0 1 2 3
+ +-----------+-----------+-----------+-----------+
+ | mode | strong | unique | general |
+ +-----------+-----------+-----------+-----------+
+
+ Bit 0, mode - This bit indicates the update mode for this zone. Zero
+ indicates mode A while a one indicates mode B.
+
+ Bit 1, strong update - If nonzero, this indicates that the "strong"
+ key feature described in section 3.1.3 above is implemented and
+ enabled for this secure zone. If zero, the feature is not
+ available. Has no effect if the zone is a mode B secure update
+ zone.
+
+ Bit 2, unique name update - If nonzero, this indicates that the
+ "unique name" feature described in section 3.1.3 above is
+ implemented and enabled for this secure zone. If zero, this
+ feature is not available. Has no effect if the zone is a mode B
+ secure update zone.
+
+ Bit 3, general - This bit has no special meeting. If dynamic update
+ for a zone is supported and the other bits in the zone key
+ signatory field are zero, it must be a one. The meaning of zone
+ keys where the signatory field has the general bit and one or
+ more other bits on is reserved.
+
+ If there are multiple dynamic update KEY RRs for a zone and zone
+ policy is in transition, they might have different non-zero signatory
+ fields. In that case, strong and unique name restrictions must be
+ enforced as long as there is a non-expired zone key being advertised
+ that indicates mode A with the strong or unique name bit on
+ respectively. Mode B updates MUST be supported as long as there is a
+ non-expired zone key that indicates mode B. Mode A updates may be
+ treated as mode B updates at server option if non-expired zone keys
+ indicate that both are supported.
+
+
+
+
+
+Eastlake Standards Track [Page 8]
+
+RFC 2137 SDNSDU April 1997
+
+
+ A server that will be executing update operations on a zone, that is,
+ the primary master server, MUST not advertize a zone key that will
+ attract requests for a mode or features that it can not support.
+
+3.3 Wildcard Key Punch Through
+
+ Just as a zone key is valid throughout the entire zone, update keys
+ with wildcard names are valid throughout their extended scope, within
+ the zone. That is, they remain valid for any name that would match
+ them, even existing specific names within their apparent scope.
+
+ If this were not so, then whenever a name within a wildcard scope was
+ created by dynamic update, it would be necessary to first create a
+ copy of the KEY RR with this name, because otherwise the existence of
+ the more specific name would hide the authorizing KEY RR and would
+ make later updates impossible. An updater could create such a KEY RR
+ but could not zone sign it with their authorizing signer. They would
+ have to sign it with the same key using the wildcard name as signer.
+ Thus in creating, for example, one hundred type A RRs authorized by a
+ *.1.1.1.in-addr.arpa. KEY RR, without key punch through 100 As, 100
+ KEYs, and 200 SIGs would have to be created as opposed to merely 100
+ As and 100 SIGs with key punch through.
+
+4. Update Signatures
+
+ Two kinds of signatures can appear in updates. Request signatures,
+ which are always required, cover the entire request and authenticate
+ the DNS header, including opcode, counts, etc., as well as the data.
+ Data signatures, on the other hand, appear only among the RRs to be
+ added and are only required for mode A operation. These two types of
+ signatures are described further below.
+
+4.1 Update Request Signatures
+
+ An update can effect multiple owner names in a zone. It may be that
+ these different names are covered by different dynamic update keys.
+ For every owner name effected, the updater must know a private key
+ valid for that name (and the zone's class) and must prove this by
+ appending request SIG RRs under each such key.
+
+ As specified in RFC 2065, a request signature is a SIG RR occurring
+ at the end of a request with a type covered field of zero. For an
+ update, request signatures occur in the Additional information
+ section. Each request SIG signs the entire request, including DNS
+ header, but excluding any other request SIG(s) and with the ARCOUNT
+ in the DNS header set to what it wold be without the request SIGs.
+
+
+
+
+
+Eastlake Standards Track [Page 9]
+
+RFC 2137 SDNSDU April 1997
+
+
+4.2 Update Data Signatures
+
+ Mode A dynamic secure zones require that the update requester provide
+ SIG RRs that will authenticate the after update state of all RR sets
+ that are changed by the update and are non-empty after the update.
+ These SIG RRs appear in the request as RRs to be added and the
+ request must delete any previous data SIG RRs that are invalidated by
+ the request.
+
+ In Mode B dynamic secure zones, all zone data is authenticated by
+ zone key SIG RRs. In this case, data signatures need not be included
+ with the update. A resolver can determine which mode an updatable
+ secure zone is using by examining the signatory field bits of the
+ zone KEY RR (see section 3.2).
+
+5. Security Considerations
+
+ Any zone permitting dynamic updates is inherently less secure than a
+ static secure zone maintained off line as recommended in RFC 2065. If
+ nothing else, secure dynamic update requires on line change to and
+ re-signing of the zone SOA resource record (RR) to increase the SOA
+ serial number. This means that compromise of the primary server host
+ could lead to arbitrary serial number changes.
+
+ Isolation of dynamic RRs to separate zones from those holding most
+ static RRs can limit the damage that could occur from breach of a
+ dynamic zone's security.
+
+References
+
+ [RFC2065] Eastlake, D., and C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, CyberCash, Iris, January 1997.
+
+ [RFC2136] Vixie, P., Editor, Thomson, T., Rekhter, Y., and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 10]
+
+RFC 2137 SDNSDU April 1997
+
+
+Author's Address
+
+ Donald E. Eastlake, 3rd
+ CyberCash, Inc.
+ 318 Acton Street
+ Carlisle, MA 01741 USA
+
+ Phone: +1 508-287-4877
+ +1 508-371-7148 (fax)
+ +1 703-620-4200 (main office, Reston, Virginia, USA)
+ EMail: dee@cybercash.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 11]
+
diff --git a/contrib/bind9/doc/rfc/rfc2163.txt b/contrib/bind9/doc/rfc/rfc2163.txt
new file mode 100644
index 0000000..00fcee7
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2163.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Network Working Group C. Allocchio
+Request for Comments: 2163 GARR-Italy
+Obsoletes: 1664 January 1998
+Category: Standards Track
+
+
+ Using the Internet DNS to Distribute
+ MIXER Conformant Global Address Mapping (MCGAM)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+Abstract
+
+ This memo is the complete technical specification to store in the
+ Internet Domain Name System (DNS) the mapping information (MCGAM)
+ needed by MIXER conformant e-mail gateways and other tools to map
+ RFC822 domain names into X.400 O/R names and vice versa. Mapping
+ information can be managed in a distributed rather than a centralised
+ way. Organizations can publish their MIXER mapping or preferred
+ gateway routing information using just local resources (their local
+ DNS server), avoiding the need for a strong coordination with any
+ centralised organization. MIXER conformant gateways and tools located
+ on Internet hosts can retrieve the mapping information querying the
+ DNS instead of having fixed tables which need to be centrally updated
+ and distributed.
+
+ This memo obsoletes RFC1664. It includes the changes introduced by
+ MIXER specification with respect to RFC1327: the new 'gate1' (O/R
+ addresses to domain) table is fully supported. Full backward
+ compatibility with RFC1664 specification is mantained, too.
+
+ RFC1664 was a joint effort of IETF X400 operation working group
+ (x400ops) and TERENA (formely named "RARE") Mail and Messaging
+ working group (WG-MSG). This update was performed by the IETF MIXER
+ working group.
+
+
+
+
+
+
+Allocchio Standards Track [Page 1]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+1. Introduction
+
+ The connectivity between the Internet SMTP mail and other mail
+ services, including the Internet X.400 mail and the commercial X.400
+ service providers, is assured by the Mail eXchanger (MX) record
+ information distributed via the Internet Domain Name System (DNS). A
+ number of documents then specify in details how to convert or encode
+ addresses from/to RFC822 style to the other mail system syntax.
+ However, only conversion methods provide, via some algorithm or a set
+ of mapping rules, a smooth translation, resulting in addresses
+ indistinguishable from the native ones in both RFC822 and foreign
+ world.
+
+ MIXER describes a set of mappings (MIXER Conformant Global Address
+ Mapping - MCGAM) which will enable interworking between systems
+ operating the CCITT X.400 (1984/88/92) Recommendations and systems
+ using using the RFC822 mail protocol, or protocols derived from
+ RFC822. That document addresses conversion of services, addresses,
+ message envelopes, and message bodies between the two mail systems.
+ This document is concerned with one aspect of MIXER: the mechanism
+ for mapping between X.400 O/R addresses and RFC822 domain names. As
+ described in Appendix F of MIXER, implementation of the mappings
+ requires a database which maps between X.400 O/R addresses and domain
+ names; in RFC1327 this database was statically defined.
+
+ The original approach in RFC1327 required many efforts to maintain
+ the correct mapping: all the gateways needed to get coherent tables
+ to apply the same mappings, the conversion tables had to be
+ distributed among all the operational gateways, and also every update
+ needed to be distributed.
+
+ The concept of mapping rules distribution and use has been revised in
+ the new MIXER specification, introducing the concept of MIXER
+ Conformant Global Address Mapping (MCGAM). A MCGAM does not need to
+ be globally installed by any MIXER conformant gateway in the world
+ any more. However MIXER requires now efficient methods to publish its
+ MCGAM.
+
+ Static tables are one of the possible methods to publish MCGAM.
+ However this static mechanism requires quite a long time to be spent
+ modifying and distributing the information, putting heavy constraints
+ on the time schedule of every update. In fact it does not appear
+ efficient compared to the Internet Domain Name Service (DNS). More
+ over it does not look feasible to distribute the database to a large
+ number of other useful applications, like local address converters,
+ e-mail User Agents or any other tool requiring the mapping rules to
+ produce correct results.
+
+
+
+
+Allocchio Standards Track [Page 2]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ Two much more efficient methods are proposed by MIXER for publication
+ of MCGAM: the Internet DNS and X.500. This memo is the complete
+ technical specification for publishing MCGAM via Internet DNS.
+
+ A first proposal to use the Internet DNS to store, retrieve and
+ maintain those mappings was introduced by two of the authors of
+ RFC1664 (B. Cole and R. Hagens) adopting two new DNS resource record
+ (RR) types: TO-X400 and TO-822. This proposal now adopts a more
+ complete strategy, and requires one new RR only. The distribution of
+ MCGAMs via DNS is in fact an important service for the whole Internet
+ community: it completes the information given by MX resource record
+ and it allows to produce clean addresses when messages are exchanged
+ among the Internet RFC822 world and the X.400 one (both Internet and
+ Public X.400 service providers).
+
+ A first experiment in using the DNS without expanding the current set
+ of RR and using available ones was deployed by some of the authors of
+ RFC1664 at the time of its development. The existing PTR resource
+ records were used to store the mapping rules, and a new DNS tree was
+ created under the ".it" top level domain. The result of the
+ experiment was positive, and a few test applications ran under this
+ provisional set up. This test was also very useful in order to define
+ a possible migration strategy during the deployment of the new DNS
+ containing the new RR. The Internet DNS nameservers wishing to
+ provide this mapping information need in fact to be modified to
+ support the new RR type, and in the real Internet, due to the large
+ number of different implementations, this takes some time.
+
+ The basic idea is to adopt a new DNS RR to store the mapping
+ information. The RFC822 to X.400 mapping rules (including the so
+ called 'gate2' rules) will be stored in the ordinary DNS tree, while
+ the definition of a new branch of the name space defined under each
+ national top level domain is envisaged in order to contain the X.400
+ to RFC822 mappings ('table1' and 'gate1'). A "two-way" mapping
+ resolution schema is thus fully implemented.
+
+ The creation of the new domain name space representing the X.400 O/R
+ names structure also provides the chance to use the DNS to distribute
+ dynamically other X.400 related information, thus solving other
+ efficiency problems currently affecting the X.400 MHS service.
+
+ In this paper we will adopt the MCGAM syntax, showing how it can be
+ stored into the Internet DNS.
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 3]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+1.1 Definitions syntax
+
+ The definitions in this document is given in BNF-like syntax, using
+ the following conventions:
+
+ | means choice
+ \ is used for continuation of a definition over several lines
+ [] means optional
+ {} means repeated one or more times
+
+ The definitions, however, are detailed only until a certain level,
+ and below it self-explaining character text strings will be used.
+
+2. Motivation
+
+ Implementations of MIXER gateways require that a database store
+ address mapping information for X.400 and RFC822. This information
+ must be made available (published) to all MIXER gateways. In the
+ Internet community, the DNS has proven to be a practical mean for
+ providing a distributed name service. Advantages of using a DNS based
+ system over a table based approach for mapping between O/R addresses
+ and domain names are:
+
+ - It avoids fetching and storing of entire mapping tables by every
+ host that wishes to implement MIXER gateways and/or tools
+
+ - Modifications to the DNS based mapping information can be made
+ available in a more timely manner than with a table driven
+ approach.
+
+ - It allows full authority delegation, in agreement with the
+ Internet regionalization process.
+
+ - Table management is not necessarily required for DNS-based
+ MIXER gateways.
+
+ - One can determine the mappings in use by a remote gateway by
+ querying the DNS (remote debugging).
+
+ Also many other tools, like address converters and User Agents can
+ take advantage of the real-time availability of MIXER tables,
+ allowing a much easier maintenance of the information.
+
+3. The domain space for X.400 O/R name addresses
+
+ Usual domain names (the ones normally used as the global part of an
+ RFC822 e-mail address) and their associated information, i.e., host
+ IP addresses, mail exchanger names, etc., are stored in the DNS as a
+
+
+
+Allocchio Standards Track [Page 4]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ distributed database under a number of top-level domains. Some top-
+ level domains are used for traditional categories or international
+ organisations (EDU, COM, NET, ORG, INT, MIL...). On the other hand
+ any country has its own two letter ISO country code as top-level
+ domain (FR, DE, GB, IT, RU, ...), including "US" for USA. The
+ special top-level/second-level couple IN-ADDR.ARPA is used to store
+ the IP address to domain name relationship. This memo defines in the
+ above structure the appropriate way to locate the X.400 O/R name
+ space, thus enabling to store in DNS the MIXER mappings (MCGAMs).
+
+ The MIXER mapping information is composed by four tables:
+
+ - 'table1' and 'gate1' gives the translation from X.400 to RFC822;
+ - 'table2' and 'gate2' tables map RFC822 into X.400.
+
+ Each mapping table is composed by mapping rules, and a single mapping
+ rule is composed by a keyword (the argument of the mapping function
+ derived from the address to be translated) and a translator (the
+ mapping function parameter):
+
+ keyword#translator#
+
+ the '#' sign is a delimiter enclosing the translator. An example:
+
+ foo.bar.us#PRMD$foo\.bar.ADMD$intx.C$us#
+
+ Local mappings are not intended for use outside their restricted
+ environment, thus they should not be included in DNS. If local
+ mappings are used, they should be stored using static local tables,
+ exactly as local static host tables can be used with DNS.
+
+ The keyword of a 'table2' and 'gate2' table entry is a valid RFC822
+ domain; thus the usual domain name space can be used without problems
+ to store these entries.
+ On the other hand, the keyword of a 'table1' and 'gate1' entry
+ belongs to the X.400 O/R name space. The X.400 O/R name space does
+ not usually fit into the usual domain name space, although there are
+ a number of similarities; a new name structure is thus needed to
+ represent it. This new name structure contains the X.400 mail
+ domains.
+
+ To ensure the correct functioning of the DNS system, the new X.400
+ name structure must be hooked to the existing domain name space in a
+ way which respects the existing name hierarchy.
+
+ A possible solution was to create another special branch, starting
+ from the root of the DNS tree, somehow similar to the in-addr.arpa
+ tree. This idea would have required to establish a central authority
+
+
+
+Allocchio Standards Track [Page 5]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ to coordinate at international level the management of each national
+ X.400 name tree, including the X.400 public service providers. This
+ coordination problem is a heavy burden if approached globally. More
+ over the X.400 name structure is very 'country oriented': thus while
+ it requires a coordination at national level, it does not have
+ concepts like the international root. In fact the X.400 international
+ service is based on a large number of bilateral agreements, and only
+ within some communities an international coordination service exists.
+
+ The X.400 two letter ISO country codes, however, are the same used
+ for the RFC822 country top-level domains and this gives us an
+ appropriate hook to insert the new branches. The proposal is, in
+ fact, to create under each national top level ISO country code a new
+ branch in the name space. This branch represents exactly the X.400
+ O/R name structure as defined in each single country, following the
+ ADMD, PRMD, O, OU hierarchy. A unique reserved label 'X42D' is placed
+ under each country top-level domain, and hence the national X.400
+ name space derives its own structure:
+
+ . (root)
+ |
+ +-----------------+-----------+--------+-----------------+...
+ | | | |
+ edu it us fr
+ | | | |
+ +---+---+... +-----+-----+... +-----+-----+... +--+---+...
+ | | | | | | | | | |
+ ... ... cnr X42D infn va ca X42D X42D inria
+ | | | |
+ +------------+------------+... ... ... +----+-------+...
+ | | | | |
+ ADMD-PtPostel ADMD-garr ADMD-Master400 ADMD-atlas ADMD-red
+ | | | |
+ +----------+----+... ... +-------+------+... ...
+ | | | |
+ PRMD-infn PRMD-STET PRMD-Telecom PRMD-Renault
+ | | | |
+ ... ... ... ...
+
+
+ The creation of the X.400 new name tree at national level solves the
+ problem of the international coordination. Actually the coordination
+ problem is just moved at national level, but it thus becomes easier
+ to solve. The coordination at national level between the X.400
+ communities and the Internet world is already a requirement for the
+ creation of the national static MIXER mapping tables; the use of the
+ Internet DNS gives further motivations for this coordination.
+
+
+
+
+Allocchio Standards Track [Page 6]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ The coordination at national level also fits in the new concept of
+ MCGAM pubblication. The DNS in fact allows a step by step authority
+ distribution, up to a final complete delegation: thus organizations
+ whishing to publish their MCGAM just need to receive delegation also
+ for their branch of the new X.400 name space. A further advantage of
+ the national based solution is to allow each country to set up its
+ own X.400 name structure in DNS and to deploy its own authority
+ delegation according to its local time scale and requirements, with
+ no loss of global service in the mean time. And last, placing the new
+ X.400 name tree and coordination process at national level fits into
+ the Internet regionalization and internationalisation process, as it
+ requires local bodies to take care of local coordination problems.
+
+ The DNS name space thus contains completely the information required
+ by an e-mail gateway or tool to perform the X.400-RFC822 mapping: a
+ simple query to the nearest nameserver provides it. Moreover there is
+ no more any need to store, maintain and distribute manually any
+ mapping table. The new X.400 name space can also contain further
+ information about the X.400 community, as DNS allows for it a
+ complete set of resource records, and thus it allows further
+ developments. This set of RRs in the new X.400 name space must be
+ considered 'reserved' and thus not used until further specifications.
+
+ The construction of the new domain space trees will follow the same
+ procedures used when organising at first the already existing DNS
+ space: at first the information will be stored in a quite centralised
+ way, and distribution of authority will be gradually achieved. A
+ separate document will describe the implementation phase and the
+ methods to assure a smooth introduction of the new service.
+
+4. The new DNS resource record for MIXER mapping rules: PX
+
+ The specification of the Internet DNS (RFC1035) provides a number of
+ specific resource records (RRs) to contain specific pieces of
+ information. In particular they contain the Mail eXchanger (MX) RR
+ and the host Address (A) records which are used by the Internet SMTP
+ mailers. As we will store the RFC822 to X.400 mapping information in
+ the already existing DNS name tree, we need to define a new DNS RR in
+ order to avoid any possible clash or misuse of already existing data
+ structures. The same new RR will also be used to store the mappings
+ from X.400 to RFC822. More over the mapping information, i.e., the
+ MCGAMs, has a specific format and syntax which require an appropriate
+ data structure and processing. A further advantage of defining a new
+ RR is the ability to include flexibility for some eventual future
+ development.
+
+
+
+
+
+
+Allocchio Standards Track [Page 7]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ The definition of the new 'PX' DNS resource record is:
+
+ class: IN (Internet)
+
+ name: PX (pointer to X.400/RFC822 mapping information)
+
+ value: 26
+
+ The PX RDATA format is:
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PREFERENCE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MAP822 /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / MAPX400 /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ PREFERENCE A 16 bit integer which specifies the preference given to
+ this RR among others at the same owner. Lower values
+ are preferred;
+
+ MAP822 A <domain-name> element containing <rfc822-domain>, the
+ RFC822 part of the MCGAM;
+
+ MAPX400 A <domain-name> element containing the value of
+ <x400-in-domain-syntax> derived from the X.400 part of
+ the MCGAM (see sect. 4.2);
+
+ PX records cause no additional section processing. The PX RR format
+ is the usual one:
+
+ <name> [<class>] [<TTL>] <type> <RDATA>
+
+ When we store in DNS a 'table1' or a 'gate1' entry, then <name> will
+ be an X.400 mail domain name in DNS syntax (see sect. 4.2). When we
+ store a 'table2' or a 'gate2' table entry, <name> will be an RFC822
+ mail domain name, including both fully qualified DNS domains and mail
+ only domains (MX-only domains). All normal DNS conventions, like
+ default values, wildcards, abbreviations and message compression,
+ apply also for all the components of the PX RR. In particular <name>,
+ MAP822 and MAPX400, as <domain-name> elements, must have the final
+ "." (root) when they are fully qualified.
+
+
+
+
+Allocchio Standards Track [Page 8]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+4.1 Additional features of the PX resource record
+
+ The definition of the RDATA for the PX resource record, and the fact
+ that DNS allows a distinction between an exact value and a wildcard
+ match for the <name> parameter, represent an extension of the MIXER
+ specification for mapping rules. In fact, any MCGAM entry is an
+ implicit wildcard entry, i.e., the rule
+
+ net2.it#PRMD$net2.ADMD$p400.C$it#
+
+ covers any RFC822 domain ending with 'net2.it', unless more detailed
+ rules for some subdomain in 'net2.it' are present. Thus there is no
+ possibility to specify explicitly a MCGAM as an exact match only
+ rule. In DNS an entry like
+
+ *.net2.it. IN PX 10 net2.it. PRMD-net2.ADMD-p400.C-it.
+
+ specify the usual wildcard match as for MIXER tables. However an
+ entry like
+
+ ab.net2.it. IN PX 10 ab.net2.it. O-ab.PRMD-net2.ADMDb.C-it.
+
+ is valid only for an exact match of 'ab.net2.it' RFC822 domain.
+
+ Note also that in DNS syntax there is no '#' delimiter around MAP822
+ and MAPX400 fields: the syntax defined in sect. 4.2 in fact does not
+ allow the <blank> (ASCII decimal 32) character within these fields,
+ making unneeded the use of an explicit delimiter as required in the
+ MIXER original syntax.
+
+ Another extension to the MIXER specifications is the PREFERENCE value
+ defined as part of the PX RDATA section. This numeric value has
+ exactly the same meaning than the similar one used for the MX RR. It
+ is thus possible to specify more than one single mapping for a domain
+ (both from RFC822 to X.400 and vice versa), giving as the preference
+ order. In MIXER static tables, however, you cannot specify more than
+ one mapping per each RFC822 domain, and the same restriction apply
+ for any X.400 domain mapping to an RFC822 one.
+
+ More over, in the X.400 recommendations a note suggests than an
+ ADMD=<blank> should be reserved for some special cases. Various
+ national functional profile specifications for an X.400 MHS states
+ that if an X.400 PRMD is reachable via any of its national ADMDs,
+ independently of its actual single or multiple connectivity with
+ them, it should use ADMD=<blank> to advertise this fact. Again, if a
+ PRMD has no connections to any ADMD it should use ADMD=0 to notify
+ its status, etc. However, in most of the current real situations, the
+ ADMD service providers do not accept messages coming from their
+
+
+
+Allocchio Standards Track [Page 9]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ subscribers if they have a blank ADMD, forcing them to have their own
+ ADMD value. In such a situation there are problems in indicating
+ properly the actually working mappings for domains with multiple
+ connectivity. The PX RDATA 'PREFERENCE' extension was introduced to
+ take in consideration these problems.
+
+ However, as these extensions are not available with MIXER static
+ tables, it is strongly discouraged to use them when interworking with
+ any table based gateway or application. The extensions were in fact
+ introduced just to add more flexibility, like the PREFERENCE value,
+ or they were already implicit in the DNS mechanism, like the
+ wildcard specification. They should be used very carefully or just
+ considered 'reserved for future use'. In particular, for current use,
+ the PREFERENCE value in the PX record specification should be fixed
+ to a value of 50, and only wildcard specifications should be used
+ when specifying <name> values.
+
+4.2 The DNS syntax for an X.400 'domain'
+
+ The syntax definition of the MCGAM rules is defined in appendix F of
+ that document. However that syntax is not very human oriented and
+ contains a number of characters which have a special meaning in other
+ fields of the Internet DNS. Thus in order to avoid any possible
+ problem, especially due to some old DNS implementations still being
+ used in the Internet, we define a syntax for the X.400 part of any
+ MCGAM rules (and hence for any X.400 O/R name) which makes it
+ compatible with a <domain-name> element, i.e.,
+
+ <domain-name> ::= <subdomain> | " "
+ <subdomain> ::= <label> | <label> "." <subdomain>
+ <label> ::= <alphanum>|
+ <alphanum> {<alphanumhyphen>} <alphanum>
+ <alphanum> ::= "0".."9" | "A".."Z" | "a".."z"
+ <alphanumhyphen> ::= "0".."9" | "A".."Z" | "a".."z" | "-"
+
+ (see RFC1035, section 2.3.1, page 8). The legal character set for
+ <label> does not correspond to the IA5 Printablestring one used in
+ MIXER to define MCGAM rules. However a very simple "escape mechanism"
+ can be applied in order to bypass the problem. We can in fact simply
+ describe the X.400 part of a MCGAM rule format as:
+
+ <map-rule> ::= <map-elem> | <map-elem> { "." <map-elem> }
+ <map-elem> ::= <attr-label> "$" <attr-value>
+ <attr-label> ::= "C" | "ADMD" | "PRMD" | "O" | "OU"
+ <attr-value> ::= " " | "@" | IA5-Printablestring
+
+
+
+
+
+
+Allocchio Standards Track [Page 10]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ As you can notice <domain-name> and <map-rule> look similar, and also
+ <label> and <map-elem> look the same. If we define the correct method
+ to transform a <map-elem> into a <label> and vice versa the problem
+ to write a MCGAM rule in <domain-name> syntax is solved.
+
+ The RFC822 domain part of any MCGAM rule is of course already in
+ <domain-name> syntax, and thus remains unchanged.
+
+ In particular, in a 'table1' or 'gate1' mapping rule the 'keyword'
+ value must be converted into <x400-in-domain-syntax> (X.400 mail DNS
+ mail domain), while the 'translator' value is already a valid RFC822
+ domain. Vice versa in a 'table2' or 'gate2' mapping rule, the
+ 'translator' must be converted into <x400-in-domain-syntax>, while
+ the 'keyword' is already a valid RFC822 domain.
+
+4.2.1 IA5-Printablestring to <alphanumhyphen> mappings
+
+ The problem of unmatching IA5-Printablestring and <label> character
+ set definition is solved by a simple character mapping rule: whenever
+ an IA5 character does not belong to <alphanumhyphen>, then it is
+ mapped using its 3 digit decimal ASCII code, enclosed in hyphens. A
+ small set of special rules is also defined for the most frequent
+ cases. Moreover some frequent characters combinations used in MIXER
+ rules are also mapped as special cases.
+
+ Let's then define the following simple rules:
+
+ MCGAM rule DNS store translation conditions
+ -----------------------------------------------------------------
+ <attr-label>$@ <attr-label> missing attribute
+ <attr-label>$<blank> <attr-label>"b" blank attribute
+ <attr-label>$xxx <attr-label>-xxx elsewhere
+
+ Non <alphanumhyphen> characters in <attr-value>:
+
+ MCGAM rule DNS store translation conditions
+ -----------------------------------------------------------------
+ - -h- hyphen
+ \. -d- quoted dot
+ <blank> -b- blank
+ <non A/N character> -<3digit-decimal>- elsewhere
+
+ If the DNS store translation of <attr-value> happens to end with an
+ hyphen, then this last hyphen is omitted.
+
+ Let's now have some examples:
+
+
+
+
+
+Allocchio Standards Track [Page 11]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ MCGAM rule DNS store translation conditions
+ -----------------------------------------------------------------
+ PRMD$@ PRMD missing attribute
+ ADMD$<blank> ADMDb blank attribute
+ ADMD$400-net ADMD-400-h-net hyphen mapping
+ PRMD$UK\.BD PRMD-UK-d-BD quoted dot mapping
+ O$ACME Inc\. O-ACME-b-Inc-d blank & final hyphen
+ PRMD$main-400-a PRMD-main-h-400-h-a hyphen mapping
+ O$-123-b O--h-123-h-b hyphen mapping
+ OU$123-x OU-123-h-x hyphen mapping
+ PRMD$Adis+co PRMD-Adis-043-co 3digit mapping
+
+ Thus, an X.400 part from a MCGAM like
+
+ OU$uuu.O$@.PRMD$ppp\.rrr.ADMD$aaa ddd-mmm.C$cc
+
+ translates to
+
+ OU-uuu.O.PRMD-ppp-d-rrr.ADMD-aaa-b-ddd-h-mmm.C-cc
+
+ Another example:
+
+ OU$sales dept\..O$@.PRMD$ACME.ADMD$ .C$GB
+
+ translates to
+
+ OU-sales-b-dept-d.O.PRMD-ACME.ADMDb.C-GB
+
+4.2.2 Flow chart
+
+ In order to achieve the proper DNS store translations of the X.400
+ part of a MCGAM or any other X.400 O/R name, some software tools will
+ be used. It is in fact evident that the above rules for converting
+ mapping table from MIXER to DNS format (and vice versa) are not user
+ friendly enough to think of a human made conversion.
+
+ To help in designing such tools, we describe hereunder a small flow
+ chart. The fundamental rule to be applied during translation is,
+ however, the following:
+
+ "A string must be parsed from left to right, moving appropriately
+ the pointer in order not to consider again the already translated
+ left section of the string in subsequent analysis."
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 12]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ Flow chart 1 - Translation from MIXER to DNS format:
+
+ parse single attribute
+ (enclosed in "." separators)
+ |
+ (yes) --- <label>$@ ? --- (no)
+ | |
+ map to <label> (no) <label>$<blank> ? (yes)
+ | | |
+ | map to <label>- map to <label>"b"
+ | | |
+ | map "\." to -d- |
+ | | |
+ | map "-" to -h- |
+ | | |
+ | map non A/N char to -<3digit>- |
+ restart | | |
+ ^ | remove (if any) last "-" |
+ | | | |
+ | \-------> add a "." <--------------/
+ | |
+ \---------- take next attribute (if any)
+
+
+ Flow chart 2 - Translation from DNS to MIXER format:
+
+
+ parse single attribute
+ (enclosed in "." separators)
+ |
+ (yes) ---- <label> ? ---- (no)
+ | |
+ map to <label>$@ (no) <label>"b" ? (yes)
+ | | |
+ | map to <label>$ map to <label>$<blank>
+ | | |
+ | map -d- to "\." |
+ | | |
+ | map -h- to "-" |
+ | | |
+ | map -b- to " " |
+ restart | | |
+ ^ | map -<3digit>- to non A/N char |
+ | | | |
+ | \--------> add a "." <----------/
+ | |
+ \------------- take next attribute (if any)
+
+
+
+
+Allocchio Standards Track [Page 13]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ Note that the above flow charts deal with the translation of the
+ attributes syntax, only.
+
+4.2.3 The Country Code convention in the <name> value.
+
+ The RFC822 domain space and the X.400 O/R address space, as said in
+ section 3, have one specific common feature: the X.400 ISO country
+ codes are the same as the RFC822 ISO top level domains for countries.
+ In the previous sections we have also defined a method to write in
+ <domain-name> syntax any X.400 domain, while in section 3 we
+ described the new name space starting at each country top level
+ domain under the X42D.cc (where 'cc' is then two letter ISO country
+ code).
+
+ The <name> value for a 'table1' or 'gate1' entry in DNS should thus
+ be derived from the X.400 domain value, translated to <domain-name>
+ syntax, adding the 'X42D.cc.' post-fix to it, i.e.,
+
+ ADMD$acme.C$fr
+
+ produces in <domain-name> syntax the key:
+
+ ADMD-acme.C-fr
+
+ which is post-fixed by 'X42D.fr.' resulting in:
+
+ ADMD-acme.C-fr.X42D.fr.
+
+ However, due to the identical encoding for X.400 country codes and
+ RFC822 country top level domains, the string 'C-fr.X42D.fr.' is
+ clearly redundant.
+
+ We thus define the 'Country Code convention' for the <name> key,
+ i.e.,
+
+ "The C-cc section of an X.400 domain in <domain-name> syntax must
+ be omitted when creating a <name> key, as it is identical to the
+ top level country code used to identify the DNS zone where the
+ information is stored".
+
+ Thus we obtain the following <name> key examples:
+
+ X.400 domain DNS <name> key
+ --------------------------------------------------------------------
+ ADMD$acme.C$fr ADMD-acme.X42D.fr.
+ PRMD$ux\.av.ADMD$ .C$gb PRMD-ux-d-av.ADMDb.X42D.gb.
+ PRMD$ppb.ADMD$Dat 400.C$de PRMD-ppb.ADMD-Dat-b-400.X42D.de.
+
+
+
+
+Allocchio Standards Track [Page 14]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+4.3 Creating the appropriate DNS files
+
+ Using MIXER's assumption of an asymmetric mapping between X.400 and
+ RFC822 addresses, two separate relations are required to store the
+ mapping database: MIXER 'table1' and MIXER 'table2'; thus also in DNS
+ we will maintain the two different sections, even if they will both
+ use the PX resource record. More over MIXER also specify two
+ additional tables: MIXER 'gate1' and 'gate2' tables. These additional
+ tables, however, have the same syntax rules than MIXER 'table1' and
+ 'table2' respectively, and thus the same translation procedure as
+ 'table1' and 'table2' will be applied; some details about the MIXER
+ 'gate1' and 'gate2' tables are discussed in section 4.4.
+
+ Let's now check how to create, from an MCGAM entry, the appropriate
+ DNS entry in a DNS data file. We can again define an MCGAM entry as
+ defined in appendix F of that document as:
+
+ <x400-domain>#<rfc822-domain># (case A: 'table1' and 'gate1'
+ entry)
+
+ and
+
+ <rfc822-domain>#<x400-domain># (case B: 'table2' and 'gate2'
+ entry)
+
+ The two cases must be considered separately. Let's consider case A.
+
+ - take <x400-domain> and translate it into <domain-name> syntax,
+ obtaining <x400-in-domain-syntax>;
+ - create the <name> key from <x400-in-domain-syntax> i.e., apply
+ the Country Code convention described in sect. 4.2.3;
+ - construct the DNS PX record as:
+
+ *.<name> IN PX 50 <rfc822-domain> <x400-in-domain-syntax>
+
+ Please note that within PX RDATA the <rfc822-domain> precedes the
+ <x400-in-domain-syntax> also for a 'table1' and 'gate1' entry.
+
+ an example: from the 'table1' rule
+
+ PRMD$ab.ADMD$ac.C$fr#ab.fr#
+
+ we obtain
+
+ *.PRMD-ab.ADMD-ac.X42D.fr. IN PX 50 ab.fr. PRMD-ab.ADMD-ac.C-fr.
+
+ Note that <name>, <rfc822-domain> and <x400-in-domain-syntax> are
+ fully qualified <domain-name> elements, thus ending with a ".".
+
+
+
+Allocchio Standards Track [Page 15]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ Let's now consider case B.
+
+ - take <rfc822-domain> as <name> key;
+ - translate <x400-domain> into <x400-in-domain-syntax>;
+ - construct the DNS PX record as:
+
+ *.<name> IN PX 50 <rfc822-domain> <x400-in-domain-syntax>
+
+ an example: from the 'table2' rule
+
+ ab.fr#PRMD$ab.ADMD$ac.C$fr#
+
+ we obtain
+
+ *.ab.fr. IN PX 50 ab.fr. PRMD-ab.ADMD-ac.C-fr.
+
+ Again note the fully qualified <domain-name> elements.
+
+ A file containing the MIXER mapping rules and MIXER 'gate1' and
+ 'gate2' table written in DNS format will look like the following
+ fictious example:
+
+ !
+ ! MIXER table 1: X.400 --> RFC822
+ !
+ *.ADMD-acme.X42D.it. IN PX 50 it. ADMD-acme.C-it.
+ *.PRMD-accred.ADMD-tx400.X42D.it. IN PX 50 \
+ accred.it. PRMD-accred.ADMD-tx400.C-it.
+ *.O-u-h-newcity.PRMD-x4net.ADMDb.X42D.it. IN PX 50 \
+ cs.ncty.it. O-u-h-newcity.PRMD-x4net.ADMDb.C-it.
+ !
+ ! MIXER table 2: RFC822 --> X.400
+ !
+ *.nrc.it. IN PX 50 nrc.it. PRMD-nrc.ADMD-acme.C-it.
+ *.ninp.it. IN PX 50 ninp.it. O.PRMD-ninp.ADMD-acme.C-it.
+ *.bd.it. IN PX 50 bd.it. PRMD-uk-d-bd.ADMDb.C-it.
+ !
+ ! MIXER Gate 1 Table
+ !
+ *.ADMD-XKW-h-Mail.X42D.it. IN PX 50 \
+ XKW-gateway.it. ADMD-XKW-h-Mail.C-it.G.
+ *.PRMD-Super-b-Inc.ADMDb.X42D.it. IN PX 50 \
+ GlobalGw.it. PRMD-Super-b-Inc.ADMDb.C-it.G.
+ !
+ ! MIXER Gate 2 Table
+ !
+ my.it. IN PX 50 my.it. OU-int-h-gw.O.PRMD-ninp.ADMD-acme.C-it.G.
+ co.it. IN PX 50 co.it. O-mhs-h-relay.PRMD-x4net.ADMDb.C-it.G.
+
+
+
+Allocchio Standards Track [Page 16]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ (here the "\" indicates continuation on the same line, as wrapping is
+ done only due to typographical reasons).
+
+ Note the special suffix ".G." on the right side of the 'gate1' and
+ 'gate2' Tables section whose aim is described in section 4.4. The
+ corresponding MIXER tables are:
+
+ #
+ # MIXER table 1: X.400 --> RFC822
+ #
+ ADMD$acme.C$it#it#
+ PRMD$accred.ADMD$tx400.C$it#accred.it#
+ O$u-newcity.PRMD$x4net.ADMD$ .C$it#cs.ncty.it#
+ #
+ # MIXER table 2: RFC822 --> X.400
+ #
+ nrc.it#PRMD$nrc.ADMD$acme.C$it#
+ ninp.it#O.PRMD$ninp.ADMD$acme.C$it#
+ bd.it#PRMD$uk\.bd.ADMD$ .C$it#
+ #
+ # MIXER Gate 1 Table
+ #
+ ADMD$XKW-Mail.C$it#XKW-gateway.it#
+ PRMD$Super Inc.ADMD$ .C$it#GlobalGw.it#
+ #
+ # MIXER Gate 2 Table
+ #
+ my.it#OU$int-gw.O$@.PRMD$ninp.ADMD$acme.C$it#
+ co.it#O$mhs-relay.PRMD$x4net.ADMD$ .C$t#
+
+4.4 Storing the MIXER 'gate1' and 'gate2' tables
+
+ Section 4.3.4 of MIXER also specify how an address should be
+ converted between RFC822 and X.400 in case a complete mapping is
+ impossible. To allow the use of DDAs for non mappable domains, the
+ MIXER 'gate2' table is thus introduced.
+
+ In a totally similar way, when an X.400 address cannot be completely
+ converted in RFC822, section 4.3.5 of MIXER specifies how to encode
+ (LHS encoding) the address itself, pointing then to the appropriate
+ MIXER conformant gateway, indicated in the MIXER 'gate1' table.
+
+ DNS must store and distribute also these 'gate1' and 'gate2' data.
+
+ One of the major features of the DNS is the ability to distribute the
+ authority: a certain site runs the "primary" nameserver for one
+ determined sub-tree and thus it is also the only place allowed to
+ update information regarding that sub-tree. This fact allows, in our
+
+
+
+Allocchio Standards Track [Page 17]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ case, a further additional feature to the table based approach. In
+ fact we can avoid one possible ambiguity about the use of the 'gate1'
+ and 'gate2' tables (and thus of LHS and DDAs encoding).
+
+ The authority maintaining a DNS entry in the usual RFC822 domain
+ space is the only one allowed to decide if its domain should be
+ mapped using Standard Attributes (SA) syntax or Domain Defined
+ Attributes (DDA) one. If the authority decides that its RFC822 domain
+ should be mapped using SA, then the PX RDATA will be a 'table2'
+ entry, otherwise it will be a 'gate2' table entry. Thus for an RFC822
+ domain we cannot have any more two possible entries, one from 'table2
+ and another one from 'gate2' table, and the action for a gateway
+ results clearly stated.
+
+ Similarly, the authority mantaining a DNS entry in the new X.400 name
+ space is the only one allowed to decide if its X.400 domain should be
+ mapped using SA syntax or Left Hand Side (LHS) encoding. If the
+ authority decides that its X.400 domain should be mapped using SA,
+ then the PX RDATA will be a 'table1' entry, otherwise it will be a
+ 'gate1' table entry. Thus also for an X.400 domain we cannot have any
+ more two possible entries, one from 'table1' and another one from
+ 'gate1' table, and the action for a gateway results clearly stated.
+
+ The MIXER 'gate1' table syntax is actually identical to MIXER
+ 'table1', and 'gate2' table syntax is identical to MIXER 'table2'.
+ Thus the same syntax translation rules from MIXER to DNS format can
+ be applied in both cases. However a gateway or any other application
+ must know if the answer it got from DNS contains some 'table1',
+ 'table2' or some 'gate1', 'gate2' table information. This is easily
+ obtained flagging with an additional ".G." post-fix the PX RDATA
+ value when it contains a 'gate1' or 'gate2' table entry. The example
+ in section 4.3 shows clearly the result. As any X.400 O/R domain must
+ end with a country code ("C-xx" in our DNS syntax) the additional
+ ".G." creates no conflicts or ambiguities at all. This postfix must
+ obviously be removed before using the MIXER 'gate1' or 'gate2' table
+ data.
+
+5. Finding MIXER mapping information from DNS
+
+ The MIXER mapping information is stored in DNS both in the normal
+ RFC822 domain name space, and in the newly defined X.400 name space.
+ The information, stored in PX resource records, does not represent a
+ full RFC822 or X.400 O/R address: it is a template which specifies
+ the fields of the domain that are used by the mapping algorithm.
+
+ When mapping information is stored in the DNS, queries to the DNS are
+ issued whenever an iterative search through the mapping table would
+ be performed (MIXER: section 4.3.4, State I; section 4.3.5, mapping
+
+
+
+Allocchio Standards Track [Page 18]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ B). Due to the DNS search mechanism, DNS by itself returns the
+ longest possible match in the stored mapping rule with a single
+ query, thus no iteration and/or multiple queries are needed. As
+ specified in MIXER, a search of the mapping table will result in
+ either success (mapping found) or failure (query failed, mapping not
+ found).
+
+ When a DNS query is issued, a third possible result is timeout. If
+ the result is timeout, the gateway operation is delayed and then
+ retried at a later time. A result of success or failure is processed
+ according to the algorithms specified in MIXER. If a DNS error code
+ is returned, an error message should be logged and the gateway
+ operation is delayed as for timeout. These pathological situations,
+ however, should be avoided with a careful duplication and chaching
+ mechanism which DNS itself provides.
+
+ Searching the nameserver which can authoritatively solve the query is
+ automatically performed by the DNS distributed name service.
+
+5.1 A DNS query example
+
+ An MIXER mail-gateway located in the Internet, when translating
+ addresses from RFC822 to X.400, can get information about the MCGAM
+ rule asking the DNS. As an example, when translating the address
+ SUN.CCE.NRC.IT, the gateway will just query DNS for the associated PX
+ resource record. The DNS should contain a PX record like this:
+
+ *.cce.nrc.it. IN PX 50 cce.nrc.it. O-cce.PRMD-nrc.ADMD-acme.C-it.
+
+ The first query will return immediately the appropriate mapping rule
+ in DNS store format.
+
+ There is no ".G." at the end of the obtained PX RDATA value, thus
+ applying the syntax translation specified in paragraph 4.2 the MIXER
+ Table 2 mapping rule will be obtained.
+
+ Let's now take another example where a 'gate2' table rule is
+ returned. If we are looking for an RFC822 domain ending with top
+ level domain "MW", and the DNS contains a PX record like this,
+
+ *.mw. IN PX 50 mw. O-cce.PRMD-nrc.ADMD-acme.C-it.G.
+
+ DNS will return 'mw.' and 'O-cce.PRMD-nrc.ADMD-acme.C-it.G.', i.e., a
+ 'gate2' table entry in DNS store format. Dropping the final ".G." and
+ applying the syntax translation specified in paragraph 4.2 the
+ original rule will be available. More over, the ".G." flag also tells
+ the gateway to use DDA encoding for the inquired RFC822 domain.
+
+
+
+
+Allocchio Standards Track [Page 19]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ On the other hand, translating from X.400 to RFC822 the address
+
+ C=de; ADMD=pkz; PRMD=nfc; O=top;
+
+ the mail gateway should convert the syntax according to paragraph
+ 4.2, apply the 'Country code convention' described in 4.2.3 to derive
+ the appropriate DNS translation of the X.400 O/R name and then query
+ DNS for the corresponding PX resource record. The obtained record for
+ which the PX record must be queried is thus:
+
+ O-top.PRMD-nfc.ADMD-pkz.X42D.de.
+
+ The DNS could contain:
+
+ *.ADMD-pkz.X42D.de. IN PX 50 pkz.de. ADMD-pkz.C-de.
+
+ Assuming that there are not more specific records in DNS, the
+ wildcard mechanism will return the MIXER 'table1' rule in encoded
+ format.
+
+ Finally, an example where a 'gate1' rule is involved. If we are
+ looking for an X.400 domain ending with ADMD=PWT400; C=US; , and the
+ DNS contains a PX record like this,
+
+ *.ADMD-PWT400.X42D.us. IN PX 50 intGw.com. ADMD-PWT400.C-us.G.
+
+ DNS will return 'intGw.com.' and 'ADMD-PWT400.C-us.G.', i.e., a
+ 'gate1' table entry in DNS store format. Dropping the final ".G." and
+ applying the syntax translation specified in paragraph 4.2 the
+ original rule will be available. More over, the ".G." flag also tells
+ the gateway to use LHS encoding for the inquired X.400 domain.
+
+6. Administration of mapping information
+
+ The DNS, using the PX RR, is able to distribute the MCGAM rules to
+ all MIXER gateways located on the Internet. However, not all MIXER
+ gateways will be able to use the Internet DNS. It is expected that
+ some gateways in a particular management domain will conform to one
+ of the following models:
+
+ (a) Table-based, (b) DNS-based, (c) X.500-based
+
+ Table-based management domains will continue to publish their MCGAM
+ rules and retrieve the mapping tables via the International Mapping
+ Table coordinator, manually or via some automated procedures. Their
+ MCGAM information can be made available also in DNS by the
+ appropriate DNS authorities, using the same mechanism already in
+ place for MX records: if a branch has not yet in place its own DNS
+
+
+
+Allocchio Standards Track [Page 20]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ server, some higher authority in the DNS tree will provide the
+ service for it. A transition procedure similar to the one used to
+ migrate from the 'hosts.txt' tables to DNS can be applied also to the
+ deployment phase of this specification. An informational document
+ describing the implementation phase and the detailed coordination
+ procedures is expected.
+
+ Another distributed directory service which can distribute the MCGAM
+ information is X.500. Coordination with table-based domains can be
+ obtained in an identical way as for the DNS case.
+
+ Coordination of MCGAM information between DNS and X.500 is more
+ complex, as it requies some kind of uploading information between the
+ two systems. The ideal solution is a dynamic alignment mechanism
+ which transparently makes the DNS mapping information available in
+ X.500 and vice versa. Some work in this specific field is already
+ being done [see Costa] which can result in a global transparent
+ directory service, where the information is stored in DNS or in
+ X.500, but is visible completely by any of the two systems.
+
+ However we must remind that MIXER concept of MCGAM rules publication
+ is different from the old RFC1327 concept of globally distributed,
+ coordinated and unique mapping rules. In fact MIXER does not requires
+ any more for any conformant gateway or tool to know the complete set
+ of MCGAM: it only requires to use some set (eventually empty) of
+ valid MCGAM rules, published either by Tables, DNS or X.500
+ mechanisms or any combination of these methods. More over MIXER
+ specifies that also incomplete sets of MCGAM can be used, and
+ supplementary local unpublished (but valid) MCGAM can also be used.
+ As a consequence, the problem of coordination between the three
+ systems proposed by MIXER for MCGAM publication is non essential, and
+ important only for efficient operational matters. It does not in fact
+ affect the correct behaviour of MIXER conformant gateways and tools.
+
+7. Conclusion
+
+ The introduction of the new PX resource record and the definition of
+ the X.400 O/R name space in the DNS structure provide a good
+ repository for MCGAM information. The mapping information is stored
+ in the DNS tree structure so that it can be easily obtained using the
+ DNS distributed name service. At the same time the definition of the
+ appropriate DNS space for X.400 O/R names provide a repository where
+ to store and distribute some other X.400 MHS information. The use of
+ the DNS has many known advantages in storing, managing and updating
+ the information. A successful number of tests were been performed
+ under the provisional top level domain "X400.IT" when RFC1664 was
+ developed, and their results confirmed the advantages of the method.
+ Operational exeprience for over 2 years with RFC1664 specification
+
+
+
+Allocchio Standards Track [Page 21]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ confirmed the feasibility of the method, and helped identifying some
+ operational procedures to deploy the insertion of MCGAM into DNS.
+
+ Software to query the DNS and then to convert between the textual
+ representation of DNS resource records and the address format defined
+ in MIXER was developed with RFC1664. This software also allows a
+ smooth implementation and deployment period, eventually taking care
+ of the transition phase. This software can be easily used (with
+ little or null modification) also for this updated specification,
+ supporting the new 'gate1' MIXER table. DNS software implementations
+ supporting RFC1664 also supports with no modification this memo new
+ specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 22]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ A further informational document describing operational and
+ implementation of the service is expected.
+
+8. Acknowledgements
+
+ We wish to thanks all those who contributed to the discussion and
+ revision of this document: many of their ideas and suggestions
+ constitute essential parts of this work. In particular thanks to Jon
+ Postel, Paul Mockapetris, Rob Austin and the whole IETF x400ops,
+ TERENA wg-msg and IETF namedroppers groups. A special mention to
+ Christian Huitema for his fundamental contribution to this work.
+
+ This document is a revision of RFC1664, edited by one of its authors
+ on behalf of the IETF MIXER working group. The current editor wishes
+ to thank here also the authors of RFC1664:
+
+ Antonio Blasco Bonito RFC822: bonito@cnuce.cnr.it
+ CNUCE - CNR X.400: C=it;A=garr;P=cnr;
+ Reparto infr. reti O=cnuce;S=bonito;
+ Viale S. Maria 36
+ I 56126 Pisa
+ Italy
+
+
+ Bruce Cole RFC822: bcole@cisco.com
+ Cisco Systems Inc. X.400: C=us;A= ;P=Internet;
+ P.O. Box 3075 DD.rfc-822=bcole(a)cisco.com;
+ 1525 O'Brien Drive
+ Menlo Park, CA 94026
+ U.S.A.
+
+
+ Silvia Giordano RFC822: giordano@cscs.ch
+ Centro Svizzero di X.400: C=ch;A=arcom;P=switch;O=cscs;
+ Calcolo Scientifico S=giordano;
+ Via Cantonale
+ CH 6928 Manno
+ Switzerland
+
+
+ Robert Hagens RFC822: hagens@ans.net
+ Advanced Network and Services X.400: C=us;A= ;P=Internet;
+ 1875 Campus Commons Drive DD.rfc-822=hagens(a)ans.net;
+ Reston, VA 22091
+ U.S.A.
+
+
+
+
+
+
+Allocchio Standards Track [Page 23]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+9. References
+
+ [CCITT] CCITT SG 5/VII, "Recommendation X.400, Message Handling
+ Systems: System Model - Service Elements", October 1988.
+
+ [RFC 1327] Kille, S., "Mapping between X.400(1988)/ISO 10021 and RFC
+ 822", RFC 1327, March 1992.
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, USC/Information Sciences Institute, November
+ 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain names - Implementation and
+ Specification", STD 13, RFC 1035, USC/Information Sciences
+ Institute, November 1987.
+
+ [RFC 1033] Lottor, M., "Domain Administrators Operation Guide", RFC
+ 1033, SRI International, November 1987.
+
+ [RFC 2156] Kille, S. E., " MIXER (Mime Internet X.400 Enhanced
+ Relay): Mapping between X.400 and RFC 822/MIME", RFC 2156,
+ January 1998.
+
+ [Costa] Costa, A., Macedo, J., and V. Freitas, "Accessing and
+ Managing DNS Information in the X.500 Directory", Proceeding of
+ the 4th Joint European Networking Conference, Trondheim, NO, May
+ 1993.
+
+10. Security Considerations
+
+ This document specifies a means by which DNS "PX" records can direct
+ the translation between X.400 and Internet mail addresses.
+
+ This can indirectly affect the routing of mail across an gateway
+ between X.400 and Internet Mail. A succesful attack on this service
+ could cause incorrect translation of an originator address (thus
+ "forging" the originator address), or incorrect translation of a
+ recipient address (thus directing the mail to an unauthorized
+ recipient, or making it appear to an authorized recipient, that the
+ message was intended for recipients other than those chosen by the
+ originator) or could force the mail path via some particular gateway
+ or message transfer agent where mail security can be affected by
+ compromised software.
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 24]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+ There are several means by which an attacker might be able to deliver
+ incorrect PX records to a client. These include: (a) compromise of a
+ DNS server, (b) generating a counterfeit response to a client's DNS
+ query, (c) returning incorrect "additional information" in response
+ to an unrelated query.
+
+ Clients using PX records SHOULD ensure that routing and address
+ translations are based only on authoritative answers. Once DNS
+ Security mechanisms [RFC 2065] become more widely deployed, clients
+ SHOULD employ those mechanisms to verify the authenticity and
+ integrity of PX records.
+
+11. Author's Address
+
+ Claudio Allocchio
+ Sincrotrone Trieste
+ SS 14 Km 163.5 Basovizza
+ I 34012 Trieste
+ Italy
+
+ RFC822: Claudio.Allocchio@elettra.trieste.it
+ X.400: C=it;A=garr;P=Trieste;O=Elettra;
+ S=Allocchio;G=Claudio;
+ Phone: +39 40 3758523
+ Fax: +39 40 3758565
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 25]
+
+RFC 2163 MIXER MCGAM January 1998
+
+
+12. Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Allocchio Standards Track [Page 26]
+
diff --git a/contrib/bind9/doc/rfc/rfc2168.txt b/contrib/bind9/doc/rfc/rfc2168.txt
new file mode 100644
index 0000000..3eed1bd
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2168.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Network Working Group R. Daniel
+Request for Comments: 2168 Los Alamos National Laboratory
+Category: Experimental M. Mealling
+ Network Solutions, Inc.
+ June 1997
+
+
+ Resolution of Uniform Resource Identifiers
+ using the Domain Name System
+
+Status of this Memo
+===================
+
+ This memo defines an Experimental Protocol for the Internet
+ community. This memo does not specify an Internet standard of any
+ kind. Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+Abstract:
+=========
+
+ Uniform Resource Locators (URLs) are the foundation of the World Wide
+ Web, and are a vital Internet technology. However, they have proven
+ to be brittle in practice. The basic problem is that URLs typically
+ identify a particular path to a file on a particular host. There is
+ no graceful way of changing the path or host once the URL has been
+ assigned. Neither is there a graceful way of replicating the resource
+ located by the URL to achieve better network utilization and/or fault
+ tolerance. Uniform Resource Names (URNs) have been hypothesized as a
+ adjunct to URLs that would overcome such problems. URNs and URLs are
+ both instances of a broader class of identifiers known as Uniform
+ Resource Identifiers (URIs).
+
+ The requirements document for URN resolution systems[15] defines the
+ concept of a "resolver discovery service". This document describes
+ the first, experimental, RDS. It is implemented by a new DNS Resource
+ Record, NAPTR (Naming Authority PoinTeR), that provides rules for
+ mapping parts of URIs to domain names. By changing the mapping
+ rules, we can change the host that is contacted to resolve a URI.
+ This will allow a more graceful handling of URLs over long time
+ periods, and forms the foundation for a new proposal for Uniform
+ Resource Names.
+
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 1]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ In addition to locating resolvers, the NAPTR provides for other
+ naming systems to be grandfathered into the URN world, provides
+ independence between the name assignment system and the resolution
+ protocol system, and allows multiple services (Name to Location, Name
+ to Description, Name to Resource, ...) to be offered. In conjunction
+ with the SRV RR, the NAPTR record allows those services to be
+ replicated for the purposes of fault tolerance and load balancing.
+
+Introduction:
+=============
+
+ Uniform Resource Locators have been a significant advance in
+ retrieving Internet-accessible resources. However, their brittle
+ nature over time has been recognized for several years. The Uniform
+ Resource Identifier working group proposed the development of Uniform
+ Resource Names to serve as persistent, location-independent
+ identifiers for Internet resources in order to overcome most of the
+ problems with URLs. RFC-1737 [1] sets forth requirements on URNs.
+
+ During the lifetime of the URI-WG, a number of URN proposals were
+ generated. The developers of several of those proposals met in a
+ series of meetings, resulting in a compromise known as the Knoxville
+ framework. The major principle behind the Knoxville framework is
+ that the resolution system must be separate from the way names are
+ assigned. This is in marked contrast to most URLs, which identify the
+ host to contact and the protocol to use. Readers are referred to [2]
+ for background on the Knoxville framework and for additional
+ information on the context and purpose of this proposal.
+
+ Separating the way names are resolved from the way they are
+ constructed provides several benefits. It allows multiple naming
+ approaches and resolution approaches to compete, as it allows
+ different protocols and resolvers to be used. There is just one
+ problem with such a separation - how do we resolve a name when it
+ can't give us directions to its resolver?
+
+ For the short term, DNS is the obvious candidate for the resolution
+ framework, since it is widely deployed and understood. However, it is
+ not appropriate to use DNS to maintain information on a per-resource
+ basis. First of all, DNS was never intended to handle that many
+ records. Second, the limited record size is inappropriate for catalog
+ information. Third, domain names are not appropriate as URNs.
+
+ Therefore our approach is to use DNS to locate "resolvers" that can
+ provide information on individual resources, potentially including
+ the resource itself. To accomplish this, we "rewrite" the URI into a
+ domain name following the rules provided in NAPTR records. Rewrite
+ rules provide considerable power, which is important when trying to
+
+
+
+Daniel & Mealling Experimental [Page 2]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ meet the goals listed above. However, collections of rules can become
+ difficult to understand. To lessen this problem, the NAPTR rules are
+ *always* applied to the original URI, *never* to the output of
+ previous rules.
+
+ Locating a resolver through the rewrite procedure may take multiple
+ steps, but the beginning is always the same. The start of the URI is
+ scanned to extract its colon-delimited prefix. (For URNs, the prefix
+ is always "urn:" and we extract the following colon-delimited
+ namespace identifier [3]). NAPTR resolution begins by taking the
+ extracted string, appending the well-known suffix ".urn.net", and
+ querying the DNS for NAPTR records at that domain name. Based on the
+ results of this query, zero or more additional DNS queries may be
+ needed to locate resolvers for the URI. The details of the
+ conversation between the client and the resolver thus located are
+ outside the bounds of this draft. Three brief examples of this
+ procedure are given in the next section.
+
+ The NAPTR RR provides the level of indirection needed to keep the
+ naming system independent of the resolution system, its protocols,
+ and services. Coupled with the new SRV resource record proposal[4]
+ there is also the potential for replicating the resolver on multiple
+ hosts, overcoming some of the most significant problems of URLs. This
+ is an important and subtle point. Not only do the NAPTR and SRV
+ records allow us to replicate the resource, we can replicate the
+ resolvers that know about the replicated resource. Preventing a
+ single point of failure at the resolver level is a significant
+ benefit. Separating the resolution procedure from the way names are
+ constructed has additional benefits. Different resolution procedures
+ can be used over time, and resolution procedures that are determined
+ to be useful can be extended to deal with additional namespaces.
+
+Caveats
+=======
+
+ The NAPTR proposal is the first resolution procedure to be considered
+ by the URN-WG. There are several concerns about the proposal which
+ have motivated the group to recommend it for publication as an
+ Experimental rather than a standards-track RFC.
+
+ First, URN resolution is new to the IETF and we wish to gain
+ operational experience before recommending any procedure for the
+ standards track. Second, the NAPTR proposal is based on DNS and
+ consequently inherits concerns about security and administration. The
+ recent advancement of the DNSSEC and secure update drafts to Proposed
+ Standard reduce these concerns, but we wish to experiment with those
+ new capabilities in the context of URN administration. A third area
+ of concern is the potential for a noticeable impact on the DNS. We
+
+
+
+Daniel & Mealling Experimental [Page 3]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ believe that the proposal makes appropriate use of caching and
+ additional information, but it is best to go slow where the potential
+ for impact on a core system like the DNS is concerned. Fourth, the
+ rewrite rules in the NAPTR proposal are based on regular expressions.
+ Since regular expressions are difficult for humans to construct
+ correctly, concerns exist about the usability and maintainability of
+ the rules. This is especially true where international character sets
+ are concerned. Finally, the URN-WG is developing a requirements
+ document for URN Resolution Services[15], but that document is not
+ complete. That document needs to precede any resolution service
+ proposals on the standards track.
+
+Terminology
+===========
+
+ "Must" or "Shall" - Software that does not behave in the manner that
+ this document says it must is not conformant to this
+ document.
+ "Should" - Software that does not follow the behavior that this
+ document says it should may still be conformant, but is
+ probably broken in some fundamental way.
+ "May" - Implementations may or may not provide the described
+ behavior, while still remaining conformant to this
+ document.
+
+Brief overview and examples of the NAPTR RR:
+============================================
+
+ A detailed description of the NAPTR RR will be given later, but to
+ give a flavor for the proposal we first give a simple description of
+ the record and three examples of its use.
+
+ The key fields in the NAPTR RR are order, preference, service, flags,
+ regexp, and replacement:
+
+ * The order field specifies the order in which records MUST be
+ processed when multiple NAPTR records are returned in response to a
+ single query. A naming authority may have delegated a portion of
+ its namespace to another agency. Evaluating the NAPTR records in
+ the correct order is necessary for delegation to work properly.
+
+ * The preference field specifies the order in which records SHOULD be
+ processed when multiple NAPTR records have the same value of
+ "order". This field lets a service provider specify the order in
+ which resolvers are contacted, so that more capable machines are
+ contacted in preference to less capable ones.
+
+
+
+
+
+Daniel & Mealling Experimental [Page 4]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ * The service field specifies the resolution protocol and resolution
+ service(s) that will be available if the rewrite specified by the
+ regexp or replacement fields is applied. Resolution protocols are
+ the protocols used to talk with a resolver. They will be specified
+ in other documents, such as [5]. Resolution services are operations
+ such as N2R (URN to Resource), N2L (URN to URL), N2C (URN to URC),
+ etc. These will be discussed in the URN Resolution Services
+ document[6], and their behavior in a particular resolution protocol
+ will be given in the specification for that protocol (see [5] for a
+ concrete example).
+
+ * The flags field contains modifiers that affect what happens in the
+ next DNS lookup, typically for optimizing the process. Flags may
+ also affect the interpretation of the other fields in the record,
+ therefore, clients MUST skip NAPTR records which contain an unknown
+ flag value.
+
+ * The regexp field is one of two fields used for the rewrite rules,
+ and is the core concept of the NAPTR record. The regexp field is a
+ String containing a sed-like substitution expression. (The actual
+ grammar for the substitution expressions is given later in this
+ draft). The substitution expression is applied to the original URN
+ to determine the next domain name to be queried. The regexp field
+ should be used when the domain name to be generated is conditional
+ on information in the URI. If the next domain name is always known,
+ which is anticipated to be a common occurrence, the replacement
+ field should be used instead.
+
+ * The replacement field is the other field that may be used for the
+ rewrite rule. It is an optimization of the rewrite process for the
+ case where the next domain name is fixed instead of being
+ conditional on the content of the URI. The replacement field is a
+ domain name (subject to compression if a DNS sender knows that a
+ given recipient is able to decompress names in this RR type's RDATA
+ field). If the rewrite is more complex than a simple substitution
+ of a domain name, the replacement field should be set to . and the
+ regexp field used.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 5]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ Note that the client applies all the substitutions and performs all
+ lookups, they are not performed in the DNS servers. Note also that it
+ is the belief of the developers of this document that regexps should
+ rarely be used. The replacement field seems adequate for the vast
+ majority of situations. Regexps are only necessary when portions of a
+ namespace are to be delegated to different resolvers. Finally, note
+ that the regexp and replacement fields are, at present, mutually
+ exclusive. However, developers of client software should be aware
+ that a new flag might be defined which requires values in both
+ fields.
+
+Example 1
+---------
+
+ Consider a URN that uses the hypothetical DUNS namespace. DUNS
+ numbers are identifiers for approximately 30 million registered
+ businesses around the world, assigned and maintained by Dunn and
+ Bradstreet. The URN might look like:
+
+ urn:duns:002372413:annual-report-1997
+
+ The first step in the resolution process is to find out about the
+ DUNS namespace. The namespace identifier, "duns", is extracted from
+ the URN, prepended to urn.net, and the NAPTRs for duns.urn.net looked
+ up. It might return records of the form:
+
+duns.urn.net
+;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "s" "dunslink+N2L+N2C" "" dunslink.udp.isi.dandb.com
+ IN NAPTR 100 20 "s" "rcds+N2C" "" rcds.udp.isi.dandb.com
+ IN NAPTR 100 30 "s" "http+N2L+N2C+N2R" "" http.tcp.isi.dandb.com
+
+ The order field contains equal values, indicating that no name
+ delegation order has to be followed. The preference field indicates
+ that the provider would like clients to use the special dunslink
+ protocol, followed by the RCDS protocol, and that HTTP is offered as
+ a last resort. All the records specify the "s" flag, which will be
+ explained momentarily. The service fields say that if we speak
+ dunslink, we will be able to issue either the N2L or N2C requests to
+ obtain a URL or a URC (description) of the resource. The Resource
+ Cataloging and Distribution Service (RCDS)[7] could be used to get a
+ URC for the resource, while HTTP could be used to get a URL, URC, or
+ the resource itself. All the records supply the next domain name to
+ query, none of them need to be rewritten with the aid of regular
+ expressions.
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 6]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ The general case might require multiple NAPTR rewrites to locate a
+ resolver, but eventually we will come to the "terminal NAPTR". Once
+ we have the terminal NAPTR, our next probe into the DNS will be for a
+ SRV or A record instead of another NAPTR. Rather than probing for a
+ non-existent NAPTR record to terminate the loop, the flags field is
+ used to indicate a terminal lookup. If it has a value of "s", the
+ next lookup should be for SRV RRs, "a" denotes that A records should
+ sought. A "p" flag is also provided to indicate that the next action
+ is Protocol-specific, but that looking up another NAPTR will not be
+ part of it.
+
+ Since our example RR specified the "s" flag, it was terminal.
+ Assuming our client does not know the dunslink protocol, our next
+ action is to lookup SRV RRs for rcds.udp.isi.dandb.com, which will
+ tell us hosts that can provide the necessary resolution service. That
+ lookup might return:
+
+ ;; Pref Weight Port Target
+ rcds.udp.isi.dandb.com IN SRV 0 0 1000 defduns.isi.dandb.com
+ IN SRV 0 0 1000 dbmirror.com.au
+ IN SRV 0 0 1000 ukmirror.com.uk
+
+ telling us three hosts that could actually do the resolution, and
+ giving us the port we should use to talk to their RCDS server. (The
+ reader is referred to the SRV proposal [4] for the interpretation of
+ the fields above).
+
+ There is opportunity for significant optimization here. We can return
+ the SRV records as additional information for terminal NAPTRs (and
+ the A records as additional information for those SRVs). While this
+ recursive provision of additional information is not explicitly
+ blessed in the DNS specifications, it is not forbidden, and BIND does
+ take advantage of it [8]. This is a significant optimization. In
+ conjunction with a long TTL for *.urn.net records, the average number
+ of probes to DNS for resolving DUNS URNs would approach one.
+ Therefore, DNS server implementors SHOULD provide additional
+ information with NAPTR responses. The additional information will be
+ either SRV or A records. If SRV records are available, their A
+ records should be provided as recursive additional information.
+
+ Note that the example NAPTR records above are intended to represent
+ the reply the client will see. They are not quite identical to what
+ the domain administrator would put into the zone files. For one
+ thing, the administrator should supply the trailing '.' character on
+ any FQDNs.
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 7]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+Example 2
+---------
+
+ Consider a URN namespace based on MIME Content-Ids. The URN might
+ look like this:
+
+ urn:cid:199606121851.1@mordred.gatech.edu
+
+ (Note that this example is chosen for pedagogical purposes, and does
+ not conform to the recently-approved CID URL scheme.)
+
+ The first step in the resolution process is to find out about the CID
+ namespace. The namespace identifier, cid, is extracted from the URN,
+ prepended to urn.net, and the NAPTR for cid.urn.net looked up. It
+ might return records of the form:
+
+ cid.urn.net
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "" "" "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .
+
+ We have only one NAPTR response, so ordering the responses is not a
+ problem. The replacement field is empty, so we check the regexp
+ field and use the pattern provided there. We apply that regexp to the
+ entire URN to see if it matches, which it does. The \2 part of the
+ substitution expression returns the string "gatech.edu". Since the
+ flags field does not contain "s" or "a", the lookup is not terminal
+ and our next probe to DNS is for more NAPTR records:
+ lookup(query=NAPTR, "gatech.edu").
+
+ Note that the rule does not extract the full domain name from the
+ CID, instead it assumes the CID comes from a host and extracts its
+ domain. While all hosts, such as mordred, could have their very own
+ NAPTR, maintaining those records for all the machines at a site as
+ large as Georgia Tech would be an intolerable burden. Wildcards are
+ not appropriate here since they only return results when there is no
+ exactly matching names already in the system.
+
+ The record returned from the query on "gatech.edu" might look like:
+
+gatech.edu IN NAPTR
+;; order pref flags service regexp replacement
+ IN NAPTR 100 50 "s" "z3950+N2L+N2C" "" z3950.tcp.gatech.edu
+ IN NAPTR 100 50 "s" "rcds+N2C" "" rcds.udp.gatech.edu
+ IN NAPTR 100 50 "s" "http+N2L+N2C+N2R" "" http.tcp.gatech.edu
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 8]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ Continuing with our example, we note that the values of the order and
+ preference fields are equal in all records, so the client is free to
+ pick any record. The flags field tells us that these are the last
+ NAPTR patterns we should see, and after the rewrite (a simple
+ replacement in this case) we should look up SRV records to get
+ information on the hosts that can provide the necessary service.
+
+ Assuming we prefer the Z39.50 protocol, our lookup might return:
+
+ ;; Pref Weight Port Target
+ z3950.tcp.gatech.edu IN SRV 0 0 1000 z3950.gatech.edu
+ IN SRV 0 0 1000 z3950.cc.gatech.edu
+ IN SRV 0 0 1000 z3950.uga.edu
+
+ telling us three hosts that could actually do the resolution, and
+ giving us the port we should use to talk to their Z39.50 server.
+
+ Recall that the regular expression used \2 to extract a domain name
+ from the CID, and \. for matching the literal '.' characters
+ seperating the domain name components. Since '\' is the escape
+ character, literal occurances of a backslash must be escaped by
+ another backslash. For the case of the cid.urn.net record above, the
+ regular expression entered into the zone file should be
+ "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i". When the client code actually
+ receives the record, the pattern will have been converted to
+ "/urn:cid:.+@([^.]+\.)(.*)$/\2/i".
+
+Example 3
+---------
+
+ Even if URN systems were in place now, there would still be a
+ tremendous number of URLs. It should be possible to develop a URN
+ resolution system that can also provide location independence for
+ those URLs. This is related to the requirement in [1] to be able to
+ grandfather in names from other naming systems, such as ISO Formal
+ Public Identifiers, Library of Congress Call Numbers, ISBNs, ISSNs,
+ etc.
+
+ The NAPTR RR could also be used for URLs that have already been
+ assigned. Assume we have the URL for a very popular piece of
+ software that the publisher wishes to mirror at multiple sites around
+ the world:
+
+ http://www.foo.com/software/latest-beta.exe
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 9]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ We extract the prefix, "http", and lookup NAPTR records for
+ http.urn.net. This might return a record of the form
+
+ http.urn.net IN NAPTR
+ ;; order pref flags service regexp replacement
+ 100 90 "" "" "!http://([^/:]+)!\1!i" .
+
+ This expression returns everything after the first double slash and
+ before the next slash or colon. (We use the '!' character to delimit
+ the parts of the substitution expression. Otherwise we would have to
+ use backslashes to escape the forward slashes, and would have a
+ regexp in the zone file that looked like
+ "/http:\\/\\/([^\\/:]+)/\\1/i".).
+
+ Applying this pattern to the URL extracts "www.foo.com". Looking up
+ NAPTR records for that might return:
+
+ www.foo.com
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 100 "s" "http+L2R" "" http.tcp.foo.com
+ IN NAPTR 100 100 "s" "ftp+L2R" "" ftp.tcp.foo.com
+
+ Looking up SRV records for http.tcp.foo.com would return information
+ on the hosts that foo.com has designated to be its mirror sites. The
+ client can then pick one for the user.
+
+NAPTR RR Format
+===============
+
+ The format of the NAPTR RR is given below. The DNS type code for
+ NAPTR is 35.
+
+ Domain TTL Class Order Preference Flags Service Regexp
+ Replacement
+
+ where:
+
+ Domain
+ The domain name this resource record refers to.
+ TTL
+ Standard DNS Time To Live field
+ Class
+ Standard DNS meaning
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 10]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ Order
+ A 16-bit integer specifying the order in which the NAPTR
+ records MUST be processed to ensure correct delegation of
+ portions of the namespace over time. Low numbers are processed
+ before high numbers, and once a NAPTR is found that "matches"
+ a URN, the client MUST NOT consider any NAPTRs with a higher
+ value for order.
+
+ Preference
+ A 16-bit integer which specifies the order in which NAPTR
+ records with equal "order" values SHOULD be processed, low
+ numbers being processed before high numbers. This is similar
+ to the preference field in an MX record, and is used so domain
+ administrators can direct clients towards more capable hosts
+ or lighter weight protocols.
+
+ Flags
+ A String giving flags to control aspects of the rewriting and
+ interpretation of the fields in the record. Flags are single
+ characters from the set [A-Z0-9]. The case of the alphabetic
+ characters is not significant.
+
+ At this time only three flags, "S", "A", and "P", are defined.
+ "S" means that the next lookup should be for SRV records
+ instead of NAPTR records. "A" means that the next lookup
+ should be for A records. The "P" flag says that the remainder
+ of the resolution shall be carried out in a Protocol-specific
+ fashion, and we should not do any more DNS queries.
+
+ The remaining alphabetic flags are reserved. The numeric flags
+ may be used for local experimentation. The S, A, and P flags
+ are all mutually exclusive, and resolution libraries MAY
+ signal an error if more than one is given. (Experimental code
+ and code for assisting in the creation of NAPTRs would be more
+ likely to signal such an error than a client such as a
+ browser). We anticipate that multiple flags will be allowed in
+ the future, so implementers MUST NOT assume that the flags
+ field can only contain 0 or 1 characters. Finally, if a client
+ encounters a record with an unknown flag, it MUST ignore it
+ and move to the next record. This test takes precedence even
+ over the "order" field. Since flags can control the
+ interpretation placed on fields, a novel flag might change the
+ interpretation of the regexp and/or replacement fields such
+ that it is impossible to determine if a record matched a URN.
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 11]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ Service
+ Specifies the resolution service(s) available down this
+ rewrite path. It may also specify the particular protocol that
+ is used to talk with a resolver. A protocol MUST be specified
+ if the flags field states that the NAPTR is terminal. If a
+ protocol is specified, but the flags field does not state that
+ the NAPTR is terminal, the next lookup MUST be for a NAPTR.
+ The client MAY choose not to perform the next lookup if the
+ protocol is unknown, but that behavior MUST NOT be relied
+ upon.
+
+ The service field may take any of the values below (using the
+ Augmented BNF of RFC 822[9]):
+
+ service_field = [ [protocol] *("+" rs)]
+ protocol = ALPHA *31ALPHANUM
+ rs = ALPHA *31ALPHANUM
+ // The protocol and rs fields are limited to 32
+ // characters and must start with an alphabetic.
+ // The current set of "known" strings are:
+ // protocol = "rcds" / "thttp" / "hdl" / "rwhois" / "z3950"
+ // rs = "N2L" / "N2Ls" / "N2R" / "N2Rs" / "N2C"
+ // / "N2Ns" / "L2R" / "L2Ns" / "L2Ls" / "L2C"
+
+ i.e. an optional protocol specification followed by 0 or more
+ resolution services. Each resolution service is indicated by
+ an initial '+' character.
+
+ Note that the empty string is also a valid service field. This
+ will typically be seen at the top levels of a namespace, when
+ it is impossible to know what services and protocols will be
+ offered by a particular publisher within that name space.
+
+ At this time the known protocols are rcds[7], hdl[10] (binary,
+ UDP-based protocols), thttp[5] (a textual, TCP-based
+ protocol), rwhois[11] (textual, UDP or TCP based), and
+ Z39.50[12] (binary, TCP-based). More will be allowed later.
+ The names of the protocols must be formed from the characters
+ [a-Z0-9]. Case of the characters is not significant.
+
+ The service requests currently allowed will be described in
+ more detail in [6], but in brief they are:
+ N2L - Given a URN, return a URL
+ N2Ls - Given a URN, return a set of URLs
+ N2R - Given a URN, return an instance of the resource.
+ N2Rs - Given a URN, return multiple instances of the
+ resource, typically encoded using
+ multipart/alternative.
+
+
+
+Daniel & Mealling Experimental [Page 12]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ N2C - Given a URN, return a collection of meta-
+ information on the named resource. The format of
+ this response is the subject of another document.
+ N2Ns - Given a URN, return all URNs that are also
+ identifers for the resource.
+ L2R - Given a URL, return the resource.
+ L2Ns - Given a URL, return all the URNs that are
+ identifiers for the resource.
+ L2Ls - Given a URL, return all the URLs for instances of
+ of the same resource.
+ L2C - Given a URL, return a description of the
+ resource.
+
+ The actual format of the service request and response will be
+ determined by the resolution protocol, and is the subject for
+ other documents (e.g. [5]). Protocols need not offer all
+ services. The labels for service requests shall be formed from
+ the set of characters [A-Z0-9]. The case of the alphabetic
+ characters is not significant.
+
+ Regexp
+ A STRING containing a substitution expression that is applied
+ to the original URI in order to construct the next domain name
+ to lookup. The grammar of the substitution expression is given
+ in the next section.
+
+ Replacement
+ The next NAME to query for NAPTR, SRV, or A records depending
+ on the value of the flags field. As mentioned above, this may
+ be compressed.
+
+Substitution Expression Grammar:
+================================
+
+ The content of the regexp field is a substitution expression. True
+ sed(1) substitution expressions are not appropriate for use in this
+ application for a variety of reasons, therefore the contents of the
+ regexp field MUST follow the grammar below:
+
+subst_expr = delim-char ere delim-char repl delim-char *flags
+delim-char = "/" / "!" / ... (Any non-digit or non-flag character other
+ than backslash '\'. All occurances of a delim_char in a
+ subst_expr must be the same character.)
+ere = POSIX Extended Regular Expression (see [13], section
+ 2.8.4)
+repl = dns_str / backref / repl dns_str / repl backref
+dns_str = 1*DNS_CHAR
+backref = "\" 1POS_DIGIT
+
+
+
+Daniel & Mealling Experimental [Page 13]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+flags = "i"
+DNS_CHAR = "-" / "0" / ... / "9" / "a" / ... / "z" / "A" / ... / "Z"
+POS_DIGIT = "1" / "2" / ... / "9" ; 0 is not an allowed backref
+value domain name (see RFC-1123 [14]).
+
+ The result of applying the substitution expression to the original
+ URI MUST result in a string that obeys the syntax for DNS host names
+ [14]. Since it is possible for the regexp field to be improperly
+ specified, such that a non-conforming host name can be constructed,
+ client software SHOULD verify that the result is a legal host name
+ before making queries on it.
+
+ Backref expressions in the repl portion of the substitution
+ expression are replaced by the (possibly empty) string of characters
+ enclosed by '(' and ')' in the ERE portion of the substitution
+ expression. N is a single digit from 1 through 9, inclusive. It
+ specifies the N'th backref expression, the one that begins with the
+ N'th '(' and continues to the matching ')'. For example, the ERE
+ (A(B(C)DE)(F)G)
+ has backref expressions:
+ \1 = ABCDEFG
+ \2 = BCDE
+ \3 = C
+ \4 = F
+ \5..\9 = error - no matching subexpression
+
+ The "i" flag indicates that the ERE matching SHALL be performed in a
+ case-insensitive fashion. Furthermore, any backref replacements MAY
+ be normalized to lower case when the "i" flag is given.
+
+ The first character in the substitution expression shall be used as
+ the character that delimits the components of the substitution
+ expression. There must be exactly three non-escaped occurrences of
+ the delimiter character in a substitution expression. Since escaped
+ occurrences of the delimiter character will be interpreted as
+ occurrences of that character, digits MUST NOT be used as delimiters.
+ Backrefs would be confused with literal digits were this allowed.
+ Similarly, if flags are specified in the substitution expression, the
+ delimiter character must not also be a flag character.
+
+
+
+
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 14]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+Advice to domain administrators:
+================================
+
+ Beware of regular expressions. Not only are they a pain to get
+ correct on their own, but there is the previously mentioned
+ interaction with DNS. Any backslashes in a regexp must be entered
+ twice in a zone file in order to appear once in a query response.
+ More seriously, the need for double backslashes has probably not been
+ tested by all implementors of DNS servers. We anticipate that urn.net
+ will be the heaviest user of regexps. Only when delegating portions
+ of namespaces should the typical domain administrator need to use
+ regexps.
+
+ On a related note, beware of interactions with the shell when
+ manipulating regexps from the command line. Since '\' is a common
+ escape character in shells, there is a good chance that when you
+ think you are saying "\\" you are actually saying "\". Similar
+ caveats apply to characters such as
+
+ The "a" flag allows the next lookup to be for A records rather than
+ SRV records. Since there is no place for a port specification in the
+ NAPTR record, when the "A" flag is used the specified protocol must
+ be running on its default port.
+
+ The URN Sytnax draft defines a canonical form for each URN, which
+ requires %encoding characters outside a limited repertoire. The
+ regular expressions MUST be written to operate on that canonical
+ form. Since international character sets will end up with extensive
+ use of %encoded characters, regular expressions operating on them
+ will be essentially impossible to read or write by hand.
+
+Usage
+=====
+
+ For the edification of implementers, pseudocode for a client routine
+ using NAPTRs is given below. This code is provided merely as a
+ convience, it does not have any weight as a standard way to process
+ NAPTR records. Also, as is the case with pseudocode, it has never
+ been executed and may contain logical errors. You have been warned.
+
+ //
+ // findResolver(URN)
+ // Given a URN, find a host that can resolve it.
+ //
+ findResolver(string URN) {
+ // prepend prefix to urn.net
+ sprintf(key, "%s.urn.net", extractNS(URN));
+ do {
+
+
+
+Daniel & Mealling Experimental [Page 15]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ rewrite_flag = false;
+ terminal = false;
+ if (key has been seen) {
+ quit with a loop detected error
+ }
+ add key to list of "seens"
+ records = lookup(type=NAPTR, key); // get all NAPTR RRs for 'key'
+
+ discard any records with an unknown value in the "flags" field.
+ sort NAPTR records by "order" field and "preference" field
+ (with "order" being more significant than "preference").
+ n_naptrs = number of NAPTR records in response.
+ curr_order = records[0].order;
+ max_order = records[n_naptrs-1].order;
+
+ // Process current batch of NAPTRs according to "order" field.
+ for (j=0; j < n_naptrs && records[j].order <= max_order; j++) {
+ if (unknown_flag) // skip this record and go to next one
+ continue;
+ newkey = rewrite(URN, naptr[j].replacement, naptr[j].regexp);
+ if (!newkey) // Skip to next record if the rewrite didn't
+ match continue;
+ // We did do a rewrite, shrink max_order to current value
+ // so that delegation works properly
+ max_order = naptr[j].order;
+ // Will we know what to do with the protocol and services
+ // specified in the NAPTR? If not, try next record.
+ if(!isKnownProto(naptr[j].services)) {
+ continue;
+ }
+ if(!isKnownService(naptr[j].services)) {
+ continue;
+ }
+
+ // At this point we have a successful rewrite and we will
+ // know how to speak the protocol and request a known
+ // resolution service. Before we do the next lookup, check
+ // some optimization possibilities.
+
+ if (strcasecmp(flags, "S")
+ || strcasecmp(flags, "P"))
+ || strcasecmp(flags, "A")) {
+ terminal = true;
+ services = naptr[j].services;
+ addnl = any SRV and/or A records returned as additional
+ info for naptr[j].
+ }
+ key = newkey;
+
+
+
+Daniel & Mealling Experimental [Page 16]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ rewriteflag = true;
+ break;
+ }
+ } while (rewriteflag && !terminal);
+
+ // Did we not find our way to a resolver?
+ if (!rewrite_flag) {
+ report an error
+ return NULL;
+ }
+
+
+ // Leave rest to another protocol?
+ if (strcasecmp(flags, "P")) {
+ return key as host to talk to;
+ }
+
+ // If not, keep plugging
+ if (!addnl) { // No SRVs came in as additional info, look them up
+ srvs = lookup(type=SRV, key);
+ }
+
+ sort SRV records by preference, weight, ...
+ foreach (SRV record) { // in order of preference
+ try contacting srv[j].target using the protocol and one of the
+ resolution service requests from the "services" field of the
+ last NAPTR record.
+ if (successful)
+ return (target, protocol, service);
+ // Actually we would probably return a result, but this
+ // code was supposed to just tell us a good host to talk to.
+ }
+ die with an "unable to find a host" error;
+ }
+
+Notes:
+======
+
+ - A client MUST process multiple NAPTR records in the order
+ specified by the "order" field, it MUST NOT simply use the first
+ record that provides a known protocol and service combination.
+
+
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 17]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ - If a record at a particular order matches the URI, but the
+ client doesn't know the specified protocol and service, the
+ client SHOULD continue to examine records that have the same
+ order. The client MUST NOT consider records with a higher value
+ of order. This is necessary to make delegation of portions of
+ the namespace work. The order field is what lets site
+ administrators say "all requests for URIs matching pattern x go
+ to server 1, all others go to server 2".
+ (A match is defined as:
+ 1) The NAPTR provides a replacement domain name
+ or
+ 2) The regular expression matches the URN
+ )
+
+ - When multiple RRs have the same "order", the client should use
+ the value of the preference field to select the next NAPTR to
+ consider. However, because of preferred protocols or services,
+ estimates of network distance and bandwidth, etc. clients may
+ use different criteria to sort the records.
+ - If the lookup after a rewrite fails, clients are strongly
+ encouraged to report a failure, rather than backing up to pursue
+ other rewrite paths.
+ - When a namespace is to be delegated among a set of resolvers,
+ regexps must be used. Each regexp appears in a separate NAPTR
+ RR. Administrators should do as little delegation as possible,
+ because of limitations on the size of DNS responses.
+ - Note that SRV RRs impose additional requirements on clients.
+
+Acknowledgments:
+=================
+
+ The editors would like to thank Keith Moore for all his consultations
+ during the development of this draft. We would also like to thank
+ Paul Vixie for his assistance in debugging our implementation, and
+ his answers on our questions. Finally, we would like to acknowledge
+ our enormous intellectual debt to the participants in the Knoxville
+ series of meetings, as well as to the participants in the URI and URN
+ working groups.
+
+References:
+===========
+
+ [1] Sollins, Karen and Larry Masinter, "Functional Requirements
+ for Uniform Resource Names", RFC-1737, Dec. 1994.
+
+ [2] The URN Implementors, Uniform Resource Names: A Progress Report,
+ http://www.dlib.org/dlib/february96/02arms.html, D-Lib Magazine,
+ February 1996.
+
+
+
+Daniel & Mealling Experimental [Page 18]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+ [3] Moats, Ryan, "URN Syntax", RFC-2141, May 1997.
+
+ [4] Gulbrandsen, A. and P. Vixie, "A DNS RR for specifying
+ the location of services (DNS SRV)", RFC-2052, October 1996.
+
+ [5] Daniel, Jr., Ron, "A Trivial Convention for using HTTP in URN
+ Resolution", RFC-2169, June 1997.
+
+ [6] URN-WG, "URN Resolution Services", Work in Progress.
+
+ [7] Moore, Keith, Shirley Browne, Jason Cox, and Jonathan Gettler,
+ Resource Cataloging and Distribution System, Technical Report
+ CS-97-346, University of Tennessee, Knoxville, December 1996
+
+ [8] Paul Vixie, personal communication.
+
+ [9] Crocker, Dave H. "Standard for the Format of ARPA Internet Text
+ Messages", RFC-822, August 1982.
+
+ [10] Orth, Charles and Bill Arms; Handle Resolution Protocol
+ Specification, http://www.handle.net/docs/client_spec.html
+
+ [11] Williamson, S., M. Kosters, D. Blacka, J. Singh, K. Zeilstra,
+ "Referral Whois Protocol (RWhois)", RFC-2167, June 1997.
+
+ [12] Information Retrieval (Z39.50): Application Service Definition
+ and Protocol Specification, ANSI/NISO Z39.50-1995, July 1995.
+
+ [13] IEEE Standard for Information Technology - Portable Operating
+ System Interface (POSIX) - Part 2: Shell and Utilities (Vol. 1);
+ IEEE Std 1003.2-1992; The Institute of Electrical and
+ Electronics Engineers; New York; 1993. ISBN:1-55937-255-9
+
+ [14] Braden, R., "Requirements for Internet Hosts - Application and
+ and Support", RFC-1123, Oct. 1989.
+
+ [15] Sollins, Karen, "Requirements and a Framework for URN Resolution
+ Systems", November 1996, Work in Progress.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 19]
+
+RFC 2168 Resolution of URIs Using the DNS June 1997
+
+
+Security Considerations
+=======================
+
+ The use of "urn.net" as the registry for URN namespaces is subject to
+ denial of service attacks, as well as other DNS spoofing attacks. The
+ interactions with DNSSEC are currently being studied. It is expected
+ that NAPTR records will be signed with SIG records once the DNSSEC
+ work is deployed.
+
+ The rewrite rules make identifiers from other namespaces subject to
+ the same attacks as normal domain names. Since they have not been
+ easily resolvable before, this may or may not be considered a
+ problem.
+
+ Regular expressions should be checked for sanity, not blindly passed
+ to something like PERL.
+
+ This document has discussed a way of locating a resolver, but has not
+ discussed any detail of how the communication with the resolver takes
+ place. There are significant security considerations attached to the
+ communication with a resolver. Those considerations are outside the
+ scope of this document, and must be addressed by the specifications
+ for particular resolver communication protocols.
+
+Author Contact Information:
+===========================
+
+ Ron Daniel
+ Los Alamos National Laboratory
+ MS B287
+ Los Alamos, NM, USA, 87545
+ voice: +1 505 665 0597
+ fax: +1 505 665 4939
+ email: rdaniel@lanl.gov
+
+
+ Michael Mealling
+ Network Solutions
+ 505 Huntmar Park Drive
+ Herndon, VA 22070
+ voice: (703) 742-0400
+ fax: (703) 742-9552
+ email: michaelm@internic.net
+ URL: http://www.netsol.com/
+
+
+
+
+
+
+
+Daniel & Mealling Experimental [Page 20]
+
diff --git a/contrib/bind9/doc/rfc/rfc2181.txt b/contrib/bind9/doc/rfc/rfc2181.txt
new file mode 100644
index 0000000..7899e1c
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2181.txt
@@ -0,0 +1,842 @@
+
+
+
+
+
+
+Network Working Group R. Elz
+Request for Comments: 2181 University of Melbourne
+Updates: 1034, 1035, 1123 R. Bush
+Category: Standards Track RGnet, Inc.
+ July 1997
+
+
+ Clarifications to the DNS Specification
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+1. Abstract
+
+ This document considers some areas that have been identified as
+ problems with the specification of the Domain Name System, and
+ proposes remedies for the defects identified. Eight separate issues
+ are considered:
+
+ + IP packet header address usage from multi-homed servers,
+ + TTLs in sets of records with the same name, class, and type,
+ + correct handling of zone cuts,
+ + three minor issues concerning SOA records and their use,
+ + the precise definition of the Time to Live (TTL)
+ + Use of the TC (truncated) header bit
+ + the issue of what is an authoritative, or canonical, name,
+ + and the issue of what makes a valid DNS label.
+
+ The first six of these are areas where the correct behaviour has been
+ somewhat unclear, we seek to rectify that. The other two are already
+ adequately specified, however the specifications seem to be sometimes
+ ignored. We seek to reinforce the existing specifications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 1]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+
+
+Contents
+
+ 1 Abstract ................................................... 1
+ 2 Introduction ............................................... 2
+ 3 Terminology ................................................ 3
+ 4 Server Reply Source Address Selection ...................... 3
+ 5 Resource Record Sets ....................................... 4
+ 6 Zone Cuts .................................................. 8
+ 7 SOA RRs .................................................... 10
+ 8 Time to Live (TTL) ......................................... 10
+ 9 The TC (truncated) header bit .............................. 11
+ 10 Naming issues .............................................. 11
+ 11 Name syntax ................................................ 13
+ 12 Security Considerations .................................... 14
+ 13 References ................................................. 14
+ 14 Acknowledgements ........................................... 15
+ 15 Authors' Addresses ......................................... 15
+
+
+
+
+2. Introduction
+
+ Several problem areas in the Domain Name System specification
+ [RFC1034, RFC1035] have been noted through the years [RFC1123]. This
+ document addresses several additional problem areas. The issues here
+ are independent. Those issues are the question of which source
+ address a multi-homed DNS server should use when replying to a query,
+ the issue of differing TTLs for DNS records with the same label,
+ class and type, and the issue of canonical names, what they are, how
+ CNAME records relate, what names are legal in what parts of the DNS,
+ and what is the valid syntax of a DNS name.
+
+ Clarifications to the DNS specification to avoid these problems are
+ made in this memo. A minor ambiguity in RFC1034 concerned with SOA
+ records is also corrected, as is one in the definition of the TTL
+ (Time To Live) and some possible confusion in use of the TC bit.
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 2]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+3. Terminology
+
+ This memo does not use the oft used expressions MUST, SHOULD, MAY, or
+ their negative forms. In some sections it may seem that a
+ specification is worded mildly, and hence some may infer that the
+ specification is optional. That is not correct. Anywhere that this
+ memo suggests that some action should be carried out, or must be
+ carried out, or that some behaviour is acceptable, or not, that is to
+ be considered as a fundamental aspect of this specification,
+ regardless of the specific words used. If some behaviour or action
+ is truly optional, that will be clearly specified by the text.
+
+4. Server Reply Source Address Selection
+
+ Most, if not all, DNS clients, expect the address from which a reply
+ is received to be the same address as that to which the query
+ eliciting the reply was sent. This is true for servers acting as
+ clients for the purposes of recursive query resolution, as well as
+ simple resolver clients. The address, along with the identifier (ID)
+ in the reply is used for disambiguating replies, and filtering
+ spurious responses. This may, or may not, have been intended when
+ the DNS was designed, but is now a fact of life.
+
+ Some multi-homed hosts running DNS servers generate a reply using a
+ source address that is not the same as the destination address from
+ the client's request packet. Such replies will be discarded by the
+ client because the source address of the reply does not match that of
+ a host to which the client sent the original request. That is, it
+ appears to be an unsolicited response.
+
+4.1. UDP Source Address Selection
+
+ To avoid these problems, servers when responding to queries using UDP
+ must cause the reply to be sent with the source address field in the
+ IP header set to the address that was in the destination address
+ field of the IP header of the packet containing the query causing the
+ response. If this would cause the response to be sent from an IP
+ address that is not permitted for this purpose, then the response may
+ be sent from any legal IP address allocated to the server. That
+ address should be chosen to maximise the possibility that the client
+ will be able to use it for further queries. Servers configured in
+ such a way that not all their addresses are equally reachable from
+ all potential clients need take particular care when responding to
+ queries sent to anycast, multicast, or similar, addresses.
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 3]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+4.2. Port Number Selection
+
+ Replies to all queries must be directed to the port from which they
+ were sent. When queries are received via TCP this is an inherent
+ part of the transport protocol. For queries received by UDP the
+ server must take note of the source port and use that as the
+ destination port in the response. Replies should always be sent from
+ the port to which they were directed. Except in extraordinary
+ circumstances, this will be the well known port assigned for DNS
+ queries [RFC1700].
+
+5. Resource Record Sets
+
+ Each DNS Resource Record (RR) has a label, class, type, and data. It
+ is meaningless for two records to ever have label, class, type and
+ data all equal - servers should suppress such duplicates if
+ encountered. It is however possible for most record types to exist
+ with the same label, class and type, but with different data. Such a
+ group of records is hereby defined to be a Resource Record Set
+ (RRSet).
+
+5.1. Sending RRs from an RRSet
+
+ A query for a specific (or non-specific) label, class, and type, will
+ always return all records in the associated RRSet - whether that be
+ one or more RRs. The response must be marked as "truncated" if the
+ entire RRSet will not fit in the response.
+
+5.2. TTLs of RRs in an RRSet
+
+ Resource Records also have a time to live (TTL). It is possible for
+ the RRs in an RRSet to have different TTLs. No uses for this have
+ been found that cannot be better accomplished in other ways. This
+ can, however, cause partial replies (not marked "truncated") from a
+ caching server, where the TTLs for some but not all the RRs in the
+ RRSet have expired.
+
+ Consequently the use of differing TTLs in an RRSet is hereby
+ deprecated, the TTLs of all RRs in an RRSet must be the same.
+
+ Should a client receive a response containing RRs from an RRSet with
+ differing TTLs, it should treat this as an error. If the RRSet
+ concerned is from a non-authoritative source for this data, the
+ client should simply ignore the RRSet, and if the values were
+ required, seek to acquire them from an authoritative source. Clients
+ that are configured to send all queries to one, or more, particular
+ servers should treat those servers as authoritative for this purpose.
+ Should an authoritative source send such a malformed RRSet, the
+
+
+
+Elz & Bush Standards Track [Page 4]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ client should treat the RRs for all purposes as if all TTLs in the
+ RRSet had been set to the value of the lowest TTL in the RRSet. In
+ no case may a server send an RRSet with TTLs not all equal.
+
+5.3. DNSSEC Special Cases
+
+ Two of the record types added by DNS Security (DNSSEC) [RFC2065]
+ require special attention when considering the formation of Resource
+ Record Sets. Those are the SIG and NXT records. It should be noted
+ that DNS Security is still very new, and there is, as yet, little
+ experience with it. Readers should be prepared for the information
+ related to DNSSEC contained in this document to become outdated as
+ the DNS Security specification matures.
+
+5.3.1. SIG records and RRSets
+
+ A SIG record provides signature (validation) data for another RRSet
+ in the DNS. Where a zone has been signed, every RRSet in the zone
+ will have had a SIG record associated with it. The data type of the
+ RRSet is included in the data of the SIG RR, to indicate with which
+ particular RRSet this SIG record is associated. Were the rules above
+ applied, whenever a SIG record was included with a response to
+ validate that response, the SIG records for all other RRSets
+ associated with the appropriate node would also need to be included.
+ In some cases, this could be a very large number of records, not
+ helped by their being rather large RRs.
+
+ Thus, it is specifically permitted for the authority section to
+ contain only those SIG RRs with the "type covered" field equal to the
+ type field of an answer being returned. However, where SIG records
+ are being returned in the answer section, in response to a query for
+ SIG records, or a query for all records associated with a name
+ (type=ANY) the entire SIG RRSet must be included, as for any other RR
+ type.
+
+ Servers that receive responses containing SIG records in the
+ authority section, or (probably incorrectly) as additional data, must
+ understand that the entire RRSet has almost certainly not been
+ included. Thus, they must not cache that SIG record in a way that
+ would permit it to be returned should a query for SIG records be
+ received at that server. RFC2065 actually requires that SIG queries
+ be directed only to authoritative servers to avoid the problems that
+ could be caused here, and while servers exist that do not understand
+ the special properties of SIG records, this will remain necessary.
+ However, careful design of SIG record processing in new
+ implementations should permit this restriction to be relaxed in the
+ future, so resolvers do not need to treat SIG record queries
+ specially.
+
+
+
+Elz & Bush Standards Track [Page 5]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ It has been occasionally stated that a received request for a SIG
+ record should be forwarded to an authoritative server, rather than
+ being answered from data in the cache. This is not necessary - a
+ server that has the knowledge of SIG as a special case for processing
+ this way would be better to correctly cache SIG records, taking into
+ account their characteristics. Then the server can determine when it
+ is safe to reply from the cache, and when the answer is not available
+ and the query must be forwarded.
+
+5.3.2. NXT RRs
+
+ Next Resource Records (NXT) are even more peculiar. There will only
+ ever be one NXT record in a zone for a particular label, so
+ superficially, the RRSet problem is trivial. However, at a zone cut,
+ both the parent zone, and the child zone (superzone and subzone in
+ RFC2065 terminology) will have NXT records for the same name. Those
+ two NXT records do not form an RRSet, even where both zones are
+ housed at the same server. NXT RRSets always contain just a single
+ RR. Where both NXT records are visible, two RRSets exist. However,
+ servers are not required to treat this as a special case when
+ receiving NXT records in a response. They may elect to notice the
+ existence of two different NXT RRSets, and treat that as they would
+ two different RRSets of any other type. That is, cache one, and
+ ignore the other. Security aware servers will need to correctly
+ process the NXT record in the received response though.
+
+5.4. Receiving RRSets
+
+ Servers must never merge RRs from a response with RRs in their cache
+ to form an RRSet. If a response contains data that would form an
+ RRSet with data in a server's cache the server must either ignore the
+ RRs in the response, or discard the entire RRSet currently in the
+ cache, as appropriate. Consequently the issue of TTLs varying
+ between the cache and a response does not cause concern, one will be
+ ignored. That is, one of the data sets is always incorrect if the
+ data from an answer differs from the data in the cache. The
+ challenge for the server is to determine which of the data sets is
+ correct, if one is, and retain that, while ignoring the other. Note
+ that if a server receives an answer containing an RRSet that is
+ identical to that in its cache, with the possible exception of the
+ TTL value, it may, optionally, update the TTL in its cache with the
+ TTL of the received answer. It should do this if the received answer
+ would be considered more authoritative (as discussed in the next
+ section) than the previously cached answer.
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 6]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+5.4.1. Ranking data
+
+ When considering whether to accept an RRSet in a reply, or retain an
+ RRSet already in its cache instead, a server should consider the
+ relative likely trustworthiness of the various data. An
+ authoritative answer from a reply should replace cached data that had
+ been obtained from additional information in an earlier reply.
+ However additional information from a reply will be ignored if the
+ cache contains data from an authoritative answer or a zone file.
+
+ The accuracy of data available is assumed from its source.
+ Trustworthiness shall be, in order from most to least:
+
+ + Data from a primary zone file, other than glue data,
+ + Data from a zone transfer, other than glue,
+ + The authoritative data included in the answer section of an
+ authoritative reply.
+ + Data from the authority section of an authoritative answer,
+ + Glue from a primary zone, or glue from a zone transfer,
+ + Data from the answer section of a non-authoritative answer, and
+ non-authoritative data from the answer section of authoritative
+ answers,
+ + Additional information from an authoritative answer,
+ Data from the authority section of a non-authoritative answer,
+ Additional information from non-authoritative answers.
+
+ Note that the answer section of an authoritative answer normally
+ contains only authoritative data. However when the name sought is an
+ alias (see section 10.1.1) only the record describing that alias is
+ necessarily authoritative. Clients should assume that other records
+ may have come from the server's cache. Where authoritative answers
+ are required, the client should query again, using the canonical name
+ associated with the alias.
+
+ Unauthenticated RRs received and cached from the least trustworthy of
+ those groupings, that is data from the additional data section, and
+ data from the authority section of a non-authoritative answer, should
+ not be cached in such a way that they would ever be returned as
+ answers to a received query. They may be returned as additional
+ information where appropriate. Ignoring this would allow the
+ trustworthiness of relatively untrustworthy data to be increased
+ without cause or excuse.
+
+ When DNS security [RFC2065] is in use, and an authenticated reply has
+ been received and verified, the data thus authenticated shall be
+ considered more trustworthy than unauthenticated data of the same
+ type. Note that throughout this document, "authoritative" means a
+ reply with the AA bit set. DNSSEC uses trusted chains of SIG and KEY
+
+
+
+Elz & Bush Standards Track [Page 7]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ records to determine the authenticity of data, the AA bit is almost
+ irrelevant. However DNSSEC aware servers must still correctly set
+ the AA bit in responses to enable correct operation with servers that
+ are not security aware (almost all currently).
+
+ Note that, glue excluded, it is impossible for data from two
+ correctly configured primary zone files, two correctly configured
+ secondary zones (data from zone transfers) or data from correctly
+ configured primary and secondary zones to ever conflict. Where glue
+ for the same name exists in multiple zones, and differs in value, the
+ nameserver should select data from a primary zone file in preference
+ to secondary, but otherwise may choose any single set of such data.
+ Choosing that which appears to come from a source nearer the
+ authoritative data source may make sense where that can be
+ determined. Choosing primary data over secondary allows the source
+ of incorrect glue data to be discovered more readily, when a problem
+ with such data exists. Where a server can detect from two zone files
+ that one or more are incorrectly configured, so as to create
+ conflicts, it should refuse to load the zones determined to be
+ erroneous, and issue suitable diagnostics.
+
+ "Glue" above includes any record in a zone file that is not properly
+ part of that zone, including nameserver records of delegated sub-
+ zones (NS records), address records that accompany those NS records
+ (A, AAAA, etc), and any other stray data that might appear.
+
+5.5. Sending RRSets (reprise)
+
+ A Resource Record Set should only be included once in any DNS reply.
+ It may occur in any of the Answer, Authority, or Additional
+ Information sections, as required. However it should not be repeated
+ in the same, or any other, section, except where explicitly required
+ by a specification. For example, an AXFR response requires the SOA
+ record (always an RRSet containing a single RR) be both the first and
+ last record of the reply. Where duplicates are required this way,
+ the TTL transmitted in each case must be the same.
+
+6. Zone Cuts
+
+ The DNS tree is divided into "zones", which are collections of
+ domains that are treated as a unit for certain management purposes.
+ Zones are delimited by "zone cuts". Each zone cut separates a
+ "child" zone (below the cut) from a "parent" zone (above the cut).
+ The domain name that appears at the top of a zone (just below the cut
+ that separates the zone from its parent) is called the zone's
+ "origin". The name of the zone is the same as the name of the domain
+ at the zone's origin. Each zone comprises that subset of the DNS
+ tree that is at or below the zone's origin, and that is above the
+
+
+
+Elz & Bush Standards Track [Page 8]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ cuts that separate the zone from its children (if any). The
+ existence of a zone cut is indicated in the parent zone by the
+ existence of NS records specifying the origin of the child zone. A
+ child zone does not contain any explicit reference to its parent.
+
+6.1. Zone authority
+
+ The authoritative servers for a zone are enumerated in the NS records
+ for the origin of the zone, which, along with a Start of Authority
+ (SOA) record are the mandatory records in every zone. Such a server
+ is authoritative for all resource records in a zone that are not in
+ another zone. The NS records that indicate a zone cut are the
+ property of the child zone created, as are any other records for the
+ origin of that child zone, or any sub-domains of it. A server for a
+ zone should not return authoritative answers for queries related to
+ names in another zone, which includes the NS, and perhaps A, records
+ at a zone cut, unless it also happens to be a server for the other
+ zone.
+
+ Other than the DNSSEC cases mentioned immediately below, servers
+ should ignore data other than NS records, and necessary A records to
+ locate the servers listed in the NS records, that may happen to be
+ configured in a zone at a zone cut.
+
+6.2. DNSSEC issues
+
+ The DNS security mechanisms [RFC2065] complicate this somewhat, as
+ some of the new resource record types added are very unusual when
+ compared with other DNS RRs. In particular the NXT ("next") RR type
+ contains information about which names exist in a zone, and hence
+ which do not, and thus must necessarily relate to the zone in which
+ it exists. The same domain name may have different NXT records in
+ the parent zone and the child zone, and both are valid, and are not
+ an RRSet. See also section 5.3.2.
+
+ Since NXT records are intended to be automatically generated, rather
+ than configured by DNS operators, servers may, but are not required
+ to, retain all differing NXT records they receive regardless of the
+ rules in section 5.4.
+
+ For a secure parent zone to securely indicate that a subzone is
+ insecure, DNSSEC requires that a KEY RR indicating that the subzone
+ is insecure, and the parent zone's authenticating SIG RR(s) be
+ present in the parent zone, as they by definition cannot be in the
+ subzone. Where a subzone is secure, the KEY and SIG records will be
+ present, and authoritative, in that zone, but should also always be
+ present in the parent zone (if secure).
+
+
+
+
+Elz & Bush Standards Track [Page 9]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ Note that in none of these cases should a server for the parent zone,
+ not also being a server for the subzone, set the AA bit in any
+ response for a label at a zone cut.
+
+7. SOA RRs
+
+ Three minor issues concerning the Start of Zone of Authority (SOA)
+ Resource Record need some clarification.
+
+7.1. Placement of SOA RRs in authoritative answers
+
+ RFC1034, in section 3.7, indicates that the authority section of an
+ authoritative answer may contain the SOA record for the zone from
+ which the answer was obtained. When discussing negative caching,
+ RFC1034 section 4.3.4 refers to this technique but mentions the
+ additional section of the response. The former is correct, as is
+ implied by the example shown in section 6.2.5 of RFC1034. SOA
+ records, if added, are to be placed in the authority section.
+
+7.2. TTLs on SOA RRs
+
+ It may be observed that in section 3.2.1 of RFC1035, which defines
+ the format of a Resource Record, that the definition of the TTL field
+ contains a throw away line which states that the TTL of an SOA record
+ should always be sent as zero to prevent caching. This is mentioned
+ nowhere else, and has not generally been implemented.
+ Implementations should not assume that SOA records will have a TTL of
+ zero, nor are they required to send SOA records with a TTL of zero.
+
+7.3. The SOA.MNAME field
+
+ It is quite clear in the specifications, yet seems to have been
+ widely ignored, that the MNAME field of the SOA record should contain
+ the name of the primary (master) server for the zone identified by
+ the SOA. It should not contain the name of the zone itself. That
+ information would be useless, as to discover it, one needs to start
+ with the domain name of the SOA record - that is the name of the
+ zone.
+
+8. Time to Live (TTL)
+
+ The definition of values appropriate to the TTL field in STD 13 is
+ not as clear as it could be, with respect to how many significant
+ bits exist, and whether the value is signed or unsigned. It is
+ hereby specified that a TTL value is an unsigned number, with a
+ minimum value of 0, and a maximum value of 2147483647. That is, a
+ maximum of 2^31 - 1. When transmitted, this value shall be encoded
+ in the less significant 31 bits of the 32 bit TTL field, with the
+
+
+
+Elz & Bush Standards Track [Page 10]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ most significant, or sign, bit set to zero.
+
+ Implementations should treat TTL values received with the most
+ significant bit set as if the entire value received was zero.
+
+ Implementations are always free to place an upper bound on any TTL
+ received, and treat any larger values as if they were that upper
+ bound. The TTL specifies a maximum time to live, not a mandatory
+ time to live.
+
+9. The TC (truncated) header bit
+
+ The TC bit should be set in responses only when an RRSet is required
+ as a part of the response, but could not be included in its entirety.
+ The TC bit should not be set merely because some extra information
+ could have been included, but there was insufficient room. This
+ includes the results of additional section processing. In such cases
+ the entire RRSet that will not fit in the response should be omitted,
+ and the reply sent as is, with the TC bit clear. If the recipient of
+ the reply needs the omitted data, it can construct a query for that
+ data and send that separately.
+
+ Where TC is set, the partial RRSet that would not completely fit may
+ be left in the response. When a DNS client receives a reply with TC
+ set, it should ignore that response, and query again, using a
+ mechanism, such as a TCP connection, that will permit larger replies.
+
+10. Naming issues
+
+ It has sometimes been inferred from some sections of the DNS
+ specification [RFC1034, RFC1035] that a host, or perhaps an interface
+ of a host, is permitted exactly one authoritative, or official, name,
+ called the canonical name. There is no such requirement in the DNS.
+
+10.1. CNAME resource records
+
+ The DNS CNAME ("canonical name") record exists to provide the
+ canonical name associated with an alias name. There may be only one
+ such canonical name for any one alias. That name should generally be
+ a name that exists elsewhere in the DNS, though there are some rare
+ applications for aliases with the accompanying canonical name
+ undefined in the DNS. An alias name (label of a CNAME record) may,
+ if DNSSEC is in use, have SIG, NXT, and KEY RRs, but may have no
+ other data. That is, for any label in the DNS (any domain name)
+ exactly one of the following is true:
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 11]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ + one CNAME record exists, optionally accompanied by SIG, NXT, and
+ KEY RRs,
+ + one or more records exist, none being CNAME records,
+ + the name exists, but has no associated RRs of any type,
+ + the name does not exist at all.
+
+10.1.1. CNAME terminology
+
+ It has been traditional to refer to the label of a CNAME record as "a
+ CNAME". This is unfortunate, as "CNAME" is an abbreviation of
+ "canonical name", and the label of a CNAME record is most certainly
+ not a canonical name. It is, however, an entrenched usage. Care
+ must therefore be taken to be very clear whether the label, or the
+ value (the canonical name) of a CNAME resource record is intended.
+ In this document, the label of a CNAME resource record will always be
+ referred to as an alias.
+
+10.2. PTR records
+
+ Confusion about canonical names has lead to a belief that a PTR
+ record should have exactly one RR in its RRSet. This is incorrect,
+ the relevant section of RFC1034 (section 3.6.2) indicates that the
+ value of a PTR record should be a canonical name. That is, it should
+ not be an alias. There is no implication in that section that only
+ one PTR record is permitted for a name. No such restriction should
+ be inferred.
+
+ Note that while the value of a PTR record must not be an alias, there
+ is no requirement that the process of resolving a PTR record not
+ encounter any aliases. The label that is being looked up for a PTR
+ value might have a CNAME record. That is, it might be an alias. The
+ value of that CNAME RR, if not another alias, which it should not be,
+ will give the location where the PTR record is found. That record
+ gives the result of the PTR type lookup. This final result, the
+ value of the PTR RR, is the label which must not be an alias.
+
+10.3. MX and NS records
+
+ The domain name used as the value of a NS resource record, or part of
+ the value of a MX resource record must not be an alias. Not only is
+ the specification clear on this point, but using an alias in either
+ of these positions neither works as well as might be hoped, nor well
+ fulfills the ambition that may have led to this approach. This
+ domain name must have as its value one or more address records.
+ Currently those will be A records, however in the future other record
+ types giving addressing information may be acceptable. It can also
+ have other RRs, but never a CNAME RR.
+
+
+
+
+Elz & Bush Standards Track [Page 12]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ Searching for either NS or MX records causes "additional section
+ processing" in which address records associated with the value of the
+ record sought are appended to the answer. This helps avoid needless
+ extra queries that are easily anticipated when the first was made.
+
+ Additional section processing does not include CNAME records, let
+ alone the address records that may be associated with the canonical
+ name derived from the alias. Thus, if an alias is used as the value
+ of an NS or MX record, no address will be returned with the NS or MX
+ value. This can cause extra queries, and extra network burden, on
+ every query. It is trivial for the DNS administrator to avoid this
+ by resolving the alias and placing the canonical name directly in the
+ affected record just once when it is updated or installed. In some
+ particular hard cases the lack of the additional section address
+ records in the results of a NS lookup can cause the request to fail.
+
+11. Name syntax
+
+ Occasionally it is assumed that the Domain Name System serves only
+ the purpose of mapping Internet host names to data, and mapping
+ Internet addresses to host names. This is not correct, the DNS is a
+ general (if somewhat limited) hierarchical database, and can store
+ almost any kind of data, for almost any purpose.
+
+ The DNS itself places only one restriction on the particular labels
+ that can be used to identify resource records. That one restriction
+ relates to the length of the label and the full name. The length of
+ any one label is limited to between 1 and 63 octets. A full domain
+ name is limited to 255 octets (including the separators). The zero
+ length full name is defined as representing the root of the DNS tree,
+ and is typically written and displayed as ".". Those restrictions
+ aside, any binary string whatever can be used as the label of any
+ resource record. Similarly, any binary string can serve as the value
+ of any record that includes a domain name as some or all of its value
+ (SOA, NS, MX, PTR, CNAME, and any others that may be added).
+ Implementations of the DNS protocols must not place any restrictions
+ on the labels that can be used. In particular, DNS servers must not
+ refuse to serve a zone because it contains labels that might not be
+ acceptable to some DNS client programs. A DNS server may be
+ configurable to issue warnings when loading, or even to refuse to
+ load, a primary zone containing labels that might be considered
+ questionable, however this should not happen by default.
+
+ Note however, that the various applications that make use of DNS data
+ can have restrictions imposed on what particular values are
+ acceptable in their environment. For example, that any binary label
+ can have an MX record does not imply that any binary name can be used
+ as the host part of an e-mail address. Clients of the DNS can impose
+
+
+
+Elz & Bush Standards Track [Page 13]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+ whatever restrictions are appropriate to their circumstances on the
+ values they use as keys for DNS lookup requests, and on the values
+ returned by the DNS. If the client has such restrictions, it is
+ solely responsible for validating the data from the DNS to ensure
+ that it conforms before it makes any use of that data.
+
+ See also [RFC1123] section 6.1.3.5.
+
+12. Security Considerations
+
+ This document does not consider security.
+
+ In particular, nothing in section 4 is any way related to, or useful
+ for, any security related purposes.
+
+ Section 5.4.1 is also not related to security. Security of DNS data
+ will be obtained by the Secure DNS [RFC2065], which is mostly
+ orthogonal to this memo.
+
+ It is not believed that anything in this document adds to any
+ security issues that may exist with the DNS, nor does it do anything
+ to that will necessarily lessen them. Correct implementation of the
+ clarifications in this document might play some small part in
+ limiting the spread of non-malicious bad data in the DNS, but only
+ DNSSEC can help with deliberate attempts to subvert DNS data.
+
+13. References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts - application
+ and support", STD 3, RFC 1123, January 1989.
+
+ [RFC1700] Reynolds, J., Postel, J., "Assigned Numbers",
+ STD 2, RFC 1700, October 1994.
+
+ [RFC2065] Eastlake, D., Kaufman, C., "Domain Name System Security
+ Extensions", RFC 2065, January 1997.
+
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 14]
+
+RFC 2181 Clarifications to the DNS Specification July 1997
+
+
+14. Acknowledgements
+
+ This memo arose from discussions in the DNSIND working group of the
+ IETF in 1995 and 1996, the members of that working group are largely
+ responsible for the ideas captured herein. Particular thanks to
+ Donald E. Eastlake, 3rd, and Olafur Gudmundsson, for help with the
+ DNSSEC issues in this document, and to John Gilmore for pointing out
+ where the clarifications were not necessarily clarifying. Bob Halley
+ suggested clarifying the placement of SOA records in authoritative
+ answers, and provided the references. Michael Patton, as usual, and
+ Mark Andrews, Alan Barrett and Stan Barber provided much assistance
+ with many details. Josh Littlefield helped make sure that the
+ clarifications didn't cause problems in some irritating corner cases.
+
+15. Authors' Addresses
+
+ Robert Elz
+ Computer Science
+ University of Melbourne
+ Parkville, Victoria, 3052
+ Australia.
+
+ EMail: kre@munnari.OZ.AU
+
+
+ Randy Bush
+ RGnet, Inc.
+ 5147 Crystal Springs Drive NE
+ Bainbridge Island, Washington, 98110
+ United States.
+
+ EMail: randy@psg.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Elz & Bush Standards Track [Page 15]
diff --git a/contrib/bind9/doc/rfc/rfc2230.txt b/contrib/bind9/doc/rfc/rfc2230.txt
new file mode 100644
index 0000000..03995fe
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2230.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group R. Atkinson
+Request for Comments: 2230 NRL
+Category: Informational November 1997
+
+
+ Key Exchange Delegation Record for the DNS
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+ABSTRACT
+
+ This note describes a mechanism whereby authorisation for one node to
+ act as key exchanger for a second node is delegated and made
+ available via the Secure DNS. This mechanism is intended to be used
+ only with the Secure DNS. It can be used with several security
+ services. For example, a system seeking to use IP Security [RFC-
+ 1825, RFC-1826, RFC-1827] to protect IP packets for a given
+ destination can use this mechanism to determine the set of authorised
+ remote key exchanger systems for that destination.
+
+1. INTRODUCTION
+
+
+ The Domain Name System (DNS) is the standard way that Internet nodes
+ locate information about addresses, mail exchangers, and other data
+ relating to remote Internet nodes. [RFC-1035, RFC-1034] More
+ recently, Eastlake and Kaufman have defined standards-track security
+ extensions to the DNS. [RFC-2065] These security extensions can be
+ used to authenticate signed DNS data records and can also be used to
+ store signed public keys in the DNS.
+
+ The KX record is useful in providing an authenticatible method of
+ delegating authorisation for one node to provide key exchange
+ services on behalf of one or more, possibly different, nodes. This
+ note specifies the syntax and semantics of the KX record, which is
+ currently in limited deployment in certain IP-based networks. The
+
+
+
+
+
+
+
+Atkinson Informational [Page 1]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ reader is assumed to be familiar with the basics of DNS, including
+ familiarity with [RFC-1035, RFC-1034]. This document is not on the
+ IETF standards-track and does not specify any level of standard.
+ This document merely provides information for the Internet community.
+
+1.1 Identity Terminology
+
+ This document relies upon the concept of "identity domination". This
+ concept might be new to the reader and so is explained in this
+ section. The subject of endpoint naming for security associations
+ has historically been somewhat contentious. This document takes no
+ position on what forms of identity should be used. In a network,
+ there are several forms of identity that are possible.
+
+ For example, IP Security has defined notions of identity that
+ include: IP Address, IP Address Range, Connection ID, Fully-Qualified
+ Domain Name (FQDN), and User with Fully Qualified Domain Name (USER
+ FQDN).
+
+ A USER FQDN identity dominates a FQDN identity. A FQDN identity in
+ turn dominates an IP Address identity. Similarly, a Connection ID
+ dominates an IP Address identity. An IP Address Range dominates each
+ IP Address identity for each IP address within that IP address range.
+ Also, for completeness, an IP Address identity is considered to
+ dominate itself.
+
+2. APPROACH
+
+ This document specifies a new kind of DNS Resource Record (RR), known
+ as the Key Exchanger (KX) record. A Key Exchanger Record has the
+ mnemonic "KX" and the type code of 36. Each KX record is associated
+ with a fully-qualified domain name. The KX record is modeled on the
+ MX record described in [Part86]. Any given domain, subdomain, or host
+ entry in the DNS might have a KX record.
+
+2.1 IPsec Examples
+
+ In these two examples, let S be the originating node and let D be the
+ destination node. S2 is another node on the same subnet as S. D2 is
+ another node on the same subnet as D. R1 and R2 are IPsec-capable
+ routers. The path from S to D goes via first R1 and later R2. The
+ return path from D to S goes via first R2 and later R1.
+
+ IETF-standard IP Security uses unidirectional Security Associations
+ [RFC-1825]. Therefore, a typical IP session will use a pair of
+ related Security Associations, one in each direction. The examples
+ below talk about how to setup an example Security Association, but in
+ practice a pair of matched Security Associations will normally be
+
+
+
+Atkinson Informational [Page 2]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ used.
+
+2.1.1 Subnet-to-Subnet Example
+
+ If neither S nor D implements IPsec, security can still be provided
+ between R1 and R2 by building a secure tunnel. This can use either
+ AH or ESP.
+
+ S ---+ +----D
+ | |
+ +- R1 -----[zero or more routers]-------R2-+
+ | |
+ S2---+ +----D2
+
+ Figure 1: Network Diagram for Subnet-to-Subnet Example
+
+ In this example, R1 makes the policy decision to provide the IPsec
+ service for traffic from R1 destined for R2. Once R1 has decided
+ that the packet from S to D should be protected, it performs a secure
+ DNS lookup for the records associated with domain D. If R1 only
+ knows the IP address for D, then a secure reverse DNS lookup will be
+ necessary to determine the domain D, before that forward secure DNS
+ lookup for records associated with domain D. If these DNS records of
+ domain D include a KX record for the IPsec service, then R1 knows
+ which set of nodes are authorised key exchanger nodes for the
+ destination D.
+
+ In this example, let there be at least one KX record for D and let
+ the most preferred KX record for D point at R2. R1 then selects a
+ key exchanger (in this example, R2) for D from the list obtained from
+ the secure DNS. Then R1 initiates a key management session with that
+ key exchanger (in this example, R2) to setup an IPsec Security
+ Association between R1 and D. In this example, R1 knows (either by
+ seeing an outbound packet arriving from S destined to D or via other
+ methods) that S will be sending traffic to D. In this example R1's
+ policy requires that traffic from S to D should be segregated at
+ least on a host-to-host basis, so R1 desires an IPsec Security
+ Association with source identity that dominates S, proxy identity
+ that dominates R1, and destination identity that dominates R2.
+
+ In turn, R2 is able to authenticate the delegation of Key Exchanger
+ authorisation for target S to R1 by making an authenticated forward
+ DNS lookup for KX records associated with S and verifying that at
+ least one such record points to R1. The identity S is typically
+ given to R2 as part of the key management process between R1 and R2.
+
+
+
+
+
+
+Atkinson Informational [Page 3]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ If D initially only knows the IP address of S, then it will need to
+ perform a secure reverse DNS lookup to obtain the fully-qualified
+ domain name for S prior to that secure forward DNS lookup.
+
+ If R2 does not receive an authenticated DNS response indicating that
+ R1 is an authorised key exchanger for S, then D will not accept the
+ SA negotiation from R1 on behalf of identity S.
+
+ If the proposed IPsec Security Association is acceptable to both R1
+ and R2, each of which might have separate policies, then they create
+ that IPsec Security Association via Key Management.
+
+ Note that for unicast traffic, Key Management will typically also
+ setup a separate (but related) IPsec Security Association for the
+ return traffic. That return IPsec Security Association will have
+ equivalent identities. In this example, that return IPsec Security
+ Association will have a source identity that dominates D, a proxy
+ identity that dominates R2, and a destination identity that dominates
+ R1.
+
+ Once the IPsec Security Association has been created, then R1 uses it
+ to protect traffic from S destined for D via a secure tunnel that
+ originates at R1 and terminates at R2. For the case of unicast, R2
+ will use the return IPsec Security Association to protect traffic
+ from D destined for S via a secure tunnel that originates at R2 and
+ terminates at R1.
+
+2.1.2 Subnet-to-Host Example
+
+ Consider the case where D and R1 implement IPsec, but S does not
+ implement IPsec, which is an interesting variation on the previous
+ example. This example is shown in Figure 2 below.
+
+ S ---+
+ |
+ +- R1 -----[zero or more routers]-------D
+ |
+ S2---+
+
+ Figure 2: Network Diagram for Subnet-to-Host Example
+
+ In this example, R1 makes the policy decision that IP Security is
+ needed for the packet travelling from S to D. Then, R1 performs the
+ secure DNS lookup for D and determines that D is its own key
+ exchanger, either from the existence of a KX record for D pointing to
+ D or from an authenticated DNS response indicating that no KX record
+ exists for D. If R1 does not initially know the domain name of D,
+ then prior to the above forward secure DNS lookup, R1 performs a
+
+
+
+Atkinson Informational [Page 4]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ secure reverse DNS lookup on the IP address of D to determine the
+ fully-qualified domain name for that IP address. R1 then initiates
+ key management with D to create an IPsec Security Association on
+ behalf of S.
+
+ In turn, D can verify that R1 is authorised to create an IPsec
+ Security Association on behalf of S by performing a DNS KX record
+ lookup for target S. R1 usually provides identity S to D via key
+ management. If D only has the IP address of S, then D will need to
+ perform a secure reverse lookup on the IP address of S to determine
+ domain name S prior to the secure forward DNS lookup on S to locate
+ the KX records for S.
+
+ If D does not receive an authenticated DNS response indicating that
+ R1 is an authorised key exchanger for S, then D will not accept the
+ SA negotiation from R1 on behalf of identity S.
+
+ If the IPsec Security Association is successfully established between
+ R1 and D, that IPsec Security Association has a source identity that
+ dominates S's IP address, a proxy identity that dominates R1's IP
+ address, and a destination identity that dominates D's IP address.
+
+ Finally, R1 begins providing the security service for packets from S
+ that transit R1 destined for D. When D receives such packets, D
+ examines the SA information during IPsec input processing and sees
+ that R1's address is listed as valid proxy address for that SA and
+ that S is the source address for that SA. Hence, D knows at input
+ processing time that R1 is authorised to provide security on behalf
+ of S. Therefore packets coming from R1 with valid IP security that
+ claim to be from S are trusted by D to have really come from S.
+
+2.1.3 Host to Subnet Example
+
+ Now consider the above case from D's perspective (i.e. where D is
+ sending IP packets to S). This variant is sometimes known as the
+ Mobile Host or "roadwarrier" case. The same basic concepts apply, but
+ the details are covered here in hope of improved clarity.
+
+ S ---+
+ |
+ +- R1 -----[zero or more routers]-------D
+ |
+ S2---+
+
+ Figure 3: Network Diagram for Host-to-Subnet Example
+
+
+
+
+
+
+Atkinson Informational [Page 5]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ In this example, D makes the policy decision that IP Security is
+ needed for the packets from D to S. Then D performs the secure DNS
+ lookup for S and discovers that a KX record for S exists and points
+ at R1. If D only has the IP address of S, then it performs a secure
+ reverse DNS lookup on the IP address of S prior to the forward secure
+ DNS lookup for S.
+
+ D then initiates key management with R1, where R1 is acting on behalf
+ of S, to create an appropriate Security Association. Because D is
+ acting as its own key exchanger, R1 does not need to perform a secure
+ DNS lookup for KX records associated with D.
+
+ D and R1 then create an appropriate IPsec Security Security
+ Association. This IPsec Security Association is setup as a secure
+ tunnel with a source identity that dominates D's IP Address and a
+ destination identity that dominates R1's IP Address. Because D
+ performs IPsec for itself, no proxy identity is needed in this IPsec
+ Security Association. If the proxy identity is non-null in this
+ situation, then the proxy identity must dominate D's IP Address.
+
+ Finally, D sends secured IP packets to R1. R1 receives those
+ packets, provides IPsec input processing (including appropriate
+ inner/outer IP address validation), and forwards valid packets along
+ to S.
+
+2.2 Other Examples
+
+ This mechanism can be extended for use with other services as well.
+ To give some insight into other possible uses, this section discusses
+ use of KX records in environments using a Key Distribution Center
+ (KDC), such as Kerberos [KN93], and a possible use of KX records in
+ conjunction with mobile nodes accessing the network via a dialup
+ service.
+
+2.2.1 KDC Examples
+
+ This example considers the situation of a destination node
+ implementing IPsec that can only obtain its Security Association
+ information from a Key Distribution Center (KDC). Let the KDC
+ implement both the KDC protocol and also a non-KDC key management
+ protocol (e.g. ISAKMP). In such a case, each client node of the KDC
+ might have its own KX record pointing at the KDC so that nodes not
+ implementing the KDC protocol can still create Security Associations
+ with each of the client nodes of the KDC.
+
+ In the event the session initiator were not using the KDC but the
+ session target was an IPsec node that only used the KDC, the
+ initiator would find the KX record for the target pointing at the
+
+
+
+Atkinson Informational [Page 6]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ KDC. Then, the external key management exchange (e.g. ISAKMP) would
+ be between the initiator and the KDC. Then the KDC would distribute
+ the IPsec SA to the KDC-only IPsec node using the KDC. The IPsec
+ traffic itself could travel directly between the initiator and the
+ destination node.
+
+ In the event the initiator node could only use the KDC and the target
+ were not using the KDC, the initiator would send its request for a
+ key to the KDC. The KDC would then initiate an external key
+ management exchange (e.g. ISAKMP) with a node that the target's KX
+ record(s) pointed to, on behalf of the initiator node.
+
+ The target node could verify that the KDC were allowed to proxy for
+ the initiator node by looking up the KX records for the initiator
+ node and finding a KX record for the initiator that listed the KDC.
+
+ Then the external key exchange would be performed between the KDC and
+ the target node. Then the KDC would distribute the resulting IPsec
+ Security Association to the initiator. Again, IPsec traffic itself
+ could travel directly between the initiator and the destination.
+
+2.2.2 Dial-Up Host Example
+
+ This example outlines a possible use of KX records with mobile hosts
+ that dial into the network via PPP and are dynamically assigned an IP
+ address and domain-name at dial-in time.
+
+ Consider the situation where each mobile node is dynamically assigned
+ both a domain name and an IP address at the time that node dials into
+ the network. Let the policy require that each mobile node act as its
+ own Key Exchanger. In this case, it is important that dial-in nodes
+ use addresses from one or more well known IP subnets or address pools
+ dedicated to dial-in access. If that is true, then no KX record or
+ other action is needed to ensure that each node will act as its own
+ Key Exchanger because lack of a KX record indicates that the node is
+ its own Key Exchanger.
+
+ Consider the situation where the mobile node's domain name remains
+ constant but its IP address changes. Let the policy require that
+ each mobile node act as its own Key Exchanger. In this case, there
+ might be operational problems when another node attempts to perform a
+ secure reverse DNS lookup on the IP address to determine the
+ corresponding domain name. The authenticated DNS binding (in the
+ form of a PTR record) between the mobile node's currently assigned IP
+ address and its permanent domain name will need to be securely
+ updated each time the node is assigned a new IP address. There are
+ no mechanisms for accomplishing this that are both IETF-standard and
+ widely deployed as of the time this note was written. Use of Dynamic
+
+
+
+Atkinson Informational [Page 7]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ DNS Update without authentication is a significant security risk and
+ hence is not recommended for this situation.
+
+3. SYNTAX OF KX RECORD
+
+ A KX record has the DNS TYPE of "KX" and a numeric value of 36. A KX
+ record is a member of the Internet ("IN") CLASS in the DNS. Each KX
+ record is associated with a <domain-name> entry in the DNS. A KX
+ record has the following textual syntax:
+
+ <domain-name> IN KX <preference> <domain-name>
+
+ For this description, let the <domain-name> item to the left of the
+ "KX" string be called <domain-name 1> and the <domain-name> item to
+ the right of the "KX" string be called <domain-name 2>. <preference>
+ is a non-negative integer.
+
+ Internet nodes about to initiate a key exchange with <domain-name 1>
+ should instead contact <domain-name 2> to initiate the key exchange
+ for a security service between the initiator and <domain-name 2>. If
+ more than one KX record exists for <domain-name 1>, then the
+ <preference> field is used to indicate preference among the systems
+ delegated to. Lower values are preferred over higher values. The
+ <domain-name 2> is authorised to provide key exchange services on
+ behalf of <domain-name 1>. The <domain-name 2> MUST have a CNAME
+ record, an A record, or an AAAA record associated with it.
+
+3.1 KX RDATA format
+
+ The KX DNS record has the following RDATA format:
+
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PREFERENCE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / EXCHANGER /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ where:
+
+ PREFERENCE A 16 bit non-negative integer which specifies the
+ preference given to this RR among other KX records
+ at the same owner. Lower values are preferred.
+
+ EXCHANGER A <domain-name> which specifies a host willing to
+ act as a mail exchange for the owner name.
+
+
+
+
+
+Atkinson Informational [Page 8]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ KX records MUST cause type A additional section processing for the
+ host specified by EXCHANGER. In the event that the host processing
+ the DNS transaction supports IPv6, KX records MUST also cause type
+ AAAA additional section processing.
+
+ The KX RDATA field MUST NOT be compressed.
+
+4. SECURITY CONSIDERATIONS
+
+ KX records MUST always be signed using the method(s) defined by the
+ DNS Security extensions specified in [RFC-2065]. All unsigned KX
+ records MUST be ignored because of the security vulnerability caused
+ by assuming that unsigned records are valid. All signed KX records
+ whose signatures do not correctly validate MUST be ignored because of
+ the potential security vulnerability in trusting an invalid KX
+ record.
+
+ KX records MUST be ignored by systems not implementing Secure DNS
+ because such systems have no mechanism to authenticate the KX record.
+
+ If a node does not have a permanent DNS entry and some form of
+ Dynamic DNS Update is in use, then those dynamic DNS updates MUST be
+ fully authenticated to prevent an adversary from injecting false DNS
+ records (especially the KX, A, and PTR records) into the Domain Name
+ System. If false records were inserted into the DNS without being
+ signed by the Secure DNS mechanisms, then a denial-of-service attack
+ results. If false records were inserted into the DNS and were
+ (erroneously) signed by the signing authority, then an active attack
+ results.
+
+ Myriad serious security vulnerabilities can arise if the restrictions
+ throuhout this document are not strictly adhered to. Implementers
+ should carefully consider the openly published issues relating to DNS
+ security [Bell95,Vixie95] as they build their implementations.
+ Readers should also consider the security considerations discussed in
+ the DNS Security Extensions document [RFC-2065].
+
+5. REFERENCES
+
+
+ [RFC-1825] Atkinson, R., "IP Authentication Header", RFC 1826,
+ August 1995.
+
+ [RFC-1827] Atkinson, R., "IP Encapsulating Security Payload",
+ RFC 1827, August 1995.
+
+
+
+
+
+
+Atkinson Informational [Page 9]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+ [Bell95] Bellovin, S., "Using the Domain Name System for System
+ Break-ins", Proceedings of 5th USENIX UNIX Security
+ Symposium, USENIX Association, Berkeley, CA, June 1995.
+ ftp://ftp.research.att.com/dist/smb/dnshack.ps
+
+ [RFC-2065] Eastlake, D., and C. Kaufman, "Domain Name System
+ Security Extensions", RFC 2065, January 1997.
+
+ [RFC-1510] Kohl J., and C. Neuman, "The Kerberos Network
+ Authentication Service", RFC 1510, September 1993.
+
+ [RFC-1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC-1034] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ [Vixie95] P. Vixie, "DNS and BIND Security Issues", Proceedings of
+ the 5th USENIX UNIX Security Symposium, USENIX
+ Association, Berkeley, CA, June 1995.
+ ftp://ftp.vix.com/pri/vixie/bindsec.psf
+
+ACKNOWLEDGEMENTS
+
+ Development of this DNS record was primarily performed during 1993
+ through 1995. The author's work on this was sponsored jointly by the
+ Computing Systems Technology Office (CSTO) of the Advanced Research
+ Projects Agency (ARPA) and by the Information Security Program Office
+ (PD71E), Space & Naval Warface Systems Command (SPAWAR). In that
+ era, Dave Mihelcic and others provided detailed review and
+ constructive feedback. More recently, Bob Moscowitz and Todd Welch
+ provided detailed review and constructive feedback of a work in
+ progress version of this document.
+
+AUTHOR'S ADDRESS
+
+ Randall Atkinson
+ Code 5544
+ Naval Research Laboratory
+ 4555 Overlook Avenue, SW
+ Washington, DC 20375-5337
+
+ Phone: (DSN) 354-8590
+ EMail: atkinson@itd.nrl.navy.mil
+
+
+
+
+
+
+
+Atkinson Informational [Page 10]
+
+RFC 2230 DNS Key Exchange Delegation Record November 1997
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1997). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implmentation may be prepared, copied, published
+ andand distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Atkinson Informational [Page 11]
+
diff --git a/contrib/bind9/doc/rfc/rfc2308.txt b/contrib/bind9/doc/rfc/rfc2308.txt
new file mode 100644
index 0000000..9123a95
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2308.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Network Working Group M. Andrews
+Request for Comments: 2308 CSIRO
+Updates: 1034, 1035 March 1998
+Category: Standards Track
+
+
+ Negative Caching of DNS Queries (DNS NCACHE)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+Abstract
+
+ [RFC1034] provided a description of how to cache negative responses.
+ It however had a fundamental flaw in that it did not allow a name
+ server to hand out those cached responses to other resolvers, thereby
+ greatly reducing the effect of the caching. This document addresses
+ issues raise in the light of experience and replaces [RFC1034 Section
+ 4.3.4].
+
+ Negative caching was an optional part of the DNS specification and
+ deals with the caching of the non-existence of an RRset [RFC2181] or
+ domain name.
+
+ Negative caching is useful as it reduces the response time for
+ negative answers. It also reduces the number of messages that have
+ to be sent between resolvers and name servers hence overall network
+ traffic. A large proportion of DNS traffic on the Internet could be
+ eliminated if all resolvers implemented negative caching. With this
+ in mind negative caching should no longer be seen as an optional part
+ of a DNS resolver.
+
+
+
+
+
+
+
+
+
+
+
+Andrews Standards Track [Page 1]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+1 - Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ "Negative caching" - the storage of knowledge that something does not
+ exist. We can store the knowledge that a record has a particular
+ value. We can also do the reverse, that is, to store the knowledge
+ that a record does not exist. It is the storage of knowledge that
+ something does not exist, cannot or does not give an answer that we
+ call negative caching.
+
+ "QNAME" - the name in the query section of an answer, or where this
+ resolves to a CNAME, or CNAME chain, the data field of the last
+ CNAME. The last CNAME in this sense is that which contains a value
+ which does not resolve to another CNAME. Implementations should note
+ that including CNAME records in responses in order, so that the first
+ has the label from the query section, and then each in sequence has
+ the label from the data section of the previous (where more than one
+ CNAME is needed) allows the sequence to be processed in one pass, and
+ considerably eases the task of the receiver. Other relevant records
+ (such as SIG RRs [RFC2065]) can be interspersed amongst the CNAMEs.
+
+ "NXDOMAIN" - an alternate expression for the "Name Error" RCODE as
+ described in [RFC1035 Section 4.1.1] and the two terms are used
+ interchangeably in this document.
+
+ "NODATA" - a pseudo RCODE which indicates that the name is valid, for
+ the given class, but are no records of the given type. A NODATA
+ response has to be inferred from the answer.
+
+ "FORWARDER" - a nameserver used to resolve queries instead of
+ directly using the authoritative nameserver chain. The forwarder
+ typically either has better access to the internet, or maintains a
+ bigger cache which may be shared amongst many resolvers. How a
+ server is identified as a FORWARDER, or knows it is a FORWARDER is
+ outside the scope of this document. However if you are being used as
+ a forwarder the query will have the recursion desired flag set.
+
+ An understanding of [RFC1034], [RFC1035] and [RFC2065] is expected
+ when reading this document.
+
+
+
+
+
+
+
+
+
+Andrews Standards Track [Page 2]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+2 - Negative Responses
+
+ The most common negative responses indicate that a particular RRset
+ does not exist in the DNS. The first sections of this document deal
+ with this case. Other negative responses can indicate failures of a
+ nameserver, those are dealt with in section 7 (Other Negative
+ Responses).
+
+ A negative response is indicated by one of the following conditions:
+
+2.1 - Name Error
+
+ Name errors (NXDOMAIN) are indicated by the presence of "Name Error"
+ in the RCODE field. In this case the domain referred to by the QNAME
+ does not exist. Note: the answer section may have SIG and CNAME RRs
+ and the authority section may have SOA, NXT [RFC2065] and SIG RRsets.
+
+ It is possible to distinguish between a referral and a NXDOMAIN
+ response by the presense of NXDOMAIN in the RCODE regardless of the
+ presence of NS or SOA records in the authority section.
+
+ NXDOMAIN responses can be categorised into four types by the contents
+ of the authority section. These are shown below along with a
+ referral for comparison. Fields not mentioned are not important in
+ terms of the examples.
+
+ NXDOMAIN RESPONSE: TYPE 1.
+
+ Header:
+ RDCODE=NXDOMAIN
+ Query:
+ AN.EXAMPLE. A
+ Answer:
+ AN.EXAMPLE. CNAME TRIPPLE.XX.
+ Authority:
+ XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
+ XX. NS NS1.XX.
+ XX. NS NS2.XX.
+ Additional:
+ NS1.XX. A 127.0.0.2
+ NS2.XX. A 127.0.0.3
+
+ NXDOMAIN RESPONSE: TYPE 2.
+
+ Header:
+ RDCODE=NXDOMAIN
+ Query:
+ AN.EXAMPLE. A
+
+
+
+Andrews Standards Track [Page 3]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ Answer:
+ AN.EXAMPLE. CNAME TRIPPLE.XX.
+ Authority:
+ XX. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
+ Additional:
+ <empty>
+
+ NXDOMAIN RESPONSE: TYPE 3.
+
+ Header:
+ RDCODE=NXDOMAIN
+ Query:
+ AN.EXAMPLE. A
+ Answer:
+ AN.EXAMPLE. CNAME TRIPPLE.XX.
+ Authority:
+ <empty>
+ Additional:
+ <empty>
+
+ NXDOMAIN RESPONSE: TYPE 4
+
+ Header:
+ RDCODE=NXDOMAIN
+ Query:
+ AN.EXAMPLE. A
+ Answer:
+ AN.EXAMPLE. CNAME TRIPPLE.XX.
+ Authority:
+ XX. NS NS1.XX.
+ XX. NS NS2.XX.
+ Additional:
+ NS1.XX. A 127.0.0.2
+ NS2.XX. A 127.0.0.3
+
+ REFERRAL RESPONSE.
+
+ Header:
+ RDCODE=NOERROR
+ Query:
+ AN.EXAMPLE. A
+ Answer:
+ AN.EXAMPLE. CNAME TRIPPLE.XX.
+ Authority:
+ XX. NS NS1.XX.
+ XX. NS NS2.XX.
+ Additional:
+ NS1.XX. A 127.0.0.2
+
+
+
+Andrews Standards Track [Page 4]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ NS2.XX. A 127.0.0.3
+
+ Note, in the four examples of NXDOMAIN responses, it is known that
+ the name "AN.EXAMPLE." exists, and has as its value a CNAME record.
+ The NXDOMAIN refers to "TRIPPLE.XX", which is then known not to
+ exist. On the other hand, in the referral example, it is shown that
+ "AN.EXAMPLE" exists, and has a CNAME RR as its value, but nothing is
+ known one way or the other about the existence of "TRIPPLE.XX", other
+ than that "NS1.XX" or "NS2.XX" can be consulted as the next step in
+ obtaining information about it.
+
+ Where no CNAME records appear, the NXDOMAIN response refers to the
+ name in the label of the RR in the question section.
+
+2.1.1 Special Handling of Name Error
+
+ This section deals with errors encountered when implementing negative
+ caching of NXDOMAIN responses.
+
+ There are a large number of resolvers currently in existence that
+ fail to correctly detect and process all forms of NXDOMAIN response.
+ Some resolvers treat a TYPE 1 NXDOMAIN response as a referral. To
+ alleviate this problem it is recommended that servers that are
+ authoritative for the NXDOMAIN response only send TYPE 2 NXDOMAIN
+ responses, that is the authority section contains a SOA record and no
+ NS records. If a non- authoritative server sends a type 1 NXDOMAIN
+ response to one of these old resolvers, the result will be an
+ unnecessary query to an authoritative server. This is undesirable,
+ but not fatal except when the server is being used a FORWARDER. If
+ however the resolver is using the server as a FORWARDER to such a
+ resolver it will be necessary to disable the sending of TYPE 1
+ NXDOMAIN response to it, use TYPE 2 NXDOMAIN instead.
+
+ Some resolvers incorrectly continue processing if the authoritative
+ answer flag is not set, looping until the query retry threshold is
+ exceeded and then returning SERVFAIL. This is a problem when your
+ nameserver is listed as a FORWARDER for such resolvers. If the
+ nameserver is used as a FORWARDER by such resolver, the authority
+ flag will have to be forced on for NXDOMAIN responses to these
+ resolvers. In practice this causes no problems even if turned on
+ always, and has been the default behaviour in BIND from 4.9.3
+ onwards.
+
+2.2 - No Data
+
+ NODATA is indicated by an answer with the RCODE set to NOERROR and no
+ relevant answers in the answer section. The authority section will
+ contain an SOA record, or there will be no NS records there.
+
+
+
+Andrews Standards Track [Page 5]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ NODATA responses have to be algorithmically determined from the
+ response's contents as there is no RCODE value to indicate NODATA.
+ In some cases to determine with certainty that NODATA is the correct
+ response it can be necessary to send another query.
+
+ The authority section may contain NXT and SIG RRsets in addition to
+ NS and SOA records. CNAME and SIG records may exist in the answer
+ section.
+
+ It is possible to distinguish between a NODATA and a referral
+ response by the presence of a SOA record in the authority section or
+ the absence of NS records in the authority section.
+
+ NODATA responses can be categorised into three types by the contents
+ of the authority section. These are shown below along with a
+ referral for comparison. Fields not mentioned are not important in
+ terms of the examples.
+
+ NODATA RESPONSE: TYPE 1.
+
+ Header:
+ RDCODE=NOERROR
+ Query:
+ ANOTHER.EXAMPLE. A
+ Answer:
+ <empty>
+ Authority:
+ EXAMPLE. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
+ EXAMPLE. NS NS1.XX.
+ EXAMPLE. NS NS2.XX.
+ Additional:
+ NS1.XX. A 127.0.0.2
+ NS2.XX. A 127.0.0.3
+
+ NO DATA RESPONSE: TYPE 2.
+
+ Header:
+ RDCODE=NOERROR
+ Query:
+ ANOTHER.EXAMPLE. A
+ Answer:
+ <empty>
+ Authority:
+ EXAMPLE. SOA NS1.XX. HOSTMASTER.NS1.XX. ....
+ Additional:
+ <empty>
+
+
+
+
+
+Andrews Standards Track [Page 6]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ NO DATA RESPONSE: TYPE 3.
+
+ Header:
+ RDCODE=NOERROR
+ Query:
+ ANOTHER.EXAMPLE. A
+ Answer:
+ <empty>
+ Authority:
+ <empty>
+ Additional:
+ <empty>
+
+ REFERRAL RESPONSE.
+
+ Header:
+ RDCODE=NOERROR
+ Query:
+ ANOTHER.EXAMPLE. A
+ Answer:
+ <empty>
+ Authority:
+ EXAMPLE. NS NS1.XX.
+ EXAMPLE. NS NS2.XX.
+ Additional:
+ NS1.XX. A 127.0.0.2
+ NS2.XX. A 127.0.0.3
+
+
+ These examples, unlike the NXDOMAIN examples above, have no CNAME
+ records, however they could, in just the same way that the NXDOMAIN
+ examples did, in which case it would be the value of the last CNAME
+ (the QNAME) for which NODATA would be concluded.
+
+2.2.1 - Special Handling of No Data
+
+ There are a large number of resolvers currently in existence that
+ fail to correctly detect and process all forms of NODATA response.
+ Some resolvers treat a TYPE 1 NODATA response as a referral. To
+ alleviate this problem it is recommended that servers that are
+ authoritative for the NODATA response only send TYPE 2 NODATA
+ responses, that is the authority section contains a SOA record and no
+ NS records. Sending a TYPE 1 NODATA response from a non-
+ authoritative server to one of these resolvers will only result in an
+ unnecessary query. If a server is listed as a FORWARDER for another
+ resolver it may also be necessary to disable the sending of TYPE 1
+ NODATA response for non-authoritative NODATA responses.
+
+
+
+
+Andrews Standards Track [Page 7]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ Some name servers fail to set the RCODE to NXDOMAIN in the presence
+ of CNAMEs in the answer section. If a definitive NXDOMAIN / NODATA
+ answer is required in this case the resolver must query again using
+ the QNAME as the query label.
+
+3 - Negative Answers from Authoritative Servers
+
+ Name servers authoritative for a zone MUST include the SOA record of
+ the zone in the authority section of the response when reporting an
+ NXDOMAIN or indicating that no data of the requested type exists.
+ This is required so that the response may be cached. The TTL of this
+ record is set from the minimum of the MINIMUM field of the SOA record
+ and the TTL of the SOA itself, and indicates how long a resolver may
+ cache the negative answer. The TTL SIG record associated with the
+ SOA record should also be trimmed in line with the SOA's TTL.
+
+ If the containing zone is signed [RFC2065] the SOA and appropriate
+ NXT and SIG records MUST be added.
+
+4 - SOA Minimum Field
+
+ The SOA minimum field has been overloaded in the past to have three
+ different meanings, the minimum TTL value of all RRs in a zone, the
+ default TTL of RRs which did not contain a TTL value and the TTL of
+ negative responses.
+
+ Despite being the original defined meaning, the first of these, the
+ minimum TTL value of all RRs in a zone, has never in practice been
+ used and is hereby deprecated.
+
+ The second, the default TTL of RRs which contain no explicit TTL in
+ the master zone file, is relevant only at the primary server. After
+ a zone transfer all RRs have explicit TTLs and it is impossible to
+ determine whether the TTL for a record was explicitly set or derived
+ from the default after a zone transfer. Where a server does not
+ require RRs to include the TTL value explicitly, it should provide a
+ mechanism, not being the value of the MINIMUM field of the SOA
+ record, from which the missing TTL values are obtained. How this is
+ done is implementation dependent.
+
+ The Master File format [RFC 1035 Section 5] is extended to include
+ the following directive:
+
+ $TTL <TTL> [comment]
+
+
+
+
+
+
+
+Andrews Standards Track [Page 8]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ All resource records appearing after the directive, and which do not
+ explicitly include a TTL value, have their TTL set to the TTL given
+ in the $TTL directive. SIG records without a explicit TTL get their
+ TTL from the "original TTL" of the SIG record [RFC 2065 Section 4.5].
+
+ The remaining of the current meanings, of being the TTL to be used
+ for negative responses, is the new defined meaning of the SOA minimum
+ field.
+
+5 - Caching Negative Answers
+
+ Like normal answers negative answers have a time to live (TTL). As
+ there is no record in the answer section to which this TTL can be
+ applied, the TTL must be carried by another method. This is done by
+ including the SOA record from the zone in the authority section of
+ the reply. When the authoritative server creates this record its TTL
+ is taken from the minimum of the SOA.MINIMUM field and SOA's TTL.
+ This TTL decrements in a similar manner to a normal cached answer and
+ upon reaching zero (0) indicates the cached negative answer MUST NOT
+ be used again.
+
+ A negative answer that resulted from a name error (NXDOMAIN) should
+ be cached such that it can be retrieved and returned in response to
+ another query for the same <QNAME, QCLASS> that resulted in the
+ cached negative response.
+
+ A negative answer that resulted from a no data error (NODATA) should
+ be cached such that it can be retrieved and returned in response to
+ another query for the same <QNAME, QTYPE, QCLASS> that resulted in
+ the cached negative response.
+
+ The NXT record, if it exists in the authority section of a negative
+ answer received, MUST be stored such that it can be be located and
+ returned with SOA record in the authority section, as should any SIG
+ records in the authority section. For NXDOMAIN answers there is no
+ "necessary" obvious relationship between the NXT records and the
+ QNAME. The NXT record MUST have the same owner name as the query
+ name for NODATA responses.
+
+ Negative responses without SOA records SHOULD NOT be cached as there
+ is no way to prevent the negative responses looping forever between a
+ pair of servers even with a short TTL.
+
+ Despite the DNS forming a tree of servers, with various mis-
+ configurations it is possible to form a loop in the query graph, e.g.
+ two servers listing each other as forwarders, various lame server
+ configurations. Without a TTL count down a cache negative response
+
+
+
+
+Andrews Standards Track [Page 9]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ when received by the next server would have its TTL reset. This
+ negative indication could then live forever circulating between the
+ servers involved.
+
+ As with caching positive responses it is sensible for a resolver to
+ limit for how long it will cache a negative response as the protocol
+ supports caching for up to 68 years. Such a limit should not be
+ greater than that applied to positive answers and preferably be
+ tunable. Values of one to three hours have been found to work well
+ and would make sensible a default. Values exceeding one day have
+ been found to be problematic.
+
+6 - Negative answers from the cache
+
+ When a server, in answering a query, encounters a cached negative
+ response it MUST add the cached SOA record to the authority section
+ of the response with the TTL decremented by the amount of time it was
+ stored in the cache. This allows the NXDOMAIN / NODATA response to
+ time out correctly.
+
+ If a NXT record was cached along with SOA record it MUST be added to
+ the authority section. If a SIG record was cached along with a NXT
+ record it SHOULD be added to the authority section.
+
+ As with all answers coming from the cache, negative answers SHOULD
+ have an implicit referral built into the answer. This enables the
+ resolver to locate an authoritative source. An implicit referral is
+ characterised by NS records in the authority section referring the
+ resolver towards a authoritative source. NXDOMAIN types 1 and 4
+ responses contain implicit referrals as does NODATA type 1 response.
+
+7 - Other Negative Responses
+
+ Caching of other negative responses is not covered by any existing
+ RFC. There is no way to indicate a desired TTL in these responses.
+ Care needs to be taken to ensure that there are not forwarding loops.
+
+7.1 Server Failure (OPTIONAL)
+
+ Server failures fall into two major classes. The first is where a
+ server can determine that it has been misconfigured for a zone. This
+ may be where it has been listed as a server, but not configured to be
+ a server for the zone, or where it has been configured to be a server
+ for the zone, but cannot obtain the zone data for some reason. This
+ can occur either because the zone file does not exist or contains
+ errors, or because another server from which the zone should have
+ been available either did not respond or was unable or unwilling to
+ supply the zone.
+
+
+
+Andrews Standards Track [Page 10]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ The second class is where the server needs to obtain an answer from
+ elsewhere, but is unable to do so, due to network failures, other
+ servers that don't reply, or return server failure errors, or
+ similar.
+
+ In either case a resolver MAY cache a server failure response. If it
+ does so it MUST NOT cache it for longer than five (5) minutes, and it
+ MUST be cached against the specific query tuple <query name, type,
+ class, server IP address>.
+
+7.2 Dead / Unreachable Server (OPTIONAL)
+
+ Dead / Unreachable servers are servers that fail to respond in any
+ way to a query or where the transport layer has provided an
+ indication that the server does not exist or is unreachable. A
+ server may be deemed to be dead or unreachable if it has not
+ responded to an outstanding query within 120 seconds.
+
+ Examples of transport layer indications are:
+
+ ICMP error messages indicating host, net or port unreachable.
+ TCP resets
+ IP stack error messages providing similar indications to those above.
+
+ A server MAY cache a dead server indication. If it does so it MUST
+ NOT be deemed dead for longer than five (5) minutes. The indication
+ MUST be stored against query tuple <query name, type, class, server
+ IP address> unless there was a transport layer indication that the
+ server does not exist, in which case it applies to all queries to
+ that specific IP address.
+
+8 - Changes from RFC 1034
+
+ Negative caching in resolvers is no-longer optional, if a resolver
+ caches anything it must also cache negative answers.
+
+ Non-authoritative negative answers MAY be cached.
+
+ The SOA record from the authority section MUST be cached. Name error
+ indications must be cached against the tuple <query name, QCLASS>.
+ No data indications must be cached against <query name, QTYPE,
+ QCLASS> tuple.
+
+ A cached SOA record must be added to the response. This was
+ explicitly not allowed because previously the distinction between a
+ normal cached SOA record, and the SOA cached as a result of a
+ negative response was not made, and simply extracting a normal cached
+ SOA and adding that to a cached negative response causes problems.
+
+
+
+Andrews Standards Track [Page 11]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ The $TTL TTL directive was added to the master file format.
+
+9 - History of Negative Caching
+
+ This section presents a potted history of negative caching in the DNS
+ and forms no part of the technical specification of negative caching.
+
+ It is interesting to note that the same concepts were re-invented in
+ both the CHIVES and BIND servers.
+
+ The history of the early CHIVES work (Section 9.1) was supplied by
+ Rob Austein <sra@epilogue.com> and is reproduced here in the form in
+ which he supplied it [MPA].
+
+ Sometime around the spring of 1985, I mentioned to Paul Mockapetris
+ that our experience with his JEEVES DNS resolver had pointed out the
+ need for some kind of negative caching scheme. Paul suggested that
+ we simply cache authoritative errors, using the SOA MINIMUM value for
+ the zone that would have contained the target RRs. I'm pretty sure
+ that this conversation took place before RFC-973 was written, but it
+ was never clear to me whether this idea was something that Paul came
+ up with on the spot in response to my question or something he'd
+ already been planning to put into the document that became RFC-973.
+ In any case, neither of us was entirely sure that the SOA MINIMUM
+ value was really the right metric to use, but it was available and
+ was under the control of the administrator of the target zone, both
+ of which seemed to us at the time to be important feature.
+
+ Late in 1987, I released the initial beta-test version of CHIVES, the
+ DNS resolver I'd written to replace Paul's JEEVES resolver. CHIVES
+ included a search path mechanism that was used pretty heavily at
+ several sites (including my own), so CHIVES also included a negative
+ caching mechanism based on SOA MINIMUM values. The basic strategy
+ was to cache authoritative error codes keyed by the exact query
+ parameters (QNAME, QCLASS, and QTYPE), with a cache TTL equal to the
+ SOA MINIMUM value. CHIVES did not attempt to track down SOA RRs if
+ they weren't supplied in the authoritative response, so it never
+ managed to completely eliminate the gratuitous DNS error message
+ traffic, but it did help considerably. Keep in mind that this was
+ happening at about the same time as the near-collapse of the ARPANET
+ due to congestion caused by exponential growth and the the "old"
+ (pre-VJ) TCP retransmission algorithm, so negative caching resulted
+ in drasticly better DNS response time for our users, mailer daemons,
+ etcetera.
+
+
+
+
+
+
+
+Andrews Standards Track [Page 12]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ As far as I know, CHIVES was the first resolver to implement negative
+ caching. CHIVES was developed during the twilight years of TOPS-20,
+ so it never ran on very many machines, but the few machines that it
+ did run on were the ones that were too critical to shut down quickly
+ no matter how much it cost to keep them running. So what few users
+ we did have tended to drive CHIVES pretty hard. Several interesting
+ bits of DNS technology resulted from that, but the one that's
+ relevant here is the MAXTTL configuration parameter.
+
+ Experience with JEEVES had already shown that RRs often showed up
+ with ridiculously long TTLs (99999999 was particularly popular for
+ many years, due to bugs in the code and documentation of several
+ early versions of BIND), and that robust software that blindly
+ believed such TTLs could create so many strange failures that it was
+ often necessary to reboot the resolver frequently just to clear this
+ garbage out of the cache. So CHIVES had a configuration parameter
+ "MAXTTL", which specified the maximum "reasonable" TTL in a received
+ RR. RRs with TTLs greater than MAXTTL would either have their TTLs
+ reduced to MAXTTL or would be discarded entirely, depending on the
+ setting of another configuration parameter.
+
+ When we started getting field experience with CHIVES's negative
+ caching code, it became clear that the SOA MINIMUM value was often
+ large enough to cause the same kinds of problems for negative caching
+ as the huge TTLs in RRs had for normal caching (again, this was in
+ part due to a bug in several early versions of BIND, where a
+ secondary server would authoritatively deny all knowledge of its
+ zones if it couldn't contact the primaries on reboot). So we started
+ running the negative cache TTLs through the MAXTTL check too, and
+ continued to experiment.
+
+ The configuration that seemed to work best on WSMR-SIMTEL20.ARMY.MIL
+ (last of the major Internet TOPS-20 machines to be shut down, thus
+ the last major user of CHIVES, thus the place where we had the
+ longest experimental baseline) was to set MAXTTL to about three days.
+ Most of the traffic initiated by SIMTEL20 in its last years was
+ mail-related, and the mail queue timeout was set to one week, so this
+ gave a "stuck" message several tries at complete DNS resolution,
+ without bogging down the system with a lot of useless queries. Since
+ (for reasons that now escape me) we only had the single MAXTTL
+ parameter rather than separate ones for positive and negative
+ caching, it's not clear how much effect this setting of MAXTTL had on
+ the negative caching code.
+
+ CHIVES also included a second, somewhat controversial mechanism which
+ took the place of negative caching in some cases. The CHIVES
+ resolver daemon could be configured to load DNS master files, giving
+ it the ability to act as what today would be called a "stealth
+
+
+
+Andrews Standards Track [Page 13]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ secondary". That is, when configured in this way, the resolver had
+ direct access to authoritative information for heavily-used zones.
+ The search path mechanisms in CHIVES reflected this: there were
+ actually two separate search paths, one of which only searched local
+ authoritative zone data, and one which could generate normal
+ iterative queries. This cut down on the need for negative caching in
+ cases where usage was predictably heavy (e.g., the resolver on
+ XX.LCS.MIT.EDU always loaded the zone files for both LCS.MIT.EDU and
+ AI.MIT.EDU and put both of these suffixes into the "local" search
+ path, since between them the hosts in these two zones accounted for
+ the bulk of the DNS traffic). Not all sites running CHIVES chose to
+ use this feature; C.CS.CMU.EDU, for example, chose to use the
+ "remote" search path for everything because there were too many
+ different sub-zones at CMU for zone shadowing to be practical for
+ them, so they relied pretty heavily on negative caching even for
+ local traffic.
+
+ Overall, I still think the basic design we used for negative caching
+ was pretty reasonable: the zone administrator specified how long to
+ cache negative answers, and the resolver configuration chose the
+ actual cache time from the range between zero and the period
+ specified by the zone administrator. There are a lot of details I'd
+ do differently now (like using a new SOA field instead of overloading
+ the MINIMUM field), but after more than a decade, I'd be more worried
+ if we couldn't think of at least a few improvements.
+
+9.2 BIND
+
+ While not the first attempt to get negative caching into BIND, in
+ July 1993, BIND 4.9.2 ALPHA, Anant Kumar of ISI supplied code that
+ implemented, validation and negative caching (NCACHE). This code had
+ a 10 minute TTL for negative caching and only cached the indication
+ that there was a negative response, NXDOMAIN or NOERROR_NODATA. This
+ is the origin of the NODATA pseudo response code mentioned above.
+
+ Mark Andrews of CSIRO added code (RETURNSOA) that stored the SOA
+ record such that it could be retrieved by a similar query. UUnet
+ complained that they were getting old answers after loading a new
+ zone, and the option was turned off, BIND 4.9.3-alpha5, April 1994.
+ In reality this indicated that the named needed to purge the space
+ the zone would occupy. Functionality to do this was added in BIND
+ 4.9.3 BETA11 patch2, December 1994.
+
+ RETURNSOA was re-enabled by default, BIND 4.9.5-T1A, August 1996.
+
+
+
+
+
+
+
+Andrews Standards Track [Page 14]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+10 Example
+
+ The following example is based on a signed zone that is empty apart
+ from the nameservers. We will query for WWW.XX.EXAMPLE showing
+ initial response and again 10 minutes later. Note 1: during the
+ intervening 10 minutes the NS records for XX.EXAMPLE have expired.
+ Note 2: the TTL of the SIG records are not explicitly set in the zone
+ file and are hence the TTL of the RRset they are the signature for.
+
+ Zone File:
+
+ $TTL 86400
+ $ORIGIN XX.EXAMPLE.
+ @ IN SOA NS1.XX.EXAMPLE. HOSTMATER.XX.EXAMPLE. (
+ 1997102000 ; serial
+ 1800 ; refresh (30 mins)
+ 900 ; retry (15 mins)
+ 604800 ; expire (7 days)
+ 1200 ) ; minimum (20 mins)
+ IN SIG SOA ...
+ 1200 IN NXT NS1.XX.EXAMPLE. A NXT SIG SOA NS KEY
+ IN SIG NXT ... XX.EXAMPLE. ...
+ 300 IN NS NS1.XX.EXAMPLE.
+ 300 IN NS NS2.XX.EXAMPLE.
+ IN SIG NS ... XX.EXAMPLE. ...
+ IN KEY 0x4100 1 1 ...
+ IN SIG KEY ... XX.EXAMPLE. ...
+ IN SIG KEY ... EXAMPLE. ...
+ NS1 IN A 10.0.0.1
+ IN SIG A ... XX.EXAMPLE. ...
+ 1200 IN NXT NS2.XX.EXAMPLE. A NXT SIG
+ IN SIG NXT ...
+ NS2 IN A 10.0.0.2
+ IN SIG A ... XX.EXAMPLE. ...
+ 1200 IN NXT XX.EXAMPLE. A NXT SIG
+ IN SIG NXT ... XX.EXAMPLE. ...
+
+ Initial Response:
+
+ Header:
+ RDCODE=NXDOMAIN, AA=1, QR=1, TC=0
+ Query:
+ WWW.XX.EXAMPLE. IN A
+ Answer:
+ <empty>
+ Authority:
+ XX.EXAMPLE. 1200 IN SOA NS1.XX.EXAMPLE. ...
+ XX.EXAMPLE. 1200 IN SIG SOA ... XX.EXAMPLE. ...
+
+
+
+Andrews Standards Track [Page 15]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ NS2.XX.EXAMPLE. 1200 IN NXT XX.EXAMPLE. NXT A NXT SIG
+ NS2.XX.EXAMPLE. 1200 IN SIG NXT ... XX.EXAMPLE. ...
+ XX.EXAMPLE. 86400 IN NS NS1.XX.EXAMPLE.
+ XX.EXAMPLE. 86400 IN NS NS2.XX.EXAMPLE.
+ XX.EXAMPLE. 86400 IN SIG NS ... XX.EXAMPLE. ...
+ Additional
+ XX.EXAMPLE. 86400 IN KEY 0x4100 1 1 ...
+ XX.EXAMPLE. 86400 IN SIG KEY ... EXAMPLE. ...
+ NS1.XX.EXAMPLE. 86400 IN A 10.0.0.1
+ NS1.XX.EXAMPLE. 86400 IN SIG A ... XX.EXAMPLE. ...
+ NS2.XX.EXAMPLE. 86400 IN A 10.0.0.2
+ NS3.XX.EXAMPLE. 86400 IN SIG A ... XX.EXAMPLE. ...
+
+ After 10 Minutes:
+
+ Header:
+ RDCODE=NXDOMAIN, AA=0, QR=1, TC=0
+ Query:
+ WWW.XX.EXAMPLE. IN A
+ Answer:
+ <empty>
+ Authority:
+ XX.EXAMPLE. 600 IN SOA NS1.XX.EXAMPLE. ...
+ XX.EXAMPLE. 600 IN SIG SOA ... XX.EXAMPLE. ...
+ NS2.XX.EXAMPLE. 600 IN NXT XX.EXAMPLE. NXT A NXT SIG
+ NS2.XX.EXAMPLE. 600 IN SIG NXT ... XX.EXAMPLE. ...
+ EXAMPLE. 65799 IN NS NS1.YY.EXAMPLE.
+ EXAMPLE. 65799 IN NS NS2.YY.EXAMPLE.
+ EXAMPLE. 65799 IN SIG NS ... XX.EXAMPLE. ...
+ Additional
+ XX.EXAMPLE. 65800 IN KEY 0x4100 1 1 ...
+ XX.EXAMPLE. 65800 IN SIG KEY ... EXAMPLE. ...
+ NS1.YY.EXAMPLE. 65799 IN A 10.100.0.1
+ NS1.YY.EXAMPLE. 65799 IN SIG A ... EXAMPLE. ...
+ NS2.YY.EXAMPLE. 65799 IN A 10.100.0.2
+ NS3.YY.EXAMPLE. 65799 IN SIG A ... EXAMPLE. ...
+ EXAMPLE. 65799 IN KEY 0x4100 1 1 ...
+ EXAMPLE. 65799 IN SIG KEY ... . ...
+
+
+11 Security Considerations
+
+ It is believed that this document does not introduce any significant
+ additional security threats other that those that already exist when
+ using data from the DNS.
+
+
+
+
+
+
+Andrews Standards Track [Page 16]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+ With negative caching it might be possible to propagate a denial of
+ service attack by spreading a NXDOMAIN message with a very high TTL.
+ Without negative caching that would be much harder. A similar effect
+ could be achieved previously by spreading a bad A record, so that the
+ server could not be reached - which is almost the same. It has the
+ same effect as far as what the end user is able to do, but with a
+ different psychological effect. With the bad A, I feel "damn the
+ network is broken again" and try again tomorrow. With the "NXDOMAIN"
+ I feel "Oh, they've turned off the server and it doesn't exist any
+ more" and probably never bother trying this server again.
+
+ A practical example of this is a SMTP server where this behaviour is
+ encoded. With a NXDOMAIN attack the mail message would bounce
+ immediately, where as with a bad A attack the mail would be queued
+ and could potentially get through after the attack was suspended.
+
+ For such an attack to be successful, the NXDOMAIN indiction must be
+ injected into a parent server (or a busy caching resolver). One way
+ this might be done by the use of a CNAME which results in the parent
+ server querying an attackers server. Resolvers that wish to prevent
+ such attacks can query again the final QNAME ignoring any NS data in
+ the query responses it has received for this query.
+
+ Implementing TTL sanity checking will reduce the effectiveness of
+ such an attack, because a successful attack would require re-
+ injection of the bogus data at more frequent intervals.
+
+ DNS Security [RFC2065] provides a mechanism to verify whether a
+ negative response is valid or not, through the use of NXT and SIG
+ records. This document supports the use of that mechanism by
+ promoting the transmission of the relevant security records even in a
+ non security aware server.
+
+Acknowledgments
+
+ I would like to thank Rob Austein for his history of the CHIVES
+ nameserver. The DNSIND working group, in particular Robert Elz for
+ his valuable technical and editorial contributions to this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews Standards Track [Page 17]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+References
+
+ [RFC1034]
+ Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES,"
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035]
+ Mockapetris, P., "DOMAIN NAMES - IMPLEMENTATION AND
+ SPECIFICATION," STD 13, RFC 1035, November 1987.
+
+ [RFC2065]
+ Eastlake, D., and C. Kaufman, "Domain Name System Security
+ Extensions," RFC 2065, January 1997.
+
+ [RFC2119]
+ Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels," BCP 14, RFC 2119, March 1997.
+
+ [RFC2181]
+ Elz, R., and R. Bush, "Clarifications to the DNS
+ Specification," RFC 2181, July 1997.
+
+Author's Address
+
+ Mark Andrews
+ CSIRO - Mathematical and Information Sciences
+ Locked Bag 17
+ North Ryde NSW 2113
+ AUSTRALIA
+
+ Phone: +61 2 9325 3148
+ EMail: Mark.Andrews@cmis.csiro.au
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews Standards Track [Page 18]
+
+RFC 2308 DNS NCACHE March 1998
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Andrews Standards Track [Page 19]
+
diff --git a/contrib/bind9/doc/rfc/rfc2317.txt b/contrib/bind9/doc/rfc/rfc2317.txt
new file mode 100644
index 0000000..c17bb41
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2317.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group H. Eidnes
+Request for Comments: 2317 SINTEF RUNIT
+BCP: 20 G. de Groot
+Category: Best Current Practice Berkeley Software Design, Inc.
+ P. Vixie
+ Internet Software Consortium
+ March 1998
+
+
+ Classless IN-ADDR.ARPA delegation
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+2. Introduction
+
+ This document describes a way to do IN-ADDR.ARPA delegation on non-
+ octet boundaries for address spaces covering fewer than 256
+ addresses. The proposed method should thus remove one of the
+ objections to subnet on non-octet boundaries but perhaps more
+ significantly, make it possible to assign IP address space in smaller
+ chunks than 24-bit prefixes, without losing the ability to delegate
+ authority for the corresponding IN-ADDR.ARPA mappings. The proposed
+ method is fully compatible with the original DNS lookup mechanisms
+ specified in [1], i.e. there is no need to modify the lookup
+ algorithm used, and there should be no need to modify any software
+ which does DNS lookups.
+
+ The document also discusses some operational considerations to
+ provide some guidance in implementing this method.
+
+3. Motivation
+
+ With the proliferation of classless routing technology, it has become
+ feasible to assign address space on non-octet boundaries. In case of
+ a very small organization with only a few hosts, assigning a full
+ 24-bit prefix (what was traditionally referred to as a "class C
+ network number") often leads to inefficient address space
+ utilization.
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 1]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ One of the problems encountered when assigning a longer prefix (less
+ address space) is that it seems impossible for such an organization
+ to maintain its own reverse ("IN-ADDR.ARPA") zone autonomously. By
+ use of the reverse delegation method described below, the most
+ important objection to assignment of longer prefixes to unrelated
+ organizations can be removed.
+
+ Let us assume we have assigned the address spaces to three different
+ parties as follows:
+
+ 192.0.2.0/25 to organization A
+ 192.0.2.128/26 to organization B
+ 192.0.2.192/26 to organization C
+
+ In the classical approach, this would lead to a single zone like
+ this:
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ ;
+ 1 PTR host1.A.domain.
+ 2 PTR host2.A.domain.
+ 3 PTR host3.A.domain.
+ ;
+ 129 PTR host1.B.domain.
+ 130 PTR host2.B.domain.
+ 131 PTR host3.B.domain.
+ ;
+ 193 PTR host1.C.domain.
+ 194 PTR host2.C.domain.
+ 195 PTR host3.C.domain.
+
+ The administration of this zone is problematic. Authority for this
+ zone can only be delegated once, and this usually translates into
+ "this zone can only be administered by one organization." The other
+ organizations with address space that corresponds to entries in this
+ zone would thus have to depend on another organization for their
+ address to name translation. With the proposed method, this
+ potential problem can be avoided.
+
+4. Classless IN-ADDR.ARPA delegation
+
+ Since a single zone can only be delegated once, we need more points
+ to do delegation on to solve the problem above. These extra points
+ of delegation can be introduced by extending the IN-ADDR.ARPA tree
+ downwards, e.g. by using the first address or the first address and
+ the network mask length (as shown below) in the corresponding address
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 2]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ space to form the the first component in the name for the zones. The
+ following four zone files show how the problem in the motivation
+ section could be solved using this method.
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
+ ;...
+ ; <<0-127>> /25
+ 0/25 NS ns.A.domain.
+ 0/25 NS some.other.name.server.
+ ;
+ 1 CNAME 1.0/25.2.0.192.in-addr.arpa.
+ 2 CNAME 2.0/25.2.0.192.in-addr.arpa.
+ 3 CNAME 3.0/25.2.0.192.in-addr.arpa.
+ ;
+ ; <<128-191>> /26
+ 128/26 NS ns.B.domain.
+ 128/26 NS some.other.name.server.too.
+ ;
+ 129 CNAME 129.128/26.2.0.192.in-addr.arpa.
+ 130 CNAME 130.128/26.2.0.192.in-addr.arpa.
+ 131 CNAME 131.128/26.2.0.192.in-addr.arpa.
+ ;
+ ; <<192-255>> /26
+ 192/26 NS ns.C.domain.
+ 192/26 NS some.other.third.name.server.
+ ;
+ 193 CNAME 193.192/26.2.0.192.in-addr.arpa.
+ 194 CNAME 194.192/26.2.0.192.in-addr.arpa.
+ 195 CNAME 195.192/26.2.0.192.in-addr.arpa.
+
+ $ORIGIN 0/25.2.0.192.in-addr.arpa.
+ @ IN SOA ns.A.domain. hostmaster.A.domain. (...)
+ @ NS ns.A.domain.
+ @ NS some.other.name.server.
+ ;
+ 1 PTR host1.A.domain.
+ 2 PTR host2.A.domain.
+ 3 PTR host3.A.domain.
+
+
+
+
+
+
+
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 3]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ $ORIGIN 128/26.2.0.192.in-addr.arpa.
+ @ IN SOA ns.B.domain. hostmaster.B.domain. (...)
+ @ NS ns.B.domain.
+ @ NS some.other.name.server.too.
+ ;
+ 129 PTR host1.B.domain.
+ 130 PTR host2.B.domain.
+ 131 PTR host3.B.domain.
+
+
+ $ORIGIN 192/26.2.0.192.in-addr.arpa.
+ @ IN SOA ns.C.domain. hostmaster.C.domain. (...)
+ @ NS ns.C.domain.
+ @ NS some.other.third.name.server.
+ ;
+ 193 PTR host1.C.domain.
+ 194 PTR host2.C.domain.
+ 195 PTR host3.C.domain.
+
+ For each size-256 chunk split up using this method, there is a need
+ to install close to 256 CNAME records in the parent zone. Some
+ people might view this as ugly; we will not argue that particular
+ point. It is however quite easy to automatically generate the CNAME
+ resource records in the parent zone once and for all, if the way the
+ address space is partitioned is known.
+
+ The advantage of this approach over the other proposed approaches for
+ dealing with this problem is that there should be no need to modify
+ any already-deployed software. In particular, the lookup mechanism
+ in the DNS does not have to be modified to accommodate this splitting
+ of the responsibility for the IPv4 address to name translation on
+ "non-dot" boundaries. Furthermore, this technique has been in use
+ for several years in many installations, apparently with no ill
+ effects.
+
+ As usual, a resource record like
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ 129 CNAME 129.128/26.2.0.192.in-addr.arpa.
+
+ can be convienently abbreviated to
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ 129 CNAME 129.128/26
+
+
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 4]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ Some DNS implementations are not kind to special characters in domain
+ names, e.g. the "/" used in the above examples. As [3] makes clear,
+ these are legal, though some might feel unsightly. Because these are
+ not host names the restriction of [2] does not apply. Modern clients
+ and servers have an option to act in the liberal and correct fashion.
+
+ The examples here use "/" because it was felt to be more visible and
+ pedantic reviewers felt that the 'these are not hostnames' argument
+ needed to be repeated. We advise you not to be so pedantic, and to
+ not precisely copy the above examples, e.g. substitute a more
+ conservative character, such as hyphen, for "/".
+
+5. Operational considerations
+
+ This technique is intended to be used for delegating address spaces
+ covering fewer than 256 addresses. For delegations covering larger
+ blocks of addresses the traditional methods (multiple delegations)
+ can be used instead.
+
+5.1 Recommended secondary name service
+
+ Some older versions of name server software will make no effort to
+ find and return the pointed-to name in CNAME records if the pointed-
+ to name is not already known locally as cached or as authoritative
+ data. This can cause some confusion in resolvers, as only the CNAME
+ record will be returned in the response. To avoid this problem it is
+ recommended that the authoritative name servers for the delegating
+ zone (the zone containing all the CNAME records) all run as slave
+ (secondary) name servers for the "child" zones delegated and pointed
+ into via the CNAME records.
+
+5.2 Alternative naming conventions
+
+ As a result of this method, the location of the zone containing the
+ actual PTR records is no longer predefined. This gives flexibility
+ and some examples will be presented here.
+
+ An alternative to using the first address, or the first address and
+ the network mask length in the corresponding address space, to name
+ the new zones is to use some other (non-numeric) name. Thus it is
+ also possible to point to an entirely different part of the DNS tree
+ (i.e. outside of the IN-ADDR.ARPA tree). It would be necessary to
+ use one of these alternate methods if two organizations somehow
+ shared the same physical subnet (and corresponding IP address space)
+ with no "neat" alignment of the addresses, but still wanted to
+ administrate their own IN-ADDR.ARPA mappings.
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 5]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ The following short example shows how you can point out of the IN-
+ ADDR.ARPA tree:
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ @ IN SOA my-ns.my.domain. hostmaster.my.domain. (...)
+ ; ...
+ 1 CNAME 1.A.domain.
+ 2 CNAME 2.A.domain.
+ ; ...
+ 129 CNAME 129.B.domain.
+ 130 CNAME 130.B.domain.
+ ;
+
+
+ $ORIGIN A.domain.
+ @ IN SOA my-ns.A.domain. hostmaster.A.domain. (...)
+ ; ...
+ ;
+ host1 A 192.0.2.1
+ 1 PTR host1
+ ;
+ host2 A 192.0.2.2
+ 2 PTR host2
+ ;
+
+ etc.
+
+ This way you can actually end up with the name->address and the
+ (pointed-to) address->name mapping data in the same zone file - some
+ may view this as an added bonus as no separate set of secondaries for
+ the reverse zone is required. Do however note that the traversal via
+ the IN-ADDR.ARPA tree will still be done, so the CNAME records
+ inserted there need to point in the right direction for this to work.
+
+ Sketched below is an alternative approach using the same solution:
+
+ $ORIGIN 2.0.192.in-addr.arpa.
+ @ SOA my-ns.my.domain. hostmaster.my.domain. (...)
+ ; ...
+ 1 CNAME 1.2.0.192.in-addr.A.domain.
+ 2 CNAME 2.2.0.192.in-addr.A.domain.
+
+ $ORIGIN A.domain.
+ @ SOA my-ns.A.domain. hostmaster.A.domain. (...)
+ ; ...
+ ;
+ host1 A 192.0.2.1
+ 1.2.0.192.in-addr PTR host1
+
+
+
+Eidnes, et. al. Best Current Practice [Page 6]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ host2 A 192.0.2.2
+ 2.2.0.192.in-addr PTR host2
+
+ It is clear that many possibilities exist which can be adapted to the
+ specific requirements of the situation at hand.
+
+5.3 Other operational issues
+
+ Note that one cannot provide CNAME referrals twice for the same
+ address space, i.e. you cannot allocate a /25 prefix to one
+ organisation, and run IN-ADDR.ARPA this way, and then have the
+ organisation subnet the /25 into longer prefixes, and attempt to
+ employ the same technique to give each subnet control of its own
+ number space. This would result in a CNAME record pointing to a CNAME
+ record, which may be less robust overall.
+
+ Unfortunately, some old beta releases of the popular DNS name server
+ implementation BIND 4.9.3 had a bug which caused problems if a CNAME
+ record was encountered when a reverse lookup was made. The beta
+ releases involved have since been obsoleted, and this issue is
+ resolved in the released code. Some software manufacturers have
+ included the defective beta code in their product. In the few cases
+ we know of, patches from the manufacturers are available or planned
+ to replace the obsolete beta code involved.
+
+6. Security Considerations
+
+ With this scheme, the "leaf sites" will need to rely on one more site
+ running their DNS name service correctly than they would be if they
+ had a /24 allocation of their own, and this may add an extra
+ component which will need to work for reliable name resolution.
+
+ Other than that, the authors are not aware of any additional security
+ issues introduced by this mechanism.
+
+7. Conclusion
+
+ The suggested scheme gives more flexibility in delegating authority
+ in the IN-ADDR.ARPA domain, thus making it possible to assign address
+ space more efficiently without losing the ability to delegate the DNS
+ authority over the corresponding address to name mappings.
+
+8. Acknowledgments
+
+ Glen A. Herrmannsfeldt described this trick on comp.protocols.tcp-
+ ip.domains some time ago. Alan Barrett and Sam Wilson provided
+ valuable comments on the newsgroup.
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 7]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+ We would like to thank Rob Austein, Randy Bush, Matt Crawford, Robert
+ Elz, Glen A. Herrmannsfeldt, Daniel Karrenberg, David Kessens, Tony
+ Li, Paul Mockapetris, Eric Wassenaar, Michael Patton, Hans Maurer,
+ and Peter Koch for their review and constructive comments.
+
+9. References
+
+ [1] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [2] Harrenstien, K., Stahl, M., and E. Feinler, "DoD Internet Host
+ Table Specification", RFC 952, October 1985.
+
+ [3] Elz, R., and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 8]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+10. Authors' Addresses
+
+ Havard Eidnes
+ SINTEF RUNIT
+ N-7034 Trondheim
+ Norway
+
+ Phone: +47 73 59 44 68
+ Fax: +47 73 59 17 00
+ EMail: Havard.Eidnes@runit.sintef.no
+
+
+ Geert Jan de Groot
+ Berkeley Software Design, Inc. (BSDI)
+ Hendrik Staetslaan 69
+ 5622 HM Eindhoven
+ The Netherlands
+
+ Phone: +31 40 2960509
+ Fax: +31 40 2960309
+ EMail: GeertJan.deGroot@bsdi.com
+
+
+ Paul Vixie
+ Internet Software Consortium
+ Star Route Box 159A
+ Woodside, CA 94062
+ USA
+
+ Phone: +1 415 747 0204
+ EMail: paul@vix.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 9]
+
+RFC 2317 Classless IN-ADDR.ARPA delegation March 1998
+
+
+11. Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eidnes, et. al. Best Current Practice [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc2373.txt b/contrib/bind9/doc/rfc/rfc2373.txt
new file mode 100644
index 0000000..59fcff8
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2373.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Network Working Group R. Hinden
+Request for Comments: 2373 Nokia
+Obsoletes: 1884 S. Deering
+Category: Standards Track Cisco Systems
+ July 1998
+
+ IP Version 6 Addressing Architecture
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+Abstract
+
+ This specification defines the addressing architecture of the IP
+ Version 6 protocol [IPV6]. The document includes the IPv6 addressing
+ model, text representations of IPv6 addresses, definition of IPv6
+ unicast addresses, anycast addresses, and multicast addresses, and an
+ IPv6 node's required addresses.
+
+Table of Contents
+
+ 1. Introduction.................................................2
+ 2. IPv6 Addressing..............................................2
+ 2.1 Addressing Model.........................................3
+ 2.2 Text Representation of Addresses.........................3
+ 2.3 Text Representation of Address Prefixes..................5
+ 2.4 Address Type Representation..............................6
+ 2.5 Unicast Addresses........................................7
+ 2.5.1 Interface Identifiers................................8
+ 2.5.2 The Unspecified Address..............................9
+ 2.5.3 The Loopback Address.................................9
+ 2.5.4 IPv6 Addresses with Embedded IPv4 Addresses.........10
+ 2.5.5 NSAP Addresses......................................10
+ 2.5.6 IPX Addresses.......................................10
+ 2.5.7 Aggregatable Global Unicast Addresses...............11
+ 2.5.8 Local-use IPv6 Unicast Addresses....................11
+ 2.6 Anycast Addresses.......................................12
+ 2.6.1 Required Anycast Address............................13
+ 2.7 Multicast Addresses.....................................14
+
+
+
+Hinden & Deering Standards Track [Page 1]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ 2.7.1 Pre-Defined Multicast Addresses.....................15
+ 2.7.2 Assignment of New IPv6 Multicast Addresses..........17
+ 2.8 A Node's Required Addresses.............................17
+ 3. Security Considerations.....................................18
+ APPENDIX A: Creating EUI-64 based Interface Identifiers........19
+ APPENDIX B: ABNF Description of Text Representations...........22
+ APPENDIX C: CHANGES FROM RFC-1884..............................23
+ REFERENCES.....................................................24
+ AUTHORS' ADDRESSES.............................................25
+ FULL COPYRIGHT STATEMENT.......................................26
+
+
+1.0 INTRODUCTION
+
+ This specification defines the addressing architecture of the IP
+ Version 6 protocol. It includes a detailed description of the
+ currently defined address formats for IPv6 [IPV6].
+
+ The authors would like to acknowledge the contributions of Paul
+ Francis, Scott Bradner, Jim Bound, Brian Carpenter, Matt Crawford,
+ Deborah Estrin, Roger Fajman, Bob Fink, Peter Ford, Bob Gilligan,
+ Dimitry Haskin, Tom Harsch, Christian Huitema, Tony Li, Greg
+ Minshall, Thomas Narten, Erik Nordmark, Yakov Rekhter, Bill Simpson,
+ and Sue Thomson.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+2.0 IPv6 ADDRESSING
+
+ IPv6 addresses are 128-bit identifiers for interfaces and sets of
+ interfaces. There are three types of addresses:
+
+ Unicast: An identifier for a single interface. A packet sent to
+ a unicast address is delivered to the interface
+ identified by that address.
+
+ Anycast: An identifier for a set of interfaces (typically
+ belonging to different nodes). A packet sent to an
+ anycast address is delivered to one of the interfaces
+ identified by that address (the "nearest" one, according
+ to the routing protocols' measure of distance).
+
+ Multicast: An identifier for a set of interfaces (typically
+ belonging to different nodes). A packet sent to a
+ multicast address is delivered to all interfaces
+ identified by that address.
+
+
+
+Hinden & Deering Standards Track [Page 2]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ There are no broadcast addresses in IPv6, their function being
+ superseded by multicast addresses.
+
+ In this document, fields in addresses are given a specific name, for
+ example "subscriber". When this name is used with the term "ID" for
+ identifier after the name (e.g., "subscriber ID"), it refers to the
+ contents of the named field. When it is used with the term "prefix"
+ (e.g. "subscriber prefix") it refers to all of the address up to and
+ including this field.
+
+ In IPv6, all zeros and all ones are legal values for any field,
+ unless specifically excluded. Specifically, prefixes may contain
+ zero-valued fields or end in zeros.
+
+2.1 Addressing Model
+
+ IPv6 addresses of all types are assigned to interfaces, not nodes.
+ An IPv6 unicast address refers to a single interface. Since each
+ interface belongs to a single node, any of that node's interfaces'
+ unicast addresses may be used as an identifier for the node.
+
+ All interfaces are required to have at least one link-local unicast
+ address (see section 2.8 for additional required addresses). A
+ single interface may also be assigned multiple IPv6 addresses of any
+ type (unicast, anycast, and multicast) or scope. Unicast addresses
+ with scope greater than link-scope are not needed for interfaces that
+ are not used as the origin or destination of any IPv6 packets to or
+ from non-neighbors. This is sometimes convenient for point-to-point
+ interfaces. There is one exception to this addressing model:
+
+ An unicast address or a set of unicast addresses may be assigned to
+ multiple physical interfaces if the implementation treats the
+ multiple physical interfaces as one interface when presenting it to
+ the internet layer. This is useful for load-sharing over multiple
+ physical interfaces.
+
+ Currently IPv6 continues the IPv4 model that a subnet prefix is
+ associated with one link. Multiple subnet prefixes may be assigned
+ to the same link.
+
+2.2 Text Representation of Addresses
+
+ There are three conventional forms for representing IPv6 addresses as
+ text strings:
+
+ 1. The preferred form is x:x:x:x:x:x:x:x, where the 'x's are the
+ hexadecimal values of the eight 16-bit pieces of the address.
+ Examples:
+
+
+
+Hinden & Deering Standards Track [Page 3]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
+
+ 1080:0:0:0:8:800:200C:417A
+
+ Note that it is not necessary to write the leading zeros in an
+ individual field, but there must be at least one numeral in every
+ field (except for the case described in 2.).
+
+ 2. Due to some methods of allocating certain styles of IPv6
+ addresses, it will be common for addresses to contain long strings
+ of zero bits. In order to make writing addresses containing zero
+ bits easier a special syntax is available to compress the zeros.
+ The use of "::" indicates multiple groups of 16-bits of zeros.
+ The "::" can only appear once in an address. The "::" can also be
+ used to compress the leading and/or trailing zeros in an address.
+
+ For example the following addresses:
+
+ 1080:0:0:0:8:800:200C:417A a unicast address
+ FF01:0:0:0:0:0:0:101 a multicast address
+ 0:0:0:0:0:0:0:1 the loopback address
+ 0:0:0:0:0:0:0:0 the unspecified addresses
+
+ may be represented as:
+
+ 1080::8:800:200C:417A a unicast address
+ FF01::101 a multicast address
+ ::1 the loopback address
+ :: the unspecified addresses
+
+ 3. An alternative form that is sometimes more convenient when dealing
+ with a mixed environment of IPv4 and IPv6 nodes is
+ x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
+ the six high-order 16-bit pieces of the address, and the 'd's are
+ the decimal values of the four low-order 8-bit pieces of the
+ address (standard IPv4 representation). Examples:
+
+ 0:0:0:0:0:0:13.1.68.3
+
+ 0:0:0:0:0:FFFF:129.144.52.38
+
+ or in compressed form:
+
+ ::13.1.68.3
+
+ ::FFFF:129.144.52.38
+
+
+
+
+
+Hinden & Deering Standards Track [Page 4]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+2.3 Text Representation of Address Prefixes
+
+ The text representation of IPv6 address prefixes is similar to the
+ way IPv4 addresses prefixes are written in CIDR notation. An IPv6
+ address prefix is represented by the notation:
+
+ ipv6-address/prefix-length
+
+ where
+
+ ipv6-address is an IPv6 address in any of the notations listed
+ in section 2.2.
+
+ prefix-length is a decimal value specifying how many of the
+ leftmost contiguous bits of the address comprise
+ the prefix.
+
+ For example, the following are legal representations of the 60-bit
+ prefix 12AB00000000CD3 (hexadecimal):
+
+ 12AB:0000:0000:CD30:0000:0000:0000:0000/60
+ 12AB::CD30:0:0:0:0/60
+ 12AB:0:0:CD30::/60
+
+ The following are NOT legal representations of the above prefix:
+
+ 12AB:0:0:CD3/60 may drop leading zeros, but not trailing zeros,
+ within any 16-bit chunk of the address
+
+ 12AB::CD30/60 address to left of "/" expands to
+ 12AB:0000:0000:0000:0000:000:0000:CD30
+
+ 12AB::CD3/60 address to left of "/" expands to
+ 12AB:0000:0000:0000:0000:000:0000:0CD3
+
+ When writing both a node address and a prefix of that node address
+ (e.g., the node's subnet prefix), the two can combined as follows:
+
+ the node address 12AB:0:0:CD30:123:4567:89AB:CDEF
+ and its subnet number 12AB:0:0:CD30::/60
+
+ can be abbreviated as 12AB:0:0:CD30:123:4567:89AB:CDEF/60
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 5]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+2.4 Address Type Representation
+
+ The specific type of an IPv6 address is indicated by the leading bits
+ in the address. The variable-length field comprising these leading
+ bits is called the Format Prefix (FP). The initial allocation of
+ these prefixes is as follows:
+
+ Allocation Prefix Fraction of
+ (binary) Address Space
+ ----------------------------------- -------- -------------
+ Reserved 0000 0000 1/256
+ Unassigned 0000 0001 1/256
+
+ Reserved for NSAP Allocation 0000 001 1/128
+ Reserved for IPX Allocation 0000 010 1/128
+
+ Unassigned 0000 011 1/128
+ Unassigned 0000 1 1/32
+ Unassigned 0001 1/16
+
+ Aggregatable Global Unicast Addresses 001 1/8
+ Unassigned 010 1/8
+ Unassigned 011 1/8
+ Unassigned 100 1/8
+ Unassigned 101 1/8
+ Unassigned 110 1/8
+
+ Unassigned 1110 1/16
+ Unassigned 1111 0 1/32
+ Unassigned 1111 10 1/64
+ Unassigned 1111 110 1/128
+ Unassigned 1111 1110 0 1/512
+
+ Link-Local Unicast Addresses 1111 1110 10 1/1024
+ Site-Local Unicast Addresses 1111 1110 11 1/1024
+
+ Multicast Addresses 1111 1111 1/256
+
+ Notes:
+
+ (1) The "unspecified address" (see section 2.5.2), the loopback
+ address (see section 2.5.3), and the IPv6 Addresses with
+ Embedded IPv4 Addresses (see section 2.5.4), are assigned out
+ of the 0000 0000 format prefix space.
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 6]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ (2) The format prefixes 001 through 111, except for Multicast
+ Addresses (1111 1111), are all required to have to have 64-bit
+ interface identifiers in EUI-64 format. See section 2.5.1 for
+ definitions.
+
+ This allocation supports the direct allocation of aggregation
+ addresses, local use addresses, and multicast addresses. Space is
+ reserved for NSAP addresses and IPX addresses. The remainder of the
+ address space is unassigned for future use. This can be used for
+ expansion of existing use (e.g., additional aggregatable addresses,
+ etc.) or new uses (e.g., separate locators and identifiers). Fifteen
+ percent of the address space is initially allocated. The remaining
+ 85% is reserved for future use.
+
+ Unicast addresses are distinguished from multicast addresses by the
+ value of the high-order octet of the addresses: a value of FF
+ (11111111) identifies an address as a multicast address; any other
+ value identifies an address as a unicast address. Anycast addresses
+ are taken from the unicast address space, and are not syntactically
+ distinguishable from unicast addresses.
+
+2.5 Unicast Addresses
+
+ IPv6 unicast addresses are aggregatable with contiguous bit-wise
+ masks similar to IPv4 addresses under Class-less Interdomain Routing
+ [CIDR].
+
+ There are several forms of unicast address assignment in IPv6,
+ including the global aggregatable global unicast address, the NSAP
+ address, the IPX hierarchical address, the site-local address, the
+ link-local address, and the IPv4-capable host address. Additional
+ address types can be defined in the future.
+
+ IPv6 nodes may have considerable or little knowledge of the internal
+ structure of the IPv6 address, depending on the role the node plays
+ (for instance, host versus router). At a minimum, a node may
+ consider that unicast addresses (including its own) have no internal
+ structure:
+
+ | 128 bits |
+ +-----------------------------------------------------------------+
+ | node address |
+ +-----------------------------------------------------------------+
+
+ A slightly sophisticated host (but still rather simple) may
+ additionally be aware of subnet prefix(es) for the link(s) it is
+ attached to, where different addresses may have different values for
+ n:
+
+
+
+Hinden & Deering Standards Track [Page 7]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ | n bits | 128-n bits |
+ +------------------------------------------------+----------------+
+ | subnet prefix | interface ID |
+ +------------------------------------------------+----------------+
+
+ Still more sophisticated hosts may be aware of other hierarchical
+ boundaries in the unicast address. Though a very simple router may
+ have no knowledge of the internal structure of IPv6 unicast
+ addresses, routers will more generally have knowledge of one or more
+ of the hierarchical boundaries for the operation of routing
+ protocols. The known boundaries will differ from router to router,
+ depending on what positions the router holds in the routing
+ hierarchy.
+
+2.5.1 Interface Identifiers
+
+ Interface identifiers in IPv6 unicast addresses are used to identify
+ interfaces on a link. They are required to be unique on that link.
+ They may also be unique over a broader scope. In many cases an
+ interface's identifier will be the same as that interface's link-
+ layer address. The same interface identifier may be used on multiple
+ interfaces on a single node.
+
+ Note that the use of the same interface identifier on multiple
+ interfaces of a single node does not affect the interface
+ identifier's global uniqueness or each IPv6 addresses global
+ uniqueness created using that interface identifier.
+
+ In a number of the format prefixes (see section 2.4) Interface IDs
+ are required to be 64 bits long and to be constructed in IEEE EUI-64
+ format [EUI64]. EUI-64 based Interface identifiers may have global
+ scope when a global token is available (e.g., IEEE 48bit MAC) or may
+ have local scope where a global token is not available (e.g., serial
+ links, tunnel end-points, etc.). It is required that the "u" bit
+ (universal/local bit in IEEE EUI-64 terminology) be inverted when
+ forming the interface identifier from the EUI-64. The "u" bit is set
+ to one (1) to indicate global scope, and it is set to zero (0) to
+ indicate local scope. The first three octets in binary of an EUI-64
+ identifier are as follows:
+
+ 0 0 0 1 1 2
+ |0 7 8 5 6 3|
+ +----+----+----+----+----+----+
+ |cccc|ccug|cccc|cccc|cccc|cccc|
+ +----+----+----+----+----+----+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 8]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ written in Internet standard bit-order , where "u" is the
+ universal/local bit, "g" is the individual/group bit, and "c" are the
+ bits of the company_id. Appendix A: "Creating EUI-64 based Interface
+ Identifiers" provides examples on the creation of different EUI-64
+ based interface identifiers.
+
+ The motivation for inverting the "u" bit when forming the interface
+ identifier is to make it easy for system administrators to hand
+ configure local scope identifiers when hardware tokens are not
+ available. This is expected to be case for serial links, tunnel end-
+ points, etc. The alternative would have been for these to be of the
+ form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler ::1,
+ ::2, etc.
+
+ The use of the universal/local bit in the IEEE EUI-64 identifier is
+ to allow development of future technology that can take advantage of
+ interface identifiers with global scope.
+
+ The details of forming interface identifiers are defined in the
+ appropriate "IPv6 over <link>" specification such as "IPv6 over
+ Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
+
+2.5.2 The Unspecified Address
+
+ The address 0:0:0:0:0:0:0:0 is called the unspecified address. It
+ must never be assigned to any node. It indicates the absence of an
+ address. One example of its use is in the Source Address field of
+ any IPv6 packets sent by an initializing host before it has learned
+ its own address.
+
+ The unspecified address must not be used as the destination address
+ of IPv6 packets or in IPv6 Routing Headers.
+
+2.5.3 The Loopback Address
+
+ The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
+ It may be used by a node to send an IPv6 packet to itself. It may
+ never be assigned to any physical interface. It may be thought of as
+ being associated with a virtual interface (e.g., the loopback
+ interface).
+
+ The loopback address must not be used as the source address in IPv6
+ packets that are sent outside of a single node. An IPv6 packet with
+ a destination address of loopback must never be sent outside of a
+ single node and must never be forwarded by an IPv6 router.
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 9]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+2.5.4 IPv6 Addresses with Embedded IPv4 Addresses
+
+ The IPv6 transition mechanisms [TRAN] include a technique for hosts
+ and routers to dynamically tunnel IPv6 packets over IPv4 routing
+ infrastructure. IPv6 nodes that utilize this technique are assigned
+ special IPv6 unicast addresses that carry an IPv4 address in the low-
+ order 32-bits. This type of address is termed an "IPv4-compatible
+ IPv6 address" and has the format:
+
+ | 80 bits | 16 | 32 bits |
+ +--------------------------------------+--------------------------+
+ |0000..............................0000|0000| IPv4 address |
+ +--------------------------------------+----+---------------------+
+
+ A second type of IPv6 address which holds an embedded IPv4 address is
+ also defined. This address is used to represent the addresses of
+ IPv4-only nodes (those that *do not* support IPv6) as IPv6 addresses.
+ This type of address is termed an "IPv4-mapped IPv6 address" and has
+ the format:
+
+ | 80 bits | 16 | 32 bits |
+ +--------------------------------------+--------------------------+
+ |0000..............................0000|FFFF| IPv4 address |
+ +--------------------------------------+----+---------------------+
+
+2.5.5 NSAP Addresses
+
+ This mapping of NSAP address into IPv6 addresses is defined in
+ [NSAP]. This document recommends that network implementors who have
+ planned or deployed an OSI NSAP addressing plan, and who wish to
+ deploy or transition to IPv6, should redesign a native IPv6
+ addressing plan to meet their needs. However, it also defines a set
+ of mechanisms for the support of OSI NSAP addressing in an IPv6
+ network. These mechanisms are the ones that must be used if such
+ support is required. This document also defines a mapping of IPv6
+ addresses within the OSI address format, should this be required.
+
+2.5.6 IPX Addresses
+
+ This mapping of IPX address into IPv6 addresses is as follows:
+
+ | 7 | 121 bits |
+ +-------+---------------------------------------------------------+
+ |0000010| to be defined |
+ +-------+---------------------------------------------------------+
+
+ The draft definition, motivation, and usage are under study.
+
+
+
+
+Hinden & Deering Standards Track [Page 10]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+2.5.7 Aggregatable Global Unicast Addresses
+
+ The global aggregatable global unicast address is defined in [AGGR].
+ This address format is designed to support both the current provider
+ based aggregation and a new type of aggregation called exchanges.
+ The combination will allow efficient routing aggregation for both
+ sites which connect directly to providers and who connect to
+ exchanges. Sites will have the choice to connect to either type of
+ aggregation point.
+
+ The IPv6 aggregatable global unicast address format is as follows:
+
+ | 3| 13 | 8 | 24 | 16 | 64 bits |
+ +--+-----+---+--------+--------+--------------------------------+
+ |FP| TLA |RES| NLA | SLA | Interface ID |
+ | | ID | | ID | ID | |
+ +--+-----+---+--------+--------+--------------------------------+
+
+ Where
+
+ 001 Format Prefix (3 bit) for Aggregatable Global
+ Unicast Addresses
+ TLA ID Top-Level Aggregation Identifier
+ RES Reserved for future use
+ NLA ID Next-Level Aggregation Identifier
+ SLA ID Site-Level Aggregation Identifier
+ INTERFACE ID Interface Identifier
+
+ The contents, field sizes, and assignment rules are defined in
+ [AGGR].
+
+2.5.8 Local-Use IPv6 Unicast Addresses
+
+ There are two types of local-use unicast addresses defined. These
+ are Link-Local and Site-Local. The Link-Local is for use on a single
+ link and the Site-Local is for use in a single site. Link-Local
+ addresses have the following format:
+
+ | 10 |
+ | bits | 54 bits | 64 bits |
+ +----------+-------------------------+----------------------------+
+ |1111111010| 0 | interface ID |
+ +----------+-------------------------+----------------------------+
+
+ Link-Local addresses are designed to be used for addressing on a
+ single link for purposes such as auto-address configuration, neighbor
+ discovery, or when no routers are present.
+
+
+
+
+Hinden & Deering Standards Track [Page 11]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ Routers must not forward any packets with link-local source or
+ destination addresses to other links.
+
+ Site-Local addresses have the following format:
+
+ | 10 |
+ | bits | 38 bits | 16 bits | 64 bits |
+ +----------+-------------+-----------+----------------------------+
+ |1111111011| 0 | subnet ID | interface ID |
+ +----------+-------------+-----------+----------------------------+
+
+ Site-Local addresses are designed to be used for addressing inside of
+ a site without the need for a global prefix.
+
+ Routers must not forward any packets with site-local source or
+ destination addresses outside of the site.
+
+2.6 Anycast Addresses
+
+ An IPv6 anycast address is an address that is assigned to more than
+ one interface (typically belonging to different nodes), with the
+ property that a packet sent to an anycast address is routed to the
+ "nearest" interface having that address, according to the routing
+ protocols' measure of distance.
+
+ Anycast addresses are allocated from the unicast address space, using
+ any of the defined unicast address formats. Thus, anycast addresses
+ are syntactically indistinguishable from unicast addresses. When a
+ unicast address is assigned to more than one interface, thus turning
+ it into an anycast address, the nodes to which the address is
+ assigned must be explicitly configured to know that it is an anycast
+ address.
+
+ For any assigned anycast address, there is a longest address prefix P
+ that identifies the topological region in which all interfaces
+ belonging to that anycast address reside. Within the region
+ identified by P, each member of the anycast set must be advertised as
+ a separate entry in the routing system (commonly referred to as a
+ "host route"); outside the region identified by P, the anycast
+ address may be aggregated into the routing advertisement for prefix
+ P.
+
+ Note that in, the worst case, the prefix P of an anycast set may be
+ the null prefix, i.e., the members of the set may have no topological
+ locality. In that case, the anycast address must be advertised as a
+ separate routing entry throughout the entire internet, which presents
+
+
+
+
+
+Hinden & Deering Standards Track [Page 12]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ a severe scaling limit on how many such "global" anycast sets may be
+ supported. Therefore, it is expected that support for global anycast
+ sets may be unavailable or very restricted.
+
+ One expected use of anycast addresses is to identify the set of
+ routers belonging to an organization providing internet service.
+ Such addresses could be used as intermediate addresses in an IPv6
+ Routing header, to cause a packet to be delivered via a particular
+ aggregation or sequence of aggregations. Some other possible uses
+ are to identify the set of routers attached to a particular subnet,
+ or the set of routers providing entry into a particular routing
+ domain.
+
+ There is little experience with widespread, arbitrary use of internet
+ anycast addresses, and some known complications and hazards when
+ using them in their full generality [ANYCST]. Until more experience
+ has been gained and solutions agreed upon for those problems, the
+ following restrictions are imposed on IPv6 anycast addresses:
+
+ o An anycast address must not be used as the source address of an
+ IPv6 packet.
+
+ o An anycast address must not be assigned to an IPv6 host, that
+ is, it may be assigned to an IPv6 router only.
+
+2.6.1 Required Anycast Address
+
+ The Subnet-Router anycast address is predefined. Its format is as
+ follows:
+
+ | n bits | 128-n bits |
+ +------------------------------------------------+----------------+
+ | subnet prefix | 00000000000000 |
+ +------------------------------------------------+----------------+
+
+ The "subnet prefix" in an anycast address is the prefix which
+ identifies a specific link. This anycast address is syntactically
+ the same as a unicast address for an interface on the link with the
+ interface identifier set to zero.
+
+ Packets sent to the Subnet-Router anycast address will be delivered
+ to one router on the subnet. All routers are required to support the
+ Subnet-Router anycast addresses for the subnets which they have
+ interfaces.
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 13]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ The subnet-router anycast address is intended to be used for
+ applications where a node needs to communicate with one of a set of
+ routers on a remote subnet. For example when a mobile host needs to
+ communicate with one of the mobile agents on its "home" subnet.
+
+2.7 Multicast Addresses
+
+ An IPv6 multicast address is an identifier for a group of nodes. A
+ node may belong to any number of multicast groups. Multicast
+ addresses have the following format:
+
+ | 8 | 4 | 4 | 112 bits |
+ +------ -+----+----+---------------------------------------------+
+ |11111111|flgs|scop| group ID |
+ +--------+----+----+---------------------------------------------+
+
+ 11111111 at the start of the address identifies the address as
+ being a multicast address.
+
+ +-+-+-+-+
+ flgs is a set of 4 flags: |0|0|0|T|
+ +-+-+-+-+
+
+ The high-order 3 flags are reserved, and must be initialized to
+ 0.
+
+ T = 0 indicates a permanently-assigned ("well-known") multicast
+ address, assigned by the global internet numbering authority.
+
+ T = 1 indicates a non-permanently-assigned ("transient")
+ multicast address.
+
+ scop is a 4-bit multicast scope value used to limit the scope of
+ the multicast group. The values are:
+
+ 0 reserved
+ 1 node-local scope
+ 2 link-local scope
+ 3 (unassigned)
+ 4 (unassigned)
+ 5 site-local scope
+ 6 (unassigned)
+ 7 (unassigned)
+ 8 organization-local scope
+ 9 (unassigned)
+ A (unassigned)
+ B (unassigned)
+ C (unassigned)
+
+
+
+Hinden & Deering Standards Track [Page 14]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ D (unassigned)
+ E global scope
+ F reserved
+
+ group ID identifies the multicast group, either permanent or
+ transient, within the given scope.
+
+ The "meaning" of a permanently-assigned multicast address is
+ independent of the scope value. For example, if the "NTP servers
+ group" is assigned a permanent multicast address with a group ID of
+ 101 (hex), then:
+
+ FF01:0:0:0:0:0:0:101 means all NTP servers on the same node as the
+ sender.
+
+ FF02:0:0:0:0:0:0:101 means all NTP servers on the same link as the
+ sender.
+
+ FF05:0:0:0:0:0:0:101 means all NTP servers at the same site as the
+ sender.
+
+ FF0E:0:0:0:0:0:0:101 means all NTP servers in the internet.
+
+ Non-permanently-assigned multicast addresses are meaningful only
+ within a given scope. For example, a group identified by the non-
+ permanent, site-local multicast address FF15:0:0:0:0:0:0:101 at one
+ site bears no relationship to a group using the same address at a
+ different site, nor to a non-permanent group using the same group ID
+ with different scope, nor to a permanent group with the same group
+ ID.
+
+ Multicast addresses must not be used as source addresses in IPv6
+ packets or appear in any routing header.
+
+2.7.1 Pre-Defined Multicast Addresses
+
+ The following well-known multicast addresses are pre-defined:
+
+ Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0
+ FF01:0:0:0:0:0:0:0
+ FF02:0:0:0:0:0:0:0
+ FF03:0:0:0:0:0:0:0
+ FF04:0:0:0:0:0:0:0
+ FF05:0:0:0:0:0:0:0
+ FF06:0:0:0:0:0:0:0
+ FF07:0:0:0:0:0:0:0
+ FF08:0:0:0:0:0:0:0
+ FF09:0:0:0:0:0:0:0
+
+
+
+Hinden & Deering Standards Track [Page 15]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ FF0A:0:0:0:0:0:0:0
+ FF0B:0:0:0:0:0:0:0
+ FF0C:0:0:0:0:0:0:0
+ FF0D:0:0:0:0:0:0:0
+ FF0E:0:0:0:0:0:0:0
+ FF0F:0:0:0:0:0:0:0
+
+ The above multicast addresses are reserved and shall never be
+ assigned to any multicast group.
+
+ All Nodes Addresses: FF01:0:0:0:0:0:0:1
+ FF02:0:0:0:0:0:0:1
+
+ The above multicast addresses identify the group of all IPv6 nodes,
+ within scope 1 (node-local) or 2 (link-local).
+
+ All Routers Addresses: FF01:0:0:0:0:0:0:2
+ FF02:0:0:0:0:0:0:2
+ FF05:0:0:0:0:0:0:2
+
+ The above multicast addresses identify the group of all IPv6 routers,
+ within scope 1 (node-local), 2 (link-local), or 5 (site-local).
+
+ Solicited-Node Address: FF02:0:0:0:0:1:FFXX:XXXX
+
+ The above multicast address is computed as a function of a node's
+ unicast and anycast addresses. The solicited-node multicast address
+ is formed by taking the low-order 24 bits of the address (unicast or
+ anycast) and appending those bits to the prefix
+ FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
+ range
+
+ FF02:0:0:0:0:1:FF00:0000
+
+ to
+
+ FF02:0:0:0:0:1:FFFF:FFFF
+
+ For example, the solicited node multicast address corresponding to
+ the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C. IPv6
+ addresses that differ only in the high-order bits, e.g. due to
+ multiple high-order prefixes associated with different aggregations,
+ will map to the same solicited-node address thereby reducing the
+ number of multicast addresses a node must join.
+
+ A node is required to compute and join the associated Solicited-Node
+ multicast addresses for every unicast and anycast address it is
+ assigned.
+
+
+
+Hinden & Deering Standards Track [Page 16]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+2.7.2 Assignment of New IPv6 Multicast Addresses
+
+ The current approach [ETHER] to map IPv6 multicast addresses into
+ IEEE 802 MAC addresses takes the low order 32 bits of the IPv6
+ multicast address and uses it to create a MAC address. Note that
+ Token Ring networks are handled differently. This is defined in
+ [TOKEN]. Group ID's less than or equal to 32 bits will generate
+ unique MAC addresses. Due to this new IPv6 multicast addresses
+ should be assigned so that the group identifier is always in the low
+ order 32 bits as shown in the following:
+
+ | 8 | 4 | 4 | 80 bits | 32 bits |
+ +------ -+----+----+---------------------------+-----------------+
+ |11111111|flgs|scop| reserved must be zero | group ID |
+ +--------+----+----+---------------------------+-----------------+
+
+ While this limits the number of permanent IPv6 multicast groups to
+ 2^32 this is unlikely to be a limitation in the future. If it
+ becomes necessary to exceed this limit in the future multicast will
+ still work but the processing will be sightly slower.
+
+ Additional IPv6 multicast addresses are defined and registered by the
+ IANA [MASGN].
+
+2.8 A Node's Required Addresses
+
+ A host is required to recognize the following addresses as
+ identifying itself:
+
+ o Its Link-Local Address for each interface
+ o Assigned Unicast Addresses
+ o Loopback Address
+ o All-Nodes Multicast Addresses
+ o Solicited-Node Multicast Address for each of its assigned
+ unicast and anycast addresses
+ o Multicast Addresses of all other groups to which the host
+ belongs.
+
+ A router is required to recognize all addresses that a host is
+ required to recognize, plus the following addresses as identifying
+ itself:
+
+ o The Subnet-Router anycast addresses for the interfaces it is
+ configured to act as a router on.
+ o All other Anycast addresses with which the router has been
+ configured.
+ o All-Routers Multicast Addresses
+
+
+
+
+Hinden & Deering Standards Track [Page 17]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ o Multicast Addresses of all other groups to which the router
+ belongs.
+
+ The only address prefixes which should be predefined in an
+ implementation are the:
+
+ o Unspecified Address
+ o Loopback Address
+ o Multicast Prefix (FF)
+ o Local-Use Prefixes (Link-Local and Site-Local)
+ o Pre-Defined Multicast Addresses
+ o IPv4-Compatible Prefixes
+
+ Implementations should assume all other addresses are unicast unless
+ specifically configured (e.g., anycast addresses).
+
+3. Security Considerations
+
+ IPv6 addressing documents do not have any direct impact on Internet
+ infrastructure security. Authentication of IPv6 packets is defined
+ in [AUTH].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 18]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+APPENDIX A : Creating EUI-64 based Interface Identifiers
+--------------------------------------------------------
+
+ Depending on the characteristics of a specific link or node there are
+ a number of approaches for creating EUI-64 based interface
+ identifiers. This appendix describes some of these approaches.
+
+Links or Nodes with EUI-64 Identifiers
+
+ The only change needed to transform an EUI-64 identifier to an
+ interface identifier is to invert the "u" (universal/local) bit. For
+ example, a globally unique EUI-64 identifier of the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ where "c" are the bits of the assigned company_id, "0" is the value
+ of the universal/local bit to indicate global scope, "g" is
+ individual/group bit, and "m" are the bits of the manufacturer-
+ selected extension identifier. The IPv6 interface identifier would
+ be of the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc1gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ The only change is inverting the value of the universal/local bit.
+
+Links or Nodes with IEEE 802 48 bit MAC's
+
+ [EUI64] defines a method to create a EUI-64 identifier from an IEEE
+ 48bit MAC identifier. This is to insert two octets, with hexadecimal
+ values of 0xFF and 0xFE, in the middle of the 48 bit MAC (between the
+ company_id and vendor supplied id). For example the 48 bit MAC with
+ global scope:
+
+ |0 1|1 3|3 4|
+ |0 5|6 1|2 7|
+ +----------------+----------------+----------------+
+ |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 19]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ where "c" are the bits of the assigned company_id, "0" is the value
+ of the universal/local bit to indicate global scope, "g" is
+ individual/group bit, and "m" are the bits of the manufacturer-
+ selected extension identifier. The interface identifier would be of
+ the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ When IEEE 802 48bit MAC addresses are available (on an interface or a
+ node), an implementation should use them to create interface
+ identifiers due to their availability and uniqueness properties.
+
+Links with Non-Global Identifiers
+
+ There are a number of types of links that, while multi-access, do not
+ have globally unique link identifiers. Examples include LocalTalk
+ and Arcnet. The method to create an EUI-64 formatted identifier is
+ to take the link identifier (e.g., the LocalTalk 8 bit node
+ identifier) and zero fill it to the left. For example a LocalTalk 8
+ bit node identifier of hexadecimal value 0x4F results in the
+ following interface identifier:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |0000000000000000|0000000000000000|0000000000000000|0000000001001111|
+ +----------------+----------------+----------------+----------------+
+
+ Note that this results in the universal/local bit set to "0" to
+ indicate local scope.
+
+Links without Identifiers
+
+ There are a number of links that do not have any type of built-in
+ identifier. The most common of these are serial links and configured
+ tunnels. Interface identifiers must be chosen that are unique for
+ the link.
+
+ When no built-in identifier is available on a link the preferred
+ approach is to use a global interface identifier from another
+ interface or one which is assigned to the node itself. To use this
+ approach no other interface connecting the same node to the same link
+ may use the same identifier.
+
+
+
+
+Hinden & Deering Standards Track [Page 20]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+ If there is no global interface identifier available for use on the
+ link the implementation needs to create a local scope interface
+ identifier. The only requirement is that it be unique on the link.
+ There are many possible approaches to select a link-unique interface
+ identifier. They include:
+
+ Manual Configuration
+ Generated Random Number
+ Node Serial Number (or other node-specific token)
+
+ The link-unique interface identifier should be generated in a manner
+ that it does not change after a reboot of a node or if interfaces are
+ added or deleted from the node.
+
+ The selection of the appropriate algorithm is link and implementation
+ dependent. The details on forming interface identifiers are defined
+ in the appropriate "IPv6 over <link>" specification. It is strongly
+ recommended that a collision detection algorithm be implemented as
+ part of any automatic algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 21]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+APPENDIX B: ABNF Description of Text Representations
+----------------------------------------------------
+
+ This appendix defines the text representation of IPv6 addresses and
+ prefixes in Augmented BNF [ABNF] for reference purposes.
+
+ IPv6address = hexpart [ ":" IPv4address ]
+ IPv4address = 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT "." 1*3DIGIT
+
+ IPv6prefix = hexpart "/" 1*2DIGIT
+
+ hexpart = hexseq | hexseq "::" [ hexseq ] | "::" [ hexseq ]
+ hexseq = hex4 *( ":" hex4)
+ hex4 = 1*4HEXDIG
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 22]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+APPENDIX C: CHANGES FROM RFC-1884
+---------------------------------
+
+ The following changes were made from RFC-1884 "IP Version 6
+ Addressing Architecture":
+
+ - Added an appendix providing a ABNF description of text
+ representations.
+ - Clarification that link unique identifiers not change after
+ reboot or other interface reconfigurations.
+ - Clarification of Address Model based on comments.
+ - Changed aggregation format terminology to be consistent with
+ aggregation draft.
+ - Added text to allow interface identifier to be used on more than
+ one interface on same node.
+ - Added rules for defining new multicast addresses.
+ - Added appendix describing procedures for creating EUI-64 based
+ interface ID's.
+ - Added notation for defining IPv6 prefixes.
+ - Changed solicited node multicast definition to use a longer
+ prefix.
+ - Added site scope all routers multicast address.
+ - Defined Aggregatable Global Unicast Addresses to use "001" Format
+ Prefix.
+ - Changed "010" (Provider-Based Unicast) and "100" (Reserved for
+ Geographic) Format Prefixes to Unassigned.
+ - Added section on Interface ID definition for unicast addresses.
+ Requires use of EUI-64 in range of format prefixes and rules for
+ setting global/local scope bit in EUI-64.
+ - Updated NSAP text to reflect working in RFC1888.
+ - Removed protocol specific IPv6 multicast addresses (e.g., DHCP)
+ and referenced the IANA definitions.
+ - Removed section "Unicast Address Example". Had become OBE.
+ - Added new and updated references.
+ - Minor text clarifications and improvements.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 23]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+REFERENCES
+
+ [ABNF] Crocker, D., and P. Overell, "Augmented BNF for
+ Syntax Specifications: ABNF", RFC 2234, November 1997.
+
+ [AGGR] Hinden, R., O'Dell, M., and S. Deering, "An
+ Aggregatable Global Unicast Address Format", RFC 2374, July
+ 1998.
+
+ [AUTH] Atkinson, R., "IP Authentication Header", RFC 1826, August
+ 1995.
+
+ [ANYCST] Partridge, C., Mendez, T., and W. Milliken, "Host
+ Anycasting Service", RFC 1546, November 1993.
+
+ [CIDR] Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless
+ Inter-Domain Routing (CIDR): An Address Assignment and
+ Aggregation Strategy", RFC 1519, September 1993.
+
+ [ETHER] Crawford, M., "Transmission of IPv6 Pacekts over Ethernet
+ Networks", Work in Progress.
+
+ [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
+ Registration Authority",
+ http://standards.ieee.org/db/oui/tutorials/EUI64.html,
+ March 1997.
+
+ [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
+ Networks", Work in Progress.
+
+ [IPV6] Deering, S., and R. Hinden, Editors, "Internet Protocol,
+ Version 6 (IPv6) Specification", RFC 1883, December 1995.
+
+ [MASGN] Hinden, R., and S. Deering, "IPv6 Multicast Address
+ Assignments", RFC 2375, July 1998.
+
+ [NSAP] Bound, J., Carpenter, B., Harrington, D., Houldsworth, J.,
+ and A. Lloyd, "OSI NSAPs and IPv6", RFC 1888, August 1996.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [TOKEN] Thomas, S., "Transmission of IPv6 Packets over Token Ring
+ Networks", Work in Progress.
+
+ [TRAN] Gilligan, R., and E. Nordmark, "Transition Mechanisms for
+ IPv6 Hosts and Routers", RFC 1993, April 1996.
+
+
+
+
+Hinden & Deering Standards Track [Page 24]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+AUTHORS' ADDRESSES
+
+ Robert M. Hinden
+ Nokia
+ 232 Java Drive
+ Sunnyvale, CA 94089
+ USA
+
+ Phone: +1 408 990-2004
+ Fax: +1 408 743-5677
+ EMail: hinden@iprg.nokia.com
+
+
+ Stephen E. Deering
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ USA
+
+ Phone: +1 408 527-8213
+ Fax: +1 408 527-8254
+ EMail: deering@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 25]
+
+RFC 2373 IPv6 Addressing Architecture July 1998
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 26]
+
diff --git a/contrib/bind9/doc/rfc/rfc2374.txt b/contrib/bind9/doc/rfc/rfc2374.txt
new file mode 100644
index 0000000..e3c7f0d
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2374.txt
@@ -0,0 +1,675 @@
+
+
+
+
+
+
+Network Working Group R. Hinden
+Request for Comments: 2374 Nokia
+Obsoletes: 2073 M. O'Dell
+Category: Standards Track UUNET
+ S. Deering
+ Cisco
+ July 1998
+
+
+ An IPv6 Aggregatable Global Unicast Address Format
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+1.0 Introduction
+
+ This document defines an IPv6 aggregatable global unicast address
+ format for use in the Internet. The address format defined in this
+ document is consistent with the IPv6 Protocol [IPV6] and the "IPv6
+ Addressing Architecture" [ARCH]. It is designed to facilitate
+ scalable Internet routing.
+
+ This documented replaces RFC 2073, "An IPv6 Provider-Based Unicast
+ Address Format". RFC 2073 will become historic. The Aggregatable
+ Global Unicast Address Format is an improvement over RFC 2073 in a
+ number of areas. The major changes include removal of the registry
+ bits because they are not needed for route aggregation, support of
+ EUI-64 based interface identifiers, support of provider and exchange
+ based aggregation, separation of public and site topology, and new
+ aggregation based terminology.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 1]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+2.0 Overview of the IPv6 Address
+
+ IPv6 addresses are 128-bit identifiers for interfaces and sets of
+ interfaces. There are three types of addresses: Unicast, Anycast,
+ and Multicast. This document defines a specific type of Unicast
+ address.
+
+ In this document, fields in addresses are given specific names, for
+ example "subnet". When this name is used with the term "ID" (for
+ "identifier") after the name (e.g., "subnet ID"), it refers to the
+ contents of the named field. When it is used with the term "prefix"
+ (e.g. "subnet prefix") it refers to all of the addressing bits to
+ the left of and including this field.
+
+ IPv6 unicast addresses are designed assuming that the Internet
+ routing system makes forwarding decisions based on a "longest prefix
+ match" algorithm on arbitrary bit boundaries and does not have any
+ knowledge of the internal structure of IPv6 addresses. The structure
+ in IPv6 addresses is for assignment and allocation. The only
+ exception to this is the distinction made between unicast and
+ multicast addresses.
+
+ The specific type of an IPv6 address is indicated by the leading bits
+ in the address. The variable-length field comprising these leading
+ bits is called the Format Prefix (FP).
+
+ This document defines an address format for the 001 (binary) Format
+ Prefix for Aggregatable Global Unicast addresses. The same address
+ format could be used for other Format Prefixes, as long as these
+ Format Prefixes also identify IPv6 unicast addresses. Only the "001"
+ Format Prefix is defined here.
+
+3.0 IPv6 Aggregatable Global Unicast Address Format
+
+ This document defines an address format for the IPv6 aggregatable
+ global unicast address assignment. The authors believe that this
+ address format will be widely used for IPv6 nodes connected to the
+ Internet. This address format is designed to support both the
+ current provider-based aggregation and a new type of exchange-based
+ aggregation. The combination will allow efficient routing
+ aggregation for sites that connect directly to providers and for
+ sites that connect to exchanges. Sites will have the choice to
+ connect to either type of aggregation entity.
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 2]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ While this address format is designed to support exchange-based
+ aggregation (in addition to current provider-based aggregation) it is
+ not dependent on exchanges for it's overall route aggregation
+ properties. It will provide efficient route aggregation with only
+ provider-based aggregation.
+
+ Aggregatable addresses are organized into a three level hierarchy:
+
+ - Public Topology
+ - Site Topology
+ - Interface Identifier
+
+ Public topology is the collection of providers and exchanges who
+ provide public Internet transit services. Site topology is local to
+ a specific site or organization which does not provide public transit
+ service to nodes outside of the site. Interface identifiers identify
+ interfaces on links.
+
+ ______________ ______________
+ --+/ \+--------------+/ \+----------
+ ( P1 ) +----+ ( P3 ) +----+
+ +\______________/ | |----+\______________/+--| |--
+ | +--| X1 | +| X2 |
+ | ______________ / | |-+ ______________ / | |--
+ +/ \+ +-+--+ \ / \+ +----+
+ ( P2 ) / \ +( P4 )
+ --+\______________/ / \ \______________/
+ | / \ | |
+ | / | | |
+ | / | | |
+ _|_ _/_ _|_ _|_ _|_
+ / \ / \ / \ / \ / \
+ ( S.A ) ( S.B ) ( P5 ) ( P6 )( S.C )
+ \___/ \___/ \___/ \___/ \___/
+ | / \
+ _|_ _/_ \ ___
+ / \ / \ +-/ \
+ ( S.D ) ( S.E ) ( S.F )
+ \___/ \___/ \___/
+
+ As shown in the figure above, the aggregatable address format is
+ designed to support long-haul providers (shown as P1, P2, P3, and
+ P4), exchanges (shown as X1 and X2), multiple levels of providers
+ (shown at P5 and P6), and subscribers (shown as S.x) Exchanges
+ (unlike current NAPs, FIXes, etc.) will allocate IPv6 addresses.
+ Organizations who connect to these exchanges will also subscribe
+ (directly, indirectly via the exchange, etc.) for long-haul service
+ from one or more long-haul providers. Doing so, they will achieve
+
+
+
+Hinden, et. al. Standards Track [Page 3]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ addressing independence from long-haul transit providers. They will
+ be able to change long-haul providers without having to renumber
+ their organization. They can also be multihomed via the exchange to
+ more than one long-haul provider without having to have address
+ prefixes from each long-haul provider. Note that the mechanisms used
+ for this type of provider selection and portability are not discussed
+ in the document.
+
+3.1 Aggregatable Global Unicast Address Structure
+
+ The aggregatable global unicast address format is as follows:
+
+ | 3| 13 | 8 | 24 | 16 | 64 bits |
+ +--+-----+---+--------+--------+--------------------------------+
+ |FP| TLA |RES| NLA | SLA | Interface ID |
+ | | ID | | ID | ID | |
+ +--+-----+---+--------+--------+--------------------------------+
+
+ <--Public Topology---> Site
+ <-------->
+ Topology
+ <------Interface Identifier----->
+
+ Where
+
+ FP Format Prefix (001)
+ TLA ID Top-Level Aggregation Identifier
+ RES Reserved for future use
+ NLA ID Next-Level Aggregation Identifier
+ SLA ID Site-Level Aggregation Identifier
+ INTERFACE ID Interface Identifier
+
+ The following sections specify each part of the IPv6 Aggregatable
+ Global Unicast address format.
+
+3.2 Top-Level Aggregation ID
+
+ Top-Level Aggregation Identifiers (TLA ID) are the top level in the
+ routing hierarchy. Default-free routers must have a routing table
+ entry for every active TLA ID and will probably have additional
+ entries providing routing information for the TLA ID in which they
+ are located. They may have additional entries in order to optimize
+ routing for their specific topology, but the routing topology at all
+ levels must be designed to minimize the number of additional entries
+ fed into the default free routing tables.
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 4]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ This addressing format supports 8,192 (2^13) TLA ID's. Additional
+ TLA ID's may be added by either growing the TLA field to the right
+ into the reserved field or by using this format for additional format
+ prefixes.
+
+ The issues relating to TLA ID assignment are beyond the scope of this
+ document. They will be described in a document under preparation.
+
+3.3 Reserved
+
+ The Reserved field is reserved for future use and must be set to
+ zero.
+
+ The Reserved field allows for future growth of the TLA and NLA fields
+ as appropriate. See section 4.0 for a discussion.
+
+3.4 Next-Level Aggregation Identifier
+
+ Next-Level Aggregation Identifier's are used by organizations
+ assigned a TLA ID to create an addressing hierarchy and to identify
+ sites. The organization can assign the top part of the NLA ID in a
+ manner to create an addressing hierarchy appropriate to its network.
+ It can use the remainder of the bits in the field to identify sites
+ it wishes to serve. This is shown as follows:
+
+ | n | 24-n bits | 16 | 64 bits |
+ +-----+--------------------+--------+-----------------+
+ |NLA1 | Site ID | SLA ID | Interface ID |
+ +-----+--------------------+--------+-----------------+
+
+ Each organization assigned a TLA ID receives 24 bits of NLA ID space.
+ This NLA ID space allows each organization to provide service to
+ approximately as many organizations as the current IPv4 Internet can
+ support total networks.
+
+ Organizations assigned TLA ID's may also support NLA ID's in their
+ own Site ID space. This allows the organization assigned a TLA ID to
+ provide service to organizations providing public transit service and
+ to organizations who do not provide public transit service. These
+ organizations receiving an NLA ID may also choose to use their Site
+ ID space to support other NLA ID's. This is shown as follows:
+
+
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 5]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ | n | 24-n bits | 16 | 64 bits |
+ +-----+--------------------+--------+-----------------+
+ |NLA1 | Site ID | SLA ID | Interface ID |
+ +-----+--------------------+--------+-----------------+
+
+ | m | 24-n-m | 16 | 64 bits |
+ +-----+--------------+--------+-----------------+
+ |NLA2 | Site ID | SLA ID | Interface ID |
+ +-----+--------------+--------+-----------------+
+
+ | o |24-n-m-o| 16 | 64 bits |
+ +-----+--------+--------+-----------------+
+ |NLA3 | Site ID| SLA ID | Interface ID |
+ +-----+--------+--------+-----------------+
+
+ The design of the bit layout of the NLA ID space for a specific TLA
+ ID is left to the organization responsible for that TLA ID. Likewise
+ the design of the bit layout of the next level NLA ID is the
+ responsibility of the previous level NLA ID. It is recommended that
+ organizations assigning NLA address space use "slow start" allocation
+ procedures similar to [RFC2050].
+
+ The design of an NLA ID allocation plan is a tradeoff between routing
+ aggregation efficiency and flexibility. Creating hierarchies allows
+ for greater amount of aggregation and results in smaller routing
+ tables. Flat NLA ID assignment provides for easier allocation and
+ attachment flexibility, but results in larger routing tables.
+
+3.5 Site-Level Aggregation Identifier
+
+ The SLA ID field is used by an individual organization to create its
+ own local addressing hierarchy and to identify subnets. This is
+ analogous to subnets in IPv4 except that each organization has a much
+ greater number of subnets. The 16 bit SLA ID field support 65,535
+ individual subnets.
+
+ Organizations may choose to either route their SLA ID "flat" (e.g.,
+ not create any logical relationship between the SLA identifiers that
+ results in larger routing tables), or to create a two or more level
+ hierarchy (that results in smaller routing tables) in the SLA ID
+ field. The latter is shown as follows:
+
+
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 6]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ | n | 16-n | 64 bits |
+ +-----+------------+-------------------------------------+
+ |SLA1 | Subnet | Interface ID |
+ +-----+------------+-------------------------------------+
+
+ | m |16-n-m | 64 bits |
+ +----+-------+-------------------------------------+
+ |SLA2|Subnet | Interface ID |
+ +----+-------+-------------------------------------+
+
+ The approach chosen for structuring an SLA ID field is the
+ responsibility of the individual organization.
+
+ The number of subnets supported in this address format should be
+ sufficient for all but the largest of organizations. Organizations
+ which need additional subnets can arrange with the organization they
+ are obtaining Internet service from to obtain additional site
+ identifiers and use this to create additional subnets.
+
+3.6 Interface ID
+
+ Interface identifiers are used to identify interfaces on a link.
+ They are required to be unique on that link. They may also be unique
+ over a broader scope. In many cases an interfaces identifier will be
+ the same or be based on the interface's link-layer address.
+ Interface IDs used in the aggregatable global unicast address format
+ are required to be 64 bits long and to be constructed in IEEE EUI-64
+ format [EUI-64]. These identifiers may have global scope when a
+ global token (e.g., IEEE 48bit MAC) is available or may have local
+ scope where a global token is not available (e.g., serial links,
+ tunnel end-points, etc.). The "u" bit (universal/local bit in IEEE
+ EUI-64 terminology) in the EUI-64 identifier must be set correctly,
+ as defined in [ARCH], to indicate global or local scope.
+
+ The procedures for creating EUI-64 based Interface Identifiers is
+ defined in [ARCH]. The details on forming interface identifiers is
+ defined in the appropriate "IPv6 over <link>" specification such as
+ "IPv6 over Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
+
+4.0 Technical Motivation
+
+ The design choices for the size of the fields in the aggregatable
+ address format were based on the need to meet a number of technical
+ requirements. These are described in the following paragraphs.
+
+ The size of the Top-Level Aggregation Identifier is 13 bits. This
+ allows for 8,192 TLA ID's. This size was chosen to insure that the
+ default-free routing table in top level routers in the Internet is
+
+
+
+Hinden, et. al. Standards Track [Page 7]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ kept within the limits, with a reasonable margin, of the current
+ routing technology. The margin is important because default-free
+ routers will also carry a significant number of longer (i.e., more-
+ specific) prefixes for optimizing paths internal to a TLA and between
+ TLAs.
+
+ The important issue is not only the size of the default-free routing
+ table, but the complexity of the topology that determines the number
+ of copies of the default-free routes that a router must examine while
+ computing a forwarding table. Current practice with IPv4 it is
+ common to see a prefix announced fifteen times via different paths.
+
+ The complexity of Internet topology is very likely to increase in the
+ future. It is important that IPv6 default-free routing support
+ additional complexity as well as a considerably larger internet.
+
+ It should be noted for comparison that at the time of this writing
+ (spring, 1998) the IPv4 default-free routing table contains
+ approximately 50,000 prefixes. While this shows that it is possible
+ to support more routes than 8,192 it is matter of debate if the
+ number of prefixes supported today in IPv4 is already too high for
+ current routing technology. There are serious issues of route
+ stability as well as cases of providers not supporting all top level
+ prefixes. The technical requirement was to pick a TLA ID size that
+ was below, with a reasonable margin, what was being done with IPv4.
+
+ The choice of 13 bits for the TLA field was an engineering
+ compromise. Fewer bits would have been too small by not supporting
+ enough top level organizations. More bits would have exceeded what
+ can be reasonably accommodated, with a reasonable margin, with
+ current routing technology in order to deal with the issues described
+ in the previous paragraphs.
+
+ If in the future, routing technology improves to support a larger
+ number of top level routes in the default-free routing tables there
+ are two choices on how to increase the number TLA identifiers. The
+ first is to expand the TLA ID field into the reserved field. This
+ would increase the number of TLA ID's to approximately 2 million.
+ The second approach is to allocate another format prefix (FP) for use
+ with this address format. Either or a combination of these
+ approaches allows the number of TLA ID's to increase significantly.
+
+ The size of the Reserved field is 8 bits. This size was chosen to
+ allow significant growth of either the TLA ID and/or the NLA ID
+ fields.
+
+ The size of the Next-Level Aggregation Identifier field is 24 bits.
+
+
+
+
+Hinden, et. al. Standards Track [Page 8]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ This allows for approximately sixteen million NLA ID's if used in a
+ flat manner. Used hierarchically it allows for a complexity roughly
+ equivalent to the IPv4 address space (assuming an average network
+ size of 254 interfaces). If in the future additional room for
+ complexity is needed in the NLA ID, this may be accommodated by
+ extending the NLA ID into the Reserved field.
+
+ The size of the Site-Level Aggregation Identifier field is 16 bits.
+ This supports 65,535 individual subnets per site. The design goal
+ for the size of this field was to be sufficient for all but the
+ largest of organizations. Organizations which need additional
+ subnets can arrange with the organization they are obtaining Internet
+ service from to obtain additional site identifiers and use this to
+ create additional subnets.
+
+ The Site-Level Aggregation Identifier field was given a fixed size in
+ order to force the length of all prefixes identifying a particular
+ site to be the same length (i.e., 48 bits). This facilitates
+ movement of sites in the topology (e.g., changing service providers
+ and multi-homing to multiple service providers).
+
+ The Interface ID Interface Identifier field is 64 bits. This size
+ was chosen to meet the requirement specified in [ARCH] to support
+ EUI-64 based Interface Identifiers.
+
+5.0 Acknowledgments
+
+ The authors would like to express our thanks to Thomas Narten, Bob
+ Fink, Matt Crawford, Allison Mankin, Jim Bound, Christian Huitema,
+ Scott Bradner, Brian Carpenter, John Stewart, and Daniel Karrenberg
+ for their review and constructive comments.
+
+6.0 References
+
+ [ALLOC] IAB and IESG, "IPv6 Address Allocation Management",
+ RFC 1881, December 1995.
+
+ [ARCH] Hinden, R., "IP Version 6 Addressing Architecture",
+ RFC 2373, July 1998.
+
+ [AUTH] Atkinson, R., "IP Authentication Header", RFC 1826, August
+ 1995.
+
+ [AUTO] Thompson, S., and T. Narten., "IPv6 Stateless Address
+ Autoconfiguration", RFC 1971, August 1996.
+
+ [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
+ Networks", Work in Progress.
+
+
+
+Hinden, et. al. Standards Track [Page 9]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+ [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
+ Registration Authority",
+ http://standards.ieee.org/db/oui/tutorials/EUI64.html,
+ March 1997.
+
+ [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
+ Networks", Work in Progress.
+
+ [IPV6] Deering, S., and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 1883, December 1995.
+
+ [RFC2050] Hubbard, K., Kosters, M., Conrad, D., Karrenberg, D.,
+ and J. Postel, "Internet Registry IP Allocation
+ Guidelines", BCP 12, RFC 1466, November 1996.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+7.0 Security Considerations
+
+ IPv6 addressing documents do not have any direct impact on Internet
+ infrastructure security. Authentication of IPv6 packets is defined
+ in [AUTH].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 10]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+8.0 Authors' Addresses
+
+ Robert M. Hinden
+ Nokia
+ 232 Java Drive
+ Sunnyvale, CA 94089
+ USA
+
+ Phone: 1 408 990-2004
+ EMail: hinden@iprg.nokia.com
+
+
+ Mike O'Dell
+ UUNET Technologies, Inc.
+ 3060 Williams Drive
+ Fairfax, VA 22030
+ USA
+
+ Phone: 1 703 206-5890
+ EMail: mo@uunet.uu.net
+
+
+ Stephen E. Deering
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ USA
+
+ Phone: 1 408 527-8213
+ EMail: deering@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 11]
+
+RFC 2374 IPv6 Global Unicast Address Format July 1998
+
+
+9.0 Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden, et. al. Standards Track [Page 12]
+
diff --git a/contrib/bind9/doc/rfc/rfc2375.txt b/contrib/bind9/doc/rfc/rfc2375.txt
new file mode 100644
index 0000000..a1fe8b9
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2375.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group R. Hinden
+Request for Comments: 2375 Ipsilon Networks
+Category: Informational S. Deering
+ Cisco
+ July 1998
+
+
+ IPv6 Multicast Address Assignments
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+1.0 Introduction
+
+ This document defines the initial assignment of IPv6 multicast
+ addresses. It is based on the "IP Version 6 Addressing Architecture"
+ [ADDARCH] and current IPv4 multicast address assignment found in
+ <ftp://venera.isi.edu/in-notes/iana/assignments/multicast-addresses>.
+ It adapts the IPv4 assignments that are relevant to IPv6 assignments.
+ IPv4 assignments that were not relevant were not converted into IPv6
+ assignments. Comments are solicited on this conversion.
+
+ All other IPv6 multicast addresses are reserved.
+
+ Sections 2 and 3 specify reserved and preassigned IPv6 multicast
+ addresses.
+
+ [ADDRARCH] defines rules for assigning new IPv6 multicast addresses.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+2. Fixed Scope Multicast Addresses
+
+ These permanently assigned multicast addresses are valid over a
+ specified scope value.
+
+
+
+
+
+
+
+Hinden & Deering Informational [Page 1]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+2.1 Node-Local Scope
+
+ FF01:0:0:0:0:0:0:1 All Nodes Address [ADDARCH]
+ FF01:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
+
+2.2 Link-Local Scope
+
+ FF02:0:0:0:0:0:0:1 All Nodes Address [ADDARCH]
+ FF02:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
+ FF02:0:0:0:0:0:0:3 Unassigned [JBP]
+ FF02:0:0:0:0:0:0:4 DVMRP Routers [RFC1075,JBP]
+ FF02:0:0:0:0:0:0:5 OSPFIGP [RFC2328,Moy]
+ FF02:0:0:0:0:0:0:6 OSPFIGP Designated Routers [RFC2328,Moy]
+ FF02:0:0:0:0:0:0:7 ST Routers [RFC1190,KS14]
+ FF02:0:0:0:0:0:0:8 ST Hosts [RFC1190,KS14]
+ FF02:0:0:0:0:0:0:9 RIP Routers [RFC2080]
+ FF02:0:0:0:0:0:0:A EIGRP Routers [Farinacci]
+ FF02:0:0:0:0:0:0:B Mobile-Agents [Bill Simpson]
+
+ FF02:0:0:0:0:0:0:D All PIM Routers [Farinacci]
+ FF02:0:0:0:0:0:0:E RSVP-ENCAPSULATION [Braden]
+
+ FF02:0:0:0:0:0:1:1 Link Name [Harrington]
+ FF02:0:0:0:0:0:1:2 All-dhcp-agents [Bound,Perkins]
+
+ FF02:0:0:0:0:1:FFXX:XXXX Solicited-Node Address [ADDARCH]
+
+2.3 Site-Local Scope
+
+ FF05:0:0:0:0:0:0:2 All Routers Address [ADDARCH]
+
+ FF05:0:0:0:0:0:1:3 All-dhcp-servers [Bound,Perkins]
+ FF05:0:0:0:0:0:1:4 All-dhcp-relays [Bound,Perkins]
+ FF05:0:0:0:0:0:1:1000 Service Location [RFC2165]
+ -FF05:0:0:0:0:0:1:13FF
+
+3.0 All Scope Multicast Addresses
+
+ These permanently assigned multicast addresses are valid over all
+ scope ranges. This is shown by an "X" in the scope field of the
+ address that means any legal scope value.
+
+ Note that, as defined in [ADDARCH], IPv6 multicast addresses which
+ are only different in scope represent different groups. Nodes must
+ join each group individually.
+
+ The IPv6 multicast addresses with variable scope are as follows:
+
+
+
+
+Hinden & Deering Informational [Page 2]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+ FF0X:0:0:0:0:0:0:0 Reserved Multicast Address [ADDARCH]
+
+ FF0X:0:0:0:0:0:0:100 VMTP Managers Group [RFC1045,DRC3]
+ FF0X:0:0:0:0:0:0:101 Network Time Protocol (NTP) [RFC1119,DLM1]
+ FF0X:0:0:0:0:0:0:102 SGI-Dogfight [AXC]
+ FF0X:0:0:0:0:0:0:103 Rwhod [SXD]
+ FF0X:0:0:0:0:0:0:104 VNP [DRC3]
+ FF0X:0:0:0:0:0:0:105 Artificial Horizons - Aviator [BXF]
+ FF0X:0:0:0:0:0:0:106 NSS - Name Service Server [BXS2]
+ FF0X:0:0:0:0:0:0:107 AUDIONEWS - Audio News Multicast [MXF2]
+ FF0X:0:0:0:0:0:0:108 SUN NIS+ Information Service [CXM3]
+ FF0X:0:0:0:0:0:0:109 MTP Multicast Transport Protocol [SXA]
+ FF0X:0:0:0:0:0:0:10A IETF-1-LOW-AUDIO [SC3]
+ FF0X:0:0:0:0:0:0:10B IETF-1-AUDIO [SC3]
+ FF0X:0:0:0:0:0:0:10C IETF-1-VIDEO [SC3]
+ FF0X:0:0:0:0:0:0:10D IETF-2-LOW-AUDIO [SC3]
+ FF0X:0:0:0:0:0:0:10E IETF-2-AUDIO [SC3]
+ FF0X:0:0:0:0:0:0:10F IETF-2-VIDEO [SC3]
+
+ FF0X:0:0:0:0:0:0:110 MUSIC-SERVICE [Guido van Rossum]
+ FF0X:0:0:0:0:0:0:111 SEANET-TELEMETRY [Andrew Maffei]
+ FF0X:0:0:0:0:0:0:112 SEANET-IMAGE [Andrew Maffei]
+ FF0X:0:0:0:0:0:0:113 MLOADD [Braden]
+ FF0X:0:0:0:0:0:0:114 any private experiment [JBP]
+ FF0X:0:0:0:0:0:0:115 DVMRP on MOSPF [Moy]
+ FF0X:0:0:0:0:0:0:116 SVRLOC [Veizades]
+ FF0X:0:0:0:0:0:0:117 XINGTV <hgxing@aol.com>
+ FF0X:0:0:0:0:0:0:118 microsoft-ds <arnoldm@microsoft.com>
+ FF0X:0:0:0:0:0:0:119 nbc-pro <bloomer@birch.crd.ge.com>
+ FF0X:0:0:0:0:0:0:11A nbc-pfn <bloomer@birch.crd.ge.com>
+ FF0X:0:0:0:0:0:0:11B lmsc-calren-1 [Uang]
+ FF0X:0:0:0:0:0:0:11C lmsc-calren-2 [Uang]
+ FF0X:0:0:0:0:0:0:11D lmsc-calren-3 [Uang]
+ FF0X:0:0:0:0:0:0:11E lmsc-calren-4 [Uang]
+ FF0X:0:0:0:0:0:0:11F ampr-info [Janssen]
+
+ FF0X:0:0:0:0:0:0:120 mtrace [Casner]
+ FF0X:0:0:0:0:0:0:121 RSVP-encap-1 [Braden]
+ FF0X:0:0:0:0:0:0:122 RSVP-encap-2 [Braden]
+ FF0X:0:0:0:0:0:0:123 SVRLOC-DA [Veizades]
+ FF0X:0:0:0:0:0:0:124 rln-server [Kean]
+ FF0X:0:0:0:0:0:0:125 proshare-mc [Lewis]
+ FF0X:0:0:0:0:0:0:126 dantz [Yackle]
+ FF0X:0:0:0:0:0:0:127 cisco-rp-announce [Farinacci]
+ FF0X:0:0:0:0:0:0:128 cisco-rp-discovery [Farinacci]
+ FF0X:0:0:0:0:0:0:129 gatekeeper [Toga]
+ FF0X:0:0:0:0:0:0:12A iberiagames [Marocho]
+
+
+
+
+Hinden & Deering Informational [Page 3]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+ FF0X:0:0:0:0:0:0:201 "rwho" Group (BSD) (unofficial) [JBP]
+ FF0X:0:0:0:0:0:0:202 SUN RPC PMAPPROC_CALLIT [BXE1]
+
+ FF0X:0:0:0:0:0:2:0000
+ -FF0X:0:0:0:0:0:2:7FFD Multimedia Conference Calls [SC3]
+ FF0X:0:0:0:0:0:2:7FFE SAPv1 Announcements [SC3]
+ FF0X:0:0:0:0:0:2:7FFF SAPv0 Announcements (deprecated) [SC3]
+ FF0X:0:0:0:0:0:2:8000
+ -FF0X:0:0:0:0:0:2:FFFF SAP Dynamic Assignments [SC3]
+
+5.0 References
+
+ [ADDARCH] Hinden, R., and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [AUTORFC] Thompson, S., and T. Narten, "IPv6 Stateless Address
+ Autoconfiguration", RFC 1971, August 1996.
+
+ [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
+ Networks", Work in Progress.
+
+ [RFC1045] Cheriton, D., "VMTP: Versatile Message Transaction Protocol
+ Specification", RFC 1045, February 1988.
+
+ [RFC1075] Waitzman, D., Partridge, C., and S. Deering, "Distance
+ Vector Multicast Routing Protocol", RFC 1075, November
+ 1988.
+
+ [RFC1112] Deering, S., "Host Extensions for IP Multicasting", STD 5,
+ RFC 1112, Stanford University, August 1989.
+
+ [RFC1119] Mills, D., "Network Time Protocol (Version 1),
+ Specification and Implementation", STD 12, RFC 1119, July
+ 1988.
+
+ [RFC1190] Topolcic, C., Editor, "Experimental Internet Stream
+ Protocol, Version 2 (ST-II)", RFC 1190, October 1990.
+
+ [RFC2080] Malkin, G., and R. Minnear, "RIPng for IPv6", RFC 2080,
+ January 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2165] Veizades, J., Guttman, E., Perkins, C., and S. Kaplan
+ "Service Location Protocol", RFC 2165 June 1997.
+
+ [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
+
+
+
+Hinden & Deering Informational [Page 4]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+6. People
+
+ <arnoldm@microsoft.com>
+
+ [AXC] Andrew Cherenson <arc@SGI.COM>
+
+ [Braden] Bob Braden, <braden@isi.edu>, April 1996.
+
+ [Bob Brenner]
+
+ [Bressler] David J. Bressler, <bressler@tss.com>, April 1996.
+
+ <bloomer@birch.crd.ge.com>
+
+ [Bound] Jim Bound <bound@zk3.dec.com>
+
+ [BXE1] Brendan Eic <brendan@illyria.wpd.sgi.com>
+
+ [BXF] Bruce Factor <ahi!bigapple!bruce@uunet.UU.NET>
+
+ [BXS2] Bill Schilit <schilit@parc.xerox.com>
+
+ [Casner] Steve Casner, <casner@isi.edu>, January 1995.
+
+ [CXM3] Chuck McManis <cmcmanis@sun.com>
+
+ [Tim Clark]
+
+ [DLM1] David Mills <Mills@HUEY.UDEL.EDU>
+
+ [DRC3] Dave Cheriton <cheriton@PESCADERO.STANFORD.EDU>
+
+ [DXS3] Daniel Steinber <Daniel.Steinberg@Eng.Sun.COM>
+
+ [Farinacci] Dino Farinacci, <dino@cisco.com>
+
+ [GSM11] Gary S. Malkin <GMALKIN@XYLOGICS.COM>
+
+ [Harrington] Dan Harrington, <dan@lucent.com>, July 1996.
+
+ <hgxing@aol.com>
+
+ [IANA] IANA <iana@iana.org>
+
+ [Janssen] Rob Janssen, <rob@pe1chl.ampr.org>, January 1995.
+
+ [JBP] Jon Postel <postel@isi.edu>
+
+
+
+
+Hinden & Deering Informational [Page 5]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+ [JXM1] Jim Miner <miner@star.com>
+
+ [Kean] Brian Kean, <bkean@dca.com>, August 1995.
+
+ [KS14] <mystery contact>
+
+ [Lee] Choon Lee, <cwl@nsd.3com.com>, April 1996.
+
+ [Lewis] Mark Lewis, <Mark_Lewis@ccm.jf.intel.com>, October 1995.
+
+ [Malamud] Carl Malamud, <carl@radio.com>, January 1996.
+
+ [Andrew Maffei]
+
+ [Marohco] Jose Luis Marocho, <73374.313@compuserve.com>, July 1996.
+
+ [Moy] John Moy <jmoy@casc.com>
+
+ [MXF2] Martin Forssen <maf@dtek.chalmers.se>
+
+ [Perkins] Charlie Perkins, <cperkins@corp.sun.com>
+
+ [Guido van Rossum]
+
+ [SC3] Steve Casner <casner@isi.edu>
+
+ [Simpson] Bill Simpson <bill.simpson@um.cc.umich.edu> November 1994.
+
+ [Joel Snyder]
+
+ [SXA] Susie Armstrong <Armstrong.wbst128@XEROX.COM>
+
+ [SXD] Steve Deering <deering@PARC.XEROX.COM>
+
+ [tynan] Dermot Tynan, <dtynan@claddagh.ie>, August 1995.
+
+ [Toga] Jim Toga, <jtoga@ibeam.jf.intel.com>, May 1996.
+
+ [Uang] Yea Uang <uang@force.decnet.lockheed.com> November 1994.
+
+ [Veizades] John Veizades, <veizades@tgv.com>, May 1995.
+
+ [Yackle] Dotty Yackle, <ditty_yackle@dantz.com>, February 1996.
+
+
+
+
+
+
+
+
+Hinden & Deering Informational [Page 6]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+7.0 Security Considerations
+
+ This document defines the initial assignment of IPv6 multicast
+ addresses. As such it does not directly impact the security of the
+ Internet infrastructure or its applications.
+
+8.0 Authors' Addresses
+
+ Robert M. Hinden
+ Ipsilon Networks, Inc.
+ 232 Java Drive
+ Sunnyvale, CA 94089
+ USA
+
+ Phone: +1 415 990 2004
+ EMail: hinden@ipsilon.com
+
+
+ Stephen E. Deering
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ USA
+
+ Phone: +1 408 527-8213
+ EMail: deering@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Informational [Page 7]
+
+RFC 2375 IPv6 Multicast Address Assignments July 1998
+
+
+9.0 Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Informational [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc2418.txt b/contrib/bind9/doc/rfc/rfc2418.txt
new file mode 100644
index 0000000..9bdb2c5
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2418.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Network Working Group S. Bradner
+Request for Comments: 2418 Editor
+Obsoletes: 1603 Harvard University
+BCP: 25 September 1998
+Category: Best Current Practice
+
+
+ IETF Working Group
+ Guidelines and Procedures
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+Abstract
+
+ The Internet Engineering Task Force (IETF) has responsibility for
+ developing and reviewing specifications intended as Internet
+ Standards. IETF activities are organized into working groups (WGs).
+ This document describes the guidelines and procedures for formation
+ and operation of IETF working groups. It also describes the formal
+ relationship between IETF participants WG and the Internet
+ Engineering Steering Group (IESG) and the basic duties of IETF
+ participants, including WG Chairs, WG participants, and IETF Area
+ Directors.
+
+Table of Contents
+
+ Abstract ......................................................... 1
+ 1. Introduction .................................................. 2
+ 1.1. IETF approach to standardization .......................... 4
+ 1.2. Roles within a Working Group .............................. 4
+ 2. Working group formation ....................................... 4
+ 2.1. Criteria for formation .................................... 4
+ 2.2. Charter ................................................... 6
+ 2.3. Charter review & approval ................................. 8
+ 2.4. Birds of a feather (BOF) .................................. 9
+ 3. Working Group Operation ....................................... 10
+ 3.1. Session planning .......................................... 11
+ 3.2. Session venue ............................................. 11
+ 3.3. Session management ........................................ 13
+ 3.4. Contention and appeals .................................... 15
+
+
+
+Bradner Best Current Practice [Page 1]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ 4. Working Group Termination ..................................... 15
+ 5. Rechartering a Working Group .................................. 15
+ 6. Staff Roles ................................................... 16
+ 6.1. WG Chair .................................................. 16
+ 6.2. WG Secretary .............................................. 18
+ 6.3. Document Editor ........................................... 18
+ 6.4. WG Facilitator ............................................ 18
+ 6.5. Design teams .............................................. 19
+ 6.6. Working Group Consultant .................................. 19
+ 6.7. Area Director ............................................. 19
+ 7. Working Group Documents ....................................... 19
+ 7.1. Session documents ......................................... 19
+ 7.2. Internet-Drafts (I-D) ..................................... 19
+ 7.3. Request For Comments (RFC) ................................ 20
+ 7.4. Working Group Last-Call ................................... 20
+ 7.5. Submission of documents ................................... 21
+ 8. Review of documents ........................................... 21
+ 9. Security Considerations ....................................... 22
+ 10. Acknowledgments .............................................. 23
+ 11. References ................................................... 23
+ 12. Editor's Address ............................................. 23
+ Appendix: Sample Working Group Charter .......................... 24
+ Full Copyright Statement ......................................... 26
+
+1. Introduction
+
+ The Internet, a loosely-organized international collaboration of
+ autonomous, interconnected networks, supports host-to-host
+ communication through voluntary adherence to open protocols and
+ procedures defined by Internet Standards. There are also many
+ isolated interconnected networks, which are not connected to the
+ global Internet but use the Internet Standards. Internet Standards
+ are developed in the Internet Engineering Task Force (IETF). This
+ document defines guidelines and procedures for IETF working groups.
+ The Internet Standards Process of the IETF is defined in [1]. The
+ organizations involved in the IETF Standards Process are described in
+ [2] as are the roles of specific individuals.
+
+ The IETF is a large, open community of network designers, operators,
+ vendors, users, and researchers concerned with the Internet and the
+ technology used on it. The primary activities of the IETF are
+ performed by committees known as working groups. There are currently
+ more than 100 working groups. (See the IETF web page for an up-to-
+ date list of IETF Working Groups - http://www.ietf.org.) Working
+ groups tend to have a narrow focus and a lifetime bounded by the
+ completion of a specific set of tasks, although there are exceptions.
+
+
+
+
+
+Bradner Best Current Practice [Page 2]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ For management purposes, the IETF working groups are collected
+ together into areas, with each area having a separate focus. For
+ example, the security area deals with the development of security-
+ related technology. Each IETF area is managed by one or two Area
+ Directors (ADs). There are currently 8 areas in the IETF but the
+ number changes from time to time. (See the IETF web page for a list
+ of the current areas, the Area Directors for each area, and a list of
+ which working groups are assigned to each area.)
+
+ In many areas, the Area Directors have formed an advisory group or
+ directorate. These comprise experienced members of the IETF and the
+ technical community represented by the area. The specific name and
+ the details of the role for each group differ from area to area, but
+ the primary intent is that these groups assist the Area Director(s),
+ e.g., with the review of specifications produced in the area.
+
+ The IETF area directors are selected by a nominating committee, which
+ also selects an overall chair for the IETF. The nominations process
+ is described in [3].
+
+ The area directors sitting as a body, along with the IETF Chair,
+ comprise the Internet Engineering Steering Group (IESG). The IETF
+ Executive Director is an ex-officio participant of the IESG, as are
+ the IAB Chair and a designated Internet Architecture Board (IAB)
+ liaison. The IESG approves IETF Standards and approves the
+ publication of other IETF documents. (See [1].)
+
+ A small IETF Secretariat provides staff and administrative support
+ for the operation of the IETF.
+
+ There is no formal membership in the IETF. Participation is open to
+ all. This participation may be by on-line contribution, attendance
+ at face-to-face sessions, or both. Anyone from the Internet
+ community who has the time and interest is urged to participate in
+ IETF meetings and any of its on-line working group discussions.
+ Participation is by individual technical contributors, rather than by
+ formal representatives of organizations.
+
+ This document defines procedures and guidelines for the formation and
+ operation of working groups in the IETF. It defines the relations of
+ working groups to other bodies within the IETF. The duties of working
+ group Chairs and Area Directors with respect to the operation of the
+ working group are also defined. When used in this document the key
+ words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
+ "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be
+ interpreted as described in RFC 2119 [6]. RFC 2119 defines the use
+ of these key words to help make the intent of standards track
+ documents as clear as possible. The same key words are used in this
+
+
+
+Bradner Best Current Practice [Page 3]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ document to help smooth WG operation and reduce the chance for
+ confusion about the processes.
+
+1.1. IETF approach to standardization
+
+ Familiarity with The Internet Standards Process [1] is essential for
+ a complete understanding of the philosophy, procedures and guidelines
+ described in this document.
+
+1.2. Roles within a Working Group
+
+ The document, "Organizations Involved in the IETF Standards Process"
+ [2] describes the roles of a number of individuals within a working
+ group, including the working group chair and the document editor.
+ These descriptions are expanded later in this document.
+
+2. Working group formation
+
+ IETF working groups (WGs) are the primary mechanism for development
+ of IETF specifications and guidelines, many of which are intended to
+ be standards or recommendations. A working group may be established
+ at the initiative of an Area Director or it may be initiated by an
+ individual or group of individuals. Anyone interested in creating an
+ IETF working group MUST obtain the advice and consent of the IETF
+ Area Director(s) in whose area the working group would fall and MUST
+ proceed through the formal steps detailed in this section.
+
+ Working groups are typically created to address a specific problem or
+ to produce one or more specific deliverables (a guideline, standards
+ specification, etc.). Working groups are generally expected to be
+ short-lived in nature. Upon completion of its goals and achievement
+ of its objectives, the working group is terminated. A working group
+ may also be terminated for other reasons (see section 4).
+ Alternatively, with the concurrence of the IESG, Area Director, the
+ WG Chair, and the WG participants, the objectives or assignment of
+ the working group may be extended by modifying the working group's
+ charter through a rechartering process (see section 5).
+
+2.1. Criteria for formation
+
+ When determining whether it is appropriate to create a working group,
+ the Area Director(s) and the IESG will consider several issues:
+
+ - Are the issues that the working group plans to address clear and
+ relevant to the Internet community?
+
+ - Are the goals specific and reasonably achievable, and achievable
+ within a reasonable time frame?
+
+
+
+Bradner Best Current Practice [Page 4]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ - What are the risks and urgency of the work, to determine the level
+ of effort required?
+
+ - Do the working group's activities overlap with those of another
+ working group? If so, it may still be appropriate to create the
+ working group, but this question must be considered carefully by
+ the Area Directors as subdividing efforts often dilutes the
+ available technical expertise.
+
+ - Is there sufficient interest within the IETF in the working
+ group's topic with enough people willing to expend the effort to
+ produce the desired result (e.g., a protocol specification)?
+ Working groups require considerable effort, including management
+ of the working group process, editing of working group documents,
+ and contributing to the document text. IETF experience suggests
+ that these roles typically cannot all be handled by one person; a
+ minimum of four or five active participants in the management
+ positions are typically required in addition to a minimum of one
+ or two dozen people that will attend the working group meetings
+ and contribute on the mailing list. NOTE: The interest must be
+ broad enough that a working group would not be seen as merely the
+ activity of a single vendor.
+
+ - Is there enough expertise within the IETF in the working group's
+ topic, and are those people interested in contributing in the
+ working group?
+
+ - Does a base of interested consumers (end-users) appear to exist
+ for the planned work? Consumer interest can be measured by
+ participation of end-users within the IETF process, as well as by
+ less direct means.
+
+ - Does the IETF have a reasonable role to play in the determination
+ of the technology? There are many Internet-related technologies
+ that may be interesting to IETF members but in some cases the IETF
+ may not be in a position to effect the course of the technology in
+ the "real world". This can happen, for example, if the technology
+ is being developed by another standards body or an industry
+ consortium.
+
+ - Are all known intellectual property rights relevant to the
+ proposed working group's efforts issues understood?
+
+ - Is the proposed work plan an open IETF effort or is it an attempt
+ to "bless" non-IETF technology where the effect of input from IETF
+ participants may be limited?
+
+
+
+
+
+Bradner Best Current Practice [Page 5]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ - Is there a good understanding of any existing work that is
+ relevant to the topics that the proposed working group is to
+ pursue? This includes work within the IETF and elsewhere.
+
+ - Do the working group's goals overlap with known work in another
+ standards body, and if so is adequate liaison in place?
+
+ Considering the above criteria, the Area Director(s), using his or
+ her best judgement, will decide whether to pursue the formation of
+ the group through the chartering process.
+
+2.2. Charter
+
+ The formation of a working group requires a charter which is
+ primarily negotiated between a prospective working group Chair and
+ the relevant Area Director(s), although final approval is made by the
+ IESG with advice from the Internet Architecture Board (IAB). A
+ charter is a contract between a working group and the IETF to perform
+ a set of tasks. A charter:
+
+ 1. Lists relevant administrative information for the working group;
+ 2. Specifies the direction or objectives of the working group and
+ describes the approach that will be taken to achieve the goals;
+ and
+ 3. Enumerates a set of milestones together with time frames for their
+ completion.
+
+ When the prospective Chair(s), the Area Director and the IETF
+ Secretariat are satisfied with the charter form and content, it
+ becomes the basis for forming a working group. Note that an Area
+ Director MAY require holding an exploratory Birds of a Feather (BOF)
+ meeting, as described below, to gage the level of support for a
+ working group before submitting the charter to the IESG and IAB for
+ approval.
+
+ Charters may be renegotiated periodically to reflect the current
+ status, organization or goals of the working group (see section 5).
+ Hence, a charter is a contract between the IETF and the working group
+ which is committing to meet explicit milestones and delivering
+ specific "products".
+
+ Specifically, each charter consists of the following sections:
+
+ Working group name
+ A working group name should be reasonably descriptive or
+ identifiable. Additionally, the group shall define an acronym
+ (maximum 8 printable ASCII characters) to reference the group in
+ the IETF directories, mailing lists, and general documents.
+
+
+
+Bradner Best Current Practice [Page 6]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Chair(s)
+ The working group may have one or more Chairs to perform the
+ administrative functions of the group. The email address(es) of
+ the Chair(s) shall be included. Generally, a working group is
+ limited to two chairs.
+
+ Area and Area Director(s)
+ The name of the IETF area with which the working group is
+ affiliated and the name and electronic mail address of the
+ associated Area Director(s).
+
+ Responsible Area Director
+ The Area Director who acts as the primary IESG contact for the
+ working group.
+
+ Mailing list
+ An IETF working group MUST have a general Internet mailing list.
+ Most of the work of an IETF working group will be conducted on the
+ mailing list. The working group charter MUST include:
+
+ 1. The address to which a participant sends a subscription request
+ and the procedures to follow when subscribing,
+
+ 2. The address to which a participant sends submissions and
+ special procedures, if any, and
+
+ 3. The location of the mailing list archive. A message archive
+ MUST be maintained in a public place which can be accessed via
+ FTP or via the web.
+
+ As a service to the community, the IETF Secretariat operates a
+ mailing list archive for working group mailing lists. In order
+ to take advantage of this service, working group mailing lists
+ MUST include the address "wg_acronym-archive@lists.ietf.org"
+ (where "wg_acronym" is the working group acronym) in the
+ mailing list in order that a copy of all mailing list messages
+ be recorded in the Secretariat's archive. Those archives are
+ located at ftp://ftp.ietf.org/ietf-mail-archive. For
+ robustness, WGs SHOULD maintain an additional archive separate
+ from that maintained by the Secretariat.
+
+ Description of working group
+ The focus and intent of the group shall be set forth briefly. By
+ reading this section alone, an individual should be able to decide
+ whether this group is relevant to their own work. The first
+ paragraph must give a brief summary of the problem area, basis,
+ goal(s) and approach(es) planned for the working group. This
+ paragraph can be used as an overview of the working group's
+
+
+
+Bradner Best Current Practice [Page 7]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ effort.
+
+ To facilitate evaluation of the intended work and to provide on-
+ going guidance to the working group, the charter must describe the
+ problem being solved and should discuss objectives and expected
+ impact with respect to:
+
+ - Architecture
+ - Operations
+ - Security
+ - Network management
+ - Scaling
+ - Transition (where applicable)
+
+ Goals and milestones
+ The working group charter MUST establish a timetable for specific
+ work items. While this may be renegotiated over time, the list of
+ milestones and dates facilitates the Area Director's tracking of
+ working group progress and status, and it is indispensable to
+ potential participants identifying the critical moments for input.
+ Milestones shall consist of deliverables that can be qualified as
+ showing specific achievement; e.g., "Internet-Draft finished" is
+ fine, but "discuss via email" is not. It is helpful to specify
+ milestones for every 3-6 months, so that progress can be gauged
+ easily. This milestone list is expected to be updated
+ periodically (see section 5).
+
+ An example of a WG charter is included as Appendix A.
+
+2.3. Charter review & approval
+
+ Proposed working groups often comprise technically competent
+ participants who are not familiar with the history of Internet
+ architecture or IETF processes. This can, unfortunately, lead to
+ good working group consensus about a bad design. To facilitate
+ working group efforts, an Area Director may assign a Consultant from
+ among the ranks of senior IETF participants. (Consultants are
+ described in section 6.) At the discretion of the Area Director,
+ approval of a new WG may be withheld in the absence of sufficient
+ consultant resources.
+
+ Once the Area Director (and the Area Directorate, as the Area
+ Director deems appropriate) has approved the working group charter,
+ the charter is submitted for review by the IAB and approval by the
+ IESG. After a review period of at least a week the proposed charter
+ is posted to the IETF-announce mailing list as a public notice that
+ the formation of the working group is being considered. At the same
+ time the proposed charter is also posted to the "new-work" mailing
+
+
+
+Bradner Best Current Practice [Page 8]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ list. This mailing list has been created to let qualified
+ representatives from other standards organizations know about pending
+ IETF working groups. After another review period lasting at least a
+ week the IESG MAY approve the charter as-is, it MAY request that
+ changes be made in the charter, or MAY decline to approve chartering
+ of the working group
+
+ If the IESG approves the formation of the working group it remands
+ the approved charter to the IETF Secretariat who records and enters
+ the information into the IETF tracking database. The working group
+ is announced to the IETF-announce a by the IETF Secretariat.
+
+2.4. Birds of a Feather (BOF)
+
+ Often it is not clear whether an issue merits the formation of a
+ working group. To facilitate exploration of the issues the IETF
+ offers the possibility of a Birds of a Feather (BOF) session, as well
+ as the early formation of an email list for preliminary discussion.
+ In addition, a BOF may serve as a forum for a single presentation or
+ discussion, without any intent to form a working group.
+
+ A BOF is a session at an IETF meeting which permits "market research"
+ and technical "brainstorming". Any individual may request permission
+ to hold a BOF on a subject. The request MUST be filed with a relevant
+ Area Director who must approve a BOF before it can be scheduled. The
+ person who requests the BOF may be asked to serve as Chair of the
+ BOF.
+
+ The Chair of the BOF is also responsible for providing a report on
+ the outcome of the BOF. If the Area Director approves, the BOF is
+ then scheduled by submitting a request to agenda@ietf.org with copies
+ to the Area Director(s). A BOF description and agenda are required
+ before a BOF can be scheduled.
+
+ Available time for BOFs is limited, and BOFs are held at the
+ discretion of the ADs for an area. The AD(s) may require additional
+ assurances before authorizing a BOF. For example,
+
+ - The Area Director MAY require the establishment of an open email
+ list prior to authorizing a BOF. This permits initial exchanges
+ and sharing of framework, vocabulary and approaches, in order to
+ make the time spent in the BOF more productive.
+
+ - The Area Director MAY require that a BOF be held, prior to
+ establishing a working group (see section 2.2).
+
+ - The Area Director MAY require that there be a draft of the WG
+ charter prior to holding a BOF.
+
+
+
+Bradner Best Current Practice [Page 9]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ - The Area Director MAY require that a BOF not be held until an
+ Internet-Draft describing the proposed technology has been
+ published so it can be used as a basis for discussion in the BOF.
+
+ In general, a BOF on a particular topic is held only once (ONE slot
+ at one IETF Plenary meeting). Under unusual circumstances Area
+ Directors may, at their discretion, allow a BOF to meet for a second
+ time. BOFs are not permitted to meet three times. Note that all
+ other things being equal, WGs will be given priority for meeting
+ space over BOFs. Also, occasionally BOFs may be held for other
+ purposes than to discuss formation of a working group.
+
+ Usually the outcome of a BOF will be one of the following:
+
+ - There was enough interest and focus in the subject to warrant the
+ formation of a WG;
+
+ - While there was a reasonable level of interest expressed in the
+ BOF some other criteria for working group formation was not met
+ (see section 2.1).
+
+ - The discussion came to a fruitful conclusion, with results to be
+ written down and published, however there is no need to establish
+ a WG; or
+
+ - There was not enough interest in the subject to warrant the
+ formation of a WG.
+
+3. Working Group Operation
+
+ The IETF has basic requirements for open and fair participation and
+ for thorough consideration of technical alternatives. Within those
+ constraints, working groups are autonomous and each determines most
+ of the details of its own operation with respect to session
+ participation, reaching closure, etc. The core rule for operation is
+ that acceptance or agreement is achieved via working group "rough
+ consensus". WG participants should specifically note the
+ requirements for disclosure of conflicts of interest in [2].
+
+ A number of procedural questions and issues will arise over time, and
+ it is the function of the Working Group Chair(s) to manage the group
+ process, keeping in mind that the overall purpose of the group is to
+ make progress towards reaching rough consensus in realizing the
+ working group's goals and objectives.
+
+ There are few hard and fast rules on organizing or conducting working
+ group activities, but a set of guidelines and practices has evolved
+ over time that have proven successful. These are listed here, with
+
+
+
+Bradner Best Current Practice [Page 10]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ actual choices typically determined by the working group participants
+ and the Chair(s).
+
+3.1. Session planning
+
+ For coordinated, structured WG interactions, the Chair(s) MUST
+ publish a draft agenda well in advance of the actual session. The
+ agenda should contain at least:
+
+ - The items for discussion;
+ - The estimated time necessary per item; and
+ - A clear indication of what documents the participants will need to
+ read before the session in order to be well prepared.
+
+ Publication of the working group agenda shall include sending a copy
+ of the agenda to the working group mailing list and to
+ agenda@ietf.org.
+
+ All working group actions shall be taken in a public forum, and wide
+ participation is encouraged. A working group will conduct much of its
+ business via electronic mail distribution lists but may meet
+ periodically to discuss and review task status and progress, to
+ resolve specific issues and to direct future activities. IETF
+ Plenary meetings are the primary venue for these face-to-face working
+ group sessions, and it is common (though not required) that active
+ "interim" face-to-face meetings, telephone conferences, or video
+ conferences may also be held. Interim meetings are subject to the
+ same rules for advance notification, reporting, open participation,
+ and process, which apply to other working group meetings.
+
+ All working group sessions (including those held outside of the IETF
+ meetings) shall be reported by making minutes available. These
+ minutes should include the agenda for the session, an account of the
+ discussion including any decisions made, and a list of attendees. The
+ Working Group Chair is responsible for insuring that session minutes
+ are written and distributed, though the actual task may be performed
+ by someone designated by the Working Group Chair. The minutes shall
+ be submitted in printable ASCII text for publication in the IETF
+ Proceedings, and for posting in the IETF Directories and are to be
+ sent to: minutes@ietf.org
+
+3.2. Session venue
+
+ Each working group will determine the balance of email and face-to-
+ face sessions that is appropriate for achieving its milestones.
+ Electronic mail permits the widest participation; face-to-face
+ meetings often permit better focus and therefore can be more
+ efficient for reaching a consensus among a core of the working group
+
+
+
+Bradner Best Current Practice [Page 11]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ participants. In determining the balance, the WG must ensure that
+ its process does not serve to exclude contribution by email-only
+ participants. Decisions reached during a face-to-face meeting about
+ topics or issues which have not been discussed on the mailing list,
+ or are significantly different from previously arrived mailing list
+ consensus MUST be reviewed on the mailing list.
+
+ IETF Meetings
+ If a WG needs a session at an IETF meeting, the Chair must apply for
+ time-slots as soon as the first announcement of that IETF meeting is
+ made by the IETF Secretariat to the WG-chairs list. Session time is
+ a scarce resource at IETF meetings, so placing requests early will
+ facilitate schedule coordination for WGs requiring the same set of
+ experts.
+
+ The application for a WG session at an IETF meeting MUST be made to
+ the IETF Secretariat at the address agenda@ietf.org. Some Area
+ Directors may want to coordinate WG sessions in their area and
+ request that time slots be coordinated through them. If this is the
+ case it will be noted in the IETF meeting announcement. A WG
+ scheduling request MUST contain:
+
+ - The working group name and full title;
+ - The amount of time requested;
+ - The rough outline of the WG agenda that is expected to be covered;
+ - The estimated number of people that will attend the WG session;
+ - Related WGs that should not be scheduled for the same time slot(s);
+ and
+ - Optionally a request can be added for the WG session to be
+ transmitted over the Internet in audio and video.
+
+ NOTE: While open discussion and contribution is essential to working
+ group success, the Chair is responsible for ensuring forward
+ progress. When acceptable to the WG, the Chair may call for
+ restricted participation (but not restricted attendance!) at IETF
+ working group sessions for the purpose of achieving progress. The
+ Working Group Chair then has the authority to refuse to grant the
+ floor to any individual who is unprepared or otherwise covering
+ inappropriate material, or who, in the opinion of the Chair is
+ disrupting the WG process. The Chair should consult with the Area
+ Director(s) if the individual persists in disruptive behavior.
+
+ On-line
+ It can be quite useful to conduct email exchanges in the same manner
+ as a face-to-face session, with published schedule and agenda, as
+ well as on-going summarization and consensus polling.
+
+
+
+
+
+Bradner Best Current Practice [Page 12]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Many working group participants hold that mailing list discussion is
+ the best place to consider and resolve issues and make decisions. The
+ choice of operational style is made by the working group itself. It
+ is important to note, however, that Internet email discussion is
+ possible for a much wider base of interested persons than is
+ attendance at IETF meetings, due to the time and expense required to
+ attend.
+
+ As with face-to-face sessions occasionally one or more individuals
+ may engage in behavior on a mailing list which disrupts the WG's
+ progress. In these cases the Chair should attempt to discourage the
+ behavior by communication directly with the offending individual
+ rather than on the open mailing list. If the behavior persists then
+ the Chair must involve the Area Director in the issue. As a last
+ resort and after explicit warnings, the Area Director, with the
+ approval of the IESG, may request that the mailing list maintainer
+ block the ability of the offending individual to post to the mailing
+ list. (If the mailing list software permits this type of operation.)
+ Even if this is done, the individual must not be prevented from
+ receiving messages posted to the list. Other methods of mailing list
+ control may be considered but must be approved by the AD(s) and the
+ IESG.
+
+3.3. Session management
+
+ Working groups make decisions through a "rough consensus" process.
+ IETF consensus does not require that all participants agree although
+ this is, of course, preferred. In general, the dominant view of the
+ working group shall prevail. (However, it must be noted that
+ "dominance" is not to be determined on the basis of volume or
+ persistence, but rather a more general sense of agreement.) Consensus
+ can be determined by a show of hands, humming, or any other means on
+ which the WG agrees (by rough consensus, of course). Note that 51%
+ of the working group does not qualify as "rough consensus" and 99% is
+ better than rough. It is up to the Chair to determine if rough
+ consensus has been reached.
+
+ It can be particularly challenging to gauge the level of consensus on
+ a mailing list. There are two different cases where a working group
+ may be trying to understand the level of consensus via a mailing list
+ discussion. But in both cases the volume of messages on a topic is
+ not, by itself, a good indicator of consensus since one or two
+ individuals may be generating much of the traffic.
+
+ In the case where a consensus which has been reached during a face-
+ to-face meeting is being verified on a mailing list the people who
+ were in the meeting and expressed agreement must be taken into
+ account. If there were 100 people in a meeting and only a few people
+
+
+
+Bradner Best Current Practice [Page 13]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ on the mailing list disagree with the consensus of the meeting then
+ the consensus should be seen as being verified. Note that enough
+ time should be given to the verification process for the mailing list
+ readers to understand and consider any objections that may be raised
+ on the list. The normal two week last-call period should be
+ sufficient for this.
+
+ The other case is where the discussion has been held entirely over
+ the mailing list. The determination of the level of consensus may be
+ harder to do in this case since most people subscribed to mailing
+ lists do not actively participate in discussions on the list. It is
+ left to the discretion of the working group chair how to evaluate the
+ level of consensus. The most common method used is for the working
+ group chair to state what he or she believes to be the consensus view
+ and. at the same time, requests comments from the list about the
+ stated conclusion.
+
+ The challenge to managing working group sessions is to balance the
+ need for open and fair consideration of the issues against the need
+ to make forward progress. The working group, as a whole, has the
+ final responsibility for striking this balance. The Chair has the
+ responsibility for overseeing the process but may delegate direct
+ process management to a formally-designated Facilitator.
+
+ It is occasionally appropriate to revisit a topic, to re-evaluate
+ alternatives or to improve the group's understanding of a relevant
+ decision. However, unnecessary repeated discussions on issues can be
+ avoided if the Chair makes sure that the main arguments in the
+ discussion (and the outcome) are summarized and archived after a
+ discussion has come to conclusion. It is also good practice to note
+ important decisions/consensus reached by email in the minutes of the
+ next 'live' session, and to summarize briefly the decision-making
+ history in the final documents the WG produces.
+
+ To facilitate making forward progress, a Working Group Chair may wish
+ to decide to reject or defer the input from a member, based upon the
+ following criteria:
+
+ Old
+ The input pertains to a topic that already has been resolved and is
+ redundant with information previously available;
+
+ Minor
+ The input is new and pertains to a topic that has already been
+ resolved, but it is felt to be of minor import to the existing
+ decision;
+
+
+
+
+
+Bradner Best Current Practice [Page 14]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Timing
+ The input pertains to a topic that the working group has not yet
+ opened for discussion; or
+
+ Scope
+ The input is outside of the scope of the working group charter.
+
+3.4. Contention and appeals
+
+ Disputes are possible at various stages during the IETF process. As
+ much as possible the process is designed so that compromises can be
+ made, and genuine consensus achieved; however, there are times when
+ even the most reasonable and knowledgeable people are unable to
+ agree. To achieve the goals of openness and fairness, such conflicts
+ must be resolved by a process of open review and discussion.
+
+ Formal procedures for requesting a review of WG, Chair, Area Director
+ or IESG actions and conducting appeals are documented in The Internet
+ Standards Process [1].
+
+4. Working Group Termination
+
+ Working groups are typically chartered to accomplish a specific task
+ or tasks. After the tasks are complete, the group will be disbanded.
+ However, if a WG produces a Proposed or Draft Standard, the WG will
+ frequently become dormant rather than disband (i.e., the WG will no
+ longer conduct formal activities, but the mailing list will remain
+ available to review the work as it moves to Draft Standard and
+ Standard status.)
+
+ If, at some point, it becomes evident that a working group is unable
+ to complete the work outlined in the charter, or if the assumptions
+ which that work was based have been modified in discussion or by
+ experience, the Area Director, in consultation with the working group
+ can either:
+
+ 1. Recharter to refocus its tasks,
+ 2. Choose new Chair(s), or
+ 3. Disband.
+
+ If the working group disagrees with the Area Director's choice, it
+ may appeal to the IESG (see section 3.4).
+
+5. Rechartering a Working Group
+
+ Updated milestones are renegotiated with the Area Director and the
+ IESG, as needed, and then are submitted to the IESG Secretariat:
+ iesg-secretary@ietf.org.
+
+
+
+Bradner Best Current Practice [Page 15]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Rechartering (other than revising milestones) a working group follows
+ the same procedures that the initial chartering does (see section 2).
+ The revised charter must be submitted to the IESG and IAB for
+ approval. As with the initial chartering, the IESG may approve new
+ charter as-is, it may request that changes be made in the new charter
+ (including having the Working Group continue to use the old charter),
+ or it may decline to approve the rechartered working group. In the
+ latter case, the working group is disbanded.
+
+6. Staff Roles
+
+ Working groups require considerable care and feeding. In addition to
+ general participation, successful working groups benefit from the
+ efforts of participants filling specific functional roles. The Area
+ Director must agree to the specific people performing the WG Chair,
+ and Working Group Consultant roles, and they serve at the discretion
+ of the Area Director.
+
+6.1. WG Chair
+
+ The Working Group Chair is concerned with making forward progress
+ through a fair and open process, and has wide discretion in the
+ conduct of WG business. The Chair must ensure that a number of tasks
+ are performed, either directly or by others assigned to the tasks.
+
+ The Chair has the responsibility and the authority to make decisions,
+ on behalf of the working group, regarding all matters of working
+ group process and staffing, in conformance with the rules of the
+ IETF. The AD has the authority and the responsibility to assist in
+ making those decisions at the request of the Chair or when
+ circumstances warrant such an intervention.
+
+ The Chair's responsibility encompasses at least the following:
+
+ Ensure WG process and content management
+
+ The Chair has ultimate responsibility for ensuring that a working
+ group achieves forward progress and meets its milestones. The
+ Chair is also responsible to ensure that the working group
+ operates in an open and fair manner. For some working groups,
+ this can be accomplished by having the Chair perform all
+ management-related activities. In other working groups --
+ particularly those with large or divisive participation -- it is
+ helpful to allocate process and/or secretarial functions to other
+ participants. Process management pertains strictly to the style
+ of working group interaction and not to its content. It ensures
+ fairness and detects redundancy. The secretarial function
+ encompasses document editing. It is quite common for a working
+
+
+
+Bradner Best Current Practice [Page 16]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ group to assign the task of specification Editor to one or two
+ participants. Sometimes, they also are part of the design team,
+ described below.
+
+ Moderate the WG email list
+
+ The Chair should attempt to ensure that the discussions on this
+ list are relevant and that they converge to consensus agreements.
+ The Chair should make sure that discussions on the list are
+ summarized and that the outcome is well documented (to avoid
+ repetition). The Chair also may choose to schedule organized on-
+ line "sessions" with agenda and deliverables. These can be
+ structured as true meetings, conducted over the course of several
+ days (to allow participation across the Internet).
+
+ Organize, prepare and chair face-to-face and on-line formal
+ sessions.
+
+ Plan WG Sessions
+
+ The Chair must plan and announce all WG sessions well in advance
+ (see section 3.1).
+
+ Communicate results of sessions
+
+ The Chair and/or Secretary must ensure that minutes of a session
+ are taken and that an attendance list is circulated (see section
+ 3.1).
+
+ Immediately after a session, the WG Chair MUST provide the Area
+ Director with a very short report (approximately one paragraph,
+ via email) on the session.
+
+ Distribute the workload
+
+ Of course, each WG will have participants who may not be able (or
+ want) to do any work at all. Most of the time the bulk of the work
+ is done by a few dedicated participants. It is the task of the
+ Chair to motivate enough experts to allow for a fair distribution
+ of the workload.
+
+ Document development
+
+ Working groups produce documents and documents need authors. The
+ Chair must make sure that authors of WG documents incorporate
+ changes as agreed to by the WG (see section 6.3).
+
+
+
+
+
+Bradner Best Current Practice [Page 17]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Document publication
+
+ The Chair and/or Document Editor will work with the RFC Editor to
+ ensure document conformance with RFC publication requirements [5]
+ and to coordinate any editorial changes suggested by the RFC
+ Editor. A particular concern is that all participants are working
+ from the same version of a document at the same time.
+
+ Document implementations
+
+ Under the procedures described in [1], the Chair is responsible
+ for documenting the specific implementations which qualify the
+ specification for Draft or Internet Standard status along with
+ documentation about testing of the interoperation of these
+ implementations.
+
+6.2. WG Secretary
+
+ Taking minutes and editing working group documents often is performed
+ by a specifically-designated participant or set of participants. In
+ this role, the Secretary's job is to record WG decisions, rather than
+ to perform basic specification.
+
+6.3. Document Editor
+
+ Most IETF working groups focus their efforts on a document, or set of
+ documents, that capture the results of the group's work. A working
+ group generally designates a person or persons to serve as the Editor
+ for a particular document. The Document Editor is responsible for
+ ensuring that the contents of the document accurately reflect the
+ decisions that have been made by the working group.
+
+ As a general practice, the Working Group Chair and Document Editor
+ positions are filled by different individuals to help ensure that the
+ resulting documents accurately reflect the consensus of the working
+ group and that all processes are followed.
+
+6.4. WG Facilitator
+
+ When meetings tend to become distracted or divisive, it often is
+ helpful to assign the task of "process management" to one
+ participant. Their job is to oversee the nature, rather than the
+ content, of participant interactions. That is, they attend to the
+ style of the discussion and to the schedule of the agenda, rather
+ than making direct technical contributions themselves.
+
+
+
+
+
+
+Bradner Best Current Practice [Page 18]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+6.5. Design teams
+
+ It is often useful, and perhaps inevitable, for a sub-group of a
+ working group to develop a proposal to solve a particular problem.
+ Such a sub-group is called a design team. In order for a design team
+ to remain small and agile, it is acceptable to have closed membership
+ and private meetings. Design teams may range from an informal chat
+ between people in a hallway to a formal set of expert volunteers that
+ the WG chair or AD appoints to attack a controversial problem. The
+ output of a design team is always subject to approval, rejection or
+ modification by the WG as a whole.
+
+6.6. Working Group Consultant
+
+ At the discretion of the Area Director, a Consultant may be assigned
+ to a working group. Consultants have specific technical background
+ appropriate to the WG and experience in Internet architecture and
+ IETF process.
+
+6.7. Area Director
+
+ Area Directors are responsible for ensuring that working groups in
+ their area produce coherent, coordinated, architecturally consistent
+ and timely output as a contribution to the overall results of the
+ IETF.
+
+7. Working Group Documents
+
+7.1. Session documents
+
+ All relevant documents to be discussed at a session should be
+ published and available as Internet-Drafts at least two weeks before
+ a session starts. Any document which does not meet this publication
+ deadline can only be discussed in a working group session with the
+ specific approval of the working group chair(s). Since it is
+ important that working group members have adequate time to review all
+ documents, granting such an exception should only be done under
+ unusual conditions. The final session agenda should be posted to the
+ working group mailing list at least two weeks before the session and
+ sent at that time to agenda@ietf.org for publication on the IETF web
+ site.
+
+7.2. Internet-Drafts (I-D)
+
+ The Internet-Drafts directory is provided to working groups as a
+ resource for posting and disseminating in-process copies of working
+ group documents. This repository is replicated at various locations
+ around the Internet. It is encouraged that draft documents be posted
+
+
+
+Bradner Best Current Practice [Page 19]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ as soon as they become reasonably stable.
+
+ It is stressed here that Internet-Drafts are working documents and
+ have no official standards status whatsoever. They may, eventually,
+ turn into a standards-track document or they may sink from sight.
+ Internet-Drafts are submitted to: internet-drafts@ietf.org
+
+ The format of an Internet-Draft must be the same as for an RFC [2].
+ Further, an I-D must contain:
+
+ - Beginning, standard, boilerplate text which is provided by the
+ Secretariat on their web site and in the ftp directory;
+ - The I-D filename; and
+ - The expiration date for the I-D.
+
+ Complete specification of requirements for an Internet-Draft are
+ found in the file "1id-guidelines.txt" in the Internet-Drafts
+ directory at an Internet Repository site. The organization of the
+ Internet-Drafts directory is found in the file "1id-organization" in
+ the Internet-Drafts directory at an Internet Repository site. This
+ file also contains the rules for naming Internet-Drafts. (See [1]
+ for more information about Internet-Drafts.)
+
+7.3. Request For Comments (RFC)
+
+ The work of an IETF working group often results in publication of one
+ or more documents, as part of the Request For Comments (RFCs) [1]
+ series. This series is the archival publication record for the
+ Internet community. A document can be written by an individual in a
+ working group, by a group as a whole with a designated Editor, or by
+ others not involved with the IETF.
+
+ NOTE: The RFC series is a publication mechanism only and publication
+ does not determine the IETF status of a document. Status is
+ determined through separate, explicit status labels assigned by the
+ IESG on behalf of the IETF. In other words, the reader is reminded
+ that all Internet Standards are published as RFCs, but NOT all RFCs
+ specify standards [4].
+
+7.4. Working Group Last-Call
+
+ When a WG decides that a document is ready for publication it may be
+ submitted to the IESG for consideration. In most cases the
+ determination that a WG feels that a document is ready for
+ publication is done by the WG Chair issuing a working group Last-
+ Call. The decision to issue a working group Last-Call is at the
+ discretion of the WG Chair working with the Area Director. A working
+ group Last-Call serves the same purpose within a working group that
+
+
+
+Bradner Best Current Practice [Page 20]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ an IESG Last-Call does in the broader IETF community (see [1]).
+
+7.5. Submission of documents
+
+ Once that a WG has determined at least rough consensus exists within
+ the WG for the advancement of a document the following must be done:
+
+ - The version of the relevant document exactly as agreed to by the WG
+ MUST be in the Internet-Drafts directory.
+
+ - The relevant document MUST be formatted according to section 7.3.
+
+ - The WG Chair MUST send email to the relevant Area Director. A copy
+ of the request MUST be also sent to the IESG Secretariat. The mail
+ MUST contain the reference to the document's ID filename, and the
+ action requested. The copy of the message to the IESG Secretariat
+ is to ensure that the request gets recorded by the Secretariat so
+ that they can monitor the progress of the document through the
+ process.
+
+ Unless returned by the IESG to the WG for further development,
+ progressing of the document is then the responsibility of the IESG.
+ After IESG approval, responsibility for final disposition is the
+ joint responsibility of the RFC Editor, the WG Chair and the Document
+ Editor.
+
+8. Review of documents
+
+ The IESG reviews all documents submitted for publication as RFCs.
+ Usually minimal IESG review is necessary in the case of a submission
+ from a WG intended as an Informational or Experimental RFC. More
+ extensive review is undertaken in the case of standards-track
+ documents.
+
+ Prior to the IESG beginning their deliberations on standards-track
+ documents, IETF Secretariat will issue a "Last-Call" to the IETF
+ mailing list (see [1]). This Last Call will announce the intention of
+ the IESG to consider the document, and it will solicit final comments
+ from the IETF within a period of two weeks. It is important to note
+ that a Last-Call is intended as a brief, final check with the
+ Internet community, to make sure that no important concerns have been
+ missed or misunderstood. The Last-Call should not serve as a more
+ general, in-depth review.
+
+ The IESG review takes into account responses to the Last-Call and
+ will lead to one of these possible conclusions:
+
+
+
+
+
+Bradner Best Current Practice [Page 21]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ 1. The document is accepted as is for the status requested.
+ This fact will be announced by the IETF Secretariat to the IETF
+ mailing list and to the RFC Editor.
+
+ 2. The document is accepted as-is but not for the status requested.
+ This fact will be announced by the IETF Secretariat to the IETF
+ mailing list and to the RFC Editor (see [1] for more details).
+
+ 3. Changes regarding content are suggested to the author(s)/WG.
+ Suggestions from the IESG must be clear and direct, so as to
+ facilitate working group and author correction of the
+ specification. If the author(s)/WG can explain to the
+ satisfaction of the IESG why the changes are not necessary, the
+ document will be accepted for publication as under point 1, above.
+ If the changes are made the revised document may be resubmitted
+ for IESG review.
+
+ 4. Changes are suggested by the IESG and a change in status is
+ recommended.
+ The process described above for 3 and 2 are followed in that
+ order.
+
+ 5. The document is rejected.
+ Any document rejection will be accompanied by specific and
+ thorough arguments from the IESG. Although the IETF and working
+ group process is structured such that this alternative is not
+ likely to arise for documents coming from a working group, the
+ IESG has the right and responsibility to reject documents that the
+ IESG feels are fatally flawed in some way.
+
+ If any individual or group of individuals feels that the review
+ treatment has been unfair, there is the opportunity to make a
+ procedural complaint. The mechanism for this type of complaints is
+ described in [1].
+
+9. Security Considerations
+
+ Documents describing IETF processes, such as this one, do not have an
+ impact on the security of the network infrastructure or of Internet
+ applications.
+
+ It should be noted that all IETF working groups are required to
+ examine and understand the security implications of any technology
+ they develop. This analysis must be included in any resulting RFCs
+ in a Security Considerations section. Note that merely noting a
+ significant security hole is no longer sufficient. IETF developed
+ technologies should not add insecurity to the environment in which
+ they are run.
+
+
+
+Bradner Best Current Practice [Page 22]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+10. Acknowledgments
+
+ This revision of this document relies heavily on the previous version
+ (RFC 1603) which was edited by Erik Huizer and Dave Crocker. It has
+ been reviewed by the Poisson Working Group.
+
+11. References
+
+ [1] Bradner, S., Editor, "The Internet Standards Process -- Revision
+ 3", BCP 9, RFC 2026, October 1996.
+
+ [2] Hovey, R., and S. Bradner, "The Organizations involved in the
+ IETF Standards Process", BCP 11, RFC 2028, October 1996.
+
+ [3] Gavin, J., "IAB and IESG Selection, Confirmation, and Recall
+ Process: Operation of the Nominating and Recall Committees", BCP
+ 10, RFC 2282, February 1998.
+
+ [4] Huitema, C., J. Postel, S. Crocker, "Not all RFCs are Standards",
+ RFC 1796, April 1995.
+
+ [5] Postel, J., and J. Reynolds, "Instructions to RFC Authors", RFC
+ 2223, October 1997.
+
+ [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Level", BCP 14, RFC 2119, March 1997.
+
+
+12. Editor's Address
+
+ Scott Bradner
+ Harvard University
+ 1350 Mass Ave.
+ Cambridge MA
+ 02138
+ USA
+
+ Phone +1 617 495 3864
+ EMail: sob@harvard.edu
+
+
+
+
+
+
+
+
+
+
+
+
+Bradner Best Current Practice [Page 23]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Appendix: Sample Working Group Charter
+
+ Working Group Name:
+ IP Telephony (iptel)
+
+ IETF Area:
+ Transport Area
+
+ Chair(s):
+ Jonathan Rosenberg <jdrosen@bell-labs.com>
+
+ Transport Area Director(s):
+ Scott Bradner <sob@harvard.edu>
+ Allyn Romanow <allyn@mci.net>
+
+ Responsible Area Director:
+ Allyn Romanow <allyn@mci.net>
+
+ Mailing Lists:
+ General Discussion:iptel@lists.research.bell-labs.com
+ To Subscribe: iptel-request@lists.research.bell-labs.com
+ Archive: http://www.bell-labs.com/mailing-lists/siptel
+
+ Description of Working Group:
+
+ Before Internet telephony can become a widely deployed service, a
+ number of protocols must be deployed. These include signaling and
+ capabilities exchange, but also include a number of "peripheral"
+ protocols for providing related services.
+
+ The primary purpose of this working group is to develop two such
+ supportive protocols and a frameword document. They are:
+
+ 1. Call Processing Syntax. When a call is setup between two
+ endpoints, the signaling will generally pass through several servers
+ (such as an H.323 gatekeeper) which are responsible for forwarding,
+ redirecting, or proxying the signaling messages. For example, a user
+ may make a call to j.doe@bigcompany.com. The signaling message to
+ initiate the call will arrive at some server at bigcompany. This
+ server can inform the caller that the callee is busy, forward the
+ call initiation request to another server closer to the user, or drop
+ the call completely (among other possibilities). It is very desirable
+ to allow the callee to provide input to this process, guiding the
+ server in its decision on how to act. This can enable a wide variety
+ of advanced personal mobility and call agent services.
+
+
+
+
+
+
+Bradner Best Current Practice [Page 24]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+ Such preferences can be expressed in a call processing syntax, which
+ can be authored by the user (or generated automatically by some
+ tool), and then uploaded to the server. The group will develop this
+ syntax, and specify means of securely transporting and extending it.
+ The result will be a single standards track RFC.
+
+ 2. In addition, the group will write a service model document, which
+ describes the services that are enabled by the call processing
+ syntax, and discusses how the syntax can be used. This document will
+ result in a single RFC.
+
+ 3. Gateway Attribute Distribution Protocol. When making a call
+ between an IP host and a PSTN user, a telephony gateway must be used.
+ The selection of such gateways can be based on many criteria,
+ including client expressed preferences, service provider preferences,
+ and availability of gateways, in addition to destination telephone
+ number. Since gateways outside of the hosts' administrative domain
+ might be used, a protocol is required to allow gateways in remote
+ domains to distribute their attributes (such as PSTN connectivity,
+ supported codecs, etc.) to entities in other domains which must make
+ a selection of a gateway. The protocol must allow for scalable,
+ bandwidth efficient, and very secure transmission of these
+ attributes. The group will investigate and design a protocol for this
+ purpose, generate an Internet Draft, and advance it to RFC as
+ appropriate.
+
+ Goals and Milestones:
+
+ May 98 Issue first Internet-Draft on service framework
+ Jul 98 Submit framework ID to IESG for publication as an RFC.
+ Aug 98 Issue first Internet-Draft on Call Processing Syntax
+ Oct 98 Submit Call processing syntax to IESG for consideration
+ as a Proposed Standard.
+ Dec 98 Achieve consensus on basics of gateway attribute
+ distribution protocol
+ Jan 99 Submit Gateway Attribute Distribution protocol to IESG
+ for consideration as a RFC (info, exp, stds track TB
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bradner Best Current Practice [Page 25]
+
+RFC 2418 Working Group Guidelines September 1998
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1998). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bradner Best Current Practice [Page 26]
+
diff --git a/contrib/bind9/doc/rfc/rfc2535.txt b/contrib/bind9/doc/rfc/rfc2535.txt
new file mode 100644
index 0000000..fe0b3d0
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2535.txt
@@ -0,0 +1,2635 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2535 IBM
+Obsoletes: 2065 March 1999
+Updates: 2181, 1035, 1034
+Category: Standards Track
+
+ Domain Name System Security Extensions
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ Extensions to the Domain Name System (DNS) are described that provide
+ data integrity and authentication to security aware resolvers and
+ applications through the use of cryptographic digital signatures.
+ These digital signatures are included in secured zones as resource
+ records. Security can also be provided through non-security aware
+ DNS servers in some cases.
+
+ The extensions provide for the storage of authenticated public keys
+ in the DNS. This storage of keys can support general public key
+ distribution services as well as DNS security. The stored keys
+ enable security aware resolvers to learn the authenticating key of
+ zones in addition to those for which they are initially configured.
+ Keys associated with DNS names can be retrieved to support other
+ protocols. Provision is made for a variety of key types and
+ algorithms.
+
+ In addition, the security extensions provide for the optional
+ authentication of DNS protocol transactions and requests.
+
+ This document incorporates feedback on RFC 2065 from early
+ implementers and potential users.
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+Acknowledgments
+
+ The significant contributions and suggestions of the following
+ persons (in alphabetic order) to DNS security are gratefully
+ acknowledged:
+
+ James M. Galvin
+ John Gilmore
+ Olafur Gudmundsson
+ Charlie Kaufman
+ Edward Lewis
+ Thomas Narten
+ Radia J. Perlman
+ Jeffrey I. Schiller
+ Steven (Xunhua) Wang
+ Brian Wellington
+
+Table of Contents
+
+ Abstract...................................................1
+ Acknowledgments............................................2
+ 1. Overview of Contents....................................4
+ 2. Overview of the DNS Extensions..........................5
+ 2.1 Services Not Provided..................................5
+ 2.2 Key Distribution.......................................5
+ 2.3 Data Origin Authentication and Integrity...............6
+ 2.3.1 The SIG Resource Record..............................7
+ 2.3.2 Authenticating Name and Type Non-existence...........7
+ 2.3.3 Special Considerations With Time-to-Live.............7
+ 2.3.4 Special Considerations at Delegation Points..........8
+ 2.3.5 Special Considerations with CNAME....................8
+ 2.3.6 Signers Other Than The Zone..........................9
+ 2.4 DNS Transaction and Request Authentication.............9
+ 3. The KEY Resource Record................................10
+ 3.1 KEY RDATA format......................................10
+ 3.1.1 Object Types, DNS Names, and Keys...................11
+ 3.1.2 The KEY RR Flag Field...............................11
+ 3.1.3 The Protocol Octet..................................13
+ 3.2 The KEY Algorithm Number Specification................14
+ 3.3 Interaction of Flags, Algorithm, and Protocol Bytes...15
+ 3.4 Determination of Zone Secure/Unsecured Status.........15
+ 3.5 KEY RRs in the Construction of Responses..............17
+ 4. The SIG Resource Record................................17
+ 4.1 SIG RDATA Format......................................17
+ 4.1.1 Type Covered Field..................................18
+ 4.1.2 Algorithm Number Field..............................18
+ 4.1.3 Labels Field........................................18
+ 4.1.4 Original TTL Field..................................19
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 4.1.5 Signature Expiration and Inception Fields...........19
+ 4.1.6 Key Tag Field.......................................20
+ 4.1.7 Signer's Name Field.................................20
+ 4.1.8 Signature Field.....................................20
+ 4.1.8.1 Calculating Transaction and Request SIGs..........21
+ 4.2 SIG RRs in the Construction of Responses..............21
+ 4.3 Processing Responses and SIG RRs......................22
+ 4.4 Signature Lifetime, Expiration, TTLs, and Validity....23
+ 5. Non-existent Names and Types...........................24
+ 5.1 The NXT Resource Record...............................24
+ 5.2 NXT RDATA Format......................................25
+ 5.3 Additional Complexity Due to Wildcards................26
+ 5.4 Example...............................................26
+ 5.5 Special Considerations at Delegation Points...........27
+ 5.6 Zone Transfers........................................27
+ 5.6.1 Full Zone Transfers.................................28
+ 5.6.2 Incremental Zone Transfers..........................28
+ 6. How to Resolve Securely and the AD and CD Bits.........29
+ 6.1 The AD and CD Header Bits.............................29
+ 6.2 Staticly Configured Keys..............................31
+ 6.3 Chaining Through The DNS..............................31
+ 6.3.1 Chaining Through KEYs...............................31
+ 6.3.2 Conflicting Data....................................33
+ 6.4 Secure Time...........................................33
+ 7. ASCII Representation of Security RRs...................34
+ 7.1 Presentation of KEY RRs...............................34
+ 7.2 Presentation of SIG RRs...............................35
+ 7.3 Presentation of NXT RRs...............................36
+ 8. Canonical Form and Order of Resource Records...........36
+ 8.1 Canonical RR Form.....................................36
+ 8.2 Canonical DNS Name Order..............................37
+ 8.3 Canonical RR Ordering Within An RRset.................37
+ 8.4 Canonical Ordering of RR Types........................37
+ 9. Conformance............................................37
+ 9.1 Server Conformance....................................37
+ 9.2 Resolver Conformance..................................38
+ 10. Security Considerations...............................38
+ 11. IANA Considerations...................................39
+ References................................................39
+ Author's Address..........................................41
+ Appendix A: Base 64 Encoding..............................42
+ Appendix B: Changes from RFC 2065.........................44
+ Appendix C: Key Tag Calculation...........................46
+ Full Copyright Statement..................................47
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+1. Overview of Contents
+
+ This document standardizes extensions of the Domain Name System (DNS)
+ protocol to support DNS security and public key distribution. It
+ assumes that the reader is familiar with the Domain Name System,
+ particularly as described in RFCs 1033, 1034, 1035 and later RFCs. An
+ earlier version of these extensions appears in RFC 2065. This
+ replacement for that RFC incorporates early implementation experience
+ and requests from potential users.
+
+ Section 2 provides an overview of the extensions and the key
+ distribution, data origin authentication, and transaction and request
+ security they provide.
+
+ Section 3 discusses the KEY resource record, its structure, and use
+ in DNS responses. These resource records represent the public keys
+ of entities named in the DNS and are used for key distribution.
+
+ Section 4 discusses the SIG digital signature resource record, its
+ structure, and use in DNS responses. These resource records are used
+ to authenticate other resource records in the DNS and optionally to
+ authenticate DNS transactions and requests.
+
+ Section 5 discusses the NXT resource record (RR) and its use in DNS
+ responses including full and incremental zone transfers. The NXT RR
+ permits authenticated denial of the existence of a name or of an RR
+ type for an existing name.
+
+ Section 6 discusses how a resolver can be configured with a starting
+ key or keys and proceed to securely resolve DNS requests.
+ Interactions between resolvers and servers are discussed for various
+ combinations of security aware and security non-aware. Two
+ additional DNS header bits are defined for signaling between
+ resolvers and servers.
+
+ Section 7 describes the ASCII representation of the security resource
+ records for use in master files and elsewhere.
+
+ Section 8 defines the canonical form and order of RRs for DNS
+ security purposes.
+
+ Section 9 defines levels of conformance for resolvers and servers.
+
+ Section 10 provides a few paragraphs on overall security
+ considerations.
+
+ Section 11 specified IANA considerations for allocation of additional
+ values of paramters defined in this document.
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Appendix A gives details of base 64 encoding which is used in the
+ file representation of some RRs defined in this document.
+
+ Appendix B summarizes changes between this memo and RFC 2065.
+
+ Appendix C specified how to calculate the simple checksum used as a
+ key tag in most SIG RRs.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. Overview of the DNS Extensions
+
+ The Domain Name System (DNS) protocol security extensions provide
+ three distinct services: key distribution as described in Section 2.2
+ below, data origin authentication as described in Section 2.3 below,
+ and transaction and request authentication, described in Section 2.4
+ below.
+
+ Special considerations related to "time to live", CNAMEs, and
+ delegation points are also discussed in Section 2.3.
+
+2.1 Services Not Provided
+
+ It is part of the design philosophy of the DNS that the data in it is
+ public and that the DNS gives the same answers to all inquirers.
+ Following this philosophy, no attempt has been made to include any
+ sort of access control lists or other means to differentiate
+ inquirers.
+
+ No effort has been made to provide for any confidentiality for
+ queries or responses. (This service may be available via IPSEC [RFC
+ 2401], TLS, or other security protocols.)
+
+ Protection is not provided against denial of service.
+
+2.2 Key Distribution
+
+ A resource record format is defined to associate keys with DNS names.
+ This permits the DNS to be used as a public key distribution
+ mechanism in support of DNS security itself and other protocols.
+
+ The syntax of a KEY resource record (RR) is described in Section 3.
+ It includes an algorithm identifier, the actual public key
+ parameter(s), and a variety of flags including those indicating the
+ type of entity the key is associated with and/or asserting that there
+ is no key associated with that entity.
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Under conditions described in Section 3.5, security aware DNS servers
+ will automatically attempt to return KEY resources as additional
+ information, along with those resource records actually requested, to
+ minimize the number of queries needed.
+
+2.3 Data Origin Authentication and Integrity
+
+ Authentication is provided by associating with resource record sets
+ (RRsets [RFC 2181]) in the DNS cryptographically generated digital
+ signatures. Commonly, there will be a single private key that
+ authenticates an entire zone but there might be multiple keys for
+ different algorithms, signers, etc. If a security aware resolver
+ reliably learns a public key of the zone, it can authenticate, for
+ signed data read from that zone, that it is properly authorized. The
+ most secure implementation is for the zone private key(s) to be kept
+ off-line and used to re-sign all of the records in the zone
+ periodically. However, there are cases, for example dynamic update
+ [RFCs 2136, 2137], where DNS private keys need to be on-line [RFC
+ 2541].
+
+ The data origin authentication key(s) are associated with the zone
+ and not with the servers that store copies of the data. That means
+ compromise of a secondary server or, if the key(s) are kept off line,
+ even the primary server for a zone, will not necessarily affect the
+ degree of assurance that a resolver has that it can determine whether
+ data is genuine.
+
+ A resolver could learn a public key of a zone either by reading it
+ from the DNS or by having it staticly configured. To reliably learn
+ a public key by reading it from the DNS, the key itself must be
+ signed with a key the resolver trusts. The resolver must be
+ configured with at least a public key which authenticates one zone as
+ a starting point. From there, it can securely read public keys of
+ other zones, if the intervening zones in the DNS tree are secure and
+ their signed keys accessible.
+
+ Adding data origin authentication and integrity requires no change to
+ the "on-the-wire" DNS protocol beyond the addition of the signature
+ resource type and the key resource type needed for key distribution.
+ (Data non-existence authentication also requires the NXT RR as
+ described in 2.3.2.) This service can be supported by existing
+ resolver and caching server implementations so long as they can
+ support the additional resource types (see Section 9). The one
+ exception is that CNAME referrals in a secure zone can not be
+ authenticated if they are from non-security aware servers (see
+ Section 2.3.5).
+
+
+
+
+
+Eastlake Standards Track [Page 6]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ If signatures are separately retrieved and verified when retrieving
+ the information they authenticate, there will be more trips to the
+ server and performance will suffer. Security aware servers mitigate
+ that degradation by attempting to send the signature(s) needed (see
+ Section 4.2).
+
+2.3.1 The SIG Resource Record
+
+ The syntax of a SIG resource record (signature) is described in
+ Section 4. It cryptographicly binds the RRset being signed to the
+ signer and a validity interval.
+
+ Every name in a secured zone will have associated with it at least
+ one SIG resource record for each resource type under that name except
+ for glue address RRs and delegation point NS RRs. A security aware
+ server will attempt to return, with RRs retrieved, the corresponding
+ SIGs. If a server is not security aware, the resolver must retrieve
+ all the SIG records for a name and select the one or ones that sign
+ the resource record set(s) that resolver is interested in.
+
+2.3.2 Authenticating Name and Type Non-existence
+
+ The above security mechanism only provides a way to sign existing
+ RRsets in a zone. "Data origin" authentication is not obviously
+ provided for the non-existence of a domain name in a zone or the
+ non-existence of a type for an existing name. This gap is filled by
+ the NXT RR which authenticatably asserts a range of non-existent
+ names in a zone and the non-existence of types for the existing name
+ just before that range.
+
+ Section 5 below covers the NXT RR.
+
+2.3.3 Special Considerations With Time-to-Live
+
+ A digital signature will fail to verify if any change has occurred to
+ the data between the time it was originally signed and the time the
+ signature is verified. This conflicts with our desire to have the
+ time-to-live (TTL) field of resource records tick down while they are
+ cached.
+
+ This could be avoided by leaving the time-to-live out of the digital
+ signature, but that would allow unscrupulous servers to set
+ arbitrarily long TTL values undetected. Instead, we include the
+ "original" TTL in the signature and communicate that data along with
+ the current TTL. Unscrupulous servers under this scheme can
+ manipulate the TTL but a security aware resolver will bound the TTL
+ value it uses at the original signed value. Separately, signatures
+ include a signature inception time and a signature expiration time. A
+
+
+
+Eastlake Standards Track [Page 7]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ resolver that knows the absolute time can determine securely whether
+ a signature is in effect. It is not possible to rely solely on the
+ signature expiration as a substitute for the TTL, however, since the
+ TTL is primarily a database consistency mechanism and non-security
+ aware servers that depend on TTL must still be supported.
+
+2.3.4 Special Considerations at Delegation Points
+
+ DNS security would like to view each zone as a unit of data
+ completely under the control of the zone owner with each entry
+ (RRset) signed by a special private key held by the zone manager.
+ But the DNS protocol views the leaf nodes in a zone, which are also
+ the apex nodes of a subzone (i.e., delegation points), as "really"
+ belonging to the subzone. These nodes occur in two master files and
+ might have RRs signed by both the upper and lower zone's keys. A
+ retrieval could get a mixture of these RRs and SIGs, especially since
+ one server could be serving both the zone above and below a
+ delegation point. [RFC 2181]
+
+ There MUST be a zone KEY RR, signed by its superzone, for every
+ subzone if the superzone is secure. This will normally appear in the
+ subzone and may also be included in the superzone. But, in the case
+ of an unsecured subzone which can not or will not be modified to add
+ any security RRs, a KEY declaring the subzone to be unsecured MUST
+ appear with the superzone signature in the superzone, if the
+ superzone is secure. For all but one other RR type the data from the
+ subzone is more authoritative so only the subzone KEY RR should be
+ signed in the superzone if it appears there. The NS and any glue
+ address RRs SHOULD only be signed in the subzone. The SOA and any
+ other RRs that have the zone name as owner should appear only in the
+ subzone and thus are signed only there. The NXT RR type is the
+ exceptional case that will always appear differently and
+ authoritatively in both the superzone and subzone, if both are
+ secure, as described in Section 5.
+
+2.3.5 Special Considerations with CNAME
+
+ There is a problem when security related RRs with the same owner name
+ as a CNAME RR are retrieved from a non-security-aware server. In
+ particular, an initial retrieval for the CNAME or any other type may
+ not retrieve any associated SIG, KEY, or NXT RR. For retrieved types
+ other than CNAME, it will retrieve that type at the target name of
+ the CNAME (or chain of CNAMEs) and will also return the CNAME. In
+ particular, a specific retrieval for type SIG will not get the SIG,
+ if any, at the original CNAME domain name but rather a SIG at the
+ target name.
+
+
+
+
+
+Eastlake Standards Track [Page 8]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Security aware servers must be used to securely CNAME in DNS.
+ Security aware servers MUST (1) allow KEY, SIG, and NXT RRs along
+ with CNAME RRs, (2) suppress CNAME processing on retrieval of these
+ types as well as on retrieval of the type CNAME, and (3)
+ automatically return SIG RRs authenticating the CNAME or CNAMEs
+ encountered in resolving a query. This is a change from the previous
+ DNS standard [RFCs 1034/1035] which prohibited any other RR type at a
+ node where a CNAME RR was present.
+
+2.3.6 Signers Other Than The Zone
+
+ There are cases where the signer in a SIG resource record is other
+ than one of the private key(s) used to authenticate a zone.
+
+ One is for support of dynamic update [RFC 2136] (or future requests
+ which require secure authentication) where an entity is permitted to
+ authenticate/update its records [RFC 2137] and the zone is operating
+ in a mode where the zone key is not on line. The public key of the
+ entity must be present in the DNS and be signed by a zone level key
+ but the other RR(s) may be signed with the entity's key.
+
+ A second case is support of transaction and request authentication as
+ described in Section 2.4.
+
+ In additions, signatures can be included on resource records within
+ the DNS for use by applications other than DNS. DNS related
+ signatures authenticate that data originated with the authority of a
+ zone owner or that a request or transaction originated with the
+ relevant entity. Other signatures can provide other types of
+ assurances.
+
+2.4 DNS Transaction and Request Authentication
+
+ The data origin authentication service described above protects
+ retrieved resource records and the non-existence of resource records
+ but provides no protection for DNS requests or for message headers.
+
+ If header bits are falsely set by a bad server, there is little that
+ can be done. However, it is possible to add transaction
+ authentication. Such authentication means that a resolver can be
+ sure it is at least getting messages from the server it thinks it
+ queried and that the response is from the query it sent (i.e., that
+ these messages have not been diddled in transit). This is
+ accomplished by optionally adding a special SIG resource record at
+ the end of the reply which digitally signs the concatenation of the
+ server's response and the resolver's query.
+
+
+
+
+
+Eastlake Standards Track [Page 9]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Requests can also be authenticated by including a special SIG RR at
+ the end of the request. Authenticating requests serves no function
+ in older DNS servers and requests with a non-empty additional
+ information section produce error returns or may even be ignored by
+ many of them. However, this syntax for signing requests is defined as
+ a way of authenticating secure dynamic update requests [RFC 2137] or
+ future requests requiring authentication.
+
+ The private keys used in transaction security belong to the entity
+ composing the reply, not to the zone involved. Request
+ authentication may also involve the private key of the host or other
+ entity composing the request or other private keys depending on the
+ request authority it is sought to establish. The corresponding public
+ key(s) are normally stored in and retrieved from the DNS for
+ verification.
+
+ Because requests and replies are highly variable, message
+ authentication SIGs can not be pre-calculated. Thus it will be
+ necessary to keep the private key on-line, for example in software or
+ in a directly connected piece of hardware.
+
+3. The KEY Resource Record
+
+ The KEY resource record (RR) is used to store a public key that is
+ associated with a Domain Name System (DNS) name. This can be the
+ public key of a zone, a user, or a host or other end entity. Security
+ aware DNS implementations MUST be designed to handle at least two
+ simultaneously valid keys of the same type associated with the same
+ name.
+
+ The type number for the KEY RR is 25.
+
+ A KEY RR is, like any other RR, authenticated by a SIG RR. KEY RRs
+ must be signed by a zone level key.
+
+3.1 KEY RDATA format
+
+ The RDATA for a KEY RR consists of flags, a protocol octet, the
+ algorithm number octet, and the public key itself. The format is as
+ follows:
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 10]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | flags | protocol | algorithm |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | /
+ / public key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+ The KEY RR is not intended for storage of certificates and a separate
+ certificate RR has been developed for that purpose, defined in [RFC
+ 2538].
+
+ The meaning of the KEY RR owner name, flags, and protocol octet are
+ described in Sections 3.1.1 through 3.1.5 below. The flags and
+ algorithm must be examined before any data following the algorithm
+ octet as they control the existence and format of any following data.
+ The algorithm and public key fields are described in Section 3.2.
+ The format of the public key is algorithm dependent.
+
+ KEY RRs do not specify their validity period but their authenticating
+ SIG RR(s) do as described in Section 4 below.
+
+3.1.1 Object Types, DNS Names, and Keys
+
+ The public key in a KEY RR is for the object named in the owner name.
+
+ A DNS name may refer to three different categories of things. For
+ example, foo.host.example could be (1) a zone, (2) a host or other
+ end entity , or (3) the mapping into a DNS name of the user or
+ account foo@host.example. Thus, there are flag bits, as described
+ below, in the KEY RR to indicate with which of these roles the owner
+ name and public key are associated. Note that an appropriate zone
+ KEY RR MUST occur at the apex node of a secure zone and zone KEY RRs
+ occur only at delegation points.
+
+3.1.2 The KEY RR Flag Field
+
+ In the "flags" field:
+
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ | A/C | Z | XT| Z | Z | NAMTYP| Z | Z | Z | Z | SIG |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+
+ Bit 0 and 1 are the key "type" bits whose values have the following
+ meanings:
+
+
+
+Eastlake Standards Track [Page 11]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 10: Use of the key is prohibited for authentication.
+ 01: Use of the key is prohibited for confidentiality.
+ 00: Use of the key for authentication and/or confidentiality
+ is permitted. Note that DNS security makes use of keys
+ for authentication only. Confidentiality use flagging is
+ provided for use of keys in other protocols.
+ Implementations not intended to support key distribution
+ for confidentiality MAY require that the confidentiality
+ use prohibited bit be on for keys they serve.
+ 11: If both bits are one, the "no key" value, there is no key
+ information and the RR stops after the algorithm octet.
+ By the use of this "no key" value, a signed KEY RR can
+ authenticatably assert that, for example, a zone is not
+ secured. See section 3.4 below.
+
+ Bits 2 is reserved and must be zero.
+
+ Bits 3 is reserved as a flag extension bit. If it is a one, a second
+ 16 bit flag field is added after the algorithm octet and
+ before the key data. This bit MUST NOT be set unless one or
+ more such additional bits have been defined and are non-zero.
+
+ Bits 4-5 are reserved and must be zero.
+
+ Bits 6 and 7 form a field that encodes the name type. Field values
+ have the following meanings:
+
+ 00: indicates that this is a key associated with a "user" or
+ "account" at an end entity, usually a host. The coding
+ of the owner name is that used for the responsible
+ individual mailbox in the SOA and RP RRs: The owner name
+ is the user name as the name of a node under the entity
+ name. For example, "j_random_user" on
+ host.subdomain.example could have a public key associated
+ through a KEY RR with name
+ j_random_user.host.subdomain.example. It could be used
+ in a security protocol where authentication of a user was
+ desired. This key might be useful in IP or other
+ security for a user level service such a telnet, ftp,
+ rlogin, etc.
+ 01: indicates that this is a zone key for the zone whose name
+ is the KEY RR owner name. This is the public key used
+ for the primary DNS security feature of data origin
+ authentication. Zone KEY RRs occur only at delegation
+ points.
+ 10: indicates that this is a key associated with the non-zone
+ "entity" whose name is the RR owner name. This will
+ commonly be a host but could, in some parts of the DNS
+
+
+
+Eastlake Standards Track [Page 12]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ tree, be some other type of entity such as a telephone
+ number [RFC 1530] or numeric IP address. This is the
+ public key used in connection with DNS request and
+ transaction authentication services. It could also be
+ used in an IP-security protocol where authentication at
+ the host, rather than user, level was desired, such as
+ routing, NTP, etc.
+ 11: reserved.
+
+ Bits 8-11 are reserved and must be zero.
+
+ Bits 12-15 are the "signatory" field. If non-zero, they indicate
+ that the key can validly sign things as specified in DNS
+ dynamic update [RFC 2137]. Note that zone keys (see bits
+ 6 and 7 above) always have authority to sign any RRs in
+ the zone regardless of the value of the signatory field.
+
+3.1.3 The Protocol Octet
+
+ It is anticipated that keys stored in DNS will be used in conjunction
+ with a variety of Internet protocols. It is intended that the
+ protocol octet and possibly some of the currently unused (must be
+ zero) bits in the KEY RR flags as specified in the future will be
+ used to indicate a key's validity for different protocols.
+
+ The following values of the Protocol Octet are reserved as indicated:
+
+ VALUE Protocol
+
+ 0 -reserved
+ 1 TLS
+ 2 email
+ 3 dnssec
+ 4 IPSEC
+ 5-254 - available for assignment by IANA
+ 255 All
+
+ In more detail:
+ 1 is reserved for use in connection with TLS.
+ 2 is reserved for use in connection with email.
+ 3 is used for DNS security. The protocol field SHOULD be set to
+ this value for zone keys and other keys used in DNS security.
+ Implementations that can determine that a key is a DNS
+ security key by the fact that flags label it a zone key or the
+ signatory flag field is non-zero are NOT REQUIRED to check the
+ protocol field.
+ 4 is reserved to refer to the Oakley/IPSEC [RFC 2401] protocol
+ and indicates that this key is valid for use in conjunction
+
+
+
+Eastlake Standards Track [Page 13]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ with that security standard. This key could be used in
+ connection with secured communication on behalf of an end
+ entity or user whose name is the owner name of the KEY RR if
+ the entity or user flag bits are set. The presence of a KEY
+ resource with this protocol value is an assertion that the
+ host speaks Oakley/IPSEC.
+ 255 indicates that the key can be used in connection with any
+ protocol for which KEY RR protocol octet values have been
+ defined. The use of this value is discouraged and the use of
+ different keys for different protocols is encouraged.
+
+3.2 The KEY Algorithm Number Specification
+
+ This octet is the key algorithm parallel to the same field for the
+ SIG resource as described in Section 4.1. The following values are
+ assigned:
+
+ VALUE Algorithm
+
+ 0 - reserved, see Section 11
+ 1 RSA/MD5 [RFC 2537] - recommended
+ 2 Diffie-Hellman [RFC 2539] - optional, key only
+ 3 DSA [RFC 2536] - MANDATORY
+ 4 reserved for elliptic curve crypto
+ 5-251 - available, see Section 11
+ 252 reserved for indirect keys
+ 253 private - domain name (see below)
+ 254 private - OID (see below)
+ 255 - reserved, see Section 11
+
+ Algorithm specific formats and procedures are given in separate
+ documents. The mandatory to implement for interoperability algorithm
+ is number 3, DSA. It is recommended that the RSA/MD5 algorithm,
+ number 1, also be implemented. Algorithm 2 is used to indicate
+ Diffie-Hellman keys and algorithm 4 is reserved for elliptic curve.
+
+ Algorithm number 252 indicates an indirect key format where the
+ actual key material is elsewhere. This format is to be defined in a
+ separate document.
+
+ Algorithm numbers 253 and 254 are reserved for private use and will
+ never be assigned a specific algorithm. For number 253, the public
+ key area and the signature begin with a wire encoded domain name.
+ Only local domain name compression is permitted. The domain name
+ indicates the private algorithm to use and the remainder of the
+ public key area is whatever is required by that algorithm. For
+ number 254, the public key area for the KEY RR and the signature
+ begin with an unsigned length byte followed by a BER encoded Object
+
+
+
+Eastlake Standards Track [Page 14]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Identifier (ISO OID) of that length. The OID indicates the private
+ algorithm in use and the remainder of the area is whatever is
+ required by that algorithm. Entities should only use domain names
+ and OIDs they control to designate their private algorithms.
+
+ Values 0 and 255 are reserved but the value 0 is used in the
+ algorithm field when that field is not used. An example is in a KEY
+ RR with the top two flag bits on, the "no-key" value, where no key is
+ present.
+
+3.3 Interaction of Flags, Algorithm, and Protocol Bytes
+
+ Various combinations of the no-key type flags, algorithm byte,
+ protocol byte, and any future assigned protocol indicating flags are
+ possible. The meaning of these combinations is indicated below:
+
+ NK = no key type (flags bits 0 and 1 on)
+ AL = algorithm byte
+ PR = protocols indicated by protocol byte or future assigned flags
+
+ x represents any valid non-zero value(s).
+
+ AL PR NK Meaning
+ 0 0 0 Illegal, claims key but has bad algorithm field.
+ 0 0 1 Specifies total lack of security for owner zone.
+ 0 x 0 Illegal, claims key but has bad algorithm field.
+ 0 x 1 Specified protocols unsecured, others may be secure.
+ x 0 0 Gives key but no protocols to use it.
+ x 0 1 Denies key for specific algorithm.
+ x x 0 Specifies key for protocols.
+ x x 1 Algorithm not understood for protocol.
+
+3.4 Determination of Zone Secure/Unsecured Status
+
+ A zone KEY RR with the "no-key" type field value (both key type flag
+ bits 0 and 1 on) indicates that the zone named is unsecured while a
+ zone KEY RR with a key present indicates that the zone named is
+ secure. The secured versus unsecured status of a zone may vary with
+ different cryptographic algorithms. Even for the same algorithm,
+ conflicting zone KEY RRs may be present.
+
+ Zone KEY RRs, like all RRs, are only trusted if they are
+ authenticated by a SIG RR whose signer field is a signer for which
+ the resolver has a public key they trust and where resolver policy
+ permits that signer to sign for the KEY owner name. Untrusted zone
+ KEY RRs MUST be ignored in determining the security status of the
+ zone. However, there can be multiple sets of trusted zone KEY RRs
+ for a zone with different algorithms, signers, etc.
+
+
+
+Eastlake Standards Track [Page 15]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ For any particular algorithm, zones can be (1) secure, indicating
+ that any retrieved RR must be authenticated by a SIG RR or it will be
+ discarded as bogus, (2) unsecured, indicating that SIG RRs are not
+ expected or required for RRs retrieved from the zone, or (3)
+ experimentally secure, which indicates that SIG RRs might or might
+ not be present but must be checked if found. The status of a zone is
+ determined as follows:
+
+ 1. If, for a zone and algorithm, every trusted zone KEY RR for the
+ zone says there is no key for that zone, it is unsecured for that
+ algorithm.
+
+ 2. If, there is at least one trusted no-key zone KEY RR and one
+ trusted key specifying zone KEY RR, then that zone is only
+ experimentally secure for the algorithm. Both authenticated and
+ non-authenticated RRs for it should be accepted by the resolver.
+
+ 3. If every trusted zone KEY RR that the zone and algorithm has is
+ key specifying, then it is secure for that algorithm and only
+ authenticated RRs from it will be accepted.
+
+ Examples:
+
+ (1) A resolver initially trusts only signatures by the superzone of
+ zone Z within the DNS hierarchy. Thus it will look only at the KEY
+ RRs that are signed by the superzone. If it finds only no-key KEY
+ RRs, it will assume the zone is not secure. If it finds only key
+ specifying KEY RRs, it will assume the zone is secure and reject any
+ unsigned responses. If it finds both, it will assume the zone is
+ experimentally secure
+
+ (2) A resolver trusts the superzone of zone Z (to which it got
+ securely from its local zone) and a third party, cert-auth.example.
+ When considering data from zone Z, it may be signed by the superzone
+ of Z, by cert-auth.example, by both, or by neither. The following
+ table indicates whether zone Z will be considered secure,
+ experimentally secure, or unsecured, depending on the signed zone KEY
+ RRs for Z;
+
+ c e r t - a u t h . e x a m p l e
+
+ KEY RRs| None | NoKeys | Mixed | Keys |
+ S --+-----------+-----------+----------+----------+
+ u None | illegal | unsecured | experim. | secure |
+ p --+-----------+-----------+----------+----------+
+ e NoKeys | unsecured | unsecured | experim. | secure |
+ r --+-----------+-----------+----------+----------+
+ Z Mixed | experim. | experim. | experim. | secure |
+
+
+
+Eastlake Standards Track [Page 16]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ o --+-----------+-----------+----------+----------+
+ n Keys | secure | secure | secure | secure |
+ e +-----------+-----------+----------+----------+
+
+3.5 KEY RRs in the Construction of Responses
+
+ An explicit request for KEY RRs does not cause any special additional
+ information processing except, of course, for the corresponding SIG
+ RR from a security aware server (see Section 4.2).
+
+ Security aware DNS servers include KEY RRs as additional information
+ in responses, where a KEY is available, in the following cases:
+
+ (1) On the retrieval of SOA or NS RRs, the KEY RRset with the same
+ name (perhaps just a zone key) SHOULD be included as additional
+ information if space is available. If not all additional information
+ will fit, type A and AAAA glue RRs have higher priority than KEY
+ RR(s).
+
+ (2) On retrieval of type A or AAAA RRs, the KEY RRset with the same
+ name (usually just a host RR and NOT the zone key (which usually
+ would have a different name)) SHOULD be included if space is
+ available. On inclusion of A or AAAA RRs as additional information,
+ the KEY RRset with the same name should also be included but with
+ lower priority than the A or AAAA RRs.
+
+4. The SIG Resource Record
+
+ The SIG or "signature" resource record (RR) is the fundamental way
+ that data is authenticated in the secure Domain Name System (DNS). As
+ such it is the heart of the security provided.
+
+ The SIG RR unforgably authenticates an RRset [RFC 2181] of a
+ particular type, class, and name and binds it to a time interval and
+ the signer's domain name. This is done using cryptographic
+ techniques and the signer's private key. The signer is frequently
+ the owner of the zone from which the RR originated.
+
+ The type number for the SIG RR type is 24.
+
+4.1 SIG RDATA Format
+
+ The RDATA portion of a SIG RR is as shown below. The integrity of
+ the RDATA information is protected by the signature field.
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 17]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | type covered | algorithm | labels |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | original TTL |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | signature expiration |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | signature inception |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | key tag | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ signer's name +
+ | /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-/
+ / /
+ / signature /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+4.1.1 Type Covered Field
+
+ The "type covered" is the type of the other RRs covered by this SIG.
+
+4.1.2 Algorithm Number Field
+
+ This octet is as described in section 3.2.
+
+4.1.3 Labels Field
+
+ The "labels" octet is an unsigned count of how many labels there are
+ in the original SIG RR owner name not counting the null label for
+ root and not counting any initial "*" for a wildcard. If a secured
+ retrieval is the result of wild card substitution, it is necessary
+ for the resolver to use the original form of the name in verifying
+ the digital signature. This field makes it easy to determine the
+ original form.
+
+ If, on retrieval, the RR appears to have a longer name than indicated
+ by "labels", the resolver can tell it is the result of wildcard
+ substitution. If the RR owner name appears to be shorter than the
+ labels count, the SIG RR must be considered corrupt and ignored. The
+ maximum number of labels allowed in the current DNS is 127 but the
+ entire octet is reserved and would be required should DNS names ever
+ be expanded to 255 labels. The following table gives some examples.
+ The value of "labels" is at the top, the retrieved owner name on the
+ left, and the table entry is the name to use in signature
+ verification except that "bad" means the RR is corrupt.
+
+
+
+Eastlake Standards Track [Page 18]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ labels= | 0 | 1 | 2 | 3 | 4 |
+ --------+-----+------+--------+----------+----------+
+ .| . | bad | bad | bad | bad |
+ d.| *. | d. | bad | bad | bad |
+ c.d.| *. | *.d. | c.d. | bad | bad |
+ b.c.d.| *. | *.d. | *.c.d. | b.c.d. | bad |
+ a.b.c.d.| *. | *.d. | *.c.d. | *.b.c.d. | a.b.c.d. |
+
+4.1.4 Original TTL Field
+
+ The "original TTL" field is included in the RDATA portion to avoid
+ (1) authentication problems that caching servers would otherwise
+ cause by decrementing the real TTL field and (2) security problems
+ that unscrupulous servers could otherwise cause by manipulating the
+ real TTL field. This original TTL is protected by the signature
+ while the current TTL field is not.
+
+ NOTE: The "original TTL" must be restored into the covered RRs when
+ the signature is verified (see Section 8). This generaly implies
+ that all RRs for a particular type, name, and class, that is, all the
+ RRs in any particular RRset, must have the same TTL to start with.
+
+4.1.5 Signature Expiration and Inception Fields
+
+ The SIG is valid from the "signature inception" time until the
+ "signature expiration" time. Both are unsigned numbers of seconds
+ since the start of 1 January 1970, GMT, ignoring leap seconds. (See
+ also Section 4.4.) Ring arithmetic is used as for DNS SOA serial
+ numbers [RFC 1982] which means that these times can never be more
+ than about 68 years in the past or the future. This means that these
+ times are ambiguous modulo ~136.09 years. However there is no
+ security flaw because keys are required to be changed to new random
+ keys by [RFC 2541] at least every five years. This means that the
+ probability that the same key is in use N*136.09 years later should
+ be the same as the probability that a random guess will work.
+
+ A SIG RR may have an expiration time numerically less than the
+ inception time if the expiration time is near the 32 bit wrap around
+ point and/or the signature is long lived.
+
+ (To prevent misordering of network requests to update a zone
+ dynamically, monotonically increasing "signature inception" times may
+ be necessary.)
+
+ A secure zone must be considered changed for SOA serial number
+ purposes not only when its data is updated but also when new SIG RRs
+ are inserted (ie, the zone or any part of it is re-signed).
+
+
+
+
+Eastlake Standards Track [Page 19]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+4.1.6 Key Tag Field
+
+ The "key Tag" is a two octet quantity that is used to efficiently
+ select between multiple keys which may be applicable and thus check
+ that a public key about to be used for the computationally expensive
+ effort to check the signature is possibly valid. For algorithm 1
+ (MD5/RSA) as defined in [RFC 2537], it is the next to the bottom two
+ octets of the public key modulus needed to decode the signature
+ field. That is to say, the most significant 16 of the least
+ significant 24 bits of the modulus in network (big endian) order. For
+ all other algorithms, including private algorithms, it is calculated
+ as a simple checksum of the KEY RR as described in Appendix C.
+
+4.1.7 Signer's Name Field
+
+ The "signer's name" field is the domain name of the signer generating
+ the SIG RR. This is the owner name of the public KEY RR that can be
+ used to verify the signature. It is frequently the zone which
+ contained the RRset being authenticated. Which signers should be
+ authorized to sign what is a significant resolver policy question as
+ discussed in Section 6. The signer's name may be compressed with
+ standard DNS name compression when being transmitted over the
+ network.
+
+4.1.8 Signature Field
+
+ The actual signature portion of the SIG RR binds the other RDATA
+ fields to the RRset of the "type covered" RRs with that owner name
+ and class. This covered RRset is thereby authenticated. To
+ accomplish this, a data sequence is constructed as follows:
+
+ data = RDATA | RR(s)...
+
+ where "|" is concatenation,
+
+ RDATA is the wire format of all the RDATA fields in the SIG RR itself
+ (including the canonical form of the signer's name) before but not
+ including the signature, and
+
+ RR(s) is the RRset of the RR(s) of the type covered with the same
+ owner name and class as the SIG RR in canonical form and order as
+ defined in Section 8.
+
+ How this data sequence is processed into the signature is algorithm
+ dependent. These algorithm dependent formats and procedures are
+ described in separate documents (Section 3.2).
+
+
+
+
+
+Eastlake Standards Track [Page 20]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ SIGs SHOULD NOT be included in a zone for any "meta-type" such as
+ ANY, AXFR, etc. (but see section 5.6.2 with regard to IXFR).
+
+4.1.8.1 Calculating Transaction and Request SIGs
+
+ A response message from a security aware server may optionally
+ contain a special SIG at the end of the additional information
+ section to authenticate the transaction.
+
+ This SIG has a "type covered" field of zero, which is not a valid RR
+ type. It is calculated by using a "data" (see Section 4.1.8) of the
+ entire preceding DNS reply message, including DNS header but not the
+ IP header and before the reply RR counts have been adjusted for the
+ inclusion of any transaction SIG, concatenated with the entire DNS
+ query message that produced this response, including the query's DNS
+ header and any request SIGs but not its IP header. That is
+
+ data = full response (less transaction SIG) | full query
+
+ Verification of the transaction SIG (which is signed by the server
+ host key, not the zone key) by the requesting resolver shows that the
+ query and response were not tampered with in transit, that the
+ response corresponds to the intended query, and that the response
+ comes from the queried server.
+
+ A DNS request may be optionally signed by including one or more SIGs
+ at the end of the query. Such SIGs are identified by having a "type
+ covered" field of zero. They sign the preceding DNS request message
+ including DNS header but not including the IP header or any request
+ SIGs at the end and before the request RR counts have been adjusted
+ for the inclusions of any request SIG(s).
+
+ WARNING: Request SIGs are unnecessary for any currently defined
+ request other than update [RFC 2136, 2137] and will cause some old
+ DNS servers to give an error return or ignore a query. However, such
+ SIGs may in the future be needed for other requests.
+
+ Except where needed to authenticate an update or similar privileged
+ request, servers are not required to check request SIGs.
+
+4.2 SIG RRs in the Construction of Responses
+
+ Security aware DNS servers SHOULD, for every authenticated RRset the
+ query will return, attempt to send the available SIG RRs which
+ authenticate the requested RRset. The following rules apply to the
+ inclusion of SIG RRs in responses:
+
+
+
+
+
+Eastlake Standards Track [Page 21]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 1. when an RRset is placed in a response, its SIG RR has a higher
+ priority for inclusion than additional RRs that may need to be
+ included. If space does not permit its inclusion, the response
+ MUST be considered truncated except as provided in 2 below.
+
+ 2. When a SIG RR is present in the zone for an additional
+ information section RR, the response MUST NOT be considered
+ truncated merely because space does not permit the inclusion of
+ the SIG RR with the additional information.
+
+ 3. SIGs to authenticate glue records and NS RRs for subzones at a
+ delegation point are unnecessary and MUST NOT be sent.
+
+ 4. If a SIG covers any RR that would be in the answer section of
+ the response, its automatic inclusion MUST be in the answer
+ section. If it covers an RR that would appear in the authority
+ section, its automatic inclusion MUST be in the authority
+ section. If it covers an RR that would appear in the additional
+ information section it MUST appear in the additional information
+ section. This is a change in the existing standard [RFCs 1034,
+ 1035] which contemplates only NS and SOA RRs in the authority
+ section.
+
+ 5. Optionally, DNS transactions may be authenticated by a SIG RR at
+ the end of the response in the additional information section
+ (Section 4.1.8.1). Such SIG RRs are signed by the DNS server
+ originating the response. Although the signer field MUST be a
+ name of the originating server host, the owner name, class, TTL,
+ and original TTL, are meaningless. The class and TTL fields
+ SHOULD be zero. To conserve space, the owner name SHOULD be
+ root (a single zero octet). If transaction authentication is
+ desired, that SIG RR must be considered the highest priority for
+ inclusion.
+
+4.3 Processing Responses and SIG RRs
+
+ The following rules apply to the processing of SIG RRs included in a
+ response:
+
+ 1. A security aware resolver that receives a response from a
+ security aware server via a secure communication with the AD bit
+ (see Section 6.1) set, MAY choose to accept the RRs as received
+ without verifying the zone SIG RRs.
+
+ 2. In other cases, a security aware resolver SHOULD verify the SIG
+ RRs for the RRs of interest. This may involve initiating
+ additional queries for SIG or KEY RRs, especially in the case of
+
+
+
+
+Eastlake Standards Track [Page 22]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ getting a response from a server that does not implement
+ security. (As explained in 2.3.5 above, it will not be possible
+ to secure CNAMEs being served up by non-secure resolvers.)
+
+ NOTE: Implementers might expect the above SHOULD to be a MUST.
+ However, local policy or the calling application may not require
+ the security services.
+
+ 3. If SIG RRs are received in response to a user query explicitly
+ specifying the SIG type, no special processing is required.
+
+ If the message does not pass integrity checks or the SIG does not
+ check against the signed RRs, the SIG RR is invalid and should be
+ ignored. If all of the SIG RR(s) purporting to authenticate an RRset
+ are invalid, then the RRset is not authenticated.
+
+ If the SIG RR is the last RR in a response in the additional
+ information section and has a type covered of zero, it is a
+ transaction signature of the response and the query that produced the
+ response. It MAY be optionally checked and the message rejected if
+ the checks fail. But even if the checks succeed, such a transaction
+ authentication SIG does NOT directly authenticate any RRs in the
+ message. Only a proper SIG RR signed by the zone or a key tracing
+ its authority to the zone or to static resolver configuration can
+ directly authenticate RRs, depending on resolver policy (see Section
+ 6). If a resolver does not implement transaction and/or request
+ SIGs, it MUST ignore them without error.
+
+ If all checks indicate that the SIG RR is valid then RRs verified by
+ it should be considered authenticated.
+
+4.4 Signature Lifetime, Expiration, TTLs, and Validity
+
+ Security aware servers MUST NOT consider SIG RRs to authenticate
+ anything before their signature inception or after its expiration
+ time (see also Section 6). Security aware servers MUST NOT consider
+ any RR to be authenticated after all its signatures have expired.
+ When a secure server caches authenticated data, if the TTL would
+ expire at a time further in the future than the authentication
+ expiration time, the server SHOULD trim the TTL in the cache entry
+ not to extent beyond the authentication expiration time. Within
+ these constraints, servers should continue to follow DNS TTL aging.
+ Thus authoritative servers should continue to follow the zone refresh
+ and expire parameters and a non-authoritative server should count
+ down the TTL and discard RRs when the TTL is zero (even for a SIG
+ that has not yet reached its authentication expiration time). In
+ addition, when RRs are transmitted in a query response, the TTL
+
+
+
+
+Eastlake Standards Track [Page 23]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ should be trimmed so that current time plus the TTL does not extend
+ beyond the authentication expiration time. Thus, in general, the TTL
+ on a transmitted RR would be
+
+ min(authExpTim,max(zoneMinTTL,min(originalTTL,currentTTL)))
+
+ When signatures are generated, signature expiration times should be
+ set far enough in the future that it is quite certain that new
+ signatures can be generated before the old ones expire. However,
+ setting expiration too far into the future could mean a long time to
+ flush any bad data or signatures that may have been generated.
+
+ It is recommended that signature lifetime be a small multiple of the
+ TTL (ie, 4 to 16 times the TTL) but not less than a reasonable
+ maximum re-signing interval and not less than the zone expiry time.
+
+5. Non-existent Names and Types
+
+ The SIG RR mechanism described in Section 4 above provides strong
+ authentication of RRs that exist in a zone. But it is not clear
+ above how to verifiably deny the existence of a name in a zone or a
+ type for an existent name.
+
+ The nonexistence of a name in a zone is indicated by the NXT ("next")
+ RR for a name interval containing the nonexistent name. An NXT RR or
+ RRs and its or their SIG(s) are returned in the authority section,
+ along with the error, if the server is security aware. The same is
+ true for a non-existent type under an existing name except that there
+ is no error indication other than an empty answer section
+ accompanying the NXT(s). This is a change in the existing standard
+ [RFCs 1034/1035] which contemplates only NS and SOA RRs in the
+ authority section. NXT RRs will also be returned if an explicit query
+ is made for the NXT type.
+
+ The existence of a complete set of NXT records in a zone means that
+ any query for any name and any type to a security aware server
+ serving the zone will result in an reply containing at least one
+ signed RR unless it is a query for delegation point NS or glue A or
+ AAAA RRs.
+
+5.1 The NXT Resource Record
+
+ The NXT resource record is used to securely indicate that RRs with an
+ owner name in a certain name interval do not exist in a zone and to
+ indicate what RR types are present for an existing name.
+
+
+
+
+
+
+Eastlake Standards Track [Page 24]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ The owner name of the NXT RR is an existing name in the zone. It's
+ RDATA is a "next" name and a type bit map. Thus the NXT RRs in a zone
+ create a chain of all of the literal owner names in that zone,
+ including unexpanded wildcards but omitting the owner name of glue
+ address records unless they would otherwise be included. This implies
+ a canonical ordering of all domain names in a zone as described in
+ Section 8. The presence of the NXT RR means that no name between its
+ owner name and the name in its RDATA area exists and that no other
+ types exist under its owner name.
+
+ There is a potential problem with the last NXT in a zone as it wants
+ to have an owner name which is the last existing name in canonical
+ order, which is easy, but it is not obvious what name to put in its
+ RDATA to indicate the entire remainder of the name space. This is
+ handled by treating the name space as circular and putting the zone
+ name in the RDATA of the last NXT in a zone.
+
+ The NXT RRs for a zone SHOULD be automatically calculated and added
+ to the zone when SIGs are added. The NXT RR's TTL SHOULD NOT exceed
+ the zone minimum TTL.
+
+ The type number for the NXT RR is 30.
+
+ NXT RRs are only signed by zone level keys.
+
+5.2 NXT RDATA Format
+
+ The RDATA for an NXT RR consists simply of a domain name followed by
+ a bit map, as shown below.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | next domain name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | type bit map /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The NXT RR type bit map format currently defined is one bit per RR
+ type present for the owner name. A one bit indicates that at least
+ one RR of that type is present for the owner name. A zero indicates
+ that no such RR is present. All bits not specified because they are
+ beyond the end of the bit map are assumed to be zero. Note that bit
+ 30, for NXT, will always be on so the minimum bit map length is
+ actually four octets. Trailing zero octets are prohibited in this
+ format. The first bit represents RR type zero (an illegal type which
+ can not be present) and so will be zero in this format. This format
+ is not used if there exists an RR with a type number greater than
+
+
+
+Eastlake Standards Track [Page 25]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 127. If the zero bit of the type bit map is a one, it indicates that
+ a different format is being used which will always be the case if a
+ type number greater than 127 is present.
+
+ The domain name may be compressed with standard DNS name compression
+ when being transmitted over the network. The size of the bit map can
+ be inferred from the RDLENGTH and the length of the next domain name.
+
+5.3 Additional Complexity Due to Wildcards
+
+ Proving that a non-existent name response is correct or that a
+ wildcard expansion response is correct makes things a little more
+ complex.
+
+ In particular, when a non-existent name response is returned, an NXT
+ must be returned showing that the exact name queried did not exist
+ and, in general, one or more additional NXT's need to be returned to
+ also prove that there wasn't a wildcard whose expansion should have
+ been returned. (There is no need to return multiple copies of the
+ same NXT.) These NXTs, if any, are returned in the authority section
+ of the response.
+
+ Furthermore, if a wildcard expansion is returned in a response, in
+ general one or more NXTs needs to also be returned in the authority
+ section to prove that no more specific name (including possibly more
+ specific wildcards in the zone) existed on which the response should
+ have been based.
+
+5.4 Example
+
+ Assume zone foo.nil has entries for
+
+ big.foo.nil,
+ medium.foo.nil.
+ small.foo.nil.
+ tiny.foo.nil.
+
+ Then a query to a security aware server for huge.foo.nil would
+ produce an error reply with an RCODE of NXDOMAIN and the authority
+ section data including something like the following:
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 26]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ foo.nil. NXT big.foo.nil NS KEY SOA NXT ;prove no *.foo.nil
+ foo.nil. SIG NXT 1 2 ( ;type-cov=NXT, alg=1, labels=2
+ 19970102030405 ;signature expiration
+ 19961211100908 ;signature inception
+ 2143 ;key identifier
+ foo.nil. ;signer
+ AIYADP8d3zYNyQwW2EM4wXVFdslEJcUx/fxkfBeH1El4ixPFhpfHFElxbvKoWmvjDTCm
+ fiYy2X+8XpFjwICHc398kzWsTMKlxovpz2FnCTM= ;signature (640 bits)
+ )
+ big.foo.nil. NXT medium.foo.nil. A MX SIG NXT ;prove no huge.foo.nil
+ big.foo.nil. SIG NXT 1 3 ( ;type-cov=NXT, alg=1, labels=3
+ 19970102030405 ;signature expiration
+ 19961211100908 ;signature inception
+ 2143 ;key identifier
+ foo.nil. ;signer
+ MxFcby9k/yvedMfQgKzhH5er0Mu/vILz45IkskceFGgiWCn/GxHhai6VAuHAoNUz4YoU
+ 1tVfSCSqQYn6//11U6Nld80jEeC8aTrO+KKmCaY= ;signature (640 bits)
+ )
+ Note that this response implies that big.foo.nil is an existing name
+ in the zone and thus has other RR types associated with it than NXT.
+ However, only the NXT (and its SIG) RR appear in the response to this
+ query for huge.foo.nil, which is a non-existent name.
+
+5.5 Special Considerations at Delegation Points
+
+ A name (other than root) which is the head of a zone also appears as
+ the leaf in a superzone. If both are secure, there will always be
+ two different NXT RRs with the same name. They can be easily
+ distinguished by their signers, the next domain name fields, the
+ presence of the SOA type bit, etc. Security aware servers should
+ return the correct NXT automatically when required to authenticate
+ the non-existence of a name and both NXTs, if available, on explicit
+ query for type NXT.
+
+ Non-security aware servers will never automatically return an NXT and
+ some old implementations may only return the NXT from the subzone on
+ explicit queries.
+
+5.6 Zone Transfers
+
+ The subsections below describe how full and incremental zone
+ transfers are secured.
+
+ SIG RRs secure all authoritative RRs transferred for both full and
+ incremental [RFC 1995] zone transfers. NXT RRs are an essential
+ element in secure zone transfers and assure that every authoritative
+ name and type will be present; however, if there are multiple SIGs
+ with the same name and type covered, a subset of the SIGs could be
+
+
+
+Eastlake Standards Track [Page 27]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ sent as long as at least one is present and, in the case of unsigned
+ delegation point NS or glue A or AAAA RRs a subset of these RRs or
+ simply a modified set could be sent as long as at least one of each
+ type is included.
+
+ When an incremental or full zone transfer request is received with
+ the same or newer version number than that of the server's copy of
+ the zone, it is replied to with just the SOA RR of the server's
+ current version and the SIG RRset verifying that SOA RR.
+
+ The complete NXT chains specified in this document enable a resolver
+ to obtain, by successive queries chaining through NXTs, all of the
+ names in a zone even if zone transfers are prohibited. Different
+ format NXTs may be specified in the future to avoid this.
+
+5.6.1 Full Zone Transfers
+
+ To provide server authentication that a complete transfer has
+ occurred, transaction authentication SHOULD be used on full zone
+ transfers. This provides strong server based protection for the
+ entire zone in transit.
+
+5.6.2 Incremental Zone Transfers
+
+ Individual RRs in an incremental (IXFR) transfer [RFC 1995] can be
+ verified in the same way as for a full zone transfer and the
+ integrity of the NXT name chain and correctness of the NXT type bits
+ for the zone after the incremental RR deletes and adds can check each
+ disjoint area of the zone updated. But the completeness of an
+ incremental transfer can not be confirmed because usually neither the
+ deleted RR section nor the added RR section has a compete zone NXT
+ chain. As a result, a server which securely supports IXFR must
+ handle IXFR SIG RRs for each incremental transfer set that it
+ maintains.
+
+ The IXFR SIG is calculated over the incremental zone update
+ collection of RRs in the order in which it is transmitted: old SOA,
+ then deleted RRs, then new SOA and added RRs. Within each section,
+ RRs must be ordered as specified in Section 8. If condensation of
+ adjacent incremental update sets is done by the zone owner, the
+ original IXFR SIG for each set included in the condensation must be
+ discarded and a new on IXFR SIG calculated to cover the resulting
+ condensed set.
+
+ The IXFR SIG really belongs to the zone as a whole, not to the zone
+ name. Although it SHOULD be correct for the zone name, the labels
+ field of an IXFR SIG is otherwise meaningless. The IXFR SIG is only
+ sent as part of an incremental zone transfer. After validation of
+
+
+
+Eastlake Standards Track [Page 28]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ the IXFR SIG, the transferred RRs MAY be considered valid without
+ verification of the internal SIGs if such trust in the server
+ conforms to local policy.
+
+6. How to Resolve Securely and the AD and CD Bits
+
+ Retrieving or resolving secure data from the Domain Name System (DNS)
+ involves starting with one or more trusted public keys that have been
+ staticly configured at the resolver. With starting trusted keys, a
+ resolver willing to perform cryptography can progress securely
+ through the secure DNS structure to the zone of interest as described
+ in Section 6.3. Such trusted public keys would normally be configured
+ in a manner similar to that described in Section 6.2. However, as a
+ practical matter, a security aware resolver would still gain some
+ confidence in the results it returns even if it was not configured
+ with any keys but trusted what it got from a local well known server
+ as if it were staticly configured.
+
+ Data stored at a security aware server needs to be internally
+ categorized as Authenticated, Pending, or Insecure. There is also a
+ fourth transient state of Bad which indicates that all SIG checks
+ have explicitly failed on the data. Such Bad data is not retained at
+ a security aware server. Authenticated means that the data has a
+ valid SIG under a KEY traceable via a chain of zero or more SIG and
+ KEY RRs allowed by the resolvers policies to a KEY staticly
+ configured at the resolver. Pending data has no authenticated SIGs
+ and at least one additional SIG the resolver is still trying to
+ authenticate. Insecure data is data which it is known can never be
+ either Authenticated or found Bad in the zone where it was found
+ because it is in or has been reached via a unsecured zone or because
+ it is unsigned glue address or delegation point NS data. Behavior in
+ terms of control of and flagging based on such data labels is
+ described in Section 6.1.
+
+ The proper validation of signatures requires a reasonably secure
+ shared opinion of the absolute time between resolvers and servers as
+ described in Section 6.4.
+
+6.1 The AD and CD Header Bits
+
+ Two previously unused bits are allocated out of the DNS
+ query/response format header. The AD (authentic data) bit indicates
+ in a response that all the data included in the answer and authority
+ portion of the response has been authenticated by the server
+ according to the policies of that server. The CD (checking disabled)
+ bit indicates in a query that Pending (non-authenticated) data is
+ acceptable to the resolver sending the query.
+
+
+
+
+Eastlake Standards Track [Page 29]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ These bits are allocated from the previously must-be-zero Z field as
+ follows:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QDCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ANCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | NSCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ARCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ These bits are zero in old servers and resolvers. Thus the responses
+ of old servers are not flagged as authenticated to security aware
+ resolvers and queries from non-security aware resolvers do not assert
+ the checking disabled bit and thus will be answered by security aware
+ servers only with Authenticated or Insecure data. Security aware
+ resolvers MUST NOT trust the AD bit unless they trust the server they
+ are talking to and either have a secure path to it or use DNS
+ transaction security.
+
+ Any security aware resolver willing to do cryptography SHOULD assert
+ the CD bit on all queries to permit it to impose its own policies and
+ to reduce DNS latency time by allowing security aware servers to
+ answer with Pending data.
+
+ Security aware servers MUST NOT return Bad data. For non-security
+ aware resolvers or security aware resolvers requesting service by
+ having the CD bit clear, security aware servers MUST return only
+ Authenticated or Insecure data in the answer and authority sections
+ with the AD bit set in the response. Security aware servers SHOULD
+ return Pending data, with the AD bit clear in the response, to
+ security aware resolvers requesting this service by asserting the CD
+ bit in their request. The AD bit MUST NOT be set on a response
+ unless all of the RRs in the answer and authority sections of the
+ response are either Authenticated or Insecure. The AD bit does not
+ cover the additional information section.
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 30]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+6.2 Staticly Configured Keys
+
+ The public key to authenticate a zone SHOULD be defined in local
+ configuration files before that zone is loaded at the primary server
+ so the zone can be authenticated.
+
+ While it might seem logical for everyone to start with a public key
+ associated with the root zone and staticly configure this in every
+ resolver, this has problems. The logistics of updating every DNS
+ resolver in the world should this key ever change would be severe.
+ Furthermore, many organizations will explicitly wish their "interior"
+ DNS implementations to completely trust only their own DNS servers.
+ Interior resolvers of such organizations can then go through the
+ organization's zone servers to access data outside the organization's
+ domain and need not be configured with keys above the organization's
+ DNS apex.
+
+ Host resolvers that are not part of a larger organization may be
+ configured with a key for the domain of their local ISP whose
+ recursive secure DNS caching server they use.
+
+6.3 Chaining Through The DNS
+
+ Starting with one or more trusted keys for any zone, it should be
+ possible to retrieve signed keys for that zone's subzones which have
+ a key. A secure sub-zone is indicated by a KEY RR with non-null key
+ information appearing with the NS RRs in the sub-zone and which may
+ also be present in the parent. These make it possible to descend
+ within the tree of zones.
+
+6.3.1 Chaining Through KEYs
+
+ In general, some RRset that you wish to validate in the secure DNS
+ will be signed by one or more SIG RRs. Each of these SIG RRs has a
+ signer under whose name is stored the public KEY to use in
+ authenticating the SIG. Each of those KEYs will, generally, also be
+ signed with a SIG. And those SIGs will have signer names also
+ referring to KEYs. And so on. As a result, authentication leads to
+ chains of alternating SIG and KEY RRs with the first SIG signing the
+ original data whose authenticity is to be shown and the final KEY
+ being some trusted key staticly configured at the resolver performing
+ the authentication.
+
+ In testing such a chain, the validity periods of the SIGs encountered
+ must be intersected to determine the validity period of the
+ authentication of the data, a purely algorithmic process. In
+ addition, the validation of each SIG over the data with reference to
+ a KEY must meet the objective cryptographic test implied by the
+
+
+
+Eastlake Standards Track [Page 31]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ cryptographic algorithm used (although even here the resolver may
+ have policies as to trusted algorithms and key lengths). Finally,
+ the judgement that a SIG with a particular signer name can
+ authenticate data (possibly a KEY RRset) with a particular owner
+ name, is primarily a policy question. Ultimately, this is a policy
+ local to the resolver and any clients that depend on that resolver's
+ decisions. It is, however, recommended, that the policy below be
+ adopted:
+
+ Let A < B mean that A is a shorter domain name than B formed by
+ dropping one or more whole labels from the left end of B, i.e.,
+ A is a direct or indirect superdomain of B. Let A = B mean that
+ A and B are the same domain name (i.e., are identical after
+ letter case canonicalization). Let A > B mean that A is a
+ longer domain name than B formed by adding one or more whole
+ labels on the left end of B, i.e., A is a direct or indirect
+ subdomain of B
+
+ Let Static be the owner names of the set of staticly configured
+ trusted keys at a resolver.
+
+ Then Signer is a valid signer name for a SIG authenticating an
+ RRset (possibly a KEY RRset) with owner name Owner at the
+ resolver if any of the following three rules apply:
+
+ (1) Owner > or = Signer (except that if Signer is root, Owner
+ must be root or a top level domain name). That is, Owner is the
+ same as or a subdomain of Signer.
+
+ (2) ( Owner < Signer ) and ( Signer > or = some Static ). That
+ is, Owner is a superdomain of Signer and Signer is staticly
+ configured or a subdomain of a staticly configured key.
+
+ (3) Signer = some Static. That is, the signer is exactly some
+ staticly configured key.
+
+ Rule 1 is the rule for descending the DNS tree and includes a special
+ prohibition on the root zone key due to the restriction that the root
+ zone be only one label deep. This is the most fundamental rule.
+
+ Rule 2 is the rule for ascending the DNS tree from one or more
+ staticly configured keys. Rule 2 has no effect if only root zone
+ keys are staticly configured.
+
+ Rule 3 is a rule permitting direct cross certification. Rule 3 has
+ no effect if only root zone keys are staticly configured.
+
+
+
+
+
+Eastlake Standards Track [Page 32]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Great care should be taken that the consequences have been fully
+ considered before making any local policy adjustments to these rules
+ (other than dispensing with rules 2 and 3 if only root zone keys are
+ staticly configured).
+
+6.3.2 Conflicting Data
+
+ It is possible that there will be multiple SIG-KEY chains that appear
+ to authenticate conflicting RRset answers to the same query. A
+ resolver should choose only the most reliable answer to return and
+ discard other data. This choice of most reliable is a matter of
+ local policy which could take into account differing trust in
+ algorithms, key sizes, staticly configured keys, zones traversed,
+ etc. The technique given below is recommended for taking into
+ account SIG-KEY chain length.
+
+ A resolver should keep track of the number of successive secure zones
+ traversed from a staticly configured key starting point to any secure
+ zone it can reach. In general, the lower such a distance number is,
+ the greater the confidence in the data. Staticly configured data
+ should be given a distance number of zero. If a query encounters
+ different Authenticated data for the same query with different
+ distance values, that with a larger value should be ignored unless
+ some other local policy covers the case.
+
+ A security conscious resolver should completely refuse to step from a
+ secure zone into a unsecured zone unless the unsecured zone is
+ certified to be non-secure by the presence of an authenticated KEY RR
+ for the unsecured zone with the no-key type value. Otherwise the
+ resolver is getting bogus or spoofed data.
+
+ If legitimate unsecured zones are encountered in traversing the DNS
+ tree, then no zone can be trusted as secure that can be reached only
+ via information from such non-secure zones. Since the unsecured zone
+ data could have been spoofed, the "secure" zone reached via it could
+ be counterfeit. The "distance" to data in such zones or zones
+ reached via such zones could be set to 256 or more as this exceeds
+ the largest possible distance through secure zones in the DNS.
+
+6.4 Secure Time
+
+ Coordinated interpretation of the time fields in SIG RRs requires
+ that reasonably consistent time be available to the hosts
+ implementing the DNS security extensions.
+
+ A variety of time synchronization protocols exist including the
+ Network Time Protocol (NTP [RFC 1305, 2030]). If such protocols are
+ used, they MUST be used securely so that time can not be spoofed.
+
+
+
+Eastlake Standards Track [Page 33]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ Otherwise, for example, a host could get its clock turned back and
+ might then believe old SIG RRs, and the data they authenticate, which
+ were valid but are no longer.
+
+7. ASCII Representation of Security RRs
+
+ This section discusses the format for master file and other ASCII
+ presentation of the three DNS security resource records.
+
+ The algorithm field in KEY and SIG RRs can be represented as either
+ an unsigned integer or symbolicly. The following initial symbols are
+ defined as indicated:
+
+ Value Symbol
+
+ 001 RSAMD5
+ 002 DH
+ 003 DSA
+ 004 ECC
+ 252 INDIRECT
+ 253 PRIVATEDNS
+ 254 PRIVATEOID
+
+7.1 Presentation of KEY RRs
+
+ KEY RRs may appear as single logical lines in a zone data master file
+ [RFC 1033].
+
+ The flag field is represented as an unsigned integer or a sequence of
+ mnemonics as follows separated by instances of the verticle bar ("|")
+ character:
+
+ BIT Mnemonic Explanation
+ 0-1 key type
+ NOCONF =1 confidentiality use prohibited
+ NOAUTH =2 authentication use prohibited
+ NOKEY =3 no key present
+ 2 FLAG2 - reserved
+ 3 EXTEND flags extension
+ 4 FLAG4 - reserved
+ 5 FLAG5 - reserved
+ 6-7 name type
+ USER =0 (default, may be omitted)
+ ZONE =1
+ HOST =2 (host or other end entity)
+ NTYP3 - reserved
+ 8 FLAG8 - reserved
+ 9 FLAG9 - reserved
+
+
+
+Eastlake Standards Track [Page 34]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 10 FLAG10 - reserved
+ 11 FLAG11 - reserved
+ 12-15 signatory field, values 0 to 15
+ can be represented by SIG0, SIG1, ... SIG15
+
+ No flag mnemonic need be present if the bit or field it represents is
+ zero.
+
+ The protocol octet can be represented as either an unsigned integer
+ or symbolicly. The following initial symbols are defined:
+
+ 000 NONE
+ 001 TLS
+ 002 EMAIL
+ 003 DNSSEC
+ 004 IPSEC
+ 255 ALL
+
+ Note that if the type flags field has the NOKEY value, nothing
+ appears after the algorithm octet.
+
+ The remaining public key portion is represented in base 64 (see
+ Appendix A) and may be divided up into any number of white space
+ separated substrings, down to single base 64 digits, which are
+ concatenated to obtain the full signature. These substrings can span
+ lines using the standard parenthesis.
+
+ Note that the public key may have internal sub-fields but these do
+ not appear in the master file representation. For example, with
+ algorithm 1 there is a public exponent size, then a public exponent,
+ and then a modulus. With algorithm 254, there will be an OID size,
+ an OID, and algorithm dependent information. But in both cases only a
+ single logical base 64 string will appear in the master file.
+
+7.2 Presentation of SIG RRs
+
+ A data SIG RR may be represented as a single logical line in a zone
+ data file [RFC 1033] but there are some special considerations as
+ described below. (It does not make sense to include a transaction or
+ request authenticating SIG RR in a file as they are a transient
+ authentication that covers data including an ephemeral transaction
+ number and so must be calculated in real time.)
+
+ There is no particular problem with the signer, covered type, and
+ times. The time fields appears in the form YYYYMMDDHHMMSS where YYYY
+ is the year, the first MM is the month number (01-12), DD is the day
+ of the month (01-31), HH is the hour in 24 hours notation (00-23),
+ the second MM is the minute (00-59), and SS is the second (00-59).
+
+
+
+Eastlake Standards Track [Page 35]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ The original TTL field appears as an unsigned integer.
+
+ If the original TTL, which applies to the type signed, is the same as
+ the TTL of the SIG RR itself, it may be omitted. The date field
+ which follows it is larger than the maximum possible TTL so there is
+ no ambiguity.
+
+ The "labels" field appears as an unsigned integer.
+
+ The key tag appears as an unsigned number.
+
+ However, the signature itself can be very long. It is the last data
+ field and is represented in base 64 (see Appendix A) and may be
+ divided up into any number of white space separated substrings, down
+ to single base 64 digits, which are concatenated to obtain the full
+ signature. These substrings can be split between lines using the
+ standard parenthesis.
+
+7.3 Presentation of NXT RRs
+
+ NXT RRs do not appear in original unsigned zone master files since
+ they should be derived from the zone as it is being signed. If a
+ signed file with NXTs added is printed or NXTs are printed by
+ debugging code, they appear as the next domain name followed by the
+ RR type present bits as an unsigned interger or sequence of RR
+ mnemonics.
+
+8. Canonical Form and Order of Resource Records
+
+ This section specifies, for purposes of domain name system (DNS)
+ security, the canonical form of resource records (RRs), their name
+ order, and their overall order. A canonical name order is necessary
+ to construct the NXT name chain. A canonical form and ordering
+ within an RRset is necessary in consistently constructing and
+ verifying SIG RRs. A canonical ordering of types within a name is
+ required in connection with incremental transfer (Section 5.6.2).
+
+8.1 Canonical RR Form
+
+ For purposes of DNS security, the canonical form for an RR is the
+ wire format of the RR with domain names (1) fully expanded (no name
+ compression via pointers), (2) all domain name letters set to lower
+ case, (3) owner name wild cards in master file form (no substitution
+ made for *), and (4) the original TTL substituted for the current
+ TTL.
+
+
+
+
+
+
+Eastlake Standards Track [Page 36]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+8.2 Canonical DNS Name Order
+
+ For purposes of DNS security, the canonical ordering of owner names
+ is to sort individual labels as unsigned left justified octet strings
+ where the absence of a octet sorts before a zero value octet and
+ upper case letters are treated as lower case letters. Names in a
+ zone are sorted by sorting on the highest level label and then,
+ within those names with the same highest level label by the next
+ lower label, etc. down to leaf node labels. Within a zone, the zone
+ name itself always exists and all other names are the zone name with
+ some prefix of lower level labels. Thus the zone name itself always
+ sorts first.
+
+ Example:
+ foo.example
+ a.foo.example
+ yljkjljk.a.foo.example
+ Z.a.foo.example
+ zABC.a.FOO.EXAMPLE
+ z.foo.example
+ *.z.foo.example
+ \200.z.foo.example
+
+8.3 Canonical RR Ordering Within An RRset
+
+ Within any particular owner name and type, RRs are sorted by RDATA as
+ a left justified unsigned octet sequence where the absence of an
+ octet sorts before the zero octet.
+
+8.4 Canonical Ordering of RR Types
+
+ When RRs of the same name but different types must be ordered, they
+ are ordered by type, considering the type to be an unsigned integer,
+ except that SIG RRs are placed immediately after the type they cover.
+ Thus, for example, an A record would be put before an MX record
+ because A is type 1 and MX is type 15 but if both were signed, the
+ order would be A < SIG(A) < MX < SIG(MX).
+
+9. Conformance
+
+ Levels of server and resolver conformance are defined below.
+
+9.1 Server Conformance
+
+ Two levels of server conformance for DNS security are defined as
+ follows:
+
+
+
+
+
+Eastlake Standards Track [Page 37]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ BASIC: Basic server compliance is the ability to store and retrieve
+ (including zone transfer) SIG, KEY, and NXT RRs. Any secondary or
+ caching server for a secure zone MUST have at least basic compliance
+ and even then some things, such as secure CNAMEs, will not work
+ without full compliance.
+
+ FULL: Full server compliance adds the following to basic compliance:
+ (1) ability to read SIG, KEY, and NXT RRs in zone files and (2)
+ ability, given a zone file and private key, to add appropriate SIG
+ and NXT RRs, possibly via a separate application, (3) proper
+ automatic inclusion of SIG, KEY, and NXT RRs in responses, (4)
+ suppression of CNAME following on retrieval of the security type RRs,
+ (5) recognize the CD query header bit and set the AD query header
+ bit, as appropriate, and (6) proper handling of the two NXT RRs at
+ delegation points. Primary servers for secure zones MUST be fully
+ compliant and for complete secure operation, all secondary, caching,
+ and other servers handling the zone SHOULD be fully compliant as
+ well.
+
+9.2 Resolver Conformance
+
+ Two levels of resolver compliance (including the resolver portion of
+ a server) are defined for DNS Security:
+
+ BASIC: A basic compliance resolver can handle SIG, KEY, and NXT RRs
+ when they are explicitly requested.
+
+ FULL: A fully compliant resolver (1) understands KEY, SIG, and NXT
+ RRs including verification of SIGs at least for the mandatory
+ algorithm, (2) maintains appropriate information in its local caches
+ and database to indicate which RRs have been authenticated and to
+ what extent they have been authenticated, (3) performs additional
+ queries as necessary to attempt to obtain KEY, SIG, or NXT RRs when
+ needed, (4) normally sets the CD query header bit on its queries.
+
+10. Security Considerations
+
+ This document specifies extensions to the Domain Name System (DNS)
+ protocol to provide data integrity and data origin authentication,
+ public key distribution, and optional transaction and request
+ security.
+
+ It should be noted that, at most, these extensions guarantee the
+ validity of resource records, including KEY resource records,
+ retrieved from the DNS. They do not magically solve other security
+ problems. For example, using secure DNS you can have high confidence
+ in the IP address you retrieve for a host name; however, this does
+ not stop someone for substituting an unauthorized host at that
+
+
+
+Eastlake Standards Track [Page 38]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ address or capturing packets sent to that address and falsely
+ responding with packets apparently from that address. Any reasonably
+ complete security system will require the protection of many
+ additional facets of the Internet beyond DNS.
+
+ The implementation of NXT RRs as described herein enables a resolver
+ to determine all the names in a zone even if zone transfers are
+ prohibited (section 5.6). This is an active area of work and may
+ change.
+
+ A number of precautions in DNS implementation have evolved over the
+ years to harden the insecure DNS against spoofing. These precautions
+ should not be abandoned but should be considered to provide
+ additional protection in case of key compromise in secure DNS.
+
+11. IANA Considerations
+
+ KEY RR flag bits 2 and 8-11 and all flag extension field bits can be
+ assigned by IETF consensus as defined in RFC 2434. The remaining
+ values of the NAMTYP flag field and flag bits 4 and 5 (which could
+ conceivably become an extension of the NAMTYP field) can only be
+ assigned by an IETF Standards Action [RFC 2434].
+
+ Algorithm numbers 5 through 251 are available for assignment should
+ sufficient reason arise. However, the designation of a new algorithm
+ could have a major impact on interoperability and requires an IETF
+ Standards Action [RFC 2434]. The existence of the private algorithm
+ types 253 and 254 should satify most needs for private or proprietary
+ algorithms.
+
+ Additional values of the Protocol Octet (5-254) can be assigned by
+ IETF Consensus [RFC 2434].
+
+ The meaning of the first bit of the NXT RR "type bit map" being a one
+ can only be assigned by a standards action.
+
+References
+
+ [RFC 1033] Lottor, M., "Domain Administrators Operations Guide", RFC
+ 1033, November 1987.
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+
+
+
+
+Eastlake Standards Track [Page 39]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ [RFC 1305] Mills, D., "Network Time Protocol (v3)", RFC 1305, March
+ 1992.
+
+ [RFC 1530] Malamud, C. and M. Rose, "Principles of Operation for the
+ TPC.INT Subdomain: General Principles and Policy", RFC
+ 1530, October 1993.
+
+ [RFC 2401] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC
+ 1982, September 1996.
+
+ [RFC 1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [RFC 2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
+ for IPv4, IPv6 and OSI", RFC 2030, October 1996.
+
+ [RFC 2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part One: Format of Internet Message
+ Bodies", RFC 2045, November 1996.
+
+ [RFC 2065] Eastlake, D. and C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, January 1997.
+
+ [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC 2137] Eastlake, D., "Secure Domain Name System Dynamic Update",
+ RFC 2137, April 1997.
+
+ [RFC 2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC 2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2537, March 1999.
+
+ [RFC 2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
+ Domain Name System (DNS)", RFC 2539, March 1999.
+
+
+
+Eastlake Standards Track [Page 40]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ [RFC 2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2536, March 1999.
+
+ [RFC 2538] Eastlake, D. and O. Gudmundsson, "Storing Certificates in
+ the Domain Name System", RFC 2538, March 1999.
+
+ [RFC 2541] Eastlake, D., "DNS Operational Security Considerations",
+ RFC 2541, March 1999.
+
+ [RSA FAQ] - RSADSI Frequently Asked Questions periodic posting.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road
+ RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-784-7913 (w)
+ +1-914-276-2668 (h)
+ Fax: +1-914-784-3833 (w-fax)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 41]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+Appendix A: Base 64 Encoding
+
+ The following encoding technique is taken from [RFC 2045] by N.
+ Borenstein and N. Freed. It is reproduced here in an edited form for
+ convenience.
+
+ A 65-character subset of US-ASCII is used, enabling 6 bits to be
+ represented per printable character. (The extra 65th character, "=",
+ is used to signify a special processing function.)
+
+ The encoding process represents 24-bit groups of input bits as output
+ strings of 4 encoded characters. Proceeding from left to right, a
+ 24-bit input group is formed by concatenating 3 8-bit input groups.
+ These 24 bits are then treated as 4 concatenated 6-bit groups, each
+ of which is translated into a single digit in the base 64 alphabet.
+
+ Each 6-bit group is used as an index into an array of 64 printable
+ characters. The character referenced by the index is placed in the
+ output string.
+
+ Table 1: The Base 64 Alphabet
+
+ Value Encoding Value Encoding Value Encoding Value Encoding
+ 0 A 17 R 34 i 51 z
+ 1 B 18 S 35 j 52 0
+ 2 C 19 T 36 k 53 1
+ 3 D 20 U 37 l 54 2
+ 4 E 21 V 38 m 55 3
+ 5 F 22 W 39 n 56 4
+ 6 G 23 X 40 o 57 5
+ 7 H 24 Y 41 p 58 6
+ 8 I 25 Z 42 q 59 7
+ 9 J 26 a 43 r 60 8
+ 10 K 27 b 44 s 61 9
+ 11 L 28 c 45 t 62 +
+ 12 M 29 d 46 u 63 /
+ 13 N 30 e 47 v
+ 14 O 31 f 48 w (pad) =
+ 15 P 32 g 49 x
+ 16 Q 33 h 50 y
+
+ Special processing is performed if fewer than 24 bits are available
+ at the end of the data being encoded. A full encoding quantum is
+ always completed at the end of a quantity. When fewer than 24 input
+ bits are available in an input group, zero bits are added (on the
+ right) to form an integral number of 6-bit groups. Padding at the
+ end of the data is performed using the '=' character. Since all base
+ 64 input is an integral number of octets, only the following cases
+
+
+
+Eastlake Standards Track [Page 42]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ can arise: (1) the final quantum of encoding input is an integral
+ multiple of 24 bits; here, the final unit of encoded output will be
+ an integral multiple of 4 characters with no "=" padding, (2) the
+ final quantum of encoding input is exactly 8 bits; here, the final
+ unit of encoded output will be two characters followed by two "="
+ padding characters, or (3) the final quantum of encoding input is
+ exactly 16 bits; here, the final unit of encoded output will be three
+ characters followed by one "=" padding character.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 43]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+Appendix B: Changes from RFC 2065
+
+ This section summarizes the most important changes that have been
+ made since RFC 2065.
+
+ 1. Most of Section 7 of [RFC 2065] called "Operational
+ Considerations", has been removed and may be made into a separate
+ document [RFC 2541].
+
+ 2. The KEY RR has been changed by (2a) eliminating the "experimental"
+ flag as unnecessary, (2b) reserving a flag bit for flags
+ expansion, (2c) more compactly encoding a number of bit fields in
+ such a way as to leave unchanged bits actually used by the limited
+ code currently deployed, (2d) eliminating the IPSEC and email flag
+ bits which are replaced by values of the protocol field and adding
+ a protocol field value for DNS security itself, (2e) adding
+ material to indicate that zone KEY RRs occur only at delegation
+ points, and (2f) removing the description of the RSA/MD5 algorithm
+ to a separate document [RFC 2537]. Section 3.4 describing the
+ meaning of various combinations of "no-key" and key present KEY
+ RRs has been added and the secure / unsecure status of a zone has
+ been clarified as being per algorithm.
+
+ 3. The SIG RR has been changed by (3a) renaming the "time signed"
+ field to be the "signature inception" field, (3b) clarifying that
+ signature expiration and inception use serial number ring
+ arithmetic, (3c) changing the definition of the key footprint/tag
+ for algorithms other than 1 and adding Appendix C to specify its
+ calculation. In addition, the SIG covering type AXFR has been
+ eliminated while one covering IXFR [RFC 1995] has been added (see
+ section 5.6).
+
+ 4. Algorithm 3, the DSA algorithm, is now designated as the mandatory
+ to implement algorithm. Algorithm 1, the RSA/MD5 algorithm, is
+ now a recommended option. Algorithm 2 and 4 are designated as the
+ Diffie-Hellman key and elliptic cryptography algorithms
+ respectively, all to be defined in separate documents. Algorithm
+ code point 252 is designated to indicate "indirect" keys, to be
+ defined in a separate document, where the actual key is elsewhere.
+ Both the KEY and SIG RR definitions have been simplified by
+ eliminating the "null" algorithm 253 as defined in [RFC 2065].
+ That algorithm had been included because at the time it was
+ thought it might be useful in DNS dynamic update [RFC 2136]. It
+ was in fact not so used and it is dropped to simplify DNS
+ security. Howver, that algorithm number has been re-used to
+ indicate private algorithms where a domain name specifies the
+ algorithm.
+
+
+
+
+Eastlake Standards Track [Page 44]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+ 5. The NXT RR has been changed so that (5a) the NXT RRs in a zone
+ cover all names, including wildcards as literal names without
+ expansion, except for glue address records whose names would not
+ otherwise appear, (5b) all NXT bit map areas whose first octet has
+ bit zero set have been reserved for future definition, (5c) the
+ number of and circumstances under which an NXT must be returned in
+ connection with wildcard names has been extended, and (5d) in
+ connection with the bit map, references to the WKS RR have been
+ removed and verticle bars ("|") have been added between the RR
+ type mnemonics in the ASCII representation.
+
+ 6. Information on the canonical form and ordering of RRs has been
+ moved into a separate Section 8.
+
+ 7. A subsection covering incremental and full zone transfer has been
+ added in Section 5.
+
+ 8. Concerning DNS chaining: Further specification and policy
+ recommendations on secure resolution have been added, primarily in
+ Section 6.3.1. It is now clearly stated that authenticated data
+ has a validity period of the intersection of the validity periods
+ of the SIG RRs in its authentication chain. The requirement to
+ staticly configure a superzone's key signed by a zone in all of
+ the zone's authoritative servers has been removed. The
+ recommendation to continue DNS security checks in a secure island
+ of DNS data that is separated from other parts of the DNS tree by
+ insecure zones and does not contain a zone for which a key has
+ been staticly configured was dropped.
+
+ 9. It was clarified that the presence of the AD bit in a response
+ does not apply to the additional information section or to glue
+ address or delegation point NS RRs. The AD bit only indicates
+ that the answer and authority sections of the response are
+ authoritative.
+
+ 10. It is now required that KEY RRs and NXT RRs be signed only with
+ zone-level keys.
+
+ 11. Add IANA Considerations section and references to RFC 2434.
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 45]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+Appendix C: Key Tag Calculation
+
+ The key tag field in the SIG RR is just a means of more efficiently
+ selecting the correct KEY RR to use when there is more than one KEY
+ RR candidate available, for example, in verifying a signature. It is
+ possible for more than one candidate key to have the same tag, in
+ which case each must be tried until one works or all fail. The
+ following reference implementation of how to calculate the Key Tag,
+ for all algorithms other than algorithm 1, is in ANSI C. It is coded
+ for clarity, not efficiency. (See section 4.1.6 for how to determine
+ the Key Tag of an algorithm 1 key.)
+
+ /* assumes int is at least 16 bits
+ first byte of the key tag is the most significant byte of return
+ value
+ second byte of the key tag is the least significant byte of
+ return value
+ */
+
+ int keytag (
+
+ unsigned char key[], /* the RDATA part of the KEY RR */
+ unsigned int keysize, /* the RDLENGTH */
+ )
+ {
+ long int ac; /* assumed to be 32 bits or larger */
+
+ for ( ac = 0, i = 0; i < keysize; ++i )
+ ac += (i&1) ? key[i] : key[i]<<8;
+ ac += (ac>>16) & 0xFFFF;
+ return ac & 0xFFFF;
+ }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 46]
+
+RFC 2535 DNS Security Extensions March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 47]
+
diff --git a/contrib/bind9/doc/rfc/rfc2536.txt b/contrib/bind9/doc/rfc/rfc2536.txt
new file mode 100644
index 0000000..88be242
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2536.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group D. EastLake
+Request for Comments: 2536 IBM
+Category: Standards Track March 1999
+
+
+ DSA KEYs and SIGs in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ A standard method for storing US Government Digital Signature
+ Algorithm keys and signatures in the Domain Name System is described
+ which utilizes DNS KEY and SIG resource records.
+
+Table of Contents
+
+ Abstract...................................................1
+ 1. Introduction............................................1
+ 2. DSA KEY Resource Records................................2
+ 3. DSA SIG Resource Records................................3
+ 4. Performance Considerations..............................3
+ 5. Security Considerations.................................4
+ 6. IANA Considerations.....................................4
+ References.................................................5
+ Author's Address...........................................5
+ Full Copyright Statement...................................6
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical replicated
+ distributed database system for Internet addressing, mail proxy, and
+ other information. The DNS has been extended to include digital
+ signatures and cryptographic keys as described in [RFC 2535]. Thus
+ the DNS can now be secured and can be used for secure key
+ distribution.
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2536 DSA in the DNS March 1999
+
+
+ This document describes how to store US Government Digital Signature
+ Algorithm (DSA) keys and signatures in the DNS. Familiarity with the
+ US Digital Signature Algorithm is assumed [Schneier]. Implementation
+ of DSA is mandatory for DNS security.
+
+2. DSA KEY Resource Records
+
+ DSA public keys are stored in the DNS as KEY RRs using algorithm
+ number 3 [RFC 2535]. The structure of the algorithm specific portion
+ of the RDATA part of this RR is as shown below. These fields, from Q
+ through Y are the "public key" part of the DSA KEY RR.
+
+ The period of key validity is not in the KEY RR but is indicated by
+ the SIG RR(s) which signs and authenticates the KEY RR(s) at that
+ domain name.
+
+ Field Size
+ ----- ----
+ T 1 octet
+ Q 20 octets
+ P 64 + T*8 octets
+ G 64 + T*8 octets
+ Y 64 + T*8 octets
+
+ As described in [FIPS 186] and [Schneier]: T is a key size parameter
+ chosen such that 0 <= T <= 8. (The meaning for algorithm 3 if the T
+ octet is greater than 8 is reserved and the remainder of the RDATA
+ portion may have a different format in that case.) Q is a prime
+ number selected at key generation time such that 2**159 < Q < 2**160
+ so Q is always 20 octets long and, as with all other fields, is
+ stored in "big-endian" network order. P, G, and Y are calculated as
+ directed by the FIPS 186 key generation algorithm [Schneier]. P is
+ in the range 2**(511+64T) < P < 2**(512+64T) and so is 64 + 8*T
+ octets long. G and Y are quantities modulus P and so can be up to
+ the same length as P and are allocated fixed size fields with the
+ same number of octets as P.
+
+ During the key generation process, a random number X must be
+ generated such that 1 <= X <= Q-1. X is the private key and is used
+ in the final step of public key generation where Y is computed as
+
+ Y = G**X mod P
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2536 DSA in the DNS March 1999
+
+
+3. DSA SIG Resource Records
+
+ The signature portion of the SIG RR RDATA area, when using the US
+ Digital Signature Algorithm, is shown below with fields in the order
+ they occur. See [RFC 2535] for fields in the SIG RR RDATA which
+ precede the signature itself.
+
+ Field Size
+ ----- ----
+ T 1 octet
+ R 20 octets
+ S 20 octets
+
+ The data signed is determined as specified in [RFC 2535]. Then the
+ following steps are taken, as specified in [FIPS 186], where Q, P, G,
+ and Y are as specified in the public key [Schneier]:
+
+ hash = SHA-1 ( data )
+
+ Generate a random K such that 0 < K < Q.
+
+ R = ( G**K mod P ) mod Q
+
+ S = ( K**(-1) * (hash + X*R) ) mod Q
+
+ Since Q is 160 bits long, R and S can not be larger than 20 octets,
+ which is the space allocated.
+
+ T is copied from the public key. It is not logically necessary in
+ the SIG but is present so that values of T > 8 can more conveniently
+ be used as an escape for extended versions of DSA or other algorithms
+ as later specified.
+
+4. Performance Considerations
+
+ General signature generation speeds are roughly the same for RSA [RFC
+ 2537] and DSA. With sufficient pre-computation, signature generation
+ with DSA is faster than RSA. Key generation is also faster for DSA.
+ However, signature verification is an order of magnitude slower than
+ RSA when the RSA public exponent is chosen to be small as is
+ recommended for KEY RRs used in domain name system (DNS) data
+ authentication.
+
+ Current DNS implementations are optimized for small transfers,
+ typically less than 512 bytes including overhead. While larger
+ transfers will perform correctly and work is underway to make larger
+ transfers more efficient, it is still advisable at this time to make
+ reasonable efforts to minimize the size of KEY RR sets stored within
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2536 DSA in the DNS March 1999
+
+
+ the DNS consistent with adequate security. Keep in mind that in a
+ secure zone, at least one authenticating SIG RR will also be
+ returned.
+
+5. Security Considerations
+
+ Many of the general security consideration in [RFC 2535] apply. Keys
+ retrieved from the DNS should not be trusted unless (1) they have
+ been securely obtained from a secure resolver or independently
+ verified by the user and (2) this secure resolver and secure
+ obtainment or independent verification conform to security policies
+ acceptable to the user. As with all cryptographic algorithms,
+ evaluating the necessary strength of the key is essential and
+ dependent on local policy.
+
+ The key size limitation of a maximum of 1024 bits ( T = 8 ) in the
+ current DSA standard may limit the security of DSA. For particularly
+ critical applications, implementors are encouraged to consider the
+ range of available algorithms and key sizes.
+
+ DSA assumes the ability to frequently generate high quality random
+ numbers. See [RFC 1750] for guidance. DSA is designed so that if
+ manipulated rather than random numbers are used, very high bandwidth
+ covert channels are possible. See [Schneier] and more recent
+ research. The leakage of an entire DSA private key in only two DSA
+ signatures has been demonstrated. DSA provides security only if
+ trusted implementations, including trusted random number generation,
+ are used.
+
+6. IANA Considerations
+
+ Allocation of meaning to values of the T parameter that are not
+ defined herein requires an IETF standards actions. It is intended
+ that values unallocated herein be used to cover future extensions of
+ the DSS standard.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2536 DSA in the DNS March 1999
+
+
+References
+
+ [FIPS 186] U.S. Federal Information Processing Standard: Digital
+ Signature Standard.
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
+ Recommendations for Security", RFC 1750, December 1994.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC 2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2537, March 1999.
+
+ [Schneier] Schneier, B., "Applied Cryptography Second Edition:
+ protocols, algorithms, and source code in C", 1996.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road, RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-276-2668(h)
+ +1-914-784-7913(w)
+ Fax: +1-914-784-3833(w)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2536 DSA in the DNS March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc2537.txt b/contrib/bind9/doc/rfc/rfc2537.txt
new file mode 100644
index 0000000..cb75cf5
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2537.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2537 IBM
+Category: Standards Track March 1999
+
+
+ RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ A standard method for storing RSA keys and and RSA/MD5 based
+ signatures in the Domain Name System is described which utilizes DNS
+ KEY and SIG resource records.
+
+Table of Contents
+
+ Abstract...................................................1
+ 1. Introduction............................................1
+ 2. RSA Public KEY Resource Records.........................2
+ 3. RSA/MD5 SIG Resource Records............................2
+ 4. Performance Considerations..............................3
+ 5. Security Considerations.................................4
+ References.................................................4
+ Author's Address...........................................5
+ Full Copyright Statement...................................6
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical replicated
+ distributed database system for Internet addressing, mail proxy, and
+ other information. The DNS has been extended to include digital
+ signatures and cryptographic keys as described in [RFC 2535]. Thus
+ the DNS can now be secured and used for secure key distribution.
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
+
+
+ This document describes how to store RSA keys and and RSA/MD5 based
+ signatures in the DNS. Familiarity with the RSA algorithm is assumed
+ [Schneier]. Implementation of the RSA algorithm in DNS is
+ recommended.
+
+ The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
+ in this document are to be interpreted as described in RFC 2119.
+
+2. RSA Public KEY Resource Records
+
+ RSA public keys are stored in the DNS as KEY RRs using algorithm
+ number 1 [RFC 2535]. The structure of the algorithm specific portion
+ of the RDATA part of such RRs is as shown below.
+
+ Field Size
+ ----- ----
+ exponent length 1 or 3 octets (see text)
+ exponent as specified by length field
+ modulus remaining space
+
+ For interoperability, the exponent and modulus are each currently
+ limited to 4096 bits in length. The public key exponent is a
+ variable length unsigned integer. Its length in octets is
+ represented as one octet if it is in the range of 1 to 255 and by a
+ zero octet followed by a two octet unsigned length if it is longer
+ than 255 bytes. The public key modulus field is a multiprecision
+ unsigned integer. The length of the modulus can be determined from
+ the RDLENGTH and the preceding RDATA fields including the exponent.
+ Leading zero octets are prohibited in the exponent and modulus.
+
+3. RSA/MD5 SIG Resource Records
+
+ The signature portion of the SIG RR RDATA area, when using the
+ RSA/MD5 algorithm, is calculated as shown below. The data signed is
+ determined as specified in [RFC 2535]. See [RFC 2535] for fields in
+ the SIG RR RDATA which precede the signature itself.
+
+
+ hash = MD5 ( data )
+
+ signature = ( 00 | 01 | FF* | 00 | prefix | hash ) ** e (mod n)
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
+
+
+ where MD5 is the message digest algorithm documented in [RFC 1321],
+ "|" is concatenation, "e" is the private key exponent of the signer,
+ and "n" is the modulus of the signer's public key. 01, FF, and 00
+ are fixed octets of the corresponding hexadecimal value. "prefix" is
+ the ASN.1 BER MD5 algorithm designator prefix specified in [RFC
+ 2437], that is,
+
+ hex 3020300c06082a864886f70d020505000410 [NETSEC].
+
+ This prefix is included to make it easier to use RSAREF (or similar
+ packages such as EuroRef). The FF octet MUST be repeated the maximum
+ number of times such that the value of the quantity being
+ exponentiated is the same length in octets as the value of n.
+
+ (The above specifications are identical to the corresponding part of
+ Public Key Cryptographic Standard #1 [RFC 2437].)
+
+ The size of n, including most and least significant bits (which will
+ be 1) MUST be not less than 512 bits and not more than 4096 bits. n
+ and e SHOULD be chosen such that the public exponent is small.
+
+ Leading zero bytes are permitted in the RSA/MD5 algorithm signature.
+
+ A public exponent of 3 minimizes the effort needed to verify a
+ signature. Use of 3 as the public exponent is weak for
+ confidentiality uses since, if the same data can be collected
+ encrypted under three different keys with an exponent of 3 then,
+ using the Chinese Remainder Theorem [NETSEC], the original plain text
+ can be easily recovered. This weakness is not significant for DNS
+ security because we seek only authentication, not confidentiality.
+
+4. Performance Considerations
+
+ General signature generation speeds are roughly the same for RSA and
+ DSA [RFC 2536]. With sufficient pre-computation, signature
+ generation with DSA is faster than RSA. Key generation is also
+ faster for DSA. However, signature verification is an order of
+ magnitude slower with DSA when the RSA public exponent is chosen to
+ be small as is recommended for KEY RRs used in domain name system
+ (DNS) data authentication.
+
+ Current DNS implementations are optimized for small transfers,
+ typically less than 512 bytes including overhead. While larger
+ transfers will perform correctly and work is underway to make larger
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
+
+
+ transfers more efficient, it is still advisable at this time to make
+ reasonable efforts to minimize the size of KEY RR sets stored within
+ the DNS consistent with adequate security. Keep in mind that in a
+ secure zone, at least one authenticating SIG RR will also be
+ returned.
+
+5. Security Considerations
+
+ Many of the general security consideration in [RFC 2535] apply. Keys
+ retrieved from the DNS should not be trusted unless (1) they have
+ been securely obtained from a secure resolver or independently
+ verified by the user and (2) this secure resolver and secure
+ obtainment or independent verification conform to security policies
+ acceptable to the user. As with all cryptographic algorithms,
+ evaluating the necessary strength of the key is essential and
+ dependent on local policy.
+
+ For interoperability, the RSA key size is limited to 4096 bits. For
+ particularly critical applications, implementors are encouraged to
+ consider the range of available algorithms and key sizes.
+
+References
+
+ [NETSEC] Kaufman, C., Perlman, R. and M. Speciner, "Network
+ Security: PRIVATE Communications in a PUBLIC World",
+ Series in Computer Networking and Distributed
+ Communications, 1995.
+
+ [RFC 2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
+ Specifications Version 2.0", RFC 2437, October 1998.
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC 1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321
+ April 1992.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC 2536] EastLake, D., "DSA KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2536, March 1999.
+
+
+
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
+
+
+ [Schneier] Bruce Schneier, "Applied Cryptography Second Edition:
+ protocols, algorithms, and source code in C", 1996, John
+ Wiley and Sons, ISBN 0-471-11709-9.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road, RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-276-2668(h)
+ +1-914-784-7913(w)
+ Fax: +1-914-784-3833(w)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2537 RSA/MD5 KEYs and SIGs in the DNS March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc2538.txt b/contrib/bind9/doc/rfc/rfc2538.txt
new file mode 100644
index 0000000..c53e3ef
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2538.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2538 IBM
+Category: Standards Track O. Gudmundsson
+ TIS Labs
+ March 1999
+
+
+ Storing Certificates in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ Cryptographic public key are frequently published and their
+ authenticity demonstrated by certificates. A CERT resource record
+ (RR) is defined so that such certificates and related certificate
+ revocation lists can be stored in the Domain Name System (DNS).
+
+Table of Contents
+
+ Abstract...................................................1
+ 1. Introduction............................................2
+ 2. The CERT Resource Record................................2
+ 2.1 Certificate Type Values................................3
+ 2.2 Text Representation of CERT RRs........................4
+ 2.3 X.509 OIDs.............................................4
+ 3. Appropriate Owner Names for CERT RRs....................5
+ 3.1 X.509 CERT RR Names....................................5
+ 3.2 PGP CERT RR Names......................................6
+ 4. Performance Considerations..............................6
+ 5. IANA Considerations.....................................7
+ 6. Security Considerations.................................7
+ References.................................................8
+ Authors' Addresses.........................................9
+ Full Copyright Notice.....................................10
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 1]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+1. Introduction
+
+ Public keys are frequently published in the form of a certificate and
+ their authenticity is commonly demonstrated by certificates and
+ related certificate revocation lists (CRLs). A certificate is a
+ binding, through a cryptographic digital signature, of a public key,
+ a validity interval and/or conditions, and identity, authorization,
+ or other information. A certificate revocation list is a list of
+ certificates that are revoked, and incidental information, all signed
+ by the signer (issuer) of the revoked certificates. Examples are
+ X.509 certificates/CRLs in the X.500 directory system or PGP
+ certificates/revocations used by PGP software.
+
+ Section 2 below specifies a CERT resource record (RR) for the storage
+ of certificates in the Domain Name System.
+
+ Section 3 discusses appropriate owner names for CERT RRs.
+
+ Sections 4, 5, and 6 below cover performance, IANA, and security
+ considerations, respectively.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. The CERT Resource Record
+
+ The CERT resource record (RR) has the structure given below. Its RR
+ type code is 37.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | type | key tag |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | algorithm | /
+ +---------------+ certificate or CRL /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+
+ The type field is the certificate type as define in section 2.1
+ below.
+
+ The algorithm field has the same meaning as the algorithm field in
+ KEY and SIG RRs [RFC 2535] except that a zero algorithm field
+ indicates the algorithm is unknown to a secure DNS, which may simply
+ be the result of the algorithm not having been standardized for
+ secure DNS.
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 2]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+ The key tag field is the 16 bit value computed for the key embedded
+ in the certificate as specified in the DNSSEC Standard [RFC 2535].
+ This field is used as an efficiency measure to pick which CERT RRs
+ may be applicable to a particular key. The key tag can be calculated
+ for the key in question and then only CERT RRs with the same key tag
+ need be examined. However, the key must always be transformed to the
+ format it would have as the public key portion of a KEY RR before the
+ key tag is computed. This is only possible if the key is applicable
+ to an algorithm (and limits such as key size limits) defined for DNS
+ security. If it is not, the algorithm field MUST BE zero and the tag
+ field is meaningless and SHOULD BE zero.
+
+2.1 Certificate Type Values
+
+ The following values are defined or reserved:
+
+ Value Mnemonic Certificate Type
+ ----- -------- ----------- ----
+ 0 reserved
+ 1 PKIX X.509 as per PKIX
+ 2 SPKI SPKI cert
+ 3 PGP PGP cert
+ 4-252 available for IANA assignment
+ 253 URI URI private
+ 254 OID OID private
+ 255-65534 available for IANA assignment
+ 65535 reserved
+
+ The PKIX type is reserved to indicate an X.509 certificate conforming
+ to the profile being defined by the IETF PKIX working group. The
+ certificate section will start with a one byte unsigned OID length
+ and then an X.500 OID indicating the nature of the remainder of the
+ certificate section (see 2.3 below). (NOTE: X.509 certificates do
+ not include their X.500 directory type designating OID as a prefix.)
+
+ The SPKI type is reserved to indicate a certificate formated as to be
+ specified by the IETF SPKI working group.
+
+ The PGP type indicates a Pretty Good Privacy certificate as described
+ in RFC 2440 and its extensions and successors.
+
+ The URI private type indicates a certificate format defined by an
+ absolute URI. The certificate portion of the CERT RR MUST begin with
+ a null terminated URI [RFC 2396] and the data after the null is the
+ private format certificate itself. The URI SHOULD be such that a
+ retrieval from it will lead to documentation on the format of the
+ certificate. Recognition of private certificate types need not be
+ based on URI equality but can use various forms of pattern matching
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 3]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+ so that, for example, subtype or version information can also be
+ encoded into the URI.
+
+ The OID private type indicates a private format certificate specified
+ by a an ISO OID prefix. The certificate section will start with a
+ one byte unsigned OID length and then a BER encoded OID indicating
+ the nature of the remainder of the certificate section. This can be
+ an X.509 certificate format or some other format. X.509 certificates
+ that conform to the IETF PKIX profile SHOULD be indicated by the PKIX
+ type, not the OID private type. Recognition of private certificate
+ types need not be based on OID equality but can use various forms of
+ pattern matching such as OID prefix.
+
+2.2 Text Representation of CERT RRs
+
+ The RDATA portion of a CERT RR has the type field as an unsigned
+ integer or as a mnemonic symbol as listed in section 2.1 above.
+
+ The key tag field is represented as an unsigned integer.
+
+ The algorithm field is represented as an unsigned integer or a
+ mnemonic symbol as listed in [RFC 2535].
+
+ The certificate / CRL portion is represented in base 64 and may be
+ divided up into any number of white space separated substrings, down
+ to single base 64 digits, which are concatenated to obtain the full
+ signature. These substrings can span lines using the standard
+ parenthesis.
+
+ Note that the certificate / CRL portion may have internal sub-fields
+ but these do not appear in the master file representation. For
+ example, with type 254, there will be an OID size, an OID, and then
+ the certificate / CRL proper. But only a single logical base 64
+ string will appear in the text representation.
+
+2.3 X.509 OIDs
+
+ OIDs have been defined in connection with the X.500 directory for
+ user certificates, certification authority certificates, revocations
+ of certification authority, and revocations of user certificates.
+ The following table lists the OIDs, their BER encoding, and their
+ length prefixed hex format for use in CERT RRs:
+
+
+
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 4]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+ id-at-userCertificate
+ = { joint-iso-ccitt(2) ds(5) at(4) 36 }
+ == 0x 03 55 04 24
+ id-at-cACertificate
+ = { joint-iso-ccitt(2) ds(5) at(4) 37 }
+ == 0x 03 55 04 25
+ id-at-authorityRevocationList
+ = { joint-iso-ccitt(2) ds(5) at(4) 38 }
+ == 0x 03 55 04 26
+ id-at-certificateRevocationList
+ = { joint-iso-ccitt(2) ds(5) at(4) 39 }
+ == 0x 03 55 04 27
+
+3. Appropriate Owner Names for CERT RRs
+
+ It is recommended that certificate CERT RRs be stored under a domain
+ name related to their subject, i.e., the name of the entity intended
+ to control the private key corresponding to the public key being
+ certified. It is recommended that certificate revocation list CERT
+ RRs be stored under a domain name related to their issuer.
+
+ Following some of the guidelines below may result in the use in DNS
+ names of characters that require DNS quoting which is to use a
+ backslash followed by the octal representation of the ASCII code for
+ the character such as \000 for NULL.
+
+3.1 X.509 CERT RR Names
+
+ Some X.509 versions permit multiple names to be associated with
+ subjects and issuers under "Subject Alternate Name" and "Issuer
+ Alternate Name". For example, x.509v3 has such Alternate Names with
+ an ASN.1 specification as follows:
+
+ GeneralName ::= CHOICE {
+ otherName [0] INSTANCE OF OTHER-NAME,
+ rfc822Name [1] IA5String,
+ dNSName [2] IA5String,
+ x400Address [3] EXPLICIT OR-ADDRESS.&Type,
+ directoryName [4] EXPLICIT Name,
+ ediPartyName [5] EDIPartyName,
+ uniformResourceIdentifier [6] IA5String,
+ iPAddress [7] OCTET STRING,
+ registeredID [8] OBJECT IDENTIFIER
+ }
+
+ The recommended locations of CERT storage are as follows, in priority
+ order:
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 5]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+ (1) If a domain name is included in the identification in the
+ certificate or CRL, that should be used.
+ (2) If a domain name is not included but an IP address is included,
+ then the translation of that IP address into the appropriate
+ inverse domain name should be used.
+ (3) If neither of the above it used but a URI containing a domain
+ name is present, that domain name should be used.
+ (4) If none of the above is included but a character string name is
+ included, then it should be treated as described for PGP names in
+ 3.2 below.
+ (5) If none of the above apply, then the distinguished name (DN)
+ should be mapped into a domain name as specified in RFC 2247.
+
+ Example 1: Assume that an X.509v3 certificate is issued to /CN=John
+ Doe/DC=Doe/DC=com/DC=xy/O=Doe Inc/C=XY/ with Subject Alternative
+ names of (a) string "John (the Man) Doe", (b) domain name john-
+ doe.com, and (c) uri <https://www.secure.john-doe.com:8080/>. Then
+ the storage locations recommended, in priority order, would be
+ (1) john-doe.com,
+ (2) www.secure.john-doe.com, and
+ (3) Doe.com.xy.
+
+ Example 2: Assume that an X.509v3 certificate is issued to /CN=James
+ Hacker/L=Basingstoke/O=Widget Inc/C=GB/ with Subject Alternate names
+ of (a) domain name widget.foo.example, (b) IPv4 address
+ 10.251.13.201, and (c) string "James Hacker
+ <hacker@mail.widget.foo.example>". Then the storage locations
+ recommended, in priority order, would be
+ (1) widget.foo.example,
+ (2) 201.13.251.10.in-addr.arpa, and
+ (3) hacker.mail.widget.foo.example.
+
+3.2 PGP CERT RR Names
+
+ PGP signed keys (certificates) use a general character string User ID
+ [RFC 2440]. However, it is recommended by PGP that such names include
+ the RFC 822 email address of the party, as in "Leslie Example
+ <Leslie@host.example>". If such a format is used, the CERT should be
+ under the standard translation of the email address into a domain
+ name, which would be leslie.host.example in this case. If no RFC 822
+ name can be extracted from the string name no specific domain name is
+ recommended.
+
+4. Performance Considerations
+
+ Current Domain Name System (DNS) implementations are optimized for
+ small transfers, typically not more than 512 bytes including
+ overhead. While larger transfers will perform correctly and work is
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 6]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+ underway to make larger transfers more efficient, it is still
+ advisable at this time to make every reasonable effort to minimize
+ the size of certificates stored within the DNS. Steps that can be
+ taken may include using the fewest possible optional or extensions
+ fields and using short field values for variable length fields that
+ must be included.
+
+5. IANA Considerations
+
+ Certificate types 0x0000 through 0x00FF and 0xFF00 through 0xFFFF can
+ only be assigned by an IETF standards action [RFC 2434] (and this
+ document assigns 0x0001 through 0x0003 and 0x00FD and 0x00FE).
+ Certificate types 0x0100 through 0xFEFF are assigned through IETF
+ Consensus [RFC 2434] based on RFC documentation of the certificate
+ type. The availability of private types under 0x00FD and 0x00FE
+ should satisfy most requirements for proprietary or private types.
+
+6. Security Considerations
+
+ By definition, certificates contain their own authenticating
+ signature. Thus it is reasonable to store certificates in non-secure
+ DNS zones or to retrieve certificates from DNS with DNS security
+ checking not implemented or deferred for efficiency. The results MAY
+ be trusted if the certificate chain is verified back to a known
+ trusted key and this conforms with the user's security policy.
+
+ Alternatively, if certificates are retrieved from a secure DNS zone
+ with DNS security checking enabled and are verified by DNS security,
+ the key within the retrieved certificate MAY be trusted without
+ verifying the certificate chain if this conforms with the user's
+ security policy.
+
+ CERT RRs are not used in connection with securing the DNS security
+ additions so there are no security considerations related to CERT RRs
+ and securing the DNS itself.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 7]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+References
+
+ RFC 1034 Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ RFC 1035 Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ RFC 2119 Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ RFC 2247 Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.
+ Sataluri, "Using Domains in LDAP/X.500 Distinguished
+ Names", RFC 2247, January 1998.
+
+ RFC 2396 Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform
+ Resource Identifiers (URI): Generic Syntax", RFC 2396,
+ August 1998.
+
+ RFC 2440 Callas, J., Donnerhacke, L., Finney, H. and R. Thayer,
+ "OpenPGP Message Format", RFC 2240, November 1998.
+
+ RFC 2434 Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ RFC 2535 Eastlake, D., "Domain Name System (DNS) Security
+ Extensions", RFC 2535, March 1999.
+
+ RFC 2459 Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and CRL
+ Profile", RFC 2459, January 1999.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 8]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+Authors' Addresses
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road
+ RR#1
+ Carmel, NY 10512 USA
+
+ Phone: +1-914-784-7913 (w)
+ +1-914-276-2668 (h)
+ Fax: +1-914-784-3833 (w-fax)
+ EMail: dee3@us.ibm.com
+
+
+ Olafur Gudmundsson
+ TIS Labs at Network Associates
+ 3060 Washington Rd, Route 97
+ Glenwood MD 21738
+
+ Phone: +1 443-259-2389
+ EMail: ogud@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 9]
+
+RFC 2538 Storing Certificates in the DNS March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake & Gudmundsson Standards Track [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc2539.txt b/contrib/bind9/doc/rfc/rfc2539.txt
new file mode 100644
index 0000000..cf32523
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2539.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2539 IBM
+Category: Standards Track March 1999
+
+
+ Storage of Diffie-Hellman Keys in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ A standard method for storing Diffie-Hellman keys in the Domain Name
+ System is described which utilizes DNS KEY resource records.
+
+Acknowledgements
+
+ Part of the format for Diffie-Hellman keys and the description
+ thereof was taken from a work in progress by:
+
+ Ashar Aziz <ashar.aziz@eng.sun.com>
+ Tom Markson <markson@incog.com>
+ Hemma Prafullchandra <hemma@eng.sun.com>
+
+ In addition, the following person provided useful comments that have
+ been incorporated:
+
+ Ran Atkinson <rja@inet.org>
+ Thomas Narten <narten@raleigh.ibm.com>
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+Table of Contents
+
+ Abstract...................................................1
+ Acknowledgements...........................................1
+ 1. Introduction............................................2
+ 1.1 About This Document....................................2
+ 1.2 About Diffie-Hellman...................................2
+ 2. Diffie-Hellman KEY Resource Records.....................3
+ 3. Performance Considerations..............................4
+ 4. IANA Considerations.....................................4
+ 5. Security Considerations.................................4
+ References.................................................5
+ Author's Address...........................................5
+ Appendix A: Well known prime/generator pairs...............6
+ A.1. Well-Known Group 1: A 768 bit prime..................6
+ A.2. Well-Known Group 2: A 1024 bit prime.................6
+ Full Copyright Notice......................................7
+
+1. Introduction
+
+ The Domain Name System (DNS) is the current global hierarchical
+ replicated distributed database system for Internet addressing, mail
+ proxy, and similar information. The DNS has been extended to include
+ digital signatures and cryptographic keys as described in [RFC 2535].
+ Thus the DNS can now be used for secure key distribution.
+
+1.1 About This Document
+
+ This document describes how to store Diffie-Hellman keys in the DNS.
+ Familiarity with the Diffie-Hellman key exchange algorithm is assumed
+ [Schneier].
+
+1.2 About Diffie-Hellman
+
+ Diffie-Hellman requires two parties to interact to derive keying
+ information which can then be used for authentication. Since DNS SIG
+ RRs are primarily used as stored authenticators of zone information
+ for many different resolvers, no Diffie-Hellman algorithm SIG RR is
+ defined. For example, assume that two parties have local secrets "i"
+ and "j". Assume they each respectively calculate X and Y as follows:
+
+ X = g**i ( mod p ) Y = g**j ( mod p )
+
+ They exchange these quantities and then each calculates a Z as
+ follows:
+
+ Zi = Y**i ( mod p ) Zj = X**j ( mod p )
+
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+ shared secret between the two parties that an adversary who does not
+ know i or j will not be able to learn from the exchanged messages
+ (unless the adversary can derive i or j by performing a discrete
+ logarithm mod p which is hard for strong p and g).
+
+ The private key for each party is their secret i (or j). The public
+ key is the pair p and g, which must be the same for the parties, and
+ their individual X (or Y).
+
+2. Diffie-Hellman KEY Resource Records
+
+ Diffie-Hellman keys are stored in the DNS as KEY RRs using algorithm
+ number 2. The structure of the RDATA portion of this RR is as shown
+ below. The first 4 octets, including the flags, protocol, and
+ algorithm fields are common to all KEY RRs as described in [RFC
+ 2535]. The remainder, from prime length through public value is the
+ "public key" part of the KEY RR. The period of key validity is not in
+ the KEY RR but is indicated by the SIG RR(s) which signs and
+ authenticates the KEY RR(s) at that domain name.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | KEY flags | protocol | algorithm=2 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | prime length (or flag) | prime (p) (or special) /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / prime (p) (variable length) | generator length |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | generator (g) (variable length) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | public value length | public value (variable length)/
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / public value (g^i mod p) (variable length) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ Prime length is length of the Diffie-Hellman prime (p) in bytes if it
+ is 16 or greater. Prime contains the binary representation of the
+ Diffie-Hellman prime with most significant byte first (i.e., in
+ network order). If "prime length" field is 1 or 2, then the "prime"
+ field is actually an unsigned index into a table of 65,536
+ prime/generator pairs and the generator length SHOULD be zero. See
+ Appedix A for defined table entries and Section 4 for information on
+ allocating additional table entries. The meaning of a zero or 3
+ through 15 value for "prime length" is reserved.
+
+
+
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+ Generator length is the length of the generator (g) in bytes.
+ Generator is the binary representation of generator with most
+ significant byte first. PublicValueLen is the Length of the Public
+ Value (g**i (mod p)) in bytes. PublicValue is the binary
+ representation of the DH public value with most significant byte
+ first.
+
+ The corresponding algorithm=2 SIG resource record is not used so no
+ format for it is defined.
+
+3. Performance Considerations
+
+ Current DNS implementations are optimized for small transfers,
+ typically less than 512 bytes including overhead. While larger
+ transfers will perform correctly and work is underway to make larger
+ transfers more efficient, it is still advisable to make reasonable
+ efforts to minimize the size of KEY RR sets stored within the DNS
+ consistent with adequate security. Keep in mind that in a secure
+ zone, an authenticating SIG RR will also be returned.
+
+4. IANA Considerations
+
+ Assignment of meaning to Prime Lengths of 0 and 3 through 15 requires
+ an IETF consensus.
+
+ Well known prime/generator pairs number 0x0000 through 0x07FF can
+ only be assigned by an IETF standards action and this Proposed
+ Standard assigns 0x0001 through 0x0002. Pairs number 0s0800 through
+ 0xBFFF can be assigned based on RFC documentation. Pairs number
+ 0xC000 through 0xFFFF are available for private use and are not
+ centrally coordinated. Use of such private pairs outside of a closed
+ environment may result in conflicts.
+
+5. Security Considerations
+
+ Many of the general security consideration in [RFC 2535] apply. Keys
+ retrieved from the DNS should not be trusted unless (1) they have
+ been securely obtained from a secure resolver or independently
+ verified by the user and (2) this secure resolver and secure
+ obtainment or independent verification conform to security policies
+ acceptable to the user. As with all cryptographic algorithms,
+ evaluating the necessary strength of the key is important and
+ dependent on local policy.
+
+ In addition, the usual Diffie-Hellman key strength considerations
+ apply. (p-1)/2 should also be prime, g should be primitive mod p, p
+ should be "large", etc. [Schneier]
+
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+References
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [Schneier] Bruce Schneier, "Applied Cryptography: Protocols,
+ Algorithms, and Source Code in C", 1996, John Wiley and
+ Sons
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road, RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-276-2668(h)
+ +1-914-784-7913(w)
+ Fax: +1-914-784-3833(w)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+Appendix A: Well known prime/generator pairs
+
+ These numbers are copied from the IPSEC effort where the derivation
+ of these values is more fully explained and additional information is
+ available. Richard Schroeppel performed all the mathematical and
+ computational work for this appendix.
+
+A.1. Well-Known Group 1: A 768 bit prime
+
+ The prime is 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }. Its
+ decimal value is
+ 155251809230070893513091813125848175563133404943451431320235
+ 119490296623994910210725866945387659164244291000768028886422
+ 915080371891804634263272761303128298374438082089019628850917
+ 0691316593175367469551763119843371637221007210577919
+
+ Prime modulus: Length (32 bit words): 24, Data (hex):
+ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+ 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+ EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+ E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
+
+ Generator: Length (32 bit words): 1, Data (hex): 2
+
+A.2. Well-Known Group 2: A 1024 bit prime
+
+ The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.
+ Its decimal value is
+ 179769313486231590770839156793787453197860296048756011706444
+ 423684197180216158519368947833795864925541502180565485980503
+ 646440548199239100050792877003355816639229553136239076508735
+ 759914822574862575007425302077447712589550957937778424442426
+ 617334727629299387668709205606050270810842907692932019128194
+ 467627007
+
+ Prime modulus: Length (32 bit words): 32, Data (hex):
+ FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
+ 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
+ EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
+ E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
+ EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381
+ FFFFFFFF FFFFFFFF
+
+ Generator: Length (32 bit words): 1, Data (hex): 2
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 6]
+
+RFC 2539 Diffie-Hellman Keys in the DNS March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2540.txt b/contrib/bind9/doc/rfc/rfc2540.txt
new file mode 100644
index 0000000..6314806
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2540.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2540 IBM
+Category: Experimental March 1999
+
+
+ Detached Domain Name System (DNS) Information
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. It does not specify an Internet standard of any kind.
+ Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ A standard format is defined for representing detached DNS
+ information. This is anticipated to be of use for storing
+ information retrieved from the Domain Name System (DNS), including
+ security information, in archival contexts or contexts not connected
+ to the Internet.
+
+Table of Contents
+
+ Abstract...................................................1
+ 1. Introduction............................................1
+ 2. General Format..........................................2
+ 2.1 Binary Format..........................................3
+ 2.2. Text Format...........................................4
+ 3. Usage Example...........................................4
+ 4. IANA Considerations.....................................4
+ 5. Security Considerations.................................4
+ References.................................................5
+ Author's Address...........................................5
+ Full Copyright Statement...................................6
+
+1. Introduction
+
+ The Domain Name System (DNS) is a replicated hierarchical distributed
+ database system [RFC 1034, 1035] that can provide highly available
+ service. It provides the operational basis for Internet host name to
+ address translation, automatic SMTP mail routing, and other basic
+ Internet functions. The DNS has been extended as described in [RFC
+ 2535] to permit the general storage of public cryptographic keys in
+
+
+
+Eastlake Experimental [Page 1]
+
+RFC 2540 Detached DNS Information March 1999
+
+
+ the DNS and to enable the authentication of information retrieved
+ from the DNS though digital signatures.
+
+ The DNS was not originally designed for storage of information
+ outside of the active zones and authoritative master files that are
+ part of the connected DNS. However there may be cases where this is
+ useful, particularly in connection with archived security
+ information.
+
+2. General Format
+
+ The formats used for detached Domain Name System (DNS) information
+ are similar to those used for connected DNS information. The primary
+ difference is that elements of the connected DNS system (unless they
+ are an authoritative server for the zone containing the information)
+ are required to count down the Time To Live (TTL) associated with
+ each DNS Resource Record (RR) and discard them (possibly fetching a
+ fresh copy) when the TTL reaches zero. In contrast to this, detached
+ information may be stored in a off-line file, where it can not be
+ updated, and perhaps used to authenticate historic data or it might
+ be received via non-DNS protocols long after it was retrieved from
+ the DNS. Therefore, it is not practical to count down detached DNS
+ information TTL and it may be necessary to keep the data beyond the
+ point where the TTL (which is defined as an unsigned field) would
+ underflow. To preserve information as to the freshness of this
+ detached data, it is accompanied by its retrieval time.
+
+ Whatever retrieves the information from the DNS must associate this
+ retrieval time with it. The retrieval time remains fixed thereafter.
+ When the current time minus the retrieval time exceeds the TTL for
+ any particular detached RR, it is no longer a valid copy within the
+ normal connected DNS scheme. This may make it invalid in context for
+ some detached purposes as well. If the RR is a SIG (signature) RR it
+ also has an expiration time. Regardless of the TTL, it and any RRs
+ it signs can not be considered authenticated after the signature
+ expiration time.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Experimental [Page 2]
+
+RFC 2540 Detached DNS Information March 1999
+
+
+2.1 Binary Format
+
+ The standard binary format for detached DNS information is as
+ follows:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | first retrieval time |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | RR count | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Resource Records (RRs) |
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | next retrieval time |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | RR count | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Resource Records (RRs) |
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / ... /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | hex 20 |
+ +-+-+-+-+-+-+-+-+
+
+ Retrieval time - the time that the immediately following information
+ was obtained from the connected DNS system. It is an unsigned
+ number of seconds since the start of 1 January 1970, GMT,
+ ignoring leap seconds, in network (big-endian) order. Note that
+ this time can not be before the initial proposal of this
+ standard. Therefore, the initial byte of an actual retrieval
+ time, considered as a 32 bit unsigned quantity, would always be
+ larger than 20 hex. The end of detached DNS information is
+ indicated by a "retrieval time" field initial byte equal to 0x20.
+ Use of a "retrieval time" field with a leading unsigned byte of
+ zero indicates a 64 bit (actually 8 leading zero bits plus a 56
+ bit quantity). This 64 bit format will be required when
+ retrieval time is larger than 0xFFFFFFFF, which is some time in
+ the year 2106. The meaning of retrieval times with an initial
+ byte between 0x01 and 0x1F is reserved (see section 5).
+ Retrieval times will not generally be 32 bit aligned with respect
+ to each other due to the variable length nature of RRs.
+
+ RR count - an unsigned integer number (with bytes in network order)
+ of following resource records retrieved at the preceding
+ retrieval time.
+
+
+
+
+
+Eastlake Experimental [Page 3]
+
+RFC 2540 Detached DNS Information March 1999
+
+
+ Resource Records - the actual data which is in the same format as if
+ it were being transmitted in a DNS response. In particular, name
+ compression via pointers is permitted with the origin at the
+ beginning of the particular detached information data section,
+ just after the RR count.
+
+2.2. Text Format
+
+ The standard text format for detached DNS information is as
+ prescribed for zone master files [RFC 1035] except that the $INCLUDE
+ control entry is prohibited and the new $DATE entry is required
+ (unless the information set is empty). $DATE is followed by the date
+ and time that the following information was obtained from the DNS
+ system as described for retrieval time in section 2.1 above. It is
+ in the text format YYYYMMDDHHMMSS where YYYY is the year (which may
+ be more than four digits to cover years after 9999), the first MM is
+ the month number (01-12), DD is the day of the month (01-31), HH is
+ the hour in 24 hours notation (00-23), the second MM is the minute
+ (00-59), and SS is the second (00-59). Thus a $DATE must appear
+ before the first RR and at every change in retrieval time through the
+ detached information.
+
+3. Usage Example
+
+ A document might be authenticated by a key retrieved from the DNS in
+ a KEY resource record (RR). To later prove the authenticity of this
+ document, it would be desirable to preserve the KEY RR for that
+ public key, the SIG RR signing that KEY RR, the KEY RR for the key
+ used to authenticate that SIG, and so on through SIG and KEY RRs
+ until a well known trusted key is reached, perhaps the key for the
+ DNS root or some third party authentication service. (In some cases
+ these KEY RRs will actually be sets of KEY RRs with the same owner
+ and class because SIGs actually sign such record sets.)
+
+ This information could be preserved as a set of detached DNS
+ information blocks.
+
+4. IANA Considerations
+
+ Allocation of meanings to retrieval time fields with a initial byte
+ of between 0x01 and 0x1F requires an IETF consensus.
+
+5. Security Considerations
+
+ The entirety of this document concerns a means to represent detached
+ DNS information. Such detached resource records may be security
+ relevant and/or secured information as described in [RFC 2535]. The
+ detached format provides no overall security for sets of detached
+
+
+
+Eastlake Experimental [Page 4]
+
+RFC 2540 Detached DNS Information March 1999
+
+
+ information or for the association between retrieval time and
+ information. This can be provided by wrapping the detached
+ information format with some other form of signature. However, if
+ the detached information is accompanied by SIG RRs, its validity
+ period is indicated in those SIG RRs so the retrieval time might be
+ of secondary importance.
+
+References
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., " Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road, RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-276-2668(h)
+ +1-914-784-7913(w)
+ Fax: +1-914-784-3833(w)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Experimental [Page 5]
+
+RFC 2540 Detached DNS Information March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Experimental [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc2541.txt b/contrib/bind9/doc/rfc/rfc2541.txt
new file mode 100644
index 0000000..a62ed2b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2541.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake
+Request for Comments: 2541 IBM
+Category: Informational March 1999
+
+
+ DNS Security Operational Considerations
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ Secure DNS is based on cryptographic techniques. A necessary part of
+ the strength of these techniques is careful attention to the
+ operational aspects of key and signature generation, lifetime, size,
+ and storage. In addition, special attention must be paid to the
+ security of the high level zones, particularly the root zone. This
+ document discusses these operational aspects for keys and signatures
+ used in connection with the KEY and SIG DNS resource records.
+
+Acknowledgments
+
+ The contributions and suggestions of the following persons (in
+ alphabetic order) are gratefully acknowledged:
+
+ John Gilmore
+ Olafur Gudmundsson
+ Charlie Kaufman
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Informational [Page 1]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+Table of Contents
+
+ Abstract...................................................1
+ Acknowledgments............................................1
+ 1. Introduction............................................2
+ 2. Public/Private Key Generation...........................2
+ 3. Public/Private Key Lifetimes............................2
+ 4. Public/Private Key Size Considerations..................3
+ 4.1 RSA Key Sizes..........................................3
+ 4.2 DSS Key Sizes..........................................4
+ 5. Private Key Storage.....................................4
+ 6. High Level Zones, The Root Zone, and The Meta-Root Key..5
+ 7. Security Considerations.................................5
+ References.................................................6
+ Author's Address...........................................6
+ Full Copyright Statement...................................7
+
+1. Introduction
+
+ This document describes operational considerations for the
+ generation, lifetime, size, and storage of DNS cryptographic keys and
+ signatures for use in the KEY and SIG resource records [RFC 2535].
+ Particular attention is paid to high level zones and the root zone.
+
+2. Public/Private Key Generation
+
+ Careful generation of all keys is a sometimes overlooked but
+ absolutely essential element in any cryptographically secure system.
+ The strongest algorithms used with the longest keys are still of no
+ use if an adversary can guess enough to lower the size of the likely
+ key space so that it can be exhaustively searched. Technical
+ suggestions for the generation of random keys will be found in [RFC
+ 1750].
+
+ Long term keys are particularly sensitive as they will represent a
+ more valuable target and be subject to attack for a longer time than
+ short period keys. It is strongly recommended that long term key
+ generation occur off-line in a manner isolated from the network via
+ an air gap or, at a minimum, high level secure hardware.
+
+3. Public/Private Key Lifetimes
+
+ No key should be used forever. The longer a key is in use, the
+ greater the probability that it will have been compromised through
+ carelessness, accident, espionage, or cryptanalysis. Furthermore, if
+
+
+
+
+
+
+Eastlake Informational [Page 2]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+ key rollover is a rare event, there is an increased risk that, when
+ the time does come to change the key, no one at the site will
+ remember how to do it or operational problems will have developed in
+ the key rollover procedures.
+
+ While public key lifetime is a matter of local policy, these
+ considerations imply that, unless there are extraordinary
+ circumstances, no long term key should have a lifetime significantly
+ over four years. In fact, a reasonable guideline for long term keys
+ that are kept off-line and carefully guarded is a 13 month lifetime
+ with the intent that they be replaced every year. A reasonable
+ maximum lifetime for keys that are used for transaction security or
+ the like and are kept on line is 36 days with the intent that they be
+ replaced monthly or more often. In many cases, a key lifetime of
+ somewhat over a day may be reasonable.
+
+ On the other hand, public keys with too short a lifetime can lead to
+ excessive resource consumption in re-signing data and retrieving
+ fresh information because cached information becomes stale. In the
+ Internet environment, almost all public keys should have lifetimes no
+ shorter than three minutes, which is a reasonable estimate of maximum
+ packet delay even in unusual circumstances.
+
+4. Public/Private Key Size Considerations
+
+ There are a number of factors that effect public key size choice for
+ use in the DNS security extension. Unfortunately, these factors
+ usually do not all point in the same direction. Choice of zone key
+ size should generally be made by the zone administrator depending on
+ their local conditions.
+
+ For most schemes, larger keys are more secure but slower. In
+ addition, larger keys increase the size of the KEY and SIG RRs. This
+ increases the chance of DNS UDP packet overflow and the possible
+ necessity for using higher overhead TCP in responses.
+
+4.1 RSA Key Sizes
+
+ Given a small public exponent, verification (the most common
+ operation) for the MD5/RSA algorithm will vary roughly with the
+ square of the modulus length, signing will vary with the cube of the
+ modulus length, and key generation (the least common operation) will
+ vary with the fourth power of the modulus length. The current best
+ algorithms for factoring a modulus and breaking RSA security vary
+ roughly with the 1.6 power of the modulus itself. Thus going from a
+ 640 bit modulus to a 1280 bit modulus only increases the verification
+ time by a factor of 4 but may increase the work factor of breaking
+ the key by over 2^900.
+
+
+
+Eastlake Informational [Page 3]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+ The recommended minimum RSA algorithm modulus size is 704 bits which
+ is believed by the author to be secure at this time. But high level
+ zones in the DNS tree may wish to set a higher minimum, perhaps 1000
+ bits, for security reasons. (Since the United States National
+ Security Agency generally permits export of encryption systems using
+ an RSA modulus of up to 512 bits, use of that small a modulus, i.e.
+ n, must be considered weak.)
+
+ For an RSA key used only to secure data and not to secure other keys,
+ 704 bits should be adequate at this time.
+
+4.2 DSS Key Sizes
+
+ DSS keys are probably roughly as strong as an RSA key of the same
+ length but DSS signatures are significantly smaller.
+
+5. Private Key Storage
+
+ It is recommended that, where possible, zone private keys and the
+ zone file master copy be kept and used in off-line, non-network
+ connected, physically secure machines only. Periodically an
+ application can be run to add authentication to a zone by adding SIG
+ and NXT RRs and adding no-key type KEY RRs for subzones/algorithms
+ where a real KEY RR for the subzone with that algorithm is not
+ provided. Then the augmented file can be transferred, perhaps by
+ sneaker-net, to the networked zone primary server machine.
+
+ The idea is to have a one way information flow to the network to
+ avoid the possibility of tampering from the network. Keeping the
+ zone master file on-line on the network and simply cycling it through
+ an off-line signer does not do this. The on-line version could still
+ be tampered with if the host it resides on is compromised. For
+ maximum security, the master copy of the zone file should be off net
+ and should not be updated based on an unsecured network mediated
+ communication.
+
+ This is not possible if the zone is to be dynamically updated
+ securely [RFC 2137]. At least a private key capable of updating the
+ SOA and NXT chain must be on line in that case.
+
+ Secure resolvers must be configured with some trusted on-line public
+ key information (or a secure path to such a resolver) or they will be
+ unable to authenticate. Although on line, this public key
+ information must be protected or it could be altered so that spoofed
+ DNS data would appear authentic.
+
+
+
+
+
+
+Eastlake Informational [Page 4]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+ Non-zone private keys, such as host or user keys, generally have to
+ be kept on line to be used for real-time purposes such as DNS
+ transaction security.
+
+6. High Level Zones, The Root Zone, and The Meta-Root Key
+
+ Higher level zones are generally more sensitive than lower level
+ zones. Anyone controlling or breaking the security of a zone thereby
+ obtains authority over all of its subdomains (except in the case of
+ resolvers that have locally configured the public key of a
+ subdomain). Therefore, extra care should be taken with high level
+ zones and strong keys used.
+
+ The root zone is the most critical of all zones. Someone controlling
+ or compromising the security of the root zone would control the
+ entire DNS name space of all resolvers using that root zone (except
+ in the case of resolvers that have locally configured the public key
+ of a subdomain). Therefore, the utmost care must be taken in the
+ securing of the root zone. The strongest and most carefully handled
+ keys should be used. The root zone private key should always be kept
+ off line.
+
+ Many resolvers will start at a root server for their access to and
+ authentication of DNS data. Securely updating an enormous population
+ of resolvers around the world will be extremely difficult. Yet the
+ guidelines in section 3 above would imply that the root zone private
+ key be changed annually or more often and if it were staticly
+ configured at all these resolvers, it would have to be updated when
+ changed.
+
+ To permit relatively frequent change to the root zone key yet
+ minimize exposure of the ultimate key of the DNS tree, there will be
+ a "meta-root" key used very rarely and then only to sign a sequence
+ of regular root key RRsets with overlapping time validity periods
+ that are to be rolled out. The root zone contains the meta-root and
+ current regular root KEY RR(s) signed by SIG RRs under both the
+ meta-root and other root private key(s) themselves.
+
+ The utmost security in the storage and use of the meta-root key is
+ essential. The exact techniques are precautions to be used are
+ beyond the scope of this document. Because of its special position,
+ it may be best to continue with the same meta-root key for an
+ extended period of time such as ten to fifteen years.
+
+7. Security Considerations
+
+ The entirety of this document is concerned with operational
+ considerations of public/private key pair DNS Security.
+
+
+
+Eastlake Informational [Page 5]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+References
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
+ Requirements for Security", RFC 1750, December 1994.
+
+ [RFC 2065] Eastlake, D. and C. Kaufman, "Domain Name System
+ Security Extensions", RFC 2065, January 1997.
+
+ [RFC 2137] Eastlake, D., "Secure Domain Name System Dynamic
+ Update", RFC 2137, April 1997.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RSA FAQ] RSADSI Frequently Asked Questions periodic posting.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ IBM
+ 65 Shindegan Hill Road, RR #1
+ Carmel, NY 10512
+
+ Phone: +1-914-276-2668(h)
+ +1-914-784-7913(w)
+ Fax: +1-914-784-3833(w)
+ EMail: dee3@us.ibm.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Informational [Page 6]
+
+RFC 2541 DNS Security Operational Considerations March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Informational [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2553.txt b/contrib/bind9/doc/rfc/rfc2553.txt
new file mode 100644
index 0000000..6989bf3
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2553.txt
@@ -0,0 +1,2299 @@
+
+
+
+
+
+
+Network Working Group R. Gilligan
+Request for Comments: 2553 FreeGate
+Obsoletes: 2133 S. Thomson
+Category: Informational Bellcore
+ J. Bound
+ Compaq
+ W. Stevens
+ Consultant
+ March 1999
+
+
+ Basic Socket Interface Extensions for IPv6
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ The de facto standard application program interface (API) for TCP/IP
+ applications is the "sockets" interface. Although this API was
+ developed for Unix in the early 1980s it has also been implemented on
+ a wide variety of non-Unix systems. TCP/IP applications written
+ using the sockets API have in the past enjoyed a high degree of
+ portability and we would like the same portability with IPv6
+ applications. But changes are required to the sockets API to support
+ IPv6 and this memo describes these changes. These include a new
+ socket address structure to carry IPv6 addresses, new address
+ conversion functions, and some new socket options. These extensions
+ are designed to provide access to the basic IPv6 features required by
+ TCP and UDP applications, including multicasting, while introducing a
+ minimum of change into the system and providing complete
+ compatibility for existing IPv4 applications. Additional extensions
+ for advanced IPv6 features (raw sockets and access to the IPv6
+ extension headers) are defined in another document [4].
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 1]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+Table of Contents
+
+ 1. Introduction.................................................3
+ 2. Design Considerations........................................3
+ 2.1 What Needs to be Changed....................................4
+ 2.2 Data Types..................................................5
+ 2.3 Headers.....................................................5
+ 2.4 Structures..................................................5
+ 3. Socket Interface.............................................6
+ 3.1 IPv6 Address Family and Protocol Family.....................6
+ 3.2 IPv6 Address Structure......................................6
+ 3.3 Socket Address Structure for 4.3BSD-Based Systems...........7
+ 3.4 Socket Address Structure for 4.4BSD-Based Systems...........8
+ 3.5 The Socket Functions........................................9
+ 3.6 Compatibility with IPv4 Applications.......................10
+ 3.7 Compatibility with IPv4 Nodes..............................10
+ 3.8 IPv6 Wildcard Address......................................11
+ 3.9 IPv6 Loopback Address......................................12
+ 3.10 Portability Additions.....................................13
+ 4. Interface Identification....................................16
+ 4.1 Name-to-Index..............................................16
+ 4.2 Index-to-Name..............................................17
+ 4.3 Return All Interface Names and Indexes.....................17
+ 4.4 Free Memory................................................18
+ 5. Socket Options..............................................18
+ 5.1 Unicast Hop Limit..........................................18
+ 5.2 Sending and Receiving Multicast Packets....................19
+ 6. Library Functions...........................................21
+ 6.1 Nodename-to-Address Translation............................21
+ 6.2 Address-To-Nodename Translation............................24
+ 6.3 Freeing memory for getipnodebyname and getipnodebyaddr.....26
+ 6.4 Protocol-Independent Nodename and Service Name Translation.26
+ 6.5 Socket Address Structure to Nodename and Service Name......29
+ 6.6 Address Conversion Functions...............................31
+ 6.7 Address Testing Macros.....................................32
+ 7. Summary of New Definitions..................................33
+ 8. Security Considerations.....................................35
+ 9. Year 2000 Considerations....................................35
+ Changes From RFC 2133..........................................35
+ Acknowledgments................................................38
+ References.....................................................39
+ Authors' Addresses.............................................40
+ Full Copyright Statement.......................................41
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 2]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+1. Introduction
+
+ While IPv4 addresses are 32 bits long, IPv6 interfaces are identified
+ by 128-bit addresses. The socket interface makes the size of an IP
+ address quite visible to an application; virtually all TCP/IP
+ applications for BSD-based systems have knowledge of the size of an
+ IP address. Those parts of the API that expose the addresses must be
+ changed to accommodate the larger IPv6 address size. IPv6 also
+ introduces new features (e.g., traffic class and flowlabel), some of
+ which must be made visible to applications via the API. This memo
+ defines a set of extensions to the socket interface to support the
+ larger address size and new features of IPv6.
+
+2. Design Considerations
+
+ There are a number of important considerations in designing changes
+ to this well-worn API:
+
+ - The API changes should provide both source and binary
+ compatibility for programs written to the original API. That
+ is, existing program binaries should continue to operate when
+ run on a system supporting the new API. In addition, existing
+ applications that are re-compiled and run on a system supporting
+ the new API should continue to operate. Simply put, the API
+ changes for IPv6 should not break existing programs. An
+ additonal mechanism for implementations to verify this is to
+ verify the new symbols are protected by Feature Test Macros as
+ described in IEEE Std 1003.1. (Such Feature Test Macros are not
+ defined by this RFC.)
+
+ - The changes to the API should be as small as possible in order
+ to simplify the task of converting existing IPv4 applications to
+ IPv6.
+
+ - Where possible, applications should be able to use this API to
+ interoperate with both IPv6 and IPv4 hosts. Applications should
+ not need to know which type of host they are communicating with.
+
+ - IPv6 addresses carried in data structures should be 64-bit
+ aligned. This is necessary in order to obtain optimum
+ performance on 64-bit machine architectures.
+
+ Because of the importance of providing IPv4 compatibility in the API,
+ these extensions are explicitly designed to operate on machines that
+ provide complete support for both IPv4 and IPv6. A subset of this
+ API could probably be designed for operation on systems that support
+ only IPv6. However, this is not addressed in this memo.
+
+
+
+
+Gilligan, et. al. Informational [Page 3]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+2.1 What Needs to be Changed
+
+ The socket interface API consists of a few distinct components:
+
+ - Core socket functions.
+
+ - Address data structures.
+
+ - Name-to-address translation functions.
+
+ - Address conversion functions.
+
+ The core socket functions -- those functions that deal with such
+ things as setting up and tearing down TCP connections, and sending
+ and receiving UDP packets -- were designed to be transport
+ independent. Where protocol addresses are passed as function
+ arguments, they are carried via opaque pointers. A protocol-specific
+ address data structure is defined for each protocol that the socket
+ functions support. Applications must cast pointers to these
+ protocol-specific address structures into pointers to the generic
+ "sockaddr" address structure when using the socket functions. These
+ functions need not change for IPv6, but a new IPv6-specific address
+ data structure is needed.
+
+ The "sockaddr_in" structure is the protocol-specific data structure
+ for IPv4. This data structure actually includes 8-octets of unused
+ space, and it is tempting to try to use this space to adapt the
+ sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
+ structure is not large enough to hold the 16-octet IPv6 address as
+ well as the other information (address family and port number) that
+ is needed. So a new address data structure must be defined for IPv6.
+
+ IPv6 addresses are scoped [2] so they could be link-local, site,
+ organization, global, or other scopes at this time undefined. To
+ support applications that want to be able to identify a set of
+ interfaces for a specific scope, the IPv6 sockaddr_in structure must
+ support a field that can be used by an implementation to identify a
+ set of interfaces identifying the scope for an IPv6 address.
+
+ The name-to-address translation functions in the socket interface are
+ gethostbyname() and gethostbyaddr(). These are left as is and new
+ functions are defined to support IPv4 and IPv6. Additionally, the
+ POSIX 1003.g draft [3] specifies a new nodename-to-address
+ translation function which is protocol independent. This function
+ can also be used with IPv4 and IPv6.
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 4]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The address conversion functions -- inet_ntoa() and inet_addr() --
+ convert IPv4 addresses between binary and printable form. These
+ functions are quite specific to 32-bit IPv4 addresses. We have
+ designed two analogous functions that convert both IPv4 and IPv6
+ addresses, and carry an address type parameter so that they can be
+ extended to other protocol families as well.
+
+ Finally, a few miscellaneous features are needed to support IPv6.
+ New interfaces are needed to support the IPv6 traffic class, flow
+ label, and hop limit header fields. New socket options are needed to
+ control the sending and receiving of IPv6 multicast packets.
+
+ The socket interface will be enhanced in the future to provide access
+ to other IPv6 features. These extensions are described in [4].
+
+2.2 Data Types
+
+ The data types of the structure elements given in this memo are
+ intended to be examples, not absolute requirements. Whenever
+ possible, data types from Draft 6.6 (March 1997) of POSIX 1003.1g are
+ used: uintN_t means an unsigned integer of exactly N bits (e.g.,
+ uint16_t). We also assume the argument data types from 1003.1g when
+ possible (e.g., the final argument to setsockopt() is a size_t
+ value). Whenever buffer sizes are specified, the POSIX 1003.1 size_t
+ data type is used (e.g., the two length arguments to getnameinfo()).
+
+2.3 Headers
+
+ When function prototypes and structures are shown we show the headers
+ that must be #included to cause that item to be defined.
+
+2.4 Structures
+
+ When structures are described the members shown are the ones that
+ must appear in an implementation. Additional, nonstandard members
+ may also be defined by an implementation. As an additional
+ precaution nonstandard members could be verified by Feature Test
+ Macros as described in IEEE Std 1003.1. (Such Feature Test Macros
+ are not defined by this RFC.)
+
+ The ordering shown for the members of a structure is the recommended
+ ordering, given alignment considerations of multibyte members, but an
+ implementation may order the members differently.
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 5]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+3. Socket Interface
+
+ This section specifies the socket interface changes for IPv6.
+
+3.1 IPv6 Address Family and Protocol Family
+
+ A new address family name, AF_INET6, is defined in <sys/socket.h>.
+ The AF_INET6 definition distinguishes between the original
+ sockaddr_in address data structure, and the new sockaddr_in6 data
+ structure.
+
+ A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
+ Like most of the other protocol family names, this will usually be
+ defined to have the same value as the corresponding address family
+ name:
+
+ #define PF_INET6 AF_INET6
+
+ The PF_INET6 is used in the first argument to the socket() function
+ to indicate that an IPv6 socket is being created.
+
+3.2 IPv6 Address Structure
+
+ A new in6_addr structure holds a single IPv6 address and is defined
+ as a result of including <netinet/in.h>:
+
+ struct in6_addr {
+ uint8_t s6_addr[16]; /* IPv6 address */
+ };
+
+ This data structure contains an array of sixteen 8-bit elements,
+ which make up one 128-bit IPv6 address. The IPv6 address is stored
+ in network byte order.
+
+ The structure in6_addr above is usually implemented with an embedded
+ union with extra fields that force the desired alignment level in a
+ manner similar to BSD implementations of "struct in_addr". Those
+ additional implementation details are omitted here for simplicity.
+
+ An example is as follows:
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 6]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ struct in6_addr {
+ union {
+ uint8_t _S6_u8[16];
+ uint32_t _S6_u32[4];
+ uint64_t _S6_u64[2];
+ } _S6_un;
+ };
+ #define s6_addr _S6_un._S6_u8
+
+3.3 Socket Address Structure for 4.3BSD-Based Systems
+
+ In the socket interface, a different protocol-specific data structure
+ is defined to carry the addresses for each protocol suite. Each
+ protocol- specific data structure is designed so it can be cast into a
+ protocol- independent data structure -- the "sockaddr" structure.
+ Each has a "family" field that overlays the "sa_family" of the
+ sockaddr data structure. This field identifies the type of the data
+ structure.
+
+ The sockaddr_in structure is the protocol-specific address data
+ structure for IPv4. It is used to pass addresses between applications
+ and the system in the socket functions. The following sockaddr_in6
+ structure holds IPv6 addresses and is defined as a result of including
+ the <netinet/in.h> header:
+
+struct sockaddr_in6 {
+ sa_family_t sin6_family; /* AF_INET6 */
+ in_port_t sin6_port; /* transport layer port # */
+ uint32_t sin6_flowinfo; /* IPv6 traffic class & flow info */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ uint32_t sin6_scope_id; /* set of interfaces for a scope */
+};
+
+ This structure is designed to be compatible with the sockaddr data
+ structure used in the 4.3BSD release.
+
+ The sin6_family field identifies this as a sockaddr_in6 structure.
+ This field overlays the sa_family field when the buffer is cast to a
+ sockaddr data structure. The value of this field must be AF_INET6.
+
+ The sin6_port field contains the 16-bit UDP or TCP port number. This
+ field is used in the same way as the sin_port field of the
+ sockaddr_in structure. The port number is stored in network byte
+ order.
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 7]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The sin6_flowinfo field is a 32-bit field that contains two pieces of
+ information: the traffic class and the flow label. The contents and
+ interpretation of this member is specified in [1]. The sin6_flowinfo
+ field SHOULD be set to zero by an implementation prior to using the
+ sockaddr_in6 structure by an application on receive operations.
+
+ The sin6_addr field is a single in6_addr structure (defined in the
+ previous section). This field holds one 128-bit IPv6 address. The
+ address is stored in network byte order.
+
+ The ordering of elements in this structure is specifically designed
+ so that when sin6_addr field is aligned on a 64-bit boundary, the
+ start of the structure will also be aligned on a 64-bit boundary.
+ This is done for optimum performance on 64-bit architectures.
+
+ The sin6_scope_id field is a 32-bit integer that identifies a set of
+ interfaces as appropriate for the scope of the address carried in the
+ sin6_addr field. For a link scope sin6_addr sin6_scope_id would be
+ an interface index. For a site scope sin6_addr, sin6_scope_id would
+ be a site identifier. The mapping of sin6_scope_id to an interface
+ or set of interfaces is left to implementation and future
+ specifications on the subject of site identifiers.
+
+ Notice that the sockaddr_in6 structure will normally be larger than
+ the generic sockaddr structure. On many existing implementations the
+ sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
+ being 16 bytes. Any existing code that makes this assumption needs
+ to be examined carefully when converting to IPv6.
+
+3.4 Socket Address Structure for 4.4BSD-Based Systems
+
+ The 4.4BSD release includes a small, but incompatible change to the
+ socket interface. The "sa_family" field of the sockaddr data
+ structure was changed from a 16-bit value to an 8-bit value, and the
+ space saved used to hold a length field, named "sa_len". The
+ sockaddr_in6 data structure given in the previous section cannot be
+ correctly cast into the newer sockaddr data structure. For this
+ reason, the following alternative IPv6 address data structure is
+ provided to be used on systems based on 4.4BSD. It is defined as a
+ result of including the <netinet/in.h> header.
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 8]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+struct sockaddr_in6 {
+ uint8_t sin6_len; /* length of this struct */
+ sa_family_t sin6_family; /* AF_INET6 */
+ in_port_t sin6_port; /* transport layer port # */
+ uint32_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ uint32_t sin6_scope_id; /* set of interfaces for a scope */
+};
+
+ The only differences between this data structure and the 4.3BSD
+ variant are the inclusion of the length field, and the change of the
+ family field to a 8-bit data type. The definitions of all the other
+ fields are identical to the structure defined in the previous
+ section.
+
+ Systems that provide this version of the sockaddr_in6 data structure
+ must also declare SIN6_LEN as a result of including the
+ <netinet/in.h> header. This macro allows applications to determine
+ whether they are being built on a system that supports the 4.3BSD or
+ 4.4BSD variants of the data structure.
+
+3.5 The Socket Functions
+
+ Applications call the socket() function to create a socket descriptor
+ that represents a communication endpoint. The arguments to the
+ socket() function tell the system which protocol to use, and what
+ format address structure will be used in subsequent functions. For
+ example, to create an IPv4/TCP socket, applications make the call:
+
+ s = socket(PF_INET, SOCK_STREAM, 0);
+
+ To create an IPv4/UDP socket, applications make the call:
+
+ s = socket(PF_INET, SOCK_DGRAM, 0);
+
+ Applications may create IPv6/TCP and IPv6/UDP sockets by simply using
+ the constant PF_INET6 instead of PF_INET in the first argument. For
+ example, to create an IPv6/TCP socket, applications make the call:
+
+ s = socket(PF_INET6, SOCK_STREAM, 0);
+
+ To create an IPv6/UDP socket, applications make the call:
+
+ s = socket(PF_INET6, SOCK_DGRAM, 0);
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 9]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Once the application has created a PF_INET6 socket, it must use the
+ sockaddr_in6 address structure when passing addresses in to the
+ system. The functions that the application uses to pass addresses
+ into the system are:
+
+ bind()
+ connect()
+ sendmsg()
+ sendto()
+
+ The system will use the sockaddr_in6 address structure to return
+ addresses to applications that are using PF_INET6 sockets. The
+ functions that return an address from the system to an application
+ are:
+
+ accept()
+ recvfrom()
+ recvmsg()
+ getpeername()
+ getsockname()
+
+ No changes to the syntax of the socket functions are needed to
+ support IPv6, since all of the "address carrying" functions use an
+ opaque address pointer, and carry an address length as a function
+ argument.
+
+3.6 Compatibility with IPv4 Applications
+
+ In order to support the large base of applications using the original
+ API, system implementations must provide complete source and binary
+ compatibility with the original API. This means that systems must
+ continue to support PF_INET sockets and the sockaddr_in address
+ structure. Applications must be able to create IPv4/TCP and IPv4/UDP
+ sockets using the PF_INET constant in the socket() function, as
+ described in the previous section. Applications should be able to
+ hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
+ sockets simultaneously within the same process.
+
+ Applications using the original API should continue to operate as
+ they did on systems supporting only IPv4. That is, they should
+ continue to interoperate with IPv4 nodes.
+
+3.7 Compatibility with IPv4 Nodes
+
+ The API also provides a different type of compatibility: the ability
+ for IPv6 applications to interoperate with IPv4 applications. This
+ feature uses the IPv4-mapped IPv6 address format defined in the IPv6
+ addressing architecture specification [2]. This address format
+
+
+
+Gilligan, et. al. Informational [Page 10]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ allows the IPv4 address of an IPv4 node to be represented as an IPv6
+ address. The IPv4 address is encoded into the low-order 32 bits of
+ the IPv6 address, and the high-order 96 bits hold the fixed prefix
+ 0:0:0:0:0:FFFF. IPv4- mapped addresses are written as follows:
+
+ ::FFFF:<IPv4-address>
+
+ These addresses can be generated automatically by the
+ getipnodebyname() function when the specified host has only IPv4
+ addresses (as described in Section 6.1).
+
+ Applications may use PF_INET6 sockets to open TCP connections to IPv4
+ nodes, or send UDP packets to IPv4 nodes, by simply encoding the
+ destination's IPv4 address as an IPv4-mapped IPv6 address, and
+ passing that address, within a sockaddr_in6 structure, in the
+ connect() or sendto() call. When applications use PF_INET6 sockets
+ to accept TCP connections from IPv4 nodes, or receive UDP packets
+ from IPv4 nodes, the system returns the peer's address to the
+ application in the accept(), recvfrom(), or getpeername() call using
+ a sockaddr_in6 structure encoded this way.
+
+ Few applications will likely need to know which type of node they are
+ interoperating with. However, for those applications that do need to
+ know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.7, is
+ provided.
+
+3.8 IPv6 Wildcard Address
+
+ While the bind() function allows applications to select the source IP
+ address of UDP packets and TCP connections, applications often want
+ the system to select the source address for them. With IPv4, one
+ specifies the address as the symbolic constant INADDR_ANY (called the
+ "wildcard" address) in the bind() call, or simply omits the bind()
+ entirely.
+
+ Since the IPv6 address type is a structure (struct in6_addr), a
+ symbolic constant can be used to initialize an IPv6 address variable,
+ but cannot be used in an assignment. Therefore systems provide the
+ IPv6 wildcard address in two forms.
+
+ The first version is a global variable named "in6addr_any" that is an
+ in6_addr structure. The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_any;
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 11]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Applications use in6addr_any similarly to the way they use INADDR_ANY
+ in IPv4. For example, to bind a socket to port number 23, but let
+ the system select the source address, an application could use the
+ following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_any; /* structure assignment */
+ . . .
+ if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The other version is a symbolic constant named IN6ADDR_ANY_INIT and
+ is defined in <netinet/in.h>. This constant can be used to
+ initialize an in6_addr structure:
+
+ struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
+
+ Note that this constant can be used ONLY at declaration time. It can
+ not be used to assign a previously declared in6_addr structure. For
+ example, the following code will not work:
+
+ /* This is the WRONG way to assign an unspecified address */
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
+
+ Be aware that the IPv4 INADDR_xxx constants are all defined in host
+ byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
+ in6addr_xxx externals are defined in network byte order.
+
+3.9 IPv6 Loopback Address
+
+ Applications may need to send UDP packets to, or originate TCP
+ connections to, services residing on the local node. In IPv4, they
+ can do this by using the constant IPv4 address INADDR_LOOPBACK in
+ their connect(), sendto(), or sendmsg() call.
+
+ IPv6 also provides a loopback address to contact local TCP and UDP
+ services. Like the unspecified address, the IPv6 loopback address is
+ provided in two forms -- a global variable and a symbolic constant.
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 12]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The global variable is an in6_addr structure named
+ "in6addr_loopback." The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_loopback;
+
+ Applications use in6addr_loopback as they would use INADDR_LOOPBACK
+ in IPv4 applications (but beware of the byte ordering difference
+ mentioned at the end of the previous section). For example, to open
+ a TCP connection to the local telnet server, an application could use
+ the following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_loopback; /* structure assignment */
+ . . .
+ if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
+ in <netinet/in.h>. It can be used at declaration time ONLY; for
+ example:
+
+ struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
+
+ Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
+ to a previously declared IPv6 address variable.
+
+3.10 Portability Additions
+
+ One simple addition to the sockets API that can help application
+ writers is the "struct sockaddr_storage". This data structure can
+ simplify writing code portable across multiple address families and
+ platforms. This data structure is designed with the following goals.
+
+ - It has a large enough implementation specific maximum size to
+ store the desired set of protocol specific socket address data
+ structures. Specifically, it is at least large enough to
+ accommodate sockaddr_in and sockaddr_in6 and possibly other
+ protocol specific socket addresses too.
+ - It is aligned at an appropriate boundary so protocol specific
+ socket address data structure pointers can be cast to it and
+ access their fields without alignment problems. (e.g. pointers
+ to sockaddr_in6 and/or sockaddr_in can be cast to it and access
+ fields without alignment problems).
+
+
+
+Gilligan, et. al. Informational [Page 13]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ - It has the initial field(s) isomorphic to the fields of the
+ "struct sockaddr" data structure on that implementation which
+ can be used as a discriminants for deriving the protocol in use.
+ These initial field(s) would on most implementations either be a
+ single field of type "sa_family_t" (isomorphic to sa_family
+ field, 16 bits) or two fields of type uint8_t and sa_family_t
+ respectively, (isomorphic to sa_len and sa_family_t, 8 bits
+ each).
+
+ An example implementation design of such a data structure would be as
+ follows.
+
+/*
+ * Desired design of maximum size and alignment
+ */
+#define _SS_MAXSIZE 128 /* Implementation specific max size */
+#define _SS_ALIGNSIZE (sizeof (int64_t))
+ /* Implementation specific desired alignment */
+/*
+ * Definitions used for sockaddr_storage structure paddings design.
+ */
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof (sa_family_t))
+#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t)+
+ _SS_PAD1SIZE + _SS_ALIGNSIZE))
+struct sockaddr_storage {
+ sa_family_t __ss_family; /* address family */
+ /* Following fields are implementation specific */
+ char __ss_pad1[_SS_PAD1SIZE];
+ /* 6 byte pad, this is to make implementation
+ /* specific pad up to alignment field that */
+ /* follows explicit in the data structure */
+ int64_t __ss_align; /* field to force desired structure */
+ /* storage alignment */
+ char __ss_pad2[_SS_PAD2SIZE];
+ /* 112 byte pad to achieve desired size, */
+ /* _SS_MAXSIZE value minus size of ss_family */
+ /* __ss_pad1, __ss_align fields is 112 */
+};
+
+ On implementations where sockaddr data structure includes a "sa_len",
+ field this data structure would look like this:
+
+/*
+ * Definitions used for sockaddr_storage structure paddings design.
+ */
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE -
+ (sizeof (uint8_t) + sizeof (sa_family_t))
+#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t)+
+
+
+
+Gilligan, et. al. Informational [Page 14]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ _SS_PAD1SIZE + _SS_ALIGNSIZE))
+struct sockaddr_storage {
+ uint8_t __ss_len; /* address length */
+ sa_family_t __ss_family; /* address family */
+ /* Following fields are implementation specific */
+ char __ss_pad1[_SS_PAD1SIZE];
+ /* 6 byte pad, this is to make implementation
+ /* specific pad up to alignment field that */
+ /* follows explicit in the data structure */
+ int64_t __ss_align; /* field to force desired structure */
+ /* storage alignment */
+ char __ss_pad2[_SS_PAD2SIZE];
+ /* 112 byte pad to achieve desired size, */
+ /* _SS_MAXSIZE value minus size of ss_len, */
+ /* __ss_family, __ss_pad1, __ss_align fields is 112 */
+};
+
+ The above example implementation illustrates a data structure which
+ will align on a 64 bit boundary. An implementation specific field
+ "__ss_align" along "__ss_pad1" is used to force a 64-bit alignment
+ which covers proper alignment good enough for needs of sockaddr_in6
+ (IPv6), sockaddr_in (IPv4) address data structures. The size of
+ padding fields __ss_pad1 depends on the chosen alignment boundary.
+ The size of padding field __ss_pad2 depends on the value of overall
+ size chosen for the total size of the structure. This size and
+ alignment are represented in the above example by implementation
+ specific (not required) constants _SS_MAXSIZE (chosen value 128) and
+ _SS_ALIGNMENT (with chosen value 8). Constants _SS_PAD1SIZE (derived
+ value 6) and _SS_PAD2SIZE (derived value 112) are also for
+ illustration and not required. The implementation specific
+ definitions and structure field names above start with an underscore
+ to denote implementation private namespace. Portable code is not
+ expected to access or reference those fields or constants.
+
+ The sockaddr_storage structure solves the problem of declaring
+ storage for automatic variables which is large enough and aligned
+ enough for storing socket address data structure of any family. For
+ example, code with a file descriptor and without the context of the
+ address family can pass a pointer to a variable of this type where a
+ pointer to a socket address structure is expected in calls such as
+ getpeername() and determine the address family by accessing the
+ received content after the call.
+
+ The sockaddr_storage structure may also be useful and applied to
+ certain other interfaces where a generic socket address large enough
+ and aligned for use with multiple address families may be needed. A
+ discussion of those interfaces is outside the scope of this document.
+
+
+
+
+Gilligan, et. al. Informational [Page 15]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Also, much existing code assumes that any socket address structure
+ can fit in a generic sockaddr structure. While this has been true
+ for IPv4 socket address structures, it has always been false for Unix
+ domain socket address structures (but in practice this has not been a
+ problem) and it is also false for IPv6 socket address structures
+ (which can be a problem).
+
+ So now an application can do the following:
+
+ struct sockaddr_storage __ss;
+ struct sockaddr_in6 *sin6;
+ sin6 = (struct sockaddr_in6 *) &__ss;
+
+4. Interface Identification
+
+ This API uses an interface index (a small positive integer) to
+ identify the local interface on which a multicast group is joined
+ (Section 5.3). Additionally, the advanced API [4] uses these same
+ interface indexes to identify the interface on which a datagram is
+ received, or to specify the interface on which a datagram is to be
+ sent.
+
+ Interfaces are normally known by names such as "le0", "sl1", "ppp2",
+ and the like. On Berkeley-derived implementations, when an interface
+ is made known to the system, the kernel assigns a unique positive
+ integer value (called the interface index) to that interface. These
+ are small positive integers that start at 1. (Note that 0 is never
+ used for an interface index.) There may be gaps so that there is no
+ current interface for a particular positive interface index.
+
+ This API defines two functions that map between an interface name and
+ index, a third function that returns all the interface names and
+ indexes, and a fourth function to return the dynamic memory allocated
+ by the previous function. How these functions are implemented is
+ left up to the implementation. 4.4BSD implementations can implement
+ these functions using the existing sysctl() function with the
+ NET_RT_IFLIST command. Other implementations may wish to use ioctl()
+ for this purpose.
+
+4.1 Name-to-Index
+
+ The first function maps an interface name into its corresponding
+ index.
+
+ #include <net/if.h>
+
+ unsigned int if_nametoindex(const char *ifname);
+
+
+
+
+Gilligan, et. al. Informational [Page 16]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ If the specified interface name does not exist, the return value is
+ 0, and errno is set to ENXIO. If there was a system error (such as
+ running out of memory), the return value is 0 and errno is set to the
+ proper value (e.g., ENOMEM).
+
+4.2 Index-to-Name
+
+ The second function maps an interface index into its corresponding
+ name.
+
+ #include <net/if.h>
+
+ char *if_indextoname(unsigned int ifindex, char *ifname);
+
+ The ifname argument must point to a buffer of at least IF_NAMESIZE
+ bytes into which the interface name corresponding to the specified
+ index is returned. (IF_NAMESIZE is also defined in <net/if.h> and
+ its value includes a terminating null byte at the end of the
+ interface name.) This pointer is also the return value of the
+ function. If there is no interface corresponding to the specified
+ index, NULL is returned, and errno is set to ENXIO, if there was a
+ system error (such as running out of memory), if_indextoname returns
+ NULL and errno would be set to the proper value (e.g., ENOMEM).
+
+4.3 Return All Interface Names and Indexes
+
+ The if_nameindex structure holds the information about a single
+ interface and is defined as a result of including the <net/if.h>
+ header.
+
+ struct if_nameindex {
+ unsigned int if_index; /* 1, 2, ... */
+ char *if_name; /* null terminated name: "le0", ... */
+ };
+
+ The final function returns an array of if_nameindex structures, one
+ structure per interface.
+
+ struct if_nameindex *if_nameindex(void);
+
+ The end of the array of structures is indicated by a structure with
+ an if_index of 0 and an if_name of NULL. The function returns a NULL
+ pointer upon an error, and would set errno to the appropriate value.
+
+ The memory used for this array of structures along with the interface
+ names pointed to by the if_name members is obtained dynamically.
+ This memory is freed by the next function.
+
+
+
+
+Gilligan, et. al. Informational [Page 17]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+4.4 Free Memory
+
+ The following function frees the dynamic memory that was allocated by
+ if_nameindex().
+
+ #include <net/if.h>
+
+ void if_freenameindex(struct if_nameindex *ptr);
+
+ The argument to this function must be a pointer that was returned by
+ if_nameindex().
+
+ Currently net/if.h doesn't have prototype definitions for functions
+ and it is recommended that these definitions be defined in net/if.h
+ as well and the struct if_nameindex{}.
+
+5. Socket Options
+
+ A number of new socket options are defined for IPv6. All of these
+ new options are at the IPPROTO_IPV6 level. That is, the "level"
+ parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
+ when using these options. The constant name prefix IPV6_ is used in
+ all of the new socket options. This serves to clearly identify these
+ options as applying to IPv6.
+
+ The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
+ related constants defined in this section are obtained by including
+ the header <netinet/in.h>.
+
+5.1 Unicast Hop Limit
+
+ A new setsockopt() option controls the hop limit used in outgoing
+ unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
+ and it is used at the IPPROTO_IPV6 layer. The following example
+ illustrates how it is used:
+
+ int hoplimit = 10;
+
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, sizeof(hoplimit)) == -1)
+ perror("setsockopt IPV6_UNICAST_HOPS");
+
+ When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
+ option value given is used as the hop limit for all subsequent
+ unicast packets sent via that socket. If the option is not set, the
+ system selects a default value. The integer hop limit value (called
+ x) is interpreted as follows:
+
+
+
+
+Gilligan, et. al. Informational [Page 18]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+ The IPV6_UNICAST_HOPS option may be used with getsockopt() to
+ determine the hop limit value that the system will use for subsequent
+ unicast packets sent via that socket. For example:
+
+ int hoplimit;
+ size_t len = sizeof(hoplimit);
+
+ if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, &len) == -1)
+ perror("getsockopt IPV6_UNICAST_HOPS");
+ else
+ printf("Using %d for hop limit.\n", hoplimit);
+
+5.2 Sending and Receiving Multicast Packets
+
+ IPv6 applications may send UDP multicast packets by simply specifying
+ an IPv6 multicast address in the address argument of the sendto()
+ function.
+
+ Three socket options at the IPPROTO_IPV6 layer control some of the
+ parameters for sending multicast packets. Setting these options is
+ not required: applications may send multicast packets without using
+ these options. The setsockopt() options for controlling the sending
+ of multicast packets are summarized below. These three options can
+ also be used with getsockopt().
+
+ IPV6_MULTICAST_IF
+
+ Set the interface to use for outgoing multicast packets. The
+ argument is the index of the interface to use.
+
+ Argument type: unsigned int
+
+ IPV6_MULTICAST_HOPS
+
+ Set the hop limit to use for outgoing multicast packets. (Note
+ a separate option - IPV6_UNICAST_HOPS - is provided to set the
+ hop limit to use for outgoing unicast packets.)
+
+ The interpretation of the argument is the same as for the
+ IPV6_UNICAST_HOPS option:
+
+
+
+
+
+Gilligan, et. al. Informational [Page 19]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+ If IPV6_MULTICAST_HOPS is not set, the default is 1
+ (same as IPv4 today)
+
+ Argument type: int
+
+ IPV6_MULTICAST_LOOP
+
+ If a multicast datagram is sent to a group to which the sending
+ host itself belongs (on the outgoing interface), a copy of the
+ datagram is looped back by the IP layer for local delivery if
+ this option is set to 1. If this option is set to 0 a copy
+ is not looped back. Other option values return an error of
+ EINVAL.
+
+ If IPV6_MULTICAST_LOOP is not set, the default is 1 (loopback;
+ same as IPv4 today).
+
+ Argument type: unsigned int
+
+ The reception of multicast packets is controlled by the two
+ setsockopt() options summarized below. An error of EOPNOTSUPP is
+ returned if these two options are used with getsockopt().
+
+ IPV6_JOIN_GROUP
+
+ Join a multicast group on a specified local interface. If the
+ interface index is specified as 0, the kernel chooses the local
+ interface. For example, some kernels look up the multicast
+ group in the normal IPv6 routing table and using the resulting
+ interface.
+
+ Argument type: struct ipv6_mreq
+
+ IPV6_LEAVE_GROUP
+
+ Leave a multicast group on a specified interface.
+
+ Argument type: struct ipv6_mreq
+
+ The argument type of both of these options is the ipv6_mreq structure,
+ defined as a result of including the <netinet/in.h> header;
+
+
+
+
+
+Gilligan, et. al. Informational [Page 20]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ struct ipv6_mreq {
+ struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
+ unsigned int ipv6mr_interface; /* interface index */
+ };
+
+ Note that to receive multicast datagrams a process must join the
+ multicast group and bind the UDP port to which datagrams will be
+ sent. Some processes also bind the multicast group address to the
+ socket, in addition to the port, to prevent other datagrams destined
+ to that same port from being delivered to the socket.
+
+6. Library Functions
+
+ New library functions are needed to perform a variety of operations
+ with IPv6 addresses. Functions are needed to lookup IPv6 addresses
+ in the Domain Name System (DNS). Both forward lookup (nodename-to-
+ address translation) and reverse lookup (address-to-nodename
+ translation) need to be supported. Functions are also needed to
+ convert IPv6 addresses between their binary and textual form.
+
+ We note that the two existing functions, gethostbyname() and
+ gethostbyaddr(), are left as-is. New functions are defined to handle
+ both IPv4 and IPv6 addresses.
+
+6.1 Nodename-to-Address Translation
+
+ The commonly used function gethostbyname() is inadequate for many
+ applications, first because it provides no way for the caller to
+ specify anything about the types of addresses desired (IPv4 only,
+ IPv6 only, IPv4-mapped IPv6 are OK, etc.), and second because many
+ implementations of this function are not thread safe. RFC 2133
+ defined a function named gethostbyname2() but this function was also
+ inadequate, first because its use required setting a global option
+ (RES_USE_INET6) when IPv6 addresses were required, and second because
+ a flag argument is needed to provide the caller with additional
+ control over the types of addresses required.
+
+ The following function is new and must be thread safe:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ struct hostent *getipnodebyname(const char *name, int af, int flags
+ int *error_num);
+
+ The name argument can be either a node name or a numeric address
+ string (i.e., a dotted-decimal IPv4 address or an IPv6 hex address).
+ The af argument specifies the address family, either AF_INET or
+
+
+
+Gilligan, et. al. Informational [Page 21]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ AF_INET6. The error_num value is returned to the caller, via a
+ pointer, with the appropriate error code in error_num, to support
+ thread safe error code returns. error_num will be set to one of the
+ following values:
+
+ HOST_NOT_FOUND
+
+ No such host is known.
+
+ NO_ADDRESS
+
+ The server recognised the request and the name but no address is
+ available. Another type of request to the name server for the
+ domain might return an answer.
+
+ NO_RECOVERY
+
+ An unexpected server failure occurred which cannot be recovered.
+
+ TRY_AGAIN
+
+ A temporary and possibly transient error occurred, such as a
+ failure of a server to respond.
+
+ The flags argument specifies the types of addresses that are searched
+ for, and the types of addresses that are returned. We note that a
+ special flags value of AI_DEFAULT (defined below) should handle most
+ applications.
+
+ That is, porting simple applications to use IPv6 replaces the call
+
+ hptr = gethostbyname(name);
+
+ with
+
+ hptr = getipnodebyname(name, AF_INET6, AI_DEFAULT, &error_num);
+
+ and changes any subsequent error diagnosis code to use error_num
+ instead of externally declared variables, such as h_errno.
+
+ Applications desiring finer control over the types of addresses
+ searched for and returned, can specify other combinations of the
+ flags argument.
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 22]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ A flags of 0 implies a strict interpretation of the af argument:
+
+ - If flags is 0 and af is AF_INET, then the caller wants only
+ IPv4 addresses. A query is made for A records. If successful,
+ the IPv4 addresses are returned and the h_length member of the
+ hostent structure will be 4, else the function returns a NULL
+ pointer.
+
+ - If flags is 0 and if af is AF_INET6, then the caller wants only
+ IPv6 addresses. A query is made for AAAA records. If
+ successful, the IPv6 addresses are returned and the h_length
+ member of the hostent structure will be 16, else the function
+ returns a NULL pointer.
+
+ Other constants can be logically-ORed into the flags argument, to
+ modify the behavior of the function.
+
+ - If the AI_V4MAPPED flag is specified along with an af of
+ AF_INET6, then the caller will accept IPv4-mapped IPv6
+ addresses. That is, if no AAAA records are found then a query
+ is made for A records and any found are returned as IPv4-mapped
+ IPv6 addresses (h_length will be 16). The AI_V4MAPPED flag is
+ ignored unless af equals AF_INET6.
+
+ - The AI_ALL flag is used in conjunction with the AI_V4MAPPED
+ flag, and is only used with the IPv6 address family. When AI_ALL
+ is logically or'd with AI_V4MAPPED flag then the caller wants
+ all addresses: IPv6 and IPv4-mapped IPv6. A query is first made
+ for AAAA records and if successful, the IPv6 addresses are
+ returned. Another query is then made for A records and any found
+ are returned as IPv4-mapped IPv6 addresses. h_length will be 16.
+ Only if both queries fail does the function return a NULL pointer.
+ This flag is ignored unless af equals AF_INET6.
+
+ - The AI_ADDRCONFIG flag specifies that a query for AAAA records
+ should occur only if the node has at least one IPv6 source
+ address configured and a query for A records should occur only
+ if the node has at least one IPv4 source address configured.
+
+ For example, if the node has no IPv6 source addresses
+ configured, and af equals AF_INET6, and the node name being
+ looked up has both AAAA and A records, then:
+
+ (a) if only AI_ADDRCONFIG is specified, the function
+ returns a NULL pointer;
+ (b) if AI_ADDRCONFIG | AI_V4MAPPED is specified, the A
+ records are returned as IPv4-mapped IPv6 addresses;
+
+
+
+
+Gilligan, et. al. Informational [Page 23]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The special flags value of AI_DEFAULT is defined as
+
+ #define AI_DEFAULT (AI_V4MAPPED | AI_ADDRCONFIG)
+
+ We noted that the getipnodebyname() function must allow the name
+ argument to be either a node name or a literal address string (i.e.,
+ a dotted-decimal IPv4 address or an IPv6 hex address). This saves
+ applications from having to call inet_pton() to handle literal
+ address strings.
+
+ There are four scenarios based on the type of literal address string
+ and the value of the af argument.
+
+ The two simple cases are:
+
+ When name is a dotted-decimal IPv4 address and af equals AF_INET, or
+ when name is an IPv6 hex address and af equals AF_INET6. The members
+ of the returned hostent structure are: h_name points to a copy of the
+ name argument, h_aliases is a NULL pointer, h_addrtype is a copy of
+ the af argument, h_length is either 4 (for AF_INET) or 16 (for
+ AF_INET6), h_addr_list[0] is a pointer to the 4-byte or 16-byte
+ binary address, and h_addr_list[1] is a NULL pointer.
+
+ When name is a dotted-decimal IPv4 address and af equals AF_INET6,
+ and flags equals AI_V4MAPPED, an IPv4-mapped IPv6 address is
+ returned: h_name points to an IPv6 hex address containing the IPv4-
+ mapped IPv6 address, h_aliases is a NULL pointer, h_addrtype is
+ AF_INET6, h_length is 16, h_addr_list[0] is a pointer to the 16-byte
+ binary address, and h_addr_list[1] is a NULL pointer. If AI_V4MAPPED
+ is set (with or without AI_ALL) return IPv4-mapped otherwise return
+ NULL.
+
+ It is an error when name is an IPv6 hex address and af equals
+ AF_INET. The function's return value is a NULL pointer and error_num
+ equals HOST_NOT_FOUND.
+
+6.2 Address-To-Nodename Translation
+
+ The following function has the same arguments as the existing
+ gethostbyaddr() function, but adds an error number.
+
+ #include <sys/socket.h> #include <netdb.h>
+
+ struct hostent *getipnodebyaddr(const void *src, size_t len,
+ int af, int *error_num);
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 24]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ As with getipnodebyname(), getipnodebyaddr() must be thread safe.
+ The error_num value is returned to the caller with the appropriate
+ error code, to support thread safe error code returns. The following
+ error conditions may be returned for error_num:
+
+ HOST_NOT_FOUND
+
+ No such host is known.
+
+ NO_ADDRESS
+
+ The server recognized the request and the name but no address
+ is available. Another type of request to the name server for
+ the domain might return an answer.
+
+ NO_RECOVERY
+
+ An unexpected server failure occurred which cannot be
+ recovered.
+
+ TRY_AGAIN
+
+ A temporary and possibly transient error occurred, such as a
+ failure of a server to respond.
+
+ One possible source of confusion is the handling of IPv4-mapped IPv6
+ addresses and IPv4-compatible IPv6 addresses, but the following logic
+ should apply.
+
+ 1. If af is AF_INET6, and if len equals 16, and if the IPv6
+ address is an IPv4-mapped IPv6 address or an IPv4-compatible
+ IPv6 address, then skip over the first 12 bytes of the IPv6
+ address, set af to AF_INET, and set len to 4.
+
+ 2. If af is AF_INET, lookup the name for the given IPv4 address
+ (e.g., query for a PTR record in the in-addr.arpa domain).
+
+ 3. If af is AF_INET6, lookup the name for the given IPv6 address
+ (e.g., query for a PTR record in the ip6.int domain).
+
+ 4. If the function is returning success, then the single address
+ that is returned in the hostent structure is a copy of the
+ first argument to the function with the same address family
+ that was passed as an argument to this function.
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 25]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ All four steps listed are performed, in order. Also note that the
+ IPv6 hex addresses "::" and "::1" MUST NOT be treated as IPv4-
+ compatible addresses, and if the address is "::", HOST_NOT_FOUND MUST
+ be returned and a query of the address not performed.
+
+ Also for the macro in section 6.7 IN6_IS_ADDR_V4COMPAT MUST return
+ false for "::" and "::1".
+
+6.3 Freeing memory for getipnodebyname and getipnodebyaddr
+
+ The hostent structure does not change from its existing definition.
+ This structure, and the information pointed to by this structure, are
+ dynamically allocated by getipnodebyname and getipnodebyaddr. The
+ following function frees this memory:
+
+ #include <netdb.h>
+
+ void freehostent(struct hostent *ptr);
+
+6.4 Protocol-Independent Nodename and Service Name Translation
+
+ Nodename-to-address translation is done in a protocol-independent
+ fashion using the getaddrinfo() function that is taken from the
+ Institute of Electrical and Electronic Engineers (IEEE) POSIX 1003.1g
+ (Protocol Independent Interfaces) draft specification [3].
+
+ The official specification for this function will be the final POSIX
+ standard, with the following additional requirements:
+
+ - getaddrinfo() (along with the getnameinfo() function described
+ in the next section) must be thread safe.
+
+ - The AI_NUMERICHOST is new with this document.
+
+ - All fields in socket address structures returned by
+ getaddrinfo() that are not filled in through an explicit
+ argument (e.g., sin6_flowinfo and sin_zero) must be set to 0.
+ (This makes it easier to compare socket address structures.)
+
+ - getaddrinfo() must fill in the length field of a socket address
+ structure (e.g., sin6_len) on systems that support this field.
+
+ We are providing this independent description of the function because
+ POSIX standards are not freely available (as are IETF documents).
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+
+
+
+Gilligan, et. al. Informational [Page 26]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ int getaddrinfo(const char *nodename, const char *servname,
+ const struct addrinfo *hints,
+ struct addrinfo **res);
+
+ The addrinfo structure is defined as a result of including the
+ <netdb.h> header.
+
+ struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME, AI_NUMERICHOST */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for nodename */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+ };
+
+ The return value from the function is 0 upon success or a nonzero
+ error code. The following names are the nonzero error codes from
+ getaddrinfo(), and are defined in <netdb.h>:
+
+ EAI_ADDRFAMILY address family for nodename not supported
+ EAI_AGAIN temporary failure in name resolution
+ EAI_BADFLAGS invalid value for ai_flags
+ EAI_FAIL non-recoverable failure in name resolution
+ EAI_FAMILY ai_family not supported
+ EAI_MEMORY memory allocation failure
+ EAI_NODATA no address associated with nodename
+ EAI_NONAME nodename nor servname provided, or not known
+ EAI_SERVICE servname not supported for ai_socktype
+ EAI_SOCKTYPE ai_socktype not supported
+ EAI_SYSTEM system error returned in errno
+
+ The nodename and servname arguments are pointers to null-terminated
+ strings or NULL. One or both of these two arguments must be a non-
+ NULL pointer. In the normal client scenario, both the nodename and
+ servname are specified. In the normal server scenario, only the
+ servname is specified. A non-NULL nodename string can be either a
+ node name or a numeric host address string (i.e., a dotted-decimal
+ IPv4 address or an IPv6 hex address). A non-NULL servname string can
+ be either a service name or a decimal port number.
+
+ The caller can optionally pass an addrinfo structure, pointed to by
+ the third argument, to provide hints concerning the type of socket
+ that the caller supports. In this hints structure all members other
+ than ai_flags, ai_family, ai_socktype, and ai_protocol must be zero
+ or a NULL pointer. A value of PF_UNSPEC for ai_family means the
+
+
+
+Gilligan, et. al. Informational [Page 27]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ caller will accept any protocol family. A value of 0 for ai_socktype
+ means the caller will accept any socket type. A value of 0 for
+ ai_protocol means the caller will accept any protocol. For example,
+ if the caller handles only TCP and not UDP, then the ai_socktype
+ member of the hints structure should be set to SOCK_STREAM when
+ getaddrinfo() is called. If the caller handles only IPv4 and not
+ IPv6, then the ai_family member of the hints structure should be set
+ to PF_INET when getaddrinfo() is called. If the third argument to
+ getaddrinfo() is a NULL pointer, this is the same as if the caller
+ had filled in an addrinfo structure initialized to zero with
+ ai_family set to PF_UNSPEC.
+
+ Upon successful return a pointer to a linked list of one or more
+ addrinfo structures is returned through the final argument. The
+ caller can process each addrinfo structure in this list by following
+ the ai_next pointer, until a NULL pointer is encountered. In each
+ returned addrinfo structure the three members ai_family, ai_socktype,
+ and ai_protocol are the corresponding arguments for a call to the
+ socket() function. In each addrinfo structure the ai_addr member
+ points to a filled-in socket address structure whose length is
+ specified by the ai_addrlen member.
+
+ If the AI_PASSIVE bit is set in the ai_flags member of the hints
+ structure, then the caller plans to use the returned socket address
+ structure in a call to bind(). In this case, if the nodename
+ argument is a NULL pointer, then the IP address portion of the socket
+ address structure will be set to INADDR_ANY for an IPv4 address or
+ IN6ADDR_ANY_INIT for an IPv6 address.
+
+ If the AI_PASSIVE bit is not set in the ai_flags member of the hints
+ structure, then the returned socket address structure will be ready
+ for a call to connect() (for a connection-oriented protocol) or
+ either connect(), sendto(), or sendmsg() (for a connectionless
+ protocol). In this case, if the nodename argument is a NULL pointer,
+ then the IP address portion of the socket address structure will be
+ set to the loopback address.
+
+ If the AI_CANONNAME bit is set in the ai_flags member of the hints
+ structure, then upon successful return the ai_canonname member of the
+ first addrinfo structure in the linked list will point to a null-
+ terminated string containing the canonical name of the specified
+ nodename.
+
+ If the AI_NUMERICHOST bit is set in the ai_flags member of the hints
+ structure, then a non-NULL nodename string must be a numeric host
+ address string. Otherwise an error of EAI_NONAME is returned. This
+ flag prevents any type of name resolution service (e.g., the DNS)
+ from being called.
+
+
+
+Gilligan, et. al. Informational [Page 28]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ All of the information returned by getaddrinfo() is dynamically
+ allocated: the addrinfo structures, and the socket address structures
+ and canonical node name strings pointed to by the addrinfo
+ structures. To return this information to the system the function
+ freeaddrinfo() is called:
+
+ #include <sys/socket.h> #include <netdb.h>
+
+ void freeaddrinfo(struct addrinfo *ai);
+
+ The addrinfo structure pointed to by the ai argument is freed, along
+ with any dynamic storage pointed to by the structure. This operation
+ is repeated until a NULL ai_next pointer is encountered.
+
+ To aid applications in printing error messages based on the EAI_xxx
+ codes returned by getaddrinfo(), the following function is defined.
+
+ #include <sys/socket.h> #include <netdb.h>
+
+ char *gai_strerror(int ecode);
+
+ The argument is one of the EAI_xxx values defined earlier and the
+ return value points to a string describing the error. If the
+ argument is not one of the EAI_xxx values, the function still returns
+ a pointer to a string whose contents indicate an unknown error.
+
+6.5 Socket Address Structure to Nodename and Service Name
+
+ The POSIX 1003.1g specification includes no function to perform the
+ reverse conversion from getaddrinfo(): to look up a nodename and
+ service name, given the binary address and port. Therefore, we
+ define the following function:
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ int getnameinfo(const struct sockaddr *sa, socklen_t salen,
+ char *host, size_t hostlen,
+ char *serv, size_t servlen,
+ int flags);
+
+ This function looks up an IP address and port number provided by the
+ caller in the DNS and system-specific database, and returns text
+ strings for both in buffers provided by the caller. The function
+ indicates successful completion by a zero return value; a non-zero
+ return value indicates failure.
+
+
+
+
+
+Gilligan, et. al. Informational [Page 29]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The first argument, sa, points to either a sockaddr_in structure (for
+ IPv4) or a sockaddr_in6 structure (for IPv6) that holds the IP
+ address and port number. The salen argument gives the length of the
+ sockaddr_in or sockaddr_in6 structure.
+
+ The function returns the nodename associated with the IP address in
+ the buffer pointed to by the host argument. The caller provides the
+ size of this buffer via the hostlen argument. The service name
+ associated with the port number is returned in the buffer pointed to
+ by serv, and the servlen argument gives the length of this buffer.
+ The caller specifies not to return either string by providing a zero
+ value for the hostlen or servlen arguments. Otherwise, the caller
+ must provide buffers large enough to hold the nodename and the
+ service name, including the terminating null characters.
+
+ Unfortunately most systems do not provide constants that specify the
+ maximum size of either a fully-qualified domain name or a service
+ name. Therefore to aid the application in allocating buffers for
+ these two returned strings the following constants are defined in
+ <netdb.h>:
+
+ #define NI_MAXHOST 1025
+ #define NI_MAXSERV 32
+
+ The first value is actually defined as the constant MAXDNAME in recent
+ versions of BIND's <arpa/nameser.h> header (older versions of BIND
+ define this constant to be 256) and the second is a guess based on the
+ services listed in the current Assigned Numbers RFC.
+
+ The final argument is a flag that changes the default actions of this
+ function. By default the fully-qualified domain name (FQDN) for the
+ host is looked up in the DNS and returned. If the flag bit NI_NOFQDN
+ is set, only the nodename portion of the FQDN is returned for local
+ hosts.
+
+ If the flag bit NI_NUMERICHOST is set, or if the host's name cannot be
+ located in the DNS, the numeric form of the host's address is returned
+ instead of its name (e.g., by calling inet_ntop() instead of
+ getipnodebyaddr()). If the flag bit NI_NAMEREQD is set, an error is
+ returned if the host's name cannot be located in the DNS.
+
+ If the flag bit NI_NUMERICSERV is set, the numeric form of the service
+ address is returned (e.g., its port number) instead of its name. The
+ two NI_NUMERICxxx flags are required to support the "-n" flag that
+ many commands provide.
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 30]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ A fifth flag bit, NI_DGRAM, specifies that the service is a datagram
+ service, and causes getservbyport() to be called with a second
+ argument of "udp" instead of its default of "tcp". This is required
+ for the few ports (e.g. 512-514) that have different services for UDP
+ and TCP.
+
+ These NI_xxx flags are defined in <netdb.h> along with the AI_xxx
+ flags already defined for getaddrinfo().
+
+6.6 Address Conversion Functions
+
+ The two functions inet_addr() and inet_ntoa() convert an IPv4 address
+ between binary and text form. IPv6 applications need similar
+ functions. The following two functions convert both IPv6 and IPv4
+ addresses:
+
+ #include <sys/socket.h>
+ #include <arpa/inet.h>
+
+ int inet_pton(int af, const char *src, void *dst);
+
+ const char *inet_ntop(int af, const void *src,
+ char *dst, size_t size);
+
+ The inet_pton() function converts an address in its standard text
+ presentation form into its numeric binary form. The af argument
+ specifies the family of the address. Currently the AF_INET and
+ AF_INET6 address families are supported. The src argument points to
+ the string being passed in. The dst argument points to a buffer into
+ which the function stores the numeric address. The address is
+ returned in network byte order. Inet_pton() returns 1 if the
+ conversion succeeds, 0 if the input is not a valid IPv4 dotted-
+ decimal string or a valid IPv6 address string, or -1 with errno set
+ to EAFNOSUPPORT if the af argument is unknown. The calling
+ application must ensure that the buffer referred to by dst is large
+ enough to hold the numeric address (e.g., 4 bytes for AF_INET or 16
+ bytes for AF_INET6).
+
+ If the af argument is AF_INET, the function accepts a string in the
+ standard IPv4 dotted-decimal form:
+
+ ddd.ddd.ddd.ddd
+
+ where ddd is a one to three digit decimal number between 0 and 255.
+ Note that many implementations of the existing inet_addr() and
+ inet_aton() functions accept nonstandard input: octal numbers,
+ hexadecimal numbers, and fewer than four numbers. inet_pton() does
+ not accept these formats.
+
+
+
+Gilligan, et. al. Informational [Page 31]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ If the af argument is AF_INET6, then the function accepts a string in
+ one of the standard IPv6 text forms defined in Section 2.2 of the
+ addressing architecture specification [2].
+
+ The inet_ntop() function converts a numeric address into a text
+ string suitable for presentation. The af argument specifies the
+ family of the address. This can be AF_INET or AF_INET6. The src
+ argument points to a buffer holding an IPv4 address if the af
+ argument is AF_INET, or an IPv6 address if the af argument is
+ AF_INET6, the address must be in network byte order. The dst
+ argument points to a buffer where the function will store the
+ resulting text string. The size argument specifies the size of this
+ buffer. The application must specify a non-NULL dst argument. For
+ IPv6 addresses, the buffer must be at least 46-octets. For IPv4
+ addresses, the buffer must be at least 16-octets. In order to allow
+ applications to easily declare buffers of the proper size to store
+ IPv4 and IPv6 addresses in string form, the following two constants
+ are defined in <netinet/in.h>:
+
+ #define INET_ADDRSTRLEN 16
+ #define INET6_ADDRSTRLEN 46
+
+ The inet_ntop() function returns a pointer to the buffer containing
+ the text string if the conversion succeeds, and NULL otherwise. Upon
+ failure, errno is set to EAFNOSUPPORT if the af argument is invalid or
+ ENOSPC if the size of the result buffer is inadequate.
+
+6.7 Address Testing Macros
+
+ The following macros can be used to test for special IPv6 addresses.
+
+ #include <netinet/in.h>
+
+ int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
+ int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
+ int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
+ int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
+ int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
+
+ int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
+
+
+
+
+
+Gilligan, et. al. Informational [Page 32]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The first seven macros return true if the address is of the specified
+ type, or false otherwise. The last five test the scope of a
+ multicast address and return true if the address is a multicast
+ address of the specified scope or false if the address is either not
+ a multicast address or not of the specified scope. Note that
+ IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL return true only for
+ the two local-use IPv6 unicast addresses. These two macros do not
+ return true for IPv6 multicast addresses of either link-local scope
+ or site-local scope.
+
+7. Summary of New Definitions
+
+ The following list summarizes the constants, structure, and extern
+ definitions discussed in this memo, sorted by header.
+
+ <net/if.h> IF_NAMESIZE
+ <net/if.h> struct if_nameindex{};
+
+ <netdb.h> AI_ADDRCONFIG
+ <netdb.h> AI_DEFAULT
+ <netdb.h> AI_ALL
+ <netdb.h> AI_CANONNAME
+ <netdb.h> AI_NUMERICHOST
+ <netdb.h> AI_PASSIVE
+ <netdb.h> AI_V4MAPPED
+ <netdb.h> EAI_ADDRFAMILY
+ <netdb.h> EAI_AGAIN
+ <netdb.h> EAI_BADFLAGS
+ <netdb.h> EAI_FAIL
+ <netdb.h> EAI_FAMILY
+ <netdb.h> EAI_MEMORY
+ <netdb.h> EAI_NODATA
+ <netdb.h> EAI_NONAME
+ <netdb.h> EAI_SERVICE
+ <netdb.h> EAI_SOCKTYPE
+ <netdb.h> EAI_SYSTEM
+ <netdb.h> NI_DGRAM
+ <netdb.h> NI_MAXHOST
+ <netdb.h> NI_MAXSERV
+ <netdb.h> NI_NAMEREQD
+ <netdb.h> NI_NOFQDN
+ <netdb.h> NI_NUMERICHOST
+ <netdb.h> NI_NUMERICSERV
+ <netdb.h> struct addrinfo{};
+
+ <netinet/in.h> IN6ADDR_ANY_INIT
+ <netinet/in.h> IN6ADDR_LOOPBACK_INIT
+ <netinet/in.h> INET6_ADDRSTRLEN
+
+
+
+Gilligan, et. al. Informational [Page 33]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ <netinet/in.h> INET_ADDRSTRLEN
+ <netinet/in.h> IPPROTO_IPV6
+ <netinet/in.h> IPV6_JOIN_GROUP
+ <netinet/in.h> IPV6_LEAVE_GROUP
+ <netinet/in.h> IPV6_MULTICAST_HOPS
+ <netinet/in.h> IPV6_MULTICAST_IF
+ <netinet/in.h> IPV6_MULTICAST_LOOP
+ <netinet/in.h> IPV6_UNICAST_HOPS
+ <netinet/in.h> SIN6_LEN
+ <netinet/in.h> extern const struct in6_addr in6addr_any;
+ <netinet/in.h> extern const struct in6_addr in6addr_loopback;
+ <netinet/in.h> struct in6_addr{};
+ <netinet/in.h> struct ipv6_mreq{};
+ <netinet/in.h> struct sockaddr_in6{};
+
+ <sys/socket.h> AF_INET6
+ <sys/socket.h> PF_INET6
+ <sys/socket.h> struct sockaddr_storage;
+
+ The following list summarizes the function and macro prototypes
+ discussed in this memo, sorted by header.
+
+<arpa/inet.h> int inet_pton(int, const char *, void *);
+<arpa/inet.h> const char *inet_ntop(int, const void *,
+ char *, size_t);
+
+<net/if.h> char *if_indextoname(unsigned int, char *);
+<net/if.h> unsigned int if_nametoindex(const char *);
+<net/if.h> void if_freenameindex(struct if_nameindex *);
+<net/if.h> struct if_nameindex *if_nameindex(void);
+
+<netdb.h> int getaddrinfo(const char *, const char *,
+ const struct addrinfo *,
+ struct addrinfo **);
+<netdb.h> int getnameinfo(const struct sockaddr *, socklen_t,
+ char *, size_t, char *, size_t, int);
+<netdb.h> void freeaddrinfo(struct addrinfo *);
+<netdb.h> char *gai_strerror(int);
+<netdb.h> struct hostent *getipnodebyname(const char *, int, int,
+ int *);
+<netdb.h> struct hostent *getipnodebyaddr(const void *, size_t,
+ int, int *);
+<netdb.h> void freehostent(struct hostent *);
+
+<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+
+
+
+Gilligan, et. al. Informational [Page 34]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
+
+8. Security Considerations
+
+ IPv6 provides a number of new security mechanisms, many of which need
+ to be accessible to applications. Companion memos detailing the
+ extensions to the socket interfaces to support IPv6 security are
+ being written.
+
+9. Year 2000 Considerations
+
+ There are no issues for this memo concerning the Year 2000 issue
+ regarding the use of dates.
+
+Changes From RFC 2133
+
+ Changes made in the March 1998 Edition (-01 draft):
+
+ Changed all "hostname" to "nodename" for consistency with other
+ IPv6 documents.
+
+ Section 3.3: changed comment for sin6_flowinfo to be "traffic
+ class & flow info" and updated corresponding text description to
+ current definition of these two fields.
+
+ Section 3.10 ("Portability Additions") is new.
+
+ Section 6: a new paragraph was added reiterating that the existing
+ gethostbyname() and gethostbyaddr() are not changed.
+
+ Section 6.1: change gethostbyname3() to getnodebyname(). Add
+ AI_DEFAULT to handle majority of applications. Renamed
+ AI_V6ADDRCONFIG to AI_ADDRCONFIG and define it for A records and
+ IPv4 addresses too. Defined exactly what getnodebyname() must
+ return if the name argument is a numeric address string.
+
+ Section 6.2: change gethostbyaddr() to getnodebyaddr(). Reword
+ items 2 and 3 in the description of how to handle IPv4-mapped and
+ IPv4- compatible addresses to "lookup a name" for a given address,
+ instead of specifying what type of DNS query to issue.
+
+
+
+
+Gilligan, et. al. Informational [Page 35]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Section 6.3: added two more requirements to getaddrinfo().
+
+ Section 7: added the following constants to the list for
+ <netdb.h>: AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED. Add union
+ sockaddr_union and SA_LEN to the lists for <sys/socket.h>.
+
+ Updated references.
+
+ Changes made in the November 1997 Edition (-00 draft):
+
+ The data types have been changed to conform with Draft 6.6 of the
+ Posix 1003.1g standard.
+
+ Section 3.2: data type of s6_addr changed to "uint8_t".
+
+ Section 3.3: data type of sin6_family changed to "sa_family_t".
+ data type of sin6_port changed to "in_port_t", data type of
+ sin6_flowinfo changed to "uint32_t".
+
+ Section 3.4: same as Section 3.3, plus data type of sin6_len
+ changed to "uint8_t".
+
+ Section 6.2: first argument of gethostbyaddr() changed from "const
+ char *" to "const void *" and second argument changed from "int"
+ to "size_t".
+
+ Section 6.4: second argument of getnameinfo() changed from
+ "size_t" to "socklen_t".
+
+ The wording was changed when new structures were defined, to be
+ more explicit as to which header must be included to define the
+ structure:
+
+ Section 3.2 (in6_addr{}), Section 3.3 (sockaddr_in6{}), Section
+ 3.4 (sockaddr_in6{}), Section 4.3 (if_nameindex{}), Section 5.3
+ (ipv6_mreq{}), and Section 6.3 (addrinfo{}).
+
+ Section 4: NET_RT_LIST changed to NET_RT_IFLIST.
+
+ Section 5.1: The IPV6_ADDRFORM socket option was removed.
+
+ Section 5.3: Added a note that an option value other than 0 or 1
+ for IPV6_MULTICAST_LOOP returns an error. Added a note that
+ IPV6_MULTICAST_IF, IPV6_MULTICAST_HOPS, and IPV6_MULTICAST_LOOP
+ can also be used with getsockopt(), but IPV6_ADD_MEMBERSHIP and
+ IPV6_DROP_MEMBERSHIP cannot be used with getsockopt().
+
+
+
+
+
+Gilligan, et. al. Informational [Page 36]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Section 6.1: Removed the description of gethostbyname2() and its
+ associated RES_USE_INET6 option, replacing it with
+ gethostbyname3().
+
+ Section 6.2: Added requirement that gethostbyaddr() be thread
+ safe. Reworded step 4 to avoid using the RES_USE_INET6 option.
+
+ Section 6.3: Added the requirement that getaddrinfo() and
+ getnameinfo() be thread safe. Added the AI_NUMERICHOST flag.
+
+ Section 6.6: Added clarification about IN6_IS_ADDR_LINKLOCAL and
+ IN6_IS_ADDR_SITELOCAL macros.
+
+ Changes made to the draft -01 specification Sept 98
+
+ Changed priority to traffic class in the spec.
+
+ Added the need for scope identification in section 2.1.
+
+ Added sin6_scope_id to struct sockaddr_in6 in sections 3.3 and
+ 3.4.
+
+ Changed 3.10 to use generic storage structure to support holding
+ IPv6 addresses and removed the SA_LEN macro.
+
+ Distinguished between invalid input parameters and system failures
+ for Interface Identification in Section 4.1 and 4.2.
+
+ Added defaults for multicast operations in section 5.2 and changed
+ the names from ADD to JOIN and DROP to LEAVE to be consistent with
+ IPv6 multicast terminology.
+
+ Changed getnodebyname to getipnodebyname, getnodebyaddr to
+ getipnodebyaddr, and added MT safe error code to function
+ parameters in section 6.
+
+ Moved freehostent to its own sub-section after getipnodebyaddr now
+ 6.3 (so this bumps all remaining sections in section 6.
+
+ Clarified the use of AI_ALL and AI_V4MAPPED that these are
+ dependent on the AF parameter and must be used as a conjunction in
+ section 6.1.
+
+ Removed the restriction that literal addresses cannot be used with
+ a flags argument in section 6.1.
+
+ Added Year 2000 Section to the draft
+
+
+
+
+Gilligan, et. al. Informational [Page 37]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ Deleted Reference to the following because the attached is deleted
+ from the ID directory and has expired. But the logic from the
+ aforementioned draft still applies, so that was kept in Section
+ 6.2 bullets after 3rd paragraph.
+
+ [7] P. Vixie, "Reverse Name Lookups of Encapsulated IPv4
+ Addresses in IPv6", Internet-Draft, <draft-vixie-ipng-
+ ipv4ptr-00.txt>, May 1996.
+
+ Deleted the following reference as it is no longer referenced.
+ And the draft has expired.
+
+ [3] D. McDonald, "A Simple IP Security API Extension to BSD
+ Sockets", Internet-Draft, <draft-mcdonald-simple-ipsec-api-
+ 01.txt>, March 1997.
+
+ Deleted the following reference as it is no longer referenced.
+
+ [4] C. Metz, "Network Security API for Sockets",
+ Internet-Draft, <draft-metz-net-security-api-01.txt>, January
+ 1998.
+
+ Update current references to current status.
+
+ Added alignment notes for in6_addr and sin6_addr.
+
+ Clarified further that AI_V4MAPPED must be used with a dotted IPv4
+ literal address for getipnodebyname(), when address family is
+ AF_INET6.
+
+ Added text to clarify "::" and "::1" when used by
+ getipnodebyaddr().
+
+Acknowledgments
+
+ Thanks to the many people who made suggestions and provided feedback
+ to this document, including: Werner Almesberger, Ran Atkinson, Fred
+ Baker, Dave Borman, Andrew Cherenson, Alex Conta, Alan Cox, Steve
+ Deering, Richard Draves, Francis Dupont, Robert Elz, Marc Hasson, Tom
+ Herbert, Bob Hinden, Wan-Yen Hsu, Christian Huitema, Koji Imada,
+ Markus Jork, Ron Lee, Alan Lloyd, Charles Lynn, Dan McDonald, Dave
+ Mitton, Thomas Narten, Josh Osborne, Craig Partridge, Jean-Luc
+ Richier, Erik Scoredos, Keith Sklower, Matt Thomas, Harvey Thompson,
+ Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie, David
+ Waitzman, Carl Williams, and Kazu Yamamoto,
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 38]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+ The getaddrinfo() and getnameinfo() functions are taken from an
+ earlier Internet Draft by Keith Sklower. As noted in that draft,
+ William Durst, Steven Wise, Michael Karels, and Eric Allman provided
+ many useful discussions on the subject of protocol-independent name-
+ to-address translation, and reviewed early versions of Keith
+ Sklower's original proposal. Eric Allman implemented the first
+ prototype of getaddrinfo(). The observation that specifying the pair
+ of name and service would suffice for connecting to a service
+ independent of protocol details was made by Marshall Rose in a
+ proposal to X/Open for a "Uniform Network Interface".
+
+ Craig Metz, Jack McCann, Erik Nordmark, Tim Hartrick, and Mukesh
+ Kacker made many contributions to this document. Ramesh Govindan
+ made a number of contributions and co-authored an earlier version of
+ this memo.
+
+References
+
+ [1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
+ Specification", RFC 2460, December 1998.
+
+ [2] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [3] IEEE, "Protocol Independent Interfaces", IEEE Std 1003.1g, DRAFT
+ 6.6, March 1997.
+
+ [4] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", RFC
+ 2292, February 1998.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 39]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+Authors' Addresses
+
+ Robert E. Gilligan
+ FreeGate Corporation
+ 1208 E. Arques Ave.
+ Sunnyvale, CA 94086
+
+ Phone: +1 408 617 1004
+ EMail: gilligan@freegate.com
+
+
+ Susan Thomson
+ Bell Communications Research
+ MRE 2P-343, 445 South Street
+ Morristown, NJ 07960
+
+ Phone: +1 201 829 4514
+ EMail: set@thumper.bellcore.com
+
+
+ Jim Bound
+ Compaq Computer Corporation
+ 110 Spitbrook Road ZK3-3/U14
+ Nashua, NH 03062-2698
+
+ Phone: +1 603 884 0400
+ EMail: bound@zk3.dec.com
+
+
+ W. Richard Stevens
+ 1202 E. Paseo del Zorro
+ Tucson, AZ 85718-2826
+
+ Phone: +1 520 297 9416
+ EMail: rstevens@kohala.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 40]
+
+RFC 2553 Basic Socket Interface Extensions for IPv6 March 1999
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et. al. Informational [Page 41]
+
diff --git a/contrib/bind9/doc/rfc/rfc2671.txt b/contrib/bind9/doc/rfc/rfc2671.txt
new file mode 100644
index 0000000..ec05f80
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2671.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group P. Vixie
+Request for Comments: 2671 ISC
+Category: Standards Track August 1999
+
+
+ Extension Mechanisms for DNS (EDNS0)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+Abstract
+
+ The Domain Name System's wire protocol includes a number of fixed
+ fields whose range has been or soon will be exhausted and does not
+ allow clients to advertise their capabilities to servers. This
+ document describes backward compatible mechanisms for allowing the
+ protocol to grow.
+
+1 - Rationale and Scope
+
+1.1. DNS (see [RFC1035]) specifies a Message Format and within such
+ messages there are standard formats for encoding options, errors,
+ and name compression. The maximum allowable size of a DNS Message
+ is fixed. Many of DNS's protocol limits are too small for uses
+ which are or which are desired to become common. There is no way
+ for implementations to advertise their capabilities.
+
+1.2. Existing clients will not know how to interpret the protocol
+ extensions detailed here. In practice, these clients will be
+ upgraded when they have need of a new feature, and only new
+ features will make use of the extensions. We must however take
+ account of client behaviour in the face of extra fields, and design
+ a fallback scheme for interoperability with these clients.
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 1]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+2 - Affected Protocol Elements
+
+2.1. The DNS Message Header's (see [RFC1035 4.1.1]) second full 16-bit
+ word is divided into a 4-bit OPCODE, a 4-bit RCODE, and a number of
+ 1-bit flags. The original reserved Z bits have been allocated to
+ various purposes, and most of the RCODE values are now in use.
+ More flags and more possible RCODEs are needed.
+
+2.2. The first two bits of a wire format domain label are used to denote
+ the type of the label. [RFC1035 4.1.4] allocates two of the four
+ possible types and reserves the other two. Proposals for use of
+ the remaining types far outnumber those available. More label
+ types are needed.
+
+2.3. DNS Messages are limited to 512 octets in size when sent over UDP.
+ While the minimum maximum reassembly buffer size still allows a
+ limit of 512 octets of UDP payload, most of the hosts now connected
+ to the Internet are able to reassemble larger datagrams. Some
+ mechanism must be created to allow requestors to advertise larger
+ buffer sizes to responders.
+
+3 - Extended Label Types
+
+3.1. The "0 1" label type will now indicate an extended label type,
+ whose value is encoded in the lower six bits of the first octet of
+ a label. All subsequently developed label types should be encoded
+ using an extended label type.
+
+3.2. The "1 1 1 1 1 1" extended label type will be reserved for future
+ expansion of the extended label type code space.
+
+4 - OPT pseudo-RR
+
+4.1. One OPT pseudo-RR can be added to the additional data section of
+ either a request or a response. An OPT is called a pseudo-RR
+ because it pertains to a particular transport level message and not
+ to any actual DNS data. OPT RRs shall never be cached, forwarded,
+ or stored in or loaded from master files. The quantity of OPT
+ pseudo-RRs per message shall be either zero or one, but not
+ greater.
+
+4.2. An OPT RR has a fixed part and a variable set of options expressed
+ as {attribute, value} pairs. The fixed part holds some DNS meta
+ data and also a small collection of new protocol elements which we
+ expect to be so popular that it would be a waste of wire space to
+ encode them as {attribute, value} pairs.
+
+
+
+
+
+Vixie Standards Track [Page 2]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+4.3. The fixed part of an OPT RR is structured as follows:
+
+ Field Name Field Type Description
+ ------------------------------------------------------
+ NAME domain name empty (root domain)
+ TYPE u_int16_t OPT
+ CLASS u_int16_t sender's UDP payload size
+ TTL u_int32_t extended RCODE and flags
+ RDLEN u_int16_t describes RDATA
+ RDATA octet stream {attribute,value} pairs
+
+4.4. The variable part of an OPT RR is encoded in its RDATA and is
+ structured as zero or more of the following:
+
+ +0 (MSB) +1 (LSB)
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 0: | OPTION-CODE |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 2: | OPTION-LENGTH |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 4: | |
+ / OPTION-DATA /
+ / /
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+
+ OPTION-CODE (Assigned by IANA.)
+
+ OPTION-LENGTH Size (in octets) of OPTION-DATA.
+
+ OPTION-DATA Varies per OPTION-CODE.
+
+4.5. The sender's UDP payload size (which OPT stores in the RR CLASS
+ field) is the number of octets of the largest UDP payload that can
+ be reassembled and delivered in the sender's network stack. Note
+ that path MTU, with or without fragmentation, may be smaller than
+ this.
+
+4.5.1. Note that a 512-octet UDP payload requires a 576-octet IP
+ reassembly buffer. Choosing 1280 on an Ethernet connected
+ requestor would be reasonable. The consequence of choosing too
+ large a value may be an ICMP message from an intermediate
+ gateway, or even a silent drop of the response message.
+
+4.5.2. Both requestors and responders are advised to take account of the
+ path's discovered MTU (if already known) when considering message
+ sizes.
+
+
+
+
+
+Vixie Standards Track [Page 3]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+4.5.3. The requestor's maximum payload size can change over time, and
+ should therefore not be cached for use beyond the transaction in
+ which it is advertised.
+
+4.5.4. The responder's maximum payload size can change over time, but
+ can be reasonably expected to remain constant between two
+ sequential transactions; for example, a meaningless QUERY to
+ discover a responder's maximum UDP payload size, followed
+ immediately by an UPDATE which takes advantage of this size.
+ (This is considered preferrable to the outright use of TCP for
+ oversized requests, if there is any reason to suspect that the
+ responder implements EDNS, and if a request will not fit in the
+ default 512 payload size limit.)
+
+4.5.5. Due to transaction overhead, it is unwise to advertise an
+ architectural limit as a maximum UDP payload size. Just because
+ your stack can reassemble 64KB datagrams, don't assume that you
+ want to spend more than about 4KB of state memory per ongoing
+ transaction.
+
+4.6. The extended RCODE and flags (which OPT stores in the RR TTL field)
+ are structured as follows:
+
+ +0 (MSB) +1 (LSB)
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 0: | EXTENDED-RCODE | VERSION |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ 2: | Z |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+
+ EXTENDED-RCODE Forms upper 8 bits of extended 12-bit RCODE. Note
+ that EXTENDED-RCODE value "0" indicates that an
+ unextended RCODE is in use (values "0" through "15").
+
+ VERSION Indicates the implementation level of whoever sets
+ it. Full conformance with this specification is
+ indicated by version "0." Requestors are encouraged
+ to set this to the lowest implemented level capable
+ of expressing a transaction, to minimize the
+ responder and network load of discovering the
+ greatest common implementation level between
+ requestor and responder. A requestor's version
+ numbering strategy should ideally be a run time
+ configuration option.
+
+ If a responder does not implement the VERSION level
+ of the request, then it answers with RCODE=BADVERS.
+ All responses will be limited in format to the
+
+
+
+Vixie Standards Track [Page 4]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+ VERSION level of the request, but the VERSION of each
+ response will be the highest implementation level of
+ the responder. In this way a requestor will learn
+ the implementation level of a responder as a side
+ effect of every response, including error responses,
+ including RCODE=BADVERS.
+
+ Z Set to zero by senders and ignored by receivers,
+ unless modified in a subsequent specification.
+
+5 - Transport Considerations
+
+5.1. The presence of an OPT pseudo-RR in a request should be taken as an
+ indication that the requestor fully implements the given version of
+ EDNS, and can correctly understand any response that conforms to
+ that feature's specification.
+
+5.2. Lack of use of these features in a request must be taken as an
+ indication that the requestor does not implement any part of this
+ specification and that the responder may make no use of any
+ protocol extension described here in its response.
+
+5.3. Responders who do not understand these protocol extensions are
+ expected to send a response with RCODE NOTIMPL, FORMERR, or
+ SERVFAIL. Therefore use of extensions should be "probed" such that
+ a responder who isn't known to support them be allowed a retry with
+ no extensions if it responds with such an RCODE. If a responder's
+ capability level is cached by a requestor, a new probe should be
+ sent periodically to test for changes to responder capability.
+
+6 - Security Considerations
+
+ Requestor-side specification of the maximum buffer size may open a
+ new DNS denial of service attack if responders can be made to send
+ messages which are too large for intermediate gateways to forward,
+ thus leading to potential ICMP storms between gateways and
+ responders.
+
+7 - IANA Considerations
+
+ The IANA has assigned RR type code 41 for OPT.
+
+ It is the recommendation of this document and its working group
+ that IANA create a registry for EDNS Extended Label Types, for EDNS
+ Option Codes, and for EDNS Version Numbers.
+
+ This document assigns label type 0b01xxxxxx as "EDNS Extended Label
+ Type." We request that IANA record this assignment.
+
+
+
+Vixie Standards Track [Page 5]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+ This document assigns extended label type 0bxx111111 as "Reserved
+ for future extended label types." We request that IANA record this
+ assignment.
+
+ This document assigns option code 65535 to "Reserved for future
+ expansion."
+
+ This document expands the RCODE space from 4 bits to 12 bits. This
+ will allow IANA to assign more than the 16 distinct RCODE values
+ allowed in [RFC1035].
+
+ This document assigns EDNS Extended RCODE "16" to "BADVERS".
+
+ IESG approval should be required to create new entries in the EDNS
+ Extended Label Type or EDNS Version Number registries, while any
+ published RFC (including Informational, Experimental, or BCP)
+ should be grounds for allocation of an EDNS Option Code.
+
+8 - Acknowledgements
+
+ Paul Mockapetris, Mark Andrews, Robert Elz, Don Lewis, Bob Halley,
+ Donald Eastlake, Rob Austein, Matt Crawford, Randy Bush, and Thomas
+ Narten were each instrumental in creating and refining this
+ specification.
+
+9 - References
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+10 - Author's Address
+
+ Paul Vixie
+ Internet Software Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 779 7001
+ EMail: vixie@isc.org
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 6]
+
+RFC 2671 Extension Mechanisms for DNS (EDNS0) August 1999
+
+
+11 - Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2672.txt b/contrib/bind9/doc/rfc/rfc2672.txt
new file mode 100644
index 0000000..1103016
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2672.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Network Working Group M. Crawford
+Request for Comments: 2672 Fermilab
+Category: Standards Track August 1999
+
+
+ Non-Terminal DNS Name Redirection
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+1. Introduction
+
+ This document defines a new DNS Resource Record called "DNAME", which
+ provides the capability to map an entire subtree of the DNS name
+ space to another domain. It differs from the CNAME record which maps
+ a single node of the name space.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [KWORD].
+
+2. Motivation
+
+ This Resource Record and its processing rules were conceived as a
+ solution to the problem of maintaining address-to-name mappings in a
+ context of network renumbering. Without the DNAME mechanism, an
+ authoritative DNS server for the address-to-name mappings of some
+ network must be reconfigured when that network is renumbered. With
+ DNAME, the zone can be constructed so that it needs no modification
+ when renumbered. DNAME can also be useful in other situations, such
+ as when an organizational unit is renamed.
+
+3. The DNAME Resource Record
+
+ The DNAME RR has mnemonic DNAME and type code 39 (decimal).
+
+
+
+
+
+
+
+Crawford Standards Track [Page 1]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+ DNAME has the following format:
+
+ <owner> <ttl> <class> DNAME <target>
+
+ The format is not class-sensitive. All fields are required. The
+ RDATA field <target> is a <domain-name> [DNSIS].
+
+ The DNAME RR causes type NS additional section processing.
+
+ The effect of the DNAME record is the substitution of the record's
+ <target> for its <owner> as a suffix of a domain name. A "no-
+ descendants" limitation governs the use of DNAMEs in a zone file:
+
+ If a DNAME RR is present at a node N, there may be other data at N
+ (except a CNAME or another DNAME), but there MUST be no data at
+ any descendant of N. This restriction applies only to records of
+ the same class as the DNAME record.
+
+ This rule assures predictable results when a DNAME record is cached
+ by a server which is not authoritative for the record's zone. It
+ MUST be enforced when authoritative zone data is loaded. Together
+ with the rules for DNS zone authority [DNSCLR] it implies that DNAME
+ and NS records can only coexist at the top of a zone which has only
+ one node.
+
+ The compression scheme of [DNSIS] MUST NOT be applied to the RDATA
+ portion of a DNAME record unless the sending server has some way of
+ knowing that the receiver understands the DNAME record format.
+ Signalling such understanding is expected to be the subject of future
+ DNS Extensions.
+
+ Naming loops can be created with DNAME records or a combination of
+ DNAME and CNAME records, just as they can with CNAME records alone.
+ Resolvers, including resolvers embedded in DNS servers, MUST limit
+ the resources they devote to any query. Implementors should note,
+ however, that fairly lengthy chains of DNAME records may be valid.
+
+4. Query Processing
+
+ To exploit the DNAME mechanism the name resolution algorithms [DNSCF]
+ must be modified slightly for both servers and resolvers.
+
+ Both modified algorithms incorporate the operation of making a
+ substitution on a name (either QNAME or SNAME) under control of a
+ DNAME record. This operation will be referred to as "the DNAME
+ substitution".
+
+
+
+
+
+Crawford Standards Track [Page 2]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+4.1. Processing by Servers
+
+ For a server performing non-recursive service steps 3.c and 4 of
+ section 4.3.2 [DNSCF] are changed to check for a DNAME record before
+ checking for a wildcard ("*") label, and to return certain DNAME
+ records from zone data and the cache.
+
+ DNS clients sending Extended DNS [EDNS0] queries with Version 0 or
+ non-extended queries are presumed not to understand the semantics of
+ the DNAME record, so a server which implements this specification,
+ when answering a non-extended query, SHOULD synthesize a CNAME record
+ for each DNAME record encountered during query processing to help the
+ client reach the correct DNS data. The behavior of clients and
+ servers under Extended DNS versions greater than 0 will be specified
+ when those versions are defined.
+
+ The synthesized CNAME RR, if provided, MUST have
+
+ The same CLASS as the QCLASS of the query,
+
+ TTL equal to zero,
+
+ An <owner> equal to the QNAME in effect at the moment the DNAME RR
+ was encountered, and
+
+ An RDATA field containing the new QNAME formed by the action of
+ the DNAME substitution.
+
+ If the server has the appropriate key on-line [DNSSEC, SECDYN], it
+ MAY generate and return a SIG RR for the synthesized CNAME RR.
+
+ The revised server algorithm is:
+
+ 1. Set or clear the value of recursion available in the response
+ depending on whether the name server is willing to provide
+ recursive service. If recursive service is available and
+ requested via the RD bit in the query, go to step 5, otherwise
+ step 2.
+
+ 2. Search the available zones for the zone which is the nearest
+ ancestor to QNAME. If such a zone is found, go to step 3,
+ otherwise step 4.
+
+ 3. Start matching down, label by label, in the zone. The matching
+ process can terminate several ways:
+
+
+
+
+
+
+Crawford Standards Track [Page 3]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+ a. If the whole of QNAME is matched, we have found the node.
+
+ If the data at the node is a CNAME, and QTYPE doesn't match
+ CNAME, copy the CNAME RR into the answer section of the
+ response, change QNAME to the canonical name in the CNAME RR,
+ and go back to step 1.
+
+ Otherwise, copy all RRs which match QTYPE into the answer
+ section and go to step 6.
+
+ b. If a match would take us out of the authoritative data, we have
+ a referral. This happens when we encounter a node with NS RRs
+ marking cuts along the bottom of a zone.
+
+ Copy the NS RRs for the subzone into the authority section of
+ the reply. Put whatever addresses are available into the
+ additional section, using glue RRs if the addresses are not
+ available from authoritative data or the cache. Go to step 4.
+
+ c. If at some label, a match is impossible (i.e., the
+ corresponding label does not exist), look to see whether the
+ last label matched has a DNAME record.
+
+ If a DNAME record exists at that point, copy that record into
+ the answer section. If substitution of its <target> for its
+ <owner> in QNAME would overflow the legal size for a <domain-
+ name>, set RCODE to YXDOMAIN [DNSUPD] and exit; otherwise
+ perform the substitution and continue. If the query was not
+ extended [EDNS0] with a Version indicating understanding of the
+ DNAME record, the server SHOULD synthesize a CNAME record as
+ described above and include it in the answer section. Go back
+ to step 1.
+
+ If there was no DNAME record, look to see if the "*" label
+ exists.
+
+ If the "*" label does not exist, check whether the name we are
+ looking for is the original QNAME in the query or a name we
+ have followed due to a CNAME. If the name is original, set an
+ authoritative name error in the response and exit. Otherwise
+ just exit.
+
+ If the "*" label does exist, match RRs at that node against
+ QTYPE. If any match, copy them into the answer section, but
+ set the owner of the RR to be QNAME, and not the node with the
+ "*" label. Go to step 6.
+
+
+
+
+
+Crawford Standards Track [Page 4]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+ 4. Start matching down in the cache. If QNAME is found in the cache,
+ copy all RRs attached to it that match QTYPE into the answer
+ section. If QNAME is not found in the cache but a DNAME record is
+ present at an ancestor of QNAME, copy that DNAME record into the
+ answer section. If there was no delegation from authoritative
+ data, look for the best one from the cache, and put it in the
+ authority section. Go to step 6.
+
+ 5. Use the local resolver or a copy of its algorithm (see resolver
+ section of this memo) to answer the query. Store the results,
+ including any intermediate CNAMEs and DNAMEs, in the answer
+ section of the response.
+
+ 6. Using local data only, attempt to add other RRs which may be
+ useful to the additional section of the query. Exit.
+
+ Note that there will be at most one ancestor with a DNAME as
+ described in step 4 unless some zone's data is in violation of the
+ no-descendants limitation in section 3. An implementation might take
+ advantage of this limitation by stopping the search of step 3c or
+ step 4 when a DNAME record is encountered.
+
+4.2. Processing by Resolvers
+
+ A resolver or a server providing recursive service must be modified
+ to treat a DNAME as somewhat analogous to a CNAME. The resolver
+ algorithm of [DNSCF] section 5.3.3 is modified to renumber step 4.d
+ as 4.e and insert a new 4.d. The complete algorithm becomes:
+
+ 1. See if the answer is in local information, and if so return it to
+ the client.
+
+ 2. Find the best servers to ask.
+
+ 3. Send them queries until one returns a response.
+
+ 4. Analyze the response, either:
+
+ a. if the response answers the question or contains a name error,
+ cache the data as well as returning it back to the client.
+
+ b. if the response contains a better delegation to other servers,
+ cache the delegation information, and go to step 2.
+
+ c. if the response shows a CNAME and that is not the answer
+ itself, cache the CNAME, change the SNAME to the canonical name
+ in the CNAME RR and go to step 1.
+
+
+
+
+Crawford Standards Track [Page 5]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+ d. if the response shows a DNAME and that is not the answer
+ itself, cache the DNAME. If substitution of the DNAME's
+ <target> for its <owner> in the SNAME would overflow the legal
+ size for a <domain-name>, return an implementation-dependent
+ error to the application; otherwise perform the substitution
+ and go to step 1.
+
+ e. if the response shows a server failure or other bizarre
+ contents, delete the server from the SLIST and go back to step
+ 3.
+
+ A resolver or recursive server which understands DNAME records but
+ sends non-extended queries MUST augment step 4.c by deleting from the
+ reply any CNAME records which have an <owner> which is a subdomain of
+ the <owner> of any DNAME record in the response.
+
+5. Examples of Use
+
+5.1. Organizational Renaming
+
+ If an organization with domain name FROBOZZ.EXAMPLE became part of an
+ organization with domain name ACME.EXAMPLE, it might ease transition
+ by placing information such as this in its old zone.
+
+ frobozz.example. DNAME frobozz-division.acme.example.
+ MX 10 mailhub.acme.example.
+
+ The response to an extended recursive query for www.frobozz.example
+ would contain, in the answer section, the DNAME record shown above
+ and the relevant RRs for www.frobozz-division.acme.example.
+
+5.2. Classless Delegation of Shorter Prefixes
+
+ The classless scheme for in-addr.arpa delegation [INADDR] can be
+ extended to prefixes shorter than 24 bits by use of the DNAME record.
+ For example, the prefix 192.0.8.0/22 can be delegated by the
+ following records.
+
+ $ORIGIN 0.192.in-addr.arpa.
+ 8/22 NS ns.slash-22-holder.example.
+ 8 DNAME 8.8/22
+ 9 DNAME 9.8/22
+ 10 DNAME 10.8/22
+ 11 DNAME 11.8/22
+
+
+
+
+
+
+
+Crawford Standards Track [Page 6]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+ A typical entry in the resulting reverse zone for some host with
+ address 192.0.9.33 might be
+
+ $ORIGIN 8/22.0.192.in-addr.arpa.
+ 33.9 PTR somehost.slash-22-holder.example.
+
+ The same advisory remarks concerning the choice of the "/" character
+ apply here as in [INADDR].
+
+5.3. Network Renumbering Support
+
+ If IPv4 network renumbering were common, maintenance of address space
+ delegation could be simplified by using DNAME records instead of NS
+ records to delegate.
+
+ $ORIGIN new-style.in-addr.arpa.
+ 189.190 DNAME in-addr.example.net.
+
+ $ORIGIN in-addr.example.net.
+ 188 DNAME in-addr.customer.example.
+
+ $ORIGIN in-addr.customer.example.
+ 1 PTR www.customer.example.
+ 2 PTR mailhub.customer.example.
+ ; etc ...
+
+ This would allow the address space 190.189.0.0/16 assigned to the ISP
+ "example.net" to be changed without the necessity of altering the
+ zone files describing the use of that space by the ISP and its
+ customers.
+
+ Renumbering IPv4 networks is currently so arduous a task that
+ updating the DNS is only a small part of the labor, so this scheme
+ may have a low value. But it is hoped that in IPv6 the renumbering
+ task will be quite different and the DNAME mechanism may play a
+ useful part.
+
+6. IANA Considerations
+
+ This document defines a new DNS Resource Record type with the
+ mnemonic DNAME and type code 39 (decimal). The naming/numbering
+ space is defined in [DNSIS]. This name and number have already been
+ registered with the IANA.
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 7]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+7. Security Considerations
+
+ The DNAME record is similar to the CNAME record with regard to the
+ consequences of insertion of a spoofed record into a DNS server or
+ resolver, differing in that the DNAME's effect covers a whole subtree
+ of the name space. The facilities of [DNSSEC] are available to
+ authenticate this record type.
+
+8. References
+
+ [DNSCF] Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [DNSCLR] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [DNSIS] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [DNSSEC] Eastlake, 3rd, D. and C. Kaufman, "Domain Name System
+ Security Extensions", RFC 2065, January 1997.
+
+ [DNSUPD] Vixie, P., Ed., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System", RFC 2136, April
+ 1997.
+
+ [EDNS0] Vixie, P., "Extensions mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [INADDR] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
+ ADDR.ARPA delegation", RFC 2317, March 1998.
+
+ [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels," BCP 14, RFC 2119, March 1997.
+
+ [SECDYN] D. Eastlake, 3rd, "Secure Domain Name System Dynamic
+ Update", RFC 2137, April 1997.
+
+9. Author's Address
+
+ Matt Crawford
+ Fermilab MS 368
+ PO Box 500
+ Batavia, IL 60510
+ USA
+
+ Phone: +1 630 840-3461
+ EMail: crawdad@fnal.gov
+
+
+
+Crawford Standards Track [Page 8]
+
+RFC 2672 Non-Terminal DNS Name Redirection August 1999
+
+
+10. Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 9]
+
diff --git a/contrib/bind9/doc/rfc/rfc2673.txt b/contrib/bind9/doc/rfc/rfc2673.txt
new file mode 100644
index 0000000..19d272e
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2673.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group M. Crawford
+Request for Comments: 2673 Fermilab
+Category: Standards Track August 1999
+
+
+ Binary Labels in the Domain Name System
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+1. Introduction and Terminology
+
+ This document defines a "Bit-String Label" which may appear within
+ domain names. This new label type compactly represents a sequence of
+ "One-Bit Labels" and enables resource records to be stored at any
+ bit-boundary in a binary-named section of the domain name tree.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [KWORD].
+
+2. Motivation
+
+ Binary labels are intended to efficiently solve the problem of
+ storing data and delegating authority on arbitrary boundaries when
+ the structure of underlying name space is most naturally represented
+ in binary.
+
+3. Label Format
+
+ Up to 256 One-Bit Labels can be grouped into a single Bit-String
+ Label. Within a Bit-String Label the most significant or "highest
+ level" bit appears first. This is unlike the ordering of DNS labels
+ themselves, which has the least significant or "lowest level" label
+ first. Nonetheless, this ordering seems to be the most natural and
+ efficient for representing binary labels.
+
+
+
+
+
+
+Crawford Standards Track [Page 1]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+ Among consecutive Bit-String Labels, the bits in the first-appearing
+ label are less significant or "at a lower level" than the bits in
+ subsequent Bit-String Labels, just as ASCII labels are ordered.
+
+3.1. Encoding
+
+ 0 1 2
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 . . .
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-//+-+-+-+-+-+-+
+ |0 1| ELT | Count | Label ... |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+//-+-+-+-+-+-+-+
+
+ (Each tic mark represents one bit.)
+
+
+ ELT 000001 binary, the six-bit extended label type [EDNS0]
+ assigned to the Bit-String Label.
+
+ Count The number of significant bits in the Label field. A Count
+ value of zero indicates that 256 bits are significant.
+ (Thus the null label representing the DNS root cannot be
+ represented as a Bit String Label.)
+
+ Label The bit string representing a sequence of One-Bit Labels,
+ with the most significant bit first. That is, the One-Bit
+ Label in position 17 in the diagram above represents a
+ subdomain of the domain represented by the One-Bit Label in
+ position 16, and so on.
+
+ The Label field is padded on the right with zero to seven
+ pad bits to make the entire field occupy an integral number
+ of octets. These pad bits MUST be zero on transmission and
+ ignored on reception.
+
+ A sequence of bits may be split into two or more Bit-String Labels,
+ but the division points have no significance and need not be
+ preserved. An excessively clever server implementation might split
+ Bit-String Labels so as to maximize the effectiveness of message
+ compression [DNSIS]. A simpler server might divide Bit-String Labels
+ at zone boundaries, if any zone boundaries happen to fall between
+ One-Bit Labels.
+
+3.2. Textual Representation
+
+ A Bit-String Label is represented in text -- in a zone file, for
+ example -- as a <bit-spec> surrounded by the delimiters "\[" and "]".
+ The <bit-spec> is either a dotted quad or a base indicator and a
+ sequence of digits appropriate to that base, optionally followed by a
+
+
+
+Crawford Standards Track [Page 2]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+ slash and a length. The base indicators are "b", "o" and "x",
+ denoting base 2, 8 and 16 respectively. The length counts the
+ significant bits and MUST be between 1 and 32, inclusive, after a
+ dotted quad, or between 1 and 256, inclusive, after one of the other
+ forms. If the length is omitted, the implicit length is 32 for a
+ dotted quad or 1, 3 or 4 times the number of binary, octal or
+ hexadecimal digits supplied, respectively, for the other forms.
+
+ In augmented Backus-Naur form [ABNF],
+
+ bit-string-label = "\[" bit-spec "]"
+
+ bit-spec = bit-data [ "/" length ]
+ / dotted-quad [ "/" slength ]
+
+ bit-data = "x" 1*64HEXDIG
+ / "o" 1*86OCTDIG
+ / "b" 1*256BIT
+
+ dotted-quad = decbyte "." decbyte "." decbyte "." decbyte
+
+ decbyte = 1*3DIGIT
+
+ length = NZDIGIT *2DIGIT
+
+ slength = NZDIGIT [ DIGIT ]
+
+ OCTDIG = %x30-37
+
+ NZDIGIT = %x31-39
+
+ If a <length> is present, the number of digits in the <bit-data> MUST
+ be just sufficient to contain the number of bits specified by the
+ <length>. If there are insignificant bits in a final hexadecimal or
+ octal digit, they MUST be zero. A <dotted-quad> always has all four
+ parts even if the associated <slength> is less than 24, but, like the
+ other forms, insignificant bits MUST be zero.
+
+ Each number represented by a <decbyte> must be between 0 and 255,
+ inclusive.
+
+ The number represented by <length> must be between 1 and 256
+ inclusive.
+
+ The number represented by <slength> must be between 1 and 32
+ inclusive.
+
+
+
+
+
+Crawford Standards Track [Page 3]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+ When the textual form of a Bit-String Label is generated by machine,
+ the length SHOULD be explicit, not implicit.
+
+3.2.1. Examples
+
+ The following four textual forms represent the same Bit-String Label.
+
+ \[b11010000011101]
+ \[o64072/14]
+ \[xd074/14]
+ \[208.116.0.0/14]
+
+ The following represents two consecutive Bit-String Labels which
+ denote the same relative point in the DNS tree as any of the above
+ single Bit-String Labels.
+
+ \[b11101].\[o640]
+
+3.3. Canonical Representation and Sort Order
+
+ Both the wire form and the text form of binary labels have a degree
+ of flexibility in their grouping into multiple consecutive Bit-String
+ Labels. For generating and checking DNS signature records [DNSSEC]
+ binary labels must be in a predictable form. This canonical form is
+ defined as the form which has the fewest possible Bit-String Labels
+ and in which all except possibly the first (least significant) label
+ in any sequence of consecutive Bit-String Labels is of maximum
+ length.
+
+ For example, the canonical form of any sequence of up to 256 One-Bit
+ Labels has a single Bit-String Label, and the canonical form of a
+ sequence of 513 to 768 One-Bit Labels has three Bit-String Labels of
+ which the second and third contain 256 label bits.
+
+ The canonical sort order of domain names [DNSSEC] is extended to
+ encompass binary labels as follows. Sorting is still label-by-label,
+ from most to least significant, where a label may now be a One-Bit
+ Label or a standard (code 00) label. Any One-Bit Label sorts before
+ any standard label, and a 0 bit sorts before a 1 bit. The absence of
+ a label sorts before any label, as specified in [DNSSEC].
+
+
+
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 4]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+ For example, the following domain names are correctly sorted.
+
+ foo.example
+ \[b1].foo.example
+ \[b100].foo.example
+ \[b101].foo.example
+ bravo.\[b10].foo.example
+ alpha.foo.example
+
+4. Processing Rules
+
+ A One-Bit Label never matches any other kind of label. In
+ particular, the DNS labels represented by the single ASCII characters
+ "0" and "1" do not match One-Bit Labels represented by the bit values
+ 0 and 1.
+
+5. Discussion
+
+ A Count of zero in the wire-form represents a 256-bit sequence, not
+ to optimize that particular case, but to make it completely
+ impossible to have a zero-bit label.
+
+6. IANA Considerations
+
+ This document defines one Extended Label Type, termed the Bit-String
+ Label, and requests registration of the code point 000001 binary in
+ the space defined by [EDNS0].
+
+7. Security Considerations
+
+ All security considerations which apply to traditional ASCII DNS
+ labels apply equally to binary labels. he canonicalization and
+ sorting rules of section 3.3 allow these to be addressed by DNS
+ Security [DNSSEC].
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 5]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+8. References
+
+ [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
+
+ [DNSIS] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [DNSSEC] Eastlake, D., 3rd, C. Kaufman, "Domain Name System Security
+ Extensions", RFC 2065, January 1997
+
+ [EDNS0] Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC 2671,
+ August 1999.
+
+ [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels," BCP 14, RFC 2119, March 1997.
+
+9. Author's Address
+
+ Matt Crawford
+ Fermilab MS 368
+ PO Box 500
+ Batavia, IL 60510
+ USA
+
+ Phone: +1 630 840-3461
+ EMail: crawdad@fnal.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 6]
+
+RFC 2673 Binary Labels in the Domain Name System August 1999
+
+
+10. Full Copyright Statement
+
+ Copyright (C) The Internet Society (1999). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2782.txt b/contrib/bind9/doc/rfc/rfc2782.txt
new file mode 100644
index 0000000..1827f10
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2782.txt
@@ -0,0 +1,675 @@
+
+
+
+
+
+
+Network Working Group A. Gulbrandsen
+Request for Comments: 2782 Troll Technologies
+Obsoletes: 2052 P. Vixie
+Category: Standards Track Internet Software Consortium
+ L. Esibov
+ Microsoft Corp.
+ February 2000
+
+
+ A DNS RR for specifying the location of services (DNS SRV)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document describes a DNS RR which specifies the location of the
+ server(s) for a specific protocol and domain.
+
+Overview and rationale
+
+ Currently, one must either know the exact address of a server to
+ contact it, or broadcast a question.
+
+ The SRV RR allows administrators to use several servers for a single
+ domain, to move services from host to host with little fuss, and to
+ designate some hosts as primary servers for a service and others as
+ backups.
+
+ Clients ask for a specific service/protocol for a specific domain
+ (the word domain is used here in the strict RFC 1034 sense), and get
+ back the names of any available servers.
+
+ Note that where this document refers to "address records", it means A
+ RR's, AAAA RR's, or their most modern equivalent.
+
+
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 1]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+Definitions
+
+ The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT" and "MAY"
+ used in this document are to be interpreted as specified in [BCP 14].
+ Other terms used in this document are defined in the DNS
+ specification, RFC 1034.
+
+Applicability Statement
+
+ In general, it is expected that SRV records will be used by clients
+ for applications where the relevant protocol specification indicates
+ that clients should use the SRV record. Such specification MUST
+ define the symbolic name to be used in the Service field of the SRV
+ record as described below. It also MUST include security
+ considerations. Service SRV records SHOULD NOT be used in the absence
+ of such specification.
+
+Introductory example
+
+ If a SRV-cognizant LDAP client wants to discover a LDAP server that
+ supports TCP protocol and provides LDAP service for the domain
+ example.com., it does a lookup of
+
+ _ldap._tcp.example.com
+
+ as described in [ARM]. The example zone file near the end of this
+ memo contains answering RRs for an SRV query.
+
+ Note: LDAP is chosen as an example for illustrative purposes only,
+ and the LDAP examples used in this document should not be considered
+ a definitive statement on the recommended way for LDAP to use SRV
+ records. As described in the earlier applicability section, consult
+ the appropriate LDAP documents for the recommended procedures.
+
+The format of the SRV RR
+
+ Here is the format of the SRV RR, whose DNS type code is 33:
+
+ _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+
+ (There is an example near the end of this document.)
+
+ Service
+ The symbolic name of the desired service, as defined in Assigned
+ Numbers [STD 2] or locally. An underscore (_) is prepended to
+ the service identifier to avoid collisions with DNS labels that
+ occur in nature.
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 2]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ Some widely used services, notably POP, don't have a single
+ universal name. If Assigned Numbers names the service
+ indicated, that name is the only name which is legal for SRV
+ lookups. The Service is case insensitive.
+
+ Proto
+ The symbolic name of the desired protocol, with an underscore
+ (_) prepended to prevent collisions with DNS labels that occur
+ in nature. _TCP and _UDP are at present the most useful values
+ for this field, though any name defined by Assigned Numbers or
+ locally may be used (as for Service). The Proto is case
+ insensitive.
+
+ Name
+ The domain this RR refers to. The SRV RR is unique in that the
+ name one searches for is not this name; the example near the end
+ shows this clearly.
+
+ TTL
+ Standard DNS meaning [RFC 1035].
+
+ Class
+ Standard DNS meaning [RFC 1035]. SRV records occur in the IN
+ Class.
+
+ Priority
+ The priority of this target host. A client MUST attempt to
+ contact the target host with the lowest-numbered priority it can
+ reach; target hosts with the same priority SHOULD be tried in an
+ order defined by the weight field. The range is 0-65535. This
+ is a 16 bit unsigned integer in network byte order.
+
+ Weight
+ A server selection mechanism. The weight field specifies a
+ relative weight for entries with the same priority. Larger
+ weights SHOULD be given a proportionately higher probability of
+ being selected. The range of this number is 0-65535. This is a
+ 16 bit unsigned integer in network byte order. Domain
+ administrators SHOULD use Weight 0 when there isn't any server
+ selection to do, to make the RR easier to read for humans (less
+ noisy). In the presence of records containing weights greater
+ than 0, records with weight 0 should have a very small chance of
+ being selected.
+
+ In the absence of a protocol whose specification calls for the
+ use of other weighting information, a client arranges the SRV
+ RRs of the same Priority in the order in which target hosts,
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 3]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ specified by the SRV RRs, will be contacted. The following
+ algorithm SHOULD be used to order the SRV RRs of the same
+ priority:
+
+ To select a target to be contacted next, arrange all SRV RRs
+ (that have not been ordered yet) in any order, except that all
+ those with weight 0 are placed at the beginning of the list.
+
+ Compute the sum of the weights of those RRs, and with each RR
+ associate the running sum in the selected order. Then choose a
+ uniform random number between 0 and the sum computed
+ (inclusive), and select the RR whose running sum value is the
+ first in the selected order which is greater than or equal to
+ the random number selected. The target host specified in the
+ selected SRV RR is the next one to be contacted by the client.
+ Remove this SRV RR from the set of the unordered SRV RRs and
+ apply the described algorithm to the unordered SRV RRs to select
+ the next target host. Continue the ordering process until there
+ are no unordered SRV RRs. This process is repeated for each
+ Priority.
+
+ Port
+ The port on this target host of this service. The range is 0-
+ 65535. This is a 16 bit unsigned integer in network byte order.
+ This is often as specified in Assigned Numbers but need not be.
+
+ Target
+ The domain name of the target host. There MUST be one or more
+ address records for this name, the name MUST NOT be an alias (in
+ the sense of RFC 1034 or RFC 2181). Implementors are urged, but
+ not required, to return the address record(s) in the Additional
+ Data section. Unless and until permitted by future standards
+ action, name compression is not to be used for this field.
+
+ A Target of "." means that the service is decidedly not
+ available at this domain.
+
+Domain administrator advice
+
+ Expecting everyone to update their client applications when the first
+ server publishes a SRV RR is futile (even if desirable). Therefore
+ SRV would have to coexist with address record lookups for existing
+ protocols, and DNS administrators should try to provide address
+ records to support old clients:
+
+ - Where the services for a single domain are spread over several
+ hosts, it seems advisable to have a list of address records at
+ the same DNS node as the SRV RR, listing reasonable (if perhaps
+
+
+
+Gulbrandsen, et al. Standards Track [Page 4]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ suboptimal) fallback hosts for Telnet, NNTP and other protocols
+ likely to be used with this name. Note that some programs only
+ try the first address they get back from e.g. gethostbyname(),
+ and we don't know how widespread this behavior is.
+
+ - Where one service is provided by several hosts, one can either
+ provide address records for all the hosts (in which case the
+ round-robin mechanism, where available, will share the load
+ equally) or just for one (presumably the fastest).
+
+ - If a host is intended to provide a service only when the main
+ server(s) is/are down, it probably shouldn't be listed in
+ address records.
+
+ - Hosts that are referenced by backup address records must use the
+ port number specified in Assigned Numbers for the service.
+
+ - Designers of future protocols for which "secondary servers" is
+ not useful (or meaningful) may choose to not use SRV's support
+ for secondary servers. Clients for such protocols may use or
+ ignore SRV RRs with Priority higher than the RR with the lowest
+ Priority for a domain.
+
+ Currently there's a practical limit of 512 bytes for DNS replies.
+ Until all resolvers can handle larger responses, domain
+ administrators are strongly advised to keep their SRV replies below
+ 512 bytes.
+
+ All round numbers, wrote Dr. Johnson, are false, and these numbers
+ are very round: A reply packet has a 30-byte overhead plus the name
+ of the service ("_ldap._tcp.example.com" for instance); each SRV RR
+ adds 20 bytes plus the name of the target host; each NS RR in the NS
+ section is 15 bytes plus the name of the name server host; and
+ finally each A RR in the additional data section is 20 bytes or so,
+ and there are A's for each SRV and NS RR mentioned in the answer.
+ This size estimate is extremely crude, but shouldn't underestimate
+ the actual answer size by much. If an answer may be close to the
+ limit, using a DNS query tool (e.g. "dig") to look at the actual
+ answer is a good idea.
+
+The "Weight" field
+
+ Weight, the server selection field, is not quite satisfactory, but
+ the actual load on typical servers changes much too quickly to be
+ kept around in DNS caches. It seems to the authors that offering
+ administrators a way to say "this machine is three times as fast as
+ that one" is the best that can practically be done.
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 5]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ The only way the authors can see of getting a "better" load figure is
+ asking a separate server when the client selects a server and
+ contacts it. For short-lived services an extra step in the
+ connection establishment seems too expensive, and for long-lived
+ services, the load figure may well be thrown off a minute after the
+ connection is established when someone else starts or finishes a
+ heavy job.
+
+ Note: There are currently various experiments at providing relative
+ network proximity estimation, available bandwidth estimation, and
+ similar services. Use of the SRV record with such facilities, and in
+ particular the interpretation of the Weight field when these
+ facilities are used, is for further study. Weight is only intended
+ for static, not dynamic, server selection. Using SRV weight for
+ dynamic server selection would require assigning unreasonably short
+ TTLs to the SRV RRs, which would limit the usefulness of the DNS
+ caching mechanism, thus increasing overall network load and
+ decreasing overall reliability. Server selection via SRV is only
+ intended to express static information such as "this server has a
+ faster CPU than that one" or "this server has a much better network
+ connection than that one".
+
+The Port number
+
+ Currently, the translation from service name to port number happens
+ at the client, often using a file such as /etc/services.
+
+ Moving this information to the DNS makes it less necessary to update
+ these files on every single computer of the net every time a new
+ service is added, and makes it possible to move standard services out
+ of the "root-only" port range on unix.
+
+Usage rules
+
+ A SRV-cognizant client SHOULD use this procedure to locate a list of
+ servers and connect to the preferred one:
+
+ Do a lookup for QNAME=_service._protocol.target, QCLASS=IN,
+ QTYPE=SRV.
+
+ If the reply is NOERROR, ANCOUNT>0 and there is at least one
+ SRV RR which specifies the requested Service and Protocol in
+ the reply:
+
+ If there is precisely one SRV RR, and its Target is "."
+ (the root domain), abort.
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 6]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ Else, for all such RR's, build a list of (Priority, Weight,
+ Target) tuples
+
+ Sort the list by priority (lowest number first)
+
+ Create a new empty list
+
+ For each distinct priority level
+ While there are still elements left at this priority
+ level
+
+ Select an element as specified above, in the
+ description of Weight in "The format of the SRV
+ RR" Section, and move it to the tail of the new
+ list
+
+ For each element in the new list
+
+ query the DNS for address records for the Target or
+ use any such records found in the Additional Data
+ section of the earlier SRV response.
+
+ for each address record found, try to connect to the
+ (protocol, address, service).
+
+ else
+
+ Do a lookup for QNAME=target, QCLASS=IN, QTYPE=A
+
+ for each address record found, try to connect to the
+ (protocol, address, service)
+
+Notes:
+
+ - Port numbers SHOULD NOT be used in place of the symbolic service
+ or protocol names (for the same reason why variant names cannot
+ be allowed: Applications would have to do two or more lookups).
+
+ - If a truncated response comes back from an SRV query, the rules
+ described in [RFC 2181] shall apply.
+
+ - A client MUST parse all of the RR's in the reply.
+
+ - If the Additional Data section doesn't contain address records
+ for all the SRV RR's and the client may want to connect to the
+ target host(s) involved, the client MUST look up the address
+ record(s). (This happens quite often when the address record
+ has shorter TTL than the SRV or NS RR's.)
+
+
+
+Gulbrandsen, et al. Standards Track [Page 7]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ - Future protocols could be designed to use SRV RR lookups as the
+ means by which clients locate their servers.
+
+Fictional example
+
+ This example uses fictional service "foobar" as an aid in
+ understanding SRV records. If ever service "foobar" is implemented,
+ it is not intended that it will necessarily use SRV records. This is
+ (part of) the zone file for example.com, a still-unused domain:
+
+ $ORIGIN example.com.
+ @ SOA server.example.com. root.example.com. (
+ 1995032001 3600 3600 604800 86400 )
+ NS server.example.com.
+ NS ns1.ip-provider.net.
+ NS ns2.ip-provider.net.
+ ; foobar - use old-slow-box or new-fast-box if either is
+ ; available, make three quarters of the logins go to
+ ; new-fast-box.
+ _foobar._tcp SRV 0 1 9 old-slow-box.example.com.
+ SRV 0 3 9 new-fast-box.example.com.
+ ; if neither old-slow-box or new-fast-box is up, switch to
+ ; using the sysdmin's box and the server
+ SRV 1 0 9 sysadmins-box.example.com.
+ SRV 1 0 9 server.example.com.
+ server A 172.30.79.10
+ old-slow-box A 172.30.79.11
+ sysadmins-box A 172.30.79.12
+ new-fast-box A 172.30.79.13
+ ; NO other services are supported
+ *._tcp SRV 0 0 0 .
+ *._udp SRV 0 0 0 .
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 8]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ In this example, a client of the "foobar" service in the
+ "example.com." domain needs an SRV lookup of
+ "_foobar._tcp.example.com." and possibly A lookups of "new-fast-
+ box.example.com." and/or the other hosts named. The size of the SRV
+ reply is approximately 365 bytes:
+
+ 30 bytes general overhead
+ 20 bytes for the query string, "_foobar._tcp.example.com."
+ 130 bytes for 4 SRV RR's, 20 bytes each plus the lengths of "new-
+ fast-box", "old-slow-box", "server" and "sysadmins-box" -
+ "example.com" in the query section is quoted here and doesn't
+ need to be counted again.
+ 75 bytes for 3 NS RRs, 15 bytes each plus the lengths of "server",
+ "ns1.ip-provider.net." and "ns2" - again, "ip-provider.net." is
+ quoted and only needs to be counted once.
+ 120 bytes for the 6 address records (assuming IPv4 only) mentioned
+ by the SRV and NS RR's.
+
+IANA Considerations
+
+ The IANA has assigned RR type value 33 to the SRV RR. No other IANA
+ services are required by this document.
+
+Changes from RFC 2052
+
+ This document obsoletes RFC 2052. The major change from that
+ previous, experimental, version of this specification is that now the
+ protocol and service labels are prepended with an underscore, to
+ lower the probability of an accidental clash with a similar name used
+ for unrelated purposes. Aside from that, changes are only intended
+ to increase the clarity and completeness of the document. This
+ document especially clarifies the use of the Weight field of the SRV
+ records.
+
+Security Considerations
+
+ The authors believe this RR to not cause any new security problems.
+ Some problems become more visible, though.
+
+ - The ability to specify ports on a fine-grained basis obviously
+ changes how a router can filter packets. It becomes impossible
+ to block internal clients from accessing specific external
+ services, slightly harder to block internal users from running
+ unauthorized services, and more important for the router
+ operations and DNS operations personnel to cooperate.
+
+ - There is no way a site can keep its hosts from being referenced
+ as servers. This could lead to denial of service.
+
+
+
+Gulbrandsen, et al. Standards Track [Page 9]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+ - With SRV, DNS spoofers can supply false port numbers, as well as
+ host names and addresses. Because this vulnerability exists
+ already, with names and addresses, this is not a new
+ vulnerability, merely a slightly extended one, with little
+ practical effect.
+
+References
+
+ STD 2: Reynolds, J., and J. Postel, "Assigned Numbers", STD 2, RFC
+ 1700, October 1994.
+
+ RFC 1034: Mockapetris, P., "Domain names - concepts and facilities",
+ STD 13, RFC 1034, November 1987.
+
+ RFC 1035: Mockapetris, P., "Domain names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ RFC 974: Partridge, C., "Mail routing and the domain system", STD
+ 14, RFC 974, January 1986.
+
+ BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ RFC 2181: Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ RFC 2219: Hamilton, M. and R. Wright, "Use of DNS Aliases for Network
+ Services", BCP 17, RFC 2219, October 1997.
+
+ BCP 14: Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ ARM: Armijo, M., Esibov, L. and P. Leach, "Discovering LDAP
+ Services with DNS", Work in Progress.
+
+ KDC-DNS: Hornstein, K. and J. Altman, "Distributing Kerberos KDC and
+ Realm Information with DNS", Work in Progress.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 10]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+Acknowledgements
+
+ The algorithm used to select from the weighted SRV RRs of equal
+ priority is adapted from one supplied by Dan Bernstein.
+
+Authors' Addresses
+
+ Arnt Gulbrandsen
+ Troll Tech
+ Waldemar Thranes gate 98B
+ N-0175 Oslo, Norway
+
+ Fax: +47 22806380
+ Phone: +47 22806390
+ EMail: arnt@troll.no
+
+
+ Paul Vixie
+ Internet Software Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 779 7001
+
+
+ Levon Esibov
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+
+ EMail: levone@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 11]
+
+RFC 2782 DNS SRV RR February 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gulbrandsen, et al. Standards Track [Page 12]
+
diff --git a/contrib/bind9/doc/rfc/rfc2825.txt b/contrib/bind9/doc/rfc/rfc2825.txt
new file mode 100644
index 0000000..fd8ef7c
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2825.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group Internet Architecture Board (IAB)
+Request for Comments: 2825 L. Daigle, Editor
+Category: Informational May 2000
+
+
+ A Tangled Web: Issues of I18N, Domain Names, and the
+ Other Internet protocols
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ The goals of the work to "internationalize" Internet protocols
+ include providing all users of the Internet with the capability of
+ using their own language and its standard character set to express
+ themselves, write names, and to navigate the network. This impacts
+ the domain names visible in e-mail addresses and so many of today's
+ URLs used to locate information on the World Wide Web, etc. However,
+ domain names are used by Internet protocols that are used across
+ national boundaries. These services must interoperate worldwide, or
+ we risk isolating components of the network from each other along
+ locale boundaries. This type of isolation could impede not only
+ communications among people, but opportunities of the areas involved
+ to participate effectively in e-commerce, distance learning, and
+ other activities at an international scale, thereby retarding
+ economic development.
+
+ There are several proposals for internationalizing domain names,
+ however it it is still to be determined whether any of them will
+ ensure this interoperability and global reach while addressing
+ visible-name representation. Some of them obviously do not. This
+ document does not attempt to review any specific proposals, as that
+ is the work of the Internationalized Domain Name (IDN) Working Group
+ of the IETF, which is tasked with evaluating them in consideration of
+ the continued global network interoperation that is the deserved
+ expectation of all Internet users.
+
+
+
+
+
+
+
+IAB Informational [Page 1]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+ This document is a statement by the Internet Architecture Board. It
+ is not a protocol specification, but an attempt to clarify the range
+ of architectural issues that the internationalization of domain names
+ faces.
+
+1. A Definition of Success
+
+ The Internationalized Domain Names (IDN) Working Group is one
+ component of the IETF's continuing comprehensive effort to
+ internationalize language representation facilities in the protocols
+ that support the global functioning of the Internet.
+
+ In keeping with the principles of rough consensus, running code,
+ architectural integrity, and in the interest of ensuring the global
+ stability of the Internet, the IAB emphasizes that all solutions
+ proposed to the (IDN) Working Group will have to be evaluated not
+ only on their individual technical features, but also in terms of
+ impact on existing standards and operations of the Internet and the
+ total effect for end-users: solutions must not cause users to become
+ more isolated from their global neighbors even if they appear to
+ solve a local problem. In some cases, existing protocols have
+ limitations on allowable characters, and in other cases
+ implementations of protocols used in the core of the Internet (beyond
+ individual organizations) have in practice not implemented all the
+ requisite options of the standards.
+
+2. Technical Challenges within the Domain Name System (DNS)
+
+ In many technical respects, the IDN work is not different from any
+ other effort to enable multiple character set representations in
+ textual elements that were traditionally restricted to English
+ language characters.
+
+ One aspect of the challenge is to decide how to represent the names
+ users want in the DNS in a way that is clear, technically feasible,
+ and ensures that a name always means the same thing. Several
+ proposals have been suggested to address these issues.
+
+ These issues are being outlined in more detail in the IDN WG's
+ evolving draft requirements document; further discussion is deferred
+ to the WG and its documents.
+
+3. Integrating with Current Realities
+
+ Nevertheless, issues faced by the IDN working group are complex and
+ intricately intertwined with other operational components of the
+ Internet. A key challenge in evaluating any proposed solution is the
+ analysis of the impact on existing critical operational standards
+
+
+
+IAB Informational [Page 2]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+ which use fully-qualified domain names [RFC1034], or simply host
+ names [RFC1123]. Standards-changes can be effected, but the best
+ path forward is one that takes into account current realities and
+ (re)deployment latencies. In the Internet's global context, it is not
+ enough to update a few isolated systems, or even most of the systems
+ in a country or region. Deployment must be nearly universal in order
+ to avoid the creation of "islands" of interoperation that provide
+ users with less access to and connection from the rest of the world.
+
+ These are not esoteric or ephemeral concerns. Some specific issues
+ have already been identified as part of the IDN WG's efforts. These
+ include (but are not limited to) the following examples.
+
+3.1 Domain Names and E-mail
+
+ As indicated in the IDN WG's draft requirements document, the issue
+ goes beyond standardization of DNS usage. Electronic mail has long
+ been one of the most-used and most important applications of the
+ Internet. Internet e-mail is also used as the bridge that permits
+ the users of a variety of local and proprietary mail systems to
+ communicate. The standard protocols that define its use (e.g., SMTP
+ [RFC821, RFC822] and MIME [RFC2045]) do not permit the full range of
+ characters allowed in the DNS specification. Certain characters are
+ not allowed in e-mail address domain portions of these
+ specifications. Some mailers, built to adhere to these
+ specifications, are known to fail when on mail having non-ASCII
+ domain names in its address -- by discarding, misrouting or damaging
+ the mail. Thus, it's not possible to simply switch to
+ internationalized domain names and expect global e-mail to continue
+ to work until most of the servers in the world are upgraded.
+
+3.2 Domain Names and Routing
+
+ At a lower level, the Routing Policy Specification Language (RPLS)
+ [RFC2622] makes use of "named objects" -- and inherits object naming
+ restrictions from older standards ([RFC822] for the same e-mail
+ address restrictions, [RFC1034] for hostnames). This means that
+ until routing registries and their protocols are updated, it is not
+ possible to enter or retrieve network descriptions utilizing
+ internationalized domain names.
+
+3.3 Domain Names and Network Management
+
+ Also, the Simple Network Management Protocol (SNMP) uses the textual
+ representation defined in [RFC2579]. While that specification does
+ allow for UTF-8-based domain names, an informal survey of deployed
+ implementations of software libraries being used to build SNMP-
+ compliant software uncovered the fact that few (if any) implement it.
+
+
+
+IAB Informational [Page 3]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+ This may cause inability to enter or display correct data in network
+ management tools, if such names are internationalized domain names.
+
+3.4 Domain Names and Security
+
+ Critical components of Internet public key technologies (PKIX,
+ [RFC2459], IKE [RFC2409]) rely heavily on identification of servers
+ (hostnames, or fully qualified domain names) and users (e-mail
+ addresses). Failure to respect the character restrictions in these
+ protocols will impact security tools built to use them -- Transport
+ Layer Security protocol (TLS, [RFC2246]), and IPsec [RFC2401] to name
+ two.
+
+ Failure may not be obvious. For example, in TLS, it is common usage
+ for a server to display a certificate containing a domain name
+ purporting to be the domain name of the server, which the client can
+ then match with the server name he thought he used to reach the
+ service.
+
+ Unless comparison of domain names is properly defined, the client may
+ either fail to match the domain name of a legitimate server, or match
+ incorrectly the domain name of a server performing a man-in-the-
+ middle attack. Either failure could enable attacks on systems that
+ are now impossible or at least far more difficult.
+
+4. Conclusion
+
+ It is therefore clear that, although there are many possible ways to
+ assign internationalized names that are compatible with today's DNS
+ (or a version that is easily-deployable in the near future), not all
+ of them are compatible with the full range of necessary networking
+ tools. When designing a solution for internationalization of domain
+ names, the effects on the current Internet must be carefully
+ evaluated. Some types of solutions proposed would, if put into effect
+ immediately, cause Internet communications to fail in ways that would
+ be hard to detect by and pose problems for those who deploy the new
+ services, but also for those who do not; this would have the effect
+ of cutting those who deploy them off from effective use of the
+ Internet.
+
+ The IDN WG has been identified as the appropriate forum for
+ identifying and discussing solutions for such potential
+ interoperability issues.
+
+ Experience with deployment of other protocols has indicated that it
+ will take years before a new protocol or enhancement is used all over
+ the Internet. So far, the IDN WG has benefited from proposed
+ solutions from all quarters, including organizations hoping to
+
+
+
+IAB Informational [Page 4]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+ provide services that address visible-name representation and
+ registration -- continuing this process with the aim of getting a
+ single, scalable and deployable solution to this problem is the only
+ way to ensure the continued global interoperation that is the
+ deserved expectation of all Internet users.
+
+5. Security Considerations
+
+ In general, assignment and use of names does not raise any special
+ security problems. However, as noted above, some existing security
+ mechanisms are reliant on the current specification of domain names
+ and may not be expected to work, as is, with Internationalized domain
+ names. Additionally, deployment of non-standard systems (e.g., in
+ response to current pressures to address national or regional
+ characterset representation) might result in name strings that are
+ not globally unique, thereby opening up the possibility of "spoofing"
+ hosts from one domain in another, as described in [RFC2826].
+
+6. Acknowledgements
+
+ This document is the outcome of the joint effort of the members of
+ the IAB. Additionally, valuable remarks were provided by Randy Bush,
+ Patrik Faltstrom, Ted Hardie, Paul Hoffman, and Mark Kosters.
+
+7. References
+
+ [RFC821] Postel, J., "Simple Mail Transfer Protocol", STD 10, RFC
+ 821, August 1982.
+
+ [RFC822] Crocker, D., "Standard for the Format of ARPA Internet Text
+ Messages", STD 11, RFC 822, August 1982.
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts -- Application
+ and Support", STD 3, RFC 1123, November 1989.
+
+ [RFC2401] Kent, S. and R. Atkinson, "Security Architecture for the
+ Internet Protocol", RFC 2401, November 1998.
+
+ [RFC2409] Harkins, D and D. Carrel, "The Internet Key Exchange
+ (IKE)", RFC 2409, November 1998.
+
+ [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
+ Extensions (MIME) Part One: Format of Internet Message
+ Bodies", RFC 2045, November 1996.
+
+
+
+
+IAB Informational [Page 5]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+ [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
+ RFC 2246, January 1999.
+
+ [RFC2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet
+ X.509 Public Key Infrastructure Certificate and CRL
+ Profile", RFC 2459, January 1999.
+
+ [RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.
+ and M. Rose, "Textual Conventions for SMIv2", RFC 2579,
+ April 1999.
+
+ [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
+ Meyer, D., Bates, T., Karrenberg, D. and M. Terpstra,
+ "Routing Policy Specification Language (RPSL)", RFC 2622,
+ June 1999.
+
+ [RFC2826] IAB, "IAB Technical Comment on the Unique DNS Root", RFC
+ 2826, May 2000.
+
+8. Author's Address
+
+ Internet Architecture Board
+
+ EMail: iab@iab.org
+
+
+ Membership at time this document was completed:
+
+ Harald Alvestrand
+ Ran Atkinson
+ Rob Austein
+ Brian Carpenter
+ Steve Bellovin
+ Jon Crowcroft
+ Leslie Daigle
+ Steve Deering
+ Tony Hain
+ Geoff Huston
+ John Klensin
+ Henning Schulzrinne
+
+
+
+
+
+
+
+
+
+
+
+IAB Informational [Page 6]
+
+RFC 2825 Issues: I18N, Domain Names, and Internet Protocols May 2000
+
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB Informational [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc2826.txt b/contrib/bind9/doc/rfc/rfc2826.txt
new file mode 100644
index 0000000..b4d8869
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2826.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group Internet Architecture Board
+Request for Comments: 2826 May 2000
+Category: Informational
+
+
+ IAB Technical Comment on the Unique DNS Root
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Summary
+
+ To remain a global network, the Internet requires the existence of a
+ globally unique public name space. The DNS name space is a
+ hierarchical name space derived from a single, globally unique root.
+ This is a technical constraint inherent in the design of the DNS.
+ Therefore it is not technically feasible for there to be more than
+ one root in the public DNS. That one root must be supported by a set
+ of coordinated root servers administered by a unique naming
+ authority.
+
+ Put simply, deploying multiple public DNS roots would raise a very
+ strong possibility that users of different ISPs who click on the same
+ link on a web page could end up at different destinations, against
+ the will of the web page designers.
+
+ This does not preclude private networks from operating their own
+ private name spaces, but if they wish to make use of names uniquely
+ defined for the global Internet, they have to fetch that information
+ from the global DNS naming hierarchy, and in particular from the
+ coordinated root servers of the global DNS naming hierarchy.
+
+1. Detailed Explanation
+
+ There are several distinct reasons why the DNS requires a single root
+ in order to operate properly.
+
+1.1. Maintenance of a Common Symbol Set
+
+ Effective communications between two parties requires two essential
+ preconditions:
+
+
+
+IAB Informational [Page 1]
+
+RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
+
+
+ - The existence of a common symbol set, and
+
+ - The existence of a common semantic interpretation of these
+ symbols.
+
+ Failure to meet the first condition implies a failure to communicate
+ at all, while failure to meet the second implies that the meaning of
+ the communication is lost.
+
+ In the case of a public communications system this condition of a
+ common symbol set with a common semantic interpretation must be
+ further strengthened to that of a unique symbol set with a unique
+ semantic interpretation. This condition of uniqueness allows any
+ party to initiate a communication that can be received and understood
+ by any other party. Such a condition rules out the ability to define
+ a symbol within some bounded context. In such a case, once the
+ communication moves out of the context of interpretation in which it
+ was defined, the meaning of the symbol becomes lost.
+
+ Within public digital communications networks such as the Internet
+ this requirement for a uniquely defined symbol set with a uniquely
+ defined meaning exists at many levels, commencing with the binary
+ encoding scheme, extending to packet headers and payload formats and
+ the protocol that an application uses to interact. In each case a
+ variation of the symbol set or a difference of interpretation of the
+ symbols being used within the interaction causes a protocol failure,
+ and the communication fails. The property of uniqueness allows a
+ symbol to be used unambiguously in any context, allowing the symbol
+ to be passed on, referred to, and reused, while still preserving the
+ meaning of the original use.
+
+ The DNS fulfills an essential role within the Internet protocol
+ environment, allowing network locations to be referred to using a
+ label other than a protocol address. As with any other such symbol
+ set, DNS names are designed to be globally unique, that is, for any
+ one DNS name at any one time there must be a single set of DNS
+ records uniquely describing protocol addresses, network resources and
+ services associated with that DNS name. All of the applications
+ deployed on the Internet which use the DNS assume this, and Internet
+ users expect such behavior from DNS names. Names are then constant
+ symbols, whose interpretation does not specifically require knowledge
+ of the context of any individual party. A DNS name can be passed
+ from one party to another without altering the semantic intent of the
+ name.
+
+ Since the DNS is hierarchically structured into domains, the
+ uniqueness requirement for DNS names in their entirety implies that
+ each of the names (sub-domains) defined within a domain has a unique
+
+
+
+IAB Informational [Page 2]
+
+RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
+
+
+ meaning (i.e., set of DNS records) within that domain. This is as
+ true for the root domain as for any other DNS domain. The
+ requirement for uniqueness within a domain further implies that there
+ be some mechanism to prevent name conflicts within a domain. In DNS
+ this is accomplished by assigning a single owner or maintainer to
+ every domain, including the root domain, who is responsible for
+ ensuring that each sub-domain of that domain has the proper records
+ associated with it. This is a technical requirement, not a policy
+ choice.
+
+1.2. Coordination of Updates
+
+ Both the design and implementations of the DNS protocol are heavily
+ based on the assumption that there is a single owner or maintainer
+ for every domain, and that any set of resources records associated
+ with a domain is modified in a single-copy serializable fashion.
+ That is, even assuming that a single domain could somehow be "shared"
+ by uncooperating parties, there is no means within the DNS protocol
+ by which a user or client could discover, and choose between,
+ conflicting definitions of a DNS name made by different parties. The
+ client will simply return the first set of resource records that it
+ finds that matches the requested domain, and assume that these are
+ valid. This protocol is embedded in the operating software of
+ hundreds of millions of computer systems, and is not easily updated
+ to support a shared domain scenario.
+
+ Moreover, even supposing that some other means of resolving
+ conflicting definitions could be provided in the future, it would
+ have to be based on objective rules established in advance. For
+ example, zone A.B could declare that naming authority Y had been
+ delegated all subdomains of A.B with an odd number of characters, and
+ that naming authority Z had been delegated authority to define
+ subdomains of A.B with an even number of characters. Thus, a single
+ set of rules would have to be agreed to prevent Y and Z from making
+ conflicting assignments, and with this train of actions a single
+ unique space has been created in any case. Even this would not allow
+ multiple non-cooperating authorities to assign arbitrary sub-domains
+ within a single domain.
+
+ It seems that a degree of cooperation and agreed technical rules are
+ required in order to guarantee the uniqueness of names. In the DNS,
+ these rules are established independently for each part of the naming
+ hierarchy, and the root domain is no exception. Thus, there must be
+ a generally agreed single set of rules for the root.
+
+
+
+
+
+
+
+IAB Informational [Page 3]
+
+RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
+
+
+1.3. Difficulty of Relocating the Root Zone
+
+ There is one specific technical respect in which the root zone
+ differs from all other DNS zones: the addresses of the name servers
+ for the root zone come primarily from out-of-band information. This
+ out-of-band information is often poorly maintained and, unlike all
+ other data in the DNS, the out-of-band information has no automatic
+ timeout mechanism. It is not uncommon for this information to be
+ years out of date at many sites.
+
+ Like any other zone, the root zone contains a set of "name server"
+ resource records listing its servers, but a resolver with no valid
+ addresses for the current set of root servers will never be able to
+ obtain these records. More insidiously, a resolver that has a mixed
+ set of partially valid and partially stale out-of-band configuration
+ information will not be able to tell which are the "real" root
+ servers if it gets back conflicting answers; thus, it is very
+ difficult to revoke the status of a malicious root server, or even to
+ route around a buggy root server.
+
+ In effect, every full-service resolver in the world "delegates" the
+ root of the public tree to the public root server(s) of its choice.
+
+ As a direct consequence, any change to the list of IP addresses that
+ specify the public root zone is significantly more difficult than
+ changing any other aspect of the DNS delegation chain. Thus,
+ stability of the system calls for extremely conservative and cautious
+ management of the public root zone: the frequency of updates to the
+ root zone must be kept low, and the servers for the root zone must be
+ closely coordinated.
+
+ These problems can be ameliorated to some extent by the DNS Security
+ Extensions [DNSSEC], but a similar out-of-band configuration problem
+ exists for the cryptographic signature key to the root zone, so the
+ root zone still requires tight coupling and coordinated management
+ even in the presence of DNSSEC.
+
+2. Conclusion
+
+ The DNS type of unique naming and name-mapping system may not be
+ ideal for a number of purposes for which it was never designed, such
+ a locating information when the user doesn't precisely know the
+ correct names. As the Internet continues to expand, we would expect
+ directory systems to evolve which can assist the user in dealing with
+ vague or ambiguous references. To preserve the many important
+ features of the DNS and its multiple record types -- including the
+ Internet's equivalent of telephone number portability -- we would
+ expect the result of directory lookups and identification of the
+
+
+
+IAB Informational [Page 4]
+
+RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
+
+
+ correct names for a particular purpose to be unique DNS names that
+ are then resolved normally, rather than having directory systems
+ "replace" the DNS.
+
+ There is no getting away from the unique root of the public DNS.
+
+3. Security Considerations
+
+ This memo does not introduce any new security issues, but it does
+ attempt to identify some of the problems inherent in a family of
+ recurring technically naive proposals.
+
+4. IANA Considerations
+
+ This memo is not intended to create any new issues for IANA.
+
+5. References
+
+ [DNS-CONCEPTS] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [DNS-IMPLEMENTATION] Mockapetris, P., "Domain Names - Implementation
+ and Specification", STD 13, RFC 1035, November
+ 1987.
+
+ [DNSSEC] Eastlake, D., "Domain Name System Security
+ Extensions", RFC 2535, March 1999.
+
+6. Author's Address
+
+ Internet Architecture Board
+
+ EMail: iab@iab.org
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB Informational [Page 5]
+
+RFC 2826 IAB Technical Comment on the Unique DNS Root May 2000
+
+
+7. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+IAB Informational [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc2845.txt b/contrib/bind9/doc/rfc/rfc2845.txt
new file mode 100644
index 0000000..aa9f385
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2845.txt
@@ -0,0 +1,843 @@
+
+
+
+
+
+
+Network Working Group P. Vixie
+Request for Comments: 2845 ISC
+Category: Standards Track O. Gudmundsson
+Updates: 1035 NAI Labs
+ D. Eastlake 3rd
+ Motorola
+ B. Wellington
+ Nominum
+ May 2000
+
+
+ Secret Key Transaction Authentication for DNS (TSIG)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This protocol allows for transaction level authentication using
+ shared secrets and one way hashing. It can be used to authenticate
+ dynamic updates as coming from an approved client, or to authenticate
+ responses as coming from an approved recursive name server.
+
+ No provision has been made here for distributing the shared secrets;
+ it is expected that a network administrator will statically configure
+ name servers and clients using some out of band mechanism such as
+ sneaker-net until a secure automated mechanism for key distribution
+ is available.
+
+1 - Introduction
+
+ 1.1. The Domain Name System (DNS) [RFC1034, RFC1035] is a replicated
+ hierarchical distributed database system that provides information
+ fundamental to Internet operations, such as name <=> address
+ translation and mail handling information. DNS has recently been
+ extended [RFC2535] to provide for data origin authentication, and
+ public key distribution, all based on public key cryptography and
+ public key based digital signatures. To be practical, this form of
+
+
+
+
+Vixie, et al. Standards Track [Page 1]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ security generally requires extensive local caching of keys and
+ tracing of authentication through multiple keys and signatures to a
+ pre-trusted locally configured key.
+
+ 1.2. One difficulty with the [RFC2535] scheme is that common DNS
+ implementations include simple "stub" resolvers which do not have
+ caches. Such resolvers typically rely on a caching DNS server on
+ another host. It is impractical for these stub resolvers to perform
+ general [RFC2535] authentication and they would naturally depend on
+ their caching DNS server to perform such services for them. To do so
+ securely requires secure communication of queries and responses.
+ [RFC2535] provides public key transaction signatures to support this,
+ but such signatures are very expensive computationally to generate.
+ In general, these require the same complex public key logic that is
+ impractical for stubs. This document specifies use of a message
+ authentication code (MAC), specifically HMAC-MD5 (a keyed hash
+ function), to provide an efficient means of point-to-point
+ authentication and integrity checking for transactions.
+
+ 1.3. A second area where use of straight [RFC2535] public key based
+ mechanisms may be impractical is authenticating dynamic update
+ [RFC2136] requests. [RFC2535] provides for request signatures but
+ with [RFC2535] they, like transaction signatures, require
+ computationally expensive public key cryptography and complex
+ authentication logic. Secure Domain Name System Dynamic Update
+ ([RFC2137]) describes how different keys are used in dynamically
+ updated zones. This document's secret key based MACs can be used to
+ authenticate DNS update requests as well as transaction responses,
+ providing a lightweight alternative to the protocol described by
+ [RFC2137].
+
+ 1.4. A further use of this mechanism is to protect zone transfers.
+ In this case the data covered would be the whole zone transfer
+ including any glue records sent. The protocol described by [RFC2535]
+ does not protect glue records and unsigned records unless SIG(0)
+ (transaction signature) is used.
+
+ 1.5. The authentication mechanism proposed in this document uses
+ shared secret keys to establish a trust relationship between two
+ entities. Such keys must be protected in a fashion similar to
+ private keys, lest a third party masquerade as one of the intended
+ parties (forge MACs). There is an urgent need to provide simple and
+ efficient authentication between clients and local servers and this
+ proposal addresses that need. This proposal is unsuitable for
+ general server to server authentication for servers which speak with
+ many other servers, since key management would become unwieldy with
+
+
+
+
+
+Vixie, et al. Standards Track [Page 2]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ the number of shared keys going up quadratically. But it is suitable
+ for many resolvers on hosts that only talk to a few recursive
+ servers.
+
+ 1.6. A server acting as an indirect caching resolver -- a "forwarder"
+ in common usage -- might use transaction-based authentication when
+ communicating with its small number of preconfigured "upstream"
+ servers. Other uses of DNS secret key authentication and possible
+ systems for automatic secret key distribution may be proposed in
+ separate future documents.
+
+ 1.7. New Assigned Numbers
+
+ RRTYPE = TSIG (250)
+ ERROR = 0..15 (a DNS RCODE)
+ ERROR = 16 (BADSIG)
+ ERROR = 17 (BADKEY)
+ ERROR = 18 (BADTIME)
+
+ 1.8. The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and
+ "MAY" in this document are to be interpreted as described in [RFC
+ 2119].
+
+2 - TSIG RR Format
+
+ 2.1 TSIG RR Type
+
+ To provide secret key authentication, we use a new RR type whose
+ mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and
+ MUST not be cached. TSIG RRs are used for authentication between DNS
+ entities that have established a shared secret key. TSIG RRs are
+ dynamically computed to cover a particular DNS transaction and are
+ not DNS RRs in the usual sense.
+
+ 2.2 TSIG Calculation
+
+ As the TSIG RRs are related to one DNS request/response, there is no
+ value in storing or retransmitting them, thus the TSIG RR is
+ discarded once it has been used to authenticate a DNS message. The
+ only message digest algorithm specified in this document is "HMAC-
+ MD5" (see [RFC1321], [RFC2104]). The "HMAC-MD5" algorithm is
+ mandatory to implement for interoperability. Other algorithms can be
+ specified at a later date. Names and definitions of new algorithms
+ MUST be registered with IANA. All multi-octet integers in the TSIG
+ record are sent in network byte order (see [RFC1035 2.3.2]).
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 3]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ 2.3. Record Format
+
+ NAME The name of the key used in domain name syntax. The name
+ should reflect the names of the hosts and uniquely identify
+ the key among a set of keys these two hosts may share at any
+ given time. If hosts A.site.example and B.example.net share a
+ key, possibilities for the key name include
+ <id>.A.site.example, <id>.B.example.net, and
+ <id>.A.site.example.B.example.net. It should be possible for
+ more than one key to be in simultaneous use among a set of
+ interacting hosts. The name only needs to be meaningful to
+ the communicating hosts but a meaningful mnemonic name as
+ above is strongly recommended.
+
+ The name may be used as a local index to the key involved and
+ it is recommended that it be globally unique. Where a key is
+ just shared between two hosts, its name actually only need
+ only be meaningful to them but it is recommended that the key
+ name be mnemonic and incorporate the resolver and server host
+ names in that order.
+
+ TYPE TSIG (250: Transaction SIGnature)
+
+ CLASS ANY
+
+ TTL 0
+
+ RdLen (variable)
+
+ RDATA
+
+ Field Name Data Type Notes
+ --------------------------------------------------------------
+ Algorithm Name domain-name Name of the algorithm
+ in domain name syntax.
+ Time Signed u_int48_t seconds since 1-Jan-70 UTC.
+ Fudge u_int16_t seconds of error permitted
+ in Time Signed.
+ MAC Size u_int16_t number of octets in MAC.
+ MAC octet stream defined by Algorithm Name.
+ Original ID u_int16_t original message ID
+ Error u_int16_t expanded RCODE covering
+ TSIG processing.
+ Other Len u_int16_t length, in octets, of
+ Other Data.
+ Other Data octet stream empty unless Error == BADTIME
+
+
+
+
+
+Vixie, et al. Standards Track [Page 4]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ 2.4. Example
+
+ NAME HOST.EXAMPLE.
+
+ TYPE TSIG
+
+ CLASS ANY
+
+ TTL 0
+
+ RdLen as appropriate
+
+ RDATA
+
+ Field Name Contents
+ -------------------------------------
+ Algorithm Name SAMPLE-ALG.EXAMPLE.
+ Time Signed 853804800
+ Fudge 300
+ MAC Size as appropriate
+ MAC as appropriate
+ Original ID as appropriate
+ Error 0 (NOERROR)
+ Other Len 0
+ Other Data empty
+
+3 - Protocol Operation
+
+ 3.1. Effects of adding TSIG to outgoing message
+
+ Once the outgoing message has been constructed, the keyed message
+ digest operation can be performed. The resulting message digest will
+ then be stored in a TSIG which is appended to the additional data
+ section (the ARCOUNT is incremented to reflect this). If the TSIG
+ record cannot be added without causing the message to be truncated,
+ the server MUST alter the response so that a TSIG can be included.
+ This response consists of only the question and a TSIG record, and
+ has the TC bit set and RCODE 0 (NOERROR). The client SHOULD at this
+ point retry the request using TCP (per [RFC1035 4.2.2]).
+
+ 3.2. TSIG processing on incoming messages
+
+ If an incoming message contains a TSIG record, it MUST be the last
+ record in the additional section. Multiple TSIG records are not
+ allowed. If a TSIG record is present in any other position, the
+ packet is dropped and a response with RCODE 1 (FORMERR) MUST be
+ returned. Upon receipt of a message with a correctly placed TSIG RR,
+ the TSIG RR is copied to a safe location, removed from the DNS
+
+
+
+Vixie, et al. Standards Track [Page 5]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ Message, and decremented out of the DNS message header's ARCOUNT. At
+ this point the keyed message digest operation is performed. If the
+ algorithm name or key name is unknown to the recipient, or if the
+ message digests do not match, the whole DNS message MUST be
+ discarded. If the message is a query, a response with RCODE 9
+ (NOTAUTH) MUST be sent back to the originator with TSIG ERROR 17
+ (BADKEY) or TSIG ERROR 16 (BADSIG). If no key is available to sign
+ this message it MUST be sent unsigned (MAC size == 0 and empty MAC).
+ A message to the system operations log SHOULD be generated, to warn
+ the operations staff of a possible security incident in progress.
+ Care should be taken to ensure that logging of this type of event
+ does not open the system to a denial of service attack.
+
+ 3.3. Time values used in TSIG calculations
+
+ The data digested includes the two timer values in the TSIG header in
+ order to defend against replay attacks. If this were not done, an
+ attacker could replay old messages but update the "Time Signed" and
+ "Fudge" fields to make the message look new. This data is named
+ "TSIG Timers", and for the purpose of digest calculation they are
+ invoked in their "on the wire" format, in the following order: first
+ Time Signed, then Fudge. For example:
+
+Field Name Value Wire Format Meaning
+----------------------------------------------------------------------
+Time Signed 853804800 00 00 32 e4 07 00 Tue Jan 21 00:00:00 1997
+Fudge 300 01 2C 5 minutes
+
+ 3.4. TSIG Variables and Coverage
+
+ When generating or verifying the contents of a TSIG record, the
+ following data are digested, in network byte order or wire format, as
+ appropriate:
+
+ 3.4.1. DNS Message
+
+ A whole and complete DNS message in wire format, before the TSIG RR
+ has been added to the additional data section and before the DNS
+ Message Header's ARCOUNT field has been incremented to contain the
+ TSIG RR. If the message ID differs from the original message ID, the
+ original message ID is substituted for the message ID. This could
+ happen when forwarding a dynamic update request, for example.
+
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 6]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ 3.4.2. TSIG Variables
+
+Source Field Name Notes
+-----------------------------------------------------------------------
+TSIG RR NAME Key name, in canonical wire format
+TSIG RR CLASS (Always ANY in the current specification)
+TSIG RR TTL (Always 0 in the current specification)
+TSIG RDATA Algorithm Name in canonical wire format
+TSIG RDATA Time Signed in network byte order
+TSIG RDATA Fudge in network byte order
+TSIG RDATA Error in network byte order
+TSIG RDATA Other Len in network byte order
+TSIG RDATA Other Data exactly as transmitted
+
+ The RR RDLEN and RDATA MAC Length are not included in the hash since
+ they are not guaranteed to be knowable before the MAC is generated.
+
+ The Original ID field is not included in this section, as it has
+ already been substituted for the message ID in the DNS header and
+ hashed.
+
+ For each label type, there must be a defined "Canonical wire format"
+ that specifies how to express a label in an unambiguous way. For
+ label type 00, this is defined in [RFC2535], for label type 01, this
+ is defined in [RFC2673]. The use of label types other than 00 and 01
+ is not defined for this specification.
+
+ 3.4.3. Request MAC
+
+ When generating the MAC to be included in a response, the request MAC
+ must be included in the digest. The request's MAC is digested in
+ wire format, including the following fields:
+
+ Field Type Description
+ ---------------------------------------------------
+ MAC Length u_int16_t in network byte order
+ MAC Data octet stream exactly as transmitted
+
+ 3.5. Padding
+
+ Digested components are fed into the hashing function as a continuous
+ octet stream with no interfield padding.
+
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 7]
+
+RFC 2845 DNS TSIG May 2000
+
+
+4 - Protocol Details
+
+ 4.1. TSIG generation on requests
+
+ Client performs the message digest operation and appends a TSIG
+ record to the additional data section and transmits the request to
+ the server. The client MUST store the message digest from the
+ request while awaiting an answer. The digest components for a
+ request are:
+
+ DNS Message (request)
+ TSIG Variables (request)
+
+ Note that some older name servers will not accept requests with a
+ nonempty additional data section. Clients SHOULD only attempt signed
+ transactions with servers who are known to support TSIG and share
+ some secret key with the client -- so, this is not a problem in
+ practice.
+
+ 4.2. TSIG on Answers
+
+ When a server has generated a response to a signed request, it signs
+ the response using the same algorithm and key. The server MUST not
+ generate a signed response to an unsigned request. The digest
+ components are:
+
+ Request MAC
+ DNS Message (response)
+ TSIG Variables (response)
+
+ 4.3. TSIG on TSIG Error returns
+
+ When a server detects an error relating to the key or MAC, the server
+ SHOULD send back an unsigned error message (MAC size == 0 and empty
+ MAC). If an error is detected relating to the TSIG validity period,
+ the server SHOULD send back a signed error message. The digest
+ components are:
+
+ Request MAC (if the request MAC validated)
+ DNS Message (response)
+ TSIG Variables (response)
+
+ The reason that the request is not included in this digest in some
+ cases is to make it possible for the client to verify the error. If
+ the error is not a TSIG error the response MUST be generated as
+ specified in [4.2].
+
+
+
+
+
+Vixie, et al. Standards Track [Page 8]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ 4.4. TSIG on TCP connection
+
+ A DNS TCP session can include multiple DNS envelopes. This is, for
+ example, commonly used by zone transfer. Using TSIG on such a
+ connection can protect the connection from hijacking and provide data
+ integrity. The TSIG MUST be included on the first and last DNS
+ envelopes. It can be optionally placed on any intermediary
+ envelopes. It is expensive to include it on every envelopes, but it
+ MUST be placed on at least every 100'th envelope. The first envelope
+ is processed as a standard answer, and subsequent messages have the
+ following digest components:
+
+ Prior Digest (running)
+ DNS Messages (any unsigned messages since the last TSIG)
+ TSIG Timers (current message)
+
+ This allows the client to rapidly detect when the session has been
+ altered; at which point it can close the connection and retry. If a
+ client TSIG verification fails, the client MUST close the connection.
+ If the client does not receive TSIG records frequently enough (as
+ specified above) it SHOULD assume the connection has been hijacked
+ and it SHOULD close the connection. The client SHOULD treat this the
+ same way as they would any other interrupted transfer (although the
+ exact behavior is not specified).
+
+ 4.5. Server TSIG checks
+
+ Upon receipt of a message, server will check if there is a TSIG RR.
+ If one exists, the server is REQUIRED to return a TSIG RR in the
+ response. The server MUST perform the following checks in the
+ following order, check KEY, check TIME values, check MAC.
+
+ 4.5.1. KEY check and error handling
+
+ If a non-forwarding server does not recognize the key used by the
+ client, the server MUST generate an error response with RCODE 9
+ (NOTAUTH) and TSIG ERROR 17 (BADKEY). This response MUST be unsigned
+ as specified in [4.3]. The server SHOULD log the error.
+
+ 4.5.2. TIME check and error handling
+
+ If the server time is outside the time interval specified by the
+ request (which is: Time Signed, plus/minus Fudge), the server MUST
+ generate an error response with RCODE 9 (NOTAUTH) and TSIG ERROR 18
+ (BADTIME). The server SHOULD also cache the most recent time signed
+ value in a message generated by a key, and SHOULD return BADTIME if a
+ message received later has an earlier time signed value. A response
+ indicating a BADTIME error MUST be signed by the same key as the
+
+
+
+Vixie, et al. Standards Track [Page 9]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ request. It MUST include the client's current time in the time
+ signed field, the server's current time (a u_int48_t) in the other
+ data field, and 6 in the other data length field. This is done so
+ that the client can verify a message with a BADTIME error without the
+ verification failing due to another BADTIME error. The data signed
+ is specified in [4.3]. The server SHOULD log the error.
+
+ 4.5.3. MAC check and error handling
+
+ If a TSIG fails to verify, the server MUST generate an error response
+ as specified in [4.3] with RCODE 9 (NOTAUTH) and TSIG ERROR 16
+ (BADSIG). This response MUST be unsigned as specified in [4.3]. The
+ server SHOULD log the error.
+
+ 4.6. Client processing of answer
+
+ When a client receives a response from a server and expects to see a
+ TSIG, it first checks if the TSIG RR is present in the response.
+ Otherwise, the response is treated as having a format error and
+ discarded. The client then extracts the TSIG, adjusts the ARCOUNT,
+ and calculates the keyed digest in the same way as the server. If
+ the TSIG does not validate, that response MUST be discarded, unless
+ the RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
+ verify the response as if it were a TSIG Error response, as specified
+ in [4.3]. A message containing an unsigned TSIG record or a TSIG
+ record which fails verification SHOULD not be considered an
+ acceptable response; the client SHOULD log an error and continue to
+ wait for a signed response until the request times out.
+
+ 4.6.1. Key error handling
+
+ If an RCODE on a response is 9 (NOTAUTH), and the response TSIG
+ validates, and the TSIG key is different from the key used on the
+ request, then this is a KEY error. The client MAY retry the request
+ using the key specified by the server. This should never occur, as a
+ server MUST NOT sign a response with a different key than signed the
+ request.
+
+ 4.6.2. Time error handling
+
+ If the response RCODE is 9 (NOTAUTH) and the TSIG ERROR is 18
+ (BADTIME), or the current time does not fall in the range specified
+ in the TSIG record, then this is a TIME error. This is an indication
+ that the client and server clocks are not synchronized. In this case
+ the client SHOULD log the event. DNS resolvers MUST NOT adjust any
+ clocks in the client based on BADTIME errors, but the server's time
+ in the other data field SHOULD be logged.
+
+
+
+
+Vixie, et al. Standards Track [Page 10]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ 4.6.3. MAC error handling
+
+ If the response RCODE is 9 (NOTAUTH) and TSIG ERROR is 16 (BADSIG),
+ this is a MAC error, and client MAY retry the request with a new
+ request ID but it would be better to try a different shared key if
+ one is available. Client SHOULD keep track of how many MAC errors
+ are associated with each key. Clients SHOULD log this event.
+
+ 4.7. Special considerations for forwarding servers
+
+ A server acting as a forwarding server of a DNS message SHOULD check
+ for the existence of a TSIG record. If the name on the TSIG is not
+ of a secret that the server shares with the originator the server
+ MUST forward the message unchanged including the TSIG. If the name
+ of the TSIG is of a key this server shares with the originator, it
+ MUST process the TSIG. If the TSIG passes all checks, the forwarding
+ server MUST, if possible, include a TSIG of his own, to the
+ destination or the next forwarder. If no transaction security is
+ available to the destination and the response has the AD flag (see
+ [RFC2535]), the forwarder MUST unset the AD flag before adding the
+ TSIG to the answer.
+
+5 - Shared Secrets
+
+ 5.1. Secret keys are very sensitive information and all available
+ steps should be taken to protect them on every host on which they are
+ stored. Generally such hosts need to be physically protected. If
+ they are multi-user machines, great care should be taken that
+ unprivileged users have no access to keying material. Resolvers
+ often run unprivileged, which means all users of a host would be able
+ to see whatever configuration data is used by the resolver.
+
+ 5.2. A name server usually runs privileged, which means its
+ configuration data need not be visible to all users of the host. For
+ this reason, a host that implements transaction-based authentication
+ should probably be configured with a "stub resolver" and a local
+ caching and forwarding name server. This presents a special problem
+ for [RFC2136] which otherwise depends on clients to communicate only
+ with a zone's authoritative name servers.
+
+ 5.3. Use of strong random shared secrets is essential to the security
+ of TSIG. See [RFC1750] for a discussion of this issue. The secret
+ should be at least as long as the keyed message digest, i.e. 16 bytes
+ for HMAC-MD5 or 20 bytes for HMAC-SHA1.
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 11]
+
+RFC 2845 DNS TSIG May 2000
+
+
+6 - Security Considerations
+
+ 6.1. The approach specified here is computationally much less
+ expensive than the signatures specified in [RFC2535]. As long as the
+ shared secret key is not compromised, strong authentication is
+ provided for the last hop from a local name server to the user
+ resolver.
+
+ 6.2. Secret keys should be changed periodically. If the client host
+ has been compromised, the server should suspend the use of all
+ secrets known to that client. If possible, secrets should be stored
+ in encrypted form. Secrets should never be transmitted in the clear
+ over any network. This document does not address the issue on how to
+ distribute secrets. Secrets should never be shared by more than two
+ entities.
+
+ 6.3. This mechanism does not authenticate source data, only its
+ transmission between two parties who share some secret. The original
+ source data can come from a compromised zone master or can be
+ corrupted during transit from an authentic zone master to some
+ "caching forwarder." However, if the server is faithfully performing
+ the full [RFC2535] security checks, then only security checked data
+ will be available to the client.
+
+ 6.4. A fudge value that is too large may leave the server open to
+ replay attacks. A fudge value that is too small may cause failures
+ if machines are not time synchronized or there are unexpected network
+ delays. The recommended value in most situation is 300 seconds.
+
+7 - IANA Considerations
+
+ IANA is expected to create and maintain a registry of algorithm names
+ to be used as "Algorithm Names" as defined in Section 2.3. The
+ initial value should be "HMAC-MD5.SIG-ALG.REG.INT". Algorithm names
+ are text strings encoded using the syntax of a domain name. There is
+ no structure required other than names for different algorithms must
+ be unique when compared as DNS names, i.e., comparison is case
+ insensitive. Note that the initial value mentioned above is not a
+ domain name, and therefore need not be a registered name within the
+ DNS. New algorithms are assigned using the IETF Consensus policy
+ defined in RFC 2434. The algorithm name HMAC-MD5.SIG-ALG.REG.INT
+ looks like a FQDN for historical reasons; future algorithm names are
+ expected to be simple (i.e., single-component) names.
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 12]
+
+RFC 2845 DNS TSIG May 2000
+
+
+ IANA is expected to create and maintain a registry of "TSIG Error
+ values" to be used for "Error" values as defined in section 2.3.
+ Initial values should be those defined in section 1.7. New TSIG
+ error codes for the TSIG error field are assigned using the IETF
+ Consensus policy defined in RFC 2434.
+
+8 - References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1034, November 1987.
+
+ [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+ April 1992.
+
+ [RFC1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
+ Recommendations for Security", RFC 1750, December 1995.
+
+ [RFC2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC-MD5:
+ Keyed-MD5 for Message Authentication", RFC 2104, February
+ 1997.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound "Dynamic
+ Updates in the Domain Name System", RFC 2136, April 1997.
+
+ [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
+ Update", RFC 2137, April 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2673] Crawford, M., "Binary Labels in the Domain Name System",
+ RFC 2673, August 1999.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 13]
+
+RFC 2845 DNS TSIG May 2000
+
+
+9 - Authors' Addresses
+
+ Paul Vixie
+ Internet Software Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 779 7001
+ EMail: vixie@isc.org
+
+
+ Olafur Gudmundsson
+ NAI Labs
+ 3060 Washington Road, Route 97
+ Glenwood, MD 21738
+
+ Phone: +1 443 259 2389
+ EMail: ogud@tislabs.com
+
+
+ Donald E. Eastlake 3rd
+ Motorola
+ 140 Forest Avenue
+ Hudson, MA 01749 USA
+
+ Phone: +1 508 261 5434
+ EMail: dee3@torque.pothole.com
+
+
+ Brian Wellington
+ Nominum, Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 779 6022
+ EMail: Brian.Wellington@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 14]
+
+RFC 2845 DNS TSIG May 2000
+
+
+10 Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Vixie, et al. Standards Track [Page 15]
+
diff --git a/contrib/bind9/doc/rfc/rfc2874.txt b/contrib/bind9/doc/rfc/rfc2874.txt
new file mode 100644
index 0000000..915c104
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2874.txt
@@ -0,0 +1,1123 @@
+
+
+
+
+
+
+Network Working Group M. Crawford
+Request for Comments: 2874 Fermilab
+Category: Standards Track C. Huitema
+ Microsoft Corporation
+ July 2000
+
+
+ DNS Extensions to Support IPv6 Address Aggregation and Renumbering
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document defines changes to the Domain Name System to support
+ renumberable and aggregatable IPv6 addressing. The changes include a
+ new resource record type to store an IPv6 address in a manner which
+ expedites network renumbering and updated definitions of existing
+ query types that return Internet addresses as part of additional
+ section processing.
+
+ For lookups keyed on IPv6 addresses (often called reverse lookups),
+ this document defines a new zone structure which allows a zone to be
+ used without modification for parallel copies of an address space (as
+ for a multihomed provider or site) and across network renumbering
+ events.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 1]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+Table of Contents
+
+ 1. Introduction ............................................... 2
+ 2. Overview ................................................... 3
+ 2.1. Name-to-Address Lookup ............................... 4
+ 2.2. Underlying Mechanisms for Reverse Lookups ............ 4
+ 2.2.1. Delegation on Arbitrary Boundaries ............. 4
+ 2.2.2. Reusable Zones ................................. 5
+ 3. Specifications ............................................. 5
+ 3.1. The A6 Record Type ................................... 5
+ 3.1.1. Format ......................................... 6
+ 3.1.2. Processing ..................................... 6
+ 3.1.3. Textual Representation ......................... 7
+ 3.1.4. Name Resolution Procedure ...................... 7
+ 3.2. Zone Structure for Reverse Lookups ................... 7
+ 4. Modifications to Existing Query Types ...................... 8
+ 5. Usage Illustrations ........................................ 8
+ 5.1. A6 Record Chains ..................................... 9
+ 5.1.1. Authoritative Data ............................. 9
+ 5.1.2. Glue ........................................... 10
+ 5.1.3. Variations ..................................... 12
+ 5.2. Reverse Mapping Zones ................................ 13
+ 5.2.1. The TLA level .................................. 13
+ 5.2.2. The ISP level .................................. 13
+ 5.2.3. The Site Level ................................. 13
+ 5.3. Lookups .............................................. 14
+ 5.4. Operational Note ..................................... 15
+ 6. Transition from RFC 1886 and Deployment Notes .............. 15
+ 6.1. Transition from AAAA and Coexistence with A Records .. 16
+ 6.2. Transition from Nibble Labels to Binary Labels ....... 17
+ 7. Security Considerations .................................... 17
+ 8. IANA Considerations ........................................ 17
+ 9. Acknowledgments ............................................ 18
+ 10. References ................................................ 18
+ 11. Authors' Addresses ........................................ 19
+ 12. Full Copyright Statement .................................. 20
+
+1. Introduction
+
+ Maintenance of address information in the DNS is one of several
+ obstacles which have prevented site and provider renumbering from
+ being feasible in IP version 4. Arguments about the importance of
+ network renumbering for the preservation of a stable routing system
+ and for other purposes may be read in [RENUM1, RENUM2, RENUM3]. To
+ support the storage of IPv6 addresses without impeding renumbering we
+ define the following extensions.
+
+
+
+
+
+Crawford, et al. Standards Track [Page 2]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ o A new resource record type, "A6", is defined to map a domain name
+ to an IPv6 address, with a provision for indirection for leading
+ "prefix" bits.
+
+ o Existing queries that perform additional section processing to
+ locate IPv4 addresses are redefined to do that processing for both
+ IPv4 and IPv6 addresses.
+
+ o A new domain, IP6.ARPA, is defined to support lookups based on
+ IPv6 address.
+
+ o A new prefix-delegation method is defined, relying on new DNS
+ features [BITLBL, DNAME].
+
+ The changes are designed to be compatible with existing application
+ programming interfaces. The existing support for IPv4 addresses is
+ retained. Transition issues related to the coexistence of both IPv4
+ and IPv6 addresses in DNS are discussed in [TRANS].
+
+ This memo proposes a replacement for the specification in RFC 1886
+ [AAAA] and a departure from current implementation practices. The
+ changes are designed to facilitate network renumbering and
+ multihoming. Domains employing the A6 record for IPv6 addresses can
+ insert automatically-generated AAAA records in zone files to ease
+ transition. It is expected that after a reasonable period, RFC 1886
+ will become Historic.
+
+ The next three major sections of this document are an overview of the
+ facilities defined or employed by this specification, the
+ specification itself, and examples of use.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [KWORD]. The key word
+ "SUGGESTED" signifies a strength between MAY and SHOULD: it is
+ believed that compliance with the suggestion has tangible benefits in
+ most instances.
+
+2. Overview
+
+ This section provides an overview of the DNS facilities for storage
+ of IPv6 addresses and for lookups based on IPv6 address, including
+ those defined here and elsewhere.
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 3]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+2.1. Name-to-Address Lookup
+
+ IPv6 addresses are stored in one or more A6 resource records. A
+ single A6 record may include a complete IPv6 address, or a contiguous
+ portion of an address and information leading to one or more
+ prefixes. Prefix information comprises a prefix length and a DNS
+ name which is in turn the owner of one or more A6 records defining
+ the prefix or prefixes which are needed to form one or more complete
+ IPv6 addresses. When the prefix length is zero, no DNS name is
+ present and all the leading bits of the address are significant.
+ There may be multiple levels of indirection and the existence of
+ multiple A6 records at any level multiplies the number of IPv6
+ addresses which are formed.
+
+ An application looking up an IPv6 address will generally cause the
+ DNS resolver to access several A6 records, and multiple IPv6
+ addresses may be returned even if the queried name was the owner of
+ only one A6 record. The authenticity of the returned address(es)
+ cannot be directly verified by DNS Security [DNSSEC]. The A6 records
+ which contributed to the address(es) may of course be verified if
+ signed.
+
+ Implementers are reminded of the necessity to limit the amount of
+ work a resolver will perform in response to a client request. This
+ principle MUST be extended to also limit the generation of DNS
+ requests in response to one name-to-address (or address-to-name)
+ lookup request.
+
+2.2. Underlying Mechanisms for Reverse Lookups
+
+ This section describes the new DNS features which this document
+ exploits. This section is an overview, not a specification of those
+ features. The reader is directed to the referenced documents for
+ more details on each.
+
+2.2.1. Delegation on Arbitrary Boundaries
+
+ This new scheme for reverse lookups relies on a new type of DNS label
+ called the "bit-string label" [BITLBL]. This label compactly
+ represents an arbitrary string of bits which is treated as a
+ hierarchical sequence of one-bit domain labels. Resource records can
+ thereby be stored at arbitrary bit-boundaries.
+
+ Examples in section 5 will employ the following textual
+ representation for bit-string labels, which is a subset of the syntax
+ defined in [BITLBL]. A base indicator "x" for hexadecimal and a
+ sequence of hexadecimal digits is enclosed between "\[" and "]". The
+ bits denoted by the digits represent a sequence of one-bit domain
+
+
+
+Crawford, et al. Standards Track [Page 4]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ labels ordered from most to least significant. (This is the opposite
+ of the order they would appear if listed one bit at a time, but it
+ appears to be a convenient notation.) The digit string may be
+ followed by a slash ("/") and a decimal count. If omitted, the
+ implicit count is equal to four times the number of hexadecimal
+ digits.
+
+ Consecutive bit-string labels are equivalent (up to the limit imposed
+ by the size of the bit count field) to a single bit-string label
+ containing all the bits of the consecutive labels in the proper
+ order. As an example, either of the following domain names could be
+ used in a QCLASS=IN, QTYPE=PTR query to find the name of the node
+ with IPv6 address 3ffe:7c0:40:9:a00:20ff:fe81:2b32.
+
+ \[x3FFE07C0004000090A0020FFFE812B32/128].IP6.ARPA.
+
+ \[x0A0020FFFE812B32/64].\[x0009/16].\[x3FFE07C00040/48].IP6.ARPA.
+
+2.2.2. Reusable Zones
+
+ DNS address space delegation is implemented not by zone cuts and NS
+ records, but by a new analogue to the CNAME record, called the DNAME
+ resource record [DNAME]. The DNAME record provides alternate naming
+ to an entire subtree of the domain name space, rather than to a
+ single node. It causes some suffix of a queried name to be
+ substituted with a name from the DNAME record's RDATA.
+
+ For example, a resolver or server providing recursion, while looking
+ up a QNAME a.b.c.d.e.f may encounter a DNAME record
+
+ d.e.f. DNAME w.xy.
+
+ which will cause it to look for a.b.c.w.xy.
+
+3. Specifications
+
+3.1. The A6 Record Type
+
+ The A6 record type is specific to the IN (Internet) class and has
+ type number 38 (decimal).
+
+
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 5]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+3.1.1. Format
+
+ The RDATA portion of the A6 record contains two or three fields.
+
+ +-----------+------------------+-------------------+
+ |Prefix len.| Address suffix | Prefix name |
+ | (1 octet) | (0..16 octets) | (0..255 octets) |
+ +-----------+------------------+-------------------+
+
+ o A prefix length, encoded as an eight-bit unsigned integer with
+ value between 0 and 128 inclusive.
+
+ o An IPv6 address suffix, encoded in network order (high-order octet
+ first). There MUST be exactly enough octets in this field to
+ contain a number of bits equal to 128 minus prefix length, with 0
+ to 7 leading pad bits to make this field an integral number of
+ octets. Pad bits, if present, MUST be set to zero when loading a
+ zone file and ignored (other than for SIG [DNSSEC] verification)
+ on reception.
+
+ o The name of the prefix, encoded as a domain name. By the rules of
+ [DNSIS], this name MUST NOT be compressed.
+
+ The domain name component SHALL NOT be present if the prefix length
+ is zero. The address suffix component SHALL NOT be present if the
+ prefix length is 128.
+
+ It is SUGGESTED that an A6 record intended for use as a prefix for
+ other A6 records have all the insignificant trailing bits in its
+ address suffix field set to zero.
+
+3.1.2. Processing
+
+ A query with QTYPE=A6 causes type A6 and type NS additional section
+ processing for the prefix names, if any, in the RDATA field of the A6
+ records in the answer section. This processing SHOULD be recursively
+ applied to the prefix names of A6 records included as additional
+ data. When space in the reply packet is a limit, inclusion of
+ additional A6 records takes priority over NS records.
+
+ It is an error for an A6 record with prefix length L1 > 0 to refer to
+ a domain name which owns an A6 record with a prefix length L2 > L1.
+ If such a situation is encountered by a resolver, the A6 record with
+ the offending (larger) prefix length MUST be ignored. Robustness
+ precludes signaling an error if addresses can still be formed from
+ valid A6 records, but it is SUGGESTED that zone maintainers from time
+ to time check all the A6 records their zones reference.
+
+
+
+
+Crawford, et al. Standards Track [Page 6]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+3.1.3. Textual Representation
+
+ The textual representation of the RDATA portion of the A6 resource
+ record in a zone file comprises two or three fields separated by
+ whitespace.
+
+ o A prefix length, represented as a decimal number between 0 and 128
+ inclusive,
+
+ o the textual representation of an IPv6 address as defined in
+ [AARCH] (although some leading and/or trailing bits may not be
+ significant),
+
+ o a domain name, if the prefix length is not zero.
+
+ The domain name MUST be absent if the prefix length is zero. The
+ IPv6 address MAY be be absent if the prefix length is 128. A number
+ of leading address bits equal to the prefix length SHOULD be zero,
+ either implicitly (through the :: notation) or explicitly, as
+ specified in section 3.1.1.
+
+3.1.4. Name Resolution Procedure
+
+ To obtain the IPv6 address or addresses which belong to a given name,
+ a DNS client MUST obtain one or more complete chains of A6 records,
+ each chain beginning with a record owned by the given name and
+ including a record owned by the prefix name in that record, and so on
+ recursively, ending with an A6 record with a prefix length of zero.
+ One IPv6 address is formed from one such chain by taking the value of
+ each bit position from the earliest A6 record in the chain which
+ validly covers that position, as indicated by the prefix length. The
+ set of all IPv6 addresses for the given name comprises the addresses
+ formed from all complete chains of A6 records beginning at that name,
+ discarding records which have invalid prefix lengths as defined in
+ section 3.1.2.
+
+ If some A6 queries fail and others succeed, a client might obtain a
+ non-empty but incomplete set of IPv6 addresses for a host. In many
+ situations this may be acceptable. The completeness of a set of A6
+ records may always be determined by inspection.
+
+3.2. Zone Structure for Reverse Lookups
+
+ Very little of the new scheme's data actually appears under IP6.ARPA;
+ only the first level of delegation needs to be under that domain.
+ More levels of delegation could be placed under IP6.ARPA if some
+ top-level delegations were done via NS records instead of DNAME
+ records, but this would incur some cost in renumbering ease at the
+
+
+
+Crawford, et al. Standards Track [Page 7]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ level of TLAs [AGGR]. Therefore, it is declared here that all
+ address space delegations SHOULD be done by the DNAME mechanism
+ rather than NS.
+
+ In addition, since uniformity in deployment will simplify maintenance
+ of address delegations, it is SUGGESTED that address and prefix
+ information be stored immediately below a DNS label "IP6". Stated
+ another way, conformance with this suggestion would mean that "IP6"
+ is the first label in the RDATA field of DNAME records which support
+ IPv6 reverse lookups.
+
+ When any "reserved" or "must be zero" bits are adjacent to a
+ delegation boundary, the higher-level entity MUST retain those bits
+ in its own control and delegate only the bits over which the lower-
+ level entity has authority.
+
+ To find the name of a node given its IPv6 address, a DNS client MUST
+ perform a query with QCLASS=IN, QTYPE=PTR on the name formed from the
+ 128 bit address as one or more bit-string labels [BITLBL], followed
+ by the two standard labels "IP6.ARPA". If recursive service was not
+ obtained from a server and the desired PTR record was not returned,
+ the resolver MUST handle returned DNAME records as specified in
+ [DNAME], and NS records as specified in [DNSCF], and iterate.
+
+4. Modifications to Existing Query Types
+
+ All existing query types that perform type A additional section
+ processing, i.e. the name server (NS), mail exchange (MX), and
+ mailbox (MB) query types, and the experimental AFS data base (AFSDB)
+ and route through (RT) types, must be redefined to perform type A, A6
+ and AAAA additional section processing, with type A having the
+ highest priority for inclusion and type AAAA the lowest. This
+ redefinition means that a name server may add any relevant IPv4 and
+ IPv6 address information available locally to the additional section
+ of a response when processing any one of the above queries. The
+ recursive inclusion of A6 records referenced by A6 records already
+ included in the additional section is OPTIONAL.
+
+5. Usage Illustrations
+
+ This section provides examples of use of the mechanisms defined in
+ the previous section. All addresses and domains mentioned here are
+ intended to be fictitious and for illustrative purposes only.
+ Example delegations will be on 4-bit boundaries solely for
+ readability; this specification is indifferent to bit alignment.
+
+ Use of the IPv6 aggregatable address format [AGGR] is assumed in the
+ examples.
+
+
+
+Crawford, et al. Standards Track [Page 8]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+5.1. A6 Record Chains
+
+ Let's take the example of a site X that is multi-homed to two
+ "intermediate" providers A and B. The provider A is itself multi-
+ homed to two "transit" providers, C and D. The provider B gets its
+ transit service from a single provider, E. For simplicity suppose
+ that C, D and E all belong to the same top-level aggregate (TLA) with
+ identifier (including format prefix) '2345', and the TLA authority at
+ ALPHA-TLA.ORG assigns to C, D and E respectively the next level
+ aggregate (NLA) prefixes 2345:00C0::/28, 2345:00D0::/28 and
+ 2345:000E::/32.
+
+ C assigns the NLA prefix 2345:00C1:CA00::/40 to A, D assigns the
+ prefix 2345:00D2:DA00::/40 to A and E assigns 2345:000E:EB00::/40 to
+ B.
+
+ A assigns to X the subscriber identification '11' and B assigns the
+ subscriber identification '22'. As a result, the site X inherits
+ three address prefixes:
+
+ o 2345:00C1:CA11::/48 from A, for routes through C.
+ o 2345:00D2:DA11::/48 from A, for routes through D.
+ o 2345:000E:EB22::/48 from B, for routes through E.
+
+ Let us suppose that N is a node in the site X, that it is assigned to
+ subnet number 1 in this site, and that it uses the interface
+ identifier '1234:5678:9ABC:DEF0'. In our configuration, this node
+ will have three addresses:
+
+ o 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0
+ o 2345:00D2:DA11:0001:1234:5678:9ABC:DEF0
+ o 2345:000E:EB22:0001:1234:5678:9ABC:DEF0
+
+5.1.1. Authoritative Data
+
+ We will assume that the site X is represented in the DNS by the
+ domain name X.EXAMPLE, while A, B, C, D and E are represented by
+ A.NET, B.NET, C.NET, D.NET and E.NET. In each of these domains, we
+ assume a subdomain "IP6" that will hold the corresponding prefixes.
+ The node N is identified by the domain name N.X.EXAMPLE. The
+ following records would then appear in X's DNS.
+
+ $ORIGIN X.EXAMPLE.
+ N A6 64 ::1234:5678:9ABC:DEF0 SUBNET-1.IP6
+ SUBNET-1.IP6 A6 48 0:0:0:1:: IP6
+ IP6 A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
+ IP6 A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
+
+
+
+
+Crawford, et al. Standards Track [Page 9]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ And elsewhere there would appear
+
+ SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.C.NET.
+ SUBSCRIBER-X.IP6.A.NET. A6 40 0:0:0011:: A.NET.IP6.D.NET.
+
+ SUBSCRIBER-X.IP6.B.NET. A6 40 0:0:0022:: B-NET.IP6.E.NET.
+
+ A.NET.IP6.C.NET. A6 28 0:0001:CA00:: C.NET.ALPHA-TLA.ORG.
+
+ A.NET.IP6.D.NET. A6 28 0:0002:DA00:: D.NET.ALPHA-TLA.ORG.
+
+ B-NET.IP6.E.NET. A6 32 0:0:EB00:: E.NET.ALPHA-TLA.ORG.
+
+ C.NET.ALPHA-TLA.ORG. A6 0 2345:00C0::
+ D.NET.ALPHA-TLA.ORG. A6 0 2345:00D0::
+ E.NET.ALPHA-TLA.ORG. A6 0 2345:000E::
+
+5.1.2. Glue
+
+ When, as is common, some or all DNS servers for X.EXAMPLE are within
+ the X.EXAMPLE zone itself, the top-level zone EXAMPLE must carry
+ enough "glue" information to enable DNS clients to reach those
+ nameservers. This is true in IPv6 just as in IPv4. However, the A6
+ record affords the DNS administrator some choices. The glue could be
+ any of
+
+ o a minimal set of A6 records duplicated from the X.EXAMPLE zone,
+
+ o a (possibly smaller) set of records which collapse the structure
+ of that minimal set,
+
+ o or a set of A6 records with prefix length zero, giving the entire
+ global addresses of the servers.
+
+ The trade-off is ease of maintenance against robustness. The best
+ and worst of both may be had together by implementing either the
+ first or second option together with the third. To illustrate the
+ glue options, suppose that X.EXAMPLE is served by two nameservers
+ NS1.X.EXAMPLE and NS2.X.EXAMPLE, having interface identifiers
+ ::1:11:111:1111 and ::2:22:222:2222 on subnets 1 and 2 respectively.
+ Then the top-level zone EXAMPLE would include one (or more) of the
+ following sets of A6 records as glue.
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 10]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ $ORIGIN EXAMPLE. ; first option
+ X NS NS1.X
+ NS NS2.X
+ NS1.X A6 64 ::1:11:111:1111 SUBNET-1.IP6.X
+ NS2.X A6 64 ::2:22:222:2222 SUBNET-2.IP6.X
+ SUBNET-1.IP6.X A6 48 0:0:0:1:: IP6.X
+ SUBNET-2.IP6.X A6 48 0:0:0:2:: IP6.X
+ IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.A.NET.
+ IP6.X A6 48 0::0 SUBSCRIBER-X.IP6.B.NET.
+
+
+ $ORIGIN EXAMPLE. ; second option
+ X NS NS1.X
+ NS NS2.X
+ NS1.X A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.A.NET.
+ A6 48 ::1:1:11:111:1111 SUBSCRIBER-X.IP6.B.NET.
+ NS2.X A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.A.NET.
+ A6 48 ::2:2:22:222:2222 SUBSCRIBER-X.IP6.B.NET.
+
+
+ $ORIGIN EXAMPLE. ; third option
+ X NS NS1.X
+ NS NS2.X
+ NS1.X A6 0 2345:00C1:CA11:1:1:11:111:1111
+ A6 0 2345:00D2:DA11:1:1:11:111:1111
+ A6 0 2345:000E:EB22:1:1:11:111:1111
+ NS2.X A6 0 2345:00C1:CA11:2:2:22:222:2222
+ A6 0 2345:00D2:DA11:2:2:22:222:2222
+ A6 0 2345:000E:EB22:2:2:22:222:2222
+
+ The first and second glue options are robust against renumbering of
+ X.EXAMPLE's prefixes by providers A.NET and B.NET, but will fail if
+ those providers' own DNS is unreachable. The glue records of the
+ third option are robust against DNS failures elsewhere than the zones
+ EXAMPLE and X.EXAMPLE themselves, but must be updated when X's
+ address space is renumbered.
+
+ If the EXAMPLE zone includes redundant glue, for instance the union
+ of the A6 records of the first and third options, then under normal
+ circumstances duplicate IPv6 addresses will be derived by DNS
+ clients. But if provider DNS fails, addresses will still be obtained
+ from the zero-prefix-length records, while if the EXAMPLE zone lags
+ behind a renumbering of X.EXAMPLE, half of the addresses obtained by
+ DNS clients will still be up-to-date.
+
+ The zero-prefix-length glue records can of course be automatically
+ generated and/or checked in practice.
+
+
+
+
+Crawford, et al. Standards Track [Page 11]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+5.1.3. Variations
+
+ Several more-or-less arbitrary assumptions are reflected in the above
+ structure. All of the following choices could have been made
+ differently, according to someone's notion of convenience or an
+ agreement between two parties.
+
+ First, that site X has chosen to put subnet information in a
+ separate A6 record rather than incorporate it into each node's A6
+ records.
+
+ Second, that site X is referred to as "SUBSCRIBER-X" by both of
+ its providers A and B.
+
+ Third, that site X chose to indirect its provider information
+ through A6 records at IP6.X.EXAMPLE containing no significant
+ bits. An alternative would have been to replicate each subnet
+ record for each provider.
+
+ Fourth, B and E used a slightly different prefix naming convention
+ between themselves than did A, C and D. Each hierarchical pair of
+ network entities must arrange this naming between themselves.
+
+ Fifth, that the upward prefix referral chain topped out at ALPHA-
+ TLA.ORG. There could have been another level which assigned the
+ TLA values and holds A6 records containing those bits.
+
+ Finally, the above structure reflects an assumption that address
+ fields assigned by a given entity are recorded only in A6 records
+ held by that entity. Those bits could be entered into A6 records in
+ the lower-level entity's zone instead, thus:
+
+ IP6.X.EXAMPLE. A6 40 0:0:11:: IP6.A.NET.
+ IP6.X.EXAMPLE. A6 40 0:0:22:: IP6.B.NET.
+
+ IP6.A.NET. A6 28 0:1:CA00:: IP6.C.NET.
+ and so on.
+
+ Or the higher-level entities could hold both sorts of A6 records
+ (with different DNS owner names) and allow the lower-level entities
+ to choose either mode of A6 chaining. But the general principle of
+ avoiding data duplication suggests that the proper place to store
+ assigned values is with the entity that assigned them.
+
+ It is possible, but not necessarily recommended, for a zone
+ maintainer to forego the renumbering support afforded by the chaining
+ of A6 records and to record entire IPv6 addresses within one zone
+ file.
+
+
+
+Crawford, et al. Standards Track [Page 12]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+5.2. Reverse Mapping Zones
+
+ Supposing that address space assignments in the TLAs with Format
+ Prefix (001) binary and IDs 0345, 0678 and 09AB were maintained in
+ zones called ALPHA-TLA.ORG, BRAVO-TLA.ORG and CHARLIE-TLA.XY, then
+ the IP6.ARPA zone would include
+
+ $ORIGIN IP6.ARPA.
+ \[x234500/24] DNAME IP6.ALPHA-TLA.ORG.
+ \[x267800/24] DNAME IP6.BRAVO-TLA.ORG.
+ \[x29AB00/24] DNAME IP6.CHARLIE-TLA.XY.
+
+ Eight trailing zero bits have been included in each TLA ID to reflect
+ the eight reserved bits in the current aggregatable global unicast
+ addresses format [AGGR].
+
+5.2.1. The TLA level
+
+ ALPHA-TLA's assignments to network providers C, D and E are reflected
+ in the reverse data as follows.
+
+ \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
+ \[xD/4].IP6.ALPHA-TLA.ORG. DNAME IP6.D.NET.
+ \[x0E/8].IP6.ALPHA-TLA.ORG. DNAME IP6.E.NET.
+
+5.2.2. The ISP level
+
+ The providers A through E carry the following delegation information
+ in their zone files.
+
+ \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
+ \[x2DA/12].IP6.D.NET. DNAME IP6.A.NET.
+ \[xEB/8].IP6.E.NET. DNAME IP6.B.NET.
+ \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
+ \[x22/8].IP6.B.NET. DNAME IP6.X.EXAMPLE.
+
+ Note that some domain names appear in the RDATA of more than one
+ DNAME record. In those cases, one zone is being used to map multiple
+ prefixes.
+
+5.2.3. The Site Level
+
+ Consider the customer X.EXAMPLE using IP6.X.EXAMPLE for address-to-
+ name translations. This domain is now referenced by two different
+ DNAME records held by two different providers.
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 13]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ $ORIGIN IP6.X.EXAMPLE.
+ \[x0001/16] DNAME SUBNET-1
+ \[x123456789ABCDEF0].SUBNET-1 PTR N.X.EXAMPLE.
+ and so on.
+
+ SUBNET-1 need not have been named in a DNAME record; the subnet bits
+ could have been joined with the interface identifier. But if subnets
+ are treated alike in both the A6 records and in the reverse zone, it
+ will always be possible to keep the forward and reverse definition
+ data for each prefix in one zone.
+
+5.3. Lookups
+
+ A DNS resolver looking for a hostname for the address
+ 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 would acquire certain of the
+ DNAME records shown above and would form new queries. Assuming that
+ it began the process knowing servers for IP6.ARPA, but that no server
+ it consulted provided recursion and none had other useful additional
+ information cached, the sequence of queried names and responses would
+ be (all with QCLASS=IN, QTYPE=PTR):
+
+ To a server for IP6.ARPA:
+ QNAME=\[x234500C1CA110001123456789ABCDEF0/128].IP6.ARPA.
+
+ Answer:
+ \[x234500/24].IP6.ARPA. DNAME IP6.ALPHA-TLA.ORG.
+
+ To a server for IP6.ALPHA-TLA.ORG:
+ QNAME=\[xC1CA110001123456789ABCDEF0/104].IP6.ALPHA-TLA.ORG.
+
+ Answer:
+ \[xC/4].IP6.ALPHA-TLA.ORG. DNAME IP6.C.NET.
+
+ To a server for IP6.C.NET.:
+ QNAME=\[x1CA110001123456789ABCDEF0/100].IP6.C.NET.
+
+ Answer:
+ \[x1CA/12].IP6.C.NET. DNAME IP6.A.NET.
+
+ To a server for IP6.A.NET.:
+ QNAME=\[x110001123456789ABCDEF0/88].IP6.A.NET.
+
+ Answer:
+ \[x11/8].IP6.A.NET. DNAME IP6.X.EXAMPLE.
+
+ To a server for IP6.X.EXAMPLE.:
+ QNAME=\[x0001123456789ABCDEF0/80].IP6.X.EXAMPLE.
+
+
+
+
+Crawford, et al. Standards Track [Page 14]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ Answer:
+ \[x0001/16].IP6.X.EXAMPLE. DNAME SUBNET-1.IP6.X.EXAMPLE.
+ \[x123456789ABCDEF0/64].SUBNET-1.X.EXAMPLE. PTR N.X.EXAMPLE.
+
+ All the DNAME (and NS) records acquired along the way can be cached
+ to expedite resolution of addresses topologically near to this
+ address. And if another global address of N.X.EXAMPLE were resolved
+ within the TTL of the final PTR record, that record would not have to
+ be fetched again.
+
+5.4. Operational Note
+
+ In the illustrations in section 5.1, hierarchically adjacent
+ entities, such as a network provider and a customer, must agree on a
+ DNS name which will own the definition of the delegated prefix(es).
+ One simple convention would be to use a bit-string label representing
+ exactly the bits which are assigned to the lower-level entity by the
+ higher. For example, "SUBSCRIBER-X" could be replaced by "\[x11/8]".
+ This would place the A6 record(s) defining the delegated prefix at
+ exactly the same point in the DNS tree as the DNAME record associated
+ with that delegation. The cost of this simplification is that the
+ lower-level zone must update its upward-pointing A6 records when it
+ is renumbered. This cost may be found quite acceptable in practice.
+
+6. Transition from RFC 1886 and Deployment Notes
+
+ When prefixes have been "delegated upward" with A6 records, the
+ number of DNS resource records required to establish a single IPv6
+ address increases by some non-trivial factor. Those records will
+ typically, but not necessarily, come from different DNS zones (which
+ can independently suffer failures for all the usual reasons). When
+ obtaining multiple IPv6 addresses together, this increase in RR count
+ will be proportionally less -- and the total size of a DNS reply
+ might even decrease -- if the addresses are topologically clustered.
+ But the records could still easily exceed the space available in a
+ UDP response which returns a large RRset [DNSCLAR] to an MX, NS, or
+ SRV query, for example. The possibilities for overall degradation of
+ performance and reliability of DNS lookups are numerous, and increase
+ with the number of prefix delegations involved, especially when those
+ delegations point to records in other zones.
+
+ DNS Security [DNSSEC] addresses the trustworthiness of cached data,
+ which is a problem intrinsic to DNS, but the cost of applying this to
+ an IPv6 address is multiplied by a factor which may be greater than
+ the number of prefix delegations involved if different signature
+ chains must be verified for different A6 records. If a trusted
+ centralized caching server (as in [TSIG], for example) is used, this
+ cost might be amortized to acceptable levels. One new phenomenon is
+
+
+
+Crawford, et al. Standards Track [Page 15]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ the possibility that IPv6 addresses may be formed from a A6 records
+ from a combination of secure and unsecured zones.
+
+ Until more deployment experience is gained with the A6 record, it is
+ recommended that prefix delegations be limited to one or two levels.
+ A reasonable phasing-in mechanism would be to start with no prefix
+ delegations (all A6 records having prefix length 0) and then to move
+ to the use of a single level of delegation within a single zone. (If
+ the TTL of the "prefix" A6 records is kept to an appropriate duration
+ the capability for rapid renumbering is not lost.) More aggressively
+ flexible delegation could be introduced for a subset of hosts for
+ experimentation.
+
+6.1. Transition from AAAA and Coexistence with A Records
+
+ Administrators of zones which contain A6 records can easily
+ accommodate deployed resolvers which understand AAAA records but not
+ A6 records. Such administrators can do automatic generation of AAAA
+ records for all of a zone's names which own A6 records by a process
+ which mimics the resolution of a hostname to an IPv6 address (see
+ section 3.1.4). Attention must be paid to the TTL assigned to a
+ generated AAAA record, which MUST be no more than the minimum of the
+ TTLs of the A6 records that were used to form the IPv6 address in
+ that record. For full robustness, those A6 records which were in
+ different zones should be monitored for changes (in TTL or RDATA)
+ even when there are no changes to zone for which AAAA records are
+ being generated. If the zone is secure [DNSSEC], the generated AAAA
+ records MUST be signed along with the rest of the zone data.
+
+ A zone-specific heuristic MAY be used to avoid generation of AAAA
+ records for A6 records which record prefixes, although such
+ superfluous records would be relatively few in number and harmless.
+ Examples of such heuristics include omitting A6 records with a prefix
+ length less than the largest value found in the zone file, or records
+ with an address suffix field with a certain number of trailing zero
+ bits.
+
+ On the client side, when looking up and IPv6 address, the order of A6
+ and AAAA queries MAY be configurable to be one of: A6, then AAAA;
+ AAAA, then A6; A6 only; or both in parallel. The default order (or
+ only order, if not configurable) MUST be to try A6 first, then AAAA.
+ If and when the AAAA becomes deprecated a new document will change
+ the default.
+
+ The guidelines and options for precedence between IPv4 and IPv6
+ addresses are specified in [TRANS]. All mentions of AAAA records in
+ that document are henceforth to be interpreted as meaning A6 and/or
+ AAAA records in the order specified in the previous paragraph.
+
+
+
+Crawford, et al. Standards Track [Page 16]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+6.2. Transition from Nibble Labels to Binary Labels
+
+ Implementations conforming to RFC 1886 [AAAA] perform reverse lookups
+ as follows:
+
+ An IPv6 address is represented as a name in the IP6.INT domain by
+ a sequence of nibbles separated by dots with the suffix
+ ".IP6.INT". The sequence of nibbles is encoded in reverse order,
+ i.e. the low-order nibble is encoded first, followed by the next
+ low-order nibble and so on. Each nibble is represented by a
+ hexadecimal digit. For example, a name for the address
+ 2345:00C1:CA11:0001:1234:5678:9ABC:DEF0 of the example in section
+ 5.3 would be sought at the DNS name "0.f.e.d.c.b.a.9.-
+ 8.7.6.5.4.3.2.1.1.0.0.0.1.1.a.c.1.c.0.0.5.4.3.2.ip6.int."
+
+ Implementations conforming to this specification will perform a
+ lookup of a binary label in IP6.ARPA as specified in Section 3.2. It
+ is RECOMMENDED that for a transition period implementations first
+ lookup the binary label in IP6.ARPA and if this fails try to lookup
+ the 'nibble' label in IP6.INT.
+
+7. Security Considerations
+
+ The signing authority [DNSSEC] for the A6 records which determine an
+ IPv6 address is distributed among several entities, reflecting the
+ delegation path of the address space which that address occupies.
+ DNS Security is fully applicable to bit-string labels and DNAME
+ records. And just as in IPv4, verification of name-to-address
+ mappings is logically independent of verification of address-to-name
+ mappings.
+
+ With or without DNSSEC, the incomplete but non-empty address set
+ scenario of section 3.1.4 could be caused by selective interference
+ with DNS lookups. If in some situation this would be more harmful
+ than complete DNS failure, it might be mitigated on the client side
+ by refusing to act on an incomplete set, or on the server side by
+ listing all addresses in A6 records with prefix length 0.
+
+8. IANA Considerations
+
+ The A6 resource record has been assigned a Type value of 38.
+
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 17]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+9. Acknowledgments
+
+ The authors would like to thank the following persons for valuable
+ discussions and reviews: Mark Andrews, Rob Austein, Jim Bound, Randy
+ Bush, Brian Carpenter, David Conrad, Steve Deering, Francis Dupont,
+ Robert Elz, Bob Fink, Olafur Gudmundsson, Bob Halley, Bob Hinden,
+ Edward Lewis, Bill Manning, Keith Moore, Thomas Narten, Erik
+ Nordmark, Mike O'Dell, Michael Patton and Ken Powell.
+
+10. References
+
+ [AAAA] Thomson, S. and C. Huitema, "DNS Extensions to support IP
+ version 6, RFC 1886, December 1995.
+
+ [AARCH] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [AGGR] Hinden, R., O'Dell, M. and S. Deering, "An IPv6
+ Aggregatable Global Unicast Address Format", RFC 2374, July
+ 1998.
+
+ [BITLBL] Crawford, M., "Binary Labels in the Domain Name System",
+ RFC 2673, August 1999.
+
+ [DNAME] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
+ 2672, August 1999.
+
+ [DNSCLAR] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [DNSIS] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [DNSSEC] Eastlake, D. 3rd and C. Kaufman, "Domain Name System
+ Security Extensions", RFC 2535, March 1999.
+
+ [KWORD] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RENUM1] Carpenter, B. and Y. Rekhter, "Renumbering Needs Work", RFC
+ 1900, February 1996.
+
+ [RENUM2] Ferguson, P. and H. Berkowitz, "Network Renumbering
+ Overview: Why would I want it and what is it anyway?", RFC
+ 2071, January 1997.
+
+ [RENUM3] Carpenter, B., Crowcroft, J. and Y. Rekhter, "IPv4 Address
+ Behaviour Today", RFC 2101, February 1997.
+
+
+
+Crawford, et al. Standards Track [Page 18]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+ [TRANS] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
+ IPv6 Hosts and Routers", RFC 1933, April 1996.
+
+ [TSIG] Vixie, P., Gudmundsson, O., Eastlake, D. 3rd and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+11. Authors' Addresses
+
+ Matt Crawford
+ Fermilab
+ MS 368
+ PO Box 500
+ Batavia, IL 60510
+ USA
+
+ Phone: +1 630 840-3461
+ EMail: crawdad@fnal.gov
+
+
+ Christian Huitema
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052-6399
+
+ EMail: huitema@microsoft.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 19]
+
+RFC 2874 IPv6 DNS July 2000
+
+
+12. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Crawford, et al. Standards Track [Page 20]
+
diff --git a/contrib/bind9/doc/rfc/rfc2915.txt b/contrib/bind9/doc/rfc/rfc2915.txt
new file mode 100644
index 0000000..2022ba1
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2915.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Network Working Group M. Mealling
+Request for Comments: 2915 Network Solutions, Inc.
+Updates: 2168 R. Daniel
+Category: Standards Track DATAFUSION, Inc.
+ September 2000
+
+
+ The Naming Authority Pointer (NAPTR) DNS Resource Record
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document describes a Domain Name System (DNS) resource record
+ which specifies a regular expression based rewrite rule that, when
+ applied to an existing string, will produce a new domain label or
+ Uniform Resource Identifier (URI). Depending on the value of the
+ flags field of the resource record, the resulting domain label or URI
+ may be used in subsequent queries for the Naming Authority Pointer
+ (NAPTR) resource records (to delegate the name lookup) or as the
+ output of the entire process for which this system is used (a
+ resolution server for URI resolution, a service URI for ENUM style
+ e.164 number to URI mapping, etc).
+
+ This allows the DNS to be used to lookup services for a wide variety
+ of resource names (including URIs) which are not in domain name
+ syntax. Reasons for doing this range from URN Resource Discovery
+ Systems to moving out-of-date services to new domains.
+
+ This document updates the portions of RFC 2168 specifically dealing
+ with the definition of the NAPTR records and how other, non-URI
+ specific applications, might use NAPTR.
+
+
+
+
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 1]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. NAPTR RR Format . . . . . . . . . . . . . . . . . . . . . . 3
+ 3. Substitution Expression Grammar . . . . . . . . . . . . . . 7
+ 4. The Basic NAPTR Algorithm . . . . . . . . . . . . . . . . . 8
+ 5. Concerning How NAPTR Uses SRV Records . . . . . . . . . . . 9
+ 6. Application Specifications . . . . . . . . . . . . . . . . . 10
+ 7. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 7.1 Example 1 . . . . . . . . . . . . . . . . . . . . . . . . . 10
+ 7.2 Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . 12
+ 7.3 Example 3 . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 8. DNS Packet Format . . . . . . . . . . . . . . . . . . . . . 13
+ 9. Master File Format . . . . . . . . . . . . . . . . . . . . . 14
+ 10. Advice for DNS Administrators . . . . . . . . . . . . . . . 14
+ 11. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
+ 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . 15
+ 13. Security Considerations . . . . . . . . . . . . . . . . . . 15
+ 14. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 16
+ References . . . . . . . . . . . . . . . . . . . . . . . . . 16
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 17
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . 18
+
+1. Introduction
+
+ This RR was originally produced by the URN Working Group [3] as a way
+ to encode rule-sets in DNS so that the delegated sections of a URI
+ could be decomposed in such a way that they could be changed and re-
+ delegated over time. The result was a Resource Record that included
+ a regular expression that would be used by a client program to
+ rewrite a string into a domain name. Regular expressions were chosen
+ for their compactness to expressivity ratio allowing for a great deal
+ of information to be encoded in a rather small DNS packet.
+
+ The function of rewriting a string according to the rules in a record
+ has usefulness in several different applications. This document
+ defines the basic assumptions to which all of those applications must
+ adhere to. It does not define the reasons the rewrite is used, what
+ the expected outcomes are, or what they are used for. Those are
+ specified by applications that define how they use the NAPTR record
+ and algorithms within their contexts.
+
+ Flags and other fields are also specified in the RR to control the
+ rewrite procedure in various ways or to provide information on how to
+ communicate with the host at the domain name that was the result of
+ the rewrite.
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 2]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ The final result is a RR that has several fields that interact in a
+ non-trivial but implementable way. This document specifies those
+ fields and their values.
+
+ This document does not define applications that utilizes this rewrite
+ functionality. Instead it specifies just the mechanics of how it is
+ done. Why its done, what the rules concerning the inputs, and the
+ types of rules used are reserved for other documents that fully
+ specify a particular application. This separation is due to several
+ different applications all wanting to take advantage of the rewrite
+ rule lookup process. Each one has vastly different reasons for why
+ and how it uses the service, thus requiring that the definition of
+ the service be generic.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
+ NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL"
+ in this document are to be interpreted as described in RFC 2119.
+
+ All references to Uniform Resource Identifiers in this document
+ adhere to the 'absoluteURI' production of the "Collected ABNF"
+ found in RFC 2396 [9]. Specifically, the semantics of URI
+ References do not apply since the concept of a Base makes no sense
+ here.
+
+2. NAPTR RR Format
+
+ The format of the NAPTR RR is given below. The DNS type code [1] for
+ NAPTR is 35.
+
+ Domain TTL Class Type Order Preference Flags Service Regexp
+ Replacement
+
+ Domain
+ The domain name to which this resource record refers. This is the
+ 'key' for this entry in the rule database. This value will either
+ be the first well known key (<something>.uri.arpa for example) or
+ a new key that is the output of a replacement or regexp rewrite.
+ Beyond this, it has the standard DNS requirements [1].
+
+ TTL
+ Standard DNS meaning [1].
+
+ Class
+ Standard DNS meaning [1].
+
+ Type
+ The Type Code [1] for NAPTR is 35.
+
+
+
+
+Mealling & Daniel Standards Track [Page 3]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ Order
+ A 16-bit unsigned integer specifying the order in which the NAPTR
+ records MUST be processed to ensure the correct ordering of
+ rules. Low numbers are processed before high numbers, and once a
+ NAPTR is found whose rule "matches" the target, the client MUST
+ NOT consider any NAPTRs with a higher value for order (except as
+ noted below for the Flags field).
+
+ Preference
+ A 16-bit unsigned integer that specifies the order in which NAPTR
+ records with equal "order" values SHOULD be processed, low
+ numbers being processed before high numbers. This is similar to
+ the preference field in an MX record, and is used so domain
+ administrators can direct clients towards more capable hosts or
+ lighter weight protocols. A client MAY look at records with
+ higher preference values if it has a good reason to do so such as
+ not understanding the preferred protocol or service.
+
+ The important difference between Order and Preference is that
+ once a match is found the client MUST NOT consider records with a
+ different Order but they MAY process records with the same Order
+ but different Preferences. I.e., Preference is used to give weight
+ to rules that are considered the same from an authority
+ standpoint but not from a simple load balancing standpoint.
+
+ Flags
+ A <character-string> containing flags to control aspects of the
+ rewriting and interpretation of the fields in the record. Flags
+ are single characters from the set [A-Z0-9]. The case of the
+ alphabetic characters is not significant.
+
+ At this time only four flags, "S", "A", "U", and "P", are
+ defined. The "S", "A" and "U" flags denote a terminal lookup.
+ This means that this NAPTR record is the last one and that the
+ flag determines what the next stage should be. The "S" flag
+ means that the next lookup should be for SRV records [4]. See
+ Section 5 for additional information on how NAPTR uses the SRV
+ record type. "A" means that the next lookup should be for either
+ an A, AAAA, or A6 record. The "U" flag means that the next step
+ is not a DNS lookup but that the output of the Regexp field is an
+ URI that adheres to the 'absoluteURI' production found in the
+ ABNF of RFC 2396 [9]. Since there may be applications that use
+ NAPTR to also lookup aspects of URIs, implementors should be
+ aware that this may cause loop conditions and should act
+ accordingly.
+
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 4]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ The "P" flag says that the remainder of the application side
+ algorithm shall be carried out in a Protocol-specific fashion.
+ The new set of rules is identified by the Protocol specified in
+ the Services field. The record that contains the 'P' flag is the
+ last record that is interpreted by the rules specified in this
+ document. The new rules are dependent on the application for
+ which they are being used and the protocol specified. For
+ example, if the application is a URI RDS and the protocol is WIRE
+ then the new set of rules are governed by the algorithms
+ surrounding the WIRE HTTP specification and not this document.
+
+ The remaining alphabetic flags are reserved for future versions
+ of the NAPTR specification. The numeric flags may be used for
+ local experimentation. The S, A, U and P flags are all mutually
+ exclusive, and resolution libraries MAY signal an error if more
+ than one is given. (Experimental code and code for assisting in
+ the creation of NAPTRs would be more likely to signal such an
+ error than a client such as a browser). It is anticipated that
+ multiple flags will be allowed in the future, so implementers
+ MUST NOT assume that the flags field can only contain 0 or 1
+ characters. Finally, if a client encounters a record with an
+ unknown flag, it MUST ignore it and move to the next record. This
+ test takes precedence even over the "order" field. Since flags
+ can control the interpretation placed on fields, a novel flag
+ might change the interpretation of the regexp and/or replacement
+ fields such that it is impossible to determine if a record
+ matched a given target.
+
+ The "S", "A", and "U" flags are called 'terminal' flags since
+ they halt the looping rewrite algorithm. If those flags are not
+ present, clients may assume that another NAPTR RR exists at the
+ domain name produced by the current rewrite rule. Since the "P"
+ flag specifies a new algorithm, it may or may not be 'terminal'.
+ Thus, the client cannot assume that another NAPTR exists since
+ this case is determined elsewhere.
+
+ DNS servers MAY interpret these flags and values and use that
+ information to include appropriate SRV and A,AAAA, or A6 records
+ in the additional information portion of the DNS packet. Clients
+ are encouraged to check for additional information but are not
+ required to do so.
+
+ Service
+ Specifies the service(s) available down this rewrite path. It may
+ also specify the particular protocol that is used to talk with a
+ service. A protocol MUST be specified if the flags field states
+ that the NAPTR is terminal. If a protocol is specified, but the
+ flags field does not state that the NAPTR is terminal, the next
+
+
+
+Mealling & Daniel Standards Track [Page 5]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ lookup MUST be for a NAPTR. The client MAY choose not to perform
+ the next lookup if the protocol is unknown, but that behavior
+ MUST NOT be relied upon.
+
+ The service field may take any of the values below (using the
+ Augmented BNF of RFC 2234 [5]):
+
+ service_field = [ [protocol] *("+" rs)]
+ protocol = ALPHA *31ALPHANUM
+ rs = ALPHA *31ALPHANUM
+ ; The protocol and rs fields are limited to 32
+ ; characters and must start with an alphabetic.
+
+ For example, an optional protocol specification followed by 0 or
+ more resolution services. Each resolution service is indicated by
+ an initial '+' character.
+
+ Note that the empty string is also a valid service field. This
+ will typically be seen at the beginning of a series of rules,
+ when it is impossible to know what services and protocols will be
+ offered by a particular service.
+
+ The actual format of the service request and response will be
+ determined by the resolution protocol, and is the subject for
+ other documents. Protocols need not offer all services. The
+ labels for service requests shall be formed from the set of
+ characters [A-Z0-9]. The case of the alphabetic characters is
+ not significant.
+
+ The list of "valid" protocols for any given NAPTR record is any
+ protocol that implements some or all of the services defined for
+ a NAPTR application. Currently, THTTP [6] is the only protocol
+ that is known to make that claim at the time of publication. Any
+ other protocol that is to be used must have documentation
+ specifying:
+
+ * how it implements the services of the application
+
+ * how it is to appear in the NAPTR record (i.e., the string id
+ of the protocol)
+
+ The list of valid Resolution Services is defined by the documents
+ that specify individual NAPTR based applications.
+
+ It is worth noting that the interpretation of this field is
+ subject to being changed by new flags, and that the current
+ specification is oriented towards telling clients how to talk
+ with a URN resolver.
+
+
+
+Mealling & Daniel Standards Track [Page 6]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ Regexp
+ A STRING containing a substitution expression that is applied to
+ the original string held by the client in order to construct the
+ next domain name to lookup. The grammar of the substitution
+ expression is given in the next section.
+
+ The regular expressions MUST NOT be used in a cumulative fashion,
+ that is, they should only be applied to the original string held
+ by the client, never to the domain name produced by a previous
+ NAPTR rewrite. The latter is tempting in some applications but
+ experience has shown such use to be extremely fault sensitive,
+ very error prone, and extremely difficult to debug.
+
+ Replacement
+ The next NAME to query for NAPTR, SRV, or address records
+ depending on the value of the flags field. This MUST be a fully
+ qualified domain-name. Unless and until permitted by future
+ standards action, name compression is not to be used for this
+ field.
+
+3. Substitution Expression Grammar
+
+ The content of the regexp field is a substitution expression. True
+ sed(1) and Perl style substitution expressions are not appropriate
+ for use in this application for a variety of reasons stemming from
+ internationalization requirements and backref limitations, therefore
+ the contents of the regexp field MUST follow the grammar below:
+
+subst_expr = delim-char ere delim-char repl delim-char *flags
+delim-char = "/" / "!" / ... <Any non-digit or non-flag character
+ other than backslash '\'. All occurances of a delim_char
+ in a subst_expr must be the same character.>
+ere = POSIX Extended Regular Expression
+repl = 1 * ( OCTET / backref )
+backref = "\" 1POS_DIGIT
+flags = "i"
+POS_DIGIT = %x31-39 ; 0 is not an allowed backref
+
+ The definition of a POSIX Extended Regular Expression can be found in
+ [8], section 2.8.4.
+
+ The result of applying the substitution expression to the original
+ URI MUST result in either a string that obeys the syntax for DNS
+ domain-names [1] or a URI [9] if the Flags field contains a 'u'.
+ Since it is possible for the regexp field to be improperly specified,
+ such that a non-conforming domain-name can be constructed, client
+ software SHOULD verify that the result is a legal DNS domain-name
+ before making queries on it.
+
+
+
+Mealling & Daniel Standards Track [Page 7]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ Backref expressions in the repl portion of the substitution
+ expression are replaced by the (possibly empty) string of characters
+ enclosed by '(' and ')' in the ERE portion of the substitution
+ expression. N is a single digit from 1 through 9, inclusive. It
+ specifies the N'th backref expression, the one that begins with the
+ N'th '(' and continues to the matching ')'. For example, the ERE
+
+ (A(B(C)DE)(F)G)
+
+ has backref expressions:
+
+ \1 = ABCDEFG
+ \2 = BCDE
+ \3 = C
+ \4 = F
+ \5..\9 = error - no matching subexpression
+
+ The "i" flag indicates that the ERE matching SHALL be performed in a
+ case-insensitive fashion. Furthermore, any backref replacements MAY
+ be normalized to lower case when the "i" flag is given.
+
+ The first character in the substitution expression shall be used as
+ the character that delimits the components of the substitution
+ expression. There must be exactly three non-escaped occurrences of
+ the delimiter character in a substitution expression. Since escaped
+ occurrences of the delimiter character will be interpreted as
+ occurrences of that character, digits MUST NOT be used as delimiters.
+ Backrefs would be confused with literal digits were this allowed.
+ Similarly, if flags are specified in the substitution expression, the
+ delimiter character must not also be a flag character.
+
+4. The Basic NAPTR Algorithm
+
+ The behavior and meaning of the flags and services assume an
+ algorithm where the output of one rewrite is a new key that points to
+ another rule. This looping algorithm allows NAPTR records to
+ incrementally specify a complete rule. These incremental rules can
+ be delegated which allows other entities to specify rules so that one
+ entity does not need to understand _all_ rules.
+
+ The algorithm starts with a string and some known key (domain).
+ NAPTR records for this key are retrieved, those with unknown Flags or
+ inappropriate Services are discarded and the remaining records are
+ sorted by their Order field. Within each value of Order, the records
+ are further sorted by the Preferences field.
+
+ The records are examined in sorted order until a matching record is
+ found. A record is considered a match iff:
+
+
+
+Mealling & Daniel Standards Track [Page 8]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ o it has a Replacement field value instead of a Regexp field value.
+
+ o or the Regexp field matches the string held by the client.
+
+ The first match MUST be the match that is used. Once a match is
+ found, the Services field is examined for whether or not this rule
+ advances toward the desired result. If so, the rule is applied to
+ the target string. If not, the process halts. The domain that
+ results from the regular expression is then used as the domain of the
+ next loop through the NAPTR algorithm. Note that the same target
+ string is used throughout the algorithm.
+
+ This looping is extremely important since it is the method by which
+ complex rules are broken down into manageable delegated chunks. The
+ flags fields simply determine at which point the looping should stop
+ (or other specialized behavior).
+
+ Since flags are valid at any level of the algorithm, the degenerative
+ case is to never loop but to look up the NAPTR and then stop. In
+ many specialized cases this is all that is needed. Implementors
+ should be aware that the degenerative case should not become the
+ common case.
+
+5. Concerning How NAPTR Uses SRV Records
+
+ When the SRV record type was originally specified it assumed that the
+ client did not know the specific domain-name before hand. The client
+ would construct a domain-name more in the form of a question than the
+ usual case of knowing ahead of time that the domain-name should
+ exist. I.e., if the client wants to know if there is a TCP based
+ HTTP server running at a particular domain, the client would
+ construct the domain-name _http._tcp.somedomain.com and ask the DNS
+ if that records exists. The underscores are used to avoid collisions
+ with potentially 'real' domain-names.
+
+ In the case of NAPTR, the actual domain-name is specified by the
+ various fields in the NAPTR record. In this case the client isn't
+ asking a question but is instead attempting to get at information
+ that it has been told exists in an SRV record at that particular
+ domain-name. While this usage of SRV is slightly different than the
+ SRV authors originally intended it does not break any of the
+ assumptions concerning what SRV contains. Also, since the NAPTR
+ explicitly spells out the domain-name for which an SRV exists, that
+ domain-name MUST be used in SRV queries with NO transformations. Any
+ given NAPTR record may result in a domain-name to be used for SRV
+ queries that may or may not contain the SRV standardized underscore
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 9]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ characters. NAPTR applications that make use of SRV MUST NOT attempt
+ to understand these domains or use them according to how the SRV
+ specification structures its query domains.
+
+6. Application Specifications
+
+ It should be noted that the NAPTR algorithm is the basic assumption
+ about how NAPTR works. The reasons for the rewrite and the expected
+ output and its use are specified by documents that define what
+ applications the NAPTR record and algorithm are used for. Any
+ document that defines such an application must define the following:
+
+ o The first known domain-name or how to build it
+
+ o The valid Services and Protocols
+
+ o What the expected use is for the output of the last rewrite
+
+ o The validity and/or behavior of any 'P' flag protocols.
+
+ o The general semantics surrounding why and how NAPTR and its
+ algorithm are being used.
+
+7. Examples
+
+ NOTE: These are examples only. They are taken from ongoing work and
+ may not represent the end result of that work. They are here for
+ pedagogical reasons only.
+
+7.1 Example 1
+
+ NAPTR was originally specified for use with the a Uniform Resource
+ Name Resolver Discovery System. This example details how a
+ particular URN would use the NAPTR record to find a resolver service.
+
+ Consider a URN namespace based on MIME Content-Ids. The URN might
+ look like this:
+
+ urn:cid:39CB83F7.A8450130@fake.gatech.edu
+
+ (Note that this example is chosen for pedagogical purposes, and does
+ not conform to the CID URL scheme.)
+
+ The first step in the resolution process is to find out about the CID
+ namespace. The namespace identifier [3], 'cid', is extracted from
+ the URN, prepended to urn.arpa. 'cid.urn.arpa' then becomes the first
+ 'known' key in the NAPTR algorithm. The NAPTR records for
+ cid.urn.arpa looked up and return a single record:
+
+
+
+Mealling & Daniel Standards Track [Page 10]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ cid.urn.arpa.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 10 "" "" "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i" .
+
+ There is only one NAPTR response, so ordering the responses is not a
+ problem. The replacement field is empty, so the pattern provided in
+ the regexp field is used. We apply that regexp to the entire URN to
+ see if it matches, which it does. The \2 part of the substitution
+ expression returns the string "gatech.edu". Since the flags field
+ does not contain "s" or "a", the lookup is not terminal and our next
+ probe to DNS is for more NAPTR records where the new domain is '
+ gatech.edu' and the string is the same string as before.
+
+ Note that the rule does not extract the full domain name from the
+ CID, instead it assumes the CID comes from a host and extracts its
+ domain. While all hosts, such as mordred, could have their very own
+ NAPTR, maintaining those records for all the machines at a site as
+ large as Georgia Tech would be an intolerable burden. Wildcards are
+ not appropriate here since they only return results when there is no
+ exactly matching names already in the system.
+
+ The record returned from the query on "gatech.edu" might look like:
+
+;; order pref flags service regexp replacement
+ IN NAPTR 100 50 "s" "z3950+I2L+I2C" "" _z3950._tcp.gatech.edu.
+ IN NAPTR 100 50 "s" "rcds+I2C" "" _rcds._udp.gatech.edu.
+ IN NAPTR 100 50 "s" "http+I2L+I2C+I2R" "" _http._tcp.gatech.edu.
+
+ Continuing with the example, note that the values of the order and
+ preference fields are equal in all records, so the client is free to
+ pick any record. The flags field tells us that these are the last
+ NAPTR patterns we should see, and after the rewrite (a simple
+ replacement in this case) we should look up SRV records to get
+ information on the hosts that can provide the necessary service.
+
+ Assuming we prefer the Z39.50 protocol, our lookup might return:
+
+ ;; Pref Weight Port Target
+ _z3950._tcp.gatech.edu. IN SRV 0 0 1000 z3950.gatech.edu.
+ IN SRV 0 0 1000 z3950.cc.gatech.edu.
+ IN SRV 0 0 1000 z3950.uga.edu.
+
+ telling us three hosts that could actually do the resolution, and
+ giving us the port we should use to talk to their Z39.50 server.
+
+ Recall that the regular expression used \2 to extract a domain name
+ from the CID, and \. for matching the literal '.' characters
+ separating the domain name components. Since '\' is the escape
+
+
+
+Mealling & Daniel Standards Track [Page 11]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ character, literal occurances of a backslash must be escaped by
+ another backslash. For the case of the cid.urn.arpa record above,
+ the regular expression entered into the master file should be
+ "/urn:cid:.+@([^\\.]+\\.)(.*)$/\\2/i". When the client code actually
+ receives the record, the pattern will have been converted to
+ "/urn:cid:.+@([^\.]+\.)(.*)$/\2/i".
+
+7.2 Example 2
+
+ Even if URN systems were in place now, there would still be a
+ tremendous number of URLs. It should be possible to develop a URN
+ resolution system that can also provide location independence for
+ those URLs. This is related to the requirement that URNs be able to
+ grandfather in names from other naming systems, such as ISO Formal
+ Public Identifiers, Library of Congress Call Numbers, ISBNs, ISSNs,
+ etc.
+
+ The NAPTR RR could also be used for URLs that have already been
+ assigned. Assume we have the URL for a very popular piece of
+ software that the publisher wishes to mirror at multiple sites around
+ the world:
+
+ Using the rules specified for this application we extract the prefix,
+ "http", and lookup NAPTR records for http.uri.arpa. This might
+ return a record of the form
+
+ http.uri.arpa. IN NAPTR
+ ;; order pref flags service regexp replacement
+ 100 90 "" "" "!http://([^/:]+)!\1!i" .
+
+ This expression returns everything after the first double slash and
+ before the next slash or colon. (We use the '!' character to delimit
+ the parts of the substitution expression. Otherwise we would have to
+ use backslashes to escape the forward slashes and would have a regexp
+ in the zone file that looked like "/http:\\/\\/([^\\/:]+)/\\1/i".).
+
+ Applying this pattern to the URL extracts "www.foo.com". Looking up
+ NAPTR records for that might return:
+
+ www.foo.com.
+ ;; order pref flags service regexp replacement
+ IN NAPTR 100 100 "s" "http+I2R" "" _http._tcp.foo.com.
+ IN NAPTR 100 100 "s" "ftp+I2R" "" _ftp._tcp.foo.com.
+
+ Looking up SRV records for http.tcp.foo.com would return information
+ on the hosts that foo.com has designated to be its mirror sites. The
+ client can then pick one for the user.
+
+
+
+
+Mealling & Daniel Standards Track [Page 12]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+7.3 Example 3
+
+ A non-URI example is the ENUM application which uses a NAPTR record
+ to map an e.164 telephone number to a URI. In order to convert the
+ phone number to a domain name for the first iteration all characters
+ other than digits are removed from the the telephone number, the
+ entire number is inverted, periods are put between each digit and the
+ string ".e164.arpa" is put on the left-hand side. For example, the
+ E.164 phone number "+1-770-555-1212" converted to a domain-name it
+ would be "2.1.2.1.5.5.5.0.7.7.1.e164.arpa."
+
+ For this example telephone number we might get back the following
+ NAPTR records:
+
+$ORIGIN 2.1.2.1.5.5.5.0.7.7.1.e164.arpa.
+ IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:information@tele2.se!" .
+ IN NAPTR 102 10 "u" "mailto+E2U" "!^.*$!mailto:information@tele2.se!" .
+
+ This application uses the same 'u' flag as the URI Resolution
+ application. This flag states that the Rule is terminal and that the
+ output is a URI which contains the information needed to contact that
+ telephone service. ENUM also uses the same format for its Service
+ field except that it defines the 'E2U' service instead of the 'I2*'
+ services that URI resolution uses. The example above states that the
+ available protocols used to access that telephone's service are
+ either the Session Initiation Protocol or SMTP mail.
+
+8. DNS Packet Format
+
+ The packet format for the NAPTR record is:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ORDER |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | PREFERENCE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / FLAGS /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / SERVICES /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / REGEXP /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ / REPLACEMENT /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+
+
+
+Mealling & Daniel Standards Track [Page 13]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ where:
+
+ FLAGS A <character-string> which contains various flags.
+
+ SERVICES A <character-string> which contains protocol and service
+ identifiers.
+
+ REGEXP A <character-string> which contains a regular expression.
+
+ REPLACEMENT A <domain-name> which specifies the new value in the
+ case where the regular expression is a simple replacement
+ operation.
+
+ <character-string> and <domain-name> as used here are defined in
+ RFC1035 [1].
+
+9. Master File Format
+
+ The master file format follows the standard rules in RFC-1035 [1].
+ Order and preference, being 16-bit unsigned integers, shall be an
+ integer between 0 and 65535. The Flags and Services and Regexp
+ fields are all quoted <character-string>s. Since the Regexp field
+ can contain numerous backslashes and thus should be treated with
+ care. See Section 10 for how to correctly enter and escape the
+ regular expression.
+
+10. Advice for DNS Administrators
+
+ Beware of regular expressions. Not only are they difficult to get
+ correct on their own, but there is the previously mentioned
+ interaction with DNS. Any backslashes in a regexp must be entered
+ twice in a zone file in order to appear once in a query response.
+ More seriously, the need for double backslashes has probably not been
+ tested by all implementors of DNS servers.
+
+ The "a" flag allows the next lookup to be for address records (A,
+ AAAA, A6) rather than SRV records. Since there is no place for a
+ port specification in the NAPTR record, when the "A" flag is used the
+ specified protocol must be running on its default port.
+
+ The URN Syntax draft defines a canonical form for each URN, which
+ requires %encoding characters outside a limited repertoire. The
+ regular expressions MUST be written to operate on that canonical
+ form. Since international character sets will end up with extensive
+ use of %encoded characters, regular expressions operating on them
+ will be essentially impossible to read or write by hand.
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 14]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+11. Notes
+
+ o A client MUST process multiple NAPTR records in the order
+ specified by the "order" field, it MUST NOT simply use the first
+ record that provides a known protocol and service combination.
+
+ o When multiple RRs have the same "order" and all other criteria
+ being equal, the client should use the value of the preference
+ field to select the next NAPTR to consider. However, because it
+ will often be the case where preferred protocols or services
+ exist, clients may use this additional criteria to sort
+ the records.
+
+ o If the lookup after a rewrite fails, clients are strongly
+ encouraged to report a failure, rather than backing up to pursue
+ other rewrite paths.
+
+ o Note that SRV RRs impose additional requirements on clients.
+
+12. IANA Considerations
+
+ The only registration function that impacts the IANA is for the
+ values that are standardized for the Services and Flags fields. To
+ extend the valid values of the Flags field beyond what is specified
+ in this document requires a published specification that is approved
+ by the IESG.
+
+ The values for the Services field will be determined by the
+ application that makes use of the NAPTR record. Those values must be
+ specified in a published specification and approved by the IESG.
+
+13. Security Considerations
+
+ The interactions with DNSSEC are currently being studied. It is
+ expected that NAPTR records will be signed with SIG records once the
+ DNSSEC work is deployed.
+
+ The rewrite rules make identifiers from other namespaces subject to
+ the same attacks as normal domain names. Since they have not been
+ easily resolvable before, this may or may not be considered a
+ problem.
+
+ Regular expressions should be checked for sanity, not blindly passed
+ to something like PERL.
+
+ This document has discussed a way of locating a service, but has not
+ discussed any detail of how the communication with that service takes
+ place. There are significant security considerations attached to the
+
+
+
+Mealling & Daniel Standards Track [Page 15]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+ communication with a service. Those considerations are outside the
+ scope of this document, and must be addressed by the specifications
+ for particular communication protocols.
+
+14. Acknowledgments
+
+ The editors would like to thank Keith Moore for all his consultations
+ during the development of this memo. We would also like to thank
+ Paul Vixie for his assistance in debugging our implementation, and
+ his answers on our questions. Finally, we would like to acknowledge
+ our enormous intellectual debt to the participants in the Knoxville
+ series of meetings, as well as to the participants in the URI and URN
+ working groups.
+
+References
+
+ [1] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [2] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [3] Moats, R., "URN Syntax", RFC 2141, May 1997.
+
+ [4] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ February 2000.
+
+ [5] Crocker, D., "Augmented BNF for Syntax Specifications: ABNF",
+ RFC 2234, November 1997.
+
+ [6] Daniel, R., "A Trivial Convention for using HTTP in URN
+ Resolution", RFC 2169, June 1997.
+
+ [7] Daniel, R. and M. Mealling, "Resolution of Uniform Resource
+ Identifiers using the Domain Name System", RFC 2168, June 1997.
+
+ [8] IEEE, "IEEE Standard for Information Technology - Portable
+ Operating System Interface (POSIX) - Part 2: Shell and Utilities
+ (Vol. 1)", IEEE Std 1003.2-1992, January 1993.
+
+ [9] Berners-Lee, T., Fielding, R.T. and L. Masinter, "Uniform
+ Resource Identifiers (URI): Generic Syntax", RFC 2396, August
+ 1998.
+
+
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 16]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+Authors' Addresses
+
+ Michael Mealling
+ Network Solutions, Inc.
+ 505 Huntmar Park Drive
+ Herndon, VA 22070
+ US
+
+ Phone: +1 770 921 2251
+ EMail: michaelm@netsol.com
+ URI: http://www.netsol.com
+
+
+ Ron Daniel
+ DATAFUSION, Inc.
+ 139 Townsend Street, Ste. 100
+ San Francisco, CA 94107
+ US
+
+ Phone: +1 415 222 0100
+ EMail: rdaniel@datafusion.net
+ URI: http://www.datafusion.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 17]
+
+RFC 2915 NAPTR DNS RR September 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Mealling & Daniel Standards Track [Page 18]
+
diff --git a/contrib/bind9/doc/rfc/rfc2929.txt b/contrib/bind9/doc/rfc/rfc2929.txt
new file mode 100644
index 0000000..f055968
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2929.txt
@@ -0,0 +1,675 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake, 3rd
+Request for Comments: 2929 Motorola
+BCP: 42 E. Brunner-Williams
+Category: Best Current Practice Engage
+ B. Manning
+ ISI
+ September 2000
+
+ Domain Name System (DNS) IANA Considerations
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ Internet Assigned Number Authority (IANA) parameter assignment
+ considerations are given for the allocation of Domain Name System
+ (DNS) classes, Resource Record (RR) types, operation codes, error
+ codes, etc.
+
+Table of Contents
+
+ 1. Introduction................................................. 2
+ 2. DNS Query/Response Headers................................... 2
+ 2.1 One Spare Bit?.............................................. 3
+ 2.2 Opcode Assignment........................................... 3
+ 2.3 RCODE Assignment............................................ 4
+ 3. DNS Resource Records......................................... 5
+ 3.1 RR TYPE IANA Considerations................................. 6
+ 3.1.1 Special Note on the OPT RR................................ 7
+ 3.2 RR CLASS IANA Considerations................................ 7
+ 3.3 RR NAME Considerations...................................... 8
+ 4. Security Considerations...................................... 9
+ References...................................................... 9
+ Authors' Addresses.............................................. 11
+ Full Copyright Statement........................................ 12
+
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 1]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+1. Introduction
+
+ The Domain Name System (DNS) provides replicated distributed secure
+ hierarchical databases which hierarchically store "resource records"
+ (RRs) under domain names.
+
+ This data is structured into CLASSes and zones which can be
+ independently maintained. See [RFC 1034, 1035, 2136, 2181, 2535]
+ familiarity with which is assumed.
+
+ This document covers, either directly or by reference, general IANA
+ parameter assignment considerations applying across DNS query and
+ response headers and all RRs. There may be additional IANA
+ considerations that apply to only a particular RR type or
+ query/response opcode. See the specific RFC defining that RR type or
+ query/response opcode for such considerations if they have been
+ defined.
+
+ IANA currently maintains a web page of DNS parameters. See
+ <http://www.iana.org/numbers.htm>.
+
+ "IETF Standards Action", "IETF Consensus", "Specification Required",
+ and "Private Use" are as defined in [RFC 2434].
+
+2. DNS Query/Response Headers
+
+ The header for DNS queries and responses contains field/bits in the
+ following diagram taken from [RFC 2136, 2535]:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ID |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ |QR| Opcode |AA|TC|RD|RA| Z|AD|CD| RCODE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | QDCOUNT/ZOCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ANCOUNT/PRCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | NSCOUNT/UPCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | ARCOUNT |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ The ID field identifies the query and is echoed in the response so
+ they can be matched.
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 2]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ The QR bit indicates whether the header is for a query or a response.
+
+ The AA, TC, RD, RA, AD, and CD bits are each theoretically meaningful
+ only in queries or only in responses, depending on the bit. However,
+ many DNS implementations copy the query header as the initial value
+ of the response header without clearing bits. Thus any attempt to
+ use a "query" bit with a different meaning in a response or to define
+ a query meaning for a "response" bit is dangerous given existing
+ implementation. Such meanings may only be assigned by an IETF
+ Standards Action.
+
+ The unsigned fields query count (QDCOUNT), answer count (ANCOUNT),
+ authority count (NSCOUNT), and additional information count (ARCOUNT)
+ express the number of records in each section for all opcodes except
+ Update. These fields have the same structure and data type for
+ Update but are instead the counts for the zone (ZOCOUNT),
+ prerequisite (PRCOUNT), update (UPCOUNT), and additional information
+ (ARCOUNT) sections.
+
+2.1 One Spare Bit?
+
+ There have been ancient DNS implementations for which the Z bit being
+ on in a query meant that only a response from the primary server for
+ a zone is acceptable. It is believed that current DNS
+ implementations ignore this bit.
+
+ Assigning a meaning to the Z bit requires an IETF Standards Action.
+
+2.2 Opcode Assignment
+
+ New OpCode assignments require an IETF Standards Action.
+
+ Currently DNS OpCodes are assigned as follows:
+
+ OpCode Name Reference
+
+ 0 Query [RFC 1035]
+ 1 IQuery (Inverse Query) [RFC 1035]
+ 2 Status [RFC 1035]
+ 3 available for assignment
+ 4 Notify [RFC 1996]
+ 5 Update [RFC 2136]
+ 6-15 available for assignment
+
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 3]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+2.3 RCODE Assignment
+
+ It would appear from the DNS header above that only four bits of
+ RCODE, or response/error code are available. However, RCODEs can
+ appear not only at the top level of a DNS response but also inside
+ OPT RRs [RFC 2671], TSIG RRs [RFC 2845], and TKEY RRs [RFC 2930].
+ The OPT RR provides an eight bit extension resulting in a 12 bit
+ RCODE field and the TSIG and TKEY RRs have a 16 bit RCODE field.
+
+ Error codes appearing in the DNS header and in these three RR types
+ all refer to the same error code space with the single exception of
+ error code 16 which has a different meaning in the OPT RR from its
+ meaning in other contexts. See table below.
+
+ RCODE Name Description Reference
+ Decimal
+ Hexadecimal
+ 0 NoError No Error [RFC 1035]
+ 1 FormErr Format Error [RFC 1035]
+ 2 ServFail Server Failure [RFC 1035]
+ 3 NXDomain Non-Existent Domain [RFC 1035]
+ 4 NotImp Not Implemented [RFC 1035]
+ 5 Refused Query Refused [RFC 1035]
+ 6 YXDomain Name Exists when it should not [RFC 2136]
+ 7 YXRRSet RR Set Exists when it should not [RFC 2136]
+ 8 NXRRSet RR Set that should exist does not [RFC 2136]
+ 9 NotAuth Server Not Authoritative for zone [RFC 2136]
+ 10 NotZone Name not contained in zone [RFC 2136]
+ 11-15 available for assignment
+ 16 BADVERS Bad OPT Version [RFC 2671]
+ 16 BADSIG TSIG Signature Failure [RFC 2845]
+ 17 BADKEY Key not recognized [RFC 2845]
+ 18 BADTIME Signature out of time window [RFC 2845]
+ 19 BADMODE Bad TKEY Mode [RFC 2930]
+ 20 BADNAME Duplicate key name [RFC 2930]
+ 21 BADALG Algorithm not supported [RFC 2930]
+ 22-3840 available for assignment
+ 0x0016-0x0F00
+ 3841-4095 Private Use
+ 0x0F01-0x0FFF
+ 4096-65535 available for assignment
+ 0x1000-0xFFFF
+
+ Since it is important that RCODEs be understood for interoperability,
+ assignment of new RCODE listed above as "available for assignment"
+ requires an IETF Consensus.
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 4]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+3. DNS Resource Records
+
+ All RRs have the same top level format shown in the figure below
+ taken from [RFC 1035]:
+
+ 1 1 1 1 1 1
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | |
+ / /
+ / NAME /
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TYPE |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | CLASS |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | TTL |
+ | |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ | RDLENGTH |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
+ / RDATA /
+ / /
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ NAME is an owner name, i.e., the name of the node to which this
+ resource record pertains. NAMEs are specific to a CLASS as described
+ in section 3.2. NAMEs consist of an ordered sequence of one or more
+ labels each of which has a label type [RFC 1035, 2671].
+
+ TYPE is a two octet unsigned integer containing one of the RR TYPE
+ codes. See section 3.1.
+
+ CLASS is a two octet unsigned integer containing one of the RR CLASS
+ codes. See section 3.2.
+
+ TTL is a four octet (32 bit) bit unsigned integer that specifies the
+ number of seconds that the resource record may be cached before the
+ source of the information should again be consulted. Zero is
+ interpreted to mean that the RR can only be used for the transaction
+ in progress.
+
+ RDLENGTH is an unsigned 16 bit integer that specifies the length in
+ octets of the RDATA field.
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 5]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ RDATA is a variable length string of octets that constitutes the
+ resource. The format of this information varies according to the
+ TYPE and in some cases the CLASS of the resource record.
+
+3.1 RR TYPE IANA Considerations
+
+ There are three subcategories of RR TYPE numbers: data TYPEs, QTYPEs,
+ and MetaTYPEs.
+
+ Data TYPEs are the primary means of storing data. QTYPES can only be
+ used in queries. Meta-TYPEs designate transient data associated with
+ an particular DNS message and in some cases can also be used in
+ queries. Thus far, data TYPEs have been assigned from 1 upwards plus
+ the block from 100 through 103 while Q and Meta Types have been
+ assigned from 255 downwards (except for the OPT Meta-RR which is
+ assigned TYPE 41). There have been DNS implementations which made
+ caching decisions based on the top bit of the bottom byte of the RR
+ TYPE.
+
+ There are currently three Meta-TYPEs assigned: OPT [RFC 2671], TSIG
+ [RFC 2845], and TKEY [RFC 2930].
+
+ There are currently five QTYPEs assigned: * (all), MAILA, MAILB,
+ AXFR, and IXFR.
+
+ Considerations for the allocation of new RR TYPEs are as follows:
+
+ Decimal
+ Hexadecimal
+
+ 0
+ 0x0000 - TYPE zero is used as a special indicator for the SIG RR [RFC
+ 2535] and in other circumstances and must never be allocated
+ for ordinary use.
+
+ 1 - 127
+ 0x0001 - 0x007F - remaining TYPEs in this range are assigned for data
+ TYPEs by IETF Consensus.
+
+ 128 - 255
+ 0x0080 - 0x00FF - remaining TYPEs in this rage are assigned for Q and
+ Meta TYPEs by IETF Consensus.
+
+ 256 - 32767
+ 0x0100 - 0x7FFF - assigned for data, Q, or Meta TYPE use by IETF
+ Consensus.
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 6]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ 32768 - 65279
+ 0x8000 - 0xFEFF - Specification Required as defined in [RFC 2434].
+
+ 65280 - 65535
+ 0xFF00 - 0xFFFF - Private Use.
+
+3.1.1 Special Note on the OPT RR
+
+ The OPT (OPTion) RR, number 41, is specified in [RFC 2671]. Its
+ primary purpose is to extend the effective field size of various DNS
+ fields including RCODE, label type, flag bits, and RDATA size. In
+ particular, for resolvers and servers that recognize it, it extends
+ the RCODE field from 4 to 12 bits.
+
+3.2 RR CLASS IANA Considerations
+
+ DNS CLASSes have been little used but constitute another dimension of
+ the DNS distributed database. In particular, there is no necessary
+ relationship between the name space or root servers for one CLASS and
+ those for another CLASS. The same name can have completely different
+ meanings in different CLASSes although the label types are the same
+ and the null label is usable only as root in every CLASS. However,
+ as global networking and DNS have evolved, the IN, or Internet, CLASS
+ has dominated DNS use.
+
+ There are two subcategories of DNS CLASSes: normal data containing
+ classes and QCLASSes that are only meaningful in queries or updates.
+
+ The current CLASS assignments and considerations for future
+ assignments are as follows:
+
+ Decimal
+ Hexadecimal
+
+ 0
+ 0x0000 - assignment requires an IETF Standards Action.
+
+ 1
+ 0x0001 - Internet (IN).
+
+ 2
+ 0x0002 - available for assignment by IETF Consensus as a data CLASS.
+
+ 3
+ 0x0003 - Chaos (CH) [Moon 1981].
+
+ 4
+ 0x0004 - Hesiod (HS) [Dyer 1987].
+
+
+
+Eastlake, et al. Best Current Practice [Page 7]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ 5 - 127
+ 0x0005 - 0x007F - available for assignment by IETF Consensus as data
+ CLASSes only.
+
+ 128 - 253
+ 0x0080 - 0x00FD - available for assignment by IETF Consensus as
+ QCLASSes only.
+
+ 254
+ 0x00FE - QCLASS None [RFC 2136].
+
+ 255
+ 0x00FF - QCLASS Any [RFC 1035].
+
+ 256 - 32767
+ 0x0100 - 0x7FFF - assigned by IETF Consensus.
+
+ 32768 - 65280
+ 0x8000 - 0xFEFF - assigned based on Specification Required as defined
+ in [RFC 2434].
+
+ 65280 - 65534
+ 0xFF00 - 0xFFFE - Private Use.
+
+ 65535
+ 0xFFFF - can only be assigned by an IETF Standards Action.
+
+3.3 RR NAME Considerations
+
+ DNS NAMEs are sequences of labels [RFC 1035]. The last label in each
+ NAME is "ROOT" which is the zero length label. By definition, the
+ null or ROOT label can not be used for any other NAME purpose.
+
+ At the present time, there are two categories of label types, data
+ labels and compression labels. Compression labels are pointers to
+ data labels elsewhere within an RR or DNS message and are intended to
+ shorten the wire encoding of NAMEs. The two existing data label
+ types are sometimes referred to as Text and Binary. Text labels can,
+ in fact, include any octet value including zero octets but most
+ current uses involve only [US-ASCII]. For retrieval, Text labels are
+ defined to treat ASCII upper and lower case letter codes as matching.
+ Binary labels are bit sequences [RFC 2673].
+
+ IANA considerations for label types are given in [RFC 2671].
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 8]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ NAMEs are local to a CLASS. The Hesiod [Dyer 1987] and Chaos [Moon
+ 1981] CLASSes are essentially for local use. The IN or Internet
+ CLASS is thus the only DNS CLASS in global use on the Internet at
+ this time.
+
+ A somewhat dated description of name allocation in the IN Class is
+ given in [RFC 1591]. Some information on reserved top level domain
+ names is in Best Current Practice 32 [RFC 2606].
+
+4. Security Considerations
+
+ This document addresses IANA considerations in the allocation of
+ general DNS parameters, not security. See [RFC 2535] for secure DNS
+ considerations.
+
+References
+
+ [Dyer 1987] Dyer, S., and F. Hsu, "Hesiod", Project Athena Technical
+ Plan - Name Service, April 1987,
+
+ [Moon 1981] D. Moon, "Chaosnet", A.I. Memo 628, Massachusetts
+ Institute of Technology Artificial Intelligence
+ Laboratory, June 1981.
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC 1591] Postel, J., "Domain Name System Structure and
+ Delegation", RFC 1591, March 1994.
+
+ [RFC 1996] Vixie, P., "A Mechanism for Prompt Notification of Zone
+ Changes (DNS NOTIFY)", RFC 1996, August 1996.
+
+ [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+ [RFC 2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 9]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC 2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS
+ Names", RFC 2606, June 1999.
+
+ [RFC 2671] Vixie, P., "Extension mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC 2672] Crawford, M., "Non-Terminal DNS Name Redirection", RFC
+ 2672, August 1999.
+
+ [RFC 2673] Crawford, M., "Binary Labels in the Domain Name System",
+ RFC 2673, August 1999.
+
+ [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Authentication for
+ DNS (TSIG)", RFC 2845, May 2000.
+
+ [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+ [US-ASCII] ANSI, "USA Standard Code for Information Interchange",
+ X3.4, American National Standards Institute: New York,
+ 1968.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 10]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+Authors' Addresses
+
+ Donald E. Eastlake 3rd
+ Motorola
+ 140 Forest Avenue
+ Hudson, MA 01749 USA
+
+ Phone: +1-978-562-2827 (h)
+ +1-508-261-5434 (w)
+ Fax: +1-508-261-4447 (w)
+ EMail: Donald.Eastlake@motorola.com
+
+
+ Eric Brunner-Williams
+ Engage
+ 100 Brickstone Square, 2nd Floor
+ Andover, MA 01810
+
+ Phone: +1-207-797-0525 (h)
+ +1-978-684-7796 (w)
+ Fax: +1-978-684-3118
+ EMail: brunner@engage.com
+
+
+ Bill Manning
+ USC/ISI
+ 4676 Admiralty Way, #1001
+ Marina del Rey, CA 90292 USA
+
+ Phone: +1-310-822-1511
+ EMail: bmanning@isi.edu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 11]
+
+RFC 2929 DNS IANA Considerations September 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake, et al. Best Current Practice [Page 12]
+
diff --git a/contrib/bind9/doc/rfc/rfc2930.txt b/contrib/bind9/doc/rfc/rfc2930.txt
new file mode 100644
index 0000000..f99573d
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2930.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake, 3rd
+Request for Comments: 2930 Motorola
+Category: Standards Track September 2000
+
+
+ Secret Key Establishment for DNS (TKEY RR)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ [RFC 2845] provides a means of authenticating Domain Name System
+ (DNS) queries and responses using shared secret keys via the
+ Transaction Signature (TSIG) resource record (RR). However, it
+ provides no mechanism for setting up such keys other than manual
+ exchange. This document describes a Transaction Key (TKEY) RR that
+ can be used in a number of different modes to establish shared secret
+ keys between a DNS resolver and server.
+
+Acknowledgments
+
+ The comments and ideas of the following persons (listed in alphabetic
+ order) have been incorporated herein and are gratefully acknowledged:
+
+ Olafur Gudmundsson (TIS)
+
+ Stuart Kwan (Microsoft)
+
+ Ed Lewis (TIS)
+
+ Erik Nordmark (SUN)
+
+ Brian Wellington (Nominum)
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+Table of Contents
+
+ 1. Introduction............................................... 2
+ 1.1 Overview of Contents...................................... 3
+ 2. The TKEY Resource Record................................... 4
+ 2.1 The Name Field............................................ 4
+ 2.2 The TTL Field............................................. 5
+ 2.3 The Algorithm Field....................................... 5
+ 2.4 The Inception and Expiration Fields....................... 5
+ 2.5 The Mode Field............................................ 5
+ 2.6 The Error Field........................................... 6
+ 2.7 The Key Size and Data Fields.............................. 6
+ 2.8 The Other Size and Data Fields............................ 6
+ 3. General TKEY Considerations................................ 7
+ 4. Exchange via Resolver Query................................ 8
+ 4.1 Query for Diffie-Hellman Exchanged Keying................. 8
+ 4.2 Query for TKEY Deletion................................... 9
+ 4.3 Query for GSS-API Establishment........................... 10
+ 4.4 Query for Server Assigned Keying.......................... 10
+ 4.5 Query for Resolver Assigned Keying........................ 11
+ 5. Spontaneous Server Inclusion............................... 12
+ 5.1 Spontaneous Server Key Deletion........................... 12
+ 6. Methods of Encryption...................................... 12
+ 7. IANA Considerations........................................ 13
+ 8. Security Considerations.................................... 13
+ References.................................................... 14
+ Author's Address.............................................. 15
+ Full Copyright Statement...................................... 16
+
+1. Introduction
+
+ The Domain Name System (DNS) is a hierarchical, distributed, highly
+ available database used for bi-directional mapping between domain
+ names and addresses, for email routing, and for other information
+ [RFC 1034, 1035]. It has been extended to provide for public key
+ security and dynamic update [RFC 2535, RFC 2136]. Familiarity with
+ these RFCs is assumed.
+
+ [RFC 2845] provides a means of efficiently authenticating DNS
+ messages using shared secret keys via the TSIG resource record (RR)
+ but provides no mechanism for setting up such keys other than manual
+ exchange. This document specifies a TKEY RR that can be used in a
+ number of different modes to establish and delete such shared secret
+ keys between a DNS resolver and server.
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ Note that TKEY established keying material and TSIGs that use it are
+ associated with DNS servers or resolvers. They are not associated
+ with zones. They may be used to authenticate queries and responses
+ but they do not provide zone based DNS data origin or denial
+ authentication [RFC 2535].
+
+ Certain modes of TKEY perform encryption which may affect their
+ export or import status for some countries. The affected modes
+ specified in this document are the server assigned mode and the
+ resolver assigned mode.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+ In all cases herein, the term "resolver" includes that part of a
+ server which may make full and incremental [RFC 1995] zone transfer
+ queries, forwards recursive queries, etc.
+
+1.1 Overview of Contents
+
+ Section 2 below specifies the TKEY RR and provides a description of
+ and considerations for its constituent fields.
+
+ Section 3 describes general principles of operations with TKEY.
+
+ Section 4 discusses key agreement and deletion via DNS requests with
+ the Query opcode for RR type TKEY. This method is applicable to all
+ currently defined TKEY modes, although in some cases it is not what
+ would intuitively be called a "query".
+
+ Section 5 discusses spontaneous inclusion of TKEY RRs in responses by
+ servers which is currently used only for key deletion.
+
+ Section 6 describes encryption methods for transmitting secret key
+ information. In this document these are used only for the server
+ assigned mode and the resolver assigned mode.
+
+ Section 7 covers IANA considerations in assignment of TKEY modes.
+
+ Finally, Section 8 provides the required security considerations
+ section.
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+2. The TKEY Resource Record
+
+ The TKEY resource record (RR) has the structure given below. Its RR
+ type code is 249.
+
+ Field Type Comment
+ ----- ---- -------
+
+ NAME domain see description below
+ TTYPE u_int16_t TKEY = 249
+ CLASS u_int16_t ignored, SHOULD be 255 (ANY)
+ TTL u_int32_t ignored, SHOULD be zero
+ RDLEN u_int16_t size of RDATA
+ RDATA:
+ Algorithm: domain
+ Inception: u_int32_t
+ Expiration: u_int32_t
+ Mode: u_int16_t
+ Error: u_int16_t
+ Key Size: u_int16_t
+ Key Data: octet-stream
+ Other Size: u_int16_t
+ Other Data: octet-stream undefined by this specification
+
+2.1 The Name Field
+
+ The Name field relates to naming keys. Its meaning differs somewhat
+ with mode and context as explained in subsequent sections.
+
+ At any DNS server or resolver only one octet string of keying
+ material may be in place for any particular key name. An attempt to
+ establish another set of keying material at a server for an existing
+ name returns a BADNAME error.
+
+ For a TKEY with a non-root name appearing in a query, the TKEY RR
+ name SHOULD be a domain locally unique at the resolver, less than 128
+ octets long in wire encoding, and meaningful to the resolver to
+ assist in distinguishing keys and/or key agreement sessions. For
+ TKEY(s) appearing in a response to a query, the TKEY RR name SHOULD
+ be a globally unique server assigned domain.
+
+ A reasonable key naming strategy is as follows:
+
+ If the key is generated as the result of a query with root as its
+ owner name, then the server SHOULD create a globally unique domain
+ name, to be the key name, by suffixing a pseudo-random [RFC 1750]
+ label with a domain name of the server. For example
+ 89n3mDgX072pp.server1.example.com. If generation of a new
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ pseudo-random name in each case is an excessive computation load
+ or entropy drain, a serial number prefix can be added to a fixed
+ pseudo-random name generated an DNS server start time, such as
+ 1001.89n3mDgX072pp.server1.example.com.
+
+ If the key is generated as the result of a query with a non-root
+ name, say 789.resolver.example.net, then use the concatenation of
+ that with a name of the server. For example
+ 789.resolver.example.net.server1.example.com.
+
+2.2 The TTL Field
+
+ The TTL field is meaningless in TKEY RRs. It SHOULD always be zero to
+ be sure that older DNS implementations do not cache TKEY RRs.
+
+2.3 The Algorithm Field
+
+ The algorithm name is in the form of a domain name with the same
+ meaning as in [RFC 2845]. The algorithm determines how the secret
+ keying material agreed to using the TKEY RR is actually used to
+ derive the algorithm specific key.
+
+2.4 The Inception and Expiration Fields
+
+ The inception time and expiration times are in number of seconds
+ since the beginning of 1 January 1970 GMT ignoring leap seconds
+ treated as modulo 2**32 using ring arithmetic [RFC 1982]. In messages
+ between a DNS resolver and a DNS server where these fields are
+ meaningful, they are either the requested validity interval for the
+ keying material asked for or specify the validity interval of keying
+ material provided.
+
+ To avoid different interpretations of the inception and expiration
+ times in TKEY RRs, resolvers and servers exchanging them must have
+ the same idea of what time it is. One way of doing this is with the
+ NTP protocol [RFC 2030] but that or any other time synchronization
+ used for this purpose MUST be done securely.
+
+2.5 The Mode Field
+
+ The mode field specifies the general scheme for key agreement or the
+ purpose of the TKEY DNS message. Servers and resolvers supporting
+ this specification MUST implement the Diffie-Hellman key agreement
+ mode and the key deletion mode for queries. All other modes are
+ OPTIONAL. A server supporting TKEY that receives a TKEY request with
+ a mode it does not support returns the BADMODE error. The following
+ values of the Mode octet are defined, available, or reserved:
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ Value Description
+ ----- -----------
+ 0 - reserved, see section 7
+ 1 server assignment
+ 2 Diffie-Hellman exchange
+ 3 GSS-API negotiation
+ 4 resolver assignment
+ 5 key deletion
+ 6-65534 - available, see section 7
+ 65535 - reserved, see section 7
+
+2.6 The Error Field
+
+ The error code field is an extended RCODE. The following values are
+ defined:
+
+ Value Description
+ ----- -----------
+ 0 - no error
+ 1-15 a non-extended RCODE
+ 16 BADSIG (TSIG)
+ 17 BADKEY (TSIG)
+ 18 BADTIME (TSIG)
+ 19 BADMODE
+ 20 BADNAME
+ 21 BADALG
+
+ When the TKEY Error Field is non-zero in a response to a TKEY query,
+ the DNS header RCODE field indicates no error. However, it is
+ possible if a TKEY is spontaneously included in a response the TKEY
+ RR and DNS header error field could have unrelated non-zero error
+ codes.
+
+2.7 The Key Size and Data Fields
+
+ The key data size field is an unsigned 16 bit integer in network
+ order which specifies the size of the key exchange data field in
+ octets. The meaning of this data depends on the mode.
+
+2.8 The Other Size and Data Fields
+
+ The Other Size and Other Data fields are not used in this
+ specification but may be used in future extensions. The RDLEN field
+ MUST equal the length of the RDATA section through the end of Other
+ Data or the RR is to be considered malformed and rejected.
+
+
+
+
+
+
+Eastlake Standards Track [Page 6]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+3. General TKEY Considerations
+
+ TKEY is a meta-RR that is not stored or cached in the DNS and does
+ not appear in zone files. It supports a variety of modes for the
+ establishment and deletion of shared secret keys information between
+ DNS resolvers and servers. The establishment of such a shared key
+ requires that state be maintained at both ends and the allocation of
+ the resources to maintain such state may require mutual agreement. In
+ the absence of willingness to provide such state, servers MUST return
+ errors such as NOTIMP or REFUSED for an attempt to use TKEY and
+ resolvers are free to ignore any TKEY RRs they receive.
+
+ The shared secret keying material developed by using TKEY is a plain
+ octet sequence. The means by which this shared secret keying
+ material, exchanged via TKEY, is actually used in any particular TSIG
+ algorithm is algorithm dependent and is defined in connection with
+ that algorithm. For example, see [RFC 2104] for how TKEY agreed
+ shared secret keying material is used in the HMAC-MD5 algorithm or
+ other HMAC algorithms.
+
+ There MUST NOT be more than one TKEY RR in a DNS query or response.
+
+ Except for GSS-API mode, TKEY responses MUST always have DNS
+ transaction authentication to protect the integrity of any keying
+ data, error codes, etc. This authentication MUST use a previously
+ established secret (TSIG) or public (SIG(0) [RFC 2931]) key and MUST
+ NOT use any key that the response to be verified is itself providing.
+
+ TKEY queries MUST be authenticated for all modes except GSS-API and,
+ under some circumstances, server assignment mode. In particular, if
+ the query for a server assigned key is for a key to assert some
+ privilege, such as update authority, then the query must be
+ authenticated to avoid spoofing. However, if the key is just to be
+ used for transaction security, then spoofing will lead at worst to
+ denial of service. Query authentication SHOULD use an established
+ secret (TSIG) key authenticator if available. Otherwise, it must use
+ a public (SIG(0)) key signature. It MUST NOT use any key that the
+ query is itself providing.
+
+ In the absence of required TKEY authentication, a NOTAUTH error MUST
+ be returned.
+
+ To avoid replay attacks, it is necessary that a TKEY response or
+ query not be valid if replayed on the order of 2**32 second (about
+ 136 years), or a multiple thereof, later. To accomplish this, the
+ keying material used in any TSIG or SIG(0) RR that authenticates a
+ TKEY message MUST NOT have a lifetime of more then 2**31 - 1 seconds
+
+
+
+
+Eastlake Standards Track [Page 7]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ (about 68 years). Thus, on attempted replay, the authenticating TSIG
+ or SIG(0) RR will not be verifiable due to key expiration and the
+ replay will fail.
+
+4. Exchange via Resolver Query
+
+ One method for a resolver and a server to agree about shared secret
+ keying material for use in TSIG is through DNS requests from the
+ resolver which are syntactically DNS queries for type TKEY. Such
+ queries MUST be accompanied by a TKEY RR in the additional
+ information section to indicate the mode in use and accompanied by
+ other information where required.
+
+ Type TKEY queries SHOULD NOT be flagged as recursive and servers MAY
+ ignore the recursive header bit in TKEY queries they receive.
+
+4.1 Query for Diffie-Hellman Exchanged Keying
+
+ Diffie-Hellman (DH) key exchange is a means whereby two parties can
+ derive some shared secret information without requiring any secrecy
+ of the messages they exchange [Schneier]. Provisions have been made
+ for the storage of DH public keys in the DNS [RFC 2539].
+
+ A resolver sends a query for type TKEY accompanied by a TKEY RR in
+ the additional information section specifying the Diffie-Hellman mode
+ and accompanied by a KEY RR also in the additional information
+ section specifying a resolver Diffie-Hellman key. The TKEY RR
+ algorithm field is set to the authentication algorithm the resolver
+ plans to use. The "key data" provided in the TKEY is used as a random
+ [RFC 1750] nonce to avoid always deriving the same keying material
+ for the same pair of DH KEYs.
+
+ The server response contains a TKEY in its answer section with the
+ Diffie-Hellman mode. The "key data" provided in this TKEY is used as
+ an additional nonce to avoid always deriving the same keying material
+ for the same pair of DH KEYs. If the TKEY error field is non-zero,
+ the query failed for the reason given. FORMERR is given if the query
+ included no DH KEY and BADKEY is given if the query included an
+ incompatible DH KEY.
+
+ If the TKEY error field is zero, the resolver supplied Diffie-Hellman
+ KEY RR SHOULD be echoed in the additional information section and a
+ server Diffie-Hellman KEY RR will also be present in the answer
+ section of the response. Both parties can then calculate the same
+ shared secret quantity from the pair of Diffie-Hellman (DH) keys used
+ [Schneier] (provided these DH keys use the same generator and
+ modulus) and the data in the TKEY RRs. The TKEY RR data is mixed
+ with the DH result as follows:
+
+
+
+Eastlake Standards Track [Page 8]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ keying material =
+ XOR ( DH value, MD5 ( query data | DH value ) |
+ MD5 ( server data | DH value ) )
+
+ Where XOR is an exclusive-OR operation and "|" is byte-stream
+ concatenation. The shorter of the two operands to XOR is byte-wise
+ left justified and padded with zero-valued bytes to match the length
+ of the other operand. "DH value" is the Diffie-Hellman value derived
+ from the KEY RRs. Query data and server data are the values sent in
+ the TKEY RR data fields. These "query data" and "server data" nonces
+ are suffixed by the DH value, digested by MD5, the results
+ concatenated, and then XORed with the DH value.
+
+ The inception and expiry times in the query TKEY RR are those
+ requested for the keying material. The inception and expiry times in
+ the response TKEY RR are the maximum period the server will consider
+ the keying material valid. Servers may pre-expire keys so this is
+ not a guarantee.
+
+4.2 Query for TKEY Deletion
+
+ Keys established via TKEY can be treated as soft state. Since DNS
+ transactions are originated by the resolver, the resolver can simply
+ toss keys, although it may have to go through another key exchange if
+ it later needs one. Similarly, the server can discard keys although
+ that will result in an error on receiving a query with a TSIG using
+ the discarded key.
+
+ To avoid attempted reliance in requests on keys no longer in effect,
+ servers MUST implement key deletion whereby the server "discards" a
+ key on receipt from a resolver of an authenticated delete request for
+ a TKEY RR with the key's name. If the server has no record of a key
+ with that name, it returns BADNAME.
+
+ Key deletion TKEY queries MUST be authenticated. This authentication
+ MAY be a TSIG RR using the key to be deleted.
+
+ For querier assigned and Diffie-Hellman keys, the server MUST truly
+ "discard" all active state associated with the key. For server
+ assigned keys, the server MAY simply mark the key as no longer
+ retained by the client and may re-send it in response to a future
+ query for server assigned keying material.
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 9]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+4.3 Query for GSS-API Establishment
+
+ This mode is described in a separate document under preparation which
+ should be seen for the full description. Basically the resolver and
+ server can exchange queries and responses for type TKEY with a TKEY
+ RR specifying the GSS-API mode in the additional information section
+ and a GSS-API token in the key data portion of the TKEY RR.
+
+ Any issues of possible encryption of parts the GSS-API token data
+ being transmitted are handled by the GSS-API level. In addition, the
+ GSS-API level provides its own authentication so that this mode of
+ TKEY query and response MAY be, but do not need to be, authenticated
+ with TSIG RR or SIG(0) RR [RFC 2931].
+
+ The inception and expiry times in a GSS-API mode TKEY RR are ignored.
+
+4.4 Query for Server Assigned Keying
+
+ Optionally, the server can assign keying for the resolver. It is
+ sent to the resolver encrypted under a resolver public key. See
+ section 6 for description of encryption methods.
+
+ A resolver sends a query for type TKEY accompanied by a TKEY RR
+ specifying the "server assignment" mode and a resolver KEY RR to be
+ used in encrypting the response, both in the additional information
+ section. The TKEY algorithm field is set to the authentication
+ algorithm the resolver plans to use. It is RECOMMENDED that any "key
+ data" provided in the query TKEY RR by the resolver be strongly mixed
+ by the server with server generated randomness [RFC 1750] to derive
+ the keying material to be used. The KEY RR that appears in the query
+ need not be accompanied by a SIG(KEY) RR. If the query is
+ authenticated by the resolver with a TSIG RR [RFC 2845] or SIG(0) RR
+ and that authentication is verified, then any SIG(KEY) provided in
+ the query SHOULD be ignored. The KEY RR in such a query SHOULD have
+ a name that corresponds to the resolver but it is only essential that
+ it be a public key for which the resolver has the corresponding
+ private key so it can decrypt the response data.
+
+ The server response contains a TKEY RR in its answer section with the
+ server assigned mode and echoes the KEY RR provided in the query in
+ its additional information section.
+
+ If the response TKEY error field is zero, the key data portion of the
+ response TKEY RR will be the server assigned keying data encrypted
+ under the public key in the resolver provided KEY RR. In this case,
+ the owner name of the answer TKEY RR will be the server assigned name
+ of the key.
+
+
+
+
+Eastlake Standards Track [Page 10]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ If the error field of the response TKEY is non-zero, the query failed
+ for the reason given. FORMERR is given if the query specified no
+ encryption key.
+
+ The inception and expiry times in the query TKEY RR are those
+ requested for the keying material. The inception and expiry times in
+ the response TKEY are the maximum period the server will consider the
+ keying material valid. Servers may pre-expire keys so this is not a
+ guarantee.
+
+ The resolver KEY RR MUST be authenticated, through the authentication
+ of this query with a TSIG or SIG(0) or the signing of the resolver
+ KEY with a SIG(KEY). Otherwise, an attacker can forge a resolver KEY
+ for which they know the private key, and thereby the attacker could
+ obtain a valid shared secret key from the server.
+
+4.5 Query for Resolver Assigned Keying
+
+ Optionally, a server can accept resolver assigned keys. The keying
+ material MUST be encrypted under a server key for protection in
+ transmission as described in Section 6.
+
+ The resolver sends a TKEY query with a TKEY RR that specifies the
+ encrypted keying material and a KEY RR specifying the server public
+ key used to encrypt the data, both in the additional information
+ section. The name of the key and the keying data are completely
+ controlled by the sending resolver so a globally unique key name
+ SHOULD be used. The KEY RR used MUST be one for which the server has
+ the corresponding private key, or it will not be able to decrypt the
+ keying material and will return a FORMERR. It is also important that
+ no untrusted party (preferably no other party than the server) has
+ the private key corresponding to the KEY RR because, if they do, they
+ can capture the messages to the server, learn the shared secret, and
+ spoof valid TSIGs.
+
+ The query TKEY RR inception and expiry give the time period the
+ querier intends to consider the keying material valid. The server
+ can return a lesser time interval to advise that it will not maintain
+ state for that long and can pre-expire keys in any case.
+
+ This mode of query MUST be authenticated with a TSIG or SIG(0).
+ Otherwise, an attacker can forge a resolver assigned TKEY query, and
+ thereby the attacker could specify a shared secret key that would be
+ accepted, used, and honored by the server.
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 11]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+5. Spontaneous Server Inclusion
+
+ A DNS server may include a TKEY RR spontaneously as additional
+ information in responses. This SHOULD only be done if the server
+ knows the querier understands TKEY and has this option implemented.
+ This technique can be used to delete a key and may be specified for
+ modes defined in the future. A disadvantage of this technique is
+ that there is no way for the server to get any error or success
+ indication back and, in the case of UDP, no way to even know if the
+ DNS response reached the resolver.
+
+5.1 Spontaneous Server Key Deletion
+
+ A server can optionally tell a client that it has deleted a secret
+ key by spontaneously including a TKEY RR in the additional
+ information section of a response with the key's name and specifying
+ the key deletion mode. Such a response SHOULD be authenticated. If
+ authenticated, it "deletes" the key with the given name. The
+ inception and expiry times of the delete TKEY RR are ignored. Failure
+ by a client to receive or properly process such additional
+ information in a response would mean that the client might use a key
+ that the server had discarded and would then get an error indication.
+
+ For server assigned and Diffie-Hellman keys, the client MUST
+ "discard" active state associated with the key. For querier assigned
+ keys, the querier MAY simply mark the key as no longer retained by
+ the server and may re-send it in a future query specifying querier
+ assigned keying material.
+
+6. Methods of Encryption
+
+ For the server assigned and resolver assigned key agreement modes,
+ the keying material is sent within the key data field of a TKEY RR
+ encrypted under the public key in an accompanying KEY RR [RFC 2535].
+ This KEY RR MUST be for a public key algorithm where the public and
+ private keys can be used for encryption and the corresponding
+ decryption which recovers the originally encrypted data. The KEY RR
+ SHOULD correspond to a name for the decrypting resolver/server such
+ that the decrypting process has access to the corresponding private
+ key to decrypt the data. The secret keying material being sent will
+ generally be fairly short, usually less than 256 bits, because that
+ is adequate for very strong protection with modern keyed hash or
+ symmetric algorithms.
+
+ If the KEY RR specifies the RSA algorithm, then the keying material
+ is encrypted as per the description of RSAES-PKCS1-v1_5 encryption in
+ PKCS#1 [RFC 2437]. (Note, the secret keying material being sent is
+ directly RSA encrypted in PKCS#1 format. It is not "enveloped" under
+
+
+
+Eastlake Standards Track [Page 12]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ some other symmetric algorithm.) In the unlikely event that the
+ keying material will not fit within one RSA modulus of the chosen
+ public key, additional RSA encryption blocks are included. The
+ length of each block is clear from the public RSA key specified and
+ the RSAES-PKCS1-v1_5 padding makes it clear what part of the
+ encrypted data is actually keying material and what part is
+ formatting or the required at least eight bytes of random [RFC 1750]
+ padding.
+
+7. IANA Considerations
+
+ This section is to be interpreted as provided in [RFC 2434].
+
+ Mode field values 0x0000 and 0xFFFF are reserved.
+
+ Mode field values 0x0001 through 0x00FF, and 0XFF00 through 0XFFFE
+ can only be assigned by an IETF Standards Action.
+
+ Mode field values 0x0100 through 0x0FFF and 0xF0000 through 0xFEFF
+ are allocated by IESG approval or IETF consensus.
+
+ Mode field values 0x1000 through 0xEFFF are allocated based on
+ Specification Required as defined in [RFC 2434].
+
+ Mode values should not be changed when the status of their use
+ changes. For example, a mode value assigned based just on providing
+ a specification should not be changed later just because that use's
+ status is changed to standards track.
+
+ The following assignments are documented herein:
+
+ RR Type 249 for TKEY.
+
+ TKEY Modes 1 through 5 as listed in section 2.5.
+
+ Extended RCODE Error values of 19, 20, and 21 as listed in section
+ 2.6.
+
+8. Security Considerations
+
+ The entirety of this specification is concerned with the secure
+ establishment of a shared secret between DNS clients and servers in
+ support of TSIG [RFC 2845].
+
+ Protection against denial of service via the use of TKEY is not
+ provided.
+
+
+
+
+
+Eastlake Standards Track [Page 13]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+References
+
+ [Schneier] Bruce Schneier, "Applied Cryptography: Protocols,
+ Algorithms, and Source Code in C", 1996, John Wiley and
+ Sons
+
+ [RFC 1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC 1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC 1750] Eastlake, D., Crocker, S. and J. Schiller, "Randomness
+ Recommendations for Security", RFC 1750, December 1994.
+
+ [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+ September 1996.
+
+ [RFC 1995] Ohta, M., "Incremental Zone Transfer in DNS", RFC 1995,
+ August 1996.
+
+ [RFC 2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4
+ for IPv4, IPv6 and OSI", RFC 2030, October 1996.
+
+ [RFC 2104] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104, February
+ 1997.
+
+ [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC 2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC 2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
+ Specifications Version 2.0", RFC 2437, October 1998.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC 2539] Eastlake, D., "Storage of Diffie-Hellman Keys in the
+ Domain Name System (DNS)", RFC 2539, March 1999.
+
+
+
+
+Eastlake Standards Track [Page 14]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+ [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC 2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s )", RFC 2931, September 2000.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola
+ 140 Forest Avenue
+ Hudson, MA 01749 USA
+
+ Phone: +1 978-562-2827 (h)
+ +1 508-261-5434 (w)
+ Fax: +1 508-261-4447 (w)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 15]
+
+RFC 2930 The DNS TKEY RR September 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 16]
+
diff --git a/contrib/bind9/doc/rfc/rfc2931.txt b/contrib/bind9/doc/rfc/rfc2931.txt
new file mode 100644
index 0000000..84cc97e
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc2931.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake 3rd
+Request for Comments: 2931 Motorola
+Updates: 2535 September 2000
+Category: Standards Track
+
+
+ DNS Request and Transaction Signatures ( SIG(0)s )
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ Extensions to the Domain Name System (DNS) are described in [RFC
+ 2535] that can provide data origin and transaction integrity and
+ authentication to security aware resolvers and applications through
+ the use of cryptographic digital signatures.
+
+ Implementation experience has indicated the need for minor but non-
+ interoperable changes in Request and Transaction signature resource
+ records ( SIG(0)s ). These changes are documented herein.
+
+Acknowledgments
+
+ The contributions and suggestions of the following persons (in
+ alphabetic order) to this memo are gratefully acknowledged:
+
+ Olafur Gudmundsson
+
+ Ed Lewis
+
+ Erik Nordmark
+
+ Brian Wellington
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 1]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+Table of Contents
+
+ 1. Introduction................................................. 2
+ 2. SIG(0) Design Rationale...................................... 3
+ 2.1 Transaction Authentication.................................. 3
+ 2.2 Request Authentication...................................... 3
+ 2.3 Keying...................................................... 3
+ 2.4 Differences Between TSIG and SIG(0)......................... 4
+ 3. The SIG(0) Resource Record................................... 4
+ 3.1 Calculating Request and Transaction SIGs.................... 5
+ 3.2 Processing Responses and SIG(0) RRs......................... 6
+ 3.3 SIG(0) Lifetime and Expiration.............................. 7
+ 4. Security Considerations...................................... 7
+ 5. IANA Considerations.......................................... 7
+ References...................................................... 7
+ Author's Address................................................ 8
+ Appendix: SIG(0) Changes from RFC 2535.......................... 9
+ Full Copyright Statement........................................ 10
+
+1. Introduction
+
+ This document makes minor but non-interoperable changes to part of
+ [RFC 2535], familiarity with which is assumed, and includes
+ additional explanatory text. These changes concern SIG Resource
+ Records (RRs) that are used to digitally sign DNS requests and
+ transactions / responses. Such a resource record, because it has a
+ type covered field of zero, is frequently called a SIG(0). The
+ changes are based on implementation and attempted implementation
+ experience with TSIG [RFC 2845] and the [RFC 2535] specification for
+ SIG(0).
+
+ Sections of [RFC 2535] updated are all of 4.1.8.1 and parts of 4.2
+ and 4.3. No changes are made herein related to the KEY or NXT RRs or
+ to the processing involved with data origin and denial authentication
+ for DNS data.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 2]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+2. SIG(0) Design Rationale
+
+ SIG(0) provides protection for DNS transactions and requests that is
+ not provided by the regular SIG, KEY, and NXT RRs specified in [RFC
+ 2535]. The authenticated data origin services of secure DNS either
+ provide protected data resource records (RRs) or authenticatably deny
+ their nonexistence. These services provide no protection for glue
+ records, DNS requests, no protection for message headers on requests
+ or responses, and no protection of the overall integrity of a
+ response.
+
+2.1 Transaction Authentication
+
+ Transaction authentication means that a requester can be sure it is
+ at least getting the messages from the server it queried and that the
+ received messages are in response to the query it sent. This is
+ accomplished by optionally adding either a TSIG RR [RFC 2845] or, as
+ described herein, a SIG(0) resource record at the end of the response
+ which digitally signs the concatenation of the server's response and
+ the corresponding resolver query.
+
+2.2 Request Authentication
+
+ Requests can also be authenticated by including a TSIG or, as
+ described herein, a special SIG(0) RR at the end of the request.
+ Authenticating requests serves no function in DNS servers that
+ predate the specification of dynamic update. Requests with a non-
+ empty additional information section produce error returns or may
+ even be ignored by a few such older DNS servers. However, this syntax
+ for signing requests is defined for authenticating dynamic update
+ requests [RFC 2136], TKEY requests [RFC 2930], or future requests
+ requiring authentication.
+
+2.3 Keying
+
+ The private keys used in transaction security belong to the host
+ composing the DNS response message, not to the zone involved.
+ Request authentication may also involve the private key of the host
+ or other entity composing the request or of a zone to be affected by
+ the request or other private keys depending on the request authority
+ it is sought to establish. The corresponding public key(s) are
+ normally stored in and retrieved from the DNS for verification as KEY
+ RRs with a protocol byte of 3 (DNSSEC) or 255 (ANY).
+
+ Because requests and replies are highly variable, message
+ authentication SIGs can not be pre-calculated. Thus it will be
+ necessary to keep the private key on-line, for example in software or
+ in a directly connected piece of hardware.
+
+
+
+Eastlake Standards Track [Page 3]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+2.4 Differences Between TSIG and SIG(0)
+
+ There are significant differences between TSIG and SIG(0).
+
+ Because TSIG involves secret keys installed at both the requester and
+ server the presence of such a key implies that the other party
+ understands TSIG and very likely has the same key installed.
+ Furthermore, TSIG uses keyed hash authentication codes which are
+ relatively inexpensive to compute. Thus it is common to authenticate
+ requests with TSIG and responses are authenticated with TSIG if the
+ corresponding request is authenticated.
+
+ SIG(0) on the other hand, uses public key authentication, where the
+ public keys are stored in DNS as KEY RRs and a private key is stored
+ at the signer. Existence of such a KEY RR does not necessarily imply
+ implementation of SIG(0). In addition, SIG(0) involves relatively
+ expensive public key cryptographic operations that should be
+ minimized and the verification of a SIG(0) involves obtaining and
+ verifying the corresponding KEY which can be an expensive and lengthy
+ operation. Indeed, a policy of using SIG(0) on all requests and
+ verifying it before responding would, for some configurations, lead
+ to a deadly embrace with the attempt to obtain and verify the KEY
+ needed to authenticate the request SIG(0) resulting in additional
+ requests accompanied by a SIG(0) leading to further requests
+ accompanied by a SIG(0), etc. Furthermore, omitting SIG(0)s when not
+ required on requests halves the number of public key operations
+ required by the transaction.
+
+ For these reasons, SIG(0)s SHOULD only be used on requests when
+ necessary to authenticate that the requester has some required
+ privilege or identity. SIG(0)s on replies are defined in such a way
+ as to not require a SIG(0) on the corresponding request and still
+ provide transaction protection. For other replies, whether they are
+ authenticated by the server or required to be authenticated by the
+ requester SHOULD be a local configuration option.
+
+3. The SIG(0) Resource Record
+
+ The structure of and type number of SIG resource records (RRs) is
+ given in [RFC 2535] Section 4.1. However all of Section 4.1.8.1 and
+ the parts of Sections 4.2 and 4.3 related to SIG(0) should be
+ considered replaced by the material below. Any conflict between [RFC
+ 2535] and this document concerning SIG(0) RRs should be resolved in
+ favor of this document.
+
+ For all transaction SIG(0)s, the signer field MUST be a name of the
+ originating host and there MUST be a KEY RR at that name with the
+ public key corresponding to the private key used to calculate the
+
+
+
+Eastlake Standards Track [Page 4]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+ signature. (The host domain name used may be the inverse IP address
+ mapping name for an IP address of the host if the relevant KEY is
+ stored there.)
+
+ For all SIG(0) RRs, the owner name, class, TTL, and original TTL, are
+ meaningless. The TTL fields SHOULD be zero and the CLASS field
+ SHOULD be ANY. To conserve space, the owner name SHOULD be root (a
+ single zero octet). When SIG(0) authentication on a response is
+ desired, that SIG RR MUST be considered the highest priority of any
+ additional information for inclusion in the response. If the SIG(0)
+ RR cannot be added without causing the message to be truncated, the
+ server MUST alter the response so that a SIG(0) can be included.
+ This response consists of only the question and a SIG(0) record, and
+ has the TC bit set and RCODE 0 (NOERROR). The client should at this
+ point retry the request using TCP.
+
+3.1 Calculating Request and Transaction SIGs
+
+ A DNS request may be optionally signed by including one SIG(0)s at
+ the end of the query additional information section. Such a SIG is
+ identified by having a "type covered" field of zero. It signs the
+ preceding DNS request message including DNS header but not including
+ the UDP/IP header and before the request RR counts have been adjusted
+ for the inclusions of the request SIG(0).
+
+ It is calculated by using a "data" (see [RFC 2535], Section 4.1.8) of
+ (1) the SIG's RDATA section entirely omitting (not just zeroing) the
+ signature subfield itself, (2) the DNS query messages, including DNS
+ header, but not the UDP/IP header and before the reply RR counts have
+ been adjusted for the inclusion of the SIG(0). That is
+
+ data = RDATA | request - SIG(0)
+
+ where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
+ calculated less the signature itself.
+
+ Similarly, a SIG(0) can be used to secure a response and the request
+ that produced it. Such transaction signatures are calculated by
+ using a "data" of (1) the SIG's RDATA section omitting the signature
+ itself, (2) the entire DNS query message that produced this response,
+ including the query's DNS header but not its UDP/IP header, and (3)
+ the entire DNS response message, including DNS header but not the
+ UDP/IP header and before the response RR counts have been adjusted
+ for the inclusion of the SIG(0).
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 5]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+ That is
+
+ data = RDATA | full query | response - SIG(0)
+
+ where "|" is concatenation and RDATA is the RDATA of the SIG(0) being
+ calculated less the signature itself.
+
+ Verification of a response SIG(0) (which is signed by the server host
+ key, not the zone key) by the requesting resolver shows that the
+ query and response were not tampered with in transit, that the
+ response corresponds to the intended query, and that the response
+ comes from the queried server.
+
+ In the case of a DNS message via TCP, a SIG(0) on the first data
+ packet is calculated with "data" as above and for each subsequent
+ packet, it is calculated as follows:
+
+ data = RDATA | DNS payload - SIG(0) | previous packet
+
+ where "|" is concatenations, RDATA is as above, and previous packet
+ is the previous DNS payload including DNS header and the SIG(0) but
+ not the TCP/IP header. Support of SIG(0) for TCP is OPTIONAL. As an
+ alternative, TSIG may be used after, if necessary, setting up a key
+ with TKEY [RFC 2930].
+
+ Except where needed to authenticate an update, TKEY, or similar
+ privileged request, servers are not required to check a request
+ SIG(0).
+
+ Note: requests and responses can either have a single TSIG or one
+ SIG(0) but not both a TSIG and a SIG(0).
+
+3.2 Processing Responses and SIG(0) RRs
+
+ If a SIG RR is at the end of the additional information section of a
+ response and has a type covered of zero, it is a transaction
+ signature covering the response and the query that produced the
+ response. For TKEY responses, it MUST be checked and the message
+ rejected if the checks fail unless otherwise specified for the TKEY
+ mode in use. For all other responses, it MAY be checked and the
+ message rejected if the checks fail.
+
+ If a response's SIG(0) check succeed, such a transaction
+ authentication SIG does NOT directly authenticate the validity any
+ data-RRs in the message. However, it authenticates that they were
+ sent by the queried server and have not been diddled. (Only a proper
+ SIG(0) RR signed by the zone or a key tracing its authority to the
+ zone or to static resolver configuration can directly authenticate
+
+
+
+Eastlake Standards Track [Page 6]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+ data-RRs, depending on resolver policy.) If a resolver or server does
+ not implement transaction and/or request SIGs, it MUST ignore them
+ without error where they are optional and treat them as failing where
+ they are required.
+
+3.3 SIG(0) Lifetime and Expiration
+
+ The inception and expiration times in SIG(0)s are for the purpose of
+ resisting replay attacks. They should be set to form a time bracket
+ such that messages outside that bracket can be ignored. In IP
+ networks, this time bracket should not normally extend further than 5
+ minutes into the past and 5 minutes into the future.
+
+4. Security Considerations
+
+ No additional considerations beyond those in [RFC 2535].
+
+ The inclusion of the SIG(0) inception and expiration time under the
+ signature improves resistance to replay attacks.
+
+5. IANA Considerations
+
+ No new parameters are created or parameter values assigned by this
+ document.
+
+References
+
+ [RFC 1982] Elz, R. and R. Bush, "Serial Number Arithmetic", RFC 1982,
+ September 1996.
+
+ [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC 2136] Vixie, P., Thomson, S., Rekhter, Y. and J. Bound, "Dynamic
+ Updates in the Domain Name System (DNS UPDATE)", RFC 2136,
+ April 1997.
+
+ [RFC 2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC 2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Signatures for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC 2930] Eastlake, D., "Secret Key Establishment for DNS (RR)", RFC
+ 2930, September 2000.
+
+
+
+
+
+Eastlake Standards Track [Page 7]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola
+ 140 Forest Avenue
+ Hudson, MA 01749 USA
+
+ Phone: +1-978-562-2827(h)
+ +1-508-261-5434(w)
+ Fax: +1 978-567-7941(h)
+ +1-508-261-4447(w)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 8]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+Appendix: SIG(0) Changes from RFC 2535
+
+ Add explanatory text concerning the differences between TSIG and
+ SIG(0).
+
+ Change the data over which SIG(0) is calculated to include the SIG(0)
+ RDATA other than the signature itself so as to secure the signature
+ inception and expiration times and resist replay attacks. Specify
+ SIG(0) for TCP.
+
+ Add discussion of appropriate inception and expiration times for
+ SIG(0).
+
+ Add wording to indicate that either a TSIG or one or more SIG(0)s may
+ be present but not both.
+
+ Reword some areas for clarity.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 9]
+
+RFC 2931 DNS SIG(0) September 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Eastlake Standards Track [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc3007.txt b/contrib/bind9/doc/rfc/rfc3007.txt
new file mode 100644
index 0000000..1697475
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3007.txt
@@ -0,0 +1,507 @@
+
+
+
+
+
+
+Network Working Group B. Wellington
+Request for Comments: 3007 Nominum
+Updates: 2535, 2136 November 2000
+Obsoletes: 2137
+Category: Standards Track
+
+
+ Secure Domain Name System (DNS) Dynamic Update
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document proposes a method for performing secure Domain Name
+ System (DNS) dynamic updates. The method described here is intended
+ to be flexible and useful while requiring as few changes to the
+ protocol as possible. The authentication of the dynamic update
+ message is separate from later DNSSEC validation of the data. Secure
+ communication based on authenticated requests and transactions is
+ used to provide authorization.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+1 - Introduction
+
+ This document defines a means to secure dynamic updates of the Domain
+ Name System (DNS), allowing only authorized sources to make changes
+ to a zone's contents. The existing unsecured dynamic update
+ operations form the basis for this work.
+
+ Familiarity with the DNS system [RFC1034, RFC1035] and dynamic update
+ [RFC2136] is helpful and is assumed by this document. In addition,
+ knowledge of DNS security extensions [RFC2535], SIG(0) transaction
+ security [RFC2535, RFC2931], and TSIG transaction security [RFC2845]
+ is recommended.
+
+
+
+
+Wellington Standards Track [Page 1]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+ This document updates portions of RFC 2535, in particular section
+ 3.1.2, and RFC 2136. This document obsoletes RFC 2137, an alternate
+ proposal for secure dynamic update, due to implementation experience.
+
+1.1 - Overview of DNS Dynamic Update
+
+ DNS dynamic update defines a new DNS opcode and a new interpretation
+ of the DNS message if that opcode is used. An update can specify
+ insertions or deletions of data, along with prerequisites necessary
+ for the updates to occur. All tests and changes for a DNS update
+ request are restricted to a single zone, and are performed at the
+ primary server for the zone. The primary server for a dynamic zone
+ must increment the zone SOA serial number when an update occurs or
+ before the next retrieval of the SOA.
+
+1.2 - Overview of DNS Transaction Security
+
+ Exchanges of DNS messages which include TSIG [RFC2845] or SIG(0)
+ [RFC2535, RFC2931] records allow two DNS entities to authenticate DNS
+ requests and responses sent between them. A TSIG MAC (message
+ authentication code) is derived from a shared secret, and a SIG(0) is
+ generated from a private key whose public counterpart is stored in
+ DNS. In both cases, a record containing the message signature/MAC is
+ included as the final resource record in a DNS message. Keyed
+ hashes, used in TSIG, are inexpensive to calculate and verify.
+ Public key encryption, as used in SIG(0), is more scalable as the
+ public keys are stored in DNS.
+
+1.3 - Comparison of data authentication and message authentication
+
+ Message based authentication, using TSIG or SIG(0), provides
+ protection for the entire message with a single signing and single
+ verification which, in the case of TSIG, is a relatively inexpensive
+ MAC creation and check. For update requests, this signature can
+ establish, based on policy or key negotiation, the authority to make
+ the request.
+
+ DNSSEC SIG records can be used to protect the integrity of individual
+ RRs or RRsets in a DNS message with the authority of the zone owner.
+ However, this cannot sufficiently protect the dynamic update request.
+
+ Using SIG records to secure RRsets in an update request is
+ incompatible with the design of update, as described below, and would
+ in any case require multiple expensive public key signatures and
+ verifications.
+
+
+
+
+
+
+Wellington Standards Track [Page 2]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+ SIG records do not cover the message header, which includes record
+ counts. Therefore, it is possible to maliciously insert or remove
+ RRsets in an update request without causing a verification failure.
+
+ If SIG records were used to protect the prerequisite section, it
+ would be impossible to determine whether the SIGs themselves were a
+ prerequisite or simply used for validation.
+
+ In the update section of an update request, signing requests to add
+ an RRset is straightforward, and this signature could be permanently
+ used to protect the data, as specified in [RFC2535]. However, if an
+ RRset is deleted, there is no data for a SIG to cover.
+
+1.4 - Data and message signatures
+
+ As specified in [RFC3008], the DNSSEC validation process performed by
+ a resolver MUST NOT process any non-zone keys unless local policy
+ dictates otherwise. When performing secure dynamic update, all zone
+ data modified in a signed zone MUST be signed by a relevant zone key.
+ This completely disassociates authentication of an update request
+ from authentication of the data itself.
+
+ The primary usefulness of host and user keys, with respect to DNSSEC,
+ is to authenticate messages, including dynamic updates. Thus, host
+ and user keys MAY be used to generate SIG(0) records to authenticate
+ updates and MAY be used in the TKEY [RFC2930] process to generate
+ TSIG shared secrets. In both cases, no SIG records generated by
+ non-zone keys will be used in a DNSSEC validation process unless
+ local policy dictates.
+
+ Authentication of data, once it is present in DNS, only involves
+ DNSSEC zone keys and signatures generated by them.
+
+1.5 - Signatory strength
+
+ [RFC2535, section 3.1.2] defines the signatory field of a key as the
+ final 4 bits of the flags field, but does not define its value. This
+ proposal leaves this field undefined. Updating [RFC2535], this field
+ SHOULD be set to 0 in KEY records, and MUST be ignored.
+
+2 - Authentication
+
+ TSIG or SIG(0) records MUST be included in all secure dynamic update
+ messages. This allows the server to verifiably determine the
+ originator of a message. If the message contains authentication in
+ the form of a SIG(0), the identity of the sender (that is, the
+ principal) is the owner of the KEY RR that generated the SIG(0). If
+ the message contains a TSIG generated by a statically configured
+
+
+
+Wellington Standards Track [Page 3]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+ shared secret, the principal is the same as or derived from the
+ shared secret name. If the message contains a TSIG generated by a
+ dynamically configured shared secret, the principal is the same as
+ the one that authenticated the TKEY process; if the TKEY process was
+ unauthenticated, no information is known about the principal, and the
+ associated TSIG shared secret MUST NOT be used for secure dynamic
+ update.
+
+ SIG(0) signatures SHOULD NOT be generated by zone keys, since
+ transactions are initiated by a host or user, not a zone.
+
+ DNSSEC SIG records (other than SIG(0)) MAY be included in an update
+ message, but MUST NOT be used to authenticate the update request.
+
+ If an update fails because it is signed with an unauthorized key, the
+ server MUST indicate failure by returning a message with RCODE
+ REFUSED. Other TSIG, SIG(0), or dynamic update errors are returned
+ as specified in the appropriate protocol description.
+
+3 - Policy
+
+ All policy is configured by the zone administrator and enforced by
+ the zone's primary name server. Policy dictates the authorized
+ actions that an authenticated principal can take. Policy checks are
+ based on the principal and the desired action, where the principal is
+ derived from the message signing key and applied to dynamic update
+ messages signed with that key.
+
+ The server's policy defines criteria which determine if the key used
+ to sign the update is permitted to perform the requested updates. By
+ default, a principal MUST NOT be permitted to make any changes to
+ zone data; any permissions MUST be enabled though configuration.
+
+ The policy is fully implemented in the primary zone server's
+ configuration for several reasons. This removes limitations imposed
+ by encoding policy into a fixed number of bits (such as the KEY RR's
+ signatory field). Policy is only relevant in the server applying it,
+ so there is no reason to expose it. Finally, a change in policy or a
+ new type of policy should not affect the DNS protocol or data format,
+ and should not cause interoperability failures.
+
+3.1 - Standard policies
+
+ Implementations SHOULD allow access control policies to use the
+ principal as an authorization token, and MAY also allow policies to
+ grant permission to a signed message regardless of principal.
+
+
+
+
+
+Wellington Standards Track [Page 4]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+ A common practice would be to restrict the permissions of a principal
+ by domain name. That is, a principal could be permitted to add,
+ delete, or modify entries corresponding to one or more domain names.
+ Implementations SHOULD allow per-name access control, and SHOULD
+ provide a concise representation of the principal's own name, its
+ subdomains, and all names in the zone.
+
+ Additionally, a server SHOULD allow restricting updates by RR type,
+ so that a principal could add, delete, or modify specific record
+ types at certain names. Implementations SHOULD allow per-type access
+ control, and SHOULD provide concise representations of all types and
+ all "user" types, where a user type is defined as one that does not
+ affect the operation of DNS itself.
+
+3.1.1 - User types
+
+ User types include all data types except SOA, NS, SIG, and NXT. SOA
+ and NS records SHOULD NOT be modified by normal users, since these
+ types create or modify delegation points. The addition of SIG
+ records can lead to attacks resulting in additional workload for
+ resolvers, and the deletion of SIG records could lead to extra work
+ for the server if the zone SIG was deleted. Note that these records
+ are not forbidden, but not recommended for normal users.
+
+ NXT records MUST NOT be created, modified, or deleted by dynamic
+ update, as their update may cause instability in the protocol. This
+ is an update to RFC 2136.
+
+ Issues concerning updates of KEY records are discussed in the
+ Security Considerations section.
+
+3.2 - Additional policies
+
+ Users are free to implement any policies. Policies may be as
+ specific or general as desired, and as complex as desired. They may
+ depend on the principal or any other characteristics of the signed
+ message.
+
+4 - Interaction with DNSSEC
+
+ Although this protocol does not change the way updates to secure
+ zones are processed, there are a number of issues that should be
+ clarified.
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 5]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+4.1 - Adding SIGs
+
+ An authorized update request MAY include SIG records with each RRset.
+ Since SIG records (except SIG(0) records) MUST NOT be used for
+ authentication of the update message, they are not required.
+
+ If a principal is authorized to update SIG records and there are SIG
+ records in the update, the SIG records are added without
+ verification. The server MAY examine SIG records and drop SIGs with
+ a temporal validity period in the past.
+
+4.2 - Deleting SIGs
+
+ If a principal is authorized to update SIG records and the update
+ specifies the deletion of SIG records, the server MAY choose to
+ override the authority and refuse the update. For example, the
+ server may allow all SIG records not generated by a zone key to be
+ deleted.
+
+4.3 - Non-explicit updates to SIGs
+
+ If the updated zone is secured, the RRset affected by an update
+ operation MUST, at the completion of the update, be signed in
+ accordance with the zone's signing policy. This will usually require
+ one or more SIG records to be generated by one or more zone keys
+ whose private components MUST be online [RFC3008].
+
+ When the contents of an RRset are updated, the server MAY delete all
+ associated SIG records, since they will no longer be valid.
+
+4.4 - Effects on the zone
+
+ If any changes are made, the server MUST, if necessary, generate a
+ new SOA record and new NXT records, and sign these with the
+ appropriate zone keys. Changes to NXT records by secure dynamic
+ update are explicitly forbidden. SOA updates are allowed, since the
+ maintenance of SOA parameters is outside of the scope of the DNS
+ protocol.
+
+5 - Security Considerations
+
+ This document requires that a zone key and possibly other
+ cryptographic secret material be held in an on-line, network-
+ connected host, most likely a name server. This material is at the
+ mercy of host security to remain a secret. Exposing this secret puts
+ DNS data at risk of masquerade attacks. The data at risk is that in
+ both zones served by the machine and delegated from this machine.
+
+
+
+
+Wellington Standards Track [Page 6]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+ Allowing updates of KEY records may lead to undesirable results,
+ since a principal may be allowed to insert a public key without
+ holding the private key, and possibly masquerade as the key owner.
+
+6 - Acknowledgements
+
+ The author would like to thank the following people for review and
+ informative comments (in alphabetical order):
+
+ Harald Alvestrand
+ Donald Eastlake
+ Olafur Gudmundsson
+ Andreas Gustafsson
+ Bob Halley
+ Stuart Kwan
+ Ed Lewis
+
+7 - References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2136] Vixie (Ed.), P., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System", RFC 2136,
+ April 1997.
+
+ [RFC2137] Eastlake, D., "Secure Domain Name System Dynamic Update",
+ RFC 2137, April 1997.
+
+ [RFC2535] Eastlake, G., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Signatures for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2930] Eastlake, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s)", RFC 2931, September 2000.
+
+ [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
+ Signing Authority", RFC 3008, November 2000.
+
+
+
+
+Wellington Standards Track [Page 7]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+8 - Author's Address
+
+ Brian Wellington
+ Nominum, Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 381 6022
+ EMail: Brian.Wellington@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 8]
+
+RFC 3007 Secure Dynamic Update November 2000
+
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 9]
+
diff --git a/contrib/bind9/doc/rfc/rfc3008.txt b/contrib/bind9/doc/rfc/rfc3008.txt
new file mode 100644
index 0000000..08a4a8f
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3008.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group B. Wellington
+Request for Comments: 3008 Nominum
+Updates: 2535 November 2000
+Category: Standards Track
+
+
+ Domain Name System Security (DNSSEC) Signing Authority
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This document proposes a revised model of Domain Name System Security
+ (DNSSEC) Signing Authority. The revised model is designed to clarify
+ earlier documents and add additional restrictions to simplify the
+ secure resolution process. Specifically, this affects the
+ authorization of keys to sign sets of records.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+1 - Introduction
+
+ This document defines additional restrictions on DNSSEC signatures
+ (SIG) records relating to their authority to sign associated data.
+ The intent is to establish a standard policy followed by a secure
+ resolver; this policy can be augmented by local rules. This builds
+ upon [RFC2535], updating section 2.3.6 of that document.
+
+ The most significant change is that in a secure zone, zone data is
+ required to be signed by the zone key.
+
+ Familiarity with the DNS system [RFC1034, RFC1035] and the DNS
+ security extensions [RFC2535] is assumed.
+
+
+
+
+
+
+Wellington Standards Track [Page 1]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+2 - The SIG Record
+
+ A SIG record is normally associated with an RRset, and "covers" (that
+ is, demonstrates the authenticity and integrity of) the RRset. This
+ is referred to as a "data SIG". Note that there can be multiple SIG
+ records covering an RRset, and the same validation process should be
+ repeated for each of them. Some data SIGs are considered "material",
+ that is, relevant to a DNSSEC capable resolver, and some are
+ "immaterial" or "extra-DNSSEC", as they are not relevant to DNSSEC
+ validation. Immaterial SIGs may have application defined roles. SIG
+ records may exist which are not bound to any RRset; these are also
+ considered immaterial. The validation process determines which SIGs
+ are material; once a SIG is shown to be immaterial, no other
+ validation is necessary.
+
+ SIGs may also be used for transaction security. In this case, a SIG
+ record with a type covered field of 0 is attached to a message, and
+ is used to protect message integrity. This is referred to as a
+ SIG(0) [RFC2535, RFC2931].
+
+ The following sections define requirements for all of the fields of a
+ SIG record. These requirements MUST be met in order for a DNSSEC
+ capable resolver to process this signature. If any of these
+ requirements are not met, the SIG cannot be further processed.
+ Additionally, once a KEY has been identified as having generated this
+ SIG, there are requirements that it MUST meet.
+
+2.1 - Type Covered
+
+ For a data SIG, the type covered MUST be the same as the type of data
+ in the associated RRset. For a SIG(0), the type covered MUST be 0.
+
+2.2 - Algorithm Number
+
+ The algorithm specified in a SIG MUST be recognized by the client,
+ and it MUST be an algorithm that has a defined SIG rdata format.
+
+2.3 - Labels
+
+ The labels count MUST be less than or equal to the number of labels
+ in the SIG owner name, as specified in [RFC2535, section 4.1.3].
+
+2.4 - Original TTL
+
+ The original TTL MUST be greater than or equal to the TTL of the SIG
+ record itself, since the TTL cannot be increased by intermediate
+ servers. This field can be ignored for SIG(0) records.
+
+
+
+
+Wellington Standards Track [Page 2]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+2.5 - Signature Expiration and Inception
+
+ The current time at the time of validation MUST lie within the
+ validity period bounded by the inception and expiration times.
+
+2.6 - Key Tag
+
+ There are no restrictions on the Key Tag field, although it is
+ possible that future algorithms will impose constraints.
+
+2.7 - Signer's Name
+
+ The signer's name field of a data SIG MUST contain the name of the
+ zone to which the data and signature belong. The combination of
+ signer's name, key tag, and algorithm MUST identify a zone key if the
+ SIG is to be considered material. The only exception that the
+ signer's name field in a SIG KEY at a zone apex SHOULD contain the
+ parent zone's name, unless the KEY set is self-signed. This document
+ defines a standard policy for DNSSEC validation; local policy may
+ override the standard policy.
+
+ There are no restrictions on the signer field of a SIG(0) record.
+ The combination of signer's name, key tag, and algorithm MUST
+ identify a key if this SIG(0) is to be processed.
+
+2.8 - Signature
+
+ There are no restrictions on the signature field. The signature will
+ be verified at some point, but does not need to be examined prior to
+ verification unless a future algorithm imposes constraints.
+
+3 - The Signing KEY Record
+
+ Once a signature has been examined and its fields validated (but
+ before the signature has been verified), the resolver attempts to
+ locate a KEY that matches the signer name, key tag, and algorithm
+ fields in the SIG. If one is not found, the SIG cannot be verified
+ and is considered immaterial. If KEYs are found, several fields of
+ the KEY record MUST have specific values if the SIG is to be
+ considered material and authorized. If there are multiple KEYs, the
+ following checks are performed on all of them, as there is no way to
+ determine which one generated the signature until the verification is
+ performed.
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 3]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+3.1 - Type Flags
+
+ The signing KEY record MUST have a flags value of 00 or 01
+ (authentication allowed, confidentiality optional) [RFC2535, 3.1.2].
+ A DNSSEC resolver MUST only trust signatures generated by keys that
+ are permitted to authenticate data.
+
+3.2 - Name Flags
+
+ The interpretation of this field is considerably different for data
+ SIGs and SIG(0) records.
+
+3.2.1 - Data SIG
+
+ If the SIG record covers an RRset, the name type of the associated
+ KEY MUST be 01 (zone) [RFC2535, 3.1.2]. This updates RFC 2535,
+ section 2.3.6. The DNSSEC validation process performed by a resolver
+ MUST ignore all keys that are not zone keys unless local policy
+ dictates otherwise.
+
+ The primary reason that RFC 2535 allows host and user keys to
+ generate material DNSSEC signatures is to allow dynamic update
+ without online zone keys; that is, avoid storing private keys in an
+ online server. The desire to avoid online signing keys cannot be
+ achieved, though, because they are necessary to sign NXT and SOA sets
+ [RFC3007]. These online zone keys can sign any incoming data.
+ Removing the goal of having no online keys removes the reason to
+ allow host and user keys to generate material signatures.
+
+ Limiting material signatures to zone keys simplifies the validation
+ process. The length of the verification chain is bounded by the
+ name's label depth. The authority of a key is clearly defined; a
+ resolver does not need to make a potentially complicated decision to
+ determine whether a key has the proper authority to sign data.
+
+ Finally, there is no additional flexibility granted by allowing
+ host/user key generated material signatures. As long as users and
+ hosts have the ability to authenticate update requests to the primary
+ zone server, signatures by zone keys are sufficient to protect the
+ integrity of the data to the world at large.
+
+3.2.2 - SIG(0)
+
+ If the SIG record is a SIG(0) protecting a message, the name type of
+ the associated KEY SHOULD be 00 (user) or 10 (host/entity).
+ Transactions are initiated by a host or user, not a zone, so zone
+ keys SHOULD not generate SIG(0) records.
+
+
+
+
+Wellington Standards Track [Page 4]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+ A client is either explicitly executed by a user or on behalf of a
+ host, therefore the name type of a SIG(0) generated by a client
+ SHOULD be either user or host. A nameserver is associated with a
+ host, and its use of SIG(0) is not associated with a particular zone,
+ so the name type of a SIG(0) generated by a nameserver SHOULD be
+ host.
+
+3.3 - Signatory Flags
+
+ This document does not assign any values to the signatory field, nor
+ require any values to be present.
+
+3.4 - Protocol
+
+ The signing KEY record MUST have a protocol value of 3 (DNSSEC) or
+ 255 (ALL). If a key is not specified for use with DNSSEC, a DNSSEC
+ resolver MUST NOT trust any signature that it generates.
+
+3.5 - Algorithm Number
+
+ The algorithm field MUST be identical to that of the generated SIG
+ record, and MUST meet all requirements for an algorithm value in a
+ SIG record.
+
+4 - Security Considerations
+
+ This document defines a standard baseline for a DNSSEC capable
+ resolver. This is necessary for a thorough security analysis of
+ DNSSEC, if one is to be done.
+
+ Specifically, this document places additional restrictions on SIG
+ records that a resolver must validate before the signature can be
+ considered worthy of DNSSEC trust. This simplifies the protocol,
+ making it more robust and able to withstand scrutiny by the security
+ community.
+
+5 - Acknowledgements
+
+ The author would like to thank the following people for review and
+ informative comments (in alphabetical order):
+
+ Olafur Gudmundsson
+ Ed Lewis
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 5]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+6 - References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie (Ed.), P., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System", RFC 2136,
+ April 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s )", RFC 2931, September 2000.
+
+ [RFC3007] Wellington, B., "Simple Secure Domain Name System
+ (DNS) Dynamic Update", RFC 3007, November 2000.
+
+7 - Author's Address
+
+ Brian Wellington
+ Nominum, Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+
+ Phone: +1 650 381 6022
+ EMail: Brian.Wellington@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 6]
+
+RFC 3008 DNSSEC Signing Authority November 2000
+
+
+8 Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc3071.txt b/contrib/bind9/doc/rfc/rfc3071.txt
new file mode 100644
index 0000000..2c4d52f
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3071.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group J. Klensin
+Request for Comments: 3071 February 2001
+Category: Informational
+
+
+ Reflections on the DNS, RFC 1591, and Categories of Domains
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ RFC 1591, "Domain Name System Structure and Delegation", laid out the
+ basic administrative design and principles for the allocation and
+ administration of domains, from the top level down. It was written
+ before the introduction of the world wide web (WWW) and rapid growth
+ of the Internet put significant market, social, and political
+ pressure on domain name allocations. In recent years, 1591 has been
+ cited by all sides in various debates, and attempts have been made by
+ various bodies to update it or adjust its provisions, sometimes under
+ pressures that have arguably produced policies that are less well
+ thought out than the original. Some of those efforts have begun from
+ misconceptions about the provisions of 1591 or the motivation for
+ those provisions. The current directions of the Internet Corporation
+ for Assigned Names and Numbers (ICANN) and other groups who now
+ determine the Domain Name System (DNS) policy directions appear to be
+ drifting away from the policies and philosophy of 1591. This
+ document is being published primarily for historical context and
+ comparative purposes, essentially to document some thoughts about how
+ 1591 might have been interpreted and adjusted by the Internet
+ Assigned Numbers Authority (IANA) and ICANN to better reflect today's
+ world while retaining characteristics and policies that have proven
+ to be effective in supporting Internet growth and stability. An
+ earlier variation of this memo was submitted to ICANN as a comment on
+ its evolving Top-level Domain (TLD) policies.
+
+
+
+
+
+
+
+
+
+Klensin Informational [Page 1]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+1. Introduction
+
+ RFC 1591 [1] has been heavily discussed and referenced in the last
+ year or two, especially in discussions within ICANN and its
+ predecessors about the creation, delegation, and management of top-
+ level domains. In particular, the ICANN Domain Name Supporting
+ Organization (DNSO), and especially its ccTLD constituency, have been
+ the home of many discussions in which 1591 and interpretations of it
+ have been cited in support of a variety of sometimes-contradictory
+ positions. During that period, other discussions have gone on to try
+ to reconstruct the thinking that went into RFC 1591. Those in turn
+ have led me and others to muse on how that original thinking might
+ relate to some of the issues being raised. 1591 is, I believe, one
+ of Jon Postel's masterpieces, drawing together very different
+ philosophies (e.g., his traditional view that people are basically
+ reasonable and will do the right thing if told what it is with some
+ stronger mechanisms when that model is not successful) into a single
+ whole.
+
+ RFC 1591 was written in the context of the assumption that what it
+ described as generic TLDs would be bound to policies and categories
+ of registration (see the "This domain is intended..." text in
+ section 2) while ccTLDs were expected to be used primarily to support
+ users and uses within and for a country and its residents. The
+ notion that different domains would be run in different ways --albeit
+ within the broad contexts of "public service on behalf of the
+ Internet community" and "trustee... for the global Internet
+ community"-- was considered a design feature and a safeguard against
+ a variety of potential abuses. Obviously the world has changed in
+ many ways in the seven or eight years since 1591 was written. In
+ particular, the Internet has become more heavily used and, because
+ the design of the world wide web has put domain names in front of
+ users, top-level domain names and registrations in them have been
+ heavily in demand: not only has the number of hosts increased
+ dramatically during that time, but the ratio between registered
+ domain names and physical hosts has increased very significantly.
+
+ The issues 1591 attempted to address when it was written and those we
+ face today have not changed significantly in principle. But one
+ alternative to present trends would be to take a step back to refine
+ it into a model that can function effectively today. Therefore, it
+ may be useful to try to reconstruct 1591's principles and think about
+ their applicability today as a model that could continue to be
+ applied: not because it is historically significant, but because many
+ of its elements have proven to work reasonably well, even in
+ difficult situations. In particular, for many domains (some in
+ 1591's "generic" list and others in its "country code" category) the
+ notion of "public service" --expected then to imply being carried out
+
+
+
+Klensin Informational [Page 2]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ at no or minimal cost to the users, not merely on a non-profit
+ basis-- has yielded to profitability calculations. And, in most of
+ the rest, considerations of at least calculating and recovering costs
+ have crept in. While many of us feel some nostalgia for the old
+ system, it is clear that its days are waning if not gone: perhaps the
+ public service notions as understood when 1591 was written just don't
+ scale to rapid internet growth and very large numbers of
+ yregistrations.
+
+ In particular, some ccTLDs have advertised for registrations outside
+ the designated countries (or other entities), while others have made
+ clear decisions to allow registrations by non-nationals. These
+ decisions and others have produced protests from many sides,
+ suggesting, in turn, that a recategorization is in order. For
+ example, we have heard concerns by governments and managers of
+ traditional, "public service", in-country, ccTLDs about excessive
+ ICANN interference and fears of being forced to conform to
+ internationally-set policies for dispute resolution when their
+ domestic ones are considered more appropriate. We have also heard
+ concerns from registrars and operators of externally-marketed ccTLDs
+ about unreasonable government interference and from gTLD registrars
+ and registries about unreasonable competition from aggressively
+ marketed ccTLDs. The appropriate distinction is no longer between
+ what RFC 1591 described as "generic" TLDs (but which were really
+ intended to be "purpose-specific", a term I will use again below) and
+ ccTLDs but among:
+
+ (i) true "generic" TLDs, in which any registration is acceptable
+ and, ordinarily, registrations from all sources are actively
+ promoted. This list currently includes (the formerly purpose-
+ specific) COM, NET, and ORG, and some ccTLDs. There have been
+ proposals from time to time for additional TLDs of this variety in
+ which, as with COM (and, more recently, NET and ORG) anyone
+ (generally subject only to name conflicts and national law) could
+ register who could pay the fees.
+
+ (ii) purpose-specific TLDs, in which registration is accepted only
+ from organizations or individuals meeting particular
+ qualifications, but where those qualifications are not tied to
+ national boundaries. This list currently includes INT, EDU, the
+ infrastructure domain ARPA, and, arguably, the specialized US
+ Government TLDs MIL and GOV. There have been proposals from time
+ to time for other international TLDs of this variety, e.g., for
+ medical entities such as physicians and hospitals and for museums.
+ ICANN has recently approved several TLDs of this type and
+ describes them as "sponsored" TLDs.
+
+
+
+
+
+Klensin Informational [Page 3]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ (iii) Country domains, operated according to the original
+ underlying assumptions of 1591, i.e., registrants are largely
+ expected to be people or other entities within the country. While
+ external registrations might be accepted by some of these, the
+ country does not aggressively advertise for such registrations,
+ nor does anyone expect to derive significant fee revenue from
+ them. All current domains in this category are ccTLDs, but not
+ all ccTLDs are in this category.
+
+ These categories are clearly orthogonal to the association between
+ the use of the IS 3166-1 registered code list [2] and two-letter
+ "country" domain names. If that relationship is to be maintained
+ (and I believe it is desirable), the only inherent requirement is
+ that no two-letter TLDs be created except from that list (in order to
+ avoid future conflicts). ICANN should control the allocation and
+ delegation of TLDs using these, and other, criteria, but only
+ registered 3166-1 two letter codes should be used as two-letter TLDs.
+
+2. Implications of the Categories
+
+ If we had adopted this type of three-way categorization and could
+ make it work, I believe it would have presented several opportunities
+ for ICANN and the community more generally to reduce controversies
+ and move forward. Of course, there will be cases where the
+ categorization of a particular domain and its operating style will
+ not be completely clear-cut (see section 3, below). But having ICANN
+ work out procedures for dealing with those (probably few) situations
+ appears preferable to strategies that would tend to propel ICANN into
+ areas that are beyond its competence or that might require
+ significant expansion of its mandate.
+
+ First, the internally-operated ccTLDs (category iii above) should not
+ be required to have much interaction with ICANN or vice versa. Once
+ a domain of this sort is established and delegated, and assuming that
+ the "admin contact in the country" rule is strictly observed, the
+ domain should be able to function effectively without ICANN
+ intervention or oversight. In particular, while a country might
+ choose to adopt the general ICANN policies about dispute resolution
+ or name management, issues that arise in these areas might equally
+ well be dealt with exclusively under applicable national laws. If a
+ domain chooses to use ICANN services that cost resources to provide,
+ it should contribute to ICANN's support, but, if it does not, ICANN
+ should not presume to charge it for other than a reasonable fraction
+ of the costs to ICANN of operating the root, root servers, and any
+ directory systems that are generally agreed upon to be necessary and
+ in which the domain participates.
+
+
+
+
+
+Klensin Informational [Page 4]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ By contrast, ccTLDs operated as generic domains ought to be treated
+ as generic domains. ICANN dispute resolution and name management
+ policies and any special rules developed to protect the Internet
+ public in multiple registrar or registry situations should reasonably
+ apply.
+
+3. Telling TLD types apart
+
+ If appropriate policies are adopted, ccTLDs operated as generic
+ domains (category (i) above) and those operated as country domains
+ (category (iii) above) ought to be able to be self-identified. There
+ are several criteria that could be applied to make this
+ determination. For example, either a domain is aggressively seeking
+ outside registrations or it is not and either the vast majority of
+ registrants in a domain are in-country or they are not. One could
+ also think of this as the issue of having some tangible level of
+ presence in the jurisdiction - e.g., is the administrative contact
+ subject, in practical terms, to the in-country laws, or are the
+ registration rules such that it is reasonably likely that a court in
+ the jurisdiction of the country associated with the domain can
+ exercise jurisdiction and enforce a judgment against the registrant.
+
+ One (fairly non-intrusive) rule ICANN might well impose on all top-
+ level domains is that they identify and publish the policies they
+ intend to use. E.g., registrants in a domain that will use the laws
+ of one particular country to resolve disputes should have a
+ reasonable opportunity to understand those policies prior to
+ registration and to make other arrangements (e.g., to register
+ elsewhere) if that mechanism for dispute resolution is not
+ acceptable. Giving IANA (as the root registrar) incorrect
+ information about the purpose and use of a domain should be subject
+ to challenge, and should be grounds for reviewing the appropriateness
+ of the domain delegation, just as not acting consistently and
+ equitably provides such grounds under the original provisions of RFC
+ 1591.
+
+ In order to ensure the availability of accurate and up-to-date
+ registration information the criteria must be consistent, and
+ consistent with more traditional gTLDs, for all nominally country
+ code domains operating as generic TLDs.
+
+4. The role of ICANN in country domains
+
+ ICANN (and IANA) should, as described above, have as little
+ involvement as possible in the direction of true country [code]
+ domains (i.e., category (iii)). There is no particular reason why
+
+
+
+
+
+Klensin Informational [Page 5]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ these domains should be subject to ICANN regulation beyond the basic
+ principles of 1591 and associated arrangements needed to ensure
+ Internet interoperability and stability.
+
+ ICANN's avoiding such involvement strengthens it: the desirability of
+ avoiding collisions with national sovereignty, determinations about
+ government legitimacy, and the authority of someone purportedly
+ writing on behalf of a government, is as important today as it was
+ when 1591 was written. The alternatives take us quickly from
+ "administration" into "internet governance" or, in the case of
+ determining which claimant is the legitimate government of a country,
+ "international relations", and the reasons for not moving in that
+ particular direction are legion.
+
+5. The role of governments
+
+ The history of IANA strategy in handling ccTLDs included three major
+ "things to avoid" considerations:
+
+ * Never get involved in determining which entities were countries
+ and which ones were not.
+
+ * Never get involved in determining who was, or was not, the
+ legitimate government of a country. And, more generally, avoid
+ deciding what entity --government, religion, commercial,
+ academic, etc.-- has what legitimacy or rights.
+
+ * If possible, never become involved in in-country disputes.
+ Instead, very strongly encourage internal parties to work
+ problems out among themselves. At most, adopt a role as
+ mediator and educator, rather than judge, unless abuses are very
+ clear and clearly will not be settled by any internal mechanism.
+
+ All three considerations were obviously intended to avoid IANA's
+ being dragged into a political morass in which it had (and, I
+ suggest, has) no competence to resolve the issues and could only get
+ bogged down. The first consideration was the most visible (and the
+ easiest) and was implemented by strict and careful adherence (see
+ below) to the ISO 3166 registered Country Code list. If an entity
+ had a code, it was eligible to be registered with a TLD (although
+ IANA was free to apply additional criteria-most of them stated in
+ 1591). If it did not, there were no exceptions: the applicant's only
+ recourse was a discussion with the 3166 Registration Authority (now
+ Maintenance Agency, often known just as "3166/MA") or the UN
+ Statistical Office (now Statistics Bureau), not with IANA.
+
+
+
+
+
+
+Klensin Informational [Page 6]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ There are actually five ccTLD exceptions to the strict rules. One,
+ "UK", is historical: it predates the adoption of ISO 3166 for this
+ purpose. The others --Ascension Island, Guernsey, Isle of Man, and
+ Jersey --are arguably, at least in retrospect, just mistakes.
+ Regardless of the historical reasons (about which there has been much
+ speculation), it is almost certainly the case that the right way to
+ handle mistakes of this sort is to acknowledge them and move on,
+ rather than trying to use them as precedents to justify more
+ mistakes.
+
+ This, obviously, is also the argument against use of the "reserved"
+ list (technically internal to the 3166 maintenance activity, and not
+ part of the Standard): since IANA (or ICANN) can ask that a name be
+ placed on that list, there is no rule of an absolute determination by
+ an external organization. Purported countries can come to ICANN,
+ insist on having delegations made and persuade ICANN to ask that the
+ names be reserved. Then, since the reserved name would exist, they
+ could insist that the domain be delegated. Worse, someone could use
+ another organization to request reservation of the name by 3166/MA;
+ once it was reserved, ICANN might be hard-pressed not to do the
+ delegation. Of course, ICANN could (and probably would be forced to)
+ adopt additional criteria other than appearance on the "reserved
+ list" in order to delegate such domains. But those criteria would
+ almost certainly be nearly equivalent to determining which applicants
+ were legitimate and stable enough to be considered a country, the
+ exact decision process that 1591 strove to avoid.
+
+ The other two considerations were more subtle and not always
+ successful: from time to time, both before and after the formal
+ policy shifted toward "governments could have their way", IANA
+ received letters from people purporting to be competent government
+ authorities asking for changes. Some of them turned out later to not
+ have that authority or appropriate qualifications. The assumption of
+ 1591 itself was that, if the "administrative contact in country" rule
+ was strictly observed, as was the rule that delegation changes
+ requested by the administrative contact would be honored, then, if a
+ government _really_ wanted to assert itself, it could pressure the
+ administrative contact into requesting the changes it wanted, using
+ whatever would pass for due process in that country. And the ability
+ to apply that process and pressure would effectively determine who
+ was the government and who wasn't, and would do so far more
+ effectively than any IANA evaluation of, e.g., whether the letterhead
+ on a request looked authentic (and far more safely for ICANN than
+ asking the opinion of any particular other government or selection of
+ governments).
+
+
+
+
+
+
+Klensin Informational [Page 7]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+ Specific language in 1591 permitted IANA to adopt a "work it out
+ yourselves; if we have to decide, we will strive for a solution that
+ is not satisfactory to any party" stance. That approach was used
+ successfully, along with large doses of education, on many occasions
+ over the years, to avoid IANA's having to assume the role of judge
+ between conflicting parties.
+
+ Similar principles could be applied to the boundary between country-
+ code-based generic TLDs and country domains. Different countries,
+ under different circumstances, might prefer to operate the ccTLD
+ either as a national service or as a profit center where the
+ "customers" were largely external. Whatever decisions were made
+ historically, general Internet stability argues that changes should
+ not be made lightly. At the same time, if a government wishes to
+ make a change, the best mechanism for doing so is not to involve
+ ICANN in a potential determination of legitimacy (or even to have
+ ICANN's Government Advisory Committee (GAC) try to formally make that
+ decision for individual countries) but for the relevant government to
+ use its own procedures to persuade the administrative contact to
+ request the change and for IANA to promptly and efficiently carry out
+ requests made by administrative contacts.
+
+6. Implications for the current ICANN DNSO structure.
+
+ The arguments by some of the ccTLD administrators that they are
+ different from the rest of the ICANN and DNSO structures are (in this
+ model) correct: they are different. The ccTLDs that are operating as
+ generic TLDs should be separated from the ccTLD constituency and
+ joined to the gTLD constituency. The country ccTLDs should be
+ separated from ICANN's immediate Supporting Organization structure,
+ and operate in a parallel and advisory capacity to ICANN, similar to
+ the arrangements used with the GAC. The DNSO and country TLDs should
+ not be required to interact with each other except on a mutually
+ voluntary basis and, if ICANN needs interaction or advice from some
+ of all of those TLDs, it would be more appropriate to get it in the
+ form of an advisory body like the GAC rather than as DNSO
+ constituency.
+
+7. References
+
+ [1] Postel, J., "Domain Name System Structure and Delegation", RFC
+ 1591, March 1994.
+
+ [2] ISO 3166. ISO 3166-1. Codes for the representation of names of
+ countries and their subdivisions - Part 1: Country codes (1997).
+
+
+
+
+
+
+Klensin Informational [Page 8]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+8. Acknowledgements and disclaimer
+
+ These reflections have been prepared in my individual capacity and do
+ not necessarily reflect the views of my past or present employers.
+ Several people, including Randy Bush, Theresa Swinehart, Zita Wenzel,
+ Geoff Huston, Havard Eidnes, and several anonymous reviewers, made
+ suggestions or offered editorial comments about earlier versions of
+ this document. Cord Wischhoefer, of the ISO 3166/MA, was also kind
+ enough to look at the draft and supplied some useful details. Those
+ comments contributed significantly to whatever clarity the document
+ has, but the author bears responsibility for the selection of
+ comments which were ultimately incorporated and the way in which the
+ conclusions were presented.
+
+9. Security Considerations
+
+ This memo addresses the context for a set of administrative decisions
+ and procedures, and does not raise or address security issues.
+
+10. Author's Address
+
+ John C. Klensin
+ 1770 Massachusetts Ave, Suite 322
+ Cambridge, MA 02140, USA
+
+ EMail: klensin@jck.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Klensin Informational [Page 9]
+
+RFC 3071 Reflections on the DNS and RFC 1591 February 2001
+
+
+11. Full Copyright Statement
+
+ Copyright (C) The Internet Society 2001. All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others provided that the above copyright notice and this paragraph
+ are included on all such copies. However, this document itself may
+ not be modified in any way, such as by removing the copyright notice
+ or references to the Internet Society or other Internet
+ organizations, except as required to translate it into languages
+ other than English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Klensin Informational [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc3090.txt b/contrib/bind9/doc/rfc/rfc3090.txt
new file mode 100644
index 0000000..08008f7
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3090.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group E. Lewis
+Request for Comments: 3090 NAI Labs
+Category: Standards Track March 2001
+
+
+ DNS Security Extension Clarification on Zone Status
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ The definition of a secured zone is presented, clarifying and
+ updating sections of RFC 2535. RFC 2535 defines a zone to be secured
+ based on a per algorithm basis, e.g., a zone can be secured with RSA
+ keys, and not secured with DSA keys. This document changes this to
+ define a zone to be secured or not secured regardless of the key
+ algorithm used (or not used). To further simplify the determination
+ of a zone's status, "experimentally secure" status is deprecated.
+
+1 Introduction
+
+ Whether a DNS zone is "secured" or not is a question asked in at
+ least four contexts. A zone administrator asks the question when
+ configuring a zone to use DNSSEC. A dynamic update server asks the
+ question when an update request arrives, which may require DNSSEC
+ processing. A delegating zone asks the question of a child zone when
+ the parent enters data indicating the status the child. A resolver
+ asks the question upon receipt of data belonging to the zone.
+
+1.1 When a Zone's Status is Important
+
+ A zone administrator needs to be able to determine what steps are
+ needed to make the zone as secure as it can be. Realizing that due
+ to the distributed nature of DNS and its administration, any single
+ zone is at the mercy of other zones when it comes to the appearance
+ of security. This document will define what makes a zone qualify as
+ secure.
+
+
+
+
+Lewis Standards Track [Page 1]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+ A name server performing dynamic updates needs to know whether a zone
+ being updated is to have signatures added to the updated data, NXT
+ records applied, and other required processing. In this case, it is
+ conceivable that the name server is configured with the knowledge,
+ but being able to determine the status of a zone by examining the
+ data is a desirable alternative to configuration parameters.
+
+ A delegating zone is required to indicate whether a child zone is
+ secured. The reason for this requirement lies in the way in which a
+ resolver makes its own determination about a zone (next paragraph).
+ To shorten a long story, a parent needs to know whether a child
+ should be considered secured. This is a two part question. Under
+ what circumstances does a parent consider a child zone to be secure,
+ and how does a parent know if the child conforms?
+
+ A resolver needs to know if a zone is secured when the resolver is
+ processing data from the zone. Ultimately, a resolver needs to know
+ whether or not to expect a usable signature covering the data. How
+ this determination is done is out of the scope of this document,
+ except that, in some cases, the resolver will need to contact the
+ parent of the zone to see if the parent states that the child is
+ secured.
+
+1.2 Islands of Security
+
+ The goal of DNSSEC is to have each zone secured, from the root zone
+ and the top-level domains down the hierarchy to the leaf zones.
+ Transitioning from an unsecured DNS, as we have now, to a fully
+ secured - or "as much as will be secured" - tree will take some time.
+ During this time, DNSSEC will be applied in various locations in the
+ tree, not necessarily "top down."
+
+ For example, at a particular instant, the root zone and the "test."
+ TLD might be secured, but region1.test. might not be. (For
+ reference, let's assume that region2.test. is secured.) However,
+ subarea1.region1.test. may have gone through the process of becoming
+ secured, along with its delegations. The dilemma here is that
+ subarea1 cannot get its zone keys properly signed as its parent zone,
+ region1, is not secured.
+
+ The colloquial phrase describing the collection of contiguous secured
+ zones at or below subarea1.region1.test. is an "island of security."
+ The only way in which a DNSSEC resolver will come to trust any data
+ from this island is if the resolver is pre-configured with the zone
+ key(s) for subarea1.region1.test., i.e., the root of the island of
+ security. Other resolvers (not so configured) will recognize this
+ island as unsecured.
+
+
+
+
+Lewis Standards Track [Page 2]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+ An island of security begins with one zone whose public key is pre-
+ configured in resolvers. Within this island are subzones which are
+ also secured. The "bottom" of the island is defined by delegations
+ to unsecured zones. One island may also be on top of another -
+ meaning that there is at least one unsecured zone between the bottom
+ of the upper island and the root of the lower secured island.
+
+ Although both subarea1.region1.test. and region2.test. have both been
+ properly brought to a secured state by the administering staff, only
+ the latter of the two is actually "globally" secured - in the sense
+ that all DNSSEC resolvers can and will verify its data. The former,
+ subarea1, will be seen as secured by a subset of those resolvers,
+ just those appropriately configured. This document refers to such
+ zones as being "locally" secured.
+
+ In RFC 2535, there is a provision for "certification authorities,"
+ entities that will sign public keys for zones such as subarea1.
+ There is another document, [RFC3008], that restricts this activity.
+ Regardless of the other document, resolvers would still need proper
+ configuration to be able to use the certification authority to verify
+ the data for the subarea1 island.
+
+1.2.1 Determining the closest security root
+
+ Given a domain, in order to determine whether it is secure or not,
+ the first step is to determine the closest security root. The
+ closest security root is the top of an island of security whose name
+ has the most matching (in order from the root) right-most labels to
+ the given domain.
+
+ For example, given a name "sub.domain.testing.signed.exp.test.", and
+ given the secure roots "exp.test.", "testing.signed.exp.test." and
+ "not-the-same.xy.", the middle one is the closest. The first secure
+ root shares 2 labels, the middle 4, and the last 0.
+
+ The reason why the closest is desired is to eliminate false senses of
+ insecurity because of a NULL key. Continuing with the example, the
+ reason both "testing..." and "exp.test." are listed as secure root is
+ presumably because "signed.exp.test." is unsecured (has a NULL key).
+ If we started to descend from "exp.test." to our given domain
+ (sub...), we would encounter a NULL key and conclude that sub... was
+ unsigned. However, if we descend from "testing..." and find keys
+ "domain...." then we can conclude that "sub..." is secured.
+
+ Note that this example assumes one-label deep zones, and assumes that
+ we do not configure overlapping islands of security. To be clear,
+ the definition given should exclude "short.xy.test." from being a
+ closest security root for "short.xy." even though 2 labels match.
+
+
+
+Lewis Standards Track [Page 3]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+ Overlapping islands of security introduce no conceptually interesting
+ ideas and do not impact the protocol in anyway. However, protocol
+ implementers are advised to make sure their code is not thrown for a
+ loop by overlaps. Overlaps are sure to be configuration problems as
+ islands of security grow to encompass larger regions of the name
+ space.
+
+1.3 Parent Statement of Child Security
+
+ In 1.1 of this document, there is the comment "the parent states that
+ the child is secured." This has caused quite a bit of confusion.
+
+ The need to have the parent "state" the status of a child is derived
+ from the following observation. If you are looking to see if an
+ answer is secured, that it comes from an "island of security" and is
+ properly signed, you must begin at the (appropriate) root of the
+ island of security.
+
+ To find the answer you are inspecting, you may have to descend
+ through zones within the island of security. Beginning with the
+ trusted root of the island, you descend into the next zone down. As
+ you trust the upper zone, you need to get data from it about the next
+ zone down, otherwise there is a vulnerable point in which a zone can
+ be hijacked. When or if you reach a point of traversing from a
+ secured zone to an unsecured zone, you have left the island of
+ security and should conclude that the answer is unsecured.
+
+ However, in RFC 2535, section 2.3.4, these words seem to conflict
+ with the need to have the parent "state" something about a child:
+
+ There MUST be a zone KEY RR, signed by its superzone, for every
+ subzone if the superzone is secure. This will normally appear in
+ the subzone and may also be included in the superzone. But, in
+ the case of an unsecured subzone which can not or will not be
+ modified to add any security RRs, a KEY declaring the subzone to
+ be unsecured MUST appear with the superzone signature in the
+ superzone, if the superzone is secure.
+
+ The confusion here is that in RFC 2535, a secured parent states that
+ a child is secured by SAYING NOTHING ("may also be" as opposed to
+ "MUST also be"). This is counter intuitive, the fact that an absence
+ of data means something is "secured." This notion, while acceptable
+ in a theoretic setting has met with some discomfort in an operation
+ setting. However, the use of "silence" to state something does
+ indeed work in this case, so there hasn't been sufficient need
+ demonstrated to change the definition.
+
+
+
+
+
+Lewis Standards Track [Page 4]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+1.4 Impact on RFC 2535
+
+ This document updates sections of RFC 2535. The definition of a
+ secured zone is an update to section 3.4 of the RFC. Section 3.4 is
+ updated to eliminate the definition of experimental keys and
+ illustrate a way to still achieve the functionality they were
+ designed to provide. Section 3.1.3 is updated by the specifying the
+ value of the protocol octet in a zone key.
+
+1.5 "MUST" and other key words
+
+ The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
+ in this document are to be interpreted as described in [RFC 2119].
+ Currently, only "MUST" is used in this document.
+
+2 Status of a Zone
+
+ In this section, rules governing a zone's DNSSEC status are
+ presented. There are three levels of security defined: global,
+ local, and unsecured. A zone is globally secure when it complies
+ with the strictest set of DNSSEC processing rules. A zone is locally
+ secured when it is configured in such a way that only resolvers that
+ are appropriately configured see the zone as secured. All other
+ zones are unsecured.
+
+ Note: there currently is no document completely defining DNSSEC
+ verification rules. For the purposes of this document, the strictest
+ rules are assumed to state that the verification chain of zone keys
+ parallels the delegation tree up to the root zone. (See 2.b below.)
+ This is not intended to disallow alternate verification paths, just
+ to establish a baseline definition.
+
+ To avoid repetition in the rules below, the following terms are
+ defined.
+
+ 2.a Zone signing KEY RR - A KEY RR whose flag field has the value 01
+ for name type (indicating a zone key) and either value 00 or value 01
+ for key type (indicating a key permitted to authenticate data). (See
+ RFC 2535, section 3.1.2). The KEY RR also has a protocol octet value
+ of DNSSEC (3) or ALL (255).
+
+ The definition updates RFC 2535's definition of a zone key. The
+ requirement that the protocol field be either DNSSEC or ALL is a new
+ requirement (a change to section 3.1.3.)
+
+ 2.b On-tree Validation - The authorization model in which only the
+ parent zone is recognized to supply a DNSSEC-meaningful signature
+ that is used by a resolver to build a chain of trust from the child's
+
+
+
+Lewis Standards Track [Page 5]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+ keys to a recognized root of security. The term "on-tree" refers to
+ following the DNS domain hierarchy (upwards) to reach a trusted key,
+ presumably the root key if no other key is available. The term
+ "validation" refers to the digital signature by the parent to prove
+ the integrity, authentication and authorization of the child's key to
+ sign the child's zone data.
+
+ 2.c Off-tree Validation - Any authorization model that permits domain
+ names other than the parent's to provide a signature over a child's
+ zone keys that will enable a resolver to trust the keys.
+
+2.1 Globally Secured
+
+ A globally secured zone, in a nutshell, is a zone that uses only
+ mandatory to implement algorithms (RFC 2535, section 3.2) and relies
+ on a key certification chain that parallels the delegation tree (on-
+ tree validation). Globally secured zones are defined by the
+ following rules.
+
+ 2.1.a. The zone's apex MUST have a KEY RR set. There MUST be at
+ least one zone signing KEY RR (2.a) of a mandatory to implement
+ algorithm in the set.
+
+ 2.1.b. The zone's apex KEY RR set MUST be signed by a private key
+ belonging to the parent zone. The private key's public companion
+ MUST be a zone signing KEY RR (2.a) of a mandatory to implement
+ algorithm and owned by the parent's apex.
+
+ If a zone cannot get a conforming signature from the parent zone, the
+ child zone cannot be considered globally secured. The only exception
+ to this is the root zone, for which there is no parent zone.
+
+ 2.1.c. NXT records MUST be deployed throughout the zone. (Clarifies
+ RFC 2535, section 2.3.2.) Note: there is some operational discomfort
+ with the current NXT record. This requirement is open to
+ modification when two things happen. First, an alternate mechanism
+ to the NXT is defined and second, a means by which a zone can
+ indicate that it is using an alternate method.
+
+ 2.1.d. Each RR set that qualifies for zone membership MUST be signed
+ by a key that is in the apex's KEY RR set and is a zone signing KEY
+ RR (2.a) of a mandatory to implement algorithm. (Updates 2535,
+ section 2.3.1.)
+
+ Mentioned earlier, the root zone is a special case. The root zone
+ will be considered to be globally secured provided that if conforms
+ to the rules for locally secured, with the exception that rule 2.1.a.
+ be also met (mandatory to implement requirement).
+
+
+
+Lewis Standards Track [Page 6]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+2.2 Locally Secured
+
+ The term "locally" stems from the likely hood that the only resolvers
+ to be configured for a particular zone will be resolvers "local" to
+ an organization.
+
+ A locally secured zone is a zone that complies with rules like those
+ for a globally secured zone with the following exceptions. The
+ signing keys may be of an algorithm that is not mandatory to
+ implement and/or the verification of the zone keys in use may rely on
+ a verification chain that is not parallel to the delegation tree
+ (off-tree validation).
+
+ 2.2.a. The zone's apex MUST have a KEY RR set. There MUST be at
+ least one zone signing KEY RR (2.a) in the set.
+
+ 2.2.b. The zone's apex KEY RR set MUST be signed by a private key and
+ one of the following two subclauses MUST hold true.
+
+ 2.2.b.1 The private key's public companion MUST be pre-configured in
+ all the resolvers of interest.
+
+ 2.2.b.2 The private key's public companion MUST be a zone signing KEY
+ RR (2.a) authorized to provide validation of the zone's apex KEY RR
+ set, as recognized by resolvers of interest.
+
+ The previous sentence is trying to convey the notion of using a
+ trusted third party to provide validation of keys. If the domain
+ name owning the validating key is not the parent zone, the domain
+ name must represent someone the resolver trusts to provide
+ validation.
+
+ 2.2.c. NXT records MUST be deployed throughout the zone. Note: see
+ the discussion following 2.1.c.
+
+ 2.2.d. Each RR set that qualifies for zone membership MUST be signed
+ by a key that is in the apex's KEY RR set and is a zone signing KEY
+ RR (2.a). (Updates 2535, section 2.3.1.)
+
+2.3 Unsecured
+
+ All other zones qualify as unsecured. This includes zones that are
+ designed to be experimentally secure, as defined in a later section
+ on that topic.
+
+
+
+
+
+
+
+Lewis Standards Track [Page 7]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+2.4 Wrap up
+
+ The designation of globally secured, locally secured, and unsecured
+ are merely labels to apply to zones, based on their contents.
+ Resolvers, when determining whether a signature is expected or not,
+ will only see a zone as secured or unsecured.
+
+ Resolvers that follow the most restrictive DNSSEC verification rules
+ will only see globally secured zones as secured, and all others as
+ unsecured, including zones which are locally secured. Resolvers that
+ are not as restrictive, such as those that implement algorithms in
+ addition to the mandatory to implement algorithms, will see some
+ locally secured zones as secured.
+
+ The intent of the labels "global" and "local" is to identify the
+ specific attributes of a zone. The words are chosen to assist in the
+ writing of a document recommending the actions a zone administrator
+ take in making use of the DNS security extensions. The words are
+ explicitly not intended to convey a state of compliance with DNS
+ security standards.
+
+3 Experimental Status
+
+ The purpose of an experimentally secured zone is to facilitate the
+ migration from an unsecured zone to a secured zone. This distinction
+ is dropped.
+
+ The objective of facilitating the migration can be achieved without a
+ special designation of an experimentally secure status.
+ Experimentally secured is a special case of locally secured. A zone
+ administrator can achieve this by publishing a zone with signatures
+ and configuring a set of test resolvers with the corresponding public
+ keys. Even if the public key is published in a KEY RR, as long as
+ there is no parent signature, the resolvers will need some pre-
+ configuration to know to process the signatures. This allows a zone
+ to be secured with in the sphere of the experiment, yet still be
+ registered as unsecured in the general Internet.
+
+4 IANA Considerations
+
+ This document does not request any action from an assigned number
+ authority nor recommends any actions.
+
+
+
+
+
+
+
+
+
+Lewis Standards Track [Page 8]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+5 Security Considerations
+
+ Without a means to enforce compliance with specified protocols or
+ recommended actions, declaring a DNS zone to be "completely" secured
+ is impossible. Even if, assuming an omnipotent view of DNS, one can
+ declare a zone to be properly configured for security, and all of the
+ zones up to the root too, a misbehaving resolver could be duped into
+ believing bad data. If a zone and resolver comply, a non-compliant
+ or subverted parent could interrupt operations. The best that can be
+ hoped for is that all parties are prepared to be judged secure and
+ that security incidents can be traced to the cause in short order.
+
+6 Acknowledgements
+
+ The need to refine the definition of a secured zone has become
+ apparent through the efforts of the participants at two DNSSEC
+ workshops, sponsored by the NIC-SE (.se registrar), CAIRN (a DARPA-
+ funded research network), and other workshops. Further discussions
+ leading to the document include Olafur Gudmundsson, Russ Mundy,
+ Robert Watson, and Brian Wellington. Roy Arends, Ted Lindgreen and
+ others have contributed significant input via the namedroppers
+ mailing list.
+
+7 References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2136] Vixie, P., (Ed.), Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System", RFC 2136,
+ April 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [RFC3007] Wellington, B., "Simple Secure Domain Name System (DNS)
+ Dynamic Update", RFC 3007, November 2000.
+
+ [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
+ Signing Authority", RFC 3008, November 2000.
+
+
+
+
+
+Lewis Standards Track [Page 9]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+10 Author's Address
+
+ Edward Lewis
+ NAI Labs
+ 3060 Washington Road Glenwood
+ MD 21738
+
+ Phone: +1 443 259 2352
+ EMail: lewis@tislabs.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis Standards Track [Page 10]
+
+RFC 3090 DNS Security Extension on Zone Status March 2001
+
+
+11 Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lewis Standards Track [Page 11]
+
diff --git a/contrib/bind9/doc/rfc/rfc3110.txt b/contrib/bind9/doc/rfc/rfc3110.txt
new file mode 100644
index 0000000..7646948
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3110.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group D. Eastlake 3rd
+Request for Comments: 3110 Motorola
+Obsoletes: 2537 May 2001
+Category: Standards Track
+
+
+ RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ This document describes how to produce RSA/SHA1 SIG resource records
+ (RRs) in Section 3 and, so as to completely replace RFC 2537,
+ describes how to produce RSA KEY RRs in Section 2.
+
+ Since the adoption of a Proposed Standard for RSA signatures in the
+ DNS (Domain Name Space), advances in hashing have been made. A new
+ DNS signature algorithm is defined to make these advances available
+ in SIG RRs. The use of the previously specified weaker mechanism is
+ deprecated. The algorithm number of the RSA KEY RR is changed to
+ correspond to this new SIG algorithm. No other changes are made to
+ DNS security.
+
+Acknowledgements
+
+ Material and comments from the following have been incorporated and
+ are gratefully acknowledged:
+
+ Olafur Gudmundsson
+
+ The IESG
+
+ Charlie Kaufman
+
+ Steve Wang
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 1]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+Table of Contents
+
+ 1. Introduction................................................... 2
+ 2. RSA Public KEY Resource Records................................ 3
+ 3. RSA/SHA1 SIG Resource Records.................................. 3
+ 4. Performance Considerations..................................... 4
+ 5. IANA Considerations............................................ 5
+ 6. Security Considerations........................................ 5
+ References........................................................ 5
+ Author's Address.................................................. 6
+ Full Copyright Statement.......................................... 7
+
+1. Introduction
+
+ The Domain Name System (DNS) is the global hierarchical replicated
+ distributed database system for Internet addressing, mail proxy, and
+ other information [RFC1034, 1035, etc.]. The DNS has been extended
+ to include digital signatures and cryptographic keys as described in
+ [RFC2535]. Thus the DNS can now be secured and used for secure key
+ distribution.
+
+ Familiarity with the RSA and SHA-1 algorithms is assumed [Schneier,
+ FIP180] in this document.
+
+ RFC 2537 described how to store RSA keys and RSA/MD5 based signatures
+ in the DNS. However, since the adoption of RFC 2537, continued
+ cryptographic research has revealed hints of weakness in the MD5
+ [RFC1321] algorithm used in RFC 2537. The SHA1 Secure Hash Algorithm
+ [FIP180], which produces a larger hash, has been developed. By now
+ there has been sufficient experience with SHA1 that it is generally
+ acknowledged to be stronger than MD5. While this stronger hash is
+ probably not needed today in most secure DNS zones, critical zones
+ such a root, most top level domains, and some second and third level
+ domains, are sufficiently valuable targets that it would be negligent
+ not to provide what are generally agreed to be stronger mechanisms.
+ Furthermore, future advances in cryptanalysis and/or computer speeds
+ may require a stronger hash everywhere. In addition, the additional
+ computation required by SHA1 above that required by MD5 is
+ insignificant compared with the computational effort required by the
+ RSA modular exponentiation.
+
+ This document describes how to produce RSA/SHA1 SIG RRs in Section 3
+ and, so as to completely replace RFC 2537, describes how to produce
+ RSA KEY RRs in Section 2.
+
+ Implementation of the RSA algorithm in DNS with SHA1 is MANDATORY for
+ DNSSEC. The generation of RSA/MD5 SIG RRs as described in RFC 2537
+ is NOT RECOMMENDED.
+
+
+
+D. Eastlake 3rd Standards Track [Page 2]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+ The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", "NOT
+ RECOMMENDED", and "MAY" in this document are to be interpreted as
+ described in RFC 2119.
+
+2. RSA Public KEY Resource Records
+
+ RSA public keys are stored in the DNS as KEY RRs using algorithm
+ number 5 [RFC2535]. The structure of the algorithm specific portion
+ of the RDATA part of such RRs is as shown below.
+
+ Field Size
+ ----- ----
+ exponent length 1 or 3 octets (see text)
+ exponent as specified by length field
+ modulus remaining space
+
+ For interoperability, the exponent and modulus are each limited to
+ 4096 bits in length. The public key exponent is a variable length
+ unsigned integer. Its length in octets is represented as one octet
+ if it is in the range of 1 to 255 and by a zero octet followed by a
+ two octet unsigned length if it is longer than 255 bytes. The public
+ key modulus field is a multiprecision unsigned integer. The length
+ of the modulus can be determined from the RDLENGTH and the preceding
+ RDATA fields including the exponent. Leading zero octets are
+ prohibited in the exponent and modulus.
+
+ Note: KEY RRs for use with RSA/SHA1 DNS signatures MUST use this
+ algorithm number (rather than the algorithm number specified in the
+ obsoleted RFC 2537).
+
+ Note: This changes the algorithm number for RSA KEY RRs to be the
+ same as the new algorithm number for RSA/SHA1 SIGs.
+
+3. RSA/SHA1 SIG Resource Records
+
+ RSA/SHA1 signatures are stored in the DNS using SIG resource records
+ (RRs) with algorithm number 5.
+
+ The signature portion of the SIG RR RDATA area, when using the
+ RSA/SHA1 algorithm, is calculated as shown below. The data signed is
+ determined as specified in RFC 2535. See RFC 2535 for fields in the
+ SIG RR RDATA which precede the signature itself.
+
+ hash = SHA1 ( data )
+
+ signature = ( 01 | FF* | 00 | prefix | hash ) ** e (mod n)
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 3]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+ where SHA1 is the message digest algorithm documented in [FIP180],
+ "|" is concatenation, "e" is the private key exponent of the signer,
+ and "n" is the modulus of the signer's public key. 01, FF, and 00
+ are fixed octets of the corresponding hexadecimal value. "prefix" is
+ the ASN.1 BER SHA1 algorithm designator prefix required in PKCS1
+ [RFC2437], that is,
+
+ hex 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14
+
+ This prefix is included to make it easier to use standard
+ cryptographic libraries. The FF octet MUST be repeated the maximum
+ number of times such that the value of the quantity being
+ exponentiated is one octet shorter than the value of n.
+
+ (The above specifications are identical to the corresponding parts of
+ Public Key Cryptographic Standard #1 [RFC2437].)
+
+ The size of "n", including most and least significant bits (which
+ will be 1) MUST be not less than 512 bits and not more than 4096
+ bits. "n" and "e" SHOULD be chosen such that the public exponent is
+ small. These are protocol limits. For a discussion of key size see
+ RFC 2541.
+
+ Leading zero bytes are permitted in the RSA/SHA1 algorithm signature.
+
+4. Performance Considerations
+
+ General signature generation speeds are roughly the same for RSA and
+ DSA [RFC2536]. With sufficient pre-computation, signature generation
+ with DSA is faster than RSA. Key generation is also faster for DSA.
+ However, signature verification is an order of magnitude slower with
+ DSA when the RSA public exponent is chosen to be small as is
+ recommended for KEY RRs used in domain name system (DNS) data
+ authentication.
+
+ A public exponent of 3 minimizes the effort needed to verify a
+ signature. Use of 3 as the public exponent is weak for
+ confidentiality uses since, if the same data can be collected
+ encrypted under three different keys with an exponent of 3 then,
+ using the Chinese Remainder Theorem [NETSEC], the original plain text
+ can be easily recovered. If a key is known to be used only for
+ authentication, as is the case with DNSSEC, then an exponent of 3 is
+ acceptable. However other applications in the future may wish to
+ leverage DNS distributed keys for applications that do require
+ confidentiality. For keys which might have such other uses, a more
+ conservative choice would be 65537 (F4, the fourth fermat number).
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 4]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+ Current DNS implementations are optimized for small transfers,
+ typically less than 512 bytes including DNS overhead. Larger
+ transfers will perform correctly and extensions have been
+ standardized [RFC2671] to make larger transfers more efficient, it is
+ still advisable at this time to make reasonable efforts to minimize
+ the size of KEY RR sets stored within the DNS consistent with
+ adequate security. Keep in mind that in a secure zone, at least one
+ authenticating SIG RR will also be returned.
+
+5. IANA Considerations
+
+ The DNSSEC algorithm number 5 is allocated for RSA/SHA1 SIG RRs and
+ RSA KEY RRs.
+
+6. Security Considerations
+
+ Many of the general security considerations in RFC 2535 apply. Keys
+ retrieved from the DNS should not be trusted unless (1) they have
+ been securely obtained from a secure resolver or independently
+ verified by the user and (2) this secure resolver and secure
+ obtainment or independent verification conform to security policies
+ acceptable to the user. As with all cryptographic algorithms,
+ evaluating the necessary strength of the key is essential and
+ dependent on local policy. For particularly critical applications,
+ implementers are encouraged to consider the range of available
+ algorithms and key sizes. See also RFC 2541, "DNS Security
+ Operational Considerations".
+
+References
+
+ [FIP180] U.S. Department of Commerce, "Secure Hash Standard", FIPS
+ PUB 180-1, 17 Apr 1995.
+
+ [NETSEC] Network Security: PRIVATE Communications in a PUBLIC
+ World, Charlie Kaufman, Radia Perlman, & Mike Speciner,
+ Prentice Hall Series in Computer Networking and
+ Distributed Communications, 1995.
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
+ April 1992.
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 5]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2437] Kaliski, B. and J. Staddon, "PKCS #1: RSA Cryptography
+ Specifications Version 2.0", RFC 2437, October 1998.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2536] Eastlake, D., "DSA KEYs and SIGs in the Domain Name System
+ (DNS)", RFC 2536, March 1999.
+
+ [RFC2537] Eastlake, D., "RSA/MD5 KEYs and SIGs in the Domain Name
+ System (DNS)", RFC 2537, March 1999.
+
+ [RFC2541] Eastlake, D., "DNS Security Operational Considerations",
+ RFC 2541, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [Schneier] Bruce Schneier, "Applied Cryptography Second Edition:
+ protocols, algorithms, and source code in C", 1996, John
+ Wiley and Sons, ISBN 0-471-11709-9.
+
+Author's Address
+
+ Donald E. Eastlake 3rd
+ Motorola
+ 155 Beaver Street
+ Milford, MA 01757 USA
+
+ Phone: +1-508-261-5434 (w)
+ +1-508-634-2066 (h)
+ Fax +1-508-261-4777 (w)
+ EMail: Donald.Eastlake@motorola.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 6]
+
+RFC 3110 RSA SIGs and KEYs in the DNS May 2001
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+D. Eastlake 3rd Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc3123.txt b/contrib/bind9/doc/rfc/rfc3123.txt
new file mode 100644
index 0000000..3b2fe00
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3123.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group P. Koch
+Request for Comments: 3123 Universitaet Bielefeld
+Category: Experimental June 2001
+
+
+ A DNS RR Type for Lists of Address Prefixes (APL RR)
+
+Status of this Memo
+
+ This memo defines an Experimental Protocol for the Internet
+ community. It does not specify an Internet standard of any kind.
+ Discussion and suggestions for improvement are requested.
+ Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ The Domain Name System (DNS) is primarily used to translate domain
+ names into IPv4 addresses using A RRs (Resource Records). Several
+ approaches exist to describe networks or address ranges. This
+ document specifies a new DNS RR type "APL" for address prefix lists.
+
+1. Conventions used in this document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+ Domain names herein are for explanatory purposes only and should not
+ be expected to lead to useful information in real life [RFC2606].
+
+2. Background
+
+ The Domain Name System [RFC1034], [RFC1035] provides a mechanism to
+ associate addresses and other Internet infrastructure elements with
+ hierarchically built domain names. Various types of resource records
+ have been defined, especially those for IPv4 and IPv6 [RFC2874]
+ addresses. In [RFC1101] a method is described to publish information
+ about the address space allocated to an organisation. In older BIND
+ versions, a weak form of controlling access to zone data was
+ implemented using TXT RRs describing address ranges.
+
+ This document specifies a new RR type for address prefix lists.
+
+
+
+
+
+Koch Experimental [Page 1]
+
+RFC 3123 DNS APL RR June 2001
+
+
+3. APL RR Type
+
+ An APL record has the DNS type of "APL" and a numeric value of 42
+ [IANA]. The APL RR is defined in the IN class only. APL RRs cause
+ no additional section processing.
+
+4. APL RDATA format
+
+ The RDATA section consists of zero or more items (<apitem>) of the
+ form
+
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ | ADDRESSFAMILY |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ | PREFIX | N | AFDLENGTH |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+ / AFDPART /
+ | |
+ +---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+
+
+ ADDRESSFAMILY 16 bit unsigned value as assigned by IANA
+ (see IANA Considerations)
+ PREFIX 8 bit unsigned binary coded prefix length.
+ Upper and lower bounds and interpretation of
+ this value are address family specific.
+ N negation flag, indicates the presence of the
+ "!" character in the textual format. It has
+ the value "1" if the "!" was given, "0" else.
+ AFDLENGTH length in octets of the following address
+ family dependent part (7 bit unsigned).
+ AFDPART address family dependent part. See below.
+
+ This document defines the AFDPARTs for address families 1 (IPv4) and
+ 2 (IPv6). Future revisions may deal with additional address
+ families.
+
+4.1. AFDPART for IPv4
+
+ The encoding of an IPv4 address (address family 1) follows the
+ encoding specified for the A RR by [RFC1035], section 3.4.1.
+
+ PREFIX specifies the number of bits of the IPv4 address starting at
+ the most significant bit. Legal values range from 0 to 32.
+
+ Trailing zero octets do not bear any information (e.g., there is no
+ semantic difference between 10.0.0.0/16 and 10/16) in an address
+ prefix, so the shortest possible AFDLENGTH can be used to encode it.
+ However, for DNSSEC [RFC2535] a single wire encoding must be used by
+
+
+
+Koch Experimental [Page 2]
+
+RFC 3123 DNS APL RR June 2001
+
+
+ all. Therefore the sender MUST NOT include trailing zero octets in
+ the AFDPART regardless of the value of PREFIX. This includes cases
+ in which AFDLENGTH times 8 results in a value less than PREFIX. The
+ AFDPART is padded with zero bits to match a full octet boundary.
+
+ An IPv4 AFDPART has a variable length of 0 to 4 octets.
+
+4.2. AFDPART for IPv6
+
+ The 128 bit IPv6 address (address family 2) is encoded in network
+ byte order (high-order byte first).
+
+ PREFIX specifies the number of bits of the IPv6 address starting at
+ the most significant bit. Legal values range from 0 to 128.
+
+ With the same reasoning as in 4.1 above, the sender MUST NOT include
+ trailing zero octets in the AFDPART regardless of the value of
+ PREFIX. This includes cases in which AFDLENGTH times 8 results in a
+ value less than PREFIX. The AFDPART is padded with zero bits to
+ match a full octet boundary.
+
+ An IPv6 AFDPART has a variable length of 0 to 16 octets.
+
+5. Zone File Syntax
+
+ The textual representation of an APL RR in a DNS zone file is as
+ follows:
+
+ <owner> IN <TTL> APL {[!]afi:address/prefix}*
+
+ The data consists of zero or more strings of the address family
+ indicator <afi>, immediately followed by a colon ":", an address,
+ immediately followed by the "/" character, immediately followed by a
+ decimal numeric value for the prefix length. Any such string may be
+ preceded by a "!" character. The strings are separated by
+ whitespace. The <afi> is the decimal numeric value of that
+ particular address family.
+
+5.1. Textual Representation of IPv4 Addresses
+
+ An IPv4 address in the <address> part of an <apitem> is in dotted
+ quad notation, just as in an A RR. The <prefix> has values from the
+ interval 0..32 (decimal).
+
+
+
+
+
+
+
+
+Koch Experimental [Page 3]
+
+RFC 3123 DNS APL RR June 2001
+
+
+5.2. Textual Representation of IPv6 Addresses
+
+ The representation of an IPv6 address in the <address> part of an
+ <apitem> follows [RFC2373], section 2.2. Legal values for <prefix>
+ are from the interval 0..128 (decimal).
+
+6. APL RR usage
+
+ An APL RR with empty RDATA is valid and implements an empty list.
+ Multiple occurrences of the same <apitem> in a single APL RR are
+ allowed and MUST NOT be merged by a DNS server or resolver.
+ <apitems> MUST be kept in order and MUST NOT be rearranged or
+ aggregated.
+
+ A single APL RR may contain <apitems> belonging to different address
+ families. The maximum number of <apitems> is upper bounded by the
+ available RDATA space.
+
+ RRSets consisting of more than one APL RR are legal but the
+ interpretation is left to the particular application.
+
+7. Applicability Statement
+
+ The APL RR defines a framework without specifying any particular
+ meaning for the list of prefixes. It is expected that APL RRs will
+ be used in different application scenarios which have to be
+ documented separately. Those scenarios may be distinguished by
+ characteristic prefixes placed in front of the DNS owner name.
+
+ An APL application specification MUST include information on
+
+ o the characteristic prefix, if any
+
+ o how to interpret APL RRSets consisting of more than one RR
+
+ o how to interpret an empty APL RR
+
+ o which address families are expected to appear in the APL RRs for
+ that application
+
+ o how to deal with APL RR list elements which belong to other
+ address families, including those not yet defined
+
+ o the exact semantics of list elements negated by the "!" character
+
+
+
+
+
+
+
+Koch Experimental [Page 4]
+
+RFC 3123 DNS APL RR June 2001
+
+
+ Possible applications include the publication of address ranges
+ similar to [RFC1101], description of zones built following [RFC2317]
+ and in-band access control to limit general access or zone transfer
+ (AXFR) availability for zone data held in DNS servers.
+
+ The specification of particular application scenarios is out of the
+ scope of this document.
+
+8. Examples
+
+ The following examples only illustrate some of the possible usages
+ outlined in the previous section. None of those applications are
+ hereby specified nor is it implied that any particular APL RR based
+ application does exist now or will exist in the future.
+
+ ; RFC 1101-like announcement of address ranges for foo.example
+ foo.example. IN APL 1:192.168.32.0/21 !1:192.168.38.0/28
+
+ ; CIDR blocks covered by classless delegation
+ 42.168.192.IN-ADDR.ARPA. IN APL ( 1:192.168.42.0/26 1:192.168.42.64/26
+ 1:192.168.42.128/25 )
+
+ ; Zone transfer restriction
+ _axfr.sbo.example. IN APL 1:127.0.0.1/32 1:172.16.64.0/22
+
+ ; List of address ranges for multicast
+ multicast.example. IN APL 1:224.0.0.0/4 2:FF00:0:0:0:0:0:0:0/8
+
+ Note that since trailing zeroes are ignored in the first APL RR the
+ AFDLENGTH of both <apitems> is three.
+
+9. Security Considerations
+
+ Any information obtained from the DNS should be regarded as unsafe
+ unless techniques specified in [RFC2535] or [RFC2845] were used. The
+ definition of a new RR type does not introduce security problems into
+ the DNS, but usage of information made available by APL RRs may
+ compromise security. This includes disclosure of network topology
+ information and in particular the use of APL RRs to construct access
+ control lists.
+
+
+
+
+
+
+
+
+
+
+
+Koch Experimental [Page 5]
+
+RFC 3123 DNS APL RR June 2001
+
+
+10. IANA Considerations
+
+ This section is to be interpreted as following [RFC2434].
+
+ This document does not define any new namespaces. It uses the 16 bit
+ identifiers for address families maintained by IANA in
+ http://www.iana.org/numbers.html.
+
+ The IANA assigned numeric RR type value 42 for APL [IANA].
+
+11. Acknowledgements
+
+ The author would like to thank Mark Andrews, Olafur Gudmundsson, Ed
+ Lewis, Thomas Narten, Erik Nordmark, and Paul Vixie for their review
+ and constructive comments.
+
+12. References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1101] Mockapetris, P., "DNS Encoding of Network Names and Other
+ Types", RFC 1101, April 1989.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2317] Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
+ ADDR.ARPA delegation", BCP 20, RFC 2317, March 1998.
+
+ [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
+ IANA Considerations Section in RFCs", BCP 26, RFC 2434,
+ October 1998.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [RFC2606] Eastlake, D. and A. Panitz, "Reserved Top Level DNS Names",
+ BCP 32, RFC 2606, June 1999.
+
+
+
+Koch Experimental [Page 6]
+
+RFC 3123 DNS APL RR June 2001
+
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+ 2845, May 2000.
+
+ [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
+ IPv6 Address Aggregation and Renumbering", RFC 2874, July
+ 2000.
+
+ [IANA] http://www.iana.org/assignments/dns-parameters
+
+13. Author's Address
+
+ Peter Koch
+ Universitaet Bielefeld
+ Technische Fakultaet
+ D-33594 Bielefeld
+ Germany
+
+ Phone: +49 521 106 2902
+ EMail: pk@TechFak.Uni-Bielefeld.DE
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Koch Experimental [Page 7]
+
+RFC 3123 DNS APL RR June 2001
+
+
+14. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Koch Experimental [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc3152.txt b/contrib/bind9/doc/rfc/rfc3152.txt
new file mode 100644
index 0000000..b226ce6
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3152.txt
@@ -0,0 +1,227 @@
+
+
+
+
+
+
+Network Working Group R. Bush
+Request for Comments: 3152 RGnet
+BCP: 49 August 2001
+Updates: 2874, 2772, 2766, 2553, 1886
+Category: Best Current Practice
+
+
+ Delegation of IP6.ARPA
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ This document discusses the need for delegation of the IP6.ARPA DNS
+ zone, and specifies a plan for the technical operation thereof.
+
+1. Why IP6.ARPA?
+
+ In the IPv6 address space, there is a need for 'reverse mapping' of
+ addresses to DNS names analogous to that provided by the IN-ADDR.ARPA
+ zone for IPv4.
+
+ The IAB recommended that the ARPA top level domain (the name is now
+ considered an acronym for "Address and Routing Parameters Area") be
+ used for technical infrastructure sub-domains when possible. It is
+ already in use for IPv4 reverse mapping and has been established as
+ the location for E.164 numbering on the Internet [RFC2916 RFC3026].
+
+ IETF consensus was reached that the IP6.ARPA domain be used for
+ address to DNS name mapping for the IPv6 address space [RFC2874].
+
+2. Obsoleted Usage
+
+ This document deprecates references to IP6.INT in [RFC1886] section
+ 2.5, [RFC2553] section 6.2.3, [RFC2766] section 4.1, [RFC2772]
+ section 7.1.c, and [RFC2874] section 2.5.
+
+ In this context, 'deprecate' means that the old usage is not
+ appropriate for new implementations, and IP6.INT will likely be
+ phased out in an orderly fashion.
+
+
+
+Bush Best Current Practice [Page 1]
+
+RFC 3152 Delegation of IP6.ARPA August 2001
+
+
+3. IANA Considerations
+
+ This memo requests that the IANA delegate the IP6.ARPA domain
+ following instructions to be provided by the IAB. Names within this
+ zone are to be further delegated to the regional IP registries in
+ accordance with the delegation of IPv6 address space to those
+ registries. The names allocated should be hierarchic in accordance
+ with the address space assignment.
+
+4. Security Considerations
+
+ While DNS spoofing of address to name mapping has been exploited in
+ IPv4, delegation of the IP6.ARPA zone creates no new threats to the
+ security of the internet.
+
+5. References
+
+ [RFC1886] Thomson, S. and C. Huitema, "DNS Extensions to support IP
+ version 6", RFC 1886, December 1995.
+
+ [RFC2553] Gilligan, R., Thomson, S., Bound, J. and W. Stevens,
+ "Basic Socket Interface Extensions for IPv6", RFC 2553,
+ March 1999.
+
+ [RFC2766] Tsirtsis, G. and P. Srisuresh, "Network Address
+ Translation - Protocol Translation (NAT-PT)", RFC 2766,
+ February 2000.
+
+ [RFC2772] Rockell, R. and R. Fink, "6Bone Backbone Routing
+ Guidelines", RFC 2772, February 2000.
+
+ [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
+ IPv6 Address Aggregation and Renumbering", RFC 2874, July
+ 2001.
+
+ [RFC2916] Faltstrom, P., "E.164 number and DNS", RFC 2916,
+ September 2000.
+
+ [RFC3026] Blane, R., "Liaison to IETF/ISOC on ENUM", RFC 3026,
+ January 2001.
+
+
+
+
+
+
+
+
+
+
+
+Bush Best Current Practice [Page 2]
+
+RFC 3152 Delegation of IP6.ARPA August 2001
+
+
+6. Author's Address
+
+ Randy Bush
+ 5147 Crystal Springs
+ Bainbridge Island, WA US-98110
+
+ Phone: +1 206 780 0431
+ EMail: randy@psg.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bush Best Current Practice [Page 3]
+
+RFC 3152 Delegation of IP6.ARPA August 2001
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bush Best Current Practice [Page 4]
+
diff --git a/contrib/bind9/doc/rfc/rfc3197.txt b/contrib/bind9/doc/rfc/rfc3197.txt
new file mode 100644
index 0000000..94cefa4
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3197.txt
@@ -0,0 +1,283 @@
+
+
+
+
+
+
+Network Working Group R. Austein
+Request for Comments: 3197 InterNetShare
+Category: Informational November 2001
+
+
+ Applicability Statement for DNS MIB Extensions
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ This document explains why, after more than six years as proposed
+ standards, the DNS Server and Resolver MIB extensions were never
+ deployed, and recommends retiring these MIB extensions by moving them
+ to Historical status.
+
+1. History
+
+ The road to the DNS MIB extensions was paved with good intentions.
+
+ In retrospect, it's obvious that the working group never had much
+ agreement on what belonged in the MIB extensions, just that we should
+ have some. This happened during the height of the craze for MIB
+ extensions in virtually every protocol that the IETF was working on
+ at the time, so the question of why we were doing this in the first
+ place never got a lot of scrutiny. Very late in the development
+ cycle we discovered that much of the support for writing the MIB
+ extensions in the first place had come from people who wanted to use
+ SNMP SET operations to update DNS zones on the fly. Examination of
+ the security model involved, however, led us to conclude that this
+ was not a good way to do dynamic update and that a separate DNS
+ Dynamic Update protocol would be necessary.
+
+ The MIB extensions started out being fairly specific to one
+ particular DNS implementation (BIND-4.8.3); as work progressed, the
+ BIND-specific portions were rewritten to be as implementation-neutral
+ as we knew how to make them, but somehow every revision of the MIB
+ extensions managed to create new counters that just happened to
+ closely match statistics kept by some version of BIND. As a result,
+ the MIB extensions ended up being much too big, which raised a number
+
+
+
+Austein Informational [Page 1]
+
+RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
+
+
+ of concerns with the network management directorate, but the WG
+ resisted every attempt to remove any of these variables. In the end,
+ large portions of the MIB extensions were moved into optional groups
+ in an attempt to get the required subset down to a manageable size.
+
+ The DNS Server and Resolver MIB extensions were one of the first
+ attempts to write MIB extensions for a protocol usually considered to
+ be at the application layer. Fairly early on it became clear that,
+ while it was certainly possible to write MIB extensions for DNS, the
+ SMI was not really designed with this sort of thing in mind. A case
+ in point was the attempt to provide direct indexing into the caches
+ in the resolver MIB extensions: while arguably the only sane way to
+ do this for a large cache, this required much more complex indexing
+ clauses than is usual, and ended up running into known length limits
+ for object identifiers in some SNMP implementations.
+
+ Furthermore, the lack of either real proxy MIB support in SNMP
+ managers or a standard subagent protocol meant that there was no
+ reasonable way to implement the MIB extensions in the dominant
+ implementation (BIND). When the AgentX subagent protocol was
+ developed a few years later, we initially hoped that this would
+ finally clear the way for an implementation of the DNS MIB
+ extensions, but by the time AgentX was a viable protocol it had
+ become clear that nobody really wanted to implement these MIB
+ extensions.
+
+ Finally, the MIB extensions took much too long to produce. In
+ retrospect, this should have been a clear warning sign, particularly
+ when the WG had clearly become so tired of the project that the
+ authors found it impossible to elicit any comments whatsoever on the
+ documents.
+
+2. Lessons
+
+ Observations based on the preceding list of mistakes, for the benefit
+ of anyone else who ever attempts to write DNS MIB extensions again:
+
+ - Define a clear set of goals before writing any MIB extensions.
+ Know who the constituency is and make sure that what you write
+ solves their problem.
+
+ - Keep the MIB extensions short, and don't add variables just
+ because somebody in the WG thinks they'd be a cool thing to
+ measure.
+
+ - If some portion of the task seems to be very hard to do within the
+ SMI, that's a strong hint that SNMP is not the right tool for
+ whatever it is that you're trying to do.
+
+
+
+Austein Informational [Page 2]
+
+RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
+
+
+ - If the entire project is taking too long, perhaps that's a hint
+ too.
+
+3. Recommendation
+
+ In view of the community's apparent total lack of interest in
+ deploying these MIB extensions, we recommend that RFCs 1611 and 1612
+ be reclassified as Historical documents.
+
+4. Security Considerations
+
+ Re-classifying an existing MIB document from Proposed Standard to
+ Historic should not have any negative impact on security for the
+ Internet.
+
+5. IANA Considerations
+
+ Getting rid of the DNS MIB extensions should not impose any new work
+ on IANA.
+
+6. Acknowledgments
+
+ The author would like to thank all the people who were involved in
+ this project over the years for their optimism and patience,
+ misguided though it may have been.
+
+7. References
+
+ [DNS-SERVER-MIB] Austein, R. and J. Saperia, "DNS Server MIB
+ Extensions", RFC 1611, May 1994.
+
+ [DNS-RESOLVER-MIB] Austein, R. and J. Saperia, "DNS Resolver MIB
+ Extensions", RFC 1612, May 1994.
+
+ [DNS-DYNAMIC-UPDATE] Vixie, P., Thomson, S., Rekhter, Y. and J.
+ Bound, "Dynamic Updates in the Domain Name
+ System (DNS UPDATE)", RFC 2136, April 1997.
+
+ [AGENTX] Daniele, M., Wijnen, B., Ellison, M., and D.
+ Francisco, "Agent Extensibility (AgentX)
+ Protocol Version 1", RFC 2741, January 2000.
+
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 3]
+
+RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
+
+
+8. Author's Address
+
+ Rob Austein
+ InterNetShare, Incorporated
+ 325M Sharon Park Drive, Suite 308
+ Menlo Park, CA 94025
+ USA
+
+ EMail: sra@hactrn.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 4]
+
+RFC 3197 Applicability Statement - DNS MIB Extensions November 2001
+
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 5]
+
diff --git a/contrib/bind9/doc/rfc/rfc3225.txt b/contrib/bind9/doc/rfc/rfc3225.txt
new file mode 100644
index 0000000..13e6768
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3225.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group D. Conrad
+Request for Comments: 3225 Nominum, Inc.
+Category: Standards Track December 2001
+
+
+ Indicating Resolver Support of DNSSEC
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ In order to deploy DNSSEC (Domain Name System Security Extensions)
+ operationally, DNSSEC aware servers should only perform automatic
+ inclusion of DNSSEC RRs when there is an explicit indication that the
+ resolver can understand those RRs. This document proposes the use of
+ a bit in the EDNS0 header to provide that explicit indication and
+ describes the necessary protocol changes to implement that
+ notification.
+
+1. Introduction
+
+ DNSSEC [RFC2535] has been specified to provide data integrity and
+ authentication to security aware resolvers and applications through
+ the use of cryptographic digital signatures. However, as DNSSEC is
+ deployed, non-DNSSEC-aware clients will likely query DNSSEC-aware
+ servers. In such situations, the DNSSEC-aware server (responding to
+ a request for data in a signed zone) will respond with SIG, KEY,
+ and/or NXT records. For reasons described in the subsequent section,
+ such responses can have significant negative operational impacts for
+ the DNS infrastructure.
+
+ This document discusses a method to avoid these negative impacts,
+ namely DNSSEC-aware servers should only respond with SIG, KEY, and/or
+ NXT RRs when there is an explicit indication from the resolver that
+ it can understand those RRs.
+
+ For the purposes of this document, "DNSSEC security RRs" are
+ considered RRs of type SIG, KEY, or NXT.
+
+
+
+Conrad Standards Track [Page 1]
+
+RFC 3225 Indicating Resolver Support of DNSSEC December 2001
+
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2. Rationale
+
+ Initially, as DNSSEC is deployed, the vast majority of queries will
+ be from resolvers that are not DNSSEC aware and thus do not
+ understand or support the DNSSEC security RRs. When a query from
+ such a resolver is received for a DNSSEC signed zone, the DNSSEC
+ specification indicates the nameserver must respond with the
+ appropriate DNSSEC security RRs. As DNS UDP datagrams are limited to
+ 512 bytes [RFC1035], responses including DNSSEC security RRs have a
+ high probability of resulting in a truncated response being returned
+ and the resolver retrying the query using TCP.
+
+ TCP DNS queries result in significant overhead due to connection
+ setup and teardown. Operationally, the impact of these TCP queries
+ will likely be quite detrimental in terms of increased network
+ traffic (typically five packets for a single query/response instead
+ of two), increased latency resulting from the additional round trip
+ times, increased incidences of queries failing due to timeouts, and
+ significantly increased load on nameservers.
+
+ In addition, in preliminary and experimental deployment of DNSSEC,
+ there have been reports of non-DNSSEC aware resolvers being unable to
+ handle responses which contain DNSSEC security RRs, resulting in the
+ resolver failing (in the worst case) or entire responses being
+ ignored (in the better case).
+
+ Given these operational implications, explicitly notifying the
+ nameserver that the client is prepared to receive (if not understand)
+ DNSSEC security RRs would be prudent.
+
+ Client-side support of DNSSEC is assumed to be binary -- either the
+ client is willing to receive all DNSSEC security RRs or it is not
+ willing to accept any. As such, a single bit is sufficient to
+ indicate client-side DNSSEC support. As effective use of DNSSEC
+ implies the need of EDNS0 [RFC2671], bits in the "classic" (non-EDNS
+ enhanced DNS header) are scarce, and there may be situations in which
+ non-compliant caching or forwarding servers inappropriately copy data
+ from classic headers as queries are passed on to authoritative
+ servers, the use of a bit from the EDNS0 header is proposed.
+
+ An alternative approach would be to use the existence of an EDNS0
+ header as an implicit indication of client-side support of DNSSEC.
+ This approach was not chosen as there may be applications in which
+ EDNS0 is supported but in which the use of DNSSEC is inappropriate.
+
+
+
+Conrad Standards Track [Page 2]
+
+RFC 3225 Indicating Resolver Support of DNSSEC December 2001
+
+
+3. Protocol Changes
+
+ The mechanism chosen for the explicit notification of the ability of
+ the client to accept (if not understand) DNSSEC security RRs is using
+ the most significant bit of the Z field on the EDNS0 OPT header in
+ the query. This bit is referred to as the "DNSSEC OK" (DO) bit. In
+ the context of the EDNS0 OPT meta-RR, the DO bit is the first bit of
+ the third and fourth bytes of the "extended RCODE and flags" portion
+ of the EDNS0 OPT meta-RR, structured as follows:
+
+ +0 (MSB) +1 (LSB)
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 0: | EXTENDED-RCODE | VERSION |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 2: |DO| Z |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+ Setting the DO bit to one in a query indicates to the server that the
+ resolver is able to accept DNSSEC security RRs. The DO bit cleared
+ (set to zero) indicates the resolver is unprepared to handle DNSSEC
+ security RRs and those RRs MUST NOT be returned in the response
+ (unless DNSSEC security RRs are explicitly queried for). The DO bit
+ of the query MUST be copied in the response.
+
+ More explicitly, DNSSEC-aware nameservers MUST NOT insert SIG, KEY,
+ or NXT RRs to authenticate a response as specified in [RFC2535]
+ unless the DO bit was set on the request. Security records that
+ match an explicit SIG, KEY, NXT, or ANY query, or are part of the
+ zone data for an AXFR or IXFR query, are included whether or not the
+ DO bit was set.
+
+ A recursive DNSSEC-aware server MUST set the DO bit on recursive
+ requests, regardless of the status of the DO bit on the initiating
+ resolver request. If the initiating resolver request does not have
+ the DO bit set, the recursive DNSSEC-aware server MUST remove DNSSEC
+ security RRs before returning the data to the client, however cached
+ data MUST NOT be modified.
+
+ In the event a server returns a NOTIMP, FORMERR or SERVFAIL response
+ to a query that has the DO bit set, the resolver SHOULD NOT expect
+ DNSSEC security RRs and SHOULD retry the query without EDNS0 in
+ accordance with section 5.3 of [RFC2671].
+
+
+
+
+
+
+
+
+
+Conrad Standards Track [Page 3]
+
+RFC 3225 Indicating Resolver Support of DNSSEC December 2001
+
+
+Security Considerations
+
+ The absence of DNSSEC data in response to a query with the DO bit set
+ MUST NOT be taken to mean no security information is available for
+ that zone as the response may be forged or a non-forged response of
+ an altered (DO bit cleared) query.
+
+IANA Considerations
+
+ EDNS0 [RFC2671] defines 16 bits as extended flags in the OPT record,
+ these bits are encoded into the TTL field of the OPT record (RFC2671
+ section 4.6).
+
+ This document reserves one of these bits as the OK bit. It is
+ requested that the left most bit be allocated. Thus the USE of the
+ OPT record TTL field would look like
+
+ +0 (MSB) +1 (LSB)
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 0: | EXTENDED-RCODE | VERSION |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+ 2: |DO| Z |
+ +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
+
+Acknowledgements
+
+ This document is based on a rough draft by Bob Halley with input from
+ Olafur Gudmundsson, Andreas Gustafsson, Brian Wellington, Randy Bush,
+ Rob Austein, Steve Bellovin, and Erik Nordmark.
+
+References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+
+
+
+
+Conrad Standards Track [Page 4]
+
+RFC 3225 Indicating Resolver Support of DNSSEC December 2001
+
+
+Author's Address
+
+ David Conrad
+ Nominum Inc.
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ Phone: +1 650 381 6003
+ EMail: david.conrad@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Conrad Standards Track [Page 5]
+
+RFC 3225 Indicating Resolver Support of DNSSEC December 2001
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Conrad Standards Track [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc3226.txt b/contrib/bind9/doc/rfc/rfc3226.txt
new file mode 100644
index 0000000..dac0e11
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3226.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group O. Gudmundsson
+Request for Comments: 3226 December 2001
+Updates: 2874, 2535
+Category: Standards Track
+
+
+ DNSSEC and IPv6 A6 aware server/resolver message size requirements
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+Abstract
+
+ This document mandates support for EDNS0 (Extension Mechanisms for
+ DNS) in DNS entities claiming to support either DNS Security
+ Extensions or A6 records. This requirement is necessary because
+ these new features increase the size of DNS messages. If EDNS0 is
+ not supported fall back to TCP will happen, having a detrimental
+ impact on query latency and DNS server load. This document updates
+ RFC 2535 and RFC 2874, by adding new requirements.
+
+1. Introduction
+
+ Familiarity with the DNS [RFC1034, RFC1035], DNS Security Extensions
+ [RFC2535], EDNS0 [RFC2671] and A6 [RFC2874] is helpful.
+
+ STD 13, RFC 1035 Section 2.3.4 requires that DNS messages over UDP
+ have a data payload of 512 octets or less. Most DNS software today
+ will not accept larger UDP datagrams. Any answer that requires more
+ than 512 octets, results in a partial and sometimes useless reply
+ with the Truncation Bit set; in most cases the requester will then
+ retry using TCP. Furthermore, server delivery of truncated responses
+ varies widely and resolver handling of these responses also varies,
+ leading to additional inefficiencies in handling truncation.
+
+ Compared to UDP, TCP is an expensive protocol to use for a simple
+ transaction like DNS: a TCP connection requires 5 packets for setup
+ and tear down, excluding data packets, thus requiring at least 3
+ round trips on top of the one for the original UDP query. The DNS
+
+
+
+Gudmundsson Standards Track [Page 1]
+
+RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
+
+
+ server also needs to keep a state of the connection during this
+ transaction. Many DNS servers answer thousands of queries per
+ second, requiring them to use TCP will cause significant overhead and
+ delays.
+
+1.1. Requirements
+
+ The key words "MUST", "REQUIRED", "SHOULD", "RECOMMENDED", and "MAY"
+ in this document are to be interpreted as described in RFC 2119.
+
+2. Motivating factors
+
+2.1. DNSSEC motivations
+
+ DNSSEC [RFC2535] secures DNS by adding a Public Key signature on each
+ RR set. These signatures range in size from about 80 octets to 800
+ octets, most are going to be in the range of 80 to 200 octets. The
+ addition of signatures on each or most RR sets in an answer
+ significantly increases the size of DNS answers from secure zones.
+
+ For performance reasons and to reduce load on DNS servers, it is
+ important that security aware servers and resolvers get all the data
+ in Answer and Authority section in one query without truncation.
+ Sending Additional Data in the same query is helpful when the server
+ is authoritative for the data, and this reduces round trips.
+
+ DNSSEC OK[OK] specifies how a client can, using EDNS0, indicate that
+ it is interested in receiving DNSSEC records. The OK bit does not
+ eliminate the need for large answers for DNSSEC capable clients.
+
+2.1.1. Message authentication or TSIG motivation
+
+ TSIG [RFC2845] allows for the light weight authentication of DNS
+ messages, but increases the size of the messages by at least 70
+ octets. DNSSEC specifies for computationally expensive message
+ authentication SIG(0) using a standard public key signature. As only
+ one TSIG or SIG(0) can be attached to each DNS answer the size
+ increase of message authentication is not significant, but may still
+ lead to a truncation.
+
+2.2. IPv6 Motivations
+
+ IPv6 addresses [RFC2874] are 128 bits and can be represented in the
+ DNS by multiple A6 records, each consisting of a domain name and a
+ bit field. The domain name refers to an address prefix that may
+ require additional A6 RRs to be included in the answer. Answers
+ where the queried name has multiple A6 addresses may overflow a 512-
+ octet UDP packet size.
+
+
+
+Gudmundsson Standards Track [Page 2]
+
+RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
+
+
+2.3. Root server and TLD server motivations
+
+ The current number of root servers is limited to 13 as that is the
+ maximum number of name servers and their address records that fit in
+ one 512-octet answer for a SOA record. If root servers start
+ advertising A6 or KEY records then the answer for the root NS records
+ will not fit in a single 512-octet DNS message, resulting in a large
+ number of TCP query connections to the root servers. Even if all
+ client resolver query their local name server for information, there
+ are millions of these servers. Each name server must periodically
+ update its information about the high level servers.
+
+ For redundancy, latency and load balancing reasons, large numbers of
+ DNS servers are required for some zones. Since the root zone is used
+ by the entire net, it is important to have as many servers as
+ possible. Large TLDs (and many high-visibility SLDs) often have
+ enough servers that either A6 or KEY records would cause the NS
+ response to overflow the 512 byte limit. Note that these zones with
+ large numbers of servers are often exactly those zones that are
+ critical to network operation and that already sustain fairly high
+ loads.
+
+2.4. UDP vs TCP for DNS messages
+
+ Given all these factors, it is essential that any implementation that
+ supports DNSSEC and or A6 be able to use larger DNS messages than 512
+ octets.
+
+ The original 512 restriction was put in place to reduce the
+ probability of fragmentation of DNS responses. A fragmented UDP
+ message that suffers a loss of one of the fragments renders the
+ answer useless and the query must be retried. A TCP connection
+ requires a larger number of round trips for establishment, data
+ transfer and tear down, but only the lost data segments are
+ retransmitted.
+
+ In the early days a number of IP implementations did not handle
+ fragmentation well, but all modern operating systems have overcome
+ that issue thus sending fragmented messages is fine from that
+ standpoint. The open issue is the effect of losses on fragmented
+ messages. If connection has high loss ratio only TCP will allow
+ reliable transfer of DNS data, most links have low loss ratios thus
+ sending fragmented UDP packet in one round trip is better than
+ establishing a TCP connection to transfer a few thousand octets.
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 3]
+
+RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
+
+
+2.5. EDNS0 and large UDP messages
+
+ EDNS0 [RFC2671] allows clients to declare the maximum size of UDP
+ message they are willing to handle. Thus, if the expected answer is
+ between 512 octets and the maximum size that the client can accept,
+ the additional overhead of a TCP connection can be avoided.
+
+3. Protocol changes:
+
+ This document updates RFC 2535 and RFC 2874, by adding new
+ requirements.
+
+ All RFC 2535 compliant servers and resolvers MUST support EDNS0 and
+ advertise message size of at least 1220 octets, but SHOULD advertise
+ message size of 4000. This value might be too low to get full
+ answers for high level servers and successor of this document may
+ require a larger value.
+
+ All RFC 2874 compliant servers and resolver MUST support EDNS0 and
+ advertise message size of at least 1024 octets, but SHOULD advertise
+ message size of 2048. The IPv6 datagrams should be 1024 octets,
+ unless the MTU of the path is known. (Note that this is smaller than
+ the minimum IPv6 MTU to allow for some extension headers and/or
+ encapsulation without exceeding the minimum MTU.)
+
+ All RFC 2535 and RFC 2874 compliant entities MUST be able to handle
+ fragmented IPv4 and IPv6 UDP packets.
+
+ All hosts supporting both RFC 2535 and RFC 2874 MUST use the larger
+ required value in EDNS0 advertisements.
+
+4. Acknowledgments
+
+ Harald Alvestrand, Rob Austein, Randy Bush, David Conrad, Andreas
+ Gustafsson, Jun-ichiro itojun Hagino, Bob Halley, Edward Lewis
+ Michael Patton and Kazu Yamamoto were instrumental in motivating and
+ shaping this document.
+
+5. Security Considerations:
+
+ There are no additional security considerations other than those in
+ RFC 2671.
+
+6. IANA Considerations:
+
+ None
+
+
+
+
+
+Gudmundsson Standards Track [Page 4]
+
+RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
+
+
+7. References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2535] Eastlake, D. "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
+ IPv6 Address Aggregation and Renumbering", RFC 2874, July
+ 2000.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+8. Author Address
+
+ Olafur Gudmundsson
+ 3826 Legation Street, NW
+ Washington, DC 20015
+ USA
+
+ EMail: ogud@ogud.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 5]
+
+RFC 3226 DNSSEC and IPv6 A6 requirements December 2001
+
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2001). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc3258.txt b/contrib/bind9/doc/rfc/rfc3258.txt
new file mode 100644
index 0000000..dcd4b34
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3258.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group T. Hardie
+Request for Comments: 3258 Nominum, Inc.
+Category: Informational April 2002
+
+
+ Distributing Authoritative Name Servers via Shared Unicast Addresses
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ This memo describes a set of practices intended to enable an
+ authoritative name server operator to provide access to a single
+ named server in multiple locations. The primary motivation for the
+ development and deployment of these practices is to increase the
+ distribution of Domain Name System (DNS) servers to previously
+ under-served areas of the network topology and to reduce the latency
+ for DNS query responses in those areas.
+
+1. Introduction
+
+ This memo describes a set of practices intended to enable an
+ authoritative name server operator to provide access to a single
+ named server in multiple locations. The primary motivation for the
+ development and deployment of these practices is to increase the
+ distribution of DNS servers to previously under-served areas of the
+ network topology and to reduce the latency for DNS query responses in
+ those areas. This document presumes a one-to-one mapping between
+ named authoritative servers and administrative entities (operators).
+ This document contains no guidelines or recommendations for caching
+ name servers. The shared unicast system described here is specific
+ to IPv4; applicability to IPv6 is an area for further study. It
+ should also be noted that the system described here is related to
+ that described in [ANYCAST], but it does not require dedicated
+ address space, routing changes, or the other elements of a full
+ anycast infrastructure which that document describes.
+
+
+
+
+
+
+
+Hardie Informational [Page 1]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+2. Architecture
+
+2.1 Server Requirements
+
+ Operators of authoritative name servers may wish to refer to
+ [SECONDARY] and [ROOT] for general guidance on appropriate practice
+ for authoritative name servers. In addition to proper configuration
+ as a standard authoritative name server, each of the hosts
+ participating in a shared-unicast system should be configured with
+ two network interfaces. These interfaces may be either two physical
+ interfaces or one physical interface mapped to two logical
+ interfaces. One of the network interfaces should use the IPv4 shared
+ unicast address associated with the authoritative name server. The
+ other interface, referred to as the administrative interface below,
+ should use a distinct IPv4 address specific to that host. The host
+ should respond to DNS queries only on the shared-unicast interface.
+ In order to provide the most consistent set of responses from the
+ mesh of anycast hosts, it is good practice to limit responses on that
+ interface to zones for which the host is authoritative.
+
+2.2 Zone file delivery
+
+ In order to minimize the risk of man-in-the-middle attacks, zone
+ files should be delivered to the administrative interface of the
+ servers participating in the mesh. Secure file transfer methods and
+ strong authentication should be used for all transfers. If the hosts
+ in the mesh make their zones available for zone transfer, the
+ administrative interfaces should be used for those transfers as well,
+ in order to avoid the problems with potential routing changes for TCP
+ traffic noted in section 2.5 below.
+
+2.3 Synchronization
+
+ Authoritative name servers may be loosely or tightly synchronized,
+ depending on the practices set by the operating organization. As
+ noted below in section 4.1.2, lack of synchronization among servers
+ using the same shared unicast address could create problems for some
+ users of this service. In order to minimize that risk, switch-overs
+ from one data set to another data set should be coordinated as much
+ as possible. The use of synchronized clocks on the participating
+ hosts and set times for switch-overs provides a basic level of
+ coordination. A more complete coordination process would involve:
+
+ a) receipt of zones at a distribution host
+ b) confirmation of the integrity of zones received
+ c) distribution of the zones to all of the servers in the mesh
+ d) confirmation of the integrity of the zones at each server
+
+
+
+
+Hardie Informational [Page 2]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+ e) coordination of the switchover times for the servers in the
+ mesh
+ f) institution of a failure process to ensure that servers that
+ did not receive correct data or could not switchover to the new
+ data ceased to respond to incoming queries until the problem
+ could be resolved.
+
+ Depending on the size of the mesh, the distribution host may also be
+ a participant; for authoritative servers, it may also be the host on
+ which zones are generated.
+
+ This document presumes that the usual DNS failover methods are the
+ only ones used to ensure reachability of the data for clients. It
+ does not advise that the routes be withdrawn in the case of failure;
+ it advises instead that the DNS process shutdown so that servers on
+ other addresses are queried. This recommendation reflects a choice
+ between performance and operational complexity. While it would be
+ possible to have some process withdraw the route for a specific
+ server instance when it is not available, there is considerable
+ operational complexity involved in ensuring that this occurs
+ reliably. Given the existing DNS failover methods, the marginal
+ improvement in performance will not be sufficient to justify the
+ additional complexity for most uses.
+
+2.4 Server Placement
+
+ Though the geographic diversity of server placement helps reduce the
+ effects of service disruptions due to local problems, it is diversity
+ of placement in the network topology which is the driving force
+ behind these distribution practices. Server placement should
+ emphasize that diversity. Ideally, servers should be placed
+ topologically near the points at which the operator exchanges routes
+ and traffic with other networks.
+
+2.5 Routing
+
+ The organization administering the mesh of servers sharing a unicast
+ address must have an autonomous system number and speak BGP to its
+ peers. To those peers, the organization announces a route to the
+ network containing the shared-unicast address of the name server.
+ The organization's border routers must then deliver the traffic
+ destined for the name server to the nearest instantiation. Routing
+ to the administrative interfaces for the servers can use the normal
+ routing methods for the administering organization.
+
+ One potential problem with using shared unicast addresses is that
+ routers forwarding traffic to them may have more than one available
+ route, and those routes may, in fact, reach different instances of
+
+
+
+Hardie Informational [Page 3]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+ the shared unicast address. Applications like the DNS, whose
+ communication typically consists of independent request-response
+ messages each fitting in a single UDP packet present no problem.
+ Other applications, in which multiple packets must reach the same
+ endpoint (e.g., TCP) may fail or present unworkable performance
+ characteristics in some circumstances. Split-destination failures
+ may occur when a router does per-packet (or round-robin) load
+ sharing, a topology change occurs that changes the relative metrics
+ of two paths to the same anycast destination, etc.
+
+ Four things mitigate the severity of this problem. The first is that
+ UDP is a fairly high proportion of the query traffic to name servers.
+ The second is that the aim of this proposal is to diversify
+ topological placement; for most users, this means that the
+ coordination of placement will ensure that new instances of a name
+ server will be at a significantly different cost metric from existing
+ instances. Some set of users may end up in the middle, but that
+ should be relatively rare. The third is that per packet load sharing
+ is only one of the possible load sharing mechanisms, and other
+ mechanisms are increasing in popularity.
+
+ Lastly, in the case where the traffic is TCP, per packet load sharing
+ is used, and equal cost routes to different instances of a name
+ server are available, any DNS implementation which measures the
+ performance of servers to select a preferred server will quickly
+ prefer a server for which this problem does not occur. For the DNS
+ failover mechanisms to reliably avoid this problem, however, those
+ using shared unicast distribution mechanisms must take care that all
+ of the servers for a specific zone are not participants in the same
+ shared-unicast mesh. To guard even against the case where multiple
+ meshes have a set of users affected by per packet load sharing along
+ equal cost routes, organizations implementing these practices should
+ always provide at least one authoritative server which is not a
+ participant in any shared unicast mesh. Those deploying shared-
+ unicast meshes should note that any specific host may become
+ unreachable to a client should a server fail, a path fail, or the
+ route to that host be withdrawn. These error conditions are,
+ however, not specific to shared-unicast distributions, but would
+ occur for standard unicast hosts.
+
+ Since ICMP response packets might go to a different member of the
+ mesh than that sending a packet, packets sent with a shared unicast
+ source address should also avoid using path MTU discovery.
+
+ Appendix A. contains an ASCII diagram of an example of a simple
+ implementation of this system. In it, the odd numbered routers
+ deliver traffic to the shared-unicast interface network and filter
+ traffic from the administrative network; the even numbered routers
+
+
+
+Hardie Informational [Page 4]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+ deliver traffic to the administrative network and filter traffic from
+ the shared-unicast network. These are depicted as separate routers
+ for the ease this gives in explanation, but they could easily be
+ separate interfaces on the same router. Similarly, a local NTP
+ source is depicted for synchronization, but the level of
+ synchronization needed would not require that source to be either
+ local or a stratum one NTP server.
+
+3. Administration
+
+3.1 Points of Contact
+
+ A single point of contact for reporting problems is crucial to the
+ correct administration of this system. If an external user of the
+ system needs to report a problem related to the service, there must
+ be no ambiguity about whom to contact. If internal monitoring does
+ not indicate a problem, the contact may, of course, need to work with
+ the external user to identify which server generated the error.
+
+4. Security Considerations
+
+ As a core piece of Internet infrastructure, authoritative name
+ servers are common targets of attack. The practices outlined here
+ increase the risk of certain kinds of attacks and reduce the risk of
+ others.
+
+4.1 Increased Risks
+
+4.1.1 Increase in physical servers
+
+ The architecture outlined in this document increases the number of
+ physical servers, which could increase the possibility that a server
+ mis-configuration will occur which allows for a security breach. In
+ general, the entity administering a mesh should ensure that patches
+ and security mechanisms applied to a single member of the mesh are
+ appropriate for and applied to all of the members of a mesh.
+ "Genetic diversity" (code from different code bases) can be a useful
+ security measure in avoiding attacks based on vulnerabilities in a
+ specific code base; in order to ensure consistency of responses from
+ a single named server, however, that diversity should be applied to
+ different shared-unicast meshes or between a mesh and a related
+ unicast authoritative server.
+
+4.1.2 Data synchronization problems
+
+ The level of systemic synchronization described above should be
+ augmented by synchronization of the data present at each of the
+ servers. While the DNS itself is a loosely coupled system, debugging
+
+
+
+Hardie Informational [Page 5]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+ problems with data in specific zones would be far more difficult if
+ two different servers sharing a single unicast address might return
+ different responses to the same query. For example, if the data
+ associated with www.example.com has changed and the administrators of
+ the domain are testing for the changes at the example.com
+ authoritative name servers, they should not need to check each
+ instance of a named authoritative server. The use of NTP to provide
+ a synchronized time for switch-over eliminates some aspects of this
+ problem, but mechanisms to handle failure during the switchover are
+ required. In particular, a server which cannot make the switchover
+ must not roll-back to a previous version; it must cease to respond to
+ queries so that other servers are queried.
+
+4.1.3 Distribution risks
+
+ If the mechanism used to distribute zone files among the servers is
+ not well secured, a man-in-the-middle attack could result in the
+ injection of false information. Digital signatures will alleviate
+ this risk, but encrypted transport and tight access lists are a
+ necessary adjunct to them. Since zone files will be distributed to
+ the administrative interfaces of meshed servers, the access control
+ list for distribution of the zone files should include the
+ administrative interface of the server or servers, rather than their
+ shared unicast addresses.
+
+4.2 Decreased Risks
+
+ The increase in number of physical servers reduces the likelihood
+ that a denial-of-service attack will take out a significant portion
+ of the DNS infrastructure. The increase in servers also reduces the
+ effect of machine crashes, fiber cuts, and localized disasters by
+ reducing the number of users dependent on a specific machine.
+
+5. Acknowledgments
+
+ Masataka Ohta, Bill Manning, Randy Bush, Chris Yarnell, Ray Plzak,
+ Mark Andrews, Robert Elz, Geoff Huston, Bill Norton, Akira Kato,
+ Suzanne Woolf, Bernard Aboba, Casey Ajalat, and Gunnar Lindberg all
+ provided input and commentary on this work. The editor wishes to
+ remember in particular the contribution of the late Scott Tucker,
+ whose extensive systems experience and plain common sense both
+ contributed greatly to the editor's own deployment experience and are
+ missed by all who knew him.
+
+
+
+
+
+
+
+
+Hardie Informational [Page 6]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+6. References
+
+ [SECONDARY] Elz, R., Bush, R., Bradner, S. and M. Patton, "Selection
+ and Operation of Secondary DNS Servers", BCP 16, RFC
+ 2182, July 1997.
+
+ [ROOT] Bush, R., Karrenberg, D., Kosters, M. and R. Plzak, "Root
+ Name Server Operational Requirements", BCP 40, RFC 2870,
+ June 2000.
+
+ [ANYCAST] Patridge, C., Mendez, T. and W. Milliken, "Host
+ Anycasting Service", RFC 1546, November 1993.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardie Informational [Page 7]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+Appendix A.
+
+ __________________
+Peer 1-| |
+Peer 2-| |
+Peer 3-| Switch |
+Transit| | _________ _________
+etc | |--|Router1|---|----|----------|Router2|---WAN-|
+ | | --------- | | --------- |
+ | | | | |
+ | | | | |
+ ------------------ [NTP] [DNS] |
+ |
+ |
+ |
+ |
+ __________________ |
+Peer 1-| | |
+Peer 2-| | |
+Peer 3-| Switch | |
+Transit| | _________ _________ |
+etc | |--|Router3|---|----|----------|Router4|---WAN-|
+ | | --------- | | --------- |
+ | | | | |
+ | | | | |
+ ------------------ [NTP] [DNS] |
+ |
+ |
+ |
+ |
+ __________________ |
+Peer 1-| | |
+Peer 2-| | |
+Peer 3-| Switch | |
+Transit| | _________ _________ |
+etc | |--|Router5|---|----|----------|Router6|---WAN-|
+ | | --------- | | --------- |
+ | | | | |
+ | | | | |
+ ------------------ [NTP] [DNS] |
+ |
+ |
+ |
+
+
+
+
+
+
+
+
+Hardie Informational [Page 8]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+ |
+ __________________ |
+Peer 1-| | |
+Peer 2-| | |
+Peer 3-| Switch | |
+Transit| | _________ _________ |
+etc | |--|Router7|---|----|----------|Router8|---WAN-|
+ | | --------- | | ---------
+ | | | |
+ | | | |
+ ------------------ [NTP] [DNS]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardie Informational [Page 9]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+7. Editor's Address
+
+ Ted Hardie
+ Nominum, Inc.
+ 2385 Bay Road.
+ Redwood City, CA 94063
+
+ Phone: 1.650.381.6226
+ EMail: Ted.Hardie@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardie Informational [Page 10]
+
+RFC 3258 Distributing Authoritative Name Servers April 2002
+
+
+8. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hardie Informational [Page 11]
+
diff --git a/contrib/bind9/doc/rfc/rfc3363.txt b/contrib/bind9/doc/rfc/rfc3363.txt
new file mode 100644
index 0000000..9d7a39c
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3363.txt
@@ -0,0 +1,339 @@
+
+
+
+
+
+
+Network Working Group R. Bush
+Request for Comments: 3363 A. Durand
+Updates: 2673, 2874 B. Fink
+Category: Informational O. Gudmundsson
+ T. Hain
+ Editors
+ August 2002
+
+
+ Representing Internet Protocol version 6 (IPv6)
+ Addresses in the Domain Name System (DNS)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ This document clarifies and updates the standards status of RFCs that
+ define direct and reverse map of IPv6 addresses in DNS. This
+ document moves the A6 and Bit label specifications to experimental
+ status.
+
+1. Introduction
+
+ The IETF had begun the process of standardizing two different address
+ formats for IPv6 addresses AAAA [RFC1886] and A6 [RFC2874] and both
+ are at proposed standard. This had led to confusion and conflicts on
+ which one to deploy. It is important for deployment that any
+ confusion in this area be cleared up, as there is a feeling in the
+ community that having more than one choice will lead to delays in the
+ deployment of IPv6. The goal of this document is to clarify the
+ situation.
+
+ This document also discusses issues relating to the usage of Binary
+ Labels [RFC 2673] to support the reverse mapping of IPv6 addresses.
+
+ This document is based on extensive technical discussion on various
+ relevant working groups mailing lists and a joint DNSEXT and NGTRANS
+ meeting at the 51st IETF in August 2001. This document attempts to
+ capture the sense of the discussions and reflect them in this
+ document to represent the consensus of the community.
+
+
+
+Bush, et. al. Informational [Page 1]
+
+RFC 3363 Representation of IPv6 Addresses in DNS August 2002
+
+
+ The main arguments and the issues are covered in a separate document
+ [RFC3364] that reflects the current understanding of the issues.
+ This document summarizes the outcome of these discussions.
+
+ The issue of the root of reverse IPv6 address map is outside the
+ scope of this document and is covered in a different document
+ [RFC3152].
+
+1.1 Standards Action Taken
+
+ This document changes the status of RFCs 2673 and 2874 from Proposed
+ Standard to Experimental.
+
+2. IPv6 Addresses: AAAA RR vs A6 RR
+
+ Working group consensus as perceived by the chairs of the DNSEXT and
+ NGTRANS working groups is that:
+
+ a) AAAA records are preferable at the moment for production
+ deployment of IPv6, and
+
+ b) that A6 records have interesting properties that need to be better
+ understood before deployment.
+
+ c) It is not known if the benefits of A6 outweigh the costs and
+ risks.
+
+2.1 Rationale
+
+ There are several potential issues with A6 RRs that stem directly
+ from the feature that makes them different from AAAA RRs: the ability
+ to build up addresses via chaining.
+
+ Resolving a chain of A6 RRs involves resolving a series of what are
+ nearly-independent queries. Each of these sub-queries takes some
+ non-zero amount of time, unless the answer happens to be in the
+ resolver's local cache already. Other things being equal, we expect
+ that the time it takes to resolve an N-link chain of A6 RRs will be
+ roughly proportional to N. What data we have suggests that users are
+ already impatient with the length of time it takes to resolve A RRs
+ in the IPv4 Internet, which suggests that users are not likely to be
+ patient with significantly longer delays in the IPv6 Internet, but
+ terminating queries prematurely is both a waste of resources and
+ another source of user frustration. Thus, we are forced to conclude
+ that indiscriminate use of long A6 chains is likely to lead to
+ increased user frustration.
+
+
+
+
+
+Bush, et. al. Informational [Page 2]
+
+RFC 3363 Representation of IPv6 Addresses in DNS August 2002
+
+
+ The probability of failure during the process of resolving an N-link
+ A6 chain also appears to be roughly proportional to N, since each of
+ the queries involved in resolving an A6 chain has roughly the same
+ probability of failure as a single AAAA query.
+
+ Last, several of the most interesting potential applications for A6
+ RRs involve situations where the prefix name field in the A6 RR
+ points to a target that is not only outside the DNS zone containing
+ the A6 RR, but is administered by a different organization entirely.
+ While pointers out of zone are not a problem per se, experience both
+ with glue RRs and with PTR RRs in the IN-ADDR.ARPA tree suggests that
+ pointers to other organizations are often not maintained properly,
+ perhaps because they're less susceptible to automation than pointers
+ within a single organization would be.
+
+2.2 Recommended Standard Action
+
+ Based on the perceived consensus, this document recommends that RFC
+ 1886 stay on standards track and be advanced, while moving RFC 2874
+ to Experimental status.
+
+3. Bitlabels in the Reverse DNS Tree
+
+ RFC 2673 defines a new DNS label type. This was the first new type
+ defined since RFC 1035 [RFC1035]. Since the development of 2673 it
+ has been learned that deployment of a new type is difficult since DNS
+ servers that do not support bitlabels reject queries containing bit
+ labels as being malformed. The community has also indicated that
+ this new label type is not needed for mapping reverse addresses.
+
+3.1 Rationale
+
+ The hexadecimal text representation of IPv6 addresses appears to be
+ capable of expressing all of the delegation schemes that we expect to
+ be used in the DNS reverse tree.
+
+3.2 Recommended Standard Action
+
+ RFC 2673 standard status is to be changed from Proposed to
+ Experimental. Future standardization of these documents is to be
+ done by the DNSEXT working group or its successor.
+
+
+
+
+
+
+
+
+
+
+Bush, et. al. Informational [Page 3]
+
+RFC 3363 Representation of IPv6 Addresses in DNS August 2002
+
+
+4. DNAME in IPv6 Reverse Tree
+
+ The issues for DNAME in the reverse mapping tree appears to be
+ closely tied to the need to use fragmented A6 in the main tree: if
+ one is necessary, so is the other, and if one isn't necessary, the
+ other isn't either. Therefore, in moving RFC 2874 to experimental,
+ the intent of this document is that use of DNAME RRs in the reverse
+ tree be deprecated.
+
+5. Acknowledgments
+
+ This document is based on input from many members of the various IETF
+ working groups involved in this issues. Special thanks go to the
+ people that prepared reading material for the joint DNSEXT and
+ NGTRANS working group meeting at the 51st IETF in London, Rob
+ Austein, Dan Bernstein, Matt Crawford, Jun-ichiro itojun Hagino,
+ Christian Huitema. Number of other people have made number of
+ comments on mailing lists about this issue including Andrew W.
+ Barclay, Robert Elz, Johan Ihren, Edward Lewis, Bill Manning, Pekka
+ Savola, Paul Vixie.
+
+6. Security Considerations
+
+ As this document specifies a course of action, there are no direct
+ security considerations. There is an indirect security impact of the
+ choice, in that the relationship between A6 and DNSSEC is not well
+ understood throughout the community, while the choice of AAAA does
+ leads to a model for use of DNSSEC in IPv6 networks which parallels
+ current IPv4 practice.
+
+7. IANA Considerations
+
+ None.
+
+Normative References
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1886] Thompson, S. and C. Huitema, "DNS Extensions to support IP
+ version 6", RFC 1886, December 1995.
+
+ [RFC2673] Crawford, M., "Binary Labels in the Domain Name System",
+ RFC 2673, August 1999.
+
+ [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
+ IPv6 Address Aggregation and Renumbering", RFC 2874, July
+ 2000.
+
+
+
+Bush, et. al. Informational [Page 4]
+
+RFC 3363 Representation of IPv6 Addresses in DNS August 2002
+
+
+ [RFC3152] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152
+ August 2001.
+
+Informative References
+
+ [RFC3364] Austein, R., "Tradeoffs in Domain Name System (DNS)
+ Support for Internet Protocol version 6 (IPv6)", RFC 3364,
+ August 2002.
+
+Editors' Addresses
+
+ Randy Bush
+ EMail: randy@psg.com
+
+
+ Alain Durand
+ EMail: alain.durand@sun.com
+
+
+ Bob Fink
+ EMail: fink@es.net
+
+
+ Olafur Gudmundsson
+ EMail: ogud@ogud.com
+
+
+ Tony Hain
+ EMail: hain@tndh.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bush, et. al. Informational [Page 5]
+
+RFC 3363 Representation of IPv6 Addresses in DNS August 2002
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Bush, et. al. Informational [Page 6]
+
diff --git a/contrib/bind9/doc/rfc/rfc3364.txt b/contrib/bind9/doc/rfc/rfc3364.txt
new file mode 100644
index 0000000..189c0d2
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3364.txt
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group R. Austein
+Request for Comments: 3364 Bourgeois Dilettant
+Updates: 2673, 2874 August 2002
+Category: Informational
+
+
+ Tradeoffs in Domain Name System (DNS) Support
+ for Internet Protocol version 6 (IPv6)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ The IETF has two different proposals on the table for how to do DNS
+ support for IPv6, and has thus far failed to reach a clear consensus
+ on which approach is better. This note attempts to examine the pros
+ and cons of each approach, in the hope of clarifying the debate so
+ that we can reach closure and move on.
+
+Introduction
+
+ RFC 1886 [RFC1886] specified straightforward mechanisms to support
+ IPv6 addresses in the DNS. These mechanisms closely resemble the
+ mechanisms used to support IPv4, with a minor improvement to the
+ reverse mapping mechanism based on experience with CIDR. RFC 1886 is
+ currently listed as a Proposed Standard.
+
+ RFC 2874 [RFC2874] specified enhanced mechanisms to support IPv6
+ addresses in the DNS. These mechanisms provide new features that
+ make it possible for an IPv6 address stored in the DNS to be broken
+ up into multiple DNS resource records in ways that can reflect the
+ network topology underlying the address, thus making it possible for
+ the data stored in the DNS to reflect certain kinds of network
+ topology changes or routing architectures that are either impossible
+ or more difficult to represent without these mechanisms. RFC 2874 is
+ also currently listed as a Proposed Standard.
+
+
+
+
+
+
+
+Austein Informational [Page 1]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+ Both of these Proposed Standards were the output of the IPNG Working
+ Group. Both have been implemented, although implementation of
+ [RFC1886] is more widespread, both because it was specified earlier
+ and because it's simpler to implement.
+
+ There's little question that the mechanisms proposed in [RFC2874] are
+ more general than the mechanisms proposed in [RFC1886], and that
+ these enhanced mechanisms might be valuable if IPv6's evolution goes
+ in certain directions. The questions are whether we really need the
+ more general mechanism, what new usage problems might come along with
+ the enhanced mechanisms, and what effect all this will have on IPv6
+ deployment.
+
+ The one thing on which there does seem to be widespread agreement is
+ that we should make up our minds about all this Real Soon Now.
+
+Main Advantages of Going with A6
+
+ While the A6 RR proposed in [RFC2874] is very general and provides a
+ superset of the functionality provided by the AAAA RR in [RFC1886],
+ many of the features of A6 can also be implemented with AAAA RRs via
+ preprocessing during zone file generation.
+
+ There is one specific area where A6 RRs provide something that cannot
+ be provided using AAAA RRs: A6 RRs can represent addresses in which a
+ prefix portion of the address can change without any action (or
+ perhaps even knowledge) by the parties controlling the DNS zone
+ containing the terminal portion (least significant bits) of the
+ address. This includes both so-called "rapid renumbering" scenarios
+ (where an entire network's prefix may change very quickly) and
+ routing architectures such as the former "GSE" proposal [GSE] (where
+ the "routing goop" portion of an address may be subject to change
+ without warning). A6 RRs do not completely remove the need to update
+ leaf zones during all renumbering events (for example, changing ISPs
+ would usually require a change to the upward delegation pointer), but
+ careful use of A6 RRs could keep the number of RRs that need to
+ change during such an event to a minimum.
+
+ Note that constructing AAAA RRs via preprocessing during zone file
+ generation requires exactly the sort of information that A6 RRs store
+ in the DNS. This begs the question of where the hypothetical
+ preprocessor obtains that information if it's not getting it from the
+ DNS.
+
+ Note also that the A6 RR, when restricted to its zero-length-prefix
+ form ("A6 0"), is semantically equivalent to an AAAA RR (with one
+ "wasted" octet in the wire representation), so anything that can be
+ done with an AAAA RR can also be done with an A6 RR.
+
+
+
+Austein Informational [Page 2]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+Main Advantages of Going with AAAA
+
+ The AAAA RR proposed in [RFC1886], while providing only a subset of
+ the functionality provided by the A6 RR proposed in [RFC2874], has
+ two main points to recommend it:
+
+ - AAAA RRs are essentially identical (other than their length) to
+ IPv4's A RRs, so we have more than 15 years of experience to help
+ us predict the usage patterns, failure scenarios and so forth
+ associated with AAAA RRs.
+
+ - The AAAA RR is "optimized for read", in the sense that, by storing
+ a complete address rather than making the resolver fetch the
+ address in pieces, it minimizes the effort involved in fetching
+ addresses from the DNS (at the expense of increasing the effort
+ involved in injecting new data into the DNS).
+
+Less Compelling Arguments in Favor of A6
+
+ Since the A6 RR allows a zone administrator to write zone files whose
+ description of addresses maps to the underlying network topology, A6
+ RRs can be construed as a "better" way of representing addresses than
+ AAAA. This may well be a useful capability, but in and of itself
+ it's more of an argument for better tools for zone administrators to
+ use when constructing zone files than a justification for changing
+ the resolution protocol used on the wire.
+
+Less Compelling Arguments in Favor of AAAA
+
+ Some of the pressure to go with AAAA instead of A6 appears to be
+ based on the wider deployment of AAAA. Since it is possible to
+ construct transition tools (see discussion of AAAA synthesis, later
+ in this note), this does not appear to be a compelling argument if A6
+ provides features that we really need.
+
+ Another argument in favor of AAAA RRs over A6 RRs appears to be that
+ the A6 RR's advanced capabilities increase the number of ways in
+ which a zone administrator could build a non-working configuration.
+ While operational issues are certainly important, this is more of
+ argument that we need better tools for zone administrators than it is
+ a justification for turning away from A6 if A6 provides features that
+ we really need.
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 3]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+Potential Problems with A6
+
+ The enhanced capabilities of the A6 RR, while interesting, are not in
+ themselves justification for choosing A6 if we don't really need
+ those capabilities. The A6 RR is "optimized for write", in the sense
+ that, by making it possible to store fragmented IPv6 addresses in the
+ DNS, it makes it possible to reduce the effort that it takes to
+ inject new data into the DNS (at the expense of increasing the effort
+ involved in fetching data from the DNS). This may be justified if we
+ expect the effort involved in maintaining AAAA-style DNS entries to
+ be prohibitive, but in general, we expect the DNS data to be read
+ more frequently than it is written, so we need to evaluate this
+ particular tradeoff very carefully.
+
+ There are also several potential issues with A6 RRs that stem
+ directly from the feature that makes them different from AAAA RRs:
+ the ability to build up address via chaining.
+
+ Resolving a chain of A6 RRs involves resolving a series of what are
+ almost independent queries, but not quite. Each of these sub-queries
+ takes some non-zero amount of time, unless the answer happens to be
+ in the resolver's local cache already. Assuming that resolving an
+ AAAA RR takes time T as a baseline, we can guess that, on the
+ average, it will take something approaching time N*T to resolve an
+ N-link chain of A6 RRs, although we would expect to see a fairly good
+ caching factor for the A6 fragments representing the more significant
+ bits of an address. This leaves us with two choices, neither of
+ which is very good: we can decrease the amount of time that the
+ resolver is willing to wait for each fragment, or we can increase the
+ amount of time that a resolver is willing to wait before returning
+ failure to a client. What little data we have on this subject
+ suggests that users are already impatient with the length of time it
+ takes to resolve A RRs in the IPv4 Internet, which suggests that they
+ are not likely to be patient with significantly longer delays in the
+ IPv6 Internet. At the same time, terminating queries prematurely is
+ both a waste of resources and another source of user frustration.
+ Thus, we are forced to conclude that indiscriminate use of long A6
+ chains is likely to lead to problems.
+
+ To make matters worse, the places where A6 RRs are likely to be most
+ critical for rapid renumbering or GSE-like routing are situations
+ where the prefix name field in the A6 RR points to a target that is
+ not only outside the DNS zone containing the A6 RR, but is
+ administered by a different organization (for example, in the case of
+ an end user's site, the prefix name will most likely point to a name
+ belonging to an ISP that provides connectivity for the site). While
+ pointers out of zone are not a problem per se, pointers to other
+ organizations are somewhat more difficult to maintain and less
+
+
+
+Austein Informational [Page 4]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+ susceptible to automation than pointers within a single organization
+ would be. Experience both with glue RRs and with PTR RRs in the IN-
+ ADDR.ARPA tree suggests that many zone administrators do not really
+ understand how to set up and maintain these pointers properly, and we
+ have no particular reason to believe that these zone administrators
+ will do a better job with A6 chains than they do today. To be fair,
+ however, the alternative case of building AAAA RRs via preprocessing
+ before loading zones has many of the same problems; at best, one can
+ claim that using AAAA RRs for this purpose would allow DNS clients to
+ get the wrong answer somewhat more efficiently than with A6 RRs.
+
+ Finally, assuming near total ignorance of how likely a query is to
+ fail, the probability of failure with an N-link A6 chain would appear
+ to be roughly proportional to N, since each of the queries involved
+ in resolving an A6 chain would have the same probability of failure
+ as a single AAAA query. Note again that this comment applies to
+ failures in the the process of resolving a query, not to the data
+ obtained via that process. Arguably, in an ideal world, A6 RRs would
+ increase the probability of the answer a client (finally) gets being
+ right, assuming that nothing goes wrong in the query process, but we
+ have no real idea how to quantify that assumption at this point even
+ to the hand-wavey extent used elsewhere in this note.
+
+ One potential problem that has been raised in the past regarding A6
+ RRs turns out not to be a serious issue. The A6 design includes the
+ possibility of there being more than one A6 RR matching the prefix
+ name portion of a leaf A6 RR. That is, an A6 chain may not be a
+ simple linked list, it may in fact be a tree, where each branch
+ represents a possible prefix. Some critics of A6 have been concerned
+ that this will lead to a wild expansion of queries, but this turns
+ out not to be a problem if a resolver simply follows the "bounded
+ work per query" rule described in RFC 1034 (page 35). That rule
+ applies to all work resulting from attempts to process a query,
+ regardless of whether it's a simple query, a CNAME chain, an A6 tree,
+ or an infinite loop. The client may not get back a useful answer in
+ cases where the zone has been configured badly, but a proper
+ implementation should not produce a query explosion as a result of
+ processing even the most perverse A6 tree, chain, or loop.
+
+Interactions with DNSSEC
+
+ One of the areas where AAAA and A6 RRs differ is in the precise
+ details of how they interact with DNSSEC. The following comments
+ apply only to non-zero-prefix A6 RRs (A6 0 RRs, once again, are
+ semantically equivalent to AAAA RRs).
+
+
+
+
+
+
+Austein Informational [Page 5]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+ Other things being equal, the time it takes to re-sign all of the
+ addresses in a zone after a renumbering event is longer with AAAA RRs
+ than with A6 RRs (because each address record has to be re-signed
+ rather than just signing a common prefix A6 RR and a few A6 0 RRs
+ associated with the zone's name servers). Note, however, that in
+ general this does not present a serious scaling problem, because the
+ re-signing is performed in the leaf zones.
+
+ Other things being equal, there's more work involved in verifying the
+ signatures received back for A6 RRs, because each address fragment
+ has a separate associated signature. Similarly, a DNS message
+ containing a set of A6 address fragments and their associated
+ signatures will be larger than the equivalent packet with a single
+ AAAA (or A6 0) and a single associated signature.
+
+ Since AAAA RRs cannot really represent rapid renumbering or GSE-style
+ routing scenarios very well, it should not be surprising that DNSSEC
+ signatures of AAAA RRs are also somewhat problematic. In cases where
+ the AAAA RRs would have to be changing very quickly to keep up with
+ prefix changes, the time required to re-sign the AAAA RRs may be
+ prohibitive.
+
+ Empirical testing by Bill Sommerfeld [Sommerfeld] suggests that
+ 333MHz Celeron laptop with 128KB L2 cache and 64MB RAM running the
+ BIND-9 dnssec-signzone program under NetBSD can generate roughly 40
+ 1024-bit RSA signatures per second. Extrapolating from this,
+ assuming one A RR, one AAAA RR, and one NXT RR per host, this
+ suggests that it would take this laptop a few hours to sign a zone
+ listing 10**5 hosts, or about a day to sign a zone listing 10**6
+ hosts using AAAA RRs.
+
+ This suggests that the additional effort of re-signing a large zone
+ full of AAAA RRs during a re-numbering event, while noticeable, is
+ only likely to be prohibitive in the rapid renumbering case where
+ AAAA RRs don't work well anyway.
+
+Interactions with Dynamic Update
+
+ DNS dynamic update appears to work equally well for AAAA or A6 RRs,
+ with one minor exception: with A6 RRs, the dynamic update client
+ needs to know the prefix length and prefix name. At present, no
+ mechanism exists to inform a dynamic update client of these values,
+ but presumably such a mechanism could be provided via an extension to
+ DHCP, or some other equivalent could be devised.
+
+
+
+
+
+
+
+Austein Informational [Page 6]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+Transition from AAAA to A6 Via AAAA Synthesis
+
+ While AAAA is at present more widely deployed than A6, it is possible
+ to transition from AAAA-aware DNS software to A6-aware DNS software.
+ A rough plan for this was presented at IETF-50 in Minneapolis and has
+ been discussed on the ipng mailing list. So if the IETF concludes
+ that A6's enhanced capabilities are necessary, it should be possible
+ to transition from AAAA to A6.
+
+ The details of this transition have been left to a separate document,
+ but the general idea is that the resolver that is performing
+ iterative resolution on behalf of a DNS client program could
+ synthesize AAAA RRs representing the result of performing the
+ equivalent A6 queries. Note that in this case it is not possible to
+ generate an equivalent DNSSEC signature for the AAAA RR, so clients
+ that care about performing DNSSEC validation for themselves would
+ have to issue A6 queries directly rather than relying on AAAA
+ synthesis.
+
+Bitlabels
+
+ While the differences between AAAA and A6 RRs have generated most of
+ the discussion to date, there are also two proposed mechanisms for
+ building the reverse mapping tree (the IPv6 equivalent of IPv4's IN-
+ ADDR.ARPA tree).
+
+ [RFC1886] proposes a mechanism very similar to the IN-ADDR.ARPA
+ mechanism used for IPv4 addresses: the RR name is the hexadecimal
+ representation of the IPv6 address, reversed and concatenated with a
+ well-known suffix, broken up with a dot between each hexadecimal
+ digit. The resulting DNS names are somewhat tedious for humans to
+ type, but are very easy for programs to generate. Making each
+ hexadecimal digit a separate label means that delegation on arbitrary
+ bit boundaries will result in a maximum of 16 NS RRsets per label
+ level; again, the mechanism is somewhat tedious for humans, but is
+ very easy to program. As with IPv4's IN-ADDR.ARPA tree, the one
+ place where this scheme is weak is in handling delegations in the
+ least significant label; however, since there appears to be no real
+ need to delegate the least significant four bits of an IPv6 address,
+ this does not appear to be a serious restriction.
+
+ [RFC2874] proposed a radically different way of naming entries in the
+ reverse mapping tree: rather than using textual representations of
+ addresses, it proposes to use a new kind of DNS label (a "bit label")
+ to represent binary addresses directly in the DNS. This has the
+ advantage of being significantly more compact than the textual
+ representation, and arguably might have been a better solution for
+ DNS to use for this purpose if it had been designed into the protocol
+
+
+
+Austein Informational [Page 7]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+ from the outset. Unfortunately, experience to date suggests that
+ deploying a new DNS label type is very hard: all of the DNS name
+ servers that are authoritative for any portion of the name in
+ question must be upgraded before the new label type can be used, as
+ must any resolvers involved in the resolution process. Any name
+ server that has not been upgraded to understand the new label type
+ will reject the query as being malformed.
+
+ Since the main benefit of the bit label approach appears to be an
+ ability that we don't really need (delegation in the least
+ significant four bits of an IPv6 address), and since the upgrade
+ problem is likely to render bit labels unusable until a significant
+ portion of the DNS code base has been upgraded, it is difficult to
+ escape the conclusion that the textual solution is good enough.
+
+DNAME RRs
+
+ [RFC2874] also proposes using DNAME RRs as a way of providing the
+ equivalent of A6's fragmented addresses in the reverse mapping tree.
+ That is, by using DNAME RRs, one can write zone files for the reverse
+ mapping tree that have the same ability to cope with rapid
+ renumbering or GSE-style routing that the A6 RR offers in the main
+ portion of the DNS tree. Consequently, the need to use DNAME in the
+ reverse mapping tree appears to be closely tied to the need to use
+ fragmented A6 in the main tree: if one is necessary, so is the other,
+ and if one isn't necessary, the other isn't either.
+
+ Other uses have also been proposed for the DNAME RR, but since they
+ are outside the scope of the IPv6 address discussion, they will not
+ be addressed here.
+
+Recommendation
+
+ Distilling the above feature comparisons down to their key elements,
+ the important questions appear to be:
+
+ (a) Is IPv6 going to do rapid renumbering or GSE-like routing?
+
+ (b) Is the reverse mapping tree for IPv6 going to require delegation
+ in the least significant four bits of the address?
+
+ Question (a) appears to be the key to the debate. This is really a
+ decision for the IPv6 community to make, not the DNS community.
+
+ Question (b) is also for the IPv6 community to make, but it seems
+ fairly obvious that the answer is "no".
+
+
+
+
+
+Austein Informational [Page 8]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+ Recommendations based on these questions:
+
+ (1) If the IPv6 working groups seriously intend to specify and deploy
+ rapid renumbering or GSE-like routing, we should transition to
+ using the A6 RR in the main tree and to using DNAME RRs as
+ necessary in the reverse tree.
+
+ (2) Otherwise, we should keep the simpler AAAA solution in the main
+ tree and should not use DNAME RRs in the reverse tree.
+
+ (3) In either case, the reverse tree should use the textual
+ representation described in [RFC1886] rather than the bit label
+ representation described in [RFC2874].
+
+ (4) If we do go to using A6 RRs in the main tree and to using DNAME
+ RRs in the reverse tree, we should write applicability statements
+ and implementation guidelines designed to discourage excessively
+ complex uses of these features; in general, any network that can
+ be described adequately using A6 0 RRs and without using DNAME
+ RRs should be described that way, and the enhanced features
+ should be used only when absolutely necessary, at least until we
+ have much more experience with them and have a better
+ understanding of their failure modes.
+
+Security Considerations
+
+ This note compares two mechanisms with similar security
+ characteristics, but there are a few security implications to the
+ choice between these two mechanisms:
+
+ (1) The two mechanisms have similar but not identical interactions
+ with DNSSEC. Please see the section entitled "Interactions with
+ DNSSEC" (above) for a discussion of these issues.
+
+ (2) To the extent that operational complexity is the enemy of
+ security, the tradeoffs in operational complexity discussed
+ throughout this note have an impact on security.
+
+ (3) To the extent that protocol complexity is the enemy of security,
+ the additional protocol complexity of [RFC2874] as compared to
+ [RFC1886] has some impact on security.
+
+IANA Considerations
+
+ None, since all of these RR types have already been allocated.
+
+
+
+
+
+
+Austein Informational [Page 9]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+Acknowledgments
+
+ This note is based on a number of discussions both public and private
+ over a period of (at least) eight years, but particular thanks go to
+ Alain Durand, Bill Sommerfeld, Christian Huitema, Jun-ichiro itojun
+ Hagino, Mark Andrews, Matt Crawford, Olafur Gudmundsson, Randy Bush,
+ and Sue Thomson, none of whom are responsible for what the author did
+ with their ideas.
+
+References
+
+ [RFC1886] Thomson, S. and C. Huitema, "DNS Extensions to support
+ IP version 6", RFC 1886, December 1995.
+
+ [RFC2874] Crawford, M. and C. Huitema, "DNS Extensions to Support
+ IPv6 Address Aggregation and Renumbering", RFC 2874,
+ July 2000.
+
+ [Sommerfeld] Private message to the author from Bill Sommerfeld dated
+ 21 March 2001, summarizing the result of experiments he
+ performed on a copy of the MIT.EDU zone.
+
+ [GSE] "GSE" was an evolution of the so-called "8+8" proposal
+ discussed by the IPng working group in 1996 and 1997.
+ The GSE proposal itself was written up as an Internet-
+ Draft, which has long since expired. Readers interested
+ in the details and history of GSE should review the IPng
+ working group's mailing list archives and minutes from
+ that period.
+
+Author's Address
+
+ Rob Austein
+
+ EMail: sra@hactrn.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 10]
+
+RFC 3364 Tradeoffs in DNS Support for IPv6 August 2002
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Austein Informational [Page 11]
+
diff --git a/contrib/bind9/doc/rfc/rfc3425.txt b/contrib/bind9/doc/rfc/rfc3425.txt
new file mode 100644
index 0000000..707cafd
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3425.txt
@@ -0,0 +1,283 @@
+
+
+
+
+
+
+Network Working Group D. Lawrence
+Request for Comments: 3425 Nominum
+Updates: 1035 November 2002
+Category: Standards Track
+
+
+ Obsoleting IQUERY
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ The IQUERY method of performing inverse DNS lookups, specified in RFC
+ 1035, has not been generally implemented and has usually been
+ operationally disabled where it has been implemented. Both reflect a
+ general view in the community that the concept was unwise and that
+ the widely-used alternate approach of using pointer (PTR) queries and
+ reverse-mapping records is preferable. Consequently, this document
+ deprecates the IQUERY operation, declaring it entirely obsolete.
+ This document updates RFC 1035.
+
+1 - Introduction
+
+ As specified in RFC 1035 (section 6.4), the IQUERY operation for DNS
+ queries is used to look up the name(s) which are associated with the
+ given value. The value being sought is provided in the query's
+ answer section and the response fills in the question section with
+ one or more 3-tuples of type, name and class.
+
+ As noted in [RFC1035], section 6.4.3, inverse query processing can
+ put quite an arduous burden on a server. A server would need to
+ perform either an exhaustive search of its database or maintain a
+ separate database that is keyed by the values of the primary
+ database. Both of these approaches could strain system resource use,
+ particularly for servers that are authoritative for millions of
+ names.
+
+
+
+
+
+Lawrence Standards Track [Page 1]
+
+RFC 3425 Obsoleting IQUERY November 2002
+
+
+ Response packets from these megaservers could be exceptionally large,
+ and easily run into megabyte sizes. For example, using IQUERY to
+ find every domain that is delegated to one of the nameservers of a
+ large ISP could return tens of thousands of 3-tuples in the question
+ section. This could easily be used to launch denial of service
+ attacks.
+
+ Operators of servers that do support IQUERY in some form (such as
+ very old BIND 4 servers) generally opt to disable it. This is
+ largely due to bugs in insufficiently-exercised code, or concerns
+ about exposure of large blocks of names in their zones by probes such
+ as inverse MX queries.
+
+ IQUERY is also somewhat inherently crippled by being unable to tell a
+ requester where it needs to go to get the information that was
+ requested. The answer is very specific to the single server that was
+ queried. This is sometimes a handy diagnostic tool, but apparently
+ not enough so that server operators like to enable it, or request
+ implementation where it is lacking.
+
+ No known clients use IQUERY to provide any meaningful service. The
+ only common reverse mapping support on the Internet, mapping address
+ records to names, is provided through the use of pointer (PTR)
+ records in the in-addr.arpa tree and has served the community well
+ for many years.
+
+ Based on all of these factors, this document recommends that the
+ IQUERY operation for DNS servers be officially obsoleted.
+
+2 - Requirements
+
+ The key word "SHOULD" in this document is to be interpreted as
+ described in BCP 14, RFC 2119, namely that there may exist valid
+ reasons to ignore a particular item, but the full implications must
+ be understood and carefully weighed before choosing a different
+ course.
+
+3 - Effect on RFC 1035
+
+ The effect of this document is to change the definition of opcode 1
+ from that originally defined in section 4.1.1 of RFC 1035, and to
+ entirely supersede section 6.4 (including subsections) of RFC 1035.
+
+ The definition of opcode 1 is hereby changed to:
+
+ "1 an inverse query (IQUERY) (obsolete)"
+
+
+
+
+
+Lawrence Standards Track [Page 2]
+
+RFC 3425 Obsoleting IQUERY November 2002
+
+
+ The text in section 6.4 of RFC 1035 is now considered obsolete. The
+ following is an applicability statement regarding the IQUERY opcode:
+
+ Inverse queries using the IQUERY opcode were originally described as
+ the ability to look up the names that are associated with a
+ particular Resource Record (RR). Their implementation was optional
+ and never achieved widespread use. Therefore IQUERY is now obsolete,
+ and name servers SHOULD return a "Not Implemented" error when an
+ IQUERY request is received.
+
+4 - Security Considerations
+
+ Since this document obsoletes an operation that was once available,
+ it is conceivable that someone was using it as the basis of a
+ security policy. However, since the most logical course for such a
+ policy to take in the face of a lack of positive response from a
+ server is to deny authentication/authorization, it is highly unlikely
+ that removing support for IQUERY will open any new security holes.
+
+ Note that if IQUERY is not obsoleted, securing the responses with DNS
+ Security (DNSSEC) is extremely difficult without out-on-the-fly
+ digital signing.
+
+5 - IANA Considerations
+
+ The IQUERY opcode of 1 should be permanently retired, not to be
+ assigned to any future opcode.
+
+6 - Acknowledgments
+
+ Olafur Gudmundsson instigated this action. Matt Crawford, John
+ Klensin, Erik Nordmark and Keith Moore contributed some improved
+ wording in how to handle obsoleting functionality described by an
+ Internet Standard.
+
+7 - References
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
+ 3", BCP 9, RFC 2026, October 1996.
+
+ [RFC2119] Bradner, S., "Key Words for Use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+
+
+
+
+
+Lawrence Standards Track [Page 3]
+
+RFC 3425 Obsoleting IQUERY November 2002
+
+
+8 - Author's Address
+
+ David C Lawrence
+ Nominum, Inc.
+ 2385 Bay Rd
+ Redwood City CA 94063
+ USA
+
+ Phone: +1.650.779.6042
+ EMail: tale@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lawrence Standards Track [Page 4]
+
+RFC 3425 Obsoleting IQUERY November 2002
+
+
+9 - Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lawrence Standards Track [Page 5]
+
diff --git a/contrib/bind9/doc/rfc/rfc3445.txt b/contrib/bind9/doc/rfc/rfc3445.txt
new file mode 100644
index 0000000..67f9b2d
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3445.txt
@@ -0,0 +1,563 @@
+
+
+
+
+
+
+Network Working Group D. Massey
+Request for Comments: 3445 USC/ISI
+Updates: 2535 S. Rose
+Category: Standards Track NIST
+ December 2002
+
+
+ Limiting the Scope of the KEY Resource Record (RR)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ This document limits the Domain Name System (DNS) KEY Resource Record
+ (RR) to only keys used by the Domain Name System Security Extensions
+ (DNSSEC). The original KEY RR used sub-typing to store both DNSSEC
+ keys and arbitrary application keys. Storing both DNSSEC and
+ application keys with the same record type is a mistake. This
+ document removes application keys from the KEY record by redefining
+ the Protocol Octet field in the KEY RR Data. As a result of removing
+ application keys, all but one of the flags in the KEY record become
+ unnecessary and are redefined. Three existing application key sub-
+ types are changed to reserved, but the format of the KEY record is
+ not changed. This document updates RFC 2535.
+
+1. Introduction
+
+ This document limits the scope of the KEY Resource Record (RR). The
+ KEY RR was defined in [3] and used resource record sub-typing to hold
+ arbitrary public keys such as Email, IPSEC, DNSSEC, and TLS keys.
+ This document eliminates the existing Email, IPSEC, and TLS sub-types
+ and prohibits the introduction of new sub-types. DNSSEC will be the
+ only allowable sub-type for the KEY RR (hence sub-typing is
+ essentially eliminated) and all but one of the KEY RR flags are also
+ eliminated.
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 1]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+ Section 2 presents the motivation for restricting the KEY record and
+ Section 3 defines the revised KEY RR. Sections 4 and 5 summarize the
+ changes from RFC 2535 and discuss backwards compatibility. It is
+ important to note that this document restricts the use of the KEY RR
+ and simplifies the flags, but does not change the definition or use
+ of DNSSEC keys.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+2. Motivation for Restricting the KEY RR
+
+ The KEY RR RDATA [3] consists of Flags, a Protocol Octet, an
+ Algorithm type, and a Public Key. The Protocol Octet identifies the
+ KEY RR sub-type. DNSSEC public keys are stored in the KEY RR using a
+ Protocol Octet value of 3. Email, IPSEC, and TLS keys were also
+ stored in the KEY RR and used Protocol Octet values of 1,2, and 4
+ (respectively). Protocol Octet values 5-254 were available for
+ assignment by IANA and values were requested (but not assigned) for
+ applications such as SSH.
+
+ Any use of sub-typing has inherent limitations. A resolver can not
+ specify the desired sub-type in a DNS query and most DNS operations
+ apply only to resource records sets. For example, a resolver can not
+ directly request the DNSSEC subtype KEY RRs. Instead, the resolver
+ has to request all KEY RRs associated with a DNS name and then search
+ the set for the desired DNSSEC sub-type. DNSSEC signatures also
+ apply to the set of all KEY RRs associated with the DNS name,
+ regardless of sub-type.
+
+ In the case of the KEY RR, the inherent sub-type limitations are
+ exacerbated since the sub-type is used to distinguish between DNSSEC
+ keys and application keys. DNSSEC keys and application keys differ
+ in virtually every respect and Section 2.1 discusses these
+ differences in more detail. Combining these very different types of
+ keys into a single sub-typed resource record adds unnecessary
+ complexity and increases the potential for implementation and
+ deployment errors. Limited experimental deployment has shown that
+ application keys stored in KEY RRs are problematic.
+
+ This document addresses these issues by removing all application keys
+ from the KEY RR. Note that the scope of this document is strictly
+ limited to the KEY RR and this document does not endorse or restrict
+ the storage of application keys in other, yet undefined, resource
+ records.
+
+
+
+
+
+Massey & Rose Standards Track [Page 2]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+2.1 Differences Between DNSSEC and Application Keys
+
+ DNSSEC keys are an essential part of the DNSSEC protocol and are used
+ by both name servers and resolvers in order to perform DNS tasks. A
+ DNS zone key, used to sign and authenticate RR sets, is the most
+ common example of a DNSSEC key. SIG(0) [4] and TKEY [3] also use
+ DNSSEC keys.
+
+ Application keys such as Email keys, IPSEC keys, and TLS keys are
+ simply another type of data. These keys have no special meaning to a
+ name server or resolver.
+
+ The following table summarizes some of the differences between DNSSEC
+ keys and application keys:
+
+ 1. They serve different purposes.
+
+ 2. They are managed by different administrators.
+
+ 3. They are authenticated according to different rules.
+
+ 4. Nameservers use different rules when including them in
+ responses.
+
+ 5. Resolvers process them in different ways.
+
+ 6. Faults/key compromises have different consequences.
+
+ 1. The purpose of a DNSSEC key is to sign resource records
+ associated with a DNS zone (or generate DNS transaction signatures in
+ the case of SIG(0)/TKEY). But the purpose of an application key is
+ specific to the application. Application keys, such as PGP/email,
+ IPSEC, TLS, and SSH keys, are not a mandatory part of any zone and
+ the purpose and proper use of application keys is outside the scope
+ of DNS.
+
+ 2. DNSSEC keys are managed by DNS administrators, but application
+ keys are managed by application administrators. The DNS zone
+ administrator determines the key lifetime, handles any suspected key
+ compromises, and manages any DNSSEC key changes. Likewise, the
+ application administrator is responsible for the same functions for
+ the application keys related to the application. For example, a user
+ typically manages her own PGP key and a server manages its own TLS
+ key. Application key management tasks are outside the scope of DNS
+ administration.
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 3]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+ 3. DNSSEC zone keys are used to authenticate application keys, but
+ by definition, application keys are not allowed to authenticate DNS
+ zone keys. A DNS zone key is either configured as a trusted key or
+ authenticated by constructing a chain of trust in the DNS hierarchy.
+ To participate in the chain of trust, a DNS zone needs to exchange
+ zone key information with its parent zone [3]. Application keys are
+ not configured as trusted keys in the DNS and are never part of any
+ DNS chain of trust. Application key data is not needed by the parent
+ and does not need to be exchanged with the parent zone for secure DNS
+ resolution to work. A resolver considers an application key RRset as
+ authenticated DNS information if it has a valid signature from the
+ local DNS zone keys, but applications could impose additional
+ security requirements before the application key is accepted as
+ authentic for use with the application.
+
+ 4. It may be useful for nameservers to include DNS zone keys in the
+ additional section of a response, but application keys are typically
+ not useful unless they have been specifically requested. For
+ example, it could be useful to include the example.com zone key along
+ with a response that contains the www.example.com A record and SIG
+ record. A secure resolver will need the example.com zone key in
+ order to check the SIG and authenticate the www.example.com A record.
+ It is typically not useful to include the IPSEC, email, and TLS keys
+ along with the A record. Note that by placing application keys in
+ the KEY record, a resolver would need the IPSEC, email, TLS, and
+ other key associated with example.com if the resolver intends to
+ authenticate the example.com zone key (since signatures only apply to
+ the entire KEY RR set). Depending on the number of protocols
+ involved, the KEY RR set could grow unwieldy for resolvers, and DNS
+ administrators to manage.
+
+ 5. DNS zone keys require special handling by resolvers, but
+ application keys are treated the same as any other type of DNS data.
+ The DNSSEC keys are of no value to end applications, unless the
+ applications plan to do their own DNS authentication. By definition,
+ secure resolvers are not allowed to use application keys as part of
+ the authentication process. Application keys have no unique meaning
+ to resolvers and are only useful to the application requesting the
+ key. Note that if sub-types are used to identify the application
+ key, then either the interface to the resolver needs to specify the
+ sub-type or the application needs to be able to accept all KEY RRs
+ and pick out the desired sub-type.
+
+ 6. A fault or compromise of a DNS zone key can lead to invalid or
+ forged DNS data, but a fault or compromise of an application key
+ should have no impact on other DNS data. Incorrectly adding or
+ changing a DNS zone key can invalidate all of the DNS data in the
+ zone and in all of its subzones. By using a compromised key, an
+
+
+
+Massey & Rose Standards Track [Page 4]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+ attacker can forge data from the effected zone and for any of its
+ sub-zones. A fault or compromise of an application key has
+ implications for that application, but it should not have an impact
+ on the DNS. Note that application key faults and key compromises can
+ have an impact on the entire DNS if the application key and DNS zone
+ keys are both stored in the KEY RR.
+
+ In summary, DNSSEC keys and application keys differ in most every
+ respect. DNSSEC keys are an essential part of the DNS infrastructure
+ and require special handling by DNS administrators and DNS resolvers.
+ Application keys are simply another type of data and have no special
+ meaning to DNS administrators or resolvers. These two different
+ types of data do not belong in the same resource record.
+
+3. Definition of the KEY RR
+
+ The KEY RR uses type 25 and is used as resource record for storing
+ DNSSEC keys. The RDATA for a KEY RR consists of flags, a protocol
+ octet, the algorithm number octet, and the public key itself. The
+ format is as follows:
+
+ ---------------------------------------------------------------------
+
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | flags | protocol | algorithm |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | /
+ / public key /
+ / /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ KEY RR Format
+
+ ---------------------------------------------------------------------
+
+ In the flags field, all bits except bit 7 are reserved and MUST be
+ zero. If Bit 7 (Zone bit) is set to 1, then the KEY is a DNS Zone
+ key. If Bit 7 is set to 0, the KEY is not a zone key. SIG(0)/TKEY
+ are examples of DNSSEC keys that are not zone keys.
+
+ The protocol field MUST be set to 3.
+
+ The algorithm and public key fields are not changed.
+
+
+
+
+
+Massey & Rose Standards Track [Page 5]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+4. Changes from RFC 2535 KEY RR
+
+ The KEY RDATA format is not changed.
+
+ All flags except for the zone key flag are eliminated:
+
+ The A/C bits (bits 0 and 1) are eliminated. They MUST be set to 0
+ and MUST be ignored by the receiver.
+
+ The extended flags bit (bit 3) is eliminated. It MUST be set to 0
+ and MUST be ignored by the receiver.
+
+ The host/user bit (bit 6) is eliminated. It MUST be set to 0 and
+ MUST be ignored by the receiver.
+
+ The zone bit (bit 7) remains unchanged.
+
+ The signatory field (bits 12-15) are eliminated by [5]. They MUST
+ be set to 0 and MUST be ignored by the receiver.
+
+ Bits 2,4,5,8,9,10,11 remain unchanged. They are reserved, MUST be
+ set to zero and MUST be ignored by the receiver.
+
+ Assignment of any future KEY RR Flag values requires a standards
+ action.
+
+ All Protocol Octet values except DNSSEC (3) are eliminated:
+
+ Value 1 (Email) is renamed to RESERVED.
+
+ Value 2 (IPSEC) is renamed to RESERVED.
+
+ Value 3 (DNSSEC) is unchanged.
+
+ Value 4 (TLS) is renamed to RESERVED.
+
+ Value 5-254 remains unchanged (reserved).
+
+ Value 255 (ANY) is renamed to RESERVED.
+
+ The authoritative data for a zone MUST NOT include any KEY records
+ with a protocol octet other than 3. The registry maintained by IANA
+ for protocol values is closed for new assignments.
+
+ Name servers and resolvers SHOULD accept KEY RR sets that contain KEY
+ RRs with a value other than 3. If out of date DNS zones contain
+ deprecated KEY RRs with a protocol octet value other than 3, then
+ simply dropping the deprecated KEY RRs from the KEY RR set would
+
+
+
+Massey & Rose Standards Track [Page 6]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+ invalidate any associated SIG record(s) and could create caching
+ consistency problems. Note that KEY RRs with a protocol octet value
+ other than 3 MUST NOT be used to authenticate DNS data.
+
+ The algorithm and public key fields are not changed.
+
+5. Backward Compatibility
+
+ DNSSEC zone KEY RRs are not changed and remain backwards compatible.
+ A properly formatted RFC 2535 zone KEY would have all flag bits,
+ other than the Zone Bit (Bit 7), set to 0 and would have the Protocol
+ Octet set to 3. This remains true under the restricted KEY.
+
+ DNSSEC non-zone KEY RRs (SIG(0)/TKEY keys) are backwards compatible,
+ but the distinction between host and user keys (flag bit 6) is lost.
+
+ No backwards compatibility is provided for application keys. Any
+ Email, IPSEC, or TLS keys are now deprecated. Storing application
+ keys in the KEY RR created problems such as keys at the apex and
+ large RR sets and some change in the definition and/or usage of the
+ KEY RR would have been required even if the approach described here
+ were not adopted.
+
+ Overall, existing nameservers and resolvers will continue to
+ correctly process KEY RRs with a sub-type of DNSSEC keys.
+
+6. Storing Application Keys in the DNS
+
+ The scope of this document is strictly limited to the KEY record.
+ This document prohibits storing application keys in the KEY record,
+ but it does not endorse or restrict the storing application keys in
+ other record types. Other documents can describe how DNS handles
+ application keys.
+
+7. IANA Considerations
+
+ RFC 2535 created an IANA registry for DNS KEY RR Protocol Octet
+ values. Values 1, 2, 3, 4, and 255 were assigned by RFC 2535 and
+ values 5-254 were made available for assignment by IANA. This
+ document makes two sets of changes to this registry.
+
+ First, this document re-assigns DNS KEY RR Protocol Octet values 1,
+ 2, 4, and 255 to "reserved". DNS Key RR Protocol Octet Value 3
+ remains unchanged as "DNSSEC".
+
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 7]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+ Second, new values are no longer available for assignment by IANA and
+ this document closes the IANA registry for DNS KEY RR Protocol Octet
+ Values. Assignment of any future KEY RR Protocol Octet values
+ requires a standards action.
+
+8. Security Considerations
+
+ This document eliminates potential security problems that could arise
+ due to the coupling of DNS zone keys and application keys. Prior to
+ the change described in this document, a correctly authenticated KEY
+ set could include both application keys and DNSSEC keys. This
+ document restricts the KEY RR to DNS security usage only. This is an
+ attempt to simplify the security model and make it less user-error
+ prone. If one of the application keys is compromised, it could be
+ used as a false zone key to create false DNS signatures (SIG
+ records). Resolvers that do not carefully check the KEY sub-type
+ could believe these false signatures and incorrectly authenticate DNS
+ data. With this change, application keys cannot appear in an
+ authenticated KEY set and this vulnerability is eliminated.
+
+ The format and correct usage of DNSSEC keys is not changed by this
+ document and no new security considerations are introduced.
+
+9. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [3] Eastlake, D., "Secret Key Establishment for DNS (TKEY RR)", RFC
+ 2930, September 2000.
+
+ [4] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0)s)", RFC 2931, September 2000.
+
+ [5] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 8]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+10. Authors' Addresses
+
+ Dan Massey
+ USC Information Sciences Institute
+ 3811 N. Fairfax Drive
+ Arlington, VA 22203
+ USA
+
+ EMail: masseyd@isi.edu
+
+
+ Scott Rose
+ National Institute for Standards and Technology
+ 100 Bureau Drive
+ Gaithersburg, MD 20899-3460
+ USA
+
+ EMail: scott.rose@nist.gov
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 9]
+
+RFC 3445 Limiting the KEY Resource Record (RR) December 2002
+
+
+11. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Massey & Rose Standards Track [Page 10]
+
diff --git a/contrib/bind9/doc/rfc/rfc3467.txt b/contrib/bind9/doc/rfc/rfc3467.txt
new file mode 100644
index 0000000..37ac7ec
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3467.txt
@@ -0,0 +1,1739 @@
+
+
+
+
+
+
+Network Working Group J. Klensin
+Request for Comments: 3467 February 2003
+Category: Informational
+
+
+ Role of the Domain Name System (DNS)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document reviews the original function and purpose of the domain
+ name system (DNS). It contrasts that history with some of the
+ purposes for which the DNS has recently been applied and some of the
+ newer demands being placed upon it or suggested for it. A framework
+ for an alternative to placing these additional stresses on the DNS is
+ then outlined. This document and that framework are not a proposed
+ solution, only a strong suggestion that the time has come to begin
+ thinking more broadly about the problems we are encountering and
+ possible approaches to solving them.
+
+Table of Contents
+
+ 1. Introduction and History ..................................... 2
+ 1.1 Context for DNS Development ............................... 3
+ 1.2 Review of the DNS and Its Role as Designed ................ 4
+ 1.3 The Web and User-visible Domain Names ..................... 6
+ 1.4 Internet Applications Protocols and Their Evolution ....... 7
+ 2. Signs of DNS Overloading ..................................... 8
+ 3. Searching, Directories, and the DNS .......................... 12
+ 3.1 Overview ................................................. 12
+ 3.2 Some Details and Comments ................................. 14
+ 4. Internationalization ......................................... 15
+ 4.1 ASCII Isn't Just Because of English ....................... 16
+ 4.2 The "ASCII Encoding" Approaches ........................... 17
+ 4.3 "Stringprep" and Its Complexities ......................... 17
+ 4.4 The Unicode Stability Problem ............................. 19
+ 4.5 Audiences, End Users, and the User Interface Problem ...... 20
+ 4.6 Business Cards and Other Natural Uses of Natural Languages. 22
+ 4.7 ASCII Encodings and the Roman Keyboard Assumption ......... 22
+
+
+
+Klensin Informational [Page 1]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ 4.8 Intra-DNS Approaches for "Multilingual Names" ............. 23
+ 5. Search-based Systems: The Key Controversies .................. 23
+ 6. Security Considerations ...................................... 24
+ 7. References ................................................... 25
+ 7.1 Normative References ...................................... 25
+ 7.2 Explanatory and Informative References .................... 25
+ 8. Acknowledgements ............................................. 30
+ 9. Author's Address ............................................. 30
+ 10. Full Copyright Statement ..................................... 31
+
+1. Introduction and History
+
+ The DNS was designed as a replacement for the older "host table"
+ system. Both were intended to provide names for network resources at
+ a more abstract level than network (IP) addresses (see, e.g.,
+ [RFC625], [RFC811], [RFC819], [RFC830], [RFC882]). In recent years,
+ the DNS has become a database of convenience for the Internet, with
+ many proposals to add new features. Only some of these proposals
+ have been successful. Often the main (or only) motivation for using
+ the DNS is because it exists and is widely deployed, not because its
+ existing structure, facilities, and content are appropriate for the
+ particular application of data involved. This document reviews the
+ history of the DNS, including examination of some of those newer
+ applications. It then argues that the overloading process is often
+ inappropriate. Instead, it suggests that the DNS should be
+ supplemented by systems better matched to the intended applications
+ and outlines a framework and rationale for one such system.
+
+ Several of the comments that follow are somewhat revisionist. Good
+ design and engineering often requires a level of intuition by the
+ designers about things that will be necessary in the future; the
+ reasons for some of these design decisions are not made explicit at
+ the time because no one is able to articulate them. The discussion
+ below reconstructs some of the decisions about the Internet's primary
+ namespace (the "Class=IN" DNS) in the light of subsequent development
+ and experience. In addition, the historical reasons for particular
+ decisions about the Internet were often severely underdocumented
+ contemporaneously and, not surprisingly, different participants have
+ different recollections about what happened and what was considered
+ important. Consequently, the quasi-historical story below is just
+ one story. There may be (indeed, almost certainly are) other stories
+ about how the DNS evolved to its present state, but those variants do
+ not invalidate the inferences and conclusions.
+
+ This document presumes a general understanding of the terminology of
+ RFC 1034 [RFC1034] or of any good DNS tutorial (see, e.g., [Albitz]).
+
+
+
+
+
+Klensin Informational [Page 2]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+1.1 Context for DNS Development
+
+ During the entire post-startup-period life of the ARPANET and nearly
+ the first decade or so of operation of the Internet, the list of host
+ names and their mapping to and from addresses was maintained in a
+ frequently-updated "host table" [RFC625], [RFC811], [RFC952]. The
+ names themselves were restricted to a subset of ASCII [ASCII] chosen
+ to avoid ambiguities in printed form, to permit interoperation with
+ systems using other character codings (notably EBCDIC), and to avoid
+ the "national use" code positions of ISO 646 [IS646]. These
+ restrictions later became collectively known as the "LDH" rules for
+ "letter-digit-hyphen", the permitted characters. The table was just
+ a list with a common format that was eventually agreed upon; sites
+ were expected to frequently obtain copies of, and install, new
+ versions. The host tables themselves were introduced to:
+
+ o Eliminate the requirement for people to remember host numbers
+ (addresses). Despite apparent experience to the contrary in the
+ conventional telephone system, numeric numbering systems,
+ including the numeric host number strategy, did not (and do not)
+ work well for more than a (large) handful of hosts.
+
+ o Provide stability when addresses changed. Since addresses -- to
+ some degree in the ARPANET and more importantly in the
+ contemporary Internet -- are a function of network topology and
+ routing, they often had to be changed when connectivity or
+ topology changed. The names could be kept stable even as
+ addresses changed.
+
+ o Provide the capability to have multiple addresses associated with
+ a given host to reflect different types of connectivity and
+ topology. Use of names, rather than explicit addresses, avoided
+ the requirement that would otherwise exist for users and other
+ hosts to track these multiple host numbers and addresses and the
+ topological considerations for selecting one over others.
+
+ After several years of using the host table approach, the community
+ concluded that model did not scale adequately and that it would not
+ adequately support new service variations. A number of discussions
+ and meetings were held which drew several ideas and incomplete
+ proposals together. The DNS was the result of that effort. It
+ continued to evolve during the design and initial implementation
+ period, with a number of documents recording the changes (see
+ [RFC819], [RFC830], and [RFC1034]).
+
+
+
+
+
+
+
+Klensin Informational [Page 3]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ The goals for the DNS included:
+
+ o Preservation of the capabilities of the host table arrangements
+ (especially unique, unambiguous, host names),
+
+ o Provision for addition of additional services (e.g., the special
+ record types for electronic mail routing which quickly followed
+ introduction of the DNS), and
+
+ o Creation of a robust, hierarchical, distributed, name lookup
+ system to accomplish the other goals.
+
+ The DNS design also permitted distribution of name administration,
+ rather than requiring that each host be entered into a single,
+ central, table by a central administration.
+
+1.2 Review of the DNS and Its Role as Designed
+
+ The DNS was designed to identify network resources. Although there
+ was speculation about including, e.g., personal names and email
+ addresses, it was not designed primarily to identify people, brands,
+ etc. At the same time, the system was designed with the flexibility
+ to accommodate new data types and structures, both through the
+ addition of new record types to the initial "INternet" class, and,
+ potentially, through the introduction of new classes. Since the
+ appropriate identifiers and content of those future extensions could
+ not be anticipated, the design provided that these fields could
+ contain any (binary) information, not just the restricted text forms
+ of the host table.
+
+ However, the DNS, as it is actually used, is intimately tied to the
+ applications and application protocols that utilize it, often at a
+ fairly low level.
+
+ In particular, despite the ability of the protocols and data
+ structures themselves to accommodate any binary representation, DNS
+ names as used were historically not even unrestricted ASCII, but a
+ very restricted subset of it, a subset that derives from the original
+ host table naming rules. Selection of that subset was driven in part
+ by human factors considerations, including a desire to eliminate
+ possible ambiguities in an international context. Hence character
+ codes that had international variations in interpretation were
+ excluded, the underscore character and case distinctions were
+ eliminated as being confusing (in the underscore's case, with the
+ hyphen character) when written or read by people, and so on. These
+ considerations appear to be very similar to those that resulted in
+ similarly restricted character sets being used as protocol elements
+ in many ITU and ISO protocols (cf. [X29]).
+
+
+
+Klensin Informational [Page 4]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ Another assumption was that there would be a high ratio of physical
+ hosts to second level domains and, more generally, that the system
+ would be deeply hierarchical, with most systems (and names) at the
+ third level or below and a very large percentage of the total names
+ representing physical hosts. There are domains that follow this
+ model: many university and corporate domains use fairly deep
+ hierarchies, as do a few country-oriented top level domains
+ ("ccTLDs"). Historically, the "US." domain has been an excellent
+ example of the deeply hierarchical approach. However, by 1998,
+ comparison of several efforts to survey the DNS showed a count of SOA
+ records that approached (and may have passed) the number of distinct
+ hosts. Looked at differently, we appear to be moving toward a
+ situation in which the number of delegated domains on the Internet is
+ approaching or exceeding the number of hosts, or at least the number
+ of hosts able to provide services to others on the network. This
+ presumably results from synonyms or aliases that map a great many
+ names onto a smaller number of hosts. While experience up to this
+ time has shown that the DNS is robust enough -- given contemporary
+ machines as servers and current bandwidth norms -- to be able to
+ continue to operate reasonably well when those historical assumptions
+ are not met (e.g., with a flat, structure under ".COM" containing
+ well over ten million delegated subdomains [COMSIZE]), it is still
+ useful to remember that the system could have been designed to work
+ optimally with a flat structure (and very large zones) rather than a
+ deeply hierarchical one, and was not.
+
+ Similarly, despite some early speculation about entering people's
+ names and email addresses into the DNS directly (e.g., see
+ [RFC1034]), electronic mail addresses in the Internet have preserved
+ the original, pre-DNS, "user (or mailbox) at location" conceptual
+ format rather than a flatter or strictly dot-separated one.
+ Location, in that instance, is a reference to a host. The sole
+ exception, at least in the "IN" class, has been one field of the SOA
+ record.
+
+ Both the DNS architecture itself and the two-level (host name and
+ mailbox name) provisions for email and similar functions (e.g., see
+ the finger protocol [FINGER]), also anticipated a relatively high
+ ratio of users to actual hosts. Despite the observation in RFC 1034
+ that the DNS was expected to grow to be proportional to the number of
+ users (section 2.3), it has never been clear that the DNS was
+ seriously designed for, or could, scale to the order of magnitude of
+ number of users (or, more recently, products or document objects),
+ rather than that of physical hosts.
+
+ Just as was the case for the host table before it, the DNS provided
+ critical uniqueness for names, and universal accessibility to them,
+ as part of overall "single internet" and "end to end" models (cf.
+
+
+
+Klensin Informational [Page 5]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [RFC2826]). However, there are many signs that, as new uses evolved
+ and original assumptions were abused (if not violated outright), the
+ system was being stretched to, or beyond, its practical limits.
+
+ The original design effort that led to the DNS included examination
+ of the directory technologies available at the time. The design
+ group concluded that the DNS design, with its simplifying assumptions
+ and restricted capabilities, would be feasible to deploy and make
+ adequately robust, which the more comprehensive directory approaches
+ were not. At the same time, some of the participants feared that the
+ limitations might cause future problems; this document essentially
+ takes the position that they were probably correct. On the other
+ hand, directory technology and implementations have evolved
+ significantly in the ensuing years: it may be time to revisit the
+ assumptions, either in the context of the two- (or more) level
+ mechanism contemplated by the rest of this document or, even more
+ radically, as a path toward a DNS replacement.
+
+1.3 The Web and User-visible Domain Names
+
+ From the standpoint of the integrity of the domain name system -- and
+ scaling of the Internet, including optimal accessibility to content
+ -- the web design decision to use "A record" domain names directly in
+ URLs, rather than some system of indirection, has proven to be a
+ serious mistake in several respects. Convenience of typing, and the
+ desire to make domain names out of easily-remembered product names,
+ has led to a flattening of the DNS, with many people now perceiving
+ that second-level names under COM (or in some countries, second- or
+ third-level names under the relevant ccTLD) are all that is
+ meaningful. This perception has been reinforced by some domain name
+ registrars [REGISTRAR] who have been anxious to "sell" additional
+ names. And, of course, the perception that one needed a second-level
+ (or even top-level) domain per product, rather than having names
+ associated with a (usually organizational) collection of network
+ resources, has led to a rapid acceleration in the number of names
+ being registered. That acceleration has, in turn, clearly benefited
+ registrars charging on a per-name basis, "cybersquatters", and others
+ in the business of "selling" names, but it has not obviously
+ benefited the Internet as a whole.
+
+ This emphasis on second-level domain names has also created a problem
+ for the trademark community. Since the Internet is international,
+ and names are being populated in a flat and unqualified space,
+ similarly-named entities are in conflict even if there would
+ ordinarily be no chance of confusing them in the marketplace. The
+ problem appears to be unsolvable except by a choice between draconian
+ measures. These might include significant changes to the legislation
+ and conventions that govern disputes over "names" and "marks". Or
+
+
+
+Klensin Informational [Page 6]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ they might result in a situation in which the "rights" to a name are
+ typically not settled using the subtle and traditional product (or
+ industry) type and geopolitical scope rules of the trademark system.
+ Instead they have depended largely on political or economic power,
+ e.g., the organization with the greatest resources to invest in
+ defending (or attacking) names will ultimately win out. The latter
+ raises not only important issues of equity, but also the risk of
+ backlash as the numerous small players are forced to relinquish names
+ they find attractive and to adopt less-desirable naming conventions.
+
+ Independent of these sociopolitical problems, content distribution
+ issues have made it clear that it should be possible for an
+ organization to have copies of data it wishes to make available
+ distributed around the network, with a user who asks for the
+ information by name getting the topologically-closest copy. This is
+ not possible with simple, as-designed, use of the DNS: DNS names
+ identify target resources or, in the case of email "MX" records, a
+ preferentially-ordered list of resources "closest" to a target (not
+ to the source/user). Several technologies (and, in some cases,
+ corresponding business models) have arisen to work around these
+ problems, including intercepting and altering DNS requests so as to
+ point to other locations.
+
+ Additional implications are still being discovered and evaluated.
+
+ Approaches that involve interception of DNS queries and rewriting of
+ DNS names (or otherwise altering the resolution process based on the
+ topological location of the user) seem, however, to risk disrupting
+ end-to-end applications in the general case and raise many of the
+ issues discussed by the IAB in [IAB-OPES]. These problems occur even
+ if the rewriting machinery is accompanied by additional workarounds
+ for particular applications. For example, security associations and
+ applications that need to identify "the same host" often run into
+ problems if DNS names or other references are changed in the network
+ without participation of the applications that are trying to invoke
+ the associated services.
+
+1.4 Internet Applications Protocols and Their Evolution
+
+ At the applications level, few of the protocols in active,
+ widespread, use on the Internet reflect either contemporary knowledge
+ in computer science or human factors or experience accumulated
+ through deployment and use. Instead, protocols tend to be deployed
+ at a just-past-prototype level, typically including the types of
+ expedient compromises typical with prototypes. If they prove useful,
+ the nature of the network permits very rapid dissemination (i.e.,
+ they fill a vacuum, even if a vacuum that no one previously knew
+ existed). But, once the vacuum is filled, the installed base
+
+
+
+Klensin Informational [Page 7]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ provides its own inertia: unless the design is so seriously faulty as
+ to prevent effective use (or there is a widely-perceived sense of
+ impending disaster unless the protocol is replaced), future
+ developments must maintain backward compatibility and workarounds for
+ problematic characteristics rather than benefiting from redesign in
+ the light of experience. Applications that are "almost good enough"
+ prevent development and deployment of high-quality replacements.
+
+ The DNS is both an illustration of, and an exception to, parts of
+ this pessimistic interpretation. It was a second-generation
+ development, with the host table system being seen as at the end of
+ its useful life. There was a serious attempt made to reflect the
+ computing state of the art at the time. However, deployment was much
+ slower than expected (and very painful for many sites) and some fixed
+ (although relaxed several times) deadlines from a central network
+ administration were necessary for deployment to occur at all.
+ Replacing it now, in order to add functionality, while it continues
+ to perform its core functions at least reasonably well, would
+ presumably be extremely difficult.
+
+ There are many, perhaps obvious, examples of this. Despite many
+ known deficiencies and weaknesses of definition, the "finger" and
+ "whois" [WHOIS] protocols have not been replaced (despite many
+ efforts to update or replace the latter [WHOIS-UPDATE]). The Telnet
+ protocol and its many options drove out the SUPDUP [RFC734] one,
+ which was arguably much better designed for a diverse collection of
+ network hosts. A number of efforts to replace the email or file
+ transfer protocols with models which their advocates considered much
+ better have failed. And, more recently and below the applications
+ level, there is some reason to believe that this resistance to change
+ has been one of the factors impeding IPv6 deployment.
+
+2. Signs of DNS Overloading
+
+ Parts of the historical discussion above identify areas in which the
+ DNS has become overloaded (semantically if not in the mechanical
+ ability to resolve names). Despite this overloading, it appears that
+ DNS performance and reliability are still within an acceptable range:
+ there is little evidence of serious performance degradation. Recent
+ proposals and mechanisms to better respond to overloading and scaling
+ issues have all focused on patching or working around limitations
+ that develop when the DNS is utilized for out-of-design functions,
+ rather than on dramatic rethinking of either DNS design or those
+ uses. The number of these issues that have arisen at much the same
+ time may argue for just that type of rethinking, and not just for
+ adding complexity and attempting to incrementally alter the design
+ (see, for example, the discussion of simplicity in section 2 of
+ [RFC3439]).
+
+
+
+Klensin Informational [Page 8]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ For example:
+
+ o While technical approaches such as larger and higher-powered
+ servers and more bandwidth, and legal/political mechanisms such as
+ dispute resolution policies, have arguably kept the problems from
+ becoming critical, the DNS has not proven adequately responsive to
+ business and individual needs to describe or identify things (such
+ as product names and names of individuals) other than strict
+ network resources.
+
+ o While stacks have been modified to better handle multiple
+ addresses on a physical interface and some protocols have been
+ extended to include DNS names for determining context, the DNS
+ does not deal especially well with many names associated with a
+ given host (e.g., web hosting facilities with multiple domains on
+ a server).
+
+ o Efforts to add names deriving from languages or character sets
+ based on other than simple ASCII and English-like names (see
+ below), or even to utilize complex company or product names
+ without the use of hierarchy, have created apparent requirements
+ for names (labels) that are over 63 octets long. This requirement
+ will undoubtedly increase over time; while there are workarounds
+ to accommodate longer names, they impose their own restrictions
+ and cause their own problems.
+
+ o Increasing commercialization of the Internet, and visibility of
+ domain names that are assumed to match names of companies or
+ products, has turned the DNS and DNS names into a trademark
+ battleground. The traditional trademark system in (at least) most
+ countries makes careful distinctions about fields of
+ applicability. When the space is flattened, without
+ differentiation by either geography or industry sector, not only
+ are there likely conflicts between "Joe's Pizza" (of Boston) and
+ "Joe's Pizza" (of San Francisco) but between both and "Joe's Auto
+ Repair" (of Los Angeles). All three would like to control
+ "Joes.com" (and would prefer, if it were permitted by DNS naming
+ rules, to also spell it as "Joe's.com" and have both resolve the
+ same way) and may claim trademark rights to do so, even though
+ conflict or confusion would not occur with traditional trademark
+ principles.
+
+ o Many organizations wish to have different web sites under the same
+ URL and domain name. Sometimes this is to create local variations
+ -- the Widget Company might want to present different material to
+ a UK user relative to a US one -- and sometimes it is to provide
+ higher performance by supplying information from the server
+ topologically closest to the user. If the name resolution
+
+
+
+Klensin Informational [Page 9]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ mechanism is expected to provide this functionality, there are
+ three possible models (which might be combined):
+
+ - supply information about multiple sites (or locations or
+ references). Those sites would, in turn, provide information
+ associated with the name and sufficient site-specific
+ attributes to permit the application to make a sensible choice
+ of destination, or
+
+ - accept client-site attributes and utilize them in the search
+ process, or
+
+ - return different answers based on the location or identity of
+ the requestor.
+
+ While there are some tricks that can provide partial simulations of
+ these types of function, DNS responses cannot be reliably conditioned
+ in this way.
+
+ These, and similar, issues of performance or content choices can, of
+ course, be thought of as not involving the DNS at all. For example,
+ the commonly-cited alternate approach of coupling these issues to
+ HTTP content negotiation (cf. [RFC2295]), requires that an HTTP
+ connection first be opened to some "common" or "primary" host so that
+ preferences can be negotiated and then the client redirected or sent
+ alternate data. At least from the standpoint of improving
+ performance by accessing a "closer" location, both initially and
+ thereafter, this approach sacrifices the desired result before the
+ client initiates any action. It could even be argued that some of
+ the characteristics of common content negotiation approaches are
+ workarounds for the non-optimal use of the DNS in web URLs.
+
+ o Many existing and proposed systems for "finding things on the
+ Internet" require a true search capability in which near matches
+ can be reported to the user (or to some user agent with an
+ appropriate rule-set) and to which queries may be ambiguous or
+ fuzzy. The DNS, by contrast, can accommodate only one set of
+ (quite rigid) matching rules. Proposals to permit different rules
+ in different localities (e.g., matching rules that are TLD- or
+ zone-specific) help to identify the problem. But they cannot be
+ applied directly to the DNS without either abandoning the desired
+ level of flexibility or isolating different parts of the Internet
+ from each other (or both). Fuzzy or ambiguous searches are
+ desirable for resolution of names that might have spelling
+ variations and for names that can be resolved into different sets
+ of glyphs depending on context. Especially when
+ internationalization is considered, variant name problems go
+ beyond simple differences in representation of a character or
+
+
+
+Klensin Informational [Page 10]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ ordering of a string. Instead, avoiding user astonishment and
+ confusion requires consideration of relationships such as
+ languages that can be written with different alphabets, Kanji-
+ Hiragana relationships, Simplified and Traditional Chinese, etc.
+ See [Seng] for a discussion and suggestions for addressing a
+ subset of these issues in the context of characters based on
+ Chinese ones. But that document essentially illustrates the
+ difficulty of providing the type of flexible matching that would
+ be anticipated by users; instead, it tries to protect against the
+ worst types of confusion (and opportunities for fraud).
+
+ o The historical DNS, and applications that make assumptions about
+ how it works, impose significant risk (or forces technical kludges
+ and consequent odd restrictions), when one considers adding
+ mechanisms for use with various multi-character-set and
+ multilingual "internationalization" systems. See the IAB's
+ discussion of some of these issues [RFC2825] for more information.
+
+ o In order to provide proper functionality to the Internet, the DNS
+ must have a single unique root (the IAB provides more discussion
+ of this issue [RFC2826]). There are many desires for local
+ treatment of names or character sets that cannot be accommodated
+ without either multiple roots (e.g., a separate root for
+ multilingual names, proposed at various times by MINC [MINC] and
+ others), or mechanisms that would have similar effects in terms of
+ Internet fragmentation and isolation.
+
+ o For some purposes, it is desirable to be able to search not only
+ an index entry (labels or fully-qualified names in the DNS case),
+ but their values or targets (DNS data). One might, for example,
+ want to locate all of the host (and virtual host) names which
+ cause mail to be directed to a given server via MX records. The
+ DNS does not support this capability (see the discussion in
+ [IQUERY]) and it can be simulated only by extracting all of the
+ relevant records (perhaps by zone transfer if the source permits
+ doing so, but that permission is becoming less frequently
+ available) and then searching a file built from those records.
+
+ o Finally, as additional types of personal or identifying
+ information are added to the DNS, issues arise with protection of
+ that information. There are increasing calls to make different
+ information available based on the credentials and authorization
+ of the source of the inquiry. As with information keyed to site
+ locations or proximity (as discussed above), the DNS protocols
+ make providing these differentiated services quite difficult if
+ not impossible.
+
+
+
+
+
+Klensin Informational [Page 11]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ In each of these cases, it is, or might be, possible to devise ways
+ to trick the DNS system into supporting mechanisms that were not
+ designed into it. Several ingenious solutions have been proposed in
+ many of these areas already, and some have been deployed into the
+ marketplace with some success. But the price of each of these
+ changes is added complexity and, with it, added risk of unexpected
+ and destabilizing problems.
+
+ Several of the above problems are addressed well by a good directory
+ system (supported by the LDAP protocol or some protocol more
+ precisely suited to these specific applications) or searching
+ environment (such as common web search engines) although not by the
+ DNS. Given the difficulty of deploying new applications discussed
+ above, an important question is whether the tricks and kludges are
+ bad enough, or will become bad enough as usage grows, that new
+ solutions are needed and can be deployed.
+
+3. Searching, Directories, and the DNS
+
+3.1 Overview
+
+ The constraints of the DNS and the discussion above suggest the
+ introduction of an intermediate protocol mechanism, referred to below
+ as a "search layer" or "searchable system". The terms "directory"
+ and "directory system" are used interchangeably with "searchable
+ system" in this document, although the latter is far more precise.
+ Search layer proposals would use a two (or more) stage lookup, not
+ unlike several of the proposals for internationalized names in the
+ DNS (see section 4), but all operations but the final one would
+ involve searching other systems, rather than looking up identifiers
+ in the DNS itself. As explained below, this would permit relaxation
+ of several constraints, leading to a more capable and comprehensive
+ overall system.
+
+ Ultimately, many of the issues with domain names arise as the result
+ of efforts to use the DNS as a directory. While, at the time this
+ document was written, sufficient pressure or demand had not occurred
+ to justify a change, it was already quite clear that, as a directory
+ system, the DNS is a good deal less than ideal. This document
+ suggests that there actually is a requirement for a directory system,
+ and that the right solution to a searchable system requirement is a
+ searchable system, not a series of DNS patches, kludges, or
+ workarounds.
+
+
+
+
+
+
+
+
+Klensin Informational [Page 12]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ The following points illustrate particular aspects of this
+ conclusion.
+
+ o A directory system would not require imposition of particular
+ length limits on names.
+
+ o A directory system could permit explicit association of
+ attributes, e.g., language and country, with a name, without
+ having to utilize trick encodings to incorporate that information
+ in DNS labels (or creating artificial hierarchy for doing so).
+
+ o There is considerable experience (albeit not much of it very
+ successful) in doing fuzzy and "sonex" (similar-sounding) matching
+ in directory systems. Moreover, it is plausible to think about
+ different matching rules for different areas and sets of names so
+ that these can be adapted to local cultural requirements.
+ Specifically, it might be possible to have a single form of a name
+ in a directory, but to have great flexibility about what queries
+ matched that name (and even have different variations in different
+ areas). Of course, the more flexibility that a system provides,
+ the greater the possibility of real or imagined trademark
+ conflicts. But the opportunity would exist to design a directory
+ structure that dealt with those issues in an intelligent way,
+ while DNS constraints almost certainly make a general and
+ equitable DNS-only solution impossible.
+
+ o If a directory system is used to translate to DNS names, and then
+ DNS names are looked up in the normal fashion, it may be possible
+ to relax several of the constraints that have been traditional
+ (and perhaps necessary) with the DNS. For example, reverse-
+ mapping of addresses to directory names may not be a requirement
+ even if mapping of addresses to DNS names continues to be, since
+ the DNS name(s) would (continue to) uniquely identify the host.
+
+ o Solutions to multilingual transcription problems that are common
+ in "normal life" (e.g., two-sided business cards to be sure that
+ recipients trying to contact a person can access romanized
+ spellings and numbers if the original language is not
+ comprehensible to them) can be easily handled in a directory
+ system by inserting both sets of entries.
+
+ o A directory system could be designed that would return, not a
+ single name, but a set of names paired with network-locational
+ information or other context-establishing attributes. This type
+ of information might be of considerable use in resolving the
+ "nearest (or best) server for a particular named resource"
+
+
+
+
+
+Klensin Informational [Page 13]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ problems that are a significant concern for organizations hosting
+ web and other sites that are accessed from a wide range of
+ locations and subnets.
+
+ o Names bound to countries and languages might help to manage
+ trademark realities, while, as discussed in section 1.3 above, use
+ of the DNS in trademark-significant contexts tends to require
+ worldwide "flattening" of the trademark system.
+
+ Many of these issues are a consequence of another property of the
+ DNS: names must be unique across the Internet. The need to have a
+ system of unique identifiers is fairly obvious (see [RFC2826]).
+ However, if that requirement were to be eliminated in a search or
+ directory system that was visible to users instead of the DNS, many
+ difficult problems -- of both an engineering and a policy nature --
+ would be likely to vanish.
+
+3.2 Some Details and Comments
+
+ Almost any internationalization proposal for names that are in, or
+ map into, the DNS will require changing DNS resolver API calls
+ ("gethostbyname" or equivalent), or adding some pre-resolution
+ preparation mechanism, in almost all Internet applications -- whether
+ to cause the API to take a different character set (no matter how it
+ is then mapped into the bits used in the DNS or another system), to
+ accept or return more arguments with qualifying or identifying
+ information, or otherwise. Once applications must be opened to make
+ such changes, it is a relatively small matter to switch from calling
+ into the DNS to calling a directory service and then the DNS (in many
+ situations, both actions could be accomplished in a single API call).
+
+ A directory approach can be consistent both with "flat" models and
+ multi-attribute ones. The DNS requires strict hierarchies, limiting
+ its ability to differentiate among names by their properties. By
+ contrast, modern directories can utilize independently-searched
+ attributes and other structured schema to provide flexibilities not
+ present in a strictly hierarchical system.
+
+ There is a strong historical argument for a single directory
+ structure (implying a need for mechanisms for registration,
+ delegation, etc.). But a single structure is not a strict
+ requirement, especially if in-depth case analysis and design work
+ leads to the conclusion that reverse-mapping to directory names is
+ not a requirement (see section 5). If a single structure is not
+ needed, then, unlike the DNS, there would be no requirement for a
+ global organization to authorize or delegate operation of portions of
+ the structure.
+
+
+
+
+Klensin Informational [Page 14]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ The "no single structure" concept could be taken further by moving
+ away from simple "names" in favor of, e.g., multiattribute,
+ multihierarchical, faceted systems in which most of the facets use
+ restricted vocabularies. (These terms are fairly standard in the
+ information retrieval and classification system literature, see,
+ e.g., [IS5127].) Such systems could be designed to avoid the need
+ for procedures to ensure uniqueness across, or even within, providers
+ and databases of the faceted entities for which the search is to be
+ performed. (See [DNS-Search] for further discussion.)
+
+ While the discussion above includes very general comments about
+ attributes, it appears that only a very small number of attributes
+ would be needed. The list would almost certainly include country and
+ language for internationalization purposes. It might require
+ "charset" if we cannot agree on a character set and encoding,
+ although there are strong arguments for simply using ISO 10646 (also
+ known as Unicode or "UCS" (for Universal Character Set) [UNICODE],
+ [IS10646] coding in interchange. Trademark issues might motivate
+ "commercial" and "non-commercial" (or other) attributes if they would
+ be helpful in bypassing trademark problems. And applications to
+ resource location, such as those contemplated for Uniform Resource
+ Identifiers (URIs) [RFC2396, RFC3305] or the Service Location
+ Protocol [RFC2608], might argue for a few other attributes (as
+ outlined above).
+
+4. Internationalization
+
+ Much of the thinking underlying this document was driven by
+ considerations of internationalizing the DNS or, more specifically,
+ providing access to the functions of the DNS from languages and
+ naming systems that cannot be accurately expressed in the traditional
+ DNS subset of ASCII. Much of the relevant work was done in the
+ IETF's "Internationalized Domain Names" Working Group (IDN-WG),
+ although this document also draws on extensive parallel discussions
+ in other forums. This section contains an evaluation of what was
+ learned as an "internationalized DNS" or "multilingual DNS" was
+ explored and suggests future steps based on that evaluation.
+
+ When the IDN-WG was initiated, it was obvious to several of the
+ participants that its first important task was an undocumented one:
+ to increase the understanding of the complexities of the problem
+ sufficiently that naive solutions could be rejected and people could
+ go to work on the harder problems. The IDN-WG clearly accomplished
+ that task. The beliefs that the problems were simple, and in the
+ corresponding simplistic approaches and their promises of quick and
+ painless deployment, effectively disappeared as the WG's efforts
+ matured.
+
+
+
+
+Klensin Informational [Page 15]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ Some of the lessons learned from increased understanding and the
+ dissipation of naive beliefs should be taken as cautions by the wider
+ community: the problems are not simple. Specifically, extracting
+ small elements for solution rather than looking at whole systems, may
+ result in obscuring the problems but not solving any problem that is
+ worth the trouble.
+
+4.1 ASCII Isn't Just Because of English
+
+ The hostname rules chosen in the mid-70s weren't just "ASCII because
+ English uses ASCII", although that was a starting point. We have
+ discovered that almost every other script (and even ASCII if we
+ permit the rest of the characters specified in the ISO 646
+ International Reference Version) is more complex than hostname-
+ restricted-ASCII (the "LDH" form, see section 1.1). And ASCII isn't
+ sufficient to completely represent English -- there are several words
+ in the language that are correctly spelled only with characters or
+ diacritical marks that do not appear in ASCII. With a broader
+ selection of scripts, in some examples, case mapping works from one
+ case to the other but is not reversible. In others, there are
+ conventions about alternate ways to represent characters (in the
+ language, not [only] in character coding) that work most of the time,
+ but not always. And there are issues in coding, with Unicode/10646
+ providing different ways to represent the same character
+ ("character", rather than "glyph", is used deliberately here). And,
+ in still others, there are questions as to whether two glyphs
+ "match", which may be a distance-function question, not one with a
+ binary answer. The IETF approach to these problems is to require
+ pre-matching canonicalization (see the "stringprep" discussion
+ below).
+
+ The IETF has resisted the temptations to either try to specify an
+ entirely new coded character set, or to pick and choose Unicode/10646
+ characters on a per-character basis rather than by using well-defined
+ blocks. While it may appear that a character set designed to meet
+ Internet-specific needs would be very attractive, the IETF has never
+ had the expertise, resources, and representation from critically-
+ important communities to actually take on that job. Perhaps more
+ important, a new effort might have chosen to make some of the many
+ complex tradeoffs differently than the Unicode committee did,
+ producing a code with somewhat different characteristics. But there
+ is no evidence that doing so would produce a code with fewer problems
+ and side-effects. It is much more likely that making tradeoffs
+ differently would simply result in a different set of problems, which
+ would be equally or more difficult.
+
+
+
+
+
+
+Klensin Informational [Page 16]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+4.2 The "ASCII Encoding" Approaches
+
+ While the DNS can handle arbitrary binary strings without known
+ internal problems (see [RFC2181]), some restrictions are imposed by
+ the requirement that text be interpreted in a case-independent way
+ ([RFC1034], [RFC1035]). More important, most internet applications
+ assume the hostname-restricted "LDH" syntax that is specified in the
+ host table RFCs and as "prudent" in RFC 1035. If those assumptions
+ are not met, many conforming implementations of those applications
+ may exhibit behavior that would surprise implementors and users. To
+ avoid these potential problems, IETF internationalization work has
+ focused on "ASCII-Compatible Encodings" (ACE). These encodings
+ preserve the LDH conventions in the DNS itself. Implementations of
+ applications that have not been upgraded utilize the encoded forms,
+ while newer ones can be written to recognize the special codings and
+ map them into non-ASCII characters. These approaches are, however,
+ not problem-free even if human interface issues are ignored. Among
+ other issues, they rely on what is ultimately a heuristic to
+ determine whether a DNS label is to be considered as an
+ internationalized name (i.e., encoded Unicode) or interpreted as an
+ actual LDH name in its own right. And, while all determinations of
+ whether a particular query matches a stored object are traditionally
+ made by DNS servers, the ACE systems, when combined with the
+ complexities of international scripts and names, require that much of
+ the matching work be separated into a separate, client-side,
+ canonicalization or "preparation" process before the DNS matching
+ mechanisms are invoked [STRINGPREP].
+
+4.3 "Stringprep" and Its Complexities
+
+ As outlined above, the model for avoiding problems associated with
+ putting non-ASCII names in the DNS and elsewhere evolved into the
+ principle that strings are to be placed into the DNS only after being
+ passed through a string preparation function that eliminates or
+ rejects spurious character codes, maps some characters onto others,
+ performs some sequence canonicalization, and generally creates forms
+ that can be accurately compared. The impact of this process on
+ hostname-restricted ASCII (i.e., "LDH") strings is trivial and
+ essentially adds only overhead. For other scripts, the impact is, of
+ necessity, quite significant.
+
+ Although the general notion underlying stringprep is simple, the many
+ details are quite subtle and the associated tradeoffs are complex. A
+ design team worked on it for months, with considerable effort placed
+ into clarifying and fine-tuning the protocol and tables. Despite
+ general agreement that the IETF would avoid getting into the business
+ of defining character sets, character codings, and the associated
+ conventions, the group several times considered and rejected special
+
+
+
+Klensin Informational [Page 17]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ treatment of code positions to more nearly match the distinctions
+ made by Unicode with user perceptions about similarities and
+ differences between characters. But there were intense temptations
+ (and pressures) to incorporate language-specific or country-specific
+ rules. Those temptations, even when resisted, were indicative of
+ parts of the ongoing controversy or of the basic unsuitability of the
+ DNS for fully internationalized names that are visible,
+ comprehensible, and predictable for end users.
+
+ There have also been controversies about how far one should go in
+ these processes of preparation and transformation and, ultimately,
+ about the validity of various analogies. For example, each of the
+ following operations has been claimed to be similar to case-mapping
+ in ASCII:
+
+ o stripping of vowels in Arabic or Hebrew
+
+ o matching of "look-alike" characters such as upper-case Alpha in
+ Greek and upper-case A in Roman-based alphabets
+
+ o matching of Traditional and Simplified Chinese characters that
+ represent the same words,
+
+ o matching of Serbo-Croatian words whether written in Roman-derived
+ or Cyrillic characters
+
+ A decision to support any of these operations would have implications
+ for other scripts or languages and would increase the overall
+ complexity of the process. For example, unless language-specific
+ information is somehow available, performing matching between
+ Traditional and Simplified Chinese has impacts on Japanese and Korean
+ uses of the same "traditional" characters (e.g., it would not be
+ appropriate to map Kanji into Simplified Chinese).
+
+ Even were the IDN-WG's other work to have been abandoned completely
+ or if it were to fail in the marketplace, the stringprep and nameprep
+ work will continue to be extremely useful, both in identifying issues
+ and problem code points and in providing a reasonable set of basic
+ rules. Where problems remain, they are arguably not with nameprep,
+ but with the DNS-imposed requirement that its results, as with all
+ other parts of the matching and comparison process, yield a binary
+ "match or no match" answer, rather than, e.g., a value on a
+ similarity scale that can be evaluated by the user or by user-driven
+ heuristic functions.
+
+
+
+
+
+
+
+Klensin Informational [Page 18]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+4.4 The Unicode Stability Problem
+
+ ISO 10646 basically defines only code points, and not rules for using
+ or comparing the characters. This is part of a long-standing
+ tradition with the work of what is now ISO/IEC JTC1/SC2: they have
+ performed code point assignments and have typically treated the ways
+ in which characters are used as beyond their scope. Consequently,
+ they have not dealt effectively with the broader range of
+ internationalization issues. By contrast, the Unicode Technical
+ Committee (UTC) has defined, in annexes and technical reports (see,
+ e.g., [UTR15]), some additional rules for canonicalization and
+ comparison. Many of those rules and conventions have been factored
+ into the "stringprep" and "nameprep" work, but it is not
+ straightforward to make or define them in a fashion that is
+ sufficiently precise and permanent to be relied on by the DNS.
+
+ Perhaps more important, the discussions leading to nameprep also
+ identified several areas in which the UTC definitions are inadequate,
+ at least without additional information, to make matching precise and
+ unambiguous. In some of these cases, the Unicode Standard permits
+ several alternate approaches, none of which are an exact and obvious
+ match to DNS needs. That has left these sensitive choices up to
+ IETF, which lacks sufficient in-depth expertise, much less any
+ mechanism for deciding to optimize one language at the expense of
+ another.
+
+ For example, it is tempting to define some rules on the basis of
+ membership in particular scripts, or for punctuation characters, but
+ there is no precise definition of what characters belong to which
+ script or which ones are, or are not, punctuation. The existence of
+ these areas of vagueness raises two issues: whether trying to do
+ precise matching at the character set level is actually possible
+ (addressed below) and whether driving toward more precision could
+ create issues that cause instability in the implementation and
+ resolution models for the DNS.
+
+ The Unicode definition also evolves. Version 3.2 appeared shortly
+ after work on this document was initiated. It added some characters
+ and functionality and included a few minor incompatible code point
+ changes. IETF has secured an agreement about constraints on future
+ changes, but it remains to be seen how that agreement will work out
+ in practice. The prognosis actually appears poor at this stage,
+ since UTC chose to ballot a recent possible change which should have
+ been prohibited by the agreement (the outcome of the ballot is not
+ relevant, only that the ballot was issued rather than having the
+ result be a foregone conclusion). However, some members of the
+ community consider some of the changes between Unicode 3.0 and 3.1
+ and between 3.1 and 3.2, as well as this recent ballot, to be
+
+
+
+Klensin Informational [Page 19]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ evidence of instability and that these instabilities are better
+ handled in a system that can be more flexible about handling of
+ characters, scripts, and ancillary information than the DNS.
+
+ In addition, because the systems implications of internationalization
+ are considered out of scope in SC2, ISO/IEC JTC1 has assigned some of
+ those issues to its SC22/WG20 (the Internationalization working group
+ within the subcommittee that deals with programming languages,
+ systems, and environments). WG20 has historically dealt with
+ internationalization issues thoughtfully and in depth, but its status
+ has several times been in doubt in recent years. However, assignment
+ of these matters to WG20 increases the risk of eventual ISO
+ internationalization standards that specify different behavior than
+ the UTC specifications.
+
+4.5 Audiences, End Users, and the User Interface Problem
+
+ Part of what has "caused" the DNS internationalization problem, as
+ well as the DNS trademark problem and several others, is that we have
+ stopped thinking about "identifiers for objects" -- which normal
+ people are not expected to see -- and started thinking about "names"
+ -- strings that are expected not only to be readable, but to have
+ linguistically-sensible and culturally-dependent meaning to non-
+ specialist users.
+
+ Within the IETF, the IDN-WG, and sometimes other groups, avoided
+ addressing the implications of that transition by taking "outside our
+ scope -- someone else's problem" approaches or by suggesting that
+ people will just become accustomed to whatever conventions are
+ adopted. The realities of user and vendor behavior suggest that
+ these approaches will not serve the Internet community well in the
+ long term:
+
+ o If we want to make it a problem in a different part of the user
+ interface structure, we need to figure out where it goes in order
+ to have proof of concept of our solution. Unlike vendors whose
+ sole [business] model is the selling or registering of names, the
+ IETF must produce solutions that actually work, in the
+ applications context as seen by the end user.
+
+ o The principle that "they will get used to our conventions and
+ adapt" is fine if we are writing rules for programming languages
+ or an API. But the conventions under discussion are not part of a
+ semi-mathematical system, they are deeply ingrained in culture.
+ No matter how often an English-speaking American is told that the
+ Internet requires that the correct spelling of "colour" be used,
+ he or she isn't going to be convinced. Getting a French-speaker in
+ Lyon to use exactly the same lexical conventions as a French-
+
+
+
+Klensin Informational [Page 20]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ speaker in Quebec in order to accommodate the decisions of the
+ IETF or of a registrar or registry is just not likely. "Montreal"
+ is either a misspelling or an anglicization of a similar word with
+ an acute accent mark over the "e" (i.e., using the Unicode
+ character U+00E9 or one of its equivalents). But global agreement
+ on a rule that will determine whether the two forms should match
+ -- and that won't astonish end users and speakers of one language
+ or the other -- is as unlikely as agreement on whether
+ "misspelling" or "anglicization" is the greater travesty.
+
+ More generally, it is not clear that the outcome of any conceivable
+ nameprep-like process is going to be good enough for practical,
+ user-level, use. In the use of human languages by humans, there are
+ many cases in which things that do not match are nonetheless
+ interpreted as matching. The Norwegian/Danish character that appears
+ in U+00F8 (visually, a lower case 'o' overstruck with a forward
+ slash) and the "o-umlaut" German character that appears in U+00F6
+ (visually, a lower case 'o' with diaeresis (or umlaut)) are clearly
+ different and no matching program should yield an "equal" comparison.
+ But they are more similar to each other than either of them is to,
+ e.g., "e". Humans are able to mentally make the correction in
+ context, and do so easily, and they can be surprised if computers
+ cannot do so. Worse, there is a Swedish character whose appearance
+ is identical to the German o-umlaut, and which shares code point
+ U+00F6, but that, if the languages are known and the sounds of the
+ letters or meanings of words including the character are considered,
+ actually should match the Norwegian/Danish use of U+00F8.
+
+ This text uses examples in Roman scripts because it is being written
+ in English and those examples are relatively easy to render. But one
+ of the important lessons of the discussions about domain name
+ internationalization in recent years is that problems similar to
+ those described above exist in almost every language and script.
+ Each one has its idiosyncrasies, and each set of idiosyncracies is
+ tied to common usage and cultural issues that are very familiar in
+ the relevant group, and often deeply held as cultural values. As
+ long as a schoolchild in the US can get a bad grade on a spelling
+ test for using a perfectly valid British spelling, or one in France
+ or Germany can get a poor grade for leaving off a diacritical mark,
+ there are issues with the relevant language. Similarly, if children
+ in Egypt or Israel are taught that it is acceptable to write a word
+ with or without vowels or stress marks, but that, if those marks are
+ included, they must be the correct ones, or a user in Korea is
+ potentially offended or astonished by out-of-order sequences of Jamo,
+ systems based on character-at-a-time processing and simplistic
+ matching, with no contextual information, are not going to satisfy
+ user needs.
+
+
+
+
+Klensin Informational [Page 21]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ Users are demanding solutions that deal with language and culture.
+ Systems of identifier symbol-strings that serve specialists or
+ computers are, at best, a solution to a rather different (and, at the
+ time this document was written, somewhat ill-defined), problem. The
+ recent efforts have made it ever more clear that, if we ignore the
+ distinction between the user requirements and narrowly-defined
+ identifiers, we are solving an insufficient problem. And,
+ conversely, the approaches that have been proposed to approximate
+ solutions to the user requirement may be far more complex than simple
+ identifiers require.
+
+4.6 Business Cards and Other Natural Uses of Natural Languages
+
+ Over the last few centuries, local conventions have been established
+ in various parts of the world for dealing with multilingual
+ situations. It may be helpful to examine some of these. For
+ example, if one visits a country where the language is different from
+ ones own, business cards are often printed on two sides, one side in
+ each language. The conventions are not completely consistent and the
+ technique assumes that recipients will be tolerant. Translations of
+ names or places are attempted in some situations and transliterations
+ in others. Since it is widely understood that exact translations or
+ transliterations are often not possible, people typically smile at
+ errors, appreciate the effort, and move on.
+
+ The DNS situation differs from these practices in at least two ways.
+ Since a global solution is required, the business card would need a
+ number of sides approximating the number of languages in the world,
+ which is probably impossible without violating laws of physics. More
+ important, the opportunities for tolerance don't exist: the DNS
+ requires a exact match or the lookup fails.
+
+4.7 ASCII Encodings and the Roman Keyboard Assumption
+
+ Part of the argument for ACE-based solutions is that they provide an
+ escape for multilingual environments when applications have not been
+ upgraded. When an older application encounters an ACE-based name,
+ the assumption is that the (admittedly ugly) ASCII-coded string will
+ be displayed and can be typed in. This argument is reasonable from
+ the standpoint of mixtures of Roman-based alphabets, but may not be
+ relevant if user-level systems and devices are involved that do not
+ support the entry of Roman-based characters or which cannot
+ conveniently render such characters. Such systems are few in the
+ world today, but the number can reasonably be expected to rise as the
+ Internet is increasingly used by populations whose primary concern is
+ with local issues, local information, and local languages. It is,
+
+
+
+
+
+Klensin Informational [Page 22]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ for example, fairly easy to imagine populations who use Arabic or
+ Thai scripts and who do not have routine access to scripts or input
+ devices based on Roman-derived alphabets.
+
+4.8 Intra-DNS Approaches for "Multilingual Names"
+
+ It appears, from the cases above and others, that none of the intra-
+ DNS-based solutions for "multilingual names" are workable. They rest
+ on too many assumptions that do not appear to be feasible -- that
+ people will adapt deeply-entrenched language habits to conventions
+ laid down to make the lives of computers easy; that we can make
+ "freeze it now, no need for changes in these areas" decisions about
+ Unicode and nameprep; that ACE will smooth over applications
+ problems, even in environments without the ability to key or render
+ Roman-based glyphs (or where user experience is such that such glyphs
+ cannot easily be distinguished from each other); that the Unicode
+ Consortium will never decide to repair an error in a way that creates
+ a risk of DNS incompatibility; that we can either deploy EDNS
+ [RFC2671] or that long names are not really important; that Japanese
+ and Chinese computer users (and others) will either give up their
+ local or IS 2022-based character coding solutions (for which addition
+ of a large fraction of a million new code points to Unicode is almost
+ certainly a necessary, but probably not sufficient, condition) or
+ build leakproof and completely accurate boundary conversion
+ mechanisms; that out of band or contextual information will always be
+ sufficient for the "map glyph onto script" problem; and so on. In
+ each case, it is likely that about 80% or 90% of cases will work
+ satisfactorily, but it is unlikely that such partial solutions will
+ be good enough. For example, suppose someone can spell her name 90%
+ correctly, or a company name is matched correctly 80% of the time but
+ the other 20% of attempts identify a competitor: are either likely to
+ be considered adequate?
+
+5. Search-based Systems: The Key Controversies
+
+ For many years, a common response to requirements to locate people or
+ resources on the Internet has been to invoke the term "directory".
+ While an in-depth analysis of the reasons would require a separate
+ document, the history of failure of these invocations has given
+ "directory" efforts a bad reputation. The effort proposed here is
+ different from those predecessors for several reasons, perhaps the
+ most important of which is that it focuses on a fairly-well-
+ understood set of problems and needs, rather than on finding uses for
+ a particular technology.
+
+ As suggested in some of the text above, it is an open question as to
+ whether the needs of the community would be best served by a single
+ (even if functionally, and perhaps administratively, distributed)
+
+
+
+Klensin Informational [Page 23]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ directory with universal applicability, a single directory that
+ supports locally-tailored search (and, most important, matching)
+ functions, or multiple, locally-determined, directories. Each has
+ its attractions. Any but the first would essentially prevent
+ reverse-mapping (determination of the user-visible name of the host
+ or resource from target information such as an address or DNS name).
+ But reverse mapping has become less useful over the years --at least
+ to users -- as more and more names have been associated with many
+ host addresses and as CIDR [CIDR] has proven problematic for mapping
+ smaller address blocks to meaningful names.
+
+ Locally-tailored searches and mappings would permit national
+ variations on interpretation of which strings matched which other
+ ones, an arrangement that is especially important when different
+ localities apply different rules to, e.g., matching of characters
+ with and without diacriticals. But, of course, this implies that a
+ URL may evaluate properly or not depending on either settings on a
+ client machine or the network connectivity of the user. That is not,
+ in general, a desirable situation, since it implies that users could
+ not, in the general case, share URLs (or other host references) and
+ that a particular user might not be able to carry references from one
+ host or location to another.
+
+ And, of course, completely separate directories would permit
+ translation and transliteration functions to be embedded in the
+ directory, giving much of the Internet a different appearance
+ depending on which directory was chosen. The attractions of this are
+ obvious, but, unless things were very carefully designed to preserve
+ uniqueness and precise identities at the right points (which may or
+ may not be possible), such a system would have many of the
+ difficulties associated with multiple DNS roots.
+
+ Finally, a system of separate directories and databases, if coupled
+ with removal of the DNS-imposed requirement for unique names, would
+ largely eliminate the need for a single worldwide authority to manage
+ the top of the naming hierarchy.
+
+6. Security Considerations
+
+ The set of proposals implied by this document suggests an interesting
+ set of security issues (i.e., nothing important is ever easy). A
+ directory system used for locating network resources would presumably
+ need to be as carefully protected against unauthorized changes as the
+ DNS itself. There also might be new opportunities for problems in an
+ arrangement involving two or more (sub)layers, especially if such a
+ system were designed without central authority or uniqueness of
+ names. It is uncertain how much greater those risks would be as
+ compared to a DNS lookup sequence that involved looking up one name,
+
+
+
+Klensin Informational [Page 24]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ getting back information, and then doing additional lookups
+ potentially in different subtrees. That multistage lookup will often
+ be the case with, e.g., NAPTR records [RFC 2915] unless additional
+ restrictions are imposed. But additional steps, systems, and
+ databases almost certainly involve some additional risks of
+ compromise.
+
+7. References
+
+7.1 Normative References
+
+ None
+
+7.2 Explanatory and Informative References
+
+ [Albitz] Any of the editions of Albitz, P. and C. Liu, DNS and
+ BIND, O'Reilly and Associates, 1992, 1997, 1998, 2001.
+
+ [ASCII] American National Standards Institute (formerly United
+ States of America Standards Institute), X3.4, 1968,
+ "USA Code for Information Interchange". ANSI X3.4-1968
+ has been replaced by newer versions with slight
+ modifications, but the 1968 version remains definitive
+ for the Internet. Some time after ASCII was first
+ formulated as a standard, ISO adopted international
+ standard 646, which uses ASCII as a base. IS 646
+ actually contained two code tables: an "International
+ Reference Version" (often referenced as ISO 646-IRV)
+ which was essentially identical to the ASCII of the
+ time, and a "Basic Version" (ISO 646-BV), which
+ designates a number of character positions for
+ national use.
+
+ [CIDR] Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
+ Inter-Domain Routing (CIDR): an Address Assignment and
+ Aggregation Strategy", RFC 1519, September 1993.
+
+ Eidnes, H., de Groot, G. and P. Vixie, "Classless IN-
+ ADDR.ARPA delegation", RFC 2317, March 1998.
+
+ [COM-SIZE] Size information supplied by Verisign Global Registry
+ Services (the zone administrator, or "registry
+ operator", for COM, see [REGISTRAR], below) to ICANN,
+ third quarter 2002.
+
+ [DNS-Search] Klensin, J., "A Search-based access model for the
+ DNS", Work in Progress.
+
+
+
+
+Klensin Informational [Page 25]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [FINGER] Zimmerman, D., "The Finger User Information Protocol",
+ RFC 1288, December 1991.
+
+ Harrenstien, K., "NAME/FINGER Protocol", RFC 742,
+ December 1977.
+
+ [IAB-OPES] Floyd, S. and L. Daigle, "IAB Architectural and Policy
+ Considerations for Open Pluggable Edge Services", RFC
+ 3238, January 2002.
+
+ [IQUERY] Lawrence, D., "Obsoleting IQUERY", RFC 3425, November
+ 2002.
+
+ [IS646] ISO/IEC 646:1991 Information technology -- ISO 7-bit
+ coded character set for information interchange
+
+ [IS10646] ISO/IEC 10646-1:2000 Information technology --
+ Universal Multiple-Octet Coded Character Set (UCS) --
+ Part 1: Architecture and Basic Multilingual Plane and
+ ISO/IEC 10646-2:2001 Information technology --
+ Universal Multiple-Octet Coded Character Set (UCS) --
+ Part 2: Supplementary Planes
+
+ [MINC] The Multilingual Internet Names Consortium,
+ http://www.minc.org/ has been an early advocate for
+ the importance of expansion of DNS names to
+ accommodate non-ASCII characters. Some of their
+ specific proposals, while helping people to understand
+ the problems better, were not compatible with the
+ design of the DNS.
+
+ [NAPTR] Mealling, M. and R. Daniel, "The Naming Authority
+ Pointer (NAPTR) DNS Resource Record", RFC 2915,
+ September 2000.
+
+ Mealling, M., "Dynamic Delegation Discovery System
+ (DDDS) Part One: The Comprehensive DDDS", RFC 3401,
+ October 2002.
+
+ Mealling, M., "Dynamic Delegation Discovery System
+ (DDDS) Part Two: The Algorithm", RFC 3402, October
+ 2002.
+
+ Mealling, M., "Dynamic Delegation Discovery System
+ (DDDS) Part Three: The Domain Name System (DNS)
+ Database", RFC 3403, October 2002.
+
+
+
+
+
+Klensin Informational [Page 26]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [REGISTRAR] In an early stage of the process that created the
+ Internet Corporation for Assigned Names and Numbers
+ (ICANN), a "Green Paper" was released by the US
+ Government. That paper introduced new terminology
+ and some concepts not needed by traditional DNS
+ operations. The term "registry" was applied to the
+ actual operator and database holder of a domain
+ (typically at the top level, since the Green Paper was
+ little concerned with anything else), while
+ organizations that marketed names and made them
+ available to "registrants" were known as "registrars".
+ In the classic DNS model, the function of "zone
+ administrator" encompassed both registry and registrar
+ roles, although that model did not anticipate a
+ commercial market in names.
+
+ [RFC625] Kudlick, M. and E. Feinler, "On-line hostnames
+ service", RFC 625, March 1974.
+
+ [RFC734] Crispin, M., "SUPDUP Protocol", RFC 734, October 1977.
+
+ [RFC811] Harrenstien, K., White, V. and E. Feinler, "Hostnames
+ Server", RFC 811, March 1982.
+
+ [RFC819] Su, Z. and J. Postel, "Domain naming convention for
+ Internet user applications", RFC 819, August 1982.
+
+ [RFC830] Su, Z., "Distributed system for Internet name
+ service", RFC 830, October 1982.
+
+ [RFC882] Mockapetris, P., "Domain names: Concepts and
+ facilities", RFC 882, November 1983.
+
+ [RFC883] Mockapetris, P., "Domain names: Implementation
+ specification", RFC 883, November 1983.
+
+ [RFC952] Harrenstien, K, Stahl, M. and E. Feinler, "DoD
+ Internet host table specification", RFC 952, October
+ 1985.
+
+ [RFC953] Harrenstien, K., Stahl, M. and E. Feinler, "HOSTNAME
+ SERVER", RFC 953, October 1985.
+
+ [RFC1034] Mockapetris, P., "Domain names, Concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+
+
+
+
+
+Klensin Informational [Page 27]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1591] Postel, J., "Domain Name System Structure and
+ Delegation", RFC 1591, March 1994.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2295] Holtman, K. and A. Mutz, "Transparent Content
+ Negotiation in HTTP", RFC 2295, March 1998
+
+ [RFC2396] Berners-Lee, T., Fielding, R. and L. Masinter,
+ "Uniform Resource Identifiers (URI): Generic Syntax",
+ RFC 2396, August 1998.
+
+ [RFC2608] Guttman, E., Perkins, C., Veizades, J. and M. Day,
+ "Service Location Protocol, Version 2", RFC 2608, June
+ 1999.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2825] IAB, Daigle, L., Ed., "A Tangled Web: Issues of I18N,
+ Domain Names, and the Other Internet protocols", RFC
+ 2825, May 2000.
+
+ [RFC2826] IAB, "IAB Technical Comment on the Unique DNS Root",
+ RFC 2826, May 2000.
+
+ [RFC2972] Popp, N., Mealling, M., Masinter, L. and K. Sollins,
+ "Context and Goals for Common Name Resolution", RFC
+ 2972, October 2000.
+
+ [RFC3305] Mealling, M. and R. Denenberg, Eds., "Report from the
+ Joint W3C/IETF URI Planning Interest Group: Uniform
+ Resource Identifiers (URIs), URLs, and Uniform
+ Resource Names (URNs): Clarifications and
+ Recommendations", RFC 3305, August 2002.
+
+ [RFC3439] Bush, R. and D. Meyer, "Some Internet Architectural
+ Guidelines and Philosophy", RFC 3439, December 2002.
+
+ [Seng] Seng, J., et al., Eds., "Internationalized Domain
+ Names: Registration and Administration Guideline for
+ Chinese, Japanese, and Korean", Work in Progress.
+
+
+
+
+
+Klensin Informational [Page 28]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
+ Internationalized Strings (stringprep)", RFC 3454,
+ December 2002.
+
+ The particular profile used for placing
+ internationalized strings in the DNS is called
+ "nameprep", described in Hoffman, P. and M. Blanchet,
+ "Nameprep: A Stringprep Profile for Internationalized
+ Domain Names", Work in Progress.
+
+ [TELNET] Postel, J. and J. Reynolds, "Telnet Protocol
+ Specification", STD 8, RFC 854, May 1983.
+
+ Postel, J. and J. Reynolds, "Telnet Option
+ Specifications", STD 8, RFC 855, May 1983.
+
+ [UNICODE] The Unicode Consortium, The Unicode Standard, Version
+ 3.0, Addison-Wesley: Reading, MA, 2000. Update to
+ version 3.1, 2001. Update to version 3.2, 2002.
+
+ [UTR15] Davis, M. and M. Duerst, "Unicode Standard Annex #15:
+ Unicode Normalization Forms", Unicode Consortium,
+ March 2002. An integral part of The Unicode Standard,
+ Version 3.1.1. Available at
+ (http://www.unicode.org/reports/tr15/tr15-21.html).
+
+ [WHOIS] Harrenstien, K, Stahl, M. and E. Feinler,
+ "NICNAME/WHOIS", RFC 954, October 1985.
+
+ [WHOIS-UPDATE] Gargano, J. and K. Weiss, "Whois and Network
+ Information Lookup Service, Whois++", RFC 1834, August
+ 1995.
+
+ Weider, C., Fullton, J. and S. Spero, "Architecture of
+ the Whois++ Index Service", RFC 1913, February 1996.
+
+ Williamson, S., Kosters, M., Blacka, D., Singh, J. and
+ K. Zeilstra, "Referral Whois (RWhois) Protocol V1.5",
+ RFC 2167, June 1997;
+
+ Daigle, L. and P. Faltstrom, "The
+ application/whoispp-query Content-Type", RFC 2957,
+ October 2000.
+
+ Daigle, L. and P. Falstrom, "The application/whoispp-
+ response Content-type", RFC 2958, October 2000.
+
+
+
+
+
+Klensin Informational [Page 29]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+ [X29] International Telecommuncations Union, "Recommendation
+ X.29: Procedures for the exchange of control
+ information and user data between a Packet
+ Assembly/Disassembly (PAD) facility and a packet mode
+ DTE or another PAD", December 1997.
+
+8. Acknowledgements
+
+ Many people have contributed to versions of this document or the
+ thinking that went into it. The author would particularly like to
+ thank Harald Alvestrand, Rob Austein, Bob Braden, Vinton Cerf, Matt
+ Crawford, Leslie Daigle, Patrik Faltstrom, Eric A. Hall, Ted Hardie,
+ Paul Hoffman, Erik Nordmark, and Zita Wenzel for making specific
+ suggestions and/or challenging the assumptions and presentation of
+ earlier versions and suggesting ways to improve them.
+
+9. Author's Address
+
+ John C. Klensin
+ 1770 Massachusetts Ave, #322
+ Cambridge, MA 02140
+
+ EMail: klensin+srch@jck.com
+
+ A mailing list has been initiated for discussion of the topics
+ discussed in this document, and closely-related issues, at
+ ietf-irnss@lists.elistx.com. See http://lists.elistx.com/archives/
+ for subscription and archival information.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Klensin Informational [Page 30]
+
+RFC 3467 Role of the Domain Name System (DNS) February 2003
+
+
+10. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Klensin Informational [Page 31]
+
diff --git a/contrib/bind9/doc/rfc/rfc3490.txt b/contrib/bind9/doc/rfc/rfc3490.txt
new file mode 100644
index 0000000..d2e0b3b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3490.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Network Working Group P. Faltstrom
+Request for Comments: 3490 Cisco
+Category: Standards Track P. Hoffman
+ IMC & VPNC
+ A. Costello
+ UC Berkeley
+ March 2003
+
+
+ Internationalizing Domain Names in Applications (IDNA)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ Until now, there has been no standard method for domain names to use
+ characters outside the ASCII repertoire. This document defines
+ internationalized domain names (IDNs) and a mechanism called
+ Internationalizing Domain Names in Applications (IDNA) for handling
+ them in a standard fashion. IDNs use characters drawn from a large
+ repertoire (Unicode), but IDNA allows the non-ASCII characters to be
+ represented using only the ASCII characters already allowed in so-
+ called host names today. This backward-compatible representation is
+ required in existing protocols like DNS, so that IDNs can be
+ introduced with no changes to the existing infrastructure. IDNA is
+ only meant for processing domain names, not free text.
+
+Table of Contents
+
+ 1. Introduction.................................................. 2
+ 1.1 Problem Statement......................................... 3
+ 1.2 Limitations of IDNA....................................... 3
+ 1.3 Brief overview for application developers................. 4
+ 2. Terminology................................................... 5
+ 3. Requirements and applicability................................ 7
+ 3.1 Requirements.............................................. 7
+ 3.2 Applicability............................................. 8
+ 3.2.1. DNS resource records................................ 8
+
+
+
+Faltstrom, et al. Standards Track [Page 1]
+
+RFC 3490 IDNA March 2003
+
+
+ 3.2.2. Non-domain-name data types stored in domain names... 9
+ 4. Conversion operations......................................... 9
+ 4.1 ToASCII................................................... 10
+ 4.2 ToUnicode................................................. 11
+ 5. ACE prefix.................................................... 12
+ 6. Implications for typical applications using DNS............... 13
+ 6.1 Entry and display in applications......................... 14
+ 6.2 Applications and resolver libraries....................... 15
+ 6.3 DNS servers............................................... 15
+ 6.4 Avoiding exposing users to the raw ACE encoding........... 16
+ 6.5 DNSSEC authentication of IDN domain names................ 16
+ 7. Name server considerations.................................... 17
+ 8. Root server considerations.................................... 17
+ 9. References.................................................... 18
+ 9.1 Normative References...................................... 18
+ 9.2 Informative References.................................... 18
+ 10. Security Considerations...................................... 19
+ 11. IANA Considerations.......................................... 20
+ 12. Authors' Addresses........................................... 21
+ 13. Full Copyright Statement..................................... 22
+
+1. Introduction
+
+ IDNA works by allowing applications to use certain ASCII name labels
+ (beginning with a special prefix) to represent non-ASCII name labels.
+ Lower-layer protocols need not be aware of this; therefore IDNA does
+ not depend on changes to any infrastructure. In particular, IDNA
+ does not depend on any changes to DNS servers, resolvers, or protocol
+ elements, because the ASCII name service provided by the existing DNS
+ is entirely sufficient for IDNA.
+
+ This document does not require any applications to conform to IDNA,
+ but applications can elect to use IDNA in order to support IDN while
+ maintaining interoperability with existing infrastructure. If an
+ application wants to use non-ASCII characters in domain names, IDNA
+ is the only currently-defined option. Adding IDNA support to an
+ existing application entails changes to the application only, and
+ leaves room for flexibility in the user interface.
+
+ A great deal of the discussion of IDN solutions has focused on
+ transition issues and how IDN will work in a world where not all of
+ the components have been updated. Proposals that were not chosen by
+ the IDN Working Group would depend on user applications, resolvers,
+ and DNS servers being updated in order for a user to use an
+ internationalized domain name. Rather than rely on widespread
+ updating of all components, IDNA depends on updates to user
+ applications only; no changes are needed to the DNS protocol or any
+ DNS servers or the resolvers on user's computers.
+
+
+
+Faltstrom, et al. Standards Track [Page 2]
+
+RFC 3490 IDNA March 2003
+
+
+1.1 Problem Statement
+
+ The IDNA specification solves the problem of extending the repertoire
+ of characters that can be used in domain names to include the Unicode
+ repertoire (with some restrictions).
+
+ IDNA does not extend the service offered by DNS to the applications.
+ Instead, the applications (and, by implication, the users) continue
+ to see an exact-match lookup service. Either there is a single
+ exactly-matching name or there is no match. This model has served
+ the existing applications well, but it requires, with or without
+ internationalized domain names, that users know the exact spelling of
+ the domain names that the users type into applications such as web
+ browsers and mail user agents. The introduction of the larger
+ repertoire of characters potentially makes the set of misspellings
+ larger, especially given that in some cases the same appearance, for
+ example on a business card, might visually match several Unicode code
+ points or several sequences of code points.
+
+ IDNA allows the graceful introduction of IDNs not only by avoiding
+ upgrades to existing infrastructure (such as DNS servers and mail
+ transport agents), but also by allowing some rudimentary use of IDNs
+ in applications by using the ASCII representation of the non-ASCII
+ name labels. While such names are very user-unfriendly to read and
+ type, and hence are not suitable for user input, they allow (for
+ instance) replying to email and clicking on URLs even though the
+ domain name displayed is incomprehensible to the user. In order to
+ allow user-friendly input and output of the IDNs, the applications
+ need to be modified to conform to this specification.
+
+ IDNA uses the Unicode character repertoire, which avoids the
+ significant delays that would be inherent in waiting for a different
+ and specific character set be defined for IDN purposes by some other
+ standards developing organization.
+
+1.2 Limitations of IDNA
+
+ The IDNA protocol does not solve all linguistic issues with users
+ inputting names in different scripts. Many important language-based
+ and script-based mappings are not covered in IDNA and need to be
+ handled outside the protocol. For example, names that are entered in
+ a mix of traditional and simplified Chinese characters will not be
+ mapped to a single canonical name. Another example is Scandinavian
+ names that are entered with U+00F6 (LATIN SMALL LETTER O WITH
+ DIAERESIS) will not be mapped to U+00F8 (LATIN SMALL LETTER O WITH
+ STROKE).
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 3]
+
+RFC 3490 IDNA March 2003
+
+
+ An example of an important issue that is not considered in detail in
+ IDNA is how to provide a high probability that a user who is entering
+ a domain name based on visual information (such as from a business
+ card or billboard) or aural information (such as from a telephone or
+ radio) would correctly enter the IDN. Similar issues exist for ASCII
+ domain names, for example the possible visual confusion between the
+ letter 'O' and the digit zero, but the introduction of the larger
+ repertoire of characters creates more opportunities of similar
+ looking and similar sounding names. Note that this is a complex
+ issue relating to languages, input methods on computers, and so on.
+ Furthermore, the kind of matching and searching necessary for a high
+ probability of success would not fit the role of the DNS and its
+ exact matching function.
+
+1.3 Brief overview for application developers
+
+ Applications can use IDNA to support internationalized domain names
+ anywhere that ASCII domain names are already supported, including DNS
+ master files and resolver interfaces. (Applications can also define
+ protocols and interfaces that support IDNs directly using non-ASCII
+ representations. IDNA does not prescribe any particular
+ representation for new protocols, but it still defines which names
+ are valid and how they are compared.)
+
+ The IDNA protocol is contained completely within applications. It is
+ not a client-server or peer-to-peer protocol: everything is done
+ inside the application itself. When used with a DNS resolver
+ library, IDNA is inserted as a "shim" between the application and the
+ resolver library. When used for writing names into a DNS zone, IDNA
+ is used just before the name is committed to the zone.
+
+ There are two operations described in section 4 of this document:
+
+ - The ToASCII operation is used before sending an IDN to something
+ that expects ASCII names (such as a resolver) or writing an IDN
+ into a place that expects ASCII names (such as a DNS master file).
+
+ - The ToUnicode operation is used when displaying names to users,
+ for example names obtained from a DNS zone.
+
+ It is important to note that the ToASCII operation can fail. If it
+ fails when processing a domain name, that domain name cannot be used
+ as an internationalized domain name and the application has to have
+ some method of dealing with this failure.
+
+ IDNA requires that implementations process input strings with
+ Nameprep [NAMEPREP], which is a profile of Stringprep [STRINGPREP],
+ and then with Punycode [PUNYCODE]. Implementations of IDNA MUST
+
+
+
+Faltstrom, et al. Standards Track [Page 4]
+
+RFC 3490 IDNA March 2003
+
+
+ fully implement Nameprep and Punycode; neither Nameprep nor Punycode
+ are optional.
+
+2. Terminology
+
+ The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
+ and "MAY" in this document are to be interpreted as described in BCP
+ 14, RFC 2119 [RFC2119].
+
+ A code point is an integer value associated with a character in a
+ coded character set.
+
+ Unicode [UNICODE] is a coded character set containing tens of
+ thousands of characters. A single Unicode code point is denoted by
+ "U+" followed by four to six hexadecimal digits, while a range of
+ Unicode code points is denoted by two hexadecimal numbers separated
+ by "..", with no prefixes.
+
+ ASCII means US-ASCII [USASCII], a coded character set containing 128
+ characters associated with code points in the range 0..7F. Unicode
+ is an extension of ASCII: it includes all the ASCII characters and
+ associates them with the same code points.
+
+ The term "LDH code points" is defined in this document to mean the
+ code points associated with ASCII letters, digits, and the hyphen-
+ minus; that is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an
+ abbreviation for "letters, digits, hyphen".
+
+ [STD13] talks about "domain names" and "host names", but many people
+ use the terms interchangeably. Further, because [STD13] was not
+ terribly clear, many people who are sure they know the exact
+ definitions of each of these terms disagree on the definitions. In
+ this document the term "domain name" is used in general. This
+ document explicitly cites [STD3] whenever referring to the host name
+ syntax restrictions defined therein.
+
+ A label is an individual part of a domain name. Labels are usually
+ shown separated by dots; for example, the domain name
+ "www.example.com" is composed of three labels: "www", "example", and
+ "com". (The zero-length root label described in [STD13], which can
+ be explicit as in "www.example.com." or implicit as in
+ "www.example.com", is not considered a label in this specification.)
+ IDNA extends the set of usable characters in labels that are text.
+ For the rest of this document, the term "label" is shorthand for
+ "text label", and "every label" means "every text label".
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 5]
+
+RFC 3490 IDNA March 2003
+
+
+ An "internationalized label" is a label to which the ToASCII
+ operation (see section 4) can be applied without failing (with the
+ UseSTD3ASCIIRules flag unset). This implies that every ASCII label
+ that satisfies the [STD13] length restriction is an internationalized
+ label. Therefore the term "internationalized label" is a
+ generalization, embracing both old ASCII labels and new non-ASCII
+ labels. Although most Unicode characters can appear in
+ internationalized labels, ToASCII will fail for some input strings,
+ and such strings are not valid internationalized labels.
+
+ An "internationalized domain name" (IDN) is a domain name in which
+ every label is an internationalized label. This implies that every
+ ASCII domain name is an IDN (which implies that it is possible for a
+ name to be an IDN without it containing any non-ASCII characters).
+ This document does not attempt to define an "internationalized host
+ name". Just as has been the case with ASCII names, some DNS zone
+ administrators may impose restrictions, beyond those imposed by DNS
+ or IDNA, on the characters or strings that may be registered as
+ labels in their zones. Such restrictions have no impact on the
+ syntax or semantics of DNS protocol messages; a query for a name that
+ matches no records will yield the same response regardless of the
+ reason why it is not in the zone. Clients issuing queries or
+ interpreting responses cannot be assumed to have any knowledge of
+ zone-specific restrictions or conventions.
+
+ In IDNA, equivalence of labels is defined in terms of the ToASCII
+ operation, which constructs an ASCII form for a given label, whether
+ or not the label was already an ASCII label. Labels are defined to
+ be equivalent if and only if their ASCII forms produced by ToASCII
+ match using a case-insensitive ASCII comparison. ASCII labels
+ already have a notion of equivalence: upper case and lower case are
+ considered equivalent. The IDNA notion of equivalence is an
+ extension of that older notion. Equivalent labels in IDNA are
+ treated as alternate forms of the same label, just as "foo" and "Foo"
+ are treated as alternate forms of the same label.
+
+ To allow internationalized labels to be handled by existing
+ applications, IDNA uses an "ACE label" (ACE stands for ASCII
+ Compatible Encoding). An ACE label is an internationalized label
+ that can be rendered in ASCII and is equivalent to an
+ internationalized label that cannot be rendered in ASCII. Given any
+ internationalized label that cannot be rendered in ASCII, the ToASCII
+ operation will convert it to an equivalent ACE label (whereas an
+ ASCII label will be left unaltered by ToASCII). ACE labels are
+ unsuitable for display to users. The ToUnicode operation will
+ convert any label to an equivalent non-ACE label. In fact, an ACE
+ label is formally defined to be any label that the ToUnicode
+ operation would alter (whereas non-ACE labels are left unaltered by
+
+
+
+Faltstrom, et al. Standards Track [Page 6]
+
+RFC 3490 IDNA March 2003
+
+
+ ToUnicode). Every ACE label begins with the ACE prefix specified in
+ section 5. The ToASCII and ToUnicode operations are specified in
+ section 4.
+
+ The "ACE prefix" is defined in this document to be a string of ASCII
+ characters that appears at the beginning of every ACE label. It is
+ specified in section 5.
+
+ A "domain name slot" is defined in this document to be a protocol
+ element or a function argument or a return value (and so on)
+ explicitly designated for carrying a domain name. Examples of domain
+ name slots include: the QNAME field of a DNS query; the name argument
+ of the gethostbyname() library function; the part of an email address
+ following the at-sign (@) in the From: field of an email message
+ header; and the host portion of the URI in the src attribute of an
+ HTML <IMG> tag. General text that just happens to contain a domain
+ name is not a domain name slot; for example, a domain name appearing
+ in the plain text body of an email message is not occupying a domain
+ name slot.
+
+ An "IDN-aware domain name slot" is defined in this document to be a
+ domain name slot explicitly designated for carrying an
+ internationalized domain name as defined in this document. The
+ designation may be static (for example, in the specification of the
+ protocol or interface) or dynamic (for example, as a result of
+ negotiation in an interactive session).
+
+ An "IDN-unaware domain name slot" is defined in this document to be
+ any domain name slot that is not an IDN-aware domain name slot.
+ Obviously, this includes any domain name slot whose specification
+ predates IDNA.
+
+3. Requirements and applicability
+
+3.1 Requirements
+
+ IDNA conformance means adherence to the following four requirements:
+
+ 1) Whenever dots are used as label separators, the following
+ characters MUST be recognized as dots: U+002E (full stop), U+3002
+ (ideographic full stop), U+FF0E (fullwidth full stop), U+FF61
+ (halfwidth ideographic full stop).
+
+ 2) Whenever a domain name is put into an IDN-unaware domain name slot
+ (see section 2), it MUST contain only ASCII characters. Given an
+ internationalized domain name (IDN), an equivalent domain name
+ satisfying this requirement can be obtained by applying the
+
+
+
+
+Faltstrom, et al. Standards Track [Page 7]
+
+RFC 3490 IDNA March 2003
+
+
+ ToASCII operation (see section 4) to each label and, if dots are
+ used as label separators, changing all the label separators to
+ U+002E.
+
+ 3) ACE labels obtained from domain name slots SHOULD be hidden from
+ users when it is known that the environment can handle the non-ACE
+ form, except when the ACE form is explicitly requested. When it
+ is not known whether or not the environment can handle the non-ACE
+ form, the application MAY use the non-ACE form (which might fail,
+ such as by not being displayed properly), or it MAY use the ACE
+ form (which will look unintelligle to the user). Given an
+ internationalized domain name, an equivalent domain name
+ containing no ACE labels can be obtained by applying the ToUnicode
+ operation (see section 4) to each label. When requirements 2 and
+ 3 both apply, requirement 2 takes precedence.
+
+ 4) Whenever two labels are compared, they MUST be considered to match
+ if and only if they are equivalent, that is, their ASCII forms
+ (obtained by applying ToASCII) match using a case-insensitive
+ ASCII comparison. Whenever two names are compared, they MUST be
+ considered to match if and only if their corresponding labels
+ match, regardless of whether the names use the same forms of label
+ separators.
+
+3.2 Applicability
+
+ IDNA is applicable to all domain names in all domain name slots
+ except where it is explicitly excluded.
+
+ This implies that IDNA is applicable to many protocols that predate
+ IDNA. Note that IDNs occupying domain name slots in those protocols
+ MUST be in ASCII form (see section 3.1, requirement 2).
+
+3.2.1. DNS resource records
+
+ IDNA does not apply to domain names in the NAME and RDATA fields of
+ DNS resource records whose CLASS is not IN. This exclusion applies
+ to every non-IN class, present and future, except where future
+ standards override this exclusion by explicitly inviting the use of
+ IDNA.
+
+ There are currently no other exclusions on the applicability of IDNA
+ to DNS resource records; it depends entirely on the CLASS, and not on
+ the TYPE. This will remain true, even as new types are defined,
+ unless there is a compelling reason for a new type to complicate
+ matters by imposing type-specific rules.
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 8]
+
+RFC 3490 IDNA March 2003
+
+
+3.2.2. Non-domain-name data types stored in domain names
+
+ Although IDNA enables the representation of non-ASCII characters in
+ domain names, that does not imply that IDNA enables the
+ representation of non-ASCII characters in other data types that are
+ stored in domain names. For example, an email address local part is
+ sometimes stored in a domain label (hostmaster@example.com would be
+ represented as hostmaster.example.com in the RDATA field of an SOA
+ record). IDNA does not update the existing email standards, which
+ allow only ASCII characters in local parts. Therefore, unless the
+ email standards are revised to invite the use of IDNA for local
+ parts, a domain label that holds the local part of an email address
+ SHOULD NOT begin with the ACE prefix, and even if it does, it is to
+ be interpreted literally as a local part that happens to begin with
+ the ACE prefix.
+
+4. Conversion operations
+
+ An application converts a domain name put into an IDN-unaware slot or
+ displayed to a user. This section specifies the steps to perform in
+ the conversion, and the ToASCII and ToUnicode operations.
+
+ The input to ToASCII or ToUnicode is a single label that is a
+ sequence of Unicode code points (remember that all ASCII code points
+ are also Unicode code points). If a domain name is represented using
+ a character set other than Unicode or US-ASCII, it will first need to
+ be transcoded to Unicode.
+
+ Starting from a whole domain name, the steps that an application
+ takes to do the conversions are:
+
+ 1) Decide whether the domain name is a "stored string" or a "query
+ string" as described in [STRINGPREP]. If this conversion follows
+ the "queries" rule from [STRINGPREP], set the flag called
+ "AllowUnassigned".
+
+ 2) Split the domain name into individual labels as described in
+ section 3.1. The labels do not include the separator.
+
+ 3) For each label, decide whether or not to enforce the restrictions
+ on ASCII characters in host names [STD3]. (Applications already
+ faced this choice before the introduction of IDNA, and can
+ continue to make the decision the same way they always have; IDNA
+ makes no new recommendations regarding this choice.) If the
+ restrictions are to be enforced, set the flag called
+ "UseSTD3ASCIIRules" for that label.
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 9]
+
+RFC 3490 IDNA March 2003
+
+
+ 4) Process each label with either the ToASCII or the ToUnicode
+ operation as appropriate. Typically, you use the ToASCII
+ operation if you are about to put the name into an IDN-unaware
+ slot, and you use the ToUnicode operation if you are displaying
+ the name to a user; section 3.1 gives greater detail on the
+ applicable requirements.
+
+ 5) If ToASCII was applied in step 4 and dots are used as label
+ separators, change all the label separators to U+002E (full stop).
+
+ The following two subsections define the ToASCII and ToUnicode
+ operations that are used in step 4.
+
+ This description of the protocol uses specific procedure names, names
+ of flags, and so on, in order to facilitate the specification of the
+ protocol. These names, as well as the actual steps of the
+ procedures, are not required of an implementation. In fact, any
+ implementation which has the same external behavior as specified in
+ this document conforms to this specification.
+
+4.1 ToASCII
+
+ The ToASCII operation takes a sequence of Unicode code points that
+ make up one label and transforms it into a sequence of code points in
+ the ASCII range (0..7F). If ToASCII succeeds, the original sequence
+ and the resulting sequence are equivalent labels.
+
+ It is important to note that the ToASCII operation can fail. ToASCII
+ fails if any step of it fails. If any step of the ToASCII operation
+ fails on any label in a domain name, that domain name MUST NOT be
+ used as an internationalized domain name. The method for dealing
+ with this failure is application-specific.
+
+ The inputs to ToASCII are a sequence of code points, the
+ AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
+ ToASCII is either a sequence of ASCII code points or a failure
+ condition.
+
+ ToASCII never alters a sequence of code points that are all in the
+ ASCII range to begin with (although it could fail). Applying the
+ ToASCII operation multiple times has exactly the same effect as
+ applying it just once.
+
+ ToASCII consists of the following steps:
+
+ 1. If the sequence contains any code points outside the ASCII range
+ (0..7F) then proceed to step 2, otherwise skip to step 3.
+
+
+
+
+Faltstrom, et al. Standards Track [Page 10]
+
+RFC 3490 IDNA March 2003
+
+
+ 2. Perform the steps specified in [NAMEPREP] and fail if there is an
+ error. The AllowUnassigned flag is used in [NAMEPREP].
+
+ 3. If the UseSTD3ASCIIRules flag is set, then perform these checks:
+
+ (a) Verify the absence of non-LDH ASCII code points; that is, the
+ absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.
+
+ (b) Verify the absence of leading and trailing hyphen-minus; that
+ is, the absence of U+002D at the beginning and end of the
+ sequence.
+
+ 4. If the sequence contains any code points outside the ASCII range
+ (0..7F) then proceed to step 5, otherwise skip to step 8.
+
+ 5. Verify that the sequence does NOT begin with the ACE prefix.
+
+ 6. Encode the sequence using the encoding algorithm in [PUNYCODE] and
+ fail if there is an error.
+
+ 7. Prepend the ACE prefix.
+
+ 8. Verify that the number of code points is in the range 1 to 63
+ inclusive.
+
+4.2 ToUnicode
+
+ The ToUnicode operation takes a sequence of Unicode code points that
+ make up one label and returns a sequence of Unicode code points. If
+ the input sequence is a label in ACE form, then the result is an
+ equivalent internationalized label that is not in ACE form, otherwise
+ the original sequence is returned unaltered.
+
+ ToUnicode never fails. If any step fails, then the original input
+ sequence is returned immediately in that step.
+
+ The ToUnicode output never contains more code points than its input.
+ Note that the number of octets needed to represent a sequence of code
+ points depends on the particular character encoding used.
+
+ The inputs to ToUnicode are a sequence of code points, the
+ AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
+ ToUnicode is always a sequence of Unicode code points.
+
+ 1. If all code points in the sequence are in the ASCII range (0..7F)
+ then skip to step 3.
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 11]
+
+RFC 3490 IDNA March 2003
+
+
+ 2. Perform the steps specified in [NAMEPREP] and fail if there is an
+ error. (If step 3 of ToASCII is also performed here, it will not
+ affect the overall behavior of ToUnicode, but it is not
+ necessary.) The AllowUnassigned flag is used in [NAMEPREP].
+
+ 3. Verify that the sequence begins with the ACE prefix, and save a
+ copy of the sequence.
+
+ 4. Remove the ACE prefix.
+
+ 5. Decode the sequence using the decoding algorithm in [PUNYCODE] and
+ fail if there is an error. Save a copy of the result of this
+ step.
+
+ 6. Apply ToASCII.
+
+ 7. Verify that the result of step 6 matches the saved copy from step
+ 3, using a case-insensitive ASCII comparison.
+
+ 8. Return the saved copy from step 5.
+
+5. ACE prefix
+
+ The ACE prefix, used in the conversion operations (section 4), is two
+ alphanumeric ASCII characters followed by two hyphen-minuses. It
+ cannot be any of the prefixes already used in earlier documents,
+ which includes the following: "bl--", "bq--", "dq--", "lq--", "mq--",
+ "ra--", "wq--" and "zq--". The ToASCII and ToUnicode operations MUST
+ recognize the ACE prefix in a case-insensitive manner.
+
+ The ACE prefix for IDNA is "xn--" or any capitalization thereof.
+
+ This means that an ACE label might be "xn--de-jg4avhby1noc0d", where
+ "de-jg4avhby1noc0d" is the part of the ACE label that is generated by
+ the encoding steps in [PUNYCODE].
+
+ While all ACE labels begin with the ACE prefix, not all labels
+ beginning with the ACE prefix are necessarily ACE labels. Non-ACE
+ labels that begin with the ACE prefix will confuse users and SHOULD
+ NOT be allowed in DNS zones.
+
+
+
+
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 12]
+
+RFC 3490 IDNA March 2003
+
+
+6. Implications for typical applications using DNS
+
+ In IDNA, applications perform the processing needed to input
+ internationalized domain names from users, display internationalized
+ domain names to users, and process the inputs and outputs from DNS
+ and other protocols that carry domain names.
+
+ The components and interfaces between them can be represented
+ pictorially as:
+
+ +------+
+ | User |
+ +------+
+ ^
+ | Input and display: local interface methods
+ | (pen, keyboard, glowing phosphorus, ...)
+ +-------------------|-------------------------------+
+ | v |
+ | +-----------------------------+ |
+ | | Application | |
+ | | (ToASCII and ToUnicode | |
+ | | operations may be | |
+ | | called here) | |
+ | +-----------------------------+ |
+ | ^ ^ | End system
+ | | | |
+ | Call to resolver: | | Application-specific |
+ | ACE | | protocol: |
+ | v | ACE unless the |
+ | +----------+ | protocol is updated |
+ | | Resolver | | to handle other |
+ | +----------+ | encodings |
+ | ^ | |
+ +-----------------|----------|----------------------+
+ DNS protocol: | |
+ ACE | |
+ v v
+ +-------------+ +---------------------+
+ | DNS servers | | Application servers |
+ +-------------+ +---------------------+
+
+ The box labeled "Application" is where the application splits a
+ domain name into labels, sets the appropriate flags, and performs the
+ ToASCII and ToUnicode operations. This is described in section 4.
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 13]
+
+RFC 3490 IDNA March 2003
+
+
+6.1 Entry and display in applications
+
+ Applications can accept domain names using any character set or sets
+ desired by the application developer, and can display domain names in
+ any charset. That is, the IDNA protocol does not affect the
+ interface between users and applications.
+
+ An IDNA-aware application can accept and display internationalized
+ domain names in two formats: the internationalized character set(s)
+ supported by the application, and as an ACE label. ACE labels that
+ are displayed or input MUST always include the ACE prefix.
+ Applications MAY allow input and display of ACE labels, but are not
+ encouraged to do so except as an interface for special purposes,
+ possibly for debugging, or to cope with display limitations as
+ described in section 6.4.. ACE encoding is opaque and ugly, and
+ should thus only be exposed to users who absolutely need it. Because
+ name labels encoded as ACE name labels can be rendered either as the
+ encoded ASCII characters or the proper decoded characters, the
+ application MAY have an option for the user to select the preferred
+ method of display; if it does, rendering the ACE SHOULD NOT be the
+ default.
+
+ Domain names are often stored and transported in many places. For
+ example, they are part of documents such as mail messages and web
+ pages. They are transported in many parts of many protocols, such as
+ both the control commands and the RFC 2822 body parts of SMTP, and
+ the headers and the body content in HTTP. It is important to
+ remember that domain names appear both in domain name slots and in
+ the content that is passed over protocols.
+
+ In protocols and document formats that define how to handle
+ specification or negotiation of charsets, labels can be encoded in
+ any charset allowed by the protocol or document format. If a
+ protocol or document format only allows one charset, the labels MUST
+ be given in that charset.
+
+ In any place where a protocol or document format allows transmission
+ of the characters in internationalized labels, internationalized
+ labels SHOULD be transmitted using whatever character encoding and
+ escape mechanism that the protocol or document format uses at that
+ place.
+
+ All protocols that use domain name slots already have the capacity
+ for handling domain names in the ASCII charset. Thus, ACE labels
+ (internationalized labels that have been processed with the ToASCII
+ operation) can inherently be handled by those protocols.
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 14]
+
+RFC 3490 IDNA March 2003
+
+
+6.2 Applications and resolver libraries
+
+ Applications normally use functions in the operating system when they
+ resolve DNS queries. Those functions in the operating system are
+ often called "the resolver library", and the applications communicate
+ with the resolver libraries through a programming interface (API).
+
+ Because these resolver libraries today expect only domain names in
+ ASCII, applications MUST prepare labels that are passed to the
+ resolver library using the ToASCII operation. Labels received from
+ the resolver library contain only ASCII characters; internationalized
+ labels that cannot be represented directly in ASCII use the ACE form.
+ ACE labels always include the ACE prefix.
+
+ An operating system might have a set of libraries for performing the
+ ToASCII operation. The input to such a library might be in one or
+ more charsets that are used in applications (UTF-8 and UTF-16 are
+ likely candidates for almost any operating system, and script-
+ specific charsets are likely for localized operating systems).
+
+ IDNA-aware applications MUST be able to work with both non-
+ internationalized labels (those that conform to [STD13] and [STD3])
+ and internationalized labels.
+
+ It is expected that new versions of the resolver libraries in the
+ future will be able to accept domain names in other charsets than
+ ASCII, and application developers might one day pass not only domain
+ names in Unicode, but also in local script to a new API for the
+ resolver libraries in the operating system. Thus the ToASCII and
+ ToUnicode operations might be performed inside these new versions of
+ the resolver libraries.
+
+ Domain names passed to resolvers or put into the question section of
+ DNS requests follow the rules for "queries" from [STRINGPREP].
+
+6.3 DNS servers
+
+ Domain names stored in zones follow the rules for "stored strings"
+ from [STRINGPREP].
+
+ For internationalized labels that cannot be represented directly in
+ ASCII, DNS servers MUST use the ACE form produced by the ToASCII
+ operation. All IDNs served by DNS servers MUST contain only ASCII
+ characters.
+
+ If a signaling system which makes negotiation possible between old
+ and new DNS clients and servers is standardized in the future, the
+ encoding of the query in the DNS protocol itself can be changed from
+
+
+
+Faltstrom, et al. Standards Track [Page 15]
+
+RFC 3490 IDNA March 2003
+
+
+ ACE to something else, such as UTF-8. The question whether or not
+ this should be used is, however, a separate problem and is not
+ discussed in this memo.
+
+6.4 Avoiding exposing users to the raw ACE encoding
+
+ Any application that might show the user a domain name obtained from
+ a domain name slot, such as from gethostbyaddr or part of a mail
+ header, will need to be updated if it is to prevent users from seeing
+ the ACE.
+
+ If an application decodes an ACE name using ToUnicode but cannot show
+ all of the characters in the decoded name, such as if the name
+ contains characters that the output system cannot display, the
+ application SHOULD show the name in ACE format (which always includes
+ the ACE prefix) instead of displaying the name with the replacement
+ character (U+FFFD). This is to make it easier for the user to
+ transfer the name correctly to other programs. Programs that by
+ default show the ACE form when they cannot show all the characters in
+ a name label SHOULD also have a mechanism to show the name that is
+ produced by the ToUnicode operation with as many characters as
+ possible and replacement characters in the positions where characters
+ cannot be displayed.
+
+ The ToUnicode operation does not alter labels that are not valid ACE
+ labels, even if they begin with the ACE prefix. After ToUnicode has
+ been applied, if a label still begins with the ACE prefix, then it is
+ not a valid ACE label, and is not equivalent to any of the
+ intermediate Unicode strings constructed by ToUnicode.
+
+6.5 DNSSEC authentication of IDN domain names
+
+ DNS Security [RFC2535] is a method for supplying cryptographic
+ verification information along with DNS messages. Public Key
+ Cryptography is used in conjunction with digital signatures to
+ provide a means for a requester of domain information to authenticate
+ the source of the data. This ensures that it can be traced back to a
+ trusted source, either directly, or via a chain of trust linking the
+ source of the information to the top of the DNS hierarchy.
+
+ IDNA specifies that all internationalized domain names served by DNS
+ servers that cannot be represented directly in ASCII must use the ACE
+ form produced by the ToASCII operation. This operation must be
+ performed prior to a zone being signed by the private key for that
+ zone. Because of this ordering, it is important to recognize that
+ DNSSEC authenticates the ASCII domain name, not the Unicode form or
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 16]
+
+RFC 3490 IDNA March 2003
+
+
+ the mapping between the Unicode form and the ASCII form. In the
+ presence of DNSSEC, this is the name that MUST be signed in the zone
+ and MUST be validated against.
+
+ One consequence of this for sites deploying IDNA in the presence of
+ DNSSEC is that any special purpose proxies or forwarders used to
+ transform user input into IDNs must be earlier in the resolution flow
+ than DNSSEC authenticating nameservers for DNSSEC to work.
+
+7. Name server considerations
+
+ Existing DNS servers do not know the IDNA rules for handling non-
+ ASCII forms of IDNs, and therefore need to be shielded from them.
+ All existing channels through which names can enter a DNS server
+ database (for example, master files [STD13] and DNS update messages
+ [RFC2136]) are IDN-unaware because they predate IDNA, and therefore
+ requirement 2 of section 3.1 of this document provides the needed
+ shielding, by ensuring that internationalized domain names entering
+ DNS server databases through such channels have already been
+ converted to their equivalent ASCII forms.
+
+ It is imperative that there be only one ASCII encoding for a
+ particular domain name. Because of the design of the ToASCII and
+ ToUnicode operations, there are no ACE labels that decode to ASCII
+ labels, and therefore name servers cannot contain multiple ASCII
+ encodings of the same domain name.
+
+ [RFC2181] explicitly allows domain labels to contain octets beyond
+ the ASCII range (0..7F), and this document does not change that.
+ Note, however, that there is no defined interpretation of octets
+ 80..FF as characters. If labels containing these octets are returned
+ to applications, unpredictable behavior could result. The ASCII form
+ defined by ToASCII is the only standard representation for
+ internationalized labels in the current DNS protocol.
+
+8. Root server considerations
+
+ IDNs are likely to be somewhat longer than current domain names, so
+ the bandwidth needed by the root servers is likely to go up by a
+ small amount. Also, queries and responses for IDNs will probably be
+ somewhat longer than typical queries today, so more queries and
+ responses may be forced to go to TCP instead of UDP.
+
+
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 17]
+
+RFC 3490 IDNA March 2003
+
+
+9. References
+
+9.1 Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
+ Internationalized Strings ("stringprep")", RFC 3454,
+ December 2002.
+
+ [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
+ Profile for Internationalized Domain Names (IDN)", RFC
+ 3491, March 2003.
+
+ [PUNYCODE] Costello, A., "Punycode: A Bootstring encoding of
+ Unicode for use with Internationalized Domain Names in
+ Applications (IDNA)", RFC 3492, March 2003.
+
+ [STD3] Braden, R., "Requirements for Internet Hosts --
+ Communication Layers", STD 3, RFC 1122, and
+ "Requirements for Internet Hosts -- Application and
+ Support", STD 3, RFC 1123, October 1989.
+
+ [STD13] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034 and "Domain names -
+ implementation and specification", STD 13, RFC 1035,
+ November 1987.
+
+9.2 Informative References
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [UAX9] Unicode Standard Annex #9, The Bidirectional Algorithm,
+ <http://www.unicode.org/unicode/reports/tr9/>.
+
+ [UNICODE] The Unicode Consortium. The Unicode Standard, Version
+ 3.2.0 is defined by The Unicode Standard, Version 3.0
+ (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
+ as amended by the Unicode Standard Annex #27: Unicode
+ 3.1 (http://www.unicode.org/reports/tr27/) and by the
+ Unicode Standard Annex #28: Unicode 3.2
+ (http://www.unicode.org/reports/tr28/).
+
+
+
+
+Faltstrom, et al. Standards Track [Page 18]
+
+RFC 3490 IDNA March 2003
+
+
+ [USASCII] Cerf, V., "ASCII format for Network Interchange", RFC
+ 20, October 1969.
+
+10. Security Considerations
+
+ Security on the Internet partly relies on the DNS. Thus, any change
+ to the characteristics of the DNS can change the security of much of
+ the Internet.
+
+ This memo describes an algorithm which encodes characters that are
+ not valid according to STD3 and STD13 into octet values that are
+ valid. No security issues such as string length increases or new
+ allowed values are introduced by the encoding process or the use of
+ these encoded values, apart from those introduced by the ACE encoding
+ itself.
+
+ Domain names are used by users to identify and connect to Internet
+ servers. The security of the Internet is compromised if a user
+ entering a single internationalized name is connected to different
+ servers based on different interpretations of the internationalized
+ domain name.
+
+ When systems use local character sets other than ASCII and Unicode,
+ this specification leaves the the problem of transcoding between the
+ local character set and Unicode up to the application. If different
+ applications (or different versions of one application) implement
+ different transcoding rules, they could interpret the same name
+ differently and contact different servers. This problem is not
+ solved by security protocols like TLS that do not take local
+ character sets into account.
+
+ Because this document normatively refers to [NAMEPREP], [PUNYCODE],
+ and [STRINGPREP], it includes the security considerations from those
+ documents as well.
+
+ If or when this specification is updated to use a more recent Unicode
+ normalization table, the new normalization table will need to be
+ compared with the old to spot backwards incompatible changes. If
+ there are such changes, they will need to be handled somehow, or
+ there will be security as well as operational implications. Methods
+ to handle the conflicts could include keeping the old normalization,
+ or taking care of the conflicting characters by operational means, or
+ some other method.
+
+ Implementations MUST NOT use more recent normalization tables than
+ the one referenced from this document, even though more recent tables
+ may be provided by operating systems. If an application is unsure of
+ which version of the normalization tables are in the operating
+
+
+
+Faltstrom, et al. Standards Track [Page 19]
+
+RFC 3490 IDNA March 2003
+
+
+ system, the application needs to include the normalization tables
+ itself. Using normalization tables other than the one referenced
+ from this specification could have security and operational
+ implications.
+
+ To help prevent confusion between characters that are visually
+ similar, it is suggested that implementations provide visual
+ indications where a domain name contains multiple scripts. Such
+ mechanisms can also be used to show when a name contains a mixture of
+ simplified and traditional Chinese characters, or to distinguish zero
+ and one from O and l. DNS zone adminstrators may impose restrictions
+ (subject to the limitations in section 2) that try to minimize
+ homographs.
+
+ Domain names (or portions of them) are sometimes compared against a
+ set of privileged or anti-privileged domains. In such situations it
+ is especially important that the comparisons be done properly, as
+ specified in section 3.1 requirement 4. For labels already in ASCII
+ form, the proper comparison reduces to the same case-insensitive
+ ASCII comparison that has always been used for ASCII labels.
+
+ The introduction of IDNA means that any existing labels that start
+ with the ACE prefix and would be altered by ToUnicode will
+ automatically be ACE labels, and will be considered equivalent to
+ non-ASCII labels, whether or not that was the intent of the zone
+ adminstrator or registrant.
+
+11. IANA Considerations
+
+ IANA has assigned the ACE prefix in consultation with the IESG.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 20]
+
+RFC 3490 IDNA March 2003
+
+
+12. Authors' Addresses
+
+ Patrik Faltstrom
+ Cisco Systems
+ Arstaangsvagen 31 J
+ S-117 43 Stockholm Sweden
+
+ EMail: paf@cisco.com
+
+
+ Paul Hoffman
+ Internet Mail Consortium and VPN Consortium
+ 127 Segre Place
+ Santa Cruz, CA 95060 USA
+
+ EMail: phoffman@imc.org
+
+
+ Adam M. Costello
+ University of California, Berkeley
+
+ URL: http://www.nicemice.net/amc/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 21]
+
+RFC 3490 IDNA March 2003
+
+
+13. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Faltstrom, et al. Standards Track [Page 22]
+
diff --git a/contrib/bind9/doc/rfc/rfc3491.txt b/contrib/bind9/doc/rfc/rfc3491.txt
new file mode 100644
index 0000000..dbc86c7
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3491.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group P. Hoffman
+Request for Comments: 3491 IMC & VPNC
+Category: Standards Track M. Blanchet
+ Viagenie
+ March 2003
+
+
+ Nameprep: A Stringprep Profile for
+ Internationalized Domain Names (IDN)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document describes how to prepare internationalized domain name
+ (IDN) labels in order to increase the likelihood that name input and
+ name comparison work in ways that make sense for typical users
+ throughout the world. This profile of the stringprep protocol is
+ used as part of a suite of on-the-wire protocols for
+ internationalizing the Domain Name System (DNS).
+
+1. Introduction
+
+ This document specifies processing rules that will allow users to
+ enter internationalized domain names (IDNs) into applications and
+ have the highest chance of getting the content of the strings
+ correct. It is a profile of stringprep [STRINGPREP]. These
+ processing rules are only intended for internationalized domain
+ names, not for arbitrary text.
+
+ This profile defines the following, as required by [STRINGPREP].
+
+ - The intended applicability of the profile: internationalized
+ domain names processed by IDNA.
+
+ - The character repertoire that is the input and output to
+ stringprep: Unicode 3.2, specified in section 2.
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 1]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+ - The mappings used: specified in section 3.
+
+ - The Unicode normalization used: specified in section 4.
+
+ - The characters that are prohibited as output: specified in section
+ 5.
+
+ - Bidirectional character handling: specified in section 6.
+
+1.1 Interaction of protocol parts
+
+ Nameprep is used by the IDNA [IDNA] protocol for preparing domain
+ names; it is not designed for any other purpose. It is explicitly
+ not designed for processing arbitrary free text and SHOULD NOT be
+ used for that purpose. Nameprep is a profile of Stringprep
+ [STRINGPREP]. Implementations of Nameprep MUST fully implement
+ Stringprep.
+
+ Nameprep is used to process domain name labels, not domain names.
+ IDNA calls nameprep for each label in a domain name, not for the
+ whole domain name.
+
+1.2 Terminology
+
+ The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
+ in this document are to be interpreted as described in BCP 14, RFC
+ 2119 [RFC2119].
+
+2. Character Repertoire
+
+ This profile uses Unicode 3.2, as defined in [STRINGPREP] Appendix A.
+
+3. Mapping
+
+ This profile specifies mapping using the following tables from
+ [STRINGPREP]:
+
+ Table B.1
+ Table B.2
+
+4. Normalization
+
+ This profile specifies using Unicode normalization form KC, as
+ described in [STRINGPREP].
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 2]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+5. Prohibited Output
+
+ This profile specifies prohibiting using the following tables from
+ [STRINGPREP]:
+
+ Table C.1.2
+ Table C.2.2
+ Table C.3
+ Table C.4
+ Table C.5
+ Table C.6
+ Table C.7
+ Table C.8
+ Table C.9
+
+ IMPORTANT NOTE: This profile MUST be used with the IDNA protocol.
+ The IDNA protocol has additional prohibitions that are checked
+ outside of this profile.
+
+6. Bidirectional characters
+
+ This profile specifies checking bidirectional strings as described in
+ [STRINGPREP] section 6.
+
+7. Unassigned Code Points in Internationalized Domain Names
+
+ If the processing in [IDNA] specifies that a list of unassigned code
+ points be used, the system uses table A.1 from [STRINGPREP] as its
+ list of unassigned code points.
+
+8. References
+
+8.1 Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
+ Internationalized Strings ("stringprep")", RFC 3454,
+ December 2002.
+
+ [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
+ "Internationalizing Domain Names in Applications
+ (IDNA)", RFC 3490, March 2003.
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 3]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+8.2 Informative references
+
+ [STD13] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, and "Domain names -
+ implementation and specification", STD 13, RFC 1035,
+ November 1987.
+
+9. Security Considerations
+
+ The Unicode and ISO/IEC 10646 repertoires have many characters that
+ look similar. In many cases, users of security protocols might do
+ visual matching, such as when comparing the names of trusted third
+ parties. Because it is impossible to map similar-looking characters
+ without a great deal of context such as knowing the fonts used,
+ stringprep does nothing to map similar-looking characters together
+ nor to prohibit some characters because they look like others.
+
+ Security on the Internet partly relies on the DNS. Thus, any change
+ to the characteristics of the DNS can change the security of much of
+ the Internet.
+
+ Domain names are used by users to connect to Internet servers. The
+ security of the Internet would be compromised if a user entering a
+ single internationalized name could be connected to different servers
+ based on different interpretations of the internationalized domain
+ name.
+
+ Current applications might assume that the characters allowed in
+ domain names will always be the same as they are in [STD13]. This
+ document vastly increases the number of characters available in
+ domain names. Every program that uses "special" characters in
+ conjunction with domain names may be vulnerable to attack based on
+ the new characters allowed by this specification.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 4]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+10. IANA Considerations
+
+ This is a profile of stringprep. It has been registered by the IANA
+ in the stringprep profile registry
+ (www.iana.org/assignments/stringprep-profiles).
+
+ Name of this profile:
+ Nameprep
+
+ RFC in which the profile is defined:
+ This document.
+
+ Indicator whether or not this is the newest version of the
+ profile:
+ This is the first version of Nameprep.
+
+11. Acknowledgements
+
+ Many people from the IETF IDN Working Group and the Unicode Technical
+ Committee contributed ideas that went into this document.
+
+ The IDN Nameprep design team made many useful changes to the
+ document. That team and its advisors include:
+
+ Asmus Freytag
+ Cathy Wissink
+ Francois Yergeau
+ James Seng
+ Marc Blanchet
+ Mark Davis
+ Martin Duerst
+ Patrik Faltstrom
+ Paul Hoffman
+
+ Additional significant improvements were proposed by:
+
+ Jonathan Rosenne
+ Kent Karlsson
+ Scott Hollenbeck
+ Dave Crocker
+ Erik Nordmark
+ Matitiahu Allouche
+
+
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 5]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+12. Authors' Addresses
+
+ Paul Hoffman
+ Internet Mail Consortium and VPN Consortium
+ 127 Segre Place
+ Santa Cruz, CA 95060 USA
+
+ EMail: paul.hoffman@imc.org and paul.hoffman@vpnc.org
+
+
+ Marc Blanchet
+ Viagenie inc.
+ 2875 boul. Laurier, bur. 300
+ Ste-Foy, Quebec, Canada, G1V 2M2
+
+ EMail: Marc.Blanchet@viagenie.qc.ca
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 6]
+
+RFC 3491 IDN Nameprep March 2003
+
+
+13. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hoffman & Blanchet Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc3492.txt b/contrib/bind9/doc/rfc/rfc3492.txt
new file mode 100644
index 0000000..e72ad81
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3492.txt
@@ -0,0 +1,1963 @@
+
+
+
+
+
+
+Network Working Group A. Costello
+Request for Comments: 3492 Univ. of California, Berkeley
+Category: Standards Track March 2003
+
+
+ Punycode: A Bootstring encoding of Unicode
+ for Internationalized Domain Names in Applications (IDNA)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ Punycode is a simple and efficient transfer encoding syntax designed
+ for use with Internationalized Domain Names in Applications (IDNA).
+ It uniquely and reversibly transforms a Unicode string into an ASCII
+ string. ASCII characters in the Unicode string are represented
+ literally, and non-ASCII characters are represented by ASCII
+ characters that are allowed in host name labels (letters, digits, and
+ hyphens). This document defines a general algorithm called
+ Bootstring that allows a string of basic code points to uniquely
+ represent any string of code points drawn from a larger set.
+ Punycode is an instance of Bootstring that uses particular parameter
+ values specified by this document, appropriate for IDNA.
+
+Table of Contents
+
+ 1. Introduction...............................................2
+ 1.1 Features..............................................2
+ 1.2 Interaction of protocol parts.........................3
+ 2. Terminology................................................3
+ 3. Bootstring description.....................................4
+ 3.1 Basic code point segregation..........................4
+ 3.2 Insertion unsort coding...............................4
+ 3.3 Generalized variable-length integers..................5
+ 3.4 Bias adaptation.......................................7
+ 4. Bootstring parameters......................................8
+ 5. Parameter values for Punycode..............................8
+ 6. Bootstring algorithms......................................9
+
+
+
+Costello Standards Track [Page 1]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ 6.1 Bias adaptation function.............................10
+ 6.2 Decoding procedure...................................11
+ 6.3 Encoding procedure...................................12
+ 6.4 Overflow handling....................................13
+ 7. Punycode examples.........................................14
+ 7.1 Sample strings.......................................14
+ 7.2 Decoding traces......................................17
+ 7.3 Encoding traces......................................19
+ 8. Security Considerations...................................20
+ 9. References................................................21
+ 9.1 Normative References.................................21
+ 9.2 Informative References...............................21
+ A. Mixed-case annotation.....................................22
+ B. Disclaimer and license....................................22
+ C. Punycode sample implementation............................23
+ Author's Address.............................................34
+ Full Copyright Statement.....................................35
+
+1. Introduction
+
+ [IDNA] describes an architecture for supporting internationalized
+ domain names. Labels containing non-ASCII characters can be
+ represented by ACE labels, which begin with a special ACE prefix and
+ contain only ASCII characters. The remainder of the label after the
+ prefix is a Punycode encoding of a Unicode string satisfying certain
+ constraints. For the details of the prefix and constraints, see
+ [IDNA] and [NAMEPREP].
+
+ Punycode is an instance of a more general algorithm called
+ Bootstring, which allows strings composed from a small set of "basic"
+ code points to uniquely represent any string of code points drawn
+ from a larger set. Punycode is Bootstring with particular parameter
+ values appropriate for IDNA.
+
+1.1 Features
+
+ Bootstring has been designed to have the following features:
+
+ * Completeness: Every extended string (sequence of arbitrary code
+ points) can be represented by a basic string (sequence of basic
+ code points). Restrictions on what strings are allowed, and on
+ length, can be imposed by higher layers.
+
+ * Uniqueness: There is at most one basic string that represents a
+ given extended string.
+
+ * Reversibility: Any extended string mapped to a basic string can
+ be recovered from that basic string.
+
+
+
+Costello Standards Track [Page 2]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ * Efficient encoding: The ratio of basic string length to extended
+ string length is small. This is important in the context of
+ domain names because RFC 1034 [RFC1034] restricts the length of a
+ domain label to 63 characters.
+
+ * Simplicity: The encoding and decoding algorithms are reasonably
+ simple to implement. The goals of efficiency and simplicity are
+ at odds; Bootstring aims at a good balance between them.
+
+ * Readability: Basic code points appearing in the extended string
+ are represented as themselves in the basic string (although the
+ main purpose is to improve efficiency, not readability).
+
+ Punycode can also support an additional feature that is not used by
+ the ToASCII and ToUnicode operations of [IDNA]. When extended
+ strings are case-folded prior to encoding, the basic string can use
+ mixed case to tell how to convert the folded string into a mixed-case
+ string. See appendix A "Mixed-case annotation".
+
+1.2 Interaction of protocol parts
+
+ Punycode is used by the IDNA protocol [IDNA] for converting domain
+ labels into ASCII; it is not designed for any other purpose. It is
+ explicitly not designed for processing arbitrary free text.
+
+2. Terminology
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [RFC2119].
+
+ A code point is an integral value associated with a character in a
+ coded character set.
+
+ As in the Unicode Standard [UNICODE], Unicode code points are denoted
+ by "U+" followed by four to six hexadecimal digits, while a range of
+ code points is denoted by two hexadecimal numbers separated by "..",
+ with no prefixes.
+
+ The operators div and mod perform integer division; (x div y) is the
+ quotient of x divided by y, discarding the remainder, and (x mod y)
+ is the remainder, so (x div y) * y + (x mod y) == x. Bootstring uses
+ these operators only with nonnegative operands, so the quotient and
+ remainder are always nonnegative.
+
+ The break statement jumps out of the innermost loop (as in C).
+
+
+
+
+Costello Standards Track [Page 3]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ An overflow is an attempt to compute a value that exceeds the maximum
+ value of an integer variable.
+
+3. Bootstring description
+
+ Bootstring represents an arbitrary sequence of code points (the
+ "extended string") as a sequence of basic code points (the "basic
+ string"). This section describes the representation. Section 6
+ "Bootstring algorithms" presents the algorithms as pseudocode.
+ Sections 7.1 "Decoding traces" and 7.2 "Encoding traces" trace the
+ algorithms for sample inputs.
+
+ The following sections describe the four techniques used in
+ Bootstring. "Basic code point segregation" is a very simple and
+ efficient encoding for basic code points occurring in the extended
+ string: they are simply copied all at once. "Insertion unsort
+ coding" encodes the non-basic code points as deltas, and processes
+ the code points in numerical order rather than in order of
+ appearance, which typically results in smaller deltas. The deltas
+ are represented as "generalized variable-length integers", which use
+ basic code points to represent nonnegative integers. The parameters
+ of this integer representation are dynamically adjusted using "bias
+ adaptation", to improve efficiency when consecutive deltas have
+ similar magnitudes.
+
+3.1 Basic code point segregation
+
+ All basic code points appearing in the extended string are
+ represented literally at the beginning of the basic string, in their
+ original order, followed by a delimiter if (and only if) the number
+ of basic code points is nonzero. The delimiter is a particular basic
+ code point, which never appears in the remainder of the basic string.
+ The decoder can therefore find the end of the literal portion (if
+ there is one) by scanning for the last delimiter.
+
+3.2 Insertion unsort coding
+
+ The remainder of the basic string (after the last delimiter if there
+ is one) represents a sequence of nonnegative integral deltas as
+ generalized variable-length integers, described in section 3.3. The
+ meaning of the deltas is best understood in terms of the decoder.
+
+ The decoder builds the extended string incrementally. Initially, the
+ extended string is a copy of the literal portion of the basic string
+ (excluding the last delimiter). The decoder inserts non-basic code
+ points, one for each delta, into the extended string, ultimately
+ arriving at the final decoded string.
+
+
+
+
+Costello Standards Track [Page 4]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ At the heart of this process is a state machine with two state
+ variables: an index i and a counter n. The index i refers to a
+ position in the extended string; it ranges from 0 (the first
+ position) to the current length of the extended string (which refers
+ to a potential position beyond the current end). If the current
+ state is <n,i>, the next state is <n,i+1> if i is less than the
+ length of the extended string, or <n+1,0> if i equals the length of
+ the extended string. In other words, each state change causes i to
+ increment, wrapping around to zero if necessary, and n counts the
+ number of wrap-arounds.
+
+ Notice that the state always advances monotonically (there is no way
+ for the decoder to return to an earlier state). At each state, an
+ insertion is either performed or not performed. At most one
+ insertion is performed in a given state. An insertion inserts the
+ value of n at position i in the extended string. The deltas are a
+ run-length encoding of this sequence of events: they are the lengths
+ of the runs of non-insertion states preceeding the insertion states.
+ Hence, for each delta, the decoder performs delta state changes, then
+ an insertion, and then one more state change. (An implementation
+ need not perform each state change individually, but can instead use
+ division and remainder calculations to compute the next insertion
+ state directly.) It is an error if the inserted code point is a
+ basic code point (because basic code points were supposed to be
+ segregated as described in section 3.1).
+
+ The encoder's main task is to derive the sequence of deltas that will
+ cause the decoder to construct the desired string. It can do this by
+ repeatedly scanning the extended string for the next code point that
+ the decoder would need to insert, and counting the number of state
+ changes the decoder would need to perform, mindful of the fact that
+ the decoder's extended string will include only those code points
+ that have already been inserted. Section 6.3 "Encoding procedure"
+ gives a precise algorithm.
+
+3.3 Generalized variable-length integers
+
+ In a conventional integer representation the base is the number of
+ distinct symbols for digits, whose values are 0 through base-1. Let
+ digit_0 denote the least significant digit, digit_1 the next least
+ significant, and so on. The value represented is the sum over j of
+ digit_j * w(j), where w(j) = base^j is the weight (scale factor) for
+ position j. For example, in the base 8 integer 437, the digits are
+ 7, 3, and 4, and the weights are 1, 8, and 64, so the value is 7 +
+ 3*8 + 4*64 = 287. This representation has two disadvantages: First,
+ there are multiple encodings of each value (because there can be
+ extra zeros in the most significant positions), which is inconvenient
+
+
+
+
+Costello Standards Track [Page 5]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ when unique encodings are needed. Second, the integer is not self-
+ delimiting, so if multiple integers are concatenated the boundaries
+ between them are lost.
+
+ The generalized variable-length representation solves these two
+ problems. The digit values are still 0 through base-1, but now the
+ integer is self-delimiting by means of thresholds t(j), each of which
+ is in the range 0 through base-1. Exactly one digit, the most
+ significant, satisfies digit_j < t(j). Therefore, if several
+ integers are concatenated, it is easy to separate them, starting with
+ the first if they are little-endian (least significant digit first),
+ or starting with the last if they are big-endian (most significant
+ digit first). As before, the value is the sum over j of digit_j *
+ w(j), but the weights are different:
+
+ w(0) = 1
+ w(j) = w(j-1) * (base - t(j-1)) for j > 0
+
+ For example, consider the little-endian sequence of base 8 digits
+ 734251... Suppose the thresholds are 2, 3, 5, 5, 5, 5... This
+ implies that the weights are 1, 1*(8-2) = 6, 6*(8-3) = 30, 30*(8-5) =
+ 90, 90*(8-5) = 270, and so on. 7 is not less than 2, and 3 is not
+ less than 3, but 4 is less than 5, so 4 is the last digit. The value
+ of 734 is 7*1 + 3*6 + 4*30 = 145. The next integer is 251, with
+ value 2*1 + 5*6 + 1*30 = 62. Decoding this representation is very
+ similar to decoding a conventional integer: Start with a current
+ value of N = 0 and a weight w = 1. Fetch the next digit d and
+ increase N by d * w. If d is less than the current threshold (t)
+ then stop, otherwise increase w by a factor of (base - t), update t
+ for the next position, and repeat.
+
+ Encoding this representation is similar to encoding a conventional
+ integer: If N < t then output one digit for N and stop, otherwise
+ output the digit for t + ((N - t) mod (base - t)), then replace N
+ with (N - t) div (base - t), update t for the next position, and
+ repeat.
+
+ For any particular set of values of t(j), there is exactly one
+ generalized variable-length representation of each nonnegative
+ integral value.
+
+ Bootstring uses little-endian ordering so that the deltas can be
+ separated starting with the first. The t(j) values are defined in
+ terms of the constants base, tmin, and tmax, and a state variable
+ called bias:
+
+ t(j) = base * (j + 1) - bias,
+ clamped to the range tmin through tmax
+
+
+
+Costello Standards Track [Page 6]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ The clamping means that if the formula yields a value less than tmin
+ or greater than tmax, then t(j) = tmin or tmax, respectively. (In
+ the pseudocode in section 6 "Bootstring algorithms", the expression
+ base * (j + 1) is denoted by k for performance reasons.) These t(j)
+ values cause the representation to favor integers within a particular
+ range determined by the bias.
+
+3.4 Bias adaptation
+
+ After each delta is encoded or decoded, bias is set for the next
+ delta as follows:
+
+ 1. Delta is scaled in order to avoid overflow in the next step:
+
+ let delta = delta div 2
+
+ But when this is the very first delta, the divisor is not 2, but
+ instead a constant called damp. This compensates for the fact
+ that the second delta is usually much smaller than the first.
+
+ 2. Delta is increased to compensate for the fact that the next delta
+ will be inserting into a longer string:
+
+ let delta = delta + (delta div numpoints)
+
+ numpoints is the total number of code points encoded/decoded so
+ far (including the one corresponding to this delta itself, and
+ including the basic code points).
+
+ 3. Delta is repeatedly divided until it falls within a threshold, to
+ predict the minimum number of digits needed to represent the next
+ delta:
+
+ while delta > ((base - tmin) * tmax) div 2
+ do let delta = delta div (base - tmin)
+
+ 4. The bias is set:
+
+ let bias =
+ (base * the number of divisions performed in step 3) +
+ (((base - tmin + 1) * delta) div (delta + skew))
+
+ The motivation for this procedure is that the current delta
+ provides a hint about the likely size of the next delta, and so
+ t(j) is set to tmax for the more significant digits starting with
+ the one expected to be last, tmin for the less significant digits
+ up through the one expected to be third-last, and somewhere
+ between tmin and tmax for the digit expected to be second-last
+
+
+
+Costello Standards Track [Page 7]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ (balancing the hope of the expected-last digit being unnecessary
+ against the danger of it being insufficient).
+
+4. Bootstring parameters
+
+ Given a set of basic code points, one needs to be designated as the
+ delimiter. The base cannot be greater than the number of
+ distinguishable basic code points remaining. The digit-values in the
+ range 0 through base-1 need to be associated with distinct non-
+ delimiter basic code points. In some cases multiple code points need
+ to have the same digit-value; for example, uppercase and lowercase
+ versions of the same letter need to be equivalent if basic strings
+ are case-insensitive.
+
+ The initial value of n cannot be greater than the minimum non-basic
+ code point that could appear in extended strings.
+
+ The remaining five parameters (tmin, tmax, skew, damp, and the
+ initial value of bias) need to satisfy the following constraints:
+
+ 0 <= tmin <= tmax <= base-1
+ skew >= 1
+ damp >= 2
+ initial_bias mod base <= base - tmin
+
+ Provided the constraints are satisfied, these five parameters affect
+ efficiency but not correctness. They are best chosen empirically.
+
+ If support for mixed-case annotation is desired (see appendix A),
+ make sure that the code points corresponding to 0 through tmax-1 all
+ have both uppercase and lowercase forms.
+
+5. Parameter values for Punycode
+
+ Punycode uses the following Bootstring parameter values:
+
+ base = 36
+ tmin = 1
+ tmax = 26
+ skew = 38
+ damp = 700
+ initial_bias = 72
+ initial_n = 128 = 0x80
+
+ Although the only restriction Punycode imposes on the input integers
+ is that they be nonnegative, these parameters are especially designed
+ to work well with Unicode [UNICODE] code points, which are integers
+ in the range 0..10FFFF (but not D800..DFFF, which are reserved for
+
+
+
+Costello Standards Track [Page 8]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ use by the UTF-16 encoding of Unicode). The basic code points are
+ the ASCII [ASCII] code points (0..7F), of which U+002D (-) is the
+ delimiter, and some of the others have digit-values as follows:
+
+ code points digit-values
+ ------------ ----------------------
+ 41..5A (A-Z) = 0 to 25, respectively
+ 61..7A (a-z) = 0 to 25, respectively
+ 30..39 (0-9) = 26 to 35, respectively
+
+ Using hyphen-minus as the delimiter implies that the encoded string
+ can end with a hyphen-minus only if the Unicode string consists
+ entirely of basic code points, but IDNA forbids such strings from
+ being encoded. The encoded string can begin with a hyphen-minus, but
+ IDNA prepends a prefix. Therefore IDNA using Punycode conforms to
+ the RFC 952 rule that host name labels neither begin nor end with a
+ hyphen-minus [RFC952].
+
+ A decoder MUST recognize the letters in both uppercase and lowercase
+ forms (including mixtures of both forms). An encoder SHOULD output
+ only uppercase forms or only lowercase forms, unless it uses mixed-
+ case annotation (see appendix A).
+
+ Presumably most users will not manually write or type encoded strings
+ (as opposed to cutting and pasting them), but those who do will need
+ to be alert to the potential visual ambiguity between the following
+ sets of characters:
+
+ G 6
+ I l 1
+ O 0
+ S 5
+ U V
+ Z 2
+
+ Such ambiguities are usually resolved by context, but in a Punycode
+ encoded string there is no context apparent to humans.
+
+6. Bootstring algorithms
+
+ Some parts of the pseudocode can be omitted if the parameters satisfy
+ certain conditions (for which Punycode qualifies). These parts are
+ enclosed in {braces}, and notes immediately following the pseudocode
+ explain the conditions under which they can be omitted.
+
+
+
+
+
+
+
+Costello Standards Track [Page 9]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ Formally, code points are integers, and hence the pseudocode assumes
+ that arithmetic operations can be performed directly on code points.
+ In some programming languages, explicit conversion between code
+ points and integers might be necessary.
+
+6.1 Bias adaptation function
+
+ function adapt(delta,numpoints,firsttime):
+ if firsttime then let delta = delta div damp
+ else let delta = delta div 2
+ let delta = delta + (delta div numpoints)
+ let k = 0
+ while delta > ((base - tmin) * tmax) div 2 do begin
+ let delta = delta div (base - tmin)
+ let k = k + base
+ end
+ return k + (((base - tmin + 1) * delta) div (delta + skew))
+
+ It does not matter whether the modifications to delta and k inside
+ adapt() affect variables of the same name inside the
+ encoding/decoding procedures, because after calling adapt() the
+ caller does not read those variables before overwriting them.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 10]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+6.2 Decoding procedure
+
+ let n = initial_n
+ let i = 0
+ let bias = initial_bias
+ let output = an empty string indexed from 0
+ consume all code points before the last delimiter (if there is one)
+ and copy them to output, fail on any non-basic code point
+ if more than zero code points were consumed then consume one more
+ (which will be the last delimiter)
+ while the input is not exhausted do begin
+ let oldi = i
+ let w = 1
+ for k = base to infinity in steps of base do begin
+ consume a code point, or fail if there was none to consume
+ let digit = the code point's digit-value, fail if it has none
+ let i = i + digit * w, fail on overflow
+ let t = tmin if k <= bias {+ tmin}, or
+ tmax if k >= bias + tmax, or k - bias otherwise
+ if digit < t then break
+ let w = w * (base - t), fail on overflow
+ end
+ let bias = adapt(i - oldi, length(output) + 1, test oldi is 0?)
+ let n = n + i div (length(output) + 1), fail on overflow
+ let i = i mod (length(output) + 1)
+ {if n is a basic code point then fail}
+ insert n into output at position i
+ increment i
+ end
+
+ The full statement enclosed in braces (checking whether n is a basic
+ code point) can be omitted if initial_n exceeds all basic code points
+ (which is true for Punycode), because n is never less than initial_n.
+
+ In the assignment of t, where t is clamped to the range tmin through
+ tmax, "+ tmin" can always be omitted. This makes the clamping
+ calculation incorrect when bias < k < bias + tmin, but that cannot
+ happen because of the way bias is computed and because of the
+ constraints on the parameters.
+
+ Because the decoder state can only advance monotonically, and there
+ is only one representation of any delta, there is therefore only one
+ encoded string that can represent a given sequence of integers. The
+ only error conditions are invalid code points, unexpected end-of-
+ input, overflow, and basic code points encoded using deltas instead
+ of appearing literally. If the decoder fails on these errors as
+ shown above, then it cannot produce the same output for two distinct
+ inputs. Without this property it would have been necessary to re-
+
+
+
+Costello Standards Track [Page 11]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ encode the output and verify that it matches the input in order to
+ guarantee the uniqueness of the encoding.
+
+6.3 Encoding procedure
+
+ let n = initial_n
+ let delta = 0
+ let bias = initial_bias
+ let h = b = the number of basic code points in the input
+ copy them to the output in order, followed by a delimiter if b > 0
+ {if the input contains a non-basic code point < n then fail}
+ while h < length(input) do begin
+ let m = the minimum {non-basic} code point >= n in the input
+ let delta = delta + (m - n) * (h + 1), fail on overflow
+ let n = m
+ for each code point c in the input (in order) do begin
+ if c < n {or c is basic} then increment delta, fail on overflow
+ if c == n then begin
+ let q = delta
+ for k = base to infinity in steps of base do begin
+ let t = tmin if k <= bias {+ tmin}, or
+ tmax if k >= bias + tmax, or k - bias otherwise
+ if q < t then break
+ output the code point for digit t + ((q - t) mod (base - t))
+ let q = (q - t) div (base - t)
+ end
+ output the code point for digit q
+ let bias = adapt(delta, h + 1, test h equals b?)
+ let delta = 0
+ increment h
+ end
+ end
+ increment delta and n
+ end
+
+ The full statement enclosed in braces (checking whether the input
+ contains a non-basic code point less than n) can be omitted if all
+ code points less than initial_n are basic code points (which is true
+ for Punycode if code points are unsigned).
+
+ The brace-enclosed conditions "non-basic" and "or c is basic" can be
+ omitted if initial_n exceeds all basic code points (which is true for
+ Punycode), because the code point being tested is never less than
+ initial_n.
+
+ In the assignment of t, where t is clamped to the range tmin through
+ tmax, "+ tmin" can always be omitted. This makes the clamping
+ calculation incorrect when bias < k < bias + tmin, but that cannot
+
+
+
+Costello Standards Track [Page 12]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ happen because of the way bias is computed and because of the
+ constraints on the parameters.
+
+ The checks for overflow are necessary to avoid producing invalid
+ output when the input contains very large values or is very long.
+
+ The increment of delta at the bottom of the outer loop cannot
+ overflow because delta < length(input) before the increment, and
+ length(input) is already assumed to be representable. The increment
+ of n could overflow, but only if h == length(input), in which case
+ the procedure is finished anyway.
+
+6.4 Overflow handling
+
+ For IDNA, 26-bit unsigned integers are sufficient to handle all valid
+ IDNA labels without overflow, because any string that needed a 27-bit
+ delta would have to exceed either the code point limit (0..10FFFF) or
+ the label length limit (63 characters). However, overflow handling
+ is necessary because the inputs are not necessarily valid IDNA
+ labels.
+
+ If the programming language does not provide overflow detection, the
+ following technique can be used. Suppose A, B, and C are
+ representable nonnegative integers and C is nonzero. Then A + B
+ overflows if and only if B > maxint - A, and A + (B * C) overflows if
+ and only if B > (maxint - A) div C, where maxint is the greatest
+ integer for which maxint + 1 cannot be represented. Refer to
+ appendix C "Punycode sample implementation" for demonstrations of
+ this technique in the C language.
+
+ The decoding and encoding algorithms shown in sections 6.2 and 6.3
+ handle overflow by detecting it whenever it happens. Another
+ approach is to enforce limits on the inputs that prevent overflow
+ from happening. For example, if the encoder were to verify that no
+ input code points exceed M and that the input length does not exceed
+ L, then no delta could ever exceed (M - initial_n) * (L + 1), and
+ hence no overflow could occur if integer variables were capable of
+ representing values that large. This prevention approach would
+ impose more restrictions on the input than the detection approach
+ does, but might be considered simpler in some programming languages.
+
+ In theory, the decoder could use an analogous approach, limiting the
+ number of digits in a variable-length integer (that is, limiting the
+ number of iterations in the innermost loop). However, the number of
+ digits that suffice to represent a given delta can sometimes
+ represent much larger deltas (because of the adaptation), and hence
+ this approach would probably need integers wider than 32 bits.
+
+
+
+
+Costello Standards Track [Page 13]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ Yet another approach for the decoder is to allow overflow to occur,
+ but to check the final output string by re-encoding it and comparing
+ to the decoder input. If and only if they do not match (using a
+ case-insensitive ASCII comparison) overflow has occurred. This
+ delayed-detection approach would not impose any more restrictions on
+ the input than the immediate-detection approach does, and might be
+ considered simpler in some programming languages.
+
+ In fact, if the decoder is used only inside the IDNA ToUnicode
+ operation [IDNA], then it need not check for overflow at all, because
+ ToUnicode performs a higher level re-encoding and comparison, and a
+ mismatch has the same consequence as if the Punycode decoder had
+ failed.
+
+7. Punycode examples
+
+7.1 Sample strings
+
+ In the Punycode encodings below, the ACE prefix is not shown.
+ Backslashes show where line breaks have been inserted in strings too
+ long for one line.
+
+ The first several examples are all translations of the sentence "Why
+ can't they just speak in <language>?" (courtesy of Michael Kaplan's
+ "provincial" page [PROVINCIAL]). Word breaks and punctuation have
+ been removed, as is often done in domain names.
+
+ (A) Arabic (Egyptian):
+ u+0644 u+064A u+0647 u+0645 u+0627 u+0628 u+062A u+0643 u+0644
+ u+0645 u+0648 u+0634 u+0639 u+0631 u+0628 u+064A u+061F
+ Punycode: egbpdaj6bu4bxfgehfvwxn
+
+ (B) Chinese (simplified):
+ u+4ED6 u+4EEC u+4E3A u+4EC0 u+4E48 u+4E0D u+8BF4 u+4E2D u+6587
+ Punycode: ihqwcrb4cv8a8dqg056pqjye
+
+ (C) Chinese (traditional):
+ u+4ED6 u+5011 u+7232 u+4EC0 u+9EBD u+4E0D u+8AAA u+4E2D u+6587
+ Punycode: ihqwctvzc91f659drss3x8bo0yb
+
+ (D) Czech: Pro<ccaron>prost<ecaron>nemluv<iacute><ccaron>esky
+ U+0050 u+0072 u+006F u+010D u+0070 u+0072 u+006F u+0073 u+0074
+ u+011B u+006E u+0065 u+006D u+006C u+0075 u+0076 u+00ED u+010D
+ u+0065 u+0073 u+006B u+0079
+ Punycode: Proprostnemluvesky-uyb24dma41a
+
+
+
+
+
+
+Costello Standards Track [Page 14]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ (E) Hebrew:
+ u+05DC u+05DE u+05D4 u+05D4 u+05DD u+05E4 u+05E9 u+05D5 u+05D8
+ u+05DC u+05D0 u+05DE u+05D3 u+05D1 u+05E8 u+05D9 u+05DD u+05E2
+ u+05D1 u+05E8 u+05D9 u+05EA
+ Punycode: 4dbcagdahymbxekheh6e0a7fei0b
+
+ (F) Hindi (Devanagari):
+ u+092F u+0939 u+0932 u+094B u+0917 u+0939 u+093F u+0928 u+094D
+ u+0926 u+0940 u+0915 u+094D u+092F u+094B u+0902 u+0928 u+0939
+ u+0940 u+0902 u+092C u+094B u+0932 u+0938 u+0915 u+0924 u+0947
+ u+0939 u+0948 u+0902
+ Punycode: i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd
+
+ (G) Japanese (kanji and hiragana):
+ u+306A u+305C u+307F u+3093 u+306A u+65E5 u+672C u+8A9E u+3092
+ u+8A71 u+3057 u+3066 u+304F u+308C u+306A u+3044 u+306E u+304B
+ Punycode: n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa
+
+ (H) Korean (Hangul syllables):
+ u+C138 u+ACC4 u+C758 u+BAA8 u+B4E0 u+C0AC u+B78C u+B4E4 u+C774
+ u+D55C u+AD6D u+C5B4 u+B97C u+C774 u+D574 u+D55C u+B2E4 u+BA74
+ u+C5BC u+B9C8 u+B098 u+C88B u+C744 u+AE4C
+ Punycode: 989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5j\
+ psd879ccm6fea98c
+
+ (I) Russian (Cyrillic):
+ U+043F u+043E u+0447 u+0435 u+043C u+0443 u+0436 u+0435 u+043E
+ u+043D u+0438 u+043D u+0435 u+0433 u+043E u+0432 u+043E u+0440
+ u+044F u+0442 u+043F u+043E u+0440 u+0443 u+0441 u+0441 u+043A
+ u+0438
+ Punycode: b1abfaaepdrnnbgefbaDotcwatmq2g4l
+
+ (J) Spanish: Porqu<eacute>nopuedensimplementehablarenEspa<ntilde>ol
+ U+0050 u+006F u+0072 u+0071 u+0075 u+00E9 u+006E u+006F u+0070
+ u+0075 u+0065 u+0064 u+0065 u+006E u+0073 u+0069 u+006D u+0070
+ u+006C u+0065 u+006D u+0065 u+006E u+0074 u+0065 u+0068 u+0061
+ u+0062 u+006C u+0061 u+0072 u+0065 u+006E U+0045 u+0073 u+0070
+ u+0061 u+00F1 u+006F u+006C
+ Punycode: PorqunopuedensimplementehablarenEspaol-fmd56a
+
+ (K) Vietnamese:
+ T<adotbelow>isaoh<odotbelow>kh<ocirc>ngth<ecirchookabove>ch\
+ <ihookabove>n<oacute>iti<ecircacute>ngVi<ecircdotbelow>t
+ U+0054 u+1EA1 u+0069 u+0073 u+0061 u+006F u+0068 u+1ECD u+006B
+ u+0068 u+00F4 u+006E u+0067 u+0074 u+0068 u+1EC3 u+0063 u+0068
+ u+1EC9 u+006E u+00F3 u+0069 u+0074 u+0069 u+1EBF u+006E u+0067
+ U+0056 u+0069 u+1EC7 u+0074
+ Punycode: TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g
+
+
+
+Costello Standards Track [Page 15]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ The next several examples are all names of Japanese music artists,
+ song titles, and TV programs, just because the author happens to have
+ them handy (but Japanese is useful for providing examples of single-
+ row text, two-row text, ideographic text, and various mixtures
+ thereof).
+
+ (L) 3<nen>B<gumi><kinpachi><sensei>
+ u+0033 u+5E74 U+0042 u+7D44 u+91D1 u+516B u+5148 u+751F
+ Punycode: 3B-ww4c5e180e575a65lsy2b
+
+ (M) <amuro><namie>-with-SUPER-MONKEYS
+ u+5B89 u+5BA4 u+5948 u+7F8E u+6075 u+002D u+0077 u+0069 u+0074
+ u+0068 u+002D U+0053 U+0055 U+0050 U+0045 U+0052 u+002D U+004D
+ U+004F U+004E U+004B U+0045 U+0059 U+0053
+ Punycode: -with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n
+
+ (N) Hello-Another-Way-<sorezore><no><basho>
+ U+0048 u+0065 u+006C u+006C u+006F u+002D U+0041 u+006E u+006F
+ u+0074 u+0068 u+0065 u+0072 u+002D U+0057 u+0061 u+0079 u+002D
+ u+305D u+308C u+305E u+308C u+306E u+5834 u+6240
+ Punycode: Hello-Another-Way--fc4qua05auwb3674vfr0b
+
+ (O) <hitotsu><yane><no><shita>2
+ u+3072 u+3068 u+3064 u+5C4B u+6839 u+306E u+4E0B u+0032
+ Punycode: 2-u9tlzr9756bt3uc0v
+
+ (P) Maji<de>Koi<suru>5<byou><mae>
+ U+004D u+0061 u+006A u+0069 u+3067 U+004B u+006F u+0069 u+3059
+ u+308B u+0035 u+79D2 u+524D
+ Punycode: MajiKoi5-783gue6qz075azm5e
+
+ (Q) <pafii>de<runba>
+ u+30D1 u+30D5 u+30A3 u+30FC u+0064 u+0065 u+30EB u+30F3 u+30D0
+ Punycode: de-jg4avhby1noc0d
+
+ (R) <sono><supiido><de>
+ u+305D u+306E u+30B9 u+30D4 u+30FC u+30C9 u+3067
+ Punycode: d9juau41awczczp
+
+ The last example is an ASCII string that breaks the existing rules
+ for host name labels. (It is not a realistic example for IDNA,
+ because IDNA never encodes pure ASCII labels.)
+
+ (S) -> $1.00 <-
+ u+002D u+003E u+0020 u+0024 u+0031 u+002E u+0030 u+0030 u+0020
+ u+003C u+002D
+ Punycode: -> $1.00 <--
+
+
+
+
+Costello Standards Track [Page 16]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+7.2 Decoding traces
+
+ In the following traces, the evolving state of the decoder is shown
+ as a sequence of hexadecimal values, representing the code points in
+ the extended string. An asterisk appears just after the most
+ recently inserted code point, indicating both n (the value preceeding
+ the asterisk) and i (the position of the value just after the
+ asterisk). Other numerical values are decimal.
+
+ Decoding trace of example B from section 7.1:
+
+ n is 128, i is 0, bias is 72
+ input is "ihqwcrb4cv8a8dqg056pqjye"
+ there is no delimiter, so extended string starts empty
+ delta "ihq" decodes to 19853
+ bias becomes 21
+ 4E0D *
+ delta "wc" decodes to 64
+ bias becomes 20
+ 4E0D 4E2D *
+ delta "rb" decodes to 37
+ bias becomes 13
+ 4E3A * 4E0D 4E2D
+ delta "4c" decodes to 56
+ bias becomes 17
+ 4E3A 4E48 * 4E0D 4E2D
+ delta "v8a" decodes to 599
+ bias becomes 32
+ 4E3A 4EC0 * 4E48 4E0D 4E2D
+ delta "8d" decodes to 130
+ bias becomes 23
+ 4ED6 * 4E3A 4EC0 4E48 4E0D 4E2D
+ delta "qg" decodes to 154
+ bias becomes 25
+ 4ED6 4EEC * 4E3A 4EC0 4E48 4E0D 4E2D
+ delta "056p" decodes to 46301
+ bias becomes 84
+ 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 4E2D 6587 *
+ delta "qjye" decodes to 88531
+ bias becomes 90
+ 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 * 4E2D 6587
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 17]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ Decoding trace of example L from section 7.1:
+
+ n is 128, i is 0, bias is 72
+ input is "3B-ww4c5e180e575a65lsy2b"
+ literal portion is "3B-", so extended string starts as:
+ 0033 0042
+ delta "ww4c" decodes to 62042
+ bias becomes 27
+ 0033 0042 5148 *
+ delta "5e" decodes to 139
+ bias becomes 24
+ 0033 0042 516B * 5148
+ delta "180e" decodes to 16683
+ bias becomes 67
+ 0033 5E74 * 0042 516B 5148
+ delta "575a" decodes to 34821
+ bias becomes 82
+ 0033 5E74 0042 516B 5148 751F *
+ delta "65l" decodes to 14592
+ bias becomes 67
+ 0033 5E74 0042 7D44 * 516B 5148 751F
+ delta "sy2b" decodes to 42088
+ bias becomes 84
+ 0033 5E74 0042 7D44 91D1 * 516B 5148 751F
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 18]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+7.3 Encoding traces
+
+ In the following traces, code point values are hexadecimal, while
+ other numerical values are decimal.
+
+ Encoding trace of example B from section 7.1:
+
+ bias is 72
+ input is:
+ 4ED6 4EEC 4E3A 4EC0 4E48 4E0D 8BF4 4E2D 6587
+ there are no basic code points, so no literal portion
+ next code point to insert is 4E0D
+ needed delta is 19853, encodes as "ihq"
+ bias becomes 21
+ next code point to insert is 4E2D
+ needed delta is 64, encodes as "wc"
+ bias becomes 20
+ next code point to insert is 4E3A
+ needed delta is 37, encodes as "rb"
+ bias becomes 13
+ next code point to insert is 4E48
+ needed delta is 56, encodes as "4c"
+ bias becomes 17
+ next code point to insert is 4EC0
+ needed delta is 599, encodes as "v8a"
+ bias becomes 32
+ next code point to insert is 4ED6
+ needed delta is 130, encodes as "8d"
+ bias becomes 23
+ next code point to insert is 4EEC
+ needed delta is 154, encodes as "qg"
+ bias becomes 25
+ next code point to insert is 6587
+ needed delta is 46301, encodes as "056p"
+ bias becomes 84
+ next code point to insert is 8BF4
+ needed delta is 88531, encodes as "qjye"
+ bias becomes 90
+ output is "ihqwcrb4cv8a8dqg056pqjye"
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 19]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ Encoding trace of example L from section 7.1:
+
+ bias is 72
+ input is:
+ 0033 5E74 0042 7D44 91D1 516B 5148 751F
+ basic code points (0033, 0042) are copied to literal portion: "3B-"
+ next code point to insert is 5148
+ needed delta is 62042, encodes as "ww4c"
+ bias becomes 27
+ next code point to insert is 516B
+ needed delta is 139, encodes as "5e"
+ bias becomes 24
+ next code point to insert is 5E74
+ needed delta is 16683, encodes as "180e"
+ bias becomes 67
+ next code point to insert is 751F
+ needed delta is 34821, encodes as "575a"
+ bias becomes 82
+ next code point to insert is 7D44
+ needed delta is 14592, encodes as "65l"
+ bias becomes 67
+ next code point to insert is 91D1
+ needed delta is 42088, encodes as "sy2b"
+ bias becomes 84
+ output is "3B-ww4c5e180e575a65lsy2b"
+
+8. Security Considerations
+
+ Users expect each domain name in DNS to be controlled by a single
+ authority. If a Unicode string intended for use as a domain label
+ could map to multiple ACE labels, then an internationalized domain
+ name could map to multiple ASCII domain names, each controlled by a
+ different authority, some of which could be spoofs that hijack
+ service requests intended for another. Therefore Punycode is
+ designed so that each Unicode string has a unique encoding.
+
+ However, there can still be multiple Unicode representations of the
+ "same" text, for various definitions of "same". This problem is
+ addressed to some extent by the Unicode standard under the topic of
+ canonicalization, and this work is leveraged for domain names by
+ Nameprep [NAMEPREP].
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 20]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+9. References
+
+9.1 Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+9.2 Informative References
+
+ [RFC952] Harrenstien, K., Stahl, M. and E. Feinler, "DOD Internet
+ Host Table Specification", RFC 952, October 1985.
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [IDNA] Faltstrom, P., Hoffman, P. and A. Costello,
+ "Internationalizing Domain Names in Applications
+ (IDNA)", RFC 3490, March 2003.
+
+ [NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
+ Profile for Internationalized Domain Names (IDN)", RFC
+ 3491, March 2003.
+
+ [ASCII] Cerf, V., "ASCII format for Network Interchange", RFC
+ 20, October 1969.
+
+ [PROVINCIAL] Kaplan, M., "The 'anyone can be provincial!' page",
+ http://www.trigeminal.com/samples/provincial.html.
+
+ [UNICODE] The Unicode Consortium, "The Unicode Standard",
+ http://www.unicode.org/unicode/standard/standard.html.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 21]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+A. Mixed-case annotation
+
+ In order to use Punycode to represent case-insensitive strings,
+ higher layers need to case-fold the strings prior to Punycode
+ encoding. The encoded string can use mixed case as an annotation
+ telling how to convert the folded string into a mixed-case string for
+ display purposes. Note, however, that mixed-case annotation is not
+ used by the ToASCII and ToUnicode operations specified in [IDNA], and
+ therefore implementors of IDNA can disregard this appendix.
+
+ Basic code points can use mixed case directly, because the decoder
+ copies them verbatim, leaving lowercase code points lowercase, and
+ leaving uppercase code points uppercase. Each non-basic code point
+ is represented by a delta, which is represented by a sequence of
+ basic code points, the last of which provides the annotation. If it
+ is uppercase, it is a suggestion to map the non-basic code point to
+ uppercase (if possible); if it is lowercase, it is a suggestion to
+ map the non-basic code point to lowercase (if possible).
+
+ These annotations do not alter the code points returned by decoders;
+ the annotations are returned separately, for the caller to use or
+ ignore. Encoders can accept annotations in addition to code points,
+ but the annotations do not alter the output, except to influence the
+ uppercase/lowercase form of ASCII letters.
+
+ Punycode encoders and decoders need not support these annotations,
+ and higher layers need not use them.
+
+B. Disclaimer and license
+
+ Regarding this entire document or any portion of it (including the
+ pseudocode and C code), the author makes no guarantees and is not
+ responsible for any damage resulting from its use. The author grants
+ irrevocable permission to anyone to use, modify, and distribute it in
+ any way that does not diminish the rights of anyone else to use,
+ modify, and distribute it, provided that redistributed derivative
+ works do not contain misleading author or version information.
+ Derivative works need not be licensed under similar terms.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 22]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+C. Punycode sample implementation
+
+/*
+punycode.c from RFC 3492
+http://www.nicemice.net/idn/
+Adam M. Costello
+http://www.nicemice.net/amc/
+
+This is ANSI C code (C89) implementing Punycode (RFC 3492).
+
+*/
+
+
+/************************************************************/
+/* Public interface (would normally go in its own .h file): */
+
+#include <limits.h>
+
+enum punycode_status {
+ punycode_success,
+ punycode_bad_input, /* Input is invalid. */
+ punycode_big_output, /* Output would exceed the space provided. */
+ punycode_overflow /* Input needs wider integers to process. */
+};
+
+#if UINT_MAX >= (1 << 26) - 1
+typedef unsigned int punycode_uint;
+#else
+typedef unsigned long punycode_uint;
+#endif
+
+enum punycode_status punycode_encode(
+ punycode_uint input_length,
+ const punycode_uint input[],
+ const unsigned char case_flags[],
+ punycode_uint *output_length,
+ char output[] );
+
+ /* punycode_encode() converts Unicode to Punycode. The input */
+ /* is represented as an array of Unicode code points (not code */
+ /* units; surrogate pairs are not allowed), and the output */
+ /* will be represented as an array of ASCII code points. The */
+ /* output string is *not* null-terminated; it will contain */
+ /* zeros if and only if the input contains zeros. (Of course */
+ /* the caller can leave room for a terminator and add one if */
+ /* needed.) The input_length is the number of code points in */
+ /* the input. The output_length is an in/out argument: the */
+ /* caller passes in the maximum number of code points that it */
+
+
+
+Costello Standards Track [Page 23]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ /* can receive, and on successful return it will contain the */
+ /* number of code points actually output. The case_flags array */
+ /* holds input_length boolean values, where nonzero suggests that */
+ /* the corresponding Unicode character be forced to uppercase */
+ /* after being decoded (if possible), and zero suggests that */
+ /* it be forced to lowercase (if possible). ASCII code points */
+ /* are encoded literally, except that ASCII letters are forced */
+ /* to uppercase or lowercase according to the corresponding */
+ /* uppercase flags. If case_flags is a null pointer then ASCII */
+ /* letters are left as they are, and other code points are */
+ /* treated as if their uppercase flags were zero. The return */
+ /* value can be any of the punycode_status values defined above */
+ /* except punycode_bad_input; if not punycode_success, then */
+ /* output_size and output might contain garbage. */
+
+enum punycode_status punycode_decode(
+ punycode_uint input_length,
+ const char input[],
+ punycode_uint *output_length,
+ punycode_uint output[],
+ unsigned char case_flags[] );
+
+ /* punycode_decode() converts Punycode to Unicode. The input is */
+ /* represented as an array of ASCII code points, and the output */
+ /* will be represented as an array of Unicode code points. The */
+ /* input_length is the number of code points in the input. The */
+ /* output_length is an in/out argument: the caller passes in */
+ /* the maximum number of code points that it can receive, and */
+ /* on successful return it will contain the actual number of */
+ /* code points output. The case_flags array needs room for at */
+ /* least output_length values, or it can be a null pointer if the */
+ /* case information is not needed. A nonzero flag suggests that */
+ /* the corresponding Unicode character be forced to uppercase */
+ /* by the caller (if possible), while zero suggests that it be */
+ /* forced to lowercase (if possible). ASCII code points are */
+ /* output already in the proper case, but their flags will be set */
+ /* appropriately so that applying the flags would be harmless. */
+ /* The return value can be any of the punycode_status values */
+ /* defined above; if not punycode_success, then output_length, */
+ /* output, and case_flags might contain garbage. On success, the */
+ /* decoder will never need to write an output_length greater than */
+ /* input_length, because of how the encoding is defined. */
+
+/**********************************************************/
+/* Implementation (would normally go in its own .c file): */
+
+#include <string.h>
+
+
+
+
+Costello Standards Track [Page 24]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+/*** Bootstring parameters for Punycode ***/
+
+enum { base = 36, tmin = 1, tmax = 26, skew = 38, damp = 700,
+ initial_bias = 72, initial_n = 0x80, delimiter = 0x2D };
+
+/* basic(cp) tests whether cp is a basic code point: */
+#define basic(cp) ((punycode_uint)(cp) < 0x80)
+
+/* delim(cp) tests whether cp is a delimiter: */
+#define delim(cp) ((cp) == delimiter)
+
+/* decode_digit(cp) returns the numeric value of a basic code */
+/* point (for use in representing integers) in the range 0 to */
+/* base-1, or base if cp is does not represent a value. */
+
+static punycode_uint decode_digit(punycode_uint cp)
+{
+ return cp - 48 < 10 ? cp - 22 : cp - 65 < 26 ? cp - 65 :
+ cp - 97 < 26 ? cp - 97 : base;
+}
+
+/* encode_digit(d,flag) returns the basic code point whose value */
+/* (when used for representing integers) is d, which needs to be in */
+/* the range 0 to base-1. The lowercase form is used unless flag is */
+/* nonzero, in which case the uppercase form is used. The behavior */
+/* is undefined if flag is nonzero and digit d has no uppercase form. */
+
+static char encode_digit(punycode_uint d, int flag)
+{
+ return d + 22 + 75 * (d < 26) - ((flag != 0) << 5);
+ /* 0..25 map to ASCII a..z or A..Z */
+ /* 26..35 map to ASCII 0..9 */
+}
+
+/* flagged(bcp) tests whether a basic code point is flagged */
+/* (uppercase). The behavior is undefined if bcp is not a */
+/* basic code point. */
+
+#define flagged(bcp) ((punycode_uint)(bcp) - 65 < 26)
+
+/* encode_basic(bcp,flag) forces a basic code point to lowercase */
+/* if flag is zero, uppercase if flag is nonzero, and returns */
+/* the resulting code point. The code point is unchanged if it */
+/* is caseless. The behavior is undefined if bcp is not a basic */
+/* code point. */
+
+static char encode_basic(punycode_uint bcp, int flag)
+{
+
+
+
+Costello Standards Track [Page 25]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ bcp -= (bcp - 97 < 26) << 5;
+ return bcp + ((!flag && (bcp - 65 < 26)) << 5);
+}
+
+/*** Platform-specific constants ***/
+
+/* maxint is the maximum value of a punycode_uint variable: */
+static const punycode_uint maxint = -1;
+/* Because maxint is unsigned, -1 becomes the maximum value. */
+
+/*** Bias adaptation function ***/
+
+static punycode_uint adapt(
+ punycode_uint delta, punycode_uint numpoints, int firsttime )
+{
+ punycode_uint k;
+
+ delta = firsttime ? delta / damp : delta >> 1;
+ /* delta >> 1 is a faster way of doing delta / 2 */
+ delta += delta / numpoints;
+
+ for (k = 0; delta > ((base - tmin) * tmax) / 2; k += base) {
+ delta /= base - tmin;
+ }
+
+ return k + (base - tmin + 1) * delta / (delta + skew);
+}
+
+/*** Main encode function ***/
+
+enum punycode_status punycode_encode(
+ punycode_uint input_length,
+ const punycode_uint input[],
+ const unsigned char case_flags[],
+ punycode_uint *output_length,
+ char output[] )
+{
+ punycode_uint n, delta, h, b, out, max_out, bias, j, m, q, k, t;
+
+ /* Initialize the state: */
+
+ n = initial_n;
+ delta = out = 0;
+ max_out = *output_length;
+ bias = initial_bias;
+
+ /* Handle the basic code points: */
+
+
+
+
+Costello Standards Track [Page 26]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ for (j = 0; j < input_length; ++j) {
+ if (basic(input[j])) {
+ if (max_out - out < 2) return punycode_big_output;
+ output[out++] =
+ case_flags ? encode_basic(input[j], case_flags[j]) : input[j];
+ }
+ /* else if (input[j] < n) return punycode_bad_input; */
+ /* (not needed for Punycode with unsigned code points) */
+ }
+
+ h = b = out;
+
+ /* h is the number of code points that have been handled, b is the */
+ /* number of basic code points, and out is the number of characters */
+ /* that have been output. */
+
+ if (b > 0) output[out++] = delimiter;
+
+ /* Main encoding loop: */
+
+ while (h < input_length) {
+ /* All non-basic code points < n have been */
+ /* handled already. Find the next larger one: */
+
+ for (m = maxint, j = 0; j < input_length; ++j) {
+ /* if (basic(input[j])) continue; */
+ /* (not needed for Punycode) */
+ if (input[j] >= n && input[j] < m) m = input[j];
+ }
+
+ /* Increase delta enough to advance the decoder's */
+ /* <n,i> state to <m,0>, but guard against overflow: */
+
+ if (m - n > (maxint - delta) / (h + 1)) return punycode_overflow;
+ delta += (m - n) * (h + 1);
+ n = m;
+
+ for (j = 0; j < input_length; ++j) {
+ /* Punycode does not need to check whether input[j] is basic: */
+ if (input[j] < n /* || basic(input[j]) */ ) {
+ if (++delta == 0) return punycode_overflow;
+ }
+
+ if (input[j] == n) {
+ /* Represent delta as a generalized variable-length integer: */
+
+ for (q = delta, k = base; ; k += base) {
+ if (out >= max_out) return punycode_big_output;
+
+
+
+Costello Standards Track [Page 27]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
+ k >= bias + tmax ? tmax : k - bias;
+ if (q < t) break;
+ output[out++] = encode_digit(t + (q - t) % (base - t), 0);
+ q = (q - t) / (base - t);
+ }
+
+ output[out++] = encode_digit(q, case_flags && case_flags[j]);
+ bias = adapt(delta, h + 1, h == b);
+ delta = 0;
+ ++h;
+ }
+ }
+
+ ++delta, ++n;
+ }
+
+ *output_length = out;
+ return punycode_success;
+}
+
+/*** Main decode function ***/
+
+enum punycode_status punycode_decode(
+ punycode_uint input_length,
+ const char input[],
+ punycode_uint *output_length,
+ punycode_uint output[],
+ unsigned char case_flags[] )
+{
+ punycode_uint n, out, i, max_out, bias,
+ b, j, in, oldi, w, k, digit, t;
+
+ /* Initialize the state: */
+
+ n = initial_n;
+ out = i = 0;
+ max_out = *output_length;
+ bias = initial_bias;
+
+ /* Handle the basic code points: Let b be the number of input code */
+ /* points before the last delimiter, or 0 if there is none, then */
+ /* copy the first b code points to the output. */
+
+ for (b = j = 0; j < input_length; ++j) if (delim(input[j])) b = j;
+ if (b > max_out) return punycode_big_output;
+
+ for (j = 0; j < b; ++j) {
+
+
+
+Costello Standards Track [Page 28]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ if (case_flags) case_flags[out] = flagged(input[j]);
+ if (!basic(input[j])) return punycode_bad_input;
+ output[out++] = input[j];
+ }
+
+ /* Main decoding loop: Start just after the last delimiter if any */
+ /* basic code points were copied; start at the beginning otherwise. */
+
+ for (in = b > 0 ? b + 1 : 0; in < input_length; ++out) {
+
+ /* in is the index of the next character to be consumed, and */
+ /* out is the number of code points in the output array. */
+
+ /* Decode a generalized variable-length integer into delta, */
+ /* which gets added to i. The overflow checking is easier */
+ /* if we increase i as we go, then subtract off its starting */
+ /* value at the end to obtain delta. */
+
+ for (oldi = i, w = 1, k = base; ; k += base) {
+ if (in >= input_length) return punycode_bad_input;
+ digit = decode_digit(input[in++]);
+ if (digit >= base) return punycode_bad_input;
+ if (digit > (maxint - i) / w) return punycode_overflow;
+ i += digit * w;
+ t = k <= bias /* + tmin */ ? tmin : /* +tmin not needed */
+ k >= bias + tmax ? tmax : k - bias;
+ if (digit < t) break;
+ if (w > maxint / (base - t)) return punycode_overflow;
+ w *= (base - t);
+ }
+
+ bias = adapt(i - oldi, out + 1, oldi == 0);
+
+ /* i was supposed to wrap around from out+1 to 0, */
+ /* incrementing n each time, so we'll fix that now: */
+
+ if (i / (out + 1) > maxint - n) return punycode_overflow;
+ n += i / (out + 1);
+ i %= (out + 1);
+
+ /* Insert n at position i of the output: */
+
+ /* not needed for Punycode: */
+ /* if (decode_digit(n) <= base) return punycode_invalid_input; */
+ if (out >= max_out) return punycode_big_output;
+
+ if (case_flags) {
+ memmove(case_flags + i + 1, case_flags + i, out - i);
+
+
+
+Costello Standards Track [Page 29]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ /* Case of last character determines uppercase flag: */
+ case_flags[i] = flagged(input[in - 1]);
+ }
+
+ memmove(output + i + 1, output + i, (out - i) * sizeof *output);
+ output[i++] = n;
+ }
+
+ *output_length = out;
+ return punycode_success;
+}
+
+/******************************************************************/
+/* Wrapper for testing (would normally go in a separate .c file): */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* For testing, we'll just set some compile-time limits rather than */
+/* use malloc(), and set a compile-time option rather than using a */
+/* command-line option. */
+
+enum {
+ unicode_max_length = 256,
+ ace_max_length = 256
+};
+
+static void usage(char **argv)
+{
+ fprintf(stderr,
+ "\n"
+ "%s -e reads code points and writes a Punycode string.\n"
+ "%s -d reads a Punycode string and writes code points.\n"
+ "\n"
+ "Input and output are plain text in the native character set.\n"
+ "Code points are in the form u+hex separated by whitespace.\n"
+ "Although the specification allows Punycode strings to contain\n"
+ "any characters from the ASCII repertoire, this test code\n"
+ "supports only the printable characters, and needs the Punycode\n"
+ "string to be followed by a newline.\n"
+ "The case of the u in u+hex is the force-to-uppercase flag.\n"
+ , argv[0], argv[0]);
+ exit(EXIT_FAILURE);
+}
+
+static void fail(const char *msg)
+
+
+
+Costello Standards Track [Page 30]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+{
+ fputs(msg,stderr);
+ exit(EXIT_FAILURE);
+}
+
+static const char too_big[] =
+ "input or output is too large, recompile with larger limits\n";
+static const char invalid_input[] = "invalid input\n";
+static const char overflow[] = "arithmetic overflow\n";
+static const char io_error[] = "I/O error\n";
+
+/* The following string is used to convert printable */
+/* characters between ASCII and the native charset: */
+
+static const char print_ascii[] =
+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
+ "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"
+ " !\"#$%&'()*+,-./"
+ "0123456789:;<=>?"
+ "@ABCDEFGHIJKLMNO"
+ "PQRSTUVWXYZ[\\]^_"
+ "`abcdefghijklmno"
+ "pqrstuvwxyz{|}~\n";
+
+int main(int argc, char **argv)
+{
+ enum punycode_status status;
+ int r;
+ unsigned int input_length, output_length, j;
+ unsigned char case_flags[unicode_max_length];
+
+ if (argc != 2) usage(argv);
+ if (argv[1][0] != '-') usage(argv);
+ if (argv[1][2] != 0) usage(argv);
+
+ if (argv[1][1] == 'e') {
+ punycode_uint input[unicode_max_length];
+ unsigned long codept;
+ char output[ace_max_length+1], uplus[3];
+ int c;
+
+ /* Read the input code points: */
+
+ input_length = 0;
+
+ for (;;) {
+ r = scanf("%2s%lx", uplus, &codept);
+ if (ferror(stdin)) fail(io_error);
+
+
+
+Costello Standards Track [Page 31]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ if (r == EOF || r == 0) break;
+
+ if (r != 2 || uplus[1] != '+' || codept > (punycode_uint)-1) {
+ fail(invalid_input);
+ }
+
+ if (input_length == unicode_max_length) fail(too_big);
+
+ if (uplus[0] == 'u') case_flags[input_length] = 0;
+ else if (uplus[0] == 'U') case_flags[input_length] = 1;
+ else fail(invalid_input);
+
+ input[input_length++] = codept;
+ }
+
+ /* Encode: */
+
+ output_length = ace_max_length;
+ status = punycode_encode(input_length, input, case_flags,
+ &output_length, output);
+ if (status == punycode_bad_input) fail(invalid_input);
+ if (status == punycode_big_output) fail(too_big);
+ if (status == punycode_overflow) fail(overflow);
+ assert(status == punycode_success);
+
+ /* Convert to native charset and output: */
+
+ for (j = 0; j < output_length; ++j) {
+ c = output[j];
+ assert(c >= 0 && c <= 127);
+ if (print_ascii[c] == 0) fail(invalid_input);
+ output[j] = print_ascii[c];
+ }
+
+ output[j] = 0;
+ r = puts(output);
+ if (r == EOF) fail(io_error);
+ return EXIT_SUCCESS;
+ }
+
+ if (argv[1][1] == 'd') {
+ char input[ace_max_length+2], *p, *pp;
+ punycode_uint output[unicode_max_length];
+
+ /* Read the Punycode input string and convert to ASCII: */
+
+ fgets(input, ace_max_length+2, stdin);
+ if (ferror(stdin)) fail(io_error);
+
+
+
+Costello Standards Track [Page 32]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+ if (feof(stdin)) fail(invalid_input);
+ input_length = strlen(input) - 1;
+ if (input[input_length] != '\n') fail(too_big);
+ input[input_length] = 0;
+
+ for (p = input; *p != 0; ++p) {
+ pp = strchr(print_ascii, *p);
+ if (pp == 0) fail(invalid_input);
+ *p = pp - print_ascii;
+ }
+
+ /* Decode: */
+
+ output_length = unicode_max_length;
+ status = punycode_decode(input_length, input, &output_length,
+ output, case_flags);
+ if (status == punycode_bad_input) fail(invalid_input);
+ if (status == punycode_big_output) fail(too_big);
+ if (status == punycode_overflow) fail(overflow);
+ assert(status == punycode_success);
+
+ /* Output the result: */
+
+ for (j = 0; j < output_length; ++j) {
+ r = printf("%s+%04lX\n",
+ case_flags[j] ? "U" : "u",
+ (unsigned long) output[j] );
+ if (r < 0) fail(io_error);
+ }
+
+ return EXIT_SUCCESS;
+ }
+
+ usage(argv);
+ return EXIT_SUCCESS; /* not reached, but quiets compiler warning */
+}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 33]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+Author's Address
+
+ Adam M. Costello
+ University of California, Berkeley
+ http://www.nicemice.net/amc/
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 34]
+
+RFC 3492 IDNA Punycode March 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Costello Standards Track [Page 35]
+
diff --git a/contrib/bind9/doc/rfc/rfc3493.txt b/contrib/bind9/doc/rfc/rfc3493.txt
new file mode 100644
index 0000000..5fea6c1
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3493.txt
@@ -0,0 +1,2187 @@
+
+
+
+
+
+
+Network Working Group R. Gilligan
+Request for Comments: 3493 Intransa, Inc.
+Obsoletes: 2553 S. Thomson
+Category: Informational Cisco
+ J. Bound
+ J. McCann
+ Hewlett-Packard
+ W. Stevens
+ February 2003
+
+
+ Basic Socket Interface Extensions for IPv6
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ The de facto standard Application Program Interface (API) for TCP/IP
+ applications is the "sockets" interface. Although this API was
+ developed for Unix in the early 1980s it has also been implemented on
+ a wide variety of non-Unix systems. TCP/IP applications written
+ using the sockets API have in the past enjoyed a high degree of
+ portability and we would like the same portability with IPv6
+ applications. But changes are required to the sockets API to support
+ IPv6 and this memo describes these changes. These include a new
+ socket address structure to carry IPv6 addresses, new address
+ conversion functions, and some new socket options. These extensions
+ are designed to provide access to the basic IPv6 features required by
+ TCP and UDP applications, including multicasting, while introducing a
+ minimum of change into the system and providing complete
+ compatibility for existing IPv4 applications. Additional extensions
+ for advanced IPv6 features (raw sockets and access to the IPv6
+ extension headers) are defined in another document.
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 1]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+Table of Contents
+
+ 1. Introduction................................................3
+ 2. Design Considerations.......................................4
+ 2.1 What Needs to be Changed...............................4
+ 2.2 Data Types.............................................6
+ 2.3 Headers................................................6
+ 2.4 Structures.............................................6
+ 3. Socket Interface............................................6
+ 3.1 IPv6 Address Family and Protocol Family................6
+ 3.2 IPv6 Address Structure.................................7
+ 3.3 Socket Address Structure for 4.3BSD-Based Systems......7
+ 3.4 Socket Address Structure for 4.4BSD-Based Systems......9
+ 3.5 The Socket Functions...................................9
+ 3.6 Compatibility with IPv4 Applications..................10
+ 3.7 Compatibility with IPv4 Nodes.........................11
+ 3.8 IPv6 Wildcard Address.................................11
+ 3.9 IPv6 Loopback Address.................................13
+ 3.10 Portability Additions.................................14
+ 4. Interface Identification...................................16
+ 4.1 Name-to-Index.........................................17
+ 4.2 Index-to-Name.........................................17
+ 4.3 Return All Interface Names and Indexes................18
+ 4.4 Free Memory...........................................18
+ 5. Socket Options.............................................18
+ 5.1 Unicast Hop Limit.....................................19
+ 5.2 Sending and Receiving Multicast Packets...............19
+ 5.3 IPV6_V6ONLY option for AF_INET6 Sockets...............22
+ 6. Library Functions..........................................22
+ 6.1 Protocol-Independent Nodename and
+ Service Name Translation..............................23
+ 6.2 Socket Address Structure to Node Name
+ and Service Name......................................28
+ 6.3 Address Conversion Functions..........................31
+ 6.4 Address Testing Macros................................33
+ 7. Summary of New Definitions.................................33
+ 8. Security Considerations....................................35
+ 9. Changes from RFC 2553......................................35
+ 10. Acknowledgments............................................36
+ 11. References.................................................37
+ 12. Authors' Addresses.........................................38
+ 13. Full Copyright Statement...................................39
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 2]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+1. Introduction
+
+ While IPv4 addresses are 32 bits long, IPv6 addresses are 128 bits
+ long. The socket interface makes the size of an IP address quite
+ visible to an application; virtually all TCP/IP applications for
+ BSD-based systems have knowledge of the size of an IP address. Those
+ parts of the API that expose the addresses must be changed to
+ accommodate the larger IPv6 address size. IPv6 also introduces new
+ features, some of which must be made visible to applications via the
+ API. This memo defines a set of extensions to the socket interface
+ to support the larger address size and new features of IPv6. It
+ defines "basic" extensions that are of use to a broad range of
+ applications. A companion document, the "advanced" API [4], covers
+ extensions that are of use to more specialized applications, examples
+ of which include routing daemons, and the "ping" and "traceroute"
+ utilities.
+
+ The development of this API was started in 1994 in the IETF IPng
+ working group. The API has evolved over the years, published first
+ in RFC 2133, then again in RFC 2553, and reaching its final form in
+ this document.
+
+ As the API matured and stabilized, it was incorporated into the Open
+ Group's Networking Services (XNS) specification, issue 5.2, which was
+ subsequently incorporated into a joint Open Group/IEEE/ISO standard
+ [3].
+
+ Effort has been made to ensure that this document and [3] contain the
+ same information with regard to the API definitions. However, the
+ reader should note that this document is for informational purposes
+ only, and that the official standard specification of the sockets API
+ is [3].
+
+ It is expected that any future standardization work on this API would
+ be done by the Open Group Base Working Group [6].
+
+ It should also be noted that this document describes only those
+ portions of the API needed for IPv4 and IPv6 communications. Other
+ potential uses of the API, for example the use of getaddrinfo() and
+ getnameinfo() with the AF_UNIX address family, are beyond the scope
+ of this document.
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 3]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+2. Design Considerations
+
+ There are a number of important considerations in designing changes
+ to this well-worn API:
+
+ - The API changes should provide both source and binary
+ compatibility for programs written to the original API. That is,
+ existing program binaries should continue to operate when run on a
+ system supporting the new API. In addition, existing applications
+ that are re-compiled and run on a system supporting the new API
+ should continue to operate. Simply put, the API changes for IPv6
+ should not break existing programs. An additional mechanism for
+ implementations to verify this is to verify the new symbols are
+ protected by Feature Test Macros as described in [3]. (Such
+ Feature Test Macros are not defined by this RFC.)
+
+ - The changes to the API should be as small as possible in order to
+ simplify the task of converting existing IPv4 applications to
+ IPv6.
+
+ - Where possible, applications should be able to use this API to
+ interoperate with both IPv6 and IPv4 hosts. Applications should
+ not need to know which type of host they are communicating with.
+
+ - IPv6 addresses carried in data structures should be 64-bit
+ aligned. This is necessary in order to obtain optimum performance
+ on 64-bit machine architectures.
+
+ Because of the importance of providing IPv4 compatibility in the API,
+ these extensions are explicitly designed to operate on machines that
+ provide complete support for both IPv4 and IPv6. A subset of this
+ API could probably be designed for operation on systems that support
+ only IPv6. However, this is not addressed in this memo.
+
+2.1 What Needs to be Changed
+
+ The socket interface API consists of a few distinct components:
+
+ - Core socket functions.
+
+ - Address data structures.
+
+ - Name-to-address translation functions.
+
+ - Address conversion functions.
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 4]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ The core socket functions -- those functions that deal with such
+ things as setting up and tearing down TCP connections, and sending
+ and receiving UDP packets -- were designed to be transport
+ independent. Where protocol addresses are passed as function
+ arguments, they are carried via opaque pointers. A protocol-specific
+ address data structure is defined for each protocol that the socket
+ functions support. Applications must cast pointers to these
+ protocol-specific address structures into pointers to the generic
+ "sockaddr" address structure when using the socket functions. These
+ functions need not change for IPv6, but a new IPv6-specific address
+ data structure is needed.
+
+ The "sockaddr_in" structure is the protocol-specific data structure
+ for IPv4. This data structure actually includes 8-octets of unused
+ space, and it is tempting to try to use this space to adapt the
+ sockaddr_in structure to IPv6. Unfortunately, the sockaddr_in
+ structure is not large enough to hold the 16-octet IPv6 address as
+ well as the other information (address family and port number) that
+ is needed. So a new address data structure must be defined for IPv6.
+
+ IPv6 addresses are scoped [2] so they could be link-local, site,
+ organization, global, or other scopes at this time undefined. To
+ support applications that want to be able to identify a set of
+ interfaces for a specific scope, the IPv6 sockaddr_in structure must
+ support a field that can be used by an implementation to identify a
+ set of interfaces identifying the scope for an IPv6 address.
+
+ The IPv4 name-to-address translation functions in the socket
+ interface are gethostbyname() and gethostbyaddr(). These are left as
+ is, and new functions are defined which support both IPv4 and IPv6.
+
+ The IPv4 address conversion functions -- inet_ntoa() and inet_addr()
+ -- convert IPv4 addresses between binary and printable form. These
+ functions are quite specific to 32-bit IPv4 addresses. We have
+ designed two analogous functions that convert both IPv4 and IPv6
+ addresses, and carry an address type parameter so that they can be
+ extended to other protocol families as well.
+
+ Finally, a few miscellaneous features are needed to support IPv6. A
+ new interface is needed to support the IPv6 hop limit header field.
+ New socket options are needed to control the sending and receiving of
+ IPv6 multicast packets.
+
+ The socket interface will be enhanced in the future to provide access
+ to other IPv6 features. Some of these extensions are described in
+ [4].
+
+
+
+
+
+Gilligan, et al. Informational [Page 5]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+2.2 Data Types
+
+ The data types of the structure elements given in this memo are
+ intended to track the relevant standards. uintN_t means an unsigned
+ integer of exactly N bits (e.g., uint16_t). The sa_family_t and
+ in_port_t types are defined in [3].
+
+2.3 Headers
+
+ When function prototypes and structures are shown we show the headers
+ that must be #included to cause that item to be defined.
+
+2.4 Structures
+
+ When structures are described the members shown are the ones that
+ must appear in an implementation. Additional, nonstandard members
+ may also be defined by an implementation. As an additional
+ precaution nonstandard members could be verified by Feature Test
+ Macros as described in [3]. (Such Feature Test Macros are not
+ defined by this RFC.)
+
+ The ordering shown for the members of a structure is the recommended
+ ordering, given alignment considerations of multibyte members, but an
+ implementation may order the members differently.
+
+3. Socket Interface
+
+ This section specifies the socket interface changes for IPv6.
+
+3.1 IPv6 Address Family and Protocol Family
+
+ A new address family name, AF_INET6, is defined in <sys/socket.h>.
+ The AF_INET6 definition distinguishes between the original
+ sockaddr_in address data structure, and the new sockaddr_in6 data
+ structure.
+
+ A new protocol family name, PF_INET6, is defined in <sys/socket.h>.
+ Like most of the other protocol family names, this will usually be
+ defined to have the same value as the corresponding address family
+ name:
+
+ #define PF_INET6 AF_INET6
+
+ The AF_INET6 is used in the first argument to the socket() function
+ to indicate that an IPv6 socket is being created.
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 6]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+3.2 IPv6 Address Structure
+
+ A new in6_addr structure holds a single IPv6 address and is defined
+ as a result of including <netinet/in.h>:
+
+ struct in6_addr {
+ uint8_t s6_addr[16]; /* IPv6 address */
+ };
+
+ This data structure contains an array of sixteen 8-bit elements,
+ which make up one 128-bit IPv6 address. The IPv6 address is stored
+ in network byte order.
+
+ The structure in6_addr above is usually implemented with an embedded
+ union with extra fields that force the desired alignment level in a
+ manner similar to BSD implementations of "struct in_addr". Those
+ additional implementation details are omitted here for simplicity.
+
+ An example is as follows:
+
+ struct in6_addr {
+ union {
+ uint8_t _S6_u8[16];
+ uint32_t _S6_u32[4];
+ uint64_t _S6_u64[2];
+ } _S6_un;
+ };
+ #define s6_addr _S6_un._S6_u8
+
+3.3 Socket Address Structure for 4.3BSD-Based Systems
+
+ In the socket interface, a different protocol-specific data structure
+ is defined to carry the addresses for each protocol suite. Each
+ protocol-specific data structure is designed so it can be cast into a
+ protocol-independent data structure -- the "sockaddr" structure.
+ Each has a "family" field that overlays the "sa_family" of the
+ sockaddr data structure. This field identifies the type of the data
+ structure.
+
+ The sockaddr_in structure is the protocol-specific address data
+ structure for IPv4. It is used to pass addresses between
+ applications and the system in the socket functions. The following
+ sockaddr_in6 structure holds IPv6 addresses and is defined as a
+ result of including the <netinet/in.h> header:
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 7]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+struct sockaddr_in6 {
+ sa_family_t sin6_family; /* AF_INET6 */
+ in_port_t sin6_port; /* transport layer port # */
+ uint32_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ uint32_t sin6_scope_id; /* set of interfaces for a scope */
+};
+
+ This structure is designed to be compatible with the sockaddr data
+ structure used in the 4.3BSD release.
+
+ The sin6_family field identifies this as a sockaddr_in6 structure.
+ This field overlays the sa_family field when the buffer is cast to a
+ sockaddr data structure. The value of this field must be AF_INET6.
+
+ The sin6_port field contains the 16-bit UDP or TCP port number. This
+ field is used in the same way as the sin_port field of the
+ sockaddr_in structure. The port number is stored in network byte
+ order.
+
+ The sin6_flowinfo field is a 32-bit field intended to contain flow-
+ related information. The exact way this field is mapped to or from a
+ packet is not currently specified. Until such time as its use is
+ specified, applications should set this field to zero when
+ constructing a sockaddr_in6, and ignore this field in a sockaddr_in6
+ structure constructed by the system.
+
+ The sin6_addr field is a single in6_addr structure (defined in the
+ previous section). This field holds one 128-bit IPv6 address. The
+ address is stored in network byte order.
+
+ The ordering of elements in this structure is specifically designed
+ so that when sin6_addr field is aligned on a 64-bit boundary, the
+ start of the structure will also be aligned on a 64-bit boundary.
+ This is done for optimum performance on 64-bit architectures.
+
+ The sin6_scope_id field is a 32-bit integer that identifies a set of
+ interfaces as appropriate for the scope [2] of the address carried in
+ the sin6_addr field. The mapping of sin6_scope_id to an interface or
+ set of interfaces is left to implementation and future specifications
+ on the subject of scoped addresses.
+
+ Notice that the sockaddr_in6 structure will normally be larger than
+ the generic sockaddr structure. On many existing implementations the
+ sizeof(struct sockaddr_in) equals sizeof(struct sockaddr), with both
+ being 16 bytes. Any existing code that makes this assumption needs
+ to be examined carefully when converting to IPv6.
+
+
+
+
+Gilligan, et al. Informational [Page 8]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+3.4 Socket Address Structure for 4.4BSD-Based Systems
+
+ The 4.4BSD release includes a small, but incompatible change to the
+ socket interface. The "sa_family" field of the sockaddr data
+ structure was changed from a 16-bit value to an 8-bit value, and the
+ space saved used to hold a length field, named "sa_len". The
+ sockaddr_in6 data structure given in the previous section cannot be
+ correctly cast into the newer sockaddr data structure. For this
+ reason, the following alternative IPv6 address data structure is
+ provided to be used on systems based on 4.4BSD. It is defined as a
+ result of including the <netinet/in.h> header.
+
+struct sockaddr_in6 {
+ uint8_t sin6_len; /* length of this struct */
+ sa_family_t sin6_family; /* AF_INET6 */
+ in_port_t sin6_port; /* transport layer port # */
+ uint32_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ uint32_t sin6_scope_id; /* set of interfaces for a scope */
+};
+
+ The only differences between this data structure and the 4.3BSD
+ variant are the inclusion of the length field, and the change of the
+ family field to a 8-bit data type. The definitions of all the other
+ fields are identical to the structure defined in the previous
+ section.
+
+ Systems that provide this version of the sockaddr_in6 data structure
+ must also declare SIN6_LEN as a result of including the
+ <netinet/in.h> header. This macro allows applications to determine
+ whether they are being built on a system that supports the 4.3BSD or
+ 4.4BSD variants of the data structure.
+
+3.5 The Socket Functions
+
+ Applications call the socket() function to create a socket descriptor
+ that represents a communication endpoint. The arguments to the
+ socket() function tell the system which protocol to use, and what
+ format address structure will be used in subsequent functions. For
+ example, to create an IPv4/TCP socket, applications make the call:
+
+ s = socket(AF_INET, SOCK_STREAM, 0);
+
+ To create an IPv4/UDP socket, applications make the call:
+
+ s = socket(AF_INET, SOCK_DGRAM, 0);
+
+
+
+
+
+Gilligan, et al. Informational [Page 9]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ Applications may create IPv6/TCP and IPv6/UDP sockets (which may also
+ handle IPv4 communication as described in section 3.7) by simply
+ using the constant AF_INET6 instead of AF_INET in the first argument.
+ For example, to create an IPv6/TCP socket, applications make the
+ call:
+
+ s = socket(AF_INET6, SOCK_STREAM, 0);
+
+ To create an IPv6/UDP socket, applications make the call:
+
+ s = socket(AF_INET6, SOCK_DGRAM, 0);
+
+ Once the application has created a AF_INET6 socket, it must use the
+ sockaddr_in6 address structure when passing addresses in to the
+ system. The functions that the application uses to pass addresses
+ into the system are:
+
+ bind()
+ connect()
+ sendmsg()
+ sendto()
+
+ The system will use the sockaddr_in6 address structure to return
+ addresses to applications that are using AF_INET6 sockets. The
+ functions that return an address from the system to an application
+ are:
+
+ accept()
+ recvfrom()
+ recvmsg()
+ getpeername()
+ getsockname()
+
+ No changes to the syntax of the socket functions are needed to
+ support IPv6, since all of the "address carrying" functions use an
+ opaque address pointer, and carry an address length as a function
+ argument.
+
+3.6 Compatibility with IPv4 Applications
+
+ In order to support the large base of applications using the original
+ API, system implementations must provide complete source and binary
+ compatibility with the original API. This means that systems must
+ continue to support AF_INET sockets and the sockaddr_in address
+ structure. Applications must be able to create IPv4/TCP and IPv4/UDP
+ sockets using the AF_INET constant in the socket() function, as
+
+
+
+
+
+Gilligan, et al. Informational [Page 10]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ described in the previous section. Applications should be able to
+ hold a combination of IPv4/TCP, IPv4/UDP, IPv6/TCP and IPv6/UDP
+ sockets simultaneously within the same process.
+
+ Applications using the original API should continue to operate as
+ they did on systems supporting only IPv4. That is, they should
+ continue to interoperate with IPv4 nodes.
+
+3.7 Compatibility with IPv4 Nodes
+
+ The API also provides a different type of compatibility: the ability
+ for IPv6 applications to interoperate with IPv4 applications. This
+ feature uses the IPv4-mapped IPv6 address format defined in the IPv6
+ addressing architecture specification [2]. This address format
+ allows the IPv4 address of an IPv4 node to be represented as an IPv6
+ address. The IPv4 address is encoded into the low-order 32 bits of
+ the IPv6 address, and the high-order 96 bits hold the fixed prefix
+ 0:0:0:0:0:FFFF. IPv4-mapped addresses are written as follows:
+
+ ::FFFF:<IPv4-address>
+
+ These addresses can be generated automatically by the getaddrinfo()
+ function, as described in Section 6.1.
+
+ Applications may use AF_INET6 sockets to open TCP connections to IPv4
+ nodes, or send UDP packets to IPv4 nodes, by simply encoding the
+ destination's IPv4 address as an IPv4-mapped IPv6 address, and
+ passing that address, within a sockaddr_in6 structure, in the
+ connect() or sendto() call. When applications use AF_INET6 sockets
+ to accept TCP connections from IPv4 nodes, or receive UDP packets
+ from IPv4 nodes, the system returns the peer's address to the
+ application in the accept(), recvfrom(), or getpeername() call using
+ a sockaddr_in6 structure encoded this way.
+
+ Few applications will likely need to know which type of node they are
+ interoperating with. However, for those applications that do need to
+ know, the IN6_IS_ADDR_V4MAPPED() macro, defined in Section 6.4, is
+ provided.
+
+3.8 IPv6 Wildcard Address
+
+ While the bind() function allows applications to select the source IP
+ address of UDP packets and TCP connections, applications often want
+ the system to select the source address for them. With IPv4, one
+ specifies the address as the symbolic constant INADDR_ANY (called the
+ "wildcard" address) in the bind() call, or simply omits the bind()
+ entirely.
+
+
+
+
+Gilligan, et al. Informational [Page 11]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ Since the IPv6 address type is a structure (struct in6_addr), a
+ symbolic constant can be used to initialize an IPv6 address variable,
+ but cannot be used in an assignment. Therefore systems provide the
+ IPv6 wildcard address in two forms.
+
+ The first version is a global variable named "in6addr_any" that is an
+ in6_addr structure. The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_any;
+
+ Applications use in6addr_any similarly to the way they use INADDR_ANY
+ in IPv4. For example, to bind a socket to port number 23, but let
+ the system select the source address, an application could use the
+ following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_any; /* structure assignment */
+ . . .
+ if (bind(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The other version is a symbolic constant named IN6ADDR_ANY_INIT and
+ is defined in <netinet/in.h>. This constant can be used to
+ initialize an in6_addr structure:
+
+ struct in6_addr anyaddr = IN6ADDR_ANY_INIT;
+
+ Note that this constant can be used ONLY at declaration time. It can
+ not be used to assign a previously declared in6_addr structure. For
+ example, the following code will not work:
+
+ /* This is the WRONG way to assign an unspecified address */
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_addr = IN6ADDR_ANY_INIT; /* will NOT compile */
+
+ Be aware that the IPv4 INADDR_xxx constants are all defined in host
+ byte order but the IPv6 IN6ADDR_xxx constants and the IPv6
+ in6addr_xxx externals are defined in network byte order.
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 12]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+3.9 IPv6 Loopback Address
+
+ Applications may need to send UDP packets to, or originate TCP
+ connections to, services residing on the local node. In IPv4, they
+ can do this by using the constant IPv4 address INADDR_LOOPBACK in
+ their connect(), sendto(), or sendmsg() call.
+
+ IPv6 also provides a loopback address to contact local TCP and UDP
+ services. Like the unspecified address, the IPv6 loopback address is
+ provided in two forms -- a global variable and a symbolic constant.
+
+ The global variable is an in6_addr structure named
+ "in6addr_loopback." The extern declaration for this variable is
+ defined in <netinet/in.h>:
+
+ extern const struct in6_addr in6addr_loopback;
+
+ Applications use in6addr_loopback as they would use INADDR_LOOPBACK
+ in IPv4 applications (but beware of the byte ordering difference
+ mentioned at the end of the previous section). For example, to open
+ a TCP connection to the local telnet server, an application could use
+ the following code:
+
+ struct sockaddr_in6 sin6;
+ . . .
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_flowinfo = 0;
+ sin6.sin6_port = htons(23);
+ sin6.sin6_addr = in6addr_loopback; /* structure assignment */
+ . . .
+ if (connect(s, (struct sockaddr *) &sin6, sizeof(sin6)) == -1)
+ . . .
+
+ The symbolic constant is named IN6ADDR_LOOPBACK_INIT and is defined
+ in <netinet/in.h>. It can be used at declaration time ONLY; for
+ example:
+
+ struct in6_addr loopbackaddr = IN6ADDR_LOOPBACK_INIT;
+
+ Like IN6ADDR_ANY_INIT, this constant cannot be used in an assignment
+ to a previously declared IPv6 address variable.
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 13]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+3.10 Portability Additions
+
+ One simple addition to the sockets API that can help application
+ writers is the "struct sockaddr_storage". This data structure can
+ simplify writing code that is portable across multiple address
+ families and platforms. This data structure is designed with the
+ following goals.
+
+ - Large enough to accommodate all supported protocol-specific address
+ structures.
+
+ - Aligned at an appropriate boundary so that pointers to it can be
+ cast as pointers to protocol specific address structures and used
+ to access the fields of those structures without alignment
+ problems.
+
+ The sockaddr_storage structure contains field ss_family which is of
+ type sa_family_t. When a sockaddr_storage structure is cast to a
+ sockaddr structure, the ss_family field of the sockaddr_storage
+ structure maps onto the sa_family field of the sockaddr structure.
+ When a sockaddr_storage structure is cast as a protocol specific
+ address structure, the ss_family field maps onto a field of that
+ structure that is of type sa_family_t and that identifies the
+ protocol's address family.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 14]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ An example implementation design of such a data structure would be as
+ follows.
+
+/*
+ * Desired design of maximum size and alignment
+ */
+#define _SS_MAXSIZE 128 /* Implementation specific max size */
+#define _SS_ALIGNSIZE (sizeof (int64_t))
+ /* Implementation specific desired alignment */
+/*
+ * Definitions used for sockaddr_storage structure paddings design.
+ */
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof (sa_family_t))
+#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof (sa_family_t) +
+ _SS_PAD1SIZE + _SS_ALIGNSIZE))
+struct sockaddr_storage {
+ sa_family_t ss_family; /* address family */
+ /* Following fields are implementation specific */
+ char __ss_pad1[_SS_PAD1SIZE];
+ /* 6 byte pad, this is to make implementation
+ /* specific pad up to alignment field that */
+ /* follows explicit in the data structure */
+ int64_t __ss_align; /* field to force desired structure */
+ /* storage alignment */
+ char __ss_pad2[_SS_PAD2SIZE];
+ /* 112 byte pad to achieve desired size, */
+ /* _SS_MAXSIZE value minus size of ss_family */
+ /* __ss_pad1, __ss_align fields is 112 */
+};
+
+ The above example implementation illustrates a data structure which
+ will align on a 64-bit boundary. An implementation-specific field
+ "__ss_align" along with "__ss_pad1" is used to force a 64-bit
+ alignment which covers proper alignment good enough for the needs of
+ sockaddr_in6 (IPv6), sockaddr_in (IPv4) address data structures. The
+ size of padding field __ss_pad1 depends on the chosen alignment
+ boundary. The size of padding field __ss_pad2 depends on the value
+ of overall size chosen for the total size of the structure. This
+ size and alignment are represented in the above example by
+ implementation specific (not required) constants _SS_MAXSIZE (chosen
+ value 128) and _SS_ALIGNSIZE (with chosen value 8). Constants
+ _SS_PAD1SIZE (derived value 6) and _SS_PAD2SIZE (derived value 112)
+ are also for illustration and not required. The derived values
+ assume sa_family_t is 2 bytes. The implementation specific
+ definitions and structure field names above start with an underscore
+ to denote implementation private namespace. Portable code is not
+ expected to access or reference those fields or constants.
+
+
+
+
+Gilligan, et al. Informational [Page 15]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ On implementations where the sockaddr data structure includes a
+ "sa_len" field this data structure would look like this:
+
+/*
+ * Definitions used for sockaddr_storage structure paddings design.
+ */
+#define _SS_PAD1SIZE (_SS_ALIGNSIZE -
+ (sizeof (uint8_t) + sizeof (sa_family_t))
+#define _SS_PAD2SIZE (_SS_MAXSIZE -
+ (sizeof (uint8_t) + sizeof (sa_family_t) +
+ _SS_PAD1SIZE + _SS_ALIGNSIZE))
+struct sockaddr_storage {
+ uint8_t ss_len; /* address length */
+ sa_family_t ss_family; /* address family */
+ /* Following fields are implementation specific */
+ char __ss_pad1[_SS_PAD1SIZE];
+ /* 6 byte pad, this is to make implementation
+ /* specific pad up to alignment field that */
+ /* follows explicit in the data structure */
+ int64_t __ss_align; /* field to force desired structure */
+ /* storage alignment */
+ char __ss_pad2[_SS_PAD2SIZE];
+ /* 112 byte pad to achieve desired size, */
+ /* _SS_MAXSIZE value minus size of ss_len, */
+ /* __ss_family, __ss_pad1, __ss_align fields is 112 */
+};
+
+4. Interface Identification
+
+ This API uses an interface index (a small positive integer) to
+ identify the local interface on which a multicast group is joined
+ (Section 5.2). Additionally, the advanced API [4] uses these same
+ interface indexes to identify the interface on which a datagram is
+ received, or to specify the interface on which a datagram is to be
+ sent.
+
+ Interfaces are normally known by names such as "le0", "sl1", "ppp2",
+ and the like. On Berkeley-derived implementations, when an interface
+ is made known to the system, the kernel assigns a unique positive
+ integer value (called the interface index) to that interface. These
+ are small positive integers that start at 1. (Note that 0 is never
+ used for an interface index.) There may be gaps so that there is no
+ current interface for a particular positive interface index.
+
+ This API defines two functions that map between an interface name and
+ index, a third function that returns all the interface names and
+ indexes, and a fourth function to return the dynamic memory allocated
+ by the previous function. How these functions are implemented is
+
+
+
+Gilligan, et al. Informational [Page 16]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ left up to the implementation. 4.4BSD implementations can implement
+ these functions using the existing sysctl() function with the
+ NET_RT_IFLIST command. Other implementations may wish to use ioctl()
+ for this purpose.
+
+4.1 Name-to-Index
+
+ The first function maps an interface name into its corresponding
+ index.
+
+ #include <net/if.h>
+
+ unsigned int if_nametoindex(const char *ifname);
+
+ If ifname is the name of an interface, the if_nametoindex() function
+ shall return the interface index corresponding to name ifname;
+ otherwise, it shall return zero. No errors are defined.
+
+4.2 Index-to-Name
+
+ The second function maps an interface index into its corresponding
+ name.
+
+ #include <net/if.h>
+
+ char *if_indextoname(unsigned int ifindex, char *ifname);
+
+ When this function is called, the ifname argument shall point to a
+ buffer of at least IF_NAMESIZE bytes. The function shall place in
+ this buffer the name of the interface with index ifindex.
+ (IF_NAMESIZE is also defined in <net/if.h> and its value includes a
+ terminating null byte at the end of the interface name.) If ifindex
+ is an interface index, then the function shall return the value
+ supplied in ifname, which points to a buffer now containing the
+ interface name. Otherwise, the function shall return a NULL pointer
+ and set errno to indicate the error. If there is no interface
+ corresponding to the specified index, errno is set to ENXIO. If
+ there was a system error (such as running out of memory), errno would
+ be set to the proper value (e.g., ENOMEM).
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 17]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+4.3 Return All Interface Names and Indexes
+
+ The if_nameindex structure holds the information about a single
+ interface and is defined as a result of including the <net/if.h>
+ header.
+
+ struct if_nameindex {
+ unsigned int if_index; /* 1, 2, ... */
+ char *if_name; /* null terminated name: "le0", ... */
+ };
+
+ The final function returns an array of if_nameindex structures, one
+ structure per interface.
+
+ #include <net/if.h>
+
+ struct if_nameindex *if_nameindex(void);
+
+ The end of the array of structures is indicated by a structure with
+ an if_index of 0 and an if_name of NULL. The function returns a NULL
+ pointer upon an error, and would set errno to the appropriate value.
+
+ The memory used for this array of structures along with the interface
+ names pointed to by the if_name members is obtained dynamically.
+ This memory is freed by the next function.
+
+4.4 Free Memory
+
+ The following function frees the dynamic memory that was allocated by
+ if_nameindex().
+
+ #include <net/if.h>
+
+ void if_freenameindex(struct if_nameindex *ptr);
+
+ The ptr argument shall be a pointer that was returned by
+ if_nameindex(). After if_freenameindex() has been called, the
+ application shall not use the array of which ptr is the address.
+
+5. Socket Options
+
+ A number of new socket options are defined for IPv6. All of these
+ new options are at the IPPROTO_IPV6 level. That is, the "level"
+ parameter in the getsockopt() and setsockopt() calls is IPPROTO_IPV6
+ when using these options. The constant name prefix IPV6_ is used in
+ all of the new socket options. This serves to clearly identify these
+ options as applying to IPv6.
+
+
+
+
+Gilligan, et al. Informational [Page 18]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ The declaration for IPPROTO_IPV6, the new IPv6 socket options, and
+ related constants defined in this section are obtained by including
+ the header <netinet/in.h>.
+
+5.1 Unicast Hop Limit
+
+ A new setsockopt() option controls the hop limit used in outgoing
+ unicast IPv6 packets. The name of this option is IPV6_UNICAST_HOPS,
+ and it is used at the IPPROTO_IPV6 layer. The following example
+ illustrates how it is used:
+
+ int hoplimit = 10;
+
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, sizeof(hoplimit)) == -1)
+ perror("setsockopt IPV6_UNICAST_HOPS");
+
+ When the IPV6_UNICAST_HOPS option is set with setsockopt(), the
+ option value given is used as the hop limit for all subsequent
+ unicast packets sent via that socket. If the option is not set, the
+ system selects a default value. The integer hop limit value (called
+ x) is interpreted as follows:
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+ The IPV6_UNICAST_HOPS option may be used with getsockopt() to
+ determine the hop limit value that the system will use for subsequent
+ unicast packets sent via that socket. For example:
+
+ int hoplimit;
+ socklen_t len = sizeof(hoplimit);
+
+ if (getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS,
+ (char *) &hoplimit, &len) == -1)
+ perror("getsockopt IPV6_UNICAST_HOPS");
+ else
+ printf("Using %d for hop limit.\n", hoplimit);
+
+5.2 Sending and Receiving Multicast Packets
+
+ IPv6 applications may send multicast packets by simply specifying an
+ IPv6 multicast address as the destination address, for example in the
+ destination address argument of the sendto() function.
+
+
+
+
+
+Gilligan, et al. Informational [Page 19]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ Three socket options at the IPPROTO_IPV6 layer control some of the
+ parameters for sending multicast packets. Setting these options is
+ not required: applications may send multicast packets without using
+ these options. The setsockopt() options for controlling the sending
+ of multicast packets are summarized below. These three options can
+ also be used with getsockopt().
+
+ IPV6_MULTICAST_IF
+
+ Set the interface to use for outgoing multicast packets. The
+ argument is the index of the interface to use. If the
+ interface index is specified as zero, the system selects the
+ interface (for example, by looking up the address in a routing
+ table and using the resulting interface).
+
+ Argument type: unsigned int
+
+ IPV6_MULTICAST_HOPS
+
+ Set the hop limit to use for outgoing multicast packets. (Note
+ a separate option - IPV6_UNICAST_HOPS - is provided to set the
+ hop limit to use for outgoing unicast packets.)
+
+ The interpretation of the argument is the same as for the
+ IPV6_UNICAST_HOPS option:
+
+ x < -1: return an error of EINVAL
+ x == -1: use kernel default
+ 0 <= x <= 255: use x
+ x >= 256: return an error of EINVAL
+
+ If IPV6_MULTICAST_HOPS is not set, the default is 1
+ (same as IPv4 today)
+
+ Argument type: int
+
+ IPV6_MULTICAST_LOOP
+
+ If a multicast datagram is sent to a group to which the sending
+ host itself belongs (on the outgoing interface), a copy of the
+ datagram is looped back by the IP layer for local delivery if
+ this option is set to 1. If this option is set to 0 a copy is
+ not looped back. Other option values return an error of
+ EINVAL.
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 20]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ If IPV6_MULTICAST_LOOP is not set, the default is 1 (loopback;
+ same as IPv4 today).
+
+ Argument type: unsigned int
+
+ The reception of multicast packets is controlled by the two
+ setsockopt() options summarized below. An error of EOPNOTSUPP is
+ returned if these two options are used with getsockopt().
+
+ IPV6_JOIN_GROUP
+
+ Join a multicast group on a specified local interface.
+ If the interface index is specified as 0,
+ the kernel chooses the local interface.
+ For example, some kernels look up the multicast group
+ in the normal IPv6 routing table and use the resulting
+ interface.
+
+ Argument type: struct ipv6_mreq
+
+ IPV6_LEAVE_GROUP
+
+ Leave a multicast group on a specified interface.
+ If the interface index is specified as 0, the system
+ may choose a multicast group membership to drop by
+ matching the multicast address only.
+
+ Argument type: struct ipv6_mreq
+
+ The argument type of both of these options is the ipv6_mreq
+ structure, defined as a result of including the <netinet/in.h>
+ header;
+
+ struct ipv6_mreq {
+ struct in6_addr ipv6mr_multiaddr; /* IPv6 multicast addr */
+ unsigned int ipv6mr_interface; /* interface index */
+ };
+
+ Note that to receive multicast datagrams a process must join the
+ multicast group to which datagrams will be sent. UDP applications
+ must also bind the UDP port to which datagrams will be sent. Some
+ processes also bind the multicast group address to the socket, in
+ addition to the port, to prevent other datagrams destined to that
+ same port from being delivered to the socket.
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 21]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+5.3 IPV6_V6ONLY option for AF_INET6 Sockets
+
+ This socket option restricts AF_INET6 sockets to IPv6 communications
+ only. As stated in section <3.7 Compatibility with IPv4 Nodes>,
+ AF_INET6 sockets may be used for both IPv4 and IPv6 communications.
+ Some applications may want to restrict their use of an AF_INET6
+ socket to IPv6 communications only. For these applications the
+ IPV6_V6ONLY socket option is defined. When this option is turned on,
+ the socket can be used to send and receive IPv6 packets only. This
+ is an IPPROTO_IPV6 level option. This option takes an int value.
+ This is a boolean option. By default this option is turned off.
+
+ Here is an example of setting this option:
+
+ int on = 1;
+
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
+ (char *)&on, sizeof(on)) == -1)
+ perror("setsockopt IPV6_V6ONLY");
+ else
+ printf("IPV6_V6ONLY set\n");
+
+ Note - This option has no effect on the use of IPv4 Mapped addresses
+ which enter a node as a valid IPv6 addresses for IPv6 communications
+ as defined by Stateless IP/ICMP Translation Algorithm (SIIT) [5].
+
+ An example use of this option is to allow two versions of the same
+ server process to run on the same port, one providing service over
+ IPv6, the other providing the same service over IPv4.
+
+6. Library Functions
+
+ New library functions are needed to perform a variety of operations
+ with IPv6 addresses. Functions are needed to lookup IPv6 addresses
+ in the Domain Name System (DNS). Both forward lookup (nodename-to-
+ address translation) and reverse lookup (address-to-nodename
+ translation) need to be supported. Functions are also needed to
+ convert IPv6 addresses between their binary and textual form.
+
+ We note that the two existing functions, gethostbyname() and
+ gethostbyaddr(), are left as-is. New functions are defined to handle
+ both IPv4 and IPv6 addresses.
+
+ The commonly used function gethostbyname() is inadequate for many
+ applications, first because it provides no way for the caller to
+ specify anything about the types of addresses desired (IPv4 only,
+ IPv6 only, IPv4-mapped IPv6 are OK, etc.), and second because many
+ implementations of this function are not thread safe. RFC 2133
+
+
+
+Gilligan, et al. Informational [Page 22]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ defined a function named gethostbyname2() but this function was also
+ inadequate, first because its use required setting a global option
+ (RES_USE_INET6) when IPv6 addresses were required, and second because
+ a flag argument is needed to provide the caller with additional
+ control over the types of addresses required. The gethostbyname2()
+ function was deprecated in RFC 2553 and is no longer part of the
+ basic API.
+
+6.1 Protocol-Independent Nodename and Service Name Translation
+
+ Nodename-to-address translation is done in a protocol-independent
+ fashion using the getaddrinfo() function.
+
+#include <sys/socket.h>
+#include <netdb.h>
+
+
+int getaddrinfo(const char *nodename, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res);
+
+void freeaddrinfo(struct addrinfo *ai);
+
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME,
+ AI_NUMERICHOST, .. */
+ int ai_family; /* AF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ socklen_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for nodename */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+};
+
+ The getaddrinfo() function translates the name of a service location
+ (for example, a host name) and/or a service name and returns a set of
+ socket addresses and associated information to be used in creating a
+ socket with which to address the specified service.
+
+ The nodename and servname arguments are either null pointers or
+ pointers to null-terminated strings. One or both of these two
+ arguments must be a non-null pointer.
+
+ The format of a valid name depends on the address family or families.
+ If a specific family is not given and the name could be interpreted
+ as valid within multiple supported families, the implementation will
+ attempt to resolve the name in all supported families and, in absence
+ of errors, one or more results shall be returned.
+
+
+
+Gilligan, et al. Informational [Page 23]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ If the nodename argument is not null, it can be a descriptive name or
+ can be an address string. If the specified address family is
+ AF_INET, AF_INET6, or AF_UNSPEC, valid descriptive names include host
+ names. If the specified address family is AF_INET or AF_UNSPEC,
+ address strings using Internet standard dot notation as specified in
+ inet_addr() are valid. If the specified address family is AF_INET6
+ or AF_UNSPEC, standard IPv6 text forms described in inet_pton() are
+ valid.
+
+ If nodename is not null, the requested service location is named by
+ nodename; otherwise, the requested service location is local to the
+ caller.
+
+ If servname is null, the call shall return network-level addresses
+ for the specified nodename. If servname is not null, it is a null-
+ terminated character string identifying the requested service. This
+ can be either a descriptive name or a numeric representation suitable
+ for use with the address family or families. If the specified
+ address family is AF_INET, AF_INET6 or AF_UNSPEC, the service can be
+ specified as a string specifying a decimal port number.
+
+ If the argument hints is not null, it refers to a structure
+ containing input values that may direct the operation by providing
+ options and by limiting the returned information to a specific socket
+ type, address family and/or protocol. In this hints structure every
+ member other than ai_flags, ai_family, ai_socktype and ai_protocol
+ shall be set to zero or a null pointer. A value of AF_UNSPEC for
+ ai_family means that the caller shall accept any address family. A
+ value of zero for ai_socktype means that the caller shall accept any
+ socket type. A value of zero for ai_protocol means that the caller
+ shall accept any protocol. If hints is a null pointer, the behavior
+ shall be as if it referred to a structure containing the value zero
+ for the ai_flags, ai_socktype and ai_protocol fields, and AF_UNSPEC
+ for the ai_family field.
+
+ Note:
+
+ 1. If the caller handles only TCP and not UDP, for example, then the
+ ai_protocol member of the hints structure should be set to
+ IPPROTO_TCP when getaddrinfo() is called.
+
+ 2. If the caller handles only IPv4 and not IPv6, then the ai_family
+ member of the hints structure should be set to AF_INET when
+ getaddrinfo() is called.
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 24]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ The ai_flags field to which hints parameter points shall be set to
+ zero or be the bitwise-inclusive OR of one or more of the values
+ AI_PASSIVE, AI_CANONNAME, AI_NUMERICHOST, AI_NUMERICSERV,
+ AI_V4MAPPED, AI_ALL, and AI_ADDRCONFIG.
+
+ If the AI_PASSIVE flag is specified, the returned address information
+ shall be suitable for use in binding a socket for accepting incoming
+ connections for the specified service (i.e., a call to bind()). In
+ this case, if the nodename argument is null, then the IP address
+ portion of the socket address structure shall be set to INADDR_ANY
+ for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6 address. If the
+ AI_PASSIVE flag is not specified, the returned address information
+ shall be suitable for a call to connect() (for a connection-mode
+ protocol) or for a call to connect(), sendto() or sendmsg() (for a
+ connectionless protocol). In this case, if the nodename argument is
+ null, then the IP address portion of the socket address structure
+ shall be set to the loopback address. This flag is ignored if the
+ nodename argument is not null.
+
+ If the AI_CANONNAME flag is specified and the nodename argument is
+ not null, the function shall attempt to determine the canonical name
+ corresponding to nodename (for example, if nodename is an alias or
+ shorthand notation for a complete name).
+
+ If the AI_NUMERICHOST flag is specified, then a non-null nodename
+ string supplied shall be a numeric host address string. Otherwise,
+ an [EAI_NONAME] error is returned. This flag shall prevent any type
+ of name resolution service (for example, the DNS) from being invoked.
+
+ If the AI_NUMERICSERV flag is specified, then a non-null servname
+ string supplied shall be a numeric port string. Otherwise, an
+ [EAI_NONAME] error shall be returned. This flag shall prevent any
+ type of name resolution service (for example, NIS+) from being
+ invoked.
+
+ If the AI_V4MAPPED flag is specified along with an ai_family of
+ AF_INET6, then getaddrinfo() shall return IPv4-mapped IPv6 addresses
+ on finding no matching IPv6 addresses (ai_addrlen shall be 16).
+
+ For example, when using the DNS, if no AAAA records are found then
+ a query is made for A records and any found are returned as IPv4-
+ mapped IPv6 addresses.
+
+ The AI_V4MAPPED flag shall be ignored unless ai_family equals
+ AF_INET6.
+
+ If the AI_ALL flag is used with the AI_V4MAPPED flag, then
+ getaddrinfo() shall return all matching IPv6 and IPv4 addresses.
+
+
+
+Gilligan, et al. Informational [Page 25]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ For example, when using the DNS, queries are made for both AAAA
+ records and A records, and getaddrinfo() returns the combined
+ results of both queries. Any IPv4 addresses found are returned as
+ IPv4-mapped IPv6 addresses.
+
+ The AI_ALL flag without the AI_V4MAPPED flag is ignored.
+
+ Note:
+
+ When ai_family is not specified (AF_UNSPEC), AI_V4MAPPED and
+ AI_ALL flags will only be used if AF_INET6 is supported.
+
+ If the AI_ADDRCONFIG flag is specified, IPv4 addresses shall be
+ returned only if an IPv4 address is configured on the local system,
+ and IPv6 addresses shall be returned only if an IPv6 address is
+ configured on the local system. The loopback address is not
+ considered for this case as valid as a configured address.
+
+ For example, when using the DNS, a query for AAAA records should
+ occur only if the node has at least one IPv6 address configured
+ (other than IPv6 loopback) and a query for A records should occur
+ only if the node has at least one IPv4 address configured (other
+ than the IPv4 loopback).
+
+ The ai_socktype field to which argument hints points specifies the
+ socket type for the service, as defined for socket(). If a specific
+ socket type is not given (for example, a value of zero) and the
+ service name could be interpreted as valid with multiple supported
+ socket types, the implementation shall attempt to resolve the service
+ name for all supported socket types and, in the absence of errors,
+ all possible results shall be returned. A non-zero socket type value
+ shall limit the returned information to values with the specified
+ socket type.
+
+ If the ai_family field to which hints points has the value AF_UNSPEC,
+ addresses shall be returned for use with any address family that can
+ be used with the specified nodename and/or servname. Otherwise,
+ addresses shall be returned for use only with the specified address
+ family. If ai_family is not AF_UNSPEC and ai_protocol is not zero,
+ then addresses are returned for use only with the specified address
+ family and protocol; the value of ai_protocol shall be interpreted as
+ in a call to the socket() function with the corresponding values of
+ ai_family and ai_protocol.
+
+ The freeaddrinfo() function frees one or more addrinfo structures
+ returned by getaddrinfo(), along with any additional storage
+ associated with those structures (for example, storage pointed to by
+ the ai_canonname and ai_addr fields; an application must not
+
+
+
+Gilligan, et al. Informational [Page 26]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ reference this storage after the associated addrinfo structure has
+ been freed). If the ai_next field of the structure is not null, the
+ entire list of structures is freed. The freeaddrinfo() function must
+ support the freeing of arbitrary sublists of an addrinfo list
+ originally returned by getaddrinfo().
+
+ Functions getaddrinfo() and freeaddrinfo() must be thread-safe.
+
+ A zero return value for getaddrinfo() indicates successful
+ completion; a non-zero return value indicates failure. The possible
+ values for the failures are listed below under Error Return Values.
+
+ Upon successful return of getaddrinfo(), the location to which res
+ points shall refer to a linked list of addrinfo structures, each of
+ which shall specify a socket address and information for use in
+ creating a socket with which to use that socket address. The list
+ shall include at least one addrinfo structure. The ai_next field of
+ each structure contains a pointer to the next structure on the list,
+ or a null pointer if it is the last structure on the list. Each
+ structure on the list shall include values for use with a call to the
+ socket() function, and a socket address for use with the connect()
+ function or, if the AI_PASSIVE flag was specified, for use with the
+ bind() function. The fields ai_family, ai_socktype, and ai_protocol
+ shall be usable as the arguments to the socket() function to create a
+ socket suitable for use with the returned address. The fields
+ ai_addr and ai_addrlen are usable as the arguments to the connect()
+ or bind() functions with such a socket, according to the AI_PASSIVE
+ flag.
+
+ If nodename is not null, and if requested by the AI_CANONNAME flag,
+ the ai_canonname field of the first returned addrinfo structure shall
+ point to a null-terminated string containing the canonical name
+ corresponding to the input nodename; if the canonical name is not
+ available, then ai_canonname shall refer to the nodename argument or
+ a string with the same contents. The contents of the ai_flags field
+ of the returned structures are undefined.
+
+ All fields in socket address structures returned by getaddrinfo()
+ that are not filled in through an explicit argument (for example,
+ sin6_flowinfo) shall be set to zero.
+
+ Note: This makes it easier to compare socket address structures.
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 27]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ Error Return Values:
+
+ The getaddrinfo() function shall fail and return the corresponding
+ value if:
+
+ [EAI_AGAIN] The name could not be resolved at this time. Future
+ attempts may succeed.
+
+ [EAI_BADFLAGS] The flags parameter had an invalid value.
+
+ [EAI_FAIL] A non-recoverable error occurred when attempting to
+ resolve the name.
+
+ [EAI_FAMILY] The address family was not recognized.
+
+ [EAI_MEMORY] There was a memory allocation failure when trying to
+ allocate storage for the return value.
+
+ [EAI_NONAME] The name does not resolve for the supplied
+ parameters. Neither nodename nor servname were
+ supplied. At least one of these must be supplied.
+
+ [EAI_SERVICE] The service passed was not recognized for the
+ specified socket type.
+
+ [EAI_SOCKTYPE] The intended socket type was not recognized.
+
+ [EAI_SYSTEM] A system error occurred; the error code can be found
+ in errno.
+
+ The gai_strerror() function provides a descriptive text string
+ corresponding to an EAI_xxx error value.
+
+ #include <netdb.h>
+
+ const char *gai_strerror(int ecode);
+
+ The argument is one of the EAI_xxx values defined for the
+ getaddrinfo() and getnameinfo() functions. The return value points
+ to a string describing the error. If the argument is not one of the
+ EAI_xxx values, the function still returns a pointer to a string
+ whose contents indicate an unknown error.
+
+6.2 Socket Address Structure to Node Name and Service Name
+
+ The getnameinfo() function is used to translate the contents of a
+ socket address structure to a node name and/or service name.
+
+
+
+
+Gilligan, et al. Informational [Page 28]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ #include <sys/socket.h>
+ #include <netdb.h>
+
+ int getnameinfo(const struct sockaddr *sa, socklen_t salen,
+ char *node, socklen_t nodelen,
+ char *service, socklen_t servicelen,
+ int flags);
+
+ The getnameinfo() function shall translate a socket address to a node
+ name and service location, all of which are defined as in
+ getaddrinfo().
+
+ The sa argument points to a socket address structure to be
+ translated.
+
+ The salen argument holds the size of the socket address structure
+ pointed to by sa.
+
+ If the socket address structure contains an IPv4-mapped IPv6 address
+ or an IPv4-compatible IPv6 address, the implementation shall extract
+ the embedded IPv4 address and lookup the node name for that IPv4
+ address.
+
+ Note: The IPv6 unspecified address ("::") and the IPv6 loopback
+ address ("::1") are not IPv4-compatible addresses. If the address
+ is the IPv6 unspecified address ("::"), a lookup is not performed,
+ and the [EAI_NONAME] error is returned.
+
+ If the node argument is non-NULL and the nodelen argument is nonzero,
+ then the node argument points to a buffer able to contain up to
+ nodelen characters that receives the node name as a null-terminated
+ string. If the node argument is NULL or the nodelen argument is
+ zero, the node name shall not be returned. If the node's name cannot
+ be located, the numeric form of the node's address is returned
+ instead of its name.
+
+ If the service argument is non-NULL and the servicelen argument is
+ non-zero, then the service argument points to a buffer able to
+ contain up to servicelen bytes that receives the service name as a
+ null-terminated string. If the service argument is NULL or the
+ servicelen argument is zero, the service name shall not be returned.
+ If the service's name cannot be located, the numeric form of the
+ service address (for example, its port number) shall be returned
+ instead of its name.
+
+ The arguments node and service cannot both be NULL.
+
+
+
+
+
+Gilligan, et al. Informational [Page 29]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ The flags argument is a flag that changes the default actions of the
+ function. By default the fully-qualified domain name (FQDN) for the
+ host shall be returned, but:
+
+ - If the flag bit NI_NOFQDN is set, only the node name portion of
+ the FQDN shall be returned for local hosts.
+
+ - If the flag bit NI_NUMERICHOST is set, the numeric form of the
+ host's address shall be returned instead of its name, under all
+ circumstances.
+
+ - If the flag bit NI_NAMEREQD is set, an error shall be returned if
+ the host's name cannot be located.
+
+ - If the flag bit NI_NUMERICSERV is set, the numeric form of the
+ service address shall be returned (for example, its port number)
+ instead of its name, under all circumstances.
+
+ - If the flag bit NI_DGRAM is set, this indicates that the service
+ is a datagram service (SOCK_DGRAM). The default behavior shall
+ assume that the service is a stream service (SOCK_STREAM).
+
+ Note:
+
+ 1. The NI_NUMERICxxx flags are required to support the "-n" flags
+ that many commands provide.
+
+ 2. The NI_DGRAM flag is required for the few AF_INET and AF_INET6
+ port numbers (for example, [512,514]) that represent different
+ services for UDP and TCP.
+
+ The getnameinfo() function shall be thread safe.
+
+ A zero return value for getnameinfo() indicates successful
+ completion; a non-zero return value indicates failure.
+
+ Upon successful completion, getnameinfo() shall return the node and
+ service names, if requested, in the buffers provided. The returned
+ names are always null-terminated strings.
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 30]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ Error Return Values:
+
+ The getnameinfo() function shall fail and return the corresponding
+ value if:
+
+ [EAI_AGAIN] The name could not be resolved at this time.
+ Future attempts may succeed.
+
+ [EAI_BADFLAGS] The flags had an invalid value.
+
+ [EAI_FAIL] A non-recoverable error occurred.
+
+ [EAI_FAMILY] The address family was not recognized or the address
+ length was invalid for the specified family.
+
+ [EAI_MEMORY] There was a memory allocation failure.
+
+ [EAI_NONAME] The name does not resolve for the supplied parameters.
+ NI_NAMEREQD is set and the host's name cannot be
+ located, or both nodename and servname were null.
+
+ [EAI_OVERFLOW] An argument buffer overflowed.
+
+ [EAI_SYSTEM] A system error occurred. The error code can be found
+ in errno.
+
+6.3 Address Conversion Functions
+
+ The two IPv4 functions inet_addr() and inet_ntoa() convert an IPv4
+ address between binary and text form. IPv6 applications need similar
+ functions. The following two functions convert both IPv6 and IPv4
+ addresses:
+
+ #include <arpa/inet.h>
+
+ int inet_pton(int af, const char *src, void *dst);
+
+ const char *inet_ntop(int af, const void *src,
+ char *dst, socklen_t size);
+
+ The inet_pton() function shall convert an address in its standard
+ text presentation form into its numeric binary form. The af argument
+ shall specify the family of the address. The AF_INET and AF_INET6
+ address families shall be supported. The src argument points to the
+ string being passed in. The dst argument points to a buffer into
+ which the function stores the numeric address; this shall be large
+ enough to hold the numeric address (32 bits for AF_INET, 128 bits for
+ AF_INET6). The inet_pton() function shall return 1 if the conversion
+
+
+
+Gilligan, et al. Informational [Page 31]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ succeeds, with the address pointed to by dst in network byte order.
+ It shall return 0 if the input is not a valid IPv4 dotted-decimal
+ string or a valid IPv6 address string, or -1 with errno set to
+ EAFNOSUPPORT if the af argument is unknown.
+
+ If the af argument of inet_pton() is AF_INET, the src string shall be
+ in the standard IPv4 dotted-decimal form:
+
+ ddd.ddd.ddd.ddd
+
+ where "ddd" is a one to three digit decimal number between 0 and 255.
+ The inet_pton() function does not accept other formats (such as the
+ octal numbers, hexadecimal numbers, and fewer than four numbers that
+ inet_addr() accepts).
+
+ If the af argument of inet_pton() is AF_INET6, the src string shall
+ be in one of the standard IPv6 text forms defined in Section 2.2 of
+ the addressing architecture specification [2].
+
+ The inet_ntop() function shall convert a numeric address into a text
+ string suitable for presentation. The af argument shall specify the
+ family of the address. This can be AF_INET or AF_INET6. The src
+ argument points to a buffer holding an IPv4 address if the af
+ argument is AF_INET, or an IPv6 address if the af argument is
+ AF_INET6; the address must be in network byte order. The dst
+ argument points to a buffer where the function stores the resulting
+ text string; it shall not be NULL. The size argument specifies the
+ size of this buffer, which shall be large enough to hold the text
+ string (INET_ADDRSTRLEN characters for IPv4, INET6_ADDRSTRLEN
+ characters for IPv6).
+
+ In order to allow applications to easily declare buffers of the
+ proper size to store IPv4 and IPv6 addresses in string form, the
+ following two constants are defined in <netinet/in.h>:
+
+ #define INET_ADDRSTRLEN 16
+ #define INET6_ADDRSTRLEN 46
+
+ The inet_ntop() function shall return a pointer to the buffer
+ containing the text string if the conversion succeeds, and NULL
+ otherwise. Upon failure, errno is set to EAFNOSUPPORT if the af
+ argument is invalid or ENOSPC if the size of the result buffer is
+ inadequate.
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 32]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+6.4 Address Testing Macros
+
+ The following macros can be used to test for special IPv6 addresses.
+
+ #include <netinet/in.h>
+
+ int IN6_IS_ADDR_UNSPECIFIED (const struct in6_addr *);
+ int IN6_IS_ADDR_LOOPBACK (const struct in6_addr *);
+ int IN6_IS_ADDR_MULTICAST (const struct in6_addr *);
+ int IN6_IS_ADDR_LINKLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_SITELOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_V4MAPPED (const struct in6_addr *);
+ int IN6_IS_ADDR_V4COMPAT (const struct in6_addr *);
+
+ int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+ int IN6_IS_ADDR_MC_ORGLOCAL (const struct in6_addr *);
+ int IN6_IS_ADDR_MC_GLOBAL (const struct in6_addr *);
+
+ The first seven macros return true if the address is of the specified
+ type, or false otherwise. The last five test the scope of a
+ multicast address and return true if the address is a multicast
+ address of the specified scope or false if the address is either not
+ a multicast address or not of the specified scope.
+
+ Note that IN6_IS_ADDR_LINKLOCAL and IN6_IS_ADDR_SITELOCAL return true
+ only for the two types of local-use IPv6 unicast addresses (Link-
+ Local and Site-Local) defined in [2], and that by this definition,
+ the IN6_IS_ADDR_LINKLOCAL macro returns false for the IPv6 loopback
+ address (::1). These two macros do not return true for IPv6
+ multicast addresses of either link-local scope or site-local scope.
+
+7. Summary of New Definitions
+
+ The following list summarizes the constants, structure, and extern
+ definitions discussed in this memo, sorted by header.
+
+<net/if.h> IF_NAMESIZE
+<net/if.h> struct if_nameindex{};
+
+<netdb.h> AI_ADDRCONFIG
+<netdb.h> AI_ALL
+<netdb.h> AI_CANONNAME
+<netdb.h> AI_NUMERICHOST
+<netdb.h> AI_NUMERICSERV
+<netdb.h> AI_PASSIVE
+<netdb.h> AI_V4MAPPED
+
+
+
+Gilligan, et al. Informational [Page 33]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+<netdb.h> EAI_AGAIN
+<netdb.h> EAI_BADFLAGS
+<netdb.h> EAI_FAIL
+<netdb.h> EAI_FAMILY
+<netdb.h> EAI_MEMORY
+<netdb.h> EAI_NONAME
+<netdb.h> EAI_OVERFLOW
+<netdb.h> EAI_SERVICE
+<netdb.h> EAI_SOCKTYPE
+<netdb.h> EAI_SYSTEM
+<netdb.h> NI_DGRAM
+<netdb.h> NI_NAMEREQD
+<netdb.h> NI_NOFQDN
+<netdb.h> NI_NUMERICHOST
+<netdb.h> NI_NUMERICSERV
+<netdb.h> struct addrinfo{};
+
+<netinet/in.h> IN6ADDR_ANY_INIT
+<netinet/in.h> IN6ADDR_LOOPBACK_INIT
+<netinet/in.h> INET6_ADDRSTRLEN
+<netinet/in.h> INET_ADDRSTRLEN
+<netinet/in.h> IPPROTO_IPV6
+<netinet/in.h> IPV6_JOIN_GROUP
+<netinet/in.h> IPV6_LEAVE_GROUP
+<netinet/in.h> IPV6_MULTICAST_HOPS
+<netinet/in.h> IPV6_MULTICAST_IF
+<netinet/in.h> IPV6_MULTICAST_LOOP
+<netinet/in.h> IPV6_UNICAST_HOPS
+<netinet/in.h> IPV6_V6ONLY
+<netinet/in.h> SIN6_LEN
+<netinet/in.h> extern const struct in6_addr in6addr_any;
+<netinet/in.h> extern const struct in6_addr in6addr_loopback;
+<netinet/in.h> struct in6_addr{};
+<netinet/in.h> struct ipv6_mreq{};
+<netinet/in.h> struct sockaddr_in6{};
+
+<sys/socket.h> AF_INET6
+<sys/socket.h> PF_INET6
+<sys/socket.h> struct sockaddr_storage;
+
+ The following list summarizes the function and macro prototypes
+ discussed in this memo, sorted by header.
+
+<arpa/inet.h> int inet_pton(int, const char *, void *);
+<arpa/inet.h> const char *inet_ntop(int, const void *,
+ char *, socklen_t);
+
+
+
+
+
+Gilligan, et al. Informational [Page 34]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+<net/if.h> char *if_indextoname(unsigned int, char *);
+<net/if.h> unsigned int if_nametoindex(const char *);
+<net/if.h> void if_freenameindex(struct if_nameindex *);
+<net/if.h> struct if_nameindex *if_nameindex(void);
+
+<netdb.h> int getaddrinfo(const char *, const char *,
+ const struct addrinfo *,
+ struct addrinfo **);
+<netdb.h> int getnameinfo(const struct sockaddr *, socklen_t,
+ char *, socklen_t, char *, socklen_t, int);
+<netdb.h> void freeaddrinfo(struct addrinfo *);
+<netdb.h> const char *gai_strerror(int);
+
+<netinet/in.h> int IN6_IS_ADDR_LINKLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_LOOPBACK(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_GLOBAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_LINKLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_NODELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_ORGLOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MC_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_MULTICAST(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_SITELOCAL(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_UNSPECIFIED(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4COMPAT(const struct in6_addr *);
+<netinet/in.h> int IN6_IS_ADDR_V4MAPPED(const struct in6_addr *);
+
+8. Security Considerations
+
+ IPv6 provides a number of new security mechanisms, many of which need
+ to be accessible to applications. Companion memos detailing the
+ extensions to the socket interfaces to support IPv6 security are
+ being written.
+
+9. Changes from RFC 2553
+
+ 1. Add brief description of the history of this API and its relation
+ to the Open Group/IEEE/ISO standards.
+
+ 2. Alignments with [3].
+
+ 3. Removed all references to getipnodebyname() and getipnodebyaddr(),
+ which are deprecated in favor of getaddrinfo() and getnameinfo().
+
+ 4. Added IPV6_V6ONLY IP level socket option to permit nodes to not
+ process IPv4 packets as IPv4 Mapped addresses in implementations.
+
+ 5. Added SIIT to references and added new contributors.
+
+
+
+
+Gilligan, et al. Informational [Page 35]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+ 6. In previous versions of this specification, the sin6_flowinfo
+ field was associated with the IPv6 traffic class and flow label,
+ but its usage was not completely specified. The complete
+ definition of the sin6_flowinfo field, including its association
+ with the traffic class or flow label, is now deferred to a future
+ specification.
+
+10. Acknowledgments
+
+ This specification's evolution and completeness were significantly
+ influenced by the efforts of Richard Stevens, who has passed on.
+ Richard's wisdom and talent made the specification what it is today.
+ The co-authors will long think of Richard with great respect.
+
+ Thanks to the many people who made suggestions and provided feedback
+ to this document, including:
+
+ Werner Almesberger, Ran Atkinson, Fred Baker, Dave Borman, Andrew
+ Cherenson, Alex Conta, Alan Cox, Steve Deering, Richard Draves,
+ Francis Dupont, Robert Elz, Brian Haberman, Jun-ichiro itojun Hagino,
+ Marc Hasson, Tom Herbert, Bob Hinden, Wan-Yen Hsu, Christian Huitema,
+ Koji Imada, Markus Jork, Ron Lee, Alan Lloyd, Charles Lynn, Dan
+ McDonald, Dave Mitton, Finnbarr Murphy, Thomas Narten, Josh Osborne,
+ Craig Partridge, Jean-Luc Richier, Bill Sommerfield, Erik Scoredos,
+ Keith Sklower, JINMEI Tatuya, Dave Thaler, Matt Thomas, Harvey
+ Thompson, Dean D. Throop, Karen Tracey, Glenn Trewitt, Paul Vixie,
+ David Waitzman, Carl Williams, Kazu Yamamoto, Vlad Yasevich, Stig
+ Venaas, and Brian Zill.
+
+ The getaddrinfo() and getnameinfo() functions are taken from an
+ earlier document by Keith Sklower. As noted in that document,
+ William Durst, Steven Wise, Michael Karels, and Eric Allman provided
+ many useful discussions on the subject of protocol-independent name-
+ to-address translation, and reviewed early versions of Keith
+ Sklower's original proposal. Eric Allman implemented the first
+ prototype of getaddrinfo(). The observation that specifying the pair
+ of name and service would suffice for connecting to a service
+ independent of protocol details was made by Marshall Rose in a
+ proposal to X/Open for a "Uniform Network Interface".
+
+ Craig Metz, Jack McCann, Erik Nordmark, Tim Hartrick, and Mukesh
+ Kacker made many contributions to this document. Ramesh Govindan
+ made a number of contributions and co-authored an earlier version of
+ this memo.
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 36]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+11. References
+
+ [1] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
+ Specification", RFC 2460, December 1998.
+
+ [2] Hinden, R. and S. Deering, "IP Version 6 Addressing
+ Architecture", RFC 2373, July 1998.
+
+ [3] IEEE Std. 1003.1-2001 Standard for Information Technology --
+ Portable Operating System Interface (POSIX). Open Group
+ Technical Standard: Base Specifications, Issue 6, December 2001.
+ ISO/IEC 9945:2002. http://www.opengroup.org/austin
+
+ [4] Stevens, W. and M. Thomas, "Advanced Sockets API for IPv6", RFC
+ 2292, February 1998.
+
+ [5] Nordmark, E., "Stateless IP/ICMP Translation Algorithm (SIIT)",
+ RFC 2765, February 2000.
+
+ [6] The Open Group Base Working Group
+ http://www.opengroup.org/platform/base.html
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 37]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+12. Authors' Addresses
+
+ Bob Gilligan
+ Intransa, Inc.
+ 2870 Zanker Rd.
+ San Jose, CA 95134
+
+ Phone: 408-678-8647
+ EMail: gilligan@intransa.com
+
+
+ Susan Thomson
+ Cisco Systems
+ 499 Thornall Street, 8th floor
+ Edison, NJ 08837
+
+ Phone: 732-635-3086
+ EMail: sethomso@cisco.com
+
+
+ Jim Bound
+ Hewlett-Packard Company
+ 110 Spitbrook Road ZKO3-3/W20
+ Nashua, NH 03062
+
+ Phone: 603-884-0062
+ EMail: Jim.Bound@hp.com
+
+
+ Jack McCann
+ Hewlett-Packard Company
+ 110 Spitbrook Road ZKO3-3/W20
+ Nashua, NH 03062
+
+ Phone: 603-884-2608
+ EMail: Jack.McCann@hp.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 38]
+
+RFC 3493 Basic Socket Interface Extensions for IPv6 February 2003
+
+
+13. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gilligan, et al. Informational [Page 39]
+
diff --git a/contrib/bind9/doc/rfc/rfc3513.txt b/contrib/bind9/doc/rfc/rfc3513.txt
new file mode 100644
index 0000000..49c0fa4
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3513.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Network Working Group R. Hinden
+Request for Comments: 3513 Nokia
+Obsoletes: 2373 S. Deering
+Category: Standards Track Cisco Systems
+ April 2003
+
+
+ Internet Protocol Version 6 (IPv6) Addressing Architecture
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This specification defines the addressing architecture of the IP
+ Version 6 (IPv6) protocol. The document includes the IPv6 addressing
+ model, text representations of IPv6 addresses, definition of IPv6
+ unicast addresses, anycast addresses, and multicast addresses, and an
+ IPv6 node's required addresses.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 1]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+Table of Contents
+
+ 1. Introduction.................................................3
+ 2. IPv6 Addressing..............................................3
+ 2.1 Addressing Model.........................................4
+ 2.2 Text Representation of Addresses.........................4
+ 2.3 Text Representation of Address Prefixes..................5
+ 2.4 Address Type Identification..............................6
+ 2.5 Unicast Addresses........................................7
+ 2.5.1 Interface Identifiers..............................8
+ 2.5.2 The Unspecified Address............................9
+ 2.5.3 The Loopback Address...............................9
+ 2.5.4 Global Unicast Addresses..........................10
+ 2.5.5 IPv6 Addresses with Embedded IPv4 Addresses.......10
+ 2.5.6 Local-use IPv6 Unicast Addresses..................11
+ 2.6 Anycast Addresses.......................................12
+ 2.6.1 Required Anycast Address..........................13
+ 2.7 Multicast Addresses.....................................13
+ 2.7.1 Pre-Defined Multicast Addresses...................15
+ 2.8 A Node's Required Addresses.............................17
+ 3. Security Considerations.....................................17
+ 4. IANA Considerations.........................................18
+ 5. References..................................................19
+ 5.1 Normative References....................................19
+ 5.2 Informative References..................................19
+ APPENDIX A: Creating Modified EUI-64 format Interface IDs......21
+ APPENDIX B: Changes from RFC-2373..............................24
+ Authors' Addresses.............................................25
+ Full Copyright Statement.......................................26
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 2]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+1. Introduction
+
+ This specification defines the addressing architecture of the IP
+ Version 6 (IPv6) protocol. It includes the basic formats for the
+ various types of IPv6 addresses (unicast, anycast, and multicast).
+
+ The authors would like to acknowledge the contributions of Paul
+ Francis, Scott Bradner, Jim Bound, Brian Carpenter, Matt Crawford,
+ Deborah Estrin, Roger Fajman, Bob Fink, Peter Ford, Bob Gilligan,
+ Dimitry Haskin, Tom Harsch, Christian Huitema, Tony Li, Greg
+ Minshall, Thomas Narten, Erik Nordmark, Yakov Rekhter, Bill Simpson,
+ Sue Thomson, Markku Savela, and Larry Masinter.
+
+2. IPv6 Addressing
+
+ IPv6 addresses are 128-bit identifiers for interfaces and sets of
+ interfaces (where "interface" is as defined in section 2 of [IPV6]).
+ There are three types of addresses:
+
+ Unicast: An identifier for a single interface. A packet sent to a
+ unicast address is delivered to the interface identified
+ by that address.
+
+ Anycast: An identifier for a set of interfaces (typically belonging
+ to different nodes). A packet sent to an anycast address
+ is delivered to one of the interfaces identified by that
+ address (the "nearest" one, according to the routing
+ protocols' measure of distance).
+
+ Multicast: An identifier for a set of interfaces (typically belonging
+ to different nodes). A packet sent to a multicast address
+ is delivered to all interfaces identified by that address.
+
+ There are no broadcast addresses in IPv6, their function being
+ superseded by multicast addresses.
+
+ In this document, fields in addresses are given a specific name, for
+ example "subnet". When this name is used with the term "ID" for
+ identifier after the name (e.g., "subnet ID"), it refers to the
+ contents of the named field. When it is used with the term "prefix"
+ (e.g., "subnet prefix") it refers to all of the address from the left
+ up to and including this field.
+
+ In IPv6, all zeros and all ones are legal values for any field,
+ unless specifically excluded. Specifically, prefixes may contain, or
+ end with, zero-valued fields.
+
+
+
+
+
+Hinden & Deering Standards Track [Page 3]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+2.1 Addressing Model
+
+ IPv6 addresses of all types are assigned to interfaces, not nodes.
+ An IPv6 unicast address refers to a single interface. Since each
+ interface belongs to a single node, any of that node's interfaces'
+ unicast addresses may be used as an identifier for the node.
+
+ All interfaces are required to have at least one link-local unicast
+ address (see section 2.8 for additional required addresses). A
+ single interface may also have multiple IPv6 addresses of any type
+ (unicast, anycast, and multicast) or scope. Unicast addresses with
+ scope greater than link-scope are not needed for interfaces that are
+ not used as the origin or destination of any IPv6 packets to or from
+ non-neighbors. This is sometimes convenient for point-to-point
+ interfaces. There is one exception to this addressing model:
+
+ A unicast address or a set of unicast addresses may be assigned to
+ multiple physical interfaces if the implementation treats the
+ multiple physical interfaces as one interface when presenting it
+ to the internet layer. This is useful for load-sharing over
+ multiple physical interfaces.
+
+ Currently IPv6 continues the IPv4 model that a subnet prefix is
+ associated with one link. Multiple subnet prefixes may be assigned
+ to the same link.
+
+2.2 Text Representation of Addresses
+
+ There are three conventional forms for representing IPv6 addresses as
+ text strings:
+
+ 1. The preferred form is x:x:x:x:x:x:x:x, where the 'x's are the
+ hexadecimal values of the eight 16-bit pieces of the address.
+
+ Examples:
+
+ FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
+
+ 1080:0:0:0:8:800:200C:417A
+
+ Note that it is not necessary to write the leading zeros in an
+ individual field, but there must be at least one numeral in every
+ field (except for the case described in 2.).
+
+ 2. Due to some methods of allocating certain styles of IPv6
+ addresses, it will be common for addresses to contain long strings
+ of zero bits. In order to make writing addresses containing zero
+ bits easier a special syntax is available to compress the zeros.
+
+
+
+Hinden & Deering Standards Track [Page 4]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ The use of "::" indicates one or more groups of 16 bits of zeros.
+ The "::" can only appear once in an address. The "::" can also be
+ used to compress leading or trailing zeros in an address.
+
+ For example, the following addresses:
+
+ 1080:0:0:0:8:800:200C:417A a unicast address
+ FF01:0:0:0:0:0:0:101 a multicast address
+ 0:0:0:0:0:0:0:1 the loopback address
+ 0:0:0:0:0:0:0:0 the unspecified addresses
+
+ may be represented as:
+
+ 1080::8:800:200C:417A a unicast address
+ FF01::101 a multicast address
+ ::1 the loopback address
+ :: the unspecified addresses
+
+ 3. An alternative form that is sometimes more convenient when dealing
+ with a mixed environment of IPv4 and IPv6 nodes is
+ x:x:x:x:x:x:d.d.d.d, where the 'x's are the hexadecimal values of
+ the six high-order 16-bit pieces of the address, and the 'd's are
+ the decimal values of the four low-order 8-bit pieces of the
+ address (standard IPv4 representation). Examples:
+
+ 0:0:0:0:0:0:13.1.68.3
+
+ 0:0:0:0:0:FFFF:129.144.52.38
+
+ or in compressed form:
+
+ ::13.1.68.3
+
+ ::FFFF:129.144.52.38
+
+2.3 Text Representation of Address Prefixes
+
+ The text representation of IPv6 address prefixes is similar to the
+ way IPv4 addresses prefixes are written in CIDR notation [CIDR]. An
+ IPv6 address prefix is represented by the notation:
+
+ ipv6-address/prefix-length
+
+ where
+
+ ipv6-address is an IPv6 address in any of the notations listed
+ in section 2.2.
+
+
+
+
+Hinden & Deering Standards Track [Page 5]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ prefix-length is a decimal value specifying how many of the
+ leftmost contiguous bits of the address comprise
+ the prefix.
+
+ For example, the following are legal representations of the 60-bit
+ prefix 12AB00000000CD3 (hexadecimal):
+
+ 12AB:0000:0000:CD30:0000:0000:0000:0000/60
+ 12AB::CD30:0:0:0:0/60
+ 12AB:0:0:CD30::/60
+
+ The following are NOT legal representations of the above prefix:
+
+ 12AB:0:0:CD3/60 may drop leading zeros, but not trailing zeros,
+ within any 16-bit chunk of the address
+
+ 12AB::CD30/60 address to left of "/" expands to
+ 12AB:0000:0000:0000:0000:000:0000:CD30
+
+ 12AB::CD3/60 address to left of "/" expands to
+ 12AB:0000:0000:0000:0000:000:0000:0CD3
+
+ When writing both a node address and a prefix of that node address
+ (e.g., the node's subnet prefix), the two can combined as follows:
+
+ the node address 12AB:0:0:CD30:123:4567:89AB:CDEF
+ and its subnet number 12AB:0:0:CD30::/60
+
+ can be abbreviated as 12AB:0:0:CD30:123:4567:89AB:CDEF/60
+
+2.4 Address Type Identification
+
+ The type of an IPv6 address is identified by the high-order bits of
+ the address, as follows:
+
+ Address type Binary prefix IPv6 notation Section
+ ------------ ------------- ------------- -------
+ Unspecified 00...0 (128 bits) ::/128 2.5.2
+ Loopback 00...1 (128 bits) ::1/128 2.5.3
+ Multicast 11111111 FF00::/8 2.7
+ Link-local unicast 1111111010 FE80::/10 2.5.6
+ Site-local unicast 1111111011 FEC0::/10 2.5.6
+ Global unicast (everything else)
+
+ Anycast addresses are taken from the unicast address spaces (of any
+ scope) and are not syntactically distinguishable from unicast
+ addresses.
+
+
+
+
+Hinden & Deering Standards Track [Page 6]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ The general format of global unicast addresses is described in
+ section 2.5.4. Some special-purpose subtypes of global unicast
+ addresses which contain embedded IPv4 addresses (for the purposes of
+ IPv4-IPv6 interoperation) are described in section 2.5.5.
+
+ Future specifications may redefine one or more sub-ranges of the
+ global unicast space for other purposes, but unless and until that
+ happens, implementations must treat all addresses that do not start
+ with any of the above-listed prefixes as global unicast addresses.
+
+2.5 Unicast Addresses
+
+ IPv6 unicast addresses are aggregable with prefixes of arbitrary
+ bit-length similar to IPv4 addresses under Classless Interdomain
+ Routing.
+
+ There are several types of unicast addresses in IPv6, in particular
+ global unicast, site-local unicast, and link-local unicast. There
+ are also some special-purpose subtypes of global unicast, such as
+ IPv6 addresses with embedded IPv4 addresses or encoded NSAP
+ addresses. Additional address types or subtypes can be defined in
+ the future.
+
+ IPv6 nodes may have considerable or little knowledge of the internal
+ structure of the IPv6 address, depending on the role the node plays
+ (for instance, host versus router). At a minimum, a node may
+ consider that unicast addresses (including its own) have no internal
+ structure:
+
+ | 128 bits |
+ +-----------------------------------------------------------------+
+ | node address |
+ +-----------------------------------------------------------------+
+
+ A slightly sophisticated host (but still rather simple) may
+ additionally be aware of subnet prefix(es) for the link(s) it is
+ attached to, where different addresses may have different values for
+ n:
+
+ | n bits | 128-n bits |
+ +------------------------------------------------+----------------+
+ | subnet prefix | interface ID |
+ +------------------------------------------------+----------------+
+
+ Though a very simple router may have no knowledge of the internal
+ structure of IPv6 unicast addresses, routers will more generally have
+ knowledge of one or more of the hierarchical boundaries for the
+ operation of routing protocols. The known boundaries will differ
+
+
+
+Hinden & Deering Standards Track [Page 7]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ from router to router, depending on what positions the router holds
+ in the routing hierarchy.
+
+2.5.1 Interface Identifiers
+
+ Interface identifiers in IPv6 unicast addresses are used to identify
+ interfaces on a link. They are required to be unique within a subnet
+ prefix. It is recommended that the same interface identifier not be
+ assigned to different nodes on a link. They may also be unique over
+ a broader scope. In some cases an interface's identifier will be
+ derived directly from that interface's link-layer address. The same
+ interface identifier may be used on multiple interfaces on a single
+ node, as long as they are attached to different subnets.
+
+ Note that the uniqueness of interface identifiers is independent of
+ the uniqueness of IPv6 addresses. For example, a global unicast
+ address may be created with a non-global scope interface identifier
+ and a site-local address may be created with a global scope interface
+ identifier.
+
+ For all unicast addresses, except those that start with binary value
+ 000, Interface IDs are required to be 64 bits long and to be
+ constructed in Modified EUI-64 format.
+
+ Modified EUI-64 format based Interface identifiers may have global
+ scope when derived from a global token (e.g., IEEE 802 48-bit MAC or
+ IEEE EUI-64 identifiers [EUI64]) or may have local scope where a
+ global token is not available (e.g., serial links, tunnel end-points,
+ etc.) or where global tokens are undesirable (e.g., temporary tokens
+ for privacy [PRIV]).
+
+ Modified EUI-64 format interface identifiers are formed by inverting
+ the "u" bit (universal/local bit in IEEE EUI-64 terminology) when
+ forming the interface identifier from IEEE EUI-64 identifiers. In
+ the resulting Modified EUI-64 format the "u" bit is set to one (1) to
+ indicate global scope, and it is set to zero (0) to indicate local
+ scope. The first three octets in binary of an IEEE EUI-64 identifier
+ are as follows:
+
+ 0 0 0 1 1 2
+ |0 7 8 5 6 3|
+ +----+----+----+----+----+----+
+ |cccc|ccug|cccc|cccc|cccc|cccc|
+ +----+----+----+----+----+----+
+
+ written in Internet standard bit-order , where "u" is the
+ universal/local bit, "g" is the individual/group bit, and "c" are the
+ bits of the company_id. Appendix A: "Creating Modified EUI-64 format
+
+
+
+Hinden & Deering Standards Track [Page 8]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ Interface Identifiers" provides examples on the creation of Modified
+ EUI-64 format based interface identifiers.
+
+ The motivation for inverting the "u" bit when forming an interface
+ identifier is to make it easy for system administrators to hand
+ configure non-global identifiers when hardware tokens are not
+ available. This is expected to be case for serial links, tunnel end-
+ points, etc. The alternative would have been for these to be of the
+ form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler 1, 2,
+ etc.
+
+ The use of the universal/local bit in the Modified EUI-64 format
+ identifier is to allow development of future technology that can take
+ advantage of interface identifiers with global scope.
+
+ The details of forming interface identifiers are defined in the
+ appropriate "IPv6 over <link>" specification such as "IPv6 over
+ Ethernet" [ETHER], "IPv6 over FDDI" [FDDI], etc.
+
+2.5.2 The Unspecified Address
+
+ The address 0:0:0:0:0:0:0:0 is called the unspecified address. It
+ must never be assigned to any node. It indicates the absence of an
+ address. One example of its use is in the Source Address field of
+ any IPv6 packets sent by an initializing host before it has learned
+ its own address.
+
+ The unspecified address must not be used as the destination address
+ of IPv6 packets or in IPv6 Routing Headers. An IPv6 packet with a
+ source address of unspecified must never be forwarded by an IPv6
+ router.
+
+2.5.3 The Loopback Address
+
+ The unicast address 0:0:0:0:0:0:0:1 is called the loopback address.
+ It may be used by a node to send an IPv6 packet to itself. It may
+ never be assigned to any physical interface. It is treated as
+ having link-local scope, and may be thought of as the link-local
+ unicast address of a virtual interface (typically called "the
+ loopback interface") to an imaginary link that goes nowhere.
+
+ The loopback address must not be used as the source address in IPv6
+ packets that are sent outside of a single node. An IPv6 packet with
+ a destination address of loopback must never be sent outside of a
+ single node and must never be forwarded by an IPv6 router. A packet
+ received on an interface with destination address of loopback must be
+ dropped.
+
+
+
+
+Hinden & Deering Standards Track [Page 9]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+2.5.4 Global Unicast Addresses
+
+ The general format for IPv6 global unicast addresses is as follows:
+
+ | n bits | m bits | 128-n-m bits |
+ +------------------------+-----------+----------------------------+
+ | global routing prefix | subnet ID | interface ID |
+ +------------------------+-----------+----------------------------+
+
+ where the global routing prefix is a (typically hierarchically-
+ structured) value assigned to a site (a cluster of subnets/links),
+ the subnet ID is an identifier of a link within the site, and the
+ interface ID is as defined in section 2.5.1.
+
+ All global unicast addresses other than those that start with binary
+ 000 have a 64-bit interface ID field (i.e., n + m = 64), formatted as
+ described in section 2.5.1. Global unicast addresses that start with
+ binary 000 have no such constraint on the size or structure of the
+ interface ID field.
+
+ Examples of global unicast addresses that start with binary 000 are
+ the IPv6 address with embedded IPv4 addresses described in section
+ 2.5.5 and the IPv6 address containing encoded NSAP addresses
+ specified in [NSAP]. An example of global addresses starting with a
+ binary value other than 000 (and therefore having a 64-bit interface
+ ID field) can be found in [AGGR].
+
+2.5.5 IPv6 Addresses with Embedded IPv4 Addresses
+
+ The IPv6 transition mechanisms [TRAN] include a technique for hosts
+ and routers to dynamically tunnel IPv6 packets over IPv4 routing
+ infrastructure. IPv6 nodes that use this technique are assigned
+ special IPv6 unicast addresses that carry a global IPv4 address in
+ the low-order 32 bits. This type of address is termed an "IPv4-
+ compatible IPv6 address" and has the format:
+
+ | 80 bits | 16 | 32 bits |
+ +--------------------------------------+--------------------------+
+ |0000..............................0000|0000| IPv4 address |
+ +--------------------------------------+----+---------------------+
+
+ Note: The IPv4 address used in the "IPv4-compatible IPv6 address"
+ must be a globally-unique IPv4 unicast address.
+
+ A second type of IPv6 address which holds an embedded IPv4 address is
+ also defined. This address type is used to represent the addresses
+ of IPv4 nodes as IPv6 addresses. This type of address is termed an
+ "IPv4-mapped IPv6 address" and has the format:
+
+
+
+Hinden & Deering Standards Track [Page 10]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ | 80 bits | 16 | 32 bits |
+ +--------------------------------------+--------------------------+
+ |0000..............................0000|FFFF| IPv4 address |
+ +--------------------------------------+----+---------------------+
+
+2.5.6 Local-Use IPv6 Unicast Addresses
+
+ There are two types of local-use unicast addresses defined. These
+ are Link-Local and Site-Local. The Link-Local is for use on a single
+ link and the Site-Local is for use in a single site. Link-Local
+ addresses have the following format:
+
+ | 10 |
+ | bits | 54 bits | 64 bits |
+ +----------+-------------------------+----------------------------+
+ |1111111010| 0 | interface ID |
+ +----------+-------------------------+----------------------------+
+
+ Link-Local addresses are designed to be used for addressing on a
+ single link for purposes such as automatic address configuration,
+ neighbor discovery, or when no routers are present.
+
+ Routers must not forward any packets with link-local source or
+ destination addresses to other links.
+
+ Site-Local addresses have the following format:
+
+ | 10 |
+ | bits | 54 bits | 64 bits |
+ +----------+-------------------------+----------------------------+
+ |1111111011| subnet ID | interface ID |
+ +----------+-------------------------+----------------------------+
+
+ Site-local addresses are designed to be used for addressing inside of
+ a site without the need for a global prefix. Although a subnet ID
+ may be up to 54-bits long, it is expected that globally-connected
+ sites will use the same subnet IDs for site-local and global
+ prefixes.
+
+ Routers must not forward any packets with site-local source or
+ destination addresses outside of the site.
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 11]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+2.6 Anycast Addresses
+
+ An IPv6 anycast address is an address that is assigned to more than
+ one interface (typically belonging to different nodes), with the
+ property that a packet sent to an anycast address is routed to the
+ "nearest" interface having that address, according to the routing
+ protocols' measure of distance.
+
+ Anycast addresses are allocated from the unicast address space, using
+ any of the defined unicast address formats. Thus, anycast addresses
+ are syntactically indistinguishable from unicast addresses. When a
+ unicast address is assigned to more than one interface, thus turning
+ it into an anycast address, the nodes to which the address is
+ assigned must be explicitly configured to know that it is an anycast
+ address.
+
+ For any assigned anycast address, there is a longest prefix P of that
+ address that identifies the topological region in which all
+ interfaces belonging to that anycast address reside. Within the
+ region identified by P, the anycast address must be maintained as a
+ separate entry in the routing system (commonly referred to as a "host
+ route"); outside the region identified by P, the anycast address may
+ be aggregated into the routing entry for prefix P.
+
+ Note that in the worst case, the prefix P of an anycast set may be
+ the null prefix, i.e., the members of the set may have no topological
+ locality. In that case, the anycast address must be maintained as a
+ separate routing entry throughout the entire internet, which presents
+ a severe scaling limit on how many such "global" anycast sets may be
+ supported. Therefore, it is expected that support for global anycast
+ sets may be unavailable or very restricted.
+
+ One expected use of anycast addresses is to identify the set of
+ routers belonging to an organization providing internet service.
+ Such addresses could be used as intermediate addresses in an IPv6
+ Routing header, to cause a packet to be delivered via a particular
+ service provider or sequence of service providers.
+
+ Some other possible uses are to identify the set of routers attached
+ to a particular subnet, or the set of routers providing entry into a
+ particular routing domain.
+
+ There is little experience with widespread, arbitrary use of internet
+ anycast addresses, and some known complications and hazards when
+ using them in their full generality [ANYCST]. Until more experience
+ has been gained and solutions are specified, the following
+ restrictions are imposed on IPv6 anycast addresses:
+
+
+
+
+Hinden & Deering Standards Track [Page 12]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ o An anycast address must not be used as the source address of an
+ IPv6 packet.
+
+ o An anycast address must not be assigned to an IPv6 host, that is,
+ it may be assigned to an IPv6 router only.
+
+2.6.1 Required Anycast Address
+
+ The Subnet-Router anycast address is predefined. Its format is as
+ follows:
+
+ | n bits | 128-n bits |
+ +------------------------------------------------+----------------+
+ | subnet prefix | 00000000000000 |
+ +------------------------------------------------+----------------+
+
+ The "subnet prefix" in an anycast address is the prefix which
+ identifies a specific link. This anycast address is syntactically
+ the same as a unicast address for an interface on the link with the
+ interface identifier set to zero.
+
+ Packets sent to the Subnet-Router anycast address will be delivered
+ to one router on the subnet. All routers are required to support the
+ Subnet-Router anycast addresses for the subnets to which they have
+ interfaces.
+
+ The subnet-router anycast address is intended to be used for
+ applications where a node needs to communicate with any one of the
+ set of routers.
+
+2.7 Multicast Addresses
+
+ An IPv6 multicast address is an identifier for a group of interfaces
+ (typically on different nodes). An interface may belong to any
+ number of multicast groups. Multicast addresses have the following
+ format:
+
+ | 8 | 4 | 4 | 112 bits |
+ +------ -+----+----+---------------------------------------------+
+ |11111111|flgs|scop| group ID |
+ +--------+----+----+---------------------------------------------+
+
+ binary 11111111 at the start of the address identifies the
+ address as being a multicast address.
+
+ +-+-+-+-+
+ flgs is a set of 4 flags: |0|0|0|T|
+ +-+-+-+-+
+
+
+
+Hinden & Deering Standards Track [Page 13]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ The high-order 3 flags are reserved, and must be initialized
+ to 0.
+
+ T = 0 indicates a permanently-assigned ("well-known")
+ multicast address, assigned by the Internet Assigned Number
+ Authority (IANA).
+
+ T = 1 indicates a non-permanently-assigned ("transient")
+ multicast address.
+
+ scop is a 4-bit multicast scope value used to limit the scope
+ of the multicast group. The values are:
+
+ 0 reserved
+ 1 interface-local scope
+ 2 link-local scope
+ 3 reserved
+ 4 admin-local scope
+ 5 site-local scope
+ 6 (unassigned)
+ 7 (unassigned)
+ 8 organization-local scope
+ 9 (unassigned)
+ A (unassigned)
+ B (unassigned)
+ C (unassigned)
+ D (unassigned)
+ E global scope
+ F reserved
+
+ interface-local scope spans only a single interface on a
+ node, and is useful only for loopback transmission of
+ multicast.
+
+ link-local and site-local multicast scopes span the same
+ topological regions as the corresponding unicast scopes.
+
+ admin-local scope is the smallest scope that must be
+ administratively configured, i.e., not automatically derived
+ from physical connectivity or other, non- multicast-related
+ configuration.
+
+ organization-local scope is intended to span multiple sites
+ belonging to a single organization.
+
+ scopes labeled "(unassigned)" are available for
+ administrators to define additional multicast regions.
+
+
+
+
+Hinden & Deering Standards Track [Page 14]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ group ID identifies the multicast group, either permanent or
+ transient, within the given scope.
+
+ The "meaning" of a permanently-assigned multicast address is
+ independent of the scope value. For example, if the "NTP servers
+ group" is assigned a permanent multicast address with a group ID of
+ 101 (hex), then:
+
+ FF01:0:0:0:0:0:0:101 means all NTP servers on the same interface
+ (i.e., the same node) as the sender.
+
+ FF02:0:0:0:0:0:0:101 means all NTP servers on the same link as the
+ sender.
+
+ FF05:0:0:0:0:0:0:101 means all NTP servers in the same site as the
+ sender.
+
+ FF0E:0:0:0:0:0:0:101 means all NTP servers in the internet.
+
+ Non-permanently-assigned multicast addresses are meaningful only
+ within a given scope. For example, a group identified by the non-
+ permanent, site-local multicast address FF15:0:0:0:0:0:0:101 at one
+ site bears no relationship to a group using the same address at a
+ different site, nor to a non-permanent group using the same group ID
+ with different scope, nor to a permanent group with the same group
+ ID.
+
+ Multicast addresses must not be used as source addresses in IPv6
+ packets or appear in any Routing header.
+
+ Routers must not forward any multicast packets beyond of the scope
+ indicated by the scop field in the destination multicast address.
+
+ Nodes must not originate a packet to a multicast address whose scop
+ field contains the reserved value 0; if such a packet is received, it
+ must be silently dropped. Nodes should not originate a packet to a
+ multicast address whose scop field contains the reserved value F; if
+ such a packet is sent or received, it must be treated the same as
+ packets destined to a global (scop E) multicast address.
+
+2.7.1 Pre-Defined Multicast Addresses
+
+ The following well-known multicast addresses are pre-defined. The
+ group ID's defined in this section are defined for explicit scope
+ values.
+
+ Use of these group IDs for any other scope values, with the T flag
+ equal to 0, is not allowed.
+
+
+
+Hinden & Deering Standards Track [Page 15]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ Reserved Multicast Addresses: FF00:0:0:0:0:0:0:0
+ FF01:0:0:0:0:0:0:0
+ FF02:0:0:0:0:0:0:0
+ FF03:0:0:0:0:0:0:0
+ FF04:0:0:0:0:0:0:0
+ FF05:0:0:0:0:0:0:0
+ FF06:0:0:0:0:0:0:0
+ FF07:0:0:0:0:0:0:0
+ FF08:0:0:0:0:0:0:0
+ FF09:0:0:0:0:0:0:0
+ FF0A:0:0:0:0:0:0:0
+ FF0B:0:0:0:0:0:0:0
+ FF0C:0:0:0:0:0:0:0
+ FF0D:0:0:0:0:0:0:0
+ FF0E:0:0:0:0:0:0:0
+ FF0F:0:0:0:0:0:0:0
+
+ The above multicast addresses are reserved and shall never be
+ assigned to any multicast group.
+
+ All Nodes Addresses: FF01:0:0:0:0:0:0:1
+ FF02:0:0:0:0:0:0:1
+
+ The above multicast addresses identify the group of all IPv6 nodes,
+ within scope 1 (interface-local) or 2 (link-local).
+
+ All Routers Addresses: FF01:0:0:0:0:0:0:2
+ FF02:0:0:0:0:0:0:2
+ FF05:0:0:0:0:0:0:2
+
+ The above multicast addresses identify the group of all IPv6 routers,
+ within scope 1 (interface-local), 2 (link-local), or 5 (site-local).
+
+ Solicited-Node Address: FF02:0:0:0:0:1:FFXX:XXXX
+
+ Solicited-node multicast address are computed as a function of a
+ node's unicast and anycast addresses. A solicited-node multicast
+ address is formed by taking the low-order 24 bits of an address
+ (unicast or anycast) and appending those bits to the prefix
+ FF02:0:0:0:0:1:FF00::/104 resulting in a multicast address in the
+ range
+
+ FF02:0:0:0:0:1:FF00:0000
+
+ to
+
+ FF02:0:0:0:0:1:FFFF:FFFF
+
+
+
+
+Hinden & Deering Standards Track [Page 16]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ For example, the solicited node multicast address corresponding to
+ the IPv6 address 4037::01:800:200E:8C6C is FF02::1:FF0E:8C6C. IPv6
+ addresses that differ only in the high-order bits, e.g., due to
+ multiple high-order prefixes associated with different aggregations,
+ will map to the same solicited-node address thereby, reducing the
+ number of multicast addresses a node must join.
+
+ A node is required to compute and join (on the appropriate interface)
+ the associated Solicited-Node multicast addresses for every unicast
+ and anycast address it is assigned.
+
+2.8 A Node's Required Addresses
+
+ A host is required to recognize the following addresses as
+ identifying itself:
+
+ o Its required Link-Local Address for each interface.
+ o Any additional Unicast and Anycast Addresses that have been
+ configured for the node's interfaces (manually or
+ automatically).
+ o The loopback address.
+ o The All-Nodes Multicast Addresses defined in section 2.7.1.
+ o The Solicited-Node Multicast Address for each of its unicast
+ and anycast addresses.
+ o Multicast Addresses of all other groups to which the node
+ belongs.
+
+ A router is required to recognize all addresses that a host is
+ required to recognize, plus the following addresses as identifying
+ itself:
+
+ o The Subnet-Router Anycast Addresses for all interfaces for
+ which it is configured to act as a router.
+ o All other Anycast Addresses with which the router has been
+ configured.
+ o The All-Routers Multicast Addresses defined in section 2.7.1.
+
+3. Security Considerations
+
+ IPv6 addressing documents do not have any direct impact on Internet
+ infrastructure security. Authentication of IPv6 packets is defined
+ in [AUTH].
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 17]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+4. IANA Considerations
+
+ The table and notes at http://www.isi.edu/in-
+ notes/iana/assignments/ipv6-address-space.txt should be replaced with
+ the following:
+
+ INTERNET PROTOCOL VERSION 6 ADDRESS SPACE
+
+ The initial assignment of IPv6 address space is as follows:
+
+ Allocation Prefix Fraction of
+ (binary) Address Space
+ ----------------------------------- -------- -------------
+ Unassigned (see Note 1 below) 0000 0000 1/256
+ Unassigned 0000 0001 1/256
+ Reserved for NSAP Allocation 0000 001 1/128 [RFC1888]
+ Unassigned 0000 01 1/64
+ Unassigned 0000 1 1/32
+ Unassigned 0001 1/16
+ Global Unicast 001 1/8 [RFC2374]
+ Unassigned 010 1/8
+ Unassigned 011 1/8
+ Unassigned 100 1/8
+ Unassigned 101 1/8
+ Unassigned 110 1/8
+ Unassigned 1110 1/16
+ Unassigned 1111 0 1/32
+ Unassigned 1111 10 1/64
+ Unassigned 1111 110 1/128
+ Unassigned 1111 1110 0 1/512
+ Link-Local Unicast Addresses 1111 1110 10 1/1024
+ Site-Local Unicast Addresses 1111 1110 11 1/1024
+ Multicast Addresses 1111 1111 1/256
+
+ Notes:
+
+ 1. The "unspecified address", the "loopback address", and the IPv6
+ Addresses with Embedded IPv4 Addresses are assigned out of the
+ 0000 0000 binary prefix space.
+
+ 2. For now, IANA should limit its allocation of IPv6 unicast address
+ space to the range of addresses that start with binary value 001.
+ The rest of the global unicast address space (approximately 85% of
+ the IPv6 address space) is reserved for future definition and use,
+ and is not to be assigned by IANA at this time.
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 18]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+5. References
+
+5.1 Normative References
+
+ [IPV6] Deering, S. and R. Hinden, "Internet Protocol, Version 6
+ (IPv6) Specification", RFC 2460, December 1998.
+
+ [RFC2026] Bradner, S., "The Internet Standards Process -- Revision
+ 3", BCP 9 , RFC 2026, October 1996.
+
+5.2 Informative References
+
+ [ANYCST] Partridge, C., Mendez, T. and W. Milliken, "Host Anycasting
+ Service", RFC 1546, November 1993.
+
+ [AUTH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC
+ 2402, November 1998.
+
+ [AGGR] Hinden, R., O'Dell, M. and S. Deering, "An Aggregatable
+ Global Unicast Address Format", RFC 2374, July 1998.
+
+ [CIDR] Fuller, V., Li, T., Yu, J. and K. Varadhan, "Classless
+ Inter-Domain Routing (CIDR): An Address Assignment and
+ Aggregation Strategy", RFC 1519, September 1993.
+
+ [ETHER] Crawford, M., "Transmission of IPv6 Packets over Ethernet
+ Networks", RFC 2464, December 1998.
+
+ [EUI64] IEEE, "Guidelines for 64-bit Global Identifier (EUI-64)
+ Registration Authority",
+ http://standards.ieee.org/regauth/oui/tutorials/EUI64.html,
+ March 1997.
+
+ [FDDI] Crawford, M., "Transmission of IPv6 Packets over FDDI
+ Networks", RFC 2467, December 1998.
+
+ [MASGN] Hinden, R. and S. Deering, "IPv6 Multicast Address
+ Assignments", RFC 2375, July 1998.
+
+ [NSAP] Bound, J., Carpenter, B., Harrington, D., Houldsworth, J.
+ and A. Lloyd, "OSI NSAPs and IPv6", RFC 1888, August 1996.
+
+ [PRIV] Narten, T. and R. Draves, "Privacy Extensions for Stateless
+ Address Autoconfiguration in IPv6", RFC 3041, January 2001.
+
+ [TOKEN] Crawford, M., Narten, T. and S. Thomas, "Transmission of
+ IPv6 Packets over Token Ring Networks", RFC 2470, December
+ 1998.
+
+
+
+Hinden & Deering Standards Track [Page 19]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ [TRAN] Gilligan, R. and E. Nordmark, "Transition Mechanisms for
+ IPv6 Hosts and Routers", RFC 2893, August 2000.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 20]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+APPENDIX A: Creating Modified EUI-64 format Interface Identifiers
+
+ Depending on the characteristics of a specific link or node there are
+ a number of approaches for creating Modified EUI-64 format interface
+ identifiers. This appendix describes some of these approaches.
+
+Links or Nodes with IEEE EUI-64 Identifiers
+
+ The only change needed to transform an IEEE EUI-64 identifier to an
+ interface identifier is to invert the "u" (universal/local) bit. For
+ example, a globally unique IEEE EUI-64 identifier of the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ where "c" are the bits of the assigned company_id, "0" is the value
+ of the universal/local bit to indicate global scope, "g" is
+ individual/group bit, and "m" are the bits of the manufacturer-
+ selected extension identifier. The IPv6 interface identifier would
+ be of the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc1gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ The only change is inverting the value of the universal/local bit.
+
+Links or Nodes with IEEE 802 48 bit MAC's
+
+ [EUI64] defines a method to create a IEEE EUI-64 identifier from an
+ IEEE 48bit MAC identifier. This is to insert two octets, with
+ hexadecimal values of 0xFF and 0xFE, in the middle of the 48 bit MAC
+ (between the company_id and vendor supplied id). For example, the 48
+ bit IEEE MAC with global scope:
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 21]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ |0 1|1 3|3 4|
+ |0 5|6 1|2 7|
+ +----------------+----------------+----------------+
+ |cccccc0gcccccccc|ccccccccmmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+
+
+ where "c" are the bits of the assigned company_id, "0" is the value
+ of the universal/local bit to indicate global scope, "g" is
+ individual/group bit, and "m" are the bits of the manufacturer-
+ selected extension identifier. The interface identifier would be of
+ the form:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |cccccc1gcccccccc|cccccccc11111111|11111110mmmmmmmm|mmmmmmmmmmmmmmmm|
+ +----------------+----------------+----------------+----------------+
+
+ When IEEE 802 48bit MAC addresses are available (on an interface or a
+ node), an implementation may use them to create interface identifiers
+ due to their availability and uniqueness properties.
+
+Links with Other Kinds of Identifiers
+
+ There are a number of types of links that have link-layer interface
+ identifiers other than IEEE EIU-64 or IEEE 802 48-bit MACs. Examples
+ include LocalTalk and Arcnet. The method to create an Modified EUI-
+ 64 format identifier is to take the link identifier (e.g., the
+ LocalTalk 8 bit node identifier) and zero fill it to the left. For
+ example, a LocalTalk 8 bit node identifier of hexadecimal value 0x4F
+ results in the following interface identifier:
+
+ |0 1|1 3|3 4|4 6|
+ |0 5|6 1|2 7|8 3|
+ +----------------+----------------+----------------+----------------+
+ |0000000000000000|0000000000000000|0000000000000000|0000000001001111|
+ +----------------+----------------+----------------+----------------+
+
+ Note that this results in the universal/local bit set to "0" to
+ indicate local scope.
+
+Links without Identifiers
+
+ There are a number of links that do not have any type of built-in
+ identifier. The most common of these are serial links and configured
+ tunnels. Interface identifiers must be chosen that are unique within
+ a subnet-prefix.
+
+
+
+
+Hinden & Deering Standards Track [Page 22]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ When no built-in identifier is available on a link the preferred
+ approach is to use a global interface identifier from another
+ interface or one which is assigned to the node itself. When using
+ this approach no other interface connecting the same node to the same
+ subnet-prefix may use the same identifier.
+
+ If there is no global interface identifier available for use on the
+ link the implementation needs to create a local-scope interface
+ identifier. The only requirement is that it be unique within a
+ subnet prefix. There are many possible approaches to select a
+ subnet-prefix-unique interface identifier. These include:
+
+ Manual Configuration
+ Node Serial Number
+ Other node-specific token
+
+ The subnet-prefix-unique interface identifier should be generated in
+ a manner that it does not change after a reboot of a node or if
+ interfaces are added or deleted from the node.
+
+ The selection of the appropriate algorithm is link and implementation
+ dependent. The details on forming interface identifiers are defined
+ in the appropriate "IPv6 over <link>" specification. It is strongly
+ recommended that a collision detection algorithm be implemented as
+ part of any automatic algorithm.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 23]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+APPENDIX B: Changes from RFC-2373
+
+ The following changes were made from RFC-2373 "IP Version 6
+ Addressing Architecture":
+
+ - Clarified text in section 2.2 to allow "::" to represent one or
+ more groups of 16 bits of zeros.
+ - Changed uniqueness requirement of Interface Identifiers from
+ unique on a link to unique within a subnet prefix. Also added a
+ recommendation that the same interface identifier not be assigned
+ to different machines on a link.
+ - Change site-local format to make the subnet ID field 54-bit long
+ and remove the 38-bit zero's field.
+ - Added description of multicast scop values and rules to handle the
+ reserved scop value 0.
+ - Revised sections 2.4 and 2.5.6 to simplify and clarify how
+ different address types are identified. This was done to insure
+ that implementations do not build in any knowledge about global
+ unicast format prefixes. Changes include:
+ o Removed Format Prefix (FP) terminology
+ o Revised list of address types to only include exceptions to
+ global unicast and a singe entry that identifies everything
+ else as Global Unicast.
+ o Removed list of defined prefix exceptions from section 2.5.6
+ as it is now the main part of section 2.4.
+ - Clarified text relating to EUI-64 identifiers to distinguish
+ between IPv6's "Modified EUI-64 format" identifiers and IEEE EUI-
+ 64 identifiers.
+ - Combined the sections on the Global Unicast Addresses and NSAP
+ Addresses into a single section on Global Unicast Addresses,
+ generalized the Global Unicast format, and cited [AGGR] and [NSAP]
+ as examples.
+ - Reordered sections 2.5.4 and 2.5.5.
+ - Removed section 2.7.2 Assignment of New IPv6 Multicast Addresses
+ because this is being redefined elsewhere.
+ - Added an IANA considerations section that updates the IANA IPv6
+ address allocations and documents the NSAP and AGGR allocations.
+ - Added clarification that the "IPv4-compatible IPv6 address" must
+ use global IPv4 unicast addresses.
+ - Divided references in to normative and non-normative sections.
+ - Added reference to [PRIV] in section 2.5.1
+ - Added clarification that routers must not forward multicast
+ packets outside of the scope indicated in the multicast address.
+ - Added clarification that routers must not forward packets with
+ source address of the unspecified address.
+ - Added clarification that routers must drop packets received on an
+ interface with destination address of loopback.
+ - Clarified the definition of IPv4-mapped addresses.
+
+
+
+Hinden & Deering Standards Track [Page 24]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+ - Removed the ABNF Description of Text Representations Appendix.
+ - Removed the address block reserved for IPX addresses.
+ - Multicast scope changes:
+ o Changed name of scope value 1 from "node-local" to
+ "interface-local"
+ o Defined scope value 4 as "admin-local"
+ - Corrected reference to RFC1933 and updated references.
+ - Many small changes to clarify and make the text more consistent.
+
+Authors' Addresses
+
+ Robert M. Hinden
+ Nokia
+ 313 Fairchild Drive
+ Mountain View, CA 94043
+ USA
+
+ Phone: +1 650 625-2004
+ EMail: hinden@iprg.nokia.com
+
+
+ Stephen E. Deering
+ Cisco Systems, Inc.
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+ USA
+
+ Phone: +1 408 527-8213
+ EMail: deering@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 25]
+
+RFC 3513 IPv6 Addressing Architecture April 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Hinden & Deering Standards Track [Page 26]
+
diff --git a/contrib/bind9/doc/rfc/rfc3596.txt b/contrib/bind9/doc/rfc/rfc3596.txt
new file mode 100644
index 0000000..f65690c
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3596.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group S. Thomson
+Request for Comments: 3596 Cisco
+Obsoletes: 3152, 1886 C. Huitema
+Category: Standards Track Microsoft
+ V. Ksinant
+ 6WIND
+ M. Souissi
+ AFNIC
+ October 2003
+
+
+ DNS Extensions to Support IP Version 6
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document defines the changes that need to be made to the Domain
+ Name System (DNS) to support hosts running IP version 6 (IPv6). The
+ changes include a resource record type to store an IPv6 address, a
+ domain to support lookups based on an IPv6 address, and updated
+ definitions of existing query types that return Internet addresses as
+ part of additional section processing. The extensions are designed
+ to be compatible with existing applications and, in particular, DNS
+ implementations themselves.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. New resource record definition and domain. . . . . . . . . . . 2
+ 2.1. AAAA record type . . . . . . . . . . . . . . . . . . . . 3
+ 2.2. AAAA data format . . . . . . . . . . . . . . . . . . . . 3
+ 2.3. AAAA query . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.4. Textual format of AAAA records . . . . . . . . . . . . . 3
+ 2.5. IP6.ARPA domain. . . . . . . . . . . . . . . . . . . . . 3
+ 3. Modifications to existing query types. . . . . . . . . . . . . 4
+ 4. Security Considerations. . . . . . . . . . . . . . . . . . . . 4
+ 5. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 4
+
+
+
+Thomson, et al. Standards Track [Page 1]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+ 6. Intellectual Property Statement. . . . . . . . . . . . . . . . 4
+ Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ Appendix A: Changes from RFC 1886. . . . . . . . . . . . . . . . . 6
+ Normative References . . . . . . . . . . . . . . . . . . . . . . . 6
+ Informative References . . . . . . . . . . . . . . . . . . . . . . 6
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 7
+ Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 8
+
+1. Introduction
+
+ Current support for the storage of Internet addresses in the Domain
+ Name System (DNS) [1,2] cannot easily be extended to support IPv6
+ addresses [3] since applications assume that address queries return
+ 32-bit IPv4 addresses only.
+
+ To support the storage of IPv6 addresses in the DNS, this document
+ defines the following extensions:
+
+ o A resource record type is defined to map a domain name to an
+ IPv6 address.
+
+ o A domain is defined to support lookups based on address.
+
+ o Existing queries that perform additional section processing to
+ locate IPv4 addresses are redefined to perform additional
+ section processing on both IPv4 and IPv6 addresses.
+
+ The changes are designed to be compatible with existing software.
+ The existing support for IPv4 addresses is retained. Transition
+ issues related to the co-existence of both IPv4 and IPv6 addresses in
+ the DNS are discussed in [4].
+
+ The IP protocol version used for querying resource records is
+ independent of the protocol version of the resource records; e.g.,
+ IPv4 transport can be used to query IPv6 records and vice versa.
+
+ This document combines RFC 1886 [5] and changes to RFC 1886 made by
+ RFC 3152 [6], obsoleting both. Changes mainly consist in replacing
+ the IP6.INT domain by IP6.ARPA as defined in RFC 3152.
+
+2. New resource record definition and domain
+
+ A record type is defined to store a host's IPv6 address. A host that
+ has more than one IPv6 address must have more than one such record.
+
+
+
+
+
+
+
+Thomson, et al. Standards Track [Page 2]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+2.1 AAAA record type
+
+ The AAAA resource record type is a record specific to the Internet
+ class that stores a single IPv6 address.
+
+ The IANA assigned value of the type is 28 (decimal).
+
+2.2 AAAA data format
+
+ A 128 bit IPv6 address is encoded in the data portion of an AAAA
+ resource record in network byte order (high-order byte first).
+
+2.3 AAAA query
+
+ An AAAA query for a specified domain name in the Internet class
+ returns all associated AAAA resource records in the answer section of
+ a response.
+
+ A type AAAA query does not trigger additional section processing.
+
+2.4 Textual format of AAAA records
+
+ The textual representation of the data portion of the AAAA resource
+ record used in a master database file is the textual representation
+ of an IPv6 address as defined in [3].
+
+2.5 IP6.ARPA Domain
+
+ A special domain is defined to look up a record given an IPv6
+ address. The intent of this domain is to provide a way of mapping an
+ IPv6 address to a host name, although it may be used for other
+ purposes as well. The domain is rooted at IP6.ARPA.
+
+ An IPv6 address is represented as a name in the IP6.ARPA domain by a
+ sequence of nibbles separated by dots with the suffix ".IP6.ARPA".
+ The sequence of nibbles is encoded in reverse order, i.e., the
+ low-order nibble is encoded first, followed by the next low-order
+ nibble and so on. Each nibble is represented by a hexadecimal digit.
+ For example, the reverse lookup domain name corresponding to the
+ address
+
+ 4321:0:1:2:3:4:567:89ab
+
+ would be
+
+ b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.
+ ARPA.
+
+
+
+
+Thomson, et al. Standards Track [Page 3]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+3. Modifications to existing query types
+
+ All existing query types that perform type A additional section
+ processing, i.e., name server (NS), location of services (SRV) and
+ mail exchange (MX) query types, must be redefined to perform both
+ type A and type AAAA additional section processing. These
+ definitions mean that a name server must add any relevant IPv4
+ addresses and any relevant IPv6 addresses available locally to the
+ additional section of a response when processing any one of the above
+ queries.
+
+4. Security Considerations
+
+ Any information obtained from the DNS must be regarded as unsafe
+ unless techniques specified in [7] or [8] are used. The definitions
+ of the AAAA record type and of the IP6.ARPA domain do not change the
+ model for use of these techniques.
+
+ So, this specification is not believed to cause any new security
+ problems, nor to solve any existing ones.
+
+5. IANA Considerations
+
+ There are no IANA assignments to be performed.
+
+6. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+Thomson, et al. Standards Track [Page 4]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+Acknowledgments
+
+ Vladimir Ksinant and Mohsen Souissi would like to thank Sebastien
+ Barbin (IRISA), Luc Beloeil (France Telecom R&D), Jean-Mickael Guerin
+ (6WIND), Vincent Levigneron (AFNIC), Alain Ritoux (6WIND), Frederic
+ Roudaut (IRISA) and G6 group for their help during the RFC 1886
+ Interop tests sessions.
+
+ Many thanks to Alain Durand and Olafur Gudmundsson for their support.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomson, et al. Standards Track [Page 5]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+Appendix A: Changes from RFC 1886
+
+ The following changes were made from RFC 1886 "DNS Extensions to
+ support IP version 6":
+
+ - Replaced the "IP6.INT" domain by "IP6.ARPA".
+ - Mentioned SRV query types in section 3 "MODIFICATIONS TO
+ EXISTING QUERY TYPES"
+ - Added security considerations.
+ - Updated references :
+ * From RFC 1884 to RFC 3513 (IP Version 6 Addressing
+ Architecture).
+ * From "work in progress" to RFC 2893 (Transition Mechanisms for
+ IPv6 Hosts and Routers).
+ * Added reference to RFC 1886, RFC 3152, RFC 2535 and RFC 2845.
+ - Updated document abstract
+ - Added table of contents
+ - Added full copyright statement
+ - Added IANA considerations section
+ - Added Intellectual Property Statement
+
+Normative References
+
+ [1] Mockapetris, P., "Domain Names - Concepts and Facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [2] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [3] Hinden, R. and S. Deering, "Internet Protocol Version 6 (IPv6)
+ Addressing Architecture", RFC 3513, April 2003.
+
+Informative References
+
+ [4] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6
+ Hosts and Routers", RFC 2893, August 2000.
+
+ [5] Thomson, S. and C. Huitema, "DNS Extensions to support IP
+ version 6", RFC 1886, December 1995.
+
+ [6] Bush, R., "Delegation of IP6.ARPA", BCP 49, RFC 3152, August
+ 2001.
+
+ [7] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999
+
+
+
+
+
+
+Thomson, et al. Standards Track [Page 6]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+ [8] Vixie, P., Gudmundsson, O., Eastlake, D. and B. Wellington,
+ "Secret Key Transaction Authentication for DNS (TSIG)", RFC
+ 2845, May 2000.
+
+Authors' Addresses
+
+ Susan Thomson
+ Cisco Systems
+ 499 Thornall Street, 8th floor
+ Edison, NJ 08837
+
+ Phone: +1 732-635-3086
+ EMail: sethomso@cisco.com
+
+
+ Christian Huitema
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052-6399
+
+ EMail: huitema@microsoft.com
+
+
+ Vladimir Ksinant
+ 6WIND S.A.
+ Immeuble Central Gare - Bat.C
+ 1, place Charles de Gaulle
+ 78180, Montigny-Le-Bretonneux - France
+
+ Phone: +33 1 39 30 92 36
+ EMail: vladimir.ksinant@6wind.com
+
+
+ Mohsen Souissi
+ AFNIC
+ Immeuble International
+ 2, rue Stephenson,
+ 78181, Saint-Quentin en Yvelines Cedex - France
+
+ Phone: +33 1 39 30 83 40
+ EMail: Mohsen.Souissi@nic.fr
+
+
+
+
+
+
+
+
+
+
+Thomson, et al. Standards Track [Page 7]
+
+RFC 3596 DNS Extensions to Support IPv6 October 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Thomson, et al. Standards Track [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc3597.txt b/contrib/bind9/doc/rfc/rfc3597.txt
new file mode 100644
index 0000000..19e9a55
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3597.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group A. Gustafsson
+Request for Comments: 3597 Nominum Inc.
+Category: Standards Track September 2003
+
+
+ Handling of Unknown DNS Resource Record (RR) Types
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ Extending the Domain Name System (DNS) with new Resource Record (RR)
+ types currently requires changes to name server software. This
+ document specifies the changes necessary to allow future DNS
+ implementations to handle new RR types transparently.
+
+1. Introduction
+
+ The DNS is designed to be extensible to support new services through
+ the introduction of new resource record (RR) types. In practice,
+ deploying a new RR type currently requires changes to the name server
+ software not only at the authoritative DNS server that is providing
+ the new information and the client making use of it, but also at all
+ slave servers for the zone containing it, and in some cases also at
+ caching name servers and forwarders used by the client.
+
+ Because the deployment of new server software is slow and expensive,
+ the potential of the DNS in supporting new services has never been
+ fully realized. This memo proposes changes to name servers and to
+ procedures for defining new RR types aimed at simplifying the future
+ deployment of new RR types.
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC 2119].
+
+
+
+
+
+
+Gustafsson Standards Track [Page 1]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+2. Definition
+
+ An "RR of unknown type" is an RR whose RDATA format is not known to
+ the DNS implementation at hand, and whose type is not an assigned
+ QTYPE or Meta-TYPE as specified in [RFC 2929] (section 3.1) nor
+ within the range reserved in that section for assignment only to
+ QTYPEs and Meta-TYPEs. Such an RR cannot be converted to a type-
+ specific text format, compressed, or otherwise handled in a type-
+ specific way.
+
+ In the case of a type whose RDATA format is class specific, an RR is
+ considered to be of unknown type when the RDATA format for that
+ combination of type and class is not known.
+
+3. Transparency
+
+ To enable new RR types to be deployed without server changes, name
+ servers and resolvers MUST handle RRs of unknown type transparently.
+ That is, they must treat the RDATA section of such RRs as
+ unstructured binary data, storing and transmitting it without change
+ [RFC1123].
+
+ To ensure the correct operation of equality comparison (section 6)
+ and of the DNSSEC canonical form (section 7) when an RR type is known
+ to some but not all of the servers involved, servers MUST also
+ exactly preserve the RDATA of RRs of known type, except for changes
+ due to compression or decompression where allowed by section 4 of
+ this memo. In particular, the character case of domain names that
+ are not subject to compression MUST be preserved.
+
+4. Domain Name Compression
+
+ RRs containing compression pointers in the RDATA part cannot be
+ treated transparently, as the compression pointers are only
+ meaningful within the context of a DNS message. Transparently
+ copying the RDATA into a new DNS message would cause the compression
+ pointers to point at the corresponding location in the new message,
+ which now contains unrelated data. This would cause the compressed
+ name to be corrupted.
+
+ To avoid such corruption, servers MUST NOT compress domain names
+ embedded in the RDATA of types that are class-specific or not well-
+ known. This requirement was stated in [RFC1123] without defining the
+ term "well-known"; it is hereby specified that only the RR types
+ defined in [RFC1035] are to be considered "well-known".
+
+
+
+
+
+
+Gustafsson Standards Track [Page 2]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+ The specifications of a few existing RR types have explicitly allowed
+ compression contrary to this specification: [RFC2163] specified that
+ compression applies to the PX RR, and [RFC2535] allowed compression
+ in SIG RRs and NXT RRs records. Since this specification disallows
+ compression in these cases, it is an update to [RFC2163] (section 4)
+ and [RFC2535] (sections 4.1.7 and 5.2).
+
+ Receiving servers MUST decompress domain names in RRs of well-known
+ type, and SHOULD also decompress RRs of type RP, AFSDB, RT, SIG, PX,
+ NXT, NAPTR, and SRV (although the current specification of the SRV RR
+ in [RFC2782] prohibits compression, [RFC2052] mandated it, and some
+ servers following that earlier specification are still in use).
+
+ Future specifications for new RR types that contain domain names
+ within their RDATA MUST NOT allow the use of name compression for
+ those names, and SHOULD explicitly state that the embedded domain
+ names MUST NOT be compressed.
+
+ As noted in [RFC1123], the owner name of an RR is always eligible for
+ compression.
+
+5. Text Representation
+
+ In the "type" field of a master file line, an unknown RR type is
+ represented by the word "TYPE" immediately followed by the decimal RR
+ type number, with no intervening whitespace. In the "class" field,
+ an unknown class is similarly represented as the word "CLASS"
+ immediately followed by the decimal class number.
+
+ This convention allows types and classes to be distinguished from
+ each other and from TTL values, allowing the "[<TTL>] [<class>]
+ <type> <RDATA>" and "[<class>] [<TTL>] <type> <RDATA>" forms of
+ [RFC1035] to both be unambiguously parsed.
+
+ The RDATA section of an RR of unknown type is represented as a
+ sequence of white space separated words as follows:
+
+ The special token \# (a backslash immediately followed by a hash
+ sign), which identifies the RDATA as having the generic encoding
+ defined herein rather than a traditional type-specific encoding.
+
+ An unsigned decimal integer specifying the RDATA length in octets.
+
+ Zero or more words of hexadecimal data encoding the actual RDATA
+ field, each containing an even number of hexadecimal digits.
+
+ If the RDATA is of zero length, the text representation contains only
+ the \# token and the single zero representing the length.
+
+
+
+Gustafsson Standards Track [Page 3]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+ An implementation MAY also choose to represent some RRs of known type
+ using the above generic representations for the type, class and/or
+ RDATA, which carries the benefit of making the resulting master file
+ portable to servers where these types are unknown. Using the generic
+ representation for the RDATA of an RR of known type can also be
+ useful in the case of an RR type where the text format varies
+ depending on a version, protocol, or similar field (or several)
+ embedded in the RDATA when such a field has a value for which no text
+ format is known, e.g., a LOC RR [RFC1876] with a VERSION other than
+ 0.
+
+ Even though an RR of known type represented in the \# format is
+ effectively treated as an unknown type for the purpose of parsing the
+ RDATA text representation, all further processing by the server MUST
+ treat it as a known type and take into account any applicable type-
+ specific rules regarding compression, canonicalization, etc.
+
+ The following are examples of RRs represented in this manner,
+ illustrating various combinations of generic and type-specific
+ encodings for the different fields of the master file format:
+
+ a.example. CLASS32 TYPE731 \# 6 abcd (
+ ef 01 23 45 )
+ b.example. HS TYPE62347 \# 0
+ e.example. IN A \# 4 0A000001
+ e.example. CLASS1 TYPE1 10.0.0.2
+
+6. Equality Comparison
+
+ Certain DNS protocols, notably Dynamic Update [RFC2136], require RRs
+ to be compared for equality. Two RRs of the same unknown type are
+ considered equal when their RDATA is bitwise equal. To ensure that
+ the outcome of the comparison is identical whether the RR is known to
+ the server or not, specifications for new RR types MUST NOT specify
+ type-specific comparison rules.
+
+ This implies that embedded domain names, being included in the
+ overall bitwise comparison, are compared in a case-sensitive manner.
+
+ As a result, when a new RR type contains one or more embedded domain
+ names, it is possible to have multiple RRs owned by the same name
+ that differ only in the character case of the embedded domain
+ name(s). This is similar to the existing possibility of multiple TXT
+ records differing only in character case, and not expected to cause
+ any problems in practice.
+
+
+
+
+
+
+Gustafsson Standards Track [Page 4]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+7. DNSSEC Canonical Form and Ordering
+
+ DNSSEC defines a canonical form and ordering for RRs [RFC2535]
+ (section 8.1). In that canonical form, domain names embedded in the
+ RDATA are converted to lower case.
+
+ The downcasing is necessary to ensure the correctness of DNSSEC
+ signatures when case distinctions in domain names are lost due to
+ compression, but since it requires knowledge of the presence and
+ position of embedded domain names, it cannot be applied to unknown
+ types.
+
+ To ensure continued consistency of the canonical form of RR types
+ where compression is allowed, and for continued interoperability with
+ existing implementations that already implement the [RFC2535]
+ canonical form and apply it to their known RR types, the canonical
+ form remains unchanged for all RR types whose whose initial
+ publication as an RFC was prior to the initial publication of this
+ specification as an RFC (RFC 3597).
+
+ As a courtesy to implementors, it is hereby noted that the complete
+ set of such previously published RR types that contain embedded
+ domain names, and whose DNSSEC canonical form therefore involves
+ downcasing according to the DNS rules for character comparisons,
+ consists of the RR types NS, MD, MF, CNAME, SOA, MB, MG, MR, PTR,
+ HINFO, MINFO, MX, HINFO, RP, AFSDB, RT, SIG, PX, NXT, NAPTR, KX, SRV,
+ DNAME, and A6.
+
+ This document specifies that for all other RR types (whether treated
+ as unknown types or treated as known types according to an RR type
+ definition RFC more recent than RFC 3597), the canonical form is such
+ that no downcasing of embedded domain names takes place, and
+ otherwise identical to the canonical form specified in [RFC2535]
+ section 8.1.
+
+ Note that the owner name is always set to lower case according to the
+ DNS rules for character comparisons, regardless of the RR type.
+
+ The DNSSEC canonical RR ordering is as specified in [RFC2535] section
+ 8.3, where the octet sequence is the canonical form as revised by
+ this specification.
+
+8. Additional Section Processing
+
+ Unknown RR types cause no additional section processing. Future RR
+ type specifications MAY specify type-specific additional section
+ processing rules, but any such processing MUST be optional as it can
+ only be performed by servers for which the RR type in case is known.
+
+
+
+Gustafsson Standards Track [Page 5]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+9. IANA Considerations
+
+ This document does not require any IANA actions.
+
+10. Security Considerations
+
+ This specification is not believed to cause any new security
+ problems, nor to solve any existing ones.
+
+11. Normative References
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and
+ Facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specifications", STD 13, RFC 1035, November 1987.
+
+ [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts --
+ Application and Support", STD 3, RFC 1123, October 1989.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC2163] Allocchio, C., "Using the Internet DNS to Distribute
+ MIXER Conformant Global Address Mapping (MCGAM)", RFC
+ 2163, January 1998.
+
+ [RFC2929] Eastlake, D., Brunner-Williams, E. and B. Manning,
+ "Domain Name System (DNS) IANA Considerations", BCP 42,
+ RFC 2929, September 2000.
+
+12. Informative References
+
+ [RFC1876] Davis, C., Vixie, P., Goodwin, T. and I. Dickinson, "A
+ Means for Expressing Location Information in the Domain
+ Name System", RFC 1876, January 1996.
+
+ [RFC2052] Gulbrandsen, A. and P. Vixie, "A DNS RR for specifying
+ the location of services (DNS SRV)", RFC 2052, October
+ 1996.
+
+ [RFC2136] Vixie, P., Ed., Thomson, S., Rekhter, Y. and J. Bound,
+ "Dynamic Updates in the Domain Name System (DNS UPDATE)",
+ RFC 2136, April 1997.
+
+
+
+
+Gustafsson Standards Track [Page 6]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+ [RFC2782] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
+ specifying the location of services (DNS SRV)", RFC 2782,
+ February 2000.
+
+13. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+14. Author's Address
+
+ Andreas Gustafsson
+ Nominum, Inc.
+ 2385 Bay Rd
+ Redwood City, CA 94063
+ USA
+
+ Phone: +1 650 381 6004
+ EMail: gson@nominum.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gustafsson Standards Track [Page 7]
+
+RFC 3597 Handling of Unknown DNS RR Types September 2003
+
+
+15. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gustafsson Standards Track [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc3645.txt b/contrib/bind9/doc/rfc/rfc3645.txt
new file mode 100644
index 0000000..6126678
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3645.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Network Working Group S. Kwan
+Request for Comments: 3645 P. Garg
+Updates: 2845 J. Gilroy
+Category: Standards Track L. Esibov
+ J. Westhead
+ Microsoft Corp.
+ R. Hall
+ Lucent Technologies
+ October 2003
+
+
+ Generic Security Service Algorithm for
+ Secret Key Transaction Authentication for DNS (GSS-TSIG)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ The Secret Key Transaction Authentication for DNS (TSIG) protocol
+ provides transaction level authentication for DNS. TSIG is
+ extensible through the definition of new algorithms. This document
+ specifies an algorithm based on the Generic Security Service
+ Application Program Interface (GSS-API) (RFC2743). This document
+ updates RFC 2845.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 1]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. Algorithm Overview . . . . . . . . . . . . . . . . . . . . . . 3
+ 2.1. GSS Details. . . . . . . . . . . . . . . . . . . . . . . 4
+ 2.2. Modifications to the TSIG protocol (RFC 2845). . . . . . 4
+ 3. Client Protocol Details. . . . . . . . . . . . . . . . . . . . 5
+ 3.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 5
+ 3.1.1. Call GSS_Init_sec_context. . . . . . . . . . . . . 6
+ 3.1.2. Send TKEY Query to Server. . . . . . . . . . . . . 8
+ 3.1.3. Receive TKEY Query-Response from Server. . . . . . 8
+ 3.2. Context Established. . . . . . . . . . . . . . . . . . . 11
+ 3.2.1. Terminating a Context. . . . . . . . . . . . . . . 11
+ 4. Server Protocol Details. . . . . . . . . . . . . . . . . . . . 12
+ 4.1. Negotiating Context. . . . . . . . . . . . . . . . . . . 12
+ 4.1.1. Receive TKEY Query from Client . . . . . . . . . . 12
+ 4.1.2. Call GSS_Accept_sec_context. . . . . . . . . . . . 12
+ 4.1.3. Send TKEY Query-Response to Client . . . . . . . . 13
+ 4.2. Context Established. . . . . . . . . . . . . . . . . . . 15
+ 4.2.1. Terminating a Context. . . . . . . . . . . . . . . 15
+ 5. Sending and Verifying Signed Messages. . . . . . . . . . . . . 15
+ 5.1. Sending a Signed Message - Call GSS_GetMIC . . . . . . . 15
+ 5.2. Verifying a Signed Message - Call GSS_VerifyMIC. . . . . 16
+ 6. Example usage of GSS-TSIG algorithm. . . . . . . . . . . . . . 18
+ 7. Security Considerations. . . . . . . . . . . . . . . . . . . . 22
+ 8. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 22
+ 9. Conformance. . . . . . . . . . . . . . . . . . . . . . . . . . 22
+ 10. Intellectual Property Statement. . . . . . . . . . . . . . . . 23
+ 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
+ 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
+ 12.1. Normative References. . . . . . . . . . . . . . . . . . 24
+ 12.2. Informative References. . . . . . . . . . . . . . . . . 24
+ 13. Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
+ 14. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 26
+
+1. Introduction
+
+ The Secret Key Transaction Authentication for DNS (TSIG) [RFC2845]
+ protocol was developed to provide a lightweight authentication and
+ integrity of messages between two DNS entities, such as client and
+ server or server and server. TSIG can be used to protect dynamic
+ update messages, authenticate regular message or to off-load
+ complicated DNSSEC [RFC2535] processing from a client to a server and
+ still allow the client to be assured of the integrity of the answers.
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 2]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ The TSIG protocol [RFC2845] is extensible through the definition of
+ new algorithms. This document specifies an algorithm based on the
+ Generic Security Service Application Program Interface (GSS-API)
+ [RFC2743]. GSS-API is a framework that provides an abstraction of
+ security to the application protocol developer. The security
+ services offered can include authentication, integrity, and
+ confidentiality.
+
+ The GSS-API framework has several benefits:
+
+ * Mechanism and protocol independence. The underlying mechanisms
+ that realize the security services can be negotiated on the fly
+ and varied over time. For example, a client and server MAY use
+ Kerberos [RFC1964] for one transaction, whereas that same server
+ MAY use SPKM [RFC2025] with a different client.
+
+ * The protocol developer is removed from the responsibility of
+ creating and managing a security infrastructure. For example, the
+ developer does not need to create new key distribution or key
+ management systems. Instead the developer relies on the security
+ service mechanism to manage this on its behalf.
+
+ The scope of this document is limited to the description of an
+ authentication mechanism only. It does not discuss and/or propose an
+ authorization mechanism. Readers that are unfamiliar with GSS-API
+ concepts are encouraged to read the characteristics and concepts
+ section of [RFC2743] before examining this protocol in detail. It is
+ also assumed that the reader is familiar with [RFC2845], [RFC2930],
+ [RFC1034] and [RFC1035].
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT",
+ "RECOMMENDED", and "MAY" in this document are to be interpreted as
+ described in BCP 14, RFC 2119 [RFC2119].
+
+2. Algorithm Overview
+
+ In GSS, client and server interact to create a "security context".
+ The security context can be used to create and verify transaction
+ signatures on messages between the two parties. A unique security
+ context is required for each unique connection between client and
+ server.
+
+ Creating a security context involves a negotiation between client and
+ server. Once a context has been established, it has a finite
+ lifetime for which it can be used to secure messages. Thus there are
+ three states of a context associated with a connection:
+
+
+
+
+
+Kwan, et al. Standards Track [Page 3]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ +----------+
+ | |
+ V |
+ +---------------+ |
+ | Uninitialized | |
+ | | |
+ +---------------+ |
+ | |
+ V |
+ +---------------+ |
+ | Negotiating | |
+ | Context | |
+ +---------------+ |
+ | |
+ V |
+ +---------------+ |
+ | Context | |
+ | Established | |
+ +---------------+ |
+ | |
+ +----------+
+
+ Every connection begins in the uninitialized state.
+
+2.1. GSS Details
+
+ Client and server MUST be locally authenticated and have acquired
+ default credentials before using this protocol as specified in
+ Section 1.1.1 "Credentials" in RFC 2743 [RFC2743].
+
+ The GSS-TSIG algorithm consists of two stages:
+
+ I. Establish security context. The Client and Server use the
+ GSS_Init_sec_context and GSS_Accept_sec_context APIs to generate
+ the tokens that they pass to each other using [RFC2930] as a
+ transport mechanism.
+
+ II. Once the security context is established it is used to generate
+ and verify signatures using GSS_GetMIC and GSS_VerifyMIC APIs.
+ These signatures are exchanged by the Client and Server as a part
+ of the TSIG records exchanged in DNS messages sent between the
+ Client and Server, as described in [RFC2845].
+
+2.2. Modifications to the TSIG protocol (RFC 2845)
+
+ Modification to RFC 2845 allows use of TSIG through signing server's
+ response in an explicitly specified place in multi message exchange
+ between two DNS entities even if client's request wasn't signed.
+
+
+
+Kwan, et al. Standards Track [Page 4]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ Specifically, Section 4.2 of RFC 2845 MUST be modified as follows:
+
+ Replace:
+ "The server MUST not generate a signed response to an unsigned
+ request."
+
+ With:
+ "The server MUST not generate a signed response to an unsigned
+ request, except in case of response to client's unsigned TKEY
+ query if secret key is established on server side after server
+ processed client's query. Signing responses to unsigned TKEY
+ queries MUST be explicitly specified in the description of an
+ individual secret key establishment algorithm."
+
+3. Client Protocol Details
+
+ A unique context is required for each server to which the client
+ sends secure messages. A context is identified by a context handle.
+ A client maintains a mapping of servers to handles:
+
+ (target_name, key_name, context_handle)
+
+ The value key_name also identifies a context handle. The key_name is
+ the owner name of the TKEY and TSIG records sent between a client and
+ a server to indicate to each other which context MUST be used to
+ process the current request.
+
+ DNS client and server MAY use various underlying security mechanisms
+ to establish security context as described in sections 3 and 4. At
+ the same time, in order to guarantee interoperability between DNS
+ clients and servers that support GSS-TSIG it is REQUIRED that
+ security mechanism used by client enables use of Kerberos v5 (see
+ Section 9 for more information).
+
+3.1. Negotiating Context
+
+ In GSS, establishing a security context involves the passing of
+ opaque tokens between the client and the server. The client
+ generates the initial token and sends it to the server. The server
+ processes the token and if necessary, returns a subsequent token to
+ the client. The client processes this token, and so on, until the
+ negotiation is complete. The number of times the client and server
+ exchange tokens depends on the underlying security mechanism. A
+ completed negotiation results in a context handle.
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 5]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ The TKEY resource record [RFC2930] is used as the vehicle to transfer
+ tokens between client and server. The TKEY record is a general
+ mechanism for establishing secret keys for use with TSIG. For more
+ information, see [RFC2930].
+
+3.1.1. Call GSS_Init_sec_context
+
+ To obtain the first token to be sent to a server, a client MUST call
+ GSS_Init_sec_context API.
+
+ The following input parameters MUST be used. The outcome of the call
+ is indicated with the output values below. Consult Sections 2.2.1,
+ "GSS_Init_sec_context call", of [RFC2743] for syntax definitions.
+
+ INPUTS
+ CREDENTIAL HANDLE claimant_cred_handle = NULL (NULL specifies "use
+ default"). Client MAY instead specify some other valid
+ handle to its credentials.
+ CONTEXT HANDLE input_context_handle = 0
+ INTERNAL NAME targ_name = "DNS@<target_server_name>"
+ OBJECT IDENTIFIER mech_type = Underlying security
+ mechanism chosen by implementers. To guarantee
+ interoperability of the implementations of the GSS-TSIG
+ mechanism client MUST specify a valid underlying security
+ mechanism that enables use of Kerberos v5 (see Section 9 for
+ more information).
+ OCTET STRING input_token = NULL
+ BOOLEAN replay_det_req_flag = TRUE
+ BOOLEAN mutual_req_flag = TRUE
+ BOOLEAN deleg_req_flag = TRUE
+ BOOLEAN sequence_req_flag = TRUE
+ BOOLEAN anon_req_flag = FALSE
+ BOOLEAN integ_req_flag = TRUE
+ INTEGER lifetime_req = 0 (0 requests a default
+ value). Client MAY instead specify another upper bound for the
+ lifetime of the context to be established in seconds.
+ OCTET STRING chan_bindings = Any valid channel bindings
+ as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]
+
+ OUTPUTS
+ INTEGER major_status
+ CONTEXT HANDLE output_context_handle
+ OCTET STRING output_token
+ BOOLEAN replay_det_state
+ BOOLEAN mutual_state
+ INTEGER minor_status
+ OBJECT IDENTIFIER mech_type
+ BOOLEAN deleg_state
+
+
+
+Kwan, et al. Standards Track [Page 6]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ BOOLEAN sequence_state
+ BOOLEAN anon_state
+ BOOLEAN trans_state
+ BOOLEAN prot_ready_state
+ BOOLEAN conf_avail
+ BOOLEAN integ_avail
+ INTEGER lifetime_rec
+
+ If returned major_status is set to one of the following errors:
+
+ GSS_S_DEFECTIVE_TOKEN
+ GSS_S_DEFECTIVE_CREDENTIAL
+ GSS_S_BAD_SIG (GSS_S_BAD_MIC)
+ GSS_S_NO_CRED
+ GSS_S_CREDENTIALS_EXPIRED
+ GSS_S_BAD_BINDINGS
+ GSS_S_OLD_TOKEN
+ GSS_S_DUPLICATE_TOKEN
+ GSS_S_NO_CONTEXT
+ GSS_S_BAD_NAMETYPE
+ GSS_S_BAD_NAME
+ GSS_S_BAD_MECH
+ GSS_S_FAILURE
+
+ then the client MUST abandon the algorithm and MUST NOT use the GSS-
+ TSIG algorithm to establish this security context. This document
+ does not prescribe which other mechanism could be used to establish a
+ security context. Next time when this client needs to establish
+ security context, the client MAY use GSS-TSIG algorithm.
+
+ Success values of major_status are GSS_S_CONTINUE_NEEDED and
+ GSS_S_COMPLETE. The exact success code is important during later
+ processing.
+
+ The values of replay_det_state and mutual_state indicate if the
+ security package provides replay detection and mutual authentication,
+ respectively. If returned major_status is GSS_S_COMPLETE AND one or
+ both of these values are FALSE, the client MUST abandon this
+ algorithm.
+
+ Client's behavior MAY depend on other OUTPUT parameters according to
+ the policy local to the client.
+
+ The handle output_context_handle is unique to this negotiation and is
+ stored in the client's mapping table as the context_handle that maps
+ to target_name.
+
+
+
+
+
+Kwan, et al. Standards Track [Page 7]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+3.1.2. Send TKEY Query to Server
+
+ An opaque output_token returned by GSS_Init_sec_context is
+ transmitted to the server in a query request with QTYPE=TKEY. The
+ token itself will be placed in a Key Data field of the RDATA field in
+ the TKEY resource record in the additional records section of the
+ query. The owner name of the TKEY resource record set queried for
+ and the owner name of the supplied TKEY resource record in the
+ additional records section MUST be the same. This name uniquely
+ identifies the security context to both the client and server, and
+ thus the client SHOULD use a value which is globally unique as
+ described in [RFC2930]. To achieve global uniqueness, the name MAY
+ contain a UUID/GUID [ISO11578].
+
+ TKEY Record
+ NAME = client-generated globally unique domain name string
+ (as described in [RFC2930])
+ RDATA
+ Algorithm Name = gss-tsig
+ Mode = 3 (GSS-API negotiation - per [RFC2930])
+ Key Size = size of output_token in octets
+ Key Data = output_token
+
+ The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
+ Error, Other Size and Data Fields, MUST be set according to
+ [RFC2930].
+
+ The query is transmitted to the server.
+
+ Note: if the original client call to GSS_Init_sec_context returned
+ any major_status other than GSS_S_CONTINUE_NEEDED or GSS_S_COMPLETE,
+ then the client MUST NOT send TKEY query. Client's behavior in this
+ case is described above in Section 3.1.1.
+
+3.1.3. Receive TKEY Query-Response from Server
+
+ Upon the reception of the TKEY query the DNS server MUST respond
+ according to the description in Section 4. This section specifies
+ the behavior of the client after it receives the matching response to
+ its query.
+
+ The next processing step depends on the value of major_status from
+ the most recent call that client performed to GSS_Init_sec_context:
+ either GSS_S_COMPLETE or GSS_S_CONTINUE.
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 8]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+3.1.3.1. Value of major_status == GSS_S_COMPLETE
+
+ If the last call to GSS_Init_sec_context yielded a major_status value
+ of GSS_S_COMPLETE and a non-NULL output_token was sent to the server,
+ then the client side component of the negotiation is complete and the
+ client is awaiting confirmation from the server.
+
+ Confirmation is in the form of a query response with RCODE=NOERROR
+ and with the last client supplied TKEY record in the answer section
+ of the query. The response MUST be signed with a TSIG record. Note
+ that the server is allowed to sign a response to unsigned client's
+ query due to modification to the RFC 2845 specified in Section 2.2
+ above. The signature in the TSIG record MUST be verified using the
+ procedure detailed in section 5, Sending and Verifying Signed
+ Messages. If the response is not signed, OR if the response is
+ signed but the signature is invalid, then an attacker has tampered
+ with the message in transit or has attempted to send the client a
+ false response. In this case, the client MAY continue waiting for a
+ response to its last TKEY query until the time period since the
+ client sent last TKEY query expires. Such a time period is specified
+ by the policy local to the client. This is a new option that allows
+ the DNS client to accept multiple answers for one query ID and select
+ one (not necessarily the first one) based on some criteria.
+
+ If the signature is verified, the context state is advanced to
+ Context Established. Proceed to section 3.2 for usage of the
+ security context.
+
+3.1.3.2. Value of major_status == GSS_S_CONTINUE_NEEDED
+
+ If the last call to GSS_Init_sec_context yielded a major_status value
+ of GSS_S_CONTINUE_NEEDED, then the negotiation is not yet complete.
+ The server will return to the client a query response with a TKEY
+ record in the Answer section. If the DNS message error is not
+ NO_ERROR or error field in the TKEY record is not 0 (i.e., no error),
+ then the client MUST abandon this negotiation sequence. The client
+ MUST delete an active context by calling GSS_Delete_sec_context
+ providing the associated context_handle. The client MAY repeat the
+ negotiation sequence starting with the uninitialized state as
+ described in section 3.1. To prevent infinite looping the number of
+ attempts to establish a security context MUST be limited to ten or
+ less.
+
+ If the DNS message error is NO_ERROR and the error field in the TKEY
+ record is 0 (i.e., no error), then the client MUST pass a token
+ specified in the Key Data field in the TKEY resource record to
+
+
+
+
+
+Kwan, et al. Standards Track [Page 9]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ GSS_Init_sec_context using the same parameters values as in previous
+ call except values for CONTEXT HANDLE input_context_handle and OCTET
+ STRING input_token as described below:
+
+ INPUTS
+ CONTEXT HANDLE input_context_handle = context_handle (this is the
+ context_handle corresponding to the key_name which is the
+ owner name of the TKEY record in the answer section in the
+ TKEY query response)
+
+ OCTET STRING input_token = token from Key field of
+ TKEY record
+
+ Depending on the following OUTPUT values of GSS_Init_sec_context
+
+ INTEGER major_status
+ OCTET STRING output_token
+
+ the client MUST take one of the following actions:
+
+ If OUTPUT major_status is set to one of the following values:
+
+ GSS_S_DEFECTIVE_TOKEN
+ GSS_S_DEFECTIVE_CREDENTIAL
+ GSS_S_BAD_SIG (GSS_S_BAD_MIC)
+ GSS_S_NO_CRED
+ GSS_S_CREDENTIALS_EXPIRED
+ GSS_S_BAD_BINDINGS
+ GSS_S_OLD_TOKEN
+ GSS_S_DUPLICATE_TOKEN
+ GSS_S_NO_CONTEXT
+ GSS_S_BAD_NAMETYPE
+ GSS_S_BAD_NAME
+ GSS_S_BAD_MECH
+ GSS_S_FAILURE
+
+ the client MUST abandon this negotiation sequence. This means that
+ the client MUST delete an active context by calling
+ GSS_Delete_sec_context providing the associated context_handle. The
+ client MAY repeat the negotiation sequence starting with the
+ uninitialized state as described in section 3.1. To prevent infinite
+ looping the number of attempts to establish a security context MUST
+ be limited to ten or less.
+
+ If OUTPUT major_status is GSS_S_CONTINUE_NEEDED OR GSS_S_COMPLETE
+ then client MUST act as described below.
+
+
+
+
+
+Kwan, et al. Standards Track [Page 10]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ If the response from the server was signed, and the OUTPUT
+ major_status is GSS_S_COMPLETE,then the signature in the TSIG record
+ MUST be verified using the procedure detailed in section 5, Sending
+ and Verifying Signed Messages. If the signature is invalid, then the
+ client MUST abandon this negotiation sequence. This means that the
+ client MUST delete an active context by calling
+ GSS_Delete_sec_context providing the associated context_handle. The
+ client MAY repeat the negotiation sequence starting with the
+ uninitialized state as described in section 3.1. To prevent infinite
+ looping the number of attempts to establish a security context MUST
+ be limited to ten or less.
+
+ If major_status is GSS_S_CONTINUE_NEEDED the negotiation is not yet
+ finished. The token output_token MUST be passed to the server in a
+ TKEY record by repeating the negotiation sequence beginning with
+ section 3.1.2. The client MUST place a limit on the number of
+ continuations in a context negotiation to prevent endless looping.
+ Such limit SHOULD NOT exceed value of 10.
+
+ If major_status is GSS_S_COMPLETE and output_token is non-NULL, the
+ client-side component of the negotiation is complete but the token
+ output_token MUST be passed to the server by repeating the
+ negotiation sequence beginning with section 3.1.2.
+
+ If major_status is GSS_S_COMPLETE and output_token is NULL, context
+ negotiation is complete. The context state is advanced to Context
+ Established. Proceed to section 3.2 for usage of the security
+ context.
+
+3.2. Context Established
+
+ When context negotiation is complete, the handle context_handle MUST
+ be used for the generation and verification of transaction
+ signatures.
+
+ The procedures for sending and receiving signed messages are
+ described in section 5, Sending and Verifying Signed Messages.
+
+3.2.1. Terminating a Context
+
+ When the client is not intended to continue using the established
+ security context, the client SHOULD delete an active context by
+ calling GSS_Delete_sec_context providing the associated
+ context_handle, AND client SHOULD delete the established context on
+ the DNS server by using TKEY RR with the Mode field set to 5, i.e.,
+ "key deletion" [RFC2930].
+
+
+
+
+
+Kwan, et al. Standards Track [Page 11]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+4. Server Protocol Details
+
+ As on the client-side, the result of a successful context negotiation
+ is a context handle used in future generation and verification of the
+ transaction signatures.
+
+ A server MAY be managing several contexts with several clients.
+ Clients identify their contexts by providing a key name in their
+ request. The server maintains a mapping of key names to handles:
+
+ (key_name, context_handle)
+
+4.1. Negotiating Context
+
+ A server MUST recognize TKEY queries as security context negotiation
+ messages.
+
+4.1.1. Receive TKEY Query from Client
+
+ Upon receiving a query with QTYPE = TKEY, the server MUST examine
+ whether the Mode and Algorithm Name fields of the TKEY record in the
+ additional records section of the message contain values of 3 and
+ gss-tsig, respectively. If they do, then the (key_name,
+ context_handle) mapping table is searched for the key_name matching
+ the owner name of the TKEY record in the additional records section
+ of the query. If the name is found in the table and the security
+ context for this name is established and not expired, then the server
+ MUST respond to the query with BADNAME error in the TKEY error field.
+ If the name is found in the table and the security context is not
+ established, the corresponding context_handle is used in subsequent
+ GSS operations. If the name is found but the security context is
+ expired, then the server deletes this security context, as described
+ in Section 4.2.1, and interprets this query as a start of new
+ security context negotiation and performs operations described in
+ Section 4.1.2 and 4.1.3. If the name is not found, then the server
+ interprets this query as a start of new security context negotiation
+ and performs operations described in Section 4.1.2 and 4.1.3.
+
+4.1.2. Call GSS_Accept_sec_context
+
+ The server performs its side of a context negotiation by calling
+ GSS_Accept_sec_context. The following input parameters MUST be used.
+ The outcome of the call is indicated with the output values below.
+ Consult Sections 2.2.2 "GSS_Accept_sec_context call" of the RFC 2743
+ [RFC2743] for syntax definitions.
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 12]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ INPUTS
+ CONTEXT HANDLE input_context_handle = 0 if new negotiation,
+ context_handle matching
+ key_name if ongoing negotiation
+ OCTET STRING input_token = token specified in the Key
+ field from TKEY RR (from Additional records Section of
+ the client's query)
+
+ CREDENTIAL HANDLE acceptor_cred_handle = NULL (NULL specifies "use
+ default"). Server MAY instead specify some other valid
+ handle to its credentials.
+ OCTET STRING chan_bindings = Any valid channel bindings
+ as specified in Section 1.1.6 "Channel Bindings" in [RFC2743]
+
+ OUTPUTS
+ INTEGER major_status
+ CONTEXT_HANDLE output_context_handle
+ OCTET STRING output_token
+ INTEGER minor_status
+ INTERNAL NAME src_name
+ OBJECT IDENTIFIER mech_type
+ BOOLEAN deleg_state
+ BOOLEAN mutual_state
+ BOOLEAN replay_det_state
+ BOOLEAN sequence_state
+ BOOLEAN anon_state
+ BOOLEAN trans_state
+ BOOLEAN prot_ready_state
+ BOOLEAN conf_avail
+ BOOLEAN integ_avail
+ INTEGER lifetime_rec
+ CONTEXT_HANDLE delegated_cred_handle
+
+ If this is the first call to GSS_Accept_sec_context in a new
+ negotiation, then output_context_handle is stored in the server's
+ key-mapping table as the context_handle that maps to the name of the
+ TKEY record.
+
+4.1.3. Send TKEY Query-Response to Client
+
+ The server MUST respond to the client with a TKEY query response with
+ RCODE = NOERROR, that contains a TKEY record in the answer section.
+
+ If OUTPUT major_status is one of the following errors the error field
+ in the TKEY record set to BADKEY.
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 13]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ GSS_S_DEFECTIVE_TOKEN
+ GSS_S_DEFECTIVE_CREDENTIAL
+ GSS_S_BAD_SIG (GSS_S_BAD_MIC)
+ GSS_S_DUPLICATE_TOKEN
+ GSS_S_OLD_TOKEN
+ GSS_S_NO_CRED
+ GSS_S_CREDENTIALS_EXPIRED
+ GSS_S_BAD_BINDINGS
+ GSS_S_NO_CONTEXT
+ GSS_S_BAD_MECH
+ GSS_S_FAILURE
+
+ If OUTPUT major_status is set to GSS_S_COMPLETE or
+ GSS_S_CONTINUE_NEEDED then server MUST act as described below.
+
+ If major_status is GSS_S_COMPLETE the server component of the
+ negotiation is finished. If output_token is non-NULL, then it MUST
+ be returned to the client in a Key Data field of the RDATA in TKEY.
+ The error field in the TKEY record is set to NOERROR. The message
+ MUST be signed with a TSIG record as described in section 5, Sending
+ and Verifying Signed Messages. Note that server is allowed to sign a
+ response to unsigned client's query due to modification to the RFC
+ 2845 specified in Section 2.2 above. The context state is advanced
+ to Context Established. Section 4.2 discusses the usage of the
+ security context.
+
+ If major_status is GSS_S_COMPLETE and output_token is NULL, then the
+ TKEY record received from the client MUST be returned in the Answer
+ section of the response. The message MUST be signed with a TSIG
+ record as described in section 5, Sending and Verifying Signed
+ Messages. Note that server is allowed to sign a response to unsigned
+ client's query due to modification to the RFC 2845 specified in
+ section 2.2 above. The context state is advanced to Context
+ Established. Section 4.2 discusses the usage of the security
+ context.
+
+ If major_status is GSS_S_CONTINUE_NEEDED, the server component of the
+ negotiation is not yet finished. The server responds to the TKEY
+ query with a standard query response, placing in the answer section a
+ TKEY record containing output_token in the Key Data RDATA field. The
+ error field in the TKEY record is set to NOERROR. The server MUST
+ limit the number of times that a given context is allowed to repeat,
+ to prevent endless looping. Such limit SHOULD NOT exceed value of
+ 10.
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 14]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ In all cases, except if major_status is GSS_S_COMPLETE and
+ output_token is NULL, other TKEY record fields MUST contain the
+ following values:
+
+ NAME = key_name
+ RDATA
+ Algorithm Name = gss-tsig
+ Mode = 3 (GSS-API negotiation - per [RFC2930])
+ Key Size = size of output_token in octets
+
+ The remaining fields in the TKEY RDATA, i.e., Inception, Expiration,
+ Error, Other Size and Data Fields, MUST be set according to
+ [RFC2930].
+
+4.2. Context Established
+
+ When context negotiation is complete, the handle context_handle is
+ used for the generation and verification of transaction signatures.
+ The handle is valid for a finite amount of time determined by the
+ underlying security mechanism. A server MAY unilaterally terminate a
+ context at any time (see section 4.2.1).
+
+ Server SHOULD limit the amount of memory used to cache established
+ contexts.
+
+ The procedures for sending and receiving signed messages are given in
+ section 5, Sending and Verifying Signed Messages.
+
+4.2.1. Terminating a Context
+
+ A server can terminate any established context at any time. The
+ server MAY hint to the client that the context is being deleted by
+ including a TKEY RR in a response with the Mode field set to 5, i.e.,
+ "key deletion" [RFC2930]. An active context is deleted by calling
+ GSS_Delete_sec_context providing the associated context_handle.
+
+5. Sending and Verifying Signed Messages
+
+5.1. Sending a Signed Message - Call GSS_GetMIC
+
+ The procedure for sending a signature-protected message is specified
+ in [RFC2845]. The data to be passed to the signature routine
+ includes the whole DNS message with specific TSIG variables appended.
+ For the exact format, see [RFC2845]. For this protocol, use the
+ following TSIG variable values:
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 15]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ TSIG Record
+ NAME = key_name that identifies this context
+ RDATA
+ Algorithm Name = gss-tsig
+
+ Assign the remaining fields in the TSIG RDATA appropriate values as
+ described in [RFC2845].
+
+ The signature is generated by calling GSS_GetMIC. The following
+ input parameters MUST be used. The outcome of the call is indicated
+ with the output values specified below. Consult Sections 2.3.1
+ "GSS_GetMIC call" of the RFC 2743[RFC2743] for syntax definitions.
+
+ INPUTS
+ CONTEXT HANDLE context_handle = context_handle for key_name
+ OCTET STRING message = outgoing message plus TSIG
+ variables (per [RFC2845])
+ INTEGER qop_req = 0 (0 requests a default
+ value). Caller MAY instead specify other valid value (for
+ details see Section 1.2.4 in [RFC2743])
+
+ OUTPUTS
+ INTEGER major_status
+ INTEGER minor_status
+ OCTET STRING per_msg_token
+
+ If major_status is GSS_S_COMPLETE, then signature generation
+ succeeded. The signature in per_msg_token is inserted into the
+ Signature field of the TSIG RR and the message is transmitted.
+
+ If major_status is GSS_S_CONTEXT_EXPIRED, GSS_S_CREDENTIALS_EXPIRED
+ or GSS_S_FAILURE the caller MUST delete the security context, return
+ to the uninitialized state and SHOULD negotiate a new security
+ context, as described above in Section 3.1
+
+ If major_status is GSS_S_NO_CONTEXT, the caller MUST remove the entry
+ for key_name from the (target_ name, key_name, context_handle)
+ mapping table, return to the uninitialized state and SHOULD negotiate
+ a new security context, as described above in Section 3.1
+
+ If major_status is GSS_S_BAD_QOP, the caller SHOULD repeat the
+ GSS_GetMIC call with allowed QOP value. The number of such
+ repetitions MUST be limited to prevent infinite loops.
+
+5.2. Verifying a Signed Message - Call GSS_VerifyMIC
+
+ The procedure for verifying a signature-protected message is
+ specified in [RFC2845].
+
+
+
+Kwan, et al. Standards Track [Page 16]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ The NAME of the TSIG record determines which context_handle maps to
+ the context that MUST be used to verify the signature. If the NAME
+ does not map to an established context, the server MUST send a
+ standard TSIG error response to the client indicating BADKEY in the
+ TSIG error field (as described in [RFC2845]).
+
+ For the GSS algorithm, a signature is verified by using
+ GSS_VerifyMIC:
+
+ INPUTS
+ CONTEXT HANDLE context_handle = context_handle for key_name
+ OCTET STRING message = incoming message plus TSIG
+ variables (per [RFC2845])
+ OCTET STRING per_msg_token = Signature field from TSIG RR
+
+ OUTPUTS
+ INTEGER major_status
+ INTEGER minor_status
+ INTEGER qop_state
+
+ If major_status is GSS_S_COMPLETE, the signature is authentic and the
+ message was delivered intact. Per [RFC2845], the timer values of the
+ TSIG record MUST also be valid before considering the message to be
+ authentic. The caller MUST not act on the request or response in the
+ message until these checks are verified.
+
+ When a server is processing a client request, the server MUST send a
+ standard TSIG error response to the client indicating BADKEY in the
+ TSIG error field as described in [RFC2845], if major_status is set to
+ one of the following values
+
+ GSS_S_DEFECTIVE_TOKEN
+ GSS_S_BAD_SIG (GSS_S_BAD_MIC)
+ GSS_S_DUPLICATE_TOKEN
+ GSS_S_OLD_TOKEN
+ GSS_S_UNSEQ_TOKEN
+ GSS_S_GAP_TOKEN
+ GSS_S_CONTEXT_EXPIRED
+ GSS_S_NO_CONTEXT
+ GSS_S_FAILURE
+
+ If the timer values of the TSIG record are invalid, the message MUST
+ NOT be considered authentic. If this error checking fails when a
+ server is processing a client request, the appropriate error response
+ MUST be sent to the client according to [RFC2845].
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 17]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+6. Example usage of GSS-TSIG algorithm
+
+ This Section describes an example where a Client, client.example.com,
+ and a Server, server.example.com, establish a security context
+ according to the algorithm described above.
+
+ I. Client initializes security context negotiation
+
+ To establish a security context with a server, server.example.com, the
+ Client calls GSS_Init_sec_context with the following parameters.
+ (Note that some INPUT and OUTPUT parameters not critical for this
+ algorithm are not described in this example.)
+
+ CONTEXT HANDLE input_context_handle = 0
+ INTERNAL NAME targ_name = "DNS@server.example.com"
+ OCTET STRING input_token = NULL
+ BOOLEAN replay_det_req_flag = TRUE
+ BOOLEAN mutual_req_flag = TRUE
+
+ The OUTPUTS parameters returned by GSS_Init_sec_context include
+ INTEGER major_status = GSS_S_CONTINUE_NEEDED
+ CONTEXT HANDLE output_context_handle context_handle
+ OCTET STRING output_token output_token
+ BOOLEAN replay_det_state = TRUE
+ BOOLEAN mutual_state = TRUE
+
+ Client verifies that replay_det_state and mutual_state values are
+ TRUE. Since the major_status is GSS_S_CONTINUE_NEEDED, which is a
+ success OUTPUT major_status value, client stores context_handle that
+ maps to "DNS@server.example.com" and proceeds to the next step.
+
+ II. Client sends a query with QTYPE = TKEY to server
+
+ Client sends a query with QTYPE = TKEY for a client-generated globally
+ unique domain name string, 789.client.example.com.server.example.com.
+ Query contains a TKEY record in its Additional records section with
+ the following fields. (Note that some fields not specific to this
+ algorithm are not specified.)
+
+ NAME = 789.client.example.com.server.example.com.
+ RDATA
+ Algorithm Name = gss-tsig
+ Mode = 3 (GSS-API negotiation - per [RFC2930])
+ Key Size = size of output_token in octets
+ Key Data = output_token
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 18]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ After the key_name 789.client.example.com.server.example.com.
+ is generated it is stored in the client's (target_name, key_name,
+ context_handle) mapping table.
+
+ III. Server receives a query with QTYPE = TKEY
+
+ When server receives a query with QTYPE = TKEY, the server verifies
+ that Mode and Algorithm fields in the TKEY record in the Additional
+ records section of the query are set to 3 and "gss-tsig" respectively.
+ It finds that the key_name 789.client.example.com.server.example.com.
+ is not listed in its (key_name, context_handle) mapping table.
+
+ IV. Server calls GSS_Accept_sec_context
+
+ To continue security context negotiation server calls
+ GSS_Accept_sec_context with the following parameters. (Note that
+ some INPUT and OUTPUT parameters not critical for this algorithm
+ are not described in this example.)
+
+ INPUTS
+ CONTEXT HANDLE input_context_handle = 0
+ OCTET STRING input_token = token specified in the Key
+ field from TKEY RR (from Additional
+ records section of the client's query)
+
+ The OUTPUTS parameters returned by GSS_Accept_sec_context include
+ INTEGER major_status = GSS_S_CONTINUE_NEEDED
+ CONTEXT_HANDLE output_context_handle context_handle
+ OCTET STRING output_token output_token
+
+ Server stores the mapping of the
+ 789.client.example.com.server.example.com. to OUTPUT context_handle
+ in its (key_name, context_handle) mapping table.
+
+ V. Server responds to the TKEY query
+
+ Since the major_status = GSS_S_CONTINUE_NEEDED in the last server's
+ call to GSS_Accept_sec_context, the server responds to the TKEY query
+ placing in the answer section a TKEY record containing output_token in
+ the Key Data RDATA field. The error field in the TKEY record is set
+ to 0. The RCODE in the query response is set to NOERROR.
+
+ VI. Client processes token returned by server
+
+ When the client receives the TKEY query response from the server, the
+ client calls GSS_Init_sec_context with the following parameters.
+ (Note that some INPUT and OUTPUT parameters not critical for this
+ algorithm are not described in this example.)
+
+
+
+Kwan, et al. Standards Track [Page 19]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ CONTEXT HANDLE input_context_handle = the context_handle stored
+ in the client's mapping table entry (DNS@server.example.com.,
+ 789.client.example.com.server.example.com., context_handle)
+ INTERNAL NAME targ_name = "DNS@server.example.com"
+ OCTET STRING input_token = token from Key field of TKEY
+ record from the Answer section of the server's response
+ BOOLEAN replay_det_req_flag = TRUE
+ BOOLEAN mutual_req_flag = TRUE
+
+ The OUTPUTS parameters returned by GSS_Init_sec_context include
+ INTEGER major_status = GSS_S_COMPLETE
+ CONTEXT HANDLE output_context_handle = context_handle
+ OCTET STRING output_token = output_token
+ BOOLEAN replay_det_state = TRUE
+ BOOLEAN mutual_state = TRUE
+
+ Since the major_status is set to GSS_S_COMPLETE the client side
+ security context is established, but since the output_token is not
+ NULL client MUST send a TKEY query to the server as described below.
+
+ VII. Client sends a query with QTYPE = TKEY to server
+
+ Client sends to the server a TKEY query for the
+ 789.client.example.com.server.example.com. name. Query contains a
+ TKEY record in its Additional records section with the following
+ fields. (Note that some INPUT and OUTPUT parameters not critical to
+ this algorithm are not described in this example.)
+
+ NAME = 789.client.example.com.server.example.com.
+ RDATA
+ Algorithm Name = gss-tsig
+ Mode = 3 (GSS-API negotiation - per [RFC2930])
+ Key Size = size of output_token in octets
+ Key Data = output_token
+
+ VIII. Server receives a TKEY query
+
+ When the server receives a TKEY query, the server verifies that Mode
+ and Algorithm fields in the TKEY record in the Additional records
+ section of the query are set to 3 and gss-tsig, respectively. It
+ finds that the key_name 789.client.example.com.server.example.com. is
+ listed in its (key_name, context_handle) mapping table.
+
+
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 20]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ IX. Server calls GSS_Accept_sec_context
+
+ To continue security context negotiation server calls
+ GSS_Accept_sec_context with the following parameters (Note that some
+ INPUT and OUTPUT parameters not critical for this algorithm are not
+ described in this example)
+
+ INPUTS
+ CONTEXT HANDLE input_context_handle = context_handle from the
+ (789.client.example.com.server.example.com., context_handle)
+ entry in the server's mapping table
+ OCTET STRING input_token = token specified in the Key
+ field of TKEY RR (from Additional records Section of
+ the client's query)
+
+ The OUTPUTS parameters returned by GSS_Accept_sec_context include
+ INTEGER major_status = GSS_S_COMPLETE
+ CONTEXT_HANDLE output_context_handle = context_handle
+ OCTET STRING output_token = NULL
+
+ Since major_status = GSS_S_COMPLETE, the security context on the
+ server side is established, but the server still needs to respond to
+ the client's TKEY query, as described below. The security context
+ state is advanced to Context Established.
+
+ X. Server responds to the TKEY query
+
+ Since the major_status = GSS_S_COMPLETE in the last server's call to
+ GSS_Accept_sec_context and the output_token is NULL, the server
+ responds to the TKEY query placing in the answer section a TKEY record
+ that was sent by the client in the Additional records section of the
+ client's latest TKEY query. In addition, this server places a
+ TSIG record in additional records section of its response. Server
+ calls GSS_GetMIC to generate a signature to include it in the TSIG
+ record. The server specifies the following GSS_GetMIC INPUT
+ parameters:
+
+ CONTEXT HANDLE context_handle = context_handle from the
+ (789.client.example.com.server.example.com., context_handle)
+ entry in the server's mapping table
+ OCTET STRING message = outgoing message plus TSIG
+ variables (as described in [RFC2845])
+
+ The OUTPUTS parameters returned by GSS_GetMIC include
+ INTEGER major_status = GSS_S_COMPLETE
+ OCTET STRING per_msg_token
+
+ Signature field in the TSIG record is set to per_msg_token.
+
+
+
+Kwan, et al. Standards Track [Page 21]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ XI. Client processes token returned by server
+
+ Client receives the TKEY query response from the server. Since the
+ major_status was GSS_S_COMPLETE in the last client's call to
+ GSS_Init_sec_context, the client verifies that the server's response
+ is signed. To validate the signature, the client calls
+ GSS_VerifyMIC with the following parameters:
+
+ INPUTS
+ CONTEXT HANDLE context_handle = context_handle for
+ 789.client.example.com.server.example.com. key_name
+ OCTET STRING message = incoming message plus TSIG
+ variables (as described in [RFC2845])
+ OCTET STRING per_msg_token = Signature field from TSIG RR
+ included in the server's query response
+
+ Since the OUTPUTS parameter major_status = GSS_S_COMPLETE, the
+ signature is validated, security negotiation is complete and the
+ security context state is advanced to Context Established. These
+ client and server will use the established security context to sign
+ and validate the signatures when they exchange packets with each
+ other until the context expires.
+
+7. Security Considerations
+
+ This document describes a protocol for DNS security using GSS-API.
+ The security provided by this protocol is only as effective as the
+ security provided by the underlying GSS mechanisms.
+
+ All the security considerations from RFC 2845, RFC 2930 and RFC 2743
+ apply to the protocol described in this document.
+
+8. IANA Considerations
+
+ The IANA has reserved the TSIG Algorithm name gss-tsig for the use in
+ the Algorithm fields of TKEY and TSIG resource records. This
+ Algorithm name refers to the algorithm described in this document.
+ The requirement to have this name registered with IANA is specified
+ in RFC 2845.
+
+9. Conformance
+
+ The GSS API using SPNEGO [RFC2478] provides maximum flexibility to
+ choose the underlying security mechanisms that enables security
+ context negotiation. GSS API using SPNEGO [RFC2478] enables client
+ and server to negotiate and choose such underlying security
+ mechanisms on the fly. To support such flexibility, DNS clients and
+ servers SHOULD specify SPNEGO mech_type in their GSS API calls. At
+
+
+
+Kwan, et al. Standards Track [Page 22]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+ the same time, in order to guarantee interoperability between DNS
+ clients and servers that support GSS-TSIG it is required that
+
+ - DNS servers specify SPNEGO mech_type
+ - GSS APIs called by DNS client support Kerberos v5
+ - GSS APIs called by DNS server support SPNEGO [RFC2478] and
+ Kerberos v5.
+
+ In addition to these, GSS APIs used by DNS client and server MAY also
+ support other underlying security mechanisms.
+
+10. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+11. Acknowledgements
+
+ The authors of this document would like to thank the following people
+ for their contribution to this specification: Chuck Chan, Mike
+ Swift, Ram Viswanathan, Olafur Gudmundsson, Donald E. Eastlake, 3rd
+ and Erik Nordmark.
+
+
+
+
+
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 23]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+12. References
+
+12.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2478] Baize, E. and D. Pinkas, "The Simple and Protected GSS-API
+ Negotiation Mechanism", RFC 2478, December 1998.
+
+ [RFC2743] Linn, J., "Generic Security Service Application Program
+ Interface, Version 2 , Update 1", RFC 2743, January 2000.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS (TKEY
+ RR)", RFC 2930, September 2000.
+
+12.2. Informative References
+
+
+ [ISO11578] "Information technology", "Open Systems Interconnection",
+ "Remote Procedure Call", ISO/IEC 11578:1996,
+ http://www.iso.ch/cate/d2229.html.
+
+ [RFC1034] Mockapetris, P., "Domain Names - Concepts and Facilities",
+ STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1034, November 1987.
+
+ [RFC1964] Linn, J., "The Kerberos Version 5 GSS-API Mechanism", RFC
+ 1964, June 1996.
+
+ [RFC2025] Adams, C., "The Simple Public-Key GSS-API Mechanism
+ (SPKM)", RFC 2025, October 1996.
+
+ [RFC2137] Eastlake 3rd, D., "Secure Domain Name System Dynamic
+ Update", RFC 2137, April 1997.
+
+ [RFC2535] Eastlake 3rd, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 24]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+13. Authors' Addresses
+
+ Stuart Kwan
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ USA
+ EMail: skwan@microsoft.com
+
+ Praerit Garg
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ USA
+ EMail: praeritg@microsoft.com
+
+ James Gilroy
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ USA
+ EMail: jamesg@microsoft.com
+
+ Levon Esibov
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ USA
+ EMail: levone@microsoft.com
+
+ Randy Hall
+ Lucent Technologies
+ 400 Lapp Road
+ Malvern PA 19355
+ USA
+ EMail: randyhall@lucent.com
+
+ Jeff Westhead
+ Microsoft Corporation
+ One Microsoft Way
+ Redmond, WA 98052
+ USA
+ EMail: jwesth@microsoft.com
+
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 25]
+
+RFC 3645 GSS-TSIG October 2003
+
+
+14. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Kwan, et al. Standards Track [Page 26]
+
diff --git a/contrib/bind9/doc/rfc/rfc3655.txt b/contrib/bind9/doc/rfc/rfc3655.txt
new file mode 100644
index 0000000..13e586b
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3655.txt
@@ -0,0 +1,451 @@
+
+
+
+
+
+
+Network Working Group B. Wellington
+Request for Comments: 3655 O. Gudmundsson
+Updates: 2535 November 2003
+Category: Standards Track
+
+
+ Redefinition of DNS Authenticated Data (AD) bit
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ This document alters the specification defined in RFC 2535. Based on
+ implementation experience, the Authenticated Data (AD) bit in the DNS
+ header is not useful. This document redefines the AD bit such that
+ it is only set if all answers or records proving that no answers
+ exist in the response has been cryptographically verified or
+ otherwise meets the server's local security policy.
+
+1. Introduction
+
+ Familiarity with the DNS system [RFC1035] and DNS security extensions
+ [RFC2535] is helpful but not necessary.
+
+ As specified in RFC 2535 (section 6.1), the AD (Authenticated Data)
+ bit indicates in a response that all data included in the answer and
+ authority sections of the response have been authenticated by the
+ server according to the policies of that server. This is not
+ especially useful in practice, since a conformant server SHOULD never
+ reply with data that failed its security policy.
+
+ This document redefines the AD bit such that it is only set if all
+ data in the response has been cryptographically verified or otherwise
+ meets the server's local security policy. Thus, neither a response
+ containing properly delegated insecure data, nor a server configured
+ without DNSSEC keys, will have the AD set. As before, data that
+ failed to verify will not be returned. An application running on a
+ host that has a trust relationship with the server performing the
+
+
+
+Wellington & Gudmundsson Standards Track [Page 1]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+ recursive query can now use the value of the AD bit to determine
+ whether the data is secure.
+
+1.1. Motivation
+
+ A full DNSSEC capable resolver called directly from an application
+ can return to the application the security status of the RRsets in
+ the answer. However, most applications use a limited stub resolver
+ that relies on an external recursive name server which incorporates a
+ full resolver. The recursive nameserver can use the AD bit in a
+ response to indicate the security status of the data in the answer,
+ and the local resolver can pass this information to the application.
+ The application in this context can be either a human using a DNS
+ tool or a software application.
+
+ The AD bit SHOULD be used by the local resolver if and only if it has
+ been explicitly configured to trust the remote resolver. The AD bit
+ SHOULD be ignored when the recursive name server is not trusted.
+
+ An alternate solution would be to embed a full DNSSEC resolver into
+ every application, but this has several disadvantages.
+
+ - DNSSEC validation is both CPU and network intensive, and caching
+ SHOULD be used whenever possible.
+
+ - DNSSEC requires non-trivial configuration - the root key must be
+ configured, as well as keys for any "islands of security" that
+ will exist until DNSSEC is fully deployed. The number of
+ configuration points should be minimized.
+
+1.2. Requirements
+
+ The key words "MAY", "MAY NOT" "MUST", "MUST NOT", "SHOULD", "SHOULD
+ NOT", "RECOMMENDED", in this document are to be interpreted as
+ described in BCP 14, RFC 2119 [RFC2119].
+
+1.3. Updated documents and sections
+
+ The definition of the AD bit in RFC 2535, Section 6.1, is changed.
+
+2. Setting of AD bit
+
+ The presence of the CD (Checking Disabled) bit in a query does not
+ affect the setting of the AD bit in the response. If the CD bit is
+ set, the server will not perform checking, but SHOULD still set the
+ AD bit if the data has already been cryptographically verified or
+
+
+
+
+
+Wellington & Gudmundsson Standards Track [Page 2]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+ complies with local policy. The AD bit MUST only be set if DNSSEC
+ records have been requested via the DO bit [RFC3225] and relevant SIG
+ records are returned.
+
+2.1. Setting of AD bit by recursive servers
+
+ Section 6.1 of RFC 2535 says:
+
+ "The AD bit MUST NOT be set on a response unless all of the RRs in
+ the answer and authority sections of the response are either
+ Authenticated or Insecure."
+
+ The replacement text reads:
+
+ "The AD bit MUST NOT be set on a response unless all of the RRsets in
+ the answer and authority sections of the response are Authenticated."
+
+ "The AD bit SHOULD be set if and only if all RRs in the answer
+ section and any relevant negative response RRs in the authority
+ section are Authenticated."
+
+ A recursive DNS server following this modified specification will
+ only set the AD bit when it has cryptographically verified the data
+ in the answer.
+
+2.2. Setting of AD bit by authoritative servers
+
+ A primary server for a secure zone MAY have the policy of treating
+ authoritative secure zones as Authenticated. Secondary servers MAY
+ have the same policy, but SHOULD NOT consider zone data Authenticated
+ unless the zone was transferred securely and/or the data was
+ verified. An authoritative server MUST only set the AD bit for
+ authoritative answers from a secure zone if it has been explicitly
+ configured to do so. The default for this behavior SHOULD be off.
+
+ Note that having the AD bit clear on an authoritative answer is
+ normal and expected behavior.
+
+2.2.1. Justification for setting AD bit w/o verifying data
+
+ The setting of the AD bit by authoritative servers affects only the
+ small set of resolvers that are configured to directly query and
+ trust authoritative servers. This only affects servers that function
+ as both recursive and authoritative. Iterative resolvers SHOULD
+ ignore the AD bit.
+
+ The cost of verifying all signatures on load by an authoritative
+ server can be high and increases the delay before it can begin
+
+
+
+Wellington & Gudmundsson Standards Track [Page 3]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+ answering queries. Verifying signatures at query time is also
+ expensive and could lead to resolvers timing out on many queries
+ after the server reloads zones.
+
+ Organizations requiring that all DNS responses contain
+ cryptographically verified data will need to separate the
+ authoritative name server and signature verification functions, since
+ name servers are not required to validate signatures of data for
+ which they are authoritative.
+
+3. Interpretation of the AD bit
+
+ A response containing data marked Insecure in the answer or authority
+ section MUST never have the AD bit set. In this case, the resolver
+ SHOULD treat the data as Insecure whether or not SIG records are
+ present.
+
+ A resolver MUST NOT blindly trust the AD bit unless it communicates
+ with a recursive nameserver over a secure transport mechanism or
+ using a message authentication such as TSIG [RFC2845] or SIG(0)
+ [RFC2931] and is explicitly configured to trust this recursive name
+ server.
+
+4. Applicability statement
+
+ The AD bit is intended to allow the transmission of the indication
+ that a resolver has verified the DNSSEC signatures accompanying the
+ records in the Answer and Authority section. The AD bit MUST only be
+ trusted when the end consumer of the DNS data has confidence that the
+ intermediary resolver setting the AD bit is trustworthy. This can
+ only be accomplished via an out of band mechanism such as:
+
+ - Fiat: An organization that can dictate whether it is OK to trust
+ certain DNS servers.
+
+ - Personal: Because of a personal relationship or the reputation of
+ a recursive nameserver operator, a DNS consumer can decide to
+ trust that recursive nameserver.
+
+ - Knowledge: If a recursive nameserver operator posts the configured
+ policy of a recursive nameserver, a consumer can decide that
+ recursive nameserver is trustworthy.
+
+ In the absence of one or more of these factors AD bit from a
+ recursive name server SHOULD NOT be trusted. For example, home users
+ frequently depend on their ISP to provide recursive DNS service; it
+
+
+
+
+
+Wellington & Gudmundsson Standards Track [Page 4]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+ is not advisable to trust these recursive nameservers. A
+ roaming/traveling host SHOULD not use recursive DNS servers offered
+ by DHCP when looking up information where security status matters.
+
+ In the latter two cases, the end consumer must also completely trust
+ the path to the trusted recursive name servers, or a secure transport
+ must be employed to protect the traffic.
+
+ When faced with a situation where there are no satisfactory recursive
+ nameservers available, running one locally is RECOMMENDED. This has
+ the advantage that it can be trusted, and the AD bit can still be
+ used to allow applications to use stub resolvers.
+
+5. Security Considerations
+
+ This document redefines a bit in the DNS header. If a resolver
+ trusts the value of the AD bit, it must be sure that the responder is
+ using the updated definition, which is any DNS server/resolver
+ supporting the DO bit [RFC3225].
+
+ Authoritative servers can be explicitly configured to set the AD bit
+ on answers without doing cryptographic checks. This behavior MUST be
+ off by default. The only affected resolvers are those that directly
+ query and trust the authoritative server, and this functionality
+ SHOULD only be used on servers that act both as authoritative and
+ recursive name servers.
+
+ Resolvers (full or stub) that blindly trust the AD bit without
+ knowing the security policy of the server generating the answer can
+ not be considered security aware.
+
+ A resolver MUST NOT blindly trust the AD bit unless it communicates
+ such as IPsec, or using message authentication such as TSIG [RFC2845]
+ or SIG(0) [RFC2931]. In addition, the resolver must have been
+ explicitly configured to trust this recursive name server.
+
+6. IANA Considerations
+
+ None.
+
+7. Internationalization Considerations
+
+ None. This document does not change any textual data in any
+ protocol.
+
+
+
+
+
+
+
+Wellington & Gudmundsson Standards Track [Page 5]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+8. Intellectual Property Rights Notice
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+9. Acknowledgments
+
+ The following people have provided input on this document: Robert
+ Elz, Andreas Gustafsson, Bob Halley, Steven Jacob, Erik Nordmark,
+ Edward Lewis, Jakob Schlyter, Roy Arends, Ted Lindgreen.
+
+10. Normative References
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D. and B.
+ Wellington, "Secret Key Transaction Authentication for DNS
+ (TSIG)", RFC 2845, May 2000.
+
+ [RFC2931] Eastlake, D., "DNS Request and Transaction Signatures
+ (SIG(0))", RFC 2931, September 2000.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+
+
+Wellington & Gudmundsson Standards Track [Page 6]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+11. Authors' Addresses
+
+ Brian Wellington
+ Nominum Inc.
+ 2385 Bay Road
+ Redwood City, CA, 94063
+ USA
+
+ EMail: Brian.Wellington@nominum.com
+
+
+ Olafur Gudmundsson
+ 3821 Village Park Drive
+ Chevy Chase, MD, 20815
+ USA
+
+ EMail: ogud@ogud.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington & Gudmundsson Standards Track [Page 7]
+
+RFC 3655 Redefinition of DNS AD bit November 2003
+
+
+12. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Wellington & Gudmundsson Standards Track [Page 8]
+
diff --git a/contrib/bind9/doc/rfc/rfc3658.txt b/contrib/bind9/doc/rfc/rfc3658.txt
new file mode 100644
index 0000000..88cfb5a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3658.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Network Working Group O. Gudmundsson
+Request for Comments: 3658 December 2003
+Updates: 3090, 3008, 2535, 1035
+Category: Standards Track
+
+
+ Delegation Signer (DS) Resource Record (RR)
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ The delegation signer (DS) resource record (RR) is inserted at a zone
+ cut (i.e., a delegation point) to indicate that the delegated zone is
+ digitally signed and that the delegated zone recognizes the indicated
+ key as a valid zone key for the delegated zone. The DS RR is a
+ modification to the DNS Security Extensions definition, motivated by
+ operational considerations. The intent is to use this resource
+ record as an explicit statement about the delegation, rather than
+ relying on inference.
+
+ This document defines the DS RR, gives examples of how it is used and
+ describes the implications on resolvers. This change is not
+ backwards compatible with RFC 2535. This document updates RFC 1035,
+ RFC 2535, RFC 3008 and RFC 3090.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 1]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+Table of Contents
+
+ 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.2. Reserved Words. . . . . . . . . . . . . . . . . . . . . 4
+ 2. Specification of the Delegation key Signer. . . . . . . . . . 4
+ 2.1. Delegation Signer Record Model. . . . . . . . . . . . . 4
+ 2.2. Protocol Change . . . . . . . . . . . . . . . . . . . . 5
+ 2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations
+ at Delegation Points . . . . . . . . . . . . . 6
+ 2.2.1.1. Special processing for DS queries. . . 6
+ 2.2.1.2. Special processing when child and an
+ ancestor share nameserver. . . . . . . 7
+ 2.2.1.3. Modification on use of KEY RR in the
+ construction of Responses. . . . . . . 8
+ 2.2.2. Signer's Name (replaces RFC3008 section 2.7). . 9
+ 2.2.3. Changes to RFC 3090 . . . . . . . . . . . . . . 9
+ 2.2.3.1. RFC 3090: Updates to section 1:
+ Introduction . . . . . . . . . . . . . 9
+ 2.2.3.2. RFC 3090 section 2.1: Globally
+ Secured. . . . . . . . . . . . . . . . 10
+ 2.2.3.3. RFC 3090 section 3: Experimental
+ Status . . . . . . . . . . . . . . . . 10
+ 2.2.4. NULL KEY elimination. . . . . . . . . . . . . . 10
+ 2.3. Comments on Protocol Changes. . . . . . . . . . . . . . 10
+ 2.4. Wire Format of the DS record. . . . . . . . . . . . . . 11
+ 2.4.1. Justifications for Fields . . . . . . . . . . . 12
+ 2.5. Presentation Format of the DS Record. . . . . . . . . . 12
+ 2.6. Transition Issues for Installed Base. . . . . . . . . . 12
+ 2.6.1. Backwards compatibility with RFC 2535 and
+ RFC 1035. . . . . . . . . . . . . . . . . . . . 12
+ 2.7. KEY and corresponding DS record example . . . . . . . . 13
+ 3. Resolver. . . . . . . . . . . . . . . . . . . . . . . . . . . 14
+ 3.1. DS Example" . . . . . . . . . . . . . . . . . . . . . . 14
+ 3.2. Resolver Cost Estimates for DS Records" . . . . . . . . 15
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . . 15
+ 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
+ 6. Intellectual Property Statement . . . . . . . . . . . . . . . 16
+ 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17
+ 8. References. . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 8.1. Normative References. . . . . . . . . . . . . . . . . . 17
+ 8.2. Informational References. . . . . . . . . . . . . . . . 17
+ 9. Author's Address. . . . . . . . . . . . . . . . . . . . . . . 18
+ 10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 19
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 2]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+1. Introduction
+
+ Familiarity with the DNS system [RFC1035], DNS security extensions
+ [RFC2535], and DNSSEC terminology [RFC3090] is important.
+
+ Experience shows that when the same data can reside in two
+ administratively different DNS zones, the data frequently gets out of
+ sync. The presence of an NS RRset in a zone anywhere other than at
+ the apex indicates a zone cut or delegation. The RDATA of the NS
+ RRset specifies the authoritative nameservers for the delegated or
+ "child" zone. Based on actual measurements, 10-30% of all
+ delegations on the Internet have differing NS RRsets at parent and
+ child. There are a number of reasons for this, including a lack of
+ communication between parent and child and bogus name servers being
+ listed to meet registry requirements.
+
+ DNSSEC [RFC2535, RFC3008, RFC3090] specifies that a child zone needs
+ to have its KEY RRset signed by its parent to create a verifiable
+ chain of KEYs. There has been some debate on where the signed KEY
+ RRset should reside, whether at the child [RFC2535] or at the parent.
+ If the KEY RRset resides at the child, maintaining the signed KEY
+ RRset in the child requires frequent two-way communication between
+ the two parties. First, the child transmits the KEY RRset to the
+ parent and then the parent sends the signature(s) to the child.
+ Storing the KEY RRset at the parent was thought to simplify the
+ communication.
+
+ DNSSEC [RFC2535] requires that the parent store a NULL KEY record for
+ an unsecure child zone to indicate that the child is unsecure. A
+ NULL KEY record is a waste: an entire signed RRset is used to
+ communicate effectively one bit of information - that the child is
+ unsecure. Chasing down NULL KEY RRsets complicates the resolution
+ process in many cases, because nameservers for both parent and child
+ need to be queried for the KEY RRset if the child nameserver does not
+ return it. Storing the KEY RRset only in the parent zone simplifies
+ this and would allow the elimination of the NULL KEY RRsets entirely.
+ For large delegation zones, the cost of NULL keys is a significant
+ barrier to deployment.
+
+ Prior to the restrictions imposed by RFC 3445 [RFC3445], another
+ implication of the DNSSEC key model is that the KEY record could be
+ used to store public keys for other protocols in addition to DNSSEC
+ keys. There are a number of potential problems with this, including:
+
+ 1. The KEY RRset can become quite large if many applications and
+ protocols store their keys at the zone apex. Possible protocols
+ are IPSEC, HTTP, SMTP, SSH and others that use public key
+ cryptography.
+
+
+
+Gudmundsson Standards Track [Page 3]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ 2. The KEY RRset may require frequent updates.
+
+ 3. The probability of compromised or lost keys, which trigger
+ emergency key roll-over procedures, increases.
+
+ 4. The parent may refuse to sign KEY RRsets with non-DNSSEC zone
+ keys.
+
+ 5. The parent may not meet the child's expectations of turnaround
+ time for resigning the KEY RRset.
+
+ Given these reasons, SIG@parent isn't any better than SIG/KEY@Child.
+
+1.2. Reserved Words
+
+ The key words "MAY", "MAY NOT", "MUST", "MUST NOT", "REQUIRED",
+ "RECOMMENDED", "SHOULD", and "SHOULD NOT" in this document are to be
+ interpreted as described in BCP 14, RFC 2119 [RFC2119].
+
+2. Specification of the Delegation key Signer
+
+ This section defines the Delegation Signer (DS) RR type (type code
+ 43) and the changes to DNS to accommodate it.
+
+2.1. Delegation Signer Record Model
+
+ This document presents a replacement for the DNSSEC KEY record chain
+ of trust [RFC2535] that uses a new RR that resides only at the
+ parent. This record identifies the key(s) that the child uses to
+ self-sign its own KEY RRset.
+
+ Even though DS identifies two roles for KEYs, Key Signing Key (KSK)
+ and Zone Signing Key (ZSK), there is no requirement that zone uses
+ two different keys for these roles. It is expected that many small
+ zones will only use one key, while larger zones will be more likely
+ to use multiple keys.
+
+ The chain of trust is now established by verifying the parent KEY
+ RRset, the DS RRset from the parent and the KEY RRset at the child.
+ This is cryptographically equivalent to using just KEY records.
+
+ Communication between the parent and child is greatly reduced, since
+ the child only needs to notify the parent about changes in keys that
+ sign its apex KEY RRset. The parent is ignorant of all other keys in
+ the child's apex KEY RRset. Furthermore, the child maintains full
+ control over the apex KEY RRset and its content. The child can
+ maintain any policies regarding its KEY usage for DNSSEC with minimal
+ impact on the parent. Thus, if the child wants to have frequent key
+
+
+
+Gudmundsson Standards Track [Page 4]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ roll-over for its DNS zone keys, the parent does not need to be aware
+ of it. The child can use one key to sign only its apex KEY RRset and
+ a different key to sign the other RRsets in the zone.
+
+ This model fits well with a slow roll out of DNSSEC and the islands
+ of security model. In this model, someone who trusts "good.example."
+ can preconfigure a key from "good.example." as a trusted key, and
+ from then on trusts any data signed by that key or that has a chain
+ of trust to that key. If "example." starts advertising DS records,
+ "good.example." does not have to change operations by suspending
+ self-signing. DS records can be used in configuration files to
+ identify trusted keys instead of KEY records. Another significant
+ advantage is that the amount of information stored in large
+ delegation zones is reduced: rather than the NULL KEY record at every
+ unsecure delegation demanded by RFC 2535, only secure delegations
+ require additional information in the form of a signed DS RRset.
+
+ The main disadvantage of this approach is that verifying a zone's KEY
+ RRset requires two signature verification operations instead of the
+ one in RFC 2535 chain of trust. There is no impact on the number of
+ signatures verified for other types of RRsets.
+
+2.2. Protocol Change
+
+ All DNS servers and resolvers that support DS MUST support the OK bit
+ [RFC3225] and a larger message size [RFC3226]. In order for a
+ delegation to be considered secure the delegation MUST contain a DS
+ RRset. If a query contains the OK bit, a nameserver returning a
+ referral for the delegation MUST include the following RRsets in the
+ authority section in this order:
+
+ If DS RRset is present:
+ parent's copy of child's NS RRset
+ DS and SIG(DS)
+
+ If no DS RRset is present:
+ parent's copy of child's NS RRset
+ parent's zone NXT and SIG(NXT)
+
+ This increases the size of referral messages, possibly causing some
+ or all glue to be omitted. If the DS or NXT RRsets with signatures
+ do not fit in the DNS message, the TC bit MUST be set. Additional
+ section processing is not changed.
+
+ A DS RRset accompanying a NS RRset indicates that the child zone is
+ secure. If a NS RRset exists without a DS RRset, the child zone is
+ unsecure (from the parents point of view). DS RRsets MUST NOT appear
+ at non-delegation points or at a zone's apex.
+
+
+
+Gudmundsson Standards Track [Page 5]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ Section 2.2.1 defines special considerations related to authoritative
+ nameservers responding to DS queries and replaces RFC 2535 sections
+ 2.3.4 and 3.4. Section 2.2.2 replaces RFC 3008 section 2.7, and
+ section 2.2.3 updates RFC 3090.
+
+2.2.1. RFC 2535 2.3.4 and 3.4: Special Considerations at Delegation
+ Points
+
+ DNS security views each zone as a unit of data completely under the
+ control of the zone owner with each entry (RRset) signed by a special
+ private key held by the zone manager. But the DNS protocol views the
+ leaf nodes in a zone that are also the apex nodes of a child zone
+ (i.e., delegation points) as "really" belonging to the child zone.
+ The corresponding domain names appear in two master files and might
+ have RRsets signed by both the parent and child zones' keys. A
+ retrieval could get a mixture of these RRsets and SIGs, especially
+ since one nameserver could be serving both the zone above and below a
+ delegation point [RFC2181].
+
+ Each DS RRset stored in the parent zone MUST be signed by at least
+ one of the parent zone's private keys. The parent zone MUST NOT
+ contain a KEY RRset at any delegation point. Delegations in the
+ parent MAY contain only the following RR types: NS, DS, NXT and SIG.
+ The NS RRset MUST NOT be signed. The NXT RRset is the exceptional
+ case: it will always appear differently and authoritatively in both
+ the parent and child zones, if both are secure.
+
+ A secure zone MUST contain a self-signed KEY RRset at its apex. Upon
+ verifying the DS RRset from the parent, a resolver MAY trust any KEY
+ identified in the DS RRset as a valid signer of the child's apex KEY
+ RRset. Resolvers configured to trust one of the keys signing the KEY
+ RRset MAY now treat any data signed by the zone keys in the KEY RRset
+ as secure. In all other cases, resolvers MUST consider the zone
+ unsecure.
+
+ An authoritative nameserver queried for type DS MUST return the DS
+ RRset in the answer section.
+
+2.2.1.1. Special processing for DS queries
+
+ When a nameserver is authoritative for the parent zone at a
+ delegation point and receives a query for the DS record at that name,
+ it MUST answer based on data in the parent zone, return DS or
+ negative answer. This is true whether or not it is also
+ authoritative for the child zone.
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 6]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ When the nameserver is authoritative for the child zone at a
+ delegation point but not the parent zone, there is no natural
+ response, since the child zone is not authoritative for the DS record
+ at the zone's apex. As these queries are only expected to originate
+ from recursive nameservers which are not DS-aware, the authoritative
+ nameserver MUST answer with:
+
+ RCODE: NOERROR
+ AA bit: set
+ Answer Section: Empty
+ Authority Section: SOA [+ SIG(SOA) + NXT + SIG(NXT)]
+
+ That is, it answers as if it is authoritative and the DS record does
+ not exist. DS-aware recursive nameservers will query the parent zone
+ at delegation points, so will not be affected by this.
+
+ A nameserver authoritative for only the child zone, that is also a
+ caching server MAY (if the RD bit is set in the query) perform
+ recursion to find the DS record at the delegation point, or MAY
+ return the DS record from its cache. In this case, the AA bit MUST
+ NOT be set in the response.
+
+2.2.1.2. Special processing when child and an ancestor share
+ nameserver
+
+ Special rules are needed to permit DS RR aware nameservers to
+ gracefully interact with older caches which otherwise might falsely
+ label a nameserver as lame because of the placement of the DS RR set.
+
+ Such a situation might arise when a nameserver is authoritative for
+ both a zone and it's grandparent, but not the parent. This sounds
+ like an obscure example, but it is very real. The root zone is
+ currently served on 13 machines, and "root-servers.net." is served on
+ 4 of the 13, but "net." is severed on different nameservers.
+
+ When a nameserver receives a query for (<QNAME>, DS, <QCLASS>), the
+ response MUST be determined from reading these rules in order:
+
+ 1) If the nameserver is authoritative for the zone that holds the DS
+ RR set (i.e., the zone that delegates <QNAME>, a.k.a. the "parent"
+ zone), the response contains the DS RR set as an authoritative
+ answer.
+
+ 2) If the nameserver is offering recursive service and the RD bit is
+ set in the query, the nameserver performs the query itself
+ (according to the rules for resolvers described below) and returns
+ its findings.
+
+
+
+
+Gudmundsson Standards Track [Page 7]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ 3) If the nameserver is authoritative for the zone that holds the
+ <QNAME>'s SOA RR set, the response is an authoritative negative
+ answer as described in 2.2.1.1.
+
+ 4) If the nameserver is authoritative for a zone or zones above the
+ QNAME, a referral to the most enclosing (deepest match) zone's
+ servers is made.
+
+ 5) If the nameserver is not authoritative for any part of the QNAME,
+ a response indicating a lame nameserver for QNAME is given.
+
+ Using these rules will require some special processing on the part of
+ a DS RR aware resolver. To illustrate this, an example is used.
+
+ Assuming a nameserver is authoritative for roots.example.net. and for
+ the root zone but not the intervening two zones (or the intervening
+ two label deep zone). Assume that QNAME=roots.example.net.,
+ QTYPE=DS, and QCLASS=IN.
+
+ The resolver will issue this request (assuming no cached data)
+ expecting a referral to a nameserver for .net. Instead, rule number
+ 3 above applies and a negative answer is returned by the nameserver.
+ The reaction by the resolver is not to accept this answer as final,
+ as it can determine from the SOA RR in the negative answer the
+ context within which the nameserver has answered.
+
+ A solution would be to instruct the resolver to hunt for the
+ authoritative zone of the data in a brute force manner.
+
+ This can be accomplished by taking the owner name of the returned SOA
+ RR and striping off enough left-hand labels until a successful NS
+ response is obtained. A successful response here means that the
+ answer has NS records in it. (Entertaining the possibility that a
+ cut point can be two labels down in a zone.)
+
+ Returning to the example, the response will include a negative answer
+ with either the SOA RR for "roots.example.net." or "example.net."
+ depending on whether roots.example.net is a delegated domain. In
+ either case, removing the left most label of the SOA owner name will
+ lead to the location of the desired data.
+
+2.2.1.3. Modification on use of KEY RR in the construction of Responses
+
+ This section updates RFC 2535 section 3.5 by replacing it with the
+ following:
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 8]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ A query for KEY RR MUST NOT trigger any additional section
+ processing. Security aware resolvers will include corresponding SIG
+ records in the answer section.
+
+ KEY records SHOULD NOT be added to the additional records section in
+ response to any query.
+
+ RFC 2535 specified that KEY records be added to the additional
+ section when SOA or NS records were included in an answer. This was
+ done to reduce round trips (in the case of SOA) and to force out NULL
+ KEYs (in the NS case). As this document obsoletes NULL keys, there
+ is no need for the inclusion of KEYs with NSs. Furthermore, as SOAs
+ are included in the authority section of negative answers, including
+ the KEYs each time will cause redundant transfers of KEYs.
+
+ RFC 2535 section 3.5 also included a rule for adding the KEY RRset to
+ the response for a query for A and AAAA types. As Restrict KEY
+ [RFC3445] eliminated use of KEY RR by all applications, this rule is
+ no longer needed.
+
+2.2.2. Signer's Name (replaces RFC 3008 section 2.7)
+
+ The signer's name field of a SIG RR MUST contain the name of the zone
+ to which the data and signature belong. The combination of signer's
+ name, key tag, and algorithm MUST identify a zone key if the SIG is
+ to be considered material. This document defines a standard policy
+ for DNSSEC validation; local policy MAY override the standard policy.
+
+ There are no restrictions on the signer field of a SIG(0) record. The
+ combination of signer's name, key tag, and algorithm MUST identify a
+ key if this SIG(0) is to be processed.
+
+2.2.3. Changes to RFC 3090
+
+ A number of sections in RFC 3090 need to be updated to reflect the DS
+ record.
+
+2.2.3.1. RFC 3090: Updates to section 1: Introduction
+
+ Most of the text is still relevant but the words "NULL key" are to be
+ replaced with "missing DS RRset". In section 1.3, the last three
+ paragraphs discuss the confusion in sections of RFC 2535 that are
+ replaced in section 2.2.1 above. Therefore, these paragraphs are now
+ obsolete.
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 9]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+2.2.3.2. RFC 3090 section 2.1: Globally Secured
+
+ Rule 2.1.b is replaced by the following rule:
+
+ 2.1.b. The KEY RRset at a zone's apex MUST be self-signed by a
+ private key whose public counterpart MUST appear in a zone signing
+ KEY RR (2.a) owned by the zone's apex and specifying a mandatory-to-
+ implement algorithm. This KEY RR MUST be identified by a DS RR in a
+ signed DS RRset in the parent zone.
+
+ If a zone cannot get its parent to advertise a DS record for it, the
+ child zone cannot be considered globally secured. The only exception
+ to this is the root zone, for which there is no parent zone.
+
+2.2.3.3. RFC 3090 section 3: Experimental Status.
+
+ The only difference between experimental status and globally secured
+ is the missing DS RRset in the parent zone. All locally secured
+ zones are experimental.
+
+2.2.4. NULL KEY elimination
+
+ RFC 3445 section 3 eliminates the top two bits in the flags field of
+ KEY RR. These two bits were used to indicate NULL KEY or NO KEY. RFC
+ 3090 defines that zone as either secure or not and these rules
+ eliminate the need to put NULL keys in the zone apex to indicate that
+ the zone is not secured for a algorithm. Along with this document,
+ these other two eliminate all uses for the NULL KEY. This document
+ obsoletes NULL KEY.
+
+2.3. Comments on Protocol Changes
+
+ Over the years, there have been various discussions surrounding the
+ DNS delegation model, declaring it to be broken because there is no
+ good way to assert if a delegation exists. In the RFC 2535 version
+ of DNSSEC, the presence of the NS bit in the NXT bit map proves there
+ is a delegation at this name. Something more explicit is required
+ and the DS record addresses this need for secure delegations.
+
+ The DS record is a major change to DNS: it is the first resource
+ record that can appear only on the upper side of a delegation.
+ Adding it will cause interoperability problems and requires a flag
+ day for DNSSEC. Many old nameservers and resolvers MUST be upgraded
+ to take advantage of DS. Some old nameservers will be able to be
+ authoritative for zones with DS records but will not add the NXT or
+ DS records to the authority section. The same is true for caching
+ nameservers; in fact, some might even refuse to pass on the DS or NXT
+ records.
+
+
+
+Gudmundsson Standards Track [Page 10]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+2.4. Wire Format of the DS record
+
+ The DS (type=43) record contains these fields: key tag, algorithm,
+ digest type, and the digest of a public key KEY record that is
+ allowed and/or used to sign the child's apex KEY RRset. Other keys
+ MAY sign the child's apex KEY RRset.
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | key tag | algorithm | Digest type |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | digest (length depends on type) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | (SHA-1 digest is 20 bytes) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-|
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ The key tag is calculated as specified in RFC 2535. Algorithm MUST
+ be allowed to sign DNS data. The digest type is an identifier for
+ the digest algorithm used. The digest is calculated over the
+ canonical name of the delegated domain name followed by the whole
+ RDATA of the KEY record (all four fields).
+
+ digest = hash( canonical FQDN on KEY RR | KEY_RR_rdata)
+
+ KEY_RR_rdata = Flags | Protocol | Algorithm | Public Key
+
+ Digest type value 0 is reserved, value 1 is SHA-1, and reserving
+ other types requires IETF standards action. For interoperability
+ reasons, keeping number of digest algorithms low is strongly
+ RECOMMENDED. The only reason to reserve additional digest types is
+ to increase security.
+
+ DS records MUST point to zone KEY records that are allowed to
+ authenticate DNS data. The indicated KEY records protocol field MUST
+ be set to 3; flag field bit 7 MUST be set to 1. The value of other
+ flag bits is not significant for the purposes of this document.
+
+ The size of the DS RDATA for type 1 (SHA-1) is 24 bytes, regardless
+ of key size. New digest types probably will have larger digests.
+
+
+
+
+
+Gudmundsson Standards Track [Page 11]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+2.4.1. Justifications for Fields
+
+ The algorithm and key tag fields are present to allow resolvers to
+ quickly identify the candidate KEY records to examine. SHA-1 is a
+ strong cryptographic checksum: it is computationally infeasible for
+ an attacker to generate a KEY record that has the same SHA-1 digest.
+ Combining the name of the key and the key rdata as input to the
+ digest provides stronger assurance of the binding. Having the key
+ tag in the DS record adds greater assurance than the SHA-1 digest
+ alone, as there are now two different mapping functions.
+
+ This format allows concise representation of the keys that the child
+ will use, thus keeping down the size of the answer for the
+ delegation, reducing the probability of DNS message overflow. The
+ SHA-1 hash is strong enough to uniquely identify the key and is
+ similar to the PGP key footprint. The digest type field is present
+ for possible future expansion.
+
+ The DS record is well suited to listing trusted keys for islands of
+ security in configuration files.
+
+2.5. Presentation Format of the DS Record
+
+ The presentation format of the DS record consists of three numbers
+ (key tag, algorithm, and digest type) followed by the digest itself
+ presented in hex:
+
+ example. DS 12345 3 1 123456789abcdef67890123456789abcdef67890
+
+2.6. Transition Issues for Installed Base
+
+ No backwards compatibility with RFC 2535 is provided.
+
+ RFC 2535-compliant resolvers will assume that all DS-secured
+ delegations are locally secure. This is bad, but the DNSEXT Working
+ Group has determined that rather than dealing with both RFC 2535-
+ secured zones and DS-secured zones, a rapid adoption of DS is
+ preferable. Thus, the only option for early adopters is to upgrade
+ to DS as soon as possible.
+
+2.6.1. Backwards compatibility with RFC 2535 and RFC 1035
+
+ This section documents how a resolver determines the type of
+ delegation.
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 12]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ RFC 1035 delegation (in parent) has:
+
+ RFC 1035 NS
+
+ RFC 2535 adds the following two cases:
+
+ Secure RFC 2535: NS + NXT + SIG(NXT)
+ NXT bit map contains: NS SIG NXT
+ Unsecure RFC 2535: NS + KEY + SIG(KEY) + NXT + SIG(NXT)
+ NXT bit map contains: NS SIG KEY NXT
+ KEY must be a NULL key.
+
+ DNSSEC with DS has the following two states:
+
+ Secure DS: NS + DS + SIG(DS)
+ NXT bit map contains: NS SIG NXT DS
+ Unsecure DS: NS + NXT + SIG(NXT)
+ NXT bit map contains: NS SIG NXT
+
+ It is difficult for a resolver to determine if a delegation is secure
+ RFC 2535 or unsecure DS. This could be overcome by adding a flag to
+ the NXT bit map, but only upgraded resolvers would understand this
+ flag, anyway. Having both parent and child signatures for a KEY
+ RRset might allow old resolvers to accept a zone as secure, but the
+ cost of doing this for a long time is much higher than just
+ prohibiting RFC 2535-style signatures at child zone apexes and
+ forcing rapid deployment of DS-enabled nameservers and resolvers.
+
+ RFC 2535 and DS can, in theory, be deployed in parallel, but this
+ would require resolvers to deal with RFC 2535 configurations forever.
+ This document obsoletes the NULL KEY in parent zones, which is a
+ difficult enough change that to cause a flag day.
+
+2.7. KEY and corresponding DS record example
+
+ This is an example of a KEY record and the corresponding DS record.
+
+ dskey.example. KEY 256 3 1 (
+ AQPwHb4UL1U9RHaU8qP+Ts5bVOU1s7fYbj2b3CCbzNdj
+ 4+/ECd18yKiyUQqKqQFWW5T3iVc8SJOKnueJHt/Jb/wt
+ ) ; key id = 28668
+ DS 28668 1 1 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 13]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+3. Resolver
+
+3.1. DS Example
+
+ To create a chain of trust, a resolver goes from trusted KEY to DS to
+ KEY.
+
+ Assume the key for domain "example." is trusted. Zone "example."
+ contains at least the following records:
+ example. SOA <soa stuff>
+ example. NS ns.example.
+ example. KEY <stuff>
+ example. NXT secure.example. NS SOA KEY SIG NXT
+ example. SIG(SOA)
+ example. SIG(NS)
+ example. SIG(NXT)
+ example. SIG(KEY)
+ secure.example. NS ns1.secure.example.
+ secure.example. DS tag=12345 alg=3 digest_type=1 <foofoo>
+ secure.example. NXT unsecure.example. NS SIG NXT DS
+ secure.example. SIG(NXT)
+ secure.example. SIG(DS)
+ unsecure.example NS ns1.unsecure.example.
+ unsecure.example. NXT example. NS SIG NXT
+ unsecure.example. SIG(NXT)
+
+ In zone "secure.example." following records exist:
+ secure.example. SOA <soa stuff>
+ secure.example. NS ns1.secure.example.
+ secure.example. KEY <tag=12345 alg=3>
+ secure.example. KEY <tag=54321 alg=5>
+ secure.example. NXT <nxt stuff>
+ secure.example. SIG(KEY) <key-tag=12345 alg=3>
+ secure.example. SIG(SOA) <key-tag=54321 alg=5>
+ secure.example. SIG(NS) <key-tag=54321 alg=5>
+ secure.example. SIG(NXT) <key-tag=54321 alg=5>
+
+ In this example, the private key for "example." signs the DS record
+ for "secure.example.", making that a secure delegation. The DS
+ record states which key is expected to sign the KEY RRset at
+ "secure.example.". Here "secure.example." signs its KEY RRset with
+ the KEY identified in the DS RRset, thus the KEY RRset is validated
+ and trusted.
+
+ This example has only one DS record for the child, but parents MUST
+ allow multiple DS records to facilitate key roll-over and multiple
+ KEY algorithms.
+
+
+
+
+Gudmundsson Standards Track [Page 14]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ The resolver determines the security status of "unsecure.example." by
+ examining the parent zone's NXT record for this name. The absence of
+ the DS bit indicates an unsecure delegation. Note the NXT record
+ SHOULD only be examined after verifying the corresponding signature.
+
+3.2. Resolver Cost Estimates for DS Records
+
+ From a RFC 2535 recursive resolver point of view, for each delegation
+ followed to chase down an answer, one KEY RRset has to be verified.
+ Additional RRsets might also need to be verified based on local
+ policy (e.g., the contents of the NS RRset). Once the resolver gets
+ to the appropriate delegation, validating the answer might require
+ verifying one or more signatures. A simple A record lookup requires
+ at least N delegations to be verified and one RRset. For a DS-
+ enabled recursive resolver, the cost is 2N+1. For an MX record,
+ where the target of the MX record is in the same zone as the MX
+ record, the costs are N+2 and 2N+2, for RFC 2535 and DS,
+ respectively. In the case of a negative answer, the same ratios hold
+ true.
+
+ The recursive resolver has to do an extra query to get the DS record,
+ which will increase the overall cost of resolving this question, but
+ it will never be worse than chasing down NULL KEY records from the
+ parent in RFC 2535 DNSSEC.
+
+ DS adds processing overhead on resolvers and increases the size of
+ delegation answers, but much less than storing signatures in the
+ parent zone.
+
+4. Security Considerations
+
+ This document proposes a change to the validation chain of KEY
+ records in DNSSEC. The change is not believed to reduce security in
+ the overall system. In RFC 2535 DNSSEC, the child zone has to
+ communicate keys to its parent and prudent parents will require some
+ authentication with that transaction. The modified protocol will
+ require the same authentication, but allows the child to exert more
+ local control over its own KEY RRset.
+
+ There is a remote possibility that an attacker could generate a valid
+ KEY that matches all the DS fields, of a specific DS set, and thus
+ forge data from the child. This possibility is considered
+ impractical, as on average more than
+
+ 2 ^ (160 - <Number of keys in DS set>)
+
+ keys would have to be generated before a match would be found.
+
+
+
+
+Gudmundsson Standards Track [Page 15]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+ An attacker that wants to match any DS record will have to generate
+ on average at least 2^80 keys.
+
+ The DS record represents a change to the DNSSEC protocol and there is
+ an installed base of implementations, as well as textbooks on how to
+ set up secure delegations. Implementations that do not understand
+ the DS record will not be able to follow the KEY to DS to KEY chain
+ and will consider all zones secured that way as unsecure.
+
+5. IANA Considerations
+
+ IANA has allocated an RR type code for DS from the standard RR type
+ space (type 43).
+
+ IANA has established a new registry for the DS RR type for digest
+ algorithms. Defined types are:
+
+ 0 is Reserved,
+ 1 is SHA-1.
+
+ Adding new reservations requires IETF standards action.
+
+6. Intellectual Property Statement
+
+ The IETF takes no position regarding the validity or scope of any
+ intellectual property or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; neither does it represent that it
+ has made any effort to identify any such rights. Information on the
+ IETF's procedures with respect to rights in standards-track and
+ standards-related documentation can be found in BCP-11. Copies of
+ claims of rights made available for publication and any assurances of
+ licenses to be made available, or the result of an attempt made to
+ obtain a general license or permission for the use of such
+ proprietary rights by implementors or users of this specification can
+ be obtained from the IETF Secretariat.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights which may cover technology that may be required to practice
+ this standard. Please address the information to the IETF Executive
+ Director.
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 16]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+7. Acknowledgments
+
+ Over the last few years a number of people have contributed ideas
+ that are captured in this document. The core idea of using one key
+ to sign only the KEY RRset comes from discussions with Bill Manning
+ and Perry Metzger on how to put in a single root key in all
+ resolvers. Alexis Yushin, Brian Wellington, Sam Weiler, Paul Vixie,
+ Jakob Schlyter, Scott Rose, Edward Lewis, Lars-Johan Liman, Matt
+ Larson, Mark Kosters, Dan Massey, Olaf Kolman, Phillip Hallam-Baker,
+ Miek Gieben, Havard Eidnes, Donald Eastlake 3rd., Randy Bush, David
+ Blacka, Steve Bellovin, Rob Austein, Derek Atkins, Roy Arends, Mark
+ Andrews, Harald Alvestrand, and others have provided useful comments.
+
+8. References
+
+8.1. Normative References
+
+ [RFC1035] Mockapetris, P., "Domain Names - Implementation and
+ Specification", STD 13, RFC 1035, November 1987.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [RFC3008] Wellington, B., "Domain Name System Security (DNSSEC)
+ Signing Authority", RFC 3008, November 2000.
+
+ [RFC3090] Lewis, E., "DNS Security Extension Clarification on Zone
+ Status", RFC 3090, March 2001.
+
+ [RFC3225] Conrad, D., "Indicating Resolver Support of DNSSEC", RFC
+ 3225, December 2001.
+
+ [RFC3445] Massey, D. and S. Rose, "Limiting the scope of the KEY
+ Resource Record (RR)", RFC 3445, December 2002.
+
+8.2. Informational References
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC3226] Gudmundsson, O., "DNSSEC and IPv6 A6 aware server/resolver
+ message size requirements", RFC 3226, December 2001.
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 17]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+9. Author's Address
+
+ Olafur Gudmundsson
+ 3821 Village Park Drive
+ Chevy Chase, MD, 20815
+
+ EMail: ds-rfc@ogud.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 18]
+
+RFC 3658 Delegation Signer (DS) Resource Record (RR) December 2003
+
+
+10. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assignees.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gudmundsson Standards Track [Page 19]
+
diff --git a/contrib/bind9/doc/rfc/rfc3833.txt b/contrib/bind9/doc/rfc/rfc3833.txt
new file mode 100644
index 0000000..8ce4d34
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3833.txt
@@ -0,0 +1,899 @@
+
+
+
+
+
+
+Network Working Group D. Atkins
+Request for Comments: 3833 IHTFP Consulting
+Category: Informational R. Austein
+ ISC
+ August 2004
+
+
+ Threat Analysis of the Domain Name System (DNS)
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ Although the DNS Security Extensions (DNSSEC) have been under
+ development for most of the last decade, the IETF has never written
+ down the specific set of threats against which DNSSEC is designed to
+ protect. Among other drawbacks, this cart-before-the-horse situation
+ has made it difficult to determine whether DNSSEC meets its design
+ goals, since its design goals are not well specified. This note
+ attempts to document some of the known threats to the DNS, and, in
+ doing so, attempts to measure to what extent (if any) DNSSEC is a
+ useful tool in defending against these threats.
+
+1. Introduction
+
+ The earliest organized work on DNSSEC within the IETF was an open
+ design team meeting organized by members of the DNS working group in
+ November 1993 at the 28th IETF meeting in Houston. The broad
+ outlines of DNSSEC as we know it today are already clear in Jim
+ Galvin's summary of the results of that meeting [Galvin93]:
+
+ - While some participants in the meeting were interested in
+ protecting against disclosure of DNS data to unauthorized parties,
+ the design team made an explicit decision that "DNS data is
+ `public'", and ruled all threats of data disclosure explicitly out
+ of scope for DNSSEC.
+
+ - While some participants in the meeting were interested in
+ authentication of DNS clients and servers as a basis for access
+ control, this work was also ruled out of scope for DNSSEC per se.
+
+
+
+Atkins & Austein Informational [Page 1]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ - Backwards compatibility and co-existence with "insecure DNS" was
+ listed as an explicit requirement.
+
+ - The resulting list of desired security services was
+ 1) data integrity, and
+ 2) data origin authentication.
+
+ - The design team noted that a digital signature mechanism would
+ support the desired services.
+
+ While a number of detail decisions were yet to be made (and in some
+ cases remade after implementation experience) over the subsequent
+ decade, the basic model and design goals have remained fixed.
+
+ Nowhere, however, does any of the DNSSEC work attempt to specify in
+ any detail the sorts of attacks against which DNSSEC is intended to
+ protect, or the reasons behind the list of desired security services
+ that came out of the Houston meeting. For that, we have to go back
+ to a paper originally written by Steve Bellovin in 1990 but not
+ published until 1995, for reasons that Bellovin explained in the
+ paper's epilogue [Bellovin95].
+
+ While it may seem a bit strange to publish the threat analysis a
+ decade after starting work on the protocol designed to defend against
+ it, that is, nevertheless, what this note attempts to do. Better
+ late than never.
+
+ This note assumes that the reader is familiar with both the DNS and
+ with DNSSEC, and does not attempt to provide a tutorial on either.
+ The DNS documents most relevant to the subject of this note are:
+ [RFC1034], [RFC1035], section 6.1 of [RFC1123], [RFC2181], [RFC2308],
+ [RFC2671], [RFC2845], [RFC2930], [RFC3007], and [RFC2535].
+
+ For purposes of discussion, this note uses the term "DNSSEC" to refer
+ to the core hierarchical public key and signature mechanism specified
+ in the DNSSEC documents, and refers to TKEY and TSIG as separate
+ mechanisms, even though channel security mechanisms such as TKEY and
+ TSIG are also part of the larger problem of "securing DNS" and thus
+ are often considered part of the overall set of "DNS security
+ extensions". This is an arbitrary distinction that in part reflects
+ the way in which the protocol has evolved (introduction of a
+ putatively simpler channel security model for certain operations such
+ as zone transfers and dynamic update requests), and perhaps should be
+ changed in a future revision of this note.
+
+
+
+
+
+
+
+Atkins & Austein Informational [Page 2]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+2. Known Threats
+
+ There are several distinct classes of threats to the DNS, most of
+ which are DNS-related instances of more general problems, but a few
+ of which are specific to peculiarities of the DNS protocol.
+
+2.1. Packet Interception
+
+ Some of the simplest threats against DNS are various forms of packet
+ interception: monkey-in-the-middle attacks, eavesdropping on requests
+ combined with spoofed responses that beat the real response back to
+ the resolver, and so forth. In any of these scenarios, the attacker
+ can simply tell either party (usually the resolver) whatever it wants
+ that party to believe. While packet interception attacks are far
+ from unique to DNS, DNS's usual behavior of sending an entire query
+ or response in a single unsigned, unencrypted UDP packet makes these
+ attacks particularly easy for any bad guy with the ability to
+ intercept packets on a shared or transit network.
+
+ To further complicate things, the DNS query the attacker intercepts
+ may just be a means to an end for the attacker: the attacker might
+ even choose to return the correct result in the answer section of a
+ reply message while using other parts of the message to set the stage
+ for something more complicated, for example, a name chaining attack
+ (see section 2.3).
+
+ While it certainly would be possible to sign DNS messages using a
+ channel security mechanism such as TSIG or IPsec, or even to encrypt
+ them using IPsec, this would not be a very good solution for
+ interception attacks. First, this approach would impose a fairly
+ high processing cost per DNS message, as well as a very high cost
+ associated with establishing and maintaining bilateral trust
+ relationships between all the parties that might be involved in
+ resolving any particular query. For heavily used name servers (such
+ as the servers for the root zone), this cost would almost certainly
+ be prohibitively high. Even more important, however, is that the
+ underlying trust model in such a design would be wrong, since at best
+ it would only provide a hop-by-hop integrity check on DNS messages
+ and would not provide any sort of end-to-end integrity check between
+ the producer of DNS data (the zone administrator) and the consumer of
+ DNS data (the application that triggered the query).
+
+ By contrast, DNSSEC (when used properly) does provide an end-to-end
+ data integrity check, and is thus a much better solution for this
+ class of problems during basic DNS lookup operations.
+
+
+
+
+
+
+Atkins & Austein Informational [Page 3]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ TSIG does have its place in corners of the DNS protocol where there's
+ a specific trust relationship between a particular client and a
+ particular server, such as zone transfer, dynamic update, or a
+ resolver (stub or otherwise) that is not going to check all the
+ DNSSEC signatures itself.
+
+ Note that DNSSEC does not provide any protection against modification
+ of the DNS message header, so any properly paranoid resolver must:
+
+ - Perform all of the DNSSEC signature checking on its own,
+
+ - Use TSIG (or some equivalent mechanism) to ensure the integrity of
+ its communication with whatever name servers it chooses to trust,
+ or
+
+ - Resign itself to the possibility of being attacked via packet
+ interception (and via other techniques discussed below).
+
+2.2. ID Guessing and Query Prediction
+
+ Since DNS is for the most part used over UDP/IP, it is relatively
+ easy for an attacker to generate packets which will match the
+ transport protocol parameters. The ID field in the DNS header is
+ only a 16-bit field and the server UDP port associated with DNS is a
+ well-known value, so there are only 2**32 possible combinations of ID
+ and client UDP port for a given client and server. This is not a
+ particularly large range, and is not sufficient to protect against a
+ brute force search; furthermore, in practice both the client UDP port
+ and the ID can often be predicted from previous traffic, and it is
+ not uncommon for the client port to be a known fixed value as well
+ (due to firewalls or other restrictions), thus frequently reducing
+ the search space to a range smaller than 2**16.
+
+ By itself, ID guessing is not enough to allow an attacker to inject
+ bogus data, but combined with knowledge (or guesses) about QNAMEs and
+ QTYPEs for which a resolver might be querying, this leaves the
+ resolver only weakly defended against injection of bogus responses.
+
+ Since this attack relies on predicting a resolver's behavior, it's
+ most likely to be successful when the victim is in a known state,
+ whether because the victim rebooted recently, or because the victim's
+ behavior has been influenced by some other action by the attacker, or
+ because the victim is responding (in a predictable way) to some third
+ party action known to the attacker.
+
+
+
+
+
+
+
+Atkins & Austein Informational [Page 4]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ This attack is both more and less difficult for the attacker than the
+ simple interception attack described above: more difficult, because
+ the attack only works when the attacker guesses correctly; less
+ difficult, because the attacker doesn't need to be on a transit or
+ shared network.
+
+ In most other respects, this attack is similar to a packet
+ interception attack. A resolver that checks DNSSEC signatures will
+ be able to detect the forged response; resolvers that do not perform
+ DNSSEC signature checking themselves should use TSIG or some
+ equivalent mechanism to ensure the integrity of their communication
+ with a recursive name server that does perform DNSSEC signature
+ checking.
+
+2.3. Name Chaining
+
+ Perhaps the most interesting class of DNS-specific threats are the
+ name chaining attacks. These are a subset of a larger class of
+ name-based attacks, sometimes called "cache poisoning" attacks. Most
+ name-based attacks can be partially mitigated by the long-standing
+ defense of checking RRs in response messages for relevance to the
+ original query, but such defenses do not catch name chaining attacks.
+ There are several variations on the basic attack, but what they all
+ have in common is that they all involve DNS RRs whose RDATA portion
+ (right hand side) includes a DNS name (or, in a few cases, something
+ that is not a DNS name but which directly maps to a DNS name). Any
+ such RR is, at least in principle, a hook that lets an attacker feed
+ bad data into a victim's cache, thus potentially subverting
+ subsequent decisions based on DNS names.
+
+ The worst examples in this class of RRs are CNAME, NS, and DNAME RRs
+ because they can redirect a victim's query to a location of the
+ attacker's choosing. RRs like MX and SRV are somewhat less
+ dangerous, but in principle they can also be used to trigger further
+ lookups at a location of the attacker's choosing. Address RR types
+ such as A or AAAA don't have DNS names in their RDATA, but since the
+ IN-ADDR.ARPA and IP6.ARPA trees are indexed using a DNS encoding of
+ IPv4 and IPv6 addresses, these record types can also be used in a
+ name chaining attack.
+
+ The general form of a name chaining attack is something like this:
+
+ - Victim issues a query, perhaps at the instigation of the attacker
+ or some third party; in some cases the query itself may be
+ unrelated to the name under attack (that is, the attacker is just
+ using this query as a means to inject false information about some
+ other name).
+
+
+
+
+Atkins & Austein Informational [Page 5]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ - Attacker injects response, whether via packet interception, query
+ guessing, or by being a legitimate name server that's involved at
+ some point in the process of answering the query that the victim
+ issued.
+
+ - Attacker's response includes one or more RRs with DNS names in
+ their RDATA; depending on which particular form this attack takes,
+ the object may be to inject false data associated with those names
+ into the victim's cache via the Additional section of this
+ response, or may be to redirect the next stage of the query to a
+ server of the attacker's choosing (in order to inject more complex
+ lies into the victim's cache than will fit easily into a single
+ response, or in order to place the lies in the Authority or Answer
+ section of a response where they will have a better chance of
+ sneaking past a resolver's defenses).
+
+ Any attacker who can insert resource records into a victim's cache
+ can almost certainly do some kind of damage, so there are cache
+ poisoning attacks which are not name chaining attacks in the sense
+ discussed here. However, in the case of name chaining attacks, the
+ cause and effect relationship between the initial attack and the
+ eventual result may be significantly more complex than in the other
+ forms of cache poisoning, so name chaining attacks merit special
+ attention.
+
+ The common thread in all of the name chaining attacks is that
+ response messages allow the attacker to introduce arbitrary DNS names
+ of the attacker's choosing and provide further information that the
+ attacker claims is associated with those names; unless the victim has
+ better knowledge of the data associated with those names, the victim
+ is going to have a hard time defending against this class of attacks.
+
+ This class of attack is particularly insidious given that it's quite
+ easy for an attacker to provoke a victim into querying for a
+ particular name of the attacker's choosing, for example, by embedding
+ a link to a 1x1-pixel "web bug" graphic in a piece of Text/HTML mail
+ to the victim. If the victim's mail reading program attempts to
+ follow such a link, the result will be a DNS query for a name chosen
+ by the attacker.
+
+ DNSSEC should provide a good defense against most (all?) variations
+ on this class of attack. By checking signatures, a resolver can
+ determine whether the data associated with a name really was inserted
+ by the delegated authority for that portion of the DNS name space.
+ More precisely, a resolver can determine whether the entity that
+ injected the data had access to an allegedly secret key whose
+
+
+
+
+
+Atkins & Austein Informational [Page 6]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ corresponding public key appears at an expected location in the DNS
+ name space with an expected chain of parental signatures that start
+ with a public key of which the resolver has prior knowledge.
+
+ DNSSEC signatures do not cover glue records, so there's still a
+ possibility of a name chaining attack involving glue, but with DNSSEC
+ it is possible to detect the attack by temporarily accepting the glue
+ in order to fetch the signed authoritative version of the same data,
+ then checking the signatures on the authoritative version.
+
+2.4. Betrayal By Trusted Server
+
+ Another variation on the packet interception attack is the trusted
+ server that turns out not to be so trustworthy, whether by accident
+ or by intent. Many client machines are only configured with stub
+ resolvers, and use trusted servers to perform all of their DNS
+ queries on their behalf. In many cases the trusted server is
+ furnished by the user's ISP and advertised to the client via DHCP or
+ PPP options. Besides accidental betrayal of this trust relationship
+ (via server bugs, successful server break-ins, etc), the server
+ itself may be configured to give back answers that are not what the
+ user would expect, whether in an honest attempt to help the user or
+ to promote some other goal such as furthering a business partnership
+ between the ISP and some third party.
+
+ This problem is particularly acute for frequent travelers who carry
+ their own equipment and expect it to work in much the same way
+ wherever they go. Such travelers need trustworthy DNS service
+ without regard to who operates the network into which their equipment
+ is currently plugged or what brand of middle boxes the local
+ infrastructure might use.
+
+ While the obvious solution to this problem would be for the client to
+ choose a more trustworthy server, in practice this may not be an
+ option for the client. In many network environments a client machine
+ has only a limited set of recursive name servers from which to
+ choose, and none of them may be particularly trustworthy. In extreme
+ cases, port filtering or other forms of packet interception may
+ prevent the client host from being able to run an iterative resolver
+ even if the owner of the client machine is willing and able to do so.
+ Thus, while the initial source of this problem is not a DNS protocol
+ attack per se, this sort of betrayal is a threat to DNS clients, and
+ simply switching to a different recursive name server is not an
+ adequate defense.
+
+ Viewed strictly from the DNS protocol standpoint, the only difference
+ between this sort of betrayal and a packet interception attack is
+ that in this case the client has voluntarily sent its request to the
+
+
+
+Atkins & Austein Informational [Page 7]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ attacker. The defense against this is the same as with a packet
+ interception attack: the resolver must either check DNSSEC signatures
+ itself or use TSIG (or equivalent) to authenticate the server that it
+ has chosen to trust. Note that use of TSIG does not by itself
+ guarantee that a name server is at all trustworthy: all TSIG can do
+ is help a resolver protect its communication with a name server that
+ it has already decided to trust for other reasons. Protecting a
+ resolver's communication with a server that's giving out bogus
+ answers is not particularly useful.
+
+ Also note that if the stub resolver does not trust the name server
+ that is doing work on its behalf and wants to check the DNSSEC
+ signatures itself, the resolver really does need to have independent
+ knowledge of the DNSSEC public key(s) it needs in order to perform
+ the check. Usually the public key for the root zone is enough, but
+ in some cases knowledge of additional keys may also be appropriate.
+
+ It is difficult to escape the conclusion that a properly paranoid
+ resolver must always perform its own signature checking, and that
+ this rule even applies to stub resolvers.
+
+2.5. Denial of Service
+
+ As with any network service (or, indeed, almost any service of any
+ kind in any domain of discourse), DNS is vulnerable to denial of
+ service attacks. DNSSEC does not help this, and may in fact make the
+ problem worse for resolvers that check signatures, since checking
+ signatures both increases the processing cost per DNS message and in
+ some cases can also increase the number of messages needed to answer
+ a query. TSIG (and similar mechanisms) have equivalent problems.
+
+ DNS servers are also at risk of being used as denial of service
+ amplifiers, since DNS response packets tend to be significantly
+ longer than DNS query packets. Unsurprisingly, DNSSEC doesn't help
+ here either.
+
+2.6. Authenticated Denial of Domain Names
+
+ Much discussion has taken place over the question of authenticated
+ denial of domain names. The particular question is whether there is
+ a requirement for authenticating the non-existence of a name. The
+ issue is whether the resolver should be able to detect when an
+ attacker removes RRs from a response.
+
+ General paranoia aside, the existence of RR types whose absence
+ causes an action other than immediate failure (such as missing MX and
+ SRV RRs, which fail over to A RRs) constitutes a real threat.
+ Arguably, in some cases, even the absence of an RR might be
+
+
+
+Atkins & Austein Informational [Page 8]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ considered a problem. The question remains: how serious is this
+ threat? Clearly the threat does exist; general paranoia says that
+ some day it'll be on the front page of some major newspaper, even if
+ we cannot conceive of a plausible scenario involving this attack
+ today. This implies that some mitigation of this risk is required.
+
+ Note that it's necessary to prove the non-existence of applicable
+ wildcard RRs as part of the authenticated denial mechanism, and that,
+ in a zone that is more than one label deep, such a proof may require
+ proving the non-existence of multiple discrete sets of wildcard RRs.
+
+ DNSSEC does include mechanisms which make it possible to determine
+ which authoritative names exist in a zone, and which authoritative
+ resource record types exist at those names. The DNSSEC protections
+ do not cover non-authoritative data such as glue records.
+
+2.7. Wildcards
+
+ Much discussion has taken place over whether and how to provide data
+ integrity and data origin authentication for "wildcard" DNS names.
+ Conceptually, RRs with wildcard names are patterns for synthesizing
+ RRs on the fly according to the matching rules described in section
+ 4.3.2 of RFC 1034. While the rules that control the behavior of
+ wildcard names have a few quirks that can make them a trap for the
+ unwary zone administrator, it's clear that a number of sites make
+ heavy use of wildcard RRs, particularly wildcard MX RRs.
+
+ In order to provide the desired services for wildcard RRs, we need to
+ do two things:
+
+ - We need a way to attest to the existence of the wildcard RR itself
+ (that is, we need to show that the synthesis rule exists), and
+
+ - We need a way to attest to the non-existence of any RRs which, if
+ they existed, would make the wildcard RR irrelevant according to
+ the synthesis rules that govern the way in which wildcard RRs are
+ used (that is, we need to show that the synthesis rule is
+ applicable).
+
+ Note that this makes the wildcard mechanisms dependent upon the
+ authenticated denial mechanism described in the previous section.
+
+ DNSSEC includes mechanisms along the lines described above, which
+ make it possible for a resolver to verify that a name server applied
+ the wildcard expansion rules correctly when generating an answer.
+
+
+
+
+
+
+Atkins & Austein Informational [Page 9]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+3. Weaknesses of DNSSEC
+
+ DNSSEC has some problems of its own:
+
+ - DNSSEC is complex to implement and includes some nasty edge cases
+ at the zone cuts that require very careful coding. Testbed
+ experience to date suggests that trivial zone configuration errors
+ or expired keys can cause serious problems for a DNSSEC-aware
+ resolver, and that the current protocol's error reporting
+ capabilities may leave something to be desired.
+
+ - DNSSEC significantly increases the size of DNS response packets;
+ among other issues, this makes DNSSEC-aware DNS servers even more
+ effective as denial of service amplifiers.
+
+ - DNSSEC answer validation increases the resolver's work load, since
+ a DNSSEC-aware resolver will need to perform signature validation
+ and in some cases will also need to issue further queries. This
+ increased workload will also increase the time it takes to get an
+ answer back to the original DNS client, which is likely to trigger
+ both timeouts and re-queries in some cases. Arguably, many current
+ DNS clients are already too impatient even before taking the
+ further delays that DNSSEC will impose into account, but that topic
+ is beyond the scope of this note.
+
+ - Like DNS itself, DNSSEC's trust model is almost totally
+ hierarchical. While DNSSEC does allow resolvers to have special
+ additional knowledge of public keys beyond those for the root, in
+ the general case the root key is the one that matters. Thus any
+ compromise in any of the zones between the root and a particular
+ target name can damage DNSSEC's ability to protect the integrity of
+ data owned by that target name. This is not a change, since
+ insecure DNS has the same model.
+
+ - Key rollover at the root is really hard. Work to date has not even
+ come close to adequately specifying how the root key rolls over, or
+ even how it's configured in the first place.
+
+ - DNSSEC creates a requirement of loose time synchronization between
+ the validating resolver and the entity creating the DNSSEC
+ signatures. Prior to DNSSEC, all time-related actions in DNS could
+ be performed by a machine that only knew about "elapsed" or
+ "relative" time. Because the validity period of a DNSSEC signature
+ is based on "absolute" time, a validating resolver must have the
+ same concept of absolute time as the zone signer in order to
+ determine whether the signature is within its validity period or
+ has expired. An attacker that can change a resolver's opinion of
+ the current absolute time can fool the resolver using expired
+
+
+
+Atkins & Austein Informational [Page 10]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ signatures. An attacker that can change the zone signer's opinion
+ of the current absolute time can fool the zone signer into
+ generating signatures whose validity period does not match what the
+ signer intended.
+
+ - The possible existence of wildcard RRs in a zone complicates the
+ authenticated denial mechanism considerably. For most of the
+ decade that DNSSEC has been under development these issues were
+ poorly understood. At various times there have been questions as
+ to whether the authenticated denial mechanism is completely
+ airtight and whether it would be worthwhile to optimize the
+ authenticated denial mechanism for the common case in which
+ wildcards are not present in a zone. However, the main problem is
+ just the inherent complexity of the wildcard mechanism itself.
+ This complexity probably makes the code for generating and checking
+ authenticated denial attestations somewhat fragile, but since the
+ alternative of giving up wildcards entirely is not practical due to
+ widespread use, we are going to have to live with wildcards. The
+ question just becomes one of whether or not the proposed
+ optimizations would make DNSSEC's mechanisms more or less fragile.
+
+ - Even with DNSSEC, the class of attacks discussed in section 2.4 is
+ not easy to defeat. In order for DNSSEC to be effective in this
+ case, it must be possible to configure the resolver to expect
+ certain categories of DNS records to be signed. This may require
+ manual configuration of the resolver, especially during the initial
+ DNSSEC rollout period when the resolver cannot reasonably expect
+ the root and TLD zones to be signed.
+
+4. Topics for Future Work
+
+ This section lists a few subjects not covered above which probably
+ need additional study, additional mechanisms, or both.
+
+4.1. Interactions With Other Protocols
+
+ The above discussion has concentrated exclusively on attacks within
+ the boundaries of the DNS protocol itself, since those are (some of)
+ the problems against which DNSSEC was intended to protect. There
+ are, however, other potential problems at the boundaries where DNS
+ interacts with other protocols.
+
+4.2. Securing DNS Dynamic Update
+
+ DNS dynamic update opens a number of potential problems when combined
+ with DNSSEC. Dynamic update of a non-secure zone can use TSIG to
+ authenticate the updating client to the server. While TSIG does not
+ scale very well (it requires manual configuration of shared keys
+
+
+
+Atkins & Austein Informational [Page 11]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ between the DNS name server and each TSIG client), it works well in a
+ limited or closed environment such as a DHCP server updating a local
+ DNS name server.
+
+ Major issues arise when trying to use dynamic update on a secure
+ zone. TSIG can similarly be used in a limited fashion to
+ authenticate the client to the server, but TSIG only protects DNS
+ transactions, not the actual data, and the TSIG is not inserted into
+ the DNS zone, so resolvers cannot use the TSIG as a way of verifying
+ the changes to the zone. This means that either:
+
+ a) The updating client must have access to a zone-signing key in
+ order to sign the update before sending it to the server, or
+
+ b) The DNS name server must have access to an online zone-signing key
+ in order to sign the update.
+
+ In either case, a zone-signing key must be available to create signed
+ RRsets to place in the updated zone. The fact that this key must be
+ online (or at least available) is a potential security risk.
+
+ Dynamic update also requires an update to the SERIAL field of the
+ zone's SOA RR. In theory, this could also be handled via either of
+ the above options, but in practice (a) would almost certainly be
+ extremely fragile, so (b) is the only workable mechanism.
+
+ There are other threats in terms of describing the policy of who can
+ make what changes to which RRsets in the zone. The current access
+ control scheme in Secure Dynamic Update is fairly limited. There is
+ no way to give fine-grained access to updating DNS zone information
+ to multiple entities, each of whom may require different kinds of
+ access. For example, Alice may need to be able to add new nodes to
+ the zone or change existing nodes, but not remove them; Bob may need
+ to be able to remove zones but not add them; Carol may need to be
+ able to add, remove, or modify nodes, but only A records.
+
+ Scaling properties of the key management problem here are a
+ particular concern that needs more study.
+
+4.3. Securing DNS Zone Replication
+
+ As discussed in previous sections, DNSSEC per se attempts to provide
+ data integrity and data origin authentication services on top of the
+ normal DNS query protocol. Using the terminology discussed in
+ [RFC3552], DNSSEC provides "object security" for the normal DNS query
+ protocol. For purposes of replicating entire DNS zones, however,
+ DNSSEC does not provide object security, because zones include
+ unsigned NS RRs and glue at delegation points. Use of TSIG to
+
+
+
+Atkins & Austein Informational [Page 12]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ protect zone transfer (AXFR or IXFR) operations provides "channel
+ security", but still does not provide object security for complete
+ zones. The trust relationships involved in zone transfer are still
+ very much a hop-by-hop matter of name server operators trusting other
+ name server operators rather than an end-to-end matter of name server
+ operators trusting zone administrators.
+
+ Zone object security was not an explicit design goal of DNSSEC, so
+ failure to provide this service should not be a surprise.
+ Nevertheless, there are some zone replication scenarios for which
+ this would be a very useful additional service, so this seems like a
+ useful area for future work. In theory it should not be difficult to
+ add zone object security as a backwards compatible enhancement to the
+ existing DNSSEC model, but the DNSEXT WG has not yet discussed either
+ the desirability of or the requirements for such an enhancement.
+
+5. Conclusion
+
+ Based on the above analysis, the DNSSEC extensions do appear to solve
+ a set of problems that do need to be solved, and are worth deploying.
+
+Security Considerations
+
+ This entire document is about security considerations of the DNS.
+ The authors believe that deploying DNSSEC will help to address some,
+ but not all, of the known threats to the DNS.
+
+Acknowledgments
+
+ This note is based both on previous published works by others and on
+ a number of discussions both public and private over a period of many
+ years, but particular thanks go to
+
+ Jaap Akkerhuis,
+ Steve Bellovin,
+ Dan Bernstein,
+ Randy Bush,
+ Steve Crocker,
+ Olafur Gudmundsson,
+ Russ Housley,
+ Rip Loomis,
+ Allison Mankin,
+ Paul Mockapetris,
+ Thomas Narten
+ Mans Nilsson,
+ Pekka Savola,
+ Paul Vixie,
+ Xunhua Wang,
+
+
+
+Atkins & Austein Informational [Page 13]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+ and any other members of the DNS, DNSSEC, DNSIND, and DNSEXT working
+ groups whose names and contributions the authors have forgotten, none
+ of whom are responsible for what the authors did with their ideas.
+
+ As with any work of this nature, the authors of this note acknowledge
+ that we are standing on the toes of those who have gone before us.
+ Readers interested in this subject may also wish to read
+ [Bellovin95], [Schuba93], and [Vixie95].
+
+Normative References
+
+ [RFC1034] Mockapetris, P., "Domain names - concepts and
+ facilities", STD 13, RFC 1034, November 1987.
+
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [RFC1123] Braden, R., "Requirements for Internet Hosts -
+ Application and Support", STD 3, RFC 1123, October 1989.
+
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
+ Specification", RFC 2181, July 1997.
+
+ [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS
+ NCACHE)", RFC 2308, March 1998.
+
+ [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", RFC
+ 2671, August 1999.
+
+ [RFC2845] Vixie, P., Gudmundsson, O., Eastlake 3rd, D., and B.
+ Wellington, "Secret Key Transaction Authentication for
+ DNS (TSIG)", RFC 2845, May 2000.
+
+ [RFC2930] Eastlake 3rd, D., "Secret Key Establishment for DNS
+ (TKEY RR)", RFC 2930, September 2000.
+
+ [RFC3007] Wellington, B., "Secure Domain Name System (DNS) Dynamic
+ Update", RFC 3007, November 2000.
+
+ [RFC2535] Eastlake 3rd, D., "Domain Name System Security
+ Extensions", RFC 2535, March 1999.
+
+
+
+
+
+
+
+
+
+
+Atkins & Austein Informational [Page 14]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+Informative References
+
+ [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
+ Text on Security Considerations", BCP 72, RFC 3552, July
+ 2003.
+
+ [Bellovin95] Bellovin, S., "Using the Domain Name System for System
+ Break-Ins", Proceedings of the Fifth Usenix Unix
+ Security Symposium, June 1995.
+
+ [Galvin93] Design team meeting summary message posted to dns-
+ security@tis.com mailing list by Jim Galvin on 19
+ November 1993.
+
+ [Schuba93] Schuba, C., "Addressing Weaknesses in the Domain Name
+ System Protocol", Master's thesis, Purdue University
+ Department of Computer Sciences, August 1993.
+
+ [Vixie95] Vixie, P, "DNS and BIND Security Issues", Proceedings of
+ the Fifth Usenix Unix Security Symposium, June 1995.
+
+Authors' Addresses
+
+ Derek Atkins
+ IHTFP Consulting, Inc.
+ 6 Farragut Ave
+ Somerville, MA 02144
+ USA
+
+ EMail: derek@ihtfp.com
+
+
+ Rob Austein
+ Internet Systems Consortium
+ 950 Charter Street
+ Redwood City, CA 94063
+ USA
+
+ EMail: sra@isc.org
+
+
+
+
+
+
+
+
+
+
+
+
+Atkins & Austein Informational [Page 15]
+
+RFC 3833 DNS Threat Analysis August 2004
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004). This document is subject
+ to the rights, licenses and restrictions contained in BCP 78, and
+ except as set forth therein, the authors retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
+ OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
+ ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
+ INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+Atkins & Austein Informational [Page 16]
+
diff --git a/contrib/bind9/doc/rfc/rfc3845.txt b/contrib/bind9/doc/rfc/rfc3845.txt
new file mode 100644
index 0000000..9887a20
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc3845.txt
@@ -0,0 +1,395 @@
+
+
+
+
+
+
+Network Working Group J. Schlyter, Ed.
+Request for Comments: 3845 August 2004
+Updates: 3755, 2535
+Category: Standards Track
+
+
+ DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2004).
+
+Abstract
+
+ This document redefines the wire format of the "Type Bit Map" field
+ in the DNS NextSECure (NSEC) resource record RDATA format to cover
+ the full resource record (RR) type space.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
+ 2. The NSEC Resource Record . . . . . . . . . . . . . . . . . . . 2
+ 2.1. NSEC RDATA Wire Format . . . . . . . . . . . . . . . . . 3
+ 2.1.1. The Next Domain Name Field . . . . . . . . . . . 3
+ 2.1.2. The List of Type Bit Map(s) Field . . . . . . . 3
+ 2.1.3. Inclusion of Wildcard Names in NSEC RDATA . . . 4
+ 2.2. The NSEC RR Presentation Format . . . . . . . . . . . . 4
+ 2.3. NSEC RR Example . . . . . . . . . . . . . . . . . . . . 5
+ 3. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
+ 5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5.1. Normative References . . . . . . . . . . . . . . . . . . 6
+ 5.2. Informative References . . . . . . . . . . . . . . . . . 6
+ 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
+ 7. Author's Address . . . . . . . . . . . . . . . . . . . . . . . 6
+ 8. Full Copyright Statement . . . . . . . . . . . . . . . . . . . 7
+
+
+
+
+
+
+
+Schlyter, Ed. Standards Track [Page 1]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+1. Introduction
+
+ The DNS [6][7] NSEC [5] Resource Record (RR) is used for
+ authenticated proof of the non-existence of DNS owner names and
+ types. The NSEC RR is based on the NXT RR as described in RFC 2535
+ [2], and is similar except for the name and typecode. The RDATA
+ format for the NXT RR has the limitation in that the RDATA could only
+ carry information about the existence of the first 127 types. RFC
+ 2535 did reserve a bit to specify an extension mechanism, but the
+ mechanism was never actually defined.
+
+ In order to avoid needing to develop an extension mechanism into a
+ deployed base of DNSSEC aware servers and resolvers once the first
+ 127 type codes are allocated, this document redefines the wire format
+ of the "Type Bit Map" field in the NSEC RDATA to cover the full RR
+ type space.
+
+ This document introduces a new format for the type bit map. The
+ properties of the type bit map format are that it can cover the full
+ possible range of typecodes, that it is relatively economical in the
+ amount of space it uses for the common case of a few types with an
+ owner name, that it can represent owner names with all possible types
+ present in packets of approximately 8.5 kilobytes, and that the
+ representation is simple to implement. Efficient searching of the
+ type bitmap for the presence of certain types is not a requirement.
+
+ For convenience and completeness, this document presents the syntax
+ and semantics for the NSEC RR based on the specification in RFC 2535
+ [2] and as updated by RFC 3755 [5], thereby not introducing changes
+ except for the syntax of the type bit map.
+
+ This document updates RFC 2535 [2] and RFC 3755 [5].
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119 [1].
+
+2. The NSEC Resource Record
+
+ The NSEC resource record lists two separate things: the owner name of
+ the next RRset in the canonical ordering of the zone, and the set of
+ RR types present at the NSEC RR's owner name. The complete set of
+ NSEC RRs in a zone indicate which RRsets exist in a zone, and form a
+ chain of owner names in the zone. This information is used to
+ provide authenticated denial of existence for DNS data, as described
+ in RFC 2535 [2].
+
+ The type value for the NSEC RR is 47.
+
+
+
+Schlyter, Ed. Standards Track [Page 2]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+ The NSEC RR RDATA format is class independent and defined for all
+ classes.
+
+ The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL
+ field. This is in the spirit of negative caching [8].
+
+2.1. NSEC RDATA Wire Format
+
+ The RDATA of the NSEC RR is as shown below:
+
+ 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Next Domain Name /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / List of Type Bit Map(s) /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+2.1.1. The Next Domain Name Field
+
+ The Next Domain Name field contains the owner name of the next RR in
+ the canonical ordering of the zone. The value of the Next Domain
+ Name field in the last NSEC record in the zone is the name of the
+ zone apex (the owner name of the zone's SOA RR).
+
+ A sender MUST NOT use DNS name compression on the Next Domain Name
+ field when transmitting an NSEC RR.
+
+ Owner names of RRsets that are not authoritative for the given zone
+ (such as glue records) MUST NOT be listed in the Next Domain Name
+ unless at least one authoritative RRset exists at the same owner
+ name.
+
+2.1.2. The List of Type Bit Map(s) Field
+
+ The RR type space is split into 256 window blocks, each representing
+ the low-order 8 bits of the 16-bit RR type space. Each block that
+ has at least one active RR type is encoded using a single octet
+ window number (from 0 to 255), a single octet bitmap length (from 1
+ to 32) indicating the number of octets used for the window block's
+ bitmap, and up to 32 octets (256 bits) of bitmap.
+
+ Window blocks are present in the NSEC RR RDATA in increasing
+ numerical order.
+
+ "|" denotes concatenation
+
+ Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +
+
+
+
+Schlyter, Ed. Standards Track [Page 3]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+ Each bitmap encodes the low-order 8 bits of RR types within the
+ window block, in network bit order. The first bit is bit 0. For
+ window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds
+ to RR type 2 (NS), and so forth. For window block 1, bit 1
+ corresponds to RR type 257, and bit 2 to RR type 258. If a bit is
+ set to 1, it indicates that an RRset of that type is present for the
+ NSEC RR's owner name. If a bit is set to 0, it indicates that no
+ RRset of that type is present for the NSEC RR's owner name.
+
+ Since bit 0 in window block 0 refers to the non-existing RR type 0,
+ it MUST be set to 0. After verification, the validator MUST ignore
+ the value of bit 0 in window block 0.
+
+ Bits representing Meta-TYPEs or QTYPEs, as specified in RFC 2929 [3]
+ (section 3.1), or within the range reserved for assignment only to
+ QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in
+ zone data. If encountered, they must be ignored upon reading.
+
+ Blocks with no types present MUST NOT be included. Trailing zero
+ octets in the bitmap MUST be omitted. The length of each block's
+ bitmap is determined by the type code with the largest numerical
+ value within that block, among the set of RR types present at the
+ NSEC RR's owner name. Trailing zero octets not specified MUST be
+ interpreted as zero octets.
+
+2.1.3. Inclusion of Wildcard Names in NSEC RDATA
+
+ If a wildcard owner name appears in a zone, the wildcard label ("*")
+ is treated as a literal symbol and is treated the same as any other
+ owner name for purposes of generating NSEC RRs. Wildcard owner names
+ appear in the Next Domain Name field without any wildcard expansion.
+ RFC 2535 [2] describes the impact of wildcards on authenticated
+ denial of existence.
+
+2.2. The NSEC RR Presentation Format
+
+ The presentation format of the RDATA portion is as follows:
+
+ The Next Domain Name field is represented as a domain name.
+
+ The List of Type Bit Map(s) Field is represented as a sequence of RR
+ type mnemonics. When the mnemonic is not known, the TYPE
+ representation as described in RFC 3597 [4] (section 5) MUST be used.
+
+
+
+
+
+
+
+
+Schlyter, Ed. Standards Track [Page 4]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+2.3. NSEC RR Example
+
+ The following NSEC RR identifies the RRsets associated with
+ alfa.example.com. and the next authoritative name after
+ alfa.example.com.
+
+ alfa.example.com. 86400 IN NSEC host.example.com. A MX RRSIG NSEC
+ TYPE1234
+
+ The first four text fields specify the name, TTL, Class, and RR type
+ (NSEC). The entry host.example.com. is the next authoritative name
+ after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC,
+ and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and
+ TYPE1234 RRsets associated with the name alfa.example.com.
+
+ The RDATA section of the NSEC RR above would be encoded as:
+
+ 0x04 'h' 'o' 's' 't'
+ 0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
+ 0x03 'c' 'o' 'm' 0x00
+ 0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
+ 0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
+ 0x00 0x00 0x00 0x00 0x20
+
+ Assuming that the resolver can authenticate this NSEC record, it
+ could be used to prove that beta.example.com does not exist, or could
+ be used to prove that there is no AAAA record associated with
+ alfa.example.com. Authenticated denial of existence is discussed in
+ RFC 2535 [2].
+
+3. IANA Considerations
+
+ This document introduces no new IANA considerations, because all of
+ the protocol parameters used in this document have already been
+ assigned by RFC 3755 [5].
+
+4. Security Considerations
+
+ The update of the RDATA format and encoding does not affect the
+ security of the use of NSEC RRs.
+
+
+
+
+
+
+
+
+
+Schlyter, Ed. Standards Track [Page 5]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+5. References
+
+5.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Eastlake 3rd, D., "Domain Name System Security Extensions", RFC
+ 2535, March 1999.
+
+ [3] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, "Domain
+ Name System (DNS) IANA Considerations", BCP 42, RFC 2929,
+ September 2000.
+
+ [4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR)
+ Types", RFC 3597, September 2003.
+
+ [5] Weiler, S., "Legacy Resolver Compatibility for Delegation Signer
+ (DS)", RFC 3755, May 2004.
+
+5.2. Informative References
+
+ [6] Mockapetris, P., "Domain names - concepts and facilities", STD
+ 13, RFC 1034, November 1987.
+
+ [7] Mockapetris, P., "Domain names - implementation and
+ specification", STD 13, RFC 1035, November 1987.
+
+ [8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC
+ 2308, March 1998.
+
+6. Acknowledgements
+
+ The encoding described in this document was initially proposed by
+ Mark Andrews. Other encodings where proposed by David Blacka and
+ Michael Graff.
+
+7. Author's Address
+
+ Jakob Schlyter (editor)
+ NIC-SE
+ Box 5774
+ Stockholm SE-114 87
+ Sweden
+
+ EMail: jakob@nic.se
+ URI: http://www.nic.se/
+
+
+
+
+Schlyter, Ed. Standards Track [Page 6]
+
+RFC 3845 DNSSEC NSEC RDATA Format August 2004
+
+
+8. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2004).
+
+ This document is subject to the rights, licenses and restrictions
+ contained in BCP 78, and except as set forth therein, the authors
+ retain all their rights.
+
+ This document and the information contained herein are provided on an
+ "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/S HE
+ REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
+ INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
+ THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
+ WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the IETF's procedures with respect to rights in IETF Documents can
+ be found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF on-line IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf-
+ ipr@ietf.org.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+Schlyter, Ed. Standards Track [Page 7]
+
diff --git a/contrib/bind9/doc/rfc/rfc952.txt b/contrib/bind9/doc/rfc/rfc952.txt
new file mode 100644
index 0000000..7df339a
--- /dev/null
+++ b/contrib/bind9/doc/rfc/rfc952.txt
@@ -0,0 +1,340 @@
+Network Working Group K. Harrenstien (SRI)
+Request for Comments: 952 M. Stahl (SRI)
+ E. Feinler (SRI)
+Obsoletes: RFC 810, 608 October 1985
+
+ DOD INTERNET HOST TABLE SPECIFICATION
+
+
+STATUS OF THIS MEMO
+
+ This RFC is the official specification of the format of the Internet
+ Host Table. This edition of the specification includes minor
+ revisions to RFC-810 which brings it up to date. Distribution of this
+ memo is unlimited.
+
+INTRODUCTION
+
+ The DoD Host Table is utilized by the DoD Hostname Server maintained
+ by the DDN Network Information Center (NIC) on behalf of the Defense
+ Communications Agency (DCA) [See RFC-953].
+
+LOCATION OF THE STANDARD DOD ONLINE HOST TABLE
+
+ A machine-translatable ASCII text version of the DoD Host Table is
+ online in the file NETINFO:HOSTS.TXT on the SRI-NIC host. It can be
+ obtained via FTP from your local host by connecting to host
+ SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51), logging in as user =
+ ANONYMOUS, password = GUEST, and retrieving the file
+ "NETINFO:HOSTS.TXT". The same table may also be obtained via the NIC
+ Hostname Server, as described in RFC-953. The latter method is
+ faster and easier, but requires a user program to make the necessary
+ connection to the Name Server.
+
+ASSUMPTIONS
+
+ 1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
+ to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
+ sign (-), and period (.). Note that periods are only allowed when
+ they serve to delimit components of "domain style names". (See
+ RFC-921, "Domain Name System Implementation Schedule", for
+ background). No blank or space characters are permitted as part of a
+ name. No distinction is made between upper and lower case. The first
+ character must be an alpha character. The last character must not be
+ a minus sign or period. A host which serves as a GATEWAY should have
+ "-GATEWAY" or "-GW" as part of its name. Hosts which do not serve as
+ Internet gateways should not use "-GATEWAY" and "-GW" as part of
+ their names. A host which is a TAC should have "-TAC" as the last
+ part of its host name, if it is a DoD host. Single character names
+ or nicknames are not allowed.
+
+ 2. Internet Addresses are 32-bit addresses [See RFC-796]. In the
+
+
+Harrenstien & Stahl & Feinler [Page 1]
+
+
+
+RFC 952 October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+ host table described herein each address is represented by four
+ decimal numbers separated by a period. Each decimal number
+ represents 1 octet.
+
+ 3. If the first bit of the first octet of the address is 0 (zero),
+ then the next 7 bits of the first octet indicate the network number
+ (Class A Address). If the first two bits are 1,0 (one,zero), then
+ the next 14 bits define the net number (Class B Address). If the
+ first 3 bits are 1,1,0 (one,one,zero), then the next 21 bits define
+ the net number (Class C Address) [See RFC-943].
+
+ This is depicted in the following diagram:
+
+ +-+------------+--------------+--------------+--------------+
+ |0| NET <-7-> | LOCAL ADDRESS <-24-> |
+ +-+------------+--------------+--------------+--------------+
+
+ +---+----------+--------------+--------------+--------------+
+ |1 0| NET <-14-> | LOCAL ADDRESS <-16-> |
+ +---+----------+--------------+--------------+--------------+
+
+ +-----+--------+--------------+--------------+--------------+
+ |1 1 0| NET <-21-> | LOCAL ADDRESS|
+ +-----+--------+--------------+--------------+--------------+
+
+ 4. The LOCAL ADDRESS portion of the internet address identifies a
+ host within the network specified by the NET portion of the address.
+
+ 5. The ARPANET and MILNET are both Class A networks. The NET portion
+ is 10 decimal for ARPANET, 26 decimal for MILNET, and the LOCAL
+ ADDRESS maps as follows: the second octet identifies the physical
+ host, the third octet identifies the logical host, and the fourth
+ identifies the Packet Switching Node (PSN), formerly known as an
+ Interface Message Processor (IMP).
+
+ +-+------------+--------------+--------------+--------------+
+ |0| 10 or 26 | HOST | LOGICAL HOST | PSN (IMP) |
+ +-+------------+--------------+--------------+--------------+
+
+ (NOTE: RFC-796 also describes the local address mappings for
+ several other networks.)
+
+ 6. It is the responsibility of the users of this host table to
+ translate it into whatever format is needed for their purposes.
+
+ 7. Names and addresses for DoD hosts and gateways will be negotiated
+ and registered with the DDN PMO, and subsequently with the NIC,
+
+
+Harrenstien & Stahl & Feinler [Page 2]
+
+
+
+RFC 952 October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+ before being used and before traffic is passed by a DoD host. Names
+ and addresses for domains and networks are to be registered with the
+ DDN Network Information Center (HOSTMASTER@SRI-NIC.ARPA) or
+ 800-235-3155.
+
+ The NIC will attempt to keep similar information for non-DoD networks
+ and hosts, if this information is provided, and as long as it is
+ needed, i.e., until intercommunicating network name servers are in
+ place.
+
+EXAMPLE OF HOST TABLE FORMAT
+
+ NET : 10.0.0.0 : ARPANET :
+ NET : 128.10.0.0 : PURDUE-CS-NET :
+ GATEWAY : 10.0.0.77, 18.10.0.4 : MIT-GW.ARPA,MIT-GATEWAY : PDP-11 :
+ MOS : IP/GW,EGP :
+ HOST : 26.0.0.73, 10.0.0.51 : SRI-NIC.ARPA,SRI-NIC,NIC : DEC-2060 :
+ TOPS20 :TCP/TELNET,TCP/SMTP,TCP/TIME,TCP/FTP,TCP/ECHO,ICMP :
+ HOST : 10.2.0.11 : SU-TAC.ARPA,SU-TAC : C/30 : TAC : TCP :
+
+SYNTAX AND CONVENTIONS
+
+ ; (semicolon) is used to denote the beginning of a comment.
+ Any text on a given line following a ';' is a
+ comment, and not part of the host table.
+
+ NET keyword introducing a network entry
+
+ GATEWAY keyword introducing a gateway entry
+
+ HOST keyword introducing a host entry
+
+ DOMAIN keyword introducing a domain entry
+
+ :(colon) is used as a field delimiter
+
+ ::(2 colons) indicates a null field
+
+ ,(comma) is used as a data element delimiter
+
+ XXX/YYY indicates protocol information of the type
+ TRANSPORT/SERVICE.
+
+ where TRANSPORT/SERVICE options are specified as
+
+ "FOO/BAR" both transport and service known
+
+
+
+Harrenstien & Stahl & Feinler [Page 3]
+
+
+
+RFC 952 October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+ "FOO" transport known; services not known
+
+ "BAR" service is known, transport not known
+
+ NOTE: See "Assigned Numbers" for specific options and acronyms
+ for machine types, operating systems, and protocol/services.
+
+ Each host table entry is an ASCII text string comprised of 6 fields,
+ where
+
+ Field 1 KEYWORD indicating whether this entry pertains to
+ a NET, GATEWAY, HOST, or DOMAIN. NET entries are
+ assigned and cannot have alternate addresses or
+ nicknames. DOMAIN entries do not use fields 4, 5,
+ or 6.
+
+ Field 2 Internet Address of Network, Gateway, or Host
+ followed by alternate addresses. Addresses for a
+ Domain are those where a Domain Name Server exists
+ for that domain.
+
+ Field 3 Official Name of Network, Gateway, Host, or Domain
+ (with optional nicknames, where permitted).
+
+ Field 4 Machine Type
+
+ Field 5 Operating System
+
+ Field 6 Protocol List
+
+ Fields 4, 5 and 6 are optional. For a Domain they are not used.
+
+ Fields 3-6, if included, pertain to the first address in Field 2.
+
+ 'Blanks' (spaces and tabs) are ignored between data elements or
+ fields, but are disallowed within a data element.
+
+ Each entry ends with a colon.
+
+ The entries in the table are grouped by types in the order Domain,
+ Net, Gateway, and Host. Within each type the ordering is
+ unspecified.
+
+ Note that although optional nicknames are allowed for hosts, they are
+ discouraged, except in the case where host names have been changed
+
+
+
+
+Harrenstien & Stahl & Feinler [Page 4]
+
+
+
+RFC 952 October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+ and both the new and the old names are maintained for a suitable
+ period of time to effect a smooth transition. Nicknames are not
+ permitted for NET names.
+
+GRAMMATICAL HOST TABLE SPECIFICATION
+
+ A. Parsing grammar
+
+ <entry> ::= <keyword> ":" <addresses> ":" <names> [":" [<cputype>]
+ [":" [<opsys>] [":" [<protocol list>] ]]] ":"
+ <addresses> ::= <address> *["," <address>]
+ <address> ::= <octet> "." <octet> "." <octet> "." <octet>
+ <octet> ::= <0 to 255 decimal>
+ <names> ::= <netname> | <gatename> | <domainname> *[","
+ <nicknames>]
+ | <official hostname> *["," <nicknames>]
+ <netname> ::= <name>
+ <gatename> ::= <hname>
+ <domainname> ::= <hname>
+ <official hostname> ::= <hname>
+ <nickname> ::= <hname>
+ <protocol list> ::= <protocol spec> *["," <protocol spec>]
+ <protocol spec> ::= <transport name> "/" <service name>
+ | <raw protocol name>
+
+ B. Lexical grammar
+
+ <entry-field> ::= <entry-text> [<cr><lf> <blank> <entry-field>]
+ <entry-text> ::= <print-char> *<text>
+ <blank> ::= <space-or-tab> [<blank>]
+ <keyword> ::= NET | GATEWAY | HOST | DOMAIN
+ <hname> ::= <name>*["."<name>]
+ <name> ::= <let>[*[<let-or-digit-or-hyphen>]<let-or-digit>]
+ <cputype> ::= PDP-11/70 | DEC-1080 | C/30 | CDC-6400...etc.
+ <opsys> ::= ITS | MULTICS | TOPS20 | UNIX...etc.
+ <transport name> ::= TCP | NCP | UDP | IP...etc.
+ <service name> ::= TELNET | FTP | SMTP | MTP...etc.
+ <raw protocol name> ::= <name>
+ <comment> ::= ";" <text><cr><lf>
+ <text> ::= *[<print-char> | <blank>]
+ <print-char> ::= <any printing char (not space or tab)>
+
+ Notes:
+
+ 1. Zero or more 'blanks' between separators " , : " are allowed.
+ 'Blanks' are spaces and tabs.
+
+
+
+Harrenstien & Stahl & Feinler [Page 5]
+
+
+
+RFC 952 October 1985
+DOD INTERNET HOST TABLE SPECIFICATION
+
+
+ 2. Continuation lines are lines that begin with at least one
+ blank. They may be used anywhere 'blanks' are legal to split an
+ entry across lines.
+
+BIBLIOGRAPHY
+
+ 1. Feinler, E., Harrenstien, K., Su, Z. and White, V., "Official DoD
+ Internet Host Table Specification", RFC-810, Network Information
+ Center, SRI International, March 1982.
+
+ 2. Harrenstien, K., Stahl, M., and Feinler, E., "Hostname Server",
+ RFC-953, Network Information Center, SRI International, October
+ 1985.
+
+ 3. Kudlick, M. "Host Names Online", RFC-608, Network Information
+ Center, SRI International, January 1973.
+
+ 4. Postel, J., "Internet Protocol", RFC-791, Information Sciences
+ Institute, University of Southern California, Marina del Rey,
+ September 1981.
+
+ 5. Postel, J., "Address Mappings", RFC-796, Information Sciences
+ Institute, University of Southern California, Marina del Rey,
+ September 1981.
+
+ 6. Postel, J., "Domain Name System Implementation Schedule", RFC-921,
+ Information Sciences Institute, University of Southern California,
+ Marina del Rey, October 1984.
+
+ 7. Reynolds, J. and Postel, J., "Assigned Numbers", RFC-943,
+ Information Sciences Institute, University of Southern California,
+ Marina del Rey, April 1985.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Harrenstien & Stahl & Feinler [Page 6]
+
diff --git a/contrib/bind9/install-sh b/contrib/bind9/install-sh
new file mode 100755
index 0000000..058b26c
--- /dev/null
+++ b/contrib/bind9/install-sh
@@ -0,0 +1,250 @@
+#! /bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission. M.I.T. makes no representations about the
+# suitability of this software for any purpose. It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch. It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+ case $1 in
+ -c) instcmd="$cpprog"
+ shift
+ continue;;
+
+ -d) dir_arg=true
+ shift
+ continue;;
+
+ -m) chmodcmd="$chmodprog $2"
+ shift
+ shift
+ continue;;
+
+ -o) chowncmd="$chownprog $2"
+ shift
+ shift
+ continue;;
+
+ -g) chgrpcmd="$chgrpprog $2"
+ shift
+ shift
+ continue;;
+
+ -s) stripcmd="$stripprog"
+ shift
+ continue;;
+
+ -t=*) transformarg=`echo $1 | sed 's/-t=//'`
+ shift
+ continue;;
+
+ -b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+ shift
+ continue;;
+
+ *) if [ x"$src" = x ]
+ then
+ src=$1
+ else
+ # this colon is to work around a 386BSD /bin/sh bug
+ :
+ dst=$1
+ fi
+ shift
+ continue;;
+ esac
+done
+
+if [ x"$src" = x ]
+then
+ echo "install: no input file specified"
+ exit 1
+else
+ true
+fi
+
+if [ x"$dir_arg" != x ]; then
+ dst=$src
+ src=""
+
+ if [ -d $dst ]; then
+ instcmd=:
+ else
+ instcmd=mkdir
+ fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad
+# if $src (and thus $dsttmp) contains '*'.
+
+ if [ -f $src -o -d $src ]
+ then
+ true
+ else
+ echo "install: $src does not exist"
+ exit 1
+ fi
+
+ if [ x"$dst" = x ]
+ then
+ echo "install: no destination specified"
+ exit 1
+ else
+ true
+ fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+ if [ -d $dst ]
+ then
+ dst="$dst"/`basename $src`
+ else
+ true
+ fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+# this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+ pathcomp="${pathcomp}${1}"
+ shift
+
+ if [ ! -d "${pathcomp}" ] ;
+ then
+ $mkdirprog "${pathcomp}"
+ else
+ true
+ fi
+
+ pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+ $doit $instcmd $dst &&
+
+ if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+ if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+ if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+ if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+ if [ x"$transformarg" = x ]
+ then
+ dstfile=`basename $dst`
+ else
+ dstfile=`basename $dst $transformbasename |
+ sed $transformarg`$transformbasename
+ fi
+
+# don't allow the sed command to completely eliminate the filename
+
+ if [ x"$dstfile" = x ]
+ then
+ dstfile=`basename $dst`
+ else
+ true
+ fi
+
+# Make a temp file name in the proper directory.
+
+ dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+ $doit $instcmd $src $dsttmp &&
+
+ trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing. If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+ if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+ if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+ if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+ if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+ $doit $rmcmd -f $dstdir/$dstfile &&
+ $doit $mvcmd $dsttmp $dstdir/$dstfile
+
+fi &&
+
+
+exit 0
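Review bot: The initialisation block clears `transform_arg`, but the `-t=*` case and the later `if [ x"$transformarg" = x ]` test use `transformarg`, so that variable is never reset at start-up. A `transformarg` value already present in the caller's environment is therefore handed to `sed $transformarg` even when no `-t=` option was given; the initialiser should name the variable that is actually read, `transformarg=""`. Separately, `dsttmp=$dstdir/#inst.$$#` is derived only from the PID, and `$src`, `$dst` and `$dsttmp` are expanded unquoted. The script should therefore only be pointed at destination directories that other users cannot write to, and the expansions should be quoted. Since this file is a vendored copy, both changes are best made upstream and re-imported.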
diff --git a/contrib/bind9/isc-config.sh.in b/contrib/bind9/isc-config.sh.in
new file mode 100644
index 0000000..737e31d
--- /dev/null
+++ b/contrib/bind9/isc-config.sh.in
@@ -0,0 +1,149 @@
+#!/bin/sh
+#
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: isc-config.sh.in,v 1.10.12.3 2004/03/08 04:04:12 marka Exp $
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+exec_prefix_set=
+
+usage()
+{
+ cat << EOF
+Usage: isc-config [OPTIONS] [LIBRARIES]
+Options:
+ [--prefix[=DIR]]
+ [--exec-prefix[=DIR]]
+ [--version]
+ [--libs]
+ [--cflags]
+Libraries:
+ isc
+ isccc
+ isccfg
+ dns
+ lwres
+ bind9
+EOF
+ exit $1
+}
+
+if test $# -eq 0; then
+ usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case "$1" in
+ --prefix=*)
+ prefix=$optarg
+ if test "x$exec_prefix_set" = x ; then
+ exec_prefix=$prefix
+ fi
+ ;;
+ --prefix)
+ echo_prefix=true
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=true
+ ;;
+ --version)
+ echo @BIND9_VERSION@
+ exit 0
+ ;;
+ --cflags)
+ echo_cflags=true
+ ;;
+ --libs)
+ echo_libs=true;
+ ;;
+ isc)
+ libisc=true;
+ ;;
+ isccc)
+ libisccc=true;
+ libisc=true;
+ ;;
+ isccfg)
+ libisccfg=true;
+ libisc=true;
+ ;;
+ dns)
+ libdns=true;
+ libisc=true;
+ ;;
+ lwres)
+ liblwres=true;
+ ;;
+ bind9)
+ libdns=true;
+ libisc=true;
+ libisccfg=true;
+ libbind9=true;
+ ;;
+ *)
+ usage 1 1>&2
+ esac
+ shift
+done
+
+if test x"$echo_prefix" = x"true" ; then
+ echo $prefix
+fi
+if test x"$echo_exec_prefix" = x"true" ; then
+ echo $exec_prefix
+fi
+if test x"$echo_cflags" = x"true"; then
+ includes="-I${exec_prefix}/include"
+ if test x"$libisc" = x"true"; then
+ includes="$includes @ALWAYS_DEFINES@ @STD_CINCLUDES@ @STD_CDEFINES@ @CCOPT@"
+ fi
+ echo $includes
+fi
+if test x"$echo_libs" = x"true"; then
+ libs=-L${exec_prefix}/lib
+ if test x"$liblwres" = x"true" ; then
+ libs="$libs -llwres"
+ fi
+ if test x"$libbind9" = x"true" ; then
+ libs="$libs -lbind9"
+ fi
+ if test x"$libdns" = x"true" ; then
+ libs="$libs -ldns @DNS_CRYPTO_LIBS@"
+ fi
+ if test x"$libisccfg" = x"true" ; then
+ libs="$libs -lisccfg"
+ fi
+ if test x"$libisccc" = x"true" ; then
+ libs="$libs -lisccc"
+ fi
+ if test x"$libisc" = x"true" ; then
+ libs="$libs -lisc"
+ needothers=true
+ fi
+ if test x"$needothers" = x"true" ; then
+ libs="$libs @CCOPT@ @LIBS@"
+ fi
+ echo $libs
+fi
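Review bot: `exec_prefix_set` is initialised empty and tested in the `--prefix=*)` branch, but nothing in the script ever assigns it, so `--exec-prefix=DIR` followed by `--prefix=DIR2` silently replaces the explicit exec prefix. The `--exec-prefix=*)` branch should record the override with `exec_prefix_set=true` right after `exec_prefix=$optarg`. The flag variables (`echo_prefix`, `echo_exec_prefix`, `echo_cflags`, `echo_libs`, `libisc`, `needothers` and the other `lib*` flags) are also never initialised, so values exported in the calling environment change the output. Setting them to empty next to `exec_prefix_set=` and quoting the `echo $prefix` / `echo $exec_prefix` expansions would make the emitted flags depend only on the command line.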
diff --git a/contrib/bind9/lib/Makefile.in b/contrib/bind9/lib/Makefile.in
new file mode 100644
index 0000000..c72b3e7
--- /dev/null
+++ b/contrib/bind9/lib/Makefile.in
@@ -0,0 +1,29 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.15.2.2.8.4 2004/03/08 09:04:25 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+# Note: the order of SUBDIRS is important.
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+SUBDIRS = isc isccc dns isccfg bind9 lwres tests
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/Makefile.in b/contrib/bind9/lib/bind/Makefile.in
new file mode 100644
index 0000000..b4abd0d
--- /dev/null
+++ b/contrib/bind9/lib/bind/Makefile.in
@@ -0,0 +1,127 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.12.2.5.2.5 2004/07/20 07:01:56 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@LIBBIND_API@
+
+LIBS = @LIBS@
+
+DAEMON_OBJS=bsd/daemon.@O@
+STRSEP_OBJS=bsd/strsep.@O@
+
+BSDOBJS= @DAEMON_OBJS@ @STRSEP_OBJS@ bsd/ftruncate.@O@ bsd/gettimeofday.@O@ \
+ bsd/mktemp.@O@ bsd/putenv.@O@ bsd/readv.@O@ bsd/setenv.@O@ \
+ bsd/setitimer.@O@ bsd/strcasecmp.@O@ bsd/strdup.@O@ \
+ bsd/strerror.@O@ bsd/strpbrk.@O@ bsd/strtoul.@O@ bsd/utimes.@O@ \
+ bsd/writev.@O@
+
+DSTOBJS= dst/dst_api.@O@ dst/hmac_link.@O@ dst/md5_dgst.@O@ dst/support.@O@
+
+INETOBJS= inet/inet_addr.@O@ inet/inet_cidr_ntop.@O@ inet/inet_cidr_pton.@O@ \
+ inet/inet_data.@O@ inet/inet_lnaof.@O@ inet/inet_makeaddr.@O@ \
+ inet/inet_net_ntop.@O@ inet/inet_net_pton.@O@ inet/inet_neta.@O@ \
+ inet/inet_netof.@O@ inet/inet_network.@O@ inet/inet_ntoa.@O@ \
+ inet/inet_ntop.@O@ inet/inet_pton.@O@ inet/nsap_addr.@O@
+
+WANT_IRS_THREADS_OBJS= irs/gethostent_r.@O@ irs/getnetgrent_r.@O@ \
+ irs/getprotoent_r.@O@ irs/getservent_r.@O@
+
+WANT_IRS_NISGR_OBJS= irs/nis_gr.@O@
+WANT_IRS_GR_OBJS= irs/dns_gr.@O@ irs/irp_gr.@O@ irs/lcl_gr.@O@ irs/gen_gr.@O@ \
+ irs/getgrent.@O@ @WANT_IRS_NISGR_OBJS@ @WANT_IRS_THREADSGR_OBJS@
+
+WANT_IRS_THREADSPW_OBJS=irs/getpwent_r.@O@
+WANT_IRS_NISPW_OBJS= irs/nis_pw.@O@
+WANT_IRS_DBPW_OBJS=irs/irp_pw.@O@ irs/lcl_pw.@O@
+WANT_IRS_PW_OBJS= irs/dns_pw.@O@ irs/gen_pw.@O@ irs/getpwent.@O@ \
+ @WANT_IRS_DBPW_OBJS@ @WANT_IRS_NISPW_OBJS@ @WANT_IRS_THREADSPW_OBJS@
+
+WANT_IRS_NIS_OBJS= irs/nis_ho.@O@ irs/nis_ng.@O@ irs/nis_nw.@O@ \
+ irs/nis_pr.@O@ irs/nis_sv.@O@
+
+IRSOBJS= @WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
+ @WANT_IRS_PW_OBJS@ \
+ irs/dns.@O@ irs/dns_ho.@O@ irs/dns_nw.@O@ irs/dns_pr.@O@ \
+ irs/dns_sv.@O@ irs/gai_strerror.@O@ irs/gen.@O@ irs/gen_ho.@O@ \
+ irs/gen_ng.@O@ irs/gen_nw.@O@ irs/gen_pr.@O@ irs/gen_sv.@O@ \
+ irs/getaddrinfo.@O@ irs/gethostent.@O@ irs/getnameinfo.@O@ \
+ irs/getnetent.@O@ irs/getnetent_r.@O@ irs/getnetgrent.@O@ \
+ irs/getprotoent.@O@ irs/getservent.@O@ irs/hesiod.@O@ \
+ irs/irp.@O@ irs/irp_ho.@O@ irs/irp_ng.@O@ irs/irp_nw.@O@ \
+ irs/irp_pr.@O@ irs/irp_sv.@O@ irs/irpmarshall.@O@ irs/irs_data.@O@ \
+ irs/lcl.@O@ irs/lcl_ho.@O@ irs/lcl_ng.@O@ irs/lcl_nw.@O@ \
+ irs/lcl_pr.@O@ irs/lcl_sv.@O@ irs/nis.@O@ irs/nul_ng.@O@ irs/util.@O@
+
+WANT_IRS_THREADSGR_OBJS=irs/getgrent_r.@O@
+
+ISCOBJS= isc/assertions.@O@ isc/base64.@O@ isc/bitncmp.@O@ isc/ctl_clnt.@O@ \
+ isc/ctl_p.@O@ isc/ctl_srvr.@O@ isc/ev_connects.@O@ isc/ev_files.@O@ \
+ isc/ev_streams.@O@ isc/ev_timers.@O@ isc/ev_waits.@O@ \
+ isc/eventlib.@O@ isc/heap.@O@ isc/hex.@O@ isc/logging.@O@ \
+ isc/memcluster.@O@ isc/movefile.@O@ isc/tree.@O@
+
+NAMESEROBJS= nameser/ns_date.@O@ nameser/ns_name.@O@ nameser/ns_netint.@O@ \
+ nameser/ns_parse.@O@ nameser/ns_print.@O@ nameser/ns_samedomain.@O@ \
+ nameser/ns_sign.@O@ nameser/ns_ttl.@O@ nameser/ns_verify.@O@
+
+RESOLVOBJS= resolv/herror.@O@ resolv/res_comp.@O@ resolv/res_data.@O@ \
+ resolv/res_debug.@O@ resolv/res_findzonecut.@O@ resolv/res_init.@O@ \
+ resolv/res_mkquery.@O@ resolv/res_mkupdate.@O@ resolv/res_query.@O@ \
+ resolv/res_send.@O@ resolv/res_sendsigned.@O@ resolv/res_update.@O@
+
+SUBDIRS = bsd dst include inet irs isc nameser resolv @PORT_INCLUDE@
+
+TARGETS= timestamp
+OBJS= ${BSDOBJS} ${DSTOBJS} ${INETOBJS} ${IRSOBJS} ${ISCOBJS} \
+ ${NAMESEROBJS} ${RESOLVOBJS}
+
+@BIND9_MAKE_RULES@
+
+libbind.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libbind.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS}
+
+timestamp: libbind.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libbind.@SA@ libbind.la
+
+distclean::
+ rm -f make/rules make/includes make/mkdep
+
+distclean::
+ rm -f config.cache config.h config.log config.status libtool
+ rm -f port_before.h port_after.h configure.lineno
+ rm -f port/Makefile @PORT_DIR@/Makefile
+
+man:
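Review bot: `installdirs`, `install`, `clean`, `distclean` and the recipe-less `man:` are command targets, but none is declared phony in this file, so a file with one of those names in the build directory would make the target look up to date. Unless the substituted `@BIND9_MAKE_RULES@` fragment already declares them (not visible here), add `.PHONY: installdirs install clean distclean man`. The stamp rule would also read better as `touch $@` rather than repeating the literal `timestamp`.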
diff --git a/contrib/bind9/lib/bind/README b/contrib/bind9/lib/bind/README
new file mode 100644
index 0000000..b89cff7
--- /dev/null
+++ b/contrib/bind9/lib/bind/README
@@ -0,0 +1,4 @@
+--with-irs-gr=yes #define WANT_IRS_GR
+--with-irs-nis=yes #define WANT_IRS_NIS
+--with-irs-pw=yes #define WANT_IRS_PW
+
diff --git a/contrib/bind9/lib/bind/aclocal.m4 b/contrib/bind9/lib/bind/aclocal.m4
new file mode 100644
index 0000000..c1a594c
--- /dev/null
+++ b/contrib/bind9/lib/bind/aclocal.m4
@@ -0,0 +1,2 @@
+sinclude(./libtool.m4)dnl
+
diff --git a/contrib/bind9/lib/bind/api b/contrib/bind9/lib/bind/api
new file mode 100644
index 0000000..3a72afa
--- /dev/null
+++ b/contrib/bind9/lib/bind/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 3
+LIBREVISION = 7
+LIBAGE = 0
diff --git a/contrib/bind9/lib/bind/bsd/Makefile.in b/contrib/bind9/lib/bind/bsd/Makefile.in
new file mode 100644
index 0000000..dd7b616
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/Makefile.in
@@ -0,0 +1,39 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:22 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+DAEMON_OBJS=daemon.@O@
+STRSEP_OBJS=strsep.@O@
+
+OBJS= @DAEMON_OBJS@ @STRSEP_OBJS@ ftruncate.@O@ gettimeofday.@O@ \
+ mktemp.@O@ putenv.@O@ \
+ readv.@O@ setenv.@O@ setitimer.@O@ strcasecmp.@O@ strdup.@O@ \
+ strerror.@O@ strpbrk.@O@ strtoul.@O@ utimes.@O@ \
+ writev.@O@
+
+SRCS= daemon.c ftruncate.c gettimeofday.c mktemp.c putenv.c \
+ readv.c setenv.c setitimer.c strcasecmp.c strdup.c \
+ strerror.c strpbrk.c strsep.c strtoul.c utimes.c \
+ writev.c
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/bsd/daemon.c b/contrib/bind9/lib/bind/bsd/daemon.c
new file mode 100644
index 0000000..a1472f9
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/daemon.c
@@ -0,0 +1,79 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)daemon.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: daemon.c,v 1.1 2001/03/29 06:30:31 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <fcntl.h>
+#include <paths.h>
+#include <unistd.h>
+
+#include "port_after.h"
+
+#ifndef NEED_DAEMON
+int __bind_daemon__;
+#else
+
+int
+daemon(int nochdir, int noclose) {
+ int fd;
+
+ switch (fork()) {
+ case -1:
+ return (-1);
+ case 0:
+ break;
+ default:
+ _exit(0);
+ }
+
+ if (setsid() == -1)
+ return (-1);
+
+ if (!nochdir)
+ (void)chdir("/");
+
+ if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) {
+ (void)dup2(fd, STDIN_FILENO);
+ (void)dup2(fd, STDOUT_FILENO);
+ (void)dup2(fd, STDERR_FILENO);
+ if (fd > 2)
+ (void)close (fd);
+ }
+ return (0);
+}
+#endif
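Review bot: When `open(_PATH_DEVNULL, O_RDWR, 0)` fails, `daemon()` still returns 0 with stdin, stdout and stderr left attached to whatever descriptors the parent passed in. The results of `chdir("/")` and of the three `dup2()` calls are discarded as well, so a caller cannot tell that detachment was incomplete. Consider propagating the failures, e.g. `if (!nochdir && chdir("/") == -1) return (-1);`, and returning -1 when `!noclose` and the open fails. Whether existing callers rely on the current best-effort behaviour is not visible from this hunk, so at minimum a comment above the function should state that redirection is best effort and that 0 does not guarantee the standard descriptors were replaced.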
diff --git a/contrib/bind9/lib/bind/bsd/ftruncate.c b/contrib/bind9/lib/bind/bsd/ftruncate.c
new file mode 100644
index 0000000..56ce8d3
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/ftruncate.c
@@ -0,0 +1,63 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: ftruncate.c,v 1.1 2001/03/29 06:30:32 marka Exp $";
+#endif
+
+/*
+ * ftruncate - set file size, BSD Style
+ *
+ * shortens or enlarges the file as neeeded
+ * uses some undocumented locking call. It is known to work on SCO unix,
+ * other vendors should try.
+ * The #error directive prevents unsupported OSes
+ */
+
+#include "port_before.h"
+
+#if defined(M_UNIX)
+#define OWN_FTRUNCATE
+#include <stdio.h>
+#ifdef _XOPEN_SOURCE
+#undef _XOPEN_SOURCE
+#endif
+#ifdef _POSIX_SOURCE
+#undef _POSIX_SOURCE
+#endif
+
+#include <fcntl.h>
+
+#include "port_after.h"
+
+int
+__ftruncate(int fd, long wantsize) {
+ long cursize;
+
+ /* determine current file size */
+ if ((cursize = lseek(fd, 0L, 2)) == -1)
+ return (-1);
+
+ /* maybe lengthen... */
+ if (cursize < wantsize) {
+ if (lseek(fd, wantsize - 1, 0) == -1 ||
+ write(fd, "", 1) == -1) {
+ return (-1);
+ }
+ return (0);
+ }
+
+ /* maybe shorten... */
+ if (wantsize < cursize) {
+ struct flock fl;
+
+ fl.l_whence = 0;
+ fl.l_len = 0;
+ fl.l_start = wantsize;
+ fl.l_type = F_WRLCK;
+ return (fcntl(fd, F_FREESP, &fl));
+ }
+ return (0);
+}
+#endif
+
+#ifndef OWN_FTRUNCATE
+int __bindcompat_ftruncate;
+#endif
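Review bot: `__ftruncate` moves the file offset and never restores it: the size probe `lseek(fd, 0L, 2)` leaves it at end of file and the lengthen path leaves it at `wantsize`, whereas ftruncate() is expected to leave the caller's offset untouched. Saving the position first with `long pos = lseek(fd, 0L, 1);` and calling `lseek(fd, pos, 0)` before each successful return would keep the caller's offset intact. The literal whence values 2, 1 and 0 would also read better as `SEEK_END`, `SEEK_CUR` and `SEEK_SET`.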
diff --git a/contrib/bind9/lib/bind/bsd/gettimeofday.c b/contrib/bind9/lib/bind/bsd/gettimeofday.c
new file mode 100644
index 0000000..ffde020
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/gettimeofday.c
@@ -0,0 +1,62 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: gettimeofday.c,v 1.1.2.2 2002/07/12 00:49:51 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include <stdio.h>
+#include <syslog.h>
+#include <sys/time.h>
+#include "port_after.h"
+
+#if !defined(NEED_GETTIMEOFDAY)
+/*
+ * gettimeofday() occasionally returns invalid tv_usec on some platforms.
+ */
+#define MILLION 1000000
+#undef gettimeofday
+
+int
+isc__gettimeofday(struct timeval *tp, struct timezone *tzp) {
+ int res;
+
+ res = gettimeofday(tp, tzp);
+ if (res < 0)
+ return (res);
+ if (tp == NULL)
+ return (res);
+ if (tp->tv_usec < 0) {
+ do {
+ tp->tv_usec += MILLION;
+ tp->tv_sec--;
+ } while (tp->tv_usec < 0);
+ goto log;
+ } else if (tp->tv_usec > MILLION) {
+ do {
+ tp->tv_usec -= MILLION;
+ tp->tv_sec++;
+ } while (tp->tv_usec > MILLION);
+ goto log;
+ }
+ return (res);
+ log:
+ syslog(LOG_ERR, "gettimeofday: tv_usec out of range\n");
+ return (res);
+}
+#else
+int
+gettimeofday(struct timeval *tvp, struct _TIMEZONE *tzp) {
+ time_t clock, time(time_t *);
+
+ if (time(&clock) == (time_t) -1)
+ return (-1);
+ if (tvp) {
+ tvp->tv_sec = clock;
+ tvp->tv_usec = 0;
+ }
+ if (tzp) {
+ tzp->tz_minuteswest = 0;
+ tzp->tz_dsttime = 0;
+ }
+ return (0);
+}
+#endif /*NEED_GETTIMEOFDAY*/
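Review bot: The upper-bound test in `isc__gettimeofday` is `tp->tv_usec > MILLION`, so a value of exactly 1000000 is treated as valid and returned without normalisation or a log entry, although tv_usec must stay below one million. Both the branch and its loop condition should use `>=`: `} else if (tp->tv_usec >= MILLION) {` and `} while (tp->tv_usec >= MILLION);`.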
diff --git a/contrib/bind9/lib/bind/bsd/mktemp.c b/contrib/bind9/lib/bind/bsd/mktemp.c
new file mode 100644
index 0000000..9852a35
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/mktemp.c
@@ -0,0 +1,154 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)mktemp.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: mktemp.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+
+#include "port_after.h"
+
+#if (!defined(NEED_MKTEMP)) && (!defined(NEED_MKSTEMP))
+int __mktemp_unneeded__;
+#else
+
+static int gettemp(char *path, int *doopen);
+
+#ifdef NEED_MKSTEMP
+mkstemp(char *path) {
+ int fd;
+
+ return (gettemp(path, &fd) ? fd : -1);
+}
+#endif
+
+#ifdef NEED_MKTEMP
+char *
+mktemp(char *path) {
+ return(gettemp(path, (int *)NULL) ? path : (char *)NULL);
+}
+#endif
+
+static int
+gettemp(char *path, int *doopen) {
+ char *start, *trv;
+ struct stat sbuf;
+ u_int pid;
+
+ pid = getpid();
+ for (trv = path; *trv; ++trv); /* extra X's get set to 0's */
+ while (*--trv == 'X') {
+ *trv = (pid % 10) + '0';
+ pid /= 10;
+ }
+
+ /*
+ * check the target directory; if you have six X's and it
+ * doesn't exist this runs for a *very* long time.
+ */
+ for (start = trv + 1;; --trv) {
+ if (trv <= path)
+ break;
+ if (*trv == '/') {
+ *trv = '\0';
+ if (stat(path, &sbuf))
+ return(0);
+ if (!S_ISDIR(sbuf.st_mode)) {
+ errno = ENOTDIR;
+ return(0);
+ }
+ *trv = '/';
+ break;
+ }
+ }
+
+ for (;;) {
+ if (doopen) {
+ if ((*doopen =
+ open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0)
+ return(1);
+ if (errno != EEXIST)
+ return(0);
+ }
+ else if (stat(path, &sbuf))
+ return(errno == ENOENT ? 1 : 0);
+
+ /* tricky little algorithm for backward compatibility */
+ for (trv = start;;) {
+ if (!*trv)
+ return(0);
+ if (*trv == 'z')
+ *trv++ = 'a';
+ else {
+ if (isdigit(*trv))
+ *trv = 'a';
+ else
+ ++*trv;
+ break;
+ }
+ }
+ }
+ /*NOTREACHED*/
+}
+
+#endif /*NEED_MKTEMP*/
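Review bot: The backward scan `while (*--trv == 'X')` in `gettemp` has no lower bound, so an empty template, or one consisting only of X's, makes it read the byte before `path`, and if that byte happens to be 'X' it is overwritten as well. The scan should stop at `path` and record where the replaced suffix begins, and the directory check that follows should start from that point, as sketched below. Separately, `mkstemp` is defined without a return type and relies on implicit int.

```c
	for (trv = path; *trv; ++trv)
		;
	/* Replace trailing X's with pid digits, never stepping before path. */
	start = trv;
	while (start > path && start[-1] == 'X') {
		*--start = (pid % 10) + '0';
		pid /= 10;
	}

	/* … unchanged: comment about checking the target directory … */
	for (trv = start; trv > path + 1;) {
		--trv;
		/* … unchanged: '/' test, stat(), S_ISDIR check and break … */
	}
```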
diff --git a/contrib/bind9/lib/bind/bsd/putenv.c b/contrib/bind9/lib/bind/bsd/putenv.c
new file mode 100644
index 0000000..abaa525
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/putenv.c
@@ -0,0 +1,25 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: putenv.c,v 1.1 2001/03/29 06:30:33 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include "port_after.h"
+
+/*
+ * To give a little credit to Sun, SGI,
+ * and many vendors in the SysV world.
+ */
+
+#if !defined(NEED_PUTENV)
+int __bindcompat_putenv;
+#else
+int
+putenv(char *str) {
+ char *tmp;
+
+ for (tmp = str; *tmp && (*tmp != '='); tmp++)
+ ;
+
+ return (setenv(str, tmp, 1));
+}
+#endif
diff --git a/contrib/bind9/lib/bind/bsd/readv.c b/contrib/bind9/lib/bind/bsd/readv.c
new file mode 100644
index 0000000..ccfcb5a
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/readv.c
@@ -0,0 +1,38 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: readv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include "port_after.h"
+
+#ifndef NEED_READV
+int __bindcompat_readv;
+#else
+
+int
+__readv(fd, vp, vpcount)
+ int fd;
+ const struct iovec *vp;
+ int vpcount;
+{
+ int count = 0;
+
+ while (vpcount-- > 0) {
+ int bytes = read(fd, vp->iov_base, vp->iov_len);
+
+ if (bytes < 0)
+ return (-1);
+ count += bytes;
+ if (bytes != vp->iov_len)
+ break;
+ vp++;
+ }
+ return (count);
+}
+#endif /* NEED_READV */
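Review bot: `__readv` returns -1 as soon as one `read()` fails, even when earlier iovec entries were already filled, so the caller cannot tell that `count` bytes have been consumed from the descriptor. Returning the partial count in that case keeps the stream position and the caller's view consistent: `if (bytes < 0) return (count > 0 ? count : -1);`. `bytes` is an `int` while `read()` returns `ssize_t` and `iov_len` is `size_t`, so `bytes != vp->iov_len` is a signed/unsigned comparison on a possibly truncated value; declaring `bytes` as `ssize_t` avoids that.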
diff --git a/contrib/bind9/lib/bind/bsd/setenv.c b/contrib/bind9/lib/bind/bsd/setenv.c
new file mode 100644
index 0000000..6a11c9d
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/setenv.c
@@ -0,0 +1,149 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)setenv.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: setenv.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#if !defined(NEED_SETENV)
+int __bindcompat_setenv;
+#else
+
+extern char **environ;
+
+static char *findenv(const char *name, int *offset);
+
+/*
+ * setenv --
+ * Set the value of the environmental variable "name" to be
+ * "value". If rewrite is set, replace any current value.
+ */
+setenv(const char *name, const char *value, int rewrite) {
+ extern char **environ;
+ static int alloced; /* if allocated space before */
+ char *c;
+ int l_value, offset;
+
+ if (*value == '=') /* no `=' in value */
+ ++value;
+ l_value = strlen(value);
+ if ((c = findenv(name, &offset))) { /* find if already exists */
+ if (!rewrite)
+ return (0);
+ if (strlen(c) >= l_value) { /* old larger; copy over */
+ while (*c++ = *value++);
+ return (0);
+ }
+ } else { /* create new slot */
+ int cnt;
+ char **p;
+
+ for (p = environ, cnt = 0; *p; ++p, ++cnt);
+ if (alloced) { /* just increase size */
+ environ = (char **)realloc((char *)environ,
+ (size_t)(sizeof(char *) * (cnt + 2)));
+ if (!environ)
+ return (-1);
+ }
+ else { /* get new space */
+ alloced = 1; /* copy old entries into it */
+ p = malloc((size_t)(sizeof(char *) * (cnt + 2)));
+ if (!p)
+ return (-1);
+ memcpy(p, environ, cnt * sizeof(char *));
+ environ = p;
+ }
+ environ[cnt + 1] = NULL;
+ offset = cnt;
+ }
+ for (c = (char *)name; *c && *c != '='; ++c); /* no `=' in name */
+ if (!(environ[offset] = /* name + `=' + value */
+ malloc((size_t)((int)(c - name) + l_value + 2))))
+ return (-1);
+ for (c = environ[offset]; (*c = *name++) && *c != '='; ++c);
+ for (*c++ = '='; *c++ = *value++;);
+ return (0);
+}
+
+/*
+ * unsetenv(name) --
+ * Delete environmental variable "name".
+ */
+void
+unsetenv(const char *name) {
+ char **p;
+ int offset;
+
+ while (findenv(name, &offset)) /* if set multiple times */
+ for (p = &environ[offset];; ++p)
+ if (!(*p = *(p + 1)))
+ break;
+}
+
+/*
+ * findenv --
+ * Returns pointer to value associated with name, if any, else NULL.
+ * Sets offset to be the offset of the name/value combination in the
+ * environmental array, for use by setenv(3) and unsetenv(3).
+ * Explicitly removes '=' in argument name.
+ *
+ * This routine *should* be a static; don't use it.
+ */
+static char *
+findenv(const char *name, int *offset) {
+ const char *np;
+ char **p, *c;
+ int len;
+
+ if (name == NULL || environ == NULL)
+ return (NULL);
+ for (np = name; *np && *np != '='; ++np)
+ continue;
+ len = np - name;
+ for (p = environ; (c = *p) != NULL; ++p)
+ if (strncmp(c, name, len) == 0 && c[len] == '=') {
+ *offset = p - environ;
+ return (c + len + 1);
+ }
+ return (NULL);
+}
+#endif
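Review bot: In the new-slot path of `setenv`, `environ = (char **)realloc(...)` overwrites `environ` before the result is checked, so an allocation failure leaves the process with a NULL environment and the old array unreachable. Assign through the existing temporary instead: `p = realloc(environ, sizeof(char *) * (cnt + 2)); if (!p) return (-1); environ = p;`. A related problem sits further down, where `environ[offset] = malloc(...)` on the rewrite path stores NULL into the slot of an existing variable when malloc fails, which ends the list at that entry. `setenv` is also defined without a return type and relies on implicit int.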
diff --git a/contrib/bind9/lib/bind/bsd/setitimer.c b/contrib/bind9/lib/bind/bsd/setitimer.c
new file mode 100644
index 0000000..791846a
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/setitimer.c
@@ -0,0 +1,27 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: setitimer.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/time.h>
+
+#include "port_after.h"
+
+/*
+ * Setitimer emulation routine.
+ */
+#ifndef NEED_SETITIMER
+int __bindcompat_setitimer;
+#else
+
+int
+__setitimer(int which, const struct itimerval *value,
+ struct itimerval *ovalue)
+{
+ if (alarm(value->it_value.tv_sec) >= 0)
+ return (0);
+ else
+ return (-1);
+}
+#endif
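Review bot: `__setitimer` passes only `value->it_value.tv_sec` to `alarm()`, so a request with zero seconds and a non-zero `tv_usec` becomes `alarm(0)`, which cancels any pending alarm instead of arming one. Rounding up avoids that: `alarm(value->it_value.tv_sec + (value->it_value.tv_usec > 0 ? 1 : 0))`. `which`, `it_interval` and `ovalue` are ignored and `ovalue` is never written, so the comment above the function should say that only a one-shot timer with one-second resolution is emulated and that callers must not read `ovalue`. The `>= 0` test on alarm()'s unsigned return value is always true, so the -1 branch cannot be reached.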
diff --git a/contrib/bind9/lib/bind/bsd/strcasecmp.c b/contrib/bind9/lib/bind/bsd/strcasecmp.c
new file mode 100644
index 0000000..c8c9d05
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strcasecmp.c
@@ -0,0 +1,122 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)strcasecmp.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: strcasecmp.c,v 1.1 2001/03/29 06:30:35 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/cdefs.h>
+
+#include <string.h>
+
+#include "port_after.h"
+
+#ifndef NEED_STRCASECMP
+int __strcasecmp_unneeded__;
+#else
+
+/*
+ * This array is designed for mapping upper and lower case letter
+ * together for a case independent comparison. The mappings are
+ * based upon ascii character sequences.
+ */
+static const u_char charmap[] = {
+ 0000, 0001, 0002, 0003, 0004, 0005, 0006, 0007,
+ 0010, 0011, 0012, 0013, 0014, 0015, 0016, 0017,
+ 0020, 0021, 0022, 0023, 0024, 0025, 0026, 0027,
+ 0030, 0031, 0032, 0033, 0034, 0035, 0036, 0037,
+ 0040, 0041, 0042, 0043, 0044, 0045, 0046, 0047,
+ 0050, 0051, 0052, 0053, 0054, 0055, 0056, 0057,
+ 0060, 0061, 0062, 0063, 0064, 0065, 0066, 0067,
+ 0070, 0071, 0072, 0073, 0074, 0075, 0076, 0077,
+ 0100, 0141, 0142, 0143, 0144, 0145, 0146, 0147,
+ 0150, 0151, 0152, 0153, 0154, 0155, 0156, 0157,
+ 0160, 0161, 0162, 0163, 0164, 0165, 0166, 0167,
+ 0170, 0171, 0172, 0133, 0134, 0135, 0136, 0137,
+ 0140, 0141, 0142, 0143, 0144, 0145, 0146, 0147,
+ 0150, 0151, 0152, 0153, 0154, 0155, 0156, 0157,
+ 0160, 0161, 0162, 0163, 0164, 0165, 0166, 0167,
+ 0170, 0171, 0172, 0173, 0174, 0175, 0176, 0177,
+ 0200, 0201, 0202, 0203, 0204, 0205, 0206, 0207,
+ 0210, 0211, 0212, 0213, 0214, 0215, 0216, 0217,
+ 0220, 0221, 0222, 0223, 0224, 0225, 0226, 0227,
+ 0230, 0231, 0232, 0233, 0234, 0235, 0236, 0237,
+ 0240, 0241, 0242, 0243, 0244, 0245, 0246, 0247,
+ 0250, 0251, 0252, 0253, 0254, 0255, 0256, 0257,
+ 0260, 0261, 0262, 0263, 0264, 0265, 0266, 0267,
+ 0270, 0271, 0272, 0273, 0274, 0275, 0276, 0277,
+ 0300, 0301, 0302, 0303, 0304, 0305, 0306, 0307,
+ 0310, 0311, 0312, 0313, 0314, 0315, 0316, 0317,
+ 0320, 0321, 0322, 0323, 0324, 0325, 0326, 0327,
+ 0330, 0331, 0332, 0333, 0334, 0335, 0336, 0337,
+ 0340, 0341, 0342, 0343, 0344, 0345, 0346, 0347,
+ 0350, 0351, 0352, 0353, 0354, 0355, 0356, 0357,
+ 0360, 0361, 0362, 0363, 0364, 0365, 0366, 0367,
+ 0370, 0371, 0372, 0373, 0374, 0375, 0376, 0377
+};
+
+int
+strcasecmp(const char *s1, const char *s2) {
+ const u_char *cm = charmap,
+ *us1 = (const u_char *)s1,
+ *us2 = (const u_char *)s2;
+
+ while (cm[*us1] == cm[*us2++])
+ if (*us1++ == '\0')
+ return (0);
+ return (cm[*us1] - cm[*--us2]);
+}
+
+int
+strncasecmp(const char *s1, const char *s2, size_t n) {
+ if (n != 0) {
+ const u_char *cm = charmap,
+ *us1 = (const u_char *)s1,
+ *us2 = (const u_char *)s2;
+
+ do {
+ if (cm[*us1] != cm[*us2++])
+ return (cm[*us1] - cm[*--us2]);
+ if (*us1++ == '\0')
+ break;
+ } while (--n != 0);
+ }
+ return (0);
+}
+
+#endif /*NEED_STRCASECMP*/
diff --git a/contrib/bind9/lib/bind/bsd/strdup.c b/contrib/bind9/lib/bind/bsd/strdup.c
new file mode 100644
index 0000000..246bc1f
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strdup.c
@@ -0,0 +1,18 @@
+#include "port_before.h"
+
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifndef NEED_STRDUP
+int __bind_strdup_unneeded;
+#else
+char *
+strdup(const char *src) {
+ char *dst = malloc(strlen(src) + 1);
+
+ if (dst)
+ strcpy(dst, src);
+ return (dst);
+}
+#endif
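Review bot: strdup.c calls `strlen()` and `strcpy()` but includes only `<stdlib.h>`; unless port_before.h or port_after.h supply the declarations, both are implicitly declared and `strlen()` is treated as returning int, which truncates the length where size_t is wider than int. Adding `#include <string.h>` next to the `<stdlib.h>` include removes the dependency on the port headers.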
diff --git a/contrib/bind9/lib/bind/bsd/strerror.c b/contrib/bind9/lib/bind/bsd/strerror.c
new file mode 100644
index 0000000..d13adbb
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strerror.c
@@ -0,0 +1,90 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)strerror.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: strerror.c,v 1.3.2.1 2001/11/02 17:45:31 gson Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/types.h>
+
+#include <string.h>
+
+#include "port_after.h"
+
+#ifndef NEED_STRERROR
+int __strerror_unneeded__;
+#else
+
+#ifdef USE_SYSERROR_LIST
+extern int sys_nerr;
+extern char *sys_errlist[];
+#endif
+
+const char *
+isc_strerror(int num) {
+#define UPREFIX "Unknown error: "
+ static char ebuf[40] = UPREFIX; /* 64-bit number + slop */
+ u_int errnum;
+ char *p, *t;
+ const char *ret;
+ char tmp[40];
+
+ errnum = num; /* convert to unsigned */
+#ifdef USE_SYSERROR_LIST
+ if (errnum < sys_nerr)
+ return (sys_errlist[errnum]);
+#else
+#undef strerror
+ ret = strerror(num); /* call strerror() in libc */
+ if (ret != NULL)
+ return(ret);
+#endif
+
+ /* Do this by hand, so we don't include stdio(3). */
+ t = tmp;
+ do {
+ *t++ = "0123456789"[errnum % 10];
+ } while (errnum /= 10);
+ for (p = ebuf + sizeof(UPREFIX) - 1;;) {
+ *p++ = *--t;
+ if (t <= tmp)
+ break;
+ }
+ return (ebuf);
+}
+
+#endif /*NEED_STRERROR*/
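Review bot: The fallback path of `isc_strerror` copies the digits into the static `ebuf` but never writes a terminator, so after one call with a long number a later call with a shorter one returns the new digits followed by the tail of the old ones. Terminate after the copy loop with `*p = '\0';` before `return (ebuf);`. The shared static buffer also makes the function non-reentrant, which deserves a comment above the definition.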
diff --git a/contrib/bind9/lib/bind/bsd/strpbrk.c b/contrib/bind9/lib/bind/bsd/strpbrk.c
new file mode 100644
index 0000000..ff039e1
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strpbrk.c
@@ -0,0 +1,68 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)strpbrk.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: strpbrk.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1985, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/cdefs.h>
+
+#include <string.h>
+
+#include "port_after.h"
+
+#ifndef NEED_STRPBRK
+int __strpbrk_unneeded__;
+#else
+
+/*
+ * Find the first occurrence in s1 of a character in s2 (excluding NUL).
+ */
+char *
+strpbrk(const char *s1, const char *s2) {
+ const char *scanp;
+ int c, sc;
+
+ while ((c = *s1++) != 0) {
+ for (scanp = s2; (sc = *scanp++) != 0;)
+ if (sc == c)
+ return ((char *)(s1 - 1));
+ }
+ return (NULL);
+}
+
+#endif /*NEED_STRPBRK*/
diff --git a/contrib/bind9/lib/bind/bsd/strsep.c b/contrib/bind9/lib/bind/bsd/strsep.c
new file mode 100644
index 0000000..3dcee4a
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strsep.c
@@ -0,0 +1,86 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "strsep.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: strsep.c,v 1.1 2001/03/29 06:30:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+#include <sys/cdefs.h>
+#include <string.h>
+#include <stdio.h>
+#include "port_after.h"
+
+#ifndef NEED_STRSEP
+int __strsep_unneeded__;
+#else
+
+/*
+ * Get next token from string *stringp, where tokens are possibly-empty
+ * strings separated by characters from delim.
+ *
+ * Writes NULs into the string at *stringp to end tokens.
+ * delim need not remain constant from call to call.
+ * On return, *stringp points past the last NUL written (if there might
+ * be further tokens), or is NULL (if there are definitely no more tokens).
+ *
+ * If *stringp is NULL, strsep returns NULL.
+ */
+char *
+strsep(char **stringp, const char *delim) {
+ char *s;
+ const char *spanp;
+ int c, sc;
+ char *tok;
+
+ if ((s = *stringp) == NULL)
+ return (NULL);
+ for (tok = s;;) {
+ c = *s++;
+ spanp = delim;
+ do {
+ if ((sc = *spanp++) == c) {
+ if (c == 0)
+ s = NULL;
+ else
+ s[-1] = 0;
+ *stringp = s;
+ return (tok);
+ }
+ } while (sc != 0);
+ }
+ /* NOTREACHED */
+}
+
+#endif /*NEED_STRSEP*/
diff --git a/contrib/bind9/lib/bind/bsd/strtoul.c b/contrib/bind9/lib/bind/bsd/strtoul.c
new file mode 100644
index 0000000..d110f30
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/strtoul.c
@@ -0,0 +1,117 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: strtoul.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifndef NEED_STRTOUL
+int __strtoul_unneeded__;
+#else
+
+/*
+ * Convert a string to an unsigned long integer.
+ *
+ * Ignores `locale' stuff. Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+u_long
+strtoul(const char *nptr, char **endptr, int base) {
+ const char *s = nptr;
+ u_long acc, cutoff;
+ int neg, c, any, cutlim;
+
+ neg = 0;
+
+ /*
+ * See strtol for comments as to the logic used.
+ */
+ do {
+ c = *(unsigned char *)s++;
+ } while (isspace(c));
+ if (c == '-') {
+ neg = 1;
+ c = *s++;
+ } else if (c == '+')
+ c = *s++;
+ if ((base == 0 || base == 16) &&
+ c == '0' && (*s == 'x' || *s == 'X')) {
+ c = s[1];
+ s += 2;
+ base = 16;
+ }
+ if (base == 0)
+ base = c == '0' ? 8 : 10;
+ cutoff = (u_long)ULONG_MAX / (u_long)base;
+ cutlim = (u_long)ULONG_MAX % (u_long)base;
+ for (acc = 0, any = 0;; c = *(unsigned char*)s++) {
+ if (isdigit(c))
+ c -= '0';
+ else if (isalpha(c))
+ c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+ else
+ break;
+ if (c >= base)
+ break;
+ if (any < 0 || acc > cutoff || acc == cutoff && c > cutlim)
+ any = -1;
+ else {
+ any = 1;
+ acc *= base;
+ acc += c;
+ }
+ }
+ if (any < 0) {
+ acc = ULONG_MAX;
+ errno = ERANGE;
+ } else if (neg)
+ acc = -acc;
+ if (endptr != 0)
+ *endptr = (char *)(any ? s - 1 : nptr);
+ return (acc);
+}
+
+#endif /*NEED_STRTOUL*/
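Review bot: After a sign or a `0x` prefix, `strtoul` reloads `c` through a plain `char` (`c = *s++;` in both sign branches and `c = s[1];` in the prefix branch), unlike the first read and the loop step, which cast to `unsigned char`. Where `char` is signed, a byte of 0x80 or above following `-`, `+` or `0x` reaches `isdigit()`/`isalpha()` as a negative int, which is undefined behaviour and on some C libraries an out-of-range table lookup. Use `c = *(unsigned char *)s++;` and `c = (unsigned char)s[1];` so every read matches the loop. Separately, `base` is never range-checked, so a value outside 2..36 is used as given in the `cutoff`/`cutlim` division instead of being rejected; `if (base != 0 && (base < 2 || base > 36)) { errno = EINVAL; return (0); }` before the prefix handling would make that explicit.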
diff --git a/contrib/bind9/lib/bind/bsd/utimes.c b/contrib/bind9/lib/bind/bsd/utimes.c
new file mode 100644
index 0000000..6a288f4
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/utimes.c
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <utime.h>
+
+#include "port_after.h"
+
+#ifndef NEED_UTIMES
+int __bind_utimes_unneeded;
+#else
+
+int
+__utimes(char *filename, struct timeval *tvp) {
+ struct utimbuf utb;
+
+ utb.actime = (time_t)tvp[0].tv_sec;
+ utb.modtime = (time_t)tvp[1].tv_sec;
+ return (utime(filename, &utb));
+}
+
+#endif /* NEED_UTIMES */
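Review bot: `__utimes` dereferences `tvp[0]` and `tvp[1]` unconditionally, but callers of a utimes()-style interface commonly pass a null times pointer to mean "set both timestamps to now", and that call would fault here. Forwarding the null case keeps the semantics: `if (tvp == NULL) return (utime(filename, NULL));` before the two assignments. A short comment should also say that the `tv_usec` fields are dropped, so timestamps set through this shim have one-second resolution.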
diff --git a/contrib/bind9/lib/bind/bsd/writev.c b/contrib/bind9/lib/bind/bsd/writev.c
new file mode 100644
index 0000000..fe204a9
--- /dev/null
+++ b/contrib/bind9/lib/bind/bsd/writev.c
@@ -0,0 +1,87 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: writev.c,v 1.1.2.1 2003/06/27 03:51:35 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include "port_after.h"
+
+#ifndef NEED_WRITEV
+int __bindcompat_writev;
+#else
+
+#ifdef _CRAY
+#define OWN_WRITEV
+int
+__writev(int fd, struct iovec *iov, int iovlen)
+{
+ struct stat statbuf;
+
+ if (fstat(fd, &statbuf) < 0)
+ return (-1);
+
+ /*
+ * Allow for atomic writes to network.
+ */
+ if (statbuf.st_mode & S_IFSOCK) {
+ struct msghdr mesg;
+
+ memset(&mesg, 0, sizeof(mesg));
+ mesg.msg_name = 0;
+ mesg.msg_namelen = 0;
+ mesg.msg_iov = iov;
+ mesg.msg_iovlen = iovlen;
+ mesg.msg_accrights = 0;
+ mesg.msg_accrightslen = 0;
+ return (sendmsg(fd, &mesg, 0));
+ } else {
+ struct iovec *tv;
+ int i, rcode = 0, count = 0;
+
+ for (i = 0, tv = iov; i <= iovlen; tv++) {
+ rcode = write(fd, tv->iov_base, tv->iov_len);
+
+ if (rcode < 0)
+ break;
+
+ count += rcode;
+ }
+
+ if (count == 0)
+ return (rcode);
+ else
+ return (count);
+ }
+}
+
+#else /*_CRAY*/
+
+int
+__writev(fd, vp, vpcount)
+ int fd;
+ const struct iovec *vp;
+ int vpcount;
+{
+ int count = 0;
+
+ while (vpcount-- > 0) {
+ int written = write(fd, vp->iov_base, vp->iov_len);
+
+ if (written < 0)
+ return (-1);
+ count += written;
+ if (written != vp->iov_len)
+ break;
+ vp++;
+ }
+ return (count);
+}
+
+#endif /*_CRAY*/
+
+#endif /*NEED_WRITEV*/
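Review bot: In the `_CRAY` variant of `__writev`, the fallback loop `for (i = 0, tv = iov; i <= iovlen; tv++)` never increments `i`, so it ends only when write() fails and otherwise advances `tv` past the end of the caller's iovec array, handing whatever memory follows to write() as a buffer pointer and length. It should be `for (i = 0, tv = iov; i < iovlen; i++, tv++)`. The socket check above it, `statbuf.st_mode & S_IFSOCK`, tests bits rather than the file type, so on systems where other file-type values share bits with S_IFSOCK a non-socket descriptor is sent to sendmsg(); `if ((statbuf.st_mode & S_IFMT) == S_IFSOCK)` compares the type itself. That branch also calls memset() without including `<string.h>`, at least among the headers visible in this hunk.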
diff --git a/contrib/bind9/lib/bind/config.h.in b/contrib/bind9/lib/bind/config.h.in
new file mode 100644
index 0000000..46de822
--- /dev/null
+++ b/contrib/bind9/lib/bind/config.h.in
@@ -0,0 +1,45 @@
+#undef _SOCKADDR_LEN
+#undef HAVE_FCNTL_H
+#undef HAVE_PATHS_H
+#undef HAVE_SYS_TIMERS_H
+#undef SYS_CDEFS_H
+#undef _POSIX_PTHREAD_SEMANTICS
+#undef POSIX_GETPWUID_R
+#undef POSIX_GETPWNAM_R
+#undef POSIX_GETGRGID_R
+#undef POSIX_GETGRNAM_R
+
+#undef NEED_SETGROUPENT
+#undef NEED_GETGROUPLIST
+
+/* define if prototype for getgrnam_r() is required */
+#undef NEED_GETGRNAM_R
+#undef NEED_GETGRGID_R
+#undef NEED_GETGRENT_R
+#undef NEED_SETGRENT_R
+#undef NEED_ENDGRENT_R
+
+#undef NEED_INNETGR_R
+#undef NEED_SETNETGRENT_R
+#undef NEED_ENDNETGRENT_R
+
+#undef NEED_GETPWNAM_R
+#undef NEED_GETPWUID_R
+#undef NEED_SETPWENT_R
+#undef NEED_SETPASSENT_R
+#undef NEED_SETPWENT_R
+#undef NEED_GETPWENT_R
+#undef NEED_ENDPWENT_R
+
+#undef NEED_SETPASSENT
+
+#undef HAS_PW_CLASS
+
+/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */
+#undef SHUTUP_SPUTAUX
+#ifdef SHUTUP_SPUTAUX
+struct __sFILE;
+extern __inline int __sputaux(int _c, struct __sFILE *_p);
+#endif
+#undef BROKEN_IN6ADDR_INIT_MACROS
+#undef HAVE_STRLCAT
diff --git a/contrib/bind9/lib/bind/configure b/contrib/bind9/lib/bind/configure
new file mode 100755
index 0000000..54c6c10
--- /dev/null
+++ b/contrib/bind9/lib/bind/configure
@@ -0,0 +1,31829 @@
+#! /bin/sh
+# From configure.in Revision: 1.83.2.5.2.3 .
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.59.
+#
+# Copyright (C) 2003 Free Software Foundation, Inc.
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+ set -o posix
+fi
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# Work around bugs in pre-3.0 UWIN ksh.
+$as_unset ENV MAIL MAILPATH
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+ LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+ LC_TELEPHONE LC_TIME
+do
+ if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+ eval $as_var=C; export $as_var
+ else
+ $as_unset $as_var
+ fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)$' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
+ /^X\/\(\/\/\)$/{ s//\1/; q; }
+ /^X\/\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+
+
+# PATH needs CR, and LINENO needs CR and PATH.
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
+fi
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x$as_lineno_3" = "x$as_lineno_2" || {
+ # Find who we are. Look in the path if we contain no path at all
+ # relative or not.
+ case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+
+ ;;
+ esac
+ # We did not find ourselves, most probably we were run as `sh COMMAND'
+ # in which case we are not to be found in the path.
+ if test "x$as_myself" = x; then
+ as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+ { echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2
+ { (exit 1); exit 1; }; }
+ fi
+ case $CONFIG_SHELL in
+ '')
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for as_base in sh bash ksh sh5; do
+ case $as_dir in
+ /*)
+ if ("$as_dir/$as_base" -c '
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
+ $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
+ $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
+ CONFIG_SHELL=$as_dir/$as_base
+ export CONFIG_SHELL
+ exec "$CONFIG_SHELL" "$0" ${1+"$@"}
+ fi;;
+ esac
+ done
+done
+;;
+ esac
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line before each line; the second 'sed' does the real
+ # work. The second script uses 'N' to pair each line-number line
+ # with the numbered line, and appends trailing '-' during
+ # substitution so that $LINENO is not a special case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
+ sed '=' <$as_myself |
+ sed '
+ N
+ s,$,-,
+ : loop
+ s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+ t loop
+ s,-$,,
+ s,^['$as_cr_digits']*\n,,
+ ' >$as_me.lineno &&
+ chmod +x $as_me.lineno ||
+ { echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensible to this).
+ . ./$as_me.lineno
+ # Exit status is that of the last command.
+ exit
+}
+
+
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+ *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T=' ' ;;
+ *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+ *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+ # We could just check for DJGPP; but this test a) works b) is more generic
+ # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
+ if test -f conf$$.exe; then
+ # Don't use ln at all; we don't have any links
+ as_ln_s='cp -p'
+ else
+ as_ln_s='ln -s'
+ fi
+elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.file
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+as_executable_p="test -f"
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+as_nl='
+'
+IFS=" $as_nl"
+
+# CDPATH.
+$as_unset CDPATH
+
+
+
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+ # Remove one level of quotation (which was required for Make).
+ ECHO=`echo "$ECHO" | sed 's,\\\\\$\\$0,'$0','`
+ ;;
+esac
+
+echo=${ECHO-echo}
+if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X$1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell.
+ exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+$*
+EOF
+ exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+ for cmd in 'sed 50q "$0"' 'sed 20q "$0"' 'sed 10q "$0"' 'sed 2q "$0"' 'echo test'; do
+ # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+ if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+ echo_test_string="`eval $cmd`" &&
+ (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+ then
+ break
+ fi
+ done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ :
+else
+ # The Solaris, AIX, and Digital Unix default echo programs unquote
+ # backslashes. This makes it impossible to quote backslashes using
+ # echo "$something" | sed 's/\\/\\\\/g'
+ #
+ # So, first we look for a working echo in the user's PATH.
+
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for dir in $PATH /usr/ucb; do
+ IFS="$lt_save_ifs"
+ if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+ test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$dir/echo"
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ if test "X$echo" = Xecho; then
+ # We didn't find a better echo, so look for alternatives.
+ if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # This shell has a builtin print -r that does the trick.
+ echo='print -r'
+ elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+ test "X$CONFIG_SHELL" != X/bin/ksh; then
+ # If we have ksh, try running configure again with it.
+ ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+ export ORIGINAL_CONFIG_SHELL
+ CONFIG_SHELL=/bin/ksh
+ export CONFIG_SHELL
+ exec $CONFIG_SHELL "$0" --no-reexec ${1+"$@"}
+ else
+ # Try using printf.
+ echo='printf %s\n'
+ if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # Cool, printf works
+ :
+ elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($ORIGINAL_CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+ export CONFIG_SHELL
+ SHELL="$CONFIG_SHELL"
+ export SHELL
+ echo="$CONFIG_SHELL $0 --fallback-echo"
+ elif echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($CONFIG_SHELL "$0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$CONFIG_SHELL $0 --fallback-echo"
+ else
+ # maybe with a smaller string...
+ prev=:
+
+ for cmd in 'echo test' 'sed 2q "$0"' 'sed 10q "$0"' 'sed 20q "$0"' 'sed 50q "$0"'; do
+ if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+ then
+ break
+ fi
+ prev="$cmd"
+ done
+
+ if test "$prev" != 'sed 50q "$0"'; then
+ echo_test_string=`eval $prev`
+ export echo_test_string
+ exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "$0" ${1+"$@"}
+ else
+ # Oops. We lost completely, so just stick with echo.
+ echo=echo
+ fi
+ fi
+ fi
+ fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL $0 --fallback-echo"; then
+ ECHO="$CONFIG_SHELL \\\$\$0 --fallback-echo"
+fi
+
+
+
+
+tagnames=${tagnames+${tagnames},}CXX
+
+tagnames=${tagnames+${tagnames},}F77
+
+# Name of the host.
+# hostname on some systems (SVR3.2, Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+exec 6>&1
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_config_libobj_dir=.
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+# Maximum number of lines to put in a shell here document.
+# This variable seems obsolete. It should probably be removed, and
+# only ac_max_sed_lines should be used.
+: ${ac_max_here_lines=38}
+
+# Identity of this package.
+PACKAGE_NAME=
+PACKAGE_TARNAME=
+PACKAGE_VERSION=
+PACKAGE_STRING=
+PACKAGE_BUGREPORT=
+
+ac_unique_file="resolv/herror.c"
+# Factoring default headers for most tests.
+ac_includes_default="\
+#include <stdio.h>
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#if HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#if STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# if HAVE_STDLIB_H
+# include <stdlib.h>
+# endif
+#endif
+#if HAVE_STRING_H
+# if !STDC_HEADERS && HAVE_MEMORY_H
+# include <memory.h>
+# endif
+# include <string.h>
+#endif
+#if HAVE_STRINGS_H
+# include <strings.h>
+#endif
+#if HAVE_INTTYPES_H
+# include <inttypes.h>
+#else
+# if HAVE_STDINT_H
+# include <stdint.h>
+# endif
+#endif
+#if HAVE_UNISTD_H
+# include <unistd.h>
+#endif"
+
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os SET_MAKE RANLIB ac_ct_RANLIB INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA STD_CINCLUDES STD_CDEFINES STD_CWARNINGS CCOPT AR ARFLAGS LN ETAGS PERL CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT CPP EGREP ISC_PLATFORM_NEEDSYSSELECTH WANT_IRS_GR WANT_IRS_GR_OBJS WANT_IRS_PW WANT_IRS_PW_OBJS WANT_IRS_NIS WANT_IRS_NIS_OBJS WANT_IRS_NISGR_OBJS WANT_IRS_NISPW_OBJS WANT_IRS_DBPW_OBJS ALWAYS_DEFINES DO_PTHREADS WANT_IRS_THREADSGR_OBJS WANT_IRS_THREADSPW_OBJS WANT_IRS_THREADS_OBJS USE_IFNAMELINKID ISC_THREAD_DIR DAEMON_OBJS NEED_DAEMON STRSEP_OBJS NEED_STRSEP NEED_STRERROR MKDEPCC MKDEPCFLAGS MKDEPPROG IRIX_DNSSEC_WARNINGS_HACK purify_path PURIFY LN_S ECHO ac_ct_AR STRIP ac_ct_STRIP CXX CXXFLAGS ac_ct_CXX CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL O A SA LIBTOOL_MKDEP_SED LIBTOOL_MODE_COMPILE LIBTOOL_MODE_INSTALL LIBTOOL_MODE_LINK HAS_INET6_STRUCTS ISC_PLATFORM_NEEDNETINETIN6H ISC_PLATFORM_NEEDNETINET6IN6H HAS_IN_ADDR6 NEED_IN6ADDR_ANY ISC_PLATFORM_HAVEIN6PKTINFO ISC_PLATFORM_FIXIN6ISADDR ISC_IPV6_H ISC_IPV6_O ISC_ISCIPV6_O ISC_IPV6_C HAVE_SIN6_SCOPE_ID HAVE_SOCKADDR_STORAGE ISC_PLATFORM_NEEDNTOP ISC_PLATFORM_NEEDPTON ISC_PLATFORM_NEEDATON HAVE_SA_LEN HAVE_MINIMUM_IFREQ BSD_COMP SOLARIS_BITTYPES USE_FIONBIO_IOCTL PORT_DIR PORT_INCLUDE ISC_PLATFORM_MSGHDRFLAVOR ISC_PLATFORM_NEEDPORTT ISC_LWRES_ENDHOSTENTINT ISC_LWRES_SETNETENTINT ISC_LWRES_ENDNETENTINT ISC_LWRES_GETHOSTBYADDRVOID ISC_LWRES_NEEDHERRNO ISC_LWRES_GETIPNODEPROTO ISC_LWRES_GETADDRINFOPROTO ISC_LWRES_GETNAMEINFOPROTO NEED_PSELECT NEED_GETTIMEOFDAY HAVE_STRNDUP ISC_PLATFORM_NEEDSTRSEP ISC_PLATFORM_NEEDVSNPRINTF 
ISC_EXTRA_OBJS ISC_EXTRA_SRCS USE_SYSERROR_LIST ISC_PLATFORM_QUADFORMAT ISC_SOCKLEN_T GETGROUPLIST_ARGS NET_R_ARGS NET_R_BAD NET_R_COPY NET_R_COPY_ARGS NET_R_OK NET_R_SETANSWER NET_R_RETURN GETNETBYADDR_ADDR_T NETENT_DATA NET_R_ENT_ARGS NET_R_SET_RESULT NET_R_SET_RETURN NET_R_END_RESULT NET_R_END_RETURN GROUP_R_ARGS GROUP_R_BAD GROUP_R_OK GROUP_R_RETURN GROUP_R_END_RESULT GROUP_R_END_RETURN GROUP_R_ENT_ARGS GROUP_R_SET_RESULT GROUP_R_SET_RETURN HOST_R_ARGS HOST_R_BAD HOST_R_COPY HOST_R_COPY_ARGS HOST_R_ERRNO HOST_R_OK HOST_R_RETURN HOST_R_SETANSWER HOSTENT_DATA HOST_R_END_RESULT HOST_R_END_RETURN HOST_R_ENT_ARGS HOST_R_SET_RESULT HOST_R_SET_RETURN SETPWENT_VOID SETGRENT_VOID NGR_R_ARGS NGR_R_BAD NGR_R_COPY NGR_R_COPY_ARGS NGR_R_OK NGR_R_RETURN NGR_R_PRIVATE NGR_R_END_RESULT NGR_R_END_RETURN NGR_R_ENT_ARGS NGR_R_SET_RESULT NGR_R_SET_RETURN PROTO_R_ARGS PROTO_R_BAD PROTO_R_COPY PROTO_R_COPY_ARGS PROTO_R_OK PROTO_R_SETANSWER PROTO_R_RETURN PROTO_R_END_RESULT PROTO_R_END_RETURN PROTO_R_ENT_ARGS PROTO_R_SET_RESULT PROTO_R_SET_RETURN PASS_R_ARGS PASS_R_BAD PASS_R_COPY PASS_R_COPY_ARGS PASS_R_OK PASS_R_RETURN PASS_R_END_RESULT PASS_R_END_RETURN PASS_R_ENT_ARGS PASS_R_SET_RESULT PASS_R_SET_RETURN SERV_R_ARGS SERV_R_BAD SERV_R_COPY SERV_R_COPY_ARGS SERV_R_OK SERV_R_SETANSWER SERV_R_RETURN SERV_R_END_RESULT SERV_R_END_RETURN SERV_R_ENT_ARGS SERV_R_SET_RESULT SERV_R_SET_RETURN SETNETGRENT_ARGS INNETGR_ARGS ISC_PLATFORM_BRACEPTHREADONCEINIT BIND9_TOP_BUILDDIR BIND9_VERSION LIBOBJS LTLIBOBJS'
+ac_subst_files='BIND9_INCLUDES BIND9_MAKE_RULES LIBBIND_API'
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datadir='${prefix}/share'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+libdir='${exec_prefix}/lib'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+infodir='${prefix}/info'
+mandir='${prefix}/man'
+
+ac_prev=
+for ac_option
+do
+ # If the previous option needs an argument, assign it.
+ if test -n "$ac_prev"; then
+ eval "$ac_prev=\$ac_option"
+ ac_prev=
+ continue
+ fi
+
+ ac_optarg=`expr "x$ac_option" : 'x[^=]*=\(.*\)'`
+
+ # Accept the important Cygnus configure options, so we can diagnose typos.
+
+ case $ac_option in
+
+ -bindir | --bindir | --bindi | --bind | --bin | --bi)
+ ac_prev=bindir ;;
+ -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+ bindir=$ac_optarg ;;
+
+ -build | --build | --buil | --bui | --bu)
+ ac_prev=build_alias ;;
+ -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+ build_alias=$ac_optarg ;;
+
+ -cache-file | --cache-file | --cache-fil | --cache-fi \
+ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+ ac_prev=cache_file ;;
+ -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+ cache_file=$ac_optarg ;;
+
+ --config-cache | -C)
+ cache_file=config.cache ;;
+
+ -datadir | --datadir | --datadi | --datad | --data | --dat | --da)
+ ac_prev=datadir ;;
+ -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \
+ | --da=*)
+ datadir=$ac_optarg ;;
+
+ -disable-* | --disable-*)
+ ac_feature=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+ { (exit 1); exit 1; }; }
+ ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+ eval "enable_$ac_feature=no" ;;
+
+ -enable-* | --enable-*)
+ ac_feature=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_feature" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid feature name: $ac_feature" >&2
+ { (exit 1); exit 1; }; }
+ ac_feature=`echo $ac_feature | sed 's/-/_/g'`
+ case $ac_option in
+ *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
+ *) ac_optarg=yes ;;
+ esac
+ eval "enable_$ac_feature='$ac_optarg'" ;;
+
+ -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+ | --exec | --exe | --ex)
+ ac_prev=exec_prefix ;;
+ -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+ | --exec=* | --exe=* | --ex=*)
+ exec_prefix=$ac_optarg ;;
+
+ -gas | --gas | --ga | --g)
+ # Obsolete; use --with-gas.
+ with_gas=yes ;;
+
+ -help | --help | --hel | --he | -h)
+ ac_init_help=long ;;
+ -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+ ac_init_help=recursive ;;
+ -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+ ac_init_help=short ;;
+
+ -host | --host | --hos | --ho)
+ ac_prev=host_alias ;;
+ -host=* | --host=* | --hos=* | --ho=*)
+ host_alias=$ac_optarg ;;
+
+ -includedir | --includedir | --includedi | --included | --include \
+ | --includ | --inclu | --incl | --inc)
+ ac_prev=includedir ;;
+ -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+ | --includ=* | --inclu=* | --incl=* | --inc=*)
+ includedir=$ac_optarg ;;
+
+ -infodir | --infodir | --infodi | --infod | --info | --inf)
+ ac_prev=infodir ;;
+ -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+ infodir=$ac_optarg ;;
+
+ -libdir | --libdir | --libdi | --libd)
+ ac_prev=libdir ;;
+ -libdir=* | --libdir=* | --libdi=* | --libd=*)
+ libdir=$ac_optarg ;;
+
+ -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+ | --libexe | --libex | --libe)
+ ac_prev=libexecdir ;;
+ -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+ | --libexe=* | --libex=* | --libe=*)
+ libexecdir=$ac_optarg ;;
+
+ -localstatedir | --localstatedir | --localstatedi | --localstated \
+ | --localstate | --localstat | --localsta | --localst \
+ | --locals | --local | --loca | --loc | --lo)
+ ac_prev=localstatedir ;;
+ -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+ | --localstate=* | --localstat=* | --localsta=* | --localst=* \
+ | --locals=* | --local=* | --loca=* | --loc=* | --lo=*)
+ localstatedir=$ac_optarg ;;
+
+ -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+ ac_prev=mandir ;;
+ -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+ mandir=$ac_optarg ;;
+
+ -nfp | --nfp | --nf)
+ # Obsolete; use --without-fp.
+ with_fp=no ;;
+
+ -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+ | --no-cr | --no-c | -n)
+ no_create=yes ;;
+
+ -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+ no_recursion=yes ;;
+
+ -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+ | --oldin | --oldi | --old | --ol | --o)
+ ac_prev=oldincludedir ;;
+ -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+ oldincludedir=$ac_optarg ;;
+
+ -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+ ac_prev=prefix ;;
+ -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+ prefix=$ac_optarg ;;
+
+ -program-prefix | --program-prefix | --program-prefi | --program-pref \
+ | --program-pre | --program-pr | --program-p)
+ ac_prev=program_prefix ;;
+ -program-prefix=* | --program-prefix=* | --program-prefi=* \
+ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+ program_prefix=$ac_optarg ;;
+
+ -program-suffix | --program-suffix | --program-suffi | --program-suff \
+ | --program-suf | --program-su | --program-s)
+ ac_prev=program_suffix ;;
+ -program-suffix=* | --program-suffix=* | --program-suffi=* \
+ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+ program_suffix=$ac_optarg ;;
+
+ -program-transform-name | --program-transform-name \
+ | --program-transform-nam | --program-transform-na \
+ | --program-transform-n | --program-transform- \
+ | --program-transform | --program-transfor \
+ | --program-transfo | --program-transf \
+ | --program-trans | --program-tran \
+ | --progr-tra | --program-tr | --program-t)
+ ac_prev=program_transform_name ;;
+ -program-transform-name=* | --program-transform-name=* \
+ | --program-transform-nam=* | --program-transform-na=* \
+ | --program-transform-n=* | --program-transform-=* \
+ | --program-transform=* | --program-transfor=* \
+ | --program-transfo=* | --program-transf=* \
+ | --program-trans=* | --program-tran=* \
+ | --progr-tra=* | --program-tr=* | --program-t=*)
+ program_transform_name=$ac_optarg ;;
+
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+ | --sbi=* | --sb=*)
+ sbindir=$ac_optarg ;;
+
+ -sharedstatedir | --sharedstatedir | --sharedstatedi \
+ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+ | --sharedst | --shareds | --shared | --share | --shar \
+ | --sha | --sh)
+ ac_prev=sharedstatedir ;;
+ -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+ | --sha=* | --sh=*)
+ sharedstatedir=$ac_optarg ;;
+
+ -site | --site | --sit)
+ ac_prev=site ;;
+ -site=* | --site=* | --sit=*)
+ site=$ac_optarg ;;
+
+ -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+ ac_prev=srcdir ;;
+ -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+ srcdir=$ac_optarg ;;
+
+ -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+ | --syscon | --sysco | --sysc | --sys | --sy)
+ ac_prev=sysconfdir ;;
+ -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+ sysconfdir=$ac_optarg ;;
+
+ -target | --target | --targe | --targ | --tar | --ta | --t)
+ ac_prev=target_alias ;;
+ -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+ target_alias=$ac_optarg ;;
+
+ -v | -verbose | --verbose | --verbos | --verbo | --verb)
+ verbose=yes ;;
+
+ -version | --version | --versio | --versi | --vers | -V)
+ ac_init_version=: ;;
+
+ -with-* | --with-*)
+ ac_package=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid package name: $ac_package" >&2
+ { (exit 1); exit 1; }; }
+ ac_package=`echo $ac_package| sed 's/-/_/g'`
+ case $ac_option in
+ *=*) ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`;;
+ *) ac_optarg=yes ;;
+ esac
+ eval "with_$ac_package='$ac_optarg'" ;;
+
+ -without-* | --without-*)
+ ac_package=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_package" : ".*[^-_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid package name: $ac_package" >&2
+ { (exit 1); exit 1; }; }
+ ac_package=`echo $ac_package | sed 's/-/_/g'`
+ eval "with_$ac_package=no" ;;
+
+ --x)
+ # Obsolete; use --with-x.
+ with_x=yes ;;
+
+ -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+ | --x-incl | --x-inc | --x-in | --x-i)
+ ac_prev=x_includes ;;
+ -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+ x_includes=$ac_optarg ;;
+
+ -x-libraries | --x-libraries | --x-librarie | --x-librari \
+ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+ ac_prev=x_libraries ;;
+ -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+ x_libraries=$ac_optarg ;;
+
+ -*) { echo "$as_me: error: unrecognized option: $ac_option
+Try \`$0 --help' for more information." >&2
+ { (exit 1); exit 1; }; }
+ ;;
+
+ *=*)
+ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_envvar" : ".*[^_$as_cr_alnum]" >/dev/null &&
+ { echo "$as_me: error: invalid variable name: $ac_envvar" >&2
+ { (exit 1); exit 1; }; }
+ ac_optarg=`echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"`
+ eval "$ac_envvar='$ac_optarg'"
+ export $ac_envvar ;;
+
+ *)
+ # FIXME: should be removed in autoconf 3.0.
+ echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+ expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+ : ${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}
+ ;;
+
+ esac
+done
+
+if test -n "$ac_prev"; then
+ ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+ { echo "$as_me: error: missing argument to $ac_option" >&2
+ { (exit 1); exit 1; }; }
+fi
+
+# Be sure to have absolute paths.
+for ac_var in exec_prefix prefix
+do
+ eval ac_val=$`echo $ac_var`
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* | NONE | '' ) ;;
+ *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+ { (exit 1); exit 1; }; };;
+ esac
+done
+
+# Be sure to have absolute paths.
+for ac_var in bindir sbindir libexecdir datadir sysconfdir sharedstatedir \
+ localstatedir libdir includedir oldincludedir infodir mandir
+do
+ eval ac_val=$`echo $ac_var`
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* ) ;;
+ *) { echo "$as_me: error: expected an absolute directory name for --$ac_var: $ac_val" >&2
+ { (exit 1); exit 1; }; };;
+ esac
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+ echo "$as_me: WARNING: If you wanted to set the --build type, don't use --host.
+ If a cross compiler is detected then cross compile mode will be used." >&2
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+ ac_srcdir_defaulted=yes
+ # Try the directory containing this script, then its parent.
+ ac_confdir=`(dirname "$0") 2>/dev/null ||
+$as_expr X"$0" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$0" : 'X\(//\)[^/]' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X"$0" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+ /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+ /^X\(\/\/\)$/{ s//\1/; q; }
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ srcdir=$ac_confdir
+ if test ! -r $srcdir/$ac_unique_file; then
+ srcdir=..
+ fi
+else
+ ac_srcdir_defaulted=no
+fi
+if test ! -r $srcdir/$ac_unique_file; then
+ if test "$ac_srcdir_defaulted" = yes; then
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
+ { (exit 1); exit 1; }; }
+ else
+ { echo "$as_me: error: cannot find sources ($ac_unique_file) in $srcdir" >&2
+ { (exit 1); exit 1; }; }
+ fi
+fi
+(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null ||
+ { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
+ { (exit 1); exit 1; }; }
+srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`
+ac_env_build_alias_set=${build_alias+set}
+ac_env_build_alias_value=$build_alias
+ac_cv_env_build_alias_set=${build_alias+set}
+ac_cv_env_build_alias_value=$build_alias
+ac_env_host_alias_set=${host_alias+set}
+ac_env_host_alias_value=$host_alias
+ac_cv_env_host_alias_set=${host_alias+set}
+ac_cv_env_host_alias_value=$host_alias
+ac_env_target_alias_set=${target_alias+set}
+ac_env_target_alias_value=$target_alias
+ac_cv_env_target_alias_set=${target_alias+set}
+ac_cv_env_target_alias_value=$target_alias
+ac_env_CC_set=${CC+set}
+ac_env_CC_value=$CC
+ac_cv_env_CC_set=${CC+set}
+ac_cv_env_CC_value=$CC
+ac_env_CFLAGS_set=${CFLAGS+set}
+ac_env_CFLAGS_value=$CFLAGS
+ac_cv_env_CFLAGS_set=${CFLAGS+set}
+ac_cv_env_CFLAGS_value=$CFLAGS
+ac_env_LDFLAGS_set=${LDFLAGS+set}
+ac_env_LDFLAGS_value=$LDFLAGS
+ac_cv_env_LDFLAGS_set=${LDFLAGS+set}
+ac_cv_env_LDFLAGS_value=$LDFLAGS
+ac_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_env_CPPFLAGS_value=$CPPFLAGS
+ac_cv_env_CPPFLAGS_set=${CPPFLAGS+set}
+ac_cv_env_CPPFLAGS_value=$CPPFLAGS
+ac_env_CPP_set=${CPP+set}
+ac_env_CPP_value=$CPP
+ac_cv_env_CPP_set=${CPP+set}
+ac_cv_env_CPP_value=$CPP
+ac_env_CXX_set=${CXX+set}
+ac_env_CXX_value=$CXX
+ac_cv_env_CXX_set=${CXX+set}
+ac_cv_env_CXX_value=$CXX
+ac_env_CXXFLAGS_set=${CXXFLAGS+set}
+ac_env_CXXFLAGS_value=$CXXFLAGS
+ac_cv_env_CXXFLAGS_set=${CXXFLAGS+set}
+ac_cv_env_CXXFLAGS_value=$CXXFLAGS
+ac_env_CXXCPP_set=${CXXCPP+set}
+ac_env_CXXCPP_value=$CXXCPP
+ac_cv_env_CXXCPP_set=${CXXCPP+set}
+ac_cv_env_CXXCPP_value=$CXXCPP
+ac_env_F77_set=${F77+set}
+ac_env_F77_value=$F77
+ac_cv_env_F77_set=${F77+set}
+ac_cv_env_F77_value=$F77
+ac_env_FFLAGS_set=${FFLAGS+set}
+ac_env_FFLAGS_value=$FFLAGS
+ac_cv_env_FFLAGS_set=${FFLAGS+set}
+ac_cv_env_FFLAGS_value=$FFLAGS
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+ # Omit some internal or obsolete options to make the list less imposing.
+ # This message is too long to be a string in the A/UX 3.1 sh.
+ cat <<_ACEOF
+\`configure' configures this package to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE. See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+ -h, --help display this help and exit
+ --help=short display options specific to this package
+ --help=recursive display the short help of all the included packages
+ -V, --version display version information and exit
+ -q, --quiet, --silent do not print \`checking...' messages
+ --cache-file=FILE cache test results in FILE [disabled]
+ -C, --config-cache alias for \`--cache-file=config.cache'
+ -n, --no-create do not create output files
+ --srcdir=DIR find the sources in DIR [configure dir or \`..']
+
+_ACEOF
+
+ cat <<_ACEOF
+Installation directories:
+ --prefix=PREFIX install architecture-independent files in PREFIX
+ [$ac_default_prefix]
+ --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
+ [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+ --bindir=DIR user executables [EPREFIX/bin]
+ --sbindir=DIR system admin executables [EPREFIX/sbin]
+ --libexecdir=DIR program executables [EPREFIX/libexec]
+ --datadir=DIR read-only architecture-independent data [PREFIX/share]
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+ --infodir=DIR info documentation [PREFIX/info]
+ --mandir=DIR man documentation [PREFIX/man]
+_ACEOF
+
+ cat <<\_ACEOF
+
+System types:
+ --build=BUILD configure for building on BUILD [guessed]
+ --host=HOST cross-compile to build programs to run on HOST [BUILD]
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+
+ cat <<\_ACEOF
+
+Optional Features:
+ --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
+ --enable-FEATURE[=ARG] include FEATURE [ARG=yes]
+ --disable-threads disable multithreading
+ --enable-shared[=PKGS]
+ build shared libraries [default=yes]
+ --enable-static[=PKGS]
+ build static libraries [default=yes]
+ --enable-fast-install[=PKGS]
+ optimize for fast installation [default=yes]
+ --disable-libtool-lock avoid locking (might break parallel builds)
+ --enable-ipv6 use IPv6 default=autodetect
+
+Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+ --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --with-irs-gr Build ....
+ --with-irs-pw Build ....
+ --with-irs-nis Build ....
+ --with-randomdev=PATH Specify path for random device
+ --with-ptl2 on NetBSD, use the ptl2 thread library (experimental)
+ --with-purify=PATH use Rational purify
+ --with-libtool use GNU libtool (following indented options supported)
+ --with-gnu-ld assume the C compiler uses GNU ld [default=no]
+ --with-pic try to use only PIC/non-PIC objects [default=use
+ both]
+ --with-tags[=TAGS]
+ include additional configurations [automatic]
+ --with-kame=PATH use Kame IPv6 default path /usr/local/v6
+
+Some influential environment variables:
+ CC C compiler command
+ CFLAGS C compiler flags
+ LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
+ nonstandard directory <lib dir>
+ CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
+ headers in a nonstandard directory <include dir>
+ CPP C preprocessor
+ CXX C++ compiler command
+ CXXFLAGS C++ compiler flags
+ CXXCPP C++ preprocessor
+ F77 Fortran 77 compiler command
+ FFLAGS Fortran 77 compiler flags
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+_ACEOF
+fi
+
+if test "$ac_init_help" = "recursive"; then
+ # If there are subdirs, report their specific --help.
+ ac_popdir=`pwd`
+ for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+ test -d $ac_dir || continue
+ ac_builddir=.
+
+if test "$ac_dir" != .; then
+ ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+ # A "../" for each directory in $ac_dir_suffix.
+ ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+else
+ ac_dir_suffix= ac_top_builddir=
+fi
+
+case $srcdir in
+ .) # No --srcdir option. We are building in place.
+ ac_srcdir=.
+ if test -z "$ac_top_builddir"; then
+ ac_top_srcdir=.
+ else
+ ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
+ fi ;;
+ [\\/]* | ?:[\\/]* ) # Absolute path.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir ;;
+ *) # Relative path.
+ ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_builddir$srcdir ;;
+esac
+
+# Do not use `cd foo && pwd` to compute absolute paths, because
+# the directories may not exist.
+case `pwd` in
+.) ac_abs_builddir="$ac_dir";;
+*)
+ case "$ac_dir" in
+ .) ac_abs_builddir=`pwd`;;
+ [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
+ *) ac_abs_builddir=`pwd`/"$ac_dir";;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_builddir=${ac_top_builddir}.;;
+*)
+ case ${ac_top_builddir}. in
+ .) ac_abs_top_builddir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
+ *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_srcdir=$ac_srcdir;;
+*)
+ case $ac_srcdir in
+ .) ac_abs_srcdir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
+ *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_srcdir=$ac_top_srcdir;;
+*)
+ case $ac_top_srcdir in
+ .) ac_abs_top_srcdir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
+ *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
+ esac;;
+esac
+
+ cd $ac_dir
+ # Check for guested configure; otherwise get Cygnus style configure.
+ if test -f $ac_srcdir/configure.gnu; then
+ echo
+ $SHELL $ac_srcdir/configure.gnu --help=recursive
+ elif test -f $ac_srcdir/configure; then
+ echo
+ $SHELL $ac_srcdir/configure --help=recursive
+ elif test -f $ac_srcdir/configure.ac ||
+ test -f $ac_srcdir/configure.in; then
+ echo
+ $ac_configure --help
+ else
+ echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi
+ cd $ac_popdir
+ done
+fi
+
+test -n "$ac_init_help" && exit 0
+if $ac_init_version; then
+ cat <<\_ACEOF
+
+Copyright (C) 2003 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+_ACEOF
+ exit 0
+fi
+exec 5>config.log
+cat >&5 <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by $as_me, which was
+generated by GNU Autoconf 2.59. Invocation command line was
+
+ $ $0 $@
+
+_ACEOF
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
+
+/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+hostinfo = `(hostinfo) 2>/dev/null || echo unknown`
+/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
+/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ echo "PATH: $as_dir"
+done
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_sep=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+ for ac_arg
+ do
+ case $ac_arg in
+ -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ continue ;;
+ *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+ ac_arg=`echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ case $ac_pass in
+ 1) ac_configure_args0="$ac_configure_args0 '$ac_arg'" ;;
+ 2)
+ ac_configure_args1="$ac_configure_args1 '$ac_arg'"
+ if test $ac_must_keep_next = true; then
+ ac_must_keep_next=false # Got value, back to normal.
+ else
+ case $ac_arg in
+ *=* | --config-cache | -C | -disable-* | --disable-* \
+ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+ | -with-* | --with-* | -without-* | --without-* | --x)
+ case "$ac_configure_args0 " in
+ "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+ esac
+ ;;
+ -* ) ac_must_keep_next=true ;;
+ esac
+ fi
+ ac_configure_args="$ac_configure_args$ac_sep'$ac_arg'"
+ # Get rid of the leading space.
+ ac_sep=" "
+ ;;
+ esac
+ done
+done
+$as_unset ac_configure_args0 || test "${ac_configure_args0+set}" != set || { ac_configure_args0=; export ac_configure_args0; }
+$as_unset ac_configure_args1 || test "${ac_configure_args1+set}" != set || { ac_configure_args1=; export ac_configure_args1; }
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log. We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Be sure not to use single quotes in there, as some shells,
+# such as our DU 5.0 friend, will then `close' the trap.
+trap 'exit_status=$?
+ # Save into config.log some information that might help in debugging.
+ {
+ echo
+
+ cat <<\_ASBOX
+## ---------------- ##
+## Cache variables. ##
+## ---------------- ##
+_ASBOX
+ echo
+ # The following way of writing the cache mishandles newlines in values,
+{
+ (set) 2>&1 |
+ case `(ac_space='"'"' '"'"'; set | grep ac_space) 2>&1` in
+ *ac_space=\ *)
+ sed -n \
+ "s/'"'"'/'"'"'\\\\'"'"''"'"'/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='"'"'\\2'"'"'/p"
+ ;;
+ *)
+ sed -n \
+ "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+ ;;
+ esac;
+}
+ echo
+
+ cat <<\_ASBOX
+## ----------------- ##
+## Output variables. ##
+## ----------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_vars
+ do
+ eval ac_val=$`echo $ac_var`
+ echo "$ac_var='"'"'$ac_val'"'"'"
+ done | sort
+ echo
+
+ if test -n "$ac_subst_files"; then
+ cat <<\_ASBOX
+## ------------- ##
+## Output files. ##
+## ------------- ##
+_ASBOX
+ echo
+ for ac_var in $ac_subst_files
+ do
+ eval ac_val=$`echo $ac_var`
+ echo "$ac_var='"'"'$ac_val'"'"'"
+ done | sort
+ echo
+ fi
+
+ if test -s confdefs.h; then
+ cat <<\_ASBOX
+## ----------- ##
+## confdefs.h. ##
+## ----------- ##
+_ASBOX
+ echo
+ sed "/^$/d" confdefs.h | sort
+ echo
+ fi
+ test "$ac_signal" != 0 &&
+ echo "$as_me: caught signal $ac_signal"
+ echo "$as_me: exit $exit_status"
+ } >&5
+ rm -f core *.core &&
+ rm -rf conftest* confdefs* conf$$* $ac_clean_files &&
+ exit $exit_status
+ ' 0
+for ac_signal in 1 2 13 15; do
+ trap 'ac_signal='$ac_signal'; { (exit 1); exit 1; }' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -rf conftest* confdefs.h
+# AIX cpp loses on an empty file, so make sure it contains at least a newline.
+echo >confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer explicitly selected file to automatically selected ones.
+if test -z "$CONFIG_SITE"; then
+ if test "x$prefix" != xNONE; then
+ CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site"
+ else
+ CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
+ fi
+fi
+for ac_site_file in $CONFIG_SITE; do
+ if test -r "$ac_site_file"; then
+ { echo "$as_me:$LINENO: loading site script $ac_site_file" >&5
+echo "$as_me: loading site script $ac_site_file" >&6;}
+ sed 's/^/| /' "$ac_site_file" >&5
+ . "$ac_site_file"
+ fi
+done
+
+if test -r "$cache_file"; then
+ # Some versions of bash will fail to source /dev/null (special
+ # files actually), so we avoid doing that.
+ if test -f "$cache_file"; then
+ { echo "$as_me:$LINENO: loading cache $cache_file" >&5
+echo "$as_me: loading cache $cache_file" >&6;}
+ case $cache_file in
+ [\\/]* | ?:[\\/]* ) . $cache_file;;
+ *) . ./$cache_file;;
+ esac
+ fi
+else
+ { echo "$as_me:$LINENO: creating cache $cache_file" >&5
+echo "$as_me: creating cache $cache_file" >&6;}
+ >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in `(set) 2>&1 |
+ sed -n 's/^ac_env_\([a-zA-Z_0-9]*\)_set=.*/\1/p'`; do
+ eval ac_old_set=\$ac_cv_env_${ac_var}_set
+ eval ac_new_set=\$ac_env_${ac_var}_set
+ eval ac_old_val="\$ac_cv_env_${ac_var}_value"
+ eval ac_new_val="\$ac_env_${ac_var}_value"
+ case $ac_old_set,$ac_new_set in
+ set,)
+ { echo "$as_me:$LINENO: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,set)
+ { echo "$as_me:$LINENO: error: \`$ac_var' was not set in the previous run" >&5
+echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,);;
+ *)
+ if test "x$ac_old_val" != "x$ac_new_val"; then
+ { echo "$as_me:$LINENO: error: \`$ac_var' has changed since the previous run:" >&5
+echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+ { echo "$as_me:$LINENO: former value: $ac_old_val" >&5
+echo "$as_me: former value: $ac_old_val" >&2;}
+ { echo "$as_me:$LINENO: current value: $ac_new_val" >&5
+echo "$as_me: current value: $ac_new_val" >&2;}
+ ac_cache_corrupted=:
+ fi;;
+ esac
+ # Pass precious variables to config.status.
+ if test "$ac_new_set" = set; then
+ case $ac_new_val in
+ *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?\"\']*)
+ ac_arg=$ac_var=`echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *) ac_arg=$ac_var=$ac_new_val ;;
+ esac
+ case " $ac_configure_args " in
+ *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
+ *) ac_configure_args="$ac_configure_args '$ac_arg'" ;;
+ esac
+ fi
+done
+if $ac_cache_corrupted; then
+ { echo "$as_me:$LINENO: error: changes in the environment can compromise the build" >&5
+echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+ { { echo "$as_me:$LINENO: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5
+echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ac_config_headers="$ac_config_headers config.h"
+
+
+ac_aux_dir=
+for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do
+ if test -f $ac_dir/install-sh; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install-sh -c"
+ break
+ elif test -f $ac_dir/install.sh; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/install.sh -c"
+ break
+ elif test -f $ac_dir/shtool; then
+ ac_aux_dir=$ac_dir
+ ac_install_sh="$ac_aux_dir/shtool install -c"
+ break
+ fi
+done
+if test -z "$ac_aux_dir"; then
+ { { echo "$as_me:$LINENO: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5
+echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+ac_config_guess="$SHELL $ac_aux_dir/config.guess"
+ac_config_sub="$SHELL $ac_aux_dir/config.sub"
+ac_configure="$SHELL $ac_aux_dir/configure" # This should be Cygnus configure.
+
+# Make sure we can run config.sub.
+$ac_config_sub sun4 >/dev/null 2>&1 ||
+ { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
+echo "$as_me: error: cannot run $ac_config_sub" >&2;}
+ { (exit 1); exit 1; }; }
+
+echo "$as_me:$LINENO: checking build system type" >&5
+echo $ECHO_N "checking build system type... $ECHO_C" >&6
+if test "${ac_cv_build+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_build_alias=$build_alias
+test -z "$ac_cv_build_alias" &&
+ ac_cv_build_alias=`$ac_config_guess`
+test -z "$ac_cv_build_alias" &&
+ { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
+echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
+ { (exit 1); exit 1; }; }
+ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
+ { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
+echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_build" >&5
+echo "${ECHO_T}$ac_cv_build" >&6
+build=$ac_cv_build
+build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+
+echo "$as_me:$LINENO: checking host system type" >&5
+echo $ECHO_N "checking host system type... $ECHO_C" >&6
+if test "${ac_cv_host+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_host_alias=$host_alias
+test -z "$ac_cv_host_alias" &&
+ ac_cv_host_alias=$ac_cv_build_alias
+ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
+ { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
+echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
+ { (exit 1); exit 1; }; }
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_host" >&5
+echo "${ECHO_T}$ac_cv_host" >&6
+host=$ac_cv_host
+host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
+host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
+host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`
+
+
+
+echo "$as_me:$LINENO: checking whether ${MAKE-make} sets \$(MAKE)" >&5
+echo $ECHO_N "checking whether ${MAKE-make} sets \$(MAKE)... $ECHO_C" >&6
+set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y,:./+-,___p_,'`
+if eval "test \"\${ac_cv_prog_make_${ac_make}_set+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.make <<\_ACEOF
+all:
+ @echo 'ac_maketemp="$(MAKE)"'
+_ACEOF
+# GNU make sometimes prints "make[1]: Entering...", which would confuse us.
+eval `${MAKE-make} -f conftest.make 2>/dev/null | grep temp=`
+if test -n "$ac_maketemp"; then
+ eval ac_cv_prog_make_${ac_make}_set=yes
+else
+ eval ac_cv_prog_make_${ac_make}_set=no
+fi
+rm -f conftest.make
+fi
+if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ SET_MAKE=
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ SET_MAKE="MAKE=${MAKE-make}"
+fi
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$RANLIB"; then
+ ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+ echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+ ac_ct_RANLIB=$RANLIB
+ # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_RANLIB"; then
+ ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_RANLIB="ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+ echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ RANLIB=$ac_ct_RANLIB
+else
+ RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+# Find a good install program. We prefer a C program (faster),
+# so one script is as good as another. But avoid the broken or
+# incompatible versions:
+# SysV /etc/install, /usr/sbin/install
+# SunOS /usr/etc/install
+# IRIX /sbin/install
+# AIX /bin/install
+# AmigaOS /C/install, which installs bootblocks on floppy discs
+# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
+# AFS /usr/afsws/bin/install, which mishandles nonexistent args
+# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
+# OS/2's system install, which has a completely different semantic
+# ./install, which can be erroneously created by make from ./install.sh.
+echo "$as_me:$LINENO: checking for a BSD-compatible install" >&5
+echo $ECHO_N "checking for a BSD-compatible install... $ECHO_C" >&6
+if test -z "$INSTALL"; then
+if test "${ac_cv_path_install+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ # Account for people who put trailing slashes in PATH elements.
+case $as_dir/ in
+ ./ | .// | /cC/* | \
+ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
+ ?:\\/os2\\/install\\/* | ?:\\/OS2\\/INSTALL\\/* | \
+ /usr/ucb/* ) ;;
+ *)
+ # OSF1 and SCO ODT 3.0 have their own names for install.
+ # Don't use installbsd from OSF since it installs stuff as root
+ # by default.
+ for ac_prog in ginstall scoinst install; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then
+ if test $ac_prog = install &&
+ grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # AIX install. It has an incompatible calling convention.
+ :
+ elif test $ac_prog = install &&
+ grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
+ # program-specific install script used by HP pwplus--don't use.
+ :
+ else
+ ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c"
+ break 3
+ fi
+ fi
+ done
+ done
+ ;;
+esac
+done
+
+
+fi
+ if test "${ac_cv_path_install+set}" = set; then
+ INSTALL=$ac_cv_path_install
+ else
+ # As a last resort, use the slow shell script. We don't cache a
+ # path for INSTALL within a source directory, because that will
+ # break other packages using the cache if that directory is
+ # removed, or if the path is relative.
+ INSTALL=$ac_install_sh
+ fi
+fi
+echo "$as_me:$LINENO: result: $INSTALL" >&5
+echo "${ECHO_T}$INSTALL" >&6
+
+# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
+# It thinks the first close brace ends the variable substitution.
+test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'
+
+test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'
+
+test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'
+
+
+
+
+
+
+
+# Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_AR+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $AR in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_AR="$AR" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ ;;
+esac
+fi
+AR=$ac_cv_path_AR
+
+if test -n "$AR"; then
+ echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ARFLAGS="cruv"
+
+
+
+# The POSIX ln(1) program. Non-POSIX systems may substitute
+# "copy" or something.
+LN=ln
+
+
+case "$AR" in
+ "")
+ { { echo "$as_me:$LINENO: error:
+ar program not found. Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+" >&5
+echo "$as_me: error:
+ar program not found. Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+" >&2;}
+ { (exit 1); exit 1; }; }
+
+ ;;
+esac
+
+#
+# Etags.
+#
+for ac_prog in etags emacs-etags
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_ETAGS+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $ETAGS in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_ETAGS="$ETAGS" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_ETAGS="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ ;;
+esac
+fi
+ETAGS=$ac_cv_path_ETAGS
+
+if test -n "$ETAGS"; then
+ echo "$as_me:$LINENO: result: $ETAGS" >&5
+echo "${ECHO_T}$ETAGS" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$ETAGS" && break
+done
+
+
+#
+# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
+# GNU emacs etags, and it requires the -L flag.
+#
+if test "X$ETAGS" != "X"; then
+ echo "$as_me:$LINENO: checking for Exuberant Ctags etags" >&5
+echo $ECHO_N "checking for Exuberant Ctags etags... $ECHO_C" >&6
+ if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ETAGS="$ETAGS -L"
+ else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ fi
+fi
+
+
+#
+# Perl is optional; it is used only by some of the system test scripts.
+#
+for ac_prog in perl5 perl
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_PERL+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $PERL in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_PERL="$PERL" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ ;;
+esac
+fi
+PERL=$ac_cv_path_PERL
+
+if test -n "$PERL"; then
+ echo "$as_me:$LINENO: result: $PERL" >&5
+echo "${ECHO_T}$PERL" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$PERL" && break
+done
+
+
+
+#
+# isc/list.h and others clash with the rest of BIND 9
+#
+case "$includedir" in
+ '${prefix}/include')
+ includedir='${prefix}/bind/include'
+ ;;
+esac
+case "$libdir" in
+ '${prefix}/lib')
+ libdir='${prefix}/bind/lib'
+ ;;
+esac
+
+#
+# Make sure INSTALL uses an absolute path, else it will be wrong in all
+# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
+# configure based on the location of the file where it is substituted.
+# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
+# subdirectory of install-sh, This relative path will be wrong for all
+# directories more than one level down from install-sh.
+#
+case "$INSTALL" in
+ /*)
+ ;;
+ *)
+ #
+ # Not all systems have dirname.
+ #
+
+ ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+
+
+ ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+ test "$ac_dir" = "$ac_prog" && ac_dir=.
+ test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+ INSTALL="$ac_dir/$ac_prog"
+ ;;
+esac
+
+#
+# On these hosts, we really want to use cc, not gcc, even if it is
+# found. The gcc that these systems have will not correctly handle
+# pthreads.
+#
+# However, if the user sets $CC to be something, let that override
+# our change.
+#
+if test "X$CC" = "X" ; then
+ case "$host" in
+ *-dec-osf*)
+ CC="cc"
+ ;;
+ *-solaris*)
+ # Use Sun's cc if it is available, but watch
+ # out for /usr/ucb/cc; it will never be the right
+ # compiler to use.
+ #
+ # If setting CC here fails, the AC_PROG_CC done
+ # below might still find gcc.
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ for ac_dir in $PATH; do
+ test -z "$ac_dir" && ac_dir=.
+ case "$ac_dir" in
+ /usr/ucb)
+ # exclude
+ ;;
+ *)
+ if test -f "$ac_dir/cc"; then
+ CC="$ac_dir/cc"
+ break
+ fi
+ ;;
+ esac
+ done
+ IFS="$ac_save_ifs"
+ ;;
+ *-hp-hpux*)
+ CC="cc"
+ ;;
+ mips-sgi-irix*)
+ CC="cc"
+ ;;
+ esac
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ CC=$ac_ct_CC
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ CC=$ac_ct_CC
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ echo "$as_me:$LINENO: result: $CC" >&5
+echo "${ECHO_T}$CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CC+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ echo "$as_me:$LINENO: result: $ac_ct_CC" >&5
+echo "${ECHO_T}$ac_ct_CC" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$ac_ct_CC" && break
+done
+
+ CC=$ac_ct_CC
+fi
+
+fi
+
+
+test -z "$CC" && { { echo "$as_me:$LINENO: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&5
+echo "$as_me: error: no acceptable C compiler found in \$PATH
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO:" \
+ "checking for C compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
+ (eval $ac_compiler --version </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
+ (eval $ac_compiler -v </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
+ (eval $ac_compiler -V </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+echo "$as_me:$LINENO: checking for C compiler default output file name" >&5
+echo $ECHO_N "checking for C compiler default output file name... $ECHO_C" >&6
+ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+if { (eval echo "$as_me:$LINENO: \"$ac_link_default\"") >&5
+ (eval $ac_link_default) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Find the output, starting from the most likely. This scheme is
+# not robust to junk in `.', hence go to wildcards (a.*) only as a last
+# resort.
+
+# Be careful to initialize this variable, since it used to be cached.
+# Otherwise an old cache value of `no' led to `EXEEXT = no' in a Makefile.
+ac_cv_exeext=
+# b.out is created by i960 compilers.
+for ac_file in a_out.exe a.exe conftest.exe a.out conftest a.* conftest.* b.out
+do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj )
+ ;;
+ conftest.$ac_ext )
+ # This is the source file.
+ ;;
+ [ab].out )
+ # We found the default executable, but exeext='' is most
+ # certainly right.
+ break;;
+ *.* )
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ # FIXME: I believe we export ac_cv_exeext for Libtool,
+ # but it would be cool to find out if it's true. Does anybody
+ # maintain Libtool? --akim.
+ export ac_cv_exeext
+ break;;
+ * )
+ break;;
+ esac
+done
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: C compiler cannot create executables
+See \`config.log' for more details." >&5
+echo "$as_me: error: C compiler cannot create executables
+See \`config.log' for more details." >&2;}
+ { (exit 77); exit 77; }; }
+fi
+
+ac_exeext=$ac_cv_exeext
+echo "$as_me:$LINENO: result: $ac_file" >&5
+echo "${ECHO_T}$ac_file" >&6
+
+# Check the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+echo "$as_me:$LINENO: checking whether the C compiler works" >&5
+echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6
+# FIXME: These cross compiler hacks should be removed for Autoconf 3.0
+# If not cross compiling, check that we can run a simple program.
+if test "$cross_compiling" != yes; then
+ if { ac_try='./$ac_file'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ cross_compiling=no
+ else
+ if test "$cross_compiling" = maybe; then
+ cross_compiling=yes
+ else
+ { { echo "$as_me:$LINENO: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ fi
+fi
+echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+
+rm -f a.out a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+# Check the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+echo "$as_me:$LINENO: checking whether we are cross compiling" >&5
+echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6
+echo "$as_me:$LINENO: result: $cross_compiling" >&5
+echo "${ECHO_T}$cross_compiling" >&6
+
+echo "$as_me:$LINENO: checking for suffix of executables" >&5
+echo $ECHO_N "checking for suffix of executables... $ECHO_C" >&6
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.o | *.obj ) ;;
+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ export ac_cv_exeext
+ break;;
+ * ) break;;
+ esac
+done
+else
+ { { echo "$as_me:$LINENO: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest$ac_cv_exeext
+echo "$as_me:$LINENO: result: $ac_cv_exeext" >&5
+echo "${ECHO_T}$ac_cv_exeext" >&6
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+echo "$as_me:$LINENO: checking for suffix of object files" >&5
+echo $ECHO_N "checking for suffix of object files... $ECHO_C" >&6
+if test "${ac_cv_objext+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg ) ;;
+ *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+ break;;
+ esac
+done
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { echo "$as_me:$LINENO: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&5
+echo "$as_me: error: cannot compute suffix of object files: cannot compile
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_objext" >&5
+echo "${ECHO_T}$ac_cv_objext" >&6
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+echo "$as_me:$LINENO: checking whether we are using the GNU C compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6
+if test "${ac_cv_c_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_compiler_gnu=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_c_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6
+GCC=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+CFLAGS="-g"
+echo "$as_me:$LINENO: checking whether $CC accepts -g" >&5
+echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_prog_cc_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_prog_cc_g=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_prog_cc_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_g" >&6
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+echo "$as_me:$LINENO: checking for $CC option to accept ANSI C" >&5
+echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6
+if test "${ac_cv_prog_cc_stdc+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_prog_cc_stdc=no
+ac_save_CC=$CC
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std1 is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std1. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+# Don't try gcc -ansi; that turns off useful extensions and
+# breaks some systems' header files.
+# AIX -qlanglvl=ansi
+# Ultrix and OSF/1 -std1
+# HP-UX 10.20 and later -Ae
+# HP-UX older versions -Aa -D_HPUX_SOURCE
+# SVR4 -Xc -D__EXTENSIONS__
+for ac_arg in "" -qlanglvl=ansi -std1 -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_prog_cc_stdc=$ac_arg
+break
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext
+done
+rm -f conftest.$ac_ext conftest.$ac_objext
+CC=$ac_save_CC
+
+fi
+
+case "x$ac_cv_prog_cc_stdc" in
+ x|xno)
+ echo "$as_me:$LINENO: result: none needed" >&5
+echo "${ECHO_T}none needed" >&6 ;;
+ *)
+ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_stdc" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6
+ CC="$CC $ac_cv_prog_cc_stdc" ;;
+esac
+
+# Some people use a C++ compiler to compile C. Since we use `exit',
+# in C++ we need to declare it. In case someone uses the same compiler
+# for both compiling C and C++ we need to have the C++ compiler decide
+# the declaration of exit, since it's the most demanding environment.
+cat >conftest.$ac_ext <<_ACEOF
+#ifndef __cplusplus
+ choke me
+#endif
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ for ac_declaration in \
+ '' \
+ 'extern "C" void std::exit (int) throw (); using std::exit;' \
+ 'extern "C" void std::exit (int); using std::exit;' \
+ 'extern "C" void exit (int) throw ();' \
+ 'extern "C" void exit (int);' \
+ 'void exit (int);'
+do
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_declaration
+#include <stdlib.h>
+int
+main ()
+{
+exit (42);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+continue
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_declaration
+int
+main ()
+{
+exit (42);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ break
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+done
+rm -f conftest*
+if test -n "$ac_declaration"; then
+ echo '#ifdef __cplusplus' >>confdefs.h
+ echo $ac_declaration >>confdefs.h
+ echo '#endif' >>confdefs.h
+fi
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+echo "$as_me:$LINENO: checking how to run the C preprocessor" >&5
+echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+ CPP=
+fi
+if test -z "$CPP"; then
+ if test "${ac_cv_prog_CPP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Double quotes because CPP needs to be expanded
+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether non-existent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ break
+fi
+
+ done
+ ac_cv_prog_CPP=$CPP
+
+fi
+ CPP=$ac_cv_prog_CPP
+else
+ ac_cv_prog_CPP=$CPP
+fi
+echo "$as_me:$LINENO: result: $CPP" >&5
+echo "${ECHO_T}$CPP" >&6
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether non-existent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+echo "$as_me:$LINENO: checking for egrep" >&5
+echo $ECHO_N "checking for egrep... $ECHO_C" >&6
+if test "${ac_cv_prog_egrep+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+ then ac_cv_prog_egrep='grep -E'
+ else ac_cv_prog_egrep='egrep'
+ fi
+fi
+echo "$as_me:$LINENO: result: $ac_cv_prog_egrep" >&5
+echo "${ECHO_T}$ac_cv_prog_egrep" >&6
+ EGREP=$ac_cv_prog_egrep
+
+
+echo "$as_me:$LINENO: checking for ANSI C header files" >&5
+echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6
+if test "${ac_cv_header_stdc+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+#include <stdarg.h>
+#include <string.h>
+#include <float.h>
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_header_stdc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_header_stdc=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+if test $ac_cv_header_stdc = yes; then
+ # SunOS 4.x string.h does not declare mem*, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <string.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "memchr" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <stdlib.h>
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "free" >/dev/null 2>&1; then
+ :
+else
+ ac_cv_header_stdc=no
+fi
+rm -f conftest*
+
+fi
+
+if test $ac_cv_header_stdc = yes; then
+ # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi.
+ if test "$cross_compiling" = yes; then
+ :
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ctype.h>
+#if ((' ' & 0x0FF) == 0x020)
+# define ISLOWER(c) ('a' <= (c) && (c) <= 'z')
+# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c))
+#else
+# define ISLOWER(c) \
+ (('a' <= (c) && (c) <= 'i') \
+ || ('j' <= (c) && (c) <= 'r') \
+ || ('s' <= (c) && (c) <= 'z'))
+# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c))
+#endif
+
+#define XOR(e, f) (((e) && !(f)) || (!(e) && (f)))
+int
+main ()
+{
+ int i;
+ for (i = 0; i < 256; i++)
+ if (XOR (islower (i), ISLOWER (i))
+ || toupper (i) != TOUPPER (i))
+ exit(2);
+ exit (0);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ :
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_header_stdc=no
+fi
+rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+fi
+fi
+echo "$as_me:$LINENO: result: $ac_cv_header_stdc" >&5
+echo "${ECHO_T}$ac_cv_header_stdc" >&6
+if test $ac_cv_header_stdc = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define STDC_HEADERS 1
+_ACEOF
+
+fi
+
+
+
+# On IRIX 5.3, sys/types and inttypes.h are conflicting.
+
+
+
+
+
+
+
+
+
+for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \
+ inttypes.h stdint.h unistd.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ eval "$as_ac_Header=yes"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+eval "$as_ac_Header=no"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+
+
+
+
+
+
+
+for ac_header in fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+else
+ # Is the header compilable?
+echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_header_compiler=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6
+
+# Is the header present?
+echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ (
+ cat <<\_ASBOX
+## ------------------------------------------ ##
+## Report this to the AC_PACKAGE_NAME lists. ##
+## ------------------------------------------ ##
+_ASBOX
+ ) |
+ sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+
+
+echo "$as_me:$LINENO: checking for an ANSI C-conforming const" >&5
+echo $ECHO_N "checking for an ANSI C-conforming const... $ECHO_C" >&6
+if test "${ac_cv_c_const+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+/* FIXME: Include the comments suggested by Paul. */
+#ifndef __cplusplus
+ /* Ultrix mips cc rejects this. */
+ typedef int charset[2];
+ const charset x;
+ /* SunOS 4.1.1 cc rejects this. */
+ char const *const *ccp;
+ char **p;
+ /* NEC SVR4.0.2 mips cc rejects this. */
+ struct point {int x, y;};
+ static struct point const zero = {0,0};
+ /* AIX XL C 1.02.0.0 rejects this.
+ It does not let you subtract one const X* pointer from another in
+ an arm of an if-expression whose if-part is not a constant
+ expression */
+ const char *g = "string";
+ ccp = &g + (g ? g-g : 0);
+ /* HPUX 7.0 cc rejects these. */
+ ++ccp;
+ p = (char**) ccp;
+ ccp = (char const *const *) p;
+ { /* SCO 3.2v4 cc rejects this. */
+ char *t;
+ char const *s = 0 ? (char *) 0 : (char const *) 0;
+
+ *t++ = 0;
+ }
+ { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */
+ int x[] = {25, 17};
+ const int *foo = &x[0];
+ ++foo;
+ }
+ { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */
+ typedef const int *iptr;
+ iptr p = 0;
+ ++p;
+ }
+ { /* AIX XL C 1.02.0.0 rejects this saying
+ "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */
+ struct s { int j; const int *ap[3]; };
+ struct s *b; b->j = 5;
+ }
+ { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */
+ const int foo = 10;
+ }
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_c_const=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_c_const=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_c_const" >&5
+echo "${ECHO_T}$ac_cv_c_const" >&6
+if test $ac_cv_c_const = no; then
+
+cat >>confdefs.h <<\_ACEOF
+#define const
+_ACEOF
+
+fi
+
+echo "$as_me:$LINENO: checking for inline" >&5
+echo $ECHO_N "checking for inline... $ECHO_C" >&6
+if test "${ac_cv_c_inline+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_cv_c_inline=no
+for ac_kw in inline __inline__ __inline; do
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifndef __cplusplus
+typedef int foo_t;
+static $ac_kw foo_t static_foo () {return 0; }
+$ac_kw foo_t foo () {return 0; }
+#endif
+
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_c_inline=$ac_kw; break
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+done
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_c_inline" >&5
+echo "${ECHO_T}$ac_cv_c_inline" >&6
+
+
+case $ac_cv_c_inline in
+ inline | yes) ;;
+ *)
+ case $ac_cv_c_inline in
+ no) ac_val=;;
+ *) ac_val=$ac_cv_c_inline;;
+ esac
+ cat >>confdefs.h <<_ACEOF
+#ifndef __cplusplus
+#define inline $ac_val
+#endif
+_ACEOF
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking for size_t" >&5
+echo $ECHO_N "checking for size_t... $ECHO_C" >&6
+if test "${ac_cv_type_size_t+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+int
+main ()
+{
+if ((size_t *) 0)
+ return 0;
+if (sizeof (size_t))
+ return 0;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_type_size_t=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_type_size_t=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_type_size_t" >&5
+echo "${ECHO_T}$ac_cv_type_size_t" >&6
+if test $ac_cv_type_size_t = yes; then
+ :
+else
+
+cat >>confdefs.h <<_ACEOF
+#define size_t unsigned
+_ACEOF
+
+fi
+
+echo "$as_me:$LINENO: checking whether time.h and sys/time.h may both be included" >&5
+echo $ECHO_N "checking whether time.h and sys/time.h may both be included... $ECHO_C" >&6
+if test "${ac_cv_header_time+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <time.h>
+
+int
+main ()
+{
+if ((struct tm *) 0)
+return 0;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_header_time=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_header_time=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_header_time" >&5
+echo "${ECHO_T}$ac_cv_header_time" >&6
+if test $ac_cv_header_time = yes; then
+
+cat >>confdefs.h <<\_ACEOF
+#define TIME_WITH_SYS_TIME 1
+_ACEOF
+
+fi
+
+#
+# check if we need to #include sys/select.h explicitly
+#
+case $ac_cv_header_unistd_h in
+yes)
+echo "$as_me:$LINENO: checking if unistd.h defines fd_set" >&5
+echo $ECHO_N "checking if unistd.h defines fd_set... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <unistd.h>
+int
+main ()
+{
+fd_set read_set; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ case ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ { { echo "$as_me:$LINENO: error: need either working unistd.h or sys/select.h" >&5
+echo "$as_me: error: need either working unistd.h or sys/select.h" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ ;;
+no)
+ case ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ { { echo "$as_me:$LINENO: error: need either unistd.h or sys/select.h" >&5
+echo "$as_me: error: need either unistd.h or sys/select.h" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+ ;;
+esac
+
+
+#
+# Find the machine's endian flavor.
+#
+echo "$as_me:$LINENO: checking whether byte ordering is bigendian" >&5
+echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6
+if test "${ac_cv_c_bigendian+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # See if sys/param.h defines the BYTE_ORDER macro.
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+#include <sys/param.h>
+
+int
+main ()
+{
+#if !BYTE_ORDER || !BIG_ENDIAN || !LITTLE_ENDIAN
+ bogus endian macros
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ # It does; now see whether it defined to BIG_ENDIAN or not.
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <sys/types.h>
+#include <sys/param.h>
+
+int
+main ()
+{
+#if BYTE_ORDER != BIG_ENDIAN
+ not big endian
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_c_bigendian=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_c_bigendian=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+# It does not; compile a test program.
+if test "$cross_compiling" = yes; then
+ # try to guess the endianness by grepping values into an object file
+ ac_cv_c_bigendian=unknown
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+short ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 };
+short ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 };
+void _ascii () { char *s = (char *) ascii_mm; s = (char *) ascii_ii; }
+short ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 };
+short ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 };
+void _ebcdic () { char *s = (char *) ebcdic_mm; s = (char *) ebcdic_ii; }
+int
+main ()
+{
+ _ascii (); _ebcdic ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ if grep BIGenDianSyS conftest.$ac_objext >/dev/null ; then
+ ac_cv_c_bigendian=yes
+fi
+if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then
+ if test "$ac_cv_c_bigendian" = unknown; then
+ ac_cv_c_bigendian=no
+ else
+ # finding both strings is unlikely to happen, but who knows?
+ ac_cv_c_bigendian=unknown
+ fi
+fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+int
+main ()
+{
+ /* Are we little or big endian? From Harbison&Steele. */
+ union
+ {
+ long l;
+ char c[sizeof (long)];
+ } u;
+ u.l = 1;
+ exit (u.c[sizeof (long) - 1] == 1);
+}
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_c_bigendian=no
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+ac_cv_c_bigendian=yes
+fi
+rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_c_bigendian" >&5
+echo "${ECHO_T}$ac_cv_c_bigendian" >&6
+case $ac_cv_c_bigendian in
+ yes)
+
+cat >>confdefs.h <<\_ACEOF
+#define WORDS_BIGENDIAN 1
+_ACEOF
+ ;;
+ no)
+ ;;
+ *)
+ { { echo "$as_me:$LINENO: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&5
+echo "$as_me: error: unknown endianness
+presetting ac_cv_c_bigendian=no (or yes) will help" >&2;}
+ { (exit 1); exit 1; }; } ;;
+esac
+
+
+
+# Check whether --with-irs-gr or --without-irs-gr was given.
+if test "${with_irs_gr+set}" = set; then
+ withval="$with_irs_gr"
+ want_irs_gr="$withval"
+else
+ want_irs_gr="no"
+fi;
+case "$want_irs_gr" in
+yes) WANT_IRS_GR="#define WANT_IRS_GR 1"
+ WANT_IRS_GR_OBJS="\${WANT_IRS_GR_OBJS}"
+ ;;
+*) WANT_IRS_GR="#undef WANT_IRS_GR" WANT_IRS_GR_OBJS="";;
+esac
+
+
+
+
+# Check whether --with-irs-pw or --without-irs-pw was given.
+if test "${with_irs_pw+set}" = set; then
+ withval="$with_irs_pw"
+ want_irs_pw="$withval"
+else
+ want_irs_pw="no"
+fi;
+case "$want_irs_pw" in
+yes) WANT_IRS_PW="#define WANT_IRS_PW 1"
+ WANT_IRS_PW_OBJS="\${WANT_IRS_PW_OBJS}";;
+*) WANT_IRS_PW="#undef WANT_IRS_PW" WANT_IRS_PW_OBJS="";;
+esac
+
+
+
+
+# Check whether --with-irs-nis or --without-irs-nis was given.
+if test "${with_irs_nis+set}" = set; then
+ withval="$with_irs_nis"
+ want_irs_nis="$withval"
+else
+ want_irs_nis="no"
+fi;
+case "$want_irs_nis" in
+yes)
+ WANT_IRS_NIS="#define WANT_IRS_NIS 1"
+ WANT_IRS_NIS_OBJS="\${WANT_IRS_NIS_OBJS}"
+ case "$want_irs_gr" in
+ yes)
+ WANT_IRS_NISGR_OBJS="\${WANT_IRS_NISGR_OBJS}";;
+ *)
+ WANT_IRS_NISGR_OBJS="";;
+ esac
+ case "$want_irs_pw" in
+ yes)
+ WANT_IRS_NISPW_OBJS="\${WANT_IRS_NISPW_OBJS}";;
+ *)
+ WANT_IRS_NISPW_OBJS="";;
+ esac
+ ;;
+*)
+ WANT_IRS_NIS="#undef WANT_IRS_NIS"
+ WANT_IRS_NIS_OBJS=""
+ WANT_IRS_NISGR_OBJS=""
+ WANT_IRS_NISPW_OBJS="";;
+esac
+
+
+
+
+if test "$cross_compiling" = yes; then
+ WANT_IRS_DBPW_OBJS=""
+
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#ifdef HAVE_DB_H
+int have_db_h = 1;
+#else
+int have_db_h = 0;
+#endif
+main() { return(!have_db_h); }
+
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ WANT_IRS_DBPW_OBJS="\${WANT_IRS_DBPW_OBJS}"
+
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+WANT_IRS_DBPW_OBJS=""
+
+fi
+rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+#
+# was --with-randomdev specified?
+#
+echo "$as_me:$LINENO: checking for random device" >&5
+echo $ECHO_N "checking for random device... $ECHO_C" >&6
+
+# Check whether --with-randomdev or --without-randomdev was given.
+if test "${with_randomdev+set}" = set; then
+ withval="$with_randomdev"
+ use_randomdev="$withval"
+else
+ use_randomdev="unspec"
+fi;
+
+case "$use_randomdev" in
+ unspec)
+ case "$host" in
+ *-openbsd*)
+ devrandom=/dev/srandom
+ ;;
+ *)
+ devrandom=/dev/random
+ ;;
+ esac
+ echo "$as_me:$LINENO: result: $devrandom" >&5
+echo "${ECHO_T}$devrandom" >&6
+ as_ac_File=`echo "ac_cv_file_$devrandom" | $as_tr_sh`
+echo "$as_me:$LINENO: checking for $devrandom" >&5
+echo $ECHO_N "checking for $devrandom... $ECHO_C" >&6
+if eval "test \"\${$as_ac_File+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ test "$cross_compiling" = yes &&
+ { { echo "$as_me:$LINENO: error: cannot check for file existence when cross compiling" >&5
+echo "$as_me: error: cannot check for file existence when cross compiling" >&2;}
+ { (exit 1); exit 1; }; }
+if test -r "$devrandom"; then
+ eval "$as_ac_File=yes"
+else
+ eval "$as_ac_File=no"
+fi
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_File'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_File'}'`" >&6
+if test `eval echo '${'$as_ac_File'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$devrandom"
+_ACEOF
+
+fi
+
+ ;;
+ yes)
+ { { echo "$as_me:$LINENO: error: --with-randomdev must specify a path" >&5
+echo "$as_me: error: --with-randomdev must specify a path" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ *)
+ cat >>confdefs.h <<_ACEOF
+#define PATH_RANDOMDEV "$use_randomdev"
+_ACEOF
+
+ echo "$as_me:$LINENO: result: using \"$use_randomdev\"" >&5
+echo "${ECHO_T}using \"$use_randomdev\"" >&6
+ ;;
+esac
+
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+echo "$as_me:$LINENO: checking whether to look for thread support" >&5
+echo $ECHO_N "checking whether to look for thread support... $ECHO_C" >&6
+# Check whether --enable-threads or --disable-threads was given.
+if test "${enable_threads+set}" = set; then
+ enableval="$enable_threads"
+
+fi;
+case "$enable_threads" in
+ yes|'')
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ use_threads=true
+ ;;
+ no)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ use_threads=false
+ ;;
+ *)
+ { { echo "$as_me:$LINENO: error: --enable-threads takes yes or no" >&5
+echo "$as_me: error: --enable-threads takes yes or no" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+esac
+
+if $use_threads
+then
+ #
+ # Search for / configure pthreads in a system-dependent fashion.
+ #
+ case "$host" in
+ *-netbsd*)
+ # NetBSD has multiple pthreads implementations. The
+ # recommended one to use is "unproven-pthreads". The
+ # older "mit-pthreads" may also work on some NetBSD
+ # versions. The PTL2 thread library does not
+ # currently work with bind9, but can be chosen with
+ # the --with-ptl2 option for those who wish to
+ # experiment with it.
+ CC="gcc"
+ echo "$as_me:$LINENO: checking which NetBSD thread library to use" >&5
+echo $ECHO_N "checking which NetBSD thread library to use... $ECHO_C" >&6
+
+
+# Check whether --with-ptl2 or --without-ptl2 was given.
+if test "${with_ptl2+set}" = set; then
+ withval="$with_ptl2"
+ use_ptl2="$withval"
+else
+ use_ptl2="no"
+fi;
+
+ : ${LOCALBASE:=/usr/pkg}
+
+ if test "X$use_ptl2" = "Xyes"
+ then
+ echo "$as_me:$LINENO: result: PTL2" >&5
+echo "${ECHO_T}PTL2" >&6
+ { echo "$as_me:$LINENO: WARNING: linking with PTL2 is highly experimental and not expected to work" >&5
+echo "$as_me: WARNING: linking with PTL2 is highly experimental and not expected to work" >&2;}
+ CC=ptlgcc
+ else
+ if test ! -d $LOCALBASE/pthreads
+ then
+ echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6
+ use_threads=false
+ fi
+
+ if $use_threads
+ then
+ echo "$as_me:$LINENO: result: mit-pthreads/unproven-pthreads" >&5
+echo "${ECHO_T}mit-pthreads/unproven-pthreads" >&6
+ pkg="$LOCALBASE/pthreads"
+ lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+ lib2="-lpthread -lm -lgcc -lpthread"
+ LIBS="$lib1 $lib2 $LIBS"
+ CPPFLAGS="$CPPFLAGS -I$pkg/include"
+ STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+ fi
+ fi
+ ;;
+ *)
+
+echo "$as_me:$LINENO: checking for pthread_create in -lpthread" >&5
+echo $ECHO_N "checking for pthread_create in -lpthread... $ECHO_C" >&6
+if test "${ac_cv_lib_pthread_pthread_create+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pthread_create ();
+int
+main ()
+{
+pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_pthread_pthread_create=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pthread_pthread_create=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread_pthread_create" >&6
+if test $ac_cv_lib_pthread_pthread_create = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+ LIBS="-lpthread $LIBS"
+
+else
+
+echo "$as_me:$LINENO: checking for __pthread_create in -lpthread" >&5
+echo $ECHO_N "checking for __pthread_create in -lpthread... $ECHO_C" >&6
+if test "${ac_cv_lib_pthread___pthread_create+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char __pthread_create ();
+int
+main ()
+{
+__pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_pthread___pthread_create=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pthread___pthread_create=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create" >&6
+if test $ac_cv_lib_pthread___pthread_create = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+ LIBS="-lpthread $LIBS"
+
+else
+
+echo "$as_me:$LINENO: checking for __pthread_create_system in -lpthread" >&5
+echo $ECHO_N "checking for __pthread_create_system in -lpthread... $ECHO_C" >&6
+if test "${ac_cv_lib_pthread___pthread_create_system+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char __pthread_create_system ();
+int
+main ()
+{
+__pthread_create_system ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_pthread___pthread_create_system=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pthread___pthread_create_system=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pthread___pthread_create_system" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread___pthread_create_system" >&6
+if test $ac_cv_lib_pthread___pthread_create_system = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBPTHREAD 1
+_ACEOF
+
+ LIBS="-lpthread $LIBS"
+
+else
+
+echo "$as_me:$LINENO: checking for pthread_create in -lc_r" >&5
+echo $ECHO_N "checking for pthread_create in -lc_r... $ECHO_C" >&6
+if test "${ac_cv_lib_c_r_pthread_create+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pthread_create ();
+int
+main ()
+{
+pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_c_r_pthread_create=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_c_r_pthread_create=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_r_pthread_create" >&6
+if test $ac_cv_lib_c_r_pthread_create = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC_R 1
+_ACEOF
+
+ LIBS="-lc_r $LIBS"
+
+else
+
+echo "$as_me:$LINENO: checking for pthread_create in -lc" >&5
+echo $ECHO_N "checking for pthread_create in -lc... $ECHO_C" >&6
+if test "${ac_cv_lib_c_pthread_create+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pthread_create ();
+int
+main ()
+{
+pthread_create ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_c_pthread_create=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_c_pthread_create=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_c_pthread_create" >&5
+echo "${ECHO_T}$ac_cv_lib_c_pthread_create" >&6
+if test $ac_cv_lib_c_pthread_create = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBC 1
+_ACEOF
+
+ LIBS="-lc $LIBS"
+
+else
+ use_threads=false
+fi
+
+fi
+
+fi
+
+fi
+
+fi
+
+ ;;
+ esac
+fi
+
+if $use_threads
+then
+ #
+ # We'd like to use sigwait() too
+ #
+ echo "$as_me:$LINENO: checking for sigwait in -lc" >&5
+echo $ECHO_N "checking for sigwait in -lc... $ECHO_C" >&6
+if test "${ac_cv_lib_c_sigwait+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char sigwait ();
+int
+main ()
+{
+sigwait ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_c_sigwait=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_c_sigwait=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_c_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_c_sigwait" >&6
+if test $ac_cv_lib_c_sigwait = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_SIGWAIT 1
+_ACEOF
+
+else
+ echo "$as_me:$LINENO: checking for sigwait in -lpthread" >&5
+echo $ECHO_N "checking for sigwait in -lpthread... $ECHO_C" >&6
+if test "${ac_cv_lib_pthread_sigwait+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char sigwait ();
+int
+main ()
+{
+sigwait ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_pthread_sigwait=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pthread_sigwait=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pthread_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread_sigwait" >&6
+if test $ac_cv_lib_pthread_sigwait = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_SIGWAIT 1
+_ACEOF
+
+else
+ echo "$as_me:$LINENO: checking for _Psigwait in -lpthread" >&5
+echo $ECHO_N "checking for _Psigwait in -lpthread... $ECHO_C" >&6
+if test "${ac_cv_lib_pthread__Psigwait+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lpthread $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char _Psigwait ();
+int
+main ()
+{
+_Psigwait ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_pthread__Psigwait=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_pthread__Psigwait=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_pthread__Psigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_pthread__Psigwait" >&6
+if test $ac_cv_lib_pthread__Psigwait = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_SIGWAIT 1
+_ACEOF
+
+fi
+
+fi
+
+
+fi
+
+
+ echo "$as_me:$LINENO: checking for pthread_attr_getstacksize" >&5
+echo $ECHO_N "checking for pthread_attr_getstacksize... $ECHO_C" >&6
+if test "${ac_cv_func_pthread_attr_getstacksize+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define pthread_attr_getstacksize to an innocuous variant, in case <limits.h> declares pthread_attr_getstacksize.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define pthread_attr_getstacksize innocuous_pthread_attr_getstacksize
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char pthread_attr_getstacksize (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef pthread_attr_getstacksize
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pthread_attr_getstacksize ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_pthread_attr_getstacksize) || defined (__stub___pthread_attr_getstacksize)
+choke me
+#else
+char (*f) () = pthread_attr_getstacksize;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != pthread_attr_getstacksize;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_pthread_attr_getstacksize=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_pthread_attr_getstacksize=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_pthread_attr_getstacksize" >&5
+echo "${ECHO_T}$ac_cv_func_pthread_attr_getstacksize" >&6
+if test $ac_cv_func_pthread_attr_getstacksize = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_PTHREAD_ATTR_GETSTACKSIZE 1
+_ACEOF
+
+fi
+
+
+ #
+ # Additional OS-specific issues related to pthreads and sigwait.
+ #
+ case "$host" in
+ #
+ # One more place to look for sigwait.
+ #
+ *-freebsd*)
+ echo "$as_me:$LINENO: checking for sigwait in -lc_r" >&5
+echo $ECHO_N "checking for sigwait in -lc_r... $ECHO_C" >&6
+if test "${ac_cv_lib_c_r_sigwait+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lc_r $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char sigwait ();
+int
+main ()
+{
+sigwait ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_c_r_sigwait=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_c_r_sigwait=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_c_r_sigwait" >&5
+echo "${ECHO_T}$ac_cv_lib_c_r_sigwait" >&6
+if test $ac_cv_lib_c_r_sigwait = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_SIGWAIT 1
+_ACEOF
+
+fi
+
+ ;;
+ #
+ # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+ # called before certain pthreads calls. This is deprecated
+ # in BSD/OS 4.1.
+ #
+ *-bsdi3.*|*-bsdi4.0*)
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_PTHREAD_INIT 1
+_ACEOF
+
+ ;;
+ #
+ # LinuxThreads requires some changes to the way we
+ # deal with signals.
+ #
+ *-linux*)
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_LINUXTHREADS 1
+_ACEOF
+
+ ;;
+ #
+ # Ensure the right sigwait() semantics on Solaris and make
+ # sure we call pthread_setconcurrency.
+ #
+ *-solaris*)
+ cat >>confdefs.h <<\_ACEOF
+#define _POSIX_PTHREAD_SEMANTICS 1
+_ACEOF
+
+ echo "$as_me:$LINENO: checking for pthread_setconcurrency" >&5
+echo $ECHO_N "checking for pthread_setconcurrency... $ECHO_C" >&6
+if test "${ac_cv_func_pthread_setconcurrency+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define pthread_setconcurrency to an innocuous variant, in case <limits.h> declares pthread_setconcurrency.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define pthread_setconcurrency innocuous_pthread_setconcurrency
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char pthread_setconcurrency (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef pthread_setconcurrency
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pthread_setconcurrency ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_pthread_setconcurrency) || defined (__stub___pthread_setconcurrency)
+choke me
+#else
+char (*f) () = pthread_setconcurrency;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != pthread_setconcurrency;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_pthread_setconcurrency=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_pthread_setconcurrency=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_pthread_setconcurrency" >&5
+echo "${ECHO_T}$ac_cv_func_pthread_setconcurrency" >&6
+if test $ac_cv_func_pthread_setconcurrency = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define CALL_PTHREAD_SETCONCURRENCY 1
+_ACEOF
+
+fi
+
+ cat >>confdefs.h <<\_ACEOF
+#define POSIX_GETPWUID_R 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define POSIX_GETPWNAM_R 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define POSIX_GETGRGID_R 1
+_ACEOF
+
+ cat >>confdefs.h <<\_ACEOF
+#define POSIX_GETGRNAM_R 1
+_ACEOF
+
+ ;;
+ *hpux11*)
+ cat >>confdefs.h <<\_ACEOF
+#define _PTHREADS_DRAFT4 1
+_ACEOF
+
+ ;;
+ #
+ # UnixWare does things its own way.
+ #
+ *-UnixWare*)
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_UNIXWARE_SIGWAIT 1
+_ACEOF
+
+ ;;
+ esac
+
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ echo "$as_me:$LINENO: checking for sysconf" >&5
+echo $ECHO_N "checking for sysconf... $ECHO_C" >&6
+if test "${ac_cv_func_sysconf+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define sysconf to an innocuous variant, in case <limits.h> declares sysconf.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define sysconf innocuous_sysconf
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char sysconf (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef sysconf
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char sysconf ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_sysconf) || defined (__stub___sysconf)
+choke me
+#else
+char (*f) () = sysconf;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != sysconf;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_sysconf=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_sysconf=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_sysconf" >&5
+echo "${ECHO_T}$ac_cv_func_sysconf" >&6
+if test $ac_cv_func_sysconf = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_SYSCONF 1
+_ACEOF
+
+fi
+
+
+ if test "X$GCC" = "Xyes"; then
+ case "$host" in
+ *-freebsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-openbsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ LIBS="$LIBS -lthread"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ esac
+ else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ CC="$CC -mt"
+ CCOPT="$CCOPT -mt"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-UnixWare*)
+ CC="$CC -Kthread"
+ CCOPT="$CCOPT -Kthread"
+ ;;
+ esac
+ fi
+ ALWAYS_DEFINES="-D_REENTRANT"
+ DO_PTHREADS="#define DO_PTHREADS 1"
+ WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
+ WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
+ WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}"
+ thread_dir=pthreads
+else
+ ALWAYS_DEFINES=""
+ DO_PTHREADS="#undef DO_PTHREADS"
+ WANT_IRS_THREADSGR_OBJS=""
+ WANT_IRS_THREADSPW_OBJS=""
+ WANT_IRS_THREADS_OBJS=""
+ thread_dir=nothreads
+fi
+
+echo "$as_me:$LINENO: checking for strlcat" >&5
+echo $ECHO_N "checking for strlcat... $ECHO_C" >&6
+if test "${ac_cv_func_strlcat+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strlcat to an innocuous variant, in case <limits.h> declares strlcat.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strlcat innocuous_strlcat
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strlcat (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strlcat
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strlcat ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strlcat) || defined (__stub___strlcat)
+choke me
+#else
+char (*f) () = strlcat;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strlcat;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strlcat=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strlcat=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strlcat" >&5
+echo "${ECHO_T}$ac_cv_func_strlcat" >&6
+if test $ac_cv_func_strlcat = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_STRLCAT 1
+_ACEOF
+
+fi
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for if_nametoindex" >&5
+echo $ECHO_N "checking for if_nametoindex... $ECHO_C" >&6
+if test "${ac_cv_func_if_nametoindex+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define if_nametoindex to an innocuous variant, in case <limits.h> declares if_nametoindex.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define if_nametoindex innocuous_if_nametoindex
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char if_nametoindex (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef if_nametoindex
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char if_nametoindex ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_if_nametoindex) || defined (__stub___if_nametoindex)
+choke me
+#else
+char (*f) () = if_nametoindex;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != if_nametoindex;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_if_nametoindex=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_if_nametoindex=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_if_nametoindex" >&5
+echo "${ECHO_T}$ac_cv_func_if_nametoindex" >&6
+if test $ac_cv_func_if_nametoindex = yes; then
+ USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"
+else
+ USE_IFNAMELINKID="#undef USE_IFNAMELINKID"
+fi
+
+
+
+ISC_THREAD_DIR=$thread_dir
+
+
+echo "$as_me:$LINENO: checking for daemon" >&5
+echo $ECHO_N "checking for daemon... $ECHO_C" >&6
+if test "${ac_cv_func_daemon+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define daemon to an innocuous variant, in case <limits.h> declares daemon.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define daemon innocuous_daemon
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char daemon (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef daemon
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char daemon ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_daemon) || defined (__stub___daemon)
+choke me
+#else
+char (*f) () = daemon;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != daemon;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_daemon=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_daemon=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_daemon" >&5
+echo "${ECHO_T}$ac_cv_func_daemon" >&6
+if test $ac_cv_func_daemon = yes; then
+ DAEMON_OBJS="" NEED_DAEMON="#undef NEED_DAEMON"
+
+else
+ DAEMON_OBJS="\${DAEMON_OBJS}" NEED_DAEMON="#define NEED_DAEMON 1"
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for strsep" >&5
+echo $ECHO_N "checking for strsep... $ECHO_C" >&6
+if test "${ac_cv_func_strsep+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strsep to an innocuous variant, in case <limits.h> declares strsep.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strsep innocuous_strsep
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strsep (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strsep
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strsep ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strsep) || defined (__stub___strsep)
+choke me
+#else
+char (*f) () = strsep;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strsep;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strsep=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strsep=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
+echo "${ECHO_T}$ac_cv_func_strsep" >&6
+if test $ac_cv_func_strsep = yes; then
+ STRSEP_OBJS="" NEED_STRSEP="#undef NEED_STRSEP"
+
+else
+ STRSEP_OBJS="\${STRSEP_OBJS}" NEED_STRSEP="#define NEED_STRSEP 1"
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for strerror" >&5
+echo $ECHO_N "checking for strerror... $ECHO_C" >&6
+if test "${ac_cv_func_strerror+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strerror to an innocuous variant, in case <limits.h> declares strerror.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strerror innocuous_strerror
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strerror (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strerror
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strerror ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strerror) || defined (__stub___strerror)
+choke me
+#else
+char (*f) () = strerror;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strerror;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strerror=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strerror=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_strerror" >&6
+if test $ac_cv_func_strerror = yes; then
+ NEED_STRERROR="#undef NEED_STRERROR"
+else
+ NEED_STRERROR="#define NEED_STRERROR 1"
+fi
+
+
+
+#
+# flockfile is usually provided by pthreads, but we may want to use it
+# even if compiled with --disable-threads.
+#
+echo "$as_me:$LINENO: checking for flockfile" >&5
+echo $ECHO_N "checking for flockfile... $ECHO_C" >&6
+if test "${ac_cv_func_flockfile+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define flockfile to an innocuous variant, in case <limits.h> declares flockfile.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define flockfile innocuous_flockfile
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char flockfile (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef flockfile
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char flockfile ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_flockfile) || defined (__stub___flockfile)
+choke me
+#else
+char (*f) () = flockfile;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != flockfile;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_flockfile=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_flockfile=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_flockfile" >&5
+echo "${ECHO_T}$ac_cv_func_flockfile" >&6
+if test $ac_cv_func_flockfile = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_FLOCKFILE 1
+_ACEOF
+
+fi
+
+
+#
+# Indicate what the final decision was regarding threads.
+#
+echo "$as_me:$LINENO: checking whether to build with threads" >&5
+echo $ECHO_N "checking whether to build with threads... $ECHO_C" >&6
+if $use_threads; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+#
+# End of pthreads stuff.
+#
+
+#
+# Additional compiler settings.
+#
+MKDEPCC="$CC"
+MKDEPCFLAGS="-M"
+IRIX_DNSSEC_WARNINGS_HACK=""
+
+if test "X$GCC" = "Xyes"; then
+ STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -std"
+ CCOPT="$CCOPT -std"
+ MKDEPCC="$CC"
+ ;;
+ *-hp-hpux*)
+ CC="$CC -Ae -z"
+ # The version of the C compiler that constantly warns about
+ # 'const' as well as alignment issues is unfortunately not
+ # able to be discerned via the version of the operating
+ # system, nor does cc have a version flag.
+ case "`$CC +W 123 2>&1`" in
+ *Unknown?option*)
+ STD_CWARNINGS="+w1"
+ ;;
+ *)
+ # Turn off the pointlessly noisy warnings.
+ STD_CWARNINGS="+w1 +W 474,530"
+ ;;
+ esac
+ CCOPT="$CCOPT -Ae -z"
+ LIBS="-Wl,+vnocompatwarnings $LIBS"
+MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>&1 | awk '"'"'BEGIN {colon=0; rec="";} { for (i = 0 ; i < NF; i++) { if (colon && a$i) continue; if ($i == "\\") continue; if (!colon) { rec = $i continue; } if ($i == ":") { rec = rec " :" colon = 1 continue; } if (length(rec $i) > 76) { print rec " \\"; rec = "\t" $i; a$i = 1; } else { rec = rec " " $i a$i = 1; } } } END {print rec}'"'"' >>$TMP'
+ MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
+ ;;
+ *-sgi-irix*)
+ STD_CWARNINGS="-fullwarn -woff 1209"
+ #
+ # Silence more than 250 instances of
+ # "prototyped function redeclared without prototype"
+ # and 11 instances of
+ # "variable ... was set but never used"
+ # from lib/dns/sec/openssl.
+ #
+ IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
+ ;;
+ *-solaris*)
+ MKDEPCFLAGS="-xM"
+ ;;
+ *-UnixWare*)
+ CC="$CC -w"
+ ;;
+ esac
+fi
+
+#
+# _GNU_SOURCE is needed to access the fd_bits field of struct fd_set, which
+# is supposed to be opaque.
+#
+case $host in
+ *linux*)
+ STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
+ ;;
+esac
+
+
+
+
+
+
+#
+# NLS
+#
+echo "$as_me:$LINENO: checking for catgets" >&5
+echo $ECHO_N "checking for catgets... $ECHO_C" >&6
+if test "${ac_cv_func_catgets+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define catgets to an innocuous variant, in case <limits.h> declares catgets.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define catgets innocuous_catgets
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char catgets (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef catgets
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char catgets ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_catgets) || defined (__stub___catgets)
+choke me
+#else
+char (*f) () = catgets;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != catgets;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_catgets=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_catgets=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_catgets" >&5
+echo "${ECHO_T}$ac_cv_func_catgets" >&6
+if test $ac_cv_func_catgets = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_CATGETS 1
+_ACEOF
+
+fi
+
+
+#
+# -lxnet buys us one big porting headache... standards, gotta love 'em.
+#
+# AC_CHECK_LIB(xnet, socket, ,
+# AC_CHECK_LIB(socket, socket)
+# AC_CHECK_LIB(nsl, inet_ntoa)
+# )
+#
+# Use this for now, instead:
+#
+case "$host" in
+ mips-sgi-irix*)
+ ;;
+ *)
+
+echo "$as_me:$LINENO: checking for gethostbyname_r in -ld4r" >&5
+echo $ECHO_N "checking for gethostbyname_r in -ld4r... $ECHO_C" >&6
+if test "${ac_cv_lib_d4r_gethostbyname_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ld4r $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char gethostbyname_r ();
+int
+main ()
+{
+gethostbyname_r ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_d4r_gethostbyname_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_d4r_gethostbyname_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_d4r_gethostbyname_r" >&5
+echo "${ECHO_T}$ac_cv_lib_d4r_gethostbyname_r" >&6
+if test $ac_cv_lib_d4r_gethostbyname_r = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBD4R 1
+_ACEOF
+
+ LIBS="-ld4r $LIBS"
+
+fi
+
+
+echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
+echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
+if test "${ac_cv_lib_socket_socket+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsocket $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char socket ();
+int
+main ()
+{
+socket ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_socket_socket=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_socket_socket=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
+echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
+if test $ac_cv_lib_socket_socket = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSOCKET 1
+_ACEOF
+
+ LIBS="-lsocket $LIBS"
+
+fi
+
+
+echo "$as_me:$LINENO: checking for inet_ntoa in -lnsl" >&5
+echo $ECHO_N "checking for inet_ntoa in -lnsl... $ECHO_C" >&6
+if test "${ac_cv_lib_nsl_inet_ntoa+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lnsl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char inet_ntoa ();
+int
+main ()
+{
+inet_ntoa ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_nsl_inet_ntoa=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_nsl_inet_ntoa=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_inet_ntoa" >&5
+echo "${ECHO_T}$ac_cv_lib_nsl_inet_ntoa" >&6
+if test $ac_cv_lib_nsl_inet_ntoa = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBNSL 1
+_ACEOF
+
+ LIBS="-lnsl $LIBS"
+
+fi
+
+ ;;
+esac
+
+#
+# Purify support
+#
+echo "$as_me:$LINENO: checking whether to use purify" >&5
+echo $ECHO_N "checking whether to use purify... $ECHO_C" >&6
+
+# Check whether --with-purify or --without-purify was given.
+if test "${with_purify+set}" = set; then
+ withval="$with_purify"
+ use_purify="$withval"
+else
+ use_purify="no"
+fi;
+
+case "$use_purify" in
+ no)
+ ;;
+ yes)
+ # Extract the first word of "purify", so it can be a program name with args.
+set dummy purify; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_path_purify_path+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $purify_path in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_purify_path="$purify_path" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_path_purify_path="$as_dir/$ac_word$ac_exec_ext"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_path_purify_path" && ac_cv_path_purify_path="purify"
+ ;;
+esac
+fi
+purify_path=$ac_cv_path_purify_path
+
+if test -n "$purify_path"; then
+ echo "$as_me:$LINENO: result: $purify_path" >&5
+echo "${ECHO_T}$purify_path" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ ;;
+ *)
+ purify_path="$use_purify"
+ ;;
+esac
+
+case "$use_purify" in
+ no)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ PURIFY=""
+ ;;
+ *)
+ if test -f $purify_path || test $purify_path = purify; then
+ echo "$as_me:$LINENO: result: $purify_path" >&5
+echo "${ECHO_T}$purify_path" >&6
+ PURIFYFLAGS="`echo $PURIFYOPTIONS`"
+ PURIFY="$purify_path $PURIFYFLAGS"
+ else
+ { { echo "$as_me:$LINENO: error: $purify_path not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-purify=PATH
+" >&5
+echo "$as_me: error: $purify_path not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-purify=PATH
+" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ ;;
+esac
+
+
+
+#
+# GNU libtool support
+#
+
+# Check whether --with-libtool or --without-libtool was given.
+if test "${with_libtool+set}" = set; then
+ withval="$with_libtool"
+ use_libtool="$withval"
+else
+ use_libtool="no"
+fi;
+
+case $use_libtool in
+ yes)
+ # Check whether --enable-shared or --disable-shared was given.
+if test "${enable_shared+set}" = set; then
+ enableval="$enable_shared"
+ p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_shared=yes ;;
+ no) enable_shared=no ;;
+ *)
+ enable_shared=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_shared=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_shared=yes
+fi;
+
+# Check whether --enable-static or --disable-static was given.
+if test "${enable_static+set}" = set; then
+ enableval="$enable_static"
+ p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_static=yes ;;
+ no) enable_static=no ;;
+ *)
+ enable_static=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_static=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_static=yes
+fi;
+
+# Check whether --enable-fast-install or --disable-fast-install was given.
+if test "${enable_fast_install+set}" = set; then
+ enableval="$enable_fast_install"
+ p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_fast_install=yes ;;
+ no) enable_fast_install=no ;;
+ *)
+ enable_fast_install=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_fast_install=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac
+else
+ enable_fast_install=yes
+fi;
+
+echo "$as_me:$LINENO: checking for a sed that does not truncate output" >&5
+echo $ECHO_N "checking for a sed that does not truncate output... $ECHO_C" >&6
+if test "${lt_cv_path_SED+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for lt_ac_prog in sed gsed; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+ lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+ fi
+ done
+ done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+ test ! -f $lt_ac_sed && break
+ cat /dev/null > conftest.in
+ lt_ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+ # Check for GNU sed and select it if it is found.
+ if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+ lt_cv_path_SED=$lt_ac_sed
+ break
+ fi
+ while true; do
+ cat conftest.in conftest.in >conftest.tmp
+ mv conftest.tmp conftest.in
+ cp conftest.in conftest.nl
+ echo >>conftest.nl
+ $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+ cmp -s conftest.out conftest.nl || break
+ # 10000 chars as input seems more than enough
+ test $lt_ac_count -gt 10 && break
+ lt_ac_count=`expr $lt_ac_count + 1`
+ if test $lt_ac_count -gt $lt_ac_max; then
+ lt_ac_max=$lt_ac_count
+ lt_cv_path_SED=$lt_ac_sed
+ fi
+ done
+done
+SED=$lt_cv_path_SED
+
+fi
+
+echo "$as_me:$LINENO: result: $SED" >&5
+echo "${ECHO_T}$SED" >&6
+
+
+# Check whether --with-gnu-ld or --without-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+ withval="$with_gnu_ld"
+ test "$withval" = no || with_gnu_ld=yes
+else
+ with_gnu_ld=no
+fi;
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [\\/]* | ?:[\\/]*)
+ re_direlt='/[^/][^/]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
+else
+ echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some GNU ld's only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+ { (exit 1); exit 1; }; }
+echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+echo "$as_me:$LINENO: checking for $LD option to reload object files" >&5
+echo $ECHO_N "checking for $LD option to reload object files... $ECHO_C" >&6
+if test "${lt_cv_ld_reload_flag+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_ld_reload_flag='-r'
+fi
+echo "$as_me:$LINENO: result: $lt_cv_ld_reload_flag" >&5
+echo "${ECHO_T}$lt_cv_ld_reload_flag" >&6
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+
+echo "$as_me:$LINENO: checking for BSD-compatible nm" >&5
+echo $ECHO_N "checking for BSD-compatible nm... $ECHO_C" >&6
+if test "${lt_cv_path_NM+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$NM"; then
+ # Let the user override the test.
+ lt_cv_path_NM="$NM"
+else
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ tmp_nm="$ac_dir/${ac_tool_prefix}nm"
+ if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+ # Check to see if the nm accepts a BSD-compat flag.
+ # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+ # nm: unknown option "B" ignored
+ # Tru64's nm complains that /dev/null is an invalid object file
+ case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+ */dev/null* | *'Invalid file or object type'*)
+ lt_cv_path_NM="$tmp_nm -B"
+ break
+ ;;
+ *)
+ case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+ */dev/null*)
+ lt_cv_path_NM="$tmp_nm -p"
+ break
+ ;;
+ *)
+ lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+ continue # so that we can try to find one that supports BSD flags
+ ;;
+ esac
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+ test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi
+fi
+echo "$as_me:$LINENO: result: $lt_cv_path_NM" >&5
+echo "${ECHO_T}$lt_cv_path_NM" >&6
+NM="$lt_cv_path_NM"
+
+echo "$as_me:$LINENO: checking whether ln -s works" >&5
+echo $ECHO_N "checking whether ln -s works... $ECHO_C" >&6
+LN_S=$as_ln_s
+if test "$LN_S" = "ln -s"; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+ echo "$as_me:$LINENO: result: no, using $LN_S" >&5
+echo "${ECHO_T}no, using $LN_S" >&6
+fi
+
+echo "$as_me:$LINENO: checking how to recognise dependent libraries" >&5
+echo $ECHO_N "checking how to recognise dependent libraries... $ECHO_C" >&6
+if test "${lt_cv_deplibs_check_method+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+beos*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+bsdi4*)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib)'
+ lt_cv_file_magic_cmd='/usr/bin/file -L'
+ lt_cv_file_magic_test_file=/shlib/libc.so
+ ;;
+
+cygwin*)
+ # win32_libid is a shell function defined in ltmain.sh
+ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+ lt_cv_file_magic_cmd='win32_libid'
+ ;;
+
+mingw* | pw32*)
+ # Base MSYS/MinGW do not provide the 'file' command needed by
+ # win32_libid shell function, so use a weaker test based on 'objdump'.
+ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ lt_cv_file_magic_cmd='$OBJDUMP -f'
+ ;;
+
+darwin* | rhapsody*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+freebsd* | kfreebsd*-gnu)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ case $host_cpu in
+ i*86 )
+ # Not sure whether the presence of OpenBSD here was a mistake.
+ # Let's accept both of them until this is cleared up.
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[3-9]86 (compact )?demand paged shared library'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ ;;
+ esac
+ else
+ lt_cv_deplibs_check_method=pass_all
+ fi
+ ;;
+
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+hpux10.20* | hpux11*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ case "$host_cpu" in
+ ia64*)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - IA64'
+ lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+ ;;
+ hppa*64*)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]'
+ lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+ ;;
+ *)
+ lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|PA-RISC[0-9].[0-9]) shared library'
+ lt_cv_file_magic_test_file=/usr/lib/libc.sl
+ ;;
+ esac
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $LD in
+ *-32|*"-32 ") libmagic=32-bit;;
+ *-n32|*"-n32 ") libmagic=N32;;
+ *-64|*"-64 ") libmagic=64-bit;;
+ *) libmagic=never-match;;
+ esac
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ case $host_cpu in
+ alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+ lt_cv_deplibs_check_method=pass_all ;;
+ *)
+ # glibc up to 2.1.1 does not perform some relocations on ARM
+ # this will be overridden with pass_all, but let us keep it just in case
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )' ;;
+ esac
+ lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so|_pic\.a)$'
+ fi
+ ;;
+
+newos6*)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (executable|dynamic lib)'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=/usr/lib/libnls.so
+ ;;
+
+nto-qnx*)
+ lt_cv_deplibs_check_method=unknown
+ ;;
+
+openbsd*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB shared object'
+ else
+ lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+ fi
+ ;;
+
+osf3* | osf4* | osf5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sco3.2v5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+solaris*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ case $host_vendor in
+ motorola)
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [ML]SB (shared object|dynamic lib) M[0-9][0-9]* Version [0-9]'
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+ ;;
+ ncr)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ sequent)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method='file_magic ELF [0-9][0-9]*-bit [LM]SB (shared object|dynamic lib )'
+ ;;
+ sni)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method="file_magic ELF [0-9][0-9]*-bit [LM]SB dynamic lib"
+ lt_cv_file_magic_test_file=/lib/libc.so
+ ;;
+ siemens)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ esac
+ ;;
+
+sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7* | sysv4*uw2*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+esac
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_deplibs_check_method" >&5
+echo "${ECHO_T}$lt_cv_deplibs_check_method" >&6
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+
+
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+ enableval="$enable_libtool_lock"
+
+fi;
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *ELF-32*)
+ HPUX_IA64_MODE="32"
+ ;;
+ *ELF-64*)
+ HPUX_IA64_MODE="64"
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+*-*-irix6*)
+ # Find out which ABI we are using.
+ echo '#line 7298 "configure"' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -melf32bsmip"
+ ;;
+ *N32*)
+ LD="${LD-ld} -melf32bmipn32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -melf64bmip"
+ ;;
+ esac
+ else
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -32"
+ ;;
+ *N32*)
+ LD="${LD-ld} -n32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -64"
+ ;;
+ esac
+ fi
+ fi
+ rm -rf conftest*
+ ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ case "`/usr/bin/file conftest.o`" in
+ *32-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_i386"
+ ;;
+ ppc64-*linux*|powerpc64-*linux*)
+ LD="${LD-ld} -m elf32ppclinux"
+ ;;
+ s390x-*linux*)
+ LD="${LD-ld} -m elf_s390"
+ ;;
+ sparc64-*linux*)
+ LD="${LD-ld} -m elf32_sparc"
+ ;;
+ esac
+ ;;
+ *64-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ ppc*-*linux*|powerpc*-*linux*)
+ LD="${LD-ld} -m elf64ppc"
+ ;;
+ s390*-*linux*)
+ LD="${LD-ld} -m elf64_s390"
+ ;;
+ sparc*-*linux*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+*-*-sco3.2v5*)
+ # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+ SAVE_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -belf"
+ echo "$as_me:$LINENO: checking whether the C compiler needs -belf" >&5
+echo $ECHO_N "checking whether the C compiler needs -belf... $ECHO_C" >&6
+if test "${lt_cv_cc_needs_belf+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ lt_cv_cc_needs_belf=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+lt_cv_cc_needs_belf=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_cc_needs_belf" >&5
+echo "${ECHO_T}$lt_cv_cc_needs_belf" >&6
+ if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+ # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+ CFLAGS="$SAVE_CFLAGS"
+ fi
+ ;;
+
+esac
+
+need_locks="$enable_libtool_lock"
+
+
+
+for ac_header in dlfcn.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+else
+ # Is the header compilable?
+echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_header_compiler=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6
+
+# Is the header present?
+echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_c_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_c_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+rm -f conftest.err conftest.$ac_ext
+echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ (
+ cat <<\_ASBOX
+## ------------------------------------------ ##
+## Report this to the AC_PACKAGE_NAME lists. ##
+## ------------------------------------------ ##
+_ASBOX
+ ) |
+ sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6
+if eval "test \"\${$as_ac_Header+set}\" = set"; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5
+echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ac_ext=cc
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$CXX"; then
+ ac_cv_prog_CXX="$CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CXX="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+CXX=$ac_cv_prog_CXX
+if test -n "$CXX"; then
+ echo "$as_me:$LINENO: result: $CXX" >&5
+echo "${ECHO_T}$CXX" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$CXX" && break
+ done
+fi
+if test -z "$CXX"; then
+ ac_ct_CXX=$CXX
+ for ac_prog in $CCC g++ c++ gpp aCC CC cxx cc++ cl FCC KCC RCC xlC_r xlC
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_CXX"; then
+ ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CXX="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+ac_ct_CXX=$ac_cv_prog_ac_ct_CXX
+if test -n "$ac_ct_CXX"; then
+ echo "$as_me:$LINENO: result: $ac_ct_CXX" >&5
+echo "${ECHO_T}$ac_ct_CXX" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$ac_ct_CXX" && break
+done
+test -n "$ac_ct_CXX" || ac_ct_CXX="g++"
+
+ CXX=$ac_ct_CXX
+fi
+
+
+# Provide some information about the compiler.
+echo "$as_me:$LINENO:" \
+ "checking for C++ compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
+ (eval $ac_compiler --version </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
+ (eval $ac_compiler -v </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
+ (eval $ac_compiler -V </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+
+echo "$as_me:$LINENO: checking whether we are using the GNU C++ compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU C++ compiler... $ECHO_C" >&6
+if test "${ac_cv_cxx_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_compiler_gnu=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_cxx_compiler_gnu=$ac_compiler_gnu
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_cxx_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_cxx_compiler_gnu" >&6
+GXX=`test $ac_compiler_gnu = yes && echo yes`
+ac_test_CXXFLAGS=${CXXFLAGS+set}
+ac_save_CXXFLAGS=$CXXFLAGS
+CXXFLAGS="-g"
+echo "$as_me:$LINENO: checking whether $CXX accepts -g" >&5
+echo $ECHO_N "checking whether $CXX accepts -g... $ECHO_C" >&6
+if test "${ac_cv_prog_cxx_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_prog_cxx_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_prog_cxx_g=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_prog_cxx_g" >&5
+echo "${ECHO_T}$ac_cv_prog_cxx_g" >&6
+if test "$ac_test_CXXFLAGS" = set; then
+ CXXFLAGS=$ac_save_CXXFLAGS
+elif test $ac_cv_prog_cxx_g = yes; then
+ if test "$GXX" = yes; then
+ CXXFLAGS="-g -O2"
+ else
+ CXXFLAGS="-g"
+ fi
+else
+ if test "$GXX" = yes; then
+ CXXFLAGS="-O2"
+ else
+ CXXFLAGS=
+ fi
+fi
+for ac_declaration in \
+ '' \
+ 'extern "C" void std::exit (int) throw (); using std::exit;' \
+ 'extern "C" void std::exit (int); using std::exit;' \
+ 'extern "C" void exit (int) throw ();' \
+ 'extern "C" void exit (int);' \
+ 'void exit (int);'
+do
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_declaration
+#include <stdlib.h>
+int
+main ()
+{
+exit (42);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+continue
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_declaration
+int
+main ()
+{
+exit (42);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ break
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+done
+rm -f conftest*
+if test -n "$ac_declaration"; then
+ echo '#ifdef __cplusplus' >>confdefs.h
+ echo $ac_declaration >>confdefs.h
+ echo '#endif' >>confdefs.h
+fi
+
+ac_ext=cc
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+ac_ext=cc
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+echo "$as_me:$LINENO: checking how to run the C++ preprocessor" >&5
+echo $ECHO_N "checking how to run the C++ preprocessor... $ECHO_C" >&6
+if test -z "$CXXCPP"; then
+ if test "${ac_cv_prog_CXXCPP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # Double quotes because CXXCPP needs to be expanded
+ for CXXCPP in "$CXX -E" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_cxx_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether non-existent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_cxx_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ break
+fi
+
+ done
+ ac_cv_prog_CXXCPP=$CXXCPP
+
+fi
+ CXXCPP=$ac_cv_prog_CXXCPP
+else
+ ac_cv_prog_CXXCPP=$CXXCPP
+fi
+echo "$as_me:$LINENO: result: $CXXCPP" >&5
+echo "${ECHO_T}$CXXCPP" >&6
+ac_preproc_ok=false
+for ac_cxx_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_cxx_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ :
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether non-existent headers
+ # can be detected and how.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5
+ (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null; then
+ if test -s conftest.err; then
+ ac_cpp_err=$ac_cxx_preproc_warn_flag
+ ac_cpp_err=$ac_cpp_err$ac_cxx_werror_flag
+ else
+ ac_cpp_err=
+ fi
+else
+ ac_cpp_err=yes
+fi
+if test -z "$ac_cpp_err"; then
+ # Broken: success on invalid input.
+continue
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then
+ :
+else
+ { { echo "$as_me:$LINENO: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&5
+echo "$as_me: error: C++ preprocessor \"$CXXCPP\" fails sanity check
+See \`config.log' for more details." >&2;}
+ { (exit 1); exit 1; }; }
+fi
+
+ac_ext=cc
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$F77"; then
+ ac_cv_prog_F77="$F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_F77="$ac_tool_prefix$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+F77=$ac_cv_prog_F77
+if test -n "$F77"; then
+ echo "$as_me:$LINENO: result: $F77" >&5
+echo "${ECHO_T}$F77" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$F77" && break
+ done
+fi
+if test -z "$F77"; then
+ ac_ct_F77=$F77
+ for ac_prog in g77 f77 xlf frt pgf77 fort77 fl32 af77 f90 xlf90 pgf90 epcf90 f95 fort xlf95 ifc efc pgf95 lf95 gfortran
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_F77"; then
+ ac_cv_prog_ac_ct_F77="$ac_ct_F77" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_F77="$ac_prog"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+ac_ct_F77=$ac_cv_prog_ac_ct_F77
+if test -n "$ac_ct_F77"; then
+ echo "$as_me:$LINENO: result: $ac_ct_F77" >&5
+echo "${ECHO_T}$ac_ct_F77" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ test -n "$ac_ct_F77" && break
+done
+
+ F77=$ac_ct_F77
+fi
+
+
+# Provide some information about the compiler.
+echo "$as_me:8288:" \
+ "checking for Fortran 77 compiler version" >&5
+ac_compiler=`set X $ac_compile; echo $2`
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
+ (eval $ac_compiler --version </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -v </dev/null >&5\"") >&5
+ (eval $ac_compiler -v </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+{ (eval echo "$as_me:$LINENO: \"$ac_compiler -V </dev/null >&5\"") >&5
+ (eval $ac_compiler -V </dev/null >&5) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+rm -f a.out
+
+# If we don't use `.F' as extension, the preprocessor is not run on the
+# input file. (Note that this only needs to work for GNU compilers.)
+ac_save_ext=$ac_ext
+ac_ext=F
+echo "$as_me:$LINENO: checking whether we are using the GNU Fortran 77 compiler" >&5
+echo $ECHO_N "checking whether we are using the GNU Fortran 77 compiler... $ECHO_C" >&6
+if test "${ac_cv_f77_compiler_gnu+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+#ifndef __GNUC__
+ choke me
+#endif
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_f77_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_compiler_gnu=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_compiler_gnu=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_f77_compiler_gnu=$ac_compiler_gnu
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_f77_compiler_gnu" >&5
+echo "${ECHO_T}$ac_cv_f77_compiler_gnu" >&6
+ac_ext=$ac_save_ext
+ac_test_FFLAGS=${FFLAGS+set}
+ac_save_FFLAGS=$FFLAGS
+FFLAGS=
+echo "$as_me:$LINENO: checking whether $F77 accepts -g" >&5
+echo $ECHO_N "checking whether $F77 accepts -g... $ECHO_C" >&6
+if test "${ac_cv_prog_f77_g+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ FFLAGS=-g
+cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_f77_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_prog_f77_g=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_prog_f77_g=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+echo "$as_me:$LINENO: result: $ac_cv_prog_f77_g" >&5
+echo "${ECHO_T}$ac_cv_prog_f77_g" >&6
+if test "$ac_test_FFLAGS" = set; then
+ FFLAGS=$ac_save_FFLAGS
+elif test $ac_cv_prog_f77_g = yes; then
+ if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+ FFLAGS="-g -O2"
+ else
+ FFLAGS="-g"
+ fi
+else
+ if test "x$ac_cv_f77_compiler_gnu" = xyes; then
+ FFLAGS="-O2"
+ else
+ FFLAGS=
+ fi
+fi
+
+G77=`test $ac_compiler_gnu = yes && echo yes`
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+
+# find the maximum length of command line arguments
+echo "$as_me:$LINENO: checking the maximum length of command line arguments" >&5
+echo $ECHO_N "checking the maximum length of command line arguments... $ECHO_C" >&6
+if test "${lt_cv_sys_max_cmd_len+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ i=0
+ testring="ABCD"
+
+ case $build_os in
+ msdosdjgpp*)
+ # On DJGPP, this test can blow up pretty badly due to problems in libc
+ # (any single argument exceeding 2000 bytes causes a buffer overrun
+ # during glob expansion). Even if it were fixed, the result of this
+ # check would be larger than it should be.
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right
+ ;;
+
+ gnu*)
+ # Under GNU Hurd, this test is not required because there is
+ # no limit to the length of command line arguments.
+ # Libtool will interpret -1 as no limit whatsoever
+ lt_cv_sys_max_cmd_len=-1;
+ ;;
+
+ cygwin* | mingw*)
+ # On Win9x/ME, this test blows up -- it succeeds, but takes
+ # about 5 minutes as the teststring grows exponentially.
+ # Worse, since 9x/ME are not pre-emptively multitasking,
+ # you end up with a "frozen" computer, even though with patience
+ # the test eventually succeeds (with a max line length of 256k).
+ # Instead, let's just punt: use the minimum linelength reported by
+ # all of the supported platforms: 8192 (on NT/2K/XP).
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ amigaos*)
+ # On AmigaOS with pdksh, this test takes hours, literally.
+ # So we just punt and use a minimum line length of 8192.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ *)
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ while (test "X"`$CONFIG_SHELL $0 --fallback-echo "X$testring" 2>/dev/null` \
+ = "XX$testring") >/dev/null 2>&1 &&
+ new_result=`expr "X$testring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ testring=$testring$testring
+ done
+ testring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+ ;;
+ esac
+
+fi
+
+if test -n $lt_cv_sys_max_cmd_len ; then
+ echo "$as_me:$LINENO: result: $lt_cv_sys_max_cmd_len" >&5
+echo "${ECHO_T}$lt_cv_sys_max_cmd_len" >&6
+else
+ echo "$as_me:$LINENO: result: none" >&5
+echo "${ECHO_T}none" >&6
+fi
+
+
+
+
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+echo "$as_me:$LINENO: checking command to parse $NM output from $compiler object" >&5
+echo $ECHO_N "checking command to parse $NM output from $compiler object... $ECHO_C" >&6
+if test "${lt_cv_sys_global_symbol_pipe+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix. What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[BCDEGRST]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([_A-Za-z][_A-Za-z0-9]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+ symcode='[BCDT]'
+ ;;
+cygwin* | mingw* | pw32*)
+ symcode='[ABCDGISTW]'
+ ;;
+hpux*) # Its linker distinguishes data from code symbols
+ if test "$host_cpu" = ia64; then
+ symcode='[ABCDEGRST]'
+ fi
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([^ ]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([^ ]*\) \([^ ]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ ;;
+irix* | nonstopux*)
+ symcode='[BCDEGRST]'
+ ;;
+osf*)
+ symcode='[BCDEGQRST]'
+ ;;
+solaris* | sysv5*)
+ symcode='[BDRT]'
+ ;;
+sysv4)
+ symcode='[DFNSTU]'
+ ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+ opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+ ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+ symcode='[ABCDGIRSTW]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+ # Write the raw and C identifiers.
+ lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[ ]\($symcode$symcode*\)[ ][ ]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+ # Check to see that the pipe works correctly.
+ pipe_works=no
+
+ rm -f conftest*
+ cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Now try to grab the symbols.
+ nlist=conftest.nm
+ if { (eval echo "$as_me:$LINENO: \"$NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist\"") >&5
+ (eval $NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s "$nlist"; then
+ # Try sorting and uniquifying the output.
+ if sort "$nlist" | uniq > "$nlist"T; then
+ mv -f "$nlist"T "$nlist"
+ else
+ rm -f "$nlist"T
+ fi
+
+ # Make sure that we snagged all the symbols we need.
+ if grep ' nm_test_var$' "$nlist" >/dev/null; then
+ if grep ' nm_test_func$' "$nlist" >/dev/null; then
+ cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+ # Now generate the symbol file.
+ eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+ cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{
+EOF
+ $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+ cat <<\EOF >> conftest.$ac_ext
+ {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+ # Now try linking the two files.
+ mv conftest.$ac_objext conftstm.$ac_objext
+ lt_save_LIBS="$LIBS"
+ lt_save_CFLAGS="$CFLAGS"
+ LIBS="conftstm.$ac_objext"
+ CFLAGS="$CFLAGS$lt_prog_compiler_no_builtin_flag"
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext}; then
+ pipe_works=yes
+ fi
+ LIBS="$lt_save_LIBS"
+ CFLAGS="$lt_save_CFLAGS"
+ else
+ echo "cannot find nm_test_func in $nlist" >&5
+ fi
+ else
+ echo "cannot find nm_test_var in $nlist" >&5
+ fi
+ else
+ echo "cannot run $lt_cv_sys_global_symbol_pipe" >&5
+ fi
+ else
+ echo "$progname: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ fi
+ rm -f conftest* conftst*
+
+ # Do not use the global_symbol_pipe unless it works.
+ if test "$pipe_works" = yes; then
+ break
+ else
+ lt_cv_sys_global_symbol_pipe=
+ fi
+done
+
+fi
+
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+ lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+ echo "$as_me:$LINENO: result: failed" >&5
+echo "${ECHO_T}failed" >&6
+else
+ echo "$as_me:$LINENO: result: ok" >&5
+echo "${ECHO_T}ok" >&6
+fi
+
+echo "$as_me:$LINENO: checking for objdir" >&5
+echo $ECHO_N "checking for objdir... $ECHO_C" >&6
+if test "${lt_cv_objdir+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+ lt_cv_objdir=.libs
+else
+ # MS-DOS does not allow filenames that begin with a dot.
+ lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null
+fi
+echo "$as_me:$LINENO: result: $lt_cv_objdir" >&5
+echo "${ECHO_T}$lt_cv_objdir" >&6
+objdir=$lt_cv_objdir
+
+
+
+
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g'
+
+# Same as above, but do not quote variable references.
+double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g'
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ar; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_AR+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$AR"; then
+ ac_cv_prog_AR="$AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_AR="${ac_tool_prefix}ar"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+AR=$ac_cv_prog_AR
+if test -n "$AR"; then
+ echo "$as_me:$LINENO: result: $AR" >&5
+echo "${ECHO_T}$AR" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_AR"; then
+ ac_ct_AR=$AR
+ # Extract the first word of "ar", so it can be a program name with args.
+set dummy ar; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_AR+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_AR"; then
+ ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_AR="ar"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_prog_ac_ct_AR" && ac_cv_prog_ac_ct_AR="false"
+fi
+fi
+ac_ct_AR=$ac_cv_prog_ac_ct_AR
+if test -n "$ac_ct_AR"; then
+ echo "$as_me:$LINENO: result: $ac_ct_AR" >&5
+echo "${ECHO_T}$ac_ct_AR" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ AR=$ac_ct_AR
+else
+ AR="$ac_cv_prog_AR"
+fi
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args.
+set dummy ${ac_tool_prefix}ranlib; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$RANLIB"; then
+ ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+RANLIB=$ac_cv_prog_RANLIB
+if test -n "$RANLIB"; then
+ echo "$as_me:$LINENO: result: $RANLIB" >&5
+echo "${ECHO_T}$RANLIB" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_RANLIB"; then
+ ac_ct_RANLIB=$RANLIB
+ # Extract the first word of "ranlib", so it can be a program name with args.
+set dummy ranlib; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_RANLIB"; then
+ ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_RANLIB="ranlib"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_prog_ac_ct_RANLIB" && ac_cv_prog_ac_ct_RANLIB=":"
+fi
+fi
+ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB
+if test -n "$ac_ct_RANLIB"; then
+ echo "$as_me:$LINENO: result: $ac_ct_RANLIB" >&5
+echo "${ECHO_T}$ac_ct_RANLIB" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ RANLIB=$ac_ct_RANLIB
+else
+ RANLIB="$ac_cv_prog_RANLIB"
+fi
+
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args.
+set dummy ${ac_tool_prefix}strip; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$STRIP"; then
+ ac_cv_prog_STRIP="$STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_STRIP="${ac_tool_prefix}strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+fi
+fi
+STRIP=$ac_cv_prog_STRIP
+if test -n "$STRIP"; then
+ echo "$as_me:$LINENO: result: $STRIP" >&5
+echo "${ECHO_T}$STRIP" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+fi
+if test -z "$ac_cv_prog_STRIP"; then
+ ac_ct_STRIP=$STRIP
+ # Extract the first word of "strip", so it can be a program name with args.
+set dummy strip; ac_word=$2
+echo "$as_me:$LINENO: checking for $ac_word" >&5
+echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6
+if test "${ac_cv_prog_ac_ct_STRIP+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -n "$ac_ct_STRIP"; then
+ ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_STRIP="strip"
+ echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+done
+
+ test -z "$ac_cv_prog_ac_ct_STRIP" && ac_cv_prog_ac_ct_STRIP=":"
+fi
+fi
+ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP
+if test -n "$ac_ct_STRIP"; then
+ echo "$as_me:$LINENO: result: $ac_ct_STRIP" >&5
+echo "${ECHO_T}$ac_ct_STRIP" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ STRIP=$ac_ct_STRIP
+else
+ STRIP="$ac_cv_prog_STRIP"
+fi
+
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+ case $host_os in
+ openbsd*)
+ old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+ ;;
+ *)
+ old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+ ;;
+ esac
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ echo "$as_me:$LINENO: checking for ${ac_tool_prefix}file" >&5
+echo $ECHO_N "checking for ${ac_tool_prefix}file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $MAGIC_CMD in
+[\\/*] | ?:[\\/]*)
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/${ac_tool_prefix}file; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/${ac_tool_prefix}file"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+ if test -n "$ac_tool_prefix"; then
+ echo "$as_me:$LINENO: checking for file" >&5
+echo $ECHO_N "checking for file... $ECHO_C" >&6
+if test "${lt_cv_path_MAGIC_CMD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ case $MAGIC_CMD in
+[\\/*] | ?:[\\/]*)
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ ac_dummy="/usr/bin$PATH_SEPARATOR$PATH"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/file; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/file"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac
+fi
+
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ echo "$as_me:$LINENO: result: $MAGIC_CMD" >&5
+echo "${ECHO_T}$MAGIC_CMD" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+
+ else
+ MAGIC_CMD=:
+ fi
+fi
+
+ fi
+ ;;
+esac
+
+enable_dlopen=no
+enable_win32_dll=no
+
+# Check whether --enable-libtool-lock or --disable-libtool-lock was given.
+if test "${enable_libtool_lock+set}" = set; then
+ enableval="$enable_libtool_lock"
+
+fi;
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+
+# Check whether --with-pic or --without-pic was given.
+if test "${with_pic+set}" = set; then
+ withval="$with_pic"
+ pic_mode="$withval"
+else
+ pic_mode=default
+fi;
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+lt_save_CC="$CC"
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+objext=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+#
+# Check for any special shared library compilation flags.
+#
+lt_prog_cc_shlib=
+if test "$GCC" = no; then
+ case $host_os in
+ sco3.2v5*)
+ lt_prog_cc_shlib='-belf'
+ ;;
+ esac
+fi
+if test -n "$lt_prog_cc_shlib"; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&5
+echo "$as_me: WARNING: \`$CC' requires \`$lt_prog_cc_shlib' to build shared libraries" >&2;}
+ if echo "$old_CC $old_CFLAGS " | grep "[ ]$lt_prog_cc_shlib[ ]" >/dev/null; then :
+ else
+ { echo "$as_me:$LINENO: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&5
+echo "$as_me: WARNING: add \`$lt_prog_cc_shlib' to the CC or CFLAGS env variable and reconfigure" >&2;}
+ lt_cv_prog_cc_can_build_shared=no
+ fi
+fi
+
+
+#
+# Check to make sure the static flag actually works.
+#
+echo "$as_me:$LINENO: checking if $compiler static flag $lt_prog_compiler_static works" >&5
+echo $ECHO_N "checking if $compiler static flag $lt_prog_compiler_static works... $ECHO_C" >&6
+if test "${lt_prog_compiler_static_works+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_static_works=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $lt_prog_compiler_static"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&5
+ else
+ lt_prog_compiler_static_works=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+
+fi
+echo "$as_me:$LINENO: result: $lt_prog_compiler_static_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_static_works" >&6
+
+if test x"$lt_prog_compiler_static_works" = xyes; then
+ :
+else
+ lt_prog_compiler_static=
+fi
+
+
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+
+lt_prog_compiler_no_builtin_flag=
+
+if test "$GCC" = yes; then
+ lt_prog_compiler_no_builtin_flag=' -fno-builtin'
+
+
+echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_rtti_exceptions=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="-fno-rtti -fno-exceptions"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:9326: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:9330: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_cv_prog_compiler_rtti_exceptions=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+ lt_prog_compiler_no_builtin_flag="$lt_prog_compiler_no_builtin_flag -fno-rtti -fno-exceptions"
+else
+ :
+fi
+
+fi
+
+lt_prog_compiler_wl=
+lt_prog_compiler_pic=
+lt_prog_compiler_static=
+
+echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_static='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic='-fno-common'
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static='-Bstatic'
+ else
+ lt_prog_compiler_static='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ linux*)
+ case $CC in
+ icc* | ecc*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-static'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static='-non_shared'
+ ;;
+
+ sco3.2v5*)
+ lt_prog_compiler_pic='-Kpic'
+ lt_prog_compiler_static='-dn'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl='-Qoption ld '
+ lt_prog_compiler_pic='-PIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ lt_prog_compiler_wl='-Wl,'
+ lt_prog_compiler_pic='-KPIC'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic='-Kconform_pic'
+ lt_prog_compiler_static='-Bstatic'
+ fi
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic='-pic'
+ lt_prog_compiler_static='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic" >&6
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic"; then
+
+echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic works... $ECHO_C" >&6
+if test "${lt_prog_compiler_pic_works+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic -DPIC"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:9559: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:9563: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_prog_compiler_pic_works=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works" >&6
+
+if test x"$lt_prog_compiler_pic_works" = xyes; then
+ case $lt_prog_compiler_pic in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic=" $lt_prog_compiler_pic" ;;
+ esac
+else
+ lt_prog_compiler_pic=
+ lt_prog_compiler_can_build_shared=no
+fi
+
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic=
+ ;;
+ *)
+ lt_prog_compiler_pic="$lt_prog_compiler_pic -DPIC"
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_c_o+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:9619: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:9623: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ lt_cv_prog_compiler_c_o=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o" >&6
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+
+ runpath_var=
+ allow_undefined_flag=
+ enable_shared_with_static_runtimes=no
+ archive_cmds=
+ archive_expsym_cmds=
+ old_archive_From_new_cmds=
+ old_archive_from_expsyms_cmds=
+ export_dynamic_flag_spec=
+ whole_archive_flag_spec=
+ thread_safe_flag_spec=
+ hardcode_libdir_flag_spec=
+ hardcode_libdir_flag_spec_ld=
+ hardcode_libdir_separator=
+ hardcode_direct=no
+ hardcode_minus_L=no
+ hardcode_shlibpath_var=unsupported
+ link_all_deplibs=unknown
+ hardcode_automatic=no
+ module_cmds=
+ module_expsym_cmds=
+ always_export_symbols=no
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, ) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec='-L$libdir'
+ allow_undefined_flag=unsupported
+ always_export_symbols=no
+ enable_shared_with_static_runtimes=yes
+ export_symbols_cmds='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris* | sysv5*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ sunos4*)
+ archive_cmds='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_cmds="$tmp_archive_cmds"
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ archive_expsym_cmds="$tmp_archive_cmds"
+ fi
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs" = yes; then
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec=
+ fi
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag=unsupported
+ always_export_symbols=yes
+ archive_expsym_cmds='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L=yes
+ if test "$GCC" = yes && test -z "$link_static_flag"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds=''
+ hardcode_direct=yes
+ hardcode_libdir_separator=':'
+ link_all_deplibs=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.012|aix4.012.*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct=yes
+ else
+ # We have old collect2
+ hardcode_direct=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L=yes
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_libdir_separator=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag="-z nodefs"
+ archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag=' ${wl}-bernotok'
+ allow_undefined_flag=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ always_export_symbols=yes
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec=' '
+ archive_cmds_need_lc=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ archive_expsym_cmds="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs=no
+ ;;
+
+ bsdi4*)
+ export_dynamic_flag_spec=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec=' '
+ allow_undefined_flag=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes=yes
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes ; then
+ archive_cmds_need_lc=no
+ case "$host_os" in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_cmds='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ archive_cmds='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ module_cmds='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ hardcode_direct=no
+ hardcode_automatic=yes
+ hardcode_shlibpath_var=unsupported
+ whole_archive_flag_spec='-all_load $convenience'
+ link_all_deplibs=yes
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_shlibpath_var=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes
+ hardcode_minus_L=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu)
+ archive_cmds='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator=:
+ hardcode_direct=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ export_dynamic_flag_spec='${wl}-E'
+ ;;
+
+ hpux10* | hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ *)
+ archive_cmds='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_flag_spec_ld='+b $libdir'
+ hardcode_libdir_separator=:
+ hardcode_direct=no
+ hardcode_shlibpath_var=no
+ ;;
+ ia64*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_direct=no
+ hardcode_shlibpath_var=no
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ ;;
+ *)
+ hardcode_libdir_flag_spec='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator=:
+ hardcode_direct=yes
+ export_dynamic_flag_spec='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ link_all_deplibs=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ newsos6)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ hardcode_shlibpath_var=no
+ ;;
+
+ openbsd*)
+ hardcode_direct=yes
+ hardcode_shlibpath_var=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-R$libdir'
+ ;;
+ *)
+ archive_cmds='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_minus_L=yes
+ allow_undefined_flag=unsupported
+ archive_cmds='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag=' -expect_unresolved \*'
+ archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag=' -expect_unresolved \*'
+ archive_cmds='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec='-rpath $libdir'
+ fi
+ hardcode_libdir_separator=:
+ ;;
+
+ sco3.2v5*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var=no
+ export_dynamic_flag_spec='${wl}-Bexport'
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ;;
+
+ solaris*)
+ no_undefined_flag=' -z text'
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec='-R$libdir'
+ hardcode_shlibpath_var=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+ whole_archive_flag_spec='-z allextract$convenience -z defaultextract' ;;
+ esac
+ link_all_deplibs=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_direct=yes
+ hardcode_minus_L=yes
+ hardcode_shlibpath_var=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds='$CC -r -o $output$reload_objs'
+ hardcode_direct=no
+ ;;
+ motorola)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var=no
+ export_dynamic_flag_spec='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs=yes
+ fi
+ ;;
+
+ sysv4.2uw2*)
+ archive_cmds='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct=yes
+ hardcode_minus_L=no
+ hardcode_shlibpath_var=no
+ hardcode_runpath_var=yes
+ runpath_var=LD_RUN_PATH
+ ;;
+
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+ no_undefined_flag='${wl}-z ${wl}text'
+ if test "$GCC" = yes; then
+ archive_cmds='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var=no
+ ;;
+
+ sysv5*)
+ no_undefined_flag=' -z text'
+ # $CC -shared without GNU ld will not create a library from C++
+ # object files and a static libstdc++, better avoid it by now
+ archive_cmds='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ hardcode_libdir_flag_spec=
+ hardcode_shlibpath_var=no
+ runpath_var='LD_RUN_PATH'
+ ;;
+
+ uts4*)
+ archive_cmds='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec='-L$libdir'
+ hardcode_shlibpath_var=no
+ ;;
+
+ *)
+ ld_shlibs=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $ld_shlibs" >&5
+echo "${ECHO_T}$ld_shlibs" >&6
+test "$ld_shlibs" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag
+ allow_undefined_flag=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc=no
+ else
+ archive_cmds_need_lc=yes
+ fi
+ allow_undefined_flag=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ echo "$as_me:$LINENO: result: $archive_cmds_need_lc" >&5
+echo "${ECHO_T}$archive_cmds_need_lc" >&6
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.01* | freebsdelf3.01*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+hardcode_action=
+if test -n "$hardcode_libdir_flag_spec" || \
+ test -n "$runpath_var " || \
+ test "X$hardcode_automatic"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, )" != no &&
+ test "$hardcode_minus_L" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action=unsupported
+fi
+echo "$as_me:$LINENO: result: $hardcode_action" >&5
+echo "${ECHO_T}$hardcode_action" >&6
+
+if test "$hardcode_action" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+ ;;
+ *)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ;;
+ esac
+fi
+
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+
+fi
+
+ ;;
+
+ *)
+ echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
+if test "${ac_cv_func_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define shl_load innocuous_shl_load
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char shl_load (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef shl_load
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_shl_load) || defined (__stub___shl_load)
+choke me
+#else
+char (*f) () = shl_load;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != shl_load;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6
+if test $ac_cv_func_shl_load = yes; then
+ lt_cv_dlopen="shl_load"
+else
+ echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+int
+main ()
+{
+shl_load ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
+if test $ac_cv_lib_dld_shl_load = yes; then
+ lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
+else
+ echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+if test "${ac_cv_func_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define dlopen innocuous_dlopen
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char dlopen (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef dlopen
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_dlopen) || defined (__stub___dlopen)
+choke me
+#else
+char (*f) () = dlopen;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != dlopen;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6
+if test $ac_cv_func_dlopen = yes; then
+ lt_cv_dlopen="dlopen"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_svld_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_svld_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
+if test $ac_cv_lib_svld_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+ echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dld_link ();
+int
+main ()
+{
+dld_link ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_dld_link=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_dld_link=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
+if test $ac_cv_lib_dld_dld_link = yes; then
+ lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 11803 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ LDFLAGS="$LDFLAGS $link_static_flag"
+ echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self_static=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 11901 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self_static=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+
+
+# Report which librarie types wil actually be built
+echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
+echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6
+
+echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+
+aix4*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+ darwin* | rhapsody*)
+ if test "$GCC" = yes; then
+ archive_cmds_need_lc=no
+ case "$host_os" in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ output_verbose_link_cmd='echo'
+ archive_cmds='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+ module_cmds='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ archive_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ module_expsym_cmds='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ hardcode_direct=no
+ hardcode_automatic=yes
+ hardcode_shlibpath_var=unsupported
+ whole_archive_flag_spec='-all_load $convenience'
+ link_all_deplibs=yes
+ else
+ ld_shlibs=no
+ fi
+ ;;
+esac
+echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6
+
+echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler \
+ CC \
+ LD \
+ lt_prog_compiler_wl \
+ lt_prog_compiler_pic \
+ lt_prog_compiler_static \
+ lt_prog_compiler_no_builtin_flag \
+ export_dynamic_flag_spec \
+ thread_safe_flag_spec \
+ whole_archive_flag_spec \
+ enable_shared_with_static_runtimes \
+ old_archive_cmds \
+ old_archive_from_new_cmds \
+ predep_objects \
+ postdep_objects \
+ predeps \
+ postdeps \
+ compiler_lib_search_path \
+ archive_cmds \
+ archive_expsym_cmds \
+ postinstall_cmds \
+ postuninstall_cmds \
+ old_archive_from_expsyms_cmds \
+ allow_undefined_flag \
+ no_undefined_flag \
+ export_symbols_cmds \
+ hardcode_libdir_flag_spec \
+ hardcode_libdir_flag_spec_ld \
+ hardcode_libdir_separator \
+ hardcode_automatic \
+ module_cmds \
+ module_expsym_cmds \
+ lt_cv_prog_compiler_c_o \
+ exclude_expsyms \
+ include_expsyms; do
+
+ case $var in
+ old_archive_cmds | \
+ old_archive_from_new_cmds | \
+ archive_cmds | \
+ archive_expsym_cmds | \
+ module_cmds | \
+ module_expsym_cmds | \
+ old_archive_from_expsyms_cmds | \
+ export_symbols_cmds | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="${ofile}T"
+ trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+ $rm -f "$cfgfile"
+ { echo "$as_me:$LINENO: creating $ofile" >&5
+echo "$as_me: creating $ofile" >&6;}
+
+ cat <<__EOF__ >> "$cfgfile"
+#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_compiler
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds
+archive_expsym_cmds=$lt_archive_expsym_cmds
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds
+module_expsym_cmds=$lt_module_expsym_cmds
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms
+
+# ### END LIBTOOL CONFIG
+
+__EOF__
+
+
+ case $host_os in
+ aix3*)
+ cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program. For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+fi
+EOF
+ ;;
+ esac
+
+ # We use sed instead of cat because bash on DJGPP gets confused if
+ # if finds mixed CR/LF and LF-only lines. Since sed operates in
+ # text mode, it properly converts lines to CR/LF. This bash problem
+ # is reportedly fixed, but why not run on old versions too?
+ sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+ mv -f "$cfgfile" "$ofile" || \
+ (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+ chmod +x "$ofile"
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+
+# Check whether --with-tags or --without-tags was given.
+if test "${with_tags+set}" = set; then
+ withval="$with_tags"
+ tagnames="$withval"
+fi;
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+ if test ! -f "${ofile}"; then
+ { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not exist" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not exist" >&2;}
+ fi
+
+ if test -z "$LTCC"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+ if test -z "$LTCC"; then
+ { echo "$as_me:$LINENO: WARNING: output file \`$ofile' does not look like a libtool script" >&5
+echo "$as_me: WARNING: output file \`$ofile' does not look like a libtool script" >&2;}
+ else
+ { echo "$as_me:$LINENO: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&5
+echo "$as_me: WARNING: using \`LTCC=$LTCC', extracted from \`$ofile'" >&2;}
+ fi
+ fi
+
+ # Extract list of available tagged configurations in $ofile.
+ # Note that this assumes the entire list is on one line.
+ available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for tagname in $tagnames; do
+ IFS="$lt_save_ifs"
+ # Check whether tagname contains only valid characters
+ case `$echo "X$tagname" | $Xsed -e 's:[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]::g'` in
+ "") ;;
+ *) { { echo "$as_me:$LINENO: error: invalid tag name: $tagname" >&5
+echo "$as_me: error: invalid tag name: $tagname" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+ then
+ { { echo "$as_me:$LINENO: error: tag name \"$tagname\" already exists" >&5
+echo "$as_me: error: tag name \"$tagname\" already exists" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+
+ # Update the list of available tags.
+ if test -n "$tagname"; then
+ echo appending configuration tag \"$tagname\" to $ofile
+
+ case $tagname in
+ CXX)
+ if test -n "$CXX" && test "X$CXX" != "Xno"; then
+ ac_ext=cc
+ac_cpp='$CXXCPP $CPPFLAGS'
+ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_cxx_compiler_gnu
+
+
+
+
+archive_cmds_need_lc_CXX=no
+allow_undefined_flag_CXX=
+always_export_symbols_CXX=no
+archive_expsym_cmds_CXX=
+export_dynamic_flag_spec_CXX=
+hardcode_direct_CXX=no
+hardcode_libdir_flag_spec_CXX=
+hardcode_libdir_flag_spec_ld_CXX=
+hardcode_libdir_separator_CXX=
+hardcode_minus_L_CXX=no
+hardcode_automatic_CXX=no
+module_cmds_CXX=
+module_expsym_cmds_CXX=
+link_all_deplibs_CXX=unknown
+old_archive_cmds_CXX=$old_archive_cmds
+no_undefined_flag_CXX=
+whole_archive_flag_spec_CXX=
+enable_shared_with_static_runtimes_CXX=no
+
+# Dependencies to place before and after the object being linked:
+predep_objects_CXX=
+postdep_objects_CXX=
+predeps_CXX=
+postdeps_CXX=
+compiler_lib_search_path_CXX=
+
+# Source file extension for C++ test sources.
+ac_ext=cc
+
+# Object file extension for compiled C++ test sources.
+objext=o
+objext_CXX=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+ lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+ unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+ lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+ unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+compiler_CXX=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+ lt_prog_compiler_no_builtin_flag_CXX=' -fno-builtin'
+else
+ lt_prog_compiler_no_builtin_flag_CXX=
+fi
+
+if test "$GXX" = yes; then
+ # Set up default GNU C++ configuration
+
+
+# Check whether --with-gnu-ld or --without-gnu-ld was given.
+if test "${with_gnu_ld+set}" = set; then
+ withval="$with_gnu_ld"
+ test "$withval" = no || with_gnu_ld=yes
+else
+ with_gnu_ld=no
+fi;
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ echo "$as_me:$LINENO: checking for ld used by $CC" >&5
+echo $ECHO_N "checking for ld used by $CC... $ECHO_C" >&6
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [\\/]* | ?:[\\/]*)
+ re_direlt='/[^/][^/]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ echo "$as_me:$LINENO: checking for GNU ld" >&5
+echo $ECHO_N "checking for GNU ld... $ECHO_C" >&6
+else
+ echo "$as_me:$LINENO: checking for non-GNU ld" >&5
+echo $ECHO_N "checking for non-GNU ld... $ECHO_C" >&6
+fi
+if test "${lt_cv_path_LD+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some GNU ld's only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi
+fi
+
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ echo "$as_me:$LINENO: result: $LD" >&5
+echo "${ECHO_T}$LD" >&6
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+test -z "$LD" && { { echo "$as_me:$LINENO: error: no acceptable ld found in \$PATH" >&5
+echo "$as_me: error: no acceptable ld found in \$PATH" >&2;}
+ { (exit 1); exit 1; }; }
+echo "$as_me:$LINENO: checking if the linker ($LD) is GNU ld" >&5
+echo $ECHO_N "checking if the linker ($LD) is GNU ld... $ECHO_C" >&6
+if test "${lt_cv_prog_gnu_ld+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ # I'd rather use --version here, but apparently some GNU ld's only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_gnu_ld" >&5
+echo "${ECHO_T}$lt_cv_prog_gnu_ld" >&6
+with_gnu_ld=$lt_cv_prog_gnu_ld
+
+
+
+ # Check if GNU C++ uses GNU ld as the underlying linker, since the
+ # archiving commands below assume that GNU ld is being used.
+ if test "$with_gnu_ld" = yes; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+ # investigate it a little bit more. (MM)
+ wlarc='${wl}'
+
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+ grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_CXX="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_CXX=
+ fi
+ else
+ with_gnu_ld=no
+ wlarc=
+
+ # A generic and very simple default shared library creation
+ # command for GNU C++ for the case where it uses the native
+ # linker, instead of GNU ld. If possible, this setting should
+ # overridden to take advantage of the native linker features on
+ # the platform it is being used on.
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ fi
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+ GXX=no
+ with_gnu_ld=no
+ wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+ld_shlibs_CXX=yes
+case $host_os in
+ aix3*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ case $ld_flag in
+ *-brtl*)
+ aix_use_runtimelinking=yes
+ break
+ ;;
+ esac
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_CXX=''
+ hardcode_direct_CXX=yes
+ hardcode_libdir_separator_CXX=':'
+ link_all_deplibs_CXX=yes
+
+ if test "$GXX" = yes; then
+ case $host_os in aix4.012|aix4.012.*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_CXX=yes
+ else
+ # We have old collect2
+ hardcode_direct_CXX=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_CXX=yes
+ hardcode_libdir_flag_spec_CXX='-L$libdir'
+ hardcode_libdir_separator_CXX=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_CXX=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_CXX='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+ archive_expsym_cmds_CXX="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_CXX='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_CXX="-z nodefs"
+ archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_CXX=' ${wl}-bernotok'
+ allow_undefined_flag_CXX=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ always_export_symbols_CXX=yes
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_CXX=' '
+ archive_cmds_need_lc_CXX=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ archive_expsym_cmds_CXX="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, CXX) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_CXX='-L$libdir'
+ allow_undefined_flag_CXX=unsupported
+ always_export_symbols_CXX=no
+ enable_shared_with_static_runtimes_CXX=yes
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_CXX='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs_CXX=no
+ fi
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes; then
+ archive_cmds_need_lc_CXX=no
+ case "$host_os" in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_CXX='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_CXX='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_CXX='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_cmds_CXX='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ archive_cmds_CXX='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ module_cmds_CXX='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ archive_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ module_expsym_cmds_CXX='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ hardcode_direct_CXX=no
+ hardcode_automatic_CXX=yes
+ hardcode_shlibpath_var_CXX=unsupported
+ whole_archive_flag_spec_CXX='-all_load $convenience'
+ link_all_deplibs_CXX=yes
+ else
+ ld_shlibs_CXX=no
+ fi
+ ;;
+
+ dgux*)
+ case $cc_basename in
+ ec++)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ freebsd12*)
+ # C++ shared libraries reported to be fairly broken before switch to ELF
+ ld_shlibs_CXX=no
+ ;;
+ freebsd-elf*)
+ archive_cmds_need_lc_CXX=no
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+ # conventions
+ ld_shlibs_CXX=yes
+ ;;
+ gnu*)
+ ;;
+ hpux9*)
+ hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ hardcode_direct_CXX=yes
+ hardcode_minus_L_CXX=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aCC)
+ archive_cmds_CXX='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ archive_cmds_CXX='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ hpux10*|hpux11*)
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+ hardcode_libdir_flag_spec_ld_CXX='+b $libdir'
+ hardcode_libdir_separator_CXX=:
+ ;;
+ ia64*)
+ hardcode_libdir_flag_spec_CXX='-L$libdir'
+ ;;
+ *)
+ hardcode_libdir_flag_spec_CXX='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+ export_dynamic_flag_spec_CXX='${wl}-E'
+ ;;
+ esac
+ fi
+ case "$host_cpu" in
+ hppa*64*)
+ hardcode_direct_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ ;;
+ ia64*)
+ hardcode_direct_CXX=no
+ hardcode_shlibpath_var_CXX=no
+ hardcode_minus_L_CXX=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ *)
+ hardcode_direct_CXX=yes
+ hardcode_minus_L_CXX=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ esac
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ aCC)
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ ia64*|hppa*64*)
+ archive_cmds_CXX='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ archive_cmds_CXX='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ fi
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ irix5* | irix6*)
+ case $cc_basename in
+ CC)
+ # SGI C++
+ archive_cmds_CXX='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ # Archives containing C++ object files must be created using
+ # "CC -ar", where "CC" is the IRIX C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ old_archive_cmds_CXX='$CC -ar -WR,-u -o $oldlib $oldobjs'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test "$with_gnu_ld" = no; then
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+ else
+ archive_cmds_CXX='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+ fi
+ fi
+ link_all_deplibs_CXX=yes
+ ;;
+ esac
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+ archive_expsym_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ hardcode_libdir_flag_spec_CXX='${wl}--rpath,$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+ ;;
+ icpc)
+ # Intel C++
+ with_gnu_ld=yes
+ archive_cmds_need_lc_CXX=no
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_CXX='${wl}--export-dynamic'
+ whole_archive_flag_spec_CXX='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ ;;
+ cxx)
+ # Compaq C++
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ esac
+ ;;
+ lynxos*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ m88k*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_CXX='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+ wlarc=
+ hardcode_libdir_flag_spec_CXX='-R$libdir'
+ hardcode_direct_CXX=yes
+ hardcode_shlibpath_var_CXX=no
+ fi
+ # Workaround some broken pre-1.5 toolchains
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+ ;;
+ osf3*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -Bstatic -o $oldlib $oldobjs'
+
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ cxx)
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ archive_cmds_CXX='tempext=`echo $shared_ext | $SED -e '\''s/\([^()0-9A-Za-z{}]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath,$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Archives containing C++ object files must be created using
+ # the KAI C++ compiler.
+ old_archive_cmds_CXX='$CC -o $oldlib $oldobjs'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ cxx)
+ allow_undefined_flag_CXX=' -expect_unresolved \*'
+ archive_cmds_CXX='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+ archive_expsym_cmds_CXX='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+ echo "-hidden">> $lib.exp~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~
+ $rm $lib.exp'
+
+ hardcode_libdir_flag_spec_CXX='-rpath $libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ allow_undefined_flag_CXX=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_CXX='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ hardcode_libdir_flag_spec_CXX='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_CXX=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ fi
+ ;;
+ esac
+ ;;
+ psos*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ sco*)
+ archive_cmds_need_lc_CXX=no
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ lcc)
+ # Lucid
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ no_undefined_flag_CXX=' -zdefs'
+ archive_cmds_CXX='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ hardcode_libdir_flag_spec_CXX='-R$libdir'
+ hardcode_shlibpath_var_CXX=no
+ case $host_os in
+ solaris2.0-5 | solaris2.0-5.*) ;;
+ *)
+ # The C++ compiler is used as linker so we must use $wl
+ # flag to pass the commands to the underlying system
+ # linker.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ whole_archive_flag_spec_CXX='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+ ;;
+ esac
+ link_all_deplibs_CXX=yes
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[LR]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ # Archives containing C++ object files must be created using
+ # "CC -xar", where "CC" is the Sun C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ old_archive_cmds_CXX='$CC -xar -o $oldlib $oldobjs'
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ archive_cmds_CXX='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+ # The C++ compiler must be used to create the archive.
+ old_archive_cmds_CXX='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+ ;;
+ *)
+ # GNU C++ compiler with Solaris linker
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ no_undefined_flag_CXX=' ${wl}-z ${wl}defs'
+ if $CC --version | grep -v '^2\.7' > /dev/null; then
+ archive_cmds_CXX='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ else
+ # g++ 2.7 appears to require `-G' NOT `-shared' on this
+ # platform.
+ archive_cmds_CXX='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ archive_expsym_cmds_CXX='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ fi
+
+ hardcode_libdir_flag_spec_CXX='${wl}-R $wl$libdir'
+ fi
+ ;;
+ esac
+ ;;
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+ archive_cmds_need_lc_CXX=no
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ esac
+ ;;
+ vxworks*)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ ld_shlibs_CXX=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+GCC_CXX="$GXX"
+LD_CXX="$LD"
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+
+cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+ Foo (void) { a = 0; }
+private:
+ int a;
+};
+EOF
+
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; then
+ # Parse the compiler output and extract the necessary
+ # objects, libraries and library flags.
+
+ # Sentinel used to keep track of whether or not we are before
+ # the conftest object file.
+ pre_test_object_deps_done=no
+
+ # The `*' in the case matches for architectures that use `case' in
+ # $output_verbose_cmd can trigger glob expansion during the loop
+ # eval without this substitution.
+ output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+
+ for p in `eval $output_verbose_link_cmd`; do
+ case $p in
+
+ -L* | -R* | -l*)
+ # Some compilers place space between "-{L,R}" and the path.
+ # Remove the space.
+ if test $p = "-L" \
+ || test $p = "-R"; then
+ prev=$p
+ continue
+ else
+ prev=
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ case $p in
+ -L* | -R*)
+ # Internal compiler library paths should come after those
+ # provided the user. The postdeps already come after the
+ # user supplied libs so there is no need to process them.
+ if test -z "$compiler_lib_search_path_CXX"; then
+ compiler_lib_search_path_CXX="${prev}${p}"
+ else
+ compiler_lib_search_path_CXX="${compiler_lib_search_path_CXX} ${prev}${p}"
+ fi
+ ;;
+ # The "-l" case would never come before the object being
+ # linked, so don't bother handling this case.
+ esac
+ else
+ if test -z "$postdeps_CXX"; then
+ postdeps_CXX="${prev}${p}"
+ else
+ postdeps_CXX="${postdeps_CXX} ${prev}${p}"
+ fi
+ fi
+ ;;
+
+ *.$objext)
+ # This assumes that the test object file only shows up
+ # once in the compiler output.
+ if test "$p" = "conftest.$objext"; then
+ pre_test_object_deps_done=yes
+ continue
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ if test -z "$predep_objects_CXX"; then
+ predep_objects_CXX="$p"
+ else
+ predep_objects_CXX="$predep_objects_CXX $p"
+ fi
+ else
+ if test -z "$postdep_objects_CXX"; then
+ postdep_objects_CXX="$p"
+ else
+ postdep_objects_CXX="$postdep_objects_CXX $p"
+ fi
+ fi
+ ;;
+
+ *) ;; # Ignore the rest.
+
+ esac
+ done
+
+ # Clean up.
+ rm -f a.out a.exe
+else
+ echo "libtool.m4: error: problem compiling CXX test program"
+fi
+
+$rm -f confest.$objext
+
+case " $postdeps_CXX " in
+*" -lc "*) archive_cmds_need_lc_CXX=no ;;
+esac
+
+lt_prog_compiler_wl_CXX=
+lt_prog_compiler_pic_CXX=
+lt_prog_compiler_static_CXX=
+
+echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+
+ # C++ specific cases for pic, static, wl, etc.
+ if test "$GXX" = yes; then
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_CXX='-Bstatic'
+ fi
+ ;;
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_CXX='-m68020 -resident32 -malways-restore-a4'
+ ;;
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+ mingw* | os2* | pw32*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_CXX='-DDLL_EXPORT'
+ ;;
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_CXX='-fno-common'
+ ;;
+ *djgpp*)
+ # DJGPP does not support shared libraries at all
+ lt_prog_compiler_pic_CXX=
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_CXX=-Kconform_pic
+ fi
+ ;;
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ esac
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ esac
+ else
+ case $host_os in
+ aix4* | aix5*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_CXX='-Bstatic'
+ else
+ lt_prog_compiler_static_CXX='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ cxch68)
+ # Green Hills C++ Compiler
+ # _LT_AC_TAGVAR(lt_prog_compiler_static, CXX)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+ ;;
+ esac
+ ;;
+ dgux*)
+ case $cc_basename in
+ ec++)
+ lt_prog_compiler_pic_CXX='-KPIC'
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD uses GNU C++
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case $cc_basename in
+ CC)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ if test "$host_cpu" != ia64; then
+ lt_prog_compiler_pic_CXX='+Z'
+ fi
+ ;;
+ aCC)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX='+Z'
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case $cc_basename in
+ CC)
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_static_CXX='-non_shared'
+ # CC pic flag -KPIC is the default.
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # KAI C++ Compiler
+ lt_prog_compiler_wl_CXX='--backend -Wl,'
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ icpc)
+ # Intel C++
+ lt_prog_compiler_wl_CXX='-Wl,'
+ lt_prog_compiler_pic_CXX='-KPIC'
+ lt_prog_compiler_static_CXX='-static'
+ ;;
+ cxx)
+ # Compaq C++
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_static_CXX='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ lynxos*)
+ ;;
+ m88k*)
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ lt_prog_compiler_pic_CXX='-W c,exportall'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ netbsd*)
+ ;;
+ osf3* | osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ lt_prog_compiler_wl_CXX='--backend -Wl,'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ cxx)
+ # Digital/Compaq C++
+ lt_prog_compiler_wl_CXX='-Wl,'
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_static_CXX='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ psos*)
+ ;;
+ sco*)
+ case $cc_basename in
+ CC)
+ lt_prog_compiler_pic_CXX='-fPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ lt_prog_compiler_pic_CXX='-KPIC'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ lt_prog_compiler_wl_CXX='-Qoption ld '
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ lt_prog_compiler_pic_CXX='-PIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ lt_prog_compiler_pic_CXX='-pic'
+ lt_prog_compiler_static_CXX='-Bstatic'
+ ;;
+ lcc)
+ # Lucid
+ lt_prog_compiler_pic_CXX='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ lt_prog_compiler_pic_CXX='-KPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ unixware*)
+ ;;
+ vxworks*)
+ ;;
+ *)
+ lt_prog_compiler_can_build_shared_CXX=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_CXX" >&6
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_CXX"; then
+
+echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_CXX works... $ECHO_C" >&6
+if test "${lt_prog_compiler_pic_works_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_CXX=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_CXX -DPIC"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:14084: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:14088: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_prog_compiler_pic_works_CXX=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_CXX" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_CXX" >&6
+
+if test x"$lt_prog_compiler_pic_works_CXX" = xyes; then
+ case $lt_prog_compiler_pic_CXX in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_CXX=" $lt_prog_compiler_pic_CXX" ;;
+ esac
+else
+ lt_prog_compiler_pic_CXX=
+ lt_prog_compiler_can_build_shared_CXX=no
+fi
+
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_CXX=
+ ;;
+ *)
+ lt_prog_compiler_pic_CXX="$lt_prog_compiler_pic_CXX -DPIC"
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_c_o_CXX+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_CXX=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:14144: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:14148: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ lt_cv_prog_compiler_c_o_CXX=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_CXX" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_CXX" >&6
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_CXX" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ case $host_os in
+ aix4* | aix5*)
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_CXX='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_CXX='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ ;;
+ pw32*)
+ export_symbols_cmds_CXX="$ltdll_cmds"
+ ;;
+ cygwin* | mingw*)
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ *)
+ export_symbols_cmds_CXX='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ esac
+
+echo "$as_me:$LINENO: result: $ld_shlibs_CXX" >&5
+echo "${ECHO_T}$ld_shlibs_CXX" >&6
+test "$ld_shlibs_CXX" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_CXX" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_CXX=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_CXX in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_CXX
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_CXX
+ allow_undefined_flag_CXX=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_CXX 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_CXX=no
+ else
+ archive_cmds_need_lc_CXX=yes
+ fi
+ allow_undefined_flag_CXX=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ echo "$as_me:$LINENO: result: $archive_cmds_need_lc_CXX" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_CXX" >&6
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.01* | freebsdelf3.01*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+hardcode_action_CXX=
+if test -n "$hardcode_libdir_flag_spec_CXX" || \
+ test -n "$runpath_var CXX" || \
+ test "X$hardcode_automatic_CXX"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_CXX" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, CXX)" != no &&
+ test "$hardcode_minus_L_CXX" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_CXX=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_CXX=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_CXX=unsupported
+fi
+echo "$as_me:$LINENO: result: $hardcode_action_CXX" >&5
+echo "${ECHO_T}$hardcode_action_CXX" >&6
+
+if test "$hardcode_action_CXX" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+ ;;
+ *)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ;;
+ esac
+fi
+
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+
+fi
+
+ ;;
+
+ *)
+ echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
+if test "${ac_cv_func_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define shl_load innocuous_shl_load
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char shl_load (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef shl_load
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_shl_load) || defined (__stub___shl_load)
+choke me
+#else
+char (*f) () = shl_load;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != shl_load;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6
+if test $ac_cv_func_shl_load = yes; then
+ lt_cv_dlopen="shl_load"
+else
+ echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+int
+main ()
+{
+shl_load ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
+if test $ac_cv_lib_dld_shl_load = yes; then
+ lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
+else
+ echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+if test "${ac_cv_func_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define dlopen innocuous_dlopen
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char dlopen (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef dlopen
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_dlopen) || defined (__stub___dlopen)
+choke me
+#else
+char (*f) () = dlopen;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != dlopen;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6
+if test $ac_cv_func_dlopen = yes; then
+ lt_cv_dlopen="dlopen"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_svld_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_svld_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
+if test $ac_cv_lib_svld_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+ echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dld_link ();
+int
+main ()
+{
+dld_link ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_cxx_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_dld_link=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_dld_link=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
+if test $ac_cv_lib_dld_dld_link = yes; then
+ lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 15505 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ LDFLAGS="$LDFLAGS $link_static_flag"
+ echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self_static=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 15603 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self_static=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_CXX \
+ CC_CXX \
+ LD_CXX \
+ lt_prog_compiler_wl_CXX \
+ lt_prog_compiler_pic_CXX \
+ lt_prog_compiler_static_CXX \
+ lt_prog_compiler_no_builtin_flag_CXX \
+ export_dynamic_flag_spec_CXX \
+ thread_safe_flag_spec_CXX \
+ whole_archive_flag_spec_CXX \
+ enable_shared_with_static_runtimes_CXX \
+ old_archive_cmds_CXX \
+ old_archive_from_new_cmds_CXX \
+ predep_objects_CXX \
+ postdep_objects_CXX \
+ predeps_CXX \
+ postdeps_CXX \
+ compiler_lib_search_path_CXX \
+ archive_cmds_CXX \
+ archive_expsym_cmds_CXX \
+ postinstall_cmds_CXX \
+ postuninstall_cmds_CXX \
+ old_archive_from_expsyms_cmds_CXX \
+ allow_undefined_flag_CXX \
+ no_undefined_flag_CXX \
+ export_symbols_cmds_CXX \
+ hardcode_libdir_flag_spec_CXX \
+ hardcode_libdir_flag_spec_ld_CXX \
+ hardcode_libdir_separator_CXX \
+ hardcode_automatic_CXX \
+ module_cmds_CXX \
+ module_expsym_cmds_CXX \
+ lt_cv_prog_compiler_c_o_CXX \
+ exclude_expsyms_CXX \
+ include_expsyms_CXX; do
+
+ case $var in
+ old_archive_cmds_CXX | \
+ old_archive_from_new_cmds_CXX | \
+ archive_cmds_CXX | \
+ archive_expsym_cmds_CXX | \
+ module_cmds_CXX | \
+ module_expsym_cmds_CXX | \
+ old_archive_from_expsyms_cmds_CXX | \
+ export_symbols_cmds_CXX | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_CXX
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_CXX
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_compiler_CXX
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_CXX
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_CXX
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_CXX
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_CXX
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_CXX
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_CXX
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_CXX
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_CXX
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_CXX
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_CXX
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_CXX
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_CXX
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_CXX
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_CXX
+archive_expsym_cmds=$lt_archive_expsym_cmds_CXX
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_CXX
+module_expsym_cmds=$lt_module_expsym_cmds_CXX
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_CXX
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_CXX
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_CXX
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_CXX
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_CXX
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_CXX
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_CXX
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_CXX
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_CXX
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_CXX
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_CXX
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_CXX
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_CXX
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_CXX
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_CXX
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_CXX"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_CXX
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_CXX
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_CXX
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_CXX
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ F77)
+ if test -n "$F77" && test "X$F77" != "Xno"; then
+
+ac_ext=f
+ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5'
+ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_f77_compiler_gnu
+
+
+archive_cmds_need_lc_F77=no
+allow_undefined_flag_F77=
+always_export_symbols_F77=no
+archive_expsym_cmds_F77=
+export_dynamic_flag_spec_F77=
+hardcode_direct_F77=no
+hardcode_libdir_flag_spec_F77=
+hardcode_libdir_flag_spec_ld_F77=
+hardcode_libdir_separator_F77=
+hardcode_minus_L_F77=no
+hardcode_automatic_F77=no
+module_cmds_F77=
+module_expsym_cmds_F77=
+link_all_deplibs_F77=unknown
+old_archive_cmds_F77=$old_archive_cmds
+no_undefined_flag_F77=
+whole_archive_flag_spec_F77=
+enable_shared_with_static_runtimes_F77=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+objext_F77=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code=" subroutine t\n return\n end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=" program t\n end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+compiler_F77=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+echo "$as_me:$LINENO: checking if libtool supports shared libraries" >&5
+echo $ECHO_N "checking if libtool supports shared libraries... $ECHO_C" >&6
+echo "$as_me:$LINENO: result: $can_build_shared" >&5
+echo "${ECHO_T}$can_build_shared" >&6
+
+echo "$as_me:$LINENO: checking whether to build shared libraries" >&5
+echo $ECHO_N "checking whether to build shared libraries... $ECHO_C" >&6
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+aix4*)
+ test "$enable_shared" = yes && enable_static=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $enable_shared" >&5
+echo "${ECHO_T}$enable_shared" >&6
+
+echo "$as_me:$LINENO: checking whether to build static libraries" >&5
+echo $ECHO_N "checking whether to build static libraries... $ECHO_C" >&6
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+echo "$as_me:$LINENO: result: $enable_static" >&5
+echo "${ECHO_T}$enable_static" >&6
+
+test "$ld_shlibs_F77" = no && can_build_shared=no
+
+GCC_F77="$G77"
+LD_F77="$LD"
+
+lt_prog_compiler_wl_F77=
+lt_prog_compiler_pic_F77=
+lt_prog_compiler_static_F77=
+
+echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_static_F77='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_F77='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_F77='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_F77='-fno-common'
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared_F77=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_F77=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_F77='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic_F77='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_F77='-Bstatic'
+ else
+ lt_prog_compiler_static_F77='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_F77='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_F77='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static_F77='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ linux*)
+ case $CC in
+ icc* | ecc*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-static'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static_F77='-non_shared'
+ ;;
+
+ sco3.2v5*)
+ lt_prog_compiler_pic_F77='-Kpic'
+ lt_prog_compiler_static_F77='-dn'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl_F77='-Qoption ld '
+ lt_prog_compiler_pic_F77='-PIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ lt_prog_compiler_wl_F77='-Wl,'
+ lt_prog_compiler_pic_F77='-KPIC'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic_F77='-Kconform_pic'
+ lt_prog_compiler_static_F77='-Bstatic'
+ fi
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic_F77='-pic'
+ lt_prog_compiler_static_F77='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared_F77=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_F77" >&6
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_F77"; then
+
+echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_F77 works... $ECHO_C" >&6
+if test "${lt_prog_compiler_pic_works_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_F77=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_F77"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:16430: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:16434: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_prog_compiler_pic_works_F77=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_F77" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_F77" >&6
+
+if test x"$lt_prog_compiler_pic_works_F77" = xyes; then
+ case $lt_prog_compiler_pic_F77 in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_F77=" $lt_prog_compiler_pic_F77" ;;
+ esac
+else
+ lt_prog_compiler_pic_F77=
+ lt_prog_compiler_can_build_shared_F77=no
+fi
+
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_F77=
+ ;;
+ *)
+ lt_prog_compiler_pic_F77="$lt_prog_compiler_pic_F77"
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_c_o_F77+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_F77=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:16490: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:16494: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ lt_cv_prog_compiler_c_o_F77=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_F77" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_F77" >&6
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_F77" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+
+ runpath_var=
+ allow_undefined_flag_F77=
+ enable_shared_with_static_runtimes_F77=no
+ archive_cmds_F77=
+ archive_expsym_cmds_F77=
+ old_archive_From_new_cmds_F77=
+ old_archive_from_expsyms_cmds_F77=
+ export_dynamic_flag_spec_F77=
+ whole_archive_flag_spec_F77=
+ thread_safe_flag_spec_F77=
+ hardcode_libdir_flag_spec_F77=
+ hardcode_libdir_flag_spec_ld_F77=
+ hardcode_libdir_separator_F77=
+ hardcode_direct_F77=no
+ hardcode_minus_L_F77=no
+ hardcode_shlibpath_var_F77=unsupported
+ link_all_deplibs_F77=unknown
+ hardcode_automatic_F77=no
+ module_cmds_F77=
+ module_expsym_cmds_F77=
+ always_export_symbols_F77=no
+ export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms_F77=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms_F77="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs_F77=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs_F77=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs_F77=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag_F77=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds_F77='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, F77) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ allow_undefined_flag_F77=unsupported
+ always_export_symbols_F77=no
+ enable_shared_with_static_runtimes_F77=yes
+ export_symbols_cmds_F77='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_F77='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_F77='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris* | sysv5*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs_F77=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ sunos4*)
+ archive_cmds_F77='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_cmds_F77="$tmp_archive_cmds"
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds_F77='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ archive_expsym_cmds_F77="$tmp_archive_cmds"
+ fi
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs_F77" = yes; then
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_F77='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_F77='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_F77="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_F77=
+ fi
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag_F77=unsupported
+ always_export_symbols_F77=yes
+ archive_expsym_cmds_F77='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L_F77=yes
+ if test "$GCC" = yes && test -z "$link_static_flag"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct_F77=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_F77='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_F77='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_F77=''
+ hardcode_direct_F77=yes
+ hardcode_libdir_separator_F77=':'
+ link_all_deplibs_F77=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.012|aix4.012.*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_F77=yes
+ else
+ # We have old collect2
+ hardcode_direct_F77=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_F77=yes
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_libdir_separator_F77=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_F77=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_F77='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_f77_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds_F77="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_F77='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_F77="-z nodefs"
+ archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+ program main
+
+ end
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_f77_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_F77='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_F77=' ${wl}-bernotok'
+ allow_undefined_flag_F77=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ always_export_symbols_F77=yes
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_F77=' '
+ archive_cmds_need_lc_F77=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ archive_expsym_cmds_F77="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_F77='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs_F77=no
+ ;;
+
+ bsdi4*)
+ export_dynamic_flag_spec_F77=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec_F77=' '
+ allow_undefined_flag_F77=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds_F77='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds_F77='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds_F77='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes_F77=yes
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes ; then
+ archive_cmds_need_lc_F77=no
+ case "$host_os" in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_F77='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_F77='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_F77='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_cmds_F77='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ archive_cmds_F77='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ module_cmds_F77='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ archive_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ module_expsym_cmds_F77='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ hardcode_direct_F77=no
+ hardcode_automatic_F77=yes
+ hardcode_shlibpath_var_F77=unsupported
+ whole_archive_flag_spec_F77='-all_load $convenience'
+ link_all_deplibs_F77=yes
+ else
+ ld_shlibs_F77=no
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs_F77=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes
+ hardcode_minus_L_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu)
+ archive_cmds_F77='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds_F77='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_direct_F77=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-E'
+ ;;
+
+ hpux10* | hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds_F77='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_F77='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds_F77='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ *)
+ archive_cmds_F77='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_flag_spec_ld_F77='+b $libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_direct_F77=no
+ hardcode_shlibpath_var_F77=no
+ ;;
+ ia64*)
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_direct_F77=no
+ hardcode_shlibpath_var_F77=no
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ ;;
+ *)
+ hardcode_libdir_flag_spec_F77='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_direct_F77=yes
+ export_dynamic_flag_spec_F77='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_F77=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds_F77='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld_F77='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ link_all_deplibs_F77=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds_F77='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ newsos6)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ openbsd*)
+ hardcode_direct_F77=yes
+ hardcode_shlibpath_var_F77=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_F77='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds_F77='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ ;;
+ *)
+ archive_cmds_F77='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_minus_L_F77=yes
+ allow_undefined_flag_F77=unsupported
+ archive_cmds_F77='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds_F77='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag_F77=' -expect_unresolved \*'
+ archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_F77=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag_F77=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_F77='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_F77='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag_F77=' -expect_unresolved \*'
+ archive_cmds_F77='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds_F77='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec_F77='-rpath $libdir'
+ fi
+ hardcode_libdir_separator_F77=:
+ ;;
+
+ sco3.2v5*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_F77=no
+ export_dynamic_flag_spec_F77='${wl}-Bexport'
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ;;
+
+ solaris*)
+ no_undefined_flag_F77=' -z text'
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec_F77='-R$libdir'
+ hardcode_shlibpath_var_F77=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+ whole_archive_flag_spec_F77='-z allextract$convenience -z defaultextract' ;;
+ esac
+ link_all_deplibs_F77=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds_F77='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_direct_F77=yes
+ hardcode_minus_L_F77=yes
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds_F77='$CC -r -o $output$reload_objs'
+ hardcode_direct_F77=no
+ ;;
+ motorola)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_F77=no
+ export_dynamic_flag_spec_F77='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_F77=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs_F77=yes
+ fi
+ ;;
+
+ sysv4.2uw2*)
+ archive_cmds_F77='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_F77=yes
+ hardcode_minus_L_F77=no
+ hardcode_shlibpath_var_F77=no
+ hardcode_runpath_var=yes
+ runpath_var=LD_RUN_PATH
+ ;;
+
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+ no_undefined_flag_F77='${wl}-z ${wl}text'
+ if test "$GCC" = yes; then
+ archive_cmds_F77='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_F77='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ sysv5*)
+ no_undefined_flag_F77=' -z text'
+ # $CC -shared without GNU ld will not create a library from C++
+ # object files and a static libstdc++, better avoid it by now
+ archive_cmds_F77='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_F77='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ hardcode_libdir_flag_spec_F77=
+ hardcode_shlibpath_var_F77=no
+ runpath_var='LD_RUN_PATH'
+ ;;
+
+ uts4*)
+ archive_cmds_F77='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_F77='-L$libdir'
+ hardcode_shlibpath_var_F77=no
+ ;;
+
+ *)
+ ld_shlibs_F77=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $ld_shlibs_F77" >&5
+echo "${ECHO_T}$ld_shlibs_F77" >&6
+test "$ld_shlibs_F77" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_F77" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_F77=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_F77 in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_F77
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_F77
+ allow_undefined_flag_F77=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_F77 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_F77=no
+ else
+ archive_cmds_need_lc_F77=yes
+ fi
+ allow_undefined_flag_F77=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ echo "$as_me:$LINENO: result: $archive_cmds_need_lc_F77" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_F77" >&6
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.01* | freebsdelf3.01*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+hardcode_action_F77=
+if test -n "$hardcode_libdir_flag_spec_F77" || \
+ test -n "$runpath_var F77" || \
+ test "X$hardcode_automatic_F77"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_F77" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, F77)" != no &&
+ test "$hardcode_minus_L_F77" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_F77=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_F77=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_F77=unsupported
+fi
+echo "$as_me:$LINENO: result: $hardcode_action_F77" >&5
+echo "${ECHO_T}$hardcode_action_F77" >&6
+
+if test "$hardcode_action_F77" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+ ;;
+ *)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ;;
+ esac
+fi
+
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_F77 \
+ CC_F77 \
+ LD_F77 \
+ lt_prog_compiler_wl_F77 \
+ lt_prog_compiler_pic_F77 \
+ lt_prog_compiler_static_F77 \
+ lt_prog_compiler_no_builtin_flag_F77 \
+ export_dynamic_flag_spec_F77 \
+ thread_safe_flag_spec_F77 \
+ whole_archive_flag_spec_F77 \
+ enable_shared_with_static_runtimes_F77 \
+ old_archive_cmds_F77 \
+ old_archive_from_new_cmds_F77 \
+ predep_objects_F77 \
+ postdep_objects_F77 \
+ predeps_F77 \
+ postdeps_F77 \
+ compiler_lib_search_path_F77 \
+ archive_cmds_F77 \
+ archive_expsym_cmds_F77 \
+ postinstall_cmds_F77 \
+ postuninstall_cmds_F77 \
+ old_archive_from_expsyms_cmds_F77 \
+ allow_undefined_flag_F77 \
+ no_undefined_flag_F77 \
+ export_symbols_cmds_F77 \
+ hardcode_libdir_flag_spec_F77 \
+ hardcode_libdir_flag_spec_ld_F77 \
+ hardcode_libdir_separator_F77 \
+ hardcode_automatic_F77 \
+ module_cmds_F77 \
+ module_expsym_cmds_F77 \
+ lt_cv_prog_compiler_c_o_F77 \
+ exclude_expsyms_F77 \
+ include_expsyms_F77; do
+
+ case $var in
+ old_archive_cmds_F77 | \
+ old_archive_from_new_cmds_F77 | \
+ archive_cmds_F77 | \
+ archive_expsym_cmds_F77 | \
+ module_cmds_F77 | \
+ module_expsym_cmds_F77 | \
+ old_archive_from_expsyms_cmds_F77 | \
+ export_symbols_cmds_F77 | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_F77
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_F77
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_compiler_F77
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_F77
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_F77
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_F77
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_F77
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_F77
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_F77
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_F77
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_F77
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_F77
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_F77
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_F77
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_F77
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_F77
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_F77
+archive_expsym_cmds=$lt_archive_expsym_cmds_F77
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_F77
+module_expsym_cmds=$lt_module_expsym_cmds_F77
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_F77
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_F77
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_F77
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_F77
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_F77
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_F77
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_F77
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_F77
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_F77
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_F77
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_F77
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_F77
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_F77
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_F77
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_F77
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_F77"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_F77
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_F77
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_F77
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_F77
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ GCJ)
+ if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+
+
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+objext_GCJ=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+compiler_GCJ=$CC
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+archive_cmds_need_lc_GCJ=no
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+
+lt_prog_compiler_no_builtin_flag_GCJ=
+
+if test "$GCC" = yes; then
+ lt_prog_compiler_no_builtin_flag_GCJ=' -fno-builtin'
+
+
+echo "$as_me:$LINENO: checking if $compiler supports -fno-rtti -fno-exceptions" >&5
+echo $ECHO_N "checking if $compiler supports -fno-rtti -fno-exceptions... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_rtti_exceptions+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_rtti_exceptions=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="-fno-rtti -fno-exceptions"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:18528: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:18532: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_cv_prog_compiler_rtti_exceptions=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_rtti_exceptions" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_rtti_exceptions" >&6
+
+if test x"$lt_cv_prog_compiler_rtti_exceptions" = xyes; then
+ lt_prog_compiler_no_builtin_flag_GCJ="$lt_prog_compiler_no_builtin_flag_GCJ -fno-rtti -fno-exceptions"
+else
+ :
+fi
+
+fi
+
+lt_prog_compiler_wl_GCJ=
+lt_prog_compiler_pic_GCJ=
+lt_prog_compiler_static_GCJ=
+
+echo "$as_me:$LINENO: checking for $compiler option to produce PIC" >&5
+echo $ECHO_N "checking for $compiler option to produce PIC... $ECHO_C" >&6
+
+ if test "$GCC" = yes; then
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_static_GCJ='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ lt_prog_compiler_pic_GCJ='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ lt_prog_compiler_pic_GCJ='-fno-common'
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ lt_prog_compiler_can_build_shared_GCJ=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ lt_prog_compiler_pic_GCJ=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ lt_prog_compiler_pic_GCJ='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ else
+ lt_prog_compiler_static_GCJ='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ lt_prog_compiler_pic_GCJ='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ lt_prog_compiler_static_GCJ='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # PIC (with -KPIC) is the default.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+
+ newsos6)
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ linux*)
+ case $CC in
+ icc* | ecc*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-static'
+ ;;
+ ccc*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # All Alpha code is PIC.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ # All OSF/1 code is PIC.
+ lt_prog_compiler_static_GCJ='-non_shared'
+ ;;
+
+ sco3.2v5*)
+ lt_prog_compiler_pic_GCJ='-Kpic'
+ lt_prog_compiler_static_GCJ='-dn'
+ ;;
+
+ solaris*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ sunos4*)
+ lt_prog_compiler_wl_GCJ='-Qoption ld '
+ lt_prog_compiler_pic_GCJ='-PIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ lt_prog_compiler_wl_GCJ='-Wl,'
+ lt_prog_compiler_pic_GCJ='-KPIC'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ lt_prog_compiler_pic_GCJ='-Kconform_pic'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ fi
+ ;;
+
+ uts4*)
+ lt_prog_compiler_pic_GCJ='-pic'
+ lt_prog_compiler_static_GCJ='-Bstatic'
+ ;;
+
+ *)
+ lt_prog_compiler_can_build_shared_GCJ=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_GCJ" >&6
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$lt_prog_compiler_pic_GCJ"; then
+
+echo "$as_me:$LINENO: checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works" >&5
+echo $ECHO_N "checking if $compiler PIC flag $lt_prog_compiler_pic_GCJ works... $ECHO_C" >&6
+if test "${lt_prog_compiler_pic_works_GCJ+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_prog_compiler_pic_works_GCJ=no
+ ac_outfile=conftest.$ac_objext
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$lt_prog_compiler_pic_GCJ"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:18761: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&5
+ echo "$as_me:18765: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ lt_prog_compiler_pic_works_GCJ=yes
+ fi
+ fi
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_prog_compiler_pic_works_GCJ" >&5
+echo "${ECHO_T}$lt_prog_compiler_pic_works_GCJ" >&6
+
+if test x"$lt_prog_compiler_pic_works_GCJ" = xyes; then
+ case $lt_prog_compiler_pic_GCJ in
+ "" | " "*) ;;
+ *) lt_prog_compiler_pic_GCJ=" $lt_prog_compiler_pic_GCJ" ;;
+ esac
+else
+ lt_prog_compiler_pic_GCJ=
+ lt_prog_compiler_can_build_shared_GCJ=no
+fi
+
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ lt_prog_compiler_pic_GCJ=
+ ;;
+ *)
+ lt_prog_compiler_pic_GCJ="$lt_prog_compiler_pic_GCJ"
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking if $compiler supports -c -o file.$ac_objext" >&5
+echo $ECHO_N "checking if $compiler supports -c -o file.$ac_objext... $ECHO_C" >&6
+if test "${lt_cv_prog_compiler_c_o_GCJ+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ lt_cv_prog_compiler_c_o_GCJ=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:18821: $lt_compile\"" >&5)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&5
+ echo "$as_me:18825: \$? = $ac_status" >&5
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ lt_cv_prog_compiler_c_o_GCJ=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_prog_compiler_c_o_GCJ" >&5
+echo "${ECHO_T}$lt_cv_prog_compiler_c_o_GCJ" >&6
+
+
+hard_links="nottested"
+if test "$lt_cv_prog_compiler_c_o_GCJ" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ echo "$as_me:$LINENO: checking if we can lock with hard links" >&5
+echo $ECHO_N "checking if we can lock with hard links... $ECHO_C" >&6
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ echo "$as_me:$LINENO: result: $hard_links" >&5
+echo "${ECHO_T}$hard_links" >&6
+ if test "$hard_links" = no; then
+ { echo "$as_me:$LINENO: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&5
+echo "$as_me: WARNING: \`$CC' does not support \`-c -o', so \`make -j' may be unsafe" >&2;}
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+
+echo "$as_me:$LINENO: checking whether the $compiler linker ($LD) supports shared libraries" >&5
+echo $ECHO_N "checking whether the $compiler linker ($LD) supports shared libraries... $ECHO_C" >&6
+
+ runpath_var=
+ allow_undefined_flag_GCJ=
+ enable_shared_with_static_runtimes_GCJ=no
+ archive_cmds_GCJ=
+ archive_expsym_cmds_GCJ=
+ old_archive_From_new_cmds_GCJ=
+ old_archive_from_expsyms_cmds_GCJ=
+ export_dynamic_flag_spec_GCJ=
+ whole_archive_flag_spec_GCJ=
+ thread_safe_flag_spec_GCJ=
+ hardcode_libdir_flag_spec_GCJ=
+ hardcode_libdir_flag_spec_ld_GCJ=
+ hardcode_libdir_separator_GCJ=
+ hardcode_direct_GCJ=no
+ hardcode_minus_L_GCJ=no
+ hardcode_shlibpath_var_GCJ=unsupported
+ link_all_deplibs_GCJ=unknown
+ hardcode_automatic_GCJ=no
+ module_cmds_GCJ=
+ module_expsym_cmds_GCJ=
+ always_export_symbols_GCJ=no
+ export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ include_expsyms_GCJ=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ exclude_expsyms_GCJ="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ ld_shlibs_GCJ=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ ld_shlibs_GCJ=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ ld_shlibs_GCJ=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ allow_undefined_flag_GCJ=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ archive_cmds_GCJ='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, GCJ) is actually meaningless,
+ # as there is no search path for DLLs.
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ allow_undefined_flag_GCJ=unsupported
+ always_export_symbols_GCJ=no
+ enable_shared_with_static_runtimes_GCJ=yes
+ export_symbols_cmds_GCJ='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[BCDGS] /s/.* \([^ ]*\)/\1 DATA/'\'' | $SED -e '\''/^[AITW] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ archive_expsym_cmds_GCJ='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_GCJ='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris* | sysv5*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ ld_shlibs_GCJ=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ sunos4*)
+ archive_cmds_GCJ='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_cmds_GCJ="$tmp_archive_cmds"
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ 01.* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ archive_expsym_cmds_GCJ="$tmp_archive_cmds"
+ fi
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ archive_expsym_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+ esac
+
+ if test "$ld_shlibs_GCJ" = yes; then
+ runpath_var=LD_RUN_PATH
+ hardcode_libdir_flag_spec_GCJ='${wl}--rpath ${wl}$libdir'
+ export_dynamic_flag_spec_GCJ='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ whole_archive_flag_spec_GCJ="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ whole_archive_flag_spec_GCJ=
+ fi
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ allow_undefined_flag_GCJ=unsupported
+ always_export_symbols_GCJ=yes
+ archive_expsym_cmds_GCJ='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ hardcode_minus_L_GCJ=yes
+ if test "$GCC" = yes && test -z "$link_static_flag"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ hardcode_direct_GCJ=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ export_symbols_cmds_GCJ='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ else
+ export_symbols_cmds_GCJ='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$2 == "T") || (\$2 == "D") || (\$2 == "B")) && (substr(\$3,1,1) != ".")) { print \$3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[23]|aix4.[23].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ archive_cmds_GCJ=''
+ hardcode_direct_GCJ=yes
+ hardcode_libdir_separator_GCJ=':'
+ link_all_deplibs_GCJ=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.012|aix4.012.*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ hardcode_direct_GCJ=yes
+ else
+ # We have old collect2
+ hardcode_direct_GCJ=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ hardcode_minus_L_GCJ=yes
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_libdir_separator_GCJ=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ always_export_symbols_GCJ=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ allow_undefined_flag_GCJ='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+ archive_expsym_cmds_GCJ="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ hardcode_libdir_flag_spec_GCJ='${wl}-R $libdir:/usr/lib:/lib'
+ allow_undefined_flag_GCJ="-z nodefs"
+ archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+
+ hardcode_libdir_flag_spec_GCJ='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ no_undefined_flag_GCJ=' ${wl}-bernotok'
+ allow_undefined_flag_GCJ=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ always_export_symbols_GCJ=yes
+ # Exported symbols can be pulled into shared objects from archives
+ whole_archive_flag_spec_GCJ=' '
+ archive_cmds_need_lc_GCJ=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ archive_expsym_cmds_GCJ="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ archive_cmds_GCJ='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+ # see comment about different semantics on the GNU ld section
+ ld_shlibs_GCJ=no
+ ;;
+
+ bsdi4*)
+ export_dynamic_flag_spec_GCJ=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ hardcode_libdir_flag_spec_GCJ=' '
+ allow_undefined_flag_GCJ=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ archive_cmds_GCJ='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ old_archive_From_new_cmds_GCJ='true'
+ # FIXME: Should let the user specify the lib program.
+ old_archive_cmds_GCJ='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ enable_shared_with_static_runtimes_GCJ=yes
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes ; then
+ archive_cmds_need_lc_GCJ=no
+ case "$host_os" in
+ rhapsody* | darwin1.[012])
+ allow_undefined_flag_GCJ='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[012])
+ allow_undefined_flag_GCJ='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ allow_undefined_flag_GCJ='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_cmds_GCJ='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ archive_cmds_GCJ='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ module_cmds_GCJ='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ archive_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ module_expsym_cmds_GCJ='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ hardcode_direct_GCJ=no
+ hardcode_automatic_GCJ=yes
+ hardcode_shlibpath_var_GCJ=unsupported
+ whole_archive_flag_spec_GCJ='-all_load $convenience'
+ link_all_deplibs_GCJ=yes
+ else
+ ld_shlibs_GCJ=no
+ fi
+ ;;
+
+ dgux*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ freebsd1*)
+ ld_shlibs_GCJ=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes
+ hardcode_minus_L_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu)
+ archive_cmds_GCJ='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ archive_cmds_GCJ='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_direct_GCJ=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+ ;;
+
+ hpux10* | hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds_GCJ='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ archive_cmds_GCJ='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ archive_cmds_GCJ='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ *)
+ archive_cmds_GCJ='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_flag_spec_ld_GCJ='+b $libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_direct_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+ ia64*)
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_direct_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ ;;
+ *)
+ hardcode_libdir_flag_spec_GCJ='${wl}+b ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_direct_GCJ=yes
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ hardcode_minus_L_GCJ=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ archive_cmds_GCJ='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_ld_GCJ='-rpath $libdir'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ link_all_deplibs_GCJ=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ archive_cmds_GCJ='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ newsos6)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ openbsd*)
+ hardcode_direct_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+ export_dynamic_flag_spec_GCJ='${wl}-E'
+ else
+ case $host_os in
+ openbsd[01].* | openbsd2.[0-7] | openbsd2.[0-7].*)
+ archive_cmds_GCJ='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ ;;
+ *)
+ archive_cmds_GCJ='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_minus_L_GCJ=yes
+ allow_undefined_flag_GCJ=unsupported
+ archive_cmds_GCJ='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ old_archive_From_new_cmds_GCJ='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ allow_undefined_flag_GCJ=' -expect_unresolved \*'
+ archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ hardcode_libdir_separator_GCJ=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ allow_undefined_flag_GCJ=' ${wl}-expect_unresolved ${wl}\*'
+ archive_cmds_GCJ='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ hardcode_libdir_flag_spec_GCJ='${wl}-rpath ${wl}$libdir'
+ else
+ allow_undefined_flag_GCJ=' -expect_unresolved \*'
+ archive_cmds_GCJ='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ archive_expsym_cmds_GCJ='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ hardcode_libdir_flag_spec_GCJ='-rpath $libdir'
+ fi
+ hardcode_libdir_separator_GCJ=:
+ ;;
+
+ sco3.2v5*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_GCJ=no
+ export_dynamic_flag_spec_GCJ='${wl}-Bexport'
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ;;
+
+ solaris*)
+ no_undefined_flag_GCJ=' -z text'
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ hardcode_libdir_flag_spec_GCJ='-R$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+ whole_archive_flag_spec_GCJ='-z allextract$convenience -z defaultextract' ;;
+ esac
+ link_all_deplibs_GCJ=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ archive_cmds_GCJ='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_direct_GCJ=yes
+ hardcode_minus_L_GCJ=yes
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ reload_cmds_GCJ='$CC -r -o $output$reload_objs'
+ hardcode_direct_GCJ=no
+ ;;
+ motorola)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ sysv4.3*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_GCJ=no
+ export_dynamic_flag_spec_GCJ='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_shlibpath_var_GCJ=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ld_shlibs_GCJ=yes
+ fi
+ ;;
+
+ sysv4.2uw2*)
+ archive_cmds_GCJ='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_direct_GCJ=yes
+ hardcode_minus_L_GCJ=no
+ hardcode_shlibpath_var_GCJ=no
+ hardcode_runpath_var=yes
+ runpath_var=LD_RUN_PATH
+ ;;
+
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[78]* | unixware7*)
+ no_undefined_flag_GCJ='${wl}-z ${wl}text'
+ if test "$GCC" = yes; then
+ archive_cmds_GCJ='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ archive_cmds_GCJ='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ runpath_var='LD_RUN_PATH'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ sysv5*)
+ no_undefined_flag_GCJ=' -z text'
+ # $CC -shared without GNU ld will not create a library from C++
+ # object files and a static libstdc++, better avoid it by now
+ archive_cmds_GCJ='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ archive_expsym_cmds_GCJ='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ hardcode_libdir_flag_spec_GCJ=
+ hardcode_shlibpath_var_GCJ=no
+ runpath_var='LD_RUN_PATH'
+ ;;
+
+ uts4*)
+ archive_cmds_GCJ='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ hardcode_libdir_flag_spec_GCJ='-L$libdir'
+ hardcode_shlibpath_var_GCJ=no
+ ;;
+
+ *)
+ ld_shlibs_GCJ=no
+ ;;
+ esac
+ fi
+
+echo "$as_me:$LINENO: result: $ld_shlibs_GCJ" >&5
+echo "${ECHO_T}$ld_shlibs_GCJ" >&6
+test "$ld_shlibs_GCJ" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$archive_cmds_need_lc_GCJ" in
+x|xyes)
+ # Assume -lc should be added
+ archive_cmds_need_lc_GCJ=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $archive_cmds_GCJ in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ echo "$as_me:$LINENO: checking whether -lc should be explicitly linked in" >&5
+echo $ECHO_N "checking whether -lc should be explicitly linked in... $ECHO_C" >&6
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$lt_prog_compiler_wl_GCJ
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$allow_undefined_flag_GCJ
+ allow_undefined_flag_GCJ=
+ if { (eval echo "$as_me:$LINENO: \"$archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1\"") >&5
+ (eval $archive_cmds_GCJ 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }
+ then
+ archive_cmds_need_lc_GCJ=no
+ else
+ archive_cmds_need_lc_GCJ=yes
+ fi
+ allow_undefined_flag_GCJ=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ echo "$as_me:$LINENO: result: $archive_cmds_need_lc_GCJ" >&5
+echo "${ECHO_T}$archive_cmds_need_lc_GCJ" >&6
+ ;;
+ esac
+ fi
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking dynamic linker characteristics" >&5
+echo $ECHO_N "checking dynamic linker characteristics... $ECHO_C" >&6
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[01] | aix4.[01].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([^/]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';[c-zC-Z]:/' >/dev/null; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/./-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.01* | freebsdelf3.01*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/:,\t/ /g;s/=^=*$//;s/=^= * / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[89] | openbsd2.[89].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+echo "$as_me:$LINENO: result: $dynamic_linker" >&5
+echo "${ECHO_T}$dynamic_linker" >&6
+test "$dynamic_linker" = no && can_build_shared=no
+
+echo "$as_me:$LINENO: checking how to hardcode library paths into programs" >&5
+echo $ECHO_N "checking how to hardcode library paths into programs... $ECHO_C" >&6
+hardcode_action_GCJ=
+if test -n "$hardcode_libdir_flag_spec_GCJ" || \
+ test -n "$runpath_var GCJ" || \
+ test "X$hardcode_automatic_GCJ"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$hardcode_direct_GCJ" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, GCJ)" != no &&
+ test "$hardcode_minus_L_GCJ" != no; then
+ # Linking always hardcodes the temporary library directory.
+ hardcode_action_GCJ=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ hardcode_action_GCJ=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ hardcode_action_GCJ=unsupported
+fi
+echo "$as_me:$LINENO: result: $hardcode_action_GCJ" >&5
+echo "${ECHO_T}$hardcode_action_GCJ" >&6
+
+if test "$hardcode_action_GCJ" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+
+striplib=
+old_striplib=
+echo "$as_me:$LINENO: checking whether stripping libraries is possible" >&5
+echo $ECHO_N "checking whether stripping libraries is possible... $ECHO_C" >&6
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+ ;;
+ *)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ;;
+ esac
+fi
+
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+
+fi
+
+ ;;
+
+ *)
+ echo "$as_me:$LINENO: checking for shl_load" >&5
+echo $ECHO_N "checking for shl_load... $ECHO_C" >&6
+if test "${ac_cv_func_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define shl_load to an innocuous variant, in case <limits.h> declares shl_load.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define shl_load innocuous_shl_load
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char shl_load (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef shl_load
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_shl_load) || defined (__stub___shl_load)
+choke me
+#else
+char (*f) () = shl_load;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != shl_load;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_shl_load" >&5
+echo "${ECHO_T}$ac_cv_func_shl_load" >&6
+if test $ac_cv_func_shl_load = yes; then
+ lt_cv_dlopen="shl_load"
+else
+ echo "$as_me:$LINENO: checking for shl_load in -ldld" >&5
+echo $ECHO_N "checking for shl_load in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_shl_load+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char shl_load ();
+int
+main ()
+{
+shl_load ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_shl_load=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_shl_load=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_shl_load" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_shl_load" >&6
+if test $ac_cv_lib_dld_shl_load = yes; then
+ lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"
+else
+ echo "$as_me:$LINENO: checking for dlopen" >&5
+echo $ECHO_N "checking for dlopen... $ECHO_C" >&6
+if test "${ac_cv_func_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define dlopen to an innocuous variant, in case <limits.h> declares dlopen.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define dlopen innocuous_dlopen
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char dlopen (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef dlopen
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_dlopen) || defined (__stub___dlopen)
+choke me
+#else
+char (*f) () = dlopen;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != dlopen;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_dlopen" >&5
+echo "${ECHO_T}$ac_cv_func_dlopen" >&6
+if test $ac_cv_func_dlopen = yes; then
+ lt_cv_dlopen="dlopen"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -ldl" >&5
+echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6
+if test "${ac_cv_lib_dl_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldl $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dl_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dl_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dl_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6
+if test $ac_cv_lib_dl_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"
+else
+ echo "$as_me:$LINENO: checking for dlopen in -lsvld" >&5
+echo $ECHO_N "checking for dlopen in -lsvld... $ECHO_C" >&6
+if test "${ac_cv_lib_svld_dlopen+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-lsvld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dlopen ();
+int
+main ()
+{
+dlopen ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_svld_dlopen=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_svld_dlopen=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_svld_dlopen" >&5
+echo "${ECHO_T}$ac_cv_lib_svld_dlopen" >&6
+if test $ac_cv_lib_svld_dlopen = yes; then
+ lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"
+else
+ echo "$as_me:$LINENO: checking for dld_link in -ldld" >&5
+echo $ECHO_N "checking for dld_link in -ldld... $ECHO_C" >&6
+if test "${ac_cv_lib_dld_dld_link+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ ac_check_lib_save_LIBS=$LIBS
+LIBS="-ldld $LIBS"
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char dld_link ();
+int
+main ()
+{
+dld_link ();
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_lib_dld_dld_link=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_lib_dld_dld_link=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+echo "$as_me:$LINENO: result: $ac_cv_lib_dld_dld_link" >&5
+echo "${ECHO_T}$ac_cv_lib_dld_dld_link" >&6
+if test $ac_cv_lib_dld_dld_link = yes; then
+ lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+
+fi
+
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ echo "$as_me:$LINENO: checking whether a program can dlopen itself" >&5
+echo $ECHO_N "checking whether a program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 21005 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self" >&6
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ LDFLAGS="$LDFLAGS $link_static_flag"
+ echo "$as_me:$LINENO: checking whether a statically linked program can dlopen itself" >&5
+echo $ECHO_N "checking whether a statically linked program can dlopen itself... $ECHO_C" >&6
+if test "${lt_cv_dlopen_self_static+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ if test "$cross_compiling" = yes; then :
+ lt_cv_dlopen_self_static=cross
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+#line 21103 "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}
+EOF
+ if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_dlneed_uscore) lt_cv_dlopen_self_static=yes ;;
+ x$lt_unknown|x*) lt_cv_dlopen_self_static=no ;;
+ esac
+ else :
+ # compilation failed
+ lt_cv_dlopen_self_static=no
+ fi
+fi
+rm -fr conftest*
+
+
+fi
+echo "$as_me:$LINENO: result: $lt_cv_dlopen_self_static" >&5
+echo "${ECHO_T}$lt_cv_dlopen_self_static" >&6
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_GCJ \
+ CC_GCJ \
+ LD_GCJ \
+ lt_prog_compiler_wl_GCJ \
+ lt_prog_compiler_pic_GCJ \
+ lt_prog_compiler_static_GCJ \
+ lt_prog_compiler_no_builtin_flag_GCJ \
+ export_dynamic_flag_spec_GCJ \
+ thread_safe_flag_spec_GCJ \
+ whole_archive_flag_spec_GCJ \
+ enable_shared_with_static_runtimes_GCJ \
+ old_archive_cmds_GCJ \
+ old_archive_from_new_cmds_GCJ \
+ predep_objects_GCJ \
+ postdep_objects_GCJ \
+ predeps_GCJ \
+ postdeps_GCJ \
+ compiler_lib_search_path_GCJ \
+ archive_cmds_GCJ \
+ archive_expsym_cmds_GCJ \
+ postinstall_cmds_GCJ \
+ postuninstall_cmds_GCJ \
+ old_archive_from_expsyms_cmds_GCJ \
+ allow_undefined_flag_GCJ \
+ no_undefined_flag_GCJ \
+ export_symbols_cmds_GCJ \
+ hardcode_libdir_flag_spec_GCJ \
+ hardcode_libdir_flag_spec_ld_GCJ \
+ hardcode_libdir_separator_GCJ \
+ hardcode_automatic_GCJ \
+ module_cmds_GCJ \
+ module_expsym_cmds_GCJ \
+ lt_cv_prog_compiler_c_o_GCJ \
+ exclude_expsyms_GCJ \
+ include_expsyms_GCJ; do
+
+ case $var in
+ old_archive_cmds_GCJ | \
+ old_archive_from_new_cmds_GCJ | \
+ archive_cmds_GCJ | \
+ archive_expsym_cmds_GCJ | \
+ module_cmds_GCJ | \
+ module_expsym_cmds_GCJ | \
+ old_archive_from_expsyms_cmds_GCJ | \
+ export_symbols_cmds_GCJ | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_GCJ
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_GCJ
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_compiler_GCJ
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_GCJ
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_GCJ
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_GCJ
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_GCJ
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_GCJ
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_GCJ
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_GCJ
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_GCJ
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_GCJ
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_GCJ
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_GCJ
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_GCJ
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_GCJ
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_GCJ
+archive_expsym_cmds=$lt_archive_expsym_cmds_GCJ
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_GCJ
+module_expsym_cmds=$lt_module_expsym_cmds_GCJ
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_GCJ
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_GCJ
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_GCJ
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_GCJ
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_GCJ
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_GCJ
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_GCJ
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_GCJ
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_GCJ
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_GCJ
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_GCJ
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_GCJ
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_GCJ
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_GCJ
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_GCJ
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_GCJ"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_GCJ
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_GCJ
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_GCJ
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_GCJ
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ else
+ tagname=""
+ fi
+ ;;
+
+ RC)
+
+
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+objext_RC=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+compiler_RC=$CC
+lt_cv_prog_compiler_c_o_RC=yes
+
+# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ compiler_RC \
+ CC_RC \
+ LD_RC \
+ lt_prog_compiler_wl_RC \
+ lt_prog_compiler_pic_RC \
+ lt_prog_compiler_static_RC \
+ lt_prog_compiler_no_builtin_flag_RC \
+ export_dynamic_flag_spec_RC \
+ thread_safe_flag_spec_RC \
+ whole_archive_flag_spec_RC \
+ enable_shared_with_static_runtimes_RC \
+ old_archive_cmds_RC \
+ old_archive_from_new_cmds_RC \
+ predep_objects_RC \
+ postdep_objects_RC \
+ predeps_RC \
+ postdeps_RC \
+ compiler_lib_search_path_RC \
+ archive_cmds_RC \
+ archive_expsym_cmds_RC \
+ postinstall_cmds_RC \
+ postuninstall_cmds_RC \
+ old_archive_from_expsyms_cmds_RC \
+ allow_undefined_flag_RC \
+ no_undefined_flag_RC \
+ export_symbols_cmds_RC \
+ hardcode_libdir_flag_spec_RC \
+ hardcode_libdir_flag_spec_ld_RC \
+ hardcode_libdir_separator_RC \
+ hardcode_automatic_RC \
+ module_cmds_RC \
+ module_expsym_cmds_RC \
+ lt_cv_prog_compiler_c_o_RC \
+ exclude_expsyms_RC \
+ include_expsyms_RC; do
+
+ case $var in
+ old_archive_cmds_RC | \
+ old_archive_from_new_cmds_RC | \
+ archive_cmds_RC | \
+ archive_expsym_cmds_RC | \
+ module_cmds_RC | \
+ module_expsym_cmds_RC | \
+ old_archive_from_expsyms_cmds_RC | \
+ export_symbols_cmds_RC | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\$0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\$0 --fallback-echo"$/$0 --fallback-echo"/'`
+ ;;
+ esac
+
+cfgfile="$ofile"
+
+ cat <<__EOF__ >> "$cfgfile"
+# ### BEGIN LIBTOOL TAG CONFIG: $tagname
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$archive_cmds_need_lc_RC
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$enable_shared_with_static_runtimes_RC
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_compiler_RC
+
+# Is the compiler the GNU C compiler?
+with_gcc=$GCC_RC
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_LD_RC
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_lt_prog_compiler_wl_RC
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_lt_prog_compiler_pic_RC
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_lt_cv_prog_compiler_c_o_RC
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_lt_prog_compiler_static_RC
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_lt_prog_compiler_no_builtin_flag_RC
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_export_dynamic_flag_spec_RC
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_whole_archive_flag_spec_RC
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_thread_safe_flag_spec_RC
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_old_archive_cmds_RC
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_old_archive_from_new_cmds_RC
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_old_archive_from_expsyms_cmds_RC
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_archive_cmds_RC
+archive_expsym_cmds=$lt_archive_expsym_cmds_RC
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_module_cmds_RC
+module_expsym_cmds=$lt_module_expsym_cmds_RC
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_predep_objects_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_postdep_objects_RC
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_predeps_RC
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_postdeps_RC
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_compiler_lib_search_path_RC
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_allow_undefined_flag_RC
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_no_undefined_flag_RC
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$hardcode_action_RC
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_hardcode_libdir_flag_spec_RC
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_hardcode_libdir_flag_spec_ld_RC
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_hardcode_libdir_separator_RC
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$hardcode_direct_RC
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$hardcode_minus_L_RC
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$hardcode_shlibpath_var_RC
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$hardcode_automatic_RC
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$link_all_deplibs_RC
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$fix_srcfile_path_RC"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$always_export_symbols_RC
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_export_symbols_cmds_RC
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_exclude_expsyms_RC
+
+# Symbols that must always be exported.
+include_expsyms=$lt_include_expsyms_RC
+
+# ### END LIBTOOL TAG CONFIG: $tagname
+
+__EOF__
+
+
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+CC="$lt_save_CC"
+
+ ;;
+
+ *)
+ { { echo "$as_me:$LINENO: error: Unsupported tag name: $tagname" >&5
+echo "$as_me: error: Unsupported tag name: $tagname" >&2;}
+ { (exit 1); exit 1; }; }
+ ;;
+ esac
+
+ # Append the new tag name to the list of available tags.
+ if test -n "$tagname" ; then
+ available_tags="$available_tags $tagname"
+ fi
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ # Now substitute the updated list of available tags.
+ if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+ mv "${ofile}T" "$ofile"
+ chmod +x "$ofile"
+ else
+ rm -f "${ofile}T"
+ { { echo "$as_me:$LINENO: error: unable to update list of available tagged configurations." >&5
+echo "$as_me: error: unable to update list of available tagged configurations." >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+fi
+
+
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+
+# Prevent multiple expansion
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ O=lo
+ A=la
+ LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+ LIBTOOL_MODE_COMPILE='--mode=compile'
+ LIBTOOL_MODE_INSTALL='--mode=install'
+ LIBTOOL_MODE_LINK='--mode=link'
+ ;;
+ *)
+ O=o
+ A=a
+ LIBTOOL=
+
+ LIBTOOL_MKDEP_SED=
+ LIBTOOL_MODE_COMPILE=
+ LIBTOOL_MODE_INSTALL=
+ LIBTOOL_MODE_LINK=
+ ;;
+esac
+
+#
+# File name extension for static archive files, for those few places
+# where they are treated differently from dynamic ones.
+#
+SA=a
+
+
+
+
+
+
+
+
+
+#
+# Here begins a very long section to determine the system's networking
+# capabilities. The order of the tests is signficant.
+#
+
+#
+# IPv6
+#
+# Check whether --enable-ipv6 or --disable-ipv6 was given.
+if test "${enable_ipv6+set}" = set; then
+ enableval="$enable_ipv6"
+
+fi;
+
+case "$enable_ipv6" in
+ yes|''|autodetect)
+ cat >>confdefs.h <<\_ACEOF
+#define WANT_IPV6 1
+_ACEOF
+
+ ;;
+ no)
+ ;;
+esac
+
+#
+# We do the IPv6 compilation checking after libtool so that we can put
+# the right suffix on the files.
+#
+echo "$as_me:$LINENO: checking for IPv6 structures" >&5
+echo $ECHO_N "checking for IPv6 structures... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+int
+main ()
+{
+struct sockaddr_in6 sin6; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ found_ipv6=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ found_ipv6=no
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+#
+# See whether IPv6 support is provided via a Kame add-on.
+# This is done before other IPv6 linking tests to LIBS is properly set.
+#
+echo "$as_me:$LINENO: checking for Kame IPv6 support" >&5
+echo $ECHO_N "checking for Kame IPv6 support... $ECHO_C" >&6
+
+# Check whether --with-kame or --without-kame was given.
+if test "${with_kame+set}" = set; then
+ withval="$with_kame"
+ use_kame="$withval"
+else
+ use_kame="no"
+fi;
+
+case "$use_kame" in
+ no)
+ ;;
+ yes)
+ kame_path=/usr/local/v6
+ ;;
+ *)
+ kame_path="$use_kame"
+ ;;
+esac
+
+case "$use_kame" in
+ no)
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ;;
+ *)
+ if test -f $kame_path/lib/libinet6.a; then
+ echo "$as_me:$LINENO: result: $kame_path/lib/libinet6.a" >&5
+echo "${ECHO_T}$kame_path/lib/libinet6.a" >&6
+ LIBS="-L$kame_path/lib -linet6 $LIBS"
+ else
+ { { echo "$as_me:$LINENO: error: $kame_path/lib/libinet6.a not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-kame=PATH
+" >&5
+echo "$as_me: error: $kame_path/lib/libinet6.a not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-kame=PATH
+" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ ;;
+esac
+
+#
+# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
+# Including it on Kame-using platforms is very bad, though, because
+# Kame uses #error against direct inclusion. So include it on only
+# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
+# This is done before the in6_pktinfo check because that's what
+# netinet6/in6.h is needed for.
+#
+
+case "$host" in
+*-bsdi4.[01]*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
+ isc_netinet6in6_hack="#include <netinet6/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
+ isc_netinet6in6_hack=""
+ ;;
+esac
+
+
+#
+# This is similar to the netinet6/in6.h issue.
+#
+case "$host" in
+*-UnixWare*)
+ ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
+ ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+ isc_netinetin6_hack="#include <netinet/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
+ ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+ isc_netinetin6_hack=""
+ ;;
+esac
+
+#
+# Now delve deeper into the suitability of the IPv6 support.
+#
+case "$found_ipv6" in
+ yes)
+ HAS_INET6_STRUCTS="#define HAS_INET6_STRUCTS 1"
+
+ echo "$as_me:$LINENO: checking for in6_addr" >&5
+echo $ECHO_N "checking for in6_addr... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+
+int
+main ()
+{
+struct in6_addr in6; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ HAS_IN_ADDR6="#undef HAS_IN_ADDR6"
+ isc_in_addr6_hack=""
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ HAS_IN_ADDR6="#define HAS_IN_ADDR6 1"
+ isc_in_addr6_hack="#define in6_addr in_addr6"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+ echo "$as_me:$LINENO: checking for in6addr_any" >&5
+echo $ECHO_N "checking for in6addr_any... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+$isc_in_addr6_hack
+
+int
+main ()
+{
+struct in6_addr in6; in6 = in6addr_any; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ NEED_IN6ADDR_ANY="#define NEED_IN6ADDR_ANY 1"
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+ echo "$as_me:$LINENO: checking for sin6_scope_id in struct sockaddr_in6" >&5
+echo $ECHO_N "checking for sin6_scope_id in struct sockaddr_in6... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+
+int
+main ()
+{
+struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ result="#define HAVE_SIN6_SCOPE_ID 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ result="#undef HAVE_SIN6_SCOPE_ID"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ HAVE_SIN6_SCOPE_ID="$result"
+
+ echo "$as_me:$LINENO: checking for in6_pktinfo" >&5
+echo $ECHO_N "checking for in6_pktinfo... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+
+int
+main ()
+{
+struct in6_pktinfo xyzzy; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no -- disabling runtime ipv6 support" >&5
+echo "${ECHO_T}no -- disabling runtime ipv6 support" >&6
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+ echo "$as_me:$LINENO: checking for sockaddr_storage" >&5
+echo $ECHO_N "checking for sockaddr_storage... $ECHO_C" >&6
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+
+int
+main ()
+{
+struct sockaddr_storage xyzzy; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+ ;;
+ no)
+ HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
+ NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+ HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
+ HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
+ ISC_IPV6_H="ipv6.h"
+ ISC_IPV6_O="ipv6.$O"
+ ISC_ISCIPV6_O="unix/ipv6.$O"
+ ISC_IPV6_C="ipv6.c"
+ ;;
+esac
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+#
+# Check for network functions that are often missing. We do this
+# after the libtool checking, so we can put the right suffix on
+# the files. It also needs to come after checking for a Kame add-on,
+# which provides some (all?) of the desired functions.
+#
+echo "$as_me:$LINENO: checking for inet_ntop" >&5
+echo $ECHO_N "checking for inet_ntop... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+int
+main ()
+{
+inet_ntop(0, 0, 0, 0); return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+echo "$as_me:$LINENO: checking for inet_pton" >&5
+echo $ECHO_N "checking for inet_pton... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+int
+main ()
+{
+inet_pton(0, 0, 0); return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+echo "$as_me:$LINENO: checking for inet_aton" >&5
+echo $ECHO_N "checking for inet_aton... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+int
+main ()
+{
+struct in_addr in; inet_aton(0, &in); return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+ ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+
+
+
+
+
+#
+# Look for a 4.4BSD-style sa_len member in struct sockaddr.
+#
+case "$host" in
+ *-dec-osf*)
+ # Turn on 4.4BSD style sa_len support.
+ cat >>confdefs.h <<\_ACEOF
+#define _SOCKADDR_LEN 1
+_ACEOF
+
+ ;;
+esac
+
+echo "$as_me:$LINENO: checking for sa_len in struct sockaddr" >&5
+echo $ECHO_N "checking for sa_len in struct sockaddr... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+main ()
+{
+struct sockaddr sa; sa.sa_len = 0; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ HAVE_SA_LEN="#define HAVE_SA_LEN 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ HAVE_SA_LEN="#undef HAVE_SA_LEN"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+# HAVE_MINIMUM_IFREQ
+
+case "$host" in
+ *-bsdi2345*) have_minimum_ifreq=yes;;
+ *-darwin*) have_minimum_ifreq=yes;;
+ *-freebsd*) have_minimum_ifreq=yes;;
+ *-lynxos*) have_minimum_ifreq=yes;;
+ *-netbsd*) have_minimum_ifreq=yes;;
+ *-next*) have_minimum_ifreq=yes;;
+ *-openbsd*) have_minimum_ifreq=yes;;
+ *-rhapsody*) have_minimum_ifreq=yes;;
+esac
+
+case "$have_minimum_ifreq" in
+ yes)
+ HAVE_MINIMUM_IFREQ="#define HAVE_MINIMUM_IFREQ 1";;
+ no)
+ HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
+ *)
+ HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
+esac
+
+
+# PORT_DIR
+PORT_DIR=port/unknown
+SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
+BSD_COMP="#undef BSD_COMP"
+USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
+case "$host" in
+ *aix3.2*) PORT_DIR="port/aix32";;
+ *aix4*) PORT_DIR="port/aix4";;
+ *aux3*) PORT_DIR="port/aux3";;
+ *-bsdi2*) PORT_DIR="port/bsdos2";;
+ *-bsdi*) PORT_DIR="port/bsdos";;
+ *-cygwin*) PORT_DIR="port/cygwin";;
+ *-darwin*) PORT_DIR="port/darwin";;
+ *-osf*) PORT_DIR="port/decunix";;
+ *-freebsd*) PORT_DIR="port/freebsd";;
+ *-hpux9*) PORT_DIR="port/hpux9";;
+ *-hpux10*) PORT_DIR="port/hpux10";;
+ *-hpux11*) PORT_DIR="port/hpux";;
+ *-irix*) PORT_DIR="port/irix";;
+ *-linux*) PORT_DIR="port/linux";;
+ *-lynxos*) PORT_DIR="port/lynxos";;
+ *-mpe*) PORT_DIR="port/mpe";;
+ *-netbsd*) PORT_DIR="port/netbsd";;
+ *-next*) PORT_DIR="port/next";;
+ *-openbsd*) PORT_DIR="port/openbsd";;
+ *-qnx*) PORT_DIR="port/qnx";;
+ *-rhapsody*) PORT_DIR="port/rhapsody";;
+ *-solaris2.[01234]*)
+ BSD_COMP="#define BSD_COMP 1"
+ SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
+ USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
+ PORT_DIR="port/solaris";;
+ *-solaris2.5*)
+ BSD_COMP="#define BSD_COMP 1"
+ SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
+ PORT_DIR="port/solaris";;
+ *-solaris2*) BSD_COMP="#define BSD_COMP 1"
+ PORT_DIR="port/solaris";;
+ *-ultrix*) PORT_DIR="port/ultrix";;
+ *-sco-sysv*uw2.0*) PORT_DIR="port/unixware20";;
+ *-sco-sysv*uw2.1.2*) PORT_DIR="port/unixware212";;
+ *-sco-sysv*uw7*) PORT_DIR="port/unixware7";;
+esac
+
+
+
+
+PORT_INCLUDE=${PORT_DIR}/include
+
+
+
+#
+# Look for a 4.4BSD or 4.3BSD struct msghdr
+#
+echo "$as_me:$LINENO: checking for struct msghdr flavor" >&5
+echo $ECHO_N "checking for struct msghdr flavor... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int
+main ()
+{
+struct msghdr msg; msg.msg_flags = 0; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: 4.4BSD" >&5
+echo "${ECHO_T}4.4BSD" >&6
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: 4.3BSD" >&5
+echo "${ECHO_T}4.3BSD" >&6
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+#
+# Look for in_port_t.
+#
+echo "$as_me:$LINENO: checking for type in_port_t" >&5
+echo $ECHO_N "checking for type in_port_t... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <netinet/in.h>
+int
+main ()
+{
+in_port_t port = 25; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+#
+# Check for addrinfo
+#
+echo "$as_me:$LINENO: checking for struct addrinfo" >&5
+echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+struct addrinfo a; return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_ADDRINFO 1
+_ACEOF
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+echo "$as_me:$LINENO: checking for int sethostent" >&5
+echo $ECHO_N "checking for int sethostent... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+int i = sethostent(0); return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+echo "$as_me:$LINENO: checking for int endhostent" >&5
+echo $ECHO_N "checking for int endhostent... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+int i = endhostent(); return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for int setnetent" >&5
+echo $ECHO_N "checking for int setnetent... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+int i = setnetent(0); return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for int endnetent" >&5
+echo $ECHO_N "checking for int endnetent... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+int i = endnetent(); return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for gethostbyaddr(const void *, size_t, ...)" >&5
+echo $ECHO_N "checking for gethostbyaddr(const void *, size_t, ...)... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+struct hostent *gethostbyaddr(const void *, size_t, int);
+int
+main ()
+{
+return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for h_errno in netdb.h" >&5
+echo $ECHO_N "checking for h_errno in netdb.h... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <netdb.h>
+int
+main ()
+{
+h_errno = 1; return(0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+ ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for getipnodebyname" >&5
+echo $ECHO_N "checking for getipnodebyname... $ECHO_C" >&6
+if test "${ac_cv_func_getipnodebyname+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getipnodebyname to an innocuous variant, in case <limits.h> declares getipnodebyname.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getipnodebyname innocuous_getipnodebyname
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getipnodebyname (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getipnodebyname
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getipnodebyname ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getipnodebyname) || defined (__stub___getipnodebyname)
+choke me
+#else
+char (*f) () = getipnodebyname;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getipnodebyname;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getipnodebyname=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getipnodebyname=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getipnodebyname" >&5
+echo "${ECHO_T}$ac_cv_func_getipnodebyname" >&6
+if test $ac_cv_func_getipnodebyname = yes; then
+ ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"
+else
+ ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"
+fi
+
+echo "$as_me:$LINENO: checking for getnameinfo" >&5
+echo $ECHO_N "checking for getnameinfo... $ECHO_C" >&6
+if test "${ac_cv_func_getnameinfo+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getnameinfo to an innocuous variant, in case <limits.h> declares getnameinfo.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getnameinfo innocuous_getnameinfo
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getnameinfo (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getnameinfo
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getnameinfo ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getnameinfo) || defined (__stub___getnameinfo)
+choke me
+#else
+char (*f) () = getnameinfo;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getnameinfo;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getnameinfo=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getnameinfo=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getnameinfo" >&5
+echo "${ECHO_T}$ac_cv_func_getnameinfo" >&6
+if test $ac_cv_func_getnameinfo = yes; then
+ ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"
+else
+ ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"
+fi
+
+echo "$as_me:$LINENO: checking for getaddrinfo" >&5
+echo $ECHO_N "checking for getaddrinfo... $ECHO_C" >&6
+if test "${ac_cv_func_getaddrinfo+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getaddrinfo to an innocuous variant, in case <limits.h> declares getaddrinfo.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getaddrinfo innocuous_getaddrinfo
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getaddrinfo (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getaddrinfo
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getaddrinfo ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getaddrinfo) || defined (__stub___getaddrinfo)
+choke me
+#else
+char (*f) () = getaddrinfo;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getaddrinfo;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getaddrinfo=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getaddrinfo=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getaddrinfo" >&5
+echo "${ECHO_T}$ac_cv_func_getaddrinfo" >&6
+if test $ac_cv_func_getaddrinfo = yes; then
+ ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_GETADDRINFO 1
+_ACEOF
+
+else
+ ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"
+fi
+
+echo "$as_me:$LINENO: checking for gai_strerror" >&5
+echo $ECHO_N "checking for gai_strerror... $ECHO_C" >&6
+if test "${ac_cv_func_gai_strerror+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define gai_strerror to an innocuous variant, in case <limits.h> declares gai_strerror.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define gai_strerror innocuous_gai_strerror
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char gai_strerror (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef gai_strerror
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char gai_strerror ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_gai_strerror) || defined (__stub___gai_strerror)
+choke me
+#else
+char (*f) () = gai_strerror;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != gai_strerror;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_gai_strerror=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_gai_strerror=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_gai_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_gai_strerror" >&6
+if test $ac_cv_func_gai_strerror = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_GAISTRERROR 1
+_ACEOF
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for pselect" >&5
+echo $ECHO_N "checking for pselect... $ECHO_C" >&6
+if test "${ac_cv_func_pselect+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define pselect to an innocuous variant, in case <limits.h> declares pselect.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define pselect innocuous_pselect
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char pselect (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef pselect
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char pselect ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_pselect) || defined (__stub___pselect)
+choke me
+#else
+char (*f) () = pselect;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != pselect;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_pselect=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_pselect=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_pselect" >&5
+echo "${ECHO_T}$ac_cv_func_pselect" >&6
+if test $ac_cv_func_pselect = yes; then
+ NEED_PSELECT="#undef NEED_PSELECT"
+else
+ NEED_PSELECT="#define NEED_PSELECT"
+fi
+
+
+echo "$as_me:$LINENO: checking for gettimeofday" >&5
+echo $ECHO_N "checking for gettimeofday... $ECHO_C" >&6
+if test "${ac_cv_func_gettimeofday+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define gettimeofday to an innocuous variant, in case <limits.h> declares gettimeofday.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define gettimeofday innocuous_gettimeofday
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char gettimeofday (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef gettimeofday
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char gettimeofday ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_gettimeofday) || defined (__stub___gettimeofday)
+choke me
+#else
+char (*f) () = gettimeofday;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != gettimeofday;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_gettimeofday=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_gettimeofday=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_gettimeofday" >&5
+echo "${ECHO_T}$ac_cv_func_gettimeofday" >&6
+if test $ac_cv_func_gettimeofday = yes; then
+ NEED_GETTIMEOFDAY="#undef NEED_GETTIMEOFDAY"
+else
+ NEED_GETTIMEOFDAY="#define NEED_GETTIMEOFDAY 1"
+fi
+
+
+echo "$as_me:$LINENO: checking for strndup" >&5
+echo $ECHO_N "checking for strndup... $ECHO_C" >&6
+if test "${ac_cv_func_strndup+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strndup to an innocuous variant, in case <limits.h> declares strndup.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strndup innocuous_strndup
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strndup (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strndup
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strndup ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strndup) || defined (__stub___strndup)
+choke me
+#else
+char (*f) () = strndup;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strndup;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strndup=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strndup=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strndup" >&5
+echo "${ECHO_T}$ac_cv_func_strndup" >&6
+if test $ac_cv_func_strndup = yes; then
+ HAVE_STRNDUP="#define HAVE_STRNDUP 1"
+else
+ HAVE_STRNDUP="#undef HAVE_STRNDUP"
+fi
+
+
+
+#
+# Look for a sysctl call to get the list of network interfaces.
+#
+echo "$as_me:$LINENO: checking for interface list sysctl" >&5
+echo $ECHO_N "checking for interface list sysctl... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/socket.h>
+#ifdef NET_RT_IFLIST
+found_rt_iflist
+#endif
+
+_ACEOF
+if (eval "$ac_cpp conftest.$ac_ext") 2>&5 |
+ $EGREP "found_rt_iflist" >/dev/null 2>&1; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_IFLIST_SYSCTL 1
+_ACEOF
+
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi
+rm -f conftest*
+
+
+#
+# Check for some other useful functions that are not ever-present.
+#
+echo "$as_me:$LINENO: checking for strsep" >&5
+echo $ECHO_N "checking for strsep... $ECHO_C" >&6
+if test "${ac_cv_func_strsep+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strsep to an innocuous variant, in case <limits.h> declares strsep.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strsep innocuous_strsep
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strsep (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strsep
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strsep ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strsep) || defined (__stub___strsep)
+choke me
+#else
+char (*f) () = strsep;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strsep;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strsep=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strsep=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strsep" >&5
+echo "${ECHO_T}$ac_cv_func_strsep" >&6
+if test $ac_cv_func_strsep = yes; then
+ ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"
+else
+ ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"
+fi
+
+echo "$as_me:$LINENO: checking for vsnprintf" >&5
+echo $ECHO_N "checking for vsnprintf... $ECHO_C" >&6
+if test "${ac_cv_func_vsnprintf+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define vsnprintf to an innocuous variant, in case <limits.h> declares vsnprintf.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define vsnprintf innocuous_vsnprintf
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char vsnprintf (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef vsnprintf
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char vsnprintf ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_vsnprintf) || defined (__stub___vsnprintf)
+choke me
+#else
+char (*f) () = vsnprintf;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != vsnprintf;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_vsnprintf=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_vsnprintf=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_vsnprintf" >&5
+echo "${ECHO_T}$ac_cv_func_vsnprintf" >&6
+if test $ac_cv_func_vsnprintf = yes; then
+ ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"
+else
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
+ ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
+fi
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for strerror" >&5
+echo $ECHO_N "checking for strerror... $ECHO_C" >&6
+if test "${ac_cv_func_strerror+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define strerror to an innocuous variant, in case <limits.h> declares strerror.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define strerror innocuous_strerror
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char strerror (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef strerror
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char strerror ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_strerror) || defined (__stub___strerror)
+choke me
+#else
+char (*f) () = strerror;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != strerror;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_strerror=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_strerror=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_strerror" >&5
+echo "${ECHO_T}$ac_cv_func_strerror" >&6
+if test $ac_cv_func_strerror = yes; then
+ USE_SYSERROR_LIST="#undef USE_SYSERROR_LIST"
+else
+ USE_SYSERROR_LIST="#define USE_SYSERROR_LIST 1"
+fi
+
+
+
+#
+# Determine the printf format characters to use when printing
+# values of type isc_int64_t. We make the assumption that platforms
+# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
+# want "%ld" and everyone else can use "%lld". Win32 uses "%I64d",
+# but that's defined elsewhere since we don't use configure on Win32.
+#
+echo "$as_me:$LINENO: checking printf format modifier for 64-bit integers" >&5
+echo $ECHO_N "checking printf format modifier for 64-bit integers... $ECHO_C" >&6
+if test "$cross_compiling" = yes; then
+ echo "$as_me:$LINENO: result: default ll" >&5
+echo "${ECHO_T}default ll" >&6
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+main() { exit(!(sizeof(long long int) == sizeof(long int))); }
+_ACEOF
+rm -f conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && { ac_try='./conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: l" >&5
+echo "${ECHO_T}l" >&6
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'
+else
+ echo "$as_me: program exited with status $ac_status" >&5
+echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+( exit $ac_status )
+echo "$as_me:$LINENO: result: ll" >&5
+echo "${ECHO_T}ll" >&6
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
+fi
+rm -f core *.core gmon.out bb.out conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext
+fi
+
+
+#
+# Security Stuff
+#
+echo "$as_me:$LINENO: checking for chroot" >&5
+echo $ECHO_N "checking for chroot... $ECHO_C" >&6
+if test "${ac_cv_func_chroot+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define chroot to an innocuous variant, in case <limits.h> declares chroot.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define chroot innocuous_chroot
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char chroot (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef chroot
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char chroot ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_chroot) || defined (__stub___chroot)
+choke me
+#else
+char (*f) () = chroot;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != chroot;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_chroot=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_chroot=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_chroot" >&5
+echo "${ECHO_T}$ac_cv_func_chroot" >&6
+if test $ac_cv_func_chroot = yes; then
+ cat >>confdefs.h <<\_ACEOF
+#define HAVE_CHROOT 1
+_ACEOF
+
+fi
+
+
+#
+# for accept, recvfrom, getpeername etc.
+#
+echo "$as_me:$LINENO: checking for socket length type" >&5
+echo $ECHO_N "checking for socket length type... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, socklen_t *);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ISC_SOCKLEN_T="#define ISC_SOCKLEN_T socklen_t"
+echo "$as_me:$LINENO: result: socklen_t" >&5
+echo "${ECHO_T}socklen_t" >&6
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, unsigned int *);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned int"
+echo "$as_me:$LINENO: result: unsigned int" >&5
+echo "${ECHO_T}unsigned int" >&6
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, unsigned long *);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned long"
+echo "$as_me:$LINENO: result: unsigned long" >&5
+echo "${ECHO_T}unsigned long" >&6
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, long *);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ISC_SOCKLEN_T="#define ISC_SOCKLEN_T long"
+echo "$as_me:$LINENO: result: long" >&5
+echo "${ECHO_T}long" >&6
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ISC_SOCKLEN_T="#define ISC_SOCKLEN_T int"
+echo "$as_me:$LINENO: result: int" >&5
+echo "${ECHO_T}int" >&6
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for getgrouplist" >&5
+echo $ECHO_N "checking for getgrouplist... $ECHO_C" >&6
+if test "${ac_cv_func_getgrouplist+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getgrouplist to an innocuous variant, in case <limits.h> declares getgrouplist.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getgrouplist innocuous_getgrouplist
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getgrouplist (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getgrouplist
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getgrouplist ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getgrouplist) || defined (__stub___getgrouplist)
+choke me
+#else
+char (*f) () = getgrouplist;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getgrouplist;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getgrouplist=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getgrouplist=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getgrouplist" >&5
+echo "${ECHO_T}$ac_cv_func_getgrouplist" >&6
+if test $ac_cv_func_getgrouplist = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <unistd.h>
+int
+getgrouplist(const char *name, int basegid, int *groups, int *ngroups) {
+}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, int basegid, int *groups, int *ngroups"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+else
+ GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_GETGROUPLIST 1
+_ACEOF
+
+
+fi
+
+
+
+echo "$as_me:$LINENO: checking for setgroupent" >&5
+echo $ECHO_N "checking for setgroupent... $ECHO_C" >&6
+if test "${ac_cv_func_setgroupent+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setgroupent to an innocuous variant, in case <limits.h> declares setgroupent.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setgroupent innocuous_setgroupent
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setgroupent (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setgroupent
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setgroupent ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setgroupent) || defined (__stub___setgroupent)
+choke me
+#else
+char (*f) () = setgroupent;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setgroupent;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setgroupent=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setgroupent=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setgroupent" >&5
+echo "${ECHO_T}$ac_cv_func_setgroupent" >&6
+if test $ac_cv_func_setgroupent = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_SETGROUPENT 1
+_ACEOF
+
+fi
+
+
+echo "$as_me:$LINENO: checking for getnetbyaddr_r" >&5
+echo $ECHO_N "checking for getnetbyaddr_r... $ECHO_C" >&6
+if test "${ac_cv_func_getnetbyaddr_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getnetbyaddr_r to an innocuous variant, in case <limits.h> declares getnetbyaddr_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getnetbyaddr_r innocuous_getnetbyaddr_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getnetbyaddr_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getnetbyaddr_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getnetbyaddr_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getnetbyaddr_r) || defined (__stub___getnetbyaddr_r)
+choke me
+#else
+char (*f) () = getnetbyaddr_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getnetbyaddr_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getnetbyaddr_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getnetbyaddr_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getnetbyaddr_r" >&5
+echo "${ECHO_T}$ac_cv_func_getnetbyaddr_r" >&6
+if test $ac_cv_func_getnetbyaddr_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct netent *
+getnetbyaddr_r(long net, int type, struct netent *result, char *buffer,
+int buflen) {}
+
+int
+main ()
+{
+return (0)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
+NET_R_BAD="#define NET_R_BAD NULL"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
+NET_R_OK="#define NET_R_OK nptr"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN struct netent *"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#undef NETENT_DATA"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetbyaddr_r (unsigned long int, int, struct netent *,
+ char *, size_t, struct netent **, int *);
+
+int
+main ()
+{
+return (0)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
+NET_R_BAD="#define NET_R_BAD ERANGE"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#define NET_R_SETANSWER 1"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
+NETENT_DATA="#undef NETENT_DATA"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int getnetbyaddr_r(int, int, struct netent *, struct netent_data *);
+
+int
+main ()
+{
+return (0)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
+NET_R_BAD="#define NET_R_BAD (-1)"
+NET_R_COPY="#define NET_R_COPY ndptr"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int"
+NETENT_DATA="#define NETENT_DATA 1"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
+
+int
+main ()
+{
+return (0)
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
+NET_R_BAD="#define NET_R_BAD (-1)"
+NET_R_COPY="#define NET_R_COPY ndptr"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#define NETENT_DATA 1"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
+NET_R_BAD="#define NET_R_BAD NULL"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
+NET_R_OK="#define NET_R_OK nptr"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN struct netent *"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#undef NETENT_DATA"
+
+fi
+
+case "$host" in
+*dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
+esac
+
+
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for setnetent_r" >&5
+echo $ECHO_N "checking for setnetent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setnetent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setnetent_r to an innocuous variant, in case <limits.h> declares setnetent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setnetent_r innocuous_setnetent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setnetent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setnetent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setnetent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setnetent_r) || defined (__stub___setnetent_r)
+choke me
+#else
+char (*f) () = setnetent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setnetent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setnetent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setnetent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setnetent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setnetent_r" >&6
+if test $ac_cv_func_setnetent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setnetent_r (int);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
+NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int setnetent_r(int, struct netent_data *);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_ENT_ARGS="#define NET_R_ENT_ARGS struct netent_data *ndptr"
+NET_R_SET_RESULT="#define NET_R_SET_RESULT NET_R_OK"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN int"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
+NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endnetent_r" >&5
+echo $ECHO_N "checking for endnetent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endnetent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endnetent_r to an innocuous variant, in case <limits.h> declares endnetent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endnetent_r innocuous_endnetent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endnetent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endnetent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endnetent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endnetent_r) || defined (__stub___endnetent_r)
+choke me
+#else
+char (*f) () = endnetent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endnetent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endnetent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endnetent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endnetent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endnetent_r" >&6
+if test $ac_cv_func_endnetent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endnetent_r (void);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int endnetent_r(struct netent_data *);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) return (x)"
+NET_R_END_RETURN="#define NET_R_END_RETURN int"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endnetent_r(struct netent_data *);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for getgrnam_r" >&5
+echo $ECHO_N "checking for getgrnam_r... $ECHO_C" >&6
+if test "${ac_cv_func_getgrnam_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getgrnam_r to an innocuous variant, in case <limits.h> declares getgrnam_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getgrnam_r innocuous_getgrnam_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getgrnam_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getgrnam_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getgrnam_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getgrnam_r) || defined (__stub___getgrnam_r)
+choke me
+#else
+char (*f) () = getgrnam_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getgrnam_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getgrnam_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getgrnam_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getgrnam_r" >&5
+echo "${ECHO_T}$ac_cv_func_getgrnam_r" >&6
+if test $ac_cv_func_getgrnam_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_GETGRNAM_R 1
+_ACEOF
+
+fi
+
+echo "$as_me:$LINENO: checking for getgrgid_r" >&5
+echo $ECHO_N "checking for getgrgid_r... $ECHO_C" >&6
+if test "${ac_cv_func_getgrgid_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getgrgid_r to an innocuous variant, in case <limits.h> declares getgrgid_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getgrgid_r innocuous_getgrgid_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getgrgid_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getgrgid_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getgrgid_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getgrgid_r) || defined (__stub___getgrgid_r)
+choke me
+#else
+char (*f) () = getgrgid_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getgrgid_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getgrgid_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getgrgid_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getgrgid_r" >&5
+echo "${ECHO_T}$ac_cv_func_getgrgid_r" >&6
+if test $ac_cv_func_getgrgid_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_GETGRGID_R 1
+_ACEOF
+
+fi
+
+
+echo "$as_me:$LINENO: checking for getgrent_r" >&5
+echo $ECHO_N "checking for getgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_getgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getgrent_r to an innocuous variant, in case <limits.h> declares getgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getgrent_r innocuous_getgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getgrent_r) || defined (__stub___getgrent_r)
+choke me
+#else
+char (*f) () = getgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_getgrent_r" >&6
+if test $ac_cv_func_getgrent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <grp.h>
+struct group *getgrent_r(struct group *grp, char *buffer,
+ int buflen) {}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
+GROUP_R_BAD="#define GROUP_R_BAD NULL"
+GROUP_R_OK="#define GROUP_R_OK gptr"
+GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
+GROUP_R_BAD="#define GROUP_R_BAD NULL"
+GROUP_R_OK="#define GROUP_R_OK gptr"
+GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_GETGRENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endgrent_r" >&5
+echo $ECHO_N "checking for endgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endgrent_r to an innocuous variant, in case <limits.h> declares endgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endgrent_r innocuous_endgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endgrent_r) || defined (__stub___endgrent_r)
+choke me
+#else
+char (*f) () = endgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endgrent_r" >&6
+if test $ac_cv_func_endgrent_r = yes; then
+ :
+else
+ GROUP_R_END_RESULT="#define GROUP_R_END_RESULT(x) /*empty*/"
+GROUP_R_END_RETURN="#define GROUP_R_END_RETURN void"
+GROUP_R_ENT_ARGS="#define GROUP_R_ENT_ARGS void"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_ENDGRENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for setgrent_r" >&5
+echo $ECHO_N "checking for setgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setgrent_r to an innocuous variant, in case <limits.h> declares setgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setgrent_r innocuous_setgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setgrent_r) || defined (__stub___setgrent_r)
+choke me
+#else
+char (*f) () = setgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setgrent_r" >&6
+if test $ac_cv_func_setgrent_r = yes; then
+ :
+else
+ GROUP_R_SET_RESULT="#undef GROUP_R_SET_RESULT /*empty*/"
+GROUP_R_SET_RETURN="#define GROUP_R_SET_RETURN void"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_SETGRENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for gethostbyname_r" >&5
+echo $ECHO_N "checking for gethostbyname_r... $ECHO_C" >&6
+if test "${ac_cv_func_gethostbyname_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define gethostbyname_r to an innocuous variant, in case <limits.h> declares gethostbyname_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define gethostbyname_r innocuous_gethostbyname_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char gethostbyname_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef gethostbyname_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char gethostbyname_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_gethostbyname_r) || defined (__stub___gethostbyname_r)
+choke me
+#else
+char (*f) () = gethostbyname_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != gethostbyname_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_gethostbyname_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_gethostbyname_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_gethostbyname_r" >&5
+echo "${ECHO_T}$ac_cv_func_gethostbyname_r" >&6
+if test $ac_cv_func_gethostbyname_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct hostent *gethostbyname_r
+(const char *name, struct hostent *hp, char *buf, int len, int *h_errnop) {}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD NULL"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK hptr"
+HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int gethostbyname_r(const char *name,
+ struct hostent *result,
+ struct hostent_data *hdptr);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
+HOST_R_BAD="#define HOST_R_BAD (-1)"
+HOST_R_COPY="#define HOST_R_COPY hdptr"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
+HOST_R_ERRNO="#define HOST_R_ERRNO NULL"
+HOST_R_OK="#define HOST_R_OK 0"
+HOST_R_RETURN="#define HOST_R_RETURN int"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#define HOSTENT_DATA 1"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int gethostbyname_r (const char *,
+ struct hostent *,
+ char *, size_t,
+ struct hostent **,
+ int *);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+HOST_R_ARGS="#define HOST_R_ARGS char *buf, size_t buflen, struct hostent **answerp, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD ERANGE"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK 0"
+HOST_R_RETURN="#define HOST_R_RETURN int"
+HOST_R_SETANSWER="#define HOST_R_SETANSWER 1"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD NULL"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK hptr"
+HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+
+fi
+
+
+
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endhostent_r" >&5
+echo $ECHO_N "checking for endhostent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endhostent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endhostent_r to an innocuous variant, in case <limits.h> declares endhostent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endhostent_r innocuous_endhostent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endhostent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endhostent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endhostent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endhostent_r) || defined (__stub___endhostent_r)
+choke me
+#else
+char (*f) () = endhostent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endhostent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endhostent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endhostent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endhostent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endhostent_r" >&6
+if test $ac_cv_func_endhostent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int endhostent_r(struct hostent_data *buffer);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) return (x)"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN int"
+HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endhostent_r(struct hostent_data *ht_data);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x)"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endhostent_r(void);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for sethostent_r" >&5
+echo $ECHO_N "checking for sethostent_r... $ECHO_C" >&6
+if test "${ac_cv_func_sethostent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define sethostent_r to an innocuous variant, in case <limits.h> declares sethostent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define sethostent_r innocuous_sethostent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char sethostent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef sethostent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char sethostent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_sethostent_r) || defined (__stub___sethostent_r)
+choke me
+#else
+char (*f) () = sethostent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != sethostent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_sethostent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_sethostent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_sethostent_r" >&5
+echo "${ECHO_T}$ac_cv_func_sethostent_r" >&6
+if test $ac_cv_func_sethostent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void sethostent_r(int flag, struct hostent_data *ht_data);
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT /*empty*/"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int sethostent_r(int flag, struct hostent_data *ht_data);
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ HOST_R_SET_RESULT="#define HOST_R_SET_RESULT 0"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN int"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void sethostent_r (int);
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking struct passwd element pw_class" >&5
+echo $ECHO_N "checking struct passwd element pw_class... $ECHO_C" >&6
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <pwd.h>
+
+int
+main ()
+{
+struct passwd *pw; pw->pw_class = "";
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+cat >>confdefs.h <<\_ACEOF
+#define HAS_PW_CLASS 1
+_ACEOF
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <pwd.h>
+void
+setpwent(void) {}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ SETPWENT_VOID="#define SETPWENT_VOID 1"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+SETPWENT_VOID="#undef SETPWENT_VOID"
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <grp.h>
+void
+setgrent(void) {}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ SETGRENT_VOID="#define SETGRENT_VOID 1"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+SETGRENT_VOID="#undef SETGRENT_VOID"
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+echo "$as_me:$LINENO: checking for getnetgrent_r" >&5
+echo $ECHO_N "checking for getnetgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_getnetgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getnetgrent_r to an innocuous variant, in case <limits.h> declares getnetgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getnetgrent_r innocuous_getnetgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getnetgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getnetgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getnetgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getnetgrent_r) || defined (__stub___getnetgrent_r)
+choke me
+#else
+char (*f) () = getnetgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getnetgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getnetgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getnetgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getnetgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_getnetgrent_r" >&6
+if test $ac_cv_func_getnetgrent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetgrent_r(char **m, char **u, char **d, char *b, int l) {}
+
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetgrent_r(char **m, char **u, char **d, char *b, size_t l) {}
+
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NGR_R_ARGS="#define NGR_R_ARGS char *buf, size_t buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int getnetgrent_r( char **, char **, char **, void **);
+
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+NGR_R_ARGS="#define NGR_R_ARGS void **buf"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+NGR_R_PRIVATE="#define NGR_R_PRIVATE 1"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+
+fi
+
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endnetgrent_r" >&5
+echo $ECHO_N "checking for endnetgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endnetgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endnetgrent_r to an innocuous variant, in case <limits.h> declares endnetgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endnetgrent_r innocuous_endnetgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endnetgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endnetgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endnetgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endnetgrent_r) || defined (__stub___endnetgrent_r)
+choke me
+#else
+char (*f) () = endnetgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endnetgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endnetgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endnetgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endnetgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endnetgrent_r" >&6
+if test $ac_cv_func_endnetgrent_r = yes; then
+ NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)"
+NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
+NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
+
+else
+ NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/"
+NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
+NGR_R_ENT_ARGS="#undef NGR_R_ENT_ARGS /*empty*/"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_ENDNETGRENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for setnetgrent_r" >&5
+echo $ECHO_N "checking for setnetgrent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setnetgrent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setnetgrent_r to an innocuous variant, in case <limits.h> declares setnetgrent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setnetgrent_r innocuous_setnetgrent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setnetgrent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setnetgrent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setnetgrent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setnetgrent_r) || defined (__stub___setnetgrent_r)
+choke me
+#else
+char (*f) () = setnetgrent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setnetgrent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setnetgrent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setnetgrent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setnetgrent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setnetgrent_r" >&6
+if test $ac_cv_func_setnetgrent_r = yes; then
+
+case "$host" in
+*bsdi*)
+ NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
+ NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
+ ;;
+*)
+ NGR_R_SET_RESULT="#define NGR_R_SET_RESULT NGR_R_OK"
+ NGR_R_SET_RETURN="#define NGR_R_SET_RETURN int"
+ ;;
+esac
+
+
+else
+ NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
+NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for innetgr_r" >&5
+echo $ECHO_N "checking for innetgr_r... $ECHO_C" >&6
+if test "${ac_cv_func_innetgr_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define innetgr_r to an innocuous variant, in case <limits.h> declares innetgr_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define innetgr_r innocuous_innetgr_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char innetgr_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef innetgr_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char innetgr_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_innetgr_r) || defined (__stub___innetgr_r)
+choke me
+#else
+char (*f) () = innetgr_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != innetgr_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_innetgr_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_innetgr_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_innetgr_r" >&5
+echo "${ECHO_T}$ac_cv_func_innetgr_r" >&6
+if test $ac_cv_func_innetgr_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_INNETGR_R 1
+_ACEOF
+
+fi
+
+
+echo "$as_me:$LINENO: checking for getprotoent_r" >&5
+echo $ECHO_N "checking for getprotoent_r... $ECHO_C" >&6
+if test "${ac_cv_func_getprotoent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getprotoent_r to an innocuous variant, in case <limits.h> declares getprotoent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getprotoent_r innocuous_getprotoent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getprotoent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getprotoent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getprotoent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getprotoent_r) || defined (__stub___getprotoent_r)
+choke me
+#else
+char (*f) () = getprotoent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getprotoent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getprotoent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getprotoent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getprotoent_r" >&5
+echo "${ECHO_T}$ac_cv_func_getprotoent_r" >&6
+if test $ac_cv_func_getprotoent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct protoent *getprotoent_r(struct protoent *result,
+ char *buffer, int buflen) {}
+
+
+int
+main ()
+{
+return (0);
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
+PROTO_R_BAD="#define PROTO_R_BAD NULL"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
+PROTO_R_OK="#define PROTO_R_OK pptr"
+PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
+PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getprotoent_r (struct protoent *, char *, size_t, struct protoent **);
+
+
+
+int
+main ()
+{
+return (0);
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, size_t buflen, struct protoent **answerp"
+PROTO_R_BAD="#define PROTO_R_BAD ERANGE"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
+PROTO_R_OK="#define PROTO_R_OK 0"
+PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
+PROTO_R_RETURN="#define PROTO_R_RETURN int"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
+PROTO_R_BAD="#define PROTO_R_BAD NULL"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
+PROTO_R_OK="#define PROTO_R_OK pptr"
+PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
+PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
+
+fi
+
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endprotoent_r" >&5
+echo $ECHO_N "checking for endprotoent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endprotoent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endprotoent_r to an innocuous variant, in case <limits.h> declares endprotoent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endprotoent_r innocuous_endprotoent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endprotoent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endprotoent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endprotoent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endprotoent_r) || defined (__stub___endprotoent_r)
+choke me
+#else
+char (*f) () = endprotoent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endprotoent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endprotoent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endprotoent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endprotoent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endprotoent_r" >&6
+if test $ac_cv_func_endprotoent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endprotoent_r(void);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
+PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
+PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
+PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
+PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for setprotoent_r" >&5
+echo $ECHO_N "checking for setprotoent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setprotoent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setprotoent_r to an innocuous variant, in case <limits.h> declares setprotoent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setprotoent_r innocuous_setprotoent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setprotoent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setprotoent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setprotoent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setprotoent_r) || defined (__stub___setprotoent_r)
+choke me
+#else
+char (*f) () = setprotoent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setprotoent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setprotoent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setprotoent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setprotoent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setprotoent_r" >&6
+if test $ac_cv_func_setprotoent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setprotoent_r __P((int));
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
+PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
+PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for getpwent_r" >&5
+echo $ECHO_N "checking for getpwent_r... $ECHO_C" >&6
+if test "${ac_cv_func_getpwent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getpwent_r to an innocuous variant, in case <limits.h> declares getpwent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getpwent_r innocuous_getpwent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getpwent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getpwent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getpwent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getpwent_r) || defined (__stub___getpwent_r)
+choke me
+#else
+char (*f) () = getpwent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getpwent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getpwent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getpwent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getpwent_r" >&5
+echo "${ECHO_T}$ac_cv_func_getpwent_r" >&6
+if test $ac_cv_func_getpwent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <sys/types.h>
+#include <pwd.h>
+struct passwd *
+getpwent_r(struct passwd *pwptr, char *buf, int buflen) {}
+
+
+int
+main ()
+{
+
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
+PASS_R_BAD="#define PASS_R_BAD NULL"
+PASS_R_COPY="#define PASS_R_COPY buf, buflen"
+PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
+PASS_R_OK="#define PASS_R_OK pwptr"
+PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
+PASS_R_BAD="#define PASS_R_BAD NULL"
+PASS_R_COPY="#define PASS_R_COPY buf, buflen"
+PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
+PASS_R_OK="#define PASS_R_OK pwptr"
+PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_GETPWENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endpwent_r" >&5
+echo $ECHO_N "checking for endpwent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endpwent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endpwent_r to an innocuous variant, in case <limits.h> declares endpwent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endpwent_r innocuous_endpwent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endpwent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endpwent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endpwent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endpwent_r) || defined (__stub___endpwent_r)
+choke me
+#else
+char (*f) () = endpwent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endpwent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endpwent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endpwent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endpwent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endpwent_r" >&6
+if test $ac_cv_func_endpwent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <pwd.h>
+void endpwent_r(FILE **pwfp);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
+PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
+PASS_R_ENT_ARGS="#define PASS_R_ENT_ARGS FILE **pwptr"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
+PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
+PASS_R_ENT_ARGS="#undef PASS_R_ENT_ARGS"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_ENDPWENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for setpassent_r" >&5
+echo $ECHO_N "checking for setpassent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setpassent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setpassent_r to an innocuous variant, in case <limits.h> declares setpassent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setpassent_r innocuous_setpassent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setpassent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setpassent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setpassent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setpassent_r) || defined (__stub___setpassent_r)
+choke me
+#else
+char (*f) () = setpassent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setpassent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setpassent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setpassent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setpassent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setpassent_r" >&6
+if test $ac_cv_func_setpassent_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_SETPASSENT_R 1
+_ACEOF
+
+fi
+
+echo "$as_me:$LINENO: checking for setpassent" >&5
+echo $ECHO_N "checking for setpassent... $ECHO_C" >&6
+if test "${ac_cv_func_setpassent+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setpassent to an innocuous variant, in case <limits.h> declares setpassent.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setpassent innocuous_setpassent
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setpassent (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setpassent
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setpassent ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setpassent) || defined (__stub___setpassent)
+choke me
+#else
+char (*f) () = setpassent;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setpassent;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setpassent=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setpassent=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setpassent" >&5
+echo "${ECHO_T}$ac_cv_func_setpassent" >&6
+if test $ac_cv_func_setpassent = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_SETPASSENT 1
+_ACEOF
+
+fi
+
+
+echo "$as_me:$LINENO: checking for setpwent_r" >&5
+echo $ECHO_N "checking for setpwent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setpwent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setpwent_r to an innocuous variant, in case <limits.h> declares setpwent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setpwent_r innocuous_setpwent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setpwent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setpwent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setpwent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setpwent_r) || defined (__stub___setpwent_r)
+choke me
+#else
+char (*f) () = setpwent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setpwent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setpwent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setpwent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setpwent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setpwent_r" >&6
+if test $ac_cv_func_setpwent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <pwd.h>
+void setpwent_r(FILE **pwfp);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /* empty */"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#include <pwd.h>
+int setpwent_r(FILE **pwfp);
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ PASS_R_SET_RESULT="#define PASS_R_SET_RESULT 0"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /*empty*/"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN void"
+cat >>confdefs.h <<\_ACEOF
+#define NEED_SETPWENT_R 1
+_ACEOF
+
+
+fi
+
+
+
+
+echo "$as_me:$LINENO: checking for getpwnam_r" >&5
+echo $ECHO_N "checking for getpwnam_r... $ECHO_C" >&6
+if test "${ac_cv_func_getpwnam_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getpwnam_r to an innocuous variant, in case <limits.h> declares getpwnam_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getpwnam_r innocuous_getpwnam_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getpwnam_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getpwnam_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getpwnam_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getpwnam_r) || defined (__stub___getpwnam_r)
+choke me
+#else
+char (*f) () = getpwnam_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getpwnam_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getpwnam_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getpwnam_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getpwnam_r" >&5
+echo "${ECHO_T}$ac_cv_func_getpwnam_r" >&6
+if test $ac_cv_func_getpwnam_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_GETPWNAM_R 1
+_ACEOF
+
+fi
+
+echo "$as_me:$LINENO: checking for getpwuid_r" >&5
+echo $ECHO_N "checking for getpwuid_r... $ECHO_C" >&6
+if test "${ac_cv_func_getpwuid_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getpwuid_r to an innocuous variant, in case <limits.h> declares getpwuid_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getpwuid_r innocuous_getpwuid_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getpwuid_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getpwuid_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getpwuid_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getpwuid_r) || defined (__stub___getpwuid_r)
+choke me
+#else
+char (*f) () = getpwuid_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getpwuid_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getpwuid_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getpwuid_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getpwuid_r" >&5
+echo "${ECHO_T}$ac_cv_func_getpwuid_r" >&6
+if test $ac_cv_func_getpwuid_r = yes; then
+ :
+else
+ cat >>confdefs.h <<\_ACEOF
+#define NEED_GETPWUID_R 1
+_ACEOF
+
+fi
+
+
+echo "$as_me:$LINENO: checking for getservent_r" >&5
+echo $ECHO_N "checking for getservent_r... $ECHO_C" >&6
+if test "${ac_cv_func_getservent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define getservent_r to an innocuous variant, in case <limits.h> declares getservent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define getservent_r innocuous_getservent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char getservent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef getservent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char getservent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_getservent_r) || defined (__stub___getservent_r)
+choke me
+#else
+char (*f) () = getservent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != getservent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_getservent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_getservent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_getservent_r" >&5
+echo "${ECHO_T}$ac_cv_func_getservent_r" >&6
+if test $ac_cv_func_getservent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct servent *
+getservent_r(struct servent *result, char *buffer, int buflen) {}
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
+SERV_R_BAD="#define SERV_R_BAD NULL"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
+SERV_R_OK="#define SERV_R_OK sptr"
+SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
+SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int
+getservent_r (struct servent *, char *, size_t, struct servent **);
+
+int
+main ()
+{
+return (0);
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SERV_R_ARGS="#define SERV_R_ARGS char *buf, size_t buflen, struct servent **answerp"
+SERV_R_BAD="#define SERV_R_BAD ERANGE"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS char *buf, size_t buflen"
+SERV_R_OK="#define SERV_R_OK (0)"
+SERV_R_SETANSWER="#define SERV_R_SETANSWER 1"
+SERV_R_RETURN="#define SERV_R_RETURN int"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
+SERV_R_BAD="#define SERV_R_BAD NULL"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
+SERV_R_OK="#define SERV_R_OK sptr"
+SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
+SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
+
+fi
+
+
+
+
+
+
+
+
+
+echo "$as_me:$LINENO: checking for endservent_r" >&5
+echo $ECHO_N "checking for endservent_r... $ECHO_C" >&6
+if test "${ac_cv_func_endservent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define endservent_r to an innocuous variant, in case <limits.h> declares endservent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define endservent_r innocuous_endservent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char endservent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef endservent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char endservent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_endservent_r) || defined (__stub___endservent_r)
+choke me
+#else
+char (*f) () = endservent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != endservent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_endservent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_endservent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_endservent_r" >&5
+echo "${ECHO_T}$ac_cv_func_endservent_r" >&6
+if test $ac_cv_func_endservent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endservent_r(void);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
+SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
+SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
+SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
+SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
+
+fi
+
+
+
+
+
+echo "$as_me:$LINENO: checking for setservent_r" >&5
+echo $ECHO_N "checking for setservent_r... $ECHO_C" >&6
+if test "${ac_cv_func_setservent_r+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+/* Define setservent_r to an innocuous variant, in case <limits.h> declares setservent_r.
+ For example, HP-UX 11i <limits.h> declares gettimeofday. */
+#define setservent_r innocuous_setservent_r
+
+/* System header to define __stub macros and hopefully few prototypes,
+ which can conflict with char setservent_r (); below.
+ Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ <limits.h> exists even on freestanding compilers. */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef setservent_r
+
+/* Override any gcc2 internal prototype to avoid an error. */
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char setservent_r ();
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+#if defined (__stub_setservent_r) || defined (__stub___setservent_r)
+choke me
+#else
+char (*f) () = setservent_r;
+#endif
+#ifdef __cplusplus
+}
+#endif
+
+int
+main ()
+{
+return f != setservent_r;
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
+ (eval $ac_link) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest$ac_exeext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+ ac_cv_func_setservent_r=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ac_cv_func_setservent_r=no
+fi
+rm -f conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+fi
+echo "$as_me:$LINENO: result: $ac_cv_func_setservent_r" >&5
+echo "${ECHO_T}$ac_cv_func_setservent_r" >&6
+if test $ac_cv_func_setservent_r = yes; then
+ cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setservent_r(int);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
+SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+else
+ SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
+SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
+
+fi
+
+
+
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+int innetgr(const char *netgroup, const char *host, const char *user, const char *domain);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+INNETGR_ARGS="#undef INNETGR_ARGS"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+int innetgr(char *netgroup, char *host, char *user, char *domain);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+INNETGR_ARGS="#define INNETGR_ARGS char *netgroup, char *host, char *user, char *domain"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+void setnetgrent(const char *);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SETNETGRENT_ARGS="#undef SETNETGRENT_ARGS"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+void setnetgrent(char *);
+
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
+ (eval $ac_compile) 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } &&
+ { ac_try='test -z "$ac_c_werror_flag"
+ || test ! -s conftest.err'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; } &&
+ { ac_try='test -s conftest.$ac_objext'
+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
+ (eval $ac_try) 2>&5
+ ac_status=$?
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); }; }; then
+
+SETNETGRENT_ARGS="#define SETNETGRENT_ARGS char *netgroup"
+
+
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
+
+
+
+#
+# Random remaining OS-specific issues involving compiler warnings.
+# XXXDCL print messages to indicate some compensation is being done?
+#
+
+ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
+BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
+
+case "$host" in
+ *-bsdi3.1*)
+ hack_shutup_sputaux=yes
+ ;;
+ *-bsdi4.0*)
+ hack_shutup_sigwait=yes
+ hack_shutup_sputaux=yes
+ hack_shutup_in6addr_init_macros=yes
+ ;;
+ *-bsdi4.1*)
+ hack_shutup_stdargcast=yes
+ ;;
+ *-solaris2.8)
+ hack_shutup_pthreadonceinit=yes
+ hack_shutup_in6addr_init_macros=yes
+ ;;
+esac
+
+case "$hack_shutup_pthreadonceinit" in
+ yes)
+ #
+ # Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
+ #
+ ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
+ ;;
+esac
+
+case "$hack_shutup_sigwait" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning for sigwait().
+ #
+ cat >>confdefs.h <<\_ACEOF
+#define SHUTUP_SIGWAIT 1
+_ACEOF
+
+ ;;
+esac
+
+case "$hack_shutup_sputaux" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning from <stdio.h>.
+ #
+ cat >>confdefs.h <<\_ACEOF
+#define SHUTUP_SPUTAUX 1
+_ACEOF
+
+ ;;
+esac
+
+case "$hack_shutup_stdargcast" in
+ yes)
+ #
+ # Shut up a -Wcast-qual warning from va_start().
+ #
+ cat >>confdefs.h <<\_ACEOF
+#define SHUTUP_STDARG_CAST 1
+_ACEOF
+
+ ;;
+esac
+
+case "$hack_shutup_in6addr_init_macros" in
+ yes)
+ cat >>confdefs.h <<\_ACEOF
+#define BROKEN_IN6ADDR_INIT_MACROS 1
+_ACEOF
+
+ ;;
+esac
+
+#
+# Substitutions
+#
+
+BIND9_TOP_BUILDDIR=`pwd`
+
+
+BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+
+
+BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
+
+. $srcdir/../../version
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+
+
+
+LIBBIND_API=$srcdir/api
+
+ ac_config_files="$ac_config_files make/rules make/mkdep make/includes Makefile bsd/Makefile dst/Makefile include/Makefile inet/Makefile irs/Makefile isc/Makefile nameser/Makefile port_after.h port_before.h resolv/Makefile port/Makefile ${PORT_DIR}/Makefile ${PORT_INCLUDE}/Makefile"
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems. If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, don't put newlines in cache variables' values.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+{
+ (set) 2>&1 |
+ case `(ac_space=' '; set | grep ac_space) 2>&1` in
+ *ac_space=\ *)
+ # `set' does not quote correctly, so add quotes (double-quote
+ # substitution turns \\\\ into \\, and sed turns \\ into \).
+ sed -n \
+ "s/'/'\\\\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+ ;;
+ *)
+ # `set' quotes correctly as required by POSIX, so do not add quotes.
+ sed -n \
+ "s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1=\\2/p"
+ ;;
+ esac;
+} |
+ sed '
+ t clear
+ : clear
+ s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+ t end
+ /^ac_cv_env/!s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+ : end' >>confcache
+if diff $cache_file confcache >/dev/null 2>&1; then :; else
+ if test -w $cache_file; then
+ test "x$cache_file" != "x/dev/null" && echo "updating cache $cache_file"
+ cat confcache >$cache_file
+ else
+ echo "not updating unwritable cache $cache_file"
+ fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+# VPATH may cause trouble with some makes, so we remove $(srcdir),
+# ${srcdir} and @srcdir@ from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+ ac_vpsub='/^[ ]*VPATH[ ]*=/{
+s/:*\$(srcdir):*/:/;
+s/:*\${srcdir}:*/:/;
+s/:*@srcdir@:*/:/;
+s/^\([^=]*=[ ]*\):*/\1/;
+s/:*$//;
+s/^[^=]*=[ ]*$//;
+}'
+fi
+
+DEFS=-DHAVE_CONFIG_H
+
+ac_libobjs=
+ac_ltlibobjs=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+ # 1. Remove the extension, and $U if already installed.
+ ac_i=`echo "$ac_i" |
+ sed 's/\$U\././;s/\.o$//;s/\.obj$//'`
+ # 2. Add them.
+ ac_libobjs="$ac_libobjs $ac_i\$U.$ac_objext"
+ ac_ltlibobjs="$ac_ltlibobjs $ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+
+: ${CONFIG_STATUS=./config.status}
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ echo "$as_me:$LINENO: creating $CONFIG_STATUS" >&5
+echo "$as_me: creating $CONFIG_STATUS" >&6;}
+cat >$CONFIG_STATUS <<_ACEOF
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+SHELL=\${CONFIG_SHELL-$SHELL}
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+## --------------------- ##
+## M4sh Initialization. ##
+## --------------------- ##
+
+# Be Bourne compatible
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+ emulate sh
+ NULLCMD=:
+ # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+elif test -n "${BASH_VERSION+set}" && (set -o posix) >/dev/null 2>&1; then
+ set -o posix
+fi
+DUALCASE=1; export DUALCASE # for MKS sh
+
+# Support unset when possible.
+if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then
+ as_unset=unset
+else
+ as_unset=false
+fi
+
+
+# Work around bugs in pre-3.0 UWIN ksh.
+$as_unset ENV MAIL MAILPATH
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+for as_var in \
+ LANG LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_CTYPE LC_IDENTIFICATION \
+ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER \
+ LC_TELEPHONE LC_TIME
+do
+ if (set +x; test -z "`(eval $as_var=C; export $as_var) 2>&1`"); then
+ eval $as_var=C; export $as_var
+ else
+ $as_unset $as_var
+ fi
+done
+
+# Required to use basename.
+if expr a : '\(a\)' >/dev/null 2>&1; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename /) >/dev/null 2>&1 && test "X`basename / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+
+# Name of the executable.
+as_me=`$as_basename "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)$' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/; q; }
+ /^X\/\(\/\/\)$/{ s//\1/; q; }
+ /^X\/\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+
+
+# PATH needs CR, and LINENO needs CR and PATH.
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ echo "#! /bin/sh" >conf$$.sh
+ echo "exit 0" >>conf$$.sh
+ chmod +x conf$$.sh
+ if (PATH="/nonexistent;."; conf$$.sh) >/dev/null 2>&1; then
+ PATH_SEPARATOR=';'
+ else
+ PATH_SEPARATOR=:
+ fi
+ rm -f conf$$.sh
+fi
+
+
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x$as_lineno_3" = "x$as_lineno_2" || {
+ # Find who we are. Look in the path if we contain no path at all
+ # relative or not.
+ case $0 in
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+done
+
+ ;;
+ esac
+ # We did not find ourselves, most probably we were run as `sh COMMAND'
+ # in which case we are not to be found in the path.
+ if test "x$as_myself" = x; then
+ as_myself=$0
+ fi
+ if test ! -f "$as_myself"; then
+ { { echo "$as_me:$LINENO: error: cannot find myself; rerun with an absolute path" >&5
+echo "$as_me: error: cannot find myself; rerun with an absolute path" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+ case $CONFIG_SHELL in
+ '')
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for as_base in sh bash ksh sh5; do
+ case $as_dir in
+ /*)
+ if ("$as_dir/$as_base" -c '
+ as_lineno_1=$LINENO
+ as_lineno_2=$LINENO
+ as_lineno_3=`(expr $as_lineno_1 + 1) 2>/dev/null`
+ test "x$as_lineno_1" != "x$as_lineno_2" &&
+ test "x$as_lineno_3" = "x$as_lineno_2" ') 2>/dev/null; then
+ $as_unset BASH_ENV || test "${BASH_ENV+set}" != set || { BASH_ENV=; export BASH_ENV; }
+ $as_unset ENV || test "${ENV+set}" != set || { ENV=; export ENV; }
+ CONFIG_SHELL=$as_dir/$as_base
+ export CONFIG_SHELL
+ exec "$CONFIG_SHELL" "$0" ${1+"$@"}
+ fi;;
+ esac
+ done
+done
+;;
+ esac
+
+ # Create $as_me.lineno as a copy of $as_myself, but with $LINENO
+ # uniformly replaced by the line number. The first 'sed' inserts a
+ # line-number line before each line; the second 'sed' does the real
+ # work. The second script uses 'N' to pair each line-number line
+ # with the numbered line, and appends trailing '-' during
+ # substitution so that $LINENO is not a special case at line end.
+ # (Raja R Harinath suggested sed '=', and Paul Eggert wrote the
+ # second 'sed' script. Blame Lee E. McMahon for sed's syntax. :-)
+ sed '=' <$as_myself |
+ sed '
+ N
+ s,$,-,
+ : loop
+ s,^\(['$as_cr_digits']*\)\(.*\)[$]LINENO\([^'$as_cr_alnum'_]\),\1\2\1\3,
+ t loop
+ s,-$,,
+ s,^['$as_cr_digits']*\n,,
+ ' >$as_me.lineno &&
+ chmod +x $as_me.lineno ||
+ { { echo "$as_me:$LINENO: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&5
+echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2;}
+ { (exit 1); exit 1; }; }
+
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensible to this).
+ . ./$as_me.lineno
+ # Exit status is that of the last command.
+ exit
+}
+
+
+case `echo "testing\c"; echo 1,2,3`,`echo -n testing; echo 1,2,3` in
+ *c*,-n*) ECHO_N= ECHO_C='
+' ECHO_T=' ' ;;
+ *c*,* ) ECHO_N=-n ECHO_C= ECHO_T= ;;
+ *) ECHO_N= ECHO_C='\c' ECHO_T= ;;
+esac
+
+if expr a : '\(a\)' >/dev/null 2>&1; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+rm -f conf$$ conf$$.exe conf$$.file
+echo >conf$$.file
+if ln -s conf$$.file conf$$ 2>/dev/null; then
+ # We could just check for DJGPP; but this test a) works b) is more generic
+ # and c) will remain valid once DJGPP supports symlinks (DJGPP 2.04).
+ if test -f conf$$.exe; then
+ # Don't use ln at all; we don't have any links
+ as_ln_s='cp -p'
+ else
+ as_ln_s='ln -s'
+ fi
+elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+else
+ as_ln_s='cp -p'
+fi
+rm -f conf$$ conf$$.exe conf$$.file
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p=:
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+as_executable_p="test -f"
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+# IFS
+# We need space, tab and new line, in precisely that order.
+as_nl='
+'
+IFS=" $as_nl"
+
+# CDPATH.
+$as_unset CDPATH
+
+exec 6>&1
+
+# Open the log real soon, to keep \$[0] and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling. Logging --version etc. is OK.
+exec 5>>config.log
+{
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+} >&5
+cat >&5 <<_CSEOF
+
+This file was extended by $as_me, which was
+generated by GNU Autoconf 2.59. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+ CONFIG_LINKS = $CONFIG_LINKS
+ CONFIG_COMMANDS = $CONFIG_COMMANDS
+ $ $0 $@
+
+_CSEOF
+echo "on `(hostname || uname -n) 2>/dev/null | sed 1q`" >&5
+echo >&5
+_ACEOF
+
+# Files that config.status was made for.
+if test -n "$ac_config_files"; then
+ echo "config_files=\"$ac_config_files\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_headers"; then
+ echo "config_headers=\"$ac_config_headers\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_links"; then
+ echo "config_links=\"$ac_config_links\"" >>$CONFIG_STATUS
+fi
+
+if test -n "$ac_config_commands"; then
+ echo "config_commands=\"$ac_config_commands\"" >>$CONFIG_STATUS
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+ac_cs_usage="\
+\`$as_me' instantiates files from templates according to the
+current configuration.
+
+Usage: $0 [OPTIONS] [FILE]...
+
+ -h, --help print this help, then exit
+ -V, --version print version number, then exit
+ -q, --quiet do not print progress messages
+ -d, --debug don't remove temporary files
+ --recheck update $as_me by reconfiguring in the same conditions
+ --file=FILE[:TEMPLATE]
+ instantiate the configuration file FILE
+ --header=FILE[:TEMPLATE]
+ instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Report bugs to <bug-autoconf@gnu.org>."
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+ac_cs_version="\\
+config.status
+configured by $0, generated by GNU Autoconf 2.59,
+ with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
+
+Copyright (C) 2003 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+srcdir=$srcdir
+INSTALL="$INSTALL"
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+# If no file are specified by the user, then we need to provide default
+# value. By we need to know if files were specified by the user.
+ac_need_defaults=:
+while test $# != 0
+do
+ case $1 in
+ --*=*)
+ ac_option=`expr "x$1" : 'x\([^=]*\)='`
+ ac_optarg=`expr "x$1" : 'x[^=]*=\(.*\)'`
+ ac_shift=:
+ ;;
+ -*)
+ ac_option=$1
+ ac_optarg=$2
+ ac_shift=shift
+ ;;
+ *) # This is not an option, so the user has probably given explicit
+ # arguments.
+ ac_option=$1
+ ac_need_defaults=false;;
+ esac
+
+ case $ac_option in
+ # Handling of the options.
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+ ac_cs_recheck=: ;;
+ --version | --vers* | -V )
+ echo "$ac_cs_version"; exit 0 ;;
+ --he | --h)
+ # Conflict between --help and --header
+ { { echo "$as_me:$LINENO: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: ambiguous option: $1
+Try \`$0 --help' for more information." >&2;}
+ { (exit 1); exit 1; }; };;
+ --help | --hel | -h )
+ echo "$ac_cs_usage"; exit 0 ;;
+ --debug | --d* | -d )
+ debug=: ;;
+ --file | --fil | --fi | --f )
+ $ac_shift
+ CONFIG_FILES="$CONFIG_FILES $ac_optarg"
+ ac_need_defaults=false;;
+ --header | --heade | --head | --hea )
+ $ac_shift
+ CONFIG_HEADERS="$CONFIG_HEADERS $ac_optarg"
+ ac_need_defaults=false;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil | --si | --s)
+ ac_cs_silent=: ;;
+
+ # This is an error.
+ -*) { { echo "$as_me:$LINENO: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&5
+echo "$as_me: error: unrecognized option: $1
+Try \`$0 --help' for more information." >&2;}
+ { (exit 1); exit 1; }; } ;;
+
+ *) ac_config_targets="$ac_config_targets $1" ;;
+
+ esac
+ shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+ exec 6>/dev/null
+ ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+if \$ac_cs_recheck; then
+ echo "running $SHELL $0 " $ac_configure_args \$ac_configure_extra_args " --no-create --no-recursion" >&6
+ exec $SHELL $0 $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+fi
+
+_ACEOF
+
+
+
+
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+for ac_config_target in $ac_config_targets
+do
+ case "$ac_config_target" in
+ # Handling of arguments.
+ "make/rules" ) CONFIG_FILES="$CONFIG_FILES make/rules" ;;
+ "make/mkdep" ) CONFIG_FILES="$CONFIG_FILES make/mkdep" ;;
+ "make/includes" ) CONFIG_FILES="$CONFIG_FILES make/includes" ;;
+ "Makefile" ) CONFIG_FILES="$CONFIG_FILES Makefile" ;;
+ "bsd/Makefile" ) CONFIG_FILES="$CONFIG_FILES bsd/Makefile" ;;
+ "dst/Makefile" ) CONFIG_FILES="$CONFIG_FILES dst/Makefile" ;;
+ "include/Makefile" ) CONFIG_FILES="$CONFIG_FILES include/Makefile" ;;
+ "inet/Makefile" ) CONFIG_FILES="$CONFIG_FILES inet/Makefile" ;;
+ "irs/Makefile" ) CONFIG_FILES="$CONFIG_FILES irs/Makefile" ;;
+ "isc/Makefile" ) CONFIG_FILES="$CONFIG_FILES isc/Makefile" ;;
+ "nameser/Makefile" ) CONFIG_FILES="$CONFIG_FILES nameser/Makefile" ;;
+ "port_after.h" ) CONFIG_FILES="$CONFIG_FILES port_after.h" ;;
+ "port_before.h" ) CONFIG_FILES="$CONFIG_FILES port_before.h" ;;
+ "resolv/Makefile" ) CONFIG_FILES="$CONFIG_FILES resolv/Makefile" ;;
+ "port/Makefile" ) CONFIG_FILES="$CONFIG_FILES port/Makefile" ;;
+ "${PORT_DIR}/Makefile" ) CONFIG_FILES="$CONFIG_FILES ${PORT_DIR}/Makefile" ;;
+ "${PORT_INCLUDE}/Makefile" ) CONFIG_FILES="$CONFIG_FILES ${PORT_INCLUDE}/Makefile" ;;
+ "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+ *) { { echo "$as_me:$LINENO: error: invalid argument: $ac_config_target" >&5
+echo "$as_me: error: invalid argument: $ac_config_target" >&2;}
+ { (exit 1); exit 1; }; };;
+ esac
+done
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used. Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+ test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+ test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+fi
+
+# Have a temporary directory for convenience. Make it in the build tree
+# simply because there is no reason to put it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Create a temporary directory, and hook for its removal unless debugging.
+$debug ||
+{
+ trap 'exit_status=$?; rm -rf $tmp && exit $exit_status' 0
+ trap '{ (exit 1); exit 1; }' 1 2 13 15
+}
+
+# Create a (secure) tmp directory for tmp files.
+
+{
+ tmp=`(umask 077 && mktemp -d -q "./confstatXXXXXX") 2>/dev/null` &&
+ test -n "$tmp" && test -d "$tmp"
+} ||
+{
+ tmp=./confstat$$-$RANDOM
+ (umask 077 && mkdir $tmp)
+} ||
+{
+ echo "$me: cannot create a temporary directory in ." >&2
+ { (exit 1); exit 1; }
+}
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<_ACEOF
+
+#
+# CONFIG_FILES section.
+#
+
+# No need to generate the scripts if there are no CONFIG_FILES.
+# This happens for instance when ./config.status config.h
+if test -n "\$CONFIG_FILES"; then
+ # Protect against being on the right side of a sed subst in config.status.
+ sed 's/,@/@@/; s/@,/@@/; s/,;t t\$/@;t t/; /@;t t\$/s/[\\\\&,]/\\\\&/g;
+ s/@@/,@/; s/@@/@,/; s/@;t t\$/,;t t/' >\$tmp/subs.sed <<\\CEOF
+s,@SHELL@,$SHELL,;t t
+s,@PATH_SEPARATOR@,$PATH_SEPARATOR,;t t
+s,@PACKAGE_NAME@,$PACKAGE_NAME,;t t
+s,@PACKAGE_TARNAME@,$PACKAGE_TARNAME,;t t
+s,@PACKAGE_VERSION@,$PACKAGE_VERSION,;t t
+s,@PACKAGE_STRING@,$PACKAGE_STRING,;t t
+s,@PACKAGE_BUGREPORT@,$PACKAGE_BUGREPORT,;t t
+s,@exec_prefix@,$exec_prefix,;t t
+s,@prefix@,$prefix,;t t
+s,@program_transform_name@,$program_transform_name,;t t
+s,@bindir@,$bindir,;t t
+s,@sbindir@,$sbindir,;t t
+s,@libexecdir@,$libexecdir,;t t
+s,@datadir@,$datadir,;t t
+s,@sysconfdir@,$sysconfdir,;t t
+s,@sharedstatedir@,$sharedstatedir,;t t
+s,@localstatedir@,$localstatedir,;t t
+s,@libdir@,$libdir,;t t
+s,@includedir@,$includedir,;t t
+s,@oldincludedir@,$oldincludedir,;t t
+s,@infodir@,$infodir,;t t
+s,@mandir@,$mandir,;t t
+s,@build_alias@,$build_alias,;t t
+s,@host_alias@,$host_alias,;t t
+s,@target_alias@,$target_alias,;t t
+s,@DEFS@,$DEFS,;t t
+s,@ECHO_C@,$ECHO_C,;t t
+s,@ECHO_N@,$ECHO_N,;t t
+s,@ECHO_T@,$ECHO_T,;t t
+s,@LIBS@,$LIBS,;t t
+s,@build@,$build,;t t
+s,@build_cpu@,$build_cpu,;t t
+s,@build_vendor@,$build_vendor,;t t
+s,@build_os@,$build_os,;t t
+s,@host@,$host,;t t
+s,@host_cpu@,$host_cpu,;t t
+s,@host_vendor@,$host_vendor,;t t
+s,@host_os@,$host_os,;t t
+s,@SET_MAKE@,$SET_MAKE,;t t
+s,@RANLIB@,$RANLIB,;t t
+s,@ac_ct_RANLIB@,$ac_ct_RANLIB,;t t
+s,@INSTALL_PROGRAM@,$INSTALL_PROGRAM,;t t
+s,@INSTALL_SCRIPT@,$INSTALL_SCRIPT,;t t
+s,@INSTALL_DATA@,$INSTALL_DATA,;t t
+s,@STD_CINCLUDES@,$STD_CINCLUDES,;t t
+s,@STD_CDEFINES@,$STD_CDEFINES,;t t
+s,@STD_CWARNINGS@,$STD_CWARNINGS,;t t
+s,@CCOPT@,$CCOPT,;t t
+s,@AR@,$AR,;t t
+s,@ARFLAGS@,$ARFLAGS,;t t
+s,@LN@,$LN,;t t
+s,@ETAGS@,$ETAGS,;t t
+s,@PERL@,$PERL,;t t
+s,@CC@,$CC,;t t
+s,@CFLAGS@,$CFLAGS,;t t
+s,@LDFLAGS@,$LDFLAGS,;t t
+s,@CPPFLAGS@,$CPPFLAGS,;t t
+s,@ac_ct_CC@,$ac_ct_CC,;t t
+s,@EXEEXT@,$EXEEXT,;t t
+s,@OBJEXT@,$OBJEXT,;t t
+s,@CPP@,$CPP,;t t
+s,@EGREP@,$EGREP,;t t
+s,@ISC_PLATFORM_NEEDSYSSELECTH@,$ISC_PLATFORM_NEEDSYSSELECTH,;t t
+s,@WANT_IRS_GR@,$WANT_IRS_GR,;t t
+s,@WANT_IRS_GR_OBJS@,$WANT_IRS_GR_OBJS,;t t
+s,@WANT_IRS_PW@,$WANT_IRS_PW,;t t
+s,@WANT_IRS_PW_OBJS@,$WANT_IRS_PW_OBJS,;t t
+s,@WANT_IRS_NIS@,$WANT_IRS_NIS,;t t
+s,@WANT_IRS_NIS_OBJS@,$WANT_IRS_NIS_OBJS,;t t
+s,@WANT_IRS_NISGR_OBJS@,$WANT_IRS_NISGR_OBJS,;t t
+s,@WANT_IRS_NISPW_OBJS@,$WANT_IRS_NISPW_OBJS,;t t
+s,@WANT_IRS_DBPW_OBJS@,$WANT_IRS_DBPW_OBJS,;t t
+s,@ALWAYS_DEFINES@,$ALWAYS_DEFINES,;t t
+s,@DO_PTHREADS@,$DO_PTHREADS,;t t
+s,@WANT_IRS_THREADSGR_OBJS@,$WANT_IRS_THREADSGR_OBJS,;t t
+s,@WANT_IRS_THREADSPW_OBJS@,$WANT_IRS_THREADSPW_OBJS,;t t
+s,@WANT_IRS_THREADS_OBJS@,$WANT_IRS_THREADS_OBJS,;t t
+s,@USE_IFNAMELINKID@,$USE_IFNAMELINKID,;t t
+s,@ISC_THREAD_DIR@,$ISC_THREAD_DIR,;t t
+s,@DAEMON_OBJS@,$DAEMON_OBJS,;t t
+s,@NEED_DAEMON@,$NEED_DAEMON,;t t
+s,@STRSEP_OBJS@,$STRSEP_OBJS,;t t
+s,@NEED_STRSEP@,$NEED_STRSEP,;t t
+s,@NEED_STRERROR@,$NEED_STRERROR,;t t
+s,@MKDEPCC@,$MKDEPCC,;t t
+s,@MKDEPCFLAGS@,$MKDEPCFLAGS,;t t
+s,@MKDEPPROG@,$MKDEPPROG,;t t
+s,@IRIX_DNSSEC_WARNINGS_HACK@,$IRIX_DNSSEC_WARNINGS_HACK,;t t
+s,@purify_path@,$purify_path,;t t
+s,@PURIFY@,$PURIFY,;t t
+s,@LN_S@,$LN_S,;t t
+s,@ECHO@,$ECHO,;t t
+s,@ac_ct_AR@,$ac_ct_AR,;t t
+s,@STRIP@,$STRIP,;t t
+s,@ac_ct_STRIP@,$ac_ct_STRIP,;t t
+s,@CXX@,$CXX,;t t
+s,@CXXFLAGS@,$CXXFLAGS,;t t
+s,@ac_ct_CXX@,$ac_ct_CXX,;t t
+s,@CXXCPP@,$CXXCPP,;t t
+s,@F77@,$F77,;t t
+s,@FFLAGS@,$FFLAGS,;t t
+s,@ac_ct_F77@,$ac_ct_F77,;t t
+s,@LIBTOOL@,$LIBTOOL,;t t
+s,@O@,$O,;t t
+s,@A@,$A,;t t
+s,@SA@,$SA,;t t
+s,@LIBTOOL_MKDEP_SED@,$LIBTOOL_MKDEP_SED,;t t
+s,@LIBTOOL_MODE_COMPILE@,$LIBTOOL_MODE_COMPILE,;t t
+s,@LIBTOOL_MODE_INSTALL@,$LIBTOOL_MODE_INSTALL,;t t
+s,@LIBTOOL_MODE_LINK@,$LIBTOOL_MODE_LINK,;t t
+s,@HAS_INET6_STRUCTS@,$HAS_INET6_STRUCTS,;t t
+s,@ISC_PLATFORM_NEEDNETINETIN6H@,$ISC_PLATFORM_NEEDNETINETIN6H,;t t
+s,@ISC_PLATFORM_NEEDNETINET6IN6H@,$ISC_PLATFORM_NEEDNETINET6IN6H,;t t
+s,@HAS_IN_ADDR6@,$HAS_IN_ADDR6,;t t
+s,@NEED_IN6ADDR_ANY@,$NEED_IN6ADDR_ANY,;t t
+s,@ISC_PLATFORM_HAVEIN6PKTINFO@,$ISC_PLATFORM_HAVEIN6PKTINFO,;t t
+s,@ISC_PLATFORM_FIXIN6ISADDR@,$ISC_PLATFORM_FIXIN6ISADDR,;t t
+s,@ISC_IPV6_H@,$ISC_IPV6_H,;t t
+s,@ISC_IPV6_O@,$ISC_IPV6_O,;t t
+s,@ISC_ISCIPV6_O@,$ISC_ISCIPV6_O,;t t
+s,@ISC_IPV6_C@,$ISC_IPV6_C,;t t
+s,@HAVE_SIN6_SCOPE_ID@,$HAVE_SIN6_SCOPE_ID,;t t
+s,@HAVE_SOCKADDR_STORAGE@,$HAVE_SOCKADDR_STORAGE,;t t
+s,@ISC_PLATFORM_NEEDNTOP@,$ISC_PLATFORM_NEEDNTOP,;t t
+s,@ISC_PLATFORM_NEEDPTON@,$ISC_PLATFORM_NEEDPTON,;t t
+s,@ISC_PLATFORM_NEEDATON@,$ISC_PLATFORM_NEEDATON,;t t
+s,@HAVE_SA_LEN@,$HAVE_SA_LEN,;t t
+s,@HAVE_MINIMUM_IFREQ@,$HAVE_MINIMUM_IFREQ,;t t
+s,@BSD_COMP@,$BSD_COMP,;t t
+s,@SOLARIS_BITTYPES@,$SOLARIS_BITTYPES,;t t
+s,@USE_FIONBIO_IOCTL@,$USE_FIONBIO_IOCTL,;t t
+s,@PORT_DIR@,$PORT_DIR,;t t
+s,@PORT_INCLUDE@,$PORT_INCLUDE,;t t
+s,@ISC_PLATFORM_MSGHDRFLAVOR@,$ISC_PLATFORM_MSGHDRFLAVOR,;t t
+s,@ISC_PLATFORM_NEEDPORTT@,$ISC_PLATFORM_NEEDPORTT,;t t
+s,@ISC_LWRES_ENDHOSTENTINT@,$ISC_LWRES_ENDHOSTENTINT,;t t
+s,@ISC_LWRES_SETNETENTINT@,$ISC_LWRES_SETNETENTINT,;t t
+s,@ISC_LWRES_ENDNETENTINT@,$ISC_LWRES_ENDNETENTINT,;t t
+s,@ISC_LWRES_GETHOSTBYADDRVOID@,$ISC_LWRES_GETHOSTBYADDRVOID,;t t
+s,@ISC_LWRES_NEEDHERRNO@,$ISC_LWRES_NEEDHERRNO,;t t
+s,@ISC_LWRES_GETIPNODEPROTO@,$ISC_LWRES_GETIPNODEPROTO,;t t
+s,@ISC_LWRES_GETADDRINFOPROTO@,$ISC_LWRES_GETADDRINFOPROTO,;t t
+s,@ISC_LWRES_GETNAMEINFOPROTO@,$ISC_LWRES_GETNAMEINFOPROTO,;t t
+s,@NEED_PSELECT@,$NEED_PSELECT,;t t
+s,@NEED_GETTIMEOFDAY@,$NEED_GETTIMEOFDAY,;t t
+s,@HAVE_STRNDUP@,$HAVE_STRNDUP,;t t
+s,@ISC_PLATFORM_NEEDSTRSEP@,$ISC_PLATFORM_NEEDSTRSEP,;t t
+s,@ISC_PLATFORM_NEEDVSNPRINTF@,$ISC_PLATFORM_NEEDVSNPRINTF,;t t
+s,@ISC_EXTRA_OBJS@,$ISC_EXTRA_OBJS,;t t
+s,@ISC_EXTRA_SRCS@,$ISC_EXTRA_SRCS,;t t
+s,@USE_SYSERROR_LIST@,$USE_SYSERROR_LIST,;t t
+s,@ISC_PLATFORM_QUADFORMAT@,$ISC_PLATFORM_QUADFORMAT,;t t
+s,@ISC_SOCKLEN_T@,$ISC_SOCKLEN_T,;t t
+s,@GETGROUPLIST_ARGS@,$GETGROUPLIST_ARGS,;t t
+s,@NET_R_ARGS@,$NET_R_ARGS,;t t
+s,@NET_R_BAD@,$NET_R_BAD,;t t
+s,@NET_R_COPY@,$NET_R_COPY,;t t
+s,@NET_R_COPY_ARGS@,$NET_R_COPY_ARGS,;t t
+s,@NET_R_OK@,$NET_R_OK,;t t
+s,@NET_R_SETANSWER@,$NET_R_SETANSWER,;t t
+s,@NET_R_RETURN@,$NET_R_RETURN,;t t
+s,@GETNETBYADDR_ADDR_T@,$GETNETBYADDR_ADDR_T,;t t
+s,@NETENT_DATA@,$NETENT_DATA,;t t
+s,@NET_R_ENT_ARGS@,$NET_R_ENT_ARGS,;t t
+s,@NET_R_SET_RESULT@,$NET_R_SET_RESULT,;t t
+s,@NET_R_SET_RETURN@,$NET_R_SET_RETURN,;t t
+s,@NET_R_END_RESULT@,$NET_R_END_RESULT,;t t
+s,@NET_R_END_RETURN@,$NET_R_END_RETURN,;t t
+s,@GROUP_R_ARGS@,$GROUP_R_ARGS,;t t
+s,@GROUP_R_BAD@,$GROUP_R_BAD,;t t
+s,@GROUP_R_OK@,$GROUP_R_OK,;t t
+s,@GROUP_R_RETURN@,$GROUP_R_RETURN,;t t
+s,@GROUP_R_END_RESULT@,$GROUP_R_END_RESULT,;t t
+s,@GROUP_R_END_RETURN@,$GROUP_R_END_RETURN,;t t
+s,@GROUP_R_ENT_ARGS@,$GROUP_R_ENT_ARGS,;t t
+s,@GROUP_R_SET_RESULT@,$GROUP_R_SET_RESULT,;t t
+s,@GROUP_R_SET_RETURN@,$GROUP_R_SET_RETURN,;t t
+s,@HOST_R_ARGS@,$HOST_R_ARGS,;t t
+s,@HOST_R_BAD@,$HOST_R_BAD,;t t
+s,@HOST_R_COPY@,$HOST_R_COPY,;t t
+s,@HOST_R_COPY_ARGS@,$HOST_R_COPY_ARGS,;t t
+s,@HOST_R_ERRNO@,$HOST_R_ERRNO,;t t
+s,@HOST_R_OK@,$HOST_R_OK,;t t
+s,@HOST_R_RETURN@,$HOST_R_RETURN,;t t
+s,@HOST_R_SETANSWER@,$HOST_R_SETANSWER,;t t
+s,@HOSTENT_DATA@,$HOSTENT_DATA,;t t
+s,@HOST_R_END_RESULT@,$HOST_R_END_RESULT,;t t
+s,@HOST_R_END_RETURN@,$HOST_R_END_RETURN,;t t
+s,@HOST_R_ENT_ARGS@,$HOST_R_ENT_ARGS,;t t
+s,@HOST_R_SET_RESULT@,$HOST_R_SET_RESULT,;t t
+s,@HOST_R_SET_RETURN@,$HOST_R_SET_RETURN,;t t
+s,@SETPWENT_VOID@,$SETPWENT_VOID,;t t
+s,@SETGRENT_VOID@,$SETGRENT_VOID,;t t
+s,@NGR_R_ARGS@,$NGR_R_ARGS,;t t
+s,@NGR_R_BAD@,$NGR_R_BAD,;t t
+s,@NGR_R_COPY@,$NGR_R_COPY,;t t
+s,@NGR_R_COPY_ARGS@,$NGR_R_COPY_ARGS,;t t
+s,@NGR_R_OK@,$NGR_R_OK,;t t
+s,@NGR_R_RETURN@,$NGR_R_RETURN,;t t
+s,@NGR_R_PRIVATE@,$NGR_R_PRIVATE,;t t
+s,@NGR_R_END_RESULT@,$NGR_R_END_RESULT,;t t
+s,@NGR_R_END_RETURN@,$NGR_R_END_RETURN,;t t
+s,@NGR_R_ENT_ARGS@,$NGR_R_ENT_ARGS,;t t
+s,@NGR_R_SET_RESULT@,$NGR_R_SET_RESULT,;t t
+s,@NGR_R_SET_RETURN@,$NGR_R_SET_RETURN,;t t
+s,@PROTO_R_ARGS@,$PROTO_R_ARGS,;t t
+s,@PROTO_R_BAD@,$PROTO_R_BAD,;t t
+s,@PROTO_R_COPY@,$PROTO_R_COPY,;t t
+s,@PROTO_R_COPY_ARGS@,$PROTO_R_COPY_ARGS,;t t
+s,@PROTO_R_OK@,$PROTO_R_OK,;t t
+s,@PROTO_R_SETANSWER@,$PROTO_R_SETANSWER,;t t
+s,@PROTO_R_RETURN@,$PROTO_R_RETURN,;t t
+s,@PROTO_R_END_RESULT@,$PROTO_R_END_RESULT,;t t
+s,@PROTO_R_END_RETURN@,$PROTO_R_END_RETURN,;t t
+s,@PROTO_R_ENT_ARGS@,$PROTO_R_ENT_ARGS,;t t
+s,@PROTO_R_SET_RESULT@,$PROTO_R_SET_RESULT,;t t
+s,@PROTO_R_SET_RETURN@,$PROTO_R_SET_RETURN,;t t
+s,@PASS_R_ARGS@,$PASS_R_ARGS,;t t
+s,@PASS_R_BAD@,$PASS_R_BAD,;t t
+s,@PASS_R_COPY@,$PASS_R_COPY,;t t
+s,@PASS_R_COPY_ARGS@,$PASS_R_COPY_ARGS,;t t
+s,@PASS_R_OK@,$PASS_R_OK,;t t
+s,@PASS_R_RETURN@,$PASS_R_RETURN,;t t
+s,@PASS_R_END_RESULT@,$PASS_R_END_RESULT,;t t
+s,@PASS_R_END_RETURN@,$PASS_R_END_RETURN,;t t
+s,@PASS_R_ENT_ARGS@,$PASS_R_ENT_ARGS,;t t
+s,@PASS_R_SET_RESULT@,$PASS_R_SET_RESULT,;t t
+s,@PASS_R_SET_RETURN@,$PASS_R_SET_RETURN,;t t
+s,@SERV_R_ARGS@,$SERV_R_ARGS,;t t
+s,@SERV_R_BAD@,$SERV_R_BAD,;t t
+s,@SERV_R_COPY@,$SERV_R_COPY,;t t
+s,@SERV_R_COPY_ARGS@,$SERV_R_COPY_ARGS,;t t
+s,@SERV_R_OK@,$SERV_R_OK,;t t
+s,@SERV_R_SETANSWER@,$SERV_R_SETANSWER,;t t
+s,@SERV_R_RETURN@,$SERV_R_RETURN,;t t
+s,@SERV_R_END_RESULT@,$SERV_R_END_RESULT,;t t
+s,@SERV_R_END_RETURN@,$SERV_R_END_RETURN,;t t
+s,@SERV_R_ENT_ARGS@,$SERV_R_ENT_ARGS,;t t
+s,@SERV_R_SET_RESULT@,$SERV_R_SET_RESULT,;t t
+s,@SERV_R_SET_RETURN@,$SERV_R_SET_RETURN,;t t
+s,@SETNETGRENT_ARGS@,$SETNETGRENT_ARGS,;t t
+s,@INNETGR_ARGS@,$INNETGR_ARGS,;t t
+s,@ISC_PLATFORM_BRACEPTHREADONCEINIT@,$ISC_PLATFORM_BRACEPTHREADONCEINIT,;t t
+s,@BIND9_TOP_BUILDDIR@,$BIND9_TOP_BUILDDIR,;t t
+s,@BIND9_VERSION@,$BIND9_VERSION,;t t
+s,@LIBOBJS@,$LIBOBJS,;t t
+s,@LTLIBOBJS@,$LTLIBOBJS,;t t
+/@BIND9_INCLUDES@/r $BIND9_INCLUDES
+s,@BIND9_INCLUDES@,,;t t
+/@BIND9_MAKE_RULES@/r $BIND9_MAKE_RULES
+s,@BIND9_MAKE_RULES@,,;t t
+/@LIBBIND_API@/r $LIBBIND_API
+s,@LIBBIND_API@,,;t t
+CEOF
+
+_ACEOF
+
+ cat >>$CONFIG_STATUS <<\_ACEOF
+ # Split the substitutions into bite-sized pieces for seds with
+ # small command number limits, like on Digital OSF/1 and HP-UX.
+ ac_max_sed_lines=48
+ ac_sed_frag=1 # Number of current file.
+ ac_beg=1 # First line for current file.
+ ac_end=$ac_max_sed_lines # Line after last line for current file.
+ ac_more_lines=:
+ ac_sed_cmds=
+ while $ac_more_lines; do
+ if test $ac_beg -gt 1; then
+ sed "1,${ac_beg}d; ${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+ else
+ sed "${ac_end}q" $tmp/subs.sed >$tmp/subs.frag
+ fi
+ if test ! -s $tmp/subs.frag; then
+ ac_more_lines=false
+ else
+ # The purpose of the label and of the branching condition is to
+ # speed up the sed processing (if there are no `@' at all, there
+ # is no need to browse any of the substitutions).
+ # These are the two extra sed commands mentioned above.
+ (echo ':t
+ /@[a-zA-Z_][a-zA-Z_0-9]*@/!b' && cat $tmp/subs.frag) >$tmp/subs-$ac_sed_frag.sed
+ if test -z "$ac_sed_cmds"; then
+ ac_sed_cmds="sed -f $tmp/subs-$ac_sed_frag.sed"
+ else
+ ac_sed_cmds="$ac_sed_cmds | sed -f $tmp/subs-$ac_sed_frag.sed"
+ fi
+ ac_sed_frag=`expr $ac_sed_frag + 1`
+ ac_beg=$ac_end
+ ac_end=`expr $ac_end + $ac_max_sed_lines`
+ fi
+ done
+ if test -z "$ac_sed_cmds"; then
+ ac_sed_cmds=cat
+ fi
+fi # test -n "$CONFIG_FILES"
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+for ac_file in : $CONFIG_FILES; do test "x$ac_file" = x: && continue
+ # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+ case $ac_file in
+ - | *:- | *:-:* ) # input from stdin
+ cat >$tmp/stdin
+ ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+ ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+ *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+ ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+ * ) ac_file_in=$ac_file.in ;;
+ esac
+
+ # Compute @srcdir@, @top_srcdir@, and @INSTALL@ for subdirectories.
+ ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+ /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+ /^X\(\/\/\)$/{ s//\1/; q; }
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ { if $as_mkdir_p; then
+ mkdir -p "$ac_dir"
+ else
+ as_dir="$ac_dir"
+ as_dirs=
+ while test ! -d "$as_dir"; do
+ as_dirs="$as_dir $as_dirs"
+ as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+ /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+ /^X\(\/\/\)$/{ s//\1/; q; }
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ done
+ test ! -n "$as_dirs" || mkdir $as_dirs
+ fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
+echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+ { (exit 1); exit 1; }; }; }
+
+ ac_builddir=.
+
+if test "$ac_dir" != .; then
+ ac_dir_suffix=/`echo "$ac_dir" | sed 's,^\.[\\/],,'`
+ # A "../" for each directory in $ac_dir_suffix.
+ ac_top_builddir=`echo "$ac_dir_suffix" | sed 's,/[^\\/]*,../,g'`
+else
+ ac_dir_suffix= ac_top_builddir=
+fi
+
+case $srcdir in
+ .) # No --srcdir option. We are building in place.
+ ac_srcdir=.
+ if test -z "$ac_top_builddir"; then
+ ac_top_srcdir=.
+ else
+ ac_top_srcdir=`echo $ac_top_builddir | sed 's,/$,,'`
+ fi ;;
+ [\\/]* | ?:[\\/]* ) # Absolute path.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir ;;
+ *) # Relative path.
+ ac_srcdir=$ac_top_builddir$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_builddir$srcdir ;;
+esac
+
+# Do not use `cd foo && pwd` to compute absolute paths, because
+# the directories may not exist.
+case `pwd` in
+.) ac_abs_builddir="$ac_dir";;
+*)
+ case "$ac_dir" in
+ .) ac_abs_builddir=`pwd`;;
+ [\\/]* | ?:[\\/]* ) ac_abs_builddir="$ac_dir";;
+ *) ac_abs_builddir=`pwd`/"$ac_dir";;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_builddir=${ac_top_builddir}.;;
+*)
+ case ${ac_top_builddir}. in
+ .) ac_abs_top_builddir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_top_builddir=${ac_top_builddir}.;;
+ *) ac_abs_top_builddir=$ac_abs_builddir/${ac_top_builddir}.;;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_srcdir=$ac_srcdir;;
+*)
+ case $ac_srcdir in
+ .) ac_abs_srcdir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_srcdir=$ac_srcdir;;
+ *) ac_abs_srcdir=$ac_abs_builddir/$ac_srcdir;;
+ esac;;
+esac
+case $ac_abs_builddir in
+.) ac_abs_top_srcdir=$ac_top_srcdir;;
+*)
+ case $ac_top_srcdir in
+ .) ac_abs_top_srcdir=$ac_abs_builddir;;
+ [\\/]* | ?:[\\/]* ) ac_abs_top_srcdir=$ac_top_srcdir;;
+ *) ac_abs_top_srcdir=$ac_abs_builddir/$ac_top_srcdir;;
+ esac;;
+esac
+
+
+ case $INSTALL in
+ [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
+ *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
+ esac
+
+ if test x"$ac_file" != x-; then
+ { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+ rm -f "$ac_file"
+ fi
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ if test x"$ac_file" = x-; then
+ configure_input=
+ else
+ configure_input="$ac_file. "
+ fi
+ configure_input=$configure_input"Generated from `echo $ac_file_in |
+ sed 's,.*/,,'` by configure."
+
+ # First look for the input files in the build tree, otherwise in the
+ # src tree.
+ ac_file_inputs=`IFS=:
+ for f in $ac_file_in; do
+ case $f in
+ -) echo $tmp/stdin ;;
+ [\\/$]*)
+ # Absolute (can't be DOS-style, as IFS=:)
+ test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+ { (exit 1); exit 1; }; }
+ echo "$f";;
+ *) # Relative
+ if test -f "$f"; then
+ # Build tree
+ echo "$f"
+ elif test -f "$srcdir/$f"; then
+ # Source tree
+ echo "$srcdir/$f"
+ else
+ # /dev/null tree
+ { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+ { (exit 1); exit 1; }; }
+ fi;;
+ esac
+ done` || { (exit 1); exit 1; }
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF
+ sed "$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s,@configure_input@,$configure_input,;t t
+s,@srcdir@,$ac_srcdir,;t t
+s,@abs_srcdir@,$ac_abs_srcdir,;t t
+s,@top_srcdir@,$ac_top_srcdir,;t t
+s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
+s,@builddir@,$ac_builddir,;t t
+s,@abs_builddir@,$ac_abs_builddir,;t t
+s,@top_builddir@,$ac_top_builddir,;t t
+s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
+s,@INSTALL@,$ac_INSTALL,;t t
+" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
+ rm -f $tmp/stdin
+ if test x"$ac_file" != x-; then
+ mv $tmp/out $ac_file
+ else
+ cat $tmp/out
+ rm -f $tmp/out
+ fi
+
+done
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+#
+# CONFIG_HEADER section.
+#
+
+# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where
+# NAME is the cpp macro being defined and VALUE is the value it is being given.
+#
+# ac_d sets the value in "#define NAME VALUE" lines.
+ac_dA='s,^\([ ]*\)#\([ ]*define[ ][ ]*\)'
+ac_dB='[ ].*$,\1#\2'
+ac_dC=' '
+ac_dD=',;t'
+# ac_u turns "#undef NAME" without trailing blanks into "#define NAME VALUE".
+ac_uA='s,^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)'
+ac_uB='$,\1#\2define\3'
+ac_uC=' '
+ac_uD=',;t'
+
+for ac_file in : $CONFIG_HEADERS; do test "x$ac_file" = x: && continue
+ # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in".
+ case $ac_file in
+ - | *:- | *:-:* ) # input from stdin
+ cat >$tmp/stdin
+ ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+ ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+ *:* ) ac_file_in=`echo "$ac_file" | sed 's,[^:]*:,,'`
+ ac_file=`echo "$ac_file" | sed 's,:.*,,'` ;;
+ * ) ac_file_in=$ac_file.in ;;
+ esac
+
+ test x"$ac_file" != x- && { echo "$as_me:$LINENO: creating $ac_file" >&5
+echo "$as_me: creating $ac_file" >&6;}
+
+ # First look for the input files in the build tree, otherwise in the
+ # src tree.
+ ac_file_inputs=`IFS=:
+ for f in $ac_file_in; do
+ case $f in
+ -) echo $tmp/stdin ;;
+ [\\/$]*)
+ # Absolute (can't be DOS-style, as IFS=:)
+ test -f "$f" || { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+ { (exit 1); exit 1; }; }
+ # Do quote $f, to prevent DOS paths from being IFS'd.
+ echo "$f";;
+ *) # Relative
+ if test -f "$f"; then
+ # Build tree
+ echo "$f"
+ elif test -f "$srcdir/$f"; then
+ # Source tree
+ echo "$srcdir/$f"
+ else
+ # /dev/null tree
+ { { echo "$as_me:$LINENO: error: cannot find input file: $f" >&5
+echo "$as_me: error: cannot find input file: $f" >&2;}
+ { (exit 1); exit 1; }; }
+ fi;;
+ esac
+ done` || { (exit 1); exit 1; }
+ # Remove the trailing spaces.
+ sed 's/[ ]*$//' $ac_file_inputs >$tmp/in
+
+_ACEOF
+
+# Transform confdefs.h into two sed scripts, `conftest.defines' and
+# `conftest.undefs', that substitutes the proper values into
+# config.h.in to produce config.h. The first handles `#define'
+# templates, and the second `#undef' templates.
+# And first: Protect against being on the right side of a sed subst in
+# config.status. Protect against being in an unquoted here document
+# in config.status.
+rm -f conftest.defines conftest.undefs
+# Using a here document instead of a string reduces the quoting nightmare.
+# Putting comments in sed scripts is not portable.
+#
+# `end' is used to avoid that the second main sed command (meant for
+# 0-ary CPP macros) applies to n-ary macro definitions.
+# See the Autoconf documentation for `clear'.
+cat >confdef2sed.sed <<\_ACEOF
+s/[\\&,]/\\&/g
+s,[\\$`],\\&,g
+t clear
+: clear
+s,^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*\)\(([^)]*)\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1\2${ac_dC}\3${ac_dD},gp
+t end
+s,^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)$,${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD},gp
+: end
+_ACEOF
+# If some macros were called several times there might be several times
+# the same #defines, which is useless. Nevertheless, we may not want to
+# sort them, since we want the *last* AC-DEFINE to be honored.
+uniq confdefs.h | sed -n -f confdef2sed.sed >conftest.defines
+sed 's/ac_d/ac_u/g' conftest.defines >conftest.undefs
+rm -f confdef2sed.sed
+
+# This sed command replaces #undef with comments. This is necessary, for
+# example, in the case of _POSIX_SOURCE, which is predefined and required
+# on some systems where configure will not decide to define it.
+cat >>conftest.undefs <<\_ACEOF
+s,^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*,/* & */,
+_ACEOF
+
+# Break up conftest.defines because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo ' # Handle all the #define templates only if necessary.' >>$CONFIG_STATUS
+echo ' if grep "^[ ]*#[ ]*define" $tmp/in >/dev/null; then' >>$CONFIG_STATUS
+echo ' # If there are no defines, we may have an empty if/fi' >>$CONFIG_STATUS
+echo ' :' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.defines >/dev/null
+do
+ # Write a limited-size here document to $tmp/defines.sed.
+ echo ' cat >$tmp/defines.sed <<CEOF' >>$CONFIG_STATUS
+ # Speed up: don't consider the non `#define' lines.
+ echo '/^[ ]*#[ ]*define/!b' >>$CONFIG_STATUS
+ # Work around the forget-to-reset-the-flag bug.
+ echo 't clr' >>$CONFIG_STATUS
+ echo ': clr' >>$CONFIG_STATUS
+ sed ${ac_max_here_lines}q conftest.defines >>$CONFIG_STATUS
+ echo 'CEOF
+ sed -f $tmp/defines.sed $tmp/in >$tmp/out
+ rm -f $tmp/in
+ mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+ sed 1,${ac_max_here_lines}d conftest.defines >conftest.tail
+ rm -f conftest.defines
+ mv conftest.tail conftest.defines
+done
+rm -f conftest.defines
+echo ' fi # grep' >>$CONFIG_STATUS
+echo >>$CONFIG_STATUS
+
+# Break up conftest.undefs because some shells have a limit on the size
+# of here documents, and old seds have small limits too (100 cmds).
+echo ' # Handle all the #undef templates' >>$CONFIG_STATUS
+rm -f conftest.tail
+while grep . conftest.undefs >/dev/null
+do
+ # Write a limited-size here document to $tmp/undefs.sed.
+ echo ' cat >$tmp/undefs.sed <<CEOF' >>$CONFIG_STATUS
+ # Speed up: don't consider the non `#undef'
+ echo '/^[ ]*#[ ]*undef/!b' >>$CONFIG_STATUS
+ # Work around the forget-to-reset-the-flag bug.
+ echo 't clr' >>$CONFIG_STATUS
+ echo ': clr' >>$CONFIG_STATUS
+ sed ${ac_max_here_lines}q conftest.undefs >>$CONFIG_STATUS
+ echo 'CEOF
+ sed -f $tmp/undefs.sed $tmp/in >$tmp/out
+ rm -f $tmp/in
+ mv $tmp/out $tmp/in
+' >>$CONFIG_STATUS
+ sed 1,${ac_max_here_lines}d conftest.undefs >conftest.tail
+ rm -f conftest.undefs
+ mv conftest.tail conftest.undefs
+done
+rm -f conftest.undefs
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ if test x"$ac_file" = x-; then
+ echo "/* Generated by configure. */" >$tmp/config.h
+ else
+ echo "/* $ac_file. Generated by configure. */" >$tmp/config.h
+ fi
+ cat $tmp/in >>$tmp/config.h
+ rm -f $tmp/in
+ if test x"$ac_file" != x-; then
+ if diff $ac_file $tmp/config.h >/dev/null 2>&1; then
+ { echo "$as_me:$LINENO: $ac_file is unchanged" >&5
+echo "$as_me: $ac_file is unchanged" >&6;}
+ else
+ ac_dir=`(dirname "$ac_file") 2>/dev/null ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+ /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+ /^X\(\/\/\)$/{ s//\1/; q; }
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ { if $as_mkdir_p; then
+ mkdir -p "$ac_dir"
+ else
+ as_dir="$ac_dir"
+ as_dirs=
+ while test ! -d "$as_dir"; do
+ as_dirs="$as_dir $as_dirs"
+ as_dir=`(dirname "$as_dir") 2>/dev/null ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| \
+ . : '\(.\)' 2>/dev/null ||
+echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/; q; }
+ /^X\(\/\/\)[^/].*/{ s//\1/; q; }
+ /^X\(\/\/\)$/{ s//\1/; q; }
+ /^X\(\/\).*/{ s//\1/; q; }
+ s/.*/./; q'`
+ done
+ test ! -n "$as_dirs" || mkdir $as_dirs
+ fi || { { echo "$as_me:$LINENO: error: cannot create directory \"$ac_dir\"" >&5
+echo "$as_me: error: cannot create directory \"$ac_dir\"" >&2;}
+ { (exit 1); exit 1; }; }; }
+
+ rm -f $ac_file
+ mv $tmp/config.h $ac_file
+ fi
+ else
+ cat $tmp/config.h
+ rm -f $tmp/config.h
+ fi
+done
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF
+
+{ (exit 0); exit 0; }
+_ACEOF
+chmod +x $CONFIG_STATUS
+ac_clean_files=$ac_clean_files_save
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded. So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status. When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+ ac_cs_success=:
+ ac_config_status_args=
+ test "$silent" = yes &&
+ ac_config_status_args="$ac_config_status_args --quiet"
+ exec 5>/dev/null
+ $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+ exec 5>>config.log
+ # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+ # would make configure fail if this is the last instruction.
+ $ac_cs_success || { (exit 1); exit 1; }
+fi
+
+
+# Tell Emacs to edit this file in shell mode.
+# Local Variables:
+# mode: sh
+# End:
diff --git a/contrib/bind9/lib/bind/configure.in b/contrib/bind9/lib/bind/configure.in
new file mode 100644
index 0000000..c92aeda
--- /dev/null
+++ b/contrib/bind9/lib/bind/configure.in
@@ -0,0 +1,2407 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+AC_REVISION($Revision: 1.83.2.5.2.3 $)
+
+AC_INIT(resolv/herror.c)
+AC_PREREQ(2.13)
+
+AC_CONFIG_HEADER(config.h)
+
+AC_CANONICAL_HOST
+
+AC_PROG_MAKE_SET
+AC_PROG_RANLIB
+AC_PROG_INSTALL
+
+AC_SUBST(STD_CINCLUDES)
+AC_SUBST(STD_CDEFINES)
+AC_SUBST(STD_CWARNINGS)
+AC_SUBST(CCOPT)
+
+AC_PATH_PROG(AR, ar)
+ARFLAGS="cruv"
+AC_SUBST(AR)
+AC_SUBST(ARFLAGS)
+
+# The POSIX ln(1) program. Non-POSIX systems may substitute
+# "copy" or something.
+LN=ln
+AC_SUBST(LN)
+
+case "$AR" in
+ "")
+ AC_MSG_ERROR([
+ar program not found. Please fix your PATH to include the directory in
+which ar resides, or set AR in the environment with the full path to ar.
+])
+
+ ;;
+esac
+
+#
+# Etags.
+#
+AC_PATH_PROGS(ETAGS, etags emacs-etags)
+
+#
+# Some systems, e.g. RH7, have the Exuberant Ctags etags instead of
+# GNU emacs etags, and it requires the -L flag.
+#
+if test "X$ETAGS" != "X"; then
+ AC_MSG_CHECKING(for Exuberant Ctags etags)
+ if $ETAGS --version 2>&1 | grep 'Exuberant Ctags' >/dev/null 2>&1; then
+ AC_MSG_RESULT(yes)
+ ETAGS="$ETAGS -L"
+ else
+ AC_MSG_RESULT(no)
+ fi
+fi
+AC_SUBST(ETAGS)
+
+#
+# Perl is optional; it is used only by some of the system test scripts.
+#
+AC_PATH_PROGS(PERL, perl5 perl)
+AC_SUBST(PERL)
+
+#
+# isc/list.h and others clash with the rest of BIND 9
+#
+case "$includedir" in
+ '${prefix}/include')
+ includedir='${prefix}/bind/include'
+ ;;
+esac
+case "$libdir" in
+ '${prefix}/lib')
+ libdir='${prefix}/bind/lib'
+ ;;
+esac
+
+#
+# Make sure INSTALL uses an absolute path, else it will be wrong in all
+# Makefiles, since they use make/rules.in and INSTALL will be adjusted by
+# configure based on the location of the file where it is substituted.
+# Since in BIND9 INSTALL is only substituted into make/rules.in, an immediate
+# subdirectory of install-sh, This relative path will be wrong for all
+# directories more than one level down from install-sh.
+#
+case "$INSTALL" in
+ /*)
+ ;;
+ *)
+ #
+ # Not all systems have dirname.
+ #
+ changequote({, })
+ ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+ changequote([, ])
+
+ ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+ test "$ac_dir" = "$ac_prog" && ac_dir=.
+ test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+ INSTALL="$ac_dir/$ac_prog"
+ ;;
+esac
+
+#
+# On these hosts, we really want to use cc, not gcc, even if it is
+# found. The gcc that these systems have will not correctly handle
+# pthreads.
+#
+# However, if the user sets $CC to be something, let that override
+# our change.
+#
+if test "X$CC" = "X" ; then
+ case "$host" in
+ *-dec-osf*)
+ CC="cc"
+ ;;
+ *-solaris*)
+ # Use Sun's cc if it is available, but watch
+ # out for /usr/ucb/cc; it will never be the right
+ # compiler to use.
+ #
+ # If setting CC here fails, the AC_PROG_CC done
+ # below might still find gcc.
+ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":"
+ for ac_dir in $PATH; do
+ test -z "$ac_dir" && ac_dir=.
+ case "$ac_dir" in
+ /usr/ucb)
+ # exclude
+ ;;
+ *)
+ if test -f "$ac_dir/cc"; then
+ CC="$ac_dir/cc"
+ break
+ fi
+ ;;
+ esac
+ done
+ IFS="$ac_save_ifs"
+ ;;
+ *-hp-hpux*)
+ CC="cc"
+ ;;
+ mips-sgi-irix*)
+ CC="cc"
+ ;;
+ esac
+fi
+
+
+AC_PROG_CC
+
+AC_HEADER_STDC
+
+
+AC_CHECK_HEADERS(fcntl.h db.h paths.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/timers.h)
+
+
+AC_C_CONST
+AC_C_INLINE
+AC_TYPE_SIZE_T
+AC_HEADER_TIME
+#
+# check if we need to #include sys/select.h explicitly
+#
+case $ac_cv_header_unistd_h in
+yes)
+AC_MSG_CHECKING(if unistd.h defines fd_set)
+AC_TRY_COMPILE([
+#include <unistd.h>],
+[fd_set read_set; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#undef ISC_PLATFORM_NEEDSYSSELECTH"
+ ],
+ [AC_MSG_RESULT(no)
+ case ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ AC_MSG_ERROR([need either working unistd.h or sys/select.h])
+ ;;
+ esac
+ ])
+ ;;
+no)
+ case ac_cv_header_sys_select_h in
+ yes)
+ ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+ ;;
+ no)
+ AC_MSG_ERROR([need either unistd.h or sys/select.h])
+ ;;
+ esac
+ ;;
+esac
+AC_SUBST(ISC_PLATFORM_NEEDSYSSELECTH)
+
+#
+# Find the machine's endian flavor.
+#
+AC_C_BIGENDIAN
+
+AC_ARG_WITH(irs-gr,[ --with-irs-gr Build ....],
+want_irs_gr="$withval", want_irs_gr="no")
+case "$want_irs_gr" in
+yes) WANT_IRS_GR="#define WANT_IRS_GR 1"
+ WANT_IRS_GR_OBJS="\${WANT_IRS_GR_OBJS}"
+ ;;
+*) WANT_IRS_GR="#undef WANT_IRS_GR" WANT_IRS_GR_OBJS="";;
+esac
+AC_SUBST(WANT_IRS_GR)
+AC_SUBST(WANT_IRS_GR_OBJS)
+
+AC_ARG_WITH(irs-pw,[ --with-irs-pw Build ....],
+want_irs_pw="$withval", want_irs_pw="no")
+case "$want_irs_pw" in
+yes) WANT_IRS_PW="#define WANT_IRS_PW 1"
+ WANT_IRS_PW_OBJS="\${WANT_IRS_PW_OBJS}";;
+*) WANT_IRS_PW="#undef WANT_IRS_PW" WANT_IRS_PW_OBJS="";;
+esac
+AC_SUBST(WANT_IRS_PW)
+AC_SUBST(WANT_IRS_PW_OBJS)
+
+AC_ARG_WITH(irs-nis,[ --with-irs-nis Build ....],
+want_irs_nis="$withval", want_irs_nis="no")
+case "$want_irs_nis" in
+yes)
+ WANT_IRS_NIS="#define WANT_IRS_NIS 1"
+ WANT_IRS_NIS_OBJS="\${WANT_IRS_NIS_OBJS}"
+ case "$want_irs_gr" in
+ yes)
+ WANT_IRS_NISGR_OBJS="\${WANT_IRS_NISGR_OBJS}";;
+ *)
+ WANT_IRS_NISGR_OBJS="";;
+ esac
+ case "$want_irs_pw" in
+ yes)
+ WANT_IRS_NISPW_OBJS="\${WANT_IRS_NISPW_OBJS}";;
+ *)
+ WANT_IRS_NISPW_OBJS="";;
+ esac
+ ;;
+*)
+ WANT_IRS_NIS="#undef WANT_IRS_NIS"
+ WANT_IRS_NIS_OBJS=""
+ WANT_IRS_NISGR_OBJS=""
+ WANT_IRS_NISPW_OBJS="";;
+esac
+AC_SUBST(WANT_IRS_NIS)
+AC_SUBST(WANT_IRS_NIS_OBJS)
+AC_SUBST(WANT_IRS_NISGR_OBJS)
+AC_SUBST(WANT_IRS_NISPW_OBJS)
+AC_TRY_RUN([
+#ifdef HAVE_DB_H
+int have_db_h = 1;
+#else
+int have_db_h = 0;
+#endif
+main() { return(!have_db_h); }
+],
+WANT_IRS_DBPW_OBJS="\${WANT_IRS_DBPW_OBJS}"
+,
+WANT_IRS_DBPW_OBJS=""
+,
+WANT_IRS_DBPW_OBJS=""
+)
+AC_SUBST(WANT_IRS_DBPW_OBJS)
+
+#
+# was --with-randomdev specified?
+#
+AC_MSG_CHECKING(for random device)
+AC_ARG_WITH(randomdev,
+[ --with-randomdev=PATH Specify path for random device],
+ use_randomdev="$withval", use_randomdev="unspec")
+
+case "$use_randomdev" in
+ unspec)
+ case "$host" in
+ *-openbsd*)
+ devrandom=/dev/srandom
+ ;;
+ *)
+ devrandom=/dev/random
+ ;;
+ esac
+ AC_MSG_RESULT($devrandom)
+ AC_CHECK_FILE($devrandom,
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
+ "$devrandom"),)
+ ;;
+ yes)
+ AC_MSG_ERROR([--with-randomdev must specify a path])
+ ;;
+ *)
+ AC_DEFINE_UNQUOTED(PATH_RANDOMDEV, "$use_randomdev")
+ AC_MSG_RESULT(using "$use_randomdev")
+ ;;
+esac
+
+#
+# Begin pthreads checking.
+#
+# First, decide whether to use multithreading or not.
+#
+AC_MSG_CHECKING(whether to look for thread support)
+AC_ARG_ENABLE(threads,
+ [ --disable-threads disable multithreading])
+case "$enable_threads" in
+ yes|'')
+ AC_MSG_RESULT(yes)
+ use_threads=true
+ ;;
+ no)
+ AC_MSG_RESULT(no)
+ use_threads=false
+ ;;
+ *)
+ AC_MSG_ERROR([--enable-threads takes yes or no])
+ ;;
+esac
+
+if $use_threads
+then
+ #
+ # Search for / configure pthreads in a system-dependent fashion.
+ #
+ case "$host" in
+ *-netbsd*)
+ # NetBSD has multiple pthreads implementations. The
+ # recommended one to use is "unproven-pthreads". The
+ # older "mit-pthreads" may also work on some NetBSD
+ # versions. The PTL2 thread library does not
+ # currently work with bind9, but can be chosen with
+ # the --with-ptl2 option for those who wish to
+ # experiment with it.
+ CC="gcc"
+ AC_MSG_CHECKING(which NetBSD thread library to use)
+
+ AC_ARG_WITH(ptl2,
+[ --with-ptl2 on NetBSD, use the ptl2 thread library (experimental)],
+ use_ptl2="$withval", use_ptl2="no")
+
+ : ${LOCALBASE:=/usr/pkg}
+
+ if test "X$use_ptl2" = "Xyes"
+ then
+ AC_MSG_RESULT(PTL2)
+ AC_MSG_WARN(
+[linking with PTL2 is highly experimental and not expected to work])
+ CC=ptlgcc
+ else
+ if test ! -d $LOCALBASE/pthreads
+ then
+ AC_MSG_RESULT(none)
+ use_threads=false
+ fi
+
+ if $use_threads
+ then
+ AC_MSG_RESULT(mit-pthreads/unproven-pthreads)
+ pkg="$LOCALBASE/pthreads"
+ lib1="-L$pkg/lib -Wl,-R$pkg/lib"
+ lib2="-lpthread -lm -lgcc -lpthread"
+ LIBS="$lib1 $lib2 $LIBS"
+ CPPFLAGS="$CPPFLAGS -I$pkg/include"
+ STD_CINCLUDES="$STD_CINCLUDES -I$pkg/include"
+ fi
+ fi
+ ;;
+ *)
+ AC_CHECK_LIB(pthread, pthread_create,,
+ AC_CHECK_LIB(pthread, __pthread_create,,
+ AC_CHECK_LIB(pthread, __pthread_create_system,,
+ AC_CHECK_LIB(c_r, pthread_create,,
+ AC_CHECK_LIB(c, pthread_create,,
+ use_threads=false)))))
+ ;;
+ esac
+fi
+
+if $use_threads
+then
+ #
+ # We'd like to use sigwait() too
+ #
+ AC_CHECK_LIB(c, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, sigwait,
+ AC_DEFINE(HAVE_SIGWAIT),
+ AC_CHECK_LIB(pthread, _Psigwait,
+ AC_DEFINE(HAVE_SIGWAIT),))
+ )
+
+ AC_CHECK_FUNC(pthread_attr_getstacksize,
+ AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
+
+ #
+ # Additional OS-specific issues related to pthreads and sigwait.
+ #
+ case "$host" in
+ #
+ # One more place to look for sigwait.
+ #
+ *-freebsd*)
+ AC_CHECK_LIB(c_r, sigwait, AC_DEFINE(HAVE_SIGWAIT),)
+ ;;
+ #
+ # BSDI 3.0 through 4.0.1 needs pthread_init() to be
+ # called before certain pthreads calls. This is deprecated
+ # in BSD/OS 4.1.
+ #
+ *-bsdi3.*|*-bsdi4.0*)
+ AC_DEFINE(NEED_PTHREAD_INIT)
+ ;;
+ #
+ # LinuxThreads requires some changes to the way we
+ # deal with signals.
+ #
+ *-linux*)
+ AC_DEFINE(HAVE_LINUXTHREADS)
+ ;;
+ #
+ # Ensure the right sigwait() semantics on Solaris and make
+ # sure we call pthread_setconcurrency.
+ #
+ *-solaris*)
+ AC_DEFINE(_POSIX_PTHREAD_SEMANTICS)
+ AC_CHECK_FUNC(pthread_setconcurrency,
+ AC_DEFINE(CALL_PTHREAD_SETCONCURRENCY))
+ AC_DEFINE(POSIX_GETPWUID_R)
+ AC_DEFINE(POSIX_GETPWNAM_R)
+ AC_DEFINE(POSIX_GETGRGID_R)
+ AC_DEFINE(POSIX_GETGRNAM_R)
+ ;;
+ *hpux11*)
+ AC_DEFINE(_PTHREADS_DRAFT4)
+ ;;
+ #
+ # UnixWare does things its own way.
+ #
+ *-UnixWare*)
+ AC_DEFINE(HAVE_UNIXWARE_SIGWAIT)
+ ;;
+ esac
+
+ #
+ # Look for sysconf to allow detection of the number of processors.
+ #
+ AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF),)
+
+ if test "X$GCC" = "Xyes"; then
+ case "$host" in
+ *-freebsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-openbsd*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ LIBS="$LIBS -lthread"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ esac
+ else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -pthread"
+ CCOPT="$CCOPT -pthread"
+ ;;
+ *-solaris*)
+ CC="$CC -mt"
+ CCOPT="$CCOPT -mt"
+ ;;
+ *-ibm-aix*)
+ STD_CDEFINES="$STD_CDEFINES -D_THREAD_SAFE"
+ ;;
+ *-UnixWare*)
+ CC="$CC -Kthread"
+ CCOPT="$CCOPT -Kthread"
+ ;;
+ esac
+ fi
+ ALWAYS_DEFINES="-D_REENTRANT"
+ DO_PTHREADS="#define DO_PTHREADS 1"
+ WANT_IRS_THREADSGR_OBJS="\${WANT_IRS_THREADSGR_OBJS}"
+ WANT_IRS_THREADSPW_OBJS="\${WANT_IRS_THREADSPW_OBJS}"
+ WANT_IRS_THREADS_OBJS="\${WANT_IRS_THREADS_OBJS}"
+ thread_dir=pthreads
+else
+ ALWAYS_DEFINES=""
+ DO_PTHREADS="#undef DO_PTHREADS"
+ WANT_IRS_THREADSGR_OBJS=""
+ WANT_IRS_THREADSPW_OBJS=""
+ WANT_IRS_THREADS_OBJS=""
+ thread_dir=nothreads
+fi
+
+AC_CHECK_FUNC(strlcat, AC_DEFINE(HAVE_STRLCAT))
+
+AC_SUBST(ALWAYS_DEFINES)
+AC_SUBST(DO_PTHREADS)
+AC_SUBST(WANT_IRS_THREADSGR_OBJS)
+AC_SUBST(WANT_IRS_THREADSPW_OBJS)
+AC_SUBST(WANT_IRS_THREADS_OBJS)
+
+AC_CHECK_FUNC(if_nametoindex,
+ [USE_IFNAMELINKID="#define USE_IFNAMELINKID 1"],
+ [USE_IFNAMELINKID="#undef USE_IFNAMELINKID"])
+AC_SUBST(USE_IFNAMELINKID)
+
+ISC_THREAD_DIR=$thread_dir
+AC_SUBST(ISC_THREAD_DIR)
+
+AC_CHECK_FUNC(daemon,
+[DAEMON_OBJS="" NEED_DAEMON="#undef NEED_DAEMON"]
+,
+[DAEMON_OBJS="\${DAEMON_OBJS}" NEED_DAEMON="#define NEED_DAEMON 1"]
+)
+AC_SUBST(DAEMON_OBJS)
+AC_SUBST(NEED_DAEMON)
+
+AC_CHECK_FUNC(strsep,
+[STRSEP_OBJS="" NEED_STRSEP="#undef NEED_STRSEP"]
+,
+[STRSEP_OBJS="\${STRSEP_OBJS}" NEED_STRSEP="#define NEED_STRSEP 1"]
+)
+AC_SUBST(STRSEP_OBJS)
+AC_SUBST(NEED_STRSEP)
+
+AC_CHECK_FUNC(strerror, [NEED_STRERROR="#undef NEED_STRERROR"],
+[NEED_STRERROR="#define NEED_STRERROR 1"])
+AC_SUBST(NEED_STRERROR)
+
+#
+# flockfile is usually provided by pthreads, but we may want to use it
+# even if compiled with --disable-threads.
+#
+AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
+
+#
+# Indicate what the final decision was regarding threads.
+#
+AC_MSG_CHECKING(whether to build with threads)
+if $use_threads; then
+ AC_MSG_RESULT(yes)
+else
+ AC_MSG_RESULT(no)
+fi
+
+#
+# End of pthreads stuff.
+#
+
+#
+# Additional compiler settings.
+#
+MKDEPCC="$CC"
+MKDEPCFLAGS="-M"
+IRIX_DNSSEC_WARNINGS_HACK=""
+
+if test "X$GCC" = "Xyes"; then
+ STD_CWARNINGS="$STD_CWARNINGS -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings"
+else
+ case $host in
+ *-dec-osf*)
+ CC="$CC -std"
+ CCOPT="$CCOPT -std"
+ MKDEPCC="$CC"
+ ;;
+ *-hp-hpux*)
+ CC="$CC -Ae -z"
+ # The version of the C compiler that constantly warns about
+ # 'const' as well as alignment issues is unfortunately not
+ # able to be discerned via the version of the operating
+ # system, nor does cc have a version flag.
+ case "`$CC +W 123 2>&1`" in
+ *Unknown?option*)
+ STD_CWARNINGS="+w1"
+ ;;
+ *)
+ # Turn off the pointlessly noisy warnings.
+ STD_CWARNINGS="+w1 +W 474,530"
+ ;;
+ esac
+ CCOPT="$CCOPT -Ae -z"
+ LIBS="-Wl,+vnocompatwarnings $LIBS"
+MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>&1 | awk '"'"'BEGIN {colon=0; rec="";} { for (i = 0 ; i < NF; i++) { if (colon && a[$i]) continue; if ($i == "\\") continue; if (!colon) { rec = $i continue; } if ($i == ":") { rec = rec " :" colon = 1 continue; } if (length(rec $i) > 76) { print rec " \\"; rec = "\t" $i; a[$i] = 1; } else { rec = rec " " $i a[$i] = 1; } } } END {print rec}'"'"' >>$TMP'
+ MKDEPPROG='cc -Ae -E -Wp,-M >/dev/null 2>>$TMP'
+ ;;
+ *-sgi-irix*)
+ STD_CWARNINGS="-fullwarn -woff 1209"
+ #
+ # Silence more than 250 instances of
+ # "prototyped function redeclared without prototype"
+ # and 11 instances of
+ # "variable ... was set but never used"
+ # from lib/dns/sec/openssl.
+ #
+ IRIX_DNSSEC_WARNINGS_HACK="-woff 1692,1552"
+ ;;
+ *-solaris*)
+ MKDEPCFLAGS="-xM"
+ ;;
+ *-UnixWare*)
+ CC="$CC -w"
+ ;;
+ esac
+fi
+
+#
+# _GNU_SOURCE is needed to access the fd_bits field of struct fd_set, which
+# is supposed to be opaque.
+#
+case $host in
+ *linux*)
+ STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE"
+ ;;
+esac
+
+AC_SUBST(MKDEPCC)
+AC_SUBST(MKDEPCFLAGS)
+AC_SUBST(MKDEPPROG)
+AC_SUBST(IRIX_DNSSEC_WARNINGS_HACK)
+
+#
+# NLS
+#
+AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
+
+#
+# -lxnet buys us one big porting headache... standards, gotta love 'em.
+#
+# AC_CHECK_LIB(xnet, socket, ,
+# AC_CHECK_LIB(socket, socket)
+# AC_CHECK_LIB(nsl, inet_ntoa)
+# )
+#
+# Use this for now, instead:
+#
+case "$host" in
+ mips-sgi-irix*)
+ ;;
+ *)
+ AC_CHECK_LIB(d4r, gethostbyname_r)
+ AC_CHECK_LIB(socket, socket)
+ AC_CHECK_LIB(nsl, inet_ntoa)
+ ;;
+esac
+
+#
+# Purify support
+#
+AC_MSG_CHECKING(whether to use purify)
+AC_ARG_WITH(purify,
+ [ --with-purify[=PATH] use Rational purify],
+ use_purify="$withval", use_purify="no")
+
+case "$use_purify" in
+ no)
+ ;;
+ yes)
+ AC_PATH_PROG(purify_path, purify, purify)
+ ;;
+ *)
+ purify_path="$use_purify"
+ ;;
+esac
+
+case "$use_purify" in
+ no)
+ AC_MSG_RESULT(no)
+ PURIFY=""
+ ;;
+ *)
+ if test -f $purify_path || test $purify_path = purify; then
+ AC_MSG_RESULT($purify_path)
+ PURIFYFLAGS="`echo $PURIFYOPTIONS`"
+ PURIFY="$purify_path $PURIFYFLAGS"
+ else
+ AC_MSG_ERROR([$purify_path not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-purify=PATH
+])
+ fi
+ ;;
+esac
+
+AC_SUBST(PURIFY)
+
+#
+# GNU libtool support
+#
+AC_ARG_WITH(libtool,
+ [ --with-libtool use GNU libtool (following indented options supported)],
+ use_libtool="$withval", use_libtool="no")
+
+case $use_libtool in
+ yes)
+ AM_PROG_LIBTOOL
+ O=lo
+ A=la
+ LIBTOOL_MKDEP_SED='s;\.o;\.lo;'
+ LIBTOOL_MODE_COMPILE='--mode=compile'
+ LIBTOOL_MODE_INSTALL='--mode=install'
+ LIBTOOL_MODE_LINK='--mode=link'
+ ;;
+ *)
+ O=o
+ A=a
+ LIBTOOL=
+ AC_SUBST(LIBTOOL)
+ LIBTOOL_MKDEP_SED=
+ LIBTOOL_MODE_COMPILE=
+ LIBTOOL_MODE_INSTALL=
+ LIBTOOL_MODE_LINK=
+ ;;
+esac
+
+#
+# File name extension for static archive files, for those few places
+# where they are treated differently from dynamic ones.
+#
+SA=a
+
+AC_SUBST(O)
+AC_SUBST(A)
+AC_SUBST(SA)
+AC_SUBST(LIBTOOL_MKDEP_SED)
+AC_SUBST(LIBTOOL_MODE_COMPILE)
+AC_SUBST(LIBTOOL_MODE_INSTALL)
+AC_SUBST(LIBTOOL_MODE_LINK)
+
+#
+# Here begins a very long section to determine the system's networking
+# capabilities. The order of the tests is signficant.
+#
+
+#
+# IPv6
+#
+AC_ARG_ENABLE(ipv6,
+ [ --enable-ipv6 use IPv6 [default=autodetect]])
+
+case "$enable_ipv6" in
+ yes|''|autodetect)
+ AC_DEFINE(WANT_IPV6)
+ ;;
+ no)
+ ;;
+esac
+
+#
+# We do the IPv6 compilation checking after libtool so that we can put
+# the right suffix on the files.
+#
+AC_MSG_CHECKING(for IPv6 structures)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>],
+[struct sockaddr_in6 sin6; return (0);],
+ [AC_MSG_RESULT(yes)
+ found_ipv6=yes],
+ [AC_MSG_RESULT(no)
+ found_ipv6=no])
+
+#
+# See whether IPv6 support is provided via a Kame add-on.
+# This is done before other IPv6 linking tests to LIBS is properly set.
+#
+AC_MSG_CHECKING(for Kame IPv6 support)
+AC_ARG_WITH(kame,
+ [ --with-kame[=PATH] use Kame IPv6 [default path /usr/local/v6]],
+ use_kame="$withval", use_kame="no")
+
+case "$use_kame" in
+ no)
+ ;;
+ yes)
+ kame_path=/usr/local/v6
+ ;;
+ *)
+ kame_path="$use_kame"
+ ;;
+esac
+
+case "$use_kame" in
+ no)
+ AC_MSG_RESULT(no)
+ ;;
+ *)
+ if test -f $kame_path/lib/libinet6.a; then
+ AC_MSG_RESULT($kame_path/lib/libinet6.a)
+ LIBS="-L$kame_path/lib -linet6 $LIBS"
+ else
+ AC_MSG_ERROR([$kame_path/lib/libinet6.a not found.
+
+Please choose the proper path with the following command:
+
+ configure --with-kame=PATH
+])
+ fi
+ ;;
+esac
+
+#
+# Whether netinet6/in6.h is needed has to be defined in isc/platform.h.
+# Including it on Kame-using platforms is very bad, though, because
+# Kame uses #error against direct inclusion. So include it on only
+# the platform that is otherwise broken without it -- BSD/OS 4.0 through 4.1.
+# This is done before the in6_pktinfo check because that's what
+# netinet6/in6.h is needed for.
+#
+changequote({, })
+case "$host" in
+*-bsdi4.[01]*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#define ISC_PLATFORM_NEEDNETINET6IN6H 1"
+ isc_netinet6in6_hack="#include <netinet6/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINET6IN6H="#undef ISC_PLATFORM_NEEDNETINET6IN6H"
+ isc_netinet6in6_hack=""
+ ;;
+esac
+changequote([, ])
+
+#
+# This is similar to the netinet6/in6.h issue.
+#
+case "$host" in
+*-UnixWare*)
+ ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
+ ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+ isc_netinetin6_hack="#include <netinet/in6.h>"
+ ;;
+*)
+ ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
+ ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+ isc_netinetin6_hack=""
+ ;;
+esac
+
+#
+# Now delve deeper into the suitability of the IPv6 support.
+#
+case "$found_ipv6" in
+ yes)
+ HAS_INET6_STRUCTS="#define HAS_INET6_STRUCTS 1"
+
+ AC_MSG_CHECKING(for in6_addr)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+[struct in6_addr in6; return (0);],
+ [AC_MSG_RESULT(yes)
+ HAS_IN_ADDR6="#undef HAS_IN_ADDR6"
+ isc_in_addr6_hack=""],
+ [AC_MSG_RESULT(no)
+ HAS_IN_ADDR6="#define HAS_IN_ADDR6 1"
+ isc_in_addr6_hack="#define in6_addr in_addr6"])
+
+ AC_MSG_CHECKING(for in6addr_any)
+ AC_TRY_LINK([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+$isc_in_addr6_hack
+],
+ [struct in6_addr in6; in6 = in6addr_any; return (0);],
+ [AC_MSG_RESULT(yes)
+ NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"],
+ [AC_MSG_RESULT(no)
+ NEED_IN6ADDR_ANY="#define NEED_IN6ADDR_ANY 1"])
+
+ AC_MSG_CHECKING(for sin6_scope_id in struct sockaddr_in6)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+ [struct sockaddr_in6 xyzzy; xyzzy.sin6_scope_id = 0; return (0);],
+ [AC_MSG_RESULT(yes)
+ result="#define HAVE_SIN6_SCOPE_ID 1"],
+ [AC_MSG_RESULT(no)
+ result="#undef HAVE_SIN6_SCOPE_ID"])
+ HAVE_SIN6_SCOPE_ID="$result"
+
+ AC_MSG_CHECKING(for in6_pktinfo)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+ [struct in6_pktinfo xyzzy; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_HAVEIN6PKTINFO="#define ISC_PLATFORM_HAVEIN6PKTINFO 1"],
+ [AC_MSG_RESULT(no -- disabling runtime ipv6 support)
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"])
+
+ AC_MSG_CHECKING(for sockaddr_storage)
+ AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+$isc_netinetin6_hack
+$isc_netinet6in6_hack
+],
+ [struct sockaddr_storage xyzzy; return (0);],
+ [AC_MSG_RESULT(yes)
+ HAVE_SOCKADDR_STORAGE="#define HAVE_SOCKADDR_STORAGE 1"],
+ [AC_MSG_RESULT(no)
+ HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"])
+ ;;
+ no)
+ HAS_INET6_STRUCTS="#undef HAS_INET6_STRUCTS"
+ NEED_IN6ADDR_ANY="#undef NEED_IN6ADDR_ANY"
+ ISC_PLATFORM_HAVEIN6PKTINFO="#undef ISC_PLATFORM_HAVEIN6PKTINFO"
+ HAVE_SIN6_SCOPE_ID="#define HAVE_SIN6_SCOPE_ID 1"
+ HAVE_SOCKADDR_STORAGE="#undef HAVE_SOCKADDR_STORAGE"
+ ISC_IPV6_H="ipv6.h"
+ ISC_IPV6_O="ipv6.$O"
+ ISC_ISCIPV6_O="unix/ipv6.$O"
+ ISC_IPV6_C="ipv6.c"
+ ;;
+esac
+
+AC_SUBST(HAS_INET6_STRUCTS)
+AC_SUBST(ISC_PLATFORM_NEEDNETINETIN6H)
+AC_SUBST(ISC_PLATFORM_NEEDNETINET6IN6H)
+AC_SUBST(HAS_IN_ADDR6)
+AC_SUBST(NEED_IN6ADDR_ANY)
+AC_SUBST(ISC_PLATFORM_HAVEIN6PKTINFO)
+AC_SUBST(ISC_PLATFORM_FIXIN6ISADDR)
+AC_SUBST(ISC_IPV6_H)
+AC_SUBST(ISC_IPV6_O)
+AC_SUBST(ISC_ISCIPV6_O)
+AC_SUBST(ISC_IPV6_C)
+AC_SUBST(HAVE_SIN6_SCOPE_ID)
+AC_SUBST(HAVE_SOCKADDR_STORAGE)
+
+#
+# Check for network functions that are often missing. We do this
+# after the libtool checking, so we can put the right suffix on
+# the files. It also needs to come after checking for a Kame add-on,
+# which provides some (all?) of the desired functions.
+#
+AC_MSG_CHECKING([for inet_ntop])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+ [inet_ntop(0, 0, 0, 0); return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
+
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+ ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
+AC_MSG_CHECKING([for inet_pton])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+ [inet_pton(0, 0, 0); return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
+
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+ ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"])
+AC_MSG_CHECKING([for inet_aton])
+AC_TRY_LINK([
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>],
+ [struct in_addr in; inet_aton(0, &in); return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
+
+ [AC_MSG_RESULT(no)
+ ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
+ ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
+
+AC_SUBST(ISC_PLATFORM_NEEDNTOP)
+AC_SUBST(ISC_PLATFORM_NEEDPTON)
+AC_SUBST(ISC_PLATFORM_NEEDATON)
+
+#
+# Look for a 4.4BSD-style sa_len member in struct sockaddr.
+#
+case "$host" in
+ *-dec-osf*)
+ # Turn on 4.4BSD style sa_len support.
+ AC_DEFINE(_SOCKADDR_LEN)
+ ;;
+esac
+
+AC_MSG_CHECKING(for sa_len in struct sockaddr)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>],
+[struct sockaddr sa; sa.sa_len = 0; return (0);],
+ [AC_MSG_RESULT(yes)
+ HAVE_SA_LEN="#define HAVE_SA_LEN 1"],
+ [AC_MSG_RESULT(no)
+ HAVE_SA_LEN="#undef HAVE_SA_LEN"])
+AC_SUBST(HAVE_SA_LEN)
+
+# HAVE_MINIMUM_IFREQ
+
+case "$host" in
+ *-bsdi[2345]*) have_minimum_ifreq=yes;;
+ *-darwin*) have_minimum_ifreq=yes;;
+ *-freebsd*) have_minimum_ifreq=yes;;
+ *-lynxos*) have_minimum_ifreq=yes;;
+ *-netbsd*) have_minimum_ifreq=yes;;
+ *-next*) have_minimum_ifreq=yes;;
+ *-openbsd*) have_minimum_ifreq=yes;;
+ *-rhapsody*) have_minimum_ifreq=yes;;
+esac
+
+case "$have_minimum_ifreq" in
+ yes)
+ HAVE_MINIMUM_IFREQ="#define HAVE_MINIMUM_IFREQ 1";;
+ no)
+ HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
+ *)
+ HAVE_MINIMUM_IFREQ="#undef HAVE_MINIMUM_IFREQ";;
+esac
+AC_SUBST(HAVE_MINIMUM_IFREQ)
+
+# PORT_DIR
+PORT_DIR=port/unknown
+SOLARIS_BITTYPES="#undef NEED_SOLARIS_BITTYPES"
+BSD_COMP="#undef BSD_COMP"
+USE_FIONBIO_IOCTL="#undef USE_FIONBIO_IOCTL"
+case "$host" in
+ *aix3.2*) PORT_DIR="port/aix32";;
+ *aix4*) PORT_DIR="port/aix4";;
+ *aux3*) PORT_DIR="port/aux3";;
+ *-bsdi2*) PORT_DIR="port/bsdos2";;
+ *-bsdi*) PORT_DIR="port/bsdos";;
+ *-cygwin*) PORT_DIR="port/cygwin";;
+ *-darwin*) PORT_DIR="port/darwin";;
+ *-osf*) PORT_DIR="port/decunix";;
+ *-freebsd*) PORT_DIR="port/freebsd";;
+ *-hpux9*) PORT_DIR="port/hpux9";;
+ *-hpux10*) PORT_DIR="port/hpux10";;
+ *-hpux11*) PORT_DIR="port/hpux";;
+ *-irix*) PORT_DIR="port/irix";;
+ *-linux*) PORT_DIR="port/linux";;
+ *-lynxos*) PORT_DIR="port/lynxos";;
+ *-mpe*) PORT_DIR="port/mpe";;
+ *-netbsd*) PORT_DIR="port/netbsd";;
+ *-next*) PORT_DIR="port/next";;
+ *-openbsd*) PORT_DIR="port/openbsd";;
+ *-qnx*) PORT_DIR="port/qnx";;
+ *-rhapsody*) PORT_DIR="port/rhapsody";;
+ *-solaris2.[[01234]]*)
+ BSD_COMP="#define BSD_COMP 1"
+ SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
+ USE_FIONBIO_IOCTL="#define USE_FIONBIO_IOCTL 1"
+ PORT_DIR="port/solaris";;
+ *-solaris2.5*)
+ BSD_COMP="#define BSD_COMP 1"
+ SOLARIS_BITTYPES="#define NEED_SOLARIS_BITTYPES 1"
+ PORT_DIR="port/solaris";;
+ *-solaris2*) BSD_COMP="#define BSD_COMP 1"
+ PORT_DIR="port/solaris";;
+ *-ultrix*) PORT_DIR="port/ultrix";;
+ *-sco-sysv*uw2.0*) PORT_DIR="port/unixware20";;
+ *-sco-sysv*uw2.1.2*) PORT_DIR="port/unixware212";;
+ *-sco-sysv*uw7*) PORT_DIR="port/unixware7";;
+esac
+AC_SUBST(BSD_COMP)
+AC_SUBST(SOLARIS_BITTYPES)
+AC_SUBST(USE_FIONBIO_IOCTL)
+AC_SUBST(PORT_DIR)
+PORT_INCLUDE=${PORT_DIR}/include
+AC_SUBST(PORT_INCLUDE)
+
+
+#
+# Look for a 4.4BSD or 4.3BSD struct msghdr
+#
+AC_MSG_CHECKING(for struct msghdr flavor)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>],
+[struct msghdr msg; msg.msg_flags = 0; return (0);],
+ [AC_MSG_RESULT(4.4BSD)
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD44MSGHDR 1"],
+ [AC_MSG_RESULT(4.3BSD)
+ ISC_PLATFORM_MSGHDRFLAVOR="#define ISC_NET_BSD43MSGHDR 1"])
+AC_SUBST(ISC_PLATFORM_MSGHDRFLAVOR)
+
+#
+# Look for in_port_t.
+#
+AC_MSG_CHECKING(for type in_port_t)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <netinet/in.h>],
+[in_port_t port = 25; return (0);],
+ [AC_MSG_RESULT(yes)
+ ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
+ [AC_MSG_RESULT(no)
+ ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
+AC_SUBST(ISC_PLATFORM_NEEDPORTT)
+
+#
+# Check for addrinfo
+#
+AC_MSG_CHECKING(for struct addrinfo)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[struct addrinfo a; return (0);],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_ADDRINFO)],
+ [AC_MSG_RESULT(no)])
+
+AC_MSG_CHECKING(for int sethostent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = sethostent(0); return(0);],
+ [AC_MSG_RESULT(yes)],
+ [AC_MSG_RESULT(no)])
+
+AC_MSG_CHECKING(for int endhostent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = endhostent(); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_ENDHOSTENTINT="#define ISC_LWRES_ENDHOSTENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_ENDHOSTENTINT="#undef ISC_LWRES_ENDHOSTENTINT"])
+AC_SUBST(ISC_LWRES_ENDHOSTENTINT)
+
+AC_MSG_CHECKING(for int setnetent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = setnetent(0); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_SETNETENTINT="#define ISC_LWRES_SETNETENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_SETNETENTINT="#undef ISC_LWRES_SETNETENTINT"])
+AC_SUBST(ISC_LWRES_SETNETENTINT)
+
+AC_MSG_CHECKING(for int endnetent)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[int i = endnetent(); return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_ENDNETENTINT="#define ISC_LWRES_ENDNETENTINT 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_ENDNETENTINT="#undef ISC_LWRES_ENDNETENTINT"])
+AC_SUBST(ISC_LWRES_ENDNETENTINT)
+
+AC_MSG_CHECKING(for gethostbyaddr(const void *, size_t, ...))
+AC_TRY_COMPILE([
+#include <netdb.h>
+struct hostent *gethostbyaddr(const void *, size_t, int);],
+[return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_GETHOSTBYADDRVOID="#define ISC_LWRES_GETHOSTBYADDRVOID 1"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_GETHOSTBYADDRVOID="#undef ISC_LWRES_GETHOSTBYADDRVOID"])
+AC_SUBST(ISC_LWRES_GETHOSTBYADDRVOID)
+
+AC_MSG_CHECKING(for h_errno in netdb.h)
+AC_TRY_COMPILE([
+#include <netdb.h>],
+[h_errno = 1; return(0);],
+ [AC_MSG_RESULT(yes)
+ ISC_LWRES_NEEDHERRNO="#undef ISC_LWRES_NEEDHERRNO"],
+ [AC_MSG_RESULT(no)
+ ISC_LWRES_NEEDHERRNO="#define ISC_LWRES_NEEDHERRNO 1"])
+AC_SUBST(ISC_LWRES_NEEDHERRNO)
+
+AC_CHECK_FUNC(getipnodebyname,
+ [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
+ [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
+AC_CHECK_FUNC(getnameinfo,
+ [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
+ [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
+AC_CHECK_FUNC(getaddrinfo,
+ [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
+ AC_DEFINE(HAVE_GETADDRINFO)],
+ [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
+AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
+AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
+AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
+AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
+AC_CHECK_FUNC(pselect,
+ [NEED_PSELECT="#undef NEED_PSELECT"],
+ [NEED_PSELECT="#define NEED_PSELECT"])
+AC_SUBST(NEED_PSELECT)
+AC_CHECK_FUNC(gettimeofday,
+ [NEED_GETTIMEOFDAY="#undef NEED_GETTIMEOFDAY"],
+ [NEED_GETTIMEOFDAY="#define NEED_GETTIMEOFDAY 1"])
+AC_SUBST(NEED_GETTIMEOFDAY)
+AC_CHECK_FUNC(strndup,
+ [HAVE_STRNDUP="#define HAVE_STRNDUP 1"],
+ [HAVE_STRNDUP="#undef HAVE_STRNDUP"])
+AC_SUBST(HAVE_STRNDUP)
+
+#
+# Look for a sysctl call to get the list of network interfaces.
+#
+AC_MSG_CHECKING(for interface list sysctl)
+AC_EGREP_CPP(found_rt_iflist, [
+#include <sys/param.h>
+#include <sys/sysctl.h>
+#include <sys/socket.h>
+#ifdef NET_RT_IFLIST
+found_rt_iflist
+#endif
+],
+ [AC_MSG_RESULT(yes)
+ AC_DEFINE(HAVE_IFLIST_SYSCTL)],
+ [AC_MSG_RESULT(no)])
+
+#
+# Check for some other useful functions that are not ever-present.
+#
+AC_CHECK_FUNC(strsep,
+ [ISC_PLATFORM_NEEDSTRSEP="#undef ISC_PLATFORM_NEEDSTRSEP"],
+ [ISC_PLATFORM_NEEDSTRSEP="#define ISC_PLATFORM_NEEDSTRSEP 1"])
+AC_CHECK_FUNC(vsnprintf,
+ [ISC_PLATFORM_NEEDVSNPRINTF="#undef ISC_PLATFORM_NEEDVSNPRINTF"],
+ [ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS print.$O"
+ ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS print.c"
+ ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"])
+AC_SUBST(ISC_PLATFORM_NEEDSTRSEP)
+AC_SUBST(ISC_PLATFORM_NEEDVSNPRINTF)
+
+AC_SUBST(ISC_EXTRA_OBJS)
+AC_SUBST(ISC_EXTRA_SRCS)
+AC_CHECK_FUNC(strerror,
+ [USE_SYSERROR_LIST="#undef USE_SYSERROR_LIST"],
+ [USE_SYSERROR_LIST="#define USE_SYSERROR_LIST 1"])
+AC_SUBST(USE_SYSERROR_LIST)
+
+#
+# Determine the printf format characters to use when printing
+# values of type isc_int64_t. We make the assumption that platforms
+# where a "long long" is the same size as a "long" (e.g., Alpha/OSF1)
+# want "%ld" and everyone else can use "%lld". Win32 uses "%I64d",
+# but that's defined elsewhere since we don't use configure on Win32.
+#
+AC_MSG_CHECKING(printf format modifier for 64-bit integers)
+AC_TRY_RUN([main() { exit(!(sizeof(long long int) == sizeof(long int))); }],
+ [AC_MSG_RESULT(l)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "l"'],
+ [AC_MSG_RESULT(ll)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'],
+ [AC_MSG_RESULT(default ll)
+ ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'])
+AC_SUBST(ISC_PLATFORM_QUADFORMAT)
+
+#
+# Security Stuff
+#
+AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
+
+#
+# for accept, recvfrom, getpeername etc.
+#
+AC_MSG_CHECKING(for socket length type)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, socklen_t *);
+],[],
+[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T socklen_t"
+AC_MSG_RESULT(socklen_t)]
+,
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, unsigned int *);
+],[],
+[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned int"
+AC_MSG_RESULT(unsigned int)]
+,
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, unsigned long *);
+],[],
+[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T unsigned long"
+AC_MSG_RESULT(unsigned long)]
+,
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <sys/socket.h>
+int accept(int, struct sockaddr *, long *);
+],[],
+[ISC_SOCKLEN_T="#define ISC_SOCKLEN_T long"
+AC_MSG_RESULT(long)]
+,
+ISC_SOCKLEN_T="#define ISC_SOCKLEN_T int"
+AC_MSG_RESULT(int)
+))))
+AC_SUBST(ISC_SOCKLEN_T)
+
+AC_CHECK_FUNC(getgrouplist,
+AC_TRY_COMPILE(
+[#include <unistd.h>
+int
+getgrouplist(const char *name, int basegid, int *groups, int *ngroups) {
+}
+],
+[return (0);],
+GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, int basegid, int *groups, int *ngroups"
+,
+GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
+),
+GETGROUPLIST_ARGS="#define GETGROUPLIST_ARGS const char *name, gid_t basegid, gid_t *groups, int *ngroups"
+AC_DEFINE(NEED_GETGROUPLIST)
+)
+AC_SUBST(GETGROUPLIST_ARGS)
+
+AC_CHECK_FUNC(setgroupent,,AC_DEFINE(NEED_SETGROUPENT))
+
+AC_CHECK_FUNC(getnetbyaddr_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct netent *
+getnetbyaddr_r(long net, int type, struct netent *result, char *buffer,
+int buflen) {}
+],
+[return (0)],
+[
+NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
+NET_R_BAD="#define NET_R_BAD NULL"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
+NET_R_OK="#define NET_R_OK nptr"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN struct netent *"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#undef NETENT_DATA"
+],
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetbyaddr_r (unsigned long int, int, struct netent *,
+ char *, size_t, struct netent **, int *);
+],
+[return (0)],
+[
+NET_R_ARGS="#define NET_R_ARGS char *buf, size_t buflen, struct netent **answerp, int *h_errnop"
+NET_R_BAD="#define NET_R_BAD ERANGE"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS char *buf, size_t buflen"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#define NET_R_SETANSWER 1"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T unsigned long int"
+NETENT_DATA="#undef NETENT_DATA"
+],
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#define _OSF_SOURCE
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int getnetbyaddr_r(int, int, struct netent *, struct netent_data *);
+],
+[return (0)],
+[
+NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
+NET_R_BAD="#define NET_R_BAD (-1)"
+NET_R_COPY="#define NET_R_COPY ndptr"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int"
+NETENT_DATA="#define NETENT_DATA 1"
+],
+AC_TRY_COMPILE(
+#undef __USE_MISC
+#define __USE_MISC
+[#include <netdb.h>
+int getnetbyaddr_r (long, int, struct netent *, struct netent_data *);
+],
+[return (0)],
+[
+NET_R_ARGS="#define NET_R_ARGS struct netent_data *ndptr"
+NET_R_BAD="#define NET_R_BAD (-1)"
+NET_R_COPY="#define NET_R_COPY ndptr"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS struct netent_data *ndptr"
+NET_R_OK="#define NET_R_OK 0"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN int"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#define NETENT_DATA 1"
+],
+)
+)
+)
+)
+,
+NET_R_ARGS="#define NET_R_ARGS char *buf, int buflen"
+NET_R_BAD="#define NET_R_BAD NULL"
+NET_R_COPY="#define NET_R_COPY buf, buflen"
+NET_R_COPY_ARGS="#define NET_R_COPY_ARGS NET_R_ARGS"
+NET_R_OK="#define NET_R_OK nptr"
+NET_R_SETANSWER="#undef NET_R_SETANSWER"
+NET_R_RETURN="#define NET_R_RETURN struct netent *"
+GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T long"
+NETENT_DATA="#undef NETENT_DATA"
+)
+case "$host" in
+*dec-osf*) GETNETBYADDR_ADDR_T="#define GETNETBYADDR_ADDR_T int" ;;
+esac
+AC_SUBST(NET_R_ARGS)
+AC_SUBST(NET_R_BAD)
+AC_SUBST(NET_R_COPY)
+AC_SUBST(NET_R_COPY_ARGS)
+AC_SUBST(NET_R_OK)
+AC_SUBST(NET_R_SETANSWER)
+AC_SUBST(NET_R_RETURN)
+AC_SUBST(GETNETBYADDR_ADDR_T)
+AC_SUBST(NETENT_DATA)
+
+AC_CHECK_FUNC(setnetent_r,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setnetent_r (int);
+] ,[return (0);],[
+NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
+NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
+],
+AC_TRY_COMPILE(
+[
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int setnetent_r(int, struct netent_data *);
+] ,[return (0);],[
+NET_R_ENT_ARGS="#define NET_R_ENT_ARGS struct netent_data *ndptr"
+NET_R_SET_RESULT="#define NET_R_SET_RESULT NET_R_OK"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN int"
+],
+)
+)
+,
+NET_R_ENT_ARGS="#undef NET_R_ENT_ARGS /*empty*/"
+NET_R_SET_RESULT="#undef NET_R_SET_RESULT /*empty*/"
+NET_R_SET_RETURN="#define NET_R_SET_RETURN void"
+)
+AC_SUBST(NET_R_ENT_ARGS)
+AC_SUBST(NET_R_SET_RESULT)
+AC_SUBST(NET_R_SET_RETURN)
+
+AC_CHECK_FUNC(endnetent_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endnetent_r (void);
+] ,[return (0);],[
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+],
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int endnetent_r(struct netent_data *);
+] ,[return (0);],[
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) return (x)"
+NET_R_END_RETURN="#define NET_R_END_RETURN int"
+],
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endnetent_r(struct netent_data *);
+] ,[return (0);],[
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+],
+)
+)
+)
+,
+NET_R_END_RESULT="#define NET_R_END_RESULT(x) /*empty*/"
+NET_R_END_RETURN="#define NET_R_END_RETURN void"
+)
+AC_SUBST(NET_R_END_RESULT)
+AC_SUBST(NET_R_END_RETURN)
+
+AC_CHECK_FUNC(getgrnam_r,,AC_DEFINE(NEED_GETGRNAM_R))
+AC_CHECK_FUNC(getgrgid_r,,AC_DEFINE(NEED_GETGRGID_R))
+
+AC_CHECK_FUNC(getgrent_r,
+AC_TRY_COMPILE(
+[
+#include <grp.h>
+struct group *getgrent_r(struct group *grp, char *buffer,
+ int buflen) {}
+] ,[return (0);],[
+GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
+GROUP_R_BAD="#define GROUP_R_BAD NULL"
+GROUP_R_OK="#define GROUP_R_OK gptr"
+GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
+],
+)
+,
+GROUP_R_ARGS="#define GROUP_R_ARGS char *buf, int buflen"
+GROUP_R_BAD="#define GROUP_R_BAD NULL"
+GROUP_R_OK="#define GROUP_R_OK gptr"
+GROUP_R_RETURN="#define GROUP_R_RETURN struct group *"
+AC_DEFINE(NEED_GETGRENT_R)
+)
+AC_SUBST(GROUP_R_ARGS)
+AC_SUBST(GROUP_R_BAD)
+AC_SUBST(GROUP_R_OK)
+AC_SUBST(GROUP_R_RETURN)
+
+AC_CHECK_FUNC(endgrent_r,
+,
+GROUP_R_END_RESULT="#define GROUP_R_END_RESULT(x) /*empty*/"
+GROUP_R_END_RETURN="#define GROUP_R_END_RETURN void"
+GROUP_R_ENT_ARGS="#define GROUP_R_ENT_ARGS void"
+AC_DEFINE(NEED_ENDGRENT_R)
+)
+AC_SUBST(GROUP_R_END_RESULT)
+AC_SUBST(GROUP_R_END_RETURN)
+AC_SUBST(GROUP_R_ENT_ARGS)
+
+AC_CHECK_FUNC(setgrent_r,
+,
+GROUP_R_SET_RESULT="#undef GROUP_R_SET_RESULT /*empty*/"
+GROUP_R_SET_RETURN="#define GROUP_R_SET_RETURN void"
+AC_DEFINE(NEED_SETGRENT_R)
+)
+AC_SUBST(GROUP_R_SET_RESULT)
+AC_SUBST(GROUP_R_SET_RETURN)
+
+
+AC_CHECK_FUNC(gethostbyname_r,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct hostent *gethostbyname_r
+(const char *name, struct hostent *hp, char *buf, int len, int *h_errnop) {}
+],
+[return (0);],
+[
+HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD NULL"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK hptr"
+HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+]
+,
+AC_TRY_COMPILE([
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int gethostbyname_r(const char *name,
+ struct hostent *result,
+ struct hostent_data *hdptr);
+],,[
+HOST_R_ARGS="#define HOST_R_ARGS struct hostent_data *hdptr"
+HOST_R_BAD="#define HOST_R_BAD (-1)"
+HOST_R_COPY="#define HOST_R_COPY hdptr"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS HOST_R_ARGS"
+HOST_R_ERRNO="#define HOST_R_ERRNO NULL"
+HOST_R_OK="#define HOST_R_OK 0"
+HOST_R_RETURN="#define HOST_R_RETURN int"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#define HOSTENT_DATA 1"
+],
+AC_TRY_COMPILE([
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int gethostbyname_r (const char *,
+ struct hostent *,
+ char *, size_t,
+ struct hostent **,
+ int *);
+],,[
+HOST_R_ARGS="#define HOST_R_ARGS char *buf, size_t buflen, struct hostent **answerp, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD ERANGE"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK 0"
+HOST_R_RETURN="#define HOST_R_RETURN int"
+HOST_R_SETANSWER="#define HOST_R_SETANSWER 1"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+],
+)))
+,
+HOST_R_ARGS="#define HOST_R_ARGS char *buf, int buflen, int *h_errnop"
+HOST_R_BAD="#define HOST_R_BAD NULL"
+HOST_R_COPY="#define HOST_R_COPY buf, buflen"
+HOST_R_COPY_ARGS="#define HOST_R_COPY_ARGS char *buf, int buflen"
+HOST_R_ERRNO="#define HOST_R_ERRNO *h_errnop = h_errno"
+HOST_R_OK="#define HOST_R_OK hptr"
+HOST_R_RETURN="#define HOST_R_RETURN struct hostent *"
+HOST_R_SETANSWER="#undef HOST_R_SETANSWER"
+HOSTENT_DATA="#undef HOSTENT_DATA"
+)
+AC_SUBST(HOST_R_ARGS)
+AC_SUBST(HOST_R_BAD)
+AC_SUBST(HOST_R_COPY)
+AC_SUBST(HOST_R_COPY_ARGS)
+AC_SUBST(HOST_R_ERRNO)
+AC_SUBST(HOST_R_OK)
+AC_SUBST(HOST_R_RETURN)
+AC_SUBST(HOST_R_SETANSWER)
+AC_SUBST(HOSTENT_DATA)
+
+AC_CHECK_FUNC(endhostent_r,
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int endhostent_r(struct hostent_data *buffer);
+], ,
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) return (x)"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN int"
+HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
+,
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endhostent_r(struct hostent_data *ht_data);
+],[],[
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x)"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#define HOST_R_ENT_ARGS struct hostent_data *hdptr"
+],
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void endhostent_r(void);
+],[],[
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
+],
+)
+)
+)
+,
+HOST_R_END_RESULT="#define HOST_R_END_RESULT(x) /*empty*/"
+HOST_R_END_RETURN="#define HOST_R_END_RETURN void"
+HOST_R_ENT_ARGS="#undef HOST_R_ENT_ARGS /*empty*/"
+)
+AC_SUBST(HOST_R_END_RESULT)
+AC_SUBST(HOST_R_END_RETURN)
+AC_SUBST(HOST_R_ENT_ARGS)
+
+AC_CHECK_FUNC(sethostent_r,
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern void sethostent_r(int flag, struct hostent_data *ht_data);],[],
+[HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT /*empty*/"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"],
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int sethostent_r(int flag, struct hostent_data *ht_data);],[],
+[HOST_R_SET_RESULT="#define HOST_R_SET_RESULT 0"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN int"],
+AC_TRY_COMPILE([
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void sethostent_r (int);],[],
+[HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"],
+)
+)
+)
+,
+HOST_R_SET_RESULT="#undef HOST_R_SET_RESULT"
+HOST_R_SET_RETURN="#define HOST_R_SET_RETURN void"
+)
+AC_SUBST(HOST_R_SET_RESULT)
+AC_SUBST(HOST_R_SET_RETURN)
+
+
+AC_MSG_CHECKING(struct passwd element pw_class)
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <pwd.h>
+],[struct passwd *pw; pw->pw_class = "";],
+AC_MSG_RESULT(yes)
+AC_DEFINE(HAS_PW_CLASS)
+,
+ AC_MSG_RESULT(no)
+)
+
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <pwd.h>
+void
+setpwent(void) {}
+],
+[return (0);],
+SETPWENT_VOID="#define SETPWENT_VOID 1"
+,
+SETPWENT_VOID="#undef SETPWENT_VOID"
+)
+AC_SUBST(SETPWENT_VOID)
+
+AC_TRY_COMPILE([
+#include <sys/types.h>
+#include <grp.h>
+void
+setgrent(void) {}
+],
+[return (0);],
+SETGRENT_VOID="#define SETGRENT_VOID 1"
+,
+SETGRENT_VOID="#undef SETGRENT_VOID"
+)
+AC_SUBST(SETGRENT_VOID)
+
+AC_CHECK_FUNC(getnetgrent_r,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetgrent_r(char **m, char **u, char **d, char *b, int l) {}
+]
+,
+[return (0);],
+[
+NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+]
+,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getnetgrent_r(char **m, char **u, char **d, char *b, size_t l) {}
+]
+,
+[return (0);],
+[
+NGR_R_ARGS="#define NGR_R_ARGS char *buf, size_t buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+]
+,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+extern int getnetgrent_r( char **, char **, char **, void **);
+]
+,
+[return (0);],
+[
+NGR_R_ARGS="#define NGR_R_ARGS void **buf"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+NGR_R_PRIVATE="#define NGR_R_PRIVATE 1"
+]
+,
+)
+)
+)
+,
+NGR_R_ARGS="#define NGR_R_ARGS char *buf, int buflen"
+NGR_R_BAD="#define NGR_R_BAD (0)"
+NGR_R_COPY="#define NGR_R_COPY buf, buflen"
+NGR_R_COPY_ARGS="#define NGR_R_COPY_ARGS NGR_R_ARGS"
+NGR_R_OK="#define NGR_R_OK 1"
+NGR_R_RETURN="#define NGR_R_RETURN int"
+)
+AC_SUBST(NGR_R_ARGS)
+AC_SUBST(NGR_R_BAD)
+AC_SUBST(NGR_R_COPY)
+AC_SUBST(NGR_R_COPY_ARGS)
+AC_SUBST(NGR_R_OK)
+AC_SUBST(NGR_R_RETURN)
+AC_SUBST(NGR_R_PRIVATE)
+
+AC_CHECK_FUNC(endnetgrent_r,
+NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) return (x)"
+NGR_R_END_RETURN="#define NGR_R_END_RETURN int"
+NGR_R_ENT_ARGS="#define NGR_R_ENT_ARGS NGR_R_ARGS"
+,
+NGR_R_END_RESULT="#define NGR_R_END_RESULT(x) /*empty*/"
+NGR_R_END_RETURN="#define NGR_R_END_RETURN void"
+NGR_R_ENT_ARGS="#undef NGR_R_ENT_ARGS /*empty*/"
+AC_DEFINE(NEED_ENDNETGRENT_R)
+)
+AC_SUBST(NGR_R_END_RESULT)
+AC_SUBST(NGR_R_END_RETURN)
+AC_SUBST(NGR_R_ENT_ARGS)
+
+AC_CHECK_FUNC(setnetgrent_r,
+[
+case "$host" in
+*bsdi*)
+ NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
+ NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
+ ;;
+*)
+ NGR_R_SET_RESULT="#define NGR_R_SET_RESULT NGR_R_OK"
+ NGR_R_SET_RETURN="#define NGR_R_SET_RETURN int"
+ ;;
+esac
+]
+,
+NGR_R_SET_RESULT="#undef NGR_R_SET_RESULT /*empty*/"
+NGR_R_SET_RETURN="#define NGR_R_SET_RETURN void"
+)
+AC_SUBST(NGR_R_SET_RESULT)
+AC_SUBST(NGR_R_SET_RETURN)
+
+AC_CHECK_FUNC(innetgr_r,,AC_DEFINE(NEED_INNETGR_R))
+
+AC_CHECK_FUNC(getprotoent_r,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct protoent *getprotoent_r(struct protoent *result,
+ char *buffer, int buflen) {}
+]
+,
+[return (0);]
+,
+[
+PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
+PROTO_R_BAD="#define PROTO_R_BAD NULL"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
+PROTO_R_OK="#define PROTO_R_OK pptr"
+PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
+PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
+]
+,
+AC_TRY_COMPILE(
+[
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int getprotoent_r (struct protoent *, char *, size_t, struct protoent **);
+
+]
+,
+[return (0);]
+,
+[
+PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, size_t buflen, struct protoent **answerp"
+PROTO_R_BAD="#define PROTO_R_BAD ERANGE"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS char *buf, size_t buflen"
+PROTO_R_OK="#define PROTO_R_OK 0"
+PROTO_R_SETANSWER="#define PROTO_R_SETANSWER 1"
+PROTO_R_RETURN="#define PROTO_R_RETURN int"
+]
+,
+)
+)
+,
+PROTO_R_ARGS="#define PROTO_R_ARGS char *buf, int buflen"
+PROTO_R_BAD="#define PROTO_R_BAD NULL"
+PROTO_R_COPY="#define PROTO_R_COPY buf, buflen"
+PROTO_R_COPY_ARGS="#define PROTO_R_COPY_ARGS PROTO_R_ARGS"
+PROTO_R_OK="#define PROTO_R_OK pptr"
+PROTO_R_SETANSWER="#undef PROTO_R_SETANSWER"
+PROTO_R_RETURN="#define PROTO_R_RETURN struct protoent *"
+)
+AC_SUBST(PROTO_R_ARGS)
+AC_SUBST(PROTO_R_BAD)
+AC_SUBST(PROTO_R_COPY)
+AC_SUBST(PROTO_R_COPY_ARGS)
+AC_SUBST(PROTO_R_OK)
+AC_SUBST(PROTO_R_SETANSWER)
+AC_SUBST(PROTO_R_RETURN)
+
+AC_CHECK_FUNC(endprotoent_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endprotoent_r(void);
+]
+,,
+[
+PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
+PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
+PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS"
+]
+,
+)
+,
+PROTO_R_END_RESULT="#define PROTO_R_END_RESULT(x) /*empty*/"
+PROTO_R_END_RETURN="#define PROTO_R_END_RETURN void"
+PROTO_R_ENT_ARGS="#undef PROTO_R_ENT_ARGS /*empty*/"
+)
+AC_SUBST(PROTO_R_END_RESULT)
+AC_SUBST(PROTO_R_END_RETURN)
+AC_SUBST(PROTO_R_ENT_ARGS)
+
+AC_CHECK_FUNC(setprotoent_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setprotoent_r __P((int));
+],[],
+PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
+PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
+,
+)
+,
+PROTO_R_SET_RESULT="#undef PROTO_R_SET_RESULT"
+PROTO_R_SET_RETURN="#define PROTO_R_SET_RETURN void"
+)
+AC_SUBST(PROTO_R_SET_RESULT)
+AC_SUBST(PROTO_R_SET_RETURN)
+
+AC_CHECK_FUNC(getpwent_r,
+AC_TRY_COMPILE(
+[
+#include <sys/types.h>
+#include <pwd.h>
+struct passwd *
+getpwent_r(struct passwd *pwptr, char *buf, int buflen) {}
+]
+,
+[]
+,
+PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
+PASS_R_BAD="#define PASS_R_BAD NULL"
+PASS_R_COPY="#define PASS_R_COPY buf, buflen"
+PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
+PASS_R_OK="#define PASS_R_OK pwptr"
+PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
+,
+)
+,
+PASS_R_ARGS="#define PASS_R_ARGS char *buf, int buflen"
+PASS_R_BAD="#define PASS_R_BAD NULL"
+PASS_R_COPY="#define PASS_R_COPY buf, buflen"
+PASS_R_COPY_ARGS="#define PASS_R_COPY_ARGS PASS_R_ARGS"
+PASS_R_OK="#define PASS_R_OK pwptr"
+PASS_R_RETURN="#define PASS_R_RETURN struct passwd *"
+AC_DEFINE(NEED_GETPWENT_R)
+)
+AC_SUBST(PASS_R_ARGS)
+AC_SUBST(PASS_R_BAD)
+AC_SUBST(PASS_R_COPY)
+AC_SUBST(PASS_R_COPY_ARGS)
+AC_SUBST(PASS_R_OK)
+AC_SUBST(PASS_R_RETURN)
+
+AC_CHECK_FUNC(endpwent_r,
+AC_TRY_COMPILE(
+[
+#include <pwd.h>
+void endpwent_r(FILE **pwfp);
+], ,
+PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
+PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
+PASS_R_ENT_ARGS="#define PASS_R_ENT_ARGS FILE **pwptr"
+,
+)
+,
+PASS_R_END_RESULT="#define PASS_R_END_RESULT(x) /*empty*/"
+PASS_R_END_RETURN="#define PASS_R_END_RETURN void"
+PASS_R_ENT_ARGS="#undef PASS_R_ENT_ARGS"
+AC_DEFINE(NEED_ENDPWENT_R)
+)
+AC_SUBST(PASS_R_END_RESULT)
+AC_SUBST(PASS_R_END_RETURN)
+AC_SUBST(PASS_R_ENT_ARGS)
+AC_CHECK_FUNC(setpassent_r,,AC_DEFINE(NEED_SETPASSENT_R))
+AC_CHECK_FUNC(setpassent,,AC_DEFINE(NEED_SETPASSENT))
+
+AC_CHECK_FUNC(setpwent_r,
+AC_TRY_COMPILE([
+#include <pwd.h>
+void setpwent_r(FILE **pwfp);
+], ,
+PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /* empty */"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
+,
+AC_TRY_COMPILE([
+#include <pwd.h>
+int setpwent_r(FILE **pwfp);
+], ,
+PASS_R_SET_RESULT="#define PASS_R_SET_RESULT 0"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN int"
+,
+)
+)
+,
+PASS_R_SET_RESULT="#undef PASS_R_SET_RESULT /*empty*/"
+PASS_R_SET_RETURN="#define PASS_R_SET_RETURN void"
+AC_DEFINE(NEED_SETPWENT_R)
+)
+AC_SUBST(PASS_R_SET_RESULT)
+AC_SUBST(PASS_R_SET_RETURN)
+
+AC_CHECK_FUNC(getpwnam_r,,AC_DEFINE(NEED_GETPWNAM_R))
+AC_CHECK_FUNC(getpwuid_r,,AC_DEFINE(NEED_GETPWUID_R))
+
+AC_CHECK_FUNC(getservent_r,
+AC_TRY_COMPILE([
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+struct servent *
+getservent_r(struct servent *result, char *buffer, int buflen) {}
+],[return (0);],
+[
+SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
+SERV_R_BAD="#define SERV_R_BAD NULL"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
+SERV_R_OK="#define SERV_R_OK sptr"
+SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
+SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
+]
+,
+AC_TRY_COMPILE([
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+int
+getservent_r (struct servent *, char *, size_t, struct servent **);
+],[return (0);],
+[
+SERV_R_ARGS="#define SERV_R_ARGS char *buf, size_t buflen, struct servent **answerp"
+SERV_R_BAD="#define SERV_R_BAD ERANGE"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS char *buf, size_t buflen"
+SERV_R_OK="#define SERV_R_OK (0)"
+SERV_R_SETANSWER="#define SERV_R_SETANSWER 1"
+SERV_R_RETURN="#define SERV_R_RETURN int"
+]
+,
+)
+)
+,
+SERV_R_ARGS="#define SERV_R_ARGS char *buf, int buflen"
+SERV_R_BAD="#define SERV_R_BAD NULL"
+SERV_R_COPY="#define SERV_R_COPY buf, buflen"
+SERV_R_COPY_ARGS="#define SERV_R_COPY_ARGS SERV_R_ARGS"
+SERV_R_OK="#define SERV_R_OK sptr"
+SERV_R_SETANSWER="#undef SERV_R_SETANSWER"
+SERV_R_RETURN="#define SERV_R_RETURN struct servent *"
+)
+AC_SUBST(SERV_R_ARGS)
+AC_SUBST(SERV_R_BAD)
+AC_SUBST(SERV_R_COPY)
+AC_SUBST(SERV_R_COPY_ARGS)
+AC_SUBST(SERV_R_OK)
+AC_SUBST(SERV_R_SETANSWER)
+AC_SUBST(SERV_R_RETURN)
+
+AC_CHECK_FUNC(endservent_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void endservent_r(void);
+]
+,
+,
+[
+SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
+SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
+SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
+]
+,
+)
+,
+SERV_R_END_RESULT="#define SERV_R_END_RESULT(x) /*empty*/"
+SERV_R_END_RETURN="#define SERV_R_END_RETURN void "
+SERV_R_ENT_ARGS="#undef SERV_R_ENT_ARGS /*empty*/"
+)
+AC_SUBST(SERV_R_END_RESULT)
+AC_SUBST(SERV_R_END_RETURN)
+AC_SUBST(SERV_R_ENT_ARGS)
+
+AC_CHECK_FUNC(setservent_r,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <netdb.h>
+void setservent_r(int);
+]
+,,
+[
+SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
+SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
+]
+,
+)
+,
+SERV_R_SET_RESULT="#undef SERV_R_SET_RESULT"
+SERV_R_SET_RETURN="#define SERV_R_SET_RETURN void"
+)
+AC_SUBST(SERV_R_SET_RESULT)
+AC_SUBST(SERV_R_SET_RETURN)
+
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+int innetgr(const char *netgroup, const char *host, const char *user, const char *domain);
+]
+,,
+[
+INNETGR_ARGS="#undef INNETGR_ARGS"
+]
+,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+int innetgr(char *netgroup, char *host, char *user, char *domain);
+]
+,,
+[
+INNETGR_ARGS="#define INNETGR_ARGS char *netgroup, char *host, char *user, char *domain"
+]
+,
+))
+
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+void setnetgrent(const char *);
+]
+,,
+[
+SETNETGRENT_ARGS="#undef SETNETGRENT_ARGS"
+]
+,
+AC_TRY_COMPILE(
+[
+#undef _REENTRANT
+#define _REENTRANT
+#undef __USE_MISC
+#define __USE_MISC
+#include <unistd.h>
+#include <netdb.h>
+void setnetgrent(char *);
+]
+,,
+[
+SETNETGRENT_ARGS="#define SETNETGRENT_ARGS char *netgroup"
+]
+,
+))
+AC_SUBST(SETNETGRENT_ARGS)
+AC_SUBST(INNETGR_ARGS)
+
+#
+# Random remaining OS-specific issues involving compiler warnings.
+# XXXDCL print messages to indicate some compensation is being done?
+#
+AC_SUBST(ISC_PLATFORM_BRACEPTHREADONCEINIT)
+ISC_PLATFORM_BRACEPTHREADONCEINIT="#undef ISC_PLATFORM_BRACEPTHREADONCEINIT"
+BROKEN_IN6ADDR_INIT_MACROS="#undef BROKEN_IN6ADDR_INIT_MACROS"
+
+case "$host" in
+ *-bsdi3.1*)
+ hack_shutup_sputaux=yes
+ ;;
+ *-bsdi4.0*)
+ hack_shutup_sigwait=yes
+ hack_shutup_sputaux=yes
+ hack_shutup_in6addr_init_macros=yes
+ ;;
+ *-bsdi4.1*)
+ hack_shutup_stdargcast=yes
+ ;;
+ *-solaris2.8)
+ hack_shutup_pthreadonceinit=yes
+ hack_shutup_in6addr_init_macros=yes
+ ;;
+esac
+
+case "$hack_shutup_pthreadonceinit" in
+ yes)
+ #
+ # Shut up PTHREAD_ONCE_INIT unbraced initializer warnings.
+ #
+ ISC_PLATFORM_BRACEPTHREADONCEINIT="#define ISC_PLATFORM_BRACEPTHREADONCEINIT 1"
+ ;;
+esac
+
+case "$hack_shutup_sigwait" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning for sigwait().
+ #
+ AC_DEFINE(SHUTUP_SIGWAIT)
+ ;;
+esac
+
+case "$hack_shutup_sputaux" in
+ yes)
+ #
+ # Shut up a -Wmissing-prototypes warning from <stdio.h>.
+ #
+ AC_DEFINE(SHUTUP_SPUTAUX)
+ ;;
+esac
+
+case "$hack_shutup_stdargcast" in
+ yes)
+ #
+ # Shut up a -Wcast-qual warning from va_start().
+ #
+ AC_DEFINE(SHUTUP_STDARG_CAST)
+ ;;
+esac
+
+case "$hack_shutup_in6addr_init_macros" in
+ yes)
+ AC_DEFINE(BROKEN_IN6ADDR_INIT_MACROS)
+ ;;
+esac
+
+#
+# Substitutions
+#
+AC_SUBST(BIND9_TOP_BUILDDIR)
+BIND9_TOP_BUILDDIR=`pwd`
+
+AC_SUBST_FILE(BIND9_INCLUDES)
+BIND9_INCLUDES=$BIND9_TOP_BUILDDIR/make/includes
+
+AC_SUBST_FILE(BIND9_MAKE_RULES)
+BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
+
+. $srcdir/../../version
+BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
+AC_SUBST(BIND9_VERSION)
+
+AC_SUBST_FILE(LIBBIND_API)
+LIBBIND_API=$srcdir/api
+
+AC_OUTPUT(
+ make/rules
+ make/mkdep
+ make/includes
+ Makefile
+ bsd/Makefile
+ dst/Makefile
+ include/Makefile
+ inet/Makefile
+ irs/Makefile
+ isc/Makefile
+ nameser/Makefile
+ port_after.h
+ port_before.h
+ resolv/Makefile
+ port/Makefile
+ ${PORT_DIR}/Makefile
+ ${PORT_INCLUDE}/Makefile
+)
+
+# Tell Emacs to edit this file in shell mode.
+# Local Variables:
+# mode: sh
+# End:
diff --git a/contrib/bind9/lib/bind/dst/Makefile.in b/contrib/bind9/lib/bind/dst/Makefile.in
new file mode 100644
index 0000000..8b30659
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/Makefile.in
@@ -0,0 +1,32 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:13:22 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+OBJS= dst_api.@O@ hmac_link.@O@ md5_dgst.@O@ support.@O@
+
+SRCS= dst_api.c hmac_link.c md5_dgst.c support.c
+
+TARGETS= ${OBJS}
+
+CRYPTFLAGS= -DCYLINK_DSS -DHMAC_MD5 -DUSE_MD5 -DDNSSAFE
+
+CINCLUDES= -I.. -I${srcdir}/../include ${CRYPTINCL}
+CDEFINES= ${CRYPTFLAGS}
+
+@BIND9_MAKE_RULES@
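Review bot: `CRYPTFLAGS` in the new `dst/Makefile.in` passes `-DCYLINK_DSS` and `-DDNSSAFE`, but `OBJS` builds only `dst_api`, `hmac_link`, `md5_dgst` and `support`, so this directory compiles no DSS or DNSSAFE backend. Whether the sources test those two macros is not visible in this hunk: if they do, the library may report support for algorithms it has no code for, and if they do not, the flags are dead. Either way the line should carry a comment stating the intent, for example `# Only HMAC-MD5 is built here; CYLINK_DSS and DNSSAFE have no backing objects in this directory`. That keeps anyone auditing which signing algorithms this library provides from reading the defines as a list of working backends.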
diff --git a/contrib/bind9/lib/bind/dst/dst_api.c b/contrib/bind9/lib/bind/dst/dst_api.c
new file mode 100644
index 0000000..9b78738
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/dst_api.c
@@ -0,0 +1,1048 @@
+#ifndef LINT
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/dst_api.c,v 1.4.2.6 2002/07/12 00:17:19 marka Exp $";
+#endif
+
+/*
+ * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
+ *
+ * Permission to use, copy modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ */
+/*
+ * This file contains the interface between the DST API and the crypto API.
+ * This is the only file that needs to be changed if the crypto system is
+ * changed. Exported functions are:
+ * void dst_init() Initialize the toolkit
+ * int dst_check_algorithm() Function to determines if alg is suppored.
+ * int dst_compare_keys() Function to compare two keys for equality.
+ * int dst_sign_data() Incremental signing routine.
+ * int dst_verify_data() Incremental verify routine.
+ * int dst_generate_key() Function to generate new KEY
+ * DST_KEY *dst_read_key() Function to retrieve private/public KEY.
+ * void dst_write_key() Function to write out a key.
+ * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
+ * KEY structure.
+ * int dst_key_to_dnskey() Function to return a public key in DNS
+ * format binary
+ * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
+ * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer
+ * void dst_free_key() Releases all memory referenced by key structure
+ */
+
+#include "port_before.h"
+#include <stdio.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <memory.h>
+#include <ctype.h>
+#include <time.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include "dst_internal.h"
+#include "port_after.h"
+
+/* static variables */
+static int done_init = 0;
+dst_func *dst_t_func[DST_MAX_ALGS];
+const char *key_file_fmt_str = "Private-key-format: v%s\nAlgorithm: %d (%s)\n";
+const char *dst_path = "";
+
+/* internal I/O functions */
+static DST_KEY *dst_s_read_public_key(const char *in_name,
+ const u_int16_t in_id, int in_alg);
+static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key,
+ u_int16_t in_id, int in_alg);
+static int dst_s_write_public_key(const DST_KEY *key);
+static int dst_s_write_private_key(const DST_KEY *key);
+
+/* internal function to set up data structure */
+static DST_KEY *dst_s_get_key_struct(const char *name, const int alg,
+ const int flags, const int protocol,
+ const int bits);
+
+/*
+ * dst_init
+ * This function initializes the Digital Signature Toolkit.
+ * Right now, it just checks the DSTKEYPATH environment variable.
+ * Parameters
+ * none
+ * Returns
+ * none
+ */
+void
+dst_init()
+{
+ char *s;
+ int len;
+
+ if (done_init != 0)
+ return;
+ done_init = 1;
+
+ s = getenv("DSTKEYPATH");
+ len = 0;
+ if (s) {
+ struct stat statbuf;
+
+ len = strlen(s);
+ if (len > PATH_MAX) {
+ EREPORT(("%s is longer than %d characters, ignoring\n",
+ s, PATH_MAX));
+ } else if (stat(s, &statbuf) != 0 || !S_ISDIR(statbuf.st_mode)) {
+ EREPORT(("%s is not a valid directory\n", s));
+ } else {
+ char *tmp;
+ tmp = (char *) malloc(len + 2);
+ memcpy(tmp, s, len + 1);
+ if (tmp[strlen(tmp) - 1] != '/') {
+ tmp[strlen(tmp) + 1] = 0;
+ tmp[strlen(tmp)] = '/';
+ }
+ dst_path = tmp;
+ }
+ }
+ memset(dst_t_func, 0, sizeof(dst_t_func));
+ /* first one is selected */
+ dst_hmac_md5_init();
+}
+
+/*
+ * dst_check_algorithm
+ * This function determines if the crypto system for the specified
+ * algorithm is present.
+ * Parameters
+ * alg 1 KEY_RSA
+ * 3 KEY_DSA
+ * 157 KEY_HMAC_MD5
+ * future algorithms TBD and registered with IANA.
+ * Returns
+ * 1 - The algorithm is available.
+ * 0 - The algorithm is not available.
+ */
+int
+dst_check_algorithm(const int alg)
+{
+ return (dst_t_func[alg] != NULL);
+}
+
+/*
+ * dst_s_get_key_struct
+ * This function allocates key structure and fills in some of the
+ * fields of the structure.
+ * Parameters:
+ * name: the name of the key
+ * alg: the algorithm number
+ * flags: the dns flags of the key
+ * protocol: the dns protocol of the key
+ * bits: the size of the key
+ * Returns:
+ * NULL if error
+ * valid pointer otherwise
+ */
+static DST_KEY *
+dst_s_get_key_struct(const char *name, const int alg, const int flags,
+ const int protocol, const int bits)
+{
+ DST_KEY *new_key = NULL;
+
+ if (dst_check_algorithm(alg)) /* make sure alg is available */
+ new_key = (DST_KEY *) malloc(sizeof(*new_key));
+ if (new_key == NULL)
+ return (NULL);
+
+ memset(new_key, 0, sizeof(*new_key));
+ new_key->dk_key_name = strdup(name);
+ new_key->dk_alg = alg;
+ new_key->dk_flags = flags;
+ new_key->dk_proto = protocol;
+ new_key->dk_KEY_struct = NULL;
+ new_key->dk_key_size = bits;
+ new_key->dk_func = dst_t_func[alg];
+ return (new_key);
+}
+
+/*
+ * dst_compare_keys
+ * Compares two keys for equality.
+ * Parameters
+ * key1, key2 Two keys to be compared.
+ * Returns
+ * 0 The keys are equal.
+ * non-zero The keys are not equal.
+ */
+
+int
+dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
+{
+ if (key1 == key2)
+ return (0);
+ if (key1 == NULL || key2 == NULL)
+ return (4);
+ if (key1->dk_alg != key2->dk_alg)
+ return (1);
+ if (key1->dk_key_size != key2->dk_key_size)
+ return (2);
+ if (key1->dk_id != key2->dk_id)
+ return (3);
+ return (key1->dk_func->compare(key1, key2));
+}
+
+
+/*
+ * dst_sign_data
+ * An incremental signing function. Data is signed in steps.
+ * First the context must be initialized (SIG_MODE_INIT).
+ * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
+ * itself is created (SIG_MODE_FINAL). This function can be called
+ * once with INIT, UPDATE and FINAL modes all set, or it can be
+ * called separately with a different mode set for each step. The
+ * UPDATE step can be repeated.
+ * Parameters
+ * mode A bit mask used to specify operation(s) to be performed.
+ * SIG_MODE_INIT 1 Initialize digest
+ * SIG_MODE_UPDATE 2 Add data to digest
+ * SIG_MODE_FINAL 4 Generate signature
+ * from signature
+ * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
+ * data Data to be signed.
+ * len The length in bytes of data to be signed.
+ * in_key Contains a private key to sign with.
+ * KEY structures should be handled (created, converted,
+ * compared, stored, freed) by the DST.
+ * signature
+ * The location to which the signature will be written.
+ * sig_len Length of the signature field in bytes.
+ * Return
+ * 0 Successfull INIT or Update operation
+ * >0 success FINAL (sign) operation
+ * <0 failure
+ */
+
+int
+dst_sign_data(const int mode, DST_KEY *in_key, void **context,
+ const u_char *data, const int len,
+ u_char *signature, const int sig_len)
+{
+ DUMP(data, mode, len, "dst_sign_data()");
+
+ if (mode & SIG_MODE_FINAL &&
+ (in_key->dk_KEY_struct == NULL || signature == NULL))
+ return (MISSING_KEY_OR_SIGNATURE);
+
+ if (in_key->dk_func && in_key->dk_func->sign)
+ return (in_key->dk_func->sign(mode, in_key, context, data, len,
+ signature, sig_len));
+ return (UNKNOWN_KEYALG);
+}
+
+
+/*
+ * dst_verify_data
+ * An incremental verify function. Data is verified in steps.
+ * First the context must be initialized (SIG_MODE_INIT).
+ * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
+ * is verified (SIG_MODE_FINAL). This function can be called
+ * once with INIT, UPDATE and FINAL modes all set, or it can be
+ * called separately with a different mode set for each step. The
+ * UPDATE step can be repeated.
+ * Parameters
+ * mode Operations to perform this time.
+ * SIG_MODE_INIT 1 Initialize digest
+ * SIG_MODE_UPDATE 2 add data to digest
+ * SIG_MODE_FINAL 4 verify signature
+ * SIG_MODE_ALL
+ * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
+ * data Data to pass through the hash function.
+ * len Length of the data in bytes.
+ * in_key Key for verification.
+ * signature Location of signature.
+ * sig_len Length of the signature in bytes.
+ * Returns
+ * 0 Verify success
+ * Non-Zero Verify Failure
+ */
+
+int
+dst_verify_data(const int mode, DST_KEY *in_key, void **context,
+ const u_char *data, const int len,
+ const u_char *signature, const int sig_len)
+{
+ DUMP(data, mode, len, "dst_verify_data()");
+ if (mode & SIG_MODE_FINAL &&
+ (in_key->dk_KEY_struct == NULL || signature == NULL))
+ return (MISSING_KEY_OR_SIGNATURE);
+
+ if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL)
+ return (UNSUPPORTED_KEYALG);
+ return (in_key->dk_func->verify(mode, in_key, context, data, len,
+ signature, sig_len));
+}
+
+
+/*
+ * dst_read_private_key
+ * Access a private key. First the list of private keys that have
+ * already been read in is searched, then the key accessed on disk.
+ * If the private key can be found, it is returned. If the key cannot
+ * be found, a null pointer is returned. The options specify required
+ * key characteristics. If the private key requested does not have
+ * these characteristics, it will not be read.
+ * Parameters
+ * in_keyname The private key name.
+ * in_id The id of the private key.
+ * options DST_FORCE_READ Read from disk - don't use a previously
+ * read key.
+ * DST_CAN_SIGN The key must be useable for signing.
+ * DST_NO_AUTHEN The key must be useable for authentication.
+ * DST_STANDARD Return any key
+ * Returns
+ * NULL If there is no key found in the current directory or
+ * this key has not been loaded before.
+ * !NULL Success - KEY structure returned.
+ */
+
+DST_KEY *
+dst_read_key(const char *in_keyname, const u_int16_t in_id,
+ const int in_alg, const int type)
+{
+ char keyname[PATH_MAX];
+ DST_KEY *dg_key = NULL, *pubkey = NULL;
+
+ if (!dst_check_algorithm(in_alg)) { /* make sure alg is available */
+ EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n",
+ in_alg));
+ return (NULL);
+ }
+ if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0)
+ return (NULL);
+ if (in_keyname == NULL) {
+ EREPORT(("dst_read_private_key(): Null key name passed in\n"));
+ return (NULL);
+ } else
+ strcpy(keyname, in_keyname);
+
+ /* before I read in the public key, check if it is allowed to sign */
+ if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL)
+ return (NULL);
+
+ if (type == DST_PUBLIC)
+ return pubkey;
+
+ if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg,
+ pubkey->dk_flags, pubkey->dk_proto,
+ 0)))
+ return (dg_key);
+ /* Fill in private key and some fields in the general key structure */
+ if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id,
+ pubkey->dk_alg) == 0)
+ dg_key = dst_free_key(dg_key);
+
+ pubkey = dst_free_key(pubkey);
+ return (dg_key);
+}
+
+int
+dst_write_key(const DST_KEY *key, const int type)
+{
+ int pub = 0, priv = 0;
+
+ if (key == NULL)
+ return (0);
+ if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
+ EREPORT(("dst_write_key(): Algorithm %d not suppored\n",
+ key->dk_alg));
+ return (UNSUPPORTED_KEYALG);
+ }
+ if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0)
+ return (0);
+
+ if (type & DST_PUBLIC)
+ if ((pub = dst_s_write_public_key(key)) < 0)
+ return (pub);
+ if (type & DST_PRIVATE)
+ if ((priv = dst_s_write_private_key(key)) < 0)
+ return (priv);
+ return (priv+pub);
+}
+
+/*
+ * dst_write_private_key
+ * Write a private key to disk. The filename will be of the form:
+ * K<key->dk_name>+<key->dk_alg>+<key->dk_id>.<private key suffix>.
+ * If there is already a file with this name, an error is returned.
+ *
+ * Parameters
+ * key A DST managed key structure that contains
+ * all information needed about a key.
+ * Return
+ * >= 0 Correct behavior. Returns length of encoded key value
+ * written to disk.
+ * < 0 error.
+ */
+
+static int
+dst_s_write_private_key(const DST_KEY *key)
+{
+ u_char encoded_block[RAW_KEY_SIZE];
+ char file[PATH_MAX];
+ int len;
+ FILE *fp;
+
+ /* First encode the key into the portable key format */
+ if (key == NULL)
+ return (-1);
+ if (key->dk_KEY_struct == NULL)
+ return (0); /* null key has no private key */
+
+ if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) {
+ EREPORT(("dst_write_private_key(): Unsupported operation %d\n",
+ key->dk_alg));
+ return (-5);
+ } else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block,
+ sizeof(encoded_block))) <= 0) {
+ EREPORT(("dst_write_private_key(): Failed encoding private RSA bsafe key %d\n", len));
+ return (-8);
+ }
+ /* Now I can create the file I want to use */
+ dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg,
+ PRIVATE_KEY, PATH_MAX);
+
+ /* Do not overwrite an existing file */
+ if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) {
+ int nn;
+ if ((nn = fwrite(encoded_block, 1, len, fp)) != len) {
+ EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
+ file, len, nn, errno));
+ return (-5);
+ }
+ fclose(fp);
+ } else {
+ EREPORT(("dst_write_private_key(): Can not create file %s\n"
+ ,file));
+ return (-6);
+ }
+ memset(encoded_block, 0, len);
+ return (len);
+}
+
+/*
+*
+ * dst_read_public_key
+ * Read a public key from disk and store in a DST key structure.
+ * Parameters
+ * in_name K<in_name><in_id>.<public key suffix> is the
+ * filename of the key file to be read.
+ * Returns
+ * NULL If the key does not exist or no name is supplied.
+ * NON-NULL Initialized key structure if the key exists.
+ */
+
+static DST_KEY *
+dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
+{
+ int flags, proto, alg, len, dlen;
+ int c;
+ char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace;
+ u_char deckey[RAW_KEY_SIZE];
+ FILE *fp;
+
+ if (in_name == NULL) {
+ EREPORT(("dst_read_public_key(): No key name given\n"));
+ return (NULL);
+ }
+ if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY,
+ PATH_MAX) == -1) {
+ EREPORT(("dst_read_public_key(): Cannot make filename from %s, %d, and %s\n",
+ in_name, in_id, PUBLIC_KEY));
+ return (NULL);
+ }
+ /*
+ * Open the file and read it's formatted contents up to key
+ * File format:
+ * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key>
+ * flags, proto, alg stored as decimal (or hex numbers FIXME).
+ * (FIXME: handle parentheses for line continuation.)
+ */
+ if ((fp = dst_s_fopen(name, "r", 0)) == NULL) {
+ EREPORT(("dst_read_public_key(): Public Key not found %s\n",
+ name));
+ return (NULL);
+ }
+ /* Skip domain name, which ends at first blank */
+ while ((c = getc(fp)) != EOF)
+ if (isspace(c))
+ break;
+ /* Skip blank to get to next field */
+ while ((c = getc(fp)) != EOF)
+ if (!isspace(c))
+ break;
+
+ /* Skip optional TTL -- if initial digit, skip whole word. */
+ if (isdigit(c)) {
+ while ((c = getc(fp)) != EOF)
+ if (isspace(c))
+ break;
+ while ((c = getc(fp)) != EOF)
+ if (!isspace(c))
+ break;
+ }
+ /* Skip optional "IN" */
+ if (c == 'I' || c == 'i') {
+ while ((c = getc(fp)) != EOF)
+ if (isspace(c))
+ break;
+ while ((c = getc(fp)) != EOF)
+ if (!isspace(c))
+ break;
+ }
+ /* Locate and skip "KEY" */
+ if (c != 'K' && c != 'k') {
+ EREPORT(("\"KEY\" doesn't appear in file: %s", name));
+ return NULL;
+ }
+ while ((c = getc(fp)) != EOF)
+ if (isspace(c))
+ break;
+ while ((c = getc(fp)) != EOF)
+ if (!isspace(c))
+ break;
+ ungetc(c, fp); /* return the charcter to the input field */
+ /* Handle hex!! FIXME. */
+
+ if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) {
+ EREPORT(("dst_read_public_key(): Can not read flag/proto/alg field from %s\n"
+ ,name));
+ return (NULL);
+ }
+ /* read in the key string */
+ fgets(enckey, sizeof(enckey), fp);
+
+ /* If we aren't at end-of-file, something is wrong. */
+ while ((c = getc(fp)) != EOF)
+ if (!isspace(c))
+ break;
+ if (!feof(fp)) {
+ EREPORT(("Key too long in file: %s", name));
+ return NULL;
+ }
+ fclose(fp);
+
+ if ((len = strlen(enckey)) <= 0)
+ return (NULL);
+
+ /* discard \n */
+ enckey[--len] = '\0';
+
+ /* remove leading spaces */
+ for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--)
+ notspace++;
+
+ dlen = b64_pton(notspace, deckey, sizeof(deckey));
+ if (dlen < 0) {
+ EREPORT(("dst_read_public_key: bad return from b64_pton = %d",
+ dlen));
+ return (NULL);
+ }
+ /* store key and info in a key structure that is returned */
+/* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
+ dlen);*/
+ return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen);
+}
+
+
+/*
+ * dst_write_public_key
+ * Write a key to disk in DNS format.
+ * Parameters
+ * key Pointer to a DST key structure.
+ * Returns
+ * 0 Failure
+ * 1 Success
+ */
+
+static int
+dst_s_write_public_key(const DST_KEY *key)
+{
+ FILE *fp;
+ char filename[PATH_MAX];
+ u_char out_key[RAW_KEY_SIZE];
+ char enc_key[RAW_KEY_SIZE];
+ int len = 0;
+ int mode;
+
+ memset(out_key, 0, sizeof(out_key));
+ if (key == NULL) {
+ EREPORT(("dst_write_public_key(): No key specified \n"));
+ return (0);
+ } else if ((len = dst_key_to_dnskey(key, out_key, sizeof(out_key)))< 0)
+ return (0);
+
+ /* Make the filename */
+ if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id,
+ key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) {
+ EREPORT(("dst_write_public_key(): Cannot make filename from %s, %d, and %s\n",
+ key->dk_key_name, key->dk_id, PUBLIC_KEY));
+ return (0);
+ }
+ /* XXX in general this should be a check for symmetric keys */
+ mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644;
+ /* create public key file */
+ if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) {
+ EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n",
+ filename, errno));
+ return (0);
+ }
+ /*write out key first base64 the key data */
+ if (key->dk_flags & DST_EXTEND_FLAG)
+ b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key));
+ else
+ b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key));
+ fprintf(fp, "%s IN KEY %d %d %d %s\n",
+ key->dk_key_name,
+ key->dk_flags, key->dk_proto, key->dk_alg, enc_key);
+ fclose(fp);
+ return (1);
+}
+
+
+/*
+ * dst_dnskey_to_public_key
+ * This function converts the contents of a DNS KEY RR into a DST
+ * key structure.
+ * Paramters
+ * len Length of the RDATA of the KEY RR RDATA
+ * rdata A pointer to the the KEY RR RDATA.
+ * in_name Key name to be stored in key structure.
+ * Returns
+ * NULL Failure
+ * NON-NULL Success. Pointer to key structure.
+ * Caller's responsibility to free() it.
+ */
+
+DST_KEY *
+dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
+{
+ DST_KEY *key_st;
+ int alg ;
+ int start = DST_KEY_START;
+
+ if (rdata == NULL || len <= DST_KEY_ALG) /* no data */
+ return (NULL);
+ alg = (u_int8_t) rdata[DST_KEY_ALG];
+ if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+ EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n",
+ alg));
+ return (NULL);
+ }
+ if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
+ return (NULL);
+
+ if (in_name == NULL)
+ return (NULL);
+ key_st->dk_id = dst_s_dns_key_id(rdata, len);
+ key_st->dk_flags = dst_s_get_int16(rdata);
+ key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
+ if (key_st->dk_flags & DST_EXTEND_FLAG) {
+ u_int32_t ext_flags;
+ ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]);
+ key_st->dk_flags = key_st->dk_flags | (ext_flags << 16);
+ start += 2;
+ }
+ /*
+ * now point to the begining of the data representing the encoding
+ * of the key
+ */
+ if (key_st->dk_func && key_st->dk_func->from_dns_key) {
+ if (key_st->dk_func->from_dns_key(key_st, &rdata[start],
+ len - start) > 0)
+ return (key_st);
+ } else
+ EREPORT(("dst_dnskey_to_public_key(): unsuppored alg %d\n",
+ alg));
+
+ SAFE_FREE(key_st);
+ return (key_st);
+}
+
+
+/*
+ * dst_public_key_to_dnskey
+ * Function to encode a public key into DNS KEY wire format
+ * Parameters
+ * key Key structure to encode.
+ * out_storage Location to write the encoded key to.
+ * out_len Size of the output array.
+ * Returns
+ * <0 Failure
+ * >=0 Number of bytes written to out_storage
+ */
+
+int
+dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
+ const int out_len)
+{
+ u_int16_t val;
+ int loc = 0;
+ int enc_len = 0;
+ if (key == NULL)
+ return (-1);
+
+ if (!dst_check_algorithm(key->dk_alg)) { /* make sure alg is available */
+ EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n",
+ key->dk_alg));
+ return (UNSUPPORTED_KEYALG);
+ }
+ memset(out_storage, 0, out_len);
+ val = (u_int16_t)(key->dk_flags & 0xffff);
+ dst_s_put_int16(out_storage, val);
+ loc += 2;
+
+ out_storage[loc++] = (u_char) key->dk_proto;
+ out_storage[loc++] = (u_char) key->dk_alg;
+
+ if (key->dk_flags > 0xffff) { /* Extended flags */
+ val = (u_int16_t)((key->dk_flags >> 16) & 0xffff);
+ dst_s_put_int16(&out_storage[loc], val);
+ loc += 2;
+ }
+ if (key->dk_KEY_struct == NULL)
+ return (loc);
+ if (key->dk_func && key->dk_func->to_dns_key) {
+ enc_len = key->dk_func->to_dns_key(key,
+ (u_char *) &out_storage[loc],
+ out_len - loc);
+ if (enc_len > 0)
+ return (enc_len + loc);
+ else
+ return (-1);
+ } else
+ EREPORT(("dst_key_to_dnskey(): Unsupported ALG %d\n",
+ key->dk_alg));
+ return (-1);
+}
+
+
+/*
+ * dst_buffer_to_key
+ * Function to encode a string of raw data into a DST key
+ * Parameters
+ * alg The algorithm (HMAC only)
+ * key A pointer to the data
+ * keylen The length of the data
+ * Returns
+ * NULL an error occurred
+ * NON-NULL the DST key
+ */
+DST_KEY *
+dst_buffer_to_key(const char *key_name, /* name of the key */
+ const int alg, /* algorithm */
+ const int flags, /* dns flags */
+ const int protocol, /* dns protocol */
+ const u_char *key_buf, /* key in dns wire fmt */
+ const int key_len) /* size of key */
+{
+
+ DST_KEY *dkey = NULL;
+ int dnslen;
+ u_char dns[2048];
+
+ if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+ EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg));
+ return (NULL);
+ }
+
+ dkey = dst_s_get_key_struct(key_name, alg, flags,
+ protocol, -1);
+
+ if (dkey == NULL)
+ return (NULL);
+ if (dkey->dk_func == NULL || dkey->dk_func->from_dns_key == NULL)
+ return NULL;
+
+ if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
+ EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
+ return (dst_free_key(dkey));
+ }
+
+ dnslen = dst_key_to_dnskey(dkey, dns, sizeof(dns));
+ dkey->dk_id = dst_s_dns_key_id(dns, dnslen);
+ return (dkey);
+}
+
+int
+dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len)
+{
+ int len;
+ /* this function will extrac the secret of HMAC into a buffer */
+ if (key == NULL)
+ return (0);
+ if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) {
+ len = key->dk_func->to_dns_key(key, out_buff, buf_len);
+ if (len < 0)
+ return (0);
+ return (len);
+ }
+ return (0);
+}
+
+
+/*
+ * dst_s_read_private_key_file
+ * Function reads in private key from a file.
+ * Fills out the KEY structure.
+ * Parameters
+ * name Name of the key to be read.
+ * pk_key Structure that the key is returned in.
+ * in_id Key identifier (tag)
+ * Return
+ * 1 if everthing works
+ * 0 if there is any problem
+ */
+
+static int
+dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
+ int in_alg)
+{
+ int cnt, alg, len, major, minor, file_major, file_minor;
+ int ret, id;
+ char filename[PATH_MAX];
+ u_char in_buff[RAW_KEY_SIZE], *p;
+ FILE *fp;
+ int dnslen;
+ u_char dns[2048];
+
+ if (name == NULL || pk_key == NULL) {
+ EREPORT(("dst_read_private_key_file(): No key name given\n"));
+ return (0);
+ }
+ /* Make the filename */
+ if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY,
+ PATH_MAX) == -1) {
+ EREPORT(("dst_read_private_key(): Cannot make filename from %s, %d, and %s\n",
+ name, in_id, PRIVATE_KEY));
+ return (0);
+ }
+ /* first check if we can find the key file */
+ if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) {
+ EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n",
+ filename, dst_path[0] ? dst_path :
+ (char *) getcwd(NULL, PATH_MAX - 1)));
+ return (0);
+ }
+ /* now read the header info from the file */
+ if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) {
+ fclose(fp);
+ EREPORT(("dst_s_read_private_key_file: error reading file %s (empty file)\n",
+ filename));
+ return (0);
+ }
+ /* decrypt key */
+ fclose(fp);
+ if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
+ goto fail;
+ len = cnt;
+ p = in_buff;
+
+ if (!dst_s_verify_str((const char **) &p, "Private-key-format: v")) {
+ EREPORT(("dst_s_read_private_key_file(): Not a Key file/Decrypt failed %s\n", name));
+ goto fail;
+ }
+ /* read in file format */
+ sscanf((char *)p, "%d.%d", &file_major, &file_minor);
+ sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor);
+ if (file_major < 1) {
+ EREPORT(("dst_s_read_private_key_file(): Unknown keyfile %d.%d version for %s\n",
+ file_major, file_minor, name));
+ goto fail;
+ } else if (file_major > major || file_minor > minor)
+ EREPORT((
+ "dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n",
+ name, file_major, file_minor));
+
+ while (*p++ != '\n') ; /* skip to end of line */
+
+ if (!dst_s_verify_str((const char **) &p, "Algorithm: "))
+ goto fail;
+
+ if (sscanf((char *)p, "%d", &alg) != 1)
+ goto fail;
+ while (*p++ != '\n') ; /* skip to end of line */
+
+ if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name))
+ SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name));
+ pk_key->dk_key_name = (char *) strdup(name);
+
+ /* allocate and fill in key structure */
+ if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL)
+ goto fail;
+
+ ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, &in_buff[len] - p);
+ if (ret < 0)
+ goto fail;
+
+ dnslen = dst_key_to_dnskey(pk_key, dns, sizeof(dns));
+ id = dst_s_dns_key_id(dns, dnslen);
+
+ /* Make sure the actual key tag matches the input tag used in the filename
+ */
+ if (id != in_id) {
+ EREPORT(("dst_s_read_private_key_file(): actual tag of key read %d != input tag used to build filename %d.\n", id, in_id));
+ goto fail;
+ }
+ pk_key->dk_id = (u_int16_t) id;
+ pk_key->dk_alg = alg;
+ memset(in_buff, 0, cnt);
+ return (1);
+
+ fail:
+ memset(in_buff, 0, cnt);
+ return (0);
+}
+
+
+/*
+ * dst_generate_key
+ * Generate and store a public/private keypair.
+ * Keys will be stored in formatted files.
+ * Parameters
+ * name Name of the new key. Used to create key files
+ * K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
+ * bits Size of the new key in bits.
+ * exp What exponent to use:
+ * 0 use exponent 3
+ * non-zero use Fermant4
+ * flags The default value of the DNS Key flags.
+ * The DNS Key RR Flag field is defined in RFC 2065,
+ * section 3.3. The field has 16 bits.
+ * protocol
+ * Default value of the DNS Key protocol field.
+ * The DNS Key protocol field is defined in RFC 2065,
+ * section 3.4. The field has 8 bits.
+ * alg What algorithm to use. Currently defined:
+ * KEY_RSA 1
+ * KEY_DSA 3
+ * KEY_HMAC 157
+ * out_id The key tag is returned.
+ *
+ * Return
+ * NULL Failure
+ * non-NULL the generated key pair
+ * Caller frees the result, and its dk_name pointer.
+ */
+DST_KEY *
+dst_generate_key(const char *name, const int bits, const int exp,
+ const int flags, const int protocol, const int alg)
+{
+ DST_KEY *new_key = NULL;
+ int res;
+ int dnslen;
+ u_char dns[2048];
+
+ if (name == NULL)
+ return (NULL);
+
+ if (!dst_check_algorithm(alg)) { /* make sure alg is available */
+ EREPORT(("dst_generate_key(): Algorithm %d not suppored\n", alg));
+ return (NULL);
+ }
+
+ new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits);
+ if (new_key == NULL)
+ return (NULL);
+ if (bits == 0) /* null key we are done */
+ return (new_key);
+ if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) {
+ EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n",
+ alg));
+ return (dst_free_key(new_key));
+ }
+ if ((res = new_key->dk_func->generate(new_key, exp)) <= 0) {
+ EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n",
+ new_key->dk_key_name, new_key->dk_alg,
+ new_key->dk_key_size, exp));
+ return (dst_free_key(new_key));
+ }
+
+ dnslen = dst_key_to_dnskey(new_key, dns, sizeof(dns));
+ if (dnslen != UNSUPPORTED_KEYALG)
+ new_key->dk_id = dst_s_dns_key_id(dns, dnslen);
+ else
+ new_key->dk_id = 0;
+
+ return (new_key);
+}
+
+
+/*
+ * dst_free_key
+ * Release all data structures pointed to by a key structure.
+ * Parameters
+ * f_key Key structure to be freed.
+ */
+
+DST_KEY *
+dst_free_key(DST_KEY *f_key)
+{
+
+ if (f_key == NULL)
+ return (f_key);
+ if (f_key->dk_func && f_key->dk_func->destroy)
+ f_key->dk_KEY_struct =
+ f_key->dk_func->destroy(f_key->dk_KEY_struct);
+ else {
+ EREPORT(("dst_free_key(): Unknown key alg %d\n",
+ f_key->dk_alg));
+ free(f_key->dk_KEY_struct); /* SHOULD NOT happen */
+ }
+ if (f_key->dk_KEY_struct) {
+ free(f_key->dk_KEY_struct);
+ f_key->dk_KEY_struct = NULL;
+ }
+ if (f_key->dk_key_name)
+ SAFE_FREE(f_key->dk_key_name);
+ SAFE_FREE(f_key);
+ return (NULL);
+}
+
+/*
+ * dst_sig_size
+ * Return the maximim size of signature from the key specified in bytes
+ * Parameters
+ * key
+ * Returns
+ * bytes
+ */
+int
+dst_sig_size(DST_KEY *key) {
+ switch (key->dk_alg) {
+ case KEY_HMAC_MD5:
+ return (16);
+ case KEY_HMAC_SHA1:
+ return (20);
+ case KEY_RSA:
+ return (key->dk_key_size + 7) / 8;
+ case KEY_DSA:
+ return (40);
+ default:
+ EREPORT(("dst_sig_size(): Unknown key alg %d\n", key->dk_alg));
+ return -1;
+ }
+}
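Review bot: `dst_check_algorithm()` indexes `dst_t_func[alg]` without checking that `alg` lies inside the `DST_MAX_ALGS`-sized table. In this file `alg` reaches it from a byte of KEY RDATA in `dst_dnskey_to_key()` and from an `fscanf("%d")` of a key file in `dst_s_read_public_key()` (through `dst_buffer_to_key()`), so a negative or oversized value reads outside the array before any other validation runs. The guard I would add is `return (alg >= 0 && alg < DST_MAX_ALGS && dst_t_func[alg] != NULL);`. `DST_MAX_ALGS` is defined outside this hunk, so whether an 8-bit value can already exceed it needs confirming there. Separately, `dst_read_key()` copies `in_keyname` into `char keyname[PATH_MAX]` with `strcpy()` and no length check; returning NULL when `strlen(in_keyname) >= sizeof(keyname)` before the copy would bound it.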
diff --git a/contrib/bind9/lib/bind/dst/dst_internal.h b/contrib/bind9/lib/bind/dst/dst_internal.h
new file mode 100644
index 0000000..928650a
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/dst_internal.h
@@ -0,0 +1,154 @@
+#ifndef DST_INTERNAL_H
+#define DST_INTERNAL_H
+
+/*
+ * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
+ *
+ * Permission to use, copy modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ */
+#include <limits.h>
+#include <sys/param.h>
+#if (!defined(BSD)) || (BSD < 199306)
+# include <sys/bitypes.h>
+#else
+# include <sys/types.h>
+#endif
+
+#ifndef PATH_MAX
+# ifdef POSIX_PATH_MAX
+# define PATH_MAX POSIX_PATH_MAX
+# else
+# define PATH_MAX 255 /* this is the value of POSIX_PATH_MAX */
+# endif
+#endif
+
+typedef struct dst_key {
+ char *dk_key_name; /* name of the key */
+ int dk_key_size; /* this is the size of the key in bits */
+ int dk_proto; /* what protocols this key can be used for */
+ int dk_alg; /* algorithm number from key record */
+ u_int32_t dk_flags; /* and the flags of the public key */
+ u_int16_t dk_id; /* identifier of the key */
+ void *dk_KEY_struct; /* pointer to key in crypto pkg fmt */
+ struct dst_func *dk_func; /* point to cryptto pgk specific function table */
+} DST_KEY;
+#define HAS_DST_KEY
+
+#include <isc/dst.h>
+/*
+ * define what crypto systems are supported for RSA,
+ * BSAFE is prefered over RSAREF; only one can be set at any time
+ */
+#if defined(BSAFE) && defined(RSAREF)
+# error "Cannot have both BSAFE and RSAREF defined"
+#endif
+
+/* Declare dst_lib specific constants */
+#define KEY_FILE_FORMAT "1.2"
+
+/* suffixes for key file names */
+#define PRIVATE_KEY "private"
+#define PUBLIC_KEY "key"
+
+/* error handling */
+#ifdef REPORT_ERRORS
+#define EREPORT(str) printf str
+#else
+#define EREPORT(str) (void)0
+#endif
+
+/* use our own special macro to FRRE memory */
+
+#ifndef SAFE_FREE
+#define SAFE_FREE(a) \
+do{if(a != NULL){memset(a,0, sizeof(*a)); free(a); a=NULL;}} while (0)
+#define SAFE_FREE2(a,s) if (a != NULL && (long)s > 0){memset(a,0, s);free(a); a=NULL;}
+#endif
+
+typedef struct dst_func {
+ int (*sign)(const int mode, DST_KEY *key, void **context,
+ const u_int8_t *data, const int len,
+ u_int8_t *signature, const int sig_len);
+ int (*verify)(const int mode, DST_KEY *key, void **context,
+ const u_int8_t *data, const int len,
+ const u_int8_t *signature, const int sig_len);
+ int (*compare)(const DST_KEY *key1, const DST_KEY *key2);
+ int (*generate)(DST_KEY *key, int parms);
+ void *(*destroy)(void *key);
+ /* conversion functions */
+ int (*to_dns_key)(const DST_KEY *key, u_int8_t *out,
+ const int out_len);
+ int (*from_dns_key)(DST_KEY *key, const u_int8_t *str,
+ const int str_len);
+ int (*to_file_fmt)(const DST_KEY *key, char *out,
+ const int out_len);
+ int (*from_file_fmt)(DST_KEY *key, const char *out,
+ const int out_len);
+
+} dst_func;
+
+extern dst_func *dst_t_func[DST_MAX_ALGS];
+extern const char *key_file_fmt_str;
+extern const char *dst_path;
+
+#ifndef DST_HASH_SIZE
+#define DST_HASH_SIZE 20 /* RIPEMD160 and SHA-1 are 20 bytes MD5 is 16 */
+#endif
+
+int dst_bsafe_init(void);
+
+int dst_rsaref_init(void);
+
+int dst_hmac_md5_init(void);
+
+int dst_cylink_init(void);
+
+int dst_eay_dss_init(void);
+
+/* from higher level support routines */
+int dst_s_calculate_bits( const u_int8_t *str, const int max_bits);
+int dst_s_verify_str( const char **buf, const char *str);
+
+
+/* conversion between dns names and key file names */
+size_t dst_s_filename_length( const char *name, const char *suffix);
+int dst_s_build_filename( char *filename, const char *name,
+ u_int16_t id, int alg, const char *suffix,
+ size_t filename_length);
+
+FILE *dst_s_fopen (const char *filename, const char *mode, int perm);
+
+/*
+ * read and write network byte order into u_int?_t
+ * all of these should be retired
+ */
+u_int16_t dst_s_get_int16( const u_int8_t *buf);
+void dst_s_put_int16( u_int8_t *buf, const u_int16_t val);
+
+u_int32_t dst_s_get_int32( const u_int8_t *buf);
+void dst_s_put_int32( u_int8_t *buf, const u_int32_t val);
+
+#ifdef DUMP
+# undef DUMP
+# define DUMP(a,b,c,d) dst_s_dump(a,b,c,d)
+#else
+# define DUMP(a,b,c,d)
+#endif
+void
+dst_s_dump(const int mode, const u_char *data, const int size,
+ const char *msg);
+
+
+
+#endif /* DST_INTERNAL_H */
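Review bot: `SAFE_FREE2` expands to a bare `if` statement with unparenthesized arguments, unlike `SAFE_FREE` just above it, so using it as the body of an `if`/`else` silently rebinds the `else`. Wrapping it the same way fixes that: `#define SAFE_FREE2(a,s) do { if ((a) != NULL && (long)(s) > 0) { memset((a), 0, (s)); free(a); (a) = NULL; } } while (0)`. Both macros scrub with a plain `memset` immediately before `free`, which an optimizing compiler may drop as a dead store, so key material can survive in freed heap memory; a scrubbing routine the compiler cannot elide would be safer where the platform provides one. `SAFE_FREE` also clears only `sizeof(*a)` bytes, which for a `char *` such as `dk_key_name` is a single byte, and that limit deserves a comment on the macro.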
diff --git a/contrib/bind9/lib/bind/dst/hmac_link.c b/contrib/bind9/lib/bind/dst/hmac_link.c
new file mode 100644
index 0000000..8a641d0
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/hmac_link.c
@@ -0,0 +1,468 @@
+#ifdef HMAC_MD5
+#ifndef LINT
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/hmac_link.c,v 1.2.2.1 2003/06/27 03:51:36 marka Exp $";
+#endif
+/*
+ * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
+ *
+ * Permission to use, copy modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ */
+
+/*
+ * This file contains an implementation of the HMAC-MD5 algorithm.
+ */
+#include "port_before.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <memory.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include "dst_internal.h"
+#ifdef USE_MD5
+# include "md5.h"
+# ifndef _MD5_H_
+# define _MD5_H_ 1 /* make sure we do not include rsaref md5.h file */
+# endif
+#endif
+
+#include "port_after.h"
+
+
+#define HMAC_LEN 64
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+#define MD5_LEN 16
+
+
+typedef struct hmackey {
+ u_char hk_ipad[64], hk_opad[64];
+} HMAC_Key;
+
+
+/**************************************************************************
+ * dst_hmac_md5_sign
+ * Call HMAC signing functions to sign a block of data.
+ * There are three steps to signing, INIT (initialize structures),
+ * UPDATE (hash (more) data), FINAL (generate a signature). This
+ * routine performs one or more of these steps.
+ * Parameters
+ * mode SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
+ * priv_key key to use for signing.
+ * context the context to be used in this digest
+ * data data to be signed.
+ * len length in bytes of data.
+ * signature location to store signature.
+ * sig_len size of the signature location
+ * returns
+ * N Success on SIG_MODE_FINAL = returns signature length in bytes
+ * 0 Success on SIG_MODE_INIT and UPDATE
+ * <0 Failure
+ */
+
+static int
+dst_hmac_md5_sign(const int mode, DST_KEY *d_key, void **context,
+ const u_char *data, const int len,
+ u_char *signature, const int sig_len)
+{
+ HMAC_Key *key;
+ int sign_len = 0;
+ MD5_CTX *ctx = NULL;
+
+ if (mode & SIG_MODE_INIT)
+ ctx = (MD5_CTX *) malloc(sizeof(*ctx));
+ else if (context)
+ ctx = (MD5_CTX *) *context;
+ if (ctx == NULL)
+ return (-1);
+
+ if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+ return (-1);
+ key = (HMAC_Key *) d_key->dk_KEY_struct;
+
+ if (mode & SIG_MODE_INIT) {
+ MD5Init(ctx);
+ MD5Update(ctx, key->hk_ipad, HMAC_LEN);
+ }
+
+ if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
+ MD5Update(ctx, data, len);
+
+ if (mode & SIG_MODE_FINAL) {
+ if (signature == NULL || sig_len < MD5_LEN)
+ return (SIGN_FINAL_FAILURE);
+ MD5Final(signature, ctx);
+
+ /* perform outer MD5 */
+ MD5Init(ctx);
+ MD5Update(ctx, key->hk_opad, HMAC_LEN);
+ MD5Update(ctx, signature, MD5_LEN);
+ MD5Final(signature, ctx);
+ sign_len = MD5_LEN;
+ SAFE_FREE(ctx);
+ }
+ else {
+ if (context == NULL)
+ return (-1);
+ *context = (void *) ctx;
+ }
+ return (sign_len);
+}
+
+
+/**************************************************************************
+ * dst_hmac_md5_verify()
+ * Calls HMAC verification routines. There are three steps to
+ * verification, INIT (initialize structures), UPDATE (hash (more) data),
+ * FINAL (generate a signature). This routine performs one or more of
+ * these steps.
+ * Parameters
+ * mode SIG_MODE_INIT, SIG_MODE_UPDATE and/or SIG_MODE_FINAL.
+ * dkey key to use for verify.
+ * data data signed.
+ * len length in bytes of data.
+ * signature signature.
+ * sig_len length in bytes of signature.
+ * returns
+ * 0 Success
+ * <0 Failure
+ */
+
+static int
+dst_hmac_md5_verify(const int mode, DST_KEY *d_key, void **context,
+ const u_char *data, const int len,
+ const u_char *signature, const int sig_len)
+{
+ HMAC_Key *key;
+ MD5_CTX *ctx = NULL;
+
+ if (mode & SIG_MODE_INIT)
+ ctx = (MD5_CTX *) malloc(sizeof(*ctx));
+ else if (context)
+ ctx = (MD5_CTX *) *context;
+ if (ctx == NULL)
+ return (-1);
+
+ if (d_key == NULL || d_key->dk_KEY_struct == NULL)
+ return (-1);
+
+ key = (HMAC_Key *) d_key->dk_KEY_struct;
+ if (mode & SIG_MODE_INIT) {
+ MD5Init(ctx);
+ MD5Update(ctx, key->hk_ipad, HMAC_LEN);
+ }
+ if ((mode & SIG_MODE_UPDATE) && (data && len > 0))
+ MD5Update(ctx, data, len);
+
+ if (mode & SIG_MODE_FINAL) {
+ u_char digest[MD5_LEN];
+ if (signature == NULL || key == NULL || sig_len != MD5_LEN)
+ return (VERIFY_FINAL_FAILURE);
+ MD5Final(digest, ctx);
+
+ /* perform outer MD5 */
+ MD5Init(ctx);
+ MD5Update(ctx, key->hk_opad, HMAC_LEN);
+ MD5Update(ctx, digest, MD5_LEN);
+ MD5Final(digest, ctx);
+
+ SAFE_FREE(ctx);
+ if (memcmp(digest, signature, MD5_LEN) != 0)
+ return (VERIFY_FINAL_FAILURE);
+ }
+ else {
+ if (context == NULL)
+ return (-1);
+ *context = (void *) ctx;
+ }
+ return (0);
+}
+
+
+/**************************************************************************
+ * dst_buffer_to_hmac_md5
+ * Converts key from raw data to an HMAC Key
+ * This function gets in a pointer to the data
+ * Parameters
+ * hkey the HMAC key to be filled in
+ * key the key in raw format
+ * keylen the length of the key
+ * Return
+ * 0 Success
+ * <0 Failure
+ */
+static int
+dst_buffer_to_hmac_md5(DST_KEY *dkey, const u_char *key, const int keylen)
+{
+ int i;
+ HMAC_Key *hkey = NULL;
+ MD5_CTX ctx;
+ int local_keylen = keylen;
+
+ if (dkey == NULL || key == NULL || keylen < 0)
+ return (-1);
+
+ if ((hkey = (HMAC_Key *) malloc(sizeof(HMAC_Key))) == NULL)
+ return (-2);
+
+ memset(hkey->hk_ipad, 0, sizeof(hkey->hk_ipad));
+ memset(hkey->hk_opad, 0, sizeof(hkey->hk_opad));
+
+ /* if key is longer than HMAC_LEN bytes reset it to key=MD5(key) */
+ if (keylen > HMAC_LEN) {
+ u_char tk[MD5_LEN];
+ MD5Init(&ctx);
+ MD5Update(&ctx, key, keylen);
+ MD5Final(tk, &ctx);
+ memset((void *) &ctx, 0, sizeof(ctx));
+ key = tk;
+ local_keylen = MD5_LEN;
+ }
+ /* start out by storing key in pads */
+ memcpy(hkey->hk_ipad, key, local_keylen);
+ memcpy(hkey->hk_opad, key, local_keylen);
+
+ /* XOR key with hk_ipad and opad values */
+ for (i = 0; i < HMAC_LEN; i++) {
+ hkey->hk_ipad[i] ^= HMAC_IPAD;
+ hkey->hk_opad[i] ^= HMAC_OPAD;
+ }
+ dkey->dk_key_size = local_keylen;
+ dkey->dk_KEY_struct = (void *) hkey;
+ return (1);
+}
+
+
+/**************************************************************************
+ * dst_hmac_md5_key_to_file_format
+ * Encodes an HMAC Key into the portable file format.
+ * Parameters
+ * hkey HMAC KEY structure
+ * buff output buffer
+ * buff_len size of output buffer
+ * Return
+ * 0 Failure - null input hkey
+ * -1 Failure - not enough space in output area
+ * N Success - Length of data returned in buff
+ */
+
+static int
+dst_hmac_md5_key_to_file_format(const DST_KEY *dkey, char *buff,
+ const int buff_len)
+{
+ char *bp;
+ int len, b_len, i, key_len;
+ u_char key[HMAC_LEN];
+ HMAC_Key *hkey;
+
+ if (dkey == NULL || dkey->dk_KEY_struct == NULL)
+ return (0);
+ if (buff == NULL || buff_len <= (int) strlen(key_file_fmt_str))
+ return (-1); /* no OR not enough space in output area */
+
+ hkey = (HMAC_Key *) dkey->dk_KEY_struct;
+ memset(buff, 0, buff_len); /* just in case */
+ /* write file header */
+ sprintf(buff, key_file_fmt_str, KEY_FILE_FORMAT, KEY_HMAC_MD5, "HMAC");
+
+ bp = (char *) strchr(buff, '\0');
+ b_len = buff_len - (bp - buff);
+
+ memset(key, 0, HMAC_LEN);
+ for (i = 0; i < HMAC_LEN; i++)
+ key[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
+ for (i = HMAC_LEN - 1; i >= 0; i--)
+ if (key[i] != 0)
+ break;
+ key_len = i + 1;
+
+ strcat(bp, "Key: ");
+ bp += strlen("Key: ");
+ b_len = buff_len - (bp - buff);
+
+ len = b64_ntop(key, key_len, bp, b_len);
+ if (len < 0)
+ return (-1);
+ bp += len;
+ *(bp++) = '\n';
+ *bp = '\0';
+ b_len = buff_len - (bp - buff);
+
+ return (buff_len - b_len);
+}
+
+
+/**************************************************************************
+ * dst_hmac_md5_key_from_file_format
+ * Converts contents of a key file into an HMAC key.
+ * Parameters
+ * hkey structure to put key into
+ * buff buffer containing the encoded key
+ * buff_len the length of the buffer
+ * Return
+ * n >= 0 Foot print of the key converted
+ * n < 0 Error in conversion
+ */
+
+static int
+dst_hmac_md5_key_from_file_format(DST_KEY *dkey, const char *buff,
+ const int buff_len)
+{
+ const char *p = buff, *eol;
+ u_char key[HMAC_LEN+1]; /* b64_pton needs more than 64 bytes do decode
+ * it should probably be fixed rather than doing
+ * this
+ */
+ u_char *tmp;
+ int key_len, len;
+
+ if (dkey == NULL)
+ return (-2);
+ if (buff == NULL || buff_len < 0)
+ return (-1);
+
+ memset(key, 0, sizeof(key));
+
+ if (!dst_s_verify_str(&p, "Key: "))
+ return (-3);
+
+ eol = strchr(p, '\n');
+ if (eol == NULL)
+ return (-4);
+ len = eol - p;
+ tmp = malloc(len + 2);
+ memcpy(tmp, p, len);
+ *(tmp + len) = 0x0;
+ key_len = b64_pton((char *)tmp, key, HMAC_LEN+1); /* see above */
+ SAFE_FREE2(tmp, len + 2);
+
+ if (dst_buffer_to_hmac_md5(dkey, key, key_len) < 0) {
+ return (-6);
+ }
+ return (0);
+}
+
+/*
+ * dst_hmac_md5_to_dns_key()
+ * function to extract hmac key from DST_KEY structure
+ * intput:
+ * in_key: HMAC-MD5 key
+ * output:
+ * out_str: buffer to write ot
+ * out_len: size of output buffer
+ * returns:
+ * number of bytes written to output buffer
+ */
+static int
+dst_hmac_md5_to_dns_key(const DST_KEY *in_key, u_char *out_str,
+ const int out_len)
+{
+
+ HMAC_Key *hkey;
+ int i;
+
+ if (in_key == NULL || in_key->dk_KEY_struct == NULL ||
+ out_len <= in_key->dk_key_size || out_str == NULL)
+ return (-1);
+
+ hkey = (HMAC_Key *) in_key->dk_KEY_struct;
+ for (i = 0; i < in_key->dk_key_size; i++)
+ out_str[i] = hkey->hk_ipad[i] ^ HMAC_IPAD;
+ return (i);
+}
+
+/**************************************************************************
+ * dst_hmac_md5_compare_keys
+ * Compare two keys for equality.
+ * Return
+ * 0 The keys are equal
+ * NON-ZERO The keys are not equal
+ */
+
+static int
+dst_hmac_md5_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
+{
+ HMAC_Key *hkey1 = (HMAC_Key *) key1->dk_KEY_struct;
+ HMAC_Key *hkey2 = (HMAC_Key *) key2->dk_KEY_struct;
+ return memcmp(hkey1->hk_ipad, hkey2->hk_ipad, HMAC_LEN);
+}
+
+/**************************************************************************
+ * dst_hmac_md5_free_key_structure
+ * Frees all (none) dynamically allocated structures in hkey
+ */
+
+static void *
+dst_hmac_md5_free_key_structure(void *key)
+{
+ HMAC_Key *hkey = key;
+ SAFE_FREE(hkey);
+ return (NULL);
+}
+
+
+/***************************************************************************
+ * dst_hmac_md5_generate_key
+ * Creates a HMAC key of size size with a maximum size of 63 bytes
+ * generating a HMAC key larger than 63 bytes makes no sense as that key
+ * is digested before use.
+ */
+
+static int
+dst_hmac_md5_generate_key(DST_KEY *key, const int nothing)
+{
+ (void)key;
+ (void)nothing;
+ return (-1);
+}
+
+/*
+ * dst_hmac_md5_init() Function to answer set up function pointers for HMAC
+ * related functions
+ */
+int
+dst_hmac_md5_init()
+{
+ if (dst_t_func[KEY_HMAC_MD5] != NULL)
+ return (1);
+ dst_t_func[KEY_HMAC_MD5] = malloc(sizeof(struct dst_func));
+ if (dst_t_func[KEY_HMAC_MD5] == NULL)
+ return (0);
+ memset(dst_t_func[KEY_HMAC_MD5], 0, sizeof(struct dst_func));
+ dst_t_func[KEY_HMAC_MD5]->sign = dst_hmac_md5_sign;
+ dst_t_func[KEY_HMAC_MD5]->verify = dst_hmac_md5_verify;
+ dst_t_func[KEY_HMAC_MD5]->compare = dst_hmac_md5_compare_keys;
+ dst_t_func[KEY_HMAC_MD5]->generate = dst_hmac_md5_generate_key;
+ dst_t_func[KEY_HMAC_MD5]->destroy = dst_hmac_md5_free_key_structure;
+ dst_t_func[KEY_HMAC_MD5]->to_dns_key = dst_hmac_md5_to_dns_key;
+ dst_t_func[KEY_HMAC_MD5]->from_dns_key = dst_buffer_to_hmac_md5;
+ dst_t_func[KEY_HMAC_MD5]->to_file_fmt = dst_hmac_md5_key_to_file_format;
+ dst_t_func[KEY_HMAC_MD5]->from_file_fmt = dst_hmac_md5_key_from_file_format;
+ return (1);
+}
+
+#else
+#define dst_hmac_md5_init __dst_hmac_md5_init
+
+int
+dst_hmac_md5_init(){
+ return (0);
+}
+#endif
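Review bot: In `dst_hmac_md5_verify` the final check `memcmp(digest, signature, MD5_LEN)` can return as soon as a byte differs, so its running time depends on how many leading bytes of the supplied MAC are correct. A comparison that always touches all 16 bytes avoids this: with `int i; u_char diff;` declared locally, use `for (i = 0, diff = 0; i < MD5_LEN; i++) diff |= digest[i] ^ signature[i];` followed by `if (diff != 0) return (VERIFY_FINAL_FAILURE);`. Separately, `dst_hmac_md5_key_from_file_format` passes the result of `malloc(len + 2)` straight to `memcpy` with no NULL check. Both that function and `dst_hmac_md5_key_to_file_format` leave the decoded key in the stack array `key` without clearing it before returning. In the sign and verify routines, the `MD5_CTX` allocated under `SIG_MODE_INIT` is not freed on the early `return (-1)` and `*_FINAL_FAILURE` paths.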
diff --git a/contrib/bind9/lib/bind/dst/md5.h b/contrib/bind9/lib/bind/dst/md5.h
new file mode 100644
index 0000000..c886d17
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/md5.h
@@ -0,0 +1,101 @@
+/* crypto/md/md5.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifndef HEADER_MD5_H
+#define HEADER_MD5_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MD5_CBLOCK 64
+#define MD5_LBLOCK 16
+#define MD5_BLOCK 16
+#define MD5_LAST_BLOCK 56
+#define MD5_LENGTH_BLOCK 8
+#define MD5_DIGEST_LENGTH 16
+
+typedef struct MD5state_st
+ {
+ unsigned long A,B,C,D;
+ unsigned long Nl,Nh;
+ unsigned long data[MD5_LBLOCK];
+ int num;
+ } MD5_CTX;
+
+#ifndef NOPROTO
+void MD5_Init(MD5_CTX *c);
+void MD5_Update(MD5_CTX *c, const unsigned char *data, unsigned long len);
+void MD5_Final(unsigned char *md, MD5_CTX *c);
+unsigned char *MD5(unsigned char *d, unsigned long n, unsigned char *md);
+#else
+void MD5_Init();
+void MD5_Update();
+void MD5_Final();
+unsigned char *MD5();
+#endif
+
+/* to provide backward compatabilty to RSAREF calls ogud@tis.com 1997/11/14 */
+#define MD5Init(c) MD5_Init(c)
+#define MD5Update(c,data, len) MD5_Update(c,data,len)
+#define MD5Final(md, c) MD5_Final(md, c)
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/contrib/bind9/lib/bind/dst/md5_dgst.c b/contrib/bind9/lib/bind/dst/md5_dgst.c
new file mode 100644
index 0000000..48c327e
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/md5_dgst.c
@@ -0,0 +1,370 @@
+/* crypto/md/md5_dgst.c */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#ifdef USE_MD5 /* Added by ogud@tis.com 1998/1/26 */
+#include <port_before.h>
+#include <stdio.h>
+#include "md5_locl.h"
+#include <port_after.h>
+
+const char *MD5_version="MD5 part of SSLeay 0.8.1 19-Jul-1997";
+
+/* Implemented from RFC1321 The MD5 Message-Digest Algorithm
+ */
+
+#define INIT_DATA_A (unsigned long)0x67452301L
+#define INIT_DATA_B (unsigned long)0xefcdab89L
+#define INIT_DATA_C (unsigned long)0x98badcfeL
+#define INIT_DATA_D (unsigned long)0x10325476L
+
+#ifndef NOPROTO
+static void md5_block(MD5_CTX *c, unsigned long *p);
+#else
+static void md5_block();
+#endif
+
+void MD5_Init(c)
+MD5_CTX *c;
+ {
+ c->A=INIT_DATA_A;
+ c->B=INIT_DATA_B;
+ c->C=INIT_DATA_C;
+ c->D=INIT_DATA_D;
+ c->Nl=0;
+ c->Nh=0;
+ c->num=0;
+ }
+
+void MD5_Update(c, data, len)
+MD5_CTX *c;
+register const unsigned char *data;
+unsigned long len;
+ {
+ register ULONG *p;
+ int sw,sc;
+ ULONG l;
+
+ if (len == 0U) return;
+
+ l=(c->Nl+(len<<3))&0xffffffffL;
+ /* 95-05-24 eay Fixed a bug with the overflow handling, thanks to
+ * Wei Dai <weidai@eskimo.com> for pointing it out. */
+ if (l < c->Nl) /* overflow */
+ c->Nh++;
+ c->Nh+=(len>>29);
+ c->Nl=l;
+
+ if (c->num != 0)
+ {
+ p=c->data;
+ sw=c->num>>2;
+ sc=c->num&0x03;
+
+ if ((c->num+len) >= (size_t)MD5_CBLOCK)
+ {
+ l= p[sw];
+ p_c2l(data,l,sc);
+ p[sw++]=l;
+ for (; sw<MD5_LBLOCK; sw++)
+ {
+ c2l(data,l);
+ p[sw]=l;
+ }
+ len-=(MD5_CBLOCK-c->num);
+
+ md5_block(c,p);
+ c->num=0;
+ /* drop through and do the rest */
+ }
+ else
+ {
+ int ew,ec;
+
+ c->num+=(int)len;
+ if ((sc+len) < 4U) /* ugly, add char's to a word */
+ {
+ l= p[sw];
+ p_c2l_p(data,l,sc,len);
+ p[sw]=l;
+ }
+ else
+ {
+ ew=(c->num>>2);
+ ec=(c->num&0x03);
+ l= p[sw];
+ p_c2l(data,l,sc);
+ p[sw++]=l;
+ for (; sw < ew; sw++)
+ { c2l(data,l); p[sw]=l; }
+ if (ec)
+ {
+ c2l_p(data,l,ec);
+ p[sw]=l;
+ }
+ }
+ return;
+ }
+ }
+ /* we now can process the input data in blocks of MD5_CBLOCK
+ * chars and save the leftovers to c->data. */
+ p=c->data;
+ while (len >= (size_t)MD5_CBLOCK)
+ {
+#if defined(L_ENDIAN) || defined(B_ENDIAN)
+ memcpy(p,data,MD5_CBLOCK);
+ data+=MD5_CBLOCK;
+#ifdef B_ENDIAN
+ for (sw=(MD5_LBLOCK/4); sw; sw--)
+ {
+ Endian_Reverse32(p[0]);
+ Endian_Reverse32(p[1]);
+ Endian_Reverse32(p[2]);
+ Endian_Reverse32(p[3]);
+ p+=4;
+ }
+#endif
+#else
+ for (sw=(MD5_LBLOCK/4); sw; sw--)
+ {
+ c2l(data,l); *(p++)=l;
+ c2l(data,l); *(p++)=l;
+ c2l(data,l); *(p++)=l;
+ c2l(data,l); *(p++)=l;
+ }
+#endif
+ p=c->data;
+ md5_block(c,p);
+ len-=MD5_CBLOCK;
+ }
+ sc=(int)len;
+ c->num=sc;
+ if (sc)
+ {
+ sw=sc>>2; /* words to copy */
+#ifdef L_ENDIAN
+ p[sw]=0;
+ memcpy(p,data,sc);
+#else
+ sc&=0x03;
+ for ( ; sw; sw--)
+ { c2l(data,l); *(p++)=l; }
+ c2l_p(data,l,sc);
+ *p=l;
+#endif
+ }
+ }
+
+static void md5_block(c, X)
+MD5_CTX *c;
+register ULONG *X;
+ {
+ register ULONG A,B,C,D;
+
+ A=c->A;
+ B=c->B;
+ C=c->C;
+ D=c->D;
+
+ /* Round 0 */
+ R0(A,B,C,D,X[ 0], 7,0xd76aa478L);
+ R0(D,A,B,C,X[ 1],12,0xe8c7b756L);
+ R0(C,D,A,B,X[ 2],17,0x242070dbL);
+ R0(B,C,D,A,X[ 3],22,0xc1bdceeeL);
+ R0(A,B,C,D,X[ 4], 7,0xf57c0fafL);
+ R0(D,A,B,C,X[ 5],12,0x4787c62aL);
+ R0(C,D,A,B,X[ 6],17,0xa8304613L);
+ R0(B,C,D,A,X[ 7],22,0xfd469501L);
+ R0(A,B,C,D,X[ 8], 7,0x698098d8L);
+ R0(D,A,B,C,X[ 9],12,0x8b44f7afL);
+ R0(C,D,A,B,X[10],17,0xffff5bb1L);
+ R0(B,C,D,A,X[11],22,0x895cd7beL);
+ R0(A,B,C,D,X[12], 7,0x6b901122L);
+ R0(D,A,B,C,X[13],12,0xfd987193L);
+ R0(C,D,A,B,X[14],17,0xa679438eL);
+ R0(B,C,D,A,X[15],22,0x49b40821L);
+ /* Round 1 */
+ R1(A,B,C,D,X[ 1], 5,0xf61e2562L);
+ R1(D,A,B,C,X[ 6], 9,0xc040b340L);
+ R1(C,D,A,B,X[11],14,0x265e5a51L);
+ R1(B,C,D,A,X[ 0],20,0xe9b6c7aaL);
+ R1(A,B,C,D,X[ 5], 5,0xd62f105dL);
+ R1(D,A,B,C,X[10], 9,0x02441453L);
+ R1(C,D,A,B,X[15],14,0xd8a1e681L);
+ R1(B,C,D,A,X[ 4],20,0xe7d3fbc8L);
+ R1(A,B,C,D,X[ 9], 5,0x21e1cde6L);
+ R1(D,A,B,C,X[14], 9,0xc33707d6L);
+ R1(C,D,A,B,X[ 3],14,0xf4d50d87L);
+ R1(B,C,D,A,X[ 8],20,0x455a14edL);
+ R1(A,B,C,D,X[13], 5,0xa9e3e905L);
+ R1(D,A,B,C,X[ 2], 9,0xfcefa3f8L);
+ R1(C,D,A,B,X[ 7],14,0x676f02d9L);
+ R1(B,C,D,A,X[12],20,0x8d2a4c8aL);
+ /* Round 2 */
+ R2(A,B,C,D,X[ 5], 4,0xfffa3942L);
+ R2(D,A,B,C,X[ 8],11,0x8771f681L);
+ R2(C,D,A,B,X[11],16,0x6d9d6122L);
+ R2(B,C,D,A,X[14],23,0xfde5380cL);
+ R2(A,B,C,D,X[ 1], 4,0xa4beea44L);
+ R2(D,A,B,C,X[ 4],11,0x4bdecfa9L);
+ R2(C,D,A,B,X[ 7],16,0xf6bb4b60L);
+ R2(B,C,D,A,X[10],23,0xbebfbc70L);
+ R2(A,B,C,D,X[13], 4,0x289b7ec6L);
+ R2(D,A,B,C,X[ 0],11,0xeaa127faL);
+ R2(C,D,A,B,X[ 3],16,0xd4ef3085L);
+ R2(B,C,D,A,X[ 6],23,0x04881d05L);
+ R2(A,B,C,D,X[ 9], 4,0xd9d4d039L);
+ R2(D,A,B,C,X[12],11,0xe6db99e5L);
+ R2(C,D,A,B,X[15],16,0x1fa27cf8L);
+ R2(B,C,D,A,X[ 2],23,0xc4ac5665L);
+ /* Round 3 */
+ R3(A,B,C,D,X[ 0], 6,0xf4292244L);
+ R3(D,A,B,C,X[ 7],10,0x432aff97L);
+ R3(C,D,A,B,X[14],15,0xab9423a7L);
+ R3(B,C,D,A,X[ 5],21,0xfc93a039L);
+ R3(A,B,C,D,X[12], 6,0x655b59c3L);
+ R3(D,A,B,C,X[ 3],10,0x8f0ccc92L);
+ R3(C,D,A,B,X[10],15,0xffeff47dL);
+ R3(B,C,D,A,X[ 1],21,0x85845dd1L);
+ R3(A,B,C,D,X[ 8], 6,0x6fa87e4fL);
+ R3(D,A,B,C,X[15],10,0xfe2ce6e0L);
+ R3(C,D,A,B,X[ 6],15,0xa3014314L);
+ R3(B,C,D,A,X[13],21,0x4e0811a1L);
+ R3(A,B,C,D,X[ 4], 6,0xf7537e82L);
+ R3(D,A,B,C,X[11],10,0xbd3af235L);
+ R3(C,D,A,B,X[ 2],15,0x2ad7d2bbL);
+ R3(B,C,D,A,X[ 9],21,0xeb86d391L);
+
+ c->A+=A&0xffffffffL;
+ c->B+=B&0xffffffffL;
+ c->C+=C&0xffffffffL;
+ c->D+=D&0xffffffffL;
+ }
+
+void MD5_Final(md, c)
+unsigned char *md;
+MD5_CTX *c;
+ {
+ register int i,j;
+ register ULONG l;
+ register ULONG *p;
+ static unsigned char end[4]={0x80,0x00,0x00,0x00};
+ unsigned char *cp=end;
+
+ /* c->num should definitly have room for at least one more byte. */
+ p=c->data;
+ j=c->num;
+ i=j>>2;
+
+ /* purify often complains about the following line as an
+ * Uninitialized Memory Read. While this can be true, the
+ * following p_c2l macro will reset l when that case is true.
+ * This is because j&0x03 contains the number of 'valid' bytes
+ * already in p[i]. If and only if j&0x03 == 0, the UMR will
+ * occur but this is also the only time p_c2l will do
+ * l= *(cp++) instead of l|= *(cp++)
+ * Many thanks to Alex Tang <altitude@cic.net> for pickup this
+ * 'potential bug' */
+#ifdef PURIFY
+ if ((j&0x03) == 0) p[i]=0;
+#endif
+ l=p[i];
+ p_c2l(cp,l,j&0x03);
+ p[i]=l;
+ i++;
+ /* i is the next 'undefined word' */
+ if (c->num >= MD5_LAST_BLOCK)
+ {
+ for (; i<MD5_LBLOCK; i++)
+ p[i]=0;
+ md5_block(c,p);
+ i=0;
+ }
+ for (; i<(MD5_LBLOCK-2); i++)
+ p[i]=0;
+ p[MD5_LBLOCK-2]=c->Nl;
+ p[MD5_LBLOCK-1]=c->Nh;
+ md5_block(c,p);
+ cp=md;
+ l=c->A; l2c(l,cp);
+ l=c->B; l2c(l,cp);
+ l=c->C; l2c(l,cp);
+ l=c->D; l2c(l,cp);
+
+ /* clear stuff, md5_block may be leaving some stuff on the stack
+ * but I'm not worried :-) */
+ c->num=0;
+/* memset((char *)&c,0,sizeof(c));*/
+ }
+
+#ifdef undef
+int printit(l)
+unsigned long *l;
+ {
+ int i,ii;
+
+ for (i=0; i<2; i++)
+ {
+ for (ii=0; ii<8; ii++)
+ {
+ fprintf(stderr,"%08lx ",l[i*8+ii]);
+ }
+ fprintf(stderr,"\n");
+ }
+ }
+#endif
+#endif /* USE_MD5 */
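Review bot: `MD5_Final` leaves the chaining state and the last data block in the caller's `MD5_CTX`, resetting only `c->num`. The commented-out `memset((char *)&c,0,sizeof(c))` at the end would, if re-enabled, clear the local pointer variable rather than the context. Either replace it with `memset(c, 0, sizeof(*c));` or delete the dead line and add a comment such as `/* context is not scrubbed here; callers handling keyed data must clear it */`. In this import the HMAC code clears or frees its contexts itself on the success paths, so this is mainly about making the contract visible to other callers.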
diff --git a/contrib/bind9/lib/bind/dst/md5_locl.h b/contrib/bind9/lib/bind/dst/md5_locl.h
new file mode 100644
index 0000000..ce4c765
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/md5_locl.h
@@ -0,0 +1,190 @@
+/* crypto/md/md5_locl.h */
+/* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include "md5.h"
+
+#define ULONG unsigned long
+#define UCHAR unsigned char
+#define UINT unsigned int
+
+#if defined(NOCONST)
+#define const
+#endif
+
+#undef c2l
+#define c2l(c,l) (l = ((unsigned long)(*((c)++))) , \
+ l|=(((unsigned long)(*((c)++)))<< 8), \
+ l|=(((unsigned long)(*((c)++)))<<16), \
+ l|=(((unsigned long)(*((c)++)))<<24))
+
+#undef p_c2l
+#define p_c2l(c,l,n) { \
+ switch (n) { \
+ case 0: l =((unsigned long)(*((c)++))); \
+ case 1: l|=((unsigned long)(*((c)++)))<< 8; \
+ case 2: l|=((unsigned long)(*((c)++)))<<16; \
+ case 3: l|=((unsigned long)(*((c)++)))<<24; \
+ } \
+ }
+
+/* NOTE the pointer is not incremented at the end of this */
+#undef c2l_p
+#define c2l_p(c,l,n) { \
+ l=0; \
+ (c)+=n; \
+ switch (n) { \
+ case 3: l =((unsigned long)(*(--(c))))<<16; \
+ case 2: l|=((unsigned long)(*(--(c))))<< 8; \
+ case 1: l|=((unsigned long)(*(--(c)))) ; \
+ } \
+ }
+
+#undef p_c2l_p
+#define p_c2l_p(c,l,sc,len) { \
+ switch (sc) \
+ { \
+ case 0: l =((unsigned long)(*((c)++))); \
+ if (--len == 0U) break; \
+ case 1: l|=((unsigned long)(*((c)++)))<< 8; \
+ if (--len == 0U) break; \
+ case 2: l|=((unsigned long)(*((c)++)))<<16; \
+ } \
+ }
+
+#undef l2c
+#define l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \
+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
+ *((c)++)=(unsigned char)(((l)>>24)&0xff))
+
+/* NOTE - c is not incremented as per l2c */
+#undef l2cn
+#define l2cn(l1,l2,c,n) { \
+ c+=n; \
+ switch (n) { \
+ case 8: *(--(c))=(unsigned char)(((l2)>>24)&0xff); \
+ case 7: *(--(c))=(unsigned char)(((l2)>>16)&0xff); \
+ case 6: *(--(c))=(unsigned char)(((l2)>> 8)&0xff); \
+ case 5: *(--(c))=(unsigned char)(((l2) )&0xff); \
+ case 4: *(--(c))=(unsigned char)(((l1)>>24)&0xff); \
+ case 3: *(--(c))=(unsigned char)(((l1)>>16)&0xff); \
+ case 2: *(--(c))=(unsigned char)(((l1)>> 8)&0xff); \
+ case 1: *(--(c))=(unsigned char)(((l1) )&0xff); \
+ } \
+ }
+
+/* A nice byte order reversal from Wei Dai <weidai@eskimo.com> */
+#if defined(WIN32)
+/* 5 instructions with rotate instruction, else 9 */
+#define Endian_Reverse32(a) \
+ { \
+ unsigned long l=(a); \
+ (a)=((ROTATE(l,8)&0x00FF00FF)|(ROTATE(l,24)&0xFF00FF00)); \
+ }
+#else
+/* 6 instructions with rotate instruction, else 8 */
+#define Endian_Reverse32(a) \
+ { \
+ unsigned long l=(a); \
+ l=(((l&0xFF00FF00)>>8L)|((l&0x00FF00FF)<<8L)); \
+ (a)=ROTATE(l,16L); \
+ }
+#endif
+/*
+#define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
+#define G(x,y,z) (((x) & (z)) | ((y) & (~(z))))
+*/
+
+/* As pointed out by Wei Dai <weidai@eskimo.com>, the above can be
+ * simplified to the code below. Wei attributes these optimisations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ */
+#define F(x,y,z) ((((y) ^ (z)) & (x)) ^ (z))
+#define G(x,y,z) ((((x) ^ (y)) & (z)) ^ (y))
+#define H(x,y,z) ((x) ^ (y) ^ (z))
+#define I(x,y,z) (((x) | (~(z))) ^ (y))
+
+#undef ROTATE
+#if defined(WIN32)
+#define ROTATE(a,n) _lrotl(a,n)
+#else
+#define ROTATE(a,n) (((a)<<(n))|(((a)&0xffffffff)>>(32-(n))))
+#endif
+
+
+#define R0(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+F((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };\
+
+#define R1(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+G((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
+
+#define R2(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+H((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
+
+#define R3(a,b,c,d,k,s,t) { \
+ a+=((k)+(t)+I((b),(c),(d))); \
+ a=ROTATE(a,s); \
+ a+=b; };
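Review bot: The R0 definition ends in `a+=b; };\`, and that trailing backslash continues the macro onto the blank line that follows, so R0 stays separate from R1 only while that blank line remains; ending it with `a+=b; };` like R1, R2 and R3 removes the trap. All four round macros also expand to a brace block followed by `;`, so a call written `R0(...);` yields an extra empty statement and cannot sit between an `if` and its `else`. The fall-through in the `p_c2l`, `c2l_p`, `p_c2l_p` and `l2cn` switches is by design but unmarked; a one-line comment such as `/* cases fall through on purpose: n selects the entry point */` above each switch would document that.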
diff --git a/contrib/bind9/lib/bind/dst/support.c b/contrib/bind9/lib/bind/dst/support.c
new file mode 100644
index 0000000..7b86ea9
--- /dev/null
+++ b/contrib/bind9/lib/bind/dst/support.c
@@ -0,0 +1,350 @@
+static const char rcsid[] = "$Header: /proj/cvs/prod/bind9/lib/bind/dst/support.c,v 1.2.2.1 2001/11/02 22:25:29 gson Exp $";
+
+
+/*
+ * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
+ *
+ * Permission to use, copy modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
+ */
+
+#include "port_before.h"
+
+#include <stdio.h>
+#include <unistd.h>
+#include <memory.h>
+#include <string.h>
+#include <errno.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include "dst_internal.h"
+
+#include "port_after.h"
+
+/*
+ * dst_s_verify_str()
+ * Validate that the input string(*str) is at the head of the input
+ * buffer(**buf). If so, move the buffer head pointer (*buf) to
+ * the first byte of data following the string(*str).
+ * Parameters
+ * buf Input buffer.
+ * str Input string.
+ * Return
+ * 0 *str is not the head of **buff
+ * 1 *str is the head of **buff, *buf is is advanced to
+ * the tail of **buf.
+ */
+
+int
+dst_s_verify_str(const char **buf, const char *str)
+{
+ int b, s;
+ if (*buf == NULL) /* error checks */
+ return (0);
+ if (str == NULL || *str == '\0')
+ return (1);
+
+ b = strlen(*buf); /* get length of strings */
+ s = strlen(str);
+ if (s > b || strncmp(*buf, str, s)) /* check if same */
+ return (0); /* not a match */
+ (*buf) += s; /* advance pointer */
+ return (1);
+}
+
+/*
+ * dst_s_calculate_bits
+ * Given a binary number represented in a u_char[], determine
+ * the number of significant bits used.
+ * Parameters
+ * str An input character string containing a binary number.
+ * max_bits The maximum possible significant bits.
+ * Return
+ * N The number of significant bits in str.
+ */
+
+int
+dst_s_calculate_bits(const u_char *str, const int max_bits)
+{
+ const u_char *p = str;
+ u_char i, j = 0x80;
+ int bits;
+ for (bits = max_bits; *p == 0x00 && bits > 0; p++)
+ bits -= 8;
+ for (i = *p; (i & j) != j; j >>= 1)
+ bits--;
+ return (bits);
+}
+
+
+/*
+ * calculates a checksum used in dst for an id.
+ * takes an array of bytes and a length.
+ * returns a 16 bit checksum.
+ */
+u_int16_t
+dst_s_id_calc(const u_char *key, const int keysize)
+{
+ u_int32_t ac;
+ const u_char *kp = key;
+ int size = keysize;
+
+ if (!key || (keysize <= 0))
+ return (-1);
+
+ for (ac = 0; size > 1; size -= 2, kp += 2)
+ ac += ((*kp) << 8) + *(kp + 1);
+
+ if (size > 0)
+ ac += ((*kp) << 8);
+ ac += (ac >> 16) & 0xffff;
+
+ return (ac & 0xffff);
+}
+
+/*
+ * dst_s_dns_key_id() Function to calculate DNSSEC footprint from KEY record
+ * rdata
+ * Input:
+ * dns_key_rdata: the raw data in wire format
+ * rdata_len: the size of the input data
+ * Output:
+ * the key footprint/id calculated from the key data
+ */
+u_int16_t
+dst_s_dns_key_id(const u_char *dns_key_rdata, const int rdata_len)
+{
+ if (!dns_key_rdata)
+ return 0;
+
+ /* compute id */
+ if (dns_key_rdata[3] == KEY_RSA) /* Algorithm RSA */
+ return dst_s_get_int16((const u_char *)
+ &dns_key_rdata[rdata_len - 3]);
+ else if (dns_key_rdata[3] == KEY_HMAC_MD5)
+ /* compatibility */
+ return 0;
+ else
+ /* compute a checksum on the key part of the key rr */
+ return dst_s_id_calc(dns_key_rdata, rdata_len);
+}
+
+/*
+ * dst_s_get_int16
+ * This routine extracts a 16 bit integer from a two byte character
+ * string. The character string is assumed to be in network byte
+ * order and may be unaligned. The number returned is in host order.
+ * Parameter
+ * buf A two byte character string.
+ * Return
+ * The converted integer value.
+ */
+
+u_int16_t
+dst_s_get_int16(const u_char *buf)
+{
+ register u_int16_t a = 0;
+ a = ((u_int16_t)(buf[0] << 8)) | ((u_int16_t)(buf[1]));
+ return (a);
+}
+
+
+/*
+ * dst_s_get_int32
+ * This routine extracts a 32 bit integer from a four byte character
+ * string. The character string is assumed to be in network byte
+ * order and may be unaligned. The number returned is in host order.
+ * Parameter
+ * buf A four byte character string.
+ * Return
+ * The converted integer value.
+ */
+
+u_int32_t
+dst_s_get_int32(const u_char *buf)
+{
+ register u_int32_t a = 0;
+ a = ((u_int32_t)(buf[0] << 24)) | ((u_int32_t)(buf[1] << 16)) |
+ ((u_int32_t)(buf[2] << 8)) | ((u_int32_t)(buf[3]));
+ return (a);
+}
+
+
+/*
+ * dst_s_put_int16
+ * Take a 16 bit integer and store the value in a two byte
+ * character string. The integer is assumed to be in network
+ * order and the string is returned in host order.
+ *
+ * Parameters
+ * buf Storage for a two byte character string.
+ * val 16 bit integer.
+ */
+
+void
+dst_s_put_int16(u_int8_t *buf, const u_int16_t val)
+{
+ buf[0] = (u_int8_t)(val >> 8);
+ buf[1] = (u_int8_t)(val);
+}
+
+
+/*
+ * dst_s_put_int32
+ * Take a 32 bit integer and store the value in a four byte
+ * character string. The integer is assumed to be in network
+ * order and the string is returned in host order.
+ *
+ * Parameters
+ * buf Storage for a four byte character string.
+ * val 32 bit integer.
+ */
+
+void
+dst_s_put_int32(u_int8_t *buf, const u_int32_t val)
+{
+ buf[0] = (u_int8_t)(val >> 24);
+ buf[1] = (u_int8_t)(val >> 16);
+ buf[2] = (u_int8_t)(val >> 8);
+ buf[3] = (u_int8_t)(val);
+}
+
+
+/*
+ * dst_s_filename_length
+ *
+ * This function returns the number of bytes needed to hold the
+ * filename for a key file. '/', '\' and ':' are not allowed.
+ * form: K<keyname>+<alg>+<id>.<suffix>
+ *
+ * Returns 0 if the filename would contain either '\', '/' or ':'
+ */
+size_t
+dst_s_filename_length(const char *name, const char *suffix)
+{
+ if (name == NULL)
+ return (0);
+ if (strrchr(name, '\\'))
+ return (0);
+ if (strrchr(name, '/'))
+ return (0);
+ if (strrchr(name, ':'))
+ return (0);
+ if (suffix == NULL)
+ return (0);
+ if (strrchr(suffix, '\\'))
+ return (0);
+ if (strrchr(suffix, '/'))
+ return (0);
+ if (strrchr(suffix, ':'))
+ return (0);
+ return (1 + strlen(name) + 6 + strlen(suffix));
+}
+
+
+/*
+ * dst_s_build_filename ()
+ * Builds a key filename from the key name, it's id, and a
+ * suffix. '\', '/' and ':' are not allowed. fA filename is of the
+ * form: K<keyname><id>.<suffix>
+ * form: K<keyname>+<alg>+<id>.<suffix>
+ *
+ * Returns -1 if the conversion fails:
+ * if the filename would be too long for space allotted
+ * if the filename would contain a '\', '/' or ':'
+ * Returns 0 on success
+ */
+
+int
+dst_s_build_filename(char *filename, const char *name, u_int16_t id,
+ int alg, const char *suffix, size_t filename_length)
+{
+ u_int32_t my_id;
+ if (filename == NULL)
+ return (-1);
+ memset(filename, 0, filename_length);
+ if (name == NULL)
+ return (-1);
+ if (suffix == NULL)
+ return (-1);
+ if (filename_length < 1 + strlen(name) + 4 + 6 + 1 + strlen(suffix))
+ return (-1);
+ my_id = id;
+ sprintf(filename, "K%s+%03d+%05d.%s", name, alg, my_id,
+ (const char *) suffix);
+ if (strrchr(filename, '/'))
+ return (-1);
+ if (strrchr(filename, '\\'))
+ return (-1);
+ if (strrchr(filename, ':'))
+ return (-1);
+ return (0);
+}
+
+/*
+ * dst_s_fopen ()
+ * Open a file in the dst_path directory. If perm is specified, the
+ * file is checked for existence first, and not opened if it exists.
+ * Parameters
+ * filename File to open
+ * mode Mode to open the file (passed directly to fopen)
+ * perm File permission, if creating a new file.
+ * Returns
+ * NULL Failure
+ * NON-NULL (FILE *) of opened file.
+ */
+FILE *
+dst_s_fopen(const char *filename, const char *mode, int perm)
+{
+ FILE *fp;
+ char pathname[PATH_MAX];
+ size_t plen = sizeof(pathname);
+
+ if (*dst_path != '\0') {
+ strcpy(pathname, dst_path);
+ plen -= strlen(pathname);
+ }
+ else
+ pathname[0] = '\0';
+
+ if (plen > strlen(filename))
+ strncpy(&pathname[PATH_MAX - plen], filename, plen-1);
+ else
+ return (NULL);
+
+ fp = fopen(pathname, mode);
+ if (perm)
+ chmod(pathname, perm);
+ return (fp);
+}
+
+void
+dst_s_dump(const int mode, const u_char *data, const int size,
+ const char *msg)
+{
+ UNUSED(data);
+
+ if (size > 0) {
+#ifdef LONG_TEST
+ static u_char scratch[1000];
+ int n ;
+ n = b64_ntop(data, scratch, size, sizeof(scratch));
+ printf("%s: %x %d %s\n", msg, mode, n, scratch);
+#else
+ printf("%s,%x %d\n", msg, mode, size);
+#endif
+ }
+}
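Review bot: dst_s_fopen() copies `dst_path` into the PATH_MAX stack buffer with an unbounded `strcpy`, and when `plen - 1 == strlen(filename)` the `strncpy` that follows writes no terminator, so `fopen` may receive an unterminated path; `dst_path` is declared outside this file, so its maximum length cannot be confirmed here. The permission handling also differs from the header comment: no existence check is made, `chmod(pathname, perm)` runs even when `fopen` returned NULL, and it acts on the path rather than on the file just opened, so a new key file keeps umask-default permissions until that call lands. The fence builds the path with one length-checked `snprintf` and sets the mode on the open descriptor; creating the file through `open()` with the mode supplied would also close the remaining window, and needs `<fcntl.h>`. In the same hunk, dst_s_dns_key_id() reads `dns_key_rdata[3]` and `&dns_key_rdata[rdata_len - 3]` with no lower bound on `rdata_len`, which `if (!dns_key_rdata || rdata_len < 4) return 0;` would guard. dst_s_build_filename() accepts a `filename_length` that covers the formatted characters but not the NUL `sprintf` appends, and `%03d` is only a minimum width, so a bounded `snprintf` with a checked return value is safer there too.

```c
FILE *
dst_s_fopen(const char *filename, const char *mode, int perm)
{
	FILE *fp;
	char pathname[PATH_MAX];
	int n;

	/* one bounded, always-terminated write instead of strcpy + strncpy */
	n = snprintf(pathname, sizeof(pathname), "%s%s", dst_path, filename);
	if (n < 0 || (size_t)n >= sizeof(pathname))
		return (NULL);

	fp = fopen(pathname, mode);
	/* change the mode of the descriptor just opened, and only on success */
	if (fp != NULL && perm)
		fchmod(fileno(fp), perm);
	return (fp);
}
```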
diff --git a/contrib/bind9/lib/bind/include/Makefile.in b/contrib/bind9/lib/bind/include/Makefile.in
new file mode 100644
index 0000000..a6e5553
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/Makefile.in
@@ -0,0 +1,47 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3.206.1 2004/03/06 08:13:22 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+HEADERS=fd_setsize.h hesiod.h irp.h irs.h netdb.h netgroup.h res_update.h \
+ resolv.h
+AHEADERS= arpa/inet.h arpa/nameser.h arpa/nameser_compat.h
+IHEADERS= isc/assertions.h isc/ctl.h isc/dst.h isc/eventlib.h isc/heap.h \
+ isc/irpmarshall.h isc/list.h isc/logging.h isc/memcluster.h \
+ isc/misc.h isc/tree.h
+
+all:
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir} \
+ ${DESTDIR}${includedir}/arpa ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}; \
+ done
+ for i in ${IHEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc; \
+ done
+ for i in ${AHEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/arpa; \
+ done
+
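Review bot: The three `for` loops in `install::` discard the exit status of every `${INSTALL_DATA}` call except the last one in each loop, so under a make that runs recipes without `sh -e` a header that fails to install goes unnoticed. Appending `|| exit 1` to each call, e.g. `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir} || exit 1; \`, makes the target fail instead. `${DESTDIR}${includedir}` and `${srcdir}` are also expanded unquoted, so a staging path containing whitespace would be split by the shell.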
diff --git a/contrib/bind9/lib/bind/include/arpa/inet.h b/contrib/bind9/lib/bind/include/arpa/inet.h
new file mode 100644
index 0000000..46caa49
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/arpa/inet.h
@@ -0,0 +1,124 @@
+/*
+ * ++Copyright++ 1983, 1993
+ * -
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * -
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ * -
+ * --Copyright--
+ */
+
+/*
+ * @(#)inet.h 8.1 (Berkeley) 6/2/93
+ * $Id: inet.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
+ */
+
+#ifndef _INET_H_
+#define _INET_H_
+
+/* External definitions for functions in inet(3) */
+
+#include <sys/param.h>
+#if (!defined(BSD)) || (BSD < 199306)
+# include <sys/bitypes.h>
+#else
+# include <sys/types.h>
+#endif
+#include <sys/cdefs.h>
+
+#define inet_addr __inet_addr
+#define inet_aton __inet_aton
+#define inet_lnaof __inet_lnaof
+#define inet_makeaddr __inet_makeaddr
+#define inet_neta __inet_neta
+#define inet_netof __inet_netof
+#define inet_network __inet_network
+#define inet_net_ntop __inet_net_ntop
+#define inet_net_pton __inet_net_pton
+#define inet_cidr_ntop __inet_cidr_ntop
+#define inet_cidr_pton __inet_cidr_pton
+#define inet_ntoa __inet_ntoa
+#define inet_pton __inet_pton
+#define inet_ntop __inet_ntop
+#define inet_nsap_addr __inet_nsap_addr
+#define inet_nsap_ntoa __inet_nsap_ntoa
+
+__BEGIN_DECLS
+unsigned long inet_addr __P((const char *));
+int inet_aton __P((const char *, struct in_addr *));
+unsigned long inet_lnaof __P((struct in_addr));
+struct in_addr inet_makeaddr __P((u_long , u_long));
+char * inet_neta __P((u_long, char *, size_t));
+unsigned long inet_netof __P((struct in_addr));
+unsigned long inet_network __P((const char *));
+char *inet_net_ntop __P((int, const void *, int, char *, size_t));
+int inet_net_pton __P((int, const char *, void *, size_t));
+char *inet_cidr_ntop __P((int, const void *, int, char *, size_t));
+int inet_cidr_pton __P((int, const char *, void *, int *));
+/*const*/ char *inet_ntoa __P((struct in_addr));
+int inet_pton __P((int, const char *, void *));
+const char *inet_ntop __P((int, const void *, char *, size_t));
+u_int inet_nsap_addr __P((const char *, u_char *, int));
+char *inet_nsap_ntoa __P((int, const u_char *, char *));
+__END_DECLS
+
+#if defined(__hpux) && defined(_XOPEN_SOURCE_EXTENDED)
+/*
+ * Macros for number representation conversion.
+ *
+ * netinet/in.h is another location for these macros
+ */
+#ifndef ntohl
+#define ntohl(x) (x)
+#define ntohs(x) (x)
+#define htonl(x) (x)
+#define htons(x) (x)
+#endif
+#endif
+
+#endif /* !_INET_H_ */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser.h b/contrib/bind9/lib/bind/include/arpa/nameser.h
new file mode 100644
index 0000000..23db498
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/arpa/nameser.h
@@ -0,0 +1,576 @@
+/*
+ * Copyright (c) 1983, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: nameser.h,v 1.2.2.4.4.1 2004/03/09 08:33:30 marka Exp $
+ */
+
+#ifndef _ARPA_NAMESER_H_
+#define _ARPA_NAMESER_H_
+
+#define BIND_4_COMPAT
+
+#include <sys/param.h>
+#if (!defined(BSD)) || (BSD < 199306)
+# include <sys/bitypes.h>
+#else
+# include <sys/types.h>
+#endif
+#include <sys/cdefs.h>
+
+/*
+ * Revision information. This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__NAMESER > 19931104)". Do not
+ * compare for equality; rather, use it to determine whether your libbind.a
+ * contains a new enough lib/nameser/ to support the feature you need.
+ */
+
+#define __NAMESER 19991006 /* New interface version stamp. */
+
+/*
+ * Define constants based on RFC 883, RFC 1034, RFC 1035
+ */
+#define NS_PACKETSZ 512 /* default UDP packet size */
+#define NS_MAXDNAME 1025 /* maximum domain name */
+#define NS_MAXMSG 65535 /* maximum message size */
+#define NS_MAXCDNAME 255 /* maximum compressed domain name */
+#define NS_MAXLABEL 63 /* maximum length of domain label */
+#define NS_HFIXEDSZ 12 /* #/bytes of fixed data in header */
+#define NS_QFIXEDSZ 4 /* #/bytes of fixed data in query */
+#define NS_RRFIXEDSZ 10 /* #/bytes of fixed data in r record */
+#define NS_INT32SZ 4 /* #/bytes of data in a u_int32_t */
+#define NS_INT16SZ 2 /* #/bytes of data in a u_int16_t */
+#define NS_INT8SZ 1 /* #/bytes of data in a u_int8_t */
+#define NS_INADDRSZ 4 /* IPv4 T_A */
+#define NS_IN6ADDRSZ 16 /* IPv6 T_AAAA */
+#define NS_CMPRSFLGS 0xc0 /* Flag bits indicating name compression. */
+#define NS_DEFAULTPORT 53 /* For both TCP and UDP. */
+
+/*
+ * These can be expanded with synonyms, just keep ns_parse.c:ns_parserecord()
+ * in synch with it.
+ */
+typedef enum __ns_sect {
+ ns_s_qd = 0, /* Query: Question. */
+ ns_s_zn = 0, /* Update: Zone. */
+ ns_s_an = 1, /* Query: Answer. */
+ ns_s_pr = 1, /* Update: Prerequisites. */
+ ns_s_ns = 2, /* Query: Name servers. */
+ ns_s_ud = 2, /* Update: Update. */
+ ns_s_ar = 3, /* Query|Update: Additional records. */
+ ns_s_max = 4
+} ns_sect;
+
+/*
+ * This is a message handle. It is caller allocated and has no dynamic data.
+ * This structure is intended to be opaque to all but ns_parse.c, thus the
+ * leading _'s on the member names. Use the accessor functions, not the _'s.
+ */
+typedef struct __ns_msg {
+ const u_char *_msg, *_eom;
+ u_int16_t _id, _flags, _counts[ns_s_max];
+ const u_char *_sections[ns_s_max];
+ ns_sect _sect;
+ int _rrnum;
+ const u_char *_msg_ptr;
+} ns_msg;
+
+/* Private data structure - do not use from outside library. */
+struct _ns_flagdata { int mask, shift; };
+extern struct _ns_flagdata _ns_flagdata[];
+
+/* Accessor macros - this is part of the public interface. */
+
+#define ns_msg_id(handle) ((handle)._id + 0)
+#define ns_msg_base(handle) ((handle)._msg + 0)
+#define ns_msg_end(handle) ((handle)._eom + 0)
+#define ns_msg_size(handle) ((handle)._eom - (handle)._msg)
+#define ns_msg_count(handle, section) ((handle)._counts[section] + 0)
+
+/*
+ * This is a parsed record. It is caller allocated and has no dynamic data.
+ */
+typedef struct __ns_rr {
+ char name[NS_MAXDNAME];
+ u_int16_t type;
+ u_int16_t rr_class;
+ u_int32_t ttl;
+ u_int16_t rdlength;
+ const u_char * rdata;
+} ns_rr;
+
+/* Accessor macros - this is part of the public interface. */
+#define ns_rr_name(rr) (((rr).name[0] != '\0') ? (rr).name : ".")
+#define ns_rr_type(rr) ((ns_type)((rr).type + 0))
+#define ns_rr_class(rr) ((ns_class)((rr).rr_class + 0))
+#define ns_rr_ttl(rr) ((rr).ttl + 0)
+#define ns_rr_rdlen(rr) ((rr).rdlength + 0)
+#define ns_rr_rdata(rr) ((rr).rdata + 0)
+
+/*
+ * These don't have to be in the same order as in the packet flags word,
+ * and they can even overlap in some cases, but they will need to be kept
+ * in synch with ns_parse.c:ns_flagdata[].
+ */
+typedef enum __ns_flag {
+ ns_f_qr, /* Question/Response. */
+ ns_f_opcode, /* Operation code. */
+ ns_f_aa, /* Authoritative Answer. */
+ ns_f_tc, /* Truncation occurred. */
+ ns_f_rd, /* Recursion Desired. */
+ ns_f_ra, /* Recursion Available. */
+ ns_f_z, /* MBZ. */
+ ns_f_ad, /* Authentic Data (DNSSEC). */
+ ns_f_cd, /* Checking Disabled (DNSSEC). */
+ ns_f_rcode, /* Response code. */
+ ns_f_max
+} ns_flag;
+
+/*
+ * Currently defined opcodes.
+ */
+typedef enum __ns_opcode {
+ ns_o_query = 0, /* Standard query. */
+ ns_o_iquery = 1, /* Inverse query (deprecated/unsupported). */
+ ns_o_status = 2, /* Name server status query (unsupported). */
+ /* Opcode 3 is undefined/reserved. */
+ ns_o_notify = 4, /* Zone change notification. */
+ ns_o_update = 5, /* Zone update message. */
+ ns_o_max = 6
+} ns_opcode;
+
+/*
+ * Currently defined response codes.
+ */
+typedef enum __ns_rcode {
+ ns_r_noerror = 0, /* No error occurred. */
+ ns_r_formerr = 1, /* Format error. */
+ ns_r_servfail = 2, /* Server failure. */
+ ns_r_nxdomain = 3, /* Name error. */
+ ns_r_notimpl = 4, /* Unimplemented. */
+ ns_r_refused = 5, /* Operation refused. */
+ /* these are for BIND_UPDATE */
+ ns_r_yxdomain = 6, /* Name exists */
+ ns_r_yxrrset = 7, /* RRset exists */
+ ns_r_nxrrset = 8, /* RRset does not exist */
+ ns_r_notauth = 9, /* Not authoritative for zone */
+ ns_r_notzone = 10, /* Zone of record different from zone section */
+ ns_r_max = 11,
+ /* The following are EDNS extended rcodes */
+ ns_r_badvers = 16,
+ /* The following are TSIG errors */
+ ns_r_badsig = 16,
+ ns_r_badkey = 17,
+ ns_r_badtime = 18
+} ns_rcode;
+
+/* BIND_UPDATE */
+typedef enum __ns_update_operation {
+ ns_uop_delete = 0,
+ ns_uop_add = 1,
+ ns_uop_max = 2
+} ns_update_operation;
+
+/*
+ * This structure is used for TSIG authenticated messages
+ */
+struct ns_tsig_key {
+ char name[NS_MAXDNAME], alg[NS_MAXDNAME];
+ unsigned char *data;
+ int len;
+};
+typedef struct ns_tsig_key ns_tsig_key;
+
+/*
+ * This structure is used for TSIG authenticated TCP messages
+ */
+struct ns_tcp_tsig_state {
+ int counter;
+ struct dst_key *key;
+ void *ctx;
+ unsigned char sig[NS_PACKETSZ];
+ int siglen;
+};
+typedef struct ns_tcp_tsig_state ns_tcp_tsig_state;
+
+#define NS_TSIG_FUDGE 300
+#define NS_TSIG_TCP_COUNT 100
+#define NS_TSIG_ALG_HMAC_MD5 "HMAC-MD5.SIG-ALG.REG.INT"
+
+#define NS_TSIG_ERROR_NO_TSIG -10
+#define NS_TSIG_ERROR_NO_SPACE -11
+#define NS_TSIG_ERROR_FORMERR -12
+
+/*
+ * Currently defined type values for resources and queries.
+ */
+typedef enum __ns_type {
+ ns_t_invalid = 0, /* Cookie. */
+ ns_t_a = 1, /* Host address. */
+ ns_t_ns = 2, /* Authoritative server. */
+ ns_t_md = 3, /* Mail destination. */
+ ns_t_mf = 4, /* Mail forwarder. */
+ ns_t_cname = 5, /* Canonical name. */
+ ns_t_soa = 6, /* Start of authority zone. */
+ ns_t_mb = 7, /* Mailbox domain name. */
+ ns_t_mg = 8, /* Mail group member. */
+ ns_t_mr = 9, /* Mail rename name. */
+ ns_t_null = 10, /* Null resource record. */
+ ns_t_wks = 11, /* Well known service. */
+ ns_t_ptr = 12, /* Domain name pointer. */
+ ns_t_hinfo = 13, /* Host information. */
+ ns_t_minfo = 14, /* Mailbox information. */
+ ns_t_mx = 15, /* Mail routing information. */
+ ns_t_txt = 16, /* Text strings. */
+ ns_t_rp = 17, /* Responsible person. */
+ ns_t_afsdb = 18, /* AFS cell database. */
+ ns_t_x25 = 19, /* X_25 calling address. */
+ ns_t_isdn = 20, /* ISDN calling address. */
+ ns_t_rt = 21, /* Router. */
+ ns_t_nsap = 22, /* NSAP address. */
+ ns_t_nsap_ptr = 23, /* Reverse NSAP lookup (deprecated). */
+ ns_t_sig = 24, /* Security signature. */
+ ns_t_key = 25, /* Security key. */
+ ns_t_px = 26, /* X.400 mail mapping. */
+ ns_t_gpos = 27, /* Geographical position (withdrawn). */
+ ns_t_aaaa = 28, /* Ip6 Address. */
+ ns_t_loc = 29, /* Location Information. */
+ ns_t_nxt = 30, /* Next domain (security). */
+ ns_t_eid = 31, /* Endpoint identifier. */
+ ns_t_nimloc = 32, /* Nimrod Locator. */
+ ns_t_srv = 33, /* Server Selection. */
+ ns_t_atma = 34, /* ATM Address */
+ ns_t_naptr = 35, /* Naming Authority PoinTeR */
+ ns_t_kx = 36, /* Key Exchange */
+ ns_t_cert = 37, /* Certification record */
+ ns_t_a6 = 38, /* IPv6 address (deprecates AAAA) */
+ ns_t_dname = 39, /* Non-terminal DNAME (for IPv6) */
+ ns_t_sink = 40, /* Kitchen sink (experimentatl) */
+ ns_t_opt = 41, /* EDNS0 option (meta-RR) */
+ ns_t_apl = 42, /* Address prefix list (RFC 3123) */
+ ns_t_tkey = 249, /* Transaction key */
+ ns_t_tsig = 250, /* Transaction signature. */
+ ns_t_ixfr = 251, /* Incremental zone transfer. */
+ ns_t_axfr = 252, /* Transfer zone of authority. */
+ ns_t_mailb = 253, /* Transfer mailbox records. */
+ ns_t_maila = 254, /* Transfer mail agent records. */
+ ns_t_any = 255, /* Wildcard match. */
+ ns_t_zxfr = 256, /* BIND-specific, nonstandard. */
+ ns_t_max = 65536
+} ns_type;
+
+/* Exclusively a QTYPE? (not also an RTYPE) */
+#define ns_t_qt_p(t) (ns_t_xfr_p(t) || (t) == ns_t_any || \
+ (t) == ns_t_mailb || (t) == ns_t_maila)
+/* Some kind of meta-RR? (not a QTYPE, but also not an RTYPE) */
+#define ns_t_mrr_p(t) ((t) == ns_t_tsig || (t) == ns_t_opt)
+/* Exclusively an RTYPE? (not also a QTYPE or a meta-RR) */
+#define ns_t_rr_p(t) (!ns_t_qt_p(t) && !ns_t_mrr_p(t))
+#define ns_t_udp_p(t) ((t) != ns_t_axfr && (t) != ns_t_zxfr)
+#define ns_t_xfr_p(t) ((t) == ns_t_axfr || (t) == ns_t_ixfr || \
+ (t) == ns_t_zxfr)
+
+/*
+ * Values for class field
+ */
+typedef enum __ns_class {
+ ns_c_invalid = 0, /* Cookie. */
+ ns_c_in = 1, /* Internet. */
+ ns_c_2 = 2, /* unallocated/unsupported. */
+ ns_c_chaos = 3, /* MIT Chaos-net. */
+ ns_c_hs = 4, /* MIT Hesiod. */
+ /* Query class values which do not appear in resource records */
+ ns_c_none = 254, /* for prereq. sections in update requests */
+ ns_c_any = 255, /* Wildcard match. */
+ ns_c_max = 65536
+} ns_class;
+
+/* DNSSEC constants. */
+
+typedef enum __ns_key_types {
+ ns_kt_rsa = 1, /* key type RSA/MD5 */
+ ns_kt_dh = 2, /* Diffie Hellman */
+ ns_kt_dsa = 3, /* Digital Signature Standard (MANDATORY) */
+ ns_kt_private = 254 /* Private key type starts with OID */
+} ns_key_types;
+
+typedef enum __ns_cert_types {
+ cert_t_pkix = 1, /* PKIX (X.509v3) */
+ cert_t_spki = 2, /* SPKI */
+ cert_t_pgp = 3, /* PGP */
+ cert_t_url = 253, /* URL private type */
+ cert_t_oid = 254 /* OID private type */
+} ns_cert_types;
+
+/* Flags field of the KEY RR rdata. */
+#define NS_KEY_TYPEMASK 0xC000 /* Mask for "type" bits */
+#define NS_KEY_TYPE_AUTH_CONF 0x0000 /* Key usable for both */
+#define NS_KEY_TYPE_CONF_ONLY 0x8000 /* Key usable for confidentiality */
+#define NS_KEY_TYPE_AUTH_ONLY 0x4000 /* Key usable for authentication */
+#define NS_KEY_TYPE_NO_KEY 0xC000 /* No key usable for either; no key */
+/* The type bits can also be interpreted independently, as single bits: */
+#define NS_KEY_NO_AUTH 0x8000 /* Key unusable for authentication */
+#define NS_KEY_NO_CONF 0x4000 /* Key unusable for confidentiality */
+#define NS_KEY_RESERVED2 0x2000 /* Security is *mandatory* if bit=0 */
+#define NS_KEY_EXTENDED_FLAGS 0x1000 /* reserved - must be zero */
+#define NS_KEY_RESERVED4 0x0800 /* reserved - must be zero */
+#define NS_KEY_RESERVED5 0x0400 /* reserved - must be zero */
+#define NS_KEY_NAME_TYPE 0x0300 /* these bits determine the type */
+#define NS_KEY_NAME_USER 0x0000 /* key is assoc. with user */
+#define NS_KEY_NAME_ENTITY 0x0200 /* key is assoc. with entity eg host */
+#define NS_KEY_NAME_ZONE 0x0100 /* key is zone key */
+#define NS_KEY_NAME_RESERVED 0x0300 /* reserved meaning */
+#define NS_KEY_RESERVED8 0x0080 /* reserved - must be zero */
+#define NS_KEY_RESERVED9 0x0040 /* reserved - must be zero */
+#define NS_KEY_RESERVED10 0x0020 /* reserved - must be zero */
+#define NS_KEY_RESERVED11 0x0010 /* reserved - must be zero */
+#define NS_KEY_SIGNATORYMASK 0x000F /* key can sign RR's of same name */
+#define NS_KEY_RESERVED_BITMASK ( NS_KEY_RESERVED2 | \
+ NS_KEY_RESERVED4 | \
+ NS_KEY_RESERVED5 | \
+ NS_KEY_RESERVED8 | \
+ NS_KEY_RESERVED9 | \
+ NS_KEY_RESERVED10 | \
+ NS_KEY_RESERVED11 )
+#define NS_KEY_RESERVED_BITMASK2 0xFFFF /* no bits defined here */
+
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define NS_ALG_MD5RSA 1 /* MD5 with RSA */
+#define NS_ALG_DH 2 /* Diffie Hellman KEY */
+#define NS_ALG_DSA 3 /* DSA KEY */
+#define NS_ALG_DSS NS_ALG_DSA
+#define NS_ALG_EXPIRE_ONLY 253 /* No alg, no security */
+#define NS_ALG_PRIVATE_OID 254 /* Key begins with OID giving alg */
+
+/* Protocol values */
+/* value 0 is reserved */
+#define NS_KEY_PROT_TLS 1
+#define NS_KEY_PROT_EMAIL 2
+#define NS_KEY_PROT_DNSSEC 3
+#define NS_KEY_PROT_IPSEC 4
+#define NS_KEY_PROT_ANY 255
+
+/* Signatures */
+#define NS_MD5RSA_MIN_BITS 512 /* Size of a mod or exp in bits */
+#define NS_MD5RSA_MAX_BITS 4096
+ /* Total of binary mod and exp */
+#define NS_MD5RSA_MAX_BYTES ((NS_MD5RSA_MAX_BITS+7/8)*2+3)
+ /* Max length of text sig block */
+#define NS_MD5RSA_MAX_BASE64 (((NS_MD5RSA_MAX_BYTES+2)/3)*4)
+#define NS_MD5RSA_MIN_SIZE ((NS_MD5RSA_MIN_BITS+7)/8)
+#define NS_MD5RSA_MAX_SIZE ((NS_MD5RSA_MAX_BITS+7)/8)
+
+#define NS_DSA_SIG_SIZE 41
+#define NS_DSA_MIN_SIZE 213
+#define NS_DSA_MAX_BYTES 405
+
+/* Offsets into SIG record rdata to find various values */
+#define NS_SIG_TYPE 0 /* Type flags */
+#define NS_SIG_ALG 2 /* Algorithm */
+#define NS_SIG_LABELS 3 /* How many labels in name */
+#define NS_SIG_OTTL 4 /* Original TTL */
+#define NS_SIG_EXPIR 8 /* Expiration time */
+#define NS_SIG_SIGNED 12 /* Signature time */
+#define NS_SIG_FOOT 16 /* Key footprint */
+#define NS_SIG_SIGNER 18 /* Domain name of who signed it */
+
+/* How RR types are represented as bit-flags in NXT records */
+#define NS_NXT_BITS 8
+#define NS_NXT_BIT_SET( n,p) (p[(n)/NS_NXT_BITS] |= (0x80>>((n)%NS_NXT_BITS)))
+#define NS_NXT_BIT_CLEAR(n,p) (p[(n)/NS_NXT_BITS] &= ~(0x80>>((n)%NS_NXT_BITS)))
+#define NS_NXT_BIT_ISSET(n,p) (p[(n)/NS_NXT_BITS] & (0x80>>((n)%NS_NXT_BITS)))
+#define NS_NXT_MAX 127
+
+/*
+ * EDNS0 extended flags, host order.
+ */
+#define NS_OPT_DNSSEC_OK 0x8000U
+
+/*
+ * Inline versions of get/put short/long. Pointer is advanced.
+ */
+#define NS_GET16(s, cp) do { \
+ register const u_char *t_cp = (const u_char *)(cp); \
+ (s) = ((u_int16_t)t_cp[0] << 8) \
+ | ((u_int16_t)t_cp[1]) \
+ ; \
+ (cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_GET32(l, cp) do { \
+ register const u_char *t_cp = (const u_char *)(cp); \
+ (l) = ((u_int32_t)t_cp[0] << 24) \
+ | ((u_int32_t)t_cp[1] << 16) \
+ | ((u_int32_t)t_cp[2] << 8) \
+ | ((u_int32_t)t_cp[3]) \
+ ; \
+ (cp) += NS_INT32SZ; \
+} while (0)
+
+#define NS_PUT16(s, cp) do { \
+ register u_int16_t t_s = (u_int16_t)(s); \
+ register u_char *t_cp = (u_char *)(cp); \
+ *t_cp++ = t_s >> 8; \
+ *t_cp = t_s; \
+ (cp) += NS_INT16SZ; \
+} while (0)
+
+#define NS_PUT32(l, cp) do { \
+ register u_int32_t t_l = (u_int32_t)(l); \
+ register u_char *t_cp = (u_char *)(cp); \
+ *t_cp++ = t_l >> 24; \
+ *t_cp++ = t_l >> 16; \
+ *t_cp++ = t_l >> 8; \
+ *t_cp = t_l; \
+ (cp) += NS_INT32SZ; \
+} while (0)
+
+/*
+ * ANSI C identifier hiding for bind's lib/nameser.
+ */
+#define ns_msg_getflag __ns_msg_getflag
+#define ns_get16 __ns_get16
+#define ns_get32 __ns_get32
+#define ns_put16 __ns_put16
+#define ns_put32 __ns_put32
+#define ns_initparse __ns_initparse
+#define ns_skiprr __ns_skiprr
+#define ns_parserr __ns_parserr
+#define ns_sprintrr __ns_sprintrr
+#define ns_sprintrrf __ns_sprintrrf
+#define ns_format_ttl __ns_format_ttl
+#define ns_parse_ttl __ns_parse_ttl
+#define ns_datetosecs __ns_datetosecs
+#define ns_name_ntol __ns_name_ntol
+#define ns_name_ntop __ns_name_ntop
+#define ns_name_pton __ns_name_pton
+#define ns_name_unpack __ns_name_unpack
+#define ns_name_pack __ns_name_pack
+#define ns_name_compress __ns_name_compress
+#define ns_name_uncompress __ns_name_uncompress
+#define ns_name_skip __ns_name_skip
+#define ns_name_rollback __ns_name_rollback
+#define ns_sign __ns_sign
+#define ns_sign2 __ns_sign2
+#define ns_sign_tcp __ns_sign_tcp
+#define ns_sign_tcp2 __ns_sign_tcp2
+#define ns_sign_tcp_init __ns_sign_tcp_init
+#define ns_find_tsig __ns_find_tsig
+#define ns_verify __ns_verify
+#define ns_verify_tcp __ns_verify_tcp
+#define ns_verify_tcp_init __ns_verify_tcp_init
+#define ns_samedomain __ns_samedomain
+#define ns_subdomain __ns_subdomain
+#define ns_makecanon __ns_makecanon
+#define ns_samename __ns_samename
+
+__BEGIN_DECLS
+int ns_msg_getflag __P((ns_msg, int));
+u_int ns_get16 __P((const u_char *));
+u_long ns_get32 __P((const u_char *));
+void ns_put16 __P((u_int, u_char *));
+void ns_put32 __P((u_long, u_char *));
+int ns_initparse __P((const u_char *, int, ns_msg *));
+int ns_skiprr __P((const u_char *, const u_char *, ns_sect, int));
+int ns_parserr __P((ns_msg *, ns_sect, int, ns_rr *));
+int ns_sprintrr __P((const ns_msg *, const ns_rr *,
+ const char *, const char *, char *, size_t));
+int ns_sprintrrf __P((const u_char *, size_t, const char *,
+ ns_class, ns_type, u_long, const u_char *,
+ size_t, const char *, const char *,
+ char *, size_t));
+int ns_format_ttl __P((u_long, char *, size_t));
+int ns_parse_ttl __P((const char *, u_long *));
+u_int32_t ns_datetosecs __P((const char *cp, int *errp));
+int ns_name_ntol __P((const u_char *, u_char *, size_t));
+int ns_name_ntop __P((const u_char *, char *, size_t));
+int ns_name_pton __P((const char *, u_char *, size_t));
+int ns_name_unpack __P((const u_char *, const u_char *,
+ const u_char *, u_char *, size_t));
+int ns_name_pack __P((const u_char *, u_char *, int,
+ const u_char **, const u_char **));
+int ns_name_uncompress __P((const u_char *, const u_char *,
+ const u_char *, char *, size_t));
+int ns_name_compress __P((const char *, u_char *, size_t,
+ const u_char **, const u_char **));
+int ns_name_skip __P((const u_char **, const u_char *));
+void ns_name_rollback __P((const u_char *, const u_char **,
+ const u_char **));
+int ns_sign __P((u_char *, int *, int, int, void *,
+ const u_char *, int, u_char *, int *, time_t));
+int ns_sign2 __P((u_char *, int *, int, int, void *,
+ const u_char *, int, u_char *, int *, time_t,
+ u_char **, u_char **));
+int ns_sign_tcp __P((u_char *, int *, int, int,
+ ns_tcp_tsig_state *, int));
+int ns_sign_tcp2 __P((u_char *, int *, int, int,
+ ns_tcp_tsig_state *, int,
+ u_char **, u_char **));
+int ns_sign_tcp_init __P((void *, const u_char *, int,
+ ns_tcp_tsig_state *));
+u_char *ns_find_tsig __P((u_char *, u_char *));
+int ns_verify __P((u_char *, int *, void *,
+ const u_char *, int, u_char *, int *,
+ time_t *, int));
+int ns_verify_tcp __P((u_char *, int *, ns_tcp_tsig_state *, int));
+int ns_verify_tcp_init __P((void *, const u_char *, int,
+ ns_tcp_tsig_state *));
+int ns_samedomain __P((const char *, const char *));
+int ns_subdomain __P((const char *, const char *));
+int ns_makecanon __P((const char *, char *, size_t));
+int ns_samename __P((const char *, const char *));
+__END_DECLS
+
+#ifdef BIND_4_COMPAT
+#include <arpa/nameser_compat.h>
+#endif
+
+#endif /* !_ARPA_NAMESER_H_ */
diff --git a/contrib/bind9/lib/bind/include/arpa/nameser_compat.h b/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
new file mode 100644
index 0000000..464f12e
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/arpa/nameser_compat.h
@@ -0,0 +1,232 @@
+/* Copyright (c) 1983, 1989
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * from nameser.h 8.1 (Berkeley) 6/2/93
+ * $Id: nameser_compat.h,v 1.1.2.3.4.2 2004/07/01 04:43:41 marka Exp $
+ */
+
+#ifndef _ARPA_NAMESER_COMPAT_
+#define _ARPA_NAMESER_COMPAT_
+
+#define __BIND 19950621 /* (DEAD) interface version stamp. */
+
+#ifndef BYTE_ORDER
+#if (BSD >= 199103)
+# include <machine/endian.h>
+#else
+#ifdef __linux
+# include <endian.h>
+#else
+#define LITTLE_ENDIAN 1234 /* least-significant byte first (vax, pc) */
+#define BIG_ENDIAN 4321 /* most-significant byte first (IBM, net) */
+#define PDP_ENDIAN 3412 /* LSB first in word, MSW first in long (pdp)*/
+
+#if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
+ defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
+ defined(__alpha__) || defined(__alpha) || \
+ (defined(__Lynx__) && defined(__x86__))
+#define BYTE_ORDER LITTLE_ENDIAN
+#endif
+
+#if defined(sel) || defined(pyr) || defined(mc68000) || defined(sparc) || \
+ defined(is68k) || defined(tahoe) || defined(ibm032) || defined(ibm370) || \
+ defined(MIPSEB) || defined(_MIPSEB) || defined(_IBMR2) || defined(DGUX) ||\
+ defined(apollo) || defined(__convex__) || defined(_CRAY) || \
+ defined(__hppa) || defined(__hp9000) || \
+ defined(__hp9000s300) || defined(__hp9000s700) || \
+ defined(__hp3000s900) || defined(__hpux) || defined(MPE) || \
+ defined (BIT_ZERO_ON_LEFT) || defined(m68k) || defined(__sparc) || \
+ (defined(__Lynx__) && \
+ (defined(__68k__) || defined(__sparc__) || defined(__powerpc__)))
+#define BYTE_ORDER BIG_ENDIAN
+#endif
+#endif /* __linux */
+#endif /* BSD */
+#endif /* BYTE_ORDER */
+
+#if !defined(BYTE_ORDER) || \
+ (BYTE_ORDER != BIG_ENDIAN && BYTE_ORDER != LITTLE_ENDIAN && \
+ BYTE_ORDER != PDP_ENDIAN)
+ /* you must determine what the correct bit order is for
+ * your compiler - the next line is an intentional error
+ * which will force your compiles to bomb until you fix
+ * the above macros.
+ */
+ error "Undefined or invalid BYTE_ORDER";
+#endif
+
+/*
+ * Structure for query header. The order of the fields is machine- and
+ * compiler-dependent, depending on the byte/bit order and the layout
+ * of bit fields. We use bit fields only in int variables, as this
+ * is all ANSI requires. This requires a somewhat confusing rearrangement.
+ */
+
+typedef struct {
+ unsigned id :16; /* query identification number */
+#if BYTE_ORDER == BIG_ENDIAN
+ /* fields in third byte */
+ unsigned qr: 1; /* response flag */
+ unsigned opcode: 4; /* purpose of message */
+ unsigned aa: 1; /* authoritive answer */
+ unsigned tc: 1; /* truncated message */
+ unsigned rd: 1; /* recursion desired */
+ /* fields in fourth byte */
+ unsigned ra: 1; /* recursion available */
+ unsigned unused :1; /* unused bits (MBZ as of 4.9.3a3) */
+ unsigned ad: 1; /* authentic data from named */
+ unsigned cd: 1; /* checking disabled by resolver */
+ unsigned rcode :4; /* response code */
+#endif
+#if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN
+ /* fields in third byte */
+ unsigned rd :1; /* recursion desired */
+ unsigned tc :1; /* truncated message */
+ unsigned aa :1; /* authoritive answer */
+ unsigned opcode :4; /* purpose of message */
+ unsigned qr :1; /* response flag */
+ /* fields in fourth byte */
+ unsigned rcode :4; /* response code */
+ unsigned cd: 1; /* checking disabled by resolver */
+ unsigned ad: 1; /* authentic data from named */
+ unsigned unused :1; /* unused bits (MBZ as of 4.9.3a3) */
+ unsigned ra :1; /* recursion available */
+#endif
+ /* remaining bytes */
+ unsigned qdcount :16; /* number of question entries */
+ unsigned ancount :16; /* number of answer entries */
+ unsigned nscount :16; /* number of authority entries */
+ unsigned arcount :16; /* number of resource entries */
+} HEADER;
+
+#define PACKETSZ NS_PACKETSZ
+#define MAXDNAME NS_MAXDNAME
+#define MAXCDNAME NS_MAXCDNAME
+#define MAXLABEL NS_MAXLABEL
+#define HFIXEDSZ NS_HFIXEDSZ
+#define QFIXEDSZ NS_QFIXEDSZ
+#define RRFIXEDSZ NS_RRFIXEDSZ
+#define INT32SZ NS_INT32SZ
+#define INT16SZ NS_INT16SZ
+#define INT8SZ NS_INT8SZ
+#define INADDRSZ NS_INADDRSZ
+#define IN6ADDRSZ NS_IN6ADDRSZ
+#define INDIR_MASK NS_CMPRSFLGS
+#define NAMESERVER_PORT NS_DEFAULTPORT
+
+#define S_ZONE ns_s_zn
+#define S_PREREQ ns_s_pr
+#define S_UPDATE ns_s_ud
+#define S_ADDT ns_s_ar
+
+#define QUERY ns_o_query
+#define IQUERY ns_o_iquery
+#define STATUS ns_o_status
+#define NS_NOTIFY_OP ns_o_notify
+#define NS_UPDATE_OP ns_o_update
+
+#define NOERROR ns_r_noerror
+#define FORMERR ns_r_formerr
+#define SERVFAIL ns_r_servfail
+#define NXDOMAIN ns_r_nxdomain
+#define NOTIMP ns_r_notimpl
+#define REFUSED ns_r_refused
+#define YXDOMAIN ns_r_yxdomain
+#define YXRRSET ns_r_yxrrset
+#define NXRRSET ns_r_nxrrset
+#define NOTAUTH ns_r_notauth
+#define NOTZONE ns_r_notzone
+/*#define BADSIG ns_r_badsig*/
+/*#define BADKEY ns_r_badkey*/
+/*#define BADTIME ns_r_badtime*/
+
+
+#define DELETE ns_uop_delete
+#define ADD ns_uop_add
+
+#define T_A ns_t_a
+#define T_NS ns_t_ns
+#define T_MD ns_t_md
+#define T_MF ns_t_mf
+#define T_CNAME ns_t_cname
+#define T_SOA ns_t_soa
+#define T_MB ns_t_mb
+#define T_MG ns_t_mg
+#define T_MR ns_t_mr
+#define T_NULL ns_t_null
+#define T_WKS ns_t_wks
+#define T_PTR ns_t_ptr
+#define T_HINFO ns_t_hinfo
+#define T_MINFO ns_t_minfo
+#define T_MX ns_t_mx
+#define T_TXT ns_t_txt
+#define T_RP ns_t_rp
+#define T_AFSDB ns_t_afsdb
+#define T_X25 ns_t_x25
+#define T_ISDN ns_t_isdn
+#define T_RT ns_t_rt
+#define T_NSAP ns_t_nsap
+#define T_NSAP_PTR ns_t_nsap_ptr
+#define T_SIG ns_t_sig
+#define T_KEY ns_t_key
+#define T_PX ns_t_px
+#define T_GPOS ns_t_gpos
+#define T_AAAA ns_t_aaaa
+#define T_LOC ns_t_loc
+#define T_NXT ns_t_nxt
+#define T_EID ns_t_eid
+#define T_NIMLOC ns_t_nimloc
+#define T_SRV ns_t_srv
+#define T_ATMA ns_t_atma
+#define T_NAPTR ns_t_naptr
+#define T_A6 ns_t_a6
+#define T_TSIG ns_t_tsig
+#define T_IXFR ns_t_ixfr
+#define T_AXFR ns_t_axfr
+#define T_MAILB ns_t_mailb
+#define T_MAILA ns_t_maila
+#define T_ANY ns_t_any
+
+#define C_IN ns_c_in
+#define C_CHAOS ns_c_chaos
+#define C_HS ns_c_hs
+/* BIND_UPDATE */
+#define C_NONE ns_c_none
+#define C_ANY ns_c_any
+
+#define GETSHORT NS_GET16
+#define GETLONG NS_GET32
+#define PUTSHORT NS_PUT16
+#define PUTLONG NS_PUT32
+
+#endif /* _ARPA_NAMESER_COMPAT_ */
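Review bot: The block comment above `HEADER` explains the field reordering but not how the struct can be used safely: it is laid directly over raw message bytes, so a caller has to confirm the buffer holds at least `HFIXEDSZ` bytes before casting, and the 16-bit `id` and count fields still carry network byte order. I would add that to the comment, for example `Check len >= HFIXEDSZ before overlaying; id and the *count fields need ntohs()`. The layout also assumes the compiler allocates bit-fields in the order implied by `BYTE_ORDER`, which C does not guarantee, so new code is better served by `ns_initparse()` and `ns_msg_getflag()` from arpa/nameser.h. The bare `error "..."` line in the `BYTE_ORDER` check could be `#error "Undefined or invalid BYTE_ORDER"` so the build failure reads as intended.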
diff --git a/contrib/bind9/lib/bind/include/fd_setsize.h b/contrib/bind9/lib/bind/include/fd_setsize.h
new file mode 100644
index 0000000..235b1ad
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/fd_setsize.h
@@ -0,0 +1,9 @@
+#ifndef _FD_SETSIZE_H
+#define _FD_SETSIZE_H
+
+/*
+ * If you need a bigger FD_SETSIZE, this is NOT the place to set it.
+ * This file is a fallback for BIND ports which don't specify their own.
+ */
+
+#endif /* _FD_SETSIZE_H */
diff --git a/contrib/bind9/lib/bind/include/hesiod.h b/contrib/bind9/lib/bind/include/hesiod.h
new file mode 100644
index 0000000..7165d48
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/hesiod.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
+ */
+
+/*
+ * $Id: hesiod.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ */
+
+#ifndef _HESIOD_H_INCLUDED
+#define _HESIOD_H_INCLUDED
+
+int hesiod_init __P((void **));
+void hesiod_end __P((void *));
+char * hesiod_to_bind __P((void *, const char *, const char *));
+char ** hesiod_resolve __P((void *, const char *, const char *));
+void hesiod_free_list __P((void *, char **));
+struct __res_state * __hesiod_res_get __P((void *));
+void __hesiod_res_set __P((void *, struct __res_state *,
+ void (*)(void *)));
+
+#endif /*_HESIOD_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/include/irp.h b/contrib/bind9/lib/bind/include/irp.h
new file mode 100644
index 0000000..4462f20
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/irp.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irp.h,v 1.1.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ */
+
+#ifndef _IRP_H_INCLUDED
+#define _IRP_H_INCLUDED
+
+#define IRPD_TIMEOUT 30 /* seconds */
+#define IRPD_MAXSESS 50 /* number of simultaneous sessions. */
+#define IRPD_PORT 6660 /* 10 times the number of the beast. */
+#define IRPD_PATH "/var/run/irpd" /* af_unix socket path */
+
+/* If sets the environment variable IRPDSERVER to an IP address
+ (e.g. "192.5.5.1"), then that's the host the client expects irpd to be
+ running on. */
+#define IRPD_HOST_ENV "IRPDSERVER"
+
+/* Protocol response codes. */
+#define IRPD_WELCOME_CODE 200
+#define IRPD_NOT_WELCOME_CODE 500
+
+#define IRPD_GETHOST_ERROR 510
+#define IRPD_GETHOST_NONE 210
+#define IRPD_GETHOST_OK 211
+#define IRPD_GETHOST_SETOK 212
+
+#define IRPD_GETNET_ERROR 520
+#define IRPD_GETNET_NONE 220
+#define IRPD_GETNET_OK 221
+#define IRPD_GETNET_SETOK 222
+
+#define IRPD_GETUSER_ERROR 530
+#define IRPD_GETUSER_NONE 230
+#define IRPD_GETUSER_OK 231
+#define IRPD_GETUSER_SETOK 232
+
+#define IRPD_GETGROUP_ERROR 540
+#define IRPD_GETGROUP_NONE 240
+#define IRPD_GETGROUP_OK 241
+#define IRPD_GETGROUP_SETOK 242
+
+#define IRPD_GETSERVICE_ERROR 550
+#define IRPD_GETSERVICE_NONE 250
+#define IRPD_GETSERVICE_OK 251
+#define IRPD_GETSERVICE_SETOK 252
+
+#define IRPD_GETPROTO_ERROR 560
+#define IRPD_GETPROTO_NONE 260
+#define IRPD_GETPROTO_OK 261
+#define IRPD_GETPROTO_SETOK 262
+
+#define IRPD_GETNETGR_ERROR 570
+#define IRPD_GETNETGR_NONE 270
+#define IRPD_GETNETGR_OK 271
+#define IRPD_GETNETGR_NOMORE 272
+#define IRPD_GETNETGR_MATCHES 273
+#define IRPD_GETNETGR_NOMATCH 274
+#define IRPD_GETNETGR_SETOK 275
+#define IRPD_GETNETGR_SETERR 276
+
+#define irs_irp_read_body __irs_irp_read_body
+#define irs_irp_read_response __irs_irp_read_response
+#define irs_irp_disconnect __irs_irp_disconnect
+#define irs_irp_connect __irs_irp_connect
+#define irs_irp_connection_setup __irs_irp_connection_setup
+#define irs_irp_send_command __irs_irp_send_command
+
+struct irp_p;
+
+char *irs_irp_read_body(struct irp_p *, size_t *);
+int irs_irp_read_response(struct irp_p *, char *, size_t);
+void irs_irp_disconnect(struct irp_p *);
+int irs_irp_connect(struct irp_p *);
+int irs_irp_is_connected(struct irp_p *);
+int irs_irp_connection_setup(struct irp_p *, int *);
+#ifdef __GNUC__
+int irs_irp_send_command(struct irp_p *, const char *, ...)
+ __attribute__((__format__(__printf__, 2, 3)));
+#else
+int irs_irp_send_command(struct irp_p *, const char *, ...);
+#endif
+int irs_irp_get_full_response(struct irp_p *, int *, char *, size_t,
+ char **, size_t *);
+int irs_irp_read_line(struct irp_p *, char *, int);
+
+#endif
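Review bot: The identifier-hiding block maps only six of the nine functions declared below it: `irs_irp_is_connected`, `irs_irp_get_full_response` and `irs_irp_read_line` have prototypes but no `#define name __name` line, so they would be exported under their plain names while the rest get the `__irs_irp_` prefix. If that is not deliberate, add the three mappings, for example `#define irs_irp_read_line __irs_irp_read_line`. Separately, `IRPD_HOST_ENV` lets the environment choose the irpd host that answers user and group lookups, and the header does not say whether the client ignores it in set-id processes; that may be handled in the implementation, which is not visible in this hunk. Since this file arrives as a vendor import, both points are best raised upstream rather than patched under contrib/.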
diff --git a/contrib/bind9/lib/bind/include/irs.h b/contrib/bind9/lib/bind/include/irs.h
new file mode 100644
index 0000000..a3b7903
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/irs.h
@@ -0,0 +1,345 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irs.h,v 1.2.2.1.4.1 2004/03/09 08:33:29 marka Exp $
+ */
+
+#ifndef _IRS_H_INCLUDED
+#define _IRS_H_INCLUDED
+
+#include <sys/types.h>
+
+#include <arpa/nameser.h>
+
+#include <grp.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <pwd.h>
+
+/*
+ * This is the group map class.
+ */
+struct irs_gr {
+ void * private;
+ void (*close) __P((struct irs_gr *));
+ struct group * (*next) __P((struct irs_gr *));
+ struct group * (*byname) __P((struct irs_gr *, const char *));
+ struct group * (*bygid) __P((struct irs_gr *, gid_t));
+ int (*list) __P((struct irs_gr *, const char *,
+ gid_t, gid_t *, int *));
+ void (*rewind) __P((struct irs_gr *));
+ void (*minimize) __P((struct irs_gr *));
+ struct __res_state * (*res_get) __P((struct irs_gr *));
+ void (*res_set) __P((struct irs_gr *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is the password map class.
+ */
+struct irs_pw {
+ void * private;
+ void (*close) __P((struct irs_pw *));
+ struct passwd * (*next) __P((struct irs_pw *));
+ struct passwd * (*byname) __P((struct irs_pw *, const char *));
+ struct passwd * (*byuid) __P((struct irs_pw *, uid_t));
+ void (*rewind) __P((struct irs_pw *));
+ void (*minimize) __P((struct irs_pw *));
+ struct __res_state * (*res_get) __P((struct irs_pw *));
+ void (*res_set) __P((struct irs_pw *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is the service map class.
+ */
+struct irs_sv {
+ void * private;
+ void (*close) __P((struct irs_sv *));
+ struct servent *(*byname) __P((struct irs_sv *,
+ const char *, const char *));
+ struct servent *(*byport) __P((struct irs_sv *, int, const char *));
+ struct servent *(*next) __P((struct irs_sv *));
+ void (*rewind) __P((struct irs_sv *));
+ void (*minimize) __P((struct irs_sv *));
+ struct __res_state * (*res_get) __P((struct irs_sv *));
+ void (*res_set) __P((struct irs_sv *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is the protocols map class.
+ */
+struct irs_pr {
+ void * private;
+ void (*close) __P((struct irs_pr *));
+ struct protoent *(*byname) __P((struct irs_pr *, const char *));
+ struct protoent *(*bynumber) __P((struct irs_pr *, int));
+ struct protoent *(*next) __P((struct irs_pr *));
+ void (*rewind) __P((struct irs_pr *));
+ void (*minimize) __P((struct irs_pr *));
+ struct __res_state * (*res_get) __P((struct irs_pr *));
+ void (*res_set) __P((struct irs_pr *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is the hosts map class.
+ */
+struct irs_ho {
+ void * private;
+ void (*close) __P((struct irs_ho *));
+ struct hostent *(*byname) __P((struct irs_ho *, const char *));
+ struct hostent *(*byname2) __P((struct irs_ho *, const char *, int));
+ struct hostent *(*byaddr) __P((struct irs_ho *,
+ const void *, int, int));
+ struct hostent *(*next) __P((struct irs_ho *));
+ void (*rewind) __P((struct irs_ho *));
+ void (*minimize) __P((struct irs_ho *));
+ struct __res_state * (*res_get) __P((struct irs_ho *));
+ void (*res_set) __P((struct irs_ho *, res_state,
+ void (*)(void *)));
+ struct addrinfo *(*addrinfo) __P((struct irs_ho *, const char *,
+ const struct addrinfo *));
+};
+
+/*
+ * This is the networks map class.
+ */
+struct irs_nw {
+ void * private;
+ void (*close) __P((struct irs_nw *));
+ struct nwent * (*byname) __P((struct irs_nw *, const char *, int));
+ struct nwent * (*byaddr) __P((struct irs_nw *, void *, int, int));
+ struct nwent * (*next) __P((struct irs_nw *));
+ void (*rewind) __P((struct irs_nw *));
+ void (*minimize) __P((struct irs_nw *));
+ struct __res_state * (*res_get) __P((struct irs_nw *));
+ void (*res_set) __P((struct irs_nw *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is the netgroups map class.
+ */
+struct irs_ng {
+ void * private;
+ void (*close) __P((struct irs_ng *));
+ int (*next) __P((struct irs_ng *, const char **,
+ const char **, const char **));
+ int (*test) __P((struct irs_ng *, const char *,
+ const char *, const char *,
+ const char *));
+ void (*rewind) __P((struct irs_ng *, const char *));
+ void (*minimize) __P((struct irs_ng *));
+};
+
+/*
+ * This is the generic map class, which copies the front of all others.
+ */
+struct irs_map {
+ void * private;
+ void (*close) __P((void *));
+};
+
+/*
+ * This is the accessor class. It contains pointers to all of the
+ * initializers for the map classes for a particular accessor.
+ */
+struct irs_acc {
+ void * private;
+ void (*close) __P((struct irs_acc *));
+ struct irs_gr * (*gr_map) __P((struct irs_acc *));
+ struct irs_pw * (*pw_map) __P((struct irs_acc *));
+ struct irs_sv * (*sv_map) __P((struct irs_acc *));
+ struct irs_pr * (*pr_map) __P((struct irs_acc *));
+ struct irs_ho * (*ho_map) __P((struct irs_acc *));
+ struct irs_nw * (*nw_map) __P((struct irs_acc *));
+ struct irs_ng * (*ng_map) __P((struct irs_acc *));
+ struct __res_state * (*res_get) __P((struct irs_acc *));
+ void (*res_set) __P((struct irs_acc *, res_state,
+ void (*)(void *)));
+};
+
+/*
+ * This is because the official definition of "struct netent" has no
+ * concept of CIDR even though it allows variant address families (on
+ * output but not input). The compatibility stubs convert the structs
+ * below into "struct netent"'s.
+ */
+struct nwent {
+ char *n_name; /* official name of net */
+ char **n_aliases; /* alias list */
+ int n_addrtype; /* net address type */
+ void *n_addr; /* network address */
+ int n_length; /* address length, in bits */
+};
+
+/*
+ * Hide external function names from POSIX.
+ */
+#define irs_gen_acc __irs_gen_acc
+#define irs_lcl_acc __irs_lcl_acc
+#define irs_dns_acc __irs_dns_acc
+#define irs_nis_acc __irs_nis_acc
+#define irs_irp_acc __irs_irp_acc
+#define irs_destroy __irs_destroy
+#define irs_dns_gr __irs_dns_gr
+#define irs_dns_ho __irs_dns_ho
+#define irs_dns_nw __irs_dns_nw
+#define irs_dns_pr __irs_dns_pr
+#define irs_dns_pw __irs_dns_pw
+#define irs_dns_sv __irs_dns_sv
+#define irs_gen_gr __irs_gen_gr
+#define irs_gen_ho __irs_gen_ho
+#define irs_gen_ng __irs_gen_ng
+#define irs_gen_nw __irs_gen_nw
+#define irs_gen_pr __irs_gen_pr
+#define irs_gen_pw __irs_gen_pw
+#define irs_gen_sv __irs_gen_sv
+#define irs_irp_get_full_response __irs_irp_get_full_response
+#define irs_irp_gr __irs_irp_gr
+#define irs_irp_ho __irs_irp_ho
+#define irs_irp_is_connected __irs_irp_is_connected
+#define irs_irp_ng __irs_irp_ng
+#define irs_irp_nw __irs_irp_nw
+#define irs_irp_pr __irs_irp_pr
+#define irs_irp_pw __irs_irp_pw
+#define irs_irp_read_line __irs_irp_read_line
+#define irs_irp_sv __irs_irp_sv
+#define irs_lcl_gr __irs_lcl_gr
+#define irs_lcl_ho __irs_lcl_ho
+#define irs_lcl_ng __irs_lcl_ng
+#define irs_lcl_nw __irs_lcl_nw
+#define irs_lcl_pr __irs_lcl_pr
+#define irs_lcl_pw __irs_lcl_pw
+#define irs_lcl_sv __irs_lcl_sv
+#define irs_nis_gr __irs_nis_gr
+#define irs_nis_ho __irs_nis_ho
+#define irs_nis_ng __irs_nis_ng
+#define irs_nis_nw __irs_nis_nw
+#define irs_nis_pr __irs_nis_pr
+#define irs_nis_pw __irs_nis_pw
+#define irs_nis_sv __irs_nis_sv
+#define net_data_create __net_data_create
+#define net_data_destroy __net_data_destroy
+#define net_data_minimize __net_data_minimize
+
+/*
+ * Externs.
+ */
+extern struct irs_acc * irs_gen_acc __P((const char *, const char *));
+extern struct irs_acc * irs_lcl_acc __P((const char *));
+extern struct irs_acc * irs_dns_acc __P((const char *));
+extern struct irs_acc * irs_nis_acc __P((const char *));
+extern struct irs_acc * irs_irp_acc __P((const char *));
+
+extern void irs_destroy __P((void));
+
+/*
+ * These forward declarations are for the semi-private functions in
+ * the get*.c files. Each of these funcs implements the real get*
+ * functionality and the standard versions are just wrappers that
+ * call these. Apart from the wrappers, only irpd is expected to
+ * call these directly, hence these decls are put here and not in
+ * the /usr/include replacements.
+ */
+
+struct net_data; /* forward */
+
+/*
+ * net_data_create gets a singleton net_data object. net_data_init
+ * creates as many net_data objects as times it is called. Clients using
+ * the default interface will use net_data_create by default. Servers will
+ * probably want net_data_init (one call per client)
+ */
+struct net_data *net_data_create __P((const char *));
+struct net_data *net_data_init __P((const char *));
+void net_data_destroy __P((void *));
+
+extern struct group *getgrent_p __P((struct net_data *));
+extern struct group *getgrnam_p __P((const char *, struct net_data *));
+extern struct group *getgrgid_p __P((gid_t, struct net_data *));
+extern int setgroupent_p __P((int, struct net_data *));
+extern void endgrent_p __P((struct net_data *));
+extern int getgrouplist_p __P((const char *, gid_t, gid_t *, int *,
+ struct net_data *));
+
+#ifdef SETGRENT_VOID
+extern void setgrent_p __P((struct net_data *));
+#else
+extern int setgrent_p __P((struct net_data *));
+#endif
+
+extern struct hostent *gethostbyname_p __P((const char *,
+ struct net_data *));
+extern struct hostent *gethostbyname2_p __P((const char *, int,
+ struct net_data *));
+extern struct hostent *gethostbyaddr_p __P((const char *, int, int,
+ struct net_data *));
+extern struct hostent *gethostent_p __P((struct net_data *));
+extern void sethostent_p __P((int, struct net_data *));
+extern void endhostent_p __P((struct net_data *));
+extern struct hostent *getipnodebyname_p __P((const char *, int, int, int *,
+ struct net_data *));
+extern struct hostent *getipnodebyaddr_p __P((const void *, size_t,
+ int, int *, struct net_data *));
+
+extern struct netent *getnetent_p __P((struct net_data *));
+extern struct netent *getnetbyname_p __P((const char *, struct net_data *));
+extern struct netent *getnetbyaddr_p __P((unsigned long, int,
+ struct net_data *));
+extern void setnetent_p __P((int, struct net_data *));
+extern void endnetent_p __P((struct net_data *));
+
+extern void setnetgrent_p __P((const char *, struct net_data *));
+extern void endnetgrent_p __P((struct net_data *));
+extern int innetgr_p __P((const char *, const char *, const char *,
+ const char *, struct net_data *));
+extern int getnetgrent_p __P((const char **, const char **,
+ const char **, struct net_data *));
+
+extern struct protoent *getprotoent_p __P((struct net_data *));
+extern struct protoent *getprotobyname_p __P((const char *,
+ struct net_data *));
+extern struct protoent *getprotobynumber_p __P((int, struct net_data *));
+extern void setprotoent_p __P((int, struct net_data *));
+extern void endprotoent_p __P((struct net_data *));
+
+
+extern struct passwd *getpwent_p __P((struct net_data *));
+extern struct passwd *getpwnam_p __P((const char *, struct net_data *));
+extern struct passwd *getpwuid_p __P((uid_t, struct net_data *));
+extern int setpassent_p __P((int, struct net_data *));
+extern void endpwent_p __P((struct net_data *));
+
+#ifdef SETPWENT_VOID
+extern void setpwent_p __P((struct net_data *));
+#else
+extern int setpwent_p __P((struct net_data *));
+#endif
+
+extern struct servent *getservent_p __P((struct net_data *));
+extern struct servent *getservbyname_p __P((const char *, const char *,
+ struct net_data *));
+extern struct servent *getservbyport_p __P((int, const char *,
+ struct net_data *));
+extern void setservent_p __P((int, struct net_data *));
+extern void endservent_p __P((struct net_data *));
+
+#endif /*_IRS_H_INCLUDED*/
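Review bot: `net_data_init` is declared beside `net_data_create` and `net_data_destroy` but is missing from the "Hide external function names from POSIX" block, so it is the only one of the three exported under its plain name. `net_data_minimize` is renamed in that block but has no prototype in this header. If both are meant to follow the same convention, add `#define net_data_init __net_data_init` (assuming the defining file includes this header) and a prototype for `net_data_minimize` that matches its definition, which this hunk does not show. The comment above `net_data_create` recommends one `net_data_init` call per client for servers; it should also say whether `net_data_destroy` is the matching release call, because a per-client object with no documented release path is easy to leak.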
diff --git a/contrib/bind9/lib/bind/include/isc/assertions.h b/contrib/bind9/lib/bind/include/isc/assertions.h
new file mode 100644
index 0000000..9a9b9de
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/assertions.h
@@ -0,0 +1,122 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: assertions.h,v 1.1.206.1 2004/03/09 08:33:30 marka Exp $
+ */
+
+#ifndef ASSERTIONS_H
+#define ASSERTIONS_H 1
+
+typedef enum {
+ assert_require, assert_ensure, assert_insist, assert_invariant
+} assertion_type;
+
+typedef void (*assertion_failure_callback)(const char *, int, assertion_type,
+ const char *, int);
+
+extern assertion_failure_callback __assertion_failed;
+void set_assertion_failure_callback(assertion_failure_callback f);
+const char *assertion_type_to_text(assertion_type type);
+
+#ifdef CHECK_ALL
+#define CHECK_REQUIRE 1
+#define CHECK_ENSURE 1
+#define CHECK_INSIST 1
+#define CHECK_INVARIANT 1
+#endif
+
+#ifdef CHECK_NONE
+#define CHECK_REQUIRE 0
+#define CHECK_ENSURE 0
+#define CHECK_INSIST 0
+#define CHECK_INVARIANT 0
+#endif
+
+#ifndef CHECK_REQUIRE
+#define CHECK_REQUIRE 1
+#endif
+
+#ifndef CHECK_ENSURE
+#define CHECK_ENSURE 1
+#endif
+
+#ifndef CHECK_INSIST
+#define CHECK_INSIST 1
+#endif
+
+#ifndef CHECK_INVARIANT
+#define CHECK_INVARIANT 1
+#endif
+
+#if CHECK_REQUIRE != 0
+#define REQUIRE(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
+ #cond, 0), 0)))
+#define REQUIRE_ERR(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_require, \
+ #cond, 1), 0)))
+#else
+#define REQUIRE(cond) ((void) (cond))
+#define REQUIRE_ERR(cond) ((void) (cond))
+#endif /* CHECK_REQUIRE */
+
+#if CHECK_ENSURE != 0
+#define ENSURE(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
+ #cond, 0), 0)))
+#define ENSURE_ERR(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_ensure, \
+ #cond, 1), 0)))
+#else
+#define ENSURE(cond) ((void) (cond))
+#define ENSURE_ERR(cond) ((void) (cond))
+#endif /* CHECK_ENSURE */
+
+#if CHECK_INSIST != 0
+#define INSIST(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
+ #cond, 0), 0)))
+#define INSIST_ERR(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_insist, \
+ #cond, 1), 0)))
+#else
+#define INSIST(cond) ((void) (cond))
+#define INSIST_ERR(cond) ((void) (cond))
+#endif /* CHECK_INSIST */
+
+#if CHECK_INVARIANT != 0
+#define INVARIANT(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
+ #cond, 0), 0)))
+#define INVARIANT_ERR(cond) \
+ ((void) ((cond) || \
+ ((__assertion_failed)(__FILE__, __LINE__, assert_invariant, \
+ #cond, 1), 0)))
+#else
+#define INVARIANT(cond) ((void) (cond))
+#define INVARIANT_ERR(cond) ((void) (cond))
+#endif /* CHECK_INVARIANT */
+
+#endif /* ASSERTIONS_H */
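Review bot: Nothing in this header says that an `assertion_failure_callback` must not return. Every checking macro expands to `((void) ((cond) || ((__assertion_failed)(...), 0)))`, so if a callback installed through `set_assertion_failure_callback` returns, execution continues past the failed `REQUIRE`/`ENSURE`/`INSIST`/`INVARIANT`. I would add above the typedef: `/* The callback must not return; if it does, the caller continues past the failed check. */`. The `CHECK_NONE` block deserves a comment too: it reduces all four macro families to a bare `((void) (cond))`, so code whose only argument validation is a `REQUIRE` has none in such a build.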
diff --git a/contrib/bind9/lib/bind/include/isc/ctl.h b/contrib/bind9/lib/bind/include/isc/ctl.h
new file mode 100644
index 0000000..74957bc
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/ctl.h
@@ -0,0 +1,109 @@
+#ifndef ISC_CTL_H
+#define ISC_CTL_H
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: ctl.h,v 1.1.2.2.4.1 2004/03/09 08:33:30 marka Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <isc/eventlib.h>
+
+/* Macros. */
+
+#define CTL_MORE 0x0001 /* More will be / should be sent. */
+#define CTL_EXIT 0x0002 /* Close connection after this. */
+#define CTL_DATA 0x0004 /* Go into / this is DATA mode. */
+
+/* Types. */
+
+struct ctl_cctx;
+struct ctl_sctx;
+struct ctl_sess;
+struct ctl_verb;
+
+enum ctl_severity { ctl_debug, ctl_warning, ctl_error };
+
+typedef void (*ctl_logfunc)(enum ctl_severity, const char *, ...);
+
+typedef void (*ctl_verbfunc)(struct ctl_sctx *, struct ctl_sess *,
+ const struct ctl_verb *, const char *,
+ u_int, const void *, void *);
+
+typedef void (*ctl_srvrdone)(struct ctl_sctx *, struct ctl_sess *, void *);
+
+typedef void (*ctl_clntdone)(struct ctl_cctx *, void *, const char *, u_int);
+
+struct ctl_verb {
+ const char * name;
+ ctl_verbfunc func;
+ const char * help;
+};
+
+/* General symbols. */
+
+#define ctl_logger __ctl_logger
+
+#ifdef __GNUC__
+void ctl_logger(enum ctl_severity, const char *, ...)
+ __attribute__((__format__(__printf__, 2, 3)));
+#else
+void ctl_logger(enum ctl_severity, const char *, ...);
+#endif
+
+/* Client symbols. */
+
+#define ctl_client __ctl_client
+#define ctl_endclient __ctl_endclient
+#define ctl_command __ctl_command
+
+struct ctl_cctx * ctl_client(evContext, const struct sockaddr *, size_t,
+ const struct sockaddr *, size_t,
+ ctl_clntdone, void *,
+ u_int, ctl_logfunc);
+void ctl_endclient(struct ctl_cctx *);
+int ctl_command(struct ctl_cctx *, const char *, size_t,
+ ctl_clntdone, void *);
+
+/* Server symbols. */
+
+#define ctl_server __ctl_server
+#define ctl_endserver __ctl_endserver
+#define ctl_response __ctl_response
+#define ctl_sendhelp __ctl_sendhelp
+#define ctl_getcsctx __ctl_getcsctx
+#define ctl_setcsctx __ctl_setcsctx
+
+struct ctl_sctx * ctl_server(evContext, const struct sockaddr *, size_t,
+ const struct ctl_verb *,
+ u_int, u_int,
+ u_int, int, int,
+ ctl_logfunc, void *);
+void ctl_endserver(struct ctl_sctx *);
+void ctl_response(struct ctl_sess *, u_int,
+ const char *, u_int, const void *,
+ ctl_srvrdone, void *,
+ const char *, size_t);
+void ctl_sendhelp(struct ctl_sess *, u_int);
+void * ctl_getcsctx(struct ctl_sess *);
+void * ctl_setcsctx(struct ctl_sess *, void *);
+
+#endif /*ISC_CTL_H*/
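Review bot: `ctl_logfunc` is a printf-style callback type but carries no format attribute, so only direct calls to `ctl_logger` get compile-time format-string checking. Calls made through the `ctl_logfunc` pointer handed to `ctl_client` and `ctl_server` are not checked. Under the same `#ifdef __GNUC__` guard already used for `ctl_logger`, the typedef could be `typedef void (*ctl_logfunc)(enum ctl_severity, const char *, ...) __attribute__((__format__(__printf__, 2, 3)));`. Separately, the `ctl_server` prototype takes `u_int, u_int, u_int, int, int` with no parameter names; naming them would make a transposed argument visible at the call site.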
diff --git a/contrib/bind9/lib/bind/include/isc/dst.h b/contrib/bind9/lib/bind/include/isc/dst.h
new file mode 100644
index 0000000..fe92297
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/dst.h
@@ -0,0 +1,180 @@
+#ifndef DST_H
+#define DST_H
+
+#ifndef HAS_DST_KEY
+typedef struct dst_key {
+ char *dk_key_name; /* name of the key */
+ int dk_key_size; /* this is the size of the key in bits */
+ int dk_proto; /* what protocols this key can be used for */
+ int dk_alg; /* algorithm number from key record */
+ u_int32_t dk_flags; /* and the flags of the public key */
+ u_int16_t dk_id; /* identifier of the key */
+} DST_KEY;
+#endif /* HAS_DST_KEY */
+
+/*
+ * do not taint namespace
+ */
+#define dst_bsafe_init __dst_bsafe_init
+#define dst_buffer_to_key __dst_buffer_to_key
+#define dst_check_algorithm __dst_check_algorithm
+#define dst_compare_keys __dst_compare_keys
+#define dst_cylink_init __dst_cylink_init
+#define dst_dnskey_to_key __dst_dnskey_to_key
+#define dst_eay_dss_init __dst_eay_dss_init
+#define dst_free_key __dst_free_key
+#define dst_generate_key __dst_generate_key
+#define dst_hmac_md5_init __dst_hmac_md5_init
+#define dst_init __dst_init
+#define dst_key_to_buffer __dst_key_to_buffer
+#define dst_key_to_dnskey __dst_key_to_dnskey
+#define dst_read_key __dst_read_key
+#define dst_rsaref_init __dst_rsaref_init
+#define dst_s_build_filename __dst_s_build_filename
+#define dst_s_calculate_bits __dst_s_calculate_bits
+#define dst_s_conv_bignum_b64_to_u8 __dst_s_conv_bignum_b64_to_u8
+#define dst_s_conv_bignum_u8_to_b64 __dst_s_conv_bignum_u8_to_b64
+#define dst_s_dns_key_id __dst_s_dns_key_id
+#define dst_s_dump __dst_s_dump
+#define dst_s_filename_length __dst_s_filename_length
+#define dst_s_fopen __dst_s_fopen
+#define dst_s_get_int16 __dst_s_get_int16
+#define dst_s_get_int32 __dst_s_get_int32
+#define dst_s_id_calc __dst_s_id_calc
+#define dst_s_put_int16 __dst_s_put_int16
+#define dst_s_put_int32 __dst_s_put_int32
+#define dst_s_quick_random __dst_s_quick_random
+#define dst_s_quick_random_set __dst_s_quick_random_set
+#define dst_s_random __dst_s_random
+#define dst_s_semi_random __dst_s_semi_random
+#define dst_s_verify_str __dst_s_verify_str
+#define dst_sig_size __dst_sig_size
+#define dst_sign_data __dst_sign_data
+#define dst_verify_data __dst_verify_data
+#define dst_write_key __dst_write_key
+
+/*
+ * DST Crypto API defintions
+ */
+void dst_init(void);
+int dst_check_algorithm(const int);
+
+int dst_sign_data(const int, /* specifies INIT/UPDATE/FINAL/ALL */
+ DST_KEY *, /* the key to use */
+ void **, /* pointer to state structure */
+ const u_char *, /* data to be signed */
+ const int, /* length of input data */
+ u_char *, /* buffer to write signature to */
+ const int); /* size of output buffer */
+
+int dst_verify_data(const int, /* specifies INIT/UPDATE/FINAL/ALL */
+ DST_KEY *, /* the key to use */
+ void **, /* pointer to state structure */
+ const u_char *, /* data to be verified */
+ const int, /* length of input data */
+ const u_char *, /* buffer containing signature */
+ const int); /* length of signature */
+
+
+DST_KEY *dst_read_key(const char *, /* name of key */
+ const u_int16_t, /* key tag identifier */
+ const int, /* key algorithm */
+ const int); /* Private/PublicKey wanted*/
+
+int dst_write_key(const DST_KEY *, /* key to write out */
+ const int); /* Public/Private */
+
+DST_KEY *dst_dnskey_to_key(const char *, /* KEY record name */
+ const u_char *, /* KEY RDATA */
+ const int); /* size of input buffer*/
+
+
+int dst_key_to_dnskey(const DST_KEY *, /* key to translate */
+ u_char *, /* output buffer */
+ const int); /* size of out_storage*/
+
+
+DST_KEY *dst_buffer_to_key(const char *, /* name of the key */
+ const int, /* algorithm */
+ const int, /* dns flags */
+ const int, /* dns protocol */
+ const u_char *, /* key in dns wire fmt */
+ const int); /* size of key */
+
+
+int dst_key_to_buffer(DST_KEY *, u_char *, int);
+
+DST_KEY *dst_generate_key(const char *, /* name of new key */
+ const int, /* key algorithm to generate */
+ const int, /* size of new key */
+ const int, /* alg dependent parameter*/
+ const int, /* key DNS flags */
+ const int); /* key DNS protocol */
+
+DST_KEY *dst_free_key(DST_KEY *);
+int dst_compare_keys(const DST_KEY *, const DST_KEY *);
+
+int dst_sig_size(DST_KEY *);
+
+
+/* support for dns key tags/ids */
+u_int16_t dst_s_dns_key_id(const u_char *, const int);
+u_int16_t dst_s_id_calc(const u_char *, const int);
+
+/* Used by callers as well as by the library. */
+#define RAW_KEY_SIZE 8192 /* large enough to store any key */
+
+/* DST_API control flags */
+/* These are used used in functions dst_sign_data and dst_verify_data */
+#define SIG_MODE_INIT 1 /* initialize digest */
+#define SIG_MODE_UPDATE 2 /* add data to digest */
+#define SIG_MODE_FINAL 4 /* generate/verify signature */
+#define SIG_MODE_ALL (SIG_MODE_INIT|SIG_MODE_UPDATE|SIG_MODE_FINAL)
+
+/* Flags for dst_read_private_key() */
+#define DST_FORCE_READ 0x1000000
+#define DST_CAN_SIGN 0x010F
+#define DST_NO_AUTHEN 0x8000
+#define DST_EXTEND_FLAG 0x1000
+#define DST_STANDARD 0
+#define DST_PRIVATE 0x2000000
+#define DST_PUBLIC 0x4000000
+#define DST_RAND_SEMI 1
+#define DST_RAND_STD 2
+#define DST_RAND_KEY 3
+#define DST_RAND_DSS 4
+
+
+/* DST algorithm codes */
+#define KEY_RSA 1
+#define KEY_DH 2
+#define KEY_DSA 3
+#define KEY_PRIVATE 254
+#define KEY_EXPAND 255
+#define KEY_HMAC_MD5 157
+#define KEY_HMAC_SHA1 158
+#define UNKNOWN_KEYALG 0
+#define DST_MAX_ALGS KEY_HMAC_SHA1
+
+/* DST constants to locations in KEY record changes in new KEY record */
+#define DST_FLAGS_SIZE 2
+#define DST_KEY_PROT 2
+#define DST_KEY_ALG 3
+#define DST_EXT_FLAG 4
+#define DST_KEY_START 4
+
+#ifndef SIGN_F_NOKEY
+#define SIGN_F_NOKEY 0xC000
+#endif
+
+/* error codes from dst routines */
+#define SIGN_INIT_FAILURE (-23)
+#define SIGN_UPDATE_FAILURE (-24)
+#define SIGN_FINAL_FAILURE (-25)
+#define VERIFY_INIT_FAILURE (-26)
+#define VERIFY_UPDATE_FAILURE (-27)
+#define VERIFY_FINAL_FAILURE (-28)
+#define MISSING_KEY_OR_SIGNATURE (-30)
+#define UNSUPPORTED_KEYALG (-31)
+
+#endif /* DST_H */
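Review bot: `DST_MAX_ALGS` is defined as `KEY_HMAC_SHA1` (158), yet `KEY_PRIVATE` (254) and `KEY_EXPAND` (255) are also listed as algorithm codes, and the `dk_alg` field is documented as the "algorithm number from key record". If any table in the library is sized by `DST_MAX_ALGS` and indexed by that number (not visible in this hunk), the two high codes need an explicit range check first. I would at least document it next to the define: `/* Highest supported algorithm, not the highest code: KEY_PRIVATE and KEY_EXPAND exceed it; range-check dk_alg before indexing. */`. The buffer and signature lengths in `dst_sign_data`, `dst_verify_data` and `dst_dnskey_to_key` are all `const int`, so the header should also state that negative lengths are rejected, or the implementations should be checked for it.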
diff --git a/contrib/bind9/lib/bind/include/isc/eventlib.h b/contrib/bind9/lib/bind/include/isc/eventlib.h
new file mode 100644
index 0000000..6750e4d
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/eventlib.h
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* eventlib.h - exported interfaces for eventlib
+ * vix 09sep95 [initial]
+ *
+ * $Id: eventlib.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
+ */
+
+#ifndef _EVENTLIB_H
+#define _EVENTLIB_H
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/time.h>
+#include <stdio.h>
+
+#ifndef __P
+# define __EVENTLIB_P_DEFINED
+# ifdef __STDC__
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
+#endif
+
+/* In the absence of branded types... */
+typedef struct { void *opaque; } evConnID;
+typedef struct { void *opaque; } evFileID;
+typedef struct { void *opaque; } evStreamID;
+typedef struct { void *opaque; } evTimerID;
+typedef struct { void *opaque; } evWaitID;
+typedef struct { void *opaque; } evContext;
+typedef struct { void *opaque; } evEvent;
+
+#define evInitID(id) ((id)->opaque = NULL)
+#define evTestID(id) ((id).opaque != NULL)
+
+typedef void (*evConnFunc)__P((evContext, void *, int, const void *, int,
+ const void *, int));
+typedef void (*evFileFunc)__P((evContext, void *, int, int));
+typedef void (*evStreamFunc)__P((evContext, void *, int, int));
+typedef void (*evTimerFunc)__P((evContext, void *,
+ struct timespec, struct timespec));
+typedef void (*evWaitFunc)__P((evContext, void *, const void *));
+
+typedef struct { unsigned char mask[256/8]; } evByteMask;
+#define EV_BYTEMASK_BYTE(b) ((b) / 8)
+#define EV_BYTEMASK_MASK(b) (1 << ((b) % 8))
+#define EV_BYTEMASK_SET(bm, b) \
+ ((bm).mask[EV_BYTEMASK_BYTE(b)] |= EV_BYTEMASK_MASK(b))
+#define EV_BYTEMASK_CLR(bm, b) \
+ ((bm).mask[EV_BYTEMASK_BYTE(b)] &= ~EV_BYTEMASK_MASK(b))
+#define EV_BYTEMASK_TST(bm, b) \
+ ((bm).mask[EV_BYTEMASK_BYTE(b)] & EV_BYTEMASK_MASK(b))
+
+#define EV_POLL 1
+#define EV_WAIT 2
+#define EV_NULL 4
+
+#define EV_READ 1
+#define EV_WRITE 2
+#define EV_EXCEPT 4
+
+/* eventlib.c */
+#define evCreate __evCreate
+#define evSetDebug __evSetDebug
+#define evDestroy __evDestroy
+#define evGetNext __evGetNext
+#define evDispatch __evDispatch
+#define evDrop __evDrop
+#define evMainLoop __evMainLoop
+#define evHighestFD __evHighestFD
+#define evGetOption __evGetOption
+#define evSetOption __evSetOption
+
+int evCreate __P((evContext *));
+void evSetDebug __P((evContext, int, FILE *));
+int evDestroy __P((evContext));
+int evGetNext __P((evContext, evEvent *, int));
+int evDispatch __P((evContext, evEvent));
+void evDrop __P((evContext, evEvent));
+int evMainLoop __P((evContext));
+int evHighestFD __P((evContext));
+int evGetOption __P((evContext *, const char *, int *));
+int evSetOption __P((evContext *, const char *, int));
+
+/* ev_connects.c */
+#define evListen __evListen
+#define evConnect __evConnect
+#define evCancelConn __evCancelConn
+#define evHold __evHold
+#define evUnhold __evUnhold
+#define evTryAccept __evTryAccept
+
+int evListen __P((evContext, int, int, evConnFunc, void *, evConnID *));
+int evConnect __P((evContext, int, const void *, int,
+ evConnFunc, void *, evConnID *));
+int evCancelConn __P((evContext, evConnID));
+int evHold __P((evContext, evConnID));
+int evUnhold __P((evContext, evConnID));
+int evTryAccept __P((evContext, evConnID, int *));
+
+/* ev_files.c */
+#define evSelectFD __evSelectFD
+#define evDeselectFD __evDeselectFD
+
+int evSelectFD __P((evContext, int, int, evFileFunc, void *, evFileID *));
+int evDeselectFD __P((evContext, evFileID));
+
+/* ev_streams.c */
+#define evConsIovec __evConsIovec
+#define evWrite __evWrite
+#define evRead __evRead
+#define evTimeRW __evTimeRW
+#define evUntimeRW __evUntimeRW
+#define evCancelRW __evCancelRW
+
+struct iovec evConsIovec __P((void *, size_t));
+int evWrite __P((evContext, int, const struct iovec *, int,
+ evStreamFunc func, void *, evStreamID *));
+int evRead __P((evContext, int, const struct iovec *, int,
+ evStreamFunc func, void *, evStreamID *));
+int evTimeRW __P((evContext, evStreamID, evTimerID timer));
+int evUntimeRW __P((evContext, evStreamID));
+int evCancelRW __P((evContext, evStreamID));
+
+/* ev_timers.c */
+#define evConsTime __evConsTime
+#define evAddTime __evAddTime
+#define evSubTime __evSubTime
+#define evCmpTime __evCmpTime
+#define evTimeSpec __evTimeSpec
+#define evTimeVal __evTimeVal
+
+#define evNowTime __evNowTime
+#define evUTCTime __evUTCTime
+#define evLastEventTime __evLastEventTime
+#define evSetTimer __evSetTimer
+#define evClearTimer __evClearTimer
+#define evConfigTimer __evConfigTimer
+#define evResetTimer __evResetTimer
+#define evSetIdleTimer __evSetIdleTimer
+#define evClearIdleTimer __evClearIdleTimer
+#define evResetIdleTimer __evResetIdleTimer
+#define evTouchIdleTimer __evTouchIdleTimer
+
+struct timespec evConsTime __P((time_t sec, long nsec));
+struct timespec evAddTime __P((struct timespec, struct timespec));
+struct timespec evSubTime __P((struct timespec, struct timespec));
+struct timespec evNowTime __P((void));
+struct timespec evUTCTime __P((void));
+struct timespec evLastEventTime __P((evContext));
+struct timespec evTimeSpec __P((struct timeval));
+struct timeval evTimeVal __P((struct timespec));
+int evCmpTime __P((struct timespec, struct timespec));
+int evSetTimer __P((evContext, evTimerFunc, void *, struct timespec,
+ struct timespec, evTimerID *));
+int evClearTimer __P((evContext, evTimerID));
+int evConfigTimer __P((evContext, evTimerID, const char *param,
+ int value));
+int evResetTimer __P((evContext, evTimerID, evTimerFunc, void *,
+ struct timespec, struct timespec));
+int evSetIdleTimer __P((evContext, evTimerFunc, void *, struct timespec,
+ evTimerID *));
+int evClearIdleTimer __P((evContext, evTimerID));
+int evResetIdleTimer __P((evContext, evTimerID, evTimerFunc, void *,
+ struct timespec));
+int evTouchIdleTimer __P((evContext, evTimerID));
+
+/* ev_waits.c */
+#define evWaitFor __evWaitFor
+#define evDo __evDo
+#define evUnwait __evUnwait
+#define evDefer __evDefer
+
+int evWaitFor __P((evContext, const void *, evWaitFunc, void *, evWaitID *));
+int evDo __P((evContext, const void *));
+int evUnwait __P((evContext, evWaitID));
+int evDefer __P((evContext, evWaitFunc, void *));
+
+#ifdef __EVENTLIB_P_DEFINED
+# undef __P
+#endif
+
+#endif /*_EVENTLIB_H*/
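Review bot: The `EV_BYTEMASK_SET`/`CLR`/`TST` macros index `mask[256/8]` with `(b) / 8` and do no range check. A caller that passes a plain `char` (signed on many ABIs) holding a byte of 0x80 or above, or any `int` outside 0..255, therefore reads or writes outside the 32-byte array. Either document the contract above `evByteMask` (`/* b must be in 0..255; cast char arguments to unsigned char. */`) or make the helpers safe by construction: `#define EV_BYTEMASK_BYTE(b) ((unsigned char)(b) / 8)` and `#define EV_BYTEMASK_MASK(b) (1 << ((unsigned char)(b) % 8))`. Callers are not visible in this hunk, so whether any of them passes a signed value is unconfirmed.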
diff --git a/contrib/bind9/lib/bind/include/isc/heap.h b/contrib/bind9/lib/bind/include/isc/heap.h
new file mode 100644
index 0000000..691c821
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/heap.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+typedef int (*heap_higher_priority_func)(void *, void *);
+typedef void (*heap_index_func)(void *, int);
+typedef void (*heap_for_each_func)(void *, void *);
+
+typedef struct heap_context {
+ int array_size;
+ int array_size_increment;
+ int heap_size;
+ void **heap;
+ heap_higher_priority_func higher_priority;
+ heap_index_func index;
+} *heap_context;
+
+#define heap_new __heap_new
+#define heap_free __heap_free
+#define heap_insert __heap_insert
+#define heap_delete __heap_delete
+#define heap_increased __heap_increased
+#define heap_decreased __heap_decreased
+#define heap_element __heap_element
+#define heap_for_each __heap_for_each
+
+heap_context heap_new(heap_higher_priority_func, heap_index_func, int);
+int heap_free(heap_context);
+int heap_insert(heap_context, void *);
+int heap_delete(heap_context, int);
+int heap_increased(heap_context, int);
+int heap_decreased(heap_context, int);
+void * heap_element(heap_context, int);
+int heap_for_each(heap_context, heap_for_each_func, void *);
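Review bot: This header has no include guard, unlike list.h and logging.h in the same import, so a second inclusion redefines `struct heap_context` and fails to compile. Wrap the contents in `#ifndef HEAP_H` / `#define HEAP_H 1` at the top and `#endif /* HEAP_H */` at the end. The prototypes also carry no comment on what the `int` arguments and return values mean (element index, status code), which a short header comment would settle.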
diff --git a/contrib/bind9/lib/bind/include/isc/irpmarshall.h b/contrib/bind9/lib/bind/include/isc/irpmarshall.h
new file mode 100644
index 0000000..e672f97
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/irpmarshall.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irpmarshall.h,v 1.1.2.1.4.1 2004/03/09 08:33:31 marka Exp $
+ */
+
+#ifndef _IRPMARSHALL_H_INCLUDED
+#define _IRPMARSHALL_H_INCLUDED
+
+/* Hide function names */
+#define irp_marshall_gr __irp_marshall_gr
+#define irp_marshall_ho __irp_marshall_ho
+#define irp_marshall_ne __irp_marshall_ne
+#define irp_marshall_ng __irp_marshall_ng
+#define irp_marshall_nw __irp_marshall_nw
+#define irp_marshall_pr __irp_marshall_pr
+#define irp_marshall_pw __irp_marshall_pw
+#define irp_marshall_sv __irp_marshall_sv
+#define irp_unmarshall_gr __irp_unmarshall_gr
+#define irp_unmarshall_ho __irp_unmarshall_ho
+#define irp_unmarshall_ne __irp_unmarshall_ne
+#define irp_unmarshall_ng __irp_unmarshall_ng
+#define irp_unmarshall_nw __irp_unmarshall_nw
+#define irp_unmarshall_pr __irp_unmarshall_pr
+#define irp_unmarshall_pw __irp_unmarshall_pw
+#define irp_unmarshall_sv __irp_unmarshall_sv
+
+#define MAXPADDRSIZE (sizeof "255.255.255.255" + 1)
+#define ADDR_T_STR(x) (x == AF_INET ? "AF_INET" :\
+ (x == AF_INET6 ? "AF_INET6" : "UNKNOWN"))
+
+/* See comment below on usage */
+int irp_marshall_pw(const struct passwd *, char **, size_t *);
+int irp_unmarshall_pw(struct passwd *, char *);
+int irp_marshall_gr(const struct group *, char **, size_t *);
+int irp_unmarshall_gr(struct group *, char *);
+int irp_marshall_sv(const struct servent *, char **, size_t *);
+int irp_unmarshall_sv(struct servent *, char *);
+int irp_marshall_pr(struct protoent *, char **, size_t *);
+int irp_unmarshall_pr(struct protoent *, char *);
+int irp_marshall_ho(struct hostent *, char **, size_t *);
+int irp_unmarshall_ho(struct hostent *, char *);
+int irp_marshall_ng(const char *, const char *, const char *,
+ char **, size_t *);
+int irp_unmarshall_ng(const char **, const char **, const char **, char *);
+int irp_marshall_nw(struct nwent *, char **, size_t *);
+int irp_unmarshall_nw(struct nwent *, char *);
+int irp_marshall_ne(struct netent *, char **, size_t *);
+int irp_unmarshall_ne(struct netent *, char *);
+
+/*
+ * Functions to marshall and unmarshall various system data structures. We
+ * use a printable ascii format that is as close to various system config
+ * files as reasonable (e.g. /etc/passwd format).
+ *
+ * We are not forgiving with unmarhsalling misformatted buffers. In
+ * particular whitespace in fields is not ignored. So a formatted password
+ * entry "brister :1364:100:...." will yield a username of "brister "
+ *
+ * We potentially do a lot of mallocs to fill fields that are of type
+ * (char **) like a hostent h_addr field. Building (for example) the
+ * h_addr field and its associated addresses all in one buffer is
+ * certainly possible, but not done here.
+ *
+ * The following description is true for all the marshalling functions:
+ *
+ */
+
+/* int irp_marshall_XX(struct yyyy *XX, char **buffer, size_t *len);
+ *
+ * The argument XX (of type struct passwd for example) is marshalled in the
+ * buffer pointed at by *BUFFER, which is of length *LEN. Returns 0
+ * on success and -1 on failure. Failure will occur if *LEN is
+ * smaller than needed.
+ *
+ * If BUFFER is NULL, then *LEN is set to the size of the buffer
+ * needed to marshall the data and no marshalling is actually done.
+ *
+ * If *BUFFER is NULL, then a buffer large enough will be allocated
+ * with memget() and the size allocated will be stored in *LEN. An extra 2
+ * bytes will be allocated for the client to append CRLF if wanted. The
+ * value of *LEN will include these two bytes.
+ *
+ * All the marshalling functions produce a buffer with the fields
+ * separated by colons (except for the hostent marshalling, which uses '@'
+ * to separate fields). Fields that have multiple subfields (like the
+ * gr_mem field in struct group) have their subparts separated by
+ * commas.
+ */
+
+/*
+ * int irp_unmarshall_XX(struct YYYYY *XX, char *buffer);
+ *
+ * The unmashalling functions break apart the buffer and store the
+ * values in the struct pointed to by XX. All pointer values inside
+ * XX are allocated with malloc. All arrays of pointers have a NULL
+ * as the last element.
+ */
+
+#endif
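Review bot: `MAXPADDRSIZE` is sized from the IPv4 literal `"255.255.255.255"` (17 bytes), yet `ADDR_T_STR` directly below it also recognises `AF_INET6`. If any caller sizes a buffer for textual IPv6 addresses with this constant, it is too small (INET6_ADDRSTRLEN is 46). The callers are outside this hunk, so this needs checking against the marshalling code. Separately, `ADDR_T_STR` uses its argument unparenthesised; `((x) == AF_INET ? "AF_INET" : ((x) == AF_INET6 ? "AF_INET6" : "UNKNOWN"))` is safe for any expression. The unmarshall prototypes take a bare `char *` with no length, so the comment block should say that the buffer is expected to be NUL-terminated, if that is indeed the contract.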
diff --git a/contrib/bind9/lib/bind/include/isc/list.h b/contrib/bind9/lib/bind/include/isc/list.h
new file mode 100644
index 0000000..ad574ac
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/list.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef LIST_H
+#define LIST_H 1
+#include <isc/assertions.h>
+
+#define LIST(type) struct { type *head, *tail; }
+#define INIT_LIST(list) \
+ do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define LINK(type) struct { type *prev, *next; }
+#define INIT_LINK_TYPE(elt, link, type) \
+ do { \
+ (elt)->link.prev = (type *)(-1); \
+ (elt)->link.next = (type *)(-1); \
+ } while (0)
+#define INIT_LINK(elt, link) \
+ INIT_LINK_TYPE(elt, link, void)
+#define LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
+
+#define HEAD(list) ((list).head)
+#define TAIL(list) ((list).tail)
+#define EMPTY(list) ((list).head == NULL)
+
+#define PREPEND(list, elt, link) \
+ do { \
+ INSIST(!LINKED(elt, link));\
+ if ((list).head != NULL) \
+ (list).head->link.prev = (elt); \
+ else \
+ (list).tail = (elt); \
+ (elt)->link.prev = NULL; \
+ (elt)->link.next = (list).head; \
+ (list).head = (elt); \
+ } while (0)
+
+#define APPEND(list, elt, link) \
+ do { \
+ INSIST(!LINKED(elt, link));\
+ if ((list).tail != NULL) \
+ (list).tail->link.next = (elt); \
+ else \
+ (list).head = (elt); \
+ (elt)->link.prev = (list).tail; \
+ (elt)->link.next = NULL; \
+ (list).tail = (elt); \
+ } while (0)
+
+#define UNLINK_TYPE(list, elt, link, type) \
+ do { \
+ INSIST(LINKED(elt, link));\
+ if ((elt)->link.next != NULL) \
+ (elt)->link.next->link.prev = (elt)->link.prev; \
+ else \
+ (list).tail = (elt)->link.prev; \
+ if ((elt)->link.prev != NULL) \
+ (elt)->link.prev->link.next = (elt)->link.next; \
+ else \
+ (list).head = (elt)->link.next; \
+ INIT_LINK_TYPE(elt, link, type); \
+ } while (0)
+#define UNLINK(list, elt, link) \
+ UNLINK_TYPE(list, elt, link, void)
+
+#define PREV(elt, link) ((elt)->link.prev)
+#define NEXT(elt, link) ((elt)->link.next)
+
+#define INSERT_BEFORE(list, before, elt, link) \
+ do { \
+ INSIST(!LINKED(elt, link));\
+ if ((before)->link.prev == NULL) \
+ PREPEND(list, elt, link); \
+ else { \
+ (elt)->link.prev = (before)->link.prev; \
+ (before)->link.prev = (elt); \
+ (elt)->link.prev->link.next = (elt); \
+ (elt)->link.next = (before); \
+ } \
+ } while (0)
+
+#define INSERT_AFTER(list, after, elt, link) \
+ do { \
+ INSIST(!LINKED(elt, link));\
+ if ((after)->link.next == NULL) \
+ APPEND(list, elt, link); \
+ else { \
+ (elt)->link.next = (after)->link.next; \
+ (after)->link.next = (elt); \
+ (elt)->link.next->link.prev = (elt); \
+ (elt)->link.prev = (after); \
+ } \
+ } while (0)
+
+#define ENQUEUE(list, elt, link) APPEND(list, elt, link)
+#define DEQUEUE(list, elt, link) UNLINK(list, elt, link)
+
+#endif /* LIST_H */
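Review bot: `UNLINK_TYPE` asserts only that `elt` is linked somewhere, not that it is on `list`; if `elt` is the first or last element of a different list, the `else` branches overwrite this list's `head` or `tail`. A macro cannot check that cheaply, so it should be documented above `UNLINK_TYPE`: `/* elt must be on 'list'; arguments are evaluated more than once, so pass no expressions with side effects */`. The multiple-evaluation caveat applies equally to `PREPEND`, `APPEND`, `INSERT_BEFORE` and `INSERT_AFTER`. `INSERT_BEFORE` and `INSERT_AFTER` also dereference `before`/`after` without checking them; `INSIST(LINKED(before, link));` (and the `after` equivalent) would catch an unlinked anchor before the list is corrupted.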
diff --git a/contrib/bind9/lib/bind/include/isc/logging.h b/contrib/bind9/lib/bind/include/isc/logging.h
new file mode 100644
index 0000000..574fd8a
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/logging.h
@@ -0,0 +1,112 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef LOGGING_H
+#define LOGGING_H
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <unistd.h>
+
+#define log_critical (-5)
+#define log_error (-4)
+#define log_warning (-3)
+#define log_notice (-2)
+#define log_info (-1)
+#define log_debug(level) (level)
+
+typedef enum { log_syslog, log_file, log_null } log_channel_type;
+
+#define LOG_MAX_VERSIONS 99
+
+#define LOG_CLOSE_STREAM 0x0001
+#define LOG_TIMESTAMP 0x0002
+#define LOG_TRUNCATE 0x0004
+#define LOG_USE_CONTEXT_LEVEL 0x0008
+#define LOG_PRINT_LEVEL 0x0010
+#define LOG_REQUIRE_DEBUG 0x0020
+#define LOG_CHANNEL_BROKEN 0x0040
+#define LOG_PRINT_CATEGORY 0x0080
+#define LOG_CHANNEL_OFF 0x0100
+
+typedef struct log_context *log_context;
+typedef struct log_channel *log_channel;
+
+#define LOG_OPTION_DEBUG 0x01
+#define LOG_OPTION_LEVEL 0x02
+
+#define log_open_stream __log_open_stream
+#define log_close_stream __log_close_stream
+#define log_get_stream __log_get_stream
+#define log_get_filename __log_get_filename
+#define log_check_channel __log_check_channel
+#define log_check __log_check
+#define log_vwrite __log_vwrite
+#define log_write __log_write
+#define log_new_context __log_new_context
+#define log_free_context __log_free_context
+#define log_add_channel __log_add_channel
+#define log_remove_channel __log_remove_channel
+#define log_option __log_option
+#define log_category_is_active __log_category_is_active
+#define log_new_syslog_channel __log_new_syslog_channel
+#define log_new_file_channel __log_new_file_channel
+#define log_set_file_owner __log_set_file_owner
+#define log_new_null_channel __log_new_null_channel
+#define log_inc_references __log_inc_references
+#define log_dec_references __log_dec_references
+#define log_get_channel_type __log_get_channel_type
+#define log_free_channel __log_free_channel
+#define log_close_debug_channels __log_close_debug_channels
+
+FILE * log_open_stream(log_channel);
+int log_close_stream(log_channel);
+FILE * log_get_stream(log_channel);
+char * log_get_filename(log_channel);
+int log_check_channel(log_context, int, log_channel);
+int log_check(log_context, int, int);
+#ifdef __GNUC__
+void log_vwrite(log_context, int, int, const char *,
+ va_list args)
+ __attribute__((__format__(__printf__, 4, 0)));
+void log_write(log_context, int, int, const char *, ...)
+ __attribute__((__format__(__printf__, 4, 5)));
+#else
+void log_vwrite(log_context, int, int, const char *,
+ va_list args);
+void log_write(log_context, int, int, const char *, ...);
+#endif
+int log_new_context(int, char **, log_context *);
+void log_free_context(log_context);
+int log_add_channel(log_context, int, log_channel);
+int log_remove_channel(log_context, int, log_channel);
+int log_option(log_context, int, int);
+int log_category_is_active(log_context, int);
+log_channel log_new_syslog_channel(unsigned int, int, int);
+log_channel log_new_file_channel(unsigned int, int, const char *,
+ FILE *, unsigned int,
+ unsigned long);
+int log_set_file_owner(log_channel, uid_t, gid_t);
+log_channel log_new_null_channel(void);
+int log_inc_references(log_channel);
+int log_dec_references(log_channel);
+log_channel_type log_get_channel_type(log_channel);
+int log_free_channel(log_channel);
+void log_close_debug_channels(log_context);
+
+#endif /* !LOGGING_H */
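Review bot: The `__format__(__printf__, ...)` attribute on `log_write` and `log_vwrite` is applied only under `__GNUC__`, and nothing else in the header tells callers that the `const char *` is a format string. A comment above the prototypes would make the contract explicit for every compiler: `/* The const char * is a printf format: pass externally supplied text as an argument to "%s", never as the format itself. */`. The `LOG_*` channel flags, the `LOG_OPTION_*` values and the negative level constants are also undocumented; one line each saying which call takes them would help readers of this header.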
diff --git a/contrib/bind9/lib/bind/include/isc/memcluster.h b/contrib/bind9/lib/bind/include/isc/memcluster.h
new file mode 100644
index 0000000..11e1fa3
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/memcluster.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef MEMCLUSTER_H
+#define MEMCLUSTER_H
+
+#include <stdio.h>
+
+#define meminit __meminit
+#ifdef MEMCLUSTER_DEBUG
+#define memget(s) __memget_debug(s, __FILE__, __LINE__)
+#define memput(p, s) __memput_debug(p, s, __FILE__, __LINE__)
+#else /*MEMCLUSTER_DEBUG*/
+#ifdef MEMCLUSTER_RECORD
+#define memget(s) __memget_record(s, __FILE__, __LINE__)
+#define memput(p, s) __memput_record(p, s, __FILE__, __LINE__)
+#else /*MEMCLUSTER_RECORD*/
+#define memget __memget
+#define memput __memput
+#endif /*MEMCLUSTER_RECORD*/
+#endif /*MEMCLUSTER_DEBUG*/
+#define memstats __memstats
+#define memactive __memactive
+
+int meminit(size_t, size_t);
+void * __memget(size_t);
+void __memput(void *, size_t);
+void * __memget_debug(size_t, const char *, int);
+void __memput_debug(void *, size_t, const char *, int);
+void * __memget_record(size_t, const char *, int);
+void __memput_record(void *, size_t, const char *, int);
+void memstats(FILE *);
+int memactive(void);
+
+#endif /* MEMCLUSTER_H */
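Review bot: Nothing in this header says what the size passed to `memput(p, s)` must be. Presumably it has to equal the size given to the `memget()` that returned `p`; confirm against the implementation and state it, e.g. `/* memput(p, s): s must be the size passed to the memget() that returned p */`. Note also that `memget` and `memput` are function-like macros under `MEMCLUSTER_DEBUG` and `MEMCLUSTER_RECORD` but plain renames otherwise, so code that uses either name without a call (as a function pointer, say) builds only in the default configuration.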
diff --git a/contrib/bind9/lib/bind/include/isc/misc.h b/contrib/bind9/lib/bind/include/isc/misc.h
new file mode 100644
index 0000000..b08b02d
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/misc.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: misc.h,v 1.2.2.1.4.1 2004/03/09 08:33:31 marka Exp $
+ */
+
+#ifndef _ISC_MISC_H
+#define _ISC_MISC_H
+
+#include <stdio.h>
+
+#define bitncmp __bitncmp
+/*#define isc_movefile __isc_movefile */
+
+extern int bitncmp(const void *, const void *, int);
+extern int isc_movefile(const char *, const char *);
+
+extern int isc_gethexstring(unsigned char *, size_t, int, FILE *,
+ int *);
+extern void isc_puthexstring(FILE *, const unsigned char *, size_t,
+ size_t, size_t, const char *);
+extern void isc_tohex(const unsigned char *, size_t, char *);
+
+#endif /*_ISC_MISC_H*/
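Review bot: `isc_tohex(const unsigned char *, size_t, char *)` takes no size for its output buffer, so the caller alone is responsible for making it large enough. The header should state the requirement (presumably two characters per input byte plus a terminating NUL; confirm against the implementation). The parameters of `isc_gethexstring` and `isc_puthexstring` are likewise unnamed and unexplained, including the `int *` out-parameter. Also, the rename at `/*#define isc_movefile __isc_movefile */` is commented out while `bitncmp` is renamed, so the `isc_*` functions are exported under their plain names; a one-line comment giving the reason would stop someone re-enabling it by mistake.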
diff --git a/contrib/bind9/lib/bind/include/isc/tree.h b/contrib/bind9/lib/bind/include/isc/tree.h
new file mode 100644
index 0000000..0572c40
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/isc/tree.h
@@ -0,0 +1,58 @@
+/* tree.h - declare structures used by tree library
+ *
+ * vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
+ * vix 27jun86 [broken out of tree.c]
+ *
+ * $Id: tree.h,v 1.1.2.1 2003/06/27 03:51:39 marka Exp $
+ */
+
+
+#ifndef _TREE_H_INCLUDED
+#define _TREE_H_INCLUDED
+
+
+#ifndef __P
+# if defined(__STDC__) || defined(__GNUC__)
+# define __P(x) x
+# else
+# define __P(x) ()
+# endif
+#endif
+
+/*
+ * tree_t is our package-specific anonymous pointer.
+ */
+#if defined(__STDC__) || defined(__GNUC__)
+typedef void *tree_t;
+#else
+typedef char *tree_t;
+#endif
+
+/*
+ * Do not taint namespace
+ */
+#define tree_add __tree_add
+#define tree_delete __tree_delete
+#define tree_init __tree_init
+#define tree_mung __tree_mung
+#define tree_srch __tree_srch
+#define tree_trav __tree_trav
+
+
+typedef struct tree_s {
+ tree_t data;
+ struct tree_s *left, *right;
+ short bal;
+ }
+ tree;
+
+
+void tree_init __P((tree **));
+tree_t tree_srch __P((tree **, int (*)(), tree_t));
+tree_t tree_add __P((tree **, int (*)(), tree_t, void (*)()));
+int tree_delete __P((tree **, int (*)(), tree_t, void (*)()));
+int tree_trav __P((tree **, int (*)()));
+void tree_mung __P((tree **, void (*)()));
+
+
+#endif /* _TREE_H_INCLUDED */
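Review bot: The callback parameters are declared as `int (*)()` and `void (*)()`, with unspecified arguments even when `__STDC__` is defined, so the compiler cannot reject a comparison or delete callback with the wrong signature. Where prototypes are available these could be spelled out, presumably `int (*)(tree_t, tree_t)` for the comparator in `tree_srch`, `tree_add` and `tree_delete`; the definitions in tree.c are outside this hunk and should be checked first. The header also defines `__P` when it is missing and never undefines it, unlike the `__EVENTLIB_P_DEFINED` handling at the end of eventlib.h in this same import.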
diff --git a/contrib/bind9/lib/bind/include/netdb.h b/contrib/bind9/lib/bind/include/netdb.h
new file mode 100644
index 0000000..a8a9f5f
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/netdb.h
@@ -0,0 +1,549 @@
+/*
+ * ++Copyright++ 1980, 1983, 1988, 1993
+ * -
+ * Copyright (c) 1980, 1983, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * -
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ * -
+ * Portions Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by WIDE Project and
+ * its contributors.
+ * 4. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * -
+ * --Copyright--
+ */
+
+/*
+ * @(#)netdb.h 8.1 (Berkeley) 6/2/93
+ * $Id: netdb.h,v 1.12.2.1.4.4 2004/03/16 02:19:19 marka Exp $
+ */
+
+#ifndef _NETDB_H_
+#define _NETDB_H_
+
+#include <sys/param.h>
+#include <sys/types.h>
+#if (!defined(BSD)) || (BSD < 199306)
+# include <sys/bitypes.h>
+#endif
+#include <sys/cdefs.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <stdio.h>
+
+#ifndef _PATH_HEQUIV
+#define _PATH_HEQUIV "/etc/hosts.equiv"
+#endif
+#ifndef _PATH_HOSTS
+#define _PATH_HOSTS "/etc/hosts"
+#endif
+#ifndef _PATH_NETWORKS
+#define _PATH_NETWORKS "/etc/networks"
+#endif
+#ifndef _PATH_PROTOCOLS
+#define _PATH_PROTOCOLS "/etc/protocols"
+#endif
+#ifndef _PATH_SERVICES
+#define _PATH_SERVICES "/etc/services"
+#endif
+
+#if (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+#define __h_errno __h_errno_location
+#endif
+__BEGIN_DECLS
+extern int * __h_errno __P((void));
+__END_DECLS
+#if defined(_REENTRANT) || \
+ (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+#define h_errno (*__h_errno())
+#else
+extern int h_errno;
+#endif
+
+/*
+ * Structures returned by network data base library. All addresses are
+ * supplied in host order, and returned in network order (suitable for
+ * use in system calls).
+ */
+struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+#define h_addr h_addr_list[0] /* address, for backward compatiblity */
+};
+
+/*
+ * Assumption here is that a network number
+ * fits in an unsigned long -- probably a poor one.
+ */
+struct netent {
+ char *n_name; /* official name of net */
+ char **n_aliases; /* alias list */
+ int n_addrtype; /* net address type */
+ unsigned long n_net; /* network # */
+};
+
+struct servent {
+ char *s_name; /* official service name */
+ char **s_aliases; /* alias list */
+ int s_port; /* port # */
+ char *s_proto; /* protocol to use */
+};
+
+struct protoent {
+ char *p_name; /* official protocol name */
+ char **p_aliases; /* alias list */
+ int p_proto; /* protocol # */
+};
+
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+#if defined(sun) && defined(_SOCKLEN_T)
+#ifdef __sparc9
+ int _ai_pad;
+#endif
+ socklen_t ai_addrlen;
+#else
+ size_t ai_addrlen; /* length of ai_addr */
+#endif
+#ifdef __linux
+ struct sockaddr *ai_addr; /* binary address */
+ char *ai_canonname; /* canonical name for hostname */
+#else
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+#endif
+ struct addrinfo *ai_next; /* next structure in linked list */
+};
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#define NETDB_INTERNAL -1 /* see errno */
+#define NETDB_SUCCESS 0 /* no problem */
+#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
+#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define NO_DATA 4 /* Valid name, no data record of requested type */
+#define NO_ADDRESS NO_DATA /* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
+#define EAI_AGAIN 2 /* temporary failure in name resolution */
+#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
+#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
+#define EAI_FAMILY 5 /* ai_family not supported */
+#define EAI_MEMORY 6 /* memory allocation failure */
+#define EAI_NODATA 7 /* no address associated with hostname */
+#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
+#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
+#define EAI_SYSTEM 11 /* system error returned in errno */
+#define EAI_BADHINTS 12
+#define EAI_PROTOCOL 13
+#define EAI_MAX 14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#define AI_PASSIVE 0x00000001
+#define AI_CANONNAME 0x00000002
+#define AI_NUMERICHOST 0x00000004
+#define AI_MASK 0x00000007
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#define AI_V4MAPPED 0x00000008
+#define AI_ALL 0x00000010
+#define AI_ADDRCONFIG 0x00000020
+#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for getnameinfo()
+ */
+#define NI_MAXHOST 1025
+#define NI_MAXSERV 32
+
+/*
+ * Flag values for getnameinfo()
+ */
+#define NI_NOFQDN 0x00000001
+#define NI_NUMERICHOST 0x00000002
+#define NI_NAMEREQD 0x00000004
+#define NI_NUMERICSERV 0x00000008
+#define NI_DGRAM 0x00000010
+#define NI_WITHSCOPEID 0x00000020
+#define NI_NUMERICSCOPE 0x00000040
+
+/*
+ * Scope delimit character
+ */
+#define SCOPE_DELIMITER '%'
+
+
+#ifdef _REENTRANT
+#if defined (__hpux) || defined(__osf__) || defined(_AIX)
+#define _MAXALIASES 35
+#define _MAXLINELEN 1024
+#define _MAXADDRS 35
+#define _HOSTBUFSIZE (BUFSIZ + 1)
+
+struct hostent_data {
+ struct in_addr host_addr;
+ char *h_addr_ptrs[_MAXADDRS + 1];
+ char hostaddr[_MAXADDRS];
+ char hostbuf[_HOSTBUFSIZE];
+ char *host_aliases[_MAXALIASES];
+ char *host_addrs[2];
+ FILE *hostf;
+#ifdef __osf__
+ int svc_gethostflag;
+ int svc_gethostbind;
+#endif
+#ifdef __hpux
+ short _nsw_src;
+ short _flags;
+ char *current;
+ int currentlen;
+#endif
+};
+
+struct netent_data {
+ FILE *net_fp;
+#ifdef __osf__
+ char line[_MAXLINELEN];
+#endif
+#ifdef __hpux
+ char line[_MAXLINELEN+1];
+#endif
+ char *net_aliases[_MAXALIASES];
+#ifdef __osf__
+ int _net_stayopen;
+ int svc_getnetflag;
+#endif
+#ifdef __hpux
+ short _nsw_src;
+ short _flags;
+ char *current;
+ int currentlen;
+#endif
+};
+
+struct protoent_data {
+ FILE *proto_fp;
+#ifdef __osf__
+ char line[1024];
+#endif
+#ifdef __hpux
+ char line[_MAXLINELEN+1];
+#endif
+ char *proto_aliases[_MAXALIASES];
+#ifdef __osf__
+ int _proto_stayopen;
+ int svc_getprotoflag;
+#endif
+#ifdef __hpux
+ short _nsw_src;
+ short _flags;
+ char *current;
+ int currentlen;
+#endif
+};
+
+struct servent_data {
+ FILE *serv_fp;
+#ifdef __osf__
+ char line[_MAXLINELEN];
+#endif
+#ifdef __hpux
+ char line[_MAXLINELEN+1];
+#endif
+ char *serv_aliases[_MAXALIASES];
+#ifdef __osf__
+ int _serv_stayopen;
+ int svc_getservflag;
+#endif
+#ifdef __hpux
+ short _nsw_src;
+ short _flags;
+ char *current;
+ int currentlen;
+#endif
+};
+#endif
+#endif
+__BEGIN_DECLS
+void endhostent __P((void));
+void endnetent __P((void));
+void endprotoent __P((void));
+void endservent __P((void));
+void freehostent __P((struct hostent *));
+struct hostent *gethostbyaddr __P((const char *, int, int));
+struct hostent *gethostbyname __P((const char *));
+struct hostent *gethostbyname2 __P((const char *, int));
+struct hostent *gethostent __P((void));
+struct hostent *getipnodebyaddr __P((const void *, size_t, int, int *));
+struct hostent *getipnodebyname __P((const char *, int, int, int *));
+struct netent *getnetbyaddr __P((unsigned long, int));
+struct netent *getnetbyname __P((const char *));
+struct netent *getnetent __P((void));
+struct protoent *getprotobyname __P((const char *));
+struct protoent *getprotobynumber __P((int));
+struct protoent *getprotoent __P((void));
+struct servent *getservbyname __P((const char *, const char *));
+struct servent *getservbyport __P((int, const char *));
+struct servent *getservent __P((void));
+void herror __P((const char *));
+const char *hstrerror __P((int));
+void sethostent __P((int));
+/* void sethostfile __P((const char *)); */
+void setnetent __P((int));
+void setprotoent __P((int));
+void setservent __P((int));
+int getaddrinfo __P((const char *, const char *,
+ const struct addrinfo *, struct addrinfo **));
+int getnameinfo __P((const struct sockaddr *, size_t, char *,
+ size_t, char *, size_t, int));
+void freeaddrinfo __P((struct addrinfo *));
+const char *gai_strerror __P((int));
+struct hostent *getipnodebyname __P((const char *, int, int, int *));
+struct hostent *getipnodebyaddr __P((const void *, size_t, int, int *));
+void freehostent __P((struct hostent *));
+#ifdef __GLIBC__
+int getnetgrent __P((/* const */ char **, /* const */ char **,
+ /* const */ char **));
+void setnetgrent __P((const char *));
+void endnetgrent __P((void));
+int innetgr __P((const char *, const char *, const char *,
+ const char *));
+#endif
+
+#ifdef _REENTRANT
+#if defined(__hpux) || defined(__osf__) || defined(_AIX)
+int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
+ struct hostent_data *));
+int gethostbyname_r __P((const char *, struct hostent *,
+ struct hostent_data *));
+int gethostent_r __P((struct hostent *, struct hostent_data *));
+#if defined(_AIX)
+void sethostent_r __P((int, struct hostent_data *));
+#else
+int sethostent_r __P((int, struct hostent_data *));
+#endif
+#if defined(__hpux)
+int endhostent_r __P((struct hostent_data *));
+#else
+void endhostent_r __P((struct hostent_data *));
+#endif
+
+#if defined(__hpux) || defined(__osf__)
+int getnetbyaddr_r __P((int, int,
+ struct netent *, struct netent_data *));
+#else
+int getnetbyaddr_r __P((long, int,
+ struct netent *, struct netent_data *));
+#endif
+int getnetbyname_r __P((const char *,
+ struct netent *, struct netent_data *));
+int getnetent_r __P((struct netent *, struct netent_data *));
+int setnetent_r __P((int, struct netent_data *));
+#ifdef __hpux
+int endnetent_r __P((struct netent_data *buffer));
+#else
+void endnetent_r __P((struct netent_data *buffer));
+#endif
+
+int getprotobyname_r __P((const char *,
+ struct protoent *, struct protoent_data *));
+int getprotobynumber_r __P((int,
+ struct protoent *, struct protoent_data *));
+int getprotoent_r __P((struct protoent *, struct protoent_data *));
+int setprotoent_r __P((int, struct protoent_data *));
+#ifdef __hpux
+int endprotoent_r __P((struct protoent_data *));
+#else
+void endprotoent_r __P((struct protoent_data *));
+#endif
+
+int getservbyname_r __P((const char *, const char *,
+ struct servent *, struct servent_data *));
+int getservbyport_r __P((int, const char *,
+ struct servent *, struct servent_data *));
+int getservent_r __P((struct servent *, struct servent_data *));
+int setservent_r __P((int, struct servent_data *));
+#ifdef __hpux
+int endservent_r __P((struct servent_data *));
+#else
+void endservent_r __P((struct servent_data *));
+#endif
+#else
+ /* defined(sun) || defined(bsdi) */
+#ifdef __GLIBC__
+int gethostbyaddr_r __P((const char *, int, int, struct hostent *,
+ char *, size_t, struct hostent **, int *));
+int gethostbyname_r __P((const char *, struct hostent *,
+ char *, size_t, struct hostent **, int *));
+int gethostent_r __P((struct hostent *, char *, size_t,
+ struct hostent **, int *));
+#else
+struct hostent *gethostbyaddr_r __P((const char *, int, int, struct hostent *,
+ char *, int, int *));
+struct hostent *gethostbyname_r __P((const char *, struct hostent *,
+ char *, int, int *));
+struct hostent *gethostent_r __P((struct hostent *, char *, int, int *));
+#endif
+void sethostent_r __P((int));
+void endhostent_r __P((void));
+
+#ifdef __GLIBC__
+int getnetbyname_r __P((const char *, struct netent *,
+ char *, size_t, struct netent **, int*));
+int getnetbyaddr_r __P((unsigned long int, int, struct netent *,
+ char *, size_t, struct netent **, int*));
+int getnetent_r __P((struct netent *, char *, size_t, struct netent **, int*));
+#else
+struct netent *getnetbyname_r __P((const char *, struct netent *,
+ char *, int));
+struct netent *getnetbyaddr_r __P((long, int, struct netent *,
+ char *, int));
+struct netent *getnetent_r __P((struct netent *, char *, int));
+#endif
+void setnetent_r __P((int));
+void endnetent_r __P((void));
+
+#ifdef __GLIBC__
+int getprotobyname_r __P((const char *, struct protoent *, char *,
+ size_t, struct protoent **));
+int getprotobynumber_r __P((int, struct protoent *, char *, size_t,
+ struct protoent **));
+int getprotoent_r __P((struct protoent *, char *, size_t, struct protoent **));
+#else
+struct protoent *getprotobyname_r __P((const char *,
+ struct protoent *, char *, int));
+struct protoent *getprotobynumber_r __P((int,
+ struct protoent *, char *, int));
+struct protoent *getprotoent_r __P((struct protoent *, char *, int));
+#endif
+void setprotoent_r __P((int));
+void endprotoent_r __P((void));
+
+#ifdef __GLIBC__
+int getservbyname_r __P((const char *name, const char *,
+ struct servent *, char *, size_t, struct servent **));
+int getservbyport_r __P((int port, const char *,
+ struct servent *, char *, size_t, struct servent **));
+int getservent_r __P((struct servent *, char *, size_t, struct servent **));
+#else
+struct servent *getservbyname_r __P((const char *name, const char *,
+ struct servent *, char *, int));
+struct servent *getservbyport_r __P((int port, const char *,
+ struct servent *, char *, int));
+struct servent *getservent_r __P((struct servent *, char *, int));
+#endif
+void setservent_r __P((int));
+void endservent_r __P((void));
+
+#ifdef __GLIBC__
+int getnetgrent_r __P((char **, char **, char **, char *, size_t));
+#endif
+
+#endif
+#endif
+__END_DECLS
+
+/* This is nec'y to make this include file properly replace the sun version. */
+#ifdef sun
+#ifdef __GNU_LIBRARY__
+#include <rpc/netdb.h>
+#else
+struct rpcent {
+ char *r_name; /* name of server for this rpc program */
+ char **r_aliases; /* alias list */
+ int r_number; /* rpc program number */
+};
+struct rpcent *getrpcbyname(), *getrpcbynumber(), *getrpcent();
+#endif /* __GNU_LIBRARY__ */
+#endif /* sun */
+
+#endif /* !_NETDB_H_ */
diff --git a/contrib/bind9/lib/bind/include/netgroup.h b/contrib/bind9/lib/bind/include/netgroup.h
new file mode 100644
index 0000000..2296208
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/netgroup.h
@@ -0,0 +1,24 @@
+#ifndef netgroup_h
+#define netgroup_h
+#ifndef __GLIBC__
+
+/*
+ * The standard is crazy. These values "belong" to getnetgrent() and
+ * shouldn't be altered by the caller.
+ */
+int getnetgrent __P((/* const */ char **, /* const */ char **,
+ /* const */ char **));
+
+int getnetgrent_r __P((char **, char **, char **, char *, int));
+
+void endnetgrent __P((void));
+
+#ifdef __osf__
+int innetgr __P((char *, char *, char *, char *));
+void setnetgrent __P((char *));
+#else
+void setnetgrent __P((const char *));
+int innetgr __P((const char *, const char *, const char *, const char *));
+#endif
+#endif
+#endif
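Review bot: netgroup.h is not self-contained: every prototype uses `__P((...))`, but the file includes nothing, so it compiles only when the includer has already pulled in the header that defines `__P` (resolv.h in this same import includes `<sys/cdefs.h>` before using it). Adding `#include <sys/cdefs.h>` right after `#define netgroup_h` would remove that ordering dependency. The prototypes are also outside `__BEGIN_DECLS`/`__END_DECLS`, unlike those in netdb.h and resolv.h, so a C++ includer would get C++ linkage for them. The res_update.h hunk that follows has the same gap around its `res_mkupdate` … `res_nupdate` prototypes.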
diff --git a/contrib/bind9/lib/bind/include/res_update.h b/contrib/bind9/lib/bind/include/res_update.h
new file mode 100644
index 0000000..07a37f3
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/res_update.h
@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: res_update.h,v 1.1.206.1 2004/03/09 08:33:29 marka Exp $
+ */
+
+#ifndef __RES_UPDATE_H
+#define __RES_UPDATE_H
+
+#include <sys/types.h>
+#include <arpa/nameser.h>
+#include <isc/list.h>
+#include <resolv.h>
+
+/*
+ * This RR-like structure is particular to UPDATE.
+ */
+struct ns_updrec {
+ LINK(struct ns_updrec) r_link, r_glink;
+ ns_sect r_section; /* ZONE/PREREQUISITE/UPDATE */
+ char * r_dname; /* owner of the RR */
+ ns_class r_class; /* class number */
+ ns_type r_type; /* type number */
+ u_int32_t r_ttl; /* time to live */
+ u_char * r_data; /* rdata fields as text string */
+ u_int r_size; /* size of r_data field */
+ int r_opcode; /* type of operation */
+ /* following fields for private use by the resolver/server routines */
+ struct databuf *r_dp; /* databuf to process */
+ struct databuf *r_deldp; /* databuf's deleted/overwritten */
+ u_int r_zone; /* zone number on server */
+};
+typedef struct ns_updrec ns_updrec;
+typedef LIST(ns_updrec) ns_updque;
+
+#define res_mkupdate __res_mkupdate
+#define res_update __res_update
+#define res_mkupdrec __res_mkupdrec
+#define res_freeupdrec __res_freeupdrec
+#define res_nmkupdate __res_nmkupdate
+#define res_nupdate __res_nupdate
+
+int res_mkupdate __P((ns_updrec *, u_char *, int));
+int res_update __P((ns_updrec *));
+ns_updrec * res_mkupdrec __P((int, const char *, u_int, u_int, u_long));
+void res_freeupdrec __P((ns_updrec *));
+int res_nmkupdate __P((res_state, ns_updrec *, u_char *, int));
+int res_nupdate __P((res_state, ns_updrec *, ns_tsig_key *));
+
+#endif /*__RES_UPDATE_H*/
diff --git a/contrib/bind9/lib/bind/include/resolv.h b/contrib/bind9/lib/bind/include/resolv.h
new file mode 100644
index 0000000..f4f3fa4
--- /dev/null
+++ b/contrib/bind9/lib/bind/include/resolv.h
@@ -0,0 +1,501 @@
+/*
+ * Copyright (c) 1983, 1987, 1989
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * @(#)resolv.h 8.1 (Berkeley) 6/2/93
+ * $Id: resolv.h,v 1.7.2.11.4.2 2004/06/25 00:41:05 marka Exp $
+ */
+
+#ifndef _RESOLV_H_
+#define _RESOLV_H_
+
+#include <sys/param.h>
+#if (!defined(BSD)) || (BSD < 199306)
+# include <sys/bitypes.h>
+#else
+# include <sys/types.h>
+#endif
+#include <sys/cdefs.h>
+#include <sys/socket.h>
+#include <stdio.h>
+#include <arpa/nameser.h>
+
+/*
+ * Revision information. This is the release date in YYYYMMDD format.
+ * It can change every day so the right thing to do with it is use it
+ * in preprocessor commands such as "#if (__RES > 19931104)". Do not
+ * compare for equality; rather, use it to determine whether your resolver
+ * is new enough to contain a certain feature.
+ */
+
+#define __RES 20030124
+
+/*
+ * This used to be defined in res_query.c, now it's in herror.c.
+ * [XXX no it's not. It's in irs/irs_data.c]
+ * It was
+ * never extern'd by any *.h file before it was placed here. For thread
+ * aware programs, the last h_errno value set is stored in res->h_errno.
+ *
+ * XXX: There doesn't seem to be a good reason for exposing RES_SET_H_ERRNO
+ * (and __h_errno_set) to the public via <resolv.h>.
+ * XXX: __h_errno_set is really part of IRS, not part of the resolver.
+ * If somebody wants to build and use a resolver that doesn't use IRS,
+ * what do they do? Perhaps something like
+ * #ifdef WANT_IRS
+ * # define RES_SET_H_ERRNO(r,x) __h_errno_set(r,x)
+ * #else
+ * # define RES_SET_H_ERRNO(r,x) (h_errno = (r)->res_h_errno = (x))
+ * #endif
+ */
+
+#define RES_SET_H_ERRNO(r,x) __h_errno_set(r,x)
+struct __res_state; /* forward */
+__BEGIN_DECLS
+void __h_errno_set(struct __res_state *res, int err);
+__END_DECLS
+
+/*
+ * Resolver configuration file.
+ * Normally not present, but may contain the address of the
+ * initial name server(s) to query and the domain search list.
+ */
+
+#ifndef _PATH_RESCONF
+#define _PATH_RESCONF "/etc/resolv.conf"
+#endif
+
+typedef enum { res_goahead, res_nextns, res_modified, res_done, res_error }
+ res_sendhookact;
+
+#ifndef __PMT
+#if defined(__STDC__) || defined(__cplusplus)
+#define __PMT(args) args
+#else
+#define __PMT(args) ()
+#endif
+#endif
+
+typedef res_sendhookact (*res_send_qhook)__PMT((struct sockaddr * const *,
+ const u_char **, int *,
+ u_char *, int, int *));
+
+typedef res_sendhookact (*res_send_rhook)__PMT((const struct sockaddr *,
+ const u_char *, int, u_char *,
+ int, int *));
+
+struct res_sym {
+ int number; /* Identifying number, like T_MX */
+ const char * name; /* Its symbolic name, like "MX" */
+ const char * humanname; /* Its fun name, like "mail exchanger" */
+};
+
+/*
+ * Global defines and variables for resolver stub.
+ */
+#define MAXNS 3 /* max # name servers we'll track */
+#define MAXDFLSRCH 3 /* # default domain levels to try */
+#define MAXDNSRCH 6 /* max # domains in search path */
+#define LOCALDOMAINPARTS 2 /* min levels in name that is "local" */
+
+#define RES_TIMEOUT 5 /* min. seconds between retries */
+#define MAXRESOLVSORT 10 /* number of net to sort on */
+#define RES_MAXNDOTS 15 /* should reflect bit field size */
+#define RES_MAXRETRANS 30 /* only for resolv.conf/RES_OPTIONS */
+#define RES_MAXRETRY 5 /* only for resolv.conf/RES_OPTIONS */
+#define RES_DFLRETRY 2 /* Default #/tries. */
+#define RES_MAXTIME 65535 /* Infinity, in milliseconds. */
+
+struct __res_state_ext;
+
+struct __res_state {
+ int retrans; /* retransmission time interval */
+ int retry; /* number of times to retransmit */
+#ifdef sun
+ u_int options; /* option flags - see below. */
+#else
+ u_long options; /* option flags - see below. */
+#endif
+ int nscount; /* number of name servers */
+ struct sockaddr_in
+ nsaddr_list[MAXNS]; /* address of name server */
+#define nsaddr nsaddr_list[0] /* for backward compatibility */
+ u_short id; /* current message id */
+ char *dnsrch[MAXDNSRCH+1]; /* components of domain to search */
+ char defdname[256]; /* default domain (deprecated) */
+#ifdef sun
+ u_int pfcode; /* RES_PRF_ flags - see below. */
+#else
+ u_long pfcode; /* RES_PRF_ flags - see below. */
+#endif
+ unsigned ndots:4; /* threshold for initial abs. query */
+ unsigned nsort:4; /* number of elements in sort_list[] */
+ char unused[3];
+ struct {
+ struct in_addr addr;
+ u_int32_t mask;
+ } sort_list[MAXRESOLVSORT];
+ res_send_qhook qhook; /* query hook */
+ res_send_rhook rhook; /* response hook */
+ int res_h_errno; /* last one set for this context */
+ int _vcsock; /* PRIVATE: for res_send VC i/o */
+ u_int _flags; /* PRIVATE: see below */
+ u_int _pad; /* make _u 64 bit aligned */
+ union {
+ /* On an 32-bit arch this means 512b total. */
+ char pad[72 - 4*sizeof (int) - 2*sizeof (void *)];
+ struct {
+ u_int16_t nscount;
+ u_int16_t nstimes[MAXNS]; /* ms. */
+ int nssocks[MAXNS];
+ struct __res_state_ext *ext; /* extention for IPv6 */
+ } _ext;
+ } _u;
+};
+
+typedef struct __res_state *res_state;
+
+union res_sockaddr_union {
+ struct sockaddr_in sin;
+#ifdef IN6ADDR_ANY_INIT
+ struct sockaddr_in6 sin6;
+#endif
+#ifdef ISC_ALIGN64
+ int64_t __align64; /* 64bit alignment */
+#else
+ int32_t __align32; /* 32bit alignment */
+#endif
+ char __space[128]; /* max size */
+};
+
+/*
+ * Resolver flags (used to be discrete per-module statics ints).
+ */
+#define RES_F_VC 0x00000001 /* socket is TCP */
+#define RES_F_CONN 0x00000002 /* socket is connected */
+#define RES_F_EDNS0ERR 0x00000004 /* EDNS0 caused errors */
+#define RES_F__UNUSED 0x00000008 /* (unused) */
+#define RES_F_LASTMASK 0x000000F0 /* ordinal server of last res_nsend */
+#define RES_F_LASTSHIFT 4 /* bit position of LASTMASK "flag" */
+#define RES_GETLAST(res) (((res)._flags & RES_F_LASTMASK) >> RES_F_LASTSHIFT)
+
+/* res_findzonecut2() options */
+#define RES_EXHAUSTIVE 0x00000001 /* always do all queries */
+#define RES_IPV4ONLY 0x00000002 /* IPv4 only */
+#define RES_IPV6ONLY 0x00000004 /* IPv6 only */
+
+/*
+ * Resolver options (keep these in synch with res_debug.c, please)
+ */
+#define RES_INIT 0x00000001 /* address initialized */
+#define RES_DEBUG 0x00000002 /* print debug messages */
+#define RES_AAONLY 0x00000004 /* authoritative answers only (!IMPL)*/
+#define RES_USEVC 0x00000008 /* use virtual circuit */
+#define RES_PRIMARY 0x00000010 /* query primary server only (!IMPL) */
+#define RES_IGNTC 0x00000020 /* ignore trucation errors */
+#define RES_RECURSE 0x00000040 /* recursion desired */
+#define RES_DEFNAMES 0x00000080 /* use default domain name */
+#define RES_STAYOPEN 0x00000100 /* Keep TCP socket open */
+#define RES_DNSRCH 0x00000200 /* search up local domain tree */
+#define RES_INSECURE1 0x00000400 /* type 1 security disabled */
+#define RES_INSECURE2 0x00000800 /* type 2 security disabled */
+#define RES_NOALIASES 0x00001000 /* shuts off HOSTALIASES feature */
+#define RES_USE_INET6 0x00002000 /* use/map IPv6 in gethostbyname() */
+#define RES_ROTATE 0x00004000 /* rotate ns list after each query */
+#define RES_NOCHECKNAME 0x00008000 /* do not check names for sanity. */
+#define RES_KEEPTSIG 0x00010000 /* do not strip TSIG records */
+#define RES_BLAST 0x00020000 /* blast all recursive servers */
+#define RES_NOTLDQUERY 0x00100000 /* don't unqualified name as a tld */
+#define RES_USE_DNSSEC 0x00200000 /* use DNSSEC using OK bit in OPT */
+/* #define RES_DEBUG2 0x00400000 */ /* nslookup internal */
+/* KAME extensions: use higher bit to avoid conflict with ISC use */
+#define RES_USE_DNAME 0x10000000 /* use DNAME */
+#define RES_USE_EDNS0 0x40000000 /* use EDNS0 if configured */
+#define RES_NO_NIBBLE2 0x80000000 /* disable alternate nibble lookup */
+
+#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | \
+ RES_DNSRCH | RES_NO_NIBBLE2)
+
+/*
+ * Resolver "pfcode" values. Used by dig.
+ */
+#define RES_PRF_STATS 0x00000001
+#define RES_PRF_UPDATE 0x00000002
+#define RES_PRF_CLASS 0x00000004
+#define RES_PRF_CMD 0x00000008
+#define RES_PRF_QUES 0x00000010
+#define RES_PRF_ANS 0x00000020
+#define RES_PRF_AUTH 0x00000040
+#define RES_PRF_ADD 0x00000080
+#define RES_PRF_HEAD1 0x00000100
+#define RES_PRF_HEAD2 0x00000200
+#define RES_PRF_TTLID 0x00000400
+#define RES_PRF_HEADX 0x00000800
+#define RES_PRF_QUERY 0x00001000
+#define RES_PRF_REPLY 0x00002000
+#define RES_PRF_INIT 0x00004000
+#define RES_PRF_TRUNC 0x00008000
+/* 0x00010000 */
+
+/* Things involving an internal (static) resolver context. */
+#ifdef _REENTRANT
+__BEGIN_DECLS
+extern struct __res_state *__res_state(void);
+__END_DECLS
+#define _res (*__res_state())
+#else
+#ifndef __BIND_NOSTATIC
+extern struct __res_state _res;
+#endif
+#endif
+
+#ifndef __BIND_NOSTATIC
+#define fp_nquery __fp_nquery
+#define fp_query __fp_query
+#define hostalias __hostalias
+#define p_query __p_query
+#define res_close __res_close
+#define res_init __res_init
+#define res_isourserver __res_isourserver
+#define res_mkquery __res_mkquery
+#define res_query __res_query
+#define res_querydomain __res_querydomain
+#define res_search __res_search
+#define res_send __res_send
+#define res_sendsigned __res_sendsigned
+
+__BEGIN_DECLS
+void fp_nquery __P((const u_char *, int, FILE *));
+void fp_query __P((const u_char *, FILE *));
+const char * hostalias __P((const char *));
+void p_query __P((const u_char *));
+void res_close __P((void));
+int res_init __P((void));
+int res_isourserver __P((const struct sockaddr_in *));
+int res_mkquery __P((int, const char *, int, int, const u_char *,
+ int, const u_char *, u_char *, int));
+int res_query __P((const char *, int, int, u_char *, int));
+int res_querydomain __P((const char *, const char *, int, int,
+ u_char *, int));
+int res_search __P((const char *, int, int, u_char *, int));
+int res_send __P((const u_char *, int, u_char *, int));
+int res_sendsigned __P((const u_char *, int, ns_tsig_key *,
+ u_char *, int));
+__END_DECLS
+#endif
+
+#if !defined(SHARED_LIBBIND) || defined(LIB)
+/*
+ * If libbind is a shared object (well, DLL anyway)
+ * these externs break the linker when resolv.h is
+ * included by a lib client (like named)
+ * Make them go away if a client is including this
+ *
+ */
+extern const struct res_sym __p_key_syms[];
+extern const struct res_sym __p_cert_syms[];
+extern const struct res_sym __p_class_syms[];
+extern const struct res_sym __p_type_syms[];
+extern const struct res_sym __p_rcode_syms[];
+#endif /* SHARED_LIBBIND */
+
+#define b64_ntop __b64_ntop
+#define b64_pton __b64_pton
+#define dn_comp __dn_comp
+#define dn_count_labels __dn_count_labels
+#define dn_expand __dn_expand
+#define dn_skipname __dn_skipname
+#define fp_resstat __fp_resstat
+#define loc_aton __loc_aton
+#define loc_ntoa __loc_ntoa
+#define p_cdname __p_cdname
+#define p_cdnname __p_cdnname
+#define p_class __p_class
+#define p_fqname __p_fqname
+#define p_fqnname __p_fqnname
+#define p_option __p_option
+#define p_secstodate __p_secstodate
+#define p_section __p_section
+#define p_time __p_time
+#define p_type __p_type
+#define p_rcode __p_rcode
+#define p_sockun __p_sockun
+#define putlong __putlong
+#define putshort __putshort
+#define res_dnok __res_dnok
+#define res_findzonecut __res_findzonecut
+#define res_findzonecut2 __res_findzonecut2
+#define res_hnok __res_hnok
+#define res_hostalias __res_hostalias
+#define res_mailok __res_mailok
+#define res_nameinquery __res_nameinquery
+#define res_nclose __res_nclose
+#define res_ninit __res_ninit
+#define res_nmkquery __res_nmkquery
+#define res_pquery __res_pquery
+#define res_nquery __res_nquery
+#define res_nquerydomain __res_nquerydomain
+#define res_nsearch __res_nsearch
+#define res_nsend __res_nsend
+#define res_nsendsigned __res_nsendsigned
+#define res_nisourserver __res_nisourserver
+#define res_ownok __res_ownok
+#define res_queriesmatch __res_queriesmatch
+#define res_randomid __res_randomid
+#define sym_ntop __sym_ntop
+#define sym_ntos __sym_ntos
+#define sym_ston __sym_ston
+#define res_nopt __res_nopt
+#define res_ndestroy __res_ndestroy
+#define res_nametoclass __res_nametoclass
+#define res_nametotype __res_nametotype
+#define res_setservers __res_setservers
+#define res_getservers __res_getservers
+#define res_buildprotolist __res_buildprotolist
+#define res_destroyprotolist __res_destroyprotolist
+#define res_destroyservicelist __res_destroyservicelist
+#define res_get_nibblesuffix __res_get_nibblesuffix
+#define res_get_nibblesuffix2 __res_get_nibblesuffix2
+#define res_ourserver_p __res_ourserver_p
+#define res_protocolname __res_protocolname
+#define res_protocolnumber __res_protocolnumber
+#define res_send_setqhook __res_send_setqhook
+#define res_send_setrhook __res_send_setrhook
+#define res_servicename __res_servicename
+#define res_servicenumber __res_servicenumber
+__BEGIN_DECLS
+int res_hnok __P((const char *));
+int res_ownok __P((const char *));
+int res_mailok __P((const char *));
+int res_dnok __P((const char *));
+int sym_ston __P((const struct res_sym *, const char *, int *));
+const char * sym_ntos __P((const struct res_sym *, int, int *));
+const char * sym_ntop __P((const struct res_sym *, int, int *));
+int b64_ntop __P((u_char const *, size_t, char *, size_t));
+int b64_pton __P((char const *, u_char *, size_t));
+int loc_aton __P((const char *, u_char *));
+const char * loc_ntoa __P((const u_char *, char *));
+int dn_skipname __P((const u_char *, const u_char *));
+void putlong __P((u_int32_t, u_char *));
+void putshort __P((u_int16_t, u_char *));
+#ifndef __ultrix__
+u_int16_t _getshort __P((const u_char *));
+u_int32_t _getlong __P((const u_char *));
+#endif
+const char * p_class __P((int));
+const char * p_time __P((u_int32_t));
+const char * p_type __P((int));
+const char * p_rcode __P((int));
+const char * p_sockun __P((union res_sockaddr_union, char *, size_t));
+const u_char * p_cdnname __P((const u_char *, const u_char *, int, FILE *));
+const u_char * p_cdname __P((const u_char *, const u_char *, FILE *));
+const u_char * p_fqnname __P((const u_char *, const u_char *,
+ int, char *, int));
+const u_char * p_fqname __P((const u_char *, const u_char *, FILE *));
+const char * p_option __P((u_long));
+char * p_secstodate __P((u_long));
+int dn_count_labels __P((const char *));
+int dn_comp __P((const char *, u_char *, int,
+ u_char **, u_char **));
+int dn_expand __P((const u_char *, const u_char *, const u_char *,
+ char *, int));
+u_int res_randomid __P((void));
+int res_nameinquery __P((const char *, int, int, const u_char *,
+ const u_char *));
+int res_queriesmatch __P((const u_char *, const u_char *,
+ const u_char *, const u_char *));
+const char * p_section __P((int, int));
+/* Things involving a resolver context. */
+int res_ninit __P((res_state));
+int res_nisourserver __P((const res_state,
+ const struct sockaddr_in *));
+void fp_resstat __P((const res_state, FILE *));
+void res_pquery __P((const res_state, const u_char *, int, FILE *));
+const char * res_hostalias __P((const res_state, const char *,
+ char *, size_t));
+int res_nquery __P((res_state, const char *, int, int,
+ u_char *, int));
+int res_nsearch __P((res_state, const char *, int, int, u_char *,
+ int));
+int res_nquerydomain __P((res_state, const char *, const char *,
+ int, int, u_char *, int));
+int res_nmkquery __P((res_state, int, const char *, int, int,
+ const u_char *, int, const u_char *,
+ u_char *, int));
+int res_nsend __P((res_state, const u_char *, int, u_char *, int));
+int res_nsendsigned __P((res_state, const u_char *, int,
+ ns_tsig_key *, u_char *, int));
+int res_findzonecut __P((res_state, const char *, ns_class, int,
+ char *, size_t, struct in_addr *, int));
+int res_findzonecut2 __P((res_state, const char *, ns_class, int,
+ char *, size_t,
+ union res_sockaddr_union *, int));
+void res_nclose __P((res_state));
+int res_nopt __P((res_state, int, u_char *, int, int));
+void res_send_setqhook __P((res_send_qhook));
+void res_send_setrhook __P((res_send_rhook));
+int __res_vinit __P((res_state, int));
+void res_destroyservicelist __P((void));
+const char * res_servicename __P((u_int16_t, const char *));
+const char * res_protocolname __P((int));
+void res_destroyprotolist __P((void));
+void res_buildprotolist __P((void));
+const char * res_get_nibblesuffix __P((res_state));
+const char * res_get_nibblesuffix2 __P((res_state));
+void res_ndestroy __P((res_state));
+u_int16_t res_nametoclass __P((const char *, int *));
+u_int16_t res_nametotype __P((const char *, int *));
+void res_setservers __P((res_state,
+ const union res_sockaddr_union *, int));
+int res_getservers __P((res_state,
+ union res_sockaddr_union *, int));
+__END_DECLS
+
+#endif /* !_RESOLV_H_ */
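Review bot: The comments on `RES_INSECURE1` and `RES_INSECURE2` ("type 1 security disabled", "type 2 security disabled") do not say which reply check each bit switches off, which is what anyone auditing a caller's `options` needs to know. Judging by the helpers declared further down (`res_ourserver_p`, `res_queriesmatch`), they presumably gate the reply-source check and the query/reply match check in the send path; this should be confirmed against res_send.c, which is outside this hunk. If so, comments such as `/* accept replies from servers that were not queried */` and `/* accept replies whose question does not match the query */` would make the risk explicit. Neither bit is part of `RES_DEFAULT`, so both checks stay on unless a caller sets them.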
diff --git a/contrib/bind9/lib/bind/inet/Makefile.in b/contrib/bind9/lib/bind/inet/Makefile.in
new file mode 100644
index 0000000..96698fd
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/Makefile.in
@@ -0,0 +1,35 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:13:23 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+OBJS= inet_addr.@O@ inet_cidr_ntop.@O@ inet_cidr_pton.@O@ inet_data.@O@ \
+ inet_lnaof.@O@ inet_makeaddr.@O@ inet_net_ntop.@O@ inet_net_pton.@O@ \
+ inet_neta.@O@ inet_netof.@O@ inet_network.@O@ inet_ntoa.@O@ \
+ inet_ntop.@O@ inet_pton.@O@ nsap_addr.@O@
+
+SRCS= inet_addr.c inet_cidr_ntop.c inet_cidr_pton.c inet_data.c \
+ inet_lnaof.c inet_makeaddr.c inet_net_ntop.c inet_net_pton.c \
+ inet_neta.c inet_netof.c inet_network.c inet_ntoa.c \
+ inet_ntop.c inet_pton.c nsap_addr.c
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/inet/inet_addr.c b/contrib/bind9/lib/bind/inet/inet_addr.c
new file mode 100644
index 0000000..b967dc2
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_addr.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (c) 1983, 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
+static const char rcsid[] = "$Id: inet_addr.c,v 1.2.206.2 2004/03/17 00:29:45 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+
+#include "port_after.h"
+
+/*
+ * Ascii internet address interpretation routine.
+ * The value returned is in network order.
+ */
+u_long
+inet_addr(const char *cp) {
+ struct in_addr val;
+
+ if (inet_aton(cp, &val))
+ return (val.s_addr);
+ return (INADDR_NONE);
+}
+
+/*
+ * Check whether "cp" is a valid ascii representation
+ * of an Internet address and convert to a binary address.
+ * Returns 1 if the address is valid, 0 if not.
+ * This replaces inet_addr, the return value from which
+ * cannot distinguish between failure and a local broadcast address.
+ */
+int
+inet_aton(const char *cp, struct in_addr *addr) {
+ u_long val;
+ int base, n;
+ char c;
+ u_int8_t parts[4];
+ u_int8_t *pp = parts;
+ int digit;
+
+ c = *cp;
+ for (;;) {
+ /*
+ * Collect number up to ``.''.
+ * Values are specified as for C:
+ * 0x=hex, 0=octal, isdigit=decimal.
+ */
+ if (!isdigit((unsigned char)c))
+ return (0);
+ val = 0; base = 10; digit = 0;
+ if (c == '0') {
+ c = *++cp;
+ if (c == 'x' || c == 'X')
+ base = 16, c = *++cp;
+ else {
+ base = 8;
+ digit = 1 ;
+ }
+ }
+ for (;;) {
+ if (isascii(c) && isdigit((unsigned char)c)) {
+ if (base == 8 && (c == '8' || c == '9'))
+ return (0);
+ val = (val * base) + (c - '0');
+ c = *++cp;
+ digit = 1;
+ } else if (base == 16 && isascii(c) &&
+ isxdigit((unsigned char)c)) {
+ val = (val << 4) |
+ (c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
+ c = *++cp;
+ digit = 1;
+ } else
+ break;
+ }
+ if (c == '.') {
+ /*
+ * Internet format:
+ * a.b.c.d
+ * a.b.c (with c treated as 16 bits)
+ * a.b (with b treated as 24 bits)
+ */
+ if (pp >= parts + 3 || val > 0xffU)
+ return (0);
+ *pp++ = val;
+ c = *++cp;
+ } else
+ break;
+ }
+ /*
+ * Check for trailing characters.
+ */
+ if (c != '\0' && (!isascii(c) || !isspace((unsigned char)c)))
+ return (0);
+ /*
+ * Did we get a valid digit?
+ */
+ if (!digit)
+ return (0);
+ /*
+ * Concoct the address according to
+ * the number of parts specified.
+ */
+ n = pp - parts + 1;
+ switch (n) {
+ case 1: /* a -- 32 bits */
+ break;
+
+ case 2: /* a.b -- 8.24 bits */
+ if (val > 0xffffffU)
+ return (0);
+ val |= parts[0] << 24;
+ break;
+
+ case 3: /* a.b.c -- 8.8.16 bits */
+ if (val > 0xffffU)
+ return (0);
+ val |= (parts[0] << 24) | (parts[1] << 16);
+ break;
+
+ case 4: /* a.b.c.d -- 8.8.8.8 bits */
+ if (val > 0xffU)
+ return (0);
+ val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+ break;
+ }
+ if (addr != NULL)
+ addr->s_addr = htonl(val);
+ return (1);
+}
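Review bot: The digit-accumulation loop in inet_aton() (`val = (val * base) + (c - '0')`) never checks for overflow, and `case 1` of the final switch has no range check, so an over-long single-number input can wrap or, where u_long is wider than 32 bits, be silently truncated by htonl() instead of being rejected. I would add `if (val > 0xffffffffU) return (0);` to `case 1` and reject inside the loop as soon as val no longer fits in 32 bits. The trailing-character test also accepts any text after the first whitespace character, so callers that use inet_aton() to validate input should not read success as proof that the whole string is an address.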
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c b/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
new file mode 100644
index 0000000..184ad7c
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_cidr_ntop.c
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_cidr_ntop.c,v 1.1.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+static char * inet_cidr_ntop_ipv4 __P((const u_char *src, int bits,
+ char *dst, size_t size));
+static char * inet_cidr_ntop_ipv6 __P((const u_char *src, int bits,
+ char *dst, size_t size));
+
+/*
+ * char *
+ * inet_cidr_ntop(af, src, bits, dst, size)
+ * convert network address from network to presentation format.
+ * "src"'s size is determined from its "af".
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * note:
+ * 192.5.5.1/28 has a nonzero host part, which means it isn't a network
+ * as called for by inet_net_ntop() but it can be a host address with
+ * an included netmask.
+ * author:
+ * Paul Vixie (ISC), October 1998
+ */
+char *
+inet_cidr_ntop(int af, const void *src, int bits, char *dst, size_t size) {
+ switch (af) {
+ case AF_INET:
+ return (inet_cidr_ntop_ipv4(src, bits, dst, size));
+ case AF_INET6:
+ return (inet_cidr_ntop_ipv6(src, bits, dst, size));
+ default:
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+}
+
+static int
+decoct(const u_char *src, int bytes, char *dst, size_t size) {
+ char *odst = dst;
+ char *t;
+ int b;
+
+ for (b = 1; b <= bytes; b++) {
+ if (size < sizeof "255.")
+ return (0);
+ t = dst;
+ dst += SPRINTF((dst, "%u", *src++));
+ if (b != bytes) {
+ *dst++ = '.';
+ *dst = '\0';
+ }
+ size -= (size_t)(dst - t);
+ }
+ return (dst - odst);
+}
+
+/*
+ * static char *
+ * inet_cidr_ntop_ipv4(src, bits, dst, size)
+ * convert IPv4 network address from network to presentation format.
+ * "src"'s size is determined from its "af".
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * note:
+ * network byte order assumed. this means 192.5.5.240/28 has
+ * 0b11110000 in its fourth octet.
+ * author:
+ * Paul Vixie (ISC), October 1998
+ */
+static char *
+inet_cidr_ntop_ipv4(const u_char *src, int bits, char *dst, size_t size) {
+ char *odst = dst;
+ size_t len = 4;
+ size_t b;
+ size_t bytes;
+
+ if ((bits < -1) || (bits > 32)) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ /* Find number of significant bytes in address. */
+ if (bits == -1)
+ len = 4;
+ else
+ for (len = 1, b = 1 ; b < 4U; b++)
+ if (*(src + b))
+ len = b + 1;
+
+ /* Format whole octets plus nonzero trailing octets. */
+ bytes = (((bits <= 0) ? 1 : bits) + 7) / 8;
+ if (len > bytes)
+ bytes = len;
+ b = decoct(src, bytes, dst, size);
+ if (b == 0U)
+ goto emsgsize;
+ dst += b;
+ size -= b;
+
+ if (bits != -1) {
+ /* Format CIDR /width. */
+ if (size < sizeof "/32")
+ goto emsgsize;
+ dst += SPRINTF((dst, "/%u", bits));
+ }
+
+ return (odst);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (NULL);
+}
+
+static char *
+inet_cidr_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
+ /*
+ * Note that int32_t and int16_t need only be "at least" large enough
+ * to contain a value of the specified size. On some systems, like
+ * Crays, there is no such thing as an integer variable with 16 bits.
+ * Keep this in mind if you think this function should have been coded
+ * to use pointer overlays. All the world's not a VAX.
+ */
+ char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255/128"];
+ char *tp;
+ struct { int base, len; } best, cur;
+ u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
+ int i;
+
+ if ((bits < -1) || (bits > 128)) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ /*
+ * Preprocess:
+ * Copy the input (bytewise) array into a wordwise array.
+ * Find the longest run of 0x00's in src[] for :: shorthanding.
+ */
+ memset(words, '\0', sizeof words);
+ for (i = 0; i < NS_IN6ADDRSZ; i++)
+ words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+ best.base = -1;
+ cur.base = -1;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ if (words[i] == 0) {
+ if (cur.base == -1)
+ cur.base = i, cur.len = 1;
+ else
+ cur.len++;
+ } else {
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ cur.base = -1;
+ }
+ }
+ }
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ }
+ if (best.base != -1 && best.len < 2)
+ best.base = -1;
+
+ /*
+ * Format the result.
+ */
+ tp = tmp;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ /* Are we inside the best run of 0x00's? */
+ if (best.base != -1 && i >= best.base &&
+ i < (best.base + best.len)) {
+ if (i == best.base)
+ *tp++ = ':';
+ continue;
+ }
+ /* Are we following an initial run of 0x00s or any real hex? */
+ if (i != 0)
+ *tp++ = ':';
+ /* Is this address an encapsulated IPv4? */
+ if (i == 6 && best.base == 0 && (best.len == 6 ||
+ (best.len == 7 && words[7] != 0x0001) ||
+ (best.len == 5 && words[5] == 0xffff))) {
+ int n;
+
+ if (src[15] || bits == -1 || bits > 120)
+ n = 4;
+ else if (src[14] || bits > 112)
+ n = 3;
+ else
+ n = 2;
+ n = decoct(src+12, n, tp, sizeof tmp - (tp - tmp));
+ if (n == 0) {
+ errno = EMSGSIZE;
+ return (NULL);
+ }
+ tp += strlen(tp);
+ break;
+ }
+ tp += SPRINTF((tp, "%x", words[i]));
+ }
+
+ /* Was it a trailing run of 0x00's? */
+ if (best.base != -1 && (best.base + best.len) ==
+ (NS_IN6ADDRSZ / NS_INT16SZ))
+ *tp++ = ':';
+ *tp = '\0';
+
+ if (bits != -1)
+ tp += SPRINTF((tp, "/%u", bits));
+
+ /*
+ * Check for overflow, copy, and we're done.
+ */
+ if ((size_t)(tp - tmp) > size) {
+ errno = EMSGSIZE;
+ return (NULL);
+ }
+ strcpy(dst, tmp);
+ return (dst);
+}
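Review bot: The final overflow check in inet_cidr_ntop_ipv6(), `if ((size_t)(tp - tmp) > size)`, compares the string length without its terminating NUL, so when the formatted text is exactly `size` characters long the strcpy() that follows writes one byte past the caller's buffer. The check should count the terminator: `if ((size_t)(tp - tmp) + 1 > size)`. inet_net_ntop_ipv6() in inet_net_ntop.c of this same import already does this with `strlen(outbuf) + 1 > size`.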
diff --git a/contrib/bind9/lib/bind/inet/inet_cidr_pton.c b/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
new file mode 100644
index 0000000..5bfef71
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_cidr_pton.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_cidr_pton.c,v 1.2.2.1.8.2 2004/03/17 00:29:46 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <isc/assertions.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+static int inet_cidr_pton_ipv4 __P((const char *src, u_char *dst,
+ int *bits, int ipv6));
+static int inet_cidr_pton_ipv6 __P((const char *src, u_char *dst,
+ int *bits));
+
+static int getbits(const char *, int ipv6);
+
+/*
+ * int
+ * inet_cidr_pton(af, src, dst, *bits)
+ * convert network address from presentation to network format.
+ * accepts inet_pton()'s input for this "af" plus trailing "/CIDR".
+ * "dst" is assumed large enough for its "af". "bits" is set to the
+ * /CIDR prefix length, which can have defaults (like /32 for IPv4).
+ * return:
+ * -1 if an error occurred (inspect errno; ENOENT means bad format).
+ * 0 if successful conversion occurred.
+ * note:
+ * 192.5.5.1/28 has a nonzero host part, which means it isn't a network
+ * as called for by inet_net_pton() but it can be a host address with
+ * an included netmask.
+ * author:
+ * Paul Vixie (ISC), October 1998
+ */
+int
+inet_cidr_pton(int af, const char *src, void *dst, int *bits) {
+ switch (af) {
+ case AF_INET:
+ return (inet_cidr_pton_ipv4(src, dst, bits, 0));
+ case AF_INET6:
+ return (inet_cidr_pton_ipv6(src, dst, bits));
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+}
+
+static const char digits[] = "0123456789";
+
+static int
+inet_cidr_pton_ipv4(const char *src, u_char *dst, int *pbits, int ipv6) {
+ const u_char *odst = dst;
+ int n, ch, tmp, bits;
+ size_t size = 4;
+
+ /* Get the mantissa. */
+ while (ch = *src++, (isascii(ch) && isdigit(ch))) {
+ tmp = 0;
+ do {
+ n = strchr(digits, ch) - digits;
+ INSIST(n >= 0 && n <= 9);
+ tmp *= 10;
+ tmp += n;
+ if (tmp > 255)
+ goto enoent;
+ } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch));
+ if (size-- == 0U)
+ goto emsgsize;
+ *dst++ = (u_char) tmp;
+ if (ch == '\0' || ch == '/')
+ break;
+ if (ch != '.')
+ goto enoent;
+ }
+
+ /* Get the prefix length if any. */
+ bits = -1;
+ if (ch == '/' && dst > odst) {
+ bits = getbits(src, ipv6);
+ if (bits == -2)
+ goto enoent;
+ } else if (ch != '\0')
+ goto enoent;
+
+ /* Prefix length can default to /32 only if all four octets spec'd. */
+ if (bits == -1) {
+ if (dst - odst == 4)
+ bits = ipv6 ? 128 : 32;
+ else
+ goto enoent;
+ }
+
+ /* If nothing was written to the destination, we found no address. */
+ if (dst == odst)
+ goto enoent;
+
+ /* If prefix length overspecifies mantissa, life is bad. */
+ if (((bits - (ipv6 ? 96 : 0)) / 8) > (dst - odst))
+ goto enoent;
+
+ /* Extend address to four octets. */
+ while (size-- > 0U)
+ *dst++ = 0;
+
+ *pbits = bits;
+ return (0);
+
+ enoent:
+ errno = ENOENT;
+ return (-1);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (-1);
+}
+
+static int
+inet_cidr_pton_ipv6(const char *src, u_char *dst, int *pbits) {
+ static const char xdigits_l[] = "0123456789abcdef",
+ xdigits_u[] = "0123456789ABCDEF";
+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *xdigits, *curtok;
+ int ch, saw_xdigit;
+ u_int val;
+ int bits;
+
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ return (0);
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ bits = -1;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+ pch = strchr((xdigits = xdigits_u), ch);
+ if (pch != NULL) {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (val > 0xffff)
+ return (0);
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':') {
+ curtok = src;
+ if (!saw_xdigit) {
+ if (colonp)
+ return (0);
+ colonp = tp;
+ continue;
+ } else if (*src == '\0') {
+ return (0);
+ }
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ saw_xdigit = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ inet_cidr_pton_ipv4(curtok, tp, &bits, 1) == 0) {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ if (ch == '/') {
+ bits = getbits(src, 1);
+ if (bits == -2)
+ goto enoent;
+ break;
+ }
+ goto enoent;
+ }
+ if (saw_xdigit) {
+ if (tp + NS_INT16SZ > endp)
+ goto emsgsize;
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ }
+ if (colonp != NULL) {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = tp - colonp;
+ int i;
+
+ if (tp == endp)
+ goto enoent;
+ for (i = 1; i <= n; i++) {
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+
+ *pbits = bits;
+ return (0);
+
+ enoent:
+ errno = ENOENT;
+ return (-1);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (-1);
+}
+
+static int
+getbits(const char *src, int ipv6) {
+ int bits = 0;
+ char *cp, ch;
+
+ if (*src == '\0') /* syntax */
+ return (-2);
+ do {
+ ch = *src++;
+ cp = strchr(digits, ch);
+ if (cp == NULL) /* syntax */
+ return (-2);
+ bits *= 10;
+ bits += cp - digits;
+ if (bits == 0 && *src != '\0') /* no leading zeros */
+ return (-2);
+ if (bits > (ipv6 ? 128 : 32)) /* range error */
+ return (-2);
+ } while (*src != '\0');
+
+ return (bits);
+}
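Review bot: inet_cidr_pton_ipv6() reports success on several malformed inputs. The `return (0);` statements for a lone leading ':', a group above 0xffff, a second '::', a trailing ':' and too many groups all return 0, which the header comment of inet_cidr_pton() defines as a successful conversion, while `dst` and `*pbits` have not been written. A caller that trusts the return value then works with an uninitialised address and prefix length. Each of these should be `goto enoent;` (or `goto emsgsize;` for the `tp + NS_INT16SZ > endp` case), matching the error paths later in the function.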
diff --git a/contrib/bind9/lib/bind/inet/inet_data.c b/contrib/bind9/lib/bind/inet/inet_data.c
new file mode 100644
index 0000000..e586297
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_data.c
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] = "$Id: inet_data.c,v 1.2.206.1 2004/03/09 08:33:32 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "port_after.h"
+
+const struct in6_addr isc_in6addr_any = IN6ADDR_ANY_INIT;
+const struct in6_addr isc_in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind9/lib/bind/inet/inet_lnaof.c b/contrib/bind9/lib/bind/inet/inet_lnaof.c
new file mode 100644
index 0000000..97b80cf
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_lnaof.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_lnaof.c 8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "port_after.h"
+
+/*
+ * Return the local network address portion of an
+ * internet address; handles class a/b/c network
+ * number formats.
+ */
+u_long
+inet_lnaof(in)
+ struct in_addr in;
+{
+ register u_long i = ntohl(in.s_addr);
+
+ if (IN_CLASSA(i))
+ return ((i)&IN_CLASSA_HOST);
+ else if (IN_CLASSB(i))
+ return ((i)&IN_CLASSB_HOST);
+ else
+ return ((i)&IN_CLASSC_HOST);
+}
diff --git a/contrib/bind9/lib/bind/inet/inet_makeaddr.c b/contrib/bind9/lib/bind/inet/inet_makeaddr.c
new file mode 100644
index 0000000..1d20619
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_makeaddr.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_makeaddr.c 8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "port_after.h"
+
+/*
+ * Formulate an Internet address from network + host. Used in
+ * building addresses stored in the ifnet structure.
+ */
+struct in_addr
+inet_makeaddr(net, host)
+ u_long net, host;
+{
+ u_long addr;
+
+ if (net < 128U)
+ addr = (net << IN_CLASSA_NSHIFT) | (host & IN_CLASSA_HOST);
+ else if (net < 65536U)
+ addr = (net << IN_CLASSB_NSHIFT) | (host & IN_CLASSB_HOST);
+ else if (net < 16777216L)
+ addr = (net << IN_CLASSC_NSHIFT) | (host & IN_CLASSC_HOST);
+ else
+ addr = net | host;
+ addr = htonl(addr);
+ return (*(struct in_addr *)&addr);
+}
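Review bot: The return statement `return (*(struct in_addr *)&addr);` reinterprets a u_long as a struct in_addr, which reads only the leading bytes of the object. Where u_long is 64 bits on a big-endian machine those are presumably the zero high-order bytes, so the function would return 0.0.0.0, and the cast also violates strict aliasing. Building the struct explicitly avoids both: `struct in_addr a; a.s_addr = htonl(addr); return (a);`. The K&R-style definition could be converted to a prototype at the same time, as inet_addr.c already is.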
diff --git a/contrib/bind9/lib/bind/inet/inet_net_ntop.c b/contrib/bind9/lib/bind/inet/inet_net_ntop.c
new file mode 100644
index 0000000..f508629
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_net_ntop.c
@@ -0,0 +1,277 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_net_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:32 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+static char * inet_net_ntop_ipv4 __P((const u_char *src, int bits,
+ char *dst, size_t size));
+static char * inet_net_ntop_ipv6 __P((const u_char *src, int bits,
+ char *dst, size_t size));
+
+/*
+ * char *
+ * inet_net_ntop(af, src, bits, dst, size)
+ * convert network number from network to presentation format.
+ * generates CIDR style result always.
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * author:
+ * Paul Vixie (ISC), July 1996
+ */
+char *
+inet_net_ntop(af, src, bits, dst, size)
+ int af;
+ const void *src;
+ int bits;
+ char *dst;
+ size_t size;
+{
+ switch (af) {
+ case AF_INET:
+ return (inet_net_ntop_ipv4(src, bits, dst, size));
+ case AF_INET6:
+ return (inet_net_ntop_ipv6(src, bits, dst, size));
+ default:
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+}
+
+/*
+ * static char *
+ * inet_net_ntop_ipv4(src, bits, dst, size)
+ * convert IPv4 network number from network to presentation format.
+ * generates CIDR style result always.
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * note:
+ * network byte order assumed. this means 192.5.5.240/28 has
+ * 0b11110000 in its fourth octet.
+ * author:
+ * Paul Vixie (ISC), July 1996
+ */
+static char *
+inet_net_ntop_ipv4(src, bits, dst, size)
+ const u_char *src;
+ int bits;
+ char *dst;
+ size_t size;
+{
+ char *odst = dst;
+ char *t;
+ u_int m;
+ int b;
+
+ if (bits < 0 || bits > 32) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ if (bits == 0) {
+ if (size < sizeof "0")
+ goto emsgsize;
+ *dst++ = '0';
+ size--;
+ *dst = '\0';
+ }
+
+ /* Format whole octets. */
+ for (b = bits / 8; b > 0; b--) {
+ if (size <= sizeof "255.")
+ goto emsgsize;
+ t = dst;
+ dst += SPRINTF((dst, "%u", *src++));
+ if (b > 1) {
+ *dst++ = '.';
+ *dst = '\0';
+ }
+ size -= (size_t)(dst - t);
+ }
+
+ /* Format partial octet. */
+ b = bits % 8;
+ if (b > 0) {
+ if (size <= sizeof ".255")
+ goto emsgsize;
+ t = dst;
+ if (dst != odst)
+ *dst++ = '.';
+ m = ((1 << b) - 1) << (8 - b);
+ dst += SPRINTF((dst, "%u", *src & m));
+ size -= (size_t)(dst - t);
+ }
+
+ /* Format CIDR /width. */
+ if (size <= sizeof "/32")
+ goto emsgsize;
+ dst += SPRINTF((dst, "/%u", bits));
+ return (odst);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (NULL);
+}
+
+/*
+ * static char *
+ * inet_net_ntop_ipv6(src, bits, fakebits, dst, size)
+ * convert IPv6 network number from network to presentation format.
+ * generates CIDR style result always. Picks the shortest representation
+ * unless the IP is really IPv4.
+ * always prints specified number of bits (bits).
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * note:
+ * network byte order assumed. this means 192.5.5.240/28 has
+ * 0x11110000 in its fourth octet.
+ * author:
+ * Vadim Kogan (UCB), June 2001
+ * Original version (IPv4) by Paul Vixie (ISC), July 1996
+ */
+
+static char *
+inet_net_ntop_ipv6(const u_char *src, int bits, char *dst, size_t size) {
+ u_int m;
+ int b;
+ int p;
+ int zero_s, zero_l, tmp_zero_s, tmp_zero_l;
+ int i;
+ int is_ipv4 = 0;
+ unsigned char inbuf[16];
+ char outbuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255/128")];
+ char *cp;
+ int words;
+ u_char *s;
+
+ if (bits < 0 || bits > 128) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ cp = outbuf;
+
+ if (bits == 0) {
+ *cp++ = ':';
+ *cp++ = ':';
+ *cp = '\0';
+ } else {
+ /* Copy src to private buffer. Zero host part. */
+ p = (bits + 7) / 8;
+ memcpy(inbuf, src, p);
+ memset(inbuf + p, 0, 16 - p);
+ b = bits % 8;
+ if (b != 0) {
+ m = ~0 << (8 - b);
+ inbuf[p-1] &= m;
+ }
+
+ s = inbuf;
+
+ /* how many words need to be displayed in output */
+ words = (bits + 15) / 16;
+ if (words == 1)
+ words = 2;
+
+ /* Find the longest substring of zero's */
+ zero_s = zero_l = tmp_zero_s = tmp_zero_l = 0;
+ for (i = 0; i < (words * 2); i += 2) {
+ if ((s[i] | s[i+1]) == 0) {
+ if (tmp_zero_l == 0)
+ tmp_zero_s = i / 2;
+ tmp_zero_l++;
+ } else {
+ if (tmp_zero_l && zero_l < tmp_zero_l) {
+ zero_s = tmp_zero_s;
+ zero_l = tmp_zero_l;
+ tmp_zero_l = 0;
+ }
+ }
+ }
+
+ if (tmp_zero_l && zero_l < tmp_zero_l) {
+ zero_s = tmp_zero_s;
+ zero_l = tmp_zero_l;
+ }
+
+ if (zero_l != words && zero_s == 0 && ((zero_l == 6) ||
+ ((zero_l == 5 && s[10] == 0xff && s[11] == 0xff) ||
+ ((zero_l == 7 && s[14] != 0 && s[15] != 1)))))
+ is_ipv4 = 1;
+
+ /* Format whole words. */
+ for (p = 0; p < words; p++) {
+ if (zero_l != 0 && p >= zero_s && p < zero_s + zero_l) {
+ /* Time to skip some zeros */
+ if (p == zero_s)
+ *cp++ = ':';
+ if (p == words - 1)
+ *cp++ = ':';
+ s++;
+ s++;
+ continue;
+ }
+
+ if (is_ipv4 && p > 5 ) {
+ *cp++ = (p == 6) ? ':' : '.';
+ cp += SPRINTF((cp, "%u", *s++));
+ /* we can potentially drop the last octet */
+ if (p != 7 || bits > 120) {
+ *cp++ = '.';
+ cp += SPRINTF((cp, "%u", *s++));
+ }
+ } else {
+ if (cp != outbuf)
+ *cp++ = ':';
+ cp += SPRINTF((cp, "%x", *s * 256 + s[1]));
+ s += 2;
+ }
+ }
+ }
+ /* Format CIDR /width. */
+ SPRINTF((cp, "/%u", bits));
+ if (strlen(outbuf) + 1 > size)
+ goto emsgsize;
+ strcpy(dst, outbuf);
+
+ return (dst);
+
+emsgsize:
+ errno = EMSGSIZE;
+ return (NULL);
+}
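Review bot: In the zero-run search of inet_net_ntop_ipv6(), `tmp_zero_l = 0;` sits inside the `if (tmp_zero_l && zero_l < tmp_zero_l)` block, so a zero run that is not longer than the current best is never reset and keeps growing across the nonzero word that ended it. With an address such as 0:0:1:0:2:0:0:0 (constructed example) the stale run ends up recorded as the longest and a nonzero word is elided behind "::", so the printed prefix names a different network. That matters wherever the text is later parsed back, for instance into an access list, or relied on in a log. Move the reset out of the inner `if` so that `tmp_zero_l = 0;` runs on every nonzero word.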
diff --git a/contrib/bind9/lib/bind/inet/inet_net_pton.c b/contrib/bind9/lib/bind/inet/inet_net_pton.c
new file mode 100644
index 0000000..abecfc7
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_net_pton.c
@@ -0,0 +1,405 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_net_pton.c,v 1.4.2.1.8.2 2004/03/17 00:29:47 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <isc/assertions.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/*
+ * static int
+ * inet_net_pton_ipv4(src, dst, size)
+ * convert IPv4 network number from presentation to network format.
+ * accepts hex octets, hex strings, decimal octets, and /CIDR.
+ * "size" is in bytes and describes "dst".
+ * return:
+ * number of bits, either imputed classfully or specified with /CIDR,
+ * or -1 if some failure occurred (check errno). ENOENT means it was
+ * not an IPv4 network specification.
+ * note:
+ * network byte order assumed. this means 192.5.5.240/28 has
+ * 0b11110000 in its fourth octet.
+ * author:
+ * Paul Vixie (ISC), June 1996
+ */
+static int
+inet_net_pton_ipv4(const char *src, u_char *dst, size_t size) {
+ static const char xdigits[] = "0123456789abcdef";
+ static const char digits[] = "0123456789";
+ int n, ch, tmp = 0, dirty, bits;
+ const u_char *odst = dst;
+
+ ch = *src++;
+ if (ch == '0' && (src[0] == 'x' || src[0] == 'X')
+ && isascii((unsigned char)(src[1]))
+ && isxdigit((unsigned char)(src[1]))) {
+ /* Hexadecimal: Eat nybble string. */
+ if (size <= 0U)
+ goto emsgsize;
+ dirty = 0;
+ src++; /* skip x or X. */
+ while ((ch = *src++) != '\0' && isascii(ch) && isxdigit(ch)) {
+ if (isupper(ch))
+ ch = tolower(ch);
+ n = strchr(xdigits, ch) - xdigits;
+ INSIST(n >= 0 && n <= 15);
+ if (dirty == 0)
+ tmp = n;
+ else
+ tmp = (tmp << 4) | n;
+ if (++dirty == 2) {
+ if (size-- <= 0U)
+ goto emsgsize;
+ *dst++ = (u_char) tmp;
+ dirty = 0;
+ }
+ }
+ if (dirty) { /* Odd trailing nybble? */
+ if (size-- <= 0U)
+ goto emsgsize;
+ *dst++ = (u_char) (tmp << 4);
+ }
+ } else if (isascii(ch) && isdigit(ch)) {
+ /* Decimal: eat dotted digit string. */
+ for (;;) {
+ tmp = 0;
+ do {
+ n = strchr(digits, ch) - digits;
+ INSIST(n >= 0 && n <= 9);
+ tmp *= 10;
+ tmp += n;
+ if (tmp > 255)
+ goto enoent;
+ } while ((ch = *src++) != '\0' &&
+ isascii(ch) && isdigit(ch));
+ if (size-- <= 0U)
+ goto emsgsize;
+ *dst++ = (u_char) tmp;
+ if (ch == '\0' || ch == '/')
+ break;
+ if (ch != '.')
+ goto enoent;
+ ch = *src++;
+ if (!isascii(ch) || !isdigit(ch))
+ goto enoent;
+ }
+ } else
+ goto enoent;
+
+ bits = -1;
+ if (ch == '/' && isascii((unsigned char)(src[0])) &&
+ isdigit((unsigned char)(src[0])) && dst > odst) {
+ /* CIDR width specifier. Nothing can follow it. */
+ ch = *src++; /* Skip over the /. */
+ bits = 0;
+ do {
+ n = strchr(digits, ch) - digits;
+ INSIST(n >= 0 && n <= 9);
+ bits *= 10;
+ bits += n;
+ } while ((ch = *src++) != '\0' && isascii(ch) && isdigit(ch));
+ if (ch != '\0')
+ goto enoent;
+ if (bits > 32)
+ goto emsgsize;
+ }
+
+ /* Firey death and destruction unless we prefetched EOS. */
+ if (ch != '\0')
+ goto enoent;
+
+ /* If nothing was written to the destination, we found no address. */
+ if (dst == odst)
+ goto enoent;
+ /* If no CIDR spec was given, infer width from net class. */
+ if (bits == -1) {
+ if (*odst >= 240) /* Class E */
+ bits = 32;
+ else if (*odst >= 224) /* Class D */
+ bits = 8;
+ else if (*odst >= 192) /* Class C */
+ bits = 24;
+ else if (*odst >= 128) /* Class B */
+ bits = 16;
+ else /* Class A */
+ bits = 8;
+ /* If imputed mask is narrower than specified octets, widen. */
+ if (bits < ((dst - odst) * 8))
+ bits = (dst - odst) * 8;
+ /*
+ * If there are no additional bits specified for a class D
+ * address adjust bits to 4.
+ */
+ if (bits == 8 && *odst == 224)
+ bits = 4;
+ }
+ /* Extend network to cover the actual mask. */
+ while (bits > ((dst - odst) * 8)) {
+ if (size-- <= 0U)
+ goto emsgsize;
+ *dst++ = '\0';
+ }
+ return (bits);
+
+ enoent:
+ errno = ENOENT;
+ return (-1);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (-1);
+}
+
+static int
+getbits(const char *src, int *bitsp) {
+ static const char digits[] = "0123456789";
+ int n;
+ int val;
+ char ch;
+
+ val = 0;
+ n = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ pch = strchr(digits, ch);
+ if (pch != NULL) {
+ if (n++ != 0 && val == 0) /* no leading zeros */
+ return (0);
+ val *= 10;
+ val += (pch - digits);
+ if (val > 128) /* range */
+ return (0);
+ continue;
+ }
+ return (0);
+ }
+ if (n == 0)
+ return (0);
+ *bitsp = val;
+ return (1);
+}
+
+static int
+getv4(const char *src, u_char *dst, int *bitsp) {
+ static const char digits[] = "0123456789";
+ u_char *odst = dst;
+ int n;
+ u_int val;
+ char ch;
+
+ val = 0;
+ n = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ pch = strchr(digits, ch);
+ if (pch != NULL) {
+ if (n++ != 0 && val == 0) /* no leading zeros */
+ return (0);
+ val *= 10;
+ val += (pch - digits);
+ if (val > 255) /* range */
+ return (0);
+ continue;
+ }
+ if (ch == '.' || ch == '/') {
+ if (dst - odst > 3) /* too many octets? */
+ return (0);
+ *dst++ = val;
+ if (ch == '/')
+ return (getbits(src, bitsp));
+ val = 0;
+ n = 0;
+ continue;
+ }
+ return (0);
+ }
+ if (n == 0)
+ return (0);
+ if (dst - odst > 3) /* too many octets? */
+ return (0);
+ *dst++ = val;
+ return (1);
+}
+
+static int
+inet_net_pton_ipv6(const char *src, u_char *dst, size_t size) {
+ static const char xdigits_l[] = "0123456789abcdef",
+ xdigits_u[] = "0123456789ABCDEF";
+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *xdigits, *curtok;
+ int ch, saw_xdigit;
+ u_int val;
+ int digits;
+ int bits;
+ size_t bytes;
+ int words;
+ int ipv4;
+
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ goto enoent;
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ digits = 0;
+ bits = -1;
+ ipv4 = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+ pch = strchr((xdigits = xdigits_u), ch);
+ if (pch != NULL) {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (++digits > 4)
+ goto enoent;
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':') {
+ curtok = src;
+ if (!saw_xdigit) {
+ if (colonp)
+ goto enoent;
+ colonp = tp;
+ continue;
+ } else if (*src == '\0')
+ goto enoent;
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ saw_xdigit = 0;
+ digits = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ getv4(curtok, tp, &bits) > 0) {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ ipv4 = 1;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ if (ch == '/' && getbits(src, &bits) > 0)
+ break;
+ goto enoent;
+ }
+ if (saw_xdigit) {
+ if (tp + NS_INT16SZ > endp)
+ goto enoent;
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ }
+ if (bits == -1)
+ bits = 128;
+
+ words = (bits + 15) / 16;
+ if (words < 2)
+ words = 2;
+ if (ipv4)
+ words = 8;
+ endp = tmp + 2 * words;
+
+ if (colonp != NULL) {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = tp - colonp;
+ int i;
+
+ if (tp == endp)
+ goto enoent;
+ for (i = 1; i <= n; i++) {
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+ if (tp != endp)
+ goto enoent;
+
+ bytes = (bits + 7) / 8;
+ if (bytes > size)
+ goto emsgsize;
+ memcpy(dst, tmp, bytes);
+ return (bits);
+
+ enoent:
+ errno = ENOENT;
+ return (-1);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (-1);
+}
+
+/*
+ * int
+ * inet_net_pton(af, src, dst, size)
+ * convert network number from presentation to network format.
+ * accepts hex octets, hex strings, decimal octets, and /CIDR.
+ * "size" is in bytes and describes "dst".
+ * return:
+ * number of bits, either imputed classfully or specified with /CIDR,
+ * or -1 if some failure occurred (check errno). ENOENT means it was
+ * not a valid network specification.
+ * author:
+ * Paul Vixie (ISC), June 1996
+ */
+int
+inet_net_pton(int af, const char *src, void *dst, size_t size) {
+ switch (af) {
+ case AF_INET:
+ return (inet_net_pton_ipv4(src, dst, size));
+ case AF_INET6:
+ return (inet_net_pton_ipv6(src, dst, size));
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+}
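Review bot: In inet_net_pton_ipv6 the hand-rolled `::` shift rejects only `tp == endp`, but `endp` has just been lowered to `tmp + 2 * words` from the /prefix. When more groups were parsed than the prefix covers, `tp` can lie past `endp` and `endp[- i]` can index below `tmp`; the guard should read `if (tp >= endp) goto enoent;`. The `return (0);` in the `:` branch (taken when `tp + NS_INT16SZ > endp`) also bypasses `enoent`, so the caller gets 0, which looks like a valid prefix length, with errno unset and `dst` unwritten; `goto enoent;` would match the other failure paths. In inet_net_pton_ipv4 the /CIDR loop accumulates `bits` and only compares it with 32 after the loop, so a long digit string overflows the signed int; moving `if (bits > 32) goto emsgsize;` inside the loop avoids that.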
diff --git a/contrib/bind9/lib/bind/inet/inet_neta.c b/contrib/bind9/lib/bind/inet/inet_neta.c
new file mode 100644
index 0000000..325b7ce
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_neta.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_neta.c,v 1.1.206.1 2004/03/09 08:33:33 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/*
+ * char *
+ * inet_neta(src, dst, size)
+ * format a u_long network number into presentation format.
+ * return:
+ * pointer to dst, or NULL if an error occurred (check errno).
+ * note:
+ * format of ``src'' is as for inet_network().
+ * author:
+ * Paul Vixie (ISC), July 1996
+ */
+char *
+inet_neta(src, dst, size)
+ u_long src;
+ char *dst;
+ size_t size;
+{
+ char *odst = dst;
+ char *tp;
+
+ while (src & 0xffffffff) {
+ u_char b = (src & 0xff000000) >> 24;
+
+ src <<= 8;
+ if (b) {
+ if (size < sizeof "255.")
+ goto emsgsize;
+ tp = dst;
+ dst += SPRINTF((dst, "%u", b));
+ if (src != 0L) {
+ *dst++ = '.';
+ *dst = '\0';
+ }
+ size -= (size_t)(dst - tp);
+ }
+ }
+ if (dst == odst) {
+ if (size < sizeof "0.0.0.0")
+ goto emsgsize;
+ strcpy(dst, "0.0.0.0");
+ }
+ return (odst);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (NULL);
+}
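Review bot: In inet_neta the separator test `if (src != 0L)` looks at the whole `u_long`, while the loop condition masks with `0xffffffff`. Where `u_long` is wider than 32 bits, the bytes shifted above bit 31 keep `src` non-zero, so a '.' is appended after the last printed octet. Using the same mask in both places, `if (src & 0xffffffff) {`, keeps the output free of a trailing dot regardless of the width of `u_long`.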
diff --git a/contrib/bind9/lib/bind/inet/inet_netof.c b/contrib/bind9/lib/bind/inet/inet_netof.c
new file mode 100644
index 0000000..e887530
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_netof.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_netof.c 8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "port_after.h"
+
+/*
+ * Return the network number from an internet
+ * address; handles class a/b/c network #'s.
+ */
+u_long
+inet_netof(in)
+ struct in_addr in;
+{
+ register u_long i = ntohl(in.s_addr);
+
+ if (IN_CLASSA(i))
+ return (((i)&IN_CLASSA_NET) >> IN_CLASSA_NSHIFT);
+ else if (IN_CLASSB(i))
+ return (((i)&IN_CLASSB_NET) >> IN_CLASSB_NSHIFT);
+ else
+ return (((i)&IN_CLASSC_NET) >> IN_CLASSC_NSHIFT);
+}
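Review bot: The final `else` in inet_netof applies the class C mask to every address that is neither class A nor class B, which includes the class D and E ranges, while the header comment only says it "handles class a/b/c". A comment on that branch, e.g. `/* anything else, including class D/E, is treated as class C */`, would make the fallback explicit for callers that use the result in address checks. The function is also still a K&R-style definition with a `register` local; an ANSI definition `inet_netof(struct in_addr in)` would let the compiler check callers.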
diff --git a/contrib/bind9/lib/bind/inet/inet_network.c b/contrib/bind9/lib/bind/inet/inet_network.c
new file mode 100644
index 0000000..aaa50c8
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_network.c
@@ -0,0 +1,104 @@
+/*
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_network.c 8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <ctype.h>
+
+#include "port_after.h"
+
+/*
+ * Internet network address interpretation routine.
+ * The library routines call this routine to interpret
+ * network numbers.
+ */
+u_long
+inet_network(cp)
+ register const char *cp;
+{
+ register u_long val, base, n, i;
+ register char c;
+ u_long parts[4], *pp = parts;
+ int digit;
+
+again:
+ val = 0; base = 10; digit = 0;
+ if (*cp == '0')
+ digit = 1, base = 8, cp++;
+ if (*cp == 'x' || *cp == 'X')
+ base = 16, cp++;
+ while ((c = *cp) != 0) {
+ if (isdigit((unsigned char)c)) {
+ if (base == 8U && (c == '8' || c == '9'))
+ return (INADDR_NONE);
+ val = (val * base) + (c - '0');
+ cp++;
+ digit = 1;
+ continue;
+ }
+ if (base == 16U && isxdigit((unsigned char)c)) {
+ val = (val << 4) +
+ (c + 10 - (islower((unsigned char)c) ? 'a' : 'A'));
+ cp++;
+ digit = 1;
+ continue;
+ }
+ break;
+ }
+ if (!digit)
+ return (INADDR_NONE);
+ if (*cp == '.') {
+ if (pp >= parts + 4 || val > 0xffU)
+ return (INADDR_NONE);
+ *pp++ = val, cp++;
+ goto again;
+ }
+ if (*cp && !isspace(*cp&0xff))
+ return (INADDR_NONE);
+ *pp++ = val;
+ n = pp - parts;
+ if (n > 4U)
+ return (INADDR_NONE);
+ for (val = 0, i = 0; i < n; i++) {
+ val <<= 8;
+ val |= parts[i] & 0xff;
+ }
+ return (val);
+}
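Review bot: In inet_network the final `*pp++ = val;` runs before the `n > 4U` check, so when four dotted parts have already been stored (`pp == parts + 4`) it writes one element past the end of `parts[4]`; the count check that follows comes too late. Repeating the bound from the `.` branch just before that store, `if (pp >= parts + 4 || val > 0xffU) return (INADDR_NONE);`, closes this. It also range-checks the last part, which is currently only masked with `& 0xff`. Separately, a bare `0x` with no hex digits is accepted because the leading `0` has already set `digit = 1`.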
diff --git a/contrib/bind9/lib/bind/inet/inet_ntoa.c b/contrib/bind9/lib/bind/inet/inet_ntoa.c
new file mode 100644
index 0000000..7fad4b8
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_ntoa.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 1983, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)inet_ntoa.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: inet_ntoa.c,v 1.1 2001/03/29 06:31:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include "port_after.h"
+
+/*
+ * Convert network-format internet address
+ * to base 256 d.d.d.d representation.
+ */
+/*const*/ char *
+inet_ntoa(struct in_addr in) {
+ static char ret[18];
+
+ strcpy(ret, "[inet_ntoa error]");
+ (void) inet_ntop(AF_INET, &in, ret, sizeof ret);
+ return (ret);
+}
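Review bot: inet_ntoa returns a pointer to the function-local `static char ret[18]`, so each call overwrites the previous result and concurrent callers share one buffer; the header comment does not say so. A comment such as `/* returns a static buffer: not reentrant, overwritten by the next call; prefer inet_ntop() with a caller-supplied buffer */` would document the contract. Discarding the inet_ntop() result is acceptable only because `ret` is pre-filled with the error string, and that deserves a one-line comment as well.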
diff --git a/contrib/bind9/lib/bind/inet/inet_ntop.c b/contrib/bind9/lib/bind/inet/inet_ntop.c
new file mode 100644
index 0000000..6141407
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_ntop.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_ntop.c,v 1.1.2.1.8.1 2004/03/09 08:33:33 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static const char *inet_ntop4 __P((const u_char *src, char *dst, size_t size));
+static const char *inet_ntop6 __P((const u_char *src, char *dst, size_t size));
+
+/* char *
+ * inet_ntop(af, src, dst, size)
+ * convert a network format address to presentation format.
+ * return:
+ * pointer to presentation format address (`dst'), or NULL (see errno).
+ * author:
+ * Paul Vixie, 1996.
+ */
+const char *
+inet_ntop(af, src, dst, size)
+ int af;
+ const void *src;
+ char *dst;
+ size_t size;
+{
+ switch (af) {
+ case AF_INET:
+ return (inet_ntop4(src, dst, size));
+ case AF_INET6:
+ return (inet_ntop6(src, dst, size));
+ default:
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+ /* NOTREACHED */
+}
+
+/* const char *
+ * inet_ntop4(src, dst, size)
+ * format an IPv4 address
+ * return:
+ * `dst' (as a const)
+ * notes:
+ * (1) uses no statics
+ * (2) takes a u_char* not an in_addr as input
+ * author:
+ * Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop4(src, dst, size)
+ const u_char *src;
+ char *dst;
+ size_t size;
+{
+ static const char fmt[] = "%u.%u.%u.%u";
+ char tmp[sizeof "255.255.255.255"];
+
+ if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) >= size) {
+ errno = ENOSPC;
+ return (NULL);
+ }
+ strcpy(dst, tmp);
+ return (dst);
+}
+
+/* const char *
+ * inet_ntop6(src, dst, size)
+ * convert IPv6 binary address into presentation (printable) format
+ * author:
+ * Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop6(src, dst, size)
+ const u_char *src;
+ char *dst;
+ size_t size;
+{
+ /*
+ * Note that int32_t and int16_t need only be "at least" large enough
+ * to contain a value of the specified size. On some systems, like
+ * Crays, there is no such thing as an integer variable with 16 bits.
+ * Keep this in mind if you think this function should have been coded
+ * to use pointer overlays. All the world's not a VAX.
+ */
+ char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
+ struct { int base, len; } best, cur;
+ u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
+ int i;
+
+ /*
+ * Preprocess:
+ * Copy the input (bytewise) array into a wordwise array.
+ * Find the longest run of 0x00's in src[] for :: shorthanding.
+ */
+ memset(words, '\0', sizeof words);
+ for (i = 0; i < NS_IN6ADDRSZ; i++)
+ words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+ best.base = -1;
+ cur.base = -1;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ if (words[i] == 0) {
+ if (cur.base == -1)
+ cur.base = i, cur.len = 1;
+ else
+ cur.len++;
+ } else {
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ cur.base = -1;
+ }
+ }
+ }
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ }
+ if (best.base != -1 && best.len < 2)
+ best.base = -1;
+
+ /*
+ * Format the result.
+ */
+ tp = tmp;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ /* Are we inside the best run of 0x00's? */
+ if (best.base != -1 && i >= best.base &&
+ i < (best.base + best.len)) {
+ if (i == best.base)
+ *tp++ = ':';
+ continue;
+ }
+ /* Are we following an initial run of 0x00s or any real hex? */
+ if (i != 0)
+ *tp++ = ':';
+ /* Is this address an encapsulated IPv4? */
+ if (i == 6 && best.base == 0 && (best.len == 6 ||
+ (best.len == 7 && words[7] != 0x0001) ||
+ (best.len == 5 && words[5] == 0xffff))) {
+ if (!inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
+ return (NULL);
+ tp += strlen(tp);
+ break;
+ }
+ tp += SPRINTF((tp, "%x", words[i]));
+ }
+ /* Was it a trailing run of 0x00's? */
+ if (best.base != -1 && (best.base + best.len) ==
+ (NS_IN6ADDRSZ / NS_INT16SZ))
+ *tp++ = ':';
+ *tp++ = '\0';
+
+ /*
+ * Check for overflow, copy, and we're done.
+ */
+ if ((size_t)(tp - tmp) > size) {
+ errno = ENOSPC;
+ return (NULL);
+ }
+ strcpy(dst, tmp);
+ return (dst);
+}
diff --git a/contrib/bind9/lib/bind/inet/inet_pton.c b/contrib/bind9/lib/bind/inet/inet_pton.c
new file mode 100644
index 0000000..c7813f8
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/inet_pton.c
@@ -0,0 +1,222 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: inet_pton.c,v 1.2.206.1 2004/03/09 08:33:33 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <string.h>
+#include <errno.h>
+#include "port_after.h"
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4 __P((const char *src, u_char *dst));
+static int inet_pton6 __P((const char *src, u_char *dst));
+
+/* int
+ * inet_pton(af, src, dst)
+ * convert from presentation format (which usually means ASCII printable)
+ * to network format (which is usually some kind of binary format).
+ * return:
+ * 1 if the address was valid for the specified address family
+ * 0 if the address wasn't valid (`dst' is untouched in this case)
+ * -1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ * Paul Vixie, 1996.
+ */
+int
+inet_pton(af, src, dst)
+ int af;
+ const char *src;
+ void *dst;
+{
+ switch (af) {
+ case AF_INET:
+ return (inet_pton4(src, dst));
+ case AF_INET6:
+ return (inet_pton6(src, dst));
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+ /* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ * like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ * 1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ * does not touch `dst' unless it's returning 1.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton4(src, dst)
+ const char *src;
+ u_char *dst;
+{
+ static const char digits[] = "0123456789";
+ int saw_digit, octets, ch;
+ u_char tmp[NS_INADDRSZ], *tp;
+
+ saw_digit = 0;
+ octets = 0;
+ *(tp = tmp) = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr(digits, ch)) != NULL) {
+ u_int new = *tp * 10 + (pch - digits);
+
+ if (saw_digit && *tp == 0)
+ return (0);
+ if (new > 255)
+ return (0);
+ *tp = new;
+ if (!saw_digit) {
+ if (++octets > 4)
+ return (0);
+ saw_digit = 1;
+ }
+ } else if (ch == '.' && saw_digit) {
+ if (octets == 4)
+ return (0);
+ *++tp = 0;
+ saw_digit = 0;
+ } else
+ return (0);
+ }
+ if (octets < 4)
+ return (0);
+ memcpy(dst, tmp, NS_INADDRSZ);
+ return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ * convert presentation level address to network order binary form.
+ * return:
+ * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ * (1) does not touch `dst' unless it's returning 1.
+ * (2) :: in a full address is silently ignored.
+ * credit:
+ * inspired by Mark Andrews.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton6(src, dst)
+ const char *src;
+ u_char *dst;
+{
+ static const char xdigits_l[] = "0123456789abcdef",
+ xdigits_u[] = "0123456789ABCDEF";
+ u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *xdigits, *curtok;
+ int ch, saw_xdigit;
+ u_int val;
+
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ return (0);
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+ pch = strchr((xdigits = xdigits_u), ch);
+ if (pch != NULL) {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (val > 0xffff)
+ return (0);
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':') {
+ curtok = src;
+ if (!saw_xdigit) {
+ if (colonp)
+ return (0);
+ colonp = tp;
+ continue;
+ } else if (*src == '\0') {
+ return (0);
+ }
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ saw_xdigit = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ inet_pton4(curtok, tp) > 0) {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ return (0);
+ }
+ if (saw_xdigit) {
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (u_char) (val >> 8) & 0xff;
+ *tp++ = (u_char) val & 0xff;
+ }
+ if (colonp != NULL) {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = tp - colonp;
+ int i;
+
+ if (tp == endp)
+ return (0);
+ for (i = 1; i <= n; i++) {
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+ if (tp != endp)
+ return (0);
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+ return (1);
+}
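Review bot: inet_pton6 bounds each group only by value (`if (val > 0xffff) return (0);`), so a group with any number of leading zeros is accepted, whereas inet_net_pton_ipv6 in this same import counts digits with `if (++digits > 4) goto enoent;`. Accepting over-long groups means two parsers can disagree on whether a string is a valid address, which matters where textual addresses are validated in one place and parsed in another. A per-group digit counter, incremented in the hex-digit branch with `if (++digits > 4) return (0);` and reset to 0 wherever `val` is reset, would make the two functions consistent.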
diff --git a/contrib/bind9/lib/bind/inet/nsap_addr.c b/contrib/bind9/lib/bind/inet/nsap_addr.c
new file mode 100644
index 0000000..0b9108a
--- /dev/null
+++ b/contrib/bind9/lib/bind/inet/nsap_addr.c
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nsap_addr.c,v 1.2.206.1 2004/03/09 08:33:33 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+
+#include "port_after.h"
+
+static char
+xtob(int c) {
+ return (c - (((c >= '0') && (c <= '9')) ? '0' : '7'));
+}
+
+u_int
+inet_nsap_addr(const char *ascii, u_char *binary, int maxlen) {
+ u_char c, nib;
+ u_int len = 0;
+
+ if (ascii[0] != '0' || (ascii[1] != 'x' && ascii[1] != 'X'))
+ return (0);
+ ascii += 2;
+
+ while ((c = *ascii++) != '\0' && len < (u_int)maxlen) {
+ if (c == '.' || c == '+' || c == '/')
+ continue;
+ if (!isascii(c))
+ return (0);
+ if (islower(c))
+ c = toupper(c);
+ if (isxdigit(c)) {
+ nib = xtob(c);
+ c = *ascii++;
+ if (c != '\0') {
+ c = toupper(c);
+ if (isxdigit(c)) {
+ *binary++ = (nib << 4) | xtob(c);
+ len++;
+ } else
+ return (0);
+ }
+ else
+ return (0);
+ }
+ else
+ return (0);
+ }
+ return (len);
+}
+
+char *
+inet_nsap_ntoa(int binlen, const u_char *binary, char *ascii) {
+ int nib;
+ int i;
+ static char tmpbuf[2+255*3];
+ char *start;
+
+ if (ascii)
+ start = ascii;
+ else {
+ ascii = tmpbuf;
+ start = tmpbuf;
+ }
+
+ *ascii++ = '0';
+ *ascii++ = 'x';
+
+ if (binlen > 255)
+ binlen = 255;
+
+ for (i = 0; i < binlen; i++) {
+ nib = *binary >> 4;
+ *ascii++ = nib + (nib < 10 ? '0' : '7');
+ nib = *binary++ & 0x0f;
+ *ascii++ = nib + (nib < 10 ? '0' : '7');
+ if (((i % 2) == 0 && (i + 1) < binlen))
+ *ascii++ = '.';
+ }
+ *ascii = '\0';
+ return (start);
+}
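Review bot: In `inet_nsap_addr` the loop bound `len < (u_int)maxlen` converts a negative `maxlen` into a very large unsigned value, so the writes through `binary` are then limited only by the length of the input string. An early `if (maxlen < 0) return (0);` before the loop would close that without changing the result for valid callers. `inet_nsap_ntoa` takes no length for a caller-supplied `ascii` and returns the static `tmpbuf` when `ascii` is NULL, so it is not reentrant. Both facts deserve a header comment such as `/* ascii, if non-NULL, must hold at least 2+255*3 bytes; with NULL the result lives in a static buffer */`.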
diff --git a/contrib/bind9/lib/bind/irs/Makefile.in b/contrib/bind9/lib/bind/irs/Makefile.in
new file mode 100644
index 0000000..ed387d7
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/Makefile.in
@@ -0,0 +1,70 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.7.206.1 2004/03/06 08:13:23 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+WANT_IRS_THREADS_OBJS= gethostent_r.@O@ getnetgrent_r.@O@ \
+ getprotoent_r.@O@ getservent_r.@O@
+
+WANT_IRS_NISGR_OBJS= nis_gr.@O@
+WANT_IRS_GR_OBJS= dns_gr.@O@ irp_gr.@O@ lcl_gr.@O@ gen_gr.@O@ getgrent.@O@ \
+ @WANT_IRS_NISGR_OBJS@ @WANT_IRS_THREADSGR_OBJS@
+
+WANT_IRS_THREADSPW_OBJS=getpwent_r.@O@
+WANT_IRS_NISPW_OBJS= nis_pw.@O@
+WANT_IRS_DBPW_OBJS=irp_pw.@O@ lcl_pw.@O@
+WANT_IRS_PW_OBJS= dns_pw.@O@ gen_pw.@O@ getpwent.@O@ \
+ @WANT_IRS_DBPW_OBJS@ @WANT_IRS_NISPW_OBJS@ @WANT_IRS_THREADSPW_OBJS@
+
+WANT_IRS_NIS_OBJS= \
+ nis_ho.@O@ nis_ng.@O@ nis_nw.@O@ nis_pr.@O@ nis_sv.@O@
+
+OBJS= @WANT_IRS_GR_OBJS@ @WANT_IRS_NIS_OBJS@ @WANT_IRS_THREADS_OBJS@ \
+ @WANT_IRS_PW_OBJS@ \
+ dns.@O@ dns_ho.@O@ dns_nw.@O@ dns_pr.@O@ \
+ dns_sv.@O@ gai_strerror.@O@ gen.@O@ gen_ho.@O@ \
+ gen_ng.@O@ gen_nw.@O@ gen_pr.@O@ gen_sv.@O@ \
+ getaddrinfo.@O@ gethostent.@O@ \
+ getnameinfo.@O@ getnetent.@O@ getnetent_r.@O@ \
+ getnetgrent.@O@ getprotoent.@O@ getservent.@O@ \
+ hesiod.@O@ irp.@O@ irp_ho.@O@ irp_ng.@O@ irp_nw.@O@ \
+ irp_pr.@O@ irp_sv.@O@ irpmarshall.@O@ irs_data.@O@ \
+ lcl.@O@ lcl_ho.@O@ lcl_ng.@O@ lcl_nw.@O@ lcl_pr.@O@ \
+ lcl_sv.@O@ nis.@O@ nul_ng.@O@ util.@O@
+
+SRCS= dns.c dns_gr.c dns_ho.c dns_nw.c dns_pr.c dns_pw.c \
+ dns_sv.c gai_strerror.c gen.c gen_gr.c gen_ho.c \
+ gen_ng.c gen_nw.c gen_pr.c gen_pw.c gen_sv.c \
+ getaddrinfo.c getgrent.c gethostent.c \
+ getnameinfo.c getnetent.c getnetent_r.c \
+ getnetgrent.c getprotoent.c getpwent.c getservent.c \
+ hesiod.c irp.c irp_gr.c irp_ho.c irp_ng.c irp_nw.c \
+ irp_pr.c irp_pw.c irp_sv.c irpmarshall.c irs_data.c \
+ lcl.c lcl_gr.c lcl_ho.c lcl_ng.c lcl_nw.c lcl_pr.c \
+ lcl_pw.c lcl_sv.c nis.c nis_gr.c nis_ho.c nis_ng.c \
+ nis_nw.c nis_pr.c nis_pw.c nis_sv.c nul_ng.c \
+ util.c getgrent_r.c gethostent_r.c getnetgrent_r.c getprotoent_r.c \
+ getpwent_r.c getservent_r.c
+
+WANT_IRS_THREADSGR_OBJS=getgrent_r.@O@
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/irs/dns.c b/contrib/bind9/lib/bind/irs/dns.c
new file mode 100644
index 0000000..ab83b3e
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns.c
@@ -0,0 +1,153 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns.c,v 1.1.206.2 2004/03/17 00:29:47 marka Exp $";
+#endif
+
+/*
+ * dns.c --- this is the top-level accessor function for the dns
+ */
+
+#include "port_before.h"
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* forward */
+
+static void dns_close(struct irs_acc *);
+static struct __res_state * dns_res_get(struct irs_acc *);
+static void dns_res_set(struct irs_acc *, struct __res_state *,
+ void (*)(void *));
+
+/* public */
+
+struct irs_acc *
+irs_dns_acc(const char *options) {
+ struct irs_acc *acc;
+ struct dns_p *dns;
+
+ UNUSED(options);
+
+ if (!(acc = memget(sizeof *acc))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(acc, 0x5e, sizeof *acc);
+ if (!(dns = memget(sizeof *dns))) {
+ errno = ENOMEM;
+ memput(acc, sizeof *acc);
+ return (NULL);
+ }
+ memset(dns, 0x5e, sizeof *dns);
+ dns->res = NULL;
+ dns->free_res = NULL;
+ if (hesiod_init(&dns->hes_ctx) < 0) {
+ /*
+ * We allow the dns accessor class to initialize
+ * despite hesiod failing to initialize correctly,
+ * since dns host queries don't depend on hesiod.
+ */
+ dns->hes_ctx = NULL;
+ }
+ acc->private = dns;
+#ifdef WANT_IRS_GR
+ acc->gr_map = irs_dns_gr;
+#else
+ acc->gr_map = NULL;
+#endif
+#ifdef WANT_IRS_PW
+ acc->pw_map = irs_dns_pw;
+#else
+ acc->pw_map = NULL;
+#endif
+ acc->sv_map = irs_dns_sv;
+ acc->pr_map = irs_dns_pr;
+ acc->ho_map = irs_dns_ho;
+ acc->nw_map = irs_dns_nw;
+ acc->ng_map = irs_nul_ng;
+ acc->res_get = dns_res_get;
+ acc->res_set = dns_res_set;
+ acc->close = dns_close;
+ return (acc);
+}
+
+/* methods */
+static struct __res_state *
+dns_res_get(struct irs_acc *this) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+
+ if (dns->res == NULL) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (res == NULL)
+ return (NULL);
+ memset(dns->res, 0, sizeof *dns->res);
+ dns_res_set(this, res, free);
+ }
+
+ if ((dns->res->options & RES_INIT) == 0U &&
+ res_ninit(dns->res) < 0)
+ return (NULL);
+
+ return (dns->res);
+}
+
+static void
+dns_res_set(struct irs_acc *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+
+ if (dns->res && dns->free_res) {
+ res_nclose(dns->res);
+ (*dns->free_res)(dns->res);
+ }
+ dns->res = res;
+ dns->free_res = free_res;
+}
+
+static void
+dns_close(struct irs_acc *this) {
+ struct dns_p *dns;
+
+ dns = (struct dns_p *)this->private;
+ if (dns->res && dns->free_res)
+ (*dns->free_res)(dns->res);
+ if (dns->hes_ctx)
+ hesiod_end(dns->hes_ctx);
+ memput(dns, sizeof *dns);
+ memput(this, sizeof *this);
+}
+
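Review bot: `dns_res_get` clears the wrong pointer. Inside the `dns->res == NULL` branch it calls `memset(dns->res, 0, sizeof *dns->res)`, which writes through a NULL pointer, while the freshly allocated `res` stays uninitialised and its `options` field is then tested against `RES_INIT`. The line should be `memset(res, 0, sizeof *res);`. Separately, `dns_close` releases `dns->res` through `free_res` without the `res_nclose(dns->res)` that `dns_res_set` performs first, which looks like it could leave resolver sockets open; worth confirming against the resolver's ownership rules.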
diff --git a/contrib/bind9/lib/bind/irs/dns_gr.c b/contrib/bind9/lib/bind/irs/dns_gr.c
new file mode 100644
index 0000000..a35b10c
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_gr.c
@@ -0,0 +1,293 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:34 marka Exp $";
+#endif
+
+/*
+ * dns_gr.c --- this file contains the functions for accessing
+ * group information from Hesiod.
+ */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_GR
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <sys/param.h>
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* Types. */
+
+struct pvt {
+ /*
+ * This is our private accessor data. It has a shared hesiod context.
+ */
+ struct dns_p * dns;
+ /*
+ * Need space to store the entries read from the group file.
+ * The members list also needs space per member, and the
+ * strings making up the user names must be allocated
+ * somewhere. Rather than doing lots of small allocations,
+ * we keep one buffer and resize it as needed.
+ */
+ struct group group;
+ size_t nmemb; /* Malloc'd max index of gr_mem[]. */
+ char * membuf;
+ size_t membufsize;
+};
+
+/* Forward. */
+
+static struct group * gr_next(struct irs_gr *);
+static struct group * gr_byname(struct irs_gr *, const char *);
+static struct group * gr_bygid(struct irs_gr *, gid_t);
+static void gr_rewind(struct irs_gr *);
+static void gr_close(struct irs_gr *);
+static int gr_list(struct irs_gr *, const char *,
+ gid_t, gid_t *, int *);
+static void gr_minimize(struct irs_gr *);
+static struct __res_state * gr_res_get(struct irs_gr *);
+static void gr_res_set(struct irs_gr *,
+ struct __res_state *,
+ void (*)(void *));
+
+static struct group * get_hes_group(struct irs_gr *this,
+ const char *name,
+ const char *type);
+
+/* Public. */
+
+struct irs_gr *
+irs_dns_gr(struct irs_acc *this) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+ struct irs_gr *gr;
+ struct pvt *pvt;
+
+ if (!dns || !dns->hes_ctx) {
+ errno = ENODEV;
+ return (NULL);
+ }
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->dns = dns;
+ if (!(gr = memget(sizeof *gr))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(gr, 0x5e, sizeof *gr);
+ gr->private = pvt;
+ gr->next = gr_next;
+ gr->byname = gr_byname;
+ gr->bygid = gr_bygid;
+ gr->rewind = gr_rewind;
+ gr->close = gr_close;
+ gr->list = gr_list;
+ gr->minimize = gr_minimize;
+ gr->res_get = gr_res_get;
+ gr->res_set = gr_res_set;
+ return (gr);
+}
+
+/* methods */
+
+static void
+gr_close(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->group.gr_mem)
+ free(pvt->group.gr_mem);
+ if (pvt->membuf)
+ free(pvt->membuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct group *
+gr_next(struct irs_gr *this) {
+
+ UNUSED(this);
+
+ return (NULL);
+}
+
+static struct group *
+gr_byname(struct irs_gr *this, const char *name) {
+ return (get_hes_group(this, name, "group"));
+}
+
+static struct group *
+gr_bygid(struct irs_gr *this, gid_t gid) {
+ char name[32];
+
+ sprintf(name, "%ld", (long)gid);
+ return (get_hes_group(this, name, "gid"));
+}
+
+static void
+gr_rewind(struct irs_gr *this) {
+
+ UNUSED(this);
+
+ /* NOOP */
+}
+
+static int
+gr_list(struct irs_gr *this, const char *name,
+ gid_t basegid, gid_t *groups, int *ngroups)
+{
+ UNUSED(this);
+ UNUSED(name);
+ UNUSED(basegid);
+ UNUSED(groups);
+
+ *ngroups = 0;
+ /* There's some way to do this in Hesiod. */
+ return (-1);
+}
+
+static void
+gr_minimize(struct irs_gr *this) {
+
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private. */
+
+static struct group *
+get_hes_group(struct irs_gr *this, const char *name, const char *type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char **hes_list, *cp, **new;
+ size_t num_members = 0;
+ u_long t;
+
+ hes_list = hesiod_resolve(pvt->dns->hes_ctx, name, type);
+ if (!hes_list)
+ return (NULL);
+
+ /*
+ * Copy the returned hesiod string into storage space.
+ */
+ if (pvt->membuf)
+ free(pvt->membuf);
+ pvt->membuf = strdup(*hes_list);
+ hesiod_free_list(pvt->dns->hes_ctx, hes_list);
+
+ cp = pvt->membuf;
+ pvt->group.gr_name = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->group.gr_passwd = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ errno = 0;
+ t = strtoul(cp, NULL, 10);
+ if (errno == ERANGE)
+ goto cleanup;
+ pvt->group.gr_gid = (gid_t) t;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ cp++;
+
+ /*
+ * Parse the members out.
+ */
+ while (*cp) {
+ if (num_members+1 >= pvt->nmemb || pvt->group.gr_mem == NULL) {
+ pvt->nmemb += 10;
+ new = realloc(pvt->group.gr_mem,
+ pvt->nmemb * sizeof(char *));
+ if (new == NULL)
+ goto cleanup;
+ pvt->group.gr_mem = new;
+ }
+ pvt->group.gr_mem[num_members++] = cp;
+ if (!(cp = strchr(cp, ',')))
+ break;
+ *cp++ = '\0';
+ }
+ if (!pvt->group.gr_mem) {
+ pvt->group.gr_mem = malloc(sizeof(char*));
+ if (!pvt->group.gr_mem)
+ goto cleanup;
+ }
+ pvt->group.gr_mem[num_members] = NULL;
+
+ return (&pvt->group);
+
+ cleanup:
+ if (pvt->group.gr_mem) {
+ free(pvt->group.gr_mem);
+ pvt->group.gr_mem = NULL;
+ }
+ if (pvt->membuf) {
+ free(pvt->membuf);
+ pvt->membuf = NULL;
+ }
+ return (NULL);
+}
+
+static struct __res_state *
+gr_res_get(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ return (__hesiod_res_get(dns->hes_ctx));
+}
+
+static void
+gr_res_set(struct irs_gr *this, struct __res_state * res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ __hesiod_res_set(dns->hes_ctx, res, free_res);
+}
+
+#endif /* WANT_IRS_GR */
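Review bot: In `get_hes_group` the gid field of the Hesiod record is parsed with `strtoul(cp, NULL, 10)` and only `ERANGE` is checked, so an empty or non-numeric field in network-supplied data becomes `gr_gid` 0 instead of being rejected. Passing an end pointer and requiring digits followed by the separator fixes this: `t = strtoul(cp, &end, 10);` then `if (errno == ERANGE || end == cp || *end != ':') goto cleanup;`, with `char *end;` added to the declarations. The `(gid_t) t` cast can also truncate silently where `gid_t` is narrower than `u_long`. In the same function the result of `strdup(*hes_list)` is used by `strchr` without a NULL check; add `if (pvt->membuf == NULL) return (NULL);` after `hesiod_free_list`.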
diff --git a/contrib/bind9/lib/bind/irs/dns_ho.c b/contrib/bind9/lib/bind/irs/dns_ho.c
new file mode 100644
index 0000000..69b4b4f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_ho.c
@@ -0,0 +1,1150 @@
+/*
+ * Copyright (c) 1985, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* from gethostnamadr.c 8.1 (Berkeley) 6/4/93 */
+/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_ho.c,v 1.5.2.7.4.5 2004/08/24 00:32:15 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports. */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "dns_p.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) sprintf x
+#endif
+
+/* Definitions. */
+
+#define MAXALIASES 35
+#define MAXADDRS 35
+
+#define MAXPACKET (65535) /* Maximum TCP message size */
+
+#define BOUNDS_CHECK(ptr, count) \
+ if ((ptr) + (count) > eom) { \
+ had_error++; \
+ continue; \
+ } else (void)0
+
+typedef union {
+ HEADER hdr;
+ u_char buf[MAXPACKET];
+} querybuf;
+
+struct dns_res_target {
+ struct dns_res_target *next;
+ querybuf qbuf; /* query buffer */
+ u_char *answer; /* buffer to put answer */
+ int anslen; /* size of answer buffer */
+ int qclass, qtype; /* class and type of query */
+ int action; /* condition whether query is really issued */
+ char qname[MAXDNAME +1]; /* domain name */
+#if 0
+ int n; /* result length */
+#endif
+};
+enum {RESTGT_DOALWAYS, RESTGT_AFTERFAILURE, RESTGT_IGNORE};
+enum {RESQRY_SUCCESS, RESQRY_FAIL};
+
+struct pvt {
+ struct hostent host;
+ char * h_addr_ptrs[MAXADDRS + 1];
+ char * host_aliases[MAXALIASES];
+ char hostbuf[8*1024];
+ u_char host_addr[16]; /* IPv4 or IPv6 */
+ struct __res_state *res;
+ void (*free_res)(void *);
+};
+
+typedef union {
+ int32_t al;
+ char ac;
+} align;
+
+static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
+static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
+/* Note: the IPv6 loopback address is in the "tunnel" space */
+static const u_char v6local[] = { 0,0, 0,1 }; /* last 4 bytes of IPv6 addr */
+
+/* Forwards. */
+
+static void ho_close(struct irs_ho *this);
+static struct hostent * ho_byname(struct irs_ho *this, const char *name);
+static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
+ int af);
+static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ int len, int af);
+static struct hostent * ho_next(struct irs_ho *this);
+static void ho_rewind(struct irs_ho *this);
+static void ho_minimize(struct irs_ho *this);
+static struct __res_state * ho_res_get(struct irs_ho *this);
+static void ho_res_set(struct irs_ho *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
+ const struct addrinfo *pai);
+
+static void map_v4v6_hostent(struct hostent *hp, char **bp,
+ char *ep);
+static void addrsort(res_state, char **, int);
+static struct hostent * gethostans(struct irs_ho *this,
+ const u_char *ansbuf, int anslen,
+ const char *qname, int qtype,
+ int af, int size,
+ struct addrinfo **ret_aip,
+ const struct addrinfo *pai);
+static int add_hostent(struct pvt *pvt, char *bp, char **hap,
+ struct addrinfo *ai);
+static int init(struct irs_ho *this);
+
+/* Exports. */
+
+struct irs_ho *
+irs_dns_ho(struct irs_acc *this) {
+ struct irs_ho *ho;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+
+ if (!(ho = memget(sizeof *ho))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ho, 0x5e, sizeof *ho);
+ ho->private = pvt;
+ ho->close = ho_close;
+ ho->byname = ho_byname;
+ ho->byname2 = ho_byname2;
+ ho->byaddr = ho_byaddr;
+ ho->next = ho_next;
+ ho->rewind = ho_rewind;
+ ho->minimize = ho_minimize;
+ ho->res_get = ho_res_get;
+ ho->res_set = ho_res_set;
+ ho->addrinfo = ho_addrinfo;
+ return (ho);
+}
+
+/* Methods. */
+
+static void
+ho_close(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ho_minimize(this);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ if (pvt)
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct hostent *
+ho_byname(struct irs_ho *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (pvt->res->options & RES_USE_INET6) {
+ hp = ho_byname2(this, name, AF_INET6);
+ if (hp)
+ return (hp);
+ }
+ return (ho_byname2(this, name, AF_INET));
+}
+
+static struct hostent *
+ho_byname2(struct irs_ho *this, const char *name, int af)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp = NULL;
+ int n, size;
+ char tmp[NS_MAXDNAME];
+ const char *cp;
+ struct addrinfo ai;
+ struct dns_res_target *q, *p;
+ int querystate = RESQRY_FAIL;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ q = memget(sizeof(*q));
+ if (q == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ memset(q, 0, sizeof(q));
+
+ switch (af) {
+ case AF_INET:
+ size = INADDRSZ;
+ q->qclass = C_IN;
+ q->qtype = T_A;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->action = RESTGT_DOALWAYS;
+ break;
+ case AF_INET6:
+ size = IN6ADDRSZ;
+ q->qclass = C_IN;
+ q->qtype = T_AAAA;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->action = RESTGT_DOALWAYS;
+ break;
+ default:
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = EAFNOSUPPORT;
+ hp = NULL;
+ goto cleanup;
+ }
+
+ /*
+ * if there aren't any dots, it could be a user-level alias.
+ * this is also done in res_nquery() since we are not the only
+ * function that looks up host names.
+ */
+ if (!strchr(name, '.') && (cp = res_hostalias(pvt->res, name,
+ tmp, sizeof tmp)))
+ name = cp;
+
+ for (p = q; p; p = p->next) {
+ switch(p->action) {
+ case RESTGT_DOALWAYS:
+ break;
+ case RESTGT_AFTERFAILURE:
+ if (querystate == RESQRY_SUCCESS)
+ continue;
+ break;
+ case RESTGT_IGNORE:
+ continue;
+ }
+
+ if ((n = res_nsearch(pvt->res, name, p->qclass, p->qtype,
+ p->answer, p->anslen)) < 0) {
+ querystate = RESQRY_FAIL;
+ continue;
+ }
+
+ memset(&ai, 0, sizeof(ai));
+ ai.ai_family = af;
+ if ((hp = gethostans(this, p->answer, n, name, p->qtype,
+ af, size, NULL,
+ (const struct addrinfo *)&ai)) != NULL)
+ goto cleanup; /* no more loop is necessary */
+
+ querystate = RESQRY_FAIL;
+ continue;
+ }
+
+ cleanup:
+ if (q != NULL)
+ memput(q, sizeof(*q));
+ return(hp);
+}
+
+static struct hostent *
+ho_byaddr(struct irs_ho *this, const void *addr, int len, int af)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ const u_char *uaddr = addr;
+ char *qp;
+ struct hostent *hp = NULL;
+ struct addrinfo ai;
+ struct dns_res_target *q, *q2, *p;
+ int n, size, i;
+ int querystate = RESQRY_FAIL;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ q = memget(sizeof(*q));
+ q2 = memget(sizeof(*q2));
+ if (q == NULL || q2 == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ memset(q, 0, sizeof(q));
+ memset(q2, 0, sizeof(q2));
+
+ if (af == AF_INET6 && len == IN6ADDRSZ &&
+ (!memcmp(uaddr, mapped, sizeof mapped) ||
+ (!memcmp(uaddr, tunnelled, sizeof tunnelled) &&
+ memcmp(&uaddr[sizeof tunnelled], v6local, sizeof(v6local))))) {
+ /* Unmap. */
+ addr = (const char *)addr + sizeof mapped;
+ uaddr += sizeof mapped;
+ af = AF_INET;
+ len = INADDRSZ;
+ }
+ switch (af) {
+ case AF_INET:
+ size = INADDRSZ;
+ q->qclass = C_IN;
+ q->qtype = T_PTR;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->action = RESTGT_DOALWAYS;
+ break;
+ case AF_INET6:
+ size = IN6ADDRSZ;
+ q->qclass = C_IN;
+ q->qtype = T_PTR;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->next = q2;
+ q->action = RESTGT_DOALWAYS;
+ q2->qclass = C_IN;
+ q2->qtype = T_PTR;
+ q2->answer = q2->qbuf.buf;
+ q2->anslen = sizeof(q2->qbuf);
+ if ((pvt->res->options & RES_NO_NIBBLE2) != 0U)
+ q2->action = RESTGT_IGNORE;
+ else
+ q2->action = RESTGT_AFTERFAILURE;
+ break;
+ default:
+ errno = EAFNOSUPPORT;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ hp = NULL;
+ goto cleanup;
+ }
+ if (size > len) {
+ errno = EINVAL;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ hp = NULL;
+ goto cleanup;
+ }
+ switch (af) {
+ case AF_INET:
+ qp = q->qname;
+ (void) sprintf(qp, "%u.%u.%u.%u.in-addr.arpa",
+ (uaddr[3] & 0xff),
+ (uaddr[2] & 0xff),
+ (uaddr[1] & 0xff),
+ (uaddr[0] & 0xff));
+ break;
+ case AF_INET6:
+ if (q->action != RESTGT_IGNORE) {
+ const char *nibsuff = res_get_nibblesuffix(pvt->res);
+ qp = q->qname;
+ for (n = IN6ADDRSZ - 1; n >= 0; n--) {
+ i = SPRINTF((qp, "%x.%x.",
+ uaddr[n] & 0xf,
+ (uaddr[n] >> 4) & 0xf));
+ if (i != 4)
+ abort();
+ qp += i;
+ }
+ if (strlen(q->qname) + strlen(nibsuff) + 1 >
+ sizeof q->qname) {
+ errno = ENAMETOOLONG;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ hp = NULL;
+ goto cleanup;
+ }
+ strcpy(qp, nibsuff); /* (checked) */
+ }
+ if (q2->action != RESTGT_IGNORE) {
+ const char *nibsuff2 = res_get_nibblesuffix2(pvt->res);
+ qp = q2->qname;
+ for (n = IN6ADDRSZ - 1; n >= 0; n--) {
+ i = SPRINTF((qp, "%x.%x.",
+ uaddr[n] & 0xf,
+ (uaddr[n] >> 4) & 0xf));
+ if (i != 4)
+ abort();
+ qp += i;
+ }
+ if (strlen(q2->qname) + strlen(nibsuff2) + 1 >
+ sizeof q2->qname) {
+ errno = ENAMETOOLONG;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ hp = NULL;
+ goto cleanup;
+ }
+ strcpy(qp, nibsuff2); /* (checked) */
+ }
+ break;
+ default:
+ abort();
+ }
+
+ for (p = q; p; p = p->next) {
+ switch(p->action) {
+ case RESTGT_DOALWAYS:
+ break;
+ case RESTGT_AFTERFAILURE:
+ if (querystate == RESQRY_SUCCESS)
+ continue;
+ break;
+ case RESTGT_IGNORE:
+ continue;
+ }
+
+ if ((n = res_nquery(pvt->res, p->qname, p->qclass, p->qtype,
+ p->answer, p->anslen)) < 0) {
+ querystate = RESQRY_FAIL;
+ continue;
+ }
+
+ memset(&ai, 0, sizeof(ai));
+ ai.ai_family = af;
+ hp = gethostans(this, p->answer, n, p->qname, T_PTR, af, size,
+ NULL, (const struct addrinfo *)&ai);
+ if (!hp) {
+ querystate = RESQRY_FAIL;
+ continue;
+ }
+
+ memcpy(pvt->host_addr, addr, len);
+ pvt->h_addr_ptrs[0] = (char *)pvt->host_addr;
+ pvt->h_addr_ptrs[1] = NULL;
+ if (af == AF_INET && (pvt->res->options & RES_USE_INET6)) {
+ map_v4v6_address((char*)pvt->host_addr,
+ (char*)pvt->host_addr);
+ pvt->host.h_addrtype = AF_INET6;
+ pvt->host.h_length = IN6ADDRSZ;
+ }
+
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ goto cleanup; /* no more loop is necessary. */
+ }
+ hp = NULL; /* H_ERRNO was set by subroutines */
+
+ cleanup:
+ if (q != NULL)
+ memput(q, sizeof(*q));
+ if (q2 != NULL)
+ memput(q2, sizeof(*q2));
+ return(hp);
+}
+
+static struct hostent *
+ho_next(struct irs_ho *this) {
+
+ UNUSED(this);
+
+ return (NULL);
+}
+
+static void
+ho_rewind(struct irs_ho *this) {
+
+ UNUSED(this);
+
+ /* NOOP */
+}
+
+static void
+ho_minimize(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+}
+
+static struct __res_state *
+ho_res_get(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ ho_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+/* XXX */
+extern struct addrinfo *addr2addrinfo __P((const struct addrinfo *,
+ const char *));
+
+static struct addrinfo *
+ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ int n;
+ char tmp[NS_MAXDNAME];
+ const char *cp;
+ struct dns_res_target *q, *q2, *p;
+ struct addrinfo sentinel, *cur;
+ int querystate = RESQRY_FAIL;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+
+ q = memget(sizeof(*q));
+ q2 = memget(sizeof(*q2));
+ if (q == NULL || q2 == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ memset(q, 0, sizeof(q2));
+ memset(q2, 0, sizeof(q2));
+
+ switch (pai->ai_family) {
+ case AF_UNSPEC:
+ /* prefer IPv6 */
+ q->qclass = C_IN;
+ q->qtype = T_AAAA;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->next = q2;
+ q->action = RESTGT_DOALWAYS;
+ q2->qclass = C_IN;
+ q2->qtype = T_A;
+ q2->answer = q2->qbuf.buf;
+ q2->anslen = sizeof(q2->qbuf);
+ q2->action = RESTGT_DOALWAYS;
+ break;
+ case AF_INET:
+ q->qclass = C_IN;
+ q->qtype = T_A;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->action = RESTGT_DOALWAYS;
+ break;
+ case AF_INET6:
+ q->qclass = C_IN;
+ q->qtype = T_AAAA;
+ q->answer = q->qbuf.buf;
+ q->anslen = sizeof(q->qbuf);
+ q->action = RESTGT_DOALWAYS;
+ break;
+ default:
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* better error? */
+ goto cleanup;
+ }
+
+ /*
+ * if there aren't any dots, it could be a user-level alias.
+ * this is also done in res_nquery() since we are not the only
+ * function that looks up host names.
+ */
+ if (!strchr(name, '.') && (cp = res_hostalias(pvt->res, name,
+ tmp, sizeof tmp)))
+ name = cp;
+
+ for (p = q; p; p = p->next) {
+ struct addrinfo *ai;
+
+ switch(p->action) {
+ case RESTGT_DOALWAYS:
+ break;
+ case RESTGT_AFTERFAILURE:
+ if (querystate == RESQRY_SUCCESS)
+ continue;
+ break;
+ case RESTGT_IGNORE:
+ continue;
+ }
+
+ if ((n = res_nsearch(pvt->res, name, p->qclass, p->qtype,
+ p->answer, p->anslen)) < 0) {
+ querystate = RESQRY_FAIL;
+ continue;
+ }
+ (void)gethostans(this, p->answer, n, name, p->qtype,
+ pai->ai_family, /* XXX: meaningless */
+ 0, &ai, pai);
+ if (ai) {
+ querystate = RESQRY_SUCCESS;
+ cur->ai_next = ai;
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ }
+ else
+ querystate = RESQRY_FAIL;
+ }
+
+ cleanup:
+ if (q != NULL)
+ memput(q, sizeof(*q));
+ if (q2 != NULL)
+ memput(q2, sizeof(*q2));
+ return(sentinel.ai_next);
+}
+
+static void
+ho_res_set(struct irs_ho *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+/* Private. */
+
+static struct hostent *
+gethostans(struct irs_ho *this,
+ const u_char *ansbuf, int anslen, const char *qname, int qtype,
+ int af, int size, /* meaningless for addrinfo cases */
+ struct addrinfo **ret_aip, const struct addrinfo *pai)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ int type, class, ancount, qdcount, n, haveanswer, had_error;
+ int error = NETDB_SUCCESS, arcount;
+ int (*name_ok)(const char *);
+ const HEADER *hp;
+ const u_char *eom;
+ const u_char *eor;
+ const u_char *cp;
+ const char *tname;
+ const char *hname;
+ char *bp, *ep, **ap, **hap;
+ char tbuf[MAXDNAME+1];
+ struct addrinfo sentinel, *cur, ai;
+
+ if (pai == NULL) abort();
+ if (ret_aip != NULL)
+ *ret_aip = NULL;
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+
+ tname = qname;
+ eom = ansbuf + anslen;
+ switch (qtype) {
+ case T_A:
+ case T_AAAA:
+ case T_ANY: /* use T_ANY only for T_A/T_AAAA lookup */
+ name_ok = res_hnok;
+ break;
+ case T_PTR:
+ name_ok = res_dnok;
+ break;
+ default:
+ abort();
+ }
+
+ pvt->host.h_addrtype = af;
+ pvt->host.h_length = size;
+ hname = pvt->host.h_name = NULL;
+
+ /*
+ * Find first satisfactory answer.
+ */
+ if (ansbuf + HFIXEDSZ > eom) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ hp = (const HEADER *)ansbuf;
+ ancount = ntohs(hp->ancount);
+ qdcount = ntohs(hp->qdcount);
+ arcount = ntohs(hp->arcount);
+ bp = pvt->hostbuf;
+ ep = pvt->hostbuf + sizeof(pvt->hostbuf);
+ cp = ansbuf + HFIXEDSZ;
+ if (qdcount != 1) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
+ if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ cp += n + QFIXEDSZ;
+ if (cp > eom) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ if (qtype == T_A || qtype == T_AAAA || qtype == T_ANY) {
+ /* res_nsend() has already verified that the query name is the
+ * same as the one we sent; this just gets the expanded name
+ * (i.e., with the succeeding search-domain tacked on).
+ */
+ n = strlen(bp) + 1; /* for the \0 */
+ if (n > MAXHOSTNAMELEN) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ pvt->host.h_name = bp;
+ hname = bp;
+ bp += n;
+ /* The qname can be abbreviated, but hname is now absolute. */
+ qname = pvt->host.h_name;
+ }
+ ap = pvt->host_aliases;
+ *ap = NULL;
+ pvt->host.h_aliases = pvt->host_aliases;
+ hap = pvt->h_addr_ptrs;
+ *hap = NULL;
+ pvt->host.h_addr_list = pvt->h_addr_ptrs;
+ haveanswer = 0;
+ had_error = 0;
+ while (ancount-- > 0 && cp < eom && !had_error) {
+ n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
+ if (n < 0 || !maybe_ok(pvt->res, bp, name_ok)) {
+ had_error++;
+ continue;
+ }
+ cp += n; /* name */
+ BOUNDS_CHECK(cp, 3 * INT16SZ + INT32SZ);
+ type = ns_get16(cp);
+ cp += INT16SZ; /* type */
+ class = ns_get16(cp);
+ cp += INT16SZ + INT32SZ; /* class, TTL */
+ n = ns_get16(cp);
+ cp += INT16SZ; /* len */
+ BOUNDS_CHECK(cp, n);
+ if (class != C_IN) {
+ cp += n;
+ continue;
+ }
+ eor = cp + n;
+ if ((qtype == T_A || qtype == T_AAAA || qtype == T_ANY) &&
+ type == T_CNAME) {
+ if (haveanswer) {
+ int level = LOG_CRIT;
+#ifdef LOG_SECURITY
+ level |= LOG_SECURITY;
+#endif
+ syslog(level,
+ "gethostans: possible attempt to exploit buffer overflow while looking up %s",
+ *qname ? qname : ".");
+ }
+ n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
+ if (n < 0 || !maybe_ok(pvt->res, tbuf, name_ok)) {
+ had_error++;
+ continue;
+ }
+ cp += n;
+ /* Store alias. */
+ if (ap >= &pvt->host_aliases[MAXALIASES-1])
+ continue;
+ *ap++ = bp;
+ n = strlen(bp) + 1; /* for the \0 */
+ bp += n;
+ /* Get canonical name. */
+ n = strlen(tbuf) + 1; /* for the \0 */
+ if (n > (ep - bp) || n > MAXHOSTNAMELEN) {
+ had_error++;
+ continue;
+ }
+ strcpy(bp, tbuf); /* (checked) */
+ pvt->host.h_name = bp;
+ hname = bp;
+ bp += n;
+ continue;
+ }
+ if (qtype == T_PTR && type == T_CNAME) {
+ n = dn_expand(ansbuf, eor, cp, tbuf, sizeof tbuf);
+ if (n < 0 || !maybe_dnok(pvt->res, tbuf)) {
+ had_error++;
+ continue;
+ }
+ cp += n;
+#ifdef RES_USE_DNAME
+ if ((pvt->res->options & RES_USE_DNAME) != 0U)
+#endif
+ {
+ /*
+ * We may be able to check this regardless
+ * of the USE_DNAME bit, but we add the check
+ * for now since the DNAME support is
+ * experimental.
+ */
+ if (ns_samename(tname, bp) != 1)
+ continue;
+ }
+ /* Get canonical name. */
+ n = strlen(tbuf) + 1; /* for the \0 */
+ if (n > (ep - bp)) {
+ had_error++;
+ continue;
+ }
+ strcpy(bp, tbuf); /* (checked) */
+ tname = bp;
+ bp += n;
+ continue;
+ }
+ if (qtype == T_ANY) {
+ if (!(type == T_A || type == T_AAAA)) {
+ cp += n;
+ continue;
+ }
+ } else if (type != qtype) {
+ cp += n;
+ continue;
+ }
+ switch (type) {
+ case T_PTR:
+ if (ret_aip != NULL) {
+ /* addrinfo never needs T_PTR */
+ cp += n;
+ continue;
+ }
+ if (ns_samename(tname, bp) != 1) {
+ cp += n;
+ continue;
+ }
+ n = dn_expand(ansbuf, eor, cp, bp, ep - bp);
+ if (n < 0 || !maybe_hnok(pvt->res, bp) ||
+ n >= MAXHOSTNAMELEN) {
+ had_error++;
+ break;
+ }
+ cp += n;
+ if (!haveanswer) {
+ pvt->host.h_name = bp;
+ hname = bp;
+ }
+ else if (ap < &pvt->host_aliases[MAXALIASES-1])
+ *ap++ = bp;
+ else
+ n = -1;
+ if (n != -1) {
+ n = strlen(bp) + 1; /* for the \0 */
+ bp += n;
+ }
+ break;
+ case T_A:
+ case T_AAAA:
+ if (ns_samename(hname, bp) != 1) {
+ cp += n;
+ continue;
+ }
+ if (type == T_A && n != INADDRSZ) {
+ cp += n;
+ continue;
+ }
+ if (type == T_AAAA && n != IN6ADDRSZ) {
+ cp += n;
+ continue;
+ }
+
+ /* make addrinfo. don't overwrite constant PAI */
+ ai = *pai;
+ ai.ai_family = (type == T_AAAA) ? AF_INET6 : AF_INET;
+ cur->ai_next = addr2addrinfo(
+ (const struct addrinfo *)&ai,
+ (const char *)cp);
+ if (cur->ai_next == NULL)
+ had_error++;
+
+ if (!haveanswer) {
+ int nn;
+
+ nn = strlen(bp) + 1; /* for the \0 */
+ if (nn >= MAXHOSTNAMELEN) {
+ cp += n;
+ had_error++;
+ continue;
+ }
+ pvt->host.h_name = bp;
+ hname = bp;
+ bp += nn;
+ }
+ /* Ensure alignment. */
+ bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
+ ~(sizeof(align) - 1));
+ /* Avoid overflows. */
+ if (bp + n >= &pvt->hostbuf[sizeof pvt->hostbuf]) {
+ had_error++;
+ continue;
+ }
+ if (ret_aip) { /* need addrinfo. keep it. */
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ } else if (cur->ai_next) { /* need hostent */
+ struct addrinfo *aip = cur->ai_next;
+
+ for (aip = cur->ai_next; aip;
+ aip = aip->ai_next) {
+ int m;
+
+ m = add_hostent(pvt, bp, hap, aip);
+ if (m < 0) {
+ had_error++;
+ break;
+ }
+ if (m == 0)
+ continue;
+ if (hap < &pvt->h_addr_ptrs[MAXADDRS-1])
+ hap++;
+ *hap = NULL;
+ bp += m;
+ }
+
+ freeaddrinfo(cur->ai_next);
+ cur->ai_next = NULL;
+ }
+ cp += n;
+ break;
+ default:
+ abort();
+ }
+ if (!had_error)
+ haveanswer++;
+ }
+ if (haveanswer) {
+ if (ret_aip == NULL) {
+ *ap = NULL;
+ *hap = NULL;
+
+ if (pvt->res->nsort && haveanswer > 1 && qtype == T_A)
+ addrsort(pvt->res, pvt->h_addr_ptrs,
+ haveanswer);
+ if (pvt->host.h_name == NULL) {
+ n = strlen(qname) + 1; /* for the \0 */
+ if (n > (ep - bp) || n >= MAXHOSTNAMELEN)
+ goto no_recovery;
+ strcpy(bp, qname); /* (checked) */
+ pvt->host.h_name = bp;
+ bp += n;
+ }
+ if (pvt->res->options & RES_USE_INET6)
+ map_v4v6_hostent(&pvt->host, &bp, ep);
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ return (&pvt->host);
+ } else {
+ if ((pai->ai_flags & AI_CANONNAME) != 0) {
+ if (pvt->host.h_name == NULL) {
+ sentinel.ai_next->ai_canonname =
+ strdup(qname);
+ }
+ else {
+ sentinel.ai_next->ai_canonname =
+ strdup(pvt->host.h_name);
+ }
+ }
+ *ret_aip = sentinel.ai_next;
+ return(NULL);
+ }
+ }
+ no_recovery:
+ if (sentinel.ai_next) {
+ /* this should be impossible, but check it for safety */
+ freeaddrinfo(sentinel.ai_next);
+ }
+ if (error == NETDB_SUCCESS)
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ else
+ RES_SET_H_ERRNO(pvt->res, error);
+ return(NULL);
+}
+
+static int
+add_hostent(struct pvt *pvt, char *bp, char **hap, struct addrinfo *ai)
+{
+ int addrlen;
+ char *addrp;
+ const char **tap;
+ char *obp = bp;
+
+ switch(ai->ai_addr->sa_family) {
+ case AF_INET6:
+ addrlen = IN6ADDRSZ;
+ addrp = (char *)&((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
+ break;
+ case AF_INET:
+ addrlen = INADDRSZ;
+ addrp = (char *)&((struct sockaddr_in *)ai->ai_addr)->sin_addr;
+ break;
+ default:
+ return(-1); /* abort? */
+ }
+
+ /* Ensure alignment. */
+ bp = (char *)(((u_long)bp + (sizeof(align) - 1)) &
+ ~(sizeof(align) - 1));
+ /* Avoid overflows. */
+ if (bp + addrlen >= &pvt->hostbuf[sizeof pvt->hostbuf])
+ return(-1);
+ if (hap >= &pvt->h_addr_ptrs[MAXADDRS-1])
+ return(0); /* fail, but not treat it as an error. */
+
+ /* Suppress duplicates. */
+ for (tap = (const char **)pvt->h_addr_ptrs;
+ *tap != NULL;
+ tap++)
+ if (memcmp(*tap, addrp, addrlen) == 0)
+ break;
+ if (*tap != NULL)
+ return (0);
+
+ memcpy(*hap = bp, addrp, addrlen);
+ return((bp + addrlen) - obp);
+}
+
+static void
+map_v4v6_hostent(struct hostent *hp, char **bpp, char *ep) {
+ char **ap;
+
+ if (hp->h_addrtype != AF_INET || hp->h_length != INADDRSZ)
+ return;
+ hp->h_addrtype = AF_INET6;
+ hp->h_length = IN6ADDRSZ;
+ for (ap = hp->h_addr_list; *ap; ap++) {
+ int i = (u_long)*bpp % sizeof(align);
+
+ if (i != 0)
+ i = sizeof(align) - i;
+
+ if ((ep - *bpp) < (i + IN6ADDRSZ)) {
+ /* Out of memory. Truncate address list here. */
+ *ap = NULL;
+ return;
+ }
+ *bpp += i;
+ map_v4v6_address(*ap, *bpp);
+ *ap = *bpp;
+ *bpp += IN6ADDRSZ;
+ }
+}
+
+static void
+addrsort(res_state statp, char **ap, int num) {
+ int i, j, needsort = 0, aval[MAXADDRS];
+ char **p;
+
+ p = ap;
+ for (i = 0; i < num; i++, p++) {
+ for (j = 0 ; (unsigned)j < statp->nsort; j++)
+ if (statp->sort_list[j].addr.s_addr ==
+ (((struct in_addr *)(*p))->s_addr &
+ statp->sort_list[j].mask))
+ break;
+ aval[i] = j;
+ if (needsort == 0 && i > 0 && j < aval[i-1])
+ needsort = i;
+ }
+ if (!needsort)
+ return;
+
+ while (needsort < num) {
+ for (j = needsort - 1; j >= 0; j--) {
+ if (aval[j] > aval[j+1]) {
+ char *hp;
+
+ i = aval[j];
+ aval[j] = aval[j+1];
+ aval[j+1] = i;
+
+ hp = ap[j];
+ ap[j] = ap[j+1];
+ ap[j+1] = hp;
+
+ } else
+ break;
+ }
+ needsort++;
+ }
+}
+
+static int
+init(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !ho_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
diff --git a/contrib/bind9/lib/bind/irs/dns_nw.c b/contrib/bind9/lib/bind/irs/dns_nw.c
new file mode 100644
index 0000000..9e1a262
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_nw.c
@@ -0,0 +1,589 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_nw.c,v 1.3.2.4.4.3 2004/05/17 07:48:56 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports. */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "dns_p.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) sprintf x
+#endif
+
+/* Definitions. */
+
+#define MAXALIASES 35
+
+#define MAXPACKET (64*1024)
+
+struct pvt {
+ struct nwent net;
+ char * ali[MAXALIASES];
+ char buf[BUFSIZ+1];
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+typedef union {
+ long al;
+ char ac;
+} align;
+
+enum by_what { by_addr, by_name };
+
+/* Forwards. */
+
+static void nw_close(struct irs_nw *);
+static struct nwent * nw_byname(struct irs_nw *, const char *, int);
+static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
+static struct nwent * nw_next(struct irs_nw *);
+static void nw_rewind(struct irs_nw *);
+static void nw_minimize(struct irs_nw *);
+static struct __res_state * nw_res_get(struct irs_nw *this);
+static void nw_res_set(struct irs_nw *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+
+static struct nwent * get1101byaddr(struct irs_nw *, u_char *, int);
+static struct nwent * get1101byname(struct irs_nw *, const char *);
+static struct nwent * get1101answer(struct irs_nw *,
+ u_char *ansbuf, int anslen,
+ enum by_what by_what,
+ int af, const char *name,
+ const u_char *addr, int addrlen);
+static struct nwent * get1101mask(struct irs_nw *this, struct nwent *);
+static int make1101inaddr(const u_char *, int, char *, int);
+static void normalize_name(char *name);
+static int init(struct irs_nw *this);
+
+/* Exports. */
+
+struct irs_nw *
+irs_dns_nw(struct irs_acc *this) {
+ struct irs_nw *nw;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(nw = memget(sizeof *nw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nw, 0x5e, sizeof *nw);
+ nw->private = pvt;
+ nw->close = nw_close;
+ nw->byname = nw_byname;
+ nw->byaddr = nw_byaddr;
+ nw->next = nw_next;
+ nw->rewind = nw_rewind;
+ nw->minimize = nw_minimize;
+ nw->res_get = nw_res_get;
+ nw->res_set = nw_res_set;
+ return (nw);
+}
+
+/* Methods. */
+
+static void
+nw_close(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nw_minimize(this);
+
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct nwent *
+nw_byname(struct irs_nw *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ switch (af) {
+ case AF_INET:
+ return (get1101byname(this, name));
+ default:
+ (void)NULL;
+ }
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = EAFNOSUPPORT;
+ return (NULL);
+}
+
+static struct nwent *
+nw_byaddr(struct irs_nw *this, void *net, int len, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ switch (af) {
+ case AF_INET:
+ return (get1101byaddr(this, net, len));
+ default:
+ (void)NULL;
+ }
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = EAFNOSUPPORT;
+ return (NULL);
+}
+
+static struct nwent *
+nw_next(struct irs_nw *this) {
+
+ UNUSED(this);
+
+ return (NULL);
+}
+
+static void
+nw_rewind(struct irs_nw *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+static void
+nw_minimize(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+}
+
+static struct __res_state *
+nw_res_get(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ nw_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+nw_res_set(struct irs_nw *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+/* Private. */
+
+static struct nwent *
+get1101byname(struct irs_nw *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ u_char *ansbuf;
+ int anslen;
+ struct nwent *result;
+
+ ansbuf = memget(MAXPACKET);
+ if (ansbuf == NULL) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ anslen = res_nsearch(pvt->res, name, C_IN, T_PTR, ansbuf, MAXPACKET);
+ if (anslen < 0) {
+ memput(ansbuf, MAXPACKET);
+ return (NULL);
+ }
+ result = get1101mask(this, get1101answer(this, ansbuf, anslen, by_name,
+ AF_INET, name, NULL, 0));
+ memput(ansbuf, MAXPACKET);
+ return (result);
+}
+
+static struct nwent *
+get1101byaddr(struct irs_nw *this, u_char *net, int len) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char qbuf[sizeof "255.255.255.255.in-addr.arpa"];
+ struct nwent *result;
+ u_char *ansbuf;
+ int anslen;
+
+ if (len < 1 || len > 32) {
+ errno = EINVAL;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ if (make1101inaddr(net, len, qbuf, sizeof qbuf) < 0)
+ return (NULL);
+ ansbuf = memget(MAXPACKET);
+ if (ansbuf == NULL) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ anslen = res_nquery(pvt->res, qbuf, C_IN, T_PTR, ansbuf, MAXPACKET);
+ if (anslen < 0) {
+ memput(ansbuf, MAXPACKET);
+ return (NULL);
+ }
+ result = get1101mask(this, get1101answer(this, ansbuf, anslen, by_addr,
+ AF_INET, NULL, net, len));
+ memput(ansbuf, MAXPACKET);
+ return (result);
+}
+
+static struct nwent *
+get1101answer(struct irs_nw *this,
+ u_char *ansbuf, int anslen, enum by_what by_what,
+ int af, const char *name, const u_char *addr, int addrlen)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ int type, class, ancount, qdcount, haveanswer;
+ char *bp, *ep, **ap;
+ u_char *cp, *eom;
+ HEADER *hp;
+
+ /* Initialize, and parse header. */
+ eom = ansbuf + anslen;
+ if (ansbuf + HFIXEDSZ > eom) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ hp = (HEADER *)ansbuf;
+ cp = ansbuf + HFIXEDSZ;
+ qdcount = ntohs(hp->qdcount);
+ while (qdcount-- > 0) {
+ int n = dn_skipname(cp, eom);
+ cp += n + QFIXEDSZ;
+ if (n < 0 || cp > eom) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ }
+ ancount = ntohs(hp->ancount);
+ if (!ancount) {
+ if (hp->aa)
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ else
+ RES_SET_H_ERRNO(pvt->res, TRY_AGAIN);
+ return (NULL);
+ }
+
+ /* Prepare a return structure. */
+ bp = pvt->buf;
+ ep = pvt->buf + sizeof(pvt->buf);
+ pvt->net.n_name = NULL;
+ pvt->net.n_aliases = pvt->ali;
+ pvt->net.n_addrtype = af;
+ pvt->net.n_addr = NULL;
+ pvt->net.n_length = addrlen;
+
+ /* Save input key if given. */
+ switch (by_what) {
+ case by_name:
+ if (name != NULL) {
+ int n = strlen(name) + 1;
+
+ if (n > (ep - bp)) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ pvt->net.n_name = strcpy(bp, name); /* (checked) */
+ bp += n;
+ }
+ break;
+ case by_addr:
+ if (addr != NULL && addrlen != 0) {
+ int n = addrlen / 8 + ((addrlen % 8) != 0);
+
+ if (INADDRSZ > (ep - bp)) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ memset(bp, 0, INADDRSZ);
+ memcpy(bp, addr, n);
+ pvt->net.n_addr = bp;
+ bp += INADDRSZ;
+ }
+ break;
+ default:
+ abort();
+ }
+
+ /* Parse the answer, collect aliases. */
+ ap = pvt->ali;
+ haveanswer = 0;
+ while (--ancount >= 0 && cp < eom) {
+ int n = dn_expand(ansbuf, eom, cp, bp, ep - bp);
+
+ cp += n; /* Owner */
+ if (n < 0 || !maybe_dnok(pvt->res, bp) ||
+ cp + 3 * INT16SZ + INT32SZ > eom) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ GETSHORT(type, cp); /* Type */
+ GETSHORT(class, cp); /* Class */
+ cp += INT32SZ; /* TTL */
+ GETSHORT(n, cp); /* RDLENGTH */
+ if (class == C_IN && type == T_PTR) {
+ int nn;
+
+ nn = dn_expand(ansbuf, eom, cp, bp, ep - bp);
+ if (nn < 0 || !maybe_hnok(pvt->res, bp) || nn != n) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ normalize_name(bp);
+ switch (by_what) {
+ case by_addr: {
+ if (pvt->net.n_name == NULL)
+ pvt->net.n_name = bp;
+ else if (ns_samename(pvt->net.n_name, bp) == 1)
+ break;
+ else
+ *ap++ = bp;
+ nn = strlen(bp) + 1;
+ bp += nn;
+ haveanswer++;
+ break;
+ }
+ case by_name: {
+ u_int b1, b2, b3, b4;
+
+ if (pvt->net.n_addr != NULL ||
+ sscanf(bp, "%u.%u.%u.%u.in-addr.arpa",
+ &b1, &b2, &b3, &b4) != 4)
+ break;
+ if ((ep - bp) < INADDRSZ) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ return (NULL);
+ }
+ pvt->net.n_addr = bp;
+ *bp++ = b4;
+ *bp++ = b3;
+ *bp++ = b2;
+ *bp++ = b1;
+ pvt->net.n_length = INADDRSZ * 8;
+ haveanswer++;
+ }
+ }
+ }
+ cp += n; /* RDATA */
+ }
+ if (!haveanswer) {
+ RES_SET_H_ERRNO(pvt->res, TRY_AGAIN);
+ return (NULL);
+ }
+ *ap = NULL;
+
+ return (&pvt->net);
+}
+
+static struct nwent *
+get1101mask(struct irs_nw *this, struct nwent *nwent) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char qbuf[sizeof "255.255.255.255.in-addr.arpa"], owner[MAXDNAME];
+ int anslen, type, class, ancount, qdcount;
+ u_char *ansbuf, *cp, *eom;
+ HEADER *hp;
+
+ if (!nwent)
+ return (NULL);
+ if (make1101inaddr(nwent->n_addr, nwent->n_length, qbuf, sizeof qbuf)
+ < 0) {
+ /* "First, do no harm." */
+ return (nwent);
+ }
+
+ ansbuf = memget(MAXPACKET);
+ if (ansbuf == NULL) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ /* Query for the A RR that would hold this network's mask. */
+ anslen = res_nquery(pvt->res, qbuf, C_IN, T_A, ansbuf, MAXPACKET);
+ if (anslen < HFIXEDSZ) {
+ memput(ansbuf, MAXPACKET);
+ return (nwent);
+ }
+
+ /* Initialize, and parse header. */
+ hp = (HEADER *)ansbuf;
+ cp = ansbuf + HFIXEDSZ;
+ eom = ansbuf + anslen;
+ qdcount = ntohs(hp->qdcount);
+ while (qdcount-- > 0) {
+ int n = dn_skipname(cp, eom);
+ cp += n + QFIXEDSZ;
+ if (n < 0 || cp > eom) {
+ memput(ansbuf, MAXPACKET);
+ return (nwent);
+ }
+ }
+ ancount = ntohs(hp->ancount);
+
+ /* Parse the answer, collect aliases. */
+ while (--ancount >= 0 && cp < eom) {
+ int n = dn_expand(ansbuf, eom, cp, owner, sizeof owner);
+
+ if (n < 0 || !maybe_dnok(pvt->res, owner))
+ break;
+ cp += n; /* Owner */
+ if (cp + 3 * INT16SZ + INT32SZ > eom)
+ break;
+ GETSHORT(type, cp); /* Type */
+ GETSHORT(class, cp); /* Class */
+ cp += INT32SZ; /* TTL */
+ GETSHORT(n, cp); /* RDLENGTH */
+ if (cp + n > eom)
+ break;
+ if (n == INADDRSZ && class == C_IN && type == T_A &&
+ ns_samename(qbuf, owner) == 1) {
+ /* This A RR indicates the actual netmask. */
+ int nn, mm;
+
+ nwent->n_length = 0;
+ for (nn = 0; nn < INADDRSZ; nn++)
+ for (mm = 7; mm >= 0; mm--)
+ if (cp[nn] & (1 << mm))
+ nwent->n_length++;
+ else
+ break;
+ }
+ cp += n; /* RDATA */
+ }
+ memput(ansbuf, MAXPACKET);
+ return (nwent);
+}
+
+static int
+make1101inaddr(const u_char *net, int bits, char *name, int size) {
+ int n, m;
+ char *ep;
+
+ ep = name + size;
+
+ /* Zero fill any whole bytes left out of the prefix. */
+ for (n = (32 - bits) / 8; n > 0; n--) {
+ if (ep - name < (int)(sizeof "0."))
+ goto emsgsize;
+ m = SPRINTF((name, "0."));
+ name += m;
+ }
+
+ /* Format the partial byte, if any, within the prefix. */
+ if ((n = bits % 8) != 0) {
+ if (ep - name < (int)(sizeof "255."))
+ goto emsgsize;
+ m = SPRINTF((name, "%u.",
+ net[bits / 8] & ~((1 << (8 - n)) - 1)));
+ name += m;
+ }
+
+ /* Format the whole bytes within the prefix. */
+ for (n = bits / 8; n > 0; n--) {
+ if (ep - name < (int)(sizeof "255."))
+ goto emsgsize;
+ m = SPRINTF((name, "%u.", net[n - 1]));
+ name += m;
+ }
+
+ /* Add the static text. */
+ if (ep - name < (int)(sizeof "in-addr.arpa"))
+ goto emsgsize;
+ (void) SPRINTF((name, "in-addr.arpa"));
+ return (0);
+
+ emsgsize:
+ errno = EMSGSIZE;
+ return (-1);
+}
+
+static void
+normalize_name(char *name) {
+ char *t;
+
+ /* Make lower case. */
+ for (t = name; *t; t++)
+ if (isascii((unsigned char)*t) && isupper((unsigned char)*t))
+ *t = tolower(*t);
+
+ /* Remove trailing dots. */
+ while (t > name && t[-1] == '.')
+ *--t = '\0';
+}
+
+static int
+init(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !nw_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
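Review bot: In get1101answer() the by_addr branch stores each additional PTR name with `*ap++ = bp` and never compares `ap` against the end of `pvt->ali[MAXALIASES]`. The number of aliases is set by the DNS answer, so a reply with MAXALIASES or more alias names makes that store, or the closing `*ap = NULL`, write past the table into whatever follows it in `struct pvt`. gethostans() in dns_ho.c, earlier in this diff, guards the same pattern with `if (ap >= &pvt->host_aliases[MAXALIASES-1])`. The equivalent here would be `else if (ap < &pvt->ali[MAXALIASES - 1]) *ap++ = bp; else break;`, which keeps the last slot free for the terminator. Separately, the by_name branch copies `b1`..`b4` from sscanf() into single bytes without rejecting values above 255, so an out-of-range label is silently truncated; a check such as `if (b1 > 255 || b2 > 255 || b3 > 255 || b4 > 255) break;` would close that.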
diff --git a/contrib/bind9/lib/bind/irs/dns_p.h b/contrib/bind9/lib/bind/irs/dns_p.h
new file mode 100644
index 0000000..f984c1c
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_p.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: dns_p.h,v 1.1.206.2 2004/03/17 00:29:48 marka Exp $
+ */
+
+#ifndef _DNS_P_H_INCLUDED
+#define _DNS_P_H_INCLUDED
+
+#define maybe_ok(res, nm, ok) (((res)->options & RES_NOCHECKNAME) != 0U || \
+ (ok)(nm) != 0)
+#define maybe_hnok(res, hn) maybe_ok((res), (hn), res_hnok)
+#define maybe_dnok(res, dn) maybe_ok((res), (dn), res_dnok)
+
+/*
+ * Object state.
+ */
+struct dns_p {
+ void *hes_ctx;
+ struct __res_state *res;
+ void (*free_res) __P((void *));
+};
+
+/*
+ * Methods.
+ */
+
+extern struct irs_gr * irs_dns_gr __P((struct irs_acc *));
+extern struct irs_pw * irs_dns_pw __P((struct irs_acc *));
+extern struct irs_sv * irs_dns_sv __P((struct irs_acc *));
+extern struct irs_pr * irs_dns_pr __P((struct irs_acc *));
+extern struct irs_ho * irs_dns_ho __P((struct irs_acc *));
+extern struct irs_nw * irs_dns_nw __P((struct irs_acc *));
+
+#endif /*_DNS_P_H_INCLUDED*/
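Review bot: The `maybe_ok` family of macros has no comment, yet it decides whether names taken from DNS replies are syntax-checked at all. When `RES_NOCHECKNAME` is set in `res->options` the expression short-circuits and `res_hnok`/`res_dnok` are never called, so dns_ho.c and dns_nw.c accept whatever `dn_expand()` produced. I would put a comment above the macro, along the lines of `/* maybe_ok(): accept nm unconditionally if RES_NOCHECKNAME is set, else require ok(nm) != 0; with the option set, reply names are NOT validated. */`, so that callers passing these names on to logs or other consumers know validation is optional.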
diff --git a/contrib/bind9/lib/bind/irs/dns_pr.c b/contrib/bind9/lib/bind/irs/dns_pr.c
new file mode 100644
index 0000000..ffcca15
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_pr.c
@@ -0,0 +1,266 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_pr.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* Types. */
+
+struct pvt {
+ struct dns_p * dns;
+ struct protoent proto;
+ char * prbuf;
+};
+
+/* Forward. */
+
+static void pr_close(struct irs_pr *);
+static struct protoent * pr_byname(struct irs_pr *, const char *);
+static struct protoent * pr_bynumber(struct irs_pr *, int);
+static struct protoent * pr_next(struct irs_pr *);
+static void pr_rewind(struct irs_pr *);
+static void pr_minimize(struct irs_pr *);
+static struct __res_state * pr_res_get(struct irs_pr *);
+static void pr_res_set(struct irs_pr *,
+ struct __res_state *,
+ void (*)(void *));
+
+static struct protoent * parse_hes_list(struct irs_pr *, char **);
+
+/* Public. */
+
+struct irs_pr *
+irs_dns_pr(struct irs_acc *this) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+ struct pvt *pvt;
+ struct irs_pr *pr;
+
+ if (!dns->hes_ctx) {
+ errno = ENODEV;
+ return (NULL);
+ }
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(pr = memget(sizeof *pr))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pr, 0x5e, sizeof *pr);
+ pvt->dns = dns;
+ pr->private = pvt;
+ pr->byname = pr_byname;
+ pr->bynumber = pr_bynumber;
+ pr->next = pr_next;
+ pr->rewind = pr_rewind;
+ pr->close = pr_close;
+ pr->minimize = pr_minimize;
+ pr->res_get = pr_res_get;
+ pr->res_set = pr_res_set;
+ return (pr);
+}
+
+/* Methods. */
+
+static void
+pr_close(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->proto.p_aliases)
+ free(pvt->proto.p_aliases);
+ if (pvt->prbuf)
+ free(pvt->prbuf);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct protoent *
+pr_byname(struct irs_pr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+ struct protoent *proto;
+ char **hes_list;
+
+ if (!(hes_list = hesiod_resolve(dns->hes_ctx, name, "protocol")))
+ return (NULL);
+
+ proto = parse_hes_list(this, hes_list);
+ hesiod_free_list(dns->hes_ctx, hes_list);
+ return (proto);
+}
+
+static struct protoent *
+pr_bynumber(struct irs_pr *this, int num) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+ struct protoent *proto;
+ char numstr[16];
+ char **hes_list;
+
+ sprintf(numstr, "%d", num);
+ if (!(hes_list = hesiod_resolve(dns->hes_ctx, numstr, "protonum")))
+ return (NULL);
+
+ proto = parse_hes_list(this, hes_list);
+ hesiod_free_list(dns->hes_ctx, hes_list);
+ return (proto);
+}
+
+static struct protoent *
+pr_next(struct irs_pr *this) {
+ UNUSED(this);
+ errno = ENODEV;
+ return (NULL);
+}
+
+static void
+pr_rewind(struct irs_pr *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+static void
+pr_minimize(struct irs_pr *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+static struct __res_state *
+pr_res_get(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ return (__hesiod_res_get(dns->hes_ctx));
+}
+
+static void
+pr_res_set(struct irs_pr *this, struct __res_state * res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ __hesiod_res_set(dns->hes_ctx, res, free_res);
+}
+
+/* Private. */
+
+static struct protoent *
+parse_hes_list(struct irs_pr *this, char **hes_list) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *p, *cp, **cpp, **new;
+ int num = 0;
+ int max = 0;
+
+ for (cpp = hes_list; *cpp; cpp++) {
+ cp = *cpp;
+
+ /* Strip away comments, if any. */
+ if ((p = strchr(cp, '#')))
+ *p = 0;
+
+ /* Skip blank lines. */
+ p = cp;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (!*p)
+ continue;
+
+ /* OK, we've got a live one. Let's parse it for real. */
+ if (pvt->prbuf)
+ free(pvt->prbuf);
+ pvt->prbuf = strdup(cp);
+
+ p = pvt->prbuf;
+ pvt->proto.p_name = p;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (!*p)
+ continue;
+ *p++ = '\0';
+
+ pvt->proto.p_proto = atoi(p);
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (*p)
+ *p++ = '\0';
+
+ while (*p) {
+ if ((num + 1) >= max || !pvt->proto.p_aliases) {
+ max += 10;
+ new = realloc(pvt->proto.p_aliases,
+ max * sizeof(char *));
+ if (!new) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ pvt->proto.p_aliases = new;
+ }
+ pvt->proto.p_aliases[num++] = p;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (*p)
+ *p++ = '\0';
+ }
+ if (!pvt->proto.p_aliases)
+ pvt->proto.p_aliases = malloc(sizeof(char *));
+ if (!pvt->proto.p_aliases)
+ goto cleanup;
+ pvt->proto.p_aliases[num] = NULL;
+ return (&pvt->proto);
+ }
+
+ cleanup:
+ if (pvt->proto.p_aliases) {
+ free(pvt->proto.p_aliases);
+ pvt->proto.p_aliases = NULL;
+ }
+ if (pvt->prbuf) {
+ free(pvt->prbuf);
+ pvt->prbuf = NULL;
+ }
+ return (NULL);
+}
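Review bot: In parse_hes_list the result of `strdup(cp)` is stored in `pvt->prbuf` and dereferenced on the following lines without a NULL check, so an allocation failure while handling a Hesiod answer crashes the caller instead of returning an error. The assignment should be guarded, e.g. `if ((pvt->prbuf = strdup(cp)) == NULL) { errno = ENOMEM; goto cleanup; }`, which reuses the existing cleanup path. The same unchecked strdup appears in getpwcommon in dns_pw.c and in parse_hes_list in dns_sv.c. Separately, irs_dns_pr reads `dns->hes_ctx` without the `!dns` test that irs_dns_pw and irs_dns_sv apply.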
diff --git a/contrib/bind9/lib/bind/irs/dns_pw.c b/contrib/bind9/lib/bind/irs/dns_pw.c
new file mode 100644
index 0000000..41b3795
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_pw.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_pw.c,v 1.1.206.1 2004/03/09 08:33:34 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* Types. */
+
+struct pvt {
+ struct dns_p * dns;
+ struct passwd passwd;
+ char * pwbuf;
+};
+
+/* Forward. */
+
+static void pw_close(struct irs_pw *);
+static struct passwd * pw_byname(struct irs_pw *, const char *);
+static struct passwd * pw_byuid(struct irs_pw *, uid_t);
+static struct passwd * pw_next(struct irs_pw *);
+static void pw_rewind(struct irs_pw *);
+static void pw_minimize(struct irs_pw *);
+static struct __res_state * pw_res_get(struct irs_pw *);
+static void pw_res_set(struct irs_pw *,
+ struct __res_state *,
+ void (*)(void *));
+
+static struct passwd * getpwcommon(struct irs_pw *, const char *,
+ const char *);
+
+/* Public. */
+
+struct irs_pw *
+irs_dns_pw(struct irs_acc *this) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+ struct irs_pw *pw;
+ struct pvt *pvt;
+
+ if (!dns || !dns->hes_ctx) {
+ errno = ENODEV;
+ return (NULL);
+ }
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->dns = dns;
+ if (!(pw = memget(sizeof *pw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pw, 0x5e, sizeof *pw);
+ pw->private = pvt;
+ pw->close = pw_close;
+ pw->byname = pw_byname;
+ pw->byuid = pw_byuid;
+ pw->next = pw_next;
+ pw->rewind = pw_rewind;
+ pw->minimize = pw_minimize;
+ pw->res_get = pw_res_get;
+ pw->res_set = pw_res_set;
+ return (pw);
+}
+
+/* Methods. */
+
+static void
+pw_close(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->pwbuf)
+ free(pvt->pwbuf);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct passwd *
+pw_byname(struct irs_pw *this, const char *nam) {
+ return (getpwcommon(this, nam, "passwd"));
+}
+
+static struct passwd *
+pw_byuid(struct irs_pw *this, uid_t uid) {
+ char uidstr[16];
+
+ sprintf(uidstr, "%lu", (u_long)uid);
+ return (getpwcommon(this, uidstr, "uid"));
+}
+
+static struct passwd *
+pw_next(struct irs_pw *this) {
+ UNUSED(this);
+ errno = ENODEV;
+ return (NULL);
+}
+
+static void
+pw_rewind(struct irs_pw *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+static void
+pw_minimize(struct irs_pw *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+static struct __res_state *
+pw_res_get(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ return (__hesiod_res_get(dns->hes_ctx));
+}
+
+static void
+pw_res_set(struct irs_pw *this, struct __res_state * res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ __hesiod_res_set(dns->hes_ctx, res, free_res);
+}
+
+/* Private. */
+
+static struct passwd *
+getpwcommon(struct irs_pw *this, const char *arg, const char *type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char **hes_list, *cp;
+
+ if (!(hes_list = hesiod_resolve(pvt->dns->hes_ctx, arg, type)))
+ return (NULL);
+ if (!*hes_list) {
+ hesiod_free_list(pvt->dns->hes_ctx, hes_list);
+ errno = ENOENT;
+ return (NULL);
+ }
+
+ memset(&pvt->passwd, 0, sizeof pvt->passwd);
+ if (pvt->pwbuf)
+ free(pvt->pwbuf);
+ pvt->pwbuf = strdup(*hes_list);
+ hesiod_free_list(pvt->dns->hes_ctx, hes_list);
+
+ cp = pvt->pwbuf;
+ pvt->passwd.pw_name = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_passwd = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_uid = atoi(cp);
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_gid = atoi(cp);
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_gecos = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_dir = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_shell = cp;
+ return (&pvt->passwd);
+
+ cleanup:
+ free(pvt->pwbuf);
+ pvt->pwbuf = NULL;
+ return (NULL);
+}
+
+#endif /* WANT_IRS_PW */
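Review bot: getpwcommon converts the uid and gid fields with `atoi(cp)`, which returns 0 for a non-numeric or empty field, so a malformed Hesiod passwd record yields an entry with pw_uid 0 rather than a lookup failure. The record text comes from hesiod_resolve, so these fields should be parsed with strtoul and rejected unless they are digits up to the ':' delimiter and fit the target type. The sketch below shows the uid field; gid would follow the same shape. The same unvalidated atoi() conversion is used for p_proto in dns_pr.c and, with a `(u_short)` cast that also truncates out-of-range values, for s_port in dns_sv.c.

```c
getpwcommon(struct irs_pw *this, const char *arg, const char *type) {
	unsigned long id;
	char *end;
	/* … unchanged: hesiod_resolve, strdup, pw_name and pw_passwd fields … */

	if (*cp < '0' || *cp > '9')
		goto cleanup;
	errno = 0;
	id = strtoul(cp, &end, 10);
	if (*end != ':' || errno == ERANGE || (unsigned long)(uid_t)id != id)
		goto cleanup;
	pvt->passwd.pw_uid = (uid_t)id;
	cp = end;
	*cp++ = '\0';

	/* … same conversion and checks for pw_gid, using gid_t … */
	/* … unchanged: pw_gecos, pw_dir, pw_shell … */
```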
diff --git a/contrib/bind9/lib/bind/irs/dns_sv.c b/contrib/bind9/lib/bind/irs/dns_sv.c
new file mode 100644
index 0000000..a2aafde
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/dns_sv.c
@@ -0,0 +1,298 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: dns_sv.c,v 1.3.206.1 2004/03/09 08:33:34 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* Definitions */
+
+struct pvt {
+ struct dns_p * dns;
+ struct servent serv;
+ char * svbuf;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward. */
+
+static void sv_close(struct irs_sv *);
+static struct servent * sv_byname(struct irs_sv *,
+ const char *, const char *);
+static struct servent * sv_byport(struct irs_sv *, int, const char *);
+static struct servent * sv_next(struct irs_sv *);
+static void sv_rewind(struct irs_sv *);
+static void sv_minimize(struct irs_sv *);
+#ifdef SV_RES_SETGET
+static struct __res_state * sv_res_get(struct irs_sv *);
+static void sv_res_set(struct irs_sv *,
+ struct __res_state *,
+ void (*)(void *));
+#endif
+
+static struct servent * parse_hes_list(struct irs_sv *,
+ char **, const char *);
+
+/* Public */
+
+struct irs_sv *
+irs_dns_sv(struct irs_acc *this) {
+ struct dns_p *dns = (struct dns_p *)this->private;
+ struct irs_sv *sv;
+ struct pvt *pvt;
+
+ if (!dns || !dns->hes_ctx) {
+ errno = ENODEV;
+ return (NULL);
+ }
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->dns = dns;
+ if (!(sv = memget(sizeof *sv))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(sv, 0x5e, sizeof *sv);
+ sv->private = pvt;
+ sv->byname = sv_byname;
+ sv->byport = sv_byport;
+ sv->next = sv_next;
+ sv->rewind = sv_rewind;
+ sv->close = sv_close;
+ sv->minimize = sv_minimize;
+#ifdef SV_RES_SETGET
+ sv->res_get = sv_res_get;
+ sv->res_set = sv_res_set;
+#else
+ sv->res_get = NULL; /* sv_res_get; */
+ sv->res_set = NULL; /* sv_res_set; */
+#endif
+ return (sv);
+}
+
+/* Methods */
+
+static void
+sv_close(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->serv.s_aliases)
+ free(pvt->serv.s_aliases);
+ if (pvt->svbuf)
+ free(pvt->svbuf);
+
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct servent *
+sv_byname(struct irs_sv *this, const char *name, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+ struct servent *s;
+ char **hes_list;
+
+ if (!(hes_list = hesiod_resolve(dns->hes_ctx, name, "service")))
+ return (NULL);
+
+ s = parse_hes_list(this, hes_list, proto);
+ hesiod_free_list(dns->hes_ctx, hes_list);
+ return (s);
+}
+
+static struct servent *
+sv_byport(struct irs_sv *this, int port, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+ struct servent *s;
+ char portstr[16];
+ char **hes_list;
+
+ sprintf(portstr, "%d", ntohs(port));
+ if (!(hes_list = hesiod_resolve(dns->hes_ctx, portstr, "port")))
+ return (NULL);
+
+ s = parse_hes_list(this, hes_list, proto);
+ hesiod_free_list(dns->hes_ctx, hes_list);
+ return (s);
+}
+
+static struct servent *
+sv_next(struct irs_sv *this) {
+ UNUSED(this);
+ errno = ENODEV;
+ return (NULL);
+}
+
+static void
+sv_rewind(struct irs_sv *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static struct servent *
+parse_hes_list(struct irs_sv *this, char **hes_list, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *p, *cp, **cpp, **new;
+ int proto_len;
+ int num = 0;
+ int max = 0;
+
+ for (cpp = hes_list; *cpp; cpp++) {
+ cp = *cpp;
+
+ /* Strip away comments, if any. */
+ if ((p = strchr(cp, '#')))
+ *p = 0;
+
+ /* Check to make sure the protocol matches. */
+ p = cp;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (!*p)
+ continue;
+ if (proto) {
+ proto_len = strlen(proto);
+ if (strncasecmp(++p, proto, proto_len) != 0)
+ continue;
+ if (p[proto_len] && !isspace(p[proto_len]&0xff))
+ continue;
+ }
+ /* OK, we've got a live one. Let's parse it for real. */
+ if (pvt->svbuf)
+ free(pvt->svbuf);
+ pvt->svbuf = strdup(cp);
+
+ p = pvt->svbuf;
+ pvt->serv.s_name = p;
+ while (*p && !isspace(*p&0xff))
+ p++;
+ if (!*p)
+ continue;
+ *p++ = '\0';
+
+ pvt->serv.s_proto = p;
+ while (*p && !isspace(*p&0xff))
+ p++;
+ if (!*p)
+ continue;
+ *p++ = '\0';
+
+ pvt->serv.s_port = htons((u_short) atoi(p));
+ while (*p && !isspace(*p&0xff))
+ p++;
+ if (*p)
+ *p++ = '\0';
+
+ while (*p) {
+ if ((num + 1) >= max || !pvt->serv.s_aliases) {
+ max += 10;
+ new = realloc(pvt->serv.s_aliases,
+ max * sizeof(char *));
+ if (!new) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ pvt->serv.s_aliases = new;
+ }
+ pvt->serv.s_aliases[num++] = p;
+ while (*p && !isspace(*p&0xff))
+ p++;
+ if (*p)
+ *p++ = '\0';
+ }
+ if (!pvt->serv.s_aliases)
+ pvt->serv.s_aliases = malloc(sizeof(char *));
+ if (!pvt->serv.s_aliases)
+ goto cleanup;
+ pvt->serv.s_aliases[num] = NULL;
+ return (&pvt->serv);
+ }
+
+ cleanup:
+ if (pvt->serv.s_aliases) {
+ free(pvt->serv.s_aliases);
+ pvt->serv.s_aliases = NULL;
+ }
+ if (pvt->svbuf) {
+ free(pvt->svbuf);
+ pvt->svbuf = NULL;
+ }
+ return (NULL);
+}
+
+static void
+sv_minimize(struct irs_sv *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+#ifdef SV_RES_SETGET
+static struct __res_state *
+sv_res_get(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ return (__hesiod_res_get(dns->hes_ctx));
+}
+
+static void
+sv_res_set(struct irs_sv *this, struct __res_state * res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct dns_p *dns = pvt->dns;
+
+ __hesiod_res_set(dns->hes_ctx, res, free_res);
+}
+#endif
diff --git a/contrib/bind9/lib/bind/irs/gai_strerror.c b/contrib/bind9/lib/bind/irs/gai_strerror.c
new file mode 100644
index 0000000..7355b93
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gai_strerror.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2001 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <port_before.h>
+#include <netdb.h>
+#include <port_after.h>
+
+#ifdef DO_PTHREADS
+#include <pthread.h>
+#include <stdlib.h>
+#endif
+
+static const char *gai_errlist[] = {
+ "no error",
+ "address family not supported for name",/* EAI_ADDRFAMILY */
+ "temporary failure", /* EAI_AGAIN */
+ "invalid flags", /* EAI_BADFLAGS */
+ "permanent failure", /* EAI_FAIL */
+ "address family not supported", /* EAI_FAMILY */
+ "memory failure", /* EAI_MEMORY */
+ "no address", /* EAI_NODATA */
+ "unknown name or service", /* EAI_NONAME */
+ "service not supported for socktype", /* EAI_SERVICE */
+ "socktype not supported", /* EAI_SOCKTYPE */
+ "system failure", /* EAI_SYSTEM */
+ "bad hints", /* EAI_BADHINTS */
+ "bad protocol", /* EAI_PROTOCOL */
+
+ "unknown error" /* Must be last. */
+};
+
+static const int gai_nerr = (sizeof(gai_errlist)/sizeof(*gai_errlist));
+
+#define EAI_BUFSIZE 128
+
+const char *
+gai_strerror(int ecode) {
+#ifndef DO_PTHREADS
+ static char buf[EAI_BUFSIZE];
+#else /* DO_PTHREADS */
+ static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
+ static pthread_key_t key;
+ static int once = 0;
+ char *buf;
+#endif
+
+ if (ecode >= 0 && ecode < (gai_nerr - 1))
+ return (gai_errlist[ecode]);
+
+#ifdef DO_PTHREADS
+ if (!once) {
+ pthread_mutex_lock(&lock);
+ if (!once++)
+ pthread_key_create(&key, free);
+ pthread_mutex_unlock(&lock);
+ }
+
+ buf = pthread_getspecific(key);
+ if (buf == NULL) {
+ buf = malloc(EAI_BUFSIZE);
+ if (buf == NULL)
+ return ("unknown error");
+ pthread_setspecific(key, buf);
+ }
+#endif
+ /*
+ * XXX This really should be snprintf(buf, EAI_BUFSIZE, ...).
+ * It is safe until message catalogs are used.
+ */
+ sprintf(buf, "%s: %d", gai_errlist[gai_nerr - 1], ecode);
+ return (buf);
+}
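Review bot: In the DO_PTHREADS branch of gai_strerror, `once` is read outside the mutex and the results of `pthread_key_create` and `pthread_setspecific` are ignored. If key creation fails, later calls use `key` without it ever having been created, and if `pthread_setspecific` fails the buffer from `malloc(EAI_BUFSIZE)` is leaked on every call with an out-of-range code. pthread_once with a recorded creation status would remove the unlocked read, and the store can be checked with `if (pthread_setspecific(key, buf) != 0) { free(buf); return ("unknown error"); }`. The XXX comment already asks for the bounded form, `snprintf(buf, EAI_BUFSIZE, "%s: %d", gai_errlist[gai_nerr - 1], ecode);`.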
diff --git a/contrib/bind9/lib/bind/irs/gen.c b/contrib/bind9/lib/bind/irs/gen.c
new file mode 100644
index 0000000..5317821
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen.c
@@ -0,0 +1,430 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen.c,v 1.3.206.2 2004/03/17 00:29:48 marka Exp $";
+#endif
+
+/*
+ * this is the top level dispatcher
+ *
+ * The dispatcher is implemented as an accessor class; it is an
+ * accessor class that calls other accessor classes, as controlled by a
+ * configuration file.
+ *
+ * A big difference between this accessor class and others is that the
+ * map class initializers are NULL, and the map classes are already
+ * filled in with method functions that will do the right thing.
+ */
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <isc/assertions.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Definitions */
+
+struct nameval {
+ const char * name;
+ int val;
+};
+
+static const struct nameval acc_names[irs_nacc+1] = {
+ { "local", irs_lcl },
+ { "dns", irs_dns },
+ { "nis", irs_nis },
+ { "irp", irs_irp },
+ { NULL, irs_nacc }
+};
+
+typedef struct irs_acc *(*accinit) __P((const char *options));
+
+static const accinit accs[irs_nacc+1] = {
+ irs_lcl_acc,
+ irs_dns_acc,
+#ifdef WANT_IRS_NIS
+ irs_nis_acc,
+#else
+ NULL,
+#endif
+ irs_irp_acc,
+ NULL
+};
+
+static const struct nameval map_names[irs_nmap+1] = {
+ { "group", irs_gr },
+ { "passwd", irs_pw },
+ { "services", irs_sv },
+ { "protocols", irs_pr },
+ { "hosts", irs_ho },
+ { "networks", irs_nw },
+ { "netgroup", irs_ng },
+ { NULL, irs_nmap }
+};
+
+static const struct nameval option_names[] = {
+ { "merge", IRS_MERGE },
+ { "continue", IRS_CONTINUE },
+ { NULL, 0 }
+};
+
+/* Forward */
+
+static void gen_close(struct irs_acc *);
+static struct __res_state * gen_res_get(struct irs_acc *);
+static void gen_res_set(struct irs_acc *, struct __res_state *,
+ void (*)(void *));
+static int find_name(const char *, const struct nameval nv[]);
+static void init_map_rules(struct gen_p *, const char *conf_file);
+static struct irs_rule *release_rule(struct irs_rule *);
+static int add_rule(struct gen_p *,
+ enum irs_map_id, enum irs_acc_id,
+ const char *);
+
+/* Public */
+
+struct irs_acc *
+irs_gen_acc(const char *options, const char *conf_file) {
+ struct irs_acc *acc;
+ struct gen_p *irs;
+
+ if (!(acc = memget(sizeof *acc))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(acc, 0x5e, sizeof *acc);
+ if (!(irs = memget(sizeof *irs))) {
+ errno = ENOMEM;
+ memput(acc, sizeof *acc);
+ return (NULL);
+ }
+ memset(irs, 0x5e, sizeof *irs);
+ irs->options = strdup(options);
+ irs->res = NULL;
+ irs->free_res = NULL;
+ memset(irs->accessors, 0, sizeof irs->accessors);
+ memset(irs->map_rules, 0, sizeof irs->map_rules);
+ init_map_rules(irs, conf_file);
+ acc->private = irs;
+#ifdef WANT_IRS_GR
+ acc->gr_map = irs_gen_gr;
+#else
+ acc->gr_map = NULL;
+#endif
+#ifdef WANT_IRS_PW
+ acc->pw_map = irs_gen_pw;
+#else
+ acc->pw_map = NULL;
+#endif
+ acc->sv_map = irs_gen_sv;
+ acc->pr_map = irs_gen_pr;
+ acc->ho_map = irs_gen_ho;
+ acc->nw_map = irs_gen_nw;
+ acc->ng_map = irs_gen_ng;
+ acc->res_get = gen_res_get;
+ acc->res_set = gen_res_set;
+ acc->close = gen_close;
+ return (acc);
+}
+
+/* Methods */
+
+static struct __res_state *
+gen_res_get(struct irs_acc *this) {
+ struct gen_p *irs = (struct gen_p *)this->private;
+
+ if (irs->res == NULL) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (res == NULL)
+ return (NULL);
+ memset(res, 0, sizeof *res);
+ gen_res_set(this, res, free);
+ }
+
+ if (((irs->res->options & RES_INIT) == 0U) && res_ninit(irs->res) < 0)
+ return (NULL);
+
+ return (irs->res);
+}
+
+static void
+gen_res_set(struct irs_acc *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct gen_p *irs = (struct gen_p *)this->private;
+#if 0
+ struct irs_rule *rule;
+ struct irs_ho *ho;
+ struct irs_nw *nw;
+#endif
+
+ if (irs->res && irs->free_res) {
+ res_nclose(irs->res);
+ (*irs->free_res)(irs->res);
+ }
+
+ irs->res = res;
+ irs->free_res = free_res;
+
+#if 0
+ for (rule = irs->map_rules[irs_ho]; rule; rule = rule->next) {
+ ho = rule->inst->ho;
+
+ (*ho->res_set)(ho, res, NULL);
+ }
+ for (rule = irs->map_rules[irs_nw]; rule; rule = rule->next) {
+ nw = rule->inst->nw;
+
+ (*nw->res_set)(nw, res, NULL);
+ }
+#endif
+}
+
+static void
+gen_close(struct irs_acc *this) {
+ struct gen_p *irs = (struct gen_p *)this->private;
+ int n;
+
+ /* Search rules. */
+ for (n = 0; n < irs_nmap; n++)
+ while (irs->map_rules[n] != NULL)
+ irs->map_rules[n] = release_rule(irs->map_rules[n]);
+
+ /* Access methods. */
+ for (n = 0; n < irs_nacc; n++) {
+ /* Map objects. */
+ if (irs->accessors[n].gr != NULL)
+ (*irs->accessors[n].gr->close)(irs->accessors[n].gr);
+ if (irs->accessors[n].pw != NULL)
+ (*irs->accessors[n].pw->close)(irs->accessors[n].pw);
+ if (irs->accessors[n].sv != NULL)
+ (*irs->accessors[n].sv->close)(irs->accessors[n].sv);
+ if (irs->accessors[n].pr != NULL)
+ (*irs->accessors[n].pr->close)(irs->accessors[n].pr);
+ if (irs->accessors[n].ho != NULL)
+ (*irs->accessors[n].ho->close)(irs->accessors[n].ho);
+ if (irs->accessors[n].nw != NULL)
+ (*irs->accessors[n].nw->close)(irs->accessors[n].nw);
+ if (irs->accessors[n].ng != NULL)
+ (*irs->accessors[n].ng->close)(irs->accessors[n].ng);
+ /* Enclosing accessor. */
+ if (irs->accessors[n].acc != NULL)
+ (*irs->accessors[n].acc->close)(irs->accessors[n].acc);
+ }
+
+ /* The options string was strdup'd. */
+ free((void*)irs->options);
+
+ if (irs->res && irs->free_res)
+ (*irs->free_res)(irs->res);
+
+ /* The private data container. */
+ memput(irs, sizeof *irs);
+
+ /* The object. */
+ memput(this, sizeof *this);
+}
+
+/* Private */
+
+static int
+find_name(const char *name, const struct nameval names[]) {
+ int n;
+
+ for (n = 0; names[n].name != NULL; n++)
+ if (strcmp(name, names[n].name) == 0)
+ return (names[n].val);
+ return (-1);
+}
+
+static struct irs_rule *
+release_rule(struct irs_rule *rule) {
+ struct irs_rule *next = rule->next;
+
+ memput(rule, sizeof *rule);
+ return (next);
+}
+
+static int
+add_rule(struct gen_p *irs,
+ enum irs_map_id map, enum irs_acc_id acc,
+ const char *options)
+{
+ struct irs_rule **rules, *last, *tmp, *new;
+ struct irs_inst *inst;
+ const char *cp;
+ int n;
+
+#ifndef WANT_IRS_GR
+ if (map == irs_gr)
+ return (-1);
+#endif
+#ifndef WANT_IRS_PW
+ if (map == irs_pw)
+ return (-1);
+#endif
+#ifndef WANT_IRS_NIS
+ if (acc == irs_nis)
+ return (-1);
+#endif
+ new = memget(sizeof *new);
+ if (new == NULL)
+ return (-1);
+ memset(new, 0x5e, sizeof *new);
+ new->next = NULL;
+
+ new->inst = &irs->accessors[acc];
+
+ new->flags = 0;
+ cp = options;
+ while (cp && *cp) {
+ char option[50], *next;
+
+ next = strchr(cp, ',');
+ if (next)
+ n = next++ - cp;
+ else
+ n = strlen(cp);
+ if ((size_t)n > sizeof option - 1)
+ n = sizeof option - 1;
+ strncpy(option, cp, n);
+ option[n] = '\0';
+
+ n = find_name(option, option_names);
+ if (n >= 0)
+ new->flags |= n;
+
+ cp = next;
+ }
+
+ rules = &irs->map_rules[map];
+ for (last = NULL, tmp = *rules;
+ tmp != NULL;
+ last = tmp, tmp = tmp->next)
+ (void)NULL;
+ if (last == NULL)
+ *rules = new;
+ else
+ last->next = new;
+
+ /* Try to instantiate map accessors for this if necessary & approp. */
+ inst = &irs->accessors[acc];
+ if (inst->acc == NULL && accs[acc] != NULL)
+ inst->acc = (*accs[acc])(irs->options);
+ if (inst->acc != NULL) {
+ if (inst->gr == NULL && inst->acc->gr_map != NULL)
+ inst->gr = (*inst->acc->gr_map)(inst->acc);
+ if (inst->pw == NULL && inst->acc->pw_map != NULL)
+ inst->pw = (*inst->acc->pw_map)(inst->acc);
+ if (inst->sv == NULL && inst->acc->sv_map != NULL)
+ inst->sv = (*inst->acc->sv_map)(inst->acc);
+ if (inst->pr == NULL && inst->acc->pr_map != NULL)
+ inst->pr = (*inst->acc->pr_map)(inst->acc);
+ if (inst->ho == NULL && inst->acc->ho_map != NULL)
+ inst->ho = (*inst->acc->ho_map)(inst->acc);
+ if (inst->nw == NULL && inst->acc->nw_map != NULL)
+ inst->nw = (*inst->acc->nw_map)(inst->acc);
+ if (inst->ng == NULL && inst->acc->ng_map != NULL)
+ inst->ng = (*inst->acc->ng_map)(inst->acc);
+ }
+
+ return (0);
+}
+
+static void
+default_map_rules(struct gen_p *irs) {
+ /* Install time honoured and proved BSD style rules as default. */
+ add_rule(irs, irs_gr, irs_lcl, "");
+ add_rule(irs, irs_pw, irs_lcl, "");
+ add_rule(irs, irs_sv, irs_lcl, "");
+ add_rule(irs, irs_pr, irs_lcl, "");
+ add_rule(irs, irs_ho, irs_dns, "continue");
+ add_rule(irs, irs_ho, irs_lcl, "");
+ add_rule(irs, irs_nw, irs_dns, "continue");
+ add_rule(irs, irs_nw, irs_lcl, "");
+ add_rule(irs, irs_ng, irs_lcl, "");
+}
+
+static void
+init_map_rules(struct gen_p *irs, const char *conf_file) {
+ char line[1024], pattern[40], mapname[20], accname[20], options[100];
+ FILE *conf;
+
+ if (conf_file == NULL)
+ conf_file = _PATH_IRS_CONF ;
+
+ /* A conf file of "" means compiled in defaults. Irpd wants this */
+ if (conf_file[0] == '\0' || (conf = fopen(conf_file, "r")) == NULL) {
+ default_map_rules(irs);
+ return;
+ }
+ (void) sprintf(pattern, "%%%ds %%%ds %%%ds\n",
+ sizeof mapname, sizeof accname, sizeof options);
+ while (fgets(line, sizeof line, conf)) {
+ enum irs_map_id map;
+ enum irs_acc_id acc;
+ char *tmp;
+ int n;
+
+ for (tmp = line;
+ isascii((unsigned char)*tmp) &&
+ isspace((unsigned char)*tmp);
+ tmp++)
+ (void)NULL;
+ if (*tmp == '#' || *tmp == '\n' || *tmp == '\0')
+ continue;
+ n = sscanf(tmp, pattern, mapname, accname, options);
+ if (n < 2)
+ continue;
+ if (n < 3)
+ options[0] = '\0';
+
+ n = find_name(mapname, map_names);
+ INSIST(n < irs_nmap);
+ if (n < 0)
+ continue;
+ map = (enum irs_map_id) n;
+
+ n = find_name(accname, acc_names);
+ INSIST(n < irs_nacc);
+ if (n < 0)
+ continue;
+ acc = (enum irs_acc_id) n;
+
+ add_rule(irs, map, acc, options);
+ }
+ fclose(conf);
+}
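Review bot: In init_map_rules the sscanf pattern is built with field widths equal to the full buffer sizes, so `%20s`, `%20s` and `%100s` can each store one byte past `mapname`, `accname` and `options` when a token in the configuration file is that long, because the width does not count the terminating NUL. The widths should be `sizeof buf - 1`; the `sizeof` values are also `size_t` arguments passed to `%d`, a mismatch on platforms where the two differ in width, so the sketch below adds a cast. Separately, irs_gen_acc stores `strdup(options)` without checking the result, and gen_close frees `irs->res` without the `res_nclose` call that gen_res_set makes.

```c
init_map_rules(struct gen_p *irs, const char *conf_file) {
	/* … unchanged: declarations, conf_file default, fopen fallback … */
	(void) sprintf(pattern, "%%%lus %%%lus %%%lus\n",
		       (unsigned long)(sizeof mapname - 1),
		       (unsigned long)(sizeof accname - 1),
		       (unsigned long)(sizeof options - 1));
	/* … unchanged: fgets/sscanf loop, fclose … */
```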
diff --git a/contrib/bind9/lib/bind/irs/gen_gr.c b/contrib/bind9/lib/bind/irs/gen_gr.c
new file mode 100644
index 0000000..e0c6dba
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_gr.c
@@ -0,0 +1,492 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_gr.c,v 1.4.2.1.4.2 2004/05/17 07:48:56 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_GR
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <sys/types.h>
+
+#include <isc/assertions.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Definitions */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct irs_gr * gr;
+ /*
+ * Need space to store the entries read from the group file.
+ * The members list also needs space per member, and the
+ * strings making up the user names must be allocated
+ * somewhere. Rather than doing lots of small allocations,
+ * we keep one buffer and resize it as needed.
+ */
+ struct group group;
+ size_t nmemb; /* Malloc'd max index of gr_mem[]. */
+ char * membuf;
+ size_t membufsize;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void gr_close(struct irs_gr *);
+static struct group * gr_next(struct irs_gr *);
+static struct group * gr_byname(struct irs_gr *, const char *);
+static struct group * gr_bygid(struct irs_gr *, gid_t);
+static void gr_rewind(struct irs_gr *);
+static int gr_list(struct irs_gr *, const char *,
+ gid_t, gid_t *, int *);
+static void gr_minimize(struct irs_gr *);
+static struct __res_state * gr_res_get(struct irs_gr *);
+static void gr_res_set(struct irs_gr *,
+ struct __res_state *,
+ void (*)(void *));
+
+static int grmerge(struct irs_gr *gr, const struct group *src,
+ int preserve);
+
+static int countvec(char **vec);
+static int isnew(char **old, char *new);
+static int countnew(char **old, char **new);
+static size_t sizenew(char **old, char **new);
+static int newgid(int, gid_t *, gid_t);
+
+/* Macros */
+
+#define FREE_IF(x) do { if ((x) != NULL) { free(x); (x) = NULL; } } while (0)
+
+/* Public */
+
+struct irs_gr *
+irs_gen_gr(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_gr *gr;
+ struct pvt *pvt;
+
+ if (!(gr = memget(sizeof *gr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(gr, 0x5e, sizeof *gr);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(gr, sizeof *gr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->rules = accpvt->map_rules[irs_gr];
+ pvt->rule = pvt->rules;
+ gr->private = pvt;
+ gr->close = gr_close;
+ gr->next = gr_next;
+ gr->byname = gr_byname;
+ gr->bygid = gr_bygid;
+ gr->rewind = gr_rewind;
+ gr->list = gr_list;
+ gr->minimize = gr_minimize;
+ gr->res_get = gr_res_get;
+ gr->res_set = gr_res_set;
+ return (gr);
+}
+
+/* Methods. */
+
+static void
+gr_close(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct group *
+gr_next(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct group *rval;
+ struct irs_gr *gr;
+
+ while (pvt->rule) {
+ gr = pvt->rule->inst->gr;
+ rval = (*gr->next)(gr);
+ if (rval)
+ return (rval);
+ if (!(pvt->rule->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ gr = pvt->rule->inst->gr;
+ (*gr->rewind)(gr);
+ }
+ }
+ return (NULL);
+}
+
+static struct group *
+gr_byname(struct irs_gr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct group *tval;
+ struct irs_gr *gr;
+ int dirty;
+
+ dirty = 0;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ gr = rule->inst->gr;
+ tval = (*gr->byname)(gr, name);
+ if (tval) {
+ if (!grmerge(this, tval, dirty++))
+ return (NULL);
+ if (!(rule->flags & IRS_MERGE))
+ break;
+ } else {
+ if (!(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ }
+ if (dirty)
+ return (&pvt->group);
+ return (NULL);
+}
+
+static struct group *
+gr_bygid(struct irs_gr *this, gid_t gid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct group *tval;
+ struct irs_gr *gr;
+ int dirty;
+
+ dirty = 0;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ gr = rule->inst->gr;
+ tval = (*gr->bygid)(gr, gid);
+ if (tval) {
+ if (!grmerge(this, tval, dirty++))
+ return (NULL);
+ if (!(rule->flags & IRS_MERGE))
+ break;
+ } else {
+ if (!(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ }
+ if (dirty)
+ return (&pvt->group);
+ return (NULL);
+}
+
+static void
+gr_rewind(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_gr *gr;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ gr = pvt->rule->inst->gr;
+ (*gr->rewind)(gr);
+ }
+}
+
+static int
+gr_list(struct irs_gr *this, const char *name,
+ gid_t basegid, gid_t *groups, int *ngroups)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct irs_gr *gr;
+ int t_ngroups, maxgroups;
+ gid_t *t_groups;
+ int n, t, rval = 0;
+
+ maxgroups = *ngroups;
+ *ngroups = 0;
+ t_groups = (gid_t *)malloc(maxgroups * sizeof(gid_t));
+ if (!t_groups) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ t_ngroups = maxgroups;
+ gr = rule->inst->gr;
+ t = (*gr->list)(gr, name, basegid, t_groups, &t_ngroups);
+ for (n = 0; n < t_ngroups; n++) {
+ if (newgid(*ngroups, groups, t_groups[n])) {
+ if (*ngroups == maxgroups) {
+ rval = -1;
+ goto done;
+ }
+ groups[(*ngroups)++] = t_groups[n];
+ }
+ }
+ if (t == 0) {
+ if (!(rule->flags & IRS_MERGE))
+ break;
+ } else {
+ if (!(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ }
+ done:
+ free(t_groups);
+ return (rval);
+}
+
+static void
+gr_minimize(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_gr *gr = rule->inst->gr;
+
+ (*gr->minimize)(gr);
+ }
+}
+
+static struct __res_state *
+gr_res_get(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ gr_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+gr_res_set(struct irs_gr *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_gr *gr = rule->inst->gr;
+
+ if (gr->res_set)
+ (*gr->res_set)(gr, pvt->res, NULL);
+ }
+}
+
+/* Private. */
+
+static int
+grmerge(struct irs_gr *this, const struct group *src, int preserve) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *cp, **m, **p, *oldmembuf, *ep;
+ int n, ndst, nnew;
+ size_t used;
+
+ if (!preserve) {
+ pvt->group.gr_gid = src->gr_gid;
+ if (pvt->nmemb < 1) {
+ m = malloc(sizeof *m);
+ if (m == NULL) {
+ /* No harm done, no work done. */
+ return (0);
+ }
+ pvt->group.gr_mem = m;
+ pvt->nmemb = 1;
+ }
+ pvt->group.gr_mem[0] = NULL;
+ }
+ ndst = countvec(pvt->group.gr_mem);
+ nnew = countnew(pvt->group.gr_mem, src->gr_mem);
+
+ /*
+ * Make sure destination member array is large enough.
+ * p points to new portion.
+ */
+ n = ndst + nnew + 1;
+ if ((size_t)n > pvt->nmemb) {
+ m = realloc(pvt->group.gr_mem, n * sizeof *m);
+ if (m == NULL) {
+ /* No harm done, no work done. */
+ return (0);
+ }
+ pvt->group.gr_mem = m;
+ pvt->nmemb = n;
+ }
+ p = pvt->group.gr_mem + ndst;
+
+ /*
+ * Enlarge destination membuf; cp points at new portion.
+ */
+ n = sizenew(pvt->group.gr_mem, src->gr_mem);
+ INSIST((nnew == 0) == (n == 0));
+ if (!preserve) {
+ n += strlen(src->gr_name) + 1;
+ n += strlen(src->gr_passwd) + 1;
+ }
+ if (n == 0) {
+ /* No work to do. */
+ return (1);
+ }
+ used = preserve ? pvt->membufsize : 0;
+ cp = malloc(used + n);
+ if (cp == NULL) {
+ /* No harm done, no work done. */
+ return (0);
+ }
+ ep = cp + used + n;
+ if (used != 0)
+ memcpy(cp, pvt->membuf, used);
+ oldmembuf = pvt->membuf;
+ pvt->membuf = cp;
+ pvt->membufsize = used + n;
+ cp += used;
+
+ /*
+ * Adjust group.gr_mem.
+ */
+ if (pvt->membuf != oldmembuf)
+ for (m = pvt->group.gr_mem; *m; m++)
+ *m = pvt->membuf + (*m - oldmembuf);
+
+ /*
+ * Add new elements.
+ */
+ for (m = src->gr_mem; *m; m++)
+ if (isnew(pvt->group.gr_mem, *m)) {
+ *p++ = cp;
+ *p = NULL;
+ n = strlen(*m) + 1;
+ if (n > ep - cp) {
+ FREE_IF(oldmembuf);
+ return (0);
+ }
+ strcpy(cp, *m); /* (checked) */
+ cp += n;
+ }
+ if (preserve) {
+ pvt->group.gr_name = pvt->membuf +
+ (pvt->group.gr_name - oldmembuf);
+ pvt->group.gr_passwd = pvt->membuf +
+ (pvt->group.gr_passwd - oldmembuf);
+ } else {
+ pvt->group.gr_name = cp;
+ n = strlen(src->gr_name) + 1;
+ if (n > ep - cp) {
+ FREE_IF(oldmembuf);
+ return (0);
+ }
+ strcpy(cp, src->gr_name); /* (checked) */
+ cp += n;
+
+ pvt->group.gr_passwd = cp;
+ n = strlen(src->gr_passwd) + 1;
+ if (n > ep - cp) {
+ FREE_IF(oldmembuf);
+ return (0);
+ }
+ strcpy(cp, src->gr_passwd); /* (checked) */
+ cp += n;
+ }
+ FREE_IF(oldmembuf);
+ INSIST(cp >= pvt->membuf && cp <= &pvt->membuf[pvt->membufsize]);
+ return (1);
+}
+
+static int
+countvec(char **vec) {
+ int n = 0;
+
+ while (*vec++)
+ n++;
+ return (n);
+}
+
+static int
+isnew(char **old, char *new) {
+ for (; *old; old++)
+ if (strcmp(*old, new) == 0)
+ return (0);
+ return (1);
+}
+
+static int
+countnew(char **old, char **new) {
+ int n = 0;
+
+ for (; *new; new++)
+ n += isnew(old, *new);
+ return (n);
+}
+
+static size_t
+sizenew(char **old, char **new) {
+ size_t n = 0;
+
+ for (; *new; new++)
+ if (isnew(old, *new))
+ n += strlen(*new) + 1;
+ return (n);
+}
+
+static int
+newgid(int ngroups, gid_t *groups, gid_t group) {
+ ngroups--, groups++;
+ for (; ngroups-- > 0; groups++)
+ if (*groups == group)
+ return (0);
+ return (1);
+}
+
+#endif /* WANT_IRS_GR */
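Review bot: gr_close releases only `pvt` and `this`, so three allocations owned by the object leak on every close: the member vector `pvt->group.gr_mem` and the string buffer `pvt->membuf` that grmerge obtains from malloc/realloc, and the resolver state that gr_res_get allocates with `free` as its destructor. ho_close and nw_close in this same import do release `pvt->res` through `free_res`, so this looks like an oversight rather than a deliberate lifetime choice. The change below frees the owned allocations before the memput calls, reusing the file's own FREE_IF macro and the close-then-free order gr_res_set already uses. Whether the per-rule backends still hold the shared `res` pointer after this point is not visible in the hunk and should be confirmed before carrying the patch or reporting it upstream.
```c
static void
gr_close(struct irs_gr *this) {
	struct pvt *pvt = (struct pvt *)this->private;

	FREE_IF(pvt->group.gr_mem);
	FREE_IF(pvt->membuf);
	if (pvt->res && pvt->free_res) {
		res_nclose(pvt->res);
		(*pvt->free_res)(pvt->res);
	}
	/* ... unchanged: memput of pvt and this ... */
}
```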
diff --git a/contrib/bind9/lib/bind/irs/gen_ho.c b/contrib/bind9/lib/bind/irs/gen_ho.c
new file mode 100644
index 0000000..e9e2c89
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_ho.c
@@ -0,0 +1,391 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: gen_ho.c,v 1.1.206.2 2004/03/17 01:49:39 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Definitions */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct irs_ho * ho;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forwards */
+
+static void ho_close(struct irs_ho *this);
+static struct hostent * ho_byname(struct irs_ho *this, const char *name);
+static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
+ int af);
+static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ int len, int af);
+static struct hostent * ho_next(struct irs_ho *this);
+static void ho_rewind(struct irs_ho *this);
+static void ho_minimize(struct irs_ho *this);
+static struct __res_state * ho_res_get(struct irs_ho *this);
+static void ho_res_set(struct irs_ho *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
+ const struct addrinfo *pai);
+
+static int init(struct irs_ho *this);
+
+/* Exports */
+
+struct irs_ho *
+irs_gen_ho(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_ho *ho;
+ struct pvt *pvt;
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(ho = memget(sizeof *ho))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ho, 0x5e, sizeof *ho);
+ pvt->rules = accpvt->map_rules[irs_ho];
+ pvt->rule = pvt->rules;
+ ho->private = pvt;
+ ho->close = ho_close;
+ ho->byname = ho_byname;
+ ho->byname2 = ho_byname2;
+ ho->byaddr = ho_byaddr;
+ ho->next = ho_next;
+ ho->rewind = ho_rewind;
+ ho->minimize = ho_minimize;
+ ho->res_get = ho_res_get;
+ ho->res_set = ho_res_set;
+ ho->addrinfo = ho_addrinfo;
+ return (ho);
+}
+
+/* Methods. */
+
+static void
+ho_close(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ho_minimize(this);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct hostent *
+ho_byname(struct irs_ho *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct hostent *rval;
+ struct irs_ho *ho;
+ int therrno = NETDB_INTERNAL;
+ int softerror = 0;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ ho = rule->inst->ho;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = 0;
+ rval = (*ho->byname)(ho, name);
+ if (rval != NULL)
+ return (rval);
+ if (softerror == 0 &&
+ pvt->res->res_h_errno != HOST_NOT_FOUND &&
+ pvt->res->res_h_errno != NETDB_INTERNAL) {
+ softerror = 1;
+ therrno = pvt->res->res_h_errno;
+ }
+ if (rule->flags & IRS_CONTINUE)
+ continue;
+ /*
+ * The value TRY_AGAIN can mean that the service
+ * is not available, or just that this particular name
+ * cannot be resolved now. We use the errno ECONNREFUSED
+ * to distinguish. If a lookup sets that errno when
+ * H_ERRNO is TRY_AGAIN, we continue to try other lookup
+ * functions, otherwise we return the TRY_AGAIN error.
+ */
+ if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
+ break;
+ }
+ if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
+ RES_SET_H_ERRNO(pvt->res, therrno);
+ return (NULL);
+}
+
+static struct hostent *
+ho_byname2(struct irs_ho *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct hostent *rval;
+ struct irs_ho *ho;
+ int therrno = NETDB_INTERNAL;
+ int softerror = 0;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ ho = rule->inst->ho;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = 0;
+ rval = (*ho->byname2)(ho, name, af);
+ if (rval != NULL)
+ return (rval);
+ if (softerror == 0 &&
+ pvt->res->res_h_errno != HOST_NOT_FOUND &&
+ pvt->res->res_h_errno != NETDB_INTERNAL) {
+ softerror = 1;
+ therrno = pvt->res->res_h_errno;
+ }
+ if (rule->flags & IRS_CONTINUE)
+ continue;
+ /*
+ * See the comments in ho_byname() explaining
+ * the interpretation of TRY_AGAIN and ECONNREFUSED.
+ */
+ if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
+ break;
+ }
+ if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
+ RES_SET_H_ERRNO(pvt->res, therrno);
+ return (NULL);
+}
+
+static struct hostent *
+ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct hostent *rval;
+ struct irs_ho *ho;
+ int therrno = NETDB_INTERNAL;
+ int softerror = 0;
+
+
+ if (init(this) == -1)
+ return (NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ ho = rule->inst->ho;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = 0;
+ rval = (*ho->byaddr)(ho, addr, len, af);
+ if (rval != NULL)
+ return (rval);
+ if (softerror == 0 &&
+ pvt->res->res_h_errno != HOST_NOT_FOUND &&
+ pvt->res->res_h_errno != NETDB_INTERNAL) {
+ softerror = 1;
+ therrno = pvt->res->res_h_errno;
+ }
+
+ if (rule->flags & IRS_CONTINUE)
+ continue;
+ /*
+ * See the comments in ho_byname() explaining
+ * the interpretation of TRY_AGAIN and ECONNREFUSED.
+ */
+ if (pvt->res->res_h_errno != TRY_AGAIN || errno != ECONNREFUSED)
+ break;
+ }
+ if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
+ RES_SET_H_ERRNO(pvt->res, therrno);
+ return (NULL);
+}
+
+static struct hostent *
+ho_next(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *rval;
+ struct irs_ho *ho;
+
+ while (pvt->rule) {
+ ho = pvt->rule->inst->ho;
+ rval = (*ho->next)(ho);
+ if (rval)
+ return (rval);
+ if (!(pvt->rule->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ ho = pvt->rule->inst->ho;
+ (*ho->rewind)(ho);
+ }
+ }
+ return (NULL);
+}
+
+static void
+ho_rewind(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_ho *ho;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ ho = pvt->rule->inst->ho;
+ (*ho->rewind)(ho);
+ }
+}
+
+static void
+ho_minimize(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_ho *ho = rule->inst->ho;
+
+ (*ho->minimize)(ho);
+ }
+}
+
+static struct __res_state *
+ho_res_get(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ ho_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+ho_res_set(struct irs_ho *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_ho *ho = rule->inst->ho;
+
+ (*ho->res_set)(ho, pvt->res, NULL);
+ }
+}
+
+static struct addrinfo *
+ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct addrinfo *rval = NULL;
+ struct irs_ho *ho;
+ int therrno = NETDB_INTERNAL;
+ int softerror = 0;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ ho = rule->inst->ho;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = 0;
+ if (ho->addrinfo == NULL) /* for safety */
+ continue;
+ rval = (*ho->addrinfo)(ho, name, pai);
+ if (rval != NULL)
+ return (rval);
+ if (softerror == 0 &&
+ pvt->res->res_h_errno != HOST_NOT_FOUND &&
+ pvt->res->res_h_errno != NETDB_INTERNAL) {
+ softerror = 1;
+ therrno = pvt->res->res_h_errno;
+ }
+ if (rule->flags & IRS_CONTINUE)
+ continue;
+ /*
+ * See the comments in ho_byname() explaining
+ * the interpretation of TRY_AGAIN and ECONNREFUSED.
+ */
+ if (pvt->res->res_h_errno != TRY_AGAIN ||
+ errno != ECONNREFUSED)
+ break;
+ }
+ if (softerror != 0 && pvt->res->res_h_errno == HOST_NOT_FOUND)
+ RES_SET_H_ERRNO(pvt->res, therrno);
+ if (rval)
+ freeaddrinfo(rval);
+ return (NULL);
+}
+
+static int
+init(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !ho_res_get(this))
+ return (-1);
+
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ (res_ninit(pvt->res) == -1))
+ return (-1);
+
+ return (0);
+}
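Review bot: In ho_addrinfo a backend whose `addrinfo` slot is NULL is skipped with `continue` before the `IRS_CONTINUE` test, so the lookup moves on to the next rule even when this rule is configured to end the chain. The other three lookup functions have no such bypass. If that fall-through is intended, it deserves a comment at the check, for example `/* No addrinfo method: try the next rule regardless of IRS_CONTINUE. */`; if not, the check should honour the flag, `if (ho->addrinfo == NULL) { if (rule->flags & IRS_CONTINUE) continue; break; }`. Separately, `rval` is always NULL once the loop exits, so the trailing `if (rval) freeaddrinfo(rval);` never runs and can be dropped.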
diff --git a/contrib/bind9/lib/bind/irs/gen_ng.c b/contrib/bind9/lib/bind/irs/gen_ng.c
new file mode 100644
index 0000000..9f3ecad
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_ng.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_ng.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Types */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ char * curgroup;
+};
+
+/* Forward */
+
+static void ng_close(struct irs_ng *);
+static int ng_next(struct irs_ng *, const char **,
+ const char **, const char **);
+static int ng_test(struct irs_ng *, const char *,
+ const char *, const char *,
+ const char *);
+static void ng_rewind(struct irs_ng *, const char *);
+static void ng_minimize(struct irs_ng *);
+
+/* Public */
+
+struct irs_ng *
+irs_gen_ng(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_ng *ng;
+ struct pvt *pvt;
+
+ if (!(ng = memget(sizeof *ng))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ng, 0x5e, sizeof *ng);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(ng, sizeof *ng);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->rules = accpvt->map_rules[irs_ng];
+ pvt->rule = pvt->rules;
+ ng->private = pvt;
+ ng->close = ng_close;
+ ng->next = ng_next;
+ ng->test = ng_test;
+ ng->rewind = ng_rewind;
+ ng->minimize = ng_minimize;
+ return (ng);
+}
+
+/* Methods */
+
+static void
+ng_close(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ng_minimize(this);
+ if (pvt->curgroup)
+ free(pvt->curgroup);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static int
+ng_next(struct irs_ng *this, const char **host, const char **user,
+ const char **domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_ng *ng;
+
+ while (pvt->rule) {
+ ng = pvt->rule->inst->ng;
+ if ((*ng->next)(ng, host, user, domain) == 1)
+ return (1);
+ if (!(pvt->rule->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ ng = pvt->rule->inst->ng;
+ (*ng->rewind)(ng, pvt->curgroup);
+ }
+ }
+ return (0);
+}
+
+static int
+ng_test(struct irs_ng *this, const char *name,
+ const char *user, const char *host, const char *domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct irs_ng *ng;
+ int rval;
+
+ rval = 0;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ ng = rule->inst->ng;
+ rval = (*ng->test)(ng, name, user, host, domain);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static void
+ng_rewind(struct irs_ng *this, const char *group) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_ng *ng;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ if (pvt->curgroup)
+ free(pvt->curgroup);
+ pvt->curgroup = strdup(group);
+ ng = pvt->rule->inst->ng;
+ (*ng->rewind)(ng, pvt->curgroup);
+ }
+}
+
+static void
+ng_minimize(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_ng *ng = rule->inst->ng;
+
+ (*ng->minimize)(ng);
+ }
+}
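Review bot: ng_rewind stores the result of `strdup(group)` in `pvt->curgroup` without checking it, so on allocation failure a NULL group name is handed to the first backend's rewind and, through ng_next, to every later backend in the chain. Because the function returns void, the simplest handling is to end the iteration by replacing the assignment with `if ((pvt->curgroup = strdup(group)) == NULL) { pvt->rule = NULL; return; }`, which makes ng_next return 0. The call also assumes `group` is non-NULL; a short comment on ng_rewind stating that precondition would make the contract explicit.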
diff --git a/contrib/bind9/lib/bind/irs/gen_nw.c b/contrib/bind9/lib/bind/irs/gen_nw.c
new file mode 100644
index 0000000..cb41f5d
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_nw.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_nw.c,v 1.1.206.2 2004/03/17 01:49:40 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Types */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void nw_close(struct irs_nw*);
+static struct nwent * nw_next(struct irs_nw *);
+static struct nwent * nw_byname(struct irs_nw *, const char *, int);
+static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
+static void nw_rewind(struct irs_nw *);
+static void nw_minimize(struct irs_nw *);
+static struct __res_state * nw_res_get(struct irs_nw *this);
+static void nw_res_set(struct irs_nw *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+
+static int init(struct irs_nw *this);
+
+/* Public */
+
+struct irs_nw *
+irs_gen_nw(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_nw *nw;
+ struct pvt *pvt;
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(nw = memget(sizeof *nw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nw, 0x5e, sizeof *nw);
+ pvt->rules = accpvt->map_rules[irs_nw];
+ pvt->rule = pvt->rules;
+ nw->private = pvt;
+ nw->close = nw_close;
+ nw->next = nw_next;
+ nw->byname = nw_byname;
+ nw->byaddr = nw_byaddr;
+ nw->rewind = nw_rewind;
+ nw->minimize = nw_minimize;
+ nw->res_get = nw_res_get;
+ nw->res_set = nw_res_set;
+ return (nw);
+}
+
+/* Methods */
+
+static void
+nw_close(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nw_minimize(this);
+
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct nwent *
+nw_next(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *rval;
+ struct irs_nw *nw;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ while (pvt->rule) {
+ nw = pvt->rule->inst->nw;
+ rval = (*nw->next)(nw);
+ if (rval)
+ return (rval);
+ if (!(pvt->rules->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ nw = pvt->rule->inst->nw;
+ (*nw->rewind)(nw);
+ }
+ }
+ return (NULL);
+}
+
+static struct nwent *
+nw_byname(struct irs_nw *this, const char *name, int type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct nwent *rval;
+ struct irs_nw *nw;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ nw = rule->inst->nw;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ rval = (*nw->byname)(nw, name, type);
+ if (rval != NULL)
+ return (rval);
+ if (pvt->res->res_h_errno != TRY_AGAIN &&
+ !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (NULL);
+}
+
+static struct nwent *
+nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct nwent *rval;
+ struct irs_nw *nw;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ nw = rule->inst->nw;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ rval = (*nw->byaddr)(nw, net, length, type);
+ if (rval != NULL)
+ return (rval);
+ if (pvt->res->res_h_errno != TRY_AGAIN &&
+ !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (NULL);
+}
+
+static void
+nw_rewind(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_nw *nw;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ nw = pvt->rule->inst->nw;
+ (*nw->rewind)(nw);
+ }
+}
+
+static void
+nw_minimize(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_nw *nw = rule->inst->nw;
+
+ (*nw->minimize)(nw);
+ }
+}
+
+static struct __res_state *
+nw_res_get(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ nw_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+nw_res_set(struct irs_nw *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_nw *nw = rule->inst->nw;
+
+ (*nw->res_set)(nw, pvt->res, NULL);
+ }
+}
+
+static int
+init(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !nw_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
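Review bot: nw_next tests `pvt->rules->flags`, the head of the rule list, where gr_next, ho_next and ng_next in this same import test `pvt->rule->flags`, the rule currently being iterated. As written, whether enumeration continues past any network source is decided by the first rule's "continue" option, so a later rule without that option does not stop the walk and a first rule without it stops the walk even if later rules would allow it. The line should read `if (!(pvt->rule->flags & IRS_CONTINUE))`. With the default rules visible earlier in this diff (dns with "continue", then local) the result happens to be the same, which probably hid the typo.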
diff --git a/contrib/bind9/lib/bind/irs/gen_p.h b/contrib/bind9/lib/bind/irs/gen_p.h
new file mode 100644
index 0000000..0a7ea2b
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_p.h
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: gen_p.h,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $
+ */
+
+/* Notes:
+ * We hope to create a complete set of thread-safe entry points someday,
+ * which will mean a set of getXbyY() functions that take as an argument
+ * a pointer to the map class, which will have a pointer to the private
+ * data, which will be used preferentially to the static variables that
+ * are necessary to support the "classic" interface. This "classic"
+ * interface will then be reimplemented as stubs on top of the thread
+ * safe modules, and will keep the map class pointers as their only
+ * static data. HOWEVER, we are not there yet. So while we will call
+ * the just-barely-converted map class methods with map class pointers,
+ * right now they probably all still use statics. We're not fooling
+ * anybody, and we're not trying to (yet).
+ */
+
+#ifndef _GEN_P_H_INCLUDED
+#define _GEN_P_H_INCLUDED
+
+/*
+ * These are the access methods.
+ */
+enum irs_acc_id {
+ irs_lcl, /* Local. */
+ irs_dns, /* DNS or Hesiod. */
+ irs_nis, /* Sun NIS ("YP"). */
+ irs_irp, /* IR protocol. */
+ irs_nacc
+};
+
+/*
+ * These are the map types.
+ */
+enum irs_map_id {
+ irs_gr, /* "group" */
+ irs_pw, /* "passwd" */
+ irs_sv, /* "services" */
+ irs_pr, /* "protocols" */
+ irs_ho, /* "hosts" */
+ irs_nw, /* "networks" */
+ irs_ng, /* "netgroup" */
+ irs_nmap
+};
+
+/*
+ * This is an accessor instance.
+ */
+struct irs_inst {
+ struct irs_acc *acc;
+ struct irs_gr * gr;
+ struct irs_pw * pw;
+ struct irs_sv * sv;
+ struct irs_pr * pr;
+ struct irs_ho * ho;
+ struct irs_nw * nw;
+ struct irs_ng * ng;
+};
+
+/*
+ * This is a search rule for some map type.
+ */
+struct irs_rule {
+ struct irs_rule * next;
+ struct irs_inst * inst;
+ int flags;
+};
+#define IRS_MERGE 0x0001 /* Don't stop if acc. has data? */
+#define IRS_CONTINUE 0x0002 /* Don't stop if acc. has no data? */
+
+/*
+ * This is the private data for a search access class.
+ */
+struct gen_p {
+ char * options;
+ struct irs_rule * map_rules[(int)irs_nmap];
+ struct irs_inst accessors[(int)irs_nacc];
+ struct __res_state * res;
+ void (*free_res) __P((void *));
+};
+
+/*
+ * Externs.
+ */
+
+extern struct irs_acc * irs_gen_acc __P((const char *, const char *conf_file));
+extern struct irs_gr * irs_gen_gr __P((struct irs_acc *));
+extern struct irs_pw * irs_gen_pw __P((struct irs_acc *));
+extern struct irs_sv * irs_gen_sv __P((struct irs_acc *));
+extern struct irs_pr * irs_gen_pr __P((struct irs_acc *));
+extern struct irs_ho * irs_gen_ho __P((struct irs_acc *));
+extern struct irs_nw * irs_gen_nw __P((struct irs_acc *));
+extern struct irs_ng * irs_gen_ng __P((struct irs_acc *));
+
+#endif /*_IRS_P_H_INCLUDED*/
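Review bot: The closing comment on the include guard names a different macro than the guard itself: the header opens with `#ifndef _GEN_P_H_INCLUDED` but ends with `#endif /*_IRS_P_H_INCLUDED*/`, and should read `#endif /*_GEN_P_H_INCLUDED*/`. The comments on `IRS_MERGE` and `IRS_CONTINUE` are also phrased as questions. A definite statement would help, since the lookup loops in the gen_*.c files of this import test `IRS_CONTINUE` to decide whether to fall through to the next rule.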
diff --git a/contrib/bind9/lib/bind/irs/gen_pr.c b/contrib/bind9/lib/bind/irs/gen_pr.c
new file mode 100644
index 0000000..465fee3
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_pr.c
@@ -0,0 +1,226 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_pr.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Types */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void pr_close(struct irs_pr*);
+static struct protoent * pr_next(struct irs_pr *);
+static struct protoent * pr_byname(struct irs_pr *, const char *);
+static struct protoent * pr_bynumber(struct irs_pr *, int);
+static void pr_rewind(struct irs_pr *);
+static void pr_minimize(struct irs_pr *);
+static struct __res_state * pr_res_get(struct irs_pr *);
+static void pr_res_set(struct irs_pr *,
+ struct __res_state *,
+ void (*)(void *));
+
+/* Public */
+
+struct irs_pr *
+irs_gen_pr(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_pr *pr;
+ struct pvt *pvt;
+
+ if (!(pr = memget(sizeof *pr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pr, 0x5e, sizeof *pr);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pr, sizeof *pr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->rules = accpvt->map_rules[irs_pr];
+ pvt->rule = pvt->rules;
+ pr->private = pvt;
+ pr->close = pr_close;
+ pr->next = pr_next;
+ pr->byname = pr_byname;
+ pr->bynumber = pr_bynumber;
+ pr->rewind = pr_rewind;
+ pr->minimize = pr_minimize;
+ pr->res_get = pr_res_get;
+ pr->res_set = pr_res_set;
+ return (pr);
+}
+
+/* Methods */
+
+static void
+pr_close(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct protoent *
+pr_next(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct protoent *rval;
+ struct irs_pr *pr;
+
+ while (pvt->rule) {
+ pr = pvt->rule->inst->pr;
+ rval = (*pr->next)(pr);
+ if (rval)
+ return (rval);
+ if (!(pvt->rules->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ pr = pvt->rule->inst->pr;
+ (*pr->rewind)(pr);
+ }
+ }
+ return (NULL);
+}
+
+static struct protoent *
+pr_byname(struct irs_pr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct protoent *rval;
+ struct irs_pr *pr;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ pr = rule->inst->pr;
+ rval = (*pr->byname)(pr, name);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static struct protoent *
+pr_bynumber(struct irs_pr *this, int proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct protoent *rval;
+ struct irs_pr *pr;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ pr = rule->inst->pr;
+ rval = (*pr->bynumber)(pr, proto);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static void
+pr_rewind(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_pr *pr;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ pr = pvt->rule->inst->pr;
+ (*pr->rewind)(pr);
+ }
+}
+
+static void
+pr_minimize(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_pr *pr = rule->inst->pr;
+
+ (*pr->minimize)(pr);
+ }
+}
+
+static struct __res_state *
+pr_res_get(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ pr_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+pr_res_set(struct irs_pr *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_pr *pr = rule->inst->pr;
+
+ if (pr->res_set)
+ (*pr->res_set)(pr, pvt->res, NULL);
+ }
+}
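Review bot: In pr_next the continue test reads `pvt->rules->flags`, the head of the rule list, although the cursor being advanced is `pvt->rule`. pw_next and sv_next in this same import test `pvt->rule->flags`. With more than one rule configured, enumeration continues or stops according to the first rule's IRS_CONTINUE bit, whichever accessor has just run out of entries. The line should read `if (!(pvt->rule->flags & IRS_CONTINUE))`. As this is vendored code, the fix is best reported upstream as well.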
diff --git a/contrib/bind9/lib/bind/irs/gen_pw.c b/contrib/bind9/lib/bind/irs/gen_pw.c
new file mode 100644
index 0000000..ca31302
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_pw.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_pw.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Types */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void pw_close(struct irs_pw *);
+static struct passwd * pw_next(struct irs_pw *);
+static struct passwd * pw_byname(struct irs_pw *, const char *);
+static struct passwd * pw_byuid(struct irs_pw *, uid_t);
+static void pw_rewind(struct irs_pw *);
+static void pw_minimize(struct irs_pw *);
+static struct __res_state * pw_res_get(struct irs_pw *);
+static void pw_res_set(struct irs_pw *,
+ struct __res_state *,
+ void (*)(void *));
+
+/* Public */
+
+struct irs_pw *
+irs_gen_pw(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_pw *pw;
+ struct pvt *pvt;
+
+ if (!(pw = memget(sizeof *pw))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pw, 0x5e, sizeof *pw);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pw, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->rules = accpvt->map_rules[irs_pw];
+ pvt->rule = pvt->rules;
+ pw->private = pvt;
+ pw->close = pw_close;
+ pw->next = pw_next;
+ pw->byname = pw_byname;
+ pw->byuid = pw_byuid;
+ pw->rewind = pw_rewind;
+ pw->minimize = pw_minimize;
+ pw->res_get = pw_res_get;
+ pw->res_set = pw_res_set;
+ return (pw);
+}
+
+/* Methods */
+
+static void
+pw_close(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct passwd *
+pw_next(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct passwd *rval;
+ struct irs_pw *pw;
+
+ while (pvt->rule) {
+ pw = pvt->rule->inst->pw;
+ rval = (*pw->next)(pw);
+ if (rval)
+ return (rval);
+ if (!(pvt->rule->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ pw = pvt->rule->inst->pw;
+ (*pw->rewind)(pw);
+ }
+ }
+ return (NULL);
+}
+
+static void
+pw_rewind(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_pw *pw;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ pw = pvt->rule->inst->pw;
+ (*pw->rewind)(pw);
+ }
+}
+
+static struct passwd *
+pw_byname(struct irs_pw *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct passwd *rval;
+ struct irs_pw *pw;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ pw = rule->inst->pw;
+ rval = (*pw->byname)(pw, name);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static struct passwd *
+pw_byuid(struct irs_pw *this, uid_t uid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct passwd *rval;
+ struct irs_pw *pw;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ pw = rule->inst->pw;
+ rval = (*pw->byuid)(pw, uid);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static void
+pw_minimize(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_pw *pw = rule->inst->pw;
+
+ (*pw->minimize)(pw);
+ }
+}
+
+static struct __res_state *
+pw_res_get(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ pw_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+pw_res_set(struct irs_pw *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_pw *pw = rule->inst->pw;
+
+ if (pw->res_set)
+ (*pw->res_set)(pw, pvt->res, NULL);
+ }
+}
+
+#endif /* WANT_IRS_PW */
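Review bot: The error path in irs_gen_pw hands `pw` back to the allocator with the wrong size: `memput(pw, sizeof *pvt)` releases a block that was obtained with `memget(sizeof *pw)`. memget and memput are not defined in this hunk, but if the allocator files freed blocks by the size it is given, this puts a `struct irs_pw` block on the free list for a different size whenever the second allocation fails, which is a heap-corruption risk under memory pressure. irs_gen_pr and irs_gen_sv pass the matching size, and this call should be `memput(pw, sizeof *pw);`.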
diff --git a/contrib/bind9/lib/bind/irs/gen_sv.c b/contrib/bind9/lib/bind/irs/gen_sv.c
new file mode 100644
index 0000000..e8f6114
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gen_sv.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gen_sv.c,v 1.1.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "gen_p.h"
+
+/* Types */
+
+struct pvt {
+ struct irs_rule * rules;
+ struct irs_rule * rule;
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void sv_close(struct irs_sv*);
+static struct servent * sv_next(struct irs_sv *);
+static struct servent * sv_byname(struct irs_sv *, const char *,
+ const char *);
+static struct servent * sv_byport(struct irs_sv *, int, const char *);
+static void sv_rewind(struct irs_sv *);
+static void sv_minimize(struct irs_sv *);
+static struct __res_state * sv_res_get(struct irs_sv *);
+static void sv_res_set(struct irs_sv *,
+ struct __res_state *,
+ void (*)(void *));
+
+/* Public */
+
+struct irs_sv *
+irs_gen_sv(struct irs_acc *this) {
+ struct gen_p *accpvt = (struct gen_p *)this->private;
+ struct irs_sv *sv;
+ struct pvt *pvt;
+
+ if (!(sv = memget(sizeof *sv))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(sv, 0x5e, sizeof *sv);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(sv, sizeof *sv);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->rules = accpvt->map_rules[irs_sv];
+ pvt->rule = pvt->rules;
+ sv->private = pvt;
+ sv->close = sv_close;
+ sv->next = sv_next;
+ sv->byname = sv_byname;
+ sv->byport = sv_byport;
+ sv->rewind = sv_rewind;
+ sv->minimize = sv_minimize;
+ sv->res_get = sv_res_get;
+ sv->res_set = sv_res_set;
+ return (sv);
+}
+
+/* Methods */
+
+static void
+sv_close(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct servent *
+sv_next(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct servent *rval;
+ struct irs_sv *sv;
+
+ while (pvt->rule) {
+ sv = pvt->rule->inst->sv;
+ rval = (*sv->next)(sv);
+ if (rval)
+ return (rval);
+ if (!(pvt->rule->flags & IRS_CONTINUE))
+ break;
+ pvt->rule = pvt->rule->next;
+ if (pvt->rule) {
+ sv = pvt->rule->inst->sv;
+ (*sv->rewind)(sv);
+ }
+ }
+ return (NULL);
+}
+
+static struct servent *
+sv_byname(struct irs_sv *this, const char *name, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct servent *rval;
+ struct irs_sv *sv;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ sv = rule->inst->sv;
+ rval = (*sv->byname)(sv, name, proto);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static struct servent *
+sv_byport(struct irs_sv *this, int port, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+ struct servent *rval;
+ struct irs_sv *sv;
+
+ rval = NULL;
+ for (rule = pvt->rules; rule; rule = rule->next) {
+ sv = rule->inst->sv;
+ rval = (*sv->byport)(sv, port, proto);
+ if (rval || !(rule->flags & IRS_CONTINUE))
+ break;
+ }
+ return (rval);
+}
+
+static void
+sv_rewind(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_sv *sv;
+
+ pvt->rule = pvt->rules;
+ if (pvt->rule) {
+ sv = pvt->rule->inst->sv;
+ (*sv->rewind)(sv);
+ }
+}
+
+static void
+sv_minimize(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_sv *sv = rule->inst->sv;
+
+ (*sv->minimize)(sv);
+ }
+}
+
+static struct __res_state *
+sv_res_get(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ sv_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+sv_res_set(struct irs_sv *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct irs_rule *rule;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+
+ for (rule = pvt->rules; rule != NULL; rule = rule->next) {
+ struct irs_sv *sv = rule->inst->sv;
+
+ if (sv->res_set)
+ (*sv->res_set)(sv, pvt->res, NULL);
+ }
+}
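Review bot: sv_close releases `pvt` without releasing the resolver state it may own. sv_res_get mallocs a `struct __res_state` and records `free` in `pvt->free_res`, and nothing visible in this file frees that block once `pvt` is gone. pr_close in gen_pr.c and pw_close in gen_pw.c have the same shape. sv_res_set already shows the release sequence, so sv_close could call `res_nclose(pvt->res)` and then `(*pvt->free_res)(pvt->res)` under `if (pvt->res && pvt->free_res)` before the two memput calls. The underlying accessors were handed the same pointer with a NULL free function, and this hunk does not show whether they are always closed first, so that should be confirmed before freeing here.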
diff --git a/contrib/bind9/lib/bind/irs/getaddrinfo.c b/contrib/bind9/lib/bind/irs/getaddrinfo.c
new file mode 100644
index 0000000..e08cf78
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getaddrinfo.c
@@ -0,0 +1,1227 @@
+/* $KAME: getaddrinfo.c,v 1.14 2001/01/06 09:41:15 jinmei Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Issues to be discussed:
+ * - Thread safe-ness must be checked.
+ * - Return values. There are nonstandard return values defined and used
+ * in the source code. This is because RFC2553 is silent about which error
+ * code must be returned for which situation.
+ * - IPv4 classful (shortened) form. RFC2553 is silent about it. XNET 5.2
+ * says to use inet_aton() to convert IPv4 numeric to binary (allows
+ * classful form as a result).
+ * current code - disallow classful form for IPv4 (due to use of inet_pton).
+ * - freeaddrinfo(NULL). RFC2553 is silent about it. XNET 5.2 says it is
+ * invalid.
+ * current code - SEGV on freeaddrinfo(NULL)
+ * Note:
+ * - We use getipnodebyname() just for thread-safeness. There's no intent
+ * to let it do PF_UNSPEC (actually we never pass PF_UNSPEC to
+ * getipnodebyname().
+ * - The code filters out AFs that are not supported by the kernel,
+ * when globbing NULL hostname (to loopback, or wildcard). Is it the right
+ * thing to do? What is the relationship with post-RFC2553 AI_ADDRCONFIG
+ * in ai_flags?
+ * - (post-2553) semantics of AI_ADDRCONFIG itself is too vague.
+ * (1) what should we do against numeric hostname (2) what should we do
+ * against NULL hostname (3) what is AI_ADDRCONFIG itself. AF not ready?
+ * non-loopback address configured? global address configured?
+ * - To avoid search order issue, we have a big amount of code duplicate
+ * from gethnamaddr.c and some other places. The issues that there's no
+ * lower layer function to lookup "IPv4 or IPv6" record. Calling
+ * gethostbyname2 from getaddrinfo will end up in wrong search order, as
+ * follows:
+ * - The code makes use of following calls when asked to resolver with
+ * ai_family = PF_UNSPEC:
+ * getipnodebyname(host, AF_INET6);
+ * getipnodebyname(host, AF_INET);
+ * This will result in the following queries if the node is configure to
+ * prefer /etc/hosts than DNS:
+ * lookup /etc/hosts for IPv6 address
+ * lookup DNS for IPv6 address
+ * lookup /etc/hosts for IPv4 address
+ * lookup DNS for IPv4 address
+ * which may not meet people's requirement.
+ * The right thing to happen is to have underlying layer which does
+ * PF_UNSPEC lookup (lookup both) and return chain of addrinfos.
+ * This would result in a bit of code duplicate with _dns_ghbyname() and
+ * friends.
+ */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <net/if.h>
+#include <netinet/in.h>
+
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <netdb.h>
+#include <resolv.h>
+#include <string.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <errno.h>
+
+#include <stdarg.h>
+
+#include <irs.h>
+#include <isc/assertions.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+#define SUCCESS 0
+#define ANY 0
+#define YES 1
+#define NO 0
+
+static const char in_addrany[] = { 0, 0, 0, 0 };
+static const char in6_addrany[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+static const char in_loopback[] = { 127, 0, 0, 1 };
+static const char in6_loopback[] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
+};
+
+static const struct afd {
+ int a_af;
+ int a_addrlen;
+ int a_socklen;
+ int a_off;
+ const char *a_addrany;
+ const char *a_loopback;
+ int a_scoped;
+} afdl [] = {
+ {PF_INET6, sizeof(struct in6_addr),
+ sizeof(struct sockaddr_in6),
+ offsetof(struct sockaddr_in6, sin6_addr),
+ in6_addrany, in6_loopback, 1},
+ {PF_INET, sizeof(struct in_addr),
+ sizeof(struct sockaddr_in),
+ offsetof(struct sockaddr_in, sin_addr),
+ in_addrany, in_loopback, 0},
+ {0, 0, 0, 0, NULL, NULL, 0},
+};
+
+struct explore {
+ int e_af;
+ int e_socktype;
+ int e_protocol;
+ const char *e_protostr;
+ int e_wild;
+#define WILD_AF(ex) ((ex)->e_wild & 0x01)
+#define WILD_SOCKTYPE(ex) ((ex)->e_wild & 0x02)
+#define WILD_PROTOCOL(ex) ((ex)->e_wild & 0x04)
+};
+
+static const struct explore explore[] = {
+#if 0
+ { PF_LOCAL, 0, ANY, ANY, NULL, 0x01 },
+#endif
+ { PF_INET6, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 },
+ { PF_INET6, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 },
+ { PF_INET6, SOCK_RAW, ANY, NULL, 0x05 },
+ { PF_INET, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 },
+ { PF_INET, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 },
+ { PF_INET, SOCK_RAW, ANY, NULL, 0x05 },
+ { -1, 0, 0, NULL, 0 },
+};
+
+#define PTON_MAX 16
+
+static int str_isnumber __P((const char *));
+static int explore_fqdn __P((const struct addrinfo *, const char *,
+ const char *, struct addrinfo **));
+static int explore_copy __P((const struct addrinfo *, const struct addrinfo *,
+ struct addrinfo **));
+static int explore_null __P((const struct addrinfo *,
+ const char *, struct addrinfo **));
+static int explore_numeric __P((const struct addrinfo *, const char *,
+ const char *, struct addrinfo **));
+static int explore_numeric_scope __P((const struct addrinfo *, const char *,
+ const char *, struct addrinfo **));
+static int get_canonname __P((const struct addrinfo *,
+ struct addrinfo *, const char *));
+static struct addrinfo *get_ai __P((const struct addrinfo *,
+ const struct afd *, const char *));
+static struct addrinfo *copy_ai __P((const struct addrinfo *));
+static int get_portmatch __P((const struct addrinfo *, const char *));
+static int get_port __P((const struct addrinfo *, const char *, int));
+static const struct afd *find_afd __P((int));
+static int addrconfig __P((int));
+static int ip6_str2scopeid __P((char *, struct sockaddr_in6 *,
+ u_int32_t *scopeidp));
+static struct net_data *init __P((void));
+
+struct addrinfo *hostent2addrinfo __P((struct hostent *,
+ const struct addrinfo *));
+struct addrinfo *addr2addrinfo __P((const struct addrinfo *,
+ const char *));
+
+#if 0
+static const char *ai_errlist[] = {
+ "Success",
+ "Address family for hostname not supported", /* EAI_ADDRFAMILY */
+ "Temporary failure in name resolution", /* EAI_AGAIN */
+ "Invalid value for ai_flags", /* EAI_BADFLAGS */
+ "Non-recoverable failure in name resolution", /* EAI_FAIL */
+ "ai_family not supported", /* EAI_FAMILY */
+ "Memory allocation failure", /* EAI_MEMORY */
+ "No address associated with hostname", /* EAI_NODATA */
+ "hostname nor servname provided, or not known", /* EAI_NONAME */
+ "servname not supported for ai_socktype", /* EAI_SERVICE */
+ "ai_socktype not supported", /* EAI_SOCKTYPE */
+ "System error returned in errno", /* EAI_SYSTEM */
+ "Invalid value for hints", /* EAI_BADHINTS */
+ "Resolved protocol is unknown", /* EAI_PROTOCOL */
+ "Unknown error", /* EAI_MAX */
+};
+#endif
+
+/* XXX macros that make external reference is BAD. */
+
+#define GET_AI(ai, afd, addr) \
+do { \
+ /* external reference: pai, error, and label free */ \
+ (ai) = get_ai(pai, (afd), (addr)); \
+ if ((ai) == NULL) { \
+ error = EAI_MEMORY; \
+ goto free; \
+ } \
+} while (/*CONSTCOND*/0)
+
+#define GET_PORT(ai, serv) \
+do { \
+ /* external reference: error and label free */ \
+ error = get_port((ai), (serv), 0); \
+ if (error != 0) \
+ goto free; \
+} while (/*CONSTCOND*/0)
+
+#define GET_CANONNAME(ai, str) \
+do { \
+ /* external reference: pai, error and label free */ \
+ error = get_canonname(pai, (ai), (str)); \
+ if (error != 0) \
+ goto free; \
+} while (/*CONSTCOND*/0)
+
+#define ERR(err) \
+do { \
+ /* external reference: error, and label bad */ \
+ error = (err); \
+ goto bad; \
+ /*NOTREACHED*/ \
+} while (/*CONSTCOND*/0)
+
+#define MATCH_FAMILY(x, y, w) \
+ ((x) == (y) || (/*CONSTCOND*/(w) && ((x) == PF_UNSPEC || (y) == PF_UNSPEC)))
+#define MATCH(x, y, w) \
+ ((x) == (y) || (/*CONSTCOND*/(w) && ((x) == ANY || (y) == ANY)))
+
+#if 0 /* bind8 has its own version */
+char *
+gai_strerror(ecode)
+ int ecode;
+{
+ if (ecode < 0 || ecode > EAI_MAX)
+ ecode = EAI_MAX;
+ return ai_errlist[ecode];
+}
+#endif
+
+void
+freeaddrinfo(ai)
+ struct addrinfo *ai;
+{
+ struct addrinfo *next;
+
+ do {
+ next = ai->ai_next;
+ if (ai->ai_canonname)
+ free(ai->ai_canonname);
+ /* no need to free(ai->ai_addr) */
+ free(ai);
+ ai = next;
+ } while (ai);
+}
+
+static int
+str_isnumber(p)
+ const char *p;
+{
+ char *ep;
+
+ if (*p == '\0')
+ return NO;
+ ep = NULL;
+ errno = 0;
+ (void)strtoul(p, &ep, 10);
+ if (errno == 0 && ep && *ep == '\0')
+ return YES;
+ else
+ return NO;
+}
+
+int
+getaddrinfo(hostname, servname, hints, res)
+ const char *hostname, *servname;
+ const struct addrinfo *hints;
+ struct addrinfo **res;
+{
+ struct addrinfo sentinel;
+ struct addrinfo *cur;
+ int error = 0;
+ struct addrinfo ai, ai0, *afai = NULL;
+ struct addrinfo *pai;
+ const struct explore *ex;
+
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+ pai = &ai;
+ pai->ai_flags = 0;
+ pai->ai_family = PF_UNSPEC;
+ pai->ai_socktype = ANY;
+ pai->ai_protocol = ANY;
+ pai->ai_addrlen = 0;
+ pai->ai_canonname = NULL;
+ pai->ai_addr = NULL;
+ pai->ai_next = NULL;
+
+ if (hostname == NULL && servname == NULL)
+ return EAI_NONAME;
+ if (hints) {
+ /* error check for hints */
+ if (hints->ai_addrlen || hints->ai_canonname ||
+ hints->ai_addr || hints->ai_next)
+ ERR(EAI_BADHINTS); /* xxx */
+ if (hints->ai_flags & ~AI_MASK)
+ ERR(EAI_BADFLAGS);
+ switch (hints->ai_family) {
+ case PF_UNSPEC:
+ case PF_INET:
+ case PF_INET6:
+ break;
+ default:
+ ERR(EAI_FAMILY);
+ }
+ memcpy(pai, hints, sizeof(*pai));
+
+ /*
+ * if both socktype/protocol are specified, check if they
+ * are meaningful combination.
+ */
+ if (pai->ai_socktype != ANY && pai->ai_protocol != ANY) {
+ for (ex = explore; ex->e_af >= 0; ex++) {
+ if (pai->ai_family != ex->e_af)
+ continue;
+ if (ex->e_socktype == ANY)
+ continue;
+ if (ex->e_protocol == ANY)
+ continue;
+ if (pai->ai_socktype == ex->e_socktype &&
+ pai->ai_protocol != ex->e_protocol) {
+ ERR(EAI_BADHINTS);
+ }
+ }
+ }
+ }
+
+ /*
+ * post-2553: AI_ALL and AI_V4MAPPED are effective only against
+ * AF_INET6 query. They needs to be ignored if specified in other
+ * occassions.
+ */
+ switch (pai->ai_flags & (AI_ALL | AI_V4MAPPED)) {
+ case AI_V4MAPPED:
+ case AI_ALL | AI_V4MAPPED:
+ if (pai->ai_family != AF_INET6)
+ pai->ai_flags &= ~(AI_ALL | AI_V4MAPPED);
+ break;
+ case AI_ALL:
+#if 1
+ /* illegal */
+ ERR(EAI_BADFLAGS);
+#else
+ pai->ai_flags &= ~(AI_ALL | AI_V4MAPPED);
+ break;
+#endif
+ }
+
+ /*
+ * check for special cases. (1) numeric servname is disallowed if
+ * socktype/protocol are left unspecified. (2) servname is disallowed
+ * for raw and other inet{,6} sockets.
+ */
+ if (MATCH_FAMILY(pai->ai_family, PF_INET, 1)
+#ifdef PF_INET6
+ || MATCH_FAMILY(pai->ai_family, PF_INET6, 1)
+#endif
+ ) {
+ ai0 = *pai; /* backup *pai */
+
+ if (pai->ai_family == PF_UNSPEC) {
+#ifdef PF_INET6
+ pai->ai_family = PF_INET6;
+#else
+ pai->ai_family = PF_INET;
+#endif
+ }
+ error = get_portmatch(pai, servname);
+ if (error)
+ ERR(error);
+
+ *pai = ai0;
+ }
+
+ ai0 = *pai;
+
+ /* NULL hostname, or numeric hostname */
+ for (ex = explore; ex->e_af >= 0; ex++) {
+ *pai = ai0;
+
+ if (!MATCH_FAMILY(pai->ai_family, ex->e_af, WILD_AF(ex)))
+ continue;
+ if (!MATCH(pai->ai_socktype, ex->e_socktype, WILD_SOCKTYPE(ex)))
+ continue;
+ if (!MATCH(pai->ai_protocol, ex->e_protocol, WILD_PROTOCOL(ex)))
+ continue;
+
+ if (pai->ai_family == PF_UNSPEC)
+ pai->ai_family = ex->e_af;
+ if (pai->ai_socktype == ANY && ex->e_socktype != ANY)
+ pai->ai_socktype = ex->e_socktype;
+ if (pai->ai_protocol == ANY && ex->e_protocol != ANY)
+ pai->ai_protocol = ex->e_protocol;
+
+ /*
+ * if the servname does not match socktype/protocol, ignore it.
+ */
+ if (get_portmatch(pai, servname) != 0)
+ continue;
+
+ if (hostname == NULL) {
+ /*
+ * filter out AFs that are not supported by the kernel
+ * XXX errno?
+ */
+ if (!addrconfig(pai->ai_family))
+ continue;
+ error = explore_null(pai, servname, &cur->ai_next);
+ } else
+ error = explore_numeric_scope(pai, hostname, servname,
+ &cur->ai_next);
+
+ if (error)
+ goto free;
+
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ }
+
+ /*
+ * XXX
+ * If numreic representation of AF1 can be interpreted as FQDN
+ * representation of AF2, we need to think again about the code below.
+ */
+ if (sentinel.ai_next)
+ goto good;
+
+ if (pai->ai_flags & AI_NUMERICHOST)
+ ERR(EAI_NONAME);
+ if (hostname == NULL)
+ ERR(EAI_NONAME);
+
+ /*
+ * hostname as alphabetical name.
+ * We'll make sure that
+ * - if returning addrinfo list is empty, return non-zero error
+ * value (already known one or EAI_NONAME).
+ * - otherwise,
+ * + if we haven't had any errors, return 0 (i.e. success).
+ * + if we've had an error, free the list and return the error.
+ * without any assumption on the behavior of explore_fqdn().
+ */
+
+ /* first, try to query DNS for all possible address families. */
+ *pai = ai0;
+ error = explore_fqdn(pai, hostname, servname, &afai);
+ if (error) {
+ if (afai != NULL)
+ freeaddrinfo(afai);
+ goto free;
+ }
+ if (afai == NULL) {
+ error = EAI_NONAME; /* we've had no errors. */
+ goto free;
+ }
+
+ /*
+ * we would like to prefer AF_INET6 than AF_INET, so we'll make an
+ * outer loop by AFs.
+ */
+ for (ex = explore; ex->e_af >= 0; ex++) {
+ *pai = ai0;
+
+ if (pai->ai_family == PF_UNSPEC)
+ pai->ai_family = ex->e_af;
+
+ if (!MATCH_FAMILY(pai->ai_family, ex->e_af, WILD_AF(ex)))
+ continue;
+ if (!MATCH(pai->ai_socktype, ex->e_socktype,
+ WILD_SOCKTYPE(ex))) {
+ continue;
+ }
+ if (!MATCH(pai->ai_protocol, ex->e_protocol,
+ WILD_PROTOCOL(ex))) {
+ continue;
+ }
+
+#ifdef AI_ADDRCONFIG
+ /*
+ * If AI_ADDRCONFIG is specified, check if we are
+ * expected to return the address family or not.
+ */
+ if ((pai->ai_flags & AI_ADDRCONFIG) != 0 &&
+ !addrconfig(pai->ai_family))
+ continue;
+#endif
+
+ if (pai->ai_family == PF_UNSPEC)
+ pai->ai_family = ex->e_af;
+ if (pai->ai_socktype == ANY && ex->e_socktype != ANY)
+ pai->ai_socktype = ex->e_socktype;
+ if (pai->ai_protocol == ANY && ex->e_protocol != ANY)
+ pai->ai_protocol = ex->e_protocol;
+
+ /*
+ * if the servname does not match socktype/protocol, ignore it.
+ */
+ if (get_portmatch(pai, servname) != 0)
+ continue;
+
+ if ((error = explore_copy(pai, afai, &cur->ai_next)) != 0) {
+ freeaddrinfo(afai);
+ goto free;
+ }
+
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ }
+
+ freeaddrinfo(afai); /* afai must not be NULL at this point. */
+
+ /* we must not have got any errors. */
+ if (error != 0) /* just for diagnosis */
+ abort();
+
+ if (sentinel.ai_next) {
+good:
+ *res = sentinel.ai_next;
+ return(SUCCESS);
+ } else {
+ /*
+ * All the process succeeded, but we've had an empty list.
+ * This can happen if the given hints do not match our
+ * candidates.
+ */
+ error = EAI_NONAME;
+ }
+
+free:
+bad:
+ if (sentinel.ai_next)
+ freeaddrinfo(sentinel.ai_next);
+ *res = NULL;
+ return(error);
+}
+
+/*
+ * FQDN hostname, DNS lookup
+ */
+static int
+explore_fqdn(pai, hostname, servname, res)
+ const struct addrinfo *pai;
+ const char *hostname;
+ const char *servname;
+ struct addrinfo **res;
+{
+ struct addrinfo *result;
+ struct addrinfo *cur;
+ struct net_data *net_data = init();
+ struct irs_ho *ho;
+ int error = 0;
+ char tmp[NS_MAXDNAME];
+ const char *cp;
+
+ INSIST(res != NULL && *res == NULL);
+
+ /*
+ * if the servname does not match socktype/protocol, ignore it.
+ */
+ if (get_portmatch(pai, servname) != 0)
+ return(0);
+
+ if (!net_data || !(ho = net_data->ho))
+ return(0);
+#if 0 /* XXX (notyet) */
+ if (net_data->ho_stayopen && net_data->ho_last &&
+ net_data->ho_last->h_addrtype == af) {
+ if (ns_samename(name, net_data->ho_last->h_name) == 1)
+ return (net_data->ho_last);
+ for (hap = net_data->ho_last->h_aliases; hap && *hap; hap++)
+ if (ns_samename(name, *hap) == 1)
+ return (net_data->ho_last);
+ }
+#endif
+ if (!strchr(hostname, '.') &&
+ (cp = res_hostalias(net_data->res, hostname,
+ tmp, sizeof(tmp))))
+ hostname = cp;
+ result = (*ho->addrinfo)(ho, hostname, pai);
+ if (!net_data->ho_stayopen) {
+ (*ho->minimize)(ho);
+ }
+ if (result == NULL) {
+ int e = h_errno;
+
+ switch(e) {
+ case NETDB_INTERNAL:
+ error = EAI_SYSTEM;
+ break;
+ case TRY_AGAIN:
+ error = EAI_AGAIN;
+ break;
+ case NO_RECOVERY:
+ error = EAI_FAIL;
+ break;
+ case HOST_NOT_FOUND:
+ case NO_DATA:
+ error = EAI_NONAME;
+ break;
+ default:
+ case NETDB_SUCCESS: /* should be impossible... */
+ error = EAI_NONAME;
+ break;
+ }
+ goto free;
+ }
+
+ for (cur = result; cur; cur = cur->ai_next) {
+ GET_PORT(cur, servname); /* XXX: redundant lookups... */
+ /* canonname should already be filled. */
+ }
+
+ *res = result;
+
+ return(0);
+
+free:
+ if (result)
+ freeaddrinfo(result);
+ return error;
+}
+
+static int
+explore_copy(pai, src0, res)
+ const struct addrinfo *pai; /* seed */
+ const struct addrinfo *src0; /* source */
+ struct addrinfo **res;
+{
+ int error;
+ struct addrinfo sentinel, *cur;
+ const struct addrinfo *src;
+
+ error = 0;
+ sentinel.ai_next = NULL;
+ cur = &sentinel;
+
+ for (src = src0; src != NULL; src = src->ai_next) {
+ if (src->ai_family != pai->ai_family)
+ continue;
+
+ cur->ai_next = copy_ai(src);
+ if (!cur->ai_next) {
+ error = EAI_MEMORY;
+ goto fail;
+ }
+
+ cur->ai_next->ai_socktype = pai->ai_socktype;
+ cur->ai_next->ai_protocol = pai->ai_protocol;
+ cur = cur->ai_next;
+ }
+
+ *res = sentinel.ai_next;
+ return 0;
+
+fail:
+ freeaddrinfo(sentinel.ai_next);
+ return error;
+}
+
+/*
+ * hostname == NULL.
+ * passive socket -> anyaddr (0.0.0.0 or ::)
+ * non-passive socket -> localhost (127.0.0.1 or ::1)
+ */
+static int
+explore_null(pai, servname, res)
+ const struct addrinfo *pai;
+ const char *servname;
+ struct addrinfo **res;
+{
+ const struct afd *afd;
+ struct addrinfo *cur;
+ struct addrinfo sentinel;
+ int error;
+
+ *res = NULL;
+ sentinel.ai_next = NULL;
+ cur = &sentinel;
+
+ afd = find_afd(pai->ai_family);
+ if (afd == NULL)
+ return 0;
+
+ if (pai->ai_flags & AI_PASSIVE) {
+ GET_AI(cur->ai_next, afd, afd->a_addrany);
+ /* xxx meaningless?
+ * GET_CANONNAME(cur->ai_next, "anyaddr");
+ */
+ GET_PORT(cur->ai_next, servname);
+ } else {
+ GET_AI(cur->ai_next, afd, afd->a_loopback);
+ /* xxx meaningless?
+ * GET_CANONNAME(cur->ai_next, "localhost");
+ */
+ GET_PORT(cur->ai_next, servname);
+ }
+ cur = cur->ai_next;
+
+ *res = sentinel.ai_next;
+ return 0;
+
+free:
+ if (sentinel.ai_next)
+ freeaddrinfo(sentinel.ai_next);
+ return error;
+}
+
+/*
+ * numeric hostname
+ */
+static int
+explore_numeric(pai, hostname, servname, res)
+ const struct addrinfo *pai;
+ const char *hostname;
+ const char *servname;
+ struct addrinfo **res;
+{
+ const struct afd *afd;
+ struct addrinfo *cur;
+ struct addrinfo sentinel;
+ int error;
+ char pton[PTON_MAX];
+
+ *res = NULL;
+ sentinel.ai_next = NULL;
+ cur = &sentinel;
+
+ afd = find_afd(pai->ai_family);
+ if (afd == NULL)
+ return 0;
+
+ switch (afd->a_af) {
+#if 0 /*X/Open spec*/
+ case AF_INET:
+ if (inet_aton(hostname, (struct in_addr *)pton) == 1) {
+ if (pai->ai_family == afd->a_af ||
+ pai->ai_family == PF_UNSPEC /*?*/) {
+ GET_AI(cur->ai_next, afd, pton);
+ GET_PORT(cur->ai_next, servname);
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ } else
+ ERR(EAI_FAMILY); /*xxx*/
+ }
+ break;
+#endif
+ default:
+ if (inet_pton(afd->a_af, hostname, pton) == 1) {
+ if (pai->ai_family == afd->a_af ||
+ pai->ai_family == PF_UNSPEC /*?*/) {
+ GET_AI(cur->ai_next, afd, pton);
+ GET_PORT(cur->ai_next, servname);
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ } else
+ ERR(EAI_FAMILY); /*xxx*/
+ }
+ break;
+ }
+
+ *res = sentinel.ai_next;
+ return 0;
+
+free:
+bad:
+ if (sentinel.ai_next)
+ freeaddrinfo(sentinel.ai_next);
+ return error;
+}
+
+/*
+ * numeric hostname with scope
+ */
+static int
+explore_numeric_scope(pai, hostname, servname, res)
+ const struct addrinfo *pai;
+ const char *hostname;
+ const char *servname;
+ struct addrinfo **res;
+{
+#ifndef SCOPE_DELIMITER
+ return explore_numeric(pai, hostname, servname, res);
+#else
+ const struct afd *afd;
+ struct addrinfo *cur;
+ int error;
+ char *cp, *hostname2 = NULL, *scope, *addr;
+ struct sockaddr_in6 *sin6;
+
+ afd = find_afd(pai->ai_family);
+ if (afd == NULL)
+ return 0;
+
+ if (!afd->a_scoped)
+ return explore_numeric(pai, hostname, servname, res);
+
+ cp = strchr(hostname, SCOPE_DELIMITER);
+ if (cp == NULL)
+ return explore_numeric(pai, hostname, servname, res);
+
+ /*
+ * Handle special case of <scoped_address><delimiter><scope id>
+ */
+ hostname2 = strdup(hostname);
+ if (hostname2 == NULL)
+ return EAI_MEMORY;
+ /* terminate at the delimiter */
+ hostname2[cp - hostname] = '\0';
+ addr = hostname2;
+ scope = cp + 1;
+
+ error = explore_numeric(pai, addr, servname, res);
+ if (error == 0) {
+ u_int32_t scopeid = 0;
+
+ for (cur = *res; cur; cur = cur->ai_next) {
+ if (cur->ai_family != AF_INET6)
+ continue;
+ sin6 = (struct sockaddr_in6 *)(void *)cur->ai_addr;
+ if (!ip6_str2scopeid(scope, sin6, &scopeid)) {
+ free(hostname2);
+ return(EAI_NONAME); /* XXX: is return OK? */
+ }
+#ifdef HAVE_SIN6_SCOPE_ID
+ sin6->sin6_scope_id = scopeid;
+#endif
+ }
+ }
+
+ free(hostname2);
+
+ return error;
+#endif
+}
+
+static int
+get_canonname(pai, ai, str)
+ const struct addrinfo *pai;
+ struct addrinfo *ai;
+ const char *str;
+{
+ if ((pai->ai_flags & AI_CANONNAME) != 0) {
+ ai->ai_canonname = (char *)malloc(strlen(str) + 1);
+ if (ai->ai_canonname == NULL)
+ return EAI_MEMORY;
+ strcpy(ai->ai_canonname, str);
+ }
+ return 0;
+}
+
+static struct addrinfo *
+get_ai(pai, afd, addr)
+ const struct addrinfo *pai;
+ const struct afd *afd;
+ const char *addr;
+{
+ char *p;
+ struct addrinfo *ai;
+
+ ai = (struct addrinfo *)malloc(sizeof(struct addrinfo)
+ + (afd->a_socklen));
+ if (ai == NULL)
+ return NULL;
+
+ memcpy(ai, pai, sizeof(struct addrinfo));
+ ai->ai_addr = (struct sockaddr *)(void *)(ai + 1);
+ memset(ai->ai_addr, 0, (size_t)afd->a_socklen);
+#ifdef HAVE_SA_LEN
+ ai->ai_addr->sa_len = afd->a_socklen;
+#endif
+ ai->ai_addrlen = afd->a_socklen;
+ ai->ai_addr->sa_family = ai->ai_family = afd->a_af;
+ p = (char *)(void *)(ai->ai_addr);
+ memcpy(p + afd->a_off, addr, (size_t)afd->a_addrlen);
+ return ai;
+}
+
+/* XXX need to malloc() the same way we do from other functions! */
+static struct addrinfo *
+copy_ai(pai)
+ const struct addrinfo *pai;
+{
+ struct addrinfo *ai;
+ size_t l;
+
+ l = sizeof(*ai) + pai->ai_addrlen;
+ if ((ai = (struct addrinfo *)malloc(l)) == NULL)
+ return NULL;
+ memset(ai, 0, l);
+ memcpy(ai, pai, sizeof(*ai));
+ ai->ai_addr = (struct sockaddr *)(void *)(ai + 1);
+ memcpy(ai->ai_addr, pai->ai_addr, pai->ai_addrlen);
+
+ if (pai->ai_canonname) {
+ l = strlen(pai->ai_canonname) + 1;
+ if ((ai->ai_canonname = malloc(l)) == NULL) {
+ free(ai);
+ return NULL;
+ }
+ strcpy(ai->ai_canonname, pai->ai_canonname); /* (checked) */
+ } else {
+ /* just to make sure */
+ ai->ai_canonname = NULL;
+ }
+
+ ai->ai_next = NULL;
+
+ return ai;
+}
+
+static int
+get_portmatch(const struct addrinfo *ai, const char *servname) {
+
+ /* get_port does not touch first argument. when matchonly == 1. */
+ /* LINTED const cast */
+ return get_port((const struct addrinfo *)ai, servname, 1);
+}
+
+static int
+get_port(const struct addrinfo *ai, const char *servname, int matchonly) {
+ const char *proto;
+ struct servent *sp;
+ int port;
+ int allownumeric;
+
+ if (servname == NULL)
+ return 0;
+ switch (ai->ai_family) {
+ case AF_INET:
+#ifdef AF_INET6
+ case AF_INET6:
+#endif
+ break;
+ default:
+ return 0;
+ }
+
+ switch (ai->ai_socktype) {
+ case SOCK_RAW:
+ return EAI_SERVICE;
+ case SOCK_DGRAM:
+ case SOCK_STREAM:
+ allownumeric = 1;
+ break;
+ case ANY:
+ switch (ai->ai_family) {
+ case AF_INET:
+#ifdef AF_INET6
+ case AF_INET6:
+#endif
+ allownumeric = 1;
+ break;
+ default:
+ allownumeric = 0;
+ break;
+ }
+ break;
+ default:
+ return EAI_SOCKTYPE;
+ }
+
+ if (str_isnumber(servname)) {
+ if (!allownumeric)
+ return EAI_SERVICE;
+ port = atoi(servname);
+ if (port < 0 || port > 65535)
+ return EAI_SERVICE;
+ port = htons(port);
+ } else {
+ switch (ai->ai_socktype) {
+ case SOCK_DGRAM:
+ proto = "udp";
+ break;
+ case SOCK_STREAM:
+ proto = "tcp";
+ break;
+ default:
+ proto = NULL;
+ break;
+ }
+
+ if ((sp = getservbyname(servname, proto)) == NULL)
+ return EAI_SERVICE;
+ port = sp->s_port;
+ }
+
+ if (!matchonly) {
+ switch (ai->ai_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)(void *)
+ ai->ai_addr)->sin_port = port;
+ break;
+ case AF_INET6:
+ ((struct sockaddr_in6 *)(void *)
+ ai->ai_addr)->sin6_port = port;
+ break;
+ }
+ }
+
+ return 0;
+}
+
+static const struct afd *
+find_afd(af)
+ int af;
+{
+ const struct afd *afd;
+
+ if (af == PF_UNSPEC)
+ return NULL;
+ for (afd = afdl; afd->a_af; afd++) {
+ if (afd->a_af == af)
+ return afd;
+ }
+ return NULL;
+}
+
+/*
+ * post-2553: AI_ADDRCONFIG check. if we use getipnodeby* as backend, backend
+ * will take care of it.
+ * the semantics of AI_ADDRCONFIG is not defined well. we are not sure
+ * if the code is right or not.
+ */
+static int
+addrconfig(af)
+ int af;
+{
+ int s;
+
+ /* XXX errno */
+ s = socket(af, SOCK_DGRAM, 0);
+ if (s < 0) {
+ if (errno != EMFILE)
+ return 0;
+ } else
+ close(s);
+ return 1;
+}
+
+/* convert a string to a scope identifier. XXX: IPv6 specific */
+static int
+ip6_str2scopeid(char *scope, struct sockaddr_in6 *sin6,
+ u_int32_t *scopeidp)
+{
+ u_int32_t scopeid;
+ u_long lscopeid;
+ struct in6_addr *a6 = &sin6->sin6_addr;
+ char *ep;
+
+ /* empty scopeid portion is invalid */
+ if (*scope == '\0')
+ return (0);
+
+#ifdef USE_IFNAMELINKID
+ if (IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_MC_LINKLOCAL(a6) ||
+ IN6_IS_ADDR_MC_NODELOCAL(a6)) {
+ /*
+ * Using interface names as link indices can be allowed
+ * only when we can assume a one-to-one mappings between
+ * links and interfaces. See comments in getnameinfo.c.
+ */
+ scopeid = if_nametoindex(scope);
+ if (scopeid == 0)
+ goto trynumeric;
+ *scopeidp = scopeid;
+ return (1);
+ }
+#endif
+
+ /* still unclear about literal, allow numeric only - placeholder */
+ if (IN6_IS_ADDR_SITELOCAL(a6) || IN6_IS_ADDR_MC_SITELOCAL(a6))
+ goto trynumeric;
+ if (IN6_IS_ADDR_MC_ORGLOCAL(a6))
+ goto trynumeric;
+ else
+ goto trynumeric; /* global */
+
+ /* try to convert to a numeric id as a last resort */
+trynumeric:
+ errno = 0;
+ lscopeid = strtoul(scope, &ep, 10);
+ scopeid = lscopeid & 0xffffffff;
+ if (errno == 0 && ep && *ep == '\0' && scopeid == lscopeid) {
+ *scopeidp = scopeid;
+ return (1);
+ } else
+ return (0);
+}
+
+struct addrinfo *
+hostent2addrinfo(hp, pai)
+ struct hostent *hp;
+ const struct addrinfo *pai;
+{
+ int i, af, error = 0;
+ char **aplist = NULL, *ap;
+ struct addrinfo sentinel, *cur;
+ const struct afd *afd;
+
+ af = hp->h_addrtype;
+ if (pai->ai_family != AF_UNSPEC && af != pai->ai_family)
+ return(NULL);
+
+ afd = find_afd(af);
+ if (afd == NULL)
+ return(NULL);
+
+ aplist = hp->h_addr_list;
+
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+
+ for (i = 0; (ap = aplist[i]) != NULL; i++) {
+#if 0 /* the trick seems too much */
+ af = hp->h_addr_list;
+ if (af == AF_INET6 &&
+ IN6_IS_ADDR_V4MAPPED((struct in6_addr *)ap)) {
+ af = AF_INET;
+ ap = ap + sizeof(struct in6_addr)
+ - sizeof(struct in_addr);
+ }
+ afd = find_afd(af);
+ if (afd == NULL)
+ continue;
+#endif /* 0 */
+
+ GET_AI(cur->ai_next, afd, ap);
+
+ /* GET_PORT(cur->ai_next, servname); */
+ if ((pai->ai_flags & AI_CANONNAME) != 0) {
+ /*
+ * RFC2553 says that ai_canonname will be set only for
+ * the first element. we do it for all the elements,
+ * just for convenience.
+ */
+ GET_CANONNAME(cur->ai_next, hp->h_name);
+ }
+ while (cur && cur->ai_next) /* no need to loop, actually. */
+ cur = cur->ai_next;
+ continue;
+
+ free:
+ if (cur->ai_next)
+ freeaddrinfo(cur->ai_next);
+ cur->ai_next = NULL;
+ /* continue, without tht pointer CUR advanced. */
+ }
+
+ return(sentinel.ai_next);
+}
+
+struct addrinfo *
+addr2addrinfo(pai, cp)
+ const struct addrinfo *pai;
+ const char *cp;
+{
+ const struct afd *afd;
+
+ afd = find_afd(pai->ai_family);
+ if (afd == NULL)
+ return(NULL);
+
+ return(get_ai(pai, afd, cp));
+}
+
+static struct net_data *
+init()
+{
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->ho) {
+ net_data->ho = (*net_data->irs->ho_map)(net_data->irs);
+ if (!net_data->ho || !net_data->res) {
+error:
+ errno = EIO;
+ if (net_data && net_data->res)
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+
+ (*net_data->ho->res_set)(net_data->ho, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
diff --git a/contrib/bind9/lib/bind/irs/getgrent.c b/contrib/bind9/lib/bind/irs/getgrent.c
new file mode 100644
index 0000000..7c394f2
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getgrent.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: getgrent.c,v 1.3.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(WANT_IRS_GR) || defined(__BIND_NOSTATIC)
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <grp.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+/* Forward */
+
+static struct net_data *init(void);
+void endgrent(void);
+
+/* Public */
+
+struct group *
+getgrent() {
+ struct net_data *net_data = init();
+
+ return (getgrent_p(net_data));
+}
+
+struct group *
+getgrnam(const char *name) {
+ struct net_data *net_data = init();
+
+ return (getgrnam_p(name, net_data));
+}
+
+struct group *
+getgrgid(gid_t gid) {
+ struct net_data *net_data = init();
+
+ return (getgrgid_p(gid, net_data));
+}
+
+int
+setgroupent(int stayopen) {
+ struct net_data *net_data = init();
+
+ return (setgroupent_p(stayopen, net_data));
+}
+
+#ifdef SETGRENT_VOID
+void
+setgrent(void) {
+ struct net_data *net_data = init();
+
+ setgrent_p(net_data);
+}
+#else
+int
+setgrent(void) {
+ struct net_data *net_data = init();
+
+ return (setgrent_p(net_data));
+}
+#endif /* SETGRENT_VOID */
+
+void
+endgrent() {
+ struct net_data *net_data = init();
+
+ endgrent_p(net_data);
+}
+
+int
+getgrouplist(GETGROUPLIST_ARGS) {
+ struct net_data *net_data = init();
+
+ return (getgrouplist_p(name, basegid, groups, ngroups, net_data));
+}
+
+/* Shared private. */
+
+struct group *
+getgrent_p(struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if (!net_data || !(gr = net_data->gr))
+ return (NULL);
+ net_data->gr_last = (*gr->next)(gr);
+ return (net_data->gr_last);
+}
+
+struct group *
+getgrnam_p(const char *name, struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if (!net_data || !(gr = net_data->gr))
+ return (NULL);
+ if (net_data->gr_stayopen && net_data->gr_last &&
+ !strcmp(net_data->gr_last->gr_name, name))
+ return (net_data->gr_last);
+ net_data->gr_last = (*gr->byname)(gr, name);
+ if (!net_data->gr_stayopen)
+ endgrent();
+ return (net_data->gr_last);
+}
+
+struct group *
+getgrgid_p(gid_t gid, struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if (!net_data || !(gr = net_data->gr))
+ return (NULL);
+ if (net_data->gr_stayopen && net_data->gr_last &&
+ (gid_t)net_data->gr_last->gr_gid == gid)
+ return (net_data->gr_last);
+ net_data->gr_last = (*gr->bygid)(gr, gid);
+ if (!net_data->gr_stayopen)
+ endgrent();
+ return (net_data->gr_last);
+}
+
+int
+setgroupent_p(int stayopen, struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if (!net_data || !(gr = net_data->gr))
+ return (0);
+ (*gr->rewind)(gr);
+ net_data->gr_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+ return (1);
+}
+
+#ifdef SETGRENT_VOID
+void
+setgrent_p(struct net_data *net_data) {
+ (void)setgroupent_p(0, net_data);
+}
+#else
+int
+setgrent_p(struct net_data *net_data) {
+ return (setgroupent_p(0, net_data));
+}
+#endif /* SETGRENT_VOID */
+
+void
+endgrent_p(struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if ((net_data != NULL) && ((gr = net_data->gr) != NULL))
+ (*gr->minimize)(gr);
+}
+
+int
+getgrouplist_p(const char *name, gid_t basegid, gid_t *groups, int *ngroups,
+ struct net_data *net_data) {
+ struct irs_gr *gr;
+
+ if (!net_data || !(gr = net_data->gr)) {
+ *ngroups = 0;
+ return (-1);
+ }
+ return ((*gr->list)(gr, name, basegid, groups, ngroups));
+}
+
+/* Private */
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->gr) {
+ net_data->gr = (*net_data->irs->gr_map)(net_data->irs);
+
+ if (!net_data->gr || !net_data->res) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ (*net_data->gr->res_set)(net_data->gr, net_data->res,
+ NULL);
+ }
+
+ return (net_data);
+}
+
+#endif /* WANT_IRS_GR */
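Review bot: `getgrnam_p` and `getgrgid_p` close the database through the public `endgrent()`, which runs `init()` again and minimizes whatever context that returns, instead of acting on the `net_data` the caller passed in. If a caller ever supplies a context other than the default one, the wrong backend is minimized and the one that served the lookup stays open. Both call sites can stay on the caller's context with `endgrent_p(net_data);`. A short comment on the `gr_last` cache would also help, saying that the returned `struct group *` is stored in `net_data` and is overwritten by the next lookup on that context.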
diff --git a/contrib/bind9/lib/bind/irs/getgrent_r.c b/contrib/bind9/lib/bind/irs/getgrent_r.c
new file mode 100644
index 0000000..1e8b1a6
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getgrent_r.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getgrent_r.c,v 1.5.206.1 2004/03/09 08:33:35 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS) || !defined(WANT_IRS_PW)
+ static int getgrent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#if (defined(POSIX_GETGRNAM_R) || defined(POSIX_GETGRGID_R)) && \
+ defined(_POSIX_PTHREAD_SEMANTICS)
+ /* turn off solaris remapping in <grp.h> */
+#define _UNIX95
+#undef _POSIX_PTHREAD_SEMANTICS
+#include <grp.h>
+#define _POSIX_PTHREAD_SEMANTICS 1
+#else
+#include <grp.h>
+#endif
+#include <sys/param.h>
+#include <port_after.h>
+
+#ifdef GROUP_R_RETURN
+
+static int
+copy_group(struct group *, struct group *, char *buf, int buflen);
+
+/* POSIX 1003.1c */
+#ifdef POSIX_GETGRNAM_R
+int
+__posix_getgrnam_r(const char *name, struct group *gptr,
+ char *buf, int buflen, struct group **result) {
+#else
+int
+getgrnam_r(const char *name, struct group *gptr,
+ char *buf, size_t buflen, struct group **result) {
+#endif
+ struct group *ge = getgrnam(name);
+ int res;
+
+ if (ge == NULL) {
+ *result = NULL;
+ return (0);
+ }
+
+ res = copy_group(ge, gptr, buf, buflen);
+ *result = res ? NULL : gptr;
+ return (res);
+}
+
+#ifdef POSIX_GETGRNAM_R
+struct group *
+getgrnam_r(const char *name, struct group *gptr,
+ char *buf, int buflen) {
+ struct group *ge = getgrnam(name);
+ int res;
+
+ if (ge == NULL)
+ return (NULL);
+ res = copy_group(ge, gptr, buf, buflen);
+ return (res ? NULL : gptr);
+}
+#endif /* POSIX_GETGRNAM_R */
+
+/* POSIX 1003.1c */
+#ifdef POSIX_GETGRGID_R
+int
+__posix_getgrgid_r(gid_t gid, struct group *gptr,
+ char *buf, int buflen, struct group **result) {
+#else /* POSIX_GETGRGID_R */
+int
+getgrgid_r(gid_t gid, struct group *gptr,
+ char *buf, size_t buflen, struct group **result) {
+#endif /* POSIX_GETGRGID_R */
+ struct group *ge = getgrgid(gid);
+ int res;
+
+ if (ge == NULL) {
+ *result = NULL;
+ return (0);
+ }
+
+ res = copy_group(ge, gptr, buf, buflen);
+ *result = res ? NULL : gptr;
+ return (res);
+}
+
+#ifdef POSIX_GETGRGID_R
+struct group *
+getgrgid_r(gid_t gid, struct group *gptr,
+ char *buf, int buflen) {
+ struct group *ge = getgrgid(gid);
+ int res;
+
+ if (ge == NULL)
+ return (NULL);
+
+ res = copy_group(ge, gptr, buf, buflen);
+ return (res ? NULL : gptr);
+}
+#endif
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+GROUP_R_RETURN
+getgrent_r(struct group *gptr, GROUP_R_ARGS) {
+ struct group *ge = getgrent();
+ int res;
+
+ if (ge == NULL) {
+ return (GROUP_R_BAD);
+ }
+
+ res = copy_group(ge, gptr, buf, buflen);
+ return (res ? GROUP_R_BAD : GROUP_R_OK);
+}
+
+GROUP_R_SET_RETURN
+setgrent_r(GROUP_R_ENT_ARGS) {
+
+ setgrent();
+#ifdef GROUP_R_SET_RESULT
+ return (GROUP_R_SET_RESULT);
+#endif
+}
+
+GROUP_R_END_RETURN
+endgrent_r(GROUP_R_ENT_ARGS) {
+
+ endgrent();
+ GROUP_R_END_RESULT(GROUP_R_OK);
+}
+
+
+#if 0
+ /* XXX irs does not have a fgetgrent() */
+GROUP_R_RETURN
+fgetgrent_r(FILE *f, struct group *gptr, GROUP_R_ARGS) {
+ struct group *ge = fgetgrent(f);
+ int res;
+
+ if (ge == NULL)
+ return (GROUP_R_BAD);
+
+ res = copy_group(ge, gptr, buf, buflen);
+ return (res ? GROUP_R_BAD : GROUP_R_OK);
+}
+#endif
+
+/* Private */
+
+static int
+copy_group(struct group *ge, struct group *gptr, char *buf, int buflen) {
+ char *cp;
+ int i, n;
+ int numptr, len;
+
+ /* Find out the amount of space required to store the answer. */
+ numptr = 1; /* NULL ptr */
+ len = (char *)ALIGN(buf) - buf;
+ for (i = 0; ge->gr_mem[i]; i++, numptr++) {
+ len += strlen(ge->gr_mem[i]) + 1;
+ }
+ len += strlen(ge->gr_name) + 1;
+ len += strlen(ge->gr_passwd) + 1;
+ len += numptr * sizeof(char*);
+
+ if (len > buflen) {
+ errno = ERANGE;
+ return (ERANGE);
+ }
+
+ /* copy group id */
+ gptr->gr_gid = ge->gr_gid;
+
+ cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
+
+ /* copy official name */
+ n = strlen(ge->gr_name) + 1;
+ strcpy(cp, ge->gr_name);
+ gptr->gr_name = cp;
+ cp += n;
+
+ /* copy member list */
+ gptr->gr_mem = (char **)ALIGN(buf);
+ for (i = 0 ; ge->gr_mem[i]; i++) {
+ n = strlen(ge->gr_mem[i]) + 1;
+ strcpy(cp, ge->gr_mem[i]);
+ gptr->gr_mem[i] = cp;
+ cp += n;
+ }
+ gptr->gr_mem[i] = NULL;
+
+ /* copy password */
+ n = strlen(ge->gr_passwd) + 1;
+ strcpy(cp, ge->gr_passwd);
+ gptr->gr_passwd = cp;
+ cp += n;
+
+ return (0);
+}
+#else /* GROUP_R_RETURN */
+ static int getgrent_r_unknown_system = 0;
+#endif /* GROUP_R_RETURN */
+#endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
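Review bot: `copy_group` does its bounds check in `int` (`int buflen`, `int len`), while the non-POSIX `getgrnam_r` and `getgrgid_r` variants accept `size_t buflen` and pass it straight through, so a large caller value is narrowed before `if (len > buflen)` runs. The check still appears to fail closed with ERANGE when that happens, but the size arithmetic would be easier to trust with `size_t` for both `buflen` and `len`, i.e. `copy_group(struct group *ge, struct group *gptr, char *buf, size_t buflen)`, with the forward declaration changed to match. Separately, the file is compiled only when `WANT_IRS_PW` is defined, although it implements the group functions and getgrent.c is guarded by `WANT_IRS_GR`. If that is not intentional, the guard and its closing `#endif` comment should name `WANT_IRS_GR`.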
diff --git a/contrib/bind9/lib/bind/irs/gethostent.c b/contrib/bind9/lib/bind/irs/gethostent.c
new file mode 100644
index 0000000..b471c52
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gethostent.c
@@ -0,0 +1,1069 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: gethostent.c,v 1.1.2.2.4.2 2004/03/17 01:49:40 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(__BIND_NOSTATIC)
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <net/if.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "irs_data.h"
+
+/* Definitions */
+
+struct pvt {
+ char * aliases[1];
+ char * addrs[2];
+ char addr[NS_IN6ADDRSZ];
+ char name[NS_MAXDNAME + 1];
+ struct hostent host;
+};
+
+/* Forward */
+
+static struct net_data *init(void);
+static void freepvt(struct net_data *);
+static struct hostent *fakeaddr(const char *, int, struct net_data *);
+
+
+/* Public */
+
+struct hostent *
+gethostbyname(const char *name) {
+ struct net_data *net_data = init();
+
+ return (gethostbyname_p(name, net_data));
+}
+
+struct hostent *
+gethostbyname2(const char *name, int af) {
+ struct net_data *net_data = init();
+
+ return (gethostbyname2_p(name, af, net_data));
+}
+
+struct hostent *
+gethostbyaddr(const char *addr, int len, int af) {
+ struct net_data *net_data = init();
+
+ return (gethostbyaddr_p(addr, len, af, net_data));
+}
+
+struct hostent *
+gethostent() {
+ struct net_data *net_data = init();
+
+ return (gethostent_p(net_data));
+}
+
+void
+sethostent(int stayopen) {
+ struct net_data *net_data = init();
+ sethostent_p(stayopen, net_data);
+}
+
+
+void
+endhostent() {
+ struct net_data *net_data = init();
+ endhostent_p(net_data);
+}
+
+/* Shared private. */
+
+struct hostent *
+gethostbyname_p(const char *name, struct net_data *net_data) {
+ struct hostent *hp;
+
+ if (!net_data)
+ return (NULL);
+
+ if (net_data->res->options & RES_USE_INET6) {
+ hp = gethostbyname2_p(name, AF_INET6, net_data);
+ if (hp)
+ return (hp);
+ }
+ return (gethostbyname2_p(name, AF_INET, net_data));
+}
+
+struct hostent *
+gethostbyname2_p(const char *name, int af, struct net_data *net_data) {
+ struct irs_ho *ho;
+ char tmp[NS_MAXDNAME];
+ struct hostent *hp;
+ const char *cp;
+ char **hap;
+
+ if (!net_data || !(ho = net_data->ho))
+ return (NULL);
+ if (net_data->ho_stayopen && net_data->ho_last &&
+ net_data->ho_last->h_addrtype == af) {
+ if (ns_samename(name, net_data->ho_last->h_name) == 1)
+ return (net_data->ho_last);
+ for (hap = net_data->ho_last->h_aliases; hap && *hap; hap++)
+ if (ns_samename(name, *hap) == 1)
+ return (net_data->ho_last);
+ }
+ if (!strchr(name, '.') && (cp = res_hostalias(net_data->res, name,
+ tmp, sizeof tmp)))
+ name = cp;
+ if ((hp = fakeaddr(name, af, net_data)) != NULL)
+ return (hp);
+ net_data->ho_last = (*ho->byname2)(ho, name, af);
+ if (!net_data->ho_stayopen)
+ endhostent();
+ return (net_data->ho_last);
+}
+
+struct hostent *
+gethostbyaddr_p(const char *addr, int len, int af, struct net_data *net_data) {
+ struct irs_ho *ho;
+ char **hap;
+
+ if (!net_data || !(ho = net_data->ho))
+ return (NULL);
+ if (net_data->ho_stayopen && net_data->ho_last &&
+ net_data->ho_last->h_length == len)
+ for (hap = net_data->ho_last->h_addr_list;
+ hap && *hap;
+ hap++)
+ if (!memcmp(addr, *hap, len))
+ return (net_data->ho_last);
+ net_data->ho_last = (*ho->byaddr)(ho, addr, len, af);
+ if (!net_data->ho_stayopen)
+ endhostent();
+ return (net_data->ho_last);
+}
+
+
+struct hostent *
+gethostent_p(struct net_data *net_data) {
+ struct irs_ho *ho;
+ struct hostent *hp;
+
+ if (!net_data || !(ho = net_data->ho))
+ return (NULL);
+ while ((hp = (*ho->next)(ho)) != NULL &&
+ hp->h_addrtype == AF_INET6 &&
+ (net_data->res->options & RES_USE_INET6) == 0U)
+ continue;
+ net_data->ho_last = hp;
+ return (net_data->ho_last);
+}
+
+
+void
+sethostent_p(int stayopen, struct net_data *net_data) {
+ struct irs_ho *ho;
+
+ if (!net_data || !(ho = net_data->ho))
+ return;
+ freepvt(net_data);
+ (*ho->rewind)(ho);
+ net_data->ho_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+}
+
+void
+endhostent_p(struct net_data *net_data) {
+ struct irs_ho *ho;
+
+ if ((net_data != NULL) && ((ho = net_data->ho) != NULL))
+ (*ho->minimize)(ho);
+}
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+static const unsigned char in6addr_compat[12] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
+ ((x)->s6_addr[12] != 0 || \
+ (x)->s6_addr[13] != 0 || \
+ (x)->s6_addr[14] != 0 || \
+ ((x)->s6_addr[15] != 0 && \
+ (x)->s6_addr[15] != 1)))
+#endif
+#ifndef IN6_IS_ADDR_V4MAPPED
+#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
+#endif
+
+static const unsigned char in6addr_mapped[12] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff };
+
+static int scan_interfaces(int *, int *);
+static struct hostent *copyandmerge(struct hostent *, struct hostent *, int, int *);
+
+/*
+ * Public functions
+ */
+
+/*
+ * AI_V4MAPPED + AF_INET6
+ * If no IPv6 address then a query for IPv4 and map returned values.
+ *
+ * AI_ALL + AI_V4MAPPED + AF_INET6
+ * Return IPv6 and IPv4 mapped.
+ *
+ * AI_ADDRCONFIG
+ * Only return IPv6 / IPv4 address if there is an interface of that
+ * type active.
+ */
+
+struct hostent *
+getipnodebyname(const char *name, int af, int flags, int *error_num) {
+ int have_v4 = 1, have_v6 = 1;
+ struct in_addr in4;
+ struct in6_addr in6;
+ struct hostent he, *he1 = NULL, *he2 = NULL, *he3;
+ int v4 = 0, v6 = 0;
+ struct net_data *net_data = init();
+ u_long options;
+ int tmp_err;
+
+ if (net_data == NULL) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ /* If we care about active interfaces then check. */
+ if ((flags & AI_ADDRCONFIG) != 0)
+ if (scan_interfaces(&have_v4, &have_v6) == -1) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ /* Check for literal address. */
+ if ((v4 = inet_pton(AF_INET, name, &in4)) != 1)
+ v6 = inet_pton(AF_INET6, name, &in6);
+
+ /* Impossible combination? */
+
+ if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
+ (af == AF_INET && v6 == 1) ||
+ (have_v4 == 0 && v4 == 1) ||
+ (have_v6 == 0 && v6 == 1) ||
+ (have_v4 == 0 && af == AF_INET) ||
+ (have_v6 == 0 && af == AF_INET6)) {
+ *error_num = HOST_NOT_FOUND;
+ return (NULL);
+ }
+
+ /* Literal address? */
+ if (v4 == 1 || v6 == 1) {
+ char *addr_list[2];
+ char *aliases[1];
+
+ DE_CONST(name, he.h_name);
+ he.h_addr_list = addr_list;
+ he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
+ he.h_addr_list[1] = NULL;
+ he.h_aliases = aliases;
+ he.h_aliases[0] = NULL;
+ he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
+ he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
+ return (copyandmerge(&he, NULL, af, error_num));
+ }
+
+ options = net_data->res->options;
+ net_data->res->options &= ~RES_USE_INET6;
+
+ tmp_err = NO_RECOVERY;
+ if (have_v6 && af == AF_INET6) {
+ he2 = gethostbyname2_p(name, AF_INET6, net_data);
+ if (he2 != NULL) {
+ he1 = copyandmerge(he2, NULL, af, error_num);
+ if (he1 == NULL)
+ return (NULL);
+ he2 = NULL;
+ } else {
+ tmp_err = net_data->res->res_h_errno;
+ }
+ }
+
+ if (have_v4 &&
+ ((af == AF_INET) ||
+ (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
+ (he1 == NULL || (flags & AI_ALL) != 0)))) {
+ he2 = gethostbyname2_p(name, AF_INET, net_data);
+ if (he1 == NULL && he2 == NULL) {
+ *error_num = net_data->res->res_h_errno;
+ return (NULL);
+ }
+ } else
+ *error_num = tmp_err;
+
+ net_data->res->options = options;
+
+ he3 = copyandmerge(he1, he2, af, error_num);
+
+ if (he1 != NULL)
+ freehostent(he1);
+ return (he3);
+}
+
+struct hostent *
+getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
+ struct hostent *he1, *he2;
+ struct net_data *net_data = init();
+
+ /* Sanity Checks. */
+ if (src == NULL) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ switch (af) {
+ case AF_INET:
+ if (len != (size_t)INADDRSZ) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+ break;
+ case AF_INET6:
+ if (len != (size_t)IN6ADDRSZ) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+ break;
+ default:
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ /*
+ * Lookup IPv4 and IPv4 mapped/compatible addresses
+ */
+ if ((af == AF_INET6 &&
+ IN6_IS_ADDR_V4COMPAT((const struct in6_addr *)src)) ||
+ (af == AF_INET6 &&
+ IN6_IS_ADDR_V4MAPPED((const struct in6_addr *)src)) ||
+ (af == AF_INET)) {
+ const char *cp = src;
+
+ if (af == AF_INET6)
+ cp += 12;
+ he1 = gethostbyaddr_p(cp, 4, AF_INET, net_data);
+ if (he1 == NULL) {
+ *error_num = net_data->res->res_h_errno;
+ return (NULL);
+ }
+ he2 = copyandmerge(he1, NULL, af, error_num);
+ if (he2 == NULL)
+ return (NULL);
+ /*
+ * Restore original address if mapped/compatible.
+ */
+ if (af == AF_INET6)
+ memcpy(he1->h_addr, src, len);
+ return (he2);
+ }
+
+ /*
+ * Lookup IPv6 address.
+ */
+ if (memcmp((const struct in6_addr *)src, &in6addr_any, 16) == 0) {
+ *error_num = HOST_NOT_FOUND;
+ return (NULL);
+ }
+
+ he1 = gethostbyaddr_p(src, 16, AF_INET6, net_data);
+ if (he1 == NULL) {
+ *error_num = net_data->res->res_h_errno;
+ return (NULL);
+ }
+ return (copyandmerge(he1, NULL, af, error_num));
+}
+
+void
+freehostent(struct hostent *he) {
+ char **cpp;
+ int names = 1;
+ int addresses = 1;
+
+ memput(he->h_name, strlen(he->h_name) + 1);
+
+ cpp = he->h_addr_list;
+ while (*cpp != NULL) {
+ memput(*cpp, (he->h_addrtype == AF_INET) ?
+ INADDRSZ : IN6ADDRSZ);
+ *cpp = NULL;
+ cpp++;
+ addresses++;
+ }
+
+ cpp = he->h_aliases;
+ while (*cpp != NULL) {
+ memput(*cpp, strlen(*cpp) + 1);
+ cpp++;
+ names++;
+ }
+
+ memput(he->h_aliases, sizeof(char *) * (names));
+ memput(he->h_addr_list, sizeof(char *) * (addresses));
+ memput(he, sizeof *he);
+}
+
+/*
+ * Private
+ */
+
+/*
+ * Scan the interface table and set have_v4 and have_v6 depending
+ * upon whether there are IPv4 and IPv6 interface addresses.
+ *
+ * Returns:
+ * 0 on success
+ * -1 on failure.
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+ !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+
+#ifdef __hpux
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define SETFAMILYFLAGS
+#define LIFCONF lifconf
+#endif
+
+#ifdef __hpux
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+
+static void
+scan_interfaces6(int *have_v4, int *have_v6) {
+ struct LIFCONF lifc;
+ struct LIFREQ lifreq;
+ struct in_addr in4;
+ struct in6_addr in6;
+ char *buf = NULL, *cp, *cplim;
+ static unsigned int bufsiz = 4095;
+ int s, cpsize, n;
+
+ /* Get interface list from system. */
+ if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
+ goto cleanup;
+
+ /*
+ * Grow buffer until large enough to contain all interface
+ * descriptions.
+ */
+ for (;;) {
+ buf = memget(bufsiz);
+ if (buf == NULL)
+ goto cleanup;
+#ifdef SETFAMILYFLAGS
+ lifc.lifc_family = AF_UNSPEC; /* request all families */
+ lifc.lifc_flags = 0;
+#endif
+ lifc.lifc_len = bufsiz;
+ lifc.lifc_buf = buf;
+ if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
+ /*
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * lifc.lifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
+ break;
+ }
+ if ((n == -1) && errno != EINVAL)
+ goto cleanup;
+
+ if (bufsiz > 1000000)
+ goto cleanup;
+
+ memput(buf, bufsiz);
+ bufsiz += 4096;
+ }
+
+ /* Parse system's interface list. */
+ cplim = buf + lifc.lifc_len; /* skip over if's with big ifr_addr's */
+ for (cp = buf;
+ (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+ cp += cpsize) {
+ memcpy(&lifreq, cp, sizeof lifreq);
+#ifdef HAVE_SA_LEN
+#ifdef FIX_ZERO_SA_LEN
+ if (lifreq.lifr_addr.sa_len == 0)
+ lifreq.lifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+ cpsize = sizeof lifreq;
+ if (lifreq.lifr_addr.sa_len > sizeof (struct sockaddr))
+ cpsize += (int)lifreq.lifr_addr.sa_len -
+ (int)(sizeof (struct sockaddr));
+#else
+ cpsize = sizeof lifreq.lifr_name + lifreq.lifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+#elif defined SIOCGIFCONF_ADDR
+ cpsize = sizeof lifreq;
+#else
+ cpsize = sizeof lifreq.lifr_name;
+ /* XXX maybe this should be a hard error? */
+ if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
+ continue;
+#endif
+ switch (lifreq.lifr_addr.ss_family) {
+ case AF_INET:
+ if (*have_v4 == 0) {
+ memcpy(&in4,
+ &((struct sockaddr_in *)
+ &lifreq.lifr_addr)->sin_addr,
+ sizeof in4);
+ if (in4.s_addr == INADDR_ANY)
+ break;
+ n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+ if (n < 0)
+ break;
+ if ((lifreq.lifr_flags & IFF_UP) == 0)
+ break;
+ *have_v4 = 1;
+ }
+ break;
+ case AF_INET6:
+ if (*have_v6 == 0) {
+ memcpy(&in6,
+ &((struct sockaddr_in6 *)
+ &lifreq.lifr_addr)->sin6_addr, sizeof in6);
+ if (memcmp(&in6, &in6addr_any, sizeof in6) == 0)
+ break;
+ n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+ if (n < 0)
+ break;
+ if ((lifreq.lifr_flags & IFF_UP) == 0)
+ break;
+ *have_v6 = 1;
+ }
+ break;
+ }
+ }
+ if (buf != NULL)
+ memput(buf, bufsiz);
+ close(s);
+ /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
+ return;
+ cleanup:
+ if (buf != NULL)
+ memput(buf, bufsiz);
+ if (s != -1)
+ close(s);
+ /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
+ return;
+}
+#endif
+
+#ifdef __linux
+#ifndef IF_NAMESIZE
+# ifdef IFNAMSIZ
+# define IF_NAMESIZE IFNAMSIZ
+# else
+# define IF_NAMESIZE 16
+# endif
+#endif
+static void
+scan_linux6(int *have_v6) {
+ FILE *proc = NULL;
+ char address[33];
+ char name[IF_NAMESIZE+1];
+ int ifindex, prefix, flag3, flag4;
+
+ proc = fopen("/proc/net/if_inet6", "r");
+ if (proc == NULL)
+ return;
+
+ if (fscanf(proc, "%32[a-f0-9] %x %x %x %x %16s\n",
+ address, &ifindex, &prefix, &flag3, &flag4, name) == 6)
+ *have_v6 = 1;
+ fclose(proc);
+ return;
+}
+#endif
+
+static int
+scan_interfaces(int *have_v4, int *have_v6) {
+ struct ifconf ifc;
+ union {
+ char _pad[256]; /* leave space for IPv6 addresses */
+ struct ifreq ifreq;
+ } u;
+ struct in_addr in4;
+ struct in6_addr in6;
+ char *buf = NULL, *cp, *cplim;
+ static unsigned int bufsiz = 4095;
+ int s, n;
+ size_t cpsize;
+
+ /* Set to zero. Used as loop terminators below. */
+ *have_v4 = *have_v6 = 0;
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+ !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+ /*
+ * Try to scan the interfaces using IPv6 ioctls().
+ */
+ scan_interfaces6(have_v4, have_v6);
+ if (*have_v4 != 0 && *have_v6 != 0)
+ return (0);
+#endif
+#ifdef __linux
+ scan_linux6(have_v6);
+#endif
+
+ /* Get interface list from system. */
+ if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+ goto err_ret;
+
+ /*
+ * Grow buffer until large enough to contain all interface
+ * descriptions.
+ */
+ for (;;) {
+ buf = memget(bufsiz);
+ if (buf == NULL)
+ goto err_ret;
+ ifc.ifc_len = bufsiz;
+ ifc.ifc_buf = buf;
+#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
+ /*
+ * This is a fix for IRIX OS in which the call to ioctl with
+ * the flag SIOCGIFCONF may not return an entry for all the
+ * interfaces like most flavors of Unix.
+ */
+ if (emul_ioctl(&ifc) >= 0)
+ break;
+#else
+ if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
+ /*
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * ifc.ifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
+ break;
+ }
+#endif
+ if ((n == -1) && errno != EINVAL)
+ goto err_ret;
+
+ if (bufsiz > 1000000)
+ goto err_ret;
+
+ memput(buf, bufsiz);
+ bufsiz += 4096;
+ }
+
+ /* Parse system's interface list. */
+ cplim = buf + ifc.ifc_len; /* skip over if's with big ifr_addr's */
+ for (cp = buf;
+ (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+ cp += cpsize) {
+ memcpy(&u.ifreq, cp, sizeof u.ifreq);
+#ifdef HAVE_SA_LEN
+#ifdef FIX_ZERO_SA_LEN
+ if (u.ifreq.ifr_addr.sa_len == 0)
+ u.ifreq.ifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+ cpsize = sizeof u.ifreq;
+ if (u.ifreq.ifr_addr.sa_len > sizeof (struct sockaddr))
+ cpsize += (int)u.ifreq.ifr_addr.sa_len -
+ (int)(sizeof (struct sockaddr));
+#else
+ cpsize = sizeof u.ifreq.ifr_name + u.ifreq.ifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+ if (cpsize > sizeof u.ifreq && cpsize <= sizeof u)
+ memcpy(&u.ifreq, cp, cpsize);
+#elif defined SIOCGIFCONF_ADDR
+ cpsize = sizeof u.ifreq;
+#else
+ cpsize = sizeof u.ifreq.ifr_name;
+ /* XXX maybe this should be a hard error? */
+ if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
+ continue;
+#endif
+ switch (u.ifreq.ifr_addr.sa_family) {
+ case AF_INET:
+ if (*have_v4 == 0) {
+ memcpy(&in4,
+ &((struct sockaddr_in *)
+ &u.ifreq.ifr_addr)->sin_addr,
+ sizeof in4);
+ if (in4.s_addr == INADDR_ANY)
+ break;
+ n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+ if (n < 0)
+ break;
+ if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+ break;
+ *have_v4 = 1;
+ }
+ break;
+ case AF_INET6:
+ if (*have_v6 == 0) {
+ memcpy(&in6,
+ &((struct sockaddr_in6 *)
+ &u.ifreq.ifr_addr)->sin6_addr,
+ sizeof in6);
+ if (memcmp(&in6, &in6addr_any, sizeof in6) == 0)
+ break;
+ n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+ if (n < 0)
+ break;
+ if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+ break;
+ *have_v6 = 1;
+ }
+ break;
+ }
+ }
+ if (buf != NULL)
+ memput(buf, bufsiz);
+ close(s);
+ /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
+ return (0);
+ err_ret:
+ if (buf != NULL)
+ memput(buf, bufsiz);
+ if (s != -1)
+ close(s);
+ /* printf("scan interface -> 4=%d 6=%d\n", *have_v4, *have_v6); */
+ return (-1);
+}
+
+static struct hostent *
+copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num) {
+ struct hostent *he = NULL;
+ int addresses = 1; /* NULL terminator */
+ int names = 1; /* NULL terminator */
+ int len = 0;
+ char **cpp, **npp;
+
+ /*
+ * Work out array sizes;
+ */
+ if (he1 != NULL) {
+ cpp = he1->h_addr_list;
+ while (*cpp != NULL) {
+ addresses++;
+ cpp++;
+ }
+ cpp = he1->h_aliases;
+ while (*cpp != NULL) {
+ names++;
+ cpp++;
+ }
+ }
+
+ if (he2 != NULL) {
+ cpp = he2->h_addr_list;
+ while (*cpp != NULL) {
+ addresses++;
+ cpp++;
+ }
+ if (he1 == NULL) {
+ cpp = he2->h_aliases;
+ while (*cpp != NULL) {
+ names++;
+ cpp++;
+ }
+ }
+ }
+
+ if (addresses == 1) {
+ *error_num = NO_ADDRESS;
+ return (NULL);
+ }
+
+ he = memget(sizeof *he);
+ if (he == NULL)
+ goto no_recovery;
+
+ he->h_addr_list = memget(sizeof(char *) * (addresses));
+ if (he->h_addr_list == NULL)
+ goto cleanup0;
+ memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
+
+ /* copy addresses */
+ npp = he->h_addr_list;
+ if (he1 != NULL) {
+ cpp = he1->h_addr_list;
+ while (*cpp != NULL) {
+ *npp = memget((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ if (*npp == NULL)
+ goto cleanup1;
+ /* convert to mapped if required */
+ if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
+ memcpy(*npp, in6addr_mapped,
+ sizeof in6addr_mapped);
+ memcpy(*npp + sizeof in6addr_mapped, *cpp,
+ INADDRSZ);
+ } else {
+ memcpy(*npp, *cpp,
+ (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ }
+ cpp++;
+ npp++;
+ }
+ }
+
+ if (he2 != NULL) {
+ cpp = he2->h_addr_list;
+ while (*cpp != NULL) {
+ *npp = memget((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ if (*npp == NULL)
+ goto cleanup1;
+ /* convert to mapped if required */
+ if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
+ memcpy(*npp, in6addr_mapped,
+ sizeof in6addr_mapped);
+ memcpy(*npp + sizeof in6addr_mapped, *cpp,
+ INADDRSZ);
+ } else {
+ memcpy(*npp, *cpp,
+ (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ }
+ cpp++;
+ npp++;
+ }
+ }
+
+ he->h_aliases = memget(sizeof(char *) * (names));
+ if (he->h_aliases == NULL)
+ goto cleanup1;
+ memset(he->h_aliases, 0, sizeof(char *) * (names));
+
+ /* copy aliases */
+ npp = he->h_aliases;
+ cpp = (he1 != NULL) ? he1->h_aliases : he2->h_aliases;
+ while (*cpp != NULL) {
+ len = strlen (*cpp) + 1;
+ *npp = memget(len);
+ if (*npp == NULL)
+ goto cleanup2;
+ strcpy(*npp, *cpp);
+ npp++;
+ cpp++;
+ }
+
+ /* copy hostname */
+ he->h_name = memget(strlen((he1 != NULL) ?
+ he1->h_name : he2->h_name) + 1);
+ if (he->h_name == NULL)
+ goto cleanup2;
+ strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
+
+ /* set address type and length */
+ he->h_addrtype = af;
+ he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
+ return(he);
+
+ cleanup2:
+ cpp = he->h_aliases;
+ while (*cpp != NULL) {
+ memput(*cpp, strlen(*cpp) + 1);
+ cpp++;
+ }
+ memput(he->h_aliases, sizeof(char *) * (names));
+
+ cleanup1:
+ cpp = he->h_addr_list;
+ while (*cpp != NULL) {
+ memput(*cpp, (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ *cpp = NULL;
+ cpp++;
+ }
+ memput(he->h_addr_list, sizeof(char *) * (addresses));
+
+ cleanup0:
+ memput(he, sizeof *he);
+
+ no_recovery:
+ *error_num = NO_RECOVERY;
+ return (NULL);
+}
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->ho) {
+ net_data->ho = (*net_data->irs->ho_map)(net_data->irs);
+ if (!net_data->ho || !net_data->res) {
+ error:
+ errno = EIO;
+ if (net_data && net_data->res)
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+
+ (*net_data->ho->res_set)(net_data->ho, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
+
+static void
+freepvt(struct net_data *net_data) {
+ if (net_data->ho_data) {
+ free(net_data->ho_data);
+ net_data->ho_data = NULL;
+ }
+}
+
+static struct hostent *
+fakeaddr(const char *name, int af, struct net_data *net_data) {
+ struct pvt *pvt;
+
+ freepvt(net_data);
+ net_data->ho_data = malloc(sizeof (struct pvt));
+ if (!net_data->ho_data) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ pvt = net_data->ho_data;
+#ifndef __bsdi__
+ /*
+ * Unlike its forebear(inet_aton), our friendly inet_pton() is strict
+ * in its interpretation of its input, and it will only return "1" if
+ * the input string is a formally valid(and thus unambiguous with
+ * respect to host names) internet address specification for this AF.
+ *
+ * This means "telnet 0xdeadbeef" and "telnet 127.1" are dead now.
+ */
+ if (inet_pton(af, name, pvt->addr) != 1) {
+#else
+ /* BSDI XXX
+ * We put this back to inet_aton -- we really want the old behavior
+ * Long live 127.1...
+ */
+ if ((af != AF_INET ||
+ inet_aton(name, (struct in_addr *)pvt->addr) != 1) &&
+ inet_pton(af, name, pvt->addr) != 1) {
+#endif
+ RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ strncpy(pvt->name, name, NS_MAXDNAME);
+ pvt->name[NS_MAXDNAME] = '\0';
+ if (af == AF_INET && (net_data->res->options & RES_USE_INET6) != 0U) {
+ map_v4v6_address(pvt->addr, pvt->addr);
+ af = AF_INET6;
+ }
+ pvt->host.h_addrtype = af;
+ switch(af) {
+ case AF_INET:
+ pvt->host.h_length = NS_INADDRSZ;
+ break;
+ case AF_INET6:
+ pvt->host.h_length = NS_IN6ADDRSZ;
+ break;
+ default:
+ errno = EAFNOSUPPORT;
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ pvt->host.h_name = pvt->name;
+ pvt->host.h_aliases = pvt->aliases;
+ pvt->aliases[0] = NULL;
+ pvt->addrs[0] = (char *)pvt->addr;
+ pvt->addrs[1] = NULL;
+ pvt->host.h_addr_list = pvt->addrs;
+ RES_SET_H_ERRNO(net_data->res, NETDB_SUCCESS);
+ return (&pvt->host);
+}
+
+#ifdef grot /* for future use in gethostbyaddr(), for "SUNSECURITY" */
+ struct hostent *rhp;
+ char **haddr;
+ u_long old_options;
+ char hname2[MAXDNAME+1];
+
+ if (af == AF_INET) {
+ /*
+ * turn off search as the name should be absolute,
+ * 'localhost' should be matched by defnames
+ */
+ strncpy(hname2, hp->h_name, MAXDNAME);
+ hname2[MAXDNAME] = '\0';
+ old_options = net_data->res->options;
+ net_data->res->options &= ~RES_DNSRCH;
+ net_data->res->options |= RES_DEFNAMES;
+ if (!(rhp = gethostbyname(hname2))) {
+ net_data->res->options = old_options;
+ RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ net_data->res->options = old_options;
+ for (haddr = rhp->h_addr_list; *haddr; haddr++)
+ if (!memcmp(*haddr, addr, INADDRSZ))
+ break;
+ if (!*haddr) {
+ RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ }
+#endif /* grot */
+
+#endif /*__BIND_NOSTATIC*/
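Review bot: In getipnodebyaddr() the "Restore original address" step writes to the wrong hostent. `memcpy(he1->h_addr, src, len)` copies `len` bytes (16 for AF_INET6) into `he1`, the result of the AF_INET lookup made with a 4-byte address, while the copy actually returned, `he2`, keeps the mapped form built by copyandmerge(). The size of `he1`'s address slot depends on the backend and is not visible here, so this is at best a no-op for the caller and possibly a write past a 4-byte buffer; `memcpy(he2->h_addr, src, len);` matches the comment, since copyandmerge() allocates IN6ADDRSZ per address when `af` is AF_INET6. The same function never checks the result of init(), unlike getipnodebyname(), yet reads `net_data->res->res_h_errno` when the lookup fails, so add `if (net_data == NULL) { *error_num = NO_RECOVERY; return (NULL); }` after the `src` check. As this is imported code, the fixes are best reported upstream or carried as a tracked local patch.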
diff --git a/contrib/bind9/lib/bind/irs/gethostent_r.c b/contrib/bind9/lib/bind/irs/gethostent_r.c
new file mode 100644
index 0000000..28f1a7f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/gethostent_r.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: gethostent_r.c,v 1.4.206.3 2004/09/01 02:03:07 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
+ static int gethostent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <sys/param.h>
+#include <port_after.h>
+
+#ifdef HOST_R_RETURN
+
+static HOST_R_RETURN
+copy_hostent(struct hostent *, struct hostent *, HOST_R_COPY_ARGS);
+
+HOST_R_RETURN
+gethostbyname_r(const char *name, struct hostent *hptr, HOST_R_ARGS) {
+ struct hostent *he = gethostbyname(name);
+#ifdef HOST_R_SETANSWER
+ int n = 0;
+#endif
+
+ HOST_R_ERRNO;
+
+#ifdef HOST_R_SETANSWER
+ if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = hptr;
+
+ return (n);
+#else
+ if (he == NULL)
+ return (HOST_R_BAD);
+
+ return (copy_hostent(he, hptr, HOST_R_COPY));
+#endif
+}
+
+HOST_R_RETURN
+gethostbyaddr_r(const char *addr, int len, int type,
+ struct hostent *hptr, HOST_R_ARGS) {
+ struct hostent *he = gethostbyaddr(addr, len, type);
+#ifdef HOST_R_SETANSWER
+ int n = 0;
+#endif
+
+ HOST_R_ERRNO;
+
+#ifdef HOST_R_SETANSWER
+ if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = hptr;
+
+ return (n);
+#else
+ if (he == NULL)
+ return (HOST_R_BAD);
+
+ return (copy_hostent(he, hptr, HOST_R_COPY));
+#endif
+}
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+HOST_R_RETURN
+gethostent_r(struct hostent *hptr, HOST_R_ARGS) {
+ struct hostent *he = gethostent();
+#ifdef HOST_R_SETANSWER
+ int n = 0;
+#endif
+
+ HOST_R_ERRNO;
+
+#ifdef HOST_R_SETANSWER
+ if (he == NULL || (n = copy_hostent(he, hptr, HOST_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = hptr;
+
+ return (n);
+#else
+ if (he == NULL)
+ return (HOST_R_BAD);
+
+ return (copy_hostent(he, hptr, HOST_R_COPY));
+#endif
+}
+
+HOST_R_SET_RETURN
+#ifdef HOST_R_ENT_ARGS
+sethostent_r(int stay_open, HOST_R_ENT_ARGS)
+#else
+sethostent_r(int stay_open)
+#endif
+{
+ sethostent(stay_open);
+#ifdef HOST_R_SET_RESULT
+ return (HOST_R_SET_RESULT);
+#endif
+}
+
+HOST_R_END_RETURN
+#ifdef HOST_R_ENT_ARGS
+endhostent_r(HOST_R_ENT_ARGS)
+#else
+endhostent_r(void)
+#endif
+{
+ endhostent();
+ HOST_R_END_RESULT(HOST_R_OK);
+}
+
+/* Private */
+
+#ifndef HOSTENT_DATA
+static HOST_R_RETURN
+copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
+ char *cp;
+ char **ptr;
+ int i, n;
+ int nptr, len;
+
+ /* Find out the amount of space required to store the answer. */
+ nptr = 2; /* NULL ptrs */
+ len = (char *)ALIGN(buf) - buf;
+ for (i = 0; he->h_addr_list[i]; i++, nptr++) {
+ len += he->h_length;
+ }
+ for (i = 0; he->h_aliases[i]; i++, nptr++) {
+ len += strlen(he->h_aliases[i]) + 1;
+ }
+ len += strlen(he->h_name) + 1;
+ len += nptr * sizeof(char*);
+
+ if (len > buflen) {
+ errno = ERANGE;
+ return (HOST_R_BAD);
+ }
+
+ /* copy address size and type */
+ hptr->h_addrtype = he->h_addrtype;
+ n = hptr->h_length = he->h_length;
+
+ ptr = (char **)ALIGN(buf);
+ cp = (char *)ALIGN(buf) + nptr * sizeof(char *);
+
+ /* copy address list */
+ hptr->h_addr_list = ptr;
+ for (i = 0; he->h_addr_list[i]; i++ , ptr++) {
+ memcpy(cp, he->h_addr_list[i], n);
+ hptr->h_addr_list[i] = cp;
+ cp += n;
+ }
+ hptr->h_addr_list[i] = NULL;
+ ptr++;
+
+ /* copy official name */
+ n = strlen(he->h_name) + 1;
+ strcpy(cp, he->h_name);
+ hptr->h_name = cp;
+ cp += n;
+
+ /* copy aliases */
+ hptr->h_aliases = ptr;
+ for (i = 0 ; he->h_aliases[i]; i++) {
+ n = strlen(he->h_aliases[i]) + 1;
+ strcpy(cp, he->h_aliases[i]);
+ hptr->h_aliases[i] = cp;
+ cp += n;
+ }
+ hptr->h_aliases[i] = NULL;
+
+ return (HOST_R_OK);
+}
+#else /* !HOSTENT_DATA */
+static int
+copy_hostent(struct hostent *he, struct hostent *hptr, HOST_R_COPY_ARGS) {
+ char *cp, *eob;
+ int i, n;
+
+ /* copy address size and type */
+ hptr->h_addrtype = he->h_addrtype;
+ n = hptr->h_length = he->h_length;
+
+ /* copy up to first 35 addresses */
+ i = 0;
+ cp = hdptr->hostbuf;
+ eob = hdptr->hostbuf + sizeof(hdptr->hostbuf);
+ hptr->h_addr_list = hdptr->h_addr_ptrs;
+ while (he->h_addr_list[i] && i < (_MAXADDRS)) {
+ if (n < (eob - cp)) {
+ memcpy(cp, he->h_addr_list[i], n);
+ hptr->h_addr_list[i] = cp;
+ cp += n;
+ } else {
+ break;
+ }
+ i++;
+ }
+ hptr->h_addr_list[i] = NULL;
+
+ /* copy official name */
+ if ((n = strlen(he->h_name) + 1) < (eob - cp)) {
+ strcpy(cp, he->h_name);
+ hptr->h_name = cp;
+ cp += n;
+ } else {
+ return (-1);
+ }
+
+ /* copy aliases */
+ i = 0;
+ hptr->h_aliases = hdptr->host_aliases;
+ while (he->h_aliases[i] && i < (_MAXALIASES-1)) {
+ if ((n = strlen(he->h_aliases[i]) + 1) < (eob - cp)) {
+ strcpy(cp, he->h_aliases[i]);
+ hptr->h_aliases[i] = cp;
+ cp += n;
+ } else {
+ break;
+ }
+ i++;
+ }
+ hptr->h_aliases[i] = NULL;
+
+ return (HOST_R_OK);
+}
+#endif /* !HOSTENT_DATA */
+#else /* HOST_R_RETURN */
+ static int gethostent_r_unknown_system = 0;
+#endif /* HOST_R_RETURN */
+#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
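Review bot: The HOSTENT_DATA variant of copy_hostent() reports success for a truncated answer. Both copy loops `break` when `hostbuf` is full or the `_MAXADDRS` / `_MAXALIASES-1` limit is reached and the function still returns HOST_R_OK, so a caller of gethostbyname_r() cannot tell a partial address list from a complete one. Its only failure path returns a literal `-1` without setting errno, whereas the other variant sets `errno = ERANGE` and returns `HOST_R_BAD`, and it is defined as `static int` although the forward declaration says `static HOST_R_RETURN`. I would make the name-overflow path `errno = ERANGE; return (HOST_R_BAD);`, use the declared return type, and, if the truncation is intended, add a comment above the loops such as `/* NOTE: lists are silently truncated to fit hostbuf; callers still get HOST_R_OK. */`. The address loop also stores the terminating NULL at index `i`, which can equal `_MAXADDRS`; that is only safe if `h_addr_ptrs` has `_MAXADDRS + 1` slots, which this hunk does not show.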
diff --git a/contrib/bind9/lib/bind/irs/getnameinfo.c b/contrib/bind9/lib/bind/irs/getnameinfo.c
new file mode 100644
index 0000000..5947c03
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getnameinfo.c
@@ -0,0 +1,322 @@
+/*
+ * Issues to be discussed:
+ * - Thread safe-ness must be checked
+ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by WIDE Project and
+ * its contributors.
+ * 4. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <port_before.h>
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+#include <net/if.h>
+
+#include <netdb.h>
+#include <resolv.h>
+#include <string.h>
+#include <stddef.h>
+
+#include <port_after.h>
+
+/*
+ * Note that a_off will be dynamically adjusted so that to be consistent
+ * with the definition of sockaddr_in{,6}.
+ * The value presented below is just a guess.
+ */
+static struct afd {
+ int a_af;
+ int a_addrlen;
+ size_t a_socklen;
+ int a_off;
+} afdl [] = {
+ /* first entry is linked last... */
+ {PF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in),
+ offsetof(struct sockaddr_in, sin_addr)},
+ {PF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6),
+ offsetof(struct sockaddr_in6, sin6_addr)},
+ {0, 0, 0, 0},
+};
+
+struct sockinet {
+#ifdef HAVE_SA_LEN
+ u_char si_len;
+#endif
+ u_char si_family;
+ u_short si_port;
+};
+
+static int ip6_parsenumeric __P((const struct sockaddr *, const char *, char *,
+ size_t, int));
+#ifdef HAVE_SIN6_SCOPE_ID
+static int ip6_sa2str __P((const struct sockaddr_in6 *, char *, size_t, int));
+#endif
+
+int
+getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
+ const struct sockaddr *sa;
+ size_t salen;
+ char *host;
+ size_t hostlen;
+ char *serv;
+ size_t servlen;
+ int flags;
+{
+ struct afd *afd;
+ struct servent *sp;
+ struct hostent *hp;
+ u_short port;
+#ifdef HAVE_SA_LEN
+ size_t len;
+#endif
+ int family, i;
+ const char *addr;
+ char *p;
+ char numserv[512];
+ char numaddr[512];
+ const struct sockaddr_in6 *sin6;
+
+ if (sa == NULL)
+ return EAI_FAIL;
+
+#ifdef HAVE_SA_LEN
+ len = sa->sa_len;
+ if (len != salen) return EAI_FAIL;
+#endif
+
+ family = sa->sa_family;
+ for (i = 0; afdl[i].a_af; i++)
+ if (afdl[i].a_af == family) {
+ afd = &afdl[i];
+ goto found;
+ }
+ return EAI_FAMILY;
+
+ found:
+ if (salen != afd->a_socklen) return EAI_FAIL;
+
+ port = ((const struct sockinet *)sa)->si_port; /* network byte order */
+ addr = (const char *)sa + afd->a_off;
+
+ if (serv == NULL || servlen == 0U) {
+ /*
+ * rfc2553bis says that serv == NULL or servlen == 0 means that
+ * the caller does not want the result.
+ */
+ } else if (flags & NI_NUMERICSERV) {
+ sprintf(numserv, "%d", ntohs(port));
+ if (strlen(numserv) > servlen)
+ return EAI_MEMORY;
+ strcpy(serv, numserv);
+ } else {
+ sp = getservbyport(port, (flags & NI_DGRAM) ? "udp" : "tcp");
+ if (sp) {
+ if (strlen(sp->s_name) + 1 > servlen)
+ return EAI_MEMORY;
+ strcpy(serv, sp->s_name);
+ } else
+ return EAI_NONAME;
+ }
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ if (ntohl(*(const u_int32_t *)addr) >> IN_CLASSA_NSHIFT == 0)
+ flags |= NI_NUMERICHOST;
+ break;
+ case AF_INET6:
+ sin6 = (const struct sockaddr_in6 *)sa;
+ switch (sin6->sin6_addr.s6_addr[0]) {
+ case 0x00:
+ if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
+ ;
+ else if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
+ ;
+ else
+ flags |= NI_NUMERICHOST;
+ break;
+ default:
+ if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
+ flags |= NI_NUMERICHOST;
+ else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
+ flags |= NI_NUMERICHOST;
+ break;
+ }
+ break;
+ }
+ if (host == NULL || hostlen == 0U) {
+ /*
+ * rfc2553bis says that host == NULL or hostlen == 0 means that
+ * the caller does not want the result.
+ */
+ } else if (flags & NI_NUMERICHOST) {
+ goto numeric;
+ } else {
+ hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
+
+ if (hp) {
+ if (flags & NI_NOFQDN) {
+ p = strchr(hp->h_name, '.');
+ if (p) *p = '\0';
+ }
+ if (strlen(hp->h_name) + 1 > hostlen)
+ return EAI_MEMORY;
+ strcpy(host, hp->h_name);
+ } else {
+ if (flags & NI_NAMEREQD)
+ return EAI_NONAME;
+ numeric:
+ switch(afd->a_af) {
+ case AF_INET6:
+ {
+ int error;
+
+ if ((error = ip6_parsenumeric(sa, addr, host,
+ hostlen,
+ flags)) != 0)
+ return(error);
+ break;
+ }
+
+ default:
+ if (inet_ntop(afd->a_af, addr, numaddr,
+ sizeof(numaddr)) == NULL)
+ return EAI_NONAME;
+ if (strlen(numaddr) + 1 > hostlen)
+ return EAI_MEMORY;
+ strcpy(host, numaddr);
+ }
+ }
+ }
+ return(0);
+}
+
+static int
+ip6_parsenumeric(const struct sockaddr *sa, const char *addr, char *host,
+ size_t hostlen, int flags)
+{
+ size_t numaddrlen;
+ char numaddr[512];
+
+#ifndef HAVE_SIN6_SCOPE_ID
+ UNUSED(sa);
+ UNUSED(flags);
+#endif
+
+ if (inet_ntop(AF_INET6, addr, numaddr, sizeof(numaddr))
+ == NULL)
+ return EAI_SYSTEM;
+
+ numaddrlen = strlen(numaddr);
+ if (numaddrlen + 1 > hostlen) /* don't forget terminator */
+ return EAI_MEMORY;
+ strcpy(host, numaddr);
+
+#ifdef HAVE_SIN6_SCOPE_ID
+ if (((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+ char scopebuf[MAXHOSTNAMELEN]; /* XXX */
+ int scopelen;
+
+ /* ip6_sa2str never fails */
+ scopelen = ip6_sa2str((const struct sockaddr_in6 *)sa,
+ scopebuf, sizeof(scopebuf), flags);
+
+ if (scopelen + 1 + numaddrlen + 1 > hostlen)
+ return EAI_MEMORY;
+
+ /* construct <numeric-addr><delim><scopeid> */
+ memcpy(host + numaddrlen + 1, scopebuf,
+ scopelen);
+ host[numaddrlen] = SCOPE_DELIMITER;
+ host[numaddrlen + 1 + scopelen] = '\0';
+ }
+#endif
+
+ return 0;
+}
+
+#ifdef HAVE_SIN6_SCOPE_ID
+/* ARGSUSED */
+static int
+ip6_sa2str(const struct sockaddr_in6 *sa6, char *buf,
+ size_t bufsiz, int flags)
+{
+#ifdef USE_IFNAMELINKID
+ unsigned int ifindex = (unsigned int)sa6->sin6_scope_id;
+ const struct in6_addr *a6 = &sa6->sin6_addr;
+#endif
+ char tmp[64];
+
+#ifdef NI_NUMERICSCOPE
+ if (flags & NI_NUMERICSCOPE) {
+ sprintf(tmp, "%u", sa6->sin6_scope_id);
+ if (bufsiz != 0U) {
+ strncpy(buf, tmp, bufsiz - 1);
+ buf[bufsiz - 1] = '\0';
+ }
+ return(strlen(tmp));
+ }
+#endif
+
+#ifdef USE_IFNAMELINKID
+ /*
+ * For a link-local address, convert the index to an interface
+ * name, assuming a one-to-one mapping between links and interfaces.
+ * Note, however, that this assumption is stronger than the
+ * specification of the scoped address architecture; the
+ * specficication says that more than one interfaces can belong to
+ * a single link.
+ */
+
+ /* if_indextoname() does not take buffer size. not a good api... */
+ if ((IN6_IS_ADDR_LINKLOCAL(a6) || IN6_IS_ADDR_MC_LINKLOCAL(a6)) &&
+ bufsiz >= IF_NAMESIZE) {
+ char *p = if_indextoname(ifindex, buf);
+ if (p) {
+ return(strlen(p));
+ }
+ }
+#endif
+
+ /* last resort */
+ sprintf(tmp, "%u", sa6->sin6_scope_id);
+ if (bufsiz != 0U) {
+ strncpy(buf, tmp, bufsiz - 1);
+ buf[bufsiz - 1] = '\0';
+ }
+ return(strlen(tmp));
+}
+#endif
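Review bot: The NI_NUMERICSERV branch of getnameinfo() checks `strlen(numserv) > servlen` before `strcpy(serv, numserv)`, so a port string exactly servlen characters long passes the check and its terminating NUL is written one byte past the caller's buffer. Every other length check in this file accounts for the terminator (`strlen(sp->s_name) + 1 > servlen`, `strlen(numaddr) + 1 > hostlen`), so this one should read `if (strlen(numserv) + 1 > servlen)`. Separately, the NI_NOFQDN path truncates `hp->h_name` in place with `*p = '\0'`, which modifies the storage returned by gethostbyaddr(). Copying only the leading label into host would leave that storage intact.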
diff --git a/contrib/bind9/lib/bind/irs/getnetent.c b/contrib/bind9/lib/bind/irs/getnetent.c
new file mode 100644
index 0000000..4d1cd1e
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getnetent.c
@@ -0,0 +1,343 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: getnetent.c,v 1.4.206.2 2004/03/17 01:49:40 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(__BIND_NOSTATIC)
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "irs_data.h"
+
+/* Definitions */
+
+struct pvt {
+ struct netent netent;
+ char * aliases[1];
+ char name[MAXDNAME + 1];
+};
+
+/* Forward */
+
+static struct net_data *init(void);
+static struct netent *nw_to_net(struct nwent *, struct net_data *);
+static void freepvt(struct net_data *);
+static struct netent *fakeaddr(const char *, int af, struct net_data *);
+
+/* Portability */
+
+#ifndef INADDR_NONE
+# define INADDR_NONE 0xffffffff
+#endif
+
+/* Public */
+
+struct netent *
+getnetent() {
+ struct net_data *net_data = init();
+
+ return (getnetent_p(net_data));
+}
+
+struct netent *
+getnetbyname(const char *name) {
+ struct net_data *net_data = init();
+
+ return (getnetbyname_p(name, net_data));
+}
+
+struct netent *
+getnetbyaddr(unsigned long net, int type) {
+ struct net_data *net_data = init();
+
+ return (getnetbyaddr_p(net, type, net_data));
+}
+
+void
+setnetent(int stayopen) {
+ struct net_data *net_data = init();
+
+ setnetent_p(stayopen, net_data);
+}
+
+
+void
+endnetent() {
+ struct net_data *net_data = init();
+
+ endnetent_p(net_data);
+}
+
+/* Shared private. */
+
+struct netent *
+getnetent_p(struct net_data *net_data) {
+ struct irs_nw *nw;
+
+ if (!net_data || !(nw = net_data->nw))
+ return (NULL);
+ net_data->nww_last = (*nw->next)(nw);
+ net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
+ return (net_data->nw_last);
+}
+
+struct netent *
+getnetbyname_p(const char *name, struct net_data *net_data) {
+ struct irs_nw *nw;
+ struct netent *np;
+ char **nap;
+
+ if (!net_data || !(nw = net_data->nw))
+ return (NULL);
+ if (net_data->nw_stayopen && net_data->nw_last) {
+ if (!strcmp(net_data->nw_last->n_name, name))
+ return (net_data->nw_last);
+ for (nap = net_data->nw_last->n_aliases; nap && *nap; nap++)
+ if (!strcmp(name, *nap))
+ return (net_data->nw_last);
+ }
+ if ((np = fakeaddr(name, AF_INET, net_data)) != NULL)
+ return (np);
+ net_data->nww_last = (*nw->byname)(nw, name, AF_INET);
+ net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
+ if (!net_data->nw_stayopen)
+ endnetent();
+ return (net_data->nw_last);
+}
+
+struct netent *
+getnetbyaddr_p(unsigned long net, int type, struct net_data *net_data) {
+ struct irs_nw *nw;
+ u_char addr[4];
+ int bits;
+
+ if (!net_data || !(nw = net_data->nw))
+ return (NULL);
+ if (net_data->nw_stayopen && net_data->nw_last)
+ if (type == net_data->nw_last->n_addrtype &&
+ net == net_data->nw_last->n_net)
+ return (net_data->nw_last);
+
+ /* cannonize net(host order) */
+ if (net < 256UL) {
+ net <<= 24;
+ bits = 8;
+ } else if (net < 65536UL) {
+ net <<= 16;
+ bits = 16;
+ } else if (net < 16777216UL) {
+ net <<= 8;
+ bits = 24;
+ } else
+ bits = 32;
+
+ /* convert to net order */
+ addr[0] = (0xFF000000 & net) >> 24;
+ addr[1] = (0x00FF0000 & net) >> 16;
+ addr[2] = (0x0000FF00 & net) >> 8;
+ addr[3] = (0x000000FF & net);
+
+ /* reduce bits to as close to natural number as possible */
+ if ((bits == 32) && (addr[0] < 224) && (addr[3] == 0)) {
+ if ((addr[0] < 192) && (addr[2] == 0)) {
+ if ((addr[0] < 128) && (addr[1] == 0))
+ bits = 8;
+ else
+ bits = 16;
+ } else {
+ bits = 24;
+ }
+ }
+
+ net_data->nww_last = (*nw->byaddr)(nw, addr, bits, AF_INET);
+ net_data->nw_last = nw_to_net(net_data->nww_last, net_data);
+ if (!net_data->nw_stayopen)
+ endnetent();
+ return (net_data->nw_last);
+}
+
+
+
+
+void
+setnetent_p(int stayopen, struct net_data *net_data) {
+ struct irs_nw *nw;
+
+ if (!net_data || !(nw = net_data->nw))
+ return;
+ freepvt(net_data);
+ (*nw->rewind)(nw);
+ net_data->nw_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+}
+
+void
+endnetent_p(struct net_data *net_data) {
+ struct irs_nw *nw;
+
+ if ((net_data != NULL) && ((nw = net_data->nw) != NULL))
+ (*nw->minimize)(nw);
+}
+
+/* Private */
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->nw) {
+ net_data->nw = (*net_data->irs->nw_map)(net_data->irs);
+
+ if (!net_data->nw || !net_data->res) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ (*net_data->nw->res_set)(net_data->nw, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
+
+static void
+freepvt(struct net_data *net_data) {
+ if (net_data->nw_data) {
+ free(net_data->nw_data);
+ net_data->nw_data = NULL;
+ }
+}
+
+static struct netent *
+fakeaddr(const char *name, int af, struct net_data *net_data) {
+ struct pvt *pvt;
+ const char *cp;
+ u_long tmp;
+
+ if (af != AF_INET) {
+ /* XXX should support IPv6 some day */
+ errno = EAFNOSUPPORT;
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ if (!isascii((unsigned char)(name[0])) ||
+ !isdigit((unsigned char)(name[0])))
+ return (NULL);
+ for (cp = name; *cp; ++cp)
+ if (!isascii(*cp) || (!isdigit((unsigned char)*cp) && *cp != '.'))
+ return (NULL);
+ if (*--cp == '.')
+ return (NULL);
+
+ /* All-numeric, no dot at the end. */
+
+ tmp = inet_network(name);
+ if (tmp == INADDR_NONE) {
+ RES_SET_H_ERRNO(net_data->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+
+ /* Valid network number specified.
+ * Fake up a netent as if we'd actually
+ * done a lookup.
+ */
+ freepvt(net_data);
+ net_data->nw_data = malloc(sizeof (struct pvt));
+ if (!net_data->nw_data) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ pvt = net_data->nw_data;
+
+ strncpy(pvt->name, name, MAXDNAME);
+ pvt->name[MAXDNAME] = '\0';
+ pvt->netent.n_name = pvt->name;
+ pvt->netent.n_addrtype = AF_INET;
+ pvt->netent.n_aliases = pvt->aliases;
+ pvt->aliases[0] = NULL;
+ pvt->netent.n_net = tmp;
+
+ return (&pvt->netent);
+}
+
+static struct netent *
+nw_to_net(struct nwent *nwent, struct net_data *net_data) {
+ struct pvt *pvt;
+ u_long addr = 0;
+ int i;
+ int msbyte;
+
+ if (!nwent || nwent->n_addrtype != AF_INET)
+ return (NULL);
+ freepvt(net_data);
+ net_data->nw_data = malloc(sizeof (struct pvt));
+ if (!net_data->nw_data) {
+ errno = ENOMEM;
+ RES_SET_H_ERRNO(net_data->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ pvt = net_data->nw_data;
+ pvt->netent.n_name = nwent->n_name;
+ pvt->netent.n_aliases = nwent->n_aliases;
+ pvt->netent.n_addrtype = nwent->n_addrtype;
+
+/*
+ * What this code does: Converts net addresses from network to host form.
+ *
+ * msbyte: the index of the most significant byte in the n_addr array.
+ *
+ * Shift bytes in significant order into addr. When all signicant
+ * bytes are in, zero out bits in the LSB that are not part of the network.
+ */
+ msbyte = nwent->n_length / 8 +
+ ((nwent->n_length % 8) != 0 ? 1 : 0) - 1;
+ for (i = 0; i <= msbyte; i++)
+ addr = (addr << 8) | ((unsigned char *)nwent->n_addr)[i];
+ i = (32 - nwent->n_length) % 8;
+ if (i != 0)
+ addr &= ~((1 << (i + 1)) - 1);
+ pvt->netent.n_net = addr;
+ return (&pvt->netent);
+}
+
+#endif /*__BIND_NOSTATIC*/
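Review bot: In nw_to_net() the final mask looks one bit too wide. `i = (32 - nwent->n_length) % 8` is the number of unused low bits in the last byte, but `addr &= ~((1 << (i + 1)) - 1)` clears i + 1 bits, so for a prefix length of 23 the lowest network bit is cleared as well; `addr &= ~((1UL << i) - 1)` would match the comment above the computation. n_length is also used unchecked: a value above 32 makes the loop read more than four bytes of n_addr and shift them into addr, so a guard such as `if (nwent->n_length > 32) return (NULL);` next to the n_addrtype check is worth adding. Whether the irs backends can hand over such a length is not visible in this file.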
diff --git a/contrib/bind9/lib/bind/irs/getnetent_r.c b/contrib/bind9/lib/bind/irs/getnetent_r.c
new file mode 100644
index 0000000..0b540b0
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getnetent_r.c
@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getnetent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
+ static int getnetent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <sys/param.h>
+#include <port_after.h>
+
+#ifdef NET_R_RETURN
+
+static NET_R_RETURN
+copy_netent(struct netent *, struct netent *, NET_R_COPY_ARGS);
+
+NET_R_RETURN
+getnetbyname_r(const char *name, struct netent *nptr, NET_R_ARGS) {
+ struct netent *ne = getnetbyname(name);
+#ifdef NET_R_SETANSWER
+ int n = 0;
+
+ if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = ne;
+ if (ne == NULL)
+ *h_errnop = h_errno;
+ return (n);
+#else
+ if (ne == NULL)
+ return (NET_R_BAD);
+
+ return (copy_netent(ne, nptr, NET_R_COPY));
+#endif
+}
+
+#ifndef GETNETBYADDR_ADDR_T
+#define GETNETBYADDR_ADDR_T long
+#endif
+NET_R_RETURN
+getnetbyaddr_r(GETNETBYADDR_ADDR_T addr, int type, struct netent *nptr, NET_R_ARGS) {
+ struct netent *ne = getnetbyaddr(addr, type);
+#ifdef NET_R_SETANSWER
+ int n = 0;
+
+ if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = ne;
+ if (ne == NULL)
+ *h_errnop = h_errno;
+ return (n);
+#else
+
+ if (ne == NULL)
+ return (NET_R_BAD);
+
+ return (copy_netent(ne, nptr, NET_R_COPY));
+#endif
+}
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+NET_R_RETURN
+getnetent_r(struct netent *nptr, NET_R_ARGS) {
+ struct netent *ne = getnetent();
+#ifdef NET_R_SETANSWER
+ int n = 0;
+
+ if (ne == NULL || (n = copy_netent(ne, nptr, NET_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = ne;
+ if (ne == NULL)
+ *h_errnop = h_errno;
+ return (n);
+#else
+
+ if (ne == NULL)
+ return (NET_R_BAD);
+
+ return (copy_netent(ne, nptr, NET_R_COPY));
+#endif
+}
+
+NET_R_SET_RETURN
+#ifdef NET_R_ENT_ARGS
+setnetent_r(int stay_open, NET_R_ENT_ARGS)
+#else
+setnetent_r(int stay_open)
+#endif
+{
+ setnetent(stay_open);
+#ifdef NET_R_SET_RESULT
+ return (NET_R_SET_RESULT);
+#endif
+}
+
+NET_R_END_RETURN
+#ifdef NET_R_ENT_ARGS
+endnetent_r(NET_R_ENT_ARGS)
+#else
+endnetent_r()
+#endif
+{
+ endnetent();
+ NET_R_END_RESULT(NET_R_OK);
+}
+
+/* Private */
+
+#ifndef NETENT_DATA
+static NET_R_RETURN
+copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
+ char *cp;
+ int i, n;
+ int numptr, len;
+
+ /* Find out the amount of space required to store the answer. */
+ numptr = 1; /* NULL ptr */
+ len = (char *)ALIGN(buf) - buf;
+ for (i = 0; ne->n_aliases[i]; i++, numptr++) {
+ len += strlen(ne->n_aliases[i]) + 1;
+ }
+ len += strlen(ne->n_name) + 1;
+ len += numptr * sizeof(char*);
+
+ if (len > (int)buflen) {
+ errno = ERANGE;
+ return (NET_R_BAD);
+ }
+
+ /* copy net value and type */
+ nptr->n_addrtype = ne->n_addrtype;
+ nptr->n_net = ne->n_net;
+
+ cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
+
+ /* copy official name */
+ n = strlen(ne->n_name) + 1;
+ strcpy(cp, ne->n_name);
+ nptr->n_name = cp;
+ cp += n;
+
+ /* copy aliases */
+ nptr->n_aliases = (char **)ALIGN(buf);
+ for (i = 0 ; ne->n_aliases[i]; i++) {
+ n = strlen(ne->n_aliases[i]) + 1;
+ strcpy(cp, ne->n_aliases[i]);
+ nptr->n_aliases[i] = cp;
+ cp += n;
+ }
+ nptr->n_aliases[i] = NULL;
+
+ return (NET_R_OK);
+}
+#else /* !NETENT_DATA */
+static int
+copy_netent(struct netent *ne, struct netent *nptr, NET_R_COPY_ARGS) {
+ char *cp, *eob;
+ int i, n;
+
+ /* copy net value and type */
+ nptr->n_addrtype = ne->n_addrtype;
+ nptr->n_net = ne->n_net;
+
+ /* copy official name */
+ cp = ndptr->line;
+ eob = ndptr->line + sizeof(ndptr->line);
+ if ((n = strlen(ne->n_name) + 1) < (eob - cp)) {
+ strcpy(cp, ne->n_name);
+ nptr->n_name = cp;
+ cp += n;
+ } else {
+ return (-1);
+ }
+
+ /* copy aliases */
+ i = 0;
+ nptr->n_aliases = ndptr->net_aliases;
+ while (ne->n_aliases[i] && i < (_MAXALIASES-1)) {
+ if ((n = strlen(ne->n_aliases[i]) + 1) < (eob - cp)) {
+ strcpy(cp, ne->n_aliases[i]);
+ nptr->n_aliases[i] = cp;
+ cp += n;
+ } else {
+ break;
+ }
+ i++;
+ }
+ nptr->n_aliases[i] = NULL;
+
+ return (NET_R_OK);
+}
+#endif /* !NETENT_DATA */
+#else /* NET_R_RETURN */
+ static int getnetent_r_unknown_system = 0;
+#endif /* NET_R_RETURN */
+#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
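Review bot: With NET_R_SETANSWER defined, getnetbyname_r() stores `*answerp = ne` after a successful copy_netent(), and ne is the pointer returned by the non-reentrant getnetbyname(), not the caller's nptr. The caller therefore receives a result pointer into shared storage that a later lookup can overwrite, which defeats the copy that was just made into nptr and the caller's buffer. `*answerp = nptr;` looks like the intended assignment. The same line appears in getnetbyaddr_r() and getnetent_r().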
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent.c b/contrib/bind9/lib/bind/irs/getnetgrent.c
new file mode 100644
index 0000000..b275153
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getnetgrent.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getnetgrent.c,v 1.1.2.1.4.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(__BIND_NOSTATIC)
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+/* Forward */
+
+static struct net_data *init(void);
+
+
+/* Public */
+
+#ifndef SETNETGRENT_ARGS
+#define SETNETGRENT_ARGS const char *netgroup
+#endif
+void
+setnetgrent(SETNETGRENT_ARGS) {
+ struct net_data *net_data = init();
+
+ setnetgrent_p(netgroup, net_data);
+}
+
+void
+endnetgrent(void) {
+ struct net_data *net_data = init();
+
+ endnetgrent_p(net_data);
+}
+
+#ifndef INNETGR_ARGS
+#define INNETGR_ARGS const char *netgroup, const char *host, \
+ const char *user, const char *domain
+#endif
+int
+innetgr(INNETGR_ARGS) {
+ struct net_data *net_data = init();
+
+ return (innetgr_p(netgroup, host, user, domain, net_data));
+}
+
+int
+getnetgrent(char **host, char **user, char **domain) {
+ struct net_data *net_data = init();
+ const char *ch, *cu, *cd;
+ int ret;
+
+ ret = getnetgrent_p(&ch, &cu, &cd, net_data);
+ if (ret != 1)
+ return (ret);
+
+ DE_CONST(ch, *host);
+ DE_CONST(cu, *user);
+ DE_CONST(cd, *domain);
+ return (ret);
+}
+
+/* Shared private. */
+
+void
+setnetgrent_p(const char *netgroup, struct net_data *net_data) {
+ struct irs_ng *ng;
+
+ if ((net_data != NULL) && ((ng = net_data->ng) != NULL))
+ (*ng->rewind)(ng, netgroup);
+}
+
+void
+endnetgrent_p(struct net_data *net_data) {
+ struct irs_ng *ng;
+
+ if (!net_data)
+ return;
+ if ((ng = net_data->ng) != NULL)
+ (*ng->close)(ng);
+ net_data->ng = NULL;
+}
+
+int
+innetgr_p(const char *netgroup, const char *host,
+ const char *user, const char *domain,
+ struct net_data *net_data) {
+ struct irs_ng *ng;
+
+ if (!net_data || !(ng = net_data->ng))
+ return (0);
+ return ((*ng->test)(ng, netgroup, host, user, domain));
+}
+
+int
+getnetgrent_p(const char **host, const char **user, const char **domain,
+ struct net_data *net_data ) {
+ struct irs_ng *ng;
+
+ if (!net_data || !(ng = net_data->ng))
+ return (0);
+ return ((*ng->next)(ng, host, user, domain));
+}
+
+/* Private */
+
+static struct net_data *
+init(void) {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->ng) {
+ net_data->ng = (*net_data->irs->ng_map)(net_data->irs);
+ if (!net_data->ng) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ }
+
+ return (net_data);
+}
+
+#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/getnetgrent_r.c b/contrib/bind9/lib/bind/irs/getnetgrent_r.c
new file mode 100644
index 0000000..0e2a34f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getnetgrent_r.c
@@ -0,0 +1,167 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getnetgrent_r.c,v 1.5.2.1.4.2 2004/04/13 04:59:29 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
+ static int getnetgrent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <netgroup.h>
+#include <stdlib.h>
+#include <port_after.h>
+
+#ifdef NGR_R_RETURN
+
+static NGR_R_RETURN
+copy_protoent(char **, char **, char **, const char *, const char *,
+ const char *, NGR_R_COPY_ARGS);
+
+NGR_R_RETURN
+innetgr_r(const char *netgroup, const char *host, const char *user,
+ const char *domain) {
+ char *ng, *ho, *us, *dom;
+
+ DE_CONST(netgroup, ng);
+ DE_CONST(host, ho);
+ DE_CONST(user, us);
+ DE_CONST(domain, dom);
+
+ return (innetgr(ng, ho, us, dom));
+}
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+NGR_R_RETURN
+getnetgrent_r(char **machinep, char **userp, char **domainp, NGR_R_ARGS) {
+ char *mp, *up, *dp;
+ int res = getnetgrent(&mp, &up, &dp);
+
+ if (res != 1)
+ return (res);
+
+ return (copy_protoent(machinep, userp, domainp,
+ mp, up, dp, NGR_R_COPY));
+}
+
+NGR_R_SET_RETURN
+#ifdef NGR_R_ENT_ARGS
+setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS)
+#else
+setnetgrent_r(const char *netgroup)
+#endif
+{
+ char *tmp;
+ DE_CONST(netgroup, tmp);
+ setnetgrent(tmp);
+#ifdef NGR_R_PRIVATE
+ *buf = NULL;
+#endif
+#ifdef NGR_R_SET_RESULT
+ return (NGR_R_SET_RESULT);
+#endif
+}
+
+NGR_R_END_RETURN
+#ifdef NGR_R_ENT_ARGS
+endnetgrent_r(NGR_R_ENT_ARGS)
+#else
+endnetgrent_r(void)
+#endif
+{
+ endnetgrent();
+#ifdef NGR_R_PRIVATE
+ if (*buf != NULL)
+ free(*buf);
+ *buf = NULL;
+#endif
+ NGR_R_END_RESULT(NGR_R_OK);
+}
+
+/* Private */
+
+static int
+copy_protoent(char **machinep, char **userp, char **domainp,
+ const char *mp, const char *up, const char *dp,
+ NGR_R_COPY_ARGS) {
+ char *cp;
+ int n;
+ int len;
+
+ /* Find out the amount of space required to store the answer. */
+ len = 0;
+ if (mp != NULL) len += strlen(mp) + 1;
+ if (up != NULL) len += strlen(up) + 1;
+ if (dp != NULL) len += strlen(dp) + 1;
+
+#ifdef NGR_R_PRIVATE
+ free(*buf);
+ *buf = malloc(len);
+ if (*buf == NULL)
+ return(NGR_R_BAD);
+ cp = *buf;
+#else
+ if (len > (int)buflen) {
+ errno = ERANGE;
+ return (NGR_R_BAD);
+ }
+ cp = buf;
+#endif
+
+
+ if (mp != NULL) {
+ n = strlen(mp) + 1;
+ strcpy(cp, mp);
+ *machinep = cp;
+ cp += n;
+ } else
+ *machinep = NULL;
+
+ if (up != NULL) {
+ n = strlen(up) + 1;
+ strcpy(cp, up);
+ *userp = cp;
+ cp += n;
+ } else
+ *userp = NULL;
+
+ if (dp != NULL) {
+ n = strlen(dp) + 1;
+ strcpy(cp, dp);
+ *domainp = cp;
+ cp += n;
+ } else
+ *domainp = NULL;
+
+ return (NGR_R_OK);
+}
+#else /* NGR_R_RETURN */
+ static int getnetgrent_r_unknown_system = 0;
+#endif /* NGR_R_RETURN */
+#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
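Review bot: Under NGR_R_PRIVATE, copy_protoent() calls `malloc(len)` with len equal to 0 when mp, up and dp are all NULL, and malloc(0) may return NULL, so the function would return NGR_R_BAD although nothing failed. Allocating `len ? len : 1` avoids that; whether getnetgrent() can return 1 with all three fields NULL is not visible here. The definition is also declared `static int` while its prototype says `static NGR_R_RETURN`, which only compiles if that macro expands to int, so the definition should use `static NGR_R_RETURN` as well. The helper's name, copy_protoent, does not describe the netgroup triple it copies.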
diff --git a/contrib/bind9/lib/bind/irs/getprotoent.c b/contrib/bind9/lib/bind/irs/getprotoent.c
new file mode 100644
index 0000000..145062f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getprotoent.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: getprotoent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(__BIND_NOSTATIC)
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+/* Forward */
+
+static struct net_data *init(void);
+
+/* Public */
+
+struct protoent *
+getprotoent() {
+ struct net_data *net_data = init();
+
+ return (getprotoent_p(net_data));
+}
+
+struct protoent *
+getprotobyname(const char *name) {
+ struct net_data *net_data = init();
+
+ return (getprotobyname_p(name, net_data));
+}
+
+struct protoent *
+getprotobynumber(int proto) {
+ struct net_data *net_data = init();
+
+ return (getprotobynumber_p(proto, net_data));
+}
+
+void
+setprotoent(int stayopen) {
+ struct net_data *net_data = init();
+
+ setprotoent_p(stayopen, net_data);
+}
+
+void
+endprotoent() {
+ struct net_data *net_data = init();
+
+ endprotoent_p(net_data);
+}
+
+/* Shared private. */
+
+struct protoent *
+getprotoent_p(struct net_data *net_data) {
+ struct irs_pr *pr;
+
+ if (!net_data || !(pr = net_data->pr))
+ return (NULL);
+ net_data->pr_last = (*pr->next)(pr);
+ return (net_data->pr_last);
+}
+
+struct protoent *
+getprotobyname_p(const char *name, struct net_data *net_data) {
+ struct irs_pr *pr;
+ char **pap;
+
+ if (!net_data || !(pr = net_data->pr))
+ return (NULL);
+ if (net_data->pr_stayopen && net_data->pr_last) {
+ if (!strcmp(net_data->pr_last->p_name, name))
+ return (net_data->pr_last);
+ for (pap = net_data->pr_last->p_aliases; pap && *pap; pap++)
+ if (!strcmp(name, *pap))
+ return (net_data->pr_last);
+ }
+ net_data->pr_last = (*pr->byname)(pr, name);
+ if (!net_data->pr_stayopen)
+ endprotoent();
+ return (net_data->pr_last);
+}
+
+struct protoent *
+getprotobynumber_p(int proto, struct net_data *net_data) {
+ struct irs_pr *pr;
+
+ if (!net_data || !(pr = net_data->pr))
+ return (NULL);
+ if (net_data->pr_stayopen && net_data->pr_last)
+ if (net_data->pr_last->p_proto == proto)
+ return (net_data->pr_last);
+ net_data->pr_last = (*pr->bynumber)(pr, proto);
+ if (!net_data->pr_stayopen)
+ endprotoent();
+ return (net_data->pr_last);
+}
+
+void
+setprotoent_p(int stayopen, struct net_data *net_data) {
+ struct irs_pr *pr;
+
+ if (!net_data || !(pr = net_data->pr))
+ return;
+ (*pr->rewind)(pr);
+ net_data->pr_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+}
+
+void
+endprotoent_p(struct net_data *net_data) {
+ struct irs_pr *pr;
+
+ if ((net_data != NULL) && ((pr = net_data->pr) != NULL))
+ (*pr->minimize)(pr);
+}
+
+/* Private */
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->pr) {
+ net_data->pr = (*net_data->irs->pr_map)(net_data->irs);
+
+ if (!net_data->pr || !net_data->res) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ (*net_data->pr->res_set)(net_data->pr, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
+
+#endif /*__BIND_NOSTATIC*/
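Review bot: getprotobyname_p() and getprotobynumber_p() receive an explicit net_data but finish with the public `endprotoent()`, which calls init() again and minimizes whatever context `net_data_init(NULL)` returns. If a caller passes a different context, that context's `pr` map is presumably left open while an unrelated one is minimized. Using the context-aware helper keeps the operation on the caller's state: `if (!net_data->pr_stayopen) endprotoent_p(net_data);`. The same pattern appears in getpwent.c (getpwnam_p and getpwuid_p call `endpwent()`) and in getservent.c (getservbyname_p calls `endservent()`). As this is a vendor import, the change belongs upstream.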
diff --git a/contrib/bind9/lib/bind/irs/getprotoent_r.c b/contrib/bind9/lib/bind/irs/getprotoent_r.c
new file mode 100644
index 0000000..96bb4e3
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getprotoent_r.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getprotoent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
+ static int getprotoent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <port_after.h>
+
+#ifdef PROTO_R_RETURN
+
+static PROTO_R_RETURN
+copy_protoent(struct protoent *, struct protoent *, PROTO_R_COPY_ARGS);
+
+PROTO_R_RETURN
+getprotobyname_r(const char *name, struct protoent *pptr, PROTO_R_ARGS) {
+ struct protoent *pe = getprotobyname(name);
+#ifdef PROTO_R_SETANSWER
+ int n = 0;
+
+ if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = pptr;
+
+ return (n);
+#else
+ if (pe == NULL)
+ return (PROTO_R_BAD);
+
+ return (copy_protoent(pe, pptr, PROTO_R_COPY));
+#endif
+}
+
+PROTO_R_RETURN
+getprotobynumber_r(int proto, struct protoent *pptr, PROTO_R_ARGS) {
+ struct protoent *pe = getprotobynumber(proto);
+#ifdef PROTO_R_SETANSWER
+ int n = 0;
+
+ if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = pptr;
+
+ return (n);
+#else
+ if (pe == NULL)
+ return (PROTO_R_BAD);
+
+ return (copy_protoent(pe, pptr, PROTO_R_COPY));
+#endif
+}
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+PROTO_R_RETURN
+getprotoent_r(struct protoent *pptr, PROTO_R_ARGS) {
+ struct protoent *pe = getprotoent();
+#ifdef PROTO_R_SETANSWER
+ int n = 0;
+
+ if (pe == NULL || (n = copy_protoent(pe, pptr, PROTO_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = pptr;
+
+ return (n);
+#else
+ if (pe == NULL)
+ return (PROTO_R_BAD);
+
+ return (copy_protoent(pe, pptr, PROTO_R_COPY));
+#endif
+}
+
+PROTO_R_SET_RETURN
+#ifdef PROTO_R_ENT_ARGS
+setprotoent_r(int stay_open, PROTO_R_ENT_ARGS)
+#else
+setprotoent_r(int stay_open)
+#endif
+{
+ setprotoent(stay_open);
+#ifdef PROTO_R_SET_RESULT
+ return (PROTO_R_SET_RESULT);
+#endif
+}
+
+PROTO_R_END_RETURN
+#ifdef PROTO_R_ENT_ARGS
+endprotoent_r(PROTO_R_ENT_ARGS)
+#else
+endprotoent_r()
+#endif
+{
+ endprotoent();
+ PROTO_R_END_RESULT(PROTO_R_OK);
+}
+
+/* Private */
+
+#ifndef PROTOENT_DATA
+static PROTO_R_RETURN
+copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
+ char *cp;
+ int i, n;
+ int numptr, len;
+
+ /* Find out the amount of space required to store the answer. */
+ numptr = 1; /* NULL ptr */
+ len = (char *)ALIGN(buf) - buf;
+ for (i = 0; pe->p_aliases[i]; i++, numptr++) {
+ len += strlen(pe->p_aliases[i]) + 1;
+ }
+ len += strlen(pe->p_name) + 1;
+ len += numptr * sizeof(char*);
+
+ if (len > (int)buflen) {
+ errno = ERANGE;
+ return (PROTO_R_BAD);
+ }
+
+ /* copy protocol value*/
+ pptr->p_proto = pe->p_proto;
+
+ cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
+
+ /* copy official name */
+ n = strlen(pe->p_name) + 1;
+ strcpy(cp, pe->p_name);
+ pptr->p_name = cp;
+ cp += n;
+
+ /* copy aliases */
+ pptr->p_aliases = (char **)ALIGN(buf);
+ for (i = 0 ; pe->p_aliases[i]; i++) {
+ n = strlen(pe->p_aliases[i]) + 1;
+ strcpy(cp, pe->p_aliases[i]);
+ pptr->p_aliases[i] = cp;
+ cp += n;
+ }
+ pptr->p_aliases[i] = NULL;
+
+ return (PROTO_R_OK);
+}
+#else /* !PROTOENT_DATA */
+static int
+copy_protoent(struct protoent *pe, struct protoent *pptr, PROTO_R_COPY_ARGS) {
+ char *cp, *eob;
+ int i, n;
+
+ /* copy protocol value */
+ pptr->p_proto = pe->p_proto;
+
+ /* copy official name */
+ cp = pdptr->line;
+ eob = pdptr->line + sizeof(pdptr->line);
+ if ((n = strlen(pe->p_name) + 1) < (eob - cp)) {
+ strcpy(cp, pe->p_name);
+ pptr->p_name = cp;
+ cp += n;
+ } else {
+ return (-1);
+ }
+
+ /* copy aliases */
+ i = 0;
+ pptr->p_aliases = pdptr->proto_aliases;
+ while (pe->p_aliases[i] && i < (_MAXALIASES-1)) {
+ if ((n = strlen(pe->p_aliases[i]) + 1) < (eob - cp)) {
+ strcpy(cp, pe->p_aliases[i]);
+ pptr->p_aliases[i] = cp;
+ cp += n;
+ } else {
+ break;
+ }
+ i++;
+ }
+ pptr->p_aliases[i] = NULL;
+
+ return (PROTO_R_OK);
+}
+#endif /* PROTOENT_DATA */
+#else /* PROTO_R_RETURN */
+ static int getprotoent_r_unknown_system = 0;
+#endif /* PROTO_R_RETURN */
+#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
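Review bot: Both copy_protoent() variants index `pe->p_aliases[i]` without first checking that `pe->p_aliases` is non-NULL. getprotobyname_p() in getprotoent.c guards the same field with `pap && *pap`, so a NULL alias vector is evidently considered possible. If a backend can return one, the sizing loop dereferences NULL before the ERANGE check runs. A guard such as `for (i = 0; pe->p_aliases != NULL && pe->p_aliases[i]; i++, numptr++)` in the sizing loop, repeated in the copy loop, would match the non-reentrant code. copy_servent() in getservent_r.c treats `se->s_aliases` the same way.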
diff --git a/contrib/bind9/lib/bind/irs/getpwent.c b/contrib/bind9/lib/bind/irs/getpwent.c
new file mode 100644
index 0000000..10c237e
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getpwent.c
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: getpwent.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(WANT_IRS_PW) || defined(__BIND_NOSTATIC)
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+/* Forward */
+
+static struct net_data * init(void);
+
+/* Public */
+
+struct passwd *
+getpwent(void) {
+ struct net_data *net_data = init();
+
+ return (getpwent_p(net_data));
+}
+
+struct passwd *
+getpwnam(const char *name) {
+ struct net_data *net_data = init();
+
+ return (getpwnam_p(name, net_data));
+}
+
+struct passwd *
+getpwuid(uid_t uid) {
+ struct net_data *net_data = init();
+
+ return (getpwuid_p(uid, net_data));
+}
+
+int
+setpassent(int stayopen) {
+ struct net_data *net_data = init();
+
+ return (setpassent_p(stayopen, net_data));
+}
+
+#ifdef SETPWENT_VOID
+void
+setpwent() {
+ struct net_data *net_data = init();
+
+ setpwent_p(net_data);
+}
+#else
+int
+setpwent() {
+ struct net_data *net_data = init();
+
+ return (setpwent_p(net_data));
+}
+#endif
+
+void
+endpwent() {
+ struct net_data *net_data = init();
+
+ endpwent_p(net_data);
+}
+
+/* Shared private. */
+
+struct passwd *
+getpwent_p(struct net_data *net_data) {
+ struct irs_pw *pw;
+
+ if (!net_data || !(pw = net_data->pw))
+ return (NULL);
+ net_data->pw_last = (*pw->next)(pw);
+ return (net_data->pw_last);
+}
+
+struct passwd *
+getpwnam_p(const char *name, struct net_data *net_data) {
+ struct irs_pw *pw;
+
+ if (!net_data || !(pw = net_data->pw))
+ return (NULL);
+ if (net_data->pw_stayopen && net_data->pw_last &&
+ !strcmp(net_data->pw_last->pw_name, name))
+ return (net_data->pw_last);
+ net_data->pw_last = (*pw->byname)(pw, name);
+ if (!net_data->pw_stayopen)
+ endpwent();
+ return (net_data->pw_last);
+}
+
+struct passwd *
+getpwuid_p(uid_t uid, struct net_data *net_data) {
+ struct irs_pw *pw;
+
+ if (!net_data || !(pw = net_data->pw))
+ return (NULL);
+ if (net_data->pw_stayopen && net_data->pw_last &&
+ net_data->pw_last->pw_uid == uid)
+ return (net_data->pw_last);
+ net_data->pw_last = (*pw->byuid)(pw, uid);
+ if (!net_data->pw_stayopen)
+ endpwent();
+ return (net_data->pw_last);
+}
+
+int
+setpassent_p(int stayopen, struct net_data *net_data) {
+ struct irs_pw *pw;
+
+ if (!net_data || !(pw = net_data->pw))
+ return (0);
+ (*pw->rewind)(pw);
+ net_data->pw_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+ return (1);
+}
+
+#ifdef SETPWENT_VOID
+void
+setpwent_p(struct net_data *net_data) {
+ (void) setpassent_p(0, net_data);
+}
+#else
+int
+setpwent_p(struct net_data *net_data) {
+ return (setpassent_p(0, net_data));
+}
+#endif
+
+void
+endpwent_p(struct net_data *net_data) {
+ struct irs_pw *pw;
+
+ if ((net_data != NULL) && ((pw = net_data->pw) != NULL))
+ (*pw->minimize)(pw);
+}
+
+/* Private */
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->pw) {
+ net_data->pw = (*net_data->irs->pw_map)(net_data->irs);
+
+ if (!net_data->pw || !net_data->res) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ (*net_data->pw->res_set)(net_data->pw, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
+
+#endif /* WANT_IRS_PW */
diff --git a/contrib/bind9/lib/bind/irs/getpwent_r.c b/contrib/bind9/lib/bind/irs/getpwent_r.c
new file mode 100644
index 0000000..689f677
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getpwent_r.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getpwent_r.c,v 1.5.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS) || !defined(WANT_IRS_PW)
+ static int getpwent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#if (defined(POSIX_GETPWNAM_R) || defined(POSIX_GETPWUID_R))
+#if defined(_POSIX_PTHREAD_SEMANTICS)
+ /* turn off solaris remapping in <grp.h> */
+#undef _POSIX_PTHREAD_SEMANTICS
+#include <pwd.h>
+#define _POSIX_PTHREAD_SEMANTICS 1
+#else
+#define _UNIX95 1
+#include <pwd.h>
+#endif
+#else
+#include <pwd.h>
+#endif
+#include <port_after.h>
+
+#ifdef PASS_R_RETURN
+
+static int
+copy_passwd(struct passwd *, struct passwd *, char *buf, int buflen);
+
+/* POSIX 1003.1c */
+#ifdef POSIX_GETPWNAM_R
+int
+__posix_getpwnam_r(const char *login, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result) {
+#else
+int
+getpwnam_r(const char *login, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result) {
+#endif
+ struct passwd *pw = getpwnam(login);
+ int res;
+
+ if (pw == NULL) {
+ *result = NULL;
+ return (0);
+ }
+
+ res = copy_passwd(pw, pwptr, buf, buflen);
+ *result = res ? NULL : pwptr;
+ return (res);
+}
+
+#ifdef POSIX_GETPWNAM_R
+struct passwd *
+getpwnam_r(const char *login, struct passwd *pwptr, char *buf, int buflen) {
+ struct passwd *pw = getpwnam(login);
+ int res;
+
+ if (pw == NULL)
+ return (NULL);
+
+ res = copy_passwd(pw, pwptr, buf, buflen);
+ return (res ? NULL : pwptr);
+}
+#endif
+
+/* POSIX 1003.1c */
+#ifdef POSIX_GETPWUID_R
+int
+__posix_getpwuid_r(uid_t uid, struct passwd *pwptr,
+ char *buf, int buflen, struct passwd **result) {
+#else
+int
+getpwuid_r(uid_t uid, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result) {
+#endif
+ struct passwd *pw = getpwuid(uid);
+ int res;
+
+ if (pw == NULL) {
+ *result = NULL;
+ return (0);
+ }
+
+ res = copy_passwd(pw, pwptr, buf, buflen);
+ *result = res ? NULL : pwptr;
+ return (res);
+}
+
+#ifdef POSIX_GETPWUID_R
+struct passwd *
+getpwuid_r(uid_t uid, struct passwd *pwptr, char *buf, int buflen) {
+ struct passwd *pw = getpwuid(uid);
+ int res;
+
+ if (pw == NULL)
+ return (NULL);
+
+ res = copy_passwd(pw, pwptr, buf, buflen);
+ return (res ? NULL : pwptr);
+}
+#endif
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+PASS_R_RETURN
+getpwent_r(struct passwd *pwptr, PASS_R_ARGS) {
+ struct passwd *pw = getpwent();
+ int res;
+
+ if (pw == NULL)
+ return (PASS_R_BAD);
+
+ res = copy_passwd(pw, pwptr, buf, buflen);
+ return (res ? PASS_R_BAD : PASS_R_OK);
+}
+
+PASS_R_SET_RETURN
+#ifdef PASS_R_ENT_ARGS
+setpassent_r(int stayopen, PASS_R_ENT_ARGS)
+#else
+setpassent_r(int stayopen)
+#endif
+{
+
+ setpassent(stayopen);
+#ifdef PASS_R_SET_RESULT
+ return (PASS_R_SET_RESULT);
+#endif
+}
+
+PASS_R_SET_RETURN
+#ifdef PASS_R_ENT_ARGS
+setpwent_r(PASS_R_ENT_ARGS)
+#else
+setpwent_r(void)
+#endif
+{
+
+ setpwent();
+#ifdef PASS_R_SET_RESULT
+ return (PASS_R_SET_RESULT);
+#endif
+}
+
+PASS_R_END_RETURN
+#ifdef PASS_R_ENT_ARGS
+endpwent_r(PASS_R_ENT_ARGS)
+#else
+endpwent_r(void)
+#endif
+{
+
+ endpwent();
+ PASS_R_END_RESULT(PASS_R_OK);
+}
+
+
+#ifdef HAS_FGETPWENT
+PASS_R_RETURN
+fgetpwent_r(FILE *f, struct passwd *pwptr, PASS_R_COPY_ARGS) {
+ struct passwd *pw = fgetpwent(f);
+ int res;
+
+ if (pw == NULL)
+ return (PASS_R_BAD);
+
+ res = copy_passwd(pw, pwptr, PASS_R_COPY);
+ return (res ? PASS_R_BAD : PASS_R_OK );
+}
+#endif
+
+/* Private */
+
+static int
+copy_passwd(struct passwd *pw, struct passwd *pwptr, char *buf, int buflen) {
+ char *cp;
+ int n;
+ int len;
+
+ /* Find out the amount of space required to store the answer. */
+ len = strlen(pw->pw_name) + 1;
+ len += strlen(pw->pw_passwd) + 1;
+#ifdef HAVE_PW_CLASS
+ len += strlen(pw->pw_class) + 1;
+#endif
+ len += strlen(pw->pw_gecos) + 1;
+ len += strlen(pw->pw_dir) + 1;
+ len += strlen(pw->pw_shell) + 1;
+
+ if (len > buflen) {
+ errno = ERANGE;
+ return (ERANGE);
+ }
+
+ /* copy fixed atomic values*/
+ pwptr->pw_uid = pw->pw_uid;
+ pwptr->pw_gid = pw->pw_gid;
+#ifdef HAVE_PW_CHANGE
+ pwptr->pw_change = pw->pw_change;
+#endif
+#ifdef HAVE_PW_EXPIRE
+ pwptr->pw_expire = pw->pw_expire;
+#endif
+
+ cp = buf;
+
+ /* copy official name */
+ n = strlen(pw->pw_name) + 1;
+ strcpy(cp, pw->pw_name);
+ pwptr->pw_name = cp;
+ cp += n;
+
+ /* copy password */
+ n = strlen(pw->pw_passwd) + 1;
+ strcpy(cp, pw->pw_passwd);
+ pwptr->pw_passwd = cp;
+ cp += n;
+
+#ifdef HAVE_PW_CLASS
+ /* copy class */
+ n = strlen(pw->pw_class) + 1;
+ strcpy(cp, pw->pw_class);
+ pwptr->pw_class = cp;
+ cp += n;
+#endif
+
+ /* copy gecos */
+ n = strlen(pw->pw_gecos) + 1;
+ strcpy(cp, pw->pw_gecos);
+ pwptr->pw_gecos = cp;
+ cp += n;
+
+ /* copy directory */
+ n = strlen(pw->pw_dir) + 1;
+ strcpy(cp, pw->pw_dir);
+ pwptr->pw_dir = cp;
+ cp += n;
+
+ /* copy login shell */
+ n = strlen(pw->pw_shell) + 1;
+ strcpy(cp, pw->pw_shell);
+ pwptr->pw_shell = cp;
+ cp += n;
+
+ return (0);
+}
+#else /* PASS_R_RETURN */
+ static int getpwent_r_unknown_system = 0;
+#endif /* PASS_R_RETURN */
+#endif /* !def(_REENTRANT) || !def(DO_PTHREADS) || !def(WANT_IRS_PW) */
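Review bot: getpwnam_r() and getpwuid_r() (and the `__posix_` variants) return 0 with `*result = NULL` whenever the underlying lookup returns NULL, so a backend failure is indistinguishable from "no such user". init() in getpwent.c sets `errno = EIO` when the context cannot be set up, and that value is dropped here; a caller making an access decision on "user does not exist" would see it on an I/O error too. Assuming the backends leave errno at 0 on a plain miss, clearing errno before the call and using `if (pw == NULL) { *result = NULL; return (errno); }` would preserve the distinction. Separately, `__posix_getpwuid_r` declares `int buflen` while `__posix_getpwnam_r` declares `size_t buflen`, and copy_passwd() takes `int buflen`, so a size above INT_MAX is narrowed before the `len > buflen` check; making all three `size_t` would remove the conversion.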
diff --git a/contrib/bind9/lib/bind/irs/getservent.c b/contrib/bind9/lib/bind/irs/getservent.c
new file mode 100644
index 0000000..a13e36f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getservent.c
@@ -0,0 +1,177 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: getservent.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(__BIND_NOSTATIC)
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+
+/* Forward */
+
+static struct net_data *init(void);
+
+/* Public */
+
+struct servent *
+getservent(void) {
+ struct net_data *net_data = init();
+
+ return (getservent_p(net_data));
+}
+
+struct servent *
+getservbyname(const char *name, const char *proto) {
+ struct net_data *net_data = init();
+
+ return (getservbyname_p(name, proto, net_data));
+}
+
+struct servent *
+getservbyport(int port, const char *proto) {
+ struct net_data *net_data = init();
+
+ return (getservbyport_p(port, proto, net_data));
+}
+
+void
+setservent(int stayopen) {
+ struct net_data *net_data = init();
+
+ setservent_p(stayopen, net_data);
+}
+
+void
+endservent() {
+ struct net_data *net_data = init();
+
+ endservent_p(net_data);
+}
+
+/* Shared private. */
+
+struct servent *
+getservent_p(struct net_data *net_data) {
+ struct irs_sv *sv;
+
+ if (!net_data || !(sv = net_data->sv))
+ return (NULL);
+ net_data->sv_last = (*sv->next)(sv);
+ return (net_data->sv_last);
+}
+
+struct servent *
+getservbyname_p(const char *name, const char *proto,
+ struct net_data *net_data) {
+ struct irs_sv *sv;
+ char **sap;
+
+ if (!net_data || !(sv = net_data->sv))
+ return (NULL);
+ if (net_data->sv_stayopen && net_data->sv_last)
+ if (!proto || !strcmp(net_data->sv_last->s_proto, proto)) {
+ if (!strcmp(net_data->sv_last->s_name, name))
+ return (net_data->sv_last);
+ for (sap = net_data->sv_last->s_aliases;
+ sap && *sap; sap++)
+ if (!strcmp(name, *sap))
+ return (net_data->sv_last);
+ }
+ net_data->sv_last = (*sv->byname)(sv, name, proto);
+ if (!net_data->sv_stayopen)
+ endservent();
+ return (net_data->sv_last);
+}
+
+struct servent *
+getservbyport_p(int port, const char *proto, struct net_data *net_data) {
+ struct irs_sv *sv;
+
+ if (!net_data || !(sv = net_data->sv))
+ return (NULL);
+ if (net_data->sv_stayopen && net_data->sv_last)
+ if (port == net_data->sv_last->s_port &&
+ ( !proto ||
+ !strcmp(net_data->sv_last->s_proto, proto)))
+ return (net_data->sv_last);
+ net_data->sv_last = (*sv->byport)(sv, port, proto);
+ return (net_data->sv_last);
+}
+
+void
+setservent_p(int stayopen, struct net_data *net_data) {
+ struct irs_sv *sv;
+
+ if (!net_data || !(sv = net_data->sv))
+ return;
+ (*sv->rewind)(sv);
+ net_data->sv_stayopen = (stayopen != 0);
+ if (stayopen == 0)
+ net_data_minimize(net_data);
+}
+
+void
+endservent_p(struct net_data *net_data) {
+ struct irs_sv *sv;
+
+ if ((net_data != NULL) && ((sv = net_data->sv) != NULL))
+ (*sv->minimize)(sv);
+}
+
+/* Private */
+
+static struct net_data *
+init() {
+ struct net_data *net_data;
+
+ if (!(net_data = net_data_init(NULL)))
+ goto error;
+ if (!net_data->sv) {
+ net_data->sv = (*net_data->irs->sv_map)(net_data->irs);
+
+ if (!net_data->sv || !net_data->res) {
+ error:
+ errno = EIO;
+ return (NULL);
+ }
+ (*net_data->sv->res_set)(net_data->sv, net_data->res, NULL);
+ }
+
+ return (net_data);
+}
+
+#endif /*__BIND_NOSTATIC*/
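Review bot: getservbyport_p() never closes the map when `sv_stayopen` is 0, unlike getservbyname_p() and the by-name/by-number lookups in getprotoent.c and getpwent.c, which all end with an `if (!net_data->..._stayopen) end...ent();` step. If the omission is not intentional, the services backend stays open after every port lookup made without `setservent(1)`. Adding `if (!net_data->sv_stayopen) endservent_p(net_data);` before the final return would make the two lookups consistent. If it is deliberate, a one-line comment saying why would help the next reader.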
diff --git a/contrib/bind9/lib/bind/irs/getservent_r.c b/contrib/bind9/lib/bind/irs/getservent_r.c
new file mode 100644
index 0000000..b24f468
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/getservent_r.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: getservent_r.c,v 1.3.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <port_before.h>
+#if !defined(_REENTRANT) || !defined(DO_PTHREADS)
+ static int getservent_r_not_required = 0;
+#else
+#include <errno.h>
+#include <string.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <sys/param.h>
+#include <port_after.h>
+
+#ifdef SERV_R_RETURN
+
+static SERV_R_RETURN
+copy_servent(struct servent *, struct servent *, SERV_R_COPY_ARGS);
+
+SERV_R_RETURN
+getservbyname_r(const char *name, const char *proto,
+ struct servent *sptr, SERV_R_ARGS) {
+ struct servent *se = getservbyname(name, proto);
+#ifdef SERV_R_SETANSWER
+ int n = 0;
+
+ if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = sptr;
+
+ return (n);
+#else
+ if (se == NULL)
+ return (SERV_R_BAD);
+
+ return (copy_servent(se, sptr, SERV_R_COPY));
+#endif
+}
+
+SERV_R_RETURN
+getservbyport_r(int port, const char *proto,
+ struct servent *sptr, SERV_R_ARGS) {
+ struct servent *se = getservbyport(port, proto);
+#ifdef SERV_R_SETANSWER
+ int n = 0;
+
+ if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = sptr;
+
+ return (n);
+#else
+ if (se == NULL)
+ return (SERV_R_BAD);
+
+ return (copy_servent(se, sptr, SERV_R_COPY));
+#endif
+}
+
+/*
+ * These assume a single context is in operation per thread.
+ * If this is not the case we will need to call irs directly
+ * rather than through the base functions.
+ */
+
+SERV_R_RETURN
+getservent_r(struct servent *sptr, SERV_R_ARGS) {
+ struct servent *se = getservent();
+#ifdef SERV_R_SETANSWER
+ int n = 0;
+
+ if (se == NULL || (n = copy_servent(se, sptr, SERV_R_COPY)) != 0)
+ *answerp = NULL;
+ else
+ *answerp = sptr;
+
+ return (n);
+#else
+ if (se == NULL)
+ return (SERV_R_BAD);
+
+ return (copy_servent(se, sptr, SERV_R_COPY));
+#endif
+}
+
+SERV_R_SET_RETURN
+#ifdef SERV_R_ENT_ARGS
+setservent_r(int stay_open, SERV_R_ENT_ARGS)
+#else
+setservent_r(int stay_open)
+#endif
+{
+
+ setservent(stay_open);
+#ifdef SERV_R_SET_RESULT
+ return (SERV_R_SET_RESULT);
+#endif
+}
+
+SERV_R_END_RETURN
+#ifdef SERV_R_ENT_ARGS
+endservent_r(SERV_R_ENT_ARGS)
+#else
+endservent_r()
+#endif
+{
+
+ endservent();
+ SERV_R_END_RESULT(SERV_R_OK);
+}
+
+/* Private */
+
+#ifndef SERVENT_DATA
+static SERV_R_RETURN
+copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
+ char *cp;
+ int i, n;
+ int numptr, len;
+
+ /* Find out the amount of space required to store the answer. */
+ numptr = 1; /* NULL ptr */
+ len = (char *)ALIGN(buf) - buf;
+ for (i = 0; se->s_aliases[i]; i++, numptr++) {
+ len += strlen(se->s_aliases[i]) + 1;
+ }
+ len += strlen(se->s_name) + 1;
+ len += strlen(se->s_proto) + 1;
+ len += numptr * sizeof(char*);
+
+ if (len > (int)buflen) {
+ errno = ERANGE;
+ return (SERV_R_BAD);
+ }
+
+ /* copy port value */
+ sptr->s_port = se->s_port;
+
+ cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
+
+ /* copy official name */
+ n = strlen(se->s_name) + 1;
+ strcpy(cp, se->s_name);
+ sptr->s_name = cp;
+ cp += n;
+
+ /* copy aliases */
+ sptr->s_aliases = (char **)ALIGN(buf);
+ for (i = 0 ; se->s_aliases[i]; i++) {
+ n = strlen(se->s_aliases[i]) + 1;
+ strcpy(cp, se->s_aliases[i]);
+ sptr->s_aliases[i] = cp;
+ cp += n;
+ }
+ sptr->s_aliases[i] = NULL;
+
+ /* copy proto */
+ n = strlen(se->s_proto) + 1;
+ strcpy(cp, se->s_proto);
+ sptr->s_proto = cp;
+ cp += n;
+
+ return (SERV_R_OK);
+}
+#else /* !SERVENT_DATA */
+static int
+copy_servent(struct servent *se, struct servent *sptr, SERV_R_COPY_ARGS) {
+ char *cp, *eob;
+ int i, n;
+
+ /* copy port value */
+ sptr->s_port = se->s_port;
+
+ /* copy official name */
+ cp = ndptr->line;
+ eob = ndptr->line + sizeof(ndptr->line);
+ if ((n = strlen(se->s_name) + 1) < (eob - cp)) {
+ strcpy(cp, se->s_name);
+ sptr->s_name = cp;
+ cp += n;
+ } else {
+ return (-1);
+ }
+
+ /* copy aliases */
+ i = 0;
+ sptr->s_aliases = ndptr->serv_aliases;
+ while (se->s_aliases[i] && i < (_MAXALIASES-1)) {
+ if ((n = strlen(se->s_aliases[i]) + 1) < (eob - cp)) {
+ strcpy(cp, se->s_aliases[i]);
+ sptr->s_aliases[i] = cp;
+ cp += n;
+ } else {
+ break;
+ }
+ i++;
+ }
+ sptr->s_aliases[i] = NULL;
+
+ /* copy proto */
+ if ((n = strlen(se->s_proto) + 1) < (eob - cp)) {
+ strcpy(cp, se->s_proto);
+ sptr->s_proto = cp;
+ cp += n;
+ } else {
+ return (-1);
+ }
+
+ return (SERV_R_OK);
+}
+#endif /* !SERVENT_DATA */
+#else /*SERV_R_RETURN */
+ static int getservent_r_unknown_system = 0;
+#endif /*SERV_R_RETURN */
+#endif /* !defined(_REENTRANT) || !defined(DO_PTHREADS) */
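Review bot: In the SERVENT_DATA variant of copy_servent(), an alias that does not fit in `ndptr->line` hits `break` and the function still returns SERV_R_OK, so the caller receives a silently shortened alias list. An oversized name or proto instead returns a bare `-1` without setting errno, whereas the other variant sets `errno = ERANGE` and returns SERV_R_BAD. A caller therefore cannot tell a complete record from a truncated one, and the failure path is not reported the same way in the two builds. Setting `errno = ERANGE;` before each `return (-1);` and either failing on alias overflow or adding a comment such as `/* aliases beyond the buffer or _MAXALIASES-1 are dropped */` would make the behaviour explicit. The PROTOENT_DATA variant of copy_protoent() in getprotoent_r.c has the same shape.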
diff --git a/contrib/bind9/lib/bind/irs/hesiod.c b/contrib/bind9/lib/bind/irs/hesiod.c
new file mode 100644
index 0000000..9b0efeb
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/hesiod.c
@@ -0,0 +1,507 @@
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: hesiod.c,v 1.1.2.1.4.3 2004/05/17 07:48:56 marka Exp $";
+#endif
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
+ */
+
+/*
+ * hesiod.c --- the core portion of the hesiod resolver.
+ *
+ * This file is derived from the hesiod library from Project Athena;
+ * It has been extensively rewritten by Theodore Ts'o to have a more
+ * thread-safe interface.
+ */
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#include "pathnames.h"
+#include "hesiod.h"
+#include "hesiod_p.h"
+
+/* Forward */
+
+int hesiod_init(void **context);
+void hesiod_end(void *context);
+char * hesiod_to_bind(void *context, const char *name,
+ const char *type);
+char ** hesiod_resolve(void *context, const char *name,
+ const char *type);
+void hesiod_free_list(void *context, char **list);
+
+static int parse_config_file(struct hesiod_p *ctx, const char *filename);
+static char ** get_txt_records(struct hesiod_p *ctx, int class,
+ const char *name);
+static int init(struct hesiod_p *ctx);
+
+/* Public */
+
+/*
+ * This function is called to initialize a hesiod_p.
+ */
+int
+hesiod_init(void **context) {
+ struct hesiod_p *ctx;
+ char *cp;
+
+ ctx = malloc(sizeof(struct hesiod_p));
+ if (ctx == 0) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ ctx->LHS = NULL;
+ ctx->RHS = NULL;
+ ctx->res = NULL;
+
+ if (parse_config_file(ctx, _PATH_HESIOD_CONF) < 0) {
+#ifdef DEF_RHS
+ /*
+ * Use compiled in defaults.
+ */
+ ctx->LHS = malloc(strlen(DEF_LHS) + 1);
+ ctx->RHS = malloc(strlen(DEF_RHS) + 1);
+ if (ctx->LHS == NULL || ctx->RHS == NULL) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ strcpy(ctx->LHS, DEF_LHS); /* (checked) */
+ strcpy(ctx->RHS, DEF_RHS); /* (checked) */
+#else
+ goto cleanup;
+#endif
+ }
+ /*
+ * The default RHS can be overridden by an environment
+ * variable.
+ */
+ if ((cp = getenv("HES_DOMAIN")) != NULL) {
+ size_t RHSlen = strlen(cp) + 2;
+ if (ctx->RHS)
+ free(ctx->RHS);
+ ctx->RHS = malloc(RHSlen);
+ if (!ctx->RHS) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ if (cp[0] == '.') {
+ strcpy(ctx->RHS, cp); /* (checked) */
+ } else {
+ strcpy(ctx->RHS, "."); /* (checked) */
+ strcat(ctx->RHS, cp); /* (checked) */
+ }
+ }
+
+ /*
+ * If there is no default hesiod realm set, we return an
+ * error.
+ */
+ if (!ctx->RHS) {
+ errno = ENOEXEC;
+ goto cleanup;
+ }
+
+#if 0
+ if (res_ninit(ctx->res) < 0)
+ goto cleanup;
+#endif
+
+ *context = ctx;
+ return (0);
+
+ cleanup:
+ hesiod_end(ctx);
+ return (-1);
+}
+
+/*
+ * This function deallocates the hesiod_p
+ */
+void
+hesiod_end(void *context) {
+ struct hesiod_p *ctx = (struct hesiod_p *) context;
+ int save_errno = errno;
+
+ if (ctx->res)
+ res_nclose(ctx->res);
+ if (ctx->RHS)
+ free(ctx->RHS);
+ if (ctx->LHS)
+ free(ctx->LHS);
+ if (ctx->res && ctx->free_res)
+ (*ctx->free_res)(ctx->res);
+ free(ctx);
+ errno = save_errno;
+}
+
+/*
+ * This function takes a hesiod (name, type) and returns a DNS
+ * name which is to be resolved.
+ */
+char *
+hesiod_to_bind(void *context, const char *name, const char *type) {
+ struct hesiod_p *ctx = (struct hesiod_p *) context;
+ char *bindname;
+ char **rhs_list = NULL;
+ const char *RHS, *cp;
+
+ /* Decide what our RHS is, and set cp to the end of the actual name. */
+ if ((cp = strchr(name, '@')) != NULL) {
+ if (strchr(cp + 1, '.'))
+ RHS = cp + 1;
+ else if ((rhs_list = hesiod_resolve(context, cp + 1,
+ "rhs-extension")) != NULL)
+ RHS = *rhs_list;
+ else {
+ errno = ENOENT;
+ return (NULL);
+ }
+ } else {
+ RHS = ctx->RHS;
+ cp = name + strlen(name);
+ }
+
+ /*
+ * Allocate the space we need, including up to three periods and
+ * the terminating NUL.
+ */
+ if ((bindname = malloc((cp - name) + strlen(type) + strlen(RHS) +
+ (ctx->LHS ? strlen(ctx->LHS) : 0) + 4)) == NULL) {
+ errno = ENOMEM;
+ if (rhs_list)
+ hesiod_free_list(context, rhs_list);
+ return NULL;
+ }
+
+ /* Now put together the DNS name. */
+ memcpy(bindname, name, cp - name);
+ bindname[cp - name] = '\0';
+ strcat(bindname, ".");
+ strcat(bindname, type);
+ if (ctx->LHS) {
+ if (ctx->LHS[0] != '.')
+ strcat(bindname, ".");
+ strcat(bindname, ctx->LHS);
+ }
+ if (RHS[0] != '.')
+ strcat(bindname, ".");
+ strcat(bindname, RHS);
+
+ if (rhs_list)
+ hesiod_free_list(context, rhs_list);
+
+ return (bindname);
+}
+
+/*
+ * This is the core function. Given a hesiod (name, type), it
+ * returns an array of strings returned by the resolver.
+ */
+char **
+hesiod_resolve(void *context, const char *name, const char *type) {
+ struct hesiod_p *ctx = (struct hesiod_p *) context;
+ char *bindname = hesiod_to_bind(context, name, type);
+ char **retvec;
+
+ if (bindname == NULL)
+ return (NULL);
+ if (init(ctx) == -1) {
+ free(bindname);
+ return (NULL);
+ }
+
+ if ((retvec = get_txt_records(ctx, C_IN, bindname))) {
+ free(bindname);
+ return (retvec);
+ }
+
+ if (errno != ENOENT)
+ return (NULL);
+
+ retvec = get_txt_records(ctx, C_HS, bindname);
+ free(bindname);
+ return (retvec);
+}
+
+void
+hesiod_free_list(void *context, char **list) {
+ char **p;
+
+ UNUSED(context);
+
+ for (p = list; *p; p++)
+ free(*p);
+ free(list);
+}
+
+/*
+ * This function parses the /etc/hesiod.conf file
+ */
+static int
+parse_config_file(struct hesiod_p *ctx, const char *filename) {
+ char *key, *data, *cp, **cpp;
+ char buf[MAXDNAME+7];
+ FILE *fp;
+
+ /*
+ * Clear the existing configuration variable, just in case
+ * they're set.
+ */
+ if (ctx->RHS)
+ free(ctx->RHS);
+ if (ctx->LHS)
+ free(ctx->LHS);
+ ctx->RHS = ctx->LHS = 0;
+
+ /*
+ * Now open and parse the file...
+ */
+ if (!(fp = fopen(filename, "r")))
+ return (-1);
+
+ while (fgets(buf, sizeof(buf), fp) != NULL) {
+ cp = buf;
+ if (*cp == '#' || *cp == '\n' || *cp == '\r')
+ continue;
+ while(*cp == ' ' || *cp == '\t')
+ cp++;
+ key = cp;
+ while(*cp != ' ' && *cp != '\t' && *cp != '=')
+ cp++;
+ *cp++ = '\0';
+
+ while(*cp == ' ' || *cp == '\t' || *cp == '=')
+ cp++;
+ data = cp;
+ while(*cp != ' ' && *cp != '\n' && *cp != '\r')
+ cp++;
+ *cp++ = '\0';
+
+ if (strcmp(key, "lhs") == 0)
+ cpp = &ctx->LHS;
+ else if (strcmp(key, "rhs") == 0)
+ cpp = &ctx->RHS;
+ else
+ continue;
+
+ *cpp = malloc(strlen(data) + 1);
+ if (!*cpp) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ strcpy(*cpp, data);
+ }
+ fclose(fp);
+ return (0);
+
+ cleanup:
+ fclose(fp);
+ if (ctx->RHS)
+ free(ctx->RHS);
+ if (ctx->LHS)
+ free(ctx->LHS);
+ ctx->RHS = ctx->LHS = 0;
+ return (-1);
+}
+
+/*
+ * Given a DNS class and a DNS name, do a lookup for TXT records, and
+ * return a list of them.
+ */
+static char **
+get_txt_records(struct hesiod_p *ctx, int class, const char *name) {
+ struct {
+ int type; /* RR type */
+ int class; /* RR class */
+ int dlen; /* len of data section */
+ u_char *data; /* pointer to data */
+ } rr;
+ HEADER *hp;
+ u_char qbuf[MAX_HESRESP], abuf[MAX_HESRESP];
+ u_char *cp, *erdata, *eom;
+ char *dst, *edst, **list;
+ int ancount, qdcount;
+ int i, j, n, skip;
+
+ /*
+ * Construct the query and send it.
+ */
+ n = res_nmkquery(ctx->res, QUERY, name, class, T_TXT, NULL, 0,
+ NULL, qbuf, MAX_HESRESP);
+ if (n < 0) {
+ errno = EMSGSIZE;
+ return (NULL);
+ }
+ n = res_nsend(ctx->res, qbuf, n, abuf, MAX_HESRESP);
+ if (n < 0) {
+ errno = ECONNREFUSED;
+ return (NULL);
+ }
+ if (n < HFIXEDSZ) {
+ errno = EMSGSIZE;
+ return (NULL);
+ }
+
+ /*
+ * OK, parse the result.
+ */
+ hp = (HEADER *) abuf;
+ ancount = ntohs(hp->ancount);
+ qdcount = ntohs(hp->qdcount);
+ cp = abuf + sizeof(HEADER);
+ eom = abuf + n;
+
+ /* Skip query, trying to get to the answer section which follows. */
+ for (i = 0; i < qdcount; i++) {
+ skip = dn_skipname(cp, eom);
+ if (skip < 0 || cp + skip + QFIXEDSZ > eom) {
+ errno = EMSGSIZE;
+ return (NULL);
+ }
+ cp += skip + QFIXEDSZ;
+ }
+
+ list = malloc((ancount + 1) * sizeof(char *));
+ if (!list) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ j = 0;
+ for (i = 0; i < ancount; i++) {
+ skip = dn_skipname(cp, eom);
+ if (skip < 0) {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ cp += skip;
+ if (cp + 3 * INT16SZ + INT32SZ > eom) {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ rr.type = ns_get16(cp);
+ cp += INT16SZ;
+ rr.class = ns_get16(cp);
+ cp += INT16SZ + INT32SZ; /* skip the ttl, too */
+ rr.dlen = ns_get16(cp);
+ cp += INT16SZ;
+ if (cp + rr.dlen > eom) {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ rr.data = cp;
+ cp += rr.dlen;
+ if (rr.class != class || rr.type != T_TXT)
+ continue;
+ if (!(list[j] = malloc(rr.dlen)))
+ goto cleanup;
+ dst = list[j++];
+ edst = dst + rr.dlen;
+ erdata = rr.data + rr.dlen;
+ cp = rr.data;
+ while (cp < erdata) {
+ n = (unsigned char) *cp++;
+ if (cp + n > eom || dst + n > edst) {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ memcpy(dst, cp, n);
+ cp += n;
+ dst += n;
+ }
+ if (cp != erdata) {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ *dst = '\0';
+ }
+ list[j] = NULL;
+ if (j == 0) {
+ errno = ENOENT;
+ goto cleanup;
+ }
+ return (list);
+
+ cleanup:
+ for (i = 0; i < j; i++)
+ free(list[i]);
+ free(list);
+ return (NULL);
+}
+
+struct __res_state *
+__hesiod_res_get(void *context) {
+ struct hesiod_p *ctx = context;
+
+ if (!ctx->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (res == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ __hesiod_res_set(ctx, res, free);
+ }
+
+ return (ctx->res);
+}
+
+void
+__hesiod_res_set(void *context, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct hesiod_p *ctx = context;
+
+ if (ctx->res && ctx->free_res) {
+ res_nclose(ctx->res);
+ (*ctx->free_res)(ctx->res);
+ }
+
+ ctx->res = res;
+ ctx->free_res = free_res;
+}
+
+static int
+init(struct hesiod_p *ctx) {
+
+ if (!ctx->res && !__hesiod_res_get(ctx))
+ return (-1);
+
+ if (((ctx->res->options & RES_INIT) == 0U) &&
+ (res_ninit(ctx->res) == -1))
+ return (-1);
+
+ return (0);
+}
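Review bot: In get_txt_records a TXT record whose RDLENGTH is zero turns `malloc(rr.dlen)` into a zero-byte allocation, and the unconditional `*dst = '\0';` after the copy loop then writes one byte past it; the length is taken directly from the DNS response. Allocating with `if (!(list[j] = malloc(rr.dlen + 1)))` keeps the terminator in bounds for every record, and the existing `dst + n > edst` check can stay as it is. Separately, hesiod_resolve leaves through `if (errno != ENOENT) return (NULL);` without `free(bindname)`, so every C_IN lookup that fails for another reason leaks the name. In parse_config_file neither the key scan nor the value scan tests for `'\0'`, so a line with no delimiter, or a last line with no newline, is walked past the text fgets stored; both loops need a terminator test, and such a line should be skipped.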
diff --git a/contrib/bind9/lib/bind/irs/hesiod_p.h b/contrib/bind9/lib/bind/irs/hesiod_p.h
new file mode 100644
index 0000000..5af70a7
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/hesiod_p.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This file is primarily maintained by <tytso@mit.edu> and <ghudson@mit.edu>.
+ */
+
+/*
+ * $Id: hesiod_p.h,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $
+ */
+
+/*
+ * hesiod_p.h -- private definitions for the hesiod library
+ */
+
+#ifndef _HESIOD_P_H_INCLUDED
+#define _HESIOD_P_H_INCLUDED
+
+#define DEF_RHS ".Athena.MIT.EDU" /* Defaults if HESIOD_CONF */
+#define DEF_LHS ".ns" /* file is not */
+ /* present. */
+struct hesiod_p {
+ char * LHS; /* normally ".ns" */
+ char * RHS; /* AKA the default hesiod domain */
+ struct __res_state * res; /* resolver context */
+ void (*free_res)(void *);
+ void (*res_set)(struct hesiod_p *, struct __res_state *,
+ void (*)(void *));
+ struct __res_state * (*res_get)(struct hesiod_p *);
+};
+
+#define MAX_HESRESP 1024
+
+#endif /*_HESIOD_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/irp.c b/contrib/bind9/lib/bind/irs/irp.c
new file mode 100644
index 0000000..e5620db
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp.c
@@ -0,0 +1,592 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996, 1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: irp.c,v 1.3.2.1.10.2 2004/03/17 01:49:41 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+#include <stdarg.h>
+#include <fcntl.h>
+#include <syslog.h>
+#include <ctype.h>
+#include <unistd.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+#include <irp.h>
+
+#include "irs_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+/* Forward. */
+
+static void irp_close(struct irs_acc *);
+
+#define LINEINCR 128
+
+#if !defined(SUN_LEN)
+#define SUN_LEN(su) \
+ (sizeof (*(su)) - sizeof ((su)->sun_path) + strlen((su)->sun_path))
+#endif
+
+
+/* Public */
+
+
+/* send errors to syslog if true. */
+int irp_log_errors = 1;
+
+/*
+ * This module handles the irp module connection to irpd.
+ *
+ * The client expects a synchronous interface to functions like
+ * getpwnam(3), so we can't use the ctl_* i/o library on this end of
+ * the wire (it's used in the server).
+ */
+
+/*
+ * irs_acc *irs_irp_acc(const char *options);
+ *
+ * Initialize the irp module.
+ */
+struct irs_acc *
+irs_irp_acc(const char *options) {
+ struct irs_acc *acc;
+ struct irp_p *irp;
+
+ UNUSED(options);
+
+ if (!(acc = memget(sizeof *acc))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(acc, 0x5e, sizeof *acc);
+ if (!(irp = memget(sizeof *irp))) {
+ errno = ENOMEM;
+ free(acc);
+ return (NULL);
+ }
+ irp->inlast = 0;
+ irp->incurr = 0;
+ irp->fdCxn = -1;
+ acc->private = irp;
+
+#ifdef WANT_IRS_GR
+ acc->gr_map = irs_irp_gr;
+#else
+ acc->gr_map = NULL;
+#endif
+#ifdef WANT_IRS_PW
+ acc->pw_map = irs_irp_pw;
+#else
+ acc->pw_map = NULL;
+#endif
+ acc->sv_map = irs_irp_sv;
+ acc->pr_map = irs_irp_pr;
+ acc->ho_map = irs_irp_ho;
+ acc->nw_map = irs_irp_nw;
+ acc->ng_map = irs_irp_ng;
+ acc->close = irp_close;
+ return (acc);
+}
+
+
+int
+irs_irp_connection_setup(struct irp_p *cxndata, int *warned) {
+ if (irs_irp_is_connected(cxndata)) {
+ return (0);
+ } else if (irs_irp_connect(cxndata) != 0) {
+ if (warned != NULL && !*warned) {
+ syslog(LOG_ERR, "irpd connection failed: %m\n");
+ (*warned)++;
+ }
+
+ return (-1);
+ }
+
+ return (0);
+}
+
+
+/*
+ * int irs_irp_connect(void);
+ *
+ * Sets up the connection to the remote irpd server.
+ *
+ * Returns:
+ *
+ * 0 on success, -1 on failure.
+ *
+ */
+int
+irs_irp_connect(struct irp_p *pvt) {
+ int flags;
+ struct sockaddr *addr;
+ struct sockaddr_in iaddr;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un uaddr;
+#endif
+ long ipaddr;
+ const char *irphost;
+ int code;
+ char text[256];
+ int socklen = 0;
+
+ if (pvt->fdCxn != -1) {
+ perror("fd != 1");
+ return (-1);
+ }
+
+#ifndef NO_SOCKADDR_UN
+ memset(&uaddr, 0, sizeof uaddr);
+#endif
+ memset(&iaddr, 0, sizeof iaddr);
+
+ irphost = getenv(IRPD_HOST_ENV);
+ if (irphost == NULL) {
+ irphost = "127.0.0.1";
+ }
+
+#ifndef NO_SOCKADDR_UN
+ if (irphost[0] == '/') {
+ addr = (struct sockaddr *)&uaddr;
+ strncpy(uaddr.sun_path, irphost, sizeof uaddr.sun_path);
+ uaddr.sun_family = AF_UNIX;
+ socklen = SUN_LEN(&uaddr);
+#ifdef HAVE_SA_LEN
+ uaddr.sun_len = socklen;
+#endif
+ } else
+#endif
+ {
+ if (inet_pton(AF_INET, irphost, &ipaddr) != 1) {
+ errno = EADDRNOTAVAIL;
+ perror("inet_pton");
+ return (-1);
+ }
+
+ addr = (struct sockaddr *)&iaddr;
+ socklen = sizeof iaddr;
+#ifdef HAVE_SA_LEN
+ iaddr.sin_len = socklen;
+#endif
+ iaddr.sin_family = AF_INET;
+ iaddr.sin_port = htons(IRPD_PORT);
+ iaddr.sin_addr.s_addr = ipaddr;
+ }
+
+
+ pvt->fdCxn = socket(addr->sa_family, SOCK_STREAM, PF_UNSPEC);
+ if (pvt->fdCxn < 0) {
+ perror("socket");
+ return (-1);
+ }
+
+ if (connect(pvt->fdCxn, addr, socklen) != 0) {
+ perror("connect");
+ return (-1);
+ }
+
+ flags = fcntl(pvt->fdCxn, F_GETFL, 0);
+ if (flags < 0) {
+ close(pvt->fdCxn);
+ perror("close");
+ return (-1);
+ }
+
+#if 0
+ flags |= O_NONBLOCK;
+ if (fcntl(pvt->fdCxn, F_SETFL, flags) < 0) {
+ close(pvt->fdCxn);
+ perror("fcntl");
+ return (-1);
+ }
+#endif
+
+ code = irs_irp_read_response(pvt, text, sizeof text);
+ if (code != IRPD_WELCOME_CODE) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "Connection failed: %s", text);
+ }
+ irs_irp_disconnect(pvt);
+ return (-1);
+ }
+
+ return (0);
+}
+
+
+
+/*
+ * int irs_irp_is_connected(struct irp_p *pvt);
+ *
+ * Returns:
+ *
+ * Non-zero if streams are setup to remote.
+ *
+ */
+
+int
+irs_irp_is_connected(struct irp_p *pvt) {
+ return (pvt->fdCxn >= 0);
+}
+
+
+
+/*
+ * void
+ * irs_irp_disconnect(struct irp_p *pvt);
+ *
+ * Closes streams to remote.
+ */
+
+void
+irs_irp_disconnect(struct irp_p *pvt) {
+ if (pvt->fdCxn != -1) {
+ close(pvt->fdCxn);
+ pvt->fdCxn = -1;
+ }
+}
+
+
+
+int
+irs_irp_read_line(struct irp_p *pvt, char *buffer, int len) {
+ char *realstart = &pvt->inbuffer[0];
+ char *p, *start, *end;
+ int spare;
+ int i;
+ int buffpos = 0;
+ int left = len - 1;
+
+ while (left > 0) {
+ start = p = &pvt->inbuffer[pvt->incurr];
+ end = &pvt->inbuffer[pvt->inlast];
+
+ while (p != end && *p != '\n')
+ p++;
+
+ if (p == end) {
+ /* Found no newline so shift data down if necessary
+ * and append new data to buffer
+ */
+ if (start > realstart) {
+ memmove(realstart, start, end - start);
+ pvt->inlast = end - start;
+ start = realstart;
+ pvt->incurr = 0;
+ end = &pvt->inbuffer[pvt->inlast];
+ }
+
+ spare = sizeof (pvt->inbuffer) - pvt->inlast;
+
+ p = end;
+ i = read(pvt->fdCxn, end, spare);
+ if (i < 0) {
+ close(pvt->fdCxn);
+ pvt->fdCxn = -1;
+ return (buffpos > 0 ? buffpos : -1);
+ } else if (i == 0) {
+ return (buffpos);
+ }
+
+ end += i;
+ pvt->inlast += i;
+
+ while (p != end && *p != '\n')
+ p++;
+ }
+
+ if (p == end) {
+ /* full buffer and still no newline */
+ i = sizeof pvt->inbuffer;
+ } else {
+ /* include newline */
+ i = p - start + 1;
+ }
+
+ if (i > left)
+ i = left;
+ memcpy(buffer + buffpos, start, i);
+ pvt->incurr += i;
+ buffpos += i;
+ buffer[buffpos] = '\0';
+
+ if (p != end) {
+ left = 0;
+ } else {
+ left -= i;
+ }
+ }
+
+#if 0
+ fprintf(stderr, "read line: %s\n", buffer);
+#endif
+ return (buffpos);
+}
+
+
+
+
+
+/*
+ * int irp_read_response(struct irp_p *pvt);
+ *
+ * Returns:
+ *
+ * The number found at the beginning of the line read from
+ * FP. 0 on failure(0 is not a legal response code). The
+ * rest of the line is discarded.
+ *
+ */
+
+int
+irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen) {
+ char line[1024];
+ int code;
+ char *p;
+
+ if (irs_irp_read_line(pvt, line, sizeof line) <= 0) {
+ return (0);
+ }
+
+ p = strchr(line, '\n');
+ if (p == NULL) {
+ return (0);
+ }
+
+ if (sscanf(line, "%d", &code) != 1) {
+ code = 0;
+ } else if (text != NULL && textlen > 0U) {
+ p = line;
+ while (isspace((unsigned char)*p)) p++;
+ while (isdigit((unsigned char)*p)) p++;
+ while (isspace((unsigned char)*p)) p++;
+ strncpy(text, p, textlen - 1);
+ p[textlen - 1] = '\0';
+ }
+
+ return (code);
+}
+
+
+
+/*
+ * char *irp_read_body(struct irp_p *pvt, size_t *size);
+ *
+ * Read in the body of a response. Terminated by a line with
+ * just a dot on it. Lines should be terminated with a CR-LF
+ * sequence, but we're nt piccky if the CR is missing.
+ * No leading dot escaping is done as the protcol doesn't
+ * use leading dots anywhere.
+ *
+ * Returns:
+ *
+ * Pointer to null-terminated buffer allocated by memget.
+ * *SIZE is set to the length of the buffer.
+ *
+ */
+
+char *
+irs_irp_read_body(struct irp_p *pvt, size_t *size) {
+ char line[1024];
+ u_int linelen;
+ size_t len = LINEINCR;
+ char *buffer = memget(len);
+ int idx = 0;
+
+ for (;;) {
+ if (irs_irp_read_line(pvt, line, sizeof line) <= 0 ||
+ strchr(line, '\n') == NULL)
+ goto death;
+
+ linelen = strlen(line);
+
+ if (line[linelen - 1] != '\n')
+ goto death;
+
+ /* We're not strict about missing \r. Should we be?? */
+ if (linelen > 2 && line[linelen - 2] == '\r') {
+ line[linelen - 2] = '\n';
+ line[linelen - 1] = '\0';
+ linelen--;
+ }
+
+ if (linelen == 2 && line[0] == '.') {
+ *size = len;
+ buffer[idx] = '\0';
+
+ return (buffer);
+ }
+
+ if (linelen > (len - (idx + 1))) {
+ char *p = memget(len + LINEINCR);
+
+ if (p == NULL)
+ goto death;
+ memcpy(p, buffer, len);
+ memput(buffer, len);
+ buffer = p;
+ len += LINEINCR;
+ }
+
+ memcpy(buffer + idx, line, linelen);
+ idx += linelen;
+ }
+ death:
+ memput(buffer, len);
+ return (NULL);
+}
+
+
+/*
+ * int irs_irp_get_full_response(struct irp_p *pvt, int *code,
+ * char **body, size_t *bodylen);
+ *
+ * Gets the response to a command. If the response indicates
+ * there's a body to follow(code % 10 == 1), then the
+ * body buffer is allcoated with memget and stored in
+ * *BODY. The length of the allocated body buffer is stored
+ * in *BODY. The caller must give the body buffer back to
+ * memput when done. The results code is stored in *CODE.
+ *
+ * Returns:
+ *
+ * 0 if a result was read. -1 on some sort of failure.
+ *
+ */
+
+int
+irs_irp_get_full_response(struct irp_p *pvt, int *code, char *text,
+ size_t textlen, char **body, size_t *bodylen) {
+ int result = irs_irp_read_response(pvt, text, textlen);
+
+ *body = NULL;
+
+ if (result == 0) {
+ return (-1);
+ }
+
+ *code = result;
+
+ /* Code that matches 2xx is a good result code.
+ * Code that matches xx1 means there's a response body coming.
+ */
+ if ((result / 100) == 2 && (result % 10) == 1) {
+ *body = irs_irp_read_body(pvt, bodylen);
+ if (*body == NULL) {
+ return (-1);
+ }
+ }
+
+ return (0);
+}
+
+
+/*
+ * int irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...);
+ *
+ * Sends command to remote connected via the PVT
+ * struture. FMT and args after it are fprintf-like
+ * arguments for formatting.
+ *
+ * Returns:
+ *
+ * 0 on success, -1 on failure.
+ */
+
+int
+irs_irp_send_command(struct irp_p *pvt, const char *fmt, ...) {
+ va_list ap;
+ char buffer[1024];
+ int pos = 0;
+ int i, todo;
+
+
+ if (pvt->fdCxn < 0) {
+ return (-1);
+ }
+
+ va_start(ap, fmt);
+ todo = vsprintf(buffer, fmt, ap);
+ va_end(ap);
+ if (todo > (int)sizeof(buffer) - 3) {
+ syslog(LOG_CRIT, "memory overrun in irs_irp_send_command()");
+ exit(1);
+ }
+ strcat(buffer, "\r\n");
+ todo = strlen(buffer);
+
+ while (todo > 0) {
+ i = write(pvt->fdCxn, buffer + pos, todo);
+#if 0
+ /* XXX brister */
+ fprintf(stderr, "Wrote: \"");
+ fwrite(buffer + pos, sizeof (char), todo, stderr);
+ fprintf(stderr, "\"\n");
+#endif
+ if (i < 0) {
+ close(pvt->fdCxn);
+ pvt->fdCxn = -1;
+ return (-1);
+ }
+ todo -= i;
+ }
+
+ return (0);
+}
+
+
+/* Methods */
+
+
+
+/*
+ * void irp_close(struct irs_acc *this)
+ *
+ */
+
+static void
+irp_close(struct irs_acc *this) {
+ struct irp_p *irp = (struct irp_p *)this->private;
+
+ if (irp != NULL) {
+ irs_irp_disconnect(irp);
+ memput(irp, sizeof *irp);
+ }
+
+ memput(this, sizeof *this);
+}
+
+
+
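Review bot: irs_irp_read_body grows its buffer by a single `LINEINCR` (128 bytes) when a line does not fit, but `line` can carry up to 1023 bytes, so the following `memcpy(buffer + idx, line, linelen)` can write past the new allocation with data supplied by the irpd peer; the initial `memget(len)` result is also used without a NULL check. The growth should repeat until the line and the terminator fit, as sketched below. Two one-line fixes in the same file: irs_irp_read_response terminates the wrong buffer, `p[textlen - 1] = '\0';` should be `text[textlen - 1] = '\0';`, and irs_irp_send_command should format with `vsnprintf(buffer, sizeof(buffer) - 2, fmt, ap)` and return -1 on truncation, because the present overrun test runs only after `vsprintf` has already written to the 1024-byte stack buffer. irs_irp_connect also leaves `pvt->fdCxn` non-negative when `connect()` or `fcntl()` fails, so irs_irp_is_connected later reports an unusable descriptor as connected; calling `irs_irp_disconnect(pvt)` on those paths would reset it.

```c
	/* … unchanged: read one line, normalise CR-LF, detect the "." terminator … */

		if (linelen > (len - (idx + 1))) {
			size_t newlen = len;
			char *p;

			/* Grow in LINEINCR steps until line + NUL fits. */
			while (linelen > (newlen - (idx + 1)))
				newlen += LINEINCR;

			p = memget(newlen);
			if (p == NULL)
				goto death;
			memcpy(p, buffer, len);
			memput(buffer, len);
			buffer = p;
			len = newlen;
		}

		memcpy(buffer + idx, line, linelen);
```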
diff --git a/contrib/bind9/lib/bind/irs/irp_gr.c b/contrib/bind9/lib/bind/irs/irp_gr.c
new file mode 100644
index 0000000..f7e3a2f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_gr.c
@@ -0,0 +1,408 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright(c) 1996, 1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_gr.c,v 1.2.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <syslog.h>
+#include <sys/param.h>
+#include <sys/types.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/memcluster.h>
+#include <isc/irpmarshall.h>
+
+#include "irs_p.h"
+#include "lcl_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+
+/* Types. */
+
+/*
+ * Module for the getnetgrent(3) family to use when connected to a
+ * remote irp daemon.
+ *
+ * See irpd.c for justification of caching done here.
+ *
+ */
+
+struct pvt {
+ struct irp_p *girpdata; /* global IRP data */
+ int warned;
+ struct group group;
+};
+
+/* Forward. */
+
+static void gr_close(struct irs_gr *);
+static struct group * gr_next(struct irs_gr *);
+static struct group * gr_byname(struct irs_gr *, const char *);
+static struct group * gr_bygid(struct irs_gr *, gid_t);
+static void gr_rewind(struct irs_gr *);
+static void gr_minimize(struct irs_gr *);
+
+/* Private */
+static void free_group(struct group *gr);
+
+
+/* Public. */
+
+
+
+
+
+/*
+ * struct irs_gr * irs_irp_gr(struct irs_acc *this)
+ *
+ * Notes:
+ *
+ * Initialize the group sub-module.
+ *
+ * Notes:
+ *
+ * Module data.
+ *
+ */
+
+struct irs_gr *
+irs_irp_gr(struct irs_acc *this) {
+ struct irs_gr *gr;
+ struct pvt *pvt;
+
+ if (!(gr = memget(sizeof *gr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(gr, 0x0, sizeof *gr);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(gr, sizeof *gr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0x0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ gr->private = pvt;
+ gr->close = gr_close;
+ gr->next = gr_next;
+ gr->byname = gr_byname;
+ gr->bygid = gr_bygid;
+ gr->rewind = gr_rewind;
+ gr->list = make_group_list;
+ gr->minimize = gr_minimize;
+ return (gr);
+}
+
+/* Methods. */
+
+
+
+/*
+ * void gr_close(struct irs_gr *this)
+ *
+ * Notes:
+ *
+ * Close the sub-module.
+ *
+ */
+
+static void
+gr_close(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ gr_minimize(this);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+
+/*
+ * struct group * gr_next(struct irs_gr *this)
+ *
+ * Notes:
+ *
+ * Gets the next group out of the cached data and returns it.
+ *
+ */
+
+static struct group *
+gr_next(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct group *gr = &pvt->group;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getgrent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "getgrent failed: %s", text);
+ }
+ return (NULL);
+ }
+
+ if (code == IRPD_GETGROUP_OK) {
+ free_group(gr);
+ if (irp_unmarshall_gr(gr, body) != 0) {
+ gr = NULL;
+ }
+ } else {
+ gr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (gr);
+}
+
+
+
+
+
+/*
+ * struct group * gr_byname(struct irs_gr *this, const char *name)
+ *
+ * Notes:
+ *
+ * Gets a group by name from irpd and returns it.
+ *
+ */
+
+static struct group *
+gr_byname(struct irs_gr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct group *gr = &pvt->group;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+
+ if (gr->gr_name != NULL && strcmp(name, gr->gr_name) == 0) {
+ return (gr);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getgrnam %s", name) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETGROUP_OK) {
+ free_group(gr);
+ if (irp_unmarshall_gr(gr, body) != 0) {
+ gr = NULL;
+ }
+ } else {
+ gr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (gr);
+}
+
+
+
+
+
+/*
+ * struct group * gr_bygid(struct irs_gr *this, gid_t gid)
+ *
+ * Notes:
+ *
+ * Gets a group by gid from irpd and returns it.
+ *
+ */
+
+static struct group *
+gr_bygid(struct irs_gr *this, gid_t gid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct group *gr = &pvt->group;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (gr->gr_name != NULL && (gid_t)gr->gr_gid == gid) {
+ return (gr);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getgrgid %d", gid) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETGROUP_OK) {
+ free_group(gr);
+ if (irp_unmarshall_gr(gr, body) != 0) {
+ gr = NULL;
+ }
+ } else {
+ gr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (gr);
+}
+
+
+
+
+/*
+ * void gr_rewind(struct irs_gr *this)
+ *
+ */
+
+static void
+gr_rewind(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "setgrent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETGROUP_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setgrent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+/*
+ * void gr_minimize(struct irs_gr *this)
+ *
+ * Notes:
+ *
+ * Frees up cached data and disconnects(if necessary) from the remote.
+ *
+ */
+
+static void
+gr_minimize(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ free_group(&pvt->group);
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+/* Private. */
+
+
+
+/*
+ * static void free_group(struct group *gr);
+ *
+ * Deallocate all the memory irp_unmarshall_gr allocated.
+ *
+ */
+
+static void
+free_group(struct group *gr) {
+ char **p;
+
+ if (gr == NULL)
+ return;
+
+ if (gr->gr_name != NULL)
+ free(gr->gr_name);
+
+ if (gr->gr_passwd != NULL)
+ free(gr->gr_passwd);
+
+ for (p = gr->gr_mem ; p != NULL && *p != NULL ; p++)
+ free(*p);
+
+ if (gr->gr_mem)
+ free(gr->gr_mem);
+
+ if (p != NULL)
+ free(p);
+}
+
+
+#endif /* WANT_IRS_GR */
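Review bot: free_group ends with `if (p != NULL) free(p);`, but after the loop `p` points at the terminating slot inside `gr->gr_mem`, which the preceding statement has already released, so this frees an interior pointer or, for a group with no members, the same block a second time; that statement should be removed. The function also leaves `gr_name`, `gr_passwd` and `gr_mem` pointing at freed memory, while gr_byname and gr_bygid treat `gr->gr_name != NULL` as a cache hit and gr_close calls gr_minimize (and so free_group) again after any earlier gr_minimize. Ending the function with `gr->gr_name = NULL; gr->gr_passwd = NULL; gr->gr_mem = NULL;` makes repeated calls and the cache test safe. The file is compiled under `#ifndef WANT_IRS_PW` although its closing comment and the `acc->gr_map` assignment in irp.c use `WANT_IRS_GR`, which looks like the wrong macro.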
diff --git a/contrib/bind9/lib/bind/irs/irp_ho.c b/contrib/bind9/lib/bind/irs/irp_ho.c
new file mode 100644
index 0000000..9056612
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_ho.c
@@ -0,0 +1,429 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_ho.c,v 1.1.206.1 2004/03/09 08:33:36 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports. */
+
+#include "port_before.h"
+
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/irpmarshall.h>
+#include <isc/memcluster.h>
+
+#include "irs_p.h"
+#include "dns_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+/* Definitions. */
+
+#define MAXALIASES 35
+#define MAXADDRS 35
+#define Max(a,b) ((a) > (b) ? (a) : (b))
+
+
+struct pvt {
+ struct irp_p *girpdata;
+ int warned;
+ struct hostent host;
+};
+
+/* Forward. */
+
+static void ho_close(struct irs_ho *this);
+static struct hostent * ho_byname(struct irs_ho *this, const char *name);
+static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
+ int af);
+static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ int len, int af);
+static struct hostent * ho_next(struct irs_ho *this);
+static void ho_rewind(struct irs_ho *this);
+static void ho_minimize(struct irs_ho *this);
+
+static void free_host(struct hostent *ho);
+static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
+ const struct addrinfo *pai);
+
+/* Public. */
+
+
+
+/*
+ * struct irs_ho * irs_irp_ho(struct irs_acc *this)
+ *
+ * Notes:
+ *
+ * Initializes the irp_ho module.
+ *
+ */
+
+struct irs_ho *
+irs_irp_ho(struct irs_acc *this) {
+ struct irs_ho *ho;
+ struct pvt *pvt;
+
+ if (!(ho = memget(sizeof *ho))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ho, 0x0, sizeof *ho);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(ho, sizeof *ho);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ ho->private = pvt;
+ ho->close = ho_close;
+ ho->byname = ho_byname;
+ ho->byname2 = ho_byname2;
+ ho->byaddr = ho_byaddr;
+ ho->next = ho_next;
+ ho->rewind = ho_rewind;
+ ho->minimize = ho_minimize;
+ ho->addrinfo = ho_addrinfo;
+
+ return (ho);
+}
+
+/* Methods. */
+
+
+
+/*
+ * void ho_close(struct irs_ho *this)
+ *
+ * Notes:
+ *
+ * Closes down the module.
+ *
+ */
+
+static void
+ho_close(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ho_minimize(this);
+
+ free_host(&pvt->host);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+/*
+ * struct hostent * ho_byname(struct irs_ho *this, const char *name)
+ *
+ */
+
+static struct hostent *
+ho_byname(struct irs_ho *this, const char *name) {
+ return (ho_byname2(this, name, AF_INET));
+}
+
+
+
+
+
+/*
+ * struct hostent * ho_byname2(struct irs_ho *this, const char *name, int af)
+ *
+ */
+
+static struct hostent *
+ho_byname2(struct irs_ho *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *ho = &pvt->host;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (ho->h_name != NULL &&
+ strcmp(name, ho->h_name) == 0 &&
+ af == ho->h_addrtype) {
+ return (ho);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "gethostbyname2 %s %s",
+ name, ADDR_T_STR(af)) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETHOST_OK) {
+ free_host(ho);
+ if (irp_unmarshall_ho(ho, body) != 0) {
+ ho = NULL;
+ }
+ } else {
+ ho = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (ho);
+}
+
+
+
+/*
+ * struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ * int len, int af)
+ *
+ */
+
+static struct hostent *
+ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *ho = &pvt->host;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ char **p;
+ char paddr[MAXPADDRSIZE];
+ char text[256];
+
+ if (ho->h_name != NULL &&
+ af == ho->h_addrtype &&
+ len == ho->h_length) {
+ for (p = ho->h_addr_list ; *p != NULL ; p++) {
+ if (memcmp(*p, addr, len) == 0)
+ return (ho);
+ }
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (inet_ntop(af, addr, paddr, sizeof paddr) == NULL) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "gethostbyaddr %s %s",
+ paddr, ADDR_T_STR(af)) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETHOST_OK) {
+ free_host(ho);
+ if (irp_unmarshall_ho(ho, body) != 0) {
+ ho = NULL;
+ }
+ } else {
+ ho = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (ho);
+}
+
+
+
+
+
+/*
+ * struct hostent * ho_next(struct irs_ho *this)
+ *
+ * Notes:
+ *
+ * The implementation for gethostent(3). The first time it's
+ * called all the data is pulled from the remote(i.e. what
+ * the maximum number of gethostent(3) calls would return)
+ * and that data is cached.
+ *
+ */
+
+static struct hostent *
+ho_next(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *ho = &pvt->host;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "gethostent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETHOST_OK) {
+ free_host(ho);
+ if (irp_unmarshall_ho(ho, body) != 0) {
+ ho = NULL;
+ }
+ } else {
+ ho = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (ho);
+}
+
+
+
+
+
+/*
+ * void ho_rewind(struct irs_ho *this)
+ *
+ */
+
+static void
+ho_rewind(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "sethostent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETHOST_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "sethostent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+/*
+ * void ho_minimize(struct irs_ho *this)
+ *
+ */
+
+static void
+ho_minimize(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ free_host(&pvt->host);
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+
+
+/*
+ * void free_host(struct hostent *ho)
+ *
+ */
+
+static void
+free_host(struct hostent *ho) {
+ char **p;
+
+ if (ho == NULL) {
+ return;
+ }
+
+ if (ho->h_name != NULL)
+ free(ho->h_name);
+
+ if (ho->h_aliases != NULL) {
+ for (p = ho->h_aliases ; *p != NULL ; p++)
+ free(*p);
+ free(ho->h_aliases);
+ }
+
+ if (ho->h_addr_list != NULL) {
+ for (p = ho->h_addr_list ; *p != NULL ; p++)
+ free(*p);
+ free(ho->h_addr_list);
+ }
+}
+
+/* dummy */
+static struct addrinfo *
+ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
+{
+ UNUSED(this);
+ UNUSED(name);
+ UNUSED(pai);
+ return(NULL);
+}
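Review bot: `free_host()` releases `h_name`, `h_aliases` and `h_addr_list` but leaves the pointers in place, and `ho_close()` calls `ho_minimize()` (which already runs `free_host(&pvt->host)`) and then `free_host(&pvt->host)` again, so closing a module that holds a cached entry frees the same blocks twice. The same stale pointers are read by the cache checks at the top of `ho_byname2()` and `ho_byaddr()` on any lookup made after `ho_minimize()`. They are probably also read when `irp_unmarshall_ho()` fails after the preceding `free_host(ho)`, though its failure behaviour is not visible in this hunk. Ending `free_host()` with `memset(ho, 0, sizeof *ho);` makes the repeated call harmless and turns the cache checks into clean misses.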
diff --git a/contrib/bind9/lib/bind/irs/irp_ng.c b/contrib/bind9/lib/bind/irs/irp_ng.c
new file mode 100644
index 0000000..cf7bc7c
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_ng.c
@@ -0,0 +1,272 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996, 1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: irp_ng.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/memcluster.h>
+#include <isc/irpmarshall.h>
+
+#include "irs_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+/* Definitions */
+
+struct pvt {
+ struct irp_p *girpdata;
+ int warned;
+};
+
+
+/* Forward */
+
+static void ng_rewind(struct irs_ng *, const char*);
+static void ng_close(struct irs_ng *);
+static int ng_next(struct irs_ng *, const char **, const char **,
+ const char **);
+static int ng_test(struct irs_ng *, const char *,
+ const char *, const char *,
+ const char *);
+static void ng_minimize(struct irs_ng *);
+
+
+/* Public */
+
+
+
+/*
+ * struct irs_ng * irs_irp_ng(struct irs_acc *this)
+ *
+ * Notes:
+ *
+ * Intialize the irp netgroup module.
+ *
+ */
+
+struct irs_ng *
+irs_irp_ng(struct irs_acc *this) {
+ struct irs_ng *ng;
+ struct pvt *pvt;
+
+ if (!(ng = memget(sizeof *ng))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ng, 0x5e, sizeof *ng);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(ng, sizeof *ng);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ ng->private = pvt;
+ ng->close = ng_close;
+ ng->next = ng_next;
+ ng->test = ng_test;
+ ng->rewind = ng_rewind;
+ ng->minimize = ng_minimize;
+ return (ng);
+}
+
+/* Methods */
+
+
+
+/*
+ * void ng_close(struct irs_ng *this)
+ *
+ */
+
+static void
+ng_close(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ng_minimize(this);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+
+/*
+ * void ng_rewind(struct irs_ng *this, const char *group)
+ *
+ *
+ */
+
+static void
+ng_rewind(struct irs_ng *this, const char *group) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata,
+ "setnetgrent %s", group) != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETNETGR_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setnetgrent(%s) failed: %s",
+ group, text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+/*
+ * int ng_next(struct irs_ng *this, const char **host, const char **user,
+ * const char **domain)
+ *
+ * Notes:
+ *
+ * Get the next netgroup item from the cache.
+ *
+ */
+
+static int
+ng_next(struct irs_ng *this, const char **host, const char **user,
+ const char **domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ int code;
+ char *body = NULL;
+ size_t bodylen;
+ int rval = 0;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (0);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getnetgrent") != 0)
+ return (0);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (0);
+ }
+
+ if (code == IRPD_GETNETGR_OK) {
+ if (irp_unmarshall_ng(host, user, domain, body) == 0) {
+ rval = 1;
+ }
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (rval);
+}
+
+
+
+/*
+ * int ng_test(struct irs_ng *this, const char *name, const char *host,
+ * const char *user, const char *domain)
+ *
+ * Notes:
+ *
+ * Search for a match in a netgroup.
+ *
+ */
+
+static int
+ng_test(struct irs_ng *this, const char *name,
+ const char *host, const char *user, const char *domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *body = NULL;
+ size_t bodylen = 0;
+ int code;
+ char text[256];
+ int rval = 0;
+
+ UNUSED(name);
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (0);
+ }
+
+ if (irp_marshall_ng(host, user, domain, &body, &bodylen) != 0) {
+ return (0);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "innetgr %s", body) == 0) {
+ memput(body, bodylen);
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code == IRPD_GETNETGR_MATCHES) {
+ rval = 1;
+ }
+ }
+
+ return (rval);
+}
+
+
+
+
+/*
+ * void ng_minimize(struct irs_ng *this)
+ *
+ */
+
+static void
+ng_minimize(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+
+
+/* Private */
+
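Review bot: In `ng_test()` the buffer returned by `irp_marshall_ng()` is released only inside the success branch of `irs_irp_send_command()`, so every failed send leaks `body`. Release it unconditionally: keep the result, e.g. `int rc = irs_irp_send_command(pvt->girpdata, "innetgr %s", body);`, then call `memput(body, bodylen);`, and only then test `rc == 0` before reading the response. Separately, `name` is marked `UNUSED` and never reaches the command, so the membership test as written is not scoped to the netgroup the caller asked about. That deserves at least a comment saying whether it is intended, because callers may use the answer for access decisions.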
diff --git a/contrib/bind9/lib/bind/irs/irp_nw.c b/contrib/bind9/lib/bind/irs/irp_nw.c
new file mode 100644
index 0000000..346e5a4
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_nw.c
@@ -0,0 +1,375 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_nw.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#if 0
+
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/irpmarshall.h>
+
+#include <isc/memcluster.h>
+#include <isc/misc.h>
+
+#include "irs_p.h"
+#include "lcl_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+#define MAXALIASES 35
+#define MAXADDRSIZE 4
+
+struct pvt {
+ struct irp_p *girpdata;
+ int warned;
+ struct nwent net;
+};
+
+/* Forward */
+
+static void nw_close(struct irs_nw *);
+static struct nwent * nw_byname(struct irs_nw *, const char *, int);
+static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
+static struct nwent * nw_next(struct irs_nw *);
+static void nw_rewind(struct irs_nw *);
+static void nw_minimize(struct irs_nw *);
+
+static void free_nw(struct nwent *nw);
+
+
+/* Public */
+
+
+
+/*
+ * struct irs_nw * irs_irp_nw(struct irs_acc *this)
+ *
+ */
+
+struct irs_nw *
+irs_irp_nw(struct irs_acc *this) {
+ struct irs_nw *nw;
+ struct pvt *pvt;
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+
+ if (!(nw = memget(sizeof *nw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nw, 0x0, sizeof *nw);
+ pvt->girpdata = this->private;
+
+ nw->private = pvt;
+ nw->close = nw_close;
+ nw->byname = nw_byname;
+ nw->byaddr = nw_byaddr;
+ nw->next = nw_next;
+ nw->rewind = nw_rewind;
+ nw->minimize = nw_minimize;
+ return (nw);
+}
+
+/* Methods */
+
+
+
+/*
+ * void nw_close(struct irs_nw *this)
+ *
+ */
+
+static void
+nw_close(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nw_minimize(this);
+
+ free_nw(&pvt->net);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+
+/*
+ * struct nwent * nw_byaddr(struct irs_nw *this, void *net,
+ * int length, int type)
+ *
+ */
+
+static struct nwent *
+nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *nw = &pvt->net;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ char paddr[24]; /* bigenough for ip4 w/ cidr spec. */
+ char text[256];
+
+ if (inet_net_ntop(type, net, length, paddr, sizeof paddr) == NULL) {
+ return (NULL);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getnetbyaddr %s %s",
+ paddr, ADDR_T_STR(type)) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETNET_OK) {
+ free_nw(nw);
+ if (irp_unmarshall_nw(nw, body) != 0) {
+ nw = NULL;
+ }
+ } else {
+ nw = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (nw);
+}
+
+
+
+
+/*
+ * struct nwent * nw_byname(struct irs_nw *this, const char *name, int type)
+ *
+ */
+
+static struct nwent *
+nw_byname(struct irs_nw *this, const char *name, int type) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *nw = &pvt->net;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (nw->n_name != NULL &&
+ strcmp(name, nw->n_name) == 0 &&
+ nw->n_addrtype == type) {
+ return (nw);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getnetbyname %s", name) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETNET_OK) {
+ free_nw(nw);
+ if (irp_unmarshall_nw(nw, body) != 0) {
+ nw = NULL;
+ }
+ } else {
+ nw = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (nw);
+}
+
+
+
+
+/*
+ * void nw_rewind(struct irs_nw *this)
+ *
+ */
+
+static void
+nw_rewind(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "setnetent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETNET_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setnetent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+
+
+/*
+ * struct nwent * nw_next(struct irs_nw *this)
+ *
+ * Notes:
+ *
+ * Prepares the cache if necessary and returns the first, or
+ * next item from it.
+ */
+
+static struct nwent *
+nw_next(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *nw = &pvt->net;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getnetent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETNET_OK) {
+ free_nw(nw);
+ if (irp_unmarshall_nw(nw, body) != 0) {
+ nw = NULL;
+ }
+ } else {
+ nw = NULL;
+ }
+
+ return (nw);
+}
+
+
+
+
+
+
+/*
+ * void nw_minimize(struct irs_nw *this)
+ *
+ */
+
+static void
+nw_minimize(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+
+
+/* private. */
+
+
+
+/*
+ * static void free_passwd(struct passwd *pw);
+ *
+ * deallocate all the memory irp_unmarshall_pw allocated.
+ *
+ */
+
+static void
+free_nw(struct nwent *nw) {
+ char **p;
+
+ if (nw == NULL)
+ return;
+
+ if (nw->n_name != NULL)
+ free(nw->n_name);
+
+ if (nw->n_aliases != NULL) {
+ for (p = nw->n_aliases ; *p != NULL ; p++) {
+ free(*p);
+ }
+ free(nw->n_aliases);
+ }
+
+ if (nw->n_addr != NULL)
+ free(nw->n_addr);
+}
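Review bot: `nw_next()` never releases the response buffer: unlike `nw_byname()` and `nw_byaddr()`, it has no `memput(body, bodylen)` before `return (nw);`, so each call leaks the body handed back by `irs_irp_get_full_response()`. Declare `char *body = NULL;` and add `if (body != NULL) memput(body, bodylen);` before the return, as the other two lookups do. `free_nw()` also leaves `n_name`, `n_aliases` and `n_addr` pointing at freed memory, which the cache test at the top of `nw_byname()` would read if `irp_unmarshall_nw()` fails without resetting them (its behaviour is not visible here); clearing the struct after freeing avoids that. The header comment above `free_nw()` still names `free_passwd` and `irp_unmarshall_pw` and should name `free_nw` and `irp_unmarshall_nw`.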
diff --git a/contrib/bind9/lib/bind/irs/irp_p.h b/contrib/bind9/lib/bind/irs/irp_p.h
new file mode 100644
index 0000000..fa2858d
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_p.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irp_p.h,v 1.1.2.2.4.1 2004/03/09 08:33:37 marka Exp $
+ */
+
+#ifndef _IRP_P_H_INCLUDED
+#define _IRP_P_H_INCLUDED
+
+#include <stdio.h>
+
+struct irp_p {
+ char inbuffer[1024];
+ int inlast; /* index of one past the last char in buffer */
+ int incurr; /* index of the next char to be read from buffer */
+
+ int fdCxn;
+};
+
+/*
+ * Externs.
+ */
+
+extern struct irs_acc * irs_irp_acc __P((const char *));
+extern struct irs_gr * irs_irp_gr __P((struct irs_acc *));
+extern struct irs_pw * irs_irp_pw __P((struct irs_acc *));
+extern struct irs_sv * irs_irp_sv __P((struct irs_acc *));
+extern struct irs_pr * irs_irp_pr __P((struct irs_acc *));
+extern struct irs_ho * irs_irp_ho __P((struct irs_acc *));
+extern struct irs_nw * irs_irp_nw __P((struct irs_acc *));
+extern struct irs_ng * irs_irp_ng __P((struct irs_acc *));
+
+int irs_irp_connect(struct irp_p *pvt);
+int irs_irp_is_connected(struct irp_p *pvt);
+void irs_irp_disconnect(struct irp_p *pvt);
+int irs_irp_read_response(struct irp_p *pvt, char *text, size_t textlen);
+char *irs_irp_read_body(struct irp_p *pvt, size_t *size);
+int irs_irp_get_full_response(struct irp_p *pvt, int *code,
+ char *text, size_t textlen,
+ char **body, size_t *bodylen);
+
+extern int irp_log_errors;
+
+#endif
diff --git a/contrib/bind9/lib/bind/irs/irp_pr.c b/contrib/bind9/lib/bind/irs/irp_pr.c
new file mode 100644
index 0000000..07d739d
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_pr.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_pr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#include <syslog.h>
+#include <sys/types.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/memcluster.h>
+#include <isc/irpmarshall.h>
+
+#include "irs_p.h"
+#include "lcl_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+
+#define MAXALIASES 35
+
+/* Types */
+
+struct pvt {
+ struct irp_p *girpdata;
+ int warned;
+ struct protoent proto;
+};
+
+/* Forward */
+
+static void pr_close(struct irs_pr *);
+static struct protoent * pr_next(struct irs_pr *);
+static struct protoent * pr_byname(struct irs_pr *, const char *);
+static struct protoent * pr_bynumber(struct irs_pr *, int);
+static void pr_rewind(struct irs_pr *);
+static void pr_minimize(struct irs_pr *);
+
+static void free_proto(struct protoent *pr);
+
+/* Public */
+
+
+
+/*
+ * struct irs_pr * irs_irp_pr(struct irs_acc *this)
+ *
+ */
+
+struct irs_pr *
+irs_irp_pr(struct irs_acc *this) {
+ struct irs_pr *pr;
+ struct pvt *pvt;
+
+ if (!(pr = memget(sizeof *pr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pr, 0x0, sizeof *pr);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pr, sizeof *pr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ pr->private = pvt;
+ pr->close = pr_close;
+ pr->byname = pr_byname;
+ pr->bynumber = pr_bynumber;
+ pr->next = pr_next;
+ pr->rewind = pr_rewind;
+ pr->minimize = pr_minimize;
+ return (pr);
+}
+
+/* Methods */
+
+
+
+/*
+ * void pr_close(struct irs_pr *this)
+ *
+ */
+
+static void
+pr_close(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pr_minimize(this);
+
+ free_proto(&pvt->proto);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+/*
+ * struct protoent * pr_byname(struct irs_pr *this, const char *name)
+ *
+ */
+
+static struct protoent *
+pr_byname(struct irs_pr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct protoent *pr = &pvt->proto;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ int i;
+ char text[256];
+
+ if (pr->p_name != NULL && strcmp(name, pr->p_name) == 0) {
+ return (pr);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ i = irs_irp_send_command(pvt->girpdata, "getprotobyname %s", name);
+ if (i != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETPROTO_OK) {
+ free_proto(pr);
+ if (irp_unmarshall_pr(pr, body) != 0) {
+ pr = NULL;
+ }
+ } else {
+ pr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pr);
+}
+
+
+
+/*
+ * struct protoent * pr_bynumber(struct irs_pr *this, int proto)
+ *
+ */
+
+static struct protoent *
+pr_bynumber(struct irs_pr *this, int proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct protoent *pr = &pvt->proto;
+ char *body = NULL;
+ size_t bodylen;
+ int code;
+ int i;
+ char text[256];
+
+ if (pr->p_name != NULL && proto == pr->p_proto) {
+ return (pr);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ i = irs_irp_send_command(pvt->girpdata, "getprotobynumber %d", proto);
+ if (i != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETPROTO_OK) {
+ free_proto(pr);
+ if (irp_unmarshall_pr(pr, body) != 0) {
+ pr = NULL;
+ }
+ } else {
+ pr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pr);
+}
+
+
+
+
+/*
+ * void pr_rewind(struct irs_pr *this)
+ *
+ */
+
+static void
+pr_rewind(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "setprotoent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETPROTO_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setprotoent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+/*
+ * struct protoent * pr_next(struct irs_pr *this)
+ *
+ * Notes:
+ *
+ * Prepares the cache if necessary and returns the next item in it.
+ *
+ */
+
+static struct protoent *
+pr_next(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct protoent *pr = &pvt->proto;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getprotoent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETPROTO_OK) {
+ free_proto(pr);
+ if (irp_unmarshall_pr(pr, body) != 0) {
+ pr = NULL;
+ }
+ } else {
+ pr = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pr);
+}
+
+
+
+
+/*
+ * void pr_minimize(struct irs_pr *this)
+ *
+ */
+
+static void
+pr_minimize(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+
+
+
+
+/*
+ * static void free_proto(struct protoent *pw);
+ *
+ * Deallocate all the memory irp_unmarshall_pr allocated.
+ *
+ */
+
+static void
+free_proto(struct protoent *pr) {
+ char **p;
+
+ if (pr == NULL)
+ return;
+
+ if (pr->p_name != NULL)
+ free(pr->p_name);
+
+ for (p = pr->p_aliases ; p != NULL && *p != NULL ; p++)
+ free(*p);
+}
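Review bot: `free_proto()` frees `p_name` and each alias string but never frees the `p_aliases` array itself and never clears the fields. If `irp_unmarshall_pr()` allocates that array, as the function's own comment implies, every refresh in `pr_byname()`, `pr_bynumber()` and `pr_next()` leaks it. The stale `p_name` is then tested by the cache checks at the top of `pr_byname()` and `pr_bynumber()` whenever unmarshalling fails after `free_proto(pr)`, and `pr_bynumber()` can hand the caller a `protoent` whose pointers are already freed. Add `free(pr->p_aliases);` after the loop and finish the function with `memset(pr, 0, sizeof *pr);`.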
diff --git a/contrib/bind9/lib/bind/irs/irp_pw.c b/contrib/bind9/lib/bind/irs/irp_pw.c
new file mode 100644
index 0000000..069f588
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_pw.c
@@ -0,0 +1,358 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_pw.c,v 1.2.206.1 2004/03/09 08:33:37 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Extern */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <syslog.h>
+#include <sys/param.h>
+
+#include <db.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <utmp.h>
+#include <unistd.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/memcluster.h>
+#include <isc/irpmarshall.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "irp_p.h"
+
+
+/* Types */
+
+struct pvt {
+ struct irp_p *girpdata; /* global IRP data */
+ int warned;
+ struct passwd passwd; /* password structure */
+};
+
+/* Forward */
+
+static void pw_close(struct irs_pw *);
+static struct passwd * pw_next(struct irs_pw *);
+static struct passwd * pw_byname(struct irs_pw *, const char *);
+static struct passwd * pw_byuid(struct irs_pw *, uid_t);
+static void pw_rewind(struct irs_pw *);
+static void pw_minimize(struct irs_pw *);
+
+static void free_passwd(struct passwd *pw);
+
+/* Public */
+struct irs_pw *
+irs_irp_pw(struct irs_acc *this) {
+ struct irs_pw *pw;
+ struct pvt *pvt;
+
+ if (!(pw = memget(sizeof *pw))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pw, 0, sizeof *pw);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pw, sizeof *pw);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ pw->private = pvt;
+ pw->close = pw_close;
+ pw->next = pw_next;
+ pw->byname = pw_byname;
+ pw->byuid = pw_byuid;
+ pw->rewind = pw_rewind;
+ pw->minimize = pw_minimize;
+
+ return (pw);
+}
+
+/* Methods */
+
+
+
+/*
+ * void pw_close(struct irs_pw *this)
+ *
+ */
+
+static void
+pw_close(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pw_minimize(this);
+
+ free_passwd(&pvt->passwd);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+
+/*
+ * struct passwd * pw_next(struct irs_pw *this)
+ *
+ */
+
+static struct passwd *
+pw_next(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct passwd *pw = &pvt->passwd;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getpwent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETUSER_OK) {
+ free_passwd(pw);
+ if (irp_unmarshall_pw(pw, body) != 0) {
+ pw = NULL;
+ }
+ } else {
+ pw = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pw);
+}
+
+
+
+
+/*
+ * struct passwd * pw_byname(struct irs_pw *this, const char *name)
+ *
+ */
+
+static struct passwd *
+pw_byname(struct irs_pw *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct passwd *pw = &pvt->passwd;
+ char *body = NULL;
+ char text[256];
+ size_t bodylen;
+ int code;
+
+ if (pw->pw_name != NULL && strcmp(name, pw->pw_name) == 0) {
+ return (pw);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getpwnam %s", name) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETUSER_OK) {
+ free_passwd(pw);
+ if (irp_unmarshall_pw(pw, body) != 0) {
+ pw = NULL;
+ }
+ } else {
+ pw = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pw);
+}
+
+
+
+
+/*
+ * struct passwd * pw_byuid(struct irs_pw *this, uid_t uid)
+ *
+ */
+
+static struct passwd *
+pw_byuid(struct irs_pw *this, uid_t uid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *body;
+ char text[256];
+ size_t bodylen;
+ int code;
+ struct passwd *pw = &pvt->passwd;
+
+ if (pw->pw_name != NULL && pw->pw_uid == uid) {
+ return (pw);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getpwuid %d", uid) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETUSER_OK) {
+ free_passwd(pw);
+ if (irp_unmarshall_pw(pw, body) != 0) {
+ pw = NULL;
+ }
+ } else {
+ pw = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (pw);
+}
+
+
+
+
+/*
+ * void pw_rewind(struct irs_pw *this)
+ *
+ */
+
+static void
+pw_rewind(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "setpwent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETUSER_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setpwent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+/*
+ * void pw_minimize(struct irs_pw *this)
+ *
+ */
+
+static void
+pw_minimize(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+/* Private. */
+
+
+
+/*
+ * static void free_passwd(struct passwd *pw);
+ *
+ * Deallocate all the memory irp_unmarshall_pw allocated.
+ *
+ */
+
+static void
+free_passwd(struct passwd *pw) {
+ if (pw == NULL)
+ return;
+
+ if (pw->pw_name != NULL)
+ free(pw->pw_name);
+
+ if (pw->pw_passwd != NULL)
+ free(pw->pw_passwd);
+
+#ifdef HAVE_PW_CLASS
+ if (pw->pw_class != NULL)
+ free(pw->pw_class);
+#endif
+
+ if (pw->pw_gecos != NULL)
+ free(pw->pw_gecos);
+
+ if (pw->pw_dir != NULL)
+ free(pw->pw_dir);
+
+ if (pw->pw_shell != NULL)
+ free(pw->pw_shell);
+}
+
+#endif /* WANT_IRS_PW */
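Review bot: free_passwd() releases the strings held in `pvt->passwd` but leaves the pointers set, and pw_next, pw_byname and pw_byuid all call it before irp_unmarshall_pw(), which (in the irpmarshall.c part of this import) assigns the fields only on success. After a single record that the parser rejects, the cached struct still holds freed pointers, so the next `pw->pw_name != NULL && strcmp(name, pw->pw_name) == 0` check reads freed memory and the next free_passwd() or pw_close() frees the same blocks again. Ending free_passwd() with `memset(pw, 0, sizeof *pw);` (or setting each freed member to NULL) closes this. free_service() in irp_sv.c and free_proto() in irp_pr.c follow the same pattern and need the same change.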
diff --git a/contrib/bind9/lib/bind/irs/irp_sv.c b/contrib/bind9/lib/bind/irs/irp_sv.c
new file mode 100644
index 0000000..0c4d6a1
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irp_sv.c
@@ -0,0 +1,369 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996,1998 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irp_sv.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#ifdef IRS_LCL_SV_DB
+#include <db.h>
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <syslog.h>
+
+#include <irs.h>
+#include <irp.h>
+#include <isc/irpmarshall.h>
+#include <isc/memcluster.h>
+
+#include "irs_p.h"
+#include "lcl_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+/* Types */
+
+struct pvt {
+ struct irp_p *girpdata;
+ int warned;
+ struct servent service;
+};
+
+/* Forward */
+
+static void sv_close(struct irs_sv*);
+static struct servent * sv_next(struct irs_sv *);
+static struct servent * sv_byname(struct irs_sv *, const char *,
+ const char *);
+static struct servent * sv_byport(struct irs_sv *, int, const char *);
+static void sv_rewind(struct irs_sv *);
+static void sv_minimize(struct irs_sv *);
+
+static void free_service(struct servent *sv);
+
+
+
+/* Public */
+
+
+
+/*
+ * struct irs_sv * irs_irp_sv(struct irs_acc *this)
+ *
+ */
+
+struct irs_sv *
+irs_irp_sv(struct irs_acc *this) {
+ struct irs_sv *sv;
+ struct pvt *pvt;
+
+ if ((sv = memget(sizeof *sv)) == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(sv, 0x0, sizeof *sv);
+
+ if ((pvt = memget(sizeof *pvt)) == NULL) {
+ memput(sv, sizeof *sv);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->girpdata = this->private;
+
+ sv->private = pvt;
+ sv->close = sv_close;
+ sv->next = sv_next;
+ sv->byname = sv_byname;
+ sv->byport = sv_byport;
+ sv->rewind = sv_rewind;
+ sv->minimize = sv_minimize;
+
+ return (sv);
+}
+
+/* Methods */
+
+
+
+/*
+ * void sv_close(struct irs_sv *this)
+ *
+ */
+
+static void
+sv_close(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ sv_minimize(this);
+
+ free_service(&pvt->service);
+
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+
+
+
+/*
+ * struct servent * sv_next(struct irs_sv *this)
+ *
+ * Notes:
+ *
+ * Fills the cache if necessary and returns the next item from it.
+ *
+ */
+
+static struct servent *
+sv_next(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct servent *sv = &pvt->service;
+ char *body;
+ size_t bodylen;
+ int code;
+ char text[256];
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getservent") != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETSERVICE_OK) {
+ free_service(sv);
+ if (irp_unmarshall_sv(sv, body) != 0) {
+ sv = NULL;
+ }
+ } else {
+ sv = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (sv);
+}
+
+
+
+
+/*
+ * struct servent * sv_byname(struct irs_sv *this, const char *name,
+ * const char *proto)
+ *
+ */
+
+static struct servent *
+sv_byname(struct irs_sv *this, const char *name, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct servent *sv = &pvt->service;
+ char *body;
+ char text[256];
+ size_t bodylen;
+ int code;
+
+ if (sv->s_name != NULL &&
+ strcmp(name, sv->s_name) == 0 &&
+ strcasecmp(proto, sv->s_proto) == 0) {
+ return (sv);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getservbyname %s %s",
+ name, proto) != 0)
+ return (NULL);
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETSERVICE_OK) {
+ free_service(sv);
+ if (irp_unmarshall_sv(sv, body) != 0) {
+ sv = NULL;
+ }
+ } else {
+ sv = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (sv);
+}
+
+
+
+
+/*
+ * struct servent * sv_byport(struct irs_sv *this, int port,
+ * const char *proto)
+ *
+ */
+
+static struct servent *
+sv_byport(struct irs_sv *this, int port, const char *proto) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct servent *sv = &pvt->service;
+ char *body;
+ size_t bodylen;
+ char text[256];
+ int code;
+
+ if (sv->s_name != NULL &&
+ port == sv->s_port &&
+ strcasecmp(proto, sv->s_proto) == 0) {
+ return (sv);
+ }
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "getservbyport %d %s",
+ ntohs((short)port), proto) != 0) {
+ return (NULL);
+ }
+
+ if (irs_irp_get_full_response(pvt->girpdata, &code,
+ text, sizeof text,
+ &body, &bodylen) != 0) {
+ return (NULL);
+ }
+
+ if (code == IRPD_GETSERVICE_OK) {
+ free_service(sv);
+ if (irp_unmarshall_sv(sv, body) != 0) {
+ sv = NULL;
+ }
+ } else {
+ sv = NULL;
+ }
+
+ if (body != NULL) {
+ memput(body, bodylen);
+ }
+
+ return (sv);
+}
+
+
+
+
+
+/*
+ * void sv_rewind(struct irs_sv *this)
+ *
+ */
+
+static void
+sv_rewind(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char text[256];
+ int code;
+
+ if (irs_irp_connection_setup(pvt->girpdata, &pvt->warned) != 0) {
+ return;
+ }
+
+ if (irs_irp_send_command(pvt->girpdata, "setservent") != 0) {
+ return;
+ }
+
+ code = irs_irp_read_response(pvt->girpdata, text, sizeof text);
+ if (code != IRPD_GETSERVICE_SETOK) {
+ if (irp_log_errors) {
+ syslog(LOG_WARNING, "setservent failed: %s", text);
+ }
+ }
+
+ return;
+}
+
+
+
+
+
+/*
+ * void sv_minimize(struct irs_sv *this)
+ *
+ */
+
+static void
+sv_minimize(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ irs_irp_disconnect(pvt->girpdata);
+}
+
+
+
+
+
+
+static void
+free_service(struct servent *sv) {
+ char **p;
+
+ if (sv == NULL) {
+ return;
+ }
+
+ if (sv->s_name != NULL) {
+ free(sv->s_name);
+ }
+
+ for (p = sv->s_aliases ; p != NULL && *p != NULL ; p++) {
+ free(*p);
+ }
+
+ if (sv->s_proto != NULL) {
+ free(sv->s_proto);
+ }
+}
+
+
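Review bot: sv_byname and sv_byport hand `proto` to strcasecmp() in the cache check and then to a `%s` conversion in the request, with no NULL test; getservbyname(3) and getservbyport(3) accept a NULL protocol, and nothing in this file shows the callers filtering it out. If a NULL can reach these methods, reject it up front, e.g. `if (proto == NULL) { errno = EINVAL; return (NULL); }`, or define what the IRP request should carry in that case. Separately, free_service() frees each alias string but never the `s_aliases` vector, which appears to be allocated by splitarray() in irpmarshall.c, so every refreshed entry probably leaks it; `free(sv->s_aliases);` after the loop would cover that, assuming the vector is a single malloc'd block.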
diff --git a/contrib/bind9/lib/bind/irs/irpmarshall.c b/contrib/bind9/lib/bind/irs/irpmarshall.c
new file mode 100644
index 0000000..6d2ebd4
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irpmarshall.c
@@ -0,0 +1,2344 @@
+/*
+ * Copyright(c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: irpmarshall.c,v 1.3.206.3 2004/03/17 01:13:34 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#if 0
+
+Check values are in approrpriate endian order.
+
+Double check memory allocations on unmarhsalling
+
+#endif
+
+
+/* Extern */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <stdio.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <utmp.h>
+#include <unistd.h>
+#include <assert.h>
+#include <errno.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+#include <isc/irpmarshall.h>
+
+#include "port_after.h"
+
+
+#ifndef HAVE_STRNDUP
+static char *strndup(const char *str, size_t len);
+#endif
+
+static char **splitarray(const char *buffer, const char *buffend, char delim);
+static int joinarray(char * const * argv, char *buffer, char delim);
+static char *getfield(char **res, size_t reslen, char **buffer, char delim);
+static size_t joinlength(char * const *argv);
+static void free_array(char **argv, size_t entries);
+
+#define ADDR_T_STR(x) (x == AF_INET ? "AF_INET" :\
+ (x == AF_INET6 ? "AF_INET6" : "UNKNOWN"))
+
+#define MAXPADDRSIZE (sizeof "255.255.255.255" + 1)
+
+static char COMMA = ',';
+
+static const char *COMMASTR = ",";
+static const char *COLONSTR = ":";
+
+
+
+/* See big comment at bottom of irpmarshall.h for description. */
+
+
+#ifdef WANT_IRS_PW
+/* +++++++++++++++++++++++++ struct passwd +++++++++++++++++++++++++ */
+
+
+/*
+ * int irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * See above
+ *
+ * return:
+ *
+ * 0 on sucess, -1 on failure.
+ *
+ */
+
+int
+irp_marshall_pw(const struct passwd *pw, char **buffer, size_t *len) {
+ size_t need = 1 ; /* for null byte */
+ char pwUid[24];
+ char pwGid[24];
+ char pwChange[24];
+ char pwExpire[24];
+ const char *pwClass;
+ const char *fieldsep = COLONSTR;
+
+ if (pw == NULL || len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sprintf(pwUid, "%ld", (long)pw->pw_uid);
+ sprintf(pwGid, "%ld", (long)pw->pw_gid);
+
+#ifdef HAVE_PW_CHANGE
+ sprintf(pwChange, "%ld", (long)pw->pw_change);
+#else
+ pwChange[0] = '0';
+ pwChange[1] = '\0';
+#endif
+
+#ifdef HAVE_PW_EXPIRE
+ sprintf(pwExpire, "%ld", (long)pw->pw_expire);
+#else
+ pwExpire[0] = '0';
+ pwExpire[1] = '\0';
+#endif
+
+#ifdef HAVE_PW_CLASS
+ pwClass = pw->pw_class;
+#else
+ pwClass = "";
+#endif
+
+ need += strlen(pw->pw_name) + 1; /* one for fieldsep */
+ need += strlen(pw->pw_passwd) + 1;
+ need += strlen(pwUid) + 1;
+ need += strlen(pwGid) + 1;
+ need += strlen(pwClass) + 1;
+ need += strlen(pwChange) + 1;
+ need += strlen(pwExpire) + 1;
+ need += strlen(pw->pw_gecos) + 1;
+ need += strlen(pw->pw_dir) + 1;
+ need += strlen(pw->pw_shell) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, pw->pw_name); strcat(*buffer, fieldsep);
+ strcat(*buffer, pw->pw_passwd); strcat(*buffer, fieldsep);
+ strcat(*buffer, pwUid); strcat(*buffer, fieldsep);
+ strcat(*buffer, pwGid); strcat(*buffer, fieldsep);
+ strcat(*buffer, pwClass); strcat(*buffer, fieldsep);
+ strcat(*buffer, pwChange); strcat(*buffer, fieldsep);
+ strcat(*buffer, pwExpire); strcat(*buffer, fieldsep);
+ strcat(*buffer, pw->pw_gecos); strcat(*buffer, fieldsep);
+ strcat(*buffer, pw->pw_dir); strcat(*buffer, fieldsep);
+ strcat(*buffer, pw->pw_shell); strcat(*buffer, fieldsep);
+
+ return (0);
+}
+
+
+
+
+
+/*
+ * int irp_unmarshall_pw(struct passwd *pw, char *buffer)
+ *
+ * notes:
+ *
+ * see above
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure
+ *
+ */
+
+int
+irp_unmarshall_pw(struct passwd *pw, char *buffer) {
+ char *name, *pass, *class, *gecos, *dir, *shell;
+ uid_t pwuid;
+ gid_t pwgid;
+ time_t pwchange;
+ time_t pwexpire;
+ char *p;
+ long t;
+ char tmpbuf[24];
+ char *tb = &tmpbuf[0];
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ name = pass = class = gecos = dir = shell = NULL;
+ p = buffer;
+
+ /* pw_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0) {
+ goto error;
+ }
+
+ /* pw_passwd field */
+ pass = NULL;
+ if (getfield(&pass, 0, &p, fieldsep) == NULL) { /* field can be empty */
+ goto error;
+ }
+
+
+ /* pw_uid field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ pwuid = (uid_t)t;
+ if ((long) pwuid != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+
+ /* pw_gid field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ pwgid = (gid_t)t;
+ if ((long)pwgid != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+
+ /* pw_class field */
+ class = NULL;
+ if (getfield(&class, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+
+
+ /* pw_change field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ pwchange = (time_t)t;
+ if ((long)pwchange != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+
+ /* pw_expire field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ pwexpire = (time_t)t;
+ if ((long) pwexpire != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+
+ /* pw_gecos field */
+ gecos = NULL;
+ if (getfield(&gecos, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+
+
+ /* pw_dir field */
+ dir = NULL;
+ if (getfield(&dir, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+
+
+ /* pw_shell field */
+ shell = NULL;
+ if (getfield(&shell, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+
+
+ pw->pw_name = name;
+ pw->pw_passwd = pass;
+ pw->pw_uid = pwuid;
+ pw->pw_gid = pwgid;
+ pw->pw_gecos = gecos;
+ pw->pw_dir = dir;
+ pw->pw_shell = shell;
+
+#ifdef HAVE_PW_CHANGE
+ pw->pw_change = pwchange;
+#endif
+#ifdef HAVE_PW_CLASS
+ pw->pw_class = class;
+#endif
+#ifdef HAVE_PW_EXPIRE
+ pw->pw_expire = pwexpire;
+#endif
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ if (pass != NULL) free(pass);
+ if (gecos != NULL) free(gecos);
+ if (dir != NULL) free(dir);
+ if (shell != NULL) free(shell);
+
+ return (-1);
+}
+
+/* ------------------------- struct passwd ------------------------- */
+#endif /* WANT_IRS_PW */
+
+
+
+/* +++++++++++++++++++++++++ struct group +++++++++++++++++++++++++ */
+
+
+
+/*
+ * int irp_marshall_gr(const struct group *gr, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * see above.
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure
+ */
+
+int
+irp_marshall_gr(const struct group *gr, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char grGid[24];
+ const char *fieldsep = COLONSTR;
+
+ if (gr == NULL || len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sprintf(grGid, "%ld", (long)gr->gr_gid);
+
+ need += strlen(gr->gr_name) + 1;
+#ifndef MISSING_GR_PASSWD
+ need += strlen(gr->gr_passwd) + 1;
+#else
+ need++;
+#endif
+ need += strlen(grGid) + 1;
+ need += joinlength(gr->gr_mem) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, gr->gr_name); strcat(*buffer, fieldsep);
+#ifndef MISSING_GR_PASSWD
+ strcat(*buffer, gr->gr_passwd);
+#endif
+ strcat(*buffer, fieldsep);
+ strcat(*buffer, grGid); strcat(*buffer, fieldsep);
+ joinarray(gr->gr_mem, *buffer, COMMA) ; strcat(*buffer, fieldsep);
+
+ return (0);
+}
+
+
+
+
+/*
+ * int irp_unmarshall_gr(struct group *gr, char *buffer)
+ *
+ * notes:
+ *
+ * see above
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_unmarshall_gr(struct group *gr, char *buffer) {
+ char *p, *q;
+ gid_t grgid;
+ long t;
+ char *name = NULL;
+ char *pass = NULL;
+ char **members = NULL;
+ char tmpbuf[24];
+ char *tb;
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ if (gr == NULL || buffer == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ p = buffer;
+
+ /* gr_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* gr_passwd field */
+ pass = NULL;
+ if (getfield(&pass, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+
+ /* gr_gid field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ grgid = (gid_t)t;
+ if ((long) grgid != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+ /* gr_mem field. Member names are separated by commas */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ members = splitarray(p, q, COMMA);
+ if (members == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ gr->gr_name = name;
+#ifndef MISSING_GR_PASSWD
+ gr->gr_passwd = pass;
+#endif
+ gr->gr_gid = grgid;
+ gr->gr_mem = members;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ if (pass != NULL) free(pass);
+
+ return (-1);
+}
+
+
+/* ------------------------- struct group ------------------------- */
+
+
+
+
+/* +++++++++++++++++++++++++ struct servent +++++++++++++++++++++++++ */
+
+
+
+/*
+ * int irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * see above
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure.
+ *
+ */
+
+int
+irp_marshall_sv(const struct servent *sv, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char svPort[24];
+ const char *fieldsep = COLONSTR;
+ short realport;
+
+ if (sv == NULL || len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ /* the int s_port field is actually a short in network order. We
+ want host order to make the marshalled data look correct */
+ realport = ntohs((short)sv->s_port);
+ sprintf(svPort, "%d", realport);
+
+ need += strlen(sv->s_name) + 1;
+ need += joinlength(sv->s_aliases) + 1;
+ need += strlen(svPort) + 1;
+ need += strlen(sv->s_proto) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, sv->s_name); strcat(*buffer, fieldsep);
+ joinarray(sv->s_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
+ strcat(*buffer, svPort); strcat(*buffer, fieldsep);
+ strcat(*buffer, sv->s_proto); strcat(*buffer, fieldsep);
+
+ return (0);
+}
+
+
+
+
+
+/*
+ * int irp_unmarshall_sv(struct servent *sv, char *buffer)
+ *
+ * notes:
+ *
+ * see above
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure.
+ *
+ */
+
+int
+irp_unmarshall_sv(struct servent *sv, char *buffer) {
+ char *p, *q;
+ short svport;
+ long t;
+ char *name = NULL;
+ char *proto = NULL;
+ char **aliases = NULL;
+ char tmpbuf[24];
+ char *tb;
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ if (sv == NULL || buffer == NULL)
+ return (-1);
+
+ p = buffer;
+
+
+ /* s_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* s_aliases field */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ aliases = splitarray(p, q, COMMA);
+ if (aliases == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ /* s_port field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ svport = (short)t;
+ if ((long) svport != t) { /* value must have been too big. */
+ goto error;
+ }
+ svport = htons(svport);
+
+ /* s_proto field */
+ proto = NULL;
+ if (getfield(&proto, 0, &p, fieldsep) == NULL) {
+ goto error;
+ }
+
+ sv->s_name = name;
+ sv->s_aliases = aliases;
+ sv->s_port = svport;
+ sv->s_proto = proto;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ if (proto != NULL) free(proto);
+ free_array(aliases, 0);
+
+ return (-1);
+}
+
+
+/* ------------------------- struct servent ------------------------- */
+
+/* +++++++++++++++++++++++++ struct protoent +++++++++++++++++++++++++ */
+
+
+
+/*
+ * int irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * see above
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_marshall_pr(struct protoent *pr, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char prProto[24];
+ const char *fieldsep = COLONSTR;
+
+ if (pr == NULL || len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sprintf(prProto, "%d", (int)pr->p_proto);
+
+ need += strlen(pr->p_name) + 1;
+ need += joinlength(pr->p_aliases) + 1;
+ need += strlen(prProto) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, pr->p_name); strcat(*buffer, fieldsep);
+ joinarray(pr->p_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
+ strcat(*buffer, prProto); strcat(*buffer, fieldsep);
+
+ return (0);
+
+}
+
+
+
+/*
+ * int irp_unmarshall_pr(struct protoent *pr, char *buffer)
+ *
+ * notes:
+ *
+ * See above
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure
+ *
+ */
+
+int irp_unmarshall_pr(struct protoent *pr, char *buffer) {
+ char *p, *q;
+ int prproto;
+ long t;
+ char *name = NULL;
+ char **aliases = NULL;
+ char tmpbuf[24];
+ char *tb;
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ if (pr == NULL || buffer == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ p = buffer;
+
+ /* p_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* p_aliases field */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ aliases = splitarray(p, q, COMMA);
+ if (aliases == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ /* p_proto field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ prproto = (int)t;
+ if ((long) prproto != t) { /* value must have been too big. */
+ goto error;
+ }
+
+ pr->p_name = name;
+ pr->p_aliases = aliases;
+ pr->p_proto = prproto;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ free_array(aliases, 0);
+
+ return (-1);
+}
+
+/* ------------------------- struct protoent ------------------------- */
+
+
+
+/* +++++++++++++++++++++++++ struct hostent +++++++++++++++++++++++++ */
+
+
+/*
+ * int irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * see above.
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure.
+ *
+ */
+
+int
+irp_marshall_ho(struct hostent *ho, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char hoaddrtype[24];
+ char holength[24];
+ char **av;
+ char *p;
+ int addrlen;
+ int malloced = 0;
+ size_t remlen;
+ const char *fieldsep = "@";
+
+ if (ho == NULL || len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ switch(ho->h_addrtype) {
+ case AF_INET:
+ strcpy(hoaddrtype, "AF_INET");
+ break;
+
+ case AF_INET6:
+ strcpy(hoaddrtype, "AF_INET6");
+ break;
+
+ default:
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sprintf(holength, "%d", ho->h_length);
+
+ need += strlen(ho->h_name) + 1;
+ need += joinlength(ho->h_aliases) + 1;
+ need += strlen(hoaddrtype) + 1;
+ need += strlen(holength) + 1;
+
+ /* we determine an upper bound on the string length needed, not an
+ exact length. */
+ addrlen = (ho->h_addrtype == AF_INET ? 16 : 46) ; /* XX other AF's?? */
+ for (av = ho->h_addr_list; av != NULL && *av != NULL ; av++)
+ need += addrlen;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ malloced = 1;
+ }
+
+ strcpy(*buffer, ho->h_name); strcat(*buffer, fieldsep);
+ joinarray(ho->h_aliases, *buffer, COMMA); strcat(*buffer, fieldsep);
+ strcat(*buffer, hoaddrtype); strcat(*buffer, fieldsep);
+ strcat(*buffer, holength); strcat(*buffer, fieldsep);
+
+ p = *buffer + strlen(*buffer);
+ remlen = need - strlen(*buffer);
+ for (av = ho->h_addr_list ; av != NULL && *av != NULL ; av++) {
+ if (inet_ntop(ho->h_addrtype, *av, p, remlen) == NULL) {
+ goto error;
+ }
+ if (*(av + 1) != NULL)
+ strcat(p, COMMASTR);
+ remlen -= strlen(p);
+ p += strlen(p);
+ }
+ strcat(*buffer, fieldsep);
+
+ return (0);
+
+ error:
+ if (malloced) {
+ memput(*buffer, need);
+ }
+
+ return (-1);
+}
+
+
+
+/*
+ * int irp_unmarshall_ho(struct hostent *ho, char *buffer)
+ *
+ * notes:
+ *
+ * See above.
+ *
+ * return:
+ *
+ * 0 on success, -1 on failure.
+ *
+ */
+
+int
+irp_unmarshall_ho(struct hostent *ho, char *buffer) {
+ char *p, *q, *r;
+ int hoaddrtype;
+ int holength;
+ long t;
+ char *name = NULL;
+ char **aliases = NULL;
+ char **hohaddrlist = NULL;
+ size_t hoaddrsize;
+ char tmpbuf[24];
+ char *tb;
+ char **alist;
+ int addrcount;
+ char fieldsep = '@';
+ int myerrno = EINVAL;
+
+ if (ho == NULL || buffer == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ p = buffer;
+
+ /* h_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* h_aliases field */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ aliases = splitarray(p, q, COMMA);
+ if (aliases == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ /* h_addrtype field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ if (strcmp(tmpbuf, "AF_INET") == 0)
+ hoaddrtype = AF_INET;
+ else if (strcmp(tmpbuf, "AF_INET6") == 0)
+ hoaddrtype = AF_INET6;
+ else
+ goto error;
+
+
+ /* h_length field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ t = strtol(tmpbuf, &tb, 10);
+ if (*tb) {
+ goto error; /* junk in value */
+ }
+ holength = (int)t;
+ if ((long) holength != t) { /* value must have been too big. */
+ goto error;
+ }
+
+
+ /* h_addr_list field */
+ q = strchr(p, fieldsep);
+ if (q == NULL)
+ goto error;
+
+ /* count how many addresss are in there */
+ if (q > p + 1) {
+ for (addrcount = 1, r = p ; r != q ; r++) {
+ if (*r == COMMA)
+ addrcount++;
+ }
+ } else {
+ addrcount = 0;
+ }
+
+ hoaddrsize = (addrcount + 1) * sizeof (char *);
+ hohaddrlist = malloc(hoaddrsize);
+ if (hohaddrlist == NULL) {
+ myerrno = ENOMEM;
+ goto error;
+ }
+
+ memset(hohaddrlist, 0x0, hoaddrsize);
+
+ alist = hohaddrlist;
+ for (t = 0, r = p ; r != q ; p = r + 1, t++) {
+ char saved;
+ while (r != q && *r != COMMA) r++;
+ saved = *r;
+ *r = 0x0;
+
+ alist[t] = malloc(hoaddrtype == AF_INET ? 4 : 16);
+ if (alist[t] == NULL) {
+ myerrno = ENOMEM;
+ goto error;
+ }
+
+ if (inet_pton(hoaddrtype, p, alist[t]) == -1)
+ goto error;
+ *r = saved;
+ }
+ alist[t] = NULL;
+
+ ho->h_name = name;
+ ho->h_aliases = aliases;
+ ho->h_addrtype = hoaddrtype;
+ ho->h_length = holength;
+ ho->h_addr_list = hohaddrlist;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ free_array(aliases, 0);
+
+ return (-1);
+}
+
+/* ------------------------- struct hostent------------------------- */
+
+
+
+/* +++++++++++++++++++++++++ struct netgrp +++++++++++++++++++++++++ */
+
+
+/*
+ * int irp_marshall_ng(const char *host, const char *user,
+ * const char *domain, char *buffer, size_t *len)
+ *
+ * notes:
+ *
+ * See note for irp_marshall_ng_start
+ *
+ * return:
+ *
+ * 0 on success, 0 on failure.
+ *
+ */
+
+int
+irp_marshall_ng(const char *host, const char *user, const char *domain,
+ char **buffer, size_t *len) {
+ size_t need = 1; /* for nul byte */
+ const char *fieldsep = ",";
+
+ if (len == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ need += 4; /* two parens and two commas */
+ need += (host == NULL ? 0 : strlen(host));
+ need += (user == NULL ? 0 : strlen(user));
+ need += (domain == NULL ? 0 : strlen(domain));
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ } else if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ (*buffer)[0] = '(';
+ (*buffer)[1] = '\0';
+
+ if (host != NULL)
+ strcat(*buffer, host);
+ strcat(*buffer, fieldsep);
+
+ if (user != NULL)
+ strcat(*buffer, user);
+ strcat(*buffer, fieldsep);
+
+ if (domain != NULL)
+ strcat(*buffer, domain);
+ strcat(*buffer, ")");
+
+ return (0);
+}
+
+
+
+/* ---------- */
+
+
+/*
+ * int irp_unmarshall_ng(const char **host, const char **user,
+ * const char **domain, char *buffer)
+ *
+ * notes:
+ *
+ * Unpacks the BUFFER into 3 character arrays it allocates and assigns
+ * to *HOST, *USER and *DOMAIN. If any field of the value is empty,
+ * then the corresponding paramater value will be set to NULL.
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ */
+
+int
+irp_unmarshall_ng(const char **hostp, const char **userp, const char **domainp,
+ char *buffer)
+{
+ char *p, *q;
+ char fieldsep = ',';
+ int myerrno = EINVAL;
+ char *host, *user, *domain;
+
+ if (userp == NULL || hostp == NULL ||
+ domainp == NULL || buffer == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ host = user = domain = NULL;
+
+ p = buffer;
+ while (isspace((unsigned char)*p)) {
+ p++;
+ }
+ if (*p != '(') {
+ goto error;
+ }
+
+ q = p + 1;
+ while (*q && *q != fieldsep)
+ q++;
+ if (!*q) {
+ goto error;
+ } else if (q > p + 1) {
+ host = strndup(p, q - p);
+ }
+
+ p = q + 1;
+ if (!*p) {
+ goto error;
+ } else if (*p != fieldsep) {
+ q = p + 1;
+ while (*q && *q != fieldsep)
+ q++;
+ if (!*q) {
+ goto error;
+ }
+ user = strndup(p, q - p);
+ } else {
+ p++;
+ }
+
+ if (!*p) {
+ goto error;
+ } else if (*p != ')') {
+ q = p + 1;
+ while (*q && *q != ')')
+ q++;
+ if (!*q) {
+ goto error;
+ }
+ domain = strndup(p, q - p);
+ }
+ *hostp = host;
+ *userp = user;
+ *domainp = domain;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (host != NULL) free(host);
+ if (user != NULL) free(user);
+ if (domain != NULL) free(domain);
+
+ return (-1);
+}
+
+/* ------------------------- struct netgrp ------------------------- */
+
+
+
+
+/* +++++++++++++++++++++++++ struct nwent +++++++++++++++++++++++++ */
+
+
+/*
+ * int irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * See at top.
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_marshall_nw(struct nwent *ne, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char nAddrType[24];
+ char nNet[MAXPADDRSIZE];
+ const char *fieldsep = COLONSTR;
+
+ if (ne == NULL || len == NULL) {
+ return (-1);
+ }
+
+ strcpy(nAddrType, ADDR_T_STR(ne->n_addrtype));
+
+ if (inet_net_ntop(ne->n_addrtype, ne->n_addr, ne->n_length,
+ nNet, sizeof nNet) == NULL) {
+ return (-1);
+ }
+
+
+ need += strlen(ne->n_name) + 1;
+ need += joinlength(ne->n_aliases) + 1;
+ need += strlen(nAddrType) + 1;
+ need += strlen(nNet) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, ne->n_name); strcat(*buffer, fieldsep);
+ joinarray(ne->n_aliases, *buffer, COMMA) ; strcat(*buffer, fieldsep);
+ strcat(*buffer, nAddrType); strcat(*buffer, fieldsep);
+ strcat(*buffer, nNet); strcat(*buffer, fieldsep);
+
+ return (0);
+}
+
+
+
+/*
+ * int irp_unmarshall_nw(struct nwent *ne, char *buffer)
+ *
+ * notes:
+ *
+ * See note up top.
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_unmarshall_nw(struct nwent *ne, char *buffer) {
+ char *p, *q;
+ int naddrtype;
+ long nnet;
+ int bits;
+ char *name = NULL;
+ char **aliases = NULL;
+ char tmpbuf[24];
+ char *tb;
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ if (ne == NULL || buffer == NULL) {
+ goto error;
+ }
+
+ p = buffer;
+
+ /* n_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* n_aliases field. Aliases are separated by commas */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ aliases = splitarray(p, q, COMMA);
+ if (aliases == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ /* h_addrtype field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ if (strcmp(tmpbuf, "AF_INET") == 0)
+ naddrtype = AF_INET;
+ else if (strcmp(tmpbuf, "AF_INET6") == 0)
+ naddrtype = AF_INET6;
+ else
+ goto error;
+
+
+ /* n_net field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ nnet = 0;
+ bits = inet_net_pton(naddrtype, tmpbuf, &nnet, sizeof nnet);
+ if (bits < 0) {
+ goto error;
+ }
+
+ /* nnet = ntohl(nnet); */ /* keep in network order for nwent */
+
+ ne->n_name = name;
+ ne->n_aliases = aliases;
+ ne->n_addrtype = naddrtype;
+ ne->n_length = bits;
+ ne->n_addr = malloc(sizeof nnet);
+ if (ne->n_addr == NULL) {
+ goto error;
+ }
+
+ memcpy(ne->n_addr, &nnet, sizeof nnet);
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ free_array(aliases, 0);
+
+ return (-1);
+}
+
+
+/* ------------------------- struct nwent ------------------------- */
+
+
+/* +++++++++++++++++++++++++ struct netent +++++++++++++++++++++++++ */
+
+
+/*
+ * int irp_marshall_ne(struct netent *ne, char **buffer, size_t *len)
+ *
+ * notes:
+ *
+ * See at top.
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_marshall_ne(struct netent *ne, char **buffer, size_t *len) {
+ size_t need = 1; /* for null byte */
+ char nAddrType[24];
+ char nNet[MAXPADDRSIZE];
+ const char *fieldsep = COLONSTR;
+ long nval;
+
+ if (ne == NULL || len == NULL) {
+ return (-1);
+ }
+
+ strcpy(nAddrType, ADDR_T_STR(ne->n_addrtype));
+
+ nval = htonl(ne->n_net);
+ if (inet_ntop(ne->n_addrtype, &nval, nNet, sizeof nNet) == NULL) {
+ return (-1);
+ }
+
+ need += strlen(ne->n_name) + 1;
+ need += joinlength(ne->n_aliases) + 1;
+ need += strlen(nAddrType) + 1;
+ need += strlen(nNet) + 1;
+
+ if (buffer == NULL) {
+ *len = need;
+ return (0);
+ }
+
+ if (*buffer != NULL && need > *len) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (*buffer == NULL) {
+ need += 2; /* for CRLF */
+ *buffer = memget(need);
+ if (*buffer == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+
+ *len = need;
+ }
+
+ strcpy(*buffer, ne->n_name); strcat(*buffer, fieldsep);
+ joinarray(ne->n_aliases, *buffer, COMMA) ; strcat(*buffer, fieldsep);
+ strcat(*buffer, nAddrType); strcat(*buffer, fieldsep);
+ strcat(*buffer, nNet); strcat(*buffer, fieldsep);
+
+ return (0);
+}
+
+
+
+/*
+ * int irp_unmarshall_ne(struct netent *ne, char *buffer)
+ *
+ * notes:
+ *
+ * See note up top.
+ *
+ * return:
+ *
+ * 0 on success and -1 on failure.
+ *
+ */
+
+int
+irp_unmarshall_ne(struct netent *ne, char *buffer) {
+ char *p, *q;
+ int naddrtype;
+ long nnet;
+ int bits;
+ char *name = NULL;
+ char **aliases = NULL;
+ char tmpbuf[24];
+ char *tb;
+ char fieldsep = ':';
+ int myerrno = EINVAL;
+
+ if (ne == NULL || buffer == NULL) {
+ goto error;
+ }
+
+ p = buffer;
+
+ /* n_name field */
+ name = NULL;
+ if (getfield(&name, 0, &p, fieldsep) == NULL || strlen(name) == 0U) {
+ goto error;
+ }
+
+
+ /* n_aliases field. Aliases are separated by commas */
+ q = strchr(p, fieldsep);
+ if (q == NULL) {
+ goto error;
+ }
+ aliases = splitarray(p, q, COMMA);
+ if (aliases == NULL) {
+ myerrno = errno;
+ goto error;
+ }
+ p = q + 1;
+
+
+ /* h_addrtype field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ if (strcmp(tmpbuf, "AF_INET") == 0)
+ naddrtype = AF_INET;
+ else if (strcmp(tmpbuf, "AF_INET6") == 0)
+ naddrtype = AF_INET6;
+ else
+ goto error;
+
+
+ /* n_net field */
+ tb = tmpbuf;
+ if (getfield(&tb, sizeof tmpbuf, &p, fieldsep) == NULL ||
+ strlen(tb) == 0U) {
+ goto error;
+ }
+ bits = inet_net_pton(naddrtype, tmpbuf, &nnet, sizeof nnet);
+ if (bits < 0) {
+ goto error;
+ }
+ nnet = ntohl(nnet);
+
+ ne->n_name = name;
+ ne->n_aliases = aliases;
+ ne->n_addrtype = naddrtype;
+ ne->n_net = nnet;
+
+ return (0);
+
+ error:
+ errno = myerrno;
+
+ if (name != NULL) free(name);
+ free_array(aliases, 0);
+
+ return (-1);
+}
+
+
+/* ------------------------- struct netent ------------------------- */
+
+
+/* =========================================================================== */
+
+
+/*
+ * static char ** splitarray(const char *buffer, const char *buffend, char delim)
+ *
+ * notes:
+ *
+ * Split a delim separated astring. Not allowed
+ * to have two delims next to each other. BUFFER points to begining of
+ * string, BUFFEND points to one past the end of the string
+ * (i.e. points at where the null byte would be if null
+ * terminated).
+ *
+ * return:
+ *
+ * Returns a malloced array of pointers, each pointer pointing to a
+ * malloced string. If BUFEER is an empty string, then return values is
+ * array of 1 pointer that is NULL. Returns NULL on failure.
+ *
+ */
+
+static char **
+splitarray(const char *buffer, const char *buffend, char delim) {
+ const char *p, *q;
+ int count = 0;
+ char **arr = NULL;
+ char **aptr;
+
+ if (buffend < buffer)
+ return (NULL);
+ else if (buffend > buffer && *buffer == delim)
+ return (NULL);
+ else if (buffend > buffer && *(buffend - 1) == delim)
+ return (NULL);
+
+ /* count the number of field and make sure none are empty */
+ if (buffend > buffer + 1) {
+ for (count = 1, q = buffer ; q != buffend ; q++) {
+ if (*q == delim) {
+ if (q > buffer && (*(q - 1) == delim)) {
+ errno = EINVAL;
+ return (NULL);
+ }
+ count++;
+ }
+ }
+ }
+
+ if (count > 0) {
+ count++ ; /* for NULL at end */
+ aptr = arr = malloc(count * sizeof (char *));
+ if (aptr == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+
+ memset(arr, 0x0, count * sizeof (char *));
+ for (p = buffer ; p < buffend ; p++) {
+ for (q = p ; *q != delim && q != buffend ; q++)
+ /* nothing */;
+ *aptr = strndup(p, q - p);
+
+ p = q;
+ aptr++;
+ }
+ *aptr = NULL;
+ } else {
+ arr = malloc(sizeof (char *));
+ if (arr == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+
+ *arr = NULL;
+ }
+
+ return (arr);
+}
+
+
+
+
+/*
+ * static size_t joinlength(char * const *argv)
+ *
+ * return:
+ *
+ * the number of bytes in all the arrays pointed at
+ * by argv, including their null bytes(which will usually be turned
+ * into commas).
+ *
+ *
+ */
+
+static size_t
+joinlength(char * const *argv) {
+ int len = 0;
+
+ while (argv && *argv) {
+ len += (strlen(*argv) + 1);
+ argv++;
+ }
+
+ return (len);
+}
+
+
+
+/*
+ * int joinarray(char * const *argv, char *buffer, char delim)
+ *
+ * notes:
+ *
+ * Copy all the ARGV strings into the end of BUFFER
+ * separating them with DELIM. BUFFER is assumed to have
+ * enough space to hold everything and to be already null-terminated.
+ *
+ * return:
+ *
+ * 0 unless argv or buffer is NULL.
+ *
+ *
+ */
+
+static int
+joinarray(char * const *argv, char *buffer, char delim) {
+ char * const *p;
+ char sep[2];
+
+ if (argv == NULL || buffer == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sep[0] = delim;
+ sep[1] = 0x0;
+
+ for (p = argv ; *p != NULL ; p++) {
+ strcat(buffer, *p);
+ if (*(p + 1) != NULL) {
+ strcat(buffer, sep);
+ }
+ }
+
+ return (0);
+}
+
+
+/*
+ * static char * getfield(char **res, size_t reslen, char **ptr, char delim)
+ *
+ * notes:
+ *
+ * Stores in *RES, which is a buffer of length RESLEN, a
+ * copy of the bytes from *PTR up to and including the first
+ * instance of DELIM. If *RES is NULL, then it will be
+ * assigned a malloced buffer to hold the copy. *PTR is
+ * modified to point at the found delimiter.
+ *
+ * return:
+ *
+ * If there was no delimiter, then NULL is returned,
+ * otherewise *RES is returned.
+ *
+ */
+
+static char *
+getfield(char **res, size_t reslen, char **ptr, char delim) {
+ char *q;
+
+ if (res == NULL || ptr == NULL || *ptr == NULL) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ q = strchr(*ptr, delim);
+
+ if (q == NULL) {
+ errno = EINVAL;
+ return (NULL);
+ } else {
+ if (*res == NULL) {
+ *res = strndup(*ptr, q - *ptr);
+ } else {
+ if ((size_t)(q - *ptr + 1) > reslen) { /* to big for res */
+ errno = EINVAL;
+ return (NULL);
+ } else {
+ strncpy(*res, *ptr, q - *ptr);
+ (*res)[q - *ptr] = 0x0;
+ }
+ }
+ *ptr = q + 1;
+ }
+
+ return (*res);
+}
+
+
+
+
+
+#ifndef HAVE_STRNDUP
+/*
+ * static char * strndup(const char *str, size_t len)
+ *
+ * notes:
+ *
+ * like strdup, except do len bytes instead of the whole string. Always
+ * null-terminates.
+ *
+ * return:
+ *
+ * The newly malloced string.
+ *
+ */
+
+static char *
+strndup(const char *str, size_t len) {
+ char *p = malloc(len + 1);
+
+ if (p == NULL)
+ return (NULL);
+ strncpy(p, str, len);
+ p[len] = 0x0;
+ return (p);
+}
+#endif
+
+#if WANT_MAIN
+
+/*
+ * static int strcmp_nws(const char *a, const char *b)
+ *
+ * notes:
+ *
+ * do a strcmp, except uneven lengths of whitespace compare the same
+ *
+ * return:
+ *
+ */
+
+static int
+strcmp_nws(const char *a, const char *b) {
+ while (*a && *b) {
+ if (isspace(*a) && isspace(*b)) {
+ do {
+ a++;
+ } while (isspace(*a));
+ do {
+ b++;
+ } while (isspace(*b));
+ }
+ if (*a < *b)
+ return (-1);
+ else if (*a > *b)
+ return (1);
+
+ a++;
+ b++;;
+ }
+
+ if (*a == *b)
+ return (0);
+ else if (*a > *b)
+ return (1);
+ else
+ return (-1);
+}
+
+#endif
+
+
+
+
+
+/*
+ * static void free_array(char **argv, size_t entries)
+ *
+ * notes:
+ *
+ * Free argv and each of the pointers inside it. The end of
+ * the array is when a NULL pointer is found inside. If
+ * entries is > 0, then NULL pointers inside the array do
+ * not indicate the end of the array.
+ *
+ */
+
+static void
+free_array(char **argv, size_t entries) {
+ char **p = argv;
+ int useEntries = (entries > 0U);
+
+ if (argv == NULL)
+ return;
+
+ while ((useEntries && entries > 0U) || *p) {
+ if (*p)
+ free(*p);
+ p++;
+ if (useEntries)
+ entries--;
+ }
+ free(argv);
+}
+
+
+
+
+
+/* ************************************************** */
+
+#if WANT_MAIN
+
+/* takes an option to indicate what sort of marshalling(read the code) and
+ an argument. If the argument looks like a marshalled buffer(has a ':'
+ embedded) then it's unmarshalled and the remarshalled and the new string
+ is compared to the old one.
+*/
+
+int
+main(int argc, char **argv) {
+ char buffer[1024];
+ char *b = &buffer[0];
+ size_t len = sizeof buffer;
+ char option;
+
+ if (argc < 2 || argv[1][0] != '-')
+ exit(1);
+
+ option = argv[1][1];
+ argv++;
+ argc--;
+
+
+#if 0
+ {
+ char buff[10];
+ char *p = argv[1], *q = &buff[0];
+
+ while (getfield(&q, sizeof buff, &p, ':') != NULL) {
+ printf("field: \"%s\"\n", q);
+ p++;
+ }
+ printf("p is now \"%s\"\n", p);
+ }
+#endif
+
+#if 0
+ {
+ char **x = splitarray(argv[1], argv[1] + strlen(argv[1]),
+ argv[2][0]);
+ char **p;
+
+ if (x == NULL)
+ printf("split failed\n");
+
+ for (p = x ; p != NULL && *p != NULL ; p++) {
+ printf("\"%s\"\n", *p);
+ }
+ }
+#endif
+
+#if 1
+ switch(option) {
+ case 'n': {
+ struct nwent ne;
+ int i;
+
+ if (strchr(argv[1], ':') != NULL) {
+ if (irp_unmarshall_nw(&ne, argv[1]) != 0) {
+ printf("Unmarhsalling failed\n");
+ exit(1);
+ }
+
+ printf("Name: \"%s\"\n", ne.n_name);
+ printf("Aliases:");
+ for (i = 0 ; ne.n_aliases[i] != NULL ; i++)
+ printf("\n\t\"%s\"", ne.n_aliases[i]);
+ printf("\nAddrtype: %s\n", ADDR_T_STR(ne.n_addrtype));
+ inet_net_ntop(ne.n_addrtype, ne.n_addr, ne.n_length,
+ buffer, sizeof buffer);
+ printf("Net: \"%s\"\n", buffer);
+ *((long*)ne.n_addr) = htonl(*((long*)ne.n_addr));
+ inet_net_ntop(ne.n_addrtype, ne.n_addr, ne.n_length,
+ buffer, sizeof buffer);
+ printf("Corrected Net: \"%s\"\n", buffer);
+ } else {
+ struct netent *np1 = getnetbyname(argv[1]);
+ ne.n_name = np1->n_name;
+ ne.n_aliases = np1->n_aliases;
+ ne.n_addrtype = np1->n_addrtype;
+ ne.n_addr = &np1->n_net;
+ ne.n_length = (IN_CLASSA(np1->n_net) ?
+ 8 :
+ (IN_CLASSB(np1->n_net) ?
+ 16 :
+ (IN_CLASSC(np1->n_net) ?
+ 24 : -1)));
+ np1->n_net = htonl(np1->n_net);
+ if (irp_marshall_nw(&ne, &b, &len) != 0) {
+ printf("Marshalling failed\n");
+ }
+ printf("%s\n", b);
+ }
+ break;
+ }
+
+
+ case 'r': {
+ char **hosts, **users, **domains;
+ size_t entries;
+ int i;
+ char *buff;
+ size_t size;
+ char *ngname;
+
+ if (strchr(argv[1], '(') != NULL) {
+ if (irp_unmarshall_ng(&ngname, &entries,
+ &hosts, &users, &domains,
+ argv[1]) != 0) {
+ printf("unmarshall failed\n");
+ exit(1);
+ }
+
+#define STRVAL(x) (x == NULL ? "*" : x)
+
+ printf("%s {\n", ngname);
+ for (i = 0 ; i < entries ; i++)
+ printf("\t\"%s\" : \"%s\" : \"%s\"\n",
+ STRVAL(hosts[i]),
+ STRVAL(users[i]),
+ STRVAL(domains[i]));
+ printf("}\n\n\n");
+
+
+ irp_marshall_ng_start(ngname, NULL, &size);
+ for (i = 0 ; i < entries ; i++)
+ irp_marshall_ng_next(hosts[i], users[i],
+ domains[i], NULL, &size);
+ irp_marshall_ng_end(NULL, &size);
+
+ buff = malloc(size);
+
+ irp_marshall_ng_start(ngname, buff, &size);
+ for (i = 0 ; i < entries ; i++) {
+ if (irp_marshall_ng_next(hosts[i], users[i],
+ domains[i], buff,
+ &size) != 0)
+ printf("next marshalling failed.\n");
+ }
+ irp_marshall_ng_end(buff, &size);
+
+ if (strcmp_nws(argv[1], buff) != 0) {
+ printf("compare failed:\n\t%s\n\t%s\n",
+ buffer, argv[1]);
+ } else {
+ printf("compare ok\n");
+ }
+ } else {
+ char *h, *u, *d, *buff;
+ size_t size;
+
+ /* run through two times. First to figure out how
+ much of a buffer we need. Second to do the
+ actual marshalling */
+
+ setnetgrent(argv[1]);
+ irp_marshall_ng_start(argv[1], NULL, &size);
+ while (getnetgrent(&h, &u, &d) == 1)
+ irp_marshall_ng_next(h, u, d, NULL, &size);
+ irp_marshall_ng_end(NULL, &size);
+ endnetgrent(argv[1]);
+
+ buff = malloc(size);
+
+ setnetgrent(argv[1]);
+ if (irp_marshall_ng_start(argv[1], buff, &size) != 0)
+ printf("Marshalling start failed\n");
+
+ while (getnetgrent(&h, &u, &d) == 1) {
+ if (irp_marshall_ng_next(h, u, d, buff, &size)
+ != 0) {
+ printf("Marshalling failed\n");
+ }
+ }
+
+ irp_marshall_ng_end(buff, &size);
+ endnetgrent();
+
+ printf("success: %s\n", buff);
+ }
+ break;
+ }
+
+
+
+ case 'h': {
+ struct hostent he, *hp;
+ int i;
+
+
+ if (strchr(argv[1], '@') != NULL) {
+ if (irp_unmarshall_ho(&he, argv[1]) != 0) {
+ printf("unmarshall failed\n");
+ exit(1);
+ }
+
+ printf("Host: \"%s\"\nAliases:", he.h_name);
+ for (i = 0 ; he.h_aliases[i] != NULL ; i++)
+ printf("\n\t\t\"%s\"", he.h_aliases[i]);
+ printf("\nAddr Type: \"%s\"\n",
+ ADDR_T_STR(he.h_addrtype));
+ printf("Length: %d\nAddresses:", he.h_length);
+ for (i = 0 ; he.h_addr_list[i] != 0 ; i++) {
+ inet_ntop(he.h_addrtype, he.h_addr_list[i],
+ buffer, sizeof buffer);
+ printf("\n\t\"%s\"\n", buffer);
+ }
+ printf("\n\n");
+
+ irp_marshall_ho(&he, &b, &len);
+ if (strcmp(argv[1], buffer) != 0) {
+ printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
+ buffer, argv[1]);
+ } else {
+ printf("compare ok\n");
+ }
+ } else {
+ if ((hp = gethostbyname(argv[1])) == NULL) {
+ perror("gethostbyname");
+ printf("\"%s\"\n", argv[1]);
+ exit(1);
+ }
+
+ if (irp_marshall_ho(hp, &b, &len) != 0) {
+ printf("irp_marshall_ho failed\n");
+ exit(1);
+ }
+
+ printf("success: \"%s\"\n", buffer);
+ }
+ break;
+ }
+
+
+ case 's': {
+ struct servent *sv;
+ struct servent sv1;
+
+ if (strchr(argv[1], ':') != NULL) {
+ sv = &sv1;
+ memset(sv, 0xef, sizeof (struct servent));
+ if (irp_unmarshall_sv(sv, argv[1]) != 0) {
+ printf("unmarshall failed\n");
+
+ }
+
+ irp_marshall_sv(sv, &b, &len);
+ if (strcmp(argv[1], buffer) != 0) {
+ printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
+ buffer, argv[1]);
+ } else {
+ printf("compare ok\n");
+ }
+ } else {
+ if ((sv = getservbyname(argv[1], argv[2])) == NULL) {
+ perror("getservent");
+ exit(1);
+ }
+
+ if (irp_marshall_sv(sv, &b, &len) != 0) {
+ printf("irp_marshall_sv failed\n");
+ exit(1);
+ }
+
+ printf("success: \"%s\"\n", buffer);
+ }
+ break;
+ }
+
+ case 'g': {
+ struct group *gr;
+ struct group gr1;
+
+ if (strchr(argv[1], ':') != NULL) {
+ gr = &gr1;
+ memset(gr, 0xef, sizeof (struct group));
+ if (irp_unmarshall_gr(gr, argv[1]) != 0) {
+ printf("unmarshall failed\n");
+
+ }
+
+ irp_marshall_gr(gr, &b, &len);
+ if (strcmp(argv[1], buffer) != 0) {
+ printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
+ buffer, argv[1]);
+ } else {
+ printf("compare ok\n");
+ }
+ } else {
+ if ((gr = getgrnam(argv[1])) == NULL) {
+ perror("getgrnam");
+ exit(1);
+ }
+
+ if (irp_marshall_gr(gr, &b, &len) != 0) {
+ printf("irp_marshall_gr failed\n");
+ exit(1);
+ }
+
+ printf("success: \"%s\"\n", buffer);
+ }
+ break;
+ }
+
+
+ case 'p': {
+ struct passwd *pw;
+ struct passwd pw1;
+
+ if (strchr(argv[1], ':') != NULL) {
+ pw = &pw1;
+ memset(pw, 0xef, sizeof (*pw));
+ if (irp_unmarshall_pw(pw, argv[1]) != 0) {
+ printf("unmarshall failed\n");
+ exit(1);
+ }
+
+ printf("User: \"%s\"\nPasswd: \"%s\"\nUid: %ld\nGid: %ld\n",
+ pw->pw_name, pw->pw_passwd, (long)pw->pw_uid,
+ (long)pw->pw_gid);
+ printf("Class: \"%s\"\nChange: %ld\nGecos: \"%s\"\n",
+ pw->pw_class, (long)pw->pw_change, pw->pw_gecos);
+ printf("Shell: \"%s\"\nDirectory: \"%s\"\n",
+ pw->pw_shell, pw->pw_dir);
+
+ pw = getpwnam(pw->pw_name);
+ irp_marshall_pw(pw, &b, &len);
+ if (strcmp(argv[1], buffer) != 0) {
+ printf("compare failed:\n\t\"%s\"\n\t\"%s\"\n",
+ buffer, argv[1]);
+ } else {
+ printf("compare ok\n");
+ }
+ } else {
+ if ((pw = getpwnam(argv[1])) == NULL) {
+ perror("getpwnam");
+ exit(1);
+ }
+
+ if (irp_marshall_pw(pw, &b, &len) != 0) {
+ printf("irp_marshall_pw failed\n");
+ exit(1);
+ }
+
+ printf("success: \"%s\"\n", buffer);
+ }
+ break;
+ }
+
+ default:
+ printf("Wrong option: %c\n", option);
+ break;
+ }
+
+#endif
+
+ return (0);
+}
+
+#endif
diff --git a/contrib/bind9/lib/bind/irs/irs_data.c b/contrib/bind9/lib/bind/irs/irs_data.c
new file mode 100644
index 0000000..dbe5177
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irs_data.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: irs_data.c,v 1.3.2.2.4.2 2004/03/17 00:29:49 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#ifndef __BIND_NOSTATIC
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include <isc/memcluster.h>
+
+#ifdef DO_PTHREADS
+#include <pthread.h>
+#endif
+
+#include <irs.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#include "irs_data.h"
+#undef _res
+#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+#undef h_errno
+extern int h_errno;
+#endif
+
+extern struct __res_state _res;
+
+#ifdef DO_PTHREADS
+static pthread_key_t key;
+static int once = 0;
+#else
+static struct net_data *net_data;
+#endif
+
+void
+irs_destroy(void) {
+#ifndef DO_PTHREADS
+ if (net_data != NULL)
+ net_data_destroy(net_data);
+ net_data = NULL;
+#endif
+}
+
+void
+net_data_destroy(void *p) {
+ struct net_data *net_data = p;
+
+ res_ndestroy(net_data->res);
+ if (net_data->gr != NULL) {
+ (*net_data->gr->close)(net_data->gr);
+ net_data->gr = NULL;
+ }
+ if (net_data->pw != NULL) {
+ (*net_data->pw->close)(net_data->pw);
+ net_data->pw = NULL;
+ }
+ if (net_data->sv != NULL) {
+ (*net_data->sv->close)(net_data->sv);
+ net_data->sv = NULL;
+ }
+ if (net_data->pr != NULL) {
+ (*net_data->pr->close)(net_data->pr);
+ net_data->pr = NULL;
+ }
+ if (net_data->ho != NULL) {
+ (*net_data->ho->close)(net_data->ho);
+ net_data->ho = NULL;
+ }
+ if (net_data->nw != NULL) {
+ (*net_data->nw->close)(net_data->nw);
+ net_data->nw = NULL;
+ }
+ if (net_data->ng != NULL) {
+ (*net_data->ng->close)(net_data->ng);
+ net_data->ng = NULL;
+ }
+ if (net_data->ho_data != NULL) {
+ free(net_data->ho_data);
+ net_data->ho_data = NULL;
+ }
+ if (net_data->nw_data != NULL) {
+ free(net_data->nw_data);
+ net_data->nw_data = NULL;
+ }
+
+ (*net_data->irs->close)(net_data->irs);
+ memput(net_data, sizeof *net_data);
+}
+
+/* applications that need a specific config file other than
+ * _PATH_IRS_CONF should call net_data_init directly rather than letting
+ * the various wrapper functions make the first call. - brister
+ */
+
+struct net_data *
+net_data_init(const char *conf_file) {
+#ifdef DO_PTHREADS
+ static pthread_mutex_t keylock = PTHREAD_MUTEX_INITIALIZER;
+ struct net_data *net_data;
+
+ if (!once) {
+ pthread_mutex_lock(&keylock);
+ if (!once++)
+ pthread_key_create(&key, net_data_destroy);
+ pthread_mutex_unlock(&keylock);
+ }
+ net_data = pthread_getspecific(key);
+#endif
+
+ if (net_data == NULL) {
+ net_data = net_data_create(conf_file);
+ if (net_data == NULL)
+ return (NULL);
+#ifdef DO_PTHREADS
+ pthread_setspecific(key, net_data);
+#endif
+ }
+
+ return (net_data);
+}
+
+struct net_data *
+net_data_create(const char *conf_file) {
+ struct net_data *net_data;
+
+ net_data = memget(sizeof (struct net_data));
+ if (net_data == NULL)
+ return (NULL);
+ memset(net_data, 0, sizeof (struct net_data));
+
+ if ((net_data->irs = irs_gen_acc("", conf_file)) == NULL) {
+ memput(net_data, sizeof (struct net_data));
+ return (NULL);
+ }
+#ifndef DO_PTHREADS
+ (*net_data->irs->res_set)(net_data->irs, &_res, NULL);
+#endif
+
+ net_data->res = (*net_data->irs->res_get)(net_data->irs);
+ if (net_data->res == NULL) {
+ (*net_data->irs->close)(net_data->irs);
+ memput(net_data, sizeof (struct net_data));
+ return (NULL);
+ }
+
+ if ((net_data->res->options & RES_INIT) == 0U &&
+ res_ninit(net_data->res) == -1) {
+ (*net_data->irs->close)(net_data->irs);
+ memput(net_data, sizeof (struct net_data));
+ return (NULL);
+ }
+
+ return (net_data);
+}
+
+void
+net_data_minimize(struct net_data *net_data) {
+ res_nclose(net_data->res);
+}
+
+#ifdef _REENTRANT
+struct __res_state *
+__res_state(void) {
+ /* NULL param here means use the default config file. */
+ struct net_data *net_data = net_data_init(NULL);
+ if (net_data && net_data->res)
+ return (net_data->res);
+
+ return (&_res);
+}
+#else
+#ifdef __linux
+struct __res_state *
+__res_state(void) {
+ return (&_res);
+}
+#endif
+#endif
+
+int *
+__h_errno(void) {
+ /* NULL param here means use the default config file. */
+ struct net_data *net_data = net_data_init(NULL);
+ if (net_data && net_data->res)
+ return (&net_data->res->res_h_errno);
+#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+ return(&_res.res_h_errno);
+#else
+ return (&h_errno);
+#endif
+}
+
+void
+__h_errno_set(struct __res_state *res, int err) {
+
+
+#if (__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+ res->res_h_errno = err;
+#else
+ h_errno = res->res_h_errno = err;
+#endif
+}
+
+#endif /*__BIND_NOSTATIC*/
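Review bot: In `net_data_init` the DO_PTHREADS path reads `once` outside `keylock` and discards the results of `pthread_key_create` and `pthread_setspecific`. The unlocked test of a plain `int` is a data race. If key creation fails, `once` is still set and every later `pthread_getspecific(key)` runs on a key that was never created. If `pthread_setspecific` fails, the new `net_data` is returned but never stored, so each later call from that thread builds another resolver context that the destructor will not release. Using `pthread_once` with a checked key creation, and tearing the fresh context down when it cannot be stored, closes these gaps; as this is a vendor import the change presumably belongs upstream.

```c
#ifdef DO_PTHREADS
static pthread_key_t key;
static pthread_once_t once = PTHREAD_ONCE_INIT;
static int key_ok = 0;

static void
net_data_key_create(void) {
	key_ok = (pthread_key_create(&key, net_data_destroy) == 0);
}
#else
/* … unchanged: static struct net_data *net_data … */
#endif

struct net_data *
net_data_init(const char *conf_file) {
#ifdef DO_PTHREADS
	struct net_data *net_data;

	if (pthread_once(&once, net_data_key_create) != 0 || !key_ok)
		return (NULL);
	net_data = pthread_getspecific(key);
#endif

	if (net_data == NULL) {
		net_data = net_data_create(conf_file);
		if (net_data == NULL)
			return (NULL);
#ifdef DO_PTHREADS
		if (pthread_setspecific(key, net_data) != 0) {
			net_data_destroy(net_data);
			return (NULL);
		}
#endif
	}

	return (net_data);
}
```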
diff --git a/contrib/bind9/lib/bind/irs/irs_data.h b/contrib/bind9/lib/bind/irs/irs_data.h
new file mode 100644
index 0000000..90eb78c
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irs_data.h
@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irs_data.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
+ */
+
+#ifndef __BIND_NOSTATIC
+
+#define net_data_init __net_data_init
+
+struct net_data {
+ struct irs_acc * irs;
+
+ struct irs_gr * gr;
+ struct irs_pw * pw;
+ struct irs_sv * sv;
+ struct irs_pr * pr;
+ struct irs_ho * ho;
+ struct irs_nw * nw;
+ struct irs_ng * ng;
+
+ struct group * gr_last;
+ struct passwd * pw_last;
+ struct servent * sv_last;
+ struct protoent * pr_last;
+ struct netent * nw_last; /* should have been ne_last */
+ struct nwent * nww_last;
+ struct hostent * ho_last;
+
+ unsigned int gr_stayopen :1;
+ unsigned int pw_stayopen :1;
+ unsigned int sv_stayopen :1;
+ unsigned int pr_stayopen :1;
+ unsigned int ho_stayopen :1;
+ unsigned int nw_stayopen :1;
+
+ void * nw_data;
+ void * ho_data;
+
+ struct __res_state * res; /* for gethostent.c */
+
+};
+
+extern struct net_data * net_data_init(const char *conf_file);
+extern void net_data_minimize(struct net_data *);
+
+#endif /*__BIND_NOSTATIC*/
diff --git a/contrib/bind9/lib/bind/irs/irs_p.h b/contrib/bind9/lib/bind/irs/irs_p.h
new file mode 100644
index 0000000..6d340f2
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/irs_p.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: irs_p.h,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $
+ */
+
+#ifndef _IRS_P_H_INCLUDED
+#define _IRS_P_H_INCLUDED
+
+#include <stdio.h>
+
+#include "pathnames.h"
+
+#define IRS_SV_MAXALIASES 35
+
+struct lcl_sv {
+ FILE * fp;
+ char line[BUFSIZ+1];
+ struct servent serv;
+ char * serv_aliases[IRS_SV_MAXALIASES];
+};
+
+#define irs_nul_ng __irs_nul_ng
+#define map_v4v6_address __map_v4v6_address
+#define make_group_list __make_group_list
+#define irs_lclsv_fnxt __irs_lclsv_fnxt
+
+extern void map_v4v6_address(const char *src, char *dst);
+extern int make_group_list(struct irs_gr *, const char *,
+ gid_t, gid_t *, int *);
+extern struct irs_ng * irs_nul_ng(struct irs_acc *);
+extern struct servent * irs_lclsv_fnxt(struct lcl_sv *);
+
+#endif
diff --git a/contrib/bind9/lib/bind/irs/lcl.c b/contrib/bind9/lib/bind/irs/lcl.c
new file mode 100644
index 0000000..e02c90d
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl.c
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: lcl.c,v 1.1.206.2 2004/03/17 00:29:49 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <stdlib.h>
+#include <errno.h>
+#include <string.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "lcl_p.h"
+
+/* Forward. */
+
+static void lcl_close(struct irs_acc *);
+static struct __res_state * lcl_res_get(struct irs_acc *);
+static void lcl_res_set(struct irs_acc *, struct __res_state *,
+ void (*)(void *));
+
+/* Public */
+
+struct irs_acc *
+irs_lcl_acc(const char *options) {
+ struct irs_acc *acc;
+ struct lcl_p *lcl;
+
+ UNUSED(options);
+
+ if (!(acc = memget(sizeof *acc))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(acc, 0x5e, sizeof *acc);
+ if (!(lcl = memget(sizeof *lcl))) {
+ errno = ENOMEM;
+ free(acc);
+ return (NULL);
+ }
+ memset(lcl, 0x5e, sizeof *lcl);
+ lcl->res = NULL;
+ lcl->free_res = NULL;
+ acc->private = lcl;
+#ifdef WANT_IRS_GR
+ acc->gr_map = irs_lcl_gr;
+#else
+ acc->gr_map = NULL;
+#endif
+#ifdef WANT_IRS_PW
+ acc->pw_map = irs_lcl_pw;
+#else
+ acc->pw_map = NULL;
+#endif
+ acc->sv_map = irs_lcl_sv;
+ acc->pr_map = irs_lcl_pr;
+ acc->ho_map = irs_lcl_ho;
+ acc->nw_map = irs_lcl_nw;
+ acc->ng_map = irs_lcl_ng;
+ acc->res_get = lcl_res_get;
+ acc->res_set = lcl_res_set;
+ acc->close = lcl_close;
+ return (acc);
+}
+
+/* Methods */
+static struct __res_state *
+lcl_res_get(struct irs_acc *this) {
+ struct lcl_p *lcl = (struct lcl_p *)this->private;
+
+ if (lcl->res == NULL) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (res == NULL)
+ return (NULL);
+ memset(res, 0, sizeof *res);
+ lcl_res_set(this, res, free);
+ }
+
+ if ((lcl->res->options & RES_INIT) == 0U &&
+ res_ninit(lcl->res) < 0)
+ return (NULL);
+
+ return (lcl->res);
+}
+
+static void
+lcl_res_set(struct irs_acc *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct lcl_p *lcl = (struct lcl_p *)this->private;
+
+ if (lcl->res && lcl->free_res) {
+ res_nclose(lcl->res);
+ (*lcl->free_res)(lcl->res);
+ }
+
+ lcl->res = res;
+ lcl->free_res = free_res;
+}
+
+static void
+lcl_close(struct irs_acc *this) {
+ struct lcl_p *lcl = (struct lcl_p *)this->private;
+
+ if (lcl) {
+ if (lcl->free_res)
+ (*lcl->free_res)(lcl->res);
+ memput(lcl, sizeof *lcl);
+ }
+ memput(this, sizeof *this);
+}
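Review bot: In irs_lcl_acc, the failure path for the second allocation releases `acc` with `free(acc)` although it was obtained from `memget()`, while every other release of these objects in the file goes through `memput()`. If memget hands out memory from its own pools, which the sized `memput(ptr, size)` pairing suggests, passing that pointer to free() corrupts the heap on exactly the out-of-memory path that is hardest to test. The line should read `memput(acc, sizeof *acc);`. Separately, lcl_close frees `lcl->res` without the `res_nclose(lcl->res)` that lcl_res_set performs before its free call, so a resolver socket that is still open would be left behind; adding `res_nclose(lcl->res);` before the free in lcl_close would make the two paths agree.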
diff --git a/contrib/bind9/lib/bind/irs/lcl_gr.c b/contrib/bind9/lib/bind/irs/lcl_gr.c
new file mode 100644
index 0000000..ccf7b79
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_gr.c
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_gr.c,v 1.1.206.1 2004/03/09 08:33:37 marka Exp $";
+/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
+/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "irs_p.h"
+#include "lcl_p.h"
+#include "irp_p.h"
+
+#include "port_after.h"
+
+
+/* Types. */
+
+struct pvt {
+ FILE * fp;
+ /*
+ * Need space to store the entries read from the group file.
+ * The members list also needs space per member, and the
+ * strings making up the user names must be allocated
+ * somewhere. Rather than doing lots of small allocations,
+ * we keep one buffer and resize it as needed.
+ */
+ struct group group;
+ size_t nmemb; /* Malloc'd max index of gr_mem[]. */
+ char * membuf;
+ size_t membufsize;
+};
+
+/* Forward. */
+
+static void gr_close(struct irs_gr *);
+static struct group * gr_next(struct irs_gr *);
+static struct group * gr_byname(struct irs_gr *, const char *);
+static struct group * gr_bygid(struct irs_gr *, gid_t);
+static void gr_rewind(struct irs_gr *);
+static void gr_minimize(struct irs_gr *);
+
+static int grstart(struct pvt *);
+static char * grnext(struct pvt *);
+static struct group * grscan(struct irs_gr *, int, gid_t, const char *);
+
+/* Portability. */
+
+#ifndef SEEK_SET
+# define SEEK_SET 0
+#endif
+
+/* Public. */
+
+struct irs_gr *
+irs_lcl_gr(struct irs_acc *this) {
+ struct irs_gr *gr;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(gr = memget(sizeof *gr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(gr, 0x5e, sizeof *gr);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(gr, sizeof *gr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ gr->private = pvt;
+ gr->close = gr_close;
+ gr->next = gr_next;
+ gr->byname = gr_byname;
+ gr->bygid = gr_bygid;
+ gr->rewind = gr_rewind;
+ gr->list = make_group_list;
+ gr->minimize = gr_minimize;
+ gr->res_get = NULL;
+ gr->res_set = NULL;
+ return (gr);
+}
+
+/* Methods. */
+
+static void
+gr_close(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp)
+ (void)fclose(pvt->fp);
+ if (pvt->group.gr_mem)
+ free(pvt->group.gr_mem);
+ if (pvt->membuf)
+ free(pvt->membuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct group *
+gr_next(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->fp && !grstart(pvt))
+ return (NULL);
+ return (grscan(this, 0, 0, NULL));
+}
+
+static struct group *
+gr_byname(struct irs_gr *this, const char *name) {
+ if (!grstart((struct pvt *)this->private))
+ return (NULL);
+ return (grscan(this, 1, 0, name));
+}
+
+static struct group *
+gr_bygid(struct irs_gr *this, gid_t gid) {
+ if (!grstart((struct pvt *)this->private))
+ return (NULL);
+ return (grscan(this, 1, gid, NULL));
+}
+
+static void
+gr_rewind(struct irs_gr *this) {
+ (void) grstart((struct pvt *)this->private);
+}
+
+static void
+gr_minimize(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+/* Private. */
+
+static int
+grstart(struct pvt *pvt) {
+ if (pvt->fp) {
+ if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
+ return (1);
+ (void)fclose(pvt->fp);
+ }
+ if (!(pvt->fp = fopen(_PATH_GROUP, "r")))
+ return (0);
+ if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
+ fclose(pvt->fp);
+ return (0);
+ }
+ return (1);
+}
+
+#define INITIAL_NMEMB 30 /* about 120 bytes */
+#define INITIAL_BUFSIZ (INITIAL_NMEMB * 8) /* about 240 bytes */
+
+static char *
+grnext(struct pvt *pvt) {
+ char *w, *e;
+ int ch;
+
+ /* Make sure we have a buffer. */
+ if (pvt->membuf == NULL) {
+ pvt->membuf = malloc(INITIAL_BUFSIZ);
+ if (pvt->membuf == NULL) {
+ enomem:
+ errno = ENOMEM;
+ return (NULL);
+ }
+ pvt->membufsize = INITIAL_BUFSIZ;
+ }
+
+ /* Read until EOF or EOL. */
+ w = pvt->membuf;
+ e = pvt->membuf + pvt->membufsize;
+ while ((ch = fgetc(pvt->fp)) != EOF && ch != '\n') {
+ /* Make sure we have room for this character and a \0. */
+ if (w + 1 == e) {
+ size_t o = w - pvt->membuf;
+ size_t n = pvt->membufsize * 2;
+ char *t = realloc(pvt->membuf, n);
+
+ if (t == NULL)
+ goto enomem;
+ pvt->membuf = t;
+ pvt->membufsize = n;
+ w = pvt->membuf + o;
+ e = pvt->membuf + pvt->membufsize;
+ }
+ /* Store it. */
+ *w++ = (char)ch;
+ }
+
+ /* Hitting EOF on the first character really does mean EOF. */
+ if (w == pvt->membuf && ch == EOF) {
+ errno = ENOENT;
+ return (NULL);
+ }
+
+ /* Last line of /etc/group need not end with \n; we don't care. */
+ *w = '\0';
+ return (pvt->membuf);
+}
+
+static struct group *
+grscan(struct irs_gr *this, int search, gid_t gid, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ size_t n;
+ char *bp, **m, *p;
+
+ /* Read lines until we find one that matches our search criteria. */
+ for (;;) {
+ if ((bp = grnext(pvt)) == NULL)
+ return (NULL);
+
+ /* Optimize the usual case of searching for a name. */
+ pvt->group.gr_name = strsep(&bp, ":");
+ if (search && name != NULL &&
+ strcmp(pvt->group.gr_name, name) != 0)
+ continue;
+ if (bp == NULL || *bp == '\0')
+ goto corrupt;
+
+ /* Skip past the password field. */
+ pvt->group.gr_passwd = strsep(&bp, ":");
+ if (bp == NULL || *bp == '\0')
+ goto corrupt;
+
+ /* Checking for a gid. */
+ if ((p = strsep(&bp, ":")) == NULL)
+ continue;
+ /*
+ * Unlike the tests above, the test below is supposed to be
+ * testing 'p' and not 'bp', in case you think it's a typo.
+ */
+ if (p == NULL || *p == '\0') {
+ corrupt:
+ /* warning: corrupted %s file!", _PATH_GROUP */
+ continue;
+ }
+ pvt->group.gr_gid = atoi(p);
+ if (search && name == NULL && (gid_t)pvt->group.gr_gid != gid)
+ continue;
+
+ /* We want this record. */
+ break;
+ }
+
+ /*
+ * Count commas to find out how many members there might be.
+ * Note that commas separate, so if there is one comma there
+ * can be two members (group:*:id:user1,user2). Add another
+ * to account for the NULL terminator. As above, allocate
+ * largest of INITIAL_NMEMB, or 2*n.
+ */
+ n = 1;
+ if (bp != NULL)
+ for (n = 2, p = bp; (p = strpbrk(p, ", ")) != NULL; ++n)
+ p += strspn(p, ", ");
+ if (n > pvt->nmemb || pvt->group.gr_mem == NULL) {
+ if ((n *= 2) < INITIAL_NMEMB)
+ n = INITIAL_NMEMB;
+ if ((m = realloc(pvt->group.gr_mem, n * sizeof *m)) == NULL)
+ return (NULL);
+ pvt->group.gr_mem = m;
+ pvt->nmemb = n;
+ }
+
+ /* Set the name pointers. */
+ for (m = pvt->group.gr_mem; (p = strsep(&bp, ", ")) != NULL;)
+ if (p[0] != '\0')
+ *m++ = p;
+ *m = NULL;
+
+ return (&pvt->group);
+}
+
+#endif /* WANT_IRS_GR */
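Review bot: grstart leaves `pvt->fp` pointing at a closed stream when `fcntl(fileno(pvt->fp), F_SETFD, 1)` fails, because it calls `fclose(pvt->fp)` and returns 0 without clearing the field. gr_next only tests `!pvt->fp` before calling grscan, so a later call would read from the closed FILE, and gr_minimize or gr_close would close it a second time. Adding `pvt->fp = NULL;` after that fclose fixes it, as ho_rewind in lcl_ho.c already does for the same sequence. The file is also compiled under `#ifndef WANT_IRS_PW`, while its closing comment and the `acc->gr_map = irs_lcl_gr` assignment in lcl.c use WANT_IRS_GR; the guard should probably be `#ifndef WANT_IRS_GR`, otherwise a build with only WANT_IRS_GR defined references a function that was never compiled.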
diff --git a/contrib/bind9/lib/bind/irs/lcl_ho.c b/contrib/bind9/lib/bind/irs/lcl_ho.c
new file mode 100644
index 0000000..45d2677
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_ho.c
@@ -0,0 +1,576 @@
+/*
+ * Copyright (c) 1985, 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* from gethostnamadr.c 8.1 (Berkeley) 6/4/93 */
+/* BIND Id: gethnamaddr.c,v 8.15 1996/05/22 04:56:30 vixie Exp $ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_ho.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports. */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "dns_p.h"
+#include "lcl_p.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) sprintf x
+#endif
+
+/* Definitions. */
+
+#define MAXALIASES 35
+#define MAXADDRS 35
+#define Max(a,b) ((a) > (b) ? (a) : (b))
+
+#if PACKETSZ > 1024
+#define MAXPACKET PACKETSZ
+#else
+#define MAXPACKET 1024
+#endif
+
+struct pvt {
+ FILE * fp;
+ struct hostent host;
+ char * h_addr_ptrs[MAXADDRS + 1];
+ char * host_aliases[MAXALIASES];
+ char hostbuf[8*1024];
+ u_char host_addr[16]; /* IPv4 or IPv6 */
+ struct __res_state *res;
+ void (*free_res)(void *);
+};
+
+typedef union {
+ int32_t al;
+ char ac;
+} align;
+
+static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
+static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
+
+/* Forward. */
+
+static void ho_close(struct irs_ho *this);
+static struct hostent * ho_byname(struct irs_ho *this, const char *name);
+static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
+ int af);
+static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ int len, int af);
+static struct hostent * ho_next(struct irs_ho *this);
+static void ho_rewind(struct irs_ho *this);
+static void ho_minimize(struct irs_ho *this);
+static struct __res_state * ho_res_get(struct irs_ho *this);
+static void ho_res_set(struct irs_ho *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
+ const struct addrinfo *pai);
+
+static size_t ns_namelen(const char *);
+static int init(struct irs_ho *this);
+
+/* Portability. */
+
+#ifndef SEEK_SET
+# define SEEK_SET 0
+#endif
+
+/* Public. */
+
+struct irs_ho *
+irs_lcl_ho(struct irs_acc *this) {
+ struct irs_ho *ho;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(ho = memget(sizeof *ho))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ho, 0x5e, sizeof *ho);
+ ho->private = pvt;
+ ho->close = ho_close;
+ ho->byname = ho_byname;
+ ho->byname2 = ho_byname2;
+ ho->byaddr = ho_byaddr;
+ ho->next = ho_next;
+ ho->rewind = ho_rewind;
+ ho->minimize = ho_minimize;
+ ho->res_get = ho_res_get;
+ ho->res_set = ho_res_set;
+ ho->addrinfo = ho_addrinfo;
+ return (ho);
+}
+
+/* Methods. */
+
+static void
+ho_close(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ho_minimize(this);
+ if (pvt->fp)
+ (void) fclose(pvt->fp);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct hostent *
+ho_byname(struct irs_ho *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (pvt->res->options & RES_USE_INET6) {
+ hp = ho_byname2(this, name, AF_INET6);
+ if (hp)
+ return (hp);
+ }
+ return (ho_byname2(this, name, AF_INET));
+}
+
+static struct hostent *
+ho_byname2(struct irs_ho *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+ char **hap;
+ size_t n;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ ho_rewind(this);
+ n = ns_namelen(name);
+ while ((hp = ho_next(this)) != NULL) {
+ size_t nn;
+
+ if (hp->h_addrtype != af)
+ continue;
+ nn = ns_namelen(hp->h_name);
+ if (strncasecmp(hp->h_name, name, Max(n, nn)) == 0)
+ goto found;
+ for (hap = hp->h_aliases; *hap; hap++) {
+ nn = ns_namelen(*hap);
+ if (strncasecmp(*hap, name, Max(n, nn)) == 0)
+ goto found;
+ }
+ }
+ found:
+ if (!hp) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ return (hp);
+}
+
+static struct hostent *
+ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ const u_char *uaddr = addr;
+ struct hostent *hp;
+ int size;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (af == AF_INET6 && len == IN6ADDRSZ &&
+ (!memcmp(uaddr, mapped, sizeof mapped) ||
+ !memcmp(uaddr, tunnelled, sizeof tunnelled))) {
+ /* Unmap. */
+ addr = (const u_char *)addr + sizeof mapped;
+ uaddr += sizeof mapped;
+ af = AF_INET;
+ len = INADDRSZ;
+ }
+ switch (af) {
+ case AF_INET:
+ size = INADDRSZ;
+ break;
+ case AF_INET6:
+ size = IN6ADDRSZ;
+ break;
+ default:
+ errno = EAFNOSUPPORT;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ if (size > len) {
+ errno = EINVAL;
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+
+ /*
+ * Do the search.
+ */
+ ho_rewind(this);
+ while ((hp = ho_next(this)) != NULL) {
+ char **hap;
+
+ for (hap = hp->h_addr_list; *hap; hap++) {
+ const u_char *taddr = (const u_char *)*hap;
+ int taf = hp->h_addrtype;
+ int tlen = hp->h_length;
+
+ if (taf == AF_INET6 && tlen == IN6ADDRSZ &&
+ (!memcmp(taddr, mapped, sizeof mapped) ||
+ !memcmp(taddr, tunnelled, sizeof tunnelled))) {
+ /* Unmap. */
+ taddr += sizeof mapped;
+ taf = AF_INET;
+ tlen = INADDRSZ;
+ }
+ if (taf == af && tlen == len &&
+ !memcmp(taddr, uaddr, tlen))
+ goto found;
+ }
+ }
+ found:
+ if (!hp) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ return (hp);
+}
+
+static struct hostent *
+ho_next(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *cp, **q, *p;
+ char *bufp, *ndbuf, *dbuf = NULL;
+ int c, af, len, bufsiz, offset;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (!pvt->fp)
+ ho_rewind(this);
+ if (!pvt->fp) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ bufp = pvt->hostbuf;
+ bufsiz = sizeof pvt->hostbuf;
+ offset = 0;
+ again:
+ if (!(p = fgets(bufp + offset, bufsiz - offset, pvt->fp))) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ if (dbuf)
+ free(dbuf);
+ return (NULL);
+ }
+ if (!strchr(p, '\n') && !feof(pvt->fp)) {
+#define GROWBUF 1024
+ /* allocate space for longer line */
+ if (dbuf == NULL) {
+ if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
+ strcpy(ndbuf, bufp);
+ } else
+ ndbuf = realloc(dbuf, bufsiz + GROWBUF);
+ if (ndbuf) {
+ dbuf = ndbuf;
+ bufp = dbuf;
+ bufsiz += GROWBUF;
+ offset = strlen(dbuf);
+ } else {
+ /* allocation failed; skip this long line */
+ while ((c = getc(pvt->fp)) != EOF)
+ if (c == '\n')
+ break;
+ if (c != EOF)
+ ungetc(c, pvt->fp);
+ }
+ goto again;
+ }
+
+ p -= offset;
+ offset = 0;
+
+ if (*p == '#')
+ goto again;
+ if ((cp = strpbrk(p, "#\n")) != NULL)
+ *cp = '\0';
+ if (!(cp = strpbrk(p, " \t")))
+ goto again;
+ *cp++ = '\0';
+ if (inet_pton(AF_INET6, p, pvt->host_addr) > 0) {
+ af = AF_INET6;
+ len = IN6ADDRSZ;
+ } else if (inet_aton(p, (struct in_addr *)pvt->host_addr) > 0) {
+ if (pvt->res->options & RES_USE_INET6) {
+ map_v4v6_address((char*)pvt->host_addr,
+ (char*)pvt->host_addr);
+ af = AF_INET6;
+ len = IN6ADDRSZ;
+ } else {
+ af = AF_INET;
+ len = INADDRSZ;
+ }
+ } else {
+ goto again;
+ }
+ pvt->h_addr_ptrs[0] = (char *)pvt->host_addr;
+ pvt->h_addr_ptrs[1] = NULL;
+ pvt->host.h_addr_list = pvt->h_addr_ptrs;
+ pvt->host.h_length = len;
+ pvt->host.h_addrtype = af;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ pvt->host.h_name = cp;
+ q = pvt->host.h_aliases = pvt->host_aliases;
+ if ((cp = strpbrk(cp, " \t")) != NULL)
+ *cp++ = '\0';
+ while (cp && *cp) {
+ if (*cp == ' ' || *cp == '\t') {
+ cp++;
+ continue;
+ }
+ if (q < &pvt->host_aliases[MAXALIASES - 1])
+ *q++ = cp;
+ if ((cp = strpbrk(cp, " \t")) != NULL)
+ *cp++ = '\0';
+ }
+ *q = NULL;
+ if (dbuf)
+ free(dbuf);
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ return (&pvt->host);
+}
+
+static void
+ho_rewind(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp) {
+ if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
+ return;
+ (void)fclose(pvt->fp);
+ }
+ if (!(pvt->fp = fopen(_PATH_HOSTS, "r")))
+ return;
+ if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+static void
+ho_minimize(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+ if (pvt->res)
+ res_nclose(pvt->res);
+}
+
+static struct __res_state *
+ho_res_get(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ ho_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+ho_res_set(struct irs_ho *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+struct lcl_res_target {
+ struct lcl_res_target *next;
+ int family;
+};
+
+/* XXX */
+extern struct addrinfo *hostent2addrinfo __P((struct hostent *,
+ const struct addrinfo *pai));
+
+static struct addrinfo *
+ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+ struct lcl_res_target q, q2, *p;
+ struct addrinfo sentinel, *cur;
+
+ memset(&q, 0, sizeof(q2));
+ memset(&q2, 0, sizeof(q2));
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+
+ switch(pai->ai_family) {
+ case AF_UNSPEC: /* INET6 then INET4 */
+ q.family = AF_INET6;
+ q.next = &q2;
+ q2.family = AF_INET;
+ break;
+ case AF_INET6:
+ q.family = AF_INET6;
+ break;
+ case AF_INET:
+ q.family = AF_INET;
+ break;
+ default:
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
+ return(NULL);
+ }
+
+ for (p = &q; p; p = p->next) {
+ struct addrinfo *ai;
+
+ hp = (*this->byname2)(this, name, p->family);
+ if (hp == NULL) {
+ /* byname2 should've set an appropriate error */
+ continue;
+ }
+ if ((hp->h_name == NULL) || (hp->h_name[0] == 0) ||
+ (hp->h_addr_list[0] == NULL)) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ continue;
+ }
+
+ ai = hostent2addrinfo(hp, pai);
+ if (ai) {
+ cur->ai_next = ai;
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ }
+ }
+
+ if (sentinel.ai_next == NULL)
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+
+ return(sentinel.ai_next);
+}
+
+/* Private. */
+
+static size_t
+ns_namelen(const char *s) {
+ int i;
+
+ for (i = strlen(s); i > 0 && s[i-1] == '.'; i--)
+ (void)NULL;
+ return ((size_t) i);
+}
+
+static int
+init(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !ho_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
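Review bot: ho_addrinfo is the only lookup method in this file that uses `pvt->res` without calling `init(this)` first; ho_byname, ho_byname2, ho_byaddr and ho_next all begin with that check. On an unsupported `pai->ai_family` the default branch runs `RES_SET_H_ERRNO(pvt->res, NO_RECOVERY)` before anything has created the resolver state. The final `RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND)` is reached with the same NULL pointer when init fails inside byname2. If the macro dereferences its first argument, as `__h_errno_set` in irs_data.c does with `res->res_h_errno = err`, that is a NULL dereference. Adding `if (init(this) == -1) return (NULL);` ahead of the switch closes both paths, and `memset(&q, 0, sizeof(q2));` should use `sizeof(q)`, which is harmless today only because both variables have the same type.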
diff --git a/contrib/bind9/lib/bind/irs/lcl_ng.c b/contrib/bind9/lib/bind/irs/lcl_ng.c
new file mode 100644
index 0000000..3c678f2
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_ng.c
@@ -0,0 +1,444 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: lcl_ng.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "lcl_p.h"
+
+/* Definitions */
+
+#define NG_HOST 0 /* Host name */
+#define NG_USER 1 /* User name */
+#define NG_DOM 2 /* and Domain name */
+#define LINSIZ 1024 /* Length of netgroup file line */
+
+/*
+ * XXX Warning XXX
+ * This code is a hack-and-slash special. It realy needs to be
+ * rewritten with things like strdup, and realloc in mind.
+ * More reasonable data structures would not be a bad thing.
+ */
+
+/*
+ * Static Variables and functions used by setnetgrent(), getnetgrent() and
+ * endnetgrent().
+ * There are two linked lists:
+ * - linelist is just used by setnetgrent() to parse the net group file via.
+ * parse_netgrp()
+ * - netgrp is the list of entries for the current netgroup
+ */
+struct linelist {
+ struct linelist *l_next; /* Chain ptr. */
+ int l_parsed; /* Flag for cycles */
+ char * l_groupname; /* Name of netgroup */
+ char * l_line; /* Netgroup entrie(s) to be parsed */
+};
+
+struct ng_old_struct {
+ struct ng_old_struct *ng_next; /* Chain ptr */
+ char * ng_str[3]; /* Field pointers, see below */
+};
+
+struct pvt {
+ FILE *fp;
+ struct linelist *linehead;
+ struct ng_old_struct *nextgrp;
+ struct {
+ struct ng_old_struct *gr;
+ char *grname;
+ } grouphead;
+};
+
+/* Forward */
+
+static void ng_rewind(struct irs_ng *, const char*);
+static void ng_close(struct irs_ng *);
+static int ng_next(struct irs_ng *, const char **,
+ const char **, const char **);
+static int ng_test(struct irs_ng *, const char *,
+ const char *, const char *,
+ const char *);
+static void ng_minimize(struct irs_ng *);
+
+static int parse_netgrp(struct irs_ng *, const char*);
+static struct linelist *read_for_group(struct irs_ng *, const char *);
+static void freelists(struct irs_ng *);
+
+/* Public */
+
+struct irs_ng *
+irs_lcl_ng(struct irs_acc *this) {
+ struct irs_ng *ng;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(ng = memget(sizeof *ng))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ng, 0x5e, sizeof *ng);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(ng, sizeof *ng);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ ng->private = pvt;
+ ng->close = ng_close;
+ ng->next = ng_next;
+ ng->test = ng_test;
+ ng->rewind = ng_rewind;
+ ng->minimize = ng_minimize;
+ return (ng);
+}
+
+/* Methods */
+
+static void
+ng_close(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL)
+ fclose(pvt->fp);
+ freelists(this);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+/*
+ * Parse the netgroup file looking for the netgroup and build the list
+ * of netgrp structures. Let parse_netgrp() and read_for_group() do
+ * most of the work.
+ */
+static void
+ng_rewind(struct irs_ng *this, const char *group) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL && fseek(pvt->fp, SEEK_CUR, 0L) == -1) {
+ fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+
+ if (pvt->fp == NULL || pvt->grouphead.gr == NULL ||
+ strcmp(group, pvt->grouphead.grname)) {
+ freelists(this);
+ if (pvt->fp != NULL)
+ fclose(pvt->fp);
+ pvt->fp = fopen(_PATH_NETGROUP, "r");
+ if (pvt->fp != NULL) {
+ if (parse_netgrp(this, group))
+ freelists(this);
+ if (!(pvt->grouphead.grname = strdup(group)))
+ freelists(this);
+ fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+ }
+ pvt->nextgrp = pvt->grouphead.gr;
+}
+
+/*
+ * Get the next netgroup off the list.
+ */
+static int
+ng_next(struct irs_ng *this, const char **host, const char **user,
+ const char **domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->nextgrp) {
+ *host = pvt->nextgrp->ng_str[NG_HOST];
+ *user = pvt->nextgrp->ng_str[NG_USER];
+ *domain = pvt->nextgrp->ng_str[NG_DOM];
+ pvt->nextgrp = pvt->nextgrp->ng_next;
+ return (1);
+ }
+ return (0);
+}
+
+/*
+ * Search for a match in a netgroup.
+ */
+static int
+ng_test(struct irs_ng *this, const char *name,
+ const char *host, const char *user, const char *domain)
+{
+ const char *ng_host, *ng_user, *ng_domain;
+
+ ng_rewind(this, name);
+ while (ng_next(this, &ng_host, &ng_user, &ng_domain))
+ if ((host == NULL || ng_host == NULL ||
+ !strcmp(host, ng_host)) &&
+ (user == NULL || ng_user == NULL ||
+ !strcmp(user, ng_user)) &&
+ (domain == NULL || ng_domain == NULL ||
+ !strcmp(domain, ng_domain))) {
+ freelists(this);
+ return (1);
+ }
+ freelists(this);
+ return (0);
+}
+
+static void
+ng_minimize(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+/* Private */
+
+/*
+ * endnetgrent() - cleanup
+ */
+static void
+freelists(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct linelist *lp, *olp;
+ struct ng_old_struct *gp, *ogp;
+
+ lp = pvt->linehead;
+ while (lp) {
+ olp = lp;
+ lp = lp->l_next;
+ free(olp->l_groupname);
+ free(olp->l_line);
+ free((char *)olp);
+ }
+ pvt->linehead = NULL;
+ if (pvt->grouphead.grname) {
+ free(pvt->grouphead.grname);
+ pvt->grouphead.grname = NULL;
+ }
+ gp = pvt->grouphead.gr;
+ while (gp) {
+ ogp = gp;
+ gp = gp->ng_next;
+ if (ogp->ng_str[NG_HOST])
+ free(ogp->ng_str[NG_HOST]);
+ if (ogp->ng_str[NG_USER])
+ free(ogp->ng_str[NG_USER]);
+ if (ogp->ng_str[NG_DOM])
+ free(ogp->ng_str[NG_DOM]);
+ free((char *)ogp);
+ }
+ pvt->grouphead.gr = NULL;
+}
+
+/*
+ * Parse the netgroup file setting up the linked lists.
+ */
+static int
+parse_netgrp(struct irs_ng *this, const char *group) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *spos, *epos;
+ int len, strpos;
+ char *pos, *gpos;
+ struct ng_old_struct *grp;
+ struct linelist *lp = pvt->linehead;
+
+ /*
+ * First, see if the line has already been read in.
+ */
+ while (lp) {
+ if (!strcmp(group, lp->l_groupname))
+ break;
+ lp = lp->l_next;
+ }
+ if (lp == NULL &&
+ (lp = read_for_group(this, group)) == NULL)
+ return (1);
+ if (lp->l_parsed) {
+ /*fprintf(stderr, "Cycle in netgroup %s\n", lp->l_groupname);*/
+ return (1);
+ } else
+ lp->l_parsed = 1;
+ pos = lp->l_line;
+ while (*pos != '\0') {
+ if (*pos == '(') {
+ if (!(grp = malloc(sizeof (struct ng_old_struct)))) {
+ freelists(this);
+ errno = ENOMEM;
+ return (1);
+ }
+ memset(grp, 0, sizeof (struct ng_old_struct));
+ grp->ng_next = pvt->grouphead.gr;
+ pvt->grouphead.gr = grp;
+ pos++;
+ gpos = strsep(&pos, ")");
+ for (strpos = 0; strpos < 3; strpos++) {
+ if ((spos = strsep(&gpos, ","))) {
+ while (*spos == ' ' || *spos == '\t')
+ spos++;
+ if ((epos = strpbrk(spos, " \t"))) {
+ *epos = '\0';
+ len = epos - spos;
+ } else
+ len = strlen(spos);
+ if (len > 0) {
+ if(!(grp->ng_str[strpos]
+ = (char *)
+ malloc(len + 1))) {
+ freelists(this);
+ return (1);
+ }
+ memcpy(grp->ng_str[strpos],
+ spos,
+ len + 1);
+ }
+ } else
+ goto errout;
+ }
+ } else {
+ spos = strsep(&pos, ", \t");
+ if (spos != NULL && parse_netgrp(this, spos)) {
+ freelists(this);
+ return (1);
+ }
+ }
+ if (pos == NULL)
+ break;
+ while (*pos == ' ' || *pos == ',' || *pos == '\t')
+ pos++;
+ }
+ return (0);
+ errout:
+ /*fprintf(stderr, "Bad netgroup %s at ..%s\n", lp->l_groupname,
+ spos);*/
+ return (1);
+}
+
+/*
+ * Read the netgroup file and save lines until the line for the netgroup
+ * is found. Return 1 if eof is encountered.
+ */
+static struct linelist *
+read_for_group(struct irs_ng *this, const char *group) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *pos, *spos, *linep = NULL, *olinep;
+ int len, olen, cont;
+ struct linelist *lp;
+ char line[LINSIZ + 1];
+
+ while (fgets(line, LINSIZ, pvt->fp) != NULL) {
+ pos = line;
+ if (*pos == '#')
+ continue;
+ while (*pos == ' ' || *pos == '\t')
+ pos++;
+ spos = pos;
+ while (*pos != ' ' && *pos != '\t' && *pos != '\n' &&
+ *pos != '\0')
+ pos++;
+ len = pos - spos;
+ while (*pos == ' ' || *pos == '\t')
+ pos++;
+ if (*pos != '\n' && *pos != '\0') {
+ if (!(lp = malloc(sizeof (*lp)))) {
+ freelists(this);
+ return (NULL);
+ }
+ lp->l_parsed = 0;
+ if (!(lp->l_groupname = malloc(len + 1))) {
+ free(lp);
+ freelists(this);
+ return (NULL);
+ }
+ memcpy(lp->l_groupname, spos, len);
+ *(lp->l_groupname + len) = '\0';
+ len = strlen(pos);
+ olen = 0;
+ olinep = NULL;
+
+ /*
+ * Loop around handling line continuations.
+ */
+ do {
+ if (*(pos + len - 1) == '\n')
+ len--;
+ if (*(pos + len - 1) == '\\') {
+ len--;
+ cont = 1;
+ } else
+ cont = 0;
+ if (len > 0) {
+ if (!(linep = malloc(olen + len + 1))){
+ if (olen > 0)
+ free(olinep);
+ free(lp->l_groupname);
+ free(lp);
+ freelists(this);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ if (olen > 0) {
+ memcpy(linep, olinep, olen);
+ free(olinep);
+ }
+ memcpy(linep + olen, pos, len);
+ olen += len;
+ *(linep + olen) = '\0';
+ olinep = linep;
+ }
+ if (cont) {
+ if (fgets(line, LINSIZ, pvt->fp)) {
+ pos = line;
+ len = strlen(pos);
+ } else
+ cont = 0;
+ }
+ } while (cont);
+ lp->l_line = linep;
+ lp->l_next = pvt->linehead;
+ pvt->linehead = lp;
+
+ /*
+ * If this is the one we wanted, we are done.
+ */
+ if (!strcmp(lp->l_groupname, group))
+ return (lp);
+ }
+ }
+ return (NULL);
+}
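Review bot: In read_for_group() the continuation loop tests `*(pos + len - 1)` without checking `len`, and `linep` is initialised once at the top of the function instead of once per netgroup line. A continuation line that is empty once its newline is stripped makes the second test read the byte before `line[]`. An entry whose body is only a backslash, with an empty or missing continuation, keeps the previous entry's `linep`: two `linelist` nodes then share one `l_line` and freelists() frees it twice, or for the first entry `l_line` stays NULL and parse_netgrp() dereferences it. Guard both tests with `len > 0`, reset `linep` beside `olinep`, and drop an entry that ends up with no body, as sketched below.

```c
		len = strlen(pos);
		olen = 0;
		olinep = NULL;
		linep = NULL;	/* do not inherit the previous entry's buffer */

		do {
			if (len > 0 && *(pos + len - 1) == '\n')
				len--;
			if (len > 0 && *(pos + len - 1) == '\\') {
				len--;
				cont = 1;
			} else
				cont = 0;
			/* ... unchanged: append pos[0..len) to linep, fetch the continuation line ... */
		} while (cont);
		if (linep == NULL) {
			/* entry without a body: skip it rather than store a NULL line */
			free(lp->l_groupname);
			free(lp);
			continue;
		}
		lp->l_line = linep;
```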
diff --git a/contrib/bind9/lib/bind/irs/lcl_nw.c b/contrib/bind9/lib/bind/irs/lcl_nw.c
new file mode 100644
index 0000000..7d04672
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_nw.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_nw.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
+/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include <isc/misc.h>
+#include "irs_p.h"
+#include "lcl_p.h"
+
+#define MAXALIASES 35
+#define MAXADDRSIZE 4
+
+struct pvt {
+ FILE * fp;
+ char line[BUFSIZ+1];
+ struct nwent net;
+ char * aliases[MAXALIASES];
+ char addr[MAXADDRSIZE];
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+/* Forward */
+
+static void nw_close(struct irs_nw *);
+static struct nwent * nw_byname(struct irs_nw *, const char *, int);
+static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
+static struct nwent * nw_next(struct irs_nw *);
+static void nw_rewind(struct irs_nw *);
+static void nw_minimize(struct irs_nw *);
+static struct __res_state * nw_res_get(struct irs_nw *this);
+static void nw_res_set(struct irs_nw *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+
+static int init(struct irs_nw *this);
+
+/* Portability. */
+
+#ifndef SEEK_SET
+# define SEEK_SET 0
+#endif
+
+/* Public */
+
+struct irs_nw *
+irs_lcl_nw(struct irs_acc *this) {
+ struct irs_nw *nw;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(nw = memget(sizeof *nw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nw, 0x5e, sizeof *nw);
+ nw->private = pvt;
+ nw->close = nw_close;
+ nw->byname = nw_byname;
+ nw->byaddr = nw_byaddr;
+ nw->next = nw_next;
+ nw->rewind = nw_rewind;
+ nw->minimize = nw_minimize;
+ nw->res_get = nw_res_get;
+ nw->res_set = nw_res_set;
+ return (nw);
+}
+
+/* Methods */
+
+static void
+nw_close(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nw_minimize(this);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ if (pvt->fp)
+ (void)fclose(pvt->fp);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct nwent *
+nw_byaddr(struct irs_nw *this, void *net, int length, int type) {
+ struct nwent *p;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ nw_rewind(this);
+ while ((p = nw_next(this)) != NULL)
+ if (p->n_addrtype == type && p->n_length == length)
+ if (bitncmp(p->n_addr, net, length) == 0)
+ break;
+ return (p);
+}
+
+static struct nwent *
+nw_byname(struct irs_nw *this, const char *name, int type) {
+ struct nwent *p;
+ char **ap;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ nw_rewind(this);
+ while ((p = nw_next(this)) != NULL) {
+ if (ns_samename(p->n_name, name) == 1 &&
+ p->n_addrtype == type)
+ break;
+ for (ap = p->n_aliases; *ap; ap++)
+ if ((ns_samename(*ap, name) == 1) &&
+ (p->n_addrtype == type))
+ goto found;
+ }
+ found:
+ return (p);
+}
+
+static void
+nw_rewind(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp) {
+ if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
+ return;
+ (void)fclose(pvt->fp);
+ }
+ if (!(pvt->fp = fopen(_PATH_NETWORKS, "r")))
+ return;
+ if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+static struct nwent *
+nw_next(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *ret = NULL;
+ char *p, *cp, **q;
+ char *bufp, *ndbuf, *dbuf = NULL;
+ int c, bufsiz, offset = 0;
+
+ if (init(this) == -1)
+ return(NULL);
+
+ if (pvt->fp == NULL)
+ nw_rewind(this);
+ if (pvt->fp == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ bufp = pvt->line;
+ bufsiz = sizeof(pvt->line);
+
+ again:
+ p = fgets(bufp + offset, bufsiz - offset, pvt->fp);
+ if (p == NULL)
+ goto cleanup;
+ if (!strchr(p, '\n') && !feof(pvt->fp)) {
+#define GROWBUF 1024
+ /* allocate space for longer line */
+ if (dbuf == NULL) {
+ if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
+ strcpy(ndbuf, bufp);
+ } else
+ ndbuf = realloc(dbuf, bufsiz + GROWBUF);
+ if (ndbuf) {
+ dbuf = ndbuf;
+ bufp = dbuf;
+ bufsiz += GROWBUF;
+ offset = strlen(dbuf);
+ } else {
+ /* allocation failed; skip this long line */
+ while ((c = getc(pvt->fp)) != EOF)
+ if (c == '\n')
+ break;
+ if (c != EOF)
+ ungetc(c, pvt->fp);
+ }
+ goto again;
+ }
+
+ p -= offset;
+ offset = 0;
+
+ if (*p == '#')
+ goto again;
+
+ cp = strpbrk(p, "#\n");
+ if (cp != NULL)
+ *cp = '\0';
+ pvt->net.n_name = p;
+ cp = strpbrk(p, " \t");
+ if (cp == NULL)
+ goto again;
+ *cp++ = '\0';
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ p = strpbrk(cp, " \t");
+ if (p != NULL)
+ *p++ = '\0';
+ pvt->net.n_length = inet_net_pton(AF_INET, cp, pvt->addr,
+ sizeof pvt->addr);
+ if (pvt->net.n_length < 0)
+ goto again;
+ pvt->net.n_addrtype = AF_INET;
+ pvt->net.n_addr = pvt->addr;
+ q = pvt->net.n_aliases = pvt->aliases;
+ if (p != NULL) {
+ cp = p;
+ while (cp && *cp) {
+ if (*cp == ' ' || *cp == '\t') {
+ cp++;
+ continue;
+ }
+ if (q < &pvt->aliases[MAXALIASES - 1])
+ *q++ = cp;
+ cp = strpbrk(cp, " \t");
+ if (cp != NULL)
+ *cp++ = '\0';
+ }
+ }
+ *q = NULL;
+ ret = &pvt->net;
+
+ cleanup:
+ if (dbuf)
+ free(dbuf);
+
+ return (ret);
+}
+
+static void
+nw_minimize(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+ if (pvt->fp != NULL) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+static struct __res_state *
+nw_res_get(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ nw_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+nw_res_set(struct irs_nw *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+static int
+init(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !nw_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0U) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
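Review bot: nw_next() frees `dbuf` at `cleanup:` on the success path as well, but for a line longer than `pvt->line` the returned `pvt->net.n_name` and the `pvt->aliases[]` entries point into that heap buffer. Callers such as nw_byname(), which passes `p->n_name` to ns_samename(), then read freed memory for any over-long line in the networks file. The buffer has to outlive the returned entry: keep it in `struct pvt`, release it at the start of the next nw_next() call, and free it in nw_close() too. Separately, when realloc() fails `offset` keeps its previous value, so the following line is appended to the partial one.

```c
struct pvt {
	/* ... unchanged: fp, line, net, aliases, addr, res, free_res ... */
	char *	dbuf;	/* heap line backing the last returned nwent */
};

	/* in nw_next(), before the first fgets(): release the previous line */
	if (pvt->dbuf != NULL) {
		free(pvt->dbuf);
		pvt->dbuf = NULL;
	}
	/* ... unchanged: read and parse the line ... */
	*q = NULL;
	ret = &pvt->net;
	pvt->dbuf = dbuf;	/* n_name and n_aliases may point into it */
	dbuf = NULL;

 cleanup:
	if (dbuf)
		free(dbuf);
```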
diff --git a/contrib/bind9/lib/bind/irs/lcl_p.h b/contrib/bind9/lib/bind/irs/lcl_p.h
new file mode 100644
index 0000000..44dd621
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_p.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: lcl_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
+ */
+
+/*
+ * lcl_p.h - private include file for the local accessor functions.
+ */
+
+#ifndef _LCL_P_H_INCLUDED
+#define _LCL_P_H_INCLUDED
+
+/*
+ * Object state.
+ */
+struct lcl_p {
+ struct __res_state * res;
+ void (*free_res) __P((void *));
+};
+
+/*
+ * Externs.
+ */
+
+extern struct irs_acc * irs_lcl_acc __P((const char *));
+extern struct irs_gr * irs_lcl_gr __P((struct irs_acc *));
+extern struct irs_pw * irs_lcl_pw __P((struct irs_acc *));
+extern struct irs_sv * irs_lcl_sv __P((struct irs_acc *));
+extern struct irs_pr * irs_lcl_pr __P((struct irs_acc *));
+extern struct irs_ho * irs_lcl_ho __P((struct irs_acc *));
+extern struct irs_nw * irs_lcl_nw __P((struct irs_acc *));
+extern struct irs_ng * irs_lcl_ng __P((struct irs_acc *));
+
+#endif /*_LCL_P_H_INCLUDED*/
diff --git a/contrib/bind9/lib/bind/irs/lcl_pr.c b/contrib/bind9/lib/bind/irs/lcl_pr.c
new file mode 100644
index 0000000..d8f909e
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_pr.c
@@ -0,0 +1,284 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_pr.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "lcl_p.h"
+
+#ifndef _PATH_PROTOCOLS
+#define _PATH_PROTOCOLS "/etc/protocols"
+#endif
+#define MAXALIASES 35
+
+/* Types */
+
+struct pvt {
+ FILE * fp;
+ char line[BUFSIZ+1];
+ struct protoent proto;
+ char * proto_aliases[MAXALIASES];
+};
+
+/* Forward */
+
+static void pr_close(struct irs_pr *);
+static struct protoent * pr_next(struct irs_pr *);
+static struct protoent * pr_byname(struct irs_pr *, const char *);
+static struct protoent * pr_bynumber(struct irs_pr *, int);
+static void pr_rewind(struct irs_pr *);
+static void pr_minimize(struct irs_pr *);
+
+/* Portability. */
+
+#ifndef SEEK_SET
+# define SEEK_SET 0
+#endif
+
+/* Public */
+
+struct irs_pr *
+irs_lcl_pr(struct irs_acc *this) {
+ struct irs_pr *pr;
+ struct pvt *pvt;
+
+ if (!(pr = memget(sizeof *pr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pr, sizeof *this);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pr->private = pvt;
+ pr->close = pr_close;
+ pr->byname = pr_byname;
+ pr->bynumber = pr_bynumber;
+ pr->next = pr_next;
+ pr->rewind = pr_rewind;
+ pr->minimize = pr_minimize;
+ pr->res_get = NULL;
+ pr->res_set = NULL;
+ return (pr);
+}
+
+/* Methods */
+
+static void
+pr_close(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp)
+ (void) fclose(pvt->fp);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct protoent *
+pr_byname(struct irs_pr *this, const char *name) {
+
+ struct protoent *p;
+ char **cp;
+
+ pr_rewind(this);
+ while ((p = pr_next(this))) {
+ if (!strcmp(p->p_name, name))
+ goto found;
+ for (cp = p->p_aliases; *cp; cp++)
+ if (!strcmp(*cp, name))
+ goto found;
+ }
+ found:
+ return (p);
+}
+
+static struct protoent *
+pr_bynumber(struct irs_pr *this, int proto) {
+ struct protoent *p;
+
+ pr_rewind(this);
+ while ((p = pr_next(this)))
+ if (p->p_proto == proto)
+ break;
+ return (p);
+}
+
+static void
+pr_rewind(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp) {
+ if (fseek(pvt->fp, 0L, SEEK_SET) == 0)
+ return;
+ (void)fclose(pvt->fp);
+ }
+ if (!(pvt->fp = fopen(_PATH_PROTOCOLS, "r" )))
+ return;
+ if (fcntl(fileno(pvt->fp), F_SETFD, 1) < 0) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
+
+static struct protoent *
+pr_next(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *p, *cp, **q;
+ char *bufp, *ndbuf, *dbuf = NULL;
+ int c, bufsiz, offset;
+
+ if (!pvt->fp)
+ pr_rewind(this);
+ if (!pvt->fp)
+ return (NULL);
+ bufp = pvt->line;
+ bufsiz = BUFSIZ;
+ offset = 0;
+ again:
+ if ((p = fgets(bufp + offset, bufsiz - offset, pvt->fp)) == NULL) {
+ if (dbuf)
+ free(dbuf);
+ return (NULL);
+ }
+ if (!strchr(p, '\n') && !feof(pvt->fp)) {
+#define GROWBUF 1024
+ /* allocate space for longer line */
+ if (dbuf == NULL) {
+ if ((ndbuf = malloc(bufsiz + GROWBUF)) != NULL)
+ strcpy(ndbuf, bufp);
+ } else
+ ndbuf = realloc(dbuf, bufsiz + GROWBUF);
+ if (ndbuf) {
+ dbuf = ndbuf;
+ bufp = dbuf;
+ bufsiz += GROWBUF;
+ offset = strlen(dbuf);
+ } else {
+ /* allocation failed; skip this long line */
+ while ((c = getc(pvt->fp)) != EOF)
+ if (c == '\n')
+ break;
+ if (c != EOF)
+ ungetc(c, pvt->fp);
+ }
+ goto again;
+ }
+
+ p -= offset;
+ offset = 0;
+
+ if (*p == '#')
+ goto again;
+ cp = strpbrk(p, "#\n");
+ if (cp != NULL)
+ *cp = '\0';
+ pvt->proto.p_name = p;
+ cp = strpbrk(p, " \t");
+ if (cp == NULL)
+ goto again;
+ *cp++ = '\0';
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ p = strpbrk(cp, " \t");
+ if (p != NULL)
+ *p++ = '\0';
+ pvt->proto.p_proto = atoi(cp);
+ q = pvt->proto.p_aliases = pvt->proto_aliases;
+ if (p != NULL) {
+ cp = p;
+ while (cp && *cp) {
+ if (*cp == ' ' || *cp == '\t') {
+ cp++;
+ continue;
+ }
+ if (q < &pvt->proto_aliases[MAXALIASES - 1])
+ *q++ = cp;
+ cp = strpbrk(cp, " \t");
+ if (cp != NULL)
+ *cp++ = '\0';
+ }
+ }
+ *q = NULL;
+ return (&pvt->proto);
+}
+
+static void
+pr_minimize(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->fp != NULL) {
+ (void)fclose(pvt->fp);
+ pvt->fp = NULL;
+ }
+}
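Review bot: The allocation-failure path in irs_lcl_pr() releases the object with `memput(pr, sizeof *this)`, where `this` is the `struct irs_acc *` argument and not the `struct irs_pr` that memget() was asked for. The size handed back to memput() therefore presumably does not match the allocation; irs_lcl_ng() and irs_lcl_nw() in this same commit pass the size of the object they free, and this line should read `memput(pr, sizeof *pr);`. pr_next() also returns on success without freeing or recording `dbuf`, so each line longer than `pvt->line` leaks its heap buffer.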
diff --git a/contrib/bind9/lib/bind/irs/lcl_pw.c b/contrib/bind9/lib/bind/irs/lcl_pw.c
new file mode 100644
index 0000000..dc31dd2
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_pw.c
@@ -0,0 +1,308 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_pw.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Extern */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_PW
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <db.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pwd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <utmp.h>
+#include <unistd.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "lcl_p.h"
+
+/*
+ * The lookup techniques and data extraction code here must be kept
+ * in sync with that in `pwd_mkdb'.
+ */
+
+
+/* Types */
+
+struct pvt {
+ struct passwd passwd; /* password structure */
+ DB *pw_db; /* password database */
+ int pw_keynum; /* key counter */
+ int warned;
+ u_int max;
+ char * line;
+};
+
+/* Forward */
+
+static void pw_close(struct irs_pw *);
+static struct passwd * pw_next(struct irs_pw *);
+static struct passwd * pw_byname(struct irs_pw *, const char *);
+static struct passwd * pw_byuid(struct irs_pw *, uid_t);
+static void pw_rewind(struct irs_pw *);
+static void pw_minimize(struct irs_pw *);
+
+static int initdb(struct pvt *);
+static int hashpw(struct irs_pw *, DBT *);
+
+/* Public */
+struct irs_pw *
+irs_lcl_pw(struct irs_acc *this) {
+ struct irs_pw *pw;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if (!(pw = memget(sizeof *pw))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pw, 0x5e, sizeof *pw);
+ if (!(pvt = memget(sizeof *pvt))) {
+ free(pw);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pw->private = pvt;
+ pw->close = pw_close;
+ pw->next = pw_next;
+ pw->byname = pw_byname;
+ pw->byuid = pw_byuid;
+ pw->rewind = pw_rewind;
+ pw->minimize = pw_minimize;
+ pw->res_get = NULL;
+ pw->res_set = NULL;
+ return (pw);
+}
+
+/* Methods */
+
+static void
+pw_close(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->pw_db) {
+ (void)(pvt->pw_db->close)(pvt->pw_db);
+ pvt->pw_db = NULL;
+ }
+ if (pvt->line)
+ memput(pvt->line, pvt->max);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct passwd *
+pw_next(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ DBT key;
+ char bf[sizeof(pvt->pw_keynum) + 1];
+
+ if (!initdb(pvt))
+ return (NULL);
+
+ ++pvt->pw_keynum;
+ bf[0] = _PW_KEYBYNUM;
+ memcpy(bf + 1, (char *)&pvt->pw_keynum, sizeof(pvt->pw_keynum));
+ key.data = (u_char *)bf;
+ key.size = sizeof(pvt->pw_keynum) + 1;
+ return (hashpw(this, &key) ? &pvt->passwd : NULL);
+}
+
+static struct passwd *
+pw_byname(struct irs_pw *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ DBT key;
+ int len, rval;
+ char bf[UT_NAMESIZE + 1];
+
+ if (!initdb(pvt))
+ return (NULL);
+
+ bf[0] = _PW_KEYBYNAME;
+ len = strlen(name);
+ memcpy(bf + 1, name, MIN(len, UT_NAMESIZE));
+ key.data = (u_char *)bf;
+ key.size = len + 1;
+ rval = hashpw(this, &key);
+
+ return (rval ? &pvt->passwd : NULL);
+}
+
+
+static struct passwd *
+pw_byuid(struct irs_pw *this, uid_t uid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ DBT key;
+ int keyuid, rval;
+ char bf[sizeof(keyuid) + 1];
+
+ if (!initdb(pvt))
+ return (NULL);
+
+ bf[0] = _PW_KEYBYUID;
+ keyuid = uid;
+ memcpy(bf + 1, &keyuid, sizeof(keyuid));
+ key.data = (u_char *)bf;
+ key.size = sizeof(keyuid) + 1;
+ rval = hashpw(this, &key);
+
+ return (rval ? &pvt->passwd : NULL);
+}
+
+static void
+pw_rewind(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->pw_keynum = 0;
+}
+
+static void
+pw_minimize(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->pw_db != NULL) {
+ (void) (*pvt->pw_db->close)(pvt->pw_db);
+ pvt->pw_db = NULL;
+ }
+}
+
+/* Private. */
+
+static int
+initdb(struct pvt *pvt) {
+ const char *p;
+
+ if (pvt->pw_db) {
+ if (lseek((*pvt->pw_db->fd)(pvt->pw_db), 0L, SEEK_CUR) >= 0L)
+ return (1);
+ else
+ (void) (*pvt->pw_db->close)(pvt->pw_db);
+ }
+ pvt->pw_db = dbopen((p = _PATH_SMP_DB), O_RDONLY, 0, DB_HASH, NULL);
+ if (!pvt->pw_db)
+ pvt->pw_db = dbopen((p =_PATH_MP_DB), O_RDONLY,
+ 0, DB_HASH, NULL);
+ if (pvt->pw_db)
+ return (1);
+ if (!pvt->warned) {
+ syslog(LOG_ERR, "%s: %m", p);
+ pvt->warned++;
+ }
+ return (0);
+}
+
+static int
+hashpw(struct irs_pw *this, DBT *key) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *p, *t, *l;
+ DBT data;
+
+ if ((pvt->pw_db->get)(pvt->pw_db, key, &data, 0))
+ return (0);
+ p = (char *)data.data;
+ if (data.size > pvt->max) {
+ size_t newlen = pvt->max + 1024;
+ char *p = memget(newlen);
+ if (p == NULL) {
+ return (0);
+ }
+ if (pvt->line != NULL) {
+ memcpy(p, pvt->line, pvt->max);
+ memput(pvt->line, pvt->max);
+ }
+ pvt->max = newlen;
+ pvt->line = p;
+ }
+
+ /* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
+ t = pvt->line;
+ l = pvt->line + pvt->max;
+#define EXPAND(e) if ((e = t) == NULL) return (0); else \
+ do if (t >= l) return (0); while ((*t++ = *p++) != '\0')
+#define SCALAR(v) if (t + sizeof v >= l) return (0); else \
+ (memmove(&(v), p, sizeof v), p += sizeof v)
+ EXPAND(pvt->passwd.pw_name);
+ EXPAND(pvt->passwd.pw_passwd);
+ SCALAR(pvt->passwd.pw_uid);
+ SCALAR(pvt->passwd.pw_gid);
+ SCALAR(pvt->passwd.pw_change);
+ EXPAND(pvt->passwd.pw_class);
+ EXPAND(pvt->passwd.pw_gecos);
+ EXPAND(pvt->passwd.pw_dir);
+ EXPAND(pvt->passwd.pw_shell);
+ SCALAR(pvt->passwd.pw_expire);
+ return (1);
+}
+
+#endif /* WANT_IRS_PW */
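Review bot: In pw_byname, `key.size = len + 1` uses the unclamped strlen(name) although only MIN(len, UT_NAMESIZE) bytes were copied into the UT_NAMESIZE + 1 byte `bf`. For a name longer than UT_NAMESIZE, the key passed to the db `get` in hashpw therefore claims more bytes than the stack buffer holds. Rejecting over-long names before the copy avoids both the over-read and a lookup on a truncated name: `if (len > UT_NAMESIZE) return (NULL);` right after `len = strlen(name);`. Separately, irs_lcl_pw releases `pw` with `free(pw)` when the second memget() fails; `memput(pw, sizeof *pw)` would match the allocator, as irs_lcl_sv in lcl_sv.c does.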
diff --git a/contrib/bind9/lib/bind/irs/lcl_sv.c b/contrib/bind9/lib/bind/irs/lcl_sv.c
new file mode 100644
index 0000000..b407d7f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/lcl_sv.c
@@ -0,0 +1,431 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: lcl_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* extern */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#ifdef IRS_LCL_SV_DB
+#include <db.h>
+#endif
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "lcl_p.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Types */
+
+struct pvt {
+#ifdef IRS_LCL_SV_DB
+ DB * dbh;
+ int dbf;
+#endif
+ struct lcl_sv sv;
+};
+
+/* Forward */
+
+static void sv_close(struct irs_sv*);
+static struct servent * sv_next(struct irs_sv *);
+static struct servent * sv_byname(struct irs_sv *, const char *,
+ const char *);
+static struct servent * sv_byport(struct irs_sv *, int, const char *);
+static void sv_rewind(struct irs_sv *);
+static void sv_minimize(struct irs_sv *);
+/*global*/ struct servent * irs_lclsv_fnxt(struct lcl_sv *);
+#ifdef IRS_LCL_SV_DB
+static struct servent * sv_db_rec(struct lcl_sv *, DBT *, DBT *);
+#endif
+
+/* Portability */
+
+#ifndef SEEK_SET
+# define SEEK_SET 0
+#endif
+
+/* Public */
+
+struct irs_sv *
+irs_lcl_sv(struct irs_acc *this) {
+ struct irs_sv *sv;
+ struct pvt *pvt;
+
+ UNUSED(this);
+
+ if ((sv = memget(sizeof *sv)) == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(sv, 0x5e, sizeof *sv);
+ if ((pvt = memget(sizeof *pvt)) == NULL) {
+ memput(sv, sizeof *sv);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ sv->private = pvt;
+ sv->close = sv_close;
+ sv->next = sv_next;
+ sv->byname = sv_byname;
+ sv->byport = sv_byport;
+ sv->rewind = sv_rewind;
+ sv->minimize = sv_minimize;
+ sv->res_get = NULL;
+ sv->res_set = NULL;
+#ifdef IRS_LCL_SV_DB
+ pvt->dbf = R_FIRST;
+#endif
+ return (sv);
+}
+
+/* Methods */
+
+static void
+sv_close(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh != NULL)
+ (*pvt->dbh->close)(pvt->dbh);
+#endif
+ if (pvt->sv.fp)
+ fclose(pvt->sv.fp);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct servent *
+sv_byname(struct irs_sv *this, const char *name, const char *proto) {
+#ifdef IRS_LCL_SV_DB
+ struct pvt *pvt = (struct pvt *)this->private;
+#endif
+ struct servent *p;
+ char **cp;
+
+ sv_rewind(this);
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh != NULL) {
+ DBT key, data;
+
+ /* Note that (sizeof "/") == 2. */
+ if ((strlen(name) + sizeof "/" + proto ? strlen(proto) : 0)
+ > sizeof pvt->sv.line)
+ goto try_local;
+ key.data = pvt->sv.line;
+ key.size = SPRINTF((pvt->sv.line, "%s/%s", name,
+ proto ? proto : "")) + 1;
+ if (proto != NULL) {
+ if ((*pvt->dbh->get)(pvt->dbh, &key, &data, 0) != 0)
+ return (NULL);
+ } else if ((*pvt->dbh->seq)(pvt->dbh, &key, &data, R_CURSOR)
+ != 0)
+ return (NULL);
+ return (sv_db_rec(&pvt->sv, &key, &data));
+ }
+ try_local:
+#endif
+
+ while ((p = sv_next(this))) {
+ if (strcmp(name, p->s_name) == 0)
+ goto gotname;
+ for (cp = p->s_aliases; *cp; cp++)
+ if (strcmp(name, *cp) == 0)
+ goto gotname;
+ continue;
+ gotname:
+ if (proto == NULL || strcmp(p->s_proto, proto) == 0)
+ break;
+ }
+ return (p);
+}
+
+static struct servent *
+sv_byport(struct irs_sv *this, int port, const char *proto) {
+#ifdef IRS_LCL_SV_DB
+ struct pvt *pvt = (struct pvt *)this->private;
+#endif
+ struct servent *p;
+
+ sv_rewind(this);
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh != NULL) {
+ DBT key, data;
+ u_short *ports;
+
+ ports = (u_short *)pvt->sv.line;
+ ports[0] = 0;
+ ports[1] = port;
+ key.data = ports;
+ key.size = sizeof(u_short) * 2;
+ if (proto && *proto) {
+ strncpy((char *)ports + key.size, proto,
+ BUFSIZ - key.size);
+ key.size += strlen((char *)ports + key.size) + 1;
+ if ((*pvt->dbh->get)(pvt->dbh, &key, &data, 0) != 0)
+ return (NULL);
+ } else {
+ if ((*pvt->dbh->seq)(pvt->dbh, &key, &data, R_CURSOR)
+ != 0)
+ return (NULL);
+ }
+ return (sv_db_rec(&pvt->sv, &key, &data));
+ }
+#endif
+ while ((p = sv_next(this))) {
+ if (p->s_port != port)
+ continue;
+ if (proto == NULL || strcmp(p->s_proto, proto) == 0)
+ break;
+ }
+ return (p);
+}
+
+static void
+sv_rewind(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->sv.fp) {
+ if (fseek(pvt->sv.fp, 0L, SEEK_SET) == 0)
+ return;
+ (void)fclose(pvt->sv.fp);
+ pvt->sv.fp = NULL;
+ }
+#ifdef IRS_LCL_SV_DB
+ pvt->dbf = R_FIRST;
+ if (pvt->dbh != NULL)
+ return;
+ pvt->dbh = dbopen(_PATH_SERVICES_DB, O_RDONLY,O_RDONLY,DB_BTREE, NULL);
+ if (pvt->dbh != NULL) {
+ if (fcntl((*pvt->dbh->fd)(pvt->dbh), F_SETFD, 1) < 0) {
+ (*pvt->dbh->close)(pvt->dbh);
+ pvt->dbh = NULL;
+ }
+ return;
+ }
+#endif
+ if ((pvt->sv.fp = fopen(_PATH_SERVICES, "r")) == NULL)
+ return;
+ if (fcntl(fileno(pvt->sv.fp), F_SETFD, 1) < 0) {
+ (void)fclose(pvt->sv.fp);
+ pvt->sv.fp = NULL;
+ }
+}
+
+static struct servent *
+sv_next(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh == NULL && pvt->sv.fp == NULL)
+#else
+ if (pvt->sv.fp == NULL)
+#endif
+ sv_rewind(this);
+
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh != NULL) {
+ DBT key, data;
+
+ while ((*pvt->dbh->seq)(pvt->dbh, &key, &data, pvt->dbf) == 0){
+ pvt->dbf = R_NEXT;
+ if (((char *)key.data)[0])
+ continue;
+ return (sv_db_rec(&pvt->sv, &key, &data));
+ }
+ }
+#endif
+
+ if (pvt->sv.fp == NULL)
+ return (NULL);
+ return (irs_lclsv_fnxt(&pvt->sv));
+}
+
+static void
+sv_minimize(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+#ifdef IRS_LCL_SV_DB
+ if (pvt->dbh != NULL) {
+ (*pvt->dbh->close)(pvt->dbh);
+ pvt->dbh = NULL;
+ }
+#endif
+ if (pvt->sv.fp != NULL) {
+ (void)fclose(pvt->sv.fp);
+ pvt->sv.fp = NULL;
+ }
+}
+
+/* Quasipublic. */
+
+struct servent *
+irs_lclsv_fnxt(struct lcl_sv *sv) {
+ char *p, *cp, **q;
+
+ again:
+ if ((p = fgets(sv->line, BUFSIZ, sv->fp)) == NULL)
+ return (NULL);
+ if (*p == '#')
+ goto again;
+ sv->serv.s_name = p;
+ while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
+ ++p;
+ if (*p == '\0' || *p == '#' || *p == '\n')
+ goto again;
+ *p++ = '\0';
+ while (*p == ' ' || *p == '\t')
+ p++;
+ if (*p == '\0' || *p == '#' || *p == '\n')
+ goto again;
+ sv->serv.s_port = htons((u_short)strtol(p, &cp, 10));
+ if (cp == p || (*cp != '/' && *cp != ','))
+ goto again;
+ p = cp + 1;
+ sv->serv.s_proto = p;
+
+ q = sv->serv.s_aliases = sv->serv_aliases;
+
+ while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
+ ++p;
+
+ while (*p == ' ' || *p == '\t') {
+ *p++ = '\0';
+ while (*p == ' ' || *p == '\t')
+ ++p;
+ if (*p == '\0' || *p == '#' || *p == '\n')
+ break;
+ if (q < &sv->serv_aliases[IRS_SV_MAXALIASES - 1])
+ *q++ = p;
+ while (*p && *p != '\n' && *p != ' ' && *p != '\t' && *p != '#')
+ ++p;
+ }
+
+ *p = '\0';
+ *q = NULL;
+ return (&sv->serv);
+}
+
+/* Private. */
+
+#ifdef IRS_LCL_SV_DB
+static struct servent *
+sv_db_rec(struct lcl_sv *sv, DBT *key, DBT *data) {
+ char *p, **q;
+ int n;
+
+ p = data->data;
+ p[data->size - 1] = '\0'; /* should be, but we depend on it */
+
+ if (((char *)key->data)[0] == '\0') {
+ if (key->size < sizeof(u_short)*2 || data->size < 2)
+ return (NULL);
+ sv->serv.s_port = ((u_short *)key->data)[1];
+ n = strlen(p) + 1;
+ if ((size_t)n > sizeof(sv->line)) {
+ n = sizeof(sv->line);
+ }
+ memcpy(sv->line, p, n);
+ sv->serv.s_name = sv->line;
+ if ((sv->serv.s_proto = strchr(sv->line, '/')) != NULL)
+ *(sv->serv.s_proto)++ = '\0';
+ p += n;
+ data->size -= n;
+ } else {
+ if (data->size < sizeof(u_short) + 1)
+ return (NULL);
+ if (key->size > sizeof(sv->line))
+ key->size = sizeof(sv->line);
+ ((char *)key->data)[key->size - 1] = '\0';
+ memcpy(sv->line, key->data, key->size);
+ sv->serv.s_name = sv->line;
+ if ((sv->serv.s_proto = strchr(sv->line, '/')) != NULL)
+ *(sv->serv.s_proto)++ = '\0';
+ sv->serv.s_port = *(u_short *)data->data;
+ p += sizeof(u_short);
+ data->size -= sizeof(u_short);
+ }
+ q = sv->serv.s_aliases = sv->serv_aliases;
+ while (data->size > 0 && q < &sv->serv_aliases[IRS_SV_MAXALIASES - 1]) {
+
+ *q++ = p;
+ n = strlen(p) + 1;
+ data->size -= n;
+ p += n;
+ }
+ *q = NULL;
+ return (&sv->serv);
+}
+#endif
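Review bot: The length guard in sv_byname, `strlen(name) + sizeof "/" + proto ? strlen(proto) : 0`, does not parse as intended, because `+` binds tighter than `?:`. The whole sum becomes the condition, so the value compared with `sizeof pvt->sv.line` is only strlen(proto), and a NULL proto would in practice reach strlen(). The name length is therefore never checked before `SPRINTF((pvt->sv.line, "%s/%s", ...))` writes it into the fixed line buffer. Parenthesise the conditional: `if (strlen(name) + sizeof "/" + (proto ? strlen(proto) : 0) > sizeof pvt->sv.line)`. The path is compiled only when IRS_LCL_SV_DB is defined.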
diff --git a/contrib/bind9/lib/bind/irs/nis.c b/contrib/bind9/lib/bind/irs/nis.c
new file mode 100644
index 0000000..70eaaed
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis.c
@@ -0,0 +1,154 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis.c,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifdef WANT_IRS_NIS
+
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "nis_p.h"
+
+/* Forward */
+
+static void nis_close(struct irs_acc *);
+static struct __res_state * nis_res_get(struct irs_acc *);
+static void nis_res_set(struct irs_acc *, struct __res_state *,
+ void (*)(void *));
+
+/* Public */
+
+struct irs_acc *
+irs_nis_acc(const char *options) {
+ struct nis_p *nis;
+ struct irs_acc *acc;
+ char *domain;
+
+ UNUSED(options);
+
+ if (yp_get_default_domain(&domain) != 0)
+ return (NULL);
+ if (!(nis = memget(sizeof *nis))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nis, 0, sizeof *nis);
+ if (!(acc = memget(sizeof *acc))) {
+ memput(nis, sizeof *nis);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(acc, 0x5e, sizeof *acc);
+ acc->private = nis;
+ nis->domain = strdup(domain);
+#ifdef WANT_IRS_GR
+ acc->gr_map = irs_nis_gr;
+#else
+ acc->gr_map = NULL;
+#endif
+#ifdef WANT_IRS_PW
+ acc->pw_map = irs_nis_pw;
+#else
+ acc->pw_map = NULL;
+#endif
+ acc->sv_map = irs_nis_sv;
+ acc->pr_map = irs_nis_pr;
+ acc->ho_map = irs_nis_ho;
+ acc->nw_map = irs_nis_nw;
+ acc->ng_map = irs_nis_ng;
+ acc->res_get = nis_res_get;
+ acc->res_set = nis_res_set;
+ acc->close = nis_close;
+ return (acc);
+}
+
+/* Methods */
+
+static struct __res_state *
+nis_res_get(struct irs_acc *this) {
+ struct nis_p *nis = (struct nis_p *)this->private;
+
+ if (nis->res == NULL) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (res == NULL)
+ return (NULL);
+ memset(res, 0, sizeof *res);
+ nis_res_set(this, res, free);
+ }
+
+ if ((nis->res->options & RES_INIT) == 0 &&
+ res_ninit(nis->res) < 0)
+ return (NULL);
+
+ return (nis->res);
+}
+
+static void
+nis_res_set(struct irs_acc *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct nis_p *nis = (struct nis_p *)this->private;
+
+ if (nis->res && nis->free_res) {
+ res_nclose(nis->res);
+ (*nis->free_res)(nis->res);
+ }
+
+ nis->res = res;
+ nis->free_res = free_res;
+}
+
+static void
+nis_close(struct irs_acc *this) {
+ struct nis_p *nis = (struct nis_p *)this->private;
+
+ if (nis->res && nis->free_res)
+ (*nis->free_res)(nis->res);
+ free(nis->domain);
+ memput(nis, sizeof *nis);
+ memput(this, sizeof *this);
+}
+
+#endif /*WANT_IRS_NIS*/
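Review bot: `nis->domain = strdup(domain);` in irs_nis_acc is the only allocation in the function whose result is not checked. On failure the accessor is returned with a NULL domain, which the map back-ends later pass to the yp_* calls; for example irs_nis_gr stores it as `pvt->nis_domain` and gr_next hands it to yp_first. Failing the constructor the same way the two memget() paths do keeps that state from escaping. A smaller related point: nis_close frees `nis->res` through `free_res` without the res_nclose() that nis_res_set performs first, which looks like an oversight worth confirming.

```c
	acc->private = nis;
	nis->domain = strdup(domain);
	if (nis->domain == NULL) {
		/* undo both allocations, as the memget() failure paths do */
		memput(acc, sizeof *acc);
		memput(nis, sizeof *nis);
		errno = ENOMEM;
		return (NULL);
	}
	/* … unchanged: map and method pointer assignments … */
```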
diff --git a/contrib/bind9/lib/bind/irs/nis_gr.c b/contrib/bind9/lib/bind/irs/nis_gr.c
new file mode 100644
index 0000000..e06861f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_gr.c
@@ -0,0 +1,353 @@
+/*
+ * Copyright (c) 1989, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_gr.c,v 1.1.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
+/* from getgrent.c 8.2 (Berkeley) 3/21/94"; */
+/* from BSDI Id: getgrent.c,v 2.8 1996/05/28 18:15:14 bostic Exp $ */
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(WANT_IRS_GR) || !defined(WANT_IRS_NIS)
+static int __bind_irs_gr_unneeded;
+#else
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <isc/memcluster.h>
+
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <errno.h>
+#include <grp.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+ /*
+ * Need space to store the entries read from the group file.
+ * The members list also needs space per member, and the
+ * strings making up the user names must be allocated
+ * somewhere. Rather than doing lots of small allocations,
+ * we keep one buffer and resize it as needed.
+ */
+ struct group group;
+ size_t nmemb; /* Malloc'd max index of gr_mem[]. */
+ char * membuf;
+ size_t membufsize;
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char group_bygid[] = "group.bygid";
+static /*const*/ char group_byname[] = "group.byname";
+
+/* Forward */
+
+static void gr_close(struct irs_gr *);
+static struct group * gr_next(struct irs_gr *);
+static struct group * gr_byname(struct irs_gr *, const char *);
+static struct group * gr_bygid(struct irs_gr *, gid_t);
+static void gr_rewind(struct irs_gr *);
+static void gr_minimize(struct irs_gr *);
+
+static struct group * makegroupent(struct irs_gr *);
+static void nisfree(struct pvt *, enum do_what);
+
+/* Public */
+
+struct irs_gr *
+irs_nis_gr(struct irs_acc *this) {
+ struct irs_gr *gr;
+ struct pvt *pvt;
+
+ if (!(gr = memget(sizeof *gr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(gr, 0x5e, sizeof *gr);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(gr, sizeof *gr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ gr->private = pvt;
+ gr->close = gr_close;
+ gr->next = gr_next;
+ gr->byname = gr_byname;
+ gr->bygid = gr_bygid;
+ gr->rewind = gr_rewind;
+ gr->list = make_group_list;
+ gr->minimize = gr_minimize;
+ gr->res_get = NULL;
+ gr->res_set = NULL;
+ return (gr);
+}
+
+/* Methods */
+
+static void
+gr_close(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->group.gr_mem)
+ free(pvt->group.gr_mem);
+ if (pvt->membuf)
+ free(pvt->membuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct group *
+gr_next(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct group *rval;
+ int r;
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, group_byname,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, group_byname,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ rval = makegroupent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static struct group *
+gr_byname(struct irs_gr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ int r;
+
+ nisfree(pvt, do_val);
+ r = yp_match(pvt->nis_domain, group_byname, name, strlen(name),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makegroupent(this));
+}
+
+static struct group *
+gr_bygid(struct irs_gr *this, gid_t gid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char tmp[sizeof "4294967295"];
+ int r;
+
+ nisfree(pvt, do_val);
+ (void) sprintf(tmp, "%u", (unsigned int)gid);
+ r = yp_match(pvt->nis_domain, group_bygid, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makegroupent(this));
+}
+
+static void
+gr_rewind(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static void
+gr_minimize(struct irs_gr *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static struct group *
+makegroupent(struct irs_gr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ unsigned int num_members = 0;
+ char *cp, **new;
+ u_long t;
+
+ if (pvt->group.gr_mem) {
+ free(pvt->group.gr_mem);
+ pvt->group.gr_mem = NULL;
+ pvt->nmemb = 0;
+ }
+ if (pvt->membuf)
+ free(pvt->membuf);
+ pvt->membuf = pvt->curval_data;
+ pvt->curval_data = NULL;
+
+ cp = pvt->membuf;
+ pvt->group.gr_name = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->group.gr_passwd = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ errno = 0;
+ t = strtoul(cp, NULL, 10);
+ if (errno == ERANGE)
+ goto cleanup;
+ pvt->group.gr_gid = (gid_t) t;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ cp++;
+
+ if (*cp && cp[strlen(cp)-1] == '\n')
+ cp[strlen(cp)-1] = '\0';
+
+ /*
+ * Parse the members out.
+ */
+ while (*cp) {
+ if (num_members+1 >= pvt->nmemb || pvt->group.gr_mem == NULL) {
+ pvt->nmemb += 10;
+ new = realloc(pvt->group.gr_mem,
+ pvt->nmemb * sizeof(char *));
+ if (new == NULL)
+ goto cleanup;
+ pvt->group.gr_mem = new;
+ }
+ pvt->group.gr_mem[num_members++] = cp;
+ if (!(cp = strchr(cp, ',')))
+ break;
+ *cp++ = '\0';
+ }
+ if (pvt->group.gr_mem == NULL) {
+ pvt->group.gr_mem = malloc(sizeof(char*));
+ if (!pvt->group.gr_mem)
+ goto cleanup;
+ pvt->nmemb = 1;
+ }
+ pvt->group.gr_mem[num_members] = NULL;
+
+ return (&pvt->group);
+
+ cleanup:
+ if (pvt->group.gr_mem) {
+ free(pvt->group.gr_mem);
+ pvt->group.gr_mem = NULL;
+ pvt->nmemb = 0;
+ }
+ if (pvt->membuf) {
+ free(pvt->membuf);
+ pvt->membuf = NULL;
+ }
+ return (NULL);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+#endif /* WANT_IRS_GR && WANT_IRS_NIS */
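Review bot: makegroupent accepts any gid field that does not overflow. `strtoul(cp, NULL, 10)` returns 0 for an empty or non-numeric field and only `errno == ERANGE` is tested, so a malformed NIS group entry is reported with gr_gid 0. Since the record comes from the NIS server rather than a local file, the field should be validated before use: declare `char *ep;`, call `t = strtoul(cp, &ep, 10);` and test `if (errno == ERANGE || ep == cp || *ep != ':') goto cleanup;`. A value that fits in u_long but not in gid_t is also silently truncated by the `(gid_t) t` cast.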
diff --git a/contrib/bind9/lib/bind/irs/nis_ho.c b/contrib/bind9/lib/bind/irs/nis_ho.c
new file mode 100644
index 0000000..7f0b125
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_ho.c
@@ -0,0 +1,533 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_ho.c,v 1.2.2.1.4.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_NIS
+static int __bind_irs_nis_unneeded;
+#else
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+#define MAXALIASES 35
+#define MAXADDRS 35
+
+#if PACKETSZ > 1024
+#define MAXPACKET PACKETSZ
+#else
+#define MAXPACKET 1024
+#endif
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+ struct hostent host;
+ char * h_addr_ptrs[MAXADDRS + 1];
+ char * host_aliases[MAXALIASES + 1];
+ char hostbuf[8*1024];
+ u_char host_addr[16]; /* IPv4 or IPv6 */
+ struct __res_state *res;
+ void (*free_res)(void *);
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
+static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
+static /*const*/ char hosts_byname[] = "hosts.byname";
+static /*const*/ char hosts_byaddr[] = "hosts.byaddr";
+static /*const*/ char ipnode_byname[] = "ipnode.byname";
+static /*const*/ char ipnode_byaddr[] = "ipnode.byaddr";
+static /*const*/ char yp_multi[] = "YP_MULTI_";
+
+/* Forwards */
+
+static void ho_close(struct irs_ho *this);
+static struct hostent * ho_byname(struct irs_ho *this, const char *name);
+static struct hostent * ho_byname2(struct irs_ho *this, const char *name,
+ int af);
+static struct hostent * ho_byaddr(struct irs_ho *this, const void *addr,
+ int len, int af);
+static struct hostent * ho_next(struct irs_ho *this);
+static void ho_rewind(struct irs_ho *this);
+static void ho_minimize(struct irs_ho *this);
+static struct __res_state * ho_res_get(struct irs_ho *this);
+static void ho_res_set(struct irs_ho *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+static struct addrinfo * ho_addrinfo(struct irs_ho *this, const char *name,
+ const struct addrinfo *pai);
+
+static struct hostent * makehostent(struct irs_ho *this);
+static void nisfree(struct pvt *, enum do_what);
+static int init(struct irs_ho *this);
+
+/* Public */
+
+struct irs_ho *
+irs_nis_ho(struct irs_acc *this) {
+ struct irs_ho *ho;
+ struct pvt *pvt;
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(ho = memget(sizeof *ho))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ho, 0x5e, sizeof *ho);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ ho->private = pvt;
+ ho->close = ho_close;
+ ho->byname = ho_byname;
+ ho->byname2 = ho_byname2;
+ ho->byaddr = ho_byaddr;
+ ho->next = ho_next;
+ ho->rewind = ho_rewind;
+ ho->minimize = ho_minimize;
+ ho->res_set = ho_res_set;
+ ho->res_get = ho_res_get;
+ ho->addrinfo = ho_addrinfo;
+ return (ho);
+}
+
+/* Methods */
+
+static void
+ho_close(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ ho_minimize(this);
+ nisfree(pvt, do_all);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct hostent *
+ho_byname(struct irs_ho *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (pvt->res->options & RES_USE_INET6) {
+ hp = ho_byname2(this, name, AF_INET6);
+ if (hp)
+ return (hp);
+ }
+ return (ho_byname2(this, name, AF_INET));
+}
+
+static struct hostent *
+ho_byname2(struct irs_ho *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ int r;
+ char *tmp;
+
+ UNUSED(af);
+
+ if (init(this) == -1)
+ return (NULL);
+
+ nisfree(pvt, do_val);
+
+ strcpy(pvt->hostbuf, yp_multi);
+ strncat(pvt->hostbuf, name, sizeof(pvt->hostbuf) - sizeof(yp_multi));
+ pvt->hostbuf[sizeof(pvt->hostbuf) - 1] = '\0';
+ for (r = sizeof(yp_multi) - 1; pvt->hostbuf[r] != '\0'; r++)
+ if (isupper((unsigned char)pvt->hostbuf[r]))
+ tolower(pvt->hostbuf[r]);
+
+ tmp = pvt->hostbuf;
+ r = yp_match(pvt->nis_domain, ipnode_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ tmp = pvt->hostbuf + sizeof(yp_multi) - 1;
+ r = yp_match(pvt->nis_domain, ipnode_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ }
+ if (r != 0) {
+ tmp = pvt->hostbuf;
+ r = yp_match(pvt->nis_domain, hosts_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ }
+ if (r != 0) {
+ tmp = pvt->hostbuf + sizeof(yp_multi) - 1;
+ r = yp_match(pvt->nis_domain, hosts_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ }
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ return (makehostent(this));
+}
+
+static struct hostent *
+ho_byaddr(struct irs_ho *this, const void *addr, int len, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
+ const u_char *uaddr = addr;
+ int r;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (af == AF_INET6 && len == IN6ADDRSZ &&
+ (!memcmp(uaddr, mapped, sizeof mapped) ||
+ !memcmp(uaddr, tunnelled, sizeof tunnelled))) {
+ /* Unmap. */
+ addr = (const u_char *)addr + sizeof mapped;
+ uaddr += sizeof mapped;
+ af = AF_INET;
+ len = INADDRSZ;
+ }
+ if (inet_ntop(af, uaddr, tmp, sizeof tmp) == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ nisfree(pvt, do_val);
+ r = yp_match(pvt->nis_domain, ipnode_byaddr, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0)
+ r = yp_match(pvt->nis_domain, hosts_byaddr, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ return (makehostent(this));
+}
+
+static struct hostent *
+ho_next(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *rval;
+ int r;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, hosts_byaddr,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, hosts_byaddr,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ rval = makehostent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static void
+ho_rewind(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static void
+ho_minimize(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+}
+
+static struct __res_state *
+ho_res_get(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ ho_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+ho_res_set(struct irs_ho *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+struct nis_res_target {
+ struct nis_res_target *next;
+ int family;
+};
+
+/* XXX */
+extern struct addrinfo *hostent2addrinfo __P((struct hostent *,
+ const struct addrinfo *pai));
+
+static struct addrinfo *
+ho_addrinfo(struct irs_ho *this, const char *name, const struct addrinfo *pai)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct hostent *hp;
+ struct nis_res_target q, q2, *p;
+ struct addrinfo sentinel, *cur;
+
+ memset(&q, 0, sizeof(q2));
+ memset(&q2, 0, sizeof(q2));
+ memset(&sentinel, 0, sizeof(sentinel));
+ cur = &sentinel;
+
+ switch(pai->ai_family) {
+ case AF_UNSPEC: /* INET6 then INET4 */
+ q.family = AF_INET6;
+ q.next = &q2;
+ q2.family = AF_INET;
+ break;
+ case AF_INET6:
+ q.family = AF_INET6;
+ break;
+ case AF_INET:
+ q.family = AF_INET;
+ break;
+ default:
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY); /* ??? */
+ return(NULL);
+ }
+
+ for (p = &q; p; p = p->next) {
+ struct addrinfo *ai;
+
+ hp = (*this->byname2)(this, name, p->family);
+ if (hp == NULL) {
+ /* byname2 should've set an appropriate error */
+ continue;
+ }
+ if ((hp->h_name == NULL) || (hp->h_name[0] == 0) ||
+ (hp->h_addr_list[0] == NULL)) {
+ RES_SET_H_ERRNO(pvt->res, NO_RECOVERY);
+ continue;
+ }
+ ai = hostent2addrinfo(hp, pai);
+ if (ai) {
+ cur->ai_next = ai;
+ while (cur && cur->ai_next)
+ cur = cur->ai_next;
+ }
+ }
+
+ if (sentinel.ai_next == NULL)
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+
+ return(sentinel.ai_next);
+}
+
+/* Private */
+
+/*
+ipnodes:
+::1 localhost
+127.0.0.1 localhost
+1.2.3.4 FOO bar
+1.2.6.4 FOO bar
+1.2.6.5 host
+
+ipnodes.byname:
+YP_MULTI_localhost ::1,127.0.0.1 localhost
+YP_MULTI_foo 1.2.3.4,1.2.6.4 FOO bar
+YP_MULTI_bar 1.2.3.4,1.2.6.4 FOO bar
+host 1.2.6.5 host
+
+hosts.byname:
+localhost 127.0.0.1 localhost
+host 1.2.6.5 host
+YP_MULTI_foo 1.2.3.4,1.2.6.4 FOO bar
+YP_MULTI_bar 1.2.3.4,1.2.6.4 FOO bar
+*/
+
+static struct hostent *
+makehostent(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ static const char spaces[] = " \t";
+ char *cp, **q, *p, *comma, *ap;
+ int af = 0, len = 0;
+ int multi = 0;
+ int addr = 0;
+
+ p = pvt->curval_data;
+ if ((cp = strpbrk(p, "#\n")) != NULL)
+ *cp = '\0';
+ if (!(cp = strpbrk(p, spaces)))
+ return (NULL);
+ *cp++ = '\0';
+ ap = pvt->hostbuf;
+ do {
+ if ((comma = strchr(p, ',')) != NULL) {
+ *comma++ = '\0';
+ multi = 1;
+ }
+ if ((ap + IN6ADDRSZ) > (pvt->hostbuf + sizeof(pvt->hostbuf)))
+ break;
+ if ((pvt->res->options & RES_USE_INET6) &&
+ inet_pton(AF_INET6, p, ap) > 0) {
+ af = AF_INET6;
+ len = IN6ADDRSZ;
+ } else if (inet_pton(AF_INET, p, pvt->host_addr) > 0) {
+ if (pvt->res->options & RES_USE_INET6) {
+ map_v4v6_address((char*)pvt->host_addr, ap);
+ af = AF_INET6;
+ len = IN6ADDRSZ;
+ } else {
+ af = AF_INET;
+ len = INADDRSZ;
+ }
+ } else {
+ if (!multi)
+ return (NULL);
+ continue;
+ }
+ if (addr < MAXADDRS) {
+ pvt->h_addr_ptrs[addr++] = ap;
+ pvt->h_addr_ptrs[addr] = NULL;
+ ap += len;
+ }
+ } while ((p = comma) != NULL);
+ if (ap == pvt->hostbuf)
+ return (NULL);
+ pvt->host.h_addr_list = pvt->h_addr_ptrs;
+ pvt->host.h_length = len;
+ pvt->host.h_addrtype = af;
+ cp += strspn(cp, spaces);
+ pvt->host.h_name = cp;
+ q = pvt->host.h_aliases = pvt->host_aliases;
+ if ((cp = strpbrk(cp, spaces)) != NULL)
+ *cp++ = '\0';
+ while (cp && *cp) {
+ if (*cp == ' ' || *cp == '\t') {
+ cp++;
+ continue;
+ }
+ if (q < &pvt->host_aliases[MAXALIASES])
+ *q++ = cp;
+ if ((cp = strpbrk(cp, spaces)) != NULL)
+ *cp++ = '\0';
+ }
+ *q = NULL;
+ RES_SET_H_ERRNO(pvt->res, NETDB_SUCCESS);
+ return (&pvt->host);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+static int
+init(struct irs_ho *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !ho_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
+#endif /*WANT_IRS_NIS*/
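Review bot: In makehostent(), the plain-IPv4 branch (taken when RES_USE_INET6 is clear) parses the address into pvt->host_addr but never copies it to ap. h_addr_ptrs[] therefore points at whatever hostbuf already holds, which after ho_byname2() is the "YP_MULTI_…" lookup key, and callers get bytes that are not the address from the NIS record. Adding `memcpy(ap, pvt->host_addr, INADDRSZ);` in that else branch before `af = AF_INET;` would make the returned list match the map entry. Separately, the loop in ho_byname2() calls `tolower(pvt->hostbuf[r]);` and discards the result, so the key is never lower-cased; it should read `pvt->hostbuf[r] = tolower((unsigned char)pvt->hostbuf[r]);`.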
diff --git a/contrib/bind9/lib/bind/irs/nis_ng.c b/contrib/bind9/lib/bind/irs/nis_ng.c
new file mode 100644
index 0000000..4ee700c
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_ng.c
@@ -0,0 +1,302 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_ng.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_NIS
+static int __bind_irs_nis_unneeded;
+#else
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <isc/assertions.h>
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <netinet/in.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+struct tmpgrp {
+ const char * name;
+ const char * host;
+ const char * user;
+ const char * domain;
+ struct tmpgrp * next;
+};
+
+struct pvt {
+ char * nis_domain;
+ struct tmpgrp * tmp;
+ struct tmpgrp * cur;
+ char * tmpgroup;
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char netgroup_map[] = "netgroup";
+
+/* Forward */
+
+static void ng_close(struct irs_ng *);
+static int ng_next(struct irs_ng *, const char **,
+ const char **, const char **);
+static int ng_test(struct irs_ng *,
+ const char *, const char *,
+ const char *, const char *);
+static void ng_rewind(struct irs_ng *, const char *);
+static void ng_minimize(struct irs_ng *);
+
+static void add_group_to_list(struct pvt *, const char *, int);
+static void add_tuple_to_list(struct pvt *, const char *, char *);
+static void tmpfree(struct pvt *);
+
+/* Public */
+
+struct irs_ng *
+irs_nis_ng(struct irs_acc *this) {
+ struct irs_ng *ng;
+ struct pvt *pvt;
+
+ if (!(ng = memget(sizeof *ng))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ng, 0x5e, sizeof *ng);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(ng, sizeof *ng);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ ng->private = pvt;
+ ng->close = ng_close;
+ ng->next = ng_next;
+ ng->test = ng_test;
+ ng->rewind = ng_rewind;
+ ng->minimize = ng_minimize;
+ return (ng);
+}
+
+/* Methods */
+
+static void
+ng_close(struct irs_ng *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ tmpfree(pvt);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static int
+ng_next(struct irs_ng *this, const char **host, const char **user, const char **domain) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->cur)
+ return (0);
+ *host = pvt->cur->host;
+ *user = pvt->cur->user;
+ *domain = pvt->cur->domain;
+ pvt->cur = pvt->cur->next;
+ return (1);
+}
+
+static int
+ng_test(struct irs_ng *this, const char *name,
+ const char *host, const char *user, const char *domain)
+{
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct tmpgrp *cur;
+
+ tmpfree(pvt);
+ add_group_to_list(pvt, name, strlen(name));
+ for (cur = pvt->tmp; cur; cur = cur->next) {
+ if ((!host || !cur->host || !strcmp(host, cur->host)) &&
+ (!user || !cur->user || !strcmp(user, cur->user)) &&
+ (!domain || !cur->domain || !strcmp(domain, cur->domain)))
+ break;
+ }
+ tmpfree(pvt);
+ return ((cur == NULL) ? 0 : 1);
+}
+
+static void
+ng_rewind(struct irs_ng *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ /* Either hand back or free the existing list. */
+ if (pvt->tmpgroup) {
+ if (pvt->tmp && !strcmp(pvt->tmpgroup, name))
+ goto reset;
+ tmpfree(pvt);
+ }
+ pvt->tmpgroup = strdup(name);
+ add_group_to_list(pvt, name, strlen(name));
+ reset:
+ pvt->cur = pvt->tmp;
+}
+
+static void
+ng_minimize(struct irs_ng *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static void
+add_group_to_list(struct pvt *pvt, const char *name, int len) {
+ char *vdata, *cp, *np;
+ struct tmpgrp *tmp;
+ int vlen, r;
+ char *nametmp;
+
+ /* Don't add the same group to the list more than once. */
+ for (tmp = pvt->tmp; tmp; tmp = tmp->next)
+ if (!strcmp(tmp->name, name))
+ return;
+
+ DE_CONST(name, nametmp);
+ r = yp_match(pvt->nis_domain, netgroup_map, nametmp, len,
+ &vdata, &vlen);
+ if (r == 0) {
+ cp = vdata;
+ if (*cp && cp[strlen(cp)-1] == '\n')
+ cp[strlen(cp)-1] = '\0';
+ for ( ; cp; cp = np) {
+ np = strchr(cp, ' ');
+ if (np)
+ *np++ = '\0';
+ if (*cp == '(')
+ add_tuple_to_list(pvt, name, cp);
+ else
+ add_group_to_list(pvt, cp, strlen(cp));
+ }
+ free(vdata);
+ }
+}
+
+static void
+add_tuple_to_list(struct pvt *pvt, const char *name, char *cp) {
+ struct tmpgrp *tmp;
+ char *tp, *np;
+
+ INSIST(*cp++ == '(');
+
+ tmp = malloc(sizeof *tmp + strlen(name) + sizeof '\0' +
+ strlen(cp) - sizeof ')');
+ if (!tmp)
+ return;
+ memset(tmp, 0, sizeof *tmp);
+ tp = ((char *)tmp) + sizeof *tmp;
+
+ /* Name */
+ strcpy(tp, name);
+ tmp->name = tp;
+ tp += strlen(tp) + 1;
+
+ /* Host */
+ if (!(np = strchr(cp, ',')))
+ goto cleanup;
+ *np++ = '\0';
+ strcpy(tp, cp);
+ tmp->host = tp;
+ tp += strlen(tp) + 1;
+ cp = np;
+
+ /* User */
+ if (!(np = strchr(cp, ',')))
+ goto cleanup;
+ *np++ = '\0';
+ strcpy(tp, cp);
+ tmp->user = tp;
+ tp += strlen(tp) + 1;
+ cp = np;
+
+ /* Domain */
+ if (!(np = strchr(cp, ')')))
+ goto cleanup;
+ *np++ = '\0';
+ strcpy(tp, cp);
+ tmp->domain = tp;
+
+ /*
+ * Empty string in file means wildcard, but
+ * NULL string in return value means wildcard.
+ */
+ if (!*tmp->host)
+ tmp->host = NULL;
+ if (!*tmp->user)
+ tmp->user = NULL;
+ if (!*tmp->domain)
+ tmp->domain = NULL;
+
+ /* Add to list (LIFO). */
+ tmp->next = pvt->tmp;
+ pvt->tmp = tmp;
+ return;
+
+ cleanup:
+ free(tmp);
+}
+
+static void
+tmpfree(struct pvt *pvt) {
+ struct tmpgrp *cur, *next;
+
+ if (pvt->tmpgroup) {
+ free(pvt->tmpgroup);
+ pvt->tmpgroup = NULL;
+ }
+ for (cur = pvt->tmp; cur; cur = next) {
+ next = cur->next;
+ free(cur);
+ }
+ pvt->tmp = NULL;
+}
+
+#endif /*WANT_IRS_NIS*/
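Review bot: The allocation in add_tuple_to_list() looks one byte short, and the data it holds comes from the NIS server. `sizeof '\0'` and `sizeof ')'` are both the size of a character constant, so they cancel and the space after the struct is strlen(name) + strlen(cp) bytes. The strcpy() calls write strlen(name) + 1 bytes for the name plus up to strlen(cp) bytes for host, user and domain with their terminators, so for a tuple with nothing after the `)` the last terminator lands past the allocation. Sizing it as `malloc(sizeof *tmp + strlen(name) + 1 + strlen(cp))` covers every case. add_group_to_list() also recurses on each nested group name and only skips names that already produced a tuple, so two groups that reference each other without tuples would recurse without bound; a depth limit or a visited list would stop that.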
diff --git a/contrib/bind9/lib/bind/irs/nis_nw.c b/contrib/bind9/lib/bind/irs/nis_nw.c
new file mode 100644
index 0000000..669b29d
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_nw.c
@@ -0,0 +1,383 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_nw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_NIS
+static int __bind_irs_nis_unneeded;
+#else
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+#define MAXALIASES 35
+#define MAXADDRSIZE 4
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+
+ struct nwent nwent;
+ char * nwbuf;
+
+ char * aliases[MAXALIASES + 1];
+ u_char addr[MAXADDRSIZE];
+
+ struct __res_state * res;
+ void (*free_res)(void *);
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char networks_byname[] = "networks.byname";
+static /*const*/ char networks_byaddr[] = "networks.byaddr";
+
+/* Forward */
+
+static void nw_close(struct irs_nw *);
+static struct nwent * nw_byname(struct irs_nw *, const char *, int);
+static struct nwent * nw_byaddr(struct irs_nw *, void *, int, int);
+static struct nwent * nw_next(struct irs_nw *);
+static void nw_rewind(struct irs_nw *);
+static void nw_minimize(struct irs_nw *);
+static struct __res_state * nw_res_get(struct irs_nw *this);
+static void nw_res_set(struct irs_nw *this,
+ struct __res_state *res,
+ void (*free_res)(void *));
+
+static struct nwent * makenwent(struct irs_nw *this);
+static void nisfree(struct pvt *, enum do_what);
+static int init(struct irs_nw *this);
+
+/* Public */
+
+struct irs_nw *
+irs_nis_nw(struct irs_acc *this) {
+ struct irs_nw *nw;
+ struct pvt *pvt;
+
+ if (!(pvt = memget(sizeof *pvt))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ if (!(nw = memget(sizeof *nw))) {
+ memput(pvt, sizeof *pvt);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(nw, 0x5e, sizeof *nw);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ nw->private = pvt;
+ nw->close = nw_close;
+ nw->byname = nw_byname;
+ nw->byaddr = nw_byaddr;
+ nw->next = nw_next;
+ nw->rewind = nw_rewind;
+ nw->minimize = nw_minimize;
+ nw->res_get = nw_res_get;
+ nw->res_set = nw_res_set;
+ return (nw);
+}
+
+/* Methods */
+
+static void
+nw_close(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nw_minimize(this);
+ if (pvt->res && pvt->free_res)
+ (*pvt->free_res)(pvt->res);
+ if (pvt->nwbuf)
+ free(pvt->nwbuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct nwent *
+nw_byaddr(struct irs_nw *this, void *net, int length, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char tmp[sizeof "255.255.255.255/32"], *t;
+ int r;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (af != AF_INET) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+ nisfree(pvt, do_val);
+ /* Try it with /CIDR first. */
+ if (inet_net_ntop(AF_INET, net, length, tmp, sizeof tmp) == NULL) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ return (NULL);
+ }
+ r = yp_match(pvt->nis_domain, networks_byaddr, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ /* Give it a shot without the /CIDR. */
+ if ((t = strchr(tmp, '/')) != NULL) {
+ *t = '\0';
+ r = yp_match(pvt->nis_domain, networks_byaddr,
+ tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ }
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ }
+ return (makenwent(this));
+}
+
+static struct nwent *
+nw_byname(struct irs_nw *this, const char *name, int af) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ int r;
+ char *tmp;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ if (af != AF_INET) {
+ RES_SET_H_ERRNO(pvt->res, NETDB_INTERNAL);
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+ nisfree(pvt, do_val);
+ DE_CONST(name, tmp);
+ r = yp_match(pvt->nis_domain, networks_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ return (makenwent(this));
+}
+
+static void
+nw_rewind(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static struct nwent *
+nw_next(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct nwent *rval;
+ int r;
+
+ if (init(this) == -1)
+ return (NULL);
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, networks_byaddr,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, networks_byaddr,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ RES_SET_H_ERRNO(pvt->res, HOST_NOT_FOUND);
+ return (NULL);
+ }
+ rval = makenwent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static void
+nw_minimize(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res)
+ res_nclose(pvt->res);
+}
+
+static struct __res_state *
+nw_res_get(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res) {
+ struct __res_state *res;
+ res = (struct __res_state *)malloc(sizeof *res);
+ if (!res) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(res, 0, sizeof *res);
+ nw_res_set(this, res, free);
+ }
+
+ return (pvt->res);
+}
+
+static void
+nw_res_set(struct irs_nw *this, struct __res_state *res,
+ void (*free_res)(void *)) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->res && pvt->free_res) {
+ res_nclose(pvt->res);
+ (*pvt->free_res)(pvt->res);
+ }
+
+ pvt->res = res;
+ pvt->free_res = free_res;
+}
+
+/* Private */
+
+static struct nwent *
+makenwent(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ static const char spaces[] = " \t";
+ char *t, *cp, **ap;
+
+ if (pvt->nwbuf)
+ free(pvt->nwbuf);
+ pvt->nwbuf = pvt->curval_data;
+ pvt->curval_data = NULL;
+
+ if ((cp = strpbrk(pvt->nwbuf, "#\n")) != NULL)
+ *cp = '\0';
+ cp = pvt->nwbuf;
+
+ /* Name */
+ pvt->nwent.n_name = cp;
+ cp += strcspn(cp, spaces);
+ if (!*cp)
+ goto cleanup;
+ *cp++ = '\0';
+ cp += strspn(cp, spaces);
+
+ /* Network */
+ pvt->nwent.n_addrtype = AF_INET;
+ t = cp + strcspn(cp, spaces);
+ if (*t)
+ *t++ = '\0';
+ pvt->nwent.n_length = inet_net_pton(AF_INET, cp,
+ pvt->addr, sizeof pvt->addr);
+ if (pvt->nwent.n_length < 0)
+ goto cleanup;
+ pvt->nwent.n_addr = pvt->addr;
+ cp = t;
+
+ /* Aliases */
+ ap = pvt->nwent.n_aliases = pvt->aliases;
+ while (*cp) {
+ if (ap >= &pvt->aliases[MAXALIASES])
+ break;
+ *ap++ = cp;
+ cp += strcspn(cp, spaces);
+ if (!*cp)
+ break;
+ *cp++ = '\0';
+ cp += strspn(cp, spaces);
+ }
+ *ap = NULL;
+
+ return (&pvt->nwent);
+
+ cleanup:
+ if (pvt->nwbuf) {
+ free(pvt->nwbuf);
+ pvt->nwbuf = NULL;
+ }
+ return (NULL);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+static int
+init(struct irs_nw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (!pvt->res && !nw_res_get(this))
+ return (-1);
+ if (((pvt->res->options & RES_INIT) == 0) &&
+ res_ninit(pvt->res) == -1)
+ return (-1);
+ return (0);
+}
+
+#endif /*WANT_IRS_NIS*/
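Review bot: nw_close() frees pvt->nwbuf and the resolver state but never releases pvt->curkey_data, which nw_next() keeps allocated between calls, so closing the object after an enumeration leaks the last key. ho_close() in nis_ho.c handles the same state with `nisfree(pvt, do_all);`. Adding that call after `nw_minimize(this);` in nw_close() would free both the key and any value still held.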
diff --git a/contrib/bind9/lib/bind/irs/nis_p.h b/contrib/bind9/lib/bind/irs/nis_p.h
new file mode 100644
index 0000000..95f5851
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_p.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: nis_p.h,v 1.1.206.1 2004/03/09 08:33:38 marka Exp $
+ */
+
+/*
+ * nis_p.h - private include file for the NIS functions.
+ */
+
+/*
+ * Object state.
+ */
+struct nis_p {
+ char * domain;
+ struct __res_state * res;
+ void (*free_res) __P((void *));
+};
+
+
+/*
+ * Methods.
+ */
+
+extern struct irs_gr * irs_nis_gr __P((struct irs_acc *));
+extern struct irs_pw * irs_nis_pw __P((struct irs_acc *));
+extern struct irs_sv * irs_nis_sv __P((struct irs_acc *));
+extern struct irs_pr * irs_nis_pr __P((struct irs_acc *));
+extern struct irs_ho * irs_nis_ho __P((struct irs_acc *));
+extern struct irs_nw * irs_nis_nw __P((struct irs_acc *));
+extern struct irs_ng * irs_nis_ng __P((struct irs_acc *));
diff --git a/contrib/bind9/lib/bind/irs/nis_pr.c b/contrib/bind9/lib/bind/irs/nis_pr.c
new file mode 100644
index 0000000..8173f3e
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_pr.c
@@ -0,0 +1,300 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_pr.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_NIS
+static int __bind_irs_nis_unneeded;
+#else
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+ struct protoent proto;
+ char * prbuf;
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char protocols_byname[] = "protocols.byname";
+static /*const*/ char protocols_bynumber[] = "protocols.bynumber";
+
+/* Forward */
+
+static void pr_close(struct irs_pr *);
+static struct protoent * pr_byname(struct irs_pr *, const char *);
+static struct protoent * pr_bynumber(struct irs_pr *, int);
+static struct protoent * pr_next(struct irs_pr *);
+static void pr_rewind(struct irs_pr *);
+static void pr_minimize(struct irs_pr *);
+
+static struct protoent * makeprotoent(struct irs_pr *this);
+static void nisfree(struct pvt *, enum do_what);
+
+/* Public */
+
+struct irs_pr *
+irs_nis_pr(struct irs_acc *this) {
+ struct irs_pr *pr;
+ struct pvt *pvt;
+
+ if (!(pr = memget(sizeof *pr))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pr, 0x5e, sizeof *pr);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pr, sizeof *pr);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ pr->private = pvt;
+ pr->byname = pr_byname;
+ pr->bynumber = pr_bynumber;
+ pr->next = pr_next;
+ pr->rewind = pr_rewind;
+ pr->close = pr_close;
+ pr->minimize = pr_minimize;
+ pr->res_get = NULL;
+ pr->res_set = NULL;
+ return (pr);
+}
+
+/* Methods. */
+
+static void
+pr_close(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nisfree(pvt, do_all);
+ if (pvt->proto.p_aliases)
+ free(pvt->proto.p_aliases);
+ if (pvt->prbuf)
+ free(pvt->prbuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct protoent *
+pr_byname(struct irs_pr *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ int r;
+ char *tmp;
+
+ nisfree(pvt, do_val);
+ DE_CONST(name, tmp);
+ r = yp_match(pvt->nis_domain, protocols_byname, tmp,
+ strlen(tmp), &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makeprotoent(this));
+}
+
+static struct protoent *
+pr_bynumber(struct irs_pr *this, int num) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char tmp[sizeof "-4294967295"];
+ int r;
+
+ nisfree(pvt, do_val);
+ (void) sprintf(tmp, "%d", num);
+ r = yp_match(pvt->nis_domain, protocols_bynumber, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makeprotoent(this));
+}
+
+static struct protoent *
+pr_next(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct protoent *rval;
+ int r;
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, protocols_bynumber,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, protocols_bynumber,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ rval = makeprotoent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static void
+pr_rewind(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static void
+pr_minimize(struct irs_pr *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static struct protoent *
+makeprotoent(struct irs_pr *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *p, **t;
+ int n, m;
+
+ if (pvt->prbuf)
+ free(pvt->prbuf);
+ pvt->prbuf = pvt->curval_data;
+ pvt->curval_data = NULL;
+
+ for (p = pvt->prbuf; *p && *p != '#';)
+ p++;
+ while (p > pvt->prbuf && isspace((unsigned char)(p[-1])))
+ p--;
+ *p = '\0';
+
+ p = pvt->prbuf;
+ n = m = 0;
+
+ pvt->proto.p_name = p;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (!*p)
+ return (NULL);
+ *p++ = '\0';
+
+ while (*p && isspace((unsigned char)*p))
+ p++;
+ pvt->proto.p_proto = atoi(p);
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ *p++ = '\0';
+
+ while (*p) {
+ if ((n + 1) >= m || !pvt->proto.p_aliases) {
+ m += 10;
+ t = realloc(pvt->proto.p_aliases,
+ m * sizeof(char *));
+ if (!t) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ pvt->proto.p_aliases = t;
+ }
+ pvt->proto.p_aliases[n++] = p;
+ while (*p && !isspace((unsigned char)*p))
+ p++;
+ if (*p)
+ *p++ = '\0';
+ }
+ if (!pvt->proto.p_aliases)
+ pvt->proto.p_aliases = malloc(sizeof(char *));
+ if (!pvt->proto.p_aliases)
+ goto cleanup;
+ pvt->proto.p_aliases[n] = NULL;
+ return (&pvt->proto);
+
+ cleanup:
+ if (pvt->proto.p_aliases) {
+ free(pvt->proto.p_aliases);
+ pvt->proto.p_aliases = NULL;
+ }
+ if (pvt->prbuf) {
+ free(pvt->prbuf);
+ pvt->prbuf = NULL;
+ }
+ return (NULL);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+#endif /*WANT_IRS_NIS*/
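Review bot: In makeprotoent the `*p++ = '\0';` that follows the protocol-number scan is unconditional, so when the record ends right after the number the pointer steps past the string terminator and the alias loop `while (*p)` parses whatever follows. If a `#` comment was cut off earlier in the function, what follows is the comment text, which is then returned as aliases; with no comment the read runs past the end of the string obtained from yp_match/yp_first/yp_next (how much slack that buffer has is not visible here). The alias loop already guards the same step with `if (*p)`, and the number scan should do the same: `if (*p) *p++ = '\0';`. The alias loop also does not skip runs of whitespace, so consecutive blanks yield empty alias strings.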
diff --git a/contrib/bind9/lib/bind/irs/nis_pw.c b/contrib/bind9/lib/bind/irs/nis_pw.c
new file mode 100644
index 0000000..889d97f
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_pw.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_pw.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#if !defined(WANT_IRS_PW) || !defined(WANT_IRS_NIS)
+static int __bind_irs_pw_unneeded;
+#else
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <isc/memcluster.h>
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/memcluster.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+ struct passwd passwd;
+ char * pwbuf;
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char passwd_byname[] = "passwd.byname";
+static /*const*/ char passwd_byuid[] = "passwd.byuid";
+
+/* Forward */
+
+static void pw_close(struct irs_pw *);
+static struct passwd * pw_next(struct irs_pw *);
+static struct passwd * pw_byname(struct irs_pw *, const char *);
+static struct passwd * pw_byuid(struct irs_pw *, uid_t);
+static void pw_rewind(struct irs_pw *);
+static void pw_minimize(struct irs_pw *);
+
+static struct passwd * makepasswdent(struct irs_pw *);
+static void nisfree(struct pvt *, enum do_what);
+
+/* Public */
+
+struct irs_pw *
+irs_nis_pw(struct irs_acc *this) {
+ struct irs_pw *pw;
+ struct pvt *pvt;
+
+ if (!(pw = memget(sizeof *pw))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pw, 0x5e, sizeof *pw);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(pw, sizeof *pw);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ pw->private = pvt;
+ pw->close = pw_close;
+ pw->next = pw_next;
+ pw->byname = pw_byname;
+ pw->byuid = pw_byuid;
+ pw->rewind = pw_rewind;
+ pw->minimize = pw_minimize;
+ pw->res_get = NULL;
+ pw->res_set = NULL;
+ return (pw);
+}
+
+/* Methods */
+
+static void
+pw_close(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ if (pvt->pwbuf)
+ free(pvt->pwbuf);
+ nisfree(pvt, do_all);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct passwd *
+pw_next(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct passwd *rval;
+ int r;
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, passwd_byname,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, passwd_byname,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ rval = makepasswdent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static struct passwd *
+pw_byname(struct irs_pw *this, const char *name) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ int r;
+ char *tmp;
+
+ nisfree(pvt, do_val);
+ DE_CONST(name, tmp);
+ r = yp_match(pvt->nis_domain, passwd_byname, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makepasswdent(this));
+}
+
+static struct passwd *
+pw_byuid(struct irs_pw *this, uid_t uid) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char tmp[sizeof "4294967295"];
+ int r;
+
+ nisfree(pvt, do_val);
+ (void) sprintf(tmp, "%u", (unsigned int)uid);
+ r = yp_match(pvt->nis_domain, passwd_byuid, tmp, strlen(tmp),
+ &pvt->curval_data, &pvt->curval_len);
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ return (makepasswdent(this));
+}
+
+static void
+pw_rewind(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static void
+pw_minimize(struct irs_pw *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static struct passwd *
+makepasswdent(struct irs_pw *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ char *cp;
+
+ memset(&pvt->passwd, 0, sizeof pvt->passwd);
+ if (pvt->pwbuf)
+ free(pvt->pwbuf);
+ pvt->pwbuf = pvt->curval_data;
+ pvt->curval_data = NULL;
+
+ cp = pvt->pwbuf;
+ pvt->passwd.pw_name = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+#ifdef HAS_PW_CLASS
+ pvt->passwd.pw_class = cp; /* Needs to point at a \0. */
+#endif
+ *cp++ = '\0';
+
+ pvt->passwd.pw_passwd = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_uid = atoi(cp);
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_gid = atoi(cp);
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_gecos = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_dir = cp;
+ if (!(cp = strchr(cp, ':')))
+ goto cleanup;
+ *cp++ = '\0';
+
+ pvt->passwd.pw_shell = cp;
+
+ if ((cp = strchr(cp, '\n')) != NULL)
+ *cp = '\0';
+
+ return (&pvt->passwd);
+
+ cleanup:
+ free(pvt->pwbuf);
+ pvt->pwbuf = NULL;
+ return (NULL);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+#endif /* WANT_IRS_PW && WANT_IRS_NIS */
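Review bot: makepasswdent converts the uid and gid fields with `atoi(cp)`, which returns 0 for an empty or non-numeric field, so a malformed passwd map entry is handed back as uid 0 / gid 0 instead of being rejected. The record arrives from the NIS server through yp_match/yp_first/yp_next, so this parser is the place to validate it. Parsing with an end pointer and failing through the existing cleanup path keeps the function's contract, e.g. `pvt->passwd.pw_uid = strtoul(cp, &end, 10);` followed by `if (end == cp || *end != ':') goto cleanup;`, and the same for pw_gid. atoi also performs no overflow or sign check, which strtoul with an errno test would cover.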
diff --git a/contrib/bind9/lib/bind/irs/nis_sv.c b/contrib/bind9/lib/bind/irs/nis_sv.c
new file mode 100644
index 0000000..b8c1c6b
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nis_sv.c
@@ -0,0 +1,308 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nis_sv.c,v 1.2.206.1 2004/03/09 08:33:38 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/* Imports */
+
+#include "port_before.h"
+
+#ifndef WANT_IRS_NIS
+static int __bind_irs_nis_unneeded;
+#else
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+#include <sys/socket.h>
+#ifdef T_NULL
+#undef T_NULL /* Silence re-definition warning of T_NULL. */
+#endif
+#include <rpc/rpc.h>
+#include <rpc/xdr.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/memcluster.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "nis_p.h"
+
+/* Definitions */
+
+struct pvt {
+ int needrewind;
+ char * nis_domain;
+ char * curkey_data;
+ int curkey_len;
+ char * curval_data;
+ int curval_len;
+ char line[BUFSIZ+1];
+ struct servent serv;
+ char * svbuf;
+};
+
+enum do_what { do_none = 0x0, do_key = 0x1, do_val = 0x2, do_all = 0x3 };
+
+static /*const*/ char services_byname[] = "services.byname";
+
+/* Forward */
+
+static void sv_close(struct irs_sv*);
+static struct servent * sv_next(struct irs_sv *);
+static struct servent * sv_byname(struct irs_sv *, const char *,
+ const char *);
+static struct servent * sv_byport(struct irs_sv *, int, const char *);
+static void sv_rewind(struct irs_sv *);
+static void sv_minimize(struct irs_sv *);
+
+static struct servent * makeservent(struct irs_sv *this);
+static void nisfree(struct pvt *, enum do_what);
+
+/* Public */
+
+struct irs_sv *
+irs_nis_sv(struct irs_acc *this) {
+ struct irs_sv *sv;
+ struct pvt *pvt;
+
+ if (!(sv = memget(sizeof *sv))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(sv, 0x5e, sizeof *sv);
+ if (!(pvt = memget(sizeof *pvt))) {
+ memput(sv, sizeof *sv);
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(pvt, 0, sizeof *pvt);
+ pvt->needrewind = 1;
+ pvt->nis_domain = ((struct nis_p *)this->private)->domain;
+ sv->private = pvt;
+ sv->close = sv_close;
+ sv->next = sv_next;
+ sv->byname = sv_byname;
+ sv->byport = sv_byport;
+ sv->rewind = sv_rewind;
+ sv->minimize = sv_minimize;
+ sv->res_get = NULL;
+ sv->res_set = NULL;
+ return (sv);
+}
+
+/* Methods */
+
+static void
+sv_close(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ nisfree(pvt, do_all);
+ if (pvt->serv.s_aliases)
+ free(pvt->serv.s_aliases);
+ if (pvt->svbuf)
+ free(pvt->svbuf);
+ memput(pvt, sizeof *pvt);
+ memput(this, sizeof *this);
+}
+
+static struct servent *
+sv_byname(struct irs_sv *this, const char *name, const char *proto) {
+ struct servent *serv;
+ char **sap;
+
+ sv_rewind(this);
+ while ((serv = sv_next(this)) != NULL) {
+ if (proto != NULL && strcmp(proto, serv->s_proto))
+ continue;
+ if (!strcmp(name, serv->s_name))
+ break;
+ for (sap = serv->s_aliases; sap && *sap; sap++)
+ if (!strcmp(name, *sap))
+ break;
+ }
+ return (serv);
+}
+
+static struct servent *
+sv_byport(struct irs_sv *this, int port, const char *proto) {
+ struct servent *serv;
+
+ sv_rewind(this);
+ while ((serv = sv_next(this)) != NULL) {
+ if (proto != NULL && strcmp(proto, serv->s_proto))
+ continue;
+ if (serv->s_port == port)
+ break;
+ }
+ return (serv);
+}
+
+static void
+sv_rewind(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+
+ pvt->needrewind = 1;
+}
+
+static struct servent *
+sv_next(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ struct servent *rval;
+ int r;
+
+ do {
+ if (pvt->needrewind) {
+ nisfree(pvt, do_all);
+ r = yp_first(pvt->nis_domain, services_byname,
+ &pvt->curkey_data, &pvt->curkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ pvt->needrewind = 0;
+ } else {
+ char *newkey_data;
+ int newkey_len;
+
+ nisfree(pvt, do_val);
+ r = yp_next(pvt->nis_domain, services_byname,
+ pvt->curkey_data, pvt->curkey_len,
+ &newkey_data, &newkey_len,
+ &pvt->curval_data, &pvt->curval_len);
+ nisfree(pvt, do_key);
+ pvt->curkey_data = newkey_data;
+ pvt->curkey_len = newkey_len;
+ }
+ if (r != 0) {
+ errno = ENOENT;
+ return (NULL);
+ }
+ rval = makeservent(this);
+ } while (rval == NULL);
+ return (rval);
+}
+
+static void
+sv_minimize(struct irs_sv *this) {
+ UNUSED(this);
+ /* NOOP */
+}
+
+/* Private */
+
+static struct servent *
+makeservent(struct irs_sv *this) {
+ struct pvt *pvt = (struct pvt *)this->private;
+ static const char spaces[] = " \t";
+ char *p, **t;
+ int n, m;
+
+ if (pvt->svbuf)
+ free(pvt->svbuf);
+ pvt->svbuf = pvt->curval_data;
+ pvt->curval_data = NULL;
+
+ if (pvt->serv.s_aliases) {
+ free(pvt->serv.s_aliases);
+ pvt->serv.s_aliases = NULL;
+ }
+
+ if ((p = strpbrk(pvt->svbuf, "#\n")))
+ *p = '\0';
+
+ p = pvt->svbuf;
+
+ pvt->serv.s_name = p;
+ p += strcspn(p, spaces);
+ if (!*p)
+ goto cleanup;
+ *p++ = '\0';
+ p += strspn(p, spaces);
+
+ pvt->serv.s_port = htons((u_short) atoi(p));
+ pvt->serv.s_proto = NULL;
+
+ while (*p && !isspace((unsigned char)*p))
+ if (*p++ == '/')
+ pvt->serv.s_proto = p;
+ if (!pvt->serv.s_proto)
+ goto cleanup;
+ if (*p) {
+ *p++ = '\0';
+ p += strspn(p, spaces);
+ }
+
+ n = m = 0;
+ while (*p) {
+ if ((n + 1) >= m || !pvt->serv.s_aliases) {
+ m += 10;
+ t = realloc(pvt->serv.s_aliases, m * sizeof(char *));
+ if (!t) {
+ errno = ENOMEM;
+ goto cleanup;
+ }
+ pvt->serv.s_aliases = t;
+ }
+ pvt->serv.s_aliases[n++] = p;
+ p += strcspn(p, spaces);
+ if (!*p)
+ break;
+ *p++ = '\0';
+ p += strspn(p, spaces);
+ }
+ if (!pvt->serv.s_aliases)
+ pvt->serv.s_aliases = malloc(sizeof(char *));
+ if (!pvt->serv.s_aliases)
+ goto cleanup;
+ pvt->serv.s_aliases[n] = NULL;
+ return (&pvt->serv);
+
+ cleanup:
+ if (pvt->serv.s_aliases) {
+ free(pvt->serv.s_aliases);
+ pvt->serv.s_aliases = NULL;
+ }
+ if (pvt->svbuf) {
+ free(pvt->svbuf);
+ pvt->svbuf = NULL;
+ }
+ return (NULL);
+}
+
+static void
+nisfree(struct pvt *pvt, enum do_what do_what) {
+ if ((do_what & do_key) && pvt->curkey_data) {
+ free(pvt->curkey_data);
+ pvt->curkey_data = NULL;
+ }
+ if ((do_what & do_val) && pvt->curval_data) {
+ free(pvt->curval_data);
+ pvt->curval_data = NULL;
+ }
+}
+
+#endif /*WANT_IRS_NIS*/
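Review bot: In sv_byname the `break` inside the alias `for` loop leaves only that loop, so an entry matched by alias is not returned; the outer `while` moves on to the next sv_next() result and the lookup ends with a later entry or NULL. Adding `if (sap != NULL && *sap != NULL) break;` after the `for` loop makes an alias match terminate the search. Separately, makeservent stores `htons((u_short) atoi(p))` without checking that the port field is numeric or within 0–65535, so a malformed services.byname record is silently truncated to 16 bits rather than skipped.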
diff --git a/contrib/bind9/lib/bind/irs/nul_ng.c b/contrib/bind9/lib/bind/irs/nul_ng.c
new file mode 100644
index 0000000..828bebe
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/nul_ng.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: nul_ng.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+#endif
+
+/*
+ * nul_ng.c - the netgroup accessor null map
+ */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <irs.h>
+#include <isc/memcluster.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+#include "hesiod.h"
+#include "dns_p.h"
+
+/* Forward. */
+
+static void ng_close(struct irs_ng *);
+static int ng_next(struct irs_ng *, const char **,
+ const char **, const char **);
+static int ng_test(struct irs_ng *,
+ const char *, const char *,
+ const char *, const char *);
+static void ng_rewind(struct irs_ng *, const char *);
+static void ng_minimize(struct irs_ng *);
+
+/* Public. */
+
+struct irs_ng *
+irs_nul_ng(struct irs_acc *this) {
+ struct irs_ng *ng;
+
+ UNUSED(this);
+
+ if (!(ng = memget(sizeof *ng))) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ memset(ng, 0x5e, sizeof *ng);
+ ng->private = NULL;
+ ng->close = ng_close;
+ ng->next = ng_next;
+ ng->test = ng_test;
+ ng->rewind = ng_rewind;
+ ng->minimize = ng_minimize;
+ return (ng);
+}
+
+/* Methods. */
+
+static void
+ng_close(struct irs_ng *this) {
+ memput(this, sizeof *this);
+}
+
+/* ARGSUSED */
+static int
+ng_next(struct irs_ng *this, const char **host, const char **user,
+ const char **domain)
+{
+ UNUSED(this);
+ UNUSED(host);
+ UNUSED(user);
+ UNUSED(domain);
+ errno = ENOENT;
+ return (-1);
+}
+
+static int
+ng_test(struct irs_ng *this, const char *name,
+ const char *user, const char *host, const char *domain)
+{
+ UNUSED(this);
+ UNUSED(name);
+ UNUSED(user);
+ UNUSED(host);
+ UNUSED(domain);
+ errno = ENODEV;
+ return (-1);
+}
+
+static void
+ng_rewind(struct irs_ng *this, const char *netgroup) {
+ UNUSED(this);
+ UNUSED(netgroup);
+ /* NOOP */
+}
+
+static void
+ng_minimize(struct irs_ng *this) {
+ UNUSED(this);
+ /* NOOP */
+}
diff --git a/contrib/bind9/lib/bind/irs/pathnames.h b/contrib/bind9/lib/bind/irs/pathnames.h
new file mode 100644
index 0000000..412dc76
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/pathnames.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: pathnames.h,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $
+ */
+
+#ifndef _PATH_IRS_CONF
+#define _PATH_IRS_CONF "/etc/irs.conf"
+#endif
+
+#ifndef _PATH_NETWORKS
+#define _PATH_NETWORKS "/etc/networks"
+#endif
+
+#ifndef _PATH_GROUP
+#define _PATH_GROUP "/etc/group"
+#endif
+
+#ifndef _PATH_NETGROUP
+#define _PATH_NETGROUP "/etc/netgroup"
+#endif
+
+#ifndef _PATH_SERVICES
+#define _PATH_SERVICES "/etc/services"
+#endif
+
+#ifdef IRS_LCL_SV_DB
+#ifndef _PATH_SERVICES_DB
+#define _PATH_SERVICES_DB _PATH_SERVICES ".db"
+#endif
+#endif
+
+#ifndef _PATH_HESIOD_CONF
+#define _PATH_HESIOD_CONF "/etc/hesiod.conf"
+#endif
diff --git a/contrib/bind9/lib/bind/irs/util.c b/contrib/bind9/lib/bind/irs/util.c
new file mode 100644
index 0000000..095e7ad
--- /dev/null
+++ b/contrib/bind9/lib/bind/irs/util.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: util.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <irs.h>
+
+#include "port_after.h"
+
+#include "irs_p.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) sprintf x
+#endif
+
+void
+map_v4v6_address(const char *src, char *dst) {
+ u_char *p = (u_char *)dst;
+ char tmp[NS_INADDRSZ];
+ int i;
+
+ /* Stash a temporary copy so our caller can update in place. */
+ memcpy(tmp, src, NS_INADDRSZ);
+ /* Mark this ipv6 addr as a mapped ipv4. */
+ for (i = 0; i < 10; i++)
+ *p++ = 0x00;
+ *p++ = 0xff;
+ *p++ = 0xff;
+ /* Retrieve the saved copy and we're done. */
+ memcpy((void*)p, tmp, NS_INADDRSZ);
+}
+
+int
+make_group_list(struct irs_gr *this, const char *name,
+ gid_t basegid, gid_t *groups, int *ngroups)
+{
+ struct group *grp;
+ int i, ng;
+ int ret, maxgroups;
+
+ ret = -1;
+ ng = 0;
+ maxgroups = *ngroups;
+ /*
+ * When installing primary group, duplicate it;
+ * the first element of groups is the effective gid
+ * and will be overwritten when a setgid file is executed.
+ */
+ if (ng >= maxgroups)
+ goto done;
+ groups[ng++] = basegid;
+ if (ng >= maxgroups)
+ goto done;
+ groups[ng++] = basegid;
+ /*
+ * Scan the group file to find additional groups.
+ */
+ (*this->rewind)(this);
+ while ((grp = (*this->next)(this)) != NULL) {
+ if ((gid_t)grp->gr_gid == basegid)
+ continue;
+ for (i = 0; grp->gr_mem[i]; i++) {
+ if (!strcmp(grp->gr_mem[i], name)) {
+ if (ng >= maxgroups)
+ goto done;
+ groups[ng++] = grp->gr_gid;
+ break;
+ }
+ }
+ }
+ ret = 0;
+ done:
+ *ngroups = ng;
+ return (ret);
+}
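Review bot: Neither function in this file states its buffer contract, although both write through caller-supplied pointers. map_v4v6_address writes 12 prefix bytes plus NS_INADDRSZ bytes to `dst`, so a header comment such as `/* dst must hold at least 16 bytes (an IPv6 address); src and dst may be the same buffer. */` would tell callers what to allocate. make_group_list should document that `*ngroups` is the capacity of `groups` on entry and the number of entries stored on return, and that a return of -1 means the list was truncated at that capacity.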
diff --git a/contrib/bind9/lib/bind/isc/Makefile.in b/contrib/bind9/lib/bind/isc/Makefile.in
new file mode 100644
index 0000000..d8e8889
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/Makefile.in
@@ -0,0 +1,35 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:13:23 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+OBJS= assertions.@O@ base64.@O@ bitncmp.@O@ ctl_clnt.@O@ ctl_p.@O@ \
+ ctl_srvr.@O@ ev_connects.@O@ ev_files.@O@ ev_streams.@O@ \
+ ev_timers.@O@ ev_waits.@O@ eventlib.@O@ heap.@O@ hex.@O@ \
+ logging.@O@ memcluster.@O@ movefile.@O@ tree.@O@
+
+SRCS= assertions.c base64.c bitncmp.c ctl_clnt.c ctl_p.c \
+ ctl_srvr.c ev_connects.c ev_files.c ev_streams.c \
+ ev_timers.c ev_waits.c eventlib.c heap.c hex.c logging.c \
+ memcluster.c movefile.c tree.c
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/isc/assertions.c b/contrib/bind9/lib/bind/isc/assertions.c
new file mode 100644
index 0000000..f1fb2ef
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/assertions.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: assertions.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+
+#include "port_after.h"
+
+/*
+ * Forward.
+ */
+
+static void default_assertion_failed(const char *, int, assertion_type,
+ const char *, int);
+
+/*
+ * Public.
+ */
+
+assertion_failure_callback __assertion_failed = default_assertion_failed;
+
+void
+set_assertion_failure_callback(assertion_failure_callback f) {
+ if (f == NULL)
+ __assertion_failed = default_assertion_failed;
+ else
+ __assertion_failed = f;
+}
+
+const char *
+assertion_type_to_text(assertion_type type) {
+ const char *result;
+
+ switch (type) {
+ case assert_require:
+ result = "REQUIRE";
+ break;
+ case assert_ensure:
+ result = "ENSURE";
+ break;
+ case assert_insist:
+ result = "INSIST";
+ break;
+ case assert_invariant:
+ result = "INVARIANT";
+ break;
+ default:
+ result = NULL;
+ }
+ return (result);
+}
+
+/*
+ * Private.
+ */
+
+static void
+default_assertion_failed(const char *file, int line, assertion_type type,
+ const char *cond, int print_errno)
+{
+ fprintf(stderr, "%s:%d: %s(%s)%s%s failed.\n",
+ file, line, assertion_type_to_text(type), cond,
+ (print_errno) ? ": " : "",
+ (print_errno) ? strerror(errno) : "");
+ abort();
+ /* NOTREACHED */
+}
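Review bot: `assertion_type_to_text()` returns NULL from its `default:` branch, and `default_assertion_failed()` passes that return value straight to a `%s` conversion in `fprintf`. Passing a null pointer to `%s` is undefined behaviour, so an out-of-range `type` can crash inside the reporting path before the diagnostic is written and before `abort()` runs. Keep the public NULL return for callers that test it, but guard it locally: `const char *tname = assertion_type_to_text(type);` followed by passing `tname != NULL ? tname : "UNKNOWN"` to `fprintf`. A one-line comment on `assertion_type_to_text` saying it returns NULL for unknown types would also help other callers.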
diff --git a/contrib/bind9/lib/bind/isc/assertions.mdoc b/contrib/bind9/lib/bind/isc/assertions.mdoc
new file mode 100644
index 0000000..c214453
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/assertions.mdoc
@@ -0,0 +1,138 @@
+.\" $Id: assertions.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1997,1999 by Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd November 17, 1997
+.Dt ASSERTIONS 3
+.Os ISC
+.Sh NAME
+.Nm REQUIRE ,
+.Nm REQUIRE_ERR ,
+.Nm ENSURE ,
+.Nm ENSURE_ERR ,
+.Nm INSIST ,
+.Nm INSIST_ERR ,
+.Nm INVARIANT ,
+.Nm INVARIANT_ERR ,
+.Nm set_assertion_failure_callback
+.Nd assertion system
+.Sh SYNOPSIS
+.Fd #include <isc/assertions.h>
+.Fo "typedef void (*assertion_failure_callback)"
+.Fa "char *filename"
+.Fa "int line"
+.Fa "assertion_type type"
+.Fa "char *condition"
+.Fa "int print_errno"
+.Fc
+.Fn REQUIRE "int boolean_expression"
+.Fn REQUIRE_ERR "int boolean_expression"
+.Fn ENSURE "int boolean_expression"
+.Fn ENSURE_ERR "int boolean_expression"
+.Fn INSIST "int boolean_expression"
+.Fn INSIST_ERR "int boolean_expression"
+.Fn INVARIANT "int boolean_expression"
+.Fn INVARIANT_ERR "int boolean_expression"
+.Ft void
+.Fn set_assertion_failure_callback "assertion_failure_callback callback"
+.Ft char *
+.Fn assertion_type_to_text "assertion_type type"
+.Sh DESCRIPTION
+The
+.Fn REQUIRE ,
+.Fn ENSURE ,
+.Fn INSIST ,
+and
+.Fn INVARIANT
+macros evaluate a boolean expression, and if it is false, they invoke the
+current assertion failure callback. The default callback will print a message
+to
+.Li stderr
+describing the failure, and then cause the program to dump core.
+If the
+.Dq Fn _ERR
+variant of the assertion is used, the callback will include
+.Fn strerror "errno"
+in its message.
+.Pp
+Each assertion type has an associated
+.Li CHECK
+macro. If this macro's value is
+.Dq 0
+when
+.Dq "<isc/assertions.h>"
+is included, then assertions of that type will not be checked. E.g.
+.Pp
+.Dl #define CHECK_ENSURE 0
+.Pp
+will disable checking of
+.Fn ENSURE
+and
+.Fn ENSURE_ERR .
+The macros
+.Li CHECK_ALL
+and
+.Li CHECK_NONE
+may also be used, respectively specifying that either all or none of the
+assertion types should be checked.
+.Pp
+.Fn set_assertion_failure_callback
+specifies the function to call when an assertion fails.
+.Pp
+When an
+.Fn assertion_failure_callback
+is called, the
+.Fa filename
+and
+.Fa line
+arguments specify the filename and line number of the failing assertion.
+The
+.Fa type
+is one of:
+.Bd -literal -offset indent
+assert_require
+assert_ensure
+assert_insist
+assert_invariant
+.Ed
+.Pp
+and may be used by the callback to determine the type of the failing
+assertion.
+.Fa condition
+is the literal text of the assertion that failed.
+.Fa print_errno
+will be non-zero if the callback should print
+.Fa strerror "errno"
+as part of its output.
+.Pp
+.Fn assertion_type_to_text
+returns a textual representation of
+.Fa type .
+For example,
+.Fn assertion_type_to_text "assert_require"
+returns the string
+.Dq REQUIRE .
+.Sh SEE ALSO
+.Rs
+.%A Bertrand Meyer
+.%B Object-Oriented Software Construction, 2nd edition
+.%Q Prentice\-Hall
+.%D 1997
+.%O ISBN 0\-13\-629155\-4
+.%P chapter 11
+.Re
+.Sh AUTHOR
+Bob Halley (ISC).
diff --git a/contrib/bind9/lib/bind/isc/base64.c b/contrib/bind9/lib/bind/isc/base64.c
new file mode 100644
index 0000000..51676f3
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/base64.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software. No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: base64.c,v 1.1.206.2 2004/03/17 00:29:50 marka Exp $";
+#endif /* not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#define Assert(Cond) if (!(Cond)) abort()
+
+static const char Base64[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+ The following encoding technique is taken from RFC 1521 by Borenstein
+ and Freed. It is reproduced here in a slightly edited form for
+ convenience.
+
+ A 65-character subset of US-ASCII is used, enabling 6 bits to be
+ represented per printable character. (The extra 65th character, "=",
+ is used to signify a special processing function.)
+
+ The encoding process represents 24-bit groups of input bits as output
+ strings of 4 encoded characters. Proceeding from left to right, a
+ 24-bit input group is formed by concatenating 3 8-bit input groups.
+ These 24 bits are then treated as 4 concatenated 6-bit groups, each
+ of which is translated into a single digit in the base64 alphabet.
+
+ Each 6-bit group is used as an index into an array of 64 printable
+ characters. The character referenced by the index is placed in the
+ output string.
+
+ Table 1: The Base64 Alphabet
+
+ Value Encoding Value Encoding Value Encoding Value Encoding
+ 0 A 17 R 34 i 51 z
+ 1 B 18 S 35 j 52 0
+ 2 C 19 T 36 k 53 1
+ 3 D 20 U 37 l 54 2
+ 4 E 21 V 38 m 55 3
+ 5 F 22 W 39 n 56 4
+ 6 G 23 X 40 o 57 5
+ 7 H 24 Y 41 p 58 6
+ 8 I 25 Z 42 q 59 7
+ 9 J 26 a 43 r 60 8
+ 10 K 27 b 44 s 61 9
+ 11 L 28 c 45 t 62 +
+ 12 M 29 d 46 u 63 /
+ 13 N 30 e 47 v
+ 14 O 31 f 48 w (pad) =
+ 15 P 32 g 49 x
+ 16 Q 33 h 50 y
+
+ Special processing is performed if fewer than 24 bits are available
+ at the end of the data being encoded. A full encoding quantum is
+ always completed at the end of a quantity. When fewer than 24 input
+ bits are available in an input group, zero bits are added (on the
+ right) to form an integral number of 6-bit groups. Padding at the
+ end of the data is performed using the '=' character.
+
+ Since all base64 input is an integral number of octets, only the
+ -------------------------------------------------
+ following cases can arise:
+
+ (1) the final quantum of encoding input is an integral
+ multiple of 24 bits; here, the final unit of encoded
+ output will be an integral multiple of 4 characters
+ with no "=" padding,
+ (2) the final quantum of encoding input is exactly 8 bits;
+ here, the final unit of encoded output will be two
+ characters followed by two "=" padding characters, or
+ (3) the final quantum of encoding input is exactly 16 bits;
+ here, the final unit of encoded output will be three
+ characters followed by one "=" padding character.
+ */
+
+int
+b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize) {
+ size_t datalength = 0;
+ u_char input[3];
+ u_char output[4];
+ size_t i;
+
+ while (2U < srclength) {
+ input[0] = *src++;
+ input[1] = *src++;
+ input[2] = *src++;
+ srclength -= 3;
+
+ output[0] = input[0] >> 2;
+ output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+ output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+ output[3] = input[2] & 0x3f;
+ Assert(output[0] < 64);
+ Assert(output[1] < 64);
+ Assert(output[2] < 64);
+ Assert(output[3] < 64);
+
+ if (datalength + 4 > targsize)
+ return (-1);
+ target[datalength++] = Base64[output[0]];
+ target[datalength++] = Base64[output[1]];
+ target[datalength++] = Base64[output[2]];
+ target[datalength++] = Base64[output[3]];
+ }
+
+ /* Now we worry about padding. */
+ if (0U != srclength) {
+ /* Get what's left. */
+ input[0] = input[1] = input[2] = '\0';
+ for (i = 0; i < srclength; i++)
+ input[i] = *src++;
+
+ output[0] = input[0] >> 2;
+ output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+ output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+ Assert(output[0] < 64);
+ Assert(output[1] < 64);
+ Assert(output[2] < 64);
+
+ if (datalength + 4 > targsize)
+ return (-1);
+ target[datalength++] = Base64[output[0]];
+ target[datalength++] = Base64[output[1]];
+ if (srclength == 1U)
+ target[datalength++] = Pad64;
+ else
+ target[datalength++] = Base64[output[2]];
+ target[datalength++] = Pad64;
+ }
+ if (datalength >= targsize)
+ return (-1);
+ target[datalength] = '\0'; /* Returned value doesn't count \0. */
+ return (datalength);
+}
+
+/* skips all whitespace anywhere.
+ converts characters, four at a time, starting at (or after)
+ src from base - 64 numbers into three 8 bit bytes in the target area.
+ it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(src, target, targsize)
+ char const *src;
+ u_char *target;
+ size_t targsize;
+{
+ int tarindex, state, ch;
+ char *pos;
+
+ state = 0;
+ tarindex = 0;
+
+ while ((ch = *src++) != '\0') {
+ if (isspace(ch)) /* Skip whitespace anywhere. */
+ continue;
+
+ if (ch == Pad64)
+ break;
+
+ pos = strchr(Base64, ch);
+ if (pos == 0) /* A non-base64 character. */
+ return (-1);
+
+ switch (state) {
+ case 0:
+ if (target) {
+ if ((size_t)tarindex >= targsize)
+ return (-1);
+ target[tarindex] = (pos - Base64) << 2;
+ }
+ state = 1;
+ break;
+ case 1:
+ if (target) {
+ if ((size_t)tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 4;
+ target[tarindex+1] = ((pos - Base64) & 0x0f)
+ << 4 ;
+ }
+ tarindex++;
+ state = 2;
+ break;
+ case 2:
+ if (target) {
+ if ((size_t)tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 2;
+ target[tarindex+1] = ((pos - Base64) & 0x03)
+ << 6;
+ }
+ tarindex++;
+ state = 3;
+ break;
+ case 3:
+ if (target) {
+ if ((size_t)tarindex >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64);
+ }
+ tarindex++;
+ state = 0;
+ break;
+ default:
+ abort();
+ }
+ }
+
+ /*
+ * We are done decoding Base-64 chars. Let's see if we ended
+ * on a byte boundary, and/or with erroneous trailing characters.
+ */
+
+ if (ch == Pad64) { /* We got a pad char. */
+ ch = *src++; /* Skip it, get next. */
+ switch (state) {
+ case 0: /* Invalid = in first position */
+ case 1: /* Invalid = in second position */
+ return (-1);
+
+ case 2: /* Valid, means one byte of info */
+ /* Skip any number of spaces. */
+ for ((void)NULL; ch != '\0'; ch = *src++)
+ if (!isspace(ch))
+ break;
+ /* Make sure there is another trailing = sign. */
+ if (ch != Pad64)
+ return (-1);
+ ch = *src++; /* Skip the = */
+ /* Fall through to "single trailing =" case. */
+ /* FALLTHROUGH */
+
+ case 3: /* Valid, means two bytes of info */
+ /*
+ * We know this char is an =. Is there anything but
+ * whitespace after it?
+ */
+ for ((void)NULL; ch != '\0'; ch = *src++)
+ if (!isspace(ch))
+ return (-1);
+
+ /*
+ * Now make sure for cases 2 and 3 that the "extra"
+ * bits that slopped past the last full byte were
+ * zeros. If we don't check them, they become a
+ * subliminal channel.
+ */
+ if (target && target[tarindex] != 0)
+ return (-1);
+ }
+ } else {
+ /*
+ * We ended by seeing the end of the string. Make sure we
+ * have no partial bytes lying around.
+ */
+ if (state != 0)
+ return (-1);
+ }
+
+ return (tarindex);
+}
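Review bot: In `b64_pton`, `ch` is loaded from a plain `char` (`ch = *src++`) and handed to `isspace()` in the main loop and in both trailing-padding loops. Where `char` is signed, any input byte of 0x80 or above arrives as a negative value, which is undefined behaviour for the `<ctype.h>` functions. This routine decodes text that may come from outside the process, so write each call as `isspace((unsigned char)ch)`, the same cast `ctl_clnt.c` in this import applies in `arpacode_p`. Separately, the state 1 and state 2 bounds checks require `tarindex + 1 < targsize`, so the decoder appears to need one byte of slack in `target` beyond the decoded length. The comment above the function should say so, so that callers size their buffers accordingly.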
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.c b/contrib/bind9/lib/bind/isc/bitncmp.c
new file mode 100644
index 0000000..fcff9f7
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/bitncmp.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: bitncmp.c,v 1.1.206.1 2004/03/09 08:33:39 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <string.h>
+
+#include "port_after.h"
+
+#include <isc/misc.h>
+
+/*
+ * int
+ * bitncmp(l, r, n)
+ * compare bit masks l and r, for n bits.
+ * return:
+ * -1, 1, or 0 in the libc tradition.
+ * note:
+ * network byte order assumed. this means 192.5.5.240/28 has
+ * 0x11110000 in its fourth octet.
+ * author:
+ * Paul Vixie (ISC), June 1996
+ */
+int
+bitncmp(const void *l, const void *r, int n) {
+ u_int lb, rb;
+ int x, b;
+
+ b = n / 8;
+ x = memcmp(l, r, b);
+ if (x)
+ return (x);
+
+ lb = ((const u_char *)l)[b];
+ rb = ((const u_char *)r)[b];
+ for (b = n % 8; b > 0; b--) {
+ if ((lb & 0x80) != (rb & 0x80)) {
+ if (lb & 0x80)
+ return (1);
+ return (-1);
+ }
+ lb <<= 1;
+ rb <<= 1;
+ }
+ return (0);
+}
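Review bot: `bitncmp` reads `((const u_char *)l)[b]` and the matching byte of `r` unconditionally, before it knows whether any bits remain to compare. When `n` is a multiple of 8 the loop runs zero times, yet the function has already read one byte past the `n / 8` bytes under comparison; with `n == 32` that is index 4 of each operand. Add `if ((n % 8) == 0) return (0);` immediately after the `if (x) return (x);` check so the extra byte is only read when it is needed. A negative `n` also makes `b` negative, which becomes a very large `size_t` in the `memcmp` call, so either reject `n < 0` or state the precondition in the header comment.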
diff --git a/contrib/bind9/lib/bind/isc/bitncmp.mdoc b/contrib/bind9/lib/bind/isc/bitncmp.mdoc
new file mode 100644
index 0000000..5462c2f
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/bitncmp.mdoc
@@ -0,0 +1,82 @@
+.\" $Id: bitncmp.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:39 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1996,1999 by Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd June 1, 1996
+.Dt BITNCMP 3
+.Os BSD 4
+.Sh NAME
+.Nm bitncmp
+.Nd compare bit masks
+.Sh SYNOPSIS
+.Ft int
+.Fn bitncmp "const void *l" "const void *r" "int n"
+.Sh DESCRIPTION
+The function
+.Fn bitncmp
+compares the
+.Dq Fa n
+most-significant bits of the two masks pointed to by
+.Dq Fa l
+and
+.Dq Fa r ,
+and returns an integer less than, equal to, or greater than 0, according to
+whether or not
+.Dq Fa l
+is lexicographically less than, equal to, or greater than
+.Dq Fa r
+when taken to be unsigned characters (this behaviour is just like that of
+.Xr memcmp 3 ) .
+.Pp
+.Sy NOTE :
+.Fn Bitncmp
+assumes
+.Sy network byte order ;
+this means that the fourth octet of
+.Li 192.5.5.240/28
+.Li 0x11110000 .
+.Sh RETURN VALUES
+.Fn Bitncmp
+returns values in the manner of
+.Xr memcmp 3 :
+.Bd -ragged -offset indent
++1 if
+.Dq Fa 1
+is greater than
+.Dq Fa r ;
+.Pp
+-1 if
+.Dq Fa l
+is less than
+.Dq Fa r ;
+and
+.Pp
+0 if
+.Dq Fa l
+is equal to
+.Dq Fa r ,
+.Ed
+.Pp
+where
+.Dq Fa l
+and
+.Dq Fa r
+are both interpreted as strings of unsigned characters (through bit
+.Dq Fa n . )
+.Sh SEE ALSO
+.Xr memcmp 3 .
+.Sh AUTHOR
+Paul Vixie (ISC).
diff --git a/contrib/bind9/lib/bind/isc/ctl_clnt.c b/contrib/bind9/lib/bind/isc/ctl_clnt.c
new file mode 100644
index 0000000..e1fa7e7
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ctl_clnt.c
@@ -0,0 +1,602 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: ctl_clnt.c,v 1.4.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Extern. */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/assertions.h>
+#include <isc/ctl.h>
+#include <isc/eventlib.h>
+#include <isc/list.h>
+#include <isc/memcluster.h>
+
+#include "ctl_p.h"
+
+#include "port_after.h"
+
+/* Constants. */
+
+
+/* Macros. */
+
+#define donefunc_p(ctx) ((ctx).donefunc != NULL)
+#define arpacode_p(line) (isdigit((unsigned char)(line[0])) && \
+ isdigit((unsigned char)(line[1])) && \
+ isdigit((unsigned char)(line[2])))
+#define arpacont_p(line) (line[3] == '-')
+#define arpadone_p(line) (line[3] == ' ' || line[3] == '\t' || \
+ line[3] == '\r' || line[3] == '\0')
+
+/* Types. */
+
+enum state {
+ initializing = 0, connecting, connected, destroyed
+};
+
+struct ctl_tran {
+ LINK(struct ctl_tran) link;
+ LINK(struct ctl_tran) wlink;
+ struct ctl_cctx * ctx;
+ struct ctl_buf outbuf;
+ ctl_clntdone donefunc;
+ void * uap;
+};
+
+struct ctl_cctx {
+ enum state state;
+ evContext ev;
+ int sock;
+ ctl_logfunc logger;
+ ctl_clntdone donefunc;
+ void * uap;
+ evConnID coID;
+ evTimerID tiID;
+ evFileID rdID;
+ evStreamID wrID;
+ struct ctl_buf inbuf;
+ struct timespec timeout;
+ LIST(struct ctl_tran) tran;
+ LIST(struct ctl_tran) wtran;
+};
+
+/* Forward. */
+
+static struct ctl_tran *new_tran(struct ctl_cctx *, ctl_clntdone, void *, int);
+static void start_write(struct ctl_cctx *);
+static void destroy(struct ctl_cctx *, int);
+static void error(struct ctl_cctx *);
+static void new_state(struct ctl_cctx *, enum state);
+static void conn_done(evContext, void *, int,
+ const void *, int,
+ const void *, int);
+static void write_done(evContext, void *, int, int);
+static void start_read(struct ctl_cctx *);
+static void stop_read(struct ctl_cctx *);
+static void readable(evContext, void *, int, int);
+static void start_timer(struct ctl_cctx *);
+static void stop_timer(struct ctl_cctx *);
+static void touch_timer(struct ctl_cctx *);
+static void timer(evContext, void *,
+ struct timespec, struct timespec);
+
+/* Private data. */
+
+static const char * const state_names[] = {
+ "initializing", "connecting", "connected", "destroyed"
+};
+
+/* Public. */
+
+/*
+ * void
+ * ctl_client()
+ * create, condition, and connect to a listener on the control port.
+ */
+struct ctl_cctx *
+ctl_client(evContext lev, const struct sockaddr *cap, size_t cap_len,
+ const struct sockaddr *sap, size_t sap_len,
+ ctl_clntdone donefunc, void *uap,
+ u_int timeout, ctl_logfunc logger)
+{
+ static const char me[] = "ctl_client";
+ static const int on = 1;
+ struct ctl_cctx *ctx;
+ struct sockaddr *captmp;
+
+ if (logger == NULL)
+ logger = ctl_logger;
+ ctx = memget(sizeof *ctx);
+ if (ctx == NULL) {
+ (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
+ goto fatal;
+ }
+ ctx->state = initializing;
+ ctx->ev = lev;
+ ctx->logger = logger;
+ ctx->timeout = evConsTime(timeout, 0);
+ ctx->donefunc = donefunc;
+ ctx->uap = uap;
+ ctx->coID.opaque = NULL;
+ ctx->tiID.opaque = NULL;
+ ctx->rdID.opaque = NULL;
+ ctx->wrID.opaque = NULL;
+ buffer_init(ctx->inbuf);
+ INIT_LIST(ctx->tran);
+ INIT_LIST(ctx->wtran);
+ ctx->sock = socket(sap->sa_family, SOCK_STREAM, PF_UNSPEC);
+ if (ctx->sock > evHighestFD(ctx->ev)) {
+ ctx->sock = -1;
+ errno = ENOTSOCK;
+ }
+ if (ctx->sock < 0) {
+ (*ctx->logger)(ctl_error, "%s: socket: %s",
+ me, strerror(errno));
+ goto fatal;
+ }
+ if (cap != NULL) {
+ if (setsockopt(ctx->sock, SOL_SOCKET, SO_REUSEADDR,
+ (const char *)&on, sizeof on) != 0) {
+ (*ctx->logger)(ctl_warning,
+ "%s: setsockopt(REUSEADDR): %s",
+ me, strerror(errno));
+ }
+ DE_CONST(cap, captmp);
+ if (bind(ctx->sock, captmp, cap_len) < 0) {
+ (*ctx->logger)(ctl_error, "%s: bind: %s", me,
+ strerror(errno));
+ goto fatal;
+ }
+ }
+ if (evConnect(lev, ctx->sock, (const struct sockaddr *)sap, sap_len,
+ conn_done, ctx, &ctx->coID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: evConnect(fd %d): %s",
+ me, ctx->sock, strerror(errno));
+ fatal:
+ if (ctx != NULL) {
+ if (ctx->sock >= 0)
+ close(ctx->sock);
+ memput(ctx, sizeof *ctx);
+ }
+ return (NULL);
+ }
+ new_state(ctx, connecting);
+ return (ctx);
+}
+
+/*
+ * void
+ * ctl_endclient(ctx)
+ * close a client and release all of its resources.
+ */
+void
+ctl_endclient(struct ctl_cctx *ctx) {
+ if (ctx->state != destroyed)
+ destroy(ctx, 0);
+ memput(ctx, sizeof *ctx);
+}
+
+/*
+ * int
+ * ctl_command(ctx, cmd, len, donefunc, uap)
+ * Queue a transaction, which will begin with sending cmd
+ * and complete by calling donefunc with the answer.
+ */
+int
+ctl_command(struct ctl_cctx *ctx, const char *cmd, size_t len,
+ ctl_clntdone donefunc, void *uap)
+{
+ struct ctl_tran *tran;
+ char *pc;
+ unsigned int n;
+
+ switch (ctx->state) {
+ case destroyed:
+ errno = ENOTCONN;
+ return (-1);
+ case connecting:
+ case connected:
+ break;
+ default:
+ abort();
+ }
+ if (len >= (size_t)MAX_LINELEN) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ tran = new_tran(ctx, donefunc, uap, 1);
+ if (tran == NULL)
+ return (-1);
+ if (ctl_bufget(&tran->outbuf, ctx->logger) < 0)
+ return (-1);
+ memcpy(tran->outbuf.text, cmd, len);
+ tran->outbuf.used = len;
+ for (pc = tran->outbuf.text, n = 0; n < tran->outbuf.used; pc++, n++)
+ if (!isascii((unsigned char)*pc) ||
+ !isprint((unsigned char)*pc))
+ *pc = '\040';
+ start_write(ctx);
+ return (0);
+}
+
+/* Private. */
+
+static struct ctl_tran *
+new_tran(struct ctl_cctx *ctx, ctl_clntdone donefunc, void *uap, int w) {
+ struct ctl_tran *new = memget(sizeof *new);
+
+ if (new == NULL)
+ return (NULL);
+ new->ctx = ctx;
+ buffer_init(new->outbuf);
+ new->donefunc = donefunc;
+ new->uap = uap;
+ INIT_LINK(new, link);
+ INIT_LINK(new, wlink);
+ APPEND(ctx->tran, new, link);
+ if (w)
+ APPEND(ctx->wtran, new, wlink);
+ return (new);
+}
+
+static void
+start_write(struct ctl_cctx *ctx) {
+ static const char me[] = "isc/ctl_clnt::start_write";
+ struct ctl_tran *tran;
+ struct iovec iov[2], *iovp = iov;
+ char * tmp;
+
+ REQUIRE(ctx->state == connecting || ctx->state == connected);
+ /* If there is a write in progress, don't try to write more yet. */
+ if (ctx->wrID.opaque != NULL)
+ return;
+ /* If there are no trans, make sure timer is off, and we're done. */
+ if (EMPTY(ctx->wtran)) {
+ if (ctx->tiID.opaque != NULL)
+ stop_timer(ctx);
+ return;
+ }
+ /* Pull it off the head of the write queue. */
+ tran = HEAD(ctx->wtran);
+ UNLINK(ctx->wtran, tran, wlink);
+ /* Since there are some trans, make sure timer is successfully "on". */
+ if (ctx->tiID.opaque != NULL)
+ touch_timer(ctx);
+ else
+ start_timer(ctx);
+ if (ctx->state == destroyed)
+ return;
+ /* Marshall a newline-terminated message and clock it out. */
+ *iovp++ = evConsIovec(tran->outbuf.text, tran->outbuf.used);
+ DE_CONST("\r\n", tmp);
+ *iovp++ = evConsIovec(tmp, 2);
+ if (evWrite(ctx->ev, ctx->sock, iov, iovp - iov,
+ write_done, tran, &ctx->wrID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: evWrite: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+ if (evTimeRW(ctx->ev, ctx->wrID, ctx->tiID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: evTimeRW: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+}
+
+static void
+destroy(struct ctl_cctx *ctx, int notify) {
+ struct ctl_tran *this, *next;
+
+ if (ctx->sock != -1) {
+ (void) close(ctx->sock);
+ ctx->sock = -1;
+ }
+ switch (ctx->state) {
+ case connecting:
+ REQUIRE(ctx->wrID.opaque == NULL);
+ REQUIRE(EMPTY(ctx->tran));
+ /*
+ * This test is nec'y since destroy() can be called from
+ * start_read() while the state is still "connecting".
+ */
+ if (ctx->coID.opaque != NULL) {
+ (void)evCancelConn(ctx->ev, ctx->coID);
+ ctx->coID.opaque = NULL;
+ }
+ break;
+ case connected:
+ REQUIRE(ctx->coID.opaque == NULL);
+ if (ctx->wrID.opaque != NULL) {
+ (void)evCancelRW(ctx->ev, ctx->wrID);
+ ctx->wrID.opaque = NULL;
+ }
+ if (ctx->rdID.opaque != NULL)
+ stop_read(ctx);
+ break;
+ case destroyed:
+ break;
+ default:
+ abort();
+ }
+ if (allocated_p(ctx->inbuf))
+ ctl_bufput(&ctx->inbuf);
+ for (this = HEAD(ctx->tran); this != NULL; this = next) {
+ next = NEXT(this, link);
+ if (allocated_p(this->outbuf))
+ ctl_bufput(&this->outbuf);
+ if (notify && this->donefunc != NULL)
+ (*this->donefunc)(ctx, this->uap, NULL, 0);
+ memput(this, sizeof *this);
+ }
+ if (ctx->tiID.opaque != NULL)
+ stop_timer(ctx);
+ new_state(ctx, destroyed);
+}
+
+static void
+error(struct ctl_cctx *ctx) {
+ REQUIRE(ctx->state != destroyed);
+ destroy(ctx, 1);
+}
+
+static void
+new_state(struct ctl_cctx *ctx, enum state new_state) {
+ static const char me[] = "isc/ctl_clnt::new_state";
+
+ (*ctx->logger)(ctl_debug, "%s: %s -> %s", me,
+ state_names[ctx->state], state_names[new_state]);
+ ctx->state = new_state;
+}
+
+static void
+conn_done(evContext ev, void *uap, int fd,
+ const void *la, int lalen,
+ const void *ra, int ralen)
+{
+ static const char me[] = "isc/ctl_clnt::conn_done";
+ struct ctl_cctx *ctx = uap;
+ struct ctl_tran *tran;
+
+ UNUSED(ev);
+ UNUSED(la);
+ UNUSED(lalen);
+ UNUSED(ra);
+ UNUSED(ralen);
+
+ ctx->coID.opaque = NULL;
+ if (fd < 0) {
+ (*ctx->logger)(ctl_error, "%s: evConnect: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+ new_state(ctx, connected);
+ tran = new_tran(ctx, ctx->donefunc, ctx->uap, 0);
+ if (tran == NULL) {
+ (*ctx->logger)(ctl_error, "%s: new_tran failed: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+ start_read(ctx);
+ if (ctx->state == destroyed) {
+ (*ctx->logger)(ctl_error, "%s: start_read failed: %s",
+ me, strerror(errno));
+ error(ctx);
+ return;
+ }
+}
+
+static void
+write_done(evContext lev, void *uap, int fd, int bytes) {
+ struct ctl_tran *tran = (struct ctl_tran *)uap;
+ struct ctl_cctx *ctx = tran->ctx;
+
+ UNUSED(lev);
+ UNUSED(fd);
+
+ ctx->wrID.opaque = NULL;
+ if (ctx->tiID.opaque != NULL)
+ touch_timer(ctx);
+ ctl_bufput(&tran->outbuf);
+ start_write(ctx);
+ if (bytes < 0)
+ destroy(ctx, 1);
+ else
+ start_read(ctx);
+}
+
+static void
+start_read(struct ctl_cctx *ctx) {
+ static const char me[] = "isc/ctl_clnt::start_read";
+
+ REQUIRE(ctx->state == connecting || ctx->state == connected);
+ REQUIRE(ctx->rdID.opaque == NULL);
+ if (evSelectFD(ctx->ev, ctx->sock, EV_READ, readable, ctx,
+ &ctx->rdID) < 0)
+ {
+ (*ctx->logger)(ctl_error, "%s: evSelect(fd %d): %s", me,
+ ctx->sock, strerror(errno));
+ error(ctx);
+ return;
+ }
+}
+
+static void
+stop_read(struct ctl_cctx *ctx) {
+ REQUIRE(ctx->coID.opaque == NULL);
+ REQUIRE(ctx->rdID.opaque != NULL);
+ (void)evDeselectFD(ctx->ev, ctx->rdID);
+ ctx->rdID.opaque = NULL;
+}
+
+static void
+readable(evContext ev, void *uap, int fd, int evmask) {
+ static const char me[] = "isc/ctl_clnt::readable";
+ struct ctl_cctx *ctx = uap;
+ struct ctl_tran *tran;
+ ssize_t n;
+ char *eos;
+
+ UNUSED(ev);
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(fd >= 0);
+ REQUIRE(evmask == EV_READ);
+ REQUIRE(ctx->state == connected);
+ REQUIRE(!EMPTY(ctx->tran));
+ tran = HEAD(ctx->tran);
+ if (!allocated_p(ctx->inbuf) &&
+ ctl_bufget(&ctx->inbuf, ctx->logger) < 0) {
+ (*ctx->logger)(ctl_error, "%s: can't get an input buffer", me);
+ error(ctx);
+ return;
+ }
+ n = read(ctx->sock, ctx->inbuf.text + ctx->inbuf.used,
+ MAX_LINELEN - ctx->inbuf.used);
+ if (n <= 0) {
+ (*ctx->logger)(ctl_warning, "%s: read: %s", me,
+ (n == 0) ? "Unexpected EOF" : strerror(errno));
+ error(ctx);
+ return;
+ }
+ if (ctx->tiID.opaque != NULL)
+ touch_timer(ctx);
+ ctx->inbuf.used += n;
+ (*ctx->logger)(ctl_debug, "%s: read %d, used %d", me,
+ n, ctx->inbuf.used);
+ again:
+ eos = memchr(ctx->inbuf.text, '\n', ctx->inbuf.used);
+ if (eos != NULL && eos != ctx->inbuf.text && eos[-1] == '\r') {
+ int done = 0;
+
+ eos[-1] = '\0';
+ if (!arpacode_p(ctx->inbuf.text)) {
+ /* XXX Doesn't FTP do this sometimes? Is it legal? */
+ (*ctx->logger)(ctl_error, "%s: no arpa code (%s)", me,
+ ctx->inbuf.text);
+ error(ctx);
+ return;
+ }
+ if (arpadone_p(ctx->inbuf.text))
+ done = 1;
+ else if (arpacont_p(ctx->inbuf.text))
+ done = 0;
+ else {
+ /* XXX Doesn't FTP do this sometimes? Is it legal? */
+ (*ctx->logger)(ctl_error, "%s: no arpa flag (%s)", me,
+ ctx->inbuf.text);
+ error(ctx);
+ return;
+ }
+ (*tran->donefunc)(ctx, tran->uap, ctx->inbuf.text,
+ (done ? 0 : CTL_MORE));
+ ctx->inbuf.used -= ((eos - ctx->inbuf.text) + 1);
+ if (ctx->inbuf.used == 0U)
+ ctl_bufput(&ctx->inbuf);
+ else
+ memmove(ctx->inbuf.text, eos + 1, ctx->inbuf.used);
+ if (done) {
+ UNLINK(ctx->tran, tran, link);
+ memput(tran, sizeof *tran);
+ stop_read(ctx);
+ start_write(ctx);
+ return;
+ }
+ if (allocated_p(ctx->inbuf))
+ goto again;
+ return;
+ }
+ if (ctx->inbuf.used == (size_t)MAX_LINELEN) {
+ (*ctx->logger)(ctl_error, "%s: line too long (%-10s...)", me,
+ ctx->inbuf.text);
+ error(ctx);
+ }
+}
+
+/* Timer related stuff. */
+
+static void
+start_timer(struct ctl_cctx *ctx) {
+ static const char me[] = "isc/ctl_clnt::start_timer";
+
+ REQUIRE(ctx->tiID.opaque == NULL);
+ if (evSetIdleTimer(ctx->ev, timer, ctx, ctx->timeout, &ctx->tiID) < 0){
+ (*ctx->logger)(ctl_error, "%s: evSetIdleTimer: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+}
+
+static void
+stop_timer(struct ctl_cctx *ctx) {
+ static const char me[] = "isc/ctl_clnt::stop_timer";
+
+ REQUIRE(ctx->tiID.opaque != NULL);
+ if (evClearIdleTimer(ctx->ev, ctx->tiID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: evClearIdleTimer: %s", me,
+ strerror(errno));
+ error(ctx);
+ return;
+ }
+ ctx->tiID.opaque = NULL;
+}
+
+static void
+touch_timer(struct ctl_cctx *ctx) {
+ REQUIRE(ctx->tiID.opaque != NULL);
+
+ evTouchIdleTimer(ctx->ev, ctx->tiID);
+}
+
+static void
+timer(evContext ev, void *uap, struct timespec due, struct timespec itv) {
+ static const char me[] = "isc/ctl_clnt::timer";
+ struct ctl_cctx *ctx = uap;
+
+ UNUSED(ev);
+ UNUSED(due);
+ UNUSED(itv);
+
+ ctx->tiID.opaque = NULL;
+ (*ctx->logger)(ctl_error, "%s: timeout after %u seconds while %s", me,
+ ctx->timeout.tv_sec, state_names[ctx->state]);
+ error(ctx);
+}
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.c b/contrib/bind9/lib/bind/isc/ctl_p.c
new file mode 100644
index 0000000..bc45004
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ctl_p.c
@@ -0,0 +1,186 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: ctl_p.c,v 1.1.206.2 2004/03/17 00:29:51 marka Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Extern. */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <isc/assertions.h>
+#include <isc/eventlib.h>
+#include <isc/logging.h>
+#include <isc/memcluster.h>
+#include <isc/ctl.h>
+
+#include "ctl_p.h"
+
+#include "port_after.h"
+
+/* Constants. */
+
+const char * const ctl_sevnames[] = {
+ "debug", "warning", "error"
+};
+
+/* Public. */
+
+/*
+ * ctl_logger()
+ * if ctl_startup()'s caller didn't specify a logger, this one
+ * is used. this pollutes stderr with all kinds of trash so it will
+ * probably never be used in real applications.
+ */
+void
+ctl_logger(enum ctl_severity severity, const char *format, ...) {
+ va_list ap;
+ static const char me[] = "ctl_logger";
+
+ fprintf(stderr, "%s(%s): ", me, ctl_sevnames[severity]);
+ va_start(ap, format);
+ vfprintf(stderr, format, ap);
+ va_end(ap);
+ fputc('\n', stderr);
+}
+
+int
+ctl_bufget(struct ctl_buf *buf, ctl_logfunc logger) {
+ static const char me[] = "ctl_bufget";
+
+ REQUIRE(!allocated_p(*buf) && buf->used == 0U);
+ buf->text = memget(MAX_LINELEN);
+ if (!allocated_p(*buf)) {
+ (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
+ return (-1);
+ }
+ buf->used = 0;
+ return (0);
+}
+
+void
+ctl_bufput(struct ctl_buf *buf) {
+
+ REQUIRE(allocated_p(*buf));
+ memput(buf->text, MAX_LINELEN);
+ buf->text = NULL;
+ buf->used = 0;
+}
+
+const char *
+ctl_sa_ntop(const struct sockaddr *sa,
+ char *buf, size_t size,
+ ctl_logfunc logger)
+{
+ static const char me[] = "ctl_sa_ntop";
+ static const char punt[] = "[0].-1";
+ char tmp[INET6_ADDRSTRLEN];
+
+ switch (sa->sa_family) {
+ case AF_INET6: {
+ const struct sockaddr_in6 *in6 =
+ (const struct sockaddr_in6 *) sa;
+
+ if (inet_ntop(in6->sin6_family, &in6->sin6_addr, tmp, sizeof tmp)
+ == NULL) {
+ (*logger)(ctl_error, "%s: inet_ntop(%u %04x): %s",
+ me, in6->sin6_family,
+ in6->sin6_port, strerror(errno));
+ return (punt);
+ }
+ if (strlen(tmp) + sizeof "[].65535" > size) {
+ (*logger)(ctl_error, "%s: buffer overflow", me);
+ return (punt);
+ }
+ (void) sprintf(buf, "[%s].%u", tmp, ntohs(in6->sin6_port));
+ return (buf);
+ }
+ case AF_INET: {
+ const struct sockaddr_in *in =
+ (const struct sockaddr_in *) sa;
+
+ if (inet_ntop(in->sin_family, &in->sin_addr, tmp, sizeof tmp)
+ == NULL) {
+ (*logger)(ctl_error, "%s: inet_ntop(%u %04x %08x): %s",
+ me, in->sin_family,
+ in->sin_port, in->sin_addr.s_addr,
+ strerror(errno));
+ return (punt);
+ }
+ if (strlen(tmp) + sizeof "[].65535" > size) {
+ (*logger)(ctl_error, "%s: buffer overflow", me);
+ return (punt);
+ }
+ (void) sprintf(buf, "[%s].%u", tmp, ntohs(in->sin_port));
+ return (buf);
+ }
+#ifndef NO_SOCKADDR_UN
+ case AF_UNIX: {
+ const struct sockaddr_un *un =
+ (const struct sockaddr_un *) sa;
+ unsigned int x = sizeof un->sun_path;
+
+ if (x > size)
+ x = size;
+ strncpy(buf, un->sun_path, x - 1);
+ buf[x - 1] = '\0';
+ return (buf);
+ }
+#endif
+ default:
+ return (punt);
+ }
+}
+
+void
+ctl_sa_copy(const struct sockaddr *src, struct sockaddr *dst) {
+ switch (src->sa_family) {
+ case AF_INET6:
+ *((struct sockaddr_in6 *)dst) =
+ *((const struct sockaddr_in6 *)src);
+ break;
+ case AF_INET:
+ *((struct sockaddr_in *)dst) =
+ *((const struct sockaddr_in *)src);
+ break;
+#ifndef NO_SOCKADDR_UN
+ case AF_UNIX:
+ *((struct sockaddr_un *)dst) =
+ *((const struct sockaddr_un *)src);
+ break;
+#endif
+ default:
+ *dst = *src;
+ break;
+ }
+}
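Review bot: ctl_sa_copy() assigns a whole family-sized struct through `dst` without knowing how large the destination is, so every caller has to supply storage big enough for any family it may see. The caller added in ctl_srvr.c passes `&sess->sa`, a `union sa_un` with no `struct sockaddr_in6` member; in a NO_SOCKADDR_UN build the AF_INET6 assignment would write past the union, so the union should gain `struct sockaddr_in6 in6;`. The function should also carry a contract comment such as `/* dst must be large enough for src's address family (e.g. a struct sockaddr_storage). */`. In ctl_sa_ntop(), the AF_UNIX branch computes `x - 1` after clamping `x` to `size`, which wraps when `size` is 0; an early `if (size == 0U) return (punt);` would close that.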
diff --git a/contrib/bind9/lib/bind/isc/ctl_p.h b/contrib/bind9/lib/bind/isc/ctl_p.h
new file mode 100644
index 0000000..42aade7
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ctl_p.h
@@ -0,0 +1,26 @@
+struct ctl_buf {
+ char * text;
+ size_t used;
+};
+
+#define MAX_LINELEN 990 /* Like SMTP. */
+#ifndef NO_SOCKADDR_UN
+#define MAX_NTOP PATH_MAX
+#else
+#define MAX_NTOP (sizeof "[255.255.255.255].65535")
+#endif
+
+#define allocated_p(Buf) ((Buf).text != NULL)
+#define buffer_init(Buf) ((Buf).text = 0, (Buf.used) = 0)
+
+#define ctl_bufget __ctl_bufget
+#define ctl_bufput __ctl_bufput
+#define ctl_sa_ntop __ctl_sa_ntop
+#define ctl_sa_copy __ctl_sa_copy
+
+int ctl_bufget(struct ctl_buf *, ctl_logfunc);
+void ctl_bufput(struct ctl_buf *);
+const char * ctl_sa_ntop(const struct sockaddr *, char *, size_t,
+ ctl_logfunc);
+void ctl_sa_copy(const struct sockaddr *,
+ struct sockaddr *);
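Review bot: In the NO_SOCKADDR_UN branch MAX_NTOP is sized for an IPv4 literal only, yet ctl_sa_ntop() in ctl_p.c also formats AF_INET6 addresses. Its length check will reject most IPv6 addresses against a buffer of this size and return the `[0].-1` placeholder, so session log lines lose the peer address in that build. Sizing it for the longest IPv6 form, e.g. `#define MAX_NTOP (sizeof "[ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255].65535")`, keeps the log trail usable. As a style point, `buffer_init` writes `(Buf.used)` where `(Buf).used` is meant, which only works while the argument is a plain lvalue expression.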
diff --git a/contrib/bind9/lib/bind/isc/ctl_srvr.c b/contrib/bind9/lib/bind/isc/ctl_srvr.c
new file mode 100644
index 0000000..56c7684
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ctl_srvr.c
@@ -0,0 +1,780 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: ctl_srvr.c,v 1.3.2.1.4.3 2004/03/17 01:13:35 marka Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Extern. */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <isc/assertions.h>
+#include <isc/ctl.h>
+#include <isc/eventlib.h>
+#include <isc/list.h>
+#include <isc/logging.h>
+#include <isc/memcluster.h>
+
+#include "ctl_p.h"
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Macros. */
+
+#define lastverb_p(verb) (verb->name == NULL || verb->func == NULL)
+#define address_expr ctl_sa_ntop((struct sockaddr *)&sess->sa, \
+ tmp, sizeof tmp, ctx->logger)
+
+/* Types. */
+
+enum state {
+ available = 0, initializing, writing, reading, reading_data,
+ processing, idling, quitting, closing
+};
+
+union sa_un {
+ struct sockaddr_in in;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un un;
+#endif
+};
+
+struct ctl_sess {
+ LINK(struct ctl_sess) link;
+ struct ctl_sctx * ctx;
+ enum state state;
+ int sock;
+ union sa_un sa;
+ evFileID rdID;
+ evStreamID wrID;
+ evTimerID rdtiID;
+ evTimerID wrtiID;
+ struct ctl_buf inbuf;
+ struct ctl_buf outbuf;
+ const struct ctl_verb * verb;
+ u_int helpcode;
+ const void * respctx;
+ u_int respflags;
+ ctl_srvrdone donefunc;
+ void * uap;
+ void * csctx;
+};
+
+struct ctl_sctx {
+ evContext ev;
+ void * uctx;
+ u_int unkncode;
+ u_int timeoutcode;
+ const struct ctl_verb * verbs;
+ const struct ctl_verb * connverb;
+ int sock;
+ int max_sess;
+ int cur_sess;
+ struct timespec timeout;
+ ctl_logfunc logger;
+ evConnID acID;
+ LIST(struct ctl_sess) sess;
+};
+
+/* Forward. */
+
+static void ctl_accept(evContext, void *, int,
+ const void *, int,
+ const void *, int);
+static void ctl_close(struct ctl_sess *);
+static void ctl_new_state(struct ctl_sess *,
+ enum state,
+ const char *);
+static void ctl_start_read(struct ctl_sess *);
+static void ctl_stop_read(struct ctl_sess *);
+static void ctl_readable(evContext, void *, int, int);
+static void ctl_rdtimeout(evContext, void *,
+ struct timespec,
+ struct timespec);
+static void ctl_wrtimeout(evContext, void *,
+ struct timespec,
+ struct timespec);
+static void ctl_docommand(struct ctl_sess *);
+static void ctl_writedone(evContext, void *, int, int);
+static void ctl_morehelp(struct ctl_sctx *,
+ struct ctl_sess *,
+ const struct ctl_verb *,
+ const char *,
+ u_int, const void *, void *);
+static void ctl_signal_done(struct ctl_sctx *,
+ struct ctl_sess *);
+
+/* Private data. */
+
+static const char * state_names[] = {
+ "available", "initializing", "writing", "reading",
+ "reading_data", "processing", "idling", "quitting", "closing"
+};
+
+static const char space[] = " ";
+
+static const struct ctl_verb fakehelpverb = {
+ "fakehelp", ctl_morehelp , NULL
+};
+
+/* Public. */
+
+/*
+ * void
+ * ctl_server()
+ * create, condition, and start a listener on the control port.
+ */
+struct ctl_sctx *
+ctl_server(evContext lev, const struct sockaddr *sap, size_t sap_len,
+ const struct ctl_verb *verbs,
+ u_int unkncode, u_int timeoutcode,
+ u_int timeout, int backlog, int max_sess,
+ ctl_logfunc logger, void *uctx)
+{
+ static const char me[] = "ctl_server";
+ static const int on = 1;
+ const struct ctl_verb *connverb;
+ struct ctl_sctx *ctx;
+ int save_errno;
+
+ if (logger == NULL)
+ logger = ctl_logger;
+ for (connverb = verbs;
+ connverb->name != NULL && connverb->func != NULL;
+ connverb++)
+ if (connverb->name[0] == '\0')
+ break;
+ if (connverb->func == NULL) {
+ (*logger)(ctl_error, "%s: no connection verb found", me);
+ return (NULL);
+ }
+ ctx = memget(sizeof *ctx);
+ if (ctx == NULL) {
+ (*logger)(ctl_error, "%s: getmem: %s", me, strerror(errno));
+ return (NULL);
+ }
+ ctx->ev = lev;
+ ctx->uctx = uctx;
+ ctx->unkncode = unkncode;
+ ctx->timeoutcode = timeoutcode;
+ ctx->verbs = verbs;
+ ctx->timeout = evConsTime(timeout, 0);
+ ctx->logger = logger;
+ ctx->connverb = connverb;
+ ctx->max_sess = max_sess;
+ ctx->cur_sess = 0;
+ INIT_LIST(ctx->sess);
+ ctx->sock = socket(sap->sa_family, SOCK_STREAM, PF_UNSPEC);
+ if (ctx->sock > evHighestFD(ctx->ev)) {
+ ctx->sock = -1;
+ errno = ENOTSOCK;
+ }
+ if (ctx->sock < 0) {
+ save_errno = errno;
+ (*ctx->logger)(ctl_error, "%s: socket: %s",
+ me, strerror(errno));
+ memput(ctx, sizeof *ctx);
+ errno = save_errno;
+ return (NULL);
+ }
+ if (ctx->sock > evHighestFD(lev)) {
+ close(ctx->sock);
+ (*ctx->logger)(ctl_error, "%s: file descriptor > evHighestFD");
+ errno = ENFILE;
+ memput(ctx, sizeof *ctx);
+ return (NULL);
+ }
+#ifdef NO_UNIX_REUSEADDR
+ if (sap->sa_family != AF_UNIX)
+#endif
+ if (setsockopt(ctx->sock, SOL_SOCKET, SO_REUSEADDR,
+ (const char *)&on, sizeof on) != 0) {
+ (*ctx->logger)(ctl_warning,
+ "%s: setsockopt(REUSEADDR): %s",
+ me, strerror(errno));
+ }
+ if (bind(ctx->sock, sap, sap_len) < 0) {
+ char tmp[MAX_NTOP];
+ save_errno = errno;
+ (*ctx->logger)(ctl_error, "%s: bind: %s: %s",
+ me, ctl_sa_ntop((const struct sockaddr *)sap,
+ tmp, sizeof tmp, ctx->logger),
+ strerror(save_errno));
+ close(ctx->sock);
+ memput(ctx, sizeof *ctx);
+ errno = save_errno;
+ return (NULL);
+ }
+ if (fcntl(ctx->sock, F_SETFD, 1) < 0) {
+ (*ctx->logger)(ctl_warning, "%s: fcntl: %s", me,
+ strerror(errno));
+ }
+ if (evListen(lev, ctx->sock, backlog, ctl_accept, ctx,
+ &ctx->acID) < 0) {
+ save_errno = errno;
+ (*ctx->logger)(ctl_error, "%s: evListen(fd %d): %s",
+ me, ctx->sock, strerror(errno));
+ close(ctx->sock);
+ memput(ctx, sizeof *ctx);
+ errno = save_errno;
+ return (NULL);
+ }
+ (*ctx->logger)(ctl_debug, "%s: new ctx %p, sock %d",
+ me, ctx, ctx->sock);
+ return (ctx);
+}
+
+/*
+ * void
+ * ctl_endserver(ctx)
+ * if the control listener is open, close it. clean out all eventlib
+ * stuff. close all active sessions.
+ */
+void
+ctl_endserver(struct ctl_sctx *ctx) {
+ static const char me[] = "ctl_endserver";
+ struct ctl_sess *this, *next;
+
+ (*ctx->logger)(ctl_debug, "%s: ctx %p, sock %d, acID %p, sess %p",
+ me, ctx, ctx->sock, ctx->acID.opaque, ctx->sess);
+ if (ctx->acID.opaque != NULL) {
+ (void)evCancelConn(ctx->ev, ctx->acID);
+ ctx->acID.opaque = NULL;
+ }
+ if (ctx->sock != -1) {
+ (void) close(ctx->sock);
+ ctx->sock = -1;
+ }
+ for (this = HEAD(ctx->sess); this != NULL; this = next) {
+ next = NEXT(this, link);
+ ctl_close(this);
+ }
+ memput(ctx, sizeof *ctx);
+}
+
+/*
+ * If body is non-NULL then it we add a "." line after it.
+ * Caller must have escaped lines with leading ".".
+ */
+void
+ctl_response(struct ctl_sess *sess, u_int code, const char *text,
+ u_int flags, const void *respctx, ctl_srvrdone donefunc,
+ void *uap, const char *body, size_t bodylen)
+{
+ static const char me[] = "ctl_response";
+ struct iovec iov[3], *iovp = iov;
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP], *pc;
+ int n;
+
+ REQUIRE(sess->state == initializing ||
+ sess->state == processing ||
+ sess->state == reading_data ||
+ sess->state == writing);
+ REQUIRE(sess->wrtiID.opaque == NULL);
+ REQUIRE(sess->wrID.opaque == NULL);
+ ctl_new_state(sess, writing, me);
+ sess->donefunc = donefunc;
+ sess->uap = uap;
+ if (!allocated_p(sess->outbuf) &&
+ ctl_bufget(&sess->outbuf, ctx->logger) < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: cant get an output buffer",
+ me, address_expr);
+ goto untimely;
+ }
+ if (sizeof "000-\r\n" + strlen(text) > (size_t)MAX_LINELEN) {
+ (*ctx->logger)(ctl_error, "%s: %s: output buffer ovf, closing",
+ me, address_expr);
+ goto untimely;
+ }
+ sess->outbuf.used = SPRINTF((sess->outbuf.text, "%03d%c%s\r\n",
+ code, (flags & CTL_MORE) != 0 ? '-' : ' ',
+ text));
+ for (pc = sess->outbuf.text, n = 0;
+ n < (int)sess->outbuf.used-2; pc++, n++)
+ if (!isascii((unsigned char)*pc) ||
+ !isprint((unsigned char)*pc))
+ *pc = '\040';
+ *iovp++ = evConsIovec(sess->outbuf.text, sess->outbuf.used);
+ if (body != NULL) {
+ char *tmp;
+ DE_CONST(body, tmp);
+ *iovp++ = evConsIovec(tmp, bodylen);
+ DE_CONST(".\r\n", tmp);
+ *iovp++ = evConsIovec(tmp, 3);
+ }
+ (*ctx->logger)(ctl_debug, "%s: [%d] %s", me,
+ sess->outbuf.used, sess->outbuf.text);
+ if (evWrite(ctx->ev, sess->sock, iov, iovp - iov,
+ ctl_writedone, sess, &sess->wrID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: evWrite: %s", me,
+ address_expr, strerror(errno));
+ goto untimely;
+ }
+ if (evSetIdleTimer(ctx->ev, ctl_wrtimeout, sess, ctx->timeout,
+ &sess->wrtiID) < 0)
+ {
+ (*ctx->logger)(ctl_error, "%s: %s: evSetIdleTimer: %s", me,
+ address_expr, strerror(errno));
+ goto untimely;
+ }
+ if (evTimeRW(ctx->ev, sess->wrID, sess->wrtiID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: evTimeRW: %s", me,
+ address_expr, strerror(errno));
+ untimely:
+ ctl_signal_done(ctx, sess);
+ ctl_close(sess);
+ return;
+ }
+ sess->respctx = respctx;
+ sess->respflags = flags;
+}
+
+void
+ctl_sendhelp(struct ctl_sess *sess, u_int code) {
+ static const char me[] = "ctl_sendhelp";
+ struct ctl_sctx *ctx = sess->ctx;
+
+ sess->helpcode = code;
+ sess->verb = &fakehelpverb;
+ ctl_morehelp(ctx, sess, NULL, me, CTL_MORE,
+ (const void *)ctx->verbs, NULL);
+}
+
+void *
+ctl_getcsctx(struct ctl_sess *sess) {
+ return (sess->csctx);
+}
+
+void *
+ctl_setcsctx(struct ctl_sess *sess, void *csctx) {
+ void *old = sess->csctx;
+
+ sess->csctx = csctx;
+ return (old);
+}
+
+/* Private functions. */
+
+static void
+ctl_accept(evContext lev, void *uap, int fd,
+ const void *lav, int lalen,
+ const void *rav, int ralen)
+{
+ static const char me[] = "ctl_accept";
+ struct ctl_sctx *ctx = uap;
+ struct ctl_sess *sess = NULL;
+ char tmp[MAX_NTOP];
+
+ UNUSED(lev);
+ UNUSED(lalen);
+ UNUSED(ralen);
+
+ if (fd < 0) {
+ (*ctx->logger)(ctl_error, "%s: accept: %s",
+ me, strerror(errno));
+ return;
+ }
+ if (ctx->cur_sess == ctx->max_sess) {
+ (*ctx->logger)(ctl_error, "%s: %s: too many control sessions",
+ me, ctl_sa_ntop((const struct sockaddr *)rav,
+ tmp, sizeof tmp,
+ ctx->logger));
+ (void) close(fd);
+ return;
+ }
+ sess = memget(sizeof *sess);
+ if (sess == NULL) {
+ (*ctx->logger)(ctl_error, "%s: memget: %s", me,
+ strerror(errno));
+ (void) close(fd);
+ return;
+ }
+ if (fcntl(fd, F_SETFD, 1) < 0) {
+ (*ctx->logger)(ctl_warning, "%s: fcntl: %s", me,
+ strerror(errno));
+ }
+ ctx->cur_sess++;
+ INIT_LINK(sess, link);
+ APPEND(ctx->sess, sess, link);
+ sess->ctx = ctx;
+ sess->sock = fd;
+ sess->wrID.opaque = NULL;
+ sess->rdID.opaque = NULL;
+ sess->wrtiID.opaque = NULL;
+ sess->rdtiID.opaque = NULL;
+ sess->respctx = NULL;
+ sess->csctx = NULL;
+ if (((const struct sockaddr *)rav)->sa_family == AF_UNIX)
+ ctl_sa_copy((const struct sockaddr *)lav,
+ (struct sockaddr *)&sess->sa);
+ else
+ ctl_sa_copy((const struct sockaddr *)rav,
+ (struct sockaddr *)&sess->sa);
+ sess->donefunc = NULL;
+ buffer_init(sess->inbuf);
+ buffer_init(sess->outbuf);
+ sess->state = available;
+ ctl_new_state(sess, initializing, me);
+ sess->verb = ctx->connverb;
+ (*ctx->logger)(ctl_debug, "%s: %s: accepting (fd %d)",
+ me, address_expr, sess->sock);
+ (*ctx->connverb->func)(ctx, sess, ctx->connverb, "", 0,
+ (const struct sockaddr *)rav, ctx->uctx);
+}
+
+static void
+ctl_new_state(struct ctl_sess *sess, enum state new_state, const char *reason)
+{
+ static const char me[] = "ctl_new_state";
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+
+ (*ctx->logger)(ctl_debug, "%s: %s: %s -> %s (%s)",
+ me, address_expr,
+ state_names[sess->state],
+ state_names[new_state], reason);
+ sess->state = new_state;
+}
+
+static void
+ctl_close(struct ctl_sess *sess) {
+ static const char me[] = "ctl_close";
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+
+ REQUIRE(sess->state == initializing ||
+ sess->state == writing ||
+ sess->state == reading ||
+ sess->state == processing ||
+ sess->state == reading_data ||
+ sess->state == idling);
+ REQUIRE(sess->sock != -1);
+ if (sess->state == reading || sess->state == reading_data)
+ ctl_stop_read(sess);
+ else if (sess->state == writing) {
+ if (sess->wrID.opaque != NULL) {
+ (void) evCancelRW(ctx->ev, sess->wrID);
+ sess->wrID.opaque = NULL;
+ }
+ if (sess->wrtiID.opaque != NULL) {
+ (void) evClearIdleTimer(ctx->ev, sess->wrtiID);
+ sess->wrtiID.opaque = NULL;
+ }
+ }
+ ctl_new_state(sess, closing, me);
+ (void) close(sess->sock);
+ if (allocated_p(sess->inbuf))
+ ctl_bufput(&sess->inbuf);
+ if (allocated_p(sess->outbuf))
+ ctl_bufput(&sess->outbuf);
+ (*ctx->logger)(ctl_debug, "%s: %s: closed (fd %d)",
+ me, address_expr, sess->sock);
+ UNLINK(ctx->sess, sess, link);
+ memput(sess, sizeof *sess);
+ ctx->cur_sess--;
+}
+
+static void
+ctl_start_read(struct ctl_sess *sess) {
+ static const char me[] = "ctl_start_read";
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+
+ REQUIRE(sess->state == initializing ||
+ sess->state == writing ||
+ sess->state == processing ||
+ sess->state == idling);
+ REQUIRE(sess->rdtiID.opaque == NULL);
+ REQUIRE(sess->rdID.opaque == NULL);
+ sess->inbuf.used = 0;
+ if (evSetIdleTimer(ctx->ev, ctl_rdtimeout, sess, ctx->timeout,
+ &sess->rdtiID) < 0)
+ {
+ (*ctx->logger)(ctl_error, "%s: %s: evSetIdleTimer: %s", me,
+ address_expr, strerror(errno));
+ ctl_close(sess);
+ return;
+ }
+ if (evSelectFD(ctx->ev, sess->sock, EV_READ,
+ ctl_readable, sess, &sess->rdID) < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: evSelectFD: %s", me,
+ address_expr, strerror(errno));
+ return;
+ }
+ ctl_new_state(sess, reading, me);
+}
+
+static void
+ctl_stop_read(struct ctl_sess *sess) {
+ static const char me[] = "ctl_stop_read";
+ struct ctl_sctx *ctx = sess->ctx;
+
+ REQUIRE(sess->state == reading || sess->state == reading_data);
+ REQUIRE(sess->rdID.opaque != NULL);
+ (void) evDeselectFD(ctx->ev, sess->rdID);
+ sess->rdID.opaque = NULL;
+ if (sess->rdtiID.opaque != NULL) {
+ (void) evClearIdleTimer(ctx->ev, sess->rdtiID);
+ sess->rdtiID.opaque = NULL;
+ }
+ ctl_new_state(sess, idling, me);
+}
+
+static void
+ctl_readable(evContext lev, void *uap, int fd, int evmask) {
+ static const char me[] = "ctl_readable";
+ struct ctl_sess *sess = uap;
+ struct ctl_sctx *ctx = sess->ctx;
+ char *eos, tmp[MAX_NTOP];
+ ssize_t n;
+
+ REQUIRE(sess != NULL);
+ REQUIRE(fd >= 0);
+ REQUIRE(evmask == EV_READ);
+ REQUIRE(sess->state == reading || sess->state == reading_data);
+ evTouchIdleTimer(lev, sess->rdtiID);
+ if (!allocated_p(sess->inbuf) &&
+ ctl_bufget(&sess->inbuf, ctx->logger) < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: cant get an input buffer",
+ me, address_expr);
+ ctl_close(sess);
+ return;
+ }
+ n = read(sess->sock, sess->inbuf.text + sess->inbuf.used,
+ MAX_LINELEN - sess->inbuf.used);
+ if (n <= 0) {
+ (*ctx->logger)(ctl_debug, "%s: %s: read: %s",
+ me, address_expr,
+ (n == 0) ? "Unexpected EOF" : strerror(errno));
+ ctl_close(sess);
+ return;
+ }
+ sess->inbuf.used += n;
+ eos = memchr(sess->inbuf.text, '\n', sess->inbuf.used);
+ if (eos != NULL && eos != sess->inbuf.text && eos[-1] == '\r') {
+ eos[-1] = '\0';
+ if ((sess->respflags & CTL_DATA) != 0) {
+ INSIST(sess->verb != NULL);
+ (*sess->verb->func)(sess->ctx, sess, sess->verb,
+ sess->inbuf.text,
+ CTL_DATA, sess->respctx,
+ sess->ctx->uctx);
+ } else {
+ ctl_stop_read(sess);
+ ctl_docommand(sess);
+ }
+ sess->inbuf.used -= ((eos - sess->inbuf.text) + 1);
+ if (sess->inbuf.used == 0U)
+ ctl_bufput(&sess->inbuf);
+ else
+ memmove(sess->inbuf.text, eos + 1, sess->inbuf.used);
+ return;
+ }
+ if (sess->inbuf.used == (size_t)MAX_LINELEN) {
+ (*ctx->logger)(ctl_error, "%s: %s: line too long, closing",
+ me, address_expr);
+ ctl_close(sess);
+ }
+}
+
+static void
+ctl_wrtimeout(evContext lev, void *uap,
+ struct timespec due,
+ struct timespec itv)
+{
+ static const char me[] = "ctl_wrtimeout";
+ struct ctl_sess *sess = uap;
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+
+ UNUSED(lev);
+ UNUSED(due);
+ UNUSED(itv);
+
+ REQUIRE(sess->state == writing);
+ sess->wrtiID.opaque = NULL;
+ (*ctx->logger)(ctl_warning, "%s: %s: write timeout, closing",
+ me, address_expr);
+ if (sess->wrID.opaque != NULL) {
+ (void) evCancelRW(ctx->ev, sess->wrID);
+ sess->wrID.opaque = NULL;
+ }
+ ctl_signal_done(ctx, sess);
+ ctl_new_state(sess, processing, me);
+ ctl_close(sess);
+}
+
+static void
+ctl_rdtimeout(evContext lev, void *uap,
+ struct timespec due,
+ struct timespec itv)
+{
+ static const char me[] = "ctl_rdtimeout";
+ struct ctl_sess *sess = uap;
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+
+ UNUSED(lev);
+ UNUSED(due);
+ UNUSED(itv);
+
+ REQUIRE(sess->state == reading);
+ sess->rdtiID.opaque = NULL;
+ (*ctx->logger)(ctl_warning, "%s: %s: timeout, closing",
+ me, address_expr);
+ if (sess->state == reading || sess->state == reading_data)
+ ctl_stop_read(sess);
+ ctl_signal_done(ctx, sess);
+ ctl_new_state(sess, processing, me);
+ ctl_response(sess, ctx->timeoutcode, "Timeout.", CTL_EXIT, NULL,
+ NULL, NULL, NULL, 0);
+}
+
+static void
+ctl_docommand(struct ctl_sess *sess) {
+ static const char me[] = "ctl_docommand";
+ char *name, *rest, tmp[MAX_NTOP];
+ struct ctl_sctx *ctx = sess->ctx;
+ const struct ctl_verb *verb;
+
+ REQUIRE(allocated_p(sess->inbuf));
+ (*ctx->logger)(ctl_debug, "%s: %s: \"%s\" [%u]",
+ me, address_expr,
+ sess->inbuf.text, (u_int)sess->inbuf.used);
+ ctl_new_state(sess, processing, me);
+ name = sess->inbuf.text + strspn(sess->inbuf.text, space);
+ rest = name + strcspn(name, space);
+ if (*rest != '\0') {
+ *rest++ = '\0';
+ rest += strspn(rest, space);
+ }
+ for (verb = ctx->verbs;
+ verb != NULL && verb->name != NULL && verb->func != NULL;
+ verb++)
+ if (verb->name[0] != '\0' && strcasecmp(name, verb->name) == 0)
+ break;
+ if (verb != NULL && verb->name != NULL && verb->func != NULL) {
+ sess->verb = verb;
+ (*verb->func)(ctx, sess, verb, rest, 0, NULL, ctx->uctx);
+ } else {
+ char buf[1100];
+
+ if (sizeof "Unrecognized command \"\" (args \"\")" +
+ strlen(name) + strlen(rest) > sizeof buf)
+ strcpy(buf, "Unrecognized command (buf ovf)");
+ else
+ sprintf(buf,
+ "Unrecognized command \"%s\" (args \"%s\")",
+ name, rest);
+ ctl_response(sess, ctx->unkncode, buf, 0, NULL, NULL, NULL,
+ NULL, 0);
+ }
+}
+
+static void
+ctl_writedone(evContext lev, void *uap, int fd, int bytes) {
+ static const char me[] = "ctl_writedone";
+ struct ctl_sess *sess = uap;
+ struct ctl_sctx *ctx = sess->ctx;
+ char tmp[MAX_NTOP];
+ int save_errno = errno;
+
+ UNUSED(lev);
+ UNUSED(uap);
+
+ REQUIRE(sess->state == writing);
+ REQUIRE(fd == sess->sock);
+ REQUIRE(sess->wrtiID.opaque != NULL);
+ sess->wrID.opaque = NULL;
+ (void) evClearIdleTimer(ctx->ev, sess->wrtiID);
+ sess->wrtiID.opaque = NULL;
+ if (bytes < 0) {
+ (*ctx->logger)(ctl_error, "%s: %s: %s",
+ me, address_expr, strerror(save_errno));
+ ctl_close(sess);
+ return;
+ }
+
+ INSIST(allocated_p(sess->outbuf));
+ ctl_bufput(&sess->outbuf);
+ if ((sess->respflags & CTL_EXIT) != 0) {
+ ctl_signal_done(ctx, sess);
+ ctl_close(sess);
+ return;
+ } else if ((sess->respflags & CTL_MORE) != 0) {
+ INSIST(sess->verb != NULL);
+ (*sess->verb->func)(sess->ctx, sess, sess->verb, "",
+ CTL_MORE, sess->respctx, sess->ctx->uctx);
+ } else {
+ ctl_signal_done(ctx, sess);
+ ctl_start_read(sess);
+ }
+}
+
+static void
+ctl_morehelp(struct ctl_sctx *ctx, struct ctl_sess *sess,
+ const struct ctl_verb *verb, const char *text,
+ u_int respflags, const void *respctx, void *uctx)
+{
+ const struct ctl_verb *this = respctx, *next = this + 1;
+
+ UNUSED(ctx);
+ UNUSED(verb);
+ UNUSED(text);
+ UNUSED(uctx);
+
+ REQUIRE(!lastverb_p(this));
+ REQUIRE((respflags & CTL_MORE) != 0);
+ if (lastverb_p(next))
+ respflags &= ~CTL_MORE;
+ ctl_response(sess, sess->helpcode, this->help, respflags, next,
+ NULL, NULL, NULL, 0);
+}
+
+static void
+ctl_signal_done(struct ctl_sctx *ctx, struct ctl_sess *sess) {
+ if (sess->donefunc != NULL) {
+ (*sess->donefunc)(ctx, sess, sess->uap);
+ sess->donefunc = NULL;
+ }
+}
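Review bot: ctl_readable() keeps using `sess` after it has called the verb function or ctl_docommand(), but either call can free the session: the `untimely` path in ctl_response() calls ctl_close(), which releases the input buffer and then does `memput(sess, sizeof *sess)`. The statements that follow the dispatch (`sess->inbuf.used -= …`, then ctl_bufput() or memmove() on `sess->inbuf.text`) would then operate on freed memory, on a path driven by input read from the control socket. The handler should confirm the session is still linked on `ctx->sess` before touching it again, as sketched below; deferring the memput() in ctl_close() until the event callback has unwound would be the more thorough fix. Separately, the `"%s: file descriptor > evHighestFD"` log call in ctl_server() passes no argument for its `%s` (it needs `me`), although the earlier evHighestFD check appears to make that branch unreachable.

```c
	struct ctl_sess *live;
	/* … unchanged: buffer setup, read(), CRLF search, CTL_DATA dispatch … */
			ctl_docommand(sess);
		}
		/* The callback may have closed the session, which frees it. */
		for (live = HEAD(ctx->sess); live != NULL && live != sess;
		     live = NEXT(live, link))
			continue;
		if (live == NULL)
			return;
	/* … unchanged: inbuf accounting, compaction, line-too-long check … */
```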
diff --git a/contrib/bind9/lib/bind/isc/ev_connects.c b/contrib/bind9/lib/bind/isc/ev_connects.c
new file mode 100644
index 0000000..043e5f4
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ev_connects.c
@@ -0,0 +1,367 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* ev_connects.c - implement asynch connect/accept for the eventlib
+ * vix 16sep96 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: ev_connects.c,v 1.4.206.1 2004/03/09 08:33:40 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/ioctl.h>
+
+#include <unistd.h>
+
+#include <isc/eventlib.h>
+#include <isc/assertions.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+/* Macros. */
+
+#define GETXXXNAME(f, s, sa, len) ( \
+ (f((s), (&sa), (&len)) >= 0) ? 0 : \
+ (errno != EAFNOSUPPORT && errno != EOPNOTSUPP) ? -1 : ( \
+ memset(&(sa), 0, sizeof (sa)), \
+ (len) = sizeof (sa), \
+ (sa).sa_family = AF_UNIX, \
+ 0 \
+ ) \
+ )
+
+/* Forward. */
+
+static void listener(evContext ctx, void *uap, int fd, int evmask);
+static void connector(evContext ctx, void *uap, int fd, int evmask);
+
+/* Public. */
+
+int
+evListen(evContext opaqueCtx, int fd, int maxconn,
+ evConnFunc func, void *uap, evConnID *id)
+{
+ evContext_p *ctx = opaqueCtx.opaque;
+ evConn *new;
+ int mode;
+
+ OKNEW(new);
+ new->flags = EV_CONN_LISTEN;
+ OK(mode = fcntl(fd, F_GETFL, NULL)); /* side effect: validate fd. */
+ /*
+ * Remember the nonblocking status. We assume that either evSelectFD
+ * has not been done to this fd, or that if it has then the caller
+ * will evCancelConn before they evDeselectFD. If our assumptions
+ * are not met, then we might restore the old nonblocking status
+ * incorrectly.
+ */
+ if ((mode & PORT_NONBLOCK) == 0) {
+#ifdef USE_FIONBIO_IOCTL
+ int on = 1;
+ OK(ioctl(fd, FIONBIO, (char *)&on));
+#else
+ OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
+#endif
+ new->flags |= EV_CONN_BLOCK;
+ }
+ OK(listen(fd, maxconn));
+ if (evSelectFD(opaqueCtx, fd, EV_READ, listener, new, &new->file) < 0){
+ int save = errno;
+
+ FREE(new);
+ errno = save;
+ return (-1);
+ }
+ new->flags |= EV_CONN_SELECTED;
+ new->func = func;
+ new->uap = uap;
+ new->fd = fd;
+ if (ctx->conns != NULL)
+ ctx->conns->prev = new;
+ new->prev = NULL;
+ new->next = ctx->conns;
+ ctx->conns = new;
+ if (id)
+ id->opaque = new;
+ return (0);
+}
+
+int
+evConnect(evContext opaqueCtx, int fd, const void *ra, int ralen,
+ evConnFunc func, void *uap, evConnID *id)
+{
+ evContext_p *ctx = opaqueCtx.opaque;
+ evConn *new;
+
+ OKNEW(new);
+ new->flags = 0;
+ /* Do the select() first to get the socket into nonblocking mode. */
+ if (evSelectFD(opaqueCtx, fd, EV_MASK_ALL,
+ connector, new, &new->file) < 0) {
+ int save = errno;
+
+ FREE(new);
+ errno = save;
+ return (-1);
+ }
+ new->flags |= EV_CONN_SELECTED;
+ if (connect(fd, ra, ralen) < 0 &&
+ errno != EWOULDBLOCK &&
+ errno != EAGAIN &&
+ errno != EINPROGRESS) {
+ int save = errno;
+
+ (void) evDeselectFD(opaqueCtx, new->file);
+ FREE(new);
+ errno = save;
+ return (-1);
+ }
+ /* No error, or EWOULDBLOCK. select() tells when it's ready. */
+ new->func = func;
+ new->uap = uap;
+ new->fd = fd;
+ if (ctx->conns != NULL)
+ ctx->conns->prev = new;
+ new->prev = NULL;
+ new->next = ctx->conns;
+ ctx->conns = new;
+ if (id)
+ id->opaque = new;
+ return (0);
+}
+
+int
+evCancelConn(evContext opaqueCtx, evConnID id) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evConn *this = id.opaque;
+ evAccept *acc, *nxtacc;
+ int mode;
+
+ if ((this->flags & EV_CONN_SELECTED) != 0)
+ (void) evDeselectFD(opaqueCtx, this->file);
+ if ((this->flags & EV_CONN_BLOCK) != 0) {
+ mode = fcntl(this->fd, F_GETFL, NULL);
+ if (mode == -1) {
+ if (errno != EBADF)
+ return (-1);
+ } else {
+#ifdef USE_FIONBIO_IOCTL
+ int on = 1;
+ OK(ioctl(this->fd, FIONBIO, (char *)&on));
+#else
+ OK(fcntl(this->fd, F_SETFL, mode | PORT_NONBLOCK));
+#endif
+ }
+ }
+
+ /* Unlink from ctx->conns. */
+ if (this->prev != NULL)
+ this->prev->next = this->next;
+ else
+ ctx->conns = this->next;
+ if (this->next != NULL)
+ this->next->prev = this->prev;
+
+ /*
+ * Remove `this' from the ctx->accepts list (zero or more times).
+ */
+ for (acc = HEAD(ctx->accepts), nxtacc = NULL;
+ acc != NULL;
+ acc = nxtacc)
+ {
+ nxtacc = NEXT(acc, link);
+ if (acc->conn == this) {
+ UNLINK(ctx->accepts, acc, link);
+ close(acc->fd);
+ FREE(acc);
+ }
+ }
+
+ /* Wrap up and get out. */
+ FREE(this);
+ return (0);
+}
+
+int evHold(evContext opaqueCtx, evConnID id) {
+ evConn *this = id.opaque;
+
+ if ((this->flags & EV_CONN_LISTEN) == 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if ((this->flags & EV_CONN_SELECTED) == 0)
+ return (0);
+ this->flags &= ~EV_CONN_SELECTED;
+ return (evDeselectFD(opaqueCtx, this->file));
+}
+
+int evUnhold(evContext opaqueCtx, evConnID id) {
+ evConn *this = id.opaque;
+ int ret;
+
+ if ((this->flags & EV_CONN_LISTEN) == 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if ((this->flags & EV_CONN_SELECTED) != 0)
+ return (0);
+ ret = evSelectFD(opaqueCtx, this->fd, EV_READ, listener, this,
+ &this->file);
+ if (ret == 0)
+ this->flags |= EV_CONN_SELECTED;
+ return (ret);
+}
+
+int
+evTryAccept(evContext opaqueCtx, evConnID id, int *sys_errno) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evConn *conn = id.opaque;
+ evAccept *new;
+
+ if ((conn->flags & EV_CONN_LISTEN) == 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ OKNEW(new);
+ new->conn = conn;
+ new->ralen = sizeof new->ra;
+ new->fd = accept(conn->fd, &new->ra.sa, &new->ralen);
+ if (new->fd > ctx->highestFD) {
+ close(new->fd);
+ new->fd = -1;
+ new->ioErrno = ENOTSOCK;
+ }
+ if (new->fd >= 0) {
+ new->lalen = sizeof new->la;
+ if (GETXXXNAME(getsockname, new->fd, new->la.sa, new->lalen) < 0) {
+ new->ioErrno = errno;
+ (void) close(new->fd);
+ new->fd = -1;
+ } else
+ new->ioErrno = 0;
+ } else {
+ new->ioErrno = errno;
+ if (errno == EAGAIN || errno == EWOULDBLOCK) {
+ FREE(new);
+ return (-1);
+ }
+ }
+ INIT_LINK(new, link);
+ APPEND(ctx->accepts, new, link);
+ *sys_errno = new->ioErrno;
+ return (0);
+}
+
+/* Private. */
+
+static void
+listener(evContext opaqueCtx, void *uap, int fd, int evmask) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evConn *conn = uap;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un un;
+#endif
+ } la, ra;
+ int new;
+ ISC_SOCKLEN_T lalen = 0, ralen;
+
+ REQUIRE((evmask & EV_READ) != 0);
+ ralen = sizeof ra;
+ new = accept(fd, &ra.sa, &ralen);
+ if (new > ctx->highestFD) {
+ close(new);
+ new = -1;
+ errno = ENOTSOCK;
+ }
+ if (new >= 0) {
+ lalen = sizeof la;
+ if (GETXXXNAME(getsockname, new, la.sa, lalen) < 0) {
+ int save = errno;
+
+ (void) close(new);
+ errno = save;
+ new = -1;
+ }
+ } else if (errno == EAGAIN || errno == EWOULDBLOCK)
+ return;
+ (*conn->func)(opaqueCtx, conn->uap, new, &la.sa, lalen, &ra.sa, ralen);
+}
+
+static void
+connector(evContext opaqueCtx, void *uap, int fd, int evmask) {
+ evConn *conn = uap;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un un;
+#endif
+ } la, ra;
+ ISC_SOCKLEN_T lalen, ralen;
+#ifndef NETREAD_BROKEN
+ char buf[1];
+#endif
+ void *conn_uap;
+ evConnFunc conn_func;
+ evConnID id;
+ int socket_errno = 0;
+ ISC_SOCKLEN_T optlen;
+
+ UNUSED(evmask);
+
+ lalen = sizeof la;
+ ralen = sizeof ra;
+ conn_uap = conn->uap;
+ conn_func = conn->func;
+ id.opaque = conn;
+#ifdef SO_ERROR
+ optlen = sizeof socket_errno;
+ if (fd < 0 &&
+ getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, (char *)&socket_errno,
+ &optlen) < 0)
+ socket_errno = errno;
+ else
+ errno = socket_errno;
+#endif
+ if (evCancelConn(opaqueCtx, id) < 0 ||
+ socket_errno ||
+#ifdef NETREAD_BROKEN
+ 0 ||
+#else
+ read(fd, buf, 0) < 0 ||
+#endif
+ GETXXXNAME(getsockname, fd, la.sa, lalen) < 0 ||
+ GETXXXNAME(getpeername, fd, ra.sa, ralen) < 0) {
+ int save = errno;
+
+ (void) close(fd); /* XXX closing caller's fd */
+ errno = save;
+ fd = -1;
+ }
+ (*conn_func)(opaqueCtx, conn_uap, fd, &la.sa, lalen, &ra.sa, ralen);
+}
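Review bot: In evCancelConn, the branch guarded by EV_CONN_BLOCK does not restore blocking mode; it turns non-blocking on again, with `int on = 1;` for FIONBIO and `mode | PORT_NONBLOCK` for F_SETFL. evListen sets that flag only when it had to switch a blocking descriptor to non-blocking, so the restore should clear the bit, `OK(fcntl(this->fd, F_SETFL, mode & ~PORT_NONBLOCK));`, and pass a zero value to FIONBIO. The FIONBIO branch of evDeselectFD in ev_files.c has the same slip (`int off = 1;`), while its fcntl branch clears the flag correctly. Separately, OK() here presumably returns early on failure, which would leave the evConn linked in ctx->conns after its file event was deselected; that is worth confirming against eventlib_p.h.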
diff --git a/contrib/bind9/lib/bind/isc/ev_files.c b/contrib/bind9/lib/bind/isc/ev_files.c
new file mode 100644
index 0000000..4d5eb55
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ev_files.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* ev_files.c - implement asynch file IO for the eventlib
+ * vix 11sep95 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: ev_files.c,v 1.3.2.1.4.1 2004/03/09 08:33:42 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+
+#include <isc/eventlib.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+static evFile *FindFD(const evContext_p *ctx, int fd, int eventmask);
+
+int
+evSelectFD(evContext opaqueCtx,
+ int fd,
+ int eventmask,
+ evFileFunc func,
+ void *uap,
+ evFileID *opaqueID
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evFile *id;
+ int mode;
+
+ evPrintf(ctx, 1,
+ "evSelectFD(ctx %p, fd %d, mask 0x%x, func %p, uap %p)\n",
+ ctx, fd, eventmask, func, uap);
+ if (eventmask == 0 || (eventmask & ~EV_MASK_ALL) != 0)
+ EV_ERR(EINVAL);
+ if (fd > ctx->highestFD)
+ EV_ERR(EINVAL);
+ OK(mode = fcntl(fd, F_GETFL, NULL)); /* side effect: validate fd. */
+
+ /*
+ * The first time we touch a file descriptor, we need to check to see
+ * if the application already had it in O_NONBLOCK mode and if so, all
+ * of our deselect()'s have to leave it in O_NONBLOCK. If not, then
+ * all but our last deselect() has to leave it in O_NONBLOCK.
+ */
+ id = FindFD(ctx, fd, EV_MASK_ALL);
+ if (id == NULL) {
+ if (mode & PORT_NONBLOCK)
+ FD_SET(fd, &ctx->nonblockBefore);
+ else {
+#ifdef USE_FIONBIO_IOCTL
+ int on = 1;
+ OK(ioctl(fd, FIONBIO, (char *)&on));
+#else
+ OK(fcntl(fd, F_SETFL, mode | PORT_NONBLOCK));
+#endif
+ FD_CLR(fd, &ctx->nonblockBefore);
+ }
+ }
+
+ /*
+ * If this descriptor is already in use, search for it again to see
+ * if any of the eventmask bits we want to set are already captured.
+ * We cannot usefully capture the same fd event more than once in the
+ * same context.
+ */
+ if (id != NULL && FindFD(ctx, fd, eventmask) != NULL)
+ EV_ERR(ETOOMANYREFS);
+
+ /* Allocate and fill. */
+ OKNEW(id);
+ id->func = func;
+ id->uap = uap;
+ id->fd = fd;
+ id->eventmask = eventmask;
+
+ /*
+ * Insert at head. Order could be important for performance if we
+ * believe that evGetNext()'s accesses to the fd_sets will be more
+ * serial and therefore more cache-lucky if the list is ordered by
+ * ``fd.'' We do not believe these things, so we don't do it.
+ *
+ * The interesting sequence is where GetNext() has cached a select()
+ * result and the caller decides to evSelectFD() on some descriptor.
+ * Since GetNext() starts at the head, it can miss new entries we add
+ * at the head. This is not a serious problem since the event being
+ * evSelectFD()'d for has to occur before evSelectFD() is called for
+ * the file event to be considered "missed" -- a real corner case.
+ * Maintaining a "tail" pointer for ctx->files would fix this, but I'm
+ * not sure it would be ``more correct.''
+ */
+ if (ctx->files != NULL)
+ ctx->files->prev = id;
+ id->prev = NULL;
+ id->next = ctx->files;
+ ctx->files = id;
+
+ /* Insert into fd table. */
+ if (ctx->fdTable[fd] != NULL)
+ ctx->fdTable[fd]->fdprev = id;
+ id->fdprev = NULL;
+ id->fdnext = ctx->fdTable[fd];
+ ctx->fdTable[fd] = id;
+
+ /* Turn on the appropriate bits in the {rd,wr,ex}Next fd_set's. */
+ if (eventmask & EV_READ)
+ FD_SET(fd, &ctx->rdNext);
+ if (eventmask & EV_WRITE)
+ FD_SET(fd, &ctx->wrNext);
+ if (eventmask & EV_EXCEPT)
+ FD_SET(fd, &ctx->exNext);
+
+ /* Update fdMax. */
+ if (fd > ctx->fdMax)
+ ctx->fdMax = fd;
+
+ /* Remember the ID if the caller provided us a place for it. */
+ if (opaqueID)
+ opaqueID->opaque = id;
+
+ evPrintf(ctx, 5,
+ "evSelectFD(fd %d, mask 0x%x): new masks: 0x%lx 0x%lx 0x%lx\n",
+ fd, eventmask,
+ (u_long)ctx->rdNext.fds_bits[0],
+ (u_long)ctx->wrNext.fds_bits[0],
+ (u_long)ctx->exNext.fds_bits[0]);
+
+ return (0);
+}
+
+int
+evDeselectFD(evContext opaqueCtx, evFileID opaqueID) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evFile *del = opaqueID.opaque;
+ evFile *cur;
+ int mode, eventmask;
+
+ if (!del) {
+ evPrintf(ctx, 11, "evDeselectFD(NULL) ignored\n");
+ errno = EINVAL;
+ return (-1);
+ }
+
+ evPrintf(ctx, 1, "evDeselectFD(fd %d, mask 0x%x)\n",
+ del->fd, del->eventmask);
+
+ /* Get the mode. Unless the file has been closed, errors are bad. */
+ mode = fcntl(del->fd, F_GETFL, NULL);
+ if (mode == -1 && errno != EBADF)
+ EV_ERR(errno);
+
+ /* Remove from the list of files. */
+ if (del->prev != NULL)
+ del->prev->next = del->next;
+ else
+ ctx->files = del->next;
+ if (del->next != NULL)
+ del->next->prev = del->prev;
+
+ /* Remove from the fd table. */
+ if (del->fdprev != NULL)
+ del->fdprev->fdnext = del->fdnext;
+ else
+ ctx->fdTable[del->fd] = del->fdnext;
+ if (del->fdnext != NULL)
+ del->fdnext->fdprev = del->fdprev;
+
+ /*
+ * If the file descriptor does not appear in any other select() entry,
+ * and if !EV_WASNONBLOCK, and if we got no EBADF when we got the mode
+ * earlier, then: restore the fd to blocking status.
+ */
+ if (!(cur = FindFD(ctx, del->fd, EV_MASK_ALL)) &&
+ !FD_ISSET(del->fd, &ctx->nonblockBefore) &&
+ mode != -1) {
+ /*
+ * Note that we won't return an error status to the caller if
+ * this fcntl() fails since (a) we've already done the work
+ * and (b) the caller didn't ask us anything about O_NONBLOCK.
+ */
+#ifdef USE_FIONBIO_IOCTL
+ int off = 1;
+ (void) ioctl(del->fd, FIONBIO, (char *)&off);
+#else
+ (void) fcntl(del->fd, F_SETFL, mode & ~PORT_NONBLOCK);
+#endif
+ }
+
+ /*
+ * Now find all other uses of this descriptor and OR together an event
+ * mask so that we don't turn off {rd,wr,ex}Next bits that some other
+ * file event is using. As an optimization, stop if the event mask
+ * fills.
+ */
+ eventmask = 0;
+ for ((void)NULL;
+ cur != NULL && eventmask != EV_MASK_ALL;
+ cur = cur->next)
+ if (cur->fd == del->fd)
+ eventmask |= cur->eventmask;
+
+ /* OK, now we know which bits we can clear out. */
+ if (!(eventmask & EV_READ)) {
+ FD_CLR(del->fd, &ctx->rdNext);
+ if (FD_ISSET(del->fd, &ctx->rdLast)) {
+ FD_CLR(del->fd, &ctx->rdLast);
+ ctx->fdCount--;
+ }
+ }
+ if (!(eventmask & EV_WRITE)) {
+ FD_CLR(del->fd, &ctx->wrNext);
+ if (FD_ISSET(del->fd, &ctx->wrLast)) {
+ FD_CLR(del->fd, &ctx->wrLast);
+ ctx->fdCount--;
+ }
+ }
+ if (!(eventmask & EV_EXCEPT)) {
+ FD_CLR(del->fd, &ctx->exNext);
+ if (FD_ISSET(del->fd, &ctx->exLast)) {
+ FD_CLR(del->fd, &ctx->exLast);
+ ctx->fdCount--;
+ }
+ }
+
+ /* If this was the maxFD, find the new one. */
+ if (del->fd == ctx->fdMax) {
+ ctx->fdMax = -1;
+ for (cur = ctx->files; cur; cur = cur->next)
+ if (cur->fd > ctx->fdMax)
+ ctx->fdMax = cur->fd;
+ }
+
+ /* If this was the fdNext, cycle that to the next entry. */
+ if (del == ctx->fdNext)
+ ctx->fdNext = del->next;
+
+ evPrintf(ctx, 5,
+ "evDeselectFD(fd %d, mask 0x%x): new masks: 0x%lx 0x%lx 0x%lx\n",
+ del->fd, eventmask,
+ (u_long)ctx->rdNext.fds_bits[0],
+ (u_long)ctx->wrNext.fds_bits[0],
+ (u_long)ctx->exNext.fds_bits[0]);
+
+ /* Couldn't free it before now since we were using fields out of it. */
+ FREE(del);
+
+ return (0);
+}
+
+static evFile *
+FindFD(const evContext_p *ctx, int fd, int eventmask) {
+ evFile *id;
+
+ for (id = ctx->fdTable[fd]; id != NULL; id = id->fdnext)
+ if (id->fd == fd && (id->eventmask & eventmask) != 0)
+ break;
+ return (id);
+}
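Review bot: evSelectFD checks the upper bound of fd explicitly (`fd > ctx->highestFD`) but rejects a negative fd only as a side effect of the fcntl(F_GETFL) call that follows. Because fd later indexes `ctx->fdTable[fd]` (also inside FindFD, which has no range check of its own) and is passed to FD_SET, the guard is better stated in one place: `if (fd < 0 || fd > ctx->highestFD) EV_ERR(EINVAL);`. A one-line comment above FindFD, `/* Caller must have range-checked fd against ctx->highestFD. */`, would record the precondition that the function relies on.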
diff --git a/contrib/bind9/lib/bind/isc/ev_streams.c b/contrib/bind9/lib/bind/isc/ev_streams.c
new file mode 100644
index 0000000..64e88b0
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ev_streams.c
@@ -0,0 +1,306 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* ev_streams.c - implement asynch stream file IO for the eventlib
+ * vix 04mar96 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: ev_streams.c,v 1.2.206.2 2004/03/17 00:29:51 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+
+#include <isc/eventlib.h>
+#include <isc/assertions.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+static int copyvec(evStream *str, const struct iovec *iov, int iocnt);
+static void consume(evStream *str, size_t bytes);
+static void done(evContext opaqueCtx, evStream *str);
+static void writable(evContext opaqueCtx, void *uap, int fd, int evmask);
+static void readable(evContext opaqueCtx, void *uap, int fd, int evmask);
+
+struct iovec
+evConsIovec(void *buf, size_t cnt) {
+ struct iovec ret;
+
+ memset(&ret, 0xf5, sizeof ret);
+ ret.iov_base = buf;
+ ret.iov_len = cnt;
+ return (ret);
+}
+
+int
+evWrite(evContext opaqueCtx, int fd, const struct iovec *iov, int iocnt,
+ evStreamFunc func, void *uap, evStreamID *id)
+{
+ evContext_p *ctx = opaqueCtx.opaque;
+ evStream *new;
+ int save;
+
+ OKNEW(new);
+ new->func = func;
+ new->uap = uap;
+ new->fd = fd;
+ new->flags = 0;
+ if (evSelectFD(opaqueCtx, fd, EV_WRITE, writable, new, &new->file) < 0)
+ goto free;
+ if (copyvec(new, iov, iocnt) < 0)
+ goto free;
+ new->prevDone = NULL;
+ new->nextDone = NULL;
+ if (ctx->streams != NULL)
+ ctx->streams->prev = new;
+ new->prev = NULL;
+ new->next = ctx->streams;
+ ctx->streams = new;
+ if (id != NULL)
+ id->opaque = new;
+ return (0);
+ free:
+ save = errno;
+ FREE(new);
+ errno = save;
+ return (-1);
+}
+
+int
+evRead(evContext opaqueCtx, int fd, const struct iovec *iov, int iocnt,
+ evStreamFunc func, void *uap, evStreamID *id)
+{
+ evContext_p *ctx = opaqueCtx.opaque;
+ evStream *new;
+ int save;
+
+ OKNEW(new);
+ new->func = func;
+ new->uap = uap;
+ new->fd = fd;
+ new->flags = 0;
+ if (evSelectFD(opaqueCtx, fd, EV_READ, readable, new, &new->file) < 0)
+ goto free;
+ if (copyvec(new, iov, iocnt) < 0)
+ goto free;
+ new->prevDone = NULL;
+ new->nextDone = NULL;
+ if (ctx->streams != NULL)
+ ctx->streams->prev = new;
+ new->prev = NULL;
+ new->next = ctx->streams;
+ ctx->streams = new;
+ if (id)
+ id->opaque = new;
+ return (0);
+ free:
+ save = errno;
+ FREE(new);
+ errno = save;
+ return (-1);
+}
+
+int
+evTimeRW(evContext opaqueCtx, evStreamID id, evTimerID timer) /*ARGSUSED*/ {
+ evStream *str = id.opaque;
+
+ UNUSED(opaqueCtx);
+
+ str->timer = timer;
+ str->flags |= EV_STR_TIMEROK;
+ return (0);
+}
+
+int
+evUntimeRW(evContext opaqueCtx, evStreamID id) /*ARGSUSED*/ {
+ evStream *str = id.opaque;
+
+ UNUSED(opaqueCtx);
+
+ str->flags &= ~EV_STR_TIMEROK;
+ return (0);
+}
+
+int
+evCancelRW(evContext opaqueCtx, evStreamID id) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evStream *old = id.opaque;
+
+ /*
+ * The streams list is doubly threaded. First, there's ctx->streams
+ * that's used by evDestroy() to find and cancel all streams. Second,
+ * there's ctx->strDone (head) and ctx->strLast (tail) which thread
+ * through the potentially smaller number of "IO completed" streams,
+ * used in evGetNext() to avoid scanning the entire list.
+ */
+
+ /* Unlink from ctx->streams. */
+ if (old->prev != NULL)
+ old->prev->next = old->next;
+ else
+ ctx->streams = old->next;
+ if (old->next != NULL)
+ old->next->prev = old->prev;
+
+ /*
+ * If 'old' is on the ctx->strDone list, remove it. Update
+ * ctx->strLast if necessary.
+ */
+ if (old->prevDone == NULL && old->nextDone == NULL) {
+ /*
+ * Either 'old' is the only item on the done list, or it's
+ * not on the done list. If the former, then we unlink it
+ * from the list. If the latter, we leave the list alone.
+ */
+ if (ctx->strDone == old) {
+ ctx->strDone = NULL;
+ ctx->strLast = NULL;
+ }
+ } else {
+ if (old->prevDone != NULL)
+ old->prevDone->nextDone = old->nextDone;
+ else
+ ctx->strDone = old->nextDone;
+ if (old->nextDone != NULL)
+ old->nextDone->prevDone = old->prevDone;
+ else
+ ctx->strLast = old->prevDone;
+ }
+
+ /* Deallocate the stream. */
+ if (old->file.opaque)
+ evDeselectFD(opaqueCtx, old->file);
+ memput(old->iovOrig, sizeof (struct iovec) * old->iovOrigCount);
+ FREE(old);
+ return (0);
+}
+
+/* Copy a scatter/gather vector and initialize a stream handler's IO. */
+static int
+copyvec(evStream *str, const struct iovec *iov, int iocnt) {
+ int i;
+
+ str->iovOrig = (struct iovec *)memget(sizeof(struct iovec) * iocnt);
+ if (str->iovOrig == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ str->ioTotal = 0;
+ for (i = 0; i < iocnt; i++) {
+ str->iovOrig[i] = iov[i];
+ str->ioTotal += iov[i].iov_len;
+ }
+ str->iovOrigCount = iocnt;
+ str->iovCur = str->iovOrig;
+ str->iovCurCount = str->iovOrigCount;
+ str->ioDone = 0;
+ return (0);
+}
+
+/* Pull off or truncate lead iovec(s). */
+static void
+consume(evStream *str, size_t bytes) {
+ while (bytes > 0U) {
+ if (bytes < (size_t)str->iovCur->iov_len) {
+ str->iovCur->iov_len -= bytes;
+ str->iovCur->iov_base = (void *)
+ ((u_char *)str->iovCur->iov_base + bytes);
+ str->ioDone += bytes;
+ bytes = 0;
+ } else {
+ bytes -= str->iovCur->iov_len;
+ str->ioDone += str->iovCur->iov_len;
+ str->iovCur++;
+ str->iovCurCount--;
+ }
+ }
+}
+
+/* Add a stream to Done list and deselect the FD. */
+static void
+done(evContext opaqueCtx, evStream *str) {
+ evContext_p *ctx = opaqueCtx.opaque;
+
+ if (ctx->strLast != NULL) {
+ str->prevDone = ctx->strLast;
+ ctx->strLast->nextDone = str;
+ ctx->strLast = str;
+ } else {
+ INSIST(ctx->strDone == NULL);
+ ctx->strDone = ctx->strLast = str;
+ }
+ evDeselectFD(opaqueCtx, str->file);
+ str->file.opaque = NULL;
+ /* evDrop() will call evCancelRW() on us. */
+}
+
+/* Dribble out some bytes on the stream. (Called by evDispatch().) */
+static void
+writable(evContext opaqueCtx, void *uap, int fd, int evmask) {
+ evStream *str = uap;
+ int bytes;
+
+ UNUSED(evmask);
+
+ bytes = writev(fd, str->iovCur, str->iovCurCount);
+ if (bytes > 0) {
+ if ((str->flags & EV_STR_TIMEROK) != 0)
+ evTouchIdleTimer(opaqueCtx, str->timer);
+ consume(str, bytes);
+ } else {
+ if (bytes < 0 && errno != EINTR) {
+ str->ioDone = -1;
+ str->ioErrno = errno;
+ }
+ }
+ if (str->ioDone == -1 || str->ioDone == str->ioTotal)
+ done(opaqueCtx, str);
+}
+
+/* Scoop up some bytes from the stream. (Called by evDispatch().) */
+static void
+readable(evContext opaqueCtx, void *uap, int fd, int evmask) {
+ evStream *str = uap;
+ int bytes;
+
+ UNUSED(evmask);
+
+ bytes = readv(fd, str->iovCur, str->iovCurCount);
+ if (bytes > 0) {
+ if ((str->flags & EV_STR_TIMEROK) != 0)
+ evTouchIdleTimer(opaqueCtx, str->timer);
+ consume(str, bytes);
+ } else {
+ if (bytes == 0)
+ str->ioDone = 0;
+ else {
+ if (errno != EINTR) {
+ str->ioDone = -1;
+ str->ioErrno = errno;
+ }
+ }
+ }
+ if (str->ioDone <= 0 || str->ioDone == str->ioTotal)
+ done(opaqueCtx, str);
+}
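Review bot: In evWrite and evRead, when copyvec() fails after evSelectFD() has succeeded, the `free:` path releases `new` while the file event registered with `new` as its uap stays in the context. A later writable() or readable() dispatch on that descriptor would then dereference freed memory. The copyvec failure path should deselect the descriptor before freeing, preserving errno, as sketched below for evWrite; evRead needs the same change.

```c
	if (copyvec(new, iov, iocnt) < 0) {
		save = errno;
		(void) evDeselectFD(opaqueCtx, new->file);
		errno = save;
		goto free;
	}
	/* … unchanged: link into ctx->streams, store id, return (0) … */
```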
diff --git a/contrib/bind9/lib/bind/isc/ev_timers.c b/contrib/bind9/lib/bind/isc/ev_timers.c
new file mode 100644
index 0000000..11433fb
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ev_timers.c
@@ -0,0 +1,497 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* ev_timers.c - implement timers for the eventlib
+ * vix 09sep95 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: ev_timers.c,v 1.2.2.1.4.5 2004/03/17 02:39:13 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <errno.h>
+
+#include <isc/assertions.h>
+#include <isc/eventlib.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+/* Constants. */
+
+#define MILLION 1000000
+#define BILLION 1000000000
+
+/* Forward. */
+
+static int due_sooner(void *, void *);
+static void set_index(void *, int);
+static void free_timer(void *, void *);
+static void print_timer(void *, void *);
+static void idle_timeout(evContext, void *, struct timespec, struct timespec);
+
+/* Private type. */
+
+typedef struct {
+ evTimerFunc func;
+ void * uap;
+ struct timespec lastTouched;
+ struct timespec max_idle;
+ evTimer * timer;
+} idle_timer;
+
+/* Public. */
+
+struct timespec
+evConsTime(time_t sec, long nsec) {
+ struct timespec x;
+
+ x.tv_sec = sec;
+ x.tv_nsec = nsec;
+ return (x);
+}
+
+struct timespec
+evAddTime(struct timespec addend1, struct timespec addend2) {
+ struct timespec x;
+
+ x.tv_sec = addend1.tv_sec + addend2.tv_sec;
+ x.tv_nsec = addend1.tv_nsec + addend2.tv_nsec;
+ if (x.tv_nsec >= BILLION) {
+ x.tv_sec++;
+ x.tv_nsec -= BILLION;
+ }
+ return (x);
+}
+
+struct timespec
+evSubTime(struct timespec minuend, struct timespec subtrahend) {
+ struct timespec x;
+
+ x.tv_sec = minuend.tv_sec - subtrahend.tv_sec;
+ if (minuend.tv_nsec >= subtrahend.tv_nsec)
+ x.tv_nsec = minuend.tv_nsec - subtrahend.tv_nsec;
+ else {
+ x.tv_nsec = BILLION - subtrahend.tv_nsec + minuend.tv_nsec;
+ x.tv_sec--;
+ }
+ return (x);
+}
+
+int
+evCmpTime(struct timespec a, struct timespec b) {
+ long x = a.tv_sec - b.tv_sec;
+
+ if (x == 0L)
+ x = a.tv_nsec - b.tv_nsec;
+ return (x < 0L ? (-1) : x > 0L ? (1) : (0));
+}
+
+struct timespec
+evNowTime() {
+ struct timeval now;
+#ifdef CLOCK_REALTIME
+ struct timespec tsnow;
+ int m = CLOCK_REALTIME;
+
+#ifdef CLOCK_MONOTONIC
+ if (__evOptMonoTime)
+ m = CLOCK_MONOTONIC;
+#endif
+ if (clock_gettime(m, &tsnow) == 0)
+ return (tsnow);
+#endif
+ if (gettimeofday(&now, NULL) < 0)
+ return (evConsTime(0, 0));
+ return (evTimeSpec(now));
+}
+
+struct timespec
+evUTCTime() {
+ struct timeval now;
+#ifdef CLOCK_REALTIME
+ struct timespec tsnow;
+ if (clock_gettime(CLOCK_REALTIME, &tsnow) == 0)
+ return (tsnow);
+#endif
+ if (gettimeofday(&now, NULL) < 0)
+ return (evConsTime(0, 0));
+ return (evTimeSpec(now));
+}
+
+struct timespec
+evLastEventTime(evContext opaqueCtx) {
+ evContext_p *ctx = opaqueCtx.opaque;
+
+ return (ctx->lastEventTime);
+}
+
+struct timespec
+evTimeSpec(struct timeval tv) {
+ struct timespec ts;
+
+ ts.tv_sec = tv.tv_sec;
+ ts.tv_nsec = tv.tv_usec * 1000;
+ return (ts);
+}
+
+struct timeval
+evTimeVal(struct timespec ts) {
+ struct timeval tv;
+
+ tv.tv_sec = ts.tv_sec;
+ tv.tv_usec = ts.tv_nsec / 1000;
+ return (tv);
+}
+
+int
+evSetTimer(evContext opaqueCtx,
+ evTimerFunc func,
+ void *uap,
+ struct timespec due,
+ struct timespec inter,
+ evTimerID *opaqueID
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *id;
+
+ evPrintf(ctx, 1,
+"evSetTimer(ctx %p, func %p, uap %p, due %ld.%09ld, inter %ld.%09ld)\n",
+ ctx, func, uap,
+ (long)due.tv_sec, due.tv_nsec,
+ (long)inter.tv_sec, inter.tv_nsec);
+
+#ifdef __hpux
+ /*
+ * tv_sec and tv_nsec are unsigned.
+ */
+ if (due.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+
+ if (inter.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+#else
+ if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+
+ if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+#endif
+
+ /* due={0,0} is a magic cookie meaning "now." */
+ if (due.tv_sec == (time_t)0 && due.tv_nsec == 0L)
+ due = evNowTime();
+
+ /* Allocate and fill. */
+ OKNEW(id);
+ id->func = func;
+ id->uap = uap;
+ id->due = due;
+ id->inter = inter;
+
+ if (heap_insert(ctx->timers, id) < 0)
+ return (-1);
+
+ /* Remember the ID if the caller provided us a place for it. */
+ if (opaqueID)
+ opaqueID->opaque = id;
+
+ if (ctx->debug > 7) {
+ evPrintf(ctx, 7, "timers after evSetTimer:\n");
+ (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
+ }
+
+ return (0);
+}
+
+int
+evClearTimer(evContext opaqueCtx, evTimerID id) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *del = id.opaque;
+
+ if (ctx->cur != NULL &&
+ ctx->cur->type == Timer &&
+ ctx->cur->u.timer.this == del) {
+ evPrintf(ctx, 8, "deferring delete of timer (executing)\n");
+ /*
+ * Setting the interval to zero ensures that evDrop() will
+ * clean up the timer.
+ */
+ del->inter = evConsTime(0, 0);
+ return (0);
+ }
+
+ if (heap_element(ctx->timers, del->index) != del)
+ EV_ERR(ENOENT);
+
+ if (heap_delete(ctx->timers, del->index) < 0)
+ return (-1);
+ FREE(del);
+
+ if (ctx->debug > 7) {
+ evPrintf(ctx, 7, "timers after evClearTimer:\n");
+ (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
+ }
+
+ return (0);
+}
+
+int
+evConfigTimer(evContext opaqueCtx,
+ evTimerID id,
+ const char *param,
+ int value
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *timer = id.opaque;
+ int result=0;
+
+ UNUSED(value);
+
+ if (heap_element(ctx->timers, timer->index) != timer)
+ EV_ERR(ENOENT);
+
+ if (strcmp(param, "rate") == 0)
+ timer->mode |= EV_TMR_RATE;
+ else if (strcmp(param, "interval") == 0)
+ timer->mode &= ~EV_TMR_RATE;
+ else
+ EV_ERR(EINVAL);
+
+ return (result);
+}
+
+int
+evResetTimer(evContext opaqueCtx,
+ evTimerID id,
+ evTimerFunc func,
+ void *uap,
+ struct timespec due,
+ struct timespec inter
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *timer = id.opaque;
+ struct timespec old_due;
+ int result=0;
+
+ if (heap_element(ctx->timers, timer->index) != timer)
+ EV_ERR(ENOENT);
+
+#ifdef __hpux
+ /*
+ * tv_sec and tv_nsec are unsigned.
+ */
+ if (due.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+
+ if (inter.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+#else
+ if (due.tv_sec < 0 || due.tv_nsec < 0 || due.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+
+ if (inter.tv_sec < 0 || inter.tv_nsec < 0 || inter.tv_nsec >= BILLION)
+ EV_ERR(EINVAL);
+#endif
+
+ old_due = timer->due;
+
+ timer->func = func;
+ timer->uap = uap;
+ timer->due = due;
+ timer->inter = inter;
+
+ switch (evCmpTime(due, old_due)) {
+ case -1:
+ result = heap_increased(ctx->timers, timer->index);
+ break;
+ case 0:
+ result = 0;
+ break;
+ case 1:
+ result = heap_decreased(ctx->timers, timer->index);
+ break;
+ }
+
+ if (ctx->debug > 7) {
+ evPrintf(ctx, 7, "timers after evResetTimer:\n");
+ (void) heap_for_each(ctx->timers, print_timer, (void *)ctx);
+ }
+
+ return (result);
+}
+
+int
+evSetIdleTimer(evContext opaqueCtx,
+ evTimerFunc func,
+ void *uap,
+ struct timespec max_idle,
+ evTimerID *opaqueID
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ idle_timer *tt;
+
+ /* Allocate and fill. */
+ OKNEW(tt);
+ tt->func = func;
+ tt->uap = uap;
+ tt->lastTouched = ctx->lastEventTime;
+ tt->max_idle = max_idle;
+
+ if (evSetTimer(opaqueCtx, idle_timeout, tt,
+ evAddTime(ctx->lastEventTime, max_idle),
+ max_idle, opaqueID) < 0) {
+ FREE(tt);
+ return (-1);
+ }
+
+ tt->timer = opaqueID->opaque;
+
+ return (0);
+}
+
+int
+evClearIdleTimer(evContext opaqueCtx, evTimerID id) {
+ evTimer *del = id.opaque;
+ idle_timer *tt = del->uap;
+
+ FREE(tt);
+ return (evClearTimer(opaqueCtx, id));
+}
+
+int
+evResetIdleTimer(evContext opaqueCtx,
+ evTimerID opaqueID,
+ evTimerFunc func,
+ void *uap,
+ struct timespec max_idle
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *timer = opaqueID.opaque;
+ idle_timer *tt = timer->uap;
+
+ tt->func = func;
+ tt->uap = uap;
+ tt->lastTouched = ctx->lastEventTime;
+ tt->max_idle = max_idle;
+
+ return (evResetTimer(opaqueCtx, opaqueID, idle_timeout, tt,
+ evAddTime(ctx->lastEventTime, max_idle),
+ max_idle));
+}
+
+int
+evTouchIdleTimer(evContext opaqueCtx, evTimerID id) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evTimer *t = id.opaque;
+ idle_timer *tt = t->uap;
+
+ tt->lastTouched = ctx->lastEventTime;
+
+ return (0);
+}
+
+/* Public to the rest of eventlib. */
+
+heap_context
+evCreateTimers(const evContext_p *ctx) {
+
+ UNUSED(ctx);
+
+ return (heap_new(due_sooner, set_index, 2048));
+}
+
+void
+evDestroyTimers(const evContext_p *ctx) {
+ (void) heap_for_each(ctx->timers, free_timer, NULL);
+ (void) heap_free(ctx->timers);
+}
+
+/* Private. */
+
+static int
+due_sooner(void *a, void *b) {
+ evTimer *a_timer, *b_timer;
+
+ a_timer = a;
+ b_timer = b;
+ return (evCmpTime(a_timer->due, b_timer->due) < 0);
+}
+
+static void
+set_index(void *what, int index) {
+ evTimer *timer;
+
+ timer = what;
+ timer->index = index;
+}
+
+static void
+free_timer(void *what, void *uap) {
+ evTimer *t = what;
+
+ UNUSED(uap);
+
+ FREE(t);
+}
+
+static void
+print_timer(void *what, void *uap) {
+ evTimer *cur = what;
+ evContext_p *ctx = uap;
+
+ cur = what;
+ evPrintf(ctx, 7,
+ " func %p, uap %p, due %ld.%09ld, inter %ld.%09ld\n",
+ cur->func, cur->uap,
+ (long)cur->due.tv_sec, cur->due.tv_nsec,
+ (long)cur->inter.tv_sec, cur->inter.tv_nsec);
+}
+
+static void
+idle_timeout(evContext opaqueCtx,
+ void *uap,
+ struct timespec due,
+ struct timespec inter
+) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ idle_timer *this = uap;
+ struct timespec idle;
+
+ UNUSED(due);
+ UNUSED(inter);
+
+ idle = evSubTime(ctx->lastEventTime, this->lastTouched);
+ if (evCmpTime(idle, this->max_idle) >= 0) {
+ (this->func)(opaqueCtx, this->uap, this->timer->due,
+ this->max_idle);
+ /*
+ * Setting the interval to zero will cause the timer to
+ * be cleaned up in evDrop().
+ */
+ this->timer->inter = evConsTime(0, 0);
+ FREE(this);
+ } else {
+ /* evDrop() will reschedule the timer. */
+ this->timer->inter = evSubTime(this->max_idle, idle);
+ }
+}
diff --git a/contrib/bind9/lib/bind/isc/ev_waits.c b/contrib/bind9/lib/bind/isc/ev_waits.c
new file mode 100644
index 0000000..f30280d
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/ev_waits.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* ev_waits.c - implement deferred function calls for the eventlib
+ * vix 05dec95 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: ev_waits.c,v 1.1.2.1.4.1 2004/03/09 08:33:43 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <errno.h>
+
+#include <isc/eventlib.h>
+#include <isc/assertions.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+/* Forward. */
+
+static void print_waits(evContext_p *ctx);
+static evWaitList * evNewWaitList(evContext_p *);
+static void evFreeWaitList(evContext_p *, evWaitList *);
+static evWaitList * evGetWaitList(evContext_p *, const void *, int);
+
+
+/* Public. */
+
+/*
+ * Enter a new wait function on the queue.
+ */
+int
+evWaitFor(evContext opaqueCtx, const void *tag,
+ evWaitFunc func, void *uap, evWaitID *id)
+{
+ evContext_p *ctx = opaqueCtx.opaque;
+ evWait *new;
+ evWaitList *wl = evGetWaitList(ctx, tag, 1);
+
+ OKNEW(new);
+ new->func = func;
+ new->uap = uap;
+ new->tag = tag;
+ new->next = NULL;
+ if (wl->last != NULL)
+ wl->last->next = new;
+ else
+ wl->first = new;
+ wl->last = new;
+ if (id != NULL)
+ id->opaque = new;
+ if (ctx->debug >= 9)
+ print_waits(ctx);
+ return (0);
+}
+
+/*
+ * Mark runnable all waiting functions having a certain tag.
+ */
+int
+evDo(evContext opaqueCtx, const void *tag) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evWaitList *wl = evGetWaitList(ctx, tag, 0);
+ evWait *first;
+
+ if (!wl) {
+ errno = ENOENT;
+ return (-1);
+ }
+
+ first = wl->first;
+ INSIST(first != NULL);
+
+ if (ctx->waitDone.last != NULL)
+ ctx->waitDone.last->next = first;
+ else
+ ctx->waitDone.first = first;
+ ctx->waitDone.last = wl->last;
+ evFreeWaitList(ctx, wl);
+
+ return (0);
+}
+
+/*
+ * Remove a waiting (or ready to run) function from the queue.
+ */
+int
+evUnwait(evContext opaqueCtx, evWaitID id) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evWait *this, *prev;
+ evWaitList *wl;
+ int found = 0;
+
+ this = id.opaque;
+ INSIST(this != NULL);
+ wl = evGetWaitList(ctx, this->tag, 0);
+ if (wl != NULL) {
+ for (prev = NULL, this = wl->first;
+ this != NULL;
+ prev = this, this = this->next)
+ if (this == (evWait *)id.opaque) {
+ found = 1;
+ if (prev != NULL)
+ prev->next = this->next;
+ else
+ wl->first = this->next;
+ if (wl->last == this)
+ wl->last = prev;
+ if (wl->first == NULL)
+ evFreeWaitList(ctx, wl);
+ break;
+ }
+ }
+
+ if (!found) {
+ /* Maybe it's done */
+ for (prev = NULL, this = ctx->waitDone.first;
+ this != NULL;
+ prev = this, this = this->next)
+ if (this == (evWait *)id.opaque) {
+ found = 1;
+ if (prev != NULL)
+ prev->next = this->next;
+ else
+ ctx->waitDone.first = this->next;
+ if (ctx->waitDone.last == this)
+ ctx->waitDone.last = prev;
+ break;
+ }
+ }
+
+ if (!found) {
+ errno = ENOENT;
+ return (-1);
+ }
+
+ FREE(this);
+
+ if (ctx->debug >= 9)
+ print_waits(ctx);
+
+ return (0);
+}
+
+int
+evDefer(evContext opaqueCtx, evWaitFunc func, void *uap) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evWait *new;
+
+ OKNEW(new);
+ new->func = func;
+ new->uap = uap;
+ new->tag = NULL;
+ new->next = NULL;
+ if (ctx->waitDone.last != NULL)
+ ctx->waitDone.last->next = new;
+ else
+ ctx->waitDone.first = new;
+ ctx->waitDone.last = new;
+ if (ctx->debug >= 9)
+ print_waits(ctx);
+ return (0);
+}
+
+/* Private. */
+
+static void
+print_waits(evContext_p *ctx) {
+ evWaitList *wl;
+ evWait *this;
+
+ evPrintf(ctx, 9, "wait waiting:\n");
+ for (wl = ctx->waitLists; wl != NULL; wl = wl->next) {
+ INSIST(wl->first != NULL);
+ evPrintf(ctx, 9, " tag %p:", wl->first->tag);
+ for (this = wl->first; this != NULL; this = this->next)
+ evPrintf(ctx, 9, " %p", this);
+ evPrintf(ctx, 9, "\n");
+ }
+ evPrintf(ctx, 9, "wait done:");
+ for (this = ctx->waitDone.first; this != NULL; this = this->next)
+ evPrintf(ctx, 9, " %p", this);
+ evPrintf(ctx, 9, "\n");
+}
+
+static evWaitList *
+evNewWaitList(evContext_p *ctx) {
+ evWaitList *new;
+
+ NEW(new);
+ if (new == NULL)
+ return (NULL);
+ new->first = new->last = NULL;
+ new->prev = NULL;
+ new->next = ctx->waitLists;
+ if (new->next != NULL)
+ new->next->prev = new;
+ ctx->waitLists = new;
+ return (new);
+}
+
+static void
+evFreeWaitList(evContext_p *ctx, evWaitList *this) {
+
+ INSIST(this != NULL);
+
+ if (this->prev != NULL)
+ this->prev->next = this->next;
+ else
+ ctx->waitLists = this->next;
+ if (this->next != NULL)
+ this->next->prev = this->prev;
+ FREE(this);
+}
+
+static evWaitList *
+evGetWaitList(evContext_p *ctx, const void *tag, int should_create) {
+ evWaitList *this;
+
+ for (this = ctx->waitLists; this != NULL; this = this->next) {
+ if (this->first != NULL && this->first->tag == tag)
+ break;
+ }
+ if (this == NULL && should_create)
+ this = evNewWaitList(ctx);
+ return (this);
+}
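Review bot: In evWaitFor, the result of `evGetWaitList(ctx, tag, 1)` is dereferenced at `wl->last` without a NULL check, although evNewWaitList returns NULL when its allocation fails and evGetWaitList passes that value straight back. A guard right after the declarations, `if (wl == NULL) { errno = ENOMEM; return (-1); }`, keeps an out-of-memory condition from becoming a NULL dereference inside the event loop. Separately, `OKNEW(new)` runs after a fresh list may already have been linked into `ctx->waitLists`. If that macro returns early on failure (its definition is in eventlib_p.h, not shown here), an empty list stays linked and print_waits would trip its `INSIST(wl->first != NULL)` at debug level 9. Allocating `new` before fetching the list, or unlinking the empty list on failure, would avoid that.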
diff --git a/contrib/bind9/lib/bind/isc/eventlib.c b/contrib/bind9/lib/bind/isc/eventlib.c
new file mode 100644
index 0000000..527fec1
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/eventlib.c
@@ -0,0 +1,728 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* eventlib.c - implement glue for the eventlib
+ * vix 09sep95 [initial]
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: eventlib.c,v 1.2.2.1.4.2 2004/03/17 01:49:41 marka Exp $";
+#endif
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/eventlib.h>
+#include <isc/assertions.h>
+#include "eventlib_p.h"
+
+#include "port_after.h"
+
+/* Forward. */
+
+#ifdef NEED_PSELECT
+static int pselect(int, void *, void *, void *,
+ struct timespec *,
+ const sigset_t *);
+#endif
+
+/* Public. */
+
+int
+evCreate(evContext *opaqueCtx) {
+ evContext_p *ctx;
+
+ /* Make sure the memory heap is initialized. */
+ if (meminit(0, 0) < 0 && errno != EEXIST)
+ return (-1);
+
+ OKNEW(ctx);
+
+ /* Global. */
+ ctx->cur = NULL;
+
+ /* Debugging. */
+ ctx->debug = 0;
+ ctx->output = NULL;
+
+ /* Connections. */
+ ctx->conns = NULL;
+ INIT_LIST(ctx->accepts);
+
+ /* Files. */
+ ctx->files = NULL;
+ FD_ZERO(&ctx->rdNext);
+ FD_ZERO(&ctx->wrNext);
+ FD_ZERO(&ctx->exNext);
+ FD_ZERO(&ctx->nonblockBefore);
+ ctx->fdMax = -1;
+ ctx->fdNext = NULL;
+ ctx->fdCount = 0; /* Invalidate {rd,wr,ex}Last. */
+ ctx->highestFD = FD_SETSIZE - 1;
+#ifdef EVENTLIB_TIME_CHECKS
+ ctx->lastFdCount = 0;
+#endif
+ memset(ctx->fdTable, 0, sizeof ctx->fdTable);
+
+ /* Streams. */
+ ctx->streams = NULL;
+ ctx->strDone = NULL;
+ ctx->strLast = NULL;
+
+ /* Timers. */
+ ctx->lastEventTime = evNowTime();
+#ifdef EVENTLIB_TIME_CHECKS
+ ctx->lastSelectTime = ctx->lastEventTime;
+#endif
+ ctx->timers = evCreateTimers(ctx);
+ if (ctx->timers == NULL)
+ return (-1);
+
+ /* Waits. */
+ ctx->waitLists = NULL;
+ ctx->waitDone.first = ctx->waitDone.last = NULL;
+ ctx->waitDone.prev = ctx->waitDone.next = NULL;
+
+ opaqueCtx->opaque = ctx;
+ return (0);
+}
+
+void
+evSetDebug(evContext opaqueCtx, int level, FILE *output) {
+ evContext_p *ctx = opaqueCtx.opaque;
+
+ ctx->debug = level;
+ ctx->output = output;
+}
+
+int
+evDestroy(evContext opaqueCtx) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ int revs = 424242; /* Doug Adams. */
+ evWaitList *this_wl, *next_wl;
+ evWait *this_wait, *next_wait;
+
+ /* Connections. */
+ while (revs-- > 0 && ctx->conns != NULL) {
+ evConnID id;
+
+ id.opaque = ctx->conns;
+ (void) evCancelConn(opaqueCtx, id);
+ }
+ INSIST(revs >= 0);
+
+ /* Streams. */
+ while (revs-- > 0 && ctx->streams != NULL) {
+ evStreamID id;
+
+ id.opaque = ctx->streams;
+ (void) evCancelRW(opaqueCtx, id);
+ }
+
+ /* Files. */
+ while (revs-- > 0 && ctx->files != NULL) {
+ evFileID id;
+
+ id.opaque = ctx->files;
+ (void) evDeselectFD(opaqueCtx, id);
+ }
+ INSIST(revs >= 0);
+
+ /* Timers. */
+ evDestroyTimers(ctx);
+
+ /* Waits. */
+ for (this_wl = ctx->waitLists;
+ revs-- > 0 && this_wl != NULL;
+ this_wl = next_wl) {
+ next_wl = this_wl->next;
+ for (this_wait = this_wl->first;
+ revs-- > 0 && this_wait != NULL;
+ this_wait = next_wait) {
+ next_wait = this_wait->next;
+ FREE(this_wait);
+ }
+ FREE(this_wl);
+ }
+ for (this_wait = ctx->waitDone.first;
+ revs-- > 0 && this_wait != NULL;
+ this_wait = next_wait) {
+ next_wait = this_wait->next;
+ FREE(this_wait);
+ }
+
+ FREE(ctx);
+ return (0);
+}
+
+int
+evGetNext(evContext opaqueCtx, evEvent *opaqueEv, int options) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ struct timespec nextTime;
+ evTimer *nextTimer;
+ evEvent_p *new;
+ int x, pselect_errno, timerPast;
+#ifdef EVENTLIB_TIME_CHECKS
+ struct timespec interval;
+#endif
+
+ /* Ensure that exactly one of EV_POLL or EV_WAIT was specified. */
+ x = ((options & EV_POLL) != 0) + ((options & EV_WAIT) != 0);
+ if (x != 1)
+ EV_ERR(EINVAL);
+
+ /* Get the time of day. We'll do this again after select() blocks. */
+ ctx->lastEventTime = evNowTime();
+
+ again:
+ /* Finished accept()'s do not require a select(). */
+ if (!EMPTY(ctx->accepts)) {
+ OKNEW(new);
+ new->type = Accept;
+ new->u.accept.this = HEAD(ctx->accepts);
+ UNLINK(ctx->accepts, HEAD(ctx->accepts), link);
+ opaqueEv->opaque = new;
+ return (0);
+ }
+
+ /* Stream IO does not require a select(). */
+ if (ctx->strDone != NULL) {
+ OKNEW(new);
+ new->type = Stream;
+ new->u.stream.this = ctx->strDone;
+ ctx->strDone = ctx->strDone->nextDone;
+ if (ctx->strDone == NULL)
+ ctx->strLast = NULL;
+ opaqueEv->opaque = new;
+ return (0);
+ }
+
+ /* Waits do not require a select(). */
+ if (ctx->waitDone.first != NULL) {
+ OKNEW(new);
+ new->type = Wait;
+ new->u.wait.this = ctx->waitDone.first;
+ ctx->waitDone.first = ctx->waitDone.first->next;
+ if (ctx->waitDone.first == NULL)
+ ctx->waitDone.last = NULL;
+ opaqueEv->opaque = new;
+ return (0);
+ }
+
+ /* Get the status and content of the next timer. */
+ if ((nextTimer = heap_element(ctx->timers, 1)) != NULL) {
+ nextTime = nextTimer->due;
+ timerPast = (evCmpTime(nextTime, ctx->lastEventTime) <= 0);
+ } else
+ timerPast = 0; /* Make gcc happy. */
+
+ evPrintf(ctx, 9, "evGetNext: fdCount %d\n", ctx->fdCount);
+ if (ctx->fdCount == 0) {
+ static const struct timespec NoTime = {0, 0L};
+ enum { JustPoll, Block, Timer } m;
+ struct timespec t, *tp;
+
+ /* Are there any events at all? */
+ if ((options & EV_WAIT) != 0 && !nextTimer && ctx->fdMax == -1)
+ EV_ERR(ENOENT);
+
+ /* Figure out what select()'s timeout parameter should be. */
+ if ((options & EV_POLL) != 0) {
+ m = JustPoll;
+ t = NoTime;
+ tp = &t;
+ } else if (nextTimer == NULL) {
+ m = Block;
+ /* ``t'' unused. */
+ tp = NULL;
+ } else if (timerPast) {
+ m = JustPoll;
+ t = NoTime;
+ tp = &t;
+ } else {
+ m = Timer;
+ /* ``t'' filled in later. */
+ tp = &t;
+ }
+#ifdef EVENTLIB_TIME_CHECKS
+ if (ctx->debug > 0) {
+ interval = evSubTime(ctx->lastEventTime,
+ ctx->lastSelectTime);
+ if (interval.tv_sec > 0 || interval.tv_nsec > 0)
+ evPrintf(ctx, 1,
+ "time between pselect() %u.%09u count %d\n",
+ interval.tv_sec, interval.tv_nsec,
+ ctx->lastFdCount);
+ }
+#endif
+ do {
+ /* XXX need to copy only the bits we are using. */
+ ctx->rdLast = ctx->rdNext;
+ ctx->wrLast = ctx->wrNext;
+ ctx->exLast = ctx->exNext;
+
+ if (m == Timer) {
+ INSIST(tp == &t);
+ t = evSubTime(nextTime, ctx->lastEventTime);
+ }
+
+ evPrintf(ctx, 4,
+ "pselect(%d, 0x%lx, 0x%lx, 0x%lx, %ld.%09ld)\n",
+ ctx->fdMax+1,
+ (u_long)ctx->rdLast.fds_bits[0],
+ (u_long)ctx->wrLast.fds_bits[0],
+ (u_long)ctx->exLast.fds_bits[0],
+ tp ? (long)tp->tv_sec : -1L,
+ tp ? tp->tv_nsec : -1);
+
+ /* XXX should predict system's earliness and adjust. */
+ x = pselect(ctx->fdMax+1,
+ &ctx->rdLast, &ctx->wrLast, &ctx->exLast,
+ tp, NULL);
+ pselect_errno = errno;
+
+ evPrintf(ctx, 4, "select() returns %d (err: %s)\n",
+ x, (x == -1) ? strerror(errno) : "none");
+
+ /* Anything but a poll can change the time. */
+ if (m != JustPoll)
+ ctx->lastEventTime = evNowTime();
+
+ /* Select() likes to finish about 10ms early. */
+ } while (x == 0 && m == Timer &&
+ evCmpTime(ctx->lastEventTime, nextTime) < 0);
+#ifdef EVENTLIB_TIME_CHECKS
+ ctx->lastSelectTime = ctx->lastEventTime;
+#endif
+ if (x < 0) {
+ if (pselect_errno == EINTR) {
+ if ((options & EV_NULL) != 0)
+ goto again;
+ OKNEW(new);
+ new->type = Null;
+ /* No data. */
+ opaqueEv->opaque = new;
+ return (0);
+ }
+ if (pselect_errno == EBADF) {
+ for (x = 0; x <= ctx->fdMax; x++) {
+ struct stat sb;
+
+ if (FD_ISSET(x, &ctx->rdNext) == 0 &&
+ FD_ISSET(x, &ctx->wrNext) == 0 &&
+ FD_ISSET(x, &ctx->exNext) == 0)
+ continue;
+ if (fstat(x, &sb) == -1 &&
+ errno == EBADF)
+ evPrintf(ctx, 1, "EBADF: %d\n",
+ x);
+ }
+ abort();
+ }
+ EV_ERR(pselect_errno);
+ }
+ if (x == 0 && (nextTimer == NULL || !timerPast) &&
+ (options & EV_POLL))
+ EV_ERR(EWOULDBLOCK);
+ ctx->fdCount = x;
+#ifdef EVENTLIB_TIME_CHECKS
+ ctx->lastFdCount = x;
+#endif
+ }
+ INSIST(nextTimer || ctx->fdCount);
+
+ /* Timers go first since we'd like them to be accurate. */
+ if (nextTimer && !timerPast) {
+ /* Has anything happened since we blocked? */
+ timerPast = (evCmpTime(nextTime, ctx->lastEventTime) <= 0);
+ }
+ if (nextTimer && timerPast) {
+ OKNEW(new);
+ new->type = Timer;
+ new->u.timer.this = nextTimer;
+ opaqueEv->opaque = new;
+ return (0);
+ }
+
+ /* No timers, so there should be a ready file descriptor. */
+ x = 0;
+ while (ctx->fdCount > 0) {
+ evFile *fid;
+ int fd, eventmask;
+
+ if (ctx->fdNext == NULL) {
+ if (++x == 2) {
+ /*
+ * Hitting the end twice means that the last
+ * select() found some FD's which have since
+ * been deselected.
+ *
+ * On some systems, the count returned by
+ * selects is the total number of bits in
+ * all masks that are set, and on others it's
+ * the number of fd's that have some bit set,
+ * and on others, it's just broken. We
+ * always assume that it's the number of
+ * bits set in all masks, because that's what
+ * the man page says it should do, and
+ * the worst that can happen is we do an
+ * extra select().
+ */
+ ctx->fdCount = 0;
+ break;
+ }
+ ctx->fdNext = ctx->files;
+ }
+ fid = ctx->fdNext;
+ ctx->fdNext = fid->next;
+
+ fd = fid->fd;
+ eventmask = 0;
+ if (FD_ISSET(fd, &ctx->rdLast))
+ eventmask |= EV_READ;
+ if (FD_ISSET(fd, &ctx->wrLast))
+ eventmask |= EV_WRITE;
+ if (FD_ISSET(fd, &ctx->exLast))
+ eventmask |= EV_EXCEPT;
+ eventmask &= fid->eventmask;
+ if (eventmask != 0) {
+ if ((eventmask & EV_READ) != 0) {
+ FD_CLR(fd, &ctx->rdLast);
+ ctx->fdCount--;
+ }
+ if ((eventmask & EV_WRITE) != 0) {
+ FD_CLR(fd, &ctx->wrLast);
+ ctx->fdCount--;
+ }
+ if ((eventmask & EV_EXCEPT) != 0) {
+ FD_CLR(fd, &ctx->exLast);
+ ctx->fdCount--;
+ }
+ OKNEW(new);
+ new->type = File;
+ new->u.file.this = fid;
+ new->u.file.eventmask = eventmask;
+ opaqueEv->opaque = new;
+ return (0);
+ }
+ }
+ if (ctx->fdCount < 0) {
+ /*
+ * select()'s count is off on a number of systems, and
+ * can result in fdCount < 0.
+ */
+ evPrintf(ctx, 4, "fdCount < 0 (%d)\n", ctx->fdCount);
+ ctx->fdCount = 0;
+ }
+
+ /* We get here if the caller deselect()'s an FD. Gag me with a goto. */
+ goto again;
+}
+
+int
+evDispatch(evContext opaqueCtx, evEvent opaqueEv) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evEvent_p *ev = opaqueEv.opaque;
+#ifdef EVENTLIB_TIME_CHECKS
+ void *func;
+ struct timespec start_time;
+ struct timespec interval;
+#endif
+
+#ifdef EVENTLIB_TIME_CHECKS
+ if (ctx->debug > 0)
+ start_time = evNowTime();
+#endif
+ ctx->cur = ev;
+ switch (ev->type) {
+ case Accept: {
+ evAccept *this = ev->u.accept.this;
+
+ evPrintf(ctx, 5,
+ "Dispatch.Accept: fd %d -> %d, func %p, uap %p\n",
+ this->conn->fd, this->fd,
+ this->conn->func, this->conn->uap);
+ errno = this->ioErrno;
+ (this->conn->func)(opaqueCtx, this->conn->uap, this->fd,
+ &this->la, this->lalen,
+ &this->ra, this->ralen);
+#ifdef EVENTLIB_TIME_CHECKS
+ func = this->conn->func;
+#endif
+ break;
+ }
+ case File: {
+ evFile *this = ev->u.file.this;
+ int eventmask = ev->u.file.eventmask;
+
+ evPrintf(ctx, 5,
+ "Dispatch.File: fd %d, mask 0x%x, func %p, uap %p\n",
+ this->fd, this->eventmask, this->func, this->uap);
+ (this->func)(opaqueCtx, this->uap, this->fd, eventmask);
+#ifdef EVENTLIB_TIME_CHECKS
+ func = this->func;
+#endif
+ break;
+ }
+ case Stream: {
+ evStream *this = ev->u.stream.this;
+
+ evPrintf(ctx, 5,
+ "Dispatch.Stream: fd %d, func %p, uap %p\n",
+ this->fd, this->func, this->uap);
+ errno = this->ioErrno;
+ (this->func)(opaqueCtx, this->uap, this->fd, this->ioDone);
+#ifdef EVENTLIB_TIME_CHECKS
+ func = this->func;
+#endif
+ break;
+ }
+ case Timer: {
+ evTimer *this = ev->u.timer.this;
+
+ evPrintf(ctx, 5, "Dispatch.Timer: func %p, uap %p\n",
+ this->func, this->uap);
+ (this->func)(opaqueCtx, this->uap, this->due, this->inter);
+#ifdef EVENTLIB_TIME_CHECKS
+ func = this->func;
+#endif
+ break;
+ }
+ case Wait: {
+ evWait *this = ev->u.wait.this;
+
+ evPrintf(ctx, 5,
+ "Dispatch.Wait: tag %p, func %p, uap %p\n",
+ this->tag, this->func, this->uap);
+ (this->func)(opaqueCtx, this->uap, this->tag);
+#ifdef EVENTLIB_TIME_CHECKS
+ func = this->func;
+#endif
+ break;
+ }
+ case Null: {
+ /* No work. */
+#ifdef EVENTLIB_TIME_CHECKS
+ func = NULL;
+#endif
+ break;
+ }
+ default: {
+ abort();
+ }
+ }
+#ifdef EVENTLIB_TIME_CHECKS
+ if (ctx->debug > 0) {
+ interval = evSubTime(evNowTime(), start_time);
+ /*
+ * Complain if it took longer than 50 milliseconds.
+ *
+ * We call getuid() to make an easy to find mark in a kernel
+ * trace.
+ */
+ if (interval.tv_sec > 0 || interval.tv_nsec > 50000000)
+ evPrintf(ctx, 1,
+ "dispatch interval %u.%09u uid %d type %d func %p\n",
+ interval.tv_sec, interval.tv_nsec,
+ getuid(), ev->type, func);
+ }
+#endif
+ ctx->cur = NULL;
+ evDrop(opaqueCtx, opaqueEv);
+ return (0);
+}
+
+void
+evDrop(evContext opaqueCtx, evEvent opaqueEv) {
+ evContext_p *ctx = opaqueCtx.opaque;
+ evEvent_p *ev = opaqueEv.opaque;
+
+ switch (ev->type) {
+ case Accept: {
+ FREE(ev->u.accept.this);
+ break;
+ }
+ case File: {
+ /* No work. */
+ break;
+ }
+ case Stream: {
+ evStreamID id;
+
+ id.opaque = ev->u.stream.this;
+ (void) evCancelRW(opaqueCtx, id);
+ break;
+ }
+ case Timer: {
+ evTimer *this = ev->u.timer.this;
+ evTimerID opaque;
+
+ /* Check to see whether the user func cleared the timer. */
+ if (heap_element(ctx->timers, this->index) != this) {
+ evPrintf(ctx, 5, "Dispatch.Timer: timer rm'd?\n");
+ break;
+ }
+ /*
+ * Timer is still there. Delete it if it has expired,
+ * otherwise set it according to its next interval.
+ */
+ if (this->inter.tv_sec == (time_t)0 &&
+ this->inter.tv_nsec == 0L) {
+ opaque.opaque = this;
+ (void) evClearTimer(opaqueCtx, opaque);
+ } else {
+ opaque.opaque = this;
+ (void) evResetTimer(opaqueCtx, opaque, this->func,
+ this->uap,
+ evAddTime((this->mode & EV_TMR_RATE) ?
+ this->due :
+ ctx->lastEventTime,
+ this->inter),
+ this->inter);
+ }
+ break;
+ }
+ case Wait: {
+ FREE(ev->u.wait.this);
+ break;
+ }
+ case Null: {
+ /* No work. */
+ break;
+ }
+ default: {
+ abort();
+ }
+ }
+ FREE(ev);
+}
+
+int
+evMainLoop(evContext opaqueCtx) {
+ evEvent event;
+ int x;
+
+ while ((x = evGetNext(opaqueCtx, &event, EV_WAIT)) == 0)
+ if ((x = evDispatch(opaqueCtx, event)) < 0)
+ break;
+ return (x);
+}
+
+int
+evHighestFD(evContext opaqueCtx) {
+ evContext_p *ctx = opaqueCtx.opaque;
+
+ return (ctx->highestFD);
+}
+
+void
+evPrintf(const evContext_p *ctx, int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ if (ctx->output != NULL && ctx->debug >= level) {
+ vfprintf(ctx->output, fmt, ap);
+ fflush(ctx->output);
+ }
+ va_end(ap);
+}
+
+int
+evSetOption(evContext *opaqueCtx, const char *option, int value) {
+ /* evContext_p *ctx = opaqueCtx->opaque; */
+
+ UNUSED(opaqueCtx);
+ UNUSED(value);
+#ifndef CLOCK_MONOTONIC
+ UNUSED(option);
+#endif
+
+#ifdef CLOCK_MONOTONIC
+ if (strcmp(option, "monotime") == 0) {
+ if (opaqueCtx != NULL)
+ errno = EINVAL;
+ if (value == 0 || value == 1) {
+ __evOptMonoTime = value;
+ return (0);
+ } else {
+ errno = EINVAL;
+ return (-1);
+ }
+ }
+#endif
+ errno = ENOENT;
+ return (-1);
+}
+
+int
+evGetOption(evContext *opaqueCtx, const char *option, int *value) {
+ /* evContext_p *ctx = opaqueCtx->opaque; */
+
+ UNUSED(opaqueCtx);
+#ifndef CLOCK_MONOTONIC
+ UNUSED(value);
+ UNUSED(option);
+#endif
+
+#ifdef CLOCK_MONOTONIC
+ if (strcmp(option, "monotime") == 0) {
+ if (opaqueCtx != NULL)
+ errno = EINVAL;
+ *value = __evOptMonoTime;
+ return (0);
+ }
+#endif
+ errno = ENOENT;
+ return (-1);
+}
+
+#ifdef NEED_PSELECT
+/* XXX needs to move to the porting library. */
+static int
+pselect(int nfds, void *rfds, void *wfds, void *efds,
+ struct timespec *tsp,
+ const sigset_t *sigmask)
+{
+ struct timeval tv, *tvp;
+ sigset_t sigs;
+ int n;
+
+ if (tsp) {
+ tvp = &tv;
+ tv = evTimeVal(*tsp);
+ } else
+ tvp = NULL;
+ if (sigmask)
+ sigprocmask(SIG_SETMASK, sigmask, &sigs);
+ n = select(nfds, rfds, wfds, efds, tvp);
+ if (sigmask)
+ sigprocmask(SIG_SETMASK, &sigs, NULL);
+ if (tsp)
+ *tsp = evTimeSpec(tv);
+ return (n);
+}
+#endif
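Review bot: In evSetOption and evGetOption, the `if (opaqueCtx != NULL) errno = EINVAL;` branch under "monotime" sets errno but does not return, so the call still writes or reads `__evOptMonoTime` and returns 0 with EINVAL left in errno. If the intent is that this (apparently global) option may only be addressed with a NULL context, make the rejection effective with `if (opaqueCtx != NULL) { errno = EINVAL; return (-1); }`; otherwise remove the branch so callers are not misled by a stale errno. The unconditional `UNUSED(opaqueCtx);` and `UNUSED(value);` at the top of evSetOption are also misleading when CLOCK_MONOTONIC is defined, because both are then used. In evCreate, the `ctx->timers == NULL` path returns -1 without releasing the context allocated by `OKNEW(ctx)`; adding `FREE(ctx);` before that `return (-1);` closes the leak.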
diff --git a/contrib/bind9/lib/bind/isc/eventlib.mdoc b/contrib/bind9/lib/bind/isc/eventlib.mdoc
new file mode 100644
index 0000000..3bf6ffb
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/eventlib.mdoc
@@ -0,0 +1,918 @@
+.\" $Id: eventlib.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1995-1999 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd March 6, 1996
+.Dt EVENTLIB 3
+.Os BSD 4
+.Sh NAME
+.Nm evConnFunc ,
+.Nm evFileFunc ,
+.Nm evStreamFunc ,
+.Nm evTimerFunc ,
+.Nm evWaitFunc ,
+.Nm evCreate ,
+.Nm evDestroy ,
+.Nm evGetNext ,
+.Nm evDispatch ,
+.Nm evDrop ,
+.Nm evMainLoop ,
+.Nm evConsTime ,
+.Nm evTimeSpec ,
+.Nm evTimeVal ,
+.Nm evAddTime ,
+.Nm evSubTime ,
+.Nm evCmpTime ,
+.Nm evNowTime ,
+.Nm evUTCTime ,
+.Nm evLastEventTime ,
+.Nm evSetTimer ,
+.Nm evResetTimer ,
+.Nm evConfigTimer ,
+.Nm evClearTimer ,
+.Nm evSetIdleTimer ,
+.Nm evTouchIdleTimer ,
+.Nm evClearIdleTimer ,
+.Nm evWaitFor ,
+.Nm evDo ,
+.Nm evUnwait ,
+.Nm evDefer ,
+.Nm evSelectFD ,
+.Nm evDeselectFD ,
+.Nm evWrite ,
+.Nm evRead ,
+.Nm evCancelRW ,
+.Nm evTimeRW ,
+.Nm evUntimeRW ,
+.Nm evListen ,
+.Nm evConnect ,
+.Nm evCancelConn ,
+.Nm evHold ,
+.Nm evUnhold ,
+.Nm evTryAccept ,
+.Nm evConsIovec ,
+.Nm evSetDebug ,
+.Nm evPrintf ,
+.Nm evInitID ,
+.Nm evTestID ,
+.Nm evGetOption ,
+.Nm evSetOption
+.Nd event handling library
+.Sh SYNOPSIS
+.Fd #include <isc/eventlib.h>
+.Ft typedef void
+.Fn \*(lp*evConnFunc\*(rp "evContext ctx" "void *uap" "int fd" \
+"const void *la" "int lalen" "const void *ra" "int ralen"
+.Ft typedef void
+.Fn \*(lp*evTimerFunc\*(rp "evContext ctx" "void *uap" \
+"struct timespec due" "struct timespec inter"
+.Ft typedef void
+.Fn \*(lp*evFileFunc\*(rp "evContext ctx" "void *uap" "int fd" "int eventmask"
+.Ft typedef void
+.Fn \*(lp*evStreamFunc\*(rp "evContext ctx" "void *uap" "int fd" "int bytes"
+.Ft typedef void
+.Fn \*(lp*evWaitFunc\*(rp "evContext ctx" "void *uap" "const void *tag"
+.Ft int
+.Fn evCreate "evContext *ctx"
+.Ft int
+.Fn evDestroy "evContext ctx"
+.Ft int
+.Fn evGetNext "evContext ctx" "evEvent *ev" "int options"
+.Ft int
+.Fn evDispatch "evContext ctx" "evEvent ev"
+.Ft void
+.Fn evDrop "evContext ctx" "evEvent ev"
+.Ft int
+.Fn evMainLoop "evContext ctx"
+.Ft struct timespec
+.Fn evConsTime "int sec" "int usec"
+.Ft struct timespec
+.Fn evTimeSpec "struct timeval tv"
+.Ft struct timeval
+.Fn evTimeVal "struct timespec ts"
+.Ft struct timespec
+.Fn evAddTime "struct timespec addend1" "struct timespec addend2"
+.Ft struct timespec
+.Fn evSubTime "struct timespec minuend" "struct timespec subtrahend"
+.Ft struct timespec
+.Fn evCmpTime "struct timespec a" "struct timespec b"
+.Ft struct timespec
+.Fn evNowTime "void"
+.Ft struct timespec
+.Fn evUTCTime "void"
+.Ft struct timespec
+.Fn evLastEventTime "evContext opaqueCtx"
+.Ft int
+.Fn evSetTimer "evContext ctx" "evTimerFunc func" "void *uap" \
+"struct timespec due" "struct timespec inter" "evTimerID *id"
+.Ft int
+.Fn evResetTimer "evContext ctx" "evTimerID id" "evTimerFunc func" \
+"void *uap" "struct timespec due" "struct timespec inter"
+.Ft int
+.Fn evConfigTimer "evContext ctx" "evTimerID id" "const char *param" \
+"int value"
+.Ft int
+.Fn evClearTimer "evContext ctx" "evTimerID id"
+.Ft int
+.Fn evSetIdleTimer "evContext opaqueCtx" "evTimerFunc func" "void *uap" \
+"struct timespec max_idle" "evTimerID *opaqueID"
+.Ft int
+.Fn evTouchIdleTimer "evContext opaqueCtx" "evTimerID id"
+.Ft int
+.Fn evResetIdleTimer "evContext opaqueCtx" "evTimerID id" "evTimerFunc func" \
+"void *uap" "struct timespec max_idle"
+.Ft int
+.Fn evClearIdleTimer "evContext opaqueCtx" "evTimerID id"
+.Ft int
+.Fn evWaitFor "evContext opaqueCtx" "const void *tag" \
+"evWaitFunc func" "void *uap" "evWaitID *id"
+.Ft int
+.Fn evDo "evContext opaqueCtx" "const void *tag"
+.Ft int
+.Fn evUnwait "evContext opaqueCtx" "evWaitID id"
+.Ft int
+.Fn evDefer "evContext opaqueCtx" "evWaitFunc func" "void *uap"
+.Ft int
+.Fn evSelectFD "evContext ctx" "int fd" "int eventmask" \
+"evFileFunc func" "void *uap" "evFileID *id"
+.Ft int
+.Fn evDeselectFD "evContext ctx" "evFileID id"
+.Ft struct iovec
+.Fn evConsIovec "void *buf" "size_t cnt"
+.Ft int
+.Fn evWrite "evContext ctx" "int fd" "const struct iovec *iov" "int cnt" \
+"evStreamFunc func" "void *uap" "evStreamID *id"
+.Ft int
+.Fn evRead "evContext ctx" "int fd" "const struct iovec *iov" "int cnt" \
+"evStreamFunc func" "void *uap" "evStreamID *id"
+.Ft int
+.Fn evCancelRW "evContext ctx" "evStreamID id"
+.Ft int
+.Fn evTimeRW "evContext opaqueCtx" "evStreamID id" "evTimerID timer"
+.Ft int
+.Fn evUntimeRW "evContext opaqueCtx" "evStreamID id"
+.Ft int
+.Fn evListen "evContext ctx" "int fd" "int maxconn" \
+"evConnFunc func" "void *uap" "evConnID *id"
+.Ft int
+.Fn evConnect "evContext ctx" "int fd" "void *ra" "int ralen" \
+"evConnFunc func" "void *uap" "evConnID *id"
+.Ft int
+.Fn evCancelConn "evContext ctx" "evConnID id"
+.Ft int
+.Fn evHold "evContext ctx" "evConnID id"
+.Ft int
+.Fn evUnhold "evContext ctx" "evConnID id"
+.Ft int
+.Fn evTryAccept "evContext ctx" "evConnID id" "int *sys_errno"
+.Ft void
+.Fn evSetDebug "evContext ctx" "int level" "FILE *output"
+.Ft void
+.Fn evPrintf "const evContext_p *ctx" "int level" "const char *fmt" "..."
+.Ft void
+.Fn evInitID "*\s-1ID\s+1"
+.Ft int
+.Fn evTestID "\s-1ID\s+1"
+.Ft int
+.Fn evGetOption "evContext *ctx" "const char *option" "int *ret"
+.Ft int
+.Fn evSetOption "evContext *ctx" "const char *option" "int val"
+.Sh DESCRIPTION
+This library provides multiple outstanding asynchronous timers and I/O
+to a cooperating application. The model is similar to that of the X
+Toolkit, in that events are registered with the library and the application
+spends most of its time in the
+.Fn evMainLoop
+function. If an application already has a main loop, it can safely register
+events with this library as long as it periodically calls the
+.Fn evGetNext
+and
+.Fn evDispatch
+functions. (Note that
+.Fn evGetNext
+has both polling and blocking modes.)
+.Pp
+The function
+.Fn evCreate
+creates an event context which is needed by all the other functions in this
+library. All information used internally by this library is bound to this
+context, rather than to static storage. This makes the library
+.Dq thread safe ,
+and permits other library functions to use events without
+disrupting the application's use of events.
+.Pp
+The function
+.Fn evDestroy
+destroys a context that has been created by
+.Fn evCreate .
+All dynamic memory bound to this context will be freed. An implicit
+.Fn evTimerClear
+will be done on all timers set in this event context. An implicit
+.Fn evDeselectFD
+will be done on all file descriptors selected in this event context.
+.Pp
+The function
+.Fn evGetNext
+potentially waits for and then retrieves the next asynchronous event,
+placing it in the object of the
+.Fa ev
+pointer argument. The following
+.Fa options
+are available:
+.Fa EV_POLL ,
+meaning that
+.Fn evGetNext
+should not block, but rather return
+.Dq Fa -1
+with
+.Fa errno
+set to
+.Fa EWOULDBLOCK
+if no events have occurred;
+.Fa EV_WAIT ,
+which tells
+.Fn evGetNext
+to block internally until the next event occurs; and
+.Fa EV_NULL ,
+which tells
+.Fn evGetNext
+that it should return a special
+.Dq no-op
+event, which is ignored by
+.Fn evDispatch
+but handled correctly by
+.Fn evDrop .
+.Fa EV_NULL
+can be necessary to the correct functioning of a caller\-written equivilent to
+.Fn evMainLoop ,
+wherein perterbations caused by external system events must be polled for, and
+the default behaviour of internally ignoring such events is undesirable.
+Note that
+.Fa EV_POLL
+and
+.Fa EV_WAIT
+are mutually exclusive.
+.Pp
+The function
+.Fn evDispatch
+dispatches an event retrieved by
+.Fn evGetNext .
+This usually involves calling the function that was associated with the event
+when the event was registered with
+.Fn evSetTimer ,
+.Fn evResetTimer ,
+or
+.Fn evSelectFD .
+All events retrieved by
+.Fn evGetNext
+must be given over to
+.Fn evDispatch
+at some point, since there is some dynamic memory associated with each event.
+.Pp
+The function
+.Fn evDrop
+deallocates dynamic memory that has been allocated by
+.Fn evGetNext .
+Calling
+.Fn evDispatch
+has the side effect of calling
+.Fn evDrop ,
+but if you are going to drop the event rather than dispatch it, you will have
+to call
+.Fn evDrop
+directly.
+.Pp
+The function
+.Fn evMainLoop
+is just:
+.Bd -literal -offset indent
+while ((x = evGetNext(opaqueCtx, &event, EV_WAIT)) == 0)
+ if ((x = evDispatch(opaqueCtx, event)) < 0)
+ break;
+return (x);
+.Ed
+.Pp
+In other words, get events and dispatch them until an error occurs. One such
+error would be that all the events under this context become unregistered; in
+that event, there will be nothing to wait for and
+.Fn evGetNext
+becomes an undefined operation.
+.Pp
+The function
+.Fn evConsTime
+is a constructor for
+.Dq Fa struct timespec
+which allows these structures to be created and then passed as arguments to
+other functions without the use of temporary variables. (If C had inline
+constructors, there would be no need for this function.)
+.Pp
+The functions
+.Fn evTimeSpec
+and
+.Fn evTimeVal
+are utilities which allow the caller to convert a
+.Dq Fa struct timeval
+to a
+.Dq Fa struct timespec
+(the function of
+.Fn evTimeSpec )
+or vice versa (the function of
+.Fn evTimeVal ) .
+Note that the name of the function indicates the type of the return value.
+.Pp
+The function
+.Fn evAddTime
+adds two
+.Dq Fa struct timespec
+values and returns the result as a
+.Dq Fa struct timespec .
+.Pp
+The function
+.Fn evSubTime
+subtracts its second
+.Dq Fa struct timespec
+argument from its first
+.Dq Fa struct timespec
+argument and returns the result as a
+.Dq Fa struct timespec .
+.Pp
+The function
+.Fn evCmpTime
+compares its two
+.Dq Fa struct timespec
+arguments and returns an
+.Dq Fa int
+that is less than zero if the first argument specifies an earlier time than
+the second, or more than zero if the first argument specifies a later time
+than the second, or equal to zero if both arguments specify the same time.
+.Pp
+The function
+.Fn evNowTime
+returns a
+.Dq Fa struct timespec
+which either describes the current time
+(using
+.Xr clock_gettime 2 or
+.Xr gettimeofday 2 ) ,
+if successful, or has its fields set to zero, if there is an error.
+(In the latter case, the caller can check
+.Va errno ,
+since it will be set by
+.Xr gettimeofday 2 . )
+The timestamp returned may not be UTC time if
+the "monotime" option has been enabled with
+.Fn evSetOption .
+.Pp
+The function
+.Fn evUTCTime
+is like
+.Fn evNowTime
+except the result is always on the UTC timescale.
+.Pp
+The function
+.Fn evLastEventTime
+returns the
+.Dq Fa struct timespec
+which describes the last time that certain events happened to the
+event context indicated by
+.Fa opaqueCtx .
+This value is updated by
+.Fn evCreate
+and
+.Fn evGetNext
+(upon entry and after
+.Xr select 2
+returns); it is routinely compared with other times in the internal handling
+of, e.g., timers.
+.Pp
+The function
+.Fn evSetTimer
+registers a timer event, which will be delivered as a function call to the
+function specified by the
+.Fa func
+argument. The event will be delivered at absolute time
+.Fa due ,
+and then if time
+.Fa inter
+is not equal to
+.Dq Fn evConsTime 0 0 ,
+subsequently at intervals equal to time
+.Fa inter .
+As a special case, specifying a
+.Fa due
+argument equal to
+.Dq Fn evConsTime 0 0
+means
+.Dq due immediately .
+The
+.Fa opaqueID
+argument, if specified as a value other than
+.Fa NULL ,
+will be used to store the resulting
+.Dq timer \s-1ID\s+1 ,
+useful as an argument to
+.Fn evClearTimer .
+Note that in a
+.Dq one\-shot
+timer (which has an
+.Fa inter
+argument equal to
+.Dq Fa evConsTime(0,0) )
+the user function
+.Fa func
+should deallocate any dynamic memory that is uniquely bound to the
+.Fa uap ,
+since no handles to this memory will exist within the event library
+after a one\-shot timer has been delivered.
+.Pp
+The function
+.Fn evResetTimer
+resets the values of the timer specified by
+.Fa id
+to the given arguments. The arguments are the same as in the description of
+.Fn evSetTimer
+above.
+.Pp
+The function
+.Fn evClearTimer
+will unregister the timer event specified by
+.Fa id .
+Note that if the
+.Fa uap
+specified in the corresponding
+.Fn evSetTimer
+call is uniquely bound to any dynamic memory, then that dynamic memory should
+be freed by the caller before the handle is lost. After a call to
+.Fn evClearTimer ,
+no handles to this
+.Fa uap
+will exist within the event library.
+.Pp
+The function
+.Fn evConfigTimer
+can be used to manipulate other aspects of a timer.
+Currently two modes are defined "rate" and "interval" which affect the
+way recurrent timers are scheduled.
+The default mode is "interval" where the event gets scheduled
+.Fa inter
+after last time it was run.
+If mode "rate" is selected the event gets scheduled
+.Fa inter
+after last time it was scheduled.
+For both "rate" and "interval" the numerical argument
+.Fa value
+is ignored.
+.Pp
+The function
+.Fn evSetIdleTimer
+is similar to (and built on)
+.Fn evSetTimer ;
+it registers an idle timer event which provides for the function call to
+.Fa func
+to occur. However, for an
+.Em idle
+timer, the call will occur after at least
+.Dq Fa max_idle
+time has passed since the time the idle timer was
+.Dq last touched ;
+originally, this is set to the time returned by
+.Fn evLastEventTime
+(described above) for the event context specified by
+.Fa opaqueCtx .
+This is a
+.Dq one\-shot
+timer, but the time at which the
+.Fa func
+is actually called can be changed by recourse to
+.Fn evTouchIdleTimer
+(described below). The pointer to the underlying
+.Dq timer \s-1ID\s+1
+is returned in
+.Fa opaqueID ,
+if it is
+.No non- Ns Dv NULL .
+.Pp
+The
+.Fn evTouchIdleTimer
+function updates the idle timer associated with
+.Fa id ,
+setting its idea of the time it was last accessed to the value returned by
+.Fn evLastEventTime
+(described above) for the event context specified by
+.Fa opaqueCtx .
+This means that the idle timer will expire after at least
+.Fa max_idle
+time has passed since this (possibly new) time, providing a caller mechanism
+for resetting the call to the
+.Fa func
+associated with the idle timer. (See the description of
+.Fn evSetIdleTimer ,
+above, for information about
+.Fa func
+and
+.Fa max_idle . )
+.Pp
+The
+.Fn evResetIdleTimer
+function reschedules a timer and resets the callback function and its argument.
+Note that resetting a timer also ``touches'' it.
+.Pp
+The
+.Fn evClearIdleTimer
+function unregisters the idle timer associated with
+.Fa id .
+See the discussion under
+.Fn evClearTimer ,
+above, for information regarding caller handling of the
+.Fa uap
+associated with the corresponding
+.Fn evSetIdleTimer
+call.
+.Pp
+The function
+.Fn evWaitFor
+places the function
+.Fa func
+on the given event context's wait queue with the associated (possibly
+.Dv NULL )
+.Dq Fa tag ;
+if
+.Fa id
+is
+.No non- Ns Dv NULL ,
+then it will contain the
+.Dq wait \s-1ID\s+1
+associated with the created queue element.
+.Pp
+The function
+.Fn evDo
+marks
+.Em all
+of the
+.Dq waiting
+functions in the given event context's wait queue with the associated (possibly
+.Dv NULL )
+.Dq Fa tag
+as runnable. This places these functions in a
+.Dq done
+queue which will be read by
+.Fn evGetNext .
+.Pp
+The function
+.Fn evUnwait
+will search for the
+.Dq wait \s-1ID\s+1
+.Fa id
+in the wait queue of the given event context; if an element with the given
+.Fa id
+is not found, then the
+.Dq done
+queue of that context is searched. If found, the queue element is removed
+from the appropriate list.
+.Pp
+The function
+.Fn evDefer
+causes a function (specified as
+.Fa func ,
+with argument
+.Fa uap )
+to be dispatched at some later time. Note that the
+.Fa tag
+argument to
+.Fa func
+will always be
+.Fa NULL
+when dispatched.
+.Pp
+The function
+.Fn evSelectFD
+registers a file I/O event for the file descriptor specified by
+.Fa fd .
+Bits in the
+.Fa eventmask
+argument are named
+.Fa EV_READ ,
+.Fa EV_WRITE ,
+and
+.Fa EV_EXCEPT .
+At least one of these bits must be specified. If the
+.Fa id
+argument is not equal to
+.Fa NULL ,
+it will be used to store a unique ``file event \s-1ID\s+1'' for this event,
+which is useful in subsequent calls to
+.Fn evDeselectFD .
+A file descriptor will be made nonblocking using the
+.Fa O_NONBLOCK
+flag with
+.Xr fcntl 2
+on its first concurrent registration via
+.Fn evSelectFD .
+An
+.Fn evSelectFD
+remains in effect until cancelled via
+.Fn evDeselectFD .
+.Pp
+The function
+.Fn evDeselectFD
+unregisters the ``file event'' specified by the
+.Fa id
+argument. If the corresponding
+.Fa uap
+uniquely points to dynamic memory, that memory should be freed before its
+handle is lost, since after a call to
+.Fn evDeselectFD ,
+no handles to this event's
+.Fa uap
+will remain within the event library. A file descriptor will be taken out of
+nonblocking mode (see
+.Fa O_NONBLOCK
+and
+.Xr fcntl 2 )
+when its last event registration is removed via
+.Fn evDeselectFD ,
+if it was in blocking mode before the first registration via
+.Fn evSelectFD .
+.Pp
+The function
+.Fn evConsIovec
+is a constructor for a single
+.Ft struct iovec
+structure, which is useful for
+.Fn evWrite
+and
+.Fn evRead .
+.Pp
+The functions
+.Fn evWrite
+and
+.Fn evRead
+start asynchronous stream I/O operations on file descriptor
+.Fa fd .
+The data to be written or read is in the scatter/gather descriptor specified by
+.Fa iov
+and
+.Fa cnt .
+The supplied function
+.Fa func
+will be called with argument
+.Fa uap
+when the I/O operation is complete. If
+.Fa id
+is not
+.Fa NULL ,
+it will be filled a with the stream event identifier suitable for use with
+.Fn evCancelRW .
+.Pp
+The function
+.Fn evCancelRW
+extinguishes an outstanding
+.Fn evWrite
+or
+.Fn evRead
+call. System I/O calls cannot always be cancelled, but you are guaranteed
+that the
+.Fa func
+function supplied to
+.Fn evWrite
+or
+.Fn evRead
+will not be called after a call to
+.Fn evCancelRW .
+Care should be taken not to deallocate or otherwise reuse the space pointed
+to by the segment descriptors in
+.Fa iov
+unless the underlying file descriptor is closed first.
+.Pp
+The function
+.Fn evTimeRW
+sets the stream associated with the given stream \s-1ID\s+1
+.Dq Fa id
+to have the idle timer associated with the timer \s-1ID\s+1
+.Dq Fa timer .
+.Pp
+The function
+.Fn evUntimeRW
+says that the stream associated with the given stream \s-1ID\s+1
+.Dq Fa id
+should ignore its idle timer, if present.
+.Pp
+The functions
+.Fn evListen ,
+.Fn evConnect ,
+and
+.Fn evCancelConn
+can be used to manage asynchronous incoming and outgoing socket connections.
+Sockets to be used with these functions should first be created with
+.Xr socket 2
+and given a local name with
+.Xr bind 2 .
+It is extremely unlikely that the same socket will ever be
+useful for both incoming and outgoing connections. The
+.Fa id
+argument to
+.Fn evListen
+and
+.Fn evConnect
+is either
+.Fa NULL
+or the address of a
+.Ft evFileID
+variable which can then be used in a subsequent call to
+.Fn evCancelConn .
+.Pp
+After a call to
+.Fn evListen ,
+each incoming connection arriving on
+.Fa fd
+will cause
+.Fa func
+to be called with
+.Fa uap
+as one of its arguments.
+.Fn evConnect
+initiates an outgoing connection on
+.Fa fd
+to destination address
+.Fa ra
+(whose length is
+.Fa ralen ) .
+When the connection is complete,
+.Fa func
+will be called with
+.Fa uap
+as one of its arguments. The argument
+.Fa fd
+to
+.Fn \*(lp*func\*(rp
+will be
+.Fa -1
+if an error occurred that prevented this connection from completing
+successfully. In this case
+.Fn errno
+will have been set and the socket described by
+.Fa fd
+will have been closed. The
+.Fn evCancelConn
+function will prevent delivery of all pending and subsequent
+events for the outstanding connection. The
+.Fn evHold
+function will suspend the acceptance of new connections on the listener
+specified by
+.Fa id .
+Connections will be queued by the protocol stack up to the system's limit. The
+.Fn evUnhold
+function will reverse the effects of
+.Fn evHold ,
+allowing incoming connections to be delivered for listener
+.Fa id .
+The
+.Fn evTryAccept
+function will poll the listener specified by
+.Fa id ,
+accepting a new connection if one is available, and queuing a connection event
+for later retrieval by
+.Fn evGetNext .
+If the connection event queued is an accept error(), sys_errno will contain
+the error code; otherwise it will be zero. All connection events queued by
+.Fn evTryAccept
+will be delivered by
+.Fn evGetNext
+before a new select is done on the listener.
+.Pp
+The function
+.Fn evSetDebug
+sets the debugging
+.Fa level
+and diagnostic
+.Fa output
+file handle for an event context. Greater numeric levels will
+result in more verbose output being sent to the output FILE during program
+execution.
+.Pp
+The function
+.Fn evPrintf
+prints a message with the format
+.Dq Fa fmt
+and the following arguments (if any), on the output stream associated
+with the event context pointed to by
+.Fa ctx .
+The message is output if the event context's debug level is greater than
+or equal to the indicated
+.Fa level .
+.Pp
+The function
+.Fn evInitID
+will initialize an opaque
+.Dq evConn \s-1ID\s+1 ,
+.Dq evFile \s-1ID\s+1 ,
+.Dq evStream \s-1ID\s+1 ,
+.Dq evTimer \s-1ID\s+1 ,
+.Dq evWait \s-1ID\s+1 ,
+.Dq evContext ,
+or
+.Dq evEvent ,
+which is passed by reference to a state which
+.Fn evTestID
+will recognize.
+This is useful to make a handle as "not in use".
+.Pp
+The function
+.Fn evTestID
+will examine an opaque \s-1ID\s+1 and return
+.Dq TRUE
+only if it is not in its initialized state.
+.Pp
+The functions
+.Fn evGetOption
+and
+.Fn evSetOption
+can be used to inspect and modify options.
+Currently there is only one option, "monotime" and it is global for all
+instances of eventlib so the ctx argument must be passed as NULL.
+.Pp
+The default value for the "monotime" option is zero which selects
+the UTC timescale.
+When set to a value of one, eventlib will use the
+CLOCK_MONOTONIC timescale from
+.Xr clock_gettime
+instead.
+The CLOCK_MONOTONIC timescale is never stepped and should
+run at a rate as close to TAI as possible, so it is unaffected
+when the system clock is set.
+If timerevents should run at a predictable rate, set the value
+to one, of they should run at a predictable time of day, leave
+it at zero.
+If the CLOCK_MONOTONIC timescale is not available on the system,
+attempts to set/get this option will fail.
+.Sh RETURN VALUES
+All the functions whose return type is
+.Dq Fa int
+use the standard convention of returning zero (0) to indicate success, or
+returning
+.Dq Fa -1
+and setting
+.Fa errno
+to indicate failure.
+.Sh FILE
+.Pa heap.h ,
+which is in the
+.Pa src/lib/isc
+directory of the current
+.Sy BIND
+distribution.
+.Sh ERRORS
+The possible values for
+.Fa errno
+when one of the
+.Dq Fa int
+functions in this library returns
+.Dq Fa -1
+include those of the Standard C Library and also:
+.Bl -tag -width EWOULDBLOCKAA
+.It Bq Er EINVAL
+Some function argument has an unreasonable value.
+.It Bq Er EINVAL
+The specified file descriptor has an integer value greater than the default
+.Fa FD_SETSIZE ,
+meaning that the application's limit is higher than the library's.
+.It Bq Er ENOENT
+The specified
+.Dq event \s-1ID\s+1
+does not exist.
+.It Bq Er EWOULDBLOCK
+No events have occurred and the
+.Fa EV_POLL
+option was specified.
+.It Bq Er EBADF
+The specified signal was unblocked outside the library.
+.El
+.Sh SEE ALSO
+.Xr gettimeofday 2 ,
+.Xr select 2 ,
+.Xr fcntl 3 ,
+.Xr malloc 3 ,
+.Xr @INDOT@named @SYS_OPS_EXT@ ,
+.Xr readv 3 ,
+.Xr writev 3 .
+.Sh BUGS
+This huge man page needs to be broken up into a handful of smaller ones.
+.Sh HISTORY
+The
+.Nm eventlib
+library was designed by Paul Vixie with excellent advice from his friends
+and with tips 'o the cap to the X Consortium and the implementors of DEC SRC
+Modula-3.
diff --git a/contrib/bind9/lib/bind/isc/eventlib_p.h b/contrib/bind9/lib/bind/isc/eventlib_p.h
new file mode 100644
index 0000000..506ec5d
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/eventlib_p.h
@@ -0,0 +1,219 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* eventlib_p.h - private interfaces for eventlib
+ * vix 09sep95 [initial]
+ *
+ * $Id: eventlib_p.h,v 1.3.2.1.4.1 2004/03/09 08:33:43 marka Exp $
+ */
+
+#ifndef _EVENTLIB_P_H
+#define _EVENTLIB_P_H
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <sys/un.h>
+
+#define EVENTLIB_DEBUG 1
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/heap.h>
+#include <isc/list.h>
+#include <isc/memcluster.h>
+
+#define EV_MASK_ALL (EV_READ | EV_WRITE | EV_EXCEPT)
+#define EV_ERR(e) return (errno = (e), -1)
+#define OK(x) if ((x) < 0) EV_ERR(errno); else (void)NULL
+
+#define NEW(p) if (((p) = memget(sizeof *(p))) != NULL) \
+ FILL(p); \
+ else \
+ (void)NULL;
+#define OKNEW(p) if (!((p) = memget(sizeof *(p)))) { \
+ errno = ENOMEM; \
+ return (-1); \
+ } else \
+ FILL(p)
+#define FREE(p) memput((p), sizeof *(p))
+
+#if EVENTLIB_DEBUG
+#define FILL(p) memset((p), 0xF5, sizeof *(p))
+#else
+#define FILL(p)
+#endif
+
+typedef struct evConn {
+ evConnFunc func;
+ void * uap;
+ int fd;
+ int flags;
+#define EV_CONN_LISTEN 0x0001 /* Connection is a listener. */
+#define EV_CONN_SELECTED 0x0002 /* evSelectFD(conn->file). */
+#define EV_CONN_BLOCK 0x0004 /* Listener fd was blocking. */
+ evFileID file;
+ struct evConn * prev;
+ struct evConn * next;
+} evConn;
+
+typedef struct evAccept {
+ int fd;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un un;
+#endif
+ } la;
+ ISC_SOCKLEN_T lalen;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+#ifndef NO_SOCKADDR_UN
+ struct sockaddr_un un;
+#endif
+ } ra;
+ ISC_SOCKLEN_T ralen;
+ int ioErrno;
+ evConn * conn;
+ LINK(struct evAccept) link;
+} evAccept;
+
+typedef struct evFile {
+ evFileFunc func;
+ void * uap;
+ int fd;
+ int eventmask;
+ int preemptive;
+ struct evFile * prev;
+ struct evFile * next;
+ struct evFile * fdprev;
+ struct evFile * fdnext;
+} evFile;
+
+typedef struct evStream {
+ evStreamFunc func;
+ void * uap;
+ evFileID file;
+ evTimerID timer;
+ int flags;
+#define EV_STR_TIMEROK 0x0001 /* IFF timer valid. */
+ int fd;
+ struct iovec * iovOrig;
+ int iovOrigCount;
+ struct iovec * iovCur;
+ int iovCurCount;
+ int ioTotal;
+ int ioDone;
+ int ioErrno;
+ struct evStream *prevDone, *nextDone;
+ struct evStream *prev, *next;
+} evStream;
+
+typedef struct evTimer {
+ evTimerFunc func;
+ void * uap;
+ struct timespec due, inter;
+ int index;
+ int mode;
+#define EV_TMR_RATE 1
+} evTimer;
+
+typedef struct evWait {
+ evWaitFunc func;
+ void * uap;
+ const void * tag;
+ struct evWait * next;
+} evWait;
+
+typedef struct evWaitList {
+ evWait * first;
+ evWait * last;
+ struct evWaitList * prev;
+ struct evWaitList * next;
+} evWaitList;
+
+typedef struct evEvent_p {
+ enum { Accept, File, Stream, Timer, Wait, Free, Null } type;
+ union {
+ struct { evAccept *this; } accept;
+ struct { evFile *this; int eventmask; } file;
+ struct { evStream *this; } stream;
+ struct { evTimer *this; } timer;
+ struct { evWait *this; } wait;
+ struct { struct evEvent_p *next; } free;
+ struct { const void *placeholder; } null;
+ } u;
+} evEvent_p;
+
+typedef struct {
+ /* Global. */
+ const evEvent_p *cur;
+ /* Debugging. */
+ int debug;
+ FILE *output;
+ /* Connections. */
+ evConn *conns;
+ LIST(evAccept) accepts;
+ /* Files. */
+ evFile *files, *fdNext;
+ fd_set rdLast, rdNext;
+ fd_set wrLast, wrNext;
+ fd_set exLast, exNext;
+ fd_set nonblockBefore;
+ int fdMax, fdCount, highestFD;
+ evFile *fdTable[FD_SETSIZE];
+#ifdef EVENTLIB_TIME_CHECKS
+ struct timespec lastSelectTime;
+ int lastFdCount;
+#endif
+ /* Streams. */
+ evStream *streams;
+ evStream *strDone, *strLast;
+ /* Timers. */
+ struct timespec lastEventTime;
+ heap_context timers;
+ /* Waits. */
+ evWaitList *waitLists;
+ evWaitList waitDone;
+} evContext_p;
+
+/* eventlib.c */
+#define evPrintf __evPrintf
+void evPrintf(const evContext_p *ctx, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+/* ev_timers.c */
+#define evCreateTimers __evCreateTimers
+heap_context evCreateTimers(const evContext_p *);
+#define evDestroyTimers __evDestroyTimers
+void evDestroyTimers(const evContext_p *);
+
+/* ev_waits.c */
+#define evFreeWait __evFreeWait
+evWait *evFreeWait(evContext_p *ctx, evWait *old);
+
+/* Global options */
+int __evOptMonoTime;
+
+#endif /*_EVENTLIB_P_H*/
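Review bot: `int __evOptMonoTime;` at the end of this header is a tentative definition rather than a declaration, so every source file that includes eventlib_p.h gets its own copy and the link succeeds only where the toolchain merges common symbols. Declare it here as `extern int __evOptMonoTime;` and define it once, presumably in eventlib.c, where evSetOption and evGetOption read and write it. Separately, `fdTable[FD_SETSIZE]` and the `fd_set` members of `evContext_p` appear to be indexed by descriptor number. A comment on the struct such as `/* every fd stored here must be < FD_SETSIZE; check before indexing */` would record the bound that the code using these fields has to enforce, which lies outside this hunk. Since this is a vendor import, both changes would best be sent upstream or carried as a local patch.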
diff --git a/contrib/bind9/lib/bind/isc/heap.c b/contrib/bind9/lib/bind/isc/heap.c
new file mode 100644
index 0000000..f63619f
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/heap.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Heap implementation of priority queues adapted from the following:
+ *
+ * _Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
+ * MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
+ *
+ * _Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
+ * ISBN 0-201-06673-4, chapter 11.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: heap.c,v 1.1.206.1 2004/03/09 08:33:43 marka Exp $";
+#endif /* not lint */
+
+#include "port_before.h"
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include "port_after.h"
+
+#include <isc/heap.h>
+
+/*
+ * Note: to make heap_parent and heap_left easy to compute, the first
+ * element of the heap array is not used; i.e. heap subscripts are 1-based,
+ * not 0-based.
+ */
+#define heap_parent(i) ((i) >> 1)
+#define heap_left(i) ((i) << 1)
+
+#define ARRAY_SIZE_INCREMENT 512
+
+heap_context
+heap_new(heap_higher_priority_func higher_priority, heap_index_func index,
+ int array_size_increment) {
+ heap_context ctx;
+
+ ctx = (heap_context)malloc(sizeof (struct heap_context));
+ if (ctx == NULL || higher_priority == NULL)
+ return (NULL);
+ ctx->array_size = 0;
+ if (array_size_increment == 0)
+ ctx->array_size_increment = ARRAY_SIZE_INCREMENT;
+ else
+ ctx->array_size_increment = array_size_increment;
+ ctx->heap_size = 0;
+ ctx->heap = NULL;
+ ctx->higher_priority = higher_priority;
+ ctx->index = index;
+ return (ctx);
+}
+
+int
+heap_free(heap_context ctx) {
+ if (ctx == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (ctx->heap != NULL)
+ free(ctx->heap);
+ free(ctx);
+
+ return (0);
+}
+
+static int
+heap_resize(heap_context ctx) {
+ void **new_heap;
+
+ ctx->array_size += ctx->array_size_increment;
+ new_heap = (void **)realloc(ctx->heap,
+ (ctx->array_size) * (sizeof (void *)));
+ if (new_heap == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ ctx->heap = new_heap;
+ return (0);
+}
+
+static void
+float_up(heap_context ctx, int i, void *elt) {
+ int p;
+
+ for ( p = heap_parent(i);
+ i > 1 && ctx->higher_priority(elt, ctx->heap[p]);
+ i = p, p = heap_parent(i) ) {
+ ctx->heap[i] = ctx->heap[p];
+ if (ctx->index != NULL)
+ (ctx->index)(ctx->heap[i], i);
+ }
+ ctx->heap[i] = elt;
+ if (ctx->index != NULL)
+ (ctx->index)(ctx->heap[i], i);
+}
+
+static void
+sink_down(heap_context ctx, int i, void *elt) {
+ int j, size, half_size;
+
+ size = ctx->heap_size;
+ half_size = size / 2;
+ while (i <= half_size) {
+ /* find smallest of the (at most) two children */
+ j = heap_left(i);
+ if (j < size && ctx->higher_priority(ctx->heap[j+1],
+ ctx->heap[j]))
+ j++;
+ if (ctx->higher_priority(elt, ctx->heap[j]))
+ break;
+ ctx->heap[i] = ctx->heap[j];
+ if (ctx->index != NULL)
+ (ctx->index)(ctx->heap[i], i);
+ i = j;
+ }
+ ctx->heap[i] = elt;
+ if (ctx->index != NULL)
+ (ctx->index)(ctx->heap[i], i);
+}
+
+int
+heap_insert(heap_context ctx, void *elt) {
+ int i;
+
+ if (ctx == NULL || elt == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ i = ++ctx->heap_size;
+ if (ctx->heap_size >= ctx->array_size && heap_resize(ctx) < 0)
+ return (-1);
+
+ float_up(ctx, i, elt);
+
+ return (0);
+}
+
+int
+heap_delete(heap_context ctx, int i) {
+ void *elt;
+ int less;
+
+ if (ctx == NULL || i < 1 || i > ctx->heap_size) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ if (i == ctx->heap_size) {
+ ctx->heap_size--;
+ } else {
+ elt = ctx->heap[ctx->heap_size--];
+ less = ctx->higher_priority(elt, ctx->heap[i]);
+ ctx->heap[i] = elt;
+ if (less)
+ float_up(ctx, i, ctx->heap[i]);
+ else
+ sink_down(ctx, i, ctx->heap[i]);
+ }
+
+ return (0);
+}
+
+int
+heap_increased(heap_context ctx, int i) {
+ if (ctx == NULL || i < 1 || i > ctx->heap_size) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ float_up(ctx, i, ctx->heap[i]);
+
+ return (0);
+}
+
+int
+heap_decreased(heap_context ctx, int i) {
+ if (ctx == NULL || i < 1 || i > ctx->heap_size) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ sink_down(ctx, i, ctx->heap[i]);
+
+ return (0);
+}
+
+void *
+heap_element(heap_context ctx, int i) {
+ if (ctx == NULL || i < 1 || i > ctx->heap_size) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ return (ctx->heap[i]);
+}
+
+int
+heap_for_each(heap_context ctx, heap_for_each_func action, void *uap) {
+ int i;
+
+ if (ctx == NULL || action == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ for (i = 1; i <= ctx->heap_size; i++)
+ (action)(ctx->heap[i], uap);
+ return (0);
+}
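Review bot: A failed realloc() in heap_resize leaves the bookkeeping ahead of the allocation: `ctx->array_size` is increased before the call and never restored, and heap_insert has already done `++ctx->heap_size` by the time it returns -1. After one ENOMEM the next heap_insert can pass the `heap_size >= array_size` test, and float_up then stores past the end of the old array (or through a NULL `ctx->heap` if the first insert failed). Both counters should be committed only after the allocation succeeds, as sketched below. Separately, heap_new leaks `ctx` when `higher_priority` is NULL, because the malloc comes before that check.

```c
/* heap_resize(): grow only once realloc() has succeeded */
	new_heap = (void **)realloc(ctx->heap,
	    (ctx->array_size + ctx->array_size_increment) *
	    (sizeof (void *)));
	/* … unchanged: NULL check setting ENOMEM … */
	ctx->heap = new_heap;
	ctx->array_size += ctx->array_size_increment;

/* heap_insert(): reserve the slot before counting it */
	if (ctx->heap_size + 1 >= ctx->array_size && heap_resize(ctx) < 0)
		return (-1);
	i = ++ctx->heap_size;
```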
diff --git a/contrib/bind9/lib/bind/isc/heap.mdoc b/contrib/bind9/lib/bind/isc/heap.mdoc
new file mode 100644
index 0000000..95c9444
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/heap.mdoc
@@ -0,0 +1,378 @@
+.\" $Id: heap.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1997,1999 by Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd January 1, 1997
+.\"Os OPERATING_SYSTEM [version/release]
+.Os BSD 4
+.Dt HEAP @SYSCALL_EXT@
+.Sh NAME
+.Nm heap_new ,
+.Nm heap_free ,
+.Nm heap_insert ,
+.Nm heap_delete ,
+.Nm heap_increased ,
+.Nm heap_decreased ,
+.Nm heap_element ,
+.Nm heap_for_each
+.Nd heap implementation of priority queues
+.Sh SYNOPSIS
+.Fd #include \&"heap.h\&"
+.Ft heap_context
+.Fn heap_new "heap_higher_priority_func higher_priority" \
+"heap_index_func index" "int array_size_increment"
+.Ft int
+.Fn heap_free "heap_context ctx"
+.Ft int
+.Fn heap_insert "heap_context ctx" "void *elt"
+.Ft int
+.Fn heap_delete "heap_context ctx" "int i"
+.Ft int
+.Fn heap_increased "heap_context ctx" "int i"
+.Ft int
+.Fn heap_decreased "heap_context ctx" "int i"
+.Ft void *
+.Fn heap_element "heap_context ctx" "int i"
+.Ft int
+.Fn heap_for_each "heap_context ctx" "heap_for_each_func action" "void *uap"
+.Sh DESCRIPTION
+These functions implement heap\-based priority queues. The user defines a
+priority scheme, and provides a function for comparison of the priority
+of heap elements
+(see the description of the
+.Ft heap_higher_priority_func
+function pointer, below).
+.Pp
+Each of the functions depends upon the
+.Ft heap_context
+type, which is a pointer to a
+.Ft struct heap_context
+.Pq see Pa heap.h No for more information .
+.Pp
+The
+.Pa heap.h
+header file also defines the following set of function
+function pointers:
+.Bd -literal -offset indent
+typedef int (*heap_higher_priority_func)(void *, void *);
+typedef void (*heap_index_func)(void *, int);
+typedef void (*heap_for_each_func)(void *, void *);
+.Ed
+.Pp
+These are pointers to user-defined functions.
+The
+.Ft heap_higher_priority_func
+type is a pointer to a function which compares two
+different heap (queue) elements and returns an
+.Ft int
+which answers the question, "Does the first queue element
+have a higher priority than the second?" In other words,
+a function pointer of this type
+.Em must
+return a number greater than zero
+if the element indicated by the first argument is of a higher priority than
+that indicated by the second element, and zero otherwise.
+.Pp
+The other two function pointers are documented in the descriptions
+of
+.Fn heap_new
+.Pq Va heap_index_func
+and
+.Fn heap_for_each
+.Pq Va heap_for_each_func ,
+below.
+.Pp
+The function
+.Fn heap_new
+initializes a
+.Ft struct heap_context
+and returns a pointer to it. The
+.Fa higher_priority
+function pointer
+.Em must
+be
+.No non\- Ns Dv NULL .
+As explained above, this refers to a
+function supplied by the user which compares the priority of two different
+queue or heap elements; see above for more information.
+The second argument,
+.Fa index ,
+is a pointer to a user-defined function whose arguments are
+a heap element and its index in the heap.
+.Fa Index
+is intended to provide the user a means of knowing the internal index
+of an element in the heap while maintaining the opacity of the implementation;
+since the user has to know the actual indexes of heap elements in order to use,
+e.g.,
+.Fn heap_delete
+or
+.Fn heap_element ,
+the user
+.Fa index
+function could store the index in the heap element, itself. If
+.Fa index
+is
+.No non\- Ns Dv NULL ,
+then it is called
+.Em whenever
+the index of an element changes, allowing the user to stay up\-to\-date
+with index changes.
+The last argument,
+.Fa array_size_increment
+will be used, as its name suggests, by
+.Xr malloc 3
+or
+.Xr realloc 3
+to increment the array which implements the heap; if zero, a default value
+will be used.
+.Pp
+The
+.Fn heap_free
+function frees the given
+.Ft heap_context
+argument
+.Pq Fa ctx ,
+which also frees the entire
+.Nm heap ,
+if it is
+.No non\- Ns Dv NULL .
+The argument
+.Fa ctx
+should be
+.No non\- Ns Dv NULL .
+.Pp
+The
+.Fn heap_insert
+function is used to insert the new heap element
+.Fa elt
+into the appropriate place (priority\-wise) in the
+.Ft heap
+indicated by
+.Fa ctx
+(a pointer to a
+.Ft heap_context ) .
+If
+.No non\- Ns Dv NULL ,
+the user-defined
+.Ft higher_priority
+function pointer associated with the indicated
+.Nm heap
+is used to determine that
+.Dq appropriate place ;
+the highest\-priority elements are at the front of the queue (top of
+the heap).
+(See the description of
+.Fn heap_new ,
+above, for more information.)
+.Pp
+The function
+.Fn heap_delete
+is used to delete the
+.Fa i\- Ns th
+element of the queue (heap), and fixing up the queue (heap) from that
+element onward via the priority as determined by the user function
+pointed to by
+.Ft higher_priority
+function pointer
+(see description of
+.Fn heap_new ,
+above).
+.Pp
+.Fn heap_increased
+.Pp
+.Fn heap_decreased
+.Pp
+The
+.Fn heap_element
+function returns the
+.Fa i\- Ns th
+element of the queue/heap indicated by
+.Fa ctx ,
+if possible.
+.Pp
+The
+.Fn heap_for_each
+function provides a mechanism for the user to increment through the entire
+queue (heap) and perform some
+.Fa action
+upon each of the queue elements. This
+.Fa action
+is pointer to a user\-defined function with two arguments, the first of
+which should be interpreted by the user's function as a heap element. The
+second value passed to the user function is just the
+.Fa uap
+argument to
+.Fn heap_for_each ;
+this allows the user to specify additional arguments, if necessary, to
+the function pointed to by
+.Fa action .
+.\" The following requests should be uncommented and
+.\" used where appropriate. This next request is
+.\" for sections 2 and 3 function return values only.
+.Sh RETURN VALUES
+.Bl -tag -width "heap_decreased()"
+.It Fn heap_new
+.Dv NULL
+if unable to
+.Xr malloc 3
+a
+.Ft struct heap_context
+or if the
+.Fa higher_priority
+function pointer is
+.Dv NULL ;
+otherwise, a valid
+.Ft heap_context
+.Ns .
+.It Fn heap_free
+-1 if
+.Fa ctx
+is
+.Dv NULL
+(with
+.Va errno
+set to
+.Dv EINVAL ) ;
+otherwise, 0.
+.It Fn heap_insert
+-1
+if either
+.Fa ctx
+or
+.Fa elt
+is
+.Dv NULL ,
+or if an attempt to
+.Xr malloc 3
+or
+.Xr realloc 3
+the heap array fails (with
+.Va errno
+set to
+.Dv EINVAL
+or
+.Dv ENOMEM ,
+respectively).
+Otherwise, 0.
+.It Fn heap_delete
+-1 if
+.Fa ctx
+is
+.Dv NULL
+or
+.Fa i
+is out\-of\-range (with
+.Va errno
+set to
+.Dv EINVAL ) ;
+0 otherwise.
+.It Fn heap_increased
+As for
+.Fn heap_delete .
+.It Fn heap_decreased
+As for
+.Fn heap_delete .
+.It Fn heap_element
+NULL if
+.Fa ctx
+is
+.Dv NULL
+or
+.Fa i
+out\-of-bounds (with
+.Va errno
+set to
+.Dv EINVAL ) ;
+otherwise, a pointer to the
+.Fa i\- Ns th
+queue element.
+.It Fn heap_for_each
+-1 if either
+.Fa ctx
+or
+.Fa action
+is
+.Dv NULL
+(with
+.Va errno
+set to
+.Dv EINVAL ) ;
+0 otherwise.
+.El
+.\" This next request is for sections 1, 6, 7 & 8 only
+.\" .Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width "heap.h000"
+.It Pa heap.h
+ heap library header file
+.El
+.\" .Sh EXAMPLES
+.\" This next request is for sections 1, 6, 7 & 8 only
+.\" (command return values (to shell) and
+.\" fprintf/stderr type diagnostics)
+.Sh DIAGNOSTICS
+Please refer to
+.Sx RETURN VALUES .
+.\" The next request is for sections 2 and 3 error
+.\" and signal handling only.
+.Sh ERRORS
+The variable
+.Va errno
+is set by
+.Fn heap_free ,
+.Fn heap_insert ,
+.Fn heap_delete ,
+.Fn heap_increased ,
+and
+.Fn heap_decreased
+under the conditions of invalid input
+.Pq Dv EINVAL
+or lack of memory
+.Pq Dv ENOMEM ;
+please refer to
+.Sx RETURN VALUES .
+.Sh SEE ALSO
+.Xr malloc 3 ,
+.Xr realloc 3 .
+.Rs
+.%A Cormen
+.%A Leiserson
+.%A Rivest
+.%B Introduction to Algorithms
+.%Q "MIT Press / McGraw Hill"
+.%D 1990
+.%O ISBN 0\-262\-03141\-8
+.%P chapter 7
+.Re
+.Rs
+.%A Sedgewick
+.%B Algorithms, 2nd ed'n
+.%Q Addison\-Wesley
+.%D 1988
+.%O ISBN 0\-201\-06673\-4
+.%P chapter 11
+.Re
+.\" .Sh STANDARDS
+.\" .Sh HISTORY
+.Sh AUTHORS
+The
+.Nm heap
+library was implemented by Bob Halley (halley@vix.com) of Vixie Enterprises,
+Inc., for the Internet Software consortium, and was adapted from
+the two books listed in the
+.Sx SEE ALSO
+section, above.
+.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/hex.c b/contrib/bind9/lib/bind/isc/hex.c
new file mode 100644
index 0000000..c177ca0
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/hex.c
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2001 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <port_before.h>
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <isc/misc.h>
+#include <port_after.h>
+
+static const char hex[17] = "0123456789abcdef";
+
+int
+isc_gethexstring(unsigned char *buf, size_t len, int count, FILE *fp,
+ int *multiline)
+{
+ int c, n;
+ unsigned char x;
+ char *s;
+ int result = count;
+
+ x = 0; /* silence compiler */
+ n = 0;
+ while (count > 0) {
+ c = fgetc(fp);
+
+ if ((c == EOF) ||
+ (c == '\n' && !*multiline) ||
+ (c == '(' && *multiline) ||
+ (c == ')' && !*multiline))
+ goto formerr;
+ /* comment */
+ if (c == ';') {
+ while ((c = fgetc(fp)) != EOF && c != '\n')
+ /* empty */
+ if (c == '\n' && *multiline)
+ continue;
+ goto formerr;
+ }
+ /* white space */
+ if (c == ' ' || c == '\t' || c == '\n' || c == '\r')
+ continue;
+ /* multiline */
+ if ('(' == c || c == ')') {
+ *multiline = (c == '(' /*)*/);
+ continue;
+ }
+ if ((s = strchr(hex, tolower(c))) == NULL)
+ goto formerr;
+ x = (x<<4) | (s - hex);
+ if (++n == 2) {
+ if (len > 0U) {
+ *buf++ = x;
+ len--;
+ } else
+ result = -1;
+ count--;
+ n = 0;
+ }
+ }
+ return (result);
+
+ formerr:
+ if (c == '\n')
+ ungetc(c, fp);
+ return (-1);
+}
+
+void
+isc_puthexstring(FILE *fp, const unsigned char *buf, size_t buflen,
+ size_t len1, size_t len2, const char *sep)
+{
+ size_t i = 0;
+
+ if (len1 < 4U)
+ len1 = 4;
+ if (len2 < 4U)
+ len2 = 4;
+ while (buflen > 0U) {
+ fputc(hex[(buf[0]>>4)&0xf], fp);
+ fputc(hex[buf[0]&0xf], fp);
+ i += 2;
+ buflen--;
+ buf++;
+ if (i >= len1 && sep != NULL) {
+ fputs(sep, fp);
+ i = 0;
+ len1 = len2;
+ }
+ }
+}
+
+void
+isc_tohex(const unsigned char *buf, size_t buflen, char *t) {
+ while (buflen > 0U) {
+ *t++ = hex[(buf[0]>>4)&0xf];
+ *t++ = hex[buf[0]&0xf];
+ buf++;
+ buflen--;
+ }
+ *t = '\0';
+}
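Review bot: In isc_gethexstring the comment-skipping loop `while ((c = fgetc(fp)) != EOF && c != '\n')` has no statement of its own, since `/* empty */` is only a comment. The following `if (c == '\n' && *multiline) continue;` therefore becomes the loop body and can never fire, and the `goto formerr` after it runs for every `;` comment, including one inside a multiline group. Ending the loop with `/* empty */;` restores the apparent intent. The digit lookup also accepts a NUL byte, because `strchr(hex, 0)` returns the terminator at offset 16 and that value is ORed into `x`; reject it first with `if (c == '\0' || (s = strchr(hex, tolower(c))) == NULL) goto formerr;`.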
diff --git a/contrib/bind9/lib/bind/isc/logging.c b/contrib/bind9/lib/bind/isc/logging.c
new file mode 100644
index 0000000..d4c7be2
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/logging.c
@@ -0,0 +1,720 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: logging.c,v 1.3.2.1.4.2 2004/03/17 01:49:42 marka Exp $";
+#endif /* not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <errno.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/assertions.h>
+#include <isc/logging.h>
+#include <isc/memcluster.h>
+#include <isc/misc.h>
+
+#include "port_after.h"
+
+#ifdef VSPRINTF_CHAR
+# define VSPRINTF(x) strlen(vsprintf/**/x)
+#else
+# define VSPRINTF(x) ((size_t)vsprintf x)
+#endif
+
+#include "logging_p.h"
+
+static const int syslog_priority[] = { LOG_DEBUG, LOG_INFO, LOG_NOTICE,
+ LOG_WARNING, LOG_ERR, LOG_CRIT };
+
+static const char *months[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };
+
+static const char *level_text[] = {
+ "info: ", "notice: ", "warning: ", "error: ", "critical: "
+};
+
+static void
+version_rename(log_channel chan) {
+ unsigned int ver;
+ char old_name[PATH_MAX+1];
+ char new_name[PATH_MAX+1];
+
+ ver = chan->out.file.versions;
+ if (ver < 1)
+ return;
+ if (ver > LOG_MAX_VERSIONS)
+ ver = LOG_MAX_VERSIONS;
+ /*
+ * Need to have room for '.nn' (XXX assumes LOG_MAX_VERSIONS < 100)
+ */
+ if (strlen(chan->out.file.name) > (size_t)(PATH_MAX-3))
+ return;
+ for (ver--; ver > 0; ver--) {
+ sprintf(old_name, "%s.%d", chan->out.file.name, ver-1);
+ sprintf(new_name, "%s.%d", chan->out.file.name, ver);
+ (void)isc_movefile(old_name, new_name);
+ }
+ sprintf(new_name, "%s.0", chan->out.file.name);
+ (void)isc_movefile(chan->out.file.name, new_name);
+}
+
+FILE *
+log_open_stream(log_channel chan) {
+ FILE *stream;
+ int fd, flags;
+ struct stat sb;
+ int regular;
+
+ if (chan == NULL || chan->type != log_file) {
+ errno = EINVAL;
+ return (NULL);
+ }
+
+ /*
+ * Don't open already open streams
+ */
+ if (chan->out.file.stream != NULL)
+ return (chan->out.file.stream);
+
+ if (stat(chan->out.file.name, &sb) < 0) {
+ if (errno != ENOENT) {
+ syslog(LOG_ERR,
+ "log_open_stream: stat of %s failed: %s",
+ chan->out.file.name, strerror(errno));
+ chan->flags |= LOG_CHANNEL_BROKEN;
+ return (NULL);
+ }
+ regular = 1;
+ } else
+ regular = (sb.st_mode & S_IFREG);
+
+ if (chan->out.file.versions) {
+ if (!regular) {
+ syslog(LOG_ERR,
+ "log_open_stream: want versions but %s isn't a regular file",
+ chan->out.file.name);
+ chan->flags |= LOG_CHANNEL_BROKEN;
+ errno = EINVAL;
+ return (NULL);
+ }
+ }
+
+ flags = O_WRONLY|O_CREAT|O_APPEND;
+
+ if ((chan->flags & LOG_TRUNCATE) != 0) {
+ if (regular) {
+ (void)unlink(chan->out.file.name);
+ flags |= O_EXCL;
+ } else {
+ syslog(LOG_ERR,
+ "log_open_stream: want truncation but %s isn't a regular file",
+ chan->out.file.name);
+ chan->flags |= LOG_CHANNEL_BROKEN;
+ errno = EINVAL;
+ return (NULL);
+ }
+ }
+
+ fd = open(chan->out.file.name, flags,
+ S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH);
+ if (fd < 0) {
+ syslog(LOG_ERR, "log_open_stream: open(%s) failed: %s",
+ chan->out.file.name, strerror(errno));
+ chan->flags |= LOG_CHANNEL_BROKEN;
+ return (NULL);
+ }
+ stream = fdopen(fd, "a");
+ if (stream == NULL) {
+ syslog(LOG_ERR, "log_open_stream: fdopen() failed");
+ chan->flags |= LOG_CHANNEL_BROKEN;
+ return (NULL);
+ }
+ (void) fchown(fd, chan->out.file.owner, chan->out.file.group);
+
+ chan->out.file.stream = stream;
+ return (stream);
+}
+
+int
+log_close_stream(log_channel chan) {
+ FILE *stream;
+
+ if (chan == NULL || chan->type != log_file) {
+ errno = EINVAL;
+ return (0);
+ }
+ stream = chan->out.file.stream;
+ chan->out.file.stream = NULL;
+ if (stream != NULL && fclose(stream) == EOF)
+ return (-1);
+ return (0);
+}
+
+void
+log_close_debug_channels(log_context lc) {
+ log_channel_list lcl;
+ int i;
+
+ for (i = 0; i < lc->num_categories; i++)
+ for (lcl = lc->categories[i]; lcl != NULL; lcl = lcl->next)
+ if (lcl->channel->type == log_file &&
+ lcl->channel->out.file.stream != NULL &&
+ lcl->channel->flags & LOG_REQUIRE_DEBUG)
+ (void)log_close_stream(lcl->channel);
+}
+
+FILE *
+log_get_stream(log_channel chan) {
+ if (chan == NULL || chan->type != log_file) {
+ errno = EINVAL;
+ return (NULL);
+ }
+ return (chan->out.file.stream);
+}
+
+char *
+log_get_filename(log_channel chan) {
+ if (chan == NULL || chan->type != log_file) {
+ errno = EINVAL;
+ return (NULL);
+ }
+ return (chan->out.file.name);
+}
+
+int
+log_check_channel(log_context lc, int level, log_channel chan) {
+ int debugging, chan_level;
+
+ REQUIRE(lc != NULL);
+
+ debugging = ((lc->flags & LOG_OPTION_DEBUG) != 0);
+
+ /*
+ * If not debugging, short circuit debugging messages very early.
+ */
+ if (level > 0 && !debugging)
+ return (0);
+
+ if ((chan->flags & (LOG_CHANNEL_BROKEN|LOG_CHANNEL_OFF)) != 0)
+ return (0);
+
+ /* Some channels only log when debugging is on. */
+ if ((chan->flags & LOG_REQUIRE_DEBUG) && !debugging)
+ return (0);
+
+ /* Some channels use the global level. */
+ if ((chan->flags & LOG_USE_CONTEXT_LEVEL) != 0) {
+ chan_level = lc->level;
+ } else
+ chan_level = chan->level;
+
+ if (level > chan_level)
+ return (0);
+
+ return (1);
+}
+
+int
+log_check(log_context lc, int category, int level) {
+ log_channel_list lcl;
+ int debugging;
+
+ REQUIRE(lc != NULL);
+
+ debugging = ((lc->flags & LOG_OPTION_DEBUG) != 0);
+
+ /*
+ * If not debugging, short circuit debugging messages very early.
+ */
+ if (level > 0 && !debugging)
+ return (0);
+
+ if (category < 0 || category > lc->num_categories)
+ category = 0; /* use default */
+ lcl = lc->categories[category];
+ if (lcl == NULL) {
+ category = 0;
+ lcl = lc->categories[0];
+ }
+
+ for ( /* nothing */; lcl != NULL; lcl = lcl->next) {
+ if (log_check_channel(lc, level, lcl->channel))
+ return (1);
+ }
+ return (0);
+}
+
+void
+log_vwrite(log_context lc, int category, int level, const char *format,
+ va_list args) {
+ log_channel_list lcl;
+ int pri, debugging, did_vsprintf = 0;
+ int original_category;
+ FILE *stream;
+ log_channel chan;
+ struct timeval tv;
+ struct tm *local_tm;
+#ifdef HAVE_TIME_R
+ struct tm tm_tmp;
+#endif
+ time_t tt;
+ const char *category_name;
+ const char *level_str;
+ char time_buf[256];
+ char level_buf[256];
+
+ REQUIRE(lc != NULL);
+
+ debugging = (lc->flags & LOG_OPTION_DEBUG);
+
+ /*
+ * If not debugging, short circuit debugging messages very early.
+ */
+ if (level > 0 && !debugging)
+ return;
+
+ if (category < 0 || category > lc->num_categories)
+ category = 0; /* use default */
+ original_category = category;
+ lcl = lc->categories[category];
+ if (lcl == NULL) {
+ category = 0;
+ lcl = lc->categories[0];
+ }
+
+ /*
+ * Get the current time and format it.
+ */
+ time_buf[0]='\0';
+ if (gettimeofday(&tv, NULL) < 0) {
+ syslog(LOG_INFO, "gettimeofday failed in log_vwrite()");
+ } else {
+ tt = tv.tv_sec;
+#ifdef HAVE_TIME_R
+ local_tm = localtime_r(&tt, &tm_tmp);
+#else
+ local_tm = localtime(&tt);
+#endif
+ if (local_tm != NULL) {
+ sprintf(time_buf, "%02d-%s-%4d %02d:%02d:%02d.%03ld ",
+ local_tm->tm_mday, months[local_tm->tm_mon],
+ local_tm->tm_year+1900, local_tm->tm_hour,
+ local_tm->tm_min, local_tm->tm_sec,
+ (long)tv.tv_usec/1000);
+ }
+ }
+
+ /*
+ * Make a string representation of the current category and level
+ */
+
+ if (lc->category_names != NULL &&
+ lc->category_names[original_category] != NULL)
+ category_name = lc->category_names[original_category];
+ else
+ category_name = "";
+
+ if (level >= log_critical) {
+ if (level >= 0) {
+ sprintf(level_buf, "debug %d: ", level);
+ level_str = level_buf;
+ } else
+ level_str = level_text[-level-1];
+ } else {
+ sprintf(level_buf, "level %d: ", level);
+ level_str = level_buf;
+ }
+
+ /*
+ * Write the message to channels.
+ */
+ for ( /* nothing */; lcl != NULL; lcl = lcl->next) {
+ chan = lcl->channel;
+
+ if (!log_check_channel(lc, level, chan))
+ continue;
+
+ if (!did_vsprintf) {
+ if (VSPRINTF((lc->buffer, format, args)) >
+ (size_t)LOG_BUFFER_SIZE) {
+ syslog(LOG_CRIT,
+ "memory overrun in log_vwrite()");
+ exit(1);
+ }
+ did_vsprintf = 1;
+ }
+
+ switch (chan->type) {
+ case log_syslog:
+ if (level >= log_critical)
+ pri = (level >= 0) ? 0 : -level;
+ else
+ pri = -log_critical;
+ syslog(chan->out.facility|syslog_priority[pri],
+ "%s%s%s%s",
+ (chan->flags & LOG_TIMESTAMP) ? time_buf : "",
+ (chan->flags & LOG_PRINT_CATEGORY) ?
+ category_name : "",
+ (chan->flags & LOG_PRINT_LEVEL) ?
+ level_str : "",
+ lc->buffer);
+ break;
+ case log_file:
+ stream = chan->out.file.stream;
+ if (stream == NULL) {
+ stream = log_open_stream(chan);
+ if (stream == NULL)
+ break;
+ }
+ if (chan->out.file.max_size != ULONG_MAX) {
+ long pos;
+
+ pos = ftell(stream);
+ if (pos >= 0 &&
+ (unsigned long)pos >
+ chan->out.file.max_size) {
+ /*
+ * try to roll over the log files,
+ * ignoring all all return codes
+ * except the open (we don't want
+ * to write any more anyway)
+ */
+ log_close_stream(chan);
+ version_rename(chan);
+ stream = log_open_stream(chan);
+ if (stream == NULL)
+ break;
+ }
+ }
+ fprintf(stream, "%s%s%s%s\n",
+ (chan->flags & LOG_TIMESTAMP) ? time_buf : "",
+ (chan->flags & LOG_PRINT_CATEGORY) ?
+ category_name : "",
+ (chan->flags & LOG_PRINT_LEVEL) ?
+ level_str : "",
+ lc->buffer);
+ fflush(stream);
+ break;
+ case log_null:
+ break;
+ default:
+ syslog(LOG_ERR,
+ "unknown channel type in log_vwrite()");
+ }
+ }
+}
+
+void
+log_write(log_context lc, int category, int level, const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ log_vwrite(lc, category, level, format, args);
+ va_end(args);
+}
+
+/*
+ * Functions to create, set, or destroy contexts
+ */
+
+int
+log_new_context(int num_categories, char **category_names, log_context *lc) {
+ log_context nlc;
+
+ nlc = memget(sizeof (struct log_context));
+ if (nlc == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ nlc->num_categories = num_categories;
+ nlc->category_names = category_names;
+ nlc->categories = memget(num_categories * sizeof (log_channel_list));
+ if (nlc->categories == NULL) {
+ memput(nlc, sizeof (struct log_context));
+ errno = ENOMEM;
+ return (-1);
+ }
+ memset(nlc->categories, '\0',
+ num_categories * sizeof (log_channel_list));
+ nlc->flags = 0U;
+ nlc->level = 0;
+ *lc = nlc;
+ return (0);
+}
+
+void
+log_free_context(log_context lc) {
+ log_channel_list lcl, lcl_next;
+ log_channel chan;
+ int i;
+
+ REQUIRE(lc != NULL);
+
+ for (i = 0; i < lc->num_categories; i++)
+ for (lcl = lc->categories[i]; lcl != NULL; lcl = lcl_next) {
+ lcl_next = lcl->next;
+ chan = lcl->channel;
+ (void)log_free_channel(chan);
+ memput(lcl, sizeof (struct log_channel_list));
+ }
+ memput(lc->categories,
+ lc->num_categories * sizeof (log_channel_list));
+ memput(lc, sizeof (struct log_context));
+}
+
+int
+log_add_channel(log_context lc, int category, log_channel chan) {
+ log_channel_list lcl;
+
+ if (lc == NULL || category < 0 || category >= lc->num_categories) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ lcl = memget(sizeof (struct log_channel_list));
+ if (lcl == NULL) {
+ errno = ENOMEM;
+ return(-1);
+ }
+ lcl->channel = chan;
+ lcl->next = lc->categories[category];
+ lc->categories[category] = lcl;
+ chan->references++;
+ return (0);
+}
+
+int
+log_remove_channel(log_context lc, int category, log_channel chan) {
+ log_channel_list lcl, prev_lcl, next_lcl;
+ int found = 0;
+
+ if (lc == NULL || category < 0 || category >= lc->num_categories) {
+ errno = EINVAL;
+ return (-1);
+ }
+
+ for (prev_lcl = NULL, lcl = lc->categories[category];
+ lcl != NULL;
+ lcl = next_lcl) {
+ next_lcl = lcl->next;
+ if (lcl->channel == chan) {
+ log_free_channel(chan);
+ if (prev_lcl != NULL)
+ prev_lcl->next = next_lcl;
+ else
+ lc->categories[category] = next_lcl;
+ memput(lcl, sizeof (struct log_channel_list));
+ /*
+ * We just set found instead of returning because
+ * the channel might be on the list more than once.
+ */
+ found = 1;
+ } else
+ prev_lcl = lcl;
+ }
+ if (!found) {
+ errno = ENOENT;
+ return (-1);
+ }
+ return (0);
+}
+
+int
+log_option(log_context lc, int option, int value) {
+ if (lc == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ switch (option) {
+ case LOG_OPTION_DEBUG:
+ if (value)
+ lc->flags |= option;
+ else
+ lc->flags &= ~option;
+ break;
+ case LOG_OPTION_LEVEL:
+ lc->level = value;
+ break;
+ default:
+ errno = EINVAL;
+ return (-1);
+ }
+ return (0);
+}
+
+int
+log_category_is_active(log_context lc, int category) {
+ if (lc == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (category >= 0 && category < lc->num_categories &&
+ lc->categories[category] != NULL)
+ return (1);
+ return (0);
+}
+
+log_channel
+log_new_syslog_channel(unsigned int flags, int level, int facility) {
+ log_channel chan;
+
+ chan = memget(sizeof (struct log_channel));
+ if (chan == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ chan->type = log_syslog;
+ chan->flags = flags;
+ chan->level = level;
+ chan->out.facility = facility;
+ chan->references = 0;
+ return (chan);
+}
+
+log_channel
+log_new_file_channel(unsigned int flags, int level,
+ const char *name, FILE *stream, unsigned int versions,
+ unsigned long max_size) {
+ log_channel chan;
+
+ chan = memget(sizeof (struct log_channel));
+ if (chan == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ chan->type = log_file;
+ chan->flags = flags;
+ chan->level = level;
+ if (name != NULL) {
+ size_t len;
+
+ len = strlen(name);
+ /*
+ * Quantize length to a multiple of 256. There's space for the
+ * NUL, since if len is a multiple of 256, the size chosen will
+ * be the next multiple.
+ */
+ chan->out.file.name_size = ((len / 256) + 1) * 256;
+ chan->out.file.name = memget(chan->out.file.name_size);
+ if (chan->out.file.name == NULL) {
+ memput(chan, sizeof (struct log_channel));
+ errno = ENOMEM;
+ return (NULL);
+ }
+ /* This is safe. */
+ strcpy(chan->out.file.name, name);
+ } else {
+ chan->out.file.name_size = 0;
+ chan->out.file.name = NULL;
+ }
+ chan->out.file.stream = stream;
+ chan->out.file.versions = versions;
+ chan->out.file.max_size = max_size;
+ chan->out.file.owner = getuid();
+ chan->out.file.group = getgid();
+ chan->references = 0;
+ return (chan);
+}
+
+int
+log_set_file_owner(log_channel chan, uid_t owner, gid_t group) {
+ if (chan->type != log_file) {
+ errno = EBADF;
+ return (-1);
+ }
+ chan->out.file.owner = owner;
+ chan->out.file.group = group;
+ return (0);
+}
+
+log_channel
+log_new_null_channel() {
+ log_channel chan;
+
+ chan = memget(sizeof (struct log_channel));
+ if (chan == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ chan->type = log_null;
+ chan->flags = LOG_CHANNEL_OFF;
+ chan->level = log_info;
+ chan->references = 0;
+ return (chan);
+}
+
+int
+log_inc_references(log_channel chan) {
+ if (chan == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ chan->references++;
+ return (0);
+}
+
+int
+log_dec_references(log_channel chan) {
+ if (chan == NULL || chan->references <= 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ chan->references--;
+ return (0);
+}
+
+log_channel_type
+log_get_channel_type(log_channel chan) {
+ REQUIRE(chan != NULL);
+
+ return (chan->type);
+}
+
+int
+log_free_channel(log_channel chan) {
+ if (chan == NULL || chan->references <= 0) {
+ errno = EINVAL;
+ return (-1);
+ }
+ chan->references--;
+ if (chan->references == 0) {
+ if (chan->type == log_file) {
+ if ((chan->flags & LOG_CLOSE_STREAM) &&
+ chan->out.file.stream != NULL)
+ (void)fclose(chan->out.file.stream);
+ if (chan->out.file.name != NULL)
+ memput(chan->out.file.name,
+ chan->out.file.name_size);
+ }
+ memput(chan, sizeof (struct log_channel));
+ }
+ return (0);
+}
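Review bot: log_vwrite formats into `lc->buffer` with an unbounded vsprintf (through the `VSPRINTF` macro) and only afterwards compares the length with `LOG_BUFFER_SIZE`, so memory past the buffer has already been overwritten by the time the "memory overrun" branch calls exit(1). The write should be bounded instead, e.g. `(void)vsnprintf(lc->buffer, LOG_BUFFER_SIZE, format, args);`, assuming the buffer declared in logging_p.h (not shown in this hunk) holds at least LOG_BUFFER_SIZE bytes; over-long messages are then truncated rather than fatal. log_vwrite and log_check also let `category == lc->num_categories` through, indexing one past the `categories` array that log_new_context allocates with `num_categories` entries. That test should be `category >= lc->num_categories`, as log_add_channel already does.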
diff --git a/contrib/bind9/lib/bind/isc/logging.mdoc b/contrib/bind9/lib/bind/isc/logging.mdoc
new file mode 100644
index 0000000..fc6351f
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/logging.mdoc
@@ -0,0 +1,1056 @@
+.\" $Id: logging.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1995-1999 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following six UNCOMMENTED lines are required.
+.Dd January 1, 1996
+.\"Os OPERATING_SYSTEM [version/release]
+.Os BSD 4
+.\"Dt DOCUMENT_TITLE [section number] [volume]
+.Dt LOGGING @SYSCALL_EXT@
+.Sh NAME
+.Nm log_open_stream ,
+.Nm log_close_stream ,
+.Nm log_get_stream ,
+.Nm log_get_filename ,
+.Nm log_vwrite ,
+.Nm log_write ,
+.Nm log_new_context ,
+.Nm log_free_context ,
+.Nm log_add_channel ,
+.Nm log_remove_channel ,
+.Nm log_option ,
+.Nm log_category_is_active ,
+.Nm log_new_syslog_channel ,
+.Nm log_new_file_channel ,
+.Nm log_set_file_owner ,
+.Nm log_new_null_channel ,
+.Nm log_inc_references ,
+.Nm log_dec_references ,
+.Nm log_free_channel
+.Nd logging system
+.Sh SYNOPSIS
+.Fd #include <isc/logging.h>
+.Ft FILE *
+.Fn log_open_stream "log_channel chan"
+.Ft int
+.Fn log_close_stream "log_channel chan"
+.Ft FILE *
+.Fn log_get_stream "log_channel chan"
+.Ft char *
+.Fn log_get_filename "log_channel chan"
+.Ft void
+.Fn log_vwrite "log_context lc" "int category" "int level" \
+ "const char *format" va_list args"
+.Ft void
+.Fn log_write "log_context lc" "int category" "int level" \
+ "const char *format" "..."
+.Ft int
+.Fn log_check_channel "log_context lc" "int level" "log_channel chan"
+.Ft int
+.Fn log_check "log_context lc" "int category" "int level"
+.Ft int
+.Fn log_new_context "int num_categories" "char **category_names" \
+ "log_context *lc"
+.Ft void
+.Fn log_free_context "log_context lc"
+.Ft int
+.Fn log_add_channel "log_context lc" "int category" "log_channel chan"
+.Ft int
+.Fn log_remove_channel "log_context lc" "int category" "log_channel chan"
+.Ft int
+.Fn log_option "log_context lc" "int option" "int value"
+.Ft int
+.Fn log_category_is_active "log_context lc" "int category"
+.Ft log_channel
+.Fn log_new_syslog_channel "unsigned int flags" "int level" "int facility"
+.Ft log_channel
+.Fn log_new_file_channel "unsigned int flags" "int level" \
+ "char *name" "FILE *stream" "unsigned int versions" \
+ "unsigned long max_size"
+.Ft int
+.Fn log_set_file_owner "log_channel chan" "uid_t owner" "gid_t group"
+.Ft log_channel
+.Fn log_new_null_channel "void"
+.Ft int
+.Fn log_inc_references "log_channel chan"
+.Ft int
+.Fn log_dec_references "log_channel chan"
+.Ft int
+.Fn log_free_channel "log_channel chan"
+.Sh DESCRIPTION
+The
+.Sy ISC
+.Nm logging library
+is flexible logging system which is based upon a set of concepts:
+.Nm logging channels ,
+.Nm categories ,
+and
+.Nm logging contexts .
+.Pp
+The basic building block is the
+.Dq Nm logging channel ,
+which includes a
+.Nm priority
+(logging level), which type of logging is to occur, and other
+flags and information associated with technical aspects of the logging.
+The set of priorities which are supported is shown below, in the section
+.Sx Message Priorities .
+A priority sets a threshold for message logging; a logging channel will
+.Em only
+log those messages which are
+.Em at least as important
+as its priority indicates. (The fact that
+.Dq more important
+means
+.Dq more negative ,
+under the current scheme, is an implementation detail; if a channel has
+a priority of
+.Dv log_error ,
+then it will
+.Em not
+log messages with the
+.Dv log_warning
+priority, but it
+.Em will
+log messages with the
+.Dv log_error
+or
+.Dv log_critical
+priority.)
+.Pp
+The
+.Nm logging channel
+also has an indication of the type of logging performed. Currently,
+the supported
+.Nm logging types
+include (see also
+.Sx Logging Types ,
+below):
+.Bl -tag -width "log_syslog" -compact -offset indent
+.It Dv log_syslog
+for
+.Xr syslog 3 Ns -style
+logging
+.It Dv log_file
+for use of a file
+.It Dv log_null
+for
+.Em no
+logging
+.El
+A new logging channel is created by calling either
+.Fn log_new_syslog_channel ,
+.Fn log_new_file_channel ,
+or
+.Fn log_new_null_channel ,
+respectively.
+When a channel is no longer to be used, it can be freed using
+.Fn log_free_channel .
+.Pp
+Both
+.Dv log_syslog
+and
+.Dv log_file
+channel types can include more information; for instance, a
+.Dv log_syslog Ns -type
+channel allows the specification of a
+.Xr syslog 3 Ns -style
+.Dq facility ,
+and a
+.Dv log_file Ns -type
+channels allows the caller to set a maximum file size and number
+of versions. (See
+.Fn log_new_syslog_channel
+or
+.Fn log_new_file_channel ,
+below.)
+Additionally, once a logging channel of type
+.Dv log_file
+is defined, the functions
+.Fn log_open_stream
+and
+.Fn log_close_stream
+can open or close the stream associated with the logging channel's logging
+filename. The
+.Fn log_get_stream
+and
+.Fn log_get_filename
+functions return the stream or filename, respectively, of such a logging
+channel. Also unique to logging channels of type
+.Dv log_file
+is the
+.Fn log_set_file_owner
+function, which tells the logging system what user and group ought to own
+newly created files (which is only effective if the caller is privileged.)
+.Pp
+Callers provide
+.Dq Nm categories ,
+determining both the number of such categories and any (optional) names.
+Categories are like array indexes in C; if the caller declares
+.Dq Va n
+categories, then they are considered to run from 0 to
+.Va n-1 ;
+with this scheme, a category number would be invalid if it were negative or
+greater than/equal to
+.Va n .
+Each category can have its own list of
+.Nm logging channels
+associated with it; we say that such a channel is
+.Dq in
+the particular category.
+.Sy NOTE :
+Individual logging channels can appear in more than one category.
+.Pp
+A
+.Dq Nm logging context
+is the set of all
+.Nm logging channels
+associated with the context's
+.Nm categories ;
+thus, a particular
+.Nm category
+scheme is associated with a particular
+.Nm logging context .
+.Sy NOTE :
+A logging channel may appear in more than one logging context, and in
+multiple categories within each logging context.
+.Pp
+Use
+.Fn log_add_channel
+and
+.Fn log_remove_channel
+to add or remove a logging channel to some category in a logging context.
+To see if a given category in a logging context is being used, use the
+Boolean test
+.Fn log_category_is_active .
+.Pp
+A
+.Nm logging context
+can also have a
+.Nm priority
+(logging level)
+and various flags associated with the whole context; in order to alter the
+flags or change the priority of a context, use
+.Fn log_option .
+.Ss Message Priorities
+Currently, five
+.Nm priorities
+(logging levels) are supported (they can also be found in the header file):
+.Bd -literal -offset indent
+#define log_critical (-5)
+#define log_error (-4)
+#define log_warning (-3)
+#define log_notice (-2)
+#define log_info (-1)
+.Ed
+.Pp
+In the current implementation, logging messages which have a level greater
+than 0 are considered to be debugging messages.
+.Ss Logging Types
+The three different
+.Nm logging types
+currently supported are different values of the enumerated type
+.Ft log_output_type
+(these are also listed in the header file):
+.Bd -literal -offset indent
+typedef enum { log_syslog, log_file, log_null } log_output_type;
+.Ed
+.Ss Logging Channel Flags
+There are several flags which can be set on a logging channel; the flags
+and their meanings are as follows (they are also found in the header file):
+.Bl -tag -width "LOG_USE_CONTEXT_LEVEL " -offset indent
+.It Dv LOG_CHANNEL_BROKEN
+This is set only when some portion of
+.Fn log_open_stream
+fails:
+.Xr open 2
+or
+.Xr fdopen 3
+fail;
+.Xr stat 2
+fails in a
+.Dq bad
+way; versioning or truncation is requested on a non-normal file.
+.It Dv LOG_CHANNEL_OFF
+This is set for channels opened by
+.Fn log_new_null_channel .
+.It Dv LOG_CLOSE_STREAM
+If this flag is set, then
+.Fn log_free_channel
+will free a
+.No non- Dv NULL
+stream of a logging channel which is being
+.Xr free 3 Ns -d
+(if the logging channel is of type
+.Dv log_file ,
+of course).
+.It Dv LOG_PRINT_CATEGORY
+If set,
+.Fn log_vwrite
+will insert the category name, if available, into logging messages which are
+logged to channels of type
+.Dv log_syslog
+or
+.Dv log_file .
+.It Dv LOG_PRINT_LEVEL
+If set,
+.Fn log_vwrite
+will insert a string identifying the message priority level into the
+information logged to channels of type
+.Dv log_syslog
+or
+.Dv log_file .
+.It Dv LOG_REQUIRE_DEBUG
+Only log debugging messages (i.e., those with a priority greater than zero).
+.It Dv LOG_TIMESTAMP
+If set,
+.Fn log_vwrite
+will insert a timestamp into logging messages which are logged to channels of
+type
+.Dv log_syslog
+or
+.Dv log_file .
+.It Dv LOG_TRUNCATE
+Truncate logging file when re-opened
+.Fn ( log_open_stream
+will
+.Xr unlink 2
+the file and then
+.Xr open 2
+a new file of the same name with the
+.Dv O_EXCL
+bit set).
+.It Dv LOG_USE_CONTEXT_LEVEL
+Use the logging context's priority or logging level, rather than the logging
+channel's own priority. This can be useful for those channels which are
+included in multiple logging contexts.
+.El
+.Ss FUNCTION DESCRIPTIONS
+The function
+.Fn log_open_stream
+is for use with channels which log to a file; i.e., logging channels with a
+.Va type
+field set to
+.Dq Dv log_file .
+If the logging channel pointed to by
+.Dq Fa chan
+is valid, it attempts to open (and return) the stream associated with that
+channel. If the stream is already opened, then it is returned; otherwise,
+.Xr stat 2
+is used to test the filename for the stream.
+.Pp
+At this point, if the logging file is supposed to have different
+.Va versions
+(i.e., incremented version numbers; higher numbers indicate older versions
+of the logging file). If so, then any existing versions are
+.Xr rename 2 Ns -d
+to have one version-number higher than previously, and the
+.Dq current
+filename for the stream is set to the
+.Dq \&.0
+form of the name. Next, if the logging file is supposed to be truncated
+(i.e., the
+.Dv LOG_TRUNCATE
+bit of the
+.Va flags
+field of the logging channel structure is set), then any file with the
+.Dq current
+filename for the stream is
+.Xr unlink 2 Ns -d .
+.Sy NOTE :
+If the logging file is
+.Em not
+a regular file, and either of the above operations (version numbering
+or truncation) is supposed to take place, a
+.Dv NULL
+file pointer is returned.
+.Pp
+Finally, the filename associated with the logging channel is
+.Xr open 2 Ns -d
+using the appropriate flags and a mode which sets the read/write permissions
+for the user, group, and others. The file descriptor returned by
+.Xr open 2
+is then passed to
+.Xr fopen 3 ,
+with the append mode set, and the stream returned by this call is stored
+in the
+.Fa chan
+structure and returned.
+.Pp
+If
+.Fn log_open_stream
+fails at any point, then the
+.Dv LOG_CHANNEL_BROKEN
+bit of the
+.Va flags
+field of the logging channel pointed to by
+.Fa chan
+is set, a
+.Dv NULL
+is returned, and
+.Va errno
+contains pertinent information.
+.Pp
+The
+.Fn log_close_stream
+function closes the stream associated with the logging channel pointed to by
+.Dq Fa chan
+(if
+.Fa chan
+is valid and the stream exists and can be closed properly by
+.Xr fclose 3 ) .
+The stream is set to
+.Dv NULL
+even if the call to
+.Xr fclose 3
+fails.
+.Pp
+The function
+.Fn log_get_stream
+returns the stream associated with the logging channel pointed to by
+.Dq Fa chan ,
+if it is
+.No non- Ns Dv NULL
+and specifies a logging channel which has a
+.Dv FILE *
+or stream associated with it.
+.Pp
+The
+.Fn log_get_filename
+function returns the name of the file associated with the logging channel
+pointed to by
+.Dq Fa chan ,
+if it is
+.No non- Ns Dv NULL
+and specifies a logging channel which has a file associated with it.
+.Pp
+The
+.Fn log_vwrite
+function performs the actual logging of a message to the various logging
+channels of a logging context
+.Fa lc .
+The message consists of an
+.Xr fprint 3 Ns -style
+.Fa format
+and its associated
+.Fa args
+(if any); it will be written to all logging channels in the given
+.Fa category
+which have a priority set to
+.Fa level
+or any
+.Em less important
+priority value. If the
+.Fa category
+is not valid or has no logging channels, then the category defaults to 0.
+.Pp
+There are a number of conditions under which a call to
+.Fn log_vwrite
+will not result in actually logging the message: if there is no logging channel
+at even the default category (0), or if a given channel is either
+.Dq broken
+or
+.Dq off
+(i.e., its flags have
+.Dv LOG_CHANNEL_BROKEN
+or
+.Dv LOG_CHANNEL_OFF
+set, respectively), or if the logging channel channel is of type
+.Dv log_null .
+Additionally, if the logging channel's flag has
+.Dv LOG_REQUIRE_DEBUG
+set and the message is not a debugging message (i.e., has a level greater
+than 0), then it will not be logged.
+Finally, if the message's priority is less important than the
+channel's logging level (the priority threshold), will not be logged.
+.Sy NOTE :
+If a logging channel's flag has
+.Dv LOG_USE_CONTEXT_LEVEL
+set, it will use the logging context's priority, rather than its own.
+.Pp
+If all of these hurdles are passed, then only
+.Dv log_syslog
+and
+.Dv log_file
+channels actually can have logging. For channels which use
+.Xr syslog 3 ,
+the channel's
+.Xr syslog 3
+facility is used in conjunction with a potentially modified form of the
+message's priority level, since
+.Xr syslog 3
+has its own system of priorities
+.Pq Pa /usr/include/syslog.h .
+All debug messages (priority >= 0) are mapped to
+.Xr syslog 3 Ns 's
+.Dv LOG_DEBUG
+priority, all messages
+.Dq more important
+than
+.Dv log_critical
+are mapped to
+.Dv LOG_CRIT ,
+and the priorities corresponding to the ones listed in the section
+.Sx Message Priorities
+are given the obvious corresponding
+.Xr syslog 3
+priority.
+.Pp
+For
+.Dv log_file
+type logging channels, if the file size is greater than the maximum file
+size, then no logging occurs. (The same thing happens if a
+.Dv NULL
+stream is encountered and
+.Fn log_open_stream
+fails to open the channel's stream.)
+.Pp
+For both logging to normal files and logging via
+.Xr syslog 3 ,
+the value of the flags
+.Dv LOG_TIMESTAMP ,
+.Dv LOG_PRINT_CATEGORY ,
+and
+.Dv LOG_PRINT_LEVEL
+are used in determining whether or not these items are included in the logged
+information.
+.Pp
+The
+.Fn log_write
+function is merely a front-end to a call to
+.Fn log_vwrite ;
+see the description of that function, above, for more information.
+.Pp
+.Fn log_check
+and
+.Fn log_check_channel
+are used to see if a contemplated logging call will actually generate any
+output, which is useful when creating a log message involves non-trivial
+work.
+.Fn log_check
+will return non-zero if a call to
+.Fn log_vwrite
+with the given
+.Fa category
+and
+.Fa level
+would generate output on any channels, and zero otherwise.
+.Fn log_check_channel
+will return non-zero if writing to the
+.Fa chan
+at the given
+.Fa level
+would generate output.
+.Pp
+The function
+.Fn log_new_context
+creates a new
+.Nm logging context ,
+and stores this in the
+.Dq Va opaque
+field of the argument
+.Dq Fa lc ,
+and opaque structure used internally. This new
+.Nm context
+will include the
+.Dq Fa num_categories
+and
+.Dq Fa category_names
+which are supplied; the latter can be
+.Dv NULL .
+.Sy NOTE :
+Since
+.Dq Fa category_names
+is used directly, it
+.Em must not
+be freed by the caller, if it is
+.No non- Ns Dv NULL .
+The initial logging flags and priority are both set to zero.
+.Pp
+The
+.Fn log_free_context
+function is used to free the opaque structure
+.Dq Va lc.opaque
+and its components.
+.Sy NOTE :
+The
+.Dq Va opaque
+field of
+.Dq Fa lc
+.Em must
+be
+.No non- Ns Dv NULL .
+For each of the various
+.Dq categories
+(indicated by the
+.Dq Va num_categories
+which were in the corresponding call to
+.Fn log_new_context )
+associated with the given
+.Nm logging context ,
+.Em all
+of the
+.Nm logging channels
+are
+.Xr free 3 Ns -d .
+The opaque structure itself is then
+.Xr free 3 Ns -d ,
+and
+.Dq Va lc.opaque
+is set to
+.Dv NULL .
+.Pp
+.Sy NOTE :
+The function
+.Fn log_free_context
+does
+.Em not
+free the memory associated with
+.Fa category_names ,
+since the logging library did not allocate the memory for it, originally;
+it was supplied in the call to
+.Fn log_new_context .
+.Pp
+The function
+.Fn log_add_channel
+adds the
+.Nm logging channel
+.Dq Fa chan
+to the list of logging channels in the given
+.Fa category
+of the
+.Nm logging context
+.Dq Fa lc .
+No checking is performed to see whether or not
+.Fa chan
+is already present in the given
+.Fa category ,
+so multiple instances in a single
+.Fa category
+can occur (but see
+.Fn log_remove_channel ,
+below).
+.Pp
+The
+.Fn log_remove_channel
+function
+removes
+.Em all
+occurrences of the
+.Nm logging channel
+.Dq Fa chan
+from the list of logging channels in the given
+.Fa category
+of the
+.Nm logging context
+.Dq Fa lc .
+It also attempts to free the channel by calling
+.Fn log_free_channel
+(see its description, below).
+.Pp
+The
+.Fn log_option
+function is used to change the
+.Fa option
+of the indicated logging context
+.Fa lc
+to the given
+.Fa value .
+The
+.Fa option
+can be either
+.Dv LOG_OPTION_LEVEL
+or
+.Dv LOG_OPTION_DEBUG ;
+in the first case, the log context's debugging level is reset to the
+indicated level. If the
+.Fa option
+is
+.Dv LOG_OPTION_DEBUG ,
+then a non-zero
+.Fa value
+results in setting the debug flag of the logging context, while a zero
+.Fa value
+means that the debug flag is reset.
+.Pp
+The
+.Fn log_category_is_active
+test returns a 1 if the given
+.Fa category
+of the indicated logging context
+.Fa lc
+has at least one logging channel, and 0, otherwise.
+.Pp
+The functions
+.Fn log_new_syslog_channel ,
+.Fn log_new_file_channel ,
+and
+.Fn log_new_null_channel
+create a new channel of the type specified (thus, the difference in arguments);
+the
+.Dq Va type
+field of the new
+.Do
+.Ft struct log_channel
+.Dc
+is always set to the appropriate value.
+.Pp
+The
+.Fn log_new_syslog_channel
+function
+.Xr malloc 3 Ns -s
+a new
+.Ft struct log_channel
+of
+.Va type
+.Dv log_syslog ,
+i.e., a logging channel which will use
+.Xr syslog 3 .
+The new structure is filled out with the
+.Dq Fa flags ,
+.Dq Fa level ,
+and
+.Dq Fa facility
+which are given; the
+.Va references
+field is initialized to zero.
+See
+.Sx Logging Channel Flags
+and
+.Sx Message Priorities ,
+above, or the header file for information about acceptable values for
+.Dq Fa flags ,
+and
+.Dq Fa level .
+The
+.Dq Fa facility .
+can be any valid
+.Xr syslog 3
+facility; see the appropriate system header file or manpage for more
+information.
+.Pp
+.Ft log_channel
+.Fn log_new_file_channel "unsigned int flags" "int level" \
+ "char *name" "FILE *stream" "unsigned int versions" \
+ "unsigned long max_size"
+.Pp
+.Fn log_new_null_channel
+.Pp
+The functions
+.Fn log_inc_references
+and
+.Fn log_dec_references
+increment or decrements, respectively, the
+.Va references
+field of the logging channel pointed to by
+.Dq Fa chan ,
+if it is a valid channel (and if the
+.Va references
+field is strictly positive, in the case of
+.Fn log_dec_references ) .
+These functions are meant to track changes in the number of different clients
+which refer to the given logging channel.
+.Pp
+The
+.Fn log_free_channel
+function frees the
+field of the logging channel pointed to by
+.Dq Fa chan
+if there are no more outstanding references to it. If the channel uses a file,
+the stream is
+.Xr fclose 3 Ns -d
+(if the
+.Dv LOG_CLOSE_STREAM
+flag is set), and the filename, if
+.No non- Ns Dv NULL ,
+is
+.Xr free 3 Ns -d
+before
+.Dq Fa chan
+is
+.Xr free 3 Ns -d .
+.Pp
+.\" The following requests should be uncommented and
+.\" used where appropriate. This next request is
+.\" for sections 2 and 3 function return values only.
+.Sh RETURN VALUES
+.\" This next request is for sections 1, 6, 7 & 8 only
+.Bl -tag -width "log_category_is_active()"
+.It Fn log_open_stream
+.Dv NULL
+is returned under any of several error conditions:
+a) if
+.Dq Fa chan
+is either
+.Dv NULL
+or a
+.No non- Ns Dv log_file
+channel
+.Pq Va errno No is set to Dv EINVAL ;
+b) if either versioning or truncation is requested for a non-normal file
+.Pq Va errno No is set to Dv EINVAL ;
+c) if any of
+.Xr stat 2 ,
+.Xr open 2 ,
+or
+.Xr fdopen 3
+fails
+.Po
+.Va errno
+is set by the call which failed
+.Pc .
+If some value other than
+.Dv NULL
+is returned, then it is a valid logging stream (either newly-opened or
+already-open).
+.It Fn log_close_stream
+-1 if the stream associated with
+.Dq Fa chan
+is
+.No non- Ns Dv NULL
+and the call to
+.Xr fclose 3
+fails.
+0 if successful or the logging channel pointed to by
+.Dq Fa chan
+is invalid (i.e.,
+.Dv NULL
+or not a logging channel which has uses a file); in the latter case,
+.Va errno
+is set to
+.Dv EINVAL .
+.It Fn log_get_stream
+.Dv NULL
+under the same conditions as those under which
+.Fn log_close_stream ,
+above, returns 0 (including the setting of
+.Va errno ) .
+Otherwise, the stream associated with the logging channel is returned.
+.It Fn log_get_filename
+.Dv NULL
+under the same conditions as those under which
+.Fn log_close_stream ,
+above, returns 0 (including the setting of
+.Va errno ) .
+Otherwise, the name of the file associated with the logging channel is
+returned.
+.It Fn log_new_context
+-1 if
+.Xr malloc 3
+fails
+.Pq with Va errno No set to Dv ENOMEM .
+Otherwise, 0, with
+.Dq Va lc->opaque
+containing the new structures and information.
+.It Fn log_add_channel
+-1 if
+a) either
+.Dq Va lc.opaque
+is
+.Dv NULL
+or
+.Fa category
+is invalid (negative or greater than or equal to
+.Va lcp->num_categories ) ,
+with
+.Va errno
+set to
+.Dv EINVAL ;
+b)
+.Xr malloc 3
+fails
+.Pq with Va errno No set to Dv ENOMEM .
+Otherwise, 0.
+.It Fn log_remove_channel
+-1 if
+a) either
+.Dq Va lc.opaque
+is
+.Dv NULL
+or
+.Fa category
+is invalid, as under failure condition a) for
+.Fn log_add_channel ,
+above, including the setting of
+.Va errno ;
+b) no channel numbered
+.Fa chan
+is found in the logging context indicated by
+.Fa lc
+.Pq with Va errno No set to Dv ENOENT .
+Otherwise, 0.
+.It Fn log_option
+-1 if
+a)
+.Dq Va lc.opaque
+is
+.Dv NULL ,
+b)
+.Fa option
+specifies an unknown logging option;
+in either case,
+.Va errno
+is set to
+.Dv EINVAL .
+Otherwise, 0.
+.It Fn log_category_is_active
+-1 if
+.Dq Va lc.opaque
+is
+.Dv NULL
+.Pq with Va errno No set to Dv EINVAL ;
+1 if the
+.Fa category
+number is valid and there are logging channels in this
+.Fa category
+within the indicated logging context; 0 if the
+.Fa category
+number is invalid or there are no logging channels in this
+.Fa category
+within the indicated logging context.
+.It Fn log_new_syslog_channel
+.Dv NULL
+if
+.Xr malloc 3
+fails
+.Pq with Va errno No set to ENOMEM ;
+otherwise, a valid
+.Dv log_syslog Ns -type
+.Ft log_channel .
+.It Fn log_new_file_channel
+.Dv NULL
+if
+.Xr malloc 3
+fails
+.Pq with Va errno No set to ENOMEM ;
+otherwise, a valid
+.Dv log_file Ns -type
+.Ft log_channel .
+.It Fn log_new_null_channel
+.Dv NULL
+if
+.Xr malloc 3
+fails
+.Pq with Va errno No set to ENOMEM ;
+otherwise, a valid
+.Dv log_null Ns -type
+.Ft log_channel .
+.It Fn log_inc_references
+-1 if
+.Dq Fa chan
+is
+.Dv NULL
+.Pq with Va errno set to Dv EINVAL .
+Otherwise, 0.
+.It Fn log_dec_references
+-1 if
+.Dq Fa chan
+is
+.Dv NULL
+or its
+.Va references
+field is already <= 0
+.Pq with Va errno set to Dv EINVAL .
+Otherwise, 0.
+.It Fn log_free_channel
+-1 under the same conditions as
+.Fn log_dec_references ,
+above, including the setting of
+.Va errno ;
+0 otherwise.
+.El
+.\" .Sh ENVIRONMENT
+.Sh FILES
+.Bl -tag -width "isc/logging.h"
+.It Pa isc/logging.h
+include file for logging library
+.It Pa syslog.h
+.Xr syslog 3 Ns -style
+priorities
+.El
+.\" .Sh EXAMPLES
+.\" This next request is for sections 1, 6, 7 & 8 only
+.\" (command return values (to shell) and
+.\" fprintf/stderr type diagnostics)
+.\" .Sh DIAGNOSTICS
+.\" The next request is for sections 2 and 3 error
+.\" and signal handling only.
+.Sh ERRORS
+This table shows which functions can return the indicated error in the
+.Va errno
+variable; see the
+.Sx RETURN VALUES
+section, above, for more information.
+.Bl -tag -width "(any0other0value)0"
+.It Dv EINVAL
+.Fn log_open_stream ,
+.Fn log_close_stream ,
+.Fn log_get_stream ,
+.Fn log_get_filename ,
+.Fn log_add_channel ,
+.Fn log_remove_channel ,
+.Fn log_option ,
+.Fn log_category_is_active ,
+.Fn log_inc_references ,
+.Fn log_dec_references ,
+.Fn log_free_channel .
+.It Dv ENOENT
+.Fn log_remove_channel .
+.It Dv ENOMEM
+.Fn log_new_context ,
+.Fn log_add_channel ,
+.Fn log_new_syslog_channel ,
+.Fn log_new_file_channel ,
+.Fn log_new_null_channel .
+.It (any other value)
+returned via a pass-through of an error code from
+.Xr stat 2 ,
+.Xr open 2 ,
+or
+.Xr fdopen 3 ,
+which can occur in
+.Fn log_open_stream
+and functions which call it
+.Pq currently, only Fn log_vwrite .
+.El
+.Pp
+Additionally,
+.Fn log_vwrite
+and
+.Fn log_free_context
+will fail via
+.Fn assert
+if
+.Dq Va lc.opaque
+is
+.Dv NULL .
+The function
+.Fn log_vwrite
+can also exit with a critical error logged via
+.Xr syslog 3
+indicating a memory overrun
+.Sh SEE ALSO
+.Xr @INDOT@named @SYS_OPS_EXT@ ,
+.Xr syslog 3 .
+The HTML documentation includes a file,
+.Pa logging.html ,
+which has more information about this logging system.
+.\" .Sh STANDARDS
+.\" .Sh HISTORY
+.Sh AUTHORS
+Bob Halley...TODO
+.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/logging_p.h b/contrib/bind9/lib/bind/isc/logging_p.h
new file mode 100644
index 0000000..99f6976
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/logging_p.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef LOGGING_P_H
+#define LOGGING_P_H
+
+typedef struct log_file_desc {
+ char *name;
+ size_t name_size;
+ FILE *stream;
+ unsigned int versions;
+ unsigned long max_size;
+ uid_t owner;
+ gid_t group;
+} log_file_desc;
+
+typedef union log_output {
+ int facility;
+ log_file_desc file;
+} log_output;
+
+struct log_channel {
+ int level; /* don't log messages > level */
+ log_channel_type type;
+ log_output out;
+ unsigned int flags;
+ int references;
+};
+
+typedef struct log_channel_list {
+ log_channel channel;
+ struct log_channel_list *next;
+} *log_channel_list;
+
+#define LOG_BUFFER_SIZE 20480
+
+struct log_context {
+ int num_categories;
+ char **category_names;
+ log_channel_list *categories;
+ int flags;
+ int level;
+ char buffer[LOG_BUFFER_SIZE];
+};
+
+#endif /* !LOGGING_P_H */
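Review bot: `char buffer[LOG_BUFFER_SIZE]` in `struct log_context` is a fixed 20480-byte scratch area, and nothing at the field says what bounds writes into it. The logging.mdoc added in this same commit states that log_vwrite "can also exit with a critical error logged via syslog indicating a memory overrun"; the function body is not in this hunk, but that wording suggests an overrun is detected after formatting rather than prevented. I would state the contract at the field, e.g. `char buffer[LOG_BUFFER_SIZE]; /* one formatted message; writers must bound by sizeof(buffer) */`, and have the formatter use a length-bounded `vsnprintf` sized with `sizeof` on platforms that provide it. Separately, the header uses `FILE`, `size_t`, `uid_t` and `gid_t` without including `<stdio.h>` or `<sys/types.h>`, so a short comment naming the headers an includer must pull in first would help.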
diff --git a/contrib/bind9/lib/bind/isc/memcluster.c b/contrib/bind9/lib/bind/isc/memcluster.c
new file mode 100644
index 0000000..8874181
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/memcluster.c
@@ -0,0 +1,545 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1997,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+/* When this symbol is defined allocations via memget are made slightly
+ bigger and some debugging info stuck before and after the region given
+ back to the caller. */
+/* #define DEBUGGING_MEMCLUSTER */
+#define MEMCLUSTER_ATEND
+
+
+#if !defined(LINT) && !defined(CODECENTER)
+static const char rcsid[] = "$Id: memcluster.c,v 1.3.206.3 2004/03/17 00:29:52 marka Exp $";
+#endif /* not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include <isc/memcluster.h>
+#include <isc/assertions.h>
+
+#include "port_after.h"
+
+#ifdef MEMCLUSTER_RECORD
+#ifndef DEBUGGING_MEMCLUSTER
+#define DEBUGGING_MEMCLUSTER
+#endif
+#endif
+
+#define DEF_MAX_SIZE 1100
+#define DEF_MEM_TARGET 4096
+
+typedef u_int32_t fence_t;
+
+typedef struct {
+ void * next;
+#if defined(DEBUGGING_MEMCLUSTER)
+#if defined(MEMCLUSTER_RECORD)
+ const char * file;
+ int line;
+#endif
+ size_t size;
+ fence_t fencepost;
+#endif
+} memcluster_element;
+
+#define SMALL_SIZE_LIMIT sizeof(memcluster_element)
+#define P_SIZE sizeof(void *)
+#define FRONT_FENCEPOST 0xfebafeba
+#define BACK_FENCEPOST 0xabefabef
+#define FENCEPOST_SIZE 4
+
+#ifndef MEMCLUSTER_LITTLE_MALLOC
+#define MEMCLUSTER_BIG_MALLOC 1
+#define NUM_BASIC_BLOCKS 64
+#endif
+
+struct stats {
+ u_long gets;
+ u_long totalgets;
+ u_long blocks;
+ u_long freefrags;
+};
+
+/* Private data. */
+
+static size_t max_size;
+static size_t mem_target;
+static size_t mem_target_half;
+static size_t mem_target_fudge;
+static memcluster_element ** freelists;
+#ifdef MEMCLUSTER_RECORD
+static memcluster_element ** activelists;
+#endif
+#ifdef MEMCLUSTER_BIG_MALLOC
+static memcluster_element * basic_blocks;
+#endif
+static struct stats * stats;
+
+/* Forward. */
+
+static size_t quantize(size_t);
+#if defined(DEBUGGING_MEMCLUSTER)
+static void check(unsigned char *, int, size_t);
+#endif
+
+/* Public. */
+
+int
+meminit(size_t init_max_size, size_t target_size) {
+
+#if defined(DEBUGGING_MEMCLUSTER)
+ INSIST(sizeof(fence_t) == FENCEPOST_SIZE);
+#endif
+ if (freelists != NULL) {
+ errno = EEXIST;
+ return (-1);
+ }
+ if (init_max_size == 0U)
+ max_size = DEF_MAX_SIZE;
+ else
+ max_size = init_max_size;
+ if (target_size == 0U)
+ mem_target = DEF_MEM_TARGET;
+ else
+ mem_target = target_size;
+ mem_target_half = mem_target / 2;
+ mem_target_fudge = mem_target + mem_target / 4;
+ freelists = malloc(max_size * sizeof (memcluster_element *));
+ stats = malloc((max_size+1) * sizeof (struct stats));
+ if (freelists == NULL || stats == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ memset(freelists, 0,
+ max_size * sizeof (memcluster_element *));
+ memset(stats, 0, (max_size + 1) * sizeof (struct stats));
+#ifdef MEMCLUSTER_RECORD
+ activelists = malloc((max_size + 1) * sizeof (memcluster_element *));
+ if (activelists == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ memset(activelists, 0,
+ (max_size + 1) * sizeof (memcluster_element *));
+#endif
+#ifdef MEMCLUSTER_BIG_MALLOC
+ basic_blocks = NULL;
+#endif
+ return (0);
+}
+
+void *
+__memget(size_t size) {
+ return (__memget_record(size, NULL, 0));
+}
+
+void *
+__memget_record(size_t size, const char *file, int line) {
+ size_t new_size = quantize(size);
+#if defined(DEBUGGING_MEMCLUSTER)
+ memcluster_element *e;
+ char *p;
+ fence_t fp = BACK_FENCEPOST;
+#endif
+ void *ret;
+
+#if !defined(MEMCLUSTER_RECORD)
+ UNUSED(file);
+ UNUSED(line);
+#endif
+ if (freelists == NULL)
+ if (meminit(0, 0) == -1)
+ return (NULL);
+ if (size == 0U) {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (size >= max_size || new_size >= max_size) {
+ /* memget() was called on something beyond our upper limit. */
+ stats[max_size].gets++;
+ stats[max_size].totalgets++;
+#if defined(DEBUGGING_MEMCLUSTER)
+ e = malloc(new_size);
+ if (e == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ e->next = NULL;
+ e->size = size;
+#ifdef MEMCLUSTER_RECORD
+ e->file = file;
+ e->line = line;
+ e->next = activelists[max_size];
+ activelists[max_size] = e;
+#endif
+ e->fencepost = FRONT_FENCEPOST;
+ p = (char *)e + sizeof *e + size;
+ memcpy(p, &fp, sizeof fp);
+ return ((char *)e + sizeof *e);
+#else
+ return (malloc(size));
+#endif
+ }
+
+ /*
+ * If there are no blocks in the free list for this size, get a chunk
+ * of memory and then break it up into "new_size"-sized blocks, adding
+ * them to the free list.
+ */
+ if (freelists[new_size] == NULL) {
+ int i, frags;
+ size_t total_size;
+ void *new;
+ char *curr, *next;
+
+#ifdef MEMCLUSTER_BIG_MALLOC
+ if (basic_blocks == NULL) {
+ new = malloc(NUM_BASIC_BLOCKS * mem_target);
+ if (new == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+ curr = new;
+ next = curr + mem_target;
+ for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
+ ((memcluster_element *)curr)->next = next;
+ curr = next;
+ next += mem_target;
+ }
+ /*
+ * curr is now pointing at the last block in the
+ * array.
+ */
+ ((memcluster_element *)curr)->next = NULL;
+ basic_blocks = new;
+ }
+ total_size = mem_target;
+ new = basic_blocks;
+ basic_blocks = basic_blocks->next;
+#else
+ if (new_size > mem_target_half)
+ total_size = mem_target_fudge;
+ else
+ total_size = mem_target;
+ new = malloc(total_size);
+ if (new == NULL) {
+ errno = ENOMEM;
+ return (NULL);
+ }
+#endif
+ frags = total_size / new_size;
+ stats[new_size].blocks++;
+ stats[new_size].freefrags += frags;
+ /* Set up a linked-list of blocks of size "new_size". */
+ curr = new;
+ next = curr + new_size;
+ for (i = 0; i < (frags - 1); i++) {
+#if defined (DEBUGGING_MEMCLUSTER)
+ memset(curr, 0xa5, new_size);
+#endif
+ ((memcluster_element *)curr)->next = next;
+ curr = next;
+ next += new_size;
+ }
+ /* curr is now pointing at the last block in the array. */
+#if defined (DEBUGGING_MEMCLUSTER)
+ memset(curr, 0xa5, new_size);
+#endif
+ ((memcluster_element *)curr)->next = freelists[new_size];
+ freelists[new_size] = new;
+ }
+
+ /* The free list uses the "rounded-up" size "new_size". */
+#if defined (DEBUGGING_MEMCLUSTER)
+ e = freelists[new_size];
+ ret = (char *)e + sizeof *e;
+ /*
+ * Check to see if this buffer has been written to while on free list.
+ */
+ check(ret, 0xa5, new_size - sizeof *e);
+ /*
+ * Mark memory we are returning.
+ */
+ memset(ret, 0xe5, size);
+#else
+ ret = freelists[new_size];
+#endif
+ freelists[new_size] = freelists[new_size]->next;
+#if defined(DEBUGGING_MEMCLUSTER)
+ e->next = NULL;
+ e->size = size;
+ e->fencepost = FRONT_FENCEPOST;
+#ifdef MEMCLUSTER_RECORD
+ e->file = file;
+ e->line = line;
+ e->next = activelists[size];
+ activelists[size] = e;
+#endif
+ p = (char *)e + sizeof *e + size;
+ memcpy(p, &fp, sizeof fp);
+#endif
+
+ /*
+ * The stats[] uses the _actual_ "size" requested by the
+ * caller, with the caveat (in the code above) that "size" >= the
+ * max. size (max_size) ends up getting recorded as a call to
+ * max_size.
+ */
+ stats[size].gets++;
+ stats[size].totalgets++;
+ stats[new_size].freefrags--;
+#if defined(DEBUGGING_MEMCLUSTER)
+ return ((char *)e + sizeof *e);
+#else
+ return (ret);
+#endif
+}
+
+/*
+ * This is a call from an external caller,
+ * so we want to count this as a user "put".
+ */
+void
+__memput(void *mem, size_t size) {
+ __memput_record(mem, size, NULL, 0);
+}
+
+void
+__memput_record(void *mem, size_t size, const char *file, int line) {
+ size_t new_size = quantize(size);
+#if defined (DEBUGGING_MEMCLUSTER)
+ memcluster_element *e;
+ memcluster_element *el;
+#ifdef MEMCLUSTER_RECORD
+ memcluster_element *prev;
+#endif
+ fence_t fp;
+ char *p;
+#endif
+
+#if !defined (MEMCLUSTER_RECORD)
+ UNUSED(file);
+ UNUSED(line);
+#endif
+
+ REQUIRE(freelists != NULL);
+
+ if (size == 0U) {
+ errno = EINVAL;
+ return;
+ }
+
+#if defined (DEBUGGING_MEMCLUSTER)
+ e = (memcluster_element *) ((char *)mem - sizeof *e);
+ INSIST(e->fencepost == FRONT_FENCEPOST);
+ INSIST(e->size == size);
+ p = (char *)e + sizeof *e + size;
+ memcpy(&fp, p, sizeof fp);
+ INSIST(fp == BACK_FENCEPOST);
+ INSIST(((int)mem % 4) == 0);
+#ifdef MEMCLUSTER_RECORD
+ prev = NULL;
+ if (size == max_size || new_size >= max_size)
+ el = activelists[max_size];
+ else
+ el = activelists[size];
+ while (el != NULL && el != e) {
+ prev = el;
+ el = el->next;
+ }
+ INSIST(el != NULL); /* double free */
+ if (prev == NULL) {
+ if (size == max_size || new_size >= max_size)
+ activelists[max_size] = el->next;
+ else
+ activelists[size] = el->next;
+ } else
+ prev->next = el->next;
+#endif
+#endif
+
+ if (size == max_size || new_size >= max_size) {
+ /* memput() called on something beyond our upper limit */
+#if defined(DEBUGGING_MEMCLUSTER)
+ free(e);
+#else
+ free(mem);
+#endif
+
+ INSIST(stats[max_size].gets != 0U);
+ stats[max_size].gets--;
+ return;
+ }
+
+ /* The free list uses the "rounded-up" size "new_size": */
+#if defined(DEBUGGING_MEMCLUSTER)
+ memset(mem, 0xa5, new_size - sizeof *e); /* catch write after free */
+ e->size = 0; /* catch double memput() */
+#ifdef MEMCLUSTER_RECORD
+ e->file = file;
+ e->line = line;
+#endif
+#ifdef MEMCLUSTER_ATEND
+ e->next = NULL;
+ el = freelists[new_size];
+ while (el != NULL && el->next != NULL)
+ el = el->next;
+ if (el)
+ el->next = e;
+ else
+ freelists[new_size] = e;
+#else
+ e->next = freelists[new_size];
+ freelists[new_size] = (void *)e;
+#endif
+#else
+ ((memcluster_element *)mem)->next = freelists[new_size];
+ freelists[new_size] = (memcluster_element *)mem;
+#endif
+
+ /*
+ * The stats[] uses the _actual_ "size" requested by the
+ * caller, with the caveat (in the code above) that "size" >= the
+ * max. size (max_size) ends up getting recorded as a call to
+ * max_size.
+ */
+ INSIST(stats[size].gets != 0U);
+ stats[size].gets--;
+ stats[new_size].freefrags++;
+}
+
+void *
+__memget_debug(size_t size, const char *file, int line) {
+ void *ptr;
+ ptr = __memget_record(size, file, line);
+ fprintf(stderr, "%s:%d: memget(%lu) -> %p\n", file, line,
+ (u_long)size, ptr);
+ return (ptr);
+}
+
+void
+__memput_debug(void *ptr, size_t size, const char *file, int line) {
+ fprintf(stderr, "%s:%d: memput(%p, %lu)\n", file, line, ptr,
+ (u_long)size);
+ __memput_record(ptr, size, file, line);
+}
+
+/*
+ * Print the stats[] on the stream "out" with suitable formatting.
+ */
+void
+memstats(FILE *out) {
+ size_t i;
+#ifdef MEMCLUSTER_RECORD
+ memcluster_element *e;
+#endif
+
+ if (freelists == NULL)
+ return;
+ for (i = 1; i <= max_size; i++) {
+ const struct stats *s = &stats[i];
+
+ if (s->totalgets == 0U && s->gets == 0U)
+ continue;
+ fprintf(out, "%s%5d: %11lu gets, %11lu rem",
+ (i == max_size) ? ">=" : " ",
+ i, s->totalgets, s->gets);
+ if (s->blocks != 0U)
+ fprintf(out, " (%lu bl, %lu ff)",
+ s->blocks, s->freefrags);
+ fputc('\n', out);
+ }
+#ifdef MEMCLUSTER_RECORD
+ fprintf(out, "Active Memory:\n");
+ for (i = 1; i <= max_size; i++) {
+ if ((e = activelists[i]) != NULL)
+ while (e != NULL) {
+ fprintf(out, "%s:%d %p:%d\n",
+ e->file != NULL ? e->file :
+ "<UNKNOWN>", e->line,
+ (char *)e + sizeof *e, e->size);
+ e = e->next;
+ }
+ }
+#endif
+}
+
+int
+memactive(void) {
+ size_t i;
+
+ if (stats == NULL)
+ return (0);
+ for (i = 1; i <= max_size; i++)
+ if (stats[i].gets != 0U)
+ return (1);
+ return (0);
+}
+
+/* Private. */
+
+/*
+ * Round up size to a multiple of sizeof(void *). This guarantees that a
+ * block is at least sizeof void *, and that we won't violate alignment
+ * restrictions, both of which are needed to make lists of blocks.
+ */
+static size_t
+quantize(size_t size) {
+ int remainder;
+ /*
+ * If there is no remainder for the integer division of
+ *
+ * (rightsize/P_SIZE)
+ *
+ * then we already have a good size; if not, then we need
+ * to round up the result in order to get a size big
+ * enough to satisfy the request _and_ aligned on P_SIZE boundaries.
+ */
+ remainder = size % P_SIZE;
+ if (remainder != 0)
+ size += P_SIZE - remainder;
+#if defined(DEBUGGING_MEMCLUSTER)
+ return (size + SMALL_SIZE_LIMIT + sizeof (int));
+#else
+ return (size);
+#endif
+}
+
+#if defined(DEBUGGING_MEMCLUSTER)
+static void
+check(unsigned char *a, int value, size_t len) {
+ size_t i;
+ for (i = 0; i < len; i++)
+ INSIST(a[i] == value);
+}
+#endif
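Review bot: meminit() never checks init_max_size against target_size, so when max_size exceeds mem_target a request whose new_size is larger than mem_target reaches `frags = total_size / new_size` in __memget_record() with frags == 0, and the single mem_target-byte chunk is still linked onto freelists[new_size] and handed out as if it were new_size bytes long. The defaults (1100 and 4096) are safe, but meminit() is public and its callers are not visible here, so I would reject the combination right after the two sizes are assigned and before the malloc() calls, with `if (max_size > mem_target) { errno = EINVAL; return (-1); }`. The same function also returns -1 with freelists still set when only the stats allocation fails, after which __memget_record() skips meminit() and indexes a NULL stats; freeing both arrays and resetting them to NULL on that path would close it. Since this is imported BIND code, both changes are better raised upstream than carried as a local patch.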
diff --git a/contrib/bind9/lib/bind/isc/memcluster.mdoc b/contrib/bind9/lib/bind/isc/memcluster.mdoc
new file mode 100644
index 0000000..cd4e6fb
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/memcluster.mdoc
@@ -0,0 +1,376 @@
+.\" $Id: memcluster.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:43 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1995-1999 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The following six UNCOMMENTED lines are required.
+.Dd Month day, year
+.\"Os OPERATING_SYSTEM [version/release]
+.Os BSD 4
+.\"Dt DOCUMENT_TITLE [section number] [volume]
+.Dt MEMCLUSTER 3
+.Sh NAME
+.Nm meminit ,
+.Nm memget ,
+.Nm memput ,
+.Nm memstats
+.Nd memory allocation/deallocation system
+.Sh SYNOPSIS
+.Fd #include \&<isc/memcluster.h\&>
+.Ft void *
+.Fn memget "size_t size"
+.Ft void
+.Fn memput "void *mem" "size_t size"
+.Ft void
+.Fn memstats "FILE *out"
+.Sh DESCRIPTION
+These functions access a memory management system which allows callers to not
+fragment memory to the extent which can ordinarily occur through many random
+calls to
+.Xr malloc 3 .
+Instead,
+.Fn memget
+gets a large contiguous chunk of blocks of the requested
+.Fa size
+and parcels out these blocks as requested. The symmetric call is
+.Fn memput ,
+which callers use to return a piece of memory obtained from
+.Fn memget .
+Statistics about memory usage are returned by
+.Fn memstats ,
+which prints a report on the stream
+.Fa out .
+.Ss INTERNALS
+Internally, linked lists of free memory blocks are stored in an array.
+The size of this array is determined by the value
+.Dv MEM_FREECOUNT ,
+currently set to 1100. In general, for any requested blocksize
+.Dq Fa size ,
+any free blocks will be stored on the linked list at that index.
+No free lists are managed for blocks greater than or equal to
+.Dv MEM_FREECOUNT
+bytes; instead, calls to
+.Xr malloc 3
+or
+.Xr free 3
+are made, directly.
+.Pp
+Since the blocks are actually stored as linked lists, they must at least
+be large enough to hold a pointer to the next block. This size, which is
+.Dv SMALL_SIZE_LIMIT ,
+is currently defined as
+.Bd -literal -offset indent
+#define SMALL_SIZE_LIMIT sizeof(struct { void *next; })
+.Ed
+.Pp
+Both
+.Fn memget
+and
+.Fn memput
+enforce this limit; for example, any call to
+.Fn memget
+requesting a block smaller than
+.Dv SMALL_SIZE_LIMIT
+bytes will actually be considered to be of size
+.Dv SMALL_SIZE_LIMIT
+internally. (Such a caller request will be logged for
+.Fn memstats
+purposes using the caller-requested
+.Fa size ;
+see the discussion of
+.Fn memstats ,
+below, for more information.)
+.Pp
+Additionally, the requested
+.Fa size
+will be adjusted so that when a large
+.Xr malloc 3 Ns No -d
+chunk of memory is broken up into a linked list, the blocks will all fall on
+the correct memory alignment boundaries. Thus, one can conceptualize a call
+which mentions
+.Fa size
+as resulting in a
+.Fa new_size
+which is used internally.
+.Pp
+In order to more efficiently allocate memory, there is a
+.Dq target
+size for calls to
+.Xr malloc 3 .
+It is given by the pre-defined value
+.Dv MEM_TARGET ,
+which is currently 4096 bytes.
+For any requested block
+.Fa size ,
+enough memory is
+.Xr malloc 3 Ns No -d
+in order to fill up a block of about
+.Dv MEM_TARGET
+bytes.
+.No [ Ns Sy NOTE :
+For allocations larger than
+.Dv MEM_TARGET Ns No /2
+bytes, there is a
+.Dq fudge factor
+introduced which boosts the target size by 25% of
+.Dv MEM_TARGET .
+This means that enough memory for two blocks
+will actually be allocated for any
+.Fa size
+such that
+.Pq Dv MEM_TARGET Ns No / 3
+.No < Fa size No <
+.Pq Dv MEM_TARGET Ns No *5/8 ,
+provided that the value of
+.Dv MEM_FREECOUNT
+is at least as large as the upper limit shown above.]
+.Pp
+.Ss FUNCTION DESCRIPTIONS
+.Pp
+The function
+.Fn memget
+returns a pointer to a block of memory of at least the requested
+.Fa size .
+After adjusting
+.Fa size
+to the value
+.Va new_size
+as mentioned above in the
+.Sx INTERNALS
+subsection, the internal array of free lists is checked.
+If there is no block of the needed
+.Va new_size ,
+then
+.Fn memget
+will
+.Xr malloc 3
+a chunk of memory which is as many times as
+.Va new_size
+will fit into the target size. This memory is then turned into a linked list
+of
+.Va new_size Ns No -sized
+blocks which are given out as requested; the last such block is the first one
+returned by
+.Fn memget .
+If the requested
+.Fa size
+is zero or negative, then
+.Dv NULL
+is returned and
+.Va errno
+is set to
+.Dv EINVAL ;
+if
+.Fa size
+is larger than or equal to the pre-defined maximum size
+.Dv MEM_FREECOUNT ,
+then only a single block of exactly
+.Fa size
+will be
+.Xr malloc 3 Ns No -d
+and returned.
+.Pp
+The
+.Fn memput
+call is used to return memory once the caller is finished with it.
+After adjusting
+.Fa size
+the the value
+.Va new_size
+as mentioned in the
+.Sx INTERNALS
+subsection, above, the block is placed at the head of the free list of
+.Va new_size Ns -sized
+blocks.
+If the given
+.Fa size
+is zero or negative, then
+.Va errno
+is set to
+.Dv EINVAL ,
+as for
+.Fn memget .
+If
+.Fa size
+is larger than or equal to the pre-defined maximum size
+.Dv MEM_FREECOUNT ,
+then the block is immediately
+.Xr free 3 Ns No -d .
+.Pp
+.Sy NOTE :
+It is important that callers give
+.Fn memput
+.Em only
+blocks of memory which were previously obtained from
+.Fn memget
+if the block is
+.Em actually
+less than
+.Dv SMALL_SIZE_LIMIT
+bytes in size. Since all blocks will be added to a free list, any block
+which is not at least
+.Dv SMALL_SIZE_LIMIT
+bytes long will not be able to hold a pointer to the next block in the
+free list.
+.Pp
+The
+.Fn memstats
+function will summarize the number of calls to
+.Fn memget
+and
+.Fn memput
+for any block size from 1 byte up to
+.Pq Dv MEM_FREECOUNT No - 1
+bytes, followed by a single line for any calls using a
+.Fa size
+greater than or equal to
+.Dv MEM_FREECOUNT ;
+a brief header with shell-style comment lines prefaces the report and
+explains the information. The
+.Dv FILE
+pointer
+.Fa out
+identifies the stream which is used for this report. Currently,
+.Fn memstat
+reports the number of calls to
+.Fn memget
+and
+.Fn memput
+using the caller-supplied value
+.Fa size ;
+the percentage of outstanding blocks of a given size (i.e., the percentage
+by which calls to
+.Fn memget
+exceed
+.Fn memput )
+are also reported on the line for blocks of the given
+.Fa size .
+However, the percent of blocks used is computed using the number of
+blocks allocated according to the internal parameter
+.Va new_size ;
+it is the percentage of blocks used to those available at a given
+.Va new_size ,
+and is computed using the
+.Em total
+number of caller
+.Dq gets
+for any caller
+.Fa size Ns No -s
+which map to the internally-computed
+.Va new_size .
+Keep in mind that
+.Va new_size
+is generally
+.Em not
+equal to
+.Fa size ,
+which has these implications:
+.Bl -enum -offset indent
+.It
+For
+.Fa size
+smaller than
+.Dv SMALL_SIZE_LIMIT ,
+.Fn memstat
+.Em will
+show statistics for caller requests under
+.Fa size ,
+but "percent used" information about such blocks will be reported under
+.Dv SMALL_SIZE_LIMIT Ns No -sized
+blocks.
+.It
+As a general case of point 1, internal statistics are reported on the the
+line corresponding to
+.Va new_size ,
+so that, for a given caller-supplied
+.Fa size ,
+the associated internal information will appear on that line or on the next
+line which shows "percent used" information.
+.El
+.Pp
+.Sy NOTE :
+If the caller returns blocks of a given
+.Fa size
+and requests others of
+.Fa size Ns No -s
+which map to the same internal
+.Va new_size ,
+it is possible for
+.Fn memstats
+to report usage of greater than 100% for blocks of size
+.Va new_size .
+This should be viewed as A Good Thing.
+.Sh RETURN VALUES
+The function
+.Fn memget
+returns a
+.No non- Ns Dv NULL
+pointer to a block of memory of the requested
+.Fa size .
+It returns
+.Dv NULL
+if either the
+.Fa size
+is invalid (less than or equal to zero) or a
+.Xr malloc 3
+of a new block of memory fails. In the former case,
+.Va errno
+is set to
+.Dv EINVAL ;
+in the latter, it is set to
+.Dv ENOMEM .
+.Pp
+Neither
+.Fn memput
+nor
+.Fn memstats
+return a value.
+.\" This next request is for sections 1, 6, 7 & 8 only
+.\" .Sh ENVIRONMENT
+.\" .Sh FILES
+.\" .Sh EXAMPLES
+.\" This next request is for sections 1, 6, 7 & 8 only
+.\" (command return values (to shell) and
+.\" fprintf/stderr type diagnostics)
+.\" .Sh DIAGNOSTICS
+.\" The next request is for sections 2 and 3 error
+.\" and signal handling only.
+.Sh ERRORS
+.Va errno
+is set as follows:
+.Bl -tag -width "ENOMEM " -offset indent
+.It Dv EINVAL
+set by both
+.Fn memget
+and
+.Fn memput
+if the
+.Fa size
+is zero or negative
+.It Dv ENOMEM
+set by
+.Fn memget
+if a call to
+.Xr malloc 3
+fails
+.El
+.Sh SEE ALSO
+.Xr free 3 ,
+.Xr malloc 3 .
+.\" .Sh STANDARDS
+.\" .Sh HISTORY
+.Sh AUTHORS
+Steven J. Richardson and Paul Vixie, Vixie Enterprises.
+.\" .Sh BUGS
diff --git a/contrib/bind9/lib/bind/isc/movefile.c b/contrib/bind9/lib/bind/isc/movefile.c
new file mode 100644
index 0000000..8582aa7
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/movefile.c
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 2000 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#include <port_before.h>
+#include <stdio.h>
+#include <isc/misc.h>
+#include <port_after.h>
+#ifndef HAVE_MOVEFILE
+/*
+ * rename() is lame (can't overwrite an existing file) on some systems.
+ * use movefile() instead, and let lame OS ports do what they need to.
+ */
+
+int
+isc_movefile(const char *oldname, const char *newname) {
+ return (rename(oldname, newname));
+}
+#else
+ static int os_port_has_isc_movefile = 1;
+#endif
diff --git a/contrib/bind9/lib/bind/isc/tree.c b/contrib/bind9/lib/bind/isc/tree.c
new file mode 100644
index 0000000..9bdf6d6
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/tree.c
@@ -0,0 +1,532 @@
+#ifndef LINT
+static const char rcsid[] = "$Id: tree.c,v 1.2.206.1 2004/03/09 08:33:43 marka Exp $";
+#endif
+
+/*
+ * tree - balanced binary tree library
+ *
+ * vix 05apr94 [removed vixie.h dependencies; cleaned up formatting, names]
+ * vix 22jan93 [revisited; uses RCS, ANSI, POSIX; has bug fixes]
+ * vix 23jun86 [added delete uar to add for replaced nodes]
+ * vix 20jun86 [added tree_delete per wirth a+ds (mod2 v.) p. 224]
+ * vix 06feb86 [added tree_mung()]
+ * vix 02feb86 [added tree balancing from wirth "a+ds=p" p. 220-221]
+ * vix 14dec85 [written]
+ */
+
+/*
+ * This program text was created by Paul Vixie using examples from the book:
+ * "Algorithms & Data Structures," Niklaus Wirth, Prentice-Hall, 1986, ISBN
+ * 0-13-022005-1. Any errors in the conversion from Modula-2 to C are Paul
+ * Vixie's.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*#define DEBUG "tree"*/
+
+#include "port_before.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "port_after.h"
+
+#include <isc/memcluster.h>
+#include <isc/tree.h>
+
+#ifdef DEBUG
+static int debugDepth = 0;
+static char *debugFuncs[256];
+# define ENTER(proc) { \
+ debugFuncs[debugDepth] = proc; \
+ fprintf(stderr, "ENTER(%d:%s.%s)\n", \
+ debugDepth, DEBUG, \
+ debugFuncs[debugDepth]); \
+ debugDepth++; \
+ }
+# define RET(value) { \
+ debugDepth--; \
+ fprintf(stderr, "RET(%d:%s.%s)\n", \
+ debugDepth, DEBUG, \
+ debugFuncs[debugDepth]); \
+ return (value); \
+ }
+# define RETV { \
+ debugDepth--; \
+ fprintf(stderr, "RETV(%d:%s.%s)\n", \
+ debugDepth, DEBUG, \
+ debugFuncs[debugDepth]); \
+ return; \
+ }
+# define MSG(msg) fprintf(stderr, "MSG(%s)\n", msg);
+#else
+# define ENTER(proc) ;
+# define RET(value) return (value);
+# define RETV return;
+# define MSG(msg) ;
+#endif
+
+#ifndef TRUE
+# define TRUE 1
+# define FALSE 0
+#endif
+
+static tree * sprout(tree **, tree_t, int *, int (*)(), void (*)());
+static int delete(tree **, int (*)(), tree_t, void (*)(), int *, int *);
+static void del(tree **, int *, tree **, void (*)(), int *);
+static void bal_L(tree **, int *);
+static void bal_R(tree **, int *);
+
+void
+tree_init(tree **ppr_tree) {
+ ENTER("tree_init")
+ *ppr_tree = NULL;
+ RETV
+}
+
+tree_t
+tree_srch(tree **ppr_tree, int (*pfi_compare)(tree_t, tree_t), tree_t p_user) {
+ ENTER("tree_srch")
+
+ if (*ppr_tree) {
+ int i_comp = (*pfi_compare)(p_user, (**ppr_tree).data);
+
+ if (i_comp > 0)
+ RET(tree_srch(&(**ppr_tree).right,
+ pfi_compare,
+ p_user))
+
+ if (i_comp < 0)
+ RET(tree_srch(&(**ppr_tree).left,
+ pfi_compare,
+ p_user))
+
+ /* not higher, not lower... this must be the one.
+ */
+ RET((**ppr_tree).data)
+ }
+
+ /* grounded. NOT found.
+ */
+ RET(NULL)
+}
+
+tree_t
+tree_add(tree **ppr_tree, int (*pfi_compare)(tree_t, tree_t),
+ tree_t p_user, void (*pfv_uar)())
+{
+ int i_balance = FALSE;
+
+ ENTER("tree_add")
+ if (!sprout(ppr_tree, p_user, &i_balance, pfi_compare, pfv_uar))
+ RET(NULL)
+ RET(p_user)
+}
+
+int
+tree_delete(tree **ppr_p, int (*pfi_compare)(tree_t, tree_t),
+ tree_t p_user, void (*pfv_uar)())
+{
+ int i_balance = FALSE, i_uar_called = FALSE;
+
+ ENTER("tree_delete");
+ RET(delete(ppr_p, pfi_compare, p_user, pfv_uar,
+ &i_balance, &i_uar_called))
+}
+
+int
+tree_trav(tree **ppr_tree, int (*pfi_uar)(tree_t)) {
+ ENTER("tree_trav")
+
+ if (!*ppr_tree)
+ RET(TRUE)
+
+ if (!tree_trav(&(**ppr_tree).left, pfi_uar))
+ RET(FALSE)
+ if (!(*pfi_uar)((**ppr_tree).data))
+ RET(FALSE)
+ if (!tree_trav(&(**ppr_tree).right, pfi_uar))
+ RET(FALSE)
+ RET(TRUE)
+}
+
+void
+tree_mung(tree **ppr_tree, void (*pfv_uar)(tree_t)) {
+ ENTER("tree_mung")
+ if (*ppr_tree) {
+ tree_mung(&(**ppr_tree).left, pfv_uar);
+ tree_mung(&(**ppr_tree).right, pfv_uar);
+ if (pfv_uar)
+ (*pfv_uar)((**ppr_tree).data);
+ memput(*ppr_tree, sizeof(tree));
+ *ppr_tree = NULL;
+ }
+ RETV
+}
+
+static tree *
+sprout(tree **ppr, tree_t p_data, int *pi_balance,
+ int (*pfi_compare)(tree_t, tree_t), void (*pfv_delete)(tree_t))
+{
+ tree *p1, *p2, *sub;
+ int cmp;
+
+ ENTER("sprout")
+
+ /* are we grounded? if so, add the node "here" and set the rebalance
+ * flag, then exit.
+ */
+ if (!*ppr) {
+ MSG("grounded. adding new node, setting h=true")
+ *ppr = (tree *) memget(sizeof(tree));
+ if (*ppr) {
+ (*ppr)->left = NULL;
+ (*ppr)->right = NULL;
+ (*ppr)->bal = 0;
+ (*ppr)->data = p_data;
+ *pi_balance = TRUE;
+ }
+ RET(*ppr);
+ }
+
+ /* compare the data using routine passed by caller.
+ */
+ cmp = (*pfi_compare)(p_data, (*ppr)->data);
+
+ /* if LESS, prepare to move to the left.
+ */
+ if (cmp < 0) {
+ MSG("LESS. sprouting left.")
+ sub = sprout(&(*ppr)->left, p_data, pi_balance,
+ pfi_compare, pfv_delete);
+ if (sub && *pi_balance) { /* left branch has grown */
+ MSG("LESS: left branch has grown")
+ switch ((*ppr)->bal) {
+ case 1:
+ /* right branch WAS longer; bal is ok now */
+ MSG("LESS: case 1.. bal restored implicitly")
+ (*ppr)->bal = 0;
+ *pi_balance = FALSE;
+ break;
+ case 0:
+ /* balance WAS okay; now left branch longer */
+ MSG("LESS: case 0.. balnce bad but still ok")
+ (*ppr)->bal = -1;
+ break;
+ case -1:
+ /* left branch was already too long. rebal */
+ MSG("LESS: case -1: rebalancing")
+ p1 = (*ppr)->left;
+ if (p1->bal == -1) { /* LL */
+ MSG("LESS: single LL")
+ (*ppr)->left = p1->right;
+ p1->right = *ppr;
+ (*ppr)->bal = 0;
+ *ppr = p1;
+ } else { /* double LR */
+ MSG("LESS: double LR")
+
+ p2 = p1->right;
+ p1->right = p2->left;
+ p2->left = p1;
+
+ (*ppr)->left = p2->right;
+ p2->right = *ppr;
+
+ if (p2->bal == -1)
+ (*ppr)->bal = 1;
+ else
+ (*ppr)->bal = 0;
+
+ if (p2->bal == 1)
+ p1->bal = -1;
+ else
+ p1->bal = 0;
+ *ppr = p2;
+ } /*else*/
+ (*ppr)->bal = 0;
+ *pi_balance = FALSE;
+ } /*switch*/
+ } /*if*/
+ RET(sub)
+ } /*if*/
+
+ /* if MORE, prepare to move to the right.
+ */
+ if (cmp > 0) {
+ MSG("MORE: sprouting to the right")
+ sub = sprout(&(*ppr)->right, p_data, pi_balance,
+ pfi_compare, pfv_delete);
+ if (sub && *pi_balance) {
+ MSG("MORE: right branch has grown")
+
+ switch ((*ppr)->bal) {
+ case -1:
+ MSG("MORE: balance was off, fixed implicitly")
+ (*ppr)->bal = 0;
+ *pi_balance = FALSE;
+ break;
+ case 0:
+ MSG("MORE: balance was okay, now off but ok")
+ (*ppr)->bal = 1;
+ break;
+ case 1:
+ MSG("MORE: balance was off, need to rebalance")
+ p1 = (*ppr)->right;
+ if (p1->bal == 1) { /* RR */
+ MSG("MORE: single RR")
+ (*ppr)->right = p1->left;
+ p1->left = *ppr;
+ (*ppr)->bal = 0;
+ *ppr = p1;
+ } else { /* double RL */
+ MSG("MORE: double RL")
+
+ p2 = p1->left;
+ p1->left = p2->right;
+ p2->right = p1;
+
+ (*ppr)->right = p2->left;
+ p2->left = *ppr;
+
+ if (p2->bal == 1)
+ (*ppr)->bal = -1;
+ else
+ (*ppr)->bal = 0;
+
+ if (p2->bal == -1)
+ p1->bal = 1;
+ else
+ p1->bal = 0;
+
+ *ppr = p2;
+ } /*else*/
+ (*ppr)->bal = 0;
+ *pi_balance = FALSE;
+ } /*switch*/
+ } /*if*/
+ RET(sub)
+ } /*if*/
+
+ /* not less, not more: this is the same key! replace...
+ */
+ MSG("FOUND: Replacing data value")
+ *pi_balance = FALSE;
+ if (pfv_delete)
+ (*pfv_delete)((*ppr)->data);
+ (*ppr)->data = p_data;
+ RET(*ppr)
+}
+
+static int
+delete(tree **ppr_p, int (*pfi_compare)(tree_t, tree_t), tree_t p_user,
+ void (*pfv_uar)(tree_t), int *pi_balance, int *pi_uar_called)
+{
+ tree *pr_q;
+ int i_comp, i_ret;
+
+ ENTER("delete")
+
+ if (*ppr_p == NULL) {
+ MSG("key not in tree")
+ RET(FALSE)
+ }
+
+ i_comp = (*pfi_compare)((*ppr_p)->data, p_user);
+ if (i_comp > 0) {
+ MSG("too high - scan left")
+ i_ret = delete(&(*ppr_p)->left, pfi_compare, p_user, pfv_uar,
+ pi_balance, pi_uar_called);
+ if (*pi_balance)
+ bal_L(ppr_p, pi_balance);
+ } else if (i_comp < 0) {
+ MSG("too low - scan right")
+ i_ret = delete(&(*ppr_p)->right, pfi_compare, p_user, pfv_uar,
+ pi_balance, pi_uar_called);
+ if (*pi_balance)
+ bal_R(ppr_p, pi_balance);
+ } else {
+ MSG("equal")
+ pr_q = *ppr_p;
+ if (pr_q->right == NULL) {
+ MSG("right subtree null")
+ *ppr_p = pr_q->left;
+ *pi_balance = TRUE;
+ } else if (pr_q->left == NULL) {
+ MSG("right subtree non-null, left subtree null")
+ *ppr_p = pr_q->right;
+ *pi_balance = TRUE;
+ } else {
+ MSG("neither subtree null")
+ del(&pr_q->left, pi_balance, &pr_q,
+ pfv_uar, pi_uar_called);
+ if (*pi_balance)
+ bal_L(ppr_p, pi_balance);
+ }
+ if (!*pi_uar_called && pfv_uar)
+ (*pfv_uar)(pr_q->data);
+ /* Thanks to wuth@castrov.cuc.ab.ca for the following stmt. */
+ memput(pr_q, sizeof(tree));
+ i_ret = TRUE;
+ }
+ RET(i_ret)
+}
+
+static void
+del(tree **ppr_r, int *pi_balance, tree **ppr_q,
+ void (*pfv_uar)(tree_t), int *pi_uar_called)
+{
+ ENTER("del")
+
+ if ((*ppr_r)->right != NULL) {
+ del(&(*ppr_r)->right, pi_balance, ppr_q,
+ pfv_uar, pi_uar_called);
+ if (*pi_balance)
+ bal_R(ppr_r, pi_balance);
+ } else {
+ if (pfv_uar)
+ (*pfv_uar)((*ppr_q)->data);
+ *pi_uar_called = TRUE;
+ (*ppr_q)->data = (*ppr_r)->data;
+ *ppr_q = *ppr_r;
+ *ppr_r = (*ppr_r)->left;
+ *pi_balance = TRUE;
+ }
+
+ RETV
+}
+
+static void
+bal_L(tree **ppr_p, int *pi_balance) {
+ tree *p1, *p2;
+ int b1, b2;
+
+ ENTER("bal_L")
+ MSG("left branch has shrunk")
+
+ switch ((*ppr_p)->bal) {
+ case -1:
+ MSG("was imbalanced, fixed implicitly")
+ (*ppr_p)->bal = 0;
+ break;
+ case 0:
+ MSG("was okay, is now one off")
+ (*ppr_p)->bal = 1;
+ *pi_balance = FALSE;
+ break;
+ case 1:
+ MSG("was already off, this is too much")
+ p1 = (*ppr_p)->right;
+ b1 = p1->bal;
+ if (b1 >= 0) {
+ MSG("single RR")
+ (*ppr_p)->right = p1->left;
+ p1->left = *ppr_p;
+ if (b1 == 0) {
+ MSG("b1 == 0")
+ (*ppr_p)->bal = 1;
+ p1->bal = -1;
+ *pi_balance = FALSE;
+ } else {
+ MSG("b1 != 0")
+ (*ppr_p)->bal = 0;
+ p1->bal = 0;
+ }
+ *ppr_p = p1;
+ } else {
+ MSG("double RL")
+ p2 = p1->left;
+ b2 = p2->bal;
+ p1->left = p2->right;
+ p2->right = p1;
+ (*ppr_p)->right = p2->left;
+ p2->left = *ppr_p;
+ if (b2 == 1)
+ (*ppr_p)->bal = -1;
+ else
+ (*ppr_p)->bal = 0;
+ if (b2 == -1)
+ p1->bal = 1;
+ else
+ p1->bal = 0;
+ *ppr_p = p2;
+ p2->bal = 0;
+ }
+ }
+ RETV
+}
+
+static void
+bal_R(tree **ppr_p, int *pi_balance) {
+ tree *p1, *p2;
+ int b1, b2;
+
+ ENTER("bal_R")
+ MSG("right branch has shrunk")
+ switch ((*ppr_p)->bal) {
+ case 1:
+ MSG("was imbalanced, fixed implicitly")
+ (*ppr_p)->bal = 0;
+ break;
+ case 0:
+ MSG("was okay, is now one off")
+ (*ppr_p)->bal = -1;
+ *pi_balance = FALSE;
+ break;
+ case -1:
+ MSG("was already off, this is too much")
+ p1 = (*ppr_p)->left;
+ b1 = p1->bal;
+ if (b1 <= 0) {
+ MSG("single LL")
+ (*ppr_p)->left = p1->right;
+ p1->right = *ppr_p;
+ if (b1 == 0) {
+ MSG("b1 == 0")
+ (*ppr_p)->bal = -1;
+ p1->bal = 1;
+ *pi_balance = FALSE;
+ } else {
+ MSG("b1 != 0")
+ (*ppr_p)->bal = 0;
+ p1->bal = 0;
+ }
+ *ppr_p = p1;
+ } else {
+ MSG("double LR")
+ p2 = p1->right;
+ b2 = p2->bal;
+ p1->right = p2->left;
+ p2->left = p1;
+ (*ppr_p)->left = p2->right;
+ p2->right = *ppr_p;
+ if (b2 == -1)
+ (*ppr_p)->bal = 1;
+ else
+ (*ppr_p)->bal = 0;
+ if (b2 == 1)
+ p1->bal = -1;
+ else
+ p1->bal = 0;
+ *ppr_p = p2;
+ p2->bal = 0;
+ }
+ }
+ RETV
+}
diff --git a/contrib/bind9/lib/bind/isc/tree.mdoc b/contrib/bind9/lib/bind/isc/tree.mdoc
new file mode 100644
index 0000000..c46fa7d
--- /dev/null
+++ b/contrib/bind9/lib/bind/isc/tree.mdoc
@@ -0,0 +1,154 @@
+.\" $Id: tree.mdoc,v 1.1.2.1.10.1 2004/03/09 08:33:44 marka Exp $
+.\"
+.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (c) 1995-1999 by Internet Software Consortium
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd April 5, 1994
+.Dt TREE 3
+.Os BSD 4
+.Sh NAME
+.Nm tree_init ,
+.Nm tree_mung ,
+.Nm tree_srch ,
+.Nm tree_add ,
+.Nm tree_delete ,
+.Nm tree_trav
+.Nd balanced binary tree routines
+.Sh SYNOPSIS
+.Ft void
+.Fn tree_init "void **tree"
+.Ft void *
+.Fn tree_srch "void **tree" "int (*compare)()" "void *data"
+.Ft void
+.Fn tree_add "void **tree" "int (*compare)()" \
+"void *data" "void (*del_uar)()"
+.Ft int
+.Fn tree_delete "void **tree" "int (*compare)()" \
+"void *data" "void (*del_uar)()"
+.Ft int
+.Fn tree_trav "void **tree" "int (*trav_uar)()"
+.Ft void
+.Fn tree_mung "void **tree" "void (*del_uar)()"
+.Sh DESCRIPTION
+These functions create and manipulate a balanced binary (AVL) tree. Each node
+of the tree contains the expected left & right subtree pointers, a short int
+balance indicator, and a pointer to the user data. On a 32 bit system, this
+means an overhead of 4+4+2+4 bytes per node (or, on a RISC or otherwise
+alignment constrained system with implied padding, 4+4+4+4 bytes per node).
+There is no key data type enforced by this package; a caller supplied
+compare routine is used to compare user data blocks.
+.Pp
+Balanced binary trees are very fast on searches and replacements, but have a
+moderately high cost for additions and deletions. If your application does a
+lot more searches and replacements than it does additions and deletions, the
+balanced (AVL) binary tree is a good choice for a data structure.
+.Pp
+.Fn Tree_init
+creates an empty tree and binds it to
+.Dq Fa tree
+(which for this and all other routines in this package should be declared as
+a pointer to void or int, and passed by reference), which can then be used by
+other routines in this package. Note that more than one
+.Dq Fa tree
+variable can exist at once; thus multiple trees can be manipulated
+simultaneously.
+.Pp
+.Fn Tree_srch
+searches a tree for a specific node and returns either
+.Fa NULL
+if no node was found, or the value of the user data pointer if the node
+was found.
+.Fn compare
+is the address of a function to compare two user data blocks. This routine
+should work much the way
+.Xr strcmp 3
+does; in fact,
+.Xr strcmp
+could be used if the user data was a \s-2NUL\s+2 terminated string.
+.Dq Fa Data
+is the address of a user data block to be used by
+.Fn compare
+as the search criteria. The tree is searched for a node where
+.Fn compare
+returns 0.
+.Pp
+.Fn Tree_add
+inserts or replaces a node in the specified tree. The tree specified by
+.Dq Fa tree
+is searched as in
+.Fn tree_srch ,
+and if a node is found to match
+.Dq Fa data ,
+then the
+.Fn del_uar
+function, if non\-\s-2NULL\s+2, is called with the address of the user data
+block for the node (this routine should deallocate any dynamic memory which
+is referenced exclusively by the node); the user data pointer for the node
+is then replaced by the value of
+.Dq Fa data .
+If no node is found to match, a new node is added (which may or may not
+cause a transparent rebalance operation), with a user data pointer equal to
+.Dq Fa data .
+A rebalance may or may not occur, depending on where the node is added
+and what the rest of the tree looks like.
+.Fn Tree_add
+will return the
+.Dq Fa data
+pointer unless catastrophe occurs in which case it will return \s-2NULL\s+2.
+.Pp
+.Fn Tree_delete
+deletes a node from
+.Dq Fa tree .
+A rebalance may or may not occur, depending on where the node is removed from
+and what the rest of the tree looks like.
+.Fn Tree_delete
+returns TRUE if a node was deleted, FALSE otherwise.
+.Pp
+.Fn Tree_trav
+traverses all of
+.Dq Fa tree ,
+calling
+.Fn trav_uar
+with the address of each user data block. If
+.Fn trav_uar
+returns FALSE at any time,
+.Fn tree_trav
+will immediately return FALSE to its caller. Otherwise all nodes will be
+reached and
+.Fn tree_trav
+will return TRUE.
+.Pp
+.Fn Tree_mung
+deletes every node in
+.Dq Fa tree ,
+calling
+.Fn del_uar
+(if it is not \s-2NULL\s+2) with the user data address from each node (see
+.Fn tree_add
+and
+.Fn tree_delete
+above). The tree is left in the same state that
+.Fn tree_init
+leaves it in \- i.e., empty.
+.Sh BUGS
+Should have a way for the caller to specify application-specific
+.Xr malloc
+and
+.Xr free
+functions to be used internally when allocating meta data.
+.Sh AUTHOR
+Paul Vixie, converted and augumented from Modula\-2 examples in
+.Dq Algorithms & Data Structures ,
+Niklaus Wirth, Prentice\-Hall, ISBN 0\-13\-022005\-1.
diff --git a/contrib/bind9/lib/bind/libtool.m4 b/contrib/bind9/lib/bind/libtool.m4
new file mode 100644
index 0000000..bbcc5f2
--- /dev/null
+++ b/contrib/bind9/lib/bind/libtool.m4
@@ -0,0 +1,5943 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+## Copyright 1996, 1997, 1998, 1999, 2000, 2001
+## Free Software Foundation, Inc.
+## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful, but
+## WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+##
+## As a special exception to the GNU General Public License, if you
+## distribute this file as part of a program that contains a
+## configuration script generated by Autoconf, you may include it under
+## the same distribution terms that you use for the rest of that program.
+
+# serial 47 AC_PROG_LIBTOOL
+
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If this macro is not defined by Autoconf, define it here.
+m4_ifdef([AC_PROVIDE_IFELSE],
+ [],
+ [m4_define([AC_PROVIDE_IFELSE],
+ [m4_ifdef([AC_PROVIDE_$1],
+ [$2], [$3])])])
+
+
+# AC_PROG_LIBTOOL
+# ---------------
+AC_DEFUN([AC_PROG_LIBTOOL],
+[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
+dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
+dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
+ AC_PROVIDE_IFELSE([AC_PROG_CXX],
+ [AC_LIBTOOL_CXX],
+ [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
+ ])])
+dnl And a similar setup for Fortran 77 support
+ AC_PROVIDE_IFELSE([AC_PROG_F77],
+ [AC_LIBTOOL_F77],
+ [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
+])])
+
+dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
+dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
+dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
+ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [ifdef([AC_PROG_GCJ],
+ [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([A][M_PROG_GCJ],
+ [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([LT_AC_PROG_GCJ],
+ [define([LT_AC_PROG_GCJ],
+ defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
+])])# AC_PROG_LIBTOOL
+
+
+# _AC_PROG_LIBTOOL
+# ----------------
+AC_DEFUN([_AC_PROG_LIBTOOL],
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Prevent multiple expansion
+define([AC_PROG_LIBTOOL], [])
+])# _AC_PROG_LIBTOOL
+
+
+# AC_LIBTOOL_SETUP
+# ----------------
+AC_DEFUN([AC_LIBTOOL_SETUP],
+[AC_PREREQ(2.50)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+
+AC_LIBTOOL_SYS_MAX_CMD_LEN
+AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+AC_LIBTOOL_OBJDIR
+
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+_LT_AC_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+
+# Same as above, but do not quote variable references.
+[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+ case $host_os in
+ openbsd*)
+ old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+ ;;
+ *)
+ old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+ ;;
+ esac
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ AC_PATH_MAGIC
+ fi
+ ;;
+esac
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+enable_win32_dll=yes, enable_win32_dll=no)
+
+AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+AC_ARG_WITH([pic],
+ [AC_HELP_STRING([--with-pic],
+ [try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+ [pic_mode="$withval"],
+ [pic_mode=default])
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+AC_LIBTOOL_LANG_C_CONFIG
+_LT_AC_TAGCONFIG
+])# AC_LIBTOOL_SETUP
+
+
+# _LT_AC_SYS_COMPILER
+# -------------------
+AC_DEFUN([_LT_AC_SYS_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_AC_SYS_COMPILER
+
+
+# _LT_AC_SYS_LIBPATH_AIX
+# ----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
+[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_AC_SYS_LIBPATH_AIX
+
+
+# _LT_AC_SHELL_INIT(ARG)
+# ----------------------
+AC_DEFUN([_LT_AC_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+ [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+ [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_AC_SHELL_INIT
+
+
+# _LT_AC_PROG_ECHO_BACKSLASH
+# --------------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
+[_LT_AC_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+ # Remove one level of quotation (which was required for Make).
+ ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+ ;;
+esac
+
+echo=${ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X[$]1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell.
+ exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+[$]*
+EOF
+ exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+ for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+ # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+ if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+ echo_test_string="`eval $cmd`" &&
+ (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+ then
+ break
+ fi
+ done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ :
+else
+ # The Solaris, AIX, and Digital Unix default echo programs unquote
+ # backslashes. This makes it impossible to quote backslashes using
+ # echo "$something" | sed 's/\\/\\\\/g'
+ #
+ # So, first we look for a working echo in the user's PATH.
+
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for dir in $PATH /usr/ucb; do
+ IFS="$lt_save_ifs"
+ if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+ test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$dir/echo"
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ if test "X$echo" = Xecho; then
+ # We didn't find a better echo, so look for alternatives.
+ if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # This shell has a builtin print -r that does the trick.
+ echo='print -r'
+ elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+ test "X$CONFIG_SHELL" != X/bin/ksh; then
+ # If we have ksh, try running configure again with it.
+ ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+ export ORIGINAL_CONFIG_SHELL
+ CONFIG_SHELL=/bin/ksh
+ export CONFIG_SHELL
+ exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+ else
+ # Try using printf.
+ echo='printf %s\n'
+ if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # Cool, printf works
+ :
+ elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+ export CONFIG_SHELL
+ SHELL="$CONFIG_SHELL"
+ export SHELL
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ else
+ # maybe with a smaller string...
+ prev=:
+
+ for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+ if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+ then
+ break
+ fi
+ prev="$cmd"
+ done
+
+ if test "$prev" != 'sed 50q "[$]0"'; then
+ echo_test_string=`eval $prev`
+ export echo_test_string
+ exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+ else
+ # Oops. We lost completely, so just stick with echo.
+ echo=echo
+ fi
+ fi
+ fi
+ fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+ ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(ECHO)
+])])# _LT_AC_PROG_ECHO_BACKSLASH
+
+
+# _LT_AC_LOCK
+# -----------
+AC_DEFUN([_LT_AC_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *ELF-32*)
+ HPUX_IA64_MODE="32"
+ ;;
+ *ELF-64*)
+ HPUX_IA64_MODE="64"
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+*-*-irix6*)
+ # Find out which ABI we are using.
+ echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -melf32bsmip"
+ ;;
+ *N32*)
+ LD="${LD-ld} -melf32bmipn32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -melf64bmip"
+ ;;
+ esac
+ else
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -32"
+ ;;
+ *N32*)
+ LD="${LD-ld} -n32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -64"
+ ;;
+ esac
+ fi
+ fi
+ rm -rf conftest*
+ ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case "`/usr/bin/file conftest.o`" in
+ *32-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_i386"
+ ;;
+ ppc64-*linux*|powerpc64-*linux*)
+ LD="${LD-ld} -m elf32ppclinux"
+ ;;
+ s390x-*linux*)
+ LD="${LD-ld} -m elf_s390"
+ ;;
+ sparc64-*linux*)
+ LD="${LD-ld} -m elf32_sparc"
+ ;;
+ esac
+ ;;
+ *64-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ ppc*-*linux*|powerpc*-*linux*)
+ LD="${LD-ld} -m elf64ppc"
+ ;;
+ s390*-*linux*)
+ LD="${LD-ld} -m elf64_s390"
+ ;;
+ sparc*-*linux*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+*-*-sco3.2v5*)
+ # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+ SAVE_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -belf"
+ AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+ [AC_LANG_PUSH(C)
+ AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+ AC_LANG_POP])
+ if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+ # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+ CFLAGS="$SAVE_CFLAGS"
+ fi
+ ;;
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+ AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+ AC_CHECK_TOOL(AS, as, false)
+ AC_CHECK_TOOL(OBJDUMP, objdump, false)
+ ;;
+ ])
+esac
+
+need_locks="$enable_libtool_lock"
+
+])# _LT_AC_LOCK
+
+
+# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])
+AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$3"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$5], , :, [$5])
+else
+ ifelse([$6], , :, [$6])
+fi
+])# AC_LIBTOOL_COMPILER_OPTION
+
+
+# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [ACTION-SUCCESS], [ACTION-FAILURE])
+# ------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
+[AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $3"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&AS_MESSAGE_LOG_FD
+ else
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$4], , :, [$4])
+else
+ ifelse([$5], , :, [$5])
+fi
+])# AC_LIBTOOL_LINKER_OPTION
+
+
+# AC_LIBTOOL_SYS_MAX_CMD_LEN
+# --------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
+[# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+ i=0
+ testring="ABCD"
+
+ case $build_os in
+ msdosdjgpp*)
+ # On DJGPP, this test can blow up pretty badly due to problems in libc
+ # (any single argument exceeding 2000 bytes causes a buffer overrun
+ # during glob expansion). Even if it were fixed, the result of this
+ # check would be larger than it should be.
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right
+ ;;
+
+ gnu*)
+ # Under GNU Hurd, this test is not required because there is
+ # no limit to the length of command line arguments.
+ # Libtool will interpret -1 as no limit whatsoever
+ lt_cv_sys_max_cmd_len=-1;
+ ;;
+
+ cygwin* | mingw*)
+ # On Win9x/ME, this test blows up -- it succeeds, but takes
+ # about 5 minutes as the teststring grows exponentially.
+ # Worse, since 9x/ME are not pre-emptively multitasking,
+ # you end up with a "frozen" computer, even though with patience
+ # the test eventually succeeds (with a max line length of 256k).
+ # Instead, let's just punt: use the minimum linelength reported by
+ # all of the supported platforms: 8192 (on NT/2K/XP).
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ amigaos*)
+ # On AmigaOS with pdksh, this test takes hours, literally.
+ # So we just punt and use a minimum line length of 8192.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ *)
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \
+ = "XX$testring") >/dev/null 2>&1 &&
+ new_result=`expr "X$testring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ testring=$testring$testring
+ done
+ testring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+ ;;
+ esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+ AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+ AC_MSG_RESULT(none)
+fi
+])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+
+
+# _LT_AC_CHECK_DLFCN
+# --------------------
+AC_DEFUN([_LT_AC_CHECK_DLFCN],
+[AC_CHECK_HEADERS(dlfcn.h)dnl
+])# _LT_AC_CHECK_DLFCN
+
+
+# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ------------------------------------------------------------------
+AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+ [$4]
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}]
+EOF
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) $1 ;;
+ x$lt_dlneed_uscore) $2 ;;
+ x$lt_unknown|x*) $3 ;;
+ esac
+ else :
+ # compilation failed
+ $3
+ fi
+fi
+rm -fr conftest*
+])# _LT_AC_TRY_DLOPEN_SELF
+
+
+# AC_LIBTOOL_DLOPEN_SELF
+# -------------------
+AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ])
+ ;;
+
+ *)
+ AC_CHECK_FUNC([shl_load],
+ [lt_cv_dlopen="shl_load"],
+ [AC_CHECK_LIB([dld], [shl_load],
+ [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
+ [AC_CHECK_FUNC([dlopen],
+ [lt_cv_dlopen="dlopen"],
+ [AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+ [AC_CHECK_LIB([svld], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+ [AC_CHECK_LIB([dld], [dld_link],
+ [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
+ ])
+ ])
+ ])
+ ])
+ ])
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ AC_CACHE_CHECK([whether a program can dlopen itself],
+ lt_cv_dlopen_self, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+ lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+ ])
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ LDFLAGS="$LDFLAGS $link_static_flag"
+ AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+ lt_cv_dlopen_self_static, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+ lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross)
+ ])
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+])# AC_LIBTOOL_DLOPEN_SELF
+
+
+# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
+# ---------------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler
+AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+])
+])# AC_LIBTOOL_PROG_CC_C_O
+
+
+# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
+# -----------------------------------------
+# Check to see if we can do hard links to lock some files if needed
+AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
+[AC_REQUIRE([_LT_AC_LOCK])dnl
+
+hard_links="nottested"
+if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ AC_MSG_CHECKING([if we can lock with hard links])
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ AC_MSG_RESULT([$hard_links])
+ if test "$hard_links" = no; then
+ AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+
+
+# AC_LIBTOOL_OBJDIR
+# -----------------
+AC_DEFUN([AC_LIBTOOL_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+ lt_cv_objdir=.libs
+else
+ # MS-DOS does not allow filenames that begin with a dot.
+ lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+])# AC_LIBTOOL_OBJDIR
+
+
+# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
+# ----------------------------------------------
+# Check hardcoding attributes.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_AC_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
+ test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \
+ test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+ test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+ # Linking always hardcodes the temporary library directory.
+ _LT_AC_TAGVAR(hardcode_action, $1)=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+
+
+# AC_LIBTOOL_SYS_LIB_STRIP
+# ------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
+[striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+fi
+ ;;
+ *)
+ AC_MSG_RESULT([no])
+ ;;
+ esac
+fi
+])# AC_LIBTOOL_SYS_LIB_STRIP
+
+
+# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
+[AC_MSG_CHECKING([dynamic linker characteristics])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[[01]] | aix4.[[01]].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[[89]] | openbsd2.[[89]].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+
+
+# _LT_AC_TAGCONFIG
+# ----------------
+AC_DEFUN([_LT_AC_TAGCONFIG],
+[AC_ARG_WITH([tags],
+ [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
+ [include additional configurations @<:@automatic@:>@])],
+ [tagnames="$withval"])
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+ if test ! -f "${ofile}"; then
+ AC_MSG_WARN([output file `$ofile' does not exist])
+ fi
+
+ if test -z "$LTCC"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+ if test -z "$LTCC"; then
+ AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
+ else
+ AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
+ fi
+ fi
+
+ # Extract list of available tagged configurations in $ofile.
+ # Note that this assumes the entire list is on one line.
+ available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for tagname in $tagnames; do
+ IFS="$lt_save_ifs"
+ # Check whether tagname contains only valid characters
+ case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
+ "") ;;
+ *) AC_MSG_ERROR([invalid tag name: $tagname])
+ ;;
+ esac
+
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+ then
+ AC_MSG_ERROR([tag name \"$tagname\" already exists])
+ fi
+
+ # Update the list of available tags.
+ if test -n "$tagname"; then
+ echo appending configuration tag \"$tagname\" to $ofile
+
+ case $tagname in
+ CXX)
+ if test -n "$CXX" && test "X$CXX" != "Xno"; then
+ AC_LIBTOOL_LANG_CXX_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ F77)
+ if test -n "$F77" && test "X$F77" != "Xno"; then
+ AC_LIBTOOL_LANG_F77_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ GCJ)
+ if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+ AC_LIBTOOL_LANG_GCJ_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ RC)
+ AC_LIBTOOL_LANG_RC_CONFIG
+ ;;
+
+ *)
+ AC_MSG_ERROR([Unsupported tag name: $tagname])
+ ;;
+ esac
+
+ # Append the new tag name to the list of available tags.
+ if test -n "$tagname" ; then
+ available_tags="$available_tags $tagname"
+ fi
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ # Now substitute the updated list of available tags.
+ if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+ mv "${ofile}T" "$ofile"
+ chmod +x "$ofile"
+ else
+ rm -f "${ofile}T"
+ AC_MSG_ERROR([unable to update list of available tagged configurations.])
+ fi
+fi
+])# _LT_AC_TAGCONFIG
+
+
+# AC_LIBTOOL_DLOPEN
+# -----------------
+# enable checks for dlopen support
+AC_DEFUN([AC_LIBTOOL_DLOPEN],
+ [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_DLOPEN
+
+
+# AC_LIBTOOL_WIN32_DLL
+# --------------------
+# declare package support for building win32 dll's
+AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_WIN32_DLL
+
+
+# AC_ENABLE_SHARED([DEFAULT])
+# ---------------------------
+# implement the --enable-shared flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_SHARED],
+[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([shared],
+ [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+ [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_shared=yes ;;
+ no) enable_shared=no ;;
+ *)
+ enable_shared=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_shared=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
+])# AC_ENABLE_SHARED
+
+
+# AC_DISABLE_SHARED
+# -----------------
+#- set the default shared flag to --disable-shared
+AC_DEFUN([AC_DISABLE_SHARED],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)
+])# AC_DISABLE_SHARED
+
+
+# AC_ENABLE_STATIC([DEFAULT])
+# ---------------------------
+# implement the --enable-static flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_STATIC],
+[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([static],
+ [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+ [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_static=yes ;;
+ no) enable_static=no ;;
+ *)
+ enable_static=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_static=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_static=]AC_ENABLE_STATIC_DEFAULT)
+])# AC_ENABLE_STATIC
+
+
+# AC_DISABLE_STATIC
+# -----------------
+# set the default static flag to --disable-static
+AC_DEFUN([AC_DISABLE_STATIC],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)
+])# AC_DISABLE_STATIC
+
+
+# AC_ENABLE_FAST_INSTALL([DEFAULT])
+# ---------------------------------
+# implement the --enable-fast-install flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_FAST_INSTALL],
+[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([fast-install],
+ [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+ [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_fast_install=yes ;;
+ no) enable_fast_install=no ;;
+ *)
+ enable_fast_install=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_fast_install=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
+])# AC_ENABLE_FAST_INSTALL
+
+
+# AC_DISABLE_FAST_INSTALL
+# -----------------------
+# set the default to --disable-fast-install
+AC_DEFUN([AC_DISABLE_FAST_INSTALL],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)
+])# AC_DISABLE_FAST_INSTALL
+
+
+# AC_LIBTOOL_PICMODE([MODE])
+# --------------------------
+# implement the --with-pic flag
+# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
+AC_DEFUN([AC_LIBTOOL_PICMODE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)
+])# AC_LIBTOOL_PICMODE
+
+
+# AC_PROG_EGREP
+# -------------
+# This is predefined starting with Autoconf 2.54, so this conditional
+# definition can be removed once we require Autoconf 2.54 or later.
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
+[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
+ [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+ then ac_cv_prog_egrep='grep -E'
+ else ac_cv_prog_egrep='egrep'
+ fi])
+ EGREP=$ac_cv_prog_egrep
+ AC_SUBST([EGREP])
+])])
+
+
+# AC_PATH_TOOL_PREFIX
+# -------------------
+# find a file program which can recognise shared library
+AC_DEFUN([AC_PATH_TOOL_PREFIX],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] | ?:[\\/]*])
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word. This closes a longstanding sh security hole.
+ ac_dummy="ifelse([$2], , $PATH, [$2])"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$1; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ AC_MSG_RESULT($MAGIC_CMD)
+else
+ AC_MSG_RESULT(no)
+fi
+])# AC_PATH_TOOL_PREFIX
+
+
+# AC_PATH_MAGIC
+# -------------
+# find a file program which can recognise a shared library
+AC_DEFUN([AC_PATH_MAGIC],
+[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+ if test -n "$ac_tool_prefix"; then
+ AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+ else
+ MAGIC_CMD=:
+ fi
+fi
+])# AC_PATH_MAGIC
+
+
+# AC_PROG_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([AC_PROG_LD],
+[AC_ARG_WITH([gnu-ld],
+ [AC_HELP_STRING([--with-gnu-ld],
+ [assume the C compiler uses GNU ld @<:@default=no@:>@])],
+ [test "$withval" = no || with_gnu_ld=yes],
+ [with_gnu_ld=no])
+AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ AC_MSG_CHECKING([for ld used by $CC])
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [[\\/]]* | ?:[[\\/]]*)
+ re_direlt='/[[^/]][[^/]]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ AC_MSG_CHECKING([for GNU ld])
+else
+ AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some GNU ld's only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ AC_MSG_RESULT($LD)
+else
+ AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])# AC_PROG_LD
+
+
+# AC_PROG_LD_GNU
+# --------------
+AC_DEFUN([AC_PROG_LD_GNU],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# AC_PROG_LD_GNU
+
+
+# AC_PROG_LD_RELOAD_FLAG
+# ----------------------
+# find reload flag for linker
+# -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+ lt_cv_ld_reload_flag,
+ [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+])# AC_PROG_LD_RELOAD_FLAG
+
+
+# AC_DEPLIBS_CHECK_METHOD
+# -----------------------
+# how to check for library dependencies
+# -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
+[AC_CACHE_CHECK([how to recognise dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+beos*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+bsdi4*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+ lt_cv_file_magic_cmd='/usr/bin/file -L'
+ lt_cv_file_magic_test_file=/shlib/libc.so
+ ;;
+
+cygwin*)
+ # win32_libid is a shell function defined in ltmain.sh
+ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+ lt_cv_file_magic_cmd='win32_libid'
+ ;;
+
+mingw* | pw32*)
+ # Base MSYS/MinGW do not provide the 'file' command needed by
+ # win32_libid shell function, so use a weaker test based on 'objdump'.
+ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ lt_cv_file_magic_cmd='$OBJDUMP -f'
+ ;;
+
+darwin* | rhapsody*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+freebsd* | kfreebsd*-gnu)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ case $host_cpu in
+ i*86 )
+ # Not sure whether the presence of OpenBSD here was a mistake.
+ # Let's accept both of them until this is cleared up.
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ ;;
+ esac
+ else
+ lt_cv_deplibs_check_method=pass_all
+ fi
+ ;;
+
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+hpux10.20* | hpux11*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ case "$host_cpu" in
+ ia64*)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+ lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+ ;;
+ hppa*64*)
+ [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+ lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+ ;;
+ *)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+ lt_cv_file_magic_test_file=/usr/lib/libc.sl
+ ;;
+ esac
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $LD in
+ *-32|*"-32 ") libmagic=32-bit;;
+ *-n32|*"-n32 ") libmagic=N32;;
+ *-64|*"-64 ") libmagic=64-bit;;
+ *) libmagic=never-match;;
+ esac
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ case $host_cpu in
+ alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+ lt_cv_deplibs_check_method=pass_all ;;
+ *)
+ # glibc up to 2.1.1 does not perform some relocations on ARM
+ # this will be overridden with pass_all, but let us keep it just in case
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;;
+ esac
+ lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+ fi
+ ;;
+
+newos6*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=/usr/lib/libnls.so
+ ;;
+
+nto-qnx*)
+ lt_cv_deplibs_check_method=unknown
+ ;;
+
+openbsd*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object'
+ else
+ lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+ fi
+ ;;
+
+osf3* | osf4* | osf5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sco3.2v5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+solaris*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ case $host_vendor in
+ motorola)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+ ;;
+ ncr)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ sequent)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+ ;;
+ sni)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+ lt_cv_file_magic_test_file=/lib/libc.so
+ ;;
+ siemens)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ esac
+ ;;
+
+sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+])# AC_DEPLIBS_CHECK_METHOD
+
+
+# AC_PROG_NM
+# ----------
+# find the pathname to a BSD-compatible name lister
+AC_DEFUN([AC_PROG_NM],
+[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+[if test -n "$NM"; then
+ # Let the user override the test.
+ lt_cv_path_NM="$NM"
+else
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ tmp_nm="$ac_dir/${ac_tool_prefix}nm"
+ if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+ # Check to see if the nm accepts a BSD-compat flag.
+ # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+ # nm: unknown option "B" ignored
+ # Tru64's nm complains that /dev/null is an invalid object file
+ case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+ */dev/null* | *'Invalid file or object type'*)
+ lt_cv_path_NM="$tmp_nm -B"
+ break
+ ;;
+ *)
+ case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+ */dev/null*)
+ lt_cv_path_NM="$tmp_nm -p"
+ break
+ ;;
+ *)
+ lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+ continue # so that we can try to find one that supports BSD flags
+ ;;
+ esac
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+ test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi])
+NM="$lt_cv_path_NM"
+])# AC_PROG_NM
+
+
+# AC_CHECK_LIBM
+# -------------
+# check for math library
+AC_DEFUN([AC_CHECK_LIBM],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+ # These system don't have libm, or don't need it
+ ;;
+*-ncr-sysv4.3*)
+ AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+ AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+ ;;
+*)
+ AC_CHECK_LIB(m, cos, LIBM="-lm")
+ ;;
+esac
+])# AC_CHECK_LIBM
+
+
+# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl convenience library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-convenience to the configure arguments. Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
+# DIRECTORY is not provided, it is assumed to be `libltdl'. LIBLTDL will
+# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
+# '${top_srcdir}/' (note the single quotes!). If your package is not
+# flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ case $enable_ltdl_convenience in
+ no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+ "") enable_ltdl_convenience=yes
+ ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+ esac
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_CONVENIENCE
+
+
+# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl installable library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-install to the configure arguments. Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
+# DIRECTORY is not provided and an installed libltdl is not found, it is
+# assumed to be `libltdl'. LIBLTDL will be prefixed with '${top_builddir}/'
+# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
+# quotes!). If your package is not flat and you're not using automake,
+# define top_builddir and top_srcdir appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ AC_CHECK_LIB(ltdl, lt_dlinit,
+ [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+ [if test x"$enable_ltdl_install" = xno; then
+ AC_MSG_WARN([libltdl not installed, but installation disabled])
+ else
+ enable_ltdl_install=yes
+ fi
+ ])
+ if test x"$enable_ltdl_install" = x"yes"; then
+ ac_configure_args="$ac_configure_args --enable-ltdl-install"
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ else
+ ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+ LIBLTDL="-lltdl"
+ LTDLINCL=
+ fi
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_INSTALLABLE
+
+
+# AC_LIBTOOL_CXX
+# --------------
+# enable support for C++ libraries
+AC_DEFUN([AC_LIBTOOL_CXX],
+[AC_REQUIRE([_LT_AC_LANG_CXX])
+])# AC_LIBTOOL_CXX
+
+
+# _LT_AC_LANG_CXX
+# ---------------
+AC_DEFUN([_LT_AC_LANG_CXX],
+[AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
+])# _LT_AC_LANG_CXX
+
+
+# AC_LIBTOOL_F77
+# --------------
+# enable support for Fortran 77 libraries
+AC_DEFUN([AC_LIBTOOL_F77],
+[AC_REQUIRE([_LT_AC_LANG_F77])
+])# AC_LIBTOOL_F77
+
+
+# _LT_AC_LANG_F77
+# ---------------
+AC_DEFUN([_LT_AC_LANG_F77],
+[AC_REQUIRE([AC_PROG_F77])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
+])# _LT_AC_LANG_F77
+
+
+# AC_LIBTOOL_GCJ
+# --------------
+# enable support for GCJ libraries
+AC_DEFUN([AC_LIBTOOL_GCJ],
+[AC_REQUIRE([_LT_AC_LANG_GCJ])
+])# AC_LIBTOOL_GCJ
+
+
+# _LT_AC_LANG_GCJ
+# ---------------
+AC_DEFUN([_LT_AC_LANG_GCJ],
+[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
+ [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
+ [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
+ [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
+])# _LT_AC_LANG_GCJ
+
+
+# AC_LIBTOOL_RC
+# --------------
+# enable support for Windows resource files
+AC_DEFUN([AC_LIBTOOL_RC],
+[AC_REQUIRE([LT_AC_PROG_RC])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
+])# AC_LIBTOOL_RC
+
+
+# AC_LIBTOOL_LANG_C_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
+AC_DEFUN([_LT_AC_LANG_C_CONFIG],
+[lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+_LT_AC_SYS_COMPILER
+
+#
+# Check for any special shared library compilation flags.
+#
+_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
+if test "$GCC" = no; then
+ case $host_os in
+ sco3.2v5*)
+ _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
+ ;;
+ esac
+fi
+if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
+ AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
+ if echo "$old_CC $old_CFLAGS " | grep "[[ ]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ ]]" >/dev/null; then :
+ else
+ AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
+ _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
+ fi
+fi
+
+
+#
+# Check to make sure the static flag actually works.
+#
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
+ _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
+ $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
+ [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
+
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+# Report which librarie types wil actually be built
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+
+aix4*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+ darwin* | rhapsody*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ output_verbose_link_cmd='echo'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_C_CONFIG
+
+
+# AC_LIBTOOL_LANG_CXX_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
+AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
+[AC_LANG_PUSH(C++)
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Dependencies to place before and after the object being linked:
+_LT_AC_TAGVAR(predep_objects, $1)=
+_LT_AC_TAGVAR(postdep_objects, $1)=
+_LT_AC_TAGVAR(predeps, $1)=
+_LT_AC_TAGVAR(postdeps, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+
+# Source file extension for C++ test sources.
+ac_ext=cc
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+ lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+ unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+ lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+ unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+else
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+fi
+
+if test "$GXX" = yes; then
+ # Set up default GNU C++ configuration
+
+ AC_PROG_LD
+
+ # Check if GNU C++ uses GNU ld as the underlying linker, since the
+ # archiving commands below assume that GNU ld is being used.
+ if test "$with_gnu_ld" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+ # investigate it a little bit more. (MM)
+ wlarc='${wl}'
+
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+ grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ else
+ with_gnu_ld=no
+ wlarc=
+
+ # A generic and very simple default shared library creation
+ # command for GNU C++ for the case where it uses the native
+ # linker, instead of GNU ld. If possible, this setting should
+ # overridden to take advantage of the native linker features on
+ # the platform it is being used on.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ fi
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+ GXX=no
+ with_gnu_ld=no
+ wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+case $host_os in
+ aix3*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ case $ld_flag in
+ *-brtl*)
+ aix_use_runtimelinking=yes
+ break
+ ;;
+ esac
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GXX" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ dgux*)
+ case $cc_basename in
+ ec++)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ freebsd[12]*)
+ # C++ shared libraries reported to be fairly broken before switch to ELF
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ freebsd-elf*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+ # conventions
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ ;;
+ gnu*)
+ ;;
+ hpux9*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ hpux10*|hpux11*)
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+ esac
+ fi
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ esac
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC)
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ ia64*|hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ fi
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ irix5* | irix6*)
+ case $cc_basename in
+ CC)
+ # SGI C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ # Archives containing C++ object files must be created using
+ # "CC -ar", where "CC" is the IRIX C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+ fi
+ fi
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+ esac
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+ ;;
+ icpc)
+ # Intel C++
+ with_gnu_ld=yes
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ ;;
+ cxx)
+ # Compaq C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ esac
+ ;;
+ lynxos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ m88k*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ fi
+ # Workaround some broken pre-1.5 toolchains
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+ ;;
+ osf3*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+ echo "-hidden">> $lib.exp~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~
+ $rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ psos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ sco*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ lcc)
+ # Lucid
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The C++ compiler is used as linker so we must use $wl
+ # flag to pass the commands to the underlying system
+ # linker.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+ ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ # Archives containing C++ object files must be created using
+ # "CC -xar", where "CC" is the Sun C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+ # The C++ compiler must be used to create the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+ ;;
+ *)
+ # GNU C++ compiler with Solaris linker
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+ if $CC --version | grep -v '^2\.7' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ else
+ # g++ 2.7 appears to require `-G' NOT `-shared' on this
+ # platform.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ fi
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+ fi
+ ;;
+ esac
+ ;;
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ vxworks*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+esac
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$GXX"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_POSTDEP_PREDEP($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+])# AC_LIBTOOL_LANG_CXX_CONFIG
+
+# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
+# ------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library. It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
+int a;
+void foo (void) { a = 0; }
+EOF
+],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+ Foo (void) { a = 0; }
+private:
+ int a;
+};
+EOF
+],[$1],[F77],[cat > conftest.$ac_ext <<EOF
+ subroutine foo
+ implicit none
+ integer*4 a
+ a=0
+ return
+ end
+EOF
+],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
+public class foo {
+ private int a;
+ public void bar (void) {
+ a = 0;
+ }
+};
+EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+ # Parse the compiler output and extract the necessary
+ # objects, libraries and library flags.
+
+ # Sentinel used to keep track of whether or not we are before
+ # the conftest object file.
+ pre_test_object_deps_done=no
+
+ # The `*' in the case matches for architectures that use `case' in
+ # $output_verbose_cmd can trigger glob expansion during the loop
+ # eval without this substitution.
+ output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+
+ for p in `eval $output_verbose_link_cmd`; do
+ case $p in
+
+ -L* | -R* | -l*)
+ # Some compilers place space between "-{L,R}" and the path.
+ # Remove the space.
+ if test $p = "-L" \
+ || test $p = "-R"; then
+ prev=$p
+ continue
+ else
+ prev=
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ case $p in
+ -L* | -R*)
+ # Internal compiler library paths should come after those
+ # provided the user. The postdeps already come after the
+ # user supplied libs so there is no need to process them.
+ if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+ fi
+ ;;
+ # The "-l" case would never come before the object being
+ # linked, so don't bother handling this case.
+ esac
+ else
+ if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
+ _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
+ fi
+ fi
+ ;;
+
+ *.$objext)
+ # This assumes that the test object file only shows up
+ # once in the compiler output.
+ if test "$p" = "conftest.$objext"; then
+ pre_test_object_deps_done=yes
+ continue
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
+ _LT_AC_TAGVAR(predep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
+ fi
+ else
+ if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
+ _LT_AC_TAGVAR(postdep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
+ fi
+ fi
+ ;;
+
+ *) ;; # Ignore the rest.
+
+ esac
+ done
+
+ # Clean up.
+ rm -f a.out a.exe
+else
+ echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$rm -f confest.$objext
+
+case " $_LT_AC_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+])# AC_LIBTOOL_POSTDEP_PREDEP
+
+# AC_LIBTOOL_LANG_F77_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
+AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
+[AC_REQUIRE([AC_PROG_F77])
+AC_LANG_PUSH(Fortran 77)
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code=" subroutine t\n return\n end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=" program t\n end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+aix4*)
+ test "$enable_shared" = yes && enable_static=no
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$G77"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_F77_CONFIG
+
+
+# AC_LIBTOOL_LANG_GCJ_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
+AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_GCJ_CONFIG
+
+
+# AC_LIBTOOL_LANG_RC_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the Windows resource compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
+AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_RC_CONFIG
+
+
+# AC_LIBTOOL_CONFIG([TAGNAME])
+# ----------------------------
+# If TAGNAME is not passed, then create an initial libtool script
+# with a default configuration from the untagged config vars. Otherwise
+# add code to config.status for appending the configuration named by
+# TAGNAME from the matching tagged config vars.
+AC_DEFUN([AC_LIBTOOL_CONFIG],
+[# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ _LT_AC_TAGVAR(compiler, $1) \
+ _LT_AC_TAGVAR(CC, $1) \
+ _LT_AC_TAGVAR(LD, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
+ _LT_AC_TAGVAR(old_archive_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
+ _LT_AC_TAGVAR(predep_objects, $1) \
+ _LT_AC_TAGVAR(postdep_objects, $1) \
+ _LT_AC_TAGVAR(predeps, $1) \
+ _LT_AC_TAGVAR(postdeps, $1) \
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+ _LT_AC_TAGVAR(archive_cmds, $1) \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(postinstall_cmds, $1) \
+ _LT_AC_TAGVAR(postuninstall_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
+ _LT_AC_TAGVAR(allow_undefined_flag, $1) \
+ _LT_AC_TAGVAR(no_undefined_flag, $1) \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
+ _LT_AC_TAGVAR(hardcode_automatic, $1) \
+ _LT_AC_TAGVAR(module_cmds, $1) \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+ _LT_AC_TAGVAR(exclude_expsyms, $1) \
+ _LT_AC_TAGVAR(include_expsyms, $1); do
+
+ case $var in
+ _LT_AC_TAGVAR(old_archive_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(module_cmds, $1) | \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\[$]0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
+ ;;
+ esac
+
+ifelse([$1], [],
+ [cfgfile="${ofile}T"
+ trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+ $rm -f "$cfgfile"
+ AC_MSG_NOTICE([creating $ofile])],
+ [cfgfile="$ofile"])
+
+ cat <<__EOF__ >> "$cfgfile"
+ifelse([$1], [],
+[#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG],
+[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+
+# Is the compiler the GNU C compiler?
+with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
+archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
+module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+
+# Symbols that must always be exported.
+include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+
+ifelse([$1],[],
+[# ### END LIBTOOL CONFIG],
+[# ### END LIBTOOL TAG CONFIG: $tagname])
+
+__EOF__
+
+ifelse([$1],[], [
+ case $host_os in
+ aix3*)
+ cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program. For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+fi
+EOF
+ ;;
+ esac
+
+ # We use sed instead of cat because bash on DJGPP gets confused if
+ # if finds mixed CR/LF and LF-only lines. Since sed operates in
+ # text mode, it properly converts lines to CR/LF. This bash problem
+ # is reportedly fixed, but why not run on old versions too?
+ sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+ mv -f "$cfgfile" "$ofile" || \
+ (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+ chmod +x "$ofile"
+])
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+])# AC_LIBTOOL_CONFIG
+
+
+# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+ lt_cv_prog_compiler_rtti_exceptions,
+ [-fno-rtti -fno-exceptions], [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+
+
+# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+# ---------------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
+[AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_NM])
+AC_REQUIRE([AC_OBJEXT])
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix. What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+ symcode='[[BCDT]]'
+ ;;
+cygwin* | mingw* | pw32*)
+ symcode='[[ABCDGISTW]]'
+ ;;
+hpux*) # Its linker distinguishes data from code symbols
+ if test "$host_cpu" = ia64; then
+ symcode='[[ABCDEGRST]]'
+ fi
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ ;;
+irix* | nonstopux*)
+ symcode='[[BCDEGRST]]'
+ ;;
+osf*)
+ symcode='[[BCDEGQRST]]'
+ ;;
+solaris* | sysv5*)
+ symcode='[[BDRT]]'
+ ;;
+sysv4)
+ symcode='[[DFNSTU]]'
+ ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+ opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+ ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+ symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+ # Write the raw and C identifiers.
+ lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+ # Check to see that the pipe works correctly.
+ pipe_works=no
+
+ rm -f conftest*
+ cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+ if AC_TRY_EVAL(ac_compile); then
+ # Now try to grab the symbols.
+ nlist=conftest.nm
+ if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+ # Try sorting and uniquifying the output.
+ if sort "$nlist" | uniq > "$nlist"T; then
+ mv -f "$nlist"T "$nlist"
+ else
+ rm -f "$nlist"T
+ fi
+
+ # Make sure that we snagged all the symbols we need.
+ if grep ' nm_test_var$' "$nlist" >/dev/null; then
+ if grep ' nm_test_func$' "$nlist" >/dev/null; then
+ cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+ # Now generate the symbol file.
+ eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+ cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[[]] =
+{
+EOF
+ $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+ cat <<\EOF >> conftest.$ac_ext
+ {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+ # Now try linking the two files.
+ mv conftest.$ac_objext conftstm.$ac_objext
+ lt_save_LIBS="$LIBS"
+ lt_save_CFLAGS="$CFLAGS"
+ LIBS="conftstm.$ac_objext"
+ CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+ pipe_works=yes
+ fi
+ LIBS="$lt_save_LIBS"
+ CFLAGS="$lt_save_CFLAGS"
+ else
+ echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+ cat conftest.$ac_ext >&5
+ fi
+ rm -f conftest* conftst*
+
+ # Do not use the global_symbol_pipe unless it works.
+ if test "$pipe_works" = yes; then
+ break
+ else
+ lt_cv_sys_global_symbol_pipe=
+ fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+ lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+ AC_MSG_RESULT(failed)
+else
+ AC_MSG_RESULT(ok)
+fi
+]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+
+
+# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
+# ---------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
+[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+ ifelse([$1],[CXX],[
+ # C++ specific cases for pic, static, wl, etc.
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+ mingw* | os2* | pw32*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+ *djgpp*)
+ # DJGPP does not support shared libraries at all
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ case $host_os in
+ aix4* | aix5*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ cxch68)
+ # Green Hills C++ Compiler
+ # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+ ;;
+ esac
+ ;;
+ dgux*)
+ case $cc_basename in
+ ec++)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD uses GNU C++
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ fi
+ ;;
+ aCC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ # CC pic flag -KPIC is the default.
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # KAI C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ icpc)
+ # Intel C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ cxx)
+ # Compaq C++
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ lynxos*)
+ ;;
+ m88k*)
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ netbsd*)
+ ;;
+ osf3* | osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ cxx)
+ # Digital/Compaq C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ psos*)
+ ;;
+ sco*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ lcc)
+ # Lucid
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ unixware*)
+ ;;
+ vxworks*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+],
+[
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC (with -KPIC) is the default.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ linux*)
+ case $CC in
+ icc* | ecc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ ccc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All Alpha code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All OSF/1 code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ sco3.2v5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
+ _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
+ [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
+ [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
+ "" | " "*) ;;
+ *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+ esac],
+ [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
+ ;;
+esac
+])
+
+
+# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
+# ------------------------------------
+# See if the linker supports building shared libraries.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
+[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+ifelse([$1],[CXX],[
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ case $host_os in
+ aix4* | aix5*)
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ ;;
+ pw32*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+ ;;
+ cygwin* | mingw*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ *)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ esac
+],[
+ runpath_var=
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)=
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=no
+ _LT_AC_TAGVAR(module_cmds, $1)=
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ _LT_AC_TAGVAR(include_expsyms, $1)=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris* | sysv5*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
+ fi
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+
+ if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ if test "$GCC" = yes && test -z "$link_static_flag"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ # see comment about different semantics on the GNU ld section
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ bsdi4*)
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
+ # FIXME: Should let the user specify the lib program.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes ; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ dgux*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ freebsd1*)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+
+ hpux10* | hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ openbsd*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ else
+ case $host_os in
+ openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ sco3.2v5*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+ *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ ;;
+ motorola)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4.3*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ fi
+ ;;
+
+ sysv4.2uw2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ hardcode_runpath_var=yes
+ runpath_var=LD_RUN_PATH
+ ;;
+
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ runpath_var='LD_RUN_PATH'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv5*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+ # $CC -shared without GNU ld will not create a library from C++
+ # object files and a static libstdc++, better avoid it by now
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var='LD_RUN_PATH'
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+ # Assume -lc should be added
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $_LT_AC_TAGVAR(archive_cmds, $1) in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
+ then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ else
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ fi
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
+ ;;
+ esac
+ fi
+ ;;
+esac
+])# AC_LIBTOOL_PROG_LD_SHLIBS
+
+
+# _LT_AC_FILE_LTDLL_C
+# -------------------
+# Be careful that the start marker always follows a newline.
+AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# # ifdef __CYGWIN32__
+# # define __CYGWIN__ __CYGWIN32__
+# # endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+# __hDllInstance_base = hInst;
+# return TRUE;
+# }
+# /* ltdll.c ends here */
+])# _LT_AC_FILE_LTDLL_C
+
+
+# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
+# ---------------------------------
+AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+
+
+# old names
+AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL])
+AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+AC_DEFUN([AM_PROG_LD], [AC_PROG_LD])
+AC_DEFUN([AM_PROG_NM], [AC_PROG_NM])
+
+# This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])
+
+AC_DEFUN([LT_AC_PROG_GCJ],
+[AC_CHECK_TOOL(GCJ, gcj, no)
+ test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+ AC_SUBST(GCJFLAGS)
+])
+
+AC_DEFUN([LT_AC_PROG_RC],
+[AC_CHECK_TOOL(RC, windres, no)
+])
+
+############################################################
+# NOTE: This macro has been submitted for inclusion into #
+# GNU Autoconf as AC_PROG_SED. When it is available in #
+# a released version of Autoconf we should remove this #
+# macro and use it instead. #
+############################################################
+# LT_AC_PROG_SED
+# --------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible. Prefer GNU sed if found.
+AC_DEFUN([LT_AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for lt_ac_prog in sed gsed; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+ lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+ fi
+ done
+ done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+ test ! -f $lt_ac_sed && break
+ cat /dev/null > conftest.in
+ lt_ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+ # Check for GNU sed and select it if it is found.
+ if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+ lt_cv_path_SED=$lt_ac_sed
+ break
+ fi
+ while true; do
+ cat conftest.in conftest.in >conftest.tmp
+ mv conftest.tmp conftest.in
+ cp conftest.in conftest.nl
+ echo >>conftest.nl
+ $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+ cmp -s conftest.out conftest.nl || break
+ # 10000 chars as input seems more than enough
+ test $lt_ac_count -gt 10 && break
+ lt_ac_count=`expr $lt_ac_count + 1`
+ if test $lt_ac_count -gt $lt_ac_max; then
+ lt_ac_max=$lt_ac_count
+ lt_cv_path_SED=$lt_ac_sed
+ fi
+ done
+done
+SED=$lt_cv_path_SED
+])
+AC_MSG_RESULT([$SED])
+])
diff --git a/contrib/bind9/lib/bind/ltmain.sh b/contrib/bind9/lib/bind/ltmain.sh
new file mode 100644
index 0000000..96c5835
--- /dev/null
+++ b/contrib/bind9/lib/bind/ltmain.sh
@@ -0,0 +1,4950 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun configure.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X$1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell, and then maybe $echo will work.
+ exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+$*
+EOF
+ exit 0
+fi
+
+# The name of this program.
+progname=`$echo "$0" | sed 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.4
+TIMESTAMP=" (1.920 2001/04/24 23:26:18)"
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+SP2NL='tr \040 \012'
+NL2SP='tr \015\012 \040\040'
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+ save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+ save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+ echo "$modename: not configured to build any kind of library" 1>&2
+ echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit 1
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+
+# Parse our command line options once, thoroughly.
+while test $# -gt 0
+do
+ arg="$1"
+ shift
+
+ case $arg in
+ -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ execute_dlfiles)
+ execute_dlfiles="$execute_dlfiles $arg"
+ ;;
+ *)
+ eval "$prev=\$arg"
+ ;;
+ esac
+
+ prev=
+ prevopt=
+ continue
+ fi
+
+ # Have we seen a non-optional argument yet?
+ case $arg in
+ --help)
+ show_help=yes
+ ;;
+
+ --version)
+ echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
+ exit 0
+ ;;
+
+ --config)
+ sed -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0
+ exit 0
+ ;;
+
+ --debug)
+ echo "$progname: enabling shell trace mode"
+ set -x
+ ;;
+
+ --dry-run | -n)
+ run=:
+ ;;
+
+ --features)
+ echo "host: $host"
+ if test "$build_libtool_libs" = yes; then
+ echo "enable shared libraries"
+ else
+ echo "disable shared libraries"
+ fi
+ if test "$build_old_libs" = yes; then
+ echo "enable static libraries"
+ else
+ echo "disable static libraries"
+ fi
+ exit 0
+ ;;
+
+ --finish) mode="finish" ;;
+
+ --mode) prevopt="--mode" prev=mode ;;
+ --mode=*) mode="$optarg" ;;
+
+ --quiet | --silent)
+ show=:
+ ;;
+
+ -dlopen)
+ prevopt="-dlopen"
+ prev=execute_dlfiles
+ ;;
+
+ -*)
+ $echo "$modename: unrecognized option \`$arg'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+
+ *)
+ nonopt="$arg"
+ break
+ ;;
+ esac
+done
+
+if test -n "$prevopt"; then
+ $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+fi
+
+if test -z "$show_help"; then
+
+ # Infer the operation mode.
+ if test -z "$mode"; then
+ case $nonopt in
+ *cc | *++ | gcc* | *-gcc*)
+ mode=link
+ for arg
+ do
+ case $arg in
+ -c)
+ mode=compile
+ break
+ ;;
+ esac
+ done
+ ;;
+ *db | *dbx | *strace | *truss)
+ mode=execute
+ ;;
+ *install*|cp|mv)
+ mode=install
+ ;;
+ *rm)
+ mode=uninstall
+ ;;
+ *)
+ # If we have no mode, but dlfiles were specified, then do execute mode.
+ test -n "$execute_dlfiles" && mode=execute
+
+ # Just use the default operation mode.
+ if test -z "$mode"; then
+ if test -n "$nonopt"; then
+ $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+ else
+ $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+ fi
+ fi
+ ;;
+ esac
+ fi
+
+ # Only execute mode is allowed to have -dlopen flags.
+ if test -n "$execute_dlfiles" && test "$mode" != execute; then
+ $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Change the help message to a mode-specific one.
+ generic_help="$help"
+ help="Try \`$modename --help --mode=$mode' for more information."
+
+ # These modes are in order of execution frequency so that they run quickly.
+ case $mode in
+ # libtool compile mode
+ compile)
+ modename="$modename: compile"
+ # Get the compilation command and the source file.
+ base_compile=
+ prev=
+ lastarg=
+ srcfile="$nonopt"
+ suppress_output=
+
+ user_target=no
+ for arg
+ do
+ case $prev in
+ "") ;;
+ xcompiler)
+ # Aesthetically quote the previous argument.
+ prev=
+ lastarg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+
+ case $arg in
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+
+ # Add the previous argument to base_compile.
+ if test -z "$base_compile"; then
+ base_compile="$lastarg"
+ else
+ base_compile="$base_compile $lastarg"
+ fi
+ continue
+ ;;
+ esac
+
+ # Accept any command-line options.
+ case $arg in
+ -o)
+ if test "$user_target" != "no"; then
+ $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+ exit 1
+ fi
+ user_target=next
+ ;;
+
+ -static)
+ build_old_libs=yes
+ continue
+ ;;
+
+ -prefer-pic)
+ pic_mode=yes
+ continue
+ ;;
+
+ -prefer-non-pic)
+ pic_mode=no
+ continue
+ ;;
+
+ -Xcompiler)
+ prev=xcompiler
+ continue
+ ;;
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+ lastarg=
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS=','
+ for arg in $args; do
+ IFS="$save_ifs"
+
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ lastarg="$lastarg $arg"
+ done
+ IFS="$save_ifs"
+ lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+ # Add the arguments to base_compile.
+ if test -z "$base_compile"; then
+ base_compile="$lastarg"
+ else
+ base_compile="$base_compile $lastarg"
+ fi
+ continue
+ ;;
+ esac
+
+ case $user_target in
+ next)
+ # The next one is the -o target name
+ user_target=yes
+ continue
+ ;;
+ yes)
+ # We got the output file
+ user_target=set
+ libobj="$arg"
+ continue
+ ;;
+ esac
+
+ # Accept the current argument as the source file.
+ lastarg="$srcfile"
+ srcfile="$arg"
+
+ # Aesthetically quote the previous argument.
+
+ # Backslashify any backslashes, double quotes, and dollar signs.
+ # These are the only characters that are still specially
+ # interpreted inside of double-quoted scrings.
+ lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ case $lastarg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ lastarg="\"$lastarg\""
+ ;;
+ esac
+
+ # Add the previous argument to base_compile.
+ if test -z "$base_compile"; then
+ base_compile="$lastarg"
+ else
+ base_compile="$base_compile $lastarg"
+ fi
+ done
+
+ case $user_target in
+ set)
+ ;;
+ no)
+ # Get the name of the library object.
+ libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+ ;;
+ *)
+ $echo "$modename: you must specify a target with \`-o'" 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Recognize several different file suffixes.
+ # If the user specifies -o file.o, it is replaced with file.lo
+ xform='[cCFSfmso]'
+ case $libobj in
+ *.ada) xform=ada ;;
+ *.adb) xform=adb ;;
+ *.ads) xform=ads ;;
+ *.asm) xform=asm ;;
+ *.c++) xform=c++ ;;
+ *.cc) xform=cc ;;
+ *.cpp) xform=cpp ;;
+ *.cxx) xform=cxx ;;
+ *.f90) xform=f90 ;;
+ *.for) xform=for ;;
+ esac
+
+ libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+ case $libobj in
+ *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+ *)
+ $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if test -z "$base_compile"; then
+ $echo "$modename: you must specify a compilation command" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Delete any leftover library objects.
+ if test "$build_old_libs" = yes; then
+ removelist="$obj $libobj"
+ else
+ removelist="$libobj"
+ fi
+
+ $run $rm $removelist
+ trap "$run $rm $removelist; exit 1" 1 2 15
+
+ # On Cygwin there's no "real" PIC flag so we must build both object types
+ case $host_os in
+ cygwin* | mingw* | pw32* | os2*)
+ pic_mode=default
+ ;;
+ esac
+ if test $pic_mode = no && test "$deplibs_check_method" != pass_all; then
+ # non-PIC code in shared libraries is not supported
+ pic_mode=default
+ fi
+
+ # Calculate the filename of the output object if compiler does
+ # not support -o with -c
+ if test "$compiler_c_o" = no; then
+ output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+ lockfile="$output_obj.lock"
+ removelist="$removelist $output_obj $lockfile"
+ trap "$run $rm $removelist; exit 1" 1 2 15
+ else
+ need_locks=no
+ lockfile=
+ fi
+
+ # Lock this critical section if it is needed
+ # We use this script file to make the link, it avoids creating a new file
+ if test "$need_locks" = yes; then
+ until $run ln "$0" "$lockfile" 2>/dev/null; do
+ $show "Waiting for $lockfile to be removed"
+ sleep 2
+ done
+ elif test "$need_locks" = warn; then
+ if test -f "$lockfile"; then
+ echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+ echo $srcfile > "$lockfile"
+ fi
+
+ if test -n "$fix_srcfile_path"; then
+ eval srcfile=\"$fix_srcfile_path\"
+ fi
+
+ # Only build a PIC object if we are building libtool libraries.
+ if test "$build_libtool_libs" = yes; then
+ # Without this assignment, base_compile gets emptied.
+ fbsd_hideous_sh_bug=$base_compile
+
+ if test "$pic_mode" != no; then
+ # All platforms use -DPIC, to notify preprocessed assembler code.
+ command="$base_compile $srcfile $pic_flag -DPIC"
+ else
+ # Don't build PIC code
+ command="$base_compile $srcfile"
+ fi
+ if test "$build_old_libs" = yes; then
+ lo_libobj="$libobj"
+ dir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$dir" = "X$libobj"; then
+ dir="$objdir"
+ else
+ dir="$dir/$objdir"
+ fi
+ libobj="$dir/"`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+
+ if test -d "$dir"; then
+ $show "$rm $libobj"
+ $run $rm $libobj
+ else
+ $show "$mkdir $dir"
+ $run $mkdir $dir
+ status=$?
+ if test $status -ne 0 && test ! -d $dir; then
+ exit $status
+ fi
+ fi
+ fi
+ if test "$compiler_o_lo" = yes; then
+ output_obj="$libobj"
+ command="$command -o $output_obj"
+ elif test "$compiler_c_o" = yes; then
+ output_obj="$obj"
+ command="$command -o $output_obj"
+ fi
+
+ $run $rm "$output_obj"
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ test -n "$output_obj" && $run $rm $removelist
+ exit 1
+ fi
+
+ if test "$need_locks" = warn &&
+ test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+ echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+
+ # Just move the object if needed, then go on to compile the next one
+ if test x"$output_obj" != x"$libobj"; then
+ $show "$mv $output_obj $libobj"
+ if $run $mv $output_obj $libobj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # If we have no pic_flag, then copy the object into place and finish.
+ if (test -z "$pic_flag" || test "$pic_mode" != default) &&
+ test "$build_old_libs" = yes; then
+ # Rename the .lo from within objdir to obj
+ if test -f $obj; then
+ $show $rm $obj
+ $run $rm $obj
+ fi
+
+ $show "$mv $libobj $obj"
+ if $run $mv $libobj $obj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+
+ xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$obj"; then
+ xdir="."
+ else
+ xdir="$xdir"
+ fi
+ baseobj=`$echo "X$obj" | $Xsed -e "s%.*/%%"`
+ libobj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+ # Now arrange that obj and lo_libobj become the same file
+ $show "(cd $xdir && $LN_S $baseobj $libobj)"
+ if $run eval '(cd $xdir && $LN_S $baseobj $libobj)'; then
+ exit 0
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Allow error messages only from the first compilation.
+ suppress_output=' >/dev/null 2>&1'
+ fi
+
+ # Only build a position-dependent object if we build old libraries.
+ if test "$build_old_libs" = yes; then
+ if test "$pic_mode" != yes; then
+ # Don't build PIC code
+ command="$base_compile $srcfile"
+ else
+ # All platforms use -DPIC, to notify preprocessed assembler code.
+ command="$base_compile $srcfile $pic_flag -DPIC"
+ fi
+ if test "$compiler_c_o" = yes; then
+ command="$command -o $obj"
+ output_obj="$obj"
+ fi
+
+ # Suppress compiler output if we already did a PIC compilation.
+ command="$command$suppress_output"
+ $run $rm "$output_obj"
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ $run $rm $removelist
+ exit 1
+ fi
+
+ if test "$need_locks" = warn &&
+ test x"`cat $lockfile 2>/dev/null`" != x"$srcfile"; then
+ echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+
+ # Just move the object if needed
+ if test x"$output_obj" != x"$obj"; then
+ $show "$mv $output_obj $obj"
+ if $run $mv $output_obj $obj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Create an invalid libtool object if no PIC, so that we do not
+ # accidentally link it into a program.
+ if test "$build_libtool_libs" != yes; then
+ $show "echo timestamp > $libobj"
+ $run eval "echo timestamp > \$libobj" || exit $?
+ else
+ # Move the .lo from within objdir
+ $show "$mv $libobj $lo_libobj"
+ if $run $mv $libobj $lo_libobj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+ fi
+
+ # Unlock the critical section if it was locked
+ if test "$need_locks" != no; then
+ $run $rm "$lockfile"
+ fi
+
+ exit 0
+ ;;
+
+ # libtool link mode
+ link | relink)
+ modename="$modename: link"
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # It is impossible to link a dll without this setting, and
+ # we shouldn't force the makefile maintainer to figure out
+ # which system we are compiling for in order to pass an extra
+ # flag for every libtool invokation.
+ # allow_undefined=no
+
+ # FIXME: Unfortunately, there are problems with the above when trying
+ # to make a dll which has undefined symbols, in which case not
+ # even a static library is built. For now, we need to specify
+ # -no-undefined on the libtool link line when we can be certain
+ # that all symbols are satisfied, otherwise we get a static library.
+ allow_undefined=yes
+ ;;
+ *-*-aix*)
+ allow_undefined=no
+ ;;
+ *)
+ allow_undefined=yes
+ ;;
+ esac
+ libtool_args="$nonopt"
+ compile_command="$nonopt"
+ finalize_command="$nonopt"
+
+ compile_rpath=
+ finalize_rpath=
+ compile_shlibpath=
+ finalize_shlibpath=
+ convenience=
+ old_convenience=
+ deplibs=
+ old_deplibs=
+ compiler_flags=
+ linker_flags=
+ dllsearchpath=
+ lib_search_path=`pwd`
+
+ avoid_version=no
+ dlfiles=
+ dlprefiles=
+ dlself=no
+ export_dynamic=no
+ export_symbols=
+ export_symbols_regex=
+ generated=
+ libobjs=
+ ltlibs=
+ module=no
+ no_install=no
+ objs=
+ prefer_static_libs=no
+ preload=no
+ prev=
+ prevarg=
+ release=
+ rpath=
+ xrpath=
+ perm_rpath=
+ temp_rpath=
+ thread_safe=no
+ vinfo=
+
+ # We need to know -static, to get the right output filenames.
+ for arg
+ do
+ case $arg in
+ -all-static | -static)
+ if test "X$arg" = "X-all-static"; then
+ if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+ $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+ fi
+ if test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ else
+ if test -z "$pic_flag" && test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ fi
+ build_libtool_libs=no
+ build_old_libs=yes
+ prefer_static_libs=yes
+ break
+ ;;
+ esac
+ done
+
+ # See if our shared archives depend on static archives.
+ test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+ # Go through the arguments, transforming them on the way.
+ while test $# -gt 0; do
+ arg="$1"
+ shift
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+ ;;
+ *) qarg=$arg ;;
+ esac
+ libtool_args="$libtool_args $qarg"
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ output)
+ compile_command="$compile_command @OUTPUT@"
+ finalize_command="$finalize_command @OUTPUT@"
+ ;;
+ esac
+
+ case $prev in
+ dlfiles|dlprefiles)
+ if test "$preload" = no; then
+ # Add the symbol object into the linking commands.
+ compile_command="$compile_command @SYMFILE@"
+ finalize_command="$finalize_command @SYMFILE@"
+ preload=yes
+ fi
+ case $arg in
+ *.la | *.lo) ;; # We handle these cases below.
+ force)
+ if test "$dlself" = no; then
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ self)
+ if test "$prev" = dlprefiles; then
+ dlself=yes
+ elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+ dlself=yes
+ else
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ *)
+ if test "$prev" = dlfiles; then
+ dlfiles="$dlfiles $arg"
+ else
+ dlprefiles="$dlprefiles $arg"
+ fi
+ prev=
+ continue
+ ;;
+ esac
+ ;;
+ expsyms)
+ export_symbols="$arg"
+ if test ! -f "$arg"; then
+ $echo "$modename: symbol file \`$arg' does not exist"
+ exit 1
+ fi
+ prev=
+ continue
+ ;;
+ expsyms_regex)
+ export_symbols_regex="$arg"
+ prev=
+ continue
+ ;;
+ release)
+ release="-$arg"
+ prev=
+ continue
+ ;;
+ rpath | xrpath)
+ # We need an absolute path.
+ case $arg in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit 1
+ ;;
+ esac
+ if test "$prev" = rpath; then
+ case "$rpath " in
+ *" $arg "*) ;;
+ *) rpath="$rpath $arg" ;;
+ esac
+ else
+ case "$xrpath " in
+ *" $arg "*) ;;
+ *) xrpath="$xrpath $arg" ;;
+ esac
+ fi
+ prev=
+ continue
+ ;;
+ xcompiler)
+ compiler_flags="$compiler_flags $qarg"
+ prev=
+ compile_command="$compile_command $qarg"
+ finalize_command="$finalize_command $qarg"
+ continue
+ ;;
+ xlinker)
+ linker_flags="$linker_flags $qarg"
+ compiler_flags="$compiler_flags $wl$qarg"
+ prev=
+ compile_command="$compile_command $wl$qarg"
+ finalize_command="$finalize_command $wl$qarg"
+ continue
+ ;;
+ *)
+ eval "$prev=\"\$arg\""
+ prev=
+ continue
+ ;;
+ esac
+ fi # test -n $prev
+
+ prevarg="$arg"
+
+ case $arg in
+ -all-static)
+ if test -n "$link_static_flag"; then
+ compile_command="$compile_command $link_static_flag"
+ finalize_command="$finalize_command $link_static_flag"
+ fi
+ continue
+ ;;
+
+ -allow-undefined)
+ # FIXME: remove this flag sometime in the future.
+ $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+ allow_undefined=yes
+ continue
+ ;;
+
+ -avoid-version)
+ avoid_version=yes
+ continue
+ ;;
+
+ -dlopen)
+ prev=dlfiles
+ continue
+ ;;
+
+ -dlpreopen)
+ prev=dlprefiles
+ continue
+ ;;
+
+ -export-dynamic)
+ export_dynamic=yes
+ continue
+ ;;
+
+ -export-symbols | -export-symbols-regex)
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: more than one -exported-symbols argument is not allowed"
+ exit 1
+ fi
+ if test "X$arg" = "X-export-symbols"; then
+ prev=expsyms
+ else
+ prev=expsyms_regex
+ fi
+ continue
+ ;;
+
+ # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+ # so, if we see these flags be careful not to treat them like -L
+ -L[A-Z][A-Z]*:*)
+ case $with_gcc/$host in
+ no/*-*-irix*)
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ ;;
+ esac
+ continue
+ ;;
+
+ -L*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+ exit 1
+ fi
+ dir="$absdir"
+ ;;
+ esac
+ case "$deplibs " in
+ *" -L$dir "*) ;;
+ *)
+ deplibs="$deplibs -L$dir"
+ lib_search_path="$lib_search_path $dir"
+ ;;
+ esac
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ case :$dllsearchpath: in
+ *":$dir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$dir";;
+ esac
+ ;;
+ esac
+ continue
+ ;;
+
+ -l*)
+ if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+ case $host in
+ *-*-cygwin* | *-*-pw32* | *-*-beos*)
+ # These systems don't actually have a C or math library (as such)
+ continue
+ ;;
+ *-*-mingw* | *-*-os2*)
+ # These systems don't actually have a C library (as such)
+ test "X$arg" = "X-lc" && continue
+ ;;
+ esac
+ fi
+ deplibs="$deplibs $arg"
+ continue
+ ;;
+
+ -module)
+ module=yes
+ continue
+ ;;
+
+ -no-fast-install)
+ fast_install=no
+ continue
+ ;;
+
+ -no-install)
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # The PATH hackery in wrapper scripts is required on Windows
+ # in order for the loader to find any dlls it needs.
+ $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+ $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+ fast_install=no
+ ;;
+ *) no_install=yes ;;
+ esac
+ continue
+ ;;
+
+ -no-undefined)
+ allow_undefined=no
+ continue
+ ;;
+
+ -o) prev=output ;;
+
+ -release)
+ prev=release
+ continue
+ ;;
+
+ -rpath)
+ prev=rpath
+ continue
+ ;;
+
+ -R)
+ prev=xrpath
+ continue
+ ;;
+
+ -R*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit 1
+ ;;
+ esac
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ continue
+ ;;
+
+ -static)
+ # The effects of -static are defined in a previous loop.
+ # We used to do the same as -all-static on platforms that
+ # didn't have a PIC flag, but the assumption that the effects
+ # would be equivalent was wrong. It would break on at least
+ # Digital Unix and AIX.
+ continue
+ ;;
+
+ -thread-safe)
+ thread_safe=yes
+ continue
+ ;;
+
+ -version-info)
+ prev=vinfo
+ continue
+ ;;
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+ arg=
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Wl,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+ arg=
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $wl$flag"
+ linker_flags="$linker_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Xcompiler)
+ prev=xcompiler
+ continue
+ ;;
+
+ -Xlinker)
+ prev=xlinker
+ continue
+ ;;
+
+ # Some other compiler flag.
+ -* | +*)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+
+ *.lo | *.$objext)
+ # A library or standard object.
+ if test "$prev" = dlfiles; then
+ # This file was specified with -dlopen.
+ if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+ dlfiles="$dlfiles $arg"
+ prev=
+ continue
+ else
+ # If libtool objects are unsupported, then we need to preload.
+ prev=dlprefiles
+ fi
+ fi
+
+ if test "$prev" = dlprefiles; then
+ # Preload the old-style object.
+ dlprefiles="$dlprefiles "`$echo "X$arg" | $Xsed -e "$lo2o"`
+ prev=
+ else
+ case $arg in
+ *.lo) libobjs="$libobjs $arg" ;;
+ *) objs="$objs $arg" ;;
+ esac
+ fi
+ ;;
+
+ *.$libext)
+ # An archive.
+ deplibs="$deplibs $arg"
+ old_deplibs="$old_deplibs $arg"
+ continue
+ ;;
+
+ *.la)
+ # A libtool-controlled library.
+
+ if test "$prev" = dlfiles; then
+ # This library was specified with -dlopen.
+ dlfiles="$dlfiles $arg"
+ prev=
+ elif test "$prev" = dlprefiles; then
+ # The library was specified with -dlpreopen.
+ dlprefiles="$dlprefiles $arg"
+ prev=
+ else
+ deplibs="$deplibs $arg"
+ fi
+ continue
+ ;;
+
+ # Some other compiler argument.
+ *)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+ esac # arg
+
+ # Now actually substitute the argument into the commands.
+ if test -n "$arg"; then
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+ done # argument parsing loop
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+ eval arg=\"$export_dynamic_flag_spec\"
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+
+ # calculate the name of the file, without its directory
+ outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+ libobjs_save="$libobjs"
+
+ if test -n "$shlibpath_var"; then
+ # get the directories listed in $shlibpath_var
+ eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+ else
+ shlib_search_path=
+ fi
+ eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+ eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+ output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$output_objdir" = "X$output"; then
+ output_objdir="$objdir"
+ else
+ output_objdir="$output_objdir/$objdir"
+ fi
+ # Create the object directory.
+ if test ! -d $output_objdir; then
+ $show "$mkdir $output_objdir"
+ $run $mkdir $output_objdir
+ status=$?
+ if test $status -ne 0 && test ! -d $output_objdir; then
+ exit $status
+ fi
+ fi
+
+ # Determine the type of output
+ case $output in
+ "")
+ $echo "$modename: you must specify an output file" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ *.$libext) linkmode=oldlib ;;
+ *.lo | *.$objext) linkmode=obj ;;
+ *.la) linkmode=lib ;;
+ *) linkmode=prog ;; # Anything else should be a program.
+ esac
+
+ specialdeplibs=
+ libs=
+ # Find all interdependent deplibs by searching for libraries
+ # that are linked more than once (e.g. -la -lb -la)
+ for deplib in $deplibs; do
+ case "$libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ libs="$libs $deplib"
+ done
+ deplibs=
+ newdependency_libs=
+ newlib_search_path=
+ need_relink=no # whether we're linking any uninstalled libtool libraries
+ notinst_deplibs= # not-installed libtool libraries
+ notinst_path= # paths that contain not-installed libtool libraries
+ case $linkmode in
+ lib)
+ passes="conv link"
+ for file in $dlfiles $dlprefiles; do
+ case $file in
+ *.la) ;;
+ *)
+ $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ ;;
+ prog)
+ compile_deplibs=
+ finalize_deplibs=
+ alldeplibs=no
+ newdlfiles=
+ newdlprefiles=
+ passes="conv scan dlopen dlpreopen link"
+ ;;
+ *) passes="conv"
+ ;;
+ esac
+ for pass in $passes; do
+ if test $linkmode = prog; then
+ # Determine which files to process
+ case $pass in
+ dlopen)
+ libs="$dlfiles"
+ save_deplibs="$deplibs" # Collect dlpreopened libraries
+ deplibs=
+ ;;
+ dlpreopen) libs="$dlprefiles" ;;
+ link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+ esac
+ fi
+ for deplib in $libs; do
+ lib=
+ found=no
+ case $deplib in
+ -l*)
+ if test $linkmode = oldlib && test $linkmode = obj; then
+ $echo "$modename: warning: \`-l' is ignored for archives/objects: $deplib" 1>&2
+ continue
+ fi
+ if test $pass = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+ for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ # Search the libtool library
+ lib="$searchdir/lib${name}.la"
+ if test -f "$lib"; then
+ found=yes
+ break
+ fi
+ done
+ if test "$found" != yes; then
+ # deplib doesn't seem to be a libtool library
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ test $linkmode = lib && newdependency_libs="$deplib $newdependency_libs"
+ fi
+ continue
+ fi
+ ;; # -l
+ -L*)
+ case $linkmode in
+ lib)
+ deplibs="$deplib $deplibs"
+ test $pass = conv && continue
+ newdependency_libs="$deplib $newdependency_libs"
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ ;;
+ prog)
+ if test $pass = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ if test $pass = scan; then
+ deplibs="$deplib $deplibs"
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ ;;
+ *)
+ $echo "$modename: warning: \`-L' is ignored for archives/objects: $deplib" 1>&2
+ ;;
+ esac # linkmode
+ continue
+ ;; # -L
+ -R*)
+ if test $pass = link; then
+ dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+ # Make sure the xrpath contains only unique directories.
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ fi
+ deplibs="$deplib $deplibs"
+ continue
+ ;;
+ *.la) lib="$deplib" ;;
+ *.$libext)
+ if test $pass = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ case $linkmode in
+ lib)
+ if test "$deplibs_check_method" != pass_all; then
+ echo
+ echo "*** Warning: This library needs some functionality provided by $deplib."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ else
+ echo
+ echo "*** Warning: Linking the shared library $output against the"
+ echo "*** static library $deplib is not portable!"
+ deplibs="$deplib $deplibs"
+ fi
+ continue
+ ;;
+ prog)
+ if test $pass != link; then
+ deplibs="$deplib $deplibs"
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ continue
+ ;;
+ esac # linkmode
+ ;; # *.$libext
+ *.lo | *.$objext)
+ if test $pass = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+ # If there is no dlopen support or we're linking statically,
+ # we need to preload.
+ newdlprefiles="$newdlprefiles $deplib"
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ newdlfiles="$newdlfiles $deplib"
+ fi
+ continue
+ ;;
+ %DEPLIBS%)
+ alldeplibs=yes
+ continue
+ ;;
+ esac # case $deplib
+ if test $found = yes || test -f "$lib"; then :
+ else
+ $echo "$modename: cannot find the library \`$lib'" 1>&2
+ exit 1
+ fi
+
+ # Check to see that this really is a libtool archive.
+ if (sed -e '2q' $lib | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+
+ ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$ladir" = "X$lib" && ladir="."
+
+ dlname=
+ dlopen=
+ dlpreopen=
+ libdir=
+ library_names=
+ old_library=
+ # If the library was installed with an old release of libtool,
+ # it will not redefine variable installed.
+ installed=yes
+
+ # Read the .la file
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+
+ if test "$linkmode,$pass" = "lib,link" ||
+ test "$linkmode,$pass" = "prog,scan" ||
+ { test $linkmode = oldlib && test $linkmode = obj; }; then
+ # Add dl[pre]opened files of deplib
+ test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+ test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+ fi
+
+ if test $pass = conv; then
+ # Only check for convenience libraries
+ deplibs="$lib $deplibs"
+ if test -z "$libdir"; then
+ if test -z "$old_library"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit 1
+ fi
+ # It is a libtool convenience library, so add in its objects.
+ convenience="$convenience $ladir/$objdir/$old_library"
+ old_convenience="$old_convenience $ladir/$objdir/$old_library"
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ deplibs="$deplib $deplibs"
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ tmp_libs="$tmp_libs $deplib"
+ done
+ elif test $linkmode != prog && test $linkmode != lib; then
+ $echo "$modename: \`$lib' is not a convenience library" 1>&2
+ exit 1
+ fi
+ continue
+ fi # $pass = conv
+
+ # Get the name of the library we link against.
+ linklib=
+ for l in $old_library $library_names; do
+ linklib="$l"
+ done
+ if test -z "$linklib"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit 1
+ fi
+
+ # This library was specified with -dlopen.
+ if test $pass = dlopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+ exit 1
+ fi
+ if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+ # If there is no dlname, no dlopen support or we're linking
+ # statically, we need to preload.
+ dlprefiles="$dlprefiles $lib"
+ else
+ newdlfiles="$newdlfiles $lib"
+ fi
+ continue
+ fi # $pass = dlopen
+
+ # We need an absolute path.
+ case $ladir in
+ [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+ *)
+ abs_ladir=`cd "$ladir" && pwd`
+ if test -z "$abs_ladir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+ $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+ abs_ladir="$ladir"
+ fi
+ ;;
+ esac
+ laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+ # Find the relevant object directory and library name.
+ if test "X$installed" = Xyes; then
+ if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+ $echo "$modename: warning: library \`$lib' was moved." 1>&2
+ dir="$ladir"
+ absdir="$abs_ladir"
+ libdir="$abs_ladir"
+ else
+ dir="$libdir"
+ absdir="$libdir"
+ fi
+ else
+ dir="$ladir/$objdir"
+ absdir="$abs_ladir/$objdir"
+ # Remove this search path later
+ notinst_path="$notinst_path $abs_ladir"
+ fi # $installed = yes
+ name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+ # This library was specified with -dlpreopen.
+ if test $pass = dlpreopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+ exit 1
+ fi
+ # Prefer using a static library (so that no silly _DYNAMIC symbols
+ # are required to link).
+ if test -n "$old_library"; then
+ newdlprefiles="$newdlprefiles $dir/$old_library"
+ # Otherwise, use the dlname, so that lt_dlopen finds it.
+ elif test -n "$dlname"; then
+ newdlprefiles="$newdlprefiles $dir/$dlname"
+ else
+ newdlprefiles="$newdlprefiles $dir/$linklib"
+ fi
+ fi # $pass = dlpreopen
+
+ if test -z "$libdir"; then
+ # Link the convenience library
+ if test $linkmode = lib; then
+ deplibs="$dir/$old_library $deplibs"
+ elif test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$dir/$old_library $compile_deplibs"
+ finalize_deplibs="$dir/$old_library $finalize_deplibs"
+ else
+ deplibs="$lib $deplibs"
+ fi
+ continue
+ fi
+
+ if test $linkmode = prog && test $pass != link; then
+ newlib_search_path="$newlib_search_path $ladir"
+ deplibs="$lib $deplibs"
+
+ linkalldeplibs=no
+ if test "$link_all_deplibs" != no || test -z "$library_names" ||
+ test "$build_libtool_libs" = no; then
+ linkalldeplibs=yes
+ fi
+
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+ esac
+ # Need to link against all dependency_libs?
+ if test $linkalldeplibs = yes; then
+ deplibs="$deplib $deplibs"
+ else
+ # Need to hardcode shared library paths
+ # or/and link against static libraries
+ newdependency_libs="$deplib $newdependency_libs"
+ fi
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ tmp_libs="$tmp_libs $deplib"
+ done # for deplib
+ continue
+ fi # $linkmode = prog...
+
+ link_static=no # Whether the deplib will be linked statically
+ if test -n "$library_names" &&
+ { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+ # Link against this shared library
+
+ if test "$linkmode,$pass" = "prog,link" ||
+ { test $linkmode = lib && test $hardcode_into_libs = yes; }; then
+ # Hardcode the library path.
+ # Skip directories that are in the system default run-time
+ # search path.
+ case " $sys_lib_dlsearch_path " in
+ *" $absdir "*) ;;
+ *)
+ case "$compile_rpath " in
+ *" $absdir "*) ;;
+ *) compile_rpath="$compile_rpath $absdir"
+ esac
+ ;;
+ esac
+ case " $sys_lib_dlsearch_path " in
+ *" $libdir "*) ;;
+ *)
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir"
+ esac
+ ;;
+ esac
+ if test $linkmode = prog; then
+ # We need to hardcode the library path
+ if test -n "$shlibpath_var"; then
+ # Make sure the rpath contains only unique directories.
+ case "$temp_rpath " in
+ *" $dir "*) ;;
+ *" $absdir "*) ;;
+ *) temp_rpath="$temp_rpath $dir" ;;
+ esac
+ fi
+ fi
+ fi # $linkmode,$pass = prog,link...
+
+ if test "$alldeplibs" = yes &&
+ { test "$deplibs_check_method" = pass_all ||
+ { test "$build_libtool_libs" = yes &&
+ test -n "$library_names"; }; }; then
+ # We only need to search for static libraries
+ continue
+ fi
+
+ if test "$installed" = no; then
+ notinst_deplibs="$notinst_deplibs $lib"
+ need_relink=yes
+ fi
+
+ if test -n "$old_archive_from_expsyms_cmds"; then
+ # figure out the soname
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+ libname=`eval \\$echo \"$libname_spec\"`
+ # use dlname if we got it. it's perfectly good, no?
+ if test -n "$dlname"; then
+ soname="$dlname"
+ elif test -n "$soname_spec"; then
+ # bleh windows
+ case $host in
+ *cygwin*)
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+ esac
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+
+ # Make a new name for the extract_expsyms_cmds to use
+ soroot="$soname"
+ soname=`echo $soroot | sed -e 's/^.*\///'`
+ newlib="libimp-`echo $soname | sed 's/^lib//;s/\.dll$//'`.a"
+
+ # If the library has no export list, then create one now
+ if test -f "$output_objdir/$soname-def"; then :
+ else
+ $show "extracting exported symbol list from \`$soname'"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ eval cmds=\"$extract_expsyms_cmds\"
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Create $newlib
+ if test -f "$output_objdir/$newlib"; then :; else
+ $show "generating import library for \`$soname'"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ eval cmds=\"$old_archive_from_expsyms_cmds\"
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+ # make sure the library variables are pointing to the new library
+ dir=$output_objdir
+ linklib=$newlib
+ fi # test -n $old_archive_from_expsyms_cmds
+
+ if test $linkmode = prog || test "$mode" != relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ lib_linked=yes
+ case $hardcode_action in
+ immediate | unsupported)
+ if test "$hardcode_direct" = no; then
+ add="$dir/$linklib"
+ elif test "$hardcode_minus_L" = no; then
+ case $host in
+ *-*-sunos*) add_shlibpath="$dir" ;;
+ esac
+ add_dir="-L$dir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = no; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ relink)
+ if test "$hardcode_direct" = yes; then
+ add="$dir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$dir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ *) lib_linked=no ;;
+ esac
+
+ if test "$lib_linked" != yes; then
+ $echo "$modename: configuration error: unsupported hardcode properties"
+ exit 1
+ fi
+
+ if test -n "$add_shlibpath"; then
+ case :$compile_shlibpath: in
+ *":$add_shlibpath:"*) ;;
+ *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+ esac
+ fi
+ if test $linkmode = prog; then
+ test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+ test -n "$add" && compile_deplibs="$add $compile_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ if test "$hardcode_direct" != yes && \
+ test "$hardcode_minus_L" != yes && \
+ test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ fi
+ fi
+ fi
+
+ if test $linkmode = prog || test "$mode" = relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ # Finalize command for both is simple: just hardcode it.
+ if test "$hardcode_direct" = yes; then
+ add="$libdir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$libdir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ add="-l$name"
+ else
+ # We cannot seem to hardcode it, guess we'll fake it.
+ add_dir="-L$libdir"
+ add="-l$name"
+ fi
+
+ if test $linkmode = prog; then
+ test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+ test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ fi
+ fi
+ elif test $linkmode = prog; then
+ if test "$alldeplibs" = yes &&
+ { test "$deplibs_check_method" = pass_all ||
+ { test "$build_libtool_libs" = yes &&
+ test -n "$library_names"; }; }; then
+ # We only need to search for static libraries
+ continue
+ fi
+
+ # Try to link the static library
+ # Here we assume that one of hardcode_direct or hardcode_minus_L
+ # is not unsupported. This is valid on all known static and
+ # shared platforms.
+ if test "$hardcode_direct" != unsupported; then
+ test -n "$old_library" && linklib="$old_library"
+ compile_deplibs="$dir/$linklib $compile_deplibs"
+ finalize_deplibs="$dir/$linklib $finalize_deplibs"
+ else
+ compile_deplibs="-l$name -L$dir $compile_deplibs"
+ finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+ fi
+ elif test "$build_libtool_libs" = yes; then
+ # Not a shared library
+ if test "$deplibs_check_method" != pass_all; then
+ # We're trying link a shared library against a static one
+ # but the system doesn't support it.
+
+ # Just print a warning and add the library to dependency_libs so
+ # that the program can be linked against the static library.
+ echo
+ echo "*** Warning: This library needs some functionality provided by $lib."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ if test "$module" = yes; then
+ echo "*** Therefore, libtool will create a static module, that should work "
+ echo "*** as long as the dlopening application is linked with the -dlopen flag."
+ if test -z "$global_symbol_pipe"; then
+ echo
+ echo "*** However, this would only work if libtool was able to extract symbol"
+ echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ echo "*** not find such a program. So, this module is probably useless."
+ echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ else
+ convenience="$convenience $dir/$old_library"
+ old_convenience="$old_convenience $dir/$old_library"
+ deplibs="$dir/$old_library $deplibs"
+ link_static=yes
+ fi
+ fi # link shared/static library?
+
+ if test $linkmode = lib; then
+ if test -n "$dependency_libs" &&
+ { test $hardcode_into_libs != yes || test $build_old_libs = yes ||
+ test $link_static = yes; }; then
+ # Extract -R from dependency_libs
+ temp_deplibs=
+ for libdir in $dependency_libs; do
+ case $libdir in
+ -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+ case " $xrpath " in
+ *" $temp_xrpath "*) ;;
+ *) xrpath="$xrpath $temp_xrpath";;
+ esac;;
+ *) temp_deplibs="$temp_deplibs $libdir";;
+ esac
+ done
+ dependency_libs="$temp_deplibs"
+ fi
+
+ newlib_search_path="$newlib_search_path $absdir"
+ # Link against this library
+ test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+ # ... and its dependency_libs
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ newdependency_libs="$deplib $newdependency_libs"
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ tmp_libs="$tmp_libs $deplib"
+ done
+
+ if test $link_all_deplibs != no; then
+ # Add the search paths of all dependency libraries
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) path="$deplib" ;;
+ *.la)
+ dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$deplib" && dir="."
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+ absdir="$dir"
+ fi
+ ;;
+ esac
+ if grep "^installed=no" $deplib > /dev/null; then
+ path="-L$absdir/$objdir"
+ else
+ eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ if test "$absdir" != "$libdir"; then
+ $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+ fi
+ path="-L$absdir"
+ fi
+ ;;
+ *) continue ;;
+ esac
+ case " $deplibs " in
+ *" $path "*) ;;
+ *) deplibs="$deplibs $path" ;;
+ esac
+ done
+ fi # link_all_deplibs != no
+ fi # linkmode = lib
+ done # for deplib in $libs
+ if test $pass = dlpreopen; then
+ # Link the dlpreopened libraries before other libraries
+ for deplib in $save_deplibs; do
+ deplibs="$deplib $deplibs"
+ done
+ fi
+ if test $pass != dlopen; then
+ test $pass != scan && dependency_libs="$newdependency_libs"
+ if test $pass != conv; then
+ # Make sure lib_search_path contains only unique directories.
+ lib_search_path=
+ for dir in $newlib_search_path; do
+ case "$lib_search_path " in
+ *" $dir "*) ;;
+ *) lib_search_path="$lib_search_path $dir" ;;
+ esac
+ done
+ newlib_search_path=
+ fi
+
+ if test "$linkmode,$pass" != "prog,link"; then
+ vars="deplibs"
+ else
+ vars="compile_deplibs finalize_deplibs"
+ fi
+ for var in $vars dependency_libs; do
+ # Add libraries to $var in reverse order
+ eval tmp_libs=\"\$$var\"
+ new_libs=
+ for deplib in $tmp_libs; do
+ case $deplib in
+ -L*) new_libs="$deplib $new_libs" ;;
+ *)
+ case " $specialdeplibs " in
+ *" $deplib "*) new_libs="$deplib $new_libs" ;;
+ *)
+ case " $new_libs " in
+ *" $deplib "*) ;;
+ *) new_libs="$deplib $new_libs" ;;
+ esac
+ ;;
+ esac
+ ;;
+ esac
+ done
+ tmp_libs=
+ for deplib in $new_libs; do
+ case $deplib in
+ -L*)
+ case " $tmp_libs " in
+ *" $deplib "*) ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ done
+ eval $var=\"$tmp_libs\"
+ done # for var
+ fi
+ if test "$pass" = "conv" &&
+ { test "$linkmode" = "lib" || test "$linkmode" = "prog"; }; then
+ libs="$deplibs" # reset libs
+ deplibs=
+ fi
+ done # for pass
+ if test $linkmode = prog; then
+ dlfiles="$newdlfiles"
+ dlprefiles="$newdlprefiles"
+ fi
+
+ case $linkmode in
+ oldlib)
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+ fi
+
+ # Now set the variables for building old libraries.
+ build_libtool_libs=no
+ oldlibs="$output"
+ objs="$objs$old_deplibs"
+ ;;
+
+ lib)
+ # Make sure we only generate libraries of the form `libNAME.la'.
+ case $outputname in
+ lib*)
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+ eval libname=\"$libname_spec\"
+ ;;
+ *)
+ if test "$module" = no; then
+ $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+ if test "$need_lib_prefix" != no; then
+ # Add the "lib" prefix for modules if required
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ eval libname=\"$libname_spec\"
+ else
+ libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ fi
+ ;;
+ esac
+
+ if test -n "$objs"; then
+ if test "$deplibs_check_method" != pass_all; then
+ $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+ exit 1
+ else
+ echo
+ echo "*** Warning: Linking the shared library $output against the non-libtool"
+ echo "*** objects $objs is not portable!"
+ libobjs="$libobjs $objs"
+ fi
+ fi
+
+ if test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+ fi
+
+ set dummy $rpath
+ if test $# -gt 2; then
+ $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+ fi
+ install_libdir="$2"
+
+ oldlibs=
+ if test -z "$rpath"; then
+ if test "$build_libtool_libs" = yes; then
+ # Building a libtool convenience library.
+ libext=al
+ oldlibs="$output_objdir/$libname.$libext $oldlibs"
+ build_libtool_libs=convenience
+ build_old_libs=yes
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for convenience libraries" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+ fi
+ else
+
+ # Parse the version information argument.
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS=':'
+ set dummy $vinfo 0 0 0
+ IFS="$save_ifs"
+
+ if test -n "$8"; then
+ $echo "$modename: too many parameters to \`-version-info'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ current="$2"
+ revision="$3"
+ age="$4"
+
+ # Check that each of the things are valid numbers.
+ case $current in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ case $revision in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ case $age in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if test $age -gt $current; then
+ $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ fi
+
+ # Calculate the version variables.
+ major=
+ versuffix=
+ verstring=
+ case $version_type in
+ none) ;;
+
+ darwin)
+ # Like Linux, but with the current version available in
+ # verstring for coding it into the library header
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ # Darwin ld doesn't like 0 for these options...
+ minor_current=`expr $current + 1`
+ verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+ ;;
+
+ freebsd-aout)
+ major=".$current"
+ versuffix=".$current.$revision";
+ ;;
+
+ freebsd-elf)
+ major=".$current"
+ versuffix=".$current";
+ ;;
+
+ irix)
+ major=`expr $current - $age + 1`
+ verstring="sgi$major.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$revision
+ while test $loop != 0; do
+ iface=`expr $revision - $loop`
+ loop=`expr $loop - 1`
+ verstring="sgi$major.$iface:$verstring"
+ done
+
+ # Before this point, $major must not contain `.'.
+ major=.$major
+ versuffix="$major.$revision"
+ ;;
+
+ linux)
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ ;;
+
+ osf)
+ major=`expr $current - $age`
+ versuffix=".$current.$age.$revision"
+ verstring="$current.$age.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$age
+ while test $loop != 0; do
+ iface=`expr $current - $loop`
+ loop=`expr $loop - 1`
+ verstring="$verstring:${iface}.0"
+ done
+
+ # Make executables depend on our current version.
+ verstring="$verstring:${current}.0"
+ ;;
+
+ sunos)
+ major=".$current"
+ versuffix=".$current.$revision"
+ ;;
+
+ windows)
+ # Use '-' rather than '.', since we only want one
+ # extension on DOS 8.3 filesystems.
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+
+ *)
+ $echo "$modename: unknown library version type \`$version_type'" 1>&2
+ echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Clear the version info if we defaulted, and they specified a release.
+ if test -z "$vinfo" && test -n "$release"; then
+ major=
+ verstring="0.0"
+ if test "$need_version" = no; then
+ versuffix=
+ else
+ versuffix=".0.0"
+ fi
+ fi
+
+ # Remove version info from name if versioning should be avoided
+ if test "$avoid_version" = yes && test "$need_version" = no; then
+ major=
+ versuffix=
+ verstring=""
+ fi
+
+ # Check to see if the archive will have undefined symbols.
+ if test "$allow_undefined" = yes; then
+ if test "$allow_undefined_flag" = unsupported; then
+ $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+ build_libtool_libs=no
+ build_old_libs=yes
+ fi
+ else
+ # Don't allow undefined symbols.
+ allow_undefined_flag="$no_undefined_flag"
+ fi
+ fi
+
+ if test "$mode" != relink; then
+ # Remove our outputs.
+ $show "${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*"
+ $run ${rm}r $output_objdir/$outputname $output_objdir/$libname.* $output_objdir/${libname}${release}.*
+ fi
+
+ # Now set the variables for building old libraries.
+ if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+ oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+ # Transform .lo files to .o files.
+ oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+ fi
+
+ # Eliminate all temporary directories.
+ for path in $notinst_path; do
+ lib_search_path=`echo "$lib_search_path " | sed -e 's% $path % %g'`
+ deplibs=`echo "$deplibs " | sed -e 's% -L$path % %g'`
+ dependency_libs=`echo "$dependency_libs " | sed -e 's% -L$path % %g'`
+ done
+
+ if test -n "$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ temp_xrpath=
+ for libdir in $xrpath; do
+ temp_xrpath="$temp_xrpath -R$libdir"
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ if test $hardcode_into_libs != yes || test $build_old_libs = yes; then
+ dependency_libs="$temp_xrpath $dependency_libs"
+ fi
+ fi
+
+ # Make sure dlfiles contains only unique files that won't be dlpreopened
+ old_dlfiles="$dlfiles"
+ dlfiles=
+ for lib in $old_dlfiles; do
+ case " $dlprefiles $dlfiles " in
+ *" $lib "*) ;;
+ *) dlfiles="$dlfiles $lib" ;;
+ esac
+ done
+
+ # Make sure dlprefiles contains only unique files
+ old_dlprefiles="$dlprefiles"
+ dlprefiles=
+ for lib in $old_dlprefiles; do
+ case "$dlprefiles " in
+ *" $lib "*) ;;
+ *) dlprefiles="$dlprefiles $lib" ;;
+ esac
+ done
+
+ if test "$build_libtool_libs" = yes; then
+ if test -n "$rpath"; then
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+ # these systems don't actually have a c library (as such)!
+ ;;
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # Rhapsody C library is in the System framework
+ deplibs="$deplibs -framework System"
+ ;;
+ *-*-netbsd*)
+ # Don't link with libc until the a.out ld.so is fixed.
+ ;;
+ *)
+ # Add libc to deplibs on all other systems if necessary.
+ if test $build_libtool_need_lc = "yes"; then
+ deplibs="$deplibs -lc"
+ fi
+ ;;
+ esac
+ fi
+
+ # Transform deplibs into only deplibs that can be linked in shared.
+ name_save=$name
+ libname_save=$libname
+ release_save=$release
+ versuffix_save=$versuffix
+ major_save=$major
+ # I'm not sure if I'm treating the release correctly. I think
+ # release should show up in the -l (ie -lgmp5) so we don't want to
+ # add it in twice. Is that correct?
+ release=""
+ versuffix=""
+ major=""
+ newdeplibs=
+ droppeddeps=no
+ case $deplibs_check_method in
+ pass_all)
+ # Don't check for shared/static. Everything works.
+ # This might be a little naive. We might want to check
+ # whether the library exists or not. But this is on
+ # osf3 & osf4 and I'm not really sure... Just
+ # implementing what was already the behaviour.
+ newdeplibs=$deplibs
+ ;;
+ test_compile)
+ # This code stresses the "libraries are programs" paradigm to its
+ # limits. Maybe even breaks it. We compile a program, linking it
+ # against the deplibs as a proxy for the library. Then we can check
+ # whether they linked in statically or dynamically with ldd.
+ $rm conftest.c
+ cat > conftest.c <<EOF
+ int main() { return 0; }
+EOF
+ $rm conftest
+ $CC -o conftest conftest.c $deplibs
+ if test $? -eq 0 ; then
+ ldd_output=`ldd conftest`
+ for i in $deplibs; do
+ name="`expr $i : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ echo
+ echo "*** Warning: This library needs some functionality provided by $i."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ else
+ # Error occured in the first compile. Let's try to salvage the situation:
+ # Compile a seperate program for each library.
+ for i in $deplibs; do
+ name="`expr $i : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ $rm conftest
+ $CC -o conftest conftest.c $i
+ # Did it work?
+ if test $? -eq 0 ; then
+ ldd_output=`ldd conftest`
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ echo
+ echo "*** Warning: This library needs some functionality provided by $i."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ fi
+ else
+ droppeddeps=yes
+ echo
+ echo "*** Warning! Library $i is needed by this library but I was not able to"
+ echo "*** make it link in! You will probably need to install it or some"
+ echo "*** library that it depends on before this library will be fully"
+ echo "*** functional. Installing it before continuing would be even better."
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ fi
+ ;;
+ file_magic*)
+ set dummy $deplibs_check_method
+ file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name="`expr $a_deplib : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ # Follow soft links.
+ if ls -lLd "$potent_lib" 2>/dev/null \
+ | grep " -> " >/dev/null; then
+ continue
+ fi
+ # The statement above tries to avoid entering an
+ # endless loop below, in case of cyclic links.
+ # We might still enter an endless loop, since a link
+ # loop can be closed while we follow links,
+ # but so what?
+ potlib="$potent_lib"
+ while test -h "$potlib" 2>/dev/null; do
+ potliblink=`ls -ld $potlib | sed 's/.* -> //'`
+ case $potliblink in
+ [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+ *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+ esac
+ done
+ if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+ | sed 10q \
+ | egrep "$file_magic_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ echo
+ echo "*** Warning: This library needs some functionality provided by $a_deplib."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ match_pattern*)
+ set dummy $deplibs_check_method
+ match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name="`expr $a_deplib : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ if eval echo \"$potent_lib\" 2>/dev/null \
+ | sed 10q \
+ | egrep "$match_pattern_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ echo
+ echo "*** Warning: This library needs some functionality provided by $a_deplib."
+ echo "*** I have the capability to make that library automatically link in when"
+ echo "*** you link to this library. But I can only do this if you have a"
+ echo "*** shared version of the library, which you do not appear to have."
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ none | unknown | *)
+ newdeplibs=""
+ if $echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+ -e 's/ -[LR][^ ]*//g' -e 's/[ ]//g' |
+ grep . >/dev/null; then
+ echo
+ if test "X$deplibs_check_method" = "Xnone"; then
+ echo "*** Warning: inter-library dependencies are not supported in this platform."
+ else
+ echo "*** Warning: inter-library dependencies are not known to be supported."
+ fi
+ echo "*** All declared inter-library dependencies are being dropped."
+ droppeddeps=yes
+ fi
+ ;;
+ esac
+ versuffix=$versuffix_save
+ major=$major_save
+ release=$release_save
+ libname=$libname_save
+ name=$name_save
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ if test "$droppeddeps" = yes; then
+ if test "$module" = yes; then
+ echo
+ echo "*** Warning: libtool could not satisfy all declared inter-library"
+ echo "*** dependencies of module $libname. Therefore, libtool will create"
+ echo "*** a static module, that should work as long as the dlopening"
+ echo "*** application is linked with the -dlopen flag."
+ if test -z "$global_symbol_pipe"; then
+ echo
+ echo "*** However, this would only work if libtool was able to extract symbol"
+ echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ echo "*** not find such a program. So, this module is probably useless."
+ echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ else
+ echo "*** The inter-library dependencies that have been dropped here will be"
+ echo "*** automatically added whenever a program is linked with this library"
+ echo "*** or is declared to -dlopen it."
+
+ if test $allow_undefined = no; then
+ echo
+ echo "*** Since this library must not contain undefined symbols,"
+ echo "*** because either the platform does not support them or"
+ echo "*** it was explicitly requested with -no-undefined,"
+ echo "*** libtool will only create a static version of it."
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ fi
+ fi
+ # Done checking deplibs!
+ deplibs=$newdeplibs
+ fi
+
+ # All the library-specific variables (install_libdir is set above).
+ library_names=
+ old_library=
+ dlname=
+
+ # Test again, we may have decided not to build it any more
+ if test "$build_libtool_libs" = yes; then
+ if test $hardcode_into_libs = yes; then
+ # Hardcode the library paths
+ hardcode_libdirs=
+ dep_rpath=
+ rpath="$finalize_rpath"
+ test "$mode" != relink && rpath="$compile_rpath$rpath"
+ for libdir in $rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ dep_rpath="$dep_rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+ fi
+ if test -n "$runpath_var" && test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+ fi
+ test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+ fi
+
+ shlibpath="$finalize_shlibpath"
+ test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+ if test -n "$shlibpath"; then
+ eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+ fi
+
+ # Get the real and link names of the library.
+ eval library_names=\"$library_names_spec\"
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+
+ if test -n "$soname_spec"; then
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+ test -z "$dlname" && dlname=$soname
+
+ lib="$output_objdir/$realname"
+ for link
+ do
+ linknames="$linknames $link"
+ done
+
+ # Ensure that we have .o objects for linkers which dislike .lo
+ # (e.g. aix) in case we are running --disable-static
+ for obj in $libobjs; do
+ xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$obj"; then
+ xdir="."
+ else
+ xdir="$xdir"
+ fi
+ baseobj=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+ oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+ if test ! -f $xdir/$oldobj; then
+ $show "(cd $xdir && ${LN_S} $baseobj $oldobj)"
+ $run eval '(cd $xdir && ${LN_S} $baseobj $oldobj)' || exit $?
+ fi
+ done
+
+ # Use standard objects if they are pic
+ test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+ $show "generating symbol list for \`$libname.la'"
+ export_symbols="$output_objdir/$libname.exp"
+ $run $rm $export_symbols
+ eval cmds=\"$export_symbols_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ if test -n "$export_symbols_regex"; then
+ $show "egrep -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+ $run eval 'egrep -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+ $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+ $run eval '$mv "${export_symbols}T" "$export_symbols"'
+ fi
+ fi
+ fi
+
+ if test -n "$export_symbols" && test -n "$include_expsyms"; then
+ $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+ fi
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${outputname}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "mkdir $gentop"
+ $run mkdir "$gentop"
+ status=$?
+ if test $status -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ for xlib in $convenience; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "mkdir $xdir"
+ $run mkdir "$xdir"
+ status=$?
+ if test $status -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+ libobjs="$libobjs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+ fi
+
+ if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+ eval flag=\"$thread_safe_flag_spec\"
+ linker_flags="$linker_flags $flag"
+ fi
+
+ # Make a backup of the uninstalled library when relinking
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+ fi
+
+ # Do each of the archive commands.
+ if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+ eval cmds=\"$archive_expsym_cmds\"
+ else
+ eval cmds=\"$archive_cmds\"
+ fi
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ # Restore the uninstalled library and exit
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+ exit 0
+ fi
+
+ # Create links to the real library.
+ for linkname in $linknames; do
+ if test "$realname" != "$linkname"; then
+ $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+ $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+ fi
+ done
+
+ # If -module or -export-dynamic was specified, set the dlname.
+ if test "$module" = yes || test "$export_dynamic" = yes; then
+ # On all known operating systems, these are identical.
+ dlname="$soname"
+ fi
+ fi
+ ;;
+
+ obj)
+ if test -n "$deplibs"; then
+ $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+ fi
+
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+ fi
+
+ case $output in
+ *.lo)
+ if test -n "$objs$old_deplibs"; then
+ $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+ exit 1
+ fi
+ libobj="$output"
+ obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+ ;;
+ *)
+ libobj=
+ obj="$output"
+ ;;
+ esac
+
+ # Delete the old objects.
+ $run $rm $obj $libobj
+
+ # Objects from convenience libraries. This assumes
+ # single-version convenience libraries. Whenever we create
+ # different ones for PIC/non-PIC, this we'll have to duplicate
+ # the extraction.
+ reload_conv_objs=
+ gentop=
+ # reload_cmds runs $LD directly, so let us get rid of
+ # -Wl from whole_archive_flag_spec
+ wl=
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${obj}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "mkdir $gentop"
+ $run mkdir "$gentop"
+ status=$?
+ if test $status -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ for xlib in $convenience; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "mkdir $xdir"
+ $run mkdir "$xdir"
+ status=$?
+ if test $status -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+ reload_conv_objs="$reload_objs "`find $xdir -name \*.o -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+ fi
+
+ # Create the old-style object.
+ reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+ output="$obj"
+ eval cmds=\"$reload_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ # Exit if we aren't doing a library object file.
+ if test -z "$libobj"; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit 0
+ fi
+
+ if test "$build_libtool_libs" != yes; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ # Create an invalid libtool object if no PIC, so that we don't
+ # accidentally link it into a program.
+ $show "echo timestamp > $libobj"
+ $run eval "echo timestamp > $libobj" || exit $?
+ exit 0
+ fi
+
+ if test -n "$pic_flag" || test "$pic_mode" != default; then
+ # Only do commands if we really have different PIC objects.
+ reload_objs="$libobjs $reload_conv_objs"
+ output="$libobj"
+ eval cmds=\"$reload_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ else
+ # Just create a symlink.
+ $show $rm $libobj
+ $run $rm $libobj
+ xdir=`$echo "X$libobj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$libobj"; then
+ xdir="."
+ else
+ xdir="$xdir"
+ fi
+ baseobj=`$echo "X$libobj" | $Xsed -e 's%^.*/%%'`
+ oldobj=`$echo "X$baseobj" | $Xsed -e "$lo2o"`
+ $show "(cd $xdir && $LN_S $oldobj $baseobj)"
+ $run eval '(cd $xdir && $LN_S $oldobj $baseobj)' || exit $?
+ fi
+
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit 0
+ ;;
+
+ prog)
+ case $host in
+ *cygwin*) output=`echo $output | sed -e 's,.exe$,,;s,$,.exe,'` ;;
+ esac
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+ fi
+
+ if test "$preload" = yes; then
+ if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+ test "$dlopen_self_static" = unknown; then
+ $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+ fi
+ fi
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ compile_command="$compile_command $compile_deplibs"
+ finalize_command="$finalize_command $finalize_deplibs"
+
+ if test -n "$rpath$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ for libdir in $rpath $xrpath; do
+ # This is the magic to use -rpath.
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ fi
+
+ # Now hardcode the library paths
+ rpath=
+ hardcode_libdirs=
+ for libdir in $compile_rpath $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ case :$dllsearchpath: in
+ *":$libdir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$libdir";;
+ esac
+ ;;
+ esac
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ compile_rpath="$rpath"
+
+ rpath=
+ hardcode_libdirs=
+ for libdir in $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$finalize_perm_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ finalize_rpath="$rpath"
+
+ if test -n "$libobjs" && test "$build_old_libs" = yes; then
+ # Transform all the library objects into standard objects.
+ compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ fi
+
+ dlsyms=
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ if test -n "$NM" && test -n "$global_symbol_pipe"; then
+ dlsyms="${outputname}S.c"
+ else
+ $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+ fi
+ fi
+
+ if test -n "$dlsyms"; then
+ case $dlsyms in
+ "") ;;
+ *.c)
+ # Discover the nlist of each of the dlfiles.
+ nlist="$output_objdir/${outputname}.nm"
+
+ $show "$rm $nlist ${nlist}S ${nlist}T"
+ $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+ # Parse the name list into a source file.
+ $show "creating $output_objdir/$dlsyms"
+
+ test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+ if test "$dlself" = yes; then
+ $show "generating symbol list for \`$output'"
+
+ test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+ # Add our own program objects to the symbol list.
+ progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ for arg in $progfiles; do
+ $show "extracting global C symbols from \`$arg'"
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -n "$exclude_expsyms"; then
+ $run eval 'egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ if test -n "$export_symbols_regex"; then
+ $run eval 'egrep -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ export_symbols="$output_objdir/$output.exp"
+ $run $rm $export_symbols
+ $run eval "sed -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+ else
+ $run eval "sed -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
+ $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+ $run eval 'mv "$nlist"T "$nlist"'
+ fi
+ fi
+
+ for arg in $dlprefiles; do
+ $show "extracting global C symbols from \`$arg'"
+ name=`echo "$arg" | sed -e 's%^.*/%%'`
+ $run eval 'echo ": $name " >> "$nlist"'
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -z "$run"; then
+ # Make sure we have at least an empty file.
+ test -f "$nlist" || : > "$nlist"
+
+ if test -n "$exclude_expsyms"; then
+ egrep -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+ $mv "$nlist"T "$nlist"
+ fi
+
+ # Try sorting and uniquifying the output.
+ if grep -v "^: " < "$nlist" | sort +2 | uniq > "$nlist"S; then
+ :
+ else
+ grep -v "^: " < "$nlist" > "$nlist"S
+ fi
+
+ if test -f "$nlist"S; then
+ eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+ else
+ echo '/* NONE */' >> "$output_objdir/$dlsyms"
+ fi
+
+ $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+ sed -n -e 's/^: \([^ ]*\) $/ {\"\1\", (lt_ptr_t) 0},/p' \
+ -e 's/^. \([^ ]*\) \([^ ]*\)$/ {"\2", (lt_ptr_t) \&\2},/p' \
+ < "$nlist" >> "$output_objdir/$dlsyms"
+
+ $echo >> "$output_objdir/$dlsyms" "\
+ {0, (lt_ptr_t) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+ return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+ fi
+
+ pic_flag_for_symtable=
+ case $host in
+ # compiling the symbol table file with pic_flag works around
+ # a FreeBSD bug that causes programs to crash when -lm is
+ # linked before any other PIC object. But we must not use
+ # pic_flag when linking with -static. The problem exists in
+ # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+ *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag -DPIC -DFREEBSD_WORKAROUND";;
+ esac;;
+ *-*-hpux*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag -DPIC";;
+ esac
+ esac
+
+ # Now compile the dynamic symbol file.
+ $show "(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+ $run eval '(cd $output_objdir && $CC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+ # Clean up the generated files.
+ $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+ $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+ # Transform the symbol file into the correct name.
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ ;;
+ *)
+ $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+ exit 1
+ ;;
+ esac
+ else
+ # We keep going just in case the user didn't refer to
+ # lt_preloaded_symbols. The linker will fail if global_symbol_pipe
+ # really was required.
+
+ # Nullify the symbol file.
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+ fi
+
+ if test $need_relink = no || test "$build_libtool_libs" != yes; then
+ # Replace the output file specification.
+ compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ link_command="$compile_command$compile_rpath"
+
+ # We have no uninstalled library dependencies, so finalize right now.
+ $show "$link_command"
+ $run eval "$link_command"
+ status=$?
+
+ # Delete the generated files.
+ if test -n "$dlsyms"; then
+ $show "$rm $output_objdir/${outputname}S.${objext}"
+ $run $rm "$output_objdir/${outputname}S.${objext}"
+ fi
+
+ exit $status
+ fi
+
+ if test -n "$shlibpath_var"; then
+ # We should set the shlibpath_var
+ rpath=
+ for dir in $temp_rpath; do
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*)
+ # Absolute path.
+ rpath="$rpath$dir:"
+ ;;
+ *)
+ # Relative path: add a thisdir entry.
+ rpath="$rpath\$thisdir/$dir:"
+ ;;
+ esac
+ done
+ temp_rpath="$rpath"
+ fi
+
+ if test -n "$compile_shlibpath$finalize_shlibpath"; then
+ compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+ fi
+ if test -n "$finalize_shlibpath"; then
+ finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+ fi
+
+ compile_var=
+ finalize_var=
+ if test -n "$runpath_var"; then
+ if test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ if test -n "$finalize_perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $finalize_perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ fi
+
+ if test "$no_install" = yes; then
+ # We don't need to create a wrapper script.
+ link_command="$compile_var$compile_command$compile_rpath"
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ # Delete the old output file.
+ $run $rm $output
+ # Link the executable and exit
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+ exit 0
+ fi
+
+ if test "$hardcode_action" = relink; then
+ # Fast installation is not supported
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+ $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+ $echo "$modename: \`$output' will be relinked during installation" 1>&2
+ else
+ if test "$fast_install" != no; then
+ link_command="$finalize_var$compile_command$finalize_rpath"
+ if test "$fast_install" = yes; then
+ relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+ else
+ # fast_install is set to needless
+ relink_command=
+ fi
+ else
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+ fi
+ fi
+
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+ # Delete the old output files.
+ $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+
+ # Now create the wrapper script.
+ $show "creating $output"
+
+ # Quote the relink command for shipping.
+ if test -n "$relink_command"; then
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ relink_command="cd `pwd`; $relink_command"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Quote $echo for shipping.
+ if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+ case $0 in
+ [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
+ *) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+ esac
+ qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+ else
+ qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Only actually do things if our run command is non-null.
+ if test -z "$run"; then
+ # win32 will think the script is a binary if it has
+ # a .exe suffix, so we strip it off here.
+ case $output in
+ *.exe) output=`echo $output|sed 's,.exe$,,'` ;;
+ esac
+ # test for cygwin because mv fails w/o .exe extensions
+ case $host in
+ *cygwin*) exeext=.exe ;;
+ *) exeext= ;;
+ esac
+ $rm $output
+ trap "$rm $output; exit 1" 1 2 15
+
+ $echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+ # install mode needs the following variable:
+ notinst_deplibs='$notinst_deplibs'
+else
+ # When we are sourced in execute mode, \$file and \$echo are already set.
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ echo=\"$qecho\"
+ file=\"\$0\"
+ # Make sure echo works.
+ if test \"X\$1\" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+ elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+ # Yippee, \$echo works!
+ :
+ else
+ # Restart under the correct shell, and then maybe \$echo will work.
+ exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+ fi
+ fi\
+"
+ $echo >> $output "\
+
+ # Find the directory that this script lives in.
+ thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+ test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+ # Follow symbolic links until we get to the real thisdir.
+ file=\`ls -ld \"\$file\" | sed -n 's/.*-> //p'\`
+ while test -n \"\$file\"; do
+ destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+ # If there was a directory component, then change thisdir.
+ if test \"x\$destdir\" != \"x\$file\"; then
+ case \"\$destdir\" in
+ [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+ *) thisdir=\"\$thisdir/\$destdir\" ;;
+ esac
+ fi
+
+ file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+ file=\`ls -ld \"\$thisdir/\$file\" | sed -n 's/.*-> //p'\`
+ done
+
+ # Try to get the absolute directory name.
+ absdir=\`cd \"\$thisdir\" && pwd\`
+ test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+ if test "$fast_install" = yes; then
+ echo >> $output "\
+ program=lt-'$outputname'$exeext
+ progdir=\"\$thisdir/$objdir\"
+
+ if test ! -f \"\$progdir/\$program\" || \\
+ { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | sed 1q\`; \\
+ test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+ file=\"\$\$-\$program\"
+
+ if test ! -d \"\$progdir\"; then
+ $mkdir \"\$progdir\"
+ else
+ $rm \"\$progdir/\$file\"
+ fi"
+
+ echo >> $output "\
+
+ # relink executable if necessary
+ if test -n \"\$relink_command\"; then
+ if (eval \$relink_command); then :
+ else
+ $rm \"\$progdir/\$file\"
+ exit 1
+ fi
+ fi
+
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+ { $rm \"\$progdir/\$program\";
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+ $rm \"\$progdir/\$file\"
+ fi"
+ else
+ echo >> $output "\
+ program='$outputname'
+ progdir=\"\$thisdir/$objdir\"
+"
+ fi
+
+ echo >> $output "\
+
+ if test -f \"\$progdir/\$program\"; then"
+
+ # Export our shlibpath_var if we have one.
+ if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+ $echo >> $output "\
+ # Add our own library path to $shlibpath_var
+ $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+ # Some systems cannot cope with colon-terminated $shlibpath_var
+ # The second colon is a workaround for a bug in BeOS R4 sed
+ $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+ export $shlibpath_var
+"
+ fi
+
+ # fixup the dll searchpath if we need to.
+ if test -n "$dllsearchpath"; then
+ $echo >> $output "\
+ # Add the dll search path components to the executable PATH
+ PATH=$dllsearchpath:\$PATH
+"
+ fi
+
+ $echo >> $output "\
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ # Run the actual program with our arguments.
+"
+ case $host in
+ # win32 systems need to use the prog path for dll
+ # lookup to work
+ *-*-cygwin* | *-*-pw32*)
+ $echo >> $output "\
+ exec \$progdir/\$program \${1+\"\$@\"}
+"
+ ;;
+
+ # Backslashes separate directories on plain windows
+ *-*-mingw | *-*-os2*)
+ $echo >> $output "\
+ exec \$progdir\\\\\$program \${1+\"\$@\"}
+"
+ ;;
+
+ *)
+ $echo >> $output "\
+ # Export the path to the program.
+ PATH=\"\$progdir:\$PATH\"
+ export PATH
+
+ exec \$program \${1+\"\$@\"}
+"
+ ;;
+ esac
+ $echo >> $output "\
+ \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+ exit 1
+ fi
+ else
+ # The program doesn't exist.
+ \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+ \$echo \"This script is just a wrapper for \$program.\" 1>&2
+ echo \"See the $PACKAGE documentation for more information.\" 1>&2
+ exit 1
+ fi
+fi\
+"
+ chmod +x $output
+ fi
+ exit 0
+ ;;
+ esac
+
+ # See if we need to build an old-fashioned archive.
+ for oldlib in $oldlibs; do
+
+ if test "$build_libtool_libs" = convenience; then
+ oldobjs="$libobjs_save"
+ addlibs="$convenience"
+ build_libtool_libs=no
+ else
+ if test "$build_libtool_libs" = module; then
+ oldobjs="$libobjs_save"
+ build_libtool_libs=no
+ else
+ oldobjs="$objs$old_deplibs "`$echo "X$libobjs_save" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`
+ fi
+ addlibs="$old_convenience"
+ fi
+
+ if test -n "$addlibs"; then
+ gentop="$output_objdir/${outputname}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "mkdir $gentop"
+ $run mkdir "$gentop"
+ status=$?
+ if test $status -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ # Add in members from convenience archives.
+ for xlib in $addlibs; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "mkdir $xdir"
+ $run mkdir "$xdir"
+ status=$?
+ if test $status -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+
+ oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+
+ # Do each command in the archive commands.
+ if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+ eval cmds=\"$old_archive_from_new_cmds\"
+ else
+ # Ensure that we have .o objects in place in case we decided
+ # not to build a shared library, and have fallen back to building
+ # static libs even though --disable-static was passed!
+ for oldobj in $oldobjs; do
+ if test ! -f $oldobj; then
+ xdir=`$echo "X$oldobj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$oldobj"; then
+ xdir="."
+ else
+ xdir="$xdir"
+ fi
+ baseobj=`$echo "X$oldobj" | $Xsed -e 's%^.*/%%'`
+ obj=`$echo "X$baseobj" | $Xsed -e "$o2lo"`
+ $show "(cd $xdir && ${LN_S} $obj $baseobj)"
+ $run eval '(cd $xdir && ${LN_S} $obj $baseobj)' || exit $?
+ fi
+ done
+
+ eval cmds=\"$old_archive_cmds\"
+ fi
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$generated"; then
+ $show "${rm}r$generated"
+ $run ${rm}r$generated
+ fi
+
+ # Now create the libtool archive.
+ case $output in
+ *.la)
+ old_library=
+ test "$build_old_libs" = yes && old_library="$libname.$libext"
+ $show "creating $output"
+
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ # Quote the link command for shipping.
+ relink_command="cd `pwd`; $SHELL $0 --mode=relink $libtool_args"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+
+ # Only create the output if not a dry run.
+ if test -z "$run"; then
+ for installed in no yes; do
+ if test "$installed" = yes; then
+ if test -z "$install_libdir"; then
+ break
+ fi
+ output="$output_objdir/$outputname"i
+ # Replace all uninstalled libtool libraries with the installed ones
+ newdependency_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ *.la)
+ name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdependency_libs="$newdependency_libs $libdir/$name"
+ ;;
+ *) newdependency_libs="$newdependency_libs $deplib" ;;
+ esac
+ done
+ dependency_libs="$newdependency_libs"
+ newdlfiles=
+ for lib in $dlfiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdlfiles="$newdlfiles $libdir/$name"
+ done
+ dlfiles="$newdlfiles"
+ newdlprefiles=
+ for lib in $dlprefiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`sed -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdlprefiles="$newdlprefiles $libdir/$name"
+ done
+ dlprefiles="$newdlprefiles"
+ fi
+ $rm $output
+ # place dlname in correct position for cygwin
+ tdlname=$dlname
+ case $host,$output,$installed,$module,$dlname in
+ *cygwin*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+ esac
+ $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+ if test "$installed" = no && test $need_relink = yes; then
+ $echo >> $output "\
+relink_command=\"$relink_command\""
+ fi
+ done
+ fi
+
+ # Do a symbolic link so that the libtool archive can be found in
+ # LD_LIBRARY_PATH before the program is installed.
+ $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+ $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+ ;;
+ esac
+ exit 0
+ ;;
+
+ # libtool install mode
+ install)
+ modename="$modename: install"
+
+ # There may be an optional sh(1) argument at the beginning of
+ # install_prog (especially on Windows NT).
+ if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+ # Allow the use of GNU shtool's install command.
+ $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
+ # Aesthetically quote it.
+ arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$arg "
+ arg="$1"
+ shift
+ else
+ install_prog=
+ arg="$nonopt"
+ fi
+
+ # The real first argument should be the name of the installation program.
+ # Aesthetically quote it.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog$arg"
+
+ # We need to accept at least all the BSD install flags.
+ dest=
+ files=
+ opts=
+ prev=
+ install_type=
+ isdir=no
+ stripme=
+ for arg
+ do
+ if test -n "$dest"; then
+ files="$files $dest"
+ dest="$arg"
+ continue
+ fi
+
+ case $arg in
+ -d) isdir=yes ;;
+ -f) prev="-f" ;;
+ -g) prev="-g" ;;
+ -m) prev="-m" ;;
+ -o) prev="-o" ;;
+ -s)
+ stripme=" -s"
+ continue
+ ;;
+ -*) ;;
+
+ *)
+ # If the previous option needed an argument, then skip it.
+ if test -n "$prev"; then
+ prev=
+ else
+ dest="$arg"
+ continue
+ fi
+ ;;
+ esac
+
+ # Aesthetically quote the argument.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog $arg"
+ done
+
+ if test -z "$install_prog"; then
+ $echo "$modename: you must specify an install program" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prev' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test -z "$files"; then
+ if test -z "$dest"; then
+ $echo "$modename: no file or destination specified" 1>&2
+ else
+ $echo "$modename: you must specify a destination" 1>&2
+ fi
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Strip any trailing slash from the destination.
+ dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+ # Check to see that the destination is a directory.
+ test -d "$dest" && isdir=yes
+ if test "$isdir" = yes; then
+ destdir="$dest"
+ destname=
+ else
+ destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$destdir" = "X$dest" && destdir=.
+ destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+ # Not a directory, so check to see that there is only one file specified.
+ set dummy $files
+ if test $# -gt 2; then
+ $echo "$modename: \`$dest' is not a directory" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+ fi
+ case $destdir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ for file in $files; do
+ case $file in
+ *.lo) ;;
+ *)
+ $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ ;;
+ esac
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ staticlibs=
+ future_libdirs=
+ current_libdirs=
+ for file in $files; do
+
+ # Do each installation.
+ case $file in
+ *.$libext)
+ # Do the static libraries later.
+ staticlibs="$staticlibs $file"
+ ;;
+
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ library_names=
+ old_library=
+ relink_command=
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Add the libdir to current_libdirs if it is the destination.
+ if test "X$destdir" = "X$libdir"; then
+ case "$current_libdirs " in
+ *" $libdir "*) ;;
+ *) current_libdirs="$current_libdirs $libdir" ;;
+ esac
+ else
+ # Note the libdir as a future libdir.
+ case "$future_libdirs " in
+ *" $libdir "*) ;;
+ *) future_libdirs="$future_libdirs $libdir" ;;
+ esac
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+ test "X$dir" = "X$file/" && dir=
+ dir="$dir$objdir"
+
+ if test -n "$relink_command"; then
+ $echo "$modename: warning: relinking \`$file'" 1>&2
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ continue
+ fi
+ fi
+
+ # See the names of the shared library.
+ set dummy $library_names
+ if test -n "$2"; then
+ realname="$2"
+ shift
+ shift
+
+ srcname="$realname"
+ test -n "$relink_command" && srcname="$realname"T
+
+ # Install the shared library and build the symlinks.
+ $show "$install_prog $dir/$srcname $destdir/$realname"
+ $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+ if test -n "$stripme" && test -n "$striplib"; then
+ $show "$striplib $destdir/$realname"
+ $run eval "$striplib $destdir/$realname" || exit $?
+ fi
+
+ if test $# -gt 0; then
+ # Delete the old symlinks, and create new ones.
+ for linkname
+ do
+ if test "$linkname" != "$realname"; then
+ $show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+ $run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+ fi
+ done
+ fi
+
+ # Do each command in the postinstall commands.
+ lib="$destdir/$realname"
+ eval cmds=\"$postinstall_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Install the pseudo-library for information purposes.
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ instname="$dir/$name"i
+ $show "$install_prog $instname $destdir/$name"
+ $run eval "$install_prog $instname $destdir/$name" || exit $?
+
+ # Maybe install the static library, too.
+ test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+ ;;
+
+ *.lo)
+ # Install (i.e. copy) a libtool object.
+
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # Deduce the name of the destination old-style object file.
+ case $destfile in
+ *.lo)
+ staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+ ;;
+ *.$objext)
+ staticdest="$destfile"
+ destfile=
+ ;;
+ *)
+ $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Install the libtool object if requested.
+ if test -n "$destfile"; then
+ $show "$install_prog $file $destfile"
+ $run eval "$install_prog $file $destfile" || exit $?
+ fi
+
+ # Install the old object if enabled.
+ if test "$build_old_libs" = yes; then
+ # Deduce the name of the old-style object file.
+ staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+ $show "$install_prog $staticobj $staticdest"
+ $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+ fi
+ exit 0
+ ;;
+
+ *)
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # Do a test to see if this is really a libtool program.
+ if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ notinst_deplibs=
+ relink_command=
+
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Check the variables that should have been set.
+ if test -z "$notinst_deplibs"; then
+ $echo "$modename: invalid libtool wrapper script \`$file'" 1>&2
+ exit 1
+ fi
+
+ finalize=yes
+ for lib in $notinst_deplibs; do
+ # Check to see that each library is installed.
+ libdir=
+ if test -f "$lib"; then
+ # If there is no directory component, then add one.
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+ fi
+ libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+ if test -n "$libdir" && test ! -f "$libfile"; then
+ $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+ finalize=no
+ fi
+ done
+
+ relink_command=
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ outputname=
+ if test "$fast_install" = no && test -n "$relink_command"; then
+ if test "$finalize" = yes && test -z "$run"; then
+ tmpdir="/tmp"
+ test -n "$TMPDIR" && tmpdir="$TMPDIR"
+ tmpdir="$tmpdir/libtool-$$"
+ if $mkdir -p "$tmpdir" && chmod 700 "$tmpdir"; then :
+ else
+ $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+ continue
+ fi
+ file=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ outputname="$tmpdir/$file"
+ # Replace the output file specification.
+ relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ ${rm}r "$tmpdir"
+ continue
+ fi
+ file="$outputname"
+ else
+ $echo "$modename: warning: cannot relink \`$file'" 1>&2
+ fi
+ else
+ # Install the binary that we compiled earlier.
+ file=`$echo "X$file" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+ fi
+ fi
+
+ # remove .exe since cygwin /usr/bin/install will append another
+ # one anyways
+ case $install_prog,$host in
+ /usr/bin/install*,*cygwin*)
+ case $file:$destfile in
+ *.exe:*.exe)
+ # this is ok
+ ;;
+ *.exe:*)
+ destfile=$destfile.exe
+ ;;
+ *:*.exe)
+ destfile=`echo $destfile | sed -e 's,.exe$,,'`
+ ;;
+ esac
+ ;;
+ esac
+ $show "$install_prog$stripme $file $destfile"
+ $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+ test -n "$outputname" && ${rm}r "$tmpdir"
+ ;;
+ esac
+ done
+
+ for file in $staticlibs; do
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+ # Set up the ranlib parameters.
+ oldlib="$destdir/$name"
+
+ $show "$install_prog $file $oldlib"
+ $run eval "$install_prog \$file \$oldlib" || exit $?
+
+ if test -n "$stripme" && test -n "$striplib"; then
+ $show "$old_striplib $oldlib"
+ $run eval "$old_striplib $oldlib" || exit $?
+ fi
+
+ # Do each command in the postinstall commands.
+ eval cmds=\"$old_postinstall_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$future_libdirs"; then
+ $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+ fi
+
+ if test -n "$current_libdirs"; then
+ # Maybe just do a dry run.
+ test -n "$run" && current_libdirs=" -n$current_libdirs"
+ exec $SHELL $0 --finish$current_libdirs
+ exit 1
+ fi
+
+ exit 0
+ ;;
+
+ # libtool finish mode
+ finish)
+ modename="$modename: finish"
+ libdirs="$nonopt"
+ admincmds=
+
+ if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+ for dir
+ do
+ libdirs="$libdirs $dir"
+ done
+
+ for libdir in $libdirs; do
+ if test -n "$finish_cmds"; then
+ # Do each command in the finish commands.
+ eval cmds=\"$finish_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || admincmds="$admincmds
+ $cmd"
+ done
+ IFS="$save_ifs"
+ fi
+ if test -n "$finish_eval"; then
+ # Do the single finish_eval.
+ eval cmds=\"$finish_eval\"
+ $run eval "$cmds" || admincmds="$admincmds
+ $cmds"
+ fi
+ done
+ fi
+
+ # Exit here if they wanted silent mode.
+ test "$show" = ":" && exit 0
+
+ echo "----------------------------------------------------------------------"
+ echo "Libraries have been installed in:"
+ for libdir in $libdirs; do
+ echo " $libdir"
+ done
+ echo
+ echo "If you ever happen to want to link against installed libraries"
+ echo "in a given directory, LIBDIR, you must either use libtool, and"
+ echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+ echo "flag during linking and do at least one of the following:"
+ if test -n "$shlibpath_var"; then
+ echo " - add LIBDIR to the \`$shlibpath_var' environment variable"
+ echo " during execution"
+ fi
+ if test -n "$runpath_var"; then
+ echo " - add LIBDIR to the \`$runpath_var' environment variable"
+ echo " during linking"
+ fi
+ if test -n "$hardcode_libdir_flag_spec"; then
+ libdir=LIBDIR
+ eval flag=\"$hardcode_libdir_flag_spec\"
+
+ echo " - use the \`$flag' linker flag"
+ fi
+ if test -n "$admincmds"; then
+ echo " - have your system administrator run these commands:$admincmds"
+ fi
+ if test -f /etc/ld.so.conf; then
+ echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+ fi
+ echo
+ echo "See any operating system documentation about shared libraries for"
+ echo "more information, such as the ld(1) and ld.so(8) manual pages."
+ echo "----------------------------------------------------------------------"
+ exit 0
+ ;;
+
+ # libtool execute mode
+ execute)
+ modename="$modename: execute"
+
+ # The first argument is the command name.
+ cmd="$nonopt"
+ if test -z "$cmd"; then
+ $echo "$modename: you must specify a COMMAND" 1>&2
+ $echo "$help"
+ exit 1
+ fi
+
+ # Handle -dlopen flags immediately.
+ for file in $execute_dlfiles; do
+ if test ! -f "$file"; then
+ $echo "$modename: \`$file' is not a file" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ dir=
+ case $file in
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Read the libtool library.
+ dlname=
+ library_names=
+
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Skip this library if it cannot be dlopened.
+ if test -z "$dlname"; then
+ # Warn if it was a shared library.
+ test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+ continue
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+
+ if test -f "$dir/$objdir/$dlname"; then
+ dir="$dir/$objdir"
+ else
+ $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+ exit 1
+ fi
+ ;;
+
+ *.lo)
+ # Just add the directory containing the .lo file.
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+ ;;
+
+ *)
+ $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+ continue
+ ;;
+ esac
+
+ # Get the absolute pathname.
+ absdir=`cd "$dir" && pwd`
+ test -n "$absdir" && dir="$absdir"
+
+ # Now add the directory to shlibpath_var.
+ if eval "test -z \"\$$shlibpath_var\""; then
+ eval "$shlibpath_var=\"\$dir\""
+ else
+ eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+ fi
+ done
+
+ # This variable tells wrapper scripts just to set shlibpath_var
+ # rather than running their programs.
+ libtool_execute_magic="$magic"
+
+ # Check if any of the arguments is a wrapper script.
+ args=
+ for file
+ do
+ case $file in
+ -*) ;;
+ *)
+ # Do a test to see if this is really a libtool program.
+ if (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Transform arg to wrapped name.
+ file="$progdir/$program"
+ fi
+ ;;
+ esac
+ # Quote arguments (to preserve shell metacharacters).
+ file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+ args="$args \"$file\""
+ done
+
+ if test -z "$run"; then
+ if test -n "$shlibpath_var"; then
+ # Export the shlibpath_var.
+ eval "export $shlibpath_var"
+ fi
+
+ # Restore saved enviroment variables
+ if test "${save_LC_ALL+set}" = set; then
+ LC_ALL="$save_LC_ALL"; export LC_ALL
+ fi
+ if test "${save_LANG+set}" = set; then
+ LANG="$save_LANG"; export LANG
+ fi
+
+ # Now actually exec the command.
+ eval "exec \$cmd$args"
+
+ $echo "$modename: cannot exec \$cmd$args"
+ exit 1
+ else
+ # Display what would be done.
+ if test -n "$shlibpath_var"; then
+ eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+ $echo "export $shlibpath_var"
+ fi
+ $echo "$cmd$args"
+ exit 0
+ fi
+ ;;
+
+ # libtool clean and uninstall mode
+ clean | uninstall)
+ modename="$modename: $mode"
+ rm="$nonopt"
+ files=
+ rmforce=
+ exit_status=0
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ for arg
+ do
+ case $arg in
+ -f) rm="$rm $arg"; rmforce=yes ;;
+ -*) rm="$rm $arg" ;;
+ *) files="$files $arg" ;;
+ esac
+ done
+
+ if test -z "$rm"; then
+ $echo "$modename: you must specify an RM program" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ rmdirs=
+
+ for file in $files; do
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$dir" = "X$file"; then
+ dir=.
+ objdir="$objdir"
+ else
+ objdir="$dir/$objdir"
+ fi
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ test $mode = uninstall && objdir="$dir"
+
+ # Remember objdir for removal later, being careful to avoid duplicates
+ if test $mode = clean; then
+ case " $rmdirs " in
+ *" $objdir "*) ;;
+ *) rmdirs="$rmdirs $objdir" ;;
+ esac
+ fi
+
+ # Don't error if the file doesn't exist and rm -f was used.
+ if (test -L "$file") >/dev/null 2>&1 \
+ || (test -h "$file") >/dev/null 2>&1 \
+ || test -f "$file"; then
+ :
+ elif test -d "$file"; then
+ exit_status=1
+ continue
+ elif test "$rmforce" = yes; then
+ continue
+ fi
+
+ rmfiles="$file"
+
+ case $name in
+ *.la)
+ # Possibly a libtool archive, so verify it.
+ if (sed -e '2q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ . $dir/$name
+
+ # Delete the libtool libraries and symlinks.
+ for n in $library_names; do
+ rmfiles="$rmfiles $objdir/$n"
+ done
+ test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+ test $mode = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+
+ if test $mode = uninstall; then
+ if test -n "$library_names"; then
+ # Do each command in the postuninstall commands.
+ eval cmds=\"$postuninstall_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test $? != 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+
+ if test -n "$old_library"; then
+ # Do each command in the old_postuninstall commands.
+ eval cmds=\"$old_postuninstall_cmds\"
+ IFS="${IFS= }"; save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test $? != 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+ # FIXME: should reinstall the best remaining shared library.
+ fi
+ fi
+ ;;
+
+ *.lo)
+ if test "$build_old_libs" = yes; then
+ oldobj=`$echo "X$name" | $Xsed -e "$lo2o"`
+ rmfiles="$rmfiles $dir/$oldobj"
+ fi
+ ;;
+
+ *)
+ # Do a test to see if this is a libtool program.
+ if test $mode = clean &&
+ (sed -e '4q' $file | egrep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ relink_command=
+ . $dir/$file
+
+ rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+ if test "$fast_install" = yes && test -n "$relink_command"; then
+ rmfiles="$rmfiles $objdir/lt-$name"
+ fi
+ fi
+ ;;
+ esac
+ $show "$rm $rmfiles"
+ $run $rm $rmfiles || exit_status=1
+ done
+
+ # Try to remove the ${objdir}s in the directories where we deleted files
+ for dir in $rmdirs; do
+ if test -d "$dir"; then
+ $show "rmdir $dir"
+ $run rmdir $dir >/dev/null 2>&1
+ fi
+ done
+
+ exit $exit_status
+ ;;
+
+ "")
+ $echo "$modename: you must specify a MODE" 1>&2
+ $echo "$generic_help" 1>&2
+ exit 1
+ ;;
+ esac
+
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$generic_help" 1>&2
+ exit 1
+fi # test -z "$show_help"
+
+# We need to display help for each of the modes.
+case $mode in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+ --config show all configuration variables
+ --debug enable verbose shell tracing
+-n, --dry-run display commands without modifying any files
+ --features display basic configuration information and exit
+ --finish same as \`--mode=finish'
+ --help display this help message and exit
+ --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS]
+ --quiet same as \`--silent'
+ --silent don't print informational messages
+ --version print version information
+
+MODE must be one of the following:
+
+ clean remove files from the build directory
+ compile compile a source file into a libtool object
+ execute automatically set library path, then run a program
+ finish complete the installation of libtool libraries
+ install install libraries or executables
+ link create a library or an executable
+ uninstall remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE."
+ exit 0
+ ;;
+
+clean)
+ $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+compile)
+ $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+ -o OUTPUT-FILE set the output file name to OUTPUT-FILE
+ -prefer-pic try to building PIC objects only
+ -prefer-non-pic try to building non-PIC objects only
+ -static always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+ ;;
+
+execute)
+ $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+ -dlopen FILE add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+ ;;
+
+finish)
+ $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges. Use
+the \`--dry-run' option if you just want to see what would be executed."
+ ;;
+
+install)
+ $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command. The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+ ;;
+
+link)
+ $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+ -all-static do not do any dynamic linking at all
+ -avoid-version do not add a version suffix if possible
+ -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime
+ -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols
+ -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+ -export-symbols SYMFILE
+ try to export only the symbols listed in SYMFILE
+ -export-symbols-regex REGEX
+ try to export only the symbols matching REGEX
+ -LLIBDIR search LIBDIR for required installed libraries
+ -lNAME OUTPUT-FILE requires the installed library libNAME
+ -module build a library that can dlopened
+ -no-fast-install disable the fast-install mode
+ -no-install link a not-installable executable
+ -no-undefined declare that a library does not refer to external symbols
+ -o OUTPUT-FILE create OUTPUT-FILE from the specified objects
+ -release RELEASE specify package release information
+ -rpath LIBDIR the created library will eventually be installed in LIBDIR
+ -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries
+ -static do not do any dynamic linking of libtool libraries
+ -version-info CURRENT[:REVISION[:AGE]]
+ specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename. Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+ ;;
+
+uninstall)
+ $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+*)
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+esac
+
+echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit 0
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/contrib/bind9/lib/bind/make/includes.in b/contrib/bind9/lib/bind/make/includes.in
new file mode 100644
index 0000000..f080202
--- /dev/null
+++ b/contrib/bind9/lib/bind/make/includes.in
@@ -0,0 +1,44 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: includes.in,v 1.1.206.1 2004/03/15 01:02:44 marka Exp $
+
+# Search for machine-generated header files in the build tree,
+# and for normal headers in the source tree (${top_srcdir}).
+# We only need to look in OS-specific subdirectories for the
+# latter case, because there are no machine-generated OS-specific
+# headers.
+
+ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc \
+ -I${top_srcdir}/lib/isc/include \
+ -I${top_srcdir}/lib/isc/unix/include \
+ -I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include
+
+ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isccfg/include
+
+DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns/include \
+ -I${top_srcdir}/lib/dns/sec/dst/include
+
+OMAPI_INCLUDES = @BIND9_OMAPI_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/omapi/include
+
+LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/lwres/include
+
+TEST_INCLUDES = \
+ -I${top_srcdir}/lib/tests/include
diff --git a/contrib/bind9/lib/bind/make/mkdep.in b/contrib/bind9/lib/bind/make/mkdep.in
new file mode 100644
index 0000000..60aea6f
--- /dev/null
+++ b/contrib/bind9/lib/bind/make/mkdep.in
@@ -0,0 +1,147 @@
+#!/bin/sh -
+
+## ++Copyright++ 1987
+## -
+## Copyright (c) 1987 Regents of the University of California.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+## 2. Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the distribution.
+## 3. All advertising materials mentioning features or use of this software
+## must display the following acknowledgement:
+## This product includes software developed by the University of
+## California, Berkeley and its contributors.
+## 4. Neither the name of the University nor the names of its contributors
+## may be used to endorse or promote products derived from this software
+## without specific prior written permission.
+## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+## SUCH DAMAGE.
+## -
+## Portions Copyright (c) 1993 by Digital Equipment Corporation.
+##
+## Permission to use, copy, modify, and distribute this software for any
+## purpose with or without fee is hereby granted, provided that the above
+## copyright notice and this permission notice appear in all copies, and that
+## the name of Digital Equipment Corporation not be used in advertising or
+## publicity pertaining to distribution of the document or software without
+## specific, written prior permission.
+##
+## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+## SOFTWARE.
+## -
+## --Copyright--
+
+#
+# @(#)mkdep.sh 5.12 (Berkeley) 6/30/88
+#
+
+MAKE=Makefile # default makefile name is "Makefile"
+
+while :
+ do case "$1" in
+ # -f allows you to select a makefile name
+ -f)
+ MAKE=$2
+ shift; shift ;;
+
+ # the -p flag produces "program: program.c" style dependencies
+ # so .o's don't get produced
+ -p)
+ SED='s;\.o;;'
+ shift ;;
+ *)
+ break ;;
+ esac
+done
+
+if [ $# = 0 ] ; then
+ echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
+ exit 1
+fi
+
+if [ ! -w $MAKE ]; then
+ echo "mkdep: no writeable file \"$MAKE\""
+ exit 1
+fi
+
+TMP=mkdep$$
+
+trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
+
+cp $MAKE ${MAKE}.bak
+
+sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
+
+cat << _EOF_ >> $TMP
+# DO NOT DELETE THIS LINE -- mkdep uses it.
+# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
+
+_EOF_
+
+# If your compiler doesn't have -M, add it. If you can't, the next two
+# lines will try and replace the "cc -M". The real problem is that this
+# hack can't deal with anything that requires a search path, and doesn't
+# even try for anything using bracket (<>) syntax.
+#
+# egrep '^#include[ ]*".*"' /dev/null $* |
+# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
+
+MKDEPPROG="@MKDEPPROG@"
+if [ X"${MKDEPPROG}" != X ]; then
+ @SHELL@ -c "${MKDEPPROG} $*"
+else
+ @MKDEPCC@ @MKDEPCFLAGS@ $* |
+ sed "
+ s; \./; ;g
+ $SED" |
+ awk '{
+ if ($1 != prev) {
+ if (rec != "")
+ print rec;
+ rec = $0;
+ prev = $1;
+ }
+ else {
+ if (length(rec $2) > 78) {
+ print rec;
+ rec = $0;
+ }
+ else
+ rec = rec " " $2
+ }
+ }
+ END {
+ print rec
+ }' >> $TMP
+fi
+
+cat << _EOF_ >> $TMP
+
+# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
+_EOF_
+
+# copy to preserve permissions
+cp $TMP $MAKE
+rm -f ${MAKE}.bak $TMP
+exit 0
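Review bot: The `@SHELL@ -c "${MKDEPPROG} $*"` line flattens all arguments into one string and has a second shell parse it, so a `-D` value or file name containing spaces, quotes, `;` or backticks is re-interpreted instead of being passed through unchanged. If MKDEPPROG is a plain command line, `${MKDEPPROG} "$@"` keeps each argument intact, and the else branch has the same word-splitting problem in `@MKDEPCC@ @MKDEPCFLAGS@ $*`. `$MAKE` and `$TMP` are likewise expanded unquoted in `[ ! -w $MAKE ]`, `cp`, `sed` and `rm -f`. `TMP=mkdep$$` is a predictable name in the current directory that `sed ... > $TMP` will write through if it already exists, so quoting these and creating the scratch file with `mktemp` where available would be safer in shared build directories.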
diff --git a/contrib/bind9/lib/bind/make/rules.in b/contrib/bind9/lib/bind/make/rules.in
new file mode 100644
index 0000000..15edddb
--- /dev/null
+++ b/contrib/bind9/lib/bind/make/rules.in
@@ -0,0 +1,177 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: rules.in,v 1.3.2.3.4.3 2004/03/15 01:02:44 marka Exp $
+
+###
+### Common Makefile rules for BIND 9.
+###
+
+###
+### Paths
+###
+### Note: paths that vary by Makefile MUST NOT be listed
+### here, or they won't get expanded correctly.
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+includedir = @includedir@
+libdir = @libdir@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+
+DESTDIR =
+MAKEDEFS= 'DESTDIR=${DESTDIR}'
+
+@SET_MAKE@
+
+top_builddir = @BIND9_TOP_BUILDDIR@
+abs_top_srcdir = @abs_top_srcdir@
+
+###
+### All
+###
+### Makefile may define:
+### TARGETS
+
+all: subdirs ${TARGETS}
+
+###
+### Subdirectories
+###
+### Makefile may define:
+### SUBDIRS
+
+ALL_SUBDIRS = ${SUBDIRS} nulldir
+
+#
+# We use a single-colon rule so that additional dependencies of
+# subdirectories can be specified after the inclusion of this file.
+# The "depend" target is treated the same way.
+#
+subdirs:
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making all in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} all) || exit 1; \
+ fi \
+ done
+
+install clean distclean docclean manclean::
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making $@ in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
+ fi \
+ done
+
+###
+### C Programs
+###
+### Makefile must define
+### CC
+### Makefile may define
+### CFLAGS
+### CINCLUDES
+### CDEFINES
+### CWARNINGS
+### User may define externally
+### EXT_CFLAGS
+
+CC = @CC@
+CFLAGS = @CFLAGS@
+STD_CINCLUDES = @STD_CINCLUDES@
+STD_CDEFINES = @STD_CDEFINES@
+STD_CWARNINGS = @STD_CWARNINGS@
+
+.SUFFIXES:
+.SUFFIXES: .c .@O@
+
+ALWAYS_INCLUDES = -I${top_builddir} -I${abs_top_srcdir}/@PORT_INCLUDE@
+ALWAYS_DEFINES = @ALWAYS_DEFINES@
+ALWAYS_WARNINGS =
+
+ALL_CPPFLAGS = \
+ ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+ ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
+
+ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \
+ ${ALL_CPPFLAGS} \
+ ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
+
+.c.@O@:
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
+
+SHELL = @SHELL@
+LIBTOOL = @LIBTOOL@
+LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
+LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
+LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
+PURIFY = @PURIFY@
+
+MKDEP = ${SHELL} ${top_builddir}/make/mkdep
+
+cleandir: distclean
+
+clean distclean::
+ rm -f *.@O@ *.lo *.la core *.core .depend
+ rm -rf .libs
+
+distclean::
+ rm -f Makefile
+
+depend:
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making depend in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
+ fi \
+ done
+ @if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${SRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ fi
+
+FORCE:
+
+###
+### Libraries
+###
+
+AR = @AR@
+ARFLAGS = @ARFLAGS@
+RANLIB = @RANLIB@
+
+###
+### Installation
+###
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
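Review bot: In the `depend` rule the first branch runs `${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}`, but the mkdep script added in this same commit (make/mkdep.in, presumably the source of `${top_builddir}/make/mkdep`) only recognises `-f` and `-p`. `-ap` falls through to `*) break`, so it is passed on to the dependency generator as an ordinary argument and the `.o`-stripping sed expression is never set. That second run also deletes everything after the "DO NOT DELETE THIS LINE" marker, which includes the SRCS dependencies the first run just wrote, so mkdep needs a real append option before this branch can work. Separately, the third branch echoes `${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}` while executing `${MKDEP} -p ...`, so the build log does not show the command that ran; the echo should read `echo ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS};`.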
diff --git a/contrib/bind9/lib/bind/mkinstalldirs b/contrib/bind9/lib/bind/mkinstalldirs
new file mode 100755
index 0000000..74a611a
--- /dev/null
+++ b/contrib/bind9/lib/bind/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 2001/07/06 22:23:42 gson Exp $
+
+errstatus=0
+
+for file
+do
+ set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+ shift
+
+ pathcomp=
+ for d
+ do
+ pathcomp="$pathcomp$d"
+ case "$pathcomp" in
+ -* ) pathcomp=./$pathcomp ;;
+ esac
+
+ if test ! -d "$pathcomp"; then
+ echo "mkdir $pathcomp" 1>&2
+
+ mkdir "$pathcomp" || lasterr=$?
+
+ if test ! -d "$pathcomp"; then
+ errstatus=$lasterr
+ fi
+ fi
+
+ pathcomp="$pathcomp/"
+ done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/contrib/bind9/lib/bind/nameser/Makefile.in b/contrib/bind9/lib/bind/nameser/Makefile.in
new file mode 100644
index 0000000..aa4bc6c
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/Makefile.in
@@ -0,0 +1,31 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/15 01:02:45 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+OBJS= ns_date.@O@ ns_name.@O@ ns_netint.@O@ ns_parse.@O@ ns_print.@O@ \
+ ns_samedomain.@O@ ns_sign.@O@ ns_ttl.@O@ ns_verify.@O@
+
+SRCS= ns_date.c ns_name.c ns_netint.c ns_parse.c ns_print.c \
+ ns_samedomain.c ns_sign.c ns_ttl.c ns_verify.c
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/nameser/ns_date.c b/contrib/bind9/lib/bind/nameser/ns_date.c
new file mode 100644
index 0000000..d6b347a
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_date.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_date.c,v 1.3.206.2 2004/03/16 12:34:16 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Forward. */
+
+static int datepart(const char *, int, int, int, int *);
+
+/* Public. */
+
+/* Convert a date in ASCII into the number of seconds since
+ 1 January 1970 (GMT assumed). Format is yyyymmddhhmmss, all
+ digits required, no spaces allowed. */
+
+u_int32_t
+ns_datetosecs(const char *cp, int *errp) {
+ struct tm time;
+ u_int32_t result;
+ int mdays, i;
+ static const int days_per_month[12] =
+ {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
+
+ if (strlen(cp) != 14U) {
+ *errp = 1;
+ return (0);
+ }
+ *errp = 0;
+
+ memset(&time, 0, sizeof time);
+ time.tm_year = datepart(cp + 0, 4, 1990, 9999, errp) - 1900;
+ time.tm_mon = datepart(cp + 4, 2, 01, 12, errp) - 1;
+ time.tm_mday = datepart(cp + 6, 2, 01, 31, errp);
+ time.tm_hour = datepart(cp + 8, 2, 00, 23, errp);
+ time.tm_min = datepart(cp + 10, 2, 00, 59, errp);
+ time.tm_sec = datepart(cp + 12, 2, 00, 59, errp);
+ if (*errp) /* Any parse errors? */
+ return (0);
+
+ /*
+ * OK, now because timegm() is not available in all environments,
+ * we will do it by hand. Roll up sleeves, curse the gods, begin!
+ */
+
+#define SECS_PER_DAY ((u_int32_t)24*60*60)
+#define isleap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+
+ result = time.tm_sec; /* Seconds */
+ result += time.tm_min * 60; /* Minutes */
+ result += time.tm_hour * (60*60); /* Hours */
+ result += (time.tm_mday - 1) * SECS_PER_DAY; /* Days */
+
+ /* Months are trickier. Look without leaping, then leap */
+ mdays = 0;
+ for (i = 0; i < time.tm_mon; i++)
+ mdays += days_per_month[i];
+ result += mdays * SECS_PER_DAY; /* Months */
+ if (time.tm_mon > 1 && isleap(1900+time.tm_year))
+ result += SECS_PER_DAY; /* Add leapday for this year */
+
+ /* First figure years without leapdays, then add them in. */
+ /* The loop is slow, FIXME, but simple and accurate. */
+ result += (time.tm_year - 70) * (SECS_PER_DAY*365); /* Years */
+ for (i = 70; i < time.tm_year; i++)
+ if (isleap(1900+i))
+ result += SECS_PER_DAY; /* Add leapday for prev year */
+
+ return (result);
+}
+
+/* Private. */
+
+/*
+ * Parse part of a date. Set error flag if any error.
+ * Don't reset the flag if there is no error.
+ */
+static int
+datepart(const char *buf, int size, int min, int max, int *errp) {
+ int result = 0;
+ int i;
+
+ for (i = 0; i < size; i++) {
+ if (!isdigit((unsigned char)(buf[i])))
+ *errp = 1;
+ result = (result * 10) + buf[i] - '0';
+ }
+ if (result < min)
+ *errp = 1;
+ if (result > max)
+ *errp = 1;
+ return (result);
+}
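Review bot: `ns_datetosecs` accepts day values that do not exist in the given month, because `datepart(cp + 6, 2, 01, 31, errp)` only checks the range 1–31; a string such as "20040231000000" parses without error and silently yields a timestamp in March. A check placed after the `isleap` define, for example `if (time.tm_mday > days_per_month[time.tm_mon] + (time.tm_mon == 1 && isleap(1900+time.tm_year))) { *errp = 1; return (0); }`, would reject those inputs. The accepted year range 1990–9999 is also wider than a `u_int32_t` second count can hold, so dates after early 2106 wrap without setting `*errp`. If the wrap-around is intended it deserves a comment at the `datepart(cp + 0, 4, 1990, 9999, errp)` call; otherwise the upper bound should be lowered.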
diff --git a/contrib/bind9/lib/bind/nameser/ns_name.c b/contrib/bind9/lib/bind/nameser/ns_name.c
new file mode 100644
index 0000000..5ac91e3
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_name.c
@@ -0,0 +1,963 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_name.c,v 1.3.2.4.4.2 2004/05/04 03:27:47 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <string.h>
+#include <ctype.h>
+#include <stdlib.h>
+#include <limits.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+#define NS_TYPE_ELT 0x40 /* EDNS0 extended label type */
+#define DNS_LABELTYPE_BITSTRING 0x41
+
+/* Data. */
+
+static const char digits[] = "0123456789";
+
+static const char digitvalue[256] = {
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*16*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
+ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, /*64*/
+ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
+ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
+};
+
+/* Forward. */
+
+static int special(int);
+static int printable(int);
+static int dn_find(const u_char *, const u_char *,
+ const u_char * const *,
+ const u_char * const *);
+static int encode_bitsring(const char **, const char *,
+ unsigned char **, unsigned char **,
+ unsigned const char *);
+static int labellen(const u_char *);
+static int decode_bitstring(const unsigned char **,
+ char *, const char *);
+
+/* Public. */
+
+/*
+ * ns_name_ntop(src, dst, dstsiz)
+ * Convert an encoded domain name to printable ascii as per RFC1035.
+ * return:
+ * Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ * The root is returned as "."
+ * All other domains are returned in non absolute form
+ */
+int
+ns_name_ntop(const u_char *src, char *dst, size_t dstsiz)
+{
+ const u_char *cp;
+ char *dn, *eom;
+ u_char c;
+ u_int n;
+ int l;
+
+ cp = src;
+ dn = dst;
+ eom = dst + dstsiz;
+
+ while ((n = *cp++) != 0) {
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* Some kind of compression pointer. */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if (dn != dst) {
+ if (dn >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = '.';
+ }
+ if ((l = labellen(cp - 1)) < 0) {
+ errno = EMSGSIZE; /* XXX */
+ return(-1);
+ }
+ if (dn + l >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if ((n & NS_CMPRSFLGS) == NS_TYPE_ELT) {
+ int m;
+
+ if (n != DNS_LABELTYPE_BITSTRING) {
+ /* XXX: labellen should reject this case */
+ errno = EINVAL;
+ return(-1);
+ }
+ if ((m = decode_bitstring(&cp, dn, eom)) < 0)
+ {
+ errno = EMSGSIZE;
+ return(-1);
+ }
+ dn += m;
+ continue;
+ }
+ for ((void)NULL; l > 0; l--) {
+ c = *cp++;
+ if (special(c)) {
+ if (dn + 1 >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = '\\';
+ *dn++ = (char)c;
+ } else if (!printable(c)) {
+ if (dn + 3 >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = '\\';
+ *dn++ = digits[c / 100];
+ *dn++ = digits[(c % 100) / 10];
+ *dn++ = digits[c % 10];
+ } else {
+ if (dn >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = (char)c;
+ }
+ }
+ }
+ if (dn == dst) {
+ if (dn >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = '.';
+ }
+ if (dn >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = '\0';
+ return (dn - dst);
+}
+
+/*
+ * ns_name_pton(src, dst, dstsiz)
+ * Convert a ascii string into an encoded domain name as per RFC1035.
+ * return:
+ * -1 if it fails
+ * 1 if string was fully qualified
+ * 0 is string was not fully qualified
+ * notes:
+ * Enforces label and domain length limits.
+ */
+
+int
+ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
+{
+ u_char *label, *bp, *eom;
+ int c, n, escaped, e = 0;
+ char *cp;
+
+ escaped = 0;
+ bp = dst;
+ eom = dst + dstsiz;
+ label = bp++;
+
+ while ((c = *src++) != 0) {
+ if (escaped) {
+ if (c == '[') { /* start a bit string label */
+ if ((cp = strchr(src, ']')) == NULL) {
+ errno = EINVAL; /* ??? */
+ return(-1);
+ }
+ if ((e = encode_bitsring(&src, cp + 2,
+ &label, &bp, eom))
+ != 0) {
+ errno = e;
+ return(-1);
+ }
+ escaped = 0;
+ label = bp++;
+ if ((c = *src++) == 0)
+ goto done;
+ else if (c != '.') {
+ errno = EINVAL;
+ return(-1);
+ }
+ continue;
+ }
+ else if ((cp = strchr(digits, c)) != NULL) {
+ n = (cp - digits) * 100;
+ if ((c = *src++) == 0 ||
+ (cp = strchr(digits, c)) == NULL) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ n += (cp - digits) * 10;
+ if ((c = *src++) == 0 ||
+ (cp = strchr(digits, c)) == NULL) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ n += (cp - digits);
+ if (n > 255) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ c = n;
+ }
+ escaped = 0;
+ } else if (c == '\\') {
+ escaped = 1;
+ continue;
+ } else if (c == '.') {
+ c = (bp - label - 1);
+ if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if (label >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *label = c;
+ /* Fully qualified ? */
+ if (*src == '\0') {
+ if (c != 0) {
+ if (bp >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *bp++ = '\0';
+ }
+ if ((bp - dst) > MAXCDNAME) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ return (1);
+ }
+ if (c == 0 || *src == '.') {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ label = bp++;
+ continue;
+ }
+ if (bp >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *bp++ = (u_char)c;
+ }
+ c = (bp - label - 1);
+ if ((c & NS_CMPRSFLGS) != 0) { /* Label too big. */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ done:
+ if (label >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *label = c;
+ if (c != 0) {
+ if (bp >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *bp++ = 0;
+ }
+ if ((bp - dst) > MAXCDNAME) { /* src too big */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ return (0);
+}
+
+/*
+ * ns_name_ntol(src, dst, dstsiz)
+ * Convert a network strings labels into all lowercase.
+ * return:
+ * Number of bytes written to buffer, or -1 (with errno set)
+ * notes:
+ * Enforces label and domain length limits.
+ */
+
+int
+ns_name_ntol(const u_char *src, u_char *dst, size_t dstsiz)
+{
+ const u_char *cp;
+ u_char *dn, *eom;
+ u_char c;
+ u_int n;
+ int l;
+
+ cp = src;
+ dn = dst;
+ eom = dst + dstsiz;
+
+ if (dn >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ while ((n = *cp++) != 0) {
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* Some kind of compression pointer. */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *dn++ = n;
+ if ((l = labellen(cp - 1)) < 0) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if (dn + l >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ for ((void)NULL; l > 0; l--) {
+ c = *cp++;
+ if (isupper(c))
+ *dn++ = tolower(c);
+ else
+ *dn++ = c;
+ }
+ }
+ *dn++ = '\0';
+ return (dn - dst);
+}
+
+/*
+ * ns_name_unpack(msg, eom, src, dst, dstsiz)
+ * Unpack a domain name from a message, source may be compressed.
+ * return:
+ * -1 if it fails, or consumed octets if it succeeds.
+ */
+int
+ns_name_unpack(const u_char *msg, const u_char *eom, const u_char *src,
+ u_char *dst, size_t dstsiz)
+{
+ const u_char *srcp, *dstlim;
+ u_char *dstp;
+ int n, len, checked, l;
+
+ len = -1;
+ checked = 0;
+ dstp = dst;
+ srcp = src;
+ dstlim = dst + dstsiz;
+ if (srcp < msg || srcp >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ /* Fetch next label in domain name. */
+ while ((n = *srcp++) != 0) {
+ /* Check for indirection. */
+ switch (n & NS_CMPRSFLGS) {
+ case 0:
+ case NS_TYPE_ELT:
+ /* Limit checks. */
+ if ((l = labellen(srcp - 1)) < 0) {
+ errno = EMSGSIZE;
+ return(-1);
+ }
+ if (dstp + l + 1 >= dstlim || srcp + l >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ checked += l + 1;
+ *dstp++ = n;
+ memcpy(dstp, srcp, l);
+ dstp += l;
+ srcp += l;
+ break;
+
+ case NS_CMPRSFLGS:
+ if (srcp >= eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if (len < 0)
+ len = srcp - src + 1;
+ srcp = msg + (((n & 0x3f) << 8) | (*srcp & 0xff));
+ if (srcp < msg || srcp >= eom) { /* Out of range. */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ checked += 2;
+ /*
+ * Check for loops in the compressed name;
+ * if we've looked at the whole message,
+ * there must be a loop.
+ */
+ if (checked >= eom - msg) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ break;
+
+ default:
+ errno = EMSGSIZE;
+ return (-1); /* flag error */
+ }
+ }
+ *dstp = '\0';
+ if (len < 0)
+ len = srcp - src;
+ return (len);
+}
+
+/*
+ * ns_name_pack(src, dst, dstsiz, dnptrs, lastdnptr)
+ * Pack domain name 'domain' into 'comp_dn'.
+ * return:
+ * Size of the compressed name, or -1.
+ * notes:
+ * 'dnptrs' is an array of pointers to previous compressed names.
+ * dnptrs[0] is a pointer to the beginning of the message. The array
+ * ends with NULL.
+ * 'lastdnptr' is a pointer to the end of the array pointed to
+ * by 'dnptrs'.
+ * Side effects:
+ * The list of pointers in dnptrs is updated for labels inserted into
+ * the message as we compress the name. If 'dnptr' is NULL, we don't
+ * try to compress names. If 'lastdnptr' is NULL, we don't update the
+ * list.
+ */
+int
+ns_name_pack(const u_char *src, u_char *dst, int dstsiz,
+ const u_char **dnptrs, const u_char **lastdnptr)
+{
+ u_char *dstp;
+ const u_char **cpp, **lpp, *eob, *msg;
+ const u_char *srcp;
+ int n, l, first = 1;
+
+ srcp = src;
+ dstp = dst;
+ eob = dstp + dstsiz;
+ lpp = cpp = NULL;
+ if (dnptrs != NULL) {
+ if ((msg = *dnptrs++) != NULL) {
+ for (cpp = dnptrs; *cpp != NULL; cpp++)
+ (void)NULL;
+ lpp = cpp; /* end of list to search */
+ }
+ } else
+ msg = NULL;
+
+ /* make sure the domain we are about to add is legal */
+ l = 0;
+ do {
+ int l0;
+
+ n = *srcp;
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if ((l0 = labellen(srcp)) < 0) {
+ errno = EINVAL;
+ return(-1);
+ }
+ l += l0 + 1;
+ if (l > MAXCDNAME) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ srcp += l0 + 1;
+ } while (n != 0);
+
+ /* from here on we need to reset compression pointer array on error */
+ srcp = src;
+ do {
+ /* Look to see if we can use pointers. */
+ n = *srcp;
+ if (n != 0 && msg != NULL) {
+ l = dn_find(srcp, msg, (const u_char * const *)dnptrs,
+ (const u_char * const *)lpp);
+ if (l >= 0) {
+ if (dstp + 1 >= eob) {
+ goto cleanup;
+ }
+ *dstp++ = (l >> 8) | NS_CMPRSFLGS;
+ *dstp++ = l % 256;
+ return (dstp - dst);
+ }
+ /* Not found, save it. */
+ if (lastdnptr != NULL && cpp < lastdnptr - 1 &&
+ (dstp - msg) < 0x4000 && first) {
+ *cpp++ = dstp;
+ *cpp = NULL;
+ first = 0;
+ }
+ }
+ /* copy label to buffer */
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* Should not happen. */
+ goto cleanup;
+ }
+ n = labellen(srcp);
+ if (dstp + 1 + n >= eob) {
+ goto cleanup;
+ }
+ memcpy(dstp, srcp, n + 1);
+ srcp += n + 1;
+ dstp += n + 1;
+ } while (n != 0);
+
+ if (dstp > eob) {
+cleanup:
+ if (msg != NULL)
+ *lpp = NULL;
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ return (dstp - dst);
+}
+
+/*
+ * ns_name_uncompress(msg, eom, src, dst, dstsiz)
+ * Expand compressed domain name to presentation format.
+ * return:
+ * Number of bytes read out of `src', or -1 (with errno set).
+ * note:
+ * Root domain returns as "." not "".
+ */
+int
+ns_name_uncompress(const u_char *msg, const u_char *eom, const u_char *src,
+ char *dst, size_t dstsiz)
+{
+ u_char tmp[NS_MAXCDNAME];
+ int n;
+
+ if ((n = ns_name_unpack(msg, eom, src, tmp, sizeof tmp)) == -1)
+ return (-1);
+ if (ns_name_ntop(tmp, dst, dstsiz) == -1)
+ return (-1);
+ return (n);
+}
+
+/*
+ * ns_name_compress(src, dst, dstsiz, dnptrs, lastdnptr)
+ * Compress a domain name into wire format, using compression pointers.
+ * return:
+ * Number of bytes consumed in `dst' or -1 (with errno set).
+ * notes:
+ * 'dnptrs' is an array of pointers to previous compressed names.
+ * dnptrs[0] is a pointer to the beginning of the message.
+ * The list ends with NULL. 'lastdnptr' is a pointer to the end of the
+ * array pointed to by 'dnptrs'. Side effect is to update the list of
+ * pointers for labels inserted into the message as we compress the name.
+ * If 'dnptr' is NULL, we don't try to compress names. If 'lastdnptr'
+ * is NULL, we don't update the list.
+ */
+int
+ns_name_compress(const char *src, u_char *dst, size_t dstsiz,
+ const u_char **dnptrs, const u_char **lastdnptr)
+{
+ u_char tmp[NS_MAXCDNAME];
+
+ if (ns_name_pton(src, tmp, sizeof tmp) == -1)
+ return (-1);
+ return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
+}
+
+/*
+ * Reset dnptrs so that there are no active references to pointers at or
+ * after src.
+ */
+void
+ns_name_rollback(const u_char *src, const u_char **dnptrs,
+ const u_char **lastdnptr)
+{
+ while (dnptrs < lastdnptr && *dnptrs != NULL) {
+ if (*dnptrs >= src) {
+ *dnptrs = NULL;
+ break;
+ }
+ dnptrs++;
+ }
+}
+
+/*
+ * ns_name_skip(ptrptr, eom)
+ * Advance *ptrptr to skip over the compressed name it points at.
+ * return:
+ * 0 on success, -1 (with errno set) on failure.
+ */
+int
+ns_name_skip(const u_char **ptrptr, const u_char *eom)
+{
+ const u_char *cp;
+ u_int n;
+ int l;
+
+ cp = *ptrptr;
+ while (cp < eom && (n = *cp++) != 0) {
+ /* Check for indirection. */
+ switch (n & NS_CMPRSFLGS) {
+ case 0: /* normal case, n == len */
+ cp += n;
+ continue;
+ case NS_TYPE_ELT: /* EDNS0 extended label */
+ if ((l = labellen(cp - 1)) < 0) {
+ errno = EMSGSIZE; /* XXX */
+ return(-1);
+ }
+ cp += l;
+ continue;
+ case NS_CMPRSFLGS: /* indirection */
+ cp++;
+ break;
+ default: /* illegal type */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ break;
+ }
+ if (cp > eom) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ *ptrptr = cp;
+ return (0);
+}
+
+/* Private. */
+
+/*
+ * special(ch)
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * is this characted special ("in need of quoting") ?
+ * return:
+ * boolean.
+ */
+static int
+special(int ch) {
+ switch (ch) {
+ case 0x22: /* '"' */
+ case 0x2E: /* '.' */
+ case 0x3B: /* ';' */
+ case 0x5C: /* '\\' */
+ case 0x28: /* '(' */
+ case 0x29: /* ')' */
+ /* Special modifiers in zone files. */
+ case 0x40: /* '@' */
+ case 0x24: /* '$' */
+ return (1);
+ default:
+ return (0);
+ }
+}
+
+/*
+ * printable(ch)
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * is this character visible and not a space when printed ?
+ * return:
+ * boolean.
+ */
+static int
+printable(int ch) {
+ return (ch > 0x20 && ch < 0x7f);
+}
+
+/*
+ * Thinking in noninternationalized USASCII (per the DNS spec),
+ * convert this character to lower case if it's upper case.
+ */
+static int
+mklower(int ch) {
+ if (ch >= 0x41 && ch <= 0x5A)
+ return (ch + 0x20);
+ return (ch);
+}
+
+/*
+ * dn_find(domain, msg, dnptrs, lastdnptr)
+ * Search for the counted-label name in an array of compressed names.
+ * return:
+ * offset from msg if found, or -1.
+ * notes:
+ * dnptrs is the pointer to the first name on the list,
+ * not the pointer to the start of the message.
+ */
+static int
+dn_find(const u_char *domain, const u_char *msg,
+ const u_char * const *dnptrs,
+ const u_char * const *lastdnptr)
+{
+ const u_char *dn, *cp, *sp;
+ const u_char * const *cpp;
+ u_int n;
+
+ for (cpp = dnptrs; cpp < lastdnptr; cpp++) {
+ sp = *cpp;
+ /*
+ * terminate search on:
+ * root label
+ * compression pointer
+ * unusable offset
+ */
+ while (*sp != 0 && (*sp & NS_CMPRSFLGS) == 0 &&
+ (sp - msg) < 0x4000) {
+ dn = domain;
+ cp = sp;
+ while ((n = *cp++) != 0) {
+ /*
+ * check for indirection
+ */
+ switch (n & NS_CMPRSFLGS) {
+ case 0: /* normal case, n == len */
+ n = labellen(cp - 1); /* XXX */
+
+ if (n != *dn++)
+ goto next;
+
+ for ((void)NULL; n > 0; n--)
+ if (mklower(*dn++) !=
+ mklower(*cp++))
+ goto next;
+ /* Is next root for both ? */
+ if (*dn == '\0' && *cp == '\0')
+ return (sp - msg);
+ if (*dn)
+ continue;
+ goto next;
+ case NS_CMPRSFLGS: /* indirection */
+ cp = msg + (((n & 0x3f) << 8) | *cp);
+ break;
+
+ default: /* illegal type */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ }
+ next: ;
+ sp += *sp + 1;
+ }
+ }
+ errno = ENOENT;
+ return (-1);
+}
+
+static int
+decode_bitstring(const unsigned char **cpp, char *dn, const char *eom)
+{
+ const unsigned char *cp = *cpp;
+ char *beg = dn, tc;
+ int b, blen, plen, i;
+
+ if ((blen = (*cp & 0xff)) == 0)
+ blen = 256;
+ plen = (blen + 3) / 4;
+ plen += sizeof("\\[x/]") + (blen > 99 ? 3 : (blen > 9) ? 2 : 1);
+ if (dn + plen >= eom)
+ return(-1);
+
+ cp++;
+ i = SPRINTF((dn, "\\[x"));
+ if (i < 0)
+ return (-1);
+ dn += i;
+ for (b = blen; b > 7; b -= 8, cp++) {
+ i = SPRINTF((dn, "%02x", *cp & 0xff));
+ if (i < 0)
+ return (-1);
+ dn += i;
+ }
+ if (b > 4) {
+ tc = *cp++;
+ i = SPRINTF((dn, "%02x", tc & (0xff << (8 - b))));
+ if (i < 0)
+ return (-1);
+ dn += i;
+ } else if (b > 0) {
+ tc = *cp++;
+ i = SPRINTF((dn, "%1x",
+ ((tc >> 4) & 0x0f) & (0x0f << (4 - b))));
+ if (i < 0)
+ return (-1);
+ dn += i;
+ }
+ i = SPRINTF((dn, "/%d]", blen));
+ if (i < 0)
+ return (-1);
+ dn += i;
+
+ *cpp = cp;
+ return(dn - beg);
+}
+
+static int
+encode_bitsring(const char **bp, const char *end, unsigned char **labelp,
+ unsigned char ** dst, unsigned const char *eom)
+{
+ int afterslash = 0;
+ const char *cp = *bp;
+ unsigned char *tp;
+ char c;
+ const char *beg_blen;
+ char *end_blen = NULL;
+ int value = 0, count = 0, tbcount = 0, blen = 0;
+
+ beg_blen = end_blen = NULL;
+
+ /* a bitstring must contain at least 2 characters */
+ if (end - cp < 2)
+ return(EINVAL);
+
+ /* XXX: currently, only hex strings are supported */
+ if (*cp++ != 'x')
+ return(EINVAL);
+ if (!isxdigit((*cp) & 0xff)) /* reject '\[x/BLEN]' */
+ return(EINVAL);
+
+ for (tp = *dst + 1; cp < end && tp < eom; cp++) {
+ switch((c = *cp)) {
+ case ']': /* end of the bitstring */
+ if (afterslash) {
+ if (beg_blen == NULL)
+ return(EINVAL);
+ blen = (int)strtol(beg_blen, &end_blen, 10);
+ if (*end_blen != ']')
+ return(EINVAL);
+ }
+ if (count)
+ *tp++ = ((value << 4) & 0xff);
+ cp++; /* skip ']' */
+ goto done;
+ case '/':
+ afterslash = 1;
+ break;
+ default:
+ if (afterslash) {
+ if (!isdigit(c&0xff))
+ return(EINVAL);
+ if (beg_blen == NULL) {
+
+ if (c == '0') {
+ /* blen never begings with 0 */
+ return(EINVAL);
+ }
+ beg_blen = cp;
+ }
+ } else {
+ if (!isxdigit(c&0xff))
+ return(EINVAL);
+ value <<= 4;
+ value += digitvalue[(int)c];
+ count += 4;
+ tbcount += 4;
+ if (tbcount > 256)
+ return(EINVAL);
+ if (count == 8) {
+ *tp++ = value;
+ count = 0;
+ }
+ }
+ break;
+ }
+ }
+ done:
+ if (cp >= end || tp >= eom)
+ return(EMSGSIZE);
+
+ /*
+ * bit length validation:
+ * If a <length> is present, the number of digits in the <bit-data>
+ * MUST be just sufficient to contain the number of bits specified
+ * by the <length>. If there are insignificant bits in a final
+ * hexadecimal or octal digit, they MUST be zero.
+ * RFC 2673, Section 3.2.
+ */
+ if (blen > 0) {
+ int traillen;
+
+ if (((blen + 3) & ~3) != tbcount)
+ return(EINVAL);
+ traillen = tbcount - blen; /* between 0 and 3 */
+ if (((value << (8 - traillen)) & 0xff) != 0)
+ return(EINVAL);
+ }
+ else
+ blen = tbcount;
+ if (blen == 256)
+ blen = 0;
+
+ /* encode the type and the significant bit fields */
+ **labelp = DNS_LABELTYPE_BITSTRING;
+ **dst = blen;
+
+ *bp = cp;
+ *dst = tp;
+
+ return(0);
+}
+
+static int
+labellen(const u_char *lp)
+{
+ int bitlen;
+ u_char l = *lp;
+
+ if ((l & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* should be avoided by the caller */
+ return(-1);
+ }
+
+ if ((l & NS_CMPRSFLGS) == NS_TYPE_ELT) {
+ if (l == DNS_LABELTYPE_BITSTRING) {
+ if ((bitlen = *(lp + 1)) == 0)
+ bitlen = 256;
+ return((bitlen + 7 ) / 8 + 1);
+ }
+ return(-1); /* unknwon ELT */
+ }
+ return(l);
+}
diff --git a/contrib/bind9/lib/bind/nameser/ns_netint.c b/contrib/bind9/lib/bind/nameser/ns_netint.c
new file mode 100644
index 0000000..15fc93e
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_netint.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_netint.c,v 1.1.206.1 2004/03/09 08:33:44 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <arpa/nameser.h>
+
+#include "port_after.h"
+
+/* Public. */
+
+u_int
+ns_get16(const u_char *src) {
+ u_int dst;
+
+ NS_GET16(dst, src);
+ return (dst);
+}
+
+u_long
+ns_get32(const u_char *src) {
+ u_long dst;
+
+ NS_GET32(dst, src);
+ return (dst);
+}
+
+void
+ns_put16(u_int src, u_char *dst) {
+ NS_PUT16(src, dst);
+}
+
+void
+ns_put32(u_long src, u_char *dst) {
+ NS_PUT32(src, dst);
+}
diff --git a/contrib/bind9/lib/bind/nameser/ns_parse.c b/contrib/bind9/lib/bind/nameser/ns_parse.c
new file mode 100644
index 0000000..34ebd3d
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_parse.c
@@ -0,0 +1,203 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_parse.c,v 1.3.2.1.4.1 2004/03/09 08:33:44 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <resolv.h>
+#include <string.h>
+
+#include "port_after.h"
+
+/* Forward. */
+
+static void setsection(ns_msg *msg, ns_sect sect);
+
+/* Macros. */
+
+#define RETERR(err) do { errno = (err); return (-1); } while (0)
+
+/* Public. */
+
+/* These need to be in the same order as the nres.h:ns_flag enum. */
+struct _ns_flagdata _ns_flagdata[16] = {
+ { 0x8000, 15 }, /* qr. */
+ { 0x7800, 11 }, /* opcode. */
+ { 0x0400, 10 }, /* aa. */
+ { 0x0200, 9 }, /* tc. */
+ { 0x0100, 8 }, /* rd. */
+ { 0x0080, 7 }, /* ra. */
+ { 0x0040, 6 }, /* z. */
+ { 0x0020, 5 }, /* ad. */
+ { 0x0010, 4 }, /* cd. */
+ { 0x000f, 0 }, /* rcode. */
+ { 0x0000, 0 }, /* expansion (1/6). */
+ { 0x0000, 0 }, /* expansion (2/6). */
+ { 0x0000, 0 }, /* expansion (3/6). */
+ { 0x0000, 0 }, /* expansion (4/6). */
+ { 0x0000, 0 }, /* expansion (5/6). */
+ { 0x0000, 0 }, /* expansion (6/6). */
+};
+
+int ns_msg_getflag(ns_msg handle, int flag) {
+ return(((handle)._flags & _ns_flagdata[flag].mask) >> _ns_flagdata[flag].shift);
+}
+
+int
+ns_skiprr(const u_char *ptr, const u_char *eom, ns_sect section, int count) {
+ const u_char *optr = ptr;
+
+ for ((void)NULL; count > 0; count--) {
+ int b, rdlength;
+
+ b = dn_skipname(ptr, eom);
+ if (b < 0)
+ RETERR(EMSGSIZE);
+ ptr += b/*Name*/ + NS_INT16SZ/*Type*/ + NS_INT16SZ/*Class*/;
+ if (section != ns_s_qd) {
+ if (ptr + NS_INT32SZ + NS_INT16SZ > eom)
+ RETERR(EMSGSIZE);
+ ptr += NS_INT32SZ/*TTL*/;
+ NS_GET16(rdlength, ptr);
+ ptr += rdlength/*RData*/;
+ }
+ }
+ if (ptr > eom)
+ RETERR(EMSGSIZE);
+ return (ptr - optr);
+}
+
+int
+ns_initparse(const u_char *msg, int msglen, ns_msg *handle) {
+ const u_char *eom = msg + msglen;
+ int i;
+
+ memset(handle, 0x5e, sizeof *handle);
+ handle->_msg = msg;
+ handle->_eom = eom;
+ if (msg + NS_INT16SZ > eom)
+ RETERR(EMSGSIZE);
+ NS_GET16(handle->_id, msg);
+ if (msg + NS_INT16SZ > eom)
+ RETERR(EMSGSIZE);
+ NS_GET16(handle->_flags, msg);
+ for (i = 0; i < ns_s_max; i++) {
+ if (msg + NS_INT16SZ > eom)
+ RETERR(EMSGSIZE);
+ NS_GET16(handle->_counts[i], msg);
+ }
+ for (i = 0; i < ns_s_max; i++)
+ if (handle->_counts[i] == 0)
+ handle->_sections[i] = NULL;
+ else {
+ int b = ns_skiprr(msg, eom, (ns_sect)i,
+ handle->_counts[i]);
+
+ if (b < 0)
+ return (-1);
+ handle->_sections[i] = msg;
+ msg += b;
+ }
+ if (msg != eom)
+ RETERR(EMSGSIZE);
+ setsection(handle, ns_s_max);
+ return (0);
+}
+
+int
+ns_parserr(ns_msg *handle, ns_sect section, int rrnum, ns_rr *rr) {
+ int b;
+ int tmp;
+
+ /* Make section right. */
+ if ((tmp = section) < 0 || section >= ns_s_max)
+ RETERR(ENODEV);
+ if (section != handle->_sect)
+ setsection(handle, section);
+
+ /* Make rrnum right. */
+ if (rrnum == -1)
+ rrnum = handle->_rrnum;
+ if (rrnum < 0 || rrnum >= handle->_counts[(int)section])
+ RETERR(ENODEV);
+ if (rrnum < handle->_rrnum)
+ setsection(handle, section);
+ if (rrnum > handle->_rrnum) {
+ b = ns_skiprr(handle->_msg_ptr, handle->_eom, section,
+ rrnum - handle->_rrnum);
+
+ if (b < 0)
+ return (-1);
+ handle->_msg_ptr += b;
+ handle->_rrnum = rrnum;
+ }
+
+ /* Do the parse. */
+ b = dn_expand(handle->_msg, handle->_eom,
+ handle->_msg_ptr, rr->name, NS_MAXDNAME);
+ if (b < 0)
+ return (-1);
+ handle->_msg_ptr += b;
+ if (handle->_msg_ptr + NS_INT16SZ + NS_INT16SZ > handle->_eom)
+ RETERR(EMSGSIZE);
+ NS_GET16(rr->type, handle->_msg_ptr);
+ NS_GET16(rr->rr_class, handle->_msg_ptr);
+ if (section == ns_s_qd) {
+ rr->ttl = 0;
+ rr->rdlength = 0;
+ rr->rdata = NULL;
+ } else {
+ if (handle->_msg_ptr + NS_INT32SZ + NS_INT16SZ > handle->_eom)
+ RETERR(EMSGSIZE);
+ NS_GET32(rr->ttl, handle->_msg_ptr);
+ NS_GET16(rr->rdlength, handle->_msg_ptr);
+ if (handle->_msg_ptr + rr->rdlength > handle->_eom)
+ RETERR(EMSGSIZE);
+ rr->rdata = handle->_msg_ptr;
+ handle->_msg_ptr += rr->rdlength;
+ }
+ if (++handle->_rrnum > handle->_counts[(int)section])
+ setsection(handle, (ns_sect)((int)section + 1));
+
+ /* All done. */
+ return (0);
+}
+
+/* Private. */
+
+static void
+setsection(ns_msg *msg, ns_sect sect) {
+ msg->_sect = sect;
+ if (sect == ns_s_max) {
+ msg->_rrnum = -1;
+ msg->_msg_ptr = NULL;
+ } else {
+ msg->_rrnum = 0;
+ msg->_msg_ptr = msg->_sections[(int)sect];
+ }
+}
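Review bot: In ns_skiprr, `ptr += rdlength` is applied before anything compares the wire-supplied `rdlength` with the space that is left, so `ptr` can be formed up to 65535 octets past `eom`; the function then relies on the next `dn_skipname` call or the final `ptr > eom` test to notice. Forming that pointer is undefined behaviour, and the later comparisons could be defeated if the addition wraps, so the length should be checked first with `if (rdlength > eom - ptr) RETERR(EMSGSIZE);`. ns_parserr has the same shape in `handle->_msg_ptr + rr->rdlength > handle->_eom`, which is safer written as `rr->rdlength > handle->_eom - handle->_msg_ptr`. Separately, ns_msg_getflag indexes `_ns_flagdata[flag]` without checking that `flag` lies inside the 16-entry table.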
diff --git a/contrib/bind9/lib/bind/nameser/ns_print.c b/contrib/bind9/lib/bind/nameser/ns_print.c
new file mode 100644
index 0000000..1c66dde
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_print.c
@@ -0,0 +1,898 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_print.c,v 1.3.2.1.4.5 2004/07/28 20:16:45 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <isc/assertions.h>
+#include <isc/dst.h>
+#include <errno.h>
+#include <resolv.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Forward. */
+
+static size_t prune_origin(const char *name, const char *origin);
+static int charstr(const u_char *rdata, const u_char *edata,
+ char **buf, size_t *buflen);
+static int addname(const u_char *msg, size_t msglen,
+ const u_char **p, const char *origin,
+ char **buf, size_t *buflen);
+static void addlen(size_t len, char **buf, size_t *buflen);
+static int addstr(const char *src, size_t len,
+ char **buf, size_t *buflen);
+static int addtab(size_t len, size_t target, int spaced,
+ char **buf, size_t *buflen);
+
+/* Macros. */
+
+#define T(x) \
+ do { \
+ if ((x) < 0) \
+ return (-1); \
+ } while (0)
+
+/* Public. */
+
+/*
+ * int
+ * ns_sprintrr(handle, rr, name_ctx, origin, buf, buflen)
+ * Convert an RR to presentation format.
+ * return:
+ * Number of characters written to buf, or -1 (check errno).
+ */
+int
+ns_sprintrr(const ns_msg *handle, const ns_rr *rr,
+ const char *name_ctx, const char *origin,
+ char *buf, size_t buflen)
+{
+ int n;
+
+ n = ns_sprintrrf(ns_msg_base(*handle), ns_msg_size(*handle),
+ ns_rr_name(*rr), ns_rr_class(*rr), ns_rr_type(*rr),
+ ns_rr_ttl(*rr), ns_rr_rdata(*rr), ns_rr_rdlen(*rr),
+ name_ctx, origin, buf, buflen);
+ return (n);
+}
+
+/*
+ * int
+ * ns_sprintrrf(msg, msglen, name, class, type, ttl, rdata, rdlen,
+ * name_ctx, origin, buf, buflen)
+ * Convert the fields of an RR into presentation format.
+ * return:
+ * Number of characters written to buf, or -1 (check errno).
+ */
+int
+ns_sprintrrf(const u_char *msg, size_t msglen,
+ const char *name, ns_class class, ns_type type,
+ u_long ttl, const u_char *rdata, size_t rdlen,
+ const char *name_ctx, const char *origin,
+ char *buf, size_t buflen)
+{
+ const char *obuf = buf;
+ const u_char *edata = rdata + rdlen;
+ int spaced = 0;
+
+ const char *comment;
+ char tmp[100];
+ int len, x;
+
+ /*
+ * Owner.
+ */
+ if (name_ctx != NULL && ns_samename(name_ctx, name) == 1) {
+ T(addstr("\t\t\t", 3, &buf, &buflen));
+ } else {
+ len = prune_origin(name, origin);
+ if (*name == '\0') {
+ goto root;
+ } else if (len == 0) {
+ T(addstr("@\t\t\t", 4, &buf, &buflen));
+ } else {
+ T(addstr(name, len, &buf, &buflen));
+ /* Origin not used or not root, and no trailing dot? */
+ if (((origin == NULL || origin[0] == '\0') ||
+ (origin[0] != '.' && origin[1] != '\0' &&
+ name[len] == '\0')) && name[len - 1] != '.') {
+ root:
+ T(addstr(".", 1, &buf, &buflen));
+ len++;
+ }
+ T(spaced = addtab(len, 24, spaced, &buf, &buflen));
+ }
+ }
+
+ /*
+ * TTL, Class, Type.
+ */
+ T(x = ns_format_ttl(ttl, buf, buflen));
+ addlen(x, &buf, &buflen);
+ len = SPRINTF((tmp, " %s %s", p_class(class), p_type(type)));
+ T(addstr(tmp, len, &buf, &buflen));
+ T(spaced = addtab(x + len, 16, spaced, &buf, &buflen));
+
+ /*
+ * RData.
+ */
+ switch (type) {
+ case ns_t_a:
+ if (rdlen != (size_t)NS_INADDRSZ)
+ goto formerr;
+ (void) inet_ntop(AF_INET, rdata, buf, buflen);
+ addlen(strlen(buf), &buf, &buflen);
+ break;
+
+ case ns_t_cname:
+ case ns_t_mb:
+ case ns_t_mg:
+ case ns_t_mr:
+ case ns_t_ns:
+ case ns_t_ptr:
+ case ns_t_dname:
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ break;
+
+ case ns_t_hinfo:
+ case ns_t_isdn:
+ /* First word. */
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ T(addstr(" ", 1, &buf, &buflen));
+
+
+ /* Second word, optional in ISDN records. */
+ if (type == ns_t_isdn && rdata == edata)
+ break;
+
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ break;
+
+ case ns_t_soa: {
+ u_long t;
+
+ /* Server name. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Administrator name. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" (\n", 3, &buf, &buflen));
+ spaced = 0;
+
+ if ((edata - rdata) != 5*NS_INT32SZ)
+ goto formerr;
+
+ /* Serial number. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
+ len = SPRINTF((tmp, "%lu", t));
+ T(addstr(tmp, len, &buf, &buflen));
+ T(spaced = addtab(len, 16, spaced, &buf, &buflen));
+ T(addstr("; serial\n", 9, &buf, &buflen));
+ spaced = 0;
+
+ /* Refresh interval. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
+ T(len = ns_format_ttl(t, buf, buflen));
+ addlen(len, &buf, &buflen);
+ T(spaced = addtab(len, 16, spaced, &buf, &buflen));
+ T(addstr("; refresh\n", 10, &buf, &buflen));
+ spaced = 0;
+
+ /* Retry interval. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
+ T(len = ns_format_ttl(t, buf, buflen));
+ addlen(len, &buf, &buflen);
+ T(spaced = addtab(len, 16, spaced, &buf, &buflen));
+ T(addstr("; retry\n", 8, &buf, &buflen));
+ spaced = 0;
+
+ /* Expiry. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
+ T(len = ns_format_ttl(t, buf, buflen));
+ addlen(len, &buf, &buflen);
+ T(spaced = addtab(len, 16, spaced, &buf, &buflen));
+ T(addstr("; expiry\n", 9, &buf, &buflen));
+ spaced = 0;
+
+ /* Minimum TTL. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ T(addstr("\t\t\t\t\t", 5, &buf, &buflen));
+ T(len = ns_format_ttl(t, buf, buflen));
+ addlen(len, &buf, &buflen);
+ T(addstr(" )", 2, &buf, &buflen));
+ T(spaced = addtab(len, 16, spaced, &buf, &buflen));
+ T(addstr("; minimum\n", 10, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_mx:
+ case ns_t_afsdb:
+ case ns_t_rt: {
+ u_int t;
+
+ if (rdlen < (size_t)NS_INT16SZ)
+ goto formerr;
+
+ /* Priority. */
+ t = ns_get16(rdata);
+ rdata += NS_INT16SZ;
+ len = SPRINTF((tmp, "%u ", t));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Target. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_px: {
+ u_int t;
+
+ if (rdlen < (size_t)NS_INT16SZ)
+ goto formerr;
+
+ /* Priority. */
+ t = ns_get16(rdata);
+ rdata += NS_INT16SZ;
+ len = SPRINTF((tmp, "%u ", t));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Name1. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Name2. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_x25:
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ break;
+
+ case ns_t_txt:
+ while (rdata < edata) {
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ if (rdata < edata)
+ T(addstr(" ", 1, &buf, &buflen));
+ }
+ break;
+
+ case ns_t_nsap: {
+ char t[2+255*3];
+
+ (void) inet_nsap_ntoa(rdlen, rdata, t);
+ T(addstr(t, strlen(t), &buf, &buflen));
+ break;
+ }
+
+ case ns_t_aaaa:
+ if (rdlen != (size_t)NS_IN6ADDRSZ)
+ goto formerr;
+ (void) inet_ntop(AF_INET6, rdata, buf, buflen);
+ addlen(strlen(buf), &buf, &buflen);
+ break;
+
+ case ns_t_loc: {
+ char t[255];
+
+ /* XXX protocol format checking? */
+ (void) loc_ntoa(rdata, t);
+ T(addstr(t, strlen(t), &buf, &buflen));
+ break;
+ }
+
+ case ns_t_naptr: {
+ u_int order, preference;
+ char t[50];
+
+ if (rdlen < 2U*NS_INT16SZ)
+ goto formerr;
+
+ /* Order, Precedence. */
+ order = ns_get16(rdata); rdata += NS_INT16SZ;
+ preference = ns_get16(rdata); rdata += NS_INT16SZ;
+ len = SPRINTF((t, "%u %u ", order, preference));
+ T(addstr(t, len, &buf, &buflen));
+
+ /* Flags. */
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Service. */
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Regexp. */
+ T(len = charstr(rdata, edata, &buf, &buflen));
+ if (len < 0)
+ return (-1);
+ if (len == 0)
+ goto formerr;
+ rdata += len;
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Server. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ break;
+ }
+
+ case ns_t_srv: {
+ u_int priority, weight, port;
+ char t[50];
+
+ if (rdlen < 3U*NS_INT16SZ)
+ goto formerr;
+
+ /* Priority, Weight, Port. */
+ priority = ns_get16(rdata); rdata += NS_INT16SZ;
+ weight = ns_get16(rdata); rdata += NS_INT16SZ;
+ port = ns_get16(rdata); rdata += NS_INT16SZ;
+ len = SPRINTF((t, "%u %u %u ", priority, weight, port));
+ T(addstr(t, len, &buf, &buflen));
+
+ /* Server. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ break;
+ }
+
+ case ns_t_minfo:
+ case ns_t_rp:
+ /* Name1. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Name2. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ break;
+
+ case ns_t_wks: {
+ int n, lcnt;
+
+ if (rdlen < 1U + NS_INT32SZ)
+ goto formerr;
+
+ /* Address. */
+ (void) inet_ntop(AF_INET, rdata, buf, buflen);
+ addlen(strlen(buf), &buf, &buflen);
+ rdata += NS_INADDRSZ;
+
+ /* Protocol. */
+ len = SPRINTF((tmp, " %u ( ", *rdata));
+ T(addstr(tmp, len, &buf, &buflen));
+ rdata += NS_INT8SZ;
+
+ /* Bit map. */
+ n = 0;
+ lcnt = 0;
+ while (rdata < edata) {
+ u_int c = *rdata++;
+ do {
+ if (c & 0200) {
+ if (lcnt == 0) {
+ T(addstr("\n\t\t\t\t", 5,
+ &buf, &buflen));
+ lcnt = 10;
+ spaced = 0;
+ }
+ len = SPRINTF((tmp, "%d ", n));
+ T(addstr(tmp, len, &buf, &buflen));
+ lcnt--;
+ }
+ c <<= 1;
+ } while (++n & 07);
+ }
+ T(addstr(")", 1, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_key: {
+ char base64_key[NS_MD5RSA_MAX_BASE64];
+ u_int keyflags, protocol, algorithm, key_id;
+ const char *leader;
+ int n;
+
+ if (rdlen < 0U + NS_INT16SZ + NS_INT8SZ + NS_INT8SZ)
+ goto formerr;
+
+ /* Key flags, Protocol, Algorithm. */
+ key_id = dst_s_dns_key_id(rdata, edata-rdata);
+ keyflags = ns_get16(rdata); rdata += NS_INT16SZ;
+ protocol = *rdata++;
+ algorithm = *rdata++;
+ len = SPRINTF((tmp, "0x%04x %u %u",
+ keyflags, protocol, algorithm));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Public key data. */
+ len = b64_ntop(rdata, edata - rdata,
+ base64_key, sizeof base64_key);
+ if (len < 0)
+ goto formerr;
+ if (len > 15) {
+ T(addstr(" (", 2, &buf, &buflen));
+ leader = "\n\t\t";
+ spaced = 0;
+ } else
+ leader = " ";
+ for (n = 0; n < len; n += 48) {
+ T(addstr(leader, strlen(leader), &buf, &buflen));
+ T(addstr(base64_key + n, MIN(len - n, 48),
+ &buf, &buflen));
+ }
+ if (len > 15)
+ T(addstr(" )", 2, &buf, &buflen));
+ n = SPRINTF((tmp, " ; key_tag= %u", key_id));
+ T(addstr(tmp, n, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_sig: {
+ char base64_key[NS_MD5RSA_MAX_BASE64];
+ u_int type, algorithm, labels, footprint;
+ const char *leader;
+ u_long t;
+ int n;
+
+ if (rdlen < 22U)
+ goto formerr;
+
+ /* Type covered, Algorithm, Label count, Original TTL. */
+ type = ns_get16(rdata); rdata += NS_INT16SZ;
+ algorithm = *rdata++;
+ labels = *rdata++;
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ len = SPRINTF((tmp, "%s %d %d %lu ",
+ p_type(type), algorithm, labels, t));
+ T(addstr(tmp, len, &buf, &buflen));
+ if (labels > (u_int)dn_count_labels(name))
+ goto formerr;
+
+ /* Signature expiry. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ len = SPRINTF((tmp, "%s ", p_secstodate(t)));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Time signed. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ len = SPRINTF((tmp, "%s ", p_secstodate(t)));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Signature Footprint. */
+ footprint = ns_get16(rdata); rdata += NS_INT16SZ;
+ len = SPRINTF((tmp, "%u ", footprint));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Signer's name. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ /* Signature. */
+ len = b64_ntop(rdata, edata - rdata,
+ base64_key, sizeof base64_key);
+ if (len > 15) {
+ T(addstr(" (", 2, &buf, &buflen));
+ leader = "\n\t\t";
+ spaced = 0;
+ } else
+ leader = " ";
+ if (len < 0)
+ goto formerr;
+ for (n = 0; n < len; n += 48) {
+ T(addstr(leader, strlen(leader), &buf, &buflen));
+ T(addstr(base64_key + n, MIN(len - n, 48),
+ &buf, &buflen));
+ }
+ if (len > 15)
+ T(addstr(" )", 2, &buf, &buflen));
+ break;
+ }
+
+ case ns_t_nxt: {
+ int n, c;
+
+ /* Next domain name. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ /* Type bit map. */
+ n = edata - rdata;
+ for (c = 0; c < n*8; c++)
+ if (NS_NXT_BIT_ISSET(c, rdata)) {
+ len = SPRINTF((tmp, " %s", p_type(c)));
+ T(addstr(tmp, len, &buf, &buflen));
+ }
+ break;
+ }
+
+ case ns_t_cert: {
+ u_int c_type, key_tag, alg;
+ int n;
+ unsigned int siz;
+ char base64_cert[8192], tmp[40];
+ const char *leader;
+
+ c_type = ns_get16(rdata); rdata += NS_INT16SZ;
+ key_tag = ns_get16(rdata); rdata += NS_INT16SZ;
+ alg = (u_int) *rdata++;
+
+ len = SPRINTF((tmp, "%d %d %d ", c_type, key_tag, alg));
+ T(addstr(tmp, len, &buf, &buflen));
+ siz = (edata-rdata)*4/3 + 4; /* "+4" accounts for trailing \0 */
+ if (siz > sizeof(base64_cert) * 3/4) {
+ const char *str = "record too long to print";
+ T(addstr(str, strlen(str), &buf, &buflen));
+ }
+ else {
+ len = b64_ntop(rdata, edata-rdata, base64_cert, siz);
+
+ if (len < 0)
+ goto formerr;
+ else if (len > 15) {
+ T(addstr(" (", 2, &buf, &buflen));
+ leader = "\n\t\t";
+ spaced = 0;
+ }
+ else
+ leader = " ";
+
+ for (n = 0; n < len; n += 48) {
+ T(addstr(leader, strlen(leader),
+ &buf, &buflen));
+ T(addstr(base64_cert + n, MIN(len - n, 48),
+ &buf, &buflen));
+ }
+ if (len > 15)
+ T(addstr(" )", 2, &buf, &buflen));
+ }
+ break;
+ }
+
+ case ns_t_tkey: {
+ /* KJD - need to complete this */
+ u_long t;
+ int mode, err, keysize;
+
+ /* Algorithm name. */
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" ", 1, &buf, &buflen));
+
+ /* Inception. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ len = SPRINTF((tmp, "%s ", p_secstodate(t)));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Experation. */
+ t = ns_get32(rdata); rdata += NS_INT32SZ;
+ len = SPRINTF((tmp, "%s ", p_secstodate(t)));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* Mode , Error, Key Size. */
+ /* Priority, Weight, Port. */
+ mode = ns_get16(rdata); rdata += NS_INT16SZ;
+ err = ns_get16(rdata); rdata += NS_INT16SZ;
+ keysize = ns_get16(rdata); rdata += NS_INT16SZ;
+ len = SPRINTF((tmp, "%u %u %u ", mode, err, keysize));
+ T(addstr(tmp, len, &buf, &buflen));
+
+ /* XXX need to dump key, print otherdata length & other data */
+ break;
+ }
+
+ case ns_t_tsig: {
+ /* BEW - need to complete this */
+ int n;
+
+ T(len = addname(msg, msglen, &rdata, origin, &buf, &buflen));
+ T(addstr(" ", 1, &buf, &buflen));
+ rdata += 8; /* time */
+ n = ns_get16(rdata); rdata += INT16SZ;
+ rdata += n; /* sig */
+ n = ns_get16(rdata); rdata += INT16SZ; /* original id */
+ sprintf(buf, "%d", ns_get16(rdata));
+ rdata += INT16SZ;
+ addlen(strlen(buf), &buf, &buflen);
+ break;
+ }
+
+ case ns_t_a6: {
+ struct in6_addr a;
+ int pbyte, pbit;
+
+ /* prefix length */
+ if (rdlen == 0U) goto formerr;
+ len = SPRINTF((tmp, "%d ", *rdata));
+ T(addstr(tmp, len, &buf, &buflen));
+ pbit = *rdata;
+ if (pbit > 128) goto formerr;
+ pbyte = (pbit & ~7) / 8;
+ rdata++;
+
+ /* address suffix: provided only when prefix len != 128 */
+ if (pbit < 128) {
+ if (rdata + pbyte >= edata) goto formerr;
+ memset(&a, 0, sizeof(a));
+ memcpy(&a.s6_addr[pbyte], rdata, sizeof(a) - pbyte);
+ (void) inet_ntop(AF_INET6, &a, buf, buflen);
+ addlen(strlen(buf), &buf, &buflen);
+ rdata += sizeof(a) - pbyte;
+ }
+
+ /* prefix name: provided only when prefix len > 0 */
+ if (pbit == 0)
+ break;
+ if (rdata >= edata) goto formerr;
+ T(addstr(" ", 1, &buf, &buflen));
+ T(addname(msg, msglen, &rdata, origin, &buf, &buflen));
+
+ break;
+ }
+
+ case ns_t_opt: {
+ len = SPRINTF((tmp, "%u bytes", class));
+ T(addstr(tmp, len, &buf, &buflen));
+ break;
+ }
+
+ default:
+ comment = "unknown RR type";
+ goto hexify;
+ }
+ return (buf - obuf);
+ formerr:
+ comment = "RR format error";
+ hexify: {
+ int n, m;
+ char *p;
+
+ len = SPRINTF((tmp, "\\# %u%s\t; %s", edata - rdata,
+ rdlen != 0 ? " (" : "", comment));
+ T(addstr(tmp, len, &buf, &buflen));
+ while (rdata < edata) {
+ p = tmp;
+ p += SPRINTF((p, "\n\t"));
+ spaced = 0;
+ n = MIN(16, edata - rdata);
+ for (m = 0; m < n; m++)
+ p += SPRINTF((p, "%02x ", rdata[m]));
+ T(addstr(tmp, p - tmp, &buf, &buflen));
+ if (n < 16) {
+ T(addstr(")", 1, &buf, &buflen));
+ T(addtab(p - tmp + 1, 48, spaced, &buf, &buflen));
+ }
+ p = tmp;
+ p += SPRINTF((p, "; "));
+ for (m = 0; m < n; m++)
+ *p++ = (isascii(rdata[m]) && isprint(rdata[m]))
+ ? rdata[m]
+ : '.';
+ T(addstr(tmp, p - tmp, &buf, &buflen));
+ rdata += n;
+ }
+ return (buf - obuf);
+ }
+}
+
+/* Private. */
+
+/*
+ * size_t
+ * prune_origin(name, origin)
+ * Find out if the name is at or under the current origin.
+ * return:
+ * Number of characters in name before start of origin,
+ * or length of name if origin does not match.
+ * notes:
+ * This function should share code with samedomain().
+ */
+static size_t
+prune_origin(const char *name, const char *origin) {
+ const char *oname = name;
+
+ while (*name != '\0') {
+ if (origin != NULL && ns_samename(name, origin) == 1)
+ return (name - oname - (name > oname));
+ while (*name != '\0') {
+ if (*name == '\\') {
+ name++;
+ /* XXX need to handle \nnn form. */
+ if (*name == '\0')
+ break;
+ } else if (*name == '.') {
+ name++;
+ break;
+ }
+ name++;
+ }
+ }
+ return (name - oname);
+}
+
+/*
+ * int
+ * charstr(rdata, edata, buf, buflen)
+ * Format a <character-string> into the presentation buffer.
+ * return:
+ * Number of rdata octets consumed
+ * 0 for protocol format error
+ * -1 for output buffer error
+ * side effects:
+ * buffer is advanced on success.
+ */
+static int
+charstr(const u_char *rdata, const u_char *edata, char **buf, size_t *buflen) {
+ const u_char *odata = rdata;
+ size_t save_buflen = *buflen;
+ char *save_buf = *buf;
+
+ if (addstr("\"", 1, buf, buflen) < 0)
+ goto enospc;
+ if (rdata < edata) {
+ int n = *rdata;
+
+ if (rdata + 1 + n <= edata) {
+ rdata++;
+ while (n-- > 0) {
+ if (strchr("\n\"\\", *rdata) != NULL)
+ if (addstr("\\", 1, buf, buflen) < 0)
+ goto enospc;
+ if (addstr((const char *)rdata, 1,
+ buf, buflen) < 0)
+ goto enospc;
+ rdata++;
+ }
+ }
+ }
+ if (addstr("\"", 1, buf, buflen) < 0)
+ goto enospc;
+ return (rdata - odata);
+ enospc:
+ errno = ENOSPC;
+ *buf = save_buf;
+ *buflen = save_buflen;
+ return (-1);
+}
+
+static int
+addname(const u_char *msg, size_t msglen,
+ const u_char **pp, const char *origin,
+ char **buf, size_t *buflen)
+{
+ size_t newlen, save_buflen = *buflen;
+ char *save_buf = *buf;
+ int n;
+
+ n = dn_expand(msg, msg + msglen, *pp, *buf, *buflen);
+ if (n < 0)
+ goto enospc; /* Guess. */
+ newlen = prune_origin(*buf, origin);
+ if (**buf == '\0') {
+ goto root;
+ } else if (newlen == 0U) {
+ /* Use "@" instead of name. */
+ if (newlen + 2 > *buflen)
+ goto enospc; /* No room for "@\0". */
+ (*buf)[newlen++] = '@';
+ (*buf)[newlen] = '\0';
+ } else {
+ if (((origin == NULL || origin[0] == '\0') ||
+ (origin[0] != '.' && origin[1] != '\0' &&
+ (*buf)[newlen] == '\0')) && (*buf)[newlen - 1] != '.') {
+ /* No trailing dot. */
+ root:
+ if (newlen + 2 > *buflen)
+ goto enospc; /* No room for ".\0". */
+ (*buf)[newlen++] = '.';
+ (*buf)[newlen] = '\0';
+ }
+ }
+ *pp += n;
+ addlen(newlen, buf, buflen);
+ **buf = '\0';
+ return (newlen);
+ enospc:
+ errno = ENOSPC;
+ *buf = save_buf;
+ *buflen = save_buflen;
+ return (-1);
+}
+
+static void
+addlen(size_t len, char **buf, size_t *buflen) {
+ INSIST(len <= *buflen);
+ *buf += len;
+ *buflen -= len;
+}
+
+static int
+addstr(const char *src, size_t len, char **buf, size_t *buflen) {
+ if (len >= *buflen) {
+ errno = ENOSPC;
+ return (-1);
+ }
+ memcpy(*buf, src, len);
+ addlen(len, buf, buflen);
+ **buf = '\0';
+ return (0);
+}
+
+static int
+addtab(size_t len, size_t target, int spaced, char **buf, size_t *buflen) {
+ size_t save_buflen = *buflen;
+ char *save_buf = *buf;
+ int t;
+
+ if (spaced || len >= target - 1) {
+ T(addstr(" ", 2, buf, buflen));
+ spaced = 1;
+ } else {
+ for (t = (target - len - 1) / 8; t >= 0; t--)
+ if (addstr("\t", 1, buf, buflen) < 0) {
+ *buflen = save_buflen;
+ *buf = save_buf;
+ return (-1);
+ }
+ spaced = 0;
+ }
+ return (spaced);
+}
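Review bot: The `ns_t_tsig` case in ns_sprintrrf writes with `sprintf(buf, "%d", ns_get16(rdata))` straight into the caller's buffer without consulting `buflen`, and it advances `rdata` by 8, by the wire-supplied length `n`, and across three 16-bit fields without ever comparing against `edata`. Because the RDATA comes from a DNS message, both the reads and the write should be bounded: check the remaining length before each skip, and format through `tmp` and `addstr` as the other cases do. The `ns_t_tkey` and `ns_t_cert` cases also read their fixed fields with no `rdlen` check, and in `ns_t_a6` the guard tests `rdata + pbyte` while the `memcpy` copies `sizeof(a) - pbyte` octets, so they need the same treatment. Since this is a vendor import, the change is probably best carried as a local patch and reported upstream.

```c
	case ns_t_tsig: {
		/* … unchanged: declarations, addname of the algorithm name, separator … */
		if (edata - rdata < 8 + NS_INT16SZ)
			goto formerr;
		rdata += 8; /* time */
		n = ns_get16(rdata); rdata += INT16SZ;
		/* signature, original id, and the 16-bit field printed below */
		if (edata - rdata < n + 2 * NS_INT16SZ)
			goto formerr;
		/* … unchanged: skip of the signature and read of the original id … */
		len = SPRINTF((tmp, "%d", ns_get16(rdata)));
		rdata += INT16SZ;
		T(addstr(tmp, len, &buf, &buflen));
		break;
	}
```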
diff --git a/contrib/bind9/lib/bind/nameser/ns_samedomain.c b/contrib/bind9/lib/bind/nameser/ns_samedomain.c
new file mode 100644
index 0000000..d4ca550
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_samedomain.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_samedomain.c,v 1.1.2.2.4.2 2004/03/16 12:34:17 marka Exp $";
+#endif
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <arpa/nameser.h>
+#include <errno.h>
+#include <string.h>
+
+#include "port_after.h"
+
+/*
+ * int
+ * ns_samedomain(a, b)
+ * Check whether a name belongs to a domain.
+ * Inputs:
+ * a - the domain whose ancestory is being verified
+ * b - the potential ancestor we're checking against
+ * Return:
+ * boolean - is a at or below b?
+ * Notes:
+ * Trailing dots are first removed from name and domain.
+ * Always compare complete subdomains, not only whether the
+ * domain name is the trailing string of the given name.
+ *
+ * "host.foobar.top" lies in "foobar.top" and in "top" and in ""
+ * but NOT in "bar.top"
+ */
+
+int
+ns_samedomain(const char *a, const char *b) {
+ size_t la, lb;
+ int diff, i, escaped;
+ const char *cp;
+
+ la = strlen(a);
+ lb = strlen(b);
+
+ /* Ignore a trailing label separator (i.e. an unescaped dot) in 'a'. */
+ if (la != 0U && a[la - 1] == '.') {
+ escaped = 0;
+ /* Note this loop doesn't get executed if la==1. */
+ for (i = la - 2; i >= 0; i--)
+ if (a[i] == '\\') {
+ if (escaped)
+ escaped = 0;
+ else
+ escaped = 1;
+ } else
+ break;
+ if (!escaped)
+ la--;
+ }
+
+ /* Ignore a trailing label separator (i.e. an unescaped dot) in 'b'. */
+ if (lb != 0U && b[lb - 1] == '.') {
+ escaped = 0;
+ /* note this loop doesn't get executed if lb==1 */
+ for (i = lb - 2; i >= 0; i--)
+ if (b[i] == '\\') {
+ if (escaped)
+ escaped = 0;
+ else
+ escaped = 1;
+ } else
+ break;
+ if (!escaped)
+ lb--;
+ }
+
+ /* lb == 0 means 'b' is the root domain, so 'a' must be in 'b'. */
+ if (lb == 0U)
+ return (1);
+
+ /* 'b' longer than 'a' means 'a' can't be in 'b'. */
+ if (lb > la)
+ return (0);
+
+ /* 'a' and 'b' being equal at this point indicates sameness. */
+ if (lb == la)
+ return (strncasecmp(a, b, lb) == 0);
+
+ /* Ok, we know la > lb. */
+
+ diff = la - lb;
+
+ /*
+ * If 'a' is only 1 character longer than 'b', then it can't be
+ * a subdomain of 'b' (because of the need for the '.' label
+ * separator).
+ */
+ if (diff < 2)
+ return (0);
+
+ /*
+ * If the character before the last 'lb' characters of 'b'
+ * isn't '.', then it can't be a match (this lets us avoid
+ * having "foobar.com" match "bar.com").
+ */
+ if (a[diff - 1] != '.')
+ return (0);
+
+ /*
+ * We're not sure about that '.', however. It could be escaped
+ * and thus not a really a label separator.
+ */
+ escaped = 0;
+ for (i = diff - 2; i >= 0; i--)
+ if (a[i] == '\\') {
+ if (escaped)
+ escaped = 0;
+ else
+ escaped = 1;
+ } else
+ break;
+ if (escaped)
+ return (0);
+
+ /* Now compare aligned trailing substring. */
+ cp = a + diff;
+ return (strncasecmp(cp, b, lb) == 0);
+}
+
+/*
+ * int
+ * ns_subdomain(a, b)
+ * is "a" a subdomain of "b"?
+ */
+int
+ns_subdomain(const char *a, const char *b) {
+ return (ns_samename(a, b) != 1 && ns_samedomain(a, b));
+}
+
+/*
+ * int
+ * ns_makecanon(src, dst, dstsize)
+ * make a canonical copy of domain name "src"
+ * notes:
+ * foo -> foo.
+ * foo. -> foo.
+ * foo.. -> foo.
+ * foo\. -> foo\..
+ * foo\\. -> foo\\.
+ */
+
+int
+ns_makecanon(const char *src, char *dst, size_t dstsize) {
+ size_t n = strlen(src);
+
+ if (n + sizeof "." > dstsize) { /* Note: sizeof == 2 */
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ strcpy(dst, src);
+ while (n >= 1U && dst[n - 1] == '.') /* Ends in "." */
+ if (n >= 2U && dst[n - 2] == '\\' && /* Ends in "\." */
+ (n < 3U || dst[n - 3] != '\\')) /* But not "\\." */
+ break;
+ else
+ dst[--n] = '\0';
+ dst[n++] = '.';
+ dst[n] = '\0';
+ return (0);
+}
+
+/*
+ * int
+ * ns_samename(a, b)
+ * determine whether domain name "a" is the same as domain name "b"
+ * return:
+ * -1 on error
+ * 0 if names differ
+ * 1 if names are the same
+ */
+
+int
+ns_samename(const char *a, const char *b) {
+ char ta[NS_MAXDNAME], tb[NS_MAXDNAME];
+
+ if (ns_makecanon(a, ta, sizeof ta) < 0 ||
+ ns_makecanon(b, tb, sizeof tb) < 0)
+ return (-1);
+ if (strcasecmp(ta, tb) == 0)
+ return (1);
+ else
+ return (0);
+}
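Review bot: ns_makecanon decides whether a trailing dot is escaped by looking at only the two preceding characters (`dst[n - 2]`, `dst[n - 3]`), while ns_samedomain in the same file counts the whole run of backslashes before the dot. For a name ending in an odd run of three or more backslashes followed by a dot, the dot is escaped but is stripped as if it were a separator. The result then gets no root dot appended, and ns_samename can report two spellings of the same name as different. Counting the backslash run, as the loops in ns_samedomain do, makes the two functions agree; the loop below would replace the `while` in ns_makecanon.

```c
	strcpy(dst, src);
	while (n >= 1U && dst[n - 1] == '.') {		/* Ends in "." */
		size_t i = n - 1, nbs = 0;

		/* Count the backslashes directly before the dot. */
		while (i > 0U && dst[i - 1] == '\\') {
			i--;
			nbs++;
		}
		if (nbs % 2U == 1U)			/* Odd run: dot is escaped. */
			break;
		dst[--n] = '\0';
	}
	/* … unchanged: append "." and terminate … */
```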
diff --git a/contrib/bind9/lib/bind/nameser/ns_sign.c b/contrib/bind9/lib/bind/nameser/ns_sign.c
new file mode 100644
index 0000000..56248a5
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_sign.c
@@ -0,0 +1,380 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_sign.c,v 1.1.2.2.4.1 2004/03/09 08:33:45 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/dst.h>
+#include <isc/assertions.h>
+
+#include "port_after.h"
+
+#define BOUNDS_CHECK(ptr, count) \
+ do { \
+ if ((ptr) + (count) > eob) { \
+ errno = EMSGSIZE; \
+ return(NS_TSIG_ERROR_NO_SPACE); \
+ } \
+ } while (0)
+
+/* ns_sign
+ * Parameters:
+ * msg message to be sent
+ * msglen input - length of message
+ * output - length of signed message
+ * msgsize length of buffer containing message
+ * error value to put in the error field
+ * key tsig key used for signing
+ * querysig (response), the signature in the query
+ * querysiglen (response), the length of the signature in the query
+ * sig a buffer to hold the generated signature
+ * siglen input - length of signature buffer
+ * output - length of signature
+ *
+ * Errors:
+ * - bad input data (-1)
+ * - bad key / sign failed (-BADKEY)
+ * - not enough space (NS_TSIG_ERROR_NO_SPACE)
+ */
+int
+ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
+ const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
+ time_t in_timesigned)
+{
+ return(ns_sign2(msg, msglen, msgsize, error, k,
+ querysig, querysiglen, sig, siglen,
+ in_timesigned, NULL, NULL));
+}
+
+int
+ns_sign2(u_char *msg, int *msglen, int msgsize, int error, void *k,
+ const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
+ time_t in_timesigned, u_char **dnptrs, u_char **lastdnptr)
+{
+ HEADER *hp = (HEADER *)msg;
+ DST_KEY *key = (DST_KEY *)k;
+ u_char *cp = msg + *msglen, *eob = msg + msgsize;
+ u_char *lenp;
+ u_char *alg;
+ int n;
+ time_t timesigned;
+ u_char name[NS_MAXCDNAME];
+
+ dst_init();
+ if (msg == NULL || msglen == NULL || sig == NULL || siglen == NULL)
+ return (-1);
+
+ /* Name. */
+ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+ n = ns_name_pton(key->dk_key_name, name, sizeof name);
+ if (n != -1)
+ n = ns_name_pack(name, cp, eob - cp,
+ (const u_char **)dnptrs,
+ (const u_char **)lastdnptr);
+
+ } else {
+ n = ns_name_pton("", name, sizeof name);
+ if (n != -1)
+ n = ns_name_pack(name, cp, eob - cp, NULL, NULL);
+ }
+ if (n < 0)
+ return (NS_TSIG_ERROR_NO_SPACE);
+ cp += n;
+
+ /* Type, class, ttl, length (not filled in yet). */
+ BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
+ PUTSHORT(ns_t_tsig, cp);
+ PUTSHORT(ns_c_any, cp);
+ PUTLONG(0, cp); /* TTL */
+ lenp = cp;
+ cp += 2;
+
+ /* Alg. */
+ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+ if (key->dk_alg != KEY_HMAC_MD5)
+ return (-ns_r_badkey);
+ n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
+ }
+ else
+ n = dn_comp("", cp, eob - cp, NULL, NULL);
+ if (n < 0)
+ return (NS_TSIG_ERROR_NO_SPACE);
+ alg = cp;
+ cp += n;
+
+ /* Time. */
+ BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+ PUTSHORT(0, cp);
+ timesigned = time(NULL);
+ if (error != ns_r_badtime)
+ PUTLONG(timesigned, cp);
+ else
+ PUTLONG(in_timesigned, cp);
+ PUTSHORT(NS_TSIG_FUDGE, cp);
+
+ /* Compute the signature. */
+ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+ void *ctx;
+ u_char buf[NS_MAXCDNAME], *cp2;
+ int n;
+
+ dst_sign_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
+
+ /* Digest the query signature, if this is a response. */
+ if (querysiglen > 0 && querysig != NULL) {
+ u_int16_t len_n = htons(querysiglen);
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+ (u_char *)&len_n, INT16SZ, NULL, 0);
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx,
+ querysig, querysiglen, NULL, 0);
+ }
+
+ /* Digest the message. */
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx, msg, *msglen,
+ NULL, 0);
+
+ /* Digest the key name. */
+ n = ns_name_ntol(name, buf, sizeof(buf));
+ INSIST(n > 0);
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+ /* Digest the class and TTL. */
+ cp2 = buf;
+ PUTSHORT(ns_c_any, cp2);
+ PUTLONG(0, cp2);
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
+ NULL, 0);
+
+ /* Digest the algorithm. */
+ n = ns_name_ntol(alg, buf, sizeof(buf));
+ INSIST(n > 0);
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+ /* Digest the time signed, fudge, error, and other data */
+ cp2 = buf;
+ PUTSHORT(0, cp2); /* Top 16 bits of time */
+ if (error != ns_r_badtime)
+ PUTLONG(timesigned, cp2);
+ else
+ PUTLONG(in_timesigned, cp2);
+ PUTSHORT(NS_TSIG_FUDGE, cp2);
+ PUTSHORT(error, cp2); /* Error */
+ if (error != ns_r_badtime)
+ PUTSHORT(0, cp2); /* Other data length */
+ else {
+ PUTSHORT(INT16SZ+INT32SZ, cp2); /* Other data length */
+ PUTSHORT(0, cp2); /* Top 16 bits of time */
+ PUTLONG(timesigned, cp2);
+ }
+ dst_sign_data(SIG_MODE_UPDATE, key, &ctx, buf, cp2-buf,
+ NULL, 0);
+
+ n = dst_sign_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
+ sig, *siglen);
+ if (n < 0)
+ return (-ns_r_badkey);
+ *siglen = n;
+ } else
+ *siglen = 0;
+
+ /* Add the signature. */
+ BOUNDS_CHECK(cp, INT16SZ + (*siglen));
+ PUTSHORT(*siglen, cp);
+ memcpy(cp, sig, *siglen);
+ cp += (*siglen);
+
+ /* The original message ID & error. */
+ BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
+ PUTSHORT(ntohs(hp->id), cp); /* already in network order */
+ PUTSHORT(error, cp);
+
+ /* Other data. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ if (error != ns_r_badtime)
+ PUTSHORT(0, cp); /* Other data length */
+ else {
+ PUTSHORT(INT16SZ+INT32SZ, cp); /* Other data length */
+ BOUNDS_CHECK(cp, INT32SZ+INT16SZ);
+ PUTSHORT(0, cp); /* Top 16 bits of time */
+ PUTLONG(timesigned, cp);
+ }
+
+ /* Go back and fill in the length. */
+ PUTSHORT(cp - lenp - INT16SZ, lenp);
+
+ hp->arcount = htons(ntohs(hp->arcount) + 1);
+ *msglen = (cp - msg);
+ return (0);
+}
+
+int
+ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
+ ns_tcp_tsig_state *state)
+{
+ dst_init();
+ if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
+ return (-1);
+ state->counter = -1;
+ state->key = k;
+ if (state->key->dk_alg != KEY_HMAC_MD5)
+ return (-ns_r_badkey);
+ if (querysiglen > (int)sizeof(state->sig))
+ return (-1);
+ memcpy(state->sig, querysig, querysiglen);
+ state->siglen = querysiglen;
+ return (0);
+}
+
+int
+ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
+ ns_tcp_tsig_state *state, int done)
+{
+ return (ns_sign_tcp2(msg, msglen, msgsize, error, state,
+ done, NULL, NULL));
+}
+
+int
+ns_sign_tcp2(u_char *msg, int *msglen, int msgsize, int error,
+ ns_tcp_tsig_state *state, int done,
+ u_char **dnptrs, u_char **lastdnptr)
+{
+ u_char *cp, *eob, *lenp;
+ u_char buf[MAXDNAME], *cp2;
+ HEADER *hp = (HEADER *)msg;
+ time_t timesigned;
+ int n;
+
+ if (msg == NULL || msglen == NULL || state == NULL)
+ return (-1);
+
+ state->counter++;
+ if (state->counter == 0)
+ return (ns_sign2(msg, msglen, msgsize, error, state->key,
+ state->sig, state->siglen,
+ state->sig, &state->siglen, 0,
+ dnptrs, lastdnptr));
+
+ if (state->siglen > 0) {
+ u_int16_t siglen_n = htons(state->siglen);
+ dst_sign_data(SIG_MODE_INIT, state->key, &state->ctx,
+ NULL, 0, NULL, 0);
+ dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ (u_char *)&siglen_n, INT16SZ, NULL, 0);
+ dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ state->sig, state->siglen, NULL, 0);
+ state->siglen = 0;
+ }
+
+ dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx, msg, *msglen,
+ NULL, 0);
+
+ if (done == 0 && (state->counter % 100 != 0))
+ return (0);
+
+ cp = msg + *msglen;
+ eob = msg + msgsize;
+
+ /* Name. */
+ n = dn_comp(state->key->dk_key_name, cp, eob - cp, dnptrs, lastdnptr);
+ if (n < 0)
+ return (NS_TSIG_ERROR_NO_SPACE);
+ cp += n;
+
+ /* Type, class, ttl, length (not filled in yet). */
+ BOUNDS_CHECK(cp, INT16SZ + INT16SZ + INT32SZ + INT16SZ);
+ PUTSHORT(ns_t_tsig, cp);
+ PUTSHORT(ns_c_any, cp);
+ PUTLONG(0, cp); /* TTL */
+ lenp = cp;
+ cp += 2;
+
+ /* Alg. */
+ n = dn_comp(NS_TSIG_ALG_HMAC_MD5, cp, eob - cp, NULL, NULL);
+ if (n < 0)
+ return (NS_TSIG_ERROR_NO_SPACE);
+ cp += n;
+
+ /* Time. */
+ BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+ PUTSHORT(0, cp);
+ timesigned = time(NULL);
+ PUTLONG(timesigned, cp);
+ PUTSHORT(NS_TSIG_FUDGE, cp);
+
+ /*
+ * Compute the signature.
+ */
+
+ /* Digest the time signed and fudge. */
+ cp2 = buf;
+ PUTSHORT(0, cp2); /* Top 16 bits of time */
+ PUTLONG(timesigned, cp2);
+ PUTSHORT(NS_TSIG_FUDGE, cp2);
+
+ dst_sign_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ buf, cp2 - buf, NULL, 0);
+
+ n = dst_sign_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
+ state->sig, sizeof(state->sig));
+ if (n < 0)
+ return (-ns_r_badkey);
+ state->siglen = n;
+
+ /* Add the signature. */
+ BOUNDS_CHECK(cp, INT16SZ + state->siglen);
+ PUTSHORT(state->siglen, cp);
+ memcpy(cp, state->sig, state->siglen);
+ cp += state->siglen;
+
+ /* The original message ID & error. */
+ BOUNDS_CHECK(cp, INT16SZ + INT16SZ);
+ PUTSHORT(ntohs(hp->id), cp); /* already in network order */
+ PUTSHORT(error, cp);
+
+ /* Other data. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ PUTSHORT(0, cp);
+
+ /* Go back and fill in the length. */
+ PUTSHORT(cp - lenp - INT16SZ, lenp);
+
+ hp->arcount = htons(ntohs(hp->arcount) + 1);
+ *msglen = (cp - msg);
+ return (0);
+}
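Review bot: In ns_sign2 the initializer `u_char *cp = msg + *msglen` dereferences `msglen` before the `msg == NULL || msglen == NULL` test a few lines later, so the guard cannot protect against the NULL it checks for. ns_verify_tcp in ns_verify.c has the same pattern in `eom = msg + *msglen`. Declare the pointers without initializers and assign them after the check: `cp = msg + *msglen; eob = msg + msgsize;`. A range check belongs at the same spot, since nothing visible rejects a negative `*msglen` or one larger than `msgsize` before `eob - cp` is passed on as a size: `if (*msglen < 0 || *msglen > msgsize) return (-1);`.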
diff --git a/contrib/bind9/lib/bind/nameser/ns_ttl.c b/contrib/bind9/lib/bind/nameser/ns_ttl.c
new file mode 100644
index 0000000..368b05a
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_ttl.c
@@ -0,0 +1,159 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_ttl.c,v 1.1.206.1 2004/03/09 08:33:45 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) ((size_t)sprintf x)
+#endif
+
+/* Forward. */
+
+static int fmt1(int t, char s, char **buf, size_t *buflen);
+
+/* Macros. */
+
+#define T(x) if ((x) < 0) return (-1); else (void)NULL
+
+/* Public. */
+
+int
+ns_format_ttl(u_long src, char *dst, size_t dstlen) {
+ char *odst = dst;
+ int secs, mins, hours, days, weeks, x;
+ char *p;
+
+ secs = src % 60; src /= 60;
+ mins = src % 60; src /= 60;
+ hours = src % 24; src /= 24;
+ days = src % 7; src /= 7;
+ weeks = src; src = 0;
+
+ x = 0;
+ if (weeks) {
+ T(fmt1(weeks, 'W', &dst, &dstlen));
+ x++;
+ }
+ if (days) {
+ T(fmt1(days, 'D', &dst, &dstlen));
+ x++;
+ }
+ if (hours) {
+ T(fmt1(hours, 'H', &dst, &dstlen));
+ x++;
+ }
+ if (mins) {
+ T(fmt1(mins, 'M', &dst, &dstlen));
+ x++;
+ }
+ if (secs || !(weeks || days || hours || mins)) {
+ T(fmt1(secs, 'S', &dst, &dstlen));
+ x++;
+ }
+
+ if (x > 1) {
+ int ch;
+
+ for (p = odst; (ch = *p) != '\0'; p++)
+ if (isascii(ch) && isupper(ch))
+ *p = tolower(ch);
+ }
+
+ return (dst - odst);
+}
+
+int
+ns_parse_ttl(const char *src, u_long *dst) {
+ u_long ttl, tmp;
+ int ch, digits, dirty;
+
+ ttl = 0;
+ tmp = 0;
+ digits = 0;
+ dirty = 0;
+ while ((ch = *src++) != '\0') {
+ if (!isascii(ch) || !isprint(ch))
+ goto einval;
+ if (isdigit(ch)) {
+ tmp *= 10;
+ tmp += (ch - '0');
+ digits++;
+ continue;
+ }
+ if (digits == 0)
+ goto einval;
+ if (islower(ch))
+ ch = toupper(ch);
+ switch (ch) {
+ case 'W': tmp *= 7;
+ case 'D': tmp *= 24;
+ case 'H': tmp *= 60;
+ case 'M': tmp *= 60;
+ case 'S': break;
+ default: goto einval;
+ }
+ ttl += tmp;
+ tmp = 0;
+ digits = 0;
+ dirty = 1;
+ }
+ if (digits > 0) {
+ if (dirty)
+ goto einval;
+ else
+ ttl += tmp;
+ }
+ *dst = ttl;
+ return (0);
+
+ einval:
+ errno = EINVAL;
+ return (-1);
+}
+
+/* Private. */
+
+static int
+fmt1(int t, char s, char **buf, size_t *buflen) {
+ char tmp[50];
+ size_t len;
+
+ len = SPRINTF((tmp, "%d%c", t, s));
+ if (len + 1 > *buflen)
+ return (-1);
+ strcpy(*buf, tmp);
+ *buf += len;
+ *buflen -= len;
+ return (0);
+}
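Review bot: ns_parse_ttl accumulates digits with `tmp *= 10; tmp += (ch - '0');` and then applies the unit multipliers and `ttl += tmp` with no range check, so an over-long number wraps around `u_long` and the function still returns 0 with a wrong TTL. The value comes from text input, so it should be rejected instead: before the multiply, `if (tmp > (0xffffffffUL - (u_long)(ch - '0')) / 10) goto einval;`, with the unit multiplications and the running sum bounded against the same 32-bit limit. ns_format_ttl has the mirror issue where `u_long` is wider than `int`, because `weeks = src` is stored in an `int` and then printed with `%d`.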
diff --git a/contrib/bind9/lib/bind/nameser/ns_verify.c b/contrib/bind9/lib/bind/nameser/ns_verify.c
new file mode 100644
index 0000000..7ee00a6
--- /dev/null
+++ b/contrib/bind9/lib/bind/nameser/ns_verify.c
@@ -0,0 +1,480 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef lint
+static const char rcsid[] = "$Id: ns_verify.c,v 1.1.206.1 2004/03/09 08:33:45 marka Exp $";
+#endif
+
+/* Import. */
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <isc/dst.h>
+
+#include "port_after.h"
+
+/* Private. */
+
+#define BOUNDS_CHECK(ptr, count) \
+ do { \
+ if ((ptr) + (count) > eom) { \
+ return (NS_TSIG_ERROR_FORMERR); \
+ } \
+ } while (0)
+
+/* Public. */
+
+u_char *
+ns_find_tsig(u_char *msg, u_char *eom) {
+ HEADER *hp = (HEADER *)msg;
+ int n, type;
+ u_char *cp = msg, *start;
+
+ if (msg == NULL || eom == NULL || msg > eom)
+ return (NULL);
+
+ if (cp + HFIXEDSZ >= eom)
+ return (NULL);
+
+ if (hp->arcount == 0)
+ return (NULL);
+
+ cp += HFIXEDSZ;
+
+ n = ns_skiprr(cp, eom, ns_s_qd, ntohs(hp->qdcount));
+ if (n < 0)
+ return (NULL);
+ cp += n;
+
+ n = ns_skiprr(cp, eom, ns_s_an, ntohs(hp->ancount));
+ if (n < 0)
+ return (NULL);
+ cp += n;
+
+ n = ns_skiprr(cp, eom, ns_s_ns, ntohs(hp->nscount));
+ if (n < 0)
+ return (NULL);
+ cp += n;
+
+ n = ns_skiprr(cp, eom, ns_s_ar, ntohs(hp->arcount) - 1);
+ if (n < 0)
+ return (NULL);
+ cp += n;
+
+ start = cp;
+ n = dn_skipname(cp, eom);
+ if (n < 0)
+ return (NULL);
+ cp += n;
+ if (cp + INT16SZ >= eom)
+ return (NULL);
+
+ GETSHORT(type, cp);
+ if (type != ns_t_tsig)
+ return (NULL);
+ return (start);
+}
+
+/* ns_verify
+ * Parameters:
+ * statp res stuff
+ * msg received message
+ * msglen length of message
+ * key tsig key used for verifying.
+ * querysig (response), the signature in the query
+ * querysiglen (response), the length of the signature in the query
+ * sig (query), a buffer to hold the signature
+ * siglen (query), input - length of signature buffer
+ * output - length of signature
+ *
+ * Errors:
+ * - bad input (-1)
+ * - invalid dns message (NS_TSIG_ERROR_FORMERR)
+ * - TSIG is not present (NS_TSIG_ERROR_NO_TSIG)
+ * - key doesn't match (-ns_r_badkey)
+ * - TSIG verification fails with BADKEY (-ns_r_badkey)
+ * - TSIG verification fails with BADSIG (-ns_r_badsig)
+ * - TSIG verification fails with BADTIME (-ns_r_badtime)
+ * - TSIG verification succeeds, error set to BAKEY (ns_r_badkey)
+ * - TSIG verification succeeds, error set to BADSIG (ns_r_badsig)
+ * - TSIG verification succeeds, error set to BADTIME (ns_r_badtime)
+ */
+int
+ns_verify(u_char *msg, int *msglen, void *k,
+ const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
+ time_t *timesigned, int nostrip)
+{
+ HEADER *hp = (HEADER *)msg;
+ DST_KEY *key = (DST_KEY *)k;
+ u_char *cp = msg, *eom;
+ char name[MAXDNAME], alg[MAXDNAME];
+ u_char *recstart, *rdatastart;
+ u_char *sigstart, *otherstart;
+ int n;
+ int error;
+ u_int16_t type, length;
+ u_int16_t fudge, sigfieldlen, id, otherfieldlen;
+
+ dst_init();
+ if (msg == NULL || msglen == NULL || *msglen < 0)
+ return (-1);
+
+ eom = msg + *msglen;
+
+ recstart = ns_find_tsig(msg, eom);
+ if (recstart == NULL)
+ return (NS_TSIG_ERROR_NO_TSIG);
+
+ cp = recstart;
+
+ /* Read the key name. */
+ n = dn_expand(msg, eom, cp, name, MAXDNAME);
+ if (n < 0)
+ return (NS_TSIG_ERROR_FORMERR);
+ cp += n;
+
+ /* Read the type. */
+ BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
+ GETSHORT(type, cp);
+ if (type != ns_t_tsig)
+ return (NS_TSIG_ERROR_NO_TSIG);
+
+ /* Skip the class and TTL, save the length. */
+ cp += INT16SZ + INT32SZ;
+ GETSHORT(length, cp);
+ if (eom - cp != length)
+ return (NS_TSIG_ERROR_FORMERR);
+
+ /* Read the algorithm name. */
+ rdatastart = cp;
+ n = dn_expand(msg, eom, cp, alg, MAXDNAME);
+ if (n < 0)
+ return (NS_TSIG_ERROR_FORMERR);
+ if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+ return (-ns_r_badkey);
+ cp += n;
+
+ /* Read the time signed and fudge. */
+ BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+ cp += INT16SZ;
+ GETLONG((*timesigned), cp);
+ GETSHORT(fudge, cp);
+
+ /* Read the signature. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ GETSHORT(sigfieldlen, cp);
+ BOUNDS_CHECK(cp, sigfieldlen);
+ sigstart = cp;
+ cp += sigfieldlen;
+
+ /* Read the original id and error. */
+ BOUNDS_CHECK(cp, 2*INT16SZ);
+ GETSHORT(id, cp);
+ GETSHORT(error, cp);
+
+ /* Parse the other data. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ GETSHORT(otherfieldlen, cp);
+ BOUNDS_CHECK(cp, otherfieldlen);
+ otherstart = cp;
+ cp += otherfieldlen;
+
+ if (cp != eom)
+ return (NS_TSIG_ERROR_FORMERR);
+
+ /* Verify that the key used is OK. */
+ if (key != NULL) {
+ if (key->dk_alg != KEY_HMAC_MD5)
+ return (-ns_r_badkey);
+ if (error != ns_r_badsig && error != ns_r_badkey) {
+ if (ns_samename(key->dk_key_name, name) != 1)
+ return (-ns_r_badkey);
+ }
+ }
+
+ hp->arcount = htons(ntohs(hp->arcount) - 1);
+
+ /*
+ * Do the verification.
+ */
+
+ if (key != NULL && error != ns_r_badsig && error != ns_r_badkey) {
+ void *ctx;
+ u_char buf[MAXDNAME];
+ u_char buf2[MAXDNAME];
+
+ /* Digest the query signature, if this is a response. */
+ dst_verify_data(SIG_MODE_INIT, key, &ctx, NULL, 0, NULL, 0);
+ if (querysiglen > 0 && querysig != NULL) {
+ u_int16_t len_n = htons(querysiglen);
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+ (u_char *)&len_n, INT16SZ, NULL, 0);
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+ querysig, querysiglen, NULL, 0);
+ }
+
+ /* Digest the message. */
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx, msg, recstart - msg,
+ NULL, 0);
+
+ /* Digest the key name. */
+ n = ns_name_pton(name, buf2, sizeof(buf2));
+ if (n < 0)
+ return (-1);
+ n = ns_name_ntol(buf2, buf, sizeof(buf));
+ if (n < 0)
+ return (-1);
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+ /* Digest the class and TTL. */
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+ recstart + dn_skipname(recstart, eom) + INT16SZ,
+ INT16SZ + INT32SZ, NULL, 0);
+
+ /* Digest the algorithm. */
+ n = ns_name_pton(alg, buf2, sizeof(buf2));
+ if (n < 0)
+ return (-1);
+ n = ns_name_ntol(buf2, buf, sizeof(buf));
+ if (n < 0)
+ return (-1);
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx, buf, n, NULL, 0);
+
+ /* Digest the time signed and fudge. */
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+ rdatastart + dn_skipname(rdatastart, eom),
+ INT16SZ + INT32SZ + INT16SZ, NULL, 0);
+
+ /* Digest the error and other data. */
+ dst_verify_data(SIG_MODE_UPDATE, key, &ctx,
+ otherstart - INT16SZ - INT16SZ,
+ otherfieldlen + INT16SZ + INT16SZ, NULL, 0);
+
+ n = dst_verify_data(SIG_MODE_FINAL, key, &ctx, NULL, 0,
+ sigstart, sigfieldlen);
+
+ if (n < 0)
+ return (-ns_r_badsig);
+
+ if (sig != NULL && siglen != NULL) {
+ if (*siglen < sigfieldlen)
+ return (NS_TSIG_ERROR_NO_SPACE);
+ memcpy(sig, sigstart, sigfieldlen);
+ *siglen = sigfieldlen;
+ }
+ } else {
+ if (sigfieldlen > 0)
+ return (NS_TSIG_ERROR_FORMERR);
+ if (sig != NULL && siglen != NULL)
+ *siglen = 0;
+ }
+
+ /* Reset the counter, since we still need to check for badtime. */
+ hp->arcount = htons(ntohs(hp->arcount) + 1);
+
+ /* Verify the time. */
+ if (abs((*timesigned) - time(NULL)) > fudge)
+ return (-ns_r_badtime);
+
+ if (nostrip == 0) {
+ *msglen = recstart - msg;
+ hp->arcount = htons(ntohs(hp->arcount) - 1);
+ }
+
+ if (error != NOERROR)
+ return (error);
+
+ return (0);
+}
+
+int
+ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
+ ns_tcp_tsig_state *state)
+{
+ dst_init();
+ if (state == NULL || k == NULL || querysig == NULL || querysiglen < 0)
+ return (-1);
+ state->counter = -1;
+ state->key = k;
+ if (state->key->dk_alg != KEY_HMAC_MD5)
+ return (-ns_r_badkey);
+ if (querysiglen > (int)sizeof(state->sig))
+ return (-1);
+ memcpy(state->sig, querysig, querysiglen);
+ state->siglen = querysiglen;
+ return (0);
+}
+
+int
+ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
+ int required)
+{
+ HEADER *hp = (HEADER *)msg;
+ u_char *recstart, *rdatastart, *sigstart;
+ unsigned int sigfieldlen, otherfieldlen;
+ u_char *cp, *eom = msg + *msglen, *cp2;
+ char name[MAXDNAME], alg[MAXDNAME];
+ u_char buf[MAXDNAME];
+ int n, type, length, fudge, id, error;
+ time_t timesigned;
+
+ if (msg == NULL || msglen == NULL || state == NULL)
+ return (-1);
+
+ state->counter++;
+ if (state->counter == 0)
+ return (ns_verify(msg, msglen, state->key,
+ state->sig, state->siglen,
+ state->sig, &state->siglen, &timesigned, 0));
+
+ if (state->siglen > 0) {
+ u_int16_t siglen_n = htons(state->siglen);
+
+ dst_verify_data(SIG_MODE_INIT, state->key, &state->ctx,
+ NULL, 0, NULL, 0);
+ dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ (u_char *)&siglen_n, INT16SZ, NULL, 0);
+ dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ state->sig, state->siglen, NULL, 0);
+ state->siglen = 0;
+ }
+
+ cp = recstart = ns_find_tsig(msg, eom);
+
+ if (recstart == NULL) {
+ if (required)
+ return (NS_TSIG_ERROR_NO_TSIG);
+ dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ msg, *msglen, NULL, 0);
+ return (0);
+ }
+
+ hp->arcount = htons(ntohs(hp->arcount) - 1);
+ dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ msg, recstart - msg, NULL, 0);
+
+ /* Read the key name. */
+ n = dn_expand(msg, eom, cp, name, MAXDNAME);
+ if (n < 0)
+ return (NS_TSIG_ERROR_FORMERR);
+ cp += n;
+
+ /* Read the type. */
+ BOUNDS_CHECK(cp, 2*INT16SZ + INT32SZ + INT16SZ);
+ GETSHORT(type, cp);
+ if (type != ns_t_tsig)
+ return (NS_TSIG_ERROR_NO_TSIG);
+
+ /* Skip the class and TTL, save the length. */
+ cp += INT16SZ + INT32SZ;
+ GETSHORT(length, cp);
+ if (eom - cp != length)
+ return (NS_TSIG_ERROR_FORMERR);
+
+ /* Read the algorithm name. */
+ rdatastart = cp;
+ n = dn_expand(msg, eom, cp, alg, MAXDNAME);
+ if (n < 0)
+ return (NS_TSIG_ERROR_FORMERR);
+ if (ns_samename(alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+ return (-ns_r_badkey);
+ cp += n;
+
+ /* Verify that the key used is OK. */
+ if ((ns_samename(state->key->dk_key_name, name) != 1 ||
+ state->key->dk_alg != KEY_HMAC_MD5))
+ return (-ns_r_badkey);
+
+ /* Read the time signed and fudge. */
+ BOUNDS_CHECK(cp, INT16SZ + INT32SZ + INT16SZ);
+ cp += INT16SZ;
+ GETLONG(timesigned, cp);
+ GETSHORT(fudge, cp);
+
+ /* Read the signature. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ GETSHORT(sigfieldlen, cp);
+ BOUNDS_CHECK(cp, sigfieldlen);
+ sigstart = cp;
+ cp += sigfieldlen;
+
+ /* Read the original id and error. */
+ BOUNDS_CHECK(cp, 2*INT16SZ);
+ GETSHORT(id, cp);
+ GETSHORT(error, cp);
+
+ /* Parse the other data. */
+ BOUNDS_CHECK(cp, INT16SZ);
+ GETSHORT(otherfieldlen, cp);
+ BOUNDS_CHECK(cp, otherfieldlen);
+ cp += otherfieldlen;
+
+ if (cp != eom)
+ return (NS_TSIG_ERROR_FORMERR);
+
+ /*
+ * Do the verification.
+ */
+
+ /* Digest the time signed and fudge. */
+ cp2 = buf;
+ PUTSHORT(0, cp2); /* Top 16 bits of time. */
+ PUTLONG(timesigned, cp2);
+ PUTSHORT(NS_TSIG_FUDGE, cp2);
+
+ dst_verify_data(SIG_MODE_UPDATE, state->key, &state->ctx,
+ buf, cp2 - buf, NULL, 0);
+
+ n = dst_verify_data(SIG_MODE_FINAL, state->key, &state->ctx, NULL, 0,
+ sigstart, sigfieldlen);
+ if (n < 0)
+ return (-ns_r_badsig);
+
+ if (sigfieldlen > sizeof(state->sig))
+ return (NS_TSIG_ERROR_NO_SPACE);
+
+ memcpy(state->sig, sigstart, sigfieldlen);
+ state->siglen = sigfieldlen;
+
+ /* Verify the time. */
+ if (abs(timesigned - time(NULL)) > fudge)
+ return (-ns_r_badtime);
+
+ *msglen = recstart - msg;
+
+ if (error != NOERROR)
+ return (error);
+
+ return (0);
+}
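Review bot: In ns_verify_tcp the freshness test `abs(timesigned - time(NULL)) > fudge` uses the `fudge` value read from the message, but the digest is built with `PUTSHORT(NS_TSIG_FUDGE, cp2)`, so the fudge field on the wire is not covered by the signature being verified. A changed fudge would therefore not fail verification, as far as this hunk shows. ns_verify digests the timer bytes as received, which keeps the window authenticated; doing the same here is a one-line change, `PUTSHORT(fudge, cp2);`. Both functions also pass a `time_t` difference to `abs()`, which takes an `int`, and ns_verify dereferences `timesigned` without a NULL check although it checks `msg` and `msglen`.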
diff --git a/contrib/bind9/lib/bind/port/Makefile.in b/contrib/bind9/lib/bind/port/Makefile.in
new file mode 100644
index 0000000..99e5985
--- /dev/null
+++ b/contrib/bind9/lib/bind/port/Makefile.in
@@ -0,0 +1,14 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/lib/bind/port/freebsd/Makefile.in b/contrib/bind9/lib/bind/port/freebsd/Makefile.in
new file mode 100644
index 0000000..99e5985
--- /dev/null
+++ b/contrib/bind9/lib/bind/port/freebsd/Makefile.in
@@ -0,0 +1,14 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
diff --git a/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in b/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
new file mode 100644
index 0000000..c18acf2
--- /dev/null
+++ b/contrib/bind9/lib/bind/port/freebsd/include/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.206.1 2004/03/15 01:02:47 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+HEADERS= sys/bitypes.h
+
+all:
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/sys
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/sys; \
+ done
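Review bot: The `install::` loop discards the exit status of every `${INSTALL_DATA}` call except the last, so a failed copy of an earlier header would not stop `make install`. With the single entry in `HEADERS` today this is harmless, but appending `|| exit 1` to the command, as in `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/sys || exit 1; \`, keeps the rule correct when the list grows. `includedir`, `INSTALL_DATA` and `DESTDIR` are presumably supplied by the `@BIND9_MAKE_RULES@` substitution, which is not visible in this hunk.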
diff --git a/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h b/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h
new file mode 100644
index 0000000..ef3a6d4
--- /dev/null
+++ b/contrib/bind9/lib/bind/port/freebsd/include/sys/bitypes.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef __BIT_TYPES_DEFINED__
+#define __BIT_TYPES_DEFINED__
+
+ /*
+ * Basic integral types. Omit the typedef if
+ * not possible for a machine/compiler combination.
+ */
+ typedef /*signed*/ char int8_t;
+ typedef unsigned char u_int8_t;
+ typedef short int16_t;
+ typedef unsigned short u_int16_t;
+ typedef int int32_t;
+ typedef unsigned int u_int32_t;
+
+# if 0 /* don't fight with these unless you need them */
+ typedef long long int64_t;
+ typedef unsigned long long u_int64_t;
+# endif
+
+#endif /* __BIT_TYPES_DEFINED__ */
diff --git a/contrib/bind9/lib/bind/port_after.h.in b/contrib/bind9/lib/bind/port_after.h.in
new file mode 100644
index 0000000..6d5f4dc
--- /dev/null
+++ b/contrib/bind9/lib/bind/port_after.h.in
@@ -0,0 +1,395 @@
+#ifndef port_after_h
+#define port_after_h
+
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/param.h>
+#if (!defined(BSD)) || (BSD < 199306)
+#include <sys/bitypes.h>
+#endif
+
+@NEED_PSELECT@
+@HAVE_SA_LEN@
+@HAVE_MINIMUM_IFREQ@
+@NEED_DAEMON@
+@NEED_STRSEP@
+@NEED_STRERROR@
+@HAS_INET6_STRUCTS@
+@HAVE_SIN6_SCOPE_ID@
+@NEED_IN6ADDR_ANY@
+@HAS_IN_ADDR6@
+@HAVE_SOCKADDR_STORAGE@
+@NEED_GETTIMEOFDAY@
+@HAVE_STRNDUP@
+@USE_FIONBIO_IOCTL@
+@USE_SYSERROR_LIST@
+@INNETGR_ARGS@
+@SETNETGRENT_ARGS@
+@USE_IFNAMELINKID@
+
+/* XXX sunos and cygwin needs O_NDELAY */
+#define PORT_NONBLOCK O_NONBLOCK
+
+/*
+ * We need to know the IPv6 address family number even on IPv4-only systems.
+ * Note that this is NOT a protocol constant, and that if the system has its
+ * own AF_INET6, different from ours below, all of BIND's libraries and
+ * executables will need to be recompiled after the system <sys/socket.h>
+ * has had this type added. The type number below is correct on most BSD-
+ * derived systems for which AF_INET6 is defined.
+ */
+#ifndef AF_INET6
+#define AF_INET6 24
+#endif
+
+#ifndef PF_INET6
+#define PF_INET6 AF_INET6
+#endif
+
+#ifdef HAS_IN_ADDR6
+/* Map to pre-RFC structure. */
+#define in6_addr in_addr6
+#endif
+
+#ifndef HAS_INET6_STRUCTS
+/* Replace with structure from later rev of O/S if known. */
+struct in6_addr {
+ u_int8_t s6_addr[16];
+};
+
+#define IN6ADDR_ANY_INIT \
+ {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}
+
+#define IN6ADDR_LOOPBACK_INIT \
+ {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}
+
+/* Replace with structure from later rev of O/S if known. */
+struct sockaddr_in6 {
+#ifdef HAVE_SA_LEN
+ u_int8_t sin6_len; /* length of this struct */
+ u_int8_t sin6_family; /* AF_INET6 */
+#else
+ u_int16_t sin6_family; /* AF_INET6 */
+#endif
+ u_int16_t sin6_port; /* transport layer port # */
+ u_int32_t sin6_flowinfo; /* IPv6 flow information */
+ struct in6_addr sin6_addr; /* IPv6 address */
+ u_int32_t sin6_scope_id; /* set of interfaces for a scope */
+};
+#endif /* HAS_INET6_STRUCTS */
+
+#ifdef BROKEN_IN6ADDR_INIT_MACROS
+#undef IN6ADDR_ANY_INIT
+#undef IN6ADDR_LOOPBACK_INIT
+#endif
+
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+#define IN6ADDR_ANY_INIT \
+ {{{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}}
+#else
+#define IN6ADDR_ANY_INIT \
+ {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }}
+#endif
+
+#endif
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+#define IN6ADDR_LOOPBACK_INIT \
+ {{{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}}
+#else
+#define IN6ADDR_LOOPBACK_INIT \
+ {{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, \
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }}
+#endif
+#endif
+
+#ifndef HAVE_SOCKADDR_STORAGE
+#define __SS_MAXSIZE 128
+#define __SS_ALLIGSIZE (sizeof (long))
+
+struct sockaddr_storage {
+#ifdef HAVE_SA_LEN
+ u_int8_t ss_len; /* address length */
+ u_int8_t ss_family; /* address family */
+ char __ss_pad1[__SS_ALLIGSIZE - 2 * sizeof(u_int8_t)];
+ long __ss_align;
+ char __ss_pad2[__SS_MAXSIZE - 2 * __SS_ALLIGSIZE];
+#else
+ u_int16_t ss_family; /* address family */
+ char __ss_pad1[__SS_ALLIGSIZE - sizeof(u_int16_t)];
+ long __ss_align;
+ char __ss_pad2[__SS_MAXSIZE - 2 * __SS_ALLIGSIZE];
+#endif
+};
+#endif
+
+
+#if !defined(HAS_INET6_STRUCTS) || defined(NEED_IN6ADDR_ANY)
+#define in6addr_any isc_in6addr_any
+extern const struct in6_addr in6addr_any;
+#endif
+
+/*
+ * IN6_ARE_ADDR_EQUAL, IN6_IS_ADDR_UNSPECIFIED, IN6_IS_ADDR_V4COMPAT and
+ * IN6_IS_ADDR_V4MAPPED are broken in glibc 2.1.
+ */
+#ifdef __GLIBC__
+#if __GLIBC__ < 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ < 2)
+#undef IN6_ARE_ADDR_EQUAL
+#undef IN6_IS_ADDR_UNSPECIFIED
+#undef IN6_IS_ADDR_V4COMPAT
+#undef IN6_IS_ADDR_V4MAPPED
+#endif
+#endif
+
+#ifndef IN6_ARE_ADDR_EQUAL
+#define IN6_ARE_ADDR_EQUAL(a,b) \
+ (memcmp(&(a)->s6_addr[0], &(b)->s6_addr[0], sizeof(struct in6_addr)) == 0)
+#endif
+
+#ifndef IN6_IS_ADDR_UNSPECIFIED
+#define IN6_IS_ADDR_UNSPECIFIED(a) \
+ IN6_ARE_ADDR_EQUAL(a, &in6addr_any)
+#endif
+
+#ifndef IN6_IS_ADDR_LOOPBACK
+extern const struct in6_addr isc_in6addr_loopback;
+#define IN6_IS_ADDR_LOOPBACK(a) \
+ IN6_ARE_ADDR_EQUAL(a, &isc_in6addr_loopback)
+#endif
+
+#ifndef IN6_IS_ADDR_V4MAPPED
+#define IN6_IS_ADDR_V4MAPPED(a) \
+ ((a)->s6_addr[0] == 0x00 && (a)->s6_addr[1] == 0x00 && \
+ (a)->s6_addr[2] == 0x00 && (a)->s6_addr[3] == 0x00 && \
+ (a)->s6_addr[4] == 0x00 && (a)->s6_addr[5] == 0x00 && \
+ (a)->s6_addr[6] == 0x00 && (a)->s6_addr[9] == 0x00 && \
+ (a)->s6_addr[8] == 0x00 && (a)->s6_addr[9] == 0x00 && \
+ (a)->s6_addr[10] == 0xff && (a)->s6_addr[11] == 0xff)
+#endif
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif
+
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif
+
+#ifndef IN6_IS_ADDR_MULTICAST
+#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xff)
+#endif
+
+#ifndef __IPV6_ADDR_MC_SCOPE
+#define __IPV6_ADDR_MC_SCOPE(a) ((a)->s6_addr[1] & 0x0f)
+#endif
+
+#ifndef __IPV6_ADDR_SCOPE_SITELOCAL
+#define __IPV6_ADDR_SCOPE_SITELOCAL 0x05
+#endif
+#ifndef __IPV6_ADDR_SCOPE_ORGLOCAL
+#define __IPV6_ADDR_SCOPE_ORGLOCAL 0x08
+#endif
+
+#ifndef IN6_IS_ADDR_MC_SITELOCAL
+#define IN6_IS_ADDR_MC_SITELOCAL(a) \
+ (IN6_IS_ADDR_MULTICAST(a) && \
+ (__IPV6_ADDR_MC_SCOPE(a) == __IPV6_ADDR_SCOPE_SITELOCAL))
+#endif
+
+#ifndef IN6_IS_ADDR_MC_ORGLOCAL
+#define IN6_IS_ADDR_MC_ORGLOCAL(a) \
+ (IN6_IS_ADDR_MULTICAST(a) && \
+ (__IPV6_ADDR_MC_SCOPE(a) == __IPV6_ADDR_SCOPE_ORGLOCAL))
+#endif
+
+#ifndef INADDR_NONE
+#define INADDR_NONE 0xffffffff
+#endif
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 256
+#endif
+
+#ifndef INET6_ADDRSTRLEN
+/* sizeof("aaaa:bbbb:cccc:dddd:eeee:ffff:123.123.123.123") */
+#define INET6_ADDRSTRLEN 46
+#endif
+
+#ifndef MIN
+#define MIN(x,y) (((x) <= (y)) ? (x) : (y))
+#endif
+
+#ifndef MAX
+#define MAX(x,y) (((x) >= (y)) ? (x) : (y))
+#endif
+
+#ifdef NEED_DAEMON
+int daemon(int nochdir, int noclose);
+#endif
+
+#ifdef NEED_STRSEP
+char * strsep(char **stringp, const char *delim);
+#endif
+
+#ifndef ALIGN
+#define ALIGN(p) (((unsigned int)(p) + (sizeof(int) - 1)) & ~(sizeof(int) - 1))
+#endif
+
+#ifdef NEED_SETGROUPENT
+int setgroupent(int stayopen);
+#endif
+
+#ifdef NEED_GETGROUPLIST
+int getgrouplist(GETGROUPLIST_ARGS);
+#endif
+
+#ifdef POSIX_GETGRNAM_R
+int
+__posix_getgrnam_r(const char *, struct group *, char *, int, struct group **);
+#endif
+
+#ifdef NEED_GETGRNAM_R
+int
+getgrnam_r(const char *, struct group *, char *, size_t, struct group **);
+#endif
+
+#ifdef POSIX_GETGRGID_R
+int
+__posix_getgrgid_r(gid_t, struct group *, char *, int, struct group **) ;
+#endif
+
+#ifdef NEED_GETGRGID_R
+int
+getgrgid_r(gid_t, struct group *, char *, size_t, struct group **);
+#endif
+
+#ifdef NEED_GETGRENT_R
+GROUP_R_RETURN getgrent_r(struct group *gptr, GROUP_R_ARGS);
+#endif
+
+#ifdef NEED_SETGRENT_R
+GROUP_R_SET_RETURN setgrent_r(GROUP_R_ENT_ARGS);
+#endif
+
+#ifdef NEED_ENDGRENT_R
+GROUP_R_END_RETURN endgrent_r(GROUP_R_ENT_ARGS);
+#endif
+
+#ifdef NEED_INNETGR_R
+NGR_R_RETURN
+innetgr_r(const char *, const char *, const char *, const char *);
+#endif
+
+#ifdef NEED_SETNETGRENT_R
+#ifdef NGR_R_ENT_ARGS
+NGR_R_SET_RETURN setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS);
+#else
+NGR_R_SET_RETURN setnetgrent_r(const char *netgroup);
+#endif
+#endif
+
+#ifdef NEED_ENDNETGRENT_R
+#ifdef NGR_R_ENT_ARGS
+NGR_R_END_RETURN endnetgrent_r(NGR_R_ENT_ARGS);
+#else
+NGR_R_END_RETURN endnetgrent_r(void);
+#endif
+#endif
+
+#ifdef POSIX_GETPWNAM_R
+int
+__posix_getpwnam_r(const char *login, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result);
+#endif
+
+#ifdef NEED_GETPWNAM_R
+int
+getpwnam_r(const char *login, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result);
+#endif
+
+#ifdef POSIX_GETPWUID_R
+int
+__posix_getpwuid_r(uid_t uid, struct passwd *pwptr,
+ char *buf, int buflen, struct passwd **result);
+#endif
+
+#ifdef NEED_GETPWUID_R
+int
+getpwuid_r(uid_t uid, struct passwd *pwptr,
+ char *buf, size_t buflen, struct passwd **result);
+#endif
+
+#ifdef NEED_SETPWENT_R
+#ifdef PASS_R_ENT_ARGS
+PASS_R_SET_RETURN setpwent_r(PASS_R_ENT_ARGS);
+#else
+PASS_R_SET_RETURN setpwent_r(void);
+#endif
+
+#endif
+
+#ifdef NEED_SETPASSENT_R
+#ifdef PASS_R_ENT_ARGS
+PASS_R_SET_RETURN setpassent_r(int stayopen, PASS_R_ENT_ARGS);
+#else
+PASS_R_SET_RETURN setpassent_r(int stayopen);
+#endif
+#endif
+
+#ifdef NEED_GETPWENT_R
+PASS_R_RETURN getpwent_r(struct passwd *pwptr, PASS_R_ARGS);
+#endif
+
+#ifdef NEED_ENDPWENT_R
+void endpwent_r(void);
+#endif
+
+#ifdef NEED_SETPASSENT
+int setpassent(int stayopen);
+#endif
+
+#define gettimeofday isc__gettimeofday
+#ifdef NEED_GETTIMEOFDAY
+int isc__gettimeofday(struct timeval *tvp, struct _TIMEZONE *tzp);
+#else
+int isc__gettimeofday(struct timeval *tp, struct timezone *tzp);
+#endif
+
+int getnetgrent(char **machinep, char **userp, char **domainp);
+
+int getnetgrent_r(char **machinep, char **userp, char **domainp, NGR_R_ARGS);
+
+#ifdef SETNETGRENT_ARGS
+void setnetgrent(SETNETGRENT_ARGS);
+#else
+void setnetgrent(const char *netgroup);
+#endif
+
+void endnetgrent(void);
+
+#ifdef INNETGR_ARGS
+int innetgr(INNETGR_ARGS);
+#else
+int innetgr(const char *netgroup, const char *machine,
+ const char *user, const char *domain);
+#endif
+
+#ifdef NGR_R_ENT_ARGS
+NGR_R_SET_RETURN
+setnetgrent_r(const char *netgroup, NGR_R_ENT_ARGS);
+#else
+NGR_R_SET_RETURN
+setnetgrent_r(const char *netgroup);
+#endif
+#endif
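Review bot: The fallback `IN6_IS_ADDR_V4MAPPED` tests `s6_addr[9]` twice and never tests `s6_addr[7]`, so an address whose eighth byte is non-zero is still classified as IPv4-mapped; the second test on the `s6_addr[6]` line should read `(a)->s6_addr[7] == 0x00`. The macro is only compiled where the system headers do not provide one (or on glibc before 2.2, per the `#undef` block above it), but on those hosts any code that uses it for address-family handling or access-control matching would get the wrong answer. Since this is a vendor import, the correction is best carried as a local patch and reported upstream. Separately, the fallback `ALIGN(p)` casts a pointer to `unsigned int`, which truncates on LP64 platforms.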
diff --git a/contrib/bind9/lib/bind/port_before.h.in b/contrib/bind9/lib/bind/port_before.h.in
new file mode 100644
index 0000000..d6fbe86
--- /dev/null
+++ b/contrib/bind9/lib/bind/port_before.h.in
@@ -0,0 +1,138 @@
+#ifndef port_before_h
+#define port_before_h
+#include <config.h>
+
+struct group; /* silence warning */
+struct passwd; /* silence warning */
+struct timeval; /* silence warning */
+struct timezone; /* silence warning */
+
+#ifdef HAVE_SYS_TIMERS_H
+#include <sys/timers.h>
+#endif
+#include <limits.h>
+
+
+@WANT_IRS_GR@
+@WANT_IRS_NIS@
+@WANT_IRS_PW@
+
+@BSD_COMP@
+
+@DO_PTHREADS@
+@GETGROUPLIST_ARGS@
+@GETNETBYADDR_ADDR_T@
+@SETPWENT_VOID@
+@SETGRENT_VOID@
+
+@NET_R_ARGS@
+@NET_R_BAD@
+@NET_R_COPY@
+@NET_R_COPY_ARGS@
+@NET_R_END_RESULT@
+@NET_R_END_RETURN@
+@NET_R_ENT_ARGS@
+@NET_R_OK@
+@NET_R_RETURN@
+@NET_R_SET_RESULT@
+@NET_R_SETANSWER@
+@NET_R_SET_RETURN@
+@NETENT_DATA@
+
+@GROUP_R_RETURN@
+@GROUP_R_SET_RETURN@
+@GROUP_R_SET_RESULT@
+@GROUP_R_END_RETURN@
+@GROUP_R_END_RESULT@
+@GROUP_R_ARGS@
+@GROUP_R_ENT_ARGS@
+@GROUP_R_OK@
+@GROUP_R_BAD@
+
+@HOST_R_ARGS@
+@HOST_R_BAD@
+@HOST_R_COPY@
+@HOST_R_COPY_ARGS@
+@HOST_R_END_RESULT@
+@HOST_R_END_RETURN@
+@HOST_R_ENT_ARGS@
+@HOST_R_ERRNO@
+@HOST_R_OK@
+@HOST_R_RETURN@
+@HOST_R_SETANSWER@
+@HOST_R_SET_RESULT@
+@HOST_R_SET_RETURN@
+@HOSTENT_DATA@
+
+@NGR_R_ARGS@
+@NGR_R_BAD@
+@NGR_R_COPY@
+@NGR_R_COPY_ARGS@
+@NGR_R_END_RESULT@
+@NGR_R_END_RETURN@
+@NGR_R_ENT_ARGS@
+@NGR_R_OK@
+@NGR_R_RETURN@
+@NGR_R_SET_RESULT@
+@NGR_R_SET_RETURN@
+@NGR_R_PRIVATE@
+
+@PROTO_R_ARGS@
+@PROTO_R_BAD@
+@PROTO_R_COPY@
+@PROTO_R_COPY_ARGS@
+@PROTO_R_END_RESULT@
+@PROTO_R_END_RETURN@
+@PROTO_R_ENT_ARGS@
+@PROTO_R_OK@
+@PROTO_R_SETANSWER@
+@PROTO_R_RETURN@
+@PROTO_R_SET_RESULT@
+@PROTO_R_SET_RETURN@
+
+@PASS_R_ARGS@
+@PASS_R_BAD@
+@PASS_R_COPY@
+@PASS_R_COPY_ARGS@
+@PASS_R_END_RESULT@
+@PASS_R_END_RETURN@
+@PASS_R_ENT_ARGS@
+@PASS_R_OK@
+@PASS_R_RETURN@
+@PASS_R_SET_RESULT@
+@PASS_R_SET_RETURN@
+
+@SERV_R_ARGS@
+@SERV_R_BAD@
+@SERV_R_COPY@
+@SERV_R_COPY_ARGS@
+@SERV_R_END_RESULT@
+@SERV_R_END_RETURN@
+@SERV_R_ENT_ARGS@
+@SERV_R_OK@
+@SERV_R_SETANSWER@
+@SERV_R_RETURN@
+@SERV_R_SET_RESULT@
+@SERV_R_SET_RETURN@
+
+
+#define DE_CONST(konst, var) \
+ do { \
+ union { const void *k; void *v; } _u; \
+ _u.k = konst; \
+ var = _u.v; \
+ } while (0)
+
+#define UNUSED(x) (x) = (x)
+
+@SOLARIS_BITTYPES@
+@ISC_SOCKLEN_T@
+
+#ifdef __GNUC__
+#define ISC_FORMAT_PRINTF(fmt, args) \
+ __attribute__((__format__(__printf__, fmt, args)))
+#else
+#define ISC_FORMAT_PRINTF(fmt, args)
+#endif
+
+#endif
diff --git a/contrib/bind9/lib/bind/resolv/Makefile.in b/contrib/bind9/lib/bind/resolv/Makefile.in
new file mode 100644
index 0000000..74a20e7
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3.206.1 2004/03/15 01:02:54 marka Exp $
+
+srcdir= @srcdir@
+VPATH = @srcdir@
+
+OBJS= herror.@O@ res_comp.@O@ res_data.@O@ res_debug.@O@ \
+ res_findzonecut.@O@ res_init.@O@ res_mkquery.@O@ res_mkupdate.@O@ \
+ res_query.@O@ res_send.@O@ res_sendsigned.@O@ res_update.@O@
+
+SRCS= herror.c res_comp.c res_data.c res_debug.c \
+ res_findzonecut.c res_init.c res_mkquery.c res_mkupdate.c \
+ res_query.c res_send.c res_sendsigned.c res_update.c
+
+TARGETS= ${OBJS}
+
+CINCLUDES= -I.. -I${srcdir}/../include
+CWARNINGS=
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind/resolv/herror.c b/contrib/bind9/lib/bind/resolv/herror.c
new file mode 100644
index 0000000..58807e9
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/herror.c
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: herror.c,v 1.2.206.1 2004/03/09 08:33:54 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/uio.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <netdb.h>
+#include <resolv.h>
+#include <string.h>
+#include <unistd.h>
+#include <irs.h>
+
+#include "port_after.h"
+
+const char *h_errlist[] = {
+ "Resolver Error 0 (no error)",
+ "Unknown host", /* 1 HOST_NOT_FOUND */
+ "Host name lookup failure", /* 2 TRY_AGAIN */
+ "Unknown server error", /* 3 NO_RECOVERY */
+ "No address associated with name", /* 4 NO_ADDRESS */
+};
+int h_nerr = { sizeof h_errlist / sizeof h_errlist[0] };
+
+#if !(__GLIBC__ > 2 || __GLIBC__ == 2 && __GLIBC_MINOR__ >= 3)
+#undef h_errno
+int h_errno;
+#endif
+
+/*
+ * herror --
+ * print the error indicated by the h_errno value.
+ */
+void
+herror(const char *s) {
+ struct iovec iov[4], *v = iov;
+ char *t;
+
+ if (s != NULL && *s != '\0') {
+ DE_CONST(s, t);
+ v->iov_base = t;
+ v->iov_len = strlen(t);
+ v++;
+ DE_CONST(": ", t);
+ v->iov_base = t;
+ v->iov_len = 2;
+ v++;
+ }
+ DE_CONST(hstrerror(*__h_errno()), t);
+ v->iov_base = t;
+ v->iov_len = strlen(v->iov_base);
+ v++;
+ DE_CONST("\n", t);
+ v->iov_base = t;
+ v->iov_len = 1;
+ writev(STDERR_FILENO, iov, (v - iov) + 1);
+}
+
+/*
+ * hstrerror --
+ * return the string associated with a given "host" errno value.
+ */
+const char *
+hstrerror(int err) {
+ if (err < 0)
+ return ("Resolver internal error");
+ else if (err < h_nerr)
+ return (h_errlist[err]);
+ return ("Unknown resolver error");
+}
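Review bot: In `herror()` the count passed to `writev` is `(v - iov) + 1` because `v` is not advanced after the newline entry, unlike the entries before it, and that asymmetry makes the bound on `iov[4]` harder to check by eye. Adding `v++;` after `v->iov_len = 1;` and passing `v - iov` would make every entry follow the same pattern; alternatively a comment such as `/* v still points at the last filled entry */` on the `writev` line would do. The return value of `writev` is also ignored, which is acceptable for a best-effort diagnostic but worth stating in the function comment.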
diff --git a/contrib/bind9/lib/bind/resolv/res_comp.c b/contrib/bind9/lib/bind/resolv/res_comp.c
new file mode 100644
index 0000000..6468dbc
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_comp.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (c) 1985, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_comp.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_comp.c,v 1.1.2.1.4.1 2004/03/09 08:33:54 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include "port_after.h"
+
+/*
+ * Expand compressed domain name 'src' to full domain name.
+ * 'msg' is a pointer to the begining of the message,
+ * 'eom' points to the first location after the message,
+ * 'dst' is a pointer to a buffer of size 'dstsiz' for the result.
+ * Return size of compressed name or -1 if there was an error.
+ */
+int
+dn_expand(const u_char *msg, const u_char *eom, const u_char *src,
+ char *dst, int dstsiz)
+{
+ int n = ns_name_uncompress(msg, eom, src, dst, (size_t)dstsiz);
+
+ if (n > 0 && dst[0] == '.')
+ dst[0] = '\0';
+ return (n);
+}
+
+/*
+ * Pack domain name 'exp_dn' in presentation form into 'comp_dn'.
+ * Return the size of the compressed name or -1.
+ * 'length' is the size of the array pointed to by 'comp_dn'.
+ */
+int
+dn_comp(const char *src, u_char *dst, int dstsiz,
+ u_char **dnptrs, u_char **lastdnptr)
+{
+ return (ns_name_compress(src, dst, (size_t)dstsiz,
+ (const u_char **)dnptrs,
+ (const u_char **)lastdnptr));
+}
+
+/*
+ * Skip over a compressed domain name. Return the size or -1.
+ */
+int
+dn_skipname(const u_char *ptr, const u_char *eom) {
+ const u_char *saveptr = ptr;
+
+ if (ns_name_skip(&ptr, eom) == -1)
+ return (-1);
+ return (ptr - saveptr);
+}
+
+/*
+ * Verify that a domain name uses an acceptable character set.
+ */
+
+/*
+ * Note the conspicuous absence of ctype macros in these definitions. On
+ * non-ASCII hosts, we can't depend on string literals or ctype macros to
+ * tell us anything about network-format data. The rest of the BIND system
+ * is not careful about this, but for some reason, we're doing it right here.
+ */
+#define PERIOD 0x2e
+#define hyphenchar(c) ((c) == 0x2d)
+#define bslashchar(c) ((c) == 0x5c)
+#define periodchar(c) ((c) == PERIOD)
+#define asterchar(c) ((c) == 0x2a)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
+ || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
+int
+res_hnok(const char *dn) {
+ int pch = PERIOD, ch = *dn++;
+
+ while (ch != '\0') {
+ int nch = *dn++;
+
+ if (periodchar(ch)) {
+ (void)NULL;
+ } else if (periodchar(pch)) {
+ if (!borderchar(ch))
+ return (0);
+ } else if (periodchar(nch) || nch == '\0') {
+ if (!borderchar(ch))
+ return (0);
+ } else {
+ if (!middlechar(ch))
+ return (0);
+ }
+ pch = ch, ch = nch;
+ }
+ return (1);
+}
+
+/*
+ * hostname-like (A, MX, WKS) owners can have "*" as their first label
+ * but must otherwise be as a host name.
+ */
+int
+res_ownok(const char *dn) {
+ if (asterchar(dn[0])) {
+ if (periodchar(dn[1]))
+ return (res_hnok(dn+2));
+ if (dn[1] == '\0')
+ return (1);
+ }
+ return (res_hnok(dn));
+}
+
+/*
+ * SOA RNAMEs and RP RNAMEs can have any printable character in their first
+ * label, but the rest of the name has to look like a host name.
+ */
+int
+res_mailok(const char *dn) {
+ int ch, escaped = 0;
+
+ /* "." is a valid missing representation */
+ if (*dn == '\0')
+ return (1);
+
+ /* otherwise <label>.<hostname> */
+ while ((ch = *dn++) != '\0') {
+ if (!domainchar(ch))
+ return (0);
+ if (!escaped && periodchar(ch))
+ break;
+ if (escaped)
+ escaped = 0;
+ else if (bslashchar(ch))
+ escaped = 1;
+ }
+ if (periodchar(ch))
+ return (res_hnok(dn));
+ return (0);
+}
+
+/*
+ * This function is quite liberal, since RFC 1034's character sets are only
+ * recommendations.
+ */
+int
+res_dnok(const char *dn) {
+ int ch;
+
+ while ((ch = *dn++) != '\0')
+ if (!domainchar(ch))
+ return (0);
+ return (1);
+}
+
+#ifdef BIND_4_COMPAT
+/*
+ * This module must export the following externally-visible symbols:
+ * ___putlong
+ * ___putshort
+ * __getlong
+ * __getshort
+ * Note that one _ comes from C and the others come from us.
+ */
+void __putlong(u_int32_t src, u_char *dst) { ns_put32(src, dst); }
+void __putshort(u_int16_t src, u_char *dst) { ns_put16(src, dst); }
+#ifndef __ultrix__
+u_int32_t _getlong(const u_char *src) { return (ns_get32(src)); }
+u_int16_t _getshort(const u_char *src) { return (ns_get16(src)); }
+#endif /*__ultrix__*/
+#endif /*BIND_4_COMPAT*/
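Review bot: `dn_expand()` and `dn_comp()` cast the caller's `int dstsiz` straight to `size_t`, so a negative length (for example from an unchecked subtraction in the caller) becomes a very large buffer size instead of an error. Whether `ns_name_uncompress` or `ns_name_compress` would then write past the real buffer cannot be seen from this hunk, but rejecting the value up front is cheap: `if (dstsiz < 0) return (-1);` at the top of both functions, matching the documented -1 error return. The comment above `dn_comp()` also names the parameters `exp_dn`, `comp_dn` and `length`, which the signature calls `src`, `dst` and `dstsiz`.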
diff --git a/contrib/bind9/lib/bind/resolv/res_data.c b/contrib/bind9/lib/bind/resolv/res_data.c
new file mode 100644
index 0000000..204e03d
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_data.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1995-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char rcsid[] = "$Id: res_data.c,v 1.1.206.2 2004/03/16 12:34:18 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <res_update.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "port_after.h"
+#undef _res
+
+const char *_res_opcodes[] = {
+ "QUERY",
+ "IQUERY",
+ "CQUERYM",
+ "CQUERYU", /* experimental */
+ "NOTIFY", /* experimental */
+ "UPDATE",
+ "6",
+ "7",
+ "8",
+ "9",
+ "10",
+ "11",
+ "12",
+ "13",
+ "ZONEINIT",
+ "ZONEREF",
+};
+
+#ifdef BIND_UPDATE
+const char *_res_sectioncodes[] = {
+ "ZONE",
+ "PREREQUISITES",
+ "UPDATE",
+ "ADDITIONAL",
+};
+#endif
+
+#ifndef __BIND_NOSTATIC
+struct __res_state _res
+# if defined(__BIND_RES_TEXT)
+ = { RES_TIMEOUT, } /* Motorola, et al. */
+# endif
+ ;
+
+/* Proto. */
+
+int res_ourserver_p(const res_state, const struct sockaddr_in *);
+
+int
+res_init(void) {
+ extern int __res_vinit(res_state, int);
+
+ /*
+ * These three fields used to be statically initialized. This made
+ * it hard to use this code in a shared library. It is necessary,
+ * now that we're doing dynamic initialization here, that we preserve
+ * the old semantics: if an application modifies one of these three
+ * fields of _res before res_init() is called, res_init() will not
+ * alter them. Of course, if an application is setting them to
+ * _zero_ before calling res_init(), hoping to override what used
+ * to be the static default, we can't detect it and unexpected results
+ * will follow. Zero for any of these fields would make no sense,
+ * so one can safely assume that the applications were already getting
+ * unexpected results.
+ *
+ * _res.options is tricky since some apps were known to diddle the bits
+ * before res_init() was first called. We can't replicate that semantic
+ * with dynamic initialization (they may have turned bits off that are
+ * set in RES_DEFAULT). Our solution is to declare such applications
+ * "broken". They could fool us by setting RES_INIT but none do (yet).
+ */
+ if (!_res.retrans)
+ _res.retrans = RES_TIMEOUT;
+ if (!_res.retry)
+ _res.retry = 4;
+ if (!(_res.options & RES_INIT))
+ _res.options = RES_DEFAULT;
+
+ /*
+ * This one used to initialize implicitly to zero, so unless the app
+ * has set it to something in particular, we can randomize it now.
+ */
+ if (!_res.id)
+ _res.id = res_randomid();
+
+ return (__res_vinit(&_res, 1));
+}
+
+void
+p_query(const u_char *msg) {
+ fp_query(msg, stdout);
+}
+
+void
+fp_query(const u_char *msg, FILE *file) {
+ fp_nquery(msg, PACKETSZ, file);
+}
+
+void
+fp_nquery(const u_char *msg, int len, FILE *file) {
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1)
+ return;
+
+ res_pquery(&_res, msg, len, file);
+}
+
+int
+res_mkquery(int op, /* opcode of query */
+ const char *dname, /* domain name */
+ int class, int type, /* class and type of query */
+ const u_char *data, /* resource record data */
+ int datalen, /* length of data */
+ const u_char *newrr_in, /* new rr for modify or append */
+ u_char *buf, /* buffer to put query */
+ int buflen) /* size of buffer */
+{
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+ return (res_nmkquery(&_res, op, dname, class, type,
+ data, datalen,
+ newrr_in, buf, buflen));
+}
+
+int
+res_mkupdate(ns_updrec *rrecp_in, u_char *buf, int buflen) {
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+
+ return (res_nmkupdate(&_res, rrecp_in, buf, buflen));
+}
+
+int
+res_query(const char *name, /* domain name */
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer buffer */
+{
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+ return (res_nquery(&_res, name, class, type, answer, anslen));
+}
+
+void
+res_send_setqhook(res_send_qhook hook) {
+ _res.qhook = hook;
+}
+
+void
+res_send_setrhook(res_send_rhook hook) {
+ _res.rhook = hook;
+}
+
+int
+res_isourserver(const struct sockaddr_in *inp) {
+ return (res_ourserver_p(&_res, inp));
+}
+
+int
+res_send(const u_char *buf, int buflen, u_char *ans, int anssiz) {
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ /* errno should have been set by res_init() in this case. */
+ return (-1);
+ }
+
+ return (res_nsend(&_res, buf, buflen, ans, anssiz));
+}
+
+int
+res_sendsigned(const u_char *buf, int buflen, ns_tsig_key *key,
+ u_char *ans, int anssiz)
+{
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ /* errno should have been set by res_init() in this case. */
+ return (-1);
+ }
+
+ return (res_nsendsigned(&_res, buf, buflen, key, ans, anssiz));
+}
+
+void
+res_close(void) {
+ res_nclose(&_res);
+}
+
+int
+res_update(ns_updrec *rrecp_in) {
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+
+ return (res_nupdate(&_res, rrecp_in, NULL));
+}
+
+int
+res_search(const char *name, /* domain name */
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer */
+{
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+
+ return (res_nsearch(&_res, name, class, type, answer, anslen));
+}
+
+int
+res_querydomain(const char *name,
+ const char *domain,
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer */
+{
+ if ((_res.options & RES_INIT) == 0U && res_init() == -1) {
+ RES_SET_H_ERRNO(&_res, NETDB_INTERNAL);
+ return (-1);
+ }
+
+ return (res_nquerydomain(&_res, name, domain,
+ class, type,
+ answer, anslen));
+}
+
+const char *
+hostalias(const char *name) {
+ static char abuf[MAXDNAME];
+
+ return (res_hostalias(&_res, name, abuf, sizeof abuf));
+}
+
+#ifdef ultrix
+int
+local_hostname_length(const char *hostname) {
+ int len_host, len_domain;
+
+ if (!*_res.defdname)
+ res_init();
+ len_host = strlen(hostname);
+ len_domain = strlen(_res.defdname);
+ if (len_host > len_domain &&
+ !strcasecmp(hostname + len_host - len_domain, _res.defdname) &&
+ hostname[len_host - len_domain - 1] == '.')
+ return (len_host - len_domain - 1);
+ return (0);
+}
+#endif /*ultrix*/
+
+#endif
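Review bot: `fp_query()` passes the fixed constant `PACKETSZ` to `fp_nquery()` as the message length, so the printer is told the buffer holds that many bytes whatever the caller actually allocated or received; `p_query()` inherits this. That length becomes the bound handed to `ns_initparse()` in `res_pquery()`, so a shorter buffer can presumably be read past its end during parsing, and a longer message is cut off at `PACKETSZ`. Since these signatures cannot carry a length, I would document the contract above `fp_query()`, e.g. `/* msg must point to at least PACKETSZ readable bytes; use fp_nquery() when the real length is known. */`. Separately, `hostalias()` returns a pointer into a `static` buffer and deserves the `/* XXX nonreentrant */` marker that res_debug.c puts on its static-buffer helpers.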
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.c b/contrib/bind9/lib/bind/resolv/res_debug.c
new file mode 100644
index 0000000..1e228be
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_debug.c
@@ -0,0 +1,1163 @@
+/*
+ * Copyright (c) 1985
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software. No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_debug.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_debug.c,v 1.3.2.5.4.5 2004/07/28 20:16:46 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <math.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include "port_after.h"
+
+#ifdef SPRINTF_CHAR
+# define SPRINTF(x) strlen(sprintf/**/x)
+#else
+# define SPRINTF(x) sprintf x
+#endif
+
+extern const char *_res_opcodes[];
+extern const char *_res_sectioncodes[];
+
+/*
+ * Print the current options.
+ */
+void
+fp_resstat(const res_state statp, FILE *file) {
+ u_long mask;
+
+ fprintf(file, ";; res options:");
+ for (mask = 1; mask != 0U; mask <<= 1)
+ if (statp->options & mask)
+ fprintf(file, " %s", p_option(mask));
+ putc('\n', file);
+}
+
+static void
+do_section(const res_state statp,
+ ns_msg *handle, ns_sect section,
+ int pflag, FILE *file)
+{
+ int n, sflag, rrnum;
+ static int buflen = 2048;
+ char *buf;
+ ns_opcode opcode;
+ ns_rr rr;
+
+ /*
+ * Print answer records.
+ */
+ sflag = (statp->pfcode & pflag);
+ if (statp->pfcode && !sflag)
+ return;
+
+ buf = malloc(buflen);
+ if (buf == NULL) {
+ fprintf(file, ";; memory allocation failure\n");
+ return;
+ }
+
+ opcode = (ns_opcode) ns_msg_getflag(*handle, ns_f_opcode);
+ rrnum = 0;
+ for (;;) {
+ if (ns_parserr(handle, section, rrnum, &rr)) {
+ if (errno != ENODEV)
+ fprintf(file, ";; ns_parserr: %s\n",
+ strerror(errno));
+ else if (rrnum > 0 && sflag != 0 &&
+ (statp->pfcode & RES_PRF_HEAD1))
+ putc('\n', file);
+ goto cleanup;
+ }
+ if (rrnum == 0 && sflag != 0 && (statp->pfcode & RES_PRF_HEAD1))
+ fprintf(file, ";; %s SECTION:\n",
+ p_section(section, opcode));
+ if (section == ns_s_qd)
+ fprintf(file, ";;\t%s, type = %s, class = %s\n",
+ ns_rr_name(rr),
+ p_type(ns_rr_type(rr)),
+ p_class(ns_rr_class(rr)));
+ else if (section == ns_s_ar && ns_rr_type(rr) == ns_t_opt) {
+ u_int32_t ttl = ns_rr_ttl(rr);
+ fprintf(file,
+ "; EDNS: version: %u, udp=%u, flags=%04x\n",
+ (ttl>>16)&0xff, ns_rr_class(rr), ttl&0xffff);
+ } else {
+ n = ns_sprintrr(handle, &rr, NULL, NULL,
+ buf, buflen);
+ if (n < 0) {
+ if (errno == ENOSPC) {
+ free(buf);
+ buf = NULL;
+ if (buflen < 131072)
+ buf = malloc(buflen += 1024);
+ if (buf == NULL) {
+ fprintf(file,
+ ";; memory allocation failure\n");
+ return;
+ }
+ continue;
+ }
+ fprintf(file, ";; ns_sprintrr: %s\n",
+ strerror(errno));
+ goto cleanup;
+ }
+ fputs(buf, file);
+ fputc('\n', file);
+ }
+ rrnum++;
+ }
+ cleanup:
+ if (buf != NULL)
+ free(buf);
+}
+
+/*
+ * Print the contents of a query.
+ * This is intended to be primarily a debugging routine.
+ */
+void
+res_pquery(const res_state statp, const u_char *msg, int len, FILE *file) {
+ ns_msg handle;
+ int qdcount, ancount, nscount, arcount;
+ u_int opcode, rcode, id;
+
+ if (ns_initparse(msg, len, &handle) < 0) {
+ fprintf(file, ";; ns_initparse: %s\n", strerror(errno));
+ return;
+ }
+ opcode = ns_msg_getflag(handle, ns_f_opcode);
+ rcode = ns_msg_getflag(handle, ns_f_rcode);
+ id = ns_msg_id(handle);
+ qdcount = ns_msg_count(handle, ns_s_qd);
+ ancount = ns_msg_count(handle, ns_s_an);
+ nscount = ns_msg_count(handle, ns_s_ns);
+ arcount = ns_msg_count(handle, ns_s_ar);
+
+ /*
+ * Print header fields.
+ */
+ if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEADX) || rcode)
+ fprintf(file,
+ ";; ->>HEADER<<- opcode: %s, status: %s, id: %d\n",
+ _res_opcodes[opcode], p_rcode(rcode), id);
+ if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEADX))
+ putc(';', file);
+ if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEAD2)) {
+ fprintf(file, "; flags:");
+ if (ns_msg_getflag(handle, ns_f_qr))
+ fprintf(file, " qr");
+ if (ns_msg_getflag(handle, ns_f_aa))
+ fprintf(file, " aa");
+ if (ns_msg_getflag(handle, ns_f_tc))
+ fprintf(file, " tc");
+ if (ns_msg_getflag(handle, ns_f_rd))
+ fprintf(file, " rd");
+ if (ns_msg_getflag(handle, ns_f_ra))
+ fprintf(file, " ra");
+ if (ns_msg_getflag(handle, ns_f_z))
+ fprintf(file, " ??");
+ if (ns_msg_getflag(handle, ns_f_ad))
+ fprintf(file, " ad");
+ if (ns_msg_getflag(handle, ns_f_cd))
+ fprintf(file, " cd");
+ }
+ if ((!statp->pfcode) || (statp->pfcode & RES_PRF_HEAD1)) {
+ fprintf(file, "; %s: %d",
+ p_section(ns_s_qd, opcode), qdcount);
+ fprintf(file, ", %s: %d",
+ p_section(ns_s_an, opcode), ancount);
+ fprintf(file, ", %s: %d",
+ p_section(ns_s_ns, opcode), nscount);
+ fprintf(file, ", %s: %d",
+ p_section(ns_s_ar, opcode), arcount);
+ }
+ if ((!statp->pfcode) || (statp->pfcode &
+ (RES_PRF_HEADX | RES_PRF_HEAD2 | RES_PRF_HEAD1))) {
+ putc('\n',file);
+ }
+ /*
+ * Print the various sections.
+ */
+ do_section(statp, &handle, ns_s_qd, RES_PRF_QUES, file);
+ do_section(statp, &handle, ns_s_an, RES_PRF_ANS, file);
+ do_section(statp, &handle, ns_s_ns, RES_PRF_AUTH, file);
+ do_section(statp, &handle, ns_s_ar, RES_PRF_ADD, file);
+ if (qdcount == 0 && ancount == 0 &&
+ nscount == 0 && arcount == 0)
+ putc('\n', file);
+}
+
+const u_char *
+p_cdnname(const u_char *cp, const u_char *msg, int len, FILE *file) {
+ char name[MAXDNAME];
+ int n;
+
+ if ((n = dn_expand(msg, msg + len, cp, name, sizeof name)) < 0)
+ return (NULL);
+ if (name[0] == '\0')
+ putc('.', file);
+ else
+ fputs(name, file);
+ return (cp + n);
+}
+
+const u_char *
+p_cdname(const u_char *cp, const u_char *msg, FILE *file) {
+ return (p_cdnname(cp, msg, PACKETSZ, file));
+}
+
+/* Return a fully-qualified domain name from a compressed name (with
+ length supplied). */
+
+const u_char *
+p_fqnname(cp, msg, msglen, name, namelen)
+ const u_char *cp, *msg;
+ int msglen;
+ char *name;
+ int namelen;
+{
+ int n, newlen;
+
+ if ((n = dn_expand(msg, cp + msglen, cp, name, namelen)) < 0)
+ return (NULL);
+ newlen = strlen(name);
+ if (newlen == 0 || name[newlen - 1] != '.') {
+ if (newlen + 1 >= namelen) /* Lack space for final dot */
+ return (NULL);
+ else
+ strcpy(name + newlen, ".");
+ }
+ return (cp + n);
+}
+
+/* XXX: the rest of these functions need to become length-limited, too. */
+
+const u_char *
+p_fqname(const u_char *cp, const u_char *msg, FILE *file) {
+ char name[MAXDNAME];
+ const u_char *n;
+
+ n = p_fqnname(cp, msg, MAXCDNAME, name, sizeof name);
+ if (n == NULL)
+ return (NULL);
+ fputs(name, file);
+ return (n);
+}
+
+/*
+ * Names of RR classes and qclasses. Classes and qclasses are the same, except
+ * that C_ANY is a qclass but not a class. (You can ask for records of class
+ * C_ANY, but you can't have any records of that class in the database.)
+ */
+const struct res_sym __p_class_syms[] = {
+ {C_IN, "IN", (char *)0},
+ {C_CHAOS, "CH", (char *)0},
+ {C_CHAOS, "CHAOS", (char *)0},
+ {C_HS, "HS", (char *)0},
+ {C_HS, "HESIOD", (char *)0},
+ {C_ANY, "ANY", (char *)0},
+ {C_NONE, "NONE", (char *)0},
+ {C_IN, (char *)0, (char *)0}
+};
+
+/*
+ * Names of message sections.
+ */
+const struct res_sym __p_default_section_syms[] = {
+ {ns_s_qd, "QUERY", (char *)0},
+ {ns_s_an, "ANSWER", (char *)0},
+ {ns_s_ns, "AUTHORITY", (char *)0},
+ {ns_s_ar, "ADDITIONAL", (char *)0},
+ {0, (char *)0, (char *)0}
+};
+
+const struct res_sym __p_update_section_syms[] = {
+ {S_ZONE, "ZONE", (char *)0},
+ {S_PREREQ, "PREREQUISITE", (char *)0},
+ {S_UPDATE, "UPDATE", (char *)0},
+ {S_ADDT, "ADDITIONAL", (char *)0},
+ {0, (char *)0, (char *)0}
+};
+
+const struct res_sym __p_key_syms[] = {
+ {NS_ALG_MD5RSA, "RSA", "RSA KEY with MD5 hash"},
+ {NS_ALG_DH, "DH", "Diffie Hellman"},
+ {NS_ALG_DSA, "DSA", "Digital Signature Algorithm"},
+ {NS_ALG_EXPIRE_ONLY, "EXPIREONLY", "No algorithm"},
+ {NS_ALG_PRIVATE_OID, "PRIVATE", "Algorithm obtained from OID"},
+ {0, NULL, NULL}
+};
+
+const struct res_sym __p_cert_syms[] = {
+ {cert_t_pkix, "PKIX", "PKIX (X.509v3) Certificate"},
+ {cert_t_spki, "SPKI", "SPKI certificate"},
+ {cert_t_pgp, "PGP", "PGP certificate"},
+ {cert_t_url, "URL", "URL Private"},
+ {cert_t_oid, "OID", "OID Private"},
+ {0, NULL, NULL}
+};
+
+/*
+ * Names of RR types and qtypes. Types and qtypes are the same, except
+ * that T_ANY is a qtype but not a type. (You can ask for records of type
+ * T_ANY, but you can't have any records of that type in the database.)
+ */
+const struct res_sym __p_type_syms[] = {
+ {ns_t_a, "A", "address"},
+ {ns_t_ns, "NS", "name server"},
+ {ns_t_md, "MD", "mail destination (deprecated)"},
+ {ns_t_mf, "MF", "mail forwarder (deprecated)"},
+ {ns_t_cname, "CNAME", "canonical name"},
+ {ns_t_soa, "SOA", "start of authority"},
+ {ns_t_mb, "MB", "mailbox"},
+ {ns_t_mg, "MG", "mail group member"},
+ {ns_t_mr, "MR", "mail rename"},
+ {ns_t_null, "NULL", "null"},
+ {ns_t_wks, "WKS", "well-known service (deprecated)"},
+ {ns_t_ptr, "PTR", "domain name pointer"},
+ {ns_t_hinfo, "HINFO", "host information"},
+ {ns_t_minfo, "MINFO", "mailbox information"},
+ {ns_t_mx, "MX", "mail exchanger"},
+ {ns_t_txt, "TXT", "text"},
+ {ns_t_rp, "RP", "responsible person"},
+ {ns_t_afsdb, "AFSDB", "DCE or AFS server"},
+ {ns_t_x25, "X25", "X25 address"},
+ {ns_t_isdn, "ISDN", "ISDN address"},
+ {ns_t_rt, "RT", "router"},
+ {ns_t_nsap, "NSAP", "nsap address"},
+ {ns_t_nsap_ptr, "NSAP_PTR", "domain name pointer"},
+ {ns_t_sig, "SIG", "signature"},
+ {ns_t_key, "KEY", "key"},
+ {ns_t_px, "PX", "mapping information"},
+ {ns_t_gpos, "GPOS", "geographical position (withdrawn)"},
+ {ns_t_aaaa, "AAAA", "IPv6 address"},
+ {ns_t_loc, "LOC", "location"},
+ {ns_t_nxt, "NXT", "next valid name (unimplemented)"},
+ {ns_t_eid, "EID", "endpoint identifier (unimplemented)"},
+ {ns_t_nimloc, "NIMLOC", "NIMROD locator (unimplemented)"},
+ {ns_t_srv, "SRV", "server selection"},
+ {ns_t_atma, "ATMA", "ATM address (unimplemented)"},
+ {ns_t_tkey, "TKEY", "tkey"},
+ {ns_t_tsig, "TSIG", "transaction signature"},
+ {ns_t_ixfr, "IXFR", "incremental zone transfer"},
+ {ns_t_axfr, "AXFR", "zone transfer"},
+ {ns_t_zxfr, "ZXFR", "compressed zone transfer"},
+ {ns_t_mailb, "MAILB", "mailbox-related data (deprecated)"},
+ {ns_t_maila, "MAILA", "mail agent (deprecated)"},
+ {ns_t_naptr, "NAPTR", "URN Naming Authority"},
+ {ns_t_kx, "KX", "Key Exchange"},
+ {ns_t_cert, "CERT", "Certificate"},
+ {ns_t_a6, "A6", "IPv6 Address"},
+ {ns_t_dname, "DNAME", "dname"},
+ {ns_t_sink, "SINK", "Kitchen Sink (experimental)"},
+ {ns_t_opt, "OPT", "EDNS Options"},
+ {ns_t_any, "ANY", "\"any\""},
+ {0, NULL, NULL}
+};
+
+/*
+ * Names of DNS rcodes.
+ */
+const struct res_sym __p_rcode_syms[] = {
+ {ns_r_noerror, "NOERROR", "no error"},
+ {ns_r_formerr, "FORMERR", "format error"},
+ {ns_r_servfail, "SERVFAIL", "server failed"},
+ {ns_r_nxdomain, "NXDOMAIN", "no such domain name"},
+ {ns_r_notimpl, "NOTIMP", "not implemented"},
+ {ns_r_refused, "REFUSED", "refused"},
+ {ns_r_yxdomain, "YXDOMAIN", "domain name exists"},
+ {ns_r_yxrrset, "YXRRSET", "rrset exists"},
+ {ns_r_nxrrset, "NXRRSET", "rrset doesn't exist"},
+ {ns_r_notauth, "NOTAUTH", "not authoritative"},
+ {ns_r_notzone, "NOTZONE", "Not in zone"},
+ {ns_r_max, "", ""},
+ {ns_r_badsig, "BADSIG", "bad signature"},
+ {ns_r_badkey, "BADKEY", "bad key"},
+ {ns_r_badtime, "BADTIME", "bad time"},
+ {0, NULL, NULL}
+};
+
+int
+sym_ston(const struct res_sym *syms, const char *name, int *success) {
+ for ((void)NULL; syms->name != 0; syms++) {
+ if (strcasecmp (name, syms->name) == 0) {
+ if (success)
+ *success = 1;
+ return (syms->number);
+ }
+ }
+ if (success)
+ *success = 0;
+ return (syms->number); /* The default value. */
+}
+
+const char *
+sym_ntos(const struct res_sym *syms, int number, int *success) {
+ static char unname[20];
+
+ for ((void)NULL; syms->name != 0; syms++) {
+ if (number == syms->number) {
+ if (success)
+ *success = 1;
+ return (syms->name);
+ }
+ }
+
+ sprintf(unname, "%d", number); /* XXX nonreentrant */
+ if (success)
+ *success = 0;
+ return (unname);
+}
+
+const char *
+sym_ntop(const struct res_sym *syms, int number, int *success) {
+ static char unname[20];
+
+ for ((void)NULL; syms->name != 0; syms++) {
+ if (number == syms->number) {
+ if (success)
+ *success = 1;
+ return (syms->humanname);
+ }
+ }
+ sprintf(unname, "%d", number); /* XXX nonreentrant */
+ if (success)
+ *success = 0;
+ return (unname);
+}
+
+/*
+ * Return a string for the type.
+ */
+const char *
+p_type(int type) {
+ int success;
+ const char *result;
+ static char typebuf[20];
+
+ result = sym_ntos(__p_type_syms, type, &success);
+ if (success)
+ return (result);
+ if (type < 0 || type > 0xffff)
+ return ("BADTYPE");
+ sprintf(typebuf, "TYPE%d", type);
+ return (typebuf);
+}
+
+/*
+ * Return a string for the type.
+ */
+const char *
+p_section(int section, int opcode) {
+ const struct res_sym *symbols;
+
+ switch (opcode) {
+ case ns_o_update:
+ symbols = __p_update_section_syms;
+ break;
+ default:
+ symbols = __p_default_section_syms;
+ break;
+ }
+ return (sym_ntos(symbols, section, (int *)0));
+}
+
+/*
+ * Return a mnemonic for class.
+ */
+const char *
+p_class(int class) {
+ int success;
+ const char *result;
+ static char classbuf[20];
+
+ result = sym_ntos(__p_class_syms, class, &success);
+ if (success)
+ return (result);
+ if (class < 0 || class > 0xffff)
+ return ("BADCLASS");
+ sprintf(classbuf, "CLASS%d", class);
+ return (classbuf);
+}
+
+/*
+ * Return a mnemonic for an option
+ */
+const char *
+p_option(u_long option) {
+ static char nbuf[40];
+
+ switch (option) {
+ case RES_INIT: return "init";
+ case RES_DEBUG: return "debug";
+ case RES_AAONLY: return "aaonly(unimpl)";
+ case RES_USEVC: return "usevc";
+ case RES_PRIMARY: return "primry(unimpl)";
+ case RES_IGNTC: return "igntc";
+ case RES_RECURSE: return "recurs";
+ case RES_DEFNAMES: return "defnam";
+ case RES_STAYOPEN: return "styopn";
+ case RES_DNSRCH: return "dnsrch";
+ case RES_INSECURE1: return "insecure1";
+ case RES_INSECURE2: return "insecure2";
+ case RES_NOALIASES: return "noaliases";
+ case RES_USE_INET6: return "inet6";
+#ifdef RES_USE_EDNS0 /* KAME extension */
+ case RES_USE_EDNS0: return "edns0";
+#endif
+#ifdef RES_USE_DNAME
+ case RES_USE_DNAME: return "dname";
+#endif
+#ifdef RES_USE_DNSSEC
+ case RES_USE_DNSSEC: return "dnssec";
+#endif
+#ifdef RES_NOTLDQUERY
+ case RES_NOTLDQUERY: return "no-tld-query";
+#endif
+#ifdef RES_NO_NIBBLE2
+ case RES_NO_NIBBLE2: return "no-nibble2";
+#endif
+ /* XXX nonreentrant */
+ default: sprintf(nbuf, "?0x%lx?", (u_long)option);
+ return (nbuf);
+ }
+}
+
+/*
+ * Return a mnemonic for a time to live.
+ */
+const char *
+p_time(u_int32_t value) {
+ static char nbuf[40]; /* XXX nonreentrant */
+
+ if (ns_format_ttl(value, nbuf, sizeof nbuf) < 0)
+ sprintf(nbuf, "%u", value);
+ return (nbuf);
+}
+
+/*
+ * Return a string for the rcode.
+ */
+const char *
+p_rcode(int rcode) {
+ return (sym_ntos(__p_rcode_syms, rcode, (int *)0));
+}
+
+/*
+ * Return a string for a res_sockaddr_union.
+ */
+const char *
+p_sockun(union res_sockaddr_union u, char *buf, size_t size) {
+ char ret[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:123.123.123.123"];
+
+ switch (u.sin.sin_family) {
+ case AF_INET:
+ inet_ntop(AF_INET, &u.sin.sin_addr, ret, sizeof ret);
+ break;
+#ifdef HAS_INET6_STRUCTS
+ case AF_INET6:
+ inet_ntop(AF_INET6, &u.sin6.sin6_addr, ret, sizeof ret);
+ break;
+#endif
+ default:
+ sprintf(ret, "[af%d]", u.sin.sin_family);
+ break;
+ }
+ if (size > 0U) {
+ strncpy(buf, ret, size - 1);
+ buf[size - 1] = '0';
+ }
+ return (buf);
+}
+
+/*
+ * routines to convert between on-the-wire RR format and zone file format.
+ * Does not contain conversion to/from decimal degrees; divide or multiply
+ * by 60*60*1000 for that.
+ */
+
+static unsigned int poweroften[10] = {1, 10, 100, 1000, 10000, 100000,
+ 1000000,10000000,100000000,1000000000};
+
+/* takes an XeY precision/size value, returns a string representation. */
+static const char *
+precsize_ntoa(prec)
+ u_int8_t prec;
+{
+ static char retbuf[sizeof "90000000.00"]; /* XXX nonreentrant */
+ unsigned long val;
+ int mantissa, exponent;
+
+ mantissa = (int)((prec >> 4) & 0x0f) % 10;
+ exponent = (int)((prec >> 0) & 0x0f) % 10;
+
+ val = mantissa * poweroften[exponent];
+
+ (void) sprintf(retbuf, "%lu.%.2lu", val/100, val%100);
+ return (retbuf);
+}
+
+/* converts ascii size/precision X * 10**Y(cm) to 0xXY. moves pointer. */
+static u_int8_t
+precsize_aton(const char **strptr) {
+ unsigned int mval = 0, cmval = 0;
+ u_int8_t retval = 0;
+ const char *cp;
+ int exponent;
+ int mantissa;
+
+ cp = *strptr;
+
+ while (isdigit((unsigned char)*cp))
+ mval = mval * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* centimeters */
+ cp++;
+ if (isdigit((unsigned char)*cp)) {
+ cmval = (*cp++ - '0') * 10;
+ if (isdigit((unsigned char)*cp)) {
+ cmval += (*cp++ - '0');
+ }
+ }
+ }
+ cmval = (mval * 100) + cmval;
+
+ for (exponent = 0; exponent < 9; exponent++)
+ if (cmval < poweroften[exponent+1])
+ break;
+
+ mantissa = cmval / poweroften[exponent];
+ if (mantissa > 9)
+ mantissa = 9;
+
+ retval = (mantissa << 4) | exponent;
+
+ *strptr = cp;
+
+ return (retval);
+}
+
+/* converts ascii lat/lon to unsigned encoded 32-bit number. moves pointer. */
+static u_int32_t
+latlon2ul(const char **latlonstrptr, int *which) {
+ const char *cp;
+ u_int32_t retval;
+ int deg = 0, min = 0, secs = 0, secsfrac = 0;
+
+ cp = *latlonstrptr;
+
+ while (isdigit((unsigned char)*cp))
+ deg = deg * 10 + (*cp++ - '0');
+
+ while (isspace((unsigned char)*cp))
+ cp++;
+
+ if (!(isdigit((unsigned char)*cp)))
+ goto fndhemi;
+
+ while (isdigit((unsigned char)*cp))
+ min = min * 10 + (*cp++ - '0');
+
+ while (isspace((unsigned char)*cp))
+ cp++;
+
+ if (!(isdigit((unsigned char)*cp)))
+ goto fndhemi;
+
+ while (isdigit((unsigned char)*cp))
+ secs = secs * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* decimal seconds */
+ cp++;
+ if (isdigit((unsigned char)*cp)) {
+ secsfrac = (*cp++ - '0') * 100;
+ if (isdigit((unsigned char)*cp)) {
+ secsfrac += (*cp++ - '0') * 10;
+ if (isdigit((unsigned char)*cp)) {
+ secsfrac += (*cp++ - '0');
+ }
+ }
+ }
+ }
+
+ while (!isspace((unsigned char)*cp)) /* if any trailing garbage */
+ cp++;
+
+ while (isspace((unsigned char)*cp))
+ cp++;
+
+ fndhemi:
+ switch (*cp) {
+ case 'N': case 'n':
+ case 'E': case 'e':
+ retval = ((unsigned)1<<31)
+ + (((((deg * 60) + min) * 60) + secs) * 1000)
+ + secsfrac;
+ break;
+ case 'S': case 's':
+ case 'W': case 'w':
+ retval = ((unsigned)1<<31)
+ - (((((deg * 60) + min) * 60) + secs) * 1000)
+ - secsfrac;
+ break;
+ default:
+ retval = 0; /* invalid value -- indicates error */
+ break;
+ }
+
+ switch (*cp) {
+ case 'N': case 'n':
+ case 'S': case 's':
+ *which = 1; /* latitude */
+ break;
+ case 'E': case 'e':
+ case 'W': case 'w':
+ *which = 2; /* longitude */
+ break;
+ default:
+ *which = 0; /* error */
+ break;
+ }
+
+ cp++; /* skip the hemisphere */
+
+ while (!isspace((unsigned char)*cp)) /* if any trailing garbage */
+ cp++;
+
+ while (isspace((unsigned char)*cp)) /* move to next field */
+ cp++;
+
+ *latlonstrptr = cp;
+
+ return (retval);
+}
+
+/* converts a zone file representation in a string to an RDATA on-the-wire
+ * representation. */
+int
+loc_aton(ascii, binary)
+ const char *ascii;
+ u_char *binary;
+{
+ const char *cp, *maxcp;
+ u_char *bcp;
+
+ u_int32_t latit = 0, longit = 0, alt = 0;
+ u_int32_t lltemp1 = 0, lltemp2 = 0;
+ int altmeters = 0, altfrac = 0, altsign = 1;
+ u_int8_t hp = 0x16; /* default = 1e6 cm = 10000.00m = 10km */
+ u_int8_t vp = 0x13; /* default = 1e3 cm = 10.00m */
+ u_int8_t siz = 0x12; /* default = 1e2 cm = 1.00m */
+ int which1 = 0, which2 = 0;
+
+ cp = ascii;
+ maxcp = cp + strlen(ascii);
+
+ lltemp1 = latlon2ul(&cp, &which1);
+
+ lltemp2 = latlon2ul(&cp, &which2);
+
+ switch (which1 + which2) {
+ case 3: /* 1 + 2, the only valid combination */
+ if ((which1 == 1) && (which2 == 2)) { /* normal case */
+ latit = lltemp1;
+ longit = lltemp2;
+ } else if ((which1 == 2) && (which2 == 1)) { /* reversed */
+ longit = lltemp1;
+ latit = lltemp2;
+ } else { /* some kind of brokenness */
+ return (0);
+ }
+ break;
+ default: /* we didn't get one of each */
+ return (0);
+ }
+
+ /* altitude */
+ if (*cp == '-') {
+ altsign = -1;
+ cp++;
+ }
+
+ if (*cp == '+')
+ cp++;
+
+ while (isdigit((unsigned char)*cp))
+ altmeters = altmeters * 10 + (*cp++ - '0');
+
+ if (*cp == '.') { /* decimal meters */
+ cp++;
+ if (isdigit((unsigned char)*cp)) {
+ altfrac = (*cp++ - '0') * 10;
+ if (isdigit((unsigned char)*cp)) {
+ altfrac += (*cp++ - '0');
+ }
+ }
+ }
+
+ alt = (10000000 + (altsign * (altmeters * 100 + altfrac)));
+
+ while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
+ cp++;
+
+ while (isspace((unsigned char)*cp) && (cp < maxcp))
+ cp++;
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ siz = precsize_aton(&cp);
+
+ while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
+ cp++;
+
+ while (isspace((unsigned char)*cp) && (cp < maxcp))
+ cp++;
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ hp = precsize_aton(&cp);
+
+ while (!isspace((unsigned char)*cp) && (cp < maxcp)) /* if trailing garbage or m */
+ cp++;
+
+ while (isspace((unsigned char)*cp) && (cp < maxcp))
+ cp++;
+
+ if (cp >= maxcp)
+ goto defaults;
+
+ vp = precsize_aton(&cp);
+
+ defaults:
+
+ bcp = binary;
+ *bcp++ = (u_int8_t) 0; /* version byte */
+ *bcp++ = siz;
+ *bcp++ = hp;
+ *bcp++ = vp;
+ PUTLONG(latit,bcp);
+ PUTLONG(longit,bcp);
+ PUTLONG(alt,bcp);
+
+ return (16); /* size of RR in octets */
+}
+
+/* takes an on-the-wire LOC RR and formats it in a human readable format. */
+const char *
+loc_ntoa(binary, ascii)
+ const u_char *binary;
+ char *ascii;
+{
+ static const char *error = "?";
+ static char tmpbuf[sizeof
+"1000 60 60.000 N 1000 60 60.000 W -12345678.00m 90000000.00m 90000000.00m 90000000.00m"];
+ const u_char *cp = binary;
+
+ int latdeg, latmin, latsec, latsecfrac;
+ int longdeg, longmin, longsec, longsecfrac;
+ char northsouth, eastwest;
+ const char *altsign;
+ int altmeters, altfrac;
+
+ const u_int32_t referencealt = 100000 * 100;
+
+ int32_t latval, longval, altval;
+ u_int32_t templ;
+ u_int8_t sizeval, hpval, vpval, versionval;
+
+ char *sizestr, *hpstr, *vpstr;
+
+ versionval = *cp++;
+
+ if (ascii == NULL)
+ ascii = tmpbuf;
+
+ if (versionval) {
+ (void) sprintf(ascii, "; error: unknown LOC RR version");
+ return (ascii);
+ }
+
+ sizeval = *cp++;
+
+ hpval = *cp++;
+ vpval = *cp++;
+
+ GETLONG(templ, cp);
+ latval = (templ - ((unsigned)1<<31));
+
+ GETLONG(templ, cp);
+ longval = (templ - ((unsigned)1<<31));
+
+ GETLONG(templ, cp);
+ if (templ < referencealt) { /* below WGS 84 spheroid */
+ altval = referencealt - templ;
+ altsign = "-";
+ } else {
+ altval = templ - referencealt;
+ altsign = "";
+ }
+
+ if (latval < 0) {
+ northsouth = 'S';
+ latval = -latval;
+ } else
+ northsouth = 'N';
+
+ latsecfrac = latval % 1000;
+ latval = latval / 1000;
+ latsec = latval % 60;
+ latval = latval / 60;
+ latmin = latval % 60;
+ latval = latval / 60;
+ latdeg = latval;
+
+ if (longval < 0) {
+ eastwest = 'W';
+ longval = -longval;
+ } else
+ eastwest = 'E';
+
+ longsecfrac = longval % 1000;
+ longval = longval / 1000;
+ longsec = longval % 60;
+ longval = longval / 60;
+ longmin = longval % 60;
+ longval = longval / 60;
+ longdeg = longval;
+
+ altfrac = altval % 100;
+ altmeters = (altval / 100);
+
+ sizestr = strdup(precsize_ntoa(sizeval));
+ hpstr = strdup(precsize_ntoa(hpval));
+ vpstr = strdup(precsize_ntoa(vpval));
+
+ sprintf(ascii,
+ "%d %.2d %.2d.%.3d %c %d %.2d %.2d.%.3d %c %s%d.%.2dm %sm %sm %sm",
+ latdeg, latmin, latsec, latsecfrac, northsouth,
+ longdeg, longmin, longsec, longsecfrac, eastwest,
+ altsign, altmeters, altfrac,
+ (sizestr != NULL) ? sizestr : error,
+ (hpstr != NULL) ? hpstr : error,
+ (vpstr != NULL) ? vpstr : error);
+
+ if (sizestr != NULL)
+ free(sizestr);
+ if (hpstr != NULL)
+ free(hpstr);
+ if (vpstr != NULL)
+ free(vpstr);
+
+ return (ascii);
+}
+
+
+/* Return the number of DNS hierarchy levels in the name. */
+int
+dn_count_labels(const char *name) {
+ int i, len, count;
+
+ len = strlen(name);
+ for (i = 0, count = 0; i < len; i++) {
+ /* XXX need to check for \. or use named's nlabels(). */
+ if (name[i] == '.')
+ count++;
+ }
+
+ /* don't count initial wildcard */
+ if (name[0] == '*')
+ if (count)
+ count--;
+
+ /* don't count the null label for root. */
+ /* if terminating '.' not found, must adjust */
+ /* count to include last label */
+ if (len > 0 && name[len-1] != '.')
+ count++;
+ return (count);
+}
+
+
+/*
+ * Make dates expressed in seconds-since-Jan-1-1970 easy to read.
+ * SIG records are required to be printed like this, by the Secure DNS RFC.
+ */
+char *
+p_secstodate (u_long secs) {
+ /* XXX nonreentrant */
+ static char output[15]; /* YYYYMMDDHHMMSS and null */
+ time_t clock = secs;
+ struct tm *time;
+#ifdef HAVE_TIME_R
+ struct tm res;
+
+ time = gmtime_r(&clock, &res);
+#else
+ time = gmtime(&clock);
+#endif
+ time->tm_year += 1900;
+ time->tm_mon += 1;
+ sprintf(output, "%04d%02d%02d%02d%02d%02d",
+ time->tm_year, time->tm_mon, time->tm_mday,
+ time->tm_hour, time->tm_min, time->tm_sec);
+ return (output);
+}
+
+u_int16_t
+res_nametoclass(const char *buf, int *successp) {
+ unsigned long result;
+ char *endptr;
+ int success;
+
+ result = sym_ston(__p_class_syms, buf, &success);
+ if (success)
+ goto done;
+
+ if (strncasecmp(buf, "CLASS", 5) != 0 ||
+ !isdigit((unsigned char)buf[5]))
+ goto done;
+ errno = 0;
+ result = strtoul(buf + 5, &endptr, 10);
+ if (errno == 0 && *endptr == '\0' && result <= 0xffffU)
+ success = 1;
+ done:
+ if (successp)
+ *successp = success;
+ return (result);
+}
+
+u_int16_t
+res_nametotype(const char *buf, int *successp) {
+ unsigned long result;
+ char *endptr;
+ int success;
+
+ result = sym_ston(__p_type_syms, buf, &success);
+ if (success)
+ goto done;
+
+ if (strncasecmp(buf, "type", 4) != 0 ||
+ !isdigit((unsigned char)buf[4]))
+ goto done;
+ errno = 0;
+ result = strtoul(buf + 4, &endptr, 10);
+ if (errno == 0 && *endptr == '\0' && result <= 0xffffU)
+ success = 1;
+ done:
+ if (successp)
+ *successp = success;
+ return (result);
+}
diff --git a/contrib/bind9/lib/bind/resolv/res_debug.h b/contrib/bind9/lib/bind/resolv/res_debug.h
new file mode 100644
index 0000000..2a9c0ae
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_debug.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _RES_DEBUG_H_
+#define _RES_DEBUG_H_
+
+#ifndef DEBUG
+# define Dprint(cond, args) /*empty*/
+# define DprintQ(cond, args, query, size) /*empty*/
+# define Aerror(statp, file, string, error, address) /*empty*/
+# define Perror(statp, file, string, error) /*empty*/
+#else
+# define Dprint(cond, args) if (cond) {fprintf args;} else {}
+# define DprintQ(cond, args, query, size) if (cond) {\
+ fprintf args;\
+ res_pquery(statp, query, size, stdout);\
+ } else {}
+#endif
+
+#endif /* _RES_DEBUG_H_ */
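Review bot: `DprintQ` expands to `res_pquery(statp, query, size, stdout)`, so it only compiles where a variable named `statp` is in scope at the call site, and nothing in the header says so. A comment above the macro such as `/* DprintQ uses the caller's local res_state statp. */` would document that dependency. The `#else` (DEBUG) branch also defines only `Dprint` and `DprintQ`, while the non-DEBUG branch stubs out `Aerror` and `Perror` as well. Whether an including file supplies those two in DEBUG builds cannot be seen from this hunk; if one does, the header should say where they come from.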
diff --git a/contrib/bind9/lib/bind/resolv/res_findzonecut.c b/contrib/bind9/lib/bind/resolv/res_findzonecut.c
new file mode 100644
index 0000000..d462228
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_findzonecut.c
@@ -0,0 +1,722 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_findzonecut.c,v 1.2.2.3.4.2 2004/03/16 12:34:18 marka Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Import. */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/list.h>
+
+#include "port_after.h"
+
+#include <resolv.h>
+
+/* Data structures. */
+
+typedef struct rr_a {
+ LINK(struct rr_a) link;
+ union res_sockaddr_union addr;
+} rr_a;
+typedef LIST(rr_a) rrset_a;
+
+typedef struct rr_ns {
+ LINK(struct rr_ns) link;
+ const char * name;
+ unsigned int flags;
+ rrset_a addrs;
+} rr_ns;
+typedef LIST(rr_ns) rrset_ns;
+
+#define RR_NS_HAVE_V4 0x01
+#define RR_NS_HAVE_V6 0x02
+
+/* Forward. */
+
+static int satisfy(res_state, const char *, rrset_ns *,
+ union res_sockaddr_union *, int);
+static int add_addrs(res_state, rr_ns *,
+ union res_sockaddr_union *, int);
+static int get_soa(res_state, const char *, ns_class, int,
+ char *, size_t, char *, size_t,
+ rrset_ns *);
+static int get_ns(res_state, const char *, ns_class, int, rrset_ns *);
+static int get_glue(res_state, ns_class, int, rrset_ns *);
+static int save_ns(res_state, ns_msg *, ns_sect,
+ const char *, ns_class, int, rrset_ns *);
+static int save_a(res_state, ns_msg *, ns_sect,
+ const char *, ns_class, int, rr_ns *);
+static void free_nsrrset(rrset_ns *);
+static void free_nsrr(rrset_ns *, rr_ns *);
+static rr_ns * find_ns(rrset_ns *, const char *);
+static int do_query(res_state, const char *, ns_class, ns_type,
+ u_char *, ns_msg *);
+static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);
+
+/* Macros. */
+
+#define DPRINTF(x) do {\
+ int save_errno = errno; \
+ if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
+ errno = save_errno; \
+ } while (0)
+
+/* Public. */
+
+/*
+ * int
+ * res_findzonecut(res, dname, class, zname, zsize, addrs, naddrs)
+ * find enclosing zone for a <dname,class>, and some server addresses
+ * parameters:
+ * res - resolver context to work within (is modified)
+ * dname - domain name whose enclosing zone is desired
+ * class - class of dname (and its enclosing zone)
+ * zname - found zone name
+ * zsize - allocated size of zname
+ * addrs - found server addresses
+ * naddrs - max number of addrs
+ * return values:
+ * < 0 - an error occurred (check errno)
+ * = 0 - zname is now valid, but addrs[] wasn't changed
+ * > 0 - zname is now valid, and return value is number of addrs[] found
+ * notes:
+ * this function calls res_nsend() which means it depends on correctly
+ * functioning recursive nameservers (usually defined in /etc/resolv.conf
+ * or its local equivilent).
+ *
+ * we start by asking for an SOA<dname,class>. if we get one as an
+ * answer, that just means <dname,class> is a zone top, which is fine.
+ * more than likely we'll be told to go pound sand, in the form of a
+ * negative answer.
+ *
+ * note that we are not prepared to deal with referrals since that would
+ * only come from authority servers and our correctly functioning local
+ * recursive server would have followed the referral and got us something
+ * more definite.
+ *
+ * if the authority section contains an SOA, this SOA should also be the
+ * closest enclosing zone, since any intermediary zone cuts would've been
+ * returned as referrals and dealt with by our correctly functioning local
+ * recursive name server. but an SOA in the authority section should NOT
+ * match our dname (since that would have been returned in the answer
+ * section). an authority section SOA has to be "above" our dname.
+ *
+ * however, since authority section SOA's were once optional, it's
+ * possible that we'll have to go hunting for the enclosing SOA by
+ * ripping labels off the front of our dname -- this is known as "doing
+ * it the hard way."
+ *
+ * ultimately we want some server addresses, which are ideally the ones
+ * pertaining to the SOA.MNAME, but only if there is a matching NS RR.
+ * so the second phase (after we find an SOA) is to go looking for the
+ * NS RRset for that SOA's zone.
+ *
+ * no answer section processed by this code is allowed to contain CNAME
+ * or DNAME RR's. for the SOA query this means we strip a label and
+ * keep going. for the NS and A queries this means we just give up.
+ */
+
+int
+res_findzonecut(res_state statp, const char *dname, ns_class class, int opts,
+ char *zname, size_t zsize, struct in_addr *addrs, int naddrs)
+{
+ int result, i;
+ union res_sockaddr_union *u;
+
+
+ opts |= RES_IPV4ONLY;
+ opts &= ~RES_IPV6ONLY;
+
+ u = calloc(naddrs, sizeof(*u));
+ if (u == NULL)
+ return(-1);
+
+ result = res_findzonecut2(statp, dname, class, opts, zname, zsize,
+ u, naddrs);
+
+ for (i = 0; i < result; i++) {
+ addrs[i] = u[i].sin.sin_addr;
+ }
+ free(u);
+ return (result);
+}
+
+int
+res_findzonecut2(res_state statp, const char *dname, ns_class class, int opts,
+ char *zname, size_t zsize, union res_sockaddr_union *addrs,
+ int naddrs)
+{
+ char mname[NS_MAXDNAME];
+ u_long save_pfcode;
+ rrset_ns nsrrs;
+ int n;
+
+ DPRINTF(("START dname='%s' class=%s, zsize=%ld, naddrs=%d",
+ dname, p_class(class), (long)zsize, naddrs));
+ save_pfcode = statp->pfcode;
+ statp->pfcode |= RES_PRF_HEAD2 | RES_PRF_HEAD1 | RES_PRF_HEADX |
+ RES_PRF_QUES | RES_PRF_ANS |
+ RES_PRF_AUTH | RES_PRF_ADD;
+ INIT_LIST(nsrrs);
+
+ DPRINTF(("get the soa, and see if it has enough glue"));
+ if ((n = get_soa(statp, dname, class, opts, zname, zsize,
+ mname, sizeof mname, &nsrrs)) < 0 ||
+ ((opts & RES_EXHAUSTIVE) == 0 &&
+ (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
+ goto done;
+
+ DPRINTF(("get the ns rrset and see if it has enough glue"));
+ if ((n = get_ns(statp, zname, class, opts, &nsrrs)) < 0 ||
+ ((opts & RES_EXHAUSTIVE) == 0 &&
+ (n = satisfy(statp, mname, &nsrrs, addrs, naddrs)) > 0))
+ goto done;
+
+ DPRINTF(("get the missing glue and see if it's finally enough"));
+ if ((n = get_glue(statp, class, opts, &nsrrs)) >= 0)
+ n = satisfy(statp, mname, &nsrrs, addrs, naddrs);
+
+ done:
+ DPRINTF(("FINISH n=%d (%s)", n, (n < 0) ? strerror(errno) : "OK"));
+ free_nsrrset(&nsrrs);
+ statp->pfcode = save_pfcode;
+ return (n);
+}
+
+/* Private. */
+
+static int
+satisfy(res_state statp, const char *mname, rrset_ns *nsrrsp,
+ union res_sockaddr_union *addrs, int naddrs)
+{
+ rr_ns *nsrr;
+ int n, x;
+
+ n = 0;
+ nsrr = find_ns(nsrrsp, mname);
+ if (nsrr != NULL) {
+ x = add_addrs(statp, nsrr, addrs, naddrs);
+ addrs += x;
+ naddrs -= x;
+ n += x;
+ }
+ for (nsrr = HEAD(*nsrrsp);
+ nsrr != NULL && naddrs > 0;
+ nsrr = NEXT(nsrr, link))
+ if (ns_samename(nsrr->name, mname) != 1) {
+ x = add_addrs(statp, nsrr, addrs, naddrs);
+ addrs += x;
+ naddrs -= x;
+ n += x;
+ }
+ DPRINTF(("satisfy(%s): %d", mname, n));
+ return (n);
+}
+
+static int
+add_addrs(res_state statp, rr_ns *nsrr,
+ union res_sockaddr_union *addrs, int naddrs)
+{
+ rr_a *arr;
+ int n = 0;
+
+ for (arr = HEAD(nsrr->addrs); arr != NULL; arr = NEXT(arr, link)) {
+ if (naddrs <= 0)
+ return (0);
+ *addrs++ = arr->addr;
+ naddrs--;
+ n++;
+ }
+ DPRINTF(("add_addrs: %d", n));
+ return (n);
+}
+
+static int
+get_soa(res_state statp, const char *dname, ns_class class, int opts,
+ char *zname, size_t zsize, char *mname, size_t msize,
+ rrset_ns *nsrrsp)
+{
+ char tname[NS_MAXDNAME];
+ u_char *resp = NULL;
+ int n, i, ancount, nscount;
+ ns_sect sect;
+ ns_msg msg;
+ u_int rcode;
+
+ /*
+ * Find closest enclosing SOA, even if it's for the root zone.
+ */
+
+ /* First canonicalize dname (exactly one unescaped trailing "."). */
+ if (ns_makecanon(dname, tname, sizeof tname) < 0)
+ goto cleanup;
+ dname = tname;
+
+ resp = malloc(NS_MAXMSG);
+ if (resp == NULL)
+ goto cleanup;
+
+ /* Now grovel the subdomains, hunting for an SOA answer or auth. */
+ for (;;) {
+ /* Leading or inter-label '.' are skipped here. */
+ while (*dname == '.')
+ dname++;
+
+ /* Is there an SOA? */
+ n = do_query(statp, dname, class, ns_t_soa, resp, &msg);
+ if (n < 0) {
+ DPRINTF(("get_soa: do_query('%s', %s) failed (%d)",
+ dname, p_class(class), n));
+ goto cleanup;
+ }
+ if (n > 0) {
+ DPRINTF(("get_soa: CNAME or DNAME found"));
+ sect = ns_s_max, n = 0;
+ } else {
+ rcode = ns_msg_getflag(msg, ns_f_rcode);
+ ancount = ns_msg_count(msg, ns_s_an);
+ nscount = ns_msg_count(msg, ns_s_ns);
+ if (ancount > 0 && rcode == ns_r_noerror)
+ sect = ns_s_an, n = ancount;
+ else if (nscount > 0)
+ sect = ns_s_ns, n = nscount;
+ else
+ sect = ns_s_max, n = 0;
+ }
+ for (i = 0; i < n; i++) {
+ const char *t;
+ const u_char *rdata;
+ int rdlen;
+ ns_rr rr;
+
+ if (ns_parserr(&msg, sect, i, &rr) < 0) {
+ DPRINTF(("get_soa: ns_parserr(%s, %d) failed",
+ p_section(sect, ns_o_query), i));
+ goto cleanup;
+ }
+ if (ns_rr_type(rr) == ns_t_cname ||
+ ns_rr_type(rr) == ns_t_dname)
+ break;
+ if (ns_rr_type(rr) != ns_t_soa ||
+ ns_rr_class(rr) != class)
+ continue;
+ t = ns_rr_name(rr);
+ switch (sect) {
+ case ns_s_an:
+ if (ns_samedomain(dname, t) == 0) {
+ DPRINTF(
+ ("get_soa: ns_samedomain('%s', '%s') == 0",
+ dname, t)
+ );
+ errno = EPROTOTYPE;
+ goto cleanup;
+ }
+ break;
+ case ns_s_ns:
+ if (ns_samename(dname, t) == 1 ||
+ ns_samedomain(dname, t) == 0) {
+ DPRINTF(
+ ("get_soa: ns_samename() || !ns_samedomain('%s', '%s')",
+ dname, t)
+ );
+ errno = EPROTOTYPE;
+ goto cleanup;
+ }
+ break;
+ default:
+ abort();
+ }
+ if (strlen(t) + 1 > zsize) {
+ DPRINTF(("get_soa: zname(%d) too small (%d)",
+ zsize, strlen(t) + 1));
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ strcpy(zname, t);
+ rdata = ns_rr_rdata(rr);
+ rdlen = ns_rr_rdlen(rr);
+ if (ns_name_uncompress(resp, ns_msg_end(msg), rdata,
+ mname, msize) < 0) {
+ DPRINTF(("get_soa: ns_name_uncompress failed")
+ );
+ goto cleanup;
+ }
+ if (save_ns(statp, &msg, ns_s_ns,
+ zname, class, opts, nsrrsp) < 0) {
+ DPRINTF(("get_soa: save_ns failed"));
+ goto cleanup;
+ }
+ free(resp);
+ return (0);
+ }
+
+ /* If we're out of labels, then not even "." has an SOA! */
+ if (*dname == '\0')
+ break;
+
+ /* Find label-terminating "."; top of loop will skip it. */
+ while (*dname != '.') {
+ if (*dname == '\\')
+ if (*++dname == '\0') {
+ errno = EMSGSIZE;
+ goto cleanup;
+ }
+ dname++;
+ }
+ }
+ DPRINTF(("get_soa: out of labels"));
+ errno = EDESTADDRREQ;
+ cleanup:
+ if (resp != NULL)
+ free(resp);
+ return (-1);
+}
+
+static int
+get_ns(res_state statp, const char *zname, ns_class class, int opts,
+ rrset_ns *nsrrsp)
+{
+ u_char *resp;
+ ns_msg msg;
+ int n;
+
+ resp = malloc(NS_MAXMSG);
+ if (resp == NULL)
+ return (-1);
+
+ /* Go and get the NS RRs for this zone. */
+ n = do_query(statp, zname, class, ns_t_ns, resp, &msg);
+ if (n != 0) {
+ DPRINTF(("get_ns: do_query('%s', %s) failed (%d)",
+ zname, p_class(class), n));
+ free(resp);
+ return (-1);
+ }
+
+ /* Remember the NS RRs and associated A RRs that came back. */
+ if (save_ns(statp, &msg, ns_s_an, zname, class, opts, nsrrsp) < 0) {
+ DPRINTF(("get_ns save_ns('%s', %s) failed",
+ zname, p_class(class)));
+ free(resp);
+ return (-1);
+ }
+
+ free(resp);
+ return (0);
+}
+
+static int
+get_glue(res_state statp, ns_class class, int opts, rrset_ns *nsrrsp) {
+ rr_ns *nsrr, *nsrr_n;
+ u_char *resp;
+
+ resp = malloc(NS_MAXMSG);
+ if (resp == NULL)
+ return(-1);
+
+ /* Go and get the A RRs for each empty NS RR on our list. */
+ for (nsrr = HEAD(*nsrrsp); nsrr != NULL; nsrr = nsrr_n) {
+ ns_msg msg;
+ int n;
+
+ nsrr_n = NEXT(nsrr, link);
+
+ if ((nsrr->flags & RR_NS_HAVE_V4) == 0) {
+ n = do_query(statp, nsrr->name, class, ns_t_a,
+ resp, &msg);
+ if (n < 0) {
+ DPRINTF(
+ ("get_glue: do_query('%s', %s') failed",
+ nsrr->name, p_class(class)));
+ goto cleanup;
+ }
+ if (n > 0) {
+ DPRINTF((
+ "get_glue: do_query('%s', %s') CNAME or DNAME found",
+ nsrr->name, p_class(class)));
+ }
+ if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
+ opts, nsrr) < 0) {
+ DPRINTF(("get_glue: save_r('%s', %s) failed",
+ nsrr->name, p_class(class)));
+ goto cleanup;
+ }
+ }
+
+ if ((nsrr->flags & RR_NS_HAVE_V6) == 0) {
+ n = do_query(statp, nsrr->name, class, ns_t_aaaa,
+ resp, &msg);
+ if (n < 0) {
+ DPRINTF(
+ ("get_glue: do_query('%s', %s') failed",
+ nsrr->name, p_class(class)));
+ goto cleanup;
+ }
+ if (n > 0) {
+ DPRINTF((
+ "get_glue: do_query('%s', %s') CNAME or DNAME found",
+ nsrr->name, p_class(class)));
+ }
+ if (save_a(statp, &msg, ns_s_an, nsrr->name, class,
+ opts, nsrr) < 0) {
+ DPRINTF(("get_glue: save_r('%s', %s) failed",
+ nsrr->name, p_class(class)));
+ goto cleanup;
+ }
+ }
+
+ /* If it's still empty, it's just chaff. */
+ if (EMPTY(nsrr->addrs)) {
+ DPRINTF(("get_glue: removing empty '%s' NS",
+ nsrr->name));
+ free_nsrr(nsrrsp, nsrr);
+ }
+ }
+ free(resp);
+ return (0);
+
+ cleanup:
+ free(resp);
+ return (-1);
+}
+
+static int
+save_ns(res_state statp, ns_msg *msg, ns_sect sect,
+ const char *owner, ns_class class, int opts,
+ rrset_ns *nsrrsp)
+{
+ int i;
+
+ for (i = 0; i < ns_msg_count(*msg, sect); i++) {
+ char tname[MAXDNAME];
+ const u_char *rdata;
+ rr_ns *nsrr;
+ ns_rr rr;
+ int rdlen;
+
+ if (ns_parserr(msg, sect, i, &rr) < 0) {
+ DPRINTF(("save_ns: ns_parserr(%s, %d) failed",
+ p_section(sect, ns_o_query), i));
+ return (-1);
+ }
+ if (ns_rr_type(rr) != ns_t_ns ||
+ ns_rr_class(rr) != class ||
+ ns_samename(ns_rr_name(rr), owner) != 1)
+ continue;
+ nsrr = find_ns(nsrrsp, ns_rr_name(rr));
+ if (nsrr == NULL) {
+ nsrr = malloc(sizeof *nsrr);
+ if (nsrr == NULL) {
+ DPRINTF(("save_ns: malloc failed"));
+ return (-1);
+ }
+ rdata = ns_rr_rdata(rr);
+ rdlen = ns_rr_rdlen(rr);
+ if (ns_name_uncompress(ns_msg_base(*msg),
+ ns_msg_end(*msg), rdata,
+ tname, sizeof tname) < 0) {
+ DPRINTF(("save_ns: ns_name_uncompress failed")
+ );
+ free(nsrr);
+ return (-1);
+ }
+ nsrr->name = strdup(tname);
+ if (nsrr->name == NULL) {
+ DPRINTF(("save_ns: strdup failed"));
+ free(nsrr);
+ return (-1);
+ }
+ INIT_LINK(nsrr, link);
+ INIT_LIST(nsrr->addrs);
+ nsrr->flags = 0;
+ APPEND(*nsrrsp, nsrr, link);
+ }
+ if (save_a(statp, msg, ns_s_ar,
+ nsrr->name, class, opts, nsrr) < 0) {
+ DPRINTF(("save_ns: save_r('%s', %s) failed",
+ nsrr->name, p_class(class)));
+ return (-1);
+ }
+ }
+ return (0);
+}
+
+static int
+save_a(res_state statp, ns_msg *msg, ns_sect sect,
+ const char *owner, ns_class class, int opts,
+ rr_ns *nsrr)
+{
+ int i;
+
+ for (i = 0; i < ns_msg_count(*msg, sect); i++) {
+ ns_rr rr;
+ rr_a *arr;
+
+ if (ns_parserr(msg, sect, i, &rr) < 0) {
+ DPRINTF(("save_a: ns_parserr(%s, %d) failed",
+ p_section(sect, ns_o_query), i));
+ return (-1);
+ }
+ if ((ns_rr_type(rr) != ns_t_a &&
+ ns_rr_type(rr) != ns_t_aaaa) ||
+ ns_rr_class(rr) != class ||
+ ns_samename(ns_rr_name(rr), owner) != 1 ||
+ ns_rr_rdlen(rr) != NS_INADDRSZ)
+ continue;
+ if ((opts & RES_IPV6ONLY) != 0 && ns_rr_type(rr) != ns_t_aaaa)
+ continue;
+ if ((opts & RES_IPV4ONLY) != 0 && ns_rr_type(rr) != ns_t_a)
+ continue;
+ arr = malloc(sizeof *arr);
+ if (arr == NULL) {
+ DPRINTF(("save_a: malloc failed"));
+ return (-1);
+ }
+ INIT_LINK(arr, link);
+ memset(&arr->addr, 0, sizeof(arr->addr));
+ switch (ns_rr_type(rr)) {
+ case ns_t_a:
+ arr->addr.sin.sin_family = AF_INET;
+#ifdef HAVE_SA_LEN
+ arr->addr.sin.sin_len = sizeof(arr->addr.sin);
+#endif
+ memcpy(&arr->addr.sin.sin_addr, ns_rr_rdata(rr),
+ NS_INADDRSZ);
+ arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
+ nsrr->flags |= RR_NS_HAVE_V4;
+ break;
+ case ns_t_aaaa:
+ arr->addr.sin6.sin6_family = AF_INET6;
+#ifdef HAVE_SA_LEN
+ arr->addr.sin6.sin6_len = sizeof(arr->addr.sin6);
+#endif
+ memcpy(&arr->addr.sin6.sin6_addr, ns_rr_rdata(rr), 16);
+ arr->addr.sin.sin_port = htons(NAMESERVER_PORT);
+ nsrr->flags |= RR_NS_HAVE_V6;
+ break;
+ default:
+ abort();
+ }
+ APPEND(nsrr->addrs, arr, link);
+ }
+ return (0);
+}
+
+static void
+free_nsrrset(rrset_ns *nsrrsp) {
+ rr_ns *nsrr;
+
+ while ((nsrr = HEAD(*nsrrsp)) != NULL)
+ free_nsrr(nsrrsp, nsrr);
+}
+
+static void
+free_nsrr(rrset_ns *nsrrsp, rr_ns *nsrr) {
+ rr_a *arr;
+ char *tmp;
+
+ while ((arr = HEAD(nsrr->addrs)) != NULL) {
+ UNLINK(nsrr->addrs, arr, link);
+ free(arr);
+ }
+ DE_CONST(nsrr->name, tmp);
+ free(tmp);
+ UNLINK(*nsrrsp, nsrr, link);
+ free(nsrr);
+}
+
+static rr_ns *
+find_ns(rrset_ns *nsrrsp, const char *dname) {
+ rr_ns *nsrr;
+
+ for (nsrr = HEAD(*nsrrsp); nsrr != NULL; nsrr = NEXT(nsrr, link))
+ if (ns_samename(nsrr->name, dname) == 1)
+ return (nsrr);
+ return (NULL);
+}
+
+static int
+do_query(res_state statp, const char *dname, ns_class class, ns_type qtype,
+ u_char *resp, ns_msg *msg)
+{
+ u_char req[NS_PACKETSZ];
+ int i, n;
+
+ n = res_nmkquery(statp, ns_o_query, dname, class, qtype,
+ NULL, 0, NULL, req, NS_PACKETSZ);
+ if (n < 0) {
+ DPRINTF(("do_query: res_nmkquery failed"));
+ return (-1);
+ }
+ n = res_nsend(statp, req, n, resp, NS_MAXMSG);
+ if (n < 0) {
+ DPRINTF(("do_query: res_nsend failed"));
+ return (-1);
+ }
+ if (n == 0) {
+ DPRINTF(("do_query: res_nsend returned 0"));
+ errno = EMSGSIZE;
+ return (-1);
+ }
+ if (ns_initparse(resp, n, msg) < 0) {
+ DPRINTF(("do_query: ns_initparse failed"));
+ return (-1);
+ }
+ n = 0;
+ for (i = 0; i < ns_msg_count(*msg, ns_s_an); i++) {
+ ns_rr rr;
+
+ if (ns_parserr(msg, ns_s_an, i, &rr) < 0) {
+ DPRINTF(("do_query: ns_parserr failed"));
+ return (-1);
+ }
+ n += (ns_rr_class(rr) == class &&
+ (ns_rr_type(rr) == ns_t_cname ||
+ ns_rr_type(rr) == ns_t_dname));
+ }
+ return (n);
+}
+
+static void
+res_dprintf(const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ fputs(";; res_findzonecut: ", stderr);
+ vfprintf(stderr, fmt, ap);
+ fputc('\n', stderr);
+ va_end(ap);
+}
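Review bot: In `save_a`, the filter `ns_rr_rdlen(rr) != NS_INADDRSZ` is applied to both record types, so every AAAA record (16 bytes of rdata) is skipped and the `ns_t_aaaa` case with its 16-byte `memcpy` is never reached. As a result `RR_NS_HAVE_V6` is never set and `get_glue` issues an AAAA query for every name server. The length test should be per type, so each `memcpy` stays bounded by the rdata the response actually carries: replace that clause with `ns_rr_rdlen(rr) != (ns_rr_type(rr) == ns_t_a ? NS_INADDRSZ : NS_IN6ADDRSZ)`. The AAAA branch also stores the port through `addr.sin.sin_port` where `addr.sin6.sin6_port` is meant. Separately, `add_addrs` does `return (0)` once `naddrs` runs out, discarding the count of entries it has already written into `addrs`; `break` would let `satisfy` report them.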
diff --git a/contrib/bind9/lib/bind/resolv/res_init.c b/contrib/bind9/lib/bind/resolv/res_init.c
new file mode 100644
index 0000000..241f5f7
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_init.c
@@ -0,0 +1,740 @@
+/*
+ * Copyright (c) 1985, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_init.c 8.1 (Berkeley) 6/7/93";
+static const char rcsid[] = "$Id: res_init.c,v 1.9.2.5.4.2 2004/03/16 12:34:18 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+
+#include "port_after.h"
+
+/* ensure that sockaddr_in6 and IN6ADDR_ANY_INIT are declared / defined */
+#include <resolv.h>
+
+#include "res_private.h"
+
+/* Options. Should all be left alone. */
+#define RESOLVSORT
+#define DEBUG
+
+static void res_setoptions __P((res_state, const char *, const char *));
+
+#ifdef RESOLVSORT
+static const char sort_mask[] = "/&";
+#define ISSORTMASK(ch) (strchr(sort_mask, ch) != NULL)
+static u_int32_t net_mask __P((struct in_addr));
+#endif
+
+#if !defined(isascii) /* XXX - could be a function */
+# define isascii(c) (!(c & 0200))
+#endif
+
+/*
+ * Resolver state default settings.
+ */
+
+/*
+ * Set up default settings. If the configuration file exist, the values
+ * there will have precedence. Otherwise, the server address is set to
+ * INADDR_ANY and the default domain name comes from the gethostname().
+ *
+ * An interrim version of this code (BIND 4.9, pre-4.4BSD) used 127.0.0.1
+ * rather than INADDR_ANY ("0.0.0.0") as the default name server address
+ * since it was noted that INADDR_ANY actually meant ``the first interface
+ * you "ifconfig"'d at boot time'' and if this was a SLIP or PPP interface,
+ * it had to be "up" in order for you to reach your own name server. It
+ * was later decided that since the recommended practice is to always
+ * install local static routes through 127.0.0.1 for all your network
+ * interfaces, that we could solve this problem without a code change.
+ *
+ * The configuration file should always be used, since it is the only way
+ * to specify a default domain. If you are running a server on your local
+ * machine, you should say "nameserver 0.0.0.0" or "nameserver 127.0.0.1"
+ * in the configuration file.
+ *
+ * Return 0 if completes successfully, -1 on error
+ */
+int
+res_ninit(res_state statp) {
+ extern int __res_vinit(res_state, int);
+
+ return (__res_vinit(statp, 0));
+}
+
+/* This function has to be reachable by res_data.c but not publically. */
+int
+__res_vinit(res_state statp, int preinit) {
+ register FILE *fp;
+ register char *cp, **pp;
+ register int n;
+ char buf[BUFSIZ];
+ int nserv = 0; /* number of nameserver records read from file */
+ int haveenv = 0;
+ int havesearch = 0;
+#ifdef RESOLVSORT
+ int nsort = 0;
+ char *net;
+#endif
+ int dots;
+ union res_sockaddr_union u[2];
+
+ if (!preinit) {
+ statp->retrans = RES_TIMEOUT;
+ statp->retry = RES_DFLRETRY;
+ statp->options = RES_DEFAULT;
+ statp->id = res_randomid();
+ }
+
+ if ((statp->options & RES_INIT) != 0U)
+ res_ndestroy(statp);
+
+ memset(u, 0, sizeof(u));
+#ifdef USELOOPBACK
+ u[nserv].sin.sin_addr = inet_makeaddr(IN_LOOPBACKNET, 1);
+#else
+ u[nserv].sin.sin_addr.s_addr = INADDR_ANY;
+#endif
+ u[nserv].sin.sin_family = AF_INET;
+ u[nserv].sin.sin_port = htons(NAMESERVER_PORT);
+#ifdef HAVE_SA_LEN
+ u[nserv].sin.sin_len = sizeof(struct sockaddr_in);
+#endif
+ nserv++;
+#ifdef HAS_INET6_STRUCTS
+#ifdef USELOOPBACK
+ u[nserv].sin6.sin6_addr = in6addr_loopback;
+#else
+ u[nserv].sin6.sin6_addr = in6addr_any;
+#endif
+ u[nserv].sin6.sin6_family = AF_INET6;
+ u[nserv].sin6.sin6_port = htons(NAMESERVER_PORT);
+#ifdef HAVE_SA_LEN
+ u[nserv].sin6.sin6_len = sizeof(struct sockaddr_in6);
+#endif
+ nserv++;
+#endif
+ statp->nscount = 0;
+ statp->ndots = 1;
+ statp->pfcode = 0;
+ statp->_vcsock = -1;
+ statp->_flags = 0;
+ statp->qhook = NULL;
+ statp->rhook = NULL;
+ statp->_u._ext.nscount = 0;
+ statp->_u._ext.ext = malloc(sizeof(*statp->_u._ext.ext));
+ if (statp->_u._ext.ext != NULL) {
+ memset(statp->_u._ext.ext, 0, sizeof(*statp->_u._ext.ext));
+ statp->_u._ext.ext->nsaddrs[0].sin = statp->nsaddr;
+ strcpy(statp->_u._ext.ext->nsuffix, "ip6.arpa");
+ strcpy(statp->_u._ext.ext->nsuffix2, "ip6.int");
+ }
+#ifdef RESOLVSORT
+ statp->nsort = 0;
+#endif
+ res_setservers(statp, u, nserv);
+
+ /* Allow user to override the local domain definition */
+ if ((cp = getenv("LOCALDOMAIN")) != NULL) {
+ (void)strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+ statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+ haveenv++;
+
+ /*
+ * Set search list to be blank-separated strings
+ * from rest of env value. Permits users of LOCALDOMAIN
+ * to still have a search list, and anyone to set the
+ * one that they want to use as an individual (even more
+ * important now that the rfc1535 stuff restricts searches)
+ */
+ cp = statp->defdname;
+ pp = statp->dnsrch;
+ *pp++ = cp;
+ for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
+ if (*cp == '\n') /* silly backwards compat */
+ break;
+ else if (*cp == ' ' || *cp == '\t') {
+ *cp = 0;
+ n = 1;
+ } else if (n) {
+ *pp++ = cp;
+ n = 0;
+ havesearch = 1;
+ }
+ }
+ /* null terminate last domain if there are excess */
+ while (*cp != '\0' && *cp != ' ' && *cp != '\t' && *cp != '\n')
+ cp++;
+ *cp = '\0';
+ *pp++ = 0;
+ }
+
+#define MATCH(line, name) \
+ (!strncmp(line, name, sizeof(name) - 1) && \
+ (line[sizeof(name) - 1] == ' ' || \
+ line[sizeof(name) - 1] == '\t'))
+
+ nserv = 0;
+ if ((fp = fopen(_PATH_RESCONF, "r")) != NULL) {
+ /* read the config file */
+ while (fgets(buf, sizeof(buf), fp) != NULL) {
+ /* skip comments */
+ if (*buf == ';' || *buf == '#')
+ continue;
+ /* read default domain name */
+ if (MATCH(buf, "domain")) {
+ if (haveenv) /* skip if have from environ */
+ continue;
+ cp = buf + sizeof("domain") - 1;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ if ((*cp == '\0') || (*cp == '\n'))
+ continue;
+ strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+ statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+ if ((cp = strpbrk(statp->defdname, " \t\n")) != NULL)
+ *cp = '\0';
+ havesearch = 0;
+ continue;
+ }
+ /* set search list */
+ if (MATCH(buf, "search")) {
+ if (haveenv) /* skip if have from environ */
+ continue;
+ cp = buf + sizeof("search") - 1;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ if ((*cp == '\0') || (*cp == '\n'))
+ continue;
+ strncpy(statp->defdname, cp, sizeof(statp->defdname) - 1);
+ statp->defdname[sizeof(statp->defdname) - 1] = '\0';
+ if ((cp = strchr(statp->defdname, '\n')) != NULL)
+ *cp = '\0';
+ /*
+ * Set search list to be blank-separated strings
+ * on rest of line.
+ */
+ cp = statp->defdname;
+ pp = statp->dnsrch;
+ *pp++ = cp;
+ for (n = 0; *cp && pp < statp->dnsrch + MAXDNSRCH; cp++) {
+ if (*cp == ' ' || *cp == '\t') {
+ *cp = 0;
+ n = 1;
+ } else if (n) {
+ *pp++ = cp;
+ n = 0;
+ }
+ }
+ /* null terminate last domain if there are excess */
+ while (*cp != '\0' && *cp != ' ' && *cp != '\t')
+ cp++;
+ *cp = '\0';
+ *pp++ = 0;
+ havesearch = 1;
+ continue;
+ }
+ /* read nameservers to query */
+ if (MATCH(buf, "nameserver") && nserv < MAXNS) {
+ struct addrinfo hints, *ai;
+ char sbuf[NI_MAXSERV];
+ const size_t minsiz =
+ sizeof(statp->_u._ext.ext->nsaddrs[0]);
+
+ cp = buf + sizeof("nameserver") - 1;
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ cp[strcspn(cp, ";# \t\n")] = '\0';
+ if ((*cp != '\0') && (*cp != '\n')) {
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = PF_UNSPEC;
+ hints.ai_socktype = SOCK_DGRAM; /*dummy*/
+ hints.ai_flags = AI_NUMERICHOST;
+ sprintf(sbuf, "%u", NAMESERVER_PORT);
+ if (getaddrinfo(cp, sbuf, &hints, &ai) == 0 &&
+ ai->ai_addrlen <= minsiz) {
+ if (statp->_u._ext.ext != NULL) {
+ memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
+ ai->ai_addr, ai->ai_addrlen);
+ }
+ if (ai->ai_addrlen <=
+ sizeof(statp->nsaddr_list[nserv])) {
+ memcpy(&statp->nsaddr_list[nserv],
+ ai->ai_addr, ai->ai_addrlen);
+ } else
+ statp->nsaddr_list[nserv].sin_family = 0;
+ freeaddrinfo(ai);
+ nserv++;
+ }
+ }
+ continue;
+ }
+#ifdef RESOLVSORT
+ if (MATCH(buf, "sortlist")) {
+ struct in_addr a;
+
+ cp = buf + sizeof("sortlist") - 1;
+ while (nsort < MAXRESOLVSORT) {
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ if (*cp == '\0' || *cp == '\n' || *cp == ';')
+ break;
+ net = cp;
+ while (*cp && !ISSORTMASK(*cp) && *cp != ';' &&
+ isascii(*cp) && !isspace((unsigned char)*cp))
+ cp++;
+ n = *cp;
+ *cp = 0;
+ if (inet_aton(net, &a)) {
+ statp->sort_list[nsort].addr = a;
+ if (ISSORTMASK(n)) {
+ *cp++ = n;
+ net = cp;
+ while (*cp && *cp != ';' &&
+ isascii(*cp) &&
+ !isspace((unsigned char)*cp))
+ cp++;
+ n = *cp;
+ *cp = 0;
+ if (inet_aton(net, &a)) {
+ statp->sort_list[nsort].mask = a.s_addr;
+ } else {
+ statp->sort_list[nsort].mask =
+ net_mask(statp->sort_list[nsort].addr);
+ }
+ } else {
+ statp->sort_list[nsort].mask =
+ net_mask(statp->sort_list[nsort].addr);
+ }
+ nsort++;
+ }
+ *cp = n;
+ }
+ continue;
+ }
+#endif
+ if (MATCH(buf, "options")) {
+ res_setoptions(statp, buf + sizeof("options") - 1, "conf");
+ continue;
+ }
+ }
+ if (nserv > 0)
+ statp->nscount = nserv;
+#ifdef RESOLVSORT
+ statp->nsort = nsort;
+#endif
+ (void) fclose(fp);
+ }
+/*
+ * Last chance to get a nameserver. This should not normally
+ * be necessary
+ */
+#ifdef NO_RESOLV_CONF
+ if(nserv == 0)
+ nserv = get_nameservers(statp);
+#endif
+
+ if (statp->defdname[0] == 0 &&
+ gethostname(buf, sizeof(statp->defdname) - 1) == 0 &&
+ (cp = strchr(buf, '.')) != NULL)
+ strcpy(statp->defdname, cp + 1);
+
+ /* find components of local domain that might be searched */
+ if (havesearch == 0) {
+ pp = statp->dnsrch;
+ *pp++ = statp->defdname;
+ *pp = NULL;
+
+ dots = 0;
+ for (cp = statp->defdname; *cp; cp++)
+ dots += (*cp == '.');
+
+ cp = statp->defdname;
+ while (pp < statp->dnsrch + MAXDFLSRCH) {
+ if (dots < LOCALDOMAINPARTS)
+ break;
+ cp = strchr(cp, '.') + 1; /* we know there is one */
+ *pp++ = cp;
+ dots--;
+ }
+ *pp = NULL;
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG) {
+ printf(";; res_init()... default dnsrch list:\n");
+ for (pp = statp->dnsrch; *pp; pp++)
+ printf(";;\t%s\n", *pp);
+ printf(";;\t..END..\n");
+ }
+#endif
+ }
+
+ if ((cp = getenv("RES_OPTIONS")) != NULL)
+ res_setoptions(statp, cp, "env");
+ statp->options |= RES_INIT;
+ return (0);
+}
+
+static void
+res_setoptions(res_state statp, const char *options, const char *source)
+{
+ const char *cp = options;
+ int i;
+ struct __res_state_ext *ext = statp->_u._ext.ext;
+
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_setoptions(\"%s\", \"%s\")...\n",
+ options, source);
+#endif
+ while (*cp) {
+ /* skip leading and inner runs of spaces */
+ while (*cp == ' ' || *cp == '\t')
+ cp++;
+ /* search for and process individual options */
+ if (!strncmp(cp, "ndots:", sizeof("ndots:") - 1)) {
+ i = atoi(cp + sizeof("ndots:") - 1);
+ if (i <= RES_MAXNDOTS)
+ statp->ndots = i;
+ else
+ statp->ndots = RES_MAXNDOTS;
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";;\tndots=%d\n", statp->ndots);
+#endif
+ } else if (!strncmp(cp, "timeout:", sizeof("timeout:") - 1)) {
+ i = atoi(cp + sizeof("timeout:") - 1);
+ if (i <= RES_MAXRETRANS)
+ statp->retrans = i;
+ else
+ statp->retrans = RES_MAXRETRANS;
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";;\ttimeout=%d\n", statp->retrans);
+#endif
+ } else if (!strncmp(cp, "attempts:", sizeof("attempts:") - 1)){
+ i = atoi(cp + sizeof("attempts:") - 1);
+ if (i <= RES_MAXRETRY)
+ statp->retry = i;
+ else
+ statp->retry = RES_MAXRETRY;
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";;\tattempts=%d\n", statp->retry);
+#endif
+ } else if (!strncmp(cp, "debug", sizeof("debug") - 1)) {
+#ifdef DEBUG
+ if (!(statp->options & RES_DEBUG)) {
+ printf(";; res_setoptions(\"%s\", \"%s\")..\n",
+ options, source);
+ statp->options |= RES_DEBUG;
+ }
+ printf(";;\tdebug\n");
+#endif
+ } else if (!strncmp(cp, "no_tld_query",
+ sizeof("no_tld_query") - 1) ||
+ !strncmp(cp, "no-tld-query",
+ sizeof("no-tld-query") - 1)) {
+ statp->options |= RES_NOTLDQUERY;
+ } else if (!strncmp(cp, "inet6", sizeof("inet6") - 1)) {
+ statp->options |= RES_USE_INET6;
+ } else if (!strncmp(cp, "rotate", sizeof("rotate") - 1)) {
+ statp->options |= RES_ROTATE;
+ } else if (!strncmp(cp, "no-check-names",
+ sizeof("no-check-names") - 1)) {
+ statp->options |= RES_NOCHECKNAME;
+ }
+#ifdef RES_USE_EDNS0
+ else if (!strncmp(cp, "edns0", sizeof("edns0") - 1)) {
+ statp->options |= RES_USE_EDNS0;
+ }
+#endif
+ else if (!strncmp(cp, "dname", sizeof("dname") - 1)) {
+ statp->options |= RES_USE_DNAME;
+ }
+ else if (!strncmp(cp, "nibble:", sizeof("nibble:") - 1)) {
+ if (ext == NULL)
+ goto skip;
+ cp += sizeof("nibble:") - 1;
+ i = MIN(strcspn(cp, " \t"), sizeof(ext->nsuffix) - 1);
+ strncpy(ext->nsuffix, cp, i);
+ ext->nsuffix[i] = '\0';
+ }
+ else if (!strncmp(cp, "nibble2:", sizeof("nibble2:") - 1)) {
+ if (ext == NULL)
+ goto skip;
+ cp += sizeof("nibble2:") - 1;
+ i = MIN(strcspn(cp, " \t"), sizeof(ext->nsuffix2) - 1);
+ strncpy(ext->nsuffix2, cp, i);
+ ext->nsuffix2[i] = '\0';
+ }
+ else if (!strncmp(cp, "v6revmode:", sizeof("v6revmode:") - 1)) {
+ cp += sizeof("v6revmode:") - 1;
+ /* "nibble" and "bitstring" used to be valid */
+ if (!strncmp(cp, "single", sizeof("single") - 1)) {
+ statp->options |= RES_NO_NIBBLE2;
+ } else if (!strncmp(cp, "both", sizeof("both") - 1)) {
+ statp->options &=
+ ~RES_NO_NIBBLE2;
+ }
+ }
+ else {
+ /* XXX - print a warning here? */
+ }
+ skip:
+ /* skip to next run of spaces */
+ while (*cp && *cp != ' ' && *cp != '\t')
+ cp++;
+ }
+}
+
+#ifdef RESOLVSORT
+/* XXX - should really support CIDR which means explicit masks always. */
+static u_int32_t
+net_mask(in) /* XXX - should really use system's version of this */
+ struct in_addr in;
+{
+ register u_int32_t i = ntohl(in.s_addr);
+
+ if (IN_CLASSA(i))
+ return (htonl(IN_CLASSA_NET));
+ else if (IN_CLASSB(i))
+ return (htonl(IN_CLASSB_NET));
+ return (htonl(IN_CLASSC_NET));
+}
+#endif
+
+u_int
+res_randomid(void) {
+ struct timeval now;
+
+ gettimeofday(&now, NULL);
+ return (0xffff & (now.tv_sec ^ now.tv_usec ^ getpid()));
+}
+
+/*
+ * This routine is for closing the socket if a virtual circuit is used and
+ * the program wants to close it. This provides support for endhostent()
+ * which expects to close the socket.
+ *
+ * This routine is not expected to be user visible.
+ */
+void
+res_nclose(res_state statp) {
+ int ns;
+
+ if (statp->_vcsock >= 0) {
+ (void) close(statp->_vcsock);
+ statp->_vcsock = -1;
+ statp->_flags &= ~(RES_F_VC | RES_F_CONN);
+ }
+ for (ns = 0; ns < statp->_u._ext.nscount; ns++) {
+ if (statp->_u._ext.nssocks[ns] != -1) {
+ (void) close(statp->_u._ext.nssocks[ns]);
+ statp->_u._ext.nssocks[ns] = -1;
+ }
+ }
+}
+
+void
+res_ndestroy(res_state statp) {
+ res_nclose(statp);
+ if (statp->_u._ext.ext != NULL)
+ free(statp->_u._ext.ext);
+ statp->options &= ~RES_INIT;
+ statp->_u._ext.ext = NULL;
+}
+
+const char *
+res_get_nibblesuffix(res_state statp) {
+ if (statp->_u._ext.ext)
+ return (statp->_u._ext.ext->nsuffix);
+ return ("ip6.arpa");
+}
+
+const char *
+res_get_nibblesuffix2(res_state statp) {
+ if (statp->_u._ext.ext)
+ return (statp->_u._ext.ext->nsuffix2);
+ return ("ip6.int");
+}
+
+void
+res_setservers(res_state statp, const union res_sockaddr_union *set, int cnt) {
+ int i, nserv;
+ size_t size;
+
+ /* close open servers */
+ res_nclose(statp);
+
+ /* cause rtt times to be forgotten */
+ statp->_u._ext.nscount = 0;
+
+ nserv = 0;
+ for (i = 0; i < cnt && nserv < MAXNS; i++) {
+ switch (set->sin.sin_family) {
+ case AF_INET:
+ size = sizeof(set->sin);
+ if (statp->_u._ext.ext)
+ memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
+ &set->sin, size);
+ if (size <= sizeof(statp->nsaddr_list[nserv]))
+ memcpy(&statp->nsaddr_list[nserv],
+ &set->sin, size);
+ else
+ statp->nsaddr_list[nserv].sin_family = 0;
+ nserv++;
+ break;
+
+#ifdef HAS_INET6_STRUCTS
+ case AF_INET6:
+ size = sizeof(set->sin6);
+ if (statp->_u._ext.ext)
+ memcpy(&statp->_u._ext.ext->nsaddrs[nserv],
+ &set->sin6, size);
+ if (size <= sizeof(statp->nsaddr_list[nserv]))
+ memcpy(&statp->nsaddr_list[nserv],
+ &set->sin6, size);
+ else
+ statp->nsaddr_list[nserv].sin_family = 0;
+ nserv++;
+ break;
+#endif
+
+ default:
+ break;
+ }
+ set++;
+ }
+ statp->nscount = nserv;
+
+}
+
+int
+res_getservers(res_state statp, union res_sockaddr_union *set, int cnt) {
+ int i;
+ size_t size;
+ u_int16_t family;
+
+ for (i = 0; i < statp->nscount && i < cnt; i++) {
+ if (statp->_u._ext.ext)
+ family = statp->_u._ext.ext->nsaddrs[i].sin.sin_family;
+ else
+ family = statp->nsaddr_list[i].sin_family;
+
+ switch (family) {
+ case AF_INET:
+ size = sizeof(set->sin);
+ if (statp->_u._ext.ext)
+ memcpy(&set->sin,
+ &statp->_u._ext.ext->nsaddrs[i],
+ size);
+ else
+ memcpy(&set->sin, &statp->nsaddr_list[i],
+ size);
+ break;
+
+#ifdef HAS_INET6_STRUCTS
+ case AF_INET6:
+ size = sizeof(set->sin6);
+ if (statp->_u._ext.ext)
+ memcpy(&set->sin6,
+ &statp->_u._ext.ext->nsaddrs[i],
+ size);
+ else
+ memcpy(&set->sin6, &statp->nsaddr_list[i],
+ size);
+ break;
+#endif
+
+ default:
+ set->sin.sin_family = 0;
+ break;
+ }
+ set++;
+ }
+ return (statp->nscount);
+}
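Review bot: In res_setoptions() the `ndots:`, `timeout:` and `attempts:` branches clamp the atoi() result only from above, so a negative number is assigned to statp->ndots, statp->retrans or statp->retry unchanged. The same parser is fed from the RES_OPTIONS environment variable at the end of __res_vinit(), so the value comes from whoever controls the process environment; what a negative value does later depends on the field types in resolv.h and on the send loop, neither of which is shown here. I would reject it right after each conversion with `if (i < 0) goto skip;`, reusing the existing `skip:` label. Relatedly, `getenv("LOCALDOMAIN")` and `getenv("RES_OPTIONS")` are consulted unconditionally, which lets the environment steer the search list and resolver options of a set-id program; where the platform provides it, a gate such as `if (issetugid() == 0 && (cp = getenv("RES_OPTIONS")) != NULL)` would close that. The file arrives under contrib/ as imported code, so either change would be a local patch or an upstream report.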
diff --git a/contrib/bind9/lib/bind/resolv/res_mkquery.c b/contrib/bind9/lib/bind/resolv/res_mkquery.c
new file mode 100644
index 0000000..89000ed
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_mkquery.c
@@ -0,0 +1,256 @@
+/*
+ * Copyright (c) 1985, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_mkquery.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_mkquery.c,v 1.1.2.2.4.2 2004/03/16 12:34:18 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <string.h>
+#include "port_after.h"
+
+/* Options. Leave them on. */
+#define DEBUG
+
+extern const char *_res_opcodes[];
+
+/*
+ * Form all types of queries.
+ * Returns the size of the result or -1.
+ */
+int
+res_nmkquery(res_state statp,
+ int op, /* opcode of query */
+ const char *dname, /* domain name */
+ int class, int type, /* class and type of query */
+ const u_char *data, /* resource record data */
+ int datalen, /* length of data */
+ const u_char *newrr_in, /* new rr for modify or append */
+ u_char *buf, /* buffer to put query */
+ int buflen) /* size of buffer */
+{
+ register HEADER *hp;
+ register u_char *cp, *ep;
+ register int n;
+ u_char *dnptrs[20], **dpp, **lastdnptr;
+
+ UNUSED(newrr_in);
+
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+ _res_opcodes[op], dname, p_class(class), p_type(type));
+#endif
+ /*
+ * Initialize header fields.
+ */
+ if ((buf == NULL) || (buflen < HFIXEDSZ))
+ return (-1);
+ memset(buf, 0, HFIXEDSZ);
+ hp = (HEADER *) buf;
+ hp->id = htons(++statp->id);
+ hp->opcode = op;
+ hp->rd = (statp->options & RES_RECURSE) != 0U;
+ hp->rcode = NOERROR;
+ cp = buf + HFIXEDSZ;
+ ep = buf + buflen;
+ dpp = dnptrs;
+ *dpp++ = buf;
+ *dpp++ = NULL;
+ lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
+ /*
+ * perform opcode specific processing
+ */
+ switch (op) {
+ case QUERY: /*FALLTHROUGH*/
+ case NS_NOTIFY_OP:
+ if (ep - cp < QFIXEDSZ)
+ return (-1);
+ if ((n = dn_comp(dname, cp, ep - cp - QFIXEDSZ, dnptrs,
+ lastdnptr)) < 0)
+ return (-1);
+ cp += n;
+ ns_put16(type, cp);
+ cp += INT16SZ;
+ ns_put16(class, cp);
+ cp += INT16SZ;
+ hp->qdcount = htons(1);
+ if (op == QUERY || data == NULL)
+ break;
+ /*
+ * Make an additional record for completion domain.
+ */
+ if ((ep - cp) < RRFIXEDSZ)
+ return (-1);
+ n = dn_comp((const char *)data, cp, ep - cp - RRFIXEDSZ,
+ dnptrs, lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ns_put16(T_NULL, cp);
+ cp += INT16SZ;
+ ns_put16(class, cp);
+ cp += INT16SZ;
+ ns_put32(0, cp);
+ cp += INT32SZ;
+ ns_put16(0, cp);
+ cp += INT16SZ;
+ hp->arcount = htons(1);
+ break;
+
+ case IQUERY:
+ /*
+ * Initialize answer section
+ */
+ if (ep - cp < 1 + RRFIXEDSZ + datalen)
+ return (-1);
+ *cp++ = '\0'; /* no domain name */
+ ns_put16(type, cp);
+ cp += INT16SZ;
+ ns_put16(class, cp);
+ cp += INT16SZ;
+ ns_put32(0, cp);
+ cp += INT32SZ;
+ ns_put16(datalen, cp);
+ cp += INT16SZ;
+ if (datalen) {
+ memcpy(cp, data, datalen);
+ cp += datalen;
+ }
+ hp->ancount = htons(1);
+ break;
+
+ default:
+ return (-1);
+ }
+ return (cp - buf);
+}
+
+#ifdef RES_USE_EDNS0
+/* attach OPT pseudo-RR, as documented in RFC2671 (EDNS0). */
+#ifndef T_OPT
+#define T_OPT 41
+#endif
+
+int
+res_nopt(res_state statp,
+ int n0, /* current offset in buffer */
+ u_char *buf, /* buffer to put query */
+ int buflen, /* size of buffer */
+ int anslen) /* UDP answer buffer size */
+{
+ register HEADER *hp;
+ register u_char *cp, *ep;
+ u_int16_t flags = 0;
+
+#ifdef DEBUG
+ if ((statp->options & RES_DEBUG) != 0U)
+ printf(";; res_nopt()\n");
+#endif
+
+ hp = (HEADER *) buf;
+ cp = buf + n0;
+ ep = buf + buflen;
+
+ if ((ep - cp) < 1 + RRFIXEDSZ)
+ return (-1);
+
+ *cp++ = 0; /* "." */
+
+ ns_put16(T_OPT, cp); /* TYPE */
+ cp += INT16SZ;
+ ns_put16(anslen & 0xffff, cp); /* CLASS = UDP payload size */
+ cp += INT16SZ;
+ *cp++ = NOERROR; /* extended RCODE */
+ *cp++ = 0; /* EDNS version */
+ if (statp->options & RES_USE_DNSSEC) {
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_opt()... ENDS0 DNSSEC\n");
+#endif
+ flags |= NS_OPT_DNSSEC_OK;
+ }
+ ns_put16(flags, cp);
+ cp += INT16SZ;
+ ns_put16(0, cp); /* RDLEN */
+ cp += INT16SZ;
+ hp->arcount = htons(ntohs(hp->arcount) + 1);
+
+ return (cp - buf);
+}
+#endif
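Review bot: `hp->id = htons(++statp->id);` in res_nmkquery() makes every transaction ID the previous one plus one, and the starting value comes from res_randomid() in res_init.c, which mixes only the clock and the pid. The ID is one of the few values an off-path sender has to guess before a forged reply is accepted, so it should be unpredictable per query, for example `hp->id = htons((u_int16_t)arc4random());` on systems that have it, with statp->id updated to match if other code reads it. Separately, the IQUERY branch never checks the sign of `datalen`: a negative value passes `ep - cp < 1 + RRFIXEDSZ + datalen` and reaches `memcpy(cp, data, datalen)`. Changing the guard to `if (datalen < 0 || ep - cp < 1 + RRFIXEDSZ + datalen) return (-1);` would stop that.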
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.c b/contrib/bind9/lib/bind/resolv/res_mkupdate.c
new file mode 100644
index 0000000..aac95e5
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_mkupdate.c
@@ -0,0 +1,1159 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Based on the Dynamic DNS reference implementation by Viraj Bais
+ * <viraj_bais@ccm.fm.intel.com>
+ */
+
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_mkupdate.c,v 1.1.2.1.4.3 2004/06/03 04:44:48 marka Exp $";
+#endif /* not lint */
+
+#include "port_before.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <res_update.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+
+#include "port_after.h"
+
+/* Options. Leave them on. */
+#define DEBUG
+#define MAXPORT 1024
+
+static int getnum_str(u_char **, u_char *);
+static int gethexnum_str(u_char **, u_char *);
+static int getword_str(char *, int, u_char **, u_char *);
+static int getstr_str(char *, int, u_char **, u_char *);
+
+#define ShrinkBuffer(x) if ((buflen -= x) < 0) return (-2);
+
+/* Forward. */
+
+int res_protocolnumber(const char *);
+int res_servicenumber(const char *);
+
+/*
+ * Form update packets.
+ * Returns the size of the resulting packet if no error
+ * On error,
+ * returns -1 if error in reading a word/number in rdata
+ * portion for update packets
+ * -2 if length of buffer passed is insufficient
+ * -3 if zone section is not the first section in
+ * the linked list, or section order has a problem
+ * -4 on a number overflow
+ * -5 unknown operation or no records
+ */
+int
+res_nmkupdate(res_state statp, ns_updrec *rrecp_in, u_char *buf, int buflen) {
+ ns_updrec *rrecp_start = rrecp_in;
+ HEADER *hp;
+ u_char *cp, *sp1, *sp2, *startp, *endp;
+ int n, i, soanum, multiline;
+ ns_updrec *rrecp;
+ struct in_addr ina;
+ struct in6_addr in6a;
+ char buf2[MAXDNAME];
+ u_char buf3[MAXDNAME];
+ int section, numrrs = 0, counts[ns_s_max];
+ u_int16_t rtype, rclass;
+ u_int32_t n1, rttl;
+ u_char *dnptrs[20], **dpp, **lastdnptr;
+ int siglen, keylen, certlen;
+
+ /*
+ * Initialize header fields.
+ */
+ if ((buf == NULL) || (buflen < HFIXEDSZ))
+ return (-1);
+ memset(buf, 0, HFIXEDSZ);
+ hp = (HEADER *) buf;
+ hp->id = htons(++statp->id);
+ hp->opcode = ns_o_update;
+ hp->rcode = NOERROR;
+ sp1 = buf + 2*INT16SZ; /* save pointer to zocount */
+ cp = buf + HFIXEDSZ;
+ buflen -= HFIXEDSZ;
+ dpp = dnptrs;
+ *dpp++ = buf;
+ *dpp++ = NULL;
+ lastdnptr = dnptrs + sizeof dnptrs / sizeof dnptrs[0];
+
+ if (rrecp_start == NULL)
+ return (-5);
+ else if (rrecp_start->r_section != S_ZONE)
+ return (-3);
+
+ memset(counts, 0, sizeof counts);
+ for (rrecp = rrecp_start; rrecp; rrecp = NEXT(rrecp, r_glink)) {
+ numrrs++;
+ section = rrecp->r_section;
+ if (section < 0 || section >= ns_s_max)
+ return (-1);
+ counts[section]++;
+ for (i = section + 1; i < ns_s_max; i++)
+ if (counts[i])
+ return (-3);
+ rtype = rrecp->r_type;
+ rclass = rrecp->r_class;
+ rttl = rrecp->r_ttl;
+ /* overload class and type */
+ if (section == S_PREREQ) {
+ rttl = 0;
+ switch (rrecp->r_opcode) {
+ case YXDOMAIN:
+ rclass = C_ANY;
+ rtype = T_ANY;
+ rrecp->r_size = 0;
+ break;
+ case NXDOMAIN:
+ rclass = C_NONE;
+ rtype = T_ANY;
+ rrecp->r_size = 0;
+ break;
+ case NXRRSET:
+ rclass = C_NONE;
+ rrecp->r_size = 0;
+ break;
+ case YXRRSET:
+ if (rrecp->r_size == 0)
+ rclass = C_ANY;
+ break;
+ default:
+ fprintf(stderr,
+ "res_mkupdate: incorrect opcode: %d\n",
+ rrecp->r_opcode);
+ fflush(stderr);
+ return (-1);
+ }
+ } else if (section == S_UPDATE) {
+ switch (rrecp->r_opcode) {
+ case DELETE:
+ rclass = rrecp->r_size == 0 ? C_ANY : C_NONE;
+ break;
+ case ADD:
+ break;
+ default:
+ fprintf(stderr,
+ "res_mkupdate: incorrect opcode: %d\n",
+ rrecp->r_opcode);
+ fflush(stderr);
+ return (-1);
+ }
+ }
+
+ /*
+ * XXX appending default domain to owner name is omitted,
+ * fqdn must be provided
+ */
+ if ((n = dn_comp(rrecp->r_dname, cp, buflen, dnptrs,
+ lastdnptr)) < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n + 2*INT16SZ);
+ PUTSHORT(rtype, cp);
+ PUTSHORT(rclass, cp);
+ if (section == S_ZONE) {
+ if (numrrs != 1 || rrecp->r_type != T_SOA)
+ return (-3);
+ continue;
+ }
+ ShrinkBuffer(INT32SZ + INT16SZ);
+ PUTLONG(rttl, cp);
+ sp2 = cp; /* save pointer to length byte */
+ cp += INT16SZ;
+ if (rrecp->r_size == 0) {
+ if (section == S_UPDATE && rclass != C_ANY)
+ return (-1);
+ else {
+ PUTSHORT(0, sp2);
+ continue;
+ }
+ }
+ startp = rrecp->r_data;
+ endp = startp + rrecp->r_size - 1;
+ /* XXX this should be done centrally. */
+ switch (rrecp->r_type) {
+ case T_A:
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ if (!inet_aton(buf2, &ina))
+ return (-1);
+ n1 = ntohl(ina.s_addr);
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(n1, cp);
+ break;
+ case T_CNAME:
+ case T_MB:
+ case T_MG:
+ case T_MR:
+ case T_NS:
+ case T_PTR:
+ case ns_t_dname:
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ break;
+ case T_MINFO:
+ case T_SOA:
+ case T_RP:
+ for (i = 0; i < 2; i++) {
+ if (!getword_str(buf2, sizeof buf2, &startp,
+ endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen,
+ dnptrs, lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ }
+ if (rrecp->r_type == T_SOA) {
+ ShrinkBuffer(5 * INT32SZ);
+ while (isspace(*startp) || !*startp)
+ startp++;
+ if (*startp == '(') {
+ multiline = 1;
+ startp++;
+ } else
+ multiline = 0;
+ /* serial, refresh, retry, expire, minimum */
+ for (i = 0; i < 5; i++) {
+ soanum = getnum_str(&startp, endp);
+ if (soanum < 0)
+ return (-1);
+ PUTLONG(soanum, cp);
+ }
+ if (multiline) {
+ while (isspace(*startp) || !*startp)
+ startp++;
+ if (*startp != ')')
+ return (-1);
+ }
+ }
+ break;
+ case T_MX:
+ case T_AFSDB:
+ case T_RT:
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ break;
+ case T_SRV:
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, NULL, NULL);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ break;
+ case T_PX:
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ PUTSHORT(n, cp);
+ ShrinkBuffer(INT16SZ);
+ for (i = 0; i < 2; i++) {
+ if (!getword_str(buf2, sizeof buf2, &startp,
+ endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, dnptrs,
+ lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ }
+ break;
+ case T_WKS: {
+ char bm[MAXPORT/8];
+ unsigned int maxbm = 0;
+
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ if (!inet_aton(buf2, &ina))
+ return (-1);
+ n1 = ntohl(ina.s_addr);
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(n1, cp);
+
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ if ((i = res_protocolnumber(buf2)) < 0)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = i & 0xff;
+
+ for (i = 0; i < MAXPORT/8 ; i++)
+ bm[i] = 0;
+
+ while (getword_str(buf2, sizeof buf2, &startp, endp)) {
+ if ((n = res_servicenumber(buf2)) <= 0)
+ return (-1);
+
+ if (n < MAXPORT) {
+ bm[n/8] |= (0x80>>(n%8));
+ if ((unsigned)n > maxbm)
+ maxbm = n;
+ } else
+ return (-1);
+ }
+ maxbm = maxbm/8 + 1;
+ ShrinkBuffer(maxbm);
+ memcpy(cp, bm, maxbm);
+ cp += maxbm;
+ break;
+ }
+ case T_HINFO:
+ for (i = 0; i < 2; i++) {
+ if ((n = getstr_str(buf2, sizeof buf2,
+ &startp, endp)) < 0)
+ return (-1);
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ }
+ break;
+ case T_TXT:
+ for (;;) {
+ if ((n = getstr_str(buf2, sizeof buf2,
+ &startp, endp)) < 0) {
+ if (cp != (sp2 + INT16SZ))
+ break;
+ return (-1);
+ }
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ }
+ break;
+ case T_X25:
+ /* RFC 1183 */
+ if ((n = getstr_str(buf2, sizeof buf2, &startp,
+ endp)) < 0)
+ return (-1);
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ break;
+ case T_ISDN:
+ /* RFC 1183 */
+ if ((n = getstr_str(buf2, sizeof buf2, &startp,
+ endp)) < 0)
+ return (-1);
+ if ((n > 255) || (n == 0))
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ if ((n = getstr_str(buf2, sizeof buf2, &startp,
+ endp)) < 0)
+ n = 0;
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ break;
+ case T_NSAP:
+ if ((n = inet_nsap_addr((char *)startp, (u_char *)buf2, sizeof(buf2))) != 0) {
+ ShrinkBuffer(n);
+ memcpy(cp, buf2, n);
+ cp += n;
+ } else {
+ return (-1);
+ }
+ break;
+ case T_LOC:
+ if ((n = loc_aton((char *)startp, (u_char *)buf2)) != 0) {
+ ShrinkBuffer(n);
+ memcpy(cp, buf2, n);
+ cp += n;
+ } else
+ return (-1);
+ break;
+ case ns_t_sig:
+ {
+ int sig_type, success, dateerror;
+ u_int32_t exptime, timesigned;
+
+ /* type */
+ if ((n = getword_str(buf2, sizeof buf2,
+ &startp, endp)) < 0)
+ return (-1);
+ sig_type = sym_ston(__p_type_syms, buf2, &success);
+ if (!success || sig_type == ns_t_any)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(sig_type, cp);
+ /* alg */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = n;
+ /* labels */
+ n = getnum_str(&startp, endp);
+ if (n <= 0 || n > 255)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = n;
+ /* ottl & expire */
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ exptime = ns_datetosecs(buf2, &dateerror);
+ if (!dateerror) {
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(rttl, cp);
+ }
+ else {
+ char *ulendp;
+ u_int32_t ottl;
+
+ errno = 0;
+ ottl = strtoul(buf2, &ulendp, 10);
+ if (errno != 0 ||
+ (ulendp != NULL && *ulendp != '\0'))
+ return (-1);
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(ottl, cp);
+ if (!getword_str(buf2, sizeof buf2, &startp,
+ endp))
+ return (-1);
+ exptime = ns_datetosecs(buf2, &dateerror);
+ if (dateerror)
+ return (-1);
+ }
+ /* expire */
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(exptime, cp);
+ /* timesigned */
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ timesigned = ns_datetosecs(buf2, &dateerror);
+ if (!dateerror) {
+ ShrinkBuffer(INT32SZ);
+ PUTLONG(timesigned, cp);
+ }
+ else
+ return (-1);
+ /* footprint */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* signer name */
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, dnptrs, lastdnptr);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ /* sig */
+ if ((n = getword_str(buf2, sizeof buf2,
+ &startp, endp)) < 0)
+ return (-1);
+ siglen = b64_pton(buf2, buf3, sizeof(buf3));
+ if (siglen < 0)
+ return (-1);
+ ShrinkBuffer(siglen);
+ memcpy(cp, buf3, siglen);
+ cp += siglen;
+ break;
+ }
+ case ns_t_key:
+ /* flags */
+ n = gethexnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* proto */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = n;
+ /* alg */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = n;
+ /* key */
+ if ((n = getword_str(buf2, sizeof buf2,
+ &startp, endp)) < 0)
+ return (-1);
+ keylen = b64_pton(buf2, buf3, sizeof(buf3));
+ if (keylen < 0)
+ return (-1);
+ ShrinkBuffer(keylen);
+ memcpy(cp, buf3, keylen);
+ cp += keylen;
+ break;
+ case ns_t_nxt:
+ {
+ int success, nxt_type;
+ u_char data[32];
+ int maxtype;
+
+ /* next name */
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, NULL, NULL);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ maxtype = 0;
+ memset(data, 0, sizeof data);
+ for (;;) {
+ if (!getword_str(buf2, sizeof buf2, &startp,
+ endp))
+ break;
+ nxt_type = sym_ston(__p_type_syms, buf2,
+ &success);
+ if (!success || !ns_t_rr_p(nxt_type))
+ return (-1);
+ NS_NXT_BIT_SET(nxt_type, data);
+ if (nxt_type > maxtype)
+ maxtype = nxt_type;
+ }
+ n = maxtype/NS_NXT_BITS+1;
+ ShrinkBuffer(n);
+ memcpy(cp, data, n);
+ cp += n;
+ break;
+ }
+ case ns_t_cert:
+ /* type */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* key tag */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* alg */
+ n = getnum_str(&startp, endp);
+ if (n < 0)
+ return (-1);
+ ShrinkBuffer(1);
+ *cp++ = n;
+ /* cert */
+ if ((n = getword_str(buf2, sizeof buf2,
+ &startp, endp)) < 0)
+ return (-1);
+ certlen = b64_pton(buf2, buf3, sizeof(buf3));
+ if (certlen < 0)
+ return (-1);
+ ShrinkBuffer(certlen);
+ memcpy(cp, buf3, certlen);
+ cp += certlen;
+ break;
+ case ns_t_aaaa:
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ if (inet_pton(AF_INET6, buf2, &in6a) <= 0)
+ return (-1);
+ ShrinkBuffer(NS_IN6ADDRSZ);
+ memcpy(cp, &in6a, NS_IN6ADDRSZ);
+ cp += NS_IN6ADDRSZ;
+ break;
+ case ns_t_naptr:
+ /* Order Preference Flags Service Replacement Regexp */
+ /* Order */
+ n = getnum_str(&startp, endp);
+ if (n < 0 || n > 65535)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* Preference */
+ n = getnum_str(&startp, endp);
+ if (n < 0 || n > 65535)
+ return (-1);
+ ShrinkBuffer(INT16SZ);
+ PUTSHORT(n, cp);
+ /* Flags */
+ if ((n = getstr_str(buf2, sizeof buf2,
+ &startp, endp)) < 0) {
+ return (-1);
+ }
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ /* Service Classes */
+ if ((n = getstr_str(buf2, sizeof buf2,
+ &startp, endp)) < 0) {
+ return (-1);
+ }
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ /* Pattern */
+ if ((n = getstr_str(buf2, sizeof buf2,
+ &startp, endp)) < 0) {
+ return (-1);
+ }
+ if (n > 255)
+ return (-1);
+ ShrinkBuffer(n+1);
+ *cp++ = n;
+ memcpy(cp, buf2, n);
+ cp += n;
+ /* Replacement */
+ if (!getword_str(buf2, sizeof buf2, &startp, endp))
+ return (-1);
+ n = dn_comp(buf2, cp, buflen, NULL, NULL);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ ShrinkBuffer(n);
+ break;
+ default:
+ return (-1);
+ } /*switch*/
+ n = (u_int16_t)((cp - sp2) - INT16SZ);
+ PUTSHORT(n, sp2);
+ } /*for*/
+
+ hp->qdcount = htons(counts[0]);
+ hp->ancount = htons(counts[1]);
+ hp->nscount = htons(counts[2]);
+ hp->arcount = htons(counts[3]);
+ return (cp - buf);
+}
+
+/*
+ * Get a whitespace delimited word from a string (not file)
+ * into buf. modify the start pointer to point after the
+ * word in the string.
+ */
+static int
+getword_str(char *buf, int size, u_char **startpp, u_char *endp) {
+ char *cp;
+ int c;
+
+ for (cp = buf; *startpp <= endp; ) {
+ c = **startpp;
+ if (isspace(c) || c == '\0') {
+ if (cp != buf) /* trailing whitespace */
+ break;
+ else { /* leading whitespace */
+ (*startpp)++;
+ continue;
+ }
+ }
+ (*startpp)++;
+ if (cp >= buf+size-1)
+ break;
+ *cp++ = (u_char)c;
+ }
+ *cp = '\0';
+ return (cp != buf);
+}
+
+/*
+ * get a white spae delimited string from memory. Process quoted strings
+ * and \DDD escapes. Return length or -1 on error. Returned string may
+ * contain nulls.
+ */
+static char digits[] = "0123456789";
+static int
+getstr_str(char *buf, int size, u_char **startpp, u_char *endp) {
+ char *cp;
+ int c, c1 = 0;
+ int inquote = 0;
+ int seen_quote = 0;
+ int escape = 0;
+ int dig = 0;
+
+ for (cp = buf; *startpp <= endp; ) {
+ if ((c = **startpp) == '\0')
+ break;
+ /* leading white space */
+ if ((cp == buf) && !seen_quote && isspace(c)) {
+ (*startpp)++;
+ continue;
+ }
+
+ switch (c) {
+ case '\\':
+ if (!escape) {
+ escape = 1;
+ dig = 0;
+ c1 = 0;
+ (*startpp)++;
+ continue;
+ }
+ goto do_escape;
+ case '"':
+ if (!escape) {
+ inquote = !inquote;
+ seen_quote = 1;
+ (*startpp)++;
+ continue;
+ }
+ /* fall through */
+ default:
+ do_escape:
+ if (escape) {
+ switch (c) {
+ case '0':
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ case '8':
+ case '9':
+ c1 = c1 * 10 +
+ (strchr(digits, c) - digits);
+
+ if (++dig == 3) {
+ c = c1 &0xff;
+ break;
+ }
+ (*startpp)++;
+ continue;
+ }
+ escape = 0;
+ } else if (!inquote && isspace(c))
+ goto done;
+ if (cp >= buf+size-1)
+ goto done;
+ *cp++ = (u_char)c;
+ (*startpp)++;
+ }
+ }
+ done:
+ *cp = '\0';
+ return ((cp == buf)? (seen_quote? 0: -1): (cp - buf));
+}
+/*
+ * Get a whitespace delimited base 16 number from a string (not file) into buf
+ * update the start pointer to point after the number in the string.
+ */
+static int
+gethexnum_str(u_char **startpp, u_char *endp) {
+ int c, n;
+ int seendigit = 0;
+ int m = 0;
+
+ if (*startpp + 2 >= endp || strncasecmp((char *)*startpp, "0x", 2) != 0)
+ return getnum_str(startpp, endp);
+ (*startpp)+=2;
+ for (n = 0; *startpp <= endp; ) {
+ c = **startpp;
+ if (isspace(c) || c == '\0') {
+ if (seendigit) /* trailing whitespace */
+ break;
+ else { /* leading whitespace */
+ (*startpp)++;
+ continue;
+ }
+ }
+ if (c == ';') {
+ while ((*startpp <= endp) &&
+ ((c = **startpp) != '\n'))
+ (*startpp)++;
+ if (seendigit)
+ break;
+ continue;
+ }
+ if (!isxdigit(c)) {
+ if (c == ')' && seendigit) {
+ (*startpp)--;
+ break;
+ }
+ return (-1);
+ }
+ (*startpp)++;
+ if (isdigit(c))
+ n = n * 16 + (c - '0');
+ else
+ n = n * 16 + (tolower(c) - 'a' + 10);
+ seendigit = 1;
+ }
+ return (n + m);
+}
+
+/*
+ * Get a whitespace delimited base 10 number from a string (not file) into buf
+ * update the start pointer to point after the number in the string.
+ */
+static int
+getnum_str(u_char **startpp, u_char *endp) {
+ int c, n;
+ int seendigit = 0;
+ int m = 0;
+
+ for (n = 0; *startpp <= endp; ) {
+ c = **startpp;
+ if (isspace(c) || c == '\0') {
+ if (seendigit) /* trailing whitespace */
+ break;
+ else { /* leading whitespace */
+ (*startpp)++;
+ continue;
+ }
+ }
+ if (c == ';') {
+ while ((*startpp <= endp) &&
+ ((c = **startpp) != '\n'))
+ (*startpp)++;
+ if (seendigit)
+ break;
+ continue;
+ }
+ if (!isdigit(c)) {
+ if (c == ')' && seendigit) {
+ (*startpp)--;
+ break;
+ }
+ return (-1);
+ }
+ (*startpp)++;
+ n = n * 10 + (c - '0');
+ seendigit = 1;
+ }
+ return (n + m);
+}
+
+/*
+ * Allocate a resource record buffer & save rr info.
+ */
+ns_updrec *
+res_mkupdrec(int section, const char *dname,
+ u_int class, u_int type, u_long ttl) {
+ ns_updrec *rrecp = (ns_updrec *)calloc(1, sizeof(ns_updrec));
+
+ if (!rrecp || !(rrecp->r_dname = strdup(dname))) {
+ if (rrecp)
+ free((char *)rrecp);
+ return (NULL);
+ }
+ INIT_LINK(rrecp, r_link);
+ INIT_LINK(rrecp, r_glink);
+ rrecp->r_class = class;
+ rrecp->r_type = type;
+ rrecp->r_ttl = ttl;
+ rrecp->r_section = section;
+ return (rrecp);
+}
+
+/*
+ * Free a resource record buffer created by res_mkupdrec.
+ */
+void
+res_freeupdrec(ns_updrec *rrecp) {
+ /* Note: freeing r_dp is the caller's responsibility. */
+ if (rrecp->r_dname != NULL)
+ free(rrecp->r_dname);
+ free(rrecp);
+}
+
+struct valuelist {
+ struct valuelist * next;
+ struct valuelist * prev;
+ char * name;
+ char * proto;
+ int port;
+};
+static struct valuelist *servicelist, *protolist;
+
+static void
+res_buildservicelist() {
+ struct servent *sp;
+ struct valuelist *slp;
+
+#ifdef MAYBE_HESIOD
+ setservent(0);
+#else
+ setservent(1);
+#endif
+ while ((sp = getservent()) != NULL) {
+ slp = (struct valuelist *)malloc(sizeof(struct valuelist));
+ if (!slp)
+ break;
+ slp->name = strdup(sp->s_name);
+ slp->proto = strdup(sp->s_proto);
+ if ((slp->name == NULL) || (slp->proto == NULL)) {
+ if (slp->name) free(slp->name);
+ if (slp->proto) free(slp->proto);
+ free(slp);
+ break;
+ }
+ slp->port = ntohs((u_int16_t)sp->s_port); /* host byt order */
+ slp->next = servicelist;
+ slp->prev = NULL;
+ if (servicelist)
+ servicelist->prev = slp;
+ servicelist = slp;
+ }
+ endservent();
+}
+
+void
+res_destroyservicelist() {
+ struct valuelist *slp, *slp_next;
+
+ for (slp = servicelist; slp != NULL; slp = slp_next) {
+ slp_next = slp->next;
+ free(slp->name);
+ free(slp->proto);
+ free(slp);
+ }
+ servicelist = (struct valuelist *)0;
+}
+
+void
+res_buildprotolist(void) {
+ struct protoent *pp;
+ struct valuelist *slp;
+
+#ifdef MAYBE_HESIOD
+ setprotoent(0);
+#else
+ setprotoent(1);
+#endif
+ while ((pp = getprotoent()) != NULL) {
+ slp = (struct valuelist *)malloc(sizeof(struct valuelist));
+ if (!slp)
+ break;
+ slp->name = strdup(pp->p_name);
+ if (slp->name == NULL) {
+ free(slp);
+ break;
+ }
+ slp->port = pp->p_proto; /* host byte order */
+ slp->next = protolist;
+ slp->prev = NULL;
+ if (protolist)
+ protolist->prev = slp;
+ protolist = slp;
+ }
+ endprotoent();
+}
+
+void
+res_destroyprotolist(void) {
+ struct valuelist *plp, *plp_next;
+
+ for (plp = protolist; plp != NULL; plp = plp_next) {
+ plp_next = plp->next;
+ free(plp->name);
+ free(plp);
+ }
+ protolist = (struct valuelist *)0;
+}
+
+static int
+findservice(const char *s, struct valuelist **list) {
+ struct valuelist *lp = *list;
+ int n;
+
+ for (; lp != NULL; lp = lp->next)
+ if (strcasecmp(lp->name, s) == 0) {
+ if (lp != *list) {
+ lp->prev->next = lp->next;
+ if (lp->next)
+ lp->next->prev = lp->prev;
+ (*list)->prev = lp;
+ lp->next = *list;
+ *list = lp;
+ }
+ return (lp->port); /* host byte order */
+ }
+ if (sscanf(s, "%d", &n) != 1 || n <= 0)
+ n = -1;
+ return (n);
+}
+
+/*
+ * Convert service name or (ascii) number to int.
+ */
+int
+res_servicenumber(const char *p) {
+ if (servicelist == (struct valuelist *)0)
+ res_buildservicelist();
+ return (findservice(p, &servicelist));
+}
+
+/*
+ * Convert protocol name or (ascii) number to int.
+ */
+int
+res_protocolnumber(const char *p) {
+ if (protolist == (struct valuelist *)0)
+ res_buildprotolist();
+ return (findservice(p, &protolist));
+}
+
+static struct servent *
+cgetservbyport(u_int16_t port, const char *proto) { /* Host byte order. */
+ struct valuelist **list = &servicelist;
+ struct valuelist *lp = *list;
+ static struct servent serv;
+
+ port = ntohs(port);
+ for (; lp != NULL; lp = lp->next) {
+ if (port != (u_int16_t)lp->port) /* Host byte order. */
+ continue;
+ if (strcasecmp(lp->proto, proto) == 0) {
+ if (lp != *list) {
+ lp->prev->next = lp->next;
+ if (lp->next)
+ lp->next->prev = lp->prev;
+ (*list)->prev = lp;
+ lp->next = *list;
+ *list = lp;
+ }
+ serv.s_name = lp->name;
+ serv.s_port = htons((u_int16_t)lp->port);
+ serv.s_proto = lp->proto;
+ return (&serv);
+ }
+ }
+ return (0);
+}
+
+static struct protoent *
+cgetprotobynumber(int proto) { /* Host byte order. */
+ struct valuelist **list = &protolist;
+ struct valuelist *lp = *list;
+ static struct protoent prot;
+
+ for (; lp != NULL; lp = lp->next)
+ if (lp->port == proto) { /* Host byte order. */
+ if (lp != *list) {
+ lp->prev->next = lp->next;
+ if (lp->next)
+ lp->next->prev = lp->prev;
+ (*list)->prev = lp;
+ lp->next = *list;
+ *list = lp;
+ }
+ prot.p_name = lp->name;
+ prot.p_proto = lp->port; /* Host byte order. */
+ return (&prot);
+ }
+ return (0);
+}
+
+const char *
+res_protocolname(int num) {
+ static char number[8];
+ struct protoent *pp;
+
+ if (protolist == (struct valuelist *)0)
+ res_buildprotolist();
+ pp = cgetprotobynumber(num);
+ if (pp == 0) {
+ (void) sprintf(number, "%d", num);
+ return (number);
+ }
+ return (pp->p_name);
+}
+
+const char *
+res_servicename(u_int16_t port, const char *proto) { /* Host byte order. */
+ static char number[8];
+ struct servent *ss;
+
+ if (servicelist == (struct valuelist *)0)
+ res_buildservicelist();
+ ss = cgetservbyport(htons(port), proto);
+ if (ss == 0) {
+ (void) sprintf(number, "%d", port);
+ return (number);
+ }
+ return (ss->s_name);
+}
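Review bot: In `res_nmkupdate` the `T_PX` case runs `PUTSHORT(n, cp);` before `ShrinkBuffer(INT16SZ);`, so two bytes are written before the remaining space is checked; every other case checks first, and the two lines should be swapped. The SOA branch skips separators twice with `while (isspace(*startp) || !*startp) startp++;` and never compares against `endp`, so an `r_data` that ends in whitespace or NUL bytes is read past its end; the loops need a `startp <= endp` bound, and so do the `*startp == '('` and `*startp != ')'` tests that follow them. Further down, `res_protocolname()` formats an arbitrary `int` into `static char number[8]` with `sprintf`, which overflows once the decimal form reaches eight characters; `(void) snprintf(number, sizeof number, "%d", num);` keeps it inside the buffer. Since this file arrives as a vendor import, these are probably best reported upstream and carried as tracked local patches rather than edited silently in `contrib/`.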
diff --git a/contrib/bind9/lib/bind/resolv/res_mkupdate.h b/contrib/bind9/lib/bind/resolv/res_mkupdate.h
new file mode 100644
index 0000000..a8f1e7c
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_mkupdate.h
@@ -0,0 +1,24 @@
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1998,1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _RES_MKUPDATE_H_
+#define _RES_MKUPDATE_H_
+
+__BEGIN_DECLS
+__END_DECLS
+
+#endif /* _RES_MKUPDATE_H_ */
diff --git a/contrib/bind9/lib/bind/resolv/res_private.h b/contrib/bind9/lib/bind/resolv/res_private.h
new file mode 100644
index 0000000..d7b66cd
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_private.h
@@ -0,0 +1,20 @@
+#ifndef res_private_h
+#define res_private_h
+
+struct __res_state_ext {
+ union res_sockaddr_union nsaddrs[MAXNS];
+ struct sort_list {
+ int af;
+ union {
+ struct in_addr ina;
+ struct in6_addr in6a;
+ } addr, mask;
+ } sort_list[MAXRESOLVSORT];
+ char nsuffix[64];
+ char nsuffix2[64];
+};
+
+extern int
+res_ourserver_p(const res_state statp, const struct sockaddr *sa);
+
+#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_query.c b/contrib/bind9/lib/bind/resolv/res_query.c
new file mode 100644
index 0000000..5156ce8
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_query.c
@@ -0,0 +1,432 @@
+/*
+ * Copyright (c) 1988, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_query.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_query.c,v 1.2.2.3.4.2 2004/03/16 12:34:19 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include "port_before.h"
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+#include <ctype.h>
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "port_after.h"
+
+/* Options. Leave them on. */
+#define DEBUG
+
+#if PACKETSZ > 1024
+#define MAXPACKET PACKETSZ
+#else
+#define MAXPACKET 1024
+#endif
+
+/*
+ * Formulate a normal query, send, and await answer.
+ * Returned answer is placed in supplied buffer "answer".
+ * Perform preliminary check of answer, returning success only
+ * if no error is indicated and the answer count is nonzero.
+ * Return the size of the response on success, -1 on error.
+ * Error number is left in H_ERRNO.
+ *
+ * Caller must parse answer and determine whether it answers the question.
+ */
+int
+res_nquery(res_state statp,
+ const char *name, /* domain name */
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer buffer */
+{
+ u_char buf[MAXPACKET];
+ HEADER *hp = (HEADER *) answer;
+ int n;
+ u_int oflags;
+
+ oflags = statp->_flags;
+
+again:
+ hp->rcode = NOERROR; /* default */
+
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_query(%s, %d, %d)\n", name, class, type);
+#endif
+
+ n = res_nmkquery(statp, QUERY, name, class, type, NULL, 0, NULL,
+ buf, sizeof(buf));
+#ifdef RES_USE_EDNS0
+ if (n > 0 && (statp->_flags & RES_F_EDNS0ERR) == 0 &&
+ (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U)
+ n = res_nopt(statp, n, buf, sizeof(buf), anslen);
+#endif
+ if (n <= 0) {
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_query: mkquery failed\n");
+#endif
+ RES_SET_H_ERRNO(statp, NO_RECOVERY);
+ return (n);
+ }
+ n = res_nsend(statp, buf, n, answer, anslen);
+ if (n < 0) {
+#ifdef RES_USE_EDNS0
+ /* if the query choked with EDNS0, retry without EDNS0 */
+ if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0U &&
+ ((oflags ^ statp->_flags) & RES_F_EDNS0ERR) != 0) {
+ statp->_flags |= RES_F_EDNS0ERR;
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nquery: retry without EDNS0\n");
+ goto again;
+ }
+#endif
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_query: send error\n");
+#endif
+ RES_SET_H_ERRNO(statp, TRY_AGAIN);
+ return (n);
+ }
+
+ if (hp->rcode != NOERROR || ntohs(hp->ancount) == 0) {
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; rcode = (%s), counts = an:%d ns:%d ar:%d\n",
+ p_rcode(hp->rcode),
+ ntohs(hp->ancount),
+ ntohs(hp->nscount),
+ ntohs(hp->arcount));
+#endif
+ switch (hp->rcode) {
+ case NXDOMAIN:
+ RES_SET_H_ERRNO(statp, HOST_NOT_FOUND);
+ break;
+ case SERVFAIL:
+ RES_SET_H_ERRNO(statp, TRY_AGAIN);
+ break;
+ case NOERROR:
+ RES_SET_H_ERRNO(statp, NO_DATA);
+ break;
+ case FORMERR:
+ case NOTIMP:
+ case REFUSED:
+ default:
+ RES_SET_H_ERRNO(statp, NO_RECOVERY);
+ break;
+ }
+ return (-1);
+ }
+ return (n);
+}
+
+/*
+ * Formulate a normal query, send, and retrieve answer in supplied buffer.
+ * Return the size of the response on success, -1 on error.
+ * If enabled, implement search rules until answer or unrecoverable failure
+ * is detected. Error code, if any, is left in H_ERRNO.
+ */
+int
+res_nsearch(res_state statp,
+ const char *name, /* domain name */
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer */
+{
+ const char *cp, * const *domain;
+ HEADER *hp = (HEADER *) answer;
+ char tmp[NS_MAXDNAME];
+ u_int dots;
+ int trailing_dot, ret, saved_herrno;
+ int got_nodata = 0, got_servfail = 0, root_on_list = 0;
+ int tried_as_is = 0;
+ int searched = 0;
+
+ errno = 0;
+ RES_SET_H_ERRNO(statp, HOST_NOT_FOUND); /* True if we never query. */
+
+ dots = 0;
+ for (cp = name; *cp != '\0'; cp++)
+ dots += (*cp == '.');
+ trailing_dot = 0;
+ if (cp > name && *--cp == '.')
+ trailing_dot++;
+
+ /* If there aren't any dots, it could be a user-level alias. */
+ if (!dots && (cp = res_hostalias(statp, name, tmp, sizeof tmp))!= NULL)
+ return (res_nquery(statp, cp, class, type, answer, anslen));
+
+ /*
+ * If there are enough dots in the name, let's just give it a
+ * try 'as is'. The threshold can be set with the "ndots" option.
+ * Also, query 'as is', if there is a trailing dot in the name.
+ */
+ saved_herrno = -1;
+ if (dots >= statp->ndots || trailing_dot) {
+ ret = res_nquerydomain(statp, name, NULL, class, type,
+ answer, anslen);
+ if (ret > 0 || trailing_dot)
+ return (ret);
+ saved_herrno = statp->res_h_errno;
+ tried_as_is++;
+ }
+
+ /*
+ * We do at least one level of search if
+ * - there is no dot and RES_DEFNAME is set, or
+ * - there is at least one dot, there is no trailing dot,
+ * and RES_DNSRCH is set.
+ */
+ if ((!dots && (statp->options & RES_DEFNAMES) != 0U) ||
+ (dots && !trailing_dot && (statp->options & RES_DNSRCH) != 0U)) {
+ int done = 0;
+
+ for (domain = (const char * const *)statp->dnsrch;
+ *domain && !done;
+ domain++) {
+ searched = 1;
+
+ if (domain[0][0] == '\0' ||
+ (domain[0][0] == '.' && domain[0][1] == '\0'))
+ root_on_list++;
+
+ ret = res_nquerydomain(statp, name, *domain,
+ class, type,
+ answer, anslen);
+ if (ret > 0)
+ return (ret);
+
+ /*
+ * If no server present, give up.
+ * If name isn't found in this domain,
+ * keep trying higher domains in the search list
+ * (if that's enabled).
+ * On a NO_DATA error, keep trying, otherwise
+ * a wildcard entry of another type could keep us
+ * from finding this entry higher in the domain.
+ * If we get some other error (negative answer or
+ * server failure), then stop searching up,
+ * but try the input name below in case it's
+ * fully-qualified.
+ */
+ if (errno == ECONNREFUSED) {
+ RES_SET_H_ERRNO(statp, TRY_AGAIN);
+ return (-1);
+ }
+
+ switch (statp->res_h_errno) {
+ case NO_DATA:
+ got_nodata++;
+ /* FALLTHROUGH */
+ case HOST_NOT_FOUND:
+ /* keep trying */
+ break;
+ case TRY_AGAIN:
+ if (hp->rcode == SERVFAIL) {
+ /* try next search element, if any */
+ got_servfail++;
+ break;
+ }
+ /* FALLTHROUGH */
+ default:
+ /* anything else implies that we're done */
+ done++;
+ }
+
+ /* if we got here for some reason other than DNSRCH,
+ * we only wanted one iteration of the loop, so stop.
+ */
+ if ((statp->options & RES_DNSRCH) == 0U)
+ done++;
+ }
+ }
+
+ /*
+ * If the query has not already been tried as is then try it
+ * unless RES_NOTLDQUERY is set and there were no dots.
+ */
+ if ((dots || !searched || (statp->options & RES_NOTLDQUERY) == 0U) &&
+ !(tried_as_is || root_on_list)) {
+ ret = res_nquerydomain(statp, name, NULL, class, type,
+ answer, anslen);
+ if (ret > 0)
+ return (ret);
+ }
+
+ /* if we got here, we didn't satisfy the search.
+ * if we did an initial full query, return that query's H_ERRNO
+ * (note that we wouldn't be here if that query had succeeded).
+ * else if we ever got a nodata, send that back as the reason.
+ * else send back meaningless H_ERRNO, that being the one from
+ * the last DNSRCH we did.
+ */
+ if (saved_herrno != -1)
+ RES_SET_H_ERRNO(statp, saved_herrno);
+ else if (got_nodata)
+ RES_SET_H_ERRNO(statp, NO_DATA);
+ else if (got_servfail)
+ RES_SET_H_ERRNO(statp, TRY_AGAIN);
+ return (-1);
+}
+
+/*
+ * Perform a call on res_query on the concatenation of name and domain,
+ * removing a trailing dot from name if domain is NULL.
+ */
+int
+res_nquerydomain(res_state statp,
+ const char *name,
+ const char *domain,
+ int class, int type, /* class and type of query */
+ u_char *answer, /* buffer to put answer */
+ int anslen) /* size of answer */
+{
+ char nbuf[MAXDNAME];
+ const char *longname = nbuf;
+ int n, d;
+
+#ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nquerydomain(%s, %s, %d, %d)\n",
+ name, domain?domain:"<Nil>", class, type);
+#endif
+ if (domain == NULL) {
+ /*
+ * Check for trailing '.';
+ * copy without '.' if present.
+ */
+ n = strlen(name);
+ if (n >= MAXDNAME) {
+ RES_SET_H_ERRNO(statp, NO_RECOVERY);
+ return (-1);
+ }
+ n--;
+ if (n >= 0 && name[n] == '.') {
+ strncpy(nbuf, name, n);
+ nbuf[n] = '\0';
+ } else
+ longname = name;
+ } else {
+ n = strlen(name);
+ d = strlen(domain);
+ if (n + d + 1 >= MAXDNAME) {
+ RES_SET_H_ERRNO(statp, NO_RECOVERY);
+ return (-1);
+ }
+ sprintf(nbuf, "%s.%s", name, domain);
+ }
+ return (res_nquery(statp, longname, class, type, answer, anslen));
+}
+
+const char *
+res_hostalias(const res_state statp, const char *name, char *dst, size_t siz) {
+ char *file, *cp1, *cp2;
+ char buf[BUFSIZ];
+ FILE *fp;
+
+ if (statp->options & RES_NOALIASES)
+ return (NULL);
+ file = getenv("HOSTALIASES");
+ if (file == NULL || (fp = fopen(file, "r")) == NULL)
+ return (NULL);
+ setbuf(fp, NULL);
+ buf[sizeof(buf) - 1] = '\0';
+ while (fgets(buf, sizeof(buf), fp)) {
+ for (cp1 = buf; *cp1 && !isspace((unsigned char)*cp1); ++cp1)
+ ;
+ if (!*cp1)
+ break;
+ *cp1 = '\0';
+ if (ns_samename(buf, name) == 1) {
+ while (isspace((unsigned char)*++cp1))
+ ;
+ if (!*cp1)
+ break;
+ for (cp2 = cp1 + 1; *cp2 &&
+ !isspace((unsigned char)*cp2); ++cp2)
+ ;
+ *cp2 = '\0';
+ strncpy(dst, cp1, siz - 1);
+ dst[siz - 1] = '\0';
+ fclose(fp);
+ return (dst);
+ }
+ }
+ fclose(fp);
+ return (NULL);
+}
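Review bot: res_hostalias() opens whatever path the `HOSTALIASES` environment variable names, with no check that the process is running with its real credentials. In a set-user-ID or set-group-ID program linked against this resolver, the file is therefore opened with the elevated identity and its contents decide which name is actually queried. On FreeBSD the usual guard fits right after the `RES_NOALIASES` test: `if (issetugid()) return (NULL);` (upstream would need a configure check for portability). Separately, res_nquery() stores `hp->rcode = NOERROR` into `answer` before anything has confirmed `anslen >= HFIXEDSZ`; res_nsend() rejects a short buffer only later, so an early `if (anslen < HFIXEDSZ)` return with `NO_RECOVERY` would keep the header write in bounds. Callers should also be told in the function comment that the returned size can exceed `anslen` when the reply was truncated, so they must clamp before parsing.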
diff --git a/contrib/bind9/lib/bind/resolv/res_send.c b/contrib/bind9/lib/bind/resolv/res_send.c
new file mode 100644
index 0000000..81c2425
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_send.c
@@ -0,0 +1,1052 @@
+/*
+ * Copyright (c) 1985, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)res_send.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] = "$Id: res_send.c,v 1.5.2.2.4.5 2004/08/10 02:19:56 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+/*
+ * Send query to name server and wait for reply.
+ */
+
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/eventlib.h>
+
+#include "port_after.h"
+
+/* Options. Leave them on. */
+#define DEBUG
+#include "res_debug.h"
+#include "res_private.h"
+
+#define EXT(res) ((res)->_u._ext)
+
+static const int highestFD = FD_SETSIZE - 1;
+
+/* Forward. */
+
+static int get_salen __P((const struct sockaddr *));
+static struct sockaddr * get_nsaddr __P((res_state, size_t));
+static int send_vc(res_state, const u_char *, int,
+ u_char *, int, int *, int);
+static int send_dg(res_state, const u_char *, int,
+ u_char *, int, int *, int,
+ int *, int *);
+static void Aerror(const res_state, FILE *, const char *, int,
+ const struct sockaddr *, int);
+static void Perror(const res_state, FILE *, const char *, int);
+static int sock_eq(struct sockaddr *, struct sockaddr *);
+#ifdef NEED_PSELECT
+static int pselect(int, void *, void *, void *,
+ struct timespec *,
+ const sigset_t *);
+#endif
+void res_pquery(const res_state, const u_char *, int, FILE *);
+
+static const int niflags = NI_NUMERICHOST | NI_NUMERICSERV;
+
+/* Public. */
+
+/* int
+ * res_isourserver(ina)
+ * looks up "ina" in _res.ns_addr_list[]
+ * returns:
+ * 0 : not found
+ * >0 : found
+ * author:
+ * paul vixie, 29may94
+ */
+int
+res_ourserver_p(const res_state statp, const struct sockaddr *sa) {
+ const struct sockaddr_in *inp, *srv;
+ const struct sockaddr_in6 *in6p, *srv6;
+ int ns;
+
+ switch (sa->sa_family) {
+ case AF_INET:
+ inp = (const struct sockaddr_in *)sa;
+ for (ns = 0; ns < statp->nscount; ns++) {
+ srv = (struct sockaddr_in *)get_nsaddr(statp, ns);
+ if (srv->sin_family == inp->sin_family &&
+ srv->sin_port == inp->sin_port &&
+ (srv->sin_addr.s_addr == INADDR_ANY ||
+ srv->sin_addr.s_addr == inp->sin_addr.s_addr))
+ return (1);
+ }
+ break;
+ case AF_INET6:
+ if (EXT(statp).ext == NULL)
+ break;
+ in6p = (const struct sockaddr_in6 *)sa;
+ for (ns = 0; ns < statp->nscount; ns++) {
+ srv6 = (struct sockaddr_in6 *)get_nsaddr(statp, ns);
+ if (srv6->sin6_family == in6p->sin6_family &&
+ srv6->sin6_port == in6p->sin6_port &&
+#ifdef HAVE_SIN6_SCOPE_ID
+ (srv6->sin6_scope_id == 0 ||
+ srv6->sin6_scope_id == in6p->sin6_scope_id) &&
+#endif
+ (IN6_IS_ADDR_UNSPECIFIED(&srv6->sin6_addr) ||
+ IN6_ARE_ADDR_EQUAL(&srv6->sin6_addr, &in6p->sin6_addr)))
+ return (1);
+ }
+ break;
+ default:
+ break;
+ }
+ return (0);
+}
+
+/* int
+ * res_nameinquery(name, type, class, buf, eom)
+ * look for (name,type,class) in the query section of packet (buf,eom)
+ * requires:
+ * buf + HFIXEDSZ <= eom
+ * returns:
+ * -1 : format error
+ * 0 : not found
+ * >0 : found
+ * author:
+ * paul vixie, 29may94
+ */
+int
+res_nameinquery(const char *name, int type, int class,
+ const u_char *buf, const u_char *eom)
+{
+ const u_char *cp = buf + HFIXEDSZ;
+ int qdcount = ntohs(((const HEADER*)buf)->qdcount);
+
+ while (qdcount-- > 0) {
+ char tname[MAXDNAME+1];
+ int n, ttype, tclass;
+
+ n = dn_expand(buf, eom, cp, tname, sizeof tname);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ if (cp + 2 * INT16SZ > eom)
+ return (-1);
+ ttype = ns_get16(cp); cp += INT16SZ;
+ tclass = ns_get16(cp); cp += INT16SZ;
+ if (ttype == type && tclass == class &&
+ ns_samename(tname, name) == 1)
+ return (1);
+ }
+ return (0);
+}
+
+/* int
+ * res_queriesmatch(buf1, eom1, buf2, eom2)
+ * is there a 1:1 mapping of (name,type,class)
+ * in (buf1,eom1) and (buf2,eom2)?
+ * returns:
+ * -1 : format error
+ * 0 : not a 1:1 mapping
+ * >0 : is a 1:1 mapping
+ * author:
+ * paul vixie, 29may94
+ */
+int
+res_queriesmatch(const u_char *buf1, const u_char *eom1,
+ const u_char *buf2, const u_char *eom2)
+{
+ const u_char *cp = buf1 + HFIXEDSZ;
+ int qdcount = ntohs(((const HEADER*)buf1)->qdcount);
+
+ if (buf1 + HFIXEDSZ > eom1 || buf2 + HFIXEDSZ > eom2)
+ return (-1);
+
+ /*
+ * Only header section present in replies to
+ * dynamic update packets.
+ */
+ if ((((const HEADER *)buf1)->opcode == ns_o_update) &&
+ (((const HEADER *)buf2)->opcode == ns_o_update))
+ return (1);
+
+ if (qdcount != ntohs(((const HEADER*)buf2)->qdcount))
+ return (0);
+ while (qdcount-- > 0) {
+ char tname[MAXDNAME+1];
+ int n, ttype, tclass;
+
+ n = dn_expand(buf1, eom1, cp, tname, sizeof tname);
+ if (n < 0)
+ return (-1);
+ cp += n;
+ if (cp + 2 * INT16SZ > eom1)
+ return (-1);
+ ttype = ns_get16(cp); cp += INT16SZ;
+ tclass = ns_get16(cp); cp += INT16SZ;
+ if (!res_nameinquery(tname, ttype, tclass, buf2, eom2))
+ return (0);
+ }
+ return (1);
+}
+
+int
+res_nsend(res_state statp,
+ const u_char *buf, int buflen, u_char *ans, int anssiz)
+{
+ int gotsomewhere, terrno, try, v_circuit, resplen, ns, n;
+ char abuf[NI_MAXHOST];
+
+ if (statp->nscount == 0) {
+ errno = ESRCH;
+ return (-1);
+ }
+ if (anssiz < HFIXEDSZ) {
+ errno = EINVAL;
+ return (-1);
+ }
+ DprintQ((statp->options & RES_DEBUG) || (statp->pfcode & RES_PRF_QUERY),
+ (stdout, ";; res_send()\n"), buf, buflen);
+ v_circuit = (statp->options & RES_USEVC) || buflen > PACKETSZ;
+ gotsomewhere = 0;
+ terrno = ETIMEDOUT;
+
+ /*
+ * If the ns_addr_list in the resolver context has changed, then
+ * invalidate our cached copy and the associated timing data.
+ */
+ if (EXT(statp).nscount != 0) {
+ int needclose = 0;
+ struct sockaddr_storage peer;
+ ISC_SOCKLEN_T peerlen;
+
+ if (EXT(statp).nscount != statp->nscount)
+ needclose++;
+ else
+ for (ns = 0; ns < statp->nscount; ns++) {
+ if (statp->nsaddr_list[ns].sin_family &&
+ !sock_eq((struct sockaddr *)&statp->nsaddr_list[ns],
+ (struct sockaddr *)&EXT(statp).ext->nsaddrs[ns])) {
+ needclose++;
+ break;
+ }
+
+ if (EXT(statp).nssocks[ns] == -1)
+ continue;
+ peerlen = sizeof(peer);
+ if (getsockname(EXT(statp).nssocks[ns],
+ (struct sockaddr *)&peer, &peerlen) < 0) {
+ needclose++;
+ break;
+ }
+ if (!sock_eq((struct sockaddr *)&peer,
+ get_nsaddr(statp, ns))) {
+ needclose++;
+ break;
+ }
+ }
+ if (needclose) {
+ res_nclose(statp);
+ EXT(statp).nscount = 0;
+ }
+ }
+
+ /*
+ * Maybe initialize our private copy of the ns_addr_list.
+ */
+ if (EXT(statp).nscount == 0) {
+ for (ns = 0; ns < statp->nscount; ns++) {
+ EXT(statp).nstimes[ns] = RES_MAXTIME;
+ EXT(statp).nssocks[ns] = -1;
+ if (!statp->nsaddr_list[ns].sin_family)
+ continue;
+ EXT(statp).ext->nsaddrs[ns].sin =
+ statp->nsaddr_list[ns];
+ }
+ EXT(statp).nscount = statp->nscount;
+ }
+
+ /*
+ * Some resolvers want to even out the load on their nameservers.
+ * Note that RES_BLAST overrides RES_ROTATE.
+ */
+ if ((statp->options & RES_ROTATE) != 0U &&
+ (statp->options & RES_BLAST) == 0U) {
+ union res_sockaddr_union inu;
+ struct sockaddr_in ina;
+ int lastns = statp->nscount - 1;
+ int fd;
+ u_int16_t nstime;
+
+ if (EXT(statp).ext != NULL)
+ inu = EXT(statp).ext->nsaddrs[0];
+ ina = statp->nsaddr_list[0];
+ fd = EXT(statp).nssocks[0];
+ nstime = EXT(statp).nstimes[0];
+ for (ns = 0; ns < lastns; ns++) {
+ if (EXT(statp).ext != NULL)
+ EXT(statp).ext->nsaddrs[ns] =
+ EXT(statp).ext->nsaddrs[ns + 1];
+ statp->nsaddr_list[ns] = statp->nsaddr_list[ns + 1];
+ EXT(statp).nssocks[ns] = EXT(statp).nssocks[ns + 1];
+ EXT(statp).nstimes[ns] = EXT(statp).nstimes[ns + 1];
+ }
+ if (EXT(statp).ext != NULL)
+ EXT(statp).ext->nsaddrs[lastns] = inu;
+ statp->nsaddr_list[lastns] = ina;
+ EXT(statp).nssocks[lastns] = fd;
+ EXT(statp).nstimes[lastns] = nstime;
+ }
+
+ /*
+ * Send request, RETRY times, or until successful.
+ */
+ for (try = 0; try < statp->retry; try++) {
+ for (ns = 0; ns < statp->nscount; ns++) {
+ struct sockaddr *nsap;
+ int nsaplen;
+ nsap = get_nsaddr(statp, ns);
+ nsaplen = get_salen(nsap);
+ statp->_flags &= ~RES_F_LASTMASK;
+ statp->_flags |= (ns << RES_F_LASTSHIFT);
+ same_ns:
+ if (statp->qhook) {
+ int done = 0, loops = 0;
+
+ do {
+ res_sendhookact act;
+
+ act = (*statp->qhook)(&nsap, &buf, &buflen,
+ ans, anssiz, &resplen);
+ switch (act) {
+ case res_goahead:
+ done = 1;
+ break;
+ case res_nextns:
+ res_nclose(statp);
+ goto next_ns;
+ case res_done:
+ return (resplen);
+ case res_modified:
+ /* give the hook another try */
+ if (++loops < 42) /*doug adams*/
+ break;
+ /*FALLTHROUGH*/
+ case res_error:
+ /*FALLTHROUGH*/
+ default:
+ goto fail;
+ }
+ } while (!done);
+ }
+
+ Dprint(((statp->options & RES_DEBUG) &&
+ getnameinfo(nsap, nsaplen, abuf, sizeof(abuf),
+ NULL, 0, niflags) == 0),
+ (stdout, ";; Querying server (# %d) address = %s\n",
+ ns + 1, abuf));
+
+
+ if (v_circuit) {
+ /* Use VC; at most one attempt per server. */
+ try = statp->retry;
+ n = send_vc(statp, buf, buflen, ans, anssiz, &terrno,
+ ns);
+ if (n < 0)
+ goto fail;
+ if (n == 0)
+ goto next_ns;
+ resplen = n;
+ } else {
+ /* Use datagrams. */
+ n = send_dg(statp, buf, buflen, ans, anssiz, &terrno,
+ ns, &v_circuit, &gotsomewhere);
+ if (n < 0)
+ goto fail;
+ if (n == 0)
+ goto next_ns;
+ if (v_circuit)
+ goto same_ns;
+ resplen = n;
+ }
+
+ Dprint((statp->options & RES_DEBUG) ||
+ ((statp->pfcode & RES_PRF_REPLY) &&
+ (statp->pfcode & RES_PRF_HEAD1)),
+ (stdout, ";; got answer:\n"));
+
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, "%s", ""),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+
+ /*
+ * If we have temporarily opened a virtual circuit,
+ * or if we haven't been asked to keep a socket open,
+ * close the socket.
+ */
+ if ((v_circuit && (statp->options & RES_USEVC) == 0U) ||
+ (statp->options & RES_STAYOPEN) == 0U) {
+ res_nclose(statp);
+ }
+ if (statp->rhook) {
+ int done = 0, loops = 0;
+
+ do {
+ res_sendhookact act;
+
+ act = (*statp->rhook)(nsap, buf, buflen,
+ ans, anssiz, &resplen);
+ switch (act) {
+ case res_goahead:
+ case res_done:
+ done = 1;
+ break;
+ case res_nextns:
+ res_nclose(statp);
+ goto next_ns;
+ case res_modified:
+ /* give the hook another try */
+ if (++loops < 42) /*doug adams*/
+ break;
+ /*FALLTHROUGH*/
+ case res_error:
+ /*FALLTHROUGH*/
+ default:
+ goto fail;
+ }
+ } while (!done);
+
+ }
+ return (resplen);
+ next_ns: ;
+ } /*foreach ns*/
+ } /*foreach retry*/
+ res_nclose(statp);
+ if (!v_circuit) {
+ if (!gotsomewhere)
+ errno = ECONNREFUSED; /* no nameservers found */
+ else
+ errno = ETIMEDOUT; /* no answer obtained */
+ } else
+ errno = terrno;
+ return (-1);
+ fail:
+ res_nclose(statp);
+ return (-1);
+}
+
+/* Private */
+
+static int
+get_salen(sa)
+ const struct sockaddr *sa;
+{
+
+#ifdef HAVE_SA_LEN
+ /* There are people do not set sa_len. Be forgiving to them. */
+ if (sa->sa_len)
+ return (sa->sa_len);
+#endif
+
+ if (sa->sa_family == AF_INET)
+ return (sizeof(struct sockaddr_in));
+ else if (sa->sa_family == AF_INET6)
+ return (sizeof(struct sockaddr_in6));
+ else
+ return (0); /* unknown, die on connect */
+}
+
+/*
+ * pick appropriate nsaddr_list for use. see res_init() for initialization.
+ */
+static struct sockaddr *
+get_nsaddr(statp, n)
+ res_state statp;
+ size_t n;
+{
+
+ if (!statp->nsaddr_list[n].sin_family && EXT(statp).ext) {
+ /*
+ * - EXT(statp).ext->nsaddrs[n] holds an address that is larger
+ * than struct sockaddr, and
+ * - user code did not update statp->nsaddr_list[n].
+ */
+ return (struct sockaddr *)(void *)&EXT(statp).ext->nsaddrs[n];
+ } else {
+ /*
+ * - user code updated statp->nsaddr_list[n], or
+ * - statp->nsaddr_list[n] has the same content as
+ * EXT(statp).ext->nsaddrs[n].
+ */
+ return (struct sockaddr *)(void *)&statp->nsaddr_list[n];
+ }
+}
+
+static int
+send_vc(res_state statp,
+ const u_char *buf, int buflen, u_char *ans, int anssiz,
+ int *terrno, int ns)
+{
+ const HEADER *hp = (const HEADER *) buf;
+ HEADER *anhp = (HEADER *) ans;
+ struct sockaddr *nsap;
+ int nsaplen;
+ int truncating, connreset, resplen, n;
+ struct iovec iov[2];
+ u_short len;
+ u_char *cp;
+ void *tmp;
+
+ nsap = get_nsaddr(statp, ns);
+ nsaplen = get_salen(nsap);
+
+ connreset = 0;
+ same_ns:
+ truncating = 0;
+
+ /* Are we still talking to whom we want to talk to? */
+ if (statp->_vcsock >= 0 && (statp->_flags & RES_F_VC) != 0) {
+ struct sockaddr_storage peer;
+ ISC_SOCKLEN_T size = sizeof peer;
+
+ if (getpeername(statp->_vcsock,
+ (struct sockaddr *)&peer, &size) < 0 ||
+ !sock_eq((struct sockaddr *)&peer, nsap)) {
+ res_nclose(statp);
+ statp->_flags &= ~RES_F_VC;
+ }
+ }
+
+ if (statp->_vcsock < 0 || (statp->_flags & RES_F_VC) == 0) {
+ if (statp->_vcsock >= 0)
+ res_nclose(statp);
+
+ statp->_vcsock = socket(nsap->sa_family, SOCK_STREAM, 0);
+ if (statp->_vcsock > highestFD) {
+ res_nclose(statp);
+ errno = ENOTSOCK;
+ }
+ if (statp->_vcsock < 0) {
+ switch (errno) {
+ case EPROTONOSUPPORT:
+#ifdef EPFNOSUPPORT
+ case EPFNOSUPPORT:
+#endif
+ case EAFNOSUPPORT:
+ Perror(statp, stderr, "socket(vc)", errno);
+ return (0);
+ default:
+ *terrno = errno;
+ Perror(statp, stderr, "socket(vc)", errno);
+ return (-1);
+ }
+ }
+ errno = 0;
+ if (connect(statp->_vcsock, nsap, nsaplen) < 0) {
+ *terrno = errno;
+ Aerror(statp, stderr, "connect/vc", errno, nsap,
+ nsaplen);
+ res_nclose(statp);
+ return (0);
+ }
+ statp->_flags |= RES_F_VC;
+ }
+
+ /*
+ * Send length & message
+ */
+ ns_put16((u_short)buflen, (u_char*)&len);
+ iov[0] = evConsIovec(&len, INT16SZ);
+ DE_CONST(buf, tmp);
+ iov[1] = evConsIovec(tmp, buflen);
+ if (writev(statp->_vcsock, iov, 2) != (INT16SZ + buflen)) {
+ *terrno = errno;
+ Perror(statp, stderr, "write failed", errno);
+ res_nclose(statp);
+ return (0);
+ }
+ /*
+ * Receive length & response
+ */
+ read_len:
+ cp = ans;
+ len = INT16SZ;
+ while ((n = read(statp->_vcsock, (char *)cp, (int)len)) > 0) {
+ cp += n;
+ if ((len -= n) == 0)
+ break;
+ }
+ if (n <= 0) {
+ *terrno = errno;
+ Perror(statp, stderr, "read failed", errno);
+ res_nclose(statp);
+ /*
+ * A long running process might get its TCP
+ * connection reset if the remote server was
+ * restarted. Requery the server instead of
+ * trying a new one. When there is only one
+ * server, this means that a query might work
+ * instead of failing. We only allow one reset
+ * per query to prevent looping.
+ */
+ if (*terrno == ECONNRESET && !connreset) {
+ connreset = 1;
+ res_nclose(statp);
+ goto same_ns;
+ }
+ res_nclose(statp);
+ return (0);
+ }
+ resplen = ns_get16(ans);
+ if (resplen > anssiz) {
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; response truncated\n")
+ );
+ truncating = 1;
+ len = anssiz;
+ } else
+ len = resplen;
+ if (len < HFIXEDSZ) {
+ /*
+ * Undersized message.
+ */
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; undersized: %d\n", len));
+ *terrno = EMSGSIZE;
+ res_nclose(statp);
+ return (0);
+ }
+ cp = ans;
+ while (len != 0 && (n = read(statp->_vcsock, (char *)cp, (int)len)) > 0){
+ cp += n;
+ len -= n;
+ }
+ if (n <= 0) {
+ *terrno = errno;
+ Perror(statp, stderr, "read(vc)", errno);
+ res_nclose(statp);
+ return (0);
+ }
+ if (truncating) {
+ /*
+ * Flush rest of answer so connection stays in synch.
+ */
+ anhp->tc = 1;
+ len = resplen - anssiz;
+ while (len != 0) {
+ char junk[PACKETSZ];
+
+ n = read(statp->_vcsock, junk,
+ (len > sizeof junk) ? sizeof junk : len);
+ if (n > 0)
+ len -= n;
+ else
+ break;
+ }
+ }
+ /*
+ * If the calling applicating has bailed out of
+ * a previous call and failed to arrange to have
+ * the circuit closed or the server has got
+ * itself confused, then drop the packet and
+ * wait for the correct one.
+ */
+ if (hp->id != anhp->id) {
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, ";; old answer (unexpected):\n"),
+ ans, (resplen > anssiz) ? anssiz: resplen);
+ goto read_len;
+ }
+
+ /*
+ * All is well, or the error is fatal. Signal that the
+ * next nameserver ought not be tried.
+ */
+ return (resplen);
+}
+
+static int
+send_dg(res_state statp,
+ const u_char *buf, int buflen, u_char *ans, int anssiz,
+ int *terrno, int ns, int *v_circuit, int *gotsomewhere)
+{
+ const HEADER *hp = (const HEADER *) buf;
+ HEADER *anhp = (HEADER *) ans;
+ const struct sockaddr *nsap;
+ int nsaplen;
+ struct timespec now, timeout, finish;
+ fd_set dsmask;
+ struct sockaddr_storage from;
+ ISC_SOCKLEN_T fromlen;
+ int resplen, seconds, n, s;
+
+ nsap = get_nsaddr(statp, ns);
+ nsaplen = get_salen(nsap);
+ if (EXT(statp).nssocks[ns] == -1) {
+ EXT(statp).nssocks[ns] = socket(nsap->sa_family, SOCK_DGRAM, 0);
+ if (EXT(statp).nssocks[ns] > highestFD) {
+ res_nclose(statp);
+ errno = ENOTSOCK;
+ }
+ if (EXT(statp).nssocks[ns] < 0) {
+ switch (errno) {
+ case EPROTONOSUPPORT:
+#ifdef EPFNOSUPPORT
+ case EPFNOSUPPORT:
+#endif
+ case EAFNOSUPPORT:
+ Perror(statp, stderr, "socket(dg)", errno);
+ return (0);
+ default:
+ *terrno = errno;
+ Perror(statp, stderr, "socket(dg)", errno);
+ return (-1);
+ }
+ }
+#ifndef CANNOT_CONNECT_DGRAM
+ /*
+ * On a 4.3BSD+ machine (client and server,
+ * actually), sending to a nameserver datagram
+ * port with no nameserver will cause an
+ * ICMP port unreachable message to be returned.
+ * If our datagram socket is "connected" to the
+ * server, we get an ECONNREFUSED error on the next
+ * socket operation, and select returns if the
+ * error message is received. We can thus detect
+ * the absence of a nameserver without timing out.
+ */
+ if (connect(EXT(statp).nssocks[ns], nsap, nsaplen) < 0) {
+ Aerror(statp, stderr, "connect(dg)", errno, nsap,
+ nsaplen);
+ res_nclose(statp);
+ return (0);
+ }
+#endif /* !CANNOT_CONNECT_DGRAM */
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; new DG socket\n"))
+ }
+ s = EXT(statp).nssocks[ns];
+#ifndef CANNOT_CONNECT_DGRAM
+ if (send(s, (const char*)buf, buflen, 0) != buflen) {
+ Perror(statp, stderr, "send", errno);
+ res_nclose(statp);
+ return (0);
+ }
+#else /* !CANNOT_CONNECT_DGRAM */
+ if (sendto(s, (const char*)buf, buflen, 0, nsap, nsaplen) != buflen)
+ {
+ Aerror(statp, stderr, "sendto", errno, nsap, nsaplen);
+ res_nclose(statp);
+ return (0);
+ }
+#endif /* !CANNOT_CONNECT_DGRAM */
+
+ /*
+ * Wait for reply.
+ */
+ seconds = (statp->retrans << ns);
+ if (ns > 0)
+ seconds /= statp->nscount;
+ if (seconds <= 0)
+ seconds = 1;
+ now = evNowTime();
+ timeout = evConsTime(seconds, 0);
+ finish = evAddTime(now, timeout);
+ goto nonow;
+ wait:
+ now = evNowTime();
+ nonow:
+ FD_ZERO(&dsmask);
+ FD_SET(s, &dsmask);
+ if (evCmpTime(finish, now) > 0)
+ timeout = evSubTime(finish, now);
+ else
+ timeout = evConsTime(0, 0);
+ n = pselect(s + 1, &dsmask, NULL, NULL, &timeout, NULL);
+ if (n == 0) {
+ Dprint(statp->options & RES_DEBUG, (stdout, ";; timeout\n"));
+ *gotsomewhere = 1;
+ return (0);
+ }
+ if (n < 0) {
+ if (errno == EINTR)
+ goto wait;
+ Perror(statp, stderr, "select", errno);
+ res_nclose(statp);
+ return (0);
+ }
+ errno = 0;
+ fromlen = sizeof(from);
+ resplen = recvfrom(s, (char*)ans, anssiz,0,
+ (struct sockaddr *)&from, &fromlen);
+ if (resplen <= 0) {
+ Perror(statp, stderr, "recvfrom", errno);
+ res_nclose(statp);
+ return (0);
+ }
+ *gotsomewhere = 1;
+ if (resplen < HFIXEDSZ) {
+ /*
+ * Undersized message.
+ */
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; undersized: %d\n",
+ resplen));
+ *terrno = EMSGSIZE;
+ res_nclose(statp);
+ return (0);
+ }
+ if (hp->id != anhp->id) {
+ /*
+ * response from old query, ignore it.
+ * XXX - potential security hazard could
+ * be detected here.
+ */
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, ";; old answer:\n"),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+ goto wait;
+ }
+ if (!(statp->options & RES_INSECURE1) &&
+ !res_ourserver_p(statp, (struct sockaddr *)&from)) {
+ /*
+ * response from wrong server? ignore it.
+ * XXX - potential security hazard could
+ * be detected here.
+ */
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, ";; not our server:\n"),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+ goto wait;
+ }
+#ifdef RES_USE_EDNS0
+ if (anhp->rcode == FORMERR && (statp->options & RES_USE_EDNS0) != 0U) {
+ /*
+ * Do not retry if the server do not understand EDNS0.
+ * The case has to be captured here, as FORMERR packet do not
+ * carry query section, hence res_queriesmatch() returns 0.
+ */
+ DprintQ(statp->options & RES_DEBUG,
+ (stdout, "server rejected query with EDNS0:\n"),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+ /* record the error */
+ statp->_flags |= RES_F_EDNS0ERR;
+ res_nclose(statp);
+ return (0);
+ }
+#endif
+ if (!(statp->options & RES_INSECURE2) &&
+ !res_queriesmatch(buf, buf + buflen,
+ ans, ans + anssiz)) {
+ /*
+ * response contains wrong query? ignore it.
+ * XXX - potential security hazard could
+ * be detected here.
+ */
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, ";; wrong query name:\n"),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+ goto wait;
+ }
+ if (anhp->rcode == SERVFAIL ||
+ anhp->rcode == NOTIMP ||
+ anhp->rcode == REFUSED) {
+ DprintQ(statp->options & RES_DEBUG,
+ (stdout, "server rejected query:\n"),
+ ans, (resplen > anssiz) ? anssiz : resplen);
+ res_nclose(statp);
+ /* don't retry if called from dig */
+ if (!statp->pfcode)
+ return (0);
+ }
+ if (!(statp->options & RES_IGNTC) && anhp->tc) {
+ /*
+ * To get the rest of answer,
+ * use TCP with same server.
+ */
+ Dprint(statp->options & RES_DEBUG,
+ (stdout, ";; truncated answer\n"));
+ *v_circuit = 1;
+ res_nclose(statp);
+ return (1);
+ }
+ /*
+ * All is well, or the error is fatal. Signal that the
+ * next nameserver ought not be tried.
+ */
+ return (resplen);
+}
+
+static void
+Aerror(const res_state statp, FILE *file, const char *string, int error,
+ const struct sockaddr *address, int alen)
+{
+ int save = errno;
+ char hbuf[NI_MAXHOST];
+ char sbuf[NI_MAXSERV];
+
+ alen = alen;
+
+ if ((statp->options & RES_DEBUG) != 0U) {
+ if (getnameinfo(address, alen, hbuf, sizeof(hbuf),
+ sbuf, sizeof(sbuf), niflags)) {
+ strncpy(hbuf, "?", sizeof(hbuf) - 1);
+ hbuf[sizeof(hbuf) - 1] = '\0';
+ strncpy(sbuf, "?", sizeof(sbuf) - 1);
+ sbuf[sizeof(sbuf) - 1] = '\0';
+ }
+ fprintf(file, "res_send: %s ([%s].%s): %s\n",
+ string, hbuf, sbuf, strerror(error));
+ }
+ errno = save;
+}
+
+static void
+Perror(const res_state statp, FILE *file, const char *string, int error) {
+ int save = errno;
+
+ if ((statp->options & RES_DEBUG) != 0U)
+ fprintf(file, "res_send: %s: %s\n",
+ string, strerror(error));
+ errno = save;
+}
+
+static int
+sock_eq(struct sockaddr *a, struct sockaddr *b) {
+ struct sockaddr_in *a4, *b4;
+ struct sockaddr_in6 *a6, *b6;
+
+ if (a->sa_family != b->sa_family)
+ return 0;
+ switch (a->sa_family) {
+ case AF_INET:
+ a4 = (struct sockaddr_in *)a;
+ b4 = (struct sockaddr_in *)b;
+ return a4->sin_port == b4->sin_port &&
+ a4->sin_addr.s_addr == b4->sin_addr.s_addr;
+ case AF_INET6:
+ a6 = (struct sockaddr_in6 *)a;
+ b6 = (struct sockaddr_in6 *)b;
+ return a6->sin6_port == b6->sin6_port &&
+#ifdef HAVE_SIN6_SCOPE_ID
+ a6->sin6_scope_id == b6->sin6_scope_id &&
+#endif
+ IN6_ARE_ADDR_EQUAL(&a6->sin6_addr, &b6->sin6_addr);
+ default:
+ return 0;
+ }
+}
+
+#ifdef NEED_PSELECT
+/* XXX needs to move to the porting library. */
+static int
+pselect(int nfds, void *rfds, void *wfds, void *efds,
+ struct timespec *tsp, const sigset_t *sigmask)
+{
+ struct timeval tv, *tvp;
+ sigset_t sigs;
+ int n;
+
+ if (tsp) {
+ tvp = &tv;
+ tv = evTimeVal(*tsp);
+ } else
+ tvp = NULL;
+ if (sigmask)
+ sigprocmask(SIG_SETMASK, sigmask, &sigs);
+ n = select(nfds, rfds, wfds, efds, tvp);
+ if (sigmask)
+ sigprocmask(SIG_SETMASK, &sigs, NULL);
+ if (tsp)
+ *tsp = evTimeSpec(tv);
+ return (n);
+}
+#endif
diff --git a/contrib/bind9/lib/bind/resolv/res_sendsigned.c b/contrib/bind9/lib/bind/resolv/res_sendsigned.c
new file mode 100644
index 0000000..1984377
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_sendsigned.c
@@ -0,0 +1,159 @@
+#include "port_before.h"
+#include "fd_setsize.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <arpa/inet.h>
+
+#include <isc/dst.h>
+
+#include <errno.h>
+#include <netdb.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "port_after.h"
+
+#define DEBUG
+#include "res_debug.h"
+
+
+/* res_nsendsigned */
+int
+res_nsendsigned(res_state statp, const u_char *msg, int msglen,
+ ns_tsig_key *key, u_char *answer, int anslen)
+{
+ res_state nstatp;
+ DST_KEY *dstkey;
+ int usingTCP = 0;
+ u_char *newmsg;
+ int newmsglen, bufsize, siglen;
+ u_char sig[64];
+ HEADER *hp;
+ time_t tsig_time;
+ int ret;
+ int len;
+
+ dst_init();
+
+ nstatp = (res_state) malloc(sizeof(*statp));
+ if (nstatp == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ memcpy(nstatp, statp, sizeof(*statp));
+
+ bufsize = msglen + 1024;
+ newmsg = (u_char *) malloc(bufsize);
+ if (newmsg == NULL) {
+ errno = ENOMEM;
+ return (-1);
+ }
+ memcpy(newmsg, msg, msglen);
+ newmsglen = msglen;
+
+ if (ns_samename(key->alg, NS_TSIG_ALG_HMAC_MD5) != 1)
+ dstkey = NULL;
+ else
+ dstkey = dst_buffer_to_key(key->name, KEY_HMAC_MD5,
+ NS_KEY_TYPE_AUTH_ONLY,
+ NS_KEY_PROT_ANY,
+ key->data, key->len);
+ if (dstkey == NULL) {
+ errno = EINVAL;
+ free(nstatp);
+ free(newmsg);
+ return (-1);
+ }
+
+ nstatp->nscount = 1;
+ siglen = sizeof(sig);
+ ret = ns_sign(newmsg, &newmsglen, bufsize, NOERROR, dstkey, NULL, 0,
+ sig, &siglen, 0);
+ if (ret < 0) {
+ free (nstatp);
+ free (newmsg);
+ dst_free_key(dstkey);
+ if (ret == NS_TSIG_ERROR_NO_SPACE)
+ errno = EMSGSIZE;
+ else if (ret == -1)
+ errno = EINVAL;
+ return (ret);
+ }
+
+ if (newmsglen > PACKETSZ || nstatp->options & RES_USEVC)
+ usingTCP = 1;
+ if (usingTCP == 0)
+ nstatp->options |= RES_IGNTC;
+ else
+ nstatp->options |= RES_USEVC;
+ /*
+ * Stop res_send printing the answer.
+ */
+ nstatp->options &= ~RES_DEBUG;
+ nstatp->pfcode &= ~RES_PRF_REPLY;
+
+retry:
+
+ len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);
+ if (ret < 0) {
+ free (nstatp);
+ free (newmsg);
+ dst_free_key(dstkey);
+ return (ret);
+ }
+
+ ret = ns_verify(answer, &len, dstkey, sig, siglen,
+ NULL, NULL, &tsig_time, nstatp->options & RES_KEEPTSIG);
+ if (ret != 0) {
+ Dprint((statp->options & RES_DEBUG) ||
+ ((statp->pfcode & RES_PRF_REPLY) &&
+ (statp->pfcode & RES_PRF_HEAD1)),
+ (stdout, ";; got answer:\n"));
+
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, "%s", ""),
+ answer, (anslen > len) ? len : anslen);
+
+ Dprint(statp->pfcode & RES_PRF_REPLY,
+ (stdout, ";; TSIG invalid (%s)\n", p_rcode(ret)));
+ free (nstatp);
+ free (newmsg);
+ dst_free_key(dstkey);
+ if (ret == -1)
+ errno = EINVAL;
+ else
+ errno = ENOTTY;
+ return (-1);
+ }
+
+ hp = (HEADER *) answer;
+ if (hp->tc && !usingTCP && (statp->options & RES_IGNTC) == 0U) {
+ nstatp->options &= ~RES_IGNTC;
+ usingTCP = 1;
+ goto retry;
+ }
+ Dprint((statp->options & RES_DEBUG) ||
+ ((statp->pfcode & RES_PRF_REPLY) &&
+ (statp->pfcode & RES_PRF_HEAD1)),
+ (stdout, ";; got answer:\n"));
+
+ DprintQ((statp->options & RES_DEBUG) ||
+ (statp->pfcode & RES_PRF_REPLY),
+ (stdout, "%s", ""),
+ answer, (anslen > len) ? len : anslen);
+
+ Dprint(statp->pfcode & RES_PRF_REPLY, (stdout, ";; TSIG ok\n"));
+
+ free (nstatp);
+ free (newmsg);
+ dst_free_key(dstkey);
+ return (len);
+}
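Review bot: The check right after `len = res_nsend(nstatp, newmsg, newmsglen, answer, anslen);` at the `retry:` label tests `ret` instead of `len`, so a failed send is never caught. At that point `ret` holds the non-negative result of `ns_sign()` (or 0 from a previous `ns_verify()` on the retry pass), so the branch is dead and a `len` of -1 is handed to `ns_verify()` together with whatever `answer` contains. The guard should read `if (len < 0) {` and end with `return (len);`. Separately, the `newmsg == NULL` branch returns without `free(nstatp);`, leaking the copied resolver state. `msglen` is also used in `msglen + 1024` and `memcpy(newmsg, msg, msglen)` with no range check, so a negative or very large value from a caller is not rejected here.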
diff --git a/contrib/bind9/lib/bind/resolv/res_update.c b/contrib/bind9/lib/bind/resolv/res_update.c
new file mode 100644
index 0000000..8783d8a
--- /dev/null
+++ b/contrib/bind9/lib/bind/resolv/res_update.c
@@ -0,0 +1,212 @@
+#if !defined(lint) && !defined(SABER)
+static const char rcsid[] = "$Id: res_update.c,v 1.6.2.4.4.2 2004/03/16 12:34:20 marka Exp $";
+#endif /* not lint */
+
+/*
+ * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (c) 1996-1999 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Based on the Dynamic DNS reference implementation by Viraj Bais
+ * <viraj_bais@ccm.fm.intel.com>
+ */
+
+#include "port_before.h"
+
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <arpa/nameser.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <netdb.h>
+#include <res_update.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/list.h>
+#include <resolv.h>
+
+#include "port_after.h"
+#include "res_private.h"
+
+/*
+ * Separate a linked list of records into groups so that all records
+ * in a group will belong to a single zone on the nameserver.
+ * Create a dynamic update packet for each zone and send it to the
+ * nameservers for that zone, and await answer.
+ * Abort if error occurs in updating any zone.
+ * Return the number of zones updated on success, < 0 on error.
+ *
+ * On error, caller must deal with the unsynchronized zones
+ * eg. an A record might have been successfully added to the forward
+ * zone but the corresponding PTR record would be missing if error
+ * was encountered while updating the reverse zone.
+ */
+
+struct zonegrp {
+ char z_origin[MAXDNAME];
+ ns_class z_class;
+ union res_sockaddr_union z_nsaddrs[MAXNS];
+ int z_nscount;
+ int z_flags;
+ LIST(ns_updrec) z_rrlist;
+ LINK(struct zonegrp) z_link;
+};
+
+#define ZG_F_ZONESECTADDED 0x0001
+
+/* Forward. */
+
+static void res_dprintf(const char *, ...) ISC_FORMAT_PRINTF(1, 2);
+
+/* Macros. */
+
+#define DPRINTF(x) do {\
+ int save_errno = errno; \
+ if ((statp->options & RES_DEBUG) != 0U) res_dprintf x; \
+ errno = save_errno; \
+ } while (0)
+
+/* Public. */
+
+int
+res_nupdate(res_state statp, ns_updrec *rrecp_in, ns_tsig_key *key) {
+ ns_updrec *rrecp;
+ u_char answer[PACKETSZ];
+ u_char *packet;
+ struct zonegrp *zptr, tgrp;
+ LIST(struct zonegrp) zgrps;
+ int nzones = 0, nscount = 0, n;
+ union res_sockaddr_union nsaddrs[MAXNS];
+
+ packet = malloc(NS_MAXMSG);
+ if (packet == NULL) {
+ DPRINTF(("malloc failed"));
+ return (0);
+ }
+ /* Thread all of the updates onto a list of groups. */
+ INIT_LIST(zgrps);
+ memset(&tgrp, 0, sizeof (tgrp));
+ for (rrecp = rrecp_in; rrecp;
+ rrecp = LINKED(rrecp, r_link) ? NEXT(rrecp, r_link) : NULL) {
+ int nscnt;
+ /* Find the origin for it if there is one. */
+ tgrp.z_class = rrecp->r_class;
+ nscnt = res_findzonecut2(statp, rrecp->r_dname, tgrp.z_class,
+ RES_EXHAUSTIVE, tgrp.z_origin,
+ sizeof tgrp.z_origin,
+ tgrp.z_nsaddrs, MAXNS);
+ if (nscnt <= 0) {
+ DPRINTF(("res_findzonecut failed (%d)", nscnt));
+ goto done;
+ }
+ tgrp.z_nscount = nscnt;
+ /* Find the group for it if there is one. */
+ for (zptr = HEAD(zgrps); zptr != NULL; zptr = NEXT(zptr, z_link))
+ if (ns_samename(tgrp.z_origin, zptr->z_origin) == 1 &&
+ tgrp.z_class == zptr->z_class)
+ break;
+ /* Make a group for it if there isn't one. */
+ if (zptr == NULL) {
+ zptr = malloc(sizeof *zptr);
+ if (zptr == NULL) {
+ DPRINTF(("malloc failed"));
+ goto done;
+ }
+ *zptr = tgrp;
+ zptr->z_flags = 0;
+ INIT_LINK(zptr, z_link);
+ INIT_LIST(zptr->z_rrlist);
+ APPEND(zgrps, zptr, z_link);
+ }
+ /* Thread this rrecp onto the right group. */
+ APPEND(zptr->z_rrlist, rrecp, r_glink);
+ }
+
+ for (zptr = HEAD(zgrps); zptr != NULL; zptr = NEXT(zptr, z_link)) {
+ /* Construct zone section and prepend it. */
+ rrecp = res_mkupdrec(ns_s_zn, zptr->z_origin,
+ zptr->z_class, ns_t_soa, 0);
+ if (rrecp == NULL) {
+ DPRINTF(("res_mkupdrec failed"));
+ goto done;
+ }
+ PREPEND(zptr->z_rrlist, rrecp, r_glink);
+ zptr->z_flags |= ZG_F_ZONESECTADDED;
+
+ /* Marshall the update message. */
+ n = res_nmkupdate(statp, HEAD(zptr->z_rrlist),
+ packet, NS_MAXMSG);
+ DPRINTF(("res_mkupdate -> %d", n));
+ if (n < 0)
+ goto done;
+
+ /* Temporarily replace the resolver's nameserver set. */
+ nscount = res_getservers(statp, nsaddrs, MAXNS);
+ res_setservers(statp, zptr->z_nsaddrs, zptr->z_nscount);
+
+ /* Send the update and remember the result. */
+ if (key != NULL)
+ n = res_nsendsigned(statp, packet, n, key,
+ answer, sizeof answer);
+ else
+ n = res_nsend(statp, packet, n, answer, sizeof answer);
+ if (n < 0) {
+ DPRINTF(("res_nsend: send error, n=%d (%s)\n",
+ n, strerror(errno)));
+ goto done;
+ }
+ if (((HEADER *)answer)->rcode == NOERROR)
+ nzones++;
+
+ /* Restore resolver's nameserver set. */
+ res_setservers(statp, nsaddrs, nscount);
+ nscount = 0;
+ }
+ done:
+ while (!EMPTY(zgrps)) {
+ zptr = HEAD(zgrps);
+ if ((zptr->z_flags & ZG_F_ZONESECTADDED) != 0)
+ res_freeupdrec(HEAD(zptr->z_rrlist));
+ UNLINK(zgrps, zptr, z_link);
+ free(zptr);
+ }
+ if (nscount != 0)
+ res_setservers(statp, nsaddrs, nscount);
+
+ free(packet);
+ return (nzones);
+}
+
+/* Private. */
+
+static void
+res_dprintf(const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ fputs(";; res_nupdate: ", stderr);
+ vfprintf(stderr, fmt, ap);
+ fputc('\n', stderr);
+ va_end(ap);
+}
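Review bot: The header comment promises `< 0 on error`, but every failure path in `res_nupdate()` returns `nzones`, which is never negative: the first `malloc` failure does `return (0);` and each `goto done` returns the count reached so far. A caller therefore cannot tell a failed or partially applied update from one that touched no zones, which is exactly the unsynchronized forward/reverse case the comment warns about. A reply whose rcode is not `NOERROR` is also skipped without a `DPRINTF`, so a refused update leaves no trace even with `RES_DEBUG` set. Either record a failure flag and `return (-1);` after the cleanup at `done:`, or, if existing callers depend on the count, change the comment to `Return the number of zones updated; errors are not reported separately.`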
diff --git a/contrib/bind9/lib/bind9/Makefile.in b/contrib/bind9/lib/bind9/Makefile.in
new file mode 100644
index 0000000..b526cd7
--- /dev/null
+++ b/contrib/bind9/lib/bind9/Makefile.in
@@ -0,0 +1,76 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.200.6 2004/07/20 07:01:57 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBBIND9_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
+ ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+
+# Alphabetically
+OBJS = check.@O@ getaddresses.@O@ version.@O@
+
+# Alphabetically
+SRCS = check.c getaddresses.c version.c
+
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libbind9.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libbind9.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libbind9.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS}
+
+timestamp: libbind9.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libbind9.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libbind9.@A@ timestamp
diff --git a/contrib/bind9/lib/bind9/api b/contrib/bind9/lib/bind9/api
new file mode 100644
index 0000000..dbaaf58
--- /dev/null
+++ b/contrib/bind9/lib/bind9/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 0
+LIBREVISION = 4
+LIBAGE = 0
diff --git a/contrib/bind9/lib/bind9/check.c b/contrib/bind9/lib/bind9/check.c
new file mode 100644
index 0000000..23b183e
--- /dev/null
+++ b/contrib/bind9/lib/bind9/check.c
@@ -0,0 +1,1412 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: check.c,v 1.37.6.28 2004/07/29 00:08:08 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/parseint.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/secalg.h>
+
+#include <isccfg/cfg.h>
+
+#include <bind9/check.h>
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+ UNUSED(type);
+ UNUSED(value);
+ isc_mem_free(userarg, key);
+}
+
+static isc_result_t
+check_orderent(cfg_obj_t *ent, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ isc_textregion_t r;
+ dns_fixedname_t fixed;
+ cfg_obj_t *obj;
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t rdtype;
+ isc_buffer_t b;
+ const char *str;
+
+ dns_fixedname_init(&fixed);
+ obj = cfg_tuple_get(ent, "class");
+ if (cfg_obj_isstring(obj)) {
+
+ DE_CONST(cfg_obj_asstring(obj), r.base);
+ r.length = strlen(r.base);
+ tresult = dns_rdataclass_fromtext(&rdclass, &r);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "rrset-order: invalid class '%s'",
+ r.base);
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ obj = cfg_tuple_get(ent, "type");
+ if (cfg_obj_isstring(obj)) {
+
+ DE_CONST(cfg_obj_asstring(obj), r.base);
+ r.length = strlen(r.base);
+ tresult = dns_rdatatype_fromtext(&rdtype, &r);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "rrset-order: invalid type '%s'",
+ r.base);
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ obj = cfg_tuple_get(ent, "name");
+ if (cfg_obj_isstring(obj)) {
+ str = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "rrset-order: invalid name '%s'", str);
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ obj = cfg_tuple_get(ent, "order");
+ if (!cfg_obj_isstring(obj) ||
+ strcasecmp("order", cfg_obj_asstring(obj)) != 0) {
+ cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+ "rrset-order: keyword 'order' missing");
+ result = ISC_R_FAILURE;
+ }
+
+ obj = cfg_tuple_get(ent, "ordering");
+ if (!cfg_obj_isstring(obj)) {
+ cfg_obj_log(ent, logctx, ISC_LOG_ERROR,
+ "rrset-order: missing ordering");
+ result = ISC_R_FAILURE;
+ } else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "rrset-order: order 'fixed' not implemented");
+ } else if (/* strcasecmp(cfg_obj_asstring(obj), "fixed") != 0 && */
+ strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
+ strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "rrset-order: invalid order '%s'",
+ cfg_obj_asstring(obj));
+ result = ISC_R_FAILURE;
+ }
+ return (result);
+}
+
+static isc_result_t
+check_order(cfg_obj_t *options, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ cfg_listelt_t *element;
+ cfg_obj_t *obj = NULL;
+
+ if (cfg_map_get(options, "rrset-order", &obj) != ISC_R_SUCCESS)
+ return (result);
+
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ tresult = check_orderent(cfg_listelt_value(element), logctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ return (result);
+}
+
+static isc_result_t
+check_dual_stack(cfg_obj_t *options, isc_log_t *logctx) {
+ cfg_listelt_t *element;
+ cfg_obj_t *alternates = NULL;
+ cfg_obj_t *value;
+ cfg_obj_t *obj;
+ char *str;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t buffer;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+
+ (void)cfg_map_get(options, "dual-stack-servers", &alternates);
+
+ if (alternates == NULL)
+ return (ISC_R_SUCCESS);
+
+ obj = cfg_tuple_get(alternates, "port");
+ if (cfg_obj_isuint32(obj)) {
+ isc_uint32_t val = cfg_obj_asuint32(obj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ result = ISC_R_FAILURE;
+ }
+ }
+ obj = cfg_tuple_get(alternates, "addresses");
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ value = cfg_listelt_value(element);
+ if (cfg_obj_issockaddr(value))
+ continue;
+ obj = cfg_tuple_get(value, "name");
+ str = cfg_obj_asstring(obj);
+ isc_buffer_init(&buffer, str, strlen(str));
+ isc_buffer_add(&buffer, strlen(str));
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ tresult = dns_name_fromtext(name, &buffer, dns_rootname,
+ ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad name '%s'", str);
+ result = ISC_R_FAILURE;
+ }
+ obj = cfg_tuple_get(value, "port");
+ if (cfg_obj_isuint32(obj)) {
+ isc_uint32_t val = cfg_obj_asuint32(obj);
+ if (val > ISC_UINT16_MAX) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "port '%u' out of range", val);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+ return (result);
+}
+
+static isc_result_t
+check_forward(cfg_obj_t *options, isc_log_t *logctx) {
+ cfg_obj_t *forward = NULL;
+ cfg_obj_t *forwarders = NULL;
+
+ (void)cfg_map_get(options, "forward", &forward);
+ (void)cfg_map_get(options, "forwarders", &forwarders);
+
+ if (forward != NULL && forwarders == NULL) {
+ cfg_obj_log(forward, logctx, ISC_LOG_ERROR,
+ "no matching 'forwarders' statement");
+ return (ISC_R_FAILURE);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+disabled_algorithms(cfg_obj_t *disabled, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ cfg_listelt_t *element;
+ const char *str;
+ isc_buffer_t b;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ cfg_obj_t *obj;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ obj = cfg_tuple_get(disabled, "name");
+ str = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", str);
+ result = tresult;
+ }
+
+ obj = cfg_tuple_get(disabled, "algorithms");
+
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ isc_textregion_t r;
+ dns_secalg_t alg;
+ isc_result_t tresult;
+
+ r.base = cfg_obj_asstring(cfg_listelt_value(element));
+ r.length = strlen(r.base);
+
+ tresult = dns_secalg_fromtext(&alg, &r);
+ if (tresult != ISC_R_SUCCESS) {
+ isc_uint8_t ui;
+ result = isc_parse_uint8(&ui, r.base, 10);
+ }
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(cfg_listelt_value(element), logctx,
+ ISC_LOG_ERROR, "invalid algorithm");
+ result = tresult;
+ }
+ }
+ return (result);
+}
+
+static isc_result_t
+nameexist(cfg_obj_t *obj, const char *name, int value, isc_symtab_t *symtab,
+ const char *fmt, isc_log_t *logctx, isc_mem_t *mctx)
+{
+ char *key;
+ const char *file;
+ unsigned int line;
+ isc_result_t result;
+ isc_symvalue_t symvalue;
+
+ key = isc_mem_strdup(mctx, name);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+ symvalue.as_pointer = obj;
+ result = isc_symtab_define(symtab, key, value, symvalue,
+ isc_symexists_reject);
+ if (result == ISC_R_EXISTS) {
+ RUNTIME_CHECK(isc_symtab_lookup(symtab, key, value,
+ &symvalue) == ISC_R_SUCCESS);
+ file = cfg_obj_file(symvalue.as_pointer);
+ line = cfg_obj_line(symvalue.as_pointer);
+
+ if (file == NULL)
+ file = "<unknown file>";
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR, fmt, key, file, line);
+ isc_mem_free(mctx, key);
+ result = ISC_R_EXISTS;
+ } else if (result != ISC_R_SUCCESS) {
+ isc_mem_free(mctx, key);
+ }
+ return (result);
+}
+
+static isc_result_t
+mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx,
+ isc_mem_t *mctx)
+{
+ cfg_obj_t *obj;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ const char *str;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t b;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ obj = cfg_tuple_get(secure, "name");
+ str = cfg_obj_asstring(obj);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", str);
+ } else {
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ result = nameexist(secure, namebuf, 1, symtab,
+ "dnssec-must-be-secure '%s': already "
+ "exists previous definition: %s:%u",
+ logctx, mctx);
+ }
+ return (result);
+}
+
+typedef struct {
+ const char *name;
+ unsigned int scale;
+ unsigned int max;
+} intervaltable;
+
+static isc_result_t
+check_options(cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ unsigned int i;
+ cfg_obj_t *obj = NULL;
+ cfg_listelt_t *element;
+ isc_symtab_t *symtab = NULL;
+
+ static intervaltable intervals[] = {
+ { "cleaning-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "heartbeat-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "interface-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-idle-in", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
+ { "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
+ { "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */
+ { "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
+ };
+
+ /*
+ * Check that fields specified in units of time other than seconds
+ * have reasonable values.
+ */
+ for (i = 0; i < sizeof(intervals) / sizeof(intervals[0]); i++) {
+ isc_uint32_t val;
+ obj = NULL;
+ (void)cfg_map_get(options, intervals[i].name, &obj);
+ if (obj == NULL)
+ continue;
+ val = cfg_obj_asuint32(obj);
+ if (val > intervals[i].max) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "%s '%u' is out of range (0..%u)",
+ intervals[i].name, val,
+ intervals[i].max);
+ result = ISC_R_RANGE;
+ } else if (val > (ISC_UINT32_MAX / intervals[i].scale)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "%s '%d' is out of range",
+ intervals[i].name, val);
+ result = ISC_R_RANGE;
+ }
+ }
+ obj = NULL;
+ (void)cfg_map_get(options, "preferred-glue", &obj);
+ if (obj != NULL) {
+ const char *str;
+ str = cfg_obj_asstring(obj);
+ if (strcasecmp(str, "a") != 0 &&
+ strcasecmp(str, "aaaa") != 0 &&
+ strcasecmp(str, "none") != 0)
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "preferred-glue unexpected value '%s'",
+ str);
+ }
+ obj = NULL;
+ (void)cfg_map_get(options, "root-delegation-only", &obj);
+ if (obj != NULL) {
+ if (!cfg_obj_isvoid(obj)) {
+ cfg_listelt_t *element;
+ cfg_obj_t *exclude;
+ char *str;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t b;
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element)) {
+ exclude = cfg_listelt_value(element);
+ str = cfg_obj_asstring(exclude);
+ isc_buffer_init(&b, str, strlen(str));
+ isc_buffer_add(&b, strlen(str));
+ tresult = dns_name_fromtext(name, &b,
+ dns_rootname,
+ ISC_FALSE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'",
+ str);
+ result = tresult;
+ }
+ }
+ }
+ }
+
+ /*
+ * Set supported DNSSEC algorithms.
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "disable-algorithms", &obj);
+ if (obj != NULL) {
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ tresult = disabled_algorithms(obj, logctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+
+ /*
+ * Check the DLV zone name.
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "dnssec-lookaside", &obj);
+ if (obj != NULL) {
+ tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+ ISC_TRUE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ dns_fixedname_t fixedname;
+ dns_name_t *name;
+ const char *dlv;
+ isc_buffer_t b;
+
+ obj = cfg_listelt_value(element);
+
+ dlv = cfg_obj_asstring(cfg_tuple_get(obj, "domain"));
+ dns_fixedname_init(&fixedname);
+ name = dns_fixedname_name(&fixedname);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ tresult = dns_name_fromtext(name, &b, dns_rootname,
+ ISC_TRUE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", dlv);
+ result = tresult;
+ }
+ if (symtab != NULL) {
+ tresult = nameexist(obj, dlv, 1, symtab,
+ "dnssec-lookaside '%s': "
+ "already exists previous "
+ "definition: %s:%u",
+ logctx, mctx);
+ if (tresult != ISC_R_SUCCESS &&
+ result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+ /*
+ * XXXMPA to be removed when multiple lookaside
+ * namespaces are supported.
+ */
+ if (!dns_name_equal(dns_rootname, name)) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "dnssec-lookaside '%s': "
+ "non-root not yet supported", dlv);
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+ dlv = cfg_obj_asstring(cfg_tuple_get(obj,
+ "trust-anchor"));
+ dns_fixedname_init(&fixedname);
+ isc_buffer_init(&b, dlv, strlen(dlv));
+ isc_buffer_add(&b, strlen(dlv));
+ tresult = dns_name_fromtext(name, &b, dns_rootname,
+ ISC_TRUE, NULL);
+ if (tresult != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "bad domain name '%s'", dlv);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+ }
+ if (symtab != NULL)
+ isc_symtab_destroy(&symtab);
+ }
+
+ /*
+ * Check dnssec-must-be-secure.
+ */
+ obj = NULL;
+ (void)cfg_map_get(options, "dnssec-must-be-secure", &obj);
+ if (obj != NULL) {
+ isc_symtab_t *symtab = NULL;
+ tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+ ISC_FALSE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ for (element = cfg_list_first(obj);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ obj = cfg_listelt_value(element);
+ tresult = mustbesecure(obj, symtab, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+ if (symtab != NULL)
+ isc_symtab_destroy(&symtab);
+ }
+
+ return (result);
+}
+
+static isc_result_t
+get_masters_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *masters = NULL;
+ cfg_listelt_t *elt;
+
+ result = cfg_map_get(cctx, "masters", &masters);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ for (elt = cfg_list_first(masters);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ cfg_obj_t *list;
+ const char *listname;
+
+ list = cfg_listelt_value(elt);
+ listname = cfg_obj_asstring(cfg_tuple_get(list, "name"));
+
+ if (strcasecmp(listname, name) == 0) {
+ *ret = list;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp,
+ isc_log_t *logctx, isc_mem_t *mctx)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ isc_uint32_t count = 0;
+ isc_symtab_t *symtab = NULL;
+ isc_symvalue_t symvalue;
+ cfg_listelt_t *element;
+ cfg_listelt_t **stack = NULL;
+ isc_uint32_t stackcount = 0, pushed = 0;
+ cfg_obj_t *list;
+
+ REQUIRE(countp != NULL);
+ result = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE, &symtab);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ newlist:
+ list = cfg_tuple_get(obj, "addresses");
+ element = cfg_list_first(list);
+ resume:
+ for ( ;
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ char *listname;
+ cfg_obj_t *addr;
+ cfg_obj_t *key;
+
+ addr = cfg_tuple_get(cfg_listelt_value(element),
+ "masterselement");
+ key = cfg_tuple_get(cfg_listelt_value(element), "key");
+
+ if (cfg_obj_issockaddr(addr)) {
+ count++;
+ continue;
+ }
+ if (!cfg_obj_isvoid(key)) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "unexpected token '%s'",
+ cfg_obj_asstring(key));
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+ listname = cfg_obj_asstring(addr);
+ symvalue.as_pointer = addr;
+ tresult = isc_symtab_define(symtab, listname, 1, symvalue,
+ isc_symexists_reject);
+ if (tresult == ISC_R_EXISTS)
+ continue;
+ tresult = get_masters_def(config, listname, &obj);
+ if (tresult != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ cfg_obj_log(addr, logctx, ISC_LOG_ERROR,
+ "unable to find masters list '%s'",
+ listname);
+ continue;
+ }
+ /* Grow stack? */
+ if (stackcount == pushed) {
+ void * new;
+ isc_uint32_t newlen = stackcount + 16;
+ size_t newsize, oldsize;
+
+ newsize = newlen * sizeof(*stack);
+ oldsize = stackcount * sizeof(*stack);
+ new = isc_mem_get(mctx, newsize);
+ if (new == NULL)
+ goto cleanup;
+ if (stackcount != 0) {
+ memcpy(new, stack, oldsize);
+ isc_mem_put(mctx, stack, oldsize);
+ }
+ stack = new;
+ stackcount = newlen;
+ }
+ stack[pushed++] = cfg_list_next(element);
+ goto newlist;
+ }
+ if (pushed != 0) {
+ element = stack[--pushed];
+ goto resume;
+ }
+ cleanup:
+ if (stack != NULL)
+ isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+ isc_symtab_destroy(&symtab);
+ *countp = count;
+ return (result);
+}
+
+#define MASTERZONE 1
+#define SLAVEZONE 2
+#define STUBZONE 4
+#define HINTZONE 8
+#define FORWARDZONE 16
+#define DELEGATIONZONE 32
+
+typedef struct {
+ const char *name;
+ int allowed;
+} optionstable;
+
+static isc_result_t
+check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab,
+ dns_rdataclass_t defclass, isc_log_t *logctx, isc_mem_t *mctx)
+{
+ const char *zname;
+ const char *typestr;
+ unsigned int ztype;
+ cfg_obj_t *zoptions;
+ cfg_obj_t *obj = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ unsigned int i;
+ dns_rdataclass_t zclass;
+ dns_fixedname_t fixedname;
+ isc_buffer_t b;
+
+ static optionstable options[] = {
+ { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "allow-notify", SLAVEZONE },
+ { "allow-transfer", MASTERZONE | SLAVEZONE },
+ { "notify", MASTERZONE | SLAVEZONE },
+ { "also-notify", MASTERZONE | SLAVEZONE },
+ { "dialup", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "delegation-only", HINTZONE | STUBZONE },
+ { "forward", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
+ { "forwarders", MASTERZONE | SLAVEZONE | STUBZONE | FORWARDZONE},
+ { "maintain-ixfr-base", MASTERZONE | SLAVEZONE },
+ { "max-ixfr-log-size", MASTERZONE | SLAVEZONE },
+ { "notify-source", MASTERZONE | SLAVEZONE },
+ { "notify-source-v6", MASTERZONE | SLAVEZONE },
+ { "transfer-source", SLAVEZONE | STUBZONE },
+ { "transfer-source-v6", SLAVEZONE | STUBZONE },
+ { "max-transfer-time-in", SLAVEZONE | STUBZONE },
+ { "max-transfer-time-out", MASTERZONE | SLAVEZONE },
+ { "max-transfer-idle-in", SLAVEZONE | STUBZONE },
+ { "max-transfer-idle-out", MASTERZONE | SLAVEZONE },
+ { "max-retry-time", SLAVEZONE | STUBZONE },
+ { "min-retry-time", SLAVEZONE | STUBZONE },
+ { "max-refresh-time", SLAVEZONE | STUBZONE },
+ { "min-refresh-time", SLAVEZONE | STUBZONE },
+ { "sig-validity-interval", MASTERZONE },
+ { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "allow-update", MASTERZONE },
+ { "allow-update-forwarding", SLAVEZONE },
+ { "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE},
+ { "ixfr-base", MASTERZONE | SLAVEZONE },
+ { "ixfr-tmp-file", MASTERZONE | SLAVEZONE },
+ { "masters", SLAVEZONE | STUBZONE },
+ { "pubkey", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "update-policy", MASTERZONE },
+ { "database", MASTERZONE | SLAVEZONE | STUBZONE },
+ { "key-directory", MASTERZONE },
+ };
+
+ static optionstable dialups[] = {
+ { "notify", MASTERZONE | SLAVEZONE },
+ { "notify-passive", SLAVEZONE },
+ { "refresh", SLAVEZONE | STUBZONE },
+ { "passive", SLAVEZONE | STUBZONE },
+ };
+
+ zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
+
+ zoptions = cfg_tuple_get(zconfig, "options");
+
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "type", &obj);
+ if (obj == NULL) {
+ cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+ "zone '%s': type not present", zname);
+ return (ISC_R_FAILURE);
+ }
+
+ typestr = cfg_obj_asstring(obj);
+ if (strcasecmp(typestr, "master") == 0)
+ ztype = MASTERZONE;
+ else if (strcasecmp(typestr, "slave") == 0)
+ ztype = SLAVEZONE;
+ else if (strcasecmp(typestr, "stub") == 0)
+ ztype = STUBZONE;
+ else if (strcasecmp(typestr, "forward") == 0)
+ ztype = FORWARDZONE;
+ else if (strcasecmp(typestr, "hint") == 0)
+ ztype = HINTZONE;
+ else if (strcasecmp(typestr, "delegation-only") == 0)
+ ztype = DELEGATIONZONE;
+ else {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "zone '%s': invalid type %s",
+ zname, typestr);
+ return (ISC_R_FAILURE);
+ }
+
+ obj = cfg_tuple_get(zconfig, "class");
+ if (cfg_obj_isstring(obj)) {
+ isc_textregion_t r;
+
+ DE_CONST(cfg_obj_asstring(obj), r.base);
+ r.length = strlen(r.base);
+ result = dns_rdataclass_fromtext(&zclass, &r);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "zone '%s': invalid class %s",
+ zname, r.base);
+ return (ISC_R_FAILURE);
+ }
+ if (zclass != defclass) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "zone '%s': class '%s' does not "
+ "match view/default class",
+ zname, r.base);
+ return (ISC_R_FAILURE);
+ }
+ }
+
+ /*
+ * Look for an already existing zone.
+ * We need to make this cannonical as isc_symtab_define()
+ * deals with strings.
+ */
+ dns_fixedname_init(&fixedname);
+ isc_buffer_init(&b, zname, strlen(zname));
+ isc_buffer_add(&b, strlen(zname));
+ tresult = dns_name_fromtext(dns_fixedname_name(&fixedname), &b,
+ dns_rootname, ISC_TRUE, NULL);
+ if (result != ISC_R_SUCCESS) {
+ cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+ "zone '%s': is not a valid name", zname);
+ tresult = ISC_R_FAILURE;
+ } else {
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(dns_fixedname_name(&fixedname),
+ namebuf, sizeof(namebuf));
+ tresult = nameexist(zconfig, namebuf, ztype == HINTZONE ? 1 : 2,
+ symtab, "zone '%s': already exists "
+ "previous definition: %s:%u", logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ }
+
+ /*
+ * Look for inappropriate options for the given zone type.
+ */
+ for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) {
+ obj = NULL;
+ if ((options[i].allowed & ztype) == 0 &&
+ cfg_map_get(zoptions, options[i].name, &obj) ==
+ ISC_R_SUCCESS)
+ {
+ if (strcmp(options[i].name, "allow-update") != 0 ||
+ ztype != SLAVEZONE) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "option '%s' is not allowed "
+ "in '%s' zone '%s'",
+ options[i].name, typestr, zname);
+ result = ISC_R_FAILURE;
+ } else
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "option '%s' is not allowed "
+ "in '%s' zone '%s'",
+ options[i].name, typestr, zname);
+ }
+ }
+
+ /*
+ * Slave & stub zones must have a "masters" field.
+ */
+ if (ztype == SLAVEZONE || ztype == STUBZONE) {
+ obj = NULL;
+ if (cfg_map_get(zoptions, "masters", &obj) != ISC_R_SUCCESS) {
+ cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+ "zone '%s': missing 'masters' entry",
+ zname);
+ result = ISC_R_FAILURE;
+ } else {
+ isc_uint32_t count;
+ tresult = validate_masters(obj, config, &count,
+ logctx, mctx);
+ if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+ result = tresult;
+ if (tresult == ISC_R_SUCCESS && count == 0) {
+ cfg_obj_log(zoptions, logctx, ISC_LOG_ERROR,
+ "zone '%s': empty 'masters' entry",
+ zname);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
+ /*
+ * Master zones can't have both "allow-update" and "update-policy".
+ */
+ if (ztype == MASTERZONE) {
+ isc_result_t res1, res2;
+ obj = NULL;
+ res1 = cfg_map_get(zoptions, "allow-update", &obj);
+ obj = NULL;
+ res2 = cfg_map_get(zoptions, "update-policy", &obj);
+ if (res1 == ISC_R_SUCCESS && res2 == ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "zone '%s': 'allow-update' is ignored "
+ "when 'update-policy' is present",
+ zname);
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ /*
+ * Check the excessively complicated "dialup" option.
+ */
+ if (ztype == MASTERZONE || ztype == SLAVEZONE || ztype == STUBZONE) {
+ cfg_obj_t *dialup = NULL;
+ (void)cfg_map_get(zoptions, "dialup", &dialup);
+ if (dialup != NULL && cfg_obj_isstring(dialup)) {
+ char *str = cfg_obj_asstring(dialup);
+ for (i = 0;
+ i < sizeof(dialups) / sizeof(dialups[0]);
+ i++)
+ {
+ if (strcasecmp(dialups[i].name, str) != 0)
+ continue;
+ if ((dialups[i].allowed & ztype) == 0) {
+ cfg_obj_log(obj, logctx,
+ ISC_LOG_ERROR,
+ "dialup type '%s' is not "
+ "allowed in '%s' "
+ "zone '%s'",
+ str, typestr, zname);
+ result = ISC_R_FAILURE;
+ }
+ break;
+ }
+ if (i == sizeof(dialups) / sizeof(dialups[0])) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "invalid dialup type '%s' in zone "
+ "'%s'", str, zname);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+
+ /*
+ * Check that forwarding is reasonable.
+ */
+ if (check_forward(zoptions, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ /*
+ * Check various options.
+ */
+ tresult = check_options(zoptions, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
+ return (result);
+}
+
+isc_result_t
+bind9_check_key(cfg_obj_t *key, isc_log_t *logctx) {
+ cfg_obj_t *algobj = NULL;
+ cfg_obj_t *secretobj = NULL;
+ const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+
+ (void)cfg_map_get(key, "algorithm", &algobj);
+ (void)cfg_map_get(key, "secret", &secretobj);
+ if (secretobj == NULL || algobj == NULL) {
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "key '%s' must have both 'secret' and "
+ "'algorithm' defined",
+ keyname);
+ return (ISC_R_FAILURE);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+check_keylist(cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ cfg_listelt_t *element;
+
+ for (element = cfg_list_first(keys);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ cfg_obj_t *key = cfg_listelt_value(element);
+ const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+ isc_symvalue_t symvalue;
+
+ symvalue.as_pointer = key;
+ tresult = isc_symtab_define(symtab, keyname, 1,
+ symvalue, isc_symexists_reject);
+ if (tresult == ISC_R_EXISTS) {
+ const char *file;
+ unsigned int line;
+
+ RUNTIME_CHECK(isc_symtab_lookup(symtab, keyname,
+ 1, &symvalue) == ISC_R_SUCCESS);
+ file = cfg_obj_file(symvalue.as_pointer);
+ line = cfg_obj_line(symvalue.as_pointer);
+
+ if (file == NULL)
+ file = "<unknown file>";
+ cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+ "key '%s': already exists "
+ "previous definition: %s:%u",
+ keyname, file, line);
+ result = tresult;
+ } else if (tresult != ISC_R_SUCCESS)
+ return (tresult);
+
+ tresult = bind9_check_key(key, logctx);
+ if (tresult != ISC_R_SUCCESS)
+ return (tresult);
+ }
+ return (result);
+}
+
+static isc_result_t
+check_servers(cfg_obj_t *servers, isc_log_t *logctx) {
+ isc_result_t result = ISC_R_SUCCESS;
+ cfg_listelt_t *e1, *e2;
+ cfg_obj_t *v1, *v2;
+ isc_sockaddr_t *s1, *s2;
+ isc_netaddr_t na;
+ cfg_obj_t *ts;
+ char buf[128];
+ const char *xfr;
+ isc_buffer_t target;
+
+ for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
+ v1 = cfg_listelt_value(e1);
+ s1 = cfg_obj_assockaddr(cfg_map_getname(v1));
+ ts = NULL;
+ if (isc_sockaddr_pf(s1) == AF_INET)
+ xfr = "transfer-source-v6";
+ else
+ xfr = "transfer-source";
+ (void)cfg_map_get(v1, xfr, &ts);
+ if (ts != NULL) {
+ isc_netaddr_fromsockaddr(&na, s1);
+ isc_buffer_init(&target, buf, sizeof(buf) - 1);
+ RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
+ == ISC_R_SUCCESS);
+ buf[isc_buffer_usedlength(&target)] = '\0';
+ cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
+ "server '%s': %s not valid", buf, xfr);
+ result = ISC_R_FAILURE;
+ }
+ e2 = e1;
+ while ((e2 = cfg_list_next(e2)) != NULL) {
+ v2 = cfg_listelt_value(e2);
+ s2 = cfg_obj_assockaddr(cfg_map_getname(v2));
+ if (isc_sockaddr_eqaddr(s1, s2)) {
+ const char *file = cfg_obj_file(v1);
+ unsigned int line = cfg_obj_line(v1);
+
+ if (file == NULL)
+ file = "<unknown file>";
+
+ isc_netaddr_fromsockaddr(&na, s2);
+ isc_buffer_init(&target, buf, sizeof(buf) - 1);
+ RUNTIME_CHECK(isc_netaddr_totext(&na, &target)
+ == ISC_R_SUCCESS);
+ buf[isc_buffer_usedlength(&target)] = '\0';
+
+ cfg_obj_log(v2, logctx, ISC_LOG_ERROR,
+ "server '%s': already exists "
+ "previous definition: %s:%u",
+ buf, file, line);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+ return (result);
+}
+
+static isc_result_t
+check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass,
+ isc_log_t *logctx, isc_mem_t *mctx)
+{
+ cfg_obj_t *servers = NULL;
+ cfg_obj_t *zones = NULL;
+ cfg_obj_t *keys = NULL;
+ cfg_listelt_t *element;
+ isc_symtab_t *symtab = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult = ISC_R_SUCCESS;
+
+ /*
+ * Check that all zone statements are syntactically correct and
+ * there are no duplicate zones.
+ */
+ tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+ ISC_FALSE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ return (ISC_R_NOMEMORY);
+
+ if (vconfig != NULL)
+ (void)cfg_map_get(vconfig, "zone", &zones);
+ else
+ (void)cfg_map_get(config, "zone", &zones);
+
+ for (element = cfg_list_first(zones);
+ element != NULL;
+ element = cfg_list_next(element))
+ {
+ isc_result_t tresult;
+ cfg_obj_t *zone = cfg_listelt_value(element);
+
+ tresult = check_zoneconf(zone, config, symtab, vclass,
+ logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+
+ isc_symtab_destroy(&symtab);
+
+ /*
+ * Check that all key statements are syntactically correct and
+ * there are no duplicate keys.
+ */
+ tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ return (ISC_R_NOMEMORY);
+
+ (void)cfg_map_get(config, "key", &keys);
+ tresult = check_keylist(keys, symtab, logctx);
+ if (tresult == ISC_R_EXISTS)
+ result = ISC_R_FAILURE;
+ else if (tresult != ISC_R_SUCCESS) {
+ isc_symtab_destroy(&symtab);
+ return (tresult);
+ }
+
+ if (vconfig != NULL) {
+ keys = NULL;
+ (void)cfg_map_get(vconfig, "key", &keys);
+ tresult = check_keylist(keys, symtab, logctx);
+ if (tresult == ISC_R_EXISTS)
+ result = ISC_R_FAILURE;
+ else if (tresult != ISC_R_SUCCESS) {
+ isc_symtab_destroy(&symtab);
+ return (tresult);
+ }
+ }
+
+ isc_symtab_destroy(&symtab);
+
+ /*
+ * Check that forwarding is reasonable.
+ */
+ if (vconfig == NULL) {
+ cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ if (check_forward(options, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ } else {
+ if (check_forward(vconfig, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+ /*
+ * Check that dual-stack-servers is reasonable.
+ */
+ if (vconfig == NULL) {
+ cfg_obj_t *options = NULL;
+ (void)cfg_map_get(config, "options", &options);
+ if (options != NULL)
+ if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ } else {
+ if (check_dual_stack(vconfig, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+
+ /*
+ * Check that rrset-order is reasonable.
+ */
+ if (vconfig != NULL) {
+ if (check_order(vconfig, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+
+ if (vconfig != NULL) {
+ (void)cfg_map_get(vconfig, "server", &servers);
+ if (servers != NULL &&
+ check_servers(servers, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+
+ if (vconfig != NULL)
+ tresult = check_options(vconfig, logctx, mctx);
+ else
+ tresult = check_options(config, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+
+ return (result);
+}
+
+
+isc_result_t
+bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) {
+ cfg_obj_t *options = NULL;
+ cfg_obj_t *servers = NULL;
+ cfg_obj_t *views = NULL;
+ cfg_obj_t *acls = NULL;
+ cfg_obj_t *kals = NULL;
+ cfg_obj_t *obj;
+ cfg_listelt_t *velement;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t tresult;
+ isc_symtab_t *symtab = NULL;
+
+ static const char *builtin[] = { "localhost", "localnets",
+ "any", "none"};
+
+ (void)cfg_map_get(config, "options", &options);
+
+ if (options != NULL &&
+ check_options(options, logctx, mctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ (void)cfg_map_get(config, "server", &servers);
+ if (servers != NULL &&
+ check_servers(servers, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ if (options != NULL &&
+ check_order(options, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ (void)cfg_map_get(config, "view", &views);
+
+ if (views != NULL && options != NULL)
+ if (check_dual_stack(options, logctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+
+ if (views == NULL) {
+ if (check_viewconf(config, NULL, dns_rdataclass_in,
+ logctx, mctx) != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ } else {
+ cfg_obj_t *zones = NULL;
+
+ (void)cfg_map_get(config, "zone", &zones);
+ if (zones != NULL) {
+ cfg_obj_log(zones, logctx, ISC_LOG_ERROR,
+ "when using 'view' statements, "
+ "all zones must be in views");
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
+ if (tresult != ISC_R_SUCCESS)
+ result = tresult;
+ for (velement = cfg_list_first(views);
+ velement != NULL;
+ velement = cfg_list_next(velement))
+ {
+ cfg_obj_t *view = cfg_listelt_value(velement);
+ cfg_obj_t *vname = cfg_tuple_get(view, "name");
+ cfg_obj_t *voptions = cfg_tuple_get(view, "options");
+ cfg_obj_t *vclassobj = cfg_tuple_get(view, "class");
+ dns_rdataclass_t vclass = dns_rdataclass_in;
+ isc_result_t tresult = ISC_R_SUCCESS;
+ const char *key = cfg_obj_asstring(vname);
+ isc_symvalue_t symvalue;
+
+ if (cfg_obj_isstring(vclassobj)) {
+ isc_textregion_t r;
+
+ DE_CONST(cfg_obj_asstring(vclassobj), r.base);
+ r.length = strlen(r.base);
+ tresult = dns_rdataclass_fromtext(&vclass, &r);
+ if (tresult != ISC_R_SUCCESS)
+ cfg_obj_log(vclassobj, logctx, ISC_LOG_ERROR,
+ "view '%s': invalid class %s",
+ cfg_obj_asstring(vname), r.base);
+ }
+ if (tresult == ISC_R_SUCCESS && symtab != NULL) {
+ symvalue.as_pointer = view;
+ tresult = isc_symtab_define(symtab, key, vclass,
+ symvalue,
+ isc_symexists_reject);
+ if (tresult == ISC_R_EXISTS) {
+ const char *file;
+ unsigned int line;
+ RUNTIME_CHECK(isc_symtab_lookup(symtab, key,
+ vclass, &symvalue) == ISC_R_SUCCESS);
+ file = cfg_obj_file(symvalue.as_pointer);
+ line = cfg_obj_line(symvalue.as_pointer);
+ cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+ "view '%s': already exists "
+ "previous definition: %s:%u",
+ key, file, line);
+ result = tresult;
+ } else if (result != ISC_R_SUCCESS) {
+ result = tresult;
+ } else if ((strcasecmp(key, "_bind") == 0 &&
+ vclass == dns_rdataclass_ch) ||
+ (strcasecmp(key, "_default") == 0 &&
+ vclass == dns_rdataclass_in)) {
+ cfg_obj_log(view, logctx, ISC_LOG_ERROR,
+ "attempt to redefine builtin view "
+ "'%s'", key);
+ result = ISC_R_EXISTS;
+ }
+ }
+ if (tresult == ISC_R_SUCCESS)
+ tresult = check_viewconf(config, voptions,
+ vclass, logctx, mctx);
+ if (tresult != ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ }
+ if (symtab != NULL)
+ isc_symtab_destroy(&symtab);
+
+ if (views != NULL && options != NULL) {
+ obj = NULL;
+ tresult = cfg_map_get(options, "cache-file", &obj);
+ if (tresult == ISC_R_SUCCESS) {
+ cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+ "'cache-file' cannot be a global "
+ "option if views are present");
+ result = ISC_R_FAILURE;
+ }
+ }
+
+ tresult = cfg_map_get(config, "acl", &acls);
+ if (tresult == ISC_R_SUCCESS) {
+ cfg_listelt_t *elt;
+ cfg_listelt_t *elt2;
+ const char *aclname;
+
+ for (elt = cfg_list_first(acls);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ cfg_obj_t *acl = cfg_listelt_value(elt);
+ unsigned int i;
+
+ aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+ for (i = 0;
+ i < sizeof(builtin) / sizeof(builtin[0]);
+ i++)
+ if (strcasecmp(aclname, builtin[i]) == 0) {
+ cfg_obj_log(acl, logctx, ISC_LOG_ERROR,
+ "attempt to redefine "
+ "builtin acl '%s'",
+ aclname);
+ result = ISC_R_FAILURE;
+ break;
+ }
+
+ for (elt2 = cfg_list_next(elt);
+ elt2 != NULL;
+ elt2 = cfg_list_next(elt2)) {
+ cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+ const char *name;
+ name = cfg_obj_asstring(cfg_tuple_get(acl2,
+ "name"));
+ if (strcasecmp(aclname, name) == 0) {
+ const char *file = cfg_obj_file(acl);
+ unsigned int line = cfg_obj_line(acl);
+
+ if (file == NULL)
+ file = "<unknown file>";
+
+ cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+ "attempt to redefine "
+ "acl '%s' previous "
+ "definition: %s:%u",
+ name, file, line);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+ }
+
+ tresult = cfg_map_get(config, "kal", &kals);
+ if (tresult == ISC_R_SUCCESS) {
+ cfg_listelt_t *elt;
+ cfg_listelt_t *elt2;
+ const char *aclname;
+
+ for (elt = cfg_list_first(kals);
+ elt != NULL;
+ elt = cfg_list_next(elt)) {
+ cfg_obj_t *acl = cfg_listelt_value(elt);
+
+ aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
+
+ for (elt2 = cfg_list_next(elt);
+ elt2 != NULL;
+ elt2 = cfg_list_next(elt2)) {
+ cfg_obj_t *acl2 = cfg_listelt_value(elt2);
+ const char *name;
+ name = cfg_obj_asstring(cfg_tuple_get(acl2,
+ "name"));
+ if (strcasecmp(aclname, name) == 0) {
+ const char *file = cfg_obj_file(acl);
+ unsigned int line = cfg_obj_line(acl);
+
+ if (file == NULL)
+ file = "<unknown file>";
+
+ cfg_obj_log(acl2, logctx, ISC_LOG_ERROR,
+ "attempt to redefine "
+ "kal '%s' previous "
+ "definition: %s:%u",
+ name, file, line);
+ result = ISC_R_FAILURE;
+ }
+ }
+ }
+ }
+
+ return (result);
+}
diff --git a/contrib/bind9/lib/bind9/getaddresses.c b/contrib/bind9/lib/bind9/getaddresses.c
new file mode 100644
index 0000000..16c9e13
--- /dev/null
+++ b/contrib/bind9/lib/bind9/getaddresses.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddresses.c,v 1.13.126.5 2004/05/15 03:46:12 jinmei Exp $ */
+
+#include <config.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/netdb.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <bind9/getaddresses.h>
+
+#ifdef HAVE_ADDRINFO
+#ifdef HAVE_GETADDRINFO
+#ifdef HAVE_GAISTRERROR
+#define USE_GETADDRINFO
+#endif
+#endif
+#endif
+
+#ifndef USE_GETADDRINFO
+#ifndef ISC_PLATFORM_NONSTDHERRNO
+extern int h_errno;
+#endif
+#endif
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+ isc_sockaddr_t *addrs, int addrsize, int *addrcount)
+{
+ struct in_addr in4;
+ struct in6_addr in6;
+ isc_boolean_t have_ipv4, have_ipv6;
+ int i;
+
+#ifdef USE_GETADDRINFO
+ struct addrinfo *ai = NULL, *tmpai, hints;
+ int result;
+#else
+ struct hostent *he;
+#endif
+
+ REQUIRE(hostname != NULL);
+ REQUIRE(addrs != NULL);
+ REQUIRE(addrcount != NULL);
+ REQUIRE(addrsize > 0);
+
+ have_ipv4 = (isc_net_probeipv4() == ISC_R_SUCCESS);
+ have_ipv6 = (isc_net_probeipv6() == ISC_R_SUCCESS);
+
+ /*
+ * Try IPv4, then IPv6. In order to handle the extended format
+ * for IPv6 scoped addresses (address%scope_ID), we'll use a local
+ * working buffer of 128 bytes. The length is an ad-hoc value, but
+ * should be enough for this purpose; the buffer can contain a string
+ * of at least 80 bytes for scope_ID in addition to any IPv6 numeric
+ * addresses (up to 46 bytes), the delimiter character and the
+ * terminating NULL character.
+ */
+ if (inet_pton(AF_INET, hostname, &in4) == 1) {
+ if (have_ipv4)
+ isc_sockaddr_fromin(&addrs[0], &in4, port);
+ else
+ isc_sockaddr_v6fromin(&addrs[0], &in4, port);
+ *addrcount = 1;
+ return (ISC_R_SUCCESS);
+ } else if (strlen(hostname) <= 127) {
+ char tmpbuf[128], *d;
+ isc_uint32_t zone = 0;
+
+ strcpy(tmpbuf, hostname);
+ d = strchr(tmpbuf, '%');
+ if (d != NULL)
+ *d = '\0';
+
+ if (inet_pton(AF_INET6, tmpbuf, &in6) == 1) {
+ isc_netaddr_t na;
+
+ if (!have_ipv6)
+ return (ISC_R_FAMILYNOSUPPORT);
+
+ if (d != NULL) {
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ isc_result_t result;
+
+ result = isc_netscope_pton(AF_INET6, d + 1,
+ &in6, &zone);
+
+ if (result != ISC_R_SUCCESS)
+ return (result);
+#else
+ /*
+ * The extended format is specified while the
+ * system does not provide the ability to use
+ * it. Throw an explicit error instead of
+ * ignoring the specified value.
+ */
+ return (ISC_R_BADADDRESSFORM);
+#endif
+ }
+
+ isc_netaddr_fromin6(&na, &in6);
+ isc_netaddr_setzone(&na, zone);
+ isc_sockaddr_fromnetaddr(&addrs[0],
+ (const isc_netaddr_t *)&na,
+ port);
+
+ *addrcount = 1;
+ return (ISC_R_SUCCESS);
+
+ }
+ }
+#ifdef USE_GETADDRINFO
+ memset(&hints, 0, sizeof(hints));
+ if (!have_ipv6)
+ hints.ai_family = PF_INET;
+ else if (!have_ipv4)
+ hints.ai_family = PF_INET6;
+ else {
+ hints.ai_family = PF_UNSPEC;
+#ifdef AI_ADDRCONFIG
+ hints.ai_flags = AI_ADDRCONFIG;
+#endif
+ }
+ hints.ai_socktype = SOCK_STREAM;
+#ifdef AI_ADDRCONFIG
+ again:
+#endif
+ result = getaddrinfo(hostname, NULL, &hints, &ai);
+ switch (result) {
+ case 0:
+ break;
+ case EAI_NONAME:
+#if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
+ case EAI_NODATA:
+#endif
+ return (ISC_R_NOTFOUND);
+#ifdef AI_ADDRCONFIG
+ case EAI_BADFLAGS:
+ if ((hints.ai_flags & AI_ADDRCONFIG) != 0) {
+ hints.ai_flags &= ~AI_ADDRCONFIG;
+ goto again;
+ }
+#endif
+ default:
+ return (ISC_R_FAILURE);
+ }
+ for (tmpai = ai, i = 0;
+ tmpai != NULL && i < addrsize;
+ tmpai = tmpai->ai_next)
+ {
+ if (tmpai->ai_family != AF_INET &&
+ tmpai->ai_family != AF_INET6)
+ continue;
+ if (tmpai->ai_family == AF_INET) {
+ struct sockaddr_in *sin;
+ sin = (struct sockaddr_in *)tmpai->ai_addr;
+ isc_sockaddr_fromin(&addrs[i], &sin->sin_addr, port);
+ } else {
+ struct sockaddr_in6 *sin6;
+ sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
+ isc_sockaddr_fromin6(&addrs[i], &sin6->sin6_addr,
+ port);
+ }
+ i++;
+
+ }
+ freeaddrinfo(ai);
+ *addrcount = i;
+#else
+ he = gethostbyname(hostname);
+ if (he == NULL) {
+ switch (h_errno) {
+ case HOST_NOT_FOUND:
+#ifdef NO_DATA
+ case NO_DATA:
+#endif
+#if defined(NO_ADDRESS) && (!defined(NO_DATA) || (NO_DATA != NO_ADDRESS))
+ case NO_ADDRESS:
+#endif
+ return (ISC_R_NOTFOUND);
+ default:
+ return (ISC_R_FAILURE);
+ }
+ }
+ if (he->h_addrtype != AF_INET && he->h_addrtype != AF_INET6)
+ return (ISC_R_NOTFOUND);
+ for (i = 0; i < addrsize; i++) {
+ if (he->h_addrtype == AF_INET) {
+ struct in_addr *inp;
+ inp = (struct in_addr *)(he->h_addr_list[i]);
+ if (inp == NULL)
+ break;
+ isc_sockaddr_fromin(&addrs[i], inp, port);
+ } else {
+ struct in6_addr *in6p;
+ in6p = (struct in6_addr *)(he->h_addr_list[i]);
+ if (in6p == NULL)
+ break;
+ isc_sockaddr_fromin6(&addrs[i], in6p, port);
+ }
+ }
+ *addrcount = i;
+#endif
+ if (*addrcount == 0)
+ return (ISC_R_NOTFOUND);
+ else
+ return (ISC_R_SUCCESS);
+}
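Review bot: In the getaddrinfo() loop the AF_INET6 branch passes only `&sin6->sin6_addr` to isc_sockaddr_fromin6(), so any `sin6_scope_id` the resolver returned is not carried into `addrs[i]`, whereas the literal-address branch earlier in the function explicitly keeps the zone with isc_netaddr_setzone(). A link-local result would then presumably come back without its scope; whether isc_sockaddr_fromin6() clears the scope field is not visible here, so this needs confirming. Building the entry through isc_netaddr_fromin6(), isc_netaddr_setzone() and isc_sockaddr_fromnetaddr(), as the literal branch does, keeps the two paths consistent; since this is a vendor import, the change belongs upstream. Separately, `strcpy(tmpbuf, hostname)` is safe only because of the `strlen(hostname) <= 127` guard, and a comment such as `/* bounded by the strlen() check above; keep in sync with tmpbuf[128] */` would stop the two literals drifting apart.

```c
		} else {
			struct sockaddr_in6 *sin6;
			isc_netaddr_t na;
			isc_uint32_t zone = 0;

			sin6 = (struct sockaddr_in6 *)tmpai->ai_addr;
#ifdef ISC_PLATFORM_HAVESCOPEID
			/* Keep the zone the resolver returned for scoped addresses. */
			zone = sin6->sin6_scope_id;
#endif
			isc_netaddr_fromin6(&na, &sin6->sin6_addr);
			isc_netaddr_setzone(&na, zone);
			isc_sockaddr_fromnetaddr(&addrs[i],
						 (const isc_netaddr_t *)&na,
						 port);
		}
		/* ... unchanged: i++ and the rest of the loop ... */
```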
diff --git a/contrib/bind9/lib/bind9/include/Makefile.in b/contrib/bind9/lib/bind9/include/Makefile.in
new file mode 100644
index 0000000..9081d9e
--- /dev/null
+++ b/contrib/bind9/lib/bind9/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.200.3 2004/03/08 09:04:27 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = bind9
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/bind9/include/bind9/Makefile.in b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
new file mode 100644
index 0000000..dec2982
--- /dev/null
+++ b/contrib/bind9/lib/bind9/include/bind9/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5.200.4 2004/03/08 09:04:28 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = check.h getaddresses.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/bind9
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 ; \
+ done
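Review bot: The install loop reports only the status of the last `${INSTALL_DATA}` call, so under a make that does not run recipes with `sh -e`, a failed copy of check.h or getaddresses.h goes unnoticed as long as version.h installs. I would make the loop body fail fast: `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/bind9 || exit 1 ; \`. The `${DESTDIR}${includedir}/bind9` arguments are also unquoted, which breaks when DESTDIR contains whitespace.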
diff --git a/contrib/bind9/lib/bind9/include/bind9/check.h b/contrib/bind9/lib/bind9/include/bind9/check.h
new file mode 100644
index 0000000..dcda517
--- /dev/null
+++ b/contrib/bind9/lib/bind9/include/bind9/check.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: check.h,v 1.1.200.4 2004/03/08 09:04:28 marka Exp $ */
+
+#ifndef BIND9_CHECK_H
+#define BIND9_CHECK_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_check_namedconf(cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx);
+/*
+ * Check the syntactic validity of a configuration parse tree generated from
+ * a named.conf file.
+ *
+ * Requires:
+ * config is a valid parse tree
+ *
+ * logctx is a valid logging context.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_FAILURE
+ */
+
+isc_result_t
+bind9_check_key(cfg_obj_t *config, isc_log_t *logctx);
+/*
+ * As above, but for a single 'key' statement.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_CHECK_H */
diff --git a/contrib/bind9/lib/bind9/include/bind9/getaddresses.h b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
new file mode 100644
index 0000000..4a3a546
--- /dev/null
+++ b/contrib/bind9/lib/bind9/include/bind9/getaddresses.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddresses.h,v 1.2.200.3 2004/03/08 09:04:28 marka Exp $ */
+
+#ifndef BIND9_GETADDRESSES_H
+#define BIND9_GETADDRESSES_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <isc/net.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+bind9_getaddresses(const char *hostname, in_port_t port,
+ isc_sockaddr_t *addrs, int addrsize, int *addrcount);
+/*
+ * Use the system resolver to get the addresses associated with a hostname.
+ * If successful, the number of addresses found is returned in 'addrcount'.
+ * If a hostname lookup is performed and addresses of an unknown family is
+ * seen, it is ignored. If more than 'addrsize' addresses are seen, the
+ * first 'addrsize' are returned and the remainder silently truncated.
+ *
+ * This routine may block. If called by a program using the isc_app
+ * framework, it should be surounded by isc_app_block()/isc_app_unblock().
+ *
+ * Requires:
+ * 'hostname' is not NULL.
+ * 'addrs' is not NULL.
+ * 'addrsize' > 0
+ * 'addrcount' is not NULL.
+ *
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ * ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ * not supported.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* BIND9_GETADDRESSES_H */
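Review bot: The Returns list omits ISC_R_FAILURE, which getaddresses.c returns from the `default:` branch of both the getaddrinfo() and the gethostbyname() error switches. A caller that handles only the documented codes has no reason to expect it, so I would add a line such as ` * ISC_R_FAILURE - the system resolver reported some other error.` to the list. The comment also spells "surrounded" as "surounded".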
diff --git a/contrib/bind9/lib/bind9/include/bind9/version.h b/contrib/bind9/lib/bind9/include/bind9/version.h
new file mode 100644
index 0000000..a3b812e
--- /dev/null
+++ b/contrib/bind9/lib/bind9/include/bind9/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.208.3 2004/03/08 09:04:28 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBBIND9_EXTERNAL_DATA extern const char bind9_version[];
+
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libinterface;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_librevision;
+LIBBIND9_EXTERNAL_DATA extern const unsigned int bind9_libage;
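Review bot: version.h has no include guard, unlike check.h and getaddresses.h in the same directory, which open with `#ifndef BIND9_CHECK_H` and `#ifndef BIND9_GETADDRESSES_H`. Repeated inclusion is harmless for these extern declarations, so this is a consistency point rather than a defect. I would wrap the file in `#ifndef BIND9_VERSION_H`, `#define BIND9_VERSION_H 1` and a closing `#endif /* BIND9_VERSION_H */`.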
diff --git a/contrib/bind9/lib/bind9/version.c b/contrib/bind9/lib/bind9/version.c
new file mode 100644
index 0000000..5fee2cf
--- /dev/null
+++ b/contrib/bind9/lib/bind9/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.3.200.4 2004/03/08 09:04:27 marka Exp $ */
+
+#include <bind9/version.h>
+
+const char bind9_version[] = VERSION;
+
+const unsigned int bind9_libinterface = LIBINTERFACE;
+const unsigned int bind9_librevision = LIBREVISION;
+const unsigned int bind9_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/Makefile.in b/contrib/bind9/lib/dns/Makefile.in
new file mode 100644
index 0000000..e88d2b4
--- /dev/null
+++ b/contrib/bind9/lib/dns/Makefile.in
@@ -0,0 +1,164 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.126.2.3.2.15 2004/07/20 07:01:57 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+# Attempt to disable parallel processing.
+.NOTPARALLEL:
+.NO_PARALLEL:
+
+@BIND9_VERSION@
+
+@LIBDNS_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS = ../../lib/isc/libisc.@A@
+
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+
+LIBS = @LIBS@
+
+# Alphabetically
+
+DSTOBJS = sec/dst/dst_api.@O@ \
+ sec/dst/dst_lib.@O@ sec/dst/dst_parse.@O@ \
+ sec/dst/dst_result.@O@ sec/dst/gssapi_link.@O@ \
+ sec/dst/gssapictx.@O@ sec/dst/hmac_link.@O@ \
+ sec/dst/key.@O@ sec/dst/openssl_link.@O@ \
+ sec/dst/openssldh_link.@O@ sec/dst/openssldsa_link.@O@ \
+ sec/dst/opensslrsa_link.@O@
+
+# Alphabetically
+DNSOBJS = acl.@O@ adb.@O@ byaddr.@O@ \
+ cache.@O@ callbacks.@O@ compress.@O@ \
+ db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
+ dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
+ lib.@O@ log.@O@ lookup.@O@ \
+ master.@O@ masterdump.@O@ message.@O@ \
+ name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
+ rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
+ rdatalist.@O@ \
+ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
+ resolver.@O@ result.@O@ rootns.@O@ sdb.@O@ soa.@O@ ssu.@O@ \
+ stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \
+ tsig.@O@ ttl.@O@ validator.@O@ \
+ version.@O@ view.@O@ xfrin.@O@ zone.@O@ zonekey.@O@ zt.@O@
+
+OBJS= ${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
+
+# Alphabetically
+SRCS = acl.c adb.c byaddr.c \
+ cache.c callbacks.c compress.c \
+ db.c dbiterator.c dbtable.c diff.c dispatch.c \
+ dnssec.c ds.c forward.c journal.c keytable.c \
+ lib.c log.c lookup.c \
+ master.c masterdump.c message.c \
+ name.c ncache.c nsec.c order.c peer.c portlist.c \
+ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
+ rdatalist.c \
+ rdataset.c rdatasetiter.c rdataslab.c request.c \
+ resolver.c result.c rootns.c sdb.c soa.c ssu.c \
+ stats.c tcpmsg.c time.c timer.c tkey.c \
+ tsig.c ttl.c validator.c \
+ version.c view.c xfrin.c zone.c zonekey.c zt.c ${OTHERSRCS}
+
+SUBDIRS = include sec
+TARGETS = include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h timestamp
+
+DEPENDEXTRA = ./gen -F include/dns/rdatastruct.h \
+ -s ${srcdir} -d >> Makefile ;
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libdns.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libdns.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
+
+timestamp: libdns.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libdns.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libdns.@A@ timestamp
+ rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+
+newrr::
+ rm -f code.h include/dns/enumtype.h include/dns/enumclass.h
+ rm -f include/dns/rdatastruct.h
+
+include: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h
+
+rdata.@O@: code.h
+
+include/dns/enumtype.h: gen
+ ./gen -s ${srcdir} -t > $@
+
+include/dns/enumclass.h: gen
+ ./gen -s ${srcdir} -c > $@
+
+include/dns/rdatastruct.h: gen \
+ ${srcdir}/rdata/rdatastructpre.h \
+ ${srcdir}/rdata/rdatastructsuf.h
+ ./gen -s ${srcdir} -i \
+ -P ${srcdir}/rdata/rdatastructpre.h \
+ -S ${srcdir}/rdata/rdatastructsuf.h > $@
+
+code.h: gen
+ ./gen -s ${srcdir} > code.h
+
+gen: gen.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
+
+rbtdb64.@O@: rbtdb.c
+
+depend: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h code.h
+subdirs: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h code.h
+${DNSOBJS}: include/dns/enumtype.h include/dns/enumclass.h \
+ include/dns/rdatastruct.h
+rdata.${0}: code.h
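Review bot: The final rule `rdata.${0}: code.h` looks like a typo for `rdata.@O@`, with a make variable named by the digit zero where the configure substitution was meant. `${0}` would normally expand to nothing, leaving a rule for a target `rdata.` that nothing builds. The intended dependency is already declared earlier as `rdata.@O@: code.h`, so this line can be deleted. Separately, the header rules write with `./gen ... > $@`, so a failing `gen` leaves a truncated but newer header that looks up to date. Writing to `$@.tmp` and finishing with `mv -f $@.tmp $@` would avoid that.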
diff --git a/contrib/bind9/lib/dns/acl.c b/contrib/bind9/lib/dns/acl.c
new file mode 100644
index 0000000..d281440
--- /dev/null
+++ b/contrib/bind9/lib/dns/acl.c
@@ -0,0 +1,446 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acl.c,v 1.23.52.4 2004/03/09 05:21:08 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
+ isc_result_t result;
+ dns_acl_t *acl;
+
+ /*
+ * Work around silly limitation of isc_mem_get().
+ */
+ if (n == 0)
+ n = 1;
+
+ acl = isc_mem_get(mctx, sizeof(*acl));
+ if (acl == NULL)
+ return (ISC_R_NOMEMORY);
+ acl->mctx = mctx;
+ acl->name = NULL;
+ isc_refcount_init(&acl->refcount, 1);
+ acl->elements = NULL;
+ acl->alloc = 0;
+ acl->length = 0;
+
+ ISC_LINK_INIT(acl, nextincache);
+ /*
+ * Must set magic early because we use dns_acl_detach() to clean up.
+ */
+ acl->magic = DNS_ACL_MAGIC;
+
+ acl->elements = isc_mem_get(mctx, n * sizeof(dns_aclelement_t));
+ if (acl->elements == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ acl->alloc = n;
+ memset(acl->elements, 0, n * sizeof(dns_aclelement_t));
+ *target = acl;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_acl_detach(&acl);
+ return (result);
+}
+
+isc_result_t
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt) {
+ if (acl->length + 1 > acl->alloc) {
+ /*
+ * Resize the ACL.
+ */
+ unsigned int newalloc;
+ void *newmem;
+
+ newalloc = acl->alloc * 2;
+ if (newalloc < 4)
+ newalloc = 4;
+ newmem = isc_mem_get(acl->mctx,
+ newalloc * sizeof(dns_aclelement_t));
+ if (newmem == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(newmem, acl->elements,
+ acl->length * sizeof(dns_aclelement_t));
+ isc_mem_put(acl->mctx, acl->elements,
+ acl->alloc * sizeof(dns_aclelement_t));
+ acl->elements = newmem;
+ acl->alloc = newalloc;
+ }
+ /*
+ * Append the new element.
+ */
+ acl->elements[acl->length++] = *elt;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
+ isc_result_t result;
+ dns_acl_t *acl = NULL;
+ result = dns_acl_create(mctx, 1, &acl);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ acl->elements[0].negative = neg;
+ acl->elements[0].type = dns_aclelementtype_any;
+ acl->length = 1;
+ *target = acl;
+ return (result);
+}
+
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
+ return (dns_acl_anyornone(mctx, ISC_FALSE, target));
+}
+
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
+ return (dns_acl_anyornone(mctx, ISC_TRUE, target));
+}
+
+isc_result_t
+dns_acl_match(isc_netaddr_t *reqaddr,
+ dns_name_t *reqsigner,
+ dns_acl_t *acl,
+ dns_aclenv_t *env,
+ int *match,
+ dns_aclelement_t **matchelt)
+{
+ unsigned int i;
+
+ REQUIRE(reqaddr != NULL);
+ REQUIRE(matchelt == NULL || *matchelt == NULL);
+
+ for (i = 0; i < acl->length; i++) {
+ dns_aclelement_t *e = &acl->elements[i];
+
+ if (dns_aclelement_match(reqaddr, reqsigner,
+ e, env, matchelt)) {
+ *match = e->negative ? -((int)i+1) : ((int)i+1);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ /* No match. */
+ *match = 0;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_acl_elementmatch(dns_acl_t *acl,
+ dns_aclelement_t *elt,
+ dns_aclelement_t **matchelt)
+{
+ unsigned int i;
+
+ REQUIRE(elt != NULL);
+ REQUIRE(matchelt == NULL || *matchelt == NULL);
+
+ for (i = 0; i < acl->length; i++) {
+ dns_aclelement_t *e = &acl->elements[i];
+
+ if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
+ if (matchelt != NULL)
+ *matchelt = e;
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_boolean_t
+dns_aclelement_match(isc_netaddr_t *reqaddr,
+ dns_name_t *reqsigner,
+ dns_aclelement_t *e,
+ dns_aclenv_t *env,
+ dns_aclelement_t **matchelt)
+{
+ dns_acl_t *inner = NULL;
+ isc_netaddr_t *addr;
+ isc_netaddr_t v4addr;
+ int indirectmatch;
+ isc_result_t result;
+
+ switch (e->type) {
+ case dns_aclelementtype_ipprefix:
+ if (env == NULL ||
+ env->match_mapped == ISC_FALSE ||
+ reqaddr->family != AF_INET6 ||
+ !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
+ addr = reqaddr;
+ else {
+ isc_netaddr_fromv4mapped(&v4addr, reqaddr);
+ addr = &v4addr;
+ }
+
+ if (isc_netaddr_eqprefix(addr,
+ &e->u.ip_prefix.address,
+ e->u.ip_prefix.prefixlen))
+ goto matched;
+ break;
+
+ case dns_aclelementtype_keyname:
+ if (reqsigner != NULL &&
+ dns_name_equal(reqsigner, &e->u.keyname))
+ goto matched;
+ break;
+
+ case dns_aclelementtype_nestedacl:
+ inner = e->u.nestedacl;
+ nested:
+ result = dns_acl_match(reqaddr, reqsigner,
+ inner,
+ env,
+ &indirectmatch, matchelt);
+ INSIST(result == ISC_R_SUCCESS);
+
+ /*
+ * Treat negative matches in indirect ACLs as
+ * "no match".
+ * That way, a negated indirect ACL will never become
+ * a surprise positive match through double negation.
+ * XXXDCL this should be documented.
+ */
+ if (indirectmatch > 0)
+ goto matchelt_set;
+
+ /*
+ * A negative indirect match may have set *matchelt,
+ * but we don't want it set when we return.
+ */
+ if (matchelt != NULL)
+ *matchelt = NULL;
+ break;
+
+ case dns_aclelementtype_any:
+ matched:
+ if (matchelt != NULL)
+ *matchelt = e;
+ matchelt_set:
+ return (ISC_TRUE);
+
+ case dns_aclelementtype_localhost:
+ if (env != NULL && env->localhost != NULL) {
+ inner = env->localhost;
+ goto nested;
+ } else {
+ break;
+ }
+
+ case dns_aclelementtype_localnets:
+ if (env != NULL && env->localnets != NULL) {
+ inner = env->localnets;
+ goto nested;
+ } else {
+ break;
+ }
+
+ default:
+ INSIST(0);
+ break;
+ }
+
+ return (ISC_FALSE);
+}
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
+ REQUIRE(DNS_ACL_VALID(source));
+ isc_refcount_increment(&source->refcount, NULL);
+ *target = source;
+}
+
+static void
+destroy(dns_acl_t *dacl) {
+ unsigned int i;
+ for (i = 0; i < dacl->length; i++) {
+ dns_aclelement_t *de = &dacl->elements[i];
+ switch (de->type) {
+ case dns_aclelementtype_keyname:
+ dns_name_free(&de->u.keyname, dacl->mctx);
+ break;
+ case dns_aclelementtype_nestedacl:
+ dns_acl_detach(&de->u.nestedacl);
+ break;
+ default:
+ break;
+ }
+ }
+ if (dacl->elements != NULL)
+ isc_mem_put(dacl->mctx, dacl->elements,
+ dacl->alloc * sizeof(dns_aclelement_t));
+ if (dacl->name != NULL)
+ isc_mem_free(dacl->mctx, dacl->name);
+ isc_refcount_destroy(&dacl->refcount);
+ dacl->magic = 0;
+ isc_mem_put(dacl->mctx, dacl, sizeof(*dacl));
+}
+
+void
+dns_acl_detach(dns_acl_t **aclp) {
+ dns_acl_t *acl = *aclp;
+ unsigned int refs;
+ REQUIRE(DNS_ACL_VALID(acl));
+ isc_refcount_decrement(&acl->refcount, &refs);
+ if (refs == 0)
+ destroy(acl);
+ *aclp = NULL;
+}
+
+isc_boolean_t
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb) {
+ if (ea->type != eb->type)
+ return (ISC_FALSE);
+ switch (ea->type) {
+ case dns_aclelementtype_ipprefix:
+ if (ea->u.ip_prefix.prefixlen !=
+ eb->u.ip_prefix.prefixlen)
+ return (ISC_FALSE);
+ return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
+ &eb->u.ip_prefix.address,
+ ea->u.ip_prefix.prefixlen));
+ case dns_aclelementtype_keyname:
+ return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
+ case dns_aclelementtype_nestedacl:
+ return (dns_acl_equal(ea->u.nestedacl, eb->u.nestedacl));
+ case dns_aclelementtype_localhost:
+ case dns_aclelementtype_localnets:
+ case dns_aclelementtype_any:
+ return (ISC_TRUE);
+ default:
+ INSIST(0);
+ return (ISC_FALSE);
+ }
+}
+
+isc_boolean_t
+dns_acl_equal(dns_acl_t *a, dns_acl_t *b) {
+ unsigned int i;
+ if (a == b)
+ return (ISC_TRUE);
+ if (a->length != b->length)
+ return (ISC_FALSE);
+ for (i = 0; i < a->length; i++) {
+ if (! dns_aclelement_equal(&a->elements[i],
+ &b->elements[i]))
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+static isc_boolean_t
+is_loopback(dns_aclipprefix_t *p) {
+ switch (p->address.family) {
+ case AF_INET:
+ if (p->prefixlen == 32 &&
+ htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
+ return (ISC_TRUE);
+ break;
+ case AF_INET6:
+ if (p->prefixlen == 128 &&
+ IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
+ return (ISC_TRUE);
+ break;
+ default:
+ break;
+ }
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_acl_isinsecure(dns_acl_t *a) {
+ unsigned int i;
+ for (i = 0; i < a->length; i++) {
+ dns_aclelement_t *e = &a->elements[i];
+
+ /* A negated match can never be insecure. */
+ if (e->negative)
+ continue;
+
+ switch (e->type) {
+ case dns_aclelementtype_ipprefix:
+ /* The loopback address is considered secure. */
+ if (! is_loopback(&e->u.ip_prefix))
+ return (ISC_TRUE);
+ continue;
+
+ case dns_aclelementtype_keyname:
+ case dns_aclelementtype_localhost:
+ continue;
+
+ case dns_aclelementtype_nestedacl:
+ if (dns_acl_isinsecure(e->u.nestedacl))
+ return (ISC_TRUE);
+ continue;
+
+ case dns_aclelementtype_localnets:
+ case dns_aclelementtype_any:
+ return (ISC_TRUE);
+
+ default:
+ INSIST(0);
+ return (ISC_TRUE);
+ }
+ }
+ /* No insecure elements were found. */
+ return (ISC_FALSE);
+}
+
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
+ isc_result_t result;
+ env->localhost = NULL;
+ env->localnets = NULL;
+ result = dns_acl_create(mctx, 0, &env->localhost);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_nothing;
+ result = dns_acl_create(mctx, 0, &env->localnets);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_localhost;
+ env->match_mapped = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+
+ cleanup_localhost:
+ dns_acl_detach(&env->localhost);
+ cleanup_nothing:
+ return (result);
+}
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
+ dns_acl_detach(&t->localhost);
+ dns_acl_attach(s->localhost, &t->localhost);
+ dns_acl_detach(&t->localnets);
+ dns_acl_attach(s->localnets, &t->localnets);
+ t->match_mapped = s->match_mapped;
+}
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env) {
+ dns_acl_detach(&env->localhost);
+ dns_acl_detach(&env->localnets);
+}
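Review bot: dns_aclelement_equal() compares only the element type and its payload and never the `negative` flag, so an element and its negation compare equal. dns_acl_equal() and dns_acl_elementmatch() inherit that. If a caller uses these to decide that two ACLs grant the same access, an allow entry and the matching deny entry would be treated as interchangeable; whether any caller does so is not visible in this file. I would add `if (ea->negative != eb->negative) return (ISC_FALSE);` directly after the type check. Separately, dns_acl_create() multiplies the signed `n` by sizeof(dns_aclelement_t) with no `REQUIRE(n >= 0);`, although dns_acl_match() and others in this file do state their preconditions that way.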
diff --git a/contrib/bind9/lib/dns/adb.c b/contrib/bind9/lib/dns/adb.c
new file mode 100644
index 0000000..43b6669
--- /dev/null
+++ b/contrib/bind9/lib/dns/adb.c
@@ -0,0 +1,3575 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: adb.c,v 1.181.2.11.2.19 2004/09/01 05:19:57 marka Exp $ */
+
+/*
+ * Implementation notes
+ * --------------------
+ *
+ * In finds, if task == NULL, no events will be generated, and no events
+ * have been sent. If task != NULL but taskaction == NULL, an event has been
+ * posted but not yet freed. If neither are NULL, no event was posted.
+ *
+ */
+
+/*
+ * After we have cleaned all buckets, dump the database contents.
+ */
+#if 0
+#define DUMP_ADB_AFTER_CLEANING
+#endif
+
+#include <config.h>
+
+#include <limits.h>
+
+#include <isc/mutexblock.h>
+#include <isc/netaddr.h>
+#include <isc/random.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/adb.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+
+#define DNS_ADB_MAGIC ISC_MAGIC('D', 'a', 'd', 'b')
+#define DNS_ADB_VALID(x) ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
+#define DNS_ADBNAME_MAGIC ISC_MAGIC('a', 'd', 'b', 'N')
+#define DNS_ADBNAME_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
+#define DNS_ADBNAMEHOOK_MAGIC ISC_MAGIC('a', 'd', 'N', 'H')
+#define DNS_ADBNAMEHOOK_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
+#define DNS_ADBZONEINFO_MAGIC ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBZONEINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBZONEINFO_MAGIC)
+#define DNS_ADBENTRY_MAGIC ISC_MAGIC('a', 'd', 'b', 'E')
+#define DNS_ADBENTRY_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
+#define DNS_ADBFETCH_MAGIC ISC_MAGIC('a', 'd', 'F', '4')
+#define DNS_ADBFETCH_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
+#define DNS_ADBFETCH6_MAGIC ISC_MAGIC('a', 'd', 'F', '6')
+#define DNS_ADBFETCH6_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
+
+/*
+ * The number of buckets needs to be a prime (for good hashing).
+ *
+ * XXXRTH How many buckets do we need?
+ */
+#define NBUCKETS 1009 /* how many buckets for names/addrs */
+
+/*
+ * For type 3 negative cache entries, we will remember that the address is
+ * broken for this long. XXXMLG This is also used for actual addresses, too.
+ * The intent is to keep us from constantly asking about A/AAAA records
+ * if the zone has extremely low TTLs.
+ */
+#define ADB_CACHE_MINIMUM 10 /* seconds */
+#define ADB_CACHE_MAXIMUM 86400 /* seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW 1800 /* seconds */
+
+/*
+ * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
+ * buckets are cleaned in CLEAN_PERIOD seconds.
+ */
+#define CLEAN_PERIOD 3600
+#define CLEAN_SECONDS 30
+#define CLEAN_BUCKETS ((NBUCKETS * CLEAN_SECONDS) / CLEAN_PERIOD)
+
+#define FREE_ITEMS 64 /* free count for memory pools */
+#define FILL_COUNT 16 /* fill count for memory pools */
+
+#define DNS_ADB_INVALIDBUCKET (-1) /* invalid bucket address */
+
+#define DNS_ADB_MINADBSIZE (1024*1024) /* 1 Megabyte */
+
+typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
+typedef struct dns_adbnamehook dns_adbnamehook_t;
+typedef ISC_LIST(dns_adbnamehook_t) dns_adbnamehooklist_t;
+typedef struct dns_adbzoneinfo dns_adbzoneinfo_t;
+typedef ISC_LIST(dns_adbentry_t) dns_adbentrylist_t;
+typedef struct dns_adbfetch dns_adbfetch_t;
+typedef struct dns_adbfetch6 dns_adbfetch6_t;
+
+struct dns_adb {
+ unsigned int magic;
+
+ isc_mutex_t lock;
+ isc_mutex_t reflock; /* Covers irefcnt, erefcnt */
+ isc_mem_t *mctx;
+ dns_view_t *view;
+ isc_timermgr_t *timermgr;
+ isc_timer_t *timer;
+ isc_taskmgr_t *taskmgr;
+ isc_task_t *task;
+ isc_boolean_t overmem;
+
+ isc_interval_t tick_interval;
+ int next_cleanbucket;
+
+ unsigned int irefcnt;
+ unsigned int erefcnt;
+
+ isc_mutex_t mplock;
+ isc_mempool_t *nmp; /* dns_adbname_t */
+ isc_mempool_t *nhmp; /* dns_adbnamehook_t */
+ isc_mempool_t *zimp; /* dns_adbzoneinfo_t */
+ isc_mempool_t *emp; /* dns_adbentry_t */
+ isc_mempool_t *ahmp; /* dns_adbfind_t */
+ isc_mempool_t *aimp; /* dns_adbaddrinfo_t */
+ isc_mempool_t *afmp; /* dns_adbfetch_t */
+
+ /*
+ * Bucketized locks and lists for names.
+ *
+ * XXXRTH Have a per-bucket structure that contains all of these?
+ */
+ dns_adbnamelist_t names[NBUCKETS];
+ isc_mutex_t namelocks[NBUCKETS];
+ isc_boolean_t name_sd[NBUCKETS];
+ unsigned int name_refcnt[NBUCKETS];
+
+ /*
+ * Bucketized locks for entries.
+ *
+ * XXXRTH Have a per-bucket structure that contains all of these?
+ */
+ dns_adbentrylist_t entries[NBUCKETS];
+ isc_mutex_t entrylocks[NBUCKETS];
+ isc_boolean_t entry_sd[NBUCKETS]; /* shutting down */
+ unsigned int entry_refcnt[NBUCKETS];
+
+ isc_event_t cevent;
+ isc_boolean_t cevent_sent;
+ isc_boolean_t shutting_down;
+ isc_eventlist_t whenshutdown;
+};
+
+/*
+ * XXXMLG Document these structures.
+ */
+
+struct dns_adbname {
+ unsigned int magic;
+ dns_name_t name;
+ dns_adb_t *adb;
+ unsigned int partial_result;
+ unsigned int flags;
+ int lock_bucket;
+ dns_name_t target;
+ isc_stdtime_t expire_target;
+ isc_stdtime_t expire_v4;
+ isc_stdtime_t expire_v6;
+ unsigned int chains;
+ dns_adbnamehooklist_t v4;
+ dns_adbnamehooklist_t v6;
+ dns_adbfetch_t *fetch_a;
+ dns_adbfetch_t *fetch_aaaa;
+ unsigned int fetch_err;
+ unsigned int fetch6_err;
+ dns_adbfindlist_t finds;
+ ISC_LINK(dns_adbname_t) plink;
+};
+
+struct dns_adbfetch {
+ unsigned int magic;
+ dns_adbnamehook_t *namehook;
+ dns_adbentry_t *entry;
+ dns_fetch_t *fetch;
+ dns_rdataset_t rdataset;
+};
+
+/*
+ * dns_adbnamehook_t
+ *
+ * This is a small widget that dangles off a dns_adbname_t. It contains a
+ * pointer to the address information about this host, and a link to the next
+ * namehook that will contain the next address this host has.
+ */
+struct dns_adbnamehook {
+ unsigned int magic;
+ dns_adbentry_t *entry;
+ ISC_LINK(dns_adbnamehook_t) plink;
+};
+
+/*
+ * dns_adbzoneinfo_t
+ *
+ * This is a small widget that holds zone-specific information about an
+ * address. Currently limited to lameness, but could just as easily be
+ * extended to other types of information about zones.
+ */
+struct dns_adbzoneinfo {
+ unsigned int magic;
+
+ dns_name_t zone;
+ isc_stdtime_t lame_timer;
+
+ ISC_LINK(dns_adbzoneinfo_t) plink;
+};
+
+/*
+ * An address entry. It holds quite a bit of information about addresses,
+ * including edns state (in "flags"), rtt, and of course the address of
+ * the host.
+ */
+struct dns_adbentry {
+ unsigned int magic;
+
+ int lock_bucket;
+ unsigned int refcnt;
+
+ unsigned int flags;
+ unsigned int srtt;
+ isc_sockaddr_t sockaddr;
+
+ isc_stdtime_t expires;
+ /*
+ * A nonzero 'expires' field indicates that the entry should
+ * persist until that time. This allows entries found
+ * using dns_adb_findaddrinfo() to persist for a limited time
+ * even though they are not necessarily associated with a
+ * name.
+ */
+
+ ISC_LIST(dns_adbzoneinfo_t) zoneinfo;
+ ISC_LINK(dns_adbentry_t) plink;
+};
+
+/*
+ * Internal functions (and prototypes).
+ */
+static inline dns_adbname_t *new_adbname(dns_adb_t *, dns_name_t *);
+static inline void free_adbname(dns_adb_t *, dns_adbname_t **);
+static inline dns_adbnamehook_t *new_adbnamehook(dns_adb_t *,
+ dns_adbentry_t *);
+static inline void free_adbnamehook(dns_adb_t *, dns_adbnamehook_t **);
+static inline dns_adbzoneinfo_t *new_adbzoneinfo(dns_adb_t *, dns_name_t *);
+static inline void free_adbzoneinfo(dns_adb_t *, dns_adbzoneinfo_t **);
+static inline dns_adbentry_t *new_adbentry(dns_adb_t *);
+static inline void free_adbentry(dns_adb_t *, dns_adbentry_t **);
+static inline dns_adbfind_t *new_adbfind(dns_adb_t *);
+static inline isc_boolean_t free_adbfind(dns_adb_t *, dns_adbfind_t **);
+static inline dns_adbaddrinfo_t *new_adbaddrinfo(dns_adb_t *, dns_adbentry_t *,
+ in_port_t);
+static inline dns_adbfetch_t *new_adbfetch(dns_adb_t *);
+static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
+static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
+ unsigned int, int *);
+static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
+ isc_sockaddr_t *, int *);
+static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug);
+static void print_dns_name(FILE *, dns_name_t *);
+static void print_namehook_list(FILE *, const char *legend,
+ dns_adbnamehooklist_t *list,
+ isc_boolean_t debug,
+ isc_stdtime_t now);
+static void print_find_list(FILE *, dns_adbname_t *);
+static void print_fetch_list(FILE *, dns_adbname_t *);
+static inline isc_boolean_t dec_adb_irefcnt(dns_adb_t *);
+static inline void inc_adb_irefcnt(dns_adb_t *);
+static inline void inc_adb_erefcnt(dns_adb_t *);
+static inline void inc_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
+ isc_boolean_t);
+static inline isc_boolean_t dec_entry_refcnt(dns_adb_t *, dns_adbentry_t *,
+ isc_boolean_t);
+static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
+static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
+static void clean_target(dns_adb_t *, dns_name_t *);
+static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
+ unsigned int);
+static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t,
+ isc_boolean_t);
+static void cancel_fetches_at_name(dns_adbname_t *);
+static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
+ dns_rdatatype_t);
+static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
+ dns_rdatatype_t);
+static inline void check_exit(dns_adb_t *);
+static void timer_cleanup(isc_task_t *, isc_event_t *);
+static void destroy(dns_adb_t *);
+static isc_boolean_t shutdown_names(dns_adb_t *);
+static isc_boolean_t shutdown_entries(dns_adb_t *);
+static inline void link_name(dns_adb_t *, int, dns_adbname_t *);
+static inline isc_boolean_t unlink_name(dns_adb_t *, dns_adbname_t *);
+static inline void link_entry(dns_adb_t *, int, dns_adbentry_t *);
+static inline isc_boolean_t unlink_entry(dns_adb_t *, dns_adbentry_t *);
+static isc_boolean_t kill_name(dns_adbname_t **, isc_eventtype_t);
+static void water(void *arg, int mark);
+
+/*
+ * MUST NOT overlap DNS_ADBFIND_* flags!
+ */
+#define FIND_EVENT_SENT 0x40000000
+#define FIND_EVENT_FREED 0x80000000
+#define FIND_EVENTSENT(h) (((h)->flags & FIND_EVENT_SENT) != 0)
+#define FIND_EVENTFREED(h) (((h)->flags & FIND_EVENT_FREED) != 0)
+
+#define NAME_NEEDS_POKE 0x80000000
+#define NAME_IS_DEAD 0x40000000
+#define NAME_HINT_OK DNS_ADBFIND_HINTOK
+#define NAME_GLUE_OK DNS_ADBFIND_GLUEOK
+#define NAME_STARTATZONE DNS_ADBFIND_STARTATZONE
+#define NAME_DEAD(n) (((n)->flags & NAME_IS_DEAD) != 0)
+#define NAME_NEEDSPOKE(n) (((n)->flags & NAME_NEEDS_POKE) != 0)
+#define NAME_GLUEOK(n) (((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n) (((n)->flags & NAME_HINT_OK) != 0)
+
+/*
+ * To the name, address classes are all that really exist. If it has a
+ * V6 address it doesn't care if it came from a AAAA query.
+ */
+#define NAME_HAS_V4(n) (!ISC_LIST_EMPTY((n)->v4))
+#define NAME_HAS_V6(n) (!ISC_LIST_EMPTY((n)->v6))
+#define NAME_HAS_ADDRS(n) (NAME_HAS_V4(n) || NAME_HAS_V6(n))
+
+/*
+ * Fetches are broken out into A and AAAA types. In some cases,
+ * however, it makes more sense to test for a particular class of fetches,
+ * like V4 or V6 above.
+ * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
+ * are now equal to FETCH_V4 and FETCH_V6, respectively.
+ */
+#define NAME_FETCH_A(n) ((n)->fetch_a != NULL)
+#define NAME_FETCH_AAAA(n) ((n)->fetch_aaaa != NULL)
+#define NAME_FETCH_V4(n) (NAME_FETCH_A(n))
+#define NAME_FETCH_V6(n) (NAME_FETCH_AAAA(n))
+#define NAME_FETCH(n) (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
+
+/*
+ * Find options and tests to see if there are addresses on the list.
+ */
+#define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+ != 0)
+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \
+ != 0)
+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+
+/*
+ * These are currently used on simple unsigned ints, so they are
+ * not really associated with any particular type.
+ */
+#define WANT_INET(x) (((x) & DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0)
+
+#define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
+
+/*
+ * Find out if the flags on a name (nf) indicate if it is a hint or
+ * glue, and compare this to the appropriate bits set in o, to see if
+ * this is ok.
+ */
+#define GLUE_OK(nf, o) (!NAME_GLUEOK(nf) || (((o) & DNS_ADBFIND_GLUEOK) != 0))
+#define HINT_OK(nf, o) (!NAME_HINTOK(nf) || (((o) & DNS_ADBFIND_HINTOK) != 0))
+#define GLUEHINT_OK(nf, o) (GLUE_OK(nf, o) || HINT_OK(nf, o))
+#define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
+ ((o) & DNS_ADBFIND_STARTATZONE))
+
+#define ENTER_LEVEL ISC_LOG_DEBUG(50)
+#define EXIT_LEVEL ENTER_LEVEL
+#define CLEAN_LEVEL ISC_LOG_DEBUG(100)
+#define DEF_LEVEL ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL ISC_LOG_DEBUG(20)
+
+#define NCACHE_RESULT(r) ((r) == DNS_R_NCACHENXDOMAIN || \
+ (r) == DNS_R_NCACHENXRRSET)
+#define AUTH_NX(r) ((r) == DNS_R_NXDOMAIN || \
+ (r) == DNS_R_NXRRSET)
+#define NXDOMAIN_RESULT(r) ((r) == DNS_R_NXDOMAIN || \
+ (r) == DNS_R_NCACHENXDOMAIN)
+#define NXRRSET_RESULT(r) ((r) == DNS_R_NCACHENXRRSET || \
+ (r) == DNS_R_NXRRSET || \
+ (r) == DNS_R_HINTNXRRSET)
+
+/*
+ * Error state rankings.
+ */
+
+#define FIND_ERR_SUCCESS 0 /* highest rank */
+#define FIND_ERR_CANCELED 1
+#define FIND_ERR_FAILURE 2
+#define FIND_ERR_NXDOMAIN 3
+#define FIND_ERR_NXRRSET 4
+#define FIND_ERR_UNEXPECTED 5
+#define FIND_ERR_NOTFOUND 6
+#define FIND_ERR_MAX 7
+
+static const char *errnames[] = {
+ "success",
+ "canceled",
+ "failure",
+ "nxdomain",
+ "nxrrset",
+ "unexpected",
+ "not_found"
+};
+
+#define NEWERR(old, new) (ISC_MIN((old), (new)))
+
+static isc_result_t find_err_map[FIND_ERR_MAX] = {
+ ISC_R_SUCCESS,
+ ISC_R_CANCELED,
+ ISC_R_FAILURE,
+ DNS_R_NXDOMAIN,
+ DNS_R_NXRRSET,
+ ISC_R_UNEXPECTED,
+ ISC_R_NOTFOUND /* not YET found */
+};
+
+static void
+DP(int level, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+
+static void
+DP(int level, const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ isc_log_vwrite(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
+ level, format, args);
+ va_end(args);
+}
+
+static inline dns_ttl_t
+ttlclamp(dns_ttl_t ttl) {
+ if (ttl < ADB_CACHE_MINIMUM)
+ ttl = ADB_CACHE_MINIMUM;
+ if (ttl > ADB_CACHE_MAXIMUM)
+ ttl = ADB_CACHE_MAXIMUM;
+
+ return (ttl);
+}
+
+/*
+ * Requires the adbname bucket be locked and that no entry buckets be locked.
+ *
+ * This code handles A and AAAA rdatasets only.
+ */
+static isc_result_t
+import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
+ isc_stdtime_t now)
+{
+ isc_result_t result;
+ dns_adb_t *adb;
+ dns_adbnamehook_t *nh;
+ dns_adbnamehook_t *anh;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ struct in_addr ina;
+ struct in6_addr in6a;
+ isc_sockaddr_t sockaddr;
+ dns_adbentry_t *foundentry; /* NO CLEAN UP! */
+ int addr_bucket;
+ isc_boolean_t new_addresses_added;
+ dns_rdatatype_t rdtype;
+ unsigned int findoptions;
+
+ INSIST(DNS_ADBNAME_VALID(adbname));
+ adb = adbname->adb;
+ INSIST(DNS_ADB_VALID(adb));
+
+ rdtype = rdataset->type;
+ INSIST((rdtype == dns_rdatatype_a) || (rdtype == dns_rdatatype_aaaa));
+ if (rdtype == dns_rdatatype_a)
+ findoptions = DNS_ADBFIND_INET;
+ else
+ findoptions = DNS_ADBFIND_INET6;
+
+ addr_bucket = DNS_ADB_INVALIDBUCKET;
+ new_addresses_added = ISC_FALSE;
+
+ nh = NULL;
+ result = dns_rdataset_first(rdataset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ if (rdtype == dns_rdatatype_a) {
+ INSIST(rdata.length == 4);
+ memcpy(&ina.s_addr, rdata.data, 4);
+ isc_sockaddr_fromin(&sockaddr, &ina, 0);
+ } else {
+ INSIST(rdata.length == 16);
+ memcpy(in6a.s6_addr, rdata.data, 16);
+ isc_sockaddr_fromin6(&sockaddr, &in6a, 0);
+ }
+
+ INSIST(nh == NULL);
+ nh = new_adbnamehook(adb, NULL);
+ if (nh == NULL) {
+ adbname->partial_result |= findoptions;
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+
+ foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket);
+ if (foundentry == NULL) {
+ dns_adbentry_t *entry;
+
+ entry = new_adbentry(adb);
+ if (entry == NULL) {
+ adbname->partial_result |= findoptions;
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+
+ entry->sockaddr = sockaddr;
+ entry->refcnt = 1;
+
+ nh->entry = entry;
+
+ link_entry(adb, addr_bucket, entry);
+ } else {
+ for (anh = ISC_LIST_HEAD(adbname->v4);
+ anh != NULL;
+ anh = ISC_LIST_NEXT(anh, plink))
+ if (anh->entry == foundentry)
+ break;
+ if (anh == NULL) {
+ foundentry->refcnt++;
+ nh->entry = foundentry;
+ } else
+ free_adbnamehook(adb, &nh);
+ }
+
+ new_addresses_added = ISC_TRUE;
+ if (nh != NULL) {
+ if (rdtype == dns_rdatatype_a)
+ ISC_LIST_APPEND(adbname->v4, nh, plink);
+ else
+ ISC_LIST_APPEND(adbname->v6, nh, plink);
+ }
+ nh = NULL;
+ result = dns_rdataset_next(rdataset);
+ }
+
+ fail:
+ if (nh != NULL)
+ free_adbnamehook(adb, &nh);
+
+ if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+ UNLOCK(&adb->entrylocks[addr_bucket]);
+
+ if (rdataset->trust == dns_trust_glue ||
+ rdataset->trust == dns_trust_additional)
+ rdataset->ttl = ADB_CACHE_MINIMUM;
+ else
+ rdataset->ttl = ttlclamp(rdataset->ttl);
+
+ if (rdtype == dns_rdatatype_a) {
+ DP(NCACHE_LEVEL, "expire_v4 set to MIN(%u,%u) import_rdataset",
+ adbname->expire_v4, now + rdataset->ttl);
+ adbname->expire_v4 = ISC_MIN(adbname->expire_v4,
+ now + rdataset->ttl);
+ } else {
+ DP(NCACHE_LEVEL, "expire_v6 set to MIN(%u,%u) import_rdataset",
+ adbname->expire_v6, now + rdataset->ttl);
+ adbname->expire_v6 = ISC_MIN(adbname->expire_v6,
+ now + rdataset->ttl);
+ }
+
+ if (new_addresses_added) {
+ /*
+ * Lie a little here. This is more or less so code that cares
+ * can find out if any new information was added or not.
+ */
+ return (ISC_R_SUCCESS);
+ }
+
+ return (result);
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static isc_boolean_t
+kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
+ dns_adbname_t *name;
+ isc_boolean_t result = ISC_FALSE;
+ isc_boolean_t result4, result6;
+ dns_adb_t *adb;
+
+ INSIST(n != NULL);
+ name = *n;
+ *n = NULL;
+ INSIST(DNS_ADBNAME_VALID(name));
+ adb = name->adb;
+ INSIST(DNS_ADB_VALID(adb));
+
+ DP(DEF_LEVEL, "killing name %p", name);
+
+ /*
+ * If we're dead already, just check to see if we should go
+ * away now or not.
+ */
+ if (NAME_DEAD(name) && !NAME_FETCH(name)) {
+ result = unlink_name(adb, name);
+ free_adbname(adb, &name);
+ if (result)
+ result = dec_adb_irefcnt(adb);
+ return (result);
+ }
+
+ /*
+ * Clean up the name's various lists. These two are destructive
+ * in that they will always empty the list.
+ */
+ clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
+ result4 = clean_namehooks(adb, &name->v4);
+ result6 = clean_namehooks(adb, &name->v6);
+ clean_target(adb, &name->target);
+ result = ISC_TF(result4 || result6);
+
+ /*
+ * If fetches are running, cancel them. If none are running, we can
+ * just kill the name here.
+ */
+ if (!NAME_FETCH(name)) {
+ INSIST(result == ISC_FALSE);
+ result = unlink_name(adb, name);
+ free_adbname(adb, &name);
+ if (result)
+ result = dec_adb_irefcnt(adb);
+ } else {
+ name->flags |= NAME_IS_DEAD;
+ cancel_fetches_at_name(name);
+ }
+ return (result);
+}
+
+/*
+ * Requires the name's bucket be locked and no entry buckets be locked.
+ */
+static isc_boolean_t
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
+ isc_boolean_t overmem)
+{
+ dns_adb_t *adb;
+ isc_boolean_t expire;
+ isc_boolean_t result4 = ISC_FALSE;
+ isc_boolean_t result6 = ISC_FALSE;
+
+ INSIST(DNS_ADBNAME_VALID(name));
+ adb = name->adb;
+ INSIST(DNS_ADB_VALID(adb));
+
+ if (overmem) {
+ isc_uint32_t val;
+
+ isc_random_get(&val);
+
+ expire = ISC_TF((val % 4) == 0);
+ } else
+ expire = ISC_FALSE;
+
+ /*
+ * Check to see if we need to remove the v4 addresses
+ */
+ if (!NAME_FETCH_V4(name) &&
+ (expire || EXPIRE_OK(name->expire_v4, now))) {
+ if (NAME_HAS_V4(name)) {
+ DP(DEF_LEVEL, "expiring v4 for name %p", name);
+ result4 = clean_namehooks(adb, &name->v4);
+ name->partial_result &= ~DNS_ADBFIND_INET;
+ }
+ name->expire_v4 = INT_MAX;
+ name->fetch_err = FIND_ERR_UNEXPECTED;
+ }
+
+ /*
+ * Check to see if we need to remove the v6 addresses
+ */
+ if (!NAME_FETCH_V6(name) &&
+ (expire || EXPIRE_OK(name->expire_v6, now))) {
+ if (NAME_HAS_V6(name)) {
+ DP(DEF_LEVEL, "expiring v6 for name %p", name);
+ result6 = clean_namehooks(adb, &name->v6);
+ name->partial_result &= ~DNS_ADBFIND_INET6;
+ }
+ name->expire_v6 = INT_MAX;
+ name->fetch6_err = FIND_ERR_UNEXPECTED;
+ }
+
+ /*
+ * Check to see if we need to remove the alias target.
+ */
+ if (expire || EXPIRE_OK(name->expire_target, now)) {
+ clean_target(adb, &name->target);
+ name->expire_target = INT_MAX;
+ }
+ return (ISC_TF(result4 || result6));
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static inline void
+link_name(dns_adb_t *adb, int bucket, dns_adbname_t *name) {
+ INSIST(name->lock_bucket == DNS_ADB_INVALIDBUCKET);
+
+ ISC_LIST_PREPEND(adb->names[bucket], name, plink);
+ name->lock_bucket = bucket;
+ adb->name_refcnt[bucket]++;
+}
+
+/*
+ * Requires the name's bucket be locked.
+ */
+static inline isc_boolean_t
+unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
+ int bucket;
+ isc_boolean_t result = ISC_FALSE;
+
+ bucket = name->lock_bucket;
+ INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+ ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+ name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+ INSIST(adb->name_refcnt[bucket] > 0);
+ adb->name_refcnt[bucket]--;
+ if (adb->name_sd[bucket] && adb->name_refcnt[bucket] == 0)
+ result = ISC_TRUE;
+ return (result);
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static inline void
+link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
+ ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
+ entry->lock_bucket = bucket;
+ adb->entry_refcnt[bucket]++;
+}
+
+/*
+ * Requires the entry's bucket be locked.
+ */
+static inline isc_boolean_t
+unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
+ int bucket;
+ isc_boolean_t result = ISC_FALSE;
+
+ bucket = entry->lock_bucket;
+ INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+ ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+ entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+ INSIST(adb->entry_refcnt[bucket] > 0);
+ adb->entry_refcnt[bucket]--;
+ if (adb->entry_sd[bucket] && adb->entry_refcnt[bucket] == 0)
+ result = ISC_TRUE;
+ return (result);
+}
+
+static inline void
+violate_locking_hierarchy(isc_mutex_t *have, isc_mutex_t *want) {
+ if (isc_mutex_trylock(want) != ISC_R_SUCCESS) {
+ UNLOCK(have);
+ LOCK(want);
+ LOCK(have);
+ }
+}
+
+/*
+ * The ADB _MUST_ be locked before calling. Also, exit conditions must be
+ * checked after calling this function.
+ */
+static isc_boolean_t
+shutdown_names(dns_adb_t *adb) {
+ int bucket;
+ isc_boolean_t result = ISC_FALSE;
+ dns_adbname_t *name;
+ dns_adbname_t *next_name;
+
+ for (bucket = 0; bucket < NBUCKETS; bucket++) {
+ LOCK(&adb->namelocks[bucket]);
+ adb->name_sd[bucket] = ISC_TRUE;
+
+ name = ISC_LIST_HEAD(adb->names[bucket]);
+ if (name == NULL) {
+ /*
+ * This bucket has no names. We must decrement the
+ * irefcnt ourselves, since it will not be
+ * automatically triggered by a name being unlinked.
+ */
+ INSIST(result == ISC_FALSE);
+ result = dec_adb_irefcnt(adb);
+ } else {
+ /*
+ * Run through the list. For each name, clean up finds
+ * found there, and cancel any fetches running. When
+ * all the fetches are canceled, the name will destroy
+ * itself.
+ */
+ while (name != NULL) {
+ next_name = ISC_LIST_NEXT(name, plink);
+ INSIST(result == ISC_FALSE);
+ result = kill_name(&name,
+ DNS_EVENT_ADBSHUTDOWN);
+ name = next_name;
+ }
+ }
+
+ UNLOCK(&adb->namelocks[bucket]);
+ }
+ return (result);
+}
+
+/*
+ * The ADB _MUST_ be locked before calling. Also, exit conditions must be
+ * checked after calling this function.
+ */
+static isc_boolean_t
+shutdown_entries(dns_adb_t *adb) {
+ int bucket;
+ isc_boolean_t result = ISC_FALSE;
+ dns_adbentry_t *entry;
+ dns_adbentry_t *next_entry;
+
+ for (bucket = 0; bucket < NBUCKETS; bucket++) {
+ LOCK(&adb->entrylocks[bucket]);
+ adb->entry_sd[bucket] = ISC_TRUE;
+
+ entry = ISC_LIST_HEAD(adb->entries[bucket]);
+ if (entry == NULL) {
+ /*
+ * This bucket has no entries. We must decrement the
+ * irefcnt ourselves, since it will not be
+ * automatically triggered by an entry being unlinked.
+ */
+ result = dec_adb_irefcnt(adb);
+ } else {
+ /*
+ * Run through the list. Cleanup any entries not
+ * associated with names, and which are not in use.
+ */
+ while (entry != NULL) {
+ next_entry = ISC_LIST_NEXT(entry, plink);
+ if (entry->refcnt == 0 &&
+ entry->expires != 0) {
+ result = unlink_entry(adb, entry);
+ free_adbentry(adb, &entry);
+ if (result)
+ result = dec_adb_irefcnt(adb);
+ }
+ entry = next_entry;
+ }
+ }
+
+ UNLOCK(&adb->entrylocks[bucket]);
+ }
+ return (result);
+}
+
+/*
+ * Name bucket must be locked
+ */
+static void
+cancel_fetches_at_name(dns_adbname_t *name) {
+ if (NAME_FETCH_A(name))
+ dns_resolver_cancelfetch(name->fetch_a->fetch);
+
+ if (NAME_FETCH_AAAA(name))
+ dns_resolver_cancelfetch(name->fetch_aaaa->fetch);
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static isc_boolean_t
+clean_namehooks(dns_adb_t *adb, dns_adbnamehooklist_t *namehooks) {
+ dns_adbentry_t *entry;
+ dns_adbnamehook_t *namehook;
+ int addr_bucket;
+ isc_boolean_t result = ISC_FALSE;
+
+ addr_bucket = DNS_ADB_INVALIDBUCKET;
+ namehook = ISC_LIST_HEAD(*namehooks);
+ while (namehook != NULL) {
+ INSIST(DNS_ADBNAMEHOOK_VALID(namehook));
+
+ /*
+ * Clean up the entry if needed.
+ */
+ entry = namehook->entry;
+ if (entry != NULL) {
+ INSIST(DNS_ADBENTRY_VALID(entry));
+
+ if (addr_bucket != entry->lock_bucket) {
+ if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+ UNLOCK(&adb->entrylocks[addr_bucket]);
+ addr_bucket = entry->lock_bucket;
+ LOCK(&adb->entrylocks[addr_bucket]);
+ }
+
+ result = dec_entry_refcnt(adb, entry, ISC_FALSE);
+ }
+
+ /*
+ * Free the namehook
+ */
+ namehook->entry = NULL;
+ ISC_LIST_UNLINK(*namehooks, namehook, plink);
+ free_adbnamehook(adb, &namehook);
+
+ namehook = ISC_LIST_HEAD(*namehooks);
+ }
+
+ if (addr_bucket != DNS_ADB_INVALIDBUCKET)
+ UNLOCK(&adb->entrylocks[addr_bucket]);
+ return (result);
+}
+
+static void
+clean_target(dns_adb_t *adb, dns_name_t *target) {
+ if (dns_name_countlabels(target) > 0) {
+ dns_name_free(target, adb->mctx);
+ dns_name_init(target, NULL);
+ }
+}
+
+static isc_result_t
+set_target(dns_adb_t *adb, dns_name_t *name, dns_name_t *fname,
+ dns_rdataset_t *rdataset, dns_name_t *target)
+{
+ isc_result_t result;
+ dns_namereln_t namereln;
+ unsigned int nlabels;
+ int order;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_fixedname_t fixed1, fixed2;
+ dns_name_t *prefix, *new_target;
+
+ REQUIRE(dns_name_countlabels(target) == 0);
+
+ if (rdataset->type == dns_rdatatype_cname) {
+ dns_rdata_cname_t cname;
+
+ /*
+ * Copy the CNAME's target into the target name.
+ */
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_name_dup(&cname.cname, adb->mctx, target);
+ dns_rdata_freestruct(&cname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else {
+ dns_rdata_dname_t dname;
+
+ INSIST(rdataset->type == dns_rdatatype_dname);
+ namereln = dns_name_fullcompare(name, fname, &order, &nlabels);
+ INSIST(namereln == dns_namereln_subdomain);
+ /*
+ * Get the target name of the DNAME.
+ */
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /*
+ * Construct the new target name.
+ */
+ dns_fixedname_init(&fixed1);
+ prefix = dns_fixedname_name(&fixed1);
+ dns_fixedname_init(&fixed2);
+ new_target = dns_fixedname_name(&fixed2);
+ dns_name_split(name, nlabels, prefix, NULL);
+ result = dns_name_concatenate(prefix, &dname.dname, new_target,
+ NULL);
+ dns_rdata_freestruct(&dname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_name_dup(new_target, adb->mctx, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Assumes nothing is locked, since this is called by the client.
+ */
+static void
+event_free(isc_event_t *event) {
+ dns_adbfind_t *find;
+
+ INSIST(event != NULL);
+ find = event->ev_destroy_arg;
+ INSIST(DNS_ADBFIND_VALID(find));
+
+ LOCK(&find->lock);
+ find->flags |= FIND_EVENT_FREED;
+ event->ev_destroy_arg = NULL;
+ UNLOCK(&find->lock);
+}
+
+/*
+ * Assumes the name bucket is locked.
+ */
+static void
+clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
+ unsigned int addrs)
+{
+ isc_event_t *ev;
+ isc_task_t *task;
+ dns_adbfind_t *find;
+ dns_adbfind_t *next_find;
+ isc_boolean_t process;
+ unsigned int wanted, notify;
+
+ DP(ENTER_LEVEL,
+ "ENTER clean_finds_at_name, name %p, evtype %08x, addrs %08x",
+ name, evtype, addrs);
+
+ find = ISC_LIST_HEAD(name->finds);
+ while (find != NULL) {
+ LOCK(&find->lock);
+ next_find = ISC_LIST_NEXT(find, plink);
+
+ process = ISC_FALSE;
+ wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+ notify = wanted & addrs;
+
+ switch (evtype) {
+ case DNS_EVENT_ADBMOREADDRESSES:
+ DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBMOREADDRESSES");
+ if ((notify) != 0) {
+ find->flags &= ~addrs;
+ process = ISC_TRUE;
+ }
+ break;
+ case DNS_EVENT_ADBNOMOREADDRESSES:
+ DP(ISC_LOG_DEBUG(3), "DNS_EVENT_ADBNOMOREADDRESSES");
+ find->flags &= ~addrs;
+ wanted = find->flags & DNS_ADBFIND_ADDRESSMASK;
+ if (wanted == 0)
+ process = ISC_TRUE;
+ break;
+ default:
+ find->flags &= ~addrs;
+ process = ISC_TRUE;
+ }
+
+ if (process) {
+ DP(DEF_LEVEL, "cfan: processing find %p", find);
+ /*
+ * Unlink the find from the name, letting the caller
+ * call dns_adb_destroyfind() on it to clean it up
+ * later.
+ */
+ ISC_LIST_UNLINK(name->finds, find, plink);
+ find->adbname = NULL;
+ find->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+ INSIST(!FIND_EVENTSENT(find));
+
+ ev = &find->event;
+ task = ev->ev_sender;
+ ev->ev_sender = find;
+ find->result_v4 = find_err_map[name->fetch_err];
+ find->result_v6 = find_err_map[name->fetch6_err];
+ ev->ev_type = evtype;
+ ev->ev_destroy = event_free;
+ ev->ev_destroy_arg = find;
+
+ DP(DEF_LEVEL,
+ "sending event %p to task %p for find %p",
+ ev, task, find);
+
+ isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+ } else {
+ DP(DEF_LEVEL, "cfan: skipping find %p", find);
+ }
+
+ UNLOCK(&find->lock);
+ find = next_find;
+ }
+
+ DP(ENTER_LEVEL, "EXIT clean_finds_at_name, name %p", name);
+}
+
+static inline void
+check_exit(dns_adb_t *adb) {
+ isc_event_t *event;
+ /*
+ * The caller must be holding the adb lock.
+ */
+ if (adb->shutting_down) {
+ /*
+ * If there aren't any external references either, we're
+ * done. Send the control event to initiate shutdown.
+ */
+ INSIST(!adb->cevent_sent); /* Sanity check. */
+ event = &adb->cevent;
+ isc_task_send(adb->task, &event);
+ adb->cevent_sent = ISC_TRUE;
+ }
+}
+
+static inline isc_boolean_t
+dec_adb_irefcnt(dns_adb_t *adb) {
+ isc_event_t *event;
+ isc_task_t *etask;
+ isc_boolean_t result = ISC_FALSE;
+
+ LOCK(&adb->reflock);
+
+ INSIST(adb->irefcnt > 0);
+ adb->irefcnt--;
+
+ if (adb->irefcnt == 0) {
+ event = ISC_LIST_HEAD(adb->whenshutdown);
+ while (event != NULL) {
+ ISC_LIST_UNLINK(adb->whenshutdown, event, ev_link);
+ etask = event->ev_sender;
+ event->ev_sender = adb;
+ isc_task_sendanddetach(&etask, &event);
+ event = ISC_LIST_HEAD(adb->whenshutdown);
+ }
+ }
+
+ if (adb->irefcnt == 0 && adb->erefcnt == 0)
+ result = ISC_TRUE;
+ UNLOCK(&adb->reflock);
+ return (result);
+}
+
+static inline void
+inc_adb_irefcnt(dns_adb_t *adb) {
+ LOCK(&adb->reflock);
+ adb->irefcnt++;
+ UNLOCK(&adb->reflock);
+}
+
+static inline void
+inc_adb_erefcnt(dns_adb_t *adb) {
+ LOCK(&adb->reflock);
+ adb->erefcnt++;
+ UNLOCK(&adb->reflock);
+}
+
+static inline void
+inc_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
+ int bucket;
+
+ bucket = entry->lock_bucket;
+
+ if (lock)
+ LOCK(&adb->entrylocks[bucket]);
+
+ entry->refcnt++;
+
+ if (lock)
+ UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static inline isc_boolean_t
+dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
+ int bucket;
+ isc_boolean_t destroy_entry;
+ isc_boolean_t result = ISC_FALSE;
+
+ bucket = entry->lock_bucket;
+
+ if (lock)
+ LOCK(&adb->entrylocks[bucket]);
+
+ INSIST(entry->refcnt > 0);
+ entry->refcnt--;
+
+ destroy_entry = ISC_FALSE;
+ if (entry->refcnt == 0 &&
+ (adb->entry_sd[bucket] || entry->expires == 0)) {
+ destroy_entry = ISC_TRUE;
+ result = unlink_entry(adb, entry);
+ }
+
+ if (lock)
+ UNLOCK(&adb->entrylocks[bucket]);
+
+ if (!destroy_entry)
+ return (result);
+
+ entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
+
+ free_adbentry(adb, &entry);
+ if (result)
+ result =dec_adb_irefcnt(adb);
+
+ return (result);
+}
+
+static inline dns_adbname_t *
+new_adbname(dns_adb_t *adb, dns_name_t *dnsname) {
+ dns_adbname_t *name;
+
+ name = isc_mempool_get(adb->nmp);
+ if (name == NULL)
+ return (NULL);
+
+ dns_name_init(&name->name, NULL);
+ if (dns_name_dup(dnsname, adb->mctx, &name->name) != ISC_R_SUCCESS) {
+ isc_mempool_put(adb->nmp, name);
+ return (NULL);
+ }
+ dns_name_init(&name->target, NULL);
+ name->magic = DNS_ADBNAME_MAGIC;
+ name->adb = adb;
+ name->partial_result = 0;
+ name->flags = 0;
+ name->expire_v4 = INT_MAX;
+ name->expire_v6 = INT_MAX;
+ name->expire_target = INT_MAX;
+ name->chains = 0;
+ name->lock_bucket = DNS_ADB_INVALIDBUCKET;
+ ISC_LIST_INIT(name->v4);
+ ISC_LIST_INIT(name->v6);
+ name->fetch_a = NULL;
+ name->fetch_aaaa = NULL;
+ name->fetch_err = FIND_ERR_UNEXPECTED;
+ name->fetch6_err = FIND_ERR_UNEXPECTED;
+ ISC_LIST_INIT(name->finds);
+ ISC_LINK_INIT(name, plink);
+
+ return (name);
+}
+
+static inline void
+free_adbname(dns_adb_t *adb, dns_adbname_t **name) {
+ dns_adbname_t *n;
+
+ INSIST(name != NULL && DNS_ADBNAME_VALID(*name));
+ n = *name;
+ *name = NULL;
+
+ INSIST(!NAME_HAS_V4(n));
+ INSIST(!NAME_HAS_V6(n));
+ INSIST(!NAME_FETCH(n));
+ INSIST(ISC_LIST_EMPTY(n->finds));
+ INSIST(!ISC_LINK_LINKED(n, plink));
+ INSIST(n->lock_bucket == DNS_ADB_INVALIDBUCKET);
+ INSIST(n->adb == adb);
+
+ n->magic = 0;
+ dns_name_free(&n->name, adb->mctx);
+
+ isc_mempool_put(adb->nmp, n);
+}
+
+static inline dns_adbnamehook_t *
+new_adbnamehook(dns_adb_t *adb, dns_adbentry_t *entry) {
+ dns_adbnamehook_t *nh;
+
+ nh = isc_mempool_get(adb->nhmp);
+ if (nh == NULL)
+ return (NULL);
+
+ nh->magic = DNS_ADBNAMEHOOK_MAGIC;
+ nh->entry = entry;
+ ISC_LINK_INIT(nh, plink);
+
+ return (nh);
+}
+
+static inline void
+free_adbnamehook(dns_adb_t *adb, dns_adbnamehook_t **namehook) {
+ dns_adbnamehook_t *nh;
+
+ INSIST(namehook != NULL && DNS_ADBNAMEHOOK_VALID(*namehook));
+ nh = *namehook;
+ *namehook = NULL;
+
+ INSIST(nh->entry == NULL);
+ INSIST(!ISC_LINK_LINKED(nh, plink));
+
+ nh->magic = 0;
+ isc_mempool_put(adb->nhmp, nh);
+}
+
+static inline dns_adbzoneinfo_t *
+new_adbzoneinfo(dns_adb_t *adb, dns_name_t *zone) {
+ dns_adbzoneinfo_t *zi;
+
+ zi = isc_mempool_get(adb->zimp);
+ if (zi == NULL)
+ return (NULL);
+
+ dns_name_init(&zi->zone, NULL);
+ if (dns_name_dup(zone, adb->mctx, &zi->zone) != ISC_R_SUCCESS) {
+ isc_mempool_put(adb->zimp, zi);
+ return (NULL);
+ }
+
+ zi->magic = DNS_ADBZONEINFO_MAGIC;
+ zi->lame_timer = 0;
+ ISC_LINK_INIT(zi, plink);
+
+ return (zi);
+}
+
+static inline void
+free_adbzoneinfo(dns_adb_t *adb, dns_adbzoneinfo_t **zoneinfo) {
+ dns_adbzoneinfo_t *zi;
+
+ INSIST(zoneinfo != NULL && DNS_ADBZONEINFO_VALID(*zoneinfo));
+ zi = *zoneinfo;
+ *zoneinfo = NULL;
+
+ INSIST(!ISC_LINK_LINKED(zi, plink));
+
+ dns_name_free(&zi->zone, adb->mctx);
+
+ zi->magic = 0;
+
+ isc_mempool_put(adb->zimp, zi);
+}
+
+static inline dns_adbentry_t *
+new_adbentry(dns_adb_t *adb) {
+ dns_adbentry_t *e;
+ isc_uint32_t r;
+
+ e = isc_mempool_get(adb->emp);
+ if (e == NULL)
+ return (NULL);
+
+ e->magic = DNS_ADBENTRY_MAGIC;
+ e->lock_bucket = DNS_ADB_INVALIDBUCKET;
+ e->refcnt = 0;
+ e->flags = 0;
+ isc_random_get(&r);
+ e->srtt = (r & 0x1f) + 1;
+ e->expires = 0;
+ ISC_LIST_INIT(e->zoneinfo);
+ ISC_LINK_INIT(e, plink);
+
+ return (e);
+}
+
+static inline void
+free_adbentry(dns_adb_t *adb, dns_adbentry_t **entry) {
+ dns_adbentry_t *e;
+ dns_adbzoneinfo_t *zi;
+
+ INSIST(entry != NULL && DNS_ADBENTRY_VALID(*entry));
+ e = *entry;
+ *entry = NULL;
+
+ INSIST(e->lock_bucket == DNS_ADB_INVALIDBUCKET);
+ INSIST(e->refcnt == 0);
+ INSIST(!ISC_LINK_LINKED(e, plink));
+
+ e->magic = 0;
+
+ zi = ISC_LIST_HEAD(e->zoneinfo);
+ while (zi != NULL) {
+ ISC_LIST_UNLINK(e->zoneinfo, zi, plink);
+ free_adbzoneinfo(adb, &zi);
+ zi = ISC_LIST_HEAD(e->zoneinfo);
+ }
+
+ isc_mempool_put(adb->emp, e);
+}
+
+static inline dns_adbfind_t *
+new_adbfind(dns_adb_t *adb) {
+ dns_adbfind_t *h;
+ isc_result_t result;
+
+ h = isc_mempool_get(adb->ahmp);
+ if (h == NULL)
+ return (NULL);
+
+ /*
+ * Public members.
+ */
+ h->magic = 0;
+ h->adb = adb;
+ h->partial_result = 0;
+ h->options = 0;
+ h->flags = 0;
+ h->result_v4 = ISC_R_UNEXPECTED;
+ h->result_v6 = ISC_R_UNEXPECTED;
+ ISC_LINK_INIT(h, publink);
+ ISC_LINK_INIT(h, plink);
+ ISC_LIST_INIT(h->list);
+ h->adbname = NULL;
+ h->name_bucket = DNS_ADB_INVALIDBUCKET;
+
+ /*
+ * private members
+ */
+ result = isc_mutex_init(&h->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init failed in new_adbfind()");
+ isc_mempool_put(adb->ahmp, h);
+ return (NULL);
+ }
+
+ ISC_EVENT_INIT(&h->event, sizeof(isc_event_t), 0, 0, 0, NULL, NULL,
+ NULL, NULL, h);
+
+ inc_adb_irefcnt(adb);
+ h->magic = DNS_ADBFIND_MAGIC;
+ return (h);
+}
+
+static inline dns_adbfetch_t *
+new_adbfetch(dns_adb_t *adb) {
+ dns_adbfetch_t *f;
+
+ f = isc_mempool_get(adb->afmp);
+ if (f == NULL)
+ return (NULL);
+
+ f->magic = 0;
+ f->namehook = NULL;
+ f->entry = NULL;
+ f->fetch = NULL;
+
+ f->namehook = new_adbnamehook(adb, NULL);
+ if (f->namehook == NULL)
+ goto err;
+
+ f->entry = new_adbentry(adb);
+ if (f->entry == NULL)
+ goto err;
+
+ dns_rdataset_init(&f->rdataset);
+
+ f->magic = DNS_ADBFETCH_MAGIC;
+
+ return (f);
+
+ err:
+ if (f->namehook != NULL)
+ free_adbnamehook(adb, &f->namehook);
+ if (f->entry != NULL)
+ free_adbentry(adb, &f->entry);
+ isc_mempool_put(adb->afmp, f);
+ return (NULL);
+}
+
+static inline void
+free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
+ dns_adbfetch_t *f;
+
+ INSIST(fetch != NULL && DNS_ADBFETCH_VALID(*fetch));
+ f = *fetch;
+ *fetch = NULL;
+
+ f->magic = 0;
+
+ if (f->namehook != NULL)
+ free_adbnamehook(adb, &f->namehook);
+ if (f->entry != NULL)
+ free_adbentry(adb, &f->entry);
+
+ if (dns_rdataset_isassociated(&f->rdataset))
+ dns_rdataset_disassociate(&f->rdataset);
+
+ isc_mempool_put(adb->afmp, f);
+}
+
+static inline isc_boolean_t
+free_adbfind(dns_adb_t *adb, dns_adbfind_t **findp) {
+ dns_adbfind_t *find;
+
+ INSIST(findp != NULL && DNS_ADBFIND_VALID(*findp));
+ find = *findp;
+ *findp = NULL;
+
+ INSIST(!FIND_HAS_ADDRS(find));
+ INSIST(!ISC_LINK_LINKED(find, publink));
+ INSIST(!ISC_LINK_LINKED(find, plink));
+ INSIST(find->name_bucket == DNS_ADB_INVALIDBUCKET);
+ INSIST(find->adbname == NULL);
+
+ find->magic = 0;
+
+ DESTROYLOCK(&find->lock);
+ isc_mempool_put(adb->ahmp, find);
+ return (dec_adb_irefcnt(adb));
+}
+
+/*
+ * Copy bits from the entry into the newly allocated addrinfo. The entry
+ * must be locked, and the reference count must be bumped up by one
+ * if this function returns a valid pointer.
+ */
+static inline dns_adbaddrinfo_t *
+new_adbaddrinfo(dns_adb_t *adb, dns_adbentry_t *entry, in_port_t port) {
+ dns_adbaddrinfo_t *ai;
+
+ ai = isc_mempool_get(adb->aimp);
+ if (ai == NULL)
+ return (NULL);
+
+ ai->magic = DNS_ADBADDRINFO_MAGIC;
+ ai->sockaddr = entry->sockaddr;
+ isc_sockaddr_setport(&ai->sockaddr, port);
+ ai->srtt = entry->srtt;
+ ai->flags = entry->flags;
+ ai->entry = entry;
+ ISC_LINK_INIT(ai, publink);
+
+ return (ai);
+}
+
+static inline void
+free_adbaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **ainfo) {
+ dns_adbaddrinfo_t *ai;
+
+ INSIST(ainfo != NULL && DNS_ADBADDRINFO_VALID(*ainfo));
+ ai = *ainfo;
+ *ainfo = NULL;
+
+ INSIST(ai->entry == NULL);
+ INSIST(!ISC_LINK_LINKED(ai, publink));
+
+ ai->magic = 0;
+
+ isc_mempool_put(adb->aimp, ai);
+}
+
+/*
+ * Search for the name. NOTE: The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller!
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET.
+ */
+static inline dns_adbname_t *
+find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
+ unsigned int options, int *bucketp)
+{
+ dns_adbname_t *adbname;
+ int bucket;
+
+ bucket = dns_name_fullhash(name, ISC_FALSE) % NBUCKETS;
+
+ if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+ LOCK(&adb->namelocks[bucket]);
+ *bucketp = bucket;
+ } else if (*bucketp != bucket) {
+ UNLOCK(&adb->namelocks[*bucketp]);
+ LOCK(&adb->namelocks[bucket]);
+ *bucketp = bucket;
+ }
+
+ adbname = ISC_LIST_HEAD(adb->names[bucket]);
+ while (adbname != NULL) {
+ if (!NAME_DEAD(adbname)) {
+ if (dns_name_equal(name, &adbname->name)
+ && GLUEHINT_OK(adbname, options)
+ && STARTATZONE_MATCHES(adbname, options))
+ return (adbname);
+ }
+ adbname = ISC_LIST_NEXT(adbname, plink);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Search for the address. NOTE: The bucket is kept locked on both
+ * success and failure, so it must always be unlocked by the caller.
+ *
+ * On the first call to this function, *bucketp must be set to
+ * DNS_ADB_INVALIDBUCKET. This will cause a lock to occur. On
+ * later calls (within the same "lock path") it can be left alone, so
+ * if this function is called multiple times locking is only done if
+ * the bucket changes.
+ */
+static inline dns_adbentry_t *
+find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
+ dns_adbentry_t *entry;
+ int bucket;
+
+ bucket = isc_sockaddr_hash(addr, ISC_TRUE) % NBUCKETS;
+
+ if (*bucketp == DNS_ADB_INVALIDBUCKET) {
+ LOCK(&adb->entrylocks[bucket]);
+ *bucketp = bucket;
+ } else if (*bucketp != bucket) {
+ UNLOCK(&adb->entrylocks[*bucketp]);
+ LOCK(&adb->entrylocks[bucket]);
+ *bucketp = bucket;
+ }
+
+ entry = ISC_LIST_HEAD(adb->entries[bucket]);
+ while (entry != NULL) {
+ if (isc_sockaddr_equal(addr, &entry->sockaddr))
+ return (entry);
+ entry = ISC_LIST_NEXT(entry, plink);
+ }
+
+ return (NULL);
+}
+
+/*
+ * Entry bucket MUST be locked!
+ */
+static isc_boolean_t
+entry_is_bad_for_zone(dns_adb_t *adb, dns_adbentry_t *entry, dns_name_t *zone,
+ isc_stdtime_t now)
+{
+ dns_adbzoneinfo_t *zi, *next_zi;
+ isc_boolean_t is_bad;
+
+ is_bad = ISC_FALSE;
+
+ zi = ISC_LIST_HEAD(entry->zoneinfo);
+ if (zi == NULL)
+ return (ISC_FALSE);
+ while (zi != NULL) {
+ next_zi = ISC_LIST_NEXT(zi, plink);
+
+ /*
+ * Has the entry expired?
+ */
+ if (zi->lame_timer < now) {
+ ISC_LIST_UNLINK(entry->zoneinfo, zi, plink);
+ free_adbzoneinfo(adb, &zi);
+ }
+
+ /*
+ * Order tests from least to most expensive.
+ */
+ if (zi != NULL && !is_bad) {
+ if (dns_name_equal(zone, &zi->zone))
+ is_bad = ISC_TRUE;
+ }
+
+ zi = next_zi;
+ }
+
+ return (is_bad);
+}
+
+static void
+copy_namehook_lists(dns_adb_t *adb, dns_adbfind_t *find, dns_name_t *zone,
+ dns_adbname_t *name, isc_stdtime_t now)
+{
+ dns_adbnamehook_t *namehook;
+ dns_adbaddrinfo_t *addrinfo;
+ dns_adbentry_t *entry;
+ int bucket;
+
+ bucket = DNS_ADB_INVALIDBUCKET;
+
+ if (find->options & DNS_ADBFIND_INET) {
+ namehook = ISC_LIST_HEAD(name->v4);
+ while (namehook != NULL) {
+ entry = namehook->entry;
+ bucket = entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+
+ if (!FIND_RETURNLAME(find)
+ && entry_is_bad_for_zone(adb, entry, zone, now)) {
+ find->options |= DNS_ADBFIND_LAMEPRUNED;
+ goto nextv4;
+ }
+ addrinfo = new_adbaddrinfo(adb, entry, find->port);
+ if (addrinfo == NULL) {
+ find->partial_result |= DNS_ADBFIND_INET;
+ goto out;
+ }
+ /*
+ * Found a valid entry. Add it to the find's list.
+ */
+ inc_entry_refcnt(adb, entry, ISC_FALSE);
+ ISC_LIST_APPEND(find->list, addrinfo, publink);
+ addrinfo = NULL;
+ nextv4:
+ UNLOCK(&adb->entrylocks[bucket]);
+ bucket = DNS_ADB_INVALIDBUCKET;
+ namehook = ISC_LIST_NEXT(namehook, plink);
+ }
+ }
+
+ if (find->options & DNS_ADBFIND_INET6) {
+ namehook = ISC_LIST_HEAD(name->v6);
+ while (namehook != NULL) {
+ entry = namehook->entry;
+ bucket = entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+
+ if (entry_is_bad_for_zone(adb, entry, zone, now))
+ goto nextv6;
+ addrinfo = new_adbaddrinfo(adb, entry, find->port);
+ if (addrinfo == NULL) {
+ find->partial_result |= DNS_ADBFIND_INET6;
+ goto out;
+ }
+ /*
+ * Found a valid entry. Add it to the find's list.
+ */
+ inc_entry_refcnt(adb, entry, ISC_FALSE);
+ ISC_LIST_APPEND(find->list, addrinfo, publink);
+ addrinfo = NULL;
+ nextv6:
+ UNLOCK(&adb->entrylocks[bucket]);
+ bucket = DNS_ADB_INVALIDBUCKET;
+ namehook = ISC_LIST_NEXT(namehook, plink);
+ }
+ }
+
+ out:
+ if (bucket != DNS_ADB_INVALIDBUCKET)
+ UNLOCK(&adb->entrylocks[bucket]);
+}
+
+static void
+shutdown_task(isc_task_t *task, isc_event_t *ev) {
+ dns_adb_t *adb;
+
+ UNUSED(task);
+
+ adb = ev->ev_arg;
+ INSIST(DNS_ADB_VALID(adb));
+
+ /*
+ * Kill the timer, and then the ADB itself. Note that this implies
+ * that this task was the one scheduled to get timer events. If
+ * this is not true (and it is unfortunate there is no way to INSIST()
+ * this) badness will occur.
+ */
+ LOCK(&adb->lock);
+ isc_timer_detach(&adb->timer);
+ UNLOCK(&adb->lock);
+ isc_event_free(&ev);
+ destroy(adb);
+}
+
+/*
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static isc_boolean_t
+check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
+ dns_adbname_t *name;
+ isc_result_t result = ISC_FALSE;
+
+ INSIST(namep != NULL && DNS_ADBNAME_VALID(*namep));
+ name = *namep;
+
+ if (NAME_HAS_V4(name) || NAME_HAS_V6(name))
+ return (result);
+ if (NAME_FETCH(name))
+ return (result);
+ if (!EXPIRE_OK(name->expire_v4, now))
+ return (result);
+ if (!EXPIRE_OK(name->expire_v6, now))
+ return (result);
+ if (!EXPIRE_OK(name->expire_target, now))
+ return (result);
+
+ /*
+ * The name is empty. Delete it.
+ */
+ result = kill_name(&name, DNS_EVENT_ADBEXPIRED);
+ *namep = NULL;
+
+ /*
+ * Our caller, or one of its callers, will be calling check_exit() at
+ * some point, so we don't need to do it here.
+ */
+ return (result);
+}
+
+/*
+ * Entry bucket must be locked; adb may be locked; no other locks held.
+ */
+static isc_boolean_t
+check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
+{
+ dns_adbentry_t *entry;
+ isc_boolean_t expire;
+ isc_boolean_t result = ISC_FALSE;
+
+ INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
+ entry = *entryp;
+
+ if (entry->refcnt != 0)
+ return (result);
+
+ if (adb->overmem) {
+ isc_uint32_t val;
+
+ isc_random_get(&val);
+
+ expire = ISC_TF((val % 4) == 0);
+ } else
+ expire = ISC_FALSE;
+
+ if (entry->expires == 0 || (! expire && entry->expires > now))
+ return (result);
+
+ /*
+ * The entry is not in use. Delete it.
+ */
+ DP(DEF_LEVEL, "killing entry %p", entry);
+ INSIST(ISC_LINK_LINKED(entry, plink));
+ result = unlink_entry(adb, entry);
+ free_adbentry(adb, &entry);
+ if (result)
+ dec_adb_irefcnt(adb);
+ *entryp = NULL;
+ return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static isc_boolean_t
+cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+ dns_adbname_t *name;
+ dns_adbname_t *next_name;
+ isc_result_t result = ISC_FALSE;
+
+ DP(CLEAN_LEVEL, "cleaning name bucket %d", bucket);
+
+ LOCK(&adb->namelocks[bucket]);
+ if (adb->name_sd[bucket]) {
+ UNLOCK(&adb->namelocks[bucket]);
+ return (result);
+ }
+
+ name = ISC_LIST_HEAD(adb->names[bucket]);
+ while (name != NULL) {
+ next_name = ISC_LIST_NEXT(name, plink);
+ INSIST(result == ISC_FALSE);
+ result = check_expire_namehooks(name, now, adb->overmem);
+ if (!result)
+ result = check_expire_name(&name, now);
+ name = next_name;
+ }
+ UNLOCK(&adb->namelocks[bucket]);
+ return (result);
+}
+
+/*
+ * ADB must be locked, and no other locks held.
+ */
+static isc_boolean_t
+cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+ dns_adbentry_t *entry, *next_entry;
+ isc_boolean_t result = ISC_FALSE;
+
+ DP(CLEAN_LEVEL, "cleaning entry bucket %d", bucket);
+
+ LOCK(&adb->entrylocks[bucket]);
+ entry = ISC_LIST_HEAD(adb->entries[bucket]);
+ while (entry != NULL) {
+ next_entry = ISC_LIST_NEXT(entry, plink);
+ INSIST(result == ISC_FALSE);
+ result = check_expire_entry(adb, &entry, now);
+ entry = next_entry;
+ }
+ UNLOCK(&adb->entrylocks[bucket]);
+ return (result);
+}
+
+static void
+timer_cleanup(isc_task_t *task, isc_event_t *ev) {
+ dns_adb_t *adb;
+ isc_stdtime_t now;
+ unsigned int i;
+ isc_interval_t interval;
+
+ UNUSED(task);
+
+ adb = ev->ev_arg;
+ INSIST(DNS_ADB_VALID(adb));
+
+ LOCK(&adb->lock);
+
+ isc_stdtime_get(&now);
+
+ for (i = 0; i < CLEAN_BUCKETS; i++) {
+ /*
+ * Call our cleanup routines.
+ */
+ RUNTIME_CHECK(cleanup_names(adb, adb->next_cleanbucket, now) ==
+ ISC_FALSE);
+ RUNTIME_CHECK(cleanup_entries(adb, adb->next_cleanbucket, now)
+ == ISC_FALSE);
+
+ /*
+ * Set the next bucket to be cleaned.
+ */
+ adb->next_cleanbucket++;
+ if (adb->next_cleanbucket >= NBUCKETS) {
+ adb->next_cleanbucket = 0;
+#ifdef DUMP_ADB_AFTER_CLEANING
+ dump_adb(adb, stdout, ISC_TRUE);
+#endif
+ }
+ }
+
+ /*
+ * Reset the timer.
+ * XXXDCL isc_timer_reset might return ISC_R_UNEXPECTED or
+ * ISC_R_NOMEMORY, but it isn't clear what could be done here
+ * if either one of those things happened.
+ */
+ interval = adb->tick_interval;
+ if (adb->overmem)
+ isc_interval_set(&interval, 0, 1);
+ (void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
+ &interval, ISC_FALSE);
+
+ UNLOCK(&adb->lock);
+
+ isc_event_free(&ev);
+}
+
+static void
+destroy(dns_adb_t *adb) {
+ adb->magic = 0;
+
+ /*
+ * The timer is already dead, from the task's shutdown callback.
+ */
+ isc_task_detach(&adb->task);
+
+ isc_mempool_destroy(&adb->nmp);
+ isc_mempool_destroy(&adb->nhmp);
+ isc_mempool_destroy(&adb->zimp);
+ isc_mempool_destroy(&adb->emp);
+ isc_mempool_destroy(&adb->ahmp);
+ isc_mempool_destroy(&adb->aimp);
+ isc_mempool_destroy(&adb->afmp);
+
+ DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
+ DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
+
+ DESTROYLOCK(&adb->reflock);
+ DESTROYLOCK(&adb->lock);
+ DESTROYLOCK(&adb->mplock);
+
+ isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+}
+
+
+/*
+ * Public functions.
+ */
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
+ isc_taskmgr_t *taskmgr, dns_adb_t **newadb)
+{
+ dns_adb_t *adb;
+ isc_result_t result;
+ int i;
+
+ REQUIRE(mem != NULL);
+ REQUIRE(view != NULL);
+ REQUIRE(timermgr != NULL);
+ REQUIRE(taskmgr != NULL);
+ REQUIRE(newadb != NULL && *newadb == NULL);
+
+ adb = isc_mem_get(mem, sizeof(dns_adb_t));
+ if (adb == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /*
+ * Initialize things here that cannot fail, and especially things
+ * that must be NULL for the error return to work properly.
+ */
+ adb->magic = 0;
+ adb->erefcnt = 1;
+ adb->irefcnt = 0;
+ adb->nmp = NULL;
+ adb->nhmp = NULL;
+ adb->zimp = NULL;
+ adb->emp = NULL;
+ adb->ahmp = NULL;
+ adb->aimp = NULL;
+ adb->afmp = NULL;
+ adb->task = NULL;
+ adb->timer = NULL;
+ adb->mctx = NULL;
+ adb->view = view;
+ adb->timermgr = timermgr;
+ adb->taskmgr = taskmgr;
+ adb->next_cleanbucket = 0;
+ ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
+ DNS_EVENT_ADBCONTROL, shutdown_task, adb,
+ adb, NULL, NULL);
+ adb->cevent_sent = ISC_FALSE;
+ adb->shutting_down = ISC_FALSE;
+ adb->overmem = ISC_FALSE;
+ ISC_LIST_INIT(adb->whenshutdown);
+
+ isc_mem_attach(mem, &adb->mctx);
+
+ result = isc_mutex_init(&adb->lock);
+ if (result != ISC_R_SUCCESS)
+ goto fail0b;
+
+ result = isc_mutex_init(&adb->mplock);
+ if (result != ISC_R_SUCCESS)
+ goto fail0c;
+
+ result = isc_mutex_init(&adb->reflock);
+ if (result != ISC_R_SUCCESS)
+ goto fail0d;
+
+ /*
+ * Initialize the bucket locks for names and elements.
+ * May as well initialize the list heads, too.
+ */
+ result = isc_mutexblock_init(adb->namelocks, NBUCKETS);
+ if (result != ISC_R_SUCCESS)
+ goto fail1;
+ for (i = 0; i < NBUCKETS; i++) {
+ ISC_LIST_INIT(adb->names[i]);
+ adb->name_sd[i] = ISC_FALSE;
+ adb->name_refcnt[i] = 0;
+ adb->irefcnt++;
+ }
+ for (i = 0; i < NBUCKETS; i++) {
+ ISC_LIST_INIT(adb->entries[i]);
+ adb->entry_sd[i] = ISC_FALSE;
+ adb->entry_refcnt[i] = 0;
+ adb->irefcnt++;
+ }
+ result = isc_mutexblock_init(adb->entrylocks, NBUCKETS);
+ if (result != ISC_R_SUCCESS)
+ goto fail2;
+
+ /*
+ * Memory pools
+ */
+#define MPINIT(t, p, n) do { \
+ result = isc_mempool_create(mem, sizeof(t), &(p)); \
+ if (result != ISC_R_SUCCESS) \
+ goto fail3; \
+ isc_mempool_setfreemax((p), FREE_ITEMS); \
+ isc_mempool_setfillcount((p), FILL_COUNT); \
+ isc_mempool_setname((p), n); \
+ isc_mempool_associatelock((p), &adb->mplock); \
+} while (0)
+
+ MPINIT(dns_adbname_t, adb->nmp, "adbname");
+ MPINIT(dns_adbnamehook_t, adb->nhmp, "adbnamehook");
+ MPINIT(dns_adbzoneinfo_t, adb->zimp, "adbzoneinfo");
+ MPINIT(dns_adbentry_t, adb->emp, "adbentry");
+ MPINIT(dns_adbfind_t, adb->ahmp, "adbfind");
+ MPINIT(dns_adbaddrinfo_t, adb->aimp, "adbaddrinfo");
+ MPINIT(dns_adbfetch_t, adb->afmp, "adbfetch");
+
+#undef MPINIT
+
+ /*
+ * Allocate a timer and a task for our periodic cleanup.
+ */
+ result = isc_task_create(adb->taskmgr, 0, &adb->task);
+ if (result != ISC_R_SUCCESS)
+ goto fail3;
+ isc_task_setname(adb->task, "ADB", adb);
+ /*
+ * XXXMLG When this is changed to be a config file option,
+ */
+ isc_interval_set(&adb->tick_interval, CLEAN_SECONDS, 0);
+ result = isc_timer_create(adb->timermgr, isc_timertype_once,
+ NULL, &adb->tick_interval, adb->task,
+ timer_cleanup, adb, &adb->timer);
+ if (result != ISC_R_SUCCESS)
+ goto fail3;
+
+ DP(ISC_LOG_DEBUG(5), "cleaning interval for adb: "
+ "%u buckets every %u seconds, %u buckets in system, %u cl.interval",
+ CLEAN_BUCKETS, CLEAN_SECONDS, NBUCKETS, CLEAN_PERIOD);
+
+ /*
+ * Normal return.
+ */
+ adb->magic = DNS_ADB_MAGIC;
+ *newadb = adb;
+ return (ISC_R_SUCCESS);
+
+ fail3:
+ if (adb->task != NULL)
+ isc_task_detach(&adb->task);
+ if (adb->timer != NULL)
+ isc_timer_detach(&adb->timer);
+
+ /* clean up entrylocks */
+ DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
+
+ fail2: /* clean up namelocks */
+ DESTROYMUTEXBLOCK(adb->namelocks, NBUCKETS);
+
+ fail1: /* clean up only allocated memory */
+ if (adb->nmp != NULL)
+ isc_mempool_destroy(&adb->nmp);
+ if (adb->nhmp != NULL)
+ isc_mempool_destroy(&adb->nhmp);
+ if (adb->zimp != NULL)
+ isc_mempool_destroy(&adb->zimp);
+ if (adb->emp != NULL)
+ isc_mempool_destroy(&adb->emp);
+ if (adb->ahmp != NULL)
+ isc_mempool_destroy(&adb->ahmp);
+ if (adb->aimp != NULL)
+ isc_mempool_destroy(&adb->aimp);
+ if (adb->afmp != NULL)
+ isc_mempool_destroy(&adb->afmp);
+
+ DESTROYLOCK(&adb->reflock);
+ fail0d:
+ DESTROYLOCK(&adb->mplock);
+ fail0c:
+ DESTROYLOCK(&adb->lock);
+ fail0b:
+ isc_mem_putanddetach(&adb->mctx, adb, sizeof(dns_adb_t));
+
+ return (result);
+}
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbx) {
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(adbx != NULL && *adbx == NULL);
+
+ inc_adb_erefcnt(adb);
+ *adbx = adb;
+}
+
+void
+dns_adb_detach(dns_adb_t **adbx) {
+ dns_adb_t *adb;
+ isc_boolean_t need_exit_check;
+
+ REQUIRE(adbx != NULL && DNS_ADB_VALID(*adbx));
+
+ adb = *adbx;
+ *adbx = NULL;
+
+ INSIST(adb->erefcnt > 0);
+
+ LOCK(&adb->reflock);
+ adb->erefcnt--;
+ need_exit_check = ISC_TF(adb->erefcnt == 0 && adb->irefcnt == 0);
+ UNLOCK(&adb->reflock);
+
+ if (need_exit_check) {
+ LOCK(&adb->lock);
+ INSIST(adb->shutting_down);
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+ }
+}
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
+ isc_task_t *clone;
+ isc_event_t *event;
+ isc_boolean_t zeroirefcnt = ISC_FALSE;
+
+ /*
+ * Send '*eventp' to 'task' when 'adb' has shutdown.
+ */
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(eventp != NULL);
+
+ event = *eventp;
+ *eventp = NULL;
+
+ LOCK(&adb->lock);
+
+ LOCK(&adb->reflock);
+ zeroirefcnt = ISC_TF(adb->irefcnt == 0);
+
+ if (adb->shutting_down && zeroirefcnt &&
+ isc_mempool_getallocated(adb->ahmp) == 0) {
+ /*
+ * We're already shutdown. Send the event.
+ */
+ event->ev_sender = adb;
+ isc_task_send(task, &event);
+ } else {
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event->ev_sender = clone;
+ ISC_LIST_APPEND(adb->whenshutdown, event, ev_link);
+ }
+
+ UNLOCK(&adb->reflock);
+ UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_shutdown(dns_adb_t *adb) {
+ isc_boolean_t need_check_exit;
+
+ /*
+ * Shutdown 'adb'.
+ */
+
+ LOCK(&adb->lock);
+
+ if (!adb->shutting_down) {
+ adb->shutting_down = ISC_TRUE;
+ isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+ need_check_exit = shutdown_names(adb);
+ if (!need_check_exit)
+ need_check_exit = shutdown_entries(adb);
+ if (need_check_exit)
+ check_exit(adb);
+ }
+
+ UNLOCK(&adb->lock);
+}
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ void *arg, dns_name_t *name, dns_name_t *zone,
+ unsigned int options, isc_stdtime_t now, dns_name_t *target,
+ in_port_t port, dns_adbfind_t **findp)
+{
+ dns_adbfind_t *find;
+ dns_adbname_t *adbname;
+ int bucket;
+ isc_boolean_t want_event, start_at_zone, alias, have_address;
+ isc_result_t result;
+ unsigned int wanted_addresses;
+ unsigned int wanted_fetches;
+ unsigned int query_pending;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ if (task != NULL) {
+ REQUIRE(action != NULL);
+ }
+ REQUIRE(name != NULL);
+ REQUIRE(zone != NULL);
+ REQUIRE(findp != NULL && *findp == NULL);
+ REQUIRE(target == NULL || dns_name_hasbuffer(target));
+
+ REQUIRE((options & DNS_ADBFIND_ADDRESSMASK) != 0);
+
+ result = ISC_R_UNEXPECTED;
+ wanted_addresses = (options & DNS_ADBFIND_ADDRESSMASK);
+ wanted_fetches = 0;
+ query_pending = 0;
+ want_event = ISC_FALSE;
+ start_at_zone = ISC_FALSE;
+ alias = ISC_FALSE;
+
+ if (now == 0)
+ isc_stdtime_get(&now);
+
+ /*
+ * XXXMLG Move this comment somewhere else!
+ *
+ * Look up the name in our internal database.
+ *
+ * Possibilities: Note that these are not always exclusive.
+ *
+ * No name found. In this case, allocate a new name header and
+ * an initial namehook or two. If any of these allocations
+ * fail, clean up and return ISC_R_NOMEMORY.
+ *
+ * Name found, valid addresses present. Allocate one addrinfo
+ * structure for each found and append it to the linked list
+ * of addresses for this header.
+ *
+ * Name found, queries pending. In this case, if a task was
+ * passed in, allocate a job id, attach it to the name's job
+ * list and remember to tell the caller that there will be
+ * more info coming later.
+ */
+
+ find = new_adbfind(adb);
+ if (find == NULL)
+ return (ISC_R_NOMEMORY);
+
+ find->port = port;
+
+ /*
+ * Remember what types of addresses we are interested in.
+ */
+ find->options = options;
+ find->flags |= wanted_addresses;
+ if (FIND_WANTEVENT(find)) {
+ REQUIRE(task != NULL);
+ }
+
+ /*
+ * Try to see if we know anything about this name at all.
+ */
+ bucket = DNS_ADB_INVALIDBUCKET;
+ adbname = find_name_and_lock(adb, name, find->options, &bucket);
+ if (adb->name_sd[bucket]) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: returning ISC_R_SHUTTINGDOWN");
+ RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
+ result = ISC_R_SHUTTINGDOWN;
+ goto out;
+ }
+
+ /*
+ * Nothing found. Allocate a new adbname structure for this name.
+ */
+ if (adbname == NULL) {
+ adbname = new_adbname(adb, name);
+ if (adbname == NULL) {
+ RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
+ result = ISC_R_NOMEMORY;
+ goto out;
+ }
+ link_name(adb, bucket, adbname);
+ if (FIND_HINTOK(find))
+ adbname->flags |= NAME_HINT_OK;
+ if (FIND_GLUEOK(find))
+ adbname->flags |= NAME_GLUE_OK;
+ if (FIND_STARTATZONE(find))
+ adbname->flags |= NAME_STARTATZONE;
+ }
+
+ /*
+ * Expire old entries, etc.
+ */
+ RUNTIME_CHECK(check_expire_namehooks(adbname, now, adb->overmem) ==
+ ISC_FALSE);
+
+ /*
+ * Do we know that the name is an alias?
+ */
+ if (!EXPIRE_OK(adbname->expire_target, now)) {
+ /*
+ * Yes, it is.
+ */
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: name %p is an alias (cached)",
+ adbname);
+ alias = ISC_TRUE;
+ goto post_copy;
+ }
+
+ /*
+ * Try to populate the name from the database and/or
+ * start fetches. First try looking for an A record
+ * in the database.
+ */
+ if (!NAME_HAS_V4(adbname) && EXPIRE_OK(adbname->expire_v4, now)
+ && WANT_INET(wanted_addresses)) {
+ result = dbfind_name(adbname, now, dns_rdatatype_a);
+ if (result == ISC_R_SUCCESS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: found A for name %p in db",
+ adbname);
+ goto v6;
+ }
+
+ /*
+ * Did we get a CNAME or DNAME?
+ */
+ if (result == DNS_R_ALIAS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: name %p is an alias",
+ adbname);
+ alias = ISC_TRUE;
+ goto post_copy;
+ }
+
+ /*
+ * If the name doesn't exist at all, don't bother with
+ * v6 queries; they won't work.
+ *
+ * If the name does exist but we didn't get our data, go
+ * ahead and try AAAA.
+ *
+ * If the result is neither of these, try a fetch for A.
+ */
+ if (NXDOMAIN_RESULT(result))
+ goto fetch;
+ else if (NXRRSET_RESULT(result))
+ goto v6;
+
+ if (!NAME_FETCH_V4(adbname))
+ wanted_fetches |= DNS_ADBFIND_INET;
+ }
+
+ v6:
+ if (!NAME_HAS_V6(adbname) && EXPIRE_OK(adbname->expire_v6, now)
+ && WANT_INET6(wanted_addresses)) {
+ result = dbfind_name(adbname, now, dns_rdatatype_aaaa);
+ if (result == ISC_R_SUCCESS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: found AAAA for name %p",
+ adbname);
+ goto fetch;
+ }
+
+ /*
+ * Did we get a CNAME or DNAME?
+ */
+ if (result == DNS_R_ALIAS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: name %p is an alias",
+ adbname);
+ alias = ISC_TRUE;
+ goto post_copy;
+ }
+
+ /*
+ * Listen to negative cache hints, and don't start
+ * another query.
+ */
+ if (NCACHE_RESULT(result) || AUTH_NX(result))
+ goto fetch;
+
+ if (!NAME_FETCH_V6(adbname))
+ wanted_fetches |= DNS_ADBFIND_INET6;
+ }
+
+ fetch:
+ if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) ||
+ (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname)))
+ have_address = ISC_TRUE;
+ else
+ have_address = ISC_FALSE;
+ if (wanted_fetches != 0 &&
+ ! (FIND_AVOIDFETCHES(find) && have_address)) {
+ /*
+ * We're missing at least one address family. Either the
+ * caller hasn't instructed us to avoid fetches, or we don't
+ * know anything about any of the address families that would
+ * be acceptable so we have to launch fetches.
+ */
+
+ if (FIND_STARTATZONE(find))
+ start_at_zone = ISC_TRUE;
+
+ /*
+ * Start V4.
+ */
+ if (WANT_INET(wanted_fetches) &&
+ fetch_name(adbname, start_at_zone,
+ dns_rdatatype_a) == ISC_R_SUCCESS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: started A fetch for name %p",
+ adbname);
+ }
+
+ /*
+ * Start V6.
+ */
+ if (WANT_INET6(wanted_fetches) &&
+ fetch_name(adbname, start_at_zone,
+ dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
+ DP(DEF_LEVEL,
+ "dns_adb_createfind: "
+ "started AAAA fetch for name %p",
+ adbname);
+ }
+ }
+
+ /*
+ * Run through the name and copy out the bits we are
+ * interested in.
+ */
+ copy_namehook_lists(adb, find, zone, adbname, now);
+
+ post_copy:
+ if (NAME_FETCH_V4(adbname))
+ query_pending |= DNS_ADBFIND_INET;
+ if (NAME_FETCH_V6(adbname))
+ query_pending |= DNS_ADBFIND_INET6;
+
+ /*
+ * Attach to the name's query list if there are queries
+ * already running, and we have been asked to.
+ */
+ want_event = ISC_TRUE;
+ if (!FIND_WANTEVENT(find))
+ want_event = ISC_FALSE;
+ if (FIND_WANTEMPTYEVENT(find) && FIND_HAS_ADDRS(find))
+ want_event = ISC_FALSE;
+ if ((wanted_addresses & query_pending) == 0)
+ want_event = ISC_FALSE;
+ if (alias)
+ want_event = ISC_FALSE;
+ if (want_event) {
+ find->adbname = adbname;
+ find->name_bucket = bucket;
+ ISC_LIST_APPEND(adbname->finds, find, plink);
+ find->query_pending = (query_pending & wanted_addresses);
+ find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+ find->flags |= (find->query_pending & DNS_ADBFIND_ADDRESSMASK);
+ DP(DEF_LEVEL, "createfind: attaching find %p to adbname %p",
+ find, adbname);
+ } else {
+ /*
+ * Remove the flag so the caller knows there will never
+ * be an event, and set internal flags to fake that
+ * the event was sent and freed, so dns_adb_destroyfind() will
+ * do the right thing.
+ */
+ find->query_pending = (query_pending & wanted_addresses);
+ find->options &= ~DNS_ADBFIND_WANTEVENT;
+ find->flags |= (FIND_EVENT_SENT | FIND_EVENT_FREED);
+ find->flags &= ~DNS_ADBFIND_ADDRESSMASK;
+ }
+
+ find->partial_result |= (adbname->partial_result & wanted_addresses);
+ if (alias) {
+ if (target != NULL) {
+ result = dns_name_copy(&adbname->target, target, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ }
+ result = DNS_R_ALIAS;
+ } else
+ result = ISC_R_SUCCESS;
+
+ /*
+ * Copy out error flags from the name structure into the find.
+ */
+ find->result_v4 = find_err_map[adbname->fetch_err];
+ find->result_v6 = find_err_map[adbname->fetch6_err];
+
+ out:
+ if (find != NULL) {
+ *findp = find;
+
+ if (want_event) {
+ isc_task_t *taskp;
+
+ INSIST((find->flags & DNS_ADBFIND_ADDRESSMASK) != 0);
+ taskp = NULL;
+ isc_task_attach(task, &taskp);
+ find->event.ev_sender = taskp;
+ find->event.ev_action = action;
+ find->event.ev_arg = arg;
+ }
+ }
+
+ if (bucket != DNS_ADB_INVALIDBUCKET)
+ UNLOCK(&adb->namelocks[bucket]);
+
+ return (result);
+}
+
+void
+dns_adb_destroyfind(dns_adbfind_t **findp) {
+ dns_adbfind_t *find;
+ dns_adbentry_t *entry;
+ dns_adbaddrinfo_t *ai;
+ int bucket;
+ dns_adb_t *adb;
+
+ REQUIRE(findp != NULL && DNS_ADBFIND_VALID(*findp));
+ find = *findp;
+ *findp = NULL;
+
+ LOCK(&find->lock);
+
+ DP(DEF_LEVEL, "dns_adb_destroyfind on find %p", find);
+
+ adb = find->adb;
+ REQUIRE(DNS_ADB_VALID(adb));
+
+ REQUIRE(FIND_EVENTFREED(find));
+
+ bucket = find->name_bucket;
+ INSIST(bucket == DNS_ADB_INVALIDBUCKET);
+
+ UNLOCK(&find->lock);
+
+ /*
+ * The find doesn't exist on any list, and nothing is locked.
+ * Return the find to the memory pool, and decrement the adb's
+ * reference count.
+ */
+ ai = ISC_LIST_HEAD(find->list);
+ while (ai != NULL) {
+ ISC_LIST_UNLINK(find->list, ai, publink);
+ entry = ai->entry;
+ ai->entry = NULL;
+ INSIST(DNS_ADBENTRY_VALID(entry));
+ RUNTIME_CHECK(dec_entry_refcnt(adb, entry, ISC_TRUE) ==
+ ISC_FALSE);
+ free_adbaddrinfo(adb, &ai);
+ ai = ISC_LIST_HEAD(find->list);
+ }
+
+ /*
+ * WARNING: The find is freed with the adb locked. This is done
+ * to avoid a race condition where we free the find, some other
+ * thread tests to see if it should be destroyed, detects it should
+ * be, destroys it, and then we try to lock it for our check, but the
+ * lock is destroyed.
+ */
+ LOCK(&adb->lock);
+ if (free_adbfind(adb, &find))
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find) {
+ isc_event_t *ev;
+ isc_task_t *task;
+ dns_adb_t *adb;
+ int bucket;
+ int unlock_bucket;
+
+ LOCK(&find->lock);
+
+ DP(DEF_LEVEL, "dns_adb_cancelfind on find %p", find);
+
+ adb = find->adb;
+ REQUIRE(DNS_ADB_VALID(adb));
+
+ REQUIRE(!FIND_EVENTFREED(find));
+ REQUIRE(FIND_WANTEVENT(find));
+
+ bucket = find->name_bucket;
+ if (bucket == DNS_ADB_INVALIDBUCKET)
+ goto cleanup;
+
+ /*
+ * We need to get the adbname's lock to unlink the find.
+ */
+ unlock_bucket = bucket;
+ violate_locking_hierarchy(&find->lock, &adb->namelocks[unlock_bucket]);
+ bucket = find->name_bucket;
+ if (bucket != DNS_ADB_INVALIDBUCKET) {
+ ISC_LIST_UNLINK(find->adbname->finds, find, plink);
+ find->adbname = NULL;
+ find->name_bucket = DNS_ADB_INVALIDBUCKET;
+ }
+ UNLOCK(&adb->namelocks[unlock_bucket]);
+ bucket = DNS_ADB_INVALIDBUCKET;
+
+ cleanup:
+
+ if (!FIND_EVENTSENT(find)) {
+ ev = &find->event;
+ task = ev->ev_sender;
+ ev->ev_sender = find;
+ ev->ev_type = DNS_EVENT_ADBCANCELED;
+ ev->ev_destroy = event_free;
+ ev->ev_destroy_arg = find;
+ find->result_v4 = ISC_R_CANCELED;
+ find->result_v6 = ISC_R_CANCELED;
+
+ DP(DEF_LEVEL, "sending event %p to task %p for find %p",
+ ev, task, find);
+
+ isc_task_sendanddetach(&task, (isc_event_t **)&ev);
+ }
+
+ UNLOCK(&find->lock);
+}
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f) {
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(f != NULL);
+
+ /*
+ * Lock the adb itself, lock all the name buckets, then lock all
+ * the entry buckets. This should put the adb into a state where
+ * nothing can change, so we can iterate through everything and
+ * print at our leisure.
+ */
+
+ LOCK(&adb->lock);
+ dump_adb(adb, f, ISC_FALSE);
+ UNLOCK(&adb->lock);
+}
+
+static void
+dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
+ if (value == INT_MAX)
+ return;
+ fprintf(f, " [%s TTL %d]", legend, value - now);
+}
+
+static void
+dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug) {
+ int i;
+ dns_adbname_t *name;
+ isc_stdtime_t now;
+
+ isc_stdtime_get(&now);
+
+ fprintf(f, ";\n; Address database dump\n;\n");
+ if (debug)
+ fprintf(f, "; addr %p, erefcnt %u, irefcnt %u, finds out %u\n",
+ adb, adb->erefcnt, adb->irefcnt,
+ isc_mempool_getallocated(adb->nhmp));
+
+ for (i = 0; i < NBUCKETS; i++)
+ LOCK(&adb->namelocks[i]);
+ for (i = 0; i < NBUCKETS; i++)
+ LOCK(&adb->entrylocks[i]);
+
+ /*
+ * Dump the names
+ */
+ for (i = 0; i < NBUCKETS; i++) {
+ name = ISC_LIST_HEAD(adb->names[i]);
+ if (name == NULL)
+ continue;
+ if (debug)
+ fprintf(f, "; bucket %d\n", i);
+ for (;
+ name != NULL;
+ name = ISC_LIST_NEXT(name, plink))
+ {
+ if (debug)
+ fprintf(f, "; name %p (flags %08x)\n",
+ name, name->flags);
+
+ fprintf(f, "; ");
+ print_dns_name(f, &name->name);
+ if (dns_name_countlabels(&name->target) > 0) {
+ fprintf(f, " alias ");
+ print_dns_name(f, &name->target);
+ }
+
+ dump_ttl(f, "v4", name->expire_v4, now);
+ dump_ttl(f, "v6", name->expire_v6, now);
+ dump_ttl(f, "target", name->expire_target, now);
+
+ fprintf(f, " [v4 %s] [v6 %s]",
+ errnames[name->fetch_err],
+ errnames[name->fetch6_err]);
+
+ fprintf(f, "\n");
+
+ print_namehook_list(f, "v4", &name->v4, debug, now);
+ print_namehook_list(f, "v6", &name->v6, debug, now);
+
+ if (debug)
+ print_fetch_list(f, name);
+ if (debug)
+ print_find_list(f, name);
+
+ }
+ }
+
+ /*
+ * Unlock everything
+ */
+ for (i = 0; i < NBUCKETS; i++)
+ UNLOCK(&adb->entrylocks[i]);
+ for (i = 0; i < NBUCKETS; i++)
+ UNLOCK(&adb->namelocks[i]);
+}
+
+static void
+dump_entry(FILE *f, dns_adbentry_t *entry, isc_boolean_t debug,
+ isc_stdtime_t now)
+{
+ char addrbuf[ISC_NETADDR_FORMATSIZE];
+ isc_netaddr_t netaddr;
+ dns_adbzoneinfo_t *zi;
+
+ isc_netaddr_fromsockaddr(&netaddr, &entry->sockaddr);
+ isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
+
+ if (debug)
+ fprintf(f, ";\t%p: refcnt %u\n", entry, entry->refcnt);
+
+ fprintf(f, ";\t%s [srtt %u] [flags %08x]",
+ addrbuf, entry->srtt, entry->flags);
+ fprintf(f, "\n");
+ for (zi = ISC_LIST_HEAD(entry->zoneinfo);
+ zi != NULL;
+ zi = ISC_LIST_NEXT(zi, plink)) {
+ fprintf(f, ";\t\t");
+ print_dns_name(f, &zi->zone);
+ fprintf(f, " [lame TTL %d]\n", zi->lame_timer - now);
+ }
+}
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f) {
+ char tmp[512];
+ const char *tmpp;
+ dns_adbaddrinfo_t *ai;
+ isc_sockaddr_t *sa;
+
+ /*
+ * Not used currently, in the API Just In Case we
+ * want to dump out the name and/or entries too.
+ */
+
+ LOCK(&find->lock);
+
+ fprintf(f, ";Find %p\n", find);
+ fprintf(f, ";\tqpending %08x partial %08x options %08x flags %08x\n",
+ find->query_pending, find->partial_result,
+ find->options, find->flags);
+ fprintf(f, ";\tname_bucket %d, name %p, event sender %p\n",
+ find->name_bucket, find->adbname, find->event.ev_sender);
+
+ ai = ISC_LIST_HEAD(find->list);
+ if (ai != NULL)
+ fprintf(f, "\tAddresses:\n");
+ while (ai != NULL) {
+ sa = &ai->sockaddr;
+ switch (sa->type.sa.sa_family) {
+ case AF_INET:
+ tmpp = inet_ntop(AF_INET, &sa->type.sin.sin_addr,
+ tmp, sizeof(tmp));
+ break;
+ case AF_INET6:
+ tmpp = inet_ntop(AF_INET6, &sa->type.sin6.sin6_addr,
+ tmp, sizeof(tmp));
+ break;
+ default:
+ tmpp = "UnkFamily";
+ }
+
+ if (tmpp == NULL)
+ tmpp = "BadAddress";
+
+ fprintf(f, "\t\tentry %p, flags %08x"
+ " srtt %u addr %s\n",
+ ai->entry, ai->flags, ai->srtt, tmpp);
+
+ ai = ISC_LIST_NEXT(ai, publink);
+ }
+
+ UNLOCK(&find->lock);
+}
+
+static void
+print_dns_name(FILE *f, dns_name_t *name) {
+ char buf[DNS_NAME_FORMATSIZE];
+
+ INSIST(f != NULL);
+
+ dns_name_format(name, buf, sizeof(buf));
+ fprintf(f, "%s", buf);
+}
+
+static void
+print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
+ isc_boolean_t debug, isc_stdtime_t now)
+{
+ dns_adbnamehook_t *nh;
+
+ for (nh = ISC_LIST_HEAD(*list);
+ nh != NULL;
+ nh = ISC_LIST_NEXT(nh, plink))
+ {
+ if (debug)
+ fprintf(f, ";\tHook(%s) %p\n", legend, nh);
+ dump_entry(f, nh->entry, debug, now);
+ }
+}
+
+static inline void
+print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
+ fprintf(f, "\t\tFetch(%s): %p -> { nh %p, entry %p, fetch %p }\n",
+ type, ft, ft->namehook, ft->entry, ft->fetch);
+}
+
+static void
+print_fetch_list(FILE *f, dns_adbname_t *n) {
+ if (NAME_FETCH_A(n))
+ print_fetch(f, n->fetch_a, "A");
+ if (NAME_FETCH_AAAA(n))
+ print_fetch(f, n->fetch_aaaa, "AAAA");
+}
+
+static void
+print_find_list(FILE *f, dns_adbname_t *name) {
+ dns_adbfind_t *find;
+
+ find = ISC_LIST_HEAD(name->finds);
+ while (find != NULL) {
+ dns_adb_dumpfind(find, f);
+ find = ISC_LIST_NEXT(find, plink);
+ }
+}
+
+static isc_result_t
+dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
+{
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ dns_adb_t *adb;
+ dns_fixedname_t foundname;
+ dns_name_t *fname;
+
+ INSIST(DNS_ADBNAME_VALID(adbname));
+ adb = adbname->adb;
+ INSIST(DNS_ADB_VALID(adb));
+ INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
+
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+ dns_rdataset_init(&rdataset);
+
+ if (rdtype == dns_rdatatype_a)
+ adbname->fetch_err = FIND_ERR_UNEXPECTED;
+ else
+ adbname->fetch6_err = FIND_ERR_UNEXPECTED;
+
+ result = dns_view_find(adb->view, &adbname->name, rdtype, now,
+ NAME_GLUEOK(adbname),
+ ISC_TF(NAME_HINTOK(adbname)),
+ NULL, NULL, fname, &rdataset, NULL);
+
+ /* XXXVIX this switch statement is too sparse to gen a jump table. */
+ switch (result) {
+ case DNS_R_GLUE:
+ case DNS_R_HINT:
+ case ISC_R_SUCCESS:
+ /*
+ * Found in the database. Even if we can't copy out
+ * any information, return success, or else a fetch
+ * will be made, which will only make things worse.
+ */
+ if (rdtype == dns_rdatatype_a)
+ adbname->fetch_err = FIND_ERR_SUCCESS;
+ else
+ adbname->fetch6_err = FIND_ERR_SUCCESS;
+ result = import_rdataset(adbname, &rdataset, now);
+ break;
+ case DNS_R_NXDOMAIN:
+ case DNS_R_NXRRSET:
+ /*
+ * We're authoritative and the data doesn't exist.
+ * Make up a negative cache entry so we don't ask again
+ * for a while.
+ *
+ * XXXRTH What time should we use? I'm putting in 30 seconds
+ * for now.
+ */
+ if (rdtype == dns_rdatatype_a) {
+ adbname->expire_v4 = now + 30;
+ DP(NCACHE_LEVEL,
+ "adb name %p: Caching auth negative entry for A",
+ adbname);
+ if (result == DNS_R_NXDOMAIN)
+ adbname->fetch_err = FIND_ERR_NXDOMAIN;
+ else
+ adbname->fetch_err = FIND_ERR_NXRRSET;
+ } else {
+ DP(NCACHE_LEVEL,
+ "adb name %p: Caching auth negative entry for AAAA",
+ adbname);
+ adbname->expire_v6 = now + 30;
+ if (result == DNS_R_NXDOMAIN)
+ adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+ else
+ adbname->fetch6_err = FIND_ERR_NXRRSET;
+ }
+ break;
+ case DNS_R_NCACHENXDOMAIN:
+ case DNS_R_NCACHENXRRSET:
+ /*
+ * We found a negative cache entry. Pull the TTL from it
+ * so we won't ask again for a while.
+ */
+ rdataset.ttl = ttlclamp(rdataset.ttl);
+ if (rdtype == dns_rdatatype_a) {
+ adbname->expire_v4 = rdataset.ttl + now;
+ if (result == DNS_R_NCACHENXDOMAIN)
+ adbname->fetch_err = FIND_ERR_NXDOMAIN;
+ else
+ adbname->fetch_err = FIND_ERR_NXRRSET;
+ DP(NCACHE_LEVEL,
+ "adb name %p: Caching negative entry for A (ttl %u)",
+ adbname, rdataset.ttl);
+ } else {
+ DP(NCACHE_LEVEL,
+ "adb name %p: Caching negative entry for AAAA (ttl %u)",
+ adbname, rdataset.ttl);
+ adbname->expire_v6 = rdataset.ttl + now;
+ if (result == DNS_R_NCACHENXDOMAIN)
+ adbname->fetch6_err = FIND_ERR_NXDOMAIN;
+ else
+ adbname->fetch6_err = FIND_ERR_NXRRSET;
+ }
+ break;
+ case DNS_R_CNAME:
+ case DNS_R_DNAME:
+ /*
+ * Clear the hint and glue flags, so this will match
+ * more often.
+ */
+ adbname->flags &= ~(DNS_ADBFIND_GLUEOK | DNS_ADBFIND_HINTOK);
+
+ rdataset.ttl = ttlclamp(rdataset.ttl);
+ clean_target(adb, &adbname->target);
+ adbname->expire_target = INT_MAX;
+ result = set_target(adb, &adbname->name, fname, &rdataset,
+ &adbname->target);
+ if (result == ISC_R_SUCCESS) {
+ result = DNS_R_ALIAS;
+ DP(NCACHE_LEVEL,
+ "adb name %p: caching alias target",
+ adbname);
+ adbname->expire_target = rdataset.ttl + now;
+ }
+ if (rdtype == dns_rdatatype_a)
+ adbname->fetch_err = FIND_ERR_SUCCESS;
+ else
+ adbname->fetch6_err = FIND_ERR_SUCCESS;
+ break;
+ }
+
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+
+ return (result);
+}
+
+static void
+fetch_callback(isc_task_t *task, isc_event_t *ev) {
+ dns_fetchevent_t *dev;
+ dns_adbname_t *name;
+ dns_adb_t *adb;
+ dns_adbfetch_t *fetch;
+ int bucket;
+ isc_eventtype_t ev_status;
+ isc_stdtime_t now;
+ isc_result_t result;
+ unsigned int address_type;
+ isc_boolean_t want_check_exit = ISC_FALSE;
+
+ UNUSED(task);
+
+ INSIST(ev->ev_type == DNS_EVENT_FETCHDONE);
+ dev = (dns_fetchevent_t *)ev;
+ name = ev->ev_arg;
+ INSIST(DNS_ADBNAME_VALID(name));
+ adb = name->adb;
+ INSIST(DNS_ADB_VALID(adb));
+
+ bucket = name->lock_bucket;
+ LOCK(&adb->namelocks[bucket]);
+
+ INSIST(NAME_FETCH_A(name) || NAME_FETCH_AAAA(name));
+ address_type = 0;
+ if (NAME_FETCH_A(name) && (name->fetch_a->fetch == dev->fetch)) {
+ address_type = DNS_ADBFIND_INET;
+ fetch = name->fetch_a;
+ name->fetch_a = NULL;
+ } else if (NAME_FETCH_AAAA(name)
+ && (name->fetch_aaaa->fetch == dev->fetch)) {
+ address_type = DNS_ADBFIND_INET6;
+ fetch = name->fetch_aaaa;
+ name->fetch_aaaa = NULL;
+ }
+ INSIST(address_type != 0);
+
+ dns_resolver_destroyfetch(&fetch->fetch);
+ dev->fetch = NULL;
+
+ ev_status = DNS_EVENT_ADBNOMOREADDRESSES;
+
+ /*
+ * Cleanup things we don't care about.
+ */
+ if (dev->node != NULL)
+ dns_db_detachnode(dev->db, &dev->node);
+ if (dev->db != NULL)
+ dns_db_detach(&dev->db);
+
+ /*
+ * If this name is marked as dead, clean up, throwing away
+ * potentially good data.
+ */
+ if (NAME_DEAD(name)) {
+ free_adbfetch(adb, &fetch);
+ isc_event_free(&ev);
+
+ want_check_exit = kill_name(&name, DNS_EVENT_ADBCANCELED);
+
+ UNLOCK(&adb->namelocks[bucket]);
+
+ if (want_check_exit) {
+ LOCK(&adb->lock);
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+ }
+
+ return;
+ }
+
+ isc_stdtime_get(&now);
+
+ /*
+ * If we got a negative cache response, remember it.
+ */
+ if (NCACHE_RESULT(dev->result)) {
+ dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+ if (address_type == DNS_ADBFIND_INET) {
+ DP(NCACHE_LEVEL, "adb fetch name %p: "
+ "caching negative entry for A (ttl %u)",
+ name, dev->rdataset->ttl);
+ name->expire_v4 = ISC_MIN(name->expire_v4,
+ dev->rdataset->ttl + now);
+ if (dev->result == DNS_R_NCACHENXDOMAIN)
+ name->fetch_err = FIND_ERR_NXDOMAIN;
+ else
+ name->fetch_err = FIND_ERR_NXRRSET;
+ } else {
+ DP(NCACHE_LEVEL, "adb fetch name %p: "
+ "caching negative entry for AAAA (ttl %u)",
+ name, dev->rdataset->ttl);
+ name->expire_v6 = ISC_MIN(name->expire_v6,
+ dev->rdataset->ttl + now);
+ if (dev->result == DNS_R_NCACHENXDOMAIN)
+ name->fetch6_err = FIND_ERR_NXDOMAIN;
+ else
+ name->fetch6_err = FIND_ERR_NXRRSET;
+ }
+ goto out;
+ }
+
+ /*
+ * Handle CNAME/DNAME.
+ */
+ if (dev->result == DNS_R_CNAME || dev->result == DNS_R_DNAME) {
+ dev->rdataset->ttl = ttlclamp(dev->rdataset->ttl);
+ clean_target(adb, &name->target);
+ name->expire_target = INT_MAX;
+ result = set_target(adb, &name->name,
+ dns_fixedname_name(&dev->foundname),
+ dev->rdataset,
+ &name->target);
+ if (result == ISC_R_SUCCESS) {
+ DP(NCACHE_LEVEL,
+ "adb fetch name %p: caching alias target",
+ name);
+ name->expire_target = dev->rdataset->ttl + now;
+ }
+ goto check_result;
+ }
+
+ /*
+ * Did we get back junk? If so, and there are no more fetches
+ * sitting out there, tell all the finds about it.
+ */
+ if (dev->result != ISC_R_SUCCESS) {
+ char buf[DNS_NAME_FORMATSIZE];
+
+ dns_name_format(&name->name, buf, sizeof(buf));
+ DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
+ buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
+ dns_result_totext(dev->result));
+ /* XXXMLG Don't pound on bad servers. */
+ if (address_type == DNS_ADBFIND_INET) {
+ name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
+ name->fetch_err = FIND_ERR_FAILURE;
+ } else {
+ name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
+ name->fetch6_err = FIND_ERR_FAILURE;
+ }
+ goto out;
+ }
+
+ /*
+ * We got something potentially useful.
+ */
+ result = import_rdataset(name, &fetch->rdataset, now);
+
+ check_result:
+ if (result == ISC_R_SUCCESS) {
+ ev_status = DNS_EVENT_ADBMOREADDRESSES;
+ if (address_type == DNS_ADBFIND_INET)
+ name->fetch_err = FIND_ERR_SUCCESS;
+ else
+ name->fetch6_err = FIND_ERR_SUCCESS;
+ }
+
+ out:
+ free_adbfetch(adb, &fetch);
+ isc_event_free(&ev);
+
+ clean_finds_at_name(name, ev_status, address_type);
+
+ UNLOCK(&adb->namelocks[bucket]);
+}
+
+static isc_result_t
+fetch_name(dns_adbname_t *adbname,
+ isc_boolean_t start_at_zone,
+ dns_rdatatype_t type)
+{
+ isc_result_t result;
+ dns_adbfetch_t *fetch = NULL;
+ dns_adb_t *adb;
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ dns_rdataset_t rdataset;
+ dns_rdataset_t *nameservers;
+ unsigned int options;
+
+ INSIST(DNS_ADBNAME_VALID(adbname));
+ adb = adbname->adb;
+ INSIST(DNS_ADB_VALID(adb));
+
+ INSIST((type == dns_rdatatype_a && !NAME_FETCH_V4(adbname)) ||
+ (type == dns_rdatatype_aaaa && !NAME_FETCH_V6(adbname)));
+
+ adbname->fetch_err = FIND_ERR_NOTFOUND;
+
+ name = NULL;
+ nameservers = NULL;
+ dns_rdataset_init(&rdataset);
+
+ options = DNS_FETCHOPT_NOVALIDATE;
+ if (start_at_zone) {
+ DP(ENTER_LEVEL,
+ "fetch_name: starting at zone for name %p",
+ adbname);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ result = dns_view_findzonecut2(adb->view, &adbname->name, name,
+ 0, 0, ISC_TRUE, ISC_FALSE,
+ &rdataset, NULL);
+ if (result != ISC_R_SUCCESS && result != DNS_R_HINT)
+ goto cleanup;
+ nameservers = &rdataset;
+ options |= DNS_FETCHOPT_UNSHARED;
+ }
+
+ fetch = new_adbfetch(adb);
+ if (fetch == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
+ type, name, nameservers, NULL,
+ options, adb->task, fetch_callback,
+ adbname, &fetch->rdataset, NULL,
+ &fetch->fetch);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ if (type == dns_rdatatype_a)
+ adbname->fetch_a = fetch;
+ else
+ adbname->fetch_aaaa = fetch;
+ fetch = NULL; /* Keep us from cleaning this up below. */
+
+ cleanup:
+ if (fetch != NULL)
+ free_adbfetch(adb, &fetch);
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+
+ return (result);
+}
+
+/*
+ * XXXMLG Needs to take a find argument and an address info, no zone or adb,
+ * since these can be extracted from the find itself.
+ */
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
+ isc_stdtime_t expire_time)
+{
+ dns_adbzoneinfo_t *zi;
+ int bucket;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+ REQUIRE(zone != NULL);
+
+ bucket = addr->entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+ zi = ISC_LIST_HEAD(addr->entry->zoneinfo);
+ while (zi != NULL && dns_name_equal(zone, &zi->zone))
+ zi = ISC_LIST_NEXT(zi, plink);
+ if (zi != NULL) {
+ if (expire_time > zi->lame_timer)
+ zi->lame_timer = expire_time;
+ goto unlock;
+ }
+ zi = new_adbzoneinfo(adb, zone);
+ if (zi == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+
+ zi->lame_timer = expire_time;
+
+ ISC_LIST_PREPEND(addr->entry->zoneinfo, zi, plink);
+ unlock:
+ UNLOCK(&adb->entrylocks[bucket]);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+ unsigned int rtt, unsigned int factor)
+{
+ int bucket;
+ unsigned int new_srtt;
+ isc_stdtime_t now;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+ REQUIRE(factor <= 10);
+
+ bucket = addr->entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+
+ if (factor == DNS_ADB_RTTADJAGE)
+ new_srtt = addr->entry->srtt * 98 / 100;
+ else
+ new_srtt = (addr->entry->srtt / 10 * factor)
+ + (rtt / 10 * (10 - factor));
+
+ addr->entry->srtt = new_srtt;
+ addr->srtt = new_srtt;
+
+ isc_stdtime_get(&now);
+ addr->entry->expires = now + ADB_ENTRY_WINDOW;
+
+ UNLOCK(&adb->entrylocks[bucket]);
+}
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+ unsigned int bits, unsigned int mask)
+{
+ int bucket;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+
+ bucket = addr->entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+
+ addr->entry->flags = (addr->entry->flags & ~mask) | (bits & mask);
+ /*
+ * Note that we do not update the other bits in addr->flags with
+ * the most recent values from addr->entry->flags.
+ */
+ addr->flags = (addr->flags & ~mask) | (bits & mask);
+
+ UNLOCK(&adb->entrylocks[bucket]);
+}
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
+ dns_adbaddrinfo_t **addrp, isc_stdtime_t now)
+{
+ int bucket;
+ dns_adbentry_t *entry;
+ dns_adbaddrinfo_t *addr;
+ isc_result_t result;
+ in_port_t port;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(addrp != NULL && *addrp == NULL);
+
+ UNUSED(now);
+
+ result = ISC_R_SUCCESS;
+ bucket = DNS_ADB_INVALIDBUCKET;
+ entry = find_entry_and_lock(adb, sa, &bucket);
+ if (adb->entry_sd[bucket]) {
+ result = ISC_R_SHUTTINGDOWN;
+ goto unlock;
+ }
+ if (entry == NULL) {
+ /*
+ * We don't know anything about this address.
+ */
+ entry = new_adbentry(adb);
+ if (entry == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+ entry->sockaddr = *sa;
+ link_entry(adb, bucket, entry);
+ DP(ENTER_LEVEL, "findaddrinfo: new entry %p", entry);
+ } else
+ DP(ENTER_LEVEL, "findaddrinfo: found entry %p", entry);
+
+ port = isc_sockaddr_getport(sa);
+ addr = new_adbaddrinfo(adb, entry, port);
+ if (addr != NULL) {
+ inc_entry_refcnt(adb, entry, ISC_FALSE);
+ *addrp = addr;
+ }
+
+ unlock:
+ UNLOCK(&adb->entrylocks[bucket]);
+
+ return (result);
+}
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp) {
+ dns_adbaddrinfo_t *addr;
+ dns_adbentry_t *entry;
+ int bucket;
+ isc_stdtime_t now;
+ isc_boolean_t want_check_exit = ISC_FALSE;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+ REQUIRE(addrp != NULL);
+ addr = *addrp;
+ REQUIRE(DNS_ADBADDRINFO_VALID(addr));
+ entry = addr->entry;
+ REQUIRE(DNS_ADBENTRY_VALID(entry));
+
+ isc_stdtime_get(&now);
+
+ *addrp = NULL;
+
+ bucket = addr->entry->lock_bucket;
+ LOCK(&adb->entrylocks[bucket]);
+
+ entry->expires = now + ADB_ENTRY_WINDOW;
+
+ want_check_exit = dec_entry_refcnt(adb, entry, ISC_FALSE);
+
+ UNLOCK(&adb->entrylocks[bucket]);
+
+ addr->entry = NULL;
+ free_adbaddrinfo(adb, &addr);
+
+ if (want_check_exit) {
+ LOCK(&adb->lock);
+ check_exit(adb);
+ UNLOCK(&adb->lock);
+ }
+}
+
+void
+dns_adb_flush(dns_adb_t *adb) {
+ unsigned int i;
+
+ INSIST(DNS_ADB_VALID(adb));
+
+ LOCK(&adb->lock);
+
+ for (i = 0; i < NBUCKETS; i++) {
+ /*
+ * Call our cleanup routines.
+ */
+ RUNTIME_CHECK(cleanup_names(adb, i, INT_MAX) == ISC_FALSE);
+ RUNTIME_CHECK(cleanup_entries(adb, i, INT_MAX) == ISC_FALSE);
+ }
+
+#ifdef DUMP_ADB_AFTER_CLEANING
+ dump_adb(adb, stdout, ISC_TRUE);
+#endif
+
+ UNLOCK(&adb->lock);
+}
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name) {
+ dns_adbname_t *adbname;
+ dns_adbname_t *nextname;
+ int bucket;
+
+ INSIST(DNS_ADB_VALID(adb));
+
+ LOCK(&adb->lock);
+ bucket = dns_name_hash(name, ISC_FALSE) % NBUCKETS;
+ LOCK(&adb->namelocks[bucket]);
+ adbname = ISC_LIST_HEAD(adb->names[bucket]);
+ while (adbname != NULL) {
+ nextname = ISC_LIST_NEXT(adbname, plink);
+ if (!NAME_DEAD(adbname) &&
+ dns_name_equal(name, &adbname->name)) {
+ RUNTIME_CHECK(kill_name(&adbname,
+ DNS_EVENT_ADBCANCELED) ==
+ ISC_FALSE);
+ }
+ adbname = nextname;
+ }
+ UNLOCK(&adb->namelocks[bucket]);
+ UNLOCK(&adb->lock);
+}
+
+static void
+water(void *arg, int mark) {
+ dns_adb_t *adb = arg;
+ isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
+ isc_interval_t interval;
+
+ REQUIRE(DNS_ADB_VALID(adb));
+
+ DP(ISC_LOG_DEBUG(1),
+ "adb reached %s water mark", overmem ? "high" : "low");
+
+ adb->overmem = overmem;
+ if (overmem) {
+ isc_interval_set(&interval, 0, 1);
+ (void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
+ &interval, ISC_TRUE);
+ }
+}
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size) {
+ isc_uint32_t hiwater;
+ isc_uint32_t lowater;
+
+ INSIST(DNS_ADB_VALID(adb));
+
+ if (size != 0 && size < DNS_ADB_MINADBSIZE)
+ size = DNS_ADB_MINADBSIZE;
+
+ hiwater = size - (size >> 3); /* Approximately 7/8ths. */
+ lowater = size - (size >> 2); /* Approximately 3/4ths. */
+
+ if (size == 0 || hiwater == 0 || lowater == 0)
+ isc_mem_setwater(adb->mctx, water, adb, 0, 0);
+ else
+ isc_mem_setwater(adb->mctx, water, adb, hiwater, lowater);
+}
diff --git a/contrib/bind9/lib/dns/api b/contrib/bind9/lib/dns/api
new file mode 100644
index 0000000..444e0c5
--- /dev/null
+++ b/contrib/bind9/lib/dns/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 20
+LIBREVISION = 0
+LIBAGE = 0
diff --git a/contrib/bind9/lib/dns/byaddr.c b/contrib/bind9/lib/dns/byaddr.c
new file mode 100644
index 0000000..ace4fb0
--- /dev/null
+++ b/contrib/bind9/lib/dns/byaddr.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: byaddr.c,v 1.29.2.1.2.8 2004/08/28 06:25:18 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/byaddr.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+/*
+ * XXXRTH We could use a static event...
+ */
+
+struct dns_byaddr {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ dns_fixedname_t name;
+ /* Locked by lock. */
+ unsigned int options;
+ dns_lookup_t * lookup;
+ isc_task_t * task;
+ dns_byaddrevent_t * event;
+ isc_boolean_t canceled;
+};
+
+#define BYADDR_MAGIC ISC_MAGIC('B', 'y', 'A', 'd')
+#define VALID_BYADDR(b) ISC_MAGIC_VALID(b, BYADDR_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static char hex_digits[] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
+};
+
+isc_result_t
+dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
+ dns_name_t *name)
+{
+ /*
+ * We dropped bitstring labels, so all lookups will use nibbles.
+ */
+ UNUSED(nibble);
+
+ return (dns_byaddr_createptrname2(address,
+ DNS_BYADDROPT_IPV6INT, name));
+}
+
+isc_result_t
+dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
+ dns_name_t *name)
+{
+ char textname[128];
+ unsigned char *bytes;
+ int i;
+ char *cp;
+ isc_buffer_t buffer;
+ unsigned int len;
+
+ REQUIRE(address != NULL);
+
+ /*
+ * We create the text representation and then convert to a
+ * dns_name_t. This is not maximally efficient, but it keeps all
+ * of the knowledge of wire format in the dns_name_ routines.
+ */
+
+ bytes = (unsigned char *)(&address->type);
+ if (address->family == AF_INET) {
+ (void)snprintf(textname, sizeof(textname),
+ "%u.%u.%u.%u.in-addr.arpa.",
+ (bytes[3] & 0xff),
+ (bytes[2] & 0xff),
+ (bytes[1] & 0xff),
+ (bytes[0] & 0xff));
+ } else if (address->family == AF_INET6) {
+ cp = textname;
+ for (i = 15; i >= 0; i--) {
+ *cp++ = hex_digits[bytes[i] & 0x0f];
+ *cp++ = '.';
+ *cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
+ *cp++ = '.';
+ }
+ if ((options & DNS_BYADDROPT_IPV6INT) != 0)
+ strcpy(cp, "ip6.int.");
+ else
+ strcpy(cp, "ip6.arpa.");
+ } else
+ return (ISC_R_NOTIMPLEMENTED);
+
+ len = (unsigned int)strlen(textname);
+ isc_buffer_init(&buffer, textname, len);
+ isc_buffer_add(&buffer, len);
+ return (dns_name_fromtext(name, &buffer, dns_rootname,
+ ISC_FALSE, NULL));
+}
+
+static inline isc_result_t
+copy_ptr_targets(dns_byaddr_t *byaddr, dns_rdataset_t *rdataset) {
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * The caller must be holding the byaddr's lock.
+ */
+
+ result = dns_rdataset_first(rdataset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdata_ptr_t ptr;
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &ptr, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ name = isc_mem_get(byaddr->mctx, sizeof(*name));
+ if (name == NULL) {
+ dns_rdata_freestruct(&ptr);
+ return (ISC_R_NOMEMORY);
+ }
+ dns_name_init(name, NULL);
+ result = dns_name_dup(&ptr.ptr, byaddr->mctx, name);
+ dns_rdata_freestruct(&ptr);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(byaddr->mctx, name, sizeof(*name));
+ return (ISC_R_NOMEMORY);
+ }
+ ISC_LIST_APPEND(byaddr->event->names, name, link);
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+static void
+lookup_done(isc_task_t *task, isc_event_t *event) {
+ dns_byaddr_t *byaddr = event->ev_arg;
+ dns_lookupevent_t *levent;
+ isc_result_t result;
+
+ REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+ REQUIRE(VALID_BYADDR(byaddr));
+ REQUIRE(byaddr->task == task);
+
+ UNUSED(task);
+
+ levent = (dns_lookupevent_t *)event;
+
+ if (levent->result == ISC_R_SUCCESS) {
+ result = copy_ptr_targets(byaddr, levent->rdataset);
+ byaddr->event->result = result;
+ } else
+ byaddr->event->result = levent->result;
+ isc_event_free(&event);
+ isc_task_sendanddetach(&byaddr->task, (isc_event_t **)&byaddr->event);
+}
+
+static void
+bevent_destroy(isc_event_t *event) {
+ dns_byaddrevent_t *bevent;
+ dns_name_t *name, *next_name;
+ isc_mem_t *mctx;
+
+ REQUIRE(event->ev_type == DNS_EVENT_BYADDRDONE);
+ mctx = event->ev_destroy_arg;
+ bevent = (dns_byaddrevent_t *)event;
+
+ for (name = ISC_LIST_HEAD(bevent->names);
+ name != NULL;
+ name = next_name) {
+ next_name = ISC_LIST_NEXT(name, link);
+ ISC_LIST_UNLINK(bevent->names, name, link);
+ dns_name_free(name, mctx);
+ isc_mem_put(mctx, name, sizeof(*name));
+ }
+ isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp)
+{
+ isc_result_t result;
+ dns_byaddr_t *byaddr;
+ isc_event_t *ievent;
+
+ byaddr = isc_mem_get(mctx, sizeof(*byaddr));
+ if (byaddr == NULL)
+ return (ISC_R_NOMEMORY);
+ byaddr->mctx = mctx;
+ byaddr->options = options;
+
+ byaddr->event = isc_mem_get(mctx, sizeof(*byaddr->event));
+ if (byaddr->event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_byaddr;
+ }
+ ISC_EVENT_INIT(byaddr->event, sizeof(*byaddr->event), 0, NULL,
+ DNS_EVENT_BYADDRDONE, action, arg, byaddr,
+ bevent_destroy, mctx);
+ byaddr->event->result = ISC_R_FAILURE;
+ ISC_LIST_INIT(byaddr->event->names);
+
+ byaddr->task = NULL;
+ isc_task_attach(task, &byaddr->task);
+
+ result = isc_mutex_init(&byaddr->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_event;
+
+ dns_fixedname_init(&byaddr->name);
+
+ result = dns_byaddr_createptrname2(address, options,
+ dns_fixedname_name(&byaddr->name));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_lock;
+
+ byaddr->lookup = NULL;
+ result = dns_lookup_create(mctx, dns_fixedname_name(&byaddr->name),
+ dns_rdatatype_ptr, view, 0, task,
+ lookup_done, byaddr, &byaddr->lookup);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_lock;
+
+ byaddr->canceled = ISC_FALSE;
+ byaddr->magic = BYADDR_MAGIC;
+
+ *byaddrp = byaddr;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+ DESTROYLOCK(&byaddr->lock);
+
+ cleanup_event:
+ ievent = (isc_event_t *)byaddr->event;
+ isc_event_free(&ievent);
+ byaddr->event = NULL;
+
+ isc_task_detach(&byaddr->task);
+
+ cleanup_byaddr:
+ isc_mem_put(mctx, byaddr, sizeof(*byaddr));
+
+ return (result);
+}
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr) {
+ REQUIRE(VALID_BYADDR(byaddr));
+
+ LOCK(&byaddr->lock);
+
+ if (!byaddr->canceled) {
+ byaddr->canceled = ISC_TRUE;
+ if (byaddr->lookup != NULL)
+ dns_lookup_cancel(byaddr->lookup);
+ }
+
+ UNLOCK(&byaddr->lock);
+}
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp) {
+ dns_byaddr_t *byaddr;
+
+ REQUIRE(byaddrp != NULL);
+ byaddr = *byaddrp;
+ REQUIRE(VALID_BYADDR(byaddr));
+ REQUIRE(byaddr->event == NULL);
+ REQUIRE(byaddr->task == NULL);
+ dns_lookup_destroy(&byaddr->lookup);
+
+ DESTROYLOCK(&byaddr->lock);
+ byaddr->magic = 0;
+ isc_mem_put(byaddr->mctx, byaddr, sizeof(*byaddr));
+
+ *byaddrp = NULL;
+}
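Review bot: `lookup_done()` calls `copy_ptr_targets()`, writes `byaddr->event->result` and hands off `byaddr->task` and `byaddr->event` without taking `byaddr->lock`, although the comment in `copy_ptr_targets()` says the caller must hold that lock and the struct lists `task` and `event` under "Locked by lock." `dns_byaddr_cancel()` does take the lock, so the two paths disagree about the locking contract; whether they can actually run concurrently depends on the task model, which this file does not show. Either bracket the copy and the result assignment with `LOCK(&byaddr->lock);` and `UNLOCK(&byaddr->lock);`, or replace the comment with one that states why the lock is not needed on this path. Separately, `copy_ptr_targets()` returns `ISC_R_NOMEMORY` whenever `dns_name_dup()` fails, which hides the actual result code; `return (result);` would preserve it.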
diff --git a/contrib/bind9/lib/dns/cache.c b/contrib/bind9/lib/dns/cache.c
new file mode 100644
index 0000000..b148f60
--- /dev/null
+++ b/contrib/bind9/lib/dns/cache.c
@@ -0,0 +1,1058 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cache.c,v 1.45.2.4.8.7 2004/03/08 02:07:52 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+
+#define CACHE_MAGIC ISC_MAGIC('$', '$', '$', '$')
+#define VALID_CACHE(cache) ISC_MAGIC_VALID(cache, CACHE_MAGIC)
+
+/*
+ * The following two variables control incremental cleaning.
+ * MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
+ * CLEANERINCREMENT is how many nodes are examined in one pass.
+ */
+#define DNS_CACHE_MINSIZE 2097152 /* Bytes. 2097152 = 2 MB */
+#define DNS_CACHE_CLEANERINCREMENT 1000 /* Number of nodes. */
+
+/***
+ *** Types
+ ***/
+
+/*
+ * A cache_cleaner_t encapsulsates the state of the periodic
+ * cache cleaning.
+ */
+
+typedef struct cache_cleaner cache_cleaner_t;
+
+typedef enum {
+ cleaner_s_idle, /* Waiting for cleaning-interval to expire. */
+ cleaner_s_busy, /* Currently cleaning. */
+ cleaner_s_done /* Freed enough memory after being overmem. */
+} cleaner_state_t;
+
+/*
+ * Convenience macros for comprehensive assertion checking.
+ */
+#define CLEANER_IDLE(c) ((c)->state == cleaner_s_idle && \
+ (c)->iterator == NULL && \
+ (c)->resched_event != NULL)
+#define CLEANER_BUSY(c) ((c)->state == cleaner_s_busy && \
+ (c)->iterator != NULL && \
+ (c)->resched_event == NULL)
+
+/*
+ * Accesses to a cache cleaner object are synchronized through
+ * task/event serialization, or locked from the cache object.
+ */
+struct cache_cleaner {
+ isc_mutex_t lock;
+ /*
+ * Locks overmem_event, overmem. Note: never allocate memory
+ * while holding this lock - that could lead to deadlock since
+ * the lock is take by water() which is called from the memory
+ * allocator.
+ */
+
+ dns_cache_t *cache;
+ isc_task_t *task;
+ unsigned int cleaning_interval; /* The cleaning-interval from
+ named.conf, in seconds. */
+ isc_timer_t *cleaning_timer;
+ isc_event_t *resched_event; /* Sent by cleaner task to
+ itself to reschedule */
+ isc_event_t *overmem_event;
+
+ dns_dbiterator_t *iterator;
+ int increment; /* Number of names to
+ clean in one increment */
+ cleaner_state_t state; /* Idle/Busy. */
+ isc_boolean_t overmem; /* The cache is in an overmem state. */
+};
+
+/*
+ * The actual cache object.
+ */
+
+struct dns_cache {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mutex_t lock;
+ isc_mutex_t filelock;
+ isc_mem_t *mctx;
+
+ /* Locked by 'lock'. */
+ int references;
+ int live_tasks;
+ dns_rdataclass_t rdclass;
+ dns_db_t *db;
+ cache_cleaner_t cleaner;
+ char *db_type;
+ int db_argc;
+ char **db_argv;
+
+ /* Locked by 'filelock'. */
+ char * filename;
+ /* Access to the on-disk cache file is also locked by 'filelock'. */
+};
+
+/***
+ *** Functions
+ ***/
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, cache_cleaner_t *cleaner);
+
+static void
+cleaning_timer_action(isc_task_t *task, isc_event_t *event);
+
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
+
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
+
+static inline isc_result_t
+cache_create_db(dns_cache_t *cache, dns_db_t **db) {
+ return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
+ dns_dbtype_cache, cache->rdclass,
+ cache->db_argc, cache->db_argv, db));
+}
+
+isc_result_t
+dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+ const char *db_type, unsigned int db_argc, char **db_argv,
+ dns_cache_t **cachep)
+{
+ isc_result_t result;
+ dns_cache_t *cache;
+ int i;
+
+ REQUIRE(cachep != NULL);
+ REQUIRE(*cachep == NULL);
+ REQUIRE(mctx != NULL);
+
+ cache = isc_mem_get(mctx, sizeof(*cache));
+ if (cache == NULL)
+ return (ISC_R_NOMEMORY);
+
+ cache->mctx = NULL;
+ isc_mem_attach(mctx, &cache->mctx);
+
+ result = isc_mutex_init(&cache->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_mem;
+ }
+
+ result = isc_mutex_init(&cache->filelock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_lock;
+ }
+
+ cache->references = 1;
+ cache->live_tasks = 0;
+ cache->rdclass = rdclass;
+
+ cache->db_type = isc_mem_strdup(mctx, db_type);
+ if (cache->db_type == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_filelock;
+ }
+
+ cache->db_argc = db_argc;
+ if (cache->db_argc == 0)
+ cache->db_argv = NULL;
+ else {
+ cache->db_argv = isc_mem_get(mctx,
+ cache->db_argc * sizeof(char *));
+ if (cache->db_argv == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_dbtype;
+ }
+ for (i = 0; i < cache->db_argc; i++)
+ cache->db_argv[i] = NULL;
+ for (i = 0; i < cache->db_argc; i++) {
+ cache->db_argv[i] = isc_mem_strdup(mctx, db_argv[i]);
+ if (cache->db_argv[i] == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_dbargv;
+ }
+ }
+ }
+
+ cache->db = NULL;
+ result = cache_create_db(cache, &cache->db);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_dbargv;
+
+ cache->filename = NULL;
+
+ cache->magic = CACHE_MAGIC;
+
+ result = cache_cleaner_init(cache, taskmgr, timermgr, &cache->cleaner);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_db;
+
+ *cachep = cache;
+ return (ISC_R_SUCCESS);
+
+ cleanup_db:
+ dns_db_detach(&cache->db);
+ cleanup_dbargv:
+ for (i = 0; i < cache->db_argc; i++)
+ if (cache->db_argv[i] != NULL)
+ isc_mem_free(mctx, cache->db_argv[i]);
+ if (cache->db_argv != NULL)
+ isc_mem_put(mctx, cache->db_argv,
+ cache->db_argc * sizeof(char *));
+ cleanup_dbtype:
+ isc_mem_free(mctx, cache->db_type);
+ cleanup_filelock:
+ DESTROYLOCK(&cache->filelock);
+ cleanup_lock:
+ DESTROYLOCK(&cache->lock);
+ cleanup_mem:
+ isc_mem_put(mctx, cache, sizeof(*cache));
+ isc_mem_detach(&mctx);
+ return (result);
+}
+
+static void
+cache_free(dns_cache_t *cache) {
+ isc_mem_t *mctx;
+ int i;
+
+ REQUIRE(VALID_CACHE(cache));
+ REQUIRE(cache->references == 0);
+
+ isc_mem_setwater(cache->mctx, NULL, NULL, 0, 0);
+
+ if (cache->cleaner.task != NULL)
+ isc_task_detach(&cache->cleaner.task);
+
+ if (cache->cleaner.overmem_event != NULL)
+ isc_event_free(&cache->cleaner.overmem_event);
+
+ if (cache->cleaner.resched_event != NULL)
+ isc_event_free(&cache->cleaner.resched_event);
+
+ if (cache->cleaner.iterator != NULL)
+ dns_dbiterator_destroy(&cache->cleaner.iterator);
+
+ DESTROYLOCK(&cache->cleaner.lock);
+
+ if (cache->filename) {
+ isc_mem_free(cache->mctx, cache->filename);
+ cache->filename = NULL;
+ }
+
+ if (cache->db != NULL)
+ dns_db_detach(&cache->db);
+
+ if (cache->db_argv != NULL) {
+ for (i = 0; i < cache->db_argc; i++)
+ if (cache->db_argv[i] != NULL)
+ isc_mem_free(cache->mctx, cache->db_argv[i]);
+ isc_mem_put(cache->mctx, cache->db_argv,
+ cache->db_argc * sizeof(char *));
+ }
+
+ if (cache->db_type != NULL)
+ isc_mem_free(cache->mctx, cache->db_type);
+
+ DESTROYLOCK(&cache->lock);
+ DESTROYLOCK(&cache->filelock);
+ cache->magic = 0;
+ mctx = cache->mctx;
+ isc_mem_put(cache->mctx, cache, sizeof(*cache));
+ isc_mem_detach(&mctx);
+}
+
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp) {
+
+ REQUIRE(VALID_CACHE(cache));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&cache->lock);
+ cache->references++;
+ UNLOCK(&cache->lock);
+
+ *targetp = cache;
+}
+
+void
+dns_cache_detach(dns_cache_t **cachep) {
+ dns_cache_t *cache;
+ isc_boolean_t free_cache = ISC_FALSE;
+
+ REQUIRE(cachep != NULL);
+ cache = *cachep;
+ REQUIRE(VALID_CACHE(cache));
+
+ LOCK(&cache->lock);
+ REQUIRE(cache->references > 0);
+ cache->references--;
+ if (cache->references == 0) {
+ cache->cleaner.overmem = ISC_FALSE;
+ free_cache = ISC_TRUE;
+ }
+
+ *cachep = NULL;
+
+ if (free_cache) {
+ /*
+ * When the cache is shut down, dump it to a file if one is
+ * specified.
+ */
+ isc_result_t result = dns_cache_dump(cache);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+ "error dumping cache: %s ",
+ isc_result_totext(result));
+
+ /*
+ * If the cleaner task exists, let it free the cache.
+ */
+ if (cache->live_tasks > 0) {
+ isc_task_shutdown(cache->cleaner.task);
+ free_cache = ISC_FALSE;
+ }
+ }
+
+ UNLOCK(&cache->lock);
+
+ if (free_cache)
+ cache_free(cache);
+}
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp) {
+ REQUIRE(VALID_CACHE(cache));
+ REQUIRE(dbp != NULL && *dbp == NULL);
+ REQUIRE(cache->db != NULL);
+
+ LOCK(&cache->lock);
+ dns_db_attach(cache->db, dbp);
+ UNLOCK(&cache->lock);
+
+}
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cache, char *filename) {
+ char *newname;
+
+ REQUIRE(VALID_CACHE(cache));
+ REQUIRE(filename != NULL);
+
+ newname = isc_mem_strdup(cache->mctx, filename);
+ if (newname == NULL)
+ return (ISC_R_NOMEMORY);
+
+ LOCK(&cache->filelock);
+ if (cache->filename)
+ isc_mem_free(cache->mctx, cache->filename);
+ cache->filename = newname;
+ UNLOCK(&cache->filelock);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache) {
+ isc_result_t result;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ if (cache->filename == NULL)
+ return (ISC_R_SUCCESS);
+
+ LOCK(&cache->filelock);
+ result = dns_db_load(cache->db, cache->filename);
+ UNLOCK(&cache->filelock);
+
+ return (result);
+}
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache) {
+ isc_result_t result;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ if (cache->filename == NULL)
+ return (ISC_R_SUCCESS);
+
+ LOCK(&cache->filelock);
+ result = dns_master_dump(cache->mctx, cache->db, NULL,
+ &dns_master_style_cache, cache->filename);
+ UNLOCK(&cache->filelock);
+
+ return (result);
+}
+
+void
+dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int t) {
+ isc_interval_t interval;
+ isc_result_t result;
+
+ LOCK(&cache->lock);
+
+ /*
+ * It may be the case that the cache has already shut down.
+ * If so, it has no timer.
+ */
+ if (cache->cleaner.cleaning_timer == NULL)
+ goto unlock;
+
+ cache->cleaner.cleaning_interval = t;
+
+ if (t == 0) {
+ result = isc_timer_reset(cache->cleaner.cleaning_timer,
+ isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE);
+ } else {
+ isc_interval_set(&interval, cache->cleaner.cleaning_interval,
+ 0);
+ result = isc_timer_reset(cache->cleaner.cleaning_timer,
+ isc_timertype_ticker,
+ NULL, &interval, ISC_FALSE);
+ }
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+ "could not set cache cleaning interval: %s",
+ isc_result_totext(result));
+
+ unlock:
+ UNLOCK(&cache->lock);
+}
+
+/*
+ * Initialize the cache cleaner object at *cleaner.
+ * Space for the object must be allocated by the caller.
+ */
+
+static isc_result_t
+cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, cache_cleaner_t *cleaner)
+{
+ isc_result_t result;
+
+ result = isc_mutex_init(&cleaner->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto fail;
+ }
+
+ cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
+ cleaner->state = cleaner_s_idle;
+ cleaner->cache = cache;
+ cleaner->iterator = NULL;
+ cleaner->overmem = ISC_FALSE;
+
+ cleaner->task = NULL;
+ cleaner->cleaning_timer = NULL;
+ cleaner->resched_event = NULL;
+ cleaner->overmem_event = NULL;
+
+ if (taskmgr != NULL && timermgr != NULL) {
+ result = isc_task_create(taskmgr, 1, &cleaner->task);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_task_create() failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+ cleaner->cache->live_tasks++;
+ isc_task_setname(cleaner->task, "cachecleaner", cleaner);
+
+ result = isc_task_onshutdown(cleaner->task,
+ cleaner_shutdown_action, cache);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "cache cleaner: "
+ "isc_task_onshutdown() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+
+ cleaner->cleaning_interval = 0; /* Initially turned off. */
+ result = isc_timer_create(timermgr, isc_timertype_inactive,
+ NULL, NULL,
+ cleaner->task,
+ cleaning_timer_action, cleaner,
+ &cleaner->cleaning_timer);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_timer_create() failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+
+ cleaner->resched_event =
+ isc_event_allocate(cache->mctx, cleaner,
+ DNS_EVENT_CACHECLEAN,
+ incremental_cleaning_action,
+ cleaner, sizeof(isc_event_t));
+ if (cleaner->resched_event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ cleaner->overmem_event =
+ isc_event_allocate(cache->mctx, cleaner,
+ DNS_EVENT_CACHEOVERMEM,
+ overmem_cleaning_action,
+ cleaner, sizeof(isc_event_t));
+ if (cleaner->overmem_event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (cleaner->overmem_event != NULL)
+ isc_event_free(&cleaner->overmem_event);
+ if (cleaner->resched_event != NULL)
+ isc_event_free(&cleaner->resched_event);
+ if (cleaner->cleaning_timer != NULL)
+ isc_timer_detach(&cleaner->cleaning_timer);
+ if (cleaner->task != NULL)
+ isc_task_detach(&cleaner->task);
+ DESTROYLOCK(&cleaner->lock);
+ fail:
+ return (result);
+}
+
+static void
+begin_cleaning(cache_cleaner_t *cleaner) {
+ isc_result_t result;
+
+ REQUIRE(CLEANER_IDLE(cleaner));
+
+ /*
+ * Create an iterator and position it at the beginning of the cache.
+ */
+ result = dns_db_createiterator(cleaner->cache->db, ISC_FALSE,
+ &cleaner->iterator);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+ "cache cleaner could not create "
+ "iterator: %s", isc_result_totext(result));
+ else {
+ dns_dbiterator_setcleanmode(cleaner->iterator, ISC_TRUE);
+ result = dns_dbiterator_first(cleaner->iterator);
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * If the result is ISC_R_NOMORE, the database is empty,
+ * so there is nothing to be cleaned.
+ */
+ if (result != ISC_R_NOMORE)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "cache cleaner: "
+ "dns_dbiterator_first() failed: %s",
+ dns_result_totext(result));
+
+ if (cleaner->iterator != NULL)
+ dns_dbiterator_destroy(&cleaner->iterator);
+ } else {
+ /*
+ * Pause the iterator to free its lock.
+ */
+ result = dns_dbiterator_pause(cleaner->iterator);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "begin cache cleaning, mem inuse %lu",
+ (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+ cleaner->state = cleaner_s_busy;
+ isc_task_send(cleaner->task, &cleaner->resched_event);
+ }
+
+ return;
+}
+
+static void
+end_cleaning(cache_cleaner_t *cleaner, isc_event_t *event) {
+ REQUIRE(CLEANER_BUSY(cleaner));
+ REQUIRE(event != NULL);
+
+ dns_dbiterator_destroy(&cleaner->iterator);
+
+ dns_cache_setcleaninginterval(cleaner->cache,
+ cleaner->cleaning_interval);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1), "end cache cleaning, mem inuse %lu",
+ (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+ cleaner->state = cleaner_s_idle;
+ cleaner->resched_event = event;
+}
+
+/*
+ * This is run once for every cache-cleaning-interval as defined in named.conf.
+ */
+static void
+cleaning_timer_action(isc_task_t *task, isc_event_t *event) {
+ cache_cleaner_t *cleaner = event->ev_arg;
+
+ UNUSED(task);
+
+ INSIST(task == cleaner->task);
+ INSIST(event->ev_type == ISC_TIMEREVENT_TICK);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1), "cache cleaning timer fired, "
+ "cleaner state = %d", cleaner->state);
+
+ if (cleaner->state == cleaner_s_idle)
+ begin_cleaning(cleaner);
+
+ isc_event_free(&event);
+}
+
+/*
+ * This is called when the cache either surpasses its upper limit
+ * or shrinks beyond its lower limit.
+ */
+static void
+overmem_cleaning_action(isc_task_t *task, isc_event_t *event) {
+ cache_cleaner_t *cleaner = event->ev_arg;
+ isc_boolean_t want_cleaning = ISC_FALSE;
+
+ UNUSED(task);
+
+ INSIST(task == cleaner->task);
+ INSIST(event->ev_type == DNS_EVENT_CACHEOVERMEM);
+ INSIST(cleaner->overmem_event == NULL);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1), "overmem_cleaning_action called, "
+ "overmem = %d, state = %d", cleaner->overmem,
+ cleaner->state);
+
+ LOCK(&cleaner->lock);
+
+ if (cleaner->overmem) {
+ if (cleaner->state == cleaner_s_idle)
+ want_cleaning = ISC_TRUE;
+ } else {
+ if (cleaner->state == cleaner_s_busy)
+ /*
+ * end_cleaning() can't be called here because
+ * then both cleaner->overmem_event and
+ * cleaner->resched_event will point to this
+ * event. Set the state to done, and then
+ * when the incremental_cleaning_action() event
+ * is posted, it will handle the end_cleaning.
+ */
+ cleaner->state = cleaner_s_done;
+ }
+
+ cleaner->overmem_event = event;
+
+ UNLOCK(&cleaner->lock);
+
+ if (want_cleaning)
+ begin_cleaning(cleaner);
+}
+
+/*
+ * Do incremental cleaning.
+ */
+static void
+incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
+ cache_cleaner_t *cleaner = event->ev_arg;
+ isc_result_t result;
+ int n_names;
+
+ UNUSED(task);
+
+ INSIST(task == cleaner->task);
+ INSIST(event->ev_type == DNS_EVENT_CACHECLEAN);
+
+ if (cleaner->state == cleaner_s_done) {
+ cleaner->state = cleaner_s_busy;
+ end_cleaning(cleaner, event);
+ return;
+ }
+
+ INSIST(CLEANER_BUSY(cleaner));
+
+ n_names = cleaner->increment;
+
+ REQUIRE(DNS_DBITERATOR_VALID(cleaner->iterator));
+
+ while (n_names-- > 0) {
+ dns_dbnode_t *node = NULL;
+
+ result = dns_dbiterator_current(cleaner->iterator, &node,
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "cache cleaner: dns_dbiterator_current() "
+ "failed: %s", dns_result_totext(result));
+
+ end_cleaning(cleaner, event);
+ return;
+ }
+
+ /*
+ * The node was not needed, but was required by
+ * dns_dbiterator_current(). Give up its reference.
+ */
+ dns_db_detachnode(cleaner->cache->db, &node);
+
+ /*
+ * Step to the next node.
+ */
+ result = dns_dbiterator_next(cleaner->iterator);
+
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Either the end was reached (ISC_R_NOMORE) or
+ * some error was signaled. If the cache is still
+ * overmem and no error was encountered,
+ * keep trying to clean it, otherwise stop cleanng.
+ */
+ if (result != ISC_R_NOMORE)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "cache cleaner: "
+ "dns_dbiterator_next() "
+ "failed: %s",
+ dns_result_totext(result));
+ else if (cleaner->overmem) {
+ result = dns_dbiterator_first(cleaner->
+ iterator);
+ if (result == ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1),
+ "cache cleaner: "
+ "still overmem, "
+ "reset and try again");
+ continue;
+ }
+ }
+
+ end_cleaning(cleaner, event);
+ return;
+ }
+ }
+
+ /*
+ * We have successfully performed a cleaning increment but have
+ * not gone through the entire cache. Free the iterator locks
+ * and reschedule another batch. If it fails, just try to continue
+ * anyway.
+ */
+ result = dns_dbiterator_pause(cleaner->iterator);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
+ ISC_LOG_DEBUG(1), "cache cleaner: checked %d nodes, "
+ "mem inuse %lu, sleeping", cleaner->increment,
+ (unsigned long)isc_mem_inuse(cleaner->cache->mctx));
+
+ isc_task_send(task, &event);
+ INSIST(CLEANER_BUSY(cleaner));
+ return;
+}
+
+/*
+ * Do immediate cleaning.
+ */
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
+ isc_result_t result;
+ dns_dbiterator_t *iterator = NULL;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ result = dns_db_createiterator(cache->db, ISC_FALSE, &iterator);
+ if (result != ISC_R_SUCCESS)
+ return result;
+
+ result = dns_dbiterator_first(iterator);
+
+ while (result == ISC_R_SUCCESS) {
+ dns_dbnode_t *node = NULL;
+ result = dns_dbiterator_current(iterator, &node,
+ (dns_name_t *)NULL);
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ /*
+ * Check TTLs, mark expired rdatasets stale.
+ */
+ result = dns_db_expirenode(cache->db, node, now);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "cache cleaner: dns_db_expirenode() "
+ "failed: %s",
+ dns_result_totext(result));
+ /*
+ * Continue anyway.
+ */
+ }
+
+ /*
+ * This is where the actual freeing takes place.
+ */
+ dns_db_detachnode(cache->db, &node);
+
+ result = dns_dbiterator_next(iterator);
+ }
+
+ dns_dbiterator_destroy(&iterator);
+
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+static void
+water(void *arg, int mark) {
+ dns_cache_t *cache = arg;
+ isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
+
+ REQUIRE(VALID_CACHE(cache));
+
+ LOCK(&cache->cleaner.lock);
+
+ dns_db_overmem(cache->db, overmem);
+ cache->cleaner.overmem = overmem;
+
+ if (cache->cleaner.overmem_event != NULL)
+ isc_task_send(cache->cleaner.task,
+ &cache->cleaner.overmem_event);
+
+ UNLOCK(&cache->cleaner.lock);
+}
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
+ isc_uint32_t lowater;
+ isc_uint32_t hiwater;
+
+ REQUIRE(VALID_CACHE(cache));
+
+ /*
+ * Impose a minumum cache size; pathological things happen if there
+ * is too little room.
+ */
+ if (size != 0 && size < DNS_CACHE_MINSIZE)
+ size = DNS_CACHE_MINSIZE;
+
+ hiwater = size - (size >> 3); /* Approximately 7/8ths. */
+ lowater = size - (size >> 2); /* Approximately 3/4ths. */
+
+ /*
+ * If the cache was overmem and cleaning, but now with the new limits
+ * it is no longer in an overmem condition, then the next
+ * isc_mem_put for cache memory will do the right thing and trigger
+ * water().
+ */
+
+ if (size == 0 || hiwater == 0 || lowater == 0)
+ /*
+ * Disable cache memory limiting.
+ */
+ isc_mem_setwater(cache->mctx, water, cache, 0, 0);
+ else
+ /*
+ * Establish new cache memory limits (either for the first
+ * time, or replacing other limits).
+ */
+ isc_mem_setwater(cache->mctx, water, cache, hiwater, lowater);
+}
+
+/*
+ * The cleaner task is shutting down; do the necessary cleanup.
+ */
+static void
+cleaner_shutdown_action(isc_task_t *task, isc_event_t *event) {
+ dns_cache_t *cache = event->ev_arg;
+ isc_boolean_t should_free = ISC_FALSE;
+
+ UNUSED(task);
+
+ INSIST(task == cache->cleaner.task);
+ INSIST(event->ev_type == ISC_TASKEVENT_SHUTDOWN);
+
+ if (CLEANER_BUSY(&cache->cleaner))
+ end_cleaning(&cache->cleaner, event);
+ else
+ isc_event_free(&event);
+
+ LOCK(&cache->lock);
+
+ cache->live_tasks--;
+ INSIST(cache->live_tasks == 0);
+
+ if (cache->references == 0)
+ should_free = ISC_TRUE;
+
+ /*
+ * By detaching the timer in the context of its task,
+ * we are guaranteed that there will be no further timer
+ * events.
+ */
+ if (cache->cleaner.cleaning_timer != NULL)
+ isc_timer_detach(&cache->cleaner.cleaning_timer);
+
+ /* Make sure we don't reschedule anymore. */
+ (void)isc_task_purge(task, NULL, DNS_EVENT_CACHECLEAN, NULL);
+
+ UNLOCK(&cache->lock);
+
+ if (should_free)
+ cache_free(cache);
+}
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache) {
+ dns_db_t *db = NULL;
+ isc_result_t result;
+
+ result = cache_create_db(cache, &db);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_db_detach(&cache->db);
+ cache->db = db;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name) {
+ isc_result_t result;
+ dns_rdatasetiter_t *iter = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_db_t *db = NULL;
+
+ LOCK(&cache->lock);
+ if (cache->db != NULL)
+ dns_db_attach(cache->db, &db);
+ UNLOCK(&cache->lock);
+ if (db == NULL)
+ return (ISC_R_SUCCESS);
+ result = dns_db_findnode(cache->db, name, ISC_FALSE, &node);
+ if (result == ISC_R_NOTFOUND) {
+ result = ISC_R_SUCCESS;
+ goto cleanup_db;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_db;
+
+ result = dns_db_allrdatasets(cache->db, node, NULL,
+ (isc_stdtime_t)0, &iter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_node;
+
+ for (result = dns_rdatasetiter_first(iter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(iter))
+ {
+ dns_rdataset_t rdataset;
+ dns_rdataset_init(&rdataset);
+
+ dns_rdatasetiter_current(iter, &rdataset);
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatatype_t covers;
+
+ dns_rdataset_current(&rdataset, &rdata);
+ if (rdata.type == dns_rdatatype_rrsig)
+ covers = dns_rdata_covers(&rdata);
+ else
+ covers = 0;
+ result = dns_db_deleterdataset(cache->db, node, NULL,
+ rdata.type, covers);
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_UNCHANGED)
+ break;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOMORE)
+ break;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+ dns_db_detachnode(cache->db, &node);
+
+ cleanup_db:
+ dns_db_detach(&db);
+ return (result);
+}
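Review bot: dns_cache_flush() swaps `cache->db` with no lock held, while dns_cache_attachdb() and dns_cache_flushname() take `cache->lock` before attaching to that same pointer, so a flush running concurrently with either can hand out a database that is in the middle of being detached. The swap should be bracketed by the lock, `LOCK(&cache->lock); dns_db_detach(&cache->db); cache->db = db; UNLOCK(&cache->lock);`. dns_cache_flushname() also attaches a private `db` reference under the lock but then passes `cache->db` to dns_db_findnode(), dns_db_allrdatasets(), dns_db_deleterdataset() and dns_db_detachnode(); using `db` in those four calls keeps the node paired with the database it came from. Separately, a cleaner that is busy during a flush keeps an iterator created on the old database while incremental_cleaning_action() detaches its nodes through `cleaner->cache->db`; that probably needs the iterator to be dropped or recreated as part of the flush, which is more than a one-line change.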
diff --git a/contrib/bind9/lib/dns/callbacks.c b/contrib/bind9/lib/dns/callbacks.c
new file mode 100644
index 0000000..431c7ef
--- /dev/null
+++ b/contrib/bind9/lib/dns/callbacks.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: callbacks.c,v 1.12.206.1 2004/03/06 08:13:36 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/log.h>
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *, const char *, ...)
+ ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(2, 3);
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(2, 3);
+
+/*
+ * Private
+ */
+
+static void
+stdio_error_warn_callback(dns_rdatacallbacks_t *callbacks,
+ const char *fmt, ...)
+{
+ va_list ap;
+
+ UNUSED(callbacks);
+
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fprintf(stderr, "\n");
+}
+
+static void
+isclog_error_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+ va_list ap;
+
+ UNUSED(callbacks);
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, /* XXX */
+ ISC_LOG_ERROR, fmt, ap);
+ va_end(ap);
+}
+
+static void
+isclog_warn_callback(dns_rdatacallbacks_t *callbacks, const char *fmt, ...) {
+ va_list ap;
+
+ UNUSED(callbacks);
+
+ va_start(ap, fmt);
+
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTER, /* XXX */
+ ISC_LOG_WARNING, fmt, ap);
+ va_end(ap);
+}
+
+static void
+dns_rdatacallbacks_initcommon(dns_rdatacallbacks_t *callbacks) {
+ REQUIRE(callbacks != NULL);
+
+ callbacks->add = NULL;
+ callbacks->add_private = NULL;
+ callbacks->error_private = NULL;
+ callbacks->warn_private = NULL;
+}
+
+/*
+ * Public.
+ */
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks) {
+ dns_rdatacallbacks_initcommon(callbacks);
+ callbacks->error = isclog_error_callback;
+ callbacks->warn = isclog_warn_callback;
+}
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks) {
+ dns_rdatacallbacks_initcommon(callbacks);
+ callbacks->error = stdio_error_warn_callback;
+ callbacks->warn = stdio_error_warn_callback;
+}
+
diff --git a/contrib/bind9/lib/dns/compress.c b/contrib/bind9/lib/dns/compress.c
new file mode 100644
index 0000000..e0fe8c2
--- /dev/null
+++ b/contrib/bind9/lib/dns/compress.c
@@ -0,0 +1,316 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: compress.c,v 1.50.206.2 2004/03/06 08:13:37 marka Exp $ */
+
+#define DNS_NAME_USEINLINE 1
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#define CCTX_MAGIC ISC_MAGIC('C', 'C', 'T', 'X')
+#define VALID_CCTX(x) ISC_MAGIC_VALID(x, CCTX_MAGIC)
+
+#define DCTX_MAGIC ISC_MAGIC('D', 'C', 'T', 'X')
+#define VALID_DCTX(x) ISC_MAGIC_VALID(x, DCTX_MAGIC)
+
+/***
+ *** Compression
+ ***/
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx) {
+ unsigned int i;
+
+ REQUIRE(cctx != NULL);
+ REQUIRE(mctx != NULL); /* See: rdataset.c:towiresorted(). */
+
+ cctx->allowed = 0;
+ cctx->edns = edns;
+ for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++)
+ cctx->table[i] = NULL;
+ cctx->mctx = mctx;
+ cctx->count = 0;
+ cctx->magic = CCTX_MAGIC;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_compress_invalidate(dns_compress_t *cctx) {
+ dns_compressnode_t *node;
+ unsigned int i;
+
+ REQUIRE(VALID_CCTX(cctx));
+
+ cctx->magic = 0;
+ for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+ while (cctx->table[i] != NULL) {
+ node = cctx->table[i];
+ cctx->table[i] = cctx->table[i]->next;
+ if (node->count < DNS_COMPRESS_INITIALNODES)
+ continue;
+ isc_mem_put(cctx->mctx, node, sizeof(*node));
+ }
+ }
+ cctx->allowed = 0;
+ cctx->edns = -1;
+}
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed) {
+ REQUIRE(VALID_CCTX(cctx));
+
+ cctx->allowed = allowed;
+}
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx) {
+ REQUIRE(VALID_CCTX(cctx));
+ return (cctx->allowed);
+}
+
+int
+dns_compress_getedns(dns_compress_t *cctx) {
+ REQUIRE(VALID_CCTX(cctx));
+ return (cctx->edns);
+}
+
+#define NODENAME(node, name) \
+do { \
+ (name)->length = (node)->r.length; \
+ (name)->labels = (node)->labels; \
+ (name)->ndata = (node)->r.base; \
+ (name)->attributes = DNS_NAMEATTR_ABSOLUTE; \
+} while (0)
+
+/*
+ * Find the longest match of name in the table.
+ * If match is found return ISC_TRUE. prefix, suffix and offset are updated.
+ * If no match is found return ISC_FALSE.
+ */
+isc_boolean_t
+dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+ dns_name_t *prefix, isc_uint16_t *offset)
+{
+ dns_name_t tname, nname;
+ dns_compressnode_t *node = NULL;
+ unsigned int labels, hash, n;
+
+ REQUIRE(VALID_CCTX(cctx));
+ REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
+ REQUIRE(offset != NULL);
+
+ if (cctx->count == 0)
+ return (ISC_FALSE);
+
+ labels = dns_name_countlabels(name);
+ INSIST(labels > 0);
+
+ dns_name_init(&tname, NULL);
+ dns_name_init(&nname, NULL);
+
+ for (n = 0; n < labels - 1; n++) {
+ dns_name_getlabelsequence(name, n, labels - n, &tname);
+ hash = dns_name_hash(&tname, ISC_FALSE) %
+ DNS_COMPRESS_TABLESIZE;
+ for (node = cctx->table[hash]; node != NULL; node = node->next)
+ {
+ NODENAME(node, &nname);
+ if (dns_name_equal(&nname, &tname))
+ break;
+ }
+ if (node != NULL)
+ break;
+ }
+
+ /*
+ * If node == NULL, we found no match at all.
+ */
+ if (node == NULL)
+ return (ISC_FALSE);
+
+ if (n == 0)
+ dns_name_reset(prefix);
+ else
+ dns_name_getlabelsequence(name, 0, n, prefix);
+
+ *offset = node->offset;
+ return (ISC_TRUE);
+}
+
+static inline unsigned int
+name_length(dns_name_t *name) {
+ isc_region_t r;
+ dns_name_toregion(name, &r);
+ return (r.length);
+}
+
+void
+dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
+ isc_uint16_t offset)
+{
+ dns_name_t tname;
+ unsigned int start;
+ unsigned int n;
+ unsigned int count;
+ unsigned int hash;
+ dns_compressnode_t *node;
+ unsigned int length;
+ unsigned int tlength;
+ isc_uint16_t toffset;
+
+ REQUIRE(VALID_CCTX(cctx));
+ REQUIRE(dns_name_isabsolute(name));
+
+ dns_name_init(&tname, NULL);
+
+ n = dns_name_countlabels(name);
+ count = dns_name_countlabels(prefix);
+ if (dns_name_isabsolute(prefix))
+ count--;
+ start = 0;
+ length = name_length(name);
+ while (count > 0) {
+ if (offset >= 0x4000)
+ break;
+ dns_name_getlabelsequence(name, start, n, &tname);
+ hash = dns_name_hash(&tname, ISC_FALSE) %
+ DNS_COMPRESS_TABLESIZE;
+ tlength = name_length(&tname);
+ toffset = (isc_uint16_t)(offset + (length - tlength));
+ /*
+ * Create a new node and add it.
+ */
+ if (cctx->count < DNS_COMPRESS_INITIALNODES)
+ node = &cctx->initialnodes[cctx->count];
+ else {
+ node = isc_mem_get(cctx->mctx,
+ sizeof(dns_compressnode_t));
+ if (node == NULL)
+ return;
+ }
+ node->count = cctx->count++;
+ node->offset = toffset;
+ dns_name_toregion(&tname, &node->r);
+ node->labels = (isc_uint8_t)dns_name_countlabels(&tname);
+ node->next = cctx->table[hash];
+ cctx->table[hash] = node;
+ start++;
+ n--;
+ count--;
+ }
+}
+
+void
+dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
+ unsigned int i;
+ dns_compressnode_t *node;
+
+ REQUIRE(VALID_CCTX(cctx));
+
+ for (i = 0; i < DNS_COMPRESS_TABLESIZE; i++) {
+ node = cctx->table[i];
+ /*
+ * This relies on nodes with greater offsets being
+ * closer to the beginning of the list, and the
+ * items with the greatest offsets being at the end
+ * of the initialnodes[] array.
+ */
+ while (node != NULL && node->offset >= offset) {
+ cctx->table[i] = node->next;
+ if (node->count >= DNS_COMPRESS_INITIALNODES)
+ isc_mem_put(cctx->mctx, node, sizeof(*node));
+ cctx->count--;
+ node = cctx->table[i];
+ }
+ }
+}
+
+/***
+ *** Decompression
+ ***/
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+ dns_decompresstype_t type) {
+
+ REQUIRE(dctx != NULL);
+ REQUIRE(edns >= -1 && edns <= 255);
+
+ dctx->allowed = DNS_COMPRESS_NONE;
+ dctx->edns = edns;
+ dctx->type = type;
+ dctx->magic = DCTX_MAGIC;
+}
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx) {
+
+ REQUIRE(VALID_DCTX(dctx));
+
+ dctx->magic = 0;
+}
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed) {
+
+ REQUIRE(VALID_DCTX(dctx));
+
+ switch (dctx->type) {
+ case DNS_DECOMPRESS_ANY:
+ dctx->allowed = DNS_COMPRESS_ALL;
+ break;
+ case DNS_DECOMPRESS_NONE:
+ dctx->allowed = DNS_COMPRESS_NONE;
+ break;
+ case DNS_DECOMPRESS_STRICT:
+ dctx->allowed = allowed;
+ break;
+ }
+}
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx) {
+
+ REQUIRE(VALID_DCTX(dctx));
+
+ return (dctx->allowed);
+}
+
+int
+dns_decompress_edns(dns_decompress_t *dctx) {
+
+ REQUIRE(VALID_DCTX(dctx));
+
+ return (dctx->edns);
+}
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx) {
+
+ REQUIRE(VALID_DCTX(dctx));
+
+ return (dctx->type);
+}
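Review bot: In dns_compress_add the 14-bit pointer limit is tested on `offset`, which never changes inside the loop, while the value stored in the node is `toffset = offset + (length - tlength)`. With `offset` just below 0x4000 and a multi-label name, the later suffixes get a `toffset` of 0x4000 or more, which a two-byte compression pointer cannot encode. How the stored offset is consumed is outside this file, so the practical impact depends on the caller. Moving the guard after the computation, `if (toffset >= 0x4000) break;`, keeps such entries out of the table, and the invariant `offset` test can then be hoisted above the loop. Since this is a vendor import, the change would be best raised upstream rather than patched locally.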
diff --git a/contrib/bind9/lib/dns/db.c b/contrib/bind9/lib/dns/db.c
new file mode 100644
index 0000000..347ce1e
--- /dev/null
+++ b/contrib/bind9/lib/dns/db.c
@@ -0,0 +1,793 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: db.c,v 1.69.2.1.10.4 2004/03/08 02:07:52 marka Exp $ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+/***
+ *** Private Types
+ ***/
+
+struct dns_dbimplementation {
+ const char * name;
+ dns_dbcreatefunc_t create;
+ isc_mem_t * mctx;
+ void * driverarg;
+ ISC_LINK(dns_dbimplementation_t) link;
+};
+
+/***
+ *** Supported DB Implementations Registry
+ ***/
+
+/*
+ * Built in database implementations are registered here.
+ */
+
+#include "rbtdb.h"
+#include "rbtdb64.h"
+
+static ISC_LIST(dns_dbimplementation_t) implementations;
+static isc_rwlock_t implock;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static dns_dbimplementation_t rbtimp;
+static dns_dbimplementation_t rbt64imp;
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_rwlock_init(&implock, 0, 0) == ISC_R_SUCCESS);
+
+ rbtimp.name = "rbt";
+ rbtimp.create = dns_rbtdb_create;
+ rbtimp.mctx = NULL;
+ rbtimp.driverarg = NULL;
+ ISC_LINK_INIT(&rbtimp, link);
+
+ rbt64imp.name = "rbt64";
+ rbt64imp.create = dns_rbtdb64_create;
+ rbt64imp.mctx = NULL;
+ rbt64imp.driverarg = NULL;
+ ISC_LINK_INIT(&rbt64imp, link);
+
+ ISC_LIST_INIT(implementations);
+ ISC_LIST_APPEND(implementations, &rbtimp, link);
+ ISC_LIST_APPEND(implementations, &rbt64imp, link);
+}
+
+static inline dns_dbimplementation_t *
+impfind(const char *name) {
+ dns_dbimplementation_t *imp;
+
+ for (imp = ISC_LIST_HEAD(implementations);
+ imp != NULL;
+ imp = ISC_LIST_NEXT(imp, link))
+ if (strcasecmp(name, imp->name) == 0)
+ return (imp);
+ return (NULL);
+}
+
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
+ dns_dbtype_t type, dns_rdataclass_t rdclass,
+ unsigned int argc, char *argv[], dns_db_t **dbp)
+{
+ dns_dbimplementation_t *impinfo;
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ /*
+ * Create a new database using implementation 'db_type'.
+ */
+
+ REQUIRE(dbp != NULL && *dbp == NULL);
+ REQUIRE(dns_name_isabsolute(origin));
+
+ RWLOCK(&implock, isc_rwlocktype_read);
+ impinfo = impfind(db_type);
+ if (impinfo != NULL) {
+ isc_result_t result;
+ result = ((impinfo->create)(mctx, origin, type,
+ rdclass, argc, argv,
+ impinfo->driverarg, dbp));
+ RWUNLOCK(&implock, isc_rwlocktype_read);
+ return (result);
+ }
+
+ RWUNLOCK(&implock, isc_rwlocktype_read);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_DB, ISC_LOG_ERROR,
+ "unsupported database type '%s'", db_type);
+
+ return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp) {
+
+ /*
+ * Attach *targetp to source.
+ */
+
+ REQUIRE(DNS_DB_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ (source->methods->attach)(source, targetp);
+
+ ENSURE(*targetp == source);
+}
+
+void
+dns_db_detach(dns_db_t **dbp) {
+
+ /*
+ * Detach *dbp from its database.
+ */
+
+ REQUIRE(dbp != NULL);
+ REQUIRE(DNS_DB_VALID(*dbp));
+
+ ((*dbp)->methods->detach)(dbp);
+
+ ENSURE(*dbp == NULL);
+}
+
+isc_result_t
+dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp)
+{
+ REQUIRE(DNS_DB_VALID(db));
+
+ return (isc_ondestroy_register(&db->ondest, task, eventp));
+}
+
+
+isc_boolean_t
+dns_db_iscache(dns_db_t *db) {
+
+ /*
+ * Does 'db' have cache semantics?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ if ((db->attributes & DNS_DBATTR_CACHE) != 0)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_db_iszone(dns_db_t *db) {
+
+ /*
+ * Does 'db' have zone semantics?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ if ((db->attributes & (DNS_DBATTR_CACHE|DNS_DBATTR_STUB)) == 0)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_db_isstub(dns_db_t *db) {
+
+ /*
+ * Does 'db' have stub semantics?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ if ((db->attributes & DNS_DBATTR_STUB) != 0)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_db_issecure(dns_db_t *db) {
+
+ /*
+ * Is 'db' secure?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+ return ((db->methods->issecure)(db));
+}
+
+isc_boolean_t
+dns_db_ispersistent(dns_db_t *db) {
+
+ /*
+ * Is 'db' persistent?
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ return ((db->methods->ispersistent)(db));
+}
+
+dns_name_t *
+dns_db_origin(dns_db_t *db) {
+ /*
+ * The origin of the database.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ return (&db->origin);
+}
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db) {
+ /*
+ * The class of the database.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ return (db->rdclass);
+}
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
+ dns_dbload_t **dbloadp) {
+ /*
+ * Begin loading 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(addp != NULL && *addp == NULL);
+ REQUIRE(dbloadp != NULL && *dbloadp == NULL);
+
+ return ((db->methods->beginload)(db, addp, dbloadp));
+}
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp) {
+ /*
+ * Finish loading 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(dbloadp != NULL && *dbloadp != NULL);
+
+ return ((db->methods->endload)(db, dbloadp));
+}
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename) {
+ isc_result_t result, eresult;
+ dns_rdatacallbacks_t callbacks;
+ unsigned int options = 0;
+
+ /*
+ * Load master file 'filename' into 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ if ((db->attributes & DNS_DBATTR_CACHE) != 0)
+ options |= DNS_MASTER_AGETTL;
+
+ dns_rdatacallbacks_init(&callbacks);
+
+ result = dns_db_beginload(db, &callbacks.add, &callbacks.add_private);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_master_loadfile(filename, &db->origin, &db->origin,
+ db->rdclass, options,
+ &callbacks, db->mctx);
+ eresult = dns_db_endload(db, &callbacks.add_private);
+ /*
+ * We always call dns_db_endload(), but we only want to return its
+ * result if dns_master_loadfile() succeeded. If dns_master_loadfile()
+ * failed, we want to return the result code it gave us.
+ */
+ if (eresult != ISC_R_SUCCESS &&
+ (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+ result = eresult;
+
+ return (result);
+}
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+ /*
+ * Dump 'db' into master file 'filename'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ return ((db->methods->dump)(db, version, filename));
+}
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+
+ /*
+ * Open the current version for reading.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+ REQUIRE(versionp != NULL && *versionp == NULL);
+
+ (db->methods->currentversion)(db, versionp);
+}
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+
+ /*
+ * Open a new version for reading and writing.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+ REQUIRE(versionp != NULL && *versionp == NULL);
+
+ return ((db->methods->newversion)(db, versionp));
+}
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+ dns_dbversion_t **targetp)
+{
+ /*
+ * Attach '*targetp' to 'source'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+ REQUIRE(source != NULL);
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ (db->methods->attachversion)(db, source, targetp);
+
+ ENSURE(*targetp != NULL);
+}
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
+ isc_boolean_t commit)
+{
+
+ /*
+ * Close version '*versionp'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+ REQUIRE(versionp != NULL && *versionp != NULL);
+
+ (db->methods->closeversion)(db, versionp, commit);
+
+ ENSURE(*versionp == NULL);
+}
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create, dns_dbnode_t **nodep)
+{
+
+ /*
+ * Find the node with name 'name'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ return ((db->methods->findnode)(db, name, create, nodep));
+}
+
+isc_result_t
+dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+
+ /*
+ * Find the best match for 'name' and 'type' in version 'version'
+ * of 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(type != dns_rdatatype_rrsig);
+ REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
+ REQUIRE(dns_name_hasbuffer(foundname));
+ REQUIRE(rdataset == NULL ||
+ (DNS_RDATASET_VALID(rdataset) &&
+ ! dns_rdataset_isassociated(rdataset)));
+ REQUIRE(sigrdataset == NULL ||
+ (DNS_RDATASET_VALID(sigrdataset) &&
+ ! dns_rdataset_isassociated(sigrdataset)));
+
+ return ((db->methods->find)(db, name, version, type, options, now,
+ nodep, foundname, rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
+ unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ /*
+ * Find the deepest known zonecut which encloses 'name' in 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+ REQUIRE(nodep == NULL || (nodep != NULL && *nodep == NULL));
+ REQUIRE(dns_name_hasbuffer(foundname));
+ REQUIRE(sigrdataset == NULL ||
+ (DNS_RDATASET_VALID(sigrdataset) &&
+ ! dns_rdataset_isassociated(sigrdataset)));
+
+ return ((db->methods->findzonecut)(db, name, options, now, nodep,
+ foundname, rdataset, sigrdataset));
+}
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+
+ /*
+ * Attach *targetp to source.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(source != NULL);
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ (db->methods->attachnode)(db, source, targetp);
+}
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
+
+ /*
+ * Detach *nodep from its node.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(nodep != NULL && *nodep != NULL);
+
+ (db->methods->detachnode)(db, nodep);
+
+ ENSURE(*nodep == NULL);
+}
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+
+ /*
+ * Mark as stale all records at 'node' which expire at or before 'now'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) != 0);
+ REQUIRE(node != NULL);
+
+ return ((db->methods->expirenode)(db, node, now));
+}
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+ /*
+ * Print a textual representation of the contents of the node to
+ * 'out'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(node != NULL);
+
+ (db->methods->printnode)(db, node, out);
+}
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+ dns_dbiterator_t **iteratorp)
+{
+ /*
+ * Create an iterator for version 'version' of 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+ return (db->methods->createiterator(db, relative_names, iteratorp));
+}
+
+/***
+ *** Rdataset Methods
+ ***/
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ /*
+ * Search for an rdataset of type 'type' at 'node' that are in version
+ * 'version' of 'db'. If found, make 'rdataset' refer to it.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(node != NULL);
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(! dns_rdataset_isassociated(rdataset));
+ REQUIRE(covers == 0 || type == dns_rdatatype_rrsig);
+ REQUIRE(type != dns_rdatatype_any);
+ REQUIRE(sigrdataset == NULL ||
+ (DNS_RDATASET_VALID(sigrdataset) &&
+ ! dns_rdataset_isassociated(sigrdataset)));
+
+ return ((db->methods->findrdataset)(db, node, version, type, covers,
+ now, rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+ /*
+ * Make '*iteratorp' an rdataset iteratator for all rdatasets at
+ * 'node' in version 'version' of 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(iteratorp != NULL && *iteratorp == NULL);
+
+ return ((db->methods->allrdatasets)(db, node, version, now,
+ iteratorp));
+}
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ unsigned int options, dns_rdataset_t *addedrdataset)
+{
+ /*
+ * Add 'rdataset' to 'node' in version 'version' of 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(node != NULL);
+ REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
+ ((db->attributes & DNS_DBATTR_CACHE) != 0 &&
+ version == NULL && (options & DNS_DBADD_MERGE) == 0));
+ REQUIRE((options & DNS_DBADD_EXACT) == 0 ||
+ (options & DNS_DBADD_MERGE) != 0);
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(dns_rdataset_isassociated(rdataset));
+ REQUIRE(rdataset->rdclass == db->rdclass);
+ REQUIRE(addedrdataset == NULL ||
+ (DNS_RDATASET_VALID(addedrdataset) &&
+ ! dns_rdataset_isassociated(addedrdataset)));
+
+ return ((db->methods->addrdataset)(db, node, version, now, rdataset,
+ options, addedrdataset));
+}
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version, dns_rdataset_t *rdataset,
+ unsigned int options, dns_rdataset_t *newrdataset)
+{
+ /*
+ * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+ * 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(node != NULL);
+ REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL);
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(dns_rdataset_isassociated(rdataset));
+ REQUIRE(rdataset->rdclass == db->rdclass);
+ REQUIRE(newrdataset == NULL ||
+ (DNS_RDATASET_VALID(newrdataset) &&
+ ! dns_rdataset_isassociated(newrdataset)));
+
+ return ((db->methods->subtractrdataset)(db, node, version, rdataset,
+ options, newrdataset));
+}
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version, dns_rdatatype_t type,
+ dns_rdatatype_t covers)
+{
+ /*
+ * Make it so that no rdataset of type 'type' exists at 'node' in
+ * version version 'version' of 'db'.
+ */
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(node != NULL);
+ REQUIRE(((db->attributes & DNS_DBATTR_CACHE) == 0 && version != NULL)||
+ ((db->attributes & DNS_DBATTR_CACHE) != 0 && version == NULL));
+
+ return ((db->methods->deleterdataset)(db, node, version,
+ type, covers));
+}
+
+void
+dns_db_overmem(dns_db_t *db, isc_boolean_t overmem) {
+
+ REQUIRE(DNS_DB_VALID(db));
+
+ (db->methods->overmem)(db, overmem);
+}
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_buffer_t buffer;
+
+ REQUIRE(dns_db_iszone(db) || dns_db_isstub(db));
+
+ result = dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+ (isc_stdtime_t)0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto freenode;
+
+ result = dns_rdataset_first(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto freerdataset;
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_rdataset_next(&rdataset);
+ INSIST(result == ISC_R_NOMORE);
+
+ INSIST(rdata.length > 20);
+ isc_buffer_init(&buffer, rdata.data, rdata.length);
+ isc_buffer_add(&buffer, rdata.length);
+ isc_buffer_forward(&buffer, rdata.length - 20);
+ *serialp = isc_buffer_getuint32(&buffer);
+
+ result = ISC_R_SUCCESS;
+
+ freerdataset:
+ dns_rdataset_disassociate(&rdataset);
+
+ freenode:
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+unsigned int
+dns_db_nodecount(dns_db_t *db) {
+ REQUIRE(DNS_DB_VALID(db));
+
+ return ((db->methods->nodecount)(db));
+}
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task) {
+ REQUIRE(DNS_DB_VALID(db));
+
+ (db->methods->settask)(db, task);
+}
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+ isc_mem_t *mctx, dns_dbimplementation_t **dbimp)
+{
+ dns_dbimplementation_t *imp;
+
+ REQUIRE(name != NULL);
+ REQUIRE(dbimp != NULL && *dbimp == NULL);
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ RWLOCK(&implock, isc_rwlocktype_write);
+ imp = impfind(name);
+ if (imp != NULL) {
+ RWUNLOCK(&implock, isc_rwlocktype_write);
+ return (ISC_R_EXISTS);
+ }
+
+ imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
+ if (imp == NULL) {
+ RWUNLOCK(&implock, isc_rwlocktype_write);
+ return (ISC_R_NOMEMORY);
+ }
+ imp->name = name;
+ imp->create = create;
+ imp->mctx = NULL;
+ imp->driverarg = driverarg;
+ isc_mem_attach(mctx, &imp->mctx);
+ ISC_LINK_INIT(imp, link);
+ ISC_LIST_APPEND(implementations, imp, link);
+ RWUNLOCK(&implock, isc_rwlocktype_write);
+
+ *dbimp = imp;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp) {
+ dns_dbimplementation_t *imp;
+ isc_mem_t *mctx;
+
+ REQUIRE(dbimp != NULL && *dbimp != NULL);
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize) == ISC_R_SUCCESS);
+
+ imp = *dbimp;
+ RWLOCK(&implock, isc_rwlocktype_write);
+ ISC_LIST_UNLINK(implementations, imp, link);
+ mctx = imp->mctx;
+ isc_mem_put(mctx, imp, sizeof(dns_dbimplementation_t));
+ isc_mem_detach(&mctx);
+ RWUNLOCK(&implock, isc_rwlocktype_write);
+}
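Review bot: dns_db_unregister frees `imp` but leaves `*dbimp` pointing at the released memory, unlike dns_db_detach and dns_db_detachnode in the same file, which ENSURE that the caller's pointer is NULL on return. A repeated call with the same handle would still satisfy the `*dbimp != NULL` REQUIRE and then unlink and free an already released entry. Clearing the handle as soon as it is read, `imp = *dbimp;` followed by `*dbimp = NULL;`, and adding `ENSURE(*dbimp == NULL);` before returning makes the function follow the file's own detach convention. dns_db_register also stores `name` without copying it, so a comment stating that the string must outlive the registration would help.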
diff --git a/contrib/bind9/lib/dns/dbiterator.c b/contrib/bind9/lib/dns/dbiterator.c
new file mode 100644
index 0000000..0bf354b
--- /dev/null
+++ b/contrib/bind9/lib/dns/dbiterator.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dbiterator.c,v 1.13.206.1 2004/03/06 08:13:37 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <dns/dbiterator.h>
+#include <dns/name.h>
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+ /*
+ * Destroy '*iteratorp'.
+ */
+
+ REQUIRE(iteratorp != NULL);
+ REQUIRE(DNS_DBITERATOR_VALID(*iteratorp));
+
+ (*iteratorp)->methods->destroy(iteratorp);
+
+ ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator) {
+ /*
+ * Move the node cursor to the first node in the database (if any).
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator) {
+ /*
+ * Move the node cursor to the first node in the database (if any).
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->last(iterator));
+}
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+ /*
+ * Move the node cursor to the node with name 'name'.
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->seek(iterator, name));
+}
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator) {
+ /*
+ * Move the node cursor to the previous node in the database (if any).
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->prev(iterator));
+}
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator) {
+ /*
+ * Move the node cursor to the next node in the database (if any).
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->next(iterator));
+}
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+ dns_name_t *name)
+{
+ /*
+ * Return the current node.
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+ REQUIRE(nodep != NULL && *nodep == NULL);
+ REQUIRE(name == NULL || dns_name_hasbuffer(name));
+
+ return (iterator->methods->current(iterator, nodep, name));
+}
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator) {
+ /*
+ * Pause iteration.
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ return (iterator->methods->pause(iterator));
+}
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+
+ /*
+ * Return the origin to which returned node names are relative.
+ */
+
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+ REQUIRE(iterator->relative_names);
+ REQUIRE(dns_name_hasbuffer(name));
+
+ return (iterator->methods->origin(iterator, name));
+}
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode) {
+ REQUIRE(DNS_DBITERATOR_VALID(iterator));
+
+ iterator->cleaning = mode;
+}
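Review bot: The comment in dns_dbiterator_last is a copy of the one in dns_dbiterator_first and says the cursor moves to the first node, although the function dispatches to `methods->last`. It should read `Move the node cursor to the last node in the database (if any).` dns_dbiterator_setcleanmode is the only function in the file without a purpose comment; a one-line `Set the iterator's 'cleaning' flag to 'mode'.` would match the others.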
diff --git a/contrib/bind9/lib/dns/dbtable.c b/contrib/bind9/lib/dns/dbtable.c
new file mode 100644
index 0000000..d027fa3
--- /dev/null
+++ b/contrib/bind9/lib/dns/dbtable.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: dbtable.c,v 1.25.12.4 2004/03/09 05:21:08 marka Exp $
+ */
+
+/*
+ * Principal Author: DCL
+ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#include <dns/dbtable.h>
+#include <dns/db.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+struct dns_dbtable {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ dns_rdataclass_t rdclass;
+ isc_mutex_t lock;
+ isc_rwlock_t tree_lock;
+ /* Locked by lock. */
+ unsigned int references;
+ /* Locked by tree_lock. */
+ dns_rbt_t * rbt;
+ dns_db_t * default_db;
+};
+
+#define DBTABLE_MAGIC ISC_MAGIC('D', 'B', '-', '-')
+#define VALID_DBTABLE(dbtable) ISC_MAGIC_VALID(dbtable, DBTABLE_MAGIC)
+
+static void
+dbdetach(void *data, void *arg) {
+ dns_db_t *db = data;
+
+ UNUSED(arg);
+
+ dns_db_detach(&db);
+}
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ dns_dbtable_t **dbtablep)
+{
+ dns_dbtable_t *dbtable;
+ isc_result_t result;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(dbtablep != NULL && *dbtablep == NULL);
+
+ dbtable = (dns_dbtable_t *)isc_mem_get(mctx, sizeof(*dbtable));
+ if (dbtable == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dbtable->rbt = NULL;
+ result = dns_rbt_create(mctx, dbdetach, NULL, &dbtable->rbt);
+ if (result != ISC_R_SUCCESS)
+ goto clean1;
+
+ result = isc_mutex_init(&dbtable->lock);
+ if (result != ISC_R_SUCCESS)
+ goto clean2;
+
+ result = isc_rwlock_init(&dbtable->tree_lock, 0, 0);
+ if (result != ISC_R_SUCCESS)
+ goto clean3;
+
+
+ dbtable->default_db = NULL;
+ dbtable->mctx = mctx;
+ dbtable->rdclass = rdclass;
+ dbtable->magic = DBTABLE_MAGIC;
+ dbtable->references = 1;
+
+ *dbtablep = dbtable;
+
+ return (ISC_R_SUCCESS);
+
+ clean3:
+ DESTROYLOCK(&dbtable->lock);
+
+ clean2:
+ dns_rbt_destroy(&dbtable->rbt);
+
+ clean1:
+ isc_mem_put(mctx, dbtable, sizeof(*dbtable));
+
+ return (result);
+}
+
+static inline void
+dbtable_free(dns_dbtable_t *dbtable) {
+ /*
+ * Caller must ensure that it is safe to call.
+ */
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ if (dbtable->default_db != NULL)
+ dns_db_detach(&dbtable->default_db);
+
+ dns_rbt_destroy(&dbtable->rbt);
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ isc_rwlock_destroy(&dbtable->tree_lock);
+
+ dbtable->magic = 0;
+
+ isc_mem_put(dbtable->mctx, dbtable, sizeof(*dbtable));
+}
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp) {
+ REQUIRE(VALID_DBTABLE(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0);
+
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep) {
+ dns_dbtable_t *dbtable;
+ isc_boolean_t free_dbtable = ISC_FALSE;
+
+ REQUIRE(dbtablep != NULL);
+ dbtable = *dbtablep;
+ REQUIRE(VALID_DBTABLE(dbtable));
+
+ LOCK(&dbtable->lock);
+
+ INSIST(dbtable->references > 0);
+ dbtable->references--;
+ if (dbtable->references == 0)
+ free_dbtable = ISC_TRUE;
+
+ UNLOCK(&dbtable->lock);
+
+ if (free_dbtable)
+ dbtable_free(dbtable);
+
+ *dbtablep = NULL;
+}
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db) {
+ isc_result_t result;
+ dns_db_t *clone;
+
+ REQUIRE(VALID_DBTABLE(dbtable));
+ REQUIRE(dns_db_class(db) == dbtable->rdclass);
+
+ clone = NULL;
+ dns_db_attach(db, &clone);
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+ result = dns_rbt_addname(dbtable->rbt, dns_db_origin(clone), clone);
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ return (result);
+}
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db) {
+ dns_db_t *stored_data = NULL;
+ isc_result_t result;
+ dns_name_t *name;
+
+ REQUIRE(VALID_DBTABLE(dbtable));
+
+ name = dns_db_origin(db);
+
+ /*
+ * There is a requirement that the association of name with db
+ * be verified. With the current rbt.c this is expensive to do,
+ * because effectively two find operations are being done, but
+ * deletion is relatively infrequent.
+ * XXXDCL ... this could be cheaper now with dns_rbt_deletenode.
+ */
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ result = dns_rbt_findname(dbtable->rbt, name, 0, NULL,
+ (void **) (void *)&stored_data);
+
+ if (result == ISC_R_SUCCESS) {
+ INSIST(stored_data == db);
+
+ (void)dns_rbt_deletename(dbtable->rbt, name, ISC_FALSE);
+ }
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db) {
+ REQUIRE(VALID_DBTABLE(dbtable));
+ REQUIRE(dbtable->default_db == NULL);
+ REQUIRE(dns_name_compare(dns_db_origin(db), dns_rootname) == 0);
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ dbtable->default_db = NULL;
+ dns_db_attach(db, &dbtable->default_db);
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **dbp) {
+ REQUIRE(VALID_DBTABLE(dbtable));
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+ dns_db_attach(dbtable->default_db, dbp);
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+}
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable) {
+ REQUIRE(VALID_DBTABLE(dbtable));
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+
+ dns_db_detach(&dbtable->default_db);
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_write);
+}
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+ unsigned int options, dns_db_t **dbp)
+{
+ dns_db_t *stored_data = NULL;
+ isc_result_t result;
+ unsigned int rbtoptions = 0;
+
+ REQUIRE(dbp != NULL && *dbp == NULL);
+
+ if ((options & DNS_DBTABLEFIND_NOEXACT) != 0)
+ rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+ RWLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+ result = dns_rbt_findname(dbtable->rbt, name, rbtoptions, NULL,
+ (void **) (void *)&stored_data);
+
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ dns_db_attach(stored_data, dbp);
+ else if (dbtable->default_db != NULL) {
+ dns_db_attach(dbtable->default_db, dbp);
+ result = DNS_R_PARTIALMATCH;
+ } else
+ result = ISC_R_NOTFOUND;
+
+ RWUNLOCK(&dbtable->tree_lock, isc_rwlocktype_read);
+
+ return (result);
+}
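Review bot: dns_dbtable_add() leaks the reference it takes on `db` when the insert fails: `clone` is attached before the tree lock is taken, and the function returns the result of dns_rbt_addname() without detaching on the error path. Assuming dns_rbt_addname() does not keep the data pointer when it fails (its body is not in this hunk), that database can never drop to zero references; adding `if (result != ISC_R_SUCCESS) dns_db_detach(&clone);` after the RWUNLOCK would release it. Separately, dbtable_free() destroys `tree_lock` but never `lock`, which dns_dbtable_create() sets up with isc_mutex_init() and tears down with DESTROYLOCK on its own error path; a matching `DESTROYLOCK(&dbtable->lock);` before the final isc_mem_put() would make the two paths symmetric. Since this file is a vendor import, both changes are best raised with the upstream project.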
diff --git a/contrib/bind9/lib/dns/diff.c b/contrib/bind9/lib/dns/diff.c
new file mode 100644
index 0000000..8cd5643
--- /dev/null
+++ b/contrib/bind9/lib/dns/diff.c
@@ -0,0 +1,539 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: diff.c,v 1.4.2.1.8.4 2004/03/08 02:07:52 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/log.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define DIFF_COMMON_LOGARGS \
+ dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_DIFF
+
+static dns_rdatatype_t
+rdata_covers(dns_rdata_t *rdata) {
+ return (rdata->type == dns_rdatatype_rrsig ?
+ dns_rdata_covers(rdata) : 0);
+}
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx,
+ dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata, dns_difftuple_t **tp)
+{
+ dns_difftuple_t *t;
+ unsigned int size;
+ unsigned char *datap;
+
+ REQUIRE(tp != NULL && *tp == NULL);
+
+ /*
+ * Create a new tuple. The variable-size wire-format name data and
+ * rdata immediately follow the dns_difftuple_t structure
+ * in memory.
+ */
+ size = sizeof(*t) + name->length + rdata->length;
+ t = isc_mem_allocate(mctx, size);
+ if (t == NULL)
+ return (ISC_R_NOMEMORY);
+ t->mctx = mctx;
+ t->op = op;
+
+ datap = (unsigned char *)(t + 1);
+
+ memcpy(datap, name->ndata, name->length);
+ dns_name_init(&t->name, NULL);
+ dns_name_clone(name, &t->name);
+ t->name.ndata = datap;
+ datap += name->length;
+
+ t->ttl = ttl;
+
+ memcpy(datap, rdata->data, rdata->length);
+ dns_rdata_init(&t->rdata);
+ dns_rdata_clone(rdata, &t->rdata);
+ t->rdata.data = datap;
+ datap += rdata->length;
+
+ ISC_LINK_INIT(&t->rdata, link);
+ ISC_LINK_INIT(t, link);
+ t->magic = DNS_DIFFTUPLE_MAGIC;
+
+ INSIST(datap == (unsigned char *)t + size);
+
+ *tp = t;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_difftuple_free(dns_difftuple_t **tp) {
+ dns_difftuple_t *t = *tp;
+ REQUIRE(DNS_DIFFTUPLE_VALID(t));
+ dns_name_invalidate(&t->name);
+ t->magic = 0;
+ isc_mem_free(t->mctx, t);
+ *tp = NULL;
+}
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
+ return (dns_difftuple_create(orig->mctx, orig->op, &orig->name,
+ orig->ttl, &orig->rdata, copyp));
+}
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
+ diff->mctx = mctx;
+ ISC_LIST_INIT(diff->tuples);
+ diff->magic = DNS_DIFF_MAGIC;
+}
+
+void
+dns_diff_clear(dns_diff_t *diff) {
+ dns_difftuple_t *t;
+ REQUIRE(DNS_DIFF_VALID(diff));
+ while ((t = ISC_LIST_HEAD(diff->tuples)) != NULL) {
+ ISC_LIST_UNLINK(diff->tuples, t, link);
+ dns_difftuple_free(&t);
+ }
+ ENSURE(ISC_LIST_EMPTY(diff->tuples));
+}
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuplep)
+{
+ ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+ *tuplep = NULL;
+}
+
+/* XXX this is O(N) */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
+{
+ dns_difftuple_t *ot, *next_ot;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+ REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));
+
+ /*
+ * Look for an existing tuple with the same owner name,
+ * rdata, and TTL. If we are doing an addition and find a
+ * deletion or vice versa, remove both the old and the
+ * new tuple since they cancel each other out (assuming
+ * that we never delete nonexistent data or add existing
+ * data).
+ *
+ * If we find an old update of the same kind as
+ * the one we are doing, there must be a programming
+ * error. We report it but try to continue anyway.
+ */
+ for (ot = ISC_LIST_HEAD(diff->tuples); ot != NULL;
+ ot = next_ot)
+ {
+ next_ot = ISC_LIST_NEXT(ot, link);
+ if (dns_name_equal(&ot->name, &(*tuplep)->name) &&
+ dns_rdata_compare(&ot->rdata, &(*tuplep)->rdata) == 0 &&
+ ot->ttl == (*tuplep)->ttl)
+ {
+ ISC_LIST_UNLINK(diff->tuples, ot, link);
+ if ((*tuplep)->op == ot->op) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "unexpected non-minimal diff");
+ } else {
+ dns_difftuple_free(tuplep);
+ }
+ dns_difftuple_free(&ot);
+ break;
+ }
+ }
+
+ if (*tuplep != NULL) {
+ ISC_LIST_APPEND(diff->tuples, *tuplep, link);
+ *tuplep = NULL;
+ }
+
+ ENSURE(*tuplep == NULL);
+}
+
+static isc_result_t
+diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
+ isc_boolean_t warn)
+{
+ dns_difftuple_t *t;
+ dns_dbnode_t *node = NULL;
+ isc_result_t result;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+ REQUIRE(DNS_DB_VALID(db));
+
+ t = ISC_LIST_HEAD(diff->tuples);
+ while (t != NULL) {
+ dns_name_t *name;
+
+ INSIST(node == NULL);
+ name = &t->name;
+ /*
+ * Find the node.
+ * We create the node if it does not exist.
+ * This will cause an empty node to be created if the diff
+ * contains a deletion of an RR at a nonexistent name,
+ * but such diffs should never be created in the first
+ * place.
+ */
+ node = NULL;
+ CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
+
+ while (t != NULL && dns_name_equal(&t->name, name)) {
+ dns_rdatatype_t type, covers;
+ dns_diffop_t op;
+ dns_rdatalist_t rdl;
+ dns_rdataset_t rds;
+
+ op = t->op;
+ type = t->rdata.type;
+ covers = rdata_covers(&t->rdata);
+
+ /*
+ * Collect a contiguous set of updates with
+ * the same operation (add/delete) and RR type
+ * into a single rdatalist so that the
+ * database rrset merging/subtraction code
+ * can work more efficiently than if each
+ * RR were merged into / subtracted from
+ * the database separately.
+ *
+ * This is done by linking rdata structures from the
+ * diff into "rdatalist". This uses the rdata link
+ * field, not the diff link field, so the structure
+ * of the diff itself is not affected.
+ */
+
+ rdl.type = type;
+ rdl.covers = covers;
+ rdl.rdclass = t->rdata.rdclass;
+ rdl.ttl = t->ttl;
+ ISC_LIST_INIT(rdl.rdata);
+ ISC_LINK_INIT(&rdl, link);
+
+ while (t != NULL &&
+ dns_name_equal(&t->name, name) &&
+ t->op == op &&
+ t->rdata.type == type &&
+ rdata_covers(&t->rdata) == covers)
+ {
+ if (t->ttl != rdl.ttl && warn)
+ isc_log_write(DIFF_COMMON_LOGARGS,
+ ISC_LOG_WARNING,
+ "TTL differs in rdataset, "
+ "adjusting %lu -> %lu",
+ (unsigned long) t->ttl,
+ (unsigned long) rdl.ttl);
+ ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+ t = ISC_LIST_NEXT(t, link);
+ }
+
+ /*
+ * Convert the rdatalist into a rdataset.
+ */
+ dns_rdataset_init(&rds);
+ CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+ rds.trust = dns_trust_ultimate;
+
+ /*
+ * Merge the rdataset into the database.
+ */
+ if (op == DNS_DIFFOP_ADD) {
+ result = dns_db_addrdataset(db, node, ver,
+ 0, &rds,
+ DNS_DBADD_MERGE|
+ DNS_DBADD_EXACT|
+ DNS_DBADD_EXACTTTL,
+ NULL);
+ } else if (op == DNS_DIFFOP_DEL) {
+ result = dns_db_subtractrdataset(db, node, ver,
+ &rds,
+ DNS_DBSUB_EXACT,
+ NULL);
+ } else {
+ INSIST(0);
+ }
+ if (result == DNS_R_UNCHANGED) {
+ /*
+ * This will not happen when executing a
+ * dynamic update, because that code will
+ * generate strictly minimal diffs.
+ * It may happen when receiving an IXFR
+ * from a server that is not as careful.
+ * Issue a warning and continue.
+ */
+ if (warn)
+ isc_log_write(DIFF_COMMON_LOGARGS,
+ ISC_LOG_WARNING,
+ "update with no effect");
+ } else if (result == ISC_R_SUCCESS ||
+ result == DNS_R_NXRRSET) {
+ /*
+ * OK.
+ */
+ } else {
+ CHECK(result);
+ }
+ }
+ dns_db_detachnode(db, &node);
+ }
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ return (result);
+}
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+ return (diff_apply(diff, db, ver, ISC_TRUE));
+}
+
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver) {
+ return (diff_apply(diff, db, ver, ISC_FALSE));
+}
+
+/* XXX this duplicates lots of code in diff_apply(). */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+ void *add_private)
+{
+ dns_difftuple_t *t;
+ isc_result_t result;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+
+ t = ISC_LIST_HEAD(diff->tuples);
+ while (t != NULL) {
+ dns_name_t *name;
+
+ name = &t->name;
+ while (t != NULL && dns_name_equal(&t->name, name)) {
+ dns_rdatatype_t type, covers;
+ dns_diffop_t op;
+ dns_rdatalist_t rdl;
+ dns_rdataset_t rds;
+
+ op = t->op;
+ type = t->rdata.type;
+ covers = rdata_covers(&t->rdata);
+
+ rdl.type = type;
+ rdl.covers = covers;
+ rdl.rdclass = t->rdata.rdclass;
+ rdl.ttl = t->ttl;
+ ISC_LIST_INIT(rdl.rdata);
+ ISC_LINK_INIT(&rdl, link);
+
+ while (t != NULL && dns_name_equal(&t->name, name) &&
+ t->op == op && t->rdata.type == type &&
+ rdata_covers(&t->rdata) == covers)
+ {
+ ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
+ t = ISC_LIST_NEXT(t, link);
+ }
+
+ /*
+ * Convert the rdatalist into a rdataset.
+ */
+ dns_rdataset_init(&rds);
+ CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+ rds.trust = dns_trust_ultimate;
+
+ INSIST(op == DNS_DIFFOP_ADD);
+ result = (*addfunc)(add_private, name, &rds);
+ if (result == DNS_R_UNCHANGED) {
+ isc_log_write(DIFF_COMMON_LOGARGS,
+ ISC_LOG_WARNING,
+ "update with no effect");
+ } else if (result == ISC_R_SUCCESS ||
+ result == DNS_R_NXRRSET) {
+ /*
+ * OK.
+ */
+ } else {
+ CHECK(result);
+ }
+ }
+ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/*
+ * XXX uses qsort(); a merge sort would be more natural for lists,
+ * and perhaps safer wrt thread stack overflow.
+ */
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
+ unsigned int length = 0;
+ unsigned int i;
+ dns_difftuple_t **v;
+ dns_difftuple_t *p;
+ REQUIRE(DNS_DIFF_VALID(diff));
+
+ for (p = ISC_LIST_HEAD(diff->tuples);
+ p != NULL;
+ p = ISC_LIST_NEXT(p, link))
+ length++;
+ if (length == 0)
+ return (ISC_R_SUCCESS);
+ v = isc_mem_get(diff->mctx, length * sizeof(dns_difftuple_t *));
+ if (v == NULL)
+ return (ISC_R_NOMEMORY);
+ i = 0;
+ for (i = 0; i < length; i++) {
+ p = ISC_LIST_HEAD(diff->tuples);
+ v[i] = p;
+ ISC_LIST_UNLINK(diff->tuples, p, link);
+ }
+ INSIST(ISC_LIST_HEAD(diff->tuples) == NULL);
+ qsort(v, length, sizeof(v[0]), compare);
+ for (i = 0; i < length; i++) {
+ ISC_LIST_APPEND(diff->tuples, v[i], link);
+ }
+ isc_mem_put(diff->mctx, v, length * sizeof(dns_difftuple_t *));
+ return (ISC_R_SUCCESS);
+}
+
+
+/*
+ * Create an rdataset containing the single RR of the given
+ * tuple. The caller must allocate the the rdata, rdataset and
+ * an rdatalist structure for it to refer to.
+ */
+
+static isc_result_t
+diff_tuple_tordataset(dns_difftuple_t *t, dns_rdata_t *rdata,
+ dns_rdatalist_t *rdl, dns_rdataset_t *rds)
+{
+ REQUIRE(DNS_DIFFTUPLE_VALID(t));
+ REQUIRE(rdl != NULL);
+ REQUIRE(rds != NULL);
+
+ rdl->type = t->rdata.type;
+ rdl->rdclass = t->rdata.rdclass;
+ rdl->ttl = t->ttl;
+ ISC_LIST_INIT(rdl->rdata);
+ ISC_LINK_INIT(rdl, link);
+ dns_rdataset_init(rds);
+ ISC_LINK_INIT(rdata, link);
+ dns_rdata_clone(&t->rdata, rdata);
+ ISC_LIST_APPEND(rdl->rdata, rdata, link);
+ return (dns_rdatalist_tordataset(rdl, rds));
+}
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file) {
+ isc_result_t result;
+ dns_difftuple_t *t;
+ char *mem = NULL;
+ unsigned int size = 2048;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+
+ mem = isc_mem_get(diff->mctx, size);
+ if (mem == NULL)
+ return (ISC_R_NOMEMORY);
+
+ for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ isc_buffer_t buf;
+ isc_region_t r;
+
+ dns_rdatalist_t rdl;
+ dns_rdataset_t rds;
+ dns_rdata_t rd = DNS_RDATA_INIT;
+
+ result = diff_tuple_tordataset(t, &rd, &rdl, &rds);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "diff_tuple_tordataset failed: %s",
+ dns_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+ again:
+ isc_buffer_init(&buf, mem, size);
+ result = dns_rdataset_totext(&rds, &t->name,
+ ISC_FALSE, ISC_FALSE, &buf);
+
+ if (result == ISC_R_NOSPACE) {
+ isc_mem_put(diff->mctx, mem, size);
+ size += 1024;
+ mem = isc_mem_get(diff->mctx, size);
+ if (mem == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ goto again;
+ }
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ /*
+ * Get rid of final newline.
+ */
+ INSIST(buf.used >= 1 &&
+ ((char *) buf.base)[buf.used-1] == '\n');
+ buf.used--;
+
+ isc_buffer_usedregion(&buf, &r);
+ if (file != NULL)
+ fprintf(file, "%s %.*s\n",
+ t->op == DNS_DIFFOP_ADD ? "add" : "del",
+ (int) r.length, (char *) r.base);
+ else
+ isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
+ "%s %.*s",
+ t->op == DNS_DIFFOP_ADD ? "add" : "del",
+ (int) r.length, (char *) r.base);
+ }
+ result = ISC_R_SUCCESS;
+ cleanup:
+ if (mem != NULL)
+ isc_mem_put(diff->mctx, mem, size);
+ return (result);
+}
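Review bot: dns_diff_append() uses `diff` and `*tuplep` with no precondition checks, while dns_diff_appendminimal() directly below it guards the same two arguments. A tuple whose magic was already cleared by dns_difftuple_free(), or a diff that was never passed through dns_diff_init(), would be linked into the list silently instead of being caught at the call. Adding `REQUIRE(DNS_DIFF_VALID(diff));` and `REQUIRE(DNS_DIFFTUPLE_VALID(*tuplep));` at the top of the function would make the two append paths consistent. dns_difftuple_free() likewise reads `*tp` before any check on `tp` itself, so `REQUIRE(tp != NULL);` ahead of that dereference would fit the same pattern.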
diff --git a/contrib/bind9/lib/dns/dispatch.c b/contrib/bind9/lib/dns/dispatch.c
new file mode 100644
index 0000000..8534fe1
--- /dev/null
+++ b/contrib/bind9/lib/dns/dispatch.c
@@ -0,0 +1,2199 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dispatch.c,v 1.101.2.6.2.10 2004/09/01 04:27:41 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/entropy.h>
+#include <isc/lfsr.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/portlist.h>
+#include <dns/tcpmsg.h>
+#include <dns/types.h>
+
+typedef ISC_LIST(dns_dispentry_t) dns_displist_t;
+
+typedef struct dns_qid {
+ unsigned int magic;
+ unsigned int qid_nbuckets; /* hash table size */
+ unsigned int qid_increment; /* id increment on collision */
+ isc_mutex_t lock;
+ isc_lfsr_t qid_lfsr1; /* state generator info */
+ isc_lfsr_t qid_lfsr2; /* state generator info */
+ dns_displist_t *qid_table; /* the table itself */
+} dns_qid_t;
+
+struct dns_dispatchmgr {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_acl_t *blackhole;
+ dns_portlist_t *portlist;
+
+ /* Locked by "lock". */
+ isc_mutex_t lock;
+ unsigned int state;
+ ISC_LIST(dns_dispatch_t) list;
+
+ /* locked by buffer lock */
+ dns_qid_t *qid;
+ isc_mutex_t buffer_lock;
+ unsigned int buffers; /* allocated buffers */
+ unsigned int buffersize; /* size of each buffer */
+ unsigned int maxbuffers; /* max buffers */
+
+ /* Locked internally. */
+ isc_mutex_t pool_lock;
+ isc_mempool_t *epool; /* memory pool for events */
+ isc_mempool_t *rpool; /* memory pool for replies */
+ isc_mempool_t *dpool; /* dispatch allocations */
+ isc_mempool_t *bpool; /* memory pool for buffers */
+
+ isc_entropy_t *entropy; /* entropy source */
+};
+
+#define MGR_SHUTTINGDOWN 0x00000001U
+#define MGR_IS_SHUTTINGDOWN(l) (((l)->state & MGR_SHUTTINGDOWN) != 0)
+
+#define IS_PRIVATE(d) (((d)->attributes & DNS_DISPATCHATTR_PRIVATE) != 0)
+
+struct dns_dispentry {
+ unsigned int magic;
+ dns_dispatch_t *disp;
+ dns_messageid_t id;
+ unsigned int bucket;
+ isc_sockaddr_t host;
+ isc_task_t *task;
+ isc_taskaction_t action;
+ void *arg;
+ isc_boolean_t item_out;
+ ISC_LIST(dns_dispatchevent_t) items;
+ ISC_LINK(dns_dispentry_t) link;
+};
+
+#define INVALID_BUCKET (0xffffdead)
+
+struct dns_dispatch {
+ /* Unlocked. */
+ unsigned int magic; /* magic */
+ dns_dispatchmgr_t *mgr; /* dispatch manager */
+ isc_task_t *task; /* internal task */
+ isc_socket_t *socket; /* isc socket attached to */
+ isc_sockaddr_t local; /* local address */
+ unsigned int maxrequests; /* max requests */
+ isc_event_t *ctlevent;
+
+ /* Locked by mgr->lock. */
+ ISC_LINK(dns_dispatch_t) link;
+
+ /* Locked by "lock". */
+ isc_mutex_t lock; /* locks all below */
+ isc_sockettype_t socktype;
+ unsigned int attributes;
+ unsigned int refcount; /* number of users */
+ dns_dispatchevent_t *failsafe_ev; /* failsafe cancel event */
+ unsigned int shutting_down : 1,
+ shutdown_out : 1,
+ connected : 1,
+ tcpmsg_valid : 1,
+ recv_pending : 1; /* is a recv() pending? */
+ isc_result_t shutdown_why;
+ unsigned int requests; /* how many requests we have */
+ unsigned int tcpbuffers; /* allocated buffers */
+ dns_tcpmsg_t tcpmsg; /* for tcp streams */
+ dns_qid_t *qid;
+};
+
+#define QID_MAGIC ISC_MAGIC('Q', 'i', 'd', ' ')
+#define VALID_QID(e) ISC_MAGIC_VALID((e), QID_MAGIC)
+
+#define RESPONSE_MAGIC ISC_MAGIC('D', 'r', 's', 'p')
+#define VALID_RESPONSE(e) ISC_MAGIC_VALID((e), RESPONSE_MAGIC)
+
+#define DISPATCH_MAGIC ISC_MAGIC('D', 'i', 's', 'p')
+#define VALID_DISPATCH(e) ISC_MAGIC_VALID((e), DISPATCH_MAGIC)
+
+#define DNS_DISPATCHMGR_MAGIC ISC_MAGIC('D', 'M', 'g', 'r')
+#define VALID_DISPATCHMGR(e) ISC_MAGIC_VALID((e), DNS_DISPATCHMGR_MAGIC)
+
+#define DNS_QID(disp) ((disp)->socktype == isc_sockettype_tcp) ? \
+ (disp)->qid : (disp)->mgr->qid
+/*
+ * Statics.
+ */
+static dns_dispentry_t *bucket_search(dns_qid_t *, isc_sockaddr_t *,
+ dns_messageid_t, unsigned int);
+static isc_boolean_t destroy_disp_ok(dns_dispatch_t *);
+static void destroy_disp(isc_task_t *task, isc_event_t *event);
+static void udp_recv(isc_task_t *, isc_event_t *);
+static void tcp_recv(isc_task_t *, isc_event_t *);
+static void startrecv(dns_dispatch_t *);
+static dns_messageid_t dns_randomid(dns_qid_t *);
+static isc_uint32_t dns_hash(dns_qid_t *, isc_sockaddr_t *, dns_messageid_t);
+static void free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len);
+static void *allocate_udp_buffer(dns_dispatch_t *disp);
+static inline void free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev);
+static inline dns_dispatchevent_t *allocate_event(dns_dispatch_t *disp);
+static void do_cancel(dns_dispatch_t *disp);
+static dns_dispentry_t *linear_first(dns_qid_t *disp);
+static dns_dispentry_t *linear_next(dns_qid_t *disp,
+ dns_dispentry_t *resp);
+static void dispatch_free(dns_dispatch_t **dispp);
+static isc_result_t dispatch_createudp(dns_dispatchmgr_t *mgr,
+ isc_socketmgr_t *sockmgr,
+ isc_taskmgr_t *taskmgr,
+ isc_sockaddr_t *localaddr,
+ unsigned int maxrequests,
+ unsigned int attributes,
+ dns_dispatch_t **dispp);
+static isc_boolean_t destroy_mgr_ok(dns_dispatchmgr_t *mgr);
+static void destroy_mgr(dns_dispatchmgr_t **mgrp);
+static isc_result_t qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+ unsigned int increment, dns_qid_t **qidp);
+static void qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp);
+
+#define LVL(x) ISC_LOG_DEBUG(x)
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+static void
+mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
+ char msgbuf[2048];
+ va_list ap;
+
+ if (! isc_log_wouldlog(dns_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ va_end(ap);
+
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+ level, "dispatchmgr %p: %s", mgr, msgbuf);
+}
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+static void
+dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...) {
+ char msgbuf[2048];
+ va_list ap;
+
+ if (! isc_log_wouldlog(dns_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ va_end(ap);
+
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_DISPATCH, DNS_LOGMODULE_DISPATCH,
+ level, "dispatch %p: %s", disp, msgbuf);
+}
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
+ int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(4, 5);
+
+static void
+request_log(dns_dispatch_t *disp, dns_dispentry_t *resp,
+ int level, const char *fmt, ...)
+{
+ char msgbuf[2048];
+ char peerbuf[256];
+ va_list ap;
+
+ if (! isc_log_wouldlog(dns_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ va_end(ap);
+
+ if (VALID_RESPONSE(resp)) {
+ isc_sockaddr_format(&resp->host, peerbuf, sizeof(peerbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+ DNS_LOGMODULE_DISPATCH, level,
+ "dispatch %p response %p %s: %s", disp, resp,
+ peerbuf, msgbuf);
+ } else {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DISPATCH,
+ DNS_LOGMODULE_DISPATCH, level,
+ "dispatch %p req/resp %p: %s", disp, resp,
+ msgbuf);
+ }
+}
+
+static void
+reseed_lfsr(isc_lfsr_t *lfsr, void *arg)
+{
+ dns_dispatchmgr_t *mgr = arg;
+ isc_result_t result;
+ isc_uint32_t val;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+
+ if (mgr->entropy != NULL) {
+ result = isc_entropy_getdata(mgr->entropy, &val, sizeof(val),
+ NULL, 0);
+ INSIST(result == ISC_R_SUCCESS);
+ lfsr->count = (val & 0x1f) + 32;
+ lfsr->state = val;
+ return;
+ }
+
+ lfsr->count = (random() & 0x1f) + 32; /* From 32 to 63 states */
+ lfsr->state = random();
+}
+
+/*
+ * Return an unpredictable message ID.
+ */
+static dns_messageid_t
+dns_randomid(dns_qid_t *qid) {
+ isc_uint32_t id;
+
+ id = isc_lfsr_generate32(&qid->qid_lfsr1, &qid->qid_lfsr2);
+
+ return (dns_messageid_t)(id & 0xFFFF);
+}
+
+/*
+ * Return a hash of the destination and message id.
+ */
+static isc_uint32_t
+dns_hash(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id) {
+ unsigned int ret;
+
+ ret = isc_sockaddr_hash(dest, ISC_TRUE);
+ ret ^= id;
+ ret %= qid->qid_nbuckets;
+
+ INSIST(ret < qid->qid_nbuckets);
+
+ return (ret);
+}
+
+/*
+ * Find the first entry in 'qid'. Returns NULL if there are no entries.
+ */
+static dns_dispentry_t *
+linear_first(dns_qid_t *qid) {
+ dns_dispentry_t *ret;
+ unsigned int bucket;
+
+ bucket = 0;
+
+ while (bucket < qid->qid_nbuckets) {
+ ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+ if (ret != NULL)
+ return (ret);
+ bucket++;
+ }
+
+ return (NULL);
+}
+
+/*
+ * Find the next entry after 'resp' in 'qid'. Return NULL if there are
+ * no more entries.
+ */
+static dns_dispentry_t *
+linear_next(dns_qid_t *qid, dns_dispentry_t *resp) {
+ dns_dispentry_t *ret;
+ unsigned int bucket;
+
+ ret = ISC_LIST_NEXT(resp, link);
+ if (ret != NULL)
+ return (ret);
+
+ bucket = resp->bucket;
+ bucket++;
+ while (bucket < qid->qid_nbuckets) {
+ ret = ISC_LIST_HEAD(qid->qid_table[bucket]);
+ if (ret != NULL)
+ return (ret);
+ bucket++;
+ }
+
+ return (NULL);
+}
+
+/*
+ * The dispatch must be locked.
+ */
+static isc_boolean_t
+destroy_disp_ok(dns_dispatch_t *disp)
+{
+ if (disp->refcount != 0)
+ return (ISC_FALSE);
+
+ if (disp->recv_pending != 0)
+ return (ISC_FALSE);
+
+ if (disp->shutting_down == 0)
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+
+/*
+ * Called when refcount reaches 0 (and safe to destroy).
+ *
+ * The dispatcher must not be locked.
+ * The manager must be locked.
+ */
+static void
+destroy_disp(isc_task_t *task, isc_event_t *event) {
+ dns_dispatch_t *disp;
+ dns_dispatchmgr_t *mgr;
+ isc_boolean_t killmgr;
+
+ INSIST(event->ev_type == DNS_EVENT_DISPATCHCONTROL);
+
+ UNUSED(task);
+
+ disp = event->ev_arg;
+ mgr = disp->mgr;
+
+ LOCK(&mgr->lock);
+ ISC_LIST_UNLINK(mgr->list, disp, link);
+
+ dispatch_log(disp, LVL(90),
+ "shutting down; detaching from sock %p, task %p",
+ disp->socket, disp->task);
+
+ isc_socket_detach(&disp->socket);
+ isc_task_detach(&disp->task);
+ isc_event_free(&event);
+
+ dispatch_free(&disp);
+
+ killmgr = destroy_mgr_ok(mgr);
+ UNLOCK(&mgr->lock);
+ if (killmgr)
+ destroy_mgr(&mgr);
+}
+
+
+/*
+ * Find an entry for query ID 'id' and socket address 'dest' in 'qid'.
+ * Return NULL if no such entry exists.
+ */
+static dns_dispentry_t *
+bucket_search(dns_qid_t *qid, isc_sockaddr_t *dest, dns_messageid_t id,
+ unsigned int bucket)
+{
+ dns_dispentry_t *res;
+
+ REQUIRE(bucket < qid->qid_nbuckets);
+
+ res = ISC_LIST_HEAD(qid->qid_table[bucket]);
+
+ while (res != NULL) {
+ if ((res->id == id) && isc_sockaddr_equal(dest, &res->host))
+ return (res);
+ res = ISC_LIST_NEXT(res, link);
+ }
+
+ return (NULL);
+}
+
+static void
+free_buffer(dns_dispatch_t *disp, void *buf, unsigned int len) {
+ INSIST(buf != NULL && len != 0);
+
+
+ switch (disp->socktype) {
+ case isc_sockettype_tcp:
+ INSIST(disp->tcpbuffers > 0);
+ disp->tcpbuffers--;
+ isc_mem_put(disp->mgr->mctx, buf, len);
+ break;
+ case isc_sockettype_udp:
+ LOCK(&disp->mgr->buffer_lock);
+ INSIST(disp->mgr->buffers > 0);
+ INSIST(len == disp->mgr->buffersize);
+ disp->mgr->buffers--;
+ isc_mempool_put(disp->mgr->bpool, buf);
+ UNLOCK(&disp->mgr->buffer_lock);
+ break;
+ default:
+ INSIST(0);
+ break;
+ }
+}
+
+static void *
+allocate_udp_buffer(dns_dispatch_t *disp) {
+ void *temp;
+
+ LOCK(&disp->mgr->buffer_lock);
+ temp = isc_mempool_get(disp->mgr->bpool);
+
+ if (temp != NULL)
+ disp->mgr->buffers++;
+ UNLOCK(&disp->mgr->buffer_lock);
+
+ return (temp);
+}
+
+static inline void
+free_event(dns_dispatch_t *disp, dns_dispatchevent_t *ev) {
+ if (disp->failsafe_ev == ev) {
+ INSIST(disp->shutdown_out == 1);
+ disp->shutdown_out = 0;
+
+ return;
+ }
+
+ isc_mempool_put(disp->mgr->epool, ev);
+}
+
+static inline dns_dispatchevent_t *
+allocate_event(dns_dispatch_t *disp) {
+ dns_dispatchevent_t *ev;
+
+ ev = isc_mempool_get(disp->mgr->epool);
+ if (ev == NULL)
+ return (NULL);
+ ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, 0,
+ NULL, NULL, NULL, NULL, NULL);
+
+ return (ev);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED or error, free the buffer.
+ *
+ * If query, free the buffer, restart.
+ *
+ * If response:
+ * Allocate event, fill in details.
+ * If cannot allocate, free buffer, restart.
+ * find target. If not found, free buffer, restart.
+ * if event queue is not empty, queue. else, send.
+ * restart.
+ */
+static void
+udp_recv(isc_task_t *task, isc_event_t *ev_in) {
+ isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+ dns_dispatch_t *disp = ev_in->ev_arg;
+ dns_messageid_t id;
+ isc_result_t dres;
+ isc_buffer_t source;
+ unsigned int flags;
+ dns_dispentry_t *resp;
+ dns_dispatchevent_t *rev;
+ unsigned int bucket;
+ isc_boolean_t killit;
+ isc_boolean_t queue_response;
+ dns_dispatchmgr_t *mgr;
+ dns_qid_t *qid;
+ isc_netaddr_t netaddr;
+ int match;
+
+ UNUSED(task);
+
+ LOCK(&disp->lock);
+
+ mgr = disp->mgr;
+ qid = mgr->qid;
+
+ dispatch_log(disp, LVL(90),
+ "got packet: requests %d, buffers %d, recvs %d",
+ disp->requests, disp->mgr->buffers, disp->recv_pending);
+
+ if (ev->ev_type == ISC_SOCKEVENT_RECVDONE) {
+ /*
+ * Unless the receive event was imported from a listening
+ * interface, in which case the event type is
+ * DNS_EVENT_IMPORTRECVDONE, receive operation must be pending.
+ */
+ INSIST(disp->recv_pending != 0);
+ disp->recv_pending = 0;
+ }
+
+ if (disp->shutting_down) {
+ /*
+ * This dispatcher is shutting down.
+ */
+ free_buffer(disp, ev->region.base, ev->region.length);
+
+ isc_event_free(&ev_in);
+ ev = NULL;
+
+ killit = destroy_disp_ok(disp);
+ UNLOCK(&disp->lock);
+ if (killit)
+ isc_task_send(disp->task, &disp->ctlevent);
+
+ return;
+ }
+
+ if (ev->result != ISC_R_SUCCESS) {
+ free_buffer(disp, ev->region.base, ev->region.length);
+
+ if (ev->result != ISC_R_CANCELED)
+ dispatch_log(disp, ISC_LOG_ERROR,
+ "odd socket result in udp_recv(): %s",
+ isc_result_totext(ev->result));
+
+ UNLOCK(&disp->lock);
+ isc_event_free(&ev_in);
+ return;
+ }
+
+ /*
+ * If this is from a blackholed address, drop it.
+ */
+ isc_netaddr_fromsockaddr(&netaddr, &ev->address);
+ if (disp->mgr->blackhole != NULL &&
+ dns_acl_match(&netaddr, NULL, disp->mgr->blackhole,
+ NULL, &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ {
+ if (isc_log_wouldlog(dns_lctx, LVL(10))) {
+ char netaddrstr[ISC_NETADDR_FORMATSIZE];
+ isc_netaddr_format(&netaddr, netaddrstr,
+ sizeof(netaddrstr));
+ dispatch_log(disp, LVL(10),
+ "blackholed packet from %s",
+ netaddrstr);
+ }
+ free_buffer(disp, ev->region.base, ev->region.length);
+ goto restart;
+ }
+
+ /*
+ * Peek into the buffer to see what we can see.
+ */
+ isc_buffer_init(&source, ev->region.base, ev->region.length);
+ isc_buffer_add(&source, ev->n);
+ dres = dns_message_peekheader(&source, &id, &flags);
+ if (dres != ISC_R_SUCCESS) {
+ free_buffer(disp, ev->region.base, ev->region.length);
+ dispatch_log(disp, LVL(10), "got garbage packet");
+ goto restart;
+ }
+
+ dispatch_log(disp, LVL(92),
+ "got valid DNS message header, /QR %c, id %u",
+ ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
+
+ /*
+ * Look at flags. If query, drop it. If response,
+ * look to see where it goes.
+ */
+ queue_response = ISC_FALSE;
+ if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+ /* query */
+ free_buffer(disp, ev->region.base, ev->region.length);
+ goto restart;
+ }
+
+ /* response */
+ bucket = dns_hash(qid, &ev->address, id);
+ LOCK(&qid->lock);
+ resp = bucket_search(qid, &ev->address, id, bucket);
+ dispatch_log(disp, LVL(90),
+ "search for response in bucket %d: %s",
+ bucket, (resp == NULL ? "not found" : "found"));
+
+ if (resp == NULL) {
+ free_buffer(disp, ev->region.base, ev->region.length);
+ goto unlock;
+ }
+ queue_response = resp->item_out;
+ rev = allocate_event(resp->disp);
+ if (rev == NULL) {
+ free_buffer(disp, ev->region.base, ev->region.length);
+ goto unlock;
+ }
+
+ /*
+ * At this point, rev contains the event we want to fill in, and
+ * resp contains the information on the place to send it to.
+ * Send the event off.
+ */
+ isc_buffer_init(&rev->buffer, ev->region.base, ev->region.length);
+ isc_buffer_add(&rev->buffer, ev->n);
+ rev->result = ISC_R_SUCCESS;
+ rev->id = id;
+ rev->addr = ev->address;
+ rev->pktinfo = ev->pktinfo;
+ rev->attributes = ev->attributes;
+ if (queue_response) {
+ ISC_LIST_APPEND(resp->items, rev, ev_link);
+ } else {
+ ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL,
+ DNS_EVENT_DISPATCH,
+ resp->action, resp->arg, resp, NULL, NULL);
+ request_log(disp, resp, LVL(90),
+ "[a] Sent event %p buffer %p len %d to task %p",
+ rev, rev->buffer.base, rev->buffer.length,
+ resp->task);
+ resp->item_out = ISC_TRUE;
+ isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+ }
+ unlock:
+ UNLOCK(&qid->lock);
+
+ /*
+ * Restart recv() to get the next packet.
+ */
+ restart:
+ startrecv(disp);
+
+ UNLOCK(&disp->lock);
+
+ isc_event_free(&ev_in);
+}
+
+/*
+ * General flow:
+ *
+ * If I/O result == CANCELED, EOF, or error, notify everyone as the
+ * various queues drain.
+ *
+ * If query, restart.
+ *
+ * If response:
+ * Allocate event, fill in details.
+ * If cannot allocate, restart.
+ * find target. If not found, restart.
+ * if event queue is not empty, queue. else, send.
+ * restart.
+ */
+static void
+tcp_recv(isc_task_t *task, isc_event_t *ev_in) {
+ dns_dispatch_t *disp = ev_in->ev_arg;
+ dns_tcpmsg_t *tcpmsg = &disp->tcpmsg;
+ dns_messageid_t id;
+ isc_result_t dres;
+ unsigned int flags;
+ dns_dispentry_t *resp;
+ dns_dispatchevent_t *rev;
+ unsigned int bucket;
+ isc_boolean_t killit;
+ isc_boolean_t queue_response;
+ dns_qid_t *qid;
+ int level;
+ char buf[ISC_SOCKADDR_FORMATSIZE];
+
+ UNUSED(task);
+
+ REQUIRE(VALID_DISPATCH(disp));
+
+ qid = disp->qid;
+
+ dispatch_log(disp, LVL(90),
+ "got TCP packet: requests %d, buffers %d, recvs %d",
+ disp->requests, disp->tcpbuffers, disp->recv_pending);
+
+ LOCK(&disp->lock);
+
+ INSIST(disp->recv_pending != 0);
+ disp->recv_pending = 0;
+
+ if (disp->refcount == 0) {
+ /*
+ * This dispatcher is shutting down. Force cancelation.
+ */
+ tcpmsg->result = ISC_R_CANCELED;
+ }
+
+ if (tcpmsg->result != ISC_R_SUCCESS) {
+ switch (tcpmsg->result) {
+ case ISC_R_CANCELED:
+ break;
+
+ case ISC_R_EOF:
+ dispatch_log(disp, LVL(90), "shutting down on EOF");
+ do_cancel(disp);
+ break;
+
+ case ISC_R_CONNECTIONRESET:
+ level = ISC_LOG_INFO;
+ goto logit;
+
+ default:
+ level = ISC_LOG_ERROR;
+ logit:
+ isc_sockaddr_format(&tcpmsg->address, buf, sizeof(buf));
+ dispatch_log(disp, level, "shutting down due to TCP "
+ "receive error: %s: %s", buf,
+ isc_result_totext(tcpmsg->result));
+ do_cancel(disp);
+ break;
+ }
+
+ /*
+ * The event is statically allocated in the tcpmsg
+ * structure, and destroy_disp() frees the tcpmsg, so we must
+ * free the event *before* calling destroy_disp().
+ */
+ isc_event_free(&ev_in);
+
+ disp->shutting_down = 1;
+ disp->shutdown_why = tcpmsg->result;
+
+ /*
+ * If the recv() was canceled pass the word on.
+ */
+ killit = destroy_disp_ok(disp);
+ UNLOCK(&disp->lock);
+ if (killit)
+ isc_task_send(disp->task, &disp->ctlevent);
+ return;
+ }
+
+ dispatch_log(disp, LVL(90), "result %d, length == %d, addr = %p",
+ tcpmsg->result,
+ tcpmsg->buffer.length, tcpmsg->buffer.base);
+
+ /*
+ * Peek into the buffer to see what we can see.
+ */
+ dres = dns_message_peekheader(&tcpmsg->buffer, &id, &flags);
+ if (dres != ISC_R_SUCCESS) {
+ dispatch_log(disp, LVL(10), "got garbage packet");
+ goto restart;
+ }
+
+ dispatch_log(disp, LVL(92),
+ "got valid DNS message header, /QR %c, id %u",
+ ((flags & DNS_MESSAGEFLAG_QR) ? '1' : '0'), id);
+
+ /*
+ * Allocate an event to send to the query or response client, and
+ * allocate a new buffer for our use.
+ */
+
+ /*
+ * Look at flags. If query, drop it. If response,
+ * look to see where it goes.
+ */
+ queue_response = ISC_FALSE;
+ if ((flags & DNS_MESSAGEFLAG_QR) == 0) {
+ /*
+ * Query.
+ */
+ goto restart;
+ }
+
+ /*
+ * Response.
+ */
+ bucket = dns_hash(qid, &tcpmsg->address, id);
+ LOCK(&qid->lock);
+ resp = bucket_search(qid, &tcpmsg->address, id, bucket);
+ dispatch_log(disp, LVL(90),
+ "search for response in bucket %d: %s",
+ bucket, (resp == NULL ? "not found" : "found"));
+
+ if (resp == NULL)
+ goto unlock;
+ queue_response = resp->item_out;
+ rev = allocate_event(disp);
+ if (rev == NULL)
+ goto unlock;
+
+ /*
+ * At this point, rev contains the event we want to fill in, and
+ * resp contains the information on the place to send it to.
+ * Send the event off.
+ */
+ dns_tcpmsg_keepbuffer(tcpmsg, &rev->buffer);
+ disp->tcpbuffers++;
+ rev->result = ISC_R_SUCCESS;
+ rev->id = id;
+ rev->addr = tcpmsg->address;
+ if (queue_response) {
+ ISC_LIST_APPEND(resp->items, rev, ev_link);
+ } else {
+ ISC_EVENT_INIT(rev, sizeof(*rev), 0, NULL, DNS_EVENT_DISPATCH,
+ resp->action, resp->arg, resp, NULL, NULL);
+ request_log(disp, resp, LVL(90),
+ "[b] Sent event %p buffer %p len %d to task %p",
+ rev, rev->buffer.base, rev->buffer.length,
+ resp->task);
+ resp->item_out = ISC_TRUE;
+ isc_task_send(resp->task, ISC_EVENT_PTR(&rev));
+ }
+ unlock:
+ UNLOCK(&qid->lock);
+
+ /*
+ * Restart recv() to get the next packet.
+ */
+ restart:
+ startrecv(disp);
+
+ UNLOCK(&disp->lock);
+
+ isc_event_free(&ev_in);
+}
+
+/*
+ * disp must be locked.
+ */
+static void
+startrecv(dns_dispatch_t *disp) {
+ isc_result_t res;
+ isc_region_t region;
+
+ if (disp->shutting_down == 1)
+ return;
+
+ if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+ return;
+
+ if (disp->recv_pending != 0)
+ return;
+
+ if (disp->mgr->buffers >= disp->mgr->maxbuffers)
+ return;
+
+ switch (disp->socktype) {
+ /*
+ * UDP reads are always maximal.
+ */
+ case isc_sockettype_udp:
+ region.length = disp->mgr->buffersize;
+ region.base = allocate_udp_buffer(disp);
+ if (region.base == NULL)
+ return;
+ res = isc_socket_recv(disp->socket, &region, 1,
+ disp->task, udp_recv, disp);
+ if (res != ISC_R_SUCCESS) {
+ free_buffer(disp, region.base, region.length);
+ disp->shutdown_why = res;
+ disp->shutting_down = 1;
+ do_cancel(disp);
+ return;
+ }
+ INSIST(disp->recv_pending == 0);
+ disp->recv_pending = 1;
+ break;
+
+ case isc_sockettype_tcp:
+ res = dns_tcpmsg_readmessage(&disp->tcpmsg, disp->task,
+ tcp_recv, disp);
+ if (res != ISC_R_SUCCESS) {
+ disp->shutdown_why = res;
+ disp->shutting_down = 1;
+ do_cancel(disp);
+ return;
+ }
+ INSIST(disp->recv_pending == 0);
+ disp->recv_pending = 1;
+ break;
+ }
+}
+
+/*
+ * Mgr must be locked when calling this function.
+ */
+static isc_boolean_t
+destroy_mgr_ok(dns_dispatchmgr_t *mgr) {
+ mgr_log(mgr, LVL(90),
+ "destroy_mgr_ok: shuttingdown=%d, listnonempty=%d, "
+ "epool=%d, rpool=%d, dpool=%d",
+ MGR_IS_SHUTTINGDOWN(mgr), !ISC_LIST_EMPTY(mgr->list),
+ isc_mempool_getallocated(mgr->epool),
+ isc_mempool_getallocated(mgr->rpool),
+ isc_mempool_getallocated(mgr->dpool));
+ if (!MGR_IS_SHUTTINGDOWN(mgr))
+ return (ISC_FALSE);
+ if (!ISC_LIST_EMPTY(mgr->list))
+ return (ISC_FALSE);
+ if (isc_mempool_getallocated(mgr->epool) != 0)
+ return (ISC_FALSE);
+ if (isc_mempool_getallocated(mgr->rpool) != 0)
+ return (ISC_FALSE);
+ if (isc_mempool_getallocated(mgr->dpool) != 0)
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+/*
+ * Mgr must be unlocked when calling this function.
+ */
+static void
+destroy_mgr(dns_dispatchmgr_t **mgrp) {
+ isc_mem_t *mctx;
+ dns_dispatchmgr_t *mgr;
+
+ mgr = *mgrp;
+ *mgrp = NULL;
+
+ mctx = mgr->mctx;
+
+ mgr->magic = 0;
+ mgr->mctx = NULL;
+ DESTROYLOCK(&mgr->lock);
+ mgr->state = 0;
+
+ isc_mempool_destroy(&mgr->epool);
+ isc_mempool_destroy(&mgr->rpool);
+ isc_mempool_destroy(&mgr->dpool);
+ isc_mempool_destroy(&mgr->bpool);
+
+ DESTROYLOCK(&mgr->pool_lock);
+
+ if (mgr->entropy != NULL)
+ isc_entropy_detach(&mgr->entropy);
+ if (mgr->qid != NULL)
+ qid_destroy(mctx, &mgr->qid);
+
+ DESTROYLOCK(&mgr->buffer_lock);
+
+ if (mgr->blackhole != NULL)
+ dns_acl_detach(&mgr->blackhole);
+
+ if (mgr->portlist != NULL)
+ dns_portlist_detach(&mgr->portlist);
+
+ isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+ isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+create_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
+ isc_socket_t **sockp)
+{
+ isc_socket_t *sock;
+ isc_result_t result;
+
+ sock = NULL;
+ result = isc_socket_create(mgr, isc_sockaddr_pf(local),
+ isc_sockettype_udp, &sock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+#ifndef ISC_ALLOW_MAPPED
+ isc_socket_ipv6only(sock, ISC_TRUE);
+#endif
+ result = isc_socket_bind(sock, local);
+ if (result != ISC_R_SUCCESS) {
+ isc_socket_detach(&sock);
+ return (result);
+ }
+
+ *sockp = sock;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Publics.
+ */
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
+ dns_dispatchmgr_t **mgrp)
+{
+ dns_dispatchmgr_t *mgr;
+ isc_result_t result;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(mgrp != NULL && *mgrp == NULL);
+
+ mgr = isc_mem_get(mctx, sizeof(dns_dispatchmgr_t));
+ if (mgr == NULL)
+ return (ISC_R_NOMEMORY);
+
+ mgr->mctx = NULL;
+ isc_mem_attach(mctx, &mgr->mctx);
+
+ mgr->blackhole = NULL;
+ mgr->portlist = NULL;
+
+ result = isc_mutex_init(&mgr->lock);
+ if (result != ISC_R_SUCCESS)
+ goto deallocate;
+
+ result = isc_mutex_init(&mgr->buffer_lock);
+ if (result != ISC_R_SUCCESS)
+ goto kill_lock;
+
+ result = isc_mutex_init(&mgr->pool_lock);
+ if (result != ISC_R_SUCCESS)
+ goto kill_buffer_lock;
+
+ mgr->epool = NULL;
+ if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatchevent_t),
+ &mgr->epool) != ISC_R_SUCCESS) {
+ result = ISC_R_NOMEMORY;
+ goto kill_pool_lock;
+ }
+
+ mgr->rpool = NULL;
+ if (isc_mempool_create(mgr->mctx, sizeof(dns_dispentry_t),
+ &mgr->rpool) != ISC_R_SUCCESS) {
+ result = ISC_R_NOMEMORY;
+ goto kill_epool;
+ }
+
+ mgr->dpool = NULL;
+ if (isc_mempool_create(mgr->mctx, sizeof(dns_dispatch_t),
+ &mgr->dpool) != ISC_R_SUCCESS) {
+ result = ISC_R_NOMEMORY;
+ goto kill_rpool;
+ }
+
+ isc_mempool_setname(mgr->epool, "dispmgr_epool");
+ isc_mempool_setfreemax(mgr->epool, 1024);
+ isc_mempool_associatelock(mgr->epool, &mgr->pool_lock);
+
+ isc_mempool_setname(mgr->rpool, "dispmgr_rpool");
+ isc_mempool_setfreemax(mgr->rpool, 1024);
+ isc_mempool_associatelock(mgr->rpool, &mgr->pool_lock);
+
+ isc_mempool_setname(mgr->dpool, "dispmgr_dpool");
+ isc_mempool_setfreemax(mgr->dpool, 1024);
+ isc_mempool_associatelock(mgr->dpool, &mgr->pool_lock);
+
+ mgr->buffers = 0;
+ mgr->buffersize = 0;
+ mgr->maxbuffers = 0;
+ mgr->bpool = NULL;
+ mgr->entropy = NULL;
+ mgr->qid = NULL;
+ mgr->state = 0;
+ ISC_LIST_INIT(mgr->list);
+ mgr->magic = DNS_DISPATCHMGR_MAGIC;
+
+ if (entropy != NULL)
+ isc_entropy_attach(entropy, &mgr->entropy);
+
+ *mgrp = mgr;
+ return (ISC_R_SUCCESS);
+
+ kill_rpool:
+ isc_mempool_destroy(&mgr->rpool);
+ kill_epool:
+ isc_mempool_destroy(&mgr->epool);
+ kill_pool_lock:
+ DESTROYLOCK(&mgr->pool_lock);
+ kill_buffer_lock:
+ DESTROYLOCK(&mgr->buffer_lock);
+ kill_lock:
+ DESTROYLOCK(&mgr->lock);
+ deallocate:
+ isc_mem_put(mctx, mgr, sizeof(dns_dispatchmgr_t));
+ isc_mem_detach(&mctx);
+
+ return (result);
+}
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole) {
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ if (mgr->blackhole != NULL)
+ dns_acl_detach(&mgr->blackhole);
+ dns_acl_attach(blackhole, &mgr->blackhole);
+}
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr) {
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ return (mgr->blackhole);
+}
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+ dns_portlist_t *portlist)
+{
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ if (mgr->portlist != NULL)
+ dns_portlist_detach(&mgr->portlist);
+ if (portlist != NULL)
+ dns_portlist_attach(portlist, &mgr->portlist);
+}
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr) {
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ return (mgr->portlist);
+}
+
+static isc_result_t
+dns_dispatchmgr_setudp(dns_dispatchmgr_t *mgr,
+ unsigned int buffersize, unsigned int maxbuffers,
+ unsigned int buckets, unsigned int increment)
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+ REQUIRE(maxbuffers > 0);
+ REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+ REQUIRE(increment > buckets);
+
+ /*
+ * Keep some number of items around. This should be a config
+ * option. For now, keep 8, but later keep at least two even
+ * if the caller wants less. This allows us to ensure certain
+ * things, like an event can be "freed" and the next allocation
+ * will always succeed.
+ *
+ * Note that if limits are placed on anything here, we use one
+ * event internally, so the actual limit should be "wanted + 1."
+ *
+ * XXXMLG
+ */
+
+ if (maxbuffers < 8)
+ maxbuffers = 8;
+
+ LOCK(&mgr->buffer_lock);
+ if (mgr->bpool != NULL) {
+ isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
+ mgr->maxbuffers = maxbuffers;
+ UNLOCK(&mgr->buffer_lock);
+ return (ISC_R_SUCCESS);
+ }
+
+ if (isc_mempool_create(mgr->mctx, buffersize,
+ &mgr->bpool) != ISC_R_SUCCESS) {
+ return (ISC_R_NOMEMORY);
+ }
+
+ isc_mempool_setname(mgr->bpool, "dispmgr_bpool");
+ isc_mempool_setmaxalloc(mgr->bpool, maxbuffers);
+ isc_mempool_associatelock(mgr->bpool, &mgr->pool_lock);
+
+ result = qid_allocate(mgr, buckets, increment, &mgr->qid);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ mgr->buffersize = buffersize;
+ mgr->maxbuffers = maxbuffers;
+ UNLOCK(&mgr->buffer_lock);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mempool_destroy(&mgr->bpool);
+ UNLOCK(&mgr->buffer_lock);
+ return (ISC_R_NOMEMORY);
+}
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
+ dns_dispatchmgr_t *mgr;
+ isc_boolean_t killit;
+
+ REQUIRE(mgrp != NULL);
+ REQUIRE(VALID_DISPATCHMGR(*mgrp));
+
+ mgr = *mgrp;
+ *mgrp = NULL;
+
+ LOCK(&mgr->lock);
+ mgr->state |= MGR_SHUTTINGDOWN;
+
+ killit = destroy_mgr_ok(mgr);
+ UNLOCK(&mgr->lock);
+
+ mgr_log(mgr, LVL(90), "destroy: killit=%d", killit);
+
+ if (killit)
+ destroy_mgr(&mgr);
+}
+
+static isc_boolean_t
+blacklisted(dns_dispatchmgr_t *mgr, isc_socket_t *sock) {
+ isc_sockaddr_t sockaddr;
+ isc_result_t result;
+
+ if (mgr->portlist == NULL)
+ return (ISC_FALSE);
+
+ result = isc_socket_getsockname(sock, &sockaddr);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+
+ if (mgr->portlist != NULL &&
+ dns_portlist_match(mgr->portlist, isc_sockaddr_pf(&sockaddr),
+ isc_sockaddr_getport(&sockaddr)))
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+#define ATTRMATCH(_a1, _a2, _mask) (((_a1) & (_mask)) == ((_a2) & (_mask)))
+
+static isc_boolean_t
+local_addr_match(dns_dispatch_t *disp, isc_sockaddr_t *addr) {
+ isc_sockaddr_t sockaddr;
+ isc_result_t result;
+
+ if (addr == NULL)
+ return (ISC_TRUE);
+
+ /*
+ * Don't match wildcard ports against newly blacklisted ports.
+ */
+ if (disp->mgr->portlist != NULL &&
+ isc_sockaddr_getport(addr) == 0 &&
+ isc_sockaddr_getport(&disp->local) == 0 &&
+ blacklisted(disp->mgr, disp->socket))
+ return (ISC_FALSE);
+
+ /*
+ * Check if we match the binding <address,port>.
+ * Wildcard ports match/fail here.
+ */
+ if (isc_sockaddr_equal(&disp->local, addr))
+ return (ISC_TRUE);
+ if (isc_sockaddr_getport(addr) == 0)
+ return (ISC_FALSE);
+
+ /*
+ * Check if we match a bound wildcard port <address,port>.
+ */
+ if (!isc_sockaddr_eqaddr(&disp->local, addr))
+ return (ISC_FALSE);
+ result = isc_socket_getsockname(disp->socket, &sockaddr);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+
+ return (isc_sockaddr_equal(&sockaddr, addr));
+}
+
+/*
+ * Requires mgr be locked.
+ *
+ * No dispatcher can be locked by this thread when calling this function.
+ *
+ *
+ * NOTE:
+ * If a matching dispatcher is found, it is locked after this function
+ * returns, and must be unlocked by the caller.
+ */
+static isc_result_t
+dispatch_find(dns_dispatchmgr_t *mgr, isc_sockaddr_t *local,
+ unsigned int attributes, unsigned int mask,
+ dns_dispatch_t **dispp)
+{
+ dns_dispatch_t *disp;
+ isc_result_t result;
+
+ /*
+ * Make certain that we will not match a private dispatch.
+ */
+ attributes &= ~DNS_DISPATCHATTR_PRIVATE;
+ mask |= DNS_DISPATCHATTR_PRIVATE;
+
+ disp = ISC_LIST_HEAD(mgr->list);
+ while (disp != NULL) {
+ LOCK(&disp->lock);
+ if ((disp->shutting_down == 0)
+ && ATTRMATCH(disp->attributes, attributes, mask)
+ && local_addr_match(disp, local))
+ break;
+ UNLOCK(&disp->lock);
+ disp = ISC_LIST_NEXT(disp, link);
+ }
+
+ if (disp == NULL) {
+ result = ISC_R_NOTFOUND;
+ goto out;
+ }
+
+ *dispp = disp;
+ result = ISC_R_SUCCESS;
+ out:
+
+ return (result);
+}
+
+static isc_result_t
+qid_allocate(dns_dispatchmgr_t *mgr, unsigned int buckets,
+ unsigned int increment, dns_qid_t **qidp)
+{
+ dns_qid_t *qid;
+ unsigned int i;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+ REQUIRE(increment > buckets);
+ REQUIRE(qidp != NULL && *qidp == NULL);
+
+ qid = isc_mem_get(mgr->mctx, sizeof(*qid));
+ if (qid == NULL)
+ return (ISC_R_NOMEMORY);
+
+ qid->qid_table = isc_mem_get(mgr->mctx,
+ buckets * sizeof(dns_displist_t));
+ if (qid->qid_table == NULL) {
+ isc_mem_put(mgr->mctx, qid, sizeof(*qid));
+ return (ISC_R_NOMEMORY);
+ }
+
+ if (isc_mutex_init(&qid->lock) != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
+ isc_mem_put(mgr->mctx, qid->qid_table,
+ buckets * sizeof(dns_displist_t));
+ isc_mem_put(mgr->mctx, qid, sizeof(*qid));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ for (i = 0; i < buckets; i++)
+ ISC_LIST_INIT(qid->qid_table[i]);
+
+ qid->qid_nbuckets = buckets;
+ qid->qid_increment = increment;
+ qid->magic = QID_MAGIC;
+
+ /*
+ * Initialize to a 32-bit LFSR. Both of these are from Applied
+ * Cryptography.
+ *
+ * lfsr1:
+ * x^32 + x^7 + x^5 + x^3 + x^2 + x + 1
+ *
+ * lfsr2:
+ * x^32 + x^7 + x^6 + x^2 + 1
+ */
+ isc_lfsr_init(&qid->qid_lfsr1, 0, 32, 0x80000057U,
+ 0, reseed_lfsr, mgr);
+ isc_lfsr_init(&qid->qid_lfsr2, 0, 32, 0x80000062U,
+ 0, reseed_lfsr, mgr);
+ *qidp = qid;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+qid_destroy(isc_mem_t *mctx, dns_qid_t **qidp) {
+ dns_qid_t *qid;
+
+ REQUIRE(qidp != NULL);
+ qid = *qidp;
+
+ REQUIRE(VALID_QID(qid));
+
+ *qidp = NULL;
+ qid->magic = 0;
+ isc_mem_put(mctx, qid->qid_table,
+ qid->qid_nbuckets * sizeof(dns_displist_t));
+ DESTROYLOCK(&qid->lock);
+ isc_mem_put(mctx, qid, sizeof(*qid));
+}
+
+/*
+ * Allocate and set important limits.
+ */
+static isc_result_t
+dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
+ dns_dispatch_t **dispp)
+{
+ dns_dispatch_t *disp;
+ isc_result_t res;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(dispp != NULL && *dispp == NULL);
+
+ /*
+ * Set up the dispatcher, mostly. Don't bother setting some of
+ * the options that are controlled by tcp vs. udp, etc.
+ */
+
+ disp = isc_mempool_get(mgr->dpool);
+ if (disp == NULL)
+ return (ISC_R_NOMEMORY);
+
+ disp->magic = 0;
+ disp->mgr = mgr;
+ disp->maxrequests = maxrequests;
+ disp->attributes = 0;
+ ISC_LINK_INIT(disp, link);
+ disp->refcount = 1;
+ disp->recv_pending = 0;
+ memset(&disp->local, 0, sizeof(disp->local));
+ disp->shutting_down = 0;
+ disp->shutdown_out = 0;
+ disp->connected = 0;
+ disp->tcpmsg_valid = 0;
+ disp->shutdown_why = ISC_R_UNEXPECTED;
+ disp->requests = 0;
+ disp->tcpbuffers = 0;
+ disp->qid = NULL;
+
+ if (isc_mutex_init(&disp->lock) != ISC_R_SUCCESS) {
+ res = ISC_R_UNEXPECTED;
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "isc_mutex_init failed");
+ goto deallocate;
+ }
+
+ disp->failsafe_ev = allocate_event(disp);
+ if (disp->failsafe_ev == NULL) {
+ res = ISC_R_NOMEMORY;
+ goto kill_lock;
+ }
+
+ disp->magic = DISPATCH_MAGIC;
+
+ *dispp = disp;
+ return (ISC_R_SUCCESS);
+
+ /*
+ * error returns
+ */
+ kill_lock:
+ DESTROYLOCK(&disp->lock);
+ deallocate:
+ isc_mempool_put(mgr->dpool, disp);
+
+ return (res);
+}
+
+
+/*
+ * MUST be unlocked, and not used by anthing.
+ */
+static void
+dispatch_free(dns_dispatch_t **dispp)
+{
+ dns_dispatch_t *disp;
+ dns_dispatchmgr_t *mgr;
+
+ REQUIRE(VALID_DISPATCH(*dispp));
+ disp = *dispp;
+ *dispp = NULL;
+
+ mgr = disp->mgr;
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+
+ if (disp->tcpmsg_valid) {
+ dns_tcpmsg_invalidate(&disp->tcpmsg);
+ disp->tcpmsg_valid = 0;
+ }
+
+ INSIST(disp->tcpbuffers == 0);
+ INSIST(disp->requests == 0);
+ INSIST(disp->recv_pending == 0);
+
+ isc_mempool_put(mgr->epool, disp->failsafe_ev);
+ disp->failsafe_ev = NULL;
+
+ if (disp->qid != NULL)
+ qid_destroy(mgr->mctx, &disp->qid);
+ disp->mgr = NULL;
+ DESTROYLOCK(&disp->lock);
+ disp->magic = 0;
+ isc_mempool_put(mgr->dpool, disp);
+}
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+ isc_taskmgr_t *taskmgr, unsigned int buffersize,
+ unsigned int maxbuffers, unsigned int maxrequests,
+ unsigned int buckets, unsigned int increment,
+ unsigned int attributes, dns_dispatch_t **dispp)
+{
+ isc_result_t result;
+ dns_dispatch_t *disp;
+
+ UNUSED(maxbuffers);
+ UNUSED(buffersize);
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(isc_socket_gettype(sock) == isc_sockettype_tcp);
+ REQUIRE((attributes & DNS_DISPATCHATTR_TCP) != 0);
+ REQUIRE((attributes & DNS_DISPATCHATTR_UDP) == 0);
+
+ attributes |= DNS_DISPATCHATTR_PRIVATE; /* XXXMLG */
+
+ LOCK(&mgr->lock);
+
+ /*
+ * dispatch_allocate() checks mgr for us.
+ * qid_allocate() checks buckets and increment for us.
+ */
+ disp = NULL;
+ result = dispatch_allocate(mgr, maxrequests, &disp);
+ if (result != ISC_R_SUCCESS) {
+ UNLOCK(&mgr->lock);
+ return (result);
+ }
+
+ result = qid_allocate(mgr, buckets, increment, &disp->qid);
+ if (result != ISC_R_SUCCESS)
+ goto deallocate_dispatch;
+
+ disp->socktype = isc_sockettype_tcp;
+ disp->socket = NULL;
+ isc_socket_attach(sock, &disp->socket);
+
+ disp->task = NULL;
+ result = isc_task_create(taskmgr, 0, &disp->task);
+ if (result != ISC_R_SUCCESS)
+ goto kill_socket;
+
+ disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
+ DNS_EVENT_DISPATCHCONTROL,
+ destroy_disp, disp,
+ sizeof(isc_event_t));
+ if (disp->ctlevent == NULL)
+ goto kill_task;
+
+ isc_task_setname(disp->task, "tcpdispatch", disp);
+
+ dns_tcpmsg_init(mgr->mctx, disp->socket, &disp->tcpmsg);
+ disp->tcpmsg_valid = 1;
+
+ disp->attributes = attributes;
+
+ /*
+ * Append it to the dispatcher list.
+ */
+ ISC_LIST_APPEND(mgr->list, disp, link);
+ UNLOCK(&mgr->lock);
+
+ mgr_log(mgr, LVL(90), "created TCP dispatcher %p", disp);
+ dispatch_log(disp, LVL(90), "created task %p", disp->task);
+
+ *dispp = disp;
+
+ return (ISC_R_SUCCESS);
+
+ /*
+ * Error returns.
+ */
+ kill_task:
+ isc_task_detach(&disp->task);
+ kill_socket:
+ isc_socket_detach(&disp->socket);
+ deallocate_dispatch:
+ dispatch_free(&disp);
+
+ UNLOCK(&mgr->lock);
+
+ return (result);
+}
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+ isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+ unsigned int buffersize,
+ unsigned int maxbuffers, unsigned int maxrequests,
+ unsigned int buckets, unsigned int increment,
+ unsigned int attributes, unsigned int mask,
+ dns_dispatch_t **dispp)
+{
+ isc_result_t result;
+ dns_dispatch_t *disp;
+
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+ REQUIRE(sockmgr != NULL);
+ REQUIRE(localaddr != NULL);
+ REQUIRE(taskmgr != NULL);
+ REQUIRE(buffersize >= 512 && buffersize < (64 * 1024));
+ REQUIRE(maxbuffers > 0);
+ REQUIRE(buckets < 2097169); /* next prime > 65536 * 32 */
+ REQUIRE(increment > buckets);
+ REQUIRE(dispp != NULL && *dispp == NULL);
+ REQUIRE((attributes & DNS_DISPATCHATTR_TCP) == 0);
+
+ result = dns_dispatchmgr_setudp(mgr, buffersize, maxbuffers,
+ buckets, increment);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ LOCK(&mgr->lock);
+
+ /*
+ * First, see if we have a dispatcher that matches.
+ */
+ disp = NULL;
+ result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
+ if (result == ISC_R_SUCCESS) {
+ disp->refcount++;
+
+ if (disp->maxrequests < maxrequests)
+ disp->maxrequests = maxrequests;
+
+ if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0 &&
+ (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0)
+ {
+ disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+ if (disp->recv_pending != 0)
+ isc_socket_cancel(disp->socket, disp->task,
+ ISC_SOCKCANCEL_RECV);
+ }
+
+ UNLOCK(&disp->lock);
+ UNLOCK(&mgr->lock);
+
+ *dispp = disp;
+
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Nope, create one.
+ */
+ result = dispatch_createudp(mgr, sockmgr, taskmgr, localaddr,
+ maxrequests, attributes, &disp);
+ if (result != ISC_R_SUCCESS) {
+ UNLOCK(&mgr->lock);
+ return (result);
+ }
+
+ UNLOCK(&mgr->lock);
+ *dispp = disp;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * mgr should be locked.
+ */
+static isc_result_t
+dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+ isc_taskmgr_t *taskmgr,
+ isc_sockaddr_t *localaddr,
+ unsigned int maxrequests,
+ unsigned int attributes,
+ dns_dispatch_t **dispp)
+{
+ isc_result_t result;
+ dns_dispatch_t *disp;
+ isc_socket_t *sock;
+
+ /*
+ * dispatch_allocate() checks mgr for us.
+ */
+ disp = NULL;
+ result = dispatch_allocate(mgr, maxrequests, &disp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * This assumes that the IP stack will *not* quickly reallocate
+ * the same port. If it does continually reallocate the same port
+ * then we need a mechanism to hold all the blacklisted sockets
+ * until we find a usable socket.
+ */
+ getsocket:
+ result = create_socket(sockmgr, localaddr, &sock);
+ if (result != ISC_R_SUCCESS)
+ goto deallocate_dispatch;
+ if (isc_sockaddr_getport(localaddr) == 0 && blacklisted(mgr, sock)) {
+ isc_socket_detach(&sock);
+ goto getsocket;
+ }
+
+ disp->socktype = isc_sockettype_udp;
+ disp->socket = sock;
+ disp->local = *localaddr;
+
+ disp->task = NULL;
+ result = isc_task_create(taskmgr, 0, &disp->task);
+ if (result != ISC_R_SUCCESS)
+ goto kill_socket;
+
+ disp->ctlevent = isc_event_allocate(mgr->mctx, disp,
+ DNS_EVENT_DISPATCHCONTROL,
+ destroy_disp, disp,
+ sizeof(isc_event_t));
+ if (disp->ctlevent == NULL)
+ goto kill_task;
+
+ isc_task_setname(disp->task, "udpdispatch", disp);
+
+ attributes &= ~DNS_DISPATCHATTR_TCP;
+ attributes |= DNS_DISPATCHATTR_UDP;
+ disp->attributes = attributes;
+
+ /*
+ * Append it to the dispatcher list.
+ */
+ ISC_LIST_APPEND(mgr->list, disp, link);
+
+ mgr_log(mgr, LVL(90), "created UDP dispatcher %p", disp);
+ dispatch_log(disp, LVL(90), "created task %p", disp->task);
+ dispatch_log(disp, LVL(90), "created socket %p", disp->socket);
+
+ *dispp = disp;
+
+ return (ISC_R_SUCCESS);
+
+ /*
+ * Error returns.
+ */
+ kill_task:
+ isc_task_detach(&disp->task);
+ kill_socket:
+ isc_socket_detach(&disp->socket);
+ deallocate_dispatch:
+ dispatch_free(&disp);
+
+ return (result);
+}
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp) {
+ REQUIRE(VALID_DISPATCH(disp));
+ REQUIRE(dispp != NULL && *dispp == NULL);
+
+ LOCK(&disp->lock);
+ disp->refcount++;
+ UNLOCK(&disp->lock);
+
+ *dispp = disp;
+}
+
+/*
+ * It is important to lock the manager while we are deleting the dispatch,
+ * since dns_dispatch_getudp will call dispatch_find, which returns to
+ * the caller a dispatch but does not attach to it until later. _getudp
+ * locks the manager, however, so locking it here will keep us from attaching
+ * to a dispatcher that is in the process of going away.
+ */
+void
+dns_dispatch_detach(dns_dispatch_t **dispp) {
+ dns_dispatch_t *disp;
+ isc_boolean_t killit;
+
+ REQUIRE(dispp != NULL && VALID_DISPATCH(*dispp));
+
+ disp = *dispp;
+ *dispp = NULL;
+
+ LOCK(&disp->lock);
+
+ INSIST(disp->refcount > 0);
+ disp->refcount--;
+ killit = ISC_FALSE;
+ if (disp->refcount == 0) {
+ if (disp->recv_pending > 0)
+ isc_socket_cancel(disp->socket, disp->task,
+ ISC_SOCKCANCEL_RECV);
+ disp->shutting_down = 1;
+ }
+
+ dispatch_log(disp, LVL(90), "detach: refcount %d", disp->refcount);
+
+ killit = destroy_disp_ok(disp);
+ UNLOCK(&disp->lock);
+ if (killit)
+ isc_task_send(disp->task, &disp->ctlevent);
+}
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_messageid_t *idp, dns_dispentry_t **resp)
+{
+ dns_dispentry_t *res;
+ unsigned int bucket;
+ dns_messageid_t id;
+ int i;
+ isc_boolean_t ok;
+ dns_qid_t *qid;
+
+ REQUIRE(VALID_DISPATCH(disp));
+ REQUIRE(task != NULL);
+ REQUIRE(dest != NULL);
+ REQUIRE(resp != NULL && *resp == NULL);
+ REQUIRE(idp != NULL);
+
+ LOCK(&disp->lock);
+
+ if (disp->shutting_down == 1) {
+ UNLOCK(&disp->lock);
+ return (ISC_R_SHUTTINGDOWN);
+ }
+
+ if (disp->requests >= disp->maxrequests) {
+ UNLOCK(&disp->lock);
+ return (ISC_R_QUOTA);
+ }
+
+ /*
+ * Try somewhat hard to find an unique ID.
+ */
+ qid = DNS_QID(disp);
+ LOCK(&qid->lock);
+ id = dns_randomid(qid);
+ bucket = dns_hash(qid, dest, id);
+ ok = ISC_FALSE;
+ for (i = 0; i < 64; i++) {
+ if (bucket_search(qid, dest, id, bucket) == NULL) {
+ ok = ISC_TRUE;
+ break;
+ }
+ id += qid->qid_increment;
+ id &= 0x0000ffff;
+ bucket = dns_hash(qid, dest, id);
+ }
+
+ if (!ok) {
+ UNLOCK(&qid->lock);
+ UNLOCK(&disp->lock);
+ return (ISC_R_NOMORE);
+ }
+
+ res = isc_mempool_get(disp->mgr->rpool);
+ if (res == NULL) {
+ UNLOCK(&qid->lock);
+ UNLOCK(&disp->lock);
+ return (ISC_R_NOMEMORY);
+ }
+
+ disp->refcount++;
+ disp->requests++;
+ res->task = NULL;
+ isc_task_attach(task, &res->task);
+ res->disp = disp;
+ res->id = id;
+ res->bucket = bucket;
+ res->host = *dest;
+ res->action = action;
+ res->arg = arg;
+ res->item_out = ISC_FALSE;
+ ISC_LIST_INIT(res->items);
+ ISC_LINK_INIT(res, link);
+ res->magic = RESPONSE_MAGIC;
+ ISC_LIST_APPEND(qid->qid_table[bucket], res, link);
+ UNLOCK(&qid->lock);
+
+ request_log(disp, res, LVL(90),
+ "attached to task %p", res->task);
+
+ if (((disp->attributes & DNS_DISPATCHATTR_UDP) != 0) ||
+ ((disp->attributes & DNS_DISPATCHATTR_CONNECTED) != 0))
+ startrecv(disp);
+
+ UNLOCK(&disp->lock);
+
+ *idp = id;
+ *resp = res;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp) {
+
+ REQUIRE(VALID_DISPATCH(disp));
+
+ dispatch_log(disp, LVL(90), "starttcp %p", disp->task);
+
+ LOCK(&disp->lock);
+ disp->attributes |= DNS_DISPATCHATTR_CONNECTED;
+ startrecv(disp);
+ UNLOCK(&disp->lock);
+}
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
+ dns_dispatchevent_t **sockevent)
+{
+ dns_dispatchmgr_t *mgr;
+ dns_dispatch_t *disp;
+ dns_dispentry_t *res;
+ dns_dispatchevent_t *ev;
+ unsigned int bucket;
+ isc_boolean_t killit;
+ unsigned int n;
+ isc_eventlist_t events;
+ dns_qid_t *qid;
+
+ REQUIRE(resp != NULL);
+ REQUIRE(VALID_RESPONSE(*resp));
+
+ res = *resp;
+ *resp = NULL;
+
+ disp = res->disp;
+ REQUIRE(VALID_DISPATCH(disp));
+ mgr = disp->mgr;
+ REQUIRE(VALID_DISPATCHMGR(mgr));
+
+ qid = DNS_QID(disp);
+
+ if (sockevent != NULL) {
+ REQUIRE(*sockevent != NULL);
+ ev = *sockevent;
+ *sockevent = NULL;
+ } else {
+ ev = NULL;
+ }
+
+ LOCK(&disp->lock);
+
+ INSIST(disp->requests > 0);
+ disp->requests--;
+ INSIST(disp->refcount > 0);
+ disp->refcount--;
+ killit = ISC_FALSE;
+ if (disp->refcount == 0) {
+ if (disp->recv_pending > 0)
+ isc_socket_cancel(disp->socket, disp->task,
+ ISC_SOCKCANCEL_RECV);
+ disp->shutting_down = 1;
+ }
+
+ bucket = res->bucket;
+
+ LOCK(&qid->lock);
+ ISC_LIST_UNLINK(qid->qid_table[bucket], res, link);
+ UNLOCK(&qid->lock);
+
+ if (ev == NULL && res->item_out) {
+ /*
+ * We've posted our event, but the caller hasn't gotten it
+ * yet. Take it back.
+ */
+ ISC_LIST_INIT(events);
+ n = isc_task_unsend(res->task, res, DNS_EVENT_DISPATCH,
+ NULL, &events);
+ /*
+ * We had better have gotten it back.
+ */
+ INSIST(n == 1);
+ ev = (dns_dispatchevent_t *)ISC_LIST_HEAD(events);
+ }
+
+ if (ev != NULL) {
+ REQUIRE(res->item_out == ISC_TRUE);
+ res->item_out = ISC_FALSE;
+ if (ev->buffer.base != NULL)
+ free_buffer(disp, ev->buffer.base, ev->buffer.length);
+ free_event(disp, ev);
+ }
+
+ request_log(disp, res, LVL(90), "detaching from task %p", res->task);
+ isc_task_detach(&res->task);
+
+ /*
+ * Free any buffered requests as well
+ */
+ ev = ISC_LIST_HEAD(res->items);
+ while (ev != NULL) {
+ ISC_LIST_UNLINK(res->items, ev, ev_link);
+ if (ev->buffer.base != NULL)
+ free_buffer(disp, ev->buffer.base, ev->buffer.length);
+ free_event(disp, ev);
+ ev = ISC_LIST_HEAD(res->items);
+ }
+ res->magic = 0;
+ isc_mempool_put(disp->mgr->rpool, res);
+ if (disp->shutting_down == 1)
+ do_cancel(disp);
+ else
+ startrecv(disp);
+
+ killit = destroy_disp_ok(disp);
+ UNLOCK(&disp->lock);
+ if (killit)
+ isc_task_send(disp->task, &disp->ctlevent);
+}
+
+static void
+do_cancel(dns_dispatch_t *disp) {
+ dns_dispatchevent_t *ev;
+ dns_dispentry_t *resp;
+ dns_qid_t *qid;
+
+ if (disp->shutdown_out == 1)
+ return;
+
+ qid = DNS_QID(disp);
+
+ /*
+ * Search for the first response handler without packets outstanding.
+ */
+ LOCK(&qid->lock);
+ for (resp = linear_first(qid);
+ resp != NULL && resp->item_out != ISC_FALSE;
+ /* Empty. */)
+ resp = linear_next(qid, resp);
+ /*
+ * No one to send the cancel event to, so nothing to do.
+ */
+ if (resp == NULL)
+ goto unlock;
+
+ /*
+ * Send the shutdown failsafe event to this resp.
+ */
+ ev = disp->failsafe_ev;
+ ISC_EVENT_INIT(ev, sizeof(*ev), 0, NULL, DNS_EVENT_DISPATCH,
+ resp->action, resp->arg, resp, NULL, NULL);
+ ev->result = disp->shutdown_why;
+ ev->buffer.base = NULL;
+ ev->buffer.length = 0;
+ disp->shutdown_out = 1;
+ request_log(disp, resp, LVL(10),
+ "cancel: failsafe event %p -> task %p",
+ ev, resp->task);
+ resp->item_out = ISC_TRUE;
+ isc_task_send(resp->task, ISC_EVENT_PTR(&ev));
+ unlock:
+ UNLOCK(&qid->lock);
+}
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp) {
+ REQUIRE(VALID_DISPATCH(disp));
+
+ return (disp->socket);
+}
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp) {
+
+ REQUIRE(VALID_DISPATCH(disp));
+ REQUIRE(addrp != NULL);
+
+ if (disp->socktype == isc_sockettype_udp) {
+ *addrp = disp->local;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp) {
+ REQUIRE(VALID_DISPATCH(disp));
+
+ LOCK(&disp->lock);
+
+ if (disp->shutting_down == 1) {
+ UNLOCK(&disp->lock);
+ return;
+ }
+
+ disp->shutdown_why = ISC_R_CANCELED;
+ disp->shutting_down = 1;
+ do_cancel(disp);
+
+ UNLOCK(&disp->lock);
+
+ return;
+}
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+ unsigned int attributes, unsigned int mask)
+{
+ REQUIRE(VALID_DISPATCH(disp));
+
+ /* XXXMLG
+ * Should check for valid attributes here!
+ */
+
+ LOCK(&disp->lock);
+
+ if ((mask & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+ if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0 &&
+ (attributes & DNS_DISPATCHATTR_NOLISTEN) == 0) {
+ disp->attributes &= ~DNS_DISPATCHATTR_NOLISTEN;
+ startrecv(disp);
+ } else if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN)
+ == 0 &&
+ (attributes & DNS_DISPATCHATTR_NOLISTEN) != 0) {
+ disp->attributes |= DNS_DISPATCHATTR_NOLISTEN;
+ if (disp->recv_pending != 0)
+ isc_socket_cancel(disp->socket, disp->task,
+ ISC_SOCKCANCEL_RECV);
+ }
+ }
+
+ disp->attributes &= ~mask;
+ disp->attributes |= (attributes & mask);
+ UNLOCK(&disp->lock);
+}
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
+ void *buf;
+ isc_socketevent_t *sevent, *newsevent;
+
+ REQUIRE(VALID_DISPATCH(disp));
+ REQUIRE((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0);
+ REQUIRE(event != NULL);
+
+ sevent = (isc_socketevent_t *)event;
+
+ INSIST(sevent->n <= disp->mgr->buffersize);
+ newsevent = (isc_socketevent_t *)
+ isc_event_allocate(disp->mgr->mctx, NULL,
+ DNS_EVENT_IMPORTRECVDONE, udp_recv,
+ disp, sizeof(isc_socketevent_t));
+ if (newsevent == NULL)
+ return;
+
+ buf = allocate_udp_buffer(disp);
+ if (buf == NULL) {
+ isc_event_free(ISC_EVENT_PTR(&newsevent));
+ return;
+ }
+ memcpy(buf, sevent->region.base, sevent->n);
+ newsevent->region.base = buf;
+ newsevent->region.length = disp->mgr->buffersize;
+ newsevent->n = sevent->n;
+ newsevent->result = sevent->result;
+ newsevent->address = sevent->address;
+ newsevent->timestamp = sevent->timestamp;
+ newsevent->pktinfo = sevent->pktinfo;
+ newsevent->attributes = sevent->attributes;
+
+ isc_task_send(disp->task, ISC_EVENT_PTR(&newsevent));
+}
+
+#if 0
+void
+dns_dispatchmgr_dump(dns_dispatchmgr_t *mgr) {
+ dns_dispatch_t *disp;
+ char foo[1024];
+
+ disp = ISC_LIST_HEAD(mgr->list);
+ while (disp != NULL) {
+ isc_sockaddr_format(&disp->local, foo, sizeof(foo));
+ printf("\tdispatch %p, addr %s\n", disp, foo);
+ disp = ISC_LIST_NEXT(disp, link);
+ }
+}
+#endif
diff --git a/contrib/bind9/lib/dns/dnssec.c b/contrib/bind9/lib/dns/dnssec.c
new file mode 100644
index 0000000..34ff3d3
--- /dev/null
+++ b/contrib/bind9/lib/dns/dnssec.c
@@ -0,0 +1,857 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: dnssec.c,v 1.69.2.5.2.7 2004/06/11 00:30:54 marka Exp $
+ */
+
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
+
+#include <dst/result.h>
+
+#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto failure; \
+ } while (0)
+
+
+#define TYPE_SIGN 0
+#define TYPE_VERIFY 1
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data);
+
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2);
+
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+ dns_rdata_t **rdata, int *nrdata);
+
+static isc_result_t
+digest_callback(void *arg, isc_region_t *data) {
+ dst_context_t *ctx = arg;
+
+ return (dst_context_adddata(ctx, data));
+}
+
+/*
+ * Make qsort happy.
+ */
+static int
+rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
+ return (dns_rdata_compare((const dns_rdata_t *)rdata1,
+ (const dns_rdata_t *)rdata2));
+}
+
+/*
+ * Sort the rdataset into an array.
+ */
+static isc_result_t
+rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
+ dns_rdata_t **rdata, int *nrdata)
+{
+ isc_result_t ret;
+ int i = 0, n;
+ dns_rdata_t *data;
+
+ n = dns_rdataset_count(set);
+
+ data = isc_mem_get(mctx, n * sizeof(dns_rdata_t));
+ if (data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ret = dns_rdataset_first(set);
+ if (ret != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, data, n * sizeof(dns_rdata_t));
+ return (ret);
+ }
+
+ /*
+ * Put them in the array.
+ */
+ do {
+ dns_rdata_init(&data[i]);
+ dns_rdataset_current(set, &data[i++]);
+ } while (dns_rdataset_next(set) == ISC_R_SUCCESS);
+
+ /*
+ * Sort the array.
+ */
+ qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
+ *rdata = data;
+ *nrdata = n;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+ dst_key_t **key)
+{
+ isc_buffer_t b;
+ isc_region_t r;
+
+ INSIST(name != NULL);
+ INSIST(rdata != NULL);
+ INSIST(mctx != NULL);
+ INSIST(key != NULL);
+ INSIST(*key == NULL);
+ REQUIRE(rdata->type == dns_rdatatype_key ||
+ rdata->type == dns_rdatatype_dnskey);
+
+ dns_rdata_toregion(rdata, &r);
+ isc_buffer_init(&b, r.base, r.length);
+ isc_buffer_add(&b, r.length);
+ return (dst_key_fromdns(name, rdata->rdclass, &b, mctx, key));
+}
+
+static isc_result_t
+digest_sig(dst_context_t *ctx, dns_rdata_t *sigrdata, dns_rdata_rrsig_t *sig) {
+ isc_region_t r;
+ isc_result_t ret;
+ dns_fixedname_t fname;
+
+ dns_rdata_toregion(sigrdata, &r);
+ INSIST(r.length >= 19);
+
+ r.length = 18;
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_fixedname_init(&fname);
+ RUNTIME_CHECK(dns_name_downcase(&sig->signer,
+ dns_fixedname_name(&fname), NULL)
+ == ISC_R_SUCCESS);
+ dns_name_toregion(dns_fixedname_name(&fname), &r);
+ return (dst_context_adddata(ctx, &r));
+}
+
+isc_result_t
+dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_stdtime_t *inception, isc_stdtime_t *expire,
+ isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata)
+{
+ dns_rdata_rrsig_t sig;
+ dns_rdata_t tmpsigrdata;
+ dns_rdata_t *rdatas;
+ int nrdatas, i;
+ isc_buffer_t sigbuf, envbuf;
+ isc_region_t r;
+ dst_context_t *ctx = NULL;
+ isc_result_t ret;
+ isc_buffer_t *databuf = NULL;
+ char data[256 + 8];
+ isc_uint32_t flags;
+ unsigned int sigsize;
+ dns_fixedname_t fnewname;
+
+ REQUIRE(name != NULL);
+ REQUIRE(dns_name_countlabels(name) <= 255);
+ REQUIRE(set != NULL);
+ REQUIRE(key != NULL);
+ REQUIRE(inception != NULL);
+ REQUIRE(expire != NULL);
+ REQUIRE(mctx != NULL);
+ REQUIRE(sigrdata != NULL);
+
+ if (*inception >= *expire)
+ return (DNS_R_INVALIDTIME);
+
+ /*
+ * Is the key allowed to sign data?
+ */
+ flags = dst_key_flags(key);
+ if (flags & DNS_KEYTYPE_NOAUTH)
+ return (DNS_R_KEYUNAUTHORIZED);
+ if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+ return (DNS_R_KEYUNAUTHORIZED);
+
+ sig.mctx = mctx;
+ sig.common.rdclass = set->rdclass;
+ sig.common.rdtype = dns_rdatatype_rrsig;
+ ISC_LINK_INIT(&sig.common, link);
+
+ dns_name_init(&sig.signer, NULL);
+ dns_name_clone(dst_key_name(key), &sig.signer);
+
+ sig.covered = set->type;
+ sig.algorithm = dst_key_alg(key);
+ sig.labels = dns_name_countlabels(name) - 1;
+ if (dns_name_iswildcard(name))
+ sig.labels--;
+ sig.originalttl = set->ttl;
+ sig.timesigned = *inception;
+ sig.timeexpire = *expire;
+ sig.keyid = dst_key_id(key);
+ ret = dst_key_sigsize(key, &sigsize);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ sig.siglen = sigsize;
+ /*
+ * The actual contents of sig.signature are not important yet, since
+ * they're not used in digest_sig().
+ */
+ sig.signature = isc_mem_get(mctx, sig.siglen);
+ if (sig.signature == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ret = isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_signature;
+
+ dns_rdata_init(&tmpsigrdata);
+ ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
+ sig.common.rdtype, &sig, databuf);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_databuf;
+
+ ret = dst_context_create(key, mctx, &ctx);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_databuf;
+
+ /*
+ * Digest the SIG rdata.
+ */
+ ret = digest_sig(ctx, &tmpsigrdata, &sig);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ dns_fixedname_init(&fnewname);
+ RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
+ NULL) == ISC_R_SUCCESS);
+ dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+ /*
+ * Create an envelope for each rdata: <name|type|class|ttl>.
+ */
+ isc_buffer_init(&envbuf, data, sizeof(data));
+ memcpy(data, r.base, r.length);
+ isc_buffer_add(&envbuf, r.length);
+ isc_buffer_putuint16(&envbuf, set->type);
+ isc_buffer_putuint16(&envbuf, set->rdclass);
+ isc_buffer_putuint32(&envbuf, set->ttl);
+
+ ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ isc_buffer_usedregion(&envbuf, &r);
+
+ for (i = 0; i < nrdatas; i++) {
+ isc_uint16_t len;
+ isc_buffer_t lenbuf;
+ isc_region_t lenr;
+
+ /*
+ * Skip duplicates.
+ */
+ if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
+ continue;
+
+ /*
+ * Digest the envelope.
+ */
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+
+ /*
+ * Digest the length of the rdata.
+ */
+ isc_buffer_init(&lenbuf, &len, sizeof(len));
+ INSIST(rdatas[i].length < 65536);
+ isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
+ isc_buffer_usedregion(&lenbuf, &lenr);
+ ret = dst_context_adddata(ctx, &lenr);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+
+ /*
+ * Digest the rdata.
+ */
+ ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+ }
+
+ isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+ ret = dst_context_sign(ctx, &sigbuf);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+ isc_buffer_usedregion(&sigbuf, &r);
+ if (r.length != sig.siglen) {
+ ret = ISC_R_NOSPACE;
+ goto cleanup_array;
+ }
+ memcpy(sig.signature, r.base, sig.siglen);
+
+ ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
+ sig.common.rdtype, &sig, buffer);
+
+cleanup_array:
+ isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+ dst_context_destroy(&ctx);
+cleanup_databuf:
+ if (databuf != NULL)
+ isc_buffer_free(&databuf);
+cleanup_signature:
+ isc_mem_put(mctx, sig.signature, sig.siglen);
+
+ return (ret);
+}
+
+isc_result_t
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata, dns_name_t *wild)
+{
+ dns_rdata_rrsig_t sig;
+ dns_fixedname_t fnewname;
+ isc_region_t r;
+ isc_buffer_t envbuf;
+ dns_rdata_t *rdatas;
+ int nrdatas, i;
+ isc_stdtime_t now;
+ isc_result_t ret;
+ unsigned char data[300];
+ dst_context_t *ctx = NULL;
+ int labels = 0;
+ isc_uint32_t flags;
+
+ REQUIRE(name != NULL);
+ REQUIRE(set != NULL);
+ REQUIRE(key != NULL);
+ REQUIRE(mctx != NULL);
+ REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
+
+ ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ if (isc_serial_lt(sig.timeexpire, sig.timesigned))
+ return (DNS_R_SIGINVALID);
+
+ if (!ignoretime) {
+ isc_stdtime_get(&now);
+
+ /*
+ * Is SIG temporally valid?
+ */
+ if (isc_serial_lt((isc_uint32_t)now, sig.timesigned))
+ return (DNS_R_SIGFUTURE);
+ else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now))
+ return (DNS_R_SIGEXPIRED);
+ }
+
+ /*
+ * Is the key allowed to sign data?
+ */
+ flags = dst_key_flags(key);
+ if (flags & DNS_KEYTYPE_NOAUTH)
+ return (DNS_R_KEYUNAUTHORIZED);
+ if ((flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+ return (DNS_R_KEYUNAUTHORIZED);
+
+ ret = dst_context_create(key, mctx, &ctx);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_struct;
+
+ /*
+ * Digest the SIG rdata (not including the signature).
+ */
+ ret = digest_sig(ctx, sigrdata, &sig);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * If the name is an expanded wildcard, use the wildcard name.
+ */
+ dns_fixedname_init(&fnewname);
+ labels = dns_name_countlabels(name) - 1;
+ if (labels - sig.labels > 0) {
+ dns_name_split(name, sig.labels + 1, NULL,
+ dns_fixedname_name(&fnewname));
+ RUNTIME_CHECK(dns_name_downcase(dns_fixedname_name(&fnewname),
+ dns_fixedname_name(&fnewname),
+ NULL)
+ == ISC_R_SUCCESS);
+ }
+ else
+ dns_name_downcase(name, dns_fixedname_name(&fnewname), NULL);
+
+ dns_name_toregion(dns_fixedname_name(&fnewname), &r);
+
+ /*
+ * Create an envelope for each rdata: <name|type|class|ttl>.
+ */
+ isc_buffer_init(&envbuf, data, sizeof(data));
+ if (labels - sig.labels > 0) {
+ isc_buffer_putuint8(&envbuf, 1);
+ isc_buffer_putuint8(&envbuf, '*');
+ memcpy(data + 2, r.base, r.length);
+ }
+ else
+ memcpy(data, r.base, r.length);
+ isc_buffer_add(&envbuf, r.length);
+ isc_buffer_putuint16(&envbuf, set->type);
+ isc_buffer_putuint16(&envbuf, set->rdclass);
+ isc_buffer_putuint32(&envbuf, sig.originalttl);
+
+ ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ isc_buffer_usedregion(&envbuf, &r);
+
+ for (i = 0; i < nrdatas; i++) {
+ isc_uint16_t len;
+ isc_buffer_t lenbuf;
+ isc_region_t lenr;
+
+ /*
+ * Skip duplicates.
+ */
+ if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i-1]) == 0)
+ continue;
+
+ /*
+ * Digest the envelope.
+ */
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+
+ /*
+ * Digest the rdata length.
+ */
+ isc_buffer_init(&lenbuf, &len, sizeof(len));
+ INSIST(rdatas[i].length < 65536);
+ isc_buffer_putuint16(&lenbuf, (isc_uint16_t)rdatas[i].length);
+ isc_buffer_usedregion(&lenbuf, &lenr);
+
+ /*
+ * Digest the rdata.
+ */
+ ret = dst_context_adddata(ctx, &lenr);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+ ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_array;
+ }
+
+ r.base = sig.signature;
+ r.length = sig.siglen;
+ ret = dst_context_verify(ctx, &r);
+ if (ret == DST_R_VERIFYFAILURE)
+ ret = DNS_R_SIGINVALID;
+
+cleanup_array:
+ isc_mem_put(mctx, rdatas, nrdatas * sizeof(dns_rdata_t));
+cleanup_context:
+ dst_context_destroy(&ctx);
+cleanup_struct:
+ dns_rdata_freestruct(&sig);
+
+ if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
+ if (wild != NULL)
+ RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
+ dns_fixedname_name(&fnewname),
+ wild, NULL) == ISC_R_SUCCESS);
+ ret = DNS_R_FROMWILDCARD;
+ }
+ return (ret);
+}
+
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata)
+{
+ isc_result_t result;
+
+ result = dns_dnssec_verify2(name, set, key, ignoretime, mctx,
+ sigrdata, NULL);
+ if (result == DNS_R_FROMWILDCARD)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
+ == DNS_KEYOWNER_ZONE)
+
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, dns_name_t *name,
+ const char *directory, isc_mem_t *mctx,
+ unsigned int maxkeys, dst_key_t **keys,
+ unsigned int *nkeys)
+{
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ dst_key_t *pubkey = NULL;
+ unsigned int count = 0;
+
+ *nkeys = 0;
+ dns_rdataset_init(&rdataset);
+ RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+ &rdataset, NULL));
+ RETERR(dns_rdataset_first(&rdataset));
+ while (result == ISC_R_SUCCESS && count < maxkeys) {
+ pubkey = NULL;
+ dns_rdataset_current(&rdataset, &rdata);
+ RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
+ if (!is_zone_key(pubkey))
+ goto next;
+ keys[count] = NULL;
+ result = dst_key_fromfile(dst_key_name(pubkey),
+ dst_key_id(pubkey),
+ dst_key_alg(pubkey),
+ DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ directory,
+ mctx, &keys[count]);
+ if (result == ISC_R_FILENOTFOUND)
+ goto next;
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+ dst_key_free(&keys[count]);
+ goto next;
+ }
+ count++;
+ next:
+ dst_key_free(&pubkey);
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(&rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+ if (count == 0)
+ result = ISC_R_NOTFOUND;
+ else
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
+ *nkeys = count;
+ return (result);
+}
+
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, dns_name_t *name, isc_mem_t *mctx,
+ unsigned int maxkeys, dst_key_t **keys,
+ unsigned int *nkeys)
+{
+ return (dns_dnssec_findzonekeys2(db, ver, node, name, NULL, mctx,
+ maxkeys, keys, nkeys));
+}
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
+ dns_rdata_sig_t sig; /* SIG(0) */
+ unsigned char data[512];
+ unsigned char header[DNS_MESSAGE_HEADERLEN];
+ isc_buffer_t headerbuf, databuf, sigbuf;
+ unsigned int sigsize;
+ isc_buffer_t *dynbuf = NULL;
+ dns_rdata_t *rdata;
+ dns_rdatalist_t *datalist;
+ dns_rdataset_t *dataset;
+ isc_region_t r;
+ isc_stdtime_t now;
+ dst_context_t *ctx = NULL;
+ isc_mem_t *mctx;
+ isc_result_t result;
+ isc_boolean_t signeedsfree = ISC_TRUE;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(key != NULL);
+
+ if (is_response(msg))
+ REQUIRE(msg->query.base != NULL);
+
+ mctx = msg->mctx;
+
+ memset(&sig, 0, sizeof(sig));
+
+ sig.mctx = mctx;
+ sig.common.rdclass = dns_rdataclass_any;
+ sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
+ ISC_LINK_INIT(&sig.common, link);
+
+ sig.covered = 0;
+ sig.algorithm = dst_key_alg(key);
+ sig.labels = 0; /* the root name */
+ sig.originalttl = 0;
+
+ isc_stdtime_get(&now);
+ sig.timesigned = now - DNS_TSIG_FUDGE;
+ sig.timeexpire = now + DNS_TSIG_FUDGE;
+
+ sig.keyid = dst_key_id(key);
+
+ dns_name_init(&sig.signer, NULL);
+ dns_name_clone(dst_key_name(key), &sig.signer);
+
+ sig.siglen = 0;
+ sig.signature = NULL;
+
+ isc_buffer_init(&databuf, data, sizeof(data));
+
+ RETERR(dst_context_create(key, mctx, &ctx));
+
+ /*
+ * Digest the fields of the SIG - we can cheat and use
+ * dns_rdata_fromstruct. Since siglen is 0, the digested data
+ * is identical to dns format.
+ */
+ RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
+ dns_rdatatype_sig /* SIG(0) */,
+ &sig, &databuf));
+ isc_buffer_usedregion(&databuf, &r);
+ RETERR(dst_context_adddata(ctx, &r));
+
+ /*
+ * If this is a response, digest the query.
+ */
+ if (is_response(msg))
+ RETERR(dst_context_adddata(ctx, &msg->query));
+
+ /*
+ * Digest the header.
+ */
+ isc_buffer_init(&headerbuf, header, sizeof(header));
+ dns_message_renderheader(msg, &headerbuf);
+ isc_buffer_usedregion(&headerbuf, &r);
+ RETERR(dst_context_adddata(ctx, &r));
+
+ /*
+ * Digest the remainder of the message.
+ */
+ isc_buffer_usedregion(msg->buffer, &r);
+ isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+ RETERR(dst_context_adddata(ctx, &r));
+
+ RETERR(dst_key_sigsize(key, &sigsize));
+ sig.siglen = sigsize;
+ sig.signature = (unsigned char *) isc_mem_get(mctx, sig.siglen);
+ if (sig.signature == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+
+ isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
+ RETERR(dst_context_sign(ctx, &sigbuf));
+ dst_context_destroy(&ctx);
+
+ rdata = NULL;
+ RETERR(dns_message_gettemprdata(msg, &rdata));
+ RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
+ RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+ dns_rdatatype_sig /* SIG(0) */,
+ &sig, dynbuf));
+
+ isc_mem_put(mctx, sig.signature, sig.siglen);
+ signeedsfree = ISC_FALSE;
+
+ dns_message_takebuffer(msg, &dynbuf);
+
+ datalist = NULL;
+ RETERR(dns_message_gettemprdatalist(msg, &datalist));
+ datalist->rdclass = dns_rdataclass_any;
+ datalist->type = dns_rdatatype_sig; /* SIG(0) */
+ datalist->covers = 0;
+ datalist->ttl = 0;
+ ISC_LIST_INIT(datalist->rdata);
+ ISC_LIST_APPEND(datalist->rdata, rdata, link);
+ dataset = NULL;
+ RETERR(dns_message_gettemprdataset(msg, &dataset));
+ dns_rdataset_init(dataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset) == ISC_R_SUCCESS);
+ msg->sig0 = dataset;
+
+ return (ISC_R_SUCCESS);
+
+failure:
+ if (dynbuf != NULL)
+ isc_buffer_free(&dynbuf);
+ if (signeedsfree)
+ isc_mem_put(mctx, sig.signature, sig.siglen);
+ if (ctx != NULL)
+ dst_context_destroy(&ctx);
+
+ return (result);
+}
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+ dst_key_t *key)
+{
+ dns_rdata_sig_t sig; /* SIG(0) */
+ unsigned char header[DNS_MESSAGE_HEADERLEN];
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_region_t r, source_r, sig_r, header_r;
+ isc_stdtime_t now;
+ dst_context_t *ctx = NULL;
+ isc_mem_t *mctx;
+ isc_result_t result;
+ isc_uint16_t addcount;
+ isc_boolean_t signeedsfree = ISC_FALSE;
+
+ REQUIRE(source != NULL);
+ REQUIRE(msg != NULL);
+ REQUIRE(key != NULL);
+
+ mctx = msg->mctx;
+
+ msg->verify_attempted = 1;
+
+ if (is_response(msg)) {
+ if (msg->query.base == NULL)
+ return (DNS_R_UNEXPECTEDTSIG);
+ }
+
+ isc_buffer_usedregion(source, &source_r);
+
+ RETERR(dns_rdataset_first(msg->sig0));
+ dns_rdataset_current(msg->sig0, &rdata);
+
+ RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
+ signeedsfree = ISC_TRUE;
+
+ if (sig.labels != 0) {
+ result = DNS_R_SIGINVALID;
+ goto failure;
+ }
+
+ if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
+ result = DNS_R_SIGINVALID;
+ msg->sig0status = dns_tsigerror_badtime;
+ goto failure;
+ }
+
+ isc_stdtime_get(&now);
+ if (isc_serial_lt((isc_uint32_t)now, sig.timesigned)) {
+ result = DNS_R_SIGFUTURE;
+ msg->sig0status = dns_tsigerror_badtime;
+ goto failure;
+ }
+ else if (isc_serial_lt(sig.timeexpire, (isc_uint32_t)now)) {
+ result = DNS_R_SIGEXPIRED;
+ msg->sig0status = dns_tsigerror_badtime;
+ goto failure;
+ }
+
+ if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
+ result = DNS_R_SIGINVALID;
+ msg->sig0status = dns_tsigerror_badkey;
+ goto failure;
+ }
+
+ RETERR(dst_context_create(key, mctx, &ctx));
+
+ /*
+ * Digest the SIG(0) record, except for the signature.
+ */
+ dns_rdata_toregion(&rdata, &r);
+ r.length -= sig.siglen;
+ RETERR(dst_context_adddata(ctx, &r));
+
+ /*
+ * If this is a response, digest the query.
+ */
+ if (is_response(msg))
+ RETERR(dst_context_adddata(ctx, &msg->query));
+
+ /*
+ * Extract the header.
+ */
+ memcpy(header, source_r.base, DNS_MESSAGE_HEADERLEN);
+
+ /*
+ * Decrement the additional field counter.
+ */
+ memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+ addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
+ memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+ /*
+ * Digest the modified header.
+ */
+ header_r.base = (unsigned char *) header;
+ header_r.length = DNS_MESSAGE_HEADERLEN;
+ RETERR(dst_context_adddata(ctx, &header_r));
+
+ /*
+ * Digest all non-SIG(0) records.
+ */
+ r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+ r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+ RETERR(dst_context_adddata(ctx, &r));
+
+ sig_r.base = sig.signature;
+ sig_r.length = sig.siglen;
+ result = dst_context_verify(ctx, &sig_r);
+ if (result != ISC_R_SUCCESS) {
+ msg->sig0status = dns_tsigerror_badsig;
+ goto failure;
+ }
+
+ msg->verified_sig = 1;
+
+ dst_context_destroy(&ctx);
+ dns_rdata_freestruct(&sig);
+
+ return (ISC_R_SUCCESS);
+
+failure:
+ if (signeedsfree)
+ dns_rdata_freestruct(&sig);
+ if (ctx != NULL)
+ dst_context_destroy(&ctx);
+
+ return (result);
+}
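Review bot: In `dns_dnssec_signmessage` the `failure:` path can call `isc_mem_put(mctx, sig.signature, sig.siglen)` while `sig.signature` is still NULL. `signeedsfree` is initialised to `ISC_TRUE`, but several `RETERR(...)` calls (`dst_context_create`, `dns_rdata_fromstruct`, the `dst_context_adddata` calls, `dst_key_sigsize`) and the `ISC_R_NOMEMORY` branch all jump to `failure` before a buffer exists. `isc_mem_put` is not visible in this hunk; if it asserts on a NULL pointer, an ordinary error while signing a SIG(0) message would abort the process instead of returning `result`. `dns_dnssec_verifymessage` in the same file already uses the safer pattern: declare `isc_boolean_t signeedsfree = ISC_FALSE;` and set `signeedsfree = ISC_TRUE;` only once the `isc_mem_get` result has been checked as non-NULL. Because this file is a vendor import, the change is better raised upstream than patched locally.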
diff --git a/contrib/bind9/lib/dns/ds.c b/contrib/bind9/lib/dns/ds.c
new file mode 100644
index 0000000..b0ca523
--- /dev/null
+++ b/contrib/bind9/lib/dns/ds.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds.c,v 1.4.2.1 2004/03/08 02:07:53 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+ unsigned int digest_type, unsigned char *buffer,
+ dns_rdata_t *rdata)
+{
+ isc_sha1_t sha1;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ isc_region_t r;
+ isc_buffer_t b;
+ dns_rdata_ds_t ds;
+
+ REQUIRE(key != NULL);
+ REQUIRE(key->type == dns_rdatatype_dnskey);
+
+ if (digest_type != DNS_DSDIGEST_SHA1)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ (void)dns_name_downcase(owner, name, NULL);
+
+ memset(buffer, 0, DNS_DS_BUFFERSIZE);
+ isc_buffer_init(&b, buffer, DNS_DS_BUFFERSIZE);
+
+ isc_sha1_init(&sha1);
+ dns_name_toregion(name, &r);
+ isc_sha1_update(&sha1, r.base, r.length);
+ dns_rdata_toregion(key, &r);
+ INSIST(r.length >= 4);
+ isc_sha1_update(&sha1, r.base, r.length);
+ isc_sha1_final(&sha1, digest);
+
+ ds.mctx = NULL;
+ ds.common.rdclass = key->rdclass;
+ ds.common.rdtype = dns_rdatatype_ds;
+ ds.algorithm = r.base[3];
+ ds.key_tag = dst_region_computeid(&r, ds.algorithm);
+ ds.digest_type = DNS_DSDIGEST_SHA1;
+ ds.length = ISC_SHA1_DIGESTLENGTH;
+ ds.digest = digest;
+
+ return (dns_rdata_fromstruct(rdata, key->rdclass, dns_rdatatype_ds,
+ &ds, &b));
+}
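Review bot: `dns_ds_buildrdata` writes a fixed `DNS_DS_BUFFERSIZE` bytes into `buffer` (the `memset` and the `isc_buffer_init` after it), but the function takes no length for that buffer and asserts only on `key`. A caller that passes a smaller array gets an out-of-bounds write, and nothing in this file states the contract. I would add `REQUIRE(owner != NULL);` and `REQUIRE(buffer != NULL);` next to the existing checks, plus a comment above the function saying that `buffer` must hold at least `DNS_DS_BUFFERSIZE` bytes and, presumably, must outlive `rdata`, since the rdata is built into it. The discarded result of `dns_name_downcase` also deserves a one-line comment on why it cannot fail here, because on failure the digest would be computed over whatever the fixed name holds.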
diff --git a/contrib/bind9/lib/dns/forward.c b/contrib/bind9/lib/dns/forward.c
new file mode 100644
index 0000000..f94abfe
--- /dev/null
+++ b/contrib/bind9/lib/dns/forward.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: forward.c,v 1.5.206.1 2004/03/06 08:13:38 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/sockaddr.h>
+#include <isc/util.h>
+
+#include <dns/forward.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+struct dns_fwdtable {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_rwlock_t rwlock;
+ /* Locked by lock. */
+ dns_rbt_t *table;
+};
+
+#define FWDTABLEMAGIC ISC_MAGIC('F', 'w', 'd', 'T')
+#define VALID_FWDTABLE(ft) ISC_MAGIC_VALID(ft, FWDTABLEMAGIC)
+
+static void
+auto_detach(void *, void *);
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep) {
+ dns_fwdtable_t *fwdtable;
+ isc_result_t result;
+
+ REQUIRE(fwdtablep != NULL && *fwdtablep == NULL);
+
+ fwdtable = isc_mem_get(mctx, sizeof(dns_fwdtable_t));
+ if (fwdtable == NULL)
+ return (ISC_R_NOMEMORY);
+
+ fwdtable->table = NULL;
+ result = dns_rbt_create(mctx, auto_detach, fwdtable, &fwdtable->table);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_fwdtable;
+
+ result = isc_rwlock_init(&fwdtable->rwlock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_rbt;
+ }
+
+ fwdtable->mctx = NULL;
+ isc_mem_attach(mctx, &fwdtable->mctx);
+ fwdtable->magic = FWDTABLEMAGIC;
+ *fwdtablep = fwdtable;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_rbt:
+ dns_rbt_destroy(&fwdtable->table);
+
+ cleanup_fwdtable:
+ isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
+
+ return (result);
+}
+
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
+ isc_sockaddrlist_t *addrs, dns_fwdpolicy_t fwdpolicy)
+{
+ isc_result_t result;
+ dns_forwarders_t *forwarders;
+ isc_sockaddr_t *sa, *nsa;
+
+ REQUIRE(VALID_FWDTABLE(fwdtable));
+
+ forwarders = isc_mem_get(fwdtable->mctx, sizeof(dns_forwarders_t));
+ if (forwarders == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ISC_LIST_INIT(forwarders->addrs);
+ for (sa = ISC_LIST_HEAD(*addrs);
+ sa != NULL;
+ sa = ISC_LIST_NEXT(sa, link))
+ {
+ nsa = isc_mem_get(fwdtable->mctx, sizeof(isc_sockaddr_t));
+ if (nsa == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ *nsa = *sa;
+ ISC_LINK_INIT(nsa, link);
+ ISC_LIST_APPEND(forwarders->addrs, nsa, link);
+ }
+ forwarders->fwdpolicy = fwdpolicy;
+
+ RWLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+ result = dns_rbt_addname(fwdtable->table, name, forwarders);
+ RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_write);
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ while (!ISC_LIST_EMPTY(forwarders->addrs)) {
+ sa = ISC_LIST_HEAD(forwarders->addrs);
+ ISC_LIST_UNLINK(forwarders->addrs, sa, link);
+ isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
+ }
+ isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+ return (result);
+}
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
+ dns_forwarders_t **forwardersp)
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_FWDTABLE(fwdtable));
+
+ RWLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+ result = dns_rbt_findname(fwdtable->table, name, 0, NULL,
+ (void **)forwardersp);
+ if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_SUCCESS;
+
+ RWUNLOCK(&fwdtable->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep) {
+ dns_fwdtable_t *fwdtable;
+ isc_mem_t *mctx;
+
+ REQUIRE(fwdtablep != NULL && VALID_FWDTABLE(*fwdtablep));
+
+ fwdtable = *fwdtablep;
+
+ dns_rbt_destroy(&fwdtable->table);
+ isc_rwlock_destroy(&fwdtable->rwlock);
+ fwdtable->magic = 0;
+ mctx = fwdtable->mctx;
+ isc_mem_put(mctx, fwdtable, sizeof(dns_fwdtable_t));
+ isc_mem_detach(&mctx);
+
+ *fwdtablep = NULL;
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+ dns_forwarders_t *forwarders = data;
+ dns_fwdtable_t *fwdtable = arg;
+ isc_sockaddr_t *sa;
+
+ UNUSED(arg);
+
+ while (!ISC_LIST_EMPTY(forwarders->addrs)) {
+ sa = ISC_LIST_HEAD(forwarders->addrs);
+ ISC_LIST_UNLINK(forwarders->addrs, sa, link);
+ isc_mem_put(fwdtable->mctx, sa, sizeof(isc_sockaddr_t));
+ }
+ isc_mem_put(fwdtable->mctx, forwarders, sizeof(dns_forwarders_t));
+}
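Review bot: `dns_fwdtable_find` hands back the stored `dns_forwarders_t` pointer through `forwardersp` after `RWUNLOCK`, so the read lock protects the tree lookup but not the caller's later use of the entry. No removal function appears in this file, so the entry seems to live until `dns_fwdtable_destroy` frees it through `auto_detach`. That lifetime rule should be written down above the function, e.g. `/* *forwardersp stays owned by the table; valid only until dns_fwdtable_destroy(). */`. In `auto_detach`, `UNUSED(arg);` contradicts `dns_fwdtable_t *fwdtable = arg;`, whose value is used in both `isc_mem_put` calls, and should be dropped. The struct comment `/* Locked by lock. */` would read better as `/* Locked by rwlock. */` to match the field name.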
diff --git a/contrib/bind9/lib/dns/gen-unix.h b/contrib/bind9/lib/dns/gen-unix.h
new file mode 100644
index 0000000..8c1818d
--- /dev/null
+++ b/contrib/bind9/lib/dns/gen-unix.h
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gen-unix.h,v 1.12.12.3 2004/03/08 09:04:29 marka Exp $ */
+
+/*
+ * This file is responsible for defining two operations that are not
+ * directly portable between Unix-like systems and Windows NT, option
+ * parsing and directory scanning. It is here because it was decided
+ * that the "gen" build utility was not to depend on libisc.a, so
+ * the functions delcared in isc/commandline.h and isc/dir.h could not
+ * be used.
+ *
+ * The commandline stuff is really just a wrapper around getopt().
+ * The dir stuff was shrunk to fit the needs of gen.c.
+ */
+
+#ifndef DNS_GEN_UNIX_H
+#define DNS_GEN_UNIX_H 1
+
+#include <sys/types.h> /* Required on some systems for dirent.h. */
+
+#include <dirent.h>
+#include <unistd.h> /* XXXDCL Required for ?. */
+
+#include <isc/boolean.h>
+#include <isc/lang.h>
+
+#define isc_commandline_parse getopt
+#define isc_commandline_argument optarg
+
+typedef struct {
+ DIR *handle;
+ char *filename;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+static isc_boolean_t
+start_directory(const char *path, isc_dir_t *dir) {
+ dir->handle = opendir(path);
+
+ if (dir->handle != NULL)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+
+}
+
+static isc_boolean_t
+next_file(isc_dir_t *dir) {
+ struct dirent *dirent;
+
+ dir->filename = NULL;
+
+ if (dir->handle != NULL) {
+ dirent = readdir(dir->handle);
+ if (dirent != NULL)
+ dir->filename = dirent->d_name;
+ }
+
+ if (dir->filename != NULL)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+static void
+end_directory(isc_dir_t *dir) {
+ if (dir->handle != NULL)
+ (void)closedir(dir->handle);
+
+ dir->handle = NULL;
+}
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_GEN_UNIX_H */
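Review bot: `next_file` stores `dirent->d_name` directly in `dir->filename`, so the string belongs to the directory stream: the next `readdir` call may overwrite it and it is gone after `closedir`. `end_directory` resets `handle` but leaves `filename` pointing at that storage. A comment on the struct member such as `char *filename; /* borrowed from readdir(); valid until the next next_file() or end_directory() */` would state this, and `dir->filename = NULL;` in `end_directory` would keep a stale pointer from being read afterwards. `start_directory` also leaves `filename` uninitialised, which is harmless only while callers always call `next_file` before reading it.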
diff --git a/contrib/bind9/lib/dns/gen.c b/contrib/bind9/lib/dns/gen.c
new file mode 100644
index 0000000..4a6cc0d
--- /dev/null
+++ b/contrib/bind9/lib/dns/gen.c
@@ -0,0 +1,878 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gen.c,v 1.65.2.5.2.6 2004/03/15 01:02:54 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#ifdef WIN32
+#include "gen-win32.h"
+#else
+#include "gen-unix.h"
+#endif
+
+#define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
+#define FROMTEXTCLASS "rdclass"
+#define FROMTEXTTYPE "type"
+#define FROMTEXTDEF "result = DNS_R_UNKNOWN"
+
+#define TOTEXTARGS "rdata, tctx, target"
+#define TOTEXTCLASS "rdata->rdclass"
+#define TOTEXTTYPE "rdata->type"
+#define TOTEXTDEF "use_default = ISC_TRUE"
+
+#define FROMWIREARGS "rdclass, type, source, dctx, options, target"
+#define FROMWIRECLASS "rdclass"
+#define FROMWIRETYPE "type"
+#define FROMWIREDEF "use_default = ISC_TRUE"
+
+#define TOWIREARGS "rdata, cctx, target"
+#define TOWIRECLASS "rdata->rdclass"
+#define TOWIRETYPE "rdata->type"
+#define TOWIREDEF "use_default = ISC_TRUE"
+
+#define FROMSTRUCTARGS "rdclass, type, source, target"
+#define FROMSTRUCTCLASS "rdclass"
+#define FROMSTRUCTTYPE "type"
+#define FROMSTRUCTDEF "use_default = ISC_TRUE"
+
+#define TOSTRUCTARGS "rdata, target, mctx"
+#define TOSTRUCTCLASS "rdata->rdclass"
+#define TOSTRUCTTYPE "rdata->type"
+#define TOSTRUCTDEF "use_default = ISC_TRUE"
+
+#define FREESTRUCTARGS "source"
+#define FREESTRUCTCLASS "common->rdclass"
+#define FREESTRUCTTYPE "common->rdtype"
+#define FREESTRUCTDEF NULL
+
+#define COMPAREARGS "rdata1, rdata2"
+#define COMPARECLASS "rdata1->rdclass"
+#define COMPARETYPE "rdata1->type"
+#define COMPAREDEF "use_default = ISC_TRUE"
+
+#define ADDITIONALDATAARGS "rdata, add, arg"
+#define ADDITIONALDATACLASS "rdata->rdclass"
+#define ADDITIONALDATATYPE "rdata->type"
+#define ADDITIONALDATADEF "use_default = ISC_TRUE"
+
+#define DIGESTARGS "rdata, digest, arg"
+#define DIGESTCLASS "rdata->rdclass"
+#define DIGESTTYPE "rdata->type"
+#define DIGESTDEF "use_default = ISC_TRUE"
+
+#define CHECKOWNERARGS "name, rdclass, type, wildcard"
+#define CHECKOWNERCLASS "rdclass"
+#define CHECKOWNERTYPE "type"
+#define CHECKOWNERDEF "result = ISC_TRUE"
+
+#define CHECKNAMESARGS "rdata, owner, bad"
+#define CHECKNAMESCLASS "rdata->rdclass"
+#define CHECKNAMESTYPE "rdata->type"
+#define CHECKNAMESDEF "result = ISC_TRUE"
+
+const char copyright[] =
+"/*\n"
+" * Copyright (C) 2004%s Internet Systems Consortium, Inc. (\"ISC\")\n"
+" * Copyright (C) 1998-2003 Internet Software Consortium.\n"
+" *\n"
+" * Permission to use, copy, modify, and distribute this software for any\n"
+" * purpose with or without fee is hereby granted, provided that the above\n"
+" * copyright notice and this permission notice appear in all copies.\n"
+" *\n"
+" * THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
+" * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
+" * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
+" * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
+" * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
+" * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
+" * PERFORMANCE OF THIS SOFTWARE.\n"
+" */\n"
+"\n"
+"/***************\n"
+" ***************\n"
+" *************** THIS FILE IS AUTOMATICALLY GENERATED BY gen.c.\n"
+" *************** DO NOT EDIT!\n"
+" ***************\n"
+" ***************/\n"
+"\n";
+
+#define TYPENAMES 256
+
+struct cc {
+ struct cc *next;
+ int rdclass;
+ char classname[11];
+} *classes;
+
+struct tt {
+ struct tt *next;
+ int rdclass;
+ int type;
+ char classname[11];
+ char typename[11];
+ char dirname[256]; /* XXX Should be max path length */
+} *types;
+
+struct ttnam {
+ char typename[11];
+ char macroname[11];
+ char attr[256];
+ unsigned int sorted;
+ int type;
+} typenames[TYPENAMES];
+
+int maxtype = -1;
+
+char *
+upper(char *);
+char *
+funname(const char *, char *);
+void
+doswitch(const char *, const char *, const char *, const char *,
+ const char *, const char *);
+void
+dodecl(char *, char *, char *);
+void
+add(int, const char *, int, const char *, const char *);
+void
+sd(int, const char *, const char *, char);
+void
+insert_into_typenames(int, const char *, const char *);
+
+/*
+ * If you use more than 10 of these in, say, a printf(), you'll have problems.
+ */
+char *
+upper(char *s) {
+ static int buf_to_use = 0;
+ static char buf[10][256];
+ char *b;
+ int c;
+
+ buf_to_use++;
+ if (buf_to_use > 9)
+ buf_to_use = 0;
+
+ b = buf[buf_to_use];
+ memset(b, 0, 256);
+
+ while ((c = (*s++) & 0xff))
+ *b++ = islower(c) ? toupper(c) : c;
+ *b = '\0';
+ return (buf[buf_to_use]);
+}
+
+char *
+funname(const char *s, char *buf) {
+ char *b = buf;
+ char c;
+
+ while ((c = *s++)) {
+ *b++ = (c == '-') ? '_' : c;
+ }
+ *b = '\0';
+ return (buf);
+}
+
+void
+doswitch(const char *name, const char *function, const char *args,
+ const char *tsw, const char *csw, const char *res)
+{
+ struct tt *tt;
+ int first = 1;
+ int lasttype = 0;
+ int subswitch = 0;
+ char buf1[11], buf2[11];
+ const char *result = " result =";
+
+ if (res == NULL)
+ result = "";
+
+ for (tt = types; tt != NULL; tt = tt->next) {
+ if (first) {
+ fprintf(stdout, "\n#define %s \\\n", name);
+ fprintf(stdout, "\tswitch (%s) { \\\n" /*}*/, tsw);
+ first = 0;
+ }
+ if (tt->type != lasttype && subswitch) {
+ if (res == NULL)
+ fprintf(stdout, "\t\tdefault: break; \\\n");
+ else
+ fprintf(stdout,
+ "\t\tdefault: %s; break; \\\n", res);
+ fputs(/*{*/ "\t\t} \\\n", stdout);
+ fputs("\t\tbreak; \\\n", stdout);
+ subswitch = 0;
+ }
+ if (tt->rdclass && tt->type != lasttype) {
+ fprintf(stdout, "\tcase %d: switch (%s) { \\\n" /*}*/,
+ tt->type, csw);
+ subswitch = 1;
+ }
+ if (tt->rdclass == 0)
+ fprintf(stdout,
+ "\tcase %d:%s %s_%s(%s); break;",
+ tt->type, result, function,
+ funname(tt->typename, buf1), args);
+ else
+ fprintf(stdout,
+ "\t\tcase %d:%s %s_%s_%s(%s); break;",
+ tt->rdclass, result, function,
+ funname(tt->classname, buf1),
+ funname(tt->typename, buf2), args);
+ fputs(" \\\n", stdout);
+ lasttype = tt->type;
+ }
+ if (subswitch) {
+ if (res == NULL)
+ fprintf(stdout, "\t\tdefault: break; \\\n");
+ else
+ fprintf(stdout, "\t\tdefault: %s; break; \\\n", res);
+ fputs(/*{*/ "\t\t} \\\n", stdout);
+ fputs("\t\tbreak; \\\n", stdout);
+ }
+ if (first) {
+ if (res == NULL)
+ fprintf(stdout, "\n#define %s\n", name);
+ else
+ fprintf(stdout, "\n#define %s %s;\n", name, res);
+ } else {
+ if (res == NULL)
+ fprintf(stdout, "\tdefault: break; \\\n");
+ else
+ fprintf(stdout, "\tdefault: %s; break; \\\n", res);
+ fputs(/*{*/ "\t}\n", stdout);
+ }
+}
+
+void
+dodecl(char *type, char *function, char *args) {
+ struct tt *tt;
+ char buf1[11], buf2[11];
+
+ fputs("\n", stdout);
+ for (tt = types; tt; tt = tt->next)
+ if (tt->rdclass)
+ fprintf(stdout,
+ "static inline %s %s_%s_%s(%s);\n",
+ type, function,
+ funname(tt->classname, buf1),
+ funname(tt->typename, buf2), args);
+ else
+ fprintf(stdout,
+ "static inline %s %s_%s(%s);\n",
+ type, function,
+ funname(tt->typename, buf1), args);
+}
+
+static struct ttnam *
+find_typename(int type) {
+ int i;
+
+ for (i = 0; i < TYPENAMES; i++) {
+ if (typenames[i].typename[0] != 0 &&
+ typenames[i].type == type)
+ return (&typenames[i]);
+ }
+ return (NULL);
+}
+
+void
+insert_into_typenames(int type, const char *typename, const char *attr) {
+ struct ttnam *ttn = NULL;
+ int c, i;
+ char tmp[256];
+
+ for (i = 0; i < TYPENAMES; i++) {
+ if (typenames[i].typename[0] != 0 &&
+ typenames[i].type == type &&
+ strcmp(typename, typenames[i].typename) != 0) {
+ fprintf(stderr,
+ "Error: type %d has two names: %s, %s\n",
+ type, typenames[i].typename, typename);
+ exit(1);
+ }
+ if (typenames[i].typename[0] == 0 && ttn == NULL)
+ ttn = &typenames[i];
+ }
+ if (ttn == NULL) {
+ fprintf(stderr, "Error: typenames array too small\n");
+ exit(1);
+ }
+
+ if (strlen(typename) > sizeof(ttn->typename) - 1) {
+ fprintf(stderr, "Error: type name %s is too long\n",
+ typename);
+ exit(1);
+ }
+ strcpy(ttn->typename, typename);
+ ttn->type = type;
+
+ strcpy(ttn->macroname, ttn->typename);
+ c = strlen(ttn->macroname);
+ while (c > 0) {
+ if (ttn->macroname[c - 1] == '-')
+ ttn->macroname[c - 1] = '_';
+ c--;
+ }
+
+ if (attr == NULL) {
+ sprintf(tmp, "RRTYPE_%s_ATTRIBUTES", upper(ttn->macroname));
+ attr = tmp;
+ }
+
+ if (ttn->attr[0] != 0 && strcmp(attr, ttn->attr) != 0) {
+ fprintf(stderr, "Error: type %d has different attributes: "
+ "%s, %s\n", type, ttn->attr, attr);
+ exit(1);
+ }
+
+ if (strlen(attr) > sizeof(ttn->attr) - 1) {
+ fprintf(stderr, "Error: attr (%s) [name %s] is too long\n",
+ attr, typename);
+ exit(1);
+ }
+ strcpy(ttn->attr, attr);
+ ttn->sorted = 0;
+ if (maxtype < type)
+ maxtype = type;
+}
+
+void
+add(int rdclass, const char *classname, int type, const char *typename,
+ const char *dirname)
+{
+ struct tt *newtt = (struct tt *)malloc(sizeof(*newtt));
+ struct tt *tt, *oldtt;
+ struct cc *newcc;
+ struct cc *cc, *oldcc;
+
+ insert_into_typenames(type, typename, NULL);
+
+ if (newtt == NULL) {
+ fprintf(stderr, "malloc() failed\n");
+ exit(1);
+ }
+
+ newtt->next = NULL;
+ newtt->rdclass = rdclass;
+ newtt->type = type;
+ strcpy(newtt->classname, classname);
+ strcpy(newtt->typename, typename);
+ strcpy(newtt->dirname, dirname);
+
+ tt = types;
+ oldtt = NULL;
+
+ while ((tt != NULL) && (tt->type < type)) {
+ oldtt = tt;
+ tt = tt->next;
+ }
+
+ while ((tt != NULL) && (tt->type == type) && (tt->rdclass < rdclass)) {
+ if (strcmp(tt->typename, typename) != 0)
+ exit(1);
+ oldtt = tt;
+ tt = tt->next;
+ }
+
+ if ((tt != NULL) && (tt->type == type) && (tt->rdclass == rdclass))
+ exit(1);
+
+ newtt->next = tt;
+ if (oldtt != NULL)
+ oldtt->next = newtt;
+ else
+ types = newtt;
+
+ /*
+ * Do a class switch for this type.
+ */
+ if (rdclass == 0)
+ return;
+
+ newcc = (struct cc *)malloc(sizeof(*newcc));
+ newcc->rdclass = rdclass;
+ strcpy(newcc->classname, classname);
+ cc = classes;
+ oldcc = NULL;
+
+ while ((cc != NULL) && (cc->rdclass < rdclass)) {
+ oldcc = cc;
+ cc = cc->next;
+ }
+
+ if ((cc != NULL) && cc->rdclass == rdclass) {
+ free((char *)newcc);
+ return;
+ }
+
+ newcc->next = cc;
+ if (oldcc != NULL)
+ oldcc->next = newcc;
+ else
+ classes = newcc;
+}
+
+void
+sd(int rdclass, const char *classname, const char *dirname, char filetype) {
+ char buf[sizeof("0123456789_65535.h")];
+ char fmt[sizeof("%10[-0-9a-z]_%d.h")];
+ int type;
+ char typename[11];
+ isc_dir_t dir;
+
+ if (!start_directory(dirname, &dir))
+ return;
+
+ sprintf(fmt,"%s%c", "%10[-0-9a-z]_%d.", filetype);
+ while (next_file(&dir)) {
+ if (sscanf(dir.filename, fmt, typename, &type) != 2)
+ continue;
+ if ((type > 65535) || (type < 0))
+ continue;
+
+ sprintf(buf, "%s_%d.%c", typename, type, filetype);
+ if (strcmp(buf, dir.filename) != 0)
+ continue;
+ add(rdclass, classname, type, typename, dirname);
+ }
+
+ end_directory(&dir);
+}
+
+static unsigned int
+HASH(char *string) {
+ unsigned int n;
+ unsigned char a, b;
+
+ n = strlen(string);
+ if (n == 0) {
+ fprintf(stderr, "n == 0?\n");
+ exit(1);
+ }
+ a = tolower((unsigned char)string[0]);
+ b = tolower((unsigned char)string[n - 1]);
+
+ return ((a + n) * b) % 256;
+}
+
+int
+main(int argc, char **argv) {
+ char buf[256]; /* XXX Should be max path length */
+ char srcdir[256]; /* XXX Should be max path length */
+ int rdclass;
+ char classname[11];
+ struct tt *tt;
+ struct cc *cc;
+ struct ttnam *ttn, *ttn2;
+ unsigned int hash;
+ struct tm *tm;
+ time_t now;
+ char year[11];
+ int lasttype;
+ int code = 1;
+ int class_enum = 0;
+ int type_enum = 0;
+ int structs = 0;
+ int depend = 0;
+ int c, i, j;
+ char buf1[11];
+ char filetype = 'c';
+ FILE *fd;
+ char *prefix = NULL;
+ char *suffix = NULL;
+ char *file = NULL;
+ isc_dir_t dir;
+
+ for (i = 0; i < TYPENAMES; i++)
+ memset(&typenames[i], 0, sizeof(typenames[i]));
+
+ strcpy(srcdir, "");
+ while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1)
+ switch (c) {
+ case 'c':
+ code = 0;
+ depend = 0;
+ type_enum = 0;
+ class_enum = 1;
+ filetype = 'c';
+ structs = 0;
+ break;
+ case 'd':
+ code = 0;
+ depend = 1;
+ class_enum = 0;
+ type_enum = 0;
+ structs = 0;
+ filetype = 'h';
+ break;
+ case 't':
+ code = 0;
+ depend = 0;
+ class_enum = 0;
+ type_enum = 1;
+ filetype = 'c';
+ structs = 0;
+ break;
+ case 'i':
+ code = 0;
+ depend = 0;
+ class_enum = 0;
+ type_enum = 0;
+ structs = 1;
+ filetype = 'h';
+ break;
+ case 's':
+ sprintf(srcdir, "%s/", isc_commandline_argument);
+ break;
+ case 'F':
+ file = isc_commandline_argument;
+ break;
+ case 'P':
+ prefix = isc_commandline_argument;
+ break;
+ case 'S':
+ suffix = isc_commandline_argument;
+ break;
+ case '?':
+ exit(1);
+ }
+
+ sprintf(buf, "%srdata", srcdir);
+
+ if (!start_directory(buf, &dir))
+ exit(1);
+
+ while (next_file(&dir)) {
+ if (sscanf(dir.filename, "%10[0-9a-z]_%d",
+ classname, &rdclass) != 2)
+ continue;
+ if ((rdclass > 65535) || (rdclass < 0))
+ continue;
+
+ sprintf(buf, "%srdata/%s_%d", srcdir, classname, rdclass);
+ if (strcmp(buf + 6 + strlen(srcdir), dir.filename) != 0)
+ continue;
+ sd(rdclass, classname, buf, filetype);
+ }
+ end_directory(&dir);
+ sprintf(buf, "%srdata/generic", srcdir);
+ sd(0, "", buf, filetype);
+
+ if (time(&now) != -1) {
+ if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
+ sprintf(year, "-%d", tm->tm_year + 1900);
+ else
+ year[0] = 0;
+ } else
+ year[0] = 0;
+
+ if (!depend) fprintf(stdout, copyright, year);
+
+ if (code) {
+ fputs("#ifndef DNS_CODE_H\n", stdout);
+ fputs("#define DNS_CODE_H 1\n\n", stdout);
+
+ fputs("#include <isc/boolean.h>\n", stdout);
+ fputs("#include <isc/result.h>\n\n", stdout);
+ fputs("#include <dns/name.h>\n\n", stdout);
+
+ for (tt = types; tt != NULL; tt = tt->next)
+ fprintf(stdout, "#include \"%s/%s_%d.c\"\n",
+ tt->dirname, tt->typename, tt->type);
+
+ fputs("\n\n", stdout);
+
+ doswitch("FROMTEXTSWITCH", "fromtext", FROMTEXTARGS,
+ FROMTEXTTYPE, FROMTEXTCLASS, FROMTEXTDEF);
+ doswitch("TOTEXTSWITCH", "totext", TOTEXTARGS,
+ TOTEXTTYPE, TOTEXTCLASS, TOTEXTDEF);
+ doswitch("FROMWIRESWITCH", "fromwire", FROMWIREARGS,
+ FROMWIRETYPE, FROMWIRECLASS, FROMWIREDEF);
+ doswitch("TOWIRESWITCH", "towire", TOWIREARGS,
+ TOWIRETYPE, TOWIRECLASS, TOWIREDEF);
+ doswitch("COMPARESWITCH", "compare", COMPAREARGS,
+ COMPARETYPE, COMPARECLASS, COMPAREDEF);
+ doswitch("FROMSTRUCTSWITCH", "fromstruct", FROMSTRUCTARGS,
+ FROMSTRUCTTYPE, FROMSTRUCTCLASS, FROMSTRUCTDEF);
+ doswitch("TOSTRUCTSWITCH", "tostruct", TOSTRUCTARGS,
+ TOSTRUCTTYPE, TOSTRUCTCLASS, TOSTRUCTDEF);
+ doswitch("FREESTRUCTSWITCH", "freestruct", FREESTRUCTARGS,
+ FREESTRUCTTYPE, FREESTRUCTCLASS, FREESTRUCTDEF);
+ doswitch("ADDITIONALDATASWITCH", "additionaldata",
+ ADDITIONALDATAARGS, ADDITIONALDATATYPE,
+ ADDITIONALDATACLASS, ADDITIONALDATADEF);
+ doswitch("DIGESTSWITCH", "digest",
+ DIGESTARGS, DIGESTTYPE,
+ DIGESTCLASS, DIGESTDEF);
+ doswitch("CHECKOWNERSWITCH", "checkowner",
+ CHECKOWNERARGS, CHECKOWNERTYPE,
+ CHECKOWNERCLASS, CHECKOWNERDEF);
+ doswitch("CHECKNAMESSWITCH", "checknames",
+ CHECKNAMESARGS, CHECKNAMESTYPE,
+ CHECKNAMESCLASS, CHECKNAMESDEF);
+
+ /*
+ * From here down, we are processing the rdata names and
+ * attributes.
+ */
+
+#define PRINT_COMMA(x) (x == maxtype ? "" : ",")
+
+#define METANOTQUESTION "DNS_RDATATYPEATTR_META | " \
+ "DNS_RDATATYPEATTR_NOTQUESTION"
+#define METAQUESTIONONLY "DNS_RDATATYPEATTR_META | " \
+ "DNS_RDATATYPEATTR_QUESTIONONLY"
+#define RESERVED "DNS_RDATATYPEATTR_RESERVED"
+
+ /*
+ * Add in reserved/special types. This will let us
+ * sort them without special cases.
+ */
+ insert_into_typenames(0, "reserved0", RESERVED);
+ insert_into_typenames(31, "eid", RESERVED);
+ insert_into_typenames(32, "nimloc", RESERVED);
+ insert_into_typenames(34, "atma", RESERVED);
+ insert_into_typenames(100, "uinfo", RESERVED);
+ insert_into_typenames(101, "uid", RESERVED);
+ insert_into_typenames(102, "gid", RESERVED);
+ insert_into_typenames(251, "ixfr", METAQUESTIONONLY);
+ insert_into_typenames(252, "axfr", METAQUESTIONONLY);
+ insert_into_typenames(253, "mailb", METAQUESTIONONLY);
+ insert_into_typenames(254, "maila", METAQUESTIONONLY);
+ insert_into_typenames(255, "any", METAQUESTIONONLY);
+
+ /*
+ * Spit out a quick and dirty hash function. Here,
+ * we walk through the list of type names, and calculate
+ * a hash. This isn't perfect, but it will generate "pretty
+ * good" estimates. Lowercase the characters before
+ * computing in all cases.
+ *
+ * Here, walk the list from top to bottom, calculating
+ * the hash (mod 256) for each name.
+ */
+ fprintf(stdout, "#define RDATATYPE_COMPARE(_s, _d, _tn, _n, _tp) \\\n");
+ fprintf(stdout, "\tdo { \\\n");
+ fprintf(stdout, "\t\tif (sizeof(_s) - 1 == _n && \\\n"
+ "\t\t strncasecmp(_s,(_tn),"
+ "(sizeof(_s) - 1)) == 0) { \\\n");
+ fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
+ "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+ fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
+ fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
+ fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
+ fprintf(stdout, "\t\t} \\\n");
+ fprintf(stdout, "\t} while (0)\n\n");
+
+ fprintf(stdout, "#define RDATATYPE_FROMTEXT_SW(_hash,"
+ "_typename,_length,_typep) \\\n");
+ fprintf(stdout, "\tswitch (_hash) { \\\n");
+ for (i = 0; i <= maxtype; i++) {
+ ttn = find_typename(i);
+ if (ttn == NULL)
+ continue;
+
+ /*
+ * Skip entries we already processed.
+ */
+ if (ttn->sorted != 0)
+ continue;
+
+ hash = HASH(ttn->typename);
+ fprintf(stdout, "\t\tcase %u: \\\n", hash);
+
+ /*
+ * Find all other entries that happen to match
+ * this hash.
+ */
+ for (j = 0; j <= maxtype; j++) {
+ ttn2 = find_typename(j);
+ if (ttn2 == NULL)
+ continue;
+ if (hash == HASH(ttn2->typename)) {
+ fprintf(stdout, "\t\t\tRDATATYPE_COMPARE"
+ "(\"%s\", %u, "
+ "_typename, _length, _typep); \\\n",
+ ttn2->typename, ttn2->type);
+ ttn2->sorted = 1;
+ }
+ }
+ fprintf(stdout, "\t\t\tbreak; \\\n");
+ }
+ fprintf(stdout, "\t}\n");
+
+ fprintf(stdout, "#define RDATATYPE_ATTRIBUTE_SW \\\n");
+ fprintf(stdout, "\tswitch (type) { \\\n");
+ for (i = 0; i <= maxtype; i++) {
+ ttn = find_typename(i);
+ if (ttn == NULL)
+ continue;
+ fprintf(stdout, "\tcase %u: return (%s); \\\n",
+ i, upper(ttn->attr));
+ }
+ fprintf(stdout, "\t}\n");
+
+ fprintf(stdout, "#define RDATATYPE_TOTEXT_SW \\\n");
+ fprintf(stdout, "\tswitch (type) { \\\n");
+ for (i = 0; i <= maxtype; i++) {
+ ttn = find_typename(i);
+ if (ttn == NULL)
+ continue;
+ fprintf(stdout, "\tcase %u: return "
+ "(str_totext(\"%s\", target)); \\\n",
+ i, upper(ttn->typename));
+ }
+ fprintf(stdout, "\t}\n");
+
+ fputs("#endif /* DNS_CODE_H */\n", stdout);
+ } else if (type_enum) {
+ char *s;
+
+ fprintf(stdout, "#ifndef DNS_ENUMTYPE_H\n");
+ fprintf(stdout, "#define DNS_ENUMTYPE_H 1\n\n");
+
+ fprintf(stdout, "enum {\n");
+ fprintf(stdout, "\tdns_rdatatype_none = 0,\n");
+
+ lasttype = 0;
+ for (tt = types; tt != NULL; tt = tt->next)
+ if (tt->type != lasttype)
+ fprintf(stdout,
+ "\tdns_rdatatype_%s = %d,\n",
+ funname(tt->typename, buf1),
+ lasttype = tt->type);
+
+ fprintf(stdout, "\tdns_rdatatype_ixfr = 251,\n");
+ fprintf(stdout, "\tdns_rdatatype_axfr = 252,\n");
+ fprintf(stdout, "\tdns_rdatatype_mailb = 253,\n");
+ fprintf(stdout, "\tdns_rdatatype_maila = 254,\n");
+ fprintf(stdout, "\tdns_rdatatype_any = 255\n");
+
+ fprintf(stdout, "};\n\n");
+
+ fprintf(stdout, "#define dns_rdatatype_none\t"
+ "((dns_rdatatype_t)dns_rdatatype_none)\n");
+
+ for (tt = types; tt != NULL; tt = tt->next)
+ if (tt->type != lasttype) {
+ s = funname(tt->typename, buf1);
+ fprintf(stdout,
+ "#define dns_rdatatype_%s\t%s"
+ "((dns_rdatatype_t)dns_rdatatype_%s)"
+ "\n",
+ s, strlen(s) < 2U ? "\t" : "", s);
+ lasttype = tt->type;
+ }
+
+ fprintf(stdout, "#define dns_rdatatype_ixfr\t"
+ "((dns_rdatatype_t)dns_rdatatype_ixfr)\n");
+ fprintf(stdout, "#define dns_rdatatype_axfr\t"
+ "((dns_rdatatype_t)dns_rdatatype_axfr)\n");
+ fprintf(stdout, "#define dns_rdatatype_mailb\t"
+ "((dns_rdatatype_t)dns_rdatatype_mailb)\n");
+ fprintf(stdout, "#define dns_rdatatype_maila\t"
+ "((dns_rdatatype_t)dns_rdatatype_maila)\n");
+ fprintf(stdout, "#define dns_rdatatype_any\t"
+ "((dns_rdatatype_t)dns_rdatatype_any)\n");
+
+ fprintf(stdout, "\n#endif /* DNS_ENUMTYPE_H */\n");
+
+ } else if (class_enum) {
+ char *s;
+ int classnum;
+
+ fprintf(stdout, "#ifndef DNS_ENUMCLASS_H\n");
+ fprintf(stdout, "#define DNS_ENUMCLASS_H 1\n\n");
+
+ fprintf(stdout, "enum {\n");
+
+ fprintf(stdout, "\tdns_rdataclass_reserved0 = 0,\n");
+ fprintf(stdout, "#define dns_rdataclass_reserved0 \\\n\t\t\t\t"
+ "((dns_rdataclass_t)dns_rdataclass_reserved0)\n");
+
+#define PRINTCLASS(name, num) \
+ do { \
+ s = funname(name, buf1); \
+ classnum = num; \
+ fprintf(stdout, "\tdns_rdataclass_%s = %d%s\n", s, classnum, \
+ classnum != 255 ? "," : ""); \
+ fprintf(stdout, "#define dns_rdataclass_%s\t" \
+ "((dns_rdataclass_t)dns_rdataclass_%s)\n", s, s); \
+ } while (0)
+
+ for (cc = classes; cc != NULL; cc = cc->next) {
+ if (cc->rdclass == 4) {
+ PRINTCLASS("ch", 3);
+ PRINTCLASS("chaos", 3);
+
+ } else if (cc->rdclass == 255) {
+ PRINTCLASS("none", 254);
+ }
+ PRINTCLASS(cc->classname, cc->rdclass);
+ }
+
+#undef PRINTCLASS
+
+ fprintf(stdout, "};\n\n");
+ fprintf(stdout, "#endif /* DNS_ENUMCLASS_H */\n");
+ } else if (structs) {
+ if (prefix != NULL) {
+ if ((fd = fopen(prefix,"r")) != NULL) {
+ while (fgets(buf, sizeof(buf), fd) != NULL)
+ fputs(buf, stdout);
+ fclose(fd);
+ }
+ }
+ for (tt = types; tt != NULL; tt = tt->next) {
+ sprintf(buf, "%s/%s_%d.h",
+ tt->dirname, tt->typename, tt->type);
+ if ((fd = fopen(buf,"r")) != NULL) {
+ while (fgets(buf, sizeof(buf), fd) != NULL)
+ fputs(buf, stdout);
+ fclose(fd);
+ }
+ }
+ if (suffix != NULL) {
+ if ((fd = fopen(suffix,"r")) != NULL) {
+ while (fgets(buf, sizeof(buf), fd) != NULL)
+ fputs(buf, stdout);
+ fclose(fd);
+ }
+ }
+ } else if (depend) {
+ for (tt = types; tt != NULL; tt = tt->next)
+ fprintf(stdout, "%s:\t%s/%s_%d.h\n", file,
+ tt->dirname, tt->typename, tt->type);
+ }
+
+ if (ferror(stdout) != 0)
+ exit(1);
+
+ return (0);
+}
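Review bot: The `-s` case in `main` copies `isc_commandline_argument` into the 256-byte `srcdir` with an unbounded `sprintf`. That prefix is then extended into the 256-byte `buf` (`"%srdata/%s_%d"`, and `"%s/%s_%d.h"` in the structs branch) and copied with `strcpy` into `newtt->dirname` in `add`, so a long source path overruns stack and heap buffers. `insert_into_typenames` already checks `strlen` before each `strcpy`; the same kind of check on the `-s` argument, sized for the longest path built later, covers all of these. In `add`, the second `malloc` (for `newcc`) is dereferenced without the NULL test that `newtt` gets. Separately, the depend branch prints `file` with `%s` although it stays NULL when `-F` is not given; gen is a build-time helper, so these inputs come from the build system rather than the network.

```c
/* … unchanged: add() up to the class-switch section … */
	newcc = (struct cc *)malloc(sizeof(*newcc));
	if (newcc == NULL) {
		fprintf(stderr, "malloc() failed\n");
		exit(1);
	}
/* … unchanged: rest of add(), sd(), HASH(), option cases before 's' … */
		case 's':
			/*
			 * Leave room in buf[] for the longest path built
			 * from srcdir later on.
			 */
			if (strlen(isc_commandline_argument) > sizeof(buf) -
			    sizeof("/rdata/0123456789_65535/0123456789_65535.h")) {
				fprintf(stderr, "Error: source directory "
					"name is too long\n");
				exit(1);
			}
			sprintf(srcdir, "%s/", isc_commandline_argument);
			break;
```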
diff --git a/contrib/bind9/lib/dns/include/Makefile.in b/contrib/bind9/lib/dns/include/Makefile.in
new file mode 100644
index 0000000..0e411da
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:13:50 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = dns
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/dns/include/dns/Makefile.in b/contrib/bind9/lib/dns/include/dns/Makefile.in
new file mode 100644
index 0000000..267bc8d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/Makefile.in
@@ -0,0 +1,54 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.43.2.1.10.6 2004/03/08 09:04:34 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = acl.h adb.h byaddr.h cache.h callbacks.h \
+ cert.h compress.h \
+ db.h dbiterator.h dbtable.h diff.h dispatch.h \
+ dnssec.h ds.h events.h fixedname.h journal.h keyflags.h \
+ keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
+ message.h name.h ncache.h \
+ nsec.h peer.h portlist.h rbt.h rcode.h \
+ rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
+ rdataslab.h rdatatype.h request.h resolver.h result.h \
+ rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \
+ tcpmsg.h time.h tkey.h \
+ tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
+ zone.h zonekey.h zt.h
+
+GENHEADERS = enumclass.h enumtype.h rdatastruct.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dns
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns ; \
+ done
+ for i in ${GENHEADERS}; do \
+ ${INSTALL_DATA} $$i ${DESTDIR}${includedir}/dns ; \
+ done
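Review bot: In the `install::` recipe both `for` loops discard the exit status of every `${INSTALL_DATA}` call except the last one, so a header that fails to copy leaves an incomplete `${includedir}/dns` tree while make still reports success. Ending each loop body with `|| exit 1`, e.g. `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dns || exit 1 ; \`, makes the failure stop the install. The second loop installs `${GENHEADERS}` from the build directory, and nothing visible in this file makes `install` depend on those headers having been generated; that may be covered by the rules substituted for `@BIND9_MAKE_RULES@`, which are not shown here.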
diff --git a/contrib/bind9/lib/dns/include/dns/acl.h b/contrib/bind9/lib/dns/include/dns/acl.h
new file mode 100644
index 0000000..bc723f4
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/acl.h
@@ -0,0 +1,221 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: acl.h,v 1.20.52.3 2004/03/08 09:04:34 marka Exp $ */
+
+#ifndef DNS_ACL_H
+#define DNS_ACL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Address match list handling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+#include <isc/refcount.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+ dns_aclelementtype_ipprefix,
+ dns_aclelementtype_keyname,
+ dns_aclelementtype_nestedacl,
+ dns_aclelementtype_localhost,
+ dns_aclelementtype_localnets,
+ dns_aclelementtype_any
+} dns_aclelemettype_t;
+
+typedef struct dns_aclipprefix dns_aclipprefix_t;
+
+struct dns_aclipprefix {
+ isc_netaddr_t address; /* IP4/IP6 */
+ unsigned int prefixlen;
+};
+
+struct dns_aclelement {
+ dns_aclelemettype_t type;
+ isc_boolean_t negative;
+ union {
+ dns_aclipprefix_t ip_prefix;
+ dns_name_t keyname;
+ dns_acl_t *nestedacl;
+ } u;
+};
+
+struct dns_acl {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_refcount_t refcount;
+ dns_aclelement_t *elements;
+ unsigned int alloc; /* Elements allocated */
+ unsigned int length; /* Elements initialized */
+ char *name; /* Temporary use only */
+ ISC_LINK(dns_acl_t) nextincache; /* Ditto */
+};
+
+struct dns_aclenv {
+ dns_acl_t *localhost;
+ dns_acl_t *localnets;
+ isc_boolean_t match_mapped;
+};
+
+#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l')
+#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
+/*
+ * Create a new ACL with room for 'n' elements.
+ * The elements are uninitialized and the length is 0.
+ */
+
+isc_result_t
+dns_acl_appendelement(dns_acl_t *acl, dns_aclelement_t *elt);
+/*
+ * Append an element to an existing ACL.
+ */
+
+isc_result_t
+dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
+/*
+ * Create a new ACL that matches everything.
+ */
+
+isc_result_t
+dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
+/*
+ * Create a new ACL that matches nothing.
+ */
+
+void
+dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
+
+void
+dns_acl_detach(dns_acl_t **aclp);
+
+isc_boolean_t
+dns_aclelement_equal(dns_aclelement_t *ea, dns_aclelement_t *eb);
+
+isc_boolean_t
+dns_acl_equal(dns_acl_t *a, dns_acl_t *b);
+
+isc_boolean_t
+dns_acl_isinsecure(dns_acl_t *a);
+/*
+ * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions. We make no guarantee that an ACL for which
+ * this function returns ISC_FALSE is safe.
+ */
+
+isc_result_t
+dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+
+void
+dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
+
+void
+dns_aclenv_destroy(dns_aclenv_t *env);
+
+isc_result_t
+dns_acl_match(isc_netaddr_t *reqaddr,
+ dns_name_t *reqsigner,
+ dns_acl_t *acl,
+ dns_aclenv_t *env,
+ int *match,
+ dns_aclelement_t **matchelt);
+/*
+ * General, low-level ACL matching. This is expected to
+ * be useful even for weird stuff like the topology and sortlist statements.
+ *
+ * Match the address 'reqaddr', and optionally the key name 'reqsigner',
+ * against 'acl'. 'reqsigner' may be NULL.
+ *
+ * If there is a positive match, '*match' will be set to a positive value
+ * indicating the distance from the beginning of the list.
+ *
+ * If there is a negative match, '*match' will be set to a negative value
+ * whose absolute value indicates the distance from the beginning of
+ * the list.
+ *
+ * If there is a match (either positive or negative) and 'matchelt' is
+ * non-NULL, *matchelt will be attached to the primitive
+ * (non-indirect) address match list element that matched.
+ *
+ * If there is no match, *match will be set to zero.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Always succeeds.
+ */
+
+isc_boolean_t
+dns_aclelement_match(isc_netaddr_t *reqaddr,
+ dns_name_t *reqsigner,
+ dns_aclelement_t *e,
+ dns_aclenv_t *env,
+ dns_aclelement_t **matchelt);
+/*
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete list and returns ISC_TRUE iff it matched.
+ * To determine whether the match was prositive or negative, the
+ * caller should examine e->negative. Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, the matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
+
+isc_result_t
+dns_acl_elementmatch(dns_acl_t *acl,
+ dns_aclelement_t *elt,
+ dns_aclelement_t **matchelt);
+/*
+ * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
+ * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
+ * to the entry.
+ *
+ * This function is intended to be used for avoiding duplicated ACL entries
+ * before adding an entry.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Match succeeds.
+ * ISC_R_NOTFOUND Match fails.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ACL_H */
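Review bot: `dns_acl_match()` reports its outcome only through the sign of `*match` and is documented as always returning ISC_R_SUCCESS, but the comment never tells a caller how to turn that into an allow/deny decision, so code that tests only the return value would treat every request as accepted. I would add a line to the comment such as `* Callers making an access decision must test '*match' (> 0 match, < 0 negated match, 0 no match), not the return value.` The reference-counting and environment functions (`dns_acl_attach`, `dns_acl_detach`, `dns_aclenv_init`, `dns_aclenv_copy`, `dns_aclenv_destroy`) carry no contract comment at all, unlike the rest of the header, and their Requires/Ensures conditions should be stated. The enum typedef is spelled `dns_aclelemettype_t` and the `dns_aclelement_match()` comment says "prositive"; the typedef is public API, so correcting it would need a compatibility alias.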
diff --git a/contrib/bind9/lib/dns/include/dns/adb.h b/contrib/bind9/lib/dns/include/dns/adb.h
new file mode 100644
index 0000000..7a17eff
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/adb.h
@@ -0,0 +1,596 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: adb.h,v 1.66.2.5.2.4 2004/03/06 08:13:50 marka Exp $ */
+
+#ifndef DNS_ADB_H
+#define DNS_ADB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Address Database
+ *
+ * This module implements an address database (ADB) for mapping a name
+ * to an isc_sockaddr_t. It also provides statistical information on
+ * how good that address might be.
+ *
+ * A client will pass in a dns_name_t, and the ADB will walk through
+ * the rdataset looking up addresses associated with the name. If it
+ * is found on the internal lists, a structure is filled in with the
+ * address information and stats for found addresses.
+ *
+ * If the name cannot be found on the internal lists, a new entry will
+ * be created for a name if all the information needed can be found
+ * in the zone table or cache. This new address will then be returned.
+ *
+ * If a request must be made to remote servers to satisfy a name lookup,
+ * this module will start fetches to try to complete these addresses. When
+ * at least one more completes, an event is sent to the caller. If none of
+ * them resolve before the fetch times out, an event indicating this is
+ * sent instead.
+ *
+ * Records are stored internally until a timer expires. The timer is the
+ * smaller of the TTL or signature validity period.
+ *
+ * Lameness is stored per-zone, and this data hangs off each address field.
+ * When an address is marked lame for a given zone the address will not
+ * be returned to a caller.
+ *
+ *
+ * MP:
+ *
+ * The ADB takes care of all necessary locking.
+ *
+ * Only the task which initiated the name lookup can cancel the lookup.
+ *
+ *
+ * Security:
+ *
+ * None, since all data stored is required to be pre-filtered.
+ * (Cache needs to be sane, fetches return bounds-checked and sanity-
+ * checked data, caller passes a good dns_name_t for the zone, etc)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/sockaddr.h>
+
+#include <dns/types.h>
+#include <dns/view.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Magic number checks
+ ***/
+
+#define DNS_ADBFIND_MAGIC ISC_MAGIC('a','d','b','H')
+#define DNS_ADBFIND_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBFIND_MAGIC)
+#define DNS_ADBADDRINFO_MAGIC ISC_MAGIC('a','d','A','I')
+#define DNS_ADBADDRINFO_VALID(x) ISC_MAGIC_VALID(x, DNS_ADBADDRINFO_MAGIC)
+
+
+/***
+ *** TYPES
+ ***/
+
+typedef struct dns_adbname dns_adbname_t;
+
+/* dns_adbfind_t
+ *
+ * Represents a lookup for a single name.
+ *
+ * On return, the client can safely use "list", and can reorder the list.
+ * Items may not be _deleted_ from this list, however, or added to it
+ * other than by using the dns_adb_*() API.
+ */
+struct dns_adbfind {
+ /* Public */
+ unsigned int magic; /* RO: magic */
+ dns_adbaddrinfolist_t list; /* RO: list of addrs */
+ unsigned int query_pending; /* RO: partial list */
+ unsigned int partial_result; /* RO: addrs missing */
+ unsigned int options; /* RO: options */
+ isc_result_t result_v4; /* RO: v4 result */
+ isc_result_t result_v6; /* RO: v6 result */
+ ISC_LINK(dns_adbfind_t) publink; /* RW: client use */
+
+ /* Private */
+ isc_mutex_t lock; /* locks all below */
+ in_port_t port;
+ int name_bucket;
+ unsigned int flags;
+ dns_adbname_t *adbname;
+ dns_adb_t *adb;
+ isc_event_t event;
+ ISC_LINK(dns_adbfind_t) plink;
+};
+
+/*
+ * _INET:
+ * _INET6:
+ * return addresses of that type.
+ *
+ * _EMPTYEVENT:
+ * Only schedule an event if no addresses are known.
+ * Must set _WANTEVENT for this to be meaningful.
+ *
+ * _WANTEVENT:
+ * An event is desired. Check this bit in the returned find to see
+ * if one will actually be generated.
+ *
+ * _AVOIDFETCHES:
+ * If set, fetches will not be generated unless no addresses are
+ * available in any of the address families requested.
+ *
+ * _STARTATZONE:
+ * Fetches will start using the closest zone data or use the root servers.
+ * This is useful for reestablishing glue that has expired.
+ *
+ * _GLUEOK:
+ * _HINTOK:
+ * Glue or hints are ok. These are used when matching names already
+ * in the adb, and when dns databases are searched.
+ *
+ * _RETURNLAME:
+ * Return lame servers in a find, so that all addresses are returned.
+ *
+ * _LAMEPRUNED:
+ * At least one address was omitted from the list because it was lame.
+ * This bit will NEVER be set if _RETURNLAME is set in the createfind().
+ */
+#define DNS_ADBFIND_INET 0x00000001
+#define DNS_ADBFIND_INET6 0x00000002
+#define DNS_ADBFIND_ADDRESSMASK 0x00000003
+
+#define DNS_ADBFIND_EMPTYEVENT 0x00000004
+#define DNS_ADBFIND_WANTEVENT 0x00000008
+#define DNS_ADBFIND_AVOIDFETCHES 0x00000010
+#define DNS_ADBFIND_STARTATZONE 0x00000020
+#define DNS_ADBFIND_GLUEOK 0x00000040
+#define DNS_ADBFIND_HINTOK 0x00000080
+#define DNS_ADBFIND_RETURNLAME 0x00000100
+#define DNS_ADBFIND_LAMEPRUNED 0x00000200
+
+/* dns_adbaddrinfo_t
+ *
+ * The answers to queries come back as a list of these.
+ */
+struct dns_adbaddrinfo {
+ unsigned int magic; /* private */
+
+ isc_sockaddr_t sockaddr; /* [rw] */
+ unsigned int srtt; /* [rw] microseconds */
+ unsigned int flags; /* [rw] */
+ dns_adbentry_t *entry; /* private */
+ ISC_LINK(dns_adbaddrinfo_t) publink;
+};
+
+/*
+ * The event sent to the caller task is just a plain old isc_event_t. It
+ * contains no data other than a simple status, passed in the "type" field
+ * to indicate that another address resolved, or all partially resolved
+ * addresses have failed to resolve.
+ *
+ * "sender" is the dns_adbfind_t used to issue this query.
+ *
+ * This is simply a standard event, with the "type" set to:
+ *
+ * DNS_EVENT_ADBMOREADDRESSES -- another address resolved.
+ * DNS_EVENT_ADBNOMOREADDRESSES -- all pending addresses failed,
+ * were canceled, or otherwise will
+ * not be usable.
+ * DNS_EVENT_ADBCANCELED -- The request was canceled by a
+ * 3rd party.
+ * DNS_EVENT_ADBNAMEDELETED -- The name was deleted, so this request
+ * was canceled.
+ *
+ * In each of these cases, the addresses returned by the initial call
+ * to dns_adb_createfind() can still be used until they are no longer needed.
+ */
+
+/****
+ **** FUNCTIONS
+ ****/
+
+
+isc_result_t
+dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *tmgr,
+ isc_taskmgr_t *taskmgr, dns_adb_t **newadb);
+/*
+ * Create a new ADB.
+ *
+ * Notes:
+ *
+ * Generally, applications should not create an ADB directly, but
+ * should instead call dns_view_createresolver().
+ *
+ * Requires:
+ *
+ * 'mem' must be a valid memory context.
+ *
+ * 'view' be a pointer to a valid view.
+ *
+ * 'tmgr' be a pointer to a valid timer manager.
+ *
+ * 'taskmgr' be a pointer to a valid task manager.
+ *
+ * 'newadb' != NULL && '*newadb' == NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS after happiness.
+ * ISC_R_NOMEMORY after resource allocation failure.
+ */
+
+void
+dns_adb_attach(dns_adb_t *adb, dns_adb_t **adbp);
+/*
+ * Attach to an 'adb' to 'adbp'.
+ *
+ * Requires:
+ * 'adb' to be a valid dns_adb_t, created via dns_adb_create().
+ * 'adbp' to be a valid pointer to a *dns_adb_t which is initialized
+ * to NULL.
+ */
+
+void
+dns_adb_detach(dns_adb_t **adb);
+/*
+ * Delete the ADB. Sets *ADB to NULL. Cancels any outstanding requests.
+ *
+ * Requires:
+ *
+ * 'adb' be non-NULL and '*adb' be a valid dns_adb_t, created via
+ * dns_adb_create().
+ */
+
+void
+dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp);
+/*
+ * Send '*eventp' to 'task' when 'adb' has shutdown.
+ *
+ * Requires:
+ *
+ * '*adb' is a valid dns_adb_t.
+ *
+ * eventp != NULL && *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ * *eventp == NULL
+ *
+ * The event's sender field is set to the value of adb when the event
+ * is sent.
+ */
+
+void
+dns_adb_shutdown(dns_adb_t *adb);
+/*
+ * Shutdown 'adb'.
+ *
+ * Requires:
+ *
+ * '*adb' is a valid dns_adb_t.
+ */
+
+isc_result_t
+dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
+ void *arg, dns_name_t *name, dns_name_t *zone,
+ unsigned int options, isc_stdtime_t now, dns_name_t *target,
+ in_port_t port, dns_adbfind_t **find);
+/*
+ * Main interface for clients. The adb will look up the name given in
+ * "name" and will build up a list of found addresses, and perhaps start
+ * internal fetches to resolve names that are unknown currently.
+ *
+ * If other addresses resolve after this call completes, an event will
+ * be sent to the <task, taskaction, arg> with the sender of that event
+ * set to a pointer to the dns_adbfind_t returned by this function.
+ *
+ * If no events will be generated, the *find->result_v4 and/or result_v6
+ * members may be examined for address lookup status. The usual ISC_R_SUCCESS,
+ * ISC_R_FAILURE, and DNS_R_NX{DOMAIN,RRSET} are returned, along with
+ * ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values. In this
+ * latter case, retrying may produce more addresses.
+ *
+ * If events will be returned, the result_v[46] members are only valid
+ * when that event is actually returned.
+ *
+ * The list of addresses returned is unordered. The caller must impose
+ * any ordering required. The list will not contain "known bad" addresses,
+ * however. For instance, it will not return hosts that are known to be
+ * lame for the zone in question.
+ *
+ * The caller cannot (directly) modify the contents of the address list's
+ * fields other than the "link" field. All values can be read at any
+ * time, however.
+ *
+ * The "now" parameter is used only for determining which entries that
+ * have a specific time to live or expire time should be removed from
+ * the running database. If specified as zero, the current time will
+ * be retrieved and used.
+ *
+ * If 'target' is not NULL and 'name' is an alias (i.e. the name is
+ * CNAME'd or DNAME'd to another name), then 'target' will be updated with
+ * the domain name that 'name' is aliased to.
+ *
+ * All addresses returned will have the sockaddr's port set to 'port.'
+ * The caller may change them directly in the dns_adbaddrinfo_t since
+ * they are copies of the internal address only.
+ *
+ * XXXMLG Document options, especially the flags which control how
+ * events are sent.
+ *
+ * Requires:
+ *
+ * *adb be a valid isc_adb_t object.
+ *
+ * If events are to be sent, *task be a valid task,
+ * and isc_taskaction_t != NULL.
+ *
+ * *name is a valid dns_name_t.
+ *
+ * zone != NULL and *zone be a valid dns_name_t.
+ *
+ * target == NULL or target is a valid name with a buffer.
+ *
+ * find != NULL && *find == NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS Addresses might have been returned, and events will be
+ * delivered for unresolved addresses.
+ * ISC_R_NOMORE Addresses might have been returned, but no events
+ * will ever be posted for this context. This is only
+ * returned if task != NULL.
+ * ISC_R_NOMEMORY insufficient resources
+ * DNS_R_ALIAS 'name' is an alias for another name.
+ *
+ * Calls, and returns error codes from:
+ *
+ * isc_stdtime_get()
+ *
+ * Notes:
+ *
+ * No internal reference to "name" exists after this function
+ * returns.
+ */
+
+void
+dns_adb_cancelfind(dns_adbfind_t *find);
+/*
+ * Cancels the find, and sends the event off to the caller.
+ *
+ * It is an error to call dns_adb_cancelfind() on a find where
+ * no event is wanted, or will ever be sent.
+ *
+ * Note:
+ *
+ * It is possible that the real completion event was posted just
+ * before the dns_adb_cancelfind() call was made. In this case,
+ * dns_adb_cancelfind() will do nothing. The event callback needs
+ * to be prepared to find this situation (i.e. result is valid but
+ * the caller expects it to be canceled).
+ *
+ * Requires:
+ *
+ * 'find' be a valid dns_adbfind_t pointer.
+ *
+ * events would have been posted to the task. This can be checked
+ * with (find->options & DNS_ADBFIND_WANTEVENT).
+ *
+ * Ensures:
+ *
+ * The event was posted to the task.
+ */
+
+void
+dns_adb_destroyfind(dns_adbfind_t **find);
+/*
+ * Destroys the find reference.
+ *
+ * Note:
+ *
+ * This can only be called after the event was delivered for a
+ * find. Additionally, the event MUST have been freed via
+ * isc_event_free() BEFORE this function is called.
+ *
+ * Requires:
+ *
+ * 'find' != NULL and *find be valid dns_adbfind_t pointer.
+ *
+ * Ensures:
+ *
+ * No "address found" events will be posted to the originating task
+ * after this function returns.
+ */
+
+void
+dns_adb_dump(dns_adb_t *adb, FILE *f);
+/*
+ * This function is only used for debugging. It will dump as much of the
+ * state of the running system as possible.
+ *
+ * Requires:
+ *
+ * adb be valid.
+ *
+ * f != NULL, and is a file open for writing.
+ */
+
+void
+dns_adb_dumpfind(dns_adbfind_t *find, FILE *f);
+/*
+ * This function is only used for debugging. Dump the data associated
+ * with a find.
+ *
+ * Requires:
+ *
+ * find is valid.
+ *
+ * f != NULL, and is a file open for writing.
+ */
+
+isc_result_t
+dns_adb_marklame(dns_adb_t *adb, dns_adbaddrinfo_t *addr, dns_name_t *zone,
+ isc_stdtime_t expire_time);
+/*
+ * Mark the given address as lame for the zone "zone". expire_time should
+ * be set to the time when the entry should expire. That is, if it is to
+ * expire 10 minutes in the future, it should set it to (now + 10 * 60).
+ *
+ * Requires:
+ *
+ * adb be valid.
+ *
+ * addr be valid.
+ *
+ * zone be the zone used in the dns_adb_createfind() call.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ * ISC_R_NOMEMORY -- could not mark address as lame.
+ */
+
+/*
+ * A reasonable default for RTT adjustments
+ */
+#define DNS_ADB_RTTADJDEFAULT 7 /* default scale */
+#define DNS_ADB_RTTADJREPLACE 0 /* replace with our rtt */
+#define DNS_ADB_RTTADJAGE 10 /* age this rtt */
+
+void
+dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+ unsigned int rtt, unsigned int factor);
+/*
+ * Mix the round trip time into the existing smoothed rtt. The formula used
+ * (where srtt is the existing rtt value, and rtt and factor are arguments to
+ * this function):
+ *
+ * new_srtt = (old_srtt / 10 * factor) + (rtt / 10 * (10 - factor));
+ *
+ * XXXRTH Do we want to publish the formula? What if we want to change how
+ * this works later on? Recommend/require that the units are
+ * microseconds?
+ *
+ * Requires:
+ *
+ * adb be valid.
+ *
+ * addr be valid.
+ *
+ * 0 <= factor <= 10
+ *
+ * Note:
+ *
+ * The srtt in addr will be updated to reflect the new global
+ * srtt value. This may include changes made by others.
+ */
+
+void
+dns_adb_changeflags(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
+ unsigned int bits, unsigned int mask);
+/*
+ * Set the flags as given by:
+ *
+ * newflags = (oldflags & ~mask) | (bits & mask);
+ *
+ * Requires:
+ *
+ * adb be valid.
+ *
+ * addr be valid.
+ */
+
+isc_result_t
+dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
+ dns_adbaddrinfo_t **addrp, isc_stdtime_t now);
+/*
+ * Return a dns_adbaddrinfo_t that is associated with address 'sa'.
+ *
+ * Requires:
+ *
+ * adb is valid.
+ *
+ * sa is valid.
+ *
+ * addrp != NULL && *addrp == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_SHUTTINGDOWN
+ */
+
+void
+dns_adb_freeaddrinfo(dns_adb_t *adb, dns_adbaddrinfo_t **addrp);
+/*
+ * Free a dns_adbaddrinfo_t allocated by dns_adb_findaddrinfo().
+ *
+ * Requires:
+ *
+ * adb is valid.
+ *
+ * *addrp is a valid dns_adbaddrinfo_t *.
+ */
+
+void
+dns_adb_flush(dns_adb_t *adb);
+/*
+ * Flushes all cached data from the adb.
+ *
+ * Requires:
+ * adb is valid.
+ */
+
+void
+dns_adb_setadbsize(dns_adb_t *adb, isc_uint32_t size);
+/*
+ * Set a target memory size. If memory usage exceeds the target
+ * size entries will be removed before they would have expired on
+ * a random basis.
+ *
+ * If 'size' is 0 then memory usage is unlimited.
+ *
+ * Requires:
+ * 'adb' is valid.
+ */
+
+void
+dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
+/*
+ * Flush 'name' from the adb cache.
+ *
+ * Requires:
+ * 'adb' is valid.
+ * 'name' is valid.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ADB_H */
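Review bot: The module comment's Security paragraph says nothing needs checking because all stored data is "required to be pre-filtered", yet the per-function Requires lists (for example on `dns_adb_createfind()` and `dns_adb_findaddrinfo()`) only say the arguments are "valid" and never name who does that filtering. I would make the dependency explicit, e.g. `* Security: the ADB performs no validation of its own; it relies on the cache, the fetch path and the caller to supply sanity-checked data.` Two smaller documentation points: the Requires list of `dns_adb_createfind()` refers to `isc_adb_t` where the parameter type is `dns_adb_t`, and the `options` flags are still marked `XXXMLG Document options`. The header also uses `FILE *` in `dns_adb_dump()` and `dns_adb_dumpfind()` without including `<stdio.h>` itself; it presumably arrives through one of the included headers, which is worth confirming.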
diff --git a/contrib/bind9/lib/dns/include/dns/bit.h b/contrib/bind9/lib/dns/include/dns/bit.h
new file mode 100644
index 0000000..e4a7d20
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/bit.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bit.h,v 1.7.206.1 2004/03/06 08:13:51 marka Exp $ */
+
+#ifndef DNS_BIT_H
+#define DNS_BIT_H 1
+
+#include <isc/int.h>
+#include <isc/boolean.h>
+
+typedef isc_uint64_t dns_bitset_t;
+
+#define DNS_BIT_SET(bit, bitset) \
+ (*(bitset) |= ((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CLEAR(bit, bitset) \
+ (*(bitset) &= ~((dns_bitset_t)1 << (bit)))
+#define DNS_BIT_CHECK(bit, bitset) \
+ ISC_TF((*(bitset) & ((dns_bitset_t)1 << (bit))) \
+ == ((dns_bitset_t)1 << (bit)))
+
+#endif /* DNS_BIT_H */
+
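Review bot: `DNS_BIT_SET`, `DNS_BIT_CLEAR` and `DNS_BIT_CHECK` shift `(dns_bitset_t)1` by `bit` with no stated range, and a shift count that is negative or not smaller than the width of `dns_bitset_t` (declared here as `isc_uint64_t`) is undefined behaviour in C. A comment above the macros such as `/* 'bit' must be in the range 0..63; the macros do not check it. */` would document the precondition for callers that compute the bit index from external data. `DNS_BIT_CHECK` also expands `bit` twice, so the same comment should say that arguments must be free of side effects.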
diff --git a/contrib/bind9/lib/dns/include/dns/byaddr.h b/contrib/bind9/lib/dns/include/dns/byaddr.h
new file mode 100644
index 0000000..8f69cd9
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/byaddr.h
@@ -0,0 +1,169 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: byaddr.h,v 1.12.2.1.2.4 2004/03/08 09:04:34 marka Exp $ */
+
+#ifndef DNS_BYADDR_H
+#define DNS_BYADDR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS ByAddr
+ *
+ * The byaddr module provides reverse lookup services for IPv4 and IPv6
+ * addresses.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFCs: 1034, 1035, 2181, <TBS>
+ * Drafts: <TBS>
+ */
+
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A 'dns_byaddrevent_t' is returned when a byaddr completes.
+ * The sender field will be set to the byaddr that completed. If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address. The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_byaddrevent {
+ ISC_EVENT_COMMON(struct dns_byaddrevent);
+ isc_result_t result;
+ dns_namelist_t names;
+} dns_byaddrevent_t;
+
+/*
+ * This option is deprecated since we now only consider nibbles.
+#define DNS_BYADDROPT_IPV6NIBBLE 0x0001
+ */
+#define DNS_BYADDROPT_IPV6INT 0x0002
+
+isc_result_t
+dns_byaddr_create(isc_mem_t *mctx, isc_netaddr_t *address, dns_view_t *view,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg, dns_byaddr_t **byaddrp);
+/*
+ * Find the domain name of 'address'.
+ *
+ * Notes:
+ *
+ * There is a reverse lookup format for IPv6 addresses, 'nibble'
+ *
+ * The 'nibble' format for that address is
+ *
+ * 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa.
+ *
+ * DNS_BYADDROPT_IPV6INT can be used to get nibble lookups under ip6.int.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid mctx.
+ *
+ * 'address' is a valid IPv4 or IPv6 address.
+ *
+ * 'view' is a valid view which has a resolver.
+ *
+ * 'task' is a valid task.
+ *
+ * byaddrp != NULL && *byaddrp == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ * returned.
+ */
+
+void
+dns_byaddr_cancel(dns_byaddr_t *byaddr);
+/*
+ * Cancel 'byaddr'.
+ *
+ * Notes:
+ *
+ * If 'byaddr' has not completed, post its BYADDRDONE event with a
+ * result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ * 'byaddr' is a valid byaddr.
+ */
+
+void
+dns_byaddr_destroy(dns_byaddr_t **byaddrp);
+/*
+ * Destroy 'byaddr'.
+ *
+ * Requires:
+ *
+ * '*byaddrp' is a valid byaddr.
+ *
+ * The caller has received the BYADDRDONE event (either because the
+ * byaddr completed or because dns_byaddr_cancel() was called).
+ *
+ * Ensures:
+ *
+ * *byaddrp == NULL.
+ */
+
+isc_result_t
+dns_byaddr_createptrname(isc_netaddr_t *address, isc_boolean_t nibble,
+ dns_name_t *name);
+
+isc_result_t
+dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
+ dns_name_t *name);
+/*
+ * Creates a name that would be used in a PTR query for this address. The
+ * nibble flag indicates that the 'nibble' format is to be used if an IPv6
+ * address is provided, instead of the 'bitstring' format. Since we dropped
+ * the support of the bitstring labels, it is expected that the flag is always
+ * set. 'options' are the same as for dns_byaddr_create().
+ *
+ * Requires:
+ *
+ * 'address' is a valid address.
+ * 'name' is a valid name with a dedicated buffer.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_BYADDR_H */
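Review bot: The Notes on `dns_byaddr_create()` say "The 'nibble' format for that address is …" without ever giving the address the example name is derived from, so a reader cannot check the example; the comment should state the example address before showing its `ip6.arpa` form. The comment shared by `dns_byaddr_createptrname()` and `dns_byaddr_createptrname2()` says the `nibble` flag "is expected" to be always set but not what the function returns when it is ISC_FALSE, and it lists no Returns section at all although both functions return `isc_result_t`. A Returns block and one line on the unset-flag case would complete the contract.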
diff --git a/contrib/bind9/lib/dns/include/dns/cache.h b/contrib/bind9/lib/dns/include/dns/cache.h
new file mode 100644
index 0000000..79c53de
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/cache.h
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cache.h,v 1.17.12.3 2004/03/08 09:04:34 marka Exp $ */
+
+#ifndef DNS_CACHE_H
+#define DNS_CACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * cache
+ *
+ * Defines dns_cache_t, the cache object.
+ *
+ * Notes:
+ * A cache object contains DNS data of a single class.
+ * Multiple classes will be handled by creating multiple
+ * views, each with a different class and its own cache.
+ *
+ * MP:
+ * See notes at the individual functions.
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Standards:
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, dns_rdataclass_t rdclass,
+ const char *db_type, unsigned int db_argc, char **db_argv,
+ dns_cache_t **cachep);
+/*
+ * Create a new DNS cache.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context
+ *
+ * 'taskmgr' is a valid task manager and 'timermgr' is a valid timer
+ * manager, or both are NULL. If NULL, no periodic cleaning of the
+ * cache will take place.
+ *
+ * 'cachep' is a valid pointer, and *cachep == NULL
+ *
+ * Ensures:
+ *
+ * '*cachep' is attached to the newly created cache
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_cache_attach(dns_cache_t *cache, dns_cache_t **targetp);
+/*
+ * Attach *targetp to cache.
+ *
+ * Requires:
+ *
+ * 'cache' is a valid cache.
+ *
+ * 'targetp' points to a NULL dns_cache_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to cache.
+ */
+
+void
+dns_cache_detach(dns_cache_t **cachep);
+/*
+ * Detach *cachep from its cache.
+ *
+ * Requires:
+ *
+ * 'cachep' points to a valid cache.
+ *
+ * Ensures:
+ *
+ * *cachep is NULL.
+ *
+ * If '*cachep' is the last reference to the cache,
+ *
+ * All resources used by the cache will be freed
+ */
+
+void
+dns_cache_attachdb(dns_cache_t *cache, dns_db_t **dbp);
+/*
+ * Attach *dbp to the cache's database.
+ *
+ * Notes:
+ *
+ * This may be used to get a reference to the database for
+ * the purpose of cache lookups (XXX currently it is also
+ * the way to add data to the cache, but having a
+ * separate dns_cache_add() interface instead would allow
+ * more control over memory usage).
+ * The caller should call dns_db_detach() on the reference
+ * when it is no longer needed.
+ *
+ * Requires:
+ *
+ * 'cache' is a valid cache.
+ *
+ * 'dbp' points to a NULL dns_db *.
+ *
+ * Ensures:
+ *
+ * *dbp is attached to the database.
+ */
+
+
+isc_result_t
+dns_cache_setfilename(dns_cache_t *cahce, char *filename);
+/*
+ * If 'filename' is non-NULL, make the cache persistent.
+ * The cache's data will be stored in the given file.
+ * If 'filename' is NULL, make the cache non-persistent.
+ * Files that are no longer used are not unlinked automatically.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * Various file-related failures
+ */
+
+isc_result_t
+dns_cache_load(dns_cache_t *cache);
+/*
+ * If the cache has a file name, load the cache contents from the file.
+ * Previous cache contents are not discarded.
+ * If no file name has been set, do nothing and return success.
+ *
+ * MT:
+ * Multiple simultaneous attempts to load or dump the cache
+ * will be serialized with respect to one another, but
+ * the cache may be read and updated while the dump is
+ * in progress. Updates performed during loading
+ * may or may not be preserved, and reads may return
+ * either the old or the newly loaded data.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_dump(dns_cache_t *cache);
+/*
+ * If the cache has a file name, write the cache contents to disk,
+ * overwriting any preexisting file. If no file name has been set,
+ * do nothing and return success.
+ *
+ * MT:
+ * Multiple simultaneous attempts to load or dump the cache
+ * will be serialized with respect to one another, but
+ * the cache may be read and updated while the dump is
+ * in progress. Updates performed during the dump may
+ * or may not be reflected in the dumped file.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * Various failures depending on the database implementation type
+ */
+
+isc_result_t
+dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now);
+/*
+ * Force immediate cleaning of the cache, freeing all rdatasets
+ * whose TTL has expired as of 'now' and that have no pending
+ * references.
+ */
+
+void
+dns_cache_setcleaninginterval(dns_cache_t *cache, unsigned int interval);
+/*
+ * Set the periodic cache cleaning interval to 'interval' seconds.
+ */
+
+void
+dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size);
+/*
+ * Set the maximum cache size. 0 means unlimited.
+ */
+
+isc_result_t
+dns_cache_flush(dns_cache_t *cache);
+/*
+ * Flushes all data from the cache.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_cache_flushname(dns_cache_t *cache, dns_name_t *name);
+/*
+ * Flushes a given name from the cache.
+ *
+ * Requires:
+ * 'cache' to be valid.
+ * 'name' to be valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * other error returns.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CACHE_H */
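Review bot: The comment on `dns_cache_setfilename()` has no Requires section and does not say whether the cache copies 'filename' or keeps the caller's pointer. That matters because `dns_cache_dump()` is documented just below as overwriting any preexisting file at that path, so the lifetime and the origin of the string are part of the contract. I would add `Requires: 'cache' is a valid cache.` and one sentence on who owns 'filename' after the call, and declare the parameter `const char *filename` if the implementation does not modify it (not visible in this header). The parameter name `cahce` in the prototype should read `cache`.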
diff --git a/contrib/bind9/lib/dns/include/dns/callbacks.h b/contrib/bind9/lib/dns/include/dns/callbacks.h
new file mode 100644
index 0000000..9c2710a
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/callbacks.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: callbacks.h,v 1.15.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
+
+#ifndef DNS_CALLBACKS_H
+#define DNS_CALLBACKS_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+struct dns_rdatacallbacks {
+ /*
+ * dns_load_master calls this when it has rdatasets to commit.
+ */
+ dns_addrdatasetfunc_t add;
+ /*
+ * dns_load_master / dns_rdata_fromtext call this to issue a error.
+ */
+ void (*error)(struct dns_rdatacallbacks *, const char *, ...);
+ /*
+ * dns_load_master / dns_rdata_fromtext call this to issue a warning.
+ */
+ void (*warn)(struct dns_rdatacallbacks *, const char *, ...);
+ /*
+ * Private data handles for use by the above callback functions.
+ */
+ void *add_private;
+ void *error_private;
+ void *warn_private;
+};
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdatacallbacks_init(dns_rdatacallbacks_t *callbacks);
+/*
+ * Initialize 'callbacks'.
+ * 'error' and 'warn' are set to default callbacks that print the
+ * error message through the DNS library log context.
+ *
+ * All other elements are initialized to NULL.
+ *
+ * Requires:
+ * 'callbacks' is a valid dns_rdatacallbacks_t,
+ */
+
+void
+dns_rdatacallbacks_init_stdio(dns_rdatacallbacks_t *callbacks);
+/*
+ * Like dns_rdatacallbacks_init, but logs to stdio.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CALLBACKS_H */
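Review bot: The `error` and `warn` members take `const char *, ...`, but neither comment says that the second argument is a printf-style format string, which is what the variadic signature suggests. The comments say both are called from master-file loading and rdata text parsing, so the contract should state that text taken from the input is passed as an argument and never as the format itself. I would add `The second argument is a printf-style format; input text is passed as an argument, not as the format.` above each member. `issue a error` should read `issue an error`, and the Requires line of `dns_rdatacallbacks_init()` ends in a stray comma.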
diff --git a/contrib/bind9/lib/dns/include/dns/cert.h b/contrib/bind9/lib/dns/include/dns/cert.h
new file mode 100644
index 0000000..28a3d4c
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/cert.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cert.h,v 1.12.206.1 2004/03/06 08:13:51 marka Exp $ */
+
+#ifndef DNS_CERT_H
+#define DNS_CERT_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a certificate type.
+ * The text may contain either a mnemonic type name or a decimal type number.
+ *
+ * Requires:
+ * 'certp' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_RANGE numeric type is out of range
+ * DNS_R_UNKNOWN mnemonic type is unknown
+ */
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target);
+/*
+ * Put a textual representation of certificate type 'cert' into 'target'.
+ *
+ * Requires:
+ * 'cert' is a valid cert.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_CERT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/compress.h b/contrib/bind9/lib/dns/include/dns/compress.h
new file mode 100644
index 0000000..0f6451c
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/compress.h
@@ -0,0 +1,248 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: compress.h,v 1.29.2.2.8.1 2004/03/06 08:13:51 marka Exp $ */
+
+#ifndef DNS_COMPRESS_H
+#define DNS_COMPRESS_H 1
+
+#include <isc/lang.h>
+#include <isc/region.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_COMPRESS_NONE 0x00 /* no compression */
+#define DNS_COMPRESS_GLOBAL14 0x01 /* "normal" compression. */
+#define DNS_COMPRESS_ALL 0x01 /* all compression. */
+
+/*
+ * Direct manipulation of the structures is strongly discouraged.
+ */
+
+#define DNS_COMPRESS_TABLESIZE 64
+#define DNS_COMPRESS_INITIALNODES 16
+
+typedef struct dns_compressnode dns_compressnode_t;
+
+struct dns_compressnode {
+ isc_region_t r;
+ isc_uint16_t offset;
+ isc_uint16_t count;
+ isc_uint8_t labels;
+ dns_compressnode_t *next;
+};
+
+struct dns_compress {
+ unsigned int magic; /* Magic number. */
+ unsigned int allowed; /* Allowed methods. */
+ int edns; /* Edns version or -1. */
+ /* Global compression table. */
+ dns_compressnode_t *table[DNS_COMPRESS_TABLESIZE];
+ /* Preallocated nodes for the table. */
+ dns_compressnode_t initialnodes[DNS_COMPRESS_INITIALNODES];
+ isc_uint16_t count; /* Number of nodes. */
+ isc_mem_t *mctx; /* Memory context. */
+};
+
+typedef enum {
+ DNS_DECOMPRESS_ANY, /* Any compression */
+ DNS_DECOMPRESS_STRICT, /* Allowed compression */
+ DNS_DECOMPRESS_NONE /* No compression */
+} dns_decompresstype_t;
+
+struct dns_decompress {
+ unsigned int magic; /* Magic number. */
+ unsigned int allowed; /* Allowed methods. */
+ int edns; /* Edns version or -1. */
+ dns_decompresstype_t type; /* Strict checking */
+};
+
+isc_result_t
+dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
+/*
+ * Inialise the compression context structure pointed to by 'cctx'.
+ *
+ * Requires:
+ * 'cctx' is a valid dns_compress_t structure.
+ * 'mctx' is an initialized memory context.
+ * Ensures:
+ * cctx->global is initialized.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * failures from dns_rbt_create()
+ */
+
+void
+dns_compress_invalidate(dns_compress_t *cctx);
+
+/*
+ * Invalidate the compression structure pointed to by cctx.
+ *
+ * Requires:
+ * 'cctx' to be initialized.
+ */
+
+void
+dns_compress_setmethods(dns_compress_t *cctx, unsigned int allowed);
+
+/*
+ * Sets allowed compression methods.
+ *
+ * Requires:
+ * 'cctx' to be initialized.
+ */
+
+unsigned int
+dns_compress_getmethods(dns_compress_t *cctx);
+
+/*
+ * Gets allowed compression methods.
+ *
+ * Requires:
+ * 'cctx' to be initialized.
+ *
+ * Returns:
+ * allowed compression bitmap.
+ */
+
+int
+dns_compress_getedns(dns_compress_t *cctx);
+
+/*
+ * Gets edns value.
+ *
+ * Requires:
+ * 'cctx' to be initialized.
+ *
+ * Returns:
+ * -1 .. 255
+ */
+
+isc_boolean_t
+dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
+ dns_name_t *prefix, isc_uint16_t *offset);
+/*
+ * Finds longest possible match of 'name' in the global compression table.
+ *
+ * Requires:
+ * 'cctx' to be initialized.
+ * 'name' to be a absolute name.
+ * 'prefix' to be initialized.
+ * 'offset' to point to an isc_uint16_t.
+ *
+ * Ensures:
+ * 'prefix' and 'offset' are valid if ISC_TRUE is returned.
+ *
+ * Returns:
+ * ISC_TRUE / ISC_FALSE
+ */
+
+void
+dns_compress_add(dns_compress_t *cctx, dns_name_t *name, dns_name_t *prefix,
+ isc_uint16_t offset);
+/*
+ * Add compression pointers for 'name' to the compression table,
+ * not replacing existing pointers.
+ *
+ * Requires:
+ * 'cctx' initialized
+ *
+ * 'name' must be initialized and absolute, and must remain
+ * valid until the message compression is complete.
+ *
+ * 'prefix' must be a prefix returned by
+ * dns_compress_findglobal(), or the same as 'name'.
+ */
+
+void
+dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset);
+
+/*
+ * Remove any compression pointers from global table >= offset.
+ *
+ * Requires:
+ * 'cctx' is initialized.
+ */
+
+void
+dns_decompress_init(dns_decompress_t *dctx, int edns,
+ dns_decompresstype_t type);
+
+/*
+ * Initializes 'dctx'.
+ * Records 'edns' and 'type' into the structure.
+ *
+ * Requires:
+ * 'dctx' to be a valid pointer.
+ */
+
+void
+dns_decompress_invalidate(dns_decompress_t *dctx);
+
+/*
+ * Invalidates 'dctx'.
+ *
+ * Requires:
+ * 'dctx' to be initialized
+ */
+
+void
+dns_decompress_setmethods(dns_decompress_t *dctx, unsigned int allowed);
+
+/*
+ * Sets 'dctx->allowed' to 'allowed'.
+ *
+ * Requires:
+ * 'dctx' to be initialized
+ */
+
+unsigned int
+dns_decompress_getmethods(dns_decompress_t *dctx);
+
+/*
+ * Returns 'dctx->allowed'
+ *
+ * Requires:
+ * 'dctx' to be initialized
+ */
+
+int
+dns_decompress_edns(dns_decompress_t *dctx);
+
+/*
+ * Returns 'dctx->edns'
+ *
+ * Requires:
+ * 'dctx' to be initialized
+ */
+
+dns_decompresstype_t
+dns_decompress_type(dns_decompress_t *dctx);
+
+/*
+ * Returns 'dctx->type'
+ *
+ * Requires:
+ * 'dctx' to be initialized
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_COMPRESS_H */
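Review bot: The comment on `dns_compress_init()` describes a structure this header does not declare. It promises `cctx->global is initialized` and lists `failures from dns_rbt_create()`, while `struct dns_compress` in the same hunk has no `global` member and keeps its entries in `table[DNS_COMPRESS_TABLESIZE]` with preallocated `initialnodes`. The Ensures and Returns lines look left over from an earlier implementation and should be rewritten against the current fields, for example `Ensures: the compression table of 'cctx' is empty.` once that is checked against compress.c. `Inialise` in the same comment should read `Initialise`.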
diff --git a/contrib/bind9/lib/dns/include/dns/db.h b/contrib/bind9/lib/dns/include/dns/db.h
new file mode 100644
index 0000000..8e08882
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/db.h
@@ -0,0 +1,1271 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: db.h,v 1.67.12.8 2004/05/14 05:06:41 marka Exp $ */
+
+#ifndef DNS_DB_H
+#define DNS_DB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB
+ *
+ * The DNS DB interface allows named rdatasets to be stored and retrieved.
+ *
+ * The dns_db_t type is like a "virtual class". To actually use
+ * DBs, an implementation of the class is required.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/stdtime.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbmethods {
+ void (*attach)(dns_db_t *source, dns_db_t **targetp);
+ void (*detach)(dns_db_t **dbp);
+ isc_result_t (*beginload)(dns_db_t *db, dns_addrdatasetfunc_t *addp,
+ dns_dbload_t **dbloadp);
+ isc_result_t (*endload)(dns_db_t *db, dns_dbload_t **dbloadp);
+ isc_result_t (*dump)(dns_db_t *db, dns_dbversion_t *version,
+ const char *filename);
+ void (*currentversion)(dns_db_t *db,
+ dns_dbversion_t **versionp);
+ isc_result_t (*newversion)(dns_db_t *db,
+ dns_dbversion_t **versionp);
+ void (*attachversion)(dns_db_t *db, dns_dbversion_t *source,
+ dns_dbversion_t **targetp);
+ void (*closeversion)(dns_db_t *db,
+ dns_dbversion_t **versionp,
+ isc_boolean_t commit);
+ isc_result_t (*findnode)(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create,
+ dns_dbnode_t **nodep);
+ isc_result_t (*find)(dns_db_t *db, dns_name_t *name,
+ dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options,
+ isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset);
+ isc_result_t (*findzonecut)(dns_db_t *db, dns_name_t *name,
+ unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep,
+ dns_name_t *foundname,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset);
+ void (*attachnode)(dns_db_t *db,
+ dns_dbnode_t *source,
+ dns_dbnode_t **targetp);
+ void (*detachnode)(dns_db_t *db,
+ dns_dbnode_t **targetp);
+ isc_result_t (*expirenode)(dns_db_t *db, dns_dbnode_t *node,
+ isc_stdtime_t now);
+ void (*printnode)(dns_db_t *db, dns_dbnode_t *node,
+ FILE *out);
+ isc_result_t (*createiterator)(dns_db_t *db,
+ isc_boolean_t relative_names,
+ dns_dbiterator_t **iteratorp);
+ isc_result_t (*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers,
+ isc_stdtime_t now,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset);
+ isc_result_t (*allrdatasets)(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ isc_stdtime_t now,
+ dns_rdatasetiter_t **iteratorp);
+ isc_result_t (*addrdataset)(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ isc_stdtime_t now,
+ dns_rdataset_t *rdataset,
+ unsigned int options,
+ dns_rdataset_t *addedrdataset);
+ isc_result_t (*subtractrdataset)(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ dns_rdataset_t *rdataset,
+ unsigned int options,
+ dns_rdataset_t *newrdataset);
+ isc_result_t (*deleterdataset)(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ dns_rdatatype_t type,
+ dns_rdatatype_t covers);
+ isc_boolean_t (*issecure)(dns_db_t *db);
+ unsigned int (*nodecount)(dns_db_t *db);
+ isc_boolean_t (*ispersistent)(dns_db_t *db);
+ void (*overmem)(dns_db_t *db, isc_boolean_t overmem);
+ void (*settask)(dns_db_t *db, isc_task_t *);
+} dns_dbmethods_t;
+
+typedef isc_result_t
+(*dns_dbcreatefunc_t)(isc_mem_t *mctx, dns_name_t *name,
+ dns_dbtype_t type, dns_rdataclass_t rdclass,
+ unsigned int argc, char *argv[], void *driverarg,
+ dns_db_t **dbp);
+
+#define DNS_DB_MAGIC ISC_MAGIC('D','N','S','D')
+#define DNS_DB_VALID(db) ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
+
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_db_t.
+ *
+ * Direct use of this structure by clients is forbidden. DB implementations
+ * may change the structure. 'magic' must be DNS_DB_MAGIC for any of the
+ * dns_db_ routines to work. DB implementations must maintain all DB
+ * invariants.
+ */
+struct dns_db {
+ unsigned int magic;
+ unsigned int impmagic;
+ dns_dbmethods_t * methods;
+ isc_uint16_t attributes;
+ dns_rdataclass_t rdclass;
+ dns_name_t origin;
+ isc_ondestroy_t ondest;
+ isc_mem_t * mctx;
+};
+
+#define DNS_DBATTR_CACHE 0x01
+#define DNS_DBATTR_STUB 0x02
+
+/*
+ * Options that can be specified for dns_db_find().
+ */
+#define DNS_DBFIND_GLUEOK 0x01
+#define DNS_DBFIND_VALIDATEGLUE 0x02
+#define DNS_DBFIND_NOWILD 0x04
+#define DNS_DBFIND_PENDINGOK 0x08
+#define DNS_DBFIND_NOEXACT 0x10
+#define DNS_DBFIND_FORCENSEC 0x20
+#define DNS_DBFIND_COVERINGNSEC 0x40
+
+/*
+ * Options that can be specified for dns_db_addrdataset().
+ */
+#define DNS_DBADD_MERGE 0x01
+#define DNS_DBADD_FORCE 0x02
+#define DNS_DBADD_EXACT 0x04
+#define DNS_DBADD_EXACTTTL 0x08
+
+/*
+ * Options that can be specified for dns_db_subtractrdataset().
+ */
+#define DNS_DBSUB_EXACT 0x01
+
+/*****
+ ***** Methods
+ *****/
+
+/***
+ *** Basic DB Methods
+ ***/
+
+isc_result_t
+dns_db_create(isc_mem_t *mctx, const char *db_type, dns_name_t *origin,
+ dns_dbtype_t type, dns_rdataclass_t rdclass,
+ unsigned int argc, char *argv[], dns_db_t **dbp);
+/*
+ * Create a new database using implementation 'db_type'.
+ *
+ * Notes:
+ * All names in the database must be subdomains of 'origin' and in class
+ * 'rdclass'. The database makes its own copy of the origin, so the
+ * caller may do whatever they like with 'origin' and its storage once the
+ * call returns.
+ *
+ * DB implementation-specific parameters are passed using argc and argv.
+ *
+ * Requires:
+ *
+ * dbp != NULL and *dbp == NULL
+ *
+ * 'origin' is a valid absolute domain name.
+ *
+ * mctx is a valid memory context
+ *
+ * Ensures:
+ *
+ * A copy of 'origin' has been made for the databases use, and the
+ * caller is free to do whatever they want with the name and storage
+ * associated with 'origin'.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOTFOUND db_type not found
+ *
+ * Many other errors are possible, depending on what db_type was
+ * specified.
+ */
+
+void
+dns_db_attach(dns_db_t *source, dns_db_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * 'source' is a valid database.
+ *
+ * 'targetp' points to a NULL dns_db_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ */
+
+void
+dns_db_detach(dns_db_t **dbp);
+/*
+ * Detach *dbp from its database.
+ *
+ * Requires:
+ *
+ * 'dbp' points to a valid database.
+ *
+ * Ensures:
+ *
+ * *dbp is NULL.
+ *
+ * If '*dbp' is the last reference to the database,
+ *
+ * All resources used by the database will be freed
+ */
+
+isc_result_t
+dns_db_ondestroy(dns_db_t *db, isc_task_t *task, isc_event_t **eventp);
+/*
+ * Causes 'eventp' to be sent to be sent to 'task' when the database is
+ * destroyed.
+ *
+ * Note; ownership of the eventp is taken from the caller (and *eventp is
+ * set to NULL). The sender field of the event is set to 'db' before it is
+ * sent to the task.
+ */
+
+isc_boolean_t
+dns_db_iscache(dns_db_t *db);
+/*
+ * Does 'db' have cache semantics?
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ * ISC_TRUE 'db' has cache semantics
+ * ISC_FALSE otherwise
+ */
+
+isc_boolean_t
+dns_db_iszone(dns_db_t *db);
+/*
+ * Does 'db' have zone semantics?
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ * ISC_TRUE 'db' has zone semantics
+ * ISC_FALSE otherwise
+ */
+
+isc_boolean_t
+dns_db_isstub(dns_db_t *db);
+/*
+ * Does 'db' have stub semantics?
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ * ISC_TRUE 'db' has zone semantics
+ * ISC_FALSE otherwise
+ */
+
+isc_boolean_t
+dns_db_issecure(dns_db_t *db);
+/*
+ * Is 'db' secure?
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * ISC_TRUE 'db' is secure.
+ * ISC_FALSE 'db' is not secure.
+ */
+
+dns_name_t *
+dns_db_origin(dns_db_t *db);
+/*
+ * The origin of the database.
+ *
+ * Note: caller must not try to change this name.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ *
+ * The origin of the database.
+ */
+
+dns_rdataclass_t
+dns_db_class(dns_db_t *db);
+/*
+ * The class of the database.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ *
+ * The class of the database.
+ */
+
+isc_result_t
+dns_db_beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp,
+ dns_dbload_t **dbloadp);
+/*
+ * Begin loading 'db'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * This is the first attempt to load 'db'.
+ *
+ * addp != NULL && *addp == NULL
+ *
+ * dbloadp != NULL && *dbloadp == NULL
+ *
+ * Ensures:
+ *
+ * On success, *addp will be a valid dns_addrdatasetfunc_t suitable
+ * for loading 'db'. *dbloadp will be a valid DB load context which
+ * should be used as 'arg' when *addp is called.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other results are possible, depending upon the database
+ * implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_endload(dns_db_t *db, dns_dbload_t **dbloadp);
+/*
+ * Finish loading 'db'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database that is being loaded.
+ *
+ * dbloadp != NULL and *dbloadp is a valid database load context.
+ *
+ * Ensures:
+ *
+ * *dbloadp == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other results are possible, depending upon the database
+ * implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_load(dns_db_t *db, const char *filename);
+/*
+ * Load master file 'filename' into 'db'.
+ *
+ * Notes:
+ * This routine is equivalent to calling
+ *
+ * dns_db_beginload();
+ * dns_master_loadfile();
+ * dns_db_endload();
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * This is the first attempt to load 'db'.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other results are possible, depending upon the database
+ * implementation used, syntax errors in the master file, etc.
+ */
+
+isc_result_t
+dns_db_dump(dns_db_t *db, dns_dbversion_t *version, const char *filename);
+/*
+ * Dump version 'version' of 'db' to master file 'filename'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'version' is a valid version.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other results are possible, depending upon the database
+ * implementation used, OS file errors, etc.
+ */
+
+/***
+ *** Version Methods
+ ***/
+
+void
+dns_db_currentversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*
+ * Open the current version for reading.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with zone semantics.
+ *
+ * versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*versionp' is attached to the current version.
+ *
+ */
+
+isc_result_t
+dns_db_newversion(dns_db_t *db, dns_dbversion_t **versionp);
+/*
+ * Open a new version for reading and writing.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with zone semantics.
+ *
+ * versionp != NULL && *verisonp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*versionp' is attached to the current version.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+void
+dns_db_attachversion(dns_db_t *db, dns_dbversion_t *source,
+ dns_dbversion_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with zone semantics.
+ *
+ * source is a valid open version
+ *
+ * targetp != NULL && *targetp == NULL
+ *
+ * Ensures:
+ *
+ * '*targetp' is attached to source.
+ */
+
+void
+dns_db_closeversion(dns_db_t *db, dns_dbversion_t **versionp,
+ isc_boolean_t commit);
+/*
+ * Close version '*versionp'.
+ *
+ * Note: if '*versionp' is a read-write version and 'commit' is ISC_TRUE,
+ * then all changes made in the version will take effect, otherwise they
+ * will be rolled back. The value if 'commit' is ignored for read-only
+ * versions.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with zone semantics.
+ *
+ * '*versionp' refers to a valid version.
+ *
+ * If committing a writable version, then there must be no other
+ * outstanding references to the version (e.g. an active rdataset
+ * iterator).
+ *
+ * Ensures:
+ *
+ * *versionp == NULL
+ *
+ * If *versionp is a read-write version, and commit is ISC_TRUE, then
+ * the version will become the current version. If !commit, then all
+ * changes made in the version will be undone, and the version will
+ * not become the current version.
+ */
+
+/***
+ *** Node Methods
+ ***/
+
+isc_result_t
+dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+ dns_dbnode_t **nodep);
+/*
+ * Find the node with name 'name'.
+ *
+ * Notes:
+ * If 'create' is ISC_TRUE and no node with name 'name' exists, then
+ * such a node will be created.
+ *
+ * This routine is for finding or creating a node with the specified
+ * name. There are no partial matches. It is not suitable for use
+ * in building responses to ordinary DNS queries; clients which wish
+ * to do that should use dns_db_find() instead.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'name' is a valid, non-empty, absolute name.
+ *
+ * nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND If !create and name not found.
+ * ISC_R_NOMEMORY Can only happen if create is ISC_TRUE.
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the best match for 'name' and 'type' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * If type == dns_rdataset_any, then rdataset will not be bound.
+ *
+ * If 'options' does not have DNS_DBFIND_GLUEOK set, then no glue will
+ * be returned. For zone databases, glue is as defined in RFC 2181.
+ * For cache databases, glue is any rdataset with a trust of
+ * dns_trust_glue.
+ *
+ * If 'options' does not have DNS_DBFIND_PENDINGOK set, then no
+ * pending data will be returned. This option is only meaningful for
+ * cache databases.
+ *
+ * If the DNS_DBFIND_NOWILD option is set, then wildcard matching will
+ * be disabled. This option is only meaningful for zone databases.
+ *
+ * If the DNS_DBFIND_FORCENSEC option is set, the database is assumed to
+ * have NSEC records, and these will be returned when appropriate. This
+ * is only necessary when querying a database that was not secure
+ * when created.
+ *
+ * If the DNS_DBFIND_COVERINGNSEC option is set, then look for a
+ * NSEC record that potentially covers 'name' if a answer cannot
+ * be found. Note the returned NSEC needs to be checked to ensure
+ * that it is correct. This only affects answers returned from the
+ * cache.
+ *
+ * To respond to a query for SIG records, the caller should create a
+ * rdataset iterator and extract the signatures from each rdataset.
+ *
+ * Making queries of type ANY with DNS_DBFIND_GLUEOK is not recommended,
+ * because the burden of determining whether a given rdataset is valid
+ * glue or not falls upon the caller.
+ *
+ * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
+ * cache database, an rdataset will not be found unless it expires after
+ * 'now'. Any ANY query will not match unless at least one rdataset at
+ * the node expires after 'now'. If 'now' is zero, then the current time
+ * will be used.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'type' is not SIG, or a meta-RR type other than 'ANY' (e.g. 'OPT').
+ *
+ * 'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * 'foundname' is a valid name with a dedicated buffer.
+ *
+ * 'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures:
+ * On a non-error completion:
+ *
+ * If nodep != NULL, then it is bound to the found node.
+ *
+ * If foundname != NULL, then it contains the full name of the
+ * found node.
+ *
+ * If rdataset != NULL and type != dns_rdatatype_any, then
+ * rdataset is bound to the found rdataset.
+ *
+ * Returns:
+ *
+ * Non-error results are:
+ *
+ * ISC_R_SUCCESS The desired node and type were
+ * found.
+ *
+ * DNS_R_WILDCARD The desired node and type were
+ * found after performing
+ * wildcard matching. This is
+ * only returned if the
+ * DNS_DBFIND_INDICATEWILD
+ * option is set; otherwise
+ * ISC_R_SUCCESS is returned.
+ *
+ * DNS_R_GLUE The desired node and type were
+ * found, but are glue. This
+ * result can only occur if
+ * the DNS_DBFIND_GLUEOK option
+ * is set. This result can only
+ * occur if 'db' is a zone
+ * database. If type ==
+ * dns_rdatatype_any, then the
+ * node returned may contain, or
+ * consist entirely of invalid
+ * glue (i.e. data occluded by a
+ * zone cut). The caller must
+ * take care not to return invalid
+ * glue to a client.
+ *
+ * DNS_R_DELEGATION The data requested is beneath
+ * a zone cut. node, foundname,
+ * and rdataset reference the
+ * NS RRset of the zone cut.
+ * If 'db' is a cache database,
+ * then this is the deepest known
+ * delegation.
+ *
+ * DNS_R_ZONECUT type == dns_rdatatype_any, and
+ * the desired node is a zonecut.
+ * The caller must take care not
+ * to return inappropriate glue
+ * to a client. This result can
+ * only occur if 'db' is a zone
+ * database and DNS_DBFIND_GLUEOK
+ * is set.
+ *
+ * DNS_R_DNAME The data requested is beneath
+ * a DNAME. node, foundname,
+ * and rdataset reference the
+ * DNAME RRset.
+ *
+ * DNS_R_CNAME The rdataset requested was not
+ * found, but there is a CNAME
+ * at the desired name. node,
+ * foundname, and rdataset
+ * reference the CNAME RRset.
+ *
+ * DNS_R_NXDOMAIN The desired name does not
+ * exist.
+ *
+ * DNS_R_NXRRSET The desired name exists, but
+ * the desired type does not.
+ *
+ * ISC_R_NOTFOUND The desired name does not
+ * exist, and no delegation could
+ * be found. This result can only
+ * occur if 'db' is a cache
+ * database. The caller should
+ * use its nameserver(s) of last
+ * resort (e.g. root hints).
+ *
+ * DNS_R_NCACHENXDOMAIN The desired name does not
+ * exist. 'node' is bound to the
+ * cache node with the desired
+ * name, and 'rdataset' contains
+ * the negative caching proof.
+ *
+ * DNS_R_NCACHENXRRSET The desired type does not
+ * exist. 'node' is bound to the
+ * cache node with the desired
+ * name, and 'rdataset' contains
+ * the negative caching proof.
+ *
+ * DNS_R_EMPTYNAME The name exists but there is
+ * no data at the name.
+ *
+ * DNS_R_COVERINGNSEC The returned data is a NSEC
+ * that potentially covers 'name'.
+ *
+ * Error results:
+ *
+ * ISC_R_NOMEMORY
+ *
+ * DNS_R_BADDB Data that is required to be
+ * present in the DB, e.g. an NSEC
+ * record in a secure zone, is not
+ * present.
+ *
+ * Other results are possible, and should all be treated as
+ * errors.
+ */
+
+isc_result_t
+dns_db_findzonecut(dns_db_t *db, dns_name_t *name,
+ unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the deepest known zonecut which encloses 'name' in 'db'.
+ *
+ * Notes:
+ *
+ * If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ * (if any) will be the deepest known ancestor of 'name'.
+ *
+ * If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database with cache semantics.
+ *
+ * 'nodep' is NULL, or nodep is a valid pointer and *nodep == NULL.
+ *
+ * 'foundname' is a valid name with a dedicated buffer.
+ *
+ * 'rdataset' is NULL, or is a valid unassociated rdataset.
+ *
+ * Ensures:
+ * On a non-error completion:
+ *
+ * If nodep != NULL, then it is bound to the found node.
+ *
+ * If foundname != NULL, then it contains the full name of the
+ * found node.
+ *
+ * If rdataset != NULL and type != dns_rdatatype_any, then
+ * rdataset is bound to the found rdataset.
+ *
+ * Returns:
+ *
+ * Non-error results are:
+ *
+ * ISC_R_SUCCESS
+ *
+ * ISC_R_NOTFOUND
+ *
+ * Other results are possible, and should all be treated as
+ * errors.
+ */
+
+void
+dns_db_attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'source' is a valid node.
+ *
+ * 'targetp' points to a NULL dns_node_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ */
+
+void
+dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
+/*
+ * Detach *nodep from its node.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'nodep' points to a valid node.
+ *
+ * Ensures:
+ *
+ * *nodep is NULL.
+ */
+
+isc_result_t
+dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
+/*
+ * Mark as stale all records at 'node' which expire at or before 'now'.
+ *
+ * Note: if 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * 'db' is a valid cache database.
+ *
+ * 'node' is a valid node.
+ */
+
+void
+dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
+/*
+ * Print a textual representation of the contents of the node to
+ * 'out'.
+ *
+ * Note: this function is intended for debugging, not general use.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ */
+
+/***
+ *** DB Iterator Creation
+ ***/
+
+isc_result_t
+dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+ dns_dbiterator_t **iteratorp);
+/*
+ * Create an iterator for version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * If 'relative_names' is ISC_TRUE, then node names returned by the
+ * iterator will be relative to the iterator's current origin. If
+ * ISC_FALSE, then the node names will be absolute.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * On success, *iteratorp will be a valid database iterator.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+/***
+ *** Rdataset Methods
+ ***/
+
+/*
+ * XXXRTH Should we check for glue and pending data in dns_db_findrdataset()?
+ */
+
+isc_result_t
+dns_db_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset);
+/*
+ * Search for an rdataset of type 'type' at 'node' that are in version
+ * 'version' of 'db'. If found, make 'rdataset' refer to it.
+ *
+ * Notes:
+ *
+ * If 'version' is NULL, then the current version will be used.
+ *
+ * Care must be used when using this routine to build a DNS response:
+ * 'node' should have been found with dns_db_find(), not
+ * dns_db_findnode(). No glue checking is done. No checking for
+ * pending data is done.
+ *
+ * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
+ * cache database, an rdataset will not be found unless it expires after
+ * 'now'. If 'now' is zero, then the current time will be used.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * 'sigrdataset' is a valid, disassociated rdataset, or it is NULL.
+ *
+ * If 'covers' != 0, 'type' must be SIG.
+ *
+ * 'type' is not a meta-RR type such as 'ANY' or 'OPT'.
+ *
+ * Ensures:
+ *
+ * On success, 'rdataset' is associated with the found rdataset.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
+/*
+ * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * If 'version' is NULL, then the current version will be used.
+ *
+ * The 'now' field is ignored if 'db' is a zone database. If 'db' is a
+ * cache database, an rdataset will not be found unless it expires after
+ * 'now'. Any ANY query will not match unless at least one rdataset at
+ * the node expires after 'now'. If 'now' is zero, then the current time
+ * will be used.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ *
+ * iteratorp != NULL && *iteratorp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*iteratorp' is a valid rdataset iterator.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ unsigned int options, dns_rdataset_t *addedrdataset);
+/*
+ * Add 'rdataset' to 'node' in version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * If the database has zone semantics, the DNS_DBADD_MERGE option is set,
+ * and an rdataset of the same type as 'rdataset' already exists at
+ * 'node' then the contents of 'rdataset' will be merged with the existing
+ * rdataset. If the option is not set, then rdataset will replace any
+ * existing rdataset of the same type. If not merging and the
+ * DNS_DBADD_FORCE option is set, then the data will update the database
+ * without regard to trust levels. If not forcing the data, then the
+ * rdataset will only be added if its trust level is >= the trust level of
+ * any existing rdataset. Forcing is only meaningful for cache databases.
+ * If DNS_DBADD_EXACT is set then there must be no rdata in common between
+ * the old and new rdata sets. If DNS_DBADD_EXACTTTL is set then both
+ * the old and new rdata sets must have the same ttl.
+ *
+ * The 'now' field is ignored if 'db' is a zone database. If 'db' is
+ * a cache database, then the added rdataset will expire no later than
+ * now + rdataset->ttl.
+ *
+ * If 'addedrdataset' is not NULL, then it will be attached to the
+ * resulting new rdataset in the database, or to the existing data if
+ * the existing data was better.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ *
+ * 'rdataset' is a valid, associated rdataset with the same class
+ * as 'db'.
+ *
+ * 'addedrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * The database has zone semantics and 'version' is a valid
+ * read-write version, or the database has cache semantics
+ * and version is NULL.
+ *
+ * If the database has cache semantics, the DNS_DBADD_MERGE option must
+ * not be set.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * DNS_R_UNCHANGED The operation did not change anything.
+ * ISC_R_NOMEMORY
+ * DNS_R_NOTEXACT
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_subtractrdataset(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version, dns_rdataset_t *rdataset,
+ unsigned int options, dns_rdataset_t *newrdataset);
+/*
+ * Remove any rdata in 'rdataset' from 'node' in version 'version' of
+ * 'db'.
+ *
+ * Notes:
+ *
+ * If 'newrdataset' is not NULL, then it will be attached to the
+ * resulting new rdataset in the database, unless the rdataset has
+ * become nonexistent. If DNS_DBSUB_EXACT is set then all elements
+ * of 'rdataset' must exist at 'node'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ *
+ * 'rdataset' is a valid, associated rdataset with the same class
+ * as 'db'.
+ *
+ * 'newrdataset' is NULL, or a valid, unassociated rdataset.
+ *
+ * The database has zone semantics and 'version' is a valid
+ * read-write version.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * DNS_R_UNCHANGED The operation did not change anything.
+ * DNS_R_NXRRSET All rdata of the same type as those
+ * in 'rdataset' have been deleted.
+ * DNS_R_NOTEXACT Some part of 'rdataset' did not
+ * exist and DNS_DBSUB_EXACT was set.
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version, dns_rdatatype_t type,
+ dns_rdatatype_t covers);
+/*
+ * Make it so that no rdataset of type 'type' exists at 'node' in version
+ * version 'version' of 'db'.
+ *
+ * Notes:
+ *
+ * If 'type' is dns_rdatatype_any, then no rdatasets will exist in
+ * 'version' (provided that the dns_db_deleterdataset() isn't followed
+ * by one or more dns_db_addrdataset() calls).
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * 'node' is a valid node.
+ *
+ * The database has zone semantics and 'version' is a valid
+ * read-write version, or the database has cache semantics
+ * and version is NULL.
+ *
+ * 'type' is not a meta-RR type, except for dns_rdatatype_any, which is
+ * allowed.
+ *
+ * If 'covers' != 0, 'type' must be SIG.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * DNS_R_UNCHANGED No rdatasets of 'type' existed before
+ * the operation was attempted.
+ *
+ * Other results are possible, depending upon the database
+ * implementation used.
+ */
+
+isc_result_t
+dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
+/*
+ * Get the current SOA serial number from a zone database.
+ *
+ * Requires:
+ * 'db' is a valid database with zone semantics.
+ * 'ver' is a valid version.
+ */
+
+void
+dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
+/*
+ * Enable / disable agressive cache cleaning.
+ */
+
+unsigned int
+dns_db_nodecount(dns_db_t *db);
+/*
+ * Count the number of nodes in 'db'.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ * The number of nodes in the database
+ */
+
+void
+dns_db_settask(dns_db_t *db, isc_task_t *task);
+/*
+ * If task is set then the final detach maybe performed asynchronously.
+ *
+ * Requires:
+ * 'db' is a valid database.
+ * 'task' to be valid or NULL.
+ */
+
+isc_boolean_t
+dns_db_ispersistent(dns_db_t *db);
+/*
+ * Is 'db' persistent? A persistent database does not need to be loaded
+ * from disk or written to disk.
+ *
+ * Requires:
+ *
+ * 'db' is a valid database.
+ *
+ * Returns:
+ * ISC_TRUE 'db' is persistent.
+ * ISC_FALSE 'db' is not persistent.
+ */
+
+isc_result_t
+dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
+ isc_mem_t *mctx, dns_dbimplementation_t **dbimp);
+
+/*
+ * Register a new database implementation and add it to the list of
+ * supported implementations.
+ *
+ * Requires:
+ *
+ * 'name' is not NULL
+ * 'order' is a valid function pointer
+ * 'mctx' is a valid memory context
+ * dbimp != NULL && *dbimp == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS The registration succeeded
+ * ISC_R_NOMEMORY Out of memory
+ * ISC_R_EXISTS A database implementation with the same name exists
+ *
+ * Ensures:
+ *
+ * *dbimp points to an opaque structure which must be passed to
+ * dns_db_unregister().
+ */
+
+void
+dns_db_unregister(dns_dbimplementation_t **dbimp);
+/*
+ * Remove a database implementation from the the list of supported
+ * implementations. No databases of this type can be active when this
+ * is called.
+ *
+ * Requires:
+ * dbimp != NULL && *dbimp == NULL
+ *
+ * Ensures:
+ *
+ * Any memory allocated in *dbimp will be freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbiterator.h b/contrib/bind9/lib/dns/include/dns/dbiterator.h
new file mode 100644
index 0000000..8b8cb1b
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dbiterator.h
@@ -0,0 +1,298 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dbiterator.h,v 1.18.206.1 2004/03/06 08:13:54 marka Exp $ */
+
+#ifndef DNS_DBITERATOR_H
+#define DNS_DBITERATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB Iterator
+ *
+ * The DNS DB Iterator interface allows iteration of all of the nodes in a
+ * database.
+ *
+ * The dns_dbiterator_t type is like a "virtual class". To actually use
+ * it, an implementation of the class is required. This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_db_detachnode() on all
+ * nodes returned.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ * The iterator itself is not locked. The caller must ensure
+ * synchronization.
+ *
+ * The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_dbiteratormethods {
+ void (*destroy)(dns_dbiterator_t **iteratorp);
+ isc_result_t (*first)(dns_dbiterator_t *iterator);
+ isc_result_t (*last)(dns_dbiterator_t *iterator);
+ isc_result_t (*seek)(dns_dbiterator_t *iterator, dns_name_t *name);
+ isc_result_t (*prev)(dns_dbiterator_t *iterator);
+ isc_result_t (*next)(dns_dbiterator_t *iterator);
+ isc_result_t (*current)(dns_dbiterator_t *iterator,
+ dns_dbnode_t **nodep, dns_name_t *name);
+ isc_result_t (*pause)(dns_dbiterator_t *iterator);
+ isc_result_t (*origin)(dns_dbiterator_t *iterator,
+ dns_name_t *name);
+} dns_dbiteratormethods_t;
+
+#define DNS_DBITERATOR_MAGIC ISC_MAGIC('D','N','S','I')
+#define DNS_DBITERATOR_VALID(dbi) ISC_MAGIC_VALID(dbi, DNS_DBITERATOR_MAGIC)
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_dbiterator_t.
+ *
+ * Clients may use the 'db' field of this structure. Except for that field,
+ * direct use of this structure by clients is forbidden. DB implementations
+ * may change the structure. 'magic' must be DNS_DBITERATOR_MAGIC for any of
+ * the dns_dbiterator routines to work. DB iterator implementations must
+ * maintain all DB iterator invariants.
+ */
+struct dns_dbiterator {
+ /* Unlocked. */
+ unsigned int magic;
+ dns_dbiteratormethods_t * methods;
+ dns_db_t * db;
+ isc_boolean_t relative_names;
+ isc_boolean_t cleaning;
+};
+
+void
+dns_dbiterator_destroy(dns_dbiterator_t **iteratorp);
+/*
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ * '*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ * All resources used by the iterator are freed.
+ *
+ * *iteratorp == NULL.
+ */
+
+isc_result_t
+dns_dbiterator_first(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the first node in the database (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no nodes in the database.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_last(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the last node in the database (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no nodes in the database.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name);
+/*
+ * Move the node cursor to the node with name 'name'.
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * 'name' is a valid name.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_prev(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the previous node in the database (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no more nodes in the
+ * database.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_next(dns_dbiterator_t *iterator);
+/*
+ * Move the node cursor to the next node in the database (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no more nodes in the
+ * database.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+ dns_name_t *name);
+/*
+ * Return the current node.
+ *
+ * Notes:
+ * If 'name' is not NULL, it will be set to the name of the node.
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * nodep != NULL && *nodep == NULL
+ *
+ * The node cursor of 'iterator' is at a valid location (i.e. the
+ * result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ * 'name' is NULL, or is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * DNS_R_NEWORIGIN If this iterator was created with
+ * 'relative_names' set to ISC_TRUE,
+ * then DNS_R_NEWORIGIN will be returned
+ * when the origin the names are
+ * relative to changes. This result
+ * can occur only when 'name' is not
+ * NULL. This is also a successful
+ * result.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_pause(dns_dbiterator_t *iterator);
+/*
+ * Pause iteration.
+ *
+ * Calling a cursor movement method or dns_dbiterator_current() may cause
+ * database locks to be acquired. Rather than reacquire these locks every
+ * time one of these routines is called, the locks may simply be held.
+ * Calling dns_dbiterator_pause() releases any such locks. Iterator clients
+ * should call this routine any time they are not going to execute another
+ * iterator method in the immediate future.
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Ensures:
+ * Any database locks being held for efficiency of iterator access are
+ * released.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name);
+/*
+ * Return the origin to which returned node names are relative.
+ *
+ * Requires:
+ *
+ * 'iterator' is a valid relative_names iterator.
+ *
+ * 'name' is a valid name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_dbiterator_setcleanmode(dns_dbiterator_t *iterator, isc_boolean_t mode);
+/*
+ * Indicate that the given iterator is/is not cleaning the DB.
+ *
+ * Notes:
+ * When 'mode' is ISC_TRUE,
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBITERATOR_H */
diff --git a/contrib/bind9/lib/dns/include/dns/dbtable.h b/contrib/bind9/lib/dns/include/dns/dbtable.h
new file mode 100644
index 0000000..3874b46
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dbtable.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dbtable.h,v 1.16.206.1 2004/03/06 08:13:55 marka Exp $ */
+
+#ifndef DNS_DBTABLE_H
+#define DNS_DBTABLE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS DB Tables
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * None.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DBTABLEFIND_NOEXACT 0x01
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dbtable_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ dns_dbtable_t **dbtablep);
+/*
+ * Make a new dbtable of class 'rdclass'
+ *
+ * Requires:
+ * mctx != NULL
+ * dbtablep != NULL && *dptablep == NULL
+ * 'rdclass' is a valid class
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+void
+dns_dbtable_attach(dns_dbtable_t *source, dns_dbtable_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * 'source' is a valid dbtable.
+ *
+ * 'targetp' points to a NULL dns_dbtable_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ */
+
+void
+dns_dbtable_detach(dns_dbtable_t **dbtablep);
+/*
+ * Detach *dbtablep from its dbtable.
+ *
+ * Requires:
+ *
+ * '*dbtablep' points to a valid dbtable.
+ *
+ * Ensures:
+ *
+ * *dbtablep is NULL.
+ *
+ * If '*dbtablep' is the last reference to the dbtable,
+ *
+ * All resources used by the dbtable will be freed
+ */
+
+isc_result_t
+dns_dbtable_add(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Add 'db' to 'dbtable'.
+ *
+ * Requires:
+ * 'dbtable' is a valid dbtable.
+ *
+ * 'db' is a valid database with the same class as 'dbtable'
+ */
+
+void
+dns_dbtable_remove(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Remove 'db' from 'dbtable'.
+ *
+ * Requires:
+ * 'db' was previously added to 'dbtable'.
+ */
+
+void
+dns_dbtable_adddefault(dns_dbtable_t *dbtable, dns_db_t *db);
+/*
+ * Use 'db' as the result of a dns_dbtable_find() if no better match is
+ * available.
+ */
+
+void
+dns_dbtable_getdefault(dns_dbtable_t *dbtable, dns_db_t **db);
+/*
+ * Get the 'db' used as the result of a dns_dbtable_find()
+ * if no better match is available.
+ */
+
+void
+dns_dbtable_removedefault(dns_dbtable_t *dbtable);
+/*
+ * Remove the default db from 'dbtable'.
+ */
+
+isc_result_t
+dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
+ unsigned int options, dns_db_t **dbp);
+/*
+ * Find the deepest match to 'name' in the dbtable, and return it
+ *
+ * Notes:
+ * If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
+ * match (if any) to 'name' will be returned.
+ *
+ * Returns: ISC_R_SUCCESS on success
+ * <something else> no default and match
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DBTABLE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/diff.h b/contrib/bind9/lib/dns/include/dns/diff.h
new file mode 100644
index 0000000..604f702
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/diff.h
@@ -0,0 +1,279 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: diff.h,v 1.4.12.3 2004/03/08 09:04:35 marka Exp $ */
+
+#ifndef DNS_DIFF_H
+#define DNS_DIFF_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * A diff is a convenience type representing a list of changes to be
+ * made to a database.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*
+ * A dns_difftuple_t represents a single RR being added or deleted.
+ * The RR type and class are in the 'rdata' member; the class is always
+ * the real one, not a DynDNS meta-class, so that the rdatas can be
+ * compared using dns_rdata_compare(). The TTL is significant
+ * even for deletions, because a deletion/addition pair cannot
+ * be canceled out if the TTL differs (it might be an explicit
+ * TTL update).
+ *
+ * Tuples are also used to represent complete RRs with owner
+ * names for a couple of other purposes, such as the
+ * individual RRs of a "RRset exists (value dependent)"
+ * prerequisite set. In this case, op==DNS_DIFFOP_EXISTS,
+ * and the TTL is ignored.
+ */
+
+typedef enum {
+ DNS_DIFFOP_ADD, /* Add an RR. */
+ DNS_DIFFOP_DEL, /* Delete an RR. */
+ DNS_DIFFOP_EXISTS /* Assert RR existence. */
+} dns_diffop_t;
+
+typedef struct dns_difftuple dns_difftuple_t;
+
+#define DNS_DIFFTUPLE_MAGIC ISC_MAGIC('D','I','F','T')
+#define DNS_DIFFTUPLE_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
+
+struct dns_difftuple {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_diffop_t op;
+ dns_name_t name;
+ dns_ttl_t ttl;
+ dns_rdata_t rdata;
+ ISC_LINK(dns_difftuple_t) link;
+ /* Variable-size name data and rdata follows. */
+};
+
+/*
+ * A dns_diff_t represents a set of changes being applied to
+ * a zone. Diffs are also used to represent "RRset exists
+ * (value dependent)" prerequisites.
+ */
+typedef struct dns_diff dns_diff_t;
+
+#define DNS_DIFF_MAGIC ISC_MAGIC('D','I','F','F')
+#define DNS_DIFF_VALID(t) ISC_MAGIC_VALID(t, DNS_DIFF_MAGIC)
+
+struct dns_diff {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ ISC_LIST(dns_difftuple_t) tuples;
+};
+
+/* Type of comparision function for sorting diffs. */
+typedef int dns_diff_compare_func(const void *, const void *);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+/*
+ * Maniuplation of diffs and tuples.
+ */
+
+isc_result_t
+dns_difftuple_create(isc_mem_t *mctx,
+ dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata, dns_difftuple_t **tp);
+/*
+ * Create a tuple. Deep copies are made of the name and rdata, so
+ * they need not remain valid after the call.
+ *
+ * Requires:
+ * *tp != NULL && *tp == NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_difftuple_free(dns_difftuple_t **tp);
+/*
+ * Free a tuple.
+ *
+ * Requires:
+ * **tp is a valid tuple.
+ *
+ * Ensures:
+ * *tp == NULL
+ * All memory used by the tuple is freed.
+ */
+
+isc_result_t
+dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp);
+/*
+ * Copy a tuple.
+ *
+ * Requires:
+ * 'orig' points to a valid tuple
+ * copyp != NULL && *copyp == NULL
+ */
+
+void
+dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff);
+/*
+ * Initialize a diff.
+ *
+ * Requires:
+ * 'diff' points to an uninitialized dns_diff_t
+ * allocated by the caller.
+ *
+ * Ensures:
+ * '*diff' is a valid, empty diff.
+ */
+
+void
+dns_diff_clear(dns_diff_t *diff);
+/*
+ * Clear a diff, destroying all its tuples.
+ *
+ * Requires:
+ * 'diff' points to a valid dns_diff_t.
+ *
+ * Ensures:
+ * Any tuples in the diff are destroyed.
+ * The diff now empty, but it is still valid
+ * and may be reused without calling dns_diff_init
+ * again. The only memory used is that of the
+ * dns_diff_t structure itself.
+ *
+ * Notes:
+ * Managing the memory of the dns_diff_t structure itself
+ * is the caller's responsibility.
+ */
+
+void
+dns_diff_append(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*
+ * Append a single tuple to a diff.
+ *
+ * 'diff' is a valid diff.
+ * '*tuple' is a valid tuple.
+ *
+ * Ensures:
+ * *tuple is NULL.
+ * The tuple has been freed, or will be freed when the diff is cleared.
+ */
+
+void
+dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuple);
+/*
+ * Append 'tuple' to 'diff', removing any duplicate
+ * or conflicting updates as needed to create a minimal diff.
+ *
+ * Requires:
+ * 'diff' is a minimal diff.
+ *
+ * Ensures:
+ * 'diff' is still a minimal diff.
+ * *tuple is NULL.
+ * The tuple has been freed, or will be freed when the diff is cleared.
+ *
+ */
+
+isc_result_t
+dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare);
+/*
+ * Sort 'diff' in-place according to the comparison function 'compare'.
+ */
+
+isc_result_t
+dns_diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+isc_result_t
+dns_diff_applysilently(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver);
+/*
+ * Apply 'diff' to the database 'db'.
+ *
+ * dns_diff_apply() logs warnings about updates with no effect or
+ * with inconsistent TTLs; dns_diff_applysilently() does not.
+ *
+ * For efficiency, the diff should be sorted by owner name.
+ * If it is not sorted, operation will still be correct,
+ * but less efficient.
+ *
+ * Requires:
+ * *diff is a valid diff (possibly empty), containing
+ * tuples of type DNS_DIFFOP_ADD and/or
+ * For DNS_DIFFOP_DEL tuples, the TTL is ignored.
+ *
+ */
+
+isc_result_t
+dns_diff_load(dns_diff_t *diff, dns_addrdatasetfunc_t addfunc,
+ void *add_private);
+/*
+ * Like dns_diff_apply, but for use when loading a new database
+ * instead of modifying an existing one. This bypasses the
+ * database transaction mechanisms.
+ *
+ * Requires:
+ * 'addfunc' is a valid dns_addradatasetfunc_t obtained from
+ * dns_db_beginload()
+ *
+ * 'add_private' points to a corresponding dns_dbload_t *
+ * (XXX why is it a void pointer, then?)
+ */
+
+isc_result_t
+dns_diff_print(dns_diff_t *diff, FILE *file);
+
+/*
+ * Print the differences to 'file' or if 'file' is NULL via the
+ * logging system.
+ *
+ * Require:
+ * 'diff' to be valid.
+ * 'file' to refer to a open file or NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ * any error from dns_rdataset_totext()
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DIFF_H */
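Review bot: The Requires clause of dns_difftuple_create() reads `*tp != NULL && *tp == NULL`, which cannot hold; going by dns_difftuple_copy() just below it (`copyp != NULL && *copyp == NULL`), the intended contract is `tp != NULL && *tp == NULL`. The same slip appears on dns_difftuple_free(), where `**tp is a valid tuple` should read `*tp is a valid tuple`. The Requires text of dns_diff_apply() also breaks off after `DNS_DIFFOP_ADD and/or`, so the accepted tuple operations are never stated; presumably `DNS_DIFFOP_DEL.` was dropped. These comments are the only statement of the pointer preconditions callers must meet, so they are worth correcting here and upstream.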
diff --git a/contrib/bind9/lib/dns/include/dns/dispatch.h b/contrib/bind9/lib/dns/include/dns/dispatch.h
new file mode 100644
index 0000000..201a65a
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dispatch.h
@@ -0,0 +1,442 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dispatch.h,v 1.45.2.2.4.2 2004/03/06 08:13:55 marka Exp $ */
+
+#ifndef DNS_DISPATCH_H
+#define DNS_DISPATCH_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Dispatch Management
+ *
+ * Shared UDP and single-use TCP dispatches for queries and responses.
+ *
+ * MP:
+ *
+ * All locking is performed internally to each dispatch.
+ * Restrictions apply to dns_dispatch_removeresponse().
+ *
+ * Reliability:
+ *
+ * Resources:
+ *
+ * Security:
+ *
+ * Depends on the isc_socket_t and dns_message_t for prevention of
+ * buffer overruns.
+ *
+ * Standards:
+ *
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+#include <dns/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * This event is sent to a task when a response comes in.
+ * No part of this structure should ever be modified by the caller,
+ * other than parts of the buffer. The holy parts of the buffer are
+ * the base and size of the buffer. All other parts of the buffer may
+ * be used. On event delivery the used region contains the packet.
+ *
+ * "id" is the received message id,
+ *
+ * "addr" is the host that sent it to us,
+ *
+ * "buffer" holds state on the received data.
+ *
+ * The "free" routine for this event will clean up itself as well as
+ * any buffer space allocated from common pools.
+ */
+
+struct dns_dispatchevent {
+ ISC_EVENT_COMMON(dns_dispatchevent_t); /* standard event common */
+ isc_result_t result; /* result code */
+ isc_int32_t id; /* message id */
+ isc_sockaddr_t addr; /* address recv'd from */
+ struct in6_pktinfo pktinfo; /* reply info for v6 */
+ isc_buffer_t buffer; /* data buffer */
+ isc_uint32_t attributes; /* mirrored from socket.h */
+};
+
+/*
+ * Attributes for added dispatchers.
+ *
+ * Values with the mask 0xffff0000 are application defined.
+ * Values with the mask 0x0000ffff are library defined.
+ *
+ * Insane values (like setting both TCP and UDP) are not caught. Don't
+ * do that.
+ *
+ * _PRIVATE
+ * The dispatcher cannot be shared.
+ *
+ * _TCP, _UDP
+ * The dispatcher is a TCP or UDP socket.
+ *
+ * _IPV4, _IPV6
+ * The dispatcher uses an ipv4 or ipv6 socket.
+ *
+ * _NOLISTEN
+ * The dispatcher should not listen on the socket.
+ *
+ * _MAKEQUERY
+ * The dispatcher can be used to issue queries to other servers, and
+ * accept replies from them.
+ */
+#define DNS_DISPATCHATTR_PRIVATE 0x00000001U
+#define DNS_DISPATCHATTR_TCP 0x00000002U
+#define DNS_DISPATCHATTR_UDP 0x00000004U
+#define DNS_DISPATCHATTR_IPV4 0x00000008U
+#define DNS_DISPATCHATTR_IPV6 0x00000010U
+#define DNS_DISPATCHATTR_NOLISTEN 0x00000020U
+#define DNS_DISPATCHATTR_MAKEQUERY 0x00000040U
+#define DNS_DISPATCHATTR_CONNECTED 0x00000080U
+
+isc_result_t
+dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
+ dns_dispatchmgr_t **mgrp);
+/*
+ * Creates a new dispatchmgr object.
+ *
+ * Requires:
+ * "mctx" be a valid memory context.
+ *
+ * mgrp != NULL && *mgrp == NULL
+ *
+ * "entropy" may be NULL, in which case an insecure random generator
+ * will be used. If it is non-NULL, it must be a valid entropy
+ * source.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all ok
+ *
+ * anything else -- failure
+ */
+
+
+void
+dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp);
+/*
+ * Destroys the dispatchmgr when it becomes empty. This could be
+ * immediately.
+ *
+ * Requires:
+ * mgrp != NULL && *mgrp is a valid dispatchmgr.
+ */
+
+
+void
+dns_dispatchmgr_setblackhole(dns_dispatchmgr_t *mgr, dns_acl_t *blackhole);
+/*
+ * Sets the dispatcher's "blackhole list," a list of addresses that will
+ * be ignored by all dispatchers created by the dispatchmgr.
+ *
+ * Requires:
+ * mgrp is a valid dispatchmgr
+ * blackhole is a valid acl
+ */
+
+
+dns_acl_t *
+dns_dispatchmgr_getblackhole(dns_dispatchmgr_t *mgr);
+/*
+ * Gets a pointer to the dispatcher's current blackhole list,
+ * without incrementing its reference count.
+ *
+ * Requires:
+ * mgr is a valid dispatchmgr
+ * Returns:
+ * A pointer to the current blackhole list, or NULL.
+ */
+
+void
+dns_dispatchmgr_setblackportlist(dns_dispatchmgr_t *mgr,
+ dns_portlist_t *portlist);
+/*
+ * Sets a list of UDP ports that won't be used when creating a udp
+ * dispatch with a wildcard port.
+ *
+ * Requires:
+ * mgr is a valid dispatchmgr
+ * portlist to be NULL or a valid port list.
+ */
+
+dns_portlist_t *
+dns_dispatchmgr_getblackportlist(dns_dispatchmgr_t *mgr);
+/*
+ * Return the current port list.
+ *
+ * Requires:
+ * mgr is a valid dispatchmgr
+ */
+
+
+
+isc_result_t
+dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
+ isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
+ unsigned int buffersize,
+ unsigned int maxbuffers, unsigned int maxrequests,
+ unsigned int buckets, unsigned int increment,
+ unsigned int attributes, unsigned int mask,
+ dns_dispatch_t **dispp);
+/*
+ * Attach to existing dns_dispatch_t if one is found with dns_dispatchmgr_find,
+ * otherwise create a new UDP dispatch.
+ *
+ * Requires:
+ * All pointer parameters be valid for their respective types.
+ *
+ * dispp != NULL && *disp == NULL
+ *
+ * 512 <= buffersize <= 64k
+ *
+ * maxbuffers > 0
+ *
+ * buckets < 2097169
+ *
+ * increment > buckets
+ *
+ * (attributes & DNS_DISPATCHATTR_TCP) == 0
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- success.
+ *
+ * Anything else -- failure.
+ */
+
+isc_result_t
+dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, isc_socket_t *sock,
+ isc_taskmgr_t *taskmgr, unsigned int buffersize,
+ unsigned int maxbuffers, unsigned int maxrequests,
+ unsigned int buckets, unsigned int increment,
+ unsigned int attributes, dns_dispatch_t **dispp);
+/*
+ * Create a new dns_dispatch and attach it to the provided isc_socket_t.
+ *
+ * For all dispatches, "buffersize" is the maximum packet size we will
+ * accept.
+ *
+ * "maxbuffers" and "maxrequests" control the number of buffers in the
+ * overall system and the number of buffers which can be allocated to
+ * requests.
+ *
+ * "buckets" is the number of buckets to use, and should be prime.
+ *
+ * "increment" is used in a collision avoidance function, and needs to be
+ * a prime > buckets, and not 2.
+ *
+ * Requires:
+ *
+ * mgr is a valid dispatch manager.
+ *
+ * sock is a valid.
+ *
+ * task is a valid task that can be used internally to this dispatcher.
+ *
+ * 512 <= buffersize <= 64k
+ *
+ * maxbuffers > 0.
+ *
+ * maxrequests <= maxbuffers.
+ *
+ * buckets < 2097169 (the next prime after 65536 * 32)
+ *
+ * increment > buckets (and prime).
+ *
+ * attributes includes DNS_DISPATCHATTR_TCP and does not include
+ * DNS_DISPATCHATTR_UDP.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- success.
+ *
+ * Anything else -- failure.
+ */
+
+void
+dns_dispatch_attach(dns_dispatch_t *disp, dns_dispatch_t **dispp);
+/*
+ * Attach to a dispatch handle.
+ *
+ * Requires:
+ * disp is valid.
+ *
+ * dispp != NULL && *dispp == NULL
+ */
+
+void
+dns_dispatch_detach(dns_dispatch_t **dispp);
+/*
+ * Detaches from the dispatch.
+ *
+ * Requires:
+ * dispp != NULL and *dispp be a valid dispatch.
+ */
+
+void
+dns_dispatch_starttcp(dns_dispatch_t *disp);
+/*
+ * Start processing of a TCP dispatch once the socket connects.
+ *
+ * Requires:
+ * 'disp' is valid.
+ */
+
+isc_result_t
+dns_dispatch_addresponse(dns_dispatch_t *disp, isc_sockaddr_t *dest,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ isc_uint16_t *idp, dns_dispentry_t **resp);
+/*
+ * Add a response entry for this dispatch.
+ *
+ * "*idp" is filled in with the assigned message ID, and *resp is filled in
+ * to contain the magic token used to request event flow stop.
+ *
+ * Arranges for the given task to get a callback for response packets. When
+ * the event is delivered, it must be returned using dns_dispatch_freeevent()
+ * or through dns_dispatch_removeresponse() for another to be delivered.
+ *
+ * Requires:
+ * "idp" be non-NULL.
+ *
+ * "task" "action" and "arg" be set as appropriate.
+ *
+ * "dest" be non-NULL and valid.
+ *
+ * "resp" be non-NULL and *resp be NULL
+ *
+ * Ensures:
+ *
+ * <id, dest> is a unique tuple. That means incoming messages
+ * are identifiable.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ * ISC_R_NOMEMORY -- memory could not be allocated.
+ * ISC_R_NOMORE -- no more message ids can be allocated
+ * for this destination.
+ */
+
+
+void
+dns_dispatch_removeresponse(dns_dispentry_t **resp,
+ dns_dispatchevent_t **sockevent);
+/*
+ * Stops the flow of responses for the provided id and destination.
+ * If "sockevent" is non-NULL, the dispatch event and associated buffer is
+ * also returned to the system.
+ *
+ * Requires:
+ * "resp" != NULL and "*resp" contain a value previously allocated
+ * by dns_dispatch_addresponse();
+ *
+ * May only be called from within the task given as the 'task'
+ * argument to dns_dispatch_addresponse() when allocating '*resp'.
+ */
+
+
+isc_socket_t *
+dns_dispatch_getsocket(dns_dispatch_t *disp);
+/*
+ * Return the socket associated with this dispatcher.
+ *
+ * Requires:
+ * disp is valid.
+ *
+ * Returns:
+ * The socket the dispatcher is using.
+ */
+
+isc_result_t
+dns_dispatch_getlocaladdress(dns_dispatch_t *disp, isc_sockaddr_t *addrp);
+/*
+ * Return the local address for this dispatch.
+ * This currently only works for dispatches using UDP sockets.
+ *
+ * Requires:
+ * disp is valid.
+ * addrp to be non null.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTIMPLEMENTED
+ */
+
+void
+dns_dispatch_cancel(dns_dispatch_t *disp);
+/*
+ * cancel outstanding clients
+ *
+ * Requires:
+ * disp is valid.
+ */
+
+void
+dns_dispatch_changeattributes(dns_dispatch_t *disp,
+ unsigned int attributes, unsigned int mask);
+/*
+ * Set the bits described by "mask" to the corresponding values in
+ * "attributes".
+ *
+ * That is:
+ *
+ * new = (old & ~mask) | (attributes & mask)
+ *
+ * This function has a side effect when DNS_DISPATCHATTR_NOLISTEN changes.
+ * When the flag becomes off, the dispatch will start receiving on the
+ * corresponding socket. When the flag becomes on, receive events on the
+ * corresponding socket will be canceled.
+ *
+ * Requires:
+ * disp is valid.
+ *
+ * attributes are reasonable for the dispatch. That is, setting the UDP
+ * attribute on a TCP socket isn't reasonable.
+ */
+
+void
+dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
+/*
+ * Inform the dispatcher of a socket receive. This is used for sockets
+ * shared between dispatchers and clients. If the dispatcher fails to copy
+ * or send the event, nothing happens.
+ *
+ * Requires:
+ * disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
+ * event != NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DISPATCH_H */
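Review bot: The comment on dns_dispatchmgr_create() allows `entropy` to be NULL and says only that "an insecure random generator will be used", without saying what that generator feeds. dns_dispatch_addresponse() in the same header assigns the message ID that makes `<id, dest>` identify incoming responses, so if the IDs are drawn from that generator (the implementation is not in this hunk) forged responses become easier to match against outstanding queries. I would add to the Requires text something like `Callers that issue queries should pass a valid entropy source; NULL weakens message ID unpredictability.` Smaller slips in the same file: `#include <dns/types.h>` appears twice, dns_dispatch_getudp() says `*disp == NULL` where `*dispp == NULL` is meant, and DNS_DISPATCHATTR_CONNECTED is defined but missing from the attribute list comment.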
diff --git a/contrib/bind9/lib/dns/include/dns/dnssec.h b/contrib/bind9/lib/dns/include/dns/dnssec.h
new file mode 100644
index 0000000..5f86178
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/dnssec.h
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */
+
+#ifndef DNS_DNSSEC_H
+#define DNS_DNSSEC_H 1
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
+ dst_key_t **key);
+/*
+ * Creates a DST key from a DNS record. Basically a wrapper around
+ * dst_key_fromdns().
+ *
+ * Requires:
+ * 'name' is not NULL
+ * 'rdata' is not NULL
+ * 'mctx' is not NULL
+ * 'key' is not NULL
+ * '*key' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * DST_R_INVALIDPUBLICKEY
+ * various errors from dns_name_totext
+ */
+
+isc_result_t
+dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_stdtime_t *inception, isc_stdtime_t *expire,
+ isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
+/*
+ * Generates a SIG record covering this rdataset. This has no effect
+ * on existing SIG records.
+ *
+ * Requires:
+ * 'name' (the owner name of the record) is a valid name
+ * 'set' is a valid rdataset
+ * 'key' is a valid key
+ * 'inception' is not NULL
+ * 'expire' is not NULL
+ * 'mctx' is not NULL
+ * 'buffer' is not NULL
+ * 'sigrdata' is not NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOSPACE
+ * DNS_R_INVALIDTIME - the expiration is before the inception
+ * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ * it is not a zone key or its flags prevent
+ * authentication)
+ * DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata);
+
+isc_result_t
+dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
+ isc_boolean_t ignoretime, isc_mem_t *mctx,
+ dns_rdata_t *sigrdata, dns_name_t *wild);
+/*
+ * Verifies the SIG record covering this rdataset signed by a specific
+ * key. This does not determine if the key's owner is authorized to
+ * sign this record, as this requires a resolver or database.
+ * If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
+ *
+ * Requires:
+ * 'name' (the owner name of the record) is a valid name
+ * 'set' is a valid rdataset
+ * 'key' is a valid key
+ * 'mctx' is not NULL
+ * 'sigrdata' is a valid rdata containing a SIG record
+ * 'wild' if non-NULL then is a valid and has a buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * DNS_R_FROMWILDCARD - the signature is valid and is from
+ * a wildcard expansion. dns_dnssec_verify2() only.
+ * 'wild' contains the name of the wildcard if non-NULL.
+ * DNS_R_SIGINVALID - the signature fails to verify
+ * DNS_R_SIGEXPIRED - the signature has expired
+ * DNS_R_SIGFUTURE - the signature's validity period has not begun
+ * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
+ * it is not a zone key or its flags prevent
+ * authentication)
+ * DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+ dns_name_t *name, isc_mem_t *mctx,
+ unsigned int maxkeys, dst_key_t **keys,
+ unsigned int *nkeys);
+isc_result_t
+dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
+ dns_dbnode_t *node, dns_name_t *name,
+ const char *directory, isc_mem_t *mctx,
+ unsigned int maxkeys, dst_key_t **keys,
+ unsigned int *nkeys);
+/*
+ * Finds a set of zone keys.
+ * XXX temporary - this should be handled in dns_zone_t.
+ */
+
+isc_result_t
+dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
+/*
+ * Signs a message with a SIG(0) record. This is implicitly called by
+ * dns_message_renderend() if msg->sig0key is not NULL.
+ *
+ * Requires:
+ * 'msg' is a valid message
+ * 'key' is a valid key that can be used for signing
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * DST_R_*
+ */
+
+isc_result_t
+dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
+ dst_key_t *key);
+/*
+ * Verifies a message signed by a SIG(0) record. This is not
+ * called implicitly by dns_message_parse(). If dns_message_signer()
+ * is called before dns_dnssec_verifymessage(), it will return
+ * DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set
+ * the verified_sig0 flag in msg if the verify succeeds, and
+ * the sig0status field otherwise.
+ *
+ * Requires:
+ * 'source' is a valid buffer containing the unparsed message
+ * 'msg' is a valid message
+ * 'key' is a valid key
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOTFOUND - no SIG(0) was found
+ * DNS_R_SIGINVALID - the SIG record is not well-formed or
+ * was not generated by the key.
+ * DST_R_*
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DNSSEC_H */
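Review bot: dns_dnssec_findzonekeys() and dns_dnssec_findzonekeys2() take a caller-supplied `keys` array together with `maxkeys` and `nkeys`, but their only comment is "Finds a set of zone keys", with none of the Requires and Returns sections the documented functions in this header have. That leaves the array-size contract and the ownership of the returned keys for the caller to guess. After confirming against the implementation, I would add `'keys' points to an array of at least 'maxkeys' dst_key_t pointers`, `'nkeys' is not NULL`, what `directory` selects in the second variant, and whether the caller must free each returned key. Separately, the `'wild'` line under dns_dnssec_verify2() ("if non-NULL then is a valid and has a buffer") has lost a word, presumably "name".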
diff --git a/contrib/bind9/lib/dns/include/dns/ds.h b/contrib/bind9/lib/dns/include/dns/ds.h
new file mode 100644
index 0000000..979ac9f
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/ds.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds.h,v 1.3.2.1 2004/03/08 02:08:00 marka Exp $ */
+
+#ifndef DNS_DS_H
+#define DNS_DS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_DSDIGEST_SHA1 (1)
+
+/*
+ * Assuming SHA-1 digest type.
+ */
+#define DNS_DS_BUFFERSIZE (24)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_ds_buildrdata(dns_name_t *owner, dns_rdata_t *key,
+ unsigned int digest_type, unsigned char *buffer,
+ dns_rdata_t *rdata);
+/*
+ * Build the rdata of a DS record.
+ *
+ * Requires:
+ * key Points to a valid DNS KEY record.
+ * buffer Points to a temporary buffer of at least
+ * DNS_DS_BUFFERSIZE bytes.
+ * rdata Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ * *rdata Contains a valid DS rdata. The 'data' member refers
+ * to 'buffer'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_DS_H */
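Review bot: dns_ds_buildrdata() accepts any `digest_type` but writes into a raw `buffer` whose required size, DNS_DS_BUFFERSIZE (24), is documented as assuming SHA-1, and no length is passed alongside the pointer. 24 bytes is exactly the DS fixed fields (key tag, algorithm and digest type, 4 bytes) plus a 20-byte SHA-1 digest, so a longer digest would not fit. Whether the implementation rejects other values is not visible in this hunk, so the Requires list should state it, for example `digest_type is DNS_DSDIGEST_SHA1`. The DNS_DS_BUFFERSIZE comment should also say the constant must grow with any new digest type. `owner` is missing from the Requires list as well.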
diff --git a/contrib/bind9/lib/dns/include/dns/events.h b/contrib/bind9/lib/dns/include/dns/events.h
new file mode 100644
index 0000000..1e66139
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/events.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: events.h,v 1.37.2.1.4.4 2004/03/08 09:04:36 marka Exp $ */
+
+#ifndef DNS_EVENTS_H
+#define DNS_EVENTS_H 1
+
+#include <isc/eventclass.h>
+
+/*
+ * Registry of DNS event numbers.
+ */
+
+#define DNS_EVENT_FETCHCONTROL (ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_FETCHDONE (ISC_EVENTCLASS_DNS + 1)
+#define DNS_EVENT_VIEWRESSHUTDOWN (ISC_EVENTCLASS_DNS + 2)
+#define DNS_EVENT_VIEWADBSHUTDOWN (ISC_EVENTCLASS_DNS + 3)
+#define DNS_EVENT_UPDATE (ISC_EVENTCLASS_DNS + 4)
+#define DNS_EVENT_UPDATEDONE (ISC_EVENTCLASS_DNS + 5)
+#define DNS_EVENT_DISPATCH (ISC_EVENTCLASS_DNS + 6)
+#define DNS_EVENT_TCPMSG (ISC_EVENTCLASS_DNS + 7)
+#define DNS_EVENT_ADBMOREADDRESSES (ISC_EVENTCLASS_DNS + 8)
+#define DNS_EVENT_ADBNOMOREADDRESSES (ISC_EVENTCLASS_DNS + 9)
+#define DNS_EVENT_ADBCANCELED (ISC_EVENTCLASS_DNS + 10)
+#define DNS_EVENT_ADBNAMEDELETED (ISC_EVENTCLASS_DNS + 11)
+#define DNS_EVENT_ADBSHUTDOWN (ISC_EVENTCLASS_DNS + 12)
+#define DNS_EVENT_ADBEXPIRED (ISC_EVENTCLASS_DNS + 13)
+#define DNS_EVENT_ADBCONTROL (ISC_EVENTCLASS_DNS + 14)
+#define DNS_EVENT_CACHECLEAN (ISC_EVENTCLASS_DNS + 15)
+#define DNS_EVENT_BYADDRDONE (ISC_EVENTCLASS_DNS + 16)
+#define DNS_EVENT_ZONECONTROL (ISC_EVENTCLASS_DNS + 17)
+#define DNS_EVENT_DBDESTROYED (ISC_EVENTCLASS_DNS + 18)
+#define DNS_EVENT_VALIDATORDONE (ISC_EVENTCLASS_DNS + 19)
+#define DNS_EVENT_REQUESTDONE (ISC_EVENTCLASS_DNS + 20)
+#define DNS_EVENT_VALIDATORSTART (ISC_EVENTCLASS_DNS + 21)
+#define DNS_EVENT_VIEWREQSHUTDOWN (ISC_EVENTCLASS_DNS + 22)
+#define DNS_EVENT_NOTIFYSENDTOADDR (ISC_EVENTCLASS_DNS + 23)
+#define DNS_EVENT_ZONE (ISC_EVENTCLASS_DNS + 24)
+#define DNS_EVENT_ZONESTARTXFRIN (ISC_EVENTCLASS_DNS + 25)
+#define DNS_EVENT_MASTERQUANTUM (ISC_EVENTCLASS_DNS + 26)
+#define DNS_EVENT_CACHEOVERMEM (ISC_EVENTCLASS_DNS + 27)
+#define DNS_EVENT_MASTERNEXTZONE (ISC_EVENTCLASS_DNS + 28)
+#define DNS_EVENT_IOREADY (ISC_EVENTCLASS_DNS + 29)
+#define DNS_EVENT_LOOKUPDONE (ISC_EVENTCLASS_DNS + 30)
+/* #define DNS_EVENT_unused (ISC_EVENTCLASS_DNS + 31) */
+#define DNS_EVENT_DISPATCHCONTROL (ISC_EVENTCLASS_DNS + 32)
+#define DNS_EVENT_REQUESTCONTROL (ISC_EVENTCLASS_DNS + 33)
+#define DNS_EVENT_DUMPQUANTUM (ISC_EVENTCLASS_DNS + 34)
+#define DNS_EVENT_IMPORTRECVDONE (ISC_EVENTCLASS_DNS + 35)
+#define DNS_EVENT_FREESTORAGE (ISC_EVENTCLASS_DNS + 36)
+
+#define DNS_EVENT_FIRSTEVENT (ISC_EVENTCLASS_DNS + 0)
+#define DNS_EVENT_LASTEVENT (ISC_EVENTCLASS_DNS + 65535)
+
+#endif /* DNS_EVENTS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/fixedname.h b/contrib/bind9/lib/dns/include/dns/fixedname.h
new file mode 100644
index 0000000..3ee306f
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/fixedname.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: fixedname.h,v 1.12.206.1 2004/03/06 08:13:55 marka Exp $ */
+
+#ifndef DNS_FIXEDNAME_H
+#define DNS_FIXEDNAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Fixed-size Names
+ *
+ * dns_fixedname_t is a convenience type containing a name, an offsets table,
+ * and a dedicated buffer big enough for the longest possible name.
+ *
+ * MP:
+ * The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * Per dns_fixedname_t:
+ * sizeof(dns_name_t) + sizeof(dns_offsets_t) +
+ * sizeof(isc_buffer_t) + 255 bytes + structure padding
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/buffer.h>
+
+#include <dns/name.h>
+
+/*****
+ ***** Types
+ *****/
+
+struct dns_fixedname {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_buffer_t buffer;
+ unsigned char data[DNS_NAME_MAXWIRE];
+};
+
+#define dns_fixedname_init(fn) \
+ do { \
+ dns_name_init(&((fn)->name), (fn)->offsets); \
+ isc_buffer_init(&((fn)->buffer), (fn)->data, \
+ DNS_NAME_MAXWIRE); \
+ dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
+ } while (0)
+
+#define dns_fixedname_invalidate(fn) \
+ dns_name_invalidate(&((fn)->name))
+
+#define dns_fixedname_name(fn) (&((fn)->name))
+
+#endif /* DNS_FIXEDNAME_H */
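Review bot: dns_fixedname_init() is a multi-statement macro that expands `fn` several times, so an argument with side effects such as `p++` would be evaluated repeatedly, and nothing in the header warns about it. A one-line comment above the macro would do: `/* 'fn' is evaluated more than once; pass a plain pointer expression. */`. The three macros also carry no Requires text, unlike the function declarations elsewhere in this directory. Presumably `fn` must point to a dns_fixedname_t and dns_fixedname_name() is only meaningful after dns_fixedname_init(), which is worth stating.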
diff --git a/contrib/bind9/lib/dns/include/dns/forward.h b/contrib/bind9/lib/dns/include/dns/forward.h
new file mode 100644
index 0000000..f1bf5ab
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/forward.h
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: forward.h,v 1.2.206.1 2004/03/06 08:13:56 marka Exp $ */
+
+#ifndef DNS_FORWARD_H
+#define DNS_FORWARD_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_forwarders {
+ isc_sockaddrlist_t addrs;
+ dns_fwdpolicy_t fwdpolicy;
+};
+
+isc_result_t
+dns_fwdtable_create(isc_mem_t *mctx, dns_fwdtable_t **fwdtablep);
+/*
+ * Creates a new forwarding table.
+ *
+ * Requires:
+ * mctx is a valid memory context.
+ * fwdtablep != NULL && *fwdtablep == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_add(dns_fwdtable_t *fwdtable, dns_name_t *name,
+ isc_sockaddrlist_t *addrs, dns_fwdpolicy_t policy);
+/*
+ * Adds an entry to the forwarding table. The entry associates
+ * a domain with a list of forwarders and a forwarding policy. The
+ * addrs list is copied if not empty, so the caller should free its copy.
+ *
+ * Requires:
+ * fwdtable is a valid forwarding table.
+ * name is a valid name
+ * addrs is a valid list of sockaddrs, which may be empty.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_fwdtable_find(dns_fwdtable_t *fwdtable, dns_name_t *name,
+ dns_forwarders_t **forwardersp);
+/*
+ * Finds a domain in the forwarding table. The closest matching parent
+ * domain is returned.
+ *
+ * Requires:
+ * fwdtable is a valid forwarding table.
+ * name is a valid name
+ * forwardersp != NULL && *forwardersp == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ */
+
+void
+dns_fwdtable_destroy(dns_fwdtable_t **fwdtablep);
+/*
+ * Destroys a forwarding table.
+ *
+ * Requires:
+ * fwtablep != NULL && *fwtablep != NULL
+ *
+ * Ensures:
+ * all memory associated with the forwarding table is freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_FORWARD_H */
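Review bot: `dns_fwdtable_find()` hands back a `dns_forwarders_t *` through `forwardersp` without stating who owns it or how long it stays valid. A sentence such as `*forwardersp points into the table and is valid only until the table is destroyed` (to be confirmed against the implementation) would tell callers not to free or retain it. The Requires clause of `dns_fwdtable_destroy()` names `fwtablep`, while the parameter in the prototype is `fwdtablep`. `dns_fwdtable_add()` also does not say whether a second add for the same name replaces the existing entry or fails.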
diff --git a/contrib/bind9/lib/dns/include/dns/journal.h b/contrib/bind9/lib/dns/include/dns/journal.h
new file mode 100644
index 0000000..fdf6094
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/journal.h
@@ -0,0 +1,271 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: journal.h,v 1.23.12.3 2004/03/08 09:04:36 marka Exp $ */
+
+#ifndef DNS_JOURNAL_H
+#define DNS_JOURNAL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Database journalling.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/name.h>
+#include <dns/diff.h>
+#include <dns/rdata.h>
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*
+ * A dns_journal_t represents an open journal file. This is an opaque type.
+ *
+ * A particular dns_journal_t object may be opened for writing, in which case
+ * it can be used for writing transactions to a journal file, or it can be
+ * opened for reading, in which case it can be used for reading transactions
+ * from (iterating over) a journal file. A single dns_journal_t object may
+ * not be used for both purposes.
+ */
+typedef struct dns_journal dns_journal_t;
+
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+/**************************************************************************/
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+ dns_diffop_t op, dns_difftuple_t **tp);
+/*
+ * Create a diff tuple for the current database SOA.
+ * XXX this probably belongs somewhere else.
+ */
+
+
+#define DNS_SERIAL_GT(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) > 0)
+#define DNS_SERIAL_GE(a, b) ((int)(((a) - (b)) & 0xFFFFFFFF) >= 0)
+/*
+ * Compare SOA serial numbers. DNS_SERIAL_GT(a, b) returns true iff
+ * a is "greater than" b where "greater than" is as defined in RFC1982.
+ * DNS_SERIAL_GE(a, b) returns true iff a is "greater than or equal to" b.
+ */
+
+/**************************************************************************/
+/*
+ * Journal object creation and destruction.
+ */
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ dns_journal_t **journalp);
+/*
+ * Open the journal file 'filename' and create a dns_journal_t object for it.
+ *
+ * If 'write' is ISC_TRUE, the journal is open for writing. If it does
+ * not exist, it is created.
+ *
+ * If 'write' is ISC_FALSE, the journal is open for reading. If it does
+ * not exist, ISC_R_NOTFOUND is returned.
+ */
+
+void
+dns_journal_destroy(dns_journal_t **journalp);
+/*
+ * Destroy a dns_journal_t, closing any open files and freeing its memory.
+ */
+
+/**************************************************************************/
+/*
+ * Writing transactions to journals.
+ */
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j);
+/*
+ * Prepare to write a new transaction to the open journal file 'j'.
+ *
+ * Requires:
+ * 'j' is open for writing.
+ */
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff);
+/*
+ * Write 'diff' to the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * 'j' is open for writing and dns_journal_begin_transaction()
+ * has been called.
+ *
+ * 'diff' is a full or partial, correctly ordered IXFR
+ * difference sequence.
+ */
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j);
+/*
+ * Commit the current transaction of journal file 'j'.
+ *
+ * Requires:
+ * 'j' is open for writing and dns_journal_begin_transaction()
+ * has been called.
+ *
+ * dns_journal_writediff() has been called one or more times
+ * to form a complete, correctly ordered IXFR difference
+ * sequence.
+ */
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff);
+/*
+ * Write a complete transaction at once to a journal file,
+ * sorting it if necessary, and commit it. Equivalent to calling
+ * dns_diff_sort(), dns_journal_begin_transaction(),
+ * dns_journal_writediff(), and dns_journal_commit().
+ *
+ * Requires:
+ * 'j' is open for writing.
+ *
+ * 'diff' contains exactly one SOA deletion, one SOA addition
+ * with a greater serial number, and possibly other changes,
+ * in arbitrary order.
+ */
+
+/**************************************************************************/
+/*
+ * Reading transactions from journals.
+ */
+
+isc_uint32_t
+dns_journal_first_serial(dns_journal_t *j);
+isc_uint32_t
+dns_journal_last_serial(dns_journal_t *j);
+/*
+ * Get the first and last addressable serial number in the journal.
+ */
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j,
+ isc_uint32_t begin_serial, isc_uint32_t end_serial);
+/*
+ * Prepare to iterate over the transactions that will bring the database
+ * from SOA serial number 'begin_serial' to 'end_serial'.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_RANGE begin_serial is outside the addressable range.
+ * ISC_R_NOTFOUND begin_serial is within the range of adressable
+ * serial numbers covered by the journal, but
+ * this particular serial number does not exist.
+ */
+
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j);
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j);
+/*
+ * Position the iterator at the first/next RR in a journal
+ * transaction sequence established using dns_journal_iter_init().
+ *
+ * Requires:
+ * dns_journal_iter_init() has been called.
+ *
+ */
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata);
+/*
+ * Get the name, ttl, and rdata of the current journal RR.
+ *
+ * Requires:
+ * The last call to dns_journal_first_rr() or dns_journal_next_rr()
+ * returned ISC_R_SUCCESS.
+ */
+
+/**************************************************************************/
+/*
+ * Database roll-forward.
+ */
+
+isc_result_t
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
+/*
+ * Roll forward (play back) the journal file "filename" into the
+ * database "db". This should be called when the server starts
+ * after a shutdown or crash.
+ *
+ * Requires:
+ * 'mctx' is a valid memory context.
+ * 'db' is a valid database which does not have a version
+ * open for writing.
+ * 'filename' is the name of the journal file belonging to 'db'.
+ *
+ * Returns:
+ * DNS_R_NOJOURNAL when journal does not exist.
+ * ISC_R_NOTFOUND when current serial in not in journal.
+ * ISC_R_RANGE when current serial in not in journals range.
+ * ISC_R_SUCCESS journal has been applied successfully to database.
+ * others
+ */
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file);
+/* For debugging not general use */
+
+isc_result_t
+dns_db_diff(isc_mem_t *mctx,
+ dns_db_t *dba, dns_dbversion_t *dbvera,
+ dns_db_t *dbb, dns_dbversion_t *dbverb,
+ const char *journal_filename);
+/*
+ * Compare the databases 'dba' and 'dbb' and generate a journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order). This journal entry will consist of a single,
+ * possibly very large transaction. Append the journal
+ * entry to the journal file specified by 'journal_filename'.
+ */
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
+ isc_uint32_t target_size);
+/*
+ * Attempt to compact the journal if it is greater that 'target_size'.
+ * Changes from 'serial' onwards will be preserved. If the journal
+ * exists and is non-empty 'serial' must exist in the journal.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_JOURNAL_H */
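Review bot: `DNS_SERIAL_GT` and `DNS_SERIAL_GE` only work where `int` is exactly 32 bits, because the masked difference is cast to `int`. That conversion is implementation-defined for values above `INT_MAX`, and where `int` is wider the result is never negative, so `DNS_SERIAL_GE` would always be true. A fixed-width cast such as `#define DNS_SERIAL_GT(a, b) ((isc_int32_t)((a) - (b)) > 0)` states the intent, assuming `isc_int32_t` from the ISC headers is in scope here. The comment should also say that serials exactly 2^31 apart compare as neither greater, a case RFC 1982 leaves undefined. Separately, `dns_journal_print()` takes a `FILE *` but the header does not include `<stdio.h>`, so it relies on the includer having pulled it in first.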
diff --git a/contrib/bind9/lib/dns/include/dns/keyflags.h b/contrib/bind9/lib/dns/include/dns/keyflags.h
new file mode 100644
index 0000000..025b137
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/keyflags.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keyflags.h,v 1.9.206.1 2004/03/06 08:13:56 marka Exp $ */
+
+#ifndef DNS_KEYFLAGS_H
+#define DNS_KEYFLAGS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC KEY flags value.
+ * The text may contain either a set of flag mnemonics separated by
+ * vertical bars or a decimal flags value. For compatibility with
+ * older versions of BIND and the DNSSEC signer, octal values
+ * prefixed with a zero and hexadecimal values prefixed with "0x"
+ * are also accepted.
+ *
+ * Requires:
+ * 'flagsp' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_RANGE numeric flag value is out of range
+ * DNS_R_UNKNOWN mnemonic flag is unknown
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYFLAGS_H */
diff --git a/contrib/bind9/lib/dns/include/dns/keytable.h b/contrib/bind9/lib/dns/include/dns/keytable.h
new file mode 100644
index 0000000..a07c052
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/keytable.h
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keytable.h,v 1.10.206.1 2004/03/06 08:13:56 marka Exp $ */
+
+#ifndef DNS_KEYTABLE_H
+#define DNS_KEYTABLE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Key Tables
+ *
+ * The keytable module provides services for storing and retrieving DNSSEC
+ * trusted keys, as well as the ability to find the deepest matching key
+ * for a given domain name.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep);
+/*
+ * Create a keytable.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * keytablep != NULL && *keytablep == NULL
+ *
+ * Ensures:
+ *
+ * On success, *keytablep is a valid, empty key table.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any other result indicates failure.
+ */
+
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * 'source' is a valid keytable.
+ *
+ * 'targetp' points to a NULL dns_keytable_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ */
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep);
+/*
+ * Detach *keytablep from its keytable.
+ *
+ * Requires:
+ *
+ * 'keytablep' points to a valid keytable.
+ *
+ * Ensures:
+ *
+ * *keytablep is NULL.
+ *
+ * If '*keytablep' is the last reference to the keytable,
+ *
+ * All resources used by the keytable will be freed
+ */
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp);
+/*
+ * Add '*keyp' to 'keytable'.
+ *
+ * Notes:
+ *
+ * Ownership of *keyp is transferred to the keytable.
+ *
+ * Requires:
+ *
+ * keyp != NULL && *keyp is a valid dst_key_t *.
+ *
+ * Ensures:
+ *
+ * On success, *keyp == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any other result indicates failure.
+ */
+
+isc_result_t
+dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
+ dns_secalg_t algorithm, dns_keytag_t tag,
+ dns_keynode_t **keynodep);
+/*
+ * Search for a key named 'name', matching 'algorithm' and 'tag' in
+ * 'keytable'.
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * 'name' is a valid absolute name.
+ *
+ * keynodep != NULL && *keynodep == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep);
+/*
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable'.
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * 'keynode' is a valid keynode.
+ *
+ * nextnodep != NULL && *nextnodep == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Any other result indicates an error.
+ */
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+ dns_name_t *foundname);
+/*
+ * Search for the deepest match of 'name' in 'keytable'.
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * 'name' is a valid absolute name.
+ *
+ * 'foundname' is a name with a dedicated buffer.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ *
+ * Any other result indicates an error.
+ */
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable,
+ dns_keynode_t **keynodep);
+/*
+ * Give back a keynode found via dns_keytable_findkeynode().
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * *keynodep is a valid keynode returned by a call to
+ * dns_keytable_findkeynode().
+ *
+ * Ensures:
+ *
+ * *keynodep == NULL
+ */
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
+ isc_boolean_t *wantdnssecp);
+/*
+ * Is 'name' at or beneath a trusted key?
+ *
+ * Requires:
+ *
+ * 'keytable' is a valid keytable.
+ *
+ * 'name' is a valid absolute name.
+ *
+ * '*wantsdnssecp' is a valid isc_boolean_t.
+ *
+ * Ensures:
+ *
+ * On success, *wantsdnssecp will be ISC_TRUE if and only if 'name'
+ * is at or beneath a trusted key.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any other result is an error.
+ */
+
+dst_key_t *
+dns_keynode_key(dns_keynode_t *keynode);
+/*
+ * Get the DST key associated with keynode.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_KEYTABLE_H */
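Review bot: The contract for `dns_keytable_issecuredomain()` names `*wantsdnssecp` in its Requires and Ensures text, but the parameter in the prototype is `wantdnssecp`; the comment should use the prototype's spelling. `dns_keytable_add()` documents that ownership of `*keyp` moves to the table and that `*keyp == NULL` on success, but says nothing about failure. A line such as `On failure, *keyp is unchanged and the caller still owns the key` (to be confirmed against the implementation) would help callers avoid leaking or double-freeing a trusted key. `dns_keytable_findnextkeynode()` likewise does not say whether `*nextnodep` must be released with `dns_keytable_detachkeynode()`, whose own comment mentions only nodes from `dns_keytable_findkeynode()`.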
diff --git a/contrib/bind9/lib/dns/include/dns/keyvalues.h b/contrib/bind9/lib/dns/include/dns/keyvalues.h
new file mode 100644
index 0000000..ef9e821
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/keyvalues.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keyvalues.h,v 1.11.12.3 2004/03/06 08:13:56 marka Exp $ */
+
+#ifndef DNS_KEYVALUES_H
+#define DNS_KEYVALUES_H 1
+
+/*
+ * Flags field of the KEY RR rdata
+ */
+#define DNS_KEYFLAG_TYPEMASK 0xC000 /* Mask for "type" bits */
+#define DNS_KEYTYPE_AUTHCONF 0x0000 /* Key usable for both */
+#define DNS_KEYTYPE_CONFONLY 0x8000 /* Key usable for confidentiality */
+#define DNS_KEYTYPE_AUTHONLY 0x4000 /* Key usable for authentication */
+#define DNS_KEYTYPE_NOKEY 0xC000 /* No key usable for either; no key */
+#define DNS_KEYTYPE_NOAUTH DNS_KEYTYPE_CONFONLY
+#define DNS_KEYTYPE_NOCONF DNS_KEYTYPE_AUTHONLY
+
+#define DNS_KEYFLAG_RESERVED2 0x2000 /* reserved - must be zero */
+#define DNS_KEYFLAG_EXTENDED 0x1000 /* key has extended flags */
+#define DNS_KEYFLAG_RESERVED4 0x0800 /* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED5 0x0400 /* reserved - must be zero */
+#define DNS_KEYFLAG_OWNERMASK 0x0300 /* these bits determine the type */
+#define DNS_KEYOWNER_USER 0x0000 /* key is assoc. with user */
+#define DNS_KEYOWNER_ENTITY 0x0200 /* key is assoc. with entity eg host */
+#define DNS_KEYOWNER_ZONE 0x0100 /* key is zone key */
+#define DNS_KEYOWNER_RESERVED 0x0300 /* reserved meaning */
+#define DNS_KEYFLAG_RESERVED8 0x0080 /* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED9 0x0040 /* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED10 0x0020 /* reserved - must be zero */
+#define DNS_KEYFLAG_RESERVED11 0x0010 /* reserved - must be zero */
+#define DNS_KEYFLAG_SIGNATORYMASK 0x000F /* key can sign RR's of same name */
+
+#define DNS_KEYFLAG_RESERVEDMASK (DNS_KEYFLAG_RESERVED2 | \
+ DNS_KEYFLAG_RESERVED4 | \
+ DNS_KEYFLAG_RESERVED5 | \
+ DNS_KEYFLAG_RESERVED8 | \
+ DNS_KEYFLAG_RESERVED9 | \
+ DNS_KEYFLAG_RESERVED10 | \
+ DNS_KEYFLAG_RESERVED11 )
+#define DNS_KEYFLAG_KSK 0x0001 /* key signing key */
+
+#define DNS_KEYFLAG_RESERVEDMASK2 0xFFFF /* no bits defined here */
+
+/* The Algorithm field of the KEY and SIG RR's is an integer, {1..254} */
+#define DNS_KEYALG_RSAMD5 1 /* RSA with MD5 */
+#define DNS_KEYALG_RSA DNS_KEYALG_RSAMD5
+#define DNS_KEYALG_DH 2 /* Diffie Hellman KEY */
+#define DNS_KEYALG_DSA 3 /* DSA KEY */
+#define DNS_KEYALG_DSS NS_ALG_DSA
+#define DNS_KEYALG_ECC 4
+#define DNS_KEYALG_RSASHA1 5
+#define DNS_KEYALG_INDIRECT 252
+#define DNS_KEYALG_PRIVATEDNS 253
+#define DNS_KEYALG_PRIVATEOID 254 /* Key begins with OID giving alg */
+
+/* Protocol values */
+#define DNS_KEYPROTO_RESERVED 0
+#define DNS_KEYPROTO_TLS 1
+#define DNS_KEYPROTO_EMAIL 2
+#define DNS_KEYPROTO_DNSSEC 3
+#define DNS_KEYPROTO_IPSEC 4
+#define DNS_KEYPROTO_ANY 255
+
+/* Signatures */
+#define DNS_SIG_RSAMINBITS 512 /* Size of a mod or exp in bits */
+#define DNS_SIG_RSAMAXBITS 2552
+ /* Total of binary mod and exp */
+#define DNS_SIG_RSAMAXBYTES ((DNS_SIG_RSAMAXBITS+7/8)*2+3)
+ /* Max length of text sig block */
+#define DNS_SIG_RSAMAXBASE64 (((DNS_SIG_RSAMAXBYTES+2)/3)*4)
+#define DNS_SIG_RSAMINSIZE ((DNS_SIG_RSAMINBITS+7)/8)
+#define DNS_SIG_RSAMAXSIZE ((DNS_SIG_RSAMAXBITS+7)/8)
+
+#define DNS_SIG_DSASIGSIZE 41
+#define DNS_SIG_DSAMINBITS 512
+#define DNS_SIG_DSAMAXBITS 1024
+#define DNS_SIG_DSAMINBYTES 213
+#define DNS_SIG_DSAMAXBYTES 405
+
+#endif /* DNS_KEYVALUES_H */
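Review bot: `DNS_SIG_RSAMAXBYTES` is defined as `((DNS_SIG_RSAMAXBITS+7/8)*2+3)`, where `7/8` is integer division and evaluates to 0, so the macro yields 2552*2+3 = 5107 instead of the 641 that the rounding used in `DNS_SIG_RSAMAXSIZE` would give, and `DNS_SIG_RSAMAXBASE64` inherits the inflated value. The error overestimates, so anything sized from it is larger than intended rather than too small, but the intended form is presumably `(((DNS_SIG_RSAMAXBITS+7)/8)*2+3)`. Separately, `DNS_KEYALG_DSS` expands to `NS_ALG_DSA`, which this header neither defines nor includes a header for, so any use fails to compile unless the includer happens to define it. `#define DNS_KEYALG_DSS DNS_KEYALG_DSA` would match the `DNS_KEYALG_RSA` alias above it. Since this is a vendor import, both are better reported upstream than patched locally.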
diff --git a/contrib/bind9/lib/dns/include/dns/lib.h b/contrib/bind9/lib/dns/include/dns/lib.h
new file mode 100644
index 0000000..e53dd2b
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/lib.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:36 marka Exp $ */
+
+#ifndef DNS_LIB_H
+#define DNS_LIB_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dns_msgcat;
+
+void
+dns_lib_initmsgcat(void);
+/*
+ * Initialize the DNS library's message catalog, dns_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LIB_H */
diff --git a/contrib/bind9/lib/dns/include/dns/log.h b/contrib/bind9/lib/dns/include/dns/log.h
new file mode 100644
index 0000000..9901fc9
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/log.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.h,v 1.30.2.1.10.2 2004/03/06 08:13:57 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#ifndef DNS_LOG_H
+#define DNS_LOG_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBDNS_EXTERNAL_DATA extern isc_log_t *dns_lctx;
+LIBDNS_EXTERNAL_DATA extern isc_logcategory_t dns_categories[];
+LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
+
+#define DNS_LOGCATEGORY_NOTIFY (&dns_categories[0])
+#define DNS_LOGCATEGORY_DATABASE (&dns_categories[1])
+#define DNS_LOGCATEGORY_SECURITY (&dns_categories[2])
+/* DNS_LOGCATEGORY_CONFIG superseded by CFG_LOGCATEGORY_CONFIG */
+#define DNS_LOGCATEGORY_DNSSEC (&dns_categories[4])
+#define DNS_LOGCATEGORY_RESOLVER (&dns_categories[5])
+#define DNS_LOGCATEGORY_XFER_IN (&dns_categories[6])
+#define DNS_LOGCATEGORY_XFER_OUT (&dns_categories[7])
+#define DNS_LOGCATEGORY_DISPATCH (&dns_categories[8])
+#define DNS_LOGCATEGORY_LAME_SERVERS (&dns_categories[9])
+#define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10])
+
+/* Backwards compatibility. */
+#define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL
+
+#define DNS_LOGMODULE_DB (&dns_modules[0])
+#define DNS_LOGMODULE_RBTDB (&dns_modules[1])
+#define DNS_LOGMODULE_RBTDB64 (&dns_modules[2])
+#define DNS_LOGMODULE_RBT (&dns_modules[3])
+#define DNS_LOGMODULE_RDATA (&dns_modules[4])
+#define DNS_LOGMODULE_MASTER (&dns_modules[5])
+#define DNS_LOGMODULE_MESSAGE (&dns_modules[6])
+#define DNS_LOGMODULE_CACHE (&dns_modules[7])
+#define DNS_LOGMODULE_CONFIG (&dns_modules[8])
+#define DNS_LOGMODULE_RESOLVER (&dns_modules[9])
+#define DNS_LOGMODULE_ZONE (&dns_modules[10])
+#define DNS_LOGMODULE_JOURNAL (&dns_modules[11])
+#define DNS_LOGMODULE_ADB (&dns_modules[12])
+#define DNS_LOGMODULE_XFER_IN (&dns_modules[13])
+#define DNS_LOGMODULE_XFER_OUT (&dns_modules[14])
+#define DNS_LOGMODULE_ACL (&dns_modules[15])
+#define DNS_LOGMODULE_VALIDATOR (&dns_modules[16])
+#define DNS_LOGMODULE_DISPATCH (&dns_modules[17])
+#define DNS_LOGMODULE_REQUEST (&dns_modules[18])
+#define DNS_LOGMODULE_MASTERDUMP (&dns_modules[19])
+#define DNS_LOGMODULE_TSIG (&dns_modules[20])
+#define DNS_LOGMODULE_TKEY (&dns_modules[21])
+#define DNS_LOGMODULE_SDB (&dns_modules[22])
+#define DNS_LOGMODULE_DIFF (&dns_modules[23])
+#define DNS_LOGMODULE_HINTS (&dns_modules[24])
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_log_init(isc_log_t *lctx);
+/*
+ * Make the libdns categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * dns_log_init() is called only once.
+ *
+ * Ensures:
+ * The catgories and modules defined above are available for
+ * use by isc_log_usechannnel() and isc_log_write().
+ */
+
+void
+dns_log_setcontext(isc_log_t *lctx);
+/*
+ * Make the libdns library use the provided context for logging internal
+ * messages.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOG_H */
diff --git a/contrib/bind9/lib/dns/include/dns/lookup.h b/contrib/bind9/lib/dns/include/dns/lookup.h
new file mode 100644
index 0000000..2be254c
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/lookup.h
@@ -0,0 +1,138 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lookup.h,v 1.5.206.1 2004/03/06 08:13:57 marka Exp $ */
+
+#ifndef DNS_LOOKUP_H
+#define DNS_LOOKUP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Lookup
+ *
+ * The lookup module performs simple DNS lookups. It implements
+ * the full resolver algorithm, both looking for local data and
+ * resoving external names as necessary.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFCs: 1034, 1035, 2181, <TBS>
+ * Drafts: <TBS>
+ */
+
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A 'dns_lookupevent_t' is returned when a lookup completes.
+ * The sender field will be set to the lookup that completed. If 'result'
+ * is ISC_R_SUCCESS, then 'names' will contain a list of names associated
+ * with the address. The recipient of the event must not change the list
+ * and must not refer to any of the name data after the event is freed.
+ */
+typedef struct dns_lookupevent {
+ ISC_EVENT_COMMON(struct dns_lookupevent);
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdataset_t *sigrdataset;
+ dns_db_t *db;
+ dns_dbnode_t *node;
+} dns_lookupevent_t;
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
+ dns_view_t *view, unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg, dns_lookup_t **lookupp);
+/*
+ * Finds the rrsets matching 'name' and 'type'.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid mctx.
+ *
+ * 'name' is a valid name.
+ *
+ * 'view' is a valid view which has a resolver.
+ *
+ * 'task' is a valid task.
+ *
+ * lookupp != NULL && *lookupp == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Any resolver-related error (e.g. ISC_R_SHUTTINGDOWN) may also be
+ * returned.
+ */
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup);
+/*
+ * Cancel 'lookup'.
+ *
+ * Notes:
+ *
+ * If 'lookup' has not completed, post its LOOKUPDONE event with a
+ * result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ * 'lookup' is a valid lookup.
+ */
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp);
+/*
+ * Destroy 'lookup'.
+ *
+ * Requires:
+ *
+ * '*lookupp' is a valid lookup.
+ *
+ * The caller has received the LOOKUPDONE event (either because the
+ * lookup completed or because dns_lookup_cancel() was called).
+ *
+ * Ensures:
+ *
+ * *lookupp == NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_LOOKUP_H */
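Review bot: The comment above `dns_lookupevent_t` describes a `names` list "associated with the address", but the struct has no such member. It carries `name`, `rdataset`, `sigrdataset`, `db` and `node`, so the text looks carried over from a reverse-lookup event. It should describe those fields and keep the lifetime rule, for example `the recipient must not modify these fields or refer to them after the event is freed`. The Requires list for `dns_lookup_create()` also omits `action`, which presumably must be non-NULL since it receives the completion event.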
diff --git a/contrib/bind9/lib/dns/include/dns/master.h b/contrib/bind9/lib/dns/include/dns/master.h
new file mode 100644
index 0000000..0b861c6
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/master.h
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: master.h,v 1.31.2.3.2.7 2004/03/08 09:04:36 marka Exp $ */
+
+#ifndef DNS_MASTER_H
+#define DNS_MASTER_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*
+ * Flags to be passed in the 'options' argument in the functions below.
+ */
+#define DNS_MASTER_AGETTL 0x00000001 /* Age the ttl based on $DATE. */
+#define DNS_MASTER_MANYERRORS 0x00000002 /* Continue processing on errors. */
+#define DNS_MASTER_NOINCLUDE 0x00000004 /* Disallow $INCLUDE directives. */
+#define DNS_MASTER_ZONE 0x00000008 /* Loading a zone master file. */
+#define DNS_MASTER_HINT 0x00000010 /* Loading a hint master file. */
+#define DNS_MASTER_SLAVE 0x00000020 /* Loading a slave master file. */
+#define DNS_MASTER_CHECKNS 0x00000040 /* Check NS records to see if
+ * they are an address */
+#define DNS_MASTER_FATALNS 0x00000080 /* Treat DNS_MASTER_CHECKNS
+ * matches as fatal */
+#define DNS_MASTER_CHECKNAMES 0x00000100
+#define DNS_MASTER_CHECKNAMESFAIL 0x00000200
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Function
+ ***/
+
+isc_result_t
+dns_master_loadfile(const char *master_file,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadstream(FILE *stream,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex,
+ dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **ctxp, isc_mem_t *mctx);
+
+/*
+ * Loads a RFC 1305 master file from a file, stream, buffer, or existing
+ * lexer into rdatasets and then calls 'callbacks->commit' to commit the
+ * rdatasets. Rdata memory belongs to dns_master_load and will be
+ * reused / released when the callback completes. dns_load_master will
+ * abort if callbacks->commit returns any value other than ISC_R_SUCCESS.
+ *
+ * If 'DNS_MASTER_AGETTL' is set and the master file contains one or more
+ * $DATE directives, the TTLs of the data will be aged accordingly.
+ *
+ * 'callbacks->commit' is assumed to call 'callbacks->error' or
+ * 'callbacks->warn' to generate any error messages required.
+ *
+ * 'done' is called with 'done_arg' and a result code when the loading
+ * is completed or has failed. If the initial setup fails 'done' is
+ * not called.
+ *
+ * Requires:
+ * 'master_file' points to a valid string.
+ * 'lexer' points to a valid lexer.
+ * 'top' points to a valid name.
+ * 'origin' points to a valid name.
+ * 'callbacks->commit' points to a valid function.
+ * 'callbacks->error' points to a valid function.
+ * 'callbacks->warn' points to a valid function.
+ * 'mctx' points to a valid memory context.
+ * 'task' and 'done' to be valid.
+ * 'lmgr' to be valid.
+ * 'ctxp != NULL && ctxp == NULL'.
+ *
+ * Returns:
+ * ISC_R_SUCCESS upon successfully loading the master file.
+ * ISC_R_SEENINCLUDE upon successfully loading the master file with
+ * a $INCLUDE statement.
+ * ISC_R_NOMEMORY out of memory.
+ * ISC_R_UNEXPECTEDEND expected to be able to read a input token and
+ * there was not one.
+ * ISC_R_UNEXPECTED
+ * DNS_R_NOOWNER failed to specify a ownername.
+ * DNS_R_NOTTL failed to specify a ttl.
+ * DNS_R_BADCLASS record class did not match zone class.
+ * DNS_R_CONTINUE load still in progress (dns_master_load*inc() only).
+ * Any dns_rdata_fromtext() error code.
+ * Any error code from callbacks->commit().
+ */
+
+void
+dns_loadctx_detach(dns_loadctx_t **ctxp);
+/*
+ * Detach from the load context.
+ *
+ * Requires:
+ * '*ctxp' to be valid.
+ *
+ * Ensures:
+ * '*ctxp == NULL'
+ */
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target);
+/*
+ * Attach to the load context.
+ *
+ * Requires:
+ * 'source' to be valid.
+ * 'target != NULL && *target == NULL'.
+ */
+
+void
+dns_loadctx_cancel(dns_loadctx_t *ctx);
+/*
+ * Cancel loading the zone file associated with this load context.
+ *
+ * Requires:
+ * 'ctx' to be valid
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/masterdump.h b/contrib/bind9/lib/dns/include/dns/masterdump.h
new file mode 100644
index 0000000..5058945
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/masterdump.h
@@ -0,0 +1,303 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: masterdump.h,v 1.22.12.8 2004/03/19 05:00:49 marka Exp $ */
+
+#ifndef DNS_MASTERDUMP_H
+#define DNS_MASTERDUMP_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+typedef struct dns_master_style dns_master_style_t;
+
+/***
+ *** Definitions
+ ***/
+
+/*
+ * Flags affecting master file formatting. Flags 0x0000FFFF
+ * define the formatting of the rdata part and are defined in
+ * rdata.h.
+ */
+
+/* Omit the owner name when possible. */
+#define DNS_STYLEFLAG_OMIT_OWNER 0x00010000U
+
+/*
+ * Omit the TTL when possible. If DNS_STYLEFLAG_TTL is
+ * also set, this means no TTLs are ever printed
+ * because $TTL directives are generated before every
+ * change in the TTL. In this case, no columns need to
+ * be reserved for the TTL. Master files generated with
+ * these options will be rejected by BIND 4.x because it
+ * does not recognize the $TTL directive.
+ *
+ * If DNS_STYLEFLAG_TTL is not also set, the TTL will be
+ * omitted when it is equal to the previous TTL.
+ * This is correct according to RFC1035, but the
+ * TTLs may be silently misinterpreted by older
+ * versions of BIND which use the SOA MINTTL as a
+ * default TTL value.
+ */
+#define DNS_STYLEFLAG_OMIT_TTL 0x00020000U
+
+/* Omit the class when possible. */
+#define DNS_STYLEFLAG_OMIT_CLASS 0x00040000U
+
+/* Output $TTL directives. */
+#define DNS_STYLEFLAG_TTL 0x00080000U
+
+/*
+ * Output $ORIGIN directives and print owner names relative to
+ * the origin when possible.
+ */
+#define DNS_STYLEFLAG_REL_OWNER 0x00100000U
+
+/* Print domain names in RR data in relative form when possible.
+ For this to take effect, DNS_STYLEFLAG_REL_OWNER must also be set. */
+#define DNS_STYLEFLAG_REL_DATA 0x00200000U
+
+/* Print the trust level of each rdataset. */
+#define DNS_STYLEFLAG_TRUST 0x00400000U
+
+/* Print negative caching entries. */
+#define DNS_STYLEFLAG_NCACHE 0x00800000U
+
+/* Never print the TTL */
+#define DNS_STYLEFLAG_NO_TTL 0x01000000U
+
+/* Never print the CLASS */
+#define DNS_STYLEFLAG_NO_CLASS 0x02000000U
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Constants
+ ***/
+
+/*
+ * The default master file style.
+ *
+ * This uses $TTL directives to avoid the need to dedicate a
+ * tab stop for the TTL. The class is only printed for the first
+ * rrset in the file and shares a tab stop with the RR type.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
+
+/*
+ * A master file style that dumps zones to a very generic format easily
+ * imported/checked with external tools.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
+
+/*
+ * A master file style that prints explicit TTL values on each
+ * record line, never using $TTL statements. The TTL has a tab
+ * stop of its own, but the class and type share one.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
+ dns_master_style_explicitttl;
+
+/*
+ * A master style format designed for cache files. It prints explicit TTL
+ * values on each record line and never uses $ORIGIN or relative names.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
+
+/*
+ * A master style that prints name, ttl, class, type, and value on
+ * every line. Similar to explicitttl above, but more verbose.
+ * Intended for generating master files which can be easily parsed
+ * by perl scripts and similar applications.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
+
+/*
+ * The style used for debugging, "dig" output, etc.
+ */
+LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_debug;
+
+/***
+ *** Functions
+ ***/
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target);
+/*
+ * Attach to a dump context.
+ *
+ * Require:
+ * 'source' to be valid.
+ * 'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp);
+/*
+ * Detach from a dump context.
+ *
+ * Require:
+ * 'dctxp' to point to a valid dump context.
+ *
+ * Ensures:
+ * '*dctxp' is NULL.
+ */
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx);
+/*
+ * Cancel a in progress dump.
+ *
+ * Require:
+ * 'dctx' to be valid.
+ */
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx);
+/*
+ * Return the version handle (if any) of the database being dumped.
+ *
+ * Require:
+ * 'dctx' to be valid.
+ */
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx);
+/*
+ * Return the database being dumped.
+ *
+ * Require:
+ * 'dctx' to be valid.
+ */
+
+
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ const dns_master_style_t *style, FILE *f,
+ isc_task_t *task, dns_dumpdonefunc_t done,
+ void *done_arg, dns_dumpctx_t **dctxp);
+
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ const dns_master_style_t *style, FILE *f);
+/*
+ * Dump the database 'db' to the steam 'f' in RFC1035 master
+ * file format, in the style defined by 'style'
+ * (e.g., &dns_default_master_style_default)
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Require:
+ * 'task' to be valid.
+ * 'done' to be non NULL.
+ * 'dctxp' to be non NULL && '*dctxp' to be NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_CONTINUE dns_master_dumptostreaminc() only.
+ * ISC_R_NOMEMORY
+ * Any database or rrset iterator error.
+ * Any dns_rdata_totext() error code.
+ */
+
+isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ const dns_master_style_t *style, const char *filename,
+ isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+ dns_dumpctx_t **dctxp);
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ const dns_master_style_t *style, const char *filename);
+/*
+ * Dump the database 'db' to the file 'filename' in RFC1035 master
+ * file format, in the style defined by 'style'
+ * (e.g., &dns_default_master_style_default)
+ *
+ * Temporary dynamic memory may be allocated from 'mctx'.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_CONTINUE dns_master_dumpinc() only.
+ * ISC_R_NOMEMORY
+ * Any database or rrset iterator error.
+ * Any dns_rdata_totext() error code.
+ */
+
+isc_result_t
+dns_master_rdatasettotext(dns_name_t *owner_name,
+ dns_rdataset_t *rdataset,
+ const dns_master_style_t *style,
+ isc_buffer_t *target);
+/*
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ * The rdata cursor position will be changed.
+ *
+ * Requires:
+ * 'rdataset' is a valid non-question rdataset.
+ *
+ * 'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_master_questiontotext(dns_name_t *owner_name,
+ dns_rdataset_t *rdataset,
+ const dns_master_style_t *style,
+ isc_buffer_t *target);
+
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *name,
+ const dns_master_style_t *style,
+ FILE *f);
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *name,
+ const dns_master_style_t *style, const char *filename);
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
+ unsigned int ttl_column, unsigned int class_column,
+ unsigned int type_column, unsigned int rdata_column,
+ unsigned int line_length, unsigned int tab_width,
+ isc_mem_t *mctx);
+
+void
+dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MASTERDUMP_H */
diff --git a/contrib/bind9/lib/dns/include/dns/message.h b/contrib/bind9/lib/dns/include/dns/message.h
new file mode 100644
index 0000000..c827322
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/message.h
@@ -0,0 +1,1297 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: message.h,v 1.100.2.3.8.7 2004/03/08 02:08:00 marka Exp $ */
+
+#ifndef DNS_MESSAGE_H
+#define DNS_MESSAGE_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/compress.h>
+#include <dns/masterdump.h>
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+/*
+ * How this beast works:
+ *
+ * When a dns message is received in a buffer, dns_message_fromwire() is called
+ * on the memory region. Various items are checked including the format
+ * of the message (if counts are right, if counts consume the entire sections,
+ * and if sections consume the entire message) and known pseudo-RRs in the
+ * additional data section are analyzed and removed.
+ *
+ * TSIG checking is also done at this layer, and any DNSSEC transaction
+ * signatures should also be checked here.
+ *
+ * Notes on using the gettemp*() and puttemp*() functions:
+ *
+ * These functions return items (names, rdatasets, etc) allocated from some
+ * internal state of the dns_message_t.
+ *
+ * Names and rdatasets must be put back into the dns_message_t in
+ * one of two ways. Assume a name was allocated via
+ * dns_message_gettempname():
+ *
+ * (1) insert it into a section, using dns_message_addname().
+ *
+ * (2) return it to the message using dns_message_puttempname().
+ *
+ * The same applies to rdatasets.
+ *
+ * On the other hand, offsets, rdatalists and rdatas allocated using
+ * dns_message_gettemp*() will always be freed automatically
+ * when the message is reset or destroyed; calling dns_message_puttemp*()
+ * on rdatalists and rdatas is optional and serves only to enable the item
+ * to be reused multiple times during the lifetime of the message; offsets
+ * cannot be reused.
+ *
+ * Buffers allocated using isc_buffer_allocate() can be automatically freed
+ * as well by giving the buffer to the message using dns_message_takebuffer().
+ * Doing this will cause the buffer to be freed using isc_buffer_free()
+ * when the section lists are cleared, such as in a reset or in a destroy.
+ * Since the buffer itself exists until the message is destroyed, this sort
+ * of code can be written:
+ *
+ * buffer = isc_buffer_allocate(mctx, 512);
+ * name = NULL;
+ * name = dns_message_gettempname(message, &name);
+ * dns_name_init(name, NULL);
+ * result = dns_name_fromtext(name, &source, dns_rootname, ISC_FALSE,
+ * buffer);
+ * dns_message_takebuffer(message, &buffer);
+ *
+ *
+ * TODO:
+ *
+ * XXX Needed: ways to set and retrieve EDNS information, add rdata to a
+ * section, move rdata from one section to another, remove rdata, etc.
+ */
+
+#define DNS_MESSAGEFLAG_QR 0x8000U
+#define DNS_MESSAGEFLAG_AA 0x0400U
+#define DNS_MESSAGEFLAG_TC 0x0200U
+#define DNS_MESSAGEFLAG_RD 0x0100U
+#define DNS_MESSAGEFLAG_RA 0x0080U
+#define DNS_MESSAGEFLAG_AD 0x0020U
+#define DNS_MESSAGEFLAG_CD 0x0010U
+
+#define DNS_MESSAGEEXTFLAG_DO 0x8000U
+
+#define DNS_MESSAGE_REPLYPRESERVE (DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
+#define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
+
+#define DNS_MESSAGE_HEADERLEN 12 /* 6 isc_uint16_t's */
+
+#define DNS_MESSAGE_MAGIC ISC_MAGIC('M','S','G','@')
+#define DNS_MESSAGE_VALID(msg) ISC_MAGIC_VALID(msg, DNS_MESSAGE_MAGIC)
+
+/*
+ * Ordering here matters. DNS_SECTION_ANY must be the lowest and negative,
+ * and DNS_SECTION_MAX must be one greater than the last used section.
+ */
+typedef int dns_section_t;
+#define DNS_SECTION_ANY (-1)
+#define DNS_SECTION_QUESTION 0
+#define DNS_SECTION_ANSWER 1
+#define DNS_SECTION_AUTHORITY 2
+#define DNS_SECTION_ADDITIONAL 3
+#define DNS_SECTION_MAX 4
+
+typedef int dns_pseudosection_t;
+#define DNS_PSEUDOSECTION_ANY (-1)
+#define DNS_PSEUDOSECTION_OPT 0
+#define DNS_PSEUDOSECTION_TSIG 1
+#define DNS_PSEUDOSECTION_SIG0 2
+#define DNS_PSEUDOSECTION_MAX 3
+
+typedef int dns_messagetextflag_t;
+#define DNS_MESSAGETEXTFLAG_NOCOMMENTS 0x0001
+#define DNS_MESSAGETEXTFLAG_NOHEADERS 0x0002
+
+/*
+ * Dynamic update names for these sections.
+ */
+#define DNS_SECTION_ZONE DNS_SECTION_QUESTION
+#define DNS_SECTION_PREREQUISITE DNS_SECTION_ANSWER
+#define DNS_SECTION_UPDATE DNS_SECTION_AUTHORITY
+
+/*
+ * These tell the message library how the created dns_message_t will be used.
+ */
+#define DNS_MESSAGE_INTENTUNKNOWN 0 /* internal use only */
+#define DNS_MESSAGE_INTENTPARSE 1 /* parsing messages */
+#define DNS_MESSAGE_INTENTRENDER 2 /* rendering */
+
+/*
+ * Control behavior of parsing
+ */
+#define DNS_MESSAGEPARSE_PRESERVEORDER 0x0001 /* preserve rdata order */
+#define DNS_MESSAGEPARSE_BESTEFFORT 0x0002 /* return a message if a
+ recoverable parse error
+ occurs */
+#define DNS_MESSAGEPARSE_CLONEBUFFER 0x0004 /* save a copy of the
+ source buffer */
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /* trucation errors are
+ * not fatal. */
+
+/*
+ * Control behavior of rendering
+ */
+#define DNS_MESSAGERENDER_ORDERED 0x0001 /* don't change order */
+#define DNS_MESSAGERENDER_PARTIAL 0x0002 /* allow a partial rdataset */
+#define DNS_MESSAGERENDER_OMITDNSSEC 0x0004 /* omit DNSSEC records */
+#define DNS_MESSAGERENDER_PREFER_A 0x0008 /* prefer A records in
+ * additional section. */
+#define DNS_MESSAGERENDER_PREFER_AAAA 0x0010 /* prefer AAAA records in
+ * additional section. */
+
+typedef struct dns_msgblock dns_msgblock_t;
+
+struct dns_message {
+ /* public from here down */
+ unsigned int magic;
+
+ dns_messageid_t id;
+ unsigned int flags;
+ dns_rcode_t rcode;
+ unsigned int opcode;
+ dns_rdataclass_t rdclass;
+
+ /* 4 real, 1 pseudo */
+ unsigned int counts[DNS_SECTION_MAX];
+
+ /* private from here down */
+ dns_namelist_t sections[DNS_SECTION_MAX];
+ dns_name_t *cursors[DNS_SECTION_MAX];
+ dns_rdataset_t *opt;
+ dns_rdataset_t *sig0;
+ dns_rdataset_t *tsig;
+
+ int state;
+ unsigned int from_to_wire : 2;
+ unsigned int header_ok : 1;
+ unsigned int question_ok : 1;
+ unsigned int tcp_continuation : 1;
+ unsigned int verified_sig : 1;
+ unsigned int verify_attempted : 1;
+ unsigned int free_query : 1;
+ unsigned int free_saved : 1;
+
+ unsigned int opt_reserved;
+ unsigned int sig_reserved;
+ unsigned int reserved; /* reserved space (render) */
+
+ isc_buffer_t *buffer;
+ dns_compress_t *cctx;
+
+ isc_mem_t *mctx;
+ isc_mempool_t *namepool;
+ isc_mempool_t *rdspool;
+
+ isc_bufferlist_t scratchpad;
+ isc_bufferlist_t cleanup;
+
+ ISC_LIST(dns_msgblock_t) rdatas;
+ ISC_LIST(dns_msgblock_t) rdatalists;
+ ISC_LIST(dns_msgblock_t) offsets;
+
+ ISC_LIST(dns_rdata_t) freerdata;
+ ISC_LIST(dns_rdatalist_t) freerdatalist;
+
+ dns_rcode_t tsigstatus;
+ dns_rcode_t querytsigstatus;
+ dns_name_t *tsigname; /* Owner name of TSIG, if any */
+ dns_rdataset_t *querytsig;
+ dns_tsigkey_t *tsigkey;
+ dst_context_t *tsigctx;
+ int sigstart;
+ int timeadjust;
+
+ dns_name_t *sig0name; /* Owner name of SIG0, if any */
+ dst_key_t *sig0key;
+ dns_rcode_t sig0status;
+ isc_region_t query;
+ isc_region_t saved;
+
+ dns_rdatasetorderfunc_t order;
+ void * order_arg;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp);
+
+/*
+ * Create msg structure.
+ *
+ * This function will allocate some internal blocks of memory that are
+ * expected to be needed for parsing or rendering nearly any type of message.
+ *
+ * Requires:
+ * 'mctx' be a valid memory context.
+ *
+ * 'msgp' be non-null and '*msg' be NULL.
+ *
+ * 'intent' must be one of DNS_MESSAGE_INTENTPARSE or
+ * DNS_MESSAGE_INTENTRENDER.
+ *
+ * Ensures:
+ * The data in "*msg" is set to indicate an unused and empty msg
+ * structure.
+ *
+ * Returns:
+ * ISC_R_NOMEMORY -- out of memory
+ * ISC_R_SUCCESS -- success
+ */
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent);
+/*
+ * Reset a message structure to default state. All internal lists are freed
+ * or reset to a default state as well. This is simply a more efficient
+ * way to call dns_message_destroy() followed by dns_message_allocate(),
+ * since it avoid many memory allocations.
+ *
+ * If any data loanouts (buffers, names, rdatas, etc) were requested,
+ * the caller must no longer use them after this call.
+ *
+ * The intended next use of the message will be 'intent'.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'intent' is DNS_MESSAGE_INTENTPARSE or DNS_MESSAGE_INTENTRENDER
+ */
+
+void
+dns_message_destroy(dns_message_t **msgp);
+/*
+ * Destroy all state in the message.
+ *
+ * Requires:
+ *
+ * 'msgp' be valid.
+ *
+ * Ensures:
+ * '*msgp' == NULL
+ */
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+ const dns_master_style_t *style,
+ dns_messagetextflag_t flags,
+ isc_buffer_t *target);
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+ dns_pseudosection_t section,
+ const dns_master_style_t *style,
+ dns_messagetextflag_t flags,
+ isc_buffer_t *target);
+/*
+ * Convert section 'section' or 'pseudosection' of message 'msg' to
+ * a cleartext representation
+ *
+ * Notes:
+ * See dns_message_totext for meanings of flags.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message.
+ *
+ * 'style' is a valid master dump style.
+ *
+ * 'target' is a valid buffer.
+ *
+ * 'section' is a valid section label.
+ *
+ * Ensures:
+ *
+ * If the result is success:
+ *
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ * ISC_R_NOMORE
+ *
+ * Note: On error return, *target may be partially filled with data.
+*/
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+ dns_messagetextflag_t flags, isc_buffer_t *target);
+/*
+ * Convert all sections of message 'msg' to a cleartext representation
+ *
+ * Notes:
+ * In flags, If DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
+ * final '.' in absolute names will not be emitted. If
+ * DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
+ * with ";;" will be emitted indicating section name. If
+ * DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
+ * be emitted.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message.
+ *
+ * 'style' is a valid master dump style.
+ *
+ * 'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ * If the result is success:
+ *
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ * ISC_R_NOMORE
+ *
+ * Note: On error return, *target may be partially filled with data.
+ */
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ unsigned int options);
+/*
+ * Parse raw wire data in 'source' as a DNS message.
+ *
+ * OPT records are detected and stored in the pseudo-section "opt".
+ * TSIGs are detected and stored in the pseudo-section "tsig".
+ *
+ * If DNS_MESSAGEPARSE_PRESERVEORDER is set, or if the opcode of the message
+ * is UPDATE, a separate dns_name_t object will be created for each RR in the
+ * message. Each such dns_name_t will have a single rdataset containing the
+ * single RR, and the order of the RRs in the message is preserved.
+ * Otherwise, only one dns_name_t object will be created for each unique
+ * owner name in the section, and each such dns_name_t will have a list
+ * of rdatasets. To access the names and their data, use
+ * dns_message_firstname() and dns_message_nextname().
+ *
+ * If DNS_MESSAGEPARSE_BESTEFFORT is set, errors in message content will
+ * not be considered FORMERRs. If the entire message can be parsed, it
+ * will be returned and DNS_R_RECOVERABLE will be returned.
+ *
+ * If DNS_MESSAGEPARSE_IGNORETRUNCATION is set then return as many complete
+ * RR's as possible, DNS_R_RECOVERABLE will be returned.
+ *
+ * OPT and TSIG records are always handled specially, regardless of the
+ * 'preserve_order' setting.
+ *
+ * Requires:
+ * "msg" be valid.
+ *
+ * "buffer" be a wire format buffer.
+ *
+ * Ensures:
+ * The buffer's data format is correct.
+ *
+ * The buffer's contents verify as correct regarding header bits, buffer
+ * and rdata sizes, etc.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well
+ * ISC_R_NOMEMORY -- no memory
+ * DNS_R_RECOVERABLE -- the message parsed properly, but contained
+ * errors.
+ * Many other errors possible XXXMLG
+ */
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+ isc_buffer_t *buffer);
+/*
+ * Begin rendering on a message. Only one call can be made to this function
+ * per message.
+ *
+ * The compression context is "owned" by the message library until
+ * dns_message_renderend() is called. It must be invalidated by the caller.
+ *
+ * The buffer is "owned" by the message library until dns_message_renderend()
+ * is called.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'cctx' be valid.
+ *
+ * 'buffer' is a valid buffer.
+ *
+ * Side Effects:
+ *
+ * The buffer is cleared before it is used.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well
+ * ISC_R_NOSPACE -- output buffer is too small
+ */
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer);
+/*
+ * Reset the buffer. This can be used after growing the old buffer
+ * on a ISC_R_NOSPACE return from most of the render functions.
+ *
+ * On successful completion, the old buffer is no longer used by the
+ * library. The new buffer is owned by the library until
+ * dns_message_renderend() is called.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * dns_message_renderbegin() was called.
+ *
+ * buffer != NULL.
+ *
+ * Returns:
+ * ISC_R_NOSPACE -- new buffer is too small
+ * ISC_R_SUCCESS -- all is well.
+ */
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space);
+/*
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Reserve "space" bytes in the given buffer.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * dns_message_renderbegin() was called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well.
+ * ISC_R_NOSPACE -- not enough free space in the buffer.
+ */
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space);
+/*
+ * XXXMLG should use size_t rather than unsigned int once the buffer
+ * API is cleaned up
+ *
+ * Release "space" bytes in the given buffer that was previously reserved.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'space' is less than or equal to the total amount of space reserved
+ * via prior calls to dns_message_renderreserve().
+ *
+ * dns_message_renderbegin() was called.
+ */
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t section,
+ unsigned int options);
+/*
+ * Render all names, rdatalists, etc from the given section at the
+ * specified priority or higher.
+ *
+ * Requires:
+ * 'msg' be valid.
+ *
+ * 'section' be a valid section.
+ *
+ * dns_message_renderbegin() was called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all records were written, and there are
+ * no more records for this section.
+ * ISC_R_NOSPACE -- Not enough room in the buffer to write
+ * all records requested.
+ * DNS_R_MOREDATA -- All requested records written, and there
+ * are records remaining for this section.
+ */
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target);
+/*
+ * Render the message header. This is implicitly called by
+ * dns_message_renderend().
+ *
+ * Requires:
+ *
+ * 'msg' be a valid message.
+ *
+ * dns_message_renderbegin() was called.
+ *
+ * 'target' is a valid buffer with enough space to hold a message header
+ */
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg);
+/*
+ * Finish rendering to the buffer. Note that more data can be in the
+ * 'msg' structure. Destroying the structure will free this, or in a multi-
+ * part EDNS1 message this data can be rendered to another buffer later.
+ *
+ * Requires:
+ *
+ * 'msg' be a valid message.
+ *
+ * dns_message_renderbegin() was called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well.
+ */
+
+void
+dns_message_renderreset(dns_message_t *msg);
+/*
+ * Reset the message so that it may be rendered again.
+ *
+ * Notes:
+ *
+ * If dns_message_renderbegin() has been called, dns_message_renderend()
+ * must be called before calling this function.
+ *
+ * Requires:
+ *
+ * 'msg' be a valid message with rendering intent.
+ */
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section);
+/*
+ * Set internal per-section name pointer to the beginning of the section.
+ *
+ * The functions dns_message_firstname() and dns_message_nextname() may
+ * be used for iterating over the owner names in a section.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'section' be a valid section.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMORE -- No names on given section.
+ */
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section);
+/*
+ * Sets the internal per-section name pointer to point to the next name
+ * in that section.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'section' be a valid section.
+ *
+ * dns_message_firstname() must have been called on this section,
+ * and the result was ISC_R_SUCCESS.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMORE -- No more names in given section.
+ */
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+ dns_name_t **name);
+/*
+ * Sets 'name' to point to the name where the per-section internal name
+ * pointer is currently set.
+ *
+ * This function returns the name in the database, so any data associated
+ * with it (via the name's "list" member) contains the actual rdatasets.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'name' be non-NULL, and *name be NULL.
+ *
+ * 'section' be a valid section.
+ *
+ * dns_message_firstname() must have been called on this section,
+ * and the result of it and any dns_message_nextname() calls was
+ * ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+ dns_name_t *target, dns_rdatatype_t type,
+ dns_rdatatype_t covers, dns_name_t **foundname,
+ dns_rdataset_t **rdataset);
+/*
+ * Search for a name in the specified section. If it is found, *name is
+ * set to point to the name, and *rdataset is set to point to the found
+ * rdataset (if type is specified as other than dns_rdatatype_any).
+ *
+ * Requires:
+ * 'msg' be valid.
+ *
+ * 'section' be a valid section.
+ *
+ * If a pointer to the name is desired, 'foundname' should be non-NULL.
+ * If it is non-NULL, '*foundname' MUST be NULL.
+ *
+ * If a type other than dns_datatype_any is searched for, 'rdataset'
+ * may be non-NULL, '*rdataset' be NULL, and will point at the found
+ * rdataset. If the type is dns_datatype_any, 'rdataset' must be NULL.
+ *
+ * 'target' be a valid name.
+ *
+ * 'type' be a valid type.
+ *
+ * If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ * Otherwise it should be 0.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well.
+ * DNS_R_NXDOMAIN -- name does not exist in that section.
+ * DNS_R_NXRRSET -- The name does exist, but the desired
+ * type does not.
+ */
+
+isc_result_t
+dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
+ dns_rdatatype_t covers, dns_rdataset_t **rdataset);
+/*
+ * Search the name for the specified type. If it is found, *rdataset is
+ * filled in with a pointer to that rdataset.
+ *
+ * Requires:
+ * if '**rdataset' is non-NULL, *rdataset needs to be NULL.
+ *
+ * 'type' be a valid type, and NOT dns_rdatatype_any.
+ *
+ * If 'type' is dns_rdatatype_rrsig, 'covers' must be a valid type.
+ * Otherwise it should be 0.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- all is well.
+ * ISC_R_NOTFOUND -- the desired type does not exist.
+ */
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+ dns_section_t fromsection,
+ dns_section_t tosection);
+/*
+ * Move a name from one section to another.
+ *
+ * Requires:
+ *
+ * 'msg' be valid.
+ *
+ * 'name' must be a name already in 'fromsection'.
+ *
+ * 'fromsection' must be a valid section.
+ *
+ * 'tosection' must be a valid section.
+ */
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+ dns_section_t section);
+/*
+ * Adds the name to the given section.
+ *
+ * It is the caller's responsibility to enforce any unique name requirements
+ * in a section.
+ *
+ * Requires:
+ *
+ * 'msg' be valid, and be a renderable message.
+ *
+ * 'name' be a valid absolute name.
+ *
+ * 'section' be a named section.
+ */
+
+/*
+ * LOANOUT FUNCTIONS
+ *
+ * Each of these functions loan a particular type of data to the caller.
+ * The storage for these will vanish when the message is destroyed or
+ * reset, and must NOT be used after these operations.
+ */
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item);
+/*
+ * Return a name that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * It is the caller's responsibility to initialize this name.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMEMORY -- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item);
+/*
+ * Return an offsets array that can be used for any temporary purpose,
+ * such as attaching to a temporary name. The offsets will be freed
+ * when the message is destroyed or reset.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMEMORY -- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*
+ * Return a rdata that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The rdata will be freed
+ * when the message is destroyed or reset.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMEMORY -- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*
+ * Return a rdataset that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The name must be returned
+ * to the message code using dns_message_puttempname() or inserted into
+ * one of the message's sections before the message is destroyed.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMEMORY -- No item can be allocated.
+ */
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*
+ * Return a rdatalist that can be used for any temporary purpose, including
+ * inserting into the message's linked lists. The rdatalist will be
+ * destroyed when the message is destroyed or reset.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- All is well.
+ * ISC_R_NOMEMORY -- No item can be allocated.
+ */
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item);
+/*
+ * Return a borrowed name to the message's name free list.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item point to a name returned by
+ * dns_message_gettempname()
+ *
+ * Ensures:
+ * *item == NULL
+ */
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item);
+/*
+ * Return a borrowed rdata to the message's rdata free list.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item point to a rdata returned by
+ * dns_message_gettemprdata()
+ *
+ * Ensures:
+ * *item == NULL
+ */
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item);
+/*
+ * Return a borrowed rdataset to the message's rdataset free list.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item point to a rdataset returned by
+ * dns_message_gettemprdataset()
+ *
+ * Ensures:
+ * *item == NULL
+ */
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item);
+/*
+ * Return a borrowed rdatalist to the message's rdatalist free list.
+ *
+ * Requires:
+ * msg be a valid message
+ *
+ * item != NULL && *item point to a rdatalist returned by
+ * dns_message_gettemprdatalist()
+ *
+ * Ensures:
+ * *item == NULL
+ */
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+ unsigned int *flagsp);
+/*
+ * Assume the remaining region of "source" is a DNS message. Peek into
+ * it and fill in "*idp" with the message id, and "*flagsp" with the flags.
+ *
+ * Requires:
+ *
+ * source != NULL
+ *
+ * Ensures:
+ *
+ * if (idp != NULL) *idp == message id.
+ *
+ * if (flagsp != NULL) *flagsp == message flags.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ *
+ * ISC_R_UNEXPECTEDEND -- buffer doesn't contain enough for a header.
+ */
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section);
+/*
+ * Start formatting a reply to the query in 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message with parsing intent, and contains a query.
+ *
+ * Ensures:
+ *
+ * The message will have a rendering intent. If 'want_question_section'
+ * is true, the message opcode is query or notify, and the question
+ * section is present and properly formatted, then the question section
+ * will be included in the reply. All other sections will be cleared.
+ * The QR flag will be set, the RD flag will be preserved, and all other
+ * flags will be cleared.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ *
+ * DNS_R_FORMERR -- the header or question section of the
+ * message is invalid, replying is impossible.
+ * If DNS_R_FORMERR is returned when
+ * want_question_section is ISC_FALSE, then
+ * it's the header section that's bad;
+ * otherwise either of the header or question
+ * sections may be bad.
+ */
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg);
+/*
+ * Get the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message.
+ *
+ * Returns:
+ *
+ * The OPT rdataset of 'msg', or NULL if there isn't one.
+ */
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
+/*
+ * Set the OPT record for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message with rendering intent
+ * and no sections have been rendered.
+ *
+ * 'opt' is a valid OPT record.
+ *
+ * Ensures:
+ *
+ * The OPT record has either been freed or ownership of it has
+ * been transferred to the message.
+ *
+ * If ISC_R_SUCCESS was returned, the OPT record will be rendered
+ * when dns_message_renderend() is called.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ *
+ * ISC_R_NOSPACE -- there is no space for the OPT record.
+ */
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner);
+/*
+ * Get the TSIG record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message.
+ * 'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ * The TSIG rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key);
+/*
+ * Set the tsig key for 'msg'. This is only necessary for when rendering a
+ * query or parsing a response. The key (if non-NULL) is attached to, and
+ * will be detached when the message is destroyed.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message with rendering intent,
+ * dns_message_renderbegin() has been called, and no sections have been
+ * rendered.
+ * 'key' is a valid tsig key or NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ *
+ * ISC_R_NOSPACE -- there is no space for the TSIG record.
+ */
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg);
+/*
+ * Gets the tsig key for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message
+ */
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig);
+/*
+ * Indicates that 'querytsig' is the TSIG from the signed query for which
+ * 'msg' is the response. This is also used for chained TSIGs in TCP
+ * responses.
+ *
+ * Requires:
+ *
+ * 'querytsig' is a valid buffer as returned by dns_message_getquerytsig()
+ * or NULL
+ *
+ * 'msg' is a valid message
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+ isc_buffer_t **querytsig);
+/*
+ * Gets the tsig from the TSIG from the signed query 'msg'. This is also used
+ * for chained TSIGs in TCP responses. Unlike dns_message_gettsig, this makes
+ * a copy of the data, so can be used if the message is destroyed.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid signed message
+ * 'mctx' is a valid memory context
+ * querytsig != NULL && *querytsig == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Ensures:
+ * 'tsig' points to NULL or an allocated buffer which must be freed
+ * by the caller.
+ */
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, dns_name_t **owner);
+/*
+ * Get the SIG(0) record and owner for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message.
+ * 'owner' is NULL or *owner is NULL.
+ *
+ * Returns:
+ *
+ * The SIG(0) rdataset of 'msg', or NULL if there isn't one.
+ *
+ * Ensures:
+ *
+ * If 'owner' is not NULL, it will point to the owner name.
+ */
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key);
+/*
+ * Set the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message with rendering intent,
+ * dns_message_renderbegin() has been called, and no sections have been
+ * rendered.
+ * 'key' is a valid sig key or NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- all is well.
+ *
+ * ISC_R_NOSPACE -- there is no space for the SIG(0) record.
+ */
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg);
+/*
+ * Gets the SIG(0) key for 'msg'.
+ *
+ * Requires:
+ *
+ * 'msg' is a valid message
+ */
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
+/*
+ * Give the *buffer to the message code to clean up when it is no
+ * longer needed. This is usually when the message is reset or
+ * destroyed.
+ *
+ * Requires:
+ *
+ * msg be a valid message.
+ *
+ * buffer != NULL && *buffer is a valid isc_buffer_t, which was
+ * dynamincally allocated via isc_buffer_allocate().
+ */
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer);
+/*
+ * If this message was signed, return the identity of the signer.
+ * Unless ISC_R_NOTFOUND is returned, signer will reflect the name of the
+ * key that signed the message.
+ *
+ * Requires:
+ *
+ * msg is a valid parsed message.
+ * signer is a valid name
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS - the message was signed, and *signer
+ * contains the signing identity
+ *
+ * ISC_R_NOTFOUND - no TSIG or SIG(0) record is present in the
+ * message
+ *
+ * DNS_R_TSIGVERIFYFAILURE - the message was signed by a TSIG, but the
+ * signature failed to verify
+ *
+ * DNS_R_TSIGERRORSET - the message was signed by a TSIG and
+ * verified, but the query was rejected by
+ * the server
+ *
+ * DNS_R_NOIDENTITY - the message was signed by a TSIG and
+ * verified, but the key has no identity since
+ * it was generated by an unsigned TKEY process
+ *
+ * DNS_R_SIGINVALID - the message was signed by a SIG(0), but
+ * the signature failed to verify
+ *
+ * DNS_R_NOTVERIFIEDYET - the message was signed by a TSIG or SIG(0),
+ * but the signature has not been verified yet
+ */
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view);
+/*
+ * If this message was signed, verify the signature.
+ *
+ * Requires:
+ *
+ * msg is a valid parsed message.
+ * view is a valid view or NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS - the message was unsigned, or the message
+ * was signed correctly.
+ *
+ * DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
+ * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ * DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view);
+/*
+ * Reset the signature state and then if the message was signed,
+ * verify the message.
+ *
+ * Requires:
+ *
+ * msg is a valid parsed message.
+ * view is a valid view or NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS - the message was unsigned, or the message
+ * was signed correctly.
+ *
+ * DNS_R_EXPECTEDTSIG - A TSIG was expected, but not seen
+ * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ * DNS_R_TSIGVERIFYFAILURE - The TSIG failed to verify
+ */
+
+void
+dns_message_resetsig(dns_message_t *msg);
+/*
+ * Reset the signature state.
+ *
+ * Requires:
+ * 'msg' is a valid parsed message.
+ */
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg);
+/*
+ * Retrieve the raw message in compressed wire format. The message must
+ * have been successfully parsed for it to have been saved.
+ *
+ * Requires:
+ * msg is a valid parsed message.
+ *
+ * Returns:
+ * NULL if there is no saved message.
+ * a pointer to a region which refers the dns message.
+ */
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+ void *order_arg);
+/*
+ * Define the order in which RR sets get rendered by
+ * dns_message_rendersection() to be the ascending order
+ * defined by the integer value returned by 'order' when
+ * given each RR and 'arg' as arguments. If 'order' and
+ * 'order_arg' are NULL, a default order is used.
+ *
+ * Requires:
+ * msg be a valid message.
+ * order_arg is NULL if and only if order is NULL.
+ */
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
+/*
+ * Adjust the time used to sign/verify a message by timeadjust.
+ * Currently only TSIG.
+ *
+ * Requires:
+ * msg be a valid message.
+ */
+
+int
+dns_message_gettimeadjust(dns_message_t *msg);
+/*
+ * Return the current time adjustment.
+ *
+ * Requires:
+ * msg be a valid message.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_MESSAGE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/name.h b/contrib/bind9/lib/dns/include/dns/name.h
new file mode 100644
index 0000000..dd6a123
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/name.h
@@ -0,0 +1,1246 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: name.h,v 1.95.2.3.2.11 2004/09/01 05:19:59 marka Exp $ */
+
+#ifndef DNS_NAME_H
+#define DNS_NAME_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Names and Labels
+ *
+ * Provides facilities for manipulating DNS names and labels, including
+ * conversions to and from wire format and text format.
+ *
+ * Given the large number of names possible in a nameserver, and because
+ * names occur in rdata, it was important to come up with a very efficient
+ * way of storing name data, but at the same time allow names to be
+ * manipulated. The decision was to store names in uncompressed wire format,
+ * and not to make them fully abstracted objects; i.e. certain parts of the
+ * server know names are stored that way. This saves a lot of memory, and
+ * makes adding names to messages easy. Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of names to be manipulating such a low-level structure. This is
+ * where the Names and Labels module comes in. The module allows name or
+ * label handles to be created and attached to uncompressed wire format
+ * regions. All name operations and conversions are done through these
+ * handles.
+ *
+ * MP:
+ * Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ * This module deals with low-level byte streams. Errors in any of
+ * the functions are likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ * None.
+ *
+ * Security:
+ *
+ * *** WARNING ***
+ *
+ * dns_name_fromwire() deals with raw network data. An error in
+ * this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ * RFC 1035
+ * Draft EDNS0 (0)
+ * Draft Binary Labels (2)
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/boolean.h>
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/region.h> /* Required for storage size of dns_label_t. */
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Labels
+ *****
+ ***** A 'label' is basically a region. It contains one DNS wire format
+ ***** label of type 00 (ordinary).
+ *****/
+
+/*****
+ ***** Names
+ *****
+ ***** A 'name' is a handle to a binary region. It contains a sequence of one
+ ***** or more DNS wire format labels of type 00 (ordinary).
+ ***** Note that all names are not required to end with the root label,
+ ***** as they are in the actual DNS wire protocol.
+ *****/
+
+/***
+ *** Compression pointer chaining limit
+ ***/
+
+#define DNS_POINTER_MAXHOPS 16
+
+/***
+ *** Types
+ ***/
+
+/*
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' and 'list' fields which may be used directly
+ * for whatever purpose the client desires.
+ */
+struct dns_name {
+ unsigned int magic;
+ unsigned char * ndata;
+ unsigned int length;
+ unsigned int labels;
+ unsigned int attributes;
+ unsigned char * offsets;
+ isc_buffer_t * buffer;
+ ISC_LINK(dns_name_t) link;
+ ISC_LIST(dns_rdataset_t) list;
+};
+
+#define DNS_NAME_MAGIC ISC_MAGIC('D','N','S','n')
+
+#define DNS_NAMEATTR_ABSOLUTE 0x0001
+#define DNS_NAMEATTR_READONLY 0x0002
+#define DNS_NAMEATTR_DYNAMIC 0x0004
+#define DNS_NAMEATTR_DYNOFFSETS 0x0008
+/*
+ * Attributes below 0x0100 reserved for name.c usage.
+ */
+#define DNS_NAMEATTR_CACHE 0x0100 /* Used by resolver. */
+#define DNS_NAMEATTR_ANSWER 0x0200 /* Used by resolver. */
+#define DNS_NAMEATTR_NCACHE 0x0400 /* Used by resolver. */
+#define DNS_NAMEATTR_CHAINING 0x0800 /* Used by resolver. */
+#define DNS_NAMEATTR_CHASE 0x1000 /* Used by resolver. */
+#define DNS_NAMEATTR_WILDCARD 0x2000 /* Used by server. */
+
+#define DNS_NAME_DOWNCASE 0x0001
+#define DNS_NAME_CHECKNAMES 0x0002 /* Used by rdata. */
+#define DNS_NAME_CHECKNAMESFAIL 0x0004 /* Used by rdata. */
+#define DNS_NAME_CHECKREVERSE 0x0008 /* Used by rdata. */
+
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_rootname;
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_wildcardname;
+
+/*
+ * Standard size of a wire format name
+ */
+#define DNS_NAME_MAXWIRE 255
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets);
+/*
+ * Initialize 'name'.
+ *
+ * Notes:
+ * 'offsets' is never required to be non-NULL, but specifying a
+ * dns_offsets_t for 'offsets' will improve the performance of most
+ * name operations if the name is used more than once.
+ *
+ * Requires:
+ * 'name' is not NULL and points to a struct dns_name.
+ *
+ * offsets == NULL or offsets is a dns_offsets_t.
+ *
+ * Ensures:
+ * 'name' is a valid name.
+ * dns_name_countlabels(name) == 0
+ * dns_name_isabsolute(name) == ISC_FALSE
+ */
+
+void
+dns_name_reset(dns_name_t *name);
+/*
+ * Reinitialize 'name'.
+ *
+ * Notes:
+ * This function distinguishes itself from dns_name_init() in two
+ * key ways:
+ *
+ * + If any buffer is associated with 'name' (via dns_name_setbuffer()
+ * or by being part of a dns_fixedname_t) the link to the buffer
+ * is retained but the buffer itself is cleared.
+ *
+ * + Of the attributes associated with 'name', all are retained except
+ * DNS_NAMEATTR_ABSOLUTE.
+ *
+ * Requires:
+ * 'name' is a valid name.
+ *
+ * Ensures:
+ * 'name' is a valid name.
+ * dns_name_countlabels(name) == 0
+ * dns_name_isabsolute(name) == ISC_FALSE
+ */
+
+void
+dns_name_invalidate(dns_name_t *name);
+/*
+ * Make 'name' invalid.
+ *
+ * Requires:
+ * 'name' is a valid name.
+ *
+ * Ensures:
+ * If assertion checking is enabled, future attempts to use 'name'
+ * without initializing it will cause an assertion failure.
+ *
+ * If the name had a dedicated buffer, that association is ended.
+ */
+
+
+/***
+ *** Dedicated Buffers
+ ***/
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
+/*
+ * Dedicate a buffer for use with 'name'.
+ *
+ * Notes:
+ * Specification of a target buffer in dns_name_fromwire(),
+ * dns_name_fromtext(), and dns_name_concatentate() is optional if
+ * 'name' has a dedicated buffer.
+ *
+ * The caller must not write to buffer until the name has been
+ * invalidated or is otherwise known not to be in use.
+ *
+ * If buffer is NULL and the name previously had a dedicated buffer,
+ * than that buffer is no longer dedicated to use with this name.
+ * The caller is responsible for ensuring that the storage used by
+ * the name remains valid.
+ *
+ * Requires:
+ * 'name' is a valid name.
+ *
+ * 'buffer' is a valid binary buffer and 'name' doesn't have a
+ * dedicated buffer already, or 'buffer' is NULL.
+ */
+
+isc_boolean_t
+dns_name_hasbuffer(const dns_name_t *name);
+/*
+ * Does 'name' have a dedicated buffer?
+ *
+ * Requires:
+ * 'name' is a valid name.
+ *
+ * Returns:
+ * ISC_TRUE 'name' has a dedicated buffer.
+ * ISC_FALSE 'name' does not have a dedicated buffer.
+ */
+
+
+/***
+ *** Properties
+ ***/
+
+isc_boolean_t
+dns_name_isabsolute(const dns_name_t *name);
+/*
+ * Does 'name' end in the root label?
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * Returns:
+ * TRUE The last label in 'name' is the root label.
+ * FALSE The last label in 'name' is not the root label.
+ */
+
+isc_boolean_t
+dns_name_iswildcard(const dns_name_t *name);
+/*
+ * Is 'name' a wildcard name?
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * dns_name_countlabels(name) > 0
+ *
+ * Returns:
+ * TRUE The least significant label of 'name' is '*'.
+ * FALSE The least significant label of 'name' is not '*'.
+ */
+
+unsigned int
+dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+/*
+ * Provide a hash value for 'name'.
+ *
+ * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * Returns:
+ * A hash value
+ */
+
+unsigned int
+dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive);
+/*
+ * Provide a hash value for 'name'. Unlike dns_name_hash(), this function
+ * always takes into account of the entire name to calculate the hash value.
+ *
+ * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * Returns:
+ * A hash value
+ */
+
+unsigned int
+dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
+/*
+ * Provide a hash value for 'name', where the hash value is the sum
+ * of the hash values of each label.
+ *
+ * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
+ * case will have the same hash value.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * Returns:
+ * A hash value
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+ int *orderp, unsigned int *nlabelsp);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2', and also determine the hierarchical
+ * relationship of the names.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * 'name1' is a valid name
+ *
+ * dns_name_countlabels(name1) > 0
+ *
+ * 'name2' is a valid name
+ *
+ * dns_name_countlabels(name2) > 0
+ *
+ * orderp and nlabelsp are valid pointers.
+ *
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Ensures:
+ *
+ * *orderp is < 0 if name1 < name2, 0 if name1 = name2, > 0 if
+ * name1 > name2.
+ *
+ * *nlabelsp is the number of common significant labels.
+ *
+ * Returns:
+ * dns_namereln_none There's no hierarchical relationship
+ * between name1 and name2.
+ * dns_namereln_contains name1 properly contains name2; i.e.
+ * name2 is a proper subdomain of name1.
+ * dns_namereln_subdomain name1 is a proper subdomain of name2.
+ * dns_namereln_equal name1 and name2 are equal.
+ * dns_namereln_commonancestor name1 and name2 share a common
+ * ancestor.
+ */
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2'.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * 'name1' is a valid name
+ *
+ * 'name2' is a valid name
+ *
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * < 0 'name1' is less than 'name2'
+ * 0 'name1' is equal to 'name2'
+ * > 0 'name1' is greater than 'name2'
+ */
+
+isc_boolean_t
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2);
+/*
+ * Are 'name1' and 'name2' equal?
+ *
+ * Notes:
+ * Because it only needs to test for equality, dns_name_equal() can be
+ * significantly faster than dns_name_fullcompare() or dns_name_compare().
+ *
+ * Offsets tables are not used in the comparision.
+ *
+ * It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * 'name1' is a valid name
+ *
+ * 'name2' is a valid name
+ *
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * ISC_TRUE 'name1' and 'name2' are equal
+ * ISC_FALSE 'name1' and 'name2' are not equal
+ */
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2);
+/*
+ * Compare two names as if they are part of rdata in DNSSEC canonical
+ * form.
+ *
+ * Requires:
+ * 'name1' is a valid absolute name
+ *
+ * dns_name_countlabels(name1) > 0
+ *
+ * 'name2' is a valid absolute name
+ *
+ * dns_name_countlabels(name2) > 0
+ *
+ * Returns:
+ * < 0 'name1' is less than 'name2'
+ * 0 'name1' is equal to 'name2'
+ * > 0 'name1' is greater than 'name2'
+ */
+
+isc_boolean_t
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2);
+/*
+ * Is 'name1' a subdomain of 'name2'?
+ *
+ * Notes:
+ * name1 is a subdomain of name2 if name1 is contained in name2, or
+ * name1 equals name2.
+ *
+ * It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * 'name1' is a valid name
+ *
+ * 'name2' is a valid name
+ *
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ *
+ * Returns:
+ * TRUE 'name1' is a subdomain of 'name2'
+ * FALSE 'name1' is not a subdomain of 'name2'
+ */
+
+isc_boolean_t
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname);
+/*
+ * Does 'name' match the wildcard specified in 'wname'?
+ *
+ * Notes:
+ * name matches the wildcard specified in wname if all labels
+ * following the wildcard in wname are identical to the same number
+ * of labels at the end of name.
+ *
+ * It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * dns_name_countlabels(name) > 0
+ *
+ * 'wname' is a valid name
+ *
+ * dns_name_countlabels(wname) > 0
+ *
+ * dns_name_iswildcard(wname) is true
+ *
+ * Either name is absolute and wname is absolute, or neither is.
+ *
+ * Returns:
+ * TRUE 'name' matches the wildcard specified in 'wname'
+ * FALSE 'name' does not match the wildcard specified in 'wname'
+ */
+
+/***
+ *** Labels
+ ***/
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name);
+/*
+ * How many labels does 'name' have?
+ *
+ * Notes:
+ * In this case, as in other places, a 'label' is an ordinary label.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * Ensures:
+ * The result is <= 128.
+ *
+ * Returns:
+ * The number of labels in 'name'.
+ */
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label);
+/*
+ * Make 'label' refer to the 'n'th least significant label of 'name'.
+ *
+ * Notes:
+ * Numbering starts at 0.
+ *
+ * Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ * root label.
+ *
+ * 'label' refers to the same memory as 'name', so 'name' must not
+ * be changed while 'label' is still in use.
+ *
+ * Requires:
+ * n < dns_label_countlabels(name)
+ */
+
+void
+dns_name_getlabelsequence(const dns_name_t *source, unsigned int first,
+ unsigned int n, dns_name_t *target);
+/*
+ * Make 'target' refer to the 'n' labels including and following 'first'
+ * in 'source'.
+ *
+ * Notes:
+ * Numbering starts at 0.
+ *
+ * Given "rc.vix.com.", the label 0 is "rc", and label 3 is the
+ * root label.
+ *
+ * 'target' refers to the same memory as 'source', so 'source'
+ * must not be changed while 'target' is still in use.
+ *
+ * Requires:
+ * 'source' and 'target' are valid names.
+ *
+ * first < dns_label_countlabels(name)
+ *
+ * first + n <= dns_label_countlabels(name)
+ */
+
+
+void
+dns_name_clone(dns_name_t *source, dns_name_t *target);
+/*
+ * Make 'target' refer to the same name as 'source'.
+ *
+ * Notes:
+ *
+ * 'target' refers to the same memory as 'source', so 'source'
+ * must not be changed while 'target' is still in use.
+ *
+ * This call is functionally equivalent to:
+ *
+ * dns_name_getlabelsequence(source, 0,
+ * dns_label_countlabels(source),
+ * target);
+ *
+ * but is more efficient. Also, dns_name_clone() works even if 'source'
+ * is empty.
+ *
+ * Requires:
+ *
+ * 'source' is a valid name.
+ *
+ * 'target' is a valid name that is not read-only.
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r);
+/*
+ * Make 'name' refer to region 'r'.
+ *
+ * Note:
+ * If the conversion encounters a root label before the end of the
+ * region the conversion stops and the length is set to the length
+ * so far converted. A maximum of 255 bytes is converted.
+ *
+ * Requires:
+ * The data in 'r' is a sequence of one or more type 00 or type 01000001
+ * labels.
+ */
+
+void
+dns_name_toregion(dns_name_t *name, isc_region_t *r);
+/*
+ * Make 'r' refer to 'name'.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'r' is a valid region.
+ */
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+ dns_decompress_t *dctx, unsigned int options,
+ isc_buffer_t *target);
+/*
+ * Copy the possibly-compressed name at source (active region) into target,
+ * decompressing it.
+ *
+ * Notes:
+ * Decompression policy is controlled by 'dctx'.
+ *
+ * If DNS_NAME_DOWNCASE is set, any uppercase letters in 'source' will be
+ * downcased when they are copied into 'target'.
+ *
+ * Security:
+ *
+ * *** WARNING ***
+ *
+ * This routine will often be used when 'source' contains raw network
+ * data. A programming error in this routine could result in a denial
+ * of service, or in the hijacking of the server.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'source' is a valid buffer and the first byte of the active
+ * region should be the first byte of a DNS wire format domain name.
+ *
+ * 'target' is a valid buffer or 'target' is NULL and 'name' has
+ * a dedicated buffer.
+ *
+ * 'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ * If result is success:
+ * If 'target' is not NULL, 'name' is attached to it.
+ *
+ * Uppercase letters are downcased in the copy iff
+ * DNS_NAME_DOWNCASE is set in options.
+ *
+ * The current location in source is advanced, and the used space
+ * in target is updated.
+ *
+ * Result:
+ * Success
+ * Bad Form: Label Length
+ * Bad Form: Unknown Label Type
+ * Bad Form: Name Length
+ * Bad Form: Compression type not allowed
+ * Bad Form: Bad compression pointer
+ * Bad Form: Input too short
+ * Resource Limit: Too many compression pointers
+ * Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target);
+/*
+ * Convert 'name' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ * If the compression context allows global compression, then the
+ * global compression table may be updated.
+ *
+ * Requires:
+ * 'name' is a valid name
+ *
+ * dns_name_countlabels(name) > 0
+ *
+ * dns_name_isabsolute(name) == TRUE
+ *
+ * target is a valid buffer.
+ *
+ * Any offsets specified in a global compression table are valid
+ * for buffer.
+ *
+ * Ensures:
+ *
+ * If the result is success:
+ *
+ * The used space in target is updated.
+ *
+ * Returns:
+ * Success
+ * Resource Limit: Not enough space in buffer
+ */
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+ dns_name_t *origin, unsigned int options,
+ isc_buffer_t *target);
+/*
+ * Convert the textual representation of a DNS name at source
+ * into uncompressed wire form stored in target.
+ *
+ * Notes:
+ * Relative domain names will have 'origin' appended to them
+ * unless 'origin' is NULL, in which case relative domain names
+ * will remain relative.
+ *
+ * If DNS_NAME_DOWNCASE is set in 'options', any uppercase letters
+ * in 'source' will be downcased when they are copied into 'target'.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'source' is a valid buffer.
+ *
+ * 'target' is a valid buffer or 'target' is NULL and 'name' has
+ * a dedicated buffer.
+ *
+ * Ensures:
+ *
+ * If result is success:
+ * If 'target' is not NULL, 'name' is attached to it.
+ *
+ * Uppercase letters are downcased in the copy iff
+ * DNS_NAME_DOWNCASE is set in 'options'.
+ *
+ * The current location in source is advanced, and the used space
+ * in target is updated.
+ *
+ * Result:
+ * ISC_R_SUCCESS
+ * DNS_R_EMPTYLABEL
+ * DNS_R_LABELTOOLONG
+ * DNS_R_BADESCAPE
+ * (DNS_R_BADBITSTRING: should not be returned)
+ * (DNS_R_BITSTRINGTOOLONG: should not be returned)
+ * DNS_R_BADDOTTEDQUAD
+ * ISC_R_NOSPACE
+ * ISC_R_UNEXPECTEDEND
+ */
+
+isc_result_t
+dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
+ isc_buffer_t *target);
+/*
+ * Convert 'name' into text format, storing the result in 'target'.
+ *
+ * Notes:
+ * If 'omit_final_dot' is true, then the final '.' in absolute
+ * names other than the root name will be omitted.
+ *
+ * If dns_name_countlabels == 0, the name will be "@", representing the
+ * current origin as described by RFC 1035.
+ *
+ * The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name
+ *
+ * 'target' is a valid buffer.
+ *
+ * if dns_name_isabsolute == FALSE, then omit_final_dot == FALSE
+ *
+ * Ensures:
+ *
+ * If the result is success:
+ *
+ * The used space in target is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ */
+
+#define DNS_NAME_MAXTEXT 1023
+/*
+ * The maximum length of the text representation of a domain
+ * name as generated by dns_name_totext(). This does not
+ * include space for a terminating NULL.
+ *
+ * This definition is conservative - the actual maximum
+ * is 1004, derived as follows:
+ *
+ * A backslash-decimal escaped character takes 4 bytes.
+ * A wire-encoded name can be up to 255 bytes and each
+ * label is one length byte + at most 63 bytes of data.
+ * Maximizing the label lengths gives us a name of
+ * three 63-octet labels, one 61-octet label, and the
+ * root label:
+ *
+ * 1 + 63 + 1 + 63 + 1 + 63 + 1 + 61 + 1 = 255
+ *
+ * When printed, this is (3 * 63 + 61) * 4
+ * bytes for the escaped label data + 4 bytes for the
+ * dot terminating each label = 1004 bytes total.
+ */
+
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
+ isc_buffer_t *target);
+/*
+ * Convert 'name' into an alternate text format appropriate for filenames,
+ * storing the result in 'target'. The name data is downcased, guaranteeing
+ * that the filename does not depend on the case of the converted name.
+ *
+ * Notes:
+ * If 'omit_final_dot' is true, then the final '.' in absolute
+ * names other than the root name will be omitted.
+ *
+ * The name is not NUL terminated.
+ *
+ * Requires:
+ *
+ * 'name' is a valid absolute name
+ *
+ * 'target' is a valid buffer.
+ *
+ * Ensures:
+ *
+ * If the result is success:
+ *
+ * The used space in target is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_name_downcase(dns_name_t *source, dns_name_t *name,
+ isc_buffer_t *target);
+/*
+ * Downcase 'source'.
+ *
+ * Requires:
+ *
+ * 'source' and 'name' are valid names.
+ *
+ * If source == name, then
+ *
+ * 'source' must not be read-only
+ *
+ * Otherwise,
+ *
+ * 'target' is a valid buffer or 'target' is NULL and
+ * 'name' has a dedicated buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ *
+ * Note: if source == name, then the result will always be ISC_R_SUCCESS.
+ */
+
+isc_result_t
+dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix,
+ dns_name_t *name, isc_buffer_t *target);
+/*
+ * Concatenate 'prefix' and 'suffix'.
+ *
+ * Requires:
+ *
+ * 'prefix' is a valid name or NULL.
+ *
+ * 'suffix' is a valid name or NULL.
+ *
+ * 'name' is a valid name or NULL.
+ *
+ * 'target' is a valid buffer or 'target' is NULL and 'name' has
+ * a dedicated buffer.
+ *
+ * If 'prefix' is absolute, 'suffix' must be NULL or the empty name.
+ *
+ * Ensures:
+ *
+ * On success,
+ * If 'target' is not NULL and 'name' is not NULL, then 'name'
+ * is attached to it.
+ *
+ * The used space in target is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ * DNS_R_NAMETOOLONG
+ */
+
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
+ dns_name_t *prefix, dns_name_t *suffix);
+/*
+ *
+ * Split 'name' into two pieces on a label boundary.
+ *
+ * Notes:
+ * 'name' is split such that 'suffix' holds the most significant
+ * 'suffixlabels' labels. All other labels are stored in 'prefix'.
+ *
+ * Copying name data is avoided as much as possible, so 'prefix'
+ * and 'suffix' will end up pointing at the data for 'name'.
+ *
+ * It is legitimate to pass a 'prefix' or 'suffix' that has
+ * its name data stored someplace other than the dedicated buffer.
+ * This is useful to avoid name copying in the calling function.
+ *
+ * It is also legitimate to pass a 'prefix' or 'suffix' that is
+ * the same dns_name_t as 'name'.
+ *
+ * Requires:
+ * 'name' is a valid name.
+ *
+ * 'suffixlabels' cannot exceed the number of labels in 'name'.
+ *
+ * 'prefix' is a valid name or NULL, and cannot be read-only.
+ *
+ * 'suffix' is a valid name or NULL, and cannot be read-only.
+ *
+ * If non-NULL, 'prefix' and 'suffix' must have dedicated buffers.
+ *
+ * 'prefix' and 'suffix' cannot point to the same buffer.
+ *
+ * Ensures:
+ *
+ * On success:
+ * If 'prefix' is not NULL it will contain the least significant
+ * labels.
+ *
+ * If 'suffix' is not NULL it will contain the most significant
+ * labels. dns_name_countlabels(suffix) will be equal to
+ * suffixlabels.
+ *
+ * On failure:
+ * Either 'prefix' or 'suffix' is invalidated (depending
+ * on which one the problem was encountered with).
+ *
+ * Returns:
+ * ISC_R_SUCCESS No worries. (This function should always success).
+ */
+
+isc_result_t
+dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target);
+/*
+ * Make 'target' a dynamically allocated copy of 'source'.
+ *
+ * Requires:
+ *
+ * 'source' is a valid non-empty name.
+ *
+ * 'target' is a valid name that is not read-only.
+ *
+ * 'mctx' is a valid memory context.
+ */
+
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+ dns_name_t *target);
+/*
+ * Make 'target' a read-only dynamically allocated copy of 'source'.
+ * 'target' will also have a dynamically allocated offsets table.
+ *
+ * Requires:
+ *
+ * 'source' is a valid non-empty name.
+ *
+ * 'target' is a valid name that is not read-only.
+ *
+ * 'target' has no offsets table.
+ *
+ * 'mctx' is a valid memory context.
+ */
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx);
+/*
+ * Free 'name'.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name created previously in 'mctx' by dns_name_dup().
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * Ensures:
+ *
+ * All dynamic resources used by 'name' are freed and the name is
+ * invalidated.
+ */
+
+isc_result_t
+dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg);
+/*
+ * Send 'name' in DNSSEC canonical form to 'digest'.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ * If successful, the DNSSEC canonical form of 'name' will have been
+ * sent to 'digest'.
+ *
+ * If digest() returns something other than ISC_R_SUCCESS, that result
+ * will be returned as the result of dns_name_digest().
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Many other results are possible if not successful.
+ *
+ */
+
+isc_boolean_t
+dns_name_dynamic(dns_name_t *name);
+/*
+ * Returns whether there is dynamic memory associated with this name.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * Returns:
+ *
+ * 'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
+ */
+
+isc_result_t
+dns_name_print(dns_name_t *name, FILE *stream);
+/*
+ * Print 'name' on 'stream'.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'stream' is a valid stream.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any error that dns_name_totext() can return.
+ */
+
+void
+dns_name_format(dns_name_t *name, char *cp, unsigned int size);
+/*
+ * Format 'name' as text appropriate for use in log messages.
+ *
+ * Store the formatted name at 'cp', writing no more than
+ * 'size' bytes. The resulting string is guaranteed to be
+ * null terminated.
+ *
+ * The formatted name will have a terminating dot only if it is
+ * the root.
+ *
+ * This function cannot fail, instead any errors are indicated
+ * in the returned text.
+ *
+ * Requires:
+ *
+ * 'name' is a valid name.
+ *
+ * 'cp' points a valid character array of size 'size'.
+ *
+ * 'size' > 0.
+ *
+ */
+
+#define DNS_NAME_FORMATSIZE (DNS_NAME_MAXTEXT + 1)
+/*
+ * Suggested size of buffer passed to dns_name_format().
+ * Includes space for the terminating NULL.
+ */
+
+isc_result_t
+dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target);
+/*
+ * Makes 'dest' refer to a copy of the name in 'source'. The data are
+ * either copied to 'target' or the dedicated buffer in 'dest'.
+ *
+ * Requires:
+ * 'source' is a valid name.
+ *
+ * 'dest' is an initialized name with a dedicated buffer.
+ *
+ * 'target' is NULL or an initialized buffer.
+ *
+ * Either dest has a dedicated buffer or target != NULL.
+ *
+ * Ensures:
+ *
+ * On success, the used space in target is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ */
+
+isc_boolean_t
+dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
+/*
+ * Return if 'name' is a valid hostname. RFC 952 / RFC 1123.
+ * If 'wildcard' is ISC_TRUE then allow the first label of name to
+ * be a wildcard.
+ * The root is also accepted.
+ *
+ * Requires:
+ * 'name' to be valid.
+ */
+
+
+isc_boolean_t
+dns_name_ismailbox(const dns_name_t *name);
+/*
+ * Return if 'name' is a valid mailbox. RFC 821.
+ *
+ * Requires:
+ * 'name' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+/***
+ *** High Peformance Macros
+ ***/
+
+/*
+ * WARNING: Use of these macros by applications may require recompilation
+ * of the application in some situations where calling the function
+ * would not.
+ *
+ * WARNING: No assertion checking is done for these macros.
+ */
+
+#define DNS_NAME_INIT(n, o) \
+do { \
+ (n)->magic = DNS_NAME_MAGIC; \
+ (n)->ndata = NULL; \
+ (n)->length = 0; \
+ (n)->labels = 0; \
+ (n)->attributes = 0; \
+ (n)->offsets = (o); \
+ (n)->buffer = NULL; \
+ ISC_LINK_INIT((n), link); \
+ ISC_LIST_INIT((n)->list); \
+} while (0)
+
+#define DNS_NAME_RESET(n) \
+do { \
+ (n)->ndata = NULL; \
+ (n)->length = 0; \
+ (n)->labels = 0; \
+ (n)->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+ if ((n)->buffer != NULL) \
+ isc_buffer_clear((n)->buffer); \
+} while (0)
+
+#define DNS_NAME_SETBUFFER(n, b) \
+ (n)->buffer = (b)
+
+#define DNS_NAME_ISABSOLUTE(n) \
+ (((n)->attributes & DNS_NAMEATTR_ABSOLUTE) != 0 ? ISC_TRUE : ISC_FALSE)
+
+#define DNS_NAME_COUNTLABELS(n) \
+ ((n)->labels)
+
+#define DNS_NAME_TOREGION(n, r) \
+do { \
+ (r)->base = (n)->ndata; \
+ (r)->length = (n)->length; \
+} while (0)
+
+#define DNS_NAME_SPLIT(n, l, p, s) \
+do { \
+ dns_name_t *_n = (n); \
+ dns_name_t *_p = (p); \
+ dns_name_t *_s = (s); \
+ unsigned int _l = (l); \
+ if (_p != NULL) \
+ dns_name_getlabelsequence(_n, 0, _n->labels - _l, _p); \
+ if (_s != NULL) \
+ dns_name_getlabelsequence(_n, _n->labels - _l, _l, _s); \
+} while (0)
+
+#ifdef DNS_NAME_USEINLINE
+
+#define dns_name_init(n, o) DNS_NAME_INIT(n, o)
+#define dns_name_reset(n) DNS_NAME_RESET(n)
+#define dns_name_setbuffer(n, b) DNS_NAME_SETBUFFER(n, b)
+#define dns_name_countlabels(n) DNS_NAME_COUNTLABELS(n)
+#define dns_name_isabsolute(n) DNS_NAME_ISABSOLUTE(n)
+#define dns_name_toregion(n, r) DNS_NAME_TOREGION(n, r)
+#define dns_name_split(n, l, p, s) DNS_NAME_SPLIT(n, l, p, s)
+
+#endif /* DNS_NAME_USEINLINE */
+
+#endif /* DNS_NAME_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ncache.h b/contrib/bind9/lib/dns/include/dns/ncache.h
new file mode 100644
index 0000000..6bf6003
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/ncache.h
@@ -0,0 +1,158 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ncache.h,v 1.12.12.5 2004/03/08 09:04:37 marka Exp $ */
+
+#ifndef DNS_NCACHE_H
+#define DNS_NCACHE_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Ncache
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ * The caller must ensure any required synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFC 2308
+ */
+
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * _OMITDNSSEC:
+ * Omit DNSSEC records when rendering.
+ */
+#define DNS_NCACHETOWIRE_OMITDNSSEC 0x0001
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdataset_t *addedrdataset);
+/*
+ * Convert the authority data from 'message' into a negative cache
+ * rdataset, and store it in 'cache' at 'node' with a TTL limited to
+ * 'maxttl'.
+ *
+ * The 'covers' argument is the RR type whose nonexistence we are caching,
+ * or dns_rdatatype_any when caching a NXDOMAIN response.
+ *
+ * Note:
+ * If 'addedrdataset' is not NULL, then it will be attached to the added
+ * rdataset. See dns_db_addrdataset() for more details.
+ *
+ * Requires:
+ * 'message' is a valid message with a properly formatting negative cache
+ * authority section.
+ *
+ * The requirements of dns_db_addrdataset() apply to 'cache', 'node',
+ * 'now', and 'addedrdataset'.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ *
+ * Any result code of dns_db_addrdataset() is a possible result code
+ * of dns_ncache_add().
+ */
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+ isc_buffer_t *target, unsigned int options,
+ unsigned int *countp);
+/*
+ * Convert the negative caching rdataset 'rdataset' to wire format,
+ * compressing names as specified in 'cctx', and storing the result in
+ * 'target'. If 'omit_dnssec' is set, DNSSEC records will not
+ * be added to 'target'.
+ *
+ * Notes:
+ * The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ * 'rdataset' is a valid negative caching rdataset.
+ *
+ * 'rdataset' is not empty.
+ *
+ * 'countp' is a valid pointer.
+ *
+ * Ensures:
+ * On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ * for the data contained in 'rdataset'. Any error return leaves
+ * the buffer unchanged.
+ *
+ * *countp has been incremented by the number of RRs added to
+ * target.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - all ok
+ * ISC_R_NOSPACE - 'target' doesn't have enough room
+ *
+ * Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ * dns_name_towire().
+ */
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdataset_t *rdataset);
+/*
+ * Search the negative caching rdataset for an rdataset with the
+ * specified name and type.
+ *
+ * Requires:
+ * 'ncacherdataset' is a valid negative caching rdataset.
+ *
+ * 'ncacherdataset' is not empty.
+ *
+ * 'name' is a valid name.
+ *
+ * 'type' is not SIG, or a meta-RR type.
+ *
+ * 'rdataset' is a valid disassociated rdataset.
+ *
+ * Ensures:
+ * On a return of ISC_R_SUCCESS, 'rdataset' is bound to the found
+ * rdataset.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - the rdataset was found.
+ * ISC_R_NOTFOUND - the rdataset was not found.
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NCACHE_H */
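Review bot: The comment on dns_ncache_towire() describes an 'omit_dnssec' argument that the prototype does not have; the behaviour is selected by the DNS_NCACHETOWIRE_OMITDNSSEC bit in 'options'. I would reword the sentence to `If DNS_NCACHETOWIRE_OMITDNSSEC is set in 'options', DNSSEC records will not be added to 'target'.` The Requires list also omits 'cctx' and 'target', so a caller has to assume they must be valid. Separately, the module header still carries `XXX <TBS> XXX` placeholders and says "Security: No anticipated impact", although dns_ncache_add() builds cache content from a message's authority section, so that claim needs a sentence of justification or a hedge. Since this is a vendor import, these are best reported upstream rather than patched locally.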
diff --git a/contrib/bind9/lib/dns/include/dns/nsec.h b/contrib/bind9/lib/dns/include/dns/nsec.h
new file mode 100644
index 0000000..68a5833
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/nsec.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec.h,v 1.4.2.1 2004/03/08 02:08:00 marka Exp $ */
+
+#ifndef DNS_NSEC_H
+#define DNS_NSEC_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#define DNS_NSEC_BUFFERSIZE (DNS_NAME_MAXWIRE + 8192 + 512)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *target,
+ unsigned char *buffer, dns_rdata_t *rdata);
+/*
+ * Build the rdata of a NSEC record.
+ *
+ * Requires:
+ * buffer Points to a temporary buffer of at least
+ * DNS_NSEC_BUFFERSIZE bytes.
+ * rdata Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ * *rdata Contains a valid NSEC rdata. The 'data' member refers
+ * to 'buffer'.
+ */
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+ dns_name_t *target, dns_ttl_t ttl);
+/*
+ * Build a NSEC record and add it to a database.
+ */
+
+isc_boolean_t
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*
+ * Determine if a type is marked as present in an NSEC record.
+ *
+ * Requires:
+ * 'nsec' points to a valid rdataset of type NSEC
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC_H */
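Review bot: dns_nsec_buildrdata() takes 'buffer' as a bare `unsigned char *` with no length argument, so the DNS_NSEC_BUFFERSIZE requirement in the comment is the only bound on the write, and the function presumably cannot check it. The comment should say so explicitly and recommend declaring the buffer at the call site as `unsigned char buffer[DNS_NSEC_BUFFERSIZE];`. That comment documents only 'buffer' and 'rdata'; requirements for 'db', 'version', 'node' and 'target' and a Returns list are missing, as they are for dns_nsec_build(). In dns_nsec_typepresent() the comment calls 'nsec' an rdataset while the parameter is a `dns_rdata_t *`; `'nsec' points to a valid rdata of type NSEC` matches the prototype.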
diff --git a/contrib/bind9/lib/dns/include/dns/opcode.h b/contrib/bind9/lib/dns/include/dns/opcode.h
new file mode 100644
index 0000000..4d656b8
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/opcode.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: opcode.h,v 1.1.200.3 2004/03/08 09:04:37 marka Exp $ */
+
+#ifndef DNS_OPCODE_H
+#define DNS_OPCODE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target);
+/*
+ * Put a textual representation of error 'opcode' into 'target'.
+ *
+ * Requires:
+ * 'opcode' is a valid opcode.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_OPCODE_H */
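Review bot: The description of dns_opcode_totext() reads "textual representation of error 'opcode'", which looks carried over from a result-code routine; an opcode is not an error, so `Put a textual representation of 'opcode' into 'target'.` is what the prototype supports. The comment also does not say what the caller gets for an opcode value that has no defined mnemonic, which matters when the value comes straight from a received message header. That should be stated once it has been confirmed against the implementation.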
diff --git a/contrib/bind9/lib/dns/include/dns/order.h b/contrib/bind9/lib/dns/include/dns/order.h
new file mode 100644
index 0000000..e28e3ca
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/order.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: order.h,v 1.2.202.3 2004/03/08 09:04:37 marka Exp $ */
+
+#ifndef DNS_ORDER_H
+#define DNS_ORDER_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp);
+/*
+ * Create a order object.
+ *
+ * Requires:
+ * 'orderp' to be non NULL and '*orderp == NULL'.
+ * 'mctx' to be valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+ dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+ unsigned int mode);
+/*
+ * Add a entry to the end of the order list.
+ *
+ * Requires:
+ * 'order' to be valid.
+ * 'name' to be valid.
+ * 'mode' to be one of DNS_RDATASERATTR_RANDOMIZE,
+ * DNS_RDATASERATTR_RANDOMIZE or zero (DNS_RDATASERATTR_CYCLIC).
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+ dns_rdatatype_t rdtype, dns_rdataclass_t rdclass);
+/*
+ * Find the first matching entry on the list.
+ *
+ * Requires:
+ * 'order' to be valid.
+ * 'name' to be valid.
+ *
+ * Returns the mode set by dns_order_add() or zero.
+ */
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target);
+/*
+ * Attach to the 'source' object.
+ *
+ * Requires:
+ * 'source' to be valid.
+ * 'target' to be non NULL and '*target == NULL'.
+ */
+
+void
+dns_order_detach(dns_order_t **orderp);
+/*
+ * Detach from the object. Clean up if last this was the last
+ * reference.
+ *
+ * Requires:
+ * '*orderp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ORDER_H */
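Review bot: The Requires text for 'mode' in dns_order_add() names `DNS_RDATASERATTR_RANDOMIZE` twice and spells the prefix "RDATASERATTR", so the set of accepted values cannot be read from the header. The intended list is presumably `DNS_RDATASETATTR_RANDOMIZE, DNS_RDATASETATTR_FIXEDORDER or zero (DNS_RDATASETATTR_CYCLIC)`; confirm against order.c and dns/rdataset.h before correcting it. dns_order_find() returns zero both for "no matching entry" and for a matching cyclic entry, and the comment should say that callers cannot tell the two apart. In dns_order_detach() the sentence "Clean up if last this was the last reference" should read `Clean up if this was the last reference.`, and the Requires line should also state that 'orderp' itself is non-NULL.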
diff --git a/contrib/bind9/lib/dns/include/dns/peer.h b/contrib/bind9/lib/dns/include/dns/peer.h
new file mode 100644
index 0000000..03f720a
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/peer.h
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: peer.h,v 1.16.2.1.10.3 2004/03/06 08:13:58 marka Exp $ */
+
+#ifndef DNS_PEER_H
+#define DNS_PEER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Data structures for peers (e.g. a 'server' config file statement)
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/netaddr.h>
+
+#include <dns/types.h>
+
+#define DNS_PEERLIST_MAGIC ISC_MAGIC('s','e','R','L')
+#define DNS_PEER_MAGIC ISC_MAGIC('S','E','r','v')
+
+#define DNS_PEERLIST_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_PEERLIST_MAGIC)
+#define DNS_PEER_VALID(ptr) ISC_MAGIC_VALID(ptr, DNS_PEER_MAGIC)
+
+/***
+ *** Types
+ ***/
+
+struct dns_peerlist {
+ unsigned int magic;
+ isc_uint32_t refs;
+
+ isc_mem_t *mem;
+
+ ISC_LIST(dns_peer_t) elements;
+};
+
+struct dns_peer {
+ unsigned int magic;
+ isc_uint32_t refs;
+
+ isc_mem_t *mem;
+
+ isc_netaddr_t address;
+ isc_boolean_t bogus;
+ dns_transfer_format_t transfer_format;
+ isc_uint32_t transfers;
+ isc_boolean_t support_ixfr;
+ isc_boolean_t provide_ixfr;
+ isc_boolean_t request_ixfr;
+ isc_boolean_t support_edns;
+ dns_name_t *key;
+ isc_sockaddr_t *transfer_source;
+
+ isc_uint32_t bitflags;
+
+ ISC_LINK(dns_peer_t) next;
+};
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list);
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target);
+
+void
+dns_peerlist_detach(dns_peerlist_t **list);
+
+/*
+ * After return caller still holds a reference to peer.
+ */
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer);
+
+/*
+ * Ditto. */
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *peers, isc_netaddr_t *addr,
+ dns_peer_t **retval);
+
+/*
+ * What he said.
+ */
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval);
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *ipaddr, dns_peer_t **peer);
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target);
+
+void
+dns_peer_detach(dns_peer_t **list);
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval);
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval);
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval);
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval);
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval);
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval);
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval);
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_PEER_H */
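Review bot: The declarations from `dns_peerlist_new` down to `dns_peer_gettransfersource` carry no Requires/Returns contract, unlike order.h and portlist.h in this same import. The only comments are "Ditto." and "What he said." above `dns_peerlist_peerbyaddr` and `dns_peerlist_currpeer`, which tell a caller nothing once the declarations are read out of order. The missing contract matters most for `dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval)`: the double pointer suggests the name is handed over to the peer, but the header does not say whether `*keyval` is consumed, cleared, or still owned by the caller, which invites a leak or double free. Each function should get a block in the style used elsewhere in lib/dns, stating that 'peer' must satisfy `DNS_PEER_VALID`, who owns `key` and `transfer_source` after the call, and which `isc_result_t` values can come back. Separately, the parameter of `dns_peer_detach(dns_peer_t **list)` looks copied from `dns_peerlist_detach` and would read better as `peer`.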
diff --git a/contrib/bind9/lib/dns/include/dns/portlist.h b/contrib/bind9/lib/dns/include/dns/portlist.h
new file mode 100644
index 0000000..ea672a9
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/portlist.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: portlist.h,v 1.2.84.2 2004/03/06 08:13:58 marka Exp $ */
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
+/*
+ * Create a port list.
+ *
+ * Requires:
+ * 'mctx' to be valid.
+ * 'portlistp' to be non NULL and '*portlistp' to be NULL;
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Add the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ * 'portlist' to be valid.
+ * 'af' to be AF_INET or AF_INET6
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Remove the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ * 'portlist' to be valid.
+ * 'af' to be AF_INET or AF_INET6
+ */
+
+isc_boolean_t
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port);
+/*
+ * Find the given <port,af> tuple to the portlist.
+ *
+ * Requires:
+ * 'portlist' to be valid.
+ * 'af' to be AF_INET or AF_INET6
+ *
+ * Returns
+ * ISC_TRUE if the tuple is found, ISC_FALSE otherwise.
+ */
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp);
+/*
+ * Attach to a port list.
+ *
+ * Requires:
+ * 'portlist' to be valid.
+ * 'portlistp' to be non NULL and '*portlistp' to be NULL;
+ */
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp);
+/*
+ * Detach from a port list.
+ *
+ * Requires:
+ * '*portlistp' to be valid.
+ */
+
+ISC_LANG_ENDDECLS
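Review bot: portlist.h has no include guard, whereas order.h, peer.h and rbt.h in this same import all open with `#ifndef DNS_..._H`. The file holds only prototypes today, so double inclusion is harmless, but a typedef or macro added later would break any translation unit that reaches it twice. Add `#ifndef DNS_PORTLIST_H` and `#define DNS_PORTLIST_H 1` after the `$Id$` line, and close the file with `#endif /* DNS_PORTLIST_H */` after `ISC_LANG_ENDDECLS`. The comments on `dns_portlist_remove` and `dns_portlist_match` also still say "to the portlist", copied from `dns_portlist_add`; they should read "from the portlist" and "in the portlist".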
diff --git a/contrib/bind9/lib/dns/include/dns/rbt.h b/contrib/bind9/lib/dns/include/dns/rbt.h
new file mode 100644
index 0000000..de2d309
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rbt.h
@@ -0,0 +1,835 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbt.h,v 1.55.12.5 2004/03/08 09:04:38 marka Exp $ */
+
+#ifndef DNS_RBT_H
+#define DNS_RBT_H 1
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RBT_USEHASH 1
+
+/*
+ * Option values for dns_rbt_findnode() and dns_rbt_findname().
+ * These are used to form a bitmask.
+ */
+#define DNS_RBTFIND_NOOPTIONS 0x00
+#define DNS_RBTFIND_EMPTYDATA 0x01
+#define DNS_RBTFIND_NOEXACT 0x02
+#define DNS_RBTFIND_NOPREDECESSOR 0x04
+
+/*
+ * These should add up to 30.
+ */
+#define DNS_RBT_LOCKLENGTH 10
+#define DNS_RBT_REFLENGTH 20
+
+#define DNS_RBTNODE_MAGIC ISC_MAGIC('R','B','N','O')
+#if DNS_RBT_USEMAGIC
+#define DNS_RBTNODE_VALID(n) ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#else
+#define DNS_RBTNODE_VALID(n) ISC_TRUE
+#endif
+
+/*
+ * This is the structure that is used for each node in the red/black
+ * tree of trees. NOTE WELL: the implementation manages this as a variable
+ * length structure, with the actual wire-format name and other data
+ * appended to this structure. Allocating a contiguous block of memory for
+ * multiple dns_rbtnode structures will not work.
+ */
+typedef struct dns_rbtnode {
+#if DNS_RBT_USEMAGIC
+ unsigned int magic;
+#endif
+ struct dns_rbtnode *parent;
+ struct dns_rbtnode *left;
+ struct dns_rbtnode *right;
+ struct dns_rbtnode *down;
+#ifdef DNS_RBT_USEHASH
+ struct dns_rbtnode *hashnext;
+#endif
+ /*
+ * The following bitfields add up to a total bitwidth of 32.
+ * The range of values necessary for each item is indicated,
+ * but in the case of "attributes" the field is wider to accomodate
+ * possible future expansion. "offsetlen" could be one bit
+ * narrower by always adjusting its value by 1 to find the real
+ * offsetlen, but doing so does not gain anything (except perhaps
+ * another bit for "attributes", which doesn't yet need any more).
+ *
+ * In each case below the "range" indicated is what's _necessary_ for
+ * the bitfield to hold, not what it actually _can_ hold.
+ */
+ unsigned int is_root : 1; /* range is 0..1 */
+ unsigned int color : 1; /* range is 0..1 */
+ unsigned int find_callback : 1; /* range is 0..1 */
+ unsigned int attributes : 4; /* range is 0..2 */
+ unsigned int namelen : 8; /* range is 1..255 */
+ unsigned int offsetlen : 8; /* range is 1..128 */
+ unsigned int padbytes : 9; /* range is 0..380 */
+
+#ifdef DNS_RBT_USEHASH
+ unsigned int hashval;
+#endif
+
+ /*
+ * These values are used in the RBT DB implementation. The appropriate
+ * node lock must be held before accessing them.
+ */
+ void *data;
+ unsigned int dirty:1;
+ unsigned int wild:1;
+ unsigned int locknum:DNS_RBT_LOCKLENGTH;
+ unsigned int references:DNS_RBT_REFLENGTH;
+} dns_rbtnode_t;
+
+typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
+ dns_name_t *name,
+ void *callback_arg);
+
+/*****
+ ***** Chain Info
+ *****/
+
+/*
+ * A chain is used to keep track of the sequence of nodes to reach any given
+ * node from the root of the tree. Originally nodes did not have parent
+ * pointers in them (for memory usage reasons) so there was no way to find
+ * the path back to the root from any given node. Now that nodes have parent
+ * pointers, chains might be going away in a future release, though the
+ * movement functionality would remain.
+ *
+ * In any event, parent information, whether via parent pointers or chains, is
+ * necessary information for iterating through the tree or for basic internal
+ * tree maintenance issues (ie, the rotations that are done to rebalance the
+ * tree when a node is added). The obvious implication of this is that for a
+ * chain to remain valid, the tree has to be locked down against writes for the
+ * duration of the useful life of the chain, because additions or removals can
+ * change the path from the root to the node the chain has targetted.
+ *
+ * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
+ * dns_name_t parameters for the name and the origin, which can be NULL. If
+ * non-NULL, 'name' will end up pointing to the name data and offsets that are
+ * stored at the node (and thus it will be read-only), so it should be a
+ * regular dns_name_t that has been initialized with dns_name_init. When
+ * 'origin' is non-NULL, it will get the name of the origin stored in it, so it
+ * needs to have its own buffer space and offsets, which is most easily
+ * accomplished with a dns_fixedname_t. It is _not_ necessary to reinitialize
+ * either 'name' or 'origin' between calls to the chain functions.
+ *
+ * NOTE WELL: even though the name data at the root of the tree of trees will
+ * be absolute (typically just "."), it will will be made into a relative name
+ * with an origin of "." -- an empty name when the node is ".". This is
+ * because a common on operation on 'name' and 'origin' is to use
+ * dns_name_concatenate() on them to generate the complete name. An empty name
+ * can be detected when dns_name_countlabels == 0, and is printed by
+ * dns_name_totext()/dns_name_format() as "@", consistent with RFC1035's
+ * definition of "@" as the current origin.
+ *
+ * dns_rbtnodechain_current is similar to the _first, _last, _prev and _next
+ * functions but additionally can provide the node to which the chain points.
+ */
+
+/*
+ * The number of level blocks to allocate at a time. Currently the maximum
+ * number of levels is allocated directly in the structure, but future
+ * revisions of this code might have a static initial block with dynamic
+ * growth. Allocating space for 256 levels when the tree is almost never that
+ * deep is wasteful, but it's not clear that it matters, since the waste is
+ * only 2MB for 1000 concurrently active chains on a system with 64-bit
+ * pointers.
+ */
+#define DNS_RBT_LEVELBLOCK 254
+
+typedef struct dns_rbtnodechain {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ /*
+ * The terminal node of the chain. It is not in levels[].
+ * This is ostensibly private ... but in a pinch it could be
+ * used tell that the chain points nowhere without needing to
+ * call dns_rbtnodechain_current().
+ */
+ dns_rbtnode_t * end;
+ /*
+ * The maximum number of labels in a name is 128; bitstrings mean
+ * a conceptually very large number (which I have not bothered to
+ * compute) of logical levels because splitting can potentially occur
+ * at each bit. However, DNSSEC restricts the number of "logical"
+ * labels in a name to 255, meaning only 254 pointers are needed
+ * in the worst case.
+ */
+ dns_rbtnode_t * levels[DNS_RBT_LEVELBLOCK];
+ /*
+ * level_count indicates how deep the chain points into the
+ * tree of trees, and is the index into the levels[] array.
+ * Thus, levels[level_count - 1] is the last level node stored.
+ * A chain that points to the top level of the tree of trees has
+ * a level_count of 0, the first level has a level_count of 1, and
+ * so on.
+ */
+ unsigned int level_count;
+ /*
+ * level_matches tells how many levels matched above the node
+ * returned by dns_rbt_findnode(). A match (partial or exact) found
+ * in the first level thus results in level_matches being set to 1.
+ * This is used by the rbtdb to set the start point for a recursive
+ * search of superdomains until the RR it is looking for is found.
+ */
+ unsigned int level_matches;
+} dns_rbtnodechain_t;
+
+/*****
+ ***** Public interfaces.
+ *****/
+
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
+ void *deleter_arg, dns_rbt_t **rbtp);
+/*
+ * Initialize a red-black tree of trees.
+ *
+ * Notes:
+ * The deleter argument, if non-null, points to a function that is
+ * responsible for cleaning up any memory associated with the data
+ * pointer of a node when the node is deleted. It is passed the
+ * deleted node's data pointer as its first argument and deleter_arg
+ * as its second argument.
+ *
+ * Requires:
+ * mctx is a pointer to a valid memory context.
+ * rbtp != NULL && *rbtp == NULL
+ * arg == NULL iff deleter == NULL
+ *
+ * Ensures:
+ * If result is ISC_R_SUCCESS:
+ * *rbtp points to a valid red-black tree manager
+ *
+ * If result is failure:
+ * *rbtp does not point to a valid red-black tree manager.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
+/*
+ * Add 'name' to the tree of trees, associated with 'data'.
+ *
+ * Notes:
+ * 'data' is never required to be non-NULL, but specifying it
+ * when the name is added is faster than searching for 'name'
+ * again and then setting the data pointer. The lack of a data pointer
+ * for a node also has other ramifications regarding whether
+ * dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ * joins nodes.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ * dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ * 'name' is not altered in any way.
+ *
+ * Any external references to nodes in the tree are unaffected by
+ * node splits that are necessary to insert the new name.
+ *
+ * If result is ISC_R_SUCCESS:
+ * 'name' is findable in the red/black tree of trees in O(log N).
+ *
+ * The data pointer of the node for 'name' is set to 'data'.
+ *
+ * If result is ISC_R_EXISTS or ISC_R_NOSPACE:
+ * The tree of trees is unaltered.
+ *
+ * If result is ISC_R_NOMEMORY:
+ * No guarantees.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_EXISTS The name already exists with associated data.
+ * ISC_R_NOSPACE The name had more logical labels than are allowed.
+ * ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
+
+/*
+ * Just like dns_rbt_addname, but returns the address of the node.
+ *
+ * Requires:
+ * rbt is a valid rbt structure.
+ * dns_name_isabsolute(name) == TRUE
+ * nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ * 'name' is not altered in any way.
+ *
+ * Any external references to nodes in the tree are unaffected by
+ * node splits that are necessary to insert the new name.
+ *
+ * If result is ISC_R_SUCCESS:
+ * 'name' is findable in the red/black tree of trees in O(log N).
+ *
+ * *nodep is the node that was added for 'name'.
+ *
+ * If result is ISC_R_EXISTS:
+ * The tree of trees is unaltered.
+ *
+ * *nodep is the existing node for 'name'.
+ *
+ * If result is ISC_R_NOMEMORY:
+ * No guarantees.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_EXISTS The name already exists, possibly without data.
+ * ISC_R_NOMEMORY Resource Limit: Out of Memory
+ */
+
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
+ dns_name_t *foundname, void **data);
+/*
+ * Get the data pointer associated with 'name'.
+ *
+ * Notes:
+ * When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ * returned (also subject to DNS_RBTFIND_EMPTYDATA), even when there is
+ * an exact match in the tree.
+ *
+ * A node that has no data is considered not to exist for this function,
+ * unless the DNS_RBTFIND_EMPTYDATA option is set.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ * dns_name_isabsolute(name) == TRUE
+ * data != NULL && *data == NULL
+ *
+ * Ensures:
+ * 'name' and the tree are not altered in any way.
+ *
+ * If result is ISC_R_SUCCESS:
+ * *data is the data associated with 'name'.
+ *
+ * If result is DNS_R_PARTIALMATCH:
+ * *data is the data associated with the deepest superdomain
+ * of 'name' which has data.
+ *
+ * If result is ISC_R_NOTFOUND:
+ * Neither the name nor a superdomain was found with data.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * DNS_R_PARTIALMATCH Superdomain found with data
+ * ISC_R_NOTFOUND No match
+ * ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
+ dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+ unsigned int options, dns_rbtfindcallback_t callback,
+ void *callback_arg);
+/*
+ * Find the node for 'name'.
+ *
+ * Notes:
+ * A node that has no data is considered not to exist for this function,
+ * unless the DNS_RBTFIND_EMPTYDATA option is set. This applies to both
+ * exact matches and partial matches.
+ *
+ * If the chain parameter is non-NULL, then the path through the tree
+ * to the DNSSEC predecessor of the searched for name is maintained,
+ * unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
+ * is used. (For more details on those options, see below.)
+ *
+ * If there is no predecessor, then the chain will point to nowhere, as
+ * indicated by chain->end being NULL or dns_rbtnodechain_current
+ * returning ISC_R_NOTFOUND. Note that in a normal Internet DNS RBT
+ * there will always be a predecessor for all names except the root
+ * name, because '.' will exist and '.' is the predecessor of
+ * everything. But you can certainly construct a trivial tree and a
+ * search for it that has no predecessor.
+ *
+ * Within the chain structure, the 'levels' member of the structure holds
+ * the root node of each level except the first.
+ *
+ * The 'level_count' of the chain indicates how deep the chain to the
+ * predecessor name is, as an index into the 'levels[]' array. It does
+ * not count name elements, per se, but only levels of the tree of trees,
+ * the distinction arrising because multiple labels from a name can be
+ * stored on only one level. It is also does not include the level
+ * that has the node, since that level is not stored in levels[].
+ *
+ * The chain's 'level_matches' is not directly related to the predecessor.
+ * It is the number of levels above the level of the found 'node',
+ * regardless of whether it was a partial match or exact match. When
+ * the node is found in the top level tree, or no node is found at all,
+ * level_matches is 0.
+ *
+ * When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ * returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
+ * there is an exact match in the tree. In this case, the chain
+ * will not point to the DNSSEC predecessor, but will instead point
+ * to the exact match, if there was any. Thus the preceding paragraphs
+ * should have "exact match" substituted for "predecessor" to describe
+ * how the various elements of the chain are set. This was done to
+ * ensure that the chain's state was sane, and to prevent problems that
+ * occurred when running the predecessor location code under conditions
+ * it was not designed for. It is not clear *where* the chain should
+ * point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ * with this option because you want a particular node, let us know
+ * where you want the chain pointed, so this can be made more firm.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ * dns_name_isabsolute(name) == TRUE.
+ * node != NULL && *node == NULL.
+ * DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
+ * exclusive.
+ *
+ * Ensures:
+ * 'name' and the tree are not altered in any way.
+ *
+ * If result is ISC_R_SUCCESS:
+ * *node is the terminal node for 'name'.
+ *
+ * 'foundname' and 'name' represent the same name (though not
+ * the same memory).
+ *
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ * chain->level_matches and chain->level_count are equal.
+ *
+ * If result is DNS_R_PARTIALMATCH:
+ * *node is the data associated with the deepest superdomain
+ * of 'name' which has data.
+ *
+ * 'foundname' is the name of deepest superdomain (which has
+ * data, unless the DNS_RBTFIND_EMPTYDATA option is set).
+ *
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ * If result is ISC_R_NOTFOUND:
+ * Neither the name nor a superdomain was found. *node is NULL.
+ *
+ * 'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *
+ * chain->level_matches is 0.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * DNS_R_PARTIALMATCH Superdomain found with data
+ * ISC_R_NOTFOUND No match, or superdomain with no data
+ * ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ */
+
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
+/*
+ * Delete 'name' from the tree of trees.
+ *
+ * Notes:
+ * When 'name' is removed, if recurse is ISC_TRUE then all of its
+ * subnames are removed too.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ * dns_name_isabsolute(name) == TRUE
+ *
+ * Ensures:
+ * 'name' is not altered in any way.
+ *
+ * Does NOT ensure that any external references to nodes in the tree
+ * are unaffected by node joins.
+ *
+ * If result is ISC_R_SUCCESS:
+ * 'name' does not appear in the tree with data; however,
+ * the node for the name might still exist which can be
+ * found with dns_rbt_findnode (but not dns_rbt_findname).
+ *
+ * If result is ISC_R_NOTFOUND:
+ * 'name' does not appear in the tree with data, because
+ * it did not appear in the tree before the function was called.
+ *
+ * If result is something else:
+ * See result codes for dns_rbt_findnode (if it fails, the
+ * node is not deleted) or dns_rbt_deletenode (if it fails,
+ * the node is deleted, but the tree is not optimized when
+ * it could have been).
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOTFOUND No match
+ * something_else Any return code from dns_rbt_findnode except
+ * DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ * to be returned instead), and any code from
+ * dns_rbt_deletenode.
+ */
+
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
+/*
+ * Delete 'node' from the tree of trees.
+ *
+ * Notes:
+ * When 'node' is removed, if recurse is ISC_TRUE then all nodes
+ * in levels down from it are removed too.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ * node != NULL.
+ *
+ * Ensures:
+ * Does NOT ensure that any external references to nodes in the tree
+ * are unaffected by node joins.
+ *
+ * If result is ISC_R_SUCCESS:
+ * 'node' does not appear in the tree with data; however,
+ * the node might still exist if it serves as a pointer to
+ * a lower tree level as long as 'recurse' was false, hence
+ * the node could can be found with dns_rbt_findnode whem
+ * that function's empty_data_ok parameter is true.
+ *
+ * If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ * The node was deleted, but the tree structure was not
+ * optimized.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
+ * ISC_R_NOSPACE dns_name_concatenate failed when joining nodes.
+ */
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*
+ * Convert the sequence of labels stored at 'node' into a 'name'.
+ *
+ * Notes:
+ * This function does not return the full name, from the root, but
+ * just the labels at the indicated node.
+ *
+ * The name data pointed to by 'name' is the information stored
+ * in the node, not a copy. Altering the data at this pointer
+ * will likely cause grief.
+ *
+ * Requires:
+ * name->offsets == NULL
+ *
+ * Ensures:
+ * 'name' is DNS_NAMEATTR_READONLY.
+ *
+ * 'name' will point directly to the labels stored after the
+ * dns_rbtnode_t struct.
+ *
+ * 'name' will have offsets that also point to the information stored
+ * as part of the node.
+ */
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
+/*
+ * Like dns_rbt_namefromnode, but returns the full name from the root.
+ *
+ * Notes:
+ * Unlike dns_rbt_namefromnode, the name will not point directly
+ * to node data. Rather, dns_name_concatenate will be used to copy
+ * the name data from each node into the 'name' argument.
+ *
+ * Requires:
+ * name != NULL
+ * name has a dedicated buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE (possible via dns_name_concatenate)
+ * DNS_R_NAMETOOLONG (possible via dns_name_concatenate)
+ */
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
+ unsigned int size);
+/*
+ * Format the full name of a node for printing, using dns_name_format().
+ *
+ * Notes:
+ * 'size' is the length of the printname buffer. This should be
+ * DNS_NAME_FORMATSIZE or larger.
+ *
+ * Requires:
+ * node and printname are not NULL.
+ *
+ * Returns:
+ * The 'printname' pointer.
+ */
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt);
+/*
+ * Obtain the number of nodes in the tree of trees.
+ *
+ * Requires:
+ * rbt is a valid rbt manager.
+ */
+
+void
+dns_rbt_destroy(dns_rbt_t **rbtp);
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
+/*
+ * Stop working with a red-black tree of trees. Once dns_rbt_destroy2()
+ * has been called on a 'rbt' only dns_rbt_destroy() or dns_rbt_destroy2()
+ * may be used on the tree. If 'quantum' is zero then the entire tree will
+ * be destroyed.
+ *
+ * Requires:
+ * *rbt is a valid rbt manager.
+ *
+ * Ensures:
+ * All space allocated by the RBT library has been returned.
+ *
+ * *rbt is invalidated as an rbt manager.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ */
+
+void
+dns_rbt_printall(dns_rbt_t *rbt);
+/*
+ * Print an ASCII representation of the internal structure of the red-black
+ * tree of trees.
+ *
+ * Notes:
+ * The name stored at each node, along with the node's color, is printed.
+ * Then the down pointer, left and right pointers are displayed
+ * recursively in turn. NULL down pointers are silently omitted;
+ * NULL left and right pointers are printed.
+ */
+
+/*****
+ ***** Chain Functions
+ *****/
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
+/*
+ * Initialize 'chain'.
+ *
+ * Requires:
+ * 'chain' is a valid pointer.
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * Ensures:
+ * 'chain' is suitable for use.
+ */
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
+/*
+ * Free any dynamic storage associated with 'chain', and then reinitialize
+ * 'chain'.
+ *
+ * Requires:
+ * 'chain' is a valid pointer.
+ *
+ * Ensures:
+ * 'chain' is suitable for use, and uses no dynamic storage.
+ */
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
+/*
+ * Free any dynamic storage associated with 'chain', and then invalidates it.
+ *
+ * Notes:
+ * Future calls to any dns_rbtnodechain_ function will need to call
+ * dns_rbtnodechain_init on the chain first (except, of course,
+ * dns_rbtnodechain_init itself).
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ *
+ * Ensures:
+ * 'chain' is no longer suitable for use, and uses no dynamic storage.
+ */
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin, dns_rbtnode_t **node);
+/*
+ * Provide the name, origin and node to which the chain is currently pointed.
+ *
+ * Notes:
+ * The tree need not have be locked against additions for the chain
+ * to remain valid, however there are no guarantees if any deletion
+ * has been made since the chain was established.
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ *
+ * Ensures:
+ * 'node', if non-NULL, is the node to which the chain was pointed
+ * by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ * If none were called for the chain since it was initialized or reset,
+ * or if the was no predecessor to the name searched for with
+ * dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
+ *
+ * 'name', if non-NULL, is the name stored at the terminal level of
+ * the chain. This is typically a single label, like the "www" of
+ * "www.isc.org", but need not be so. At the root of the tree of trees,
+ * if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ * (Minimalist and atypical case: if the tree has just the name
+ * "isc.org." then the root node's stored name is "isc.org." but 'name'
+ * will be "isc.org".)
+ *
+ * 'origin', if non-NULL, is the sequence of labels in the levels
+ * above the terminal level, such as "isc.org." in the above example.
+ * 'origin' is always "." for the root node.
+ *
+ *
+ * Returns:
+ * ISC_R_SUCCESS name, origin & node were successfully set.
+ * ISC_R_NOTFOUND The chain does not point to any node.
+ * <something_else> Any error return from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+ dns_name_t *name, dns_name_t *origin);
+/*
+ * Set the chain to the lexically first node in the tree of trees.
+ *
+ * Notes:
+ * By the definition of ordering for DNS names, the root of the tree of
+ * trees is the very first node, since everything else in the megatree
+ * uses it as a common suffix.
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ * 'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ * The chain points to the very first node of the tree.
+ *
+ * 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current. Thus 'origin' will always be ".".
+ *
+ * Returns:
+ * DNS_R_NEWORIGIN The name & origin were successfully set.
+ * <something_else> Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+ dns_name_t *name, dns_name_t *origin);
+/*
+ * Set the chain to the lexically last node in the tree of trees.
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ * 'rbt' is a valid rbt manager.
+ *
+ * Ensures:
+ * The chain points to the very last node of the tree.
+ *
+ * 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
+ *
+ * Returns:
+ * DNS_R_NEWORIGIN The name & origin were successfully set.
+ * ISC_R_NOMEMORY Resource Limit: Out of Memory building chain.
+ * <something_else> Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin);
+/*
+ * Adjusts chain to point the DNSSEC predecessor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ * 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ * dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ * since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ * The chain is pointed to the predecessor of its current target.
+ *
+ * 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
+ *
+ * 'origin' is only if a new origin was found.
+ *
+ * Returns:
+ * ISC_R_SUCCESS The predecessor was found and 'name' was set.
+ * DNS_R_NEWORIGIN The predecessor was found with a different
+ * origin and 'name' and 'origin' were set.
+ * ISC_R_NOMORE There was no predecessor.
+ * <something_else> Any error result from dns_rbtnodechain_current.
+ */
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin);
+/*
+ * Adjusts chain to point the DNSSEC successor of the name to which it
+ * is currently pointed.
+ *
+ * Requires:
+ * 'chain' is a valid chain.
+ * 'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ * dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ * dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ * since there may have been no predecessor to the searched for name.
+ *
+ * Ensures:
+ * The chain is pointed to the successor of its current target.
+ *
+ * 'name' and 'origin', if non-NULL, are set as described for
+ * dns_rbtnodechain_current.
+ *
+ * 'origin' is only if a new origin was found.
+ *
+ * Returns:
+ * ISC_R_SUCCESS The successor was found and 'name' was set.
+ * DNS_R_NEWORIGIN The successor was found with a different
+ * origin and 'name' and 'origin' were set.
+ * ISC_R_NOMORE There was no successor.
+ * <something_else> Any error result from dns_name_concatenate.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBT_H */
diff --git a/contrib/bind9/lib/dns/include/dns/rcode.h b/contrib/bind9/lib/dns/include/dns/rcode.h
new file mode 100644
index 0000000..b2494f7
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rcode.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rcode.h,v 1.12.206.1 2004/03/06 08:13:59 marka Exp $ */
+
+#ifndef DNS_RCODE_H
+#define DNS_RCODE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS error value.
+ *
+ * Requires:
+ * 'rcodep' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * DNS_R_UNKNOWN type is unknown
+ */
+
+isc_result_t dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*
+ * Put a textual representation of error 'rcode' into 'target'.
+ *
+ * Requires:
+ * 'rcode' is a valid rcode.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+isc_result_t dns_tsigrcode_fromtext(dns_rcode_t *rcodep,
+ isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a TSIG/TKEY error value.
+ *
+ * Requires:
+ * 'rcodep' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * DNS_R_UNKNOWN type is unknown
+ */
+
+isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
+/*
+ * Put a textual representation of TSIG/TKEY error 'rcode' into 'target'.
+ *
+ * Requires:
+ * 'rcode' is a valid TSIG/TKEY error code.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RCODE_H */
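Review bot: The `Returns:` entries for dns_rcode_fromtext() and dns_tsigrcode_fromtext() both read `DNS_R_UNKNOWN type is unknown`, but what is unknown here is the rcode mnemonic, not an rdata type; `DNS_R_UNKNOWN 'source' is not a known rcode` would describe the result accurately. Neither comment says whether '*rcodep' is left untouched on failure, which matters to a caller that uses the value without checking the result. A one-line `Ensures:` covering the failure case would close that gap, worded after checking the implementation, which is not part of this hunk.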
diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
new file mode 100644
index 0000000..b006b17
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdata.h
@@ -0,0 +1,706 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdata.h,v 1.51.2.3.2.4 2004/03/08 02:08:01 marka Exp $ */
+
+#ifndef DNS_RDATA_H
+#define DNS_RDATA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdata
+ *
+ * Provides facilities for manipulating DNS rdata, including conversions to
+ * and from wire format and text format.
+ *
+ * Given the large amount of rdata possible in a nameserver, it was important
+ * to come up with a very efficient way of storing rdata, but at the same
+ * time allow it to be manipulated.
+ *
+ * The decision was to store rdata in uncompressed wire format,
+ * and not to make it a fully abstracted object; i.e. certain parts of the
+ * server know rdata is stored that way. This saves a lot of memory, and
+ * makes adding rdata to messages easy. Having much of the server know
+ * the representation would be perilous, and we certainly don't want each
+ * user of rdata to be manipulating such a low-level structure. This is
+ * where the rdata module comes in. The module allows rdata handles to be
+ * created and attached to uncompressed wire format regions. All rdata
+ * operations and conversions are done through these handles.
+ *
+ * Implementation Notes:
+ *
+ * The routines in this module are expected to be synthesized by the
+ * build process from a set of source files, one per rdata type. For
+ * portability, it's probably best that the building be done by a C
+ * program. Adding a new rdata type will be a simple matter of adding
+ * a file to a directory and rebuilding the server. *All* knowlege of
+ * the format of a particular rdata type is in this file.
+ *
+ * MP:
+ * Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ * This module deals with low-level byte streams. Errors in any of
+ * the functions are likely to crash the server or corrupt memory.
+ *
+ * Rdata is typed, and the caller must know what type of rdata it has.
+ * A caller that gets this wrong could crash the server.
+ *
+ * The fromstruct() and tostruct() routines use a void * pointer to
+ * represent the structure. The caller must ensure that it passes a
+ * pointer to the appropriate type, or the server could crash or memory
+ * could be corrupted.
+ *
+ * Resources:
+ * None.
+ *
+ * Security:
+ *
+ * *** WARNING ***
+ *
+ * dns_rdata_fromwire() deals with raw network data. An error in
+ * this routine could result in the failure or hijacking of the server.
+ *
+ * Standards:
+ * RFC 1035
+ * Draft EDNS0 (0)
+ * Draft EDNS1 (0)
+ * Draft Binary Labels (2)
+ * Draft Local Compression (1)
+ * <Various RFCs for particular types; these will be documented in the
+ * sources files of the types.>
+ *
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** RData
+ *****
+ ***** An 'rdata' is a handle to a binary region. The handle has an RR
+ ***** class and type, and the data in the binary region is in the format
+ ***** of the given class and type.
+ *****/
+
+/***
+ *** Types
+ ***/
+
+/*
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field which may be used directly for whatever
+ * purpose the client desires.
+ */
+struct dns_rdata {
+ unsigned char * data;
+ unsigned int length;
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t type;
+ unsigned int flags;
+ ISC_LINK(dns_rdata_t) link;
+};
+
+#define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
+
+#define DNS_RDATA_UPDATE 0x0001 /* update pseudo record */
+
+/*
+ * Flags affecting rdata formatting style. Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+ */
+
+/* Split the rdata into multiple lines to try to keep it
+ within the "width". */
+#define DNS_STYLEFLAG_MULTILINE 0x00000001U
+
+/* Output explanatory comments. */
+#define DNS_STYLEFLAG_COMMENT 0x00000002U
+
+#define DNS_RDATA_DOWNCASE DNS_NAME_DOWNCASE
+#define DNS_RDATA_CHECKNAMES DNS_NAME_CHECKNAMES
+#define DNS_RDATA_CHECKNAMESFAIL DNS_NAME_CHECKNAMESFAIL
+#define DNS_RDATA_CHECKREVERSE DNS_NAME_CHECKREVERSE
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata);
+/*
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ * 'rdata' is a valid rdata (i.e. not NULL, points to a struct dns_rdata)
+ */
+
+void
+dns_rdata_reset(dns_rdata_t *rdata);
+/*
+ * Make 'rdata' empty.
+ *
+ * Requires:
+ * 'rdata' is a previously initialized rdata and is not linked.
+ */
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target);
+/*
+ * Clone 'target' from 'src'.
+ *
+ * Requires:
+ * 'src' to be initialized.
+ * 'target' to be initialized.
+ */
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2);
+/*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'rdata1' and 'rdata2'.
+ *
+ * Requires:
+ *
+ * 'rdata1' is a valid, non-empty rdata
+ *
+ * 'rdata2' is a valid, non-empty rdata
+ *
+ * Returns:
+ * < 0 'rdata1' is less than 'rdata2'
+ * 0 'rdata1' is equal to 'rdata2'
+ * > 0 'rdata1' is greater than 'rdata2'
+ */
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_region_t *r);
+/*
+ * Make 'rdata' refer to region 'r'.
+ *
+ * Requires:
+ *
+ * The data in 'r' is properly formatted for whatever type it is.
+ */
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r);
+/*
+ * Make 'r' refer to 'rdata'.
+ */
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_buffer_t *source,
+ dns_decompress_t *dctx, unsigned int options,
+ isc_buffer_t *target);
+/*
+ * Copy the possibly-compressed rdata at source into the target region.
+ *
+ * Notes:
+ * Name decompression policy is controlled by 'dctx'.
+ *
+ * 'options'
+ * DNS_RDATA_DOWNCASE downcase domain names when they are copied
+ * into target.
+ *
+ * Requires:
+ *
+ * 'rdclass' and 'type' are valid.
+ *
+ * 'source' is a valid buffer, and the active region of 'source'
+ * references the rdata to be processed.
+ *
+ * 'target' is a valid buffer.
+ *
+ * 'dctx' is a valid decompression context.
+ *
+ * Ensures:
+ *
+ * If result is success:
+ * If 'rdata' is not NULL, it is attached to the target.
+ *
+ * The conditions dns_name_fromwire() ensures for names hold
+ * for all names in the rdata.
+ *
+ * The current location in source is advanced, and the used space
+ * in target is updated.
+ *
+ * Result:
+ * Success
+ * <Any non-success status from dns_name_fromwire()>
+ * <Various 'Bad Form' class failures depending on class and type>
+ * Bad Form: Input too short
+ * Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+ isc_buffer_t *target);
+/*
+ * Convert 'rdata' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ * If the compression context allows global compression, then the
+ * global compression table may be updated.
+ *
+ * Requires:
+ * 'rdata' is a valid, non-empty rdata
+ *
+ * target is a valid buffer
+ *
+ * Any offsets specified in a global compression table are valid
+ * for target.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in target is updated.
+ *
+ * Returns:
+ * Success
+ * <Any non-success status from dns_name_towire()>
+ * Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_lex_t *lexer, dns_name_t *origin,
+ unsigned int options, isc_mem_t *mctx,
+ isc_buffer_t *target, dns_rdatacallbacks_t *callbacks);
+/*
+ * Convert the textual representation of a DNS rdata into uncompressed wire
+ * form stored in the target region. Tokens constituting the text of the rdata
+ * are taken from 'lexer'.
+ *
+ * Notes:
+ * Relative domain names in the rdata will have 'origin' appended to them.
+ * A NULL origin implies "origin == dns_rootname".
+ *
+ *
+ * 'options'
+ * DNS_RDATA_DOWNCASE downcase domain names when they are copied
+ * into target.
+ * DNS_RDATA_CHECKNAMES perform checknames checks.
+ * DNS_RDATA_CHECKNAMESFAIL fail if the checknames check fail. If
+ * not set a warning will be issued.
+ * DNS_RDATA_CHECKREVERSE this should set if the owner name ends
+ * in IP6.ARPA, IP6.INT or IN-ADDR.ARPA.
+ *
+ * Requires:
+ *
+ * 'rdclass' and 'type' are valid.
+ *
+ * 'lexer' is a valid isc_lex_t.
+ *
+ * 'mctx' is a valid isc_mem_t.
+ *
+ * 'target' is a valid region.
+ *
+ * 'origin' if non NULL it must be absolute.
+ *
+ * 'callbacks' to be NULL or callbacks->warn and callbacks->error be
+ * initialized.
+ *
+ * Ensures:
+ * If result is success:
+ * If 'rdata' is not NULL, it is attached to the target.
+ *
+ * The conditions dns_name_fromtext() ensures for names hold
+ * for all names in the rdata.
+ *
+ * The used space in target is updated.
+ *
+ * Result:
+ * Success
+ * <Translated result codes from isc_lex_gettoken>
+ * <Various 'Bad Form' class failures depending on class and type>
+ * Bad Form: Input too short
+ * Resource Limit: Not enough space
+ * Resource Limit: Not enough memory
+ */
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
+/*
+ * Convert 'rdata' into text format, storing the result in 'target'.
+ * The text will consist of a single line, with fields separated by
+ * single spaces.
+ *
+ * Notes:
+ * If 'origin' is not NULL, then any names in the rdata that are
+ * subdomains of 'origin' will be made relative it.
+ *
+ * XXX Do we *really* want to support 'origin'? I'm inclined towards "no"
+ * at the moment.
+ *
+ * Requires:
+ *
+ * 'rdata' is a valid, non-empty rdata
+ *
+ * 'origin' is NULL, or is a valid name
+ *
+ * 'target' is a valid text buffer
+ *
+ * Ensures:
+ * If the result is success:
+ *
+ * The used space in target is updated.
+ *
+ * Returns:
+ * Success
+ * <Any non-success status from dns_name_totext()>
+ * Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
+ unsigned int width, char *linebreak, isc_buffer_t *target);
+/*
+ * Like dns_rdata_totext, but do formatted output suitable for
+ * database dumps. This is intended for use by dns_db_dump();
+ * library users are discouraged from calling it directly.
+ *
+ * If (flags & DNS_STYLEFLAG_MULTILINE) != 0, attempt to stay
+ * within 'width' by breaking the text into multiple lines.
+ * The string 'linebreak' is inserted between lines, and parentheses
+ * are added when necessary. Because RRs contain unbreakable elements
+ * such as domain names whose length is variable, unpredictable, and
+ * potentially large, there is no guarantee that the lines will
+ * not exceed 'width' anyway.
+ *
+ * If (flags & DNS_STYLEFLAG_MULTILINE) == 0, the rdata is always
+ * printed as a single line, and no parentheses are used.
+ * The 'width' and 'linebreak' arguments are ignored.
+ *
+ * If (flags & DNS_STYLEFLAG_COMMENT) != 0, output explanatory
+ * comments next to things like the SOA timer fields. Some
+ * comments (e.g., the SOA ones) are only printed when multiline
+ * output is selected.
+ */
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, void *source, isc_buffer_t *target);
+/*
+ * Convert the C structure representation of an rdata into uncompressed wire
+ * format in 'target'.
+ *
+ * XXX Should we have a 'size' parameter as a sanity check on target?
+ *
+ * Requires:
+ *
+ * 'rdclass' and 'type' are valid.
+ *
+ * 'source' points to a valid C struct for the class and type.
+ *
+ * 'target' is a valid buffer.
+ *
+ * All structure pointers to memory blocks should be NULL if their
+ * corresponding length values are zero.
+ *
+ * Ensures:
+ * If result is success:
+ * If 'rdata' is not NULL, it is attached to the target.
+ *
+ * The used space in 'target' is updated.
+ *
+ * Result:
+ * Success
+ * <Various 'Bad Form' class failures depending on class and type>
+ * Resource Limit: Not enough space
+ */
+
+isc_result_t
+dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
+/*
+ * Convert an rdata into its C structure representation.
+ *
+ * If 'mctx' is NULL then 'rdata' must persist while 'target' is being used.
+ *
+ * If 'mctx' is non NULL then memory will be allocated if required.
+ *
+ * Requires:
+ *
+ * 'rdata' is a valid, non-empty rdata.
+ *
+ * 'target' to point to a valid pointer for the type and class.
+ *
+ * Result:
+ * Success
+ * Resource Limit: Not enough memory
+ */
+
+void
+dns_rdata_freestruct(void *source);
+/*
+ * Free dynamic memory attached to 'source' (if any).
+ *
+ * Requires:
+ *
+ * 'source' to point to the structure previously filled in by
+ * dns_rdata_tostruct().
+ */
+
+isc_boolean_t
+dns_rdatatype_ismeta(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is a meta-type
+ * like ANY or AXFR.
+ */
+
+isc_boolean_t
+dns_rdatatype_issingleton(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is a singleton type,
+ * like CNAME or SOA.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass);
+/*
+ * Return true iff the rdata class 'rdclass' is a meta-class
+ * like ANY or NONE.
+ */
+
+isc_boolean_t
+dns_rdatatype_isdnssec(dns_rdatatype_t type);
+/*
+ * Return true iff 'type' is one of the DNSSEC
+ * rdata types that may exist alongside a CNAME record.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ */
+
+isc_boolean_t
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' is considered authoritative
+ * data (not glue) in the NSEC chain when it occurs in the parent zone
+ * at a zone cut.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t
+dns_rdatatype_isknown(dns_rdatatype_t type);
+/*
+ * Return true iff the rdata type 'type' is known.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+ void *arg);
+/*
+ * Call 'add' for each name and type from 'rdata' which is subject to
+ * additional section processing.
+ *
+ * Requires:
+ *
+ * 'rdata' is a valid, non-empty rdata.
+ *
+ * 'add' is a valid dns_additionalfunc_t.
+ *
+ * Ensures:
+ *
+ * If successful, then add() will have been called for each name
+ * and type subject to additional section processing.
+ *
+ * If add() returns something other than ISC_R_SUCCESS, that result
+ * will be returned as the result of dns_rdata_additionaldata().
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Many other results are possible if not successful.
+ */
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg);
+/*
+ * Send 'rdata' in DNSSEC canonical form to 'digest'.
+ *
+ * Note:
+ * 'digest' may be called more than once by dns_rdata_digest(). The
+ * concatenation of all the regions, in the order they were given
+ * to 'digest', will be the DNSSEC canonical form of 'rdata'.
+ *
+ * Requires:
+ *
+ * 'rdata' is a valid, non-empty rdata.
+ *
+ * 'digest' is a valid dns_digestfunc_t.
+ *
+ * Ensures:
+ *
+ * If successful, then all of the rdata's data has been sent, in
+ * DNSSEC canonical form, to 'digest'.
+ *
+ * If digest() returns something other than ISC_R_SUCCESS, that result
+ * will be returned as the result of dns_rdata_digest().
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Many other results are possible if not successful.
+ */
+
+isc_boolean_t
+dns_rdatatype_questiononly(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' can only appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t
+dns_rdatatype_notquestion(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' can not appear in the question
+ * section of a properly formatted message.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+isc_boolean_t
+dns_rdatatype_atparent(dns_rdatatype_t type);
+/*
+ * Return true iff rdata of type 'type' should appear at the parent of
+ * a zone cut.
+ *
+ * Requires:
+ * 'type' is a valid rdata type.
+ *
+ */
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t rdtype);
+/*
+ * Return attributes for the given type.
+ *
+ * Requires:
+ * 'rdtype' are known.
+ *
+ * Returns:
+ * a bitmask consisting of the following flags.
+ */
+
+/* only one may exist for a name */
+#define DNS_RDATATYPEATTR_SINGLETON 0x00000001U
+/* requires no other data be present */
+#define DNS_RDATATYPEATTR_EXCLUSIVE 0x00000002U
+/* Is a meta type */
+#define DNS_RDATATYPEATTR_META 0x00000004U
+/* Is a DNSSEC type, like RRSIG or NSEC */
+#define DNS_RDATATYPEATTR_DNSSEC 0x00000008U
+/* Is a zone cut authority type */
+#define DNS_RDATATYPEATTR_ZONECUTAUTH 0x00000010U
+/* Is reserved (unusable) */
+#define DNS_RDATATYPEATTR_RESERVED 0x00000020U
+/* Is an unknown type */
+#define DNS_RDATATYPEATTR_UNKNOWN 0x00000040U
+/* Is META, and can only be in a question section */
+#define DNS_RDATATYPEATTR_QUESTIONONLY 0x00000080U
+/* is META, and can NOT be in a question section */
+#define DNS_RDATATYPEATTR_NOTQUESTION 0x00000100U
+/* Is present at zone cuts in the parent, not the child */
+#define DNS_RDATATYPEATTR_ATPARENT 0x00000200U
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata);
+/*
+ * Return the rdatatype that this type covers.
+ *
+ * Requires:
+ * 'rdata' is a valid, non-empty rdata.
+ *
+ * 'rdata' is a type that covers other rdata types.
+ *
+ * Returns:
+ * The type covered.
+ */
+
+isc_boolean_t
+dns_rdata_checkowner(dns_name_t* name, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_boolean_t wildcard);
+/*
+ * Returns whether this is a valid ownername for this <type,class>.
+ * If wildcard is true allow the first label to be a wildcard if
+ * appropriate.
+ *
+ * Requires:
+ * 'name' is a valid name.
+ */
+
+isc_boolean_t
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad);
+/*
+ * Returns whether 'rdata' contains valid domain names. The checks are
+ * sensitive to the owner name.
+ *
+ * If 'bad' is non-NULL and a domain name fails the check the
+ * the offending name will be return in 'bad' by cloning from
+ * the 'rdata' contents.
+ *
+ * Requires:
+ * 'rdata' to be valid.
+ * 'owner' to be valid.
+ * 'bad' to be NULL or valid.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATA_H */
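Review bot: dns_rdata_fromwire() is the routine the module header singles out under `Security:` as handling raw network data, yet its `Ensures:` block describes only the success case. A caller that gets a failure on untrusted input cannot tell from this header whether the current position of 'source' and the used space of 'target' are rolled back or left partly advanced, or whether 'rdata' may have been modified. I would add an `If result is not success:` paragraph stating this, after confirming the behaviour in the implementation (outside this hunk), and say which `options` bits besides DNS_RDATA_DOWNCASE are honoured or ignored. dns_rdata_tofmttext() has no `Requires:` or `Returns:` section at all, so its out-of-space result is likewise undocumented.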
diff --git a/contrib/bind9/lib/dns/include/dns/rdataclass.h b/contrib/bind9/lib/dns/include/dns/rdataclass.h
new file mode 100644
index 0000000..359a2be
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdataclass.h
@@ -0,0 +1,79 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdataclass.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
+
+#ifndef DNS_RDATACLASS_H
+#define DNS_RDATACLASS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS class.
+ *
+ * Requires:
+ * 'classp' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * DNS_R_UNKNOWN class is unknown
+ */
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target);
+/*
+ * Put a textual representation of class 'rdclass' into 'target'.
+ *
+ * Requires:
+ * 'rdclass' is a valid class.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass,
+ char *array, unsigned int size);
+/*
+ * Format a human-readable representation of the class 'rdclass'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATACLASS_FORMATSIZE sizeof("CLASS65535")
+/*
+ * Minimum size of array to pass to dns_rdataclass_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATACLASS_H */
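Review bot: dns_rdataclass_format() promises a null-terminated string but has no `Requires:` section, so the only statement about 'size' is the comment under DNS_RDATACLASS_FORMATSIZE further down. The header does not say what happens when 'size' is 0 or smaller than DNS_RDATACLASS_FORMATSIZE, and the termination guarantee cannot hold for a zero-length array. I would add `Requires: 'array' points to at least 'size' bytes and 'size' > 0`, plus one sentence on whether a short buffer truncates the output or trips an assertion, worded to match the implementation, which this hunk does not show.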
diff --git a/contrib/bind9/lib/dns/include/dns/rdatalist.h b/contrib/bind9/lib/dns/include/dns/rdatalist.h
new file mode 100644
index 0000000..a846c89
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdatalist.h
@@ -0,0 +1,104 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatalist.h,v 1.13.206.1 2004/03/06 08:13:59 marka Exp $ */
+
+#ifndef DNS_RDATALIST_H
+#define DNS_RDATALIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdatalist
+ *
+ * A DNS rdatalist is a list of rdata of a common type and class.
+ *
+ * MP:
+ * Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/*
+ * Clients may use this type directly.
+ */
+struct dns_rdatalist {
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t type;
+ dns_rdatatype_t covers;
+ dns_ttl_t ttl;
+ ISC_LIST(dns_rdata_t) rdata;
+ ISC_LINK(dns_rdatalist_t) link;
+};
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist);
+/*
+ * Initialize rdatalist.
+ *
+ * Ensures:
+ * All fields of rdatalist have been initialized to their default
+ * values.
+ */
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
+ dns_rdataset_t *rdataset);
+/*
+ * Make 'rdataset' refer to the rdata in 'rdatalist'.
+ *
+ * Note:
+ * The caller must ensure that 'rdatalist' remains valid and unchanged
+ * while 'rdataset' is associated with it.
+ *
+ * Requires:
+ *
+ * 'rdatalist' is a valid rdatalist.
+ *
+ * 'rdataset' is a valid rdataset that is not currently associated with
+ * any rdata.
+ *
+ * Ensures:
+ * On success,
+ *
+ * 'rdataset' is associated with the rdata in rdatalist.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_H */
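Review bot: The lifetime note on dns_rdatalist_tordataset() covers only 'rdatalist' itself, while the list links dns_rdata_t elements that, per rdata.h in this same import, are handles to binary regions stored elsewhere. Since the function makes 'rdataset' refer to that rdata rather than copy it, releasing a linked rdata or its region while the rdataset is still associated would presumably leave a dangling reference. That sits oddly beside the module header's `Security: No anticipated impact`. I would extend the note with `The rdata linked on 'rdatalist', and the regions they refer to, must also remain valid and unchanged.` dns_rdatalist_init() also lacks a `Requires:` line stating that 'rdatalist' is a valid pointer.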
diff --git a/contrib/bind9/lib/dns/include/dns/rdataset.h b/contrib/bind9/lib/dns/include/dns/rdataset.h
new file mode 100644
index 0000000..e2b0753
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdataset.h
@@ -0,0 +1,468 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdataset.h,v 1.41.2.5.2.6 2004/03/08 02:08:01 marka Exp $ */
+
+#ifndef DNS_RDATASET_H
+#define DNS_RDATASET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdataset
+ *
+ * A DNS rdataset is a handle that can be associated with a collection of
+ * rdata all having a common owner name, class, and type.
+ *
+ * The dns_rdataset_t type is like a "virtual class". To actually use
+ * rdatasets, an implementation of the method suite (e.g. "slabbed rdata") is
+ * required.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ * Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dns_rdatasetmethods {
+ void (*disassociate)(dns_rdataset_t *rdataset);
+ isc_result_t (*first)(dns_rdataset_t *rdataset);
+ isc_result_t (*next)(dns_rdataset_t *rdataset);
+ void (*current)(dns_rdataset_t *rdataset,
+ dns_rdata_t *rdata);
+ void (*clone)(dns_rdataset_t *source,
+ dns_rdataset_t *target);
+ unsigned int (*count)(dns_rdataset_t *rdataset);
+ isc_result_t (*addnoqname)(dns_rdataset_t *rdataset,
+ dns_name_t *name);
+ isc_result_t (*getnoqname)(dns_rdataset_t *rdataset,
+ dns_name_t *name,
+ dns_rdataset_t *nsec,
+ dns_rdataset_t *nsecsig);
+} dns_rdatasetmethods_t;
+
+#define DNS_RDATASET_MAGIC ISC_MAGIC('D','N','S','R')
+#define DNS_RDATASET_VALID(set) ISC_MAGIC_VALID(set, DNS_RDATASET_MAGIC)
+
+/*
+ * Direct use of this structure by clients is strongly discouraged, except
+ * for the 'link' field which may be used however the client wishes. The
+ * 'private', 'current', and 'index' fields MUST NOT be changed by clients.
+ * rdataset implementations may change any of the fields.
+ */
+struct dns_rdataset {
+ unsigned int magic; /* XXX ? */
+ dns_rdatasetmethods_t * methods;
+ ISC_LINK(dns_rdataset_t) link;
+ /*
+ * XXX do we need these, or should they be retrieved by methods?
+ * Leaning towards the latter, since they are not frequently required
+ * once you have the rdataset.
+ */
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t type;
+ dns_ttl_t ttl;
+ dns_trust_t trust;
+ dns_rdatatype_t covers;
+ /*
+ * attributes
+ */
+ unsigned int attributes;
+ /*
+ * the counter provides the starting point in the "cyclic" order.
+ * The value ISC_UINT32_MAX has a special meaning of "picking up a
+ * random value." in order to take care of databases that do not
+ * increment the counter.
+ */
+ isc_uint32_t count;
+ /*
+ * These are for use by the rdataset implementation, and MUST NOT
+ * be changed by clients.
+ */
+ void * private1;
+ void * private2;
+ void * private3;
+ unsigned int privateuint4;
+ void * private5;
+ void * private6;
+};
+
+/*
+ * _RENDERED:
+ * Used by message.c to indicate that the rdataset was rendered.
+ *
+ * _TTLADJUSTED:
+ * Used by message.c to indicate that the rdataset's rdata had differing
+ * TTL values, and the rdataset->ttl holds the smallest.
+ */
+#define DNS_RDATASETATTR_QUESTION 0x0001
+#define DNS_RDATASETATTR_RENDERED 0x0002 /* Used by message.c */
+#define DNS_RDATASETATTR_ANSWERED 0x0004 /* Used by server. */
+#define DNS_RDATASETATTR_CACHE 0x0008 /* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWER 0x0010 /* Used by resolver. */
+#define DNS_RDATASETATTR_ANSWERSIG 0x0020 /* Used by resolver. */
+#define DNS_RDATASETATTR_EXTERNAL 0x0040 /* Used by resolver. */
+#define DNS_RDATASETATTR_NCACHE 0x0080 /* Used by resolver. */
+#define DNS_RDATASETATTR_CHAINING 0x0100 /* Used by resolver. */
+#define DNS_RDATASETATTR_TTLADJUSTED 0x0200 /* Used by message.c */
+#define DNS_RDATASETATTR_FIXEDORDER 0x0400
+#define DNS_RDATASETATTR_RANDOMIZE 0x0800
+#define DNS_RDATASETATTR_CHASE 0x1000 /* Used by resolver. */
+#define DNS_RDATASETATTR_NXDOMAIN 0x2000
+#define DNS_RDATASETATTR_NOQNAME 0x4000
+#define DNS_RDATASETATTR_CHECKNAMES 0x8000 /* Used by resolver. */
+
+/*
+ * _OMITDNSSEC:
+ * Omit DNSSEC records when rendering ncache records.
+ */
+#define DNS_RDATASETTOWIRE_OMITDNSSEC 0x0001
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset);
+/*
+ * Make 'rdataset' a valid, disassociated rdataset.
+ *
+ * Requires:
+ * 'rdataset' is not NULL.
+ *
+ * Ensures:
+ * 'rdataset' is a valid, disassociated rdataset.
+ */
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset);
+/*
+ * Invalidate 'rdataset'.
+ *
+ * Requires:
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ * If assertion checking is enabled, future attempts to use 'rdataset'
+ * without initializing it will cause an assertion failure.
+ */
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset);
+/*
+ * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+ *
+ * Notes:
+ * The client must ensure it has no references to rdata in the rdataset
+ * before disassociating.
+ *
+ * Requires:
+ * 'rdataset' is a valid, associated rdataset.
+ *
+ * Ensures:
+ * 'rdataset' is a valid, disassociated rdataset.
+ */
+
+isc_boolean_t
+dns_rdataset_isassociated(dns_rdataset_t *rdataset);
+/*
+ * Is 'rdataset' associated?
+ *
+ * Requires:
+ * 'rdataset' is a valid rdataset.
+ *
+ * Returns:
+ * ISC_TRUE 'rdataset' is associated.
+ * ISC_FALSE 'rdataset' is not associated.
+ */
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type);
+/*
+ * Make 'rdataset' a valid, associated, question rdataset, with a
+ * question class of 'rdclass' and type 'type'.
+ *
+ * Notes:
+ * Question rdatasets have a class and type, but no rdata.
+ *
+ * Requires:
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ * 'rdataset' is a valid, associated, question rdataset.
+ */
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+/*
+ * Make 'target' refer to the same rdataset as 'source'.
+ *
+ * Requires:
+ * 'source' is a valid, associated rdataset.
+ *
+ * 'target' is a valid, dissociated rdataset.
+ *
+ * Ensures:
+ * 'target' references the same rdataset as 'source'.
+ */
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset);
+/*
+ * Return the number of records in 'rdataset'.
+ *
+ * Requires:
+ * 'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ * The number of records in 'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset);
+/*
+ * Move the rdata cursor to the first rdata in the rdataset (if any).
+ *
+ * Requires:
+ * 'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no rdata in the set.
+ */
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset);
+/*
+ * Move the rdata cursor to the next rdata in the rdataset (if any).
+ *
+ * Requires:
+ * 'rdataset' is a valid, associated rdataset.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no more rdata in the set.
+ */
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+/*
+ * Make 'rdata' refer to the current rdata.
+ *
+ * Notes:
+ *
+ * The data returned in 'rdata' is valid for the life of the
+ * rdataset; in particular, subsequent changes in the cursor position
+ * do not invalidate 'rdata'.
+ *
+ * Requires:
+ * 'rdataset' is a valid, associated rdataset.
+ *
+ * The rdata cursor of 'rdataset' is at a valid location (i.e. the
+ * result of last call to a cursor movement command was ISC_R_SUCCESS).
+ *
+ * Ensures:
+ * 'rdata' refers to the rdata at the rdata cursor location of
+ * 'rdataset'.
+ */
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ isc_boolean_t omit_final_dot,
+ isc_boolean_t question,
+ isc_buffer_t *target);
+/*
+ * Convert 'rdataset' to text format, storing the result in 'target'.
+ *
+ * Notes:
+ * The rdata cursor position will be changed.
+ *
+ * The 'question' flag should normally be ISC_FALSE. If it is
+ * ISC_TRUE, the TTL and rdata fields are not printed. This is
+ * for use when printing an rdata representing a question section.
+ *
+ * This interface is deprecated; use dns_master_rdatasettottext()
+ * and/or dns_master_questiontotext() instead.
+ *
+ * Requires:
+ * 'rdataset' is a valid rdataset.
+ *
+ * 'rdataset' is not empty.
+ */
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ unsigned int options,
+ unsigned int *countp);
+/*
+ * Convert 'rdataset' to wire format, compressing names as specified
+ * in 'cctx', and storing the result in 'target'.
+ *
+ * Notes:
+ * The rdata cursor position will be changed.
+ *
+ * The number of RRs added to target will be added to *countp.
+ *
+ * Requires:
+ * 'rdataset' is a valid rdataset.
+ *
+ * 'rdataset' is not empty.
+ *
+ * 'countp' is a valid pointer.
+ *
+ * Ensures:
+ * On a return of ISC_R_SUCCESS, 'target' contains a wire format
+ * for the data contained in 'rdataset'. Any error return leaves
+ * the buffer unchanged.
+ *
+ * *countp has been incremented by the number of RRs added to
+ * target.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - all ok
+ * ISC_R_NOSPACE - 'target' doesn't have enough room
+ *
+ * Any error returned by dns_rdata_towire(), dns_rdataset_next(),
+ * dns_name_towire().
+ */
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ dns_rdatasetorderfunc_t order,
+ void *order_arg,
+ unsigned int options,
+ unsigned int *countp);
+/*
+ * Like dns_rdataset_towire(), but sorting the rdatasets according to
+ * the integer value returned by 'order' when called witih the rdataset
+ * and 'order_arg' as arguments.
+ *
+ * Requires:
+ * All the requirements of dns_rdataset_towire(), and
+ * that order_arg is NULL if and only if order is NULL.
+ */
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ dns_rdatasetorderfunc_t order,
+ void *order_arg,
+ unsigned int options,
+ unsigned int *countp,
+ void **state);
+/*
+ * Like dns_rdataset_towiresorted() except that a partial rdataset
+ * may be written.
+ *
+ * Requires:
+ * All the requirements of dns_rdataset_towiresorted().
+ * If 'state' is non NULL then the current position in the
+ * rdataset will be remembered if the rdataset in not
+ * completely written and should be passed on on subsequent
+ * calls (NOT CURRENTLY IMPLEMENTED).
+ *
+ * Returns:
+ * ISC_R_SUCCESS if all of the records were written.
+ * ISC_R_NOSPACE if unable to fit in all of the records. *countp
+ * will be updated to reflect the number of records
+ * written.
+ */
+
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg);
+/*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+ *
+ * Requires:
+ *
+ * 'rdataset' is a valid, non-question rdataset.
+ *
+ * 'add' is a valid dns_additionaldatafunc_t
+ *
+ * Ensures:
+ *
+ * If successful, dns_rdata_additionaldata() will have been called for
+ * each rdata in 'rdataset'.
+ *
+ * If a call to dns_rdata_additionaldata() is not successful, the
+ * result returned will be the result of dns_rdataset_additionaldata().
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any error that dns_rdata_additionaldata() can return.
+ */
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*
+ * Return the noqname proof for this record.
+ *
+ * Requires:
+ * 'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
+ * 'name' to be valid.
+ * 'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+/*
+ * Associate a noqname proof with this record.
+ * Sets DNS_RDATASETATTR_NOQNAME if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ * 'rdataset' to be valid and DNS_RDATASETATTR_NOQNAME to be set.
+ * 'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASET_H */
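Review bot: The Requires block of dns_rdataset_addnoqname() demands that DNS_RDATASETATTR_NOQNAME already be set, yet the same comment says the call sets that attribute on success; the clause looks copied from dns_rdataset_getnoqname() just above it. This is the contract for attaching a DNSSEC non-existence proof, so I would reduce the line to `* 'rdataset' to be valid.`, or say the attribute must not yet be set if that is what the implementation asserts (not visible in this header). Neither noqname prototype documents its return values; a `Returns:` section listing ISC_R_SUCCESS and the failure codes would tell callers when the nsec/nsecsig outputs may be used. Minor: `witih` in the dns_rdataset_towiresorted() comment and `dns_master_rdatasettottext()` in the dns_rdataset_totext() deprecation note are misspelled, and the latter makes the replacement API hard to grep for.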
diff --git a/contrib/bind9/lib/dns/include/dns/rdatasetiter.h b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
new file mode 100644
index 0000000..198aebb
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdatasetiter.h
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatasetiter.h,v 1.14.206.1 2004/03/06 08:13:59 marka Exp $ */
+
+#ifndef DNS_RDATASETITER_H
+#define DNS_RDATASETITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Rdataset Iterator
+ *
+ * The DNS Rdataset Iterator interface allows iteration of all of the
+ * rdatasets at a node.
+ *
+ * The dns_rdatasetiter_t type is like a "virtual class". To actually use
+ * it, an implementation of the class is required. This implementation is
+ * supplied by the database.
+ *
+ * It is the client's responsibility to call dns_rdataset_disassociate()
+ * on all rdatasets returned.
+ *
+ * XXX <more> XXX
+ *
+ * MP:
+ * The iterator itself is not locked. The caller must ensure
+ * synchronization.
+ *
+ * The iterator methods ensure appropriate database locking.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types
+ *****/
+
+typedef struct dns_rdatasetitermethods {
+ void (*destroy)(dns_rdatasetiter_t **iteratorp);
+ isc_result_t (*first)(dns_rdatasetiter_t *iterator);
+ isc_result_t (*next)(dns_rdatasetiter_t *iterator);
+ void (*current)(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset);
+} dns_rdatasetitermethods_t;
+
+#define DNS_RDATASETITER_MAGIC ISC_MAGIC('D','N','S','i')
+#define DNS_RDATASETITER_VALID(i) ISC_MAGIC_VALID(i, DNS_RDATASETITER_MAGIC)
+
+/*
+ * This structure is actually just the common prefix of a DNS db
+ * implementation's version of a dns_rdatasetiter_t.
+ *
+ * Direct use of this structure by clients is forbidden. DB implementations
+ * may change the structure. 'magic' must be DNS_RDATASETITER_MAGIC for
+ * any of the dns_rdatasetiter routines to work. DB implementations must
+ * maintain all DB rdataset iterator invariants.
+ */
+struct dns_rdatasetiter {
+ /* Unlocked. */
+ unsigned int magic;
+ dns_rdatasetitermethods_t * methods;
+ dns_db_t * db;
+ dns_dbnode_t * node;
+ dns_dbversion_t * version;
+ isc_stdtime_t now;
+};
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+/*
+ * Destroy '*iteratorp'.
+ *
+ * Requires:
+ *
+ * '*iteratorp' is a valid iterator.
+ *
+ * Ensures:
+ *
+ * All resources used by the iterator are freed.
+ *
+ * *iteratorp == NULL.
+ */
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator);
+/*
+ * Move the rdataset cursor to the first rdataset at the node (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no rdatasets at the node.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator);
+/*
+ * Move the rdataset cursor to the next rdataset at the node (if any).
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE There are no more rdatasets at the
+ * node.
+ *
+ * Other results are possible, depending on the DB implementation.
+ */
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset);
+/*
+ * Return the current rdataset.
+ *
+ * Requires:
+ * 'iterator' is a valid iterator.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * The rdataset cursor of 'iterator' is at a valid location (i.e. the
+ * result of last call to a cursor movement command was ISC_R_SUCCESS).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASETITER_H */
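Review bot: The comment on dns_rdatasetiter_current() has Requires but no Ensures, so the prototype never states the condition 'rdataset' is left in. The only hint is the module header's sentence that the client must call dns_rdataset_disassociate() on all rdatasets returned. I would repeat that obligation at the function, e.g. `* Ensures: 'rdataset' is associated with the rdataset at the cursor; the caller must disassociate it.`, presuming the implementations do leave it associated. Reading the prototype alone, it is easy to reuse one dns_rdataset_t across loop iterations without disassociating, which would break the "disassociated" precondition on the next call. dns_rdatasetiter_destroy() would likewise be clearer with `iteratorp != NULL` spelled out next to "'*iteratorp' is a valid iterator".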
diff --git a/contrib/bind9/lib/dns/include/dns/rdataslab.h b/contrib/bind9/lib/dns/include/dns/rdataslab.h
new file mode 100644
index 0000000..a0912db
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdataslab.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdataslab.h,v 1.20.2.2.2.4 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_RDATASLAB_H
+#define DNS_RDATASLAB_H 1
+
+/*
+ * DNS Rdata Slab
+ *
+ * Implements storage of rdatasets into slabs of memory.
+ *
+ * MP:
+ * Clients of this module must impose any required synchronization.
+ *
+ * Reliability:
+ * This module deals with low-level byte streams. Errors in any of
+ * the functions are likely to crash the server or corrupt memory.
+ *
+ * If the caller passes invalid memory references, these functions are
+ * likely to crash the server or corrupt memory.
+ *
+ * Resources:
+ * None.
+ *
+ * Security:
+ * None.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_RDATASLAB_FORCE 0x1
+#define DNS_RDATASLAB_EXACT 0x2
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen);
+/*
+ * Slabify a rdataset. The slab area will be allocated and returned
+ * in 'region'.
+ *
+ * Requires:
+ * 'rdataset' is valid.
+ *
+ * Ensures:
+ * 'region' will have base pointing to the start of allocated memory,
+ * with the slabified region beginning at region->base + reservelen.
+ * region->length contains the total length allocated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - successful completion
+ * ISC_R_NOMEMORY - no memory.
+ * <XXX others>
+ */
+
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+ dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+ dns_rdatatype_t covers, dns_ttl_t ttl,
+ dns_rdataset_t *rdataset);
+/*
+ * Construct an rdataset from a slab.
+ *
+ * Requires:
+ * 'slab' points to a slab.
+ * 'rdataset' is disassociated.
+ *
+ * Ensures:
+ * 'rdataset' is associated and points to a valid rdataest.
+ */
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+/*
+ * Return the total size of an rdataslab.
+ *
+ * Requires:
+ * 'slab' points to a slab.
+ *
+ * Returns:
+ * The number of bytes in the slab, including the reservelen.
+ */
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ unsigned int reservelen, isc_mem_t *mctx,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int flags, unsigned char **tslabp);
+/*
+ * Merge 'oslab' and 'nslab'.
+ */
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+ unsigned int reservelen, isc_mem_t *mctx,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int flags, unsigned char **tslabp);
+/*
+ * Subtract 'sslab' from 'mslab'. If 'exact' is true then all elements
+ * of 'sslab' must exist in 'mslab'.
+ *
+ * XXX
+ * valid flags are DNS_RDATASLAB_EXACT
+ */
+
+isc_boolean_t
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+ unsigned int reservelen);
+
+/*
+ * Compare two rdataslabs for equality. This does _not_ do a full
+ * DNSSEC comparison.
+ *
+ * Requires:
+ * 'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ * ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
+ */
+
+isc_boolean_t
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+ unsigned int reservelen, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type);
+/*
+ * Compare two rdataslabs for DNSSEC equality.
+ *
+ * Requires:
+ * 'slab1' and 'slab2' point to slabs.
+ *
+ * Returns:
+ * ISC_TRUE if the slabs are equal, ISC_FALSE otherwise.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASLAB_H */
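Review bot: The module comment says `Security: None.` directly under a Reliability paragraph stating that errors or invalid memory references are likely to crash the server or corrupt memory. Every slab prototype also takes a bare `unsigned char *` with no length, so the only contract is "'slab' points to a slab". I would turn the Security entry into a real statement, along the lines of `* Security: slabs are trusted; pass only slabs built by this module with the same 'reservelen'.`, wording to be confirmed against rdataslab.c. dns_rdataslab_merge() and dns_rdataslab_subtract() have no Requires/Ensures/Returns at all, so they do not say who owns and frees `*tslabp`, or whether oslab/nslab must share rdclass and type. The subtract comment also refers to an 'exact' argument that does not exist; it should name the DNS_RDATASLAB_EXACT bit in 'flags'.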
diff --git a/contrib/bind9/lib/dns/include/dns/rdatatype.h b/contrib/bind9/lib/dns/include/dns/rdatatype.h
new file mode 100644
index 0000000..0fa865d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rdatatype.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatatype.h,v 1.17.206.1 2004/03/06 08:13:59 marka Exp $ */
+
+#ifndef DNS_RDATATYPE_H
+#define DNS_RDATATYPE_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNS rdata type.
+ *
+ * Requires:
+ * 'typep' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * DNS_R_UNKNOWN type is unknown
+ */
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target);
+/*
+ * Put a textual representation of type 'type' into 'target'.
+ *
+ * Requires:
+ * 'type' is a valid type.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype,
+ char *array, unsigned int size);
+/*
+ * Format a human-readable representation of the type 'rdtype'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define DNS_RDATATYPE_FORMATSIZE sizeof("TYPE65535")
+/*
+ * Minimum size of array to pass to dns_rdatatype_format().
+ * May need to be adjusted if a new RR type with a very long
+ * name is defined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATATYPE_H */
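Review bot: The comment on dns_rdatatype_format() guarantees a null-terminated result but gives no Requires, and that guarantee cannot hold for `size == 0`. It also does not say what happens when 'size' is smaller than DNS_RDATATYPE_FORMATSIZE. I would add `* Requires: 'array' is not NULL and 'size' > 0.` and one sentence on the short-buffer case (truncation or a placeholder string, whichever rdata.c does; not visible here). The note on DNS_RDATATYPE_FORMATSIZE already admits the constant may become too small when a long type name is added, so the behaviour on an undersized buffer is the part callers need pinned down.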
diff --git a/contrib/bind9/lib/dns/include/dns/request.h b/contrib/bind9/lib/dns/include/dns/request.h
new file mode 100644
index 0000000..b3e7bcd
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/request.h
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: request.h,v 1.17.12.5 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_REQUEST_H
+#define DNS_REQUEST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Request
+ *
+ * The request module provides simple request/response services useful for
+ * sending SOA queries, DNS Notify messages, and dynamic update requests.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ */
+
+#include <isc/lang.h>
+#include <isc/event.h>
+
+#include <dns/types.h>
+
+#define DNS_REQUESTOPT_TCP 0x00000001U
+
+typedef struct dns_requestevent {
+ ISC_EVENT_COMMON(struct dns_requestevent);
+ isc_result_t result;
+ dns_request_t *request;
+} dns_requestevent_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr, isc_taskmgr_t *taskmgr,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4, dns_dispatch_t *dispatchv6,
+ dns_requestmgr_t **requestmgrp);
+/*
+ * Create a request manager.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * 'timermgr' is a valid timer manager.
+ *
+ * 'socketmgr' is a valid socket manager.
+ *
+ * 'taskmgr' is a valid task manager.
+ *
+ * 'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *
+ * 'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *
+ * requestmgrp != NULL && *requestmgrp == NULL
+ *
+ * Ensures:
+ *
+ * On success, *requestmgrp is a valid request manager.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any other result indicates failure.
+ */
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+ isc_event_t **eventp);
+/*
+ * Send '*eventp' to 'task' when 'requestmgr' has completed shutdown.
+ *
+ * Notes:
+ *
+ * It is not safe to detach the last reference to 'requestmgr' until
+ * shutdown is complete.
+ *
+ * Requires:
+ *
+ * 'requestmgr' is a valid request manager.
+ *
+ * 'task' is a valid task.
+ *
+ * *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ * *eventp == NULL.
+ */
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr);
+/*
+ * Start the shutdown process for 'requestmgr'.
+ *
+ * Notes:
+ *
+ * This call has no effect if the request manager is already shutting
+ * down.
+ *
+ * Requires:
+ *
+ * 'requestmgr' is a valid requestmgr.
+ */
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp);
+/*
+ * Attach to the request manager. dns_requestmgr_shutdown() must not
+ * have been called on 'source' prior to calling dns_requestmgr_attach().
+ *
+ * Requires:
+ *
+ * 'source' is a valid requestmgr.
+ *
+ * 'targetp' to be non NULL and '*targetp' to be NULL.
+ */
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp);
+/*
+ *
+ * Detach from the given requestmgr. If this is the final detach
+ * requestmgr will be destroyed. dns_requestmgr_shutdown() must
+ * be called before the final detach.
+ *
+ * Requires:
+ *
+ * '*requestmgrp' is a valid requestmgr.
+ *
+ * Ensures:
+ * '*requestmgrp' is NULL.
+ */
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *address, unsigned int options,
+ dns_tsigkey_t *key,
+ unsigned int timeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+/*
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ * 'message' will be rendered and sent to 'address'. If the
+ * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
+ * will timeout after 'timeout' seconds.
+ *
+ * When the request completes, successfully, due to a timeout, or
+ * because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ * 'message' is a valid DNS message.
+ *
+ * 'address' is a valid sockaddr.
+ *
+ * 'timeout' > 0
+ *
+ * 'task' is a valid task.
+ *
+ * requestp != NULL && *requestp == NULL
+ */
+
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, unsigned int udptimeout,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, unsigned int udptimeout,
+ unsigned int udpretries, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+/*
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ * 'message' will be rendered and sent to 'address'. If the
+ * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
+ * will timeout after 'timeout' seconds. UDP requests will be resent
+ * at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero.
+ *
+ * When the request completes, successfully, due to a timeout, or
+ * because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ * 'message' is a valid DNS message.
+ *
+ * 'dstaddr' is a valid sockaddr.
+ *
+ * 'srcaddr' is a valid sockaddr or NULL.
+ *
+ * 'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ * 'timeout' > 0
+ *
+ * 'task' is a valid task.
+ *
+ * requestp != NULL && *requestp == NULL
+ */
+
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ unsigned int udptimeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp);
+/*
+ * Create and send a request.
+ *
+ * Notes:
+ *
+ * 'msgbuf' will be sent to 'destaddr' after setting the id. If the
+ * DNS_REQUESTOPT_TCP option is set, TCP will be used. The request
+ * will timeout after 'timeout' seconds. UDP requests will be resent
+ * at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
+ *
+ * When the request completes, successfully, due to a timeout, or
+ * because it was canceled, a completion event will be sent to 'task'.
+ *
+ * Requires:
+ *
+ * 'msgbuf' is a valid DNS message in compressed wire format.
+ *
+ * 'destaddr' is a valid sockaddr.
+ *
+ * 'srcaddr' is a valid sockaddr or NULL.
+ *
+ * 'srcaddr' and 'dstaddr' are the same protocol family.
+ *
+ * 'timeout' > 0
+ *
+ * 'task' is a valid task.
+ *
+ * requestp != NULL && *requestp == NULL
+ */
+
+void
+dns_request_cancel(dns_request_t *request);
+/*
+ * Cancel 'request'.
+ *
+ * Requires:
+ *
+ * 'request' is a valid request.
+ *
+ * Ensures:
+ *
+ * If the completion event for 'request' has not yet been sent, it
+ * will be sent, and the result code will be ISC_R_CANCELED.
+ */
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+ unsigned int options);
+/*
+ * Get the response to 'request' by filling in 'message'.
+ *
+ * 'options' is passed to dns_message_parse(). See dns_message_parse()
+ * for more details.
+ *
+ * Requires:
+ *
+ * 'request' is a valid request for which the caller has received the
+ * completion event.
+ *
+ * The result code of the completion event was ISC_R_SUCCESS.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any result that dns_message_parse() can return.
+ */
+
+isc_boolean_t
+dns_request_usedtcp(dns_request_t *request);
+/*
+ * Return whether this query used TCP or not. Setting DNS_REQUESTOPT_TCP
+ * in the call to dns_request_create() will cause the function to return
+ * ISC_TRUE, othewise the result is based on the query message size.
+ *
+ * Requires:
+ * 'request' is a valid request.
+ *
+ * Returns:
+ * ISC_TRUE if TCP was used.
+ * ISC_FALSE if UDP was used.
+ */
+
+void
+dns_request_destroy(dns_request_t **requestp);
+/*
+ * Destroy 'request'.
+ *
+ * Requires:
+ *
+ * 'request' is a valid request for which the caller has received the
+ * completion event.
+ *
+ * Ensures:
+ *
+ * *requestp == NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_REQUEST_H */
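Review bot: None of the dns_request_create*() comments mention the `dns_tsigkey_t *key` argument, so the header does not say whether NULL is allowed and means the request goes out unsigned. I would add a Requires line such as `* 'key' is a valid TSIG key, or NULL for an unsigned request.`, to be confirmed against request.c. The shared comment for the createvia variants still talks about 'address' and 'dstaddr' although the parameters are `srcaddr` and `destaddr`, and the createraw comment mixes 'destaddr' and 'dstaddr'. The sentence "resent at 'udptimeout' intervals if non-zero or 'udpretries' is non-zero" does not say which value governs when only one of them is set. None of the create functions has a `Returns:` section, and dns_requestmgr_create() lists no requirement for 'dispatchmgr'.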
diff --git a/contrib/bind9/lib/dns/include/dns/resolver.h b/contrib/bind9/lib/dns/include/dns/resolver.h
new file mode 100644
index 0000000..0a6080d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/resolver.h
@@ -0,0 +1,431 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resolver.h,v 1.34.12.7 2004/04/15 23:56:31 marka Exp $ */
+
+#ifndef DNS_RESOLVER_H
+#define DNS_RESOLVER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Resolver
+ *
+ * This is the BIND 9 resolver, the module responsible for resolving DNS
+ * requests by iteratively querying authoritative servers and following
+ * referrals. This is a "full resolver", not to be confused with
+ * the stub resolvers most people associate with the word "resolver".
+ * The full resolver is part of the caching name server or resolver
+ * daemon the stub resolver talks to.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFCs: 1034, 1035, 2181, <TBS>
+ * Drafts: <TBS>
+ */
+
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+#include <dns/types.h>
+#include <dns/fixedname.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * A dns_fetchevent_t is sent when a 'fetch' completes. Any of 'db',
+ * 'node', 'rdataset', and 'sigrdataset' may be bound. It is the
+ * receiver's responsibility to detach before freeing the event.
+ *
+ * 'rdataset' and 'sigrdataset' are the values that were supplied when
+ * dns_resolver_createfetch() was called. They are returned to the
+ * caller so that they may be freed.
+ */
+typedef struct dns_fetchevent {
+ ISC_EVENT_COMMON(struct dns_fetchevent);
+ dns_fetch_t * fetch;
+ isc_result_t result;
+ dns_rdatatype_t qtype;
+ dns_db_t * db;
+ dns_dbnode_t * node;
+ dns_rdataset_t * rdataset;
+ dns_rdataset_t * sigrdataset;
+ dns_fixedname_t foundname;
+} dns_fetchevent_t;
+
+/*
+ * Options that modify how a 'fetch' is done.
+ */
+#define DNS_FETCHOPT_TCP 0x01 /* Use TCP. */
+#define DNS_FETCHOPT_UNSHARED 0x02 /* See below. */
+#define DNS_FETCHOPT_RECURSIVE 0x04 /* Set RD? */
+#define DNS_FETCHOPT_NOEDNS0 0x08 /* Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY 0x10 /* Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE 0x20 /* Disable validation. */
+
+/*
+ * XXXRTH Should this API be made semi-private? (I.e.
+ * _dns_resolver_create()).
+ */
+
+#define DNS_RESOLVER_CHECKNAMES 0x01
+#define DNS_RESOLVER_CHECKNAMESFAIL 0x02
+
+isc_result_t
+dns_resolver_create(dns_view_t *view,
+ isc_taskmgr_t *taskmgr, unsigned int ntasks,
+ isc_socketmgr_t *socketmgr,
+ isc_timermgr_t *timermgr,
+ unsigned int options,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4,
+ dns_dispatch_t *dispatchv6,
+ dns_resolver_t **resp);
+
+/*
+ * Create a resolver.
+ *
+ * Notes:
+ *
+ * Generally, applications should not create a resolver directly, but
+ * should instead call dns_view_createresolver().
+ *
+ * No options are currently defined.
+ *
+ * Requires:
+ *
+ * 'view' is a valid view.
+ *
+ * 'taskmgr' is a valid task manager.
+ *
+ * 'ntasks' > 0.
+ *
+ * 'socketmgr' is a valid socket manager.
+ *
+ * 'timermgr' is a valid timer manager.
+ *
+ * 'dispatchv4' is a valid dispatcher with an IPv4 UDP socket, or is NULL.
+ *
+ * 'dispatchv6' is a valid dispatcher with an IPv6 UDP socket, or is NULL.
+ *
+ * *resp != NULL && *resp == NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS On success.
+ *
+ * Anything else Failure.
+ */
+
+void
+dns_resolver_freeze(dns_resolver_t *res);
+/*
+ * Freeze resolver.
+ *
+ * Notes:
+ *
+ * Certain configuration changes cannot be made after the resolver
+ * is frozen. Fetches cannot be created until the resolver is frozen.
+ *
+ * Requires:
+ *
+ * 'res' is a valid, unfrozen resolver.
+ *
+ * Ensures:
+ *
+ * 'res' is frozen.
+ */
+
+void
+dns_resolver_prime(dns_resolver_t *res);
+/*
+ * Prime resolver.
+ *
+ * Notes:
+ *
+ * Resolvers which have a forwarding policy other than dns_fwdpolicy_only
+ * need to be primed with the root nameservers, otherwise the root
+ * nameserver hints data may be used indefinitely. This function requests
+ * that the resolver start a priming fetch, if it isn't already priming.
+ *
+ * Requires:
+ *
+ * 'res' is a valid, frozen resolver.
+ */
+
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+ isc_event_t **eventp);
+/*
+ * Send '*eventp' to 'task' when 'res' has completed shutdown.
+ *
+ * Notes:
+ *
+ * It is not safe to detach the last reference to 'res' until
+ * shutdown is complete.
+ *
+ * Requires:
+ *
+ * 'res' is a valid resolver.
+ *
+ * 'task' is a valid task.
+ *
+ * *eventp is a valid event.
+ *
+ * Ensures:
+ *
+ * *eventp == NULL.
+ */
+
+void
+dns_resolver_shutdown(dns_resolver_t *res);
+/*
+ * Start the shutdown process for 'res'.
+ *
+ * Notes:
+ *
+ * This call has no effect if the resolver is already shutting down.
+ *
+ * Requires:
+ *
+ * 'res' is a valid resolver.
+ */
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp);
+
+void
+dns_resolver_detach(dns_resolver_t **resp);
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_name_t *domain, dns_rdataset_t *nameservers,
+ dns_forwarders_t *forwarders,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset,
+ dns_fetch_t **fetchp);
+/*
+ * Recurse to answer a question.
+ *
+ * Notes:
+ *
+ * This call starts a query for 'name', type 'type'.
+ *
+ * The 'domain' is a parent domain of 'name' for which
+ * a set of name servers 'nameservers' is known. If no
+ * such name server information is available, set
+ * 'domain' and 'nameservers' to NULL.
+ *
+ * 'forwarders' is unimplemented, and subject to change when
+ * we figure out how selective forwarding will work.
+ *
+ * When the fetch completes (successfully or otherwise), a
+ * DNS_EVENT_FETCHDONE event with action 'action' and arg 'arg' will be
+ * posted to 'task'.
+ *
+ * The values of 'rdataset' and 'sigrdataset' will be returned in
+ * the FETCHDONE event.
+ *
+ * Requires:
+ *
+ * 'res' is a valid resolver that has been frozen.
+ *
+ * 'name' is a valid name.
+ *
+ * 'type' is not a meta type other than ANY.
+ *
+ * 'domain' is a valid name or NULL.
+ *
+ * 'nameservers' is a valid NS rdataset (whose owner name is 'domain')
+ * iff. 'domain' is not NULL.
+ *
+ * 'forwarders' is NULL.
+ *
+ * 'options' contains valid options.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * fetchp != NULL && *fetchp == NULL.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS Success
+ *
+ * Many other values are possible, all of which indicate failure.
+ */
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch);
+/*
+ * Cancel 'fetch'.
+ *
+ * Notes:
+ *
+ * If 'fetch' has not completed, post its FETCHDONE event with a
+ * result code of ISC_R_CANCELED.
+ *
+ * Requires:
+ *
+ * 'fetch' is a valid fetch.
+ */
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp);
+/*
+ * Destroy 'fetch'.
+ *
+ * Requires:
+ *
+ * '*fetchp' is a valid fetch.
+ *
+ * The caller has received the FETCHDONE event (either because the
+ * fetch completed or because dns_resolver_cancelfetch() was called).
+ *
+ * Ensures:
+ *
+ * *fetchp == NULL.
+ */
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver);
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver);
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver);
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver);
+
+isc_uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver);
+/*
+ * Get the resolver's lame-ttl. zero => no lame processing.
+ *
+ * Requires:
+ * 'resolver' to be valid.
+ */
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl);
+/*
+ * Set the resolver's lame-ttl. zero => no lame processing.
+ *
+ * Requires:
+ * 'resolver' to be valid.
+ */
+
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver);
+/*
+ * Return the number of currently running resolutions in this
+ * resolver. This is may be less than the number of outstanding
+ * fetches due to multiple identical fetches, or more than the
+ * number of of outstanding fetches due to the fact that resolution
+ * can continue even though a fetch has been canceled.
+ */
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+ dns_name_t *name, in_port_t port);
+/*
+ * Add alternate addresses to be tried in the event that the nameservers
+ * for a zone are not available in the address families supported by the
+ * operating system.
+ *
+ * Require:
+ * only one of 'name' or 'alt' to be valid.
+ */
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize);
+/*
+ * Set the EDNS UDP buffer size advertised by the server.
+ */
+
+isc_uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver);
+/*
+ * Get the current EDNS UDP buffer size.
+ */
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver);
+/*
+ * Clear the disabled DNSSEC algorithms.
+ */
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+ unsigned int alg);
+/*
+ * Mark the give DNSSEC algorithm as disabled and below 'name'.
+ * Valid algorithms are less than 256.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_RANGE
+ * ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+ unsigned int alg);
+/*
+ * Check if the given algorithm is supported by this resolver.
+ * This checks if the algorithm has been disabled via
+ * dns_resolver_disable_algorithm() then the underlying
+ * crypto libraries if not specifically disabled.
+ */
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver);
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
+ isc_boolean_t value);
+
+isc_boolean_t
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESOLVER_H */
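Review bot: The three `dns_resolver_*mustbesecure()` declarations at the end of this header have no contract comment, although by their names they set a per-name DNSSEC enforcement policy and almost every other function here has Requires/Returns text. The missing comment should say what `value` means, whether `name` covers the names below it, which result codes `dns_resolver_setmustbesecure()` can return, and what `dns_resolver_getmustbesecure()` answers for a name with no entry. Separately, the `dns_resolver_create()` requirement `*resp != NULL && *resp == NULL.` contradicts itself and should read `resp != NULL && *resp == NULL.`. Its note "No options are currently defined" also sits directly below the `DNS_RESOLVER_CHECKNAMES` and `DNS_RESOLVER_CHECKNAMESFAIL` defines. Because the file is a vendor import under contrib/, these corrections are better sent upstream than patched locally.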
diff --git a/contrib/bind9/lib/dns/include/dns/result.h b/contrib/bind9/lib/dns/include/dns/result.h
new file mode 100644
index 0000000..f1a71d9
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/result.h
@@ -0,0 +1,186 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.h,v 1.81.2.7.2.13 2004/05/14 05:06:41 marka Exp $ */
+
+#ifndef DNS_RESULT_H
+#define DNS_RESULT_H 1
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+#include <dns/types.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DNS result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h> /* Contractual promise. */
+
+/*
+ * DNS library result codes
+ */
+#define DNS_R_LABELTOOLONG (ISC_RESULTCLASS_DNS + 0)
+#define DNS_R_BADESCAPE (ISC_RESULTCLASS_DNS + 1)
+/*
+ * Since we dropped the support of bitstring labels, deprecate the related
+ * result codes too.
+
+#define DNS_R_BADBITSTRING (ISC_RESULTCLASS_DNS + 2)
+#define DNS_R_BITSTRINGTOOLONG (ISC_RESULTCLASS_DNS + 3)
+*/
+#define DNS_R_EMPTYLABEL (ISC_RESULTCLASS_DNS + 4)
+#define DNS_R_BADDOTTEDQUAD (ISC_RESULTCLASS_DNS + 5)
+#define DNS_R_INVALIDNS (ISC_RESULTCLASS_DNS + 6)
+#define DNS_R_UNKNOWN (ISC_RESULTCLASS_DNS + 7)
+#define DNS_R_BADLABELTYPE (ISC_RESULTCLASS_DNS + 8)
+#define DNS_R_BADPOINTER (ISC_RESULTCLASS_DNS + 9)
+#define DNS_R_TOOMANYHOPS (ISC_RESULTCLASS_DNS + 10)
+#define DNS_R_DISALLOWED (ISC_RESULTCLASS_DNS + 11)
+#define DNS_R_EXTRATOKEN (ISC_RESULTCLASS_DNS + 12)
+#define DNS_R_EXTRADATA (ISC_RESULTCLASS_DNS + 13)
+#define DNS_R_TEXTTOOLONG (ISC_RESULTCLASS_DNS + 14)
+#define DNS_R_NOTZONETOP (ISC_RESULTCLASS_DNS + 15)
+#define DNS_R_SYNTAX (ISC_RESULTCLASS_DNS + 16)
+#define DNS_R_BADCKSUM (ISC_RESULTCLASS_DNS + 17)
+#define DNS_R_BADAAAA (ISC_RESULTCLASS_DNS + 18)
+#define DNS_R_NOOWNER (ISC_RESULTCLASS_DNS + 19)
+#define DNS_R_NOTTL (ISC_RESULTCLASS_DNS + 20)
+#define DNS_R_BADCLASS (ISC_RESULTCLASS_DNS + 21)
+#define DNS_R_NAMETOOLONG (ISC_RESULTCLASS_DNS + 22)
+#define DNS_R_PARTIALMATCH (ISC_RESULTCLASS_DNS + 23)
+#define DNS_R_NEWORIGIN (ISC_RESULTCLASS_DNS + 24)
+#define DNS_R_UNCHANGED (ISC_RESULTCLASS_DNS + 25)
+#define DNS_R_BADTTL (ISC_RESULTCLASS_DNS + 26)
+#define DNS_R_NOREDATA (ISC_RESULTCLASS_DNS + 27)
+#define DNS_R_CONTINUE (ISC_RESULTCLASS_DNS + 28)
+#define DNS_R_DELEGATION (ISC_RESULTCLASS_DNS + 29)
+#define DNS_R_GLUE (ISC_RESULTCLASS_DNS + 30)
+#define DNS_R_DNAME (ISC_RESULTCLASS_DNS + 31)
+#define DNS_R_CNAME (ISC_RESULTCLASS_DNS + 32)
+#define DNS_R_BADDB (ISC_RESULTCLASS_DNS + 33)
+#define DNS_R_ZONECUT (ISC_RESULTCLASS_DNS + 34)
+#define DNS_R_BADZONE (ISC_RESULTCLASS_DNS + 35)
+#define DNS_R_MOREDATA (ISC_RESULTCLASS_DNS + 36)
+#define DNS_R_UPTODATE (ISC_RESULTCLASS_DNS + 37)
+#define DNS_R_TSIGVERIFYFAILURE (ISC_RESULTCLASS_DNS + 38)
+#define DNS_R_TSIGERRORSET (ISC_RESULTCLASS_DNS + 39)
+#define DNS_R_SIGINVALID (ISC_RESULTCLASS_DNS + 40)
+#define DNS_R_SIGEXPIRED (ISC_RESULTCLASS_DNS + 41)
+#define DNS_R_SIGFUTURE (ISC_RESULTCLASS_DNS + 42)
+#define DNS_R_KEYUNAUTHORIZED (ISC_RESULTCLASS_DNS + 43)
+#define DNS_R_INVALIDTIME (ISC_RESULTCLASS_DNS + 44)
+#define DNS_R_EXPECTEDTSIG (ISC_RESULTCLASS_DNS + 45)
+#define DNS_R_UNEXPECTEDTSIG (ISC_RESULTCLASS_DNS + 46)
+#define DNS_R_INVALIDTKEY (ISC_RESULTCLASS_DNS + 47)
+#define DNS_R_HINT (ISC_RESULTCLASS_DNS + 48)
+#define DNS_R_DROP (ISC_RESULTCLASS_DNS + 49)
+#define DNS_R_NOTLOADED (ISC_RESULTCLASS_DNS + 50)
+#define DNS_R_NCACHENXDOMAIN (ISC_RESULTCLASS_DNS + 51)
+#define DNS_R_NCACHENXRRSET (ISC_RESULTCLASS_DNS + 52)
+#define DNS_R_WAIT (ISC_RESULTCLASS_DNS + 53)
+#define DNS_R_NOTVERIFIEDYET (ISC_RESULTCLASS_DNS + 54)
+#define DNS_R_NOIDENTITY (ISC_RESULTCLASS_DNS + 55)
+#define DNS_R_NOJOURNAL (ISC_RESULTCLASS_DNS + 56)
+#define DNS_R_ALIAS (ISC_RESULTCLASS_DNS + 57)
+#define DNS_R_USETCP (ISC_RESULTCLASS_DNS + 58)
+#define DNS_R_NOVALIDSIG (ISC_RESULTCLASS_DNS + 59)
+#define DNS_R_NOVALIDNSEC (ISC_RESULTCLASS_DNS + 60)
+#define DNS_R_NOTINSECURE (ISC_RESULTCLASS_DNS + 61)
+#define DNS_R_UNKNOWNSERVICE (ISC_RESULTCLASS_DNS + 62)
+#define DNS_R_RECOVERABLE (ISC_RESULTCLASS_DNS + 63)
+#define DNS_R_UNKNOWNOPT (ISC_RESULTCLASS_DNS + 64)
+#define DNS_R_UNEXPECTEDID (ISC_RESULTCLASS_DNS + 65)
+#define DNS_R_SEENINCLUDE (ISC_RESULTCLASS_DNS + 66)
+#define DNS_R_NOTEXACT (ISC_RESULTCLASS_DNS + 67)
+#define DNS_R_BLACKHOLED (ISC_RESULTCLASS_DNS + 68)
+#define DNS_R_BADALG (ISC_RESULTCLASS_DNS + 69)
+#define DNS_R_METATYPE (ISC_RESULTCLASS_DNS + 70)
+#define DNS_R_CNAMEANDOTHER (ISC_RESULTCLASS_DNS + 71)
+#define DNS_R_SINGLETON (ISC_RESULTCLASS_DNS + 72)
+#define DNS_R_HINTNXRRSET (ISC_RESULTCLASS_DNS + 73)
+#define DNS_R_NOMASTERFILE (ISC_RESULTCLASS_DNS + 74)
+#define DNS_R_UNKNOWNPROTO (ISC_RESULTCLASS_DNS + 75)
+#define DNS_R_CLOCKSKEW (ISC_RESULTCLASS_DNS + 76)
+#define DNS_R_BADIXFR (ISC_RESULTCLASS_DNS + 77)
+#define DNS_R_NOTAUTHORITATIVE (ISC_RESULTCLASS_DNS + 78)
+#define DNS_R_NOVALIDKEY (ISC_RESULTCLASS_DNS + 79)
+#define DNS_R_OBSOLETE (ISC_RESULTCLASS_DNS + 80)
+#define DNS_R_FROZEN (ISC_RESULTCLASS_DNS + 81)
+#define DNS_R_UNKNOWNFLAG (ISC_RESULTCLASS_DNS + 82)
+#define DNS_R_EXPECTEDRESPONSE (ISC_RESULTCLASS_DNS + 83)
+#define DNS_R_NOVALIDDS (ISC_RESULTCLASS_DNS + 84)
+#define DNS_R_NSISADDRESS (ISC_RESULTCLASS_DNS + 85)
+#define DNS_R_REMOTEFORMERR (ISC_RESULTCLASS_DNS + 86)
+#define DNS_R_TRUNCATEDTCP (ISC_RESULTCLASS_DNS + 87)
+#define DNS_R_LAME (ISC_RESULTCLASS_DNS + 88)
+#define DNS_R_UNEXPECTEDRCODE (ISC_RESULTCLASS_DNS + 89)
+#define DNS_R_UNEXPECTEDOPCODE (ISC_RESULTCLASS_DNS + 90)
+#define DNS_R_CHASEDSSERVERS (ISC_RESULTCLASS_DNS + 91)
+#define DNS_R_EMPTYNAME (ISC_RESULTCLASS_DNS + 92)
+#define DNS_R_EMPTYWILD (ISC_RESULTCLASS_DNS + 93)
+#define DNS_R_BADBITMAP (ISC_RESULTCLASS_DNS + 94)
+#define DNS_R_FROMWILDCARD (ISC_RESULTCLASS_DNS + 95)
+#define DNS_R_BADOWNERNAME (ISC_RESULTCLASS_DNS + 96)
+#define DNS_R_BADNAME (ISC_RESULTCLASS_DNS + 97)
+#define DNS_R_DYNAMIC (ISC_RESULTCLASS_DNS + 98)
+#define DNS_R_UNKNOWNCOMMAND (ISC_RESULTCLASS_DNS + 99)
+#define DNS_R_MUSTBESECURE (ISC_RESULTCLASS_DNS + 100)
+#define DNS_R_COVERINGNSEC (ISC_RESULTCLASS_DNS + 101)
+
+#define DNS_R_NRESULTS 102 /* Number of results */
+
+/*
+ * DNS wire format rcodes.
+ *
+ * By making these their own class we can easily convert them into the
+ * wire-format rcode value simply by masking off the resultclass.
+ */
+#define DNS_R_NOERROR (ISC_RESULTCLASS_DNSRCODE + 0)
+#define DNS_R_FORMERR (ISC_RESULTCLASS_DNSRCODE + 1)
+#define DNS_R_SERVFAIL (ISC_RESULTCLASS_DNSRCODE + 2)
+#define DNS_R_NXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 3)
+#define DNS_R_NOTIMP (ISC_RESULTCLASS_DNSRCODE + 4)
+#define DNS_R_REFUSED (ISC_RESULTCLASS_DNSRCODE + 5)
+#define DNS_R_YXDOMAIN (ISC_RESULTCLASS_DNSRCODE + 6)
+#define DNS_R_YXRRSET (ISC_RESULTCLASS_DNSRCODE + 7)
+#define DNS_R_NXRRSET (ISC_RESULTCLASS_DNSRCODE + 8)
+#define DNS_R_NOTAUTH (ISC_RESULTCLASS_DNSRCODE + 9)
+#define DNS_R_NOTZONE (ISC_RESULTCLASS_DNSRCODE + 10)
+#define DNS_R_BADVERS (ISC_RESULTCLASS_DNSRCODE + 16)
+
+#define DNS_R_NRCODERESULTS 17 /* Number of rcode results */
+
+#define DNS_RESULT_ISRCODE(result) \
+ (ISC_RESULTCLASS_INCLASS(ISC_RESULTCLASS_DNSRCODE, (result)))
+
+ISC_LANG_BEGINDECLS
+
+const char *
+dns_result_totext(isc_result_t);
+
+void
+dns_result_register(void);
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RESULT_H */
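Review bot: `DNS_R_BADVERS` is `ISC_RESULTCLASS_DNSRCODE + 16`, so the conversion described in the comment ("simply by masking off the resultclass") yields 16, which does not fit the 4-bit RCODE field of the DNS header and has to travel as an extended rcode in the OPT record. A comment on that define would stop callers from writing the masked value straight into the header, for example `/* Extended rcode: upper bits go in the OPT record, not the header. */`. Whether `dns_result_torcode()` already accounts for this cannot be seen from the header. The hand-maintained counts also deserve a remark: `DNS_R_NRCODERESULTS` is 17 while only twelve rcodes are defined (11–15 are skipped), and `DNS_R_NRESULTS` is 102 with slots 2 and 3 commented out, so any table sized by these presumably needs placeholder entries.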
diff --git a/contrib/bind9/lib/dns/include/dns/rootns.h b/contrib/bind9/lib/dns/include/dns/rootns.h
new file mode 100644
index 0000000..02da556
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/rootns.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rootns.h,v 1.8.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_ROOTNS_H
+#define DNS_ROOTNS_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ const char *filename, dns_db_t **target);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ROOTNS_H */
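Review bot: `dns_rootns_create()` is declared with no contract comment at all, so a caller cannot tell from the header how `filename` and `target` must be passed. Judging by its name this function builds the root server hints database, which is the starting point for resolution, so the source of that data should be explicit. A comment in the style of the sibling headers should state whether `filename` may be NULL and what is loaded in that case, and presumably `target != NULL && *target == NULL`, along with the possible result codes.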
diff --git a/contrib/bind9/lib/dns/include/dns/sdb.h b/contrib/bind9/lib/dns/include/dns/sdb.h
new file mode 100644
index 0000000..5fdeace
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/sdb.h
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sdb.h,v 1.12.12.3 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_SDB_H
+#define DNS_SDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Simple database API.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*
+ * A simple database. This is an opaque type.
+ */
+typedef struct dns_sdb dns_sdb_t;
+
+/*
+ * A simple database lookup in progress. This is an opaque type.
+ */
+typedef struct dns_sdblookup dns_sdblookup_t;
+
+/*
+ * A simple database traversal in progress. This is an opaque type.
+ */
+typedef struct dns_sdballnodes dns_sdballnodes_t;
+
+typedef isc_result_t
+(*dns_sdblookupfunc_t)(const char *zone, const char *name, void *dbdata,
+ dns_sdblookup_t *);
+
+typedef isc_result_t
+(*dns_sdbauthorityfunc_t)(const char *zone, void *dbdata, dns_sdblookup_t *);
+
+typedef isc_result_t
+(*dns_sdballnodesfunc_t)(const char *zone, void *dbdata,
+ dns_sdballnodes_t *allnodes);
+
+typedef isc_result_t
+(*dns_sdbcreatefunc_t)(const char *zone, int argc, char **argv,
+ void *driverdata, void **dbdata);
+
+typedef void
+(*dns_sdbdestroyfunc_t)(const char *zone, void *driverdata, void **dbdata);
+
+
+typedef struct dns_sdbmethods {
+ dns_sdblookupfunc_t lookup;
+ dns_sdbauthorityfunc_t authority;
+ dns_sdballnodesfunc_t allnodes;
+ dns_sdbcreatefunc_t create;
+ dns_sdbdestroyfunc_t destroy;
+} dns_sdbmethods_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SDBFLAG_RELATIVEOWNER 0x00000001U
+#define DNS_SDBFLAG_RELATIVERDATA 0x00000002U
+#define DNS_SDBFLAG_THREADSAFE 0x00000004U
+
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+ void *driverdata, unsigned int flags, isc_mem_t *mctx,
+ dns_sdbimplementation_t **sdbimp);
+/*
+ * Register a simple database driver for the database type 'drivername',
+ * implemented by the functions in '*methods'.
+ *
+ * sdbimp must point to a NULL dns_sdbimplementation_t pointer. That is,
+ * sdbimp != NULL && *sdbimp == NULL. It will be assigned a value that
+ * will later be used to identify the driver when deregistering it.
+ *
+ * The name server will perform lookups in the database by calling the
+ * function 'lookup', passing it a printable zone name 'zone', a printable
+ * domain name 'name', and a copy of the argument 'dbdata' that
+ * was potentially returned by the create function. The 'dns_sdblookup_t'
+ * argument to 'lookup' and 'authority' is an opaque pointer to be passed to
+ * ns_sdb_putrr().
+ *
+ * The lookup function returns the lookup results to the name server
+ * by calling ns_sdb_putrr() once for each record found. On success,
+ * the return value of the lookup function should be ISC_R_SUCCESS.
+ * If the domain name 'name' does not exist, the lookup function should
+ * ISC_R_NOTFOUND. Any other return value is treated as an error.
+ *
+ * Lookups at the zone apex will cause the server to also call the
+ * function 'authority' (if non-NULL), which must provide an SOA record
+ * and NS records for the zone by calling ns_sdb_putrr() once for each of
+ * these records. The 'authority' function may be NULL if invoking
+ * the 'lookup' function on the zone apex will return SOA and NS records.
+ *
+ * The allnodes function, if non-NULL, fills in an opaque structure to be
+ * used by a database iterator. This allows the zone to be transferred.
+ * This may use a considerable amount of memory for large zones, and the
+ * zone transfer may not be fully RFC 1035 compliant if the zone is
+ * frequently changed.
+ *
+ * The create function will be called for each zone configured
+ * into the name server using this database type. It can be used
+ * to create a "database object" containg zone specific data,
+ * which can make use of the database arguments specified in the
+ * name server configuration.
+ *
+ * The destroy function will be called to free the database object
+ * when its zone is destroyed.
+ *
+ * The create and destroy functions may be NULL.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVEOWNER, the lookup and authority
+ * functions will be called with relative names rather than absolute names.
+ * The string "@" represents the zone apex in this case.
+ *
+ * If flags includes DNS_SDBFLAG_RELATIVERDATA, the rdata strings may
+ * include relative names. Otherwise, all names in the rdata string must
+ * be absolute. Be aware that if relative names are allowed, any
+ * absolute names must contain a trailing dot.
+ *
+ * If flags includes DNS_SDBFLAG_THREADSAFE, the driver must be able to
+ * handle multiple lookups in parallel. Otherwise, calls into the driver
+ * are serialized.
+ */
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp);
+/*
+ * Removes the simple database driver from the list of registered database
+ * types. There must be no active databases of this type when this function
+ * is called.
+ */
+
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+ const char *data);
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t type, dns_ttl_t ttl,
+ const unsigned char *rdata, unsigned int rdlen);
+/*
+ * Add a single resource record to the lookup structure to be
+ * returned in the query response. dns_sdb_putrr() takes the
+ * resource record in master file text format as a null-terminated
+ * string, and dns_sdb_putrdata() takes the raw RDATA in
+ * uncompressed wire format.
+ */
+
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+ const char *type, dns_ttl_t ttl, const char *data);
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+ dns_rdatatype_t type, dns_ttl_t ttl,
+ const void *rdata, unsigned int rdlen);
+/*
+ * Add a single resource record to the allnodes structure to be
+ * included in a zone transfer response, in text or wire
+ * format as above.
+ */
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+ isc_uint32_t serial);
+/*
+ * This function may optionally be called from the 'authority' callback
+ * to simplify construction of the SOA record for 'zone'. It will
+ * provide a SOA listing 'mname' as as the master server and 'rname' as
+ * the responsible person mailbox. It is the responsibility of the
+ * driver to increment the serial number between responses if necessary.
+ * All other SOA fields will have reasonable default values.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SDB_H */
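Review bot: The shared comment for `dns_sdb_putrr()` / `dns_sdb_putrdata()`, and the one for `dns_sdb_putnamedrr()` / `dns_sdb_putnamedrdata()`, do not say who validates the driver-supplied `rdata` and `rdlen`. A driver author cannot tell whether malformed wire-format RDATA is rejected with an error or trusted and placed in the response. A Requires/Returns block should state the maximum `rdlen`, whether the data is checked against `type`, and the result code for bad input. The two wire-format variants also disagree on the pointer type (`const unsigned char *rdata` versus `const void *rdata`). In the `dns_sdb_register()` comment the helper is called `ns_sdb_putrr()` three times while the declared name is `dns_sdb_putrr()`, and "the lookup function should ISC_R_NOTFOUND" is missing the word "return".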
diff --git a/contrib/bind9/lib/dns/include/dns/secalg.h b/contrib/bind9/lib/dns/include/dns/secalg.h
new file mode 100644
index 0000000..3f7a16f
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/secalg.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: secalg.h,v 1.12.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_SECALG_H
+#define DNS_SECALG_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC security algorithm value.
+ * The text may contain either a mnemonic algorithm name or a decimal algorithm
+ * number.
+ *
+ * Requires:
+ * 'secalgp' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_RANGE numeric type is out of range
+ * DNS_R_UNKNOWN mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target);
+/*
+ * Put a textual representation of the DNSSEC security algorithm 'secalg'
+ * into 'target'.
+ *
+ * Requires:
+ * 'secalg' is a valid secalg.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECALG_H */
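Review bot: The Returns text of `dns_secalg_fromtext()` says "numeric type is out of range" and "mnemonic type is unknown", which looks copied from a type converter; it should name the algorithm, e.g. `ISC_R_RANGE numeric algorithm is out of range`. The comment also does not say whether `*secalgp` is left untouched on failure, so it should tell callers to read it only after `ISC_R_SUCCESS`. The visible part of secproto.h repeats the same "type" wording for `dns_secproto_fromtext()`.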
diff --git a/contrib/bind9/lib/dns/include/dns/secproto.h b/contrib/bind9/lib/dns/include/dns/secproto.h
new file mode 100644
index 0000000..da8c1dd
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/secproto.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: secproto.h,v 1.9.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_SECPROTO_H
+#define DNS_SECPROTO_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source);
+/*
+ * Convert the text 'source' refers to into a DNSSEC security protocol value.
+ * The text may contain either a mnemonic protocol name or a decimal protocol
+ * number.
+ *
+ * Requires:
+ * 'secprotop' is a valid pointer.
+ *
+ * 'source' is a valid text region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_RANGE numeric type is out of range
+ * DNS_R_UNKNOWN mnemonic type is unknown
+ */
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target);
+/*
+ * Put a textual representation of the DNSSEC security protocol 'secproto'
+ * into 'target'.
+ *
+ * Requires:
+ * 'secproto' is a valid secproto.
+ *
+ * 'target' is a valid text buffer.
+ *
+ * Ensures:
+ * If the result is success:
+ * The used space in 'target' is updated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success
+ * ISC_R_NOSPACE target buffer is too small
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SECPROTO_H */
diff --git a/contrib/bind9/lib/dns/include/dns/soa.h b/contrib/bind9/lib/dns/include/dns/soa.h
new file mode 100644
index 0000000..304ae15
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/soa.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: soa.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_SOA_H
+#define DNS_SOA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * SOA utilities.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_uint32_t
+dns_soa_getserial(dns_rdata_t *rdata);
+isc_uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata);
+isc_uint32_t
+dns_soa_getretry(dns_rdata_t *rdata);
+isc_uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata);
+isc_uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata);
+/*
+ * Extract an integer field from the rdata of a SOA record.
+ *
+ * Requires:
+ * rdata refers to the rdata of a well-formed SOA record.
+ */
+
+void
+dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata);
+void
+dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata);
+/*
+ * Change an integer field of a SOA record by modifying the
+ * rdata in-place.
+ *
+ * Requires:
+ * rdata refers to the rdata of a well-formed SOA record.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SOA_H */
diff --git a/contrib/bind9/lib/dns/include/dns/ssu.h b/contrib/bind9/lib/dns/include/dns/ssu.h
new file mode 100644
index 0000000..f26a039
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/ssu.h
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ssu.h,v 1.11.206.3 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_SSU_H
+#define DNS_SSU_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define DNS_SSUMATCHTYPE_NAME 0
+#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
+#define DNS_SSUMATCHTYPE_WILDCARD 2
+#define DNS_SSUMATCHTYPE_SELF 3
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
+/*
+ * Creates a table that will be used to store simple-secure-update rules.
+ * Note: all locking must be provided by the client.
+ *
+ * Requires:
+ * 'mctx' is a valid memory context
+ * 'table' is not NULL, and '*table' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ * 'source' is a valid SSU table
+ * 'targetp' points to a NULL dns_ssutable_t *.
+ *
+ * Ensures:
+ * *targetp is attached to source.
+ */
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep);
+/*
+ * Detach '*tablep' from its simple-secure-update rule table.
+ *
+ * Requires:
+ * 'tablep' points to a valid dns_ssutable_t
+ *
+ * Ensures:
+ * *tablep is NULL
+ * If '*tablep' is the last reference to the SSU table, all
+ * resources used by the table will be freed.
+ */
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
+ dns_name_t *identity, unsigned int matchtype,
+ dns_name_t *name, unsigned int ntypes,
+ dns_rdatatype_t *types);
+/*
+ * Adds a new rule to a simple-secure-update rule table. The rule
+ * either grants or denies update privileges of an identity (or set of
+ * identities) to modify a name (or set of names) or certain types present
+ * at that name.
+ *
+ * Notes:
+ * If 'matchtype' is SELF, this rule only matches if the name
+ * to be updated matches the signing identity.
+ *
+ * If 'ntypes' is 0, this rule applies to all types except
+ * NS, SOA, RRSIG, and NSEC.
+ *
+ * If 'types' includes ANY, this rule applies to all types
+ * except NSEC.
+ *
+ * Requires:
+ * 'table' is a valid SSU table
+ * 'identity' is a valid absolute name
+ * 'matchtype' must be one of the defined constants.
+ * 'name' is a valid absolute name
+ * If 'ntypes' > 0, 'types' must not be NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+ dns_name_t *name, dns_rdatatype_t type);
+/*
+ * Checks that the attempted update of (name, type) is allowed according
+ * to the rules specified in the simple-secure-update rule table. If
+ * no rules are matched, access is denied. If signer is NULL, access
+ * is denied.
+ *
+ * Requires:
+ * 'table' is a valid SSU table
+ * 'signer' is NULL or a valid absolute name
+ * 'name' is a valid absolute name
+ */
+
+
+isc_boolean_t dns_ssurule_isgrant(const dns_ssurule_t *rule);
+dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule);
+unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule);
+dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule);
+unsigned int dns_ssurule_types(const dns_ssurule_t *rule,
+ dns_rdatatype_t **types);
+/*
+ * Accessor functions to extract rule components
+ */
+
+isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table,
+ dns_ssurule_t **rule);
+/*
+ * Initiates a rule iterator. There is no need to maintain any state.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE
+ */
+
+isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule,
+ dns_ssurule_t **nextrule);
+/*
+ * Returns the next rule in the table.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_SSU_H */
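Review bot: The comment on dns_ssutable_checkrules states that access is denied when no rule matches or when `signer` is NULL, but it does not say how the result is chosen when a grant rule and a deny rule both match the same (signer, name, type). Since dns_ssutable_addrule accepts both kinds of rule, the evaluation order is part of the authorization contract and should be written down here once confirmed against the implementation, which is not in this hunk. dns_ssutable_firstrule and dns_ssutable_nextrule also have no Requires clauses; given the note on dns_ssutable_create that `all locking must be provided by the client`, their comments should say that the caller must hold that lock for the whole iteration.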
diff --git a/contrib/bind9/lib/dns/include/dns/stats.h b/contrib/bind9/lib/dns/include/dns/stats.h
new file mode 100644
index 0000000..db94b52
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/stats.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stats.h,v 1.4.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_STATS_H
+#define DNS_STATS_H 1
+
+#include <dns/types.h>
+
+/*
+ * Query statistics counter types.
+ */
+typedef enum {
+ dns_statscounter_success = 0, /* Successful lookup */
+ dns_statscounter_referral = 1, /* Referral result */
+ dns_statscounter_nxrrset = 2, /* NXRRSET result */
+ dns_statscounter_nxdomain = 3, /* NXDOMAIN result */
+ dns_statscounter_recursion = 4, /* Recursion was used */
+ dns_statscounter_failure = 5 /* Some other failure */
+} dns_statscounter_t;
+
+#define DNS_STATS_NCOUNTERS 6
+
+LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
+/*
+ * Allocate an array of query statistics counters from the memory
+ * context 'mctx'.
+ */
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
+/*
+ * Free an array of query statistics counters allocated from the memory
+ * context 'mctx'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_STATS_H */
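Review bot: This header ends with `ISC_LANG_ENDDECLS` but never opens the block with `ISC_LANG_BEGINDECLS` and does not include `<isc/lang.h>`, unlike the sibling headers in this import. If those macros expand to the usual `extern "C"` braces under C++ (their definition is not in this hunk), a C++ translation unit that includes the header sees an unbalanced closing brace. Add `#include <isc/lang.h>` beside the `<dns/types.h>` include and put `ISC_LANG_BEGINDECLS` before the `dns_statscounter_names` declaration. `DNS_STATS_NCOUNTERS` is also kept in step with the enum by hand; a comment such as `/* must equal the number of dns_statscounter_t values */` would make that dependency explicit for anyone sizing or indexing the counter array.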
diff --git a/contrib/bind9/lib/dns/include/dns/tcpmsg.h b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
new file mode 100644
index 0000000..ae1d704
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/tcpmsg.h
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tcpmsg.h,v 1.15.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_TCPMSG_H
+#define DNS_TCPMSG_H 1
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+typedef struct dns_tcpmsg {
+ /* private (don't touch!) */
+ unsigned int magic;
+ isc_uint16_t size;
+ isc_buffer_t buffer;
+ unsigned int maxsize;
+ isc_mem_t *mctx;
+ isc_socket_t *sock;
+ isc_task_t *task;
+ isc_taskaction_t action;
+ void *arg;
+ isc_event_t event;
+ /* public (read-only) */
+ isc_result_t result;
+ isc_sockaddr_t address;
+} dns_tcpmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg);
+/*
+ * Associate a tcp message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ * "mctx" and "sock" be non-NULL and valid types.
+ *
+ * "sock" be a read/write TCP socket.
+ *
+ * "tcpmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ * "tcpmsg" is a valid structure.
+ */
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize);
+/*
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ * "tcpmsg" be valid.
+ *
+ * 512 <= "maxsize" <= 65536
+ */
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
+ isc_task_t *task, isc_taskaction_t action, void *arg);
+/*
+ * Schedule an event to be delivered when a DNS message is readable, or
+ * when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ * "tcpmsg" be valid.
+ *
+ * "task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- no error
+ * Anything that the isc_socket_recv() call can return. XXXMLG
+ *
+ * Notes:
+ *
+ * The event delivered is a fully generic event. It will contain no
+ * actual data. The sender will be a pointer to the dns_tcpmsg_t.
+ * The result code inside that structure should be checked to see
+ * what the final result was.
+ */
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg);
+/*
+ * Cancel a readmessage() call. The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ * "tcpmsg" be valid.
+ */
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer);
+/*
+ * If a dns buffer is to be kept between calls, this function marks the
+ * internal state-machine buffer as invalid, and copies all the contents
+ * of the state into "buffer".
+ *
+ * Requires:
+ *
+ * "tcpmsg" be valid.
+ *
+ * "buffer" be non-NULL.
+ */
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg);
+/*
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ * "tcpmsg" be valid.
+ *
+ * Ensures:
+ *
+ * "tcpmsg" is invalidated and disassociated with all memory contexts,
+ * sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TCPMSG_H */
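Review bot: The bound documented for dns_tcpmsg_setmaxsize, `512 <= "maxsize" <= 65536`, does not agree with the `isc_uint16_t size` field of dns_tcpmsg, which cannot hold more than 65535. Either write the bound as `512 <= "maxsize" <= 65535` or explain why 65536 is accepted. The comment on dns_tcpmsg_readmessage should also say which result is stored in the structure when the peer announces a message longer than `maxsize`, because that limit is the only control visible here on a length taken from the network. The same comment names a "taskaction" argument, while the parameter is called `action`.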
diff --git a/contrib/bind9/lib/dns/include/dns/time.h b/contrib/bind9/lib/dns/include/dns/time.h
new file mode 100644
index 0000000..0b82443
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/time.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: time.h,v 1.9.12.3 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_TIME_H
+#define DNS_TIME_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_time64_fromtext(const char *source, isc_int64_t *target);
+/*
+ * Convert a date and time in YYYYMMDDHHMMSS text format at 'source'
+ * into to a 64-bit count of seconds since Jan 1 1970 0:00 GMT.
+ * Store the count at 'target'.
+ */
+
+isc_result_t
+dns_time32_fromtext(const char *source, isc_uint32_t *target);
+/*
+ * Like dns_time64_fromtext, but returns the second count modulo 2^32
+ * as per RFC2535.
+ */
+
+
+isc_result_t
+dns_time64_totext(isc_int64_t value, isc_buffer_t *target);
+/*
+ * Convert a 64-bit count of seconds since Jan 1 1970 0:00 GMT into
+ * a YYYYMMDDHHMMSS text representation and append it to 'target'.
+ */
+
+isc_result_t
+dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
+/*
+ * Like dns_time64_totext, but for a 32-bit cyclic time value.
+ * Of those dates whose counts of seconds since Jan 1 1970 0:00 GMT
+ * are congruent with 'value' modulo 2^32, the one closest to the
+ * current date is chosen.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIME_H */
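Review bot: None of the four prototypes documents its preconditions or return values, so a caller cannot tell from this header what dns_time64_fromtext and dns_time32_fromtext return for a `source` that is too short, contains non-digits or has out-of-range fields, nor what the totext functions return when `target` is full. These converters handle signature timestamps, so the failure results should be listed in a `Requires:` / `Returns:` section like the ones in the neighbouring headers, after checking them against the implementation, which is outside this hunk. The comment on dns_time64_fromtext also reads `into to a 64-bit count`; drop the extra `to`.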
diff --git a/contrib/bind9/lib/dns/include/dns/timer.h b/contrib/bind9/lib/dns/include/dns/timer.h
new file mode 100644
index 0000000..36e2ac3
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/timer.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer.h,v 1.2.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_TIMER_H
+#define DNS_TIMER_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+ unsigned int idletime, isc_boolean_t purge);
+/*
+ * Convenience function for setting up simple, one-second-granularity
+ * idle timers as used by zone transfers.
+ *
+ * Set the timer 'timer' to go off after 'idletime' seconds of inactivity,
+ * or after 'maxtime' at the very latest. Events are purged iff
+ * 'purge' is ISC_TRUE.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TIMER_H */
diff --git a/contrib/bind9/lib/dns/include/dns/tkey.h b/contrib/bind9/lib/dns/include/dns/tkey.h
new file mode 100644
index 0000000..e5ca3b3
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/tkey.h
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tkey.h,v 1.18.206.1 2004/03/06 08:14:00 marka Exp $ */
+
+#ifndef DNS_TKEY_H
+#define DNS_TKEY_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+/* Key agreement modes */
+#define DNS_TKEYMODE_SERVERASSIGNED 1
+#define DNS_TKEYMODE_DIFFIEHELLMAN 2
+#define DNS_TKEYMODE_GSSAPI 3
+#define DNS_TKEYMODE_RESOLVERASSIGNED 4
+#define DNS_TKEYMODE_DELETE 5
+
+struct dns_tkeyctx {
+ dst_key_t *dhkey;
+ dns_name_t *domain;
+ void *gsscred;
+ isc_mem_t *mctx;
+ isc_entropy_t *ectx;
+};
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
+/*
+ * Create an empty TKEY context.
+ *
+ * Requires:
+ * 'mctx' is not NULL
+ * 'tctx' is not NULL
+ * '*tctx' is NULL
+ *
+ * Returns
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * return codes from dns_name_fromtext()
+ */
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp);
+/*
+ * Frees all data associated with the TKEY context
+ *
+ * Requires:
+ * 'tctx' is not NULL
+ * '*tctx' is not NULL
+ */
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+ dns_tsig_keyring_t *ring);
+/*
+ * Processes a query containing a TKEY record, adding or deleting TSIG
+ * keys if necessary, and modifies the message to contain the response.
+ *
+ * Requires:
+ * 'msg' is a valid message
+ * 'tctx' is a valid TKEY context
+ * 'ring' is a valid TSIG keyring
+ *
+ * Returns
+ * ISC_R_SUCCESS msg was updated (the TKEY operation succeeded,
+ * or msg now includes a TKEY with an error set)
+ * DNS_R_FORMERR the packet was malformed (missing a TKEY
+ * or KEY).
+ * other An error occurred while processing the message
+ */
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
+ dns_name_t *algorithm, isc_buffer_t *nonce,
+ isc_uint32_t lifetime);
+/*
+ * Builds a query containing a TKEY that will generate a shared
+ * secret using a Diffie-Hellman key exchange. The shared key
+ * will be of the specified algorithm (only DNS_TSIG_HMACMD5_NAME
+ * is supported), and will be named either 'name',
+ * 'name' + server chosen domain, or random data + server chosen domain
+ * if 'name' == dns_rootname. If nonce is not NULL, it supplies
+ * random data used in the shared secret computation. The key is
+ * requested to have the specified lifetime (in seconds)
+ *
+ *
+ * Requires:
+ * 'msg' is a valid message
+ * 'key' is a valid Diffie Hellman dst key
+ * 'name' is a valid name
+ * 'algorithm' is a valid name
+ *
+ * Returns:
+ * ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ * other an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
+ dns_name_t *gname, void *cred,
+ isc_uint32_t lifetime, void **context);
+/*
+ * XXX
+ */
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
+/*
+ * Builds a query containing a TKEY record that will delete the
+ * specified shared secret from the server.
+ *
+ * Requires:
+ * 'msg' is a valid message
+ * 'key' is a valid TSIG key
+ *
+ * Returns:
+ * ISC_R_SUCCESS msg was successfully updated to include the
+ * query to be sent
+ * other an error occurred while building the message
+ */
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dst_key_t *key, isc_buffer_t *nonce,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+/*
+ * Processes a response to a query containing a TKEY that was
+ * designed to generate a shared secret using a Diffie-Hellman key
+ * exchange. If the query was successful, a new shared key
+ * is created and added to the list of shared keys.
+ *
+ * Requires:
+ * 'qmsg' is a valid message (the query)
+ * 'rmsg' is a valid message (the response)
+ * 'key' is a valid Diffie Hellman dst key
+ * 'outkey' is either NULL or a pointer to NULL
+ * 'ring' is a valid keyring or NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS the shared key was successfully added
+ * ISC_R_NOTFOUND an error occurred while looking for a
+ * component of the query or response
+ */
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_name_t *gname, void *cred, void **context,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+/*
+ * XXX
+ */
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_tsig_keyring_t *ring);
+/*
+ * Processes a response to a query containing a TKEY that was
+ * designed to delete a shared secret. If the query was successful,
+ * the shared key is deleted from the list of shared keys.
+ *
+ * Requires:
+ * 'qmsg' is a valid message (the query)
+ * 'rmsg' is a valid message (the response)
+ * 'ring' is not NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS the shared key was successfully deleted
+ * ISC_R_NOTFOUND an error occurred while looking for a
+ * component of the query or response
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TKEY_H */
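Review bot: dns_tkey_buildgssquery and dns_tkey_processgssresponse are documented only as `XXX`, which leaves the contract for the untyped `void *cred` and `void **context` arguments unstated: who owns them, whether `*context` must be NULL on first use, and which results mean the negotiation is unfinished. These are key-establishment entry points, so each needs the same Requires/Returns comment the Diffie-Hellman functions have. The Requires clauses of dns_tkeyctx_create and dns_tkeyctx_destroy refer to `'tctx'` and `'*tctx'` although the parameter is `tctxp`, and nothing is said about whether `ectx` may be NULL; write them as `'tctxp' is not NULL` and `'*tctxp' is NULL` and add a line for `ectx`.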
diff --git a/contrib/bind9/lib/dns/include/dns/tsig.h b/contrib/bind9/lib/dns/include/dns/tsig.h
new file mode 100644
index 0000000..7b5b458
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/tsig.h
@@ -0,0 +1,242 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsig.h,v 1.40.2.2.8.3 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_TSIG_H
+#define DNS_TSIG_H 1
+
+#include <isc/lang.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/types.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+
+/*
+ * Algorithms.
+ */
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacmd5_name;
+#define DNS_TSIG_HMACMD5_NAME dns_tsig_hmacmd5_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapi_name;
+#define DNS_TSIG_GSSAPI_NAME dns_tsig_gssapi_name
+LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_gssapims_name;
+#define DNS_TSIG_GSSAPIMS_NAME dns_tsig_gssapims_name
+
+/*
+ * Default fudge value.
+ */
+#define DNS_TSIG_FUDGE 300
+
+struct dns_tsig_keyring {
+ dns_rbt_t *keys;
+ isc_rwlock_t lock;
+ isc_mem_t *mctx;
+};
+
+struct dns_tsigkey {
+ /* Unlocked */
+ unsigned int magic; /* Magic number. */
+ isc_mem_t *mctx;
+ dst_key_t *key; /* Key */
+ dns_name_t name; /* Key name */
+ dns_name_t *algorithm; /* Algorithm name */
+ dns_name_t *creator; /* name that created secret */
+ isc_boolean_t generated; /* was this generated? */
+ isc_stdtime_t inception; /* start of validity period */
+ isc_stdtime_t expire; /* end of validity period */
+ dns_tsig_keyring_t *ring; /* the enclosing keyring */
+ isc_refcount_t refs; /* reference counter */
+};
+
+#define dns_tsigkey_identity(tsigkey) \
+ ((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+ unsigned char *secret, int length, isc_boolean_t generated,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
+ dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+
+isc_result_t
+dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+ dst_key_t *dstkey, isc_boolean_t generated,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
+ dns_tsig_keyring_t *ring, dns_tsigkey_t **key);
+/*
+ * Creates a tsig key structure and saves it in the keyring. If key is
+ * not NULL, *key will contain a copy of the key. The keys validity
+ * period is specified by (inception, expire), and will not expire if
+ * inception == expire. If the key was generated, the creating identity,
+ * if there is one, should be in the creator parameter. Specifying an
+ * unimplemented algorithm will cause failure only if dstkey != NULL; this
+ * allows a transient key with an invalid algorithm to exist long enough
+ * to generate a BADKEY response.
+ *
+ * Requires:
+ * 'name' is a valid dns_name_t
+ * 'algorithm' is a valid dns_name_t
+ * 'secret' is a valid pointer
+ * 'length' is an integer >= 0
+ * 'key' is a valid dst key or NULL
+ * 'creator' points to a valid dns_name_t or is NULL
+ * 'mctx' is a valid memory context
+ * 'ring' is a valid TSIG keyring or NULL
+ * 'key' or '*key' must be NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_EXISTS - a key with this name already exists
+ * ISC_R_NOTIMPLEMENTED - algorithm is not implemented
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ * 'key' is a valid TSIG key
+ *
+ * Ensures:
+ * *targetp is attached to source.
+ */
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp);
+/*
+ * Detaches from the tsig key structure pointed to by '*key'.
+ *
+ * Requires:
+ * 'keyp' is not NULL and '*keyp' is a valid TSIG key
+ *
+ * Ensures:
+ * 'keyp' points to NULL
+ */
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key);
+/*
+ * Prevents this key from being used again. It will be deleted when
+ * no references exist.
+ *
+ * Requires:
+ * 'key' is a valid TSIG key on a keyring
+ */
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg);
+/*
+ * Generates a TSIG record for this message
+ *
+ * Requires:
+ * 'msg' is a valid message
+ * 'msg->tsigkey' is a valid TSIG key
+ * 'msg->tsig' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOSPACE
+ * DNS_R_EXPECTEDTSIG
+ * - this is a response & msg->querytsig is NULL
+ */
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2);
+/*
+ * Verifies the TSIG record in this message
+ *
+ * Requires:
+ * 'source' is a valid buffer containing the unparsed message
+ * 'msg' is a valid message
+ * 'msg->tsigkey' is a valid TSIG key if this is a response
+ * 'msg->tsig' is NULL
+ * 'msg->querytsig' is not NULL if this is a response
+ * 'ring1' and 'ring2' are each either a valid keyring or NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * DNS_R_EXPECTEDTSIG - A TSIG was expected but not seen
+ * DNS_R_UNEXPECTEDTSIG - A TSIG was seen but not expected
+ * DNS_R_TSIGERRORSET - the TSIG verified but ->error was set
+ * and this is a query
+ * DNS_R_CLOCKSKEW - the TSIG failed to verify because of
+ * the time was out of the allowed range.
+ * DNS_R_TSIGVERIFYFAILURE - the TSIG failed to verify
+ * DNS_R_EXPECTEDRESPONSE - the message was set over TCP and
+ * should have been a response,
+ * but was not.
+ */
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
+ dns_name_t *algorithm, dns_tsig_keyring_t *ring);
+/*
+ * Returns the TSIG key corresponding to this name and (possibly)
+ * algorithm. Also increments the key's reference counter.
+ *
+ * Requires:
+ * 'tsigkey' is not NULL
+ * '*tsigkey' is NULL
+ * 'name' is a valid dns_name_t
+ * 'algorithm' is a valid dns_name_t or NULL
+ * 'ring' is a valid keyring
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ */
+
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp);
+/*
+ * Create an empty TSIG key ring.
+ *
+ * Requires:
+ * 'mctx' is not NULL
+ * 'ringp' is not NULL, and '*ringp' is NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+
+void
+dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp);
+/*
+ * Destroy a TSIG key ring.
+ *
+ * Requires:
+ * 'ringp' is not NULL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TSIG_H */
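Review bot: Several Requires clauses name parameters that the prototypes do not have, which makes the key-handling contract ambiguous. For dns_tsigkey_create and dns_tsigkey_createfromkey the line `'key' is a valid dst key or NULL` describes `dstkey`, and it is followed by `'key' or '*key' must be NULL` for the output pointer; dns_tsigkey_attach requires `'key'` although its parameters are `source` and `targetp`, and dns_tsigkey_detach speaks of `'*key'` instead of `'*keyp'`. The shared comment should also say which of `secret`/`length` and `dstkey` applies to which function. `DNS_TSIG_FUDGE 300` carries no unit; `/* Default fudge value, in seconds. */` would state it. In the dns_tsig_verify results, `the message was set over TCP` should read `sent`.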
diff --git a/contrib/bind9/lib/dns/include/dns/ttl.h b/contrib/bind9/lib/dns/include/dns/ttl.h
new file mode 100644
index 0000000..dc7167d
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/ttl.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ttl.h,v 1.12.206.1 2004/03/06 08:14:01 marka Exp $ */
+
+#ifndef DNS_TTL_H
+#define DNS_TTL_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose,
+ isc_buffer_t *target);
+/*
+ * Output a TTL or other time interval in a human-readable form.
+ * The time interval is given as a count of seconds in 'src'.
+ * The text representation is appended to 'target'.
+ *
+ * If 'verbose' is ISC_FALSE, use the terse BIND 8 style, like "1w2d3h4m5s".
+ *
+ * If 'verbose' is ISC_TRUE, use a verbose style like the SOA comments
+ * in "dig", like "1 week 2 days 3 hours 4 minutes 5 seconds".
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE
+ */
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
+/*
+ * Converts a counter from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_SYNTAX
+ */
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl);
+/*
+ * Converts a ttl from either a plain number or a BIND 8 style value.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_BADTTL
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_TTL_H */
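Review bot: The comments under `dns_counter_fromtext()` and `dns_ttl_fromtext()` list return codes only and never say how input that does not fit in the `isc_uint32_t` result is handled. Both functions parse caller-supplied text, so whether an oversized value is rejected or wraps is part of the contract a caller relies on. I would add a line to each comment, for example `* A value that does not fit in 32 bits is rejected with DNS_R_BADTTL.`, adjusted to whatever the implementation does, which is not part of this hunk. A `Requires:` section naming `source` and the output pointer would match the style of the other headers in this import. The output parameter of `dns_counter_fromtext()` is also named `ttl` although it receives a counter.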
diff --git a/contrib/bind9/lib/dns/include/dns/types.h b/contrib/bind9/lib/dns/include/dns/types.h
new file mode 100644
index 0000000..2bad7ea
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/types.h
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.103.12.7 2004/03/08 09:04:39 marka Exp $ */
+
+#ifndef DNS_TYPES_H
+#define DNS_TYPES_H 1
+
+/*
+ * Including this file gives you type declarations suitable for use in
+ * .h files, which lets us avoid circular type reference problems.
+ *
+ * To actually use a type or get declarations of its methods, you must
+ * include the appropriate .h file too.
+ */
+
+#include <isc/types.h>
+
+typedef struct dns_acl dns_acl_t;
+typedef struct dns_aclelement dns_aclelement_t;
+typedef struct dns_aclenv dns_aclenv_t;
+typedef struct dns_adb dns_adb_t;
+typedef struct dns_adbaddrinfo dns_adbaddrinfo_t;
+typedef ISC_LIST(dns_adbaddrinfo_t) dns_adbaddrinfolist_t;
+typedef struct dns_adbentry dns_adbentry_t;
+typedef struct dns_adbfind dns_adbfind_t;
+typedef ISC_LIST(dns_adbfind_t) dns_adbfindlist_t;
+typedef struct dns_byaddr dns_byaddr_t;
+typedef struct dns_cache dns_cache_t;
+typedef isc_uint16_t dns_cert_t;
+typedef struct dns_compress dns_compress_t;
+typedef struct dns_db dns_db_t;
+typedef struct dns_dbimplementation dns_dbimplementation_t;
+typedef struct dns_dbiterator dns_dbiterator_t;
+typedef void dns_dbload_t;
+typedef void dns_dbnode_t;
+typedef struct dns_dbtable dns_dbtable_t;
+typedef void dns_dbversion_t;
+typedef struct dns_decompress dns_decompress_t;
+typedef struct dns_dispatch dns_dispatch_t;
+typedef struct dns_dispatchevent dns_dispatchevent_t;
+typedef struct dns_dispatchlist dns_dispatchlist_t;
+typedef struct dns_dispatchmgr dns_dispatchmgr_t;
+typedef struct dns_dispentry dns_dispentry_t;
+typedef struct dns_dumpctx dns_dumpctx_t;
+typedef struct dns_fetch dns_fetch_t;
+typedef struct dns_fixedname dns_fixedname_t;
+typedef struct dns_forwarders dns_forwarders_t;
+typedef struct dns_fwdtable dns_fwdtable_t;
+typedef isc_uint16_t dns_keyflags_t;
+typedef struct dns_keynode dns_keynode_t;
+typedef struct dns_keytable dns_keytable_t;
+typedef isc_uint16_t dns_keytag_t;
+typedef struct dns_loadctx dns_loadctx_t;
+typedef struct dns_loadmgr dns_loadmgr_t;
+typedef struct dns_message dns_message_t;
+typedef isc_uint16_t dns_messageid_t;
+typedef isc_region_t dns_label_t;
+typedef struct dns_lookup dns_lookup_t;
+typedef struct dns_name dns_name_t;
+typedef ISC_LIST(dns_name_t) dns_namelist_t;
+typedef isc_uint16_t dns_opcode_t;
+typedef unsigned char dns_offsets_t[128];
+typedef struct dns_order dns_order_t;
+typedef struct dns_peer dns_peer_t;
+typedef struct dns_peerlist dns_peerlist_t;
+typedef struct dns_portlist dns_portlist_t;
+typedef struct dns_rbt dns_rbt_t;
+typedef isc_uint16_t dns_rcode_t;
+typedef struct dns_rdata dns_rdata_t;
+typedef struct dns_rdatacallbacks dns_rdatacallbacks_t;
+typedef isc_uint16_t dns_rdataclass_t;
+typedef struct dns_rdatalist dns_rdatalist_t;
+typedef struct dns_rdataset dns_rdataset_t;
+typedef ISC_LIST(dns_rdataset_t) dns_rdatasetlist_t;
+typedef struct dns_rdatasetiter dns_rdatasetiter_t;
+typedef isc_uint16_t dns_rdatatype_t;
+typedef struct dns_request dns_request_t;
+typedef struct dns_requestmgr dns_requestmgr_t;
+typedef struct dns_resolver dns_resolver_t;
+typedef struct dns_sdbimplementation dns_sdbimplementation_t;
+typedef isc_uint8_t dns_secalg_t;
+typedef isc_uint8_t dns_secproto_t;
+typedef struct dns_signature dns_signature_t;
+typedef struct dns_ssurule dns_ssurule_t;
+typedef struct dns_ssutable dns_ssutable_t;
+typedef struct dns_tkeyctx dns_tkeyctx_t;
+typedef isc_uint16_t dns_trust_t;
+typedef struct dns_tsig_keyring dns_tsig_keyring_t;
+typedef struct dns_tsigkey dns_tsigkey_t;
+typedef isc_uint32_t dns_ttl_t;
+typedef struct dns_validator dns_validator_t;
+typedef struct dns_view dns_view_t;
+typedef ISC_LIST(dns_view_t) dns_viewlist_t;
+typedef struct dns_zone dns_zone_t;
+typedef ISC_LIST(dns_zone_t) dns_zonelist_t;
+typedef struct dns_zonemgr dns_zonemgr_t;
+typedef struct dns_zt dns_zt_t;
+
+typedef enum {
+ dns_fwdpolicy_none = 0,
+ dns_fwdpolicy_first = 1,
+ dns_fwdpolicy_only = 2
+} dns_fwdpolicy_t;
+
+typedef enum {
+ dns_namereln_none = 0,
+ dns_namereln_contains = 1,
+ dns_namereln_subdomain = 2,
+ dns_namereln_equal = 3,
+ dns_namereln_commonancestor = 4
+} dns_namereln_t;
+
+typedef enum {
+ dns_one_answer, dns_many_answers
+} dns_transfer_format_t;
+
+typedef enum {
+ dns_dbtype_zone = 0, dns_dbtype_cache = 1, dns_dbtype_stub = 3
+} dns_dbtype_t;
+
+typedef enum {
+ dns_notifytype_no = 0,
+ dns_notifytype_yes = 1,
+ dns_notifytype_explicit = 2
+} dns_notifytype_t;
+
+typedef enum {
+ dns_dialuptype_no = 0,
+ dns_dialuptype_yes = 1,
+ dns_dialuptype_notify = 2,
+ dns_dialuptype_notifypassive = 3,
+ dns_dialuptype_refresh = 4,
+ dns_dialuptype_passive = 5
+} dns_dialuptype_t;
+
+/*
+ * These are generated by gen.c.
+ */
+#include <dns/enumtype.h> /* Provides dns_rdatatype_t. */
+#include <dns/enumclass.h> /* Provides dns_rdataclass_t. */
+
+/*
+ * rcodes.
+ */
+enum {
+ /*
+ * Standard rcodes.
+ */
+ dns_rcode_noerror = 0,
+#define dns_rcode_noerror ((dns_rcode_t)dns_rcode_noerror)
+ dns_rcode_formerr = 1,
+#define dns_rcode_formerr ((dns_rcode_t)dns_rcode_formerr)
+ dns_rcode_servfail = 2,
+#define dns_rcode_servfail ((dns_rcode_t)dns_rcode_servfail)
+ dns_rcode_nxdomain = 3,
+#define dns_rcode_nxdomain ((dns_rcode_t)dns_rcode_nxdomain)
+ dns_rcode_notimp = 4,
+#define dns_rcode_notimp ((dns_rcode_t)dns_rcode_notimp)
+ dns_rcode_refused = 5,
+#define dns_rcode_refused ((dns_rcode_t)dns_rcode_refused)
+ dns_rcode_yxdomain = 6,
+#define dns_rcode_yxdomain ((dns_rcode_t)dns_rcode_yxdomain)
+ dns_rcode_yxrrset = 7,
+#define dns_rcode_yxrrset ((dns_rcode_t)dns_rcode_yxrrset)
+ dns_rcode_nxrrset = 8,
+#define dns_rcode_nxrrset ((dns_rcode_t)dns_rcode_nxrrset)
+ dns_rcode_notauth = 9,
+#define dns_rcode_notauth ((dns_rcode_t)dns_rcode_notauth)
+ dns_rcode_notzone = 10,
+#define dns_rcode_notzone ((dns_rcode_t)dns_rcode_notzone)
+ /*
+ * Extended rcodes.
+ */
+ dns_rcode_badvers = 16
+#define dns_rcode_badvers ((dns_rcode_t)dns_rcode_badvers)
+};
+
+/*
+ * TSIG errors.
+ */
+enum {
+ dns_tsigerror_badsig = 16,
+ dns_tsigerror_badkey = 17,
+ dns_tsigerror_badtime = 18,
+ dns_tsigerror_badmode = 19,
+ dns_tsigerror_badname = 20,
+ dns_tsigerror_badalg = 21
+};
+
+/*
+ * Opcodes.
+ */
+enum {
+ dns_opcode_query = 0,
+#define dns_opcode_query ((dns_opcode_t)dns_opcode_query)
+ dns_opcode_iquery = 1,
+#define dns_opcode_iquery ((dns_opcode_t)dns_opcode_iquery)
+ dns_opcode_status = 2,
+#define dns_opcode_status ((dns_opcode_t)dns_opcode_status)
+ dns_opcode_notify = 4,
+#define dns_opcode_notify ((dns_opcode_t)dns_opcode_notify)
+ dns_opcode_update = 5 /* dynamic update */
+#define dns_opcode_update ((dns_opcode_t)dns_opcode_update)
+};
+
+/*
+ * Trust levels. Must be kept in sync with trustnames[] in masterdump.c.
+ */
+enum {
+ /* Sentinel value; no data should have this trust level. */
+ dns_trust_none = 0,
+#define dns_trust_none ((dns_trust_t)dns_trust_none)
+
+ /* Subject to DNSSEC validation but has not yet been validated */
+ dns_trust_pending = 1,
+#define dns_trust_pending ((dns_trust_t)dns_trust_pending)
+
+ /* Received in the additional section of a response. */
+ dns_trust_additional = 2,
+#define dns_trust_additional ((dns_trust_t)dns_trust_additional)
+
+ /* Received in a referral response. */
+ dns_trust_glue = 3,
+#define dns_trust_glue ((dns_trust_t)dns_trust_glue)
+
+ /* Answser from a non-authoritative server */
+ dns_trust_answer = 4,
+#define dns_trust_answer ((dns_trust_t)dns_trust_answer)
+
+ /* Received in the authority section as part of an
+ authoritative response */
+ dns_trust_authauthority = 5,
+#define dns_trust_authauthority ((dns_trust_t)dns_trust_authauthority)
+
+ /* Answser from an authoritative server */
+ dns_trust_authanswer = 6,
+#define dns_trust_authanswer ((dns_trust_t)dns_trust_authanswer)
+
+ /* Successfully DNSSEC validated */
+ dns_trust_secure = 7,
+#define dns_trust_secure ((dns_trust_t)dns_trust_secure)
+
+ /* This server is authoritative */
+ dns_trust_ultimate = 8
+#define dns_trust_ultimate ((dns_trust_t)dns_trust_ultimate)
+};
+
+/*
+ * Name checking severites.
+ */
+typedef enum {
+ dns_severity_ignore,
+ dns_severity_warn,
+ dns_severity_fail
+} dns_severity_t;
+
+/*
+ * Functions.
+ */
+typedef void
+(*dns_dumpdonefunc_t)(void *, isc_result_t);
+
+typedef void
+(*dns_loaddonefunc_t)(void *, isc_result_t);
+
+typedef isc_result_t
+(*dns_addrdatasetfunc_t)(void *, dns_name_t *, dns_rdataset_t *);
+
+typedef isc_result_t
+(*dns_additionaldatafunc_t)(void *, dns_name_t *, dns_rdatatype_t);
+
+typedef isc_result_t
+(*dns_digestfunc_t)(void *, isc_region_t *);
+
+typedef void
+(*dns_xfrindone_t)(dns_zone_t *, isc_result_t);
+
+typedef void
+(*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
+
+typedef int
+(*dns_rdatasetorderfunc_t)(dns_rdata_t *rdata, void *arg);
+
+#endif /* DNS_TYPES_H */
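Review bot: In the `TSIG errors` enum, `dns_tsigerror_badsig = 16` has the same numeric value as `dns_rcode_badvers = 16` in the rcode enum just above, and nothing in the header says so. A reader decoding an error value has to know which field it came from before mapping it to a name. I would add a comment above the TSIG enum such as `/* TSIG errors extend the rcode number space; 16 is BADSIG here and BADVERS as an extended rcode. */`. The TSIG enumerators also lack the `#define name ((dns_rcode_t)name)` casts that the rcode, opcode and trust enums carry, so they are plain `int` constants; if that is deliberate, the same comment should say so.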
diff --git a/contrib/bind9/lib/dns/include/dns/validator.h b/contrib/bind9/lib/dns/include/dns/validator.h
new file mode 100644
index 0000000..c405fbb
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/validator.h
@@ -0,0 +1,201 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: validator.h,v 1.18.12.7 2004/05/14 05:06:41 marka Exp $ */
+
+#ifndef DNS_VALIDATOR_H
+#define DNS_VALIDATOR_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Validator
+ *
+ * XXX <TBS> XXX
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFCs: 1034, 1035, 2181, 2535, <TBS>
+ * Drafts: <TBS>
+ */
+
+#include <isc/lang.h>
+#include <isc/event.h>
+#include <isc/mutex.h>
+
+#include <dns/fixedname.h>
+#include <dns/types.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
+
+#include <dst/dst.h>
+
+/*
+ * A dns_validatorevent_t is sent when a 'validation' completes.
+ *
+ * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
+ * supplied when dns_validator_create() was called. They are returned to the
+ * caller so that they may be freed.
+ */
+typedef struct dns_validatorevent {
+ ISC_EVENT_COMMON(struct dns_validatorevent);
+ dns_validator_t * validator;
+ isc_result_t result;
+ dns_name_t * name;
+ dns_rdatatype_t type;
+ dns_rdataset_t * rdataset;
+ dns_rdataset_t * sigrdataset;
+ dns_message_t * message;
+ dns_name_t * proofs[3];
+} dns_validatorevent_t;
+
+#define DNS_VALIDATOR_NOQNAMEPROOF 0
+#define DNS_VALIDATOR_NODATAPROOF 1
+#define DNS_VALIDATOR_NOWILDCARDPROOF 2
+
+/*
+ * A validator object represents a validation in procgress.
+ *
+ * Clients are strongly discouraged from using this type directly, with
+ * the exception of the 'link' field, which may be used directly for
+ * whatever purpose the client desires.
+ */
+struct dns_validator {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mutex_t lock;
+ dns_view_t * view;
+ /* Locked by lock. */
+ unsigned int options;
+ unsigned int attributes;
+ dns_validatorevent_t * event;
+ dns_fetch_t * fetch;
+ dns_validator_t * subvalidator;
+ dns_validator_t * parent;
+ dns_keytable_t * keytable;
+ dns_keynode_t * keynode;
+ dst_key_t * key;
+ dns_rdata_rrsig_t * siginfo;
+ isc_task_t * task;
+ isc_taskaction_t action;
+ void * arg;
+ unsigned int labels;
+ dns_rdataset_t * currentset;
+ isc_boolean_t seensig;
+ dns_rdataset_t * keyset;
+ dns_rdataset_t * dsset;
+ dns_rdataset_t * soaset;
+ dns_rdataset_t * nsecset;
+ dns_name_t * soaname;
+ dns_rdataset_t frdataset;
+ dns_rdataset_t fsigrdataset;
+ dns_fixedname_t fname;
+ dns_fixedname_t wild;
+ ISC_LINK(dns_validator_t) link;
+ dns_rdataset_t * dlv;
+ dns_fixedname_t dlvsep;
+ isc_boolean_t havedlvsep;
+ isc_boolean_t mustbesecure;
+};
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_message_t *message, unsigned int options,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_validator_t **validatorp);
+/*
+ * Start a DNSSEC validation.
+ *
+ * This validates a response to the question given by
+ * 'name' and 'type'.
+ *
+ * To validate a positive response, the response data is
+ * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset'
+ * is NULL, the data is presumed insecure and an attempt
+ * is made to prove its insecurity by finding the appropriate
+ * null key.
+ *
+ * The complete response message may be given in 'message',
+ * to make available any authority section NSECs that may be
+ * needed for validation of a response resulting from a
+ * wildcard expansion (though no such wildcard validation
+ * is implemented yet). If the complete response message
+ * is not available, 'message' is NULL.
+ *
+ * To validate a negative response, the complete negative response
+ * message is given in 'message'. The 'rdataset', and
+ * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
+ * arguments must be provided.
+ *
+ * The validation is performed in the context of 'view'.
+ * 'options' must be zero.
+ *
+ * When the validation finishes, a dns_validatorevent_t with
+ * the given 'action' and 'arg' are sent to 'task'.
+ * Its 'result' field will be ISC_R_SUCCESS iff the
+ * response was successfully proven to be either secure or
+ * part of a known insecure domain.
+ */
+
+void
+dns_validator_cancel(dns_validator_t *validator);
+/*
+ * Cancel a DNSSEC validation in progress.
+ *
+ * Requires:
+ * 'validator' points to a valid DNSSEC validator, which
+ * may or may not already have completed.
+ *
+ * Ensures:
+ * It the validator has not already sent its completion
+ * event, it will send it with result code ISC_R_CANCELED.
+ */
+
+void
+dns_validator_destroy(dns_validator_t **validatorp);
+/*
+ * Destroy a DNSSEC validator.
+ *
+ * Requires:
+ * '*validatorp' points to a valid DNSSEC validator.
+ * The validator must have completed and sent its completion
+ * event.
+ *
+ * Ensures:
+ * All resources used by the validator are freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_VALIDATOR_H */
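Review bot: The comment under `dns_validator_create()` has no `Requires:` or `Returns:` section, unlike `dns_validator_cancel()` and `dns_validator_destroy()` in the same header, so the pointer contract is scattered through prose. It says when `sigrdataset` and `message` may be NULL, but not whether `*validatorp` must be NULL on entry, which result codes the call can return, or how long the caller must keep `name`, `rdataset`, `sigrdataset` and `message` alive. The event comment says those four are returned "so that they may be freed", which suggests they must stay valid until the completion event arrives. That lifetime rule should be stated as a requirement, e.g. `* 'name', 'rdataset', 'sigrdataset' and 'message' remain valid until the completion event is delivered.` The module block still reads `XXX <TBS> XXX` with `Security: No anticipated impact`, which is placeholder text for the DNSSEC validation module.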
diff --git a/contrib/bind9/lib/dns/include/dns/version.h b/contrib/bind9/lib/dns/include/dns/version.h
new file mode 100644
index 0000000..28c83be
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.224.3 2004/03/08 09:04:40 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBDNS_EXTERNAL_DATA extern const char dns_version[];
+
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
+LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
diff --git a/contrib/bind9/lib/dns/include/dns/view.h b/contrib/bind9/lib/dns/include/dns/view.h
new file mode 100644
index 0000000..a3cd935
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/view.h
@@ -0,0 +1,789 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: view.h,v 1.73.2.4.2.12 2004/03/10 02:55:58 marka Exp $ */
+
+#ifndef DNS_VIEW_H
+#define DNS_VIEW_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS View
+ *
+ * A "view" is a DNS namespace, together with an optional resolver and a
+ * forwarding policy. A "DNS namespace" is a (possibly empty) set of
+ * authoritative zones together with an optional cache and optional
+ * "hints" information.
+ *
+ * Views start out "unfrozen". In this state, core attributes like
+ * the cache, set of zones, and forwarding policy may be set. While
+ * "unfrozen", the caller (e.g. nameserver configuration loading
+ * code), must ensure exclusive access to the view. When the view is
+ * "frozen", the core attributes become immutable, and the view module
+ * will ensure synchronization. Freezing allows the view's core attributes
+ * to be accessed without locking.
+ *
+ * MP:
+ * Before the view is frozen, the caller must ensure synchronization.
+ *
+ * After the view is frozen, the module guarantees appropriate
+ * synchronization of any data structures it creates and manipulates.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/event.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/stdtime.h>
+
+#include <dns/acl.h>
+#include <dns/fixedname.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct dns_view {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ dns_rdataclass_t rdclass;
+ char * name;
+ dns_zt_t * zonetable;
+ dns_resolver_t * resolver;
+ dns_adb_t * adb;
+ dns_requestmgr_t * requestmgr;
+ dns_cache_t * cache;
+ dns_db_t * cachedb;
+ dns_db_t * hints;
+ dns_keytable_t * secroots;
+ dns_keytable_t * trustedkeys;
+ isc_mutex_t lock;
+ isc_boolean_t frozen;
+ isc_task_t * task;
+ isc_event_t resevent;
+ isc_event_t adbevent;
+ isc_event_t reqevent;
+ /* Configurable data. */
+ dns_tsig_keyring_t * statickeys;
+ dns_tsig_keyring_t * dynamickeys;
+ dns_peerlist_t * peers;
+ dns_order_t * order;
+ dns_fwdtable_t * fwdtable;
+ isc_boolean_t recursion;
+ isc_boolean_t auth_nxdomain;
+ isc_boolean_t additionalfromcache;
+ isc_boolean_t additionalfromauth;
+ isc_boolean_t minimalresponses;
+ isc_boolean_t enablednssec;
+ dns_transfer_format_t transfer_format;
+ dns_acl_t * queryacl;
+ dns_acl_t * recursionacl;
+ dns_acl_t * sortlist;
+ isc_boolean_t requestixfr;
+ isc_boolean_t provideixfr;
+ dns_ttl_t maxcachettl;
+ dns_ttl_t maxncachettl;
+ in_port_t dstport;
+ dns_aclenv_t aclenv;
+ dns_rdatatype_t preferred_glue;
+ isc_boolean_t flush;
+ dns_namelist_t * delonly;
+ isc_boolean_t rootdelonly;
+ dns_namelist_t * rootexclude;
+ isc_boolean_t checknames;
+ dns_name_t * dlv;
+ dns_fixedname_t dlv_fixed;
+
+ /*
+ * Configurable data for server use only,
+ * locked by server configuration lock.
+ */
+ dns_acl_t * matchclients;
+ dns_acl_t * matchdestinations;
+ isc_boolean_t matchrecursiveonly;
+
+ /* Locked by themselves. */
+ isc_refcount_t references;
+
+ /* Locked by lock. */
+ unsigned int weakrefs;
+ unsigned int attributes;
+ /* Under owner's locking control. */
+ ISC_LINK(struct dns_view) link;
+};
+
+#define DNS_VIEW_MAGIC ISC_MAGIC('V','i','e','w')
+#define DNS_VIEW_VALID(view) ISC_MAGIC_VALID(view, DNS_VIEW_MAGIC)
+
+#define DNS_VIEWATTR_RESSHUTDOWN 0x01
+#define DNS_VIEWATTR_ADBSHUTDOWN 0x02
+#define DNS_VIEWATTR_REQSHUTDOWN 0x04
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ const char *name, dns_view_t **viewp);
+/*
+ * Create a view.
+ *
+ * Notes:
+ *
+ * The newly created view has no cache, no resolver, and an empty
+ * zone table. The view is not frozen.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * 'rdclass' is a valid class.
+ *
+ * 'name' is a valid C string.
+ *
+ * viewp != NULL && *viewp == NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Other errors are possible.
+ */
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp);
+/*
+ * Attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * 'source' is a valid, frozen view.
+ *
+ * 'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ *
+ * While *targetp is attached, the view will not shut down.
+ */
+
+void
+dns_view_detach(dns_view_t **viewp);
+/*
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ * 'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ * *viewp is NULL.
+ */
+
+void
+dns_view_flushanddetach(dns_view_t **viewp);
+/*
+ * Detach '*viewp' from its view. If this was the last reference
+ * uncommited changed in zones will be flushed to disk.
+ *
+ * Requires:
+ *
+ * 'viewp' points to a valid dns_view_t *
+ *
+ * Ensures:
+ *
+ * *viewp is NULL.
+ */
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp);
+/*
+ * Weakly attach '*targetp' to 'source'.
+ *
+ * Requires:
+ *
+ * 'source' is a valid, frozen view.
+ *
+ * 'targetp' points to a NULL dns_view_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ *
+ * While *targetp is attached, the view will not be freed.
+ */
+
+void
+dns_view_weakdetach(dns_view_t **targetp);
+/*
+ * Detach '*viewp' from its view.
+ *
+ * Requires:
+ *
+ * 'viewp' points to a valid dns_view_t *.
+ *
+ * Ensures:
+ *
+ * *viewp is NULL.
+ */
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view,
+ isc_taskmgr_t *taskmgr, unsigned int ntasks,
+ isc_socketmgr_t *socketmgr,
+ isc_timermgr_t *timermgr,
+ unsigned int options,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4,
+ dns_dispatch_t *dispatchv6);
+/*
+ * Create a resolver and address database for the view.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view.
+ *
+ * 'view' does not have a resolver already.
+ *
+ * The requirements of dns_resolver_create() apply to 'taskmgr',
+ * 'ntasks', 'socketmgr', 'timermgr', 'options', 'dispatchv4', and
+ * 'dispatchv6'.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ *
+ * Any error that dns_resolver_create() can return.
+ */
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache);
+/*
+ * Set the view's cache database.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view.
+ *
+ * 'cache' is a valid cache.
+ *
+ * Ensures:
+ *
+ * The cache of 'view' is 'cached.
+ *
+ * If this is not the first call to dns_view_setcache() for this
+ * view, then previously set cache is detached.
+ */
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints);
+/*
+ * Set the view's hints database.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view, whose hints database has not been
+ * set.
+ *
+ * 'hints' is a valid zone database.
+ *
+ * Ensures:
+ *
+ * The hints database of 'view' is 'hints'.
+ */
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring);
+/*
+ * Set the view's static TSIG keys
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view, whose static TSIG keyring has not
+ * been set.
+ *
+ * 'ring' is a valid TSIG keyring
+ *
+ * Ensures:
+ *
+ * The static TSIG keyring of 'view' is 'ring'.
+ */
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport);
+/*
+ * Set the view's destination port. This is the port to
+ * which outgoing queries are sent. The default is 53,
+ * the standard DNS port.
+ *
+ * Requires:
+ *
+ * 'view' is a valid view.
+ *
+ * 'dstport' is a valid TCP/UDP port number.
+ *
+ * Ensures:
+ * External name servers will be assumed to be listning
+ * on 'dstport'. For servers whose address has already
+ * obtained obtained at the time of the call, the view may
+ * continue to use the previously set port until the address
+ * times out from the view's address database.
+ */
+
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone);
+/*
+ * Add zone 'zone' to 'view'.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view.
+ *
+ * 'zone' is a valid zone.
+ */
+
+void
+dns_view_freeze(dns_view_t *view);
+/*
+ * Freeze view.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, unfrozen view.
+ *
+ * Ensures:
+ *
+ * 'view' is frozen.
+ */
+
+isc_result_t
+dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
+ dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ * See the description of dns_db_find() for information about 'options'.
+ * If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ * and 'type' are appropriate for glue retrieval.
+ *
+ * If 'now' is zero, then the current time will be used.
+ *
+ * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ * it will be searched last. If the answer is found in the hints
+ * database, the result code will be DNS_R_HINT. If the name is found
+ * in the hints database but not the type, the result code will be
+ * DNS_R_HINTNXRRSET.
+ *
+ * 'foundname' must meet the requirements of dns_db_find().
+ *
+ * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ * covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, frozen view.
+ *
+ * 'name' is valid name.
+ *
+ * 'type' is a valid dns_rdatatype_t, and is not a meta query type
+ * except dns_rdatatype_any.
+ *
+ * dbp == NULL || *dbp == NULL
+ *
+ * nodep == NULL || *nodep == NULL. If nodep != NULL, dbp != NULL.
+ *
+ * 'foundname' is a valid name with a dedicated buffer or NULL.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ * In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ * bound to the found data.
+ *
+ * If dbp != NULL, it points to the database containing the data.
+ *
+ * If nodep != NULL, it points to the database node containing the data.
+ *
+ * If foundname != NULL, it contains the full name of the found data.
+ *
+ * Returns:
+ *
+ * Any result that dns_db_find() can return, with the exception of
+ * DNS_R_DELEGATION.
+ */
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ *
+ * Notes:
+ *
+ * This routine is appropriate for simple, exact-match queries of the
+ * view. 'name' must be a canonical name; there is no DNAME or CNAME
+ * processing.
+ *
+ * See the description of dns_db_find() for information about 'options'.
+ * If the caller sets DNS_DBFIND_GLUEOK, it must ensure that 'name'
+ * and 'type' are appropriate for glue retrieval.
+ *
+ * If 'now' is zero, then the current time will be used.
+ *
+ * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ * it will be searched last. If the answer is found in the hints
+ * database, the result code will be DNS_R_HINT. If the name is found
+ * in the hints database but not the type, the result code will be
+ * DNS_R_HINTNXRRSET.
+ *
+ * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ * covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, frozen view.
+ *
+ * 'name' is valid name.
+ *
+ * 'type' is a valid dns_rdatatype_t, and is not a meta query type
+ * (e.g. dns_rdatatype_any), or dns_rdatatype_rrsig.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Ensures:
+ *
+ * In successful cases, 'rdataset', and possibly 'sigrdataset', are
+ * bound to the found data.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS Success; result is desired type.
+ * DNS_R_GLUE Success; result is glue.
+ * DNS_R_HINT Success; result is a hint.
+ * DNS_R_NCACHENXDOMAIN Success; result is a ncache entry.
+ * DNS_R_NCACHENXRRSET Success; result is a ncache entry.
+ * DNS_R_NXDOMAIN The name does not exist.
+ * DNS_R_NXRRSET The rrset does not exist.
+ * ISC_R_NOTFOUND No matching data found,
+ * or an error occurred.
+ */
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+
+isc_result_t
+dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints, isc_boolean_t use_cache,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
+/*
+ * Find the best known zonecut containing 'name'.
+ *
+ * This uses local authority, cache, and optionally hints data.
+ * No external queries are performed.
+ *
+ * Notes:
+ *
+ * If 'now' is zero, then the current time will be used.
+ *
+ * If 'use_hints' is ISC_TRUE, and the view has a hints database, then
+ * it will be searched last.
+ *
+ * If 'use_cache' is ISC_TRUE, and the view has a cache, then it will be
+ * searched.
+ *
+ * If 'sigrdataset' is not NULL, and there is a SIG rdataset which
+ * covers 'type', then 'sigrdataset' will be bound to it.
+ *
+ * If the DNS_DBFIND_NOEXACT option is set, then the zonecut returned
+ * (if any) will be the deepest known ancestor of 'name'.
+ *
+ * Requires:
+ *
+ * 'view' is a valid, frozen view.
+ *
+ * 'name' is valid name.
+ *
+ * 'rdataset' is a valid, disassociated rdataset.
+ *
+ * 'sigrdataset' is NULL, or is a valid, disassociated rdataset.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS Success.
+ *
+ * Many other results are possible.
+ */
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+ dns_rdataclass_t rdclass, dns_view_t **viewp);
+/*
+ * Search for a view with name 'name' and class 'rdclass' in 'list'.
+ * If found, '*viewp' is (strongly) attached to it.
+ *
+ * Requires:
+ *
+ * 'viewp' points to a NULL dns_view_t *.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS A matching view was found.
+ * ISC_R_NOTFOUND No matching view was found.
+ */
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
+/*
+ * Search for the zone 'name' in the zone table of 'view'.
+ * If found, 'zonep' is (strongly) attached to it. There
+ * are no partial matches.
+ *
+ * Requires:
+ *
+ * 'zonep' points to a NULL dns_zone_t *.
+ *
+ * Returns:
+ * ISC_R_SUCCESS A matching zone was found.
+ * ISC_R_NOTFOUND No matching zone was found.
+ * others An error occurred.
+ */
+
+isc_result_t
+dns_view_load(dns_view_t *view, isc_boolean_t stop);
+
+isc_result_t
+dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
+/*
+ * Load zones attached to this view. dns_view_load() loads
+ * all zones whose master file has changed since the last
+ * load; dns_view_loadnew() loads only zones that have never
+ * been loaded.
+ *
+ * If 'stop' is ISC_TRUE, stop on the first error and return it.
+ * If 'stop' is ISC_FALSE, ignore errors.
+ *
+ * Requires:
+ *
+ * 'view' is valid.
+ */
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
+ dns_tsigkey_t **keyp);
+/*
+ * Find the TSIG key configured in 'view' with name 'keyname',
+ * if any.
+ *
+ * Reqires:
+ * keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ * ISC_R_SUCCESS A key was found and '*keyp' now points to it.
+ * ISC_R_NOTFOUND No key was found.
+ * others An error occurred.
+ */
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
+ dns_tsigkey_t **keyp);
+/*
+ * Find the TSIG key configured in 'view' for the server whose
+ * address is 'peeraddr', if any.
+ *
+ * Reqires:
+ * keyp points to a NULL dns_tsigkey_t *.
+ *
+ * Returns:
+ * ISC_R_SUCCESS A key was found and '*keyp' now points to it.
+ * ISC_R_NOTFOUND No key was found.
+ * others An error occurred.
+ */
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg);
+/*
+ * Verifies the signature of a message.
+ *
+ * Requires:
+ *
+ * 'view' is a valid view.
+ * 'source' is a valid buffer containing the message
+ * 'msg' is a valid message
+ *
+ * Returns:
+ * see dns_tsig_verify()
+ */
+
+void
+dns_view_dialup(dns_view_t *view);
+/*
+ * Perform dialup-time maintenance on the zones of 'view'.
+ */
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
+/*
+ * Dump the current state of the view 'view' to the stream 'fp'
+ * for purposes of analysis or debugging.
+ *
+ * Currently the dumped state includes the view's cache; in the future
+ * it may also include other state such as the address database.
+ * It will not not include authoritative data since it is voluminous and
+ * easily obtainable by other means.
+ *
+ * Requires:
+ *
+ * 'view' is valid.
+ *
+ * 'fp' refers to a file open for writing.
+ *
+ * Returns:
+ * ISC_R_SUCCESS The cache was successfully dumped.
+ * others An error occurred (see dns_master_dump)
+ */
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view);
+/*
+ * Flush the view's cache (and ADB).
+ *
+ * Requires:
+ * 'view' is valid.
+ *
+ * No other tasks are executing.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *);
+/*
+ * Flush the given name from the view's cache (and ADB).
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * other returns are failures.
+ */
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
+/*
+ * Add the given name to the delegation only table.
+ *
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
+/*
+ * Add the given name to be excluded from the root-delegation-only.
+ *
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_boolean_t
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
+/*
+ * Check if 'name' is in the delegation only table or if
+ * rootdelonly is set that name is not being excluded.
+ *
+ * Requires:
+ * 'view' is valid.
+ * 'name' is valid.
+ *
+ * Returns:
+ * ISC_TRUE if the name is is the table.
+ * ISC_FALSE othewise.
+ */
+
+void
+dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value);
+/*
+ * Set the root delegation only flag.
+ *
+ * Requires:
+ * 'view' is valid.
+ */
+
+isc_boolean_t
+dns_view_getrootdelonly(dns_view_t *view);
+/*
+ * Get the root delegation only flag.
+ *
+ * Requires:
+ * 'view' is valid.
+ */
+
+#endif /* DNS_VIEW_H */
diff --git a/contrib/bind9/lib/dns/include/dns/xfrin.h b/contrib/bind9/lib/dns/include/dns/xfrin.h
new file mode 100644
index 0000000..0050238
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/xfrin.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xfrin.h,v 1.18.136.2 2004/03/06 08:14:01 marka Exp $ */
+
+#ifndef DNS_XFRIN_H
+#define DNS_XFRIN_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Incoming zone transfers (AXFR + IXFR).
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+/***
+ *** Types
+ ***/
+
+/*
+ * A transfer in progress. This is an opaque type.
+ */
+typedef struct dns_xfrin_ctx dns_xfrin_ctx_t;
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+ isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
+ isc_mem_t *mctx, isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr, isc_task_t *task,
+ dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp);
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+ isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+ dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+ isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+ isc_task_t *task, dns_xfrindone_t done,
+ dns_xfrin_ctx_t **xfrp);
+/*
+ * Attempt to start an incoming zone transfer of 'zone'
+ * from 'masteraddr', creating a dns_xfrin_ctx_t object to
+ * manage it. Attach '*xfrp' to the newly created object.
+ *
+ * Iff ISC_R_SUCCESS is returned, '*done' is guaranteed to be
+ * called in the context of 'task', with 'zone' and a result
+ * code as arguments when the transfer finishes.
+ *
+ * Requires:
+ * 'xfrtype' is dns_rdatatype_axfr or dns_rdatatype_ixfr.
+ *
+ * If 'xfrtype' is dns_rdatatype_ixfr, the zone has a
+ * database.
+ */
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
+/*
+ * If the zone transfer 'xfr' has already finished,
+ * do nothing. Otherwise, abort it and cause it to call
+ * its done callback with a status of ISC_R_CANCELLED.
+ */
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp);
+/*
+ * Detach a reference to a zone transfer object.
+ * Caller to maintain external locking if required.
+ */
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target);
+/*
+ * Caller to maintain external locking if required.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_XFRIN_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zone.h b/contrib/bind9/lib/dns/include/dns/zone.h
new file mode 100644
index 0000000..ebd8d8c
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/zone.h
@@ -0,0 +1,1430 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zone.h,v 1.106.2.7.4.14 2004/03/06 08:14:01 marka Exp $ */
+
+#ifndef DNS_ZONE_H
+#define DNS_ZONE_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/rwlock.h>
+
+#include <dns/types.h>
+
+typedef enum {
+ dns_zone_none,
+ dns_zone_master,
+ dns_zone_slave,
+ dns_zone_stub
+} dns_zonetype_t;
+
+#define DNS_ZONEOPT_SERVERS 0x00000001U /* perform server checks */
+#define DNS_ZONEOPT_PARENTS 0x00000002U /* perform parent checks */
+#define DNS_ZONEOPT_CHILDREN 0x00000004U /* perform child checks */
+#define DNS_ZONEOPT_NOTIFY 0x00000008U /* perform NOTIFY */
+#define DNS_ZONEOPT_MANYERRORS 0x00000010U /* return many errors on load */
+#define DNS_ZONEOPT_IXFRFROMDIFFS 0x00000020U /* calculate differences */
+#define DNS_ZONEOPT_NOMERGE 0x00000040U /* don't merge journal */
+#define DNS_ZONEOPT_CHECKNS 0x00000080U /* check if NS's are addresses */
+#define DNS_ZONEOPT_FATALNS 0x00000100U /* DNS_ZONEOPT_CHECKNS is fatal */
+#define DNS_ZONEOPT_MULTIMASTER 0x00000200U /* this zone has multiple masters */
+#define DNS_ZONEOPT_USEALTXFRSRC 0x00000400U /* use alternate transfer sources */
+#define DNS_ZONEOPT_CHECKNAMES 0x00000800U /* check-names */
+#define DNS_ZONEOPT_CHECKNAMESFAIL 0x00001000U /* fatal check-name failures */
+
+#ifndef NOMINUM_PUBLIC
+/*
+ * Nominum specific options build down.
+ */
+#define DNS_ZONEOPT_NOTIFYFORWARD 0x80000000U /* forward notify to master */
+#endif /* NOMINUM_PUBLIC */
+
+#ifndef DNS_ZONE_MINREFRESH
+#define DNS_ZONE_MINREFRESH 300 /* 5 minutes */
+#endif
+#ifndef DNS_ZONE_MAXREFRESH
+#define DNS_ZONE_MAXREFRESH 2419200 /* 4 weeks */
+#endif
+#ifndef DNS_ZONE_DEFAULTREFRESH
+#define DNS_ZONE_DEFAULTREFRESH 3600 /* 1 hour */
+#endif
+#ifndef DNS_ZONE_MINRETRY
+#define DNS_ZONE_MINRETRY 300 /* 5 minutes */
+#endif
+#ifndef DNS_ZONE_MAXRETRY
+#define DNS_ZONE_MAXRETRY 1209600 /* 2 weeks */
+#endif
+#ifndef DNS_ZONE_DEFAULTRETRY
+#define DNS_ZONE_DEFAULTRETRY 60 /* 1 minute, subject to
+ exponential backoff */
+#endif
+
+#define DNS_ZONESTATE_XFERRUNNING 1
+#define DNS_ZONESTATE_XFERDEFERRED 2
+#define DNS_ZONESTATE_SOAQUERY 3
+#define DNS_ZONESTATE_ANY 4
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx);
+/*
+ * Creates a new empty zone and attach '*zonep' to it.
+ *
+ * Requires:
+ * 'zonep' to point to a NULL pointer.
+ * 'mctx' to be a valid memory context.
+ *
+ * Ensures:
+ * '*zonep' refers to a valid zone.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass);
+/*
+ * Sets the class of a zone. This operation can only be performed
+ * once on a zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * dns_zone_setclass() not to have been called since the zone was
+ * created.
+ * 'rdclass' != dns_rdataclass_none.
+ */
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone);
+/*
+ * Returns the current zone class.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
+/*
+ * Sets the zone type. This operation can only be performed once on
+ * a zone.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ * dns_zone_settype() not to have been called since the zone was
+ * created.
+ * 'type' != dns_zone_none
+ */
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view);
+/*
+ * Associate the zone with a view.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone);
+/*
+ * Returns the zone's associated view.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin);
+/*
+ * Sets the zones origin to 'origin'.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'origin' to be non NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone);
+/*
+ * Returns the value of the origin.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file);
+/*
+ * Sets the name of the master file from which the zone
+ * loads its database to 'file'. For zones that have
+ * no associated master file, 'file' will be NULL.
+ *
+ * For zones with persistent databases, the file name
+ * setting is ignored.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * ISC_R_NOMEMORY
+ * ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getfile(dns_zone_t *zone);
+/*
+ * Gets the name of the zone's master file, if any.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ *
+ * Returns:
+ * Pointer to null-terminated file name, or NULL.
+ */
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone);
+
+isc_result_t
+dns_zone_loadnew(dns_zone_t *zone);
+/*
+ * Cause the database to be loaded from its backing store.
+ * Confirm that the minimum requirements for the zone type are
+ * met, otherwise DNS_R_BADZONE is returned.
+ *
+ * dns_zone_loadnew() only loads zones that are not yet loaded.
+ * dns_zone_load() also loads zones that are already loaded and
+ * and whose master file has changed since the last load.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * ISC_R_UNEXPECTED
+ * ISC_R_SUCCESS
+ * DNS_R_CONTINUE Incremental load has been queued.
+ * DNS_R_UPTODATE The zone has already been loaded based on
+ * file system timestamps.
+ * DNS_R_BADZONE
+ * Any result value from dns_db_load().
+ */
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target);
+/*
+ * Attach '*target' to 'source' incrementing its external
+ * reference count.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_detach(dns_zone_t **zonep);
+/*
+ * Detach from a zone decrementing its external reference count.
+ * If this was the last external reference to the zone it will be
+ * shut down and eventually freed.
+ *
+ * Require:
+ * 'zonep' to point to a valid zone.
+ */
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target);
+/*
+ * Attach '*target' to 'source' incrementing its internal
+ * reference count. This is intended for use by operations
+ * such as zone transfers that need to prevent the zone
+ * object from being freed but not from shutting down.
+ *
+ * Require:
+ * The caller is running in the context of the zone's task.
+ * 'zone' to be a valid zone.
+ * 'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zone_idetach(dns_zone_t **zonep);
+/*
+ * Detach from a zone decrementing its internal reference count.
+ * If there are no more internal or external references to the
+ * zone, it will be freed.
+ *
+ * Require:
+ * The caller is running in the context of the zone's task.
+ * 'zonep' to point to a valid zone.
+ */
+
+void
+dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value);
+/*
+ * Sets ('value' == 'ISC_TRUE') / clears ('value' == 'IS_FALSE')
+ * zone flags. Valid flag bits are DNS_ZONE_F_*.
+ *
+ * Requires
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dbp);
+/*
+ * Attach '*dbp' to the database to if it exists otherwise
+ * return DNS_R_NOTLOADED.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'dbp' to be != NULL && '*dbp' == NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_NOTLOADED
+ */
+
+isc_result_t
+dns_zone_setdbtype(dns_zone_t *zone,
+ unsigned int dbargc, const char * const *dbargv);
+/*
+ * Sets the database type to dbargv[0] and database arguments
+ * to subsequent dbargv elements.
+ * 'db_type' is not checked to see if it is a valid database type.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'database' to be non NULL.
+ * 'dbargc' to be >= 1
+ * 'dbargv' to point to dbargc NULL-terminated strings
+ *
+ * Returns:
+ * ISC_R_NOMEMORY
+ * ISC_R_SUCCESS
+ */
+
+void
+dns_zone_markdirty(dns_zone_t *zone);
+/*
+ * Mark a zone as 'dirty'.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_expire(dns_zone_t *zone);
+/*
+ * Mark the zone as expired. If the zone requires dumping cause it to
+ * be initiated. Set the refresh and retry intervals to there default
+ * values and unload the zone.
+ *
+ * Require
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_refresh(dns_zone_t *zone);
+/*
+ * Initiate zone up to date checks. The zone must already be being
+ * managed.
+ *
+ * Require
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone);
+/*
+ * Write the zone to database if there are uncommited changes.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone);
+/*
+ * Write the zone to database.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd);
+/*
+ * Write the zone to stream 'fd'.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'fd' to be a stream open for writing.
+ */
+
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
+/*
+ * The same as dns_zone_dumptostream, but dumps the zone with
+ * different dump settings (dns_master_style_full).
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'fd' to be a stream open for writing.
+ */
+
+void
+dns_zone_maintenance(dns_zone_t *zone);
+/*
+ * Perform regular maintenace on the zone. This is called as a
+ * result of a zone being managed.
+ *
+ * Require
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+ isc_uint32_t count);
+isc_result_t
+dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
+ dns_name_t **keynames, isc_uint32_t count);
+/*
+ * Set the list of master servers for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'masters' array of isc_sockaddr_t with port set or NULL.
+ * 'count' the number of masters.
+ * 'keynames' array of dns_name_t's for tsig keys or NULL.
+ *
+ * dns_zone_setmasters() is just a wrapper to setmasterswithkeys(),
+ * passing NULL in the keynames field.
+ *
+ * If 'masters' is NULL then 'count' must be zero.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * Any result dns_name_dup() can return, if keynames!=NULL
+ */
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+ isc_uint32_t count);
+/*
+ * Set the list of additional servers to be notified when
+ * a zone changes. To clear the list use 'count = 0'.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'notify' to be non-NULL if count != 0.
+ * 'count' to be the number of notifyees.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+dns_zone_unload(dns_zone_t *zone);
+/*
+ * detach the database from the zone structure.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value);
+/*
+ * Set given options on ('value' == ISC_TRUE) or off ('value' ==
+ * ISC_FALSE).
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone);
+/*
+ * Returns the current zone options.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val);
+/*
+ * Set the minimum refresh time.
+ *
+ * Requires:
+ * 'zone' is valid.
+ * val > 0.
+ */
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val);
+/*
+ * Set the maximum refresh time.
+ *
+ * Requires:
+ * 'zone' is valid.
+ * val > 0.
+ */
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val);
+/*
+ * Set the minimum retry time.
+ *
+ * Requires:
+ * 'zone' is valid.
+ * val > 0.
+ */
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val);
+/*
+ * Set the maximum retry time.
+ *
+ * Requires:
+ * 'zone' is valid.
+ * val > 0.
+ */
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+/*
+ * Set the source address to be used in IPv4 zone transfers.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'xfrsource' to contain the address.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone);
+/*
+ * Returns the source address set by a previous dns_zone_setxfrsource4
+ * call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource);
+/*
+ * Set the source address to be used in IPv6 zone transfers.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'xfrsource' to contain the address.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone);
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone);
+/*
+ * Returns the source address set by a previous dns_zone_setxfrsource6
+ * call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+/*
+ * Set the source address to be used with IPv4 NOTIFY messages.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'notifysrc' to contain the address.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone);
+/*
+ * Returns the source address set by a previous dns_zone_setnotifysrc4
+ * call, or the default of inaddr_any, port 0.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc);
+/*
+ * Set the source address to be used with IPv6 NOTIFY messages.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'notifysrc' to contain the address.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ */
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone);
+/*
+ * Returns the source address set by a previous dns_zone_setnotifysrc6
+ * call, or the default of in6addr_any, port 0.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ * Sets the notify acl list for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ * Sets the query acl list for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'acl' to be a valid acl.
+ */
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ * Sets the update acl list for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'acl' to be valid acl.
+ */
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ * Sets the forward unsigned updates acl list for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'acl' to be valid acl.
+ */
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl);
+/*
+ * Sets the transfer acl list for the zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'acl' to be valid acl.
+ */
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone);
+/*
+ * Returns the current notify acl or NULL.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * acl a pointer to the acl.
+ * NULL
+ */
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone);
+/*
+ * Returns the current query acl or NULL.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * acl a pointer to the acl.
+ * NULL
+ */
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone);
+/*
+ * Returns the current update acl or NULL.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * acl a pointer to the acl.
+ * NULL
+ */
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone);
+/*
+ * Returns the current forward unsigned updates acl or NULL.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * acl a pointer to the acl.
+ * NULL
+ */
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone);
+/*
+ * Returns the current transfer acl or NULL.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * acl a pointer to the acl.
+ * NULL
+ */
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone);
+/*
+ * Clear the current update acl.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone);
+/*
+ * Clear the current forward unsigned updates acl.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone);
+/*
+ * Clear the current notify acl.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone);
+/*
+ * Clear the current query acl.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone);
+/*
+ * Clear the current transfer acl.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+isc_boolean_t
+dns_zone_getupdatedisabled(dns_zone_t *zone);
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity);
+/*
+ * Set the severity of name checking when loading a zone.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone);
+/*
+ * Return the current severity of name checking.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size);
+/*
+ * Sets the journal size for the zone.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_int32_t
+dns_zone_getjournalsize(dns_zone_t *zone);
+/*
+ * Return the journal size as set with a previous call to
+ * dns_zone_setjournalsize().
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+ dns_message_t *msg);
+/*
+ * Tell the zone that it has recieved a NOTIFY message from another
+ * server. This may cause some zone maintainence activity to occur.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ * '*from' to contain the address of the server from which 'msg'
+ * was recieved.
+ * 'msg' a message with opcode NOTIFY and qr clear.
+ *
+ * Returns:
+ * DNS_R_REFUSED
+ * DNS_R_NOTIMP
+ * DNS_R_FORMERR
+ * DNS_R_SUCCESS
+ */
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin);
+/*
+ * Set the maximum time (in seconds) that a zone transfer in (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+isc_uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone);
+/*
+ * Returns the maximum transfer time for this zone. This will be
+ * either the value set by the last call to dns_zone_setmaxxfrin() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout);
+/*
+ * Set the maximum time (in seconds) that a zone transfer out (AXFR/IXFR)
+ * of this zone will use before being aborted.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+isc_uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone);
+/*
+ * Returns the maximum transfer time for this zone. This will be
+ * either the value set by the last call to dns_zone_setmaxxfrout() or
+ * the default value of 1 hour.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *journal);
+/*
+ * Sets the filename used for journaling updates / IXFR transfers.
+ * The default journal name is set by dns_zone_setfile() to be
+ * "file.jnl". If 'journal' is NULL, the zone will have no
+ * journal name.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+char *
+dns_zone_getjournal(dns_zone_t *zone);
+/*
+ * Returns the journal name associated with this zone.
+ * If no journal has been set this will be NULL.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+dns_zonetype_t
+dns_zone_gettype(dns_zone_t *zone);
+/*
+ * Returns the type of the zone (master/slave/etc.)
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ */
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task);
+/*
+ * Give a zone a task to work with. Any current task will be detached.
+ *
+ * Requires:
+ * 'zone' to be valid.
+ * 'task' to be valid.
+ */
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target);
+/*
+ * Attach '*target' to the zone's task.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ * 'zone' to have a task.
+ * 'target' to be != NULL && '*target' == NULL.
+ */
+
+void
+dns_zone_notify(dns_zone_t *zone);
+/*
+ * Generate notify events for this zone.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
+/*
+ * Replace the database of "zone" with a new database "db".
+ *
+ * If "dump" is ISC_TRUE, then the new zone contents are dumped
+ * into to the zone's master file for persistence. When replacing
+ * a zone database by one just loaded from a master file, set
+ * "dump" to ISC_FALSE to avoid a redunant redump of the data just
+ * loaded. Otherwise, it should be set to ISC_TRUE.
+ *
+ * If the "diff-on-reload" option is enabled in the configuration file,
+ * the differences between the old and the new database are added to the
+ * journal file, and the master file dump is postponed.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_uint32_t
+dns_zone_getidlein(dns_zone_t *zone);
+/*
+ * Requires:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * number of seconds of idle time before we abort the transfer in.
+ */
+
+void
+dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein);
+/*
+ * Set the idle timeout for transfer the.
+ * Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_uint32_t
+dns_zone_getidleout(dns_zone_t *zone);
+/*
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * number of seconds of idle time before we abort a transfer out.
+ */
+
+void
+dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout);
+/*
+ * Set the idle timeout for transfers out.
+ * Zero set the default value, 1 hour.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table);
+/*
+ * Get the simple-secure-update policy table.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table);
+/*
+ * Set / clear the simple-secure-update policy table.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone);
+/*
+ * Get the memory context of a zone.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone);
+/*
+ * If 'zone' is managed return the zone manager otherwise NULL.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
+/*
+ * Set the zone's SIG validity interval. This is the length of time
+ * for which DNSSEC signatures created as a result of dynamic updates
+ * to secure zones will remain valid, in seconds.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone);
+/*
+ * Get the zone's SIG validity interval.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
+/*
+ * Sets zone notify method to "notifytype"
+ */
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+ dns_updatecallback_t callback, void *callback_arg);
+/*
+ * Forward 'msg' to each master in turn until we get an answer or we
+ * have exausted the list of masters. 'callback' will be called with
+ * ISC_R_SUCCESS if we get an answer and the returned message will be
+ * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
+ * will be passed and answer_message will be NULL. The callback function
+ * is responsible for destroying 'answer_message'.
+ * (callback)(callback_arg, result, answer_message);
+ *
+ * Require:
+ * 'zone' to be valid
+ * 'msg' to be valid.
+ * 'callback' to be non NULL.
+ * Returns:
+ * ISC_R_SUCCESS if the message has been forwarded,
+ * ISC_R_NOMEMORY
+ * Others
+ */
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
+/*
+ * Find the next zone in the list of managed zones.
+ *
+ * Requires:
+ * 'zone' to be valid
+ * The zone manager for the indicated zone MUST be locked
+ * by the caller. This is not checked.
+ * 'next' be non-NULL, and '*next' be NULL.
+ *
+ * Ensures:
+ * 'next' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ * (result ISC_R_NOMORE).
+ */
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
+/*
+ * Find the first zone in the list of managed zones.
+ *
+ * Requires:
+ * 'zonemgr' to be valid
+ * The zone manager for the indicated zone MUST be locked
+ * by the caller. This is not checked.
+ * 'first' be non-NULL, and '*first' be NULL
+ *
+ * Ensures:
+ * 'first' points to a valid zone (result ISC_R_SUCCESS) or to NULL
+ * (result ISC_R_NOMORE).
+ */
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory);
+/*
+ * Sets the name of the directory where private keys used for
+ * online signing of dynamic zones are found.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ *
+ * Returns:
+ * ISC_R_NOMEMORY
+ * ISC_R_SUCCESS
+ */
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone);
+/*
+ * Gets the name of the directory where private keys used for
+ * online signing of dynamic zones are found.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ *
+ * Returns:
+ * Pointer to null-terminated file name, or NULL.
+ */
+
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+ dns_zonemgr_t **zmgrp);
+/*
+ * Create a zone manager.
+ *
+ * Requires:
+ * 'mctx' to be a valid memory context.
+ * 'taskmgr' to be a valid task manager.
+ * 'timermgr' to be a valid timer manager.
+ * 'zmgrp' to point to a NULL pointer.
+ */
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*
+ * Bring the zone under control of a zone manager.
+ *
+ * Require:
+ * 'zmgr' to be a valid zone manager.
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
+/*
+ * Force zone maintenance of all zones managed by 'zmgr' at its
+ * earliest conveniene.
+ */
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr);
+/*
+ * Attempt to start any stalled zone transfers.
+ */
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr);
+/*
+ * Shut down the zone manager.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target);
+/*
+ * Attach '*target' to 'source' incrementing its external
+ * reference count.
+ *
+ * Require:
+ * 'zone' to be a valid zone.
+ * 'target' to be non NULL and '*target' to be NULL.
+ */
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp);
+/*
+ * Detach from a zone manager.
+ *
+ * Requires:
+ * '*zmgrp' is a valid, non-NULL zone manager pointer.
+ *
+ * Ensures:
+ * '*zmgrp' is NULL.
+ */
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone);
+/*
+ * Release 'zone' from the managed by 'zmgr'. 'zmgr' is implicitly
+ * detached from 'zone'.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ * 'zone' to be a valid zone.
+ * 'zmgr' == 'zone->zmgr'
+ *
+ * Ensures:
+ * 'zone->zmgr' == NULL;
+ */
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
+/*
+ * Set the maximum number of simultanious transfers in allowed by
+ * the zone manager.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+isc_uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
+/*
+ * Return the the maximum number of simultanious transfers in allowed.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value);
+/*
+ * Set the number of zone transfers allowed per nameserver.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager
+ */
+
+isc_uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
+/*
+ * Return the number of transfers allowed per nameserver.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
+/*
+ * Set the number of simultaneous file descriptors available for
+ * reading and writing masterfiles.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ * 'iolimit' to be positive.
+ */
+
+isc_uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
+/*
+ * Get the number of simultaneous file descriptors available for
+ * reading and writing masterfiles.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value);
+/*
+ * Set the number of SOA queries sent per second.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager
+ */
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr);
+/*
+ * Return the number of SOA queries sent per second.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ */
+
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
+/*
+ * Returns the number of zones in the specified state.
+ *
+ * Requires:
+ * 'zmgr' to be a valid zone manager.
+ * 'state' to be a valid DNS_ZONESTATE_ constant.
+ */
+
+void
+dns_zone_forcereload(dns_zone_t *zone);
+/*
+ * Force a reload of specified zone.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_boolean_t
+dns_zone_isforced(dns_zone_t *zone);
+/*
+ * Check if the zone is waiting a forced reload.
+ *
+ * Requires:
+ * 'zone' to be a valid zone.
+ */
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on);
+/*
+ * Make the zone keep or not keep an array of statistics
+ * counter.
+ *
+ * Requires:
+ * zone be a valid zone.
+ */
+
+isc_uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone);
+/*
+ * Requires:
+ * zone be a valid zone.
+ *
+ * Returns:
+ * A pointer to the zone's array of statistics counters,
+ * or NULL if it has none.
+ */
+
+void
+dns_zone_dialup(dns_zone_t *zone);
+/*
+ * Perform dialup-time maintenance on 'zone'.
+ */
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup);
+/*
+ * Set the dialup type of 'zone' to 'dialup'.
+ *
+ * Requires:
+ * 'zone' to be valid initialised zone.
+ * 'dialup' to be a valid dialup type.
+ */
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *msg, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category, int level,
+ const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+/*
+ * Log the message 'msg...' at 'level', including text that identifies
+ * the message as applying to 'zone'.
+ */
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
+/*
+ * Return the name of the zone with class and view.
+ *
+ * Requires:
+ * 'zone' to be valid.
+ * 'buf' to be non NULL.
+ */
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
+/*
+ * Check if this record meets the check-names policy.
+ *
+ * Requires:
+ * 'zone' to be valid.
+ * 'name' to be valid.
+ * 'rdata' to be valid.
+ *
+ * Returns:
+ * DNS_R_SUCCESS passed checks.
+ * DNS_R_BADOWNERNAME failed ownername checks.
+ * DNS_R_BADNAME failed rdata checks.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONE_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zonekey.h b/contrib/bind9/lib/dns/include/dns/zonekey.h
new file mode 100644
index 0000000..1ac9066
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/zonekey.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zonekey.h,v 1.3.206.1 2004/03/06 08:14:01 marka Exp $ */
+
+#ifndef DNS_ZONEKEY_H
+#define DNS_ZONEKEY_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_boolean_t
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata);
+/*
+ * Determines if the key record contained in the rdata is a zone key.
+ *
+ * Requires:
+ * 'keyrdata' is not NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONEKEY_H */
diff --git a/contrib/bind9/lib/dns/include/dns/zt.h b/contrib/bind9/lib/dns/include/dns/zt.h
new file mode 100644
index 0000000..fb43590
--- /dev/null
+++ b/contrib/bind9/lib/dns/include/dns/zt.h
@@ -0,0 +1,167 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zt.h,v 1.27.2.2.8.1 2004/03/06 08:14:01 marka Exp $ */
+
+#ifndef DNS_ZT_H
+#define DNS_ZT_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+#define DNS_ZTFIND_NOEXACT 0x01
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **zt);
+/*
+ * Creates a new zone table.
+ *
+ * Requires:
+ * 'mctx' to be initialized.
+ *
+ * Returns:
+ * ISC_R_SUCCESS on success.
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone);
+/*
+ * Mounts the zone on the zone table.
+ *
+ * Requires:
+ * 'zt' to be valid
+ * 'zone' to be valid
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_EXISTS
+ * ISC_R_NOSPACE
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone);
+/*
+ * Unmount the given zone from the table.
+ *
+ * Requires:
+ * 'zt' to be valid
+ * 'zone' to be valid
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
+ dns_name_t *foundname, dns_zone_t **zone);
+/*
+ * Find the best match for 'name' in 'zt'. If foundname is non NULL
+ * then the name of the zone found is returned.
+ *
+ * Notes:
+ * If the DNS_ZTFIND_NOEXACT is set, the best partial match (if any)
+ * to 'name' will be returned.
+ *
+ * Requires:
+ * 'zt' to be valid
+ * 'name' to be valid
+ * 'foundname' to be initialized and associated with a fixedname or NULL
+ * 'zone' to be non NULL and '*zone' to be NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DNS_R_PARTIALMATCH
+ * ISC_R_NOTFOUND
+ * ISC_R_NOSPACE
+ */
+
+void
+dns_zt_detach(dns_zt_t **ztp);
+/*
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be freed. In either case 'ztp' is set to NULL.
+ *
+ * Requires:
+ * '*ztp' to be valid
+ */
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp);
+/*
+ * Detach the given zonetable, if the reference count goes to zero the
+ * zonetable will be flushed and then freed. In either case 'ztp' is
+ * set to NULL.
+ *
+ * Requires:
+ * '*ztp' to be valid
+ */
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp);
+/*
+ * Attach 'zt' to '*ztp'.
+ *
+ * Requires:
+ * 'zt' to be valid
+ * '*ztp' to be NULL
+ */
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, isc_boolean_t stop);
+
+isc_result_t
+dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop);
+/*
+ * Load all zones in the table. If 'stop' is ISC_TRUE,
+ * stop on the first error and return it. If 'stop'
+ * is ISC_FALSE, ignore errors.
+ *
+ * dns_zt_loadnew() only loads zones that are not yet loaded.
+ * dns_zt_load() also loads zones that are already loaded and
+ * and whose master file has changed since the last load.
+ *
+ * Requires:
+ * 'zt' to be valid
+ */
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap);
+/*
+ * Apply a given 'action' to all zone zones in the table.
+ * If 'stop' is 'ISC_TRUE' then walking the zone tree will stop if
+ * 'action' does not return ISC_R_SUCCESS.
+ *
+ * Requires:
+ * 'zt' to be valid.
+ * 'action' to be non NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS if action was applied to all nodes.
+ * any error code from 'action'.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZT_H */
diff --git a/contrib/bind9/lib/dns/journal.c b/contrib/bind9/lib/dns/journal.c
new file mode 100644
index 0000000..28fd354
--- /dev/null
+++ b/contrib/bind9/lib/dns/journal.c
@@ -0,0 +1,2131 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: journal.c,v 1.77.2.1.10.8 2004/05/14 05:27:47 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/file.h>
+#include <isc/mem.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+
+/*
+ * When true, accept IXFR difference sequences where the
+ * SOA serial number does not change (BIND 8 sends such
+ * sequences).
+ */
+static isc_boolean_t bind8_compat = ISC_TRUE; /* XXX config */
+
+/**************************************************************************/
+/*
+ * Miscellaneous utilities.
+ */
+
+#define JOURNAL_COMMON_LOGARGS \
+ dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_JOURNAL
+
+#define JOURNAL_DEBUG_LOGARGS(n) \
+ JOURNAL_COMMON_LOGARGS, ISC_LOG_DEBUG(n)
+
+/*
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+ do { result = (code); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+static isc_result_t index_to_disk(dns_journal_t *);
+
+static inline isc_uint32_t
+decode_uint32(unsigned char *p) {
+ return ((p[0] << 24) +
+ (p[1] << 16) +
+ (p[2] << 8) +
+ (p[3] << 0));
+}
+
+static inline void
+encode_uint32(isc_uint32_t val, unsigned char *p) {
+ p[0] = (isc_uint8_t)(val >> 24);
+ p[1] = (isc_uint8_t)(val >> 16);
+ p[2] = (isc_uint8_t)(val >> 8);
+ p[3] = (isc_uint8_t)(val >> 0);
+}
+
+isc_result_t
+dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
+ dns_diffop_t op, dns_difftuple_t **tp)
+{
+ isc_result_t result;
+ dns_dbnode_t *node;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_name_t *zonename;
+
+ zonename = dns_db_origin(db);
+
+ node = NULL;
+ result = dns_db_findnode(db, zonename, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto nonode;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
+ (isc_stdtime_t)0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto freenode;
+
+ result = dns_rdataset_first(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto freenode;
+
+ dns_rdataset_current(&rdataset, &rdata);
+
+ result = dns_difftuple_create(mctx, op, zonename, rdataset.ttl,
+ &rdata, tp);
+
+ dns_rdataset_disassociate(&rdataset);
+ dns_db_detachnode(db, &node);
+ return (ISC_R_SUCCESS);
+
+ freenode:
+ dns_db_detachnode(db, &node);
+ nonode:
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "missing SOA");
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * Journalling.
+ */
+
+/*
+ * A journal file consists of
+ *
+ * - A fixed-size header of type journal_rawheader_t.
+ *
+ * - The index. This is an unordered array of index entries
+ * of type journal_rawpos_t giving the locations
+ * of some arbitrary subset of the journal's addressable
+ * transactions. The index entries are used as hints to
+ * speed up the process of locating a transaction with a given
+ * serial number. Unused index entries have an "offset"
+ * field of zero. The size of the index can vary between
+ * journal files, but does not change during the lifetime
+ * of a file. The size can be zero.
+ *
+ * - The journal data. This consists of one or more transactions.
+ * Each transaction begins with a transaction header of type
+ * journal_rawxhdr_t. The transaction header is followed by a
+ * sequence of RRs, similar in structure to an IXFR difference
+ * sequence (RFC1995). That is, the pre-transaction SOA,
+ * zero or more other deleted RRs, the post-transaction SOA,
+ * and zero or more other added RRs. Unlike in IXFR, each RR
+ * is prefixed with a 32-bit length.
+ *
+ * The journal data part grows as new transactions are
+ * appended to the file. Only those transactions
+ * whose serial number is current-(2^31-1) to current
+ * are considered "addressable" and may be pointed
+ * to from the header or index. They may be preceded
+ * by old transactions that are no longer addressable,
+ * and they may be followed by transactions that were
+ * appended to the journal but never committed by updating
+ * the "end" position in the header. The latter will
+ * be overwritten when new transactions are added.
+ */
+
+/*
+ * On-disk representation of a "pointer" to a journal entry.
+ * These are used in the journal header to locate the beginning
+ * and end of the journal, and in the journal index to locate
+ * other transactions.
+ */
+typedef struct {
+ unsigned char serial[4]; /* SOA serial before update. */
+ /*
+ * XXXRTH Should offset be 8 bytes?
+ * XXXDCL ... probably, since isc_offset_t is 8 bytes on many OSs.
+ * XXXAG ... but we will not be able to seek >2G anyway on many
+ * platforms as long as we are using fseek() rather
+ * than lseek().
+ */
+ unsigned char offset[4]; /* Offset from beginning of file. */
+} journal_rawpos_t;
+
+/*
+ * The on-disk representation of the journal header.
+ * All numbers are stored in big-endian order.
+ */
+
+/*
+ * The header is of a fixed size, with some spare room for future
+ * extensions.
+ */
+#define JOURNAL_HEADER_SIZE 64 /* Bytes. */
+
+typedef union {
+ struct {
+ /* File format version ID. */
+ unsigned char format[16];
+ /* Position of the first addressable transaction */
+ journal_rawpos_t begin;
+ /* Position of the next (yet nonexistent) transaction. */
+ journal_rawpos_t end;
+ /* Number of index entries following the header. */
+ unsigned char index_size[4];
+ } h;
+ /* Pad the header to a fixed size. */
+ unsigned char pad[JOURNAL_HEADER_SIZE];
+} journal_rawheader_t;
+
+/*
+ * The on-disk representation of the transaction header.
+ * There is one of these at the beginning of each transaction.
+ */
+typedef struct {
+ unsigned char size[4]; /* In bytes, excluding header. */
+ unsigned char serial0[4]; /* SOA serial before update. */
+ unsigned char serial1[4]; /* SOA serial after update. */
+} journal_rawxhdr_t;
+
+/*
+ * The on-disk representation of the RR header.
+ * There is one of these at the beginning of each RR.
+ */
+typedef struct {
+ unsigned char size[4]; /* In bytes, excluding header. */
+} journal_rawrrhdr_t;
+
+/*
+ * The in-core representation of the journal header.
+ */
+typedef struct {
+ isc_uint32_t serial;
+ isc_offset_t offset;
+} journal_pos_t;
+
+#define POS_VALID(pos) ((pos).offset != 0)
+#define POS_INVALIDATE(pos) ((pos).offset = 0, (pos).serial = 0)
+
+typedef struct {
+ unsigned char format[16];
+ journal_pos_t begin;
+ journal_pos_t end;
+ isc_uint32_t index_size;
+} journal_header_t;
+
+/*
+ * The in-core representation of the transaction header.
+ */
+
+typedef struct {
+ isc_uint32_t size;
+ isc_uint32_t serial0;
+ isc_uint32_t serial1;
+} journal_xhdr_t;
+
+/*
+ * The in-core representation of the RR header.
+ */
+typedef struct {
+ isc_uint32_t size;
+} journal_rrhdr_t;
+
+
+/*
+ * Initial contents to store in the header of a newly created
+ * journal file.
+ *
+ * The header starts with the magic string ";BIND LOG V9\n"
+ * to identify the file as a BIND 9 journal file. An ASCII
+ * identification string is used rather than a binary magic
+ * number to be consistent with BIND 8 (BIND 8 journal files
+ * are ASCII text files).
+ */
+
+static journal_header_t
+initial_journal_header = { ";BIND LOG V9\n", { 0, 0 }, { 0, 0 }, 0 };
+
+#define JOURNAL_EMPTY(h) ((h)->begin.offset == (h)->end.offset)
+
+typedef enum {
+ JOURNAL_STATE_INVALID,
+ JOURNAL_STATE_READ,
+ JOURNAL_STATE_WRITE,
+ JOURNAL_STATE_TRANSACTION
+} journal_state_t;
+
+struct dns_journal {
+ unsigned int magic; /* JOUR */
+ isc_mem_t *mctx; /* Memory context */
+ journal_state_t state;
+ const char *filename; /* Journal file name */
+ FILE * fp; /* File handle */
+ isc_offset_t offset; /* Current file offset */
+ journal_header_t header; /* In-core journal header */
+ unsigned char *rawindex; /* In-core buffer for journal
+ index in on-disk format */
+ journal_pos_t *index; /* In-core journal index */
+
+ /* Current transaction state (when writing). */
+ struct {
+ unsigned int n_soa; /* Number of SOAs seen */
+ journal_pos_t pos[2]; /* Begin/end position */
+ } x;
+
+ /* Iteration state (when reading). */
+ struct {
+ /* These define the part of the journal we iterate over. */
+ journal_pos_t bpos; /* Position before first, */
+ journal_pos_t epos; /* and after last
+ transaction */
+ /* The rest is iterator state. */
+ isc_uint32_t current_serial; /* Current SOA serial */
+ isc_buffer_t source; /* Data from disk */
+ isc_buffer_t target; /* Data from _fromwire check */
+ dns_decompress_t dctx; /* Dummy decompression ctx */
+ dns_name_t name; /* Current domain name */
+ dns_rdata_t rdata; /* Current rdata */
+ isc_uint32_t ttl; /* Current TTL */
+ unsigned int xsize; /* Size of transaction data */
+ unsigned int xpos; /* Current position in it */
+ isc_result_t result; /* Result of last call */
+ } it;
+};
+
+#define DNS_JOURNAL_MAGIC ISC_MAGIC('J', 'O', 'U', 'R')
+#define DNS_JOURNAL_VALID(t) ISC_MAGIC_VALID(t, DNS_JOURNAL_MAGIC)
+
+static void
+journal_pos_decode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+ cooked->serial = decode_uint32(raw->serial);
+ cooked->offset = decode_uint32(raw->offset);
+}
+
+static void
+journal_pos_encode(journal_rawpos_t *raw, journal_pos_t *cooked) {
+ encode_uint32(cooked->serial, raw->serial);
+ encode_uint32(cooked->offset, raw->offset);
+}
+
+static void
+journal_header_decode(journal_rawheader_t *raw, journal_header_t *cooked) {
+ INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+ memcpy(cooked->format, raw->h.format, sizeof(cooked->format));
+ journal_pos_decode(&raw->h.begin, &cooked->begin);
+ journal_pos_decode(&raw->h.end, &cooked->end);
+ cooked->index_size = decode_uint32(raw->h.index_size);
+}
+
+static void
+journal_header_encode(journal_header_t *cooked, journal_rawheader_t *raw) {
+ INSIST(sizeof(cooked->format) == sizeof(raw->h.format));
+ memset(raw->pad, 0, sizeof(raw->pad));
+ memcpy(raw->h.format, cooked->format, sizeof(raw->h.format));
+ journal_pos_encode(&raw->h.begin, &cooked->begin);
+ journal_pos_encode(&raw->h.end, &cooked->end);
+ encode_uint32(cooked->index_size, raw->h.index_size);
+}
+
+/*
+ * Journal file I/O subroutines, with error checking and reporting.
+ */
+static isc_result_t
+journal_seek(dns_journal_t *j, isc_uint32_t offset) {
+ isc_result_t result;
+ result = isc_stdio_seek(j->fp, (long)offset, SEEK_SET);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: seek: %s", j->filename,
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ j->offset = offset;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_read(dns_journal_t *j, void *mem, size_t nbytes) {
+ isc_result_t result;
+
+ result = isc_stdio_read(mem, 1, nbytes, j->fp, NULL);
+ if (result != ISC_R_SUCCESS) {
+ if (result == ISC_R_EOF)
+ return (ISC_R_NOMORE);
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: read: %s",
+ j->filename, isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ j->offset += nbytes;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_write(dns_journal_t *j, void *mem, size_t nbytes) {
+ isc_result_t result;
+
+ result = isc_stdio_write(mem, 1, nbytes, j->fp, NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: write: %s",
+ j->filename, isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ j->offset += nbytes;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_fsync(dns_journal_t *j) {
+ isc_result_t result;
+ result = isc_stdio_flush(j->fp);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: flush: %s",
+ j->filename, isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ result = isc_stdio_sync(j->fp);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: fsync: %s",
+ j->filename, isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Read/write a transaction header at the current file position.
+ */
+
+static isc_result_t
+journal_read_xhdr(dns_journal_t *j, journal_xhdr_t *xhdr) {
+ journal_rawxhdr_t raw;
+ isc_result_t result;
+ result = journal_read(j, &raw, sizeof(raw));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ xhdr->size = decode_uint32(raw.size);
+ xhdr->serial0 = decode_uint32(raw.serial0);
+ xhdr->serial1 = decode_uint32(raw.serial1);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_write_xhdr(dns_journal_t *j, isc_uint32_t size,
+ isc_uint32_t serial0, isc_uint32_t serial1)
+{
+ journal_rawxhdr_t raw;
+ encode_uint32(size, raw.size);
+ encode_uint32(serial0, raw.serial0);
+ encode_uint32(serial1, raw.serial1);
+ return (journal_write(j, &raw, sizeof(raw)));
+}
+
+
+/*
+ * Read an RR header at the current file position.
+ */
+
+static isc_result_t
+journal_read_rrhdr(dns_journal_t *j, journal_rrhdr_t *rrhdr) {
+ journal_rawrrhdr_t raw;
+ isc_result_t result;
+ result = journal_read(j, &raw, sizeof(raw));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rrhdr->size = decode_uint32(raw.size);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_file_create(isc_mem_t *mctx, const char *filename) {
+ FILE *fp = NULL;
+ isc_result_t result;
+ journal_header_t header;
+ journal_rawheader_t rawheader;
+ int index_size = 56; /* XXX configurable */
+ int size;
+ void *mem; /* Memory for temporary index image. */
+
+ INSIST(sizeof(journal_rawheader_t) == JOURNAL_HEADER_SIZE);
+
+ result = isc_stdio_open(filename, "wb", &fp);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: create: %s",
+ filename, isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ header = initial_journal_header;
+ header.index_size = index_size;
+ journal_header_encode(&header, &rawheader);
+
+ size = sizeof(journal_rawheader_t) +
+ index_size * sizeof(journal_rawpos_t);
+
+ mem = isc_mem_get(mctx, size);
+ if (mem == NULL) {
+ (void)isc_stdio_close(fp);
+ (void)isc_file_remove(filename);
+ return (ISC_R_NOMEMORY);
+ }
+ memset(mem, 0, size);
+ memcpy(mem, &rawheader, sizeof(rawheader));
+
+ result = isc_stdio_write(mem, 1, (size_t) size, fp, NULL);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: write: %s",
+ filename, isc_result_totext(result));
+ (void)isc_stdio_close(fp);
+ (void)isc_file_remove(filename);
+ isc_mem_put(mctx, mem, size);
+ return (ISC_R_UNEXPECTED);
+ }
+ isc_mem_put(mctx, mem, size);
+
+ result = isc_stdio_close(fp);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: close: %s",
+ filename, isc_result_totext(result));
+ (void)isc_file_remove(filename);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ isc_boolean_t create, dns_journal_t **journalp) {
+ FILE *fp = NULL;
+ isc_result_t result;
+ journal_rawheader_t rawheader;
+ dns_journal_t *j;
+
+ INSIST(journalp != NULL && *journalp == NULL);
+ j = isc_mem_get(mctx, sizeof(*j));
+ if (j == NULL)
+ return (ISC_R_NOMEMORY);
+
+ j->mctx = mctx;
+ j->state = JOURNAL_STATE_INVALID;
+ j->fp = NULL;
+ j->filename = filename;
+ j->index = NULL;
+ j->rawindex = NULL;
+
+ result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
+
+ if (result == ISC_R_FILENOTFOUND) {
+ if (create) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS,
+ ISC_LOG_INFO,
+ "journal file %s does not exist, "
+ "creating it",
+ j->filename);
+ CHECK(journal_file_create(mctx, filename));
+ /*
+ * Retry.
+ */
+ result = isc_stdio_open(j->filename, "rb+", &fp);
+ } else {
+ FAIL(ISC_R_NOTFOUND);
+ }
+ }
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: open: %s",
+ j->filename, isc_result_totext(result));
+ FAIL(ISC_R_UNEXPECTED);
+ }
+
+ j->fp = fp;
+
+ /*
+ * Set magic early so that seek/read can succeed.
+ */
+ j->magic = DNS_JOURNAL_MAGIC;
+
+ CHECK(journal_seek(j, 0));
+ CHECK(journal_read(j, &rawheader, sizeof(rawheader)));
+
+ if (memcmp(rawheader.h.format, initial_journal_header.format,
+ sizeof(initial_journal_header.format)) != 0) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal format not recognized",
+ j->filename);
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ journal_header_decode(&rawheader, &j->header);
+
+ /*
+ * If there is an index, read the raw index into a dynamically
+ * allocated buffer and then convert it into a cooked index.
+ */
+ if (j->header.index_size != 0) {
+ unsigned int i;
+ unsigned int rawbytes;
+ unsigned char *p;
+
+ rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+ j->rawindex = isc_mem_get(mctx, rawbytes);
+ if (j->rawindex == NULL)
+ FAIL(ISC_R_NOMEMORY);
+
+ CHECK(journal_read(j, j->rawindex, rawbytes));
+
+ j->index = isc_mem_get(mctx, j->header.index_size *
+ sizeof(journal_pos_t));
+ if (j->index == NULL)
+ FAIL(ISC_R_NOMEMORY);
+
+ p = j->rawindex;
+ for (i = 0; i < j->header.index_size; i++) {
+ j->index[i].serial = decode_uint32(p);
+ p += 4;
+ j->index[i].offset = decode_uint32(p);
+ p += 4;
+ }
+ INSIST(p == j->rawindex + rawbytes);
+ }
+ j->offset = -1; /* Invalid, must seek explicitly. */
+
+ /*
+ * Initialize the iterator.
+ */
+ dns_name_init(&j->it.name, NULL);
+ dns_rdata_init(&j->it.rdata);
+
+ /*
+ * Set up empty initial buffers for uncheched and checked
+ * wire format RR data. They will be reallocated
+ * later.
+ */
+ isc_buffer_init(&j->it.source, NULL, 0);
+ isc_buffer_init(&j->it.target, NULL, 0);
+ dns_decompress_init(&j->it.dctx, -1, DNS_DECOMPRESS_NONE);
+
+ j->state =
+ write ? JOURNAL_STATE_WRITE : JOURNAL_STATE_READ;
+
+ *journalp = j;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ j->magic = 0;
+ if (j->index != NULL) {
+ isc_mem_put(j->mctx, j->index, j->header.index_size *
+ sizeof(journal_rawpos_t));
+ j->index = NULL;
+ }
+ if (j->fp != NULL)
+ (void)isc_stdio_close(j->fp);
+ isc_mem_put(j->mctx, j, sizeof(*j));
+ return (result);
+}
+
+isc_result_t
+dns_journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ dns_journal_t **journalp) {
+ return (journal_open(mctx, filename, write, write, journalp));
+}
+
+/*
+ * A comparison function defining the sorting order for
+ * entries in the IXFR-style journal file.
+ *
+ * The IXFR format requires that deletions are sorted before
+ * additions, and within either one, SOA records are sorted
+ * before others.
+ *
+ * Also sort the non-SOA records by type as a courtesy to the
+ * server receiving the IXFR - it may help reduce the amount of
+ * rdataset merging it has to do.
+ */
+static int
+ixfr_order(const void *av, const void *bv) {
+ dns_difftuple_t const * const *ap = av;
+ dns_difftuple_t const * const *bp = bv;
+ dns_difftuple_t const *a = *ap;
+ dns_difftuple_t const *b = *bp;
+ int r;
+
+ r = (b->op == DNS_DIFFOP_DEL) - (a->op == DNS_DIFFOP_DEL);
+ if (r != 0)
+ return (r);
+
+ r = (b->rdata.type == dns_rdatatype_soa) -
+ (a->rdata.type == dns_rdatatype_soa);
+ if (r != 0)
+ return (r);
+
+ r = (a->rdata.type - b->rdata.type);
+ return (r);
+}
+
+/*
+ * Advance '*pos' to the next journal transaction.
+ *
+ * Requires:
+ * *pos refers to a valid journal transaction.
+ *
+ * Ensures:
+ * When ISC_R_SUCCESS is returned,
+ * *pos refers to the next journal transaction.
+ *
+ * Returns one of:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE *pos pointed at the last transaction
+ * Other results due to file errors are possible.
+ */
+static isc_result_t
+journal_next(dns_journal_t *j, journal_pos_t *pos) {
+ isc_result_t result;
+ journal_xhdr_t xhdr;
+ REQUIRE(DNS_JOURNAL_VALID(j));
+
+ result = journal_seek(j, pos->offset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (pos->serial == j->header.end.serial)
+ return (ISC_R_NOMORE);
+ /*
+ * Read the header of the current transaction.
+ * This will return ISC_R_NOMORE if we are at EOF.
+ */
+ result = journal_read_xhdr(j, &xhdr);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Check serial number consistency.
+ */
+ if (xhdr.serial0 != pos->serial) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal file corrupt: "
+ "expected serial %u, got %u",
+ j->filename, pos->serial, xhdr.serial0);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Check for offset wraparound.
+ */
+ if ((isc_offset_t)(pos->offset + sizeof(journal_rawxhdr_t) + xhdr.size)
+ < pos->offset) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: offset too large", j->filename);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ pos->offset += sizeof(journal_rawxhdr_t) + xhdr.size;
+ pos->serial = xhdr.serial1;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * If the index of the journal 'j' contains an entry "better"
+ * than '*best_guess', replace '*best_guess' with it.
+ *
+ * "Better" means having a serial number closer to 'serial'
+ * but not greater than 'serial'.
+ */
+static void
+index_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *best_guess) {
+ unsigned int i;
+ if (j->index == NULL)
+ return;
+ for (i = 0; i < j->header.index_size; i++) {
+ if (POS_VALID(j->index[i]) &&
+ DNS_SERIAL_GE(serial, j->index[i].serial) &&
+ DNS_SERIAL_GT(j->index[i].serial, best_guess->serial))
+ *best_guess = j->index[i];
+ }
+}
+
+/*
+ * Add a new index entry. If there is no room, make room by removing
+ * the odd-numbered entries and compacting the others into the first
+ * half of the index. This decimates old index entries exponentially
+ * over time, so that the index always contains a much larger fraction
+ * of recent serial numbers than of old ones. This is deliberate -
+ * most index searches are for outgoing IXFR, and IXFR tends to request
+ * recent versions more often than old ones.
+ */
+static void
+index_add(dns_journal_t *j, journal_pos_t *pos) {
+ unsigned int i;
+ if (j->index == NULL)
+ return;
+ /*
+ * Search for a vacant position.
+ */
+ for (i = 0; i < j->header.index_size; i++) {
+ if (! POS_VALID(j->index[i]))
+ break;
+ }
+ if (i == j->header.index_size) {
+ unsigned int k = 0;
+ /*
+ * Found no vacant position. Make some room.
+ */
+ for (i = 0; i < j->header.index_size; i += 2) {
+ j->index[k++] = j->index[i];
+ }
+ i = k; /* 'i' identifies the first vacant position. */
+ while (k < j->header.index_size) {
+ POS_INVALIDATE(j->index[k]);
+ k++;
+ }
+ }
+ INSIST(i < j->header.index_size);
+ INSIST(! POS_VALID(j->index[i]));
+
+ /*
+ * Store the new index entry.
+ */
+ j->index[i] = *pos;
+}
+
+/*
+ * Invalidate any existing index entries that could become
+ * ambiguous when a new transaction with number 'serial' is added.
+ */
+static void
+index_invalidate(dns_journal_t *j, isc_uint32_t serial) {
+ unsigned int i;
+ if (j->index == NULL)
+ return;
+ for (i = 0; i < j->header.index_size; i++) {
+ if (! DNS_SERIAL_GT(serial, j->index[i].serial))
+ POS_INVALIDATE(j->index[i]);
+ }
+}
+
+/*
+ * Try to find a transaction with initial serial number 'serial'
+ * in the journal 'j'.
+ *
+ * If found, store its position at '*pos' and return ISC_R_SUCCESS.
+ *
+ * If 'serial' is current (= the ending serial number of the
+ * last transaction in the journal), set '*pos' to
+ * the position immediately following the last transaction and
+ * return ISC_R_SUCCESS.
+ *
+ * If 'serial' is within the range of addressable serial numbers
+ * covered by the journal but that particular serial number is missing
+ * (from the journal, not just from the index), return ISC_R_NOTFOUND.
+ *
+ * If 'serial' is outside the range of addressable serial numbers
+ * covered by the journal, return ISC_R_RANGE.
+ *
+ */
+static isc_result_t
+journal_find(dns_journal_t *j, isc_uint32_t serial, journal_pos_t *pos) {
+ isc_result_t result;
+ journal_pos_t current_pos;
+ REQUIRE(DNS_JOURNAL_VALID(j));
+
+ if (DNS_SERIAL_GT(j->header.begin.serial, serial))
+ return (ISC_R_RANGE);
+ if (DNS_SERIAL_GT(serial, j->header.end.serial))
+ return (ISC_R_RANGE);
+ if (serial == j->header.end.serial) {
+ *pos = j->header.end;
+ return (ISC_R_SUCCESS);
+ }
+
+ current_pos = j->header.begin;
+ index_find(j, serial, &current_pos);
+
+ while (current_pos.serial != serial) {
+ if (DNS_SERIAL_GT(current_pos.serial, serial))
+ return (ISC_R_NOTFOUND);
+ result = journal_next(j, &current_pos);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ *pos = current_pos;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_begin_transaction(dns_journal_t *j) {
+ isc_uint32_t offset;
+ isc_result_t result;
+ journal_rawxhdr_t hdr;
+
+ REQUIRE(DNS_JOURNAL_VALID(j));
+ REQUIRE(j->state == JOURNAL_STATE_WRITE);
+
+ /*
+ * Find the file offset where the new transaction should
+ * be written, and seek there.
+ */
+ if (JOURNAL_EMPTY(&j->header)) {
+ offset = sizeof(journal_rawheader_t) +
+ j->header.index_size * sizeof(journal_rawpos_t);
+ } else {
+ offset = j->header.end.offset;
+ }
+ j->x.pos[0].offset = offset;
+ j->x.pos[1].offset = offset; /* Initial value, will be incremented. */
+ j->x.n_soa = 0;
+
+ CHECK(journal_seek(j, offset));
+
+ /*
+ * Write a dummy transaction header of all zeroes to reserve
+ * space. It will be filled in when the transaction is
+ * finished.
+ */
+ memset(&hdr, 0, sizeof(hdr));
+ CHECK(journal_write(j, &hdr, sizeof(hdr)));
+ j->x.pos[1].offset = j->offset;
+
+ j->state = JOURNAL_STATE_TRANSACTION;
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+isc_result_t
+dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
+ dns_difftuple_t *t;
+ isc_buffer_t buffer;
+ void *mem = NULL;
+ unsigned int size;
+ isc_result_t result;
+ isc_region_t used;
+
+ REQUIRE(DNS_DIFF_VALID(diff));
+ REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
+
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "writing to journal");
+ (void)dns_diff_print(diff, NULL);
+
+ /*
+ * Pass 1: determine the buffer size needed, and
+ * keep track of SOA serial numbers.
+ */
+ size = 0;
+ for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ if (t->rdata.type == dns_rdatatype_soa) {
+ if (j->x.n_soa < 2)
+ j->x.pos[j->x.n_soa].serial =
+ dns_soa_getserial(&t->rdata);
+ j->x.n_soa++;
+ }
+ size += sizeof(journal_rawrrhdr_t);
+ size += t->name.length; /* XXX should have access macro? */
+ size += 10;
+ size += t->rdata.length;
+ }
+
+ mem = isc_mem_get(j->mctx, size);
+ if (mem == NULL)
+ return (ISC_R_NOMEMORY);
+
+ isc_buffer_init(&buffer, mem, size);
+
+ /*
+ * Pass 2. Write RRs to buffer.
+ */
+ for (t = ISC_LIST_HEAD(diff->tuples); t != NULL;
+ t = ISC_LIST_NEXT(t, link))
+ {
+ /*
+ * Write the RR header.
+ */
+ isc_buffer_putuint32(&buffer, t->name.length + 10 +
+ t->rdata.length);
+ /*
+ * Write the owner name, RR header, and RR data.
+ */
+ isc_buffer_putmem(&buffer, t->name.ndata, t->name.length);
+ isc_buffer_putuint16(&buffer, t->rdata.type);
+ isc_buffer_putuint16(&buffer, t->rdata.rdclass);
+ isc_buffer_putuint32(&buffer, t->ttl);
+ INSIST(t->rdata.length < 65536);
+ isc_buffer_putuint16(&buffer, (isc_uint16_t)t->rdata.length);
+ INSIST(isc_buffer_availablelength(&buffer) >= t->rdata.length);
+ isc_buffer_putmem(&buffer, t->rdata.data, t->rdata.length);
+ }
+
+ isc_buffer_usedregion(&buffer, &used);
+ INSIST(used.length == size);
+
+ j->x.pos[1].offset += used.length;
+
+ /*
+ * Write the buffer contents to the journal file.
+ */
+ CHECK(journal_write(j, used.base, used.length));
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (mem != NULL)
+ isc_mem_put(j->mctx, mem, size);
+ return (result);
+
+}
+
+isc_result_t
+dns_journal_commit(dns_journal_t *j) {
+ isc_result_t result;
+ journal_rawheader_t rawheader;
+
+ REQUIRE(DNS_JOURNAL_VALID(j));
+ REQUIRE(j->state == JOURNAL_STATE_TRANSACTION);
+
+ /*
+ * Perform some basic consistency checks.
+ */
+ if (j->x.n_soa != 2) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "malformed transaction: %d SOAs",
+ j->x.n_soa);
+ return (ISC_R_UNEXPECTED);
+ }
+ if (! (DNS_SERIAL_GT(j->x.pos[1].serial, j->x.pos[0].serial) ||
+ (bind8_compat &&
+ j->x.pos[1].serial == j->x.pos[0].serial)))
+ {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "malformed transaction: serial number "
+ "would decrease");
+ return (ISC_R_UNEXPECTED);
+ }
+ if (! JOURNAL_EMPTY(&j->header)) {
+ if (j->x.pos[0].serial != j->header.end.serial) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "malformed transaction: "
+ "%s last serial %u != "
+ "transaction first serial %u",
+ j->filename,
+ j->header.end.serial,
+ j->x.pos[0].serial);
+ return (ISC_R_UNEXPECTED);
+ }
+ }
+
+ /*
+ * Some old journal entries may become non-addressable
+ * when we increment the current serial number. Purge them
+ * by stepping header.begin forward to the first addressable
+ * transaction. Also purge them from the index.
+ */
+ if (! JOURNAL_EMPTY(&j->header)) {
+ while (! DNS_SERIAL_GT(j->x.pos[1].serial,
+ j->header.begin.serial)) {
+ CHECK(journal_next(j, &j->header.begin));
+ }
+ index_invalidate(j, j->x.pos[1].serial);
+ }
+#ifdef notyet
+ if (DNS_SERIAL_GT(last_dumped_serial, j->x.pos[1].serial)) {
+ force_dump(...);
+ }
+#endif
+
+ /*
+ * Commit the transaction data to stable storage.
+ */
+ CHECK(journal_fsync(j));
+
+ /*
+ * Update the transaction header.
+ */
+ CHECK(journal_seek(j, j->x.pos[0].offset));
+ CHECK(journal_write_xhdr(j, (j->x.pos[1].offset - j->x.pos[0].offset) -
+ sizeof(journal_rawxhdr_t),
+ j->x.pos[0].serial, j->x.pos[1].serial));
+
+ /*
+ * Update the journal header.
+ */
+ if (JOURNAL_EMPTY(&j->header)) {
+ j->header.begin = j->x.pos[0];
+ }
+ j->header.end = j->x.pos[1];
+ journal_header_encode(&j->header, &rawheader);
+ CHECK(journal_seek(j, 0));
+ CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+
+ /*
+ * Update the index.
+ */
+ index_add(j, &j->x.pos[0]);
+
+ /*
+ * Convert the index into on-disk format and write
+ * it to disk.
+ */
+ CHECK(index_to_disk(j));
+
+ /*
+ * Commit the header to stable storage.
+ */
+ CHECK(journal_fsync(j));
+
+ /*
+ * We no longer have a transaction open.
+ */
+ j->state = JOURNAL_STATE_WRITE;
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ return (result);
+}
+
+isc_result_t
+dns_journal_write_transaction(dns_journal_t *j, dns_diff_t *diff) {
+ isc_result_t result;
+ CHECK(dns_diff_sort(diff, ixfr_order));
+ CHECK(dns_journal_begin_transaction(j));
+ CHECK(dns_journal_writediff(j, diff));
+ CHECK(dns_journal_commit(j));
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+void
+dns_journal_destroy(dns_journal_t **journalp) {
+ dns_journal_t *j = *journalp;
+ REQUIRE(DNS_JOURNAL_VALID(j));
+
+ j->it.result = ISC_R_FAILURE;
+ dns_name_invalidate(&j->it.name);
+ dns_decompress_invalidate(&j->it.dctx);
+ if (j->rawindex != NULL)
+ isc_mem_put(j->mctx, j->rawindex, j->header.index_size *
+ sizeof(journal_rawpos_t));
+ if (j->index != NULL)
+ isc_mem_put(j->mctx, j->index, j->header.index_size *
+ sizeof(journal_pos_t));
+ if (j->it.target.base != NULL)
+ isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
+ if (j->it.source.base != NULL)
+ isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
+
+ if (j->fp != NULL)
+ (void)isc_stdio_close(j->fp);
+ j->magic = 0;
+ isc_mem_put(j->mctx, j, sizeof(*j));
+ *journalp = NULL;
+}
+
+/*
+ * Roll the open journal 'j' into the database 'db'.
+ * A new database version will be created.
+ */
+
+/* XXX Share code with incoming IXFR? */
+
+static isc_result_t
+roll_forward(dns_journal_t *j, dns_db_t *db) {
+ isc_buffer_t source; /* Transaction data from disk */
+ isc_buffer_t target; /* Ditto after _fromwire check */
+ isc_uint32_t db_serial; /* Database SOA serial */
+ isc_uint32_t end_serial; /* Last journal SOA serial */
+ isc_result_t result;
+ dns_dbversion_t *ver = NULL;
+ journal_pos_t pos;
+ dns_diff_t diff;
+ unsigned int n_soa = 0;
+ unsigned int n_put = 0;
+
+ REQUIRE(DNS_JOURNAL_VALID(j));
+ REQUIRE(DNS_DB_VALID(db));
+
+ dns_diff_init(j->mctx, &diff);
+
+ /*
+ * Set up empty initial buffers for uncheched and checked
+ * wire format transaction data. They will be reallocated
+ * later.
+ */
+ isc_buffer_init(&source, NULL, 0);
+ isc_buffer_init(&target, NULL, 0);
+
+ /*
+ * Create the new database version.
+ */
+ CHECK(dns_db_newversion(db, &ver));
+
+ /*
+ * Get the current database SOA serial number.
+ */
+ CHECK(dns_db_getsoaserial(db, ver, &db_serial));
+
+ /*
+ * Locate a journal entry for the current database serial.
+ */
+ CHECK(journal_find(j, db_serial, &pos));
+ /*
+ * XXX do more drastic things, like marking zone stale,
+ * if this fails?
+ */
+ /*
+ * XXXRTH The zone code should probably mark the zone as bad and
+ * scream loudly into the log if this is a dynamic update
+ * log reply that failed.
+ */
+
+ end_serial = dns_journal_last_serial(j);
+ if (db_serial == end_serial)
+ CHECK(DNS_R_UPTODATE);
+
+ CHECK(dns_journal_iter_init(j, db_serial, end_serial));
+
+ for (result = dns_journal_first_rr(j);
+ result == ISC_R_SUCCESS;
+ result = dns_journal_next_rr(j))
+ {
+ dns_name_t *name;
+ isc_uint32_t ttl;
+ dns_rdata_t *rdata;
+ dns_difftuple_t *tuple = NULL;
+
+ name = NULL;
+ rdata = NULL;
+ dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+ if (rdata->type == dns_rdatatype_soa) {
+ n_soa++;
+ if (n_soa == 2)
+ db_serial = j->it.current_serial;
+ }
+
+ if (n_soa == 3)
+ n_soa = 1;
+ if (n_soa == 0) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal file corrupt: missing "
+ "initial SOA", j->filename);
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
+ DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
+ name, ttl, rdata, &tuple));
+ dns_diff_append(&diff, &tuple);
+
+ if (++n_put > 100) {
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+ "applying diff to database (%u)",
+ db_serial);
+ (void)dns_diff_print(&diff, NULL);
+ CHECK(dns_diff_apply(&diff, db, ver));
+ dns_diff_clear(&diff);
+ n_put = 0;
+ }
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ CHECK(result);
+
+ if (n_put != 0) {
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+ "applying final diff to database (%u)",
+ db_serial);
+ (void)dns_diff_print(&diff, NULL);
+ CHECK(dns_diff_apply(&diff, db, ver));
+ dns_diff_clear(&diff);
+ }
+
+ failure:
+ if (ver != NULL)
+ dns_db_closeversion(db, &ver, result == ISC_R_SUCCESS ?
+ ISC_TRUE : ISC_FALSE);
+
+ if (source.base != NULL)
+ isc_mem_put(j->mctx, source.base, source.length);
+ if (target.base != NULL)
+ isc_mem_put(j->mctx, target.base, target.length);
+
+ dns_diff_clear(&diff);
+
+ return (result);
+}
+
+isc_result_t
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename) {
+ dns_journal_t *j;
+ isc_result_t result;
+
+ REQUIRE(DNS_DB_VALID(db));
+ REQUIRE(filename != NULL);
+
+ j = NULL;
+ result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
+ if (result == ISC_R_NOTFOUND) {
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3),
+ "no journal file, but that's OK");
+ return (DNS_R_NOJOURNAL);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (JOURNAL_EMPTY(&j->header))
+ result = DNS_R_UPTODATE;
+ else
+ result = roll_forward(j, db);
+
+ dns_journal_destroy(&j);
+
+ return (result);
+}
+
+isc_result_t
+dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
+ dns_journal_t *j;
+ isc_buffer_t source; /* Transaction data from disk */
+ isc_buffer_t target; /* Ditto after _fromwire check */
+ isc_uint32_t start_serial; /* Database SOA serial */
+ isc_uint32_t end_serial; /* Last journal SOA serial */
+ isc_result_t result;
+ dns_diff_t diff;
+ unsigned int n_soa = 0;
+ unsigned int n_put = 0;
+
+ REQUIRE(filename != NULL);
+
+ j = NULL;
+ result = dns_journal_open(mctx, filename, ISC_FALSE, &j);
+ if (result == ISC_R_NOTFOUND) {
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no journal file");
+ return (DNS_R_NOJOURNAL);
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "journal open failure");
+ return (result);
+ }
+
+ dns_diff_init(j->mctx, &diff);
+
+ /*
+ * Set up empty initial buffers for uncheched and checked
+ * wire format transaction data. They will be reallocated
+ * later.
+ */
+ isc_buffer_init(&source, NULL, 0);
+ isc_buffer_init(&target, NULL, 0);
+
+ start_serial = dns_journal_first_serial(j);
+ end_serial = dns_journal_last_serial(j);
+
+ CHECK(dns_journal_iter_init(j, start_serial, end_serial));
+
+ for (result = dns_journal_first_rr(j);
+ result == ISC_R_SUCCESS;
+ result = dns_journal_next_rr(j))
+ {
+ dns_name_t *name;
+ isc_uint32_t ttl;
+ dns_rdata_t *rdata;
+ dns_difftuple_t *tuple = NULL;
+
+ name = NULL;
+ rdata = NULL;
+ dns_journal_current_rr(j, &name, &ttl, &rdata);
+
+ if (rdata->type == dns_rdatatype_soa)
+ n_soa++;
+
+ if (n_soa == 3)
+ n_soa = 1;
+ if (n_soa == 0) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal file corrupt: missing "
+ "initial SOA", j->filename);
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
+ DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
+ name, ttl, rdata, &tuple));
+ dns_diff_append(&diff, &tuple);
+
+ if (++n_put > 100) {
+ result = dns_diff_print(&diff, file);
+ dns_diff_clear(&diff);
+ n_put = 0;
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ CHECK(result);
+
+ if (n_put != 0) {
+ result = dns_diff_print(&diff, file);
+ dns_diff_clear(&diff);
+ }
+ goto cleanup;
+
+ failure:
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: cannot print: journal file corrupt", j->filename);
+
+ cleanup:
+ if (source.base != NULL)
+ isc_mem_put(j->mctx, source.base, source.length);
+ if (target.base != NULL)
+ isc_mem_put(j->mctx, target.base, target.length);
+
+ dns_diff_clear(&diff);
+ dns_journal_destroy(&j);
+
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * Miscellaneous accessors.
+ */
+isc_uint32_t dns_journal_first_serial(dns_journal_t *j) {
+ return (j->header.begin.serial);
+}
+
+isc_uint32_t dns_journal_last_serial(dns_journal_t *j) {
+ return (j->header.end.serial);
+}
+
+/**************************************************************************/
+/*
+ * Iteration support.
+ *
+ * When serving an outgoing IXFR, we transmit a part the journal starting
+ * at the serial number in the IXFR request and ending at the serial
+ * number that is current when the IXFR request arrives. The ending
+ * serial number is not necessarily at the end of the journal:
+ * the journal may grow while the IXFR is in progress, but we stop
+ * when we reach the serial number that was current when the IXFR started.
+ */
+
+static isc_result_t read_one_rr(dns_journal_t *j);
+
+/*
+ * Make sure the buffer 'b' is has at least 'size' bytes
+ * allocated, and clear it.
+ *
+ * Requires:
+ * Either b->base is NULL, or it points to b->length bytes of memory
+ * previously allocated by isc_mem_get().
+ */
+
+static isc_result_t
+size_buffer(isc_mem_t *mctx, isc_buffer_t *b, unsigned size) {
+ if (b->length < size) {
+ void *mem = isc_mem_get(mctx, size);
+ if (mem == NULL)
+ return (ISC_R_NOMEMORY);
+ if (b->base != NULL)
+ isc_mem_put(mctx, b->base, b->length);
+ b->base = mem;
+ b->length = size;
+ }
+ isc_buffer_clear(b);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_journal_iter_init(dns_journal_t *j,
+ isc_uint32_t begin_serial, isc_uint32_t end_serial)
+{
+ isc_result_t result;
+
+ CHECK(journal_find(j, begin_serial, &j->it.bpos));
+ INSIST(j->it.bpos.serial == begin_serial);
+
+ CHECK(journal_find(j, end_serial, &j->it.epos));
+ INSIST(j->it.epos.serial == end_serial);
+
+ result = ISC_R_SUCCESS;
+ failure:
+ j->it.result = result;
+ return (j->it.result);
+}
+
+
+isc_result_t
+dns_journal_first_rr(dns_journal_t *j) {
+ isc_result_t result;
+
+ /*
+ * Seek to the beginning of the first transaction we are
+ * interested in.
+ */
+ CHECK(journal_seek(j, j->it.bpos.offset));
+ j->it.current_serial = j->it.bpos.serial;
+
+ j->it.xsize = 0; /* We have no transaction data yet... */
+ j->it.xpos = 0; /* ...and haven't used any of it. */
+
+ return (read_one_rr(j));
+
+ failure:
+ return (result);
+}
+
+static isc_result_t
+read_one_rr(dns_journal_t *j) {
+ isc_result_t result;
+
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ unsigned int rdlen;
+ isc_uint32_t ttl;
+ journal_xhdr_t xhdr;
+ journal_rrhdr_t rrhdr;
+
+ INSIST(j->offset <= j->it.epos.offset);
+ if (j->offset == j->it.epos.offset)
+ return (ISC_R_NOMORE);
+ if (j->it.xpos == j->it.xsize) {
+ /*
+ * We are at a transaction boundary.
+ * Read another transaction header.
+ */
+ CHECK(journal_read_xhdr(j, &xhdr));
+ if (xhdr.size == 0) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "journal corrupt: empty transaction");
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ if (xhdr.serial0 != j->it.current_serial) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal file corrupt: "
+ "expected serial %u, got %u",
+ j->filename,
+ j->it.current_serial, xhdr.serial0);
+ FAIL(ISC_R_UNEXPECTED);
+ }
+ j->it.xsize = xhdr.size;
+ j->it.xpos = 0;
+ }
+ /*
+ * Read an RR.
+ */
+ result = journal_read_rrhdr(j, &rrhdr);
+ /*
+ * Perform a sanity check on the journal RR size.
+ * The smallest possible RR has a 1-byte owner name
+ * and a 10-byte header. The largest possible
+ * RR has 65535 bytes of data, a header, and a maximum-
+ * size owner name, well below 70 k total.
+ */
+ if (rrhdr.size < 1+10 || rrhdr.size > 70000) {
+ isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+ "%s: journal corrupt: impossible RR size "
+ "(%d bytes)", j->filename, rrhdr.size);
+ FAIL(ISC_R_UNEXPECTED);
+ }
+
+ CHECK(size_buffer(j->mctx, &j->it.source, rrhdr.size));
+ CHECK(journal_read(j, j->it.source.base, rrhdr.size));
+ isc_buffer_add(&j->it.source, rrhdr.size);
+
+ /*
+ * The target buffer is made the same size
+ * as the source buffer, with the assumption that when
+ * no compression in present, the output of dns_*_fromwire()
+ * is no larger than the input.
+ */
+ CHECK(size_buffer(j->mctx, &j->it.target, rrhdr.size));
+
+ /*
+ * Parse the owner name. We don't know where it
+ * ends yet, so we make the entire "remaining"
+ * part of the buffer "active".
+ */
+ isc_buffer_setactive(&j->it.source,
+ j->it.source.used - j->it.source.current);
+ CHECK(dns_name_fromwire(&j->it.name, &j->it.source,
+ &j->it.dctx, 0, &j->it.target));
+
+ /*
+ * Check that the RR header is there, and parse it.
+ */
+ if (isc_buffer_remaininglength(&j->it.source) < 10)
+ FAIL(DNS_R_FORMERR);
+
+ rdtype = isc_buffer_getuint16(&j->it.source);
+ rdclass = isc_buffer_getuint16(&j->it.source);
+ ttl = isc_buffer_getuint32(&j->it.source);
+ rdlen = isc_buffer_getuint16(&j->it.source);
+
+ /*
+ * Parse the rdata.
+ */
+ isc_buffer_setactive(&j->it.source, rdlen);
+ dns_rdata_reset(&j->it.rdata);
+ CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass,
+ rdtype, &j->it.source, &j->it.dctx,
+ 0, &j->it.target));
+ j->it.ttl = ttl;
+
+ j->it.xpos += sizeof(journal_rawrrhdr_t) + rrhdr.size;
+ if (rdtype == dns_rdatatype_soa) {
+ /* XXX could do additional consistency checks here */
+ j->it.current_serial = dns_soa_getserial(&j->it.rdata);
+ }
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ j->it.result = result;
+ return (result);
+}
+
+isc_result_t
+dns_journal_next_rr(dns_journal_t *j) {
+ j->it.result = read_one_rr(j);
+ return (j->it.result);
+}
+
+void
+dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
+ dns_rdata_t **rdata)
+{
+ REQUIRE(j->it.result == ISC_R_SUCCESS);
+ *name = &j->it.name;
+ *ttl = j->it.ttl;
+ *rdata = &j->it.rdata;
+}
+
+/**************************************************************************/
+/*
+ * Generating diffs from databases
+ */
+
+/*
+ * Construct a diff containing all the RRs at the current name of the
+ * database iterator 'dbit' in database 'db', version 'ver'.
+ * Set '*name' to the current name, and append the diff to 'diff'.
+ * All new tuples will have the operation 'op'.
+ *
+ * Requires: 'name' must have buffer large enough to hold the name.
+ * Typically, a dns_fixedname_t would be used.
+ */
+static isc_result_t
+get_name_diff(dns_db_t *db, dns_dbversion_t *ver, isc_stdtime_t now,
+ dns_dbiterator_t *dbit, dns_name_t *name, dns_diffop_t op,
+ dns_diff_t *diff)
+{
+ isc_result_t result;
+ dns_dbnode_t *node = NULL;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_difftuple_t *tuple = NULL;
+
+ result = dns_dbiterator_current(dbit, &node, name);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_db_allrdatasets(db, node, ver, now, &rdsiter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_node;
+
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter))
+ {
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+
+ for (result = dns_rdataset_first(&rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&rdataset))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(&rdataset, &rdata);
+ result = dns_difftuple_create(diff->mctx, op, name,
+ rdataset.ttl, &rdata,
+ &tuple);
+ if (result != ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&rdataset);
+ goto cleanup_iterator;
+ }
+ dns_diff_append(diff, &tuple);
+ }
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOMORE)
+ goto cleanup_iterator;
+ }
+ if (result != ISC_R_NOMORE)
+ goto cleanup_iterator;
+
+ result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+ dns_rdatasetiter_destroy(&rdsiter);
+
+ cleanup_node:
+ dns_db_detachnode(db, &node);
+
+ return (result);
+}
+
+/*
+ * Comparison function for use by dns_diff_subtract when sorting
+ * the diffs to be subtracted. The sort keys are the rdata type
+ * and the rdata itself. The owner name is ignored, because
+ * it is known to be the same for all tuples.
+ */
+static int
+rdata_order(const void *av, const void *bv) {
+ dns_difftuple_t const * const *ap = av;
+ dns_difftuple_t const * const *bp = bv;
+ dns_difftuple_t const *a = *ap;
+ dns_difftuple_t const *b = *bp;
+ int r;
+ r = (b->rdata.type - a->rdata.type);
+ if (r != 0)
+ return (r);
+ r = dns_rdata_compare(&a->rdata, &b->rdata);
+ return (r);
+}
+
+static isc_result_t
+dns_diff_subtract(dns_diff_t diff[2], dns_diff_t *r) {
+ isc_result_t result;
+ dns_difftuple_t *p[2];
+ int i, t;
+ CHECK(dns_diff_sort(&diff[0], rdata_order));
+ CHECK(dns_diff_sort(&diff[1], rdata_order));
+
+ for (;;) {
+ p[0] = ISC_LIST_HEAD(diff[0].tuples);
+ p[1] = ISC_LIST_HEAD(diff[1].tuples);
+ if (p[0] == NULL && p[1] == NULL)
+ break;
+
+ for (i = 0; i < 2; i++)
+ if (p[!i] == NULL) {
+ ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+ ISC_LIST_APPEND(r->tuples, p[i], link);
+ goto next;
+ }
+ t = rdata_order(&p[0], &p[1]);
+ if (t < 0) {
+ ISC_LIST_UNLINK(diff[0].tuples, p[0], link);
+ ISC_LIST_APPEND(r->tuples, p[0], link);
+ goto next;
+ }
+ if (t > 0) {
+ ISC_LIST_UNLINK(diff[1].tuples, p[1], link);
+ ISC_LIST_APPEND(r->tuples, p[1], link);
+ goto next;
+ }
+ INSIST(t == 0);
+ /*
+ * Identical RRs in both databases; skip them both.
+ */
+ for (i = 0; i < 2; i++) {
+ ISC_LIST_UNLINK(diff[i].tuples, p[i], link);
+ dns_difftuple_free(&p[i]);
+ }
+ next: ;
+ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/*
+ * Compare the databases 'dba' and 'dbb' and generate a journal
+ * entry containing the changes to make 'dba' from 'dbb' (note
+ * the order). This journal entry will consist of a single,
+ * possibly very large transaction.
+ */
+
+isc_result_t
+dns_db_diff(isc_mem_t *mctx,
+ dns_db_t *dba, dns_dbversion_t *dbvera,
+ dns_db_t *dbb, dns_dbversion_t *dbverb,
+ const char *journal_filename)
+{
+ dns_db_t *db[2];
+ dns_dbversion_t *ver[2];
+ dns_dbiterator_t *dbit[2] = { NULL, NULL };
+ isc_boolean_t have[2] = { ISC_FALSE, ISC_FALSE };
+ dns_fixedname_t fixname[2];
+ isc_result_t result, itresult[2];
+ dns_diff_t diff[2], resultdiff;
+ int i, t;
+ dns_journal_t *journal = NULL;
+
+ db[0] = dba, db[1] = dbb;
+ ver[0] = dbvera, ver[1] = dbverb;
+
+ dns_diff_init(mctx, &diff[0]);
+ dns_diff_init(mctx, &diff[1]);
+ dns_diff_init(mctx, &resultdiff);
+
+ dns_fixedname_init(&fixname[0]);
+ dns_fixedname_init(&fixname[1]);
+
+ result = dns_journal_open(mctx, journal_filename, ISC_TRUE, &journal);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_db_createiterator(db[0], ISC_FALSE, &dbit[0]);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_journal;
+ result = dns_db_createiterator(db[1], ISC_FALSE, &dbit[1]);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_interator0;
+
+ itresult[0] = dns_dbiterator_first(dbit[0]);
+ itresult[1] = dns_dbiterator_first(dbit[1]);
+
+ for (;;) {
+ for (i = 0; i < 2; i++) {
+ if (! have[i] && itresult[i] == ISC_R_SUCCESS) {
+ CHECK(get_name_diff(db[i], ver[i], 0, dbit[i],
+ dns_fixedname_name(&fixname[i]),
+ i == 0 ?
+ DNS_DIFFOP_ADD :
+ DNS_DIFFOP_DEL,
+ &diff[i]));
+ itresult[i] = dns_dbiterator_next(dbit[i]);
+ have[i] = ISC_TRUE;
+ }
+ }
+
+ if (! have[0] && ! have[1]) {
+ INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+ INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+ break;
+ }
+
+ for (i = 0; i < 2; i++) {
+ if (! have[!i]) {
+ ISC_LIST_APPENDLIST(resultdiff.tuples,
+ diff[i].tuples, link);
+ INSIST(ISC_LIST_EMPTY(diff[i].tuples));
+ have[i] = ISC_FALSE;
+ goto next;
+ }
+ }
+
+ t = dns_name_compare(dns_fixedname_name(&fixname[0]),
+ dns_fixedname_name(&fixname[1]));
+ if (t < 0) {
+ ISC_LIST_APPENDLIST(resultdiff.tuples,
+ diff[0].tuples, link);
+ INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+ have[0] = ISC_FALSE;
+ continue;
+ }
+ if (t > 0) {
+ ISC_LIST_APPENDLIST(resultdiff.tuples,
+ diff[1].tuples, link);
+ INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+ have[1] = ISC_FALSE;
+ continue;
+ }
+ INSIST(t == 0);
+ CHECK(dns_diff_subtract(diff, &resultdiff));
+ INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+ INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+ have[0] = have[1] = ISC_FALSE;
+ next: ;
+ }
+ if (itresult[0] != ISC_R_NOMORE)
+ FAIL(itresult[0]);
+ if (itresult[1] != ISC_R_NOMORE)
+ FAIL(itresult[1]);
+
+ if (ISC_LIST_EMPTY(resultdiff.tuples)) {
+ isc_log_write(JOURNAL_DEBUG_LOGARGS(3), "no changes");
+ } else {
+ CHECK(dns_journal_write_transaction(journal, &resultdiff));
+ }
+ INSIST(ISC_LIST_EMPTY(diff[0].tuples));
+ INSIST(ISC_LIST_EMPTY(diff[1].tuples));
+
+ failure:
+ dns_diff_clear(&resultdiff);
+ dns_dbiterator_destroy(&dbit[1]);
+ cleanup_interator0:
+ dns_dbiterator_destroy(&dbit[0]);
+ cleanup_journal:
+ dns_journal_destroy(&journal);
+ return (result);
+}
+
+isc_result_t
+dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
+ isc_uint32_t target_size)
+{
+ unsigned int i;
+ journal_pos_t best_guess;
+ journal_pos_t current_pos;
+ dns_journal_t *j = NULL;
+ journal_rawheader_t rawheader;
+ unsigned int copy_length;
+ unsigned int len;
+ char *buf = NULL;
+ unsigned int size = 0;
+ isc_result_t result;
+ unsigned int indexend;
+
+ CHECK(journal_open(mctx, filename, ISC_TRUE, ISC_FALSE, &j));
+
+ if (JOURNAL_EMPTY(&j->header)) {
+ dns_journal_destroy(&j);
+ return (ISC_R_SUCCESS);
+ }
+
+ if (DNS_SERIAL_GT(j->header.begin.serial, serial) ||
+ DNS_SERIAL_GT(serial, j->header.end.serial)) {
+ dns_journal_destroy(&j);
+ return (ISC_R_RANGE);
+ }
+
+ /*
+ * Cope with very small target sizes.
+ */
+ indexend = sizeof(journal_rawheader_t) +
+ j->header.index_size * sizeof(journal_rawpos_t);
+ if (target_size < indexend * 2)
+ target_size = target_size/2 + indexend;
+
+ /*
+ * See if there is any work to do.
+ */
+ if ((isc_uint32_t) j->header.end.offset < target_size) {
+ dns_journal_destroy(&j);
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Remove overhead so space test below can succeed.
+ */
+ if (target_size >= indexend)
+ target_size -= indexend;
+
+ /*
+ * Find if we can create enough free space.
+ */
+ best_guess = j->header.begin;
+ for (i = 0; i < j->header.index_size; i++) {
+ if (POS_VALID(j->index[i]) &&
+ DNS_SERIAL_GE(serial, j->index[i].serial) &&
+ ((isc_uint32_t)(j->header.end.offset - j->index[i].offset)
+ >= target_size / 2) &&
+ j->index[i].offset > best_guess.offset)
+ best_guess = j->index[i];
+ }
+
+ current_pos = best_guess;
+ while (current_pos.serial != serial) {
+ CHECK(journal_next(j, &current_pos));
+ if (current_pos.serial == j->header.end.serial)
+ break;
+
+ if (DNS_SERIAL_GE(serial, current_pos.serial) &&
+ ((isc_uint32_t)(j->header.end.offset - current_pos.offset)
+ >= (target_size / 2)) &&
+ current_pos.offset > best_guess.offset)
+ best_guess = current_pos;
+ else
+ break;
+ }
+
+ INSIST(best_guess.serial != j->header.end.serial);
+ if (best_guess.serial != serial)
+ CHECK(journal_next(j, &best_guess));
+
+ /*
+ * Enough space to proceed?
+ */
+ if ((isc_uint32_t) (j->header.end.offset - best_guess.offset) >
+ (isc_uint32_t) (best_guess.offset - indexend)) {
+ dns_journal_destroy(&j);
+ return (ISC_R_NOSPACE);
+ }
+
+ copy_length = j->header.end.offset - best_guess.offset;
+
+ /*
+ * Invalidate entire index, will be rebuilt at end.
+ */
+ for (i = 0; i < j->header.index_size; i++) {
+ if (POS_VALID(j->index[i]))
+ POS_INVALIDATE(j->index[i]);
+ }
+
+ /*
+ * Convert the index into on-disk format and write
+ * it to disk.
+ */
+ CHECK(index_to_disk(j));
+ CHECK(journal_fsync(j));
+
+ /*
+ * Update the journal header.
+ */
+ if (copy_length == 0) {
+ j->header.begin.serial = 0;
+ j->header.end.serial = 0;
+ j->header.begin.offset = 0;
+ j->header.end.offset = 0;
+ } else {
+ j->header.begin = best_guess;
+ }
+ journal_header_encode(&j->header, &rawheader);
+ CHECK(journal_seek(j, 0));
+ CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+ CHECK(journal_fsync(j));
+
+ if (copy_length != 0) {
+ /*
+ * Copy best_guess to end into space just freed.
+ */
+ size = 64*1024;
+ if (copy_length < size)
+ size = copy_length;
+ buf = isc_mem_get(mctx, size);
+ if (buf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+
+ for (i = 0; i < copy_length; i += size) {
+ len = (copy_length - i) > size ? size :
+ (copy_length - i);
+ CHECK(journal_seek(j, best_guess.offset + i));
+ CHECK(journal_read(j, buf, len));
+ CHECK(journal_seek(j, indexend + i));
+ CHECK(journal_write(j, buf, len));
+ }
+
+ CHECK(journal_fsync(j));
+
+ /*
+ * Compute new header.
+ */
+ j->header.begin.offset = indexend;
+ j->header.end.offset = indexend + copy_length;
+ /*
+ * Update the journal header.
+ */
+ journal_header_encode(&j->header, &rawheader);
+ CHECK(journal_seek(j, 0));
+ CHECK(journal_write(j, &rawheader, sizeof(rawheader)));
+ CHECK(journal_fsync(j));
+
+ /*
+ * Build new index.
+ */
+ current_pos = j->header.begin;
+ while (current_pos.serial != j->header.end.serial) {
+ index_add(j, &current_pos);
+ CHECK(journal_next(j, &current_pos));
+ }
+
+ /*
+ * Write index.
+ */
+ CHECK(index_to_disk(j));
+ CHECK(journal_fsync(j));
+
+ indexend = j->header.end.offset;
+ }
+ dns_journal_destroy(&j);
+ (void)isc_file_truncate(filename, (isc_offset_t)indexend);
+ result = ISC_R_SUCCESS;
+
+ failure:
+ if (buf != NULL)
+ isc_mem_put(mctx, buf, size);
+ if (j != NULL)
+ dns_journal_destroy(&j);
+ return (result);
+}
+
+static isc_result_t
+index_to_disk(dns_journal_t *j) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ if (j->header.index_size != 0) {
+ unsigned int i;
+ unsigned char *p;
+ unsigned int rawbytes;
+
+ rawbytes = j->header.index_size * sizeof(journal_rawpos_t);
+
+ p = j->rawindex;
+ for (i = 0; i < j->header.index_size; i++) {
+ encode_uint32(j->index[i].serial, p);
+ p += 4;
+ encode_uint32(j->index[i].offset, p);
+ p += 4;
+ }
+ INSIST(p == j->rawindex + rawbytes);
+
+ CHECK(journal_seek(j, sizeof(journal_rawheader_t)));
+ CHECK(journal_write(j, j->rawindex, rawbytes));
+ }
+failure:
+ return (result);
+}
diff --git a/contrib/bind9/lib/dns/keytable.c b/contrib/bind9/lib/dns/keytable.c
new file mode 100644
index 0000000..922c09a
--- /dev/null
+++ b/contrib/bind9/lib/dns/keytable.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keytable.c,v 1.26.12.3 2004/03/08 09:04:30 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/rwlock.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/keytable.h>
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+struct dns_keytable {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ isc_rwlock_t rwlock;
+ /* Locked by lock. */
+ isc_uint32_t active_nodes;
+ /* Locked by rwlock. */
+ isc_uint32_t references;
+ dns_rbt_t *table;
+};
+
+#define KEYTABLE_MAGIC ISC_MAGIC('K', 'T', 'b', 'l')
+#define VALID_KEYTABLE(kt) ISC_MAGIC_VALID(kt, KEYTABLE_MAGIC)
+
+struct dns_keynode {
+ unsigned int magic;
+ dst_key_t * key;
+ struct dns_keynode * next;
+};
+
+#define KEYNODE_MAGIC ISC_MAGIC('K', 'N', 'o', 'd')
+#define VALID_KEYNODE(kn) ISC_MAGIC_VALID(kn, KEYNODE_MAGIC)
+
+static void
+free_keynode(void *node, void *arg) {
+ dns_keynode_t *keynode = node;
+ isc_mem_t *mctx = arg;
+
+ REQUIRE(VALID_KEYNODE(keynode));
+ dst_key_free(&keynode->key);
+ if (keynode->next != NULL)
+ free_keynode(keynode->next, mctx);
+ isc_mem_put(mctx, keynode, sizeof(dns_keynode_t));
+}
+
+isc_result_t
+dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
+ dns_keytable_t *keytable;
+ isc_result_t result;
+
+ /*
+ * Create a keytable.
+ */
+
+ REQUIRE(keytablep != NULL && *keytablep == NULL);
+
+ keytable = isc_mem_get(mctx, sizeof(*keytable));
+ if (keytable == NULL)
+ return (ISC_R_NOMEMORY);
+
+ keytable->table = NULL;
+ result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_keytable;
+
+ result = isc_mutex_init(&keytable->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_rbt;
+ }
+
+ result = isc_rwlock_init(&keytable->rwlock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_lock;
+ }
+
+ keytable->mctx = mctx;
+ keytable->active_nodes = 0;
+ keytable->references = 1;
+ keytable->magic = KEYTABLE_MAGIC;
+ *keytablep = keytable;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+ DESTROYLOCK(&keytable->lock);
+
+ cleanup_rbt:
+ dns_rbt_destroy(&keytable->table);
+
+ cleanup_keytable:
+ isc_mem_put(mctx, keytable, sizeof(*keytable));
+
+ return (result);
+}
+
+
+void
+dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
+
+ /*
+ * Attach *targetp to source.
+ */
+
+ REQUIRE(VALID_KEYTABLE(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ RWLOCK(&source->rwlock, isc_rwlocktype_write);
+
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0);
+
+ RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
+
+ *targetp = source;
+}
+
+void
+dns_keytable_detach(dns_keytable_t **keytablep) {
+ isc_boolean_t destroy = ISC_FALSE;
+ dns_keytable_t *keytable;
+
+ /*
+ * Detach *keytablep from its keytable.
+ */
+
+ REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
+
+ keytable = *keytablep;
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+ INSIST(keytable->references > 0);
+ keytable->references--;
+ LOCK(&keytable->lock);
+ if (keytable->references == 0 && keytable->active_nodes == 0)
+ destroy = ISC_TRUE;
+ UNLOCK(&keytable->lock);
+
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+ if (destroy) {
+ dns_rbt_destroy(&keytable->table);
+ isc_rwlock_destroy(&keytable->rwlock);
+ DESTROYLOCK(&keytable->lock);
+ keytable->magic = 0;
+ isc_mem_put(keytable->mctx, keytable, sizeof(*keytable));
+ }
+
+ *keytablep = NULL;
+}
+
+isc_result_t
+dns_keytable_add(dns_keytable_t *keytable, dst_key_t **keyp) {
+ isc_result_t result;
+ dns_keynode_t *knode;
+ dns_rbtnode_t *node;
+ dns_name_t *keyname;
+
+ /*
+ * Add '*keyp' to 'keytable'.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(keyp != NULL);
+
+ keyname = dst_key_name(*keyp);
+
+ knode = isc_mem_get(keytable->mctx, sizeof(*knode));
+ if (knode == NULL)
+ return (ISC_R_NOMEMORY);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+ node = NULL;
+ result = dns_rbt_addnode(keytable->table, keyname, &node);
+
+ if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+ knode->magic = KEYNODE_MAGIC;
+ knode->key = *keyp;
+ knode->next = node->data;
+ node->data = knode;
+ *keyp = NULL;
+ knode = NULL;
+ result = ISC_R_SUCCESS;
+ }
+
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
+
+ if (knode != NULL)
+ isc_mem_put(keytable->mctx, knode, sizeof(*knode));
+
+ return (result);
+}
+
+isc_result_t
+dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
+ dns_secalg_t algorithm, dns_keytag_t tag,
+ dns_keynode_t **keynodep)
+{
+ isc_result_t result;
+ dns_keynode_t *knode;
+ void *data;
+
+ /*
+ * Search for a key named 'name', matching 'algorithm' and 'tag' in
+ * 'keytable'.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(keynodep != NULL && *keynodep == NULL);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ knode = NULL;
+ data = NULL;
+ result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
+
+ if (result == ISC_R_SUCCESS) {
+ INSIST(data != NULL);
+ for (knode = data; knode != NULL; knode = knode->next) {
+ if (algorithm == dst_key_alg(knode->key)
+ && tag == dst_key_id(knode->key))
+ break;
+ }
+ if (knode != NULL) {
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+ *keynodep = knode;
+ } else
+ result = ISC_R_NOTFOUND;
+ } else if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+isc_result_t
+dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
+ dns_keynode_t **nextnodep)
+{
+ isc_result_t result;
+ dns_keynode_t *knode;
+
+ /*
+ * Search for the next key with the same properties as 'keynode' in
+ * 'keytable'.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(VALID_KEYNODE(keynode));
+ REQUIRE(nextnodep != NULL && *nextnodep == NULL);
+
+ for (knode = keynode->next; knode != NULL; knode = knode->next) {
+ if (dst_key_alg(keynode->key) == dst_key_alg(knode->key) &&
+ dst_key_id(keynode->key) == dst_key_id(knode->key))
+ break;
+ }
+ if (knode != NULL) {
+ LOCK(&keytable->lock);
+ keytable->active_nodes++;
+ UNLOCK(&keytable->lock);
+ result = ISC_R_SUCCESS;
+ *nextnodep = knode;
+ } else
+ result = ISC_R_NOTFOUND;
+
+ return (result);
+}
+
+isc_result_t
+dns_keytable_finddeepestmatch(dns_keytable_t *keytable, dns_name_t *name,
+ dns_name_t *foundname)
+{
+ isc_result_t result;
+ void *data;
+
+ /*
+ * Search for the deepest match in 'keytable'.
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(foundname != NULL);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ data = NULL;
+ result = dns_rbt_findname(keytable->table, name, 0, foundname, &data);
+
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ result = ISC_R_SUCCESS;
+
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+void
+dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
+{
+ /*
+ * Give back a keynode found via dns_keytable_findkeynode().
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
+
+ LOCK(&keytable->lock);
+ INSIST(keytable->active_nodes > 0);
+ keytable->active_nodes--;
+ UNLOCK(&keytable->lock);
+
+ *keynodep = NULL;
+}
+
+isc_result_t
+dns_keytable_issecuredomain(dns_keytable_t *keytable, dns_name_t *name,
+ isc_boolean_t *wantdnssecp)
+{
+ isc_result_t result;
+ void *data;
+
+ /*
+ * Is 'name' at or beneath a trusted key?
+ */
+
+ REQUIRE(VALID_KEYTABLE(keytable));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(wantdnssecp != NULL);
+
+ RWLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ data = NULL;
+ result = dns_rbt_findname(keytable->table, name, 0, NULL, &data);
+
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ INSIST(data != NULL);
+ *wantdnssecp = ISC_TRUE;
+ result = ISC_R_SUCCESS;
+ } else if (result == ISC_R_NOTFOUND) {
+ *wantdnssecp = ISC_FALSE;
+ result = ISC_R_SUCCESS;
+ }
+
+ RWUNLOCK(&keytable->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+dst_key_t *
+dns_keynode_key(dns_keynode_t *keynode) {
+
+ /*
+ * Get the DST key associated with keynode.
+ */
+
+ REQUIRE(VALID_KEYNODE(keynode));
+
+ return (keynode->key);
+}
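Review bot: In `dns_keytable_detach` the table is freed only when `references == 0 && active_nodes == 0`, and `dns_keytable_detachkeynode` only decrements `active_nodes` without rechecking that condition. A final detach made while a keynode is still held therefore leaves the rbt, both locks and the struct allocated permanently, because nothing revisits the teardown once the last keynode is returned. Either the destroy check should be repeated in `dns_keytable_detachkeynode` when `active_nodes` reaches zero, or the contract should be stated on `dns_keytable_detach`, e.g. `/* All keynodes must be returned with dns_keytable_detachkeynode() before the last reference is dropped. */`. Since `references` is guarded by `rwlock` and `active_nodes` by `lock`, a recheck in `dns_keytable_detachkeynode` would need to take both in the same order `dns_keytable_detach` does.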
diff --git a/contrib/bind9/lib/dns/lib.c b/contrib/bind9/lib/dns/lib.c
new file mode 100644
index 0000000..4449067
--- /dev/null
+++ b/contrib/bind9/lib/dns/lib.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.c,v 1.9.12.3 2004/03/08 09:04:30 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <dns/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBDNS_EXTERNAL_DATA isc_msgcat_t * dns_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+ isc_msgcat_open("libdns.cat", &dns_msgcat);
+}
+
+void
+dns_lib_initmsgcat(void) {
+
+ /*
+ * Initialize the DNS library's message catalog, dns_msgcat, if it
+ * has not already been initialized.
+ */
+
+ RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
diff --git a/contrib/bind9/lib/dns/log.c b/contrib/bind9/lib/dns/log.c
new file mode 100644
index 0000000..d240767
--- /dev/null
+++ b/contrib/bind9/lib/dns/log.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.c,v 1.33.2.2.10.3 2004/03/06 08:13:39 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <dns/log.h>
+
+/*
+ * When adding a new category, be sure to add the appropriate
+ * #define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
+ { "notify", 0 },
+ { "database", 0 },
+ { "security", 0 },
+ { "_placeholder", 0 },
+ { "dnssec", 0 },
+ { "resolver", 0 },
+ { "xfer-in", 0 },
+ { "xfer-out", 0 },
+ { "dispatch", 0 },
+ { "lame-servers", 0 },
+ { "delegation-only", 0 },
+ { NULL, 0 }
+};
+
+/*
+ * When adding a new module, be sure to add the appropriate
+ * #define to <dns/log.h>.
+ */
+LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
+ { "dns/db", 0 },
+ { "dns/rbtdb", 0 },
+ { "dns/rbtdb64", 0 },
+ { "dns/rbt", 0 },
+ { "dns/rdata", 0 },
+ { "dns/master", 0 },
+ { "dns/message", 0 },
+ { "dns/cache", 0 },
+ { "dns/config", 0 },
+ { "dns/resolver", 0 },
+ { "dns/zone", 0 },
+ { "dns/journal", 0 },
+ { "dns/adb", 0 },
+ { "dns/xfrin", 0 },
+ { "dns/xfrout", 0 },
+ { "dns/acl", 0 },
+ { "dns/validator", 0 },
+ { "dns/dispatch", 0 },
+ { "dns/request", 0 },
+ { "dns/masterdump", 0 },
+ { "dns/tsig", 0 },
+ { "dns/tkey", 0 },
+ { "dns/sdb", 0 },
+ { "dns/diff", 0 },
+ { "dns/hints", 0 },
+ { NULL, 0 }
+};
+
+LIBDNS_EXTERNAL_DATA isc_log_t *dns_lctx = NULL;
+
+void
+dns_log_init(isc_log_t *lctx) {
+ REQUIRE(lctx != NULL);
+
+ isc_log_registercategories(lctx, dns_categories);
+ isc_log_registermodules(lctx, dns_modules);
+}
+
+void
+dns_log_setcontext(isc_log_t *lctx) {
+ dns_lctx = lctx;
+}
diff --git a/contrib/bind9/lib/dns/lookup.c b/contrib/bind9/lib/dns/lookup.c
new file mode 100644
index 0000000..e593c7b
--- /dev/null
+++ b/contrib/bind9/lib/dns/lookup.c
@@ -0,0 +1,487 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lookup.c,v 1.9.12.5 2004/04/15 02:10:40 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/lookup.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/view.h>
+
+struct dns_lookup {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ dns_rdatatype_t type;
+ dns_fixedname_t name;
+ /* Locked by lock. */
+ unsigned int options;
+ isc_task_t * task;
+ dns_view_t * view;
+ dns_lookupevent_t * event;
+ dns_fetch_t * fetch;
+ unsigned int restarts;
+ isc_boolean_t canceled;
+ dns_rdataset_t rdataset;
+ dns_rdataset_t sigrdataset;
+};
+
+#define LOOKUP_MAGIC ISC_MAGIC('l', 'o', 'o', 'k')
+#define VALID_LOOKUP(l) ISC_MAGIC_VALID((l), LOOKUP_MAGIC)
+
+#define MAX_RESTARTS 16
+
+static void lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event);
+
+static void
+fetch_done(isc_task_t *task, isc_event_t *event) {
+ dns_lookup_t *lookup = event->ev_arg;
+ dns_fetchevent_t *fevent;
+
+ UNUSED(task);
+ REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+ REQUIRE(VALID_LOOKUP(lookup));
+ REQUIRE(lookup->task == task);
+ fevent = (dns_fetchevent_t *)event;
+ REQUIRE(fevent->fetch == lookup->fetch);
+
+ lookup_find(lookup, fevent);
+}
+
+static inline isc_result_t
+start_fetch(dns_lookup_t *lookup) {
+ isc_result_t result;
+
+ /*
+ * The caller must be holding the lookup's lock.
+ */
+
+ REQUIRE(lookup->fetch == NULL);
+
+ result = dns_resolver_createfetch(lookup->view->resolver,
+ dns_fixedname_name(&lookup->name),
+ lookup->type,
+ NULL, NULL, NULL, 0,
+ lookup->task, fetch_done, lookup,
+ &lookup->rdataset,
+ &lookup->sigrdataset,
+ &lookup->fetch);
+
+ return (result);
+}
+
+static isc_result_t
+build_event(dns_lookup_t *lookup) {
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdataset_t *sigrdataset = NULL;
+ isc_result_t result;
+
+ name = isc_mem_get(lookup->mctx, sizeof(dns_name_t));
+ if (name == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ dns_name_init(name, NULL);
+ result = dns_name_dup(dns_fixedname_name(&lookup->name),
+ lookup->mctx, name);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ if (dns_rdataset_isassociated(&lookup->rdataset)) {
+ rdataset = isc_mem_get(lookup->mctx, sizeof(dns_rdataset_t));
+ if (rdataset == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ dns_rdataset_init(rdataset);
+ dns_rdataset_clone(&lookup->rdataset, rdataset);
+ }
+
+ if (dns_rdataset_isassociated(&lookup->sigrdataset)) {
+ sigrdataset = isc_mem_get(lookup->mctx,
+ sizeof(dns_rdataset_t));
+ if (sigrdataset == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ dns_rdataset_init(sigrdataset);
+ dns_rdataset_clone(&lookup->sigrdataset, sigrdataset);
+ }
+
+ lookup->event->name = name;
+ lookup->event->rdataset = rdataset;
+ lookup->event->sigrdataset = sigrdataset;
+
+ return (ISC_R_SUCCESS);
+
+ fail:
+ if (name != NULL) {
+ if (dns_name_dynamic(name))
+ dns_name_free(name, lookup->mctx);
+ isc_mem_put(lookup->mctx, name, sizeof(dns_name_t));
+ }
+ if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ isc_mem_put(lookup->mctx, rdataset, sizeof(dns_rdataset_t));
+ }
+ if (sigrdataset != NULL) {
+ if (dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ isc_mem_put(lookup->mctx, sigrdataset, sizeof(dns_rdataset_t));
+ }
+ return (result);
+}
+
+static isc_result_t
+view_find(dns_lookup_t *lookup, dns_name_t *foundname) {
+ isc_result_t result;
+ dns_name_t *name = dns_fixedname_name(&lookup->name);
+ dns_rdatatype_t type;
+
+ if (lookup->type == dns_rdatatype_rrsig)
+ type = dns_rdatatype_any;
+ else
+ type = lookup->type;
+
+ result = dns_view_find(lookup->view, name, type, 0, 0, ISC_FALSE,
+ &lookup->event->db, &lookup->event->node,
+ foundname, &lookup->rdataset,
+ &lookup->sigrdataset);
+ return (result);
+}
+
+static void
+lookup_find(dns_lookup_t *lookup, dns_fetchevent_t *event) {
+ isc_result_t result;
+ isc_boolean_t want_restart;
+ isc_boolean_t send_event = ISC_FALSE;
+ dns_name_t *name, *fname, *prefix;
+ dns_fixedname_t foundname, fixed;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int nlabels;
+ int order;
+ dns_namereln_t namereln;
+ dns_rdata_cname_t cname;
+ dns_rdata_dname_t dname;
+
+ REQUIRE(VALID_LOOKUP(lookup));
+
+ LOCK(&lookup->lock);
+
+ result = ISC_R_SUCCESS;
+ name = dns_fixedname_name(&lookup->name);
+
+ do {
+ lookup->restarts++;
+ want_restart = ISC_FALSE;
+
+ if (event == NULL && !lookup->canceled) {
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+ INSIST(!dns_rdataset_isassociated(&lookup->rdataset));
+ INSIST(!dns_rdataset_isassociated
+ (&lookup->sigrdataset));
+ result = view_find(lookup, fname);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * We don't know anything about the name.
+ * Launch a fetch.
+ */
+ if (lookup->event->node != NULL) {
+ INSIST(lookup->event->db != NULL);
+ dns_db_detachnode(lookup->event->db,
+ &lookup->event->node);
+ }
+ if (lookup->event->db != NULL)
+ dns_db_detach(&lookup->event->db);
+ result = start_fetch(lookup);
+ if (result != ISC_R_SUCCESS)
+ send_event = ISC_TRUE;
+ goto done;
+ }
+ } else {
+ result = event->result;
+ fname = dns_fixedname_name(&event->foundname);
+ dns_resolver_destroyfetch(&lookup->fetch);
+ INSIST(event->rdataset == &lookup->rdataset);
+ INSIST(event->sigrdataset == &lookup->sigrdataset);
+ }
+
+ /*
+ * If we've been canceled, forget about the result.
+ */
+ if (lookup->canceled)
+ result = ISC_R_CANCELED;
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ result = build_event(lookup);
+ send_event = ISC_TRUE;
+ if (event == NULL)
+ break;
+ if (event->db != NULL)
+ dns_db_attach(event->db, &lookup->event->db);
+ if (event->node != NULL)
+ dns_db_attachnode(lookup->event->db,
+ event->node,
+ &lookup->event->node);
+ break;
+ case DNS_R_CNAME:
+ /*
+ * Copy the CNAME's target into the lookup's
+ * query name and start over.
+ */
+ result = dns_rdataset_first(&lookup->rdataset);
+ if (result != ISC_R_SUCCESS)
+ break;
+ dns_rdataset_current(&lookup->rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS)
+ break;
+ result = dns_name_copy(&cname.cname, name, NULL);
+ dns_rdata_freestruct(&cname);
+ if (result == ISC_R_SUCCESS)
+ want_restart = ISC_TRUE;
+ break;
+ case DNS_R_DNAME:
+ namereln = dns_name_fullcompare(name, fname, &order,
+ &nlabels);
+ INSIST(namereln == dns_namereln_subdomain);
+ /*
+ * Get the target name of the DNAME.
+ */
+ result = dns_rdataset_first(&lookup->rdataset);
+ if (result != ISC_R_SUCCESS)
+ break;
+ dns_rdataset_current(&lookup->rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ dns_rdata_reset(&rdata);
+ if (result != ISC_R_SUCCESS)
+ break;
+ /*
+ * Construct the new query name and start over.
+ */
+ dns_fixedname_init(&fixed);
+ prefix = dns_fixedname_name(&fixed);
+ dns_name_split(name, nlabels, prefix, NULL);
+ result = dns_name_concatenate(prefix, &dname.dname,
+ name, NULL);
+ dns_rdata_freestruct(&dname);
+ if (result == ISC_R_SUCCESS)
+ want_restart = ISC_TRUE;
+ break;
+ default:
+ send_event = ISC_TRUE;
+ }
+
+ if (dns_rdataset_isassociated(&lookup->rdataset))
+ dns_rdataset_disassociate(&lookup->rdataset);
+ if (dns_rdataset_isassociated(&lookup->sigrdataset))
+ dns_rdataset_disassociate(&lookup->sigrdataset);
+
+ done:
+ if (event != NULL) {
+ if (event->node != NULL)
+ dns_db_detachnode(event->db, &event->node);
+ if (event->db != NULL)
+ dns_db_detach(&event->db);
+ isc_event_free(ISC_EVENT_PTR(&event));
+ }
+
+ /*
+ * Limit the number of restarts.
+ */
+ if (want_restart && lookup->restarts == MAX_RESTARTS) {
+ want_restart = ISC_FALSE;
+ result = ISC_R_QUOTA;
+ send_event = ISC_TRUE;
+ }
+
+ } while (want_restart);
+
+ if (send_event) {
+ lookup->event->result = result;
+ lookup->event->ev_sender = lookup;
+ isc_task_sendanddetach(&lookup->task,
+ (isc_event_t **)&lookup->event);
+ dns_view_detach(&lookup->view);
+ }
+
+ UNLOCK(&lookup->lock);
+}
+
+static void
+levent_destroy(isc_event_t *event) {
+ dns_lookupevent_t *levent;
+ isc_mem_t *mctx;
+
+ REQUIRE(event->ev_type == DNS_EVENT_LOOKUPDONE);
+ mctx = event->ev_destroy_arg;
+ levent = (dns_lookupevent_t *)event;
+
+ if (levent->name != NULL) {
+ if (dns_name_dynamic(levent->name))
+ dns_name_free(levent->name, mctx);
+ isc_mem_put(mctx, levent->name, sizeof(dns_name_t));
+ }
+ if (levent->rdataset != NULL) {
+ dns_rdataset_disassociate(levent->rdataset);
+ isc_mem_put(mctx, levent->rdataset, sizeof(dns_rdataset_t));
+ }
+ if (levent->sigrdataset != NULL) {
+ dns_rdataset_disassociate(levent->sigrdataset);
+ isc_mem_put(mctx, levent->sigrdataset, sizeof(dns_rdataset_t));
+ }
+ if (levent->node != NULL)
+ dns_db_detachnode(levent->db, &levent->node);
+ if (levent->db != NULL)
+ dns_db_detach(&levent->db);
+ isc_mem_put(mctx, event, event->ev_size);
+}
+
+
+isc_result_t
+dns_lookup_create(isc_mem_t *mctx, dns_name_t *name, dns_rdatatype_t type,
+ dns_view_t *view, unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg, dns_lookup_t **lookupp)
+{
+ isc_result_t result;
+ dns_lookup_t *lookup;
+ isc_event_t *ievent;
+
+ lookup = isc_mem_get(mctx, sizeof(*lookup));
+ if (lookup == NULL)
+ return (ISC_R_NOMEMORY);
+ lookup->mctx = mctx;
+ lookup->options = options;
+
+ ievent = isc_event_allocate(mctx, lookup, DNS_EVENT_LOOKUPDONE,
+ action, arg, sizeof(*lookup->event));
+ if (ievent == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_lookup;
+ }
+ lookup->event = (dns_lookupevent_t *)ievent;
+ lookup->event->ev_destroy = levent_destroy;
+ lookup->event->ev_destroy_arg = mctx;
+ lookup->event->result = ISC_R_FAILURE;
+ lookup->event->name = NULL;
+ lookup->event->rdataset = NULL;
+ lookup->event->sigrdataset = NULL;
+ lookup->event->db = NULL;
+ lookup->event->node = NULL;
+
+ lookup->task = NULL;
+ isc_task_attach(task, &lookup->task);
+
+ result = isc_mutex_init(&lookup->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_event;
+
+ dns_fixedname_init(&lookup->name);
+
+ result = dns_name_copy(name, dns_fixedname_name(&lookup->name), NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_lock;
+
+ lookup->type = type;
+ lookup->view = NULL;
+ dns_view_attach(view, &lookup->view);
+ lookup->fetch = NULL;
+ lookup->restarts = 0;
+ lookup->canceled = ISC_FALSE;
+ dns_rdataset_init(&lookup->rdataset);
+ dns_rdataset_init(&lookup->sigrdataset);
+ lookup->magic = LOOKUP_MAGIC;
+
+ *lookupp = lookup;
+
+ lookup_find(lookup, NULL);
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_lock:
+ DESTROYLOCK(&lookup->lock);
+
+ cleanup_event:
+ ievent = (isc_event_t *)lookup->event;
+ isc_event_free(&ievent);
+ lookup->event = NULL;
+
+ isc_task_detach(&lookup->task);
+
+ cleanup_lookup:
+ isc_mem_put(mctx, lookup, sizeof(*lookup));
+
+ return (result);
+}
+
+void
+dns_lookup_cancel(dns_lookup_t *lookup) {
+ REQUIRE(VALID_LOOKUP(lookup));
+
+ LOCK(&lookup->lock);
+
+ if (!lookup->canceled) {
+ lookup->canceled = ISC_TRUE;
+ if (lookup->fetch != NULL) {
+ INSIST(lookup->view != NULL);
+ dns_resolver_cancelfetch(lookup->fetch);
+ }
+ }
+
+ UNLOCK(&lookup->lock);
+}
+
+void
+dns_lookup_destroy(dns_lookup_t **lookupp) {
+ dns_lookup_t *lookup;
+
+ REQUIRE(lookupp != NULL);
+ lookup = *lookupp;
+ REQUIRE(VALID_LOOKUP(lookup));
+ REQUIRE(lookup->event == NULL);
+ REQUIRE(lookup->task == NULL);
+ REQUIRE(lookup->view == NULL);
+ if (dns_rdataset_isassociated(&lookup->rdataset))
+ dns_rdataset_disassociate(&lookup->rdataset);
+ if (dns_rdataset_isassociated(&lookup->sigrdataset))
+ dns_rdataset_disassociate(&lookup->sigrdataset);
+
+ DESTROYLOCK(&lookup->lock);
+ lookup->magic = 0;
+ isc_mem_put(lookup->mctx, lookup, sizeof(*lookup));
+
+ *lookupp = NULL;
+}
diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
new file mode 100644
index 0000000..7a2dab3
--- /dev/null
+++ b/contrib/bind9/lib/dns/master.c
@@ -0,0 +1,2376 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: master.c,v 1.122.2.8.2.14 2004/05/05 01:32:16 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/event.h>
+#include <isc/lex.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/master.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+/*
+ * Grow the number of dns_rdatalist_t (RDLSZ) and dns_rdata_t (RDSZ) structures
+ * by these sizes when we need to.
+ *
+ * RDLSZ reflects the number of different types with the same name expected.
+ * RDSZ reflects the number of rdata expected at a give name that can fit into
+ * 64k.
+ */
+
+#define RDLSZ 32
+#define RDSZ 512
+
+#define NBUFS 4
+#define MAXWIRESZ 255
+
+/*
+ * Target buffer size and minimum target size.
+ * MINTSIZ must be big enough to hold the largest rdata record.
+ *
+ * TSIZ >= MINTSIZ
+ */
+#define TSIZ (128*1024)
+/*
+ * max message size - header - root - type - class - ttl - rdlen
+ */
+#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+/*
+ * Size for tokens in the presentation format,
+ * The largest tokens are the base64 blocks in KEY and CERT records,
+ * Largest key allowed is about 1372 bytes but
+ * there is no fixed upper bound on CERT records.
+ * 2K is too small for some X.509s, 8K is overkill.
+ */
+#define TOKENSIZ (8*1024)
+
+#define DNS_MASTER_BUFSZ 2048
+
+typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
+
+typedef struct dns_incctx dns_incctx_t;
+
+/*
+ * Master file load state.
+ */
+
+struct dns_loadctx {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_lex_t *lex;
+ isc_boolean_t keep_lex;
+ dns_rdatacallbacks_t *callbacks;
+ isc_task_t *task;
+ dns_loaddonefunc_t done;
+ void *done_arg;
+ unsigned int options;
+ isc_boolean_t ttl_known;
+ isc_boolean_t default_ttl_known;
+ isc_boolean_t warn_1035;
+ isc_boolean_t warn_tcr;
+ isc_boolean_t warn_sigexpired;
+ isc_boolean_t seen_include;
+ isc_uint32_t ttl;
+ isc_uint32_t default_ttl;
+ dns_rdataclass_t zclass;
+ dns_fixedname_t fixed_top;
+ dns_name_t *top; /* top of zone */
+ /* Which fixed buffers we are using? */
+ unsigned int loop_cnt; /* records per quantum,
+ * 0 => all. */
+ isc_boolean_t canceled;
+ isc_mutex_t lock;
+ isc_result_t result;
+ /* locked by lock */
+ isc_uint32_t references;
+ dns_incctx_t *inc;
+};
+
+struct dns_incctx {
+ dns_incctx_t *parent;
+ dns_name_t *origin;
+ dns_name_t *current;
+ dns_name_t *glue;
+ dns_fixedname_t fixed[NBUFS]; /* working buffers */
+ unsigned int in_use[NBUFS]; /* covert to bitmap? */
+ int glue_in_use;
+ int current_in_use;
+ int origin_in_use;
+ isc_boolean_t drop;
+ unsigned int glue_line;
+ unsigned int current_line;
+};
+
+#define DNS_LCTX_MAGIC ISC_MAGIC('L','c','t','x')
+#define DNS_LCTX_VALID(lctx) ISC_MAGIC_VALID(lctx, DNS_LCTX_MAGIC)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx);
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *, dns_loadctx_t *, rdatalist_head_t *,
+ dns_name_t *, const char *, unsigned int);
+
+static isc_boolean_t
+is_glue(rdatalist_head_t *, dns_name_t *);
+
+static dns_rdatalist_t *
+grow_rdatalist(int, dns_rdatalist_t *, int, rdatalist_head_t *,
+ rdatalist_head_t *, isc_mem_t *mctx);
+
+static dns_rdata_t *
+grow_rdata(int, dns_rdata_t *, int, rdatalist_head_t *, rdatalist_head_t *,
+ isc_mem_t *);
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event);
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx);
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx);
+
+#define GETTOKEN(lexer, options, token, eol) \
+ do { \
+ result = gettoken(lexer, options, token, eol, callbacks); \
+ switch (result) { \
+ case ISC_R_SUCCESS: \
+ break; \
+ case ISC_R_UNEXPECTED: \
+ goto insist_and_cleanup; \
+ default: \
+ if (MANYERRS(lctx, result)) { \
+ SETRESULT(lctx, result); \
+ LOGIT(result); \
+ read_till_eol = ISC_TRUE; \
+ goto next_line; \
+ } else \
+ goto log_and_cleanup; \
+ } \
+ if ((token)->type == isc_tokentype_special) { \
+ result = DNS_R_SYNTAX; \
+ if (MANYERRS(lctx, result)) { \
+ SETRESULT(lctx, result); \
+ LOGIT(result); \
+ read_till_eol = ISC_TRUE; \
+ goto next_line; \
+ } else \
+ goto log_and_cleanup; \
+ } \
+ } while (0)
+
+#define COMMITALL \
+ do { \
+ result = commit(callbacks, lctx, &current_list, \
+ ictx->current, source, ictx->current_line); \
+ if (MANYERRS(lctx, result)) { \
+ SETRESULT(lctx, result); \
+ } else if (result != ISC_R_SUCCESS) \
+ goto insist_and_cleanup; \
+ result = commit(callbacks, lctx, &glue_list, \
+ ictx->glue, source, ictx->glue_line); \
+ if (MANYERRS(lctx, result)) { \
+ SETRESULT(lctx, result); \
+ } else if (result != ISC_R_SUCCESS) \
+ goto insist_and_cleanup; \
+ rdcount = 0; \
+ rdlcount = 0; \
+ isc_buffer_init(&target, target_mem, target_size); \
+ rdcount_save = rdcount; \
+ rdlcount_save = rdlcount; \
+ } while (0)
+
+#define WARNUNEXPECTEDEOF(lexer) \
+ do { \
+ if (isc_lex_isfile(lexer)) \
+ (*callbacks->warn)(callbacks, \
+ "%s: file does not end with newline", \
+ source); \
+ } while (0)
+
+#define EXPECTEOL \
+ do { \
+ GETTOKEN(lctx->lex, 0, &token, ISC_TRUE); \
+ if (token.type != isc_tokentype_eol) { \
+ isc_lex_ungettoken(lctx->lex, &token); \
+ result = DNS_R_EXTRATOKEN; \
+ if (MANYERRS(lctx, result)) { \
+ SETRESULT(lctx, result); \
+ LOGIT(result); \
+ read_till_eol = ISC_TRUE; \
+ continue; \
+ } else if (result != ISC_R_SUCCESS) \
+ goto log_and_cleanup; \
+ } \
+ } while (0)
+
+#define MANYERRS(lctx, result) \
+ ((result != ISC_R_SUCCESS) && \
+ ((lctx)->options & DNS_MASTER_MANYERRORS) != 0)
+
+#define SETRESULT(lctx, r) \
+ do { \
+ if ((lctx)->result == ISC_R_SUCCESS) \
+ (lctx)->result = r; \
+ } while (0)
+
+#define LOGITFILE(result, filename) \
+ if (result == ISC_R_INVALIDFILE || result == ISC_R_FILENOTFOUND || \
+ result == ISC_R_IOERROR || result == ISC_R_TOOMANYOPENFILES || \
+ result == ISC_R_NOPERM) \
+ (*callbacks->error)(callbacks, "%s: %s:%lu: %s: %s", \
+ "dns_master_load", source, line, \
+ filename, dns_result_totext(result)); \
+ else LOGIT(result)
+
+#define LOGIT(result) \
+ if (result == ISC_R_NOMEMORY) \
+ (*callbacks->error)(callbacks, "dns_master_load: %s", \
+ dns_result_totext(result)); \
+ else \
+ (*callbacks->error)(callbacks, "%s: %s:%lu: %s", \
+ "dns_master_load", \
+ source, line, dns_result_totext(result))
+
+
+static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+{
+ DNS_NAME_MAGIC,
+ in_addr_arpa_data, 14, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ in_addr_arpa_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+static unsigned char ip6_int_data[] = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int =
+{
+ DNS_NAME_MAGIC,
+ ip6_int_data, 9, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ ip6_int_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa =
+{
+ DNS_NAME_MAGIC,
+ ip6_arpa_data, 10, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ ip6_arpa_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+
+static inline isc_result_t
+gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
+ isc_boolean_t eol, dns_rdatacallbacks_t *callbacks)
+{
+ isc_result_t result;
+
+ options |= ISC_LEXOPT_EOL | ISC_LEXOPT_EOF | ISC_LEXOPT_DNSMULTILINE |
+ ISC_LEXOPT_ESCAPE;
+ result = isc_lex_gettoken(lex, options, token);
+ if (result != ISC_R_SUCCESS) {
+ switch (result) {
+ case ISC_R_NOMEMORY:
+ return (ISC_R_NOMEMORY);
+ default:
+ (*callbacks->error)(callbacks,
+ "dns_master_load: %s:%lu:"
+ " isc_lex_gettoken() failed: %s",
+ isc_lex_getsourcename(lex),
+ isc_lex_getsourceline(lex),
+ isc_result_totext(result));
+ return (result);
+ }
+ /*NOTREACHED*/
+ }
+ if (eol != ISC_TRUE)
+ if (token->type == isc_tokentype_eol ||
+ token->type == isc_tokentype_eof) {
+ (*callbacks->error)(callbacks,
+ "dns_master_load: %s:%lu: unexpected end of %s",
+ isc_lex_getsourcename(lex),
+ isc_lex_getsourceline(lex),
+ (token->type ==
+ isc_tokentype_eol) ?
+ "line" : "file");
+ return (ISC_R_UNEXPECTEDEND);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+
+void
+dns_loadctx_attach(dns_loadctx_t *source, dns_loadctx_t **target) {
+
+ REQUIRE(target != NULL && *target == NULL);
+ REQUIRE(DNS_LCTX_VALID(source));
+
+ LOCK(&source->lock);
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0); /* Overflow? */
+ UNLOCK(&source->lock);
+
+ *target = source;
+}
+
+void
+dns_loadctx_detach(dns_loadctx_t **lctxp) {
+ dns_loadctx_t *lctx;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(lctxp != NULL);
+ lctx = *lctxp;
+ REQUIRE(DNS_LCTX_VALID(lctx));
+
+ LOCK(&lctx->lock);
+ INSIST(lctx->references > 0);
+ lctx->references--;
+ if (lctx->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&lctx->lock);
+
+ if (need_destroy)
+ loadctx_destroy(lctx);
+ *lctxp = NULL;
+}
+
+static void
+incctx_destroy(isc_mem_t *mctx, dns_incctx_t *ictx) {
+ dns_incctx_t *parent;
+
+ again:
+ parent = ictx->parent;
+ ictx->parent = NULL;
+
+ isc_mem_put(mctx, ictx, sizeof(*ictx));
+
+ if (parent != NULL) {
+ ictx = parent;
+ goto again;
+ }
+}
+
+static void
+loadctx_destroy(dns_loadctx_t *lctx) {
+ isc_mem_t *mctx;
+
+ REQUIRE(DNS_LCTX_VALID(lctx));
+
+ lctx->magic = 0;
+ if (lctx->inc != NULL)
+ incctx_destroy(lctx->mctx, lctx->inc);
+
+ /* isc_lex_destroy() will close all open streams */
+ if (lctx->lex != NULL && !lctx->keep_lex)
+ isc_lex_destroy(&lctx->lex);
+
+ if (lctx->task != NULL)
+ isc_task_detach(&lctx->task);
+ DESTROYLOCK(&lctx->lock);
+ mctx = NULL;
+ isc_mem_attach(lctx->mctx, &mctx);
+ isc_mem_detach(&lctx->mctx);
+ isc_mem_put(mctx, lctx, sizeof(*lctx));
+ isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
+ dns_incctx_t *ictx;
+ isc_region_t r;
+ int i;
+
+ ictx = isc_mem_get(mctx, sizeof(*ictx));
+ if (ictx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ for (i = 0; i < NBUFS; i++) {
+ dns_fixedname_init(&ictx->fixed[i]);
+ ictx->in_use[i] = ISC_FALSE;
+ }
+
+ ictx->origin_in_use = 0;
+ ictx->origin = dns_fixedname_name(&ictx->fixed[ictx->origin_in_use]);
+ ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
+ dns_name_toregion(origin, &r);
+ dns_name_fromregion(ictx->origin, &r);
+
+ ictx->glue = NULL;
+ ictx->current = NULL;
+ ictx->glue_in_use = -1;
+ ictx->current_in_use = -1;
+ ictx->parent = NULL;
+ ictx->drop = ISC_FALSE;
+ ictx->glue_line = 0;
+ ictx->current_line = 0;
+
+ *ictxp = ictx;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+loadctx_create(isc_mem_t *mctx, unsigned int options, dns_name_t *top,
+ dns_rdataclass_t zclass, dns_name_t *origin,
+ dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
+ dns_loadctx_t **lctxp)
+{
+ dns_loadctx_t *lctx;
+ isc_result_t result;
+ isc_region_t r;
+ isc_lexspecials_t specials;
+
+ REQUIRE(lctxp != NULL && *lctxp == NULL);
+ REQUIRE(callbacks != NULL);
+ REQUIRE(callbacks->add != NULL);
+ REQUIRE(callbacks->error != NULL);
+ REQUIRE(callbacks->warn != NULL);
+ REQUIRE(mctx != NULL);
+ REQUIRE(dns_name_isabsolute(top));
+ REQUIRE(dns_name_isabsolute(origin));
+ REQUIRE((task == NULL && done == NULL) ||
+ (task != NULL && done != NULL));
+
+ lctx = isc_mem_get(mctx, sizeof(*lctx));
+ if (lctx == NULL)
+ return (ISC_R_NOMEMORY);
+ result = isc_mutex_init(&lctx->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, lctx, sizeof(*lctx));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ lctx->inc = NULL;
+ result = incctx_create(mctx, origin, &lctx->inc);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_ctx;
+
+ if (lex != NULL) {
+ lctx->lex = lex;
+ lctx->keep_lex = ISC_TRUE;
+ } else {
+ lctx->lex = NULL;
+ result = isc_lex_create(mctx, TOKENSIZ, &lctx->lex);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_inc;
+ lctx->keep_lex = ISC_FALSE;
+ memset(specials, 0, sizeof(specials));
+ specials['('] = 1;
+ specials[')'] = 1;
+ specials['"'] = 1;
+ isc_lex_setspecials(lctx->lex, specials);
+ isc_lex_setcomments(lctx->lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+ }
+
+ lctx->ttl_known = ISC_FALSE;
+ lctx->ttl = 0;
+ lctx->default_ttl_known = ISC_FALSE;
+ lctx->default_ttl = 0;
+ lctx->warn_1035 = ISC_TRUE; /* XXX Argument? */
+ lctx->warn_tcr = ISC_TRUE; /* XXX Argument? */
+ lctx->warn_sigexpired = ISC_TRUE; /* XXX Argument? */
+ lctx->options = options;
+ lctx->seen_include = ISC_FALSE;
+ lctx->zclass = zclass;
+ lctx->result = ISC_R_SUCCESS;
+
+ dns_fixedname_init(&lctx->fixed_top);
+ lctx->top = dns_fixedname_name(&lctx->fixed_top);
+ dns_name_toregion(top, &r);
+ dns_name_fromregion(lctx->top, &r);
+
+ lctx->loop_cnt = (done != NULL) ? 100 : 0;
+ lctx->callbacks = callbacks;
+ lctx->task = NULL;
+ if (task != NULL)
+ isc_task_attach(task, &lctx->task);
+ lctx->done = done;
+ lctx->done_arg = done_arg;
+ lctx->canceled = ISC_FALSE;
+ lctx->mctx = NULL;
+ isc_mem_attach(mctx, &lctx->mctx);
+ lctx->references = 1; /* Implicit attach. */
+ lctx->magic = DNS_LCTX_MAGIC;
+ *lctxp = lctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup_inc:
+ incctx_destroy(mctx, lctx->inc);
+ cleanup_ctx:
+ isc_mem_put(mctx, lctx, sizeof(*lctx));
+ return (result);
+}
+
+static isc_result_t
+genname(char *name, int it, char *buffer, size_t length) {
+ char fmt[sizeof("%04000000000d")];
+ char numbuf[128];
+ char *cp;
+ char mode[2];
+ int delta = 0;
+ isc_textregion_t r;
+ unsigned int n;
+ unsigned int width;
+
+ r.base = buffer;
+ r.length = length;
+
+ while (*name != '\0') {
+ if (*name == '$') {
+ name++;
+ if (*name == '$') {
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = *name++;
+ isc_textregion_consume(&r, 1);
+ continue;
+ }
+ strcpy(fmt, "%d");
+ /* Get format specifier. */
+ if (*name == '{' ) {
+ n = sscanf(name, "{%d,%u,%1[doxX]}",
+ &delta, &width, mode);
+ switch (n) {
+ case 1:
+ break;
+ case 2:
+ n = snprintf(fmt, sizeof(fmt),
+ "%%0%ud", width);
+ break;
+ case 3:
+ n = snprintf(fmt, sizeof(fmt),
+ "%%0%u%c", width, mode[0]);
+ break;
+ default:
+ return (DNS_R_SYNTAX);
+ }
+ if (n >= sizeof(fmt))
+ return (ISC_R_NOSPACE);
+ /* Skip past closing brace. */
+ while (*name != '\0' && *name++ != '}')
+ continue;
+ }
+ n = snprintf(numbuf, sizeof(numbuf), fmt, it + delta);
+ if (n >= sizeof(numbuf))
+ return (ISC_R_NOSPACE);
+ cp = numbuf;
+ while (*cp != '\0') {
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = *cp++;
+ isc_textregion_consume(&r, 1);
+ }
+ } else if (*name == '\\') {
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = *name++;
+ isc_textregion_consume(&r, 1);
+ if (*name == '\0')
+ continue;
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = *name++;
+ isc_textregion_consume(&r, 1);
+ } else {
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = *name++;
+ isc_textregion_consume(&r, 1);
+ }
+ }
+ if (r.length == 0)
+ return (ISC_R_NOSPACE);
+ r.base[0] = '\0';
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
+ const char *source, unsigned int line)
+{
+ char *target_mem = NULL;
+ char *lhsbuf = NULL;
+ char *rhsbuf = NULL;
+ dns_fixedname_t ownerfixed;
+ dns_name_t *owner;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdatacallbacks_t *callbacks;
+ dns_rdatalist_t rdatalist;
+ dns_rdatatype_t type;
+ rdatalist_head_t head;
+ int n;
+ int target_size = MINTSIZ; /* only one rdata at a time */
+ isc_buffer_t buffer;
+ isc_buffer_t target;
+ isc_result_t result;
+ isc_textregion_t r;
+ unsigned int start, stop, step, i;
+ dns_incctx_t *ictx;
+
+ ictx = lctx->inc;
+ callbacks = lctx->callbacks;
+ dns_fixedname_init(&ownerfixed);
+ owner = dns_fixedname_name(&ownerfixed);
+ ISC_LIST_INIT(head);
+
+ target_mem = isc_mem_get(lctx->mctx, target_size);
+ rhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
+ lhsbuf = isc_mem_get(lctx->mctx, DNS_MASTER_BUFSZ);
+ if (target_mem == NULL || rhsbuf == NULL || lhsbuf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto error_cleanup;
+ }
+ isc_buffer_init(&target, target_mem, target_size);
+
+ n = sscanf(range, "%u-%u/%u", &start, &stop, &step);
+ if (n < 2 || stop < start) {
+ (*callbacks->error)(callbacks,
+ "%s: %s:%lu: invalid range '%s'",
+ "$GENERATE", source, line, range);
+ result = DNS_R_SYNTAX;
+ goto insist_cleanup;
+ }
+ if (n == 2)
+ step = 1;
+
+ /*
+ * Get type.
+ */
+ r.base = gtype;
+ r.length = strlen(gtype);
+ result = dns_rdatatype_fromtext(&type, &r);
+ if (result != ISC_R_SUCCESS) {
+ (*callbacks->error)(callbacks,
+ "%s: %s:%lu: unknown RR type '%s'",
+ "$GENERATE", source, line, gtype);
+ goto insist_cleanup;
+ }
+
+ switch (type) {
+ case dns_rdatatype_ns:
+ case dns_rdatatype_ptr:
+ case dns_rdatatype_cname:
+ case dns_rdatatype_dname:
+ break;
+
+ case dns_rdatatype_a:
+ case dns_rdatatype_aaaa:
+ if (lctx->zclass == dns_rdataclass_in ||
+ lctx->zclass == dns_rdataclass_hs)
+ break;
+ /* FALLTHROUGH */
+ default:
+ (*callbacks->error)(callbacks,
+ "%s: %s:%lu: unsupported type '%s'",
+ "$GENERATE", source, line, gtype);
+ result = ISC_R_NOTIMPLEMENTED;
+ goto error_cleanup;
+ }
+
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LINK_INIT(&rdatalist, link);
+ for (i = start; i <= stop; i += step) {
+ result = genname(lhs, i, lhsbuf, DNS_MASTER_BUFSZ);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+ result = genname(rhs, i, rhsbuf, DNS_MASTER_BUFSZ);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+
+ isc_buffer_init(&buffer, lhsbuf, strlen(lhsbuf));
+ isc_buffer_add(&buffer, strlen(lhsbuf));
+ isc_buffer_setactive(&buffer, strlen(lhsbuf));
+ result = dns_name_fromtext(owner, &buffer, ictx->origin,
+ 0, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+
+ if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ !dns_name_issubdomain(owner, lctx->top))
+ {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(owner, namebuf, sizeof(namebuf));
+ /*
+ * Ignore out-of-zone data.
+ */
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: "
+ "ignoring out-of-zone data (%s)",
+ source, line, namebuf);
+ continue;
+ }
+
+ isc_buffer_init(&buffer, rhsbuf, strlen(rhsbuf));
+ isc_buffer_add(&buffer, strlen(rhsbuf));
+ isc_buffer_setactive(&buffer, strlen(rhsbuf));
+
+ result = isc_lex_openbuffer(lctx->lex, &buffer);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+
+ isc_buffer_init(&target, target_mem, target_size);
+ result = dns_rdata_fromtext(&rdata, lctx->zclass, type,
+ lctx->lex, ictx->origin, 0,
+ lctx->mctx, &target, callbacks);
+ RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+
+ rdatalist.type = type;
+ rdatalist.covers = 0;
+ rdatalist.rdclass = lctx->zclass;
+ rdatalist.ttl = lctx->ttl;
+ ISC_LIST_PREPEND(head, &rdatalist, link);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ result = commit(callbacks, lctx, &head, owner, source, line);
+ ISC_LIST_UNLINK(rdatalist.rdata, &rdata, link);
+ if (result != ISC_R_SUCCESS)
+ goto error_cleanup;
+ dns_rdata_reset(&rdata);
+ }
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+
+ error_cleanup:
+ if (result == ISC_R_NOMEMORY)
+ (*callbacks->error)(callbacks, "$GENERATE: %s",
+ dns_result_totext(result));
+ else
+ (*callbacks->error)(callbacks, "$GENERATE: %s:%lu: %s",
+ source, line, dns_result_totext(result));
+
+ insist_cleanup:
+ INSIST(result != ISC_R_SUCCESS);
+
+ cleanup:
+ if (target_mem != NULL)
+ isc_mem_put(lctx->mctx, target_mem, target_size);
+ if (lhsbuf != NULL)
+ isc_mem_put(lctx->mctx, lhsbuf, DNS_MASTER_BUFSZ);
+ if (rhsbuf != NULL)
+ isc_mem_put(lctx->mctx, rhsbuf, DNS_MASTER_BUFSZ);
+ return (result);
+}
+
+static void
+limit_ttl(dns_rdatacallbacks_t *callbacks, const char *source, unsigned int line,
+ isc_uint32_t *ttlp)
+{
+ if (*ttlp > 0x7fffffffUL) {
+ (callbacks->warn)(callbacks,
+ "%s: %s:%lu: "
+ "$TTL %lu > MAXTTL, "
+ "setting $TTL to 0",
+ "dns_master_load",
+ source, line,
+ *ttlp);
+ *ttlp = 0;
+ }
+}
+
+static isc_result_t
+check_ns(dns_loadctx_t *lctx, isc_token_t *token, const char *source,
+ unsigned long line)
+{
+ char *tmp = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ void (*callback)(struct dns_rdatacallbacks *, const char *, ...);
+
+ if ((lctx->options & DNS_MASTER_FATALNS) != 0)
+ callback = lctx->callbacks->error;
+ else
+ callback = lctx->callbacks->warn;
+
+ if (token->type == isc_tokentype_string) {
+ struct in_addr addr;
+ struct in6_addr addr6;
+
+ tmp = isc_mem_strdup(lctx->mctx, DNS_AS_STR(*token));
+ if (tmp == NULL)
+ return (ISC_R_NOMEMORY);
+ /*
+ * Catch both "1.2.3.4" and "1.2.3.4."
+ */
+ if (tmp[strlen(tmp) - 1] == '.')
+ tmp[strlen(tmp) - 1] = '\0';
+ if (inet_aton(tmp, &addr) == 1 ||
+ inet_pton(AF_INET6, tmp, &addr6) == 1)
+ result = DNS_R_NSISADDRESS;
+ }
+ if (result != ISC_R_SUCCESS)
+ (*callback)(lctx->callbacks, "%s:%lu: NS record '%s' "
+ "appears to be an address",
+ source, line, DNS_AS_STR(*token));
+ if (tmp != NULL)
+ isc_mem_free(lctx->mctx, tmp);
+ return (result);
+}
+
+static isc_result_t
+load(dns_loadctx_t *lctx) {
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t type, covers;
+ isc_uint32_t ttl_offset = 0;
+ dns_name_t *new_name;
+ isc_boolean_t current_has_delegation = ISC_FALSE;
+ isc_boolean_t done = ISC_FALSE;
+ isc_boolean_t finish_origin = ISC_FALSE;
+ isc_boolean_t finish_include = ISC_FALSE;
+ isc_boolean_t read_till_eol = ISC_FALSE;
+ isc_boolean_t initialws;
+ char *include_file = NULL;
+ isc_token_t token;
+ isc_result_t result = ISC_R_UNEXPECTED;
+ rdatalist_head_t glue_list;
+ rdatalist_head_t current_list;
+ dns_rdatalist_t *this;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdatalist_t *new_rdatalist;
+ int rdlcount = 0;
+ int rdlcount_save = 0;
+ int rdatalist_size = 0;
+ isc_buffer_t buffer;
+ isc_buffer_t target;
+ isc_buffer_t target_ft;
+ isc_buffer_t target_save;
+ dns_rdata_t *rdata = NULL;
+ dns_rdata_t *new_rdata;
+ int rdcount = 0;
+ int rdcount_save = 0;
+ int rdata_size = 0;
+ unsigned char *target_mem = NULL;
+ int target_size = TSIZ;
+ int new_in_use;
+ unsigned int loop_cnt = 0;
+ isc_mem_t *mctx;
+ dns_rdatacallbacks_t *callbacks;
+ dns_incctx_t *ictx;
+ char *range = NULL;
+ char *lhs = NULL;
+ char *gtype = NULL;
+ char *rhs = NULL;
+ const char *source = "";
+ unsigned long line = 0;
+ isc_boolean_t explicit_ttl;
+ isc_stdtime_t now;
+ char classname1[DNS_RDATACLASS_FORMATSIZE];
+ char classname2[DNS_RDATACLASS_FORMATSIZE];
+ unsigned int options = 0;
+
+ REQUIRE(DNS_LCTX_VALID(lctx));
+ callbacks = lctx->callbacks;
+ mctx = lctx->mctx;
+ ictx = lctx->inc;
+
+ ISC_LIST_INIT(glue_list);
+ ISC_LIST_INIT(current_list);
+
+ isc_stdtime_get(&now);
+
+ /*
+ * Allocate target_size of buffer space. This is greater than twice
+ * the maximum individual RR data size.
+ */
+ target_mem = isc_mem_get(mctx, target_size);
+ if (target_mem == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ isc_buffer_init(&target, target_mem, target_size);
+ target_save = target;
+
+ if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0)
+ options |= DNS_RDATA_CHECKNAMES;
+ if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0)
+ options |= DNS_RDATA_CHECKNAMESFAIL;
+ source = isc_lex_getsourcename(lctx->lex);
+ do {
+ initialws = ISC_FALSE;
+ line = isc_lex_getsourceline(lctx->lex);
+ GETTOKEN(lctx->lex, ISC_LEXOPT_INITIALWS, &token, ISC_TRUE);
+ line = isc_lex_getsourceline(lctx->lex);
+
+ if (token.type == isc_tokentype_eof) {
+ if (read_till_eol)
+ WARNUNEXPECTEDEOF(lctx->lex);
+ /* Pop the include stack? */
+ if (ictx->parent != NULL) {
+ COMMITALL;
+ lctx->inc = ictx->parent;
+ ictx->parent = NULL;
+ incctx_destroy(lctx->mctx, ictx);
+ RUNTIME_CHECK(isc_lex_close(lctx->lex) == ISC_R_SUCCESS);
+ line = isc_lex_getsourceline(lctx->lex);
+ source = isc_lex_getsourcename(lctx->lex);
+ ictx = lctx->inc;
+ EXPECTEOL;
+ continue;
+ }
+ done = ISC_TRUE;
+ continue;
+ }
+
+ if (token.type == isc_tokentype_eol) {
+ read_till_eol = ISC_FALSE;
+ continue; /* blank line */
+ }
+
+ if (read_till_eol)
+ continue;
+
+ if (token.type == isc_tokentype_initialws) {
+ /*
+ * Still working on the same name.
+ */
+ initialws = ISC_TRUE;
+ } else if (token.type == isc_tokentype_string) {
+
+ /*
+ * "$" Support.
+ *
+ * "$ORIGIN" and "$INCLUDE" can both take domain names.
+ * The processing of "$ORIGIN" and "$INCLUDE" extends
+ * across the normal domain name processing.
+ */
+
+ if (strcasecmp(DNS_AS_STR(token), "$ORIGIN") == 0) {
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ finish_origin = ISC_TRUE;
+ } else if (strcasecmp(DNS_AS_STR(token),
+ "$TTL") == 0) {
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ result =
+ dns_ttl_fromtext(&token.value.as_textregion,
+ &lctx->ttl);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ lctx->ttl = 0;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ limit_ttl(callbacks, source, line, &lctx->ttl);
+ lctx->default_ttl = lctx->ttl;
+ lctx->default_ttl_known = ISC_TRUE;
+ EXPECTEOL;
+ continue;
+ } else if (strcasecmp(DNS_AS_STR(token),
+ "$INCLUDE") == 0) {
+ COMMITALL;
+ if ((lctx->options & DNS_MASTER_NOINCLUDE)
+ != 0)
+ {
+ (callbacks->error)(callbacks,
+ "%s: %s:%lu: $INCLUDE not allowed",
+ "dns_master_load",
+ source, line);
+ result = DNS_R_REFUSED;
+ goto insist_and_cleanup;
+ }
+ if (ttl_offset != 0) {
+ (callbacks->error)(callbacks,
+ "%s: %s:%lu: $INCLUDE "
+ "may not be used with $DATE",
+ "dns_master_load",
+ source, line);
+ result = DNS_R_SYNTAX;
+ goto insist_and_cleanup;
+ }
+ GETTOKEN(lctx->lex, ISC_LEXOPT_QSTRING, &token,
+ ISC_FALSE);
+ if (include_file != NULL)
+ isc_mem_free(mctx, include_file);
+ include_file = isc_mem_strdup(mctx,
+ DNS_AS_STR(token));
+ if (include_file == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ GETTOKEN(lctx->lex, 0, &token, ISC_TRUE);
+
+ if (token.type == isc_tokentype_eol ||
+ token.type == isc_tokentype_eof) {
+ if (token.type == isc_tokentype_eof)
+ WARNUNEXPECTEDEOF(lctx->lex);
+ isc_lex_ungettoken(lctx->lex, &token);
+ /*
+ * No origin field.
+ */
+ result = pushfile(include_file,
+ ictx->origin, lctx);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ LOGITFILE(result, include_file);
+ continue;
+ } else if (result != ISC_R_SUCCESS) {
+ LOGITFILE(result, include_file);
+ goto insist_and_cleanup;
+ }
+ ictx = lctx->inc;
+ line = isc_lex_getsourceline(lctx->lex);
+ source =
+ isc_lex_getsourcename(lctx->lex);
+ continue;
+ }
+ /*
+ * There is an origin field. Fall through
+ * to domain name processing code and do
+ * the actual inclusion later.
+ */
+ finish_include = ISC_TRUE;
+ } else if (strcasecmp(DNS_AS_STR(token),
+ "$DATE") == 0) {
+ isc_int64_t dump_time64;
+ isc_stdtime_t dump_time, current_time;
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ isc_stdtime_get(&current_time);
+ result = dns_time64_fromtext(DNS_AS_STR(token),
+ &dump_time64);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ LOGIT(result);
+ dump_time64 = 0;
+ } else if (result != ISC_R_SUCCESS)
+ goto log_and_cleanup;
+ dump_time = (isc_stdtime_t)dump_time64;
+ if (dump_time != dump_time64) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s: %s:%lu: $DATE outside epoch",
+ "dns_master_load", source, line);
+ result = ISC_R_UNEXPECTED;
+ goto insist_and_cleanup;
+ }
+ if (dump_time > current_time) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s: %s:%lu: "
+ "$DATE in future, using current date",
+ "dns_master_load", source, line);
+ dump_time = current_time;
+ }
+ ttl_offset = current_time - dump_time;
+ EXPECTEOL;
+ continue;
+ } else if (strcasecmp(DNS_AS_STR(token),
+ "$GENERATE") == 0) {
+ /*
+ * Lazy cleanup.
+ */
+ if (range != NULL)
+ isc_mem_free(mctx, range);
+ if (lhs != NULL)
+ isc_mem_free(mctx, lhs);
+ if (gtype != NULL)
+ isc_mem_free(mctx, gtype);
+ if (rhs != NULL)
+ isc_mem_free(mctx, rhs);
+ /* RANGE */
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ range = isc_mem_strdup(mctx,
+ DNS_AS_STR(token));
+ if (range == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ /* LHS */
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ lhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+ if (lhs == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ rdclass = 0;
+ explicit_ttl = ISC_FALSE;
+ /* CLASS? */
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ if (dns_rdataclass_fromtext(&rdclass,
+ &token.value.as_textregion)
+ == ISC_R_SUCCESS) {
+ GETTOKEN(lctx->lex, 0, &token,
+ ISC_FALSE);
+ }
+ /* TTL? */
+ if (dns_ttl_fromtext(&token.value.as_textregion,
+ &lctx->ttl)
+ == ISC_R_SUCCESS) {
+ limit_ttl(callbacks, source, line,
+ &lctx->ttl);
+ lctx->ttl_known = ISC_TRUE;
+ explicit_ttl = ISC_TRUE;
+ GETTOKEN(lctx->lex, 0, &token,
+ ISC_FALSE);
+ }
+ /* CLASS? */
+ if (rdclass == 0 &&
+ dns_rdataclass_fromtext(&rdclass,
+ &token.value.as_textregion)
+ == ISC_R_SUCCESS)
+ GETTOKEN(lctx->lex, 0, &token,
+ ISC_FALSE);
+ /* TYPE */
+ gtype = isc_mem_strdup(mctx,
+ DNS_AS_STR(token));
+ if (gtype == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ /* RHS */
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ rhs = isc_mem_strdup(mctx, DNS_AS_STR(token));
+ if (rhs == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ if (!lctx->ttl_known &&
+ !lctx->default_ttl_known) {
+ (*callbacks->error)(callbacks,
+ "%s: %s:%lu: no TTL specified",
+ "dns_master_load", source, line);
+ result = DNS_R_NOTTL;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ lctx->ttl = 0;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ } else if (!explicit_ttl &&
+ lctx->default_ttl_known) {
+ lctx->ttl = lctx->default_ttl;
+ }
+ /*
+ * If the class specified does not match the
+ * zone's class print out a error message and
+ * exit.
+ */
+ if (rdclass != 0 && rdclass != lctx->zclass) {
+ goto bad_class;
+ }
+ result = generate(lctx, range, lhs, gtype, rhs,
+ source, line);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ EXPECTEOL;
+ continue;
+ } else if (strncasecmp(DNS_AS_STR(token),
+ "$", 1) == 0) {
+ (callbacks->error)(callbacks,
+ "%s: %s:%lu: "
+ "unknown $ directive '%s'",
+ "dns_master_load", source, line,
+ DNS_AS_STR(token));
+ result = DNS_R_SYNTAX;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ /*
+ * Normal processing resumes.
+ *
+ * Find a free name buffer.
+ */
+ for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
+ if (!ictx->in_use[new_in_use])
+ break;
+ INSIST(new_in_use < NBUFS);
+ dns_fixedname_init(&ictx->fixed[new_in_use]);
+ new_name = dns_fixedname_name(&ictx->fixed[new_in_use]);
+ isc_buffer_init(&buffer, token.value.as_region.base,
+ token.value.as_region.length);
+ isc_buffer_add(&buffer, token.value.as_region.length);
+ isc_buffer_setactive(&buffer,
+ token.value.as_region.length);
+ result = dns_name_fromtext(new_name, &buffer,
+ ictx->origin, ISC_FALSE, NULL);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ LOGIT(result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto log_and_cleanup;
+
+ /*
+ * Finish $ORIGIN / $INCLUDE processing if required.
+ */
+ if (finish_origin) {
+ if (ictx->origin_in_use != -1)
+ ictx->in_use[ictx->origin_in_use] =
+ ISC_FALSE;
+ ictx->origin_in_use = new_in_use;
+ ictx->in_use[ictx->origin_in_use] = ISC_TRUE;
+ ictx->origin = new_name;
+ finish_origin = ISC_FALSE;
+ EXPECTEOL;
+ continue;
+ }
+ if (finish_include) {
+ finish_include = ISC_FALSE;
+ result = pushfile(include_file, new_name, lctx);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ LOGITFILE(result, include_file);
+ continue;
+ } else if (result != ISC_R_SUCCESS) {
+ LOGITFILE(result, include_file);
+ goto insist_and_cleanup;
+ }
+ ictx = lctx->inc;
+ line = isc_lex_getsourceline(lctx->lex);
+ source = isc_lex_getsourcename(lctx->lex);
+ continue;
+ }
+
+ /*
+ * "$" Processing Finished
+ */
+
+ /*
+ * If we are processing glue and the new name does
+ * not match the current glue name, commit the glue
+ * and pop stacks leaving us in 'normal' processing
+ * state. Linked lists are undone by commit().
+ */
+ if (ictx->glue != NULL &&
+ dns_name_compare(ictx->glue, new_name) != 0) {
+ result = commit(callbacks, lctx, &glue_list,
+ ictx->glue, source,
+ ictx->glue_line);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ if (ictx->glue_in_use != -1)
+ ictx->in_use[ictx->glue_in_use] =
+ ISC_FALSE;
+ ictx->glue_in_use = -1;
+ ictx->glue = NULL;
+ rdcount = rdcount_save;
+ rdlcount = rdlcount_save;
+ target = target_save;
+ }
+
+ /*
+ * If we are in 'normal' processing state and the new
+ * name does not match the current name, see if the
+ * new name is for glue and treat it as such,
+ * otherwise we have a new name so commit what we
+ * have.
+ */
+ if ((ictx->glue == NULL) && (ictx->current == NULL ||
+ dns_name_compare(ictx->current, new_name) != 0)) {
+ if (current_has_delegation &&
+ is_glue(&current_list, new_name)) {
+ rdcount_save = rdcount;
+ rdlcount_save = rdlcount;
+ target_save = target;
+ ictx->glue = new_name;
+ ictx->glue_in_use = new_in_use;
+ ictx->in_use[ictx->glue_in_use] =
+ ISC_TRUE;
+ } else {
+ result = commit(callbacks, lctx,
+ &current_list,
+ ictx->current,
+ source,
+ ictx->current_line);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ rdcount = 0;
+ rdlcount = 0;
+ if (ictx->current_in_use != -1)
+ ictx->in_use[ictx->current_in_use] =
+ ISC_FALSE;
+ ictx->current_in_use = new_in_use;
+ ictx->in_use[ictx->current_in_use] =
+ ISC_TRUE;
+ ictx->current = new_name;
+ current_has_delegation = ISC_FALSE;
+ isc_buffer_init(&target, target_mem,
+ target_size);
+ }
+ }
+ if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ !dns_name_issubdomain(new_name, lctx->top))
+ {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(new_name, namebuf,
+ sizeof(namebuf));
+ /*
+ * Ignore out-of-zone data.
+ */
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: "
+ "ignoring out-of-zone data (%s)",
+ source, line, namebuf);
+ ictx->drop = ISC_TRUE;
+ } else
+ ictx->drop = ISC_FALSE;
+ } else {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s:%lu: isc_lex_gettoken() returned "
+ "unexpeced token type (%d)",
+ source, line, token.type);
+ result = ISC_R_UNEXPECTED;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ LOGIT(result);
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ /*
+ * Find TTL, class and type. Both TTL and class are optional
+ * and may occur in any order if they exist. TTL and class
+ * come before type which must exist.
+ *
+ * [<TTL>] [<class>] <type> <RDATA>
+ * [<class>] [<TTL>] <type> <RDATA>
+ */
+
+ type = 0;
+ rdclass = 0;
+
+ GETTOKEN(lctx->lex, 0, &token, initialws);
+
+ if (initialws) {
+ if (token.type == isc_tokentype_eol) {
+ read_till_eol = ISC_FALSE;
+ continue; /* blank line */
+ }
+
+ if (token.type == isc_tokentype_eof) {
+ WARNUNEXPECTEDEOF(lctx->lex);
+ read_till_eol = ISC_FALSE;
+ isc_lex_ungettoken(lctx->lex, &token);
+ continue;
+ }
+
+ if (ictx->current == NULL) {
+ (*callbacks->error)(callbacks,
+ "%s:%lu: no current owner name",
+ source, line);
+ result = DNS_R_NOOWNER;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+ }
+
+ if (dns_rdataclass_fromtext(&rdclass,
+ &token.value.as_textregion)
+ == ISC_R_SUCCESS)
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+
+ explicit_ttl = ISC_FALSE;
+ if (dns_ttl_fromtext(&token.value.as_textregion, &lctx->ttl)
+ == ISC_R_SUCCESS) {
+ limit_ttl(callbacks, source, line, &lctx->ttl);
+ explicit_ttl = ISC_TRUE;
+ lctx->ttl_known = ISC_TRUE;
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ }
+
+ if (token.type != isc_tokentype_string) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_lex_gettoken() returned unexpected token type");
+ result = ISC_R_UNEXPECTED;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ if (rdclass == 0 &&
+ dns_rdataclass_fromtext(&rdclass,
+ &token.value.as_textregion)
+ == ISC_R_SUCCESS)
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+
+ if (token.type != isc_tokentype_string) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_lex_gettoken() returned unexpected token type");
+ result = ISC_R_UNEXPECTED;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ result = dns_rdatatype_fromtext(&type,
+ &token.value.as_textregion);
+ if (result != ISC_R_SUCCESS) {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: unknown RR type '%.*s'",
+ source, line,
+ token.value.as_textregion.length,
+ token.value.as_textregion.base);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ /*
+ * If the class specified does not match the zone's class
+ * print out a error message and exit.
+ */
+ if (rdclass != 0 && rdclass != lctx->zclass) {
+ bad_class:
+
+ dns_rdataclass_format(rdclass, classname1,
+ sizeof(classname1));
+ dns_rdataclass_format(lctx->zclass, classname2,
+ sizeof(classname2));
+ (*callbacks->error)(callbacks,
+ "%s:%lu: class '%s' != "
+ "zone class '%s'",
+ source, line,
+ classname1, classname2);
+ result = DNS_R_BADCLASS;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+ if (type == dns_rdatatype_ns && ictx->glue == NULL)
+ current_has_delegation = ISC_TRUE;
+
+ /*
+ * RFC 1123: MD and MF are not allowed to be loaded from
+ * master files.
+ */
+ if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+ (type == dns_rdatatype_md || type == dns_rdatatype_mf)) {
+ char typename[DNS_RDATATYPE_FORMATSIZE];
+
+ result = DNS_R_OBSOLETE;
+
+ dns_rdatatype_format(type, typename, sizeof(typename));
+ (*callbacks->error)(callbacks,
+ "%s:%lu: %s '%s': %s",
+ source, line,
+ "type", typename,
+ dns_result_totext(result));
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else
+ goto insist_and_cleanup;
+ }
+
+ /*
+ * Find a rdata structure.
+ */
+ if (rdcount == rdata_size) {
+ new_rdata = grow_rdata(rdata_size + RDSZ, rdata,
+ rdata_size, &current_list,
+ &glue_list, mctx);
+ if (new_rdata == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ rdata_size += RDSZ;
+ rdata = new_rdata;
+ }
+
+ /*
+ * Peek at the NS record.
+ */
+ if (type == dns_rdatatype_ns &&
+ lctx->zclass == dns_rdataclass_in &&
+ (lctx->options & DNS_MASTER_CHECKNS) != 0) {
+
+ GETTOKEN(lctx->lex, 0, &token, ISC_FALSE);
+ result = check_ns(lctx, &token, source, line);
+ isc_lex_ungettoken(lctx->lex, &token);
+ if ((lctx->options & DNS_MASTER_FATALNS) != 0) {
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+ }
+
+ /*
+ * Check owner name.
+ */
+ options &= ~DNS_RDATA_CHECKREVERSE;
+ if ((lctx->options & DNS_MASTER_CHECKNAMES) != 0) {
+ isc_boolean_t ok;
+ dns_name_t *name;
+
+ name = (ictx->glue != NULL) ? ictx-> glue :
+ ictx->current;
+ ok = dns_rdata_checkowner(name, lctx->zclass, type,
+ ISC_TRUE);
+ if (!ok) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ const char *desc;
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ result = DNS_R_BADOWNERNAME;
+ desc = dns_result_totext(result);
+ if ((lctx->options & DNS_MASTER_CHECKNAMESFAIL) != 0) {
+ (*callbacks->error)(callbacks,
+ "%s:%lu: %s: %s",
+ source, line,
+ namebuf, desc);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ } else {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: %s: %s",
+ source, line,
+ namebuf, desc);
+ }
+ }
+ if (type == dns_rdatatype_ptr &&
+ (dns_name_issubdomain(name, &in_addr_arpa) ||
+ dns_name_issubdomain(name, &ip6_arpa) ||
+ dns_name_issubdomain(name, &ip6_int)))
+ options |= DNS_RDATA_CHECKREVERSE;
+ }
+
+ /*
+ * Read rdata contents.
+ */
+ dns_rdata_init(&rdata[rdcount]);
+ target_ft = target;
+ result = dns_rdata_fromtext(&rdata[rdcount], lctx->zclass,
+ type, lctx->lex, ictx->origin,
+ options, lctx->mctx, &target,
+ callbacks);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+
+ if (ictx->drop) {
+ target = target_ft;
+ continue;
+ }
+
+ if (type == dns_rdatatype_soa &&
+ (lctx->options & DNS_MASTER_ZONE) != 0 &&
+ dns_name_compare(ictx->current, lctx->top) != 0) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(ictx->current, namebuf,
+ sizeof(namebuf));
+ (*callbacks->error)(callbacks,
+ "%s:%lu: SOA "
+ "record not at top of zone (%s)",
+ source, line, namebuf);
+ result = DNS_R_NOTZONETOP;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ read_till_eol = ISC_TRUE;
+ target = target_ft;
+ continue;
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ }
+
+
+ if (type == dns_rdatatype_rrsig ||
+ type == dns_rdatatype_sig)
+ covers = dns_rdata_covers(&rdata[rdcount]);
+ else
+ covers = 0;
+
+ if (!lctx->ttl_known && !lctx->default_ttl_known) {
+ if (type == dns_rdatatype_soa) {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: no TTL specified; "
+ "using SOA MINTTL instead",
+ source, line);
+ lctx->ttl = dns_soa_getminimum(&rdata[rdcount]);
+ limit_ttl(callbacks, source, line, &lctx->ttl);
+ lctx->default_ttl = lctx->ttl;
+ lctx->default_ttl_known = ISC_TRUE;
+ } else if ((lctx->options & DNS_MASTER_HINT) != 0) {
+ /*
+ * Zero TTL's are fine for hints.
+ */
+ lctx->ttl = 0;
+ lctx->default_ttl = lctx->ttl;
+ lctx->default_ttl_known = ISC_TRUE;
+ } else {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: no TTL specified; "
+ "zone rejected",
+ source, line);
+ result = DNS_R_NOTTL;
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ lctx->ttl = 0;
+ } else {
+ goto insist_and_cleanup;
+ }
+ }
+ } else if (!explicit_ttl && lctx->default_ttl_known) {
+ lctx->ttl = lctx->default_ttl;
+ } else if (!explicit_ttl && lctx->warn_1035) {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: "
+ "using RFC 1035 TTL semantics",
+ source, line);
+ lctx->warn_1035 = ISC_FALSE;
+ }
+
+ if (type == dns_rdatatype_rrsig && lctx->warn_sigexpired) {
+ dns_rdata_rrsig_t sig;
+ (void)dns_rdata_tostruct(&rdata[rdcount], &sig, NULL);
+ if (isc_serial_lt(sig.timeexpire, now)) {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: "
+ "signature has expired",
+ source, line);
+ lctx->warn_sigexpired = ISC_FALSE;
+ }
+ }
+
+ if ((type == dns_rdatatype_sig || type == dns_rdatatype_nxt) &&
+ lctx->warn_tcr && (lctx->options & DNS_MASTER_ZONE) != 0 &&
+ (lctx->options & DNS_MASTER_SLAVE) == 0) {
+ (*callbacks->warn)(callbacks, "%s:%lu: old style DNSSEC "
+ " zone detected", source, line);
+ lctx->warn_tcr = ISC_FALSE;
+ }
+
+ if ((lctx->options & DNS_MASTER_AGETTL) != 0) {
+ /*
+ * Adjust the TTL for $DATE. If the RR has already
+ * expired, ignore it.
+ */
+ if (lctx->ttl < ttl_offset)
+ continue;
+ lctx->ttl -= ttl_offset;
+ }
+
+ /*
+ * Find type in rdatalist.
+ * If it does not exist create new one and prepend to list
+ * as this will mimimise list traversal.
+ */
+ if (ictx->glue != NULL)
+ this = ISC_LIST_HEAD(glue_list);
+ else
+ this = ISC_LIST_HEAD(current_list);
+
+ while (this != NULL) {
+ if (this->type == type && this->covers == covers)
+ break;
+ this = ISC_LIST_NEXT(this, link);
+ }
+
+ if (this == NULL) {
+ if (rdlcount == rdatalist_size) {
+ new_rdatalist =
+ grow_rdatalist(rdatalist_size + RDLSZ,
+ rdatalist,
+ rdatalist_size,
+ &current_list,
+ &glue_list,
+ mctx);
+ if (new_rdatalist == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto log_and_cleanup;
+ }
+ rdatalist = new_rdatalist;
+ rdatalist_size += RDLSZ;
+ }
+ this = &rdatalist[rdlcount++];
+ this->type = type;
+ this->covers = covers;
+ this->rdclass = lctx->zclass;
+ this->ttl = lctx->ttl;
+ ISC_LIST_INIT(this->rdata);
+ if (ictx->glue != NULL)
+ ISC_LIST_INITANDPREPEND(glue_list, this, link);
+ else
+ ISC_LIST_INITANDPREPEND(current_list, this,
+ link);
+ } else if (this->ttl != lctx->ttl) {
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: "
+ "TTL set to prior TTL (%lu)",
+ source, line, this->ttl);
+ lctx->ttl = this->ttl;
+ }
+
+ ISC_LIST_APPEND(this->rdata, &rdata[rdcount], link);
+ if (ictx->glue != NULL)
+ ictx->glue_line = line;
+ else
+ ictx->current_line = line;
+ rdcount++;
+
+ /*
+ * We must have at least 64k as rdlen is 16 bits.
+ * If we don't commit everything we have so far.
+ */
+ if ((target.length - target.used) < MINTSIZ)
+ COMMITALL;
+ next_line:
+ ;
+ } while (!done && (lctx->loop_cnt == 0 || loop_cnt++ < lctx->loop_cnt));
+
+ /*
+ * Commit what has not yet been committed.
+ */
+ result = commit(callbacks, lctx, &current_list, ictx->current,
+ source, ictx->current_line);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+ result = commit(callbacks, lctx, &glue_list, ictx->glue,
+ source, ictx->glue_line);
+ if (MANYERRS(lctx, result)) {
+ SETRESULT(lctx, result);
+ } else if (result != ISC_R_SUCCESS)
+ goto insist_and_cleanup;
+
+ if (!done) {
+ INSIST(lctx->done != NULL && lctx->task != NULL);
+ result = DNS_R_CONTINUE;
+ } else if (result == ISC_R_SUCCESS && lctx->result != ISC_R_SUCCESS) {
+ result = lctx->result;
+ } else if (result == ISC_R_SUCCESS && lctx->seen_include)
+ result = DNS_R_SEENINCLUDE;
+ goto cleanup;
+
+ log_and_cleanup:
+ LOGIT(result);
+
+ insist_and_cleanup:
+ INSIST(result != ISC_R_SUCCESS);
+
+ cleanup:
+ while ((this = ISC_LIST_HEAD(current_list)) != NULL)
+ ISC_LIST_UNLINK(current_list, this, link);
+ while ((this = ISC_LIST_HEAD(glue_list)) != NULL)
+ ISC_LIST_UNLINK(glue_list, this, link);
+ if (rdatalist != NULL)
+ isc_mem_put(mctx, rdatalist,
+ rdatalist_size * sizeof(*rdatalist));
+ if (rdata != NULL)
+ isc_mem_put(mctx, rdata, rdata_size * sizeof(*rdata));
+ if (target_mem != NULL)
+ isc_mem_put(mctx, target_mem, target_size);
+ if (include_file != NULL)
+ isc_mem_free(mctx, include_file);
+ if (range != NULL)
+ isc_mem_free(mctx, range);
+ if (lhs != NULL)
+ isc_mem_free(mctx, lhs);
+ if (gtype != NULL)
+ isc_mem_free(mctx, gtype);
+ if (rhs != NULL)
+ isc_mem_free(mctx, rhs);
+ return (result);
+}
+
+static isc_result_t
+pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
+ isc_result_t result;
+ dns_incctx_t *ictx;
+ dns_incctx_t *new = NULL;
+ isc_region_t r;
+ int new_in_use;
+
+ REQUIRE(master_file != NULL);
+ REQUIRE(DNS_LCTX_VALID(lctx));
+
+ ictx = lctx->inc;
+ lctx->seen_include = ISC_TRUE;
+
+ result = incctx_create(lctx->mctx, origin, &new);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /* Set current domain. */
+ if (ictx->glue != NULL || ictx->current != NULL) {
+ for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
+ if (!new->in_use[new_in_use])
+ break;
+ INSIST(new_in_use < NBUFS);
+ new->current_in_use = new_in_use;
+ new->current =
+ dns_fixedname_name(&new->fixed[new->current_in_use]);
+ new->in_use[new->current_in_use] = ISC_TRUE;
+ dns_name_toregion((ictx->glue != NULL) ?
+ ictx->glue : ictx->current, &r);
+ dns_name_fromregion(new->current, &r);
+ new->drop = ictx->drop;
+ }
+
+ result = isc_lex_openfile(lctx->lex, master_file);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ new->parent = ictx;
+ lctx->inc = new;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (new != NULL)
+ incctx_destroy(lctx->mctx, new);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadfile(const char *master_file, dns_name_t *top,
+ dns_name_t *origin,
+ dns_rdataclass_t zclass, unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+ dns_loadctx_t *lctx = NULL;
+ isc_result_t result;
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, NULL, NULL, NULL, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_lex_openfile(lctx->lex, master_file);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = load(lctx);
+ INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadfileinc(const char *master_file, dns_name_t *top,
+ dns_name_t *origin, dns_rdataclass_t zclass,
+ unsigned int options, dns_rdatacallbacks_t *callbacks,
+ isc_task_t *task, dns_loaddonefunc_t done,
+ void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+ dns_loadctx_t *lctx = NULL;
+ isc_result_t result;
+
+ REQUIRE(task != NULL);
+ REQUIRE(done != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, task, done, done_arg, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_lex_openfile(lctx->lex, master_file);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = task_send(lctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_loadctx_attach(lctx, lctxp);
+ return (DNS_R_CONTINUE);
+ }
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
+ dns_rdataclass_t zclass, unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(stream != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, NULL, NULL, NULL, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_lex_openstream(lctx->lex, stream);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = load(lctx);
+ INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
+ dns_rdataclass_t zclass, unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(stream != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(done != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, task, done, done_arg, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_lex_openstream(lctx->lex, stream);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = task_send(lctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_loadctx_attach(lctx, lctxp);
+ return (DNS_R_CONTINUE);
+ }
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
+ dns_name_t *origin, dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(buffer != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, NULL, NULL, NULL, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_lex_openbuffer(lctx->lex, buffer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = load(lctx);
+ INSIST(result != DNS_R_CONTINUE);
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
+ dns_name_t *origin, dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(buffer != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(done != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, task, done, done_arg, NULL, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_lex_openbuffer(lctx->lex, buffer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = task_send(lctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_loadctx_attach(lctx, lctxp);
+ return (DNS_R_CONTINUE);
+ }
+
+ cleanup:
+ if (lctx != NULL)
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
+ dns_name_t *origin, dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(lex != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, NULL, NULL, NULL, lex, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = load(lctx);
+ INSIST(result != DNS_R_CONTINUE);
+
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+isc_result_t
+dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
+ dns_name_t *origin, dns_rdataclass_t zclass,
+ unsigned int options,
+ dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+ dns_loaddonefunc_t done, void *done_arg,
+ dns_loadctx_t **lctxp, isc_mem_t *mctx)
+{
+ isc_result_t result;
+ dns_loadctx_t *lctx = NULL;
+
+ REQUIRE(lex != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(done != NULL);
+
+ result = loadctx_create(mctx, options, top, zclass, origin,
+ callbacks, task, done, done_arg, lex, &lctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = task_send(lctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_loadctx_attach(lctx, lctxp);
+ return (DNS_R_CONTINUE);
+ }
+
+ dns_loadctx_detach(&lctx);
+ return (result);
+}
+
+/*
+ * Grow the slab of dns_rdatalist_t structures.
+ * Re-link glue and current list.
+ */
+static dns_rdatalist_t *
+grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
+ rdatalist_head_t *current, rdatalist_head_t *glue,
+ isc_mem_t *mctx)
+{
+ dns_rdatalist_t *new;
+ int rdlcount = 0;
+ ISC_LIST(dns_rdatalist_t) save;
+ dns_rdatalist_t *this;
+
+ new = isc_mem_get(mctx, new_len * sizeof(*new));
+ if (new == NULL)
+ return (NULL);
+
+ ISC_LIST_INIT(save);
+ this = ISC_LIST_HEAD(*current);
+ while ((this = ISC_LIST_HEAD(*current)) != NULL) {
+ ISC_LIST_UNLINK(*current, this, link);
+ ISC_LIST_APPEND(save, this, link);
+ }
+ while ((this = ISC_LIST_HEAD(save)) != NULL) {
+ ISC_LIST_UNLINK(save, this, link);
+ new[rdlcount] = *this;
+ ISC_LIST_APPEND(*current, &new[rdlcount], link);
+ rdlcount++;
+ }
+
+ ISC_LIST_INIT(save);
+ this = ISC_LIST_HEAD(*glue);
+ while ((this = ISC_LIST_HEAD(*glue)) != NULL) {
+ ISC_LIST_UNLINK(*glue, this, link);
+ ISC_LIST_APPEND(save, this, link);
+ }
+ while ((this = ISC_LIST_HEAD(save)) != NULL) {
+ ISC_LIST_UNLINK(save, this, link);
+ new[rdlcount] = *this;
+ ISC_LIST_APPEND(*glue, &new[rdlcount], link);
+ rdlcount++;
+ }
+
+ INSIST(rdlcount == old_len);
+ if (old != NULL)
+ isc_mem_put(mctx, old, old_len * sizeof(*old));
+ return (new);
+}
+
+/*
+ * Grow the slab of rdata structs.
+ * Re-link the current and glue chains.
+ */
+static dns_rdata_t *
+grow_rdata(int new_len, dns_rdata_t *old, int old_len,
+ rdatalist_head_t *current, rdatalist_head_t *glue,
+ isc_mem_t *mctx)
+{
+ dns_rdata_t *new;
+ int rdcount = 0;
+ ISC_LIST(dns_rdata_t) save;
+ dns_rdatalist_t *this;
+ dns_rdata_t *rdata;
+
+ new = isc_mem_get(mctx, new_len * sizeof(*new));
+ if (new == NULL)
+ return (NULL);
+ memset(new, 0, new_len * sizeof(*new));
+
+ /*
+ * Copy current relinking.
+ */
+ this = ISC_LIST_HEAD(*current);
+ while (this != NULL) {
+ ISC_LIST_INIT(save);
+ while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+ ISC_LIST_UNLINK(this->rdata, rdata, link);
+ ISC_LIST_APPEND(save, rdata, link);
+ }
+ while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+ ISC_LIST_UNLINK(save, rdata, link);
+ new[rdcount] = *rdata;
+ ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
+ rdcount++;
+ }
+ this = ISC_LIST_NEXT(this, link);
+ }
+
+ /*
+ * Copy glue relinking.
+ */
+ this = ISC_LIST_HEAD(*glue);
+ while (this != NULL) {
+ ISC_LIST_INIT(save);
+ while ((rdata = ISC_LIST_HEAD(this->rdata)) != NULL) {
+ ISC_LIST_UNLINK(this->rdata, rdata, link);
+ ISC_LIST_APPEND(save, rdata, link);
+ }
+ while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
+ ISC_LIST_UNLINK(save, rdata, link);
+ new[rdcount] = *rdata;
+ ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
+ rdcount++;
+ }
+ this = ISC_LIST_NEXT(this, link);
+ }
+ INSIST(rdcount == old_len);
+ if (old != NULL)
+ isc_mem_put(mctx, old, old_len * sizeof(*old));
+ return (new);
+}
+
+/*
+ * Convert each element from a rdatalist_t to rdataset then call commit.
+ * Unlink each element as we go.
+ */
+
+static isc_result_t
+commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
+ rdatalist_head_t *head, dns_name_t *owner,
+ const char *source, unsigned int line)
+{
+ dns_rdatalist_t *this;
+ dns_rdataset_t dataset;
+ isc_result_t result;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ void (*error)(struct dns_rdatacallbacks *, const char *, ...);
+
+ this = ISC_LIST_HEAD(*head);
+ error = callbacks->error;
+
+ if (this == NULL)
+ return (ISC_R_SUCCESS);
+ do {
+ dns_rdataset_init(&dataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
+ == ISC_R_SUCCESS);
+ dataset.trust = dns_trust_ultimate;
+ result = ((*callbacks->add)(callbacks->add_private, owner,
+ &dataset));
+ if (result == ISC_R_NOMEMORY) {
+ (*error)(callbacks, "dns_master_load: %s",
+ dns_result_totext(result));
+ } else if (result != ISC_R_SUCCESS) {
+ dns_name_format(owner, namebuf,
+ sizeof(namebuf));
+ (*error)(callbacks, "%s: %s:%lu: %s: %s",
+ "dns_master_load", source, line,
+ namebuf, dns_result_totext(result));
+ }
+ if (MANYERRS(lctx, result))
+ SETRESULT(lctx, result);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ ISC_LIST_UNLINK(*head, this, link);
+ this = ISC_LIST_HEAD(*head);
+ } while (this != NULL);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Returns ISC_TRUE if one of the NS rdata's contains 'owner'.
+ */
+
+static isc_boolean_t
+is_glue(rdatalist_head_t *head, dns_name_t *owner) {
+ dns_rdatalist_t *this;
+ dns_rdata_t *rdata;
+ isc_region_t region;
+ dns_name_t name;
+
+ /*
+ * Find NS rrset.
+ */
+ this = ISC_LIST_HEAD(*head);
+ while (this != NULL) {
+ if (this->type == dns_rdatatype_ns)
+ break;
+ this = ISC_LIST_NEXT(this, link);
+ }
+ if (this == NULL)
+ return (ISC_FALSE);
+
+ rdata = ISC_LIST_HEAD(this->rdata);
+ while (rdata != NULL) {
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ if (dns_name_compare(&name, owner) == 0)
+ return (ISC_TRUE);
+ rdata = ISC_LIST_NEXT(rdata, link);
+ }
+ return (ISC_FALSE);
+}
+
+static void
+load_quantum(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ dns_loadctx_t *lctx;
+
+ REQUIRE(event != NULL);
+ lctx = event->ev_arg;
+ REQUIRE(DNS_LCTX_VALID(lctx));
+
+ if (lctx->canceled)
+ result = ISC_R_CANCELED;
+ else
+ result = load(lctx);
+ if (result == DNS_R_CONTINUE) {
+ event->ev_arg = lctx;
+ isc_task_send(task, &event);
+ } else {
+ (lctx->done)(lctx->done_arg, result);
+ isc_event_free(&event);
+ dns_loadctx_detach(&lctx);
+ }
+}
+
+static isc_result_t
+task_send(dns_loadctx_t *lctx) {
+ isc_event_t *event;
+
+ event = isc_event_allocate(lctx->mctx, NULL,
+ DNS_EVENT_MASTERQUANTUM,
+ load_quantum, lctx, sizeof(*event));
+ if (event == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_task_send(lctx->task, &event);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_loadctx_cancel(dns_loadctx_t *lctx) {
+ REQUIRE(DNS_LCTX_VALID(lctx));
+
+ LOCK(&lctx->lock);
+ lctx->canceled = ISC_TRUE;
+ UNLOCK(&lctx->lock);
+}
diff --git a/contrib/bind9/lib/dns/masterdump.c b/contrib/bind9/lib/dns/masterdump.c
new file mode 100644
index 0000000..0225d72
--- /dev/null
+++ b/contrib/bind9/lib/dns/masterdump.c
@@ -0,0 +1,1455 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: masterdump.c,v 1.56.2.5.2.12 2004/08/28 06:25:19 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/event.h>
+#include <isc/file.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define DNS_DCTX_MAGIC ISC_MAGIC('D', 'c', 't', 'x')
+#define DNS_DCTX_VALID(d) ISC_MAGIC_VALID(d, DNS_DCTX_MAGIC)
+
+#define RETERR(x) do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+struct dns_master_style {
+ unsigned int flags; /* DNS_STYLEFLAG_* */
+ unsigned int ttl_column;
+ unsigned int class_column;
+ unsigned int type_column;
+ unsigned int rdata_column;
+ unsigned int line_length;
+ unsigned int tab_width;
+};
+
+/*
+ * The maximum length of the newline+indentation that is output
+ * when inserting a line break in an RR. This effectively puts an
+ * upper limits on the value of "rdata_column", because if it is
+ * very large, the tabs and spaces needed to reach it will not fit.
+ */
+#define DNS_TOTEXT_LINEBREAK_MAXLEN 100
+
+/*
+ * Context structure for a masterfile dump in progress.
+ */
+typedef struct dns_totext_ctx {
+ dns_master_style_t style;
+ isc_boolean_t class_printed;
+ char * linebreak;
+ char linebreak_buf[DNS_TOTEXT_LINEBREAK_MAXLEN];
+ dns_name_t * origin;
+ dns_name_t * neworigin;
+ dns_fixedname_t origin_fixname;
+ isc_uint32_t current_ttl;
+ isc_boolean_t current_ttl_valid;
+} dns_totext_ctx_t;
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_default = {
+ DNS_STYLEFLAG_OMIT_OWNER |
+ DNS_STYLEFLAG_OMIT_CLASS |
+ DNS_STYLEFLAG_REL_OWNER |
+ DNS_STYLEFLAG_REL_DATA |
+ DNS_STYLEFLAG_OMIT_TTL |
+ DNS_STYLEFLAG_TTL |
+ DNS_STYLEFLAG_COMMENT |
+ DNS_STYLEFLAG_MULTILINE,
+ 24, 24, 24, 32, 80, 8
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_full = {
+ DNS_STYLEFLAG_COMMENT,
+ 46, 46, 46, 64, 120, 8
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_explicitttl = {
+ DNS_STYLEFLAG_OMIT_OWNER |
+ DNS_STYLEFLAG_OMIT_CLASS |
+ DNS_STYLEFLAG_REL_OWNER |
+ DNS_STYLEFLAG_REL_DATA |
+ DNS_STYLEFLAG_COMMENT |
+ DNS_STYLEFLAG_MULTILINE,
+ 24, 32, 32, 40, 80, 8
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_cache = {
+ DNS_STYLEFLAG_OMIT_OWNER |
+ DNS_STYLEFLAG_OMIT_CLASS |
+ DNS_STYLEFLAG_MULTILINE |
+ DNS_STYLEFLAG_TRUST |
+ DNS_STYLEFLAG_NCACHE,
+ 24, 32, 32, 40, 80, 8
+};
+
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_simple = {
+ 0,
+ 24, 32, 32, 40, 80, 8
+};
+
+/*
+ * A style suitable for dns_rdataset_totext().
+ */
+LIBDNS_EXTERNAL_DATA const dns_master_style_t
+dns_master_style_debug = {
+ DNS_STYLEFLAG_REL_OWNER,
+ 24, 32, 40, 48, 80, 8
+};
+
+
+#define N_SPACES 10
+static char spaces[N_SPACES+1] = " ";
+
+#define N_TABS 10
+static char tabs[N_TABS+1] = "\t\t\t\t\t\t\t\t\t\t";
+
+struct dns_dumpctx {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ unsigned int references;
+ isc_boolean_t canceled;
+ isc_boolean_t first;
+ isc_boolean_t do_date;
+ isc_stdtime_t now;
+ FILE *f;
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ dns_dbiterator_t *dbiter;
+ dns_totext_ctx_t tctx;
+ isc_task_t *task;
+ dns_dumpdonefunc_t done;
+ void *done_arg;
+ unsigned int nodes;
+ /* dns_master_dumpinc() */
+ char *file;
+ char *tmpfile;
+};
+
+#define NXDOMAIN(x) (((x)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+
+/*
+ * Output tabs and spaces to go from column '*current' to
+ * column 'to', and update '*current' to reflect the new
+ * current column.
+ */
+static isc_result_t
+indent(unsigned int *current, unsigned int to, int tabwidth,
+ isc_buffer_t *target)
+{
+ isc_region_t r;
+ unsigned char *p;
+ unsigned int from;
+ int ntabs, nspaces, t;
+
+ from = *current;
+
+ if (to < from + 1)
+ to = from + 1;
+
+ ntabs = to / tabwidth - from / tabwidth;
+ if (ntabs < 0)
+ ntabs = 0;
+
+ if (ntabs > 0) {
+ isc_buffer_availableregion(target, &r);
+ if (r.length < (unsigned) ntabs)
+ return (ISC_R_NOSPACE);
+ p = r.base;
+
+ t = ntabs;
+ while (t) {
+ int n = t;
+ if (n > N_TABS)
+ n = N_TABS;
+ memcpy(p, tabs, n);
+ p += n;
+ t -= n;
+ }
+ isc_buffer_add(target, ntabs);
+ from = (to / tabwidth) * tabwidth;
+ }
+
+ nspaces = to - from;
+ INSIST(nspaces >= 0);
+
+ isc_buffer_availableregion(target, &r);
+ if (r.length < (unsigned) nspaces)
+ return (ISC_R_NOSPACE);
+ p = r.base;
+
+ t = nspaces;
+ while (t) {
+ int n = t;
+ if (n > N_SPACES)
+ n = N_SPACES;
+ memcpy(p, spaces, n);
+ p += n;
+ t -= n;
+ }
+ isc_buffer_add(target, nspaces);
+
+ *current = to;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
+ isc_result_t result;
+
+ REQUIRE(style->tab_width != 0);
+
+ ctx->style = *style;
+ ctx->class_printed = ISC_FALSE;
+
+ dns_fixedname_init(&ctx->origin_fixname);
+
+ /*
+ * Set up the line break string if needed.
+ */
+ if ((ctx->style.flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+ isc_buffer_t buf;
+ isc_region_t r;
+ unsigned int col = 0;
+
+ isc_buffer_init(&buf, ctx->linebreak_buf,
+ sizeof(ctx->linebreak_buf));
+
+ isc_buffer_availableregion(&buf, &r);
+ if (r.length < 1)
+ return (DNS_R_TEXTTOOLONG);
+ r.base[0] = '\n';
+ isc_buffer_add(&buf, 1);
+
+ result = indent(&col, ctx->style.rdata_column,
+ ctx->style.tab_width, &buf);
+ /*
+ * Do not return ISC_R_NOSPACE if the line break string
+ * buffer is too small, because that would just make
+ * dump_rdataset() retry indenfinitely with ever
+ * bigger target buffers. That's a different buffer,
+ * so it won't help. Use DNS_R_TEXTTOOLONG as a substitute.
+ */
+ if (result == ISC_R_NOSPACE)
+ return (DNS_R_TEXTTOOLONG);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isc_buffer_availableregion(&buf, &r);
+ if (r.length < 1)
+ return (DNS_R_TEXTTOOLONG);
+ r.base[0] = '\0';
+ isc_buffer_add(&buf, 1);
+ ctx->linebreak = ctx->linebreak_buf;
+ } else {
+ ctx->linebreak = NULL;
+ }
+
+ ctx->origin = NULL;
+ ctx->neworigin = NULL;
+ ctx->current_ttl = 0;
+ ctx->current_ttl_valid = ISC_FALSE;
+
+ return (ISC_R_SUCCESS);
+}
+
+#define INDENT_TO(col) \
+ do { \
+ if ((result = indent(&column, ctx->style.col, \
+ ctx->style.tab_width, target)) \
+ != ISC_R_SUCCESS) \
+ return (result); \
+ } while (0)
+
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+ unsigned int l;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(source);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, source, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Convert 'rdataset' to master file text format according to 'ctx',
+ * storing the result in 'target'. If 'owner_name' is NULL, it
+ * is omitted; otherwise 'owner_name' must be valid and have at least
+ * one label.
+ */
+
+static isc_result_t
+rdataset_totext(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_totext_ctx_t *ctx,
+ isc_boolean_t omit_final_dot,
+ isc_buffer_t *target)
+{
+ isc_result_t result;
+ unsigned int column;
+ isc_boolean_t first = ISC_TRUE;
+ isc_uint32_t current_ttl;
+ isc_boolean_t current_ttl_valid;
+ dns_rdatatype_t type;
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+ result = dns_rdataset_first(rdataset);
+ REQUIRE(result == ISC_R_SUCCESS);
+
+ current_ttl = ctx->current_ttl;
+ current_ttl_valid = ctx->current_ttl_valid;
+
+ do {
+ column = 0;
+
+ /*
+ * Owner name.
+ */
+ if (owner_name != NULL &&
+ ! ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0 &&
+ !first))
+ {
+ unsigned int name_start = target->used;
+ RETERR(dns_name_totext(owner_name,
+ omit_final_dot,
+ target));
+ column += target->used - name_start;
+ }
+
+ /*
+ * TTL.
+ */
+ if ((ctx->style.flags & DNS_STYLEFLAG_NO_TTL) == 0 &&
+ !((ctx->style.flags & DNS_STYLEFLAG_OMIT_TTL) != 0 &&
+ current_ttl_valid &&
+ rdataset->ttl == current_ttl))
+ {
+ char ttlbuf[64];
+ isc_region_t r;
+ unsigned int length;
+
+ INDENT_TO(ttl_column);
+ length = snprintf(ttlbuf, sizeof(ttlbuf), "%u",
+ rdataset->ttl);
+ INSIST(length <= sizeof(ttlbuf));
+ isc_buffer_availableregion(target, &r);
+ if (r.length < length)
+ return (ISC_R_NOSPACE);
+ memcpy(r.base, ttlbuf, length);
+ isc_buffer_add(target, length);
+ column += length;
+
+ /*
+ * If the $TTL directive is not in use, the TTL we
+ * just printed becomes the default for subsequent RRs.
+ */
+ if ((ctx->style.flags & DNS_STYLEFLAG_TTL) == 0) {
+ current_ttl = rdataset->ttl;
+ current_ttl_valid = ISC_TRUE;
+ }
+ }
+
+ /*
+ * Class.
+ */
+ if ((ctx->style.flags & DNS_STYLEFLAG_NO_CLASS) == 0 &&
+ ((ctx->style.flags & DNS_STYLEFLAG_OMIT_CLASS) == 0 ||
+ ctx->class_printed == ISC_FALSE))
+ {
+ unsigned int class_start;
+ INDENT_TO(class_column);
+ class_start = target->used;
+ result = dns_rdataclass_totext(rdataset->rdclass,
+ target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - class_start);
+ }
+
+ /*
+ * Type.
+ */
+
+ if (rdataset->type == 0) {
+ type = rdataset->covers;
+ } else {
+ type = rdataset->type;
+ }
+
+ {
+ unsigned int type_start;
+ INDENT_TO(type_column);
+ type_start = target->used;
+ if (rdataset->type == 0)
+ RETERR(str_totext("\\-", target));
+ result = dns_rdatatype_totext(type, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - type_start);
+ }
+
+ /*
+ * Rdata.
+ */
+ INDENT_TO(rdata_column);
+ if (rdataset->type == 0) {
+ if (NXDOMAIN(rdataset))
+ RETERR(str_totext(";-$NXDOMAIN\n", target));
+ else
+ RETERR(str_totext(";-$NXRRSET\n", target));
+ } else {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_region_t r;
+
+ dns_rdataset_current(rdataset, &rdata);
+
+ RETERR(dns_rdata_tofmttext(&rdata,
+ ctx->origin,
+ ctx->style.flags,
+ ctx->style.line_length -
+ ctx->style.rdata_column,
+ ctx->linebreak,
+ target));
+
+ isc_buffer_availableregion(target, &r);
+ if (r.length < 1)
+ return (ISC_R_NOSPACE);
+ r.base[0] = '\n';
+ isc_buffer_add(target, 1);
+ }
+
+ first = ISC_FALSE;
+ result = dns_rdataset_next(rdataset);
+ } while (result == ISC_R_SUCCESS);
+
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ /*
+ * Update the ctx state to reflect what we just printed.
+ * This is done last, only when we are sure we will return
+ * success, because this function may be called multiple
+ * times with increasing buffer sizes until it succeeds,
+ * and failed attempts must not update the state prematurely.
+ */
+ ctx->class_printed = ISC_TRUE;
+ ctx->current_ttl= current_ttl;
+ ctx->current_ttl_valid = current_ttl_valid;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Print the name, type, and class of an empty rdataset,
+ * such as those used to represent the question section
+ * of a DNS message.
+ */
+static isc_result_t
+question_totext(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_totext_ctx_t *ctx,
+ isc_boolean_t omit_final_dot,
+ isc_buffer_t *target)
+{
+ unsigned int column;
+ isc_result_t result;
+ isc_region_t r;
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ result = dns_rdataset_first(rdataset);
+ REQUIRE(result == ISC_R_NOMORE);
+
+ column = 0;
+
+ /* Owner name */
+ {
+ unsigned int name_start = target->used;
+ RETERR(dns_name_totext(owner_name,
+ omit_final_dot,
+ target));
+ column += target->used - name_start;
+ }
+
+ /* Class */
+ {
+ unsigned int class_start;
+ INDENT_TO(class_column);
+ class_start = target->used;
+ result = dns_rdataclass_totext(rdataset->rdclass, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - class_start);
+ }
+
+ /* Type */
+ {
+ unsigned int type_start;
+ INDENT_TO(type_column);
+ type_start = target->used;
+ result = dns_rdatatype_totext(rdataset->type, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - type_start);
+ }
+
+ isc_buffer_availableregion(target, &r);
+ if (r.length < 1)
+ return (ISC_R_NOSPACE);
+ r.base[0] = '\n';
+ isc_buffer_add(target, 1);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_totext(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ isc_boolean_t omit_final_dot,
+ isc_boolean_t question,
+ isc_buffer_t *target)
+{
+ dns_totext_ctx_t ctx;
+ isc_result_t result;
+ result = totext_ctx_init(&dns_master_style_debug, &ctx);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "could not set master file style");
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * The caller might want to give us an empty owner
+ * name (e.g. if they are outputting into a master
+ * file and this rdataset has the same name as the
+ * previous one.)
+ */
+ if (dns_name_countlabels(owner_name) == 0)
+ owner_name = NULL;
+
+ if (question)
+ return (question_totext(rdataset, owner_name, &ctx,
+ omit_final_dot, target));
+ else
+ return (rdataset_totext(rdataset, owner_name, &ctx,
+ omit_final_dot, target));
+}
+
+isc_result_t
+dns_master_rdatasettotext(dns_name_t *owner_name,
+ dns_rdataset_t *rdataset,
+ const dns_master_style_t *style,
+ isc_buffer_t *target)
+{
+ dns_totext_ctx_t ctx;
+ isc_result_t result;
+ result = totext_ctx_init(style, &ctx);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "could not set master file style");
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (rdataset_totext(rdataset, owner_name, &ctx,
+ ISC_FALSE, target));
+}
+
+isc_result_t
+dns_master_questiontotext(dns_name_t *owner_name,
+ dns_rdataset_t *rdataset,
+ const dns_master_style_t *style,
+ isc_buffer_t *target)
+{
+ dns_totext_ctx_t ctx;
+ isc_result_t result;
+ result = totext_ctx_init(style, &ctx);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "could not set master file style");
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (question_totext(rdataset, owner_name, &ctx,
+ ISC_FALSE, target));
+}
+
+/*
+ * Print an rdataset. 'buffer' is a scratch buffer, which must have been
+ * dynamically allocated by the caller. It must be large enough to
+ * hold the result from dns_ttl_totext(). If more than that is needed,
+ * the buffer will be grown automatically.
+ */
+
+static isc_result_t
+dump_rdataset(isc_mem_t *mctx, dns_name_t *name, dns_rdataset_t *rdataset,
+ dns_totext_ctx_t *ctx,
+ isc_buffer_t *buffer, FILE *f)
+{
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE(buffer->length > 0);
+
+ /*
+ * Output a $TTL directive if needed.
+ */
+
+ if ((ctx->style.flags & DNS_STYLEFLAG_TTL) != 0) {
+ if (ctx->current_ttl_valid == ISC_FALSE ||
+ ctx->current_ttl != rdataset->ttl)
+ {
+ if ((ctx->style.flags & DNS_STYLEFLAG_COMMENT) != 0)
+ {
+ isc_buffer_clear(buffer);
+ result = dns_ttl_totext(rdataset->ttl,
+ ISC_TRUE, buffer);
+ INSIST(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(buffer, &r);
+ fprintf(f, "$TTL %u\t; %.*s\n", rdataset->ttl,
+ (int) r.length, (char *) r.base);
+ } else {
+ fprintf(f, "$TTL %u\n", rdataset->ttl);
+ }
+ ctx->current_ttl = rdataset->ttl;
+ ctx->current_ttl_valid = ISC_TRUE;
+ }
+ }
+
+ isc_buffer_clear(buffer);
+
+ /*
+ * Generate the text representation of the rdataset into
+ * the buffer. If the buffer is too small, grow it.
+ */
+ for (;;) {
+ int newlength;
+ void *newmem;
+ result = rdataset_totext(rdataset, name, ctx,
+ ISC_FALSE, buffer);
+ if (result != ISC_R_NOSPACE)
+ break;
+
+ newlength = buffer->length * 2;
+ newmem = isc_mem_get(mctx, newlength);
+ if (newmem == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_mem_put(mctx, buffer->base, buffer->length);
+ isc_buffer_init(buffer, newmem, newlength);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Write the buffer contents to the master file.
+ */
+ isc_buffer_usedregion(buffer, &r);
+ result = isc_stdio_write(r.base, 1, (size_t)r.length, f, NULL);
+
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "master file write failed: %s",
+ isc_result_totext(result));
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Define the order in which rdatasets should be printed in zone
+ * files. We will print SOA and NS records before others, SIGs
+ * immediately following the things they sign, and order everything
+ * else by RR number. This is all just for aesthetics and
+ * compatibility with buggy software that expects the SOA to be first;
+ * the DNS specifications allow any order.
+ */
+
+static int
+dump_order(const dns_rdataset_t *rds) {
+ int t;
+ int sig;
+ if (rds->type == dns_rdatatype_rrsig) {
+ t = rds->covers;
+ sig = 1;
+ } else {
+ t = rds->type;
+ sig = 0;
+ }
+ switch (t) {
+ case dns_rdatatype_soa:
+ t = 0;
+ break;
+ case dns_rdatatype_ns:
+ t = 1;
+ break;
+ default:
+ t += 2;
+ break;
+ }
+ return (t << 1) + sig;
+}
+
+static int
+dump_order_compare(const void *a, const void *b) {
+ return (dump_order(*((const dns_rdataset_t * const *) a)) -
+ dump_order(*((const dns_rdataset_t * const *) b)));
+}
+
+/*
+ * Dump all the rdatasets of a domain name to a master file. We make
+ * a "best effort" attempt to sort the RRsets in a nice order, but if
+ * there are more than MAXSORT RRsets, we punt and only sort them in
+ * groups of MAXSORT. This is not expected to ever happen in practice
+ * since much less than 64 RR types have been registered with the
+ * IANA, so far, and the output will be correct (though not
+ * aesthetically pleasing) even if it does happen.
+ */
+
+#define MAXSORT 64
+
+static const char *trustnames[] = {
+ "none",
+ "pending",
+ "additional",
+ "glue",
+ "answer",
+ "authauthority",
+ "authanswer",
+ "secure",
+ "local" /* aka ultimate */
+};
+
+static isc_result_t
+dump_rdatasets(isc_mem_t *mctx, dns_name_t *name, dns_rdatasetiter_t *rdsiter,
+ dns_totext_ctx_t *ctx,
+ isc_buffer_t *buffer, FILE *f)
+{
+ isc_result_t itresult, dumpresult;
+ isc_region_t r;
+ dns_rdataset_t rdatasets[MAXSORT];
+ dns_rdataset_t *sorted[MAXSORT];
+ int i, n;
+
+ itresult = dns_rdatasetiter_first(rdsiter);
+ dumpresult = ISC_R_SUCCESS;
+
+ if (itresult == ISC_R_SUCCESS && ctx->neworigin != NULL) {
+ isc_buffer_clear(buffer);
+ itresult = dns_name_totext(ctx->neworigin, ISC_FALSE, buffer);
+ RUNTIME_CHECK(itresult == ISC_R_SUCCESS);
+ isc_buffer_usedregion(buffer, &r);
+ fprintf(f, "$ORIGIN %.*s\n", (int) r.length, (char *) r.base);
+ ctx->neworigin = NULL;
+ }
+
+ again:
+ for (i = 0;
+ itresult == ISC_R_SUCCESS && i < MAXSORT;
+ itresult = dns_rdatasetiter_next(rdsiter), i++) {
+ dns_rdataset_init(&rdatasets[i]);
+ dns_rdatasetiter_current(rdsiter, &rdatasets[i]);
+ sorted[i] = &rdatasets[i];
+ }
+ n = i;
+ INSIST(n <= MAXSORT);
+
+ qsort(sorted, n, sizeof(sorted[0]), dump_order_compare);
+
+ for (i = 0; i < n; i++) {
+ dns_rdataset_t *rds = sorted[i];
+ if (ctx->style.flags & DNS_STYLEFLAG_TRUST) {
+ unsigned int trust = rds->trust;
+ INSIST(trust < (sizeof(trustnames) /
+ sizeof(trustnames[0])));
+ fprintf(f, "; %s\n", trustnames[trust]);
+ }
+ if (rds->type == 0 &&
+ (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
+ /* Omit negative cache entries */
+ } else {
+ isc_result_t result =
+ dump_rdataset(mctx, name, rds, ctx,
+ buffer, f);
+ if (result != ISC_R_SUCCESS)
+ dumpresult = result;
+ if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
+ name = NULL;
+ }
+ dns_rdataset_disassociate(rds);
+ }
+
+ if (dumpresult != ISC_R_SUCCESS)
+ return (dumpresult);
+
+ /*
+ * If we got more data than could be sorted at once,
+ * go handle the rest.
+ */
+ if (itresult == ISC_R_SUCCESS)
+ goto again;
+
+ if (itresult == ISC_R_NOMORE)
+ itresult = ISC_R_SUCCESS;
+
+ return (itresult);
+}
+
+
+/*
+ * Initial size of text conversion buffer. The buffer is used
+ * for several purposes: converting origin names, rdatasets,
+ * $DATE timestamps, and comment strings for $TTL directives.
+ *
+ * When converting rdatasets, it is dynamically resized, but
+ * when converting origins, timestamps, etc it is not. Therefore,
+ * the initial size must large enough to hold the longest possible
+ * text representation of any domain name (for $ORIGIN).
+ */
+static const int initial_buffer_length = 1200;
+
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx);
+
+static void
+dumpctx_destroy(dns_dumpctx_t *dctx) {
+
+ dctx->magic = 0;
+ DESTROYLOCK(&dctx->lock);
+ if (dctx->version != NULL)
+ dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
+ dns_dbiterator_destroy(&dctx->dbiter);
+ dns_db_detach(&dctx->db);
+ if (dctx->task != NULL)
+ isc_task_detach(&dctx->task);
+ if (dctx->file != NULL)
+ isc_mem_free(dctx->mctx, dctx->file);
+ if (dctx->tmpfile != NULL)
+ isc_mem_free(dctx->mctx, dctx->tmpfile);
+ isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(*dctx));
+}
+
+void
+dns_dumpctx_attach(dns_dumpctx_t *source, dns_dumpctx_t **target) {
+
+ REQUIRE(DNS_DCTX_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+
+ LOCK(&source->lock);
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0); /* Overflow? */
+ UNLOCK(&source->lock);
+
+ *target = source;
+}
+
+void
+dns_dumpctx_detach(dns_dumpctx_t **dctxp) {
+ dns_dumpctx_t *dctx;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(dctxp != NULL);
+ dctx = *dctxp;
+ REQUIRE(DNS_DCTX_VALID(dctx));
+
+ *dctxp = NULL;
+
+ LOCK(&dctx->lock);
+ INSIST(dctx->references != 0);
+ dctx->references--;
+ if (dctx->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&dctx->lock);
+ if (need_destroy)
+ dumpctx_destroy(dctx);
+}
+
+dns_dbversion_t *
+dns_dumpctx_version(dns_dumpctx_t *dctx) {
+ REQUIRE(DNS_DCTX_VALID(dctx));
+ return (dctx->version);
+}
+
+dns_db_t *
+dns_dumpctx_db(dns_dumpctx_t *dctx) {
+ REQUIRE(DNS_DCTX_VALID(dctx));
+ return (dctx->db);
+}
+
+void
+dns_dumpctx_cancel(dns_dumpctx_t *dctx) {
+ REQUIRE(DNS_DCTX_VALID(dctx));
+
+ LOCK(&dctx->lock);
+ dctx->canceled = ISC_TRUE;
+ UNLOCK(&dctx->lock);
+}
+
+static isc_result_t
+closeandrename(FILE *f, isc_result_t result, const char *temp, const char *file)
+{
+ isc_result_t tresult;
+ isc_boolean_t logit = ISC_TF(result == ISC_R_SUCCESS);
+
+ if (result == ISC_R_SUCCESS)
+ result = isc_stdio_sync(f);
+ if (result != ISC_R_SUCCESS && logit) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping master file: %s: fsync: %s",
+ temp, isc_result_totext(result));
+ logit = ISC_FALSE;
+ }
+ tresult = isc_stdio_close(f);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ if (result != ISC_R_SUCCESS && logit) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping master file: %s: fclose: %s",
+ temp, isc_result_totext(result));
+ logit = ISC_FALSE;
+ }
+ if (result == ISC_R_SUCCESS)
+ result = isc_file_rename(temp, file);
+ else
+ (void)isc_file_remove(temp);
+ if (result != ISC_R_SUCCESS && logit) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping master file: rename: %s: %s",
+ file, isc_result_totext(result));
+ }
+ return (result);
+}
+
+static void
+dump_quantum(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ isc_result_t tresult;
+ dns_dumpctx_t *dctx;
+
+ REQUIRE(event != NULL);
+ dctx = event->ev_arg;
+ REQUIRE(DNS_DCTX_VALID(dctx));
+ if (dctx->canceled)
+ result = ISC_R_CANCELED;
+ else
+ result = dumptostreaminc(dctx);
+ if (result == DNS_R_CONTINUE) {
+ event->ev_arg = dctx;
+ isc_task_send(task, &event);
+ return;
+ }
+
+ if (dctx->file != NULL) {
+ tresult = closeandrename(dctx->f, result,
+ dctx->tmpfile, dctx->file);
+ if (tresult != ISC_R_SUCCESS && result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+ (dctx->done)(dctx->done_arg, result);
+ isc_event_free(&event);
+ dns_dumpctx_detach(&dctx);
+}
+
+static isc_result_t
+task_send(dns_dumpctx_t *dctx) {
+ isc_event_t *event;
+
+ event = isc_event_allocate(dctx->mctx, NULL, DNS_EVENT_DUMPQUANTUM,
+ dump_quantum, dctx, sizeof(*event));
+ if (event == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_task_send(dctx->task, &event);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ const dns_master_style_t *style, FILE *f, dns_dumpctx_t **dctxp)
+{
+ dns_dumpctx_t *dctx;
+ isc_result_t result;
+ isc_boolean_t relative;
+
+ dctx = isc_mem_get(mctx, sizeof(*dctx));
+ if (dctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dctx->mctx = NULL;
+ dctx->f = f;
+ dctx->dbiter = NULL;
+ dctx->db = NULL;
+ dctx->version = NULL;
+ dctx->done = NULL;
+ dctx->done_arg = NULL;
+ dctx->task = NULL;
+ dctx->nodes = 0;
+ dctx->first = ISC_TRUE;
+ dctx->canceled = ISC_FALSE;
+ dctx->file = NULL;
+ dctx->tmpfile = NULL;
+
+ result = totext_ctx_init(style, &dctx->tctx);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "could not set master file style");
+ goto cleanup;
+ }
+
+ isc_stdtime_get(&dctx->now);
+ dns_db_attach(db, &dctx->db);
+
+ dctx->do_date = dns_db_iscache(dctx->db);
+
+ relative = ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) ?
+ ISC_TRUE : ISC_FALSE;
+ result = dns_db_createiterator(dctx->db, relative, &dctx->dbiter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_mutex_init(&dctx->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (version != NULL)
+ dns_db_attachversion(dctx->db, version, &dctx->version);
+ else if (!dns_db_iscache(db))
+ dns_db_currentversion(dctx->db, &dctx->version);
+ isc_mem_attach(mctx, &dctx->mctx);
+ dctx->references = 1;
+ dctx->magic = DNS_DCTX_MAGIC;
+ *dctxp = dctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (dctx->dbiter != NULL)
+ dns_dbiterator_destroy(&dctx->dbiter);
+ if (dctx->db != NULL)
+ dns_db_detach(&dctx->db);
+ if (dctx != NULL)
+ isc_mem_put(mctx, dctx, sizeof(*dctx));
+ return (result);
+}
+
+static isc_result_t
+dumptostreaminc(dns_dumpctx_t *dctx) {
+ isc_result_t result;
+ isc_buffer_t buffer;
+ char *bufmem;
+ isc_region_t r;
+ dns_name_t *name;
+ dns_fixedname_t fixname;
+ unsigned int nodes;
+
+ bufmem = isc_mem_get(dctx->mctx, initial_buffer_length);
+ if (bufmem == NULL)
+ return (ISC_R_NOMEMORY);
+
+ isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+ dns_fixedname_init(&fixname);
+ name = dns_fixedname_name(&fixname);
+
+ if (dctx->first) {
+ /*
+ * If the database has cache semantics, output an RFC2540
+ * $DATE directive so that the TTLs can be adjusted when
+ * it is reloaded. For zones it is not really needed, and
+ * it would make the file incompatible with pre-RFC2540
+ * software, so we omit it in the zone case.
+ */
+ if (dctx->do_date) {
+ result = dns_time32_totext(dctx->now, &buffer);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ isc_buffer_usedregion(&buffer, &r);
+ fprintf(dctx->f, "$DATE %.*s\n",
+ (int) r.length, (char *) r.base);
+ }
+ result = dns_dbiterator_first(dctx->dbiter);
+ dctx->first = ISC_FALSE;
+ } else
+ result = ISC_R_SUCCESS;
+
+ nodes = dctx->nodes;
+ while (result == ISC_R_SUCCESS && (dctx->nodes == 0 || nodes--)) {
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_dbnode_t *node = NULL;
+
+ result = dns_dbiterator_current(dctx->dbiter, &node, name);
+ if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN)
+ break;
+ if (result == DNS_R_NEWORIGIN) {
+ dns_name_t *origin =
+ dns_fixedname_name(&dctx->tctx.origin_fixname);
+ result = dns_dbiterator_origin(dctx->dbiter, origin);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ if ((dctx->tctx.style.flags & DNS_STYLEFLAG_REL_DATA) != 0)
+ dctx->tctx.origin = origin;
+ dctx->tctx.neworigin = origin;
+ }
+ result = dns_db_allrdatasets(dctx->db, node, dctx->version,
+ dctx->now, &rdsiter);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(dctx->db, &node);
+ goto fail;
+ }
+ result = dump_rdatasets(dctx->mctx, name, rdsiter, &dctx->tctx,
+ &buffer, dctx->f);
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result != ISC_R_SUCCESS) {
+ dns_db_detachnode(dctx->db, &node);
+ goto fail;
+ }
+ dns_db_detachnode(dctx->db, &node);
+ result = dns_dbiterator_next(dctx->dbiter);
+ }
+
+ if (dctx->nodes != 0 && result == ISC_R_SUCCESS) {
+ dns_dbiterator_pause(dctx->dbiter);
+ result = DNS_R_CONTINUE;
+ } else if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ fail:
+ isc_mem_put(dctx->mctx, buffer.base, buffer.length);
+ return (result);
+}
+
+isc_result_t
+dns_master_dumptostreaminc(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ const dns_master_style_t *style,
+ FILE *f, isc_task_t *task,
+ dns_dumpdonefunc_t done, void *done_arg,
+ dns_dumpctx_t **dctxp)
+{
+ dns_dumpctx_t *dctx = NULL;
+ isc_result_t result;
+
+ REQUIRE(task != NULL);
+ REQUIRE(f != NULL);
+ REQUIRE(done != NULL);
+
+ result = dumpctx_create(mctx, db, version, style, f, &dctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_task_attach(task, &dctx->task);
+ dctx->done = done;
+ dctx->done_arg = done_arg;
+ dctx->nodes = 100;
+
+ result = task_send(dctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_dumpctx_attach(dctx, dctxp);
+ return (DNS_R_CONTINUE);
+ }
+ if (dctx != NULL)
+ dns_dumpctx_detach(&dctx);
+
+ return (result);
+}
+
+/*
+ * Dump an entire database into a master file.
+ */
+isc_result_t
+dns_master_dumptostream(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ const dns_master_style_t *style,
+ FILE *f)
+{
+ dns_dumpctx_t *dctx = NULL;
+ isc_result_t result;
+
+ result = dumpctx_create(mctx, db, version, style, f, &dctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dumptostreaminc(dctx);
+ INSIST(result != DNS_R_CONTINUE);
+ dns_dumpctx_detach(&dctx);
+ return (result);
+}
+
+static isc_result_t
+opentmp(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
+ FILE *f = NULL;
+ isc_result_t result;
+ char *tempname = NULL;
+ int tempnamelen;
+
+ tempnamelen = strlen(file) + 20;
+ tempname = isc_mem_allocate(mctx, tempnamelen);
+ if (tempname == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_file_mktemplate(file, tempname, tempnamelen);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_file_openunique(tempname, &f);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping master file: %s: open: %s",
+ tempname, isc_result_totext(result));
+ goto cleanup;
+ }
+ *tempp = tempname;
+ *fp = f;
+ return (ISC_R_SUCCESS);
+
+cleanup:
+ isc_mem_free(mctx, tempname);
+ return (result);
+}
+
+isc_result_t
+dns_master_dumpinc(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ const dns_master_style_t *style, const char *filename,
+ isc_task_t *task, dns_dumpdonefunc_t done, void *done_arg,
+ dns_dumpctx_t **dctxp)
+{
+ FILE *f = NULL;
+ isc_result_t result;
+ char *tempname = NULL;
+ char *file = NULL;
+ dns_dumpctx_t *dctx = NULL;
+
+ file = isc_mem_strdup(mctx, filename);
+ if (file == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = opentmp(mctx, filename, &tempname, &f);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dumpctx_create(mctx, db, version, style, f, &dctx);
+ if (result != ISC_R_SUCCESS) {
+ (void)isc_stdio_close(f);
+ (void)isc_file_remove(tempname);
+ goto cleanup;
+ }
+
+ isc_task_attach(task, &dctx->task);
+ dctx->done = done;
+ dctx->done_arg = done_arg;
+ dctx->nodes = 100;
+ dctx->file = file;
+ file = NULL;
+ dctx->tmpfile = tempname;
+ tempname = NULL;
+
+ result = task_send(dctx);
+ if (result == ISC_R_SUCCESS) {
+ dns_dumpctx_attach(dctx, dctxp);
+ return (DNS_R_CONTINUE);
+ }
+
+ cleanup:
+ if (dctx != NULL)
+ dns_dumpctx_detach(&dctx);
+ if (file != NULL)
+ isc_mem_free(mctx, file);
+ if (tempname != NULL)
+ isc_mem_free(mctx, tempname);
+ return (result);
+}
+
+isc_result_t
+dns_master_dump(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ const dns_master_style_t *style, const char *filename)
+{
+ FILE *f = NULL;
+ isc_result_t result;
+ char *tempname;
+ dns_dumpctx_t *dctx = NULL;
+
+ result = opentmp(mctx, filename, &tempname, &f);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dumpctx_create(mctx, db, version, style, f, &dctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dumptostreaminc(dctx);
+ INSIST(result != DNS_R_CONTINUE);
+ dns_dumpctx_detach(&dctx);
+
+ result = closeandrename(f, result, tempname, filename);
+
+ cleanup:
+ isc_mem_free(mctx, tempname);
+ return (result);
+}
+
+/*
+ * Dump a database node into a master file.
+ */
+isc_result_t
+dns_master_dumpnodetostream(isc_mem_t *mctx, dns_db_t *db,
+ dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *name,
+ const dns_master_style_t *style,
+ FILE *f)
+{
+ isc_result_t result;
+ isc_buffer_t buffer;
+ char *bufmem;
+ isc_stdtime_t now;
+ dns_totext_ctx_t ctx;
+ dns_rdatasetiter_t *rdsiter = NULL;
+
+ result = totext_ctx_init(style, &ctx);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "could not set master file style");
+ return (ISC_R_UNEXPECTED);
+ }
+
+ isc_stdtime_get(&now);
+
+ bufmem = isc_mem_get(mctx, initial_buffer_length);
+ if (bufmem == NULL)
+ return (ISC_R_NOMEMORY);
+
+ isc_buffer_init(&buffer, bufmem, initial_buffer_length);
+
+ result = dns_db_allrdatasets(db, node, version, now, &rdsiter);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ result = dump_rdatasets(mctx, name, rdsiter, &ctx, &buffer, f);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ dns_rdatasetiter_destroy(&rdsiter);
+
+ result = ISC_R_SUCCESS;
+
+ failure:
+ isc_mem_put(mctx, buffer.base, buffer.length);
+ return (result);
+}
+
+isc_result_t
+dns_master_dumpnode(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *name,
+ const dns_master_style_t *style, const char *filename)
+{
+ FILE *f = NULL;
+ isc_result_t result;
+
+ result = isc_stdio_open(filename, "w", &f);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping node to file: %s: open: %s", filename,
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = dns_master_dumpnodetostream(mctx, db, version, node, name,
+ style, f);
+
+ result = isc_stdio_close(f);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MASTERDUMP, ISC_LOG_ERROR,
+ "dumping master file: %s: close: %s", filename,
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_master_stylecreate(dns_master_style_t **stylep, unsigned int flags,
+ unsigned int ttl_column, unsigned int class_column,
+ unsigned int type_column, unsigned int rdata_column,
+ unsigned int line_length, unsigned int tab_width,
+ isc_mem_t *mctx)
+{
+ dns_master_style_t *style;
+
+ REQUIRE(stylep != NULL && *stylep == NULL);
+ style = isc_mem_get(mctx, sizeof(*style));
+ if (style == NULL)
+ return (ISC_R_NOMEMORY);
+
+ style->flags = flags;
+ style->ttl_column = ttl_column;
+ style->class_column = class_column;
+ style->type_column = type_column;
+ style->rdata_column = rdata_column;
+ style->line_length = line_length;
+ style->tab_width = tab_width;
+
+ *stylep = style;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_master_styledestroy(dns_master_style_t **stylep, isc_mem_t *mctx) {
+ dns_master_style_t *style;
+
+ REQUIRE(stylep != NULL && *stylep != NULL);
+ style = *stylep;
+ *stylep = NULL;
+ isc_mem_put(mctx, style, sizeof(*style));
+}
+
diff --git a/contrib/bind9/lib/dns/message.c b/contrib/bind9/lib/dns/message.c
new file mode 100644
index 0000000..badde6e
--- /dev/null
+++ b/contrib/bind9/lib/dns/message.c
@@ -0,0 +1,3160 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: message.c,v 1.194.2.10.2.17 2004/05/05 01:32:16 marka Exp $ */
+
+/***
+ *** Imports
+ ***/
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/opcode.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+
+#define DNS_MESSAGE_OPCODE_MASK 0x7800U
+#define DNS_MESSAGE_OPCODE_SHIFT 11
+#define DNS_MESSAGE_RCODE_MASK 0x000fU
+#define DNS_MESSAGE_FLAG_MASK 0x8ff0U
+#define DNS_MESSAGE_EDNSRCODE_MASK 0xff000000U
+#define DNS_MESSAGE_EDNSRCODE_SHIFT 24
+#define DNS_MESSAGE_EDNSVERSION_MASK 0x00ff0000U
+#define DNS_MESSAGE_EDNSVERSION_SHIFT 16
+
+#define VALID_NAMED_SECTION(s) (((s) > DNS_SECTION_ANY) \
+ && ((s) < DNS_SECTION_MAX))
+#define VALID_SECTION(s) (((s) >= DNS_SECTION_ANY) \
+ && ((s) < DNS_SECTION_MAX))
+#define ADD_STRING(b, s) {if (strlen(s) >= \
+ isc_buffer_availablelength(b)) \
+ return(ISC_R_NOSPACE); else \
+ isc_buffer_putstr(b, s);}
+#define VALID_PSEUDOSECTION(s) (((s) >= DNS_PSEUDOSECTION_ANY) \
+ && ((s) < DNS_PSEUDOSECTION_MAX))
+
+/*
+ * This is the size of each individual scratchpad buffer, and the numbers
+ * of various block allocations used within the server.
+ * XXXMLG These should come from a config setting.
+ */
+#define SCRATCHPAD_SIZE 512
+#define NAME_COUNT 8
+#define OFFSET_COUNT 4
+#define RDATA_COUNT 8
+#define RDATALIST_COUNT 8
+#define RDATASET_COUNT RDATALIST_COUNT
+
+/*
+ * Text representation of the different items, for message_totext
+ * functions.
+ */
+static const char *sectiontext[] = {
+ "QUESTION",
+ "ANSWER",
+ "AUTHORITY",
+ "ADDITIONAL"
+};
+
+static const char *updsectiontext[] = {
+ "ZONE",
+ "PREREQUISITE",
+ "UPDATE",
+ "ADDITIONAL"
+};
+
+static const char *opcodetext[] = {
+ "QUERY",
+ "IQUERY",
+ "STATUS",
+ "RESERVED3",
+ "NOTIFY",
+ "UPDATE",
+ "RESERVED6",
+ "RESERVED7",
+ "RESERVED8",
+ "RESERVED9",
+ "RESERVED10",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15"
+};
+
+static const char *rcodetext[] = {
+ "NOERROR",
+ "FORMERR",
+ "SERVFAIL",
+ "NXDOMAIN",
+ "NOTIMP",
+ "REFUSED",
+ "YXDOMAIN",
+ "YXRRSET",
+ "NXRRSET",
+ "NOTAUTH",
+ "NOTZONE",
+ "RESERVED11",
+ "RESERVED12",
+ "RESERVED13",
+ "RESERVED14",
+ "RESERVED15",
+ "BADVERS"
+};
+
+
+/*
+ * "helper" type, which consists of a block of some type, and is linkable.
+ * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
+ * size, or the allocated elements will not be alligned correctly.
+ */
+struct dns_msgblock {
+ unsigned int count;
+ unsigned int remaining;
+ ISC_LINK(dns_msgblock_t) link;
+}; /* dynamically sized */
+
+static inline dns_msgblock_t *
+msgblock_allocate(isc_mem_t *, unsigned int, unsigned int);
+
+#define msgblock_get(block, type) \
+ ((type *)msgblock_internalget(block, sizeof(type)))
+
+static inline void *
+msgblock_internalget(dns_msgblock_t *, unsigned int);
+
+static inline void
+msgblock_reset(dns_msgblock_t *);
+
+static inline void
+msgblock_free(isc_mem_t *, dns_msgblock_t *, unsigned int);
+
+/*
+ * Allocate a new dns_msgblock_t, and return a pointer to it. If no memory
+ * is free, return NULL.
+ */
+static inline dns_msgblock_t *
+msgblock_allocate(isc_mem_t *mctx, unsigned int sizeof_type,
+ unsigned int count)
+{
+ dns_msgblock_t *block;
+ unsigned int length;
+
+ length = sizeof(dns_msgblock_t) + (sizeof_type * count);
+
+ block = isc_mem_get(mctx, length);
+ if (block == NULL)
+ return (NULL);
+
+ block->count = count;
+ block->remaining = count;
+
+ ISC_LINK_INIT(block, link);
+
+ return (block);
+}
+
+/*
+ * Return an element from the msgblock. If no more are available, return
+ * NULL.
+ */
+static inline void *
+msgblock_internalget(dns_msgblock_t *block, unsigned int sizeof_type) {
+ void *ptr;
+
+ if (block == NULL || block->remaining == 0)
+ return (NULL);
+
+ block->remaining--;
+
+ ptr = (((unsigned char *)block)
+ + sizeof(dns_msgblock_t)
+ + (sizeof_type * block->remaining));
+
+ return (ptr);
+}
+
+static inline void
+msgblock_reset(dns_msgblock_t *block) {
+ block->remaining = block->count;
+}
+
+/*
+ * Release memory associated with a message block.
+ */
+static inline void
+msgblock_free(isc_mem_t *mctx, dns_msgblock_t *block, unsigned int sizeof_type)
+{
+ unsigned int length;
+
+ length = sizeof(dns_msgblock_t) + (sizeof_type * block->count);
+
+ isc_mem_put(mctx, block, length);
+}
+
+/*
+ * Allocate a new dynamic buffer, and attach it to this message as the
+ * "current" buffer. (which is always the last on the list, for our
+ * uses)
+ */
+static inline isc_result_t
+newbuffer(dns_message_t *msg, unsigned int size) {
+ isc_result_t result;
+ isc_buffer_t *dynbuf;
+
+ dynbuf = NULL;
+ result = isc_buffer_allocate(msg->mctx, &dynbuf, size);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_NOMEMORY);
+
+ ISC_LIST_APPEND(msg->scratchpad, dynbuf, link);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_buffer_t *
+currentbuffer(dns_message_t *msg) {
+ isc_buffer_t *dynbuf;
+
+ dynbuf = ISC_LIST_TAIL(msg->scratchpad);
+ INSIST(dynbuf != NULL);
+
+ return (dynbuf);
+}
+
+static inline void
+releaserdata(dns_message_t *msg, dns_rdata_t *rdata) {
+ ISC_LIST_PREPEND(msg->freerdata, rdata, link);
+}
+
+static inline dns_rdata_t *
+newrdata(dns_message_t *msg) {
+ dns_msgblock_t *msgblock;
+ dns_rdata_t *rdata;
+
+ rdata = ISC_LIST_HEAD(msg->freerdata);
+ if (rdata != NULL) {
+ ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+ return (rdata);
+ }
+
+ msgblock = ISC_LIST_TAIL(msg->rdatas);
+ rdata = msgblock_get(msgblock, dns_rdata_t);
+ if (rdata == NULL) {
+ msgblock = msgblock_allocate(msg->mctx, sizeof(dns_rdata_t),
+ RDATA_COUNT);
+ if (msgblock == NULL)
+ return (NULL);
+
+ ISC_LIST_APPEND(msg->rdatas, msgblock, link);
+
+ rdata = msgblock_get(msgblock, dns_rdata_t);
+ }
+
+ dns_rdata_init(rdata);
+ return (rdata);
+}
+
+static inline void
+releaserdatalist(dns_message_t *msg, dns_rdatalist_t *rdatalist) {
+ ISC_LIST_PREPEND(msg->freerdatalist, rdatalist, link);
+}
+
+static inline dns_rdatalist_t *
+newrdatalist(dns_message_t *msg) {
+ dns_msgblock_t *msgblock;
+ dns_rdatalist_t *rdatalist;
+
+ rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+ if (rdatalist != NULL) {
+ ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+ return (rdatalist);
+ }
+
+ msgblock = ISC_LIST_TAIL(msg->rdatalists);
+ rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+ if (rdatalist == NULL) {
+ msgblock = msgblock_allocate(msg->mctx,
+ sizeof(dns_rdatalist_t),
+ RDATALIST_COUNT);
+ if (msgblock == NULL)
+ return (NULL);
+
+ ISC_LIST_APPEND(msg->rdatalists, msgblock, link);
+
+ rdatalist = msgblock_get(msgblock, dns_rdatalist_t);
+ }
+
+ return (rdatalist);
+}
+
+static inline dns_offsets_t *
+newoffsets(dns_message_t *msg) {
+ dns_msgblock_t *msgblock;
+ dns_offsets_t *offsets;
+
+ msgblock = ISC_LIST_TAIL(msg->offsets);
+ offsets = msgblock_get(msgblock, dns_offsets_t);
+ if (offsets == NULL) {
+ msgblock = msgblock_allocate(msg->mctx,
+ sizeof(dns_offsets_t),
+ OFFSET_COUNT);
+ if (msgblock == NULL)
+ return (NULL);
+
+ ISC_LIST_APPEND(msg->offsets, msgblock, link);
+
+ offsets = msgblock_get(msgblock, dns_offsets_t);
+ }
+
+ return (offsets);
+}
+
+static inline void
+msginitheader(dns_message_t *m) {
+ m->id = 0;
+ m->flags = 0;
+ m->rcode = 0;
+ m->opcode = 0;
+ m->rdclass = 0;
+}
+
+static inline void
+msginitprivate(dns_message_t *m) {
+ unsigned int i;
+
+ for (i = 0; i < DNS_SECTION_MAX; i++) {
+ m->cursors[i] = NULL;
+ m->counts[i] = 0;
+ }
+ m->opt = NULL;
+ m->sig0 = NULL;
+ m->sig0name = NULL;
+ m->tsig = NULL;
+ m->tsigname = NULL;
+ m->state = DNS_SECTION_ANY; /* indicate nothing parsed or rendered */
+ m->opt_reserved = 0;
+ m->sig_reserved = 0;
+ m->reserved = 0;
+ m->buffer = NULL;
+}
+
+static inline void
+msginittsig(dns_message_t *m) {
+ m->tsigstatus = dns_rcode_noerror;
+ m->querytsigstatus = dns_rcode_noerror;
+ m->tsigkey = NULL;
+ m->tsigctx = NULL;
+ m->sigstart = -1;
+ m->sig0key = NULL;
+ m->sig0status = dns_rcode_noerror;
+ m->timeadjust = 0;
+}
+
+/*
+ * Init elements to default state. Used both when allocating a new element
+ * and when resetting one.
+ */
+static inline void
+msginit(dns_message_t *m) {
+ msginitheader(m);
+ msginitprivate(m);
+ msginittsig(m);
+ m->header_ok = 0;
+ m->question_ok = 0;
+ m->tcp_continuation = 0;
+ m->verified_sig = 0;
+ m->verify_attempted = 0;
+ m->order = NULL;
+ m->order_arg = NULL;
+ m->query.base = NULL;
+ m->query.length = 0;
+ m->free_query = 0;
+ m->saved.base = NULL;
+ m->saved.length = 0;
+ m->free_saved = 0;
+ m->querytsig = NULL;
+}
+
+static inline void
+msgresetnames(dns_message_t *msg, unsigned int first_section) {
+ unsigned int i;
+ dns_name_t *name, *next_name;
+ dns_rdataset_t *rds, *next_rds;
+
+ /*
+ * Clean up name lists by calling the rdataset disassociate function.
+ */
+ for (i = first_section; i < DNS_SECTION_MAX; i++) {
+ name = ISC_LIST_HEAD(msg->sections[i]);
+ while (name != NULL) {
+ next_name = ISC_LIST_NEXT(name, link);
+ ISC_LIST_UNLINK(msg->sections[i], name, link);
+
+ rds = ISC_LIST_HEAD(name->list);
+ while (rds != NULL) {
+ next_rds = ISC_LIST_NEXT(rds, link);
+ ISC_LIST_UNLINK(name->list, rds, link);
+
+ INSIST(dns_rdataset_isassociated(rds));
+ dns_rdataset_disassociate(rds);
+ isc_mempool_put(msg->rdspool, rds);
+ rds = next_rds;
+ }
+ if (dns_name_dynamic(name))
+ dns_name_free(name, msg->mctx);
+ isc_mempool_put(msg->namepool, name);
+ name = next_name;
+ }
+ }
+}
+
+static void
+msgresetopt(dns_message_t *msg)
+{
+ if (msg->opt != NULL) {
+ if (msg->opt_reserved > 0) {
+ dns_message_renderrelease(msg, msg->opt_reserved);
+ msg->opt_reserved = 0;
+ }
+ INSIST(dns_rdataset_isassociated(msg->opt));
+ dns_rdataset_disassociate(msg->opt);
+ isc_mempool_put(msg->rdspool, msg->opt);
+ msg->opt = NULL;
+ }
+}
+
+static void
+msgresetsigs(dns_message_t *msg, isc_boolean_t replying) {
+ if (msg->sig_reserved > 0) {
+ dns_message_renderrelease(msg, msg->sig_reserved);
+ msg->sig_reserved = 0;
+ }
+ if (msg->tsig != NULL) {
+ INSIST(dns_rdataset_isassociated(msg->tsig));
+ INSIST(msg->namepool != NULL);
+ if (replying) {
+ INSIST(msg->querytsig == NULL);
+ msg->querytsig = msg->tsig;
+ } else {
+ dns_rdataset_disassociate(msg->tsig);
+ isc_mempool_put(msg->rdspool, msg->tsig);
+ if (msg->querytsig != NULL) {
+ dns_rdataset_disassociate(msg->querytsig);
+ isc_mempool_put(msg->rdspool, msg->querytsig);
+ }
+ }
+ if (dns_name_dynamic(msg->tsigname))
+ dns_name_free(msg->tsigname, msg->mctx);
+ isc_mempool_put(msg->namepool, msg->tsigname);
+ msg->tsig = NULL;
+ msg->tsigname = NULL;
+ } else if (msg->querytsig != NULL && !replying) {
+ dns_rdataset_disassociate(msg->querytsig);
+ isc_mempool_put(msg->rdspool, msg->querytsig);
+ msg->querytsig = NULL;
+ }
+ if (msg->sig0 != NULL) {
+ INSIST(dns_rdataset_isassociated(msg->sig0));
+ dns_rdataset_disassociate(msg->sig0);
+ isc_mempool_put(msg->rdspool, msg->sig0);
+ if (msg->sig0name != NULL) {
+ if (dns_name_dynamic(msg->sig0name))
+ dns_name_free(msg->sig0name, msg->mctx);
+ isc_mempool_put(msg->namepool, msg->sig0name);
+ }
+ msg->sig0 = NULL;
+ msg->sig0name = NULL;
+ }
+}
+
+/*
+ * Free all but one (or everything) for this message. This is used by
+ * both dns_message_reset() and dns_message_destroy().
+ */
+static void
+msgreset(dns_message_t *msg, isc_boolean_t everything) {
+ dns_msgblock_t *msgblock, *next_msgblock;
+ isc_buffer_t *dynbuf, *next_dynbuf;
+ dns_rdata_t *rdata;
+ dns_rdatalist_t *rdatalist;
+
+ msgresetnames(msg, 0);
+ msgresetopt(msg);
+ msgresetsigs(msg, ISC_FALSE);
+
+ /*
+ * Clean up linked lists.
+ */
+
+ /*
+ * Run through the free lists, and just unlink anything found there.
+ * The memory isn't lost since these are part of message blocks we
+ * have allocated.
+ */
+ rdata = ISC_LIST_HEAD(msg->freerdata);
+ while (rdata != NULL) {
+ ISC_LIST_UNLINK(msg->freerdata, rdata, link);
+ rdata = ISC_LIST_HEAD(msg->freerdata);
+ }
+ rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+ while (rdatalist != NULL) {
+ ISC_LIST_UNLINK(msg->freerdatalist, rdatalist, link);
+ rdatalist = ISC_LIST_HEAD(msg->freerdatalist);
+ }
+
+ dynbuf = ISC_LIST_HEAD(msg->scratchpad);
+ INSIST(dynbuf != NULL);
+ if (!everything) {
+ isc_buffer_clear(dynbuf);
+ dynbuf = ISC_LIST_NEXT(dynbuf, link);
+ }
+ while (dynbuf != NULL) {
+ next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+ ISC_LIST_UNLINK(msg->scratchpad, dynbuf, link);
+ isc_buffer_free(&dynbuf);
+ dynbuf = next_dynbuf;
+ }
+
+ msgblock = ISC_LIST_HEAD(msg->rdatas);
+ if (!everything && msgblock != NULL) {
+ msgblock_reset(msgblock);
+ msgblock = ISC_LIST_NEXT(msgblock, link);
+ }
+ while (msgblock != NULL) {
+ next_msgblock = ISC_LIST_NEXT(msgblock, link);
+ ISC_LIST_UNLINK(msg->rdatas, msgblock, link);
+ msgblock_free(msg->mctx, msgblock, sizeof(dns_rdata_t));
+ msgblock = next_msgblock;
+ }
+
+ /*
+ * rdatalists could be empty.
+ */
+
+ msgblock = ISC_LIST_HEAD(msg->rdatalists);
+ if (!everything && msgblock != NULL) {
+ msgblock_reset(msgblock);
+ msgblock = ISC_LIST_NEXT(msgblock, link);
+ }
+ while (msgblock != NULL) {
+ next_msgblock = ISC_LIST_NEXT(msgblock, link);
+ ISC_LIST_UNLINK(msg->rdatalists, msgblock, link);
+ msgblock_free(msg->mctx, msgblock, sizeof(dns_rdatalist_t));
+ msgblock = next_msgblock;
+ }
+
+ msgblock = ISC_LIST_HEAD(msg->offsets);
+ if (!everything && msgblock != NULL) {
+ msgblock_reset(msgblock);
+ msgblock = ISC_LIST_NEXT(msgblock, link);
+ }
+ while (msgblock != NULL) {
+ next_msgblock = ISC_LIST_NEXT(msgblock, link);
+ ISC_LIST_UNLINK(msg->offsets, msgblock, link);
+ msgblock_free(msg->mctx, msgblock, sizeof(dns_offsets_t));
+ msgblock = next_msgblock;
+ }
+
+ if (msg->tsigkey != NULL) {
+ dns_tsigkey_detach(&msg->tsigkey);
+ msg->tsigkey = NULL;
+ }
+
+ if (msg->query.base != NULL) {
+ if (msg->free_query != 0)
+ isc_mem_put(msg->mctx, msg->query.base,
+ msg->query.length);
+ msg->query.base = NULL;
+ msg->query.length = 0;
+ }
+
+ if (msg->saved.base != NULL) {
+ if (msg->free_saved != 0)
+ isc_mem_put(msg->mctx, msg->saved.base,
+ msg->saved.length);
+ msg->saved.base = NULL;
+ msg->saved.length = 0;
+ }
+
+ /*
+ * cleanup the buffer cleanup list
+ */
+ dynbuf = ISC_LIST_HEAD(msg->cleanup);
+ while (dynbuf != NULL) {
+ next_dynbuf = ISC_LIST_NEXT(dynbuf, link);
+ ISC_LIST_UNLINK(msg->cleanup, dynbuf, link);
+ isc_buffer_free(&dynbuf);
+ dynbuf = next_dynbuf;
+ }
+
+ /*
+ * Set other bits to normal default values.
+ */
+ if (!everything)
+ msginit(msg);
+
+ ENSURE(isc_mempool_getallocated(msg->namepool) == 0);
+ ENSURE(isc_mempool_getallocated(msg->rdspool) == 0);
+}
+
+static unsigned int
+spacefortsig(dns_tsigkey_t *key, int otherlen) {
+ isc_region_t r1, r2;
+ unsigned int x;
+ isc_result_t result;
+
+ /*
+ * The space required for an TSIG record is:
+ *
+ * n1 bytes for the name
+ * 2 bytes for the type
+ * 2 bytes for the class
+ * 4 bytes for the ttl
+ * 2 bytes for the rdlength
+ * n2 bytes for the algorithm name
+ * 6 bytes for the time signed
+ * 2 bytes for the fudge
+ * 2 bytes for the MAC size
+ * x bytes for the MAC
+ * 2 bytes for the original id
+ * 2 bytes for the error
+ * 2 bytes for the other data length
+ * y bytes for the other data (at most)
+ * ---------------------------------
+ * 26 + n1 + n2 + x + y bytes
+ */
+
+ dns_name_toregion(&key->name, &r1);
+ dns_name_toregion(key->algorithm, &r2);
+ if (key->key == NULL)
+ x = 0;
+ else {
+ result = dst_key_sigsize(key->key, &x);
+ if (result != ISC_R_SUCCESS)
+ x = 0;
+ }
+ return (26 + r1.length + r2.length + x + otherlen);
+}
+
+isc_result_t
+dns_message_create(isc_mem_t *mctx, unsigned int intent, dns_message_t **msgp)
+{
+ dns_message_t *m;
+ isc_result_t result;
+ isc_buffer_t *dynbuf;
+ unsigned int i;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(msgp != NULL);
+ REQUIRE(*msgp == NULL);
+ REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
+ || intent == DNS_MESSAGE_INTENTRENDER);
+
+ m = isc_mem_get(mctx, sizeof(dns_message_t));
+ if (m == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /*
+ * No allocations until further notice. Just initialize all lists
+ * and other members that are freed in the cleanup phase here.
+ */
+
+ m->magic = DNS_MESSAGE_MAGIC;
+ m->from_to_wire = intent;
+ msginit(m);
+
+ for (i = 0; i < DNS_SECTION_MAX; i++)
+ ISC_LIST_INIT(m->sections[i]);
+ m->mctx = mctx;
+
+ ISC_LIST_INIT(m->scratchpad);
+ ISC_LIST_INIT(m->cleanup);
+ m->namepool = NULL;
+ m->rdspool = NULL;
+ ISC_LIST_INIT(m->rdatas);
+ ISC_LIST_INIT(m->rdatalists);
+ ISC_LIST_INIT(m->offsets);
+ ISC_LIST_INIT(m->freerdata);
+ ISC_LIST_INIT(m->freerdatalist);
+
+ /*
+ * Ok, it is safe to allocate (and then "goto cleanup" if failure)
+ */
+
+ result = isc_mempool_create(m->mctx, sizeof(dns_name_t), &m->namepool);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_mempool_setfreemax(m->namepool, NAME_COUNT);
+ isc_mempool_setname(m->namepool, "msg:names");
+
+ result = isc_mempool_create(m->mctx, sizeof(dns_rdataset_t),
+ &m->rdspool);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_mempool_setfreemax(m->rdspool, NAME_COUNT);
+ isc_mempool_setname(m->rdspool, "msg:rdataset");
+
+ dynbuf = NULL;
+ result = isc_buffer_allocate(mctx, &dynbuf, SCRATCHPAD_SIZE);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ ISC_LIST_APPEND(m->scratchpad, dynbuf, link);
+
+ m->cctx = NULL;
+
+ *msgp = m;
+ return (ISC_R_SUCCESS);
+
+ /*
+ * Cleanup for error returns.
+ */
+ cleanup:
+ dynbuf = ISC_LIST_HEAD(m->scratchpad);
+ if (dynbuf != NULL) {
+ ISC_LIST_UNLINK(m->scratchpad, dynbuf, link);
+ isc_buffer_free(&dynbuf);
+ }
+ if (m->namepool != NULL)
+ isc_mempool_destroy(&m->namepool);
+ if (m->rdspool != NULL)
+ isc_mempool_destroy(&m->rdspool);
+ m->magic = 0;
+ isc_mem_put(mctx, m, sizeof(dns_message_t));
+
+ return (ISC_R_NOMEMORY);
+}
+
+void
+dns_message_reset(dns_message_t *msg, unsigned int intent) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(intent == DNS_MESSAGE_INTENTPARSE
+ || intent == DNS_MESSAGE_INTENTRENDER);
+
+ msgreset(msg, ISC_FALSE);
+ msg->from_to_wire = intent;
+}
+
+void
+dns_message_destroy(dns_message_t **msgp) {
+ dns_message_t *msg;
+
+ REQUIRE(msgp != NULL);
+ REQUIRE(DNS_MESSAGE_VALID(*msgp));
+
+ msg = *msgp;
+ *msgp = NULL;
+
+ msgreset(msg, ISC_TRUE);
+ isc_mempool_destroy(&msg->namepool);
+ isc_mempool_destroy(&msg->rdspool);
+ msg->magic = 0;
+ isc_mem_put(msg->mctx, msg, sizeof(dns_message_t));
+}
+
+static isc_result_t
+findname(dns_name_t **foundname, dns_name_t *target,
+ dns_namelist_t *section)
+{
+ dns_name_t *curr;
+
+ for (curr = ISC_LIST_TAIL(*section);
+ curr != NULL;
+ curr = ISC_LIST_PREV(curr, link)) {
+ if (dns_name_equal(curr, target)) {
+ if (foundname != NULL)
+ *foundname = curr;
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_message_findtype(dns_name_t *name, dns_rdatatype_t type,
+ dns_rdatatype_t covers, dns_rdataset_t **rdataset)
+{
+ dns_rdataset_t *curr;
+
+ if (rdataset != NULL) {
+ REQUIRE(*rdataset == NULL);
+ }
+
+ for (curr = ISC_LIST_TAIL(name->list);
+ curr != NULL;
+ curr = ISC_LIST_PREV(curr, link)) {
+ if (curr->type == type && curr->covers == covers) {
+ if (rdataset != NULL)
+ *rdataset = curr;
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+/*
+ * Read a name from buffer "source".
+ */
+static isc_result_t
+getname(dns_name_t *name, isc_buffer_t *source, dns_message_t *msg,
+ dns_decompress_t *dctx)
+{
+ isc_buffer_t *scratch;
+ isc_result_t result;
+ unsigned int tries;
+
+ scratch = currentbuffer(msg);
+
+ /*
+ * First try: use current buffer.
+ * Second try: allocate a new buffer and use that.
+ */
+ tries = 0;
+ while (tries < 2) {
+ result = dns_name_fromwire(name, source, dctx, ISC_FALSE,
+ scratch);
+
+ if (result == ISC_R_NOSPACE) {
+ tries++;
+
+ result = newbuffer(msg, SCRATCHPAD_SIZE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ scratch = currentbuffer(msg);
+ dns_name_reset(name);
+ } else {
+ return (result);
+ }
+ }
+
+ INSIST(0); /* Cannot get here... */
+ return (ISC_R_UNEXPECTED);
+}
+
+static isc_result_t
+getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+ unsigned int rdatalen, dns_rdata_t *rdata)
+{
+ isc_buffer_t *scratch;
+ isc_result_t result;
+ unsigned int tries;
+ unsigned int trysize;
+
+ scratch = currentbuffer(msg);
+
+ isc_buffer_setactive(source, rdatalen);
+
+ /*
+ * First try: use current buffer.
+ * Second try: allocate a new buffer of size
+ * max(SCRATCHPAD_SIZE, 2 * compressed_rdatalen)
+ * (the data will fit if it was not more than 50% compressed)
+ * Subsequent tries: double buffer size on each try.
+ */
+ tries = 0;
+ trysize = 0;
+ /* XXX possibly change this to a while (tries < 2) loop */
+ for (;;) {
+ result = dns_rdata_fromwire(rdata, rdclass, rdtype,
+ source, dctx, 0,
+ scratch);
+
+ if (result == ISC_R_NOSPACE) {
+ if (tries == 0) {
+ trysize = 2 * rdatalen;
+ if (trysize < SCRATCHPAD_SIZE)
+ trysize = SCRATCHPAD_SIZE;
+ } else {
+ INSIST(trysize != 0);
+ if (trysize >= 65535)
+ return (ISC_R_NOSPACE);
+ /* XXX DNS_R_RRTOOLONG? */
+ trysize *= 2;
+ }
+ tries++;
+ result = newbuffer(msg, trysize);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ scratch = currentbuffer(msg);
+ } else {
+ return (result);
+ }
+ }
+}
+
+#define DO_FORMERR \
+ do { \
+ if (best_effort) \
+ seen_problem = ISC_TRUE; \
+ else { \
+ result = DNS_R_FORMERR; \
+ goto cleanup; \
+ } \
+ } while (0)
+
+static isc_result_t
+getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ unsigned int options)
+{
+ isc_region_t r;
+ unsigned int count;
+ dns_name_t *name;
+ dns_name_t *name2;
+ dns_offsets_t *offsets;
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ isc_result_t result;
+ dns_rdatatype_t rdtype;
+ dns_rdataclass_t rdclass;
+ dns_namelist_t *section;
+ isc_boolean_t free_name;
+ isc_boolean_t best_effort;
+ isc_boolean_t seen_problem;
+
+ section = &msg->sections[DNS_SECTION_QUESTION];
+
+ best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ seen_problem = ISC_FALSE;
+
+ name = NULL;
+ rdataset = NULL;
+ rdatalist = NULL;
+
+ for (count = 0; count < msg->counts[DNS_SECTION_QUESTION]; count++) {
+ name = isc_mempool_get(msg->namepool);
+ if (name == NULL)
+ return (ISC_R_NOMEMORY);
+ free_name = ISC_TRUE;
+
+ offsets = newoffsets(msg);
+ if (offsets == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ dns_name_init(name, *offsets);
+
+ /*
+ * Parse the name out of this packet.
+ */
+ isc_buffer_remainingregion(source, &r);
+ isc_buffer_setactive(source, r.length);
+ result = getname(name, source, msg, dctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Run through the section, looking to see if this name
+ * is already there. If it is found, put back the allocated
+ * name since we no longer need it, and set our name pointer
+ * to point to the name we found.
+ */
+ result = findname(&name2, name, section);
+
+ /*
+ * If it is the first name in the section, accept it.
+ *
+ * If it is not, but is not the same as the name already
+ * in the question section, append to the section. Note that
+ * here in the question section this is illegal, so return
+ * FORMERR. In the future, check the opcode to see if
+ * this should be legal or not. In either case we no longer
+ * need this name pointer.
+ */
+ if (result != ISC_R_SUCCESS) {
+ if (!ISC_LIST_EMPTY(*section))
+ DO_FORMERR;
+ ISC_LIST_APPEND(*section, name, link);
+ free_name = ISC_FALSE;
+ } else {
+ isc_mempool_put(msg->namepool, name);
+ name = name2;
+ name2 = NULL;
+ free_name = ISC_FALSE;
+ }
+
+ /*
+ * Get type and class.
+ */
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < 4) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto cleanup;
+ }
+ rdtype = isc_buffer_getuint16(source);
+ rdclass = isc_buffer_getuint16(source);
+
+ /*
+ * If this class is different than the one we already read,
+ * this is an error.
+ */
+ if (msg->state == DNS_SECTION_ANY) {
+ msg->state = DNS_SECTION_QUESTION;
+ msg->rdclass = rdclass;
+ } else if (msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
+ * Can't ask the same question twice.
+ */
+ result = dns_message_findtype(name, rdtype, 0, NULL);
+ if (result == ISC_R_SUCCESS)
+ DO_FORMERR;
+
+ /*
+ * Allocate a new rdatalist.
+ */
+ rdatalist = newrdatalist(msg);
+ if (rdatalist == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ rdataset = isc_mempool_get(msg->rdspool);
+ if (rdataset == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ /*
+ * Convert rdatalist to rdataset, and attach the latter to
+ * the name.
+ */
+ rdatalist->type = rdtype;
+ rdatalist->covers = 0;
+ rdatalist->rdclass = rdclass;
+ rdatalist->ttl = 0;
+ ISC_LIST_INIT(rdatalist->rdata);
+
+ dns_rdataset_init(rdataset);
+ result = dns_rdatalist_tordataset(rdatalist, rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ rdataset = NULL;
+ }
+
+ if (seen_problem)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (rdataset != NULL) {
+ INSIST(!dns_rdataset_isassociated(rdataset));
+ isc_mempool_put(msg->rdspool, rdataset);
+ }
+#if 0
+ if (rdatalist != NULL)
+ isc_mempool_put(msg->rdlpool, rdatalist);
+#endif
+ if (free_name)
+ isc_mempool_put(msg->namepool, name);
+
+ return (result);
+}
+
+static isc_boolean_t
+update(dns_section_t section, dns_rdataclass_t rdclass) {
+ if (section == DNS_SECTION_PREREQUISITE)
+ return (ISC_TF(rdclass == dns_rdataclass_any ||
+ rdclass == dns_rdataclass_none));
+ if (section == DNS_SECTION_UPDATE)
+ return (ISC_TF(rdclass == dns_rdataclass_any));
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+ dns_section_t sectionid, unsigned int options)
+{
+ isc_region_t r;
+ unsigned int count, rdatalen;
+ dns_name_t *name;
+ dns_name_t *name2;
+ dns_offsets_t *offsets;
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ isc_result_t result;
+ dns_rdatatype_t rdtype, covers;
+ dns_rdataclass_t rdclass;
+ dns_rdata_t *rdata;
+ dns_ttl_t ttl;
+ dns_namelist_t *section;
+ isc_boolean_t free_name, free_rdataset;
+ isc_boolean_t preserve_order, best_effort, seen_problem;
+ isc_boolean_t issigzero;
+
+ preserve_order = ISC_TF(options & DNS_MESSAGEPARSE_PRESERVEORDER);
+ best_effort = ISC_TF(options & DNS_MESSAGEPARSE_BESTEFFORT);
+ seen_problem = ISC_FALSE;
+
+ for (count = 0; count < msg->counts[sectionid]; count++) {
+ int recstart = source->current;
+ isc_boolean_t skip_name_search, skip_type_search;
+
+ section = &msg->sections[sectionid];
+
+ skip_name_search = ISC_FALSE;
+ skip_type_search = ISC_FALSE;
+ free_name = ISC_FALSE;
+ free_rdataset = ISC_FALSE;
+
+ name = isc_mempool_get(msg->namepool);
+ if (name == NULL)
+ return (ISC_R_NOMEMORY);
+ free_name = ISC_TRUE;
+
+ offsets = newoffsets(msg);
+ if (offsets == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ dns_name_init(name, *offsets);
+
+ /*
+ * Parse the name out of this packet.
+ */
+ isc_buffer_remainingregion(source, &r);
+ isc_buffer_setactive(source, r.length);
+ result = getname(name, source, msg, dctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Get type, class, ttl, and rdatalen. Verify that at least
+ * rdatalen bytes remain. (Some of this is deferred to
+ * later.)
+ */
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < 2 + 2 + 4 + 2) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto cleanup;
+ }
+ rdtype = isc_buffer_getuint16(source);
+ rdclass = isc_buffer_getuint16(source);
+
+ /*
+ * If there was no question section, we may not yet have
+ * established a class. Do so now.
+ */
+ if (msg->state == DNS_SECTION_ANY &&
+ rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
+ rdtype != dns_rdatatype_tsig && /* class is ANY */
+ rdtype != dns_rdatatype_tkey) { /* class is undefined */
+ msg->rdclass = rdclass;
+ msg->state = DNS_SECTION_QUESTION;
+ }
+
+ /*
+ * If this class is different than the one in the question
+ * section, bail.
+ */
+ if (msg->opcode != dns_opcode_update
+ && rdtype != dns_rdatatype_tsig
+ && rdtype != dns_rdatatype_opt
+ && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+ && rdtype != dns_rdatatype_sig /* SIG(0) */
+ && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
+ && msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
+ * Special type handling for TSIG, OPT, and TKEY.
+ */
+ if (rdtype == dns_rdatatype_tsig) {
+ /*
+ * If it is a tsig, verify that it is in the
+ * additional data section.
+ */
+ if (sectionid != DNS_SECTION_ADDITIONAL ||
+ rdclass != dns_rdataclass_any ||
+ count != msg->counts[sectionid] - 1)
+ DO_FORMERR;
+ msg->sigstart = recstart;
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ } else if (rdtype == dns_rdatatype_opt) {
+ /*
+ * The name of an OPT record must be ".", it
+ * must be in the additional data section, and
+ * it must be the first OPT we've seen.
+ */
+ if (!dns_name_equal(dns_rootname, name) ||
+ msg->opt != NULL)
+ DO_FORMERR;
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ } else if (rdtype == dns_rdatatype_tkey) {
+ /*
+ * A TKEY must be in the additional section if this
+ * is a query, and the answer section if this is a
+ * response. Unless it's a Win2000 client.
+ *
+ * Its class is ignored.
+ */
+ dns_section_t tkeysection;
+
+ if ((msg->flags & DNS_MESSAGEFLAG_QR) == 0)
+ tkeysection = DNS_SECTION_ADDITIONAL;
+ else
+ tkeysection = DNS_SECTION_ANSWER;
+ if (sectionid != tkeysection &&
+ sectionid != DNS_SECTION_ANSWER)
+ DO_FORMERR;
+ }
+
+ /*
+ * ... now get ttl and rdatalen, and check buffer.
+ */
+ ttl = isc_buffer_getuint32(source);
+ rdatalen = isc_buffer_getuint16(source);
+ r.length -= (2 + 2 + 4 + 2);
+ if (r.length < rdatalen) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto cleanup;
+ }
+
+ /*
+ * Read the rdata from the wire format. Interpret the
+ * rdata according to its actual class, even if it had a
+ * DynDNS meta-class in the packet (unless this is a TSIG).
+ * Then put the meta-class back into the finished rdata.
+ */
+ rdata = newrdata(msg);
+ if (rdata == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ if (msg->opcode == dns_opcode_update &&
+ update(sectionid, rdclass)) {
+ if (rdatalen != 0) {
+ result = DNS_R_FORMERR;
+ goto cleanup;
+ }
+ /*
+ * When the rdata is empty, the data pointer is
+ * never dereferenced, but it must still be non-NULL.
+ * Casting 1 rather than "" avoids warnings about
+ * discarding the const attribute of a string,
+ * for compilers that would warn about such things.
+ */
+ rdata->data = (unsigned char *)1;
+ rdata->length = 0;
+ rdata->rdclass = rdclass;
+ rdata->type = rdtype;
+ rdata->flags = DNS_RDATA_UPDATE;
+ result = ISC_R_SUCCESS;
+ } else if (rdtype == dns_rdatatype_tsig)
+ result = getrdata(source, msg, dctx, rdclass,
+ rdtype, rdatalen, rdata);
+ else
+ result = getrdata(source, msg, dctx, msg->rdclass,
+ rdtype, rdatalen, rdata);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ rdata->rdclass = rdclass;
+ issigzero = ISC_FALSE;
+ if (rdtype == dns_rdatatype_rrsig &&
+ rdata->flags == 0) {
+ covers = dns_rdata_covers(rdata);
+ if (covers == 0)
+ DO_FORMERR;
+ } else if (rdtype == dns_rdatatype_sig /* SIG(0) */ &&
+ rdata->flags == 0) {
+ covers = dns_rdata_covers(rdata);
+ if (covers == 0) {
+ if (sectionid != DNS_SECTION_ADDITIONAL ||
+ count != msg->counts[sectionid] - 1)
+ DO_FORMERR;
+ msg->sigstart = recstart;
+ skip_name_search = ISC_TRUE;
+ skip_type_search = ISC_TRUE;
+ issigzero = ISC_TRUE;
+ }
+ } else
+ covers = 0;
+
+ /*
+ * If we are doing a dynamic update or this is a meta-type,
+ * don't bother searching for a name, just append this one
+ * to the end of the message.
+ */
+ if (preserve_order || msg->opcode == dns_opcode_update ||
+ skip_name_search) {
+ if (rdtype != dns_rdatatype_opt &&
+ rdtype != dns_rdatatype_tsig &&
+ !issigzero)
+ {
+ ISC_LIST_APPEND(*section, name, link);
+ free_name = ISC_FALSE;
+ }
+ } else {
+ /*
+ * Run through the section, looking to see if this name
+ * is already there. If it is found, put back the
+ * allocated name since we no longer need it, and set
+ * our name pointer to point to the name we found.
+ */
+ result = findname(&name2, name, section);
+
+ /*
+ * If it is a new name, append to the section.
+ */
+ if (result == ISC_R_SUCCESS) {
+ isc_mempool_put(msg->namepool, name);
+ name = name2;
+ } else {
+ ISC_LIST_APPEND(*section, name, link);
+ }
+ free_name = ISC_FALSE;
+ }
+
+ /*
+ * Search name for the particular type and class.
+ * Skip this stage if in update mode or this is a meta-type.
+ */
+ if (preserve_order || msg->opcode == dns_opcode_update ||
+ skip_type_search)
+ result = ISC_R_NOTFOUND;
+ else {
+ /*
+ * If this is a type that can only occur in
+ * the question section, fail.
+ */
+ if (dns_rdatatype_questiononly(rdtype))
+ DO_FORMERR;
+
+ rdataset = NULL;
+ result = dns_message_findtype(name, rdtype, covers,
+ &rdataset);
+ }
+
+ /*
+ * If we found an rdataset that matches, we need to
+ * append this rdata to that set. If we did not, we need
+ * to create a new rdatalist, store the important bits there,
+ * convert it to an rdataset, and link the latter to the name.
+ * Yuck. When appending, make certain that the type isn't
+ * a singleton type, such as SOA or CNAME.
+ *
+ * Note that this check will be bypassed when preserving order,
+ * the opcode is an update, or the type search is skipped.
+ */
+ if (result == ISC_R_SUCCESS) {
+ if (dns_rdatatype_issingleton(rdtype))
+ DO_FORMERR;
+ }
+
+ if (result == ISC_R_NOTFOUND) {
+ rdataset = isc_mempool_get(msg->rdspool);
+ if (rdataset == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ free_rdataset = ISC_TRUE;
+
+ rdatalist = newrdatalist(msg);
+ if (rdatalist == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+
+ rdatalist->type = rdtype;
+ rdatalist->covers = covers;
+ rdatalist->rdclass = rdclass;
+ rdatalist->ttl = ttl;
+ ISC_LIST_INIT(rdatalist->rdata);
+
+ dns_rdataset_init(rdataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist,
+ rdataset)
+ == ISC_R_SUCCESS);
+
+ if (rdtype != dns_rdatatype_opt &&
+ rdtype != dns_rdatatype_tsig &&
+ !issigzero)
+ {
+ ISC_LIST_APPEND(name->list, rdataset, link);
+ free_rdataset = ISC_FALSE;
+ }
+ }
+
+ /*
+ * Minimize TTLs.
+ *
+ * Section 5.2 of RFC 2181 says we should drop
+ * nonauthoritative rrsets where the TTLs differ, but we
+ * currently treat them the as if they were authoritative and
+ * minimize them.
+ */
+ if (ttl != rdataset->ttl) {
+ rdataset->attributes |= DNS_RDATASETATTR_TTLADJUSTED;
+ if (ttl < rdataset->ttl)
+ rdataset->ttl = ttl;
+ }
+
+ /*
+ * XXXMLG Perform a totally ugly hack here to pull
+ * the rdatalist out of the private field in the rdataset,
+ * and append this rdata to the rdatalist's linked list
+ * of rdata.
+ */
+ rdatalist = (dns_rdatalist_t *)(rdataset->private1);
+
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+
+ /*
+ * If this is an OPT record, remember it. Also, set
+ * the extended rcode. Note that msg->opt will only be set
+ * if best-effort parsing is enabled.
+ */
+ if (rdtype == dns_rdatatype_opt && msg->opt == NULL) {
+ dns_rcode_t ercode;
+
+ msg->opt = rdataset;
+ rdataset = NULL;
+ free_rdataset = ISC_FALSE;
+ ercode = (dns_rcode_t)
+ ((msg->opt->ttl & DNS_MESSAGE_EDNSRCODE_MASK)
+ >> 20);
+ msg->rcode |= ercode;
+ isc_mempool_put(msg->namepool, name);
+ free_name = ISC_FALSE;
+ }
+
+ /*
+ * If this is an SIG(0) or TSIG record, remember it. Note
+ * that msg->sig0 or msg->tsig will only be set if best-effort
+ * parsing is enabled.
+ */
+ if (issigzero && msg->sig0 == NULL) {
+ msg->sig0 = rdataset;
+ msg->sig0name = name;
+ rdataset = NULL;
+ free_rdataset = ISC_FALSE;
+ free_name = ISC_FALSE;
+ } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
+ msg->tsig = rdataset;
+ msg->tsigname = name;
+ rdataset = NULL;
+ free_rdataset = ISC_FALSE;
+ free_name = ISC_FALSE;
+ }
+
+ INSIST(free_name == ISC_FALSE);
+ INSIST(free_rdataset == ISC_FALSE);
+ }
+
+ if (seen_problem)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (free_name)
+ isc_mempool_put(msg->namepool, name);
+ if (free_rdataset)
+ isc_mempool_put(msg->rdspool, rdataset);
+
+ return (result);
+}
+
+isc_result_t
+dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
+ unsigned int options)
+{
+ isc_region_t r;
+ dns_decompress_t dctx;
+ isc_result_t ret;
+ isc_uint16_t tmpflags;
+ isc_buffer_t origsource;
+ isc_boolean_t seen_problem;
+ isc_boolean_t ignore_tc;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(source != NULL);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+ seen_problem = ISC_FALSE;
+ ignore_tc = ISC_TF(options & DNS_MESSAGEPARSE_IGNORETRUNCATION);
+
+ origsource = *source;
+
+ msg->header_ok = 0;
+ msg->question_ok = 0;
+
+ isc_buffer_remainingregion(source, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+
+ msg->id = isc_buffer_getuint16(source);
+ tmpflags = isc_buffer_getuint16(source);
+ msg->opcode = ((tmpflags & DNS_MESSAGE_OPCODE_MASK)
+ >> DNS_MESSAGE_OPCODE_SHIFT);
+ msg->rcode = (dns_rcode_t)(tmpflags & DNS_MESSAGE_RCODE_MASK);
+ msg->flags = (tmpflags & DNS_MESSAGE_FLAG_MASK);
+ msg->counts[DNS_SECTION_QUESTION] = isc_buffer_getuint16(source);
+ msg->counts[DNS_SECTION_ANSWER] = isc_buffer_getuint16(source);
+ msg->counts[DNS_SECTION_AUTHORITY] = isc_buffer_getuint16(source);
+ msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
+
+ msg->header_ok = 1;
+
+ /*
+ * -1 means no EDNS.
+ */
+ dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_ANY);
+
+ dns_decompress_setmethods(&dctx, DNS_COMPRESS_GLOBAL14);
+
+ ret = getquestions(source, msg, &dctx, options);
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ goto truncated;
+ if (ret == DNS_R_RECOVERABLE) {
+ seen_problem = ISC_TRUE;
+ ret = ISC_R_SUCCESS;
+ }
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ msg->question_ok = 1;
+
+ ret = getsection(source, msg, &dctx, DNS_SECTION_ANSWER, options);
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ goto truncated;
+ if (ret == DNS_R_RECOVERABLE) {
+ seen_problem = ISC_TRUE;
+ ret = ISC_R_SUCCESS;
+ }
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ ret = getsection(source, msg, &dctx, DNS_SECTION_AUTHORITY, options);
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ goto truncated;
+ if (ret == DNS_R_RECOVERABLE) {
+ seen_problem = ISC_TRUE;
+ ret = ISC_R_SUCCESS;
+ }
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ ret = getsection(source, msg, &dctx, DNS_SECTION_ADDITIONAL, options);
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ goto truncated;
+ if (ret == DNS_R_RECOVERABLE) {
+ seen_problem = ISC_TRUE;
+ ret = ISC_R_SUCCESS;
+ }
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ isc_buffer_remainingregion(source, &r);
+ if (r.length != 0) {
+ isc_log_write(dns_lctx, ISC_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_MESSAGE, ISC_LOG_DEBUG(3),
+ "message has %u byte(s) of trailing garbage",
+ r.length);
+ }
+
+ truncated:
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
+ isc_buffer_usedregion(&origsource, &msg->saved);
+ else {
+ msg->saved.length = isc_buffer_usedlength(&origsource);
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
+ if (msg->saved.base == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(msg->saved.base, isc_buffer_base(&origsource),
+ msg->saved.length);
+ msg->free_saved = 1;
+ }
+
+ if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
+ return (DNS_R_RECOVERABLE);
+ if (seen_problem == ISC_TRUE)
+ return (DNS_R_RECOVERABLE);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
+ isc_buffer_t *buffer)
+{
+ isc_region_t r;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(buffer != NULL);
+ REQUIRE(msg->buffer == NULL);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+ msg->cctx = cctx;
+
+ /*
+ * Erase the contents of this buffer.
+ */
+ isc_buffer_clear(buffer);
+
+ /*
+ * Make certain there is enough for at least the header in this
+ * buffer.
+ */
+ isc_buffer_availableregion(buffer, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_NOSPACE);
+
+ if (r.length < msg->reserved)
+ return (ISC_R_NOSPACE);
+
+ /*
+ * Reserve enough space for the header in this buffer.
+ */
+ isc_buffer_add(buffer, DNS_MESSAGE_HEADERLEN);
+
+ msg->buffer = buffer;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_renderchangebuffer(dns_message_t *msg, isc_buffer_t *buffer) {
+ isc_region_t r, rn;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(buffer != NULL);
+ REQUIRE(msg->buffer != NULL);
+
+ /*
+ * Ensure that the new buffer is empty, and has enough space to
+ * hold the current contents.
+ */
+ isc_buffer_clear(buffer);
+
+ isc_buffer_availableregion(buffer, &rn);
+ isc_buffer_usedregion(msg->buffer, &r);
+ REQUIRE(rn.length > r.length);
+
+ /*
+ * Copy the contents from the old to the new buffer.
+ */
+ isc_buffer_add(buffer, r.length);
+ memcpy(rn.base, r.base, r.length);
+
+ msg->buffer = buffer;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderrelease(dns_message_t *msg, unsigned int space) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(space <= msg->reserved);
+
+ msg->reserved -= space;
+}
+
+isc_result_t
+dns_message_renderreserve(dns_message_t *msg, unsigned int space) {
+ isc_region_t r;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+ if (msg->buffer != NULL) {
+ isc_buffer_availableregion(msg->buffer, &r);
+ if (r.length < (space + msg->reserved))
+ return (ISC_R_NOSPACE);
+ }
+
+ msg->reserved += space;
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+wrong_priority(dns_rdataset_t *rds, int pass, dns_rdatatype_t preferred_glue) {
+ int pass_needed;
+
+ /*
+ * If we are not rendering class IN, this ordering is bogus.
+ */
+ if (rds->rdclass != dns_rdataclass_in)
+ return (ISC_FALSE);
+
+ switch (rds->type) {
+ case dns_rdatatype_a:
+ case dns_rdatatype_aaaa:
+ if (preferred_glue == rds->type)
+ pass_needed = 4;
+ else
+ pass_needed = 3;
+ break;
+ case dns_rdatatype_rrsig:
+ case dns_rdatatype_dnskey:
+ pass_needed = 2;
+ break;
+ default:
+ pass_needed = 1;
+ }
+
+ if (pass_needed >= pass)
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+isc_result_t
+dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ unsigned int options)
+{
+ dns_namelist_t *section;
+ dns_name_t *name, *next_name;
+ dns_rdataset_t *rdataset, *next_rdataset;
+ unsigned int count, total;
+ isc_result_t result;
+ isc_buffer_t st; /* for rollbacks */
+ int pass;
+ isc_boolean_t partial = ISC_FALSE;
+ unsigned int rd_options;
+ dns_rdatatype_t preferred_glue = 0;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->buffer != NULL);
+ REQUIRE(VALID_NAMED_SECTION(sectionid));
+
+ section = &msg->sections[sectionid];
+
+ if ((sectionid == DNS_SECTION_ADDITIONAL)
+ && (options & DNS_MESSAGERENDER_ORDERED) == 0) {
+ if ((options & DNS_MESSAGERENDER_PREFER_A) != 0) {
+ preferred_glue = dns_rdatatype_a;
+ pass = 4;
+ } else if ((options & DNS_MESSAGERENDER_PREFER_AAAA) != 0) {
+ preferred_glue = dns_rdatatype_aaaa;
+ pass = 4;
+ } else
+ pass = 3;
+ } else
+ pass = 1;
+
+ if ((options & DNS_MESSAGERENDER_OMITDNSSEC) == 0)
+ rd_options = 0;
+ else
+ rd_options = DNS_RDATASETTOWIRE_OMITDNSSEC;
+
+ /*
+ * Shrink the space in the buffer by the reserved amount.
+ */
+ msg->buffer->length -= msg->reserved;
+
+ total = 0;
+ if (msg->reserved == 0 && (options & DNS_MESSAGERENDER_PARTIAL) != 0)
+ partial = ISC_TRUE;
+
+ do {
+ name = ISC_LIST_HEAD(*section);
+ if (name == NULL) {
+ msg->buffer->length += msg->reserved;
+ msg->counts[sectionid] += total;
+ return (ISC_R_SUCCESS);
+ }
+
+ while (name != NULL) {
+ next_name = ISC_LIST_NEXT(name, link);
+
+ rdataset = ISC_LIST_HEAD(name->list);
+ while (rdataset != NULL) {
+ next_rdataset = ISC_LIST_NEXT(rdataset, link);
+
+ if ((rdataset->attributes &
+ DNS_RDATASETATTR_RENDERED) != 0)
+ goto next;
+
+ if (((options & DNS_MESSAGERENDER_ORDERED)
+ == 0)
+ && (sectionid == DNS_SECTION_ADDITIONAL)
+ && wrong_priority(rdataset, pass,
+ preferred_glue))
+ goto next;
+
+ st = *(msg->buffer);
+
+ count = 0;
+ if (partial)
+ result = dns_rdataset_towirepartial(
+ rdataset,
+ name,
+ msg->cctx,
+ msg->buffer,
+ msg->order,
+ msg->order_arg,
+ rd_options,
+ &count,
+ NULL);
+ else
+ result = dns_rdataset_towiresorted(
+ rdataset,
+ name,
+ msg->cctx,
+ msg->buffer,
+ msg->order,
+ msg->order_arg,
+ rd_options,
+ &count);
+
+ total += count;
+
+ /*
+ * If out of space, record stats on what we
+ * rendered so far, and return that status.
+ *
+ * XXXMLG Need to change this when
+ * dns_rdataset_towire() can render partial
+ * sets starting at some arbitary point in the
+ * set. This will include setting a bit in the
+ * rdataset to indicate that a partial
+ * rendering was done, and some state saved
+ * somewhere (probably in the message struct)
+ * to indicate where to continue from.
+ */
+ if (partial && result == ISC_R_NOSPACE) {
+ msg->buffer->length += msg->reserved;
+ msg->counts[sectionid] += total;
+ return (result);
+ }
+ if (result != ISC_R_SUCCESS) {
+ INSIST(st.used < 65536);
+ dns_compress_rollback(msg->cctx,
+ (isc_uint16_t)st.used);
+ *(msg->buffer) = st; /* rollback */
+ msg->buffer->length += msg->reserved;
+ msg->counts[sectionid] += total;
+ return (result);
+ }
+
+ /*
+ * If we have rendered non-validated data,
+ * ensure that the AD bit is not set.
+ */
+ if (rdataset->trust != dns_trust_secure &&
+ (sectionid == DNS_SECTION_ANSWER ||
+ sectionid == DNS_SECTION_AUTHORITY))
+ msg->flags &= ~DNS_MESSAGEFLAG_AD;
+
+ rdataset->attributes |=
+ DNS_RDATASETATTR_RENDERED;
+
+ next:
+ rdataset = next_rdataset;
+ }
+
+ name = next_name;
+ }
+ } while (--pass != 0);
+
+ msg->buffer->length += msg->reserved;
+ msg->counts[sectionid] += total;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderheader(dns_message_t *msg, isc_buffer_t *target) {
+ isc_uint16_t tmp;
+ isc_region_t r;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(target != NULL);
+
+ isc_buffer_availableregion(target, &r);
+ REQUIRE(r.length >= DNS_MESSAGE_HEADERLEN);
+
+ isc_buffer_putuint16(target, msg->id);
+
+ tmp = ((msg->opcode << DNS_MESSAGE_OPCODE_SHIFT)
+ & DNS_MESSAGE_OPCODE_MASK);
+ tmp |= (msg->rcode & DNS_MESSAGE_RCODE_MASK);
+ tmp |= (msg->flags & DNS_MESSAGE_FLAG_MASK);
+
+ INSIST(msg->counts[DNS_SECTION_QUESTION] < 65536 &&
+ msg->counts[DNS_SECTION_ANSWER] < 65536 &&
+ msg->counts[DNS_SECTION_AUTHORITY] < 65536 &&
+ msg->counts[DNS_SECTION_ADDITIONAL] < 65536);
+
+ isc_buffer_putuint16(target, tmp);
+ isc_buffer_putuint16(target,
+ (isc_uint16_t)msg->counts[DNS_SECTION_QUESTION]);
+ isc_buffer_putuint16(target,
+ (isc_uint16_t)msg->counts[DNS_SECTION_ANSWER]);
+ isc_buffer_putuint16(target,
+ (isc_uint16_t)msg->counts[DNS_SECTION_AUTHORITY]);
+ isc_buffer_putuint16(target,
+ (isc_uint16_t)msg->counts[DNS_SECTION_ADDITIONAL]);
+}
+
+isc_result_t
+dns_message_renderend(dns_message_t *msg) {
+ isc_buffer_t tmpbuf;
+ isc_region_t r;
+ int result;
+ unsigned int count;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->buffer != NULL);
+
+ if ((msg->rcode & ~DNS_MESSAGE_RCODE_MASK) != 0 && msg->opt == NULL) {
+ /*
+ * We have an extended rcode but are not using EDNS.
+ */
+ return (DNS_R_FORMERR);
+ }
+
+ /*
+ * If we've got an OPT record, render it.
+ */
+ if (msg->opt != NULL) {
+ dns_message_renderrelease(msg, msg->opt_reserved);
+ msg->opt_reserved = 0;
+ /*
+ * Set the extended rcode.
+ */
+ msg->opt->ttl &= ~DNS_MESSAGE_EDNSRCODE_MASK;
+ msg->opt->ttl |= ((msg->rcode << 20) &
+ DNS_MESSAGE_EDNSRCODE_MASK);
+ /*
+ * Render.
+ */
+ count = 0;
+ result = dns_rdataset_towire(msg->opt, dns_rootname,
+ msg->cctx, msg->buffer, 0,
+ &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ /*
+ * If we're adding a TSIG or SIG(0) to a truncated message,
+ * clear all rdatasets from the message except for the question
+ * before adding the TSIG or SIG(0). If the question doesn't fit,
+ * don't include it.
+ */
+ if ((msg->tsigkey != NULL || msg->sig0key != NULL) &&
+ (msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+ {
+ isc_buffer_t *buf;
+
+ msgresetnames(msg, DNS_SECTION_ANSWER);
+ buf = msg->buffer;
+ dns_message_renderreset(msg);
+ msg->buffer = buf;
+ isc_buffer_clear(msg->buffer);
+ isc_buffer_add(msg->buffer, DNS_MESSAGE_HEADERLEN);
+ dns_compress_rollback(msg->cctx, 0);
+ result = dns_message_rendersection(msg, DNS_SECTION_QUESTION,
+ 0);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOSPACE)
+ return (result);
+ }
+
+ /*
+ * If we're adding a TSIG record, generate and render it.
+ */
+ if (msg->tsigkey != NULL) {
+ dns_message_renderrelease(msg, msg->sig_reserved);
+ msg->sig_reserved = 0;
+ result = dns_tsig_sign(msg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ count = 0;
+ result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+ msg->cctx, msg->buffer, 0,
+ &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ /*
+ * If we're adding a SIG(0) record, generate and render it.
+ */
+ if (msg->sig0key != NULL) {
+ dns_message_renderrelease(msg, msg->sig_reserved);
+ msg->sig_reserved = 0;
+ result = dns_dnssec_signmessage(msg, msg->sig0key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ count = 0;
+ /*
+ * Note: dns_rootname is used here, not msg->sig0name, since
+ * the owner name of a SIG(0) is irrelevant, and will not
+ * be set in a message being rendered.
+ */
+ result = dns_rdataset_towire(msg->sig0, dns_rootname,
+ msg->cctx, msg->buffer, 0,
+ &count);
+ msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ isc_buffer_usedregion(msg->buffer, &r);
+ isc_buffer_init(&tmpbuf, r.base, r.length);
+
+ dns_message_renderheader(msg, &tmpbuf);
+
+ msg->buffer = NULL; /* forget about this buffer only on success XXX */
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_renderreset(dns_message_t *msg) {
+ unsigned int i;
+ dns_name_t *name;
+ dns_rdataset_t *rds;
+
+ /*
+ * Reset the message so that it may be rendered again.
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+
+ msg->buffer = NULL;
+
+ for (i = 0; i < DNS_SECTION_MAX; i++) {
+ msg->cursors[i] = NULL;
+ msg->counts[i] = 0;
+ for (name = ISC_LIST_HEAD(msg->sections[i]);
+ name != NULL;
+ name = ISC_LIST_NEXT(name, link)) {
+ for (rds = ISC_LIST_HEAD(name->list);
+ rds != NULL;
+ rds = ISC_LIST_NEXT(rds, link)) {
+ rds->attributes &= ~DNS_RDATASETATTR_RENDERED;
+ }
+ }
+ }
+ if (msg->tsigname != NULL)
+ dns_message_puttempname(msg, &msg->tsigname);
+ if (msg->tsig != NULL) {
+ dns_rdataset_disassociate(msg->tsig);
+ dns_message_puttemprdataset(msg, &msg->tsig);
+ }
+ if (msg->sig0 != NULL) {
+ dns_rdataset_disassociate(msg->sig0);
+ dns_message_puttemprdataset(msg, &msg->sig0);
+ }
+}
+
+isc_result_t
+dns_message_firstname(dns_message_t *msg, dns_section_t section) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(VALID_NAMED_SECTION(section));
+
+ msg->cursors[section] = ISC_LIST_HEAD(msg->sections[section]);
+
+ if (msg->cursors[section] == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_nextname(dns_message_t *msg, dns_section_t section) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(VALID_NAMED_SECTION(section));
+ REQUIRE(msg->cursors[section] != NULL);
+
+ msg->cursors[section] = ISC_LIST_NEXT(msg->cursors[section], link);
+
+ if (msg->cursors[section] == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_currentname(dns_message_t *msg, dns_section_t section,
+ dns_name_t **name)
+{
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(VALID_NAMED_SECTION(section));
+ REQUIRE(name != NULL && *name == NULL);
+ REQUIRE(msg->cursors[section] != NULL);
+
+ *name = msg->cursors[section];
+}
+
+isc_result_t
+dns_message_findname(dns_message_t *msg, dns_section_t section,
+ dns_name_t *target, dns_rdatatype_t type,
+ dns_rdatatype_t covers, dns_name_t **name,
+ dns_rdataset_t **rdataset)
+{
+ dns_name_t *foundname;
+ isc_result_t result;
+
+ /*
+ * XXX These requirements are probably too intensive, especially
+ * where things can be NULL, but as they are they ensure that if
+ * something is NON-NULL, indicating that the caller expects it
+ * to be filled in, that we can in fact fill it in.
+ */
+ REQUIRE(msg != NULL);
+ REQUIRE(VALID_SECTION(section));
+ REQUIRE(target != NULL);
+ if (name != NULL)
+ REQUIRE(*name == NULL);
+ if (type == dns_rdatatype_any) {
+ REQUIRE(rdataset == NULL);
+ } else {
+ if (rdataset != NULL)
+ REQUIRE(*rdataset == NULL);
+ }
+
+ result = findname(&foundname, target,
+ &msg->sections[section]);
+
+ if (result == ISC_R_NOTFOUND)
+ return (DNS_R_NXDOMAIN);
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (name != NULL)
+ *name = foundname;
+
+ /*
+ * And now look for the type.
+ */
+ if (type == dns_rdatatype_any)
+ return (ISC_R_SUCCESS);
+
+ result = dns_message_findtype(foundname, type, covers, rdataset);
+ if (result == ISC_R_NOTFOUND)
+ return (DNS_R_NXRRSET);
+
+ return (result);
+}
+
+void
+dns_message_movename(dns_message_t *msg, dns_name_t *name,
+ dns_section_t fromsection,
+ dns_section_t tosection)
+{
+ REQUIRE(msg != NULL);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+ REQUIRE(name != NULL);
+ REQUIRE(VALID_NAMED_SECTION(fromsection));
+ REQUIRE(VALID_NAMED_SECTION(tosection));
+
+ /*
+ * Unlink the name from the old section
+ */
+ ISC_LIST_UNLINK(msg->sections[fromsection], name, link);
+ ISC_LIST_APPEND(msg->sections[tosection], name, link);
+}
+
+void
+dns_message_addname(dns_message_t *msg, dns_name_t *name,
+ dns_section_t section)
+{
+ REQUIRE(msg != NULL);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+ REQUIRE(name != NULL);
+ REQUIRE(VALID_NAMED_SECTION(section));
+
+ ISC_LIST_APPEND(msg->sections[section], name, link);
+}
+
+isc_result_t
+dns_message_gettempname(dns_message_t *msg, dns_name_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item == NULL);
+
+ *item = isc_mempool_get(msg->namepool);
+ if (*item == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_init(*item, NULL);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettempoffsets(dns_message_t *msg, dns_offsets_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item == NULL);
+
+ *item = newoffsets(msg);
+ if (*item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdata(dns_message_t *msg, dns_rdata_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item == NULL);
+
+ *item = newrdata(msg);
+ if (*item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item == NULL);
+
+ *item = isc_mempool_get(msg->rdspool);
+ if (*item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dns_rdataset_init(*item);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_gettemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item == NULL);
+
+ *item = newrdatalist(msg);
+ if (*item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_message_puttempname(dns_message_t *msg, dns_name_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item != NULL);
+
+ if (dns_name_dynamic(*item))
+ dns_name_free(*item, msg->mctx);
+ isc_mempool_put(msg->namepool, *item);
+ *item = NULL;
+}
+
+void
+dns_message_puttemprdata(dns_message_t *msg, dns_rdata_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item != NULL);
+
+ releaserdata(msg, *item);
+ *item = NULL;
+}
+
+void
+dns_message_puttemprdataset(dns_message_t *msg, dns_rdataset_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item != NULL);
+
+ REQUIRE(!dns_rdataset_isassociated(*item));
+ isc_mempool_put(msg->rdspool, *item);
+ *item = NULL;
+}
+
+void
+dns_message_puttemprdatalist(dns_message_t *msg, dns_rdatalist_t **item) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(item != NULL && *item != NULL);
+
+ releaserdatalist(msg, *item);
+ *item = NULL;
+}
+
+isc_result_t
+dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
+ unsigned int *flagsp)
+{
+ isc_region_t r;
+ isc_buffer_t buffer;
+ dns_messageid_t id;
+ unsigned int flags;
+
+ REQUIRE(source != NULL);
+
+ buffer = *source;
+
+ isc_buffer_remainingregion(&buffer, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN)
+ return (ISC_R_UNEXPECTEDEND);
+
+ id = isc_buffer_getuint16(&buffer);
+ flags = isc_buffer_getuint16(&buffer);
+ flags &= DNS_MESSAGE_FLAG_MASK;
+
+ if (flagsp != NULL)
+ *flagsp = flags;
+ if (idp != NULL)
+ *idp = id;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
+ unsigned int first_section;
+ isc_result_t result;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE((msg->flags & DNS_MESSAGEFLAG_QR) == 0);
+
+ if (!msg->header_ok)
+ return (DNS_R_FORMERR);
+ if (msg->opcode != dns_opcode_query &&
+ msg->opcode != dns_opcode_notify)
+ want_question_section = ISC_FALSE;
+ if (want_question_section) {
+ if (!msg->question_ok)
+ return (DNS_R_FORMERR);
+ first_section = DNS_SECTION_ANSWER;
+ } else
+ first_section = DNS_SECTION_QUESTION;
+ msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
+ msgresetnames(msg, first_section);
+ msgresetopt(msg);
+ msgresetsigs(msg, ISC_TRUE);
+ msginitprivate(msg);
+ /*
+ * We now clear most flags and then set QR, ensuring that the
+ * reply's flags will be in a reasonable state.
+ */
+ msg->flags &= DNS_MESSAGE_REPLYPRESERVE;
+ msg->flags |= DNS_MESSAGEFLAG_QR;
+
+ /*
+ * This saves the query TSIG status, if the query was signed, and
+ * reserves space in the reply for the TSIG.
+ */
+ if (msg->tsigkey != NULL) {
+ unsigned int otherlen = 0;
+ msg->querytsigstatus = msg->tsigstatus;
+ msg->tsigstatus = dns_rcode_noerror;
+ if (msg->querytsigstatus == dns_tsigerror_badtime)
+ otherlen = 6;
+ msg->sig_reserved = spacefortsig(msg->tsigkey, otherlen);
+ result = dns_message_renderreserve(msg, msg->sig_reserved);
+ if (result != ISC_R_SUCCESS) {
+ msg->sig_reserved = 0;
+ return (result);
+ }
+ }
+ if (msg->saved.base != NULL) {
+ msg->query.base = msg->saved.base;
+ msg->query.length = msg->saved.length;
+ msg->free_query = msg->free_saved;
+ msg->saved.base = NULL;
+ msg->saved.length = 0;
+ msg->free_saved = 0;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getopt(dns_message_t *msg) {
+
+ /*
+ * Get the OPT record for 'msg'.
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+ return (msg->opt);
+}
+
+isc_result_t
+dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * Set the OPT record for 'msg'.
+ */
+
+ /*
+ * The space required for an OPT record is:
+ *
+ * 1 byte for the name
+ * 2 bytes for the type
+ * 2 bytes for the class
+ * 4 bytes for the ttl
+ * 2 bytes for the rdata length
+ * ---------------------------------
+ * 11 bytes
+ *
+ * plus the length of the rdata.
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(opt->type == dns_rdatatype_opt);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+
+ msgresetopt(msg);
+
+ result = dns_rdataset_first(opt);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdataset_current(opt, &rdata);
+ msg->opt_reserved = 11 + rdata.length;
+ result = dns_message_renderreserve(msg, msg->opt_reserved);
+ if (result != ISC_R_SUCCESS) {
+ msg->opt_reserved = 0;
+ goto cleanup;
+ }
+
+ msg->opt = opt;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_message_puttemprdataset(msg, &opt);
+ return (result);
+
+}
+
+dns_rdataset_t *
+dns_message_gettsig(dns_message_t *msg, dns_name_t **owner) {
+
+ /*
+ * Get the TSIG record and owner for 'msg'.
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(owner == NULL || *owner == NULL);
+
+ if (owner != NULL)
+ *owner = msg->tsigname;
+ return (msg->tsig);
+}
+
+isc_result_t
+dns_message_settsigkey(dns_message_t *msg, dns_tsigkey_t *key) {
+ isc_result_t result;
+
+ /*
+ * Set the TSIG key for 'msg'
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+
+ if (key == NULL && msg->tsigkey != NULL) {
+ if (msg->sig_reserved != 0) {
+ dns_message_renderrelease(msg, msg->sig_reserved);
+ msg->sig_reserved = 0;
+ }
+ dns_tsigkey_detach(&msg->tsigkey);
+ }
+ if (key != NULL) {
+ REQUIRE(msg->tsigkey == NULL && msg->sig0key == NULL);
+ dns_tsigkey_attach(key, &msg->tsigkey);
+ if (msg->from_to_wire == DNS_MESSAGE_INTENTRENDER) {
+ msg->sig_reserved = spacefortsig(msg->tsigkey, 0);
+ result = dns_message_renderreserve(msg,
+ msg->sig_reserved);
+ if (result != ISC_R_SUCCESS) {
+ dns_tsigkey_detach(&msg->tsigkey);
+ msg->sig_reserved = 0;
+ return (result);
+ }
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+dns_tsigkey_t *
+dns_message_gettsigkey(dns_message_t *msg) {
+
+ /*
+ * Get the TSIG key for 'msg'
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+ return (msg->tsigkey);
+}
+
+isc_result_t
+dns_message_setquerytsig(dns_message_t *msg, isc_buffer_t *querytsig) {
+ dns_rdata_t *rdata = NULL;
+ dns_rdatalist_t *list = NULL;
+ dns_rdataset_t *set = NULL;
+ isc_buffer_t *buf = NULL;
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->querytsig == NULL);
+
+ if (querytsig == NULL)
+ return (ISC_R_SUCCESS);
+
+ result = dns_message_gettemprdata(msg, &rdata);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_gettemprdatalist(msg, &list);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdataset(msg, &set);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ isc_buffer_usedregion(querytsig, &r);
+ result = isc_buffer_allocate(msg->mctx, &buf, r.length);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ isc_buffer_putmem(buf, r.base, r.length);
+ isc_buffer_usedregion(buf, &r);
+ dns_rdata_init(rdata);
+ dns_rdata_fromregion(rdata, dns_rdataclass_any, dns_rdatatype_tsig, &r);
+ dns_message_takebuffer(msg, &buf);
+ ISC_LIST_INIT(list->rdata);
+ ISC_LIST_APPEND(list->rdata, rdata, link);
+ result = dns_rdatalist_tordataset(list, set);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ msg->querytsig = set;
+
+ return (result);
+
+ cleanup:
+ if (rdata != NULL)
+ dns_message_puttemprdata(msg, &rdata);
+ if (list != NULL)
+ dns_message_puttemprdatalist(msg, &list);
+ if (set != NULL)
+ dns_message_puttemprdataset(msg, &set);
+ return (ISC_R_NOMEMORY);
+}
+
+isc_result_t
+dns_message_getquerytsig(dns_message_t *msg, isc_mem_t *mctx,
+ isc_buffer_t **querytsig) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_region_t r;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(mctx != NULL);
+ REQUIRE(querytsig != NULL && *querytsig == NULL);
+
+ if (msg->tsig == NULL)
+ return (ISC_R_SUCCESS);
+
+ result = dns_rdataset_first(msg->tsig);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(msg->tsig, &rdata);
+ dns_rdata_toregion(&rdata, &r);
+
+ result = isc_buffer_allocate(mctx, querytsig, r.length);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_putmem(*querytsig, r.base, r.length);
+ return (ISC_R_SUCCESS);
+}
+
+dns_rdataset_t *
+dns_message_getsig0(dns_message_t *msg, dns_name_t **owner) {
+
+ /*
+ * Get the SIG(0) record for 'msg'.
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(owner == NULL || *owner == NULL);
+
+ if (msg->sig0 != NULL && owner != NULL) {
+ /* If dns_message_getsig0 is called on a rendered message
+ * after the SIG(0) has been applied, we need to return the
+ * root name, not NULL.
+ */
+ if (msg->sig0name == NULL)
+ *owner = dns_rootname;
+ else
+ *owner = msg->sig0name;
+ }
+ return (msg->sig0);
+}
+
+isc_result_t
+dns_message_setsig0key(dns_message_t *msg, dst_key_t *key) {
+ isc_region_t r;
+ unsigned int x;
+ isc_result_t result;
+
+ /*
+ * Set the SIG(0) key for 'msg'
+ */
+
+ /*
+ * The space required for an SIG(0) record is:
+ *
+ * 1 byte for the name
+ * 2 bytes for the type
+ * 2 bytes for the class
+ * 4 bytes for the ttl
+ * 2 bytes for the type covered
+ * 1 byte for the algorithm
+ * 1 bytes for the labels
+ * 4 bytes for the original ttl
+ * 4 bytes for the signature expiration
+ * 4 bytes for the signature inception
+ * 2 bytes for the key tag
+ * n bytes for the signer's name
+ * x bytes for the signature
+ * ---------------------------------
+ * 27 + n + x bytes
+ */
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+
+ if (key != NULL) {
+ REQUIRE(msg->sig0key == NULL && msg->tsigkey == NULL);
+ dns_name_toregion(dst_key_name(key), &r);
+ result = dst_key_sigsize(key, &x);
+ if (result != ISC_R_SUCCESS) {
+ msg->sig_reserved = 0;
+ return (result);
+ }
+ msg->sig_reserved = 27 + r.length + x;
+ result = dns_message_renderreserve(msg, msg->sig_reserved);
+ if (result != ISC_R_SUCCESS) {
+ msg->sig_reserved = 0;
+ return (result);
+ }
+ msg->sig0key = key;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+dst_key_t *
+dns_message_getsig0key(dns_message_t *msg) {
+
+ /*
+ * Get the SIG(0) key for 'msg'
+ */
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+ return (msg->sig0key);
+}
+
+void
+dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(buffer != NULL);
+ REQUIRE(ISC_BUFFER_VALID(*buffer));
+
+ ISC_LIST_APPEND(msg->cleanup, *buffer, link);
+ *buffer = NULL;
+}
+
+isc_result_t
+dns_message_signer(dns_message_t *msg, dns_name_t *signer) {
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(signer != NULL);
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+
+ if (msg->tsig == NULL && msg->sig0 == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (msg->verify_attempted == 0)
+ return (DNS_R_NOTVERIFIEDYET);
+
+ if (!dns_name_hasbuffer(signer)) {
+ isc_buffer_t *dynbuf = NULL;
+ result = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_setbuffer(signer, dynbuf);
+ dns_message_takebuffer(msg, &dynbuf);
+ }
+
+ if (msg->sig0 != NULL) {
+ dns_rdata_sig_t sig;
+
+ result = dns_rdataset_first(msg->sig0);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(msg->sig0, &rdata);
+
+ result = dns_rdata_tostruct(&rdata, &sig, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (msg->verified_sig && msg->sig0status == dns_rcode_noerror)
+ result = ISC_R_SUCCESS;
+ else
+ result = DNS_R_SIGINVALID;
+ dns_name_clone(&sig.signer, signer);
+ dns_rdata_freestruct(&sig);
+ } else {
+ dns_name_t *identity;
+ dns_rdata_any_tsig_t tsig;
+
+ result = dns_rdataset_first(msg->tsig);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(msg->tsig, &rdata);
+
+ result = dns_rdata_tostruct(&rdata, &tsig, NULL);
+ if (msg->tsigstatus != dns_rcode_noerror)
+ result = DNS_R_TSIGVERIFYFAILURE;
+ else if (tsig.error != dns_rcode_noerror)
+ result = DNS_R_TSIGERRORSET;
+ else
+ result = ISC_R_SUCCESS;
+ dns_rdata_freestruct(&tsig);
+
+ if (msg->tsigkey == NULL) {
+ /*
+ * If msg->tsigstatus & tsig.error are both
+ * dns_rcode_noerror, the message must have been
+ * verified, which means msg->tsigkey will be
+ * non-NULL.
+ */
+ INSIST(result != ISC_R_SUCCESS);
+ } else {
+ identity = dns_tsigkey_identity(msg->tsigkey);
+ if (identity == NULL) {
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_NOIDENTITY;
+ identity = &msg->tsigkey->name;
+ }
+ dns_name_clone(identity, signer);
+ }
+ }
+
+ return (result);
+}
+
+void
+dns_message_resetsig(dns_message_t *msg) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ msg->verified_sig = 0;
+ msg->verify_attempted = 0;
+ msg->tsigstatus = dns_rcode_noerror;
+ msg->sig0status = dns_rcode_noerror;
+ msg->timeadjust = 0;
+ if (msg->tsigkey != NULL) {
+ dns_tsigkey_detach(&msg->tsigkey);
+ msg->tsigkey = NULL;
+ }
+}
+
+isc_result_t
+dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
+ dns_message_resetsig(msg);
+ return (dns_message_checksig(msg, view));
+}
+
+isc_result_t
+dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
+ isc_buffer_t b, msgb;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+
+ if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
+ return (ISC_R_SUCCESS);
+ INSIST(msg->saved.base != NULL);
+ isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
+ isc_buffer_add(&msgb, msg->saved.length);
+ if (msg->tsigkey != NULL || msg->tsig != NULL) {
+ if (view != NULL)
+ return (dns_view_checksig(view, &msgb, msg));
+ else
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
+ } else {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_sig_t sig;
+ dns_rdataset_t keyset;
+ isc_result_t result;
+
+ result = dns_rdataset_first(msg->sig0);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdataset_current(msg->sig0, &rdata);
+
+ /*
+ * This can occur when the message is a dynamic update, since
+ * the rdata length checking is relaxed. This should not
+ * happen in a well-formed message, since the SIG(0) is only
+ * looked for in the additional section, and the dynamic update
+ * meta-records are in the prerequisite and update sections.
+ */
+ if (rdata.length == 0)
+ return (ISC_R_UNEXPECTEDEND);
+
+ result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_rdataset_init(&keyset);
+ if (view == NULL)
+ return (DNS_R_KEYUNAUTHORIZED);
+ result = dns_view_simplefind(view, &sig.signer,
+ dns_rdatatype_key /* SIG(0) */,
+ 0, 0, ISC_FALSE, &keyset, NULL);
+
+ if (result != ISC_R_SUCCESS) {
+ /* XXXBEW Should possibly create a fetch here */
+ result = DNS_R_KEYUNAUTHORIZED;
+ goto freesig;
+ } else if (keyset.trust < dns_trust_secure) {
+ /* XXXBEW Should call a validator here */
+ result = DNS_R_KEYUNAUTHORIZED;
+ goto freesig;
+ }
+ result = dns_rdataset_first(&keyset);
+ INSIST(result == ISC_R_SUCCESS);
+ for (;
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&keyset))
+ {
+ dst_key_t *key = NULL;
+
+ dns_rdataset_current(&keyset, &rdata);
+ isc_buffer_init(&b, rdata.data, rdata.length);
+ isc_buffer_add(&b, rdata.length);
+
+ result = dst_key_fromdns(&sig.signer, rdata.rdclass,
+ &b, view->mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ if (dst_key_alg(key) != sig.algorithm ||
+ dst_key_id(key) != sig.keyid ||
+ !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
+ dst_key_proto(key) == DNS_KEYPROTO_ANY))
+ {
+ dst_key_free(&key);
+ continue;
+ }
+ result = dns_dnssec_verifymessage(&msgb, msg, key);
+ dst_key_free(&key);
+ if (result == ISC_R_SUCCESS)
+ break;
+ }
+ if (result == ISC_R_NOMORE)
+ result = DNS_R_KEYUNAUTHORIZED;
+
+ freesig:
+ if (dns_rdataset_isassociated(&keyset))
+ dns_rdataset_disassociate(&keyset);
+ dns_rdata_freestruct(&sig);
+ return (result);
+ }
+}
+
+isc_result_t
+dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
+ const dns_master_style_t *style,
+ dns_messagetextflag_t flags,
+ isc_buffer_t *target) {
+ dns_name_t *name, empty_name;
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(target != NULL);
+ REQUIRE(VALID_SECTION(section));
+
+ if (ISC_LIST_EMPTY(msg->sections[section]))
+ return (ISC_R_SUCCESS);
+
+ if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0) {
+ ADD_STRING(target, ";; ");
+ if (msg->opcode != dns_opcode_update) {
+ ADD_STRING(target, sectiontext[section]);
+ }
+ else {
+ ADD_STRING(target, updsectiontext[section]);
+ }
+ ADD_STRING(target, " SECTION:\n");
+ }
+
+ dns_name_init(&empty_name, NULL);
+ result = dns_message_firstname(msg, section);
+ if (result != ISC_R_SUCCESS) {
+ return (result);
+ }
+ do {
+ name = NULL;
+ dns_message_currentname(msg, section, &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (section == DNS_SECTION_QUESTION) {
+ ADD_STRING(target, ";");
+ result = dns_master_questiontotext(name,
+ rdataset,
+ style,
+ target);
+ } else {
+ result = dns_master_rdatasettotext(name,
+ rdataset,
+ style,
+ target);
+ }
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ result = dns_message_nextname(msg, section);
+ } while (result == ISC_R_SUCCESS);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+ (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, "\n");
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+isc_result_t
+dns_message_pseudosectiontotext(dns_message_t *msg,
+ dns_pseudosection_t section,
+ const dns_master_style_t *style,
+ dns_messagetextflag_t flags,
+ isc_buffer_t *target) {
+ dns_rdataset_t *ps = NULL;
+ dns_name_t *name = NULL;
+ isc_result_t result;
+ char buf[sizeof("1234567890")];
+ isc_uint32_t mbz;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(target != NULL);
+ REQUIRE(VALID_PSEUDOSECTION(section));
+
+ switch (section) {
+ case DNS_PSEUDOSECTION_OPT:
+ ps = dns_message_getopt(msg);
+ if (ps == NULL)
+ return (ISC_R_SUCCESS);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, ";; OPT PSEUDOSECTION:\n");
+ ADD_STRING(target, "; EDNS: version: ");
+ snprintf(buf, sizeof(buf), "%u",
+ (unsigned int)((ps->ttl & 0x00ff0000) >> 16));
+ ADD_STRING(target, buf);
+ ADD_STRING(target, ", flags:");
+ if ((ps->ttl & DNS_MESSAGEEXTFLAG_DO) != 0)
+ ADD_STRING(target, " do");
+ mbz = ps->ttl & ~DNS_MESSAGEEXTFLAG_DO & 0xffff;
+ if (mbz != 0) {
+ ADD_STRING(target, "; MBZ: ");
+ snprintf(buf, sizeof(buf), "%.4x ", mbz);
+ ADD_STRING(target, buf);
+ ADD_STRING(target, ", udp: ");
+ } else
+ ADD_STRING(target, "; udp: ");
+ snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
+ ADD_STRING(target, buf);
+ return (ISC_R_SUCCESS);
+ case DNS_PSEUDOSECTION_TSIG:
+ ps = dns_message_gettsig(msg, &name);
+ if (ps == NULL)
+ return (ISC_R_SUCCESS);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, ";; TSIG PSEUDOSECTION:\n");
+ result = dns_master_rdatasettotext(name, ps, style, target);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+ (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, "\n");
+ return (result);
+ case DNS_PSEUDOSECTION_SIG0:
+ ps = dns_message_getsig0(msg, &name);
+ if (ps == NULL)
+ return (ISC_R_SUCCESS);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, ";; SIG0 PSEUDOSECTION:\n");
+ result = dns_master_rdatasettotext(name, ps, style, target);
+ if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0 &&
+ (flags & DNS_MESSAGETEXTFLAG_NOCOMMENTS) == 0)
+ ADD_STRING(target, "\n");
+ return (result);
+ }
+ return (ISC_R_UNEXPECTED);
+}
+
+isc_result_t
+dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
+ dns_messagetextflag_t flags, isc_buffer_t *target) {
+ char buf[sizeof("1234567890")];
+ isc_result_t result;
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(target != NULL);
+
+ if ((flags & DNS_MESSAGETEXTFLAG_NOHEADERS) == 0) {
+ ADD_STRING(target, ";; ->>HEADER<<- opcode: ");
+ ADD_STRING(target, opcodetext[msg->opcode]);
+ ADD_STRING(target, ", status: ");
+ ADD_STRING(target, rcodetext[msg->rcode]);
+ ADD_STRING(target, ", id: ");
+ snprintf(buf, sizeof(buf), "%6u", msg->id);
+ ADD_STRING(target, buf);
+ ADD_STRING(target, "\n;; flags: ");
+ if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
+ ADD_STRING(target, "qr ");
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) != 0)
+ ADD_STRING(target, "aa ");
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0)
+ ADD_STRING(target, "tc ");
+ if ((msg->flags & DNS_MESSAGEFLAG_RD) != 0)
+ ADD_STRING(target, "rd ");
+ if ((msg->flags & DNS_MESSAGEFLAG_RA) != 0)
+ ADD_STRING(target, "ra ");
+ if ((msg->flags & DNS_MESSAGEFLAG_AD) != 0)
+ ADD_STRING(target, "ad ");
+ if ((msg->flags & DNS_MESSAGEFLAG_CD) != 0)
+ ADD_STRING(target, "cd ");
+ if (msg->opcode != dns_opcode_update) {
+ ADD_STRING(target, "; QUESTION: ");
+ } else {
+ ADD_STRING(target, "; ZONE: ");
+ }
+ snprintf(buf, sizeof(buf), "%1u",
+ msg->counts[DNS_SECTION_QUESTION]);
+ ADD_STRING(target, buf);
+ if (msg->opcode != dns_opcode_update) {
+ ADD_STRING(target, ", ANSWER: ");
+ } else {
+ ADD_STRING(target, ", PREREQ: ");
+ }
+ snprintf(buf, sizeof(buf), "%1u",
+ msg->counts[DNS_SECTION_ANSWER]);
+ ADD_STRING(target, buf);
+ if (msg->opcode != dns_opcode_update) {
+ ADD_STRING(target, ", AUTHORITY: ");
+ } else {
+ ADD_STRING(target, ", UPDATE: ");
+ }
+ snprintf(buf, sizeof(buf), "%1u",
+ msg->counts[DNS_SECTION_AUTHORITY]);
+ ADD_STRING(target, buf);
+ ADD_STRING(target, ", ADDITIONAL: ");
+ snprintf(buf, sizeof(buf), "%1u",
+ msg->counts[DNS_SECTION_ADDITIONAL]);
+ ADD_STRING(target, buf);
+ ADD_STRING(target, "\n");
+ }
+ result = dns_message_pseudosectiontotext(msg,
+ DNS_PSEUDOSECTION_OPT,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_message_sectiontotext(msg, DNS_SECTION_QUESTION,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_message_sectiontotext(msg, DNS_SECTION_ANSWER,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_message_sectiontotext(msg, DNS_SECTION_AUTHORITY,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_message_sectiontotext(msg, DNS_SECTION_ADDITIONAL,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_message_pseudosectiontotext(msg,
+ DNS_PSEUDOSECTION_TSIG,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_message_pseudosectiontotext(msg,
+ DNS_PSEUDOSECTION_SIG0,
+ style, flags, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_region_t *
+dns_message_getrawmessage(dns_message_t *msg) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ return (&msg->saved);
+}
+
+void
+dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
+ void *order_arg)
+{
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ msg->order = order;
+ msg->order_arg = order_arg;
+}
+
+void
+dns_message_settimeadjust(dns_message_t *msg, int timeadjust) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ msg->timeadjust = timeadjust;
+}
+
+int
+dns_message_gettimeadjust(dns_message_t *msg) {
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ return (msg->timeadjust);
+}
+
+isc_result_t
+dns_opcode_totext(dns_opcode_t opcode, isc_buffer_t *target) {
+
+ REQUIRE(opcode < 16);
+
+ if (isc_buffer_availablelength(target) < strlen(opcodetext[opcode]))
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(target, opcodetext[opcode]);
+ return (ISC_R_SUCCESS);
+}
diff --git a/contrib/bind9/lib/dns/name.c b/contrib/bind9/lib/dns/name.c
new file mode 100644
index 0000000..37a5f4e
--- /dev/null
+++ b/contrib/bind9/lib/dns/name.c
@@ -0,0 +1,2202 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: name.c,v 1.127.2.7.2.11 2004/09/01 05:19:59 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/compress.h>
+#include <dns/name.h>
+#include <dns/result.h>
+
+#define VALID_NAME(n) ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
+
+typedef enum {
+ ft_init = 0,
+ ft_start,
+ ft_ordinary,
+ ft_initialescape,
+ ft_escape,
+ ft_escdecimal,
+ ft_at
+} ft_state;
+
+typedef enum {
+ fw_start = 0,
+ fw_ordinary,
+ fw_copy,
+ fw_newcurrent
+} fw_state;
+
+static char digitvalue[256] = {
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*16*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*32*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*48*/
+ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, /*64*/
+ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*80*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*96*/
+ -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*112*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*128*/
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, /*256*/
+};
+
+static unsigned char maptolower[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+ 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+ 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+ 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+ 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+ 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+ 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+ 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+ 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+ 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+#define CONVERTTOASCII(c)
+#define CONVERTFROMASCII(c)
+
+#define INIT_OFFSETS(name, var, default) \
+ if (name->offsets != NULL) \
+ var = name->offsets; \
+ else \
+ var = default;
+
+#define SETUP_OFFSETS(name, var, default) \
+ if (name->offsets != NULL) \
+ var = name->offsets; \
+ else { \
+ var = default; \
+ set_offsets(name, var, NULL); \
+ }
+
+/*
+ * Note: If additional attributes are added that should not be set for
+ * empty names, MAKE_EMPTY() must be changed so it clears them.
+ */
+#define MAKE_EMPTY(name) \
+do { \
+ name->ndata = NULL; \
+ name->length = 0; \
+ name->labels = 0; \
+ name->attributes &= ~DNS_NAMEATTR_ABSOLUTE; \
+} while (0);
+
+/*
+ * A name is "bindable" if it can be set to point to a new value, i.e.
+ * name->ndata and name->length may be changed.
+ */
+#define BINDABLE(name) \
+ ((name->attributes & (DNS_NAMEATTR_READONLY|DNS_NAMEATTR_DYNAMIC)) \
+ == 0)
+
+/*
+ * Note that the name data must be a char array, not a string
+ * literal, to avoid compiler warnings about discarding
+ * the const attribute of a string.
+ */
+static unsigned char root_ndata[] = { '\0' };
+static unsigned char root_offsets[] = { 0 };
+
+static dns_name_t root =
+{
+ DNS_NAME_MAGIC,
+ root_ndata, 1, 1,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ root_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+/* XXXDCL make const? */
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
+
+static unsigned char wild_ndata[] = { '\001', '*' };
+static unsigned char wild_offsets[] = { 0 };
+
+static dns_name_t wild =
+{
+ DNS_NAME_MAGIC,
+ wild_ndata, 2, 1,
+ DNS_NAMEATTR_READONLY,
+ wild_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+/* XXXDCL make const? */
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
+
+unsigned int
+dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive);
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+ dns_name_t *set_name);
+
+void
+dns_name_init(dns_name_t *name, unsigned char *offsets) {
+ /*
+ * Initialize 'name'.
+ */
+ DNS_NAME_INIT(name, offsets);
+}
+
+void
+dns_name_reset(dns_name_t *name) {
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(BINDABLE(name));
+
+ DNS_NAME_RESET(name);
+}
+
+void
+dns_name_invalidate(dns_name_t *name) {
+ /*
+ * Make 'name' invalid.
+ */
+
+ REQUIRE(VALID_NAME(name));
+
+ name->magic = 0;
+ name->ndata = NULL;
+ name->length = 0;
+ name->labels = 0;
+ name->attributes = 0;
+ name->offsets = NULL;
+ name->buffer = NULL;
+ ISC_LINK_INIT(name, link);
+}
+
+void
+dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer) {
+ /*
+ * Dedicate a buffer for use with 'name'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE((buffer != NULL && name->buffer == NULL) ||
+ (buffer == NULL));
+
+ name->buffer = buffer;
+}
+
+isc_boolean_t
+dns_name_hasbuffer(const dns_name_t *name) {
+ /*
+ * Does 'name' have a dedicated buffer?
+ */
+
+ REQUIRE(VALID_NAME(name));
+
+ if (name->buffer != NULL)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_name_isabsolute(const dns_name_t *name) {
+
+ /*
+ * Does 'name' end in the root label?
+ */
+
+ REQUIRE(VALID_NAME(name));
+
+ if ((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+#define hyphenchar(c) ((c) == 0x2d)
+#define asterchar(c) ((c) == 0x2a)
+#define alphachar(c) (((c) >= 0x41 && (c) <= 0x5a) \
+ || ((c) >= 0x61 && (c) <= 0x7a))
+#define digitchar(c) ((c) >= 0x30 && (c) <= 0x39)
+#define borderchar(c) (alphachar(c) || digitchar(c))
+#define middlechar(c) (borderchar(c) || hyphenchar(c))
+#define domainchar(c) ((c) > 0x20 && (c) < 0x7f)
+
+isc_boolean_t
+dns_name_ismailbox(const dns_name_t *name) {
+ unsigned char *ndata, ch;
+ unsigned int n;
+ isc_boolean_t first;
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(name->labels > 0);
+ REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+ /*
+ * Root label.
+ */
+ if (name->length == 1)
+ return (ISC_TRUE);
+
+ ndata = name->ndata;
+ n = *ndata++;
+ INSIST(n <= 63);
+ while (n--) {
+ ch = *ndata++;
+ if (!domainchar(ch))
+ return (ISC_FALSE);
+ }
+
+ if (ndata == name->ndata + name->length)
+ return (ISC_FALSE);
+
+ /*
+ * RFC292/RFC1123 hostname.
+ */
+ while (ndata < (name->ndata + name->length)) {
+ n = *ndata++;
+ INSIST(n <= 63);
+ first = ISC_TRUE;
+ while (n--) {
+ ch = *ndata++;
+ if (first || n == 0) {
+ if (!borderchar(ch))
+ return (ISC_FALSE);
+ } else {
+ if (!middlechar(ch))
+ return (ISC_FALSE);
+ }
+ first = ISC_FALSE;
+ }
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) {
+ unsigned char *ndata, ch;
+ unsigned int n;
+ isc_boolean_t first;
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(name->labels > 0);
+ REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
+
+ /*
+ * Root label.
+ */
+ if (name->length == 1)
+ return (ISC_TRUE);
+
+ /*
+ * Skip wildcard if this is a ownername.
+ */
+ ndata = name->ndata;
+ if (wildcard && ndata[0] == 1 && ndata[1] == '*')
+ ndata += 2;
+
+ /*
+ * RFC292/RFC1123 hostname.
+ */
+ while (ndata < (name->ndata + name->length)) {
+ n = *ndata++;
+ INSIST(n <= 63);
+ first = ISC_TRUE;
+ while (n--) {
+ ch = *ndata++;
+ if (first || n == 0) {
+ if (!borderchar(ch))
+ return (ISC_FALSE);
+ } else {
+ if (!middlechar(ch))
+ return (ISC_FALSE);
+ }
+ first = ISC_FALSE;
+ }
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+dns_name_iswildcard(const dns_name_t *name) {
+ unsigned char *ndata;
+
+ /*
+ * Is 'name' a wildcard name?
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(name->labels > 0);
+
+ if (name->length >= 2) {
+ ndata = name->ndata;
+ if (ndata[0] == 1 && ndata[1] == '*')
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+static inline unsigned int
+name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+ unsigned int length;
+ const unsigned char *s;
+ unsigned int h = 0;
+ unsigned char c;
+
+ length = name->length;
+ if (length > 16)
+ length = 16;
+
+ /*
+ * This hash function is similar to the one Ousterhout
+ * uses in Tcl.
+ */
+ s = name->ndata;
+ if (case_sensitive) {
+ while (length > 0) {
+ h += ( h << 3 ) + *s;
+ s++;
+ length--;
+ }
+ } else {
+ while (length > 0) {
+ c = maptolower[*s];
+ h += ( h << 3 ) + c;
+ s++;
+ length--;
+ }
+ }
+
+ return (h);
+}
+
+unsigned int
+dns_name_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+ /*
+ * Provide a hash value for 'name'.
+ */
+ REQUIRE(VALID_NAME(name));
+
+ if (name->labels == 0)
+ return (0);
+
+ return (name_hash(name, case_sensitive));
+}
+
+unsigned int
+dns_name_fullhash(dns_name_t *name, isc_boolean_t case_sensitive) {
+ /*
+ * Provide a hash value for 'name'.
+ */
+ REQUIRE(VALID_NAME(name));
+
+ if (name->labels == 0)
+ return (0);
+
+ return (isc_hash_calc((const unsigned char *)name->ndata,
+ name->length, case_sensitive));
+}
+
+unsigned int
+dns_fullname_hash(dns_name_t *name, isc_boolean_t case_sensitive) {
+ /*
+ * This function was deprecated due to the breakage of the name space
+ * convention. We only keep this internally to provide binary backward
+ * compatibility.
+ */
+ REQUIRE(VALID_NAME(name));
+
+ return (dns_name_fullhash(name, case_sensitive));
+}
+
+unsigned int
+dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive) {
+ unsigned char *offsets;
+ dns_offsets_t odata;
+ dns_name_t tname;
+ unsigned int h = 0;
+ unsigned int i;
+
+ /*
+ * Provide a hash value for 'name'.
+ */
+ REQUIRE(VALID_NAME(name));
+
+ if (name->labels == 0)
+ return (0);
+ else if (name->labels == 1)
+ return (name_hash(name, case_sensitive));
+
+ SETUP_OFFSETS(name, offsets, odata);
+ DNS_NAME_INIT(&tname, NULL);
+ tname.labels = 1;
+ h = 0;
+ for (i = 0; i < name->labels; i++) {
+ tname.ndata = name->ndata + offsets[i];
+ if (i == name->labels - 1)
+ tname.length = name->length - offsets[i];
+ else
+ tname.length = offsets[i + 1] - offsets[i];
+ h += name_hash(&tname, case_sensitive);
+ }
+
+ return (h);
+}
+
+dns_namereln_t
+dns_name_fullcompare(const dns_name_t *name1, const dns_name_t *name2,
+ int *orderp, unsigned int *nlabelsp)
+{
+ unsigned int l1, l2, l, count1, count2, count, nlabels;
+ int cdiff, ldiff, chdiff;
+ unsigned char *label1, *label2;
+ unsigned char *offsets1, *offsets2;
+ dns_offsets_t odata1, odata2;
+ dns_namereln_t namereln = dns_namereln_none;
+
+ /*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2', and also determine the hierarchical
+ * relationship of the names.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ */
+
+ REQUIRE(VALID_NAME(name1));
+ REQUIRE(VALID_NAME(name2));
+ REQUIRE(orderp != NULL);
+ REQUIRE(nlabelsp != NULL);
+ /*
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ */
+ REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+ (name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+ SETUP_OFFSETS(name1, offsets1, odata1);
+ SETUP_OFFSETS(name2, offsets2, odata2);
+
+ nlabels = 0;
+ l1 = name1->labels;
+ l2 = name2->labels;
+ ldiff = (int)l1 - (int)l2;
+ if (ldiff < 0)
+ l = l1;
+ else
+ l = l2;
+
+ while (l > 0) {
+ l--;
+ l1--;
+ l2--;
+ label1 = &name1->ndata[offsets1[l1]];
+ label2 = &name2->ndata[offsets2[l2]];
+ count1 = *label1++;
+ count2 = *label2++;
+
+ /*
+ * We dropped bitstring labels, and we don't support any
+ * other extended label types.
+ */
+ INSIST(count1 <= 63 && count2 <= 63);
+
+ cdiff = (int)count1 - (int)count2;
+ if (cdiff < 0)
+ count = count1;
+ else
+ count = count2;
+
+ while (count > 0) {
+ chdiff = (int)maptolower[*label1] -
+ (int)maptolower[*label2];
+ if (chdiff != 0) {
+ *orderp = chdiff;
+ goto done;
+ }
+ count--;
+ label1++;
+ label2++;
+ }
+ if (cdiff != 0) {
+ *orderp = cdiff;
+ goto done;
+ }
+ nlabels++;
+ }
+
+ *orderp = ldiff;
+ if (ldiff < 0)
+ namereln = dns_namereln_contains;
+ else if (ldiff > 0)
+ namereln = dns_namereln_subdomain;
+ else
+ namereln = dns_namereln_equal;
+
+ done:
+ *nlabelsp = nlabels;
+
+ if (nlabels > 0 && namereln == dns_namereln_none)
+ namereln = dns_namereln_commonancestor;
+
+ return (namereln);
+}
+
+int
+dns_name_compare(const dns_name_t *name1, const dns_name_t *name2) {
+ int order;
+ unsigned int nlabels;
+
+ /*
+ * Determine the relative ordering under the DNSSEC order relation of
+ * 'name1' and 'name2'.
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ */
+
+ (void)dns_name_fullcompare(name1, name2, &order, &nlabels);
+
+ return (order);
+}
+
+isc_boolean_t
+dns_name_equal(const dns_name_t *name1, const dns_name_t *name2) {
+ unsigned int l, count;
+ unsigned char c;
+ unsigned char *label1, *label2;
+
+ /*
+ * Are 'name1' and 'name2' equal?
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ */
+
+ REQUIRE(VALID_NAME(name1));
+ REQUIRE(VALID_NAME(name2));
+ /*
+ * Either name1 is absolute and name2 is absolute, or neither is.
+ */
+ REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) ==
+ (name2->attributes & DNS_NAMEATTR_ABSOLUTE));
+
+ if (name1->length != name2->length)
+ return (ISC_FALSE);
+
+ l = name1->labels;
+
+ if (l != name2->labels)
+ return (ISC_FALSE);
+
+ label1 = name1->ndata;
+ label2 = name2->ndata;
+ while (l > 0) {
+ l--;
+ count = *label1++;
+ if (count != *label2++)
+ return (ISC_FALSE);
+
+ INSIST(count <= 63); /* no bitstring support */
+
+ while (count > 0) {
+ count--;
+ c = maptolower[*label1++];
+ if (c != maptolower[*label2++])
+ return (ISC_FALSE);
+ }
+ }
+
+ return (ISC_TRUE);
+}
+
+int
+dns_name_rdatacompare(const dns_name_t *name1, const dns_name_t *name2) {
+ unsigned int l1, l2, l, count1, count2, count;
+ unsigned char c1, c2;
+ unsigned char *label1, *label2;
+
+ /*
+ * Compare two absolute names as rdata.
+ */
+
+ REQUIRE(VALID_NAME(name1));
+ REQUIRE(name1->labels > 0);
+ REQUIRE((name1->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+ REQUIRE(VALID_NAME(name2));
+ REQUIRE(name2->labels > 0);
+ REQUIRE((name2->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+
+ l1 = name1->labels;
+ l2 = name2->labels;
+
+ l = (l1 < l2) ? l1 : l2;
+
+ label1 = name1->ndata;
+ label2 = name2->ndata;
+ while (l > 0) {
+ l--;
+ count1 = *label1++;
+ count2 = *label2++;
+
+ /* no bitstring support */
+ INSIST(count1 <= 63 && count2 <= 63);
+
+ if (count1 != count2)
+ return ((count1 < count2) ? -1 : 1);
+ count = count1;
+ while (count > 0) {
+ count--;
+ c1 = maptolower[*label1++];
+ c2 = maptolower[*label2++];
+ if (c1 < c2)
+ return (-1);
+ else if (c1 > c2)
+ return (1);
+ }
+ }
+
+ /*
+ * If one name had more labels than the other, their common
+ * prefix must have been different because the shorter name
+ * ended with the root label and the longer one can't have
+ * a root label in the middle of it. Therefore, if we get
+ * to this point, the lengths must be equal.
+ */
+ INSIST(l1 == l2);
+
+ return (0);
+}
+
+isc_boolean_t
+dns_name_issubdomain(const dns_name_t *name1, const dns_name_t *name2) {
+ int order;
+ unsigned int nlabels;
+ dns_namereln_t namereln;
+
+ /*
+ * Is 'name1' a subdomain of 'name2'?
+ *
+ * Note: It makes no sense for one of the names to be relative and the
+ * other absolute. If both names are relative, then to be meaningfully
+ * compared the caller must ensure that they are both relative to the
+ * same domain.
+ */
+
+ namereln = dns_name_fullcompare(name1, name2, &order, &nlabels);
+ if (namereln == dns_namereln_subdomain ||
+ namereln == dns_namereln_equal)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_name_matcheswildcard(const dns_name_t *name, const dns_name_t *wname) {
+ int order;
+ unsigned int nlabels, labels;
+ dns_name_t tname;
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(name->labels > 0);
+ REQUIRE(VALID_NAME(wname));
+ labels = wname->labels;
+ REQUIRE(labels > 0);
+ REQUIRE(dns_name_iswildcard(wname));
+
+ DNS_NAME_INIT(&tname, NULL);
+ dns_name_getlabelsequence(wname, 1, labels - 1, &tname);
+ if (dns_name_fullcompare(name, &tname, &order, &nlabels) ==
+ dns_namereln_subdomain)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+unsigned int
+dns_name_countlabels(const dns_name_t *name) {
+ /*
+ * How many labels does 'name' have?
+ */
+
+ REQUIRE(VALID_NAME(name));
+
+ ENSURE(name->labels <= 128);
+
+ return (name->labels);
+}
+
+void
+dns_name_getlabel(const dns_name_t *name, unsigned int n, dns_label_t *label) {
+ unsigned char *offsets;
+ dns_offsets_t odata;
+
+ /*
+ * Make 'label' refer to the 'n'th least significant label of 'name'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(name->labels > 0);
+ REQUIRE(n < name->labels);
+ REQUIRE(label != NULL);
+
+ SETUP_OFFSETS(name, offsets, odata);
+
+ label->base = &name->ndata[offsets[n]];
+ if (n == name->labels - 1)
+ label->length = name->length - offsets[n];
+ else
+ label->length = offsets[n + 1] - offsets[n];
+}
+
+void
+dns_name_getlabelsequence(const dns_name_t *source,
+ unsigned int first, unsigned int n,
+ dns_name_t *target)
+{
+ unsigned char *offsets;
+ dns_offsets_t odata;
+ unsigned int firstoffset, endoffset;
+
+ /*
+ * Make 'target' refer to the 'n' labels including and following
+ * 'first' in 'source'.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(VALID_NAME(target));
+ REQUIRE(first <= source->labels);
+ REQUIRE(first + n <= source->labels);
+ REQUIRE(BINDABLE(target));
+
+ SETUP_OFFSETS(source, offsets, odata);
+
+ if (first == source->labels)
+ firstoffset = source->length;
+ else
+ firstoffset = offsets[first];
+
+ if (first + n == source->labels)
+ endoffset = source->length;
+ else
+ endoffset = offsets[first + n];
+
+ target->ndata = &source->ndata[firstoffset];
+ target->length = endoffset - firstoffset;
+
+ if (first + n == source->labels && n > 0 &&
+ (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+ else
+ target->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+
+ target->labels = n;
+
+ /*
+ * If source and target are the same, and we're making target
+ * a prefix of source, the offsets table is correct already
+ * so we don't need to call set_offsets().
+ */
+ if (target->offsets != NULL &&
+ (target != source || first != 0))
+ set_offsets(target, target->offsets, NULL);
+}
+
+void
+dns_name_clone(dns_name_t *source, dns_name_t *target) {
+
+ /*
+ * Make 'target' refer to the same name as 'source'.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(VALID_NAME(target));
+ REQUIRE(BINDABLE(target));
+
+ target->ndata = source->ndata;
+ target->length = source->length;
+ target->labels = source->labels;
+ target->attributes = source->attributes &
+ (unsigned int)~(DNS_NAMEATTR_READONLY | DNS_NAMEATTR_DYNAMIC |
+ DNS_NAMEATTR_DYNOFFSETS);
+ if (target->offsets != NULL && source->labels > 0) {
+ if (source->offsets != NULL)
+ memcpy(target->offsets, source->offsets,
+ source->labels);
+ else
+ set_offsets(target, target->offsets, NULL);
+ }
+}
+
+void
+dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
+ unsigned char *offsets;
+ dns_offsets_t odata;
+ unsigned int len;
+ isc_region_t r2;
+
+ /*
+ * Make 'name' refer to region 'r'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(r != NULL);
+ REQUIRE(BINDABLE(name));
+
+ INIT_OFFSETS(name, offsets, odata);
+
+ if (name->buffer != NULL) {
+ isc_buffer_clear(name->buffer);
+ isc_buffer_availableregion(name->buffer, &r2);
+ len = (r->length < r2.length) ? r->length : r2.length;
+ if (len > DNS_NAME_MAXWIRE)
+ len = DNS_NAME_MAXWIRE;
+ memcpy(r2.base, r->base, len);
+ name->ndata = r2.base;
+ name->length = len;
+ } else {
+ name->ndata = r->base;
+ name->length = (r->length <= DNS_NAME_MAXWIRE) ?
+ r->length : DNS_NAME_MAXWIRE;
+ }
+
+ if (r->length > 0)
+ set_offsets(name, offsets, name);
+ else {
+ name->labels = 0;
+ name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+ }
+
+ if (name->buffer != NULL)
+ isc_buffer_add(name->buffer, name->length);
+}
+
+void
+dns_name_toregion(dns_name_t *name, isc_region_t *r) {
+ /*
+ * Make 'r' refer to 'name'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(r != NULL);
+
+ DNS_NAME_TOREGION(name, r);
+}
+
+
+isc_result_t
+dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
+ dns_name_t *origin, unsigned int options,
+ isc_buffer_t *target)
+{
+ unsigned char *ndata, *label;
+ char *tdata;
+ char c;
+ ft_state state, kind;
+ unsigned int value, count, tbcount, bitlength, maxlength;
+ unsigned int n1, n2, vlen, tlen, nrem, nused, digits, labels, tused;
+ isc_boolean_t done;
+ unsigned char *offsets;
+ dns_offsets_t odata;
+ isc_boolean_t downcase;
+
+ /*
+ * Convert the textual representation of a DNS name at source
+ * into uncompressed wire form stored in target.
+ *
+ * Notes:
+ * Relative domain names will have 'origin' appended to them
+ * unless 'origin' is NULL, in which case relative domain names
+ * will remain relative.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(ISC_BUFFER_VALID(source));
+ REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+ (target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+ downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
+
+ if (target == NULL && name->buffer != NULL) {
+ target = name->buffer;
+ isc_buffer_clear(target);
+ }
+
+ REQUIRE(BINDABLE(name));
+
+ INIT_OFFSETS(name, offsets, odata);
+ offsets[0] = 0;
+
+ /*
+ * Initialize things to make the compiler happy; they're not required.
+ */
+ n1 = 0;
+ n2 = 0;
+ vlen = 0;
+ label = NULL;
+ digits = 0;
+ value = 0;
+ count = 0;
+ tbcount = 0;
+ bitlength = 0;
+ maxlength = 0;
+ kind = ft_init;
+
+ /*
+ * Make 'name' empty in case of failure.
+ */
+ MAKE_EMPTY(name);
+
+ /*
+ * Set up the state machine.
+ */
+ tdata = (char *)source->base + source->current;
+ tlen = isc_buffer_remaininglength(source);
+ tused = 0;
+ ndata = isc_buffer_used(target);
+ nrem = isc_buffer_availablelength(target);
+ if (nrem > 255)
+ nrem = 255;
+ nused = 0;
+ labels = 0;
+ done = ISC_FALSE;
+ state = ft_init;
+
+ while (nrem > 0 && tlen > 0 && !done) {
+ c = *tdata++;
+ tlen--;
+ tused++;
+
+ switch (state) {
+ case ft_init:
+ /*
+ * Is this the root name?
+ */
+ if (c == '.') {
+ if (tlen != 0)
+ return (DNS_R_EMPTYLABEL);
+ labels++;
+ *ndata++ = 0;
+ nrem--;
+ nused++;
+ done = ISC_TRUE;
+ break;
+ }
+ if (c == '@' && tlen == 0) {
+ state = ft_at;
+ break;
+ }
+
+ /* FALLTHROUGH */
+ case ft_start:
+ label = ndata;
+ ndata++;
+ nrem--;
+ nused++;
+ count = 0;
+ if (c == '\\') {
+ state = ft_initialescape;
+ break;
+ }
+ kind = ft_ordinary;
+ state = ft_ordinary;
+ if (nrem == 0)
+ return (ISC_R_NOSPACE);
+ /* FALLTHROUGH */
+ case ft_ordinary:
+ if (c == '.') {
+ if (count == 0)
+ return (DNS_R_EMPTYLABEL);
+ *label = count;
+ labels++;
+ INSIST(labels <= 127);
+ offsets[labels] = nused;
+ if (tlen == 0) {
+ labels++;
+ *ndata++ = 0;
+ nrem--;
+ nused++;
+ done = ISC_TRUE;
+ }
+ state = ft_start;
+ } else if (c == '\\') {
+ state = ft_escape;
+ } else {
+ if (count >= 63)
+ return (DNS_R_LABELTOOLONG);
+ count++;
+ CONVERTTOASCII(c);
+ if (downcase)
+ c = maptolower[(int)c];
+ *ndata++ = c;
+ nrem--;
+ nused++;
+ }
+ break;
+ case ft_initialescape:
+ if (c == '[') {
+ /*
+ * This looks like a bitstring label, which
+ * was deprecated. Intentionally drop it.
+ */
+ return (DNS_R_BADLABELTYPE);
+ }
+ kind = ft_ordinary;
+ state = ft_escape;
+ /* FALLTHROUGH */
+ case ft_escape:
+ if (!isdigit(c & 0xff)) {
+ if (count >= 63)
+ return (DNS_R_LABELTOOLONG);
+ count++;
+ CONVERTTOASCII(c);
+ if (downcase)
+ c = maptolower[(int)c];
+ *ndata++ = c;
+ nrem--;
+ nused++;
+ state = ft_ordinary;
+ break;
+ }
+ digits = 0;
+ value = 0;
+ state = ft_escdecimal;
+ /* FALLTHROUGH */
+ case ft_escdecimal:
+ if (!isdigit(c & 0xff))
+ return (DNS_R_BADESCAPE);
+ value *= 10;
+ value += digitvalue[(int)c];
+ digits++;
+ if (digits == 3) {
+ if (value > 255)
+ return (DNS_R_BADESCAPE);
+ if (count >= 63)
+ return (DNS_R_LABELTOOLONG);
+ count++;
+ if (downcase)
+ value = maptolower[value];
+ *ndata++ = value;
+ nrem--;
+ nused++;
+ state = ft_ordinary;
+ }
+ break;
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Unexpected state %d", state);
+ /* Does not return. */
+ }
+ }
+
+ if (!done) {
+ if (nrem == 0)
+ return (ISC_R_NOSPACE);
+ INSIST(tlen == 0);
+ if (state != ft_ordinary && state != ft_at)
+ return (ISC_R_UNEXPECTEDEND);
+ if (state == ft_ordinary) {
+ INSIST(count != 0);
+ *label = count;
+ labels++;
+ INSIST(labels <= 127);
+ offsets[labels] = nused;
+ }
+ if (origin != NULL) {
+ if (nrem < origin->length)
+ return (ISC_R_NOSPACE);
+ label = origin->ndata;
+ n1 = origin->length;
+ nrem -= n1;
+ while (n1 > 0) {
+ n2 = *label++;
+ INSIST(n2 <= 63); /* no bitstring support */
+ *ndata++ = n2;
+ n1 -= n2 + 1;
+ nused += n2 + 1;
+ while (n2 > 0) {
+ c = *label++;
+ if (downcase)
+ c = maptolower[(int)c];
+ *ndata++ = c;
+ n2--;
+ }
+ labels++;
+ if (n1 > 0) {
+ INSIST(labels <= 127);
+ offsets[labels] = nused;
+ }
+ }
+ if ((origin->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+ }
+ } else
+ name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+
+ name->ndata = (unsigned char *)target->base + target->used;
+ name->labels = labels;
+ name->length = nused;
+
+ isc_buffer_forward(source, tused);
+ isc_buffer_add(target, name->length);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
+ isc_buffer_t *target)
+{
+ unsigned char *ndata;
+ char *tdata;
+ unsigned int nlen, tlen;
+ unsigned char c;
+ unsigned int trem, count;
+ unsigned int labels;
+ isc_boolean_t saw_root = ISC_FALSE;
+
+ /*
+ * This function assumes the name is in proper uncompressed
+ * wire format.
+ */
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(ISC_BUFFER_VALID(target));
+
+ ndata = name->ndata;
+ nlen = name->length;
+ labels = name->labels;
+ tdata = isc_buffer_used(target);
+ tlen = isc_buffer_availablelength(target);
+
+ trem = tlen;
+
+ if (labels == 0 && nlen == 0) {
+ /*
+ * Special handling for an empty name.
+ */
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+
+ /*
+ * The names of these booleans are misleading in this case.
+ * This empty name is not necessarily from the root node of
+ * the DNS root zone, nor is a final dot going to be included.
+ * They need to be set this way, though, to keep the "@"
+ * from being trounced.
+ */
+ saw_root = ISC_TRUE;
+ omit_final_dot = ISC_FALSE;
+ *tdata++ = '@';
+ trem--;
+
+ /*
+ * Skip the while() loop.
+ */
+ nlen = 0;
+ } else if (nlen == 1 && labels == 1 && *ndata == '\0') {
+ /*
+ * Special handling for the root label.
+ */
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+
+ saw_root = ISC_TRUE;
+ omit_final_dot = ISC_FALSE;
+ *tdata++ = '.';
+ trem--;
+
+ /*
+ * Skip the while() loop.
+ */
+ nlen = 0;
+ }
+
+ while (labels > 0 && nlen > 0 && trem > 0) {
+ labels--;
+ count = *ndata++;
+ nlen--;
+ if (count == 0) {
+ saw_root = ISC_TRUE;
+ break;
+ }
+ if (count < 64) {
+ INSIST(nlen >= count);
+ while (count > 0) {
+ c = *ndata;
+ switch (c) {
+ case 0x22: /* '"' */
+ case 0x28: /* '(' */
+ case 0x29: /* ')' */
+ case 0x2E: /* '.' */
+ case 0x3B: /* ';' */
+ case 0x5C: /* '\\' */
+ /* Special modifiers in zone files. */
+ case 0x40: /* '@' */
+ case 0x24: /* '$' */
+ if (trem < 2)
+ return (ISC_R_NOSPACE);
+ *tdata++ = '\\';
+ CONVERTFROMASCII(c);
+ *tdata++ = c;
+ ndata++;
+ trem -= 2;
+ nlen--;
+ break;
+ default:
+ if (c > 0x20 && c < 0x7f) {
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+ CONVERTFROMASCII(c);
+ *tdata++ = c;
+ ndata++;
+ trem--;
+ nlen--;
+ } else {
+ char buf[5];
+ if (trem < 4)
+ return (ISC_R_NOSPACE);
+ snprintf(buf, sizeof(buf),
+ "\\%03u", c);
+ memcpy(tdata, buf, 4);
+ tdata += 4;
+ trem -= 4;
+ ndata++;
+ nlen--;
+ }
+ }
+ count--;
+ }
+ } else {
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Unexpected label type %02x", count);
+ /* NOTREACHED */
+ }
+
+ /*
+ * The following assumes names are absolute. If not, we
+ * fix things up later. Note that this means that in some
+ * cases one more byte of text buffer is required than is
+ * needed in the final output.
+ */
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+ *tdata++ = '.';
+ trem--;
+ }
+
+ if (nlen != 0 && trem == 0)
+ return (ISC_R_NOSPACE);
+
+ if (!saw_root || omit_final_dot)
+ trem++;
+
+ isc_buffer_add(target, tlen - trem);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
+ isc_buffer_t *target)
+{
+ unsigned char *ndata;
+ char *tdata;
+ unsigned int nlen, tlen;
+ unsigned char c;
+ unsigned int trem, count;
+ unsigned int labels;
+
+ /*
+ * This function assumes the name is in proper uncompressed
+ * wire format.
+ */
+ REQUIRE(VALID_NAME(name));
+ REQUIRE((name->attributes & DNS_NAMEATTR_ABSOLUTE) != 0);
+ REQUIRE(ISC_BUFFER_VALID(target));
+
+ ndata = name->ndata;
+ nlen = name->length;
+ labels = name->labels;
+ tdata = isc_buffer_used(target);
+ tlen = isc_buffer_availablelength(target);
+
+ trem = tlen;
+
+ if (nlen == 1 && labels == 1 && *ndata == '\0') {
+ /*
+ * Special handling for the root label.
+ */
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+
+ omit_final_dot = ISC_FALSE;
+ *tdata++ = '.';
+ trem--;
+
+ /*
+ * Skip the while() loop.
+ */
+ nlen = 0;
+ }
+
+ while (labels > 0 && nlen > 0 && trem > 0) {
+ labels--;
+ count = *ndata++;
+ nlen--;
+ if (count == 0)
+ break;
+ if (count < 64) {
+ INSIST(nlen >= count);
+ while (count > 0) {
+ c = *ndata;
+ if ((c >= 0x30 && c <= 0x39) || /* digit */
+ (c >= 0x41 && c <= 0x5A) || /* uppercase */
+ (c >= 0x61 && c <= 0x7A) || /* lowercase */
+ c == 0x2D || /* hyphen */
+ c == 0x5F) /* underscore */
+ {
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+ /* downcase */
+ if (c >= 0x41 && c <= 0x5A)
+ c += 0x20;
+ CONVERTFROMASCII(c);
+ *tdata++ = c;
+ ndata++;
+ trem--;
+ nlen--;
+ } else {
+ if (trem < 3)
+ return (ISC_R_NOSPACE);
+ sprintf(tdata, "%%%02X", c);
+ tdata += 3;
+ trem -= 3;
+ ndata++;
+ nlen--;
+ }
+ count--;
+ }
+ } else {
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Unexpected label type %02x", count);
+ /* NOTREACHED */
+ }
+
+ /*
+ * The following assumes names are absolute. If not, we
+ * fix things up later. Note that this means that in some
+ * cases one more byte of text buffer is required than is
+ * needed in the final output.
+ */
+ if (trem == 0)
+ return (ISC_R_NOSPACE);
+ *tdata++ = '.';
+ trem--;
+ }
+
+ if (nlen != 0 && trem == 0)
+ return (ISC_R_NOSPACE);
+
+ if (omit_final_dot)
+ trem++;
+
+ isc_buffer_add(target, tlen - trem);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_downcase(dns_name_t *source, dns_name_t *name, isc_buffer_t *target) {
+ unsigned char *sndata, *ndata;
+ unsigned int nlen, count, labels;
+ isc_buffer_t buffer;
+
+ /*
+ * Downcase 'source'.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(VALID_NAME(name));
+ if (source == name) {
+ REQUIRE((name->attributes & DNS_NAMEATTR_READONLY) == 0);
+ isc_buffer_init(&buffer, source->ndata, source->length);
+ target = &buffer;
+ ndata = source->ndata;
+ } else {
+ REQUIRE(BINDABLE(name));
+ REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+ (target == NULL && ISC_BUFFER_VALID(name->buffer)));
+ if (target == NULL) {
+ target = name->buffer;
+ isc_buffer_clear(name->buffer);
+ }
+ ndata = (unsigned char *)target->base + target->used;
+ name->ndata = ndata;
+ }
+
+ sndata = source->ndata;
+ nlen = source->length;
+ labels = source->labels;
+
+ if (nlen > (target->length - target->used)) {
+ MAKE_EMPTY(name);
+ return (ISC_R_NOSPACE);
+ }
+
+ while (labels > 0 && nlen > 0) {
+ labels--;
+ count = *sndata++;
+ *ndata++ = count;
+ nlen--;
+ if (count < 64) {
+ INSIST(nlen >= count);
+ while (count > 0) {
+ *ndata++ = maptolower[(*sndata++)];
+ nlen--;
+ count--;
+ }
+ } else {
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Unexpected label type %02x", count);
+ /* Does not return. */
+ }
+ }
+
+ if (source != name) {
+ name->labels = source->labels;
+ name->length = source->length;
+ if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ name->attributes = DNS_NAMEATTR_ABSOLUTE;
+ else
+ name->attributes = 0;
+ if (name->labels > 0 && name->offsets != NULL)
+ set_offsets(name, name->offsets, NULL);
+ }
+
+ isc_buffer_add(target, name->length);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+set_offsets(const dns_name_t *name, unsigned char *offsets,
+ dns_name_t *set_name)
+{
+ unsigned int offset, count, length, nlabels;
+ unsigned char *ndata;
+ isc_boolean_t absolute;
+
+ ndata = name->ndata;
+ length = name->length;
+ offset = 0;
+ nlabels = 0;
+ absolute = ISC_FALSE;
+ while (offset != length) {
+ INSIST(nlabels < 128);
+ offsets[nlabels++] = offset;
+ count = *ndata++;
+ offset++;
+ INSIST(count <= 63);
+ offset += count;
+ ndata += count;
+ INSIST(offset <= length);
+ if (count == 0) {
+ absolute = ISC_TRUE;
+ break;
+ }
+ }
+ if (set_name != NULL) {
+ INSIST(set_name == name);
+
+ set_name->labels = nlabels;
+ set_name->length = offset;
+ if (absolute)
+ set_name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+ else
+ set_name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+ }
+ INSIST(nlabels == name->labels);
+ INSIST(offset == name->length);
+}
+
+isc_result_t
+dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
+ dns_decompress_t *dctx, unsigned int options,
+ isc_buffer_t *target)
+{
+ unsigned char *cdata, *ndata;
+ unsigned int cused; /* Bytes of compressed name data used */
+ unsigned int hops, nused, labels, n, nmax;
+ unsigned int current, new_current, biggest_pointer;
+ isc_boolean_t done;
+ fw_state state = fw_start;
+ unsigned int c;
+ unsigned char *offsets;
+ dns_offsets_t odata;
+ isc_boolean_t downcase;
+
+ /*
+ * Copy the possibly-compressed name at source into target,
+ * decompressing it.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+ (target == NULL && ISC_BUFFER_VALID(name->buffer)));
+
+ downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
+
+ if (target == NULL && name->buffer != NULL) {
+ target = name->buffer;
+ isc_buffer_clear(target);
+ }
+
+ REQUIRE(dctx != NULL);
+ REQUIRE(BINDABLE(name));
+
+ INIT_OFFSETS(name, offsets, odata);
+
+ /*
+ * Make 'name' empty in case of failure.
+ */
+ MAKE_EMPTY(name);
+
+ /*
+ * Initialize things to make the compiler happy; they're not required.
+ */
+ n = 0;
+ new_current = 0;
+
+ /*
+ * Set up.
+ */
+ labels = 0;
+ hops = 0;
+ done = ISC_FALSE;
+
+ ndata = isc_buffer_used(target);
+ nused = 0;
+
+ /*
+ * Find the maximum number of uncompressed target name
+ * bytes we are willing to generate. This is the smaller
+ * of the available target buffer length and the
+ * maximum legal domain name length (255).
+ */
+ nmax = isc_buffer_availablelength(target);
+ if (nmax > DNS_NAME_MAXWIRE)
+ nmax = DNS_NAME_MAXWIRE;
+
+ cdata = isc_buffer_current(source);
+ cused = 0;
+
+ current = source->current;
+ biggest_pointer = current;
+
+ /*
+ * Note: The following code is not optimized for speed, but
+ * rather for correctness. Speed will be addressed in the future.
+ */
+
+ while (current < source->active && !done) {
+ c = *cdata++;
+ current++;
+ if (hops == 0)
+ cused++;
+
+ switch (state) {
+ case fw_start:
+ if (c < 64) {
+ offsets[labels] = nused;
+ labels++;
+ if (nused + c + 1 > nmax)
+ goto full;
+ nused += c + 1;
+ *ndata++ = c;
+ if (c == 0)
+ done = ISC_TRUE;
+ n = c;
+ state = fw_ordinary;
+ } else if (c >= 128 && c < 192) {
+ /*
+ * 14 bit local compression pointer.
+ * Local compression is no longer an
+ * IETF draft.
+ */
+ return (DNS_R_BADLABELTYPE);
+ } else if (c >= 192) {
+ /*
+ * Ordinary 14-bit pointer.
+ */
+ if ((dctx->allowed & DNS_COMPRESS_GLOBAL14) ==
+ 0)
+ return (DNS_R_DISALLOWED);
+ new_current = c & 0x3F;
+ n = 1;
+ state = fw_newcurrent;
+ } else
+ return (DNS_R_BADLABELTYPE);
+ break;
+ case fw_ordinary:
+ if (downcase)
+ c = maptolower[c];
+ /* FALLTHROUGH */
+ case fw_copy:
+ *ndata++ = c;
+ n--;
+ if (n == 0)
+ state = fw_start;
+ break;
+ case fw_newcurrent:
+ new_current *= 256;
+ new_current += c;
+ n--;
+ if (n != 0)
+ break;
+ if (new_current >= biggest_pointer)
+ return (DNS_R_BADPOINTER);
+ biggest_pointer = new_current;
+ current = new_current;
+ cdata = (unsigned char *)source->base +
+ current;
+ hops++;
+ if (hops > DNS_POINTER_MAXHOPS)
+ return (DNS_R_TOOMANYHOPS);
+ state = fw_start;
+ break;
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ "Unknown state %d", state);
+ /* Does not return. */
+ }
+ }
+
+ if (!done)
+ return (ISC_R_UNEXPECTEDEND);
+
+ name->ndata = (unsigned char *)target->base + target->used;
+ name->labels = labels;
+ name->length = nused;
+ name->attributes |= DNS_NAMEATTR_ABSOLUTE;
+
+ isc_buffer_forward(source, cused);
+ isc_buffer_add(target, name->length);
+
+ return (ISC_R_SUCCESS);
+
+ full:
+ if (nmax == DNS_NAME_MAXWIRE)
+ /*
+ * The name did not fit even though we had a buffer
+ * big enough to fit a maximum-length name.
+ */
+ return (DNS_R_NAMETOOLONG);
+ else
+ /*
+ * The name might fit if only the caller could give us a
+ * big enough buffer.
+ */
+ return (ISC_R_NOSPACE);
+
+}
+
+isc_result_t
+dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
+ unsigned int methods;
+ isc_uint16_t offset;
+ dns_name_t gp; /* Global compression prefix */
+ isc_boolean_t gf; /* Global compression target found */
+ isc_uint16_t go; /* Global compression offset */
+ dns_offsets_t clo;
+ dns_name_t clname;
+
+ /*
+ * Convert 'name' into wire format, compressing it as specified by the
+ * compression context 'cctx', and storing the result in 'target'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(cctx != NULL);
+ REQUIRE(ISC_BUFFER_VALID(target));
+
+ /*
+ * If 'name' doesn't have an offsets table, make a clone which
+ * has one.
+ */
+ if (name->offsets == NULL) {
+ DNS_NAME_INIT(&clname, clo);
+ dns_name_clone(name, &clname);
+ name = &clname;
+ }
+ DNS_NAME_INIT(&gp, NULL);
+
+ offset = target->used; /*XXX*/
+
+ methods = dns_compress_getmethods(cctx);
+
+ if ((methods & DNS_COMPRESS_GLOBAL14) != 0)
+ gf = dns_compress_findglobal(cctx, name, &gp, &go);
+ else
+ gf = ISC_FALSE;
+
+ /*
+ * If the offset is too high for 14 bit global compression, we're
+ * out of luck.
+ */
+ if (gf && go >= 0x4000)
+ gf = ISC_FALSE;
+
+ /*
+ * Will the compression pointer reduce the message size?
+ */
+ if (gf && (gp.length + 2) >= name->length)
+ gf = ISC_FALSE;
+
+ if (gf) {
+ if (target->length - target->used < gp.length)
+ return (ISC_R_NOSPACE);
+ (void)memcpy((unsigned char *)target->base + target->used,
+ gp.ndata, (size_t)gp.length);
+ isc_buffer_add(target, gp.length);
+ go |= 0xc000;
+ if (target->length - target->used < 2)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(target, go);
+ if (gp.length != 0)
+ dns_compress_add(cctx, name, &gp, offset);
+ } else {
+ if (target->length - target->used < name->length)
+ return (ISC_R_NOSPACE);
+ (void)memcpy((unsigned char *)target->base + target->used,
+ name->ndata, (size_t)name->length);
+ isc_buffer_add(target, name->length);
+ dns_compress_add(cctx, name, name, offset);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_concatenate(dns_name_t *prefix, dns_name_t *suffix, dns_name_t *name,
+ isc_buffer_t *target)
+{
+ unsigned char *ndata, *offsets;
+ unsigned int nrem, labels, prefix_length, length;
+ isc_boolean_t copy_prefix = ISC_TRUE;
+ isc_boolean_t copy_suffix = ISC_TRUE;
+ isc_boolean_t absolute = ISC_FALSE;
+ dns_name_t tmp_name;
+ dns_offsets_t odata;
+
+ /*
+ * Concatenate 'prefix' and 'suffix'.
+ */
+
+ REQUIRE(prefix == NULL || VALID_NAME(prefix));
+ REQUIRE(suffix == NULL || VALID_NAME(suffix));
+ REQUIRE(name == NULL || VALID_NAME(name));
+ REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
+ (target == NULL && name != NULL && ISC_BUFFER_VALID(name->buffer)));
+ if (prefix == NULL || prefix->labels == 0)
+ copy_prefix = ISC_FALSE;
+ if (suffix == NULL || suffix->labels == 0)
+ copy_suffix = ISC_FALSE;
+ if (copy_prefix &&
+ (prefix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0) {
+ absolute = ISC_TRUE;
+ REQUIRE(!copy_suffix);
+ }
+ if (name == NULL) {
+ DNS_NAME_INIT(&tmp_name, odata);
+ name = &tmp_name;
+ }
+ if (target == NULL) {
+ INSIST(name->buffer != NULL);
+ target = name->buffer;
+ isc_buffer_clear(name->buffer);
+ }
+
+ REQUIRE(BINDABLE(name));
+
+ /*
+ * Set up.
+ */
+ nrem = target->length - target->used;
+ ndata = (unsigned char *)target->base + target->used;
+ if (nrem > DNS_NAME_MAXWIRE)
+ nrem = DNS_NAME_MAXWIRE;
+ length = 0;
+ prefix_length = 0;
+ labels = 0;
+ if (copy_prefix) {
+ prefix_length = prefix->length;
+ length += prefix_length;
+ labels += prefix->labels;
+ }
+ if (copy_suffix) {
+ length += suffix->length;
+ labels += suffix->labels;
+ }
+ if (length > DNS_NAME_MAXWIRE) {
+ MAKE_EMPTY(name);
+ return (DNS_R_NAMETOOLONG);
+ }
+ if (length > nrem) {
+ MAKE_EMPTY(name);
+ return (ISC_R_NOSPACE);
+ }
+
+ if (copy_suffix) {
+ if ((suffix->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ absolute = ISC_TRUE;
+ if (suffix == name && suffix->buffer == target)
+ memmove(ndata + prefix_length, suffix->ndata,
+ suffix->length);
+ else
+ memcpy(ndata + prefix_length, suffix->ndata,
+ suffix->length);
+ }
+
+ /*
+ * If 'prefix' and 'name' are the same object, and the object has
+ * a dedicated buffer, and we're using it, then we don't have to
+ * copy anything.
+ */
+ if (copy_prefix && (prefix != name || prefix->buffer != target))
+ memcpy(ndata, prefix->ndata, prefix_length);
+
+ name->ndata = ndata;
+ name->labels = labels;
+ name->length = length;
+ if (absolute)
+ name->attributes = DNS_NAMEATTR_ABSOLUTE;
+ else
+ name->attributes = 0;
+
+ if (name->labels > 0 && name->offsets != NULL) {
+ INIT_OFFSETS(name, offsets, odata);
+ set_offsets(name, offsets, NULL);
+ }
+
+ isc_buffer_add(target, name->length);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_split(dns_name_t *name, unsigned int suffixlabels,
+ dns_name_t *prefix, dns_name_t *suffix)
+
+{
+ unsigned int splitlabel;
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(suffixlabels > 0);
+ REQUIRE(suffixlabels < name->labels);
+ REQUIRE(prefix != NULL || suffix != NULL);
+ REQUIRE(prefix == NULL ||
+ (VALID_NAME(prefix) &&
+ prefix->buffer != NULL &&
+ BINDABLE(prefix)));
+ REQUIRE(suffix == NULL ||
+ (VALID_NAME(suffix) &&
+ suffix->buffer != NULL &&
+ BINDABLE(suffix)));
+
+ splitlabel = name->labels - suffixlabels;
+
+ if (prefix != NULL)
+ dns_name_getlabelsequence(name, 0, splitlabel, prefix);
+
+ if (suffix != NULL)
+ dns_name_getlabelsequence(name, splitlabel,
+ suffixlabels, suffix);
+
+ return;
+}
+
+isc_result_t
+dns_name_dup(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+ /*
+ * Make 'target' a dynamically allocated copy of 'source'.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(source->length > 0);
+ REQUIRE(VALID_NAME(target));
+ REQUIRE(BINDABLE(target));
+
+ /*
+ * Make 'target' empty in case of failure.
+ */
+ MAKE_EMPTY(target);
+
+ target->ndata = isc_mem_get(mctx, source->length);
+ if (target->ndata == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memcpy(target->ndata, source->ndata, source->length);
+
+ target->length = source->length;
+ target->labels = source->labels;
+ target->attributes = DNS_NAMEATTR_DYNAMIC;
+ if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+ if (target->offsets != NULL) {
+ if (source->offsets != NULL)
+ memcpy(target->offsets, source->offsets,
+ source->labels);
+ else
+ set_offsets(target, target->offsets, NULL);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_name_dupwithoffsets(dns_name_t *source, isc_mem_t *mctx,
+ dns_name_t *target)
+{
+ /*
+ * Make 'target' a read-only dynamically allocated copy of 'source'.
+ * 'target' will also have a dynamically allocated offsets table.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(source->length > 0);
+ REQUIRE(VALID_NAME(target));
+ REQUIRE(BINDABLE(target));
+ REQUIRE(target->offsets == NULL);
+
+ /*
+ * Make 'target' empty in case of failure.
+ */
+ MAKE_EMPTY(target);
+
+ target->ndata = isc_mem_get(mctx, source->length + source->labels);
+ if (target->ndata == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memcpy(target->ndata, source->ndata, source->length);
+
+ target->length = source->length;
+ target->labels = source->labels;
+ target->attributes = DNS_NAMEATTR_DYNAMIC | DNS_NAMEATTR_DYNOFFSETS |
+ DNS_NAMEATTR_READONLY;
+ if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ target->attributes |= DNS_NAMEATTR_ABSOLUTE;
+ target->offsets = target->ndata + source->length;
+ if (source->offsets != NULL)
+ memcpy(target->offsets, source->offsets, source->labels);
+ else
+ set_offsets(target, target->offsets, NULL);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_free(dns_name_t *name, isc_mem_t *mctx) {
+ size_t size;
+
+ /*
+ * Free 'name'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0);
+
+ size = name->length;
+ if ((name->attributes & DNS_NAMEATTR_DYNOFFSETS) != 0)
+ size += name->labels;
+ isc_mem_put(mctx, name->ndata, size);
+ dns_name_invalidate(name);
+}
+
+isc_result_t
+dns_name_digest(dns_name_t *name, dns_digestfunc_t digest, void *arg) {
+ dns_name_t downname;
+ unsigned char data[256];
+ isc_buffer_t buffer;
+ isc_result_t result;
+ isc_region_t r;
+
+ /*
+ * Send 'name' in DNSSEC canonical form to 'digest'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+ REQUIRE(digest != NULL);
+
+ DNS_NAME_INIT(&downname, NULL);
+ isc_buffer_init(&buffer, data, sizeof(data));
+
+ result = dns_name_downcase(name, &downname, &buffer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isc_buffer_usedregion(&buffer, &r);
+
+ return ((digest)(arg, &r));
+}
+
+isc_boolean_t
+dns_name_dynamic(dns_name_t *name) {
+ REQUIRE(VALID_NAME(name));
+
+ /*
+ * Returns whether there is dynamic memory associated with this name.
+ */
+
+ return ((name->attributes & DNS_NAMEATTR_DYNAMIC) != 0 ?
+ ISC_TRUE : ISC_FALSE);
+}
+
+isc_result_t
+dns_name_print(dns_name_t *name, FILE *stream) {
+ isc_result_t result;
+ isc_buffer_t b;
+ isc_region_t r;
+ char t[1024];
+
+ /*
+ * Print 'name' on 'stream'.
+ */
+
+ REQUIRE(VALID_NAME(name));
+
+ isc_buffer_init(&b, t, sizeof(t));
+ result = dns_name_totext(name, ISC_FALSE, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(&b, &r);
+ fprintf(stream, "%.*s", (int)r.length, (char *)r.base);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_name_format(dns_name_t *name, char *cp, unsigned int size) {
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ REQUIRE(size > 0);
+
+ /*
+ * Leave room for null termination after buffer.
+ */
+ isc_buffer_init(&buf, cp, size - 1);
+ result = dns_name_totext(name, ISC_TRUE, &buf);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Null terminate.
+ */
+ isc_region_t r;
+ isc_buffer_usedregion(&buf, &r);
+ ((char *) r.base)[r.length] = '\0';
+
+ } else
+ snprintf(cp, size, "<unknown>");
+}
+
+isc_result_t
+dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
+ unsigned char *ndata;
+
+ /*
+ * Make dest a copy of source.
+ */
+
+ REQUIRE(VALID_NAME(source));
+ REQUIRE(VALID_NAME(dest));
+ REQUIRE(target != NULL || dest->buffer != NULL);
+
+ if (target == NULL) {
+ target = dest->buffer;
+ isc_buffer_clear(dest->buffer);
+ }
+
+ REQUIRE(BINDABLE(dest));
+
+ /*
+ * Set up.
+ */
+ if (target->length - target->used < source->length)
+ return (ISC_R_NOSPACE);
+
+ ndata = (unsigned char *)target->base + target->used;
+ dest->ndata = target->base;
+
+ memcpy(ndata, source->ndata, source->length);
+
+ dest->ndata = ndata;
+ dest->labels = source->labels;
+ dest->length = source->length;
+ if ((source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
+ dest->attributes = DNS_NAMEATTR_ABSOLUTE;
+ else
+ dest->attributes = 0;
+
+ if (dest->labels > 0 && dest->offsets != NULL) {
+ if (source->offsets != NULL)
+ memcpy(dest->offsets, source->offsets, source->labels);
+ else
+ set_offsets(dest, dest->offsets, NULL);
+ }
+
+ isc_buffer_add(target, dest->length);
+
+ return (ISC_R_SUCCESS);
+}
+
diff --git a/contrib/bind9/lib/dns/ncache.c b/contrib/bind9/lib/dns/ncache.c
new file mode 100644
index 0000000..dddde60
--- /dev/null
+++ b/contrib/bind9/lib/dns/ncache.c
@@ -0,0 +1,554 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ncache.c,v 1.24.2.4.2.7 2004/03/08 02:07:54 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+/*
+ * The format of an ncache rdata is a sequence of one or more records of
+ * the following format:
+ *
+ * owner name
+ * type
+ * rdata count
+ * rdata length These two occur 'rdata count'
+ * rdata times.
+ *
+ */
+
+static inline isc_result_t
+copy_rdataset(dns_rdataset_t *rdataset, isc_buffer_t *buffer) {
+ isc_result_t result;
+ unsigned int count;
+ isc_region_t ar, r;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * Copy the rdataset count to the buffer.
+ */
+ isc_buffer_availableregion(buffer, &ar);
+ if (ar.length < 2)
+ return (ISC_R_NOSPACE);
+ count = dns_rdataset_count(rdataset);
+ INSIST(count <= 65535);
+ isc_buffer_putuint16(buffer, (isc_uint16_t)count);
+
+ result = dns_rdataset_first(rdataset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(rdataset, &rdata);
+ dns_rdata_toregion(&rdata, &r);
+ INSIST(r.length <= 65535);
+ isc_buffer_availableregion(buffer, &ar);
+ if (ar.length < 2)
+ return (ISC_R_NOSPACE);
+ /*
+ * Copy the rdata length to the buffer.
+ */
+ isc_buffer_putuint16(buffer, (isc_uint16_t)r.length);
+ /*
+ * Copy the rdata to the buffer.
+ */
+ result = isc_buffer_copyregion(buffer, &r);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdataset_t *addedrdataset)
+{
+ isc_result_t result;
+ isc_buffer_t buffer;
+ isc_region_t r;
+ dns_rdataset_t *rdataset;
+ dns_rdatatype_t type;
+ dns_name_t *name;
+ dns_ttl_t ttl;
+ dns_trust_t trust;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t ncrdataset;
+ dns_rdatalist_t ncrdatalist;
+ unsigned char data[4096];
+
+ /*
+ * Convert the authority data from 'message' into a negative cache
+ * rdataset, and store it in 'cache' at 'node'.
+ */
+
+ REQUIRE(message != NULL);
+
+ /*
+ * We assume that all data in the authority section has been
+ * validated by the caller.
+ */
+
+ /*
+ * First, build an ncache rdata in buffer.
+ */
+ ttl = maxttl;
+ trust = 0xffff;
+ isc_buffer_init(&buffer, data, sizeof(data));
+ if (message->counts[DNS_SECTION_AUTHORITY])
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ else
+ result = ISC_R_NOMORE;
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY,
+ &name);
+ if ((name->attributes & DNS_NAMEATTR_NCACHE) != 0) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if ((rdataset->attributes &
+ DNS_RDATASETATTR_NCACHE) == 0)
+ continue;
+ type = rdataset->type;
+ if (type == dns_rdatatype_rrsig)
+ type = rdataset->covers;
+ if (type == dns_rdatatype_soa ||
+ type == dns_rdatatype_nsec) {
+ if (ttl > rdataset->ttl)
+ ttl = rdataset->ttl;
+ if (trust > rdataset->trust)
+ trust = rdataset->trust;
+ /*
+ * Copy the owner name to the buffer.
+ */
+ dns_name_toregion(name, &r);
+ result = isc_buffer_copyregion(&buffer,
+ &r);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /*
+ * Copy the type to the buffer.
+ */
+ isc_buffer_availableregion(&buffer,
+ &r);
+ if (r.length < 2)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(&buffer,
+ rdataset->type);
+ /*
+ * Copy the rdataset into the buffer.
+ */
+ result = copy_rdataset(rdataset,
+ &buffer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ }
+ }
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ }
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ if (trust == 0xffff) {
+ /*
+ * We didn't find any authority data from which to create a
+ * negative cache rdataset. In particular, we have no SOA.
+ *
+ * We trust that the caller wants negative caching, so this
+ * means we have a "type 3 nxdomain" or "type 3 nodata"
+ * response (see RFC 2308 for details).
+ *
+ * We will now build a suitable negative cache rdataset that
+ * will cause zero bytes to be emitted when converted to
+ * wire format.
+ */
+
+ /*
+ * The ownername must exist, but it doesn't matter what value
+ * it has. We use the root name.
+ */
+ dns_name_toregion(dns_rootname, &r);
+ result = isc_buffer_copyregion(&buffer, &r);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /*
+ * Copy the type and a zero rdata count to the buffer.
+ */
+ isc_buffer_availableregion(&buffer, &r);
+ if (r.length < 4)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(&buffer, 0);
+ isc_buffer_putuint16(&buffer, 0);
+ /*
+ * RFC 2308, section 5, says that negative answers without
+ * SOAs should not be cached.
+ */
+ ttl = 0;
+ /*
+ * Set trust.
+ */
+ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0 &&
+ message->counts[DNS_SECTION_ANSWER] == 0) {
+ /*
+ * The response has aa set and we haven't followed
+ * any CNAME or DNAME chains.
+ */
+ trust = dns_trust_authauthority;
+ } else
+ trust = dns_trust_additional;
+ }
+
+ /*
+ * Now add it to the cache.
+ */
+ INSIST(trust != 0xffff);
+ isc_buffer_usedregion(&buffer, &r);
+ rdata.data = r.base;
+ rdata.length = r.length;
+ rdata.rdclass = dns_db_class(cache);
+ rdata.type = 0;
+ rdata.flags = 0;
+
+ ncrdatalist.rdclass = rdata.rdclass;
+ ncrdatalist.type = 0;
+ ncrdatalist.covers = covers;
+ ncrdatalist.ttl = ttl;
+ ISC_LIST_INIT(ncrdatalist.rdata);
+ ISC_LINK_INIT(&ncrdatalist, link);
+
+ ISC_LIST_APPEND(ncrdatalist.rdata, &rdata, link);
+
+ dns_rdataset_init(&ncrdataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
+ == ISC_R_SUCCESS);
+ ncrdataset.trust = trust;
+ if (message->rcode == dns_rcode_nxdomain)
+ ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
+
+ return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
+ 0, addedrdataset));
+}
+
+isc_result_t
+dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
+ isc_buffer_t *target, unsigned int options,
+ unsigned int *countp)
+{
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ isc_region_t remaining, tavailable;
+ isc_buffer_t source, savedbuffer, rdlen;
+ dns_name_t name;
+ dns_rdatatype_t type;
+ unsigned int i, rcount, count;
+
+ /*
+ * Convert the negative caching rdataset 'rdataset' to wire format,
+ * compressing names as specified in 'cctx', and storing the result in
+ * 'target'.
+ */
+
+ REQUIRE(rdataset != NULL);
+ REQUIRE(rdataset->type == 0);
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &rdata);
+ INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
+ isc_buffer_init(&source, rdata.data, rdata.length);
+ isc_buffer_add(&source, rdata.length);
+
+ savedbuffer = *target;
+
+ count = 0;
+ do {
+ dns_name_init(&name, NULL);
+ isc_buffer_remainingregion(&source, &remaining);
+ dns_name_fromregion(&name, &remaining);
+ INSIST(remaining.length >= name.length);
+ isc_buffer_forward(&source, name.length);
+ remaining.length -= name.length;
+
+ INSIST(remaining.length >= 4);
+ type = isc_buffer_getuint16(&source);
+ rcount = isc_buffer_getuint16(&source);
+
+ for (i = 0; i < rcount; i++) {
+ /*
+ * Get the length of this rdata and set up an
+ * rdata structure for it.
+ */
+ isc_buffer_remainingregion(&source, &remaining);
+ INSIST(remaining.length >= 2);
+ dns_rdata_reset(&rdata);
+ rdata.length = isc_buffer_getuint16(&source);
+ isc_buffer_remainingregion(&source, &remaining);
+ rdata.data = remaining.base;
+ rdata.type = type;
+ rdata.rdclass = rdataset->rdclass;
+ INSIST(remaining.length >= rdata.length);
+ isc_buffer_forward(&source, rdata.length);
+
+ if ((options & DNS_NCACHETOWIRE_OMITDNSSEC) != 0 &&
+ dns_rdatatype_isdnssec(type))
+ continue;
+
+ /*
+ * Write the name.
+ */
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+ result = dns_name_towire(&name, cctx, target);
+ if (result != ISC_R_SUCCESS)
+ goto rollback;
+
+ /*
+ * See if we have space for type, class, ttl, and
+ * rdata length. Write the type, class, and ttl.
+ */
+ isc_buffer_availableregion(target, &tavailable);
+ if (tavailable.length < 10) {
+ result = ISC_R_NOSPACE;
+ goto rollback;
+ }
+ isc_buffer_putuint16(target, type);
+ isc_buffer_putuint16(target, rdataset->rdclass);
+ isc_buffer_putuint32(target, rdataset->ttl);
+
+ /*
+ * Save space for rdata length.
+ */
+ rdlen = *target;
+ isc_buffer_add(target, 2);
+
+ /*
+ * Write the rdata.
+ */
+ result = dns_rdata_towire(&rdata, cctx, target);
+ if (result != ISC_R_SUCCESS)
+ goto rollback;
+
+ /*
+ * Set the rdata length field to the compressed
+ * length.
+ */
+ INSIST((target->used >= rdlen.used + 2) &&
+ (target->used - rdlen.used - 2 < 65536));
+ isc_buffer_putuint16(&rdlen,
+ (isc_uint16_t)(target->used -
+ rdlen.used - 2));
+
+ count++;
+ }
+ isc_buffer_remainingregion(&source, &remaining);
+ } while (remaining.length > 0);
+
+ *countp = count;
+
+ return (ISC_R_SUCCESS);
+
+ rollback:
+ INSIST(savedbuffer.used < 65536);
+ dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
+ *countp = 0;
+ *target = savedbuffer;
+
+ return (result);
+}
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+ UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+ if (count == 0) {
+ rdataset->private5 = NULL;
+ return (ISC_R_NOMORE);
+ }
+ raw += 2;
+ /*
+ * The privateuint4 field is the number of rdata beyond the cursor
+ * position, so we decrement the total count by one before storing
+ * it.
+ */
+ count--;
+ rdataset->privateuint4 = count;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+ unsigned int count;
+ unsigned int length;
+ unsigned char *raw;
+
+ count = rdataset->privateuint4;
+ if (count == 0)
+ return (ISC_R_NOMORE);
+ count--;
+ rdataset->privateuint4 = count;
+ raw = rdataset->private5;
+ length = raw[0] * 256 + raw[1];
+ raw += length + 2;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ unsigned char *raw = rdataset->private5;
+ isc_region_t r;
+
+ REQUIRE(raw != NULL);
+
+ r.length = raw[0] * 256 + raw[1];
+ raw += 2;
+ r.base = raw;
+ dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ *target = *source;
+
+ /*
+ * Reset iterator state.
+ */
+ target->privateuint4 = 0;
+ target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+
+ return (count);
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+ rdataset_disassociate,
+ rdataset_first,
+ rdataset_next,
+ rdataset_current,
+ rdataset_clone,
+ rdataset_count,
+ NULL,
+ NULL
+};
+
+isc_result_t
+dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
+ dns_rdatatype_t type, dns_rdataset_t *rdataset)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_region_t remaining;
+ isc_buffer_t source;
+ dns_name_t tname;
+ dns_rdatatype_t ttype;
+ unsigned int i, rcount;
+ isc_uint16_t length;
+
+ REQUIRE(ncacherdataset != NULL);
+ REQUIRE(ncacherdataset->type == 0);
+ REQUIRE(name != NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+ REQUIRE(type != dns_rdatatype_rrsig);
+
+ result = dns_rdataset_first(ncacherdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(ncacherdataset, &rdata);
+ INSIST(dns_rdataset_next(ncacherdataset) == ISC_R_NOMORE);
+ isc_buffer_init(&source, rdata.data, rdata.length);
+ isc_buffer_add(&source, rdata.length);
+
+ do {
+ dns_name_init(&tname, NULL);
+ isc_buffer_remainingregion(&source, &remaining);
+ dns_name_fromregion(&tname, &remaining);
+ INSIST(remaining.length >= tname.length);
+ isc_buffer_forward(&source, tname.length);
+ remaining.length -= tname.length;
+
+ INSIST(remaining.length >= 4);
+ ttype = isc_buffer_getuint16(&source);
+
+ if (ttype == type && dns_name_equal(&tname, name)) {
+ isc_buffer_remainingregion(&source, &remaining);
+ break;
+ }
+
+ rcount = isc_buffer_getuint16(&source);
+ for (i = 0; i < rcount; i++) {
+ isc_buffer_remainingregion(&source, &remaining);
+ INSIST(remaining.length >= 2);
+ length = isc_buffer_getuint16(&source);
+ isc_buffer_remainingregion(&source, &remaining);
+ INSIST(remaining.length >= length);
+ isc_buffer_forward(&source, length);
+ }
+ isc_buffer_remainingregion(&source, &remaining);
+ } while (remaining.length > 0);
+
+ if (remaining.length == 0)
+ return (ISC_R_NOTFOUND);
+
+ rdataset->methods = &rdataset_methods;
+ rdataset->rdclass = ncacherdataset->rdclass;
+ rdataset->type = type;
+ rdataset->covers = 0;
+ rdataset->ttl = ncacherdataset->ttl;
+ rdataset->trust = ncacherdataset->trust;
+ rdataset->private1 = NULL;
+ rdataset->private2 = NULL;
+
+ rdataset->private3 = remaining.base;
+
+ /*
+ * Reset iterator state.
+ */
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+ return (ISC_R_SUCCESS);
+}
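Review bot: The iterator callbacks `rdataset_first`, `rdataset_next` and `rdataset_current` walk the blob at `rdataset->private3` using only the 16-bit count and length fields stored in it, and `dns_ncache_getrdataset` hands them `remaining.base` without recording `remaining.length`, so none of them can detect a length that runs past the end of the cached rdata. That is safe only while every blob is produced by `dns_ncache_add` and `copy_rdataset` in this file. I would state the invariant above `rdataset_methods`, for example `/* Iterators trust the count/length fields written by copy_rdataset(); the blob must never come from unvalidated input. */`. Relatedly, `dns_ncache_towire` and `dns_ncache_getrdataset` check the same fields with `INSIST`, so an inconsistent entry ends in an assertion failure rather than an error result, which matters when assessing availability.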
diff --git a/contrib/bind9/lib/dns/nsec.c b/contrib/bind9/lib/dns/nsec.c
new file mode 100644
index 0000000..c259706
--- /dev/null
+++ b/contrib/bind9/lib/dns/nsec.c
@@ -0,0 +1,218 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec.c,v 1.5.2.1 2004/03/08 02:07:55 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/nsec.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto failure; \
+ } while (0)
+
+static void
+set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
+ unsigned int shift, mask;
+
+ shift = 7 - (index % 8);
+ mask = 1 << shift;
+
+ if (bit != 0)
+ array[index / 8] |= mask;
+ else
+ array[index / 8] &= (~mask & 0xFF);
+}
+
+static unsigned int
+bit_isset(unsigned char *array, unsigned int index) {
+ unsigned int byte, shift, mask;
+
+ byte = array[index / 8];
+ shift = 7 - (index % 8);
+ mask = 1 << shift;
+
+ return ((byte & mask) != 0);
+}
+
+isc_result_t
+dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+ dns_dbnode_t *node, dns_name_t *target,
+ unsigned char *buffer, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+ isc_region_t r;
+ unsigned int i, window;
+ int octet;
+
+ unsigned char *nsec_bits, *bm;
+ unsigned int max_type;
+ dns_rdatasetiter_t *rdsiter;
+
+ memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
+ dns_name_toregion(target, &r);
+ memcpy(buffer, r.base, r.length);
+ r.base = buffer;
+ /*
+ * Use the end of the space for a raw bitmap leaving enough
+ * space for the window identifiers and length octets.
+ */
+ bm = r.base + r.length + 512;
+ nsec_bits = r.base + r.length;
+ set_bit(bm, dns_rdatatype_nsec, 1);
+ max_type = dns_rdatatype_nsec;
+ dns_rdataset_init(&rdataset);
+ rdsiter = NULL;
+ result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter))
+ {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ if (rdataset.type != dns_rdatatype_nsec) {
+ if (rdataset.type > max_type)
+ max_type = rdataset.type;
+ set_bit(bm, rdataset.type, 1);
+ }
+ dns_rdataset_disassociate(&rdataset);
+ }
+
+ /*
+ * At zone cuts, deny the existence of glue in the parent zone.
+ */
+ if (bit_isset(bm, dns_rdatatype_ns) &&
+ ! bit_isset(bm, dns_rdatatype_soa)) {
+ for (i = 0; i <= max_type; i++) {
+ if (bit_isset(bm, i) &&
+ ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+ set_bit(bm, i, 0);
+ }
+ }
+
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ for (window = 0; window < 256; window++) {
+ if (window * 256 > max_type)
+ break;
+ for (octet = 31; octet >= 0; octet--)
+ if (bm[window * 32 + octet] != 0)
+ break;
+ if (octet < 0)
+ continue;
+ nsec_bits[0] = window;
+ nsec_bits[1] = octet + 1;
+ /*
+ * Note: potential overlapping move.
+ */
+ memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
+ nsec_bits += 3 + octet;
+ }
+ r.length = nsec_bits - r.base;
+ INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
+ dns_rdata_fromregion(rdata,
+ dns_db_class(db),
+ dns_rdatatype_nsec,
+ &r);
+
+ return (ISC_R_SUCCESS);
+}
+
+
+isc_result_t
+dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
+ dns_name_t *target, dns_ttl_t ttl)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned char data[DNS_NSEC_BUFFERSIZE];
+ dns_rdatalist_t rdatalist;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ dns_rdata_init(&rdata);
+
+ RETERR(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
+
+ rdatalist.rdclass = dns_db_class(db);
+ rdatalist.type = dns_rdatatype_nsec;
+ rdatalist.covers = 0;
+ rdatalist.ttl = ttl;
+ ISC_LIST_INIT(rdatalist.rdata);
+ ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+ RETERR(dns_rdatalist_tordataset(&rdatalist, &rdataset));
+ result = dns_db_addrdataset(db, node, version, 0, &rdataset,
+ 0, NULL);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ RETERR(result);
+ failure:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ return (result);
+}
+
+isc_boolean_t
+dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
+ dns_rdata_nsec_t nsecstruct;
+ isc_result_t result;
+ isc_boolean_t present;
+ unsigned int i, len, window;
+
+ REQUIRE(nsec != NULL);
+ REQUIRE(nsec->type == dns_rdatatype_nsec);
+
+ /* This should never fail */
+ result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
+ INSIST(result == ISC_R_SUCCESS);
+
+ present = ISC_FALSE;
+ for (i = 0; i < nsecstruct.len; i += len) {
+ INSIST(i + 2 <= nsecstruct.len);
+ window = nsecstruct.typebits[i];
+ len = nsecstruct.typebits[i + 1];
+ INSIST(len > 0 && len <= 32);
+ i += 2;
+ INSIST(i + len <= nsecstruct.len);
+ if (window * 256 > type)
+ break;
+ if ((window + 1) * 256 <= type)
+ continue;
+ if (type < (window * 256) + len * 8)
+ present = ISC_TF(bit_isset(&nsecstruct.typebits[i],
+ type % 256));
+ break;
+ }
+ dns_rdata_freestruct(&nsec);
+ return (present);
+}
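Review bot: In `dns_nsec_typepresent` the cleanup call `dns_rdata_freestruct(&nsec)` passes the address of the `dns_rdata_t *` parameter, not the structure that `dns_rdata_tostruct(nsec, &nsecstruct, NULL)` filled in; it should read `dns_rdata_freestruct(&nsecstruct);`. The definition of `dns_rdata_freestruct` is not in this hunk, so the effect is inferred: it presumably reads the bytes of the pointer variable as if they were a struct header. That may be harmless because the struct was built with a NULL memory context, but it is still a type mix-up that the compiler cannot flag if the parameter is an untyped pointer.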
diff --git a/contrib/bind9/lib/dns/order.c b/contrib/bind9/lib/dns/order.c
new file mode 100644
index 0000000..f09afed
--- /dev/null
+++ b/contrib/bind9/lib/dns/order.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: order.c,v 1.4.202.4 2004/03/08 09:04:30 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#include <isc/refcount.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/order.h>
+#include <dns/rdataset.h>
+#include <dns/types.h>
+
+typedef struct dns_order_ent dns_order_ent_t;
+struct dns_order_ent {
+ dns_fixedname_t name;
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t rdtype;
+ unsigned int mode;
+ ISC_LINK(dns_order_ent_t) link;
+};
+
+struct dns_order {
+ unsigned int magic;
+ isc_refcount_t references;
+ ISC_LIST(dns_order_ent_t) ents;
+ isc_mem_t *mctx;
+};
+
+#define DNS_ORDER_MAGIC ISC_MAGIC('O','r','d','r')
+#define DNS_ORDER_VALID(order) ISC_MAGIC_VALID(order, DNS_ORDER_MAGIC)
+
+isc_result_t
+dns_order_create(isc_mem_t *mctx, dns_order_t **orderp) {
+ dns_order_t *order;
+ REQUIRE(orderp != NULL && *orderp == NULL);
+
+ order = isc_mem_get(mctx, sizeof(*order));
+ if (order == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ISC_LIST_INIT(order->ents);
+ isc_refcount_init(&order->references, 1); /* Implicit attach. */
+
+ order->mctx = NULL;
+ isc_mem_attach(mctx, &order->mctx);
+ order->magic = DNS_ORDER_MAGIC;
+ *orderp = order;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_order_add(dns_order_t *order, dns_name_t *name,
+ dns_rdatatype_t rdtype, dns_rdataclass_t rdclass,
+ unsigned int mode)
+{
+ dns_order_ent_t *ent;
+
+ REQUIRE(DNS_ORDER_VALID(order));
+ REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE ||
+ mode == DNS_RDATASETATTR_FIXEDORDER ||
+ mode == 0 /* DNS_RDATASETATTR_CYCLIC */ );
+
+ ent = isc_mem_get(order->mctx, sizeof(*ent));
+ if (ent == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dns_fixedname_init(&ent->name);
+ RUNTIME_CHECK(dns_name_copy(name, dns_fixedname_name(&ent->name), NULL)
+ == ISC_R_SUCCESS);
+ ent->rdtype = rdtype;
+ ent->rdclass = rdclass;
+ ent->mode = mode;
+ ISC_LINK_INIT(ent, link);
+ ISC_LIST_INITANDAPPEND(order->ents, ent, link);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+match(dns_name_t *name1, dns_name_t *name2) {
+
+ if (dns_name_iswildcard(name2))
+ return(dns_name_matcheswildcard(name1, name2));
+ return (dns_name_equal(name1, name2));
+}
+
+unsigned int
+dns_order_find(dns_order_t *order, dns_name_t *name,
+ dns_rdatatype_t rdtype, dns_rdataclass_t rdclass)
+{
+ dns_order_ent_t *ent;
+ REQUIRE(DNS_ORDER_VALID(order));
+
+ for (ent = ISC_LIST_HEAD(order->ents);
+ ent != NULL;
+ ent = ISC_LIST_NEXT(ent, link)) {
+ if (ent->rdtype != rdtype && ent->rdtype != dns_rdatatype_any)
+ continue;
+ if (ent->rdclass != rdclass &&
+ ent->rdclass != dns_rdataclass_any)
+ continue;
+ if (match(name, dns_fixedname_name(&ent->name)))
+ return (ent->mode);
+ }
+ return (0);
+}
+
+void
+dns_order_attach(dns_order_t *source, dns_order_t **target) {
+ REQUIRE(DNS_ORDER_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+ isc_refcount_increment(&source->references, NULL);
+ *target = source;
+}
+
+void
+dns_order_detach(dns_order_t **orderp) {
+ dns_order_t *order;
+ dns_order_ent_t *ent;
+ unsigned int references;
+
+ REQUIRE(orderp != NULL);
+ order = *orderp;
+ REQUIRE(DNS_ORDER_VALID(order));
+ isc_refcount_decrement(&order->references, &references);
+ *orderp = NULL;
+ if (references != 0)
+ return;
+
+ order->magic = 0;
+ while ((ent = ISC_LIST_HEAD(order->ents)) != NULL) {
+ ISC_LIST_UNLINK(order->ents, ent, link);
+ isc_mem_put(order->mctx, ent, sizeof(*ent));
+ }
+ isc_refcount_destroy(&order->references);
+ isc_mem_putanddetach(&order->mctx, order, sizeof(*order));
+}
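Review bot: In `dns_order_find()` the fall-through `return (0);` is indistinguishable from a matched entry whose mode is 0, which `dns_order_add()` accepts as the cyclic mode according to its own inline comment. If that overlap is intentional, meaning no rule implies cyclic ordering, it deserves a comment at the return, for example `/* No entry matched; 0 is also the cyclic mode, so callers default to cyclic. */`. The loop also returns the first matching entry in insertion order, which is worth stating in the function's header comment because a wildcard or `any` entry added early shadows later, more specific ones.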
diff --git a/contrib/bind9/lib/dns/peer.c b/contrib/bind9/lib/dns/peer.c
new file mode 100644
index 0000000..a50ff0c
--- /dev/null
+++ b/contrib/bind9/lib/dns/peer.c
@@ -0,0 +1,522 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: peer.c,v 1.14.2.1.10.4 2004/03/06 08:13:41 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+#include <isc/sockaddr.h>
+
+#include <dns/bit.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/peer.h>
+
+/*
+ * Bit positions in the dns_peer_t structure flags field
+ */
+#define BOGUS_BIT 0
+#define SERVER_TRANSFER_FORMAT_BIT 1
+#define TRANSFERS_BIT 2
+#define PROVIDE_IXFR_BIT 3
+#define REQUEST_IXFR_BIT 4
+#define SUPPORT_EDNS_BIT 5
+
+static void
+peerlist_delete(dns_peerlist_t **list);
+
+static void
+peer_delete(dns_peer_t **peer);
+
+isc_result_t
+dns_peerlist_new(isc_mem_t *mem, dns_peerlist_t **list) {
+ dns_peerlist_t *l;
+
+ REQUIRE(list != NULL);
+
+ l = isc_mem_get(mem, sizeof(*l));
+ if (l == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ISC_LIST_INIT(l->elements);
+ l->mem = mem;
+ l->refs = 1;
+ l->magic = DNS_PEERLIST_MAGIC;
+
+ *list = l;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+void
+dns_peerlist_attach(dns_peerlist_t *source, dns_peerlist_t **target) {
+ REQUIRE(DNS_PEERLIST_VALID(source));
+ REQUIRE(target != NULL);
+ REQUIRE(*target == NULL);
+
+ source->refs++;
+
+ ENSURE(source->refs != 0xffffffffU);
+
+ *target = source;
+}
+
+void
+dns_peerlist_detach(dns_peerlist_t **list) {
+ dns_peerlist_t *plist;
+
+ REQUIRE(list != NULL);
+ REQUIRE(*list != NULL);
+ REQUIRE(DNS_PEERLIST_VALID(*list));
+
+ plist = *list;
+ *list = NULL;
+
+ REQUIRE(plist->refs > 0);
+
+ plist->refs--;
+
+ if (plist->refs == 0)
+ peerlist_delete(&plist);
+}
+
+static void
+peerlist_delete(dns_peerlist_t **list) {
+ dns_peerlist_t *l;
+ dns_peer_t *server, *stmp;
+
+ REQUIRE(list != NULL);
+ REQUIRE(DNS_PEERLIST_VALID(*list));
+
+ l = *list;
+
+ REQUIRE(l->refs == 0);
+
+ server = ISC_LIST_HEAD(l->elements);
+ while (server != NULL) {
+ stmp = ISC_LIST_NEXT(server, next);
+ ISC_LIST_UNLINK(l->elements, server, next);
+ dns_peer_detach(&server);
+ server = stmp;
+ }
+
+ l->magic = 0;
+ isc_mem_put(l->mem, l, sizeof(*l));
+
+ *list = NULL;
+}
+
+void
+dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
+ dns_peer_t *p = NULL;
+
+ dns_peer_attach(peer, &p);
+
+ ISC_LIST_APPEND(peers->elements, peer, next);
+}
+
+isc_result_t
+dns_peerlist_peerbyaddr(dns_peerlist_t *servers,
+ isc_netaddr_t *addr, dns_peer_t **retval)
+{
+ dns_peer_t *server;
+ isc_result_t res;
+
+ REQUIRE(retval != NULL);
+ REQUIRE(DNS_PEERLIST_VALID(servers));
+
+ server = ISC_LIST_HEAD(servers->elements);
+ while (server != NULL) {
+ if (isc_netaddr_equal(addr, &server->address))
+ break;
+
+ server = ISC_LIST_NEXT(server, next);
+ }
+
+ if (server != NULL) {
+ *retval = server;
+ res = ISC_R_SUCCESS;
+ } else {
+ res = ISC_R_NOTFOUND;
+ }
+
+ return (res);
+}
+
+
+
+isc_result_t
+dns_peerlist_currpeer(dns_peerlist_t *peers, dns_peer_t **retval) {
+ dns_peer_t *p = NULL;
+
+ p = ISC_LIST_TAIL(peers->elements);
+
+ dns_peer_attach(p, retval);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
+ dns_peer_t *peer;
+
+ REQUIRE(peerptr != NULL);
+
+ peer = isc_mem_get(mem, sizeof(*peer));
+ if (peer == NULL)
+ return (ISC_R_NOMEMORY);
+
+ peer->magic = DNS_PEER_MAGIC;
+ peer->address = *addr;
+ peer->mem = mem;
+ peer->bogus = ISC_FALSE;
+ peer->transfer_format = dns_one_answer;
+ peer->transfers = 0;
+ peer->request_ixfr = ISC_FALSE;
+ peer->provide_ixfr = ISC_FALSE;
+ peer->key = NULL;
+ peer->refs = 1;
+ peer->transfer_source = NULL;
+
+ memset(&peer->bitflags, 0x0, sizeof(peer->bitflags));
+
+ ISC_LINK_INIT(peer, next);
+
+ *peerptr = peer;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_peer_attach(dns_peer_t *source, dns_peer_t **target) {
+ REQUIRE(DNS_PEER_VALID(source));
+ REQUIRE(target != NULL);
+ REQUIRE(*target == NULL);
+
+ source->refs++;
+
+ ENSURE(source->refs != 0xffffffffU);
+
+ *target = source;
+}
+
+void
+dns_peer_detach(dns_peer_t **peer) {
+ dns_peer_t *p;
+
+ REQUIRE(peer != NULL);
+ REQUIRE(*peer != NULL);
+ REQUIRE(DNS_PEER_VALID(*peer));
+
+ p = *peer;
+
+ REQUIRE(p->refs > 0);
+
+ *peer = NULL;
+ p->refs--;
+
+ if (p->refs == 0)
+ peer_delete(&p);
+}
+
+static void
+peer_delete(dns_peer_t **peer) {
+ dns_peer_t *p;
+ isc_mem_t *mem;
+
+ REQUIRE(peer != NULL);
+ REQUIRE(DNS_PEER_VALID(*peer));
+
+ p = *peer;
+
+ REQUIRE(p->refs == 0);
+
+ mem = p->mem;
+ p->mem = NULL;
+ p->magic = 0;
+
+ if (p->key != NULL) {
+ dns_name_free(p->key, mem);
+ isc_mem_put(mem, p->key, sizeof(dns_name_t));
+ }
+
+ if (p->transfer_source != NULL) {
+ isc_mem_put(mem, p->transfer_source,
+ sizeof(*p->transfer_source));
+ }
+
+ isc_mem_put(mem, p, sizeof(*p));
+
+ *peer = NULL;
+}
+
+isc_result_t
+dns_peer_setbogus(dns_peer_t *peer, isc_boolean_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags);
+
+ peer->bogus = newval;
+ DNS_BIT_SET(BOGUS_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getbogus(dns_peer_t *peer, isc_boolean_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(BOGUS_BIT, &peer->bitflags)) {
+ *retval = peer->bogus;
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_NOTFOUND);
+}
+
+
+isc_result_t
+dns_peer_setprovideixfr(dns_peer_t *peer, isc_boolean_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+ peer->provide_ixfr = newval;
+ DNS_BIT_SET(PROVIDE_IXFR_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(PROVIDE_IXFR_BIT, &peer->bitflags)) {
+ *retval = peer->provide_ixfr;
+ return (ISC_R_SUCCESS);
+ } else {
+ return (ISC_R_NOTFOUND);
+ }
+}
+
+isc_result_t
+dns_peer_setrequestixfr(dns_peer_t *peer, isc_boolean_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags);
+
+ peer->request_ixfr = newval;
+ DNS_BIT_SET(REQUEST_IXFR_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestixfr(dns_peer_t *peer, isc_boolean_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(REQUEST_IXFR_BIT, &peer->bitflags)) {
+ *retval = peer->request_ixfr;
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+ peer->support_edns = newval;
+ DNS_BIT_SET(SUPPORT_EDNS_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(SUPPORT_EDNS_BIT, &peer->bitflags)) {
+ *retval = peer->support_edns;
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags);
+
+ peer->transfers = newval;
+ DNS_BIT_SET(TRANSFERS_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfers(dns_peer_t *peer, isc_uint32_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(TRANSFERS_BIT, &peer->bitflags)) {
+ *retval = peer->transfers;
+ return (ISC_R_SUCCESS);
+ } else {
+ return (ISC_R_NOTFOUND);
+ }
+}
+
+isc_result_t
+dns_peer_settransferformat(dns_peer_t *peer, dns_transfer_format_t newval) {
+ isc_boolean_t existed;
+
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ existed = DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT,
+ &peer->bitflags);
+
+ peer->transfer_format = newval;
+ DNS_BIT_SET(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags);
+
+ return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransferformat(dns_peer_t *peer, dns_transfer_format_t *retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (DNS_BIT_CHECK(SERVER_TRANSFER_FORMAT_BIT, &peer->bitflags)) {
+ *retval = peer->transfer_format;
+ return (ISC_R_SUCCESS);
+ } else {
+ return (ISC_R_NOTFOUND);
+ }
+}
+
+isc_result_t
+dns_peer_getkey(dns_peer_t *peer, dns_name_t **retval) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(retval != NULL);
+
+ if (peer->key != NULL) {
+ *retval = peer->key;
+ }
+
+ return (peer->key == NULL ? ISC_R_NOTFOUND : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkey(dns_peer_t *peer, dns_name_t **keyval) {
+ isc_boolean_t exists = ISC_FALSE;
+
+ if (peer->key != NULL) {
+ dns_name_free(peer->key, peer->mem);
+ isc_mem_put(peer->mem, peer->key, sizeof(dns_name_t));
+ exists = ISC_TRUE;
+ }
+
+ peer->key = *keyval;
+ *keyval = NULL;
+
+ return (exists ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_setkeybycharp(dns_peer_t *peer, const char *keyval) {
+ isc_buffer_t b;
+ dns_fixedname_t fname;
+ dns_name_t *name;
+ isc_result_t result;
+
+ dns_fixedname_init(&fname);
+ isc_buffer_init(&b, keyval, strlen(keyval));
+ isc_buffer_add(&b, strlen(keyval));
+ result = dns_name_fromtext(dns_fixedname_name(&fname), &b,
+ dns_rootname, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ name = isc_mem_get(peer->mem, sizeof(dns_name_t));
+ if (name == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dns_name_init(name, NULL);
+ result = dns_name_dup(dns_fixedname_name(&fname), peer->mem, name);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(peer->mem, name, sizeof(dns_name_t));
+ return (result);
+ }
+
+ result = dns_peer_setkey(peer, &name);
+ if (result != ISC_R_SUCCESS)
+ isc_mem_put(peer->mem, name, sizeof(dns_name_t));
+
+ return (result);
+}
+
+isc_result_t
+dns_peer_settransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+ REQUIRE(DNS_PEER_VALID(peer));
+
+ if (peer->transfer_source != NULL) {
+ isc_mem_put(peer->mem, peer->transfer_source,
+ sizeof(*peer->transfer_source));
+ peer->transfer_source = NULL;
+ }
+ if (transfer_source != NULL) {
+ peer->transfer_source = isc_mem_get(peer->mem,
+ sizeof(*peer->transfer_source));
+ if (peer->transfer_source == NULL)
+ return (ISC_R_NOMEMORY);
+
+ *peer->transfer_source = *transfer_source;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_gettransfersource(dns_peer_t *peer, isc_sockaddr_t *transfer_source) {
+ REQUIRE(DNS_PEER_VALID(peer));
+ REQUIRE(transfer_source != NULL);
+
+ if (peer->transfer_source == NULL)
+ return (ISC_R_NOTFOUND);
+ *transfer_source = *peer->transfer_source;
+ return (ISC_R_SUCCESS);
+}
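Review bot: In `dns_peer_setkeybycharp()` the cleanup after `dns_peer_setkey()` acts on a pointer that is no longer owned. `dns_peer_setkey()` always stores `*keyval` in `peer->key` and sets `*keyval = NULL`, and it returns `ISC_R_EXISTS` when it replaced an earlier key. On that path the caller runs `isc_mem_put(peer->mem, name, sizeof(dns_name_t))` with `name == NULL`, which presumably trips an assertion in the memory context; were `name` not cleared, it would instead free the key just installed. Because ownership always transfers, the tail can simply be `result = dns_peer_setkey(peer, &name);` followed by `return (result);`. Separately, `dns_peer_setkey()` and `dns_peer_setkeybycharp()` have no `REQUIRE(DNS_PEER_VALID(peer))`, unlike the other accessors, and `dns_peerlist_currpeer()` passes a NULL tail to `dns_peer_attach()` when the list is empty.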
diff --git a/contrib/bind9/lib/dns/portlist.c b/contrib/bind9/lib/dns/portlist.c
new file mode 100644
index 0000000..64546e3
--- /dev/null
+++ b/contrib/bind9/lib/dns/portlist.c
@@ -0,0 +1,260 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: portlist.c,v 1.3.72.4 2004/03/16 05:50:21 marka Exp $ */
+
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/types.h>
+#include <dns/portlist.h>
+
+#define DNS_PORTLIST_MAGIC ISC_MAGIC('P','L','S','T')
+#define DNS_VALID_PORTLIST(p) ISC_MAGIC_VALID(p, DNS_PORTLIST_MAGIC)
+
+typedef struct dns_element {
+ in_port_t port;
+ isc_uint16_t flags;
+} dns_element_t;
+
+struct dns_portlist {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_refcount_t refcount;
+ isc_mutex_t lock;
+ dns_element_t *list;
+ unsigned int allocated;
+ unsigned int active;
+};
+
+#define DNS_PL_INET 0x0001
+#define DNS_PL_INET6 0x0002
+#define DNS_PL_ALLOCATE 16
+
+static int
+compare(const void *arg1, const void *arg2) {
+ const dns_element_t *e1 = (const dns_element_t *)arg1;
+ const dns_element_t *e2 = (const dns_element_t *)arg2;
+
+ if (e1->port < e2->port)
+ return (-1);
+ if (e1->port > e2->port)
+ return (1);
+ return (0);
+}
+
+isc_result_t
+dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp) {
+ dns_portlist_t *portlist;
+ isc_result_t result;
+
+ REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+ portlist = isc_mem_get(mctx, sizeof(*portlist));
+ if (portlist == NULL)
+ return (ISC_R_NOMEMORY);
+ result = isc_mutex_init(&portlist->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, portlist, sizeof(*portlist));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ isc_refcount_init(&portlist->refcount, 1);
+ portlist->list = NULL;
+ portlist->allocated = 0;
+ portlist->active = 0;
+ portlist->mctx = NULL;
+ isc_mem_attach(mctx, &portlist->mctx);
+ portlist->magic = DNS_PORTLIST_MAGIC;
+ *portlistp = portlist;
+ return (ISC_R_SUCCESS);
+}
+
+static dns_element_t *
+find_port(dns_element_t *list, unsigned int len, in_port_t port) {
+ unsigned int xtry = len / 2;
+ unsigned int min = 0;
+ unsigned int max = len - 1;
+ unsigned int last = len;
+
+ for (;;) {
+ if (list[xtry].port == port)
+ return (&list[xtry]);
+ if (port > list[xtry].port) {
+ if (xtry == max)
+ break;
+ min = xtry;
+ xtry = xtry + (max - xtry + 1) / 2;
+ INSIST(xtry <= max);
+ if (xtry == last)
+ break;
+ last = min;
+ } else {
+ if (xtry == min)
+ break;
+ max = xtry;
+ xtry = xtry - (xtry - min + 1) / 2;
+ INSIST(xtry >= min);
+ if (xtry == last)
+ break;
+ last = max;
+ }
+ }
+ return (NULL);
+}
+
+isc_result_t
+dns_portlist_add(dns_portlist_t *portlist, int af, in_port_t port) {
+ dns_element_t *el;
+ isc_result_t result;
+
+ REQUIRE(DNS_VALID_PORTLIST(portlist));
+ REQUIRE(af == AF_INET || af == AF_INET6);
+
+ LOCK(&portlist->lock);
+ if (portlist->active != 0) {
+ el = find_port(portlist->list, portlist->active, port);
+ if (el != NULL) {
+ if (af == AF_INET)
+ el->flags |= DNS_PL_INET;
+ else
+ el->flags |= DNS_PL_INET6;
+ result = ISC_R_SUCCESS;
+ goto unlock;
+ }
+ }
+
+ if (portlist->allocated <= portlist->active) {
+ unsigned int allocated;
+ allocated = portlist->allocated + DNS_PL_ALLOCATE;
+ el = isc_mem_get(portlist->mctx, sizeof(*el) * allocated);
+ if (el == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+ if (portlist->list != NULL) {
+ memcpy(el, portlist->list,
+ portlist->allocated * sizeof(*el));
+ isc_mem_put(portlist->mctx, portlist->list,
+ portlist->allocated * sizeof(*el));
+ }
+ portlist->list = el;
+ portlist->allocated = allocated;
+ }
+ portlist->list[portlist->active].port = port;
+ if (af == AF_INET)
+ portlist->list[portlist->active].flags = DNS_PL_INET;
+ else
+ portlist->list[portlist->active].flags = DNS_PL_INET6;
+ portlist->active++;
+ qsort(portlist->list, portlist->active, sizeof(*el), compare);
+ result = ISC_R_SUCCESS;
+ unlock:
+ UNLOCK(&portlist->lock);
+ return (result);
+}
+
+void
+dns_portlist_remove(dns_portlist_t *portlist, int af, in_port_t port) {
+ dns_element_t *el;
+
+ REQUIRE(DNS_VALID_PORTLIST(portlist));
+ REQUIRE(af == AF_INET || af == AF_INET6);
+
+ LOCK(&portlist->lock);
+ if (portlist->active != 0) {
+ el = find_port(portlist->list, portlist->active, port);
+ if (el != NULL) {
+ if (af == AF_INET)
+ el->flags &= ~DNS_PL_INET;
+ else
+ el->flags &= ~DNS_PL_INET6;
+ if (el->flags == 0) {
+ *el = portlist->list[portlist->active];
+ portlist->active--;
+ qsort(portlist->list, portlist->active,
+ sizeof(*el), compare);
+ }
+ }
+ }
+ UNLOCK(&portlist->lock);
+}
+
+isc_boolean_t
+dns_portlist_match(dns_portlist_t *portlist, int af, in_port_t port) {
+ dns_element_t *el;
+ isc_boolean_t result = ISC_FALSE;
+
+ REQUIRE(DNS_VALID_PORTLIST(portlist));
+ REQUIRE(af == AF_INET || af == AF_INET6);
+ LOCK(&portlist->lock);
+ if (portlist->active != 0) {
+ el = find_port(portlist->list, portlist->active, port);
+ if (el != NULL) {
+ if (af == AF_INET && (el->flags & DNS_PL_INET) != 0)
+ result = ISC_TRUE;
+ if (af == AF_INET6 && (el->flags & DNS_PL_INET6) != 0)
+ result = ISC_TRUE;
+ }
+ }
+ UNLOCK(&portlist->lock);
+ return (result);
+}
+
+void
+dns_portlist_attach(dns_portlist_t *portlist, dns_portlist_t **portlistp) {
+
+ REQUIRE(DNS_VALID_PORTLIST(portlist));
+ REQUIRE(portlistp != NULL && *portlistp == NULL);
+
+ isc_refcount_increment(&portlist->refcount, NULL);
+ *portlistp = portlist;
+}
+
+void
+dns_portlist_detach(dns_portlist_t **portlistp) {
+ dns_portlist_t *portlist;
+ unsigned int count;
+
+ REQUIRE(portlistp != NULL);
+ portlist = *portlistp;
+ REQUIRE(DNS_VALID_PORTLIST(portlist));
+ *portlistp = NULL;
+ isc_refcount_decrement(&portlist->refcount, &count);
+ if (count == 0) {
+ portlist->magic = 0;
+ isc_refcount_destroy(&portlist->refcount);
+ if (portlist->list != NULL)
+ isc_mem_put(portlist->mctx, portlist->list,
+ portlist->allocated *
+ sizeof(*portlist->list));
+ DESTROYLOCK(&portlist->lock);
+ isc_mem_putanddetach(&portlist->mctx, portlist,
+ sizeof(*portlist));
+ }
+}
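Review bot: In `dns_portlist_remove()` the line `*el = portlist->list[portlist->active];` reads index `active`, which is one past the last live element because `active` is a count and is decremented only afterwards. When `active == allocated` this is a read beyond the `isc_mem_get()` buffer. In every case the removed slot is filled with a stale or uninitialised entry while the real last element is dropped from the list, so `dns_portlist_match()` can give wrong answers for both ports. Decrementing first fixes both problems: `portlist->active--;` then `*el = portlist->list[portlist->active];`, leaving the following `qsort()` as is.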
diff --git a/contrib/bind9/lib/dns/rbt.c b/contrib/bind9/lib/dns/rbt.c
new file mode 100644
index 0000000..a3608f7
--- /dev/null
+++ b/contrib/bind9/lib/dns/rbt.c
@@ -0,0 +1,2543 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbt.c,v 1.115.2.2.2.9 2004/03/08 21:06:27 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/*
+ * This define is so dns/name.h (included by dns/fixedname.h) uses more
+ * efficient macro calls instead of functions for a few operations.
+ */
+#define DNS_NAME_USEINLINE 1
+
+#include <dns/fixedname.h>
+#include <dns/rbt.h>
+#include <dns/result.h>
+
+#define RBT_MAGIC ISC_MAGIC('R', 'B', 'T', '+')
+#define VALID_RBT(rbt) ISC_MAGIC_VALID(rbt, RBT_MAGIC)
+
+/*
+ * XXXDCL Since parent pointers were added in again, I could remove all of the
+ * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
+ * _lastnode. This would involve pretty major change to the API.
+ */
+#define CHAIN_MAGIC ISC_MAGIC('0', '-', '0', '-')
+#define VALID_CHAIN(chain) ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
+
+#define RBT_HASH_SIZE 64
+
+#ifdef RBT_MEM_TEST
+#undef RBT_HASH_SIZE
+#define RBT_HASH_SIZE 2 /* To give the reallocation code a workout. */
+#endif
+
+struct dns_rbt {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ dns_rbtnode_t * root;
+ void (*data_deleter)(void *, void *);
+ void * deleter_arg;
+ unsigned int nodecount;
+ unsigned int hashsize;
+ dns_rbtnode_t ** hashtable;
+ unsigned int quantum;
+};
+
+#define RED 0
+#define BLACK 1
+
+/*
+ * Elements of the rbtnode structure.
+ */
+#define PARENT(node) ((node)->parent)
+#define LEFT(node) ((node)->left)
+#define RIGHT(node) ((node)->right)
+#define DOWN(node) ((node)->down)
+#define DATA(node) ((node)->data)
+#define HASHNEXT(node) ((node)->hashnext)
+#define HASHVAL(node) ((node)->hashval)
+#define COLOR(node) ((node)->color)
+#define NAMELEN(node) ((node)->namelen)
+#define OFFSETLEN(node) ((node)->offsetlen)
+#define ATTRS(node) ((node)->attributes)
+#define PADBYTES(node) ((node)->padbytes)
+#define IS_ROOT(node) ISC_TF((node)->is_root == 1)
+#define FINDCALLBACK(node) ISC_TF((node)->find_callback == 1)
+
+/*
+ * Structure elements from the rbtdb.c, not
+ * used as part of the rbt.c algorithms.
+ */
+#define DIRTY(node) ((node)->dirty)
+#define WILD(node) ((node)->wild)
+#define LOCKNUM(node) ((node)->locknum)
+#define REFS(node) ((node)->references)
+
+/*
+ * The variable length stuff stored after the node.
+ */
+#define NAME(node) ((unsigned char *)((node) + 1))
+#define OFFSETS(node) (NAME(node) + NAMELEN(node))
+
+#define NODE_SIZE(node) (sizeof(*node) + \
+ NAMELEN(node) + OFFSETLEN(node) + PADBYTES(node))
+
+/*
+ * Color management.
+ */
+#define IS_RED(node) ((node) != NULL && (node)->color == RED)
+#define IS_BLACK(node) ((node) == NULL || (node)->color == BLACK)
+#define MAKE_RED(node) ((node)->color = RED)
+#define MAKE_BLACK(node) ((node)->color = BLACK)
+
+/*
+ * Chain management.
+ *
+ * The "ancestors" member of chains were removed, with their job now
+ * being wholy handled by parent pointers (which didn't exist, because
+ * of memory concerns, when chains were first implemented).
+ */
+#define ADD_LEVEL(chain, node) \
+ (chain)->levels[(chain)->level_count++] = (node)
+
+/*
+ * The following macros directly access normally private name variables.
+ * These macros are used to avoid a lot of function calls in the critical
+ * path of the tree traversal code.
+ */
+
+#define NODENAME(node, name) \
+do { \
+ (name)->length = NAMELEN(node); \
+ (name)->labels = OFFSETLEN(node); \
+ (name)->ndata = NAME(node); \
+ (name)->offsets = OFFSETS(node); \
+ (name)->attributes = ATTRS(node); \
+ (name)->attributes |= DNS_NAMEATTR_READONLY; \
+} while (0)
+
+#ifdef DNS_RBT_USEHASH
+static isc_result_t
+inithash(dns_rbt_t *rbt);
+#endif
+
+#ifdef DEBUG
+#define inline
+/*
+ * A little something to help out in GDB.
+ */
+dns_name_t Name(dns_rbtnode_t *node);
+dns_name_t
+Name(dns_rbtnode_t *node) {
+ dns_name_t name;
+
+ dns_name_init(&name, NULL);
+ if (node != NULL)
+ NODENAME(node, &name);
+
+ return (name);
+}
+
+static void dns_rbt_printnodename(dns_rbtnode_t *node);
+#endif
+
+static inline dns_rbtnode_t *
+find_up(dns_rbtnode_t *node) {
+ dns_rbtnode_t *root;
+
+ /*
+ * Return the node in the level above the argument node that points
+ * to the level the argument node is in. If the argument node is in
+ * the top level, the return value is NULL.
+ */
+ for (root = node; ! IS_ROOT(root); root = PARENT(root))
+ ; /* Nothing. */
+
+ return (PARENT(root));
+}
+
+#ifdef DNS_RBT_USEHASH
+static inline void
+compute_node_hash(dns_rbtnode_t *node) {
+ unsigned int hash;
+ dns_name_t name;
+ dns_rbtnode_t *up_node;
+
+ dns_name_init(&name, NULL);
+ NODENAME(node, &name);
+ hash = dns_name_hashbylabel(&name, ISC_FALSE);
+
+ up_node = find_up(node);
+ if (up_node != NULL)
+ hash += HASHVAL(up_node);
+
+ HASHVAL(node) = hash;
+}
+#endif
+
+/*
+ * Forward declarations.
+ */
+static isc_result_t
+create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep);
+
+#ifdef DNS_RBT_USEHASH
+static inline void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
+static inline void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node);
+#else
+#define hash_node(rbt, node) (ISC_R_SUCCESS)
+#define unhash_node(rbt, node)
+#endif
+
+static inline void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+static inline void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp);
+
+static void
+dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+ dns_rbtnode_t **rootp);
+
+static void
+dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp);
+
+static isc_result_t
+dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node);
+
+static void
+dns_rbt_deletetreeflat(dns_rbt_t *rbt, dns_rbtnode_t **nodep);
+
+/*
+ * Initialize a red/black tree of trees.
+ */
+isc_result_t
+dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
+ void *deleter_arg, dns_rbt_t **rbtp)
+{
+#ifdef DNS_RBT_USEHASH
+ isc_result_t result;
+#endif
+ dns_rbt_t *rbt;
+
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(rbtp != NULL && *rbtp == NULL);
+ REQUIRE(deleter == NULL ? deleter_arg == NULL : 1);
+
+ rbt = (dns_rbt_t *)isc_mem_get(mctx, sizeof(*rbt));
+ if (rbt == NULL)
+ return (ISC_R_NOMEMORY);
+
+ rbt->mctx = mctx;
+ rbt->data_deleter = deleter;
+ rbt->deleter_arg = deleter_arg;
+ rbt->root = NULL;
+ rbt->nodecount = 0;
+ rbt->hashtable = NULL;
+ rbt->hashsize = 0;
+#ifdef DNS_RBT_USEHASH
+ result = inithash(rbt);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, rbt, sizeof(*rbt));
+ return (result);
+ }
+#endif
+ rbt->quantum = 0;
+ rbt->magic = RBT_MAGIC;
+
+ *rbtp = rbt;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Deallocate a red/black tree of trees.
+ */
+void
+dns_rbt_destroy(dns_rbt_t **rbtp) {
+ RUNTIME_CHECK(dns_rbt_destroy2(rbtp, 0) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum) {
+ dns_rbt_t *rbt;
+
+ REQUIRE(rbtp != NULL && VALID_RBT(*rbtp));
+
+ rbt = *rbtp;
+
+ rbt->quantum = quantum;
+
+ dns_rbt_deletetreeflat(rbt, &rbt->root);
+ if (rbt->root != NULL)
+ return (ISC_R_QUOTA);
+
+ INSIST(rbt->nodecount == 0);
+
+ if (rbt->hashtable != NULL)
+ isc_mem_put(rbt->mctx, rbt->hashtable,
+ rbt->hashsize * sizeof(dns_rbtnode_t *));
+
+ rbt->magic = 0;
+
+ isc_mem_put(rbt->mctx, rbt, sizeof(*rbt));
+ *rbtp = NULL;
+ return (ISC_R_SUCCESS);
+}
+
+unsigned int
+dns_rbt_nodecount(dns_rbt_t *rbt) {
+ REQUIRE(VALID_RBT(rbt));
+ return (rbt->nodecount);
+}
+
+static inline isc_result_t
+chain_name(dns_rbtnodechain_t *chain, dns_name_t *name,
+ isc_boolean_t include_chain_end)
+{
+ dns_name_t nodename;
+ isc_result_t result = ISC_R_SUCCESS;
+ int i;
+
+ dns_name_init(&nodename, NULL);
+
+ if (include_chain_end && chain->end != NULL) {
+ NODENAME(chain->end, &nodename);
+ result = dns_name_copy(&nodename, name, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else
+ dns_name_reset(name);
+
+ for (i = (int)chain->level_count - 1; i >= 0; i--) {
+ NODENAME(chain->levels[i], &nodename);
+ result = dns_name_concatenate(name, &nodename, name, NULL);
+
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ return (result);
+}
+
+static inline isc_result_t
+move_chain_to_last(dns_rbtnodechain_t *chain, dns_rbtnode_t *node) {
+ do {
+ /*
+ * Go as far right and then down as much as possible,
+ * as long as the rightmost node has a down pointer.
+ */
+ while (RIGHT(node) != NULL)
+ node = RIGHT(node);
+
+ if (DOWN(node) == NULL)
+ break;
+
+ ADD_LEVEL(chain, node);
+ node = DOWN(node);
+ } while (1);
+
+ chain->end = node;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add 'name' to tree, initializing its data pointer with 'data'.
+ */
+
+isc_result_t
+dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
+ /*
+ * Does this thing have too many variables or what?
+ */
+ dns_rbtnode_t **root, *parent, *child, *current, *new_current;
+ dns_name_t *add_name, current_name, *prefix, *suffix;
+ dns_fixedname_t fixedcopy, fixedprefix, fixedsuffix;
+ dns_offsets_t current_offsets;
+ dns_namereln_t compared;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rbtnodechain_t chain;
+ unsigned int common_labels;
+ int order;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ /*
+ * Create a copy of the name so the original name structure is
+ * not modified.
+ */
+ dns_fixedname_init(&fixedcopy);
+ add_name = dns_fixedname_name(&fixedcopy);
+ dns_name_clone(name, add_name);
+
+ if (rbt->root == NULL) {
+ result = create_node(rbt->mctx, add_name, &new_current);
+ if (result == ISC_R_SUCCESS) {
+ rbt->nodecount++;
+ new_current->is_root = 1;
+ rbt->root = new_current;
+ *nodep = new_current;
+ hash_node(rbt, new_current);
+ }
+ return (result);
+ }
+
+ dns_rbtnodechain_init(&chain, rbt->mctx);
+
+ dns_fixedname_init(&fixedprefix);
+ dns_fixedname_init(&fixedsuffix);
+ prefix = dns_fixedname_name(&fixedprefix);
+ suffix = dns_fixedname_name(&fixedsuffix);
+
+ root = &rbt->root;
+ INSIST(IS_ROOT(*root));
+ parent = NULL;
+ current = NULL;
+ child = *root;
+ dns_name_init(&current_name, current_offsets);
+
+ do {
+ current = child;
+
+ NODENAME(current, &current_name);
+ compared = dns_name_fullcompare(add_name, &current_name,
+ &order, &common_labels);
+
+ if (compared == dns_namereln_equal) {
+ *nodep = current;
+ result = ISC_R_EXISTS;
+ break;
+
+ }
+
+ if (compared == dns_namereln_none) {
+
+ if (order < 0) {
+ parent = current;
+ child = LEFT(current);
+
+ } else if (order > 0) {
+ parent = current;
+ child = RIGHT(current);
+
+ }
+
+ } else {
+ /*
+ * This name has some suffix in common with the
+ * name at the current node. If the name at
+ * the current node is shorter, that means the
+ * new name should be in a subtree. If the
+ * name at the current node is longer, that means
+ * the down pointer to this tree should point
+ * to a new tree that has the common suffix, and
+ * the non-common parts of these two names should
+ * start a new tree.
+ */
+ if (compared == dns_namereln_subdomain) {
+ /*
+ * All of the existing labels are in common,
+ * so the new name is in a subtree.
+ * Whack off the common labels for the
+ * not-in-common part to be searched for
+ * in the next level.
+ */
+ dns_name_split(add_name, common_labels,
+ add_name, NULL);
+
+ /*
+ * Follow the down pointer (possibly NULL).
+ */
+ root = &DOWN(current);
+
+ INSIST(*root == NULL ||
+ (IS_ROOT(*root) &&
+ PARENT(*root) == current));
+
+ parent = NULL;
+ child = DOWN(current);
+ ADD_LEVEL(&chain, current);
+
+ } else {
+ /*
+ * The number of labels in common is fewer
+ * than the number of labels at the current
+ * node, so the current node must be adjusted
+ * to have just the common suffix, and a down
+ * pointer made to a new tree.
+ */
+
+ INSIST(compared == dns_namereln_commonancestor
+ || compared == dns_namereln_contains);
+
+ /*
+ * Ensure the number of levels in the tree
+ * does not exceed the number of logical
+ * levels allowed by DNSSEC.
+ *
+ * XXXDCL need a better error result?
+ *
+ * XXXDCL Since chain ancestors were removed,
+ * no longer used by dns_rbt_addonlevel(),
+ * this is the only real use of chains in the
+ * function. It could be done instead with
+ * a simple integer variable, but I am pressed
+ * for time.
+ */
+ if (chain.level_count ==
+ (sizeof(chain.levels) /
+ sizeof(*chain.levels))) {
+ result = ISC_R_NOSPACE;
+ break;
+ }
+
+ /*
+ * Split the name into two parts, a prefix
+ * which is the not-in-common parts of the
+ * two names and a suffix that is the common
+ * parts of them.
+ */
+ dns_name_split(&current_name, common_labels,
+ prefix, suffix);
+ result = create_node(rbt->mctx, suffix,
+ &new_current);
+
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ /*
+ * Reproduce the tree attributes of the
+ * current node.
+ */
+ new_current->is_root = current->is_root;
+ PARENT(new_current) = PARENT(current);
+ LEFT(new_current) = LEFT(current);
+ RIGHT(new_current) = RIGHT(current);
+ COLOR(new_current) = COLOR(current);
+
+ /*
+ * Fix pointers that were to the current node.
+ */
+ if (parent != NULL) {
+ if (LEFT(parent) == current)
+ LEFT(parent) = new_current;
+ else
+ RIGHT(parent) = new_current;
+ }
+ if (LEFT(new_current) != NULL)
+ PARENT(LEFT(new_current)) =
+ new_current;
+ if (RIGHT(new_current) != NULL)
+ PARENT(RIGHT(new_current)) =
+ new_current;
+ if (*root == current)
+ *root = new_current;
+
+ NAMELEN(current) = prefix->length;
+ OFFSETLEN(current) = prefix->labels;
+ memcpy(OFFSETS(current), prefix->offsets,
+ prefix->labels);
+ PADBYTES(current) +=
+ (current_name.length - prefix->length) +
+ (current_name.labels - prefix->labels);
+
+ /*
+ * Set up the new root of the next level.
+ * By definition it will not be the top
+ * level tree, so clear DNS_NAMEATTR_ABSOLUTE.
+ */
+ current->is_root = 1;
+ PARENT(current) = new_current;
+ DOWN(new_current) = current;
+ root = &DOWN(new_current);
+
+ ADD_LEVEL(&chain, new_current);
+
+ LEFT(current) = NULL;
+ RIGHT(current) = NULL;
+
+ MAKE_BLACK(current);
+ ATTRS(current) &= ~DNS_NAMEATTR_ABSOLUTE;
+
+ rbt->nodecount++;
+ hash_node(rbt, new_current);
+
+ if (common_labels ==
+ dns_name_countlabels(add_name)) {
+ /*
+ * The name has been added by pushing
+ * the not-in-common parts down to
+ * a new level.
+ */
+ *nodep = new_current;
+ return (ISC_R_SUCCESS);
+
+ } else {
+ /*
+ * The current node has no data,
+ * because it is just a placeholder.
+ * Its data pointer is already NULL
+ * from create_node()), so there's
+ * nothing more to do to it.
+ */
+
+ /*
+ * The not-in-common parts of the new
+ * name will be inserted into the new
+ * level following this loop (unless
+ * result != ISC_R_SUCCESS, which
+ * is tested after the loop ends).
+ */
+ dns_name_split(add_name, common_labels,
+ add_name, NULL);
+
+ break;
+ }
+
+ }
+
+ }
+
+ } while (child != NULL);
+
+ if (result == ISC_R_SUCCESS)
+ result = create_node(rbt->mctx, add_name, &new_current);
+
+ if (result == ISC_R_SUCCESS) {
+ dns_rbt_addonlevel(new_current, current, order, root);
+ rbt->nodecount++;
+ *nodep = new_current;
+ hash_node(rbt, new_current);
+ }
+
+ return (result);
+}
+
+/*
+ * Add a name to the tree of trees, associating it with some data.
+ */
+isc_result_t
+dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data) {
+ isc_result_t result;
+ dns_rbtnode_t *node;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(dns_name_isabsolute(name));
+
+ node = NULL;
+
+ result = dns_rbt_addnode(rbt, name, &node);
+
+ /*
+ * dns_rbt_addnode will report the node exists even when
+ * it does not have data associated with it, but the
+ * dns_rbt_*name functions all behave depending on whether
+ * there is data associated with a node.
+ */
+ if (result == ISC_R_SUCCESS ||
+ (result == ISC_R_EXISTS && DATA(node) == NULL)) {
+ DATA(node) = data;
+ result = ISC_R_SUCCESS;
+ }
+
+ return (result);
+}
+
+/*
+ * Find the node for "name" in the tree of trees.
+ */
+isc_result_t
+dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
+ dns_rbtnode_t **node, dns_rbtnodechain_t *chain,
+ unsigned int options, dns_rbtfindcallback_t callback,
+ void *callback_arg)
+{
+ dns_rbtnode_t *current, *last_compared, *current_root;
+ dns_rbtnodechain_t localchain;
+ dns_name_t *search_name, current_name, *callback_name;
+ dns_fixedname_t fixedcallbackname, fixedsearchname;
+ dns_namereln_t compared;
+ isc_result_t result, saved_result;
+ unsigned int common_labels;
+ int order;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(node != NULL && *node == NULL);
+ REQUIRE((options & (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR))
+ != (DNS_RBTFIND_NOEXACT | DNS_RBTFIND_NOPREDECESSOR));
+
+ /*
+ * If there is a chain it needs to appear to be in a sane state,
+ * otherwise a chain is still needed to generate foundname and
+ * callback_name.
+ */
+ if (chain == NULL) {
+ options |= DNS_RBTFIND_NOPREDECESSOR;
+ chain = &localchain;
+ dns_rbtnodechain_init(chain, rbt->mctx);
+ } else
+ dns_rbtnodechain_reset(chain);
+
+ if (rbt->root == NULL)
+ return (ISC_R_NOTFOUND);
+ else {
+ /*
+ * Appease GCC about variables it incorrectly thinks are
+ * possibly used uninitialized.
+ */
+ compared = dns_namereln_none;
+ last_compared = NULL;
+ }
+
+ dns_fixedname_init(&fixedcallbackname);
+ callback_name = dns_fixedname_name(&fixedcallbackname);
+
+ /*
+ * search_name is the name segment being sought in each tree level.
+ * By using a fixedname, the search_name will definitely have offsets
+ * for use by any splitting.
+ * By using dns_name_clone, no name data should be copied thanks to
+ * the lack of bitstring labels.
+ */
+ dns_fixedname_init(&fixedsearchname);
+ search_name = dns_fixedname_name(&fixedsearchname);
+ dns_name_clone(name, search_name);
+
+ dns_name_init(&current_name, NULL);
+
+ saved_result = ISC_R_SUCCESS;
+ current = rbt->root;
+ current_root = rbt->root;
+
+ while (current != NULL) {
+ NODENAME(current, &current_name);
+ compared = dns_name_fullcompare(search_name, &current_name,
+ &order, &common_labels);
+ last_compared = current;
+
+ if (compared == dns_namereln_equal)
+ break;
+
+ if (compared == dns_namereln_none) {
+#ifdef DNS_RBT_USEHASH
+ dns_name_t hash_name;
+ dns_rbtnode_t *hnode;
+ dns_rbtnode_t *up_current;
+ unsigned int nlabels;
+ unsigned int tlabels = 1;
+ unsigned int hash;
+
+ /*
+ * If there is no hash table, hashing can't be done.
+ */
+ if (rbt->hashtable == NULL)
+ goto nohash;
+
+ /*
+ * The case of current != current_root, that
+ * means a left or right pointer was followed,
+ * only happens when the algorithm fell through to
+ * the traditional binary search because of a
+ * bitstring label. Since we dropped the bitstring
+ * support, this should not happen.
+ */
+ INSIST(current == current_root);
+
+ nlabels = dns_name_countlabels(search_name);
+
+ /*
+ * current_root is the root of the current level, so
+ * it's parent is the same as it's "up" pointer.
+ */
+ up_current = PARENT(current_root);
+ dns_name_init(&hash_name, NULL);
+
+ hashagain:
+ dns_name_getlabelsequence(search_name,
+ nlabels - tlabels,
+ tlabels, &hash_name);
+ hash = HASHVAL(up_current) +
+ dns_name_hashbylabel(&hash_name, ISC_FALSE);
+
+ for (hnode = rbt->hashtable[hash % rbt->hashsize];
+ hnode != NULL;
+ hnode = hnode->hashnext)
+ {
+ dns_name_t hnode_name;
+
+ if (hash != HASHVAL(hnode))
+ continue;
+ if (find_up(hnode) != up_current)
+ continue;
+ dns_name_init(&hnode_name, NULL);
+ NODENAME(hnode, &hnode_name);
+ if (dns_name_equal(&hnode_name, &hash_name))
+ break;
+ }
+
+ if (hnode != NULL) {
+ current = hnode;
+ /*
+ * This is an optimization. If hashing found
+ * the right node, the next call to
+ * dns_name_fullcompare() would obviously
+ * return _equal or _subdomain. Determine
+ * which of those would be the case by
+ * checking if the full name was hashed. Then
+ * make it look like dns_name_fullcompare
+ * was called and jump to the right place.
+ */
+ if (tlabels == nlabels) {
+ compared = dns_namereln_equal;
+ break;
+ } else {
+ common_labels = tlabels;
+ compared = dns_namereln_subdomain;
+ goto subdomain;
+ }
+ }
+
+ if (tlabels++ < nlabels)
+ goto hashagain;
+
+ /*
+ * All of the labels have been tried against the hash
+ * table. Since we dropped the support of bitstring
+ * labels, the name isn't in the table.
+ */
+ current = NULL;
+ continue;
+
+ nohash:
+#endif /* DNS_RBT_USEHASH */
+ /*
+ * Standard binary search tree movement.
+ */
+ if (order < 0)
+ current = LEFT(current);
+ else
+ current = RIGHT(current);
+
+ } else {
+ /*
+ * The names have some common suffix labels.
+ *
+ * If the number in common are equal in length to
+ * the current node's name length, then follow the
+ * down pointer and search in the new tree.
+ */
+ if (compared == dns_namereln_subdomain) {
+ subdomain:
+ /*
+ * Whack off the current node's common parts
+ * for the name to search in the next level.
+ */
+ dns_name_split(search_name, common_labels,
+ search_name, NULL);
+ /*
+ * This might be the closest enclosing name.
+ */
+ if (DATA(current) != NULL ||
+ (options & DNS_RBTFIND_EMPTYDATA) != 0)
+ *node = current;
+
+ /*
+ * Point the chain to the next level. This
+ * needs to be done before 'current' is pointed
+ * there because the callback in the next
+ * block of code needs the current 'current',
+ * but in the event the callback requests that
+ * the search be stopped then the
+ * DNS_R_PARTIALMATCH code at the end of this
+ * function needs the chain pointed to the
+ * next level.
+ */
+ ADD_LEVEL(chain, current);
+
+ /*
+ * The caller may want to interrupt the
+ * downward search when certain special nodes
+ * are traversed. If this is a special node,
+ * the callback is used to learn what the
+ * caller wants to do.
+ */
+ if (callback != NULL &&
+ FINDCALLBACK(current)) {
+ result = chain_name(chain,
+ callback_name,
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ dns_rbtnodechain_reset(chain);
+ return (result);
+ }
+
+ result = (callback)(current,
+ callback_name,
+ callback_arg);
+ if (result != DNS_R_CONTINUE) {
+ saved_result = result;
+ /*
+ * Treat this node as if it
+ * had no down pointer.
+ */
+ current = NULL;
+ break;
+ }
+ }
+
+ /*
+ * Finally, head to the next tree level.
+ */
+ current = DOWN(current);
+ current_root = current;
+
+ } else {
+ /*
+ * Though there are labels in common, the
+ * entire name at this node is not common
+ * with the search name so the search
+ * name does not exist in the tree.
+ */
+ INSIST(compared == dns_namereln_commonancestor
+ || compared == dns_namereln_contains);
+
+ current = NULL;
+ }
+ }
+ }
+
+ /*
+ * If current is not NULL, NOEXACT is not disallowing exact matches,
+ * and either the node has data or an empty node is ok, return
+ * ISC_R_SUCCESS to indicate an exact match.
+ */
+ if (current != NULL && (options & DNS_RBTFIND_NOEXACT) == 0 &&
+ (DATA(current) != NULL ||
+ (options & DNS_RBTFIND_EMPTYDATA) != 0)) {
+ /*
+ * Found an exact match.
+ */
+ chain->end = current;
+ chain->level_matches = chain->level_count;
+
+ if (foundname != NULL)
+ result = chain_name(chain, foundname, ISC_TRUE);
+ else
+ result = ISC_R_SUCCESS;
+
+ if (result == ISC_R_SUCCESS) {
+ *node = current;
+ result = saved_result;
+ } else
+ *node = NULL;
+ } else {
+ /*
+ * Did not find an exact match (or did not want one).
+ */
+ if (*node != NULL) {
+ /*
+ * ... but found a partially matching superdomain.
+ * Unwind the chain to the partial match node
+ * to set level_matches to the level above the node,
+ * and then to derive the name.
+ *
+ * chain->level_count is guaranteed to be at least 1
+ * here because by definition of finding a superdomain,
+ * the chain is pointed to at least the first subtree.
+ */
+ chain->level_matches = chain->level_count - 1;
+
+ while (chain->levels[chain->level_matches] != *node) {
+ INSIST(chain->level_matches > 0);
+ chain->level_matches--;
+ }
+
+ if (foundname != NULL) {
+ unsigned int saved_count = chain->level_count;
+
+ chain->level_count = chain->level_matches + 1;
+
+ result = chain_name(chain, foundname,
+ ISC_FALSE);
+
+ chain->level_count = saved_count;
+ } else
+ result = ISC_R_SUCCESS;
+
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_PARTIALMATCH;
+
+ } else
+ result = ISC_R_NOTFOUND;
+
+ if (current != NULL) {
+ /*
+ * There was an exact match but either
+ * DNS_RBTFIND_NOEXACT was set, or
+ * DNS_RBTFIND_EMPTYDATA was set and the node had no
+ * data. A policy decision was made to set the
+ * chain to the exact match, but this is subject
+ * to change if it becomes apparent that something
+ * else would be more useful. It is important that
+ * this case is handled here, because the predecessor
+ * setting code below assumes the match was not exact.
+ */
+ INSIST(((options & DNS_RBTFIND_NOEXACT) != 0) ||
+ ((options & DNS_RBTFIND_EMPTYDATA) == 0 &&
+ DATA(current) == NULL));
+ chain->end = current;
+
+ } else if ((options & DNS_RBTFIND_NOPREDECESSOR) != 0) {
+ /*
+ * Ensure the chain points nowhere.
+ */
+ chain->end = NULL;
+
+ } else {
+ /*
+ * Since there was no exact match, the chain argument
+ * needs to be pointed at the DNSSEC predecessor of
+ * the search name.
+ */
+ if (compared == dns_namereln_subdomain) {
+ /*
+ * Attempted to follow a down pointer that was
+ * NULL, which means the searched for name was
+ * a subdomain of a terminal name in the tree.
+ * Since there are no existing subdomains to
+ * order against, the terminal name is the
+ * predecessor.
+ */
+ INSIST(chain->level_count > 0);
+ INSIST(chain->level_matches <
+ chain->level_count);
+ chain->end =
+ chain->levels[--chain->level_count];
+
+ } else {
+ isc_result_t result2;
+
+ /*
+ * Point current to the node that stopped
+ * the search.
+ *
+ * With the hashing modification that has been
+ * added to the algorithm, the stop node of a
+ * standard binary search is not known. So it
+ * has to be found. There is probably a more
+ * clever way of doing this.
+ *
+ * The assignment of current to NULL when
+ * the relationship is *not* dns_namereln_none,
+ * even though it later gets set to the same
+ * last_compared anyway, is simply to not push
+ * the while loop in one more level of
+ * indentation.
+ */
+ if (compared == dns_namereln_none)
+ current = last_compared;
+ else
+ current = NULL;
+
+ while (current != NULL) {
+ NODENAME(current, &current_name);
+ compared = dns_name_fullcompare(
+ search_name,
+ &current_name,
+ &order,
+ &common_labels);
+
+ last_compared = current;
+
+ /*
+ * Standard binary search movement.
+ */
+ if (order < 0)
+ current = LEFT(current);
+ else
+ current = RIGHT(current);
+
+ }
+
+ current = last_compared;
+
+ /*
+ * Reached a point within a level tree that
+ * positively indicates the name is not
+ * present, but the stop node could be either
+ * less than the desired name (order > 0) or
+ * greater than the desired name (order < 0).
+ *
+ * If the stop node is less, it is not
+ * necessarily the predecessor. If the stop
+ * node has a down pointer, then the real
+ * predecessor is at the end of a level below
+ * (not necessarily the next level).
+ * Move down levels until the rightmost node
+ * does not have a down pointer.
+ *
+ * When the stop node is greater, it is
+ * the successor. All the logic for finding
+ * the predecessor is handily encapsulated
+ * in dns_rbtnodechain_prev. In the event
+ * that the search name is less than anything
+ * else in the tree, the chain is reset.
+ * XXX DCL What is the best way for the caller
+ * to know that the search name has
+ * no predecessor?
+ */
+
+
+ if (order > 0) {
+ if (DOWN(current) != NULL) {
+ ADD_LEVEL(chain, current);
+
+ result2 =
+ move_chain_to_last(chain,
+ DOWN(current));
+
+ if (result2 != ISC_R_SUCCESS)
+ result = result2;
+ } else
+ /*
+ * Ah, the pure and simple
+ * case. The stop node is the
+ * predecessor.
+ */
+ chain->end = current;
+
+ } else {
+ INSIST(order < 0);
+
+ chain->end = current;
+
+ result2 = dns_rbtnodechain_prev(chain,
+ NULL,
+ NULL);
+ if (result2 == ISC_R_SUCCESS ||
+ result2 == DNS_R_NEWORIGIN)
+ ; /* Nothing. */
+ else if (result2 == ISC_R_NOMORE)
+ /*
+ * There is no predecessor.
+ */
+ dns_rbtnodechain_reset(chain);
+ else
+ result = result2;
+ }
+
+ }
+ }
+ }
+
+ ENSURE(*node == NULL || DNS_RBTNODE_VALID(*node));
+
+ return (result);
+}
+
+/*
+ * Get the data pointer associated with 'name'.
+ */
+isc_result_t
+dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
+ dns_name_t *foundname, void **data) {
+ dns_rbtnode_t *node = NULL;
+ isc_result_t result;
+
+ REQUIRE(data != NULL && *data == NULL);
+
+ result = dns_rbt_findnode(rbt, name, foundname, &node, NULL,
+ options, NULL, NULL);
+
+ if (node != NULL &&
+ (DATA(node) != NULL || (options & DNS_RBTFIND_EMPTYDATA) != 0))
+ *data = DATA(node);
+ else
+ result = ISC_R_NOTFOUND;
+
+ return (result);
+}
+
+/*
+ * Delete a name from the tree of trees.
+ */
+isc_result_t
+dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse) {
+ dns_rbtnode_t *node = NULL;
+ isc_result_t result;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(dns_name_isabsolute(name));
+
+ /*
+ * First, find the node.
+ *
+ * When searching, the name might not have an exact match:
+ * consider a.b.a.com, b.b.a.com and c.b.a.com as the only
+ * elements of a tree, which would make layer 1 a single
+ * node tree of "b.a.com" and layer 2 a three node tree of
+ * a, b, and c. Deleting a.com would find only a partial depth
+ * match in the first layer. Should it be a requirement that
+ * that the name to be deleted have data? For now, it is.
+ *
+ * ->dirty, ->locknum and ->references are ignored; they are
+ * solely the province of rbtdb.c.
+ */
+ result = dns_rbt_findnode(rbt, name, NULL, &node, NULL,
+ DNS_RBTFIND_NOOPTIONS, NULL, NULL);
+
+ if (result == ISC_R_SUCCESS) {
+ if (DATA(node) != NULL)
+ result = dns_rbt_deletenode(rbt, node, recurse);
+ else
+ result = ISC_R_NOTFOUND;
+
+ } else if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+
+ return (result);
+}
+
+/*
+ * Remove a node from the tree of trees.
+ *
+ * NOTE WELL: deletion is *not* symmetric with addition; that is, reversing
+ * a sequence of additions to be deletions will not generally get the
+ * tree back to the state it started in. For example, if the addition
+ * of "b.c" caused the node "a.b.c" to be split, pushing "a" to its own level,
+ * then the subsequent deletion of "b.c" will not cause "a" to be pulled up,
+ * restoring "a.b.c". The RBT *used* to do this kind of rejoining, but it
+ * turned out to be a bad idea because it could corrupt an active nodechain
+ * that had "b.c" as one of its levels -- and the RBT has no idea what
+ * nodechains are in use by callers, so it can't even *try* to helpfully
+ * fix them up (which would probably be doomed to failure anyway).
+ *
+ * Similarly, it is possible to leave the tree in a state where a supposedly
+ * deleted node still exists. The first case of this is obvious; take
+ * the tree which has "b.c" on one level, pointing to "a". Now deleted "b.c".
+ * It was just established in the previous paragraph why we can't pull "a"
+ * back up to its parent level. But what happens when "a" then gets deleted?
+ * "b.c" is left hanging around without data or children. This condition
+ * is actually pretty easy to detect, but ... should it really be removed?
+ * Is a chain pointing to it? An iterator? Who knows! (Note that the
+ * references structure member cannot be looked at because it is private to
+ * rbtdb.) This is ugly and makes me unhappy, but after hours of trying to
+ * make it more aesthetically proper and getting nowhere, this is the way it
+ * is going to stay until such time as it proves to be a *real* problem.
+ *
+ * Finally, for reference, note that the original routine that did node
+ * joining was called join_nodes(). It has been excised, living now only
+ * in the CVS history, but comments have been left behind that point to it just
+ * in case someone wants to muck with this some more.
+ *
+ * The one positive aspect of all of this is that joining used to have a
+ * case where it might fail. Without trying to join, now this function always
+ * succeeds. It still returns isc_result_t, though, so the API wouldn't change.
+ */
+isc_result_t
+dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
+{
+ dns_rbtnode_t *parent;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(DNS_RBTNODE_VALID(node));
+
+ if (DOWN(node) != NULL) {
+ if (recurse)
+ RUNTIME_CHECK(dns_rbt_deletetree(rbt, DOWN(node))
+ == ISC_R_SUCCESS);
+ else {
+ if (DATA(node) != NULL && rbt->data_deleter != NULL)
+ rbt->data_deleter(DATA(node),
+ rbt->deleter_arg);
+ DATA(node) = NULL;
+
+ /*
+ * Since there is at least one node below this one and
+ * no recursion was requested, the deletion is
+ * complete. The down node from this node might be all
+ * by itself on a single level, so join_nodes() could
+ * be used to collapse the tree (with all the caveats
+ * of the comment at the start of this function).
+ */
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ /*
+ * Note the node that points to the level of the node that is being
+ * deleted. If the deleted node is the top level, parent will be set
+ * to NULL.
+ */
+ parent = find_up(node);
+
+ /*
+ * This node now has no down pointer (either because it didn't
+ * have one to start, or because it was recursively removed).
+ * So now the node needs to be removed from this level.
+ */
+ dns_rbt_deletefromlevel(node, parent == NULL ? &rbt->root :
+ &DOWN(parent));
+
+ if (DATA(node) != NULL && rbt->data_deleter != NULL)
+ rbt->data_deleter(DATA(node), rbt->deleter_arg);
+
+ unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+ node->magic = 0;
+#endif
+ isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
+ rbt->nodecount--;
+
+ /*
+ * There are now two special cases that can exist that would
+ * not have existed if the tree had been created using only
+ * the names that now exist in it. (This is all related to
+ * join_nodes() as described in this function's introductory comment.)
+ * Both cases exist when the deleted node's parent (the node
+ * that pointed to the deleted node's level) is not null but
+ * it has no data: parent != NULL && DATA(parent) == NULL.
+ *
+ * The first case is that the deleted node was the last on its level:
+ * DOWN(parent) == NULL. This case can only exist if the parent was
+ * previously deleted -- and so now, apparently, the parent should go
+ * away. That can't be done though because there might be external
+ * references to it, such as through a nodechain.
+ *
+ * The other case also involves a parent with no data, but with the
+ * deleted node being the next-to-last node instead of the last:
+ * LEFT(DOWN(parent)) == NULL && RIGHT(DOWN(parent)) == NULL.
+ * Presumably now the remaining node on the level should be joined
+ * with the parent, but it's already been described why that can't be
+ * done.
+ */
+
+ /*
+ * This function never fails.
+ */
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+ REQUIRE(name != NULL);
+ REQUIRE(name->offsets == NULL);
+
+ NODENAME(node, name);
+}
+
+isc_result_t
+dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name) {
+ dns_name_t current;
+ isc_result_t result;
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+ REQUIRE(name != NULL);
+ REQUIRE(name->buffer != NULL);
+
+ dns_name_init(&current, NULL);
+ dns_name_reset(name);
+
+ do {
+ INSIST(node != NULL);
+
+ NODENAME(node, &current);
+
+ result = dns_name_concatenate(name, &current, name, NULL);
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ node = find_up(node);
+ } while (! dns_name_isabsolute(name));
+
+ return (result);
+}
+
+char *
+dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname, unsigned int size)
+{
+ dns_fixedname_t fixedname;
+ dns_name_t *name;
+ isc_result_t result;
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+ REQUIRE(printname != NULL);
+
+ dns_fixedname_init(&fixedname);
+ name = dns_fixedname_name(&fixedname);
+ result = dns_rbt_fullnamefromnode(node, name);
+ if (result == ISC_R_SUCCESS)
+ dns_name_format(name, printname, size);
+ else
+ snprintf(printname, size, "<error building name: %s>",
+ dns_result_totext(result));
+
+ return (printname);
+}
+
+static isc_result_t
+create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
+ dns_rbtnode_t *node;
+ isc_region_t region;
+ unsigned int labels;
+
+ REQUIRE(name->offsets != NULL);
+
+ dns_name_toregion(name, &region);
+ labels = dns_name_countlabels(name);
+ ENSURE(labels > 0);
+
+ /*
+ * Allocate space for the node structure, the name, and the offsets.
+ */
+ node = (dns_rbtnode_t *)isc_mem_get(mctx, sizeof(*node) +
+ region.length + labels);
+
+ if (node == NULL)
+ return (ISC_R_NOMEMORY);
+
+ node->is_root = 0;
+ PARENT(node) = NULL;
+ RIGHT(node) = NULL;
+ LEFT(node) = NULL;
+ DOWN(node) = NULL;
+ DATA(node) = NULL;
+#ifdef DNS_RBT_USEHASH
+ HASHNEXT(node) = NULL;
+ HASHVAL(node) = 0;
+#endif
+
+ LOCKNUM(node) = 0;
+ REFS(node) = 0;
+ WILD(node) = 0;
+ DIRTY(node) = 0;
+ node->find_callback = 0;
+
+ MAKE_BLACK(node);
+
+ /*
+ * The following is stored to make reconstructing a name from the
+ * stored value in the node easy: the length of the name, the number
+ * of labels, whether the name is absolute or not, the name itself,
+ * and the name's offsets table.
+ *
+ * XXX RTH
+ * The offsets table could be made smaller by eliminating the
+ * first offset, which is always 0. This requires changes to
+ * lib/dns/name.c.
+ */
+ NAMELEN(node) = region.length;
+ PADBYTES(node) = 0;
+ OFFSETLEN(node) = labels;
+ ATTRS(node) = name->attributes;
+
+ memcpy(NAME(node), region.base, region.length);
+ memcpy(OFFSETS(node), name->offsets, labels);
+
+#if DNS_RBT_USEMAGIC
+ node->magic = DNS_RBTNODE_MAGIC;
+#endif
+ *nodep = node;
+
+ return (ISC_R_SUCCESS);
+}
+
+#ifdef DNS_RBT_USEHASH
+static inline void
+hash_add_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+ unsigned int hash;
+
+ compute_node_hash(node);
+
+ hash = HASHVAL(node) % rbt->hashsize;
+ HASHNEXT(node) = rbt->hashtable[hash];
+
+ rbt->hashtable[hash] = node;
+}
+
+static isc_result_t
+inithash(dns_rbt_t *rbt) {
+ unsigned int bytes;
+
+ rbt->hashsize = RBT_HASH_SIZE;
+ bytes = rbt->hashsize * sizeof(dns_rbtnode_t *);
+ rbt->hashtable = isc_mem_get(rbt->mctx, bytes);
+
+ if (rbt->hashtable == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(rbt->hashtable, 0, bytes);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rehash(dns_rbt_t *rbt) {
+ unsigned int oldsize;
+ dns_rbtnode_t **oldtable;
+ dns_rbtnode_t *node;
+ unsigned int hash;
+ unsigned int i;
+
+ oldsize = rbt->hashsize;
+ oldtable = rbt->hashtable;
+ rbt->hashsize *= 2 + 1;
+ rbt->hashtable = isc_mem_get(rbt->mctx,
+ rbt->hashsize * sizeof(dns_rbtnode_t *));
+ if (rbt->hashtable == NULL) {
+ rbt->hashtable = oldtable;
+ rbt->hashsize = oldsize;
+ return;
+ }
+
+ for (i = 0; i < rbt->hashsize; i++)
+ rbt->hashtable[i] = NULL;
+
+ for (i = 0; i < oldsize; i++) {
+ node = oldtable[i];
+ while (node != NULL) {
+ hash = HASHVAL(node) % rbt->hashsize;
+ oldtable[i] = HASHNEXT(node);
+ HASHNEXT(node) = rbt->hashtable[hash];
+ rbt->hashtable[hash] = node;
+ node = oldtable[i];
+ }
+ }
+
+ isc_mem_put(rbt->mctx, oldtable, oldsize * sizeof(dns_rbtnode_t *));
+}
+
+static inline void
+hash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+
+ if (rbt->nodecount >= (rbt->hashsize *3))
+ rehash(rbt);
+
+ hash_add_node(rbt, node);
+}
+
+static inline void
+unhash_node(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+ unsigned int bucket;
+ dns_rbtnode_t *bucket_node;
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+
+ if (rbt->hashtable != NULL) {
+ bucket = HASHVAL(node) % rbt->hashsize;
+ bucket_node = rbt->hashtable[bucket];
+
+ if (bucket_node == node)
+ rbt->hashtable[bucket] = HASHNEXT(node);
+ else {
+ while (HASHNEXT(bucket_node) != node) {
+ INSIST(HASHNEXT(bucket_node) != NULL);
+ bucket_node = HASHNEXT(bucket_node);
+ }
+ HASHNEXT(bucket_node) = HASHNEXT(node);
+ }
+ }
+}
+#endif /* DNS_RBT_USEHASH */
+
+static inline void
+rotate_left(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+ dns_rbtnode_t *child;
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+ REQUIRE(rootp != NULL);
+
+ child = RIGHT(node);
+ INSIST(child != NULL);
+
+ RIGHT(node) = LEFT(child);
+ if (LEFT(child) != NULL)
+ PARENT(LEFT(child)) = node;
+ LEFT(child) = node;
+
+ if (child != NULL)
+ PARENT(child) = PARENT(node);
+
+ if (IS_ROOT(node)) {
+ *rootp = child;
+ child->is_root = 1;
+ node->is_root = 0;
+
+ } else {
+ if (LEFT(PARENT(node)) == node)
+ LEFT(PARENT(node)) = child;
+ else
+ RIGHT(PARENT(node)) = child;
+ }
+
+ PARENT(node) = child;
+}
+
+static inline void
+rotate_right(dns_rbtnode_t *node, dns_rbtnode_t **rootp) {
+ dns_rbtnode_t *child;
+
+ REQUIRE(DNS_RBTNODE_VALID(node));
+ REQUIRE(rootp != NULL);
+
+ child = LEFT(node);
+ INSIST(child != NULL);
+
+ LEFT(node) = RIGHT(child);
+ if (RIGHT(child) != NULL)
+ PARENT(RIGHT(child)) = node;
+ RIGHT(child) = node;
+
+ if (child != NULL)
+ PARENT(child) = PARENT(node);
+
+ if (IS_ROOT(node)) {
+ *rootp = child;
+ child->is_root = 1;
+ node->is_root = 0;
+
+ } else {
+ if (LEFT(PARENT(node)) == node)
+ LEFT(PARENT(node)) = child;
+ else
+ RIGHT(PARENT(node)) = child;
+ }
+
+ PARENT(node) = child;
+}
+
+/*
+ * This is the real workhorse of the insertion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+dns_rbt_addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
+ dns_rbtnode_t **rootp)
+{
+ dns_rbtnode_t *child, *root, *parent, *grandparent;
+ dns_name_t add_name, current_name;
+ dns_offsets_t add_offsets, current_offsets;
+
+ REQUIRE(rootp != NULL);
+ REQUIRE(DNS_RBTNODE_VALID(node) && LEFT(node) == NULL &&
+ RIGHT(node) == NULL);
+ REQUIRE(current != NULL);
+
+ root = *rootp;
+ if (root == NULL) {
+ /*
+ * First node of a level.
+ */
+ MAKE_BLACK(node);
+ node->is_root = 1;
+ PARENT(node) = current;
+ *rootp = node;
+ return;
+ }
+
+ child = root;
+
+ dns_name_init(&add_name, add_offsets);
+ NODENAME(node, &add_name);
+
+ dns_name_init(&current_name, current_offsets);
+ NODENAME(current, &current_name);
+
+ if (order < 0) {
+ INSIST(LEFT(current) == NULL);
+ LEFT(current) = node;
+ } else {
+ INSIST(RIGHT(current) == NULL);
+ RIGHT(current) = node;
+ }
+
+ INSIST(PARENT(node) == NULL);
+ PARENT(node) = current;
+
+ MAKE_RED(node);
+
+ while (node != root && IS_RED(PARENT(node))) {
+ /*
+ * XXXDCL could do away with separate parent and grandparent
+ * variables. They are vestiges of the days before parent
+ * pointers. However, they make the code a little clearer.
+ */
+
+ parent = PARENT(node);
+ grandparent = PARENT(parent);
+
+ if (parent == LEFT(grandparent)) {
+ child = RIGHT(grandparent);
+ if (child != NULL && IS_RED(child)) {
+ MAKE_BLACK(parent);
+ MAKE_BLACK(child);
+ MAKE_RED(grandparent);
+ node = grandparent;
+ } else {
+ if (node == RIGHT(parent)) {
+ rotate_left(parent, &root);
+ node = parent;
+ parent = PARENT(node);
+ grandparent = PARENT(parent);
+ }
+ MAKE_BLACK(parent);
+ MAKE_RED(grandparent);
+ rotate_right(grandparent, &root);
+ }
+ } else {
+ child = LEFT(grandparent);
+ if (child != NULL && IS_RED(child)) {
+ MAKE_BLACK(parent);
+ MAKE_BLACK(child);
+ MAKE_RED(grandparent);
+ node = grandparent;
+ } else {
+ if (node == LEFT(parent)) {
+ rotate_right(parent, &root);
+ node = parent;
+ parent = PARENT(node);
+ grandparent = PARENT(parent);
+ }
+ MAKE_BLACK(parent);
+ MAKE_RED(grandparent);
+ rotate_left(grandparent, &root);
+ }
+ }
+ }
+
+ MAKE_BLACK(root);
+ ENSURE(IS_ROOT(root));
+ *rootp = root;
+
+ return;
+}
+
+/*
+ * This is the real workhorse of the deletion code, because it does the
+ * true red/black tree on a single level.
+ */
+static void
+dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
+ dns_rbtnode_t *child, *sibling, *parent;
+ dns_rbtnode_t *successor;
+
+ REQUIRE(delete != NULL);
+
+ /*
+ * Verify that the parent history is (apparently) correct.
+ */
+ INSIST((IS_ROOT(delete) && *rootp == delete) ||
+ (! IS_ROOT(delete) &&
+ (LEFT(PARENT(delete)) == delete ||
+ RIGHT(PARENT(delete)) == delete)));
+
+ child = NULL;
+
+ if (LEFT(delete) == NULL) {
+ if (RIGHT(delete) == NULL) {
+ if (IS_ROOT(delete)) {
+ /*
+ * This is the only item in the tree.
+ */
+ *rootp = NULL;
+ return;
+ }
+ } else
+ /*
+ * This node has one child, on the right.
+ */
+ child = RIGHT(delete);
+
+ } else if (RIGHT(delete) == NULL)
+ /*
+ * This node has one child, on the left.
+ */
+ child = LEFT(delete);
+ else {
+ dns_rbtnode_t holder, *tmp = &holder;
+
+ /*
+ * This node has two children, so it cannot be directly
+ * deleted. Find its immediate in-order successor and
+ * move it to this location, then do the deletion at the
+ * old site of the successor.
+ */
+ successor = RIGHT(delete);
+ while (LEFT(successor) != NULL)
+ successor = LEFT(successor);
+
+ /*
+ * The successor cannot possibly have a left child;
+ * if there is any child, it is on the right.
+ */
+ if (RIGHT(successor) != NULL)
+ child = RIGHT(successor);
+
+ /*
+ * Swap the two nodes; it would be simpler to just replace
+ * the value being deleted with that of the successor,
+ * but this rigamarole is done so the caller has complete
+ * control over the pointers (and memory allocation) of
+ * all of nodes. If just the key value were removed from
+ * the tree, the pointer to the node would be unchanged.
+ */
+
+ /*
+ * First, put the successor in the tree location of the
+ * node to be deleted. Save its existing tree pointer
+ * information, which will be needed when linking up
+ * delete to the successor's old location.
+ */
+ memcpy(tmp, successor, sizeof(dns_rbtnode_t));
+
+ if (IS_ROOT(delete)) {
+ *rootp = successor;
+ successor->is_root = ISC_TRUE;
+ delete->is_root = ISC_FALSE;
+
+ } else
+ if (LEFT(PARENT(delete)) == delete)
+ LEFT(PARENT(delete)) = successor;
+ else
+ RIGHT(PARENT(delete)) = successor;
+
+ PARENT(successor) = PARENT(delete);
+ LEFT(successor) = LEFT(delete);
+ RIGHT(successor) = RIGHT(delete);
+ COLOR(successor) = COLOR(delete);
+
+ if (LEFT(successor) != NULL)
+ PARENT(LEFT(successor)) = successor;
+ if (RIGHT(successor) != successor)
+ PARENT(RIGHT(successor)) = successor;
+
+ /*
+ * Now relink the node to be deleted into the
+ * successor's previous tree location. PARENT(tmp)
+ * is the successor's original parent.
+ */
+ INSIST(! IS_ROOT(delete));
+
+ if (PARENT(tmp) == delete) {
+ /*
+ * Node being deleted was successor's parent.
+ */
+ RIGHT(successor) = delete;
+ PARENT(delete) = successor;
+
+ } else {
+ LEFT(PARENT(tmp)) = delete;
+ PARENT(delete) = PARENT(tmp);
+ }
+
+ /*
+ * Original location of successor node has no left.
+ */
+ LEFT(delete) = NULL;
+ RIGHT(delete) = RIGHT(tmp);
+ COLOR(delete) = COLOR(tmp);
+ }
+
+ /*
+ * Remove the node by removing the links from its parent.
+ */
+ if (! IS_ROOT(delete)) {
+ if (LEFT(PARENT(delete)) == delete)
+ LEFT(PARENT(delete)) = child;
+ else
+ RIGHT(PARENT(delete)) = child;
+
+ if (child != NULL)
+ PARENT(child) = PARENT(delete);
+
+ } else {
+ /*
+ * This is the root being deleted, and at this point
+ * it is known to have just one child.
+ */
+ *rootp = child;
+ child->is_root = 1;
+ PARENT(child) = PARENT(delete);
+ }
+
+ /*
+ * Fix color violations.
+ */
+ if (IS_BLACK(delete)) {
+ parent = PARENT(delete);
+
+ while (child != *rootp && IS_BLACK(child)) {
+ INSIST(child == NULL || ! IS_ROOT(child));
+
+ if (LEFT(parent) == child) {
+ sibling = RIGHT(parent);
+
+ if (IS_RED(sibling)) {
+ MAKE_BLACK(sibling);
+ MAKE_RED(parent);
+ rotate_left(parent, rootp);
+ sibling = RIGHT(parent);
+ }
+
+ if (IS_BLACK(LEFT(sibling)) &&
+ IS_BLACK(RIGHT(sibling))) {
+ MAKE_RED(sibling);
+ child = parent;
+
+ } else {
+
+ if (IS_BLACK(RIGHT(sibling))) {
+ MAKE_BLACK(LEFT(sibling));
+ MAKE_RED(sibling);
+ rotate_right(sibling, rootp);
+ sibling = RIGHT(parent);
+ }
+
+ COLOR(sibling) = COLOR(parent);
+ MAKE_BLACK(parent);
+ MAKE_BLACK(RIGHT(sibling));
+ rotate_left(parent, rootp);
+ child = *rootp;
+ }
+
+ } else {
+ /*
+ * Child is parent's right child.
+ * Everything is doen the same as above,
+ * except mirrored.
+ */
+ sibling = LEFT(parent);
+
+ if (IS_RED(sibling)) {
+ MAKE_BLACK(sibling);
+ MAKE_RED(parent);
+ rotate_right(parent, rootp);
+ sibling = LEFT(parent);
+ }
+
+ if (IS_BLACK(LEFT(sibling)) &&
+ IS_BLACK(RIGHT(sibling))) {
+ MAKE_RED(sibling);
+ child = parent;
+
+ } else {
+ if (IS_BLACK(LEFT(sibling))) {
+ MAKE_BLACK(RIGHT(sibling));
+ MAKE_RED(sibling);
+ rotate_left(sibling, rootp);
+ sibling = LEFT(parent);
+ }
+
+ COLOR(sibling) = COLOR(parent);
+ MAKE_BLACK(parent);
+ MAKE_BLACK(LEFT(sibling));
+ rotate_right(parent, rootp);
+ child = *rootp;
+ }
+ }
+
+ parent = PARENT(child);
+ }
+
+ if (IS_RED(child))
+ MAKE_BLACK(child);
+ }
+}
+
+/*
+ * This should only be used on the root of a tree, because no color fixup
+ * is done at all.
+ *
+ * NOTE: No root pointer maintenance is done, because the function is only
+ * used for two cases:
+ * + deleting everything DOWN from a node that is itself being deleted, and
+ * + deleting the entire tree of trees from dns_rbt_destroy.
+ * In each case, the root pointer is no longer relevant, so there
+ * is no need for a root parameter to this function.
+ *
+ * If the function is ever intended to be used to delete something where
+ * a pointer needs to be told that this tree no longer exists,
+ * this function would need to adjusted accordingly.
+ */
+static isc_result_t
+dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
+ isc_result_t result = ISC_R_SUCCESS;
+ REQUIRE(VALID_RBT(rbt));
+
+ if (node == NULL)
+ return (result);
+
+ if (LEFT(node) != NULL) {
+ result = dns_rbt_deletetree(rbt, LEFT(node));
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ LEFT(node) = NULL;
+ }
+ if (RIGHT(node) != NULL) {
+ result = dns_rbt_deletetree(rbt, RIGHT(node));
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ RIGHT(node) = NULL;
+ }
+ if (DOWN(node) != NULL) {
+ result = dns_rbt_deletetree(rbt, DOWN(node));
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ DOWN(node) = NULL;
+ }
+ done:
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (rbt->quantum != 0 && --rbt->quantum == 0)
+ return (ISC_R_QUOTA);
+
+ if (DATA(node) != NULL && rbt->data_deleter != NULL)
+ rbt->data_deleter(DATA(node), rbt->deleter_arg);
+
+ unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+ node->magic = 0;
+#endif
+ isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
+ rbt->nodecount--;
+ return (result);
+}
+
+static void
+dns_rbt_deletetreeflat(dns_rbt_t *rbt, dns_rbtnode_t **nodep) {
+ dns_rbtnode_t *parent;
+ dns_rbtnode_t *node = *nodep;
+ REQUIRE(VALID_RBT(rbt));
+
+ again:
+ if (node == NULL) {
+ *nodep = NULL;
+ return;
+ }
+
+ traverse:
+ if (LEFT(node) != NULL) {
+ node = LEFT(node);
+ goto traverse;
+ }
+ if (RIGHT(node) != NULL) {
+ node = RIGHT(node);
+ goto traverse;
+ }
+ if (DOWN(node) != NULL) {
+ node = DOWN(node);
+ goto traverse;
+ }
+
+ if (DATA(node) != NULL && rbt->data_deleter != NULL)
+ rbt->data_deleter(DATA(node), rbt->deleter_arg);
+
+ unhash_node(rbt, node);
+#if DNS_RBT_USEMAGIC
+ node->magic = 0;
+#endif
+ parent = PARENT(node);
+ if (parent != NULL) {
+ if (LEFT(parent) == node)
+ LEFT(parent) = NULL;
+ else if (DOWN(parent) == node)
+ DOWN(parent) = NULL;
+ else if (RIGHT(parent) == node)
+ RIGHT(parent) = NULL;
+ }
+ isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
+ rbt->nodecount--;
+ node = parent;
+ if (rbt->quantum != 0 && --rbt->quantum == 0) {
+ *nodep = node;
+ return;
+ }
+ goto again;
+}
+
+static void
+dns_rbt_indent(int depth) {
+ int i;
+
+ for (i = 0; i < depth; i++)
+ putchar('\t');
+}
+
+static void
+dns_rbt_printnodename(dns_rbtnode_t *node) {
+ isc_region_t r;
+ dns_name_t name;
+ char buffer[DNS_NAME_FORMATSIZE];
+ dns_offsets_t offsets;
+
+ r.length = NAMELEN(node);
+ r.base = NAME(node);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &r);
+
+ dns_name_format(&name, buffer, sizeof(buffer));
+
+ printf("%s", buffer);
+}
+
+static void
+dns_rbt_printtree(dns_rbtnode_t *root, dns_rbtnode_t *parent, int depth) {
+ dns_rbt_indent(depth);
+
+ if (root != NULL) {
+ dns_rbt_printnodename(root);
+ printf(" (%s", IS_RED(root) ? "RED" : "black");
+ if (parent) {
+ printf(" from ");
+ dns_rbt_printnodename(parent);
+ }
+
+ if ((! IS_ROOT(root) && PARENT(root) != parent) ||
+ ( IS_ROOT(root) && depth > 0 &&
+ DOWN(PARENT(root)) != root)) {
+
+ printf(" (BAD parent pointer! -> ");
+ if (PARENT(root) != NULL)
+ dns_rbt_printnodename(PARENT(root));
+ else
+ printf("NULL");
+ printf(")");
+ }
+
+ printf(")\n");
+
+
+ depth++;
+
+ if (DOWN(root)) {
+ dns_rbt_indent(depth);
+ printf("++ BEG down from ");
+ dns_rbt_printnodename(root);
+ printf("\n");
+ dns_rbt_printtree(DOWN(root), NULL, depth);
+ dns_rbt_indent(depth);
+ printf("-- END down from ");
+ dns_rbt_printnodename(root);
+ printf("\n");
+ }
+
+ if (IS_RED(root) && IS_RED(LEFT(root)))
+ printf("** Red/Red color violation on left\n");
+ dns_rbt_printtree(LEFT(root), root, depth);
+
+ if (IS_RED(root) && IS_RED(RIGHT(root)))
+ printf("** Red/Red color violation on right\n");
+ dns_rbt_printtree(RIGHT(root), root, depth);
+
+ } else
+ printf("NULL\n");
+}
+
+void
+dns_rbt_printall(dns_rbt_t *rbt) {
+ REQUIRE(VALID_RBT(rbt));
+
+ dns_rbt_printtree(rbt->root, NULL, 0);
+}
+
+/*
+ * Chain Functions
+ */
+
+void
+dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx) {
+ /*
+ * Initialize 'chain'.
+ */
+
+ REQUIRE(chain != NULL);
+
+ chain->mctx = mctx;
+ chain->end = NULL;
+ chain->level_count = 0;
+ chain->level_matches = 0;
+
+ chain->magic = CHAIN_MAGIC;
+}
+
+isc_result_t
+dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin, dns_rbtnode_t **node)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(VALID_CHAIN(chain));
+
+ if (node != NULL)
+ *node = chain->end;
+
+ if (chain->end == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (name != NULL) {
+ NODENAME(chain->end, name);
+
+ if (chain->level_count == 0) {
+ /*
+ * Names in the top level tree are all absolute.
+ * Always make 'name' relative.
+ */
+ INSIST(dns_name_isabsolute(name));
+
+ /*
+ * This is cheaper than dns_name_getlabelsequence().
+ */
+ name->labels--;
+ name->length--;
+ name->attributes &= ~DNS_NAMEATTR_ABSOLUTE;
+ }
+ }
+
+ if (origin != NULL) {
+ if (chain->level_count > 0)
+ result = chain_name(chain, origin, ISC_FALSE);
+ else
+ result = dns_name_copy(dns_rootname, origin, NULL);
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin)
+{
+ dns_rbtnode_t *current, *previous, *predecessor;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t new_origin = ISC_FALSE;
+
+ REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+ predecessor = NULL;
+
+ current = chain->end;
+
+ if (LEFT(current) != NULL) {
+ /*
+ * Moving left one then right as far as possible is the
+ * previous node, at least for this level.
+ */
+ current = LEFT(current);
+
+ while (RIGHT(current) != NULL)
+ current = RIGHT(current);
+
+ predecessor = current;
+
+ } else {
+ /*
+ * No left links, so move toward the root. If at any point on
+ * the way there the link from parent to child is a right
+ * link, then the parent is the previous node, at least
+ * for this level.
+ */
+ while (! IS_ROOT(current)) {
+ previous = current;
+ current = PARENT(current);
+
+ if (RIGHT(current) == previous) {
+ predecessor = current;
+ break;
+ }
+ }
+ }
+
+ if (predecessor != NULL) {
+ /*
+ * Found a predecessor node in this level. It might not
+ * really be the predecessor, however.
+ */
+ if (DOWN(predecessor) != NULL) {
+ /*
+ * The predecessor is really down at least one level.
+ * Go down and as far right as possible, and repeat
+ * as long as the rightmost node has a down pointer.
+ */
+ do {
+ /*
+ * XXX DCL Need to do something about origins
+ * here. See whether to go down, and if so
+ * whether it is truly what Bob calls a
+ * new origin.
+ */
+ ADD_LEVEL(chain, predecessor);
+ predecessor = DOWN(predecessor);
+
+ /* XXX DCL duplicated from above; clever
+ * way to unduplicate? */
+
+ while (RIGHT(predecessor) != NULL)
+ predecessor = RIGHT(predecessor);
+ } while (DOWN(predecessor) != NULL);
+
+ /* XXX DCL probably needs work on the concept */
+ if (origin != NULL)
+ new_origin = ISC_TRUE;
+ }
+
+ } else if (chain->level_count > 0) {
+ /*
+ * Dang, didn't find a predecessor in this level.
+ * Got to the root of this level without having traversed
+ * any right links. Ascend the tree one level; the
+ * node that points to this tree is the predecessor.
+ */
+ INSIST(chain->level_count > 0 && IS_ROOT(current));
+ predecessor = chain->levels[--chain->level_count];
+
+ /* XXX DCL probably needs work on the concept */
+ /*
+ * Don't declare an origin change when the new origin is "."
+ * at the top level tree, because "." is declared as the origin
+ * for the second level tree.
+ */
+ if (origin != NULL &&
+ (chain->level_count > 0 || OFFSETLEN(predecessor) > 1))
+ new_origin = ISC_TRUE;
+ }
+
+ if (predecessor != NULL) {
+ chain->end = predecessor;
+
+ if (new_origin) {
+ result = dns_rbtnodechain_current(chain, name, origin,
+ NULL);
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_NEWORIGIN;
+
+ } else
+ result = dns_rbtnodechain_current(chain, name, NULL,
+ NULL);
+
+ } else
+ result = ISC_R_NOMORE;
+
+ return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
+ dns_name_t *origin)
+{
+ dns_rbtnode_t *current, *previous, *successor;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t new_origin = ISC_FALSE;
+
+ REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+ successor = NULL;
+
+ current = chain->end;
+
+ /*
+ * If there is a level below this node, the next node is the leftmost
+ * node of the next level.
+ */
+ if (DOWN(current) != NULL) {
+ /*
+ * Don't declare an origin change when the new origin is "."
+ * at the second level tree, because "." is already declared
+ * as the origin for the top level tree.
+ */
+ if (chain->level_count > 0 ||
+ OFFSETLEN(current) > 1)
+ new_origin = ISC_TRUE;
+
+ ADD_LEVEL(chain, current);
+ current = DOWN(current);
+
+ while (LEFT(current) != NULL)
+ current = LEFT(current);
+
+ successor = current;
+
+ } else if (RIGHT(current) == NULL) {
+ /*
+ * The successor is up, either in this level or a previous one.
+ * Head back toward the root of the tree, looking for any path
+ * that was via a left link; the successor is the node that has
+ * that left link. In the event the root of the level is
+ * reached without having traversed any left links, ascend one
+ * level and look for either a right link off the point of
+ * ascent, or search for a left link upward again, repeating
+ * ascents until either case is true.
+ */
+ do {
+ while (! IS_ROOT(current)) {
+ previous = current;
+ current = PARENT(current);
+
+ if (LEFT(current) == previous) {
+ successor = current;
+ break;
+ }
+ }
+
+ if (successor == NULL) {
+ /*
+ * Reached the root without having traversed
+ * any left pointers, so this level is done.
+ */
+ if (chain->level_count == 0)
+ break;
+
+ current = chain->levels[--chain->level_count];
+ new_origin = ISC_TRUE;
+
+ if (RIGHT(current) != NULL)
+ break;
+ }
+ } while (successor == NULL);
+ }
+
+ if (successor == NULL && RIGHT(current) != NULL) {
+ current = RIGHT(current);
+
+ while (LEFT(current) != NULL)
+ current = LEFT(current);
+
+ successor = current;
+ }
+
+ if (successor != NULL) {
+ chain->end = successor;
+
+ /*
+ * It is not necessary to use dns_rbtnodechain_current like
+ * the other functions because this function will never
+ * find a node in the topmost level. This is because the
+ * root level will never be more than one name, and everything
+ * in the megatree is a successor to that node, down at
+ * the second level or below.
+ */
+
+ if (name != NULL)
+ NODENAME(chain->end, name);
+
+ if (new_origin) {
+ if (origin != NULL)
+ result = chain_name(chain, origin, ISC_FALSE);
+
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_NEWORIGIN;
+
+ } else
+ result = ISC_R_SUCCESS;
+
+ } else
+ result = ISC_R_NOMORE;
+
+ return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+ dns_name_t *name, dns_name_t *origin)
+
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(VALID_CHAIN(chain));
+
+ dns_rbtnodechain_reset(chain);
+
+ chain->end = rbt->root;
+
+ result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_NEWORIGIN;
+
+ return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
+ dns_name_t *name, dns_name_t *origin)
+
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_RBT(rbt));
+ REQUIRE(VALID_CHAIN(chain));
+
+ dns_rbtnodechain_reset(chain);
+
+ result = move_chain_to_last(chain, rbt->root);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_rbtnodechain_current(chain, name, origin, NULL);
+
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_NEWORIGIN;
+
+ return (result);
+}
+
+
+void
+dns_rbtnodechain_reset(dns_rbtnodechain_t *chain) {
+ /*
+ * Free any dynamic storage associated with 'chain', and then
+ * reinitialize 'chain'.
+ */
+
+ REQUIRE(VALID_CHAIN(chain));
+
+ chain->end = NULL;
+ chain->level_count = 0;
+ chain->level_matches = 0;
+}
+
+void
+dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain) {
+ /*
+ * Free any dynamic storage associated with 'chain', and then
+ * invalidate 'chain'.
+ */
+
+ dns_rbtnodechain_reset(chain);
+
+ chain->magic = 0;
+}
diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c
new file mode 100644
index 0000000..a0e5ab5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rbtdb.c
@@ -0,0 +1,5706 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbtdb.c,v 1.168.2.11.2.16 2004/05/23 11:07:23 marka Exp $ */
+
+/*
+ * Principal Author: Bob Halley
+ */
+
+#include <config.h>
+
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/mutex.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/events.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/masterdump.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataslab.h>
+#include <dns/result.h>
+#include <dns/zonekey.h>
+
+#ifdef DNS_RBTDB_VERSION64
+#include "rbtdb64.h"
+#else
+#include "rbtdb.h"
+#endif
+
+#ifdef DNS_RBTDB_VERSION64
+#define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '8')
+#else
+#define RBTDB_MAGIC ISC_MAGIC('R', 'B', 'D', '4')
+#endif
+
+/*
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_RBTDB(rbtdb) ((rbtdb) != NULL && \
+ (rbtdb)->common.impmagic == RBTDB_MAGIC)
+
+#ifdef DNS_RBTDB_VERSION64
+typedef isc_uint64_t rbtdb_serial_t;
+/*
+ * Make casting easier in symbolic debuggers by using different names
+ * for the 64 bit version.
+ */
+#define dns_rbtdb_t dns_rbtdb64_t
+#define rdatasetheader_t rdatasetheader64_t
+#define rbtdb_version_t rbtdb_version64_t
+#else
+typedef isc_uint32_t rbtdb_serial_t;
+#endif
+
+typedef isc_uint32_t rbtdb_rdatatype_t;
+
+#define RBTDB_RDATATYPE_BASE(type) ((dns_rdatatype_t)((type) & 0xFFFF))
+#define RBTDB_RDATATYPE_EXT(type) ((dns_rdatatype_t)((type) >> 16))
+#define RBTDB_RDATATYPE_VALUE(b, e) (((e) << 16) | (b))
+
+#define RBTDB_RDATATYPE_SIGNSEC \
+ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
+#define RBTDB_RDATATYPE_SIGNS \
+ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
+#define RBTDB_RDATATYPE_SIGCNAME \
+ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname)
+#define RBTDB_RDATATYPE_SIGDNAME \
+ RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname)
+#define RBTDB_RDATATYPE_NCACHEANY \
+ RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_any)
+
+struct noqname {
+ dns_name_t name;
+ void * nsec;
+ void * nsecsig;
+};
+
+typedef struct rdatasetheader {
+ /*
+ * Locked by the owning node's lock.
+ */
+ rbtdb_serial_t serial;
+ dns_ttl_t ttl;
+ rbtdb_rdatatype_t type;
+ isc_uint16_t attributes;
+ dns_trust_t trust;
+ struct noqname *noqname;
+ /*
+ * We don't use the LIST macros, because the LIST structure has
+ * both head and tail pointers, and is doubly linked.
+ */
+
+ struct rdatasetheader *next;
+ /*
+ * If this is the top header for an rdataset, 'next' points
+ * to the top header for the next rdataset (i.e., the next type).
+ * Otherwise, it points up to the header whose down pointer points
+ * at this header.
+ */
+
+ struct rdatasetheader *down;
+ /*
+ * Points to the header for the next older version of
+ * this rdataset.
+ */
+
+ isc_uint32_t count;
+ /*
+ * Monotonously increased every time this rdataset is bound so that
+ * it is used as the base of the starting point in DNS responses
+ * when the "cyclic" rrset-order is required. Since the ordering
+ * should not be so crucial, no lock is set for the counter for
+ * performance reasons.
+ */
+} rdatasetheader_t;
+
+#define RDATASET_ATTR_NONEXISTENT 0x0001
+#define RDATASET_ATTR_STALE 0x0002
+#define RDATASET_ATTR_IGNORE 0x0004
+#define RDATASET_ATTR_RETAIN 0x0008
+#define RDATASET_ATTR_NXDOMAIN 0x0010
+
+/*
+ * XXX
+ * When the cache will pre-expire data (due to memory low or other
+ * situations) before the rdataset's TTL has expired, it MUST
+ * respect the RETAIN bit and not expire the data until its TTL is
+ * expired.
+ */
+
+#undef IGNORE /* WIN32 winbase.h defines this. */
+
+#define EXISTS(header) \
+ (((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0)
+#define NONEXISTENT(header) \
+ (((header)->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
+#define IGNORE(header) \
+ (((header)->attributes & RDATASET_ATTR_IGNORE) != 0)
+#define RETAIN(header) \
+ (((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
+#define NXDOMAIN(header) \
+ (((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+
+#define DEFAULT_NODE_LOCK_COUNT 7 /* Should be prime. */
+
+typedef struct {
+ isc_mutex_t lock;
+ /* Locked by lock. */
+ unsigned int references;
+ isc_boolean_t exiting;
+} rbtdb_nodelock_t;
+
+typedef struct rbtdb_changed {
+ dns_rbtnode_t * node;
+ isc_boolean_t dirty;
+ ISC_LINK(struct rbtdb_changed) link;
+} rbtdb_changed_t;
+
+typedef ISC_LIST(rbtdb_changed_t) rbtdb_changedlist_t;
+
+typedef struct rbtdb_version {
+ /* Not locked */
+ rbtdb_serial_t serial;
+ /* Locked by database lock. */
+ isc_boolean_t writer;
+ unsigned int references;
+ isc_boolean_t commit_ok;
+ rbtdb_changedlist_t changed_list;
+ ISC_LINK(struct rbtdb_version) link;
+} rbtdb_version_t;
+
+typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
+
+typedef struct {
+ /* Unlocked. */
+ dns_db_t common;
+ isc_mutex_t lock;
+ isc_rwlock_t tree_lock;
+ unsigned int node_lock_count;
+ rbtdb_nodelock_t * node_locks;
+ dns_rbtnode_t * origin_node;
+ /* Locked by lock. */
+ unsigned int active;
+ isc_refcount_t references;
+ unsigned int attributes;
+ rbtdb_serial_t current_serial;
+ rbtdb_serial_t least_serial;
+ rbtdb_serial_t next_serial;
+ rbtdb_version_t * current_version;
+ rbtdb_version_t * future_version;
+ rbtdb_versionlist_t open_versions;
+ isc_boolean_t overmem;
+ isc_task_t * task;
+ /* Locked by tree_lock. */
+ dns_rbt_t * tree;
+ isc_boolean_t secure;
+} dns_rbtdb_t;
+
+#define RBTDB_ATTR_LOADED 0x01
+#define RBTDB_ATTR_LOADING 0x02
+
+/*
+ * Search Context
+ */
+typedef struct {
+ dns_rbtdb_t * rbtdb;
+ rbtdb_version_t * rbtversion;
+ rbtdb_serial_t serial;
+ unsigned int options;
+ dns_rbtnodechain_t chain;
+ isc_boolean_t copy_name;
+ isc_boolean_t need_cleanup;
+ isc_boolean_t wild;
+ dns_rbtnode_t * zonecut;
+ rdatasetheader_t * zonecut_rdataset;
+ rdatasetheader_t * zonecut_sigrdataset;
+ dns_fixedname_t zonecut_name;
+ isc_stdtime_t now;
+} rbtdb_search_t;
+
+/*
+ * Load Context
+ */
+typedef struct {
+ dns_rbtdb_t * rbtdb;
+ isc_stdtime_t now;
+} rbtdb_load_t;
+
+static void rdataset_disassociate(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_first(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_next(dns_rdataset_t *rdataset);
+static void rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+static unsigned int rdataset_count(dns_rdataset_t *rdataset);
+static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
+ dns_name_t *name,
+ dns_rdataset_t *nsec,
+ dns_rdataset_t *nsecsig);
+
+static dns_rdatasetmethods_t rdataset_methods = {
+ rdataset_disassociate,
+ rdataset_first,
+ rdataset_next,
+ rdataset_current,
+ rdataset_clone,
+ rdataset_count,
+ NULL,
+ rdataset_getnoqname
+};
+
+static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+ rdatasetiter_destroy,
+ rdatasetiter_first,
+ rdatasetiter_next,
+ rdatasetiter_current
+};
+
+typedef struct rbtdb_rdatasetiter {
+ dns_rdatasetiter_t common;
+ rdatasetheader_t * current;
+} rbtdb_rdatasetiter_t;
+
+static void dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator,
+ dns_name_t *name);
+static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_current(dns_dbiterator_t *iterator,
+ dns_dbnode_t **nodep,
+ dns_name_t *name);
+static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator,
+ dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+ dbiterator_destroy,
+ dbiterator_first,
+ dbiterator_last,
+ dbiterator_seek,
+ dbiterator_prev,
+ dbiterator_next,
+ dbiterator_current,
+ dbiterator_pause,
+ dbiterator_origin
+};
+
+#define DELETION_BATCH_MAX 64
+
+/*
+ * If 'paused' is ISC_TRUE, then the tree lock is not being held.
+ */
+typedef struct rbtdb_dbiterator {
+ dns_dbiterator_t common;
+ isc_boolean_t paused;
+ isc_boolean_t new_origin;
+ isc_rwlocktype_t tree_locked;
+ isc_result_t result;
+ dns_fixedname_t name;
+ dns_fixedname_t origin;
+ dns_rbtnodechain_t chain;
+ dns_rbtnode_t *node;
+ dns_rbtnode_t *deletions[DELETION_BATCH_MAX];
+ int delete;
+} rbtdb_dbiterator_t;
+
+
+#define IS_STUB(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_STUB) != 0)
+#define IS_CACHE(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_CACHE) != 0)
+
+static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
+ isc_event_t *event);
+
+/*
+ * Locking
+ *
+ * If a routine is going to lock more than one lock in this module, then
+ * the locking must be done in the following order:
+ *
+ * Tree Lock
+ *
+ * Node Lock (Only one from the set may be locked at one time by
+ * any caller)
+ *
+ * Database Lock
+ *
+ * Failure to follow this hierarchy can result in deadlock.
+ */
+
+/*
+ * Deleting Nodes
+ *
+ * Currently there is no deletion of nodes from the database, except when
+ * the database is being destroyed.
+ *
+ * If node deletion is added in the future, then for zone databases the node
+ * for the origin of the zone MUST NOT be deleted.
+ */
+
+
+/*
+ * DB Routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)source;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ isc_refcount_increment(&rbtdb->references, NULL);
+
+ *targetp = source;
+}
+
+static void
+free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
+ dns_rbtdb_t *rbtdb = event->ev_arg;
+
+ UNUSED(task);
+
+ free_rbtdb(rbtdb, ISC_TRUE, event);
+}
+
+static void
+free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
+ unsigned int i;
+ isc_ondestroy_t ondest;
+ isc_result_t result;
+ char buf[DNS_NAME_FORMATSIZE];
+
+ REQUIRE(EMPTY(rbtdb->open_versions));
+ REQUIRE(rbtdb->future_version == NULL);
+
+ if (rbtdb->current_version != NULL)
+ isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
+ sizeof(rbtdb_version_t));
+ again:
+ if (rbtdb->tree != NULL) {
+ result = dns_rbt_destroy2(&rbtdb->tree,
+ (rbtdb->task != NULL) ? 5 : 0);
+ if (result == ISC_R_QUOTA) {
+ INSIST(rbtdb->task != NULL);
+ if (event == NULL)
+ event = isc_event_allocate(rbtdb->common.mctx,
+ NULL,
+ DNS_EVENT_FREESTORAGE,
+ free_rbtdb_callback,
+ rbtdb,
+ sizeof(isc_event_t));
+ if (event == NULL)
+ goto again;
+ isc_task_send(rbtdb->task, &event);
+ return;
+ }
+ INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL);
+ }
+ if (event != NULL)
+ isc_event_free(&event);
+ if (log) {
+ if (dns_name_dynamic(&rbtdb->common.origin))
+ dns_name_format(&rbtdb->common.origin, buf,
+ sizeof(buf));
+ else
+ strcpy(buf, "<UNKNOWN>");
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "done free_rbtdb(%s)", buf);
+ }
+ if (dns_name_dynamic(&rbtdb->common.origin))
+ dns_name_free(&rbtdb->common.origin, rbtdb->common.mctx);
+ for (i = 0; i < rbtdb->node_lock_count; i++)
+ DESTROYLOCK(&rbtdb->node_locks[i].lock);
+ isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
+ rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
+ isc_rwlock_destroy(&rbtdb->tree_lock);
+ isc_refcount_destroy(&rbtdb->references);
+ if (rbtdb->task != NULL)
+ isc_task_detach(&rbtdb->task);
+ DESTROYLOCK(&rbtdb->lock);
+ rbtdb->common.magic = 0;
+ rbtdb->common.impmagic = 0;
+ ondest = rbtdb->common.ondest;
+ isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
+ isc_ondestroy_notify(&ondest, rbtdb);
+}
+
+static inline void
+maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
+ isc_boolean_t want_free = ISC_FALSE;
+ unsigned int i;
+ unsigned int inactive = 0;
+
+ /* XXX check for open versions here */
+
+ /*
+ * Even though there are no external direct references, there still
+ * may be nodes in use.
+ */
+ for (i = 0; i < rbtdb->node_lock_count; i++) {
+ LOCK(&rbtdb->node_locks[i].lock);
+ rbtdb->node_locks[i].exiting = ISC_TRUE;
+ if (rbtdb->node_locks[i].references == 0)
+ inactive++;
+ UNLOCK(&rbtdb->node_locks[i].lock);
+ }
+
+ if (inactive != 0) {
+ LOCK(&rbtdb->lock);
+ rbtdb->active -= inactive;
+ if (rbtdb->active == 0)
+ want_free = ISC_TRUE;
+ UNLOCK(&rbtdb->lock);
+ if (want_free) {
+ char buf[DNS_NAME_FORMATSIZE];
+ if (dns_name_dynamic(&rbtdb->common.origin))
+ dns_name_format(&rbtdb->common.origin, buf,
+ sizeof(buf));
+ else
+ strcpy(buf, "<UNKNOWN>");
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "calling free_rbtdb(%s)", buf);
+ free_rbtdb(rbtdb, ISC_TRUE, NULL);
+ }
+ }
+}
+
+static void
+detach(dns_db_t **dbp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(*dbp);
+ unsigned int refs;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ isc_refcount_decrement(&rbtdb->references, &refs);
+
+ if (refs == 0)
+ maybe_free_rbtdb(rbtdb);
+
+ *dbp = NULL;
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_version_t *version;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ LOCK(&rbtdb->lock);
+ version = rbtdb->current_version;
+ if (version->references == 0)
+ PREPEND(rbtdb->open_versions, version, link);
+ version->references++;
+ UNLOCK(&rbtdb->lock);
+
+ *versionp = (dns_dbversion_t *)version;
+}
+
+static inline rbtdb_version_t *
+allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
+ unsigned int references, isc_boolean_t writer)
+{
+ rbtdb_version_t *version;
+
+ version = isc_mem_get(mctx, sizeof(*version));
+ if (version == NULL)
+ return (NULL);
+ version->serial = serial;
+ version->references = references;
+ version->writer = writer;
+ version->commit_ok = ISC_FALSE;
+ ISC_LIST_INIT(version->changed_list);
+ ISC_LINK_INIT(version, link);
+
+ return (version);
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_version_t *version;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(versionp != NULL && *versionp == NULL);
+ REQUIRE(rbtdb->future_version == NULL);
+
+ LOCK(&rbtdb->lock);
+ RUNTIME_CHECK(rbtdb->next_serial != 0); /* XXX Error? */
+ version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
+ ISC_TRUE);
+ if (version != NULL) {
+ version->commit_ok = ISC_TRUE;
+ rbtdb->next_serial++;
+ rbtdb->future_version = version;
+ }
+ UNLOCK(&rbtdb->lock);
+
+ if (version == NULL)
+ return (ISC_R_NOMEMORY);
+
+ *versionp = version;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+ dns_dbversion_t **targetp)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_version_t *rbtversion = source;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ LOCK(&rbtdb->lock);
+
+ INSIST(rbtversion->references > 0);
+ rbtversion->references++;
+ INSIST(rbtversion->references != 0);
+
+ UNLOCK(&rbtdb->lock);
+
+ *targetp = rbtversion;
+}
+
+static rbtdb_changed_t *
+add_changed(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+ dns_rbtnode_t *node)
+{
+ rbtdb_changed_t *changed;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ changed = isc_mem_get(rbtdb->common.mctx, sizeof(*changed));
+
+ LOCK(&rbtdb->lock);
+
+ REQUIRE(version->writer);
+
+ if (changed != NULL) {
+ INSIST(node->references > 0);
+ node->references++;
+ INSIST(node->references != 0);
+ changed->node = node;
+ changed->dirty = ISC_FALSE;
+ ISC_LIST_INITANDAPPEND(version->changed_list, changed, link);
+ } else
+ version->commit_ok = ISC_FALSE;
+
+ UNLOCK(&rbtdb->lock);
+
+ return (changed);
+}
+
+static inline void
+free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
+
+ if (dns_name_dynamic(&(*noqname)->name))
+ dns_name_free(&(*noqname)->name, mctx);
+ if ((*noqname)->nsec != NULL)
+ isc_mem_put(mctx, (*noqname)->nsec,
+ dns_rdataslab_size((*noqname)->nsec, 0));
+ if ((*noqname)->nsec != NULL)
+ isc_mem_put(mctx, (*noqname)->nsecsig,
+ dns_rdataslab_size((*noqname)->nsecsig, 0));
+ isc_mem_put(mctx, *noqname, sizeof(**noqname));
+ *noqname = NULL;
+}
+
+static inline void
+free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) {
+ unsigned int size;
+
+ if (rdataset->noqname != NULL)
+ free_noqname(mctx, &rdataset->noqname);
+
+ if ((rdataset->attributes & RDATASET_ATTR_NONEXISTENT) != 0)
+ size = sizeof(*rdataset);
+ else
+ size = dns_rdataslab_size((unsigned char *)rdataset,
+ sizeof(*rdataset));
+ isc_mem_put(mctx, rdataset, size);
+}
+
+static inline void
+rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+ rdatasetheader_t *header, *dcurrent;
+ isc_boolean_t make_dirty = ISC_FALSE;
+
+ /*
+ * Caller must hold the node lock.
+ */
+
+ /*
+ * We set the IGNORE attribute on rdatasets with serial number
+ * 'serial'. When the reference count goes to zero, these rdatasets
+ * will be cleaned up; until that time, they will be ignored.
+ */
+ for (header = node->data; header != NULL; header = header->next) {
+ if (header->serial == serial) {
+ header->attributes |= RDATASET_ATTR_IGNORE;
+ make_dirty = ISC_TRUE;
+ }
+ for (dcurrent = header->down;
+ dcurrent != NULL;
+ dcurrent = dcurrent->down) {
+ if (dcurrent->serial == serial) {
+ dcurrent->attributes |= RDATASET_ATTR_IGNORE;
+ make_dirty = ISC_TRUE;
+ }
+ }
+ }
+ if (make_dirty)
+ node->dirty = 1;
+}
+
+static inline void
+clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+ rdatasetheader_t *current, *dcurrent, *top_prev, *top_next, *down_next;
+ isc_mem_t *mctx = rbtdb->common.mctx;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ top_prev = NULL;
+ for (current = node->data; current != NULL; current = top_next) {
+ top_next = current->next;
+ dcurrent = current->down;
+ if (dcurrent != NULL) {
+ do {
+ down_next = dcurrent->down;
+ free_rdataset(mctx, dcurrent);
+ dcurrent = down_next;
+ } while (dcurrent != NULL);
+ current->down = NULL;
+ }
+ /*
+ * If current is nonexistent or stale, we can clean it up.
+ */
+ if ((current->attributes &
+ (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0) {
+ if (top_prev != NULL)
+ top_prev->next = current->next;
+ else
+ node->data = current->next;
+ free_rdataset(mctx, current);
+ } else
+ top_prev = current;
+ }
+ node->dirty = 0;
+}
+
+static inline void
+clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ rbtdb_serial_t least_serial)
+{
+ rdatasetheader_t *current, *dcurrent, *down_next, *dparent;
+ rdatasetheader_t *top_prev, *top_next;
+ isc_mem_t *mctx = rbtdb->common.mctx;
+ isc_boolean_t still_dirty = ISC_FALSE;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+ REQUIRE(least_serial != 0);
+
+ top_prev = NULL;
+ for (current = node->data; current != NULL; current = top_next) {
+ top_next = current->next;
+
+ /*
+ * First, we clean up any instances of multiple rdatasets
+ * with the same serial number, or that have the IGNORE
+ * attribute.
+ */
+ dparent = current;
+ for (dcurrent = current->down;
+ dcurrent != NULL;
+ dcurrent = down_next) {
+ down_next = dcurrent->down;
+ INSIST(dcurrent->serial <= dparent->serial);
+ if (dcurrent->serial == dparent->serial ||
+ IGNORE(dcurrent)) {
+ if (down_next != NULL)
+ down_next->next = dparent;
+ dparent->down = down_next;
+ free_rdataset(mctx, dcurrent);
+ } else
+ dparent = dcurrent;
+ }
+
+ /*
+ * We've now eliminated all IGNORE datasets with the possible
+ * exception of current, which we now check.
+ */
+ if (IGNORE(current)) {
+ down_next = current->down;
+ if (down_next == NULL) {
+ if (top_prev != NULL)
+ top_prev->next = current->next;
+ else
+ node->data = current->next;
+ free_rdataset(mctx, current);
+ /*
+ * current no longer exists, so we can
+ * just continue with the loop.
+ */
+ continue;
+ } else {
+ /*
+ * Pull up current->down, making it the new
+ * current.
+ */
+ if (top_prev != NULL)
+ top_prev->next = down_next;
+ else
+ node->data = down_next;
+ down_next->next = top_next;
+ free_rdataset(mctx, current);
+ current = down_next;
+ }
+ }
+
+ /*
+ * We now try to find the first down node less than the
+ * least serial.
+ */
+ dparent = current;
+ for (dcurrent = current->down;
+ dcurrent != NULL;
+ dcurrent = down_next) {
+ down_next = dcurrent->down;
+ if (dcurrent->serial < least_serial)
+ break;
+ dparent = dcurrent;
+ }
+
+ /*
+ * If there is a such an rdataset, delete it and any older
+ * versions.
+ */
+ if (dcurrent != NULL) {
+ do {
+ down_next = dcurrent->down;
+ INSIST(dcurrent->serial <= least_serial);
+ free_rdataset(mctx, dcurrent);
+ dcurrent = down_next;
+ } while (dcurrent != NULL);
+ dparent->down = NULL;
+ }
+
+ /*
+ * Note. The serial number of 'current' might be less than
+ * least_serial too, but we cannot delete it because it is
+ * the most recent version, unless it is a NONEXISTENT
+ * rdataset.
+ */
+ if (current->down != NULL) {
+ still_dirty = ISC_TRUE;
+ top_prev = current;
+ } else {
+ /*
+ * If this is a NONEXISTENT rdataset, we can delete it.
+ */
+ if (NONEXISTENT(current)) {
+ if (top_prev != NULL)
+ top_prev->next = current->next;
+ else
+ node->data = current->next;
+ free_rdataset(mctx, current);
+ } else
+ top_prev = current;
+ }
+ }
+ if (!still_dirty)
+ node->dirty = 0;
+}
+
+static inline void
+new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
+ if (node->references == 0) {
+ rbtdb->node_locks[node->locknum].references++;
+ INSIST(rbtdb->node_locks[node->locknum].references != 0);
+ }
+ node->references++;
+ INSIST(node->references != 0);
+}
+
+static void
+no_references(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ rbtdb_serial_t least_serial, isc_rwlocktype_t lock)
+{
+ isc_result_t result;
+ isc_boolean_t write_locked;
+ unsigned int locknum;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ REQUIRE(node->references == 0);
+
+ if (node->dirty) {
+ if (IS_CACHE(rbtdb))
+ clean_cache_node(rbtdb, node);
+ else {
+ if (least_serial == 0) {
+ /*
+ * Caller doesn't know the least serial.
+ * Get it.
+ */
+ LOCK(&rbtdb->lock);
+ least_serial = rbtdb->least_serial;
+ UNLOCK(&rbtdb->lock);
+ }
+ clean_zone_node(rbtdb, node, least_serial);
+ }
+ }
+
+ locknum = node->locknum;
+
+ INSIST(rbtdb->node_locks[locknum].references > 0);
+ rbtdb->node_locks[locknum].references--;
+
+ /*
+ * XXXDCL should this only be done for cache zones?
+ */
+ if (node->data != NULL || node->down != NULL)
+ return;
+
+ /*
+ * XXXDCL need to add a deferred delete method for ISC_R_LOCKBUSY.
+ */
+ if (lock != isc_rwlocktype_write) {
+ /*
+ * Locking hierarchy notwithstanding, we don't need to free
+ * the node lock before acquiring the tree write lock because
+ * we only do a trylock.
+ */
+ if (lock == isc_rwlocktype_read)
+ result = isc_rwlock_tryupgrade(&rbtdb->tree_lock);
+ else
+ result = isc_rwlock_trylock(&rbtdb->tree_lock,
+ isc_rwlocktype_write);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS ||
+ result == ISC_R_LOCKBUSY);
+
+ write_locked = ISC_TF(result == ISC_R_SUCCESS);
+ } else
+ write_locked = ISC_TRUE;
+
+ if (write_locked) {
+ if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+ char printname[DNS_NAME_FORMATSIZE];
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "no_references: delete from rbt: %p %s",
+ node,
+ dns_rbt_formatnodename(node, printname,
+ sizeof(printname)));
+ }
+
+ result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+ "no_references: dns_rbt_deletenode: %s",
+ isc_result_totext(result));
+ }
+
+ /*
+ * Relock a read lock, or unlock the write lock if no lock was held.
+ */
+ if (lock == isc_rwlocktype_none)
+ if (write_locked)
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+ if (lock == isc_rwlocktype_read)
+ if (write_locked)
+ isc_rwlock_downgrade(&rbtdb->tree_lock);
+}
+
+static inline void
+make_least_version(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
+ rbtdb_changedlist_t *cleanup_list)
+{
+ /*
+ * Caller must be holding the database lock.
+ */
+
+ rbtdb->least_serial = version->serial;
+ *cleanup_list = version->changed_list;
+ ISC_LIST_INIT(version->changed_list);
+}
+
+static inline void
+cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
+ rbtdb_changed_t *changed, *next_changed;
+
+ /*
+ * If the changed record is dirty, then
+ * an update created multiple versions of
+ * a given rdataset. We keep this list
+ * until we're the least open version, at
+ * which point it's safe to get rid of any
+ * older versions.
+ *
+ * If the changed record isn't dirty, then
+ * we don't need it anymore since we're
+ * committing and not rolling back.
+ *
+ * The caller must be holding the database lock.
+ */
+ for (changed = HEAD(version->changed_list);
+ changed != NULL;
+ changed = next_changed) {
+ next_changed = NEXT(changed, link);
+ if (!changed->dirty) {
+ UNLINK(version->changed_list,
+ changed, link);
+ APPEND(*cleanup_list,
+ changed, link);
+ }
+ }
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_version_t *version, *cleanup_version, *least_greater;
+ isc_boolean_t rollback = ISC_FALSE;
+ rbtdb_changedlist_t cleanup_list;
+ rbtdb_changed_t *changed, *next_changed;
+ rbtdb_serial_t serial, least_serial;
+ dns_rbtnode_t *rbtnode;
+ isc_mutex_t *lock;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ version = (rbtdb_version_t *)*versionp;
+
+ cleanup_version = NULL;
+ ISC_LIST_INIT(cleanup_list);
+
+ LOCK(&rbtdb->lock);
+ INSIST(version->references > 0);
+ INSIST(!version->writer || !(commit && version->references > 1));
+ version->references--;
+ serial = version->serial;
+ if (version->references == 0) {
+ if (version->writer) {
+ if (commit) {
+ INSIST(version->commit_ok);
+ INSIST(version == rbtdb->future_version);
+ if (EMPTY(rbtdb->open_versions)) {
+ /*
+ * We're going to become the least open
+ * version.
+ */
+ make_least_version(rbtdb, version,
+ &cleanup_list);
+ } else {
+ /*
+ * Some other open version is the
+ * least version. We can't cleanup
+ * records that were changed in this
+ * version because the older versions
+ * may still be in use by an open
+ * version.
+ *
+ * We can, however, discard the
+ * changed records for things that
+ * we've added that didn't exist in
+ * prior versions.
+ */
+ cleanup_nondirty(version,
+ &cleanup_list);
+ }
+ /*
+ * If the (soon to be former) current version
+ * isn't being used by anyone, we can clean
+ * it up.
+ */
+ if (rbtdb->current_version->references == 0) {
+ cleanup_version =
+ rbtdb->current_version;
+ APPENDLIST(version->changed_list,
+ cleanup_version->changed_list,
+ link);
+ }
+ /*
+ * Become the current version.
+ */
+ version->writer = ISC_FALSE;
+ rbtdb->current_version = version;
+ rbtdb->current_serial = version->serial;
+ rbtdb->future_version = NULL;
+ } else {
+ /*
+ * We're rolling back this transaction.
+ */
+ cleanup_list = version->changed_list;
+ ISC_LIST_INIT(version->changed_list);
+ rollback = ISC_TRUE;
+ cleanup_version = version;
+ rbtdb->future_version = NULL;
+ }
+ } else {
+ if (version != rbtdb->current_version) {
+ /*
+ * There are no external or internal references
+ * to this version and it can be cleaned up.
+ */
+ cleanup_version = version;
+
+ /*
+ * Find the version with the least serial
+ * number greater than ours.
+ */
+ least_greater = PREV(version, link);
+ if (least_greater == NULL)
+ least_greater = rbtdb->current_version;
+
+ INSIST(version->serial < least_greater->serial);
+ /*
+ * Is this the least open version?
+ */
+ if (version->serial == rbtdb->least_serial) {
+ /*
+ * Yes. Install the new least open
+ * version.
+ */
+ make_least_version(rbtdb,
+ least_greater,
+ &cleanup_list);
+ } else {
+ /*
+ * Add any unexecuted cleanups to
+ * those of the least greater version.
+ */
+ APPENDLIST(least_greater->changed_list,
+ version->changed_list,
+ link);
+ }
+ } else if (version->serial == rbtdb->least_serial)
+ INSIST(EMPTY(version->changed_list));
+ UNLINK(rbtdb->open_versions, version, link);
+ }
+ }
+ least_serial = rbtdb->least_serial;
+ UNLOCK(&rbtdb->lock);
+
+ if (cleanup_version != NULL) {
+ INSIST(EMPTY(cleanup_version->changed_list));
+ isc_mem_put(rbtdb->common.mctx, cleanup_version,
+ sizeof(*cleanup_version));
+ }
+
+ if (!EMPTY(cleanup_list)) {
+ for (changed = HEAD(cleanup_list);
+ changed != NULL;
+ changed = next_changed) {
+ next_changed = NEXT(changed, link);
+ rbtnode = changed->node;
+ lock = &rbtdb->node_locks[rbtnode->locknum].lock;
+
+ LOCK(lock);
+
+ INSIST(rbtnode->references > 0);
+ rbtnode->references--;
+ if (rollback)
+ rollback_node(rbtnode, serial);
+
+ if (rbtnode->references == 0)
+ no_references(rbtdb, rbtnode, least_serial,
+ isc_rwlocktype_none);
+
+ UNLOCK(lock);
+
+ isc_mem_put(rbtdb->common.mctx, changed,
+ sizeof(*changed));
+ }
+ }
+
+ *versionp = NULL;
+}
+
+/*
+ * Add the necessary magic for the wildcard name 'name'
+ * to be found in 'rbtdb'.
+ *
+ * In order for wildcard matching to work correctly in
+ * zone_find(), we must ensure that a node for the wildcarding
+ * level exists in the database, and has its 'find_callback'
+ * and 'wild' bits set.
+ *
+ * E.g. if the wildcard name is "*.sub.example." then we
+ * must ensure that "sub.example." exists and is marked as
+ * a wildcard level.
+ */
+static isc_result_t
+add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
+ isc_result_t result;
+ dns_name_t foundname;
+ dns_offsets_t offsets;
+ unsigned int n;
+ dns_rbtnode_t *node = NULL;
+
+ dns_name_init(&foundname, offsets);
+ n = dns_name_countlabels(name);
+ INSIST(n >= 2);
+ n--;
+ dns_name_getlabelsequence(name, 1, n, &foundname);
+ result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
+ if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+ return (result);
+ node->find_callback = 1;
+ node->wild = 1;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
+ isc_result_t result;
+ dns_name_t foundname;
+ dns_offsets_t offsets;
+ unsigned int n, l, i;
+
+ dns_name_init(&foundname, offsets);
+ n = dns_name_countlabels(name);
+ l = dns_name_countlabels(&rbtdb->common.origin);
+ i = l + 1;
+ while (i < n) {
+ dns_rbtnode_t *node = NULL; /* dummy */
+ dns_name_getlabelsequence(name, n - i, i, &foundname);
+ if (dns_name_iswildcard(&foundname)) {
+ result = add_wildcard_magic(rbtdb, &foundname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_rbt_addnode(rbtdb->tree, &foundname,
+ &node);
+ if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+ return (result);
+ }
+ i++;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+ dns_dbnode_t **nodep)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *node = NULL;
+ dns_name_t nodename;
+ unsigned int locknum;
+ isc_result_t result;
+ isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ dns_name_init(&nodename, NULL);
+ RWLOCK(&rbtdb->tree_lock, locktype);
+ result = dns_rbt_findnode(rbtdb->tree, name, NULL, &node, NULL,
+ DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+ if (result != ISC_R_SUCCESS) {
+ RWUNLOCK(&rbtdb->tree_lock, locktype);
+ if (!create) {
+ if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+ return (result);
+ }
+ /*
+ * It would be nice to try to upgrade the lock instead of
+ * unlocking then relocking.
+ */
+ locktype = isc_rwlocktype_write;
+ RWLOCK(&rbtdb->tree_lock, locktype);
+ node = NULL;
+ result = dns_rbt_addnode(rbtdb->tree, name, &node);
+ if (result == ISC_R_SUCCESS) {
+ dns_rbt_namefromnode(node, &nodename);
+#ifdef DNS_RBT_USEHASH
+ node->locknum = node->hashval % rbtdb->node_lock_count;
+#else
+ node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
+ rbtdb->node_lock_count;
+#endif
+ add_empty_wildcards(rbtdb, name);
+
+ if (dns_name_iswildcard(name)) {
+ result = add_wildcard_magic(rbtdb, name);
+ if (result != ISC_R_SUCCESS) {
+ RWUNLOCK(&rbtdb->tree_lock, locktype);
+ return (result);
+ }
+ }
+ } else if (result != ISC_R_EXISTS) {
+ RWUNLOCK(&rbtdb->tree_lock, locktype);
+ return (result);
+ }
+ }
+ locknum = node->locknum;
+ LOCK(&rbtdb->node_locks[locknum].lock);
+ new_reference(rbtdb, node);
+ UNLOCK(&rbtdb->node_locks[locknum].lock);
+ RWUNLOCK(&rbtdb->tree_lock, locktype);
+
+ *nodep = (dns_dbnode_t *)node;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+zone_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+ rbtdb_search_t *search = arg;
+ rdatasetheader_t *header, *header_next;
+ rdatasetheader_t *dname_header, *sigdname_header, *ns_header;
+ rdatasetheader_t *found;
+ isc_result_t result;
+ dns_rbtnode_t *onode;
+
+ /*
+ * We only want to remember the topmost zone cut, since it's the one
+ * that counts, so we'll just continue if we've already found a
+ * zonecut.
+ */
+ if (search->zonecut != NULL)
+ return (DNS_R_CONTINUE);
+
+ found = NULL;
+ result = DNS_R_CONTINUE;
+ onode = search->rbtdb->origin_node;
+
+ LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+
+ /*
+ * Look for an NS or DNAME rdataset active in our version.
+ */
+ ns_header = NULL;
+ dname_header = NULL;
+ sigdname_header = NULL;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->type == dns_rdatatype_ns ||
+ header->type == dns_rdatatype_dname ||
+ header->type == RBTDB_RDATATYPE_SIGDNAME) {
+ do {
+ if (header->serial <= search->serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL) {
+ if (header->type == dns_rdatatype_dname)
+ dname_header = header;
+ else if (header->type ==
+ RBTDB_RDATATYPE_SIGDNAME)
+ sigdname_header = header;
+ else if (node != onode ||
+ IS_STUB(search->rbtdb)) {
+ /*
+ * We've found an NS rdataset that
+ * isn't at the origin node. We check
+ * that they're not at the origin node,
+ * because otherwise we'd erroneously
+ * treat the zone top as if it were
+ * a delegation.
+ */
+ ns_header = header;
+ }
+ }
+ }
+ }
+
+ /*
+ * Did we find anything?
+ */
+ if (dname_header != NULL) {
+ /*
+ * Note that DNAME has precedence over NS if both exist.
+ */
+ found = dname_header;
+ search->zonecut_sigrdataset = sigdname_header;
+ } else if (ns_header != NULL) {
+ found = ns_header;
+ search->zonecut_sigrdataset = NULL;
+ }
+
+ if (found != NULL) {
+ /*
+ * We increment the reference count on node to ensure that
+ * search->zonecut_rdataset will still be valid later.
+ */
+ new_reference(search->rbtdb, node);
+ search->zonecut = node;
+ search->zonecut_rdataset = found;
+ search->need_cleanup = ISC_TRUE;
+ /*
+ * Since we've found a zonecut, anything beneath it is
+ * glue and is not subject to wildcard matching, so we
+ * may clear search->wild.
+ */
+ search->wild = ISC_FALSE;
+ if ((search->options & DNS_DBFIND_GLUEOK) == 0) {
+ /*
+ * If the caller does not want to find glue, then
+ * this is the best answer and the search should
+ * stop now.
+ */
+ result = DNS_R_PARTIALMATCH;
+ } else {
+ dns_name_t *zcname;
+
+ /*
+ * The search will continue beneath the zone cut.
+ * This may or may not be the best match. In case it
+ * is, we need to remember the node name.
+ */
+ zcname = dns_fixedname_name(&search->zonecut_name);
+ RUNTIME_CHECK(dns_name_copy(name, zcname, NULL) ==
+ ISC_R_SUCCESS);
+ search->copy_name = ISC_TRUE;
+ }
+ } else {
+ /*
+ * There is no zonecut at this node which is active in this
+ * version.
+ *
+ * If this is a "wild" node and the caller hasn't disabled
+ * wildcard matching, remember that we've seen a wild node
+ * in case we need to go searching for wildcard matches
+ * later on.
+ */
+ if (node->wild && (search->options & DNS_DBFIND_NOWILD) == 0)
+ search->wild = ISC_TRUE;
+ }
+
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+
+ return (result);
+}
+
+static inline void
+bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ rdatasetheader_t *header, isc_stdtime_t now,
+ dns_rdataset_t *rdataset)
+{
+ unsigned char *raw;
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ if (rdataset == NULL)
+ return;
+
+ new_reference(rbtdb, node);
+
+ INSIST(rdataset->methods == NULL); /* We must be disassociated. */
+
+ rdataset->methods = &rdataset_methods;
+ rdataset->rdclass = rbtdb->common.rdclass;
+ rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
+ rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
+ rdataset->ttl = header->ttl - now;
+ rdataset->trust = header->trust;
+ if (NXDOMAIN(header))
+ rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+ rdataset->private1 = rbtdb;
+ rdataset->private2 = node;
+ raw = (unsigned char *)header + sizeof(*header);
+ rdataset->private3 = raw;
+ rdataset->count = header->count++;
+ if (header->count == ISC_UINT32_MAX)
+ header->count = 0;
+
+ /*
+ * Reset iterator state.
+ */
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+
+ /*
+ * Add noqname proof.
+ */
+ rdataset->private6 = header->noqname;
+ if (rdataset->private6 != NULL)
+ rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+}
+
+static inline isc_result_t
+setup_delegation(rbtdb_search_t *search, dns_dbnode_t **nodep,
+ dns_name_t *foundname, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ isc_result_t result;
+ dns_name_t *zcname;
+ rbtdb_rdatatype_t type;
+ dns_rbtnode_t *node;
+
+ /*
+ * The caller MUST NOT be holding any node locks.
+ */
+
+ node = search->zonecut;
+ type = search->zonecut_rdataset->type;
+
+ /*
+ * If we have to set foundname, we do it before anything else.
+ * If we were to set foundname after we had set nodep or bound the
+ * rdataset, then we'd have to undo that work if dns_name_copy()
+ * failed. By setting foundname first, there's nothing to undo if
+ * we have trouble.
+ */
+ if (foundname != NULL && search->copy_name) {
+ zcname = dns_fixedname_name(&search->zonecut_name);
+ result = dns_name_copy(zcname, foundname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ if (nodep != NULL) {
+ /*
+ * Note that we don't have to increment the node's reference
+ * count here because we're going to use the reference we
+ * already have in the search block.
+ */
+ *nodep = node;
+ search->need_cleanup = ISC_FALSE;
+ }
+ if (rdataset != NULL) {
+ LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ bind_rdataset(search->rbtdb, node, search->zonecut_rdataset,
+ search->now, rdataset);
+ if (sigrdataset != NULL && search->zonecut_sigrdataset != NULL)
+ bind_rdataset(search->rbtdb, node,
+ search->zonecut_sigrdataset,
+ search->now, sigrdataset);
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ }
+
+ if (type == dns_rdatatype_dname)
+ return (DNS_R_DNAME);
+ return (DNS_R_DELEGATION);
+}
+
+static inline isc_boolean_t
+valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
+ dns_rbtnode_t *node)
+{
+ unsigned char *raw;
+ unsigned int count, size;
+ dns_name_t ns_name;
+ isc_boolean_t valid = ISC_FALSE;
+ dns_offsets_t offsets;
+ isc_region_t region;
+ rdatasetheader_t *header;
+
+ /*
+ * No additional locking is required.
+ */
+
+ /*
+ * Valid glue types are A, AAAA, A6. NS is also a valid glue type
+ * if it occurs at a zone cut, but is not valid below it.
+ */
+ if (type == dns_rdatatype_ns) {
+ if (node != search->zonecut) {
+ return (ISC_FALSE);
+ }
+ } else if (type != dns_rdatatype_a &&
+ type != dns_rdatatype_aaaa &&
+ type != dns_rdatatype_a6) {
+ return (ISC_FALSE);
+ }
+
+ header = search->zonecut_rdataset;
+ raw = (unsigned char *)header + sizeof(*header);
+ count = raw[0] * 256 + raw[1];
+ raw += 2;
+
+ while (count > 0) {
+ count--;
+ size = raw[0] * 256 + raw[1];
+ raw += 2;
+ region.base = raw;
+ region.length = size;
+ raw += size;
+ /*
+ * XXX Until we have rdata structures, we have no choice but
+ * to directly access the rdata format.
+ */
+ dns_name_init(&ns_name, offsets);
+ dns_name_fromregion(&ns_name, &region);
+ if (dns_name_compare(&ns_name, name) == 0) {
+ valid = ISC_TRUE;
+ break;
+ }
+ }
+
+ return (valid);
+}
+
+static inline isc_boolean_t
+activeempty(rbtdb_search_t *search, dns_rbtnodechain_t *chain,
+ dns_name_t *name)
+{
+ dns_fixedname_t fnext;
+ dns_fixedname_t forigin;
+ dns_name_t *next;
+ dns_name_t *origin;
+ dns_name_t prefix;
+ dns_rbtdb_t *rbtdb;
+ dns_rbtnode_t *node;
+ isc_result_t result;
+ isc_boolean_t answer = ISC_FALSE;
+ rdatasetheader_t *header;
+
+ rbtdb = search->rbtdb;
+
+ dns_name_init(&prefix, NULL);
+ dns_fixedname_init(&fnext);
+ next = dns_fixedname_name(&fnext);
+ dns_fixedname_init(&forigin);
+ origin = dns_fixedname_name(&forigin);
+
+ result = dns_rbtnodechain_next(chain, NULL, NULL);
+ while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+ node = NULL;
+ result = dns_rbtnodechain_current(chain, &prefix,
+ origin, &node);
+ if (result != ISC_R_SUCCESS)
+ break;
+ LOCK(&(rbtdb->node_locks[node->locknum].lock));
+ for (header = node->data;
+ header != NULL;
+ header = header->next) {
+ if (header->serial <= search->serial &&
+ !IGNORE(header) && EXISTS(header))
+ break;
+ }
+ UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+ if (header != NULL)
+ break;
+ result = dns_rbtnodechain_next(chain, NULL, NULL);
+ }
+ if (result == ISC_R_SUCCESS)
+ result = dns_name_concatenate(&prefix, origin, next, NULL);
+ if (result == ISC_R_SUCCESS && dns_name_issubdomain(next, name))
+ answer = ISC_TRUE;
+ return (answer);
+}
+
+static inline isc_boolean_t
+activeemtpynode(rbtdb_search_t *search, dns_name_t *qname, dns_name_t *wname) {
+ dns_fixedname_t fnext;
+ dns_fixedname_t forigin;
+ dns_fixedname_t fprev;
+ dns_name_t *next;
+ dns_name_t *origin;
+ dns_name_t *prev;
+ dns_name_t name;
+ dns_name_t rname;
+ dns_name_t tname;
+ dns_rbtdb_t *rbtdb;
+ dns_rbtnode_t *node;
+ dns_rbtnodechain_t chain;
+ isc_boolean_t check_next = ISC_TRUE;
+ isc_boolean_t check_prev = ISC_TRUE;
+ isc_boolean_t answer = ISC_FALSE;
+ isc_result_t result;
+ rdatasetheader_t *header;
+ unsigned int n;
+
+ rbtdb = search->rbtdb;
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&tname, NULL);
+ dns_name_init(&rname, NULL);
+ dns_fixedname_init(&fnext);
+ next = dns_fixedname_name(&fnext);
+ dns_fixedname_init(&fprev);
+ prev = dns_fixedname_name(&fprev);
+ dns_fixedname_init(&forigin);
+ origin = dns_fixedname_name(&forigin);
+
+ /*
+ * Find if qname is at or below a empty node.
+ * Use our own copy of the chain.
+ */
+
+ chain = search->chain;
+ do {
+ node = NULL;
+ result = dns_rbtnodechain_current(&chain, &name,
+ origin, &node);
+ if (result != ISC_R_SUCCESS)
+ break;
+ LOCK(&(rbtdb->node_locks[node->locknum].lock));
+ for (header = node->data;
+ header != NULL;
+ header = header->next) {
+ if (header->serial <= search->serial &&
+ !IGNORE(header) && EXISTS(header))
+ break;
+ }
+ UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+ if (header != NULL)
+ break;
+ result = dns_rbtnodechain_prev(&chain, NULL, NULL);
+ } while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN);
+ if (result == ISC_R_SUCCESS)
+ result = dns_name_concatenate(&name, origin, prev, NULL);
+ if (result != ISC_R_SUCCESS)
+ check_prev = ISC_FALSE;
+
+ result = dns_rbtnodechain_next(&chain, NULL, NULL);
+ while (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+ node = NULL;
+ result = dns_rbtnodechain_current(&chain, &name,
+ origin, &node);
+ if (result != ISC_R_SUCCESS)
+ break;
+ LOCK(&(rbtdb->node_locks[node->locknum].lock));
+ for (header = node->data;
+ header != NULL;
+ header = header->next) {
+ if (header->serial <= search->serial &&
+ !IGNORE(header) && EXISTS(header))
+ break;
+ }
+ UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+ if (header != NULL)
+ break;
+ result = dns_rbtnodechain_next(&chain, NULL, NULL);
+ }
+ if (result == ISC_R_SUCCESS)
+ result = dns_name_concatenate(&name, origin, next, NULL);
+ if (result != ISC_R_SUCCESS)
+ check_next = ISC_FALSE;
+
+ dns_name_clone(qname, &rname);
+
+ /*
+ * Remove the wildcard label to find the terminal name.
+ */
+ n = dns_name_countlabels(wname);
+ dns_name_getlabelsequence(wname, 1, n - 1, &tname);
+
+ do {
+ if ((check_prev && dns_name_issubdomain(prev, &rname)) ||
+ (check_next && dns_name_issubdomain(next, &rname))) {
+ answer = ISC_TRUE;
+ break;
+ }
+ /*
+ * Remove the left hand label.
+ */
+ n = dns_name_countlabels(&rname);
+ dns_name_getlabelsequence(&rname, 1, n - 1, &rname);
+ } while (!dns_name_equal(&rname, &tname));
+ return (answer);
+}
+
+static inline isc_result_t
+find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
+ dns_name_t *qname)
+{
+ unsigned int i, j;
+ dns_rbtnode_t *node, *level_node, *wnode;
+ rdatasetheader_t *header;
+ isc_result_t result = ISC_R_NOTFOUND;
+ dns_name_t name;
+ dns_name_t *wname;
+ dns_fixedname_t fwname;
+ dns_rbtdb_t *rbtdb;
+ isc_boolean_t done, wild, active;
+ dns_rbtnodechain_t wchain;
+
+ /*
+ * Caller must be holding the tree lock and MUST NOT be holding
+ * any node locks.
+ */
+
+ /*
+ * Examine each ancestor level. If the level's wild bit
+ * is set, then construct the corresponding wildcard name and
+ * search for it. If the wildcard node exists, and is active in
+ * this version, we're done. If not, then we next check to see
+ * if the ancestor is active in this version. If so, then there
+ * can be no possible wildcard match and again we're done. If not,
+ * continue the search.
+ */
+
+ rbtdb = search->rbtdb;
+ i = search->chain.level_matches;
+ done = ISC_FALSE;
+ node = *nodep;
+ do {
+ LOCK(&(rbtdb->node_locks[node->locknum].lock));
+
+ /*
+ * First we try to figure out if this node is active in
+ * the search's version. We do this now, even though we
+ * may not need the information, because it simplifies the
+ * locking and code flow.
+ */
+ for (header = node->data;
+ header != NULL;
+ header = header->next) {
+ if (header->serial <= search->serial &&
+ !IGNORE(header) && EXISTS(header))
+ break;
+ }
+ if (header != NULL)
+ active = ISC_TRUE;
+ else
+ active = ISC_FALSE;
+
+ if (node->wild)
+ wild = ISC_TRUE;
+ else
+ wild = ISC_FALSE;
+
+ UNLOCK(&(rbtdb->node_locks[node->locknum].lock));
+
+ if (wild) {
+ /*
+ * Construct the wildcard name for this level.
+ */
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(node, &name);
+ dns_fixedname_init(&fwname);
+ wname = dns_fixedname_name(&fwname);
+ result = dns_name_concatenate(dns_wildcardname, &name,
+ wname, NULL);
+ j = i;
+ while (result == ISC_R_SUCCESS && j != 0) {
+ j--;
+ level_node = search->chain.levels[j];
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(level_node, &name);
+ result = dns_name_concatenate(wname,
+ &name,
+ wname,
+ NULL);
+ }
+ if (result != ISC_R_SUCCESS)
+ break;
+
+ wnode = NULL;
+ dns_rbtnodechain_init(&wchain, NULL);
+ result = dns_rbt_findnode(rbtdb->tree, wname,
+ NULL, &wnode, &wchain,
+ DNS_RBTFIND_EMPTYDATA,
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We have found the wildcard node. If it
+ * is active in the search's version, we're
+ * done.
+ */
+ LOCK(&(rbtdb->node_locks[wnode->locknum].lock));
+ for (header = wnode->data;
+ header != NULL;
+ header = header->next) {
+ if (header->serial <= search->serial &&
+ !IGNORE(header) && EXISTS(header))
+ break;
+ }
+ UNLOCK(&(rbtdb->node_locks[wnode->locknum].lock));
+ if (header != NULL ||
+ activeempty(search, &wchain, wname)) {
+ if (activeemtpynode(search, qname, wname))
+ return (ISC_R_NOTFOUND);
+ /*
+ * The wildcard node is active!
+ *
+ * Note: result is still ISC_R_SUCCESS
+ * so we don't have to set it.
+ */
+ *nodep = wnode;
+ break;
+ }
+ } else if (result != ISC_R_NOTFOUND &&
+ result != DNS_R_PARTIALMATCH) {
+ /*
+ * An error has occurred. Bail out.
+ */
+ break;
+ }
+ }
+
+ if (active) {
+ /*
+ * The level node is active. Any wildcarding
+ * present at higher levels has no
+ * effect and we're done.
+ */
+ result = ISC_R_NOTFOUND;
+ break;
+ }
+
+ if (i > 0) {
+ i--;
+ node = search->chain.levels[i];
+ } else
+ done = ISC_TRUE;
+ } while (!done);
+
+ return (result);
+}
+
+static inline isc_result_t
+find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+ dns_name_t *foundname, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset, isc_boolean_t need_sig)
+{
+ dns_rbtnode_t *node;
+ rdatasetheader_t *header, *header_next, *found, *foundsig;
+ isc_boolean_t empty_node;
+ isc_result_t result;
+ dns_fixedname_t fname, forigin;
+ dns_name_t *name, *origin;
+
+ do {
+ node = NULL;
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&forigin);
+ origin = dns_fixedname_name(&forigin);
+ result = dns_rbtnodechain_current(&search->chain, name,
+ origin, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ found = NULL;
+ foundsig = NULL;
+ empty_node = ISC_TRUE;
+ for (header = node->data;
+ header != NULL;
+ header = header_next) {
+ header_next = header->next;
+ /*
+ * Look for an active, extant NSEC or RRSIG NSEC.
+ */
+ do {
+ if (header->serial <= search->serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL) {
+ /*
+ * We now know that there is at least one
+ * active rdataset at this node.
+ */
+ empty_node = ISC_FALSE;
+ if (header->type == dns_rdatatype_nsec) {
+ found = header;
+ if (foundsig != NULL)
+ break;
+ } else if (header->type ==
+ RBTDB_RDATATYPE_SIGNSEC) {
+ foundsig = header;
+ if (found != NULL)
+ break;
+ }
+ }
+ }
+ if (!empty_node) {
+ if (found != NULL &&
+ (foundsig != NULL || !need_sig))
+ {
+ /*
+ * We've found the right NSEC record.
+ *
+ * Note: for this to really be the right
+ * NSEC record, it's essential that the NSEC
+ * records of any nodes obscured by a zone
+ * cut have been removed; we assume this is
+ * the case.
+ */
+ result = dns_name_concatenate(name, origin,
+ foundname, NULL);
+ if (result == ISC_R_SUCCESS) {
+ if (nodep != NULL) {
+ new_reference(search->rbtdb,
+ node);
+ *nodep = node;
+ }
+ bind_rdataset(search->rbtdb, node,
+ found, search->now,
+ rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search->rbtdb,
+ node,
+ foundsig,
+ search->now,
+ sigrdataset);
+ }
+ } else if (found == NULL && foundsig == NULL) {
+ /*
+ * This node is active, but has no NSEC or
+ * RRSIG NSEC. That means it's glue or
+ * other obscured zone data that isn't
+ * relevant for our search. Treat the
+ * node as if it were empty and keep looking.
+ */
+ empty_node = ISC_TRUE;
+ result = dns_rbtnodechain_prev(&search->chain,
+ NULL, NULL);
+ } else {
+ /*
+ * We found an active node, but either the
+ * NSEC or the RRSIG NSEC is missing. This
+ * shouldn't happen.
+ */
+ result = DNS_R_BADDB;
+ }
+ } else {
+ /*
+ * This node isn't active. We've got to keep
+ * looking.
+ */
+ result = dns_rbtnodechain_prev(&search->chain, NULL,
+ NULL);
+ }
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ } while (empty_node && result == ISC_R_SUCCESS);
+
+ /*
+ * If the result is ISC_R_NOMORE, then we got to the beginning of
+ * the database and didn't find a NSEC record. This shouldn't
+ * happen.
+ */
+ if (result == ISC_R_NOMORE)
+ result = DNS_R_BADDB;
+
+ return (result);
+}
+
+static isc_result_t
+zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_rbtnode_t *node = NULL;
+ isc_result_t result;
+ rbtdb_search_t search;
+ isc_boolean_t cname_ok = ISC_TRUE;
+ isc_boolean_t close_version = ISC_FALSE;
+ isc_boolean_t maybe_zonecut = ISC_FALSE;
+ isc_boolean_t at_zonecut = ISC_FALSE;
+ isc_boolean_t wild;
+ isc_boolean_t empty_node;
+ isc_mutex_t *lock;
+ rdatasetheader_t *header, *header_next, *found, *nsecheader;
+ rdatasetheader_t *foundsig, *cnamesig, *nsecsig;
+ rbtdb_rdatatype_t sigtype;
+ isc_boolean_t active;
+ dns_rbtnodechain_t chain;
+
+
+ search.rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(search.rbtdb));
+
+ /*
+ * We don't care about 'now'.
+ */
+ UNUSED(now);
+
+ /*
+ * If the caller didn't supply a version, attach to the current
+ * version.
+ */
+ if (version == NULL) {
+ currentversion(db, &version);
+ close_version = ISC_TRUE;
+ }
+
+ search.rbtversion = version;
+ search.serial = search.rbtversion->serial;
+ search.options = options;
+ search.copy_name = ISC_FALSE;
+ search.need_cleanup = ISC_FALSE;
+ search.wild = ISC_FALSE;
+ search.zonecut = NULL;
+ dns_fixedname_init(&search.zonecut_name);
+ dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+ search.now = 0;
+
+ /*
+ * 'wild' will be true iff. we've matched a wildcard.
+ */
+ wild = ISC_FALSE;
+
+ RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ /*
+ * Search down from the root of the tree. If, while going down, we
+ * encounter a callback node, zone_zonecut_callback() will search the
+ * rdatasets at the zone cut for active DNAME or NS rdatasets.
+ */
+ result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+ &search.chain, DNS_RBTFIND_EMPTYDATA,
+ zone_zonecut_callback, &search);
+
+ if (result == DNS_R_PARTIALMATCH) {
+ partial_match:
+ if (search.zonecut != NULL) {
+ result = setup_delegation(&search, nodep, foundname,
+ rdataset, sigrdataset);
+ goto tree_exit;
+ }
+
+ if (search.wild) {
+ /*
+ * At least one of the levels in the search chain
+ * potentially has a wildcard. For each such level,
+ * we must see if there's a matching wildcard active
+ * in the current version.
+ */
+ result = find_wildcard(&search, &node, name);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_name_copy(name, foundname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto tree_exit;
+ wild = ISC_TRUE;
+ goto found;
+ }
+ else if (result != ISC_R_NOTFOUND)
+ goto tree_exit;
+ }
+
+ chain = search.chain;
+ active = activeempty(&search, &chain, name);
+
+ /*
+ * If we're here, then the name does not exist, is not
+ * beneath a zonecut, and there's no matching wildcard.
+ */
+ if (search.rbtdb->secure ||
+ (search.options & DNS_DBFIND_FORCENSEC) != 0)
+ {
+ result = find_closest_nsec(&search, nodep, foundname,
+ rdataset, sigrdataset,
+ search.rbtdb->secure);
+ if (result == ISC_R_SUCCESS)
+ result = active ? DNS_R_EMPTYNAME :
+ DNS_R_NXDOMAIN;
+ } else
+ result = active ? DNS_R_EMPTYNAME : DNS_R_NXDOMAIN;
+ goto tree_exit;
+ } else if (result != ISC_R_SUCCESS)
+ goto tree_exit;
+
+ found:
+ /*
+ * We have found a node whose name is the desired name, or we
+ * have matched a wildcard.
+ */
+
+ if (search.zonecut != NULL) {
+ /*
+ * If we're beneath a zone cut, we don't want to look for
+ * CNAMEs because they're not legitimate zone glue.
+ */
+ cname_ok = ISC_FALSE;
+ } else {
+ /*
+ * The node may be a zone cut itself. If it might be one,
+ * make sure we check for it later.
+ */
+ if (node->find_callback &&
+ (node != search.rbtdb->origin_node ||
+ IS_STUB(search.rbtdb)) &&
+ !dns_rdatatype_atparent(type))
+ maybe_zonecut = ISC_TRUE;
+ }
+
+ /*
+ * Certain DNSSEC types are not subject to CNAME matching
+ * (RFC 2535, section 2.3.5).
+ *
+ * We don't check for RRSIG, because we don't store RRSIG records
+ * directly.
+ */
+ if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+ cname_ok = ISC_FALSE;
+
+ /*
+ * We now go looking for rdata...
+ */
+
+ LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ found = NULL;
+ foundsig = NULL;
+ sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+ nsecheader = NULL;
+ nsecsig = NULL;
+ cnamesig = NULL;
+ empty_node = ISC_TRUE;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ /*
+ * Look for an active, extant rdataset.
+ */
+ do {
+ if (header->serial <= search.serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL) {
+ /*
+ * We now know that there is at least one active
+ * rdataset at this node.
+ */
+ empty_node = ISC_FALSE;
+
+ /*
+ * Do special zone cut handling, if requested.
+ */
+ if (maybe_zonecut &&
+ header->type == dns_rdatatype_ns) {
+ /*
+ * We increment the reference count on node to
+ * ensure that search->zonecut_rdataset will
+ * still be valid later.
+ */
+ new_reference(search.rbtdb, node);
+ search.zonecut = node;
+ search.zonecut_rdataset = header;
+ search.zonecut_sigrdataset = NULL;
+ search.need_cleanup = ISC_TRUE;
+ maybe_zonecut = ISC_FALSE;
+ at_zonecut = ISC_TRUE;
+ if ((search.options & DNS_DBFIND_GLUEOK) == 0
+ && type != dns_rdatatype_nsec
+ && type != dns_rdatatype_dnskey) {
+ /*
+ * Glue is not OK, but any answer we
+ * could return would be glue. Return
+ * the delegation.
+ */
+ found = NULL;
+ break;
+ }
+ if (found != NULL && foundsig != NULL)
+ break;
+ }
+
+ /*
+ * If we found a type we were looking for,
+ * remember it.
+ */
+ if (header->type == type ||
+ type == dns_rdatatype_any ||
+ (header->type == dns_rdatatype_cname &&
+ cname_ok)) {
+ /*
+ * We've found the answer!
+ */
+ found = header;
+ if (header->type == dns_rdatatype_cname &&
+ cname_ok) {
+ /*
+ * We may be finding a CNAME instead
+ * of the desired type.
+ *
+ * If we've already got the CNAME RRSIG,
+ * use it, otherwise change sigtype
+ * so that we find it.
+ */
+ if (cnamesig != NULL)
+ foundsig = cnamesig;
+ else
+ sigtype =
+ RBTDB_RDATATYPE_SIGCNAME;
+ }
+ /*
+ * If we've got all we need, end the search.
+ */
+ if (!maybe_zonecut && foundsig != NULL)
+ break;
+ } else if (header->type == sigtype) {
+ /*
+ * We've found the RRSIG rdataset for our
+ * target type. Remember it.
+ */
+ foundsig = header;
+ /*
+ * If we've got all we need, end the search.
+ */
+ if (!maybe_zonecut && found != NULL)
+ break;
+ } else if (header->type == dns_rdatatype_nsec) {
+ /*
+ * Remember a NSEC rdataset even if we're
+ * not specifically looking for it, because
+ * we might need it later.
+ */
+ nsecheader = header;
+ } else if (header->type == RBTDB_RDATATYPE_SIGNSEC) {
+ /*
+ * If we need the NSEC rdataset, we'll also
+ * need its signature.
+ */
+ nsecsig = header;
+ } else if (cname_ok &&
+ header->type == RBTDB_RDATATYPE_SIGCNAME) {
+ /*
+ * If we get a CNAME match, we'll also need
+ * its signature.
+ */
+ cnamesig = header;
+ }
+ }
+ }
+
+ if (empty_node) {
+ /*
+ * We have an exact match for the name, but there are no
+ * active rdatasets in the desired version. That means that
+ * this node doesn't exist in the desired version, and that
+ * we really have a partial match.
+ */
+ if (!wild) {
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ goto partial_match;
+ }
+ }
+
+ /*
+ * If we didn't find what we were looking for...
+ */
+ if (found == NULL) {
+ if (search.zonecut != NULL) {
+ /*
+ * We were trying to find glue at a node beneath a
+ * zone cut, but didn't.
+ *
+ * Return the delegation.
+ */
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ result = setup_delegation(&search, nodep, foundname,
+ rdataset, sigrdataset);
+ goto tree_exit;
+ }
+ /*
+ * The desired type doesn't exist.
+ */
+ result = DNS_R_NXRRSET;
+ if (search.rbtdb->secure &&
+ (nsecheader == NULL || nsecsig == NULL)) {
+ /*
+ * The zone is secure but there's no NSEC,
+ * or the NSEC has no signature!
+ */
+ if (!wild) {
+ result = DNS_R_BADDB;
+ goto node_exit;
+ }
+
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ result = find_closest_nsec(&search, nodep, foundname,
+ rdataset, sigrdataset,
+ search.rbtdb->secure);
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_EMPTYWILD;
+ goto tree_exit;
+ }
+ if ((search.options & DNS_DBFIND_FORCENSEC) != 0 &&
+ nsecheader == NULL)
+ {
+ /*
+ * There's no NSEC record, and we were told
+ * to find one.
+ */
+ result = DNS_R_BADDB;
+ goto node_exit;
+ }
+ if (nodep != NULL) {
+ new_reference(search.rbtdb, node);
+ *nodep = node;
+ }
+ if (search.rbtdb->secure ||
+ (search.options & DNS_DBFIND_FORCENSEC) != 0)
+ {
+ bind_rdataset(search.rbtdb, node, nsecheader,
+ 0, rdataset);
+ if (nsecsig != NULL)
+ bind_rdataset(search.rbtdb, node,
+ nsecsig, 0, sigrdataset);
+ }
+ if (wild)
+ foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+ goto node_exit;
+ }
+
+ /*
+ * We found what we were looking for, or we found a CNAME.
+ */
+
+ if (type != found->type &&
+ type != dns_rdatatype_any &&
+ found->type == dns_rdatatype_cname) {
+ /*
+ * We weren't doing an ANY query and we found a CNAME instead
+ * of the type we were looking for, so we need to indicate
+ * that result to the caller.
+ */
+ result = DNS_R_CNAME;
+ } else if (search.zonecut != NULL) {
+ /*
+ * If we're beneath a zone cut, we must indicate that the
+ * result is glue, unless we're actually at the zone cut
+ * and the type is NSEC or KEY.
+ */
+ if (search.zonecut == node) {
+ if (type == dns_rdatatype_nsec ||
+ type == dns_rdatatype_dnskey)
+ result = ISC_R_SUCCESS;
+ else if (type == dns_rdatatype_any)
+ result = DNS_R_ZONECUT;
+ else
+ result = DNS_R_GLUE;
+ } else
+ result = DNS_R_GLUE;
+ /*
+ * We might have found data that isn't glue, but was occluded
+ * by a dynamic update. If the caller cares about this, they
+ * will have told us to validate glue.
+ *
+ * XXX We should cache the glue validity state!
+ */
+ if (result == DNS_R_GLUE &&
+ (search.options & DNS_DBFIND_VALIDATEGLUE) != 0 &&
+ !valid_glue(&search, foundname, type, node)) {
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ result = setup_delegation(&search, nodep, foundname,
+ rdataset, sigrdataset);
+ goto tree_exit;
+ }
+ } else {
+ /*
+ * An ordinary successful query!
+ */
+ result = ISC_R_SUCCESS;
+ }
+
+ if (nodep != NULL) {
+ if (!at_zonecut)
+ new_reference(search.rbtdb, node);
+ else
+ search.need_cleanup = ISC_FALSE;
+ *nodep = node;
+ }
+
+ if (type != dns_rdatatype_any) {
+ bind_rdataset(search.rbtdb, node, found, 0, rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search.rbtdb, node, foundsig, 0,
+ sigrdataset);
+ }
+
+ if (wild)
+ foundname->attributes |= DNS_NAMEATTR_WILDCARD;
+
+ node_exit:
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ tree_exit:
+ RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ /*
+ * If we found a zonecut but aren't going to use it, we have to
+ * let go of it.
+ */
+ if (search.need_cleanup) {
+ node = search.zonecut;
+ lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+ LOCK(lock);
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0)
+ no_references(search.rbtdb, node, 0,
+ isc_rwlocktype_none);
+
+ UNLOCK(lock);
+ }
+
+ if (close_version)
+ closeversion(db, &version, ISC_FALSE);
+
+ dns_rbtnodechain_reset(&search.chain);
+
+ return (result);
+}
+
+static isc_result_t
+zone_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+ isc_stdtime_t now, dns_dbnode_t **nodep,
+ dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ UNUSED(db);
+ UNUSED(name);
+ UNUSED(options);
+ UNUSED(now);
+ UNUSED(nodep);
+ UNUSED(foundname);
+ UNUSED(rdataset);
+ UNUSED(sigrdataset);
+
+ FATAL_ERROR(__FILE__, __LINE__, "zone_findzonecut() called!");
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
+ rbtdb_search_t *search = arg;
+ rdatasetheader_t *header, *header_prev, *header_next;
+ rdatasetheader_t *dname_header, *sigdname_header;
+ isc_result_t result;
+
+ /* XXX comment */
+
+ REQUIRE(search->zonecut == NULL);
+
+ /*
+ * Keep compiler silent.
+ */
+ UNUSED(name);
+
+ LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+
+ /*
+ * Look for a DNAME or RRSIG DNAME rdataset.
+ */
+ dname_header = NULL;
+ sigdname_header = NULL;
+ header_prev = NULL;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= search->now) {
+ /*
+ * This rdataset is stale. If no one else is
+ * using the node, we can clean it up right
+ * now, otherwise we mark it as stale, and
+ * the node as dirty, so it will get cleaned
+ * up later.
+ */
+ if (node->references == 0) {
+ INSIST(header->down == NULL);
+ if (header_prev != NULL)
+ header_prev->next =
+ header->next;
+ else
+ node->data = header->next;
+ free_rdataset(search->rbtdb->common.mctx,
+ header);
+ } else {
+ header->attributes |=
+ RDATASET_ATTR_STALE;
+ node->dirty = 1;
+ header_prev = header;
+ }
+ } else if (header->type == dns_rdatatype_dname &&
+ EXISTS(header)) {
+ dname_header = header;
+ header_prev = header;
+ } else if (header->type == RBTDB_RDATATYPE_SIGDNAME &&
+ EXISTS(header)) {
+ sigdname_header = header;
+ header_prev = header;
+ } else
+ header_prev = header;
+ }
+
+ if (dname_header != NULL &&
+ (dname_header->trust != dns_trust_pending ||
+ (search->options & DNS_DBFIND_PENDINGOK) != 0)) {
+ /*
+ * We increment the reference count on node to ensure that
+ * search->zonecut_rdataset will still be valid later.
+ */
+ new_reference(search->rbtdb, node);
+ search->zonecut = node;
+ search->zonecut_rdataset = dname_header;
+ search->zonecut_sigrdataset = sigdname_header;
+ search->need_cleanup = ISC_TRUE;
+ result = DNS_R_PARTIALMATCH;
+ } else
+ result = DNS_R_CONTINUE;
+
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+
+ return (result);
+}
+
+static inline isc_result_t
+find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ unsigned int i;
+ dns_rbtnode_t *level_node;
+ rdatasetheader_t *header, *header_prev, *header_next;
+ rdatasetheader_t *found, *foundsig;
+ isc_result_t result = ISC_R_NOTFOUND;
+ dns_name_t name;
+ dns_rbtdb_t *rbtdb;
+ isc_boolean_t done;
+
+ /*
+ * Caller must be holding the tree lock.
+ */
+
+ rbtdb = search->rbtdb;
+ i = search->chain.level_matches;
+ done = ISC_FALSE;
+ do {
+ LOCK(&(rbtdb->node_locks[node->locknum].lock));
+
+ /*
+ * Look for NS and RRSIG NS rdatasets.
+ */
+ found = NULL;
+ foundsig = NULL;
+ header_prev = NULL;
+ for (header = node->data;
+ header != NULL;
+ header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= search->now) {
+ /*
+ * This rdataset is stale. If no one else is
+ * using the node, we can clean it up right
+ * now, otherwise we mark it as stale, and
+ * the node as dirty, so it will get cleaned
+ * up later.
+ */
+ if (node->references == 0) {
+ INSIST(header->down == NULL);
+ if (header_prev != NULL)
+ header_prev->next =
+ header->next;
+ else
+ node->data = header->next;
+ free_rdataset(rbtdb->common.mctx,
+ header);
+ } else {
+ header->attributes |=
+ RDATASET_ATTR_STALE;
+ node->dirty = 1;
+ header_prev = header;
+ }
+ } else if (EXISTS(header)) {
+ /*
+ * We've found an extant rdataset. See if
+ * we're interested in it.
+ */
+ if (header->type == dns_rdatatype_ns) {
+ found = header;
+ if (foundsig != NULL)
+ break;
+ } else if (header->type ==
+ RBTDB_RDATATYPE_SIGNS) {
+ foundsig = header;
+ if (found != NULL)
+ break;
+ }
+ header_prev = header;
+ } else
+ header_prev = header;
+ }
+
+ if (found != NULL) {
+ /*
+ * If we have to set foundname, we do it before
+ * anything else. If we were to set foundname after
+ * we had set nodep or bound the rdataset, then we'd
+ * have to undo that work if dns_name_concatenate()
+ * failed. By setting foundname first, there's
+ * nothing to undo if we have trouble.
+ */
+ if (foundname != NULL) {
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(node, &name);
+ result = dns_name_copy(&name, foundname, NULL);
+ while (result == ISC_R_SUCCESS && i > 0) {
+ i--;
+ level_node = search->chain.levels[i];
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(level_node,
+ &name);
+ result =
+ dns_name_concatenate(foundname,
+ &name,
+ foundname,
+ NULL);
+ }
+ if (result != ISC_R_SUCCESS) {
+ *nodep = NULL;
+ goto node_exit;
+ }
+ }
+ result = DNS_R_DELEGATION;
+ if (nodep != NULL) {
+ new_reference(search->rbtdb, node);
+ *nodep = node;
+ }
+ bind_rdataset(search->rbtdb, node, found, search->now,
+ rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search->rbtdb, node, foundsig,
+ search->now, sigrdataset);
+ }
+
+ node_exit:
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+
+ if (found == NULL && i > 0) {
+ i--;
+ node = search->chain.levels[i];
+ } else
+ done = ISC_TRUE;
+
+ } while (!done);
+
+ return (result);
+}
+
+static isc_result_t
+find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
+ isc_stdtime_t now, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_rbtnode_t *node;
+ rdatasetheader_t *header, *header_next, *header_prev;
+ rdatasetheader_t *found, *foundsig;
+ isc_boolean_t empty_node;
+ isc_result_t result;
+ dns_fixedname_t fname, forigin;
+ dns_name_t *name, *origin;
+ rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype;
+
+ matchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_nsec, 0);
+ nsectype = RBTDB_RDATATYPE_VALUE(0, dns_rdatatype_nsec);
+ sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig,
+ dns_rdatatype_nsec);
+
+ do {
+ node = NULL;
+ dns_fixedname_init(&fname);
+ name = dns_fixedname_name(&fname);
+ dns_fixedname_init(&forigin);
+ origin = dns_fixedname_name(&forigin);
+ result = dns_rbtnodechain_current(&search->chain, name,
+ origin, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ LOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ found = NULL;
+ foundsig = NULL;
+ empty_node = ISC_TRUE;
+ header_prev = NULL;
+ for (header = node->data;
+ header != NULL;
+ header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= now) {
+ /*
+ * This rdataset is stale. If no one else is
+ * using the node, we can clean it up right
+ * now, otherwise we mark it as stale, and the
+ * node as dirty, so it will get cleaned up
+ * later.
+ */
+ if (node->references == 0) {
+ INSIST(header->down == NULL);
+ if (header_prev != NULL)
+ header_prev->next =
+ header->next;
+ else
+ node->data = header->next;
+ free_rdataset(search->rbtdb->common.mctx,
+ header);
+ } else {
+ header->attributes |=
+ RDATASET_ATTR_STALE;
+ node->dirty = 1;
+ header_prev = header;
+ }
+ continue;
+ }
+ if (NONEXISTENT(header) || NXDOMAIN(header)) {
+ header_prev = header;
+ continue;
+ }
+ empty_node = ISC_FALSE;
+ if (header->type == matchtype)
+ found = header;
+ else if (header->type == sigmatchtype)
+ foundsig = header;
+ header_prev = header;
+ }
+ if (found != NULL) {
+ result = dns_name_concatenate(name, origin,
+ foundname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto unlock_node;
+ bind_rdataset(search->rbtdb, node, found,
+ now, rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search->rbtdb, node, foundsig,
+ now, sigrdataset);
+ new_reference(search->rbtdb, node);
+ *nodep = node;
+ result = DNS_R_COVERINGNSEC;
+ } else if (!empty_node) {
+ result = ISC_R_NOTFOUND;
+ }else
+ result = dns_rbtnodechain_prev(&search->chain, NULL,
+ NULL);
+ unlock_node:
+ UNLOCK(&(search->rbtdb->node_locks[node->locknum].lock));
+ } while (empty_node && result == ISC_R_SUCCESS);
+ return (result);
+}
+
+static isc_result_t
+cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_rbtnode_t *node = NULL;
+ isc_result_t result;
+ rbtdb_search_t search;
+ isc_boolean_t cname_ok = ISC_TRUE;
+ isc_boolean_t empty_node;
+ isc_mutex_t *lock;
+ rdatasetheader_t *header, *header_prev, *header_next;
+ rdatasetheader_t *found, *nsheader;
+ rdatasetheader_t *foundsig, *nssig, *cnamesig;
+ rbtdb_rdatatype_t sigtype, nsectype;
+
+ UNUSED(version);
+
+ search.rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(search.rbtdb));
+ REQUIRE(version == NULL);
+
+ if (now == 0)
+ isc_stdtime_get(&now);
+
+ search.rbtversion = NULL;
+ search.serial = 1;
+ search.options = options;
+ search.copy_name = ISC_FALSE;
+ search.need_cleanup = ISC_FALSE;
+ search.wild = ISC_FALSE;
+ search.zonecut = NULL;
+ dns_fixedname_init(&search.zonecut_name);
+ dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+ search.now = now;
+
+ RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ /*
+ * Search down from the root of the tree. If, while going down, we
+ * encounter a callback node, cache_zonecut_callback() will search the
+ * rdatasets at the zone cut for a DNAME rdataset.
+ */
+ result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+ &search.chain, DNS_RBTFIND_EMPTYDATA,
+ cache_zonecut_callback, &search);
+
+ if (result == DNS_R_PARTIALMATCH) {
+ if ((search.options & DNS_DBFIND_COVERINGNSEC) != 0) {
+ result = find_coveringnsec(&search, nodep, now,
+ foundname, rdataset,
+ sigrdataset);
+ if (result == DNS_R_COVERINGNSEC)
+ goto tree_exit;
+ }
+ if (search.zonecut != NULL) {
+ result = setup_delegation(&search, nodep, foundname,
+ rdataset, sigrdataset);
+ goto tree_exit;
+ } else {
+ find_ns:
+ result = find_deepest_zonecut(&search, node, nodep,
+ foundname, rdataset,
+ sigrdataset);
+ goto tree_exit;
+ }
+ } else if (result != ISC_R_SUCCESS)
+ goto tree_exit;
+
+ /*
+ * Certain DNSSEC types are not subject to CNAME matching
+ * (RFC 2535, section 2.3.5).
+ *
+ * We don't check for RRSIG, because we don't store RRSIG records
+ * directly.
+ */
+ if (type == dns_rdatatype_dnskey || type == dns_rdatatype_nsec)
+ cname_ok = ISC_FALSE;
+
+ /*
+ * We now go looking for rdata...
+ */
+
+ LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ found = NULL;
+ foundsig = NULL;
+ sigtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+ nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+ nsheader = NULL;
+ nssig = NULL;
+ cnamesig = NULL;
+ empty_node = ISC_TRUE;
+ header_prev = NULL;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= now) {
+ /*
+ * This rdataset is stale. If no one else is using the
+ * node, we can clean it up right now, otherwise we
+ * mark it as stale, and the node as dirty, so it will
+ * get cleaned up later.
+ */
+ if (node->references == 0) {
+ INSIST(header->down == NULL);
+ if (header_prev != NULL)
+ header_prev->next = header->next;
+ else
+ node->data = header->next;
+ free_rdataset(search.rbtdb->common.mctx,
+ header);
+ } else {
+ header->attributes |= RDATASET_ATTR_STALE;
+ node->dirty = 1;
+ header_prev = header;
+ }
+ } else if (EXISTS(header)) {
+ /*
+ * We now know that there is at least one active
+ * non-stale rdataset at this node.
+ */
+ empty_node = ISC_FALSE;
+
+ /*
+ * If we found a type we were looking for, remember
+ * it.
+ */
+ if (header->type == type ||
+ (type == dns_rdatatype_any &&
+ RBTDB_RDATATYPE_BASE(header->type) != 0) ||
+ (cname_ok && header->type ==
+ dns_rdatatype_cname)) {
+ /*
+ * We've found the answer.
+ */
+ found = header;
+ if (header->type == dns_rdatatype_cname &&
+ cname_ok &&
+ cnamesig != NULL) {
+ /*
+ * If we've already got the CNAME RRSIG,
+ * use it, otherwise change sigtype
+ * so that we find it.
+ */
+ if (cnamesig != NULL)
+ foundsig = cnamesig;
+ else
+ sigtype =
+ RBTDB_RDATATYPE_SIGCNAME;
+ foundsig = cnamesig;
+ }
+ } else if (header->type == sigtype) {
+ /*
+ * We've found the RRSIG rdataset for our
+ * target type. Remember it.
+ */
+ foundsig = header;
+ } else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+ header->type == nsectype) {
+ /*
+ * We've found a negative cache entry.
+ */
+ found = header;
+ } else if (header->type == dns_rdatatype_ns) {
+ /*
+ * Remember a NS rdataset even if we're
+ * not specifically looking for it, because
+ * we might need it later.
+ */
+ nsheader = header;
+ } else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+ /*
+ * If we need the NS rdataset, we'll also
+ * need its signature.
+ */
+ nssig = header;
+ } else if (cname_ok &&
+ header->type == RBTDB_RDATATYPE_SIGCNAME) {
+ /*
+ * If we get a CNAME match, we'll also need
+ * its signature.
+ */
+ cnamesig = header;
+ }
+ header_prev = header;
+ } else
+ header_prev = header;
+ }
+
+ if (empty_node) {
+ /*
+ * We have an exact match for the name, but there are no
+ * extant rdatasets. That means that this node doesn't
+ * meaningfully exist, and that we really have a partial match.
+ */
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ goto find_ns;
+ }
+
+ /*
+ * If we didn't find what we were looking for...
+ */
+ if (found == NULL ||
+ (found->trust == dns_trust_glue &&
+ ((options & DNS_DBFIND_GLUEOK) == 0)) ||
+ (found->trust == dns_trust_pending &&
+ ((options & DNS_DBFIND_PENDINGOK) == 0))) {
+ /*
+ * If there is an NS rdataset at this node, then this is the
+ * deepest zone cut.
+ */
+ if (nsheader != NULL) {
+ if (nodep != NULL) {
+ new_reference(search.rbtdb, node);
+ *nodep = node;
+ }
+ bind_rdataset(search.rbtdb, node, nsheader, search.now,
+ rdataset);
+ if (nssig != NULL)
+ bind_rdataset(search.rbtdb, node, nssig,
+ search.now, sigrdataset);
+ result = DNS_R_DELEGATION;
+ goto node_exit;
+ }
+
+ /*
+ * Go find the deepest zone cut.
+ */
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ goto find_ns;
+ }
+
+ /*
+ * We found what we were looking for, or we found a CNAME.
+ */
+
+ if (nodep != NULL) {
+ new_reference(search.rbtdb, node);
+ *nodep = node;
+ }
+
+ if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ /*
+ * We found a negative cache entry.
+ */
+ if (NXDOMAIN(found))
+ result = DNS_R_NCACHENXDOMAIN;
+ else
+ result = DNS_R_NCACHENXRRSET;
+ } else if (type != found->type &&
+ type != dns_rdatatype_any &&
+ found->type == dns_rdatatype_cname) {
+ /*
+ * We weren't doing an ANY query and we found a CNAME instead
+ * of the type we were looking for, so we need to indicate
+ * that result to the caller.
+ */
+ result = DNS_R_CNAME;
+ } else {
+ /*
+ * An ordinary successful query!
+ */
+ result = ISC_R_SUCCESS;
+ }
+
+ if (type != dns_rdatatype_any || result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET) {
+ bind_rdataset(search.rbtdb, node, found, search.now,
+ rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search.rbtdb, node, foundsig, search.now,
+ sigrdataset);
+ }
+
+ node_exit:
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ tree_exit:
+ RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ /*
+ * If we found a zonecut but aren't going to use it, we have to
+ * let go of it.
+ */
+ if (search.need_cleanup) {
+ node = search.zonecut;
+ lock = &(search.rbtdb->node_locks[node->locknum].lock);
+
+ LOCK(lock);
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0)
+ no_references(search.rbtdb, node, 0,
+ isc_rwlocktype_none);
+ UNLOCK(lock);
+ }
+
+ dns_rbtnodechain_reset(&search.chain);
+
+ return (result);
+}
+
+static isc_result_t
+cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+ isc_stdtime_t now, dns_dbnode_t **nodep,
+ dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_rbtnode_t *node = NULL;
+ isc_result_t result;
+ rbtdb_search_t search;
+ rdatasetheader_t *header, *header_prev, *header_next;
+ rdatasetheader_t *found, *foundsig;
+ unsigned int rbtoptions = DNS_RBTFIND_EMPTYDATA;
+
+ search.rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(search.rbtdb));
+
+ if (now == 0)
+ isc_stdtime_get(&now);
+
+ search.rbtversion = NULL;
+ search.serial = 1;
+ search.options = options;
+ search.copy_name = ISC_FALSE;
+ search.need_cleanup = ISC_FALSE;
+ search.wild = ISC_FALSE;
+ search.zonecut = NULL;
+ dns_fixedname_init(&search.zonecut_name);
+ dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
+ search.now = now;
+
+ if ((options & DNS_DBFIND_NOEXACT) != 0)
+ rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+ RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ /*
+ * Search down from the root of the tree.
+ */
+ result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+ &search.chain, rbtoptions, NULL, &search);
+
+ if (result == DNS_R_PARTIALMATCH) {
+ find_ns:
+ result = find_deepest_zonecut(&search, node, nodep, foundname,
+ rdataset, sigrdataset);
+ goto tree_exit;
+ } else if (result != ISC_R_SUCCESS)
+ goto tree_exit;
+
+ /*
+ * We now go looking for an NS rdataset at the node.
+ */
+
+ LOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ found = NULL;
+ foundsig = NULL;
+ header_prev = NULL;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= now) {
+ /*
+ * This rdataset is stale. If no one else is using the
+ * node, we can clean it up right now, otherwise we
+ * mark it as stale, and the node as dirty, so it will
+ * get cleaned up later.
+ */
+ if (node->references == 0) {
+ INSIST(header->down == NULL);
+ if (header_prev != NULL)
+ header_prev->next = header->next;
+ else
+ node->data = header->next;
+ free_rdataset(search.rbtdb->common.mctx,
+ header);
+ } else {
+ header->attributes |= RDATASET_ATTR_STALE;
+ node->dirty = 1;
+ header_prev = header;
+ }
+ } else if (EXISTS(header)) {
+ /*
+ * If we found a type we were looking for, remember
+ * it.
+ */
+ if (header->type == dns_rdatatype_ns) {
+ /*
+ * Remember a NS rdataset even if we're
+ * not specifically looking for it, because
+ * we might need it later.
+ */
+ found = header;
+ } else if (header->type == RBTDB_RDATATYPE_SIGNS) {
+ /*
+ * If we need the NS rdataset, we'll also
+ * need its signature.
+ */
+ foundsig = header;
+ }
+ header_prev = header;
+ } else
+ header_prev = header;
+ }
+
+ if (found == NULL) {
+ /*
+ * No NS records here.
+ */
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+ goto find_ns;
+ }
+
+ if (nodep != NULL) {
+ new_reference(search.rbtdb, node);
+ *nodep = node;
+ }
+
+ bind_rdataset(search.rbtdb, node, found, search.now, rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(search.rbtdb, node, foundsig, search.now,
+ sigrdataset);
+
+ UNLOCK(&(search.rbtdb->node_locks[node->locknum].lock));
+
+ tree_exit:
+ RWUNLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
+
+ INSIST(!search.need_cleanup);
+
+ dns_rbtnodechain_reset(&search.chain);
+
+ if (result == DNS_R_DELEGATION)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *node = (dns_rbtnode_t *)source;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&rbtdb->node_locks[node->locknum].lock);
+ INSIST(node->references > 0);
+ node->references++;
+ INSIST(node->references != 0); /* Catch overflow. */
+ UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+
+ *targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *node;
+ isc_boolean_t want_free = ISC_FALSE;
+ isc_boolean_t inactive = ISC_FALSE;
+ unsigned int locknum;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(targetp != NULL && *targetp != NULL);
+
+ node = (dns_rbtnode_t *)(*targetp);
+ locknum = node->locknum;
+
+ LOCK(&rbtdb->node_locks[locknum].lock);
+
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0) {
+ no_references(rbtdb, node, 0, isc_rwlocktype_none);
+ if (rbtdb->node_locks[locknum].references == 0 &&
+ rbtdb->node_locks[locknum].exiting)
+ inactive = ISC_TRUE;
+ }
+
+ UNLOCK(&rbtdb->node_locks[locknum].lock);
+
+ *targetp = NULL;
+
+ if (inactive) {
+ LOCK(&rbtdb->lock);
+ rbtdb->active--;
+ if (rbtdb->active == 0)
+ want_free = ISC_TRUE;
+ UNLOCK(&rbtdb->lock);
+ if (want_free) {
+ char buf[DNS_NAME_FORMATSIZE];
+ if (dns_name_dynamic(&rbtdb->common.origin))
+ dns_name_format(&rbtdb->common.origin, buf,
+ sizeof(buf));
+ else
+ strcpy(buf, "<UNKNOWN>");
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "calling free_rbtdb(%s)", buf);
+ free_rbtdb(rbtdb, ISC_TRUE, NULL);
+ }
+ }
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = node;
+ rdatasetheader_t *header;
+ isc_boolean_t force_expire = ISC_FALSE;
+ /*
+ * These are the category and module used by the cache cleaner.
+ */
+ isc_boolean_t log = ISC_FALSE;
+ isc_logcategory_t *category = DNS_LOGCATEGORY_DATABASE;
+ isc_logmodule_t *module = DNS_LOGMODULE_CACHE;
+ int level = ISC_LOG_DEBUG(2);
+ char printname[DNS_NAME_FORMATSIZE];
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ /*
+ * Caller must hold a tree lock.
+ */
+
+ if (now == 0)
+ isc_stdtime_get(&now);
+
+ if (rbtdb->overmem) {
+ isc_uint32_t val;
+
+ isc_random_get(&val);
+ /*
+ * XXXDCL Could stand to have a better policy, like LRU.
+ */
+ force_expire = ISC_TF(rbtnode->down == NULL && val % 4 == 0);
+
+ /*
+ * Note that 'log' can be true IFF rbtdb->overmem is also true.
+ * rbtdb->ovemem can currently only be true for cache databases
+ * -- hence all of the "overmem cache" log strings.
+ */
+ log = ISC_TF(isc_log_wouldlog(dns_lctx, level));
+ if (log)
+ isc_log_write(dns_lctx, category, module, level,
+ "overmem cache: %s %s",
+ force_expire ? "FORCE" : "check",
+ dns_rbt_formatnodename(rbtnode,
+ printname,
+ sizeof(printname)));
+ }
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ for (header = rbtnode->data; header != NULL; header = header->next)
+ if (header->ttl <= now) {
+ /*
+ * We don't check if rbtnode->references == 0 and try
+ * to free like we do in cache_find(), because
+ * rbtnode->references must be non-zero. This is so
+ * because 'node' is an argument to the function.
+ */
+ header->attributes |= RDATASET_ATTR_STALE;
+ rbtnode->dirty = 1;
+ if (log)
+ isc_log_write(dns_lctx, category, module,
+ level, "overmem cache: stale %s",
+ printname);
+ } else if (force_expire) {
+ if (! RETAIN(header)) {
+ header->ttl = 0;
+ header->attributes |= RDATASET_ATTR_STALE;
+ rbtnode->dirty = 1;
+ } else if (log) {
+ isc_log_write(dns_lctx, category, module,
+ level, "overmem cache: "
+ "reprieve by RETAIN() %s",
+ printname);
+ }
+ } else if (rbtdb->overmem && log)
+ isc_log_write(dns_lctx, category, module, level,
+ "overmem cache: saved %s", printname);
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+overmem(dns_db_t *db, isc_boolean_t overmem) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+ if (IS_CACHE(rbtdb)) {
+ rbtdb->overmem = overmem;
+ }
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = node;
+ isc_boolean_t first;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ fprintf(out, "node %p, %u references, locknum = %u\n",
+ rbtnode, rbtnode->references, rbtnode->locknum);
+ if (rbtnode->data != NULL) {
+ rdatasetheader_t *current, *top_next;
+
+ for (current = rbtnode->data; current != NULL;
+ current = top_next) {
+ top_next = current->next;
+ first = ISC_TRUE;
+ fprintf(out, "\ttype %u", current->type);
+ do {
+ if (!first)
+ fprintf(out, "\t");
+ first = ISC_FALSE;
+ fprintf(out,
+ "\tserial = %lu, ttl = %u, "
+ "trust = %u, attributes = %u\n",
+ (unsigned long)current->serial,
+ current->ttl,
+ current->trust,
+ current->attributes);
+ current = current->down;
+ } while (current != NULL);
+ }
+ } else
+ fprintf(out, "(empty)\n");
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, isc_boolean_t relative_names,
+ dns_dbiterator_t **iteratorp)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_dbiterator_t *rbtdbiter;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
+ if (rbtdbiter == NULL)
+ return (ISC_R_NOMEMORY);
+
+ rbtdbiter->common.methods = &dbiterator_methods;
+ rbtdbiter->common.db = NULL;
+ dns_db_attach(db, &rbtdbiter->common.db);
+ rbtdbiter->common.relative_names = relative_names;
+ rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+ rbtdbiter->common.cleaning = ISC_FALSE;
+ rbtdbiter->paused = ISC_TRUE;
+ rbtdbiter->tree_locked = isc_rwlocktype_none;
+ rbtdbiter->result = ISC_R_SUCCESS;
+ dns_fixedname_init(&rbtdbiter->name);
+ dns_fixedname_init(&rbtdbiter->origin);
+ rbtdbiter->node = NULL;
+ rbtdbiter->delete = 0;
+ memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
+ dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx);
+
+ *iteratorp = (dns_dbiterator_t *)rbtdbiter;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+zone_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rdatasetheader_t *header, *header_next, *found, *foundsig;
+ rbtdb_serial_t serial;
+ rbtdb_version_t *rbtversion = version;
+ isc_boolean_t close_version = ISC_FALSE;
+ rbtdb_rdatatype_t matchtype, sigmatchtype;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(type != dns_rdatatype_any);
+
+ if (rbtversion == NULL) {
+ currentversion(db, (dns_dbversion_t **) (void *)(&rbtversion));
+ close_version = ISC_TRUE;
+ }
+ serial = rbtversion->serial;
+ now = 0;
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ found = NULL;
+ foundsig = NULL;
+ matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+ if (covers == 0)
+ sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+ else
+ sigmatchtype = 0;
+
+ for (header = rbtnode->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ do {
+ if (header->serial <= serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL) {
+ /*
+ * We have an active, extant rdataset. If it's a
+ * type we're looking for, remember it.
+ */
+ if (header->type == matchtype) {
+ found = header;
+ if (foundsig != NULL)
+ break;
+ } else if (header->type == sigmatchtype) {
+ foundsig = header;
+ if (found != NULL)
+ break;
+ }
+ }
+ }
+ if (found != NULL) {
+ bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(rbtdb, rbtnode, foundsig, now,
+ sigrdataset);
+ }
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ if (close_version)
+ closeversion(db, (dns_dbversion_t **) (void *)(&rbtversion),
+ ISC_FALSE);
+
+ if (found == NULL)
+ return (ISC_R_NOTFOUND);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rdatasetheader_t *header, *header_next, *found, *foundsig;
+ rbtdb_rdatatype_t matchtype, sigmatchtype, nsectype;
+ isc_result_t result;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(type != dns_rdatatype_any);
+
+ UNUSED(version);
+
+ result = ISC_R_SUCCESS;
+
+ if (now == 0)
+ isc_stdtime_get(&now);
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ found = NULL;
+ foundsig = NULL;
+ matchtype = RBTDB_RDATATYPE_VALUE(type, covers);
+ nsectype = RBTDB_RDATATYPE_VALUE(0, type);
+ if (covers == 0)
+ sigmatchtype = RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, type);
+ else
+ sigmatchtype = 0;
+
+ for (header = rbtnode->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->ttl <= now) {
+ /*
+ * We don't check if rbtnode->references == 0 and try
+ * to free like we do in cache_find(), because
+ * rbtnode->references must be non-zero. This is so
+ * because 'node' is an argument to the function.
+ */
+ header->attributes |= RDATASET_ATTR_STALE;
+ rbtnode->dirty = 1;
+ } else if (EXISTS(header)) {
+ if (header->type == matchtype)
+ found = header;
+ else if (header->type == RBTDB_RDATATYPE_NCACHEANY ||
+ header->type == nsectype)
+ found = header;
+ else if (header->type == sigmatchtype)
+ foundsig = header;
+ }
+ }
+ if (found != NULL) {
+ bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+ if (foundsig != NULL)
+ bind_rdataset(rbtdb, rbtnode, foundsig, now,
+ sigrdataset);
+ }
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ if (found == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ /*
+ * We found a negative cache entry.
+ */
+ if (NXDOMAIN(found))
+ result = DNS_R_NCACHENXDOMAIN;
+ else
+ result = DNS_R_NCACHENXRRSET;
+ }
+
+ return (result);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rbtdb_version_t *rbtversion = version;
+ rbtdb_rdatasetiter_t *iterator;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ iterator = isc_mem_get(rbtdb->common.mctx, sizeof(*iterator));
+ if (iterator == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if ((db->attributes & DNS_DBATTR_CACHE) == 0) {
+ now = 0;
+ if (rbtversion == NULL)
+ currentversion(db,
+ (dns_dbversion_t **) (void *)(&rbtversion));
+ else {
+ LOCK(&rbtdb->lock);
+ INSIST(rbtversion->references > 0);
+ rbtversion->references++;
+ INSIST(rbtversion->references != 0);
+ UNLOCK(&rbtdb->lock);
+ }
+ } else {
+ if (now == 0)
+ isc_stdtime_get(&now);
+ rbtversion = NULL;
+ }
+
+ iterator->common.magic = DNS_RDATASETITER_MAGIC;
+ iterator->common.methods = &rdatasetiter_methods;
+ iterator->common.db = db;
+ iterator->common.node = node;
+ iterator->common.version = (dns_dbversion_t *)rbtversion;
+ iterator->common.now = now;
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ INSIST(rbtnode->references > 0);
+ rbtnode->references++;
+ INSIST(rbtnode->references != 0);
+ iterator->current = NULL;
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ *iteratorp = (dns_rdatasetiter_t *)iterator;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
+ rdatasetheader_t *header, *header_next;
+ isc_boolean_t cname, other_data;
+ dns_rdatatype_t rdtype;
+
+ /*
+ * The caller must hold the node lock.
+ */
+
+ /*
+ * Look for CNAME and "other data" rdatasets active in our version.
+ */
+ cname = ISC_FALSE;
+ other_data = ISC_FALSE;
+ for (header = node->data; header != NULL; header = header_next) {
+ header_next = header->next;
+ if (header->type == dns_rdatatype_cname) {
+ /*
+ * Look for an active extant CNAME.
+ */
+ do {
+ if (header->serial <= serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL)
+ cname = ISC_TRUE;
+ } else {
+ /*
+ * Look for active extant "other data".
+ *
+ * "Other data" is any rdataset whose type is not
+ * DNSKEY, RRSIG DNSKEY, NSEC, RRSIG NSEC,
+ * or RRSIG CNAME.
+ */
+ rdtype = RBTDB_RDATATYPE_BASE(header->type);
+ if (rdtype == dns_rdatatype_rrsig ||
+ rdtype == dns_rdatatype_sig)
+ rdtype = RBTDB_RDATATYPE_EXT(header->type);
+ if (rdtype != dns_rdatatype_nsec &&
+ rdtype != dns_rdatatype_dnskey &&
+ rdtype != dns_rdatatype_nxt &&
+ rdtype != dns_rdatatype_key &&
+ rdtype != dns_rdatatype_cname) {
+ /*
+ * We've found a type that isn't
+ * NSEC, KEY, CNAME, or one of their
+ * signatures. Is it active and extant?
+ */
+ do {
+ if (header->serial <= serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset
+ * doesn't exist" record?
+ */
+ if (NONEXISTENT(header))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL)
+ other_data = ISC_TRUE;
+ }
+ }
+ }
+
+ if (cname && other_data)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading,
+ dns_rdataset_t *addedrdataset, isc_stdtime_t now)
+{
+ rbtdb_changed_t *changed = NULL;
+ rdatasetheader_t *topheader, *topheader_prev, *header;
+ unsigned char *merged;
+ isc_result_t result;
+ isc_boolean_t header_nx;
+ isc_boolean_t newheader_nx;
+ isc_boolean_t merge;
+ dns_rdatatype_t nsectype, rdtype, covers;
+ dns_trust_t trust;
+
+ /*
+ * Add an rdatasetheader_t to a node.
+ */
+
+ /*
+ * Caller must be holding the node lock.
+ */
+
+ if ((options & DNS_DBADD_MERGE) != 0) {
+ REQUIRE(rbtversion != NULL);
+ merge = ISC_TRUE;
+ } else
+ merge = ISC_FALSE;
+
+ if ((options & DNS_DBADD_FORCE) != 0)
+ trust = dns_trust_ultimate;
+ else
+ trust = newheader->trust;
+
+ if (rbtversion != NULL && !loading) {
+ /*
+ * We always add a changed record, even if no changes end up
+ * being made to this node, because it's harmless and
+ * simplifies the code.
+ */
+ changed = add_changed(rbtdb, rbtversion, rbtnode);
+ if (changed == NULL) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (ISC_R_NOMEMORY);
+ }
+ }
+
+ newheader_nx = NONEXISTENT(newheader) ? ISC_TRUE : ISC_FALSE;
+ topheader_prev = NULL;
+
+ nsectype = 0;
+ if (rbtversion == NULL && !newheader_nx) {
+ rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
+ if (rdtype == 0) {
+ /*
+ * We're adding a negative cache entry.
+ */
+ covers = RBTDB_RDATATYPE_EXT(newheader->type);
+ if (covers == dns_rdatatype_any) {
+ /*
+ * We're adding an NXDOMAIN negative cache
+ * entry.
+ *
+ * We make all other data stale so that the
+ * only rdataset that can be found at this
+ * node is the NXDOMAIN negative cache entry.
+ */
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
+ topheader->ttl = 0;
+ topheader->attributes |=
+ RDATASET_ATTR_STALE;
+ }
+ rbtnode->dirty = 1;
+ goto find_header;
+ }
+ nsectype = RBTDB_RDATATYPE_VALUE(covers, 0);
+ } else {
+ /*
+ * We're adding something that isn't a
+ * negative cache entry. Look for an extant
+ * non-stale NXDOMAIN negative cache entry.
+ */
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
+ if (NXDOMAIN(topheader))
+ break;
+ }
+ if (topheader != NULL && EXISTS(topheader) &&
+ topheader->ttl > now) {
+ /*
+ * Found one.
+ */
+ if (trust < topheader->trust) {
+ /*
+ * The NXDOMAIN is more trusted.
+ */
+ free_rdataset(rbtdb->common.mctx,
+ newheader);
+ if (addedrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode,
+ topheader, now,
+ addedrdataset);
+ return (DNS_R_UNCHANGED);
+ }
+ /*
+ * The new rdataset is better. Expire the
+ * NXDOMAIN.
+ */
+ topheader->ttl = 0;
+ topheader->attributes |= RDATASET_ATTR_STALE;
+ rbtnode->dirty = 1;
+ topheader = NULL;
+ goto find_header;
+ }
+ nsectype = RBTDB_RDATATYPE_VALUE(0, rdtype);
+ }
+ }
+
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
+ if (topheader->type == newheader->type ||
+ topheader->type == nsectype)
+ break;
+ topheader_prev = topheader;
+ }
+
+ find_header:
+ /*
+ * If header isn't NULL, we've found the right type. There may be
+ * IGNORE rdatasets between the top of the chain and the first real
+ * data. We skip over them.
+ */
+ header = topheader;
+ while (header != NULL && IGNORE(header))
+ header = header->down;
+ if (header != NULL) {
+ header_nx = NONEXISTENT(header) ? ISC_TRUE : ISC_FALSE;
+
+ /*
+ * Deleting an already non-existent rdataset has no effect.
+ */
+ if (header_nx && newheader_nx) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (DNS_R_UNCHANGED);
+ }
+
+ /*
+ * Trying to add an rdataset with lower trust to a cache DB
+ * has no effect, provided that the cache data isn't stale.
+ */
+ if (rbtversion == NULL && trust < header->trust &&
+ (header->ttl > now || header_nx)) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode, header, now,
+ addedrdataset);
+ return (DNS_R_UNCHANGED);
+ }
+
+ /*
+ * Don't merge if a nonexistent rdataset is involved.
+ */
+ if (merge && (header_nx || newheader_nx))
+ merge = ISC_FALSE;
+
+ /*
+ * If 'merge' is ISC_TRUE, we'll try to create a new rdataset
+ * that is the union of 'newheader' and 'header'.
+ */
+ if (merge) {
+ unsigned int flags = 0;
+ INSIST(rbtversion->serial >= header->serial);
+ merged = NULL;
+ result = ISC_R_SUCCESS;
+
+ if ((options & DNS_DBADD_EXACT) != 0)
+ flags |= DNS_RDATASLAB_EXACT;
+ if ((options & DNS_DBADD_EXACTTTL) != 0 &&
+ newheader->ttl != header->ttl)
+ result = DNS_R_NOTEXACT;
+ else if (newheader->ttl != header->ttl)
+ flags |= DNS_RDATASLAB_FORCE;
+ if (result == ISC_R_SUCCESS)
+ result = dns_rdataslab_merge(
+ (unsigned char *)header,
+ (unsigned char *)newheader,
+ (unsigned int)(sizeof(*newheader)),
+ rbtdb->common.mctx,
+ rbtdb->common.rdclass,
+ (dns_rdatatype_t)header->type,
+ flags, &merged);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * If 'header' has the same serial number as
+ * we do, we could clean it up now if we knew
+ * that our caller had no references to it.
+ * We don't know this, however, so we leave it
+ * alone. It will get cleaned up when
+ * clean_zone_node() runs.
+ */
+ free_rdataset(rbtdb->common.mctx, newheader);
+ newheader = (rdatasetheader_t *)merged;
+ } else {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (result);
+ }
+ }
+ /*
+ * Don't replace existing NS, A and AAAA RRsets
+ * in the cache if they are already exist. This
+ * prevents named being locked to old servers.
+ * Don't lower trust of existing record if the
+ * update is forced.
+ */
+ if (IS_CACHE(rbtdb) && header->ttl > now &&
+ header->type == dns_rdatatype_ns &&
+ !header_nx && !newheader_nx &&
+ header->trust >= newheader->trust &&
+ dns_rdataslab_equalx((unsigned char *)header,
+ (unsigned char *)newheader,
+ (unsigned int)(sizeof(*newheader)),
+ rbtdb->common.rdclass,
+ (dns_rdatatype_t)header->type)) {
+ /*
+ * Honour the new ttl if it is less than the
+ * older one.
+ */
+ if (header->ttl > newheader->ttl)
+ header->ttl = newheader->ttl;
+ if (header->noqname == NULL &&
+ newheader->noqname != NULL) {
+ header->noqname = newheader->noqname;
+ newheader->noqname = NULL;
+ }
+ free_rdataset(rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode, header, now,
+ addedrdataset);
+ return (ISC_R_SUCCESS);
+ }
+ if (IS_CACHE(rbtdb) && header->ttl > now &&
+ (header->type == dns_rdatatype_a ||
+ header->type == dns_rdatatype_aaaa) &&
+ !header_nx && !newheader_nx &&
+ header->trust >= newheader->trust &&
+ dns_rdataslab_equal((unsigned char *)header,
+ (unsigned char *)newheader,
+ (unsigned int)(sizeof(*newheader)))) {
+ /*
+ * Honour the new ttl if it is less than the
+ * older one.
+ */
+ if (header->ttl > newheader->ttl)
+ header->ttl = newheader->ttl;
+ if (header->noqname == NULL &&
+ newheader->noqname != NULL) {
+ header->noqname = newheader->noqname;
+ newheader->noqname = NULL;
+ }
+ free_rdataset(rbtdb->common.mctx, newheader);
+ if (addedrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode, header, now,
+ addedrdataset);
+ return (ISC_R_SUCCESS);
+ }
+ INSIST(rbtversion == NULL ||
+ rbtversion->serial >= topheader->serial);
+ if (topheader_prev != NULL)
+ topheader_prev->next = newheader;
+ else
+ rbtnode->data = newheader;
+ newheader->next = topheader->next;
+ if (loading) {
+ /*
+ * There are no other references to 'header' when
+ * loading, so we MAY clean up 'header' now.
+ * Since we don't generate changed records when
+ * loading, we MUST clean up 'header' now.
+ */
+ newheader->down = NULL;
+ free_rdataset(rbtdb->common.mctx, header);
+ } else {
+ newheader->down = topheader;
+ topheader->next = newheader;
+ rbtnode->dirty = 1;
+ if (changed != NULL)
+ changed->dirty = ISC_TRUE;
+ }
+ } else {
+ /*
+ * No non-IGNORED rdatasets of the given type exist at
+ * this node.
+ */
+
+ /*
+ * If we're trying to delete the type, don't bother.
+ */
+ if (newheader_nx) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (DNS_R_UNCHANGED);
+ }
+
+ if (topheader != NULL) {
+ /*
+ * We have an list of rdatasets of the given type,
+ * but they're all marked IGNORE. We simply insert
+ * the new rdataset at the head of the list.
+ *
+ * Ignored rdatasets cannot occur during loading, so
+ * we INSIST on it.
+ */
+ INSIST(!loading);
+ INSIST(rbtversion == NULL ||
+ rbtversion->serial >= topheader->serial);
+ if (topheader_prev != NULL)
+ topheader_prev->next = newheader;
+ else
+ rbtnode->data = newheader;
+ newheader->next = topheader->next;
+ newheader->down = topheader;
+ topheader->next = newheader;
+ rbtnode->dirty = 1;
+ if (changed != NULL)
+ changed->dirty = ISC_TRUE;
+ } else {
+ /*
+ * No rdatasets of the given type exist at the node.
+ */
+ newheader->next = rbtnode->data;
+ newheader->down = NULL;
+ rbtnode->data = newheader;
+ }
+ }
+
+ /*
+ * Check if the node now contains CNAME and other data.
+ */
+ if (rbtversion != NULL &&
+ cname_and_other_data(rbtnode, rbtversion->serial))
+ return (DNS_R_CNAMEANDOTHER);
+
+ if (addedrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode, newheader, now, addedrdataset);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_boolean_t
+delegating_type(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ rbtdb_rdatatype_t type)
+{
+ if (IS_CACHE(rbtdb)) {
+ if (type == dns_rdatatype_dname)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+ } else if (type == dns_rdatatype_dname ||
+ (type == dns_rdatatype_ns &&
+ (node != rbtdb->origin_node || IS_STUB(rbtdb))))
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+static inline isc_result_t
+addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+ dns_rdataset_t *rdataset)
+{
+ struct noqname *noqname;
+ isc_mem_t *mctx = rbtdb->common.mctx;
+ dns_name_t name;
+ dns_rdataset_t nsec, nsecsig;
+ isc_result_t result;
+ isc_region_t r;
+
+ dns_name_init(&name, NULL);
+ dns_rdataset_init(&nsec);
+ dns_rdataset_init(&nsecsig);
+
+ result = dns_rdataset_getnoqname(rdataset, &name, &nsec, &nsecsig);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ noqname = isc_mem_get(mctx, sizeof(*noqname));
+ if (noqname == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ dns_name_init(&noqname->name, NULL);
+ noqname->nsec = NULL;
+ noqname->nsecsig = NULL;
+ result = dns_name_dup(&name, mctx, &noqname->name);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_rdataslab_fromrdataset(&nsec, mctx, &r, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ noqname->nsec = r.base;
+ result = dns_rdataslab_fromrdataset(&nsecsig, mctx, &r, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ noqname->nsecsig = r.base;
+ dns_rdataset_disassociate(&nsec);
+ dns_rdataset_disassociate(&nsecsig);
+ newheader->noqname = noqname;
+ return (ISC_R_SUCCESS);
+
+cleanup:
+ dns_rdataset_disassociate(&nsec);
+ dns_rdataset_disassociate(&nsecsig);
+ free_noqname(mctx, &noqname);
+ return(result);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+ dns_rdataset_t *addedrdataset)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rbtdb_version_t *rbtversion = version;
+ isc_region_t region;
+ rdatasetheader_t *newheader;
+ isc_result_t result;
+ isc_boolean_t delegating;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ if (rbtversion == NULL) {
+ if (now == 0)
+ isc_stdtime_get(&now);
+ } else
+ now = 0;
+
+ result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+ &region,
+ sizeof(rdatasetheader_t));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ newheader = (rdatasetheader_t *)region.base;
+ newheader->ttl = rdataset->ttl + now;
+ newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+ rdataset->covers);
+ newheader->attributes = 0;
+ newheader->noqname = NULL;
+ newheader->count = 0;
+ newheader->trust = rdataset->trust;
+ if (rbtversion != NULL) {
+ newheader->serial = rbtversion->serial;
+ now = 0;
+ } else {
+ newheader->serial = 1;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+ newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
+ result = addnoqname(rbtdb, newheader, rdataset);
+ if (result != ISC_R_SUCCESS) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (result);
+ }
+ }
+ }
+
+ /*
+ * If we're adding a delegation type (e.g. NS or DNAME for a zone,
+ * just DNAME for the cache), then we need to set the callback bit
+ * on the node, and to do that we must be holding an exclusive lock
+ * on the tree.
+ */
+ if (delegating_type(rbtdb, rbtnode, rdataset->type)) {
+ delegating = ISC_TRUE;
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ } else
+ delegating = ISC_FALSE;
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
+ addedrdataset, now);
+ if (result == ISC_R_SUCCESS && delegating)
+ rbtnode->find_callback = 1;
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ if (delegating)
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+ return (result);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdataset_t *rdataset, unsigned int options,
+ dns_rdataset_t *newrdataset)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rbtdb_version_t *rbtversion = version;
+ rdatasetheader_t *topheader, *topheader_prev, *header, *newheader;
+ unsigned char *subresult;
+ isc_region_t region;
+ isc_result_t result;
+ rbtdb_changed_t *changed;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+ &region,
+ sizeof(rdatasetheader_t));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ newheader = (rdatasetheader_t *)region.base;
+ newheader->ttl = rdataset->ttl;
+ newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+ rdataset->covers);
+ newheader->attributes = 0;
+ newheader->serial = rbtversion->serial;
+ newheader->trust = 0;
+ newheader->noqname = NULL;
+ newheader->count = 0;
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ changed = add_changed(rbtdb, rbtversion, rbtnode);
+ if (changed == NULL) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ return (ISC_R_NOMEMORY);
+ }
+
+ topheader_prev = NULL;
+ for (topheader = rbtnode->data;
+ topheader != NULL;
+ topheader = topheader->next) {
+ if (topheader->type == newheader->type)
+ break;
+ topheader_prev = topheader;
+ }
+ /*
+ * If header isn't NULL, we've found the right type. There may be
+ * IGNORE rdatasets between the top of the chain and the first real
+ * data. We skip over them.
+ */
+ header = topheader;
+ while (header != NULL && IGNORE(header))
+ header = header->down;
+ if (header != NULL && EXISTS(header)) {
+ unsigned int flags = 0;
+ subresult = NULL;
+ result = ISC_R_SUCCESS;
+ if ((options & DNS_DBSUB_EXACT) != 0) {
+ flags |= DNS_RDATASLAB_EXACT;
+ if (newheader->ttl != header->ttl)
+ result = DNS_R_NOTEXACT;
+ }
+ if (result == ISC_R_SUCCESS)
+ result = dns_rdataslab_subtract(
+ (unsigned char *)header,
+ (unsigned char *)newheader,
+ (unsigned int)(sizeof(*newheader)),
+ rbtdb->common.mctx,
+ rbtdb->common.rdclass,
+ (dns_rdatatype_t)header->type,
+ flags, &subresult);
+ if (result == ISC_R_SUCCESS) {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ newheader = (rdatasetheader_t *)subresult;
+ /*
+ * We have to set the serial since the rdataslab
+ * subtraction routine copies the reserved portion of
+ * header, not newheader.
+ */
+ newheader->serial = rbtversion->serial;
+ } else if (result == DNS_R_NXRRSET) {
+ /*
+ * This subtraction would remove all of the rdata;
+ * add a nonexistent header instead.
+ */
+ free_rdataset(rbtdb->common.mctx, newheader);
+ newheader = isc_mem_get(rbtdb->common.mctx,
+ sizeof(*newheader));
+ if (newheader == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+ newheader->ttl = 0;
+ newheader->type = topheader->type;
+ newheader->attributes = RDATASET_ATTR_NONEXISTENT;
+ newheader->trust = 0;
+ newheader->serial = rbtversion->serial;
+ newheader->noqname = NULL;
+ newheader->count = 0;
+ } else {
+ free_rdataset(rbtdb->common.mctx, newheader);
+ goto unlock;
+ }
+
+ /*
+ * If we're here, we want to link newheader in front of
+ * topheader.
+ */
+ INSIST(rbtversion->serial >= topheader->serial);
+ if (topheader_prev != NULL)
+ topheader_prev->next = newheader;
+ else
+ rbtnode->data = newheader;
+ newheader->next = topheader->next;
+ newheader->down = topheader;
+ topheader->next = newheader;
+ rbtnode->dirty = 1;
+ changed->dirty = ISC_TRUE;
+ } else {
+ /*
+ * The rdataset doesn't exist, so we don't need to do anything
+ * to satisfy the deletion request.
+ */
+ free_rdataset(rbtdb->common.mctx, newheader);
+ if ((options & DNS_DBSUB_EXACT) != 0)
+ result = DNS_R_NOTEXACT;
+ else
+ result = DNS_R_UNCHANGED;
+ }
+
+ if (result == ISC_R_SUCCESS && newrdataset != NULL)
+ bind_rdataset(rbtdb, rbtnode, newheader, 0, newrdataset);
+
+ unlock:
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ return (result);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ dns_rbtnode_t *rbtnode = (dns_rbtnode_t *)node;
+ rbtdb_version_t *rbtversion = version;
+ isc_result_t result;
+ rdatasetheader_t *newheader;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ if (type == dns_rdatatype_any)
+ return (ISC_R_NOTIMPLEMENTED);
+ if (type == dns_rdatatype_rrsig && covers == 0)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ newheader = isc_mem_get(rbtdb->common.mctx, sizeof(*newheader));
+ if (newheader == NULL)
+ return (ISC_R_NOMEMORY);
+ newheader->ttl = 0;
+ newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
+ newheader->attributes = RDATASET_ATTR_NONEXISTENT;
+ newheader->trust = 0;
+ newheader->noqname = NULL;
+ if (rbtversion != NULL)
+ newheader->serial = rbtversion->serial;
+ else
+ newheader->serial = 0;
+ newheader->count = 0;
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ result = add(rbtdb, rbtnode, rbtversion, newheader, DNS_DBADD_FORCE,
+ ISC_FALSE, NULL, 0);
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ return (result);
+}
+
+static isc_result_t
+loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
+ rbtdb_load_t *loadctx = arg;
+ dns_rbtdb_t *rbtdb = loadctx->rbtdb;
+ dns_rbtnode_t *node;
+ isc_result_t result;
+ isc_region_t region;
+ rdatasetheader_t *newheader;
+
+ /*
+ * This routine does no node locking. See comments in
+ * 'load' below for more information on loading and
+ * locking.
+ */
+
+
+ /*
+ * SOA records are only allowed at top of zone.
+ */
+ if (rdataset->type == dns_rdatatype_soa &&
+ !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin))
+ return (DNS_R_NOTZONETOP);
+
+ add_empty_wildcards(rbtdb, name);
+
+ if (dns_name_iswildcard(name)) {
+ /*
+ * NS record owners cannot legally be wild cards.
+ */
+ if (rdataset->type == dns_rdatatype_ns)
+ return (DNS_R_INVALIDNS);
+ result = add_wildcard_magic(rbtdb, name);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ node = NULL;
+ result = dns_rbt_addnode(rbtdb->tree, name, &node);
+ if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
+ return (result);
+ if (result != ISC_R_EXISTS) {
+ dns_name_t foundname;
+ dns_name_init(&foundname, NULL);
+ dns_rbt_namefromnode(node, &foundname);
+#ifdef DNS_RBT_USEHASH
+ node->locknum = node->hashval % rbtdb->node_lock_count;
+#else
+ node->locknum = dns_name_hash(&foundname, ISC_TRUE) %
+ rbtdb->node_lock_count;
+#endif
+ }
+
+ result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
+ &region,
+ sizeof(rdatasetheader_t));
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ newheader = (rdatasetheader_t *)region.base;
+ newheader->ttl = rdataset->ttl + loadctx->now; /* XXX overflow check */
+ newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
+ rdataset->covers);
+ newheader->attributes = 0;
+ newheader->trust = rdataset->trust;
+ newheader->serial = 1;
+ newheader->noqname = NULL;
+ newheader->count = 0;
+
+ result = add(rbtdb, node, rbtdb->current_version, newheader,
+ DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
+ if (result == ISC_R_SUCCESS &&
+ delegating_type(rbtdb, node, rdataset->type))
+ node->find_callback = 1;
+ else if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
+ rbtdb_load_t *loadctx;
+ dns_rbtdb_t *rbtdb;
+
+ rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ loadctx = isc_mem_get(rbtdb->common.mctx, sizeof(*loadctx));
+ if (loadctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ loadctx->rbtdb = rbtdb;
+ if (IS_CACHE(rbtdb))
+ isc_stdtime_get(&loadctx->now);
+ else
+ loadctx->now = 0;
+
+ LOCK(&rbtdb->lock);
+
+ REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING))
+ == 0);
+ rbtdb->attributes |= RBTDB_ATTR_LOADING;
+
+ UNLOCK(&rbtdb->lock);
+
+ *addp = loading_addrdataset;
+ *dbloadp = loadctx;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
+ dns_rdataset_t keyset;
+ dns_rdataset_t nsecset, signsecset;
+ isc_boolean_t haszonekey = ISC_FALSE;
+ isc_boolean_t hasnsec = ISC_FALSE;
+ isc_result_t result;
+
+ dns_rdataset_init(&keyset);
+ result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
+ 0, &keyset, NULL);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ result = dns_rdataset_first(&keyset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(&keyset, &keyrdata);
+ if (dns_zonekey_iszonekey(&keyrdata)) {
+ haszonekey = ISC_TRUE;
+ break;
+ }
+ result = dns_rdataset_next(&keyset);
+ }
+ dns_rdataset_disassociate(&keyset);
+ }
+ if (!haszonekey)
+ return (ISC_FALSE);
+
+ dns_rdataset_init(&nsecset);
+ dns_rdataset_init(&signsecset);
+ result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
+ 0, &nsecset, &signsecset);
+ if (result == ISC_R_SUCCESS) {
+ if (dns_rdataset_isassociated(&signsecset)) {
+ hasnsec = ISC_TRUE;
+ dns_rdataset_disassociate(&signsecset);
+ }
+ dns_rdataset_disassociate(&nsecset);
+ }
+ return (hasnsec);
+
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_dbload_t **dbloadp) {
+ rbtdb_load_t *loadctx;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+ REQUIRE(dbloadp != NULL);
+ loadctx = *dbloadp;
+ REQUIRE(loadctx->rbtdb == rbtdb);
+
+ LOCK(&rbtdb->lock);
+
+ REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADING) != 0);
+ REQUIRE((rbtdb->attributes & RBTDB_ATTR_LOADED) == 0);
+
+ rbtdb->attributes &= ~RBTDB_ATTR_LOADING;
+ rbtdb->attributes |= RBTDB_ATTR_LOADED;
+
+ UNLOCK(&rbtdb->lock);
+
+ /*
+ * If there's a KEY rdataset at the zone origin containing a
+ * zone key, we consider the zone secure.
+ */
+ if (! IS_CACHE(rbtdb))
+ rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+
+ *dbloadp = NULL;
+
+ isc_mem_put(rbtdb->common.mctx, loadctx, sizeof(*loadctx));
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+ dns_rbtdb_t *rbtdb;
+
+ rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ return (dns_master_dump(rbtdb->common.mctx, db, version,
+ &dns_master_style_default,
+ filename));
+}
+
+static void
+delete_callback(void *data, void *arg) {
+ dns_rbtdb_t *rbtdb = arg;
+ rdatasetheader_t *current, *next;
+
+ for (current = data; current != NULL; current = next) {
+ next = current->next;
+ free_rdataset(rbtdb->common.mctx, current);
+ }
+}
+
+static isc_boolean_t
+issecure(dns_db_t *db) {
+ dns_rbtdb_t *rbtdb;
+ isc_boolean_t secure;
+
+ rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ secure = rbtdb->secure;
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+ return (secure);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+ dns_rbtdb_t *rbtdb;
+ unsigned int count;
+
+ rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ count = dns_rbt_nodecount(rbtdb->tree);
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+ return (count);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+ dns_rbtdb_t *rbtdb;
+
+ rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ LOCK(&rbtdb->lock);
+ if (rbtdb->task != NULL)
+ isc_task_detach(&rbtdb->task);
+ if (task != NULL)
+ isc_task_attach(task, &rbtdb->task);
+ UNLOCK(&rbtdb->lock);
+}
+
+static isc_boolean_t
+ispersistent(dns_db_t *db) {
+ UNUSED(db);
+ return (ISC_FALSE);
+}
+
+static dns_dbmethods_t zone_methods = {
+ attach,
+ detach,
+ beginload,
+ endload,
+ dump,
+ currentversion,
+ newversion,
+ attachversion,
+ closeversion,
+ findnode,
+ zone_find,
+ zone_findzonecut,
+ attachnode,
+ detachnode,
+ expirenode,
+ printnode,
+ createiterator,
+ zone_findrdataset,
+ allrdatasets,
+ addrdataset,
+ subtractrdataset,
+ deleterdataset,
+ issecure,
+ nodecount,
+ ispersistent,
+ overmem,
+ settask
+};
+
+static dns_dbmethods_t cache_methods = {
+ attach,
+ detach,
+ beginload,
+ endload,
+ dump,
+ currentversion,
+ newversion,
+ attachversion,
+ closeversion,
+ findnode,
+ cache_find,
+ cache_findzonecut,
+ attachnode,
+ detachnode,
+ expirenode,
+ printnode,
+ createiterator,
+ cache_findrdataset,
+ allrdatasets,
+ addrdataset,
+ subtractrdataset,
+ deleterdataset,
+ issecure,
+ nodecount,
+ ispersistent,
+ overmem,
+ settask
+};
+
+isc_result_t
+#ifdef DNS_RBTDB_VERSION64
+dns_rbtdb64_create
+#else
+dns_rbtdb_create
+#endif
+ (isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp)
+{
+ dns_rbtdb_t *rbtdb;
+ isc_result_t result;
+ int i;
+ dns_name_t name;
+
+ /* Keep the compiler happy. */
+ UNUSED(argc);
+ UNUSED(argv);
+ UNUSED(driverarg);
+
+ rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
+ if (rbtdb == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(rbtdb, '\0', sizeof(*rbtdb));
+ dns_name_init(&rbtdb->common.origin, NULL);
+ rbtdb->common.attributes = 0;
+ if (type == dns_dbtype_cache) {
+ rbtdb->common.methods = &cache_methods;
+ rbtdb->common.attributes |= DNS_DBATTR_CACHE;
+ } else if (type == dns_dbtype_stub) {
+ rbtdb->common.methods = &zone_methods;
+ rbtdb->common.attributes |= DNS_DBATTR_STUB;
+ } else
+ rbtdb->common.methods = &zone_methods;
+ rbtdb->common.rdclass = rdclass;
+ rbtdb->common.mctx = NULL;
+
+ result = isc_mutex_init(&rbtdb->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ result = isc_rwlock_init(&rbtdb->tree_lock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&rbtdb->lock);
+ isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
+
+ if (rbtdb->node_lock_count == 0)
+ rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
+ rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
+ sizeof(rbtdb_nodelock_t));
+ rbtdb->active = rbtdb->node_lock_count;
+ for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
+ result = isc_mutex_init(&rbtdb->node_locks[i].lock);
+ if (result != ISC_R_SUCCESS) {
+ i--;
+ while (i >= 0) {
+ DESTROYLOCK(&rbtdb->node_locks[i].lock);
+ i--;
+ }
+ isc_mem_put(mctx, rbtdb->node_locks,
+ rbtdb->node_lock_count *
+ sizeof(rbtdb_nodelock_t));
+ isc_rwlock_destroy(&rbtdb->tree_lock);
+ DESTROYLOCK(&rbtdb->lock);
+ isc_mem_put(mctx, rbtdb, sizeof(*rbtdb));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ rbtdb->node_locks[i].references = 0;
+ rbtdb->node_locks[i].exiting = ISC_FALSE;
+ }
+
+ /*
+ * Attach to the mctx. The database will persist so long as there
+ * are references to it, and attaching to the mctx ensures that our
+ * mctx won't disappear out from under us.
+ */
+ isc_mem_attach(mctx, &rbtdb->common.mctx);
+
+ /*
+ * Make a copy of the origin name.
+ */
+ result = dns_name_dupwithoffsets(origin, mctx, &rbtdb->common.origin);
+ if (result != ISC_R_SUCCESS) {
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+
+ /*
+ * Make the Red-Black Tree.
+ */
+ result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
+ if (result != ISC_R_SUCCESS) {
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+ /*
+ * In order to set the node callback bit correctly in zone databases,
+ * we need to know if the node has the origin name of the zone.
+ * In loading_addrdataset() we could simply compare the new name
+ * to the origin name, but this is expensive. Also, we don't know the
+ * node name in addrdataset(), so we need another way of knowing the
+ * zone's top.
+ *
+ * We now explicitly create a node for the zone's origin, and then
+ * we simply remember the node's address. This is safe, because
+ * the top-of-zone node can never be deleted, nor can its address
+ * change.
+ */
+ if (! IS_CACHE(rbtdb)) {
+ rbtdb->origin_node = NULL;
+ result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
+ &rbtdb->origin_node);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(result != ISC_R_EXISTS);
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (result);
+ }
+ /*
+ * We need to give the origin node the right locknum.
+ */
+ dns_name_init(&name, NULL);
+ dns_rbt_namefromnode(rbtdb->origin_node, &name);
+#ifdef DNS_RBT_USEHASH
+ rbtdb->origin_node->locknum =
+ rbtdb->origin_node->hashval %
+ rbtdb->node_lock_count;
+#else
+ rbtdb->origin_node->locknum =
+ dns_name_hash(&name, ISC_TRUE) %
+ rbtdb->node_lock_count;
+#endif
+ }
+
+ /*
+ * Misc. Initialization.
+ */
+ isc_refcount_init(&rbtdb->references, 1);
+ rbtdb->attributes = 0;
+ rbtdb->secure = ISC_FALSE;
+ rbtdb->overmem = ISC_FALSE;
+ rbtdb->task = NULL;
+
+ /*
+ * Version Initialization.
+ */
+ rbtdb->current_serial = 1;
+ rbtdb->least_serial = 1;
+ rbtdb->next_serial = 2;
+ rbtdb->current_version = allocate_version(mctx, 1, 0, ISC_FALSE);
+ if (rbtdb->current_version == NULL) {
+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
+ return (ISC_R_NOMEMORY);
+ }
+ rbtdb->future_version = NULL;
+ ISC_LIST_INIT(rbtdb->open_versions);
+
+ isc_ondestroy_init(&rbtdb->common.ondest);
+
+ rbtdb->common.magic = DNS_DB_MAGIC;
+ rbtdb->common.impmagic = RBTDB_MAGIC;
+
+ *dbp = (dns_db_t *)rbtdb;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+/*
+ * Slabbed Rdataset Methods
+ */
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+ dns_db_t *db = rdataset->private1;
+ dns_dbnode_t *node = rdataset->private2;
+
+ detachnode(db, &node);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+ if (count == 0) {
+ rdataset->private5 = NULL;
+ return (ISC_R_NOMORE);
+ }
+ raw += 2;
+ /*
+ * The privateuint4 field is the number of rdata beyond the cursor
+ * position, so we decrement the total count by one before storing
+ * it.
+ */
+ count--;
+ rdataset->privateuint4 = count;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+ unsigned int count;
+ unsigned int length;
+ unsigned char *raw;
+
+ count = rdataset->privateuint4;
+ if (count == 0)
+ return (ISC_R_NOMORE);
+ count--;
+ rdataset->privateuint4 = count;
+ raw = rdataset->private5;
+ length = raw[0] * 256 + raw[1];
+ raw += length + 2;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ unsigned char *raw = rdataset->private5;
+ isc_region_t r;
+
+ REQUIRE(raw != NULL);
+
+ r.length = raw[0] * 256 + raw[1];
+ raw += 2;
+ r.base = raw;
+ dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ dns_db_t *db = source->private1;
+ dns_dbnode_t *node = source->private2;
+ dns_dbnode_t *cloned_node = NULL;
+
+ attachnode(db, node, &cloned_node);
+ *target = *source;
+
+ /*
+ * Reset iterator state.
+ */
+ target->privateuint4 = 0;
+ target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+
+ return (count);
+}
+
+static isc_result_t
+rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+ dns_db_t *db = rdataset->private1;
+ dns_dbnode_t *node = rdataset->private2;
+ dns_dbnode_t *cloned_node;
+ struct noqname *noqname = rdataset->private6;
+
+ cloned_node = NULL;
+ attachnode(db, node, &cloned_node);
+ nsec->methods = &rdataset_methods;
+ nsec->rdclass = db->rdclass;
+ nsec->type = dns_rdatatype_nsec;
+ nsec->covers = 0;
+ nsec->ttl = rdataset->ttl;
+ nsec->trust = rdataset->trust;
+ nsec->private1 = rdataset->private1;
+ nsec->private2 = rdataset->private2;
+ nsec->private3 = noqname->nsec;
+ nsec->privateuint4 = 0;
+ nsec->private5 = NULL;
+ nsec->private6 = NULL;
+
+ cloned_node = NULL;
+ attachnode(db, node, &cloned_node);
+ nsecsig->methods = &rdataset_methods;
+ nsecsig->rdclass = db->rdclass;
+ nsecsig->type = dns_rdatatype_rrsig;
+ nsecsig->covers = dns_rdatatype_nsec;
+ nsecsig->ttl = rdataset->ttl;
+ nsecsig->trust = rdataset->trust;
+ nsecsig->private1 = rdataset->private1;
+ nsecsig->private2 = rdataset->private2;
+ nsecsig->private3 = noqname->nsecsig;
+ nsecsig->privateuint4 = 0;
+ nsecsig->private5 = NULL;
+ nsec->private6 = NULL;
+
+ dns_name_clone(&noqname->name, name);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+ rbtdb_rdatasetiter_t *rbtiterator;
+
+ rbtiterator = (rbtdb_rdatasetiter_t *)(*iteratorp);
+
+ if (rbtiterator->common.version != NULL)
+ closeversion(rbtiterator->common.db,
+ &rbtiterator->common.version, ISC_FALSE);
+ detachnode(rbtiterator->common.db, &rbtiterator->common.node);
+ isc_mem_put(rbtiterator->common.db->mctx, rbtiterator,
+ sizeof(*rbtiterator));
+
+ *iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+ dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+ rbtdb_version_t *rbtversion = rbtiterator->common.version;
+ rdatasetheader_t *header, *top_next;
+ rbtdb_serial_t serial;
+ isc_stdtime_t now;
+
+ if (IS_CACHE(rbtdb)) {
+ serial = 1;
+ now = rbtiterator->common.now;
+ } else {
+ serial = rbtversion->serial;
+ now = 0;
+ }
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ for (header = rbtnode->data; header != NULL; header = top_next) {
+ top_next = header->next;
+ do {
+ if (header->serial <= serial && !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't exist"
+ * record? Or is it too old in the cache?
+ *
+ * Note: unlike everywhere else, we
+ * check for now > header->ttl instead
+ * of now >= header->ttl. This allows
+ * ANY and RRSIG queries for 0 TTL
+ * rdatasets to work.
+ */
+ if (NONEXISTENT(header) ||
+ (now != 0 && now > header->ttl))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL)
+ break;
+ }
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ rbtiterator->current = header;
+
+ if (header == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+ dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+ rbtdb_version_t *rbtversion = rbtiterator->common.version;
+ rdatasetheader_t *header, *top_next;
+ rbtdb_serial_t serial;
+ isc_stdtime_t now;
+ rbtdb_rdatatype_t type;
+
+ header = rbtiterator->current;
+ if (header == NULL)
+ return (ISC_R_NOMORE);
+
+ if (IS_CACHE(rbtdb)) {
+ serial = 1;
+ now = rbtiterator->common.now;
+ } else {
+ serial = rbtversion->serial;
+ now = 0;
+ }
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ type = header->type;
+ for (header = header->next; header != NULL; header = top_next) {
+ top_next = header->next;
+ if (header->type != type) {
+ do {
+ if (header->serial <= serial &&
+ !IGNORE(header)) {
+ /*
+ * Is this a "this rdataset doesn't
+ * exist" record?
+ *
+ * Note: unlike everywhere else, we
+ * check for now > header->ttl instead
+ * of now >= header->ttl. This allows
+ * ANY and RRSIG queries for 0 TTL
+ * rdatasets to work.
+ */
+ if ((header->attributes &
+ RDATASET_ATTR_NONEXISTENT) != 0 ||
+ (now != 0 && now > header->ttl))
+ header = NULL;
+ break;
+ } else
+ header = header->down;
+ } while (header != NULL);
+ if (header != NULL)
+ break;
+ }
+ }
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ rbtiterator->current = header;
+
+ if (header == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+ rbtdb_rdatasetiter_t *rbtiterator = (rbtdb_rdatasetiter_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)(rbtiterator->common.db);
+ dns_rbtnode_t *rbtnode = rbtiterator->common.node;
+ rdatasetheader_t *header;
+
+ header = rbtiterator->current;
+ REQUIRE(header != NULL);
+
+ LOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+
+ bind_rdataset(rbtdb, rbtnode, header, rbtiterator->common.now,
+ rdataset);
+
+ UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock);
+}
+
+
+/*
+ * Database Iterator Methods
+ */
+
+static inline void
+reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+ dns_rbtnode_t *node = rbtdbiter->node;
+
+ if (node == NULL)
+ return;
+
+ INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
+ LOCK(&rbtdb->node_locks[node->locknum].lock);
+ new_reference(rbtdb, node);
+ UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+}
+
+static inline void
+dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+ dns_rbtnode_t *node = rbtdbiter->node;
+ isc_mutex_t *lock;
+
+ if (node == NULL)
+ return;
+
+ lock = &rbtdb->node_locks[node->locknum].lock;
+ LOCK(lock);
+ INSIST(rbtdbiter->node->references > 0);
+ if (--node->references == 0)
+ no_references(rbtdb, node, 0, rbtdbiter->tree_locked);
+ UNLOCK(lock);
+
+ rbtdbiter->node = NULL;
+}
+
+static void
+flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
+ dns_rbtnode_t *node;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+ isc_boolean_t was_read_locked = ISC_FALSE;
+ isc_mutex_t *lock;
+ int i;
+
+ if (rbtdbiter->delete != 0) {
+ /*
+ * Note that "%d node of %d in tree" can report things like
+ * "flush_deletions: 59 nodes of 41 in tree". This means
+ * That some nodes appear on the deletions list more than
+ * once. Only the last occurence will actually be deleted.
+ */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+ DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
+ "flush_deletions: %d nodes of %d in tree",
+ rbtdbiter->delete,
+ dns_rbt_nodecount(rbtdb->tree));
+
+ if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ was_read_locked = ISC_TRUE;
+ }
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ rbtdbiter->tree_locked = isc_rwlocktype_write;
+
+ for (i = 0; i < rbtdbiter->delete; i++) {
+ node = rbtdbiter->deletions[i];
+ lock = &rbtdb->node_locks[node->locknum].lock;
+
+ LOCK(lock);
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0)
+ no_references(rbtdb, node, 0,
+ rbtdbiter->tree_locked);
+ UNLOCK(lock);
+ }
+
+ rbtdbiter->delete = 0;
+
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+ if (was_read_locked) {
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ rbtdbiter->tree_locked = isc_rwlocktype_read;
+
+ } else {
+ rbtdbiter->tree_locked = isc_rwlocktype_none;
+ }
+ }
+}
+
+static inline void
+resume_iteration(rbtdb_dbiterator_t *rbtdbiter) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+
+ REQUIRE(rbtdbiter->paused);
+ REQUIRE(rbtdbiter->tree_locked == isc_rwlocktype_none);
+
+ RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ rbtdbiter->tree_locked = isc_rwlocktype_read;
+
+ rbtdbiter->paused = ISC_FALSE;
+}
+
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)(*iteratorp);
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)rbtdbiter->common.db;
+ dns_db_t *db = NULL;
+
+ if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ rbtdbiter->tree_locked = isc_rwlocktype_none;
+ } else
+ INSIST(rbtdbiter->tree_locked == isc_rwlocktype_none);
+
+ dereference_iter_node(rbtdbiter);
+
+ flush_deletions(rbtdbiter);
+
+ dns_db_attach(rbtdbiter->common.db, &db);
+ dns_db_detach(&rbtdbiter->common.db);
+
+ dns_rbtnodechain_reset(&rbtdbiter->chain);
+ isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
+ dns_db_detach(&db);
+
+ *iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+ isc_result_t result;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+ dns_name_t *name, *origin;
+
+ if (rbtdbiter->result != ISC_R_SUCCESS &&
+ rbtdbiter->result != ISC_R_NOMORE)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ dereference_iter_node(rbtdbiter);
+
+ name = dns_fixedname_name(&rbtdbiter->name);
+ origin = dns_fixedname_name(&rbtdbiter->origin);
+ dns_rbtnodechain_reset(&rbtdbiter->chain);
+
+ result = dns_rbtnodechain_first(&rbtdbiter->chain, rbtdb->tree, name,
+ origin);
+
+ if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+ result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+ NULL, &rbtdbiter->node);
+ if (result == ISC_R_SUCCESS) {
+ rbtdbiter->new_origin = ISC_TRUE;
+ reference_iter_node(rbtdbiter);
+ }
+ } else {
+ INSIST(result == ISC_R_NOTFOUND);
+ result = ISC_R_NOMORE; /* The tree is empty. */
+ }
+
+ rbtdbiter->result = result;
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+ isc_result_t result;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+ dns_name_t *name, *origin;
+
+ if (rbtdbiter->result != ISC_R_SUCCESS &&
+ rbtdbiter->result != ISC_R_NOMORE)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ dereference_iter_node(rbtdbiter);
+
+ name = dns_fixedname_name(&rbtdbiter->name);
+ origin = dns_fixedname_name(&rbtdbiter->origin);
+ dns_rbtnodechain_reset(&rbtdbiter->chain);
+
+ result = dns_rbtnodechain_last(&rbtdbiter->chain, rbtdb->tree, name,
+ origin);
+ if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+ result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+ NULL, &rbtdbiter->node);
+ if (result == ISC_R_SUCCESS) {
+ rbtdbiter->new_origin = ISC_TRUE;
+ reference_iter_node(rbtdbiter);
+ }
+ } else {
+ INSIST(result == ISC_R_NOTFOUND);
+ result = ISC_R_NOMORE; /* The tree is empty. */
+ }
+
+ rbtdbiter->result = result;
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+ isc_result_t result;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+ dns_name_t *iname, *origin;
+
+ if (rbtdbiter->result != ISC_R_SUCCESS &&
+ rbtdbiter->result != ISC_R_NOMORE)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ dereference_iter_node(rbtdbiter);
+
+ iname = dns_fixedname_name(&rbtdbiter->name);
+ origin = dns_fixedname_name(&rbtdbiter->origin);
+ dns_rbtnodechain_reset(&rbtdbiter->chain);
+
+ result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node,
+ &rbtdbiter->chain, DNS_RBTFIND_EMPTYDATA,
+ NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_rbtnodechain_current(&rbtdbiter->chain, iname,
+ origin, NULL);
+ if (result == ISC_R_SUCCESS) {
+ rbtdbiter->new_origin = ISC_TRUE;
+ reference_iter_node(rbtdbiter);
+ }
+
+ } else if (result == DNS_R_PARTIALMATCH)
+ result = ISC_R_NOTFOUND;
+
+ rbtdbiter->result = result;
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+ isc_result_t result;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_name_t *name, *origin;
+
+ REQUIRE(rbtdbiter->node != NULL);
+
+ if (rbtdbiter->result != ISC_R_SUCCESS)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ name = dns_fixedname_name(&rbtdbiter->name);
+ origin = dns_fixedname_name(&rbtdbiter->origin);
+ result = dns_rbtnodechain_prev(&rbtdbiter->chain, name, origin);
+
+ dereference_iter_node(rbtdbiter);
+
+ if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+ rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
+ result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+ NULL, &rbtdbiter->node);
+ }
+
+ if (result == ISC_R_SUCCESS)
+ reference_iter_node(rbtdbiter);
+
+ rbtdbiter->result = result;
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+ isc_result_t result;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_name_t *name, *origin;
+
+ REQUIRE(rbtdbiter->node != NULL);
+
+ if (rbtdbiter->result != ISC_R_SUCCESS)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ name = dns_fixedname_name(&rbtdbiter->name);
+ origin = dns_fixedname_name(&rbtdbiter->origin);
+ result = dns_rbtnodechain_next(&rbtdbiter->chain, name, origin);
+
+ dereference_iter_node(rbtdbiter);
+
+ if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+ rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
+ result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+ NULL, &rbtdbiter->node);
+ }
+ if (result == ISC_R_SUCCESS)
+ reference_iter_node(rbtdbiter);
+
+ rbtdbiter->result = result;
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+ dns_name_t *name)
+{
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_rbtnode_t *node = rbtdbiter->node;
+ isc_result_t result;
+ dns_name_t *nodename = dns_fixedname_name(&rbtdbiter->name);
+ dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+ REQUIRE(rbtdbiter->result == ISC_R_SUCCESS);
+ REQUIRE(rbtdbiter->node != NULL);
+
+ if (rbtdbiter->paused)
+ resume_iteration(rbtdbiter);
+
+ if (name != NULL) {
+ if (rbtdbiter->common.relative_names)
+ origin = NULL;
+ result = dns_name_concatenate(nodename, origin, name, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (rbtdbiter->common.relative_names && rbtdbiter->new_origin)
+ result = DNS_R_NEWORIGIN;
+ } else
+ result = ISC_R_SUCCESS;
+
+ LOCK(&rbtdb->node_locks[node->locknum].lock);
+ new_reference(rbtdb, node);
+ UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+
+ *nodep = rbtdbiter->node;
+
+ if (iterator->cleaning && result == ISC_R_SUCCESS) {
+ isc_result_t expire_result;
+
+ /*
+ * If the deletion array is full, flush it before trying
+ * to expire the current node. The current node can't
+ * fully deleted while the iteration cursor is still on it.
+ */
+ if (rbtdbiter->delete == DELETION_BATCH_MAX)
+ flush_deletions(rbtdbiter);
+
+ expire_result = expirenode(iterator->db, *nodep, 0);
+
+ /*
+ * expirenode() currently always returns success.
+ */
+ if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
+ rbtdbiter->deletions[rbtdbiter->delete++] = node;
+ LOCK(&rbtdb->node_locks[node->locknum].lock);
+ node->references++;
+ UNLOCK(&rbtdb->node_locks[node->locknum].lock);
+ }
+ }
+
+ return (result);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+
+ if (rbtdbiter->result != ISC_R_SUCCESS &&
+ rbtdbiter->result != ISC_R_NOMORE)
+ return (rbtdbiter->result);
+
+ if (rbtdbiter->paused)
+ return (ISC_R_SUCCESS);
+
+ rbtdbiter->paused = ISC_TRUE;
+
+ if (rbtdbiter->tree_locked != isc_rwlocktype_none) {
+ INSIST(rbtdbiter->tree_locked == isc_rwlocktype_read);
+ RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+ rbtdbiter->tree_locked = isc_rwlocktype_none;
+ }
+
+ flush_deletions(rbtdbiter);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+ rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
+ dns_name_t *origin = dns_fixedname_name(&rbtdbiter->origin);
+
+ if (rbtdbiter->result != ISC_R_SUCCESS)
+ return (rbtdbiter->result);
+
+ return (dns_name_copy(origin, name, NULL));
+}
diff --git a/contrib/bind9/lib/dns/rbtdb.h b/contrib/bind9/lib/dns/rbtdb.h
new file mode 100644
index 0000000..086b75e
--- /dev/null
+++ b/contrib/bind9/lib/dns/rbtdb.h
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbtdb.h,v 1.13.206.1 2004/03/06 08:13:42 marka Exp $ */
+
+#ifndef DNS_RBTDB_H
+#define DNS_RBTDB_H 1
+
+#include <isc/lang.h>
+#include <dns/types.h>
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Red-Black Tree DB Implementation
+ */
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rbtdb_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB_H */
diff --git a/contrib/bind9/lib/dns/rbtdb64.c b/contrib/bind9/lib/dns/rbtdb64.c
new file mode 100644
index 0000000..f41ab37
--- /dev/null
+++ b/contrib/bind9/lib/dns/rbtdb64.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbtdb64.c,v 1.6.206.1 2004/03/06 08:13:42 marka Exp $ */
+
+#define DNS_RBTDB_VERSION64 1
+#include "rbtdb.c"
diff --git a/contrib/bind9/lib/dns/rbtdb64.h b/contrib/bind9/lib/dns/rbtdb64.h
new file mode 100644
index 0000000..5d426b5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rbtdb64.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rbtdb64.h,v 1.12.206.1 2004/03/06 08:13:43 marka Exp $ */
+
+#ifndef DNS_RBTDB64_H
+#define DNS_RBTDB64_H 1
+
+#include <isc/lang.h>
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * DNS Red-Black Tree DB Implementation with 64-bit version numbers
+ */
+
+#include <dns/db.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_rbtdb64_create(isc_mem_t *mctx, dns_name_t *base, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RBTDB64_H */
diff --git a/contrib/bind9/lib/dns/rcode.c b/contrib/bind9/lib/dns/rcode.c
new file mode 100644
index 0000000..337f649
--- /dev/null
+++ b/contrib/bind9/lib/dns/rcode.c
@@ -0,0 +1,473 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rcode.c,v 1.1.4.1 2004/03/12 10:31:25 marka Exp $ */
+
+#include <config.h>
+#include <ctype.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/stdio.h>
+#include <isc/stdlib.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/cert.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+
+#define RETERR(x) \
+ do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+#define NUMBERSIZE sizeof("037777777777") /* 2^32-1 octal + NUL */
+
+#define RCODENAMES \
+ /* standard rcodes */ \
+ { dns_rcode_noerror, "NOERROR", 0}, \
+ { dns_rcode_formerr, "FORMERR", 0}, \
+ { dns_rcode_servfail, "SERVFAIL", 0}, \
+ { dns_rcode_nxdomain, "NXDOMAIN", 0}, \
+ { dns_rcode_notimp, "NOTIMP", 0}, \
+ { dns_rcode_refused, "REFUSED", 0}, \
+ { dns_rcode_yxdomain, "YXDOMAIN", 0}, \
+ { dns_rcode_yxrrset, "YXRRSET", 0}, \
+ { dns_rcode_nxrrset, "NXRRSET", 0}, \
+ { dns_rcode_notauth, "NOTAUTH", 0}, \
+ { dns_rcode_notzone, "NOTZONE", 0},
+
+#define ERCODENAMES \
+ /* extended rcodes */ \
+ { dns_rcode_badvers, "BADVERS", 0}, \
+ { 0, NULL, 0 }
+
+#define TSIGRCODENAMES \
+ /* extended rcodes */ \
+ { dns_tsigerror_badsig, "BADSIG", 0}, \
+ { dns_tsigerror_badkey, "BADKEY", 0}, \
+ { dns_tsigerror_badtime, "BADTIME", 0}, \
+ { dns_tsigerror_badmode, "BADMODE", 0}, \
+ { dns_tsigerror_badname, "BADNAME", 0}, \
+ { dns_tsigerror_badalg, "BADALG", 0}, \
+ { 0, NULL, 0 }
+
+/* RFC2538 section 2.1 */
+
+#define CERTNAMES \
+ { 1, "PKIX", 0}, \
+ { 2, "SPKI", 0}, \
+ { 3, "PGP", 0}, \
+ { 253, "URI", 0}, \
+ { 254, "OID", 0}, \
+ { 0, NULL, 0}
+
+/* RFC2535 section 7, RFC3110 */
+
+#define SECALGNAMES \
+ { DNS_KEYALG_RSAMD5, "RSAMD5", 0 }, \
+ { DNS_KEYALG_RSAMD5, "RSA", 0 }, \
+ { DNS_KEYALG_DH, "DH", 0 }, \
+ { DNS_KEYALG_DSA, "DSA", 0 }, \
+ { DNS_KEYALG_ECC, "ECC", 0 }, \
+ { DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+ { DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
+ { DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
+ { DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
+ { 0, NULL, 0}
+
+/* RFC2535 section 7.1 */
+
+#define SECPROTONAMES \
+ { 0, "NONE", 0 }, \
+ { 1, "TLS", 0 }, \
+ { 2, "EMAIL", 0 }, \
+ { 3, "DNSSEC", 0 }, \
+ { 4, "IPSEC", 0 }, \
+ { 255, "ALL", 0 }, \
+ { 0, NULL, 0}
+
+struct tbl {
+ unsigned int value;
+ const char *name;
+ int flags;
+};
+
+static struct tbl rcodes[] = { RCODENAMES ERCODENAMES };
+static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
+static struct tbl certs[] = { CERTNAMES };
+static struct tbl secalgs[] = { SECALGNAMES };
+static struct tbl secprotos[] = { SECPROTONAMES };
+
+static struct keyflag {
+ const char *name;
+ unsigned int value;
+ unsigned int mask;
+} keyflags[] = {
+ { "NOCONF", 0x4000, 0xC000 },
+ { "NOAUTH", 0x8000, 0xC000 },
+ { "NOKEY", 0xC000, 0xC000 },
+ { "FLAG2", 0x2000, 0x2000 },
+ { "EXTEND", 0x1000, 0x1000 },
+ { "FLAG4", 0x0800, 0x0800 },
+ { "FLAG5", 0x0400, 0x0400 },
+ { "USER", 0x0000, 0x0300 },
+ { "ZONE", 0x0100, 0x0300 },
+ { "HOST", 0x0200, 0x0300 },
+ { "NTYP3", 0x0300, 0x0300 },
+ { "FLAG8", 0x0080, 0x0080 },
+ { "FLAG9", 0x0040, 0x0040 },
+ { "FLAG10", 0x0020, 0x0020 },
+ { "FLAG11", 0x0010, 0x0010 },
+ { "SIG0", 0x0000, 0x000F },
+ { "SIG1", 0x0001, 0x000F },
+ { "SIG2", 0x0002, 0x000F },
+ { "SIG3", 0x0003, 0x000F },
+ { "SIG4", 0x0004, 0x000F },
+ { "SIG5", 0x0005, 0x000F },
+ { "SIG6", 0x0006, 0x000F },
+ { "SIG7", 0x0007, 0x000F },
+ { "SIG8", 0x0008, 0x000F },
+ { "SIG9", 0x0009, 0x000F },
+ { "SIG10", 0x000A, 0x000F },
+ { "SIG11", 0x000B, 0x000F },
+ { "SIG12", 0x000C, 0x000F },
+ { "SIG13", 0x000D, 0x000F },
+ { "SIG14", 0x000E, 0x000F },
+ { "SIG15", 0x000F, 0x000F },
+ { "KSK", DNS_KEYFLAG_KSK, DNS_KEYFLAG_KSK },
+ { NULL, 0, 0 }
+};
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+ unsigned int l;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(source);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, source, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
+ unsigned int max, isc_boolean_t hex_allowed)
+{
+ isc_result_t result;
+ isc_uint32_t n;
+ char buffer[NUMBERSIZE];
+
+ if (! isdigit(source->base[0] & 0xff) ||
+ source->length > NUMBERSIZE - 1)
+ return (ISC_R_BADNUMBER);
+
+ /*
+ * We have a potential number. Try to parse it with
+ * isc_parse_uint32(). isc_parse_uint32() requires
+ * null termination, so we must make a copy.
+ */
+ strncpy(buffer, source->base, NUMBERSIZE);
+ INSIST(buffer[source->length] == '\0');
+
+ result = isc_parse_uint32(&n, buffer, 10);
+ if (result == ISC_R_BADNUMBER && hex_allowed)
+ result = isc_parse_uint32(&n, buffer, 16);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (n > max)
+ return (ISC_R_RANGE);
+ *valuep = n;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
+ struct tbl *table, unsigned int max)
+{
+ isc_result_t result;
+ int i;
+
+ result = maybe_numeric(valuep, source, max, ISC_FALSE);
+ if (result != ISC_R_BADNUMBER)
+ return (result);
+
+ for (i = 0; table[i].name != NULL; i++) {
+ unsigned int n;
+ n = strlen(table[i].name);
+ if (n == source->length &&
+ strncasecmp(source->base, table[i].name, n) == 0) {
+ *valuep = table[i].value;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ return (DNS_R_UNKNOWN);
+}
+
+static isc_result_t
+dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
+ struct tbl *table)
+{
+ int i = 0;
+ char buf[sizeof("4294967296")];
+ while (table[i].name != NULL) {
+ if (table[i].value == value) {
+ return (str_totext(table[i].name, target));
+ }
+ i++;
+ }
+ snprintf(buf, sizeof(buf), "%u", value);
+ return (str_totext(buf, target));
+}
+
+isc_result_t
+dns_rcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+ unsigned int value;
+ RETERR(dns_mnemonic_fromtext(&value, source, rcodes, 0xffff));
+ *rcodep = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+ return (dns_mnemonic_totext(rcode, target, rcodes));
+}
+
+isc_result_t
+dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
+ unsigned int value;
+ RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
+ *rcodep = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
+ return (dns_mnemonic_totext(rcode, target, tsigrcodes));
+}
+
+isc_result_t
+dns_cert_fromtext(dns_cert_t *certp, isc_textregion_t *source) {
+ unsigned int value;
+ RETERR(dns_mnemonic_fromtext(&value, source, certs, 0xffff));
+ *certp = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_cert_totext(dns_cert_t cert, isc_buffer_t *target) {
+ return (dns_mnemonic_totext(cert, target, certs));
+}
+
+isc_result_t
+dns_secalg_fromtext(dns_secalg_t *secalgp, isc_textregion_t *source) {
+ unsigned int value;
+ RETERR(dns_mnemonic_fromtext(&value, source, secalgs, 0xff));
+ *secalgp = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secalg_totext(dns_secalg_t secalg, isc_buffer_t *target) {
+ return (dns_mnemonic_totext(secalg, target, secalgs));
+}
+
+isc_result_t
+dns_secproto_fromtext(dns_secproto_t *secprotop, isc_textregion_t *source) {
+ unsigned int value;
+ RETERR(dns_mnemonic_fromtext(&value, source, secprotos, 0xff));
+ *secprotop = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
+ return (dns_mnemonic_totext(secproto, target, secprotos));
+}
+
+isc_result_t
+dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
+{
+ isc_result_t result;
+ char *text, *end;
+ unsigned int value, mask;
+
+ result = maybe_numeric(&value, source, 0xffff, ISC_TRUE);
+ if (result == ISC_R_SUCCESS) {
+ *flagsp = value;
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_BADNUMBER)
+ return (result);
+
+ text = source->base;
+ end = source->base + source->length;
+ value = mask = 0;
+
+ while (text < end) {
+ struct keyflag *p;
+ unsigned int len;
+ char *delim = memchr(text, '|', end - text);
+ if (delim != NULL)
+ len = delim - text;
+ else
+ len = end - text;
+ for (p = keyflags; p->name != NULL; p++) {
+ if (strncasecmp(p->name, text, len) == 0)
+ break;
+ }
+ if (p->name == NULL)
+ return (DNS_R_UNKNOWNFLAG);
+ value |= p->value;
+#ifdef notyet
+ if ((mask & p->mask) != 0)
+ warn("overlapping key flags");
+#endif
+ mask |= p->mask;
+ text += len;
+ if (delim != NULL)
+ text++; /* Skip "|" */
+ }
+ *flagsp = value;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * This uses lots of hard coded values, but how often do we actually
+ * add classes?
+ */
+isc_result_t
+dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
+#define COMPARE(string, rdclass) \
+ if (((sizeof(string) - 1) == source->length) \
+ && (strncasecmp(source->base, string, source->length) == 0)) { \
+ *classp = rdclass; \
+ return (ISC_R_SUCCESS); \
+ }
+
+ switch (tolower((unsigned char)source->base[0])) {
+ case 'a':
+ COMPARE("any", dns_rdataclass_any);
+ break;
+ case 'c':
+ /*
+ * RFC1035 says the mnemonic for the CHAOS class is CH,
+ * but historical BIND practice is to call it CHAOS.
+ * We will accept both forms, but only generate CH.
+ */
+ COMPARE("ch", dns_rdataclass_chaos);
+ COMPARE("chaos", dns_rdataclass_chaos);
+
+ if (source->length > 5 &&
+ source->length < (5 + sizeof("65000")) &&
+ strncasecmp("class", source->base, 5) == 0) {
+ char buf[sizeof("65000")];
+ char *endp;
+ unsigned int val;
+
+ strncpy(buf, source->base + 5, source->length - 5);
+ buf[source->length - 5] = '\0';
+ val = strtoul(buf, &endp, 10);
+ if (*endp == '\0' && val <= 0xffff) {
+ *classp = (dns_rdataclass_t)val;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ break;
+ case 'h':
+ COMPARE("hs", dns_rdataclass_hs);
+ COMPARE("hesiod", dns_rdataclass_hs);
+ break;
+ case 'i':
+ COMPARE("in", dns_rdataclass_in);
+ break;
+ case 'n':
+ COMPARE("none", dns_rdataclass_none);
+ break;
+ case 'r':
+ COMPARE("reserved0", dns_rdataclass_reserved0);
+ break;
+ }
+
+#undef COMPARE
+
+ return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdataclass_totext(dns_rdataclass_t rdclass, isc_buffer_t *target) {
+ char buf[sizeof("CLASS65535")];
+
+ switch (rdclass) {
+ case dns_rdataclass_any:
+ return (str_totext("ANY", target));
+ case dns_rdataclass_chaos:
+ return (str_totext("CH", target));
+ case dns_rdataclass_hs:
+ return (str_totext("HS", target));
+ case dns_rdataclass_in:
+ return (str_totext("IN", target));
+ case dns_rdataclass_none:
+ return (str_totext("NONE", target));
+ case dns_rdataclass_reserved0:
+ return (str_totext("RESERVED0", target));
+ default:
+ snprintf(buf, sizeof(buf), "CLASS%u", rdclass);
+ return (str_totext(buf, target));
+ }
+}
+
+void
+dns_rdataclass_format(dns_rdataclass_t rdclass,
+ char *array, unsigned int size)
+{
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, array, size);
+ result = dns_rdataclass_totext(rdclass, &buf);
+ /*
+ * Null terminate.
+ */
+ if (result == ISC_R_SUCCESS) {
+ if (isc_buffer_availablelength(&buf) >= 1)
+ isc_buffer_putuint8(&buf, 0);
+ else
+ result = ISC_R_NOSPACE;
+ }
+ if (result != ISC_R_SUCCESS) {
+ snprintf(array, size, "<unknown>");
+ array[size - 1] = '\0';
+ }
+}
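Review bot: In `dns_keyflags_fromtext` the lookup `strncasecmp(p->name, text, len) == 0` compares only the first `len` characters of each flag name, so a truncated token such as `NO` is accepted as `NOCONF`. An empty token (a leading or doubled `|`) has `len == 0` and matches the first table entry instead of returning `DNS_R_UNKNOWNFLAG`. Requiring an exact-length match, as `dns_mnemonic_fromtext` in the same file already does, closes both cases: `if (strlen(p->name) == len && strncasecmp(p->name, text, len) == 0)`. Separately, `maybe_numeric` copies with `strncpy(buffer, source->base, NUMBERSIZE)` and then relies on `INSIST(buffer[source->length] == '\0')`, which holds only if the caller's region is NUL-terminated exactly at `source->length`; whether every caller guarantees that is not visible in this hunk. Copying exactly `source->length` bytes and writing the terminator (`memcpy(buffer, source->base, source->length); buffer[source->length] = '\0';`) would remove that dependency and the assertion abort that comes with it.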
diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
new file mode 100644
index 0000000..6bf2b66
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata.c
@@ -0,0 +1,1720 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdata.c,v 1.147.2.11.2.15 2004/03/12 10:31:25 marka Exp $ */
+
+#include <config.h>
+#include <ctype.h>
+
+#include <isc/base64.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/cert.h>
+#include <dns/compress.h>
+#include <dns/enumtype.h>
+#include <dns/keyflags.h>
+#include <dns/keyvalues.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+#include <dns/secproto.h>
+#include <dns/time.h>
+#include <dns/ttl.h>
+
+#define RETERR(x) \
+ do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+#define RETTOK(x) \
+ do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) { \
+ isc_lex_ungettoken(lexer, &token); \
+ return (_r); \
+ } \
+ } while (0)
+
+#define DNS_AS_STR(t) ((t).value.as_textregion.base)
+
+#define ARGS_FROMTEXT int rdclass, dns_rdatatype_t type, \
+ isc_lex_t *lexer, dns_name_t *origin, \
+ unsigned int options, isc_buffer_t *target, \
+ dns_rdatacallbacks_t *callbacks
+
+#define ARGS_TOTEXT dns_rdata_t *rdata, dns_rdata_textctx_t *tctx, \
+ isc_buffer_t *target
+
+#define ARGS_FROMWIRE int rdclass, dns_rdatatype_t type, \
+ isc_buffer_t *source, dns_decompress_t *dctx, \
+ unsigned int options, isc_buffer_t *target
+
+#define ARGS_TOWIRE dns_rdata_t *rdata, dns_compress_t *cctx, \
+ isc_buffer_t *target
+
+#define ARGS_COMPARE const dns_rdata_t *rdata1, const dns_rdata_t *rdata2
+
+#define ARGS_FROMSTRUCT int rdclass, dns_rdatatype_t type, \
+ void *source, isc_buffer_t *target
+
+#define ARGS_TOSTRUCT dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+
+#define ARGS_FREESTRUCT void *source
+
+#define ARGS_ADDLDATA dns_rdata_t *rdata, dns_additionaldatafunc_t add, \
+ void *arg
+
+#define ARGS_DIGEST dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg
+
+#define ARGS_CHECKOWNER dns_name_t *name, dns_rdataclass_t rdclass, \
+ dns_rdatatype_t type, isc_boolean_t wildcard
+
+#define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
+
+
+/*
+ * Context structure for the totext_ functions.
+ * Contains formatting options for rdata-to-text
+ * conversion.
+ */
+typedef struct dns_rdata_textctx {
+ dns_name_t *origin; /* Current origin, or NULL. */
+ unsigned int flags; /* DNS_STYLEFLAG_* */
+ unsigned int width; /* Width of rdata column. */
+ const char *linebreak; /* Line break string. */
+} dns_rdata_textctx_t;
+
+static isc_result_t
+txt_totext(isc_region_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
+
+static isc_boolean_t
+name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
+
+static unsigned int
+name_length(dns_name_t *name);
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+inet_totext(int af, isc_region_t *src, isc_buffer_t *target);
+
+static isc_boolean_t
+buffer_empty(isc_buffer_t *source);
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region);
+
+static isc_result_t
+uint32_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint16_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+uint8_tobuffer(isc_uint32_t, isc_buffer_t *target);
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target);
+
+static isc_uint32_t
+uint32_fromregion(isc_region_t *region);
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region);
+
+static isc_uint8_t
+uint8_fromregion(isc_region_t *region);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static int
+hexvalue(char value);
+
+static int
+decvalue(char value);
+
+static isc_result_t
+btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target);
+
+static isc_result_t
+atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target);
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *, ...)
+ ISC_FORMAT_PRINTF(2, 3);
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+ dns_rdatacallbacks_t *callbacks, const char *name,
+ unsigned long line, isc_token_t *token, isc_result_t result);
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks);
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+ isc_buffer_t *target);
+
+static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+ dns_rdatacallbacks_t *callbacks);
+
+static inline int
+getquad(const void *src, struct in_addr *dst,
+ isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
+{
+ int result;
+ struct in_addr *tmp;
+
+ result = inet_aton(src, dst);
+ if (result == 1 && callbacks != NULL &&
+ inet_pton(AF_INET, src, &tmp) != 1) {
+ const char *name = isc_lex_getsourcename(lexer);
+ if (name == NULL)
+ name = "UNKNOWN";
+ (*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
+ "is not a decimal dotted quad", name,
+ isc_lex_getsourceline(lexer), src);
+ }
+ return (result);
+}
+
+static inline isc_result_t
+name_duporclone(dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
+
+ if (mctx != NULL)
+ return (dns_name_dup(source, mctx, target));
+ dns_name_clone(source, target);
+ return (ISC_R_SUCCESS);
+}
+
+static inline void *
+mem_maybedup(isc_mem_t *mctx, void *source, size_t length) {
+ void *new;
+
+ if (mctx == NULL)
+ return (source);
+ new = isc_mem_allocate(mctx, length);
+ if (new != NULL)
+ memcpy(new, source, length);
+
+ return (new);
+}
+
+static const char hexdigits[] = "0123456789abcdef";
+static const char decdigits[] = "0123456789";
+
+#include "code.h"
+
+#define META 0x0001
+#define RESERVED 0x0002
+
+/***
+ *** Initialization
+ ***/
+
+void
+dns_rdata_init(dns_rdata_t *rdata) {
+
+ REQUIRE(rdata != NULL);
+
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->rdclass = 0;
+ rdata->type = 0;
+ rdata->flags = 0;
+ ISC_LINK_INIT(rdata, link);
+ /* ISC_LIST_INIT(rdata->list); */
+}
+
+#if 0
+#define DNS_RDATA_INITIALIZED(rdata) \
+ ((rdata)->data == NULL && (rdata)->length == 0 && \
+ (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
+ !ISC_LINK_LINKED((rdata), link))
+#else
+#ifdef ISC_LIST_CHECKINIT
+#define DNS_RDATA_INITIALIZED(rdata) \
+ (!ISC_LINK_LINKED((rdata), link))
+#else
+#define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
+#endif
+#endif
+#define DNS_RDATA_VALIDFLAGS(rdata) \
+ (((rdata)->flags & ~DNS_RDATA_UPDATE) == 0)
+
+void
+dns_rdata_reset(dns_rdata_t *rdata) {
+
+ REQUIRE(rdata != NULL);
+
+ REQUIRE(!ISC_LINK_LINKED(rdata, link));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->rdclass = 0;
+ rdata->type = 0;
+ rdata->flags = 0;
+}
+
+/***
+ ***
+ ***/
+
+void
+dns_rdata_clone(const dns_rdata_t *src, dns_rdata_t *target) {
+
+ REQUIRE(src != NULL);
+ REQUIRE(target != NULL);
+
+ REQUIRE(DNS_RDATA_INITIALIZED(target));
+
+ REQUIRE(DNS_RDATA_VALIDFLAGS(src));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(target));
+
+ target->data = src->data;
+ target->length = src->length;
+ target->rdclass = src->rdclass;
+ target->type = src->type;
+ target->flags = src->flags;
+}
+
+
+/***
+ *** Comparisons
+ ***/
+
+int
+dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+ int result = 0;
+ isc_boolean_t use_default = ISC_FALSE;
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+ REQUIRE(rdata1->data != NULL);
+ REQUIRE(rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+ if (rdata1->rdclass != rdata2->rdclass)
+ return (rdata1->rdclass < rdata2->rdclass ? -1 : 1);
+
+ if (rdata1->type != rdata2->type)
+ return (rdata1->type < rdata2->type ? -1 : 1);
+
+ COMPARESWITCH
+
+ if (use_default) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ result = isc_region_compare(&r1, &r2);
+ }
+ return (result);
+}
+
+/***
+ *** Conversions
+ ***/
+
+void
+dns_rdata_fromregion(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_region_t *r)
+{
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+ REQUIRE(r != NULL);
+
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ rdata->data = r->base;
+ rdata->length = r->length;
+ rdata->rdclass = rdclass;
+ rdata->type = type;
+ rdata->flags = 0;
+}
+
+void
+dns_rdata_toregion(const dns_rdata_t *rdata, isc_region_t *r) {
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(r != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ r->base = rdata->data;
+ r->length = rdata->length;
+}
+
+isc_result_t
+dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_buffer_t *source,
+ dns_decompress_t *dctx, unsigned int options,
+ isc_buffer_t *target)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_region_t region;
+ isc_buffer_t ss;
+ isc_buffer_t st;
+ isc_boolean_t use_default = ISC_FALSE;
+ isc_uint32_t activelength;
+
+ REQUIRE(dctx != NULL);
+ if (rdata != NULL) {
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+ }
+
+ if (type == 0)
+ return (DNS_R_FORMERR);
+
+ ss = *source;
+ st = *target;
+
+ activelength = isc_buffer_activelength(source);
+ INSIST(activelength < 65536);
+
+ FROMWIRESWITCH
+
+ if (use_default) {
+ if (activelength > isc_buffer_availablelength(target))
+ result = ISC_R_NOSPACE;
+ else {
+ isc_buffer_putmem(target, isc_buffer_current(source),
+ activelength);
+ isc_buffer_forward(source, activelength);
+ result = ISC_R_SUCCESS;
+ }
+ }
+
+ /*
+ * We should have consumed all of our buffer.
+ */
+ if (result == ISC_R_SUCCESS && !buffer_empty(source))
+ result = DNS_R_EXTRADATA;
+
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+ region.length = isc_buffer_usedlength(target) -
+ isc_buffer_usedlength(&st);
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ *source = ss;
+ *target = st;
+ }
+ return (result);
+}
+
+isc_result_t
+dns_rdata_towire(dns_rdata_t *rdata, dns_compress_t *cctx,
+ isc_buffer_t *target)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_boolean_t use_default = ISC_FALSE;
+ isc_region_t tr;
+ isc_buffer_t st;
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ /*
+ * Some DynDNS meta-RRs have empty rdata.
+ */
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+ INSIST(rdata->length == 0);
+ return (ISC_R_SUCCESS);
+ }
+
+ st = *target;
+
+ TOWIRESWITCH
+
+ if (use_default) {
+ isc_buffer_availableregion(target, &tr);
+ if (tr.length < rdata->length)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, rdata->data, rdata->length);
+ isc_buffer_add(target, rdata->length);
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS) {
+ *target = st;
+ INSIST(target->used < 65536);
+ dns_compress_rollback(cctx, (isc_uint16_t)target->used);
+ }
+ return (result);
+}
+
+/*
+ * If the binary data in 'src' is valid uncompressed wire format
+ * rdata of class 'rdclass' and type 'type', return ISC_R_SUCCESS
+ * and copy the validated rdata to 'dest'. Otherwise return an error.
+ */
+static isc_result_t
+rdata_validate(isc_buffer_t *src, isc_buffer_t *dest, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type)
+{
+ dns_decompress_t dctx;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+
+ dns_decompress_init(&dctx, -1, DNS_DECOMPRESS_NONE);
+ isc_buffer_setactive(src, isc_buffer_usedlength(src));
+ result = dns_rdata_fromwire(&rdata, rdclass, type, src,
+ &dctx, 0, dest);
+ dns_decompress_invalidate(&dctx);
+
+ return (result);
+}
+
+static isc_result_t
+unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ isc_lex_t *lexer, isc_mem_t *mctx, isc_buffer_t *target)
+{
+ isc_result_t result;
+ isc_buffer_t *buf = NULL;
+ isc_token_t token;
+
+ if (type == 0 || dns_rdatatype_ismeta(type))
+ return (DNS_R_METATYPE);
+
+ result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE);
+ if (result == ISC_R_SUCCESS && token.value.as_ulong > 65535U)
+ return (ISC_R_RANGE);
+ result = isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = isc_hex_tobuffer(lexer, buf,
+ (unsigned int)token.value.as_ulong);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ if (isc_buffer_usedlength(buf) != token.value.as_ulong) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto failure;
+ }
+
+ if (dns_rdatatype_isknown(type)) {
+ result = rdata_validate(buf, target, rdclass, type);
+ } else {
+ isc_region_t r;
+ isc_buffer_usedregion(buf, &r);
+ result = isc_buffer_copyregion(target, &r);
+ }
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ isc_buffer_free(&buf);
+ return (ISC_R_SUCCESS);
+
+ failure:
+ isc_buffer_free(&buf);
+ return (result);
+}
+
+isc_result_t
+dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_lex_t *lexer,
+ dns_name_t *origin, unsigned int options, isc_mem_t *mctx,
+ isc_buffer_t *target, dns_rdatacallbacks_t *callbacks)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_region_t region;
+ isc_buffer_t st;
+ isc_token_t token;
+ unsigned int lexoptions = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+ ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+ char *name;
+ unsigned long line;
+ void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+ isc_result_t tresult;
+
+ REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+ if (rdata != NULL) {
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+ }
+ if (callbacks != NULL) {
+ REQUIRE(callbacks->warn != NULL);
+ REQUIRE(callbacks->error != NULL);
+ }
+
+ st = *target;
+
+ if (callbacks != NULL)
+ callback = callbacks->error;
+ else
+ callback = default_fromtext_callback;
+
+ result = isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS) {
+ name = isc_lex_getsourcename(lexer);
+ line = isc_lex_getsourceline(lexer);
+ fromtext_error(callback, callbacks, name, line,
+ &token, result);
+ return (result);
+ }
+
+ if (strcmp(DNS_AS_STR(token), "\\#") == 0)
+ result = unknown_fromtext(rdclass, type, lexer, mctx, target);
+ else {
+ isc_lex_ungettoken(lexer, &token);
+
+ FROMTEXTSWITCH
+ }
+
+ /*
+ * Consume to end of line / file.
+ * If not at end of line initially set error code.
+ * Call callback via fromtext_error once if there was an error.
+ */
+ do {
+ name = isc_lex_getsourcename(lexer);
+ line = isc_lex_getsourceline(lexer);
+ tresult = isc_lex_gettoken(lexer, lexoptions, &token);
+ if (tresult != ISC_R_SUCCESS) {
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ if (callback != NULL)
+ fromtext_error(callback, callbacks, name,
+ line, NULL, result);
+ break;
+ } else if (token.type != isc_tokentype_eol &&
+ token.type != isc_tokentype_eof) {
+ if (result == ISC_R_SUCCESS)
+ result = DNS_R_EXTRATOKEN;
+ if (callback != NULL) {
+ fromtext_error(callback, callbacks, name,
+ line, &token, result);
+ callback = NULL;
+ }
+ } else if (result != ISC_R_SUCCESS && callback != NULL) {
+ fromtext_error(callback, callbacks, name, line,
+ &token, result);
+ break;
+ } else {
+ if (token.type == isc_tokentype_eof)
+ fromtext_warneof(lexer, callbacks);
+ break;
+ }
+ } while (1);
+
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+ region.length = isc_buffer_usedlength(target) -
+ isc_buffer_usedlength(&st);
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+ if (result != ISC_R_SUCCESS) {
+ *target = st;
+ }
+ return (result);
+}
+
+static isc_result_t
+rdata_totext(dns_rdata_t *rdata, dns_rdata_textctx_t *tctx,
+ isc_buffer_t *target)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_boolean_t use_default = ISC_FALSE;
+ char buf[sizeof("65535")];
+ isc_region_t sr;
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(tctx->origin == NULL ||
+ dns_name_isabsolute(tctx->origin) == ISC_TRUE);
+
+ /*
+ * Some DynDNS meta-RRs have empty rdata.
+ */
+ if ((rdata->flags & DNS_RDATA_UPDATE) != 0) {
+ INSIST(rdata->length == 0);
+ return (ISC_R_SUCCESS);
+ }
+
+ TOTEXTSWITCH
+
+ if (use_default) {
+ strlcpy(buf, "\\# ", sizeof(buf));
+ result = str_totext(buf, target);
+ dns_rdata_toregion(rdata, &sr);
+ INSIST(sr.length < 65536);
+ snprintf(buf, sizeof(buf), "%u", sr.length);
+ result = str_totext(buf, target);
+ if (sr.length != 0 && result == ISC_R_SUCCESS) {
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ result = str_totext(" ( ", target);
+ else
+ result = str_totext(" ", target);
+ if (result == ISC_R_SUCCESS)
+ result = isc_hex_totext(&sr, tctx->width - 2,
+ tctx->linebreak,
+ target);
+ if (result == ISC_R_SUCCESS &&
+ (tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ result = str_totext(" )", target);
+ }
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
+{
+ dns_rdata_textctx_t tctx;
+
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ /*
+ * Set up formatting options for single-line output.
+ */
+ tctx.origin = origin;
+ tctx.flags = 0;
+ tctx.width = 60;
+ tctx.linebreak = " ";
+ return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
+ unsigned int flags, unsigned int width,
+ char *linebreak, isc_buffer_t *target)
+{
+ dns_rdata_textctx_t tctx;
+
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ /*
+ * Set up formatting options for formatted output.
+ */
+ tctx.origin = origin;
+ tctx.flags = flags;
+ if ((flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+ tctx.width = width;
+ tctx.linebreak = linebreak;
+ } else {
+ tctx.width = 60; /* Used for hex word length only. */
+ tctx.linebreak = " ";
+ }
+ return (rdata_totext(rdata, &tctx, target));
+}
+
+isc_result_t
+dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, void *source,
+ isc_buffer_t *target)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_buffer_t st;
+ isc_region_t region;
+ isc_boolean_t use_default = ISC_FALSE;
+
+ REQUIRE(source != NULL);
+ if (rdata != NULL) {
+ REQUIRE(DNS_RDATA_INITIALIZED(rdata));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+ }
+
+ st = *target;
+
+ FROMSTRUCTSWITCH
+
+ if (use_default)
+ (void)NULL;
+
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+ region.length = isc_buffer_usedlength(target) -
+ isc_buffer_usedlength(&st);
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+ if (result != ISC_R_SUCCESS)
+ *target = st;
+ return (result);
+}
+
+isc_result_t
+dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_boolean_t use_default = ISC_FALSE;
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ TOSTRUCTSWITCH
+
+ if (use_default)
+ (void)NULL;
+
+ return (result);
+}
+
+void
+dns_rdata_freestruct(void *source) {
+ dns_rdatacommon_t *common = source;
+ REQUIRE(source != NULL);
+
+ FREESTRUCTSWITCH
+}
+
+isc_result_t
+dns_rdata_additionaldata(dns_rdata_t *rdata, dns_additionaldatafunc_t add,
+ void *arg)
+{
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_boolean_t use_default = ISC_FALSE;
+
+ /*
+ * Call 'add' for each name and type from 'rdata' which is subject to
+ * additional section processing.
+ */
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(add != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ ADDITIONALDATASWITCH
+
+ /* No additional processing for unknown types */
+ if (use_default)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+isc_result_t
+dns_rdata_digest(dns_rdata_t *rdata, dns_digestfunc_t digest, void *arg) {
+ isc_result_t result = ISC_R_NOTIMPLEMENTED;
+ isc_boolean_t use_default = ISC_FALSE;
+ isc_region_t r;
+
+ /*
+ * Send 'rdata' in DNSSEC canonical form to 'digest'.
+ */
+
+ REQUIRE(rdata != NULL);
+ REQUIRE(digest != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata));
+
+ DIGESTSWITCH
+
+ if (use_default) {
+ dns_rdata_toregion(rdata, &r);
+ result = (digest)(arg, &r);
+ }
+
+ return (result);
+}
+
+isc_boolean_t
+dns_rdata_checkowner(dns_name_t *name, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type, isc_boolean_t wildcard)
+{
+ isc_boolean_t result;
+
+ CHECKOWNERSWITCH
+ return (result);
+}
+
+isc_boolean_t
+dns_rdata_checknames(dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad)
+{
+ isc_boolean_t result;
+
+ CHECKNAMESSWITCH
+ return (result);
+}
+
+unsigned int
+dns_rdatatype_attributes(dns_rdatatype_t type)
+{
+ RDATATYPE_ATTRIBUTE_SW
+ if (type >= (dns_rdatatype_t)128 && type < (dns_rdatatype_t)255)
+ return (DNS_RDATATYPEATTR_UNKNOWN | DNS_RDATATYPEATTR_META);
+ return (DNS_RDATATYPEATTR_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
+ unsigned int hash;
+ unsigned int n;
+ unsigned char a, b;
+
+ n = source->length;
+
+ if (n == 0)
+ return (DNS_R_UNKNOWN);
+
+ a = tolower((unsigned char)source->base[0]);
+ b = tolower((unsigned char)source->base[n - 1]);
+
+ hash = ((a + n) * b) % 256;
+
+ /*
+ * This switch block is inlined via #define, and will use "return"
+ * to return a result to the caller if it is a valid (known)
+ * rdatatype name.
+ */
+ RDATATYPE_FROMTEXT_SW(hash, source->base, n, typep);
+
+ if (source->length > 4 && source->length < (4 + sizeof("65000")) &&
+ strncasecmp("type", source->base, 4) == 0) {
+ char buf[sizeof("65000")];
+ char *endp;
+ unsigned int val;
+
+ strncpy(buf, source->base + 4, source->length - 4);
+ buf[source->length - 4] = '\0';
+ val = strtoul(buf, &endp, 10);
+ if (*endp == '\0' && val <= 0xffff) {
+ *typep = (dns_rdatatype_t)val;
+ return (ISC_R_SUCCESS);
+ }
+ }
+
+ return (DNS_R_UNKNOWN);
+}
+
+isc_result_t
+dns_rdatatype_totext(dns_rdatatype_t type, isc_buffer_t *target) {
+ char buf[sizeof("TYPE65535")];
+
+ RDATATYPE_TOTEXT_SW
+ snprintf(buf, sizeof(buf), "TYPE%u", type);
+ return (str_totext(buf, target));
+}
+
+void
+dns_rdatatype_format(dns_rdatatype_t rdtype,
+ char *array, unsigned int size)
+{
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, array, size);
+ result = dns_rdatatype_totext(rdtype, &buf);
+ /*
+ * Null terminate.
+ */
+ if (result == ISC_R_SUCCESS) {
+ if (isc_buffer_availablelength(&buf) >= 1)
+ isc_buffer_putuint8(&buf, 0);
+ else
+ result = ISC_R_NOSPACE;
+ }
+ if (result != ISC_R_SUCCESS) {
+ snprintf(array, size, "<unknown>");
+ array[size - 1] = '\0';
+ }
+}
+
+/*
+ * Private function.
+ */
+
+static unsigned int
+name_length(dns_name_t *name) {
+ return (name->length);
+}
+
+static isc_result_t
+txt_totext(isc_region_t *source, isc_buffer_t *target) {
+ unsigned int tl;
+ unsigned int n;
+ unsigned char *sp;
+ char *tp;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ sp = source->base;
+ tp = (char *)region.base;
+ tl = region.length;
+
+ n = *sp++;
+
+ REQUIRE(n + 1 <= source->length);
+
+ if (tl < 1)
+ return (ISC_R_NOSPACE);
+ *tp++ = '"';
+ tl--;
+ while (n--) {
+ if (*sp < 0x20 || *sp >= 0x7f) {
+ if (tl < 4)
+ return (ISC_R_NOSPACE);
+ snprintf(tp, 5, "\\%03u", *sp++);
+ tp += 4;
+ tl -= 4;
+ continue;
+ }
+ if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
+ if (tl < 2)
+ return (ISC_R_NOSPACE);
+ *tp++ = '\\';
+ tl--;
+ }
+ if (tl < 1)
+ return (ISC_R_NOSPACE);
+ *tp++ = *sp++;
+ tl--;
+ }
+ if (tl < 1)
+ return (ISC_R_NOSPACE);
+ *tp++ = '"';
+ tl--;
+ isc_buffer_add(target, tp - (char *)region.base);
+ isc_region_consume(source, *source->base + 1);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
+ isc_region_t tregion;
+ isc_boolean_t escape;
+ unsigned int n, nrem;
+ char *s;
+ unsigned char *t;
+ int d;
+ int c;
+
+ isc_buffer_availableregion(target, &tregion);
+ s = source->base;
+ n = source->length;
+ t = tregion.base;
+ nrem = tregion.length;
+ escape = ISC_FALSE;
+ if (nrem < 1)
+ return (ISC_R_NOSPACE);
+ /*
+ * Length byte.
+ */
+ nrem--;
+ t++;
+ /*
+ * Maximum text string length.
+ */
+ if (nrem > 255)
+ nrem = 255;
+ while (n-- != 0) {
+ c = (*s++) & 0xff;
+ if (escape && (d = decvalue((char)c)) != -1) {
+ c = d;
+ if (n == 0)
+ return (DNS_R_SYNTAX);
+ n--;
+ if ((d = decvalue(*s++)) != -1)
+ c = c * 10 + d;
+ else
+ return (DNS_R_SYNTAX);
+ if (n == 0)
+ return (DNS_R_SYNTAX);
+ n--;
+ if ((d = decvalue(*s++)) != -1)
+ c = c * 10 + d;
+ else
+ return (DNS_R_SYNTAX);
+ if (c > 255)
+ return (DNS_R_SYNTAX);
+ } else if (!escape && c == '\\') {
+ escape = ISC_TRUE;
+ continue;
+ }
+ escape = ISC_FALSE;
+ if (nrem == 0)
+ return (ISC_R_NOSPACE);
+ *t++ = c;
+ nrem--;
+ }
+ if (escape)
+ return (DNS_R_SYNTAX);
+ *tregion.base = t - tregion.base - 1;
+ isc_buffer_add(target, *tregion.base + 1);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
+ unsigned int n;
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ isc_buffer_activeregion(source, &sregion);
+ if (sregion.length == 0)
+ return(ISC_R_UNEXPECTEDEND);
+ n = *sregion.base + 1;
+ if (n > sregion.length)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_availableregion(target, &tregion);
+ if (n > tregion.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, n);
+ isc_buffer_forward(source, n);
+ isc_buffer_add(target, n);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target) {
+ int l1, l2;
+
+ if (origin == NULL)
+ goto return_false;
+
+ if (dns_name_compare(origin, dns_rootname) == 0)
+ goto return_false;
+
+ if (!dns_name_issubdomain(name, origin))
+ goto return_false;
+
+ l1 = dns_name_countlabels(name);
+ l2 = dns_name_countlabels(origin);
+
+ if (l1 == l2)
+ goto return_false;
+
+ dns_name_getlabelsequence(name, 0, l1 - l2, target);
+ return (ISC_TRUE);
+
+return_false:
+ *target = *name;
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+ unsigned int l;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(source);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, source, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+inet_totext(int af, isc_region_t *src, isc_buffer_t *target) {
+ char tmpbuf[64];
+
+ /* Note - inet_ntop doesn't do size checking on its input. */
+ if (inet_ntop(af, src->base, tmpbuf, sizeof(tmpbuf)) == NULL)
+ return (ISC_R_NOSPACE);
+ if (strlen(tmpbuf) > isc_buffer_availablelength(target))
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(target, tmpbuf);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+buffer_empty(isc_buffer_t *source) {
+ return((source->current == source->active) ? ISC_TRUE : ISC_FALSE);
+}
+
+static void
+buffer_fromregion(isc_buffer_t *buffer, isc_region_t *region) {
+ isc_buffer_init(buffer, region->base, region->length);
+ isc_buffer_add(buffer, region->length);
+ isc_buffer_setactive(buffer, region->length);
+}
+
+static isc_result_t
+uint32_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 4)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint32(target, value);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint16_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
+ isc_region_t region;
+
+ if (value > 0xffff)
+ return (ISC_R_RANGE);
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 2)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(target, (isc_uint16_t)value);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+uint8_tobuffer(isc_uint32_t value, isc_buffer_t *target) {
+ isc_region_t region;
+
+ if (value > 0xff)
+ return (ISC_R_RANGE);
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 1)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(target, (isc_uint8_t)value);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+name_tobuffer(dns_name_t *name, isc_buffer_t *target) {
+ isc_region_t r;
+ dns_name_toregion(name, &r);
+ return (isc_buffer_copyregion(target, &r));
+}
+
+static isc_uint32_t
+uint32_fromregion(isc_region_t *region) {
+ unsigned long value;
+
+ REQUIRE(region->length >= 4);
+ value = region->base[0] << 24;
+ value |= region->base[1] << 16;
+ value |= region->base[2] << 8;
+ value |= region->base[3];
+ return(value);
+}
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region) {
+
+ REQUIRE(region->length >= 2);
+
+ return ((region->base[0] << 8) | region->base[1]);
+}
+
+static isc_uint8_t
+uint8_fromregion(isc_region_t *region) {
+
+ REQUIRE(region->length >= 1);
+
+ return (region->base[0]);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+ isc_region_t tr;
+
+ isc_buffer_availableregion(target, &tr);
+ if (length > tr.length)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, base, length);
+ isc_buffer_add(target, length);
+ return (ISC_R_SUCCESS);
+}
+
+static int
+hexvalue(char value) {
+ char *s;
+ unsigned char c;
+
+ c = (unsigned char)value;
+
+ if (!isascii(c))
+ return (-1);
+ if (isupper(c))
+ c = tolower(c);
+ if ((s = strchr(hexdigits, value)) == NULL)
+ return (-1);
+ return (s - hexdigits);
+}
+
+static int
+decvalue(char value) {
+ char *s;
+
+ /*
+ * isascii() is valid for full range of int values, no need to
+ * mask or cast.
+ */
+ if (!isascii(value))
+ return (-1);
+ if ((s = strchr(decdigits, value)) == NULL)
+ return (-1);
+ return (s - decdigits);
+}
+
+static const char atob_digits[86] =
+ "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`" \
+ "abcdefghijklmnopqrstu";
+/*
+ * Subroutines to convert between 8 bit binary bytes and printable ASCII.
+ * Computes the number of bytes, and three kinds of simple checksums.
+ * Incoming bytes are collected into 32-bit words, then printed in base 85:
+ * exp(85,5) > exp(2,32)
+ * The ASCII characters used are between '!' and 'u';
+ * 'z' encodes 32-bit zero; 'x' is used to mark the end of encoded data.
+ *
+ * Originally by Paul Rutter (philabs!per) and Joe Orost (petsd!joe) for
+ * the atob/btoa programs, released with the compress program, in mod.sources.
+ * Modified by Mike Schwartz 8/19/86 for use in BIND.
+ * Modified to be re-entrant 3/2/99.
+ */
+
+
+struct state {
+ isc_int32_t Ceor;
+ isc_int32_t Csum;
+ isc_int32_t Crot;
+ isc_int32_t word;
+ isc_int32_t bcount;
+};
+
+#define Ceor state->Ceor
+#define Csum state->Csum
+#define Crot state->Crot
+#define word state->word
+#define bcount state->bcount
+
+#define times85(x) ((((((x<<2)+x)<<2)+x)<<2)+x)
+
+static isc_result_t byte_atob(int c, isc_buffer_t *target,
+ struct state *state);
+static isc_result_t putbyte(int c, isc_buffer_t *, struct state *state);
+static isc_result_t byte_btoa(int c, isc_buffer_t *, struct state *state);
+
+/*
+ * Decode ASCII-encoded byte c into binary representation and
+ * place into *bufp, advancing bufp.
+ */
+static isc_result_t
+byte_atob(int c, isc_buffer_t *target, struct state *state) {
+ char *s;
+ if (c == 'z') {
+ if (bcount != 0)
+ return(DNS_R_SYNTAX);
+ else {
+ RETERR(putbyte(0, target, state));
+ RETERR(putbyte(0, target, state));
+ RETERR(putbyte(0, target, state));
+ RETERR(putbyte(0, target, state));
+ }
+ } else if ((s = strchr(atob_digits, c)) != NULL) {
+ if (bcount == 0) {
+ word = s - atob_digits;
+ ++bcount;
+ } else if (bcount < 4) {
+ word = times85(word);
+ word += s - atob_digits;
+ ++bcount;
+ } else {
+ word = times85(word);
+ word += s - atob_digits;
+ RETERR(putbyte((word >> 24) & 0xff, target, state));
+ RETERR(putbyte((word >> 16) & 0xff, target, state));
+ RETERR(putbyte((word >> 8) & 0xff, target, state));
+ RETERR(putbyte(word & 0xff, target, state));
+ word = 0;
+ bcount = 0;
+ }
+ } else
+ return(DNS_R_SYNTAX);
+ return(ISC_R_SUCCESS);
+}
+
+/*
+ * Compute checksum info and place c into target.
+ */
+static isc_result_t
+putbyte(int c, isc_buffer_t *target, struct state *state) {
+ isc_region_t tr;
+
+ Ceor ^= c;
+ Csum += c;
+ Csum += 1;
+ if ((Crot & 0x80000000)) {
+ Crot <<= 1;
+ Crot += 1;
+ } else {
+ Crot <<= 1;
+ }
+ Crot += c;
+ isc_buffer_availableregion(target, &tr);
+ if (tr.length < 1)
+ return (ISC_R_NOSPACE);
+ tr.base[0] = c;
+ isc_buffer_add(target, 1);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Read the ASCII-encoded data from inbuf, of length inbuflen, and convert
+ * it into T_UNSPEC (binary data) in outbuf, not to exceed outbuflen bytes;
+ * outbuflen must be divisible by 4. (Note: this is because outbuf is filled
+ * in 4 bytes at a time. If the actual data doesn't end on an even 4-byte
+ * boundary, there will be no problem...it will be padded with 0 bytes, and
+ * numbytes will indicate the correct number of bytes. The main point is
+ * that since the buffer is filled in 4 bytes at a time, even if there is
+ * not a full 4 bytes of data at the end, there has to be room to 0-pad the
+ * data, so the buffer must be of size divisible by 4). Place the number of
+ * output bytes in numbytes, and return a failure/success status.
+ */
+
+static isc_result_t
+atob_tobuffer(isc_lex_t *lexer, isc_buffer_t *target) {
+ long oeor, osum, orot;
+ struct state statebuf, *state= &statebuf;
+ isc_token_t token;
+ char c;
+ char *e;
+
+ Ceor = Csum = Crot = word = bcount = 0;
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ while (token.value.as_textregion.length != 0) {
+ if ((c = token.value.as_textregion.base[0]) == 'x') {
+ break;
+ } else
+ RETERR(byte_atob(c, target, state));
+ isc_textregion_consume(&token.value.as_textregion, 1);
+ }
+
+ /*
+ * Number of bytes.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if ((token.value.as_ulong % 4) != 0U)
+ isc_buffer_subtract(target, 4 - (token.value.as_ulong % 4));
+
+ /*
+ * Checksum.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ oeor = strtol(DNS_AS_STR(token), &e, 16);
+ if (*e != 0)
+ return (DNS_R_SYNTAX);
+
+ /*
+ * Checksum.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ osum = strtol(DNS_AS_STR(token), &e, 16);
+ if (*e != 0)
+ return (DNS_R_SYNTAX);
+
+ /*
+ * Checksum.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ orot = strtol(DNS_AS_STR(token), &e, 16);
+ if (*e != 0)
+ return (DNS_R_SYNTAX);
+
+ if ((oeor != Ceor) || (osum != Csum) || (orot != Crot))
+ return(DNS_R_BADCKSUM);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Encode binary byte c into ASCII representation and place into *bufp,
+ * advancing bufp.
+ */
+static isc_result_t
+byte_btoa(int c, isc_buffer_t *target, struct state *state) {
+ isc_region_t tr;
+
+ isc_buffer_availableregion(target, &tr);
+ Ceor ^= c;
+ Csum += c;
+ Csum += 1;
+ if ((Crot & 0x80000000)) {
+ Crot <<= 1;
+ Crot += 1;
+ } else {
+ Crot <<= 1;
+ }
+ Crot += c;
+
+ word <<= 8;
+ word |= c;
+ if (bcount == 3) {
+ if (word == 0) {
+ if (tr.length < 1)
+ return (ISC_R_NOSPACE);
+ tr.base[0] = 'z';
+ isc_buffer_add(target, 1);
+ } else {
+ register int tmp = 0;
+ register isc_int32_t tmpword = word;
+
+ if (tmpword < 0) {
+ /*
+ * Because some don't support u_long.
+ */
+ tmp = 32;
+ tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
+ }
+ if (tmpword < 0) {
+ tmp = 64;
+ tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
+ }
+ if (tr.length < 5)
+ return (ISC_R_NOSPACE);
+ tr.base[0] = atob_digits[(tmpword /
+ (isc_int32_t)(85 * 85 * 85 * 85))
+ + tmp];
+ tmpword %= (isc_int32_t)(85 * 85 * 85 * 85);
+ tr.base[1] = atob_digits[tmpword / (85 * 85 * 85)];
+ tmpword %= (85 * 85 * 85);
+ tr.base[2] = atob_digits[tmpword / (85 * 85)];
+ tmpword %= (85 * 85);
+ tr.base[3] = atob_digits[tmpword / 85];
+ tmpword %= 85;
+ tr.base[4] = atob_digits[tmpword];
+ isc_buffer_add(target, 5);
+ }
+ bcount = 0;
+ } else {
+ bcount += 1;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+
+/*
+ * Encode the binary data from inbuf, of length inbuflen, into a
+ * target. Return success/failure status
+ */
+static isc_result_t
+btoa_totext(unsigned char *inbuf, int inbuflen, isc_buffer_t *target) {
+ int inc;
+ struct state statebuf, *state = &statebuf;
+ char buf[sizeof("x 2000000000 ffffffff ffffffff ffffffff")];
+
+ Ceor = Csum = Crot = word = bcount = 0;
+ for (inc = 0; inc < inbuflen; inbuf++, inc++)
+ RETERR(byte_btoa(*inbuf, target, state));
+
+ while (bcount != 0)
+ RETERR(byte_btoa(0, target, state));
+
+ /*
+ * Put byte count and checksum information at end of buffer,
+ * delimited by 'x'
+ */
+ snprintf(buf, sizeof(buf), "x %d %x %x %x", inbuflen, Ceor, Csum, Crot);
+ return (str_totext(buf, target));
+}
+
+
+static void
+default_fromtext_callback(dns_rdatacallbacks_t *callbacks, const char *fmt,
+ ...)
+{
+ va_list ap;
+
+ UNUSED(callbacks);
+
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fprintf(stderr, "\n");
+}
+
+static void
+fromtext_warneof(isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks) {
+ if (isc_lex_isfile(lexer) && callbacks != NULL) {
+ const char *name = isc_lex_getsourcename(lexer);
+ if (name == NULL)
+ name = "UNKNOWN";
+ (*callbacks->warn)(callbacks,
+ "%s:%lu: file does not end with newline",
+ name, isc_lex_getsourceline(lexer));
+ }
+}
+
+static void
+warn_badname(dns_name_t *name, isc_lex_t *lexer,
+ dns_rdatacallbacks_t *callbacks)
+{
+ const char *file;
+ unsigned long line;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ if (lexer != NULL) {
+ file = isc_lex_getsourcename(lexer);
+ line = isc_lex_getsourceline(lexer);
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ (*callbacks->warn)(callbacks, "%s:%u: %s: %s",
+ file, line, namebuf,
+ dns_result_totext(DNS_R_BADNAME));
+ }
+}
+
+static void
+fromtext_error(void (*callback)(dns_rdatacallbacks_t *, const char *, ...),
+ dns_rdatacallbacks_t *callbacks, const char *name,
+ unsigned long line, isc_token_t *token, isc_result_t result)
+{
+ if (name == NULL)
+ name = "UNKNOWN";
+
+ if (token != NULL) {
+ switch (token->type) {
+ case isc_tokentype_eol:
+ (*callback)(callbacks, "%s: %s:%lu: near eol: %s",
+ "dns_rdata_fromtext", name, line,
+ dns_result_totext(result));
+ break;
+ case isc_tokentype_eof:
+ (*callback)(callbacks, "%s: %s:%lu: near eof: %s",
+ "dns_rdata_fromtext", name, line,
+ dns_result_totext(result));
+ break;
+ case isc_tokentype_number:
+ (*callback)(callbacks, "%s: %s:%lu: near %lu: %s",
+ "dns_rdata_fromtext", name, line,
+ token->value.as_ulong,
+ dns_result_totext(result));
+ break;
+ case isc_tokentype_string:
+ case isc_tokentype_qstring:
+ (*callback)(callbacks, "%s: %s:%lu: near '%s': %s",
+ "dns_rdata_fromtext", name, line,
+ DNS_AS_STR(*token),
+ dns_result_totext(result));
+ break;
+ default:
+ (*callback)(callbacks, "%s: %s:%lu: %s",
+ "dns_rdata_fromtext", name, line,
+ dns_result_totext(result));
+ break;
+ }
+ } else {
+ (*callback)(callbacks, "dns_rdata_fromtext: %s:%lu: %s",
+ name, line, dns_result_totext(result));
+ }
+}
+
+dns_rdatatype_t
+dns_rdata_covers(dns_rdata_t *rdata) {
+ if (rdata->type == 46)
+ return (covers_rrsig(rdata));
+ return (covers_sig(rdata));
+}
+
+isc_boolean_t
+dns_rdatatype_ismeta(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_META) != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_issingleton(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_SINGLETON)
+ != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_notquestion(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_NOTQUESTION)
+ != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_questiononly(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_QUESTIONONLY)
+ != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_atparent(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_ATPARENT) != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdataclass_ismeta(dns_rdataclass_t rdclass) {
+
+ if (rdclass == dns_rdataclass_reserved0
+ || rdclass == dns_rdataclass_none
+ || rdclass == dns_rdataclass_any)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE); /* Assume it is not a meta class. */
+}
+
+isc_boolean_t
+dns_rdatatype_isdnssec(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_DNSSEC) != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_iszonecutauth(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type)
+ & (DNS_RDATATYPEATTR_DNSSEC | DNS_RDATATYPEATTR_ZONECUTAUTH))
+ != 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_rdatatype_isknown(dns_rdatatype_t type) {
+ if ((dns_rdatatype_attributes(type) & DNS_RDATATYPEATTR_UNKNOWN)
+ == 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
new file mode 100644
index 0000000..6943d82
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.c
@@ -0,0 +1,593 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsig_250.c,v 1.52.2.1.2.6 2004/03/08 09:04:40 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
+
+#ifndef RDATA_ANY_255_TSIG_250_C
+#define RDATA_ANY_255_TSIG_250_C
+
+#define RRTYPE_TSIG_ATTRIBUTES \
+ (DNS_RDATATYPEATTR_META | DNS_RDATATYPEATTR_NOTQUESTION)
+
+static inline isc_result_t
+fromtext_any_tsig(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_uint64_t sigtime;
+ isc_buffer_t buffer;
+ dns_rcode_t rcode;
+ long i;
+ char *e;
+
+ REQUIRE(type == 250);
+ REQUIRE(rdclass == 255);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Algorithm Name.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ /*
+ * Time Signed: 48 bits.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ sigtime = isc_string_touint64(DNS_AS_STR(token), &e, 10);
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ if ((sigtime >> 48) != 0)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer((isc_uint16_t)(sigtime >> 32), target));
+ RETERR(uint32_tobuffer((isc_uint32_t)(sigtime & 0xffffffffU), target));
+
+ /*
+ * Fudge.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signature Size.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signature.
+ */
+ RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+ /*
+ * Original ID.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Error.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
+ != ISC_R_SUCCESS)
+ {
+ i = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0)
+ RETTOK(DNS_R_UNKNOWN);
+ if (i < 0 || i > 0xffff)
+ RETTOK(ISC_R_RANGE);
+ rcode = (dns_rcode_t)i;
+ }
+ RETERR(uint16_tobuffer(rcode, target));
+
+ /*
+ * Other Len.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Other Data.
+ */
+ return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static inline isc_result_t
+totext_any_tsig(ARGS_TOTEXT) {
+ isc_region_t sr;
+ isc_region_t sigr;
+ char buf[sizeof("281474976710655 ")];
+ char *bufp;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ isc_uint64_t sigtime;
+ unsigned short n;
+
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 255);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+ /*
+ * Algorithm Name.
+ */
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_name_fromregion(&name, &sr);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(str_totext(" ", target));
+ isc_region_consume(&sr, name_length(&name));
+
+ /*
+ * Time Signed.
+ */
+ sigtime = ((isc_uint64_t)sr.base[0] << 40) |
+ ((isc_uint64_t)sr.base[1] << 32) |
+ (sr.base[2] << 24) | (sr.base[3] << 16) |
+ (sr.base[4] << 8) | sr.base[5];
+ isc_region_consume(&sr, 6);
+ bufp = &buf[sizeof(buf) - 1];
+ *bufp-- = 0;
+ *bufp-- = ' ';
+ do {
+ *bufp-- = decdigits[sigtime % 10];
+ sigtime /= 10;
+ } while (sigtime != 0);
+ bufp++;
+ RETERR(str_totext(bufp, target));
+
+ /*
+ * Fudge.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Signature Size.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Signature.
+ */
+ REQUIRE(n <= sr.length);
+ sigr = sr;
+ sigr.length = n;
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sigr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" ) ", target));
+ else
+ RETERR(str_totext(" ", target));
+ isc_region_consume(&sr, n);
+
+ /*
+ * Original ID.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Error.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
+ RETERR(str_totext(" ", target));
+ else {
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+ }
+
+ /*
+ * Other Size.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Other.
+ */
+ return (isc_base64_totext(&sr, 60, " ", target));
+}
+
+static inline isc_result_t
+fromwire_any_tsig(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ unsigned long n;
+
+ REQUIRE(type == 250);
+ REQUIRE(rdclass == 255);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ /*
+ * Algorithm Name.
+ */
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ isc_buffer_activeregion(source, &sr);
+ /*
+ * Time Signed + Fudge.
+ */
+ if (sr.length < 8)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, 8));
+ isc_region_consume(&sr, 8);
+ isc_buffer_forward(source, 8);
+
+ /*
+ * Signature Length + Signature.
+ */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ n = uint16_fromregion(&sr);
+ if (sr.length < n + 2)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, n + 2));
+ isc_region_consume(&sr, n + 2);
+ isc_buffer_forward(source, n + 2);
+
+ /*
+ * Original ID + Error.
+ */
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, 4));
+ isc_region_consume(&sr, 4);
+ isc_buffer_forward(source, 4);
+
+ /*
+ * Other Length + Other.
+ */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ n = uint16_fromregion(&sr);
+ if (sr.length < n + 2)
+ return (ISC_R_UNEXPECTEDEND);
+ isc_buffer_forward(source, n + 2);
+ return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static inline isc_result_t
+towire_any_tsig(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 255);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ RETERR(dns_name_towire(&name, cctx, target));
+ isc_region_consume(&sr, name_length(&name));
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_any_tsig(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 250);
+ REQUIRE(rdata1->rdclass == 255);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_any_tsig(ARGS_FROMSTRUCT) {
+ dns_rdata_any_tsig_t *tsig = source;
+ isc_region_t tr;
+
+ REQUIRE(type == 250);
+ REQUIRE(rdclass == 255);
+ REQUIRE(source != NULL);
+ REQUIRE(tsig->common.rdclass == rdclass);
+ REQUIRE(tsig->common.rdtype == type);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /*
+ * Algorithm Name.
+ */
+ RETERR(name_tobuffer(&tsig->algorithm, target));
+
+ isc_buffer_availableregion(target, &tr);
+ if (tr.length < 6 + 2 + 2)
+ return (ISC_R_NOSPACE);
+
+ /*
+ * Time Signed: 48 bits.
+ */
+ RETERR(uint16_tobuffer((isc_uint16_t)(tsig->timesigned >> 32),
+ target));
+ RETERR(uint32_tobuffer((isc_uint32_t)(tsig->timesigned & 0xffffffffU),
+ target));
+
+ /*
+ * Fudge.
+ */
+ RETERR(uint16_tobuffer(tsig->fudge, target));
+
+ /*
+ * Signature Size.
+ */
+ RETERR(uint16_tobuffer(tsig->siglen, target));
+
+ /*
+ * Signature.
+ */
+ RETERR(mem_tobuffer(target, tsig->signature, tsig->siglen));
+
+ isc_buffer_availableregion(target, &tr);
+ if (tr.length < 2 + 2 + 2)
+ return (ISC_R_NOSPACE);
+
+ /*
+ * Original ID.
+ */
+ RETERR(uint16_tobuffer(tsig->originalid, target));
+
+ /*
+ * Error.
+ */
+ RETERR(uint16_tobuffer(tsig->error, target));
+
+ /*
+ * Other Len.
+ */
+ RETERR(uint16_tobuffer(tsig->otherlen, target));
+
+ /*
+ * Other Data.
+ */
+ return (mem_tobuffer(target, tsig->other, tsig->otherlen));
+}
+
+static inline isc_result_t
+tostruct_any_tsig(ARGS_TOSTRUCT) {
+ dns_rdata_any_tsig_t *tsig;
+ dns_name_t alg;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 255);
+ REQUIRE(rdata->length != 0);
+
+ tsig = (dns_rdata_any_tsig_t *) target;
+ tsig->common.rdclass = rdata->rdclass;
+ tsig->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&tsig->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Algorithm Name.
+ */
+ dns_name_init(&alg, NULL);
+ dns_name_fromregion(&alg, &sr);
+ dns_name_init(&tsig->algorithm, NULL);
+ RETERR(name_duporclone(&alg, mctx, &tsig->algorithm));
+
+ isc_region_consume(&sr, name_length(&tsig->algorithm));
+
+ /*
+ * Time Signed.
+ */
+ INSIST(sr.length >= 6);
+ tsig->timesigned = ((isc_uint64_t)sr.base[0] << 40) |
+ ((isc_uint64_t)sr.base[1] << 32) |
+ (sr.base[2] << 24) | (sr.base[3] << 16) |
+ (sr.base[4] << 8) | sr.base[5];
+ isc_region_consume(&sr, 6);
+
+ /*
+ * Fudge.
+ */
+ tsig->fudge = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Signature Size.
+ */
+ tsig->siglen = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Signature.
+ */
+ INSIST(sr.length >= tsig->siglen);
+ tsig->signature = mem_maybedup(mctx, sr.base, tsig->siglen);
+ if (tsig->signature == NULL)
+ goto cleanup;
+ isc_region_consume(&sr, tsig->siglen);
+
+ /*
+ * Original ID.
+ */
+ tsig->originalid = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Error.
+ */
+ tsig->error = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Other Size.
+ */
+ tsig->otherlen = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Other.
+ */
+ INSIST(sr.length == tsig->otherlen);
+ tsig->other = mem_maybedup(mctx, sr.base, tsig->otherlen);
+ if (tsig->other == NULL)
+ goto cleanup;
+
+ tsig->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&tsig->algorithm, tsig->mctx);
+ if (mctx != NULL && tsig->signature != NULL)
+ isc_mem_free(mctx, tsig->signature);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_any_tsig(ARGS_FREESTRUCT) {
+ dns_rdata_any_tsig_t *tsig = (dns_rdata_any_tsig_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(tsig->common.rdclass == 255);
+ REQUIRE(tsig->common.rdtype == 250);
+
+ if (tsig->mctx == NULL)
+ return;
+
+ dns_name_free(&tsig->algorithm, tsig->mctx);
+ if (tsig->signature != NULL)
+ isc_mem_free(tsig->mctx, tsig->signature);
+ if (tsig->other != NULL)
+ isc_mem_free(tsig->mctx, tsig->other);
+ tsig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_any_tsig(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 255);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_any_tsig(ARGS_DIGEST) {
+
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 255);
+
+ UNUSED(rdata);
+ UNUSED(digest);
+ UNUSED(arg);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_boolean_t
+checkowner_any_tsig(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 250);
+ REQUIRE(rdclass == 255);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_any_tsig(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 250);
+ REQUIRE(rdata->rdclass == 250);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_ANY_255_TSIG_250_C */
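Review bot: In totext_any_tsig the Time Signed terms `(sr.base[2] << 24) | (sr.base[3] << 16) | ...` are computed as int (assuming `isc_region_t.base` is `unsigned char *`), so a byte of 0x80 or more in `sr.base[2]` gives a negative value that sign-extends when OR-ed into the 64-bit `sigtime`. The digit loop can then emit up to 20 digits, while `buf` is sized for a 48-bit value (`sizeof("281474976710655 ")`) and is filled backwards from its end, so the write runs past the start of `buf`. fromwire_any_tsig copies these six bytes unchanged, so the field is not constrained before it reaches this code. Cast every term the way the first two already are, e.g. `((isc_uint64_t)sr.base[2] << 24) | ((isc_uint64_t)sr.base[3] << 16) |`, and make the same change to the identical expression in tostruct_any_tsig. Two smaller points in this file: checknames_any_tsig asserts `REQUIRE(rdata->rdclass == 250);` where every other function requires 255, and the `cleanup:` path of tostruct_any_tsig passes `tsig->mctx` to dns_name_free before that field is assigned, where `mctx` is the initialized value.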
diff --git a/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
new file mode 100644
index 0000000..7b5ccc2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/any_255/tsig_250.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tsig_250.h,v 1.20.206.1 2004/03/06 08:14:02 marka Exp $ */
+
+/* RFC 2845 */
+
+#ifndef ANY_255_TSIG_250_H
+#define ANY_255_TSIG_250_H 1
+
+typedef struct dns_rdata_any_tsig {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ dns_name_t algorithm;
+ isc_uint64_t timesigned;
+ isc_uint16_t fudge;
+ isc_uint16_t siglen;
+ unsigned char * signature;
+ isc_uint16_t originalid;
+ isc_uint16_t error;
+ isc_uint16_t otherlen;
+ unsigned char * other;
+} dns_rdata_any_tsig_t;
+
+#endif /* ANY_255_TSIG_250_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
new file mode 100644
index 0000000..f46844a
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.c
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: afsdb_18.c,v 1.39.2.1.2.3 2004/03/06 08:14:03 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
+
+/* RFC 1183 */
+
+#ifndef RDATA_GENERIC_AFSDB_18_C
+#define RDATA_GENERIC_AFSDB_18_C
+
+#define RRTYPE_AFSDB_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_afsdb(ARGS_FROMTEXT) {
+ isc_token_t token;
+ isc_buffer_t buffer;
+ dns_name_t name;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 18);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Subtype.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Hostname.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_afsdb(ARGS_TOTEXT) {
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_region_t region;
+ char buf[sizeof("64000 ")];
+ isc_boolean_t sub;
+ unsigned int num;
+
+ REQUIRE(rdata->type == 18);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u ", num);
+ RETERR(str_totext(buf, target));
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_afsdb(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sr;
+ isc_region_t tr;
+
+ REQUIRE(type == 18);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_availableregion(target, &tr);
+ if (tr.length < 2)
+ return (ISC_R_NOSPACE);
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ memcpy(tr.base, sr.base, 2);
+ isc_buffer_forward(source, 2);
+ isc_buffer_add(target, 2);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_afsdb(ARGS_TOWIRE) {
+ isc_region_t tr;
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 18);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ isc_buffer_availableregion(target, &tr);
+ dns_rdata_toregion(rdata, &sr);
+ if (tr.length < 2)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, sr.base, 2);
+ isc_region_consume(&sr, 2);
+ isc_buffer_add(target, 2);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_afsdb(ARGS_COMPARE) {
+ int result;
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 18);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ result = memcmp(rdata1->data, rdata2->data, 2);
+ if (result != 0)
+ return (result < 0 ? -1 : 1);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 2);
+ isc_region_consume(&region2, 2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_afsdb(ARGS_FROMSTRUCT) {
+ dns_rdata_afsdb_t *afsdb = source;
+ isc_region_t region;
+
+ REQUIRE(type == 18);
+ REQUIRE(source != NULL);
+ REQUIRE(afsdb->common.rdclass == rdclass);
+ REQUIRE(afsdb->common.rdtype == type);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(afsdb->subtype, target));
+ dns_name_toregion(&afsdb->server, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_afsdb(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_afsdb_t *afsdb = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 18);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ afsdb->common.rdclass = rdata->rdclass;
+ afsdb->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&afsdb->common, link);
+
+ dns_name_init(&afsdb->server, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+
+ afsdb->subtype = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+
+ RETERR(name_duporclone(&name, mctx, &afsdb->server));
+ afsdb->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_afsdb(ARGS_FREESTRUCT) {
+ dns_rdata_afsdb_t *afsdb = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(afsdb->common.rdtype == 18);
+
+ if (afsdb->mctx == NULL)
+ return;
+
+ dns_name_free(&afsdb->server, afsdb->mctx);
+ afsdb->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_afsdb(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 18);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_afsdb(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 18);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 2);
+ r1.length = 2;
+ RETERR((digest)(arg, &r1));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_afsdb(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 18);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_afsdb(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 18);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_AFSDB_18_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
new file mode 100644
index 0000000..3f89f9d
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/afsdb_18.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_AFSDB_18_H
+#define GENERIC_AFSDB_18_H 1
+
+/* $Id: afsdb_18.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
+
+/* RFC 1183 */
+
+typedef struct dns_rdata_afsdb {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t subtype;
+ dns_name_t server;
+} dns_rdata_afsdb_t;
+
+#endif /* GENERIC_AFSDB_18_H */
+
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.c b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
new file mode 100644
index 0000000..81a1aa7
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/cert_37.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cert_37.c,v 1.40.2.1.2.5 2004/03/08 09:04:40 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
+
+/* RFC 2538 */
+
+#ifndef RDATA_GENERIC_CERT_37_C
+#define RDATA_GENERIC_CERT_37_C
+
+#define RRTYPE_CERT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_cert(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_secalg_t secalg;
+ dns_cert_t cert;
+
+ REQUIRE(type == 37);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Cert type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_cert_fromtext(&cert, &token.value.as_textregion));
+ RETERR(uint16_tobuffer(cert, target));
+
+ /*
+ * Key tag.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&secalg, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &secalg, 1));
+
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_cert(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 37);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Type.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ RETERR(dns_cert_totext((dns_cert_t)n, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Key tag.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(dns_secalg_totext(sr.base[0], target));
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Cert.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_cert(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 37);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 5)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_cert(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 37);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_cert(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 37);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_cert(ARGS_FROMSTRUCT) {
+ dns_rdata_cert_t *cert = source;
+
+ REQUIRE(type == 37);
+ REQUIRE(source != NULL);
+ REQUIRE(cert->common.rdtype == type);
+ REQUIRE(cert->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(cert->type, target));
+ RETERR(uint16_tobuffer(cert->key_tag, target));
+ RETERR(uint8_tobuffer(cert->algorithm, target));
+
+ return (mem_tobuffer(target, cert->certificate, cert->length));
+}
+
+static inline isc_result_t
+tostruct_cert(ARGS_TOSTRUCT) {
+ dns_rdata_cert_t *cert = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 37);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ cert->common.rdclass = rdata->rdclass;
+ cert->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&cert->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ cert->type = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ cert->key_tag = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ cert->algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ cert->length = region.length;
+
+ cert->certificate = mem_maybedup(mctx, region.base, region.length);
+ if (cert->certificate == NULL)
+ return (ISC_R_NOMEMORY);
+
+ cert->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_cert(ARGS_FREESTRUCT) {
+ dns_rdata_cert_t *cert = source;
+
+ REQUIRE(cert != NULL);
+ REQUIRE(cert->common.rdtype == 37);
+
+ if (cert->mctx == NULL)
+ return;
+
+ if (cert->certificate != NULL)
+ isc_mem_free(cert->mctx, cert->certificate);
+ cert->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_cert(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 37);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cert(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 37);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_cert(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 37);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_cert(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 37);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_CERT_37_C */
+
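Review bot: `fromwire_cert` accepts any RDATA of five or more octets, so a record holding only the fixed type/key-tag/algorithm header and no certificate bytes passes the wire check, while `totext_cert` and `tostruct_cert` guard only with `REQUIRE(rdata->length != 0)` before consuming those five octets. If an empty certificate is not meant to be valid, the check should read `if (sr.length < 6)`. Otherwise a comment on the check should say that a zero-length certificate is deliberate, because `tostruct_cert` then hands a zero-length region to `mem_maybedup`, whose behaviour in that case is not visible here. Separately, `totext_cert` marks `tctx` with `UNUSED(tctx);` and then reads `tctx->flags`, `tctx->linebreak` and `tctx->width`, so that line should be dropped.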
diff --git a/contrib/bind9/lib/dns/rdata/generic/cert_37.h b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
new file mode 100644
index 0000000..01ae265
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/cert_37.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cert_37.h,v 1.15.206.1 2004/03/06 08:14:03 marka Exp $ */
+
+/* RFC 2538 */
+#ifndef GENERIC_CERT_37_H
+#define GENERIC_CERT_37_H 1
+
+typedef struct dns_rdata_cert {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t type;
+ isc_uint16_t key_tag;
+ isc_uint8_t algorithm;
+ isc_uint16_t length;
+ unsigned char *certificate;
+} dns_rdata_cert_t;
+
+#endif /* GENERIC_CERT_37_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.c b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
new file mode 100644
index 0000000..0ce7aa2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/cname_5.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cname_5.c,v 1.43.206.2 2004/03/06 08:14:03 marka Exp $ */
+
+/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
+
+#ifndef RDATA_GENERIC_CNAME_5_C
+#define RDATA_GENERIC_CNAME_5_C
+
+#define RRTYPE_CNAME_ATTRIBUTES \
+ (DNS_RDATATYPEATTR_EXCLUSIVE | DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_cname(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 5);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_cname(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 5);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_cname(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 5);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_cname(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 5);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_cname(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 5);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_cname(ARGS_FROMSTRUCT) {
+ dns_rdata_cname_t *cname = source;
+ isc_region_t region;
+
+ REQUIRE(type == 5);
+ REQUIRE(source != NULL);
+ REQUIRE(cname->common.rdtype == type);
+ REQUIRE(cname->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&cname->cname, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_cname(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_cname_t *cname = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 5);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ cname->common.rdclass = rdata->rdclass;
+ cname->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&cname->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&cname->cname, NULL);
+ RETERR(name_duporclone(&name, mctx, &cname->cname));
+ cname->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_cname(ARGS_FREESTRUCT) {
+ dns_rdata_cname_t *cname = source;
+
+ REQUIRE(source != NULL);
+
+ if (cname->mctx == NULL)
+ return;
+
+ dns_name_free(&cname->cname, cname->mctx);
+ cname->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_cname(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 5);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_cname(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 5);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_cname(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 5);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_cname(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 5);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_CNAME_5_C */
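Review bot: `freestruct_cname` lacks the type assertion that the other free routines in this import carry (for example `REQUIRE(dname->common.rdtype == 39);` in `freestruct_dname`). It takes what appears to be an untyped `source` pointer and goes straight to `dns_name_free(&cname->cname, cname->mctx)`, so a caller passing a different rdata struct would not be caught. Add `REQUIRE(cname->common.rdtype == 5);` after the NULL check. `additionaldata_cname` also places its `UNUSED(...)` lines ahead of `REQUIRE(rdata->type == 5);`; putting the assertion first would match the other functions in the file.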
diff --git a/contrib/bind9/lib/dns/rdata/generic/cname_5.h b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
new file mode 100644
index 0000000..2efee44
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/cname_5.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cname_5.h,v 1.23.206.1 2004/03/06 08:14:04 marka Exp $ */
+
+#ifndef GENERIC_CNAME_5_H
+#define GENERIC_CNAME_5_H 1
+
+typedef struct dns_rdata_cname {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t cname;
+} dns_rdata_cname_t;
+
+#endif /* GENERIC_CNAME_5_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c
new file mode 100644
index 0000000..2d91758
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.c
@@ -0,0 +1,281 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.c,v 1.2.2.4 2004/03/16 12:38:14 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DLV_65323_C
+#define RDATA_GENERIC_DLV_65323_C
+
+#define RRTYPE_DLV_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_dlv(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == 65323);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Key tag.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Digest type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ type = (isc_uint16_t) token.value.as_ulong;
+
+ /*
+ * Digest.
+ */
+ return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dlv(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Key tag.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Algorithm.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest type.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dlv(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 65323);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dlv(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dlv(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 65323);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dlv(ARGS_FROMSTRUCT) {
+ dns_rdata_dlv_t *dlv = source;
+
+ REQUIRE(type == 65323);
+ REQUIRE(source != NULL);
+ REQUIRE(dlv->common.rdtype == type);
+ REQUIRE(dlv->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(dlv->key_tag, target));
+ RETERR(uint8_tobuffer(dlv->algorithm, target));
+ RETERR(uint8_tobuffer(dlv->digest_type, target));
+
+ return (mem_tobuffer(target, dlv->digest, dlv->length));
+}
+
+static inline isc_result_t
+tostruct_dlv(ARGS_TOSTRUCT) {
+ dns_rdata_dlv_t *dlv = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 65323);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ dlv->common.rdclass = rdata->rdclass;
+ dlv->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&dlv->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dlv->key_tag = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ dlv->algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ dlv->digest_type = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ dlv->length = region.length;
+
+ dlv->digest = mem_maybedup(mctx, region.base, region.length);
+ if (dlv->digest == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dlv->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dlv(ARGS_FREESTRUCT) {
+ dns_rdata_dlv_t *dlv = source;
+
+ REQUIRE(dlv != NULL);
+ REQUIRE(dlv->common.rdtype == 65323);
+
+ if (dlv->mctx == NULL)
+ return;
+
+ if (dlv->digest != NULL)
+ isc_mem_free(dlv->mctx, dlv->digest);
+ dlv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dlv(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 65323);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dlv(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 65323);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dlv(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 65323);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dlv(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 65323);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_DLV_65323_C */
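Review bot: `fromwire_dlv` only checks `sr.length < 4`, so a record with the four-octet header and no digest is accepted from the wire, and nothing in this file relates the digest length to the digest-type octet. If that validation is meant to happen elsewhere, a comment on the check should say so; otherwise the bound should be at least `if (sr.length < 5)`. In `fromtext_dlv` the line `type = (isc_uint16_t) token.value.as_ulong;` overwrites the rdata type parameter with the digest type after `UNUSED(type)` and is never read again, so it can be deleted. `totext_dlv` marks `tctx` with `UNUSED(tctx);` and then reads `tctx->flags`, `tctx->linebreak` and `tctx->width`, so that line should go as well.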
diff --git a/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h
new file mode 100644
index 0000000..689fd4b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dlv_65323.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dlv_65323.h,v 1.2.2.3 2004/03/15 01:02:55 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DLV_65323_H
+#define GENERIC_DLV_65323_H 1
+
+typedef struct dns_rdata_dlv {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t key_tag;
+ isc_uint8_t algorithm;
+ isc_uint8_t digest_type;
+ isc_uint16_t length;
+ unsigned char *digest;
+} dns_rdata_dlv_t;
+
+#endif /* GENERIC_DLV_65323_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.c b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
new file mode 100644
index 0000000..b532f2e
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dname_39.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dname_39.c,v 1.34.206.2 2004/03/06 08:14:04 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
+
+/* RFC2672 */
+
+#ifndef RDATA_GENERIC_DNAME_39_C
+#define RDATA_GENERIC_DNAME_39_C
+
+#define RRTYPE_DNAME_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_dname(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 39);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_dname(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 39);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_dname(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 39);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+ return(dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_dname(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 39);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_dname(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 39);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_dname(ARGS_FROMSTRUCT) {
+ dns_rdata_dname_t *dname = source;
+ isc_region_t region;
+
+ REQUIRE(type == 39);
+ REQUIRE(source != NULL);
+ REQUIRE(dname->common.rdtype == type);
+ REQUIRE(dname->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&dname->dname, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_dname(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_dname_t *dname = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 39);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ dname->common.rdclass = rdata->rdclass;
+ dname->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&dname->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&dname->dname, NULL);
+ RETERR(name_duporclone(&name, mctx, &dname->dname));
+ dname->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dname(ARGS_FREESTRUCT) {
+ dns_rdata_dname_t *dname = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(dname->common.rdtype == 39);
+
+ if (dname->mctx == NULL)
+ return;
+
+ dns_name_free(&dname->dname, dname->mctx);
+ dname->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dname(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 39);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dname(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 39);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_dname(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 39);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dname(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 39);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_DNAME_39_C */
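Review bot: `fromwire_dname` and `towire_dname` select `DNS_COMPRESS_NONE` without saying why, while the otherwise identical CNAME code in this import uses `DNS_COMPRESS_GLOBAL14`. A one-line comment such as `/* RFC 2672: the DNAME target is sent uncompressed. */` above each call would stop a later cleanup from aligning the two by mistake. `additionaldata_dname` puts its three `UNUSED(...)` lines before `REQUIRE(rdata->type == 39);`, the reverse of the order used by the other functions in this file. `fromwire_dname` also writes `return(` without the space used everywhere else.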
diff --git a/contrib/bind9/lib/dns/rdata/generic/dname_39.h b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
new file mode 100644
index 0000000..a1b2192
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dname_39.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DNAME_39_H
+#define GENERIC_DNAME_39_H 1
+
+/* $Id: dname_39.h,v 1.16.206.1 2004/03/06 08:14:04 marka Exp $ */
+
+/* RFC2672 */
+
+typedef struct dns_rdata_dname {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t dname;
+} dns_rdata_dname_t;
+
+#endif /* GENERIC_DNAME_39_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
new file mode 100644
index 0000000..5cf58d5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnskey_48.c,v 1.4.2.1 2004/03/08 02:08:02 marka Exp $ */
+
+/*
+ * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
+ */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_DNSKEY_48_C
+#define RDATA_GENERIC_DNSKEY_48_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_DNSKEY_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_dnskey(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_secalg_t alg;
+ dns_secproto_t proto;
+ dns_keyflags_t flags;
+
+ REQUIRE(type == 48);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /* flags */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+ RETERR(uint16_tobuffer(flags, target));
+
+ /* protocol */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &proto, 1));
+
+ /* algorithm */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &alg, 1));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_dnskey(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000")];
+ unsigned int flags;
+ unsigned char algorithm;
+
+ REQUIRE(rdata->type == 48);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* flags */
+ flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u", flags);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* protocol */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* algorithm */
+ algorithm = sr.base[0];
+ sprintf(buf, "%u", algorithm);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ /* key */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
+ RETERR(str_totext(tctx->linebreak, target));
+ else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" ", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(")", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
+ isc_region_t tmpr;
+
+ RETERR(str_totext(" ; key id = ", target));
+ dns_rdata_toregion(rdata, &tmpr);
+ sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+ RETERR(str_totext(buf, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_dnskey(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 48);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_dnskey(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 48);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_dnskey(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 48);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_dnskey(ARGS_FROMSTRUCT) {
+ dns_rdata_dnskey_t *dnskey = source;
+
+ REQUIRE(type == 48);
+ REQUIRE(source != NULL);
+ REQUIRE(dnskey->common.rdtype == type);
+ REQUIRE(dnskey->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /* Flags */
+ RETERR(uint16_tobuffer(dnskey->flags, target));
+
+ /* Protocol */
+ RETERR(uint8_tobuffer(dnskey->protocol, target));
+
+ /* Algorithm */
+ RETERR(uint8_tobuffer(dnskey->algorithm, target));
+
+ /* Data */
+ return (mem_tobuffer(target, dnskey->data, dnskey->datalen));
+}
+
+static inline isc_result_t
+tostruct_dnskey(ARGS_TOSTRUCT) {
+ dns_rdata_dnskey_t *dnskey = target;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 48);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ dnskey->common.rdclass = rdata->rdclass;
+ dnskey->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&dnskey->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* Flags */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ dnskey->flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /* Protocol */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ dnskey->protocol = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Algorithm */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ dnskey->algorithm = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Data */
+ dnskey->datalen = sr.length;
+ dnskey->data = mem_maybedup(mctx, sr.base, dnskey->datalen);
+ if (dnskey->data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dnskey->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_dnskey(ARGS_FREESTRUCT) {
+ dns_rdata_dnskey_t *dnskey = (dns_rdata_dnskey_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(dnskey->common.rdtype == 48);
+
+ if (dnskey->mctx == NULL)
+ return;
+
+ if (dnskey->data != NULL)
+ isc_mem_free(dnskey->mctx, dnskey->data);
+ dnskey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_dnskey(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 48);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_dnskey(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 48);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_dnskey(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 48);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_dnskey(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 48);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_DNSKEY_48_C */
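Review bot: totext_dnskey reads the 2-byte flags, the protocol byte and the algorithm byte straight out of the region, but its only length precondition is `REQUIRE(rdata->length != 0)`, so an rdata shorter than 4 bytes reaches `sr.base[0]` with nothing left in the region. fromwire_dnskey rejects `sr.length < 4` and tostruct_dnskey returns ISC_R_UNEXPECTEDEND field by field, so the text path is the one place that trusts the fixed header; whether an rdata can reach it without passing fromwire is not visible in this hunk. I would add `if (sr.length < 4) return (ISC_R_UNEXPECTEDEND);` right after `dns_rdata_toregion(rdata, &sr);`. The same pattern appears in totext_ds and tostruct_ds in the ds_43.c hunk below.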
diff --git a/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
new file mode 100644
index 0000000..4dd71d2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/dnskey_48.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DNSKEY_48_H
+#define GENERIC_DNSKEY_48_H 1
+
+/* $Id: dnskey_48.h,v 1.3.2.1 2004/03/08 02:08:02 marka Exp $ */
+
+/* RFC 2535 */
+
+typedef struct dns_rdata_dnskey {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ isc_uint16_t flags;
+ isc_uint8_t protocol;
+ isc_uint8_t algorithm;
+ isc_uint16_t datalen;
+ unsigned char * data;
+} dns_rdata_dnskey_t;
+
+
+#endif /* GENERIC_DNSKEY_48_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.c b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
new file mode 100644
index 0000000..538f865
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.c
@@ -0,0 +1,283 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds_43.c,v 1.6.2.2 2004/03/16 12:38:14 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+
+#ifndef RDATA_GENERIC_DS_43_C
+#define RDATA_GENERIC_DS_43_C
+
+#define RRTYPE_DS_ATTRIBUTES \
+ (DNS_RDATATYPEATTR_DNSSEC|DNS_RDATATYPEATTR_ATPARENT)
+
+static inline isc_result_t
+fromtext_ds(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == 43);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Key tag.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Digest type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ type = (isc_uint16_t) token.value.as_ulong;
+
+ /*
+ * Digest.
+ */
+ return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_ds(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 43);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Key tag.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Algorithm.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest type.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_ds(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 43);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_ds(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 43);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_ds(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 43);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_ds(ARGS_FROMSTRUCT) {
+ dns_rdata_ds_t *ds = source;
+
+ REQUIRE(type == 43);
+ REQUIRE(source != NULL);
+ REQUIRE(ds->common.rdtype == type);
+ REQUIRE(ds->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(ds->key_tag, target));
+ RETERR(uint8_tobuffer(ds->algorithm, target));
+ RETERR(uint8_tobuffer(ds->digest_type, target));
+
+ return (mem_tobuffer(target, ds->digest, ds->length));
+}
+
+static inline isc_result_t
+tostruct_ds(ARGS_TOSTRUCT) {
+ dns_rdata_ds_t *ds = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 43);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ ds->common.rdclass = rdata->rdclass;
+ ds->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&ds->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ ds->key_tag = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ ds->algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ ds->digest_type = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ ds->length = region.length;
+
+ ds->digest = mem_maybedup(mctx, region.base, region.length);
+ if (ds->digest == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ds->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ds(ARGS_FREESTRUCT) {
+ dns_rdata_ds_t *ds = source;
+
+ REQUIRE(ds != NULL);
+ REQUIRE(ds->common.rdtype == 43);
+
+ if (ds->mctx == NULL)
+ return;
+
+ if (ds->digest != NULL)
+ isc_mem_free(ds->mctx, ds->digest);
+ ds->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ds(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 43);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ds(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 43);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_ds(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 43);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_ds(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 43);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_DS_43_C */
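Review bot: In fromtext_ds the line `type = (isc_uint16_t) token.value.as_ulong;` overwrites the `type` parameter with the digest type after `UNUSED(type)`, and nothing reads it before the function returns, so it is a dead store that reads as if the digest type were about to be checked. I would delete it, or, if validation was intended, keep the value in a separate local and check the digest length against it. As written, neither fromtext_ds nor fromwire_ds (which only rejects `sr.length < 4`) ties the digest length to the digest type. totext_ds also declares `UNUSED(tctx);` and then dereferences `tctx->flags`, `tctx->linebreak` and `tctx->width`, so that marker should be dropped.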
diff --git a/contrib/bind9/lib/dns/rdata/generic/ds_43.h b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
new file mode 100644
index 0000000..cd4a5ca
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ds_43.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ds_43.h,v 1.3.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* draft-ietf-dnsext-delegation-signer-05.txt */
+#ifndef GENERIC_DS_43_H
+#define GENERIC_DS_43_H 1
+
+typedef struct dns_rdata_ds {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t key_tag;
+ isc_uint8_t algorithm;
+ isc_uint8_t digest_type;
+ isc_uint16_t length;
+ unsigned char *digest;
+} dns_rdata_ds_t;
+
+#endif /* GENERIC_DS_43_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.c b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
new file mode 100644
index 0000000..1768f17
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/gpos_27.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gpos_27.c,v 1.32.12.5 2004/03/08 09:04:40 marka Exp $ */
+
+/* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
+
+/* RFC 1712 */
+
+#ifndef RDATA_GENERIC_GPOS_27_C
+#define RDATA_GENERIC_GPOS_27_C
+
+#define RRTYPE_GPOS_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_gpos(ARGS_FROMTEXT) {
+ isc_token_t token;
+ int i;
+
+ REQUIRE(type == 27);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ for (i = 0; i < 3; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_gpos(ARGS_TOTEXT) {
+ isc_region_t region;
+ int i;
+
+ REQUIRE(rdata->type == 27);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &region);
+
+ for (i = 0; i < 3; i++) {
+ RETERR(txt_totext(&region, target));
+ if (i != 2)
+ RETERR(str_totext(" ", target));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_gpos(ARGS_FROMWIRE) {
+ int i;
+
+ REQUIRE(type == 27);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ for (i = 0; i < 3; i++)
+ RETERR(txt_fromwire(source, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_gpos(ARGS_TOWIRE) {
+
+ REQUIRE(rdata->type == 27);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_gpos(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 27);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_gpos(ARGS_FROMSTRUCT) {
+ dns_rdata_gpos_t *gpos = source;
+
+ REQUIRE(type == 27);
+ REQUIRE(source != NULL);
+ REQUIRE(gpos->common.rdtype == type);
+ REQUIRE(gpos->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(gpos->long_len, target));
+ RETERR(mem_tobuffer(target, gpos->longitude, gpos->long_len));
+ RETERR(uint8_tobuffer(gpos->lat_len, target));
+ RETERR(mem_tobuffer(target, gpos->latitude, gpos->lat_len));
+ RETERR(uint8_tobuffer(gpos->alt_len, target));
+ return (mem_tobuffer(target, gpos->altitude, gpos->alt_len));
+}
+
+static inline isc_result_t
+tostruct_gpos(ARGS_TOSTRUCT) {
+ dns_rdata_gpos_t *gpos = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 27);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ gpos->common.rdclass = rdata->rdclass;
+ gpos->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&gpos->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+ gpos->long_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ gpos->longitude = mem_maybedup(mctx, region.base, gpos->long_len);
+ if (gpos->longitude == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_region_consume(&region, gpos->long_len);
+
+ gpos->lat_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ gpos->latitude = mem_maybedup(mctx, region.base, gpos->lat_len);
+ if (gpos->latitude == NULL)
+ goto cleanup_longitude;
+ isc_region_consume(&region, gpos->lat_len);
+
+ gpos->alt_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ if (gpos->lat_len > 0) {
+ gpos->altitude =
+ mem_maybedup(mctx, region.base, gpos->alt_len);
+ if (gpos->altitude == NULL)
+ goto cleanup_latitude;
+ } else
+ gpos->altitude = NULL;
+
+ gpos->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup_latitude:
+ if (mctx != NULL && gpos->longitude != NULL)
+ isc_mem_free(mctx, gpos->longitude);
+
+ cleanup_longitude:
+ if (mctx != NULL && gpos->latitude != NULL)
+ isc_mem_free(mctx, gpos->latitude);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_gpos(ARGS_FREESTRUCT) {
+ dns_rdata_gpos_t *gpos = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(gpos->common.rdtype == 27);
+
+ if (gpos->mctx == NULL)
+ return;
+
+ if (gpos->longitude != NULL)
+ isc_mem_free(gpos->mctx, gpos->longitude);
+ if (gpos->latitude != NULL)
+ isc_mem_free(gpos->mctx, gpos->latitude);
+ if (gpos->altitude != NULL)
+ isc_mem_free(gpos->mctx, gpos->altitude);
+ gpos->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_gpos(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 27);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_gpos(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 27);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_gpos(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 27);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_gpos(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 27);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_GPOS_27_C */
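Review bot: The two cleanup labels in tostruct_gpos free the wrong members: when the latitude copy fails the code jumps to `cleanup_longitude`, which only frees `gpos->latitude` (NULL at that point), so the longitude buffer already duplicated from `mctx` is leaked. Each label should release the allocation it is named for, with `cleanup_latitude` falling through to `cleanup_longitude`, as in the fence below. Separately, the altitude copy is guarded by `if (gpos->lat_len > 0)`, which looks like a typo for `alt_len`. With a zero-length latitude and a non-empty altitude, `altitude` stays NULL while `alt_len` is non-zero, and fromstruct_gpos would then hand that NULL to `mem_tobuffer`; I would change the guard to `if (gpos->alt_len > 0) {`.

```c
	/* … unchanged: field parsing, gpos->mctx = mctx, success return … */

 cleanup_latitude:
	if (mctx != NULL && gpos->latitude != NULL)
		isc_mem_free(mctx, gpos->latitude);

 cleanup_longitude:
	if (mctx != NULL && gpos->longitude != NULL)
		isc_mem_free(mctx, gpos->longitude);
	return (ISC_R_NOMEMORY);
```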
diff --git a/contrib/bind9/lib/dns/rdata/generic/gpos_27.h b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
new file mode 100644
index 0000000..6f9ed37
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/gpos_27.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_GPOS_27_H
+#define GENERIC_GPOS_27_H 1
+
+/* $Id: gpos_27.h,v 1.12.206.1 2004/03/06 08:14:04 marka Exp $ */
+
+/* RFC 1712 */
+
+typedef struct dns_rdata_gpos {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ char *longitude;
+ char *latitude;
+ char *altitude;
+ isc_uint8_t long_len;
+ isc_uint8_t lat_len;
+ isc_uint8_t alt_len;
+} dns_rdata_gpos_t;
+
+#endif /* GENERIC_GPOS_27_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
new file mode 100644
index 0000000..e432ce5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hinfo_13.c,v 1.37.12.5 2004/03/08 09:04:40 marka Exp $ */
+
+/*
+ * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
+ */
+
+#ifndef RDATA_GENERIC_HINFO_13_C
+#define RDATA_GENERIC_HINFO_13_C
+
+#define RRTYPE_HINFO_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hinfo(ARGS_FROMTEXT) {
+ isc_token_t token;
+ int i;
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ REQUIRE(type == 13);
+
+ for (i = 0; i < 2; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hinfo(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 13);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &region);
+ RETERR(txt_totext(&region, target));
+ RETERR(str_totext(" ", target));
+ return (txt_totext(&region, target));
+}
+
+static inline isc_result_t
+fromwire_hinfo(ARGS_FROMWIRE) {
+
+ REQUIRE(type == 13);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ RETERR(txt_fromwire(source, target));
+ return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_hinfo(ARGS_TOWIRE) {
+
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 13);
+ REQUIRE(rdata->length != 0);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_hinfo(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 13);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_hinfo(ARGS_FROMSTRUCT) {
+ dns_rdata_hinfo_t *hinfo = source;
+
+ REQUIRE(type == 13);
+ REQUIRE(source != NULL);
+ REQUIRE(hinfo->common.rdtype == type);
+ REQUIRE(hinfo->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(hinfo->cpu_len, target));
+ RETERR(mem_tobuffer(target, hinfo->cpu, hinfo->cpu_len));
+ RETERR(uint8_tobuffer(hinfo->os_len, target));
+ return (mem_tobuffer(target, hinfo->os, hinfo->os_len));
+}
+
+static inline isc_result_t
+tostruct_hinfo(ARGS_TOSTRUCT) {
+ dns_rdata_hinfo_t *hinfo = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 13);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ hinfo->common.rdclass = rdata->rdclass;
+ hinfo->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&hinfo->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+ hinfo->cpu_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ hinfo->cpu = mem_maybedup(mctx, region.base, hinfo->cpu_len);
+ if (hinfo->cpu == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_region_consume(&region, hinfo->cpu_len);
+
+ hinfo->os_len = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ hinfo->os = mem_maybedup(mctx, region.base, hinfo->os_len);
+ if (hinfo->os == NULL)
+ goto cleanup;
+
+ hinfo->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL && hinfo->cpu != NULL)
+ isc_mem_free(mctx, hinfo->cpu);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_hinfo(ARGS_FREESTRUCT) {
+ dns_rdata_hinfo_t *hinfo = source;
+
+ REQUIRE(source != NULL);
+
+ if (hinfo->mctx == NULL)
+ return;
+
+ if (hinfo->cpu != NULL)
+ isc_mem_free(hinfo->mctx, hinfo->cpu);
+ if (hinfo->os != NULL)
+ isc_mem_free(hinfo->mctx, hinfo->os);
+ hinfo->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_hinfo(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 13);
+
+ UNUSED(add);
+ UNUSED(arg);
+ UNUSED(rdata);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hinfo(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 13);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_hinfo(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 13);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hinfo(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 13);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_HINFO_13_C */
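Review bot: tostruct_hinfo passes the length bytes `cpu_len` and `os_len` to `mem_maybedup` before anything compares them with what is left in `region`, so a record whose length prefix exceeds the remaining rdata would be copied from past the end of the buffer; fromwire_hinfo goes through `txt_fromwire`, which presumably validates this, but rdata built another way is only covered by `REQUIRE(rdata->length != 0)`. I would check before each copy, e.g. `if (region.length < hinfo->cpu_len) return (ISC_R_UNEXPECTEDEND);`, and free `cpu` before returning in the `os_len` case. tostruct_gpos in the gpos_27.c hunk has the same shape. freestruct_hinfo is also the only freestruct among the files shown here without a type assertion; `REQUIRE(hinfo->common.rdtype == 13);` would match freestruct_gpos and freestruct_ds.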
diff --git a/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
new file mode 100644
index 0000000..61cbdd7
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/hinfo_13.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_HINFO_13_H
+#define GENERIC_HINFO_13_H 1
+
+/* $Id: hinfo_13.h,v 1.22.206.1 2004/03/06 08:14:05 marka Exp $ */
+
+typedef struct dns_rdata_hinfo {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ char *cpu;
+ char *os;
+ isc_uint8_t cpu_len;
+ isc_uint8_t os_len;
+} dns_rdata_hinfo_t;
+
+#endif /* GENERIC_HINFO_13_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.c b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
new file mode 100644
index 0000000..cc14157
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/isdn_20.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: isdn_20.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
+
+/* RFC 1183 */
+
+#ifndef RDATA_GENERIC_ISDN_20_C
+#define RDATA_GENERIC_ISDN_20_C
+
+#define RRTYPE_ISDN_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_isdn(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == 20);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /* ISDN-address */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+ /* sa: optional */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_TRUE));
+ if (token.type != isc_tokentype_string &&
+ token.type != isc_tokentype_qstring) {
+ isc_lex_ungettoken(lexer, &token);
+ return (ISC_R_SUCCESS);
+ }
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_isdn(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 20);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &region);
+ RETERR(txt_totext(&region, target));
+ if (region.length == 0)
+ return (ISC_R_SUCCESS);
+ RETERR(str_totext(" ", target));
+ return (txt_totext(&region, target));
+}
+
+static inline isc_result_t
+fromwire_isdn(ARGS_FROMWIRE) {
+ REQUIRE(type == 20);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ RETERR(txt_fromwire(source, target));
+ if (buffer_empty(source))
+ return (ISC_R_SUCCESS);
+ return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_isdn(ARGS_TOWIRE) {
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 20);
+ REQUIRE(rdata->length != 0);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_isdn(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 20);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_isdn(ARGS_FROMSTRUCT) {
+ dns_rdata_isdn_t *isdn = source;
+
+ REQUIRE(type == 20);
+ REQUIRE(source != NULL);
+ REQUIRE(isdn->common.rdtype == type);
+ REQUIRE(isdn->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(isdn->isdn_len, target));
+ RETERR(mem_tobuffer(target, isdn->isdn, isdn->isdn_len));
+ RETERR(uint8_tobuffer(isdn->subaddress_len, target));
+ return (mem_tobuffer(target, isdn->subaddress, isdn->subaddress_len));
+}
+
+static inline isc_result_t
+tostruct_isdn(ARGS_TOSTRUCT) {
+ dns_rdata_isdn_t *isdn = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 20);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ isdn->common.rdclass = rdata->rdclass;
+ isdn->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&isdn->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+
+ isdn->isdn_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ isdn->isdn = mem_maybedup(mctx, r.base, isdn->isdn_len);
+ if (isdn->isdn == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_region_consume(&r, isdn->isdn_len);
+
+ isdn->subaddress_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ isdn->subaddress = mem_maybedup(mctx, r.base, isdn->subaddress_len);
+ if (isdn->subaddress == NULL)
+ goto cleanup;
+
+ isdn->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL && isdn->isdn != NULL)
+ isc_mem_free(mctx, isdn->isdn);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_isdn(ARGS_FREESTRUCT) {
+ dns_rdata_isdn_t *isdn = source;
+
+ REQUIRE(source != NULL);
+
+ if (isdn->mctx == NULL)
+ return;
+
+ if (isdn->isdn != NULL)
+ isc_mem_free(isdn->mctx, isdn->isdn);
+ if (isdn->subaddress != NULL)
+ isc_mem_free(isdn->mctx, isdn->subaddress);
+ isdn->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_isdn(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 20);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_isdn(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 20);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_isdn(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 20);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_isdn(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 20);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_ISDN_20_C */
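Review bot: `tostruct_isdn` always reads a subaddress length byte, but `fromtext_isdn` ("sa: optional") and `fromwire_isdn` (the `buffer_empty(source)` early return) both accept records that end after the ISDN-address, so for such a record `uint8_fromregion(&r)` is called on an empty region. Depending on how that helper treats an empty region (not shown here), this is either a read past the rdata or an assertion failure, on data that comes from a zone file or a wire message. The subaddress should be parsed only when `r.length != 0`, leaving `subaddress` NULL and `subaddress_len` 0 otherwise; `freestruct_isdn` already tolerates a NULL `subaddress`. Since this is a vendor import, the change would need to go upstream as well.

```c
	isc_region_consume(&r, isdn->isdn_len);

	/* The subaddress is optional: fromtext/fromwire accept rdata without it. */
	if (r.length == 0) {
		isdn->subaddress_len = 0;
		isdn->subaddress = NULL;
	} else {
		isdn->subaddress_len = uint8_fromregion(&r);
		isc_region_consume(&r, 1);
		isdn->subaddress = mem_maybedup(mctx, r.base,
						isdn->subaddress_len);
		if (isdn->subaddress == NULL)
			goto cleanup;
	}
	/* … unchanged: set isdn->mctx, return, cleanup label … */
```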
diff --git a/contrib/bind9/lib/dns/rdata/generic/isdn_20.h b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
new file mode 100644
index 0000000..3a63971
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/isdn_20.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_ISDN_20_H
+#define GENERIC_ISDN_20_H 1
+
+/* $Id: isdn_20.h,v 1.13.206.1 2004/03/06 08:14:05 marka Exp $ */
+
+/* RFC 1183 */
+
+typedef struct dns_rdata_isdn {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ char *isdn;
+ char *subaddress;
+ isc_uint8_t isdn_len;
+ isc_uint8_t subaddress_len;
+} dns_rdata_isdn_t;
+
+#endif /* GENERIC_ISDN_20_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.c b/contrib/bind9/lib/dns/rdata/generic/key_25.c
new file mode 100644
index 0000000..defbe6d
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/key_25.c
@@ -0,0 +1,312 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: key_25.c,v 1.41.12.7 2004/03/08 09:04:41 marka Exp $ */
+
+/*
+ * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
+ */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_KEY_25_C
+#define RDATA_GENERIC_KEY_25_C
+
+#include <dst/dst.h>
+
+#define RRTYPE_KEY_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_key(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_secalg_t alg;
+ dns_secproto_t proto;
+ dns_keyflags_t flags;
+
+ REQUIRE(type == 25);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /* flags */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_keyflags_fromtext(&flags, &token.value.as_textregion));
+ RETERR(uint16_tobuffer(flags, target));
+
+ /* protocol */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secproto_fromtext(&proto, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &proto, 1));
+
+ /* algorithm */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&alg, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &alg, 1));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_key(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000")];
+ unsigned int flags;
+ unsigned char algorithm;
+
+ REQUIRE(rdata->type == 25);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* flags */
+ flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%u", flags);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* protocol */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /* algorithm */
+ algorithm = sr.base[0];
+ sprintf(buf, "%u", algorithm);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+
+ /* No Key? */
+ if ((flags & 0xc000) == 0xc000)
+ return (ISC_R_SUCCESS);
+
+ /* key */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0)
+ RETERR(str_totext(tctx->linebreak, target));
+ else if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" ", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(")", target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0) {
+ isc_region_t tmpr;
+
+ RETERR(str_totext(" ; key id = ", target));
+ dns_rdata_toregion(rdata, &tmpr);
+ sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+ RETERR(str_totext(buf, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_key(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 25);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_key(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 25);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_key(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 25);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_key(ARGS_FROMSTRUCT) {
+ dns_rdata_key_t *key = source;
+
+ REQUIRE(type == 25);
+ REQUIRE(source != NULL);
+ REQUIRE(key->common.rdtype == type);
+ REQUIRE(key->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /* Flags */
+ RETERR(uint16_tobuffer(key->flags, target));
+
+ /* Protocol */
+ RETERR(uint8_tobuffer(key->protocol, target));
+
+ /* Algorithm */
+ RETERR(uint8_tobuffer(key->algorithm, target));
+
+ /* Data */
+ return (mem_tobuffer(target, key->data, key->datalen));
+}
+
+static inline isc_result_t
+tostruct_key(ARGS_TOSTRUCT) {
+ dns_rdata_key_t *key = target;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 25);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ key->common.rdclass = rdata->rdclass;
+ key->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&key->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* Flags */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ key->flags = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /* Protocol */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ key->protocol = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Algorithm */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ key->algorithm = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /* Data */
+ key->datalen = sr.length;
+ key->data = mem_maybedup(mctx, sr.base, key->datalen);
+ if (key->data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ key->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_key(ARGS_FREESTRUCT) {
+ dns_rdata_key_t *key = (dns_rdata_key_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(key->common.rdtype == 25);
+
+ if (key->mctx == NULL)
+ return;
+
+ if (key->data != NULL)
+ isc_mem_free(key->mctx, key->data);
+ key->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_key(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 25);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_key(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 25);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_key(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 25);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_key(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 25);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_KEY_25_C */
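Review bot: `totext_key` reads the two flag bytes and then `sr.base[0]` twice for protocol and algorithm while guarding only with `REQUIRE(rdata->length != 0)`, whereas `tostruct_key` checks `sr.length` before every field. `fromwire_key` does reject anything shorter than 4 bytes, but an rdata that reached this function by another route would be indexed past its end; a guard right after `dns_rdata_toregion`, `if (sr.length < 4) return (ISC_R_UNEXPECTEDEND);`, makes the function safe on its own. The `sprintf` calls fit only because every printed value is at most 65535, yet the buffer is sized with the literal "64000"; `char buf[sizeof("65535")];` would state the real bound.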
diff --git a/contrib/bind9/lib/dns/rdata/generic/key_25.h b/contrib/bind9/lib/dns/rdata/generic/key_25.h
new file mode 100644
index 0000000..e192a1b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/key_25.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_KEY_25_H
+#define GENERIC_KEY_25_H 1
+
+/* $Id: key_25.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
+
+/* RFC 2535 */
+
+typedef struct dns_rdata_key_t {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ isc_uint16_t flags;
+ isc_uint8_t protocol;
+ isc_uint8_t algorithm;
+ isc_uint16_t datalen;
+ unsigned char * data;
+} dns_rdata_key_t;
+
+
+#endif /* GENERIC_KEY_25_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.c b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
new file mode 100644
index 0000000..28003ab
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/loc_29.c
@@ -0,0 +1,794 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: loc_29.c,v 1.30.2.3.2.6 2004/03/06 08:14:06 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
+
+/* RFC 1876 */
+
+#ifndef RDATA_GENERIC_LOC_29_C
+#define RDATA_GENERIC_LOC_29_C
+
+#define RRTYPE_LOC_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_loc(ARGS_FROMTEXT) {
+ isc_token_t token;
+ int d1, m1, s1;
+ int d2, m2, s2;
+ unsigned char size;
+ unsigned char hp;
+ unsigned char vp;
+ unsigned char version;
+ isc_boolean_t east = ISC_FALSE;
+ isc_boolean_t north = ISC_FALSE;
+ long tmp;
+ long m;
+ long cm;
+ long poweroften[8] = { 1, 10, 100, 1000,
+ 10000, 100000, 1000000, 10000000 };
+ int man;
+ int exp;
+ char *e;
+ int i;
+ unsigned long latitude;
+ unsigned long longitude;
+ unsigned long altitude;
+
+ REQUIRE(type == 29);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+
+ /*
+ * Defaults.
+ */
+ m1 = s1 = 0;
+ m2 = s2 = 0;
+ size = 0x12; /* 1.00m */
+ hp = 0x16; /* 10000.00 m */
+ vp = 0x13; /* 10.00 m */
+ version = 0;
+
+ /*
+ * Degrees.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 90U)
+ RETTOK(ISC_R_RANGE);
+ d1 = (int)token.value.as_ulong;
+ /*
+ * Minutes.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+ north = ISC_TRUE;
+ if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
+ goto getlong;
+ m1 = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ if (m1 < 0 || m1 > 59)
+ RETTOK(ISC_R_RANGE);
+ if (d1 == 90 && m1 != 0)
+ RETTOK(ISC_R_RANGE);
+
+ /*
+ * Seconds.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+ north = ISC_TRUE;
+ if (north || strcasecmp(DNS_AS_STR(token), "S") == 0)
+ goto getlong;
+ s1 = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.')
+ RETTOK(DNS_R_SYNTAX);
+ if (s1 < 0 || s1 > 59)
+ RETTOK(ISC_R_RANGE);
+ if (*e == '.') {
+ const char *l;
+ e++;
+ for (i = 0; i < 3; i++) {
+ if (*e == 0)
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ s1 *= 10;
+ s1 += tmp;
+ }
+ for (; i < 3; i++)
+ s1 *= 10;
+ l = e;
+ while (*e != 0) {
+ if (decvalue(*e++) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ }
+ if (*l != '\0' && callbacks != NULL) {
+ const char *file = isc_lex_getsourcename(lexer);
+ unsigned long line = isc_lex_getsourceline(lexer);
+
+ if (file == NULL)
+ file = "UNKNOWN";
+ (*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+ "precision digits ignored",
+ "dns_rdata_fromtext", file, line,
+ DNS_AS_STR(token));
+ }
+ } else
+ s1 *= 1000;
+ if (d1 == 90 && s1 != 0)
+ RETTOK(ISC_R_RANGE);
+
+ /*
+ * Direction.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "N") == 0)
+ north = ISC_TRUE;
+ if (!north && strcasecmp(DNS_AS_STR(token), "S") != 0)
+ RETTOK(DNS_R_SYNTAX);
+
+ getlong:
+ /*
+ * Degrees.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 180U)
+ RETTOK(ISC_R_RANGE);
+ d2 = (int)token.value.as_ulong;
+
+ /*
+ * Minutes.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+ east = ISC_TRUE;
+ if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
+ goto getalt;
+ m2 = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ if (m2 < 0 || m2 > 59)
+ RETTOK(ISC_R_RANGE);
+ if (d2 == 180 && m2 != 0)
+ RETTOK(ISC_R_RANGE);
+
+ /*
+ * Seconds.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+ east = ISC_TRUE;
+ if (east || strcasecmp(DNS_AS_STR(token), "W") == 0)
+ goto getalt;
+ s2 = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.')
+ RETTOK(DNS_R_SYNTAX);
+ if (s2 < 0 || s2 > 59)
+ RETTOK(ISC_R_RANGE);
+ if (*e == '.') {
+ const char *l;
+ e++;
+ for (i = 0; i < 3; i++) {
+ if (*e == 0)
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ s2 *= 10;
+ s2 += tmp;
+ }
+ for (; i < 3; i++)
+ s2 *= 10;
+ l = e;
+ while (*e != 0) {
+ if (decvalue(*e++) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ }
+ if (*l != '\0' && callbacks != NULL) {
+ const char *file = isc_lex_getsourcename(lexer);
+ unsigned long line = isc_lex_getsourceline(lexer);
+
+ if (file == NULL)
+ file = "UNKNOWN";
+ (*callbacks->warn)(callbacks, "%s: %s:%u: '%s' extra "
+ "precision digits ignored",
+ "dns_rdata_fromtext",
+ file, line, DNS_AS_STR(token));
+ }
+ } else
+ s2 *= 1000;
+ if (d2 == 180 && s2 != 0)
+ RETTOK(ISC_R_RANGE);
+
+ /*
+ * Direction.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (strcasecmp(DNS_AS_STR(token), "E") == 0)
+ east = ISC_TRUE;
+ if (!east && strcasecmp(DNS_AS_STR(token), "W") != 0)
+ RETTOK(DNS_R_SYNTAX);
+
+ getalt:
+ /*
+ * Altitude.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ m = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.' && *e != 'm')
+ RETTOK(DNS_R_SYNTAX);
+ if (m < -100000 || m > 42849672)
+ RETTOK(ISC_R_RANGE);
+ cm = 0;
+ if (*e == '.') {
+ e++;
+ for (i = 0; i < 2; i++) {
+ if (*e == 0 || *e == 'm')
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ return (DNS_R_SYNTAX);
+ cm *= 10;
+ if (m < 0)
+ cm -= tmp;
+ else
+ cm += tmp;
+ }
+ for (; i < 2; i++)
+ cm *= 10;
+ }
+ if (*e == 'm')
+ e++;
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ if (m == -100000 && cm != 0)
+ RETTOK(ISC_R_RANGE);
+ if (m == 42849672 && cm > 95)
+ RETTOK(ISC_R_RANGE);
+ /*
+ * Adjust base.
+ */
+ altitude = m + 100000;
+ altitude *= 100;
+ altitude += cm;
+
+ /*
+ * Size: optional.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_TRUE));
+ if (token.type == isc_tokentype_eol ||
+ token.type == isc_tokentype_eof) {
+ isc_lex_ungettoken(lexer, &token);
+ goto encode;
+ }
+ m = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.' && *e != 'm')
+ RETTOK(DNS_R_SYNTAX);
+ if (m < 0 || m > 90000000)
+ RETTOK(ISC_R_RANGE);
+ cm = 0;
+ if (*e == '.') {
+ e++;
+ for (i = 0; i < 2; i++) {
+ if (*e == 0 || *e == 'm')
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ cm *= 10;
+ cm += tmp;
+ }
+ for (; i < 2; i++)
+ cm *= 10;
+ }
+ if (*e == 'm')
+ e++;
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ /*
+ * We don't just multiply out as we will overflow.
+ */
+ if (m > 0) {
+ for (exp = 0; exp < 7; exp++)
+ if (m < poweroften[exp+1])
+ break;
+ man = m / poweroften[exp];
+ exp += 2;
+ } else {
+ if (cm >= 10) {
+ man = cm / 10;
+ exp = 1;
+ } else {
+ man = cm;
+ exp = 0;
+ }
+ }
+ size = (man << 4) + exp;
+
+ /*
+ * Horizontal precision: optional.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_TRUE));
+ if (token.type == isc_tokentype_eol ||
+ token.type == isc_tokentype_eof) {
+ isc_lex_ungettoken(lexer, &token);
+ goto encode;
+ }
+ m = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.' && *e != 'm')
+ RETTOK(DNS_R_SYNTAX);
+ if (m < 0 || m > 90000000)
+ RETTOK(ISC_R_RANGE);
+ cm = 0;
+ if (*e == '.') {
+ e++;
+ for (i = 0; i < 2; i++) {
+ if (*e == 0 || *e == 'm')
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ cm *= 10;
+ cm += tmp;
+ }
+ for (; i < 2; i++)
+ cm *= 10;
+ }
+ if (*e == 'm')
+ e++;
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ /*
+ * We don't just multiply out as we will overflow.
+ */
+ if (m > 0) {
+ for (exp = 0; exp < 7; exp++)
+ if (m < poweroften[exp+1])
+ break;
+ man = m / poweroften[exp];
+ exp += 2;
+ } else if (cm >= 10) {
+ man = cm / 10;
+ exp = 1;
+ } else {
+ man = cm;
+ exp = 0;
+ }
+ hp = (man << 4) + exp;
+
+ /*
+ * Vertical precision: optional.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_TRUE));
+ if (token.type == isc_tokentype_eol ||
+ token.type == isc_tokentype_eof) {
+ isc_lex_ungettoken(lexer, &token);
+ goto encode;
+ }
+ m = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0 && *e != '.' && *e != 'm')
+ RETTOK(DNS_R_SYNTAX);
+ if (m < 0 || m > 90000000)
+ RETTOK(ISC_R_RANGE);
+ cm = 0;
+ if (*e == '.') {
+ e++;
+ for (i = 0; i < 2; i++) {
+ if (*e == 0 || *e == 'm')
+ break;
+ if ((tmp = decvalue(*e++)) < 0)
+ RETTOK(DNS_R_SYNTAX);
+ cm *= 10;
+ cm += tmp;
+ }
+ for (; i < 2; i++)
+ cm *= 10;
+ }
+ if (*e == 'm')
+ e++;
+ if (*e != 0)
+ RETTOK(DNS_R_SYNTAX);
+ /*
+ * We don't just multiply out as we will overflow.
+ */
+ if (m > 0) {
+ for (exp = 0; exp < 7; exp++)
+ if (m < poweroften[exp+1])
+ break;
+ man = m / poweroften[exp];
+ exp += 2;
+ } else if (cm >= 10) {
+ man = cm / 10;
+ exp = 1;
+ } else {
+ man = cm;
+ exp = 0;
+ }
+ vp = (man << 4) + exp;
+
+ encode:
+ RETERR(mem_tobuffer(target, &version, 1));
+ RETERR(mem_tobuffer(target, &size, 1));
+ RETERR(mem_tobuffer(target, &hp, 1));
+ RETERR(mem_tobuffer(target, &vp, 1));
+ if (north)
+ latitude = 0x80000000 + ( d1 * 3600 + m1 * 60 ) * 1000 + s1;
+ else
+ latitude = 0x80000000 - ( d1 * 3600 + m1 * 60 ) * 1000 - s1;
+ RETERR(uint32_tobuffer(latitude, target));
+
+ if (east)
+ longitude = 0x80000000 + ( d2 * 3600 + m2 * 60 ) * 1000 + s2;
+ else
+ longitude = 0x80000000 - ( d2 * 3600 + m2 * 60 ) * 1000 - s2;
+ RETERR(uint32_tobuffer(longitude, target));
+
+ return (uint32_tobuffer(altitude, target));
+}
+
+static inline isc_result_t
+totext_loc(ARGS_TOTEXT) {
+ int d1, m1, s1, fs1;
+ int d2, m2, s2, fs2;
+ unsigned long latitude;
+ unsigned long longitude;
+ unsigned long altitude;
+ isc_boolean_t north;
+ isc_boolean_t east;
+ isc_boolean_t below;
+ isc_region_t sr;
+ char buf[sizeof("89 59 59.999 N 179 59 59.999 E "
+ "42849672.95m 90000000m 90000000m 90000000m")];
+ char sbuf[sizeof("90000000m")];
+ char hbuf[sizeof("90000000m")];
+ char vbuf[sizeof("90000000m")];
+ unsigned char size, hp, vp;
+ unsigned long poweroften[8] = { 1, 10, 100, 1000,
+ 10000, 100000, 1000000, 10000000 };
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 29);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /* version = sr.base[0]; */
+ size = sr.base[1];
+ if ((size&0x0f)> 1)
+ sprintf(sbuf, "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
+ else
+ sprintf(sbuf, "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
+ hp = sr.base[2];
+ if ((hp&0x0f)> 1)
+ sprintf(hbuf, "%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
+ else
+ sprintf(hbuf, "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
+ vp = sr.base[3];
+ if ((vp&0x0f)> 1)
+ sprintf(vbuf, "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
+ else
+ sprintf(vbuf, "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
+ isc_region_consume(&sr, 4);
+
+ latitude = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ if (latitude >= 0x80000000) {
+ north = ISC_TRUE;
+ latitude -= 0x80000000;
+ } else {
+ north = ISC_FALSE;
+ latitude = 0x80000000 - latitude;
+ }
+ fs1 = (int)(latitude % 1000);
+ latitude /= 1000;
+ s1 = (int)(latitude % 60);
+ latitude /= 60;
+ m1 = (int)(latitude % 60);
+ latitude /= 60;
+ d1 = (int)latitude;
+
+ longitude = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ if (longitude >= 0x80000000) {
+ east = ISC_TRUE;
+ longitude -= 0x80000000;
+ } else {
+ east = ISC_FALSE;
+ longitude = 0x80000000 - longitude;
+ }
+ fs2 = (int)(longitude % 1000);
+ longitude /= 1000;
+ s2 = (int)(longitude % 60);
+ longitude /= 60;
+ m2 = (int)(longitude % 60);
+ longitude /= 60;
+ d2 = (int)longitude;
+
+ altitude = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ if (altitude < 10000000U) {
+ below = ISC_TRUE;
+ altitude = 10000000 - altitude;
+ } else {
+ below =ISC_FALSE;
+ altitude -= 10000000;
+ }
+
+ sprintf(buf, "%d %d %d.%03d %s %d %d %d.%03d %s %s%ld.%02ldm %s %s %s",
+ d1, m1, s1, fs1, north ? "N" : "S",
+ d2, m2, s2, fs2, east ? "E" : "W",
+ below ? "-" : "", altitude/100, altitude % 100,
+ sbuf, hbuf, vbuf);
+
+ return (str_totext(buf, target));
+}
+
+static inline isc_result_t
+fromwire_loc(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ unsigned char c;
+ unsigned long latitude;
+ unsigned long longitude;
+
+ REQUIRE(type == 29);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ if (sr.base[0] != 0)
+ return (ISC_R_NOTIMPLEMENTED);
+ if (sr.length < 16)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /*
+ * Size.
+ */
+ c = sr.base[1];
+ if (c != 0)
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+
+ /*
+ * Horizontal precision.
+ */
+ c = sr.base[2];
+ if (c != 0)
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+
+ /*
+ * Vertical precision.
+ */
+ c = sr.base[3];
+ if (c != 0)
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Latitude.
+ */
+ latitude = uint32_fromregion(&sr);
+ if (latitude < (0x80000000UL - 90 * 3600000) ||
+ latitude > (0x80000000UL + 90 * 3600000))
+ return (ISC_R_RANGE);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Longitude.
+ */
+ longitude = uint32_fromregion(&sr);
+ if (longitude < (0x80000000UL - 180 * 3600000) ||
+ longitude > (0x80000000UL + 180 * 3600000))
+ return (ISC_R_RANGE);
+
+ /*
+ * Altitiude.
+ * All values possible.
+ */
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_forward(source, 16);
+ return (mem_tobuffer(target, sr.base, 16));
+}
+
+static inline isc_result_t
+towire_loc(ARGS_TOWIRE) {
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 29);
+ REQUIRE(rdata->length != 0);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_loc(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 29);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_loc(ARGS_FROMSTRUCT) {
+ dns_rdata_loc_t *loc = source;
+ isc_uint8_t c;
+
+ REQUIRE(type == 29);
+ REQUIRE(source != NULL);
+ REQUIRE(loc->common.rdtype == type);
+ REQUIRE(loc->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ if (loc->v.v0.version != 0)
+ return (ISC_R_NOTIMPLEMENTED);
+ RETERR(uint8_tobuffer(loc->v.v0.version, target));
+
+ c = loc->v.v0.size;
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+ RETERR(uint8_tobuffer(loc->v.v0.size, target));
+
+ c = loc->v.v0.horizontal;
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+ RETERR(uint8_tobuffer(loc->v.v0.horizontal, target));
+
+ c = loc->v.v0.vertical;
+ if ((c&0xf) > 9 || ((c>>4)&0xf) > 9 || ((c>>4)&0xf) == 0)
+ return (ISC_R_RANGE);
+ RETERR(uint8_tobuffer(loc->v.v0.vertical, target));
+
+ if (loc->v.v0.latitude < (0x80000000UL - 90 * 3600000) ||
+ loc->v.v0.latitude > (0x80000000UL + 90 * 3600000))
+ return (ISC_R_RANGE);
+ RETERR(uint32_tobuffer(loc->v.v0.latitude, target));
+
+ if (loc->v.v0.longitude < (0x80000000UL - 180 * 3600000) ||
+ loc->v.v0.longitude > (0x80000000UL + 180 * 3600000))
+ return (ISC_R_RANGE);
+ RETERR(uint32_tobuffer(loc->v.v0.longitude, target));
+ return (uint32_tobuffer(loc->v.v0.altitude, target));
+}
+
+static inline isc_result_t
+tostruct_loc(ARGS_TOSTRUCT) {
+ dns_rdata_loc_t *loc = target;
+ isc_region_t r;
+ isc_uint8_t version;
+
+ REQUIRE(rdata->type == 29);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(mctx);
+
+ dns_rdata_toregion(rdata, &r);
+ version = uint8_fromregion(&r);
+ if (version != 0)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ loc->common.rdclass = rdata->rdclass;
+ loc->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&loc->common, link);
+
+ loc->v.v0.version = version;
+ isc_region_consume(&r, 1);
+ loc->v.v0.size = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ loc->v.v0.horizontal = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ loc->v.v0.vertical = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ loc->v.v0.latitude = uint32_fromregion(&r);
+ isc_region_consume(&r, 4);
+ loc->v.v0.longitude = uint32_fromregion(&r);
+ isc_region_consume(&r, 4);
+ loc->v.v0.altitude = uint32_fromregion(&r);
+ isc_region_consume(&r, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_loc(ARGS_FREESTRUCT) {
+ dns_rdata_loc_t *loc = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(loc->common.rdtype == 29);
+
+ UNUSED(source);
+ UNUSED(loc);
+}
+
+static inline isc_result_t
+additionaldata_loc(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 29);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_loc(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 29);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_loc(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 29);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_loc(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 29);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_LOC_29_C */
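Review bot: `totext_loc` uses the low nibble of the size, horizontal and vertical bytes as an index into the 8-entry `poweroften` table and `sprintf`s the product into 10-byte buffers with no check of its own; this stays in bounds only because `fromwire_loc` and `fromstruct_loc` reject nibbles above 9, and the function also reads 16 bytes after requiring only `rdata->length != 0`. Repeating the bounds locally, e.g. `if (sr.length < 16) return (ISC_R_UNEXPECTEDEND);` and `if ((size & 0x0f) > 9 || (size >> 4) > 9) return (ISC_R_RANGE);` (likewise for `hp` and `vp`), keeps a record that arrived by another path from reading past the table or overrunning `sbuf`/`hbuf`/`vbuf`. Separately, in `fromtext_loc` the altitude fraction takes its sign from `m < 0`, so "-0.50m" (where `strtol` yields 0) is stored as +0.50 m, and that loop's error path uses a bare `return (DNS_R_SYNTAX)` where the rest of the function uses `RETTOK`.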
diff --git a/contrib/bind9/lib/dns/rdata/generic/loc_29.h b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
new file mode 100644
index 0000000..cdca67b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/loc_29.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_LOC_29_H
+#define GENERIC_LOC_29_H 1
+
+/* $Id: loc_29.h,v 1.14.206.1 2004/03/06 08:14:06 marka Exp $ */
+
+/* RFC 1876 */
+
+typedef struct dns_rdata_loc_0 {
+ isc_uint8_t version; /* must be first and zero */
+ isc_uint8_t size;
+ isc_uint8_t horizontal;
+ isc_uint8_t vertical;
+ isc_uint32_t latitude;
+ isc_uint32_t longitude;
+ isc_uint32_t altitude;
+} dns_rdata_loc_0_t;
+
+typedef struct dns_rdata_loc {
+ dns_rdatacommon_t common;
+ union {
+ dns_rdata_loc_0_t v0;
+ } v;
+} dns_rdata_loc_t;
+
+#endif /* GENERIC_LOC_29_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.c b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
new file mode 100644
index 0000000..2562707
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mb_7.c
@@ -0,0 +1,234 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mb_7.c,v 1.41.206.2 2004/03/06 08:14:06 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
+
+#ifndef RDATA_GENERIC_MB_7_C
+#define RDATA_GENERIC_MB_7_C
+
+#define RRTYPE_MB_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mb(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 7);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mb(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 7);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mb(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 7);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mb(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 7);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mb(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 7);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mb(ARGS_FROMSTRUCT) {
+ dns_rdata_mb_t *mb = source;
+ isc_region_t region;
+
+ REQUIRE(type == 7);
+ REQUIRE(source != NULL);
+ REQUIRE(mb->common.rdtype == type);
+ REQUIRE(mb->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&mb->mb, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mb(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_mb_t *mb = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 7);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ mb->common.rdclass = rdata->rdclass;
+ mb->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&mb->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&mb->mb, NULL);
+ RETERR(name_duporclone(&name, mctx, &mb->mb));
+ mb->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mb(ARGS_FREESTRUCT) {
+ dns_rdata_mb_t *mb = source;
+
+ REQUIRE(source != NULL);
+
+ if (mb->mctx == NULL)
+ return;
+
+ dns_name_free(&mb->mb, mb->mctx);
+ mb->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mb(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 7);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_mb(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 7);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_mb(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 7);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (dns_name_ismailbox(name));
+}
+
+static inline isc_boolean_t
+checknames_mb(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 7);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MB_7_C */
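Review bot: `freestruct_mb` reads `mb->mctx` and may call `dns_name_free` after asserting only `source != NULL`. Unlike `freestruct_md`, `freestruct_mf` and `freestruct_mg` in this same import, it has no check on the structure's type, so a structure of a different rdata type passed by mistake would be reinterpreted instead of tripping the assertion. Adding `REQUIRE(mb->common.rdtype == 7);` after the `source != NULL` check would bring it in line with its siblings. Because this is vendored code, the change is better reported upstream than carried as a local patch.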
diff --git a/contrib/bind9/lib/dns/rdata/generic/mb_7.h b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
new file mode 100644
index 0000000..115ab49
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mb_7.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MB_7_H
+#define GENERIC_MB_7_H 1
+
+/* $Id: mb_7.h,v 1.22.206.1 2004/03/06 08:14:06 marka Exp $ */
+
+typedef struct dns_rdata_mb {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t mb;
+} dns_rdata_mb_t;
+
+#endif /* GENERIC_MB_7_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.c b/contrib/bind9/lib/dns/rdata/generic/md_3.c
new file mode 100644
index 0000000..7488d84
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/md_3.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: md_3.c,v 1.43.206.2 2004/03/06 08:14:07 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
+
+#ifndef RDATA_GENERIC_MD_3_C
+#define RDATA_GENERIC_MD_3_C
+
+#define RRTYPE_MD_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_md(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 3);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_md(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 3);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_md(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 3);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_md(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 3);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_md(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 3);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_md(ARGS_FROMSTRUCT) {
+ dns_rdata_md_t *md = source;
+ isc_region_t region;
+
+ REQUIRE(type == 3);
+ REQUIRE(source != NULL);
+ REQUIRE(md->common.rdtype == type);
+ REQUIRE(md->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&md->md, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_md(ARGS_TOSTRUCT) {
+ dns_rdata_md_t *md = target;
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 3);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ md->common.rdclass = rdata->rdclass;
+ md->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&md->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &r);
+ dns_name_fromregion(&name, &r);
+ dns_name_init(&md->md, NULL);
+ RETERR(name_duporclone(&name, mctx, &md->md));
+ md->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_md(ARGS_FREESTRUCT) {
+ dns_rdata_md_t *md = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(md->common.rdtype == 3);
+
+ if (md->mctx == NULL)
+ return;
+
+ dns_name_free(&md->md, md->mctx);
+ md->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_md(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 3);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_md(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 3);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_md(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 3);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_md(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 3);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MD_3_C */
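Review bot: In `tostruct_md`, `md->mctx = mctx;` is assigned only after `RETERR(name_duporclone(&name, mctx, &md->md));`, so on failure the function returns with `md->mctx` never written. `freestruct_md` uses `md->mctx == NULL` to decide whether to call `dns_name_free`. If a caller passes an uninitialised structure and frees it on the error path (callers are not visible here), that test reads an indeterminate pointer. Writing `md->mctx = NULL;` before the `RETERR` line would make the failed state safe to free. `tostruct_mb`, `tostruct_mf` and `tostruct_mg` use the same ordering.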
diff --git a/contrib/bind9/lib/dns/rdata/generic/md_3.h b/contrib/bind9/lib/dns/rdata/generic/md_3.h
new file mode 100644
index 0000000..8662829
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/md_3.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MD_3_H
+#define GENERIC_MD_3_H 1
+
+/* $Id: md_3.h,v 1.23.206.1 2004/03/06 08:14:07 marka Exp $ */
+
+typedef struct dns_rdata_md {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t md;
+} dns_rdata_md_t;
+
+
+#endif /* GENERIC_MD_3_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.c b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
new file mode 100644
index 0000000..b6c72d9
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mf_4.c
@@ -0,0 +1,235 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mf_4.c,v 1.41.206.2 2004/03/06 08:14:07 marka Exp $ */
+
+/* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
+
+#ifndef RDATA_GENERIC_MF_4_C
+#define RDATA_GENERIC_MF_4_C
+
+#define RRTYPE_MF_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mf(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 4);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mf(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 4);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mf(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 4);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mf(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 4);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mf(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 4);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mf(ARGS_FROMSTRUCT) {
+ dns_rdata_mf_t *mf = source;
+ isc_region_t region;
+
+ REQUIRE(type == 4);
+ REQUIRE(source != NULL);
+ REQUIRE(mf->common.rdtype == type);
+ REQUIRE(mf->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&mf->mf, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mf(ARGS_TOSTRUCT) {
+ dns_rdata_mf_t *mf = target;
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 4);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ mf->common.rdclass = rdata->rdclass;
+ mf->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&mf->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &r);
+ dns_name_fromregion(&name, &r);
+ dns_name_init(&mf->mf, NULL);
+ RETERR(name_duporclone(&name, mctx, &mf->mf));
+ mf->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mf(ARGS_FREESTRUCT) {
+ dns_rdata_mf_t *mf = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(mf->common.rdtype == 4);
+
+ if (mf->mctx == NULL)
+ return;
+ dns_name_free(&mf->mf, mf->mctx);
+ mf->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mf(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 4);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_mf(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 4);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_mf(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 4);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_mf(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 4);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MF_4_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mf_4.h b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
new file mode 100644
index 0000000..adb8254
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mf_4.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MF_4_H
+#define GENERIC_MF_4_H 1
+
+/* $Id: mf_4.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
+
+typedef struct dns_rdata_mf {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t mf;
+} dns_rdata_mf_t;
+
+#endif /* GENERIC_MF_4_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.c b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
new file mode 100644
index 0000000..26eac8dd
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mg_8.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mg_8.c,v 1.39.206.2 2004/03/06 08:14:07 marka Exp $ */
+
+/* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
+
+#ifndef RDATA_GENERIC_MG_8_C
+#define RDATA_GENERIC_MG_8_C
+
+#define RRTYPE_MG_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mg(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 8);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mg(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 8);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mg(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 8);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mg(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 8);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mg(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 8);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mg(ARGS_FROMSTRUCT) {
+ dns_rdata_mg_t *mg = source;
+ isc_region_t region;
+
+ REQUIRE(type == 8);
+ REQUIRE(source != NULL);
+ REQUIRE(mg->common.rdtype == type);
+ REQUIRE(mg->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&mg->mg, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mg(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_mg_t *mg = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 8);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ mg->common.rdclass = rdata->rdclass;
+ mg->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&mg->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&mg->mg, NULL);
+ RETERR(name_duporclone(&name, mctx, &mg->mg));
+ mg->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mg(ARGS_FREESTRUCT) {
+ dns_rdata_mg_t *mg = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(mg->common.rdtype == 8);
+
+ if (mg->mctx == NULL)
+ return;
+ dns_name_free(&mg->mg, mg->mctx);
+ mg->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mg(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 8);
+
+ UNUSED(add);
+ UNUSED(arg);
+ UNUSED(rdata);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_mg(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 8);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_mg(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 8);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (dns_name_ismailbox(name));
+}
+
+static inline isc_boolean_t
+checknames_mg(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 8);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MG_8_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mg_8.h b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
new file mode 100644
index 0000000..b45c2bf
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mg_8.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MG_8_H
+#define GENERIC_MG_8_H 1
+
+/* $Id: mg_8.h,v 1.21.206.1 2004/03/06 08:14:07 marka Exp $ */
+
+typedef struct dns_rdata_mg {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t mg;
+} dns_rdata_mg_t;
+
+#endif /* GENERIC_MG_8_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.c b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
new file mode 100644
index 0000000..a3c4a9c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/minfo_14.c
@@ -0,0 +1,324 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: minfo_14.c,v 1.40.12.4 2004/03/08 09:04:41 marka Exp $ */
+
+/* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
+
+#ifndef RDATA_GENERIC_MINFO_14_C
+#define RDATA_GENERIC_MINFO_14_C
+
+#define RRTYPE_MINFO_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_minfo(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ int i;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 14);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ for (i = 0; i < 2; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin,
+ options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ismailbox(&name);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_minfo(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t rmail;
+ dns_name_t email;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 14);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&rmail, NULL);
+ dns_name_init(&email, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, rmail.length);
+
+ dns_name_fromregion(&email, &region);
+ isc_region_consume(&region, email.length);
+
+ sub = name_prefix(&rmail, tctx->origin, &prefix);
+
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ RETERR(str_totext(" ", target));
+
+ sub = name_prefix(&email, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_minfo(ARGS_FROMWIRE) {
+ dns_name_t rmail;
+ dns_name_t email;
+
+ REQUIRE(type == 14);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&rmail, NULL);
+ dns_name_init(&email, NULL);
+
+ RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+ return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_minfo(ARGS_TOWIRE) {
+ isc_region_t region;
+ dns_name_t rmail;
+ dns_name_t email;
+ dns_offsets_t roffsets;
+ dns_offsets_t eoffsets;
+
+ REQUIRE(rdata->type == 14);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&rmail, roffsets);
+ dns_name_init(&email, eoffsets);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, name_length(&rmail));
+
+ RETERR(dns_name_towire(&rmail, cctx, target));
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, rmail.length);
+
+ return (dns_name_towire(&rmail, cctx, target));
+}
+
+static inline int
+compare_minfo(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 14);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ return (order);
+}
+
+static inline isc_result_t
+fromstruct_minfo(ARGS_FROMSTRUCT) {
+ dns_rdata_minfo_t *minfo = source;
+ isc_region_t region;
+
+ REQUIRE(type == 14);
+ REQUIRE(source != NULL);
+ REQUIRE(minfo->common.rdtype == type);
+ REQUIRE(minfo->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&minfo->rmailbox, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ dns_name_toregion(&minfo->emailbox, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_minfo(ARGS_TOSTRUCT) {
+ dns_rdata_minfo_t *minfo = target;
+ isc_region_t region;
+ dns_name_t name;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 14);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ minfo->common.rdclass = rdata->rdclass;
+ minfo->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&minfo->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&minfo->rmailbox, NULL);
+ RETERR(name_duporclone(&name, mctx, &minfo->rmailbox));
+ isc_region_consume(&region, name_length(&name));
+
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&minfo->emailbox, NULL);
+ result = name_duporclone(&name, mctx, &minfo->emailbox);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ minfo->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&minfo->rmailbox, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_minfo(ARGS_FREESTRUCT) {
+ dns_rdata_minfo_t *minfo = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(minfo->common.rdtype == 14);
+
+ if (minfo->mctx == NULL)
+ return;
+
+ dns_name_free(&minfo->rmailbox, minfo->mctx);
+ dns_name_free(&minfo->emailbox, minfo->mctx);
+ minfo->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_minfo(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 14);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_minfo(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 14);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ result = dns_name_digest(&name, digest, arg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_region_consume(&r, name_length(&name));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_minfo(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 14);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_minfo(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 14);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ismailbox(&name)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ isc_region_consume(&region, name_length(&name));
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ismailbox(&name)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MINFO_14_C */
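Review bot: In towire_minfo the second mailbox name is parsed back into `rmail` and written from it, so `email` and `eoffsets` are declared and initialised but never used. The wire output is presumably the same either way, but the reuse reads like a copy-paste slip and makes the two-name layout harder to audit. The last lines would be clearer as `dns_name_fromregion(&email, &region);` followed by `return (dns_name_towire(&email, cctx, target));`. Separately, the `cleanup:` path in tostruct_minfo returns `ISC_R_NOMEMORY` whatever name_duporclone reported; `return (result);` would preserve the actual error. Since this file is a vendor import, both changes are best proposed upstream.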
diff --git a/contrib/bind9/lib/dns/rdata/generic/minfo_14.h b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
new file mode 100644
index 0000000..84078b9
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/minfo_14.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MINFO_14_H
+#define GENERIC_MINFO_14_H 1
+
+/* $Id: minfo_14.h,v 1.22.206.1 2004/03/06 08:14:08 marka Exp $ */
+
+typedef struct dns_rdata_minfo {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t rmailbox;
+ dns_name_t emailbox;
+} dns_rdata_minfo_t;
+
+#endif /* GENERIC_MINFO_14_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.c b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
new file mode 100644
index 0000000..30da6cb
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mr_9.c
@@ -0,0 +1,231 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mr_9.c,v 1.38.206.2 2004/03/06 08:14:08 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
+
+#ifndef RDATA_GENERIC_MR_9_C
+#define RDATA_GENERIC_MR_9_C
+
+#define RRTYPE_MR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mr(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 9);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mr(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 9);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mr(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 9);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mr(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 9);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mr(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 9);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mr(ARGS_FROMSTRUCT) {
+ dns_rdata_mr_t *mr = source;
+ isc_region_t region;
+
+ REQUIRE(type == 9);
+ REQUIRE(source != NULL);
+ REQUIRE(mr->common.rdtype == type);
+ REQUIRE(mr->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&mr->mr, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mr(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_mr_t *mr = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 9);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ mr->common.rdclass = rdata->rdclass;
+ mr->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&mr->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&mr->mr, NULL);
+ RETERR(name_duporclone(&name, mctx, &mr->mr));
+ mr->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mr(ARGS_FREESTRUCT) {
+ dns_rdata_mr_t *mr = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(mr->common.rdtype == 9);
+
+ if (mr->mctx == NULL)
+ return;
+ dns_name_free(&mr->mr, mr->mctx);
+ mr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mr(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 9);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_mr(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 9);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_mr(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 9);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_mr(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 9);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MR_9_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mr_9.h b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
new file mode 100644
index 0000000..ba6e154
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mr_9.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MR_9_H
+#define GENERIC_MR_9_H 1
+
+/* $Id: mr_9.h,v 1.21.206.1 2004/03/06 08:14:08 marka Exp $ */
+
+typedef struct dns_rdata_mr {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t mr;
+} dns_rdata_mr_t;
+
+#endif /* GENERIC_MR_9_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.c b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
new file mode 100644
index 0000000..794249c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mx_15.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mx_15.c,v 1.48.2.1.2.3 2004/03/06 08:14:08 marka Exp $ */
+
+/* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
+
+#ifndef RDATA_GENERIC_MX_15_C
+#define RDATA_GENERIC_MX_15_C
+
+#define RRTYPE_MX_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_mx(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 15);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_mx(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 15);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+
+ RETERR(str_totext(" ", target));
+
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_mx(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sregion;
+
+ REQUIRE(type == 15);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+
+ isc_buffer_activeregion(source, &sregion);
+ if (sregion.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sregion.base, 2));
+ isc_buffer_forward(source, 2);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_mx(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 15);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_rdata_toregion(rdata, &region);
+ RETERR(mem_tobuffer(target, region.base, 2));
+ isc_region_consume(&region, 2);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_mx(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 15);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ order = memcmp(rdata1->data, rdata2->data, 2);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 2);
+ isc_region_consume(&region2, 2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_mx(ARGS_FROMSTRUCT) {
+ dns_rdata_mx_t *mx = source;
+ isc_region_t region;
+
+ REQUIRE(type == 15);
+ REQUIRE(source != NULL);
+ REQUIRE(mx->common.rdtype == type);
+ REQUIRE(mx->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(mx->pref, target));
+ dns_name_toregion(&mx->mx, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_mx(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_mx_t *mx = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 15);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ mx->common.rdclass = rdata->rdclass;
+ mx->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&mx->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ mx->pref = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&mx->mx, NULL);
+ RETERR(name_duporclone(&name, mctx, &mx->mx));
+ mx->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_mx(ARGS_FREESTRUCT) {
+ dns_rdata_mx_t *mx = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(mx->common.rdtype == 15);
+
+ if (mx->mctx == NULL)
+ return;
+
+ dns_name_free(&mx->mx, mx->mctx);
+ mx->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_mx(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 15);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_mx(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 15);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 2);
+ r1.length = 2;
+ RETERR((digest)(arg, &r1));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_mx(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 15);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_mx(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 15);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_MX_15_C */
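Review bot: The readers of the 2-byte preference rely on `REQUIRE(rdata->length != 0)`, which still admits a 1-byte rdata. towire_mx copies 2 bytes from `region.base` and compare_mx runs `memcmp(rdata1->data, rdata2->data, 2)` before anything else looks at the length. fromwire_mx does reject input shorter than 2 bytes, so wire-derived records are covered, but whether rdata built another way can reach these functions is not visible in this hunk. Tightening the precondition to `REQUIRE(rdata->length >= 2);`, and adding it to additionaldata_mx, digest_mx and checknames_mx, which have no length check at all, would make the assumption explicit. In totext_mx, `sprintf(buf, "%u", num)` fits only because `buf` is sized for five digits; `snprintf(buf, sizeof(buf), "%u", num)` removes that dependency.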
diff --git a/contrib/bind9/lib/dns/rdata/generic/mx_15.h b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
new file mode 100644
index 0000000..01225fa
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/mx_15.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_MX_15_H
+#define GENERIC_MX_15_H 1
+
+/* $Id: mx_15.h,v 1.24.206.1 2004/03/06 08:14:09 marka Exp $ */
+
+typedef struct dns_rdata_mx {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t pref;
+ dns_name_t mx;
+} dns_rdata_mx_t;
+
+#endif /* GENERIC_MX_15_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.c b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
new file mode 100644
index 0000000..bf32d63
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ns_2.c
@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ns_2.c,v 1.42.206.2 2004/03/06 08:14:09 marka Exp $ */
+
+/* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
+
+#ifndef RDATA_GENERIC_NS_2_C
+#define RDATA_GENERIC_NS_2_C
+
+#define RRTYPE_NS_ATTRIBUTES (DNS_RDATATYPEATTR_ZONECUTAUTH)
+
+static inline isc_result_t
+fromtext_ns(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 2);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token,isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_ns(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 2);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_ns(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 2);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_ns(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 2);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_ns(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 2);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_ns(ARGS_FROMSTRUCT) {
+ dns_rdata_ns_t *ns = source;
+ isc_region_t region;
+
+ REQUIRE(type == 2);
+ REQUIRE(source != NULL);
+ REQUIRE(ns->common.rdtype == type);
+ REQUIRE(ns->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&ns->name, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_ns(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_ns_t *ns = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 2);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ ns->common.rdclass = rdata->rdclass;
+ ns->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&ns->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&ns->name, NULL);
+ RETERR(name_duporclone(&name, mctx, &ns->name));
+ ns->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ns(ARGS_FREESTRUCT) {
+ dns_rdata_ns_t *ns = source;
+
+ REQUIRE(source != NULL);
+
+ if (ns->mctx == NULL)
+ return;
+
+ dns_name_free(&ns->name, ns->mctx);
+ ns->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ns(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 2);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_ns(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 2);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_ns(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 2);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_ns(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 2);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_NS_2_C */
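Review bot: freestruct_ns omits the type check that its siblings in this import carry. freestruct_mr, freestruct_mx and freestruct_minfo each assert `common.rdtype` before freeing, but here only `source != NULL` is required. Adding `REQUIRE(ns->common.rdtype == 2);` after the NULL check would catch a struct of the wrong type before `dns_name_free` runs on `ns->name`. A smaller point in fromtext_ns: `UNUSED(callbacks);` is misleading, because `callbacks` is tested and passed to warn_badname a few lines later. The same applies to fromtext_mx and fromtext_minfo.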
diff --git a/contrib/bind9/lib/dns/rdata/generic/ns_2.h b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
new file mode 100644
index 0000000..2bef1f8
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ns_2.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_NS_2_H
+#define GENERIC_NS_2_H 1
+
+/* $Id: ns_2.h,v 1.22.206.1 2004/03/06 08:14:09 marka Exp $ */
+
+typedef struct dns_rdata_ns {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t name;
+} dns_rdata_ns_t;
+
+
+#endif /* GENERIC_NS_2_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.c b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
new file mode 100644
index 0000000..74b7806
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec_47.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec_47.c,v 1.7.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
+
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
+
+#ifndef RDATA_GENERIC_NSEC_47_C
+#define RDATA_GENERIC_NSEC_47_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NSEC pair.
+ */
+#define RRTYPE_NSEC_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_nsec(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ unsigned char bm[8*1024]; /* 64k bits */
+ dns_rdatatype_t covered;
+ int octet;
+ int window;
+
+ REQUIRE(type == 47);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Next domain.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ memset(bm, 0, sizeof(bm));
+ do {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, ISC_TRUE));
+ if (token.type != isc_tokentype_string)
+ break;
+ RETTOK(dns_rdatatype_fromtext(&covered,
+ &token.value.as_textregion));
+ bm[covered/8] |= (0x80>>(covered%8));
+ } while (1);
+ isc_lex_ungettoken(lexer, &token);
+ for (window = 0; window < 256 ; window++) {
+ /*
+ * Find if we have a type in this window.
+ */
+ for (octet = 31; octet >= 0; octet--)
+ if (bm[window * 32 + octet] != 0)
+ break;
+ if (octet < 0)
+ continue;
+ RETERR(uint8_tobuffer(window, target));
+ RETERR(uint8_tobuffer(octet + 1, target));
+ RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_nsec(ARGS_TOTEXT) {
+ isc_region_t sr;
+ unsigned int i, j, k;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ unsigned int window, len;
+
+ REQUIRE(rdata->type == 47);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+
+ for (i = 0; i < sr.length; i += len) {
+ INSIST(i + 2 <= sr.length);
+ window = sr.base[i];
+ len = sr.base[i + 1];
+ INSIST(len > 0 && len <= 32);
+ i += 2;
+ INSIST(i + len <= sr.length);
+ for (j = 0; j < len; j++) {
+ dns_rdatatype_t t;
+ if (sr.base[i + j] == 0)
+ continue;
+ for (k = 0; k < 8; k++) {
+ if ((sr.base[i + j] & (0x80 >> k)) == 0)
+ continue;
+ t = window * 256 + j * 8 + k;
+ RETERR(str_totext(" ", target));
+ if (dns_rdatatype_isknown(t)) {
+ RETERR(dns_rdatatype_totext(t, target));
+ } else {
+ char buf[sizeof("TYPE65535")];
+ sprintf(buf, "TYPE%u", t);
+ RETERR(str_totext(buf, target));
+ }
+ }
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static /* inline */ isc_result_t
+fromwire_nsec(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ unsigned int window, lastwindow = 0;
+ unsigned int len;
+ isc_boolean_t first = ISC_TRUE;
+ unsigned int i;
+
+ REQUIRE(type == 47);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ isc_buffer_activeregion(source, &sr);
+ for (i = 0; i < sr.length; i += len) {
+ /*
+ * Check for overflow.
+ */
+ if (i + 2 > sr.length)
+ RETERR(DNS_R_FORMERR);
+ window = sr.base[i];
+ len = sr.base[i + 1];
+ i += 2;
+ /*
+ * Check that bitmap windows are in the correct order.
+ */
+ if (!first && window <= lastwindow)
+ RETERR(DNS_R_FORMERR);
+ /*
+ * Check for legal lengths.
+ */
+ if (len < 1 || len > 32)
+ RETERR(DNS_R_FORMERR);
+ /*
+ * Check for overflow.
+ */
+ if (i + len > sr.length)
+ RETERR(DNS_R_FORMERR);
+ /*
+ * The last octet of the bitmap must be non zero.
+ */
+ if (sr.base[i + len - 1] == 0)
+ RETERR(DNS_R_FORMERR);
+ lastwindow = window;
+ first = ISC_FALSE;
+ }
+ if (i != sr.length)
+ return (DNS_R_EXTRADATA);
+ if (first)
+ RETERR(DNS_R_FORMERR);
+ RETERR(mem_tobuffer(target, sr.base, sr.length));
+ isc_buffer_forward(source, sr.length);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 47);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ RETERR(dns_name_towire(&name, cctx, target));
+
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 47);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec(ARGS_FROMSTRUCT) {
+ dns_rdata_nsec_t *nsec = source;
+ isc_region_t region;
+ unsigned int i, len, window, lastwindow = 0;
+ isc_boolean_t first = ISC_TRUE;
+
+ REQUIRE(type == 47);
+ REQUIRE(source != NULL);
+ REQUIRE(nsec->common.rdtype == type);
+ REQUIRE(nsec->common.rdclass == rdclass);
+ REQUIRE(nsec->typebits != NULL || nsec->len == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&nsec->next, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ /*
+ * Perform sanity check.
+ */
+ for (i = 0; i < nsec->len ; i += len) {
+ INSIST(i + 2 <= nsec->len);
+ window = nsec->typebits[i];
+ len = nsec->typebits[i+1];
+ i += 2;
+ INSIST(first || window > lastwindow);
+ INSIST(len > 0 && len <= 32);
+ INSIST(i + len <= nsec->len);
+ INSIST(nsec->typebits[i + len - 1] != 0);
+ lastwindow = window;
+ first = ISC_FALSE;
+ }
+ INSIST(!first);
+ return (mem_tobuffer(target, nsec->typebits, nsec->len));
+}
+
+static inline isc_result_t
+tostruct_nsec(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_nsec_t *nsec = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 47);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ nsec->common.rdclass = rdata->rdclass;
+ nsec->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&nsec->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ isc_region_consume(&region, name_length(&name));
+ dns_name_init(&nsec->next, NULL);
+ RETERR(name_duporclone(&name, mctx, &nsec->next));
+
+ nsec->len = region.length;
+ nsec->typebits = mem_maybedup(mctx, region.base, region.length);
+ if (nsec->typebits == NULL)
+ goto cleanup;
+
+ nsec->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&nsec->next, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nsec(ARGS_FREESTRUCT) {
+ dns_rdata_nsec_t *nsec = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(nsec->common.rdtype == 47);
+
+ if (nsec->mctx == NULL)
+ return;
+
+ dns_name_free(&nsec->next, nsec->mctx);
+ if (nsec->typebits != NULL)
+ isc_mem_free(nsec->mctx, nsec->typebits);
+ nsec->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 47);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 47);
+
+ dns_rdata_toregion(rdata, &r);
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_nsec(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 47);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nsec(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 47);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_NSEC_47_C */
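Review bot: In fromstruct_nsec the preconditions contradict each other: `REQUIRE(nsec->typebits != NULL || nsec->len == 0)` admits an empty bitmap, but with `len == 0` the loop never runs and `INSIST(!first)` then fails. The whole bitmap check in this function is written as INSIST assertions, whereas fromwire_nsec returns DNS_R_FORMERR for the same conditions, so a caller that fills the struct from data it has not validated gets an assertion failure instead of an error result. Either tighten the precondition to `REQUIRE(nsec->typebits != NULL && nsec->len != 0);` or state the contract above the loop, for example `/* typebits must already be a well-formed, non-empty bitmap; violations are fatal. */`.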
diff --git a/contrib/bind9/lib/dns/rdata/generic/nsec_47.h b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
new file mode 100644
index 0000000..d76a25c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/nsec_47.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_NSEC_47_H
+#define GENERIC_NSEC_47_H 1
+
+/* $Id: nsec_47.h,v 1.4.2.1 2004/03/08 02:08:03 marka Exp $ */
+
+/* draft-ietf-dnsext-nsec-rdata-01.txt */
+
+typedef struct dns_rdata_nsec {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t next;
+ unsigned char *typebits;
+ isc_uint16_t len;
+} dns_rdata_nsec_t;
+
+#endif /* GENERIC_NSEC_47_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.c b/contrib/bind9/lib/dns/rdata/generic/null_10.c
new file mode 100644
index 0000000..492044d
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/null_10.c
@@ -0,0 +1,192 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: null_10.c,v 1.35.2.1.10.4 2004/03/08 09:04:41 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
+
+#ifndef RDATA_GENERIC_NULL_10_C
+#define RDATA_GENERIC_NULL_10_C
+
+#define RRTYPE_NULL_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_null(ARGS_FROMTEXT) {
+ REQUIRE(type == 10);
+
+ UNUSED(rdclass);
+ UNUSED(type);
+ UNUSED(lexer);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(target);
+ UNUSED(callbacks);
+
+ return (DNS_R_SYNTAX);
+}
+
+static inline isc_result_t
+totext_null(ARGS_TOTEXT) {
+ REQUIRE(rdata->type == 10);
+
+ UNUSED(rdata);
+ UNUSED(tctx);
+ UNUSED(target);
+
+ return (DNS_R_SYNTAX);
+}
+
+static inline isc_result_t
+fromwire_null(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 10);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_null(ARGS_TOWIRE) {
+ REQUIRE(rdata->type == 10);
+
+ UNUSED(cctx);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_null(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 10);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_null(ARGS_FROMSTRUCT) {
+ dns_rdata_null_t *null = source;
+
+ REQUIRE(type == 10);
+ REQUIRE(source != NULL);
+ REQUIRE(null->common.rdtype == type);
+ REQUIRE(null->common.rdclass == rdclass);
+ REQUIRE(null->data != NULL || null->length == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (mem_tobuffer(target, null->data, null->length));
+}
+
+static inline isc_result_t
+tostruct_null(ARGS_TOSTRUCT) {
+ dns_rdata_null_t *null = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 10);
+ REQUIRE(target != NULL);
+
+ null->common.rdclass = rdata->rdclass;
+ null->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&null->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ null->length = r.length;
+ null->data = mem_maybedup(mctx, r.base, r.length);
+ if (null->data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ null->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_null(ARGS_FREESTRUCT) {
+ dns_rdata_null_t *null = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(null->common.rdtype == 10);
+
+ if (null->mctx == NULL)
+ return;
+
+ if (null->data != NULL)
+ isc_mem_free(null->mctx, null->data);
+ null->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_null(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 10);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_null(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 10);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_null(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 10);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_null(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 10);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_NULL_10_C */
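Review bot: fromwire_null advances the source buffer with `isc_buffer_forward(source, sr.length)` before the result of `mem_tobuffer()` is known, so when the copy fails the input has already been consumed. fromwire_nsec and fromwire_nxt in this same import copy first and forward only on success; the same order here would be `RETERR(mem_tobuffer(target, sr.base, sr.length));`, then `isc_buffer_forward(source, sr.length);`, then `return (ISC_R_SUCCESS);`. Whether any caller looks at the source position after a failure is not visible from this hunk. As a style point, additionaldata_null marks `rdata` with UNUSED before the `REQUIRE(rdata->type == 10)` that uses it, the reverse of the order in the other functions of the file.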
diff --git a/contrib/bind9/lib/dns/rdata/generic/null_10.h b/contrib/bind9/lib/dns/rdata/generic/null_10.h
new file mode 100644
index 0000000..44a9e8f
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/null_10.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_NULL_10_H
+#define GENERIC_NULL_10_H 1
+
+/* $Id: null_10.h,v 1.20.206.1 2004/03/06 08:14:09 marka Exp $ */
+
+typedef struct dns_rdata_null {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t length;
+ unsigned char *data;
+} dns_rdata_null_t;
+
+
+#endif /* GENERIC_NULL_10_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.c b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
new file mode 100644
index 0000000..e4dba7f
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/nxt_30.c
@@ -0,0 +1,329 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nxt_30.c,v 1.49.2.2.2.9 2004/03/08 09:04:41 marka Exp $ */
+
+/* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_NXT_30_C
+#define RDATA_GENERIC_NXT_30_C
+
+/*
+ * The attributes do not include DNS_RDATATYPEATTR_SINGLETON
+ * because we must be able to handle a parent/child NXT pair.
+ */
+#define RRTYPE_NXT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_nxt(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ char *e;
+ unsigned char bm[8*1024]; /* 64k bits */
+ dns_rdatatype_t covered;
+ dns_rdatatype_t maxcovered = 0;
+ isc_boolean_t first = ISC_TRUE;
+ long n;
+
+ REQUIRE(type == 30);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Next domain.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ memset(bm, 0, sizeof(bm));
+ do {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, ISC_TRUE));
+ if (token.type != isc_tokentype_string)
+ break;
+ n = strtol(DNS_AS_STR(token), &e, 10);
+ if (e != DNS_AS_STR(token) && *e == '\0') {
+ covered = (dns_rdatatype_t)n;
+ } else if (dns_rdatatype_fromtext(&covered,
+ &token.value.as_textregion) == DNS_R_UNKNOWN)
+ RETTOK(DNS_R_UNKNOWN);
+ /*
+ * NXT is only specified for types 1..127.
+ */
+ if (covered < 1 || covered > 127)
+ return (ISC_R_RANGE);
+ if (first || covered > maxcovered)
+ maxcovered = covered;
+ first = ISC_FALSE;
+ bm[covered/8] |= (0x80>>(covered%8));
+ } while (1);
+ isc_lex_ungettoken(lexer, &token);
+ if (first)
+ return (ISC_R_SUCCESS);
+ n = (maxcovered + 8) / 8;
+ return (mem_tobuffer(target, bm, n));
+}
+
+static inline isc_result_t
+totext_nxt(ARGS_TOTEXT) {
+ isc_region_t sr;
+ unsigned int i, j;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 30);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ for (i = 0; i < sr.length; i++) {
+ if (sr.base[i] != 0)
+ for (j = 0; j < 8; j++)
+ if ((sr.base[i] & (0x80 >> j)) != 0) {
+ dns_rdatatype_t t = i * 8 + j;
+ RETERR(str_totext(" ", target));
+ if (dns_rdatatype_isknown(t)) {
+ RETERR(dns_rdatatype_totext(t,
+ target));
+ } else {
+ char buf[sizeof("65535")];
+ sprintf(buf, "%u", t);
+ RETERR(str_totext(buf,
+ target));
+ }
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nxt(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+
+ REQUIRE(type == 30);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length > 0 && (sr.base[0] & 0x80) == 0 &&
+ ((sr.length > 16) || sr.base[sr.length - 1] == 0))
+ return (DNS_R_BADBITMAP);
+ RETERR(mem_tobuffer(target, sr.base, sr.length));
+ isc_buffer_forward(source, sr.length);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nxt(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 30);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ RETERR(dns_name_towire(&name, cctx, target));
+
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nxt(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 30);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nxt(ARGS_FROMSTRUCT) {
+ dns_rdata_nxt_t *nxt = source;
+ isc_region_t region;
+
+ REQUIRE(type == 30);
+ REQUIRE(source != NULL);
+ REQUIRE(nxt->common.rdtype == type);
+ REQUIRE(nxt->common.rdclass == rdclass);
+ REQUIRE(nxt->typebits != NULL || nxt->len == 0);
+ if (nxt->typebits != NULL && (nxt->typebits[0] & 0x80) == 0) {
+ REQUIRE(nxt->len <= 16);
+ REQUIRE(nxt->typebits[nxt->len - 1] != 0);
+ }
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&nxt->next, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+
+ return (mem_tobuffer(target, nxt->typebits, nxt->len));
+}
+
+static inline isc_result_t
+tostruct_nxt(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_nxt_t *nxt = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 30);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ nxt->common.rdclass = rdata->rdclass;
+ nxt->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&nxt->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ isc_region_consume(&region, name_length(&name));
+ dns_name_init(&nxt->next, NULL);
+ RETERR(name_duporclone(&name, mctx, &nxt->next));
+
+ nxt->len = region.length;
+ nxt->typebits = mem_maybedup(mctx, region.base, region.length);
+ if (nxt->typebits == NULL)
+ goto cleanup;
+
+ nxt->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&nxt->next, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nxt(ARGS_FREESTRUCT) {
+ dns_rdata_nxt_t *nxt = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(nxt->common.rdtype == 30);
+
+ if (nxt->mctx == NULL)
+ return;
+
+ dns_name_free(&nxt->next, nxt->mctx);
+ if (nxt->typebits != NULL)
+ isc_mem_free(nxt->mctx, nxt->typebits);
+ nxt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nxt(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 30);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nxt(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 30);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ result = dns_name_digest(&name, digest, arg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_region_consume(&r, name_length(&name));
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_nxt(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 30);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nxt(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 30);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_NXT_30_C */
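Review bot: In fromtext_nxt a numeric type token is narrowed with `covered = (dns_rdatatype_t)n;` before the `covered < 1 || covered > 127` range check, so the check runs on the truncated value. Assuming dns_rdatatype_t is 16 bits wide (its definition is not in this hunk), an out-of-range number such as 65537 is accepted as type 1, and negative numbers wrap the same way. Testing the long inside the numeric branch before the cast, `if (n < 1 || n > 127) return (ISC_R_RANGE);`, rejects them. In fromstruct_nxt, `REQUIRE(nxt->typebits != NULL || nxt->len == 0)` still allows a non-NULL typebits with `len == 0`, and then `nxt->typebits[0]` and `nxt->typebits[nxt->len - 1]` are read outside the bitmap; adding `nxt->len != 0 &&` to the `if` condition closes that.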
diff --git a/contrib/bind9/lib/dns/rdata/generic/nxt_30.h b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
new file mode 100644
index 0000000..540135f
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/nxt_30.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_NXT_30_H
+#define GENERIC_NXT_30_H 1
+
+/* $Id: nxt_30.h,v 1.18.12.3 2004/03/08 09:04:41 marka Exp $ */
+
+/* RFC 2535 */
+
+typedef struct dns_rdata_nxt {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t next;
+ unsigned char *typebits;
+ isc_uint16_t len;
+} dns_rdata_nxt_t;
+
+#endif /* GENERIC_NXT_30_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.c b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
new file mode 100644
index 0000000..ac74a28
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/opt_41.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: opt_41.c,v 1.25.12.4 2004/03/08 09:04:41 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
+
+/* RFC 2671 */
+
+#ifndef RDATA_GENERIC_OPT_41_C
+#define RDATA_GENERIC_OPT_41_C
+
+#define RRTYPE_OPT_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON | \
+ DNS_RDATATYPEATTR_META | \
+ DNS_RDATATYPEATTR_NOTQUESTION)
+
+static inline isc_result_t
+fromtext_opt(ARGS_FROMTEXT) {
+ /*
+ * OPT records do not have a text format.
+ */
+
+ REQUIRE(type == 41);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(lexer);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(target);
+ UNUSED(callbacks);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+totext_opt(ARGS_TOTEXT) {
+ isc_region_t r;
+ isc_region_t or;
+ isc_uint16_t option;
+ isc_uint16_t length;
+ char buf[sizeof("64000 64000")];
+
+ /*
+ * OPT records do not have a text format.
+ */
+
+ REQUIRE(rdata->type == 41);
+
+ dns_rdata_toregion(rdata, &r);
+ while (r.length > 0) {
+ option = uint16_fromregion(&r);
+ isc_region_consume(&r, 2);
+ length = uint16_fromregion(&r);
+ isc_region_consume(&r, 2);
+ sprintf(buf, "%u %u", option, length);
+ RETERR(str_totext(buf, target));
+ INSIST(r.length >= length);
+ if (length > 0) {
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ or = r;
+ or.length = length;
+ RETERR(isc_base64_totext(&or, tctx->width - 2,
+ tctx->linebreak, target));
+ isc_region_consume(&r, length);
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ }
+ if (r.length > 0)
+ RETERR(str_totext(" ", target));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_opt(ARGS_FROMWIRE) {
+ isc_region_t sregion;
+ isc_region_t tregion;
+ isc_uint16_t length;
+ unsigned int total;
+
+ REQUIRE(type == 41);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sregion);
+ total = 0;
+ while (sregion.length != 0) {
+ if (sregion.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ /*
+ * Eat the 16bit option code. There is nothing to
+ * be done with it currently.
+ */
+ isc_region_consume(&sregion, 2);
+ length = uint16_fromregion(&sregion);
+ isc_region_consume(&sregion, 2);
+ total += 4;
+ if (sregion.length < length)
+ return (ISC_R_UNEXPECTEDEND);
+ isc_region_consume(&sregion, length);
+ total += length;
+ }
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+ if (tregion.length < total)
+ return (ISC_R_NOSPACE);
+ memcpy(tregion.base, sregion.base, total);
+ isc_buffer_forward(source, total);
+ isc_buffer_add(target, total);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_opt(ARGS_TOWIRE) {
+
+ REQUIRE(rdata->type == 41);
+
+ UNUSED(cctx);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_opt(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 41);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_opt(ARGS_FROMSTRUCT) {
+ dns_rdata_opt_t *opt = source;
+ isc_region_t region;
+ isc_uint16_t length;
+
+ REQUIRE(type == 41);
+ REQUIRE(source != NULL);
+ REQUIRE(opt->common.rdtype == type);
+ REQUIRE(opt->common.rdclass == rdclass);
+ REQUIRE(opt->options != NULL || opt->length == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ region.base = opt->options;
+ region.length = opt->length;
+ while (region.length >= 4) {
+ isc_region_consume(&region, 2); /* opt */
+ length = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ if (region.length < length)
+ return (ISC_R_UNEXPECTEDEND);
+ isc_region_consume(&region, length);
+ }
+ if (region.length != 0)
+ return (ISC_R_UNEXPECTEDEND);
+
+ return (mem_tobuffer(target, opt->options, opt->length));
+}
+
+static inline isc_result_t
+tostruct_opt(ARGS_TOSTRUCT) {
+ dns_rdata_opt_t *opt = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 41);
+ REQUIRE(target != NULL);
+
+ opt->common.rdclass = rdata->rdclass;
+ opt->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&opt->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ opt->length = r.length;
+ opt->options = mem_maybedup(mctx, r.base, r.length);
+ if (opt->options == NULL)
+ return (ISC_R_NOMEMORY);
+
+ opt->offset = 0;
+ opt->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_opt(ARGS_FREESTRUCT) {
+ dns_rdata_opt_t *opt = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(opt->common.rdtype == 41);
+
+ if (opt->mctx == NULL)
+ return;
+
+ if (opt->options != NULL)
+ isc_mem_free(opt->mctx, opt->options);
+ opt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_opt(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 41);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_opt(ARGS_DIGEST) {
+
+ /*
+ * OPT records are not digested.
+ */
+
+ REQUIRE(rdata->type == 41);
+
+ UNUSED(rdata);
+ UNUSED(digest);
+ UNUSED(arg);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_boolean_t
+checkowner_opt(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 41);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (dns_name_equal(name, dns_rootname));
+}
+
+static inline isc_boolean_t
+checknames_opt(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 41);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_OPT_41_C */
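Review bot: totext_opt reads the four-byte option header whenever `r.length > 0`, without the `sregion.length < 4` check that fromwire_opt makes, and it only reaches `INSIST(r.length >= length)` after the header has been formatted. If rdata can arrive here without having passed fromwire_opt or fromstruct_opt (not visible from this hunk), a truncated option ends in an assertion failure rather than an error result; `if (r.length < 4) return (ISC_R_UNEXPECTEDEND);` at the top of the loop, and the same test in place of the INSIST, would keep it an error. The buffer `char buf[sizeof("64000 64000")]` fits the largest output "65535 65535" only because both strings have the same length, so `sizeof("65535 65535")` states the intent. The comment "OPT records do not have a text format" in totext_opt is stale, since the function does emit text.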
diff --git a/contrib/bind9/lib/dns/rdata/generic/opt_41.h b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
new file mode 100644
index 0000000..c70ad90
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/opt_41.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_OPT_41_H
+#define GENERIC_OPT_41_H 1
+
+/* $Id: opt_41.h,v 1.13.206.1 2004/03/06 08:14:10 marka Exp $ */
+
+/* RFC 2671 */
+
+typedef struct dns_rdata_opt_opcode {
+ isc_uint16_t opcode;
+ isc_uint16_t length;
+ unsigned char *data;
+} dns_rdata_opt_opcode_t;
+
+typedef struct dns_rdata_opt {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *options;
+ isc_uint16_t length;
+ /* private */
+ isc_uint16_t offset;
+} dns_rdata_opt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_opt_first(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_next(dns_rdata_opt_t *);
+
+isc_result_t
+dns_rdata_opt_current(dns_rdata_opt_t *, dns_rdata_opt_opcode_t *);
+
+#endif /* GENERIC_OPT_41_H */
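Review bot: `dns_rdata_opt_first()`, `dns_rdata_opt_next()` and `dns_rdata_opt_current()` are declared without parameter names or any contract comment, and `dns_rdata_opt_opcode_t.data` does not say whether it owns the bytes it points to. Their definitions are not in this hunk, so the following needs confirming against opt_41.c: if `data` aliases the `options` buffer, a field comment such as `/* points into the dns_rdata_opt_t's options buffer; do not free, not valid after the struct is freed */` would spare callers a lifetime mistake. Naming the parameters (`dns_rdata_opt_t *opt`, `dns_rdata_opt_opcode_t *opcode`) and stating what each function returns at the end of the option list would complete the header.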
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.c b/contrib/bind9/lib/dns/rdata/generic/proforma.c
new file mode 100644
index 0000000..21c6577
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/proforma.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: proforma.c,v 1.30.12.4 2004/03/08 09:04:41 marka Exp $ */
+
+#ifndef RDATA_GENERIC_#_#_C
+#define RDATA_GENERIC_#_#_C
+
+#define RRTYPE_#_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_#(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == #);
+ REQUIRE(rdclass == #);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+totext_#(ARGS_TOTEXT) {
+
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+ REQUIRE(rdata->length != 0); /* XXX */
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+fromwire_#(ARGS_FROMWIRE) {
+
+ REQUIRE(type == #);
+ REQUIRE(rdclass == #);
+
+ /* NONE or GLOBAL14 */
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+towire_#(ARGS_TOWIRE) {
+
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+ REQUIRE(rdata->length != 0); /* XXX */
+
+ /* NONE or GLOBAL14 */
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline int
+compare_#(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == #);
+ REQUIRE(rdata1->rdclass == #);
+ REQUIRE(rdata1->length != 0); /* XXX */
+ REQUIRE(rdata2->length != 0); /* XXX */
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_#(ARGS_FROMSTRUCT) {
+ dns_rdata_#_t *# = source;
+
+ REQUIRE(type == #);
+ REQUIRE(rdclass == #);
+ REQUIRE(source != NULL);
+ REQUIRE(#->common.rdtype == type);
+ REQUIRE(#->common.rdclass == rdclass);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_result_t
+tostruct_#(ARGS_TOSTRUCT) {
+
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+ REQUIRE(rdata->length != 0); /* XXX */
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline void
+freestruct_#(ARGS_FREESTRUCT) {
+ dns_rdata_#_t *# = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(#->common.rdtype == #);
+ REQUIRE(#->common.rdclass == #);
+
+}
+
+static inline isc_result_t
+additionaldata_#(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+
+ (void)add;
+ (void)arg;
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_#(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_#(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == #);
+ REQUIRE(rdclass == #);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_#(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == #);
+ REQUIRE(rdata->rdclass == #);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_#_#_C */
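Review bot: `tostruct_#` in this template omits the `REQUIRE(target != NULL);` that the concrete converters later in this diff carry (`tostruct_ptr` and `tostruct_rp` both assert it), so a new type written from the skeleton starts without the NULL check. Adding `REQUIRE(target != NULL);` after the class check keeps the template in step with its instances. `additionaldata_#` also silences its arguments with `(void)add; (void)arg;` where the other functions here use `UNUSED()`; `UNUSED(add); UNUSED(arg);` would match.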
diff --git a/contrib/bind9/lib/dns/rdata/generic/proforma.h b/contrib/bind9/lib/dns/rdata/generic/proforma.h
new file mode 100644
index 0000000..5d5090e
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/proforma.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_PROFORMA_H
+#define GENERIC_PROFORMA_H 1
+
+/* $Id: proforma.h,v 1.18.206.1 2004/03/06 08:14:11 marka Exp $ */
+
+typedef struct dns_rdata_# {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx; /* if required */
+ /* type & class specific elements */
+} dns_rdata_#_t;
+
+#endif /* GENERIC_PROFORMA_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.c b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
new file mode 100644
index 0000000..9be93b3
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ptr_12.c
@@ -0,0 +1,291 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ptr_12.c,v 1.39.206.2 2004/03/06 08:14:11 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
+
+#ifndef RDATA_GENERIC_PTR_12_C
+#define RDATA_GENERIC_PTR_12_C
+
+#define RRTYPE_PTR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_ptr(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 12);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ if (rdclass == dns_rdataclass_in &&
+ (options & DNS_RDATA_CHECKNAMES) != 0 &&
+ (options & DNS_RDATA_CHECKREVERSE) != 0) {
+ isc_boolean_t ok;
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_ptr(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 12);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_ptr(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 12);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_ptr(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 12);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_ptr(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 12);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_ptr(ARGS_FROMSTRUCT) {
+ dns_rdata_ptr_t *ptr = source;
+ isc_region_t region;
+
+ REQUIRE(type == 12);
+ REQUIRE(source != NULL);
+ REQUIRE(ptr->common.rdtype == type);
+ REQUIRE(ptr->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&ptr->ptr, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_ptr(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_ptr_t *ptr = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 12);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ ptr->common.rdclass = rdata->rdclass;
+ ptr->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&ptr->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&ptr->ptr, NULL);
+ RETERR(name_duporclone(&name, mctx, &ptr->ptr));
+ ptr->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_ptr(ARGS_FREESTRUCT) {
+ dns_rdata_ptr_t *ptr = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(ptr->common.rdtype == 12);
+
+ if (ptr->mctx == NULL)
+ return;
+
+ dns_name_free(&ptr->ptr, ptr->mctx);
+ ptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_ptr(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 12);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_ptr(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 12);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_ptr(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 12);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static unsigned char ip6_arpa_data[] = "\003IP6\004ARPA";
+static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
+static const dns_name_t ip6_arpa =
+{
+ DNS_NAME_MAGIC,
+ ip6_arpa_data, 10, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ ip6_arpa_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+static unsigned char ip6_int_data[] = "\003IP6\003INT";
+static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
+static const dns_name_t ip6_int =
+{
+ DNS_NAME_MAGIC,
+ ip6_int_data, 9, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ ip6_int_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+static unsigned char in_addr_arpa_data[] = "\007IN-ADDR\004ARPA";
+static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
+static const dns_name_t in_addr_arpa =
+{
+ DNS_NAME_MAGIC,
+ in_addr_arpa_data, 14, 3,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ in_addr_arpa_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+static inline isc_boolean_t
+checknames_ptr(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 12);
+
+ if (rdata->rdclass != dns_rdataclass_in)
+ return (ISC_TRUE);
+
+ if (dns_name_issubdomain(owner, &in_addr_arpa) ||
+ dns_name_issubdomain(owner, &ip6_arpa) ||
+ dns_name_issubdomain(owner, &ip6_int)) {
+ dns_rdata_toregion(rdata, &region);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_PTR_12_C */
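Review bot: The three hand-built names before `checknames_ptr` (`ip6_arpa`, `ip6_int`, `in_addr_arpa`) carry lengths 10, 9 and 14 that are correct only because the string literal's terminating NUL is counted as the root label, and nothing in the file says so. A comment above the first table, such as `/* length includes the literal's trailing NUL, which serves as the root label; offsets index each label's length byte */`, would stop a later edit from "correcting" the count or adding a name whose length and data disagree, which `dns_name_issubdomain()` would then be handed as-is. Separately, `fromtext_ptr` marks `rdclass` and `callbacks` with `UNUSED()` and then uses both in the check-names branch; dropping those two lines avoids misleading the reader.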
diff --git a/contrib/bind9/lib/dns/rdata/generic/ptr_12.h b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
new file mode 100644
index 0000000..53e7920
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/ptr_12.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_PTR_12_H
+#define GENERIC_PTR_12_H 1
+
+/* $Id: ptr_12.h,v 1.22.206.1 2004/03/06 08:14:11 marka Exp $ */
+
+typedef struct dns_rdata_ptr {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t ptr;
+} dns_rdata_ptr_t;
+
+#endif /* GENERIC_PTR_12_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.c b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
new file mode 100644
index 0000000..27e02ee
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rp_17.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rp_17.c,v 1.35.12.4 2004/03/08 09:04:42 marka Exp $ */
+
+/* RFC 1183 */
+
+#ifndef RDATA_GENERIC_RP_17_C
+#define RDATA_GENERIC_RP_17_C
+
+#define RRTYPE_RP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_rp(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ int i;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 17);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ origin = (origin != NULL) ? origin : dns_rootname;
+
+ for (i = 0; i < 2; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ RETTOK(dns_name_fromtext(&name, &buffer, origin,
+ options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0 && i == 0)
+ ok = dns_name_ismailbox(&name);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_rp(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t rmail;
+ dns_name_t email;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 17);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&rmail, NULL);
+ dns_name_init(&email, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, rmail.length);
+
+ dns_name_fromregion(&email, &region);
+ isc_region_consume(&region, email.length);
+
+ sub = name_prefix(&rmail, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ RETERR(str_totext(" ", target));
+
+ sub = name_prefix(&email, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_rp(ARGS_FROMWIRE) {
+ dns_name_t rmail;
+ dns_name_t email;
+
+ REQUIRE(type == 17);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&rmail, NULL);
+ dns_name_init(&email, NULL);
+
+ RETERR(dns_name_fromwire(&rmail, source, dctx, options, target));
+ return (dns_name_fromwire(&email, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_rp(ARGS_TOWIRE) {
+ isc_region_t region;
+ dns_name_t rmail;
+ dns_name_t email;
+ dns_offsets_t roffsets;
+ dns_offsets_t eoffsets;
+
+ REQUIRE(rdata->type == 17);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_name_init(&rmail, roffsets);
+ dns_name_init(&email, eoffsets);
+
+ dns_rdata_toregion(rdata, &region);
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, rmail.length);
+
+ RETERR(dns_name_towire(&rmail, cctx, target));
+
+ dns_name_fromregion(&rmail, &region);
+ isc_region_consume(&region, rmail.length);
+
+ return (dns_name_towire(&rmail, cctx, target));
+}
+
+static inline int
+compare_rp(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 17);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_rp(ARGS_FROMSTRUCT) {
+ dns_rdata_rp_t *rp = source;
+ isc_region_t region;
+
+ REQUIRE(type == 17);
+ REQUIRE(source != NULL);
+ REQUIRE(rp->common.rdtype == type);
+ REQUIRE(rp->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&rp->mail, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ dns_name_toregion(&rp->text, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_rp(ARGS_TOSTRUCT) {
+ isc_result_t result;
+ isc_region_t region;
+ dns_rdata_rp_t *rp = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 17);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ rp->common.rdclass = rdata->rdclass;
+ rp->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&rp->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&rp->mail, NULL);
+ RETERR(name_duporclone(&name, mctx, &rp->mail));
+ isc_region_consume(&region, name_length(&name));
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&rp->text, NULL);
+ result = name_duporclone(&name, mctx, &rp->text);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ rp->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&rp->mail, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_rp(ARGS_FREESTRUCT) {
+ dns_rdata_rp_t *rp = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(rp->common.rdtype == 17);
+
+ if (rp->mctx == NULL)
+ return;
+
+ dns_name_free(&rp->mail, rp->mctx);
+ dns_name_free(&rp->text, rp->mctx);
+ rp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rp(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 17);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rp(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 17);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+
+ dns_name_fromregion(&name, &r);
+ RETERR(dns_name_digest(&name, digest, arg));
+ isc_region_consume(&r, name_length(&name));
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_rp(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 17);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rp(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 17);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ismailbox(&name)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_RP_17_C */
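Review bot: The `cleanup:` path in `tostruct_rp` returns a hard-coded `ISC_R_NOMEMORY` and drops the `result` it just received from the second `name_duporclone()` call, so any other failure code would be misreported to the caller; `return (result);` preserves it. In `towire_rp`, `email` and `eoffsets` are initialised but never used, because the second name is parsed back into `rmail`. Either parse it into `email` (`dns_name_fromregion(&email, &region);` followed by `dns_name_towire(&email, cctx, target)`) or remove the two unused locals. As far as these lines show, neither change alters the wire output.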
diff --git a/contrib/bind9/lib/dns/rdata/generic/rp_17.h b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
new file mode 100644
index 0000000..a88b9c0
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rp_17.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_RP_17_H
+#define GENERIC_RP_17_H 1
+
+/* $Id: rp_17.h,v 1.16.206.1 2004/03/06 08:14:11 marka Exp $ */
+
+/* RFC 1183 */
+
+typedef struct dns_rdata_rp {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t mail;
+ dns_name_t text;
+} dns_rdata_rp_t;
+
+
+#endif /* GENERIC_RP_17_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
new file mode 100644
index 0000000..ad43295
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.c
@@ -0,0 +1,551 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rrsig_46.c,v 1.4.2.3 2004/06/24 00:58:06 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_RRSIG_46_C
+#define RDATA_GENERIC_RRSIG_46_C
+
+#define RRTYPE_RRSIG_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_rrsig(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char c;
+ long i;
+ dns_rdatatype_t covered;
+ char *e;
+ isc_result_t result;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_uint32_t time_signed, time_expire;
+
+ REQUIRE(type == 46);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Type covered.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+ i = strtol(DNS_AS_STR(token), &e, 10);
+ if (i < 0 || i > 65535)
+ RETTOK(ISC_R_RANGE);
+ if (*e != 0)
+ RETTOK(result);
+ covered = (dns_rdatatype_t)i;
+ }
+ RETERR(uint16_tobuffer(covered, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &c, 1));
+
+ /*
+ * Labels.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ c = (unsigned char)token.value.as_ulong;
+ RETERR(mem_tobuffer(target, &c, 1));
+
+ /*
+ * Original ttl.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signature expiration.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+ RETERR(uint32_tobuffer(time_expire, target));
+
+ /*
+ * Time signed.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+ RETERR(uint32_tobuffer(time_signed, target));
+
+ /*
+ * Key footprint.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signer.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ /*
+ * Sig.
+ */
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_rrsig(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("4294967295")];
+ dns_rdatatype_t covered;
+ unsigned long ttl;
+ unsigned long when;
+ unsigned long exp;
+ unsigned long foot;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 46);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Type covered.
+ */
+ covered = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ /*
+ * XXXAG We should have something like dns_rdatatype_isknown()
+ * that does the right thing with type 0.
+ */
+ if (dns_rdatatype_isknown(covered) && covered != 0) {
+ RETERR(dns_rdatatype_totext(covered, target));
+ } else {
+ char buf[sizeof("TYPE65535")];
+ sprintf(buf, "TYPE%u", covered);
+ RETERR(str_totext(buf, target));
+ }
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Algorithm.
+ */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Labels.
+ */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Ttl.
+ */
+ ttl = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ sprintf(buf, "%lu", ttl);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Sig exp.
+ */
+ exp = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(exp, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+
+ /*
+ * Time signed.
+ */
+ when = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(when, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Footprint.
+ */
+ foot = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%lu", foot);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ /*
+ * Sig.
+ */
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_rrsig(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+
+ REQUIRE(type == 46);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ isc_buffer_activeregion(source, &sr);
+ /*
+ * type covered: 2
+ * algorithm: 1
+ * labels: 1
+ * original ttl: 4
+ * signature expiration: 4
+ * time signed: 4
+ * key footprint: 2
+ */
+ if (sr.length < 18)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, 18);
+ RETERR(mem_tobuffer(target, sr.base, 18));
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ /*
+ * Sig.
+ */
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_rrsig(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 46);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_rdata_toregion(rdata, &sr);
+ /*
+ * type covered: 2
+ * algorithm: 1
+ * labels: 1
+ * original ttl: 4
+ * signature expiration: 4
+ * time signed: 4
+ * key footprint: 2
+ */
+ RETERR(mem_tobuffer(target, sr.base, 18));
+ isc_region_consume(&sr, 18);
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ RETERR(dns_name_towire(&name, cctx, target));
+
+ /*
+ * Signature.
+ */
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_rrsig(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 46);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_rrsig(ARGS_FROMSTRUCT) {
+ dns_rdata_rrsig_t *sig = source;
+
+ REQUIRE(type == 46);
+ REQUIRE(source != NULL);
+ REQUIRE(sig->common.rdtype == type);
+ REQUIRE(sig->common.rdclass == rdclass);
+ REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /*
+ * Type covered.
+ */
+ RETERR(uint16_tobuffer(sig->covered, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(uint8_tobuffer(sig->algorithm, target));
+
+ /*
+ * Labels.
+ */
+ RETERR(uint8_tobuffer(sig->labels, target));
+
+ /*
+ * Original TTL.
+ */
+ RETERR(uint32_tobuffer(sig->originalttl, target));
+
+ /*
+ * Expire time.
+ */
+ RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+ /*
+ * Time signed.
+ */
+ RETERR(uint32_tobuffer(sig->timesigned, target));
+
+ /*
+ * Key ID.
+ */
+ RETERR(uint16_tobuffer(sig->keyid, target));
+
+ /*
+ * Signer name.
+ */
+ RETERR(name_tobuffer(&sig->signer, target));
+
+ /*
+ * Signature.
+ */
+ return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static inline isc_result_t
+tostruct_rrsig(ARGS_TOSTRUCT) {
+ isc_region_t sr;
+ dns_rdata_rrsig_t *sig = target;
+ dns_name_t signer;
+
+ REQUIRE(rdata->type == 46);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ sig->common.rdclass = rdata->rdclass;
+ sig->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&sig->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Type covered.
+ */
+ sig->covered = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Algorithm.
+ */
+ sig->algorithm = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Labels.
+ */
+ sig->labels = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Original TTL.
+ */
+ sig->originalttl = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Expire time.
+ */
+ sig->timeexpire = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Time signed.
+ */
+ sig->timesigned = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Key ID.
+ */
+ sig->keyid = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ dns_name_init(&signer, NULL);
+ dns_name_fromregion(&signer, &sr);
+ dns_name_init(&sig->signer, NULL);
+ RETERR(name_duporclone(&signer, mctx, &sig->signer));
+ isc_region_consume(&sr, name_length(&sig->signer));
+
+ /*
+ * Signature.
+ */
+ sig->siglen = sr.length;
+ sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+ if (sig->signature == NULL)
+ goto cleanup;
+
+
+ sig->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&sig->signer, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_rrsig(ARGS_FREESTRUCT) {
+ dns_rdata_rrsig_t *sig = (dns_rdata_rrsig_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(sig->common.rdtype == 46);
+
+ if (sig->mctx == NULL)
+ return;
+
+ dns_name_free(&sig->signer, sig->mctx);
+ if (sig->signature != NULL)
+ isc_mem_free(sig->mctx, sig->signature);
+ sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rrsig(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 46);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_rrsig(ARGS_DIGEST) {
+
+ REQUIRE(rdata->type == 46);
+
+ UNUSED(rdata);
+ UNUSED(digest);
+ UNUSED(arg);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline dns_rdatatype_t
+covers_rrsig(dns_rdata_t *rdata) {
+ dns_rdatatype_t type;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 46);
+
+ dns_rdata_toregion(rdata, &r);
+ type = uint16_fromregion(&r);
+
+ return (type);
+}
+
+static inline isc_boolean_t
+checkowner_rrsig(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 46);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rrsig(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 46);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_RRSIG_46_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
new file mode 100644
index 0000000..148604b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rrsig_46.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DNSSIG_46_H
+#define GENERIC_DNSSIG_46_H 1
+
+/* $Id: rrsig_46.h,v 1.3.2.1 2004/03/08 02:08:04 marka Exp $ */
+
+/* RFC 2535 */
+typedef struct dns_rdata_rrsig {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ dns_rdatatype_t covered;
+ dns_secalg_t algorithm;
+ isc_uint8_t labels;
+ isc_uint32_t originalttl;
+ isc_uint32_t timeexpire;
+ isc_uint32_t timesigned;
+ isc_uint16_t keyid;
+ dns_name_t signer;
+ isc_uint16_t siglen;
+ unsigned char * signature;
+} dns_rdata_rrsig_t;
+
+
+#endif /* GENERIC_DNSSIG_46_H */
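Review bot: The `/* RFC 2535 */` comment above `struct dns_rdata_rrsig` and the include guard `GENERIC_DNSSIG_46_H` do not match this file. RFC 2535 specifies SIG (type 24), as sig_24.h states, whereas RRSIG (type 46) comes from the later DNSSEC revision. The guard also still carries what looks like an earlier name for the record. I would rename the guard to `GENERIC_RRSIG_46_H`, in line with `GENERIC_RT_21_H` and `GENERIC_SIG_24_H`, and point the comment at the specification that actually defines RRSIG.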
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.c b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
new file mode 100644
index 0000000..0f568e3
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rt_21.c
@@ -0,0 +1,311 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rt_21.c,v 1.37.2.1.2.3 2004/03/06 08:14:11 marka Exp $ */
+
+/* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
+
+/* RFC 1183 */
+
+#ifndef RDATA_GENERIC_RT_21_C
+#define RDATA_GENERIC_RT_21_C
+
+#define RRTYPE_RT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_rt(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 21);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_rt(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 21);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_rt(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ REQUIRE(type == 21);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+ if (tregion.length < 2)
+ return (ISC_R_NOSPACE);
+ if (sregion.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ memcpy(tregion.base, sregion.base, 2);
+ isc_buffer_forward(source, 2);
+ isc_buffer_add(target, 2);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_rt(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+ isc_region_t tr;
+
+ REQUIRE(rdata->type == 21);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ isc_buffer_availableregion(target, &tr);
+ dns_rdata_toregion(rdata, &region);
+ if (tr.length < 2)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, region.base, 2);
+ isc_region_consume(&region, 2);
+ isc_buffer_add(target, 2);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_rt(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 21);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ order = memcmp(rdata1->data, rdata2->data, 2);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 2);
+ isc_region_consume(&region2, 2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_rt(ARGS_FROMSTRUCT) {
+ dns_rdata_rt_t *rt = source;
+ isc_region_t region;
+
+ REQUIRE(type == 21);
+ REQUIRE(source != NULL);
+ REQUIRE(rt->common.rdtype == type);
+ REQUIRE(rt->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(rt->preference, target));
+ dns_name_toregion(&rt->host, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_rt(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_rt_t *rt = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 21);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ rt->common.rdclass = rdata->rdclass;
+ rt->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&rt->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ rt->preference = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&rt->host, NULL);
+ RETERR(name_duporclone(&name, mctx, &rt->host));
+
+ rt->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_rt(ARGS_FREESTRUCT) {
+ dns_rdata_rt_t *rt = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(rt->common.rdtype == 21);
+
+ if (rt->mctx == NULL)
+ return;
+
+ dns_name_free(&rt->host, rt->mctx);
+ rt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_rt(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 21);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+
+ result = (add)(arg, &name, dns_rdatatype_x25);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = (add)(arg, &name, dns_rdatatype_isdn);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_rt(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ isc_result_t result;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 21);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 2);
+ r1.length = 2;
+ result = (digest)(arg, &r1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_rt(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 21);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_rt(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 21);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_RT_21_C */
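Review bot: The test in `checknames_rt` looks inverted. It clones the name into `bad` and returns `ISC_FALSE` when `dns_name_ishostname()` succeeds, so a valid host name is reported as bad and an invalid one is accepted. `fromtext_rt` in the same file treats a false result as the failure case (`ok = dns_name_ishostname(&name, ISC_FALSE);` followed by `if (!ok ...)`), so the two paths disagree on the same name. The condition should read `if (!dns_name_ishostname(&name, ISC_FALSE)) {`.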
diff --git a/contrib/bind9/lib/dns/rdata/generic/rt_21.h b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
new file mode 100644
index 0000000..32b0352
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/rt_21.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_RT_21_H
+#define GENERIC_RT_21_H 1
+
+/* $Id: rt_21.h,v 1.16.206.1 2004/03/06 08:14:12 marka Exp $ */
+
+/* RFC 1183 */
+
+typedef struct dns_rdata_rt {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t preference;
+ dns_name_t host;
+} dns_rdata_rt_t;
+
+#endif /* GENERIC_RT_21_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.c b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
new file mode 100644
index 0000000..39cb064
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/sig_24.c
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sig_24.c,v 1.54.2.1.2.7 2004/03/08 09:04:42 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
+
+/* RFC 2535 */
+
+#ifndef RDATA_GENERIC_SIG_24_C
+#define RDATA_GENERIC_SIG_24_C
+
+#define RRTYPE_SIG_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sig(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char c;
+ long i;
+ dns_rdatatype_t covered;
+ char *e;
+ isc_result_t result;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_uint32_t time_signed, time_expire;
+
+ REQUIRE(type == 24);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Type covered.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ result = dns_rdatatype_fromtext(&covered, &token.value.as_textregion);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTIMPLEMENTED) {
+ i = strtol(DNS_AS_STR(token), &e, 10);
+ if (i < 0 || i > 65535)
+ RETTOK(ISC_R_RANGE);
+ if (*e != 0)
+ RETTOK(result);
+ covered = (dns_rdatatype_t)i;
+ }
+ RETERR(uint16_tobuffer(covered, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_secalg_fromtext(&c, &token.value.as_textregion));
+ RETERR(mem_tobuffer(target, &c, 1));
+
+ /*
+ * Labels.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ c = (unsigned char)token.value.as_ulong;
+ RETERR(mem_tobuffer(target, &c, 1));
+
+ /*
+ * Original ttl.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signature expiration.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_expire));
+ RETERR(uint32_tobuffer(time_expire, target));
+
+ /*
+ * Time signed.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_time32_fromtext(DNS_AS_STR(token), &time_signed));
+ RETERR(uint32_tobuffer(time_signed, target));
+
+ /*
+ * Key footprint.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Signer.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ /*
+ * Sig.
+ */
+ return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sig(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("4294967295")];
+ dns_rdatatype_t covered;
+ unsigned long ttl;
+ unsigned long when;
+ unsigned long exp;
+ unsigned long foot;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 24);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Type covered.
+ */
+ covered = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ /*
+ * XXXAG We should have something like dns_rdatatype_isknown()
+ * that does the right thing with type 0.
+ */
+ if (dns_rdatatype_isknown(covered) && covered != 0) {
+ RETERR(dns_rdatatype_totext(covered, target));
+ } else {
+ char buf[sizeof("65535")];
+ sprintf(buf, "%u", covered);
+ RETERR(str_totext(buf, target));
+ }
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Algorithm.
+ */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Labels.
+ */
+ sprintf(buf, "%u", sr.base[0]);
+ isc_region_consume(&sr, 1);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Ttl.
+ */
+ ttl = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ sprintf(buf, "%lu", ttl);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Sig exp.
+ */
+ exp = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(exp, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+
+ /*
+ * Time signed.
+ */
+ when = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ RETERR(dns_time32_totext(when, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Footprint.
+ */
+ foot = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%lu", foot);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ /*
+ * Sig.
+ */
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sig(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+
+ REQUIRE(type == 24);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ isc_buffer_activeregion(source, &sr);
+ /*
+ * type covered: 2
+ * algorithm: 1
+ * labels: 1
+ * original ttl: 4
+ * signature expiration: 4
+ * time signed: 4
+ * key footprint: 2
+ */
+ if (sr.length < 18)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, 18);
+ RETERR(mem_tobuffer(target, sr.base, 18));
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ /*
+ * Sig.
+ */
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_sig(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 24);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_rdata_toregion(rdata, &sr);
+ /*
+ * type covered: 2
+ * algorithm: 1
+ * labels: 1
+ * original ttl: 4
+ * signature expiration: 4
+ * time signed: 4
+ * key footprint: 2
+ */
+ RETERR(mem_tobuffer(target, sr.base, 18));
+ isc_region_consume(&sr, 18);
+
+ /*
+ * Signer.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ isc_region_consume(&sr, name_length(&name));
+ RETERR(dns_name_towire(&name, cctx, target));
+
+ /*
+ * Signature.
+ */
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_sig(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 24);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+
+ INSIST(r1.length > 18);
+ INSIST(r2.length > 18);
+ r1.length = 18;
+ r2.length = 18;
+ order = isc_region_compare(&r1, &r2);
+ if (order != 0)
+ return (order);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ isc_region_consume(&r1, 18);
+ isc_region_consume(&r2, 18);
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sig(ARGS_FROMSTRUCT) {
+ dns_rdata_sig_t *sig = source;
+
+ REQUIRE(type == 24);
+ REQUIRE(source != NULL);
+ REQUIRE(sig->common.rdtype == type);
+ REQUIRE(sig->common.rdclass == rdclass);
+ REQUIRE(sig->signature != NULL || sig->siglen == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /*
+ * Type covered.
+ */
+ RETERR(uint16_tobuffer(sig->covered, target));
+
+ /*
+ * Algorithm.
+ */
+ RETERR(uint8_tobuffer(sig->algorithm, target));
+
+ /*
+ * Labels.
+ */
+ RETERR(uint8_tobuffer(sig->labels, target));
+
+ /*
+ * Original TTL.
+ */
+ RETERR(uint32_tobuffer(sig->originalttl, target));
+
+ /*
+ * Expire time.
+ */
+ RETERR(uint32_tobuffer(sig->timeexpire, target));
+
+ /*
+ * Time signed.
+ */
+ RETERR(uint32_tobuffer(sig->timesigned, target));
+
+ /*
+ * Key ID.
+ */
+ RETERR(uint16_tobuffer(sig->keyid, target));
+
+ /*
+ * Signer name.
+ */
+ RETERR(name_tobuffer(&sig->signer, target));
+
+ /*
+ * Signature.
+ */
+ return (mem_tobuffer(target, sig->signature, sig->siglen));
+}
+
+static inline isc_result_t
+tostruct_sig(ARGS_TOSTRUCT) {
+ isc_region_t sr;
+ dns_rdata_sig_t *sig = target;
+ dns_name_t signer;
+
+ REQUIRE(rdata->type == 24);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ sig->common.rdclass = rdata->rdclass;
+ sig->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&sig->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Type covered.
+ */
+ sig->covered = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Algorithm.
+ */
+ sig->algorithm = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Labels.
+ */
+ sig->labels = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Original TTL.
+ */
+ sig->originalttl = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Expire time.
+ */
+ sig->timeexpire = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Time signed.
+ */
+ sig->timesigned = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Key ID.
+ */
+ sig->keyid = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ dns_name_init(&signer, NULL);
+ dns_name_fromregion(&signer, &sr);
+ dns_name_init(&sig->signer, NULL);
+ RETERR(name_duporclone(&signer, mctx, &sig->signer));
+ isc_region_consume(&sr, name_length(&sig->signer));
+
+ /*
+ * Signature.
+ */
+ sig->siglen = sr.length;
+ sig->signature = mem_maybedup(mctx, sr.base, sig->siglen);
+ if (sig->signature == NULL)
+ goto cleanup;
+
+
+ sig->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&sig->signer, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_sig(ARGS_FREESTRUCT) {
+ dns_rdata_sig_t *sig = (dns_rdata_sig_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(sig->common.rdtype == 24);
+
+ if (sig->mctx == NULL)
+ return;
+
+ dns_name_free(&sig->signer, sig->mctx);
+ if (sig->signature != NULL)
+ isc_mem_free(sig->mctx, sig->signature);
+ sig->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sig(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 24);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sig(ARGS_DIGEST) {
+
+ REQUIRE(rdata->type == 24);
+
+ UNUSED(rdata);
+ UNUSED(digest);
+ UNUSED(arg);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline dns_rdatatype_t
+covers_sig(dns_rdata_t *rdata) {
+ dns_rdatatype_t type;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 24);
+
+ dns_rdata_toregion(rdata, &r);
+ type = uint16_fromregion(&r);
+
+ return (type);
+}
+
+static inline isc_boolean_t
+checkowner_sig(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 24);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_sig(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 24);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_SIG_24_C */
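Review bot: `towire_sig`, `totext_sig` and `tostruct_sig` read the 18-byte fixed header after only `REQUIRE(rdata->length != 0)`, whereas `compare_sig` in the same file asserts `INSIST(r1.length > 18)` before touching it. In `towire_sig` the copy `mem_tobuffer(target, sr.base, 18)` runs before `isc_region_consume(&sr, 18)`, so any length check inside the consume helper (not visible here) would come after the read. These functions presumably only see rdata that already passed the `sr.length < 18` check in `fromwire_sig`, but that is an assumption about callers. Stating the precondition locally with `REQUIRE(rdata->length > 18);` would make the three functions agree with `compare_sig`. The `towire_rrsig` and `tostruct_rrsig` functions in rrsig_46.c follow the same pattern.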
diff --git a/contrib/bind9/lib/dns/rdata/generic/sig_24.h b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
new file mode 100644
index 0000000..28bcac2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/sig_24.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_SIG_24_H
+#define GENERIC_SIG_24_H 1
+
+/* $Id: sig_24.h,v 1.21.206.1 2004/03/06 08:14:12 marka Exp $ */
+
+/* RFC 2535 */
+
+typedef struct dns_rdata_sig_t {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ dns_rdatatype_t covered;
+ dns_secalg_t algorithm;
+ isc_uint8_t labels;
+ isc_uint32_t originalttl;
+ isc_uint32_t timeexpire;
+ isc_uint32_t timesigned;
+ isc_uint16_t keyid;
+ dns_name_t signer;
+ isc_uint16_t siglen;
+ unsigned char * signature;
+} dns_rdata_sig_t;
+
+
+#endif /* GENERIC_SIG_24_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.c b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
new file mode 100644
index 0000000..7eeb36e
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/soa_6.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: soa_6.c,v 1.53.12.6 2004/03/08 09:04:42 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
+
+#ifndef RDATA_GENERIC_SOA_6_C
+#define RDATA_GENERIC_SOA_6_C
+
+#define RRTYPE_SOA_ATTRIBUTES (DNS_RDATATYPEATTR_SINGLETON)
+
+static inline isc_result_t
+fromtext_soa(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ int i;
+ isc_uint32_t n;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 6);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ origin = (origin != NULL) ? origin : dns_rootname;
+
+ for (i = 0; i < 2; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ RETTOK(dns_name_fromtext(&name, &buffer, origin,
+ options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ switch (i) {
+ case 0:
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ break;
+ case 1:
+ ok = dns_name_ismailbox(&name);
+ break;
+
+ }
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ }
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+ for (i = 0; i < 4; i++) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_FALSE));
+ RETTOK(dns_counter_fromtext(&token.value.as_textregion, &n));
+ RETERR(uint32_tobuffer(n, target));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static const char *soa_fieldnames[5] = {
+ "serial", "refresh", "retry", "expire", "minimum"
+};
+
+static inline isc_result_t
+totext_soa(ARGS_TOTEXT) {
+ isc_region_t dregion;
+ dns_name_t mname;
+ dns_name_t rname;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ int i;
+ isc_boolean_t multiline;
+ isc_boolean_t comment;
+
+ REQUIRE(rdata->type == 6);
+ REQUIRE(rdata->length != 0);
+
+ multiline = ISC_TF((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0);
+ comment = ISC_TF((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0);
+
+ dns_name_init(&mname, NULL);
+ dns_name_init(&rname, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &dregion);
+
+ dns_name_fromregion(&mname, &dregion);
+ isc_region_consume(&dregion, name_length(&mname));
+
+ dns_name_fromregion(&rname, &dregion);
+ isc_region_consume(&dregion, name_length(&rname));
+
+ sub = name_prefix(&mname, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ RETERR(str_totext(" ", target));
+
+ sub = name_prefix(&rname, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+
+ if (multiline)
+ RETERR(str_totext(" (" , target));
+ RETERR(str_totext(tctx->linebreak, target));
+
+ for (i = 0; i < 5; i++) {
+ char buf[sizeof("2147483647")];
+ unsigned long num;
+ unsigned int numlen;
+ num = uint32_fromregion(&dregion);
+ isc_region_consume(&dregion, 4);
+ numlen = sprintf(buf, "%lu", num);
+ INSIST(numlen > 0 && numlen < sizeof("2147483647"));
+ RETERR(str_totext(buf, target));
+ if (multiline && comment) {
+ RETERR(str_totext(" ; " + numlen, target));
+ RETERR(str_totext(soa_fieldnames[i], target));
+ /* Print times in week/day/hour/minute/second form */
+ if (i >= 1) {
+ RETERR(str_totext(" (", target));
+ RETERR(dns_ttl_totext(num, ISC_TRUE, target));
+ RETERR(str_totext(")", target));
+ }
+ RETERR(str_totext(tctx->linebreak, target));
+ } else if (i < 4) {
+ RETERR(str_totext(tctx->linebreak, target));
+ }
+ }
+
+ if (multiline)
+ RETERR(str_totext(")", target));
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_soa(ARGS_FROMWIRE) {
+ dns_name_t mname;
+ dns_name_t rname;
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ REQUIRE(type == 6);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&mname, NULL);
+ dns_name_init(&rname, NULL);
+
+ RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
+ RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+
+ if (sregion.length < 20)
+ return (ISC_R_UNEXPECTEDEND);
+ if (tregion.length < 20)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, 20);
+ isc_buffer_forward(source, 20);
+ isc_buffer_add(target, 20);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_soa(ARGS_TOWIRE) {
+ isc_region_t sregion;
+ isc_region_t tregion;
+ dns_name_t mname;
+ dns_name_t rname;
+ dns_offsets_t moffsets;
+ dns_offsets_t roffsets;
+
+ REQUIRE(rdata->type == 6);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+
+ dns_name_init(&mname, moffsets);
+ dns_name_init(&rname, roffsets);
+
+ dns_rdata_toregion(rdata, &sregion);
+
+ dns_name_fromregion(&mname, &sregion);
+ isc_region_consume(&sregion, name_length(&mname));
+ RETERR(dns_name_towire(&mname, cctx, target));
+
+ dns_name_fromregion(&rname, &sregion);
+ isc_region_consume(&sregion, name_length(&rname));
+ RETERR(dns_name_towire(&rname, cctx, target));
+
+ isc_buffer_availableregion(target, &tregion);
+ if (tregion.length < 20)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, 20);
+ isc_buffer_add(target, 20);
+ return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_soa(ARGS_COMPARE) {
+ isc_region_t region1;
+ isc_region_t region2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 6);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ return (isc_region_compare(&region1, &region2));
+}
+
+static inline isc_result_t
+fromstruct_soa(ARGS_FROMSTRUCT) {
+ dns_rdata_soa_t *soa = source;
+ isc_region_t region;
+
+ REQUIRE(type == 6);
+ REQUIRE(source != NULL);
+ REQUIRE(soa->common.rdtype == type);
+ REQUIRE(soa->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&soa->origin, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ dns_name_toregion(&soa->contact, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ RETERR(uint32_tobuffer(soa->serial, target));
+ RETERR(uint32_tobuffer(soa->refresh, target));
+ RETERR(uint32_tobuffer(soa->retry, target));
+ RETERR(uint32_tobuffer(soa->expire, target));
+ return (uint32_tobuffer(soa->minimum, target));
+}
+
+static inline isc_result_t
+tostruct_soa(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_soa_t *soa = target;
+ dns_name_t name;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 6);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ soa->common.rdclass = rdata->rdclass;
+ soa->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&soa->common, link);
+
+
+ dns_rdata_toregion(rdata, &region);
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ isc_region_consume(&region, name_length(&name));
+ dns_name_init(&soa->origin, NULL);
+ RETERR(name_duporclone(&name, mctx, &soa->origin));
+
+ dns_name_fromregion(&name, &region);
+ isc_region_consume(&region, name_length(&name));
+ dns_name_init(&soa->contact, NULL);
+ result = name_duporclone(&name, mctx, &soa->contact);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ soa->serial = uint32_fromregion(&region);
+ isc_region_consume(&region, 4);
+
+ soa->refresh = uint32_fromregion(&region);
+ isc_region_consume(&region, 4);
+
+ soa->retry = uint32_fromregion(&region);
+ isc_region_consume(&region, 4);
+
+ soa->expire = uint32_fromregion(&region);
+ isc_region_consume(&region, 4);
+
+ soa->minimum = uint32_fromregion(&region);
+
+ soa->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&soa->origin, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_soa(ARGS_FREESTRUCT) {
+ dns_rdata_soa_t *soa = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(soa->common.rdtype == 6);
+
+ if (soa->mctx == NULL)
+ return;
+
+ dns_name_free(&soa->origin, soa->mctx);
+ dns_name_free(&soa->contact, soa->mctx);
+ soa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_soa(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 6);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_soa(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 6);
+
+ dns_rdata_toregion(rdata, &r);
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ RETERR(dns_name_digest(&name, digest, arg));
+ isc_region_consume(&r, name_length(&name));
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ RETERR(dns_name_digest(&name, digest, arg));
+ isc_region_consume(&r, name_length(&name));
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_soa(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 6);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_soa(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 6);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ isc_region_consume(&region, name_length(&name));
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ismailbox(&name)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_SOA_6_C */
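Review bot: In towire_soa the `memcpy(tregion.base, sregion.base, 20)` is guarded only by the `tregion.length < 20` test on the destination. Nothing in the function checks that 20 bytes remain in `sregion` after the two names have been consumed, whereas fromwire_soa in the same file tests `sregion.length < 20` before its copy. If rdata reaching towire is guaranteed to have been validated (not visible from this hunk), record that as an assertion before the copy, e.g. `INSIST(sregion.length >= 20);`. Without that guarantee, a short rdata makes the memcpy read past the end of the source region.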
diff --git a/contrib/bind9/lib/dns/rdata/generic/soa_6.h b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
new file mode 100644
index 0000000..eca6dfd
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/soa_6.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_SOA_6_H
+#define GENERIC_SOA_6_H 1
+
+/* $Id: soa_6.h,v 1.27.206.1 2004/03/06 08:14:12 marka Exp $ */
+
+typedef struct dns_rdata_soa {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t origin;
+ dns_name_t contact;
+ isc_uint32_t serial; /* host order */
+ isc_uint32_t refresh; /* host order */
+ isc_uint32_t retry; /* host order */
+ isc_uint32_t expire; /* host order */
+ isc_uint32_t minimum; /* host order */
+} dns_rdata_soa_t;
+
+
+#endif /* GENERIC_SOA_6_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
new file mode 100644
index 0000000..eabf056
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sshfp_44.c,v 1.1.8.3 2004/03/06 08:14:13 marka Exp $ */
+
+/* draft-ietf-secsh-dns-05.txt */
+
+#ifndef RDATA_GENERIC_SSHFP_44_C
+#define RDATA_GENERIC_SSHFP_44_C
+
+#define RRTYPE_SSHFP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_sshfp(ARGS_FROMTEXT) {
+ isc_token_t token;
+
+ REQUIRE(type == 44);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Digest type.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint8_tobuffer(token.value.as_ulong, target));
+ type = (isc_uint16_t) token.value.as_ulong;
+
+ /*
+ * Digest.
+ */
+ return (isc_hex_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_sshfp(ARGS_TOTEXT) {
+ isc_region_t sr;
+ char buf[sizeof("64000 ")];
+ unsigned int n;
+
+ REQUIRE(rdata->type == 44);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Algorithm.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest type.
+ */
+ n = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Digest.
+ */
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_hex_totext(&sr, tctx->width - 2, tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_sshfp(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 44);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_sshfp(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 44);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_sshfp(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 44);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_sshfp(ARGS_FROMSTRUCT) {
+ dns_rdata_sshfp_t *sshfp = source;
+
+ REQUIRE(type == 44);
+ REQUIRE(source != NULL);
+ REQUIRE(sshfp->common.rdtype == type);
+ REQUIRE(sshfp->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint8_tobuffer(sshfp->algorithm, target));
+ RETERR(uint8_tobuffer(sshfp->digest_type, target));
+
+ return (mem_tobuffer(target, sshfp->digest, sshfp->length));
+}
+
+static inline isc_result_t
+tostruct_sshfp(ARGS_TOSTRUCT) {
+ dns_rdata_sshfp_t *sshfp = target;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 44);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ sshfp->common.rdclass = rdata->rdclass;
+ sshfp->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&sshfp->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+
+ sshfp->algorithm = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ sshfp->digest_type = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ sshfp->length = region.length;
+
+ sshfp->digest = mem_maybedup(mctx, region.base, region.length);
+ if (sshfp->digest == NULL)
+ return (ISC_R_NOMEMORY);
+
+ sshfp->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_sshfp(ARGS_FREESTRUCT) {
+ dns_rdata_sshfp_t *sshfp = source;
+
+ REQUIRE(sshfp != NULL);
+ REQUIRE(sshfp->common.rdtype == 44);
+
+ if (sshfp->mctx == NULL)
+ return;
+
+ if (sshfp->digest != NULL)
+ isc_mem_free(sshfp->mctx, sshfp->digest);
+ sshfp->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_sshfp(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 44);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_sshfp(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 44);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_sshfp(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 44);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_sshfp(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 44);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_SSHFP_44_C */
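Review bot: fromtext_sshfp marks the parameter with `UNUSED(type);` and then assigns `type = (isc_uint16_t) token.value.as_ulong;` after the digest-type token, but the value is never read before the function returns, so the store is dead and should be deleted. totext_sshfp has the mirror problem: `UNUSED(tctx);` is followed by uses of `tctx->flags`, `tctx->linebreak` and `tctx->width`, so that marker should be removed too. Neither changes behaviour, but stale markers in parsing code mislead the reader about which parameters are actually used.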
diff --git a/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
new file mode 100644
index 0000000..ccdefd4
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/sshfp_44.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sshfp_44.h,v 1.1.8.2 2004/03/06 08:14:13 marka Exp $ */
+
+/* draft-ietf-secsh-dns-05.txt */
+
+#ifndef GENERIC_SSHFP_44_H
+#define GENERIC_SSHFP_44_H 1
+
+typedef struct dns_rdata_sshfp {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint8_t algorithm;
+ isc_uint8_t digest_type;
+ isc_uint16_t length;
+ unsigned char *digest;
+} dns_rdata_sshfp_t;
+
+#endif /* GENERIC_SSHFP_44_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.c b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
new file mode 100644
index 0000000..da63167
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/tkey_249.c
@@ -0,0 +1,555 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tkey_249.c,v 1.48.2.1.2.6 2004/03/08 09:04:42 marka Exp $ */
+
+/*
+ * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
+ */
+
+/* draft-ietf-dnsext-tkey-01.txt */
+
+#ifndef RDATA_GENERIC_TKEY_249_C
+#define RDATA_GENERIC_TKEY_249_C
+
+#define RRTYPE_TKEY_ATTRIBUTES (DNS_RDATATYPEATTR_META)
+
+static inline isc_result_t
+fromtext_tkey(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_rcode_t rcode;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ long i;
+ char *e;
+
+ REQUIRE(type == 249);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Algorithm.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+
+ /*
+ * Inception.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Expiration.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Mode.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Error.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ if (dns_tsigrcode_fromtext(&rcode, &token.value.as_textregion)
+ != ISC_R_SUCCESS)
+ {
+ i = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e != 0)
+ RETTOK(DNS_R_UNKNOWN);
+ if (i < 0 || i > 0xffff)
+ RETTOK(ISC_R_RANGE);
+ rcode = (dns_rcode_t)i;
+ }
+ RETERR(uint16_tobuffer(rcode, target));
+
+ /*
+ * Key Size.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Key Data.
+ */
+ RETERR(isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+
+ /*
+ * Other Size.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Other Data.
+ */
+ return (isc_base64_tobuffer(lexer, target, (int)token.value.as_ulong));
+}
+
+static inline isc_result_t
+totext_tkey(ARGS_TOTEXT) {
+ isc_region_t sr, dr;
+ char buf[sizeof("4294967295 ")];
+ unsigned long n;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 249);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Algorithm.
+ */
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_name_fromregion(&name, &sr);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(str_totext(" ", target));
+ isc_region_consume(&sr, name_length(&name));
+
+ /*
+ * Inception.
+ */
+ n = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ sprintf(buf, "%lu ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Expiration.
+ */
+ n = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+ sprintf(buf, "%lu ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Mode.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%lu ", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Error.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
+ RETERR(str_totext(" ", target));
+ else {
+ sprintf(buf, "%lu ", n);
+ RETERR(str_totext(buf, target));
+ }
+
+ /*
+ * Key Size.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%lu", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Key Data.
+ */
+ REQUIRE(n <= sr.length);
+ dr = sr;
+ dr.length = n;
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&dr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" ) ", target));
+ else
+ RETERR(str_totext(" ", target));
+ isc_region_consume(&sr, n);
+
+ /*
+ * Other Size.
+ */
+ n = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ sprintf(buf, "%lu", n);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Other Data.
+ */
+ REQUIRE(n <= sr.length);
+ if (n != 0U) {
+ dr = sr;
+ dr.length = n;
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" (", target));
+ RETERR(str_totext(tctx->linebreak, target));
+ RETERR(isc_base64_totext(&dr, tctx->width - 2,
+ tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+ RETERR(str_totext(" )", target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_tkey(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ unsigned long n;
+ dns_name_t name;
+
+ REQUIRE(type == 249);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ /*
+ * Algorithm.
+ */
+ dns_name_init(&name, NULL);
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ /*
+ * Inception: 4
+ * Expiration: 4
+ * Mode: 2
+ * Error: 2
+ */
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 12)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, 12));
+ isc_region_consume(&sr, 12);
+ isc_buffer_forward(source, 12);
+
+ /*
+ * Key Length + Key Data.
+ */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ n = uint16_fromregion(&sr);
+ if (sr.length < n + 2)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, n + 2));
+ isc_region_consume(&sr, n + 2);
+ isc_buffer_forward(source, n + 2);
+
+ /*
+ * Other Length + Other Data.
+ */
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ n = uint16_fromregion(&sr);
+ if (sr.length < n + 2)
+ return (ISC_R_UNEXPECTEDEND);
+ isc_buffer_forward(source, n + 2);
+ return (mem_tobuffer(target, sr.base, n + 2));
+}
+
+static inline isc_result_t
+towire_tkey(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+
+ REQUIRE(rdata->type == 249);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ /*
+ * Algorithm.
+ */
+ dns_rdata_toregion(rdata, &sr);
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ RETERR(dns_name_towire(&name, cctx, target));
+ isc_region_consume(&sr, name_length(&name));
+
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_tkey(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+ dns_name_t name1;
+ dns_name_t name2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 249);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ /*
+ * Algorithm.
+ */
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_name_fromregion(&name1, &r1);
+ dns_name_fromregion(&name2, &r2);
+ if ((order = dns_name_rdatacompare(&name1, &name2)) != 0)
+ return (order);
+ isc_region_consume(&r1, name_length(&name1));
+ isc_region_consume(&r2, name_length(&name2));
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_tkey(ARGS_FROMSTRUCT) {
+ dns_rdata_tkey_t *tkey = source;
+
+ REQUIRE(type == 249);
+ REQUIRE(source != NULL);
+ REQUIRE(tkey->common.rdtype == type);
+ REQUIRE(tkey->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /*
+ * Algorithm Name.
+ */
+ RETERR(name_tobuffer(&tkey->algorithm, target));
+
+ /*
+ * Inception: 32 bits.
+ */
+ RETERR(uint32_tobuffer(tkey->inception, target));
+
+ /*
+ * Expire: 32 bits.
+ */
+ RETERR(uint32_tobuffer(tkey->expire, target));
+
+ /*
+ * Mode: 16 bits.
+ */
+ RETERR(uint16_tobuffer(tkey->mode, target));
+
+ /*
+ * Error: 16 bits.
+ */
+ RETERR(uint16_tobuffer(tkey->error, target));
+
+ /*
+ * Key size: 16 bits.
+ */
+ RETERR(uint16_tobuffer(tkey->keylen, target));
+
+ /*
+ * Key.
+ */
+ RETERR(mem_tobuffer(target, tkey->key, tkey->keylen));
+
+ /*
+ * Other size: 16 bits.
+ */
+ RETERR(uint16_tobuffer(tkey->otherlen, target));
+
+ /*
+ * Other data.
+ */
+ return (mem_tobuffer(target, tkey->other, tkey->otherlen));
+}
+
+static inline isc_result_t
+tostruct_tkey(ARGS_TOSTRUCT) {
+ dns_rdata_tkey_t *tkey = target;
+ dns_name_t alg;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 249);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ tkey->common.rdclass = rdata->rdclass;
+ tkey->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&tkey->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Algorithm Name.
+ */
+ dns_name_init(&alg, NULL);
+ dns_name_fromregion(&alg, &sr);
+ dns_name_init(&tkey->algorithm, NULL);
+ RETERR(name_duporclone(&alg, mctx, &tkey->algorithm));
+ isc_region_consume(&sr, name_length(&tkey->algorithm));
+
+ /*
+ * Inception.
+ */
+ tkey->inception = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Expire.
+ */
+ tkey->expire = uint32_fromregion(&sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Mode.
+ */
+ tkey->mode = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Error.
+ */
+ tkey->error = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Key size.
+ */
+ tkey->keylen = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Key.
+ */
+ tkey->key = mem_maybedup(mctx, sr.base, tkey->keylen);
+ if (tkey->key == NULL)
+ goto cleanup;
+ isc_region_consume(&sr, tkey->keylen);
+
+ /*
+ * Other size.
+ */
+ tkey->otherlen = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+
+ /*
+ * Other.
+ */
+ tkey->other = mem_maybedup(mctx, sr.base, tkey->otherlen);
+ if (tkey->other == NULL)
+ goto cleanup;
+
+ tkey->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL)
+ dns_name_free(&tkey->algorithm, mctx);
+ if (mctx != NULL && tkey->key != NULL)
+ isc_mem_free(mctx, tkey->key);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_tkey(ARGS_FREESTRUCT) {
+ dns_rdata_tkey_t *tkey = (dns_rdata_tkey_t *) source;
+
+ REQUIRE(source != NULL);
+
+ if (tkey->mctx == NULL)
+ return;
+
+ dns_name_free(&tkey->algorithm, tkey->mctx);
+ if (tkey->key != NULL)
+ isc_mem_free(tkey->mctx, tkey->key);
+ if (tkey->other != NULL)
+ isc_mem_free(tkey->mctx, tkey->other);
+ tkey->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_tkey(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 249);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_tkey(ARGS_DIGEST) {
+ UNUSED(rdata);
+ UNUSED(digest);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 249);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static inline isc_boolean_t
+checkowner_tkey(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 249);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_tkey(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 249);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_TKEY_249_C */
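Review bot: tostruct_tkey passes `tkey->keylen` and `tkey->otherlen`, both read from the rdata, to `mem_maybedup(mctx, sr.base, ...)` without first comparing them with `sr.length`. The only bound is whatever `isc_region_consume` enforces, and for the key that call runs after the copy. totext_tkey in the same file guards the same two fields with `REQUIRE(n <= sr.length)` before using them. Add the equivalent ahead of each copy, `REQUIRE(tkey->keylen <= sr.length);` and `REQUIRE(tkey->otherlen <= sr.length);`. If rdata reaching this function is not guaranteed to be pre-validated (not visible here), return an error through the `cleanup` label instead.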
diff --git a/contrib/bind9/lib/dns/rdata/generic/tkey_249.h b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
new file mode 100644
index 0000000..8e0081c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/tkey_249.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_TKEY_249_H
+#define GENERIC_TKEY_249_H 1
+
+/* $Id: tkey_249.h,v 1.18.206.2 2004/03/06 08:14:13 marka Exp $ */
+
+/* draft-ietf-dnsind-tkey-00.txt */
+
+typedef struct dns_rdata_tkey {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ dns_name_t algorithm;
+ isc_uint32_t inception;
+ isc_uint32_t expire;
+ isc_uint16_t mode;
+ isc_uint16_t error;
+ isc_uint16_t keylen;
+ unsigned char * key;
+ isc_uint16_t otherlen;
+ unsigned char * other;
+} dns_rdata_tkey_t;
+
+
+#endif /* GENERIC_TKEY_249_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.c b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
new file mode 100644
index 0000000..631d7af
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/txt_16.c
@@ -0,0 +1,238 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: txt_16.c,v 1.37.12.4 2004/03/08 09:04:42 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
+
+#ifndef RDATA_GENERIC_TXT_16_C
+#define RDATA_GENERIC_TXT_16_C
+
+#define RRTYPE_TXT_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_txt(ARGS_FROMTEXT) {
+ isc_token_t token;
+ int strings;
+
+ REQUIRE(type == 16);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ strings = 0;
+ for (;;) {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_qstring,
+ ISC_TRUE));
+ if (token.type != isc_tokentype_qstring &&
+ token.type != isc_tokentype_string)
+ break;
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ strings++;
+ }
+ /* Let upper layer handle eol/eof. */
+ isc_lex_ungettoken(lexer, &token);
+ return (strings == 0 ? ISC_R_UNEXPECTEDEND : ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_txt(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 16);
+
+ dns_rdata_toregion(rdata, &region);
+
+ while (region.length > 0) {
+ RETERR(txt_totext(&region, target));
+ if (region.length > 0)
+ RETERR(str_totext(" ", target));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_txt(ARGS_FROMWIRE) {
+ isc_result_t result;
+
+ REQUIRE(type == 16);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ do {
+ result = txt_fromwire(source, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } while (!buffer_empty(source));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_txt(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 16);
+
+ UNUSED(cctx);
+
+ isc_buffer_availableregion(target, &region);
+ if (region.length < rdata->length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, rdata->data, rdata->length);
+ isc_buffer_add(target, rdata->length);
+ return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_txt(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 16);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_txt(ARGS_FROMSTRUCT) {
+ dns_rdata_txt_t *txt = source;
+ isc_region_t region;
+ isc_uint8_t length;
+
+ REQUIRE(type == 16);
+ REQUIRE(source != NULL);
+ REQUIRE(txt->common.rdtype == type);
+ REQUIRE(txt->common.rdclass == rdclass);
+ REQUIRE(txt->txt != NULL && txt->txt_len != 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ region.base = txt->txt;
+ region.length = txt->txt_len;
+ while (region.length > 0) {
+ length = uint8_fromregion(&region);
+ isc_region_consume(&region, 1);
+ if (region.length <= length)
+ return (ISC_R_UNEXPECTEDEND);
+ isc_region_consume(&region, length);
+ }
+
+ return (mem_tobuffer(target, txt->txt, txt->txt_len));
+}
+
+static inline isc_result_t
+tostruct_txt(ARGS_TOSTRUCT) {
+ dns_rdata_txt_t *txt = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 16);
+ REQUIRE(target != NULL);
+
+ txt->common.rdclass = rdata->rdclass;
+ txt->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&txt->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ txt->txt_len = r.length;
+ txt->txt = mem_maybedup(mctx, r.base, r.length);
+ if (txt->txt == NULL)
+ return (ISC_R_NOMEMORY);
+
+ txt->offset = 0;
+ txt->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_txt(ARGS_FREESTRUCT) {
+ dns_rdata_txt_t *txt = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(txt->common.rdtype == 16);
+
+ if (txt->mctx == NULL)
+ return;
+
+ if (txt->txt != NULL)
+ isc_mem_free(txt->mctx, txt->txt);
+ txt->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_txt(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 16);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_txt(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 16);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_txt(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 16);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_txt(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 16);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_TXT_16_C */
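Review bot: In fromstruct_txt the bounds test `if (region.length <= length)` rejects every well-formed input, not just truncated ones. Once the length octet is consumed, a remaining length equal to `length` means the final character-string exactly fills the rest of the buffer. The loop can only end by consuming such a string, so with the REQUIRE on `txt_len != 0` the function returns ISC_R_UNEXPECTEDEND on every call. Only a shorter remainder indicates truncation, so the check should read `if (region.length < length)`. The current form fails closed and is memory-safe, but since this is imported code the correction should also go upstream.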
diff --git a/contrib/bind9/lib/dns/rdata/generic/txt_16.h b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
new file mode 100644
index 0000000..db5019c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/txt_16.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_TXT_16_H
+#define GENERIC_TXT_16_H 1
+
+/* $Id: txt_16.h,v 1.23.206.1 2004/03/06 08:14:14 marka Exp $ */
+
+typedef struct dns_rdata_txt_string {
+ isc_uint8_t length;
+ unsigned char *data;
+} dns_rdata_txt_string_t;
+
+typedef struct dns_rdata_txt {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *txt;
+ isc_uint16_t txt_len;
+ /* private */
+ isc_uint16_t offset;
+} dns_rdata_txt_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_txt_first(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_next(dns_rdata_txt_t *);
+
+isc_result_t
+dns_rdata_txt_current(dns_rdata_txt_t *, dns_rdata_txt_string_t *);
+
+#endif /* GENERIC_TXT_16_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.c b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
new file mode 100644
index 0000000..157e9a1
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/unspec_103.c
@@ -0,0 +1,189 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: unspec_103.c,v 1.28.2.1.10.4 2004/03/08 09:04:43 marka Exp $ */
+
+#ifndef RDATA_GENERIC_UNSPEC_103_C
+#define RDATA_GENERIC_UNSPEC_103_C
+
+#define RRTYPE_UNSPEC_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_unspec(ARGS_FROMTEXT) {
+
+ REQUIRE(type == 103);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ return (atob_tobuffer(lexer, target));
+}
+
+static inline isc_result_t
+totext_unspec(ARGS_TOTEXT) {
+
+ REQUIRE(rdata->type == 103);
+
+ UNUSED(tctx);
+
+ return (btoa_totext(rdata->data, rdata->length, target));
+}
+
+static inline isc_result_t
+fromwire_unspec(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 103);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_unspec(ARGS_TOWIRE) {
+
+ REQUIRE(rdata->type == 103);
+
+ UNUSED(cctx);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_unspec(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 103);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_unspec(ARGS_FROMSTRUCT) {
+ dns_rdata_unspec_t *unspec = source;
+
+ REQUIRE(type == 103);
+ REQUIRE(source != NULL);
+ REQUIRE(unspec->common.rdtype == type);
+ REQUIRE(unspec->common.rdclass == rdclass);
+ REQUIRE(unspec->data != NULL || unspec->datalen == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (mem_tobuffer(target, unspec->data, unspec->datalen));
+}
+
+static inline isc_result_t
+tostruct_unspec(ARGS_TOSTRUCT) {
+ dns_rdata_unspec_t *unspec = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 103);
+ REQUIRE(target != NULL);
+
+ unspec->common.rdclass = rdata->rdclass;
+ unspec->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&unspec->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ unspec->datalen = r.length;
+ unspec->data = mem_maybedup(mctx, r.base, r.length);
+ if (unspec->data == NULL)
+ return (ISC_R_NOMEMORY);
+
+ unspec->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_unspec(ARGS_FREESTRUCT) {
+ dns_rdata_unspec_t *unspec = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(unspec->common.rdtype == 103);
+
+ if (unspec->mctx == NULL)
+ return;
+
+ if (unspec->data != NULL)
+ isc_mem_free(unspec->mctx, unspec->data);
+ unspec->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_unspec(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 103);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_unspec(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 103);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_unspec(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 103);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_unspec(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 103);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_UNSPEC_103_C */
diff --git a/contrib/bind9/lib/dns/rdata/generic/unspec_103.h b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
new file mode 100644
index 0000000..021e308
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/unspec_103.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_UNSPEC_103_H
+#define GENERIC_UNSPEC_103_H 1
+
+/* $Id: unspec_103.h,v 1.12.206.1 2004/03/06 08:14:14 marka Exp $ */
+
+typedef struct dns_rdata_unspec_t {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *data;
+ isc_uint16_t datalen;
+} dns_rdata_unspec_t;
+
+#endif /* GENERIC_UNSPEC_103_H */
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.c b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
new file mode 100644
index 0000000..2f123ad
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/x25_19.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: x25_19.c,v 1.31.12.4 2004/03/08 09:04:43 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
+
+/* RFC 1183 */
+
+#ifndef RDATA_GENERIC_X25_19_C
+#define RDATA_GENERIC_X25_19_C
+
+#define RRTYPE_X25_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_x25(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned int i;
+
+ REQUIRE(type == 19);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE));
+ if (token.value.as_textregion.length < 4)
+ RETTOK(DNS_R_SYNTAX);
+ for (i = 0; i < token.value.as_textregion.length; i++)
+ if (!isdigit(token.value.as_textregion.base[i] & 0xff))
+ RETTOK(ISC_R_RANGE);
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_x25(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 19);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &region);
+ return (txt_totext(&region, target));
+}
+
+static inline isc_result_t
+fromwire_x25(ARGS_FROMWIRE) {
+ isc_region_t sr;
+
+ REQUIRE(type == 19);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 5)
+ return (DNS_R_FORMERR);
+ return (txt_fromwire(source, target));
+}
+
+static inline isc_result_t
+towire_x25(ARGS_TOWIRE) {
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 19);
+ REQUIRE(rdata->length != 0);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_x25(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 19);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_x25(ARGS_FROMSTRUCT) {
+ dns_rdata_x25_t *x25 = source;
+ isc_uint8_t i;
+
+ REQUIRE(type == 19);
+ REQUIRE(source != NULL);
+ REQUIRE(x25->common.rdtype == type);
+ REQUIRE(x25->common.rdclass == rdclass);
+ REQUIRE(x25->x25 != NULL && x25->x25_len != 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ if (x25->x25_len < 4)
+ return (ISC_R_RANGE);
+
+ for (i = 0; i < x25->x25_len; i++)
+ if (!isdigit(x25->x25[i] & 0xff))
+ return (ISC_R_RANGE);
+
+ RETERR(uint8_tobuffer(x25->x25_len, target));
+ return (mem_tobuffer(target, x25->x25, x25->x25_len));
+}
+
+static inline isc_result_t
+tostruct_x25(ARGS_TOSTRUCT) {
+ dns_rdata_x25_t *x25 = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 19);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ x25->common.rdclass = rdata->rdclass;
+ x25->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&x25->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ x25->x25_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ x25->x25 = mem_maybedup(mctx, r.base, x25->x25_len);
+ if (x25->x25 == NULL)
+ return (ISC_R_NOMEMORY);
+
+ x25->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_x25(ARGS_FREESTRUCT) {
+ dns_rdata_x25_t *x25 = source;
+ REQUIRE(source != NULL);
+ REQUIRE(x25->common.rdtype == 19);
+
+ if (x25->mctx == NULL)
+ return;
+
+ if (x25->x25 != NULL)
+ isc_mem_free(x25->mctx, x25->x25);
+ x25->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_x25(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 19);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_x25(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 19);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_x25(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 19);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_x25(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 19);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_GENERIC_X25_19_C */
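Review bot: tostruct_x25 reads `x25_len` from the first octet of the rdata and hands it to mem_maybedup without comparing it to the bytes left in `r`. The only precondition is `REQUIRE(rdata->length != 0)`. Rdata produced by fromwire_x25 is presumably consistent, because txt_fromwire is expected to validate the length octet, but that check is not visible here and nothing in this function enforces it. If an rdata arrived with a length octet larger than the remaining data, the duplicate would read past the region. A local guard after the `isc_region_consume(&r, 1)` call makes the function self-contained: `if (r.length < x25->x25_len) return (ISC_R_UNEXPECTEDEND);`.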
diff --git a/contrib/bind9/lib/dns/rdata/generic/x25_19.h b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
new file mode 100644
index 0000000..bcb74cf
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/generic/x25_19.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_X25_19_H
+#define GENERIC_X25_19_H 1
+
+/* $Id: x25_19.h,v 1.13.206.1 2004/03/06 08:14:14 marka Exp $ */
+
+/* RFC 1183 */
+
+typedef struct dns_rdata_x25 {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *x25;
+ isc_uint8_t x25_len;
+} dns_rdata_x25_t;
+
+#endif /* GENERIC_X25_19_H */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.c b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
new file mode 100644
index 0000000..07d6adc
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/hs_4/a_1.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: a_1.c,v 1.25.12.4 2004/03/08 09:04:43 marka Exp $ */
+
+/* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
+
+#ifndef RDATA_HS_4_A_1_C
+#define RDATA_HS_4_A_1_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_hs_a(ARGS_FROMTEXT) {
+ isc_token_t token;
+ struct in_addr addr;
+ isc_region_t region;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 4);
+
+ UNUSED(type);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ RETTOK(DNS_R_BADDOTTEDQUAD);
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 4)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, &addr, 4);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_hs_a(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &region);
+ return (inet_totext(AF_INET, &region, target));
+}
+
+static inline isc_result_t
+fromwire_hs_a(ARGS_FROMWIRE) {
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 4);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+ if (sregion.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ if (tregion.length < 4)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, 4);
+ isc_buffer_forward(source, 4);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_hs_a(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(cctx);
+
+ isc_buffer_availableregion(target, &region);
+ if (region.length < rdata->length)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, rdata->data, rdata->length);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_hs_a(ARGS_COMPARE) {
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 1);
+ REQUIRE(rdata1->rdclass == 4);
+ REQUIRE(rdata1->length == 4);
+ REQUIRE(rdata2->length == 4);
+
+ order = memcmp(rdata1->data, rdata2->data, 4);
+ if (order != 0)
+ order = (order < 0) ? -1 : 1;
+
+ return (order);
+}
+
+static inline isc_result_t
+fromstruct_hs_a(ARGS_FROMSTRUCT) {
+ dns_rdata_hs_a_t *a = source;
+ isc_uint32_t n;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 4);
+ REQUIRE(source != NULL);
+ REQUIRE(a->common.rdtype == type);
+ REQUIRE(a->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ n = ntohl(a->in_addr.s_addr);
+
+ return (uint32_tobuffer(n, target));
+}
+
+static inline isc_result_t
+tostruct_hs_a(ARGS_TOSTRUCT) {
+ dns_rdata_hs_a_t *a = target;
+ isc_uint32_t n;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(mctx);
+
+ a->common.rdclass = rdata->rdclass;
+ a->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&a->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+ n = uint32_fromregion(&region);
+ a->in_addr.s_addr = htonl(n);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_hs_a(ARGS_FREESTRUCT) {
+ UNUSED(source);
+
+ REQUIRE(source != NULL);
+}
+
+static inline isc_result_t
+additionaldata_hs_a(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_hs_a(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_hs_a(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 4);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_hs_a(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 4);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_HS_4_A_1_C */
diff --git a/contrib/bind9/lib/dns/rdata/hs_4/a_1.h b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
new file mode 100644
index 0000000..c06c648
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/hs_4/a_1.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HS_4_A_1_H
+#define HS_4_A_1_H 1
+
+/* $Id: a_1.h,v 1.7.206.1 2004/03/06 08:14:15 marka Exp $ */
+
+typedef struct dns_rdata_hs_a {
+ dns_rdatacommon_t common;
+ struct in_addr in_addr;
+} dns_rdata_hs_a_t;
+
+#endif /* HS_4_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.c b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
new file mode 100644
index 0000000..ded70c1
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/a6_38.c
@@ -0,0 +1,461 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: a6_38.c,v 1.46.2.1.2.5 2004/03/08 09:04:43 marka Exp $ */
+
+/* RFC2874 */
+
+#ifndef RDATA_IN_1_A6_28_C
+#define RDATA_IN_1_A6_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_A6_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_a6(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char addr[16];
+ unsigned char prefixlen;
+ unsigned char octets;
+ unsigned char mask;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 38);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Prefix length.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 128U)
+ RETTOK(ISC_R_RANGE);
+
+ prefixlen = (unsigned char)token.value.as_ulong;
+ RETERR(mem_tobuffer(target, &prefixlen, 1));
+
+ /*
+ * Suffix.
+ */
+ if (prefixlen != 128) {
+ /*
+ * Prefix 0..127.
+ */
+ octets = prefixlen/8;
+ /*
+ * Octets 0..15.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string,
+ ISC_FALSE));
+ if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
+ RETTOK(DNS_R_BADAAAA);
+ mask = 0xff >> (prefixlen % 8);
+ addr[octets] &= mask;
+ RETERR(mem_tobuffer(target, &addr[octets], 16 - octets));
+ }
+
+ if (prefixlen == 0)
+ return (ISC_R_SUCCESS);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_a6(ARGS_TOTEXT) {
+ isc_region_t sr, ar;
+ unsigned char addr[16];
+ unsigned char prefixlen;
+ unsigned char octets;
+ unsigned char mask;
+ char buf[sizeof("128")];
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+ prefixlen = sr.base[0];
+ INSIST(prefixlen <= 128);
+ isc_region_consume(&sr, 1);
+ sprintf(buf, "%u", prefixlen);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ if (prefixlen != 128) {
+ octets = prefixlen/8;
+ memset(addr, 0, sizeof(addr));
+ memcpy(&addr[octets], sr.base, 16 - octets);
+ mask = 0xff >> (prefixlen % 8);
+ addr[octets] &= mask;
+ ar.base = addr;
+ ar.length = sizeof(addr);
+ RETERR(inet_totext(AF_INET6, &ar, target));
+ isc_region_consume(&sr, 16 - octets);
+ }
+
+ if (prefixlen == 0)
+ return (ISC_R_SUCCESS);
+
+ RETERR(str_totext(" ", target));
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+ dns_name_fromregion(&name, &sr);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_a6(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ unsigned char prefixlen;
+ unsigned char octets;
+ unsigned char mask;
+ dns_name_t name;
+
+ REQUIRE(type == 38);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ isc_buffer_activeregion(source, &sr);
+ /*
+ * Prefix length.
+ */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ prefixlen = sr.base[0];
+ if (prefixlen > 128)
+ return (ISC_R_RANGE);
+ isc_region_consume(&sr, 1);
+ RETERR(mem_tobuffer(target, &prefixlen, 1));
+ isc_buffer_forward(source, 1);
+
+ /*
+ * Suffix.
+ */
+ if (prefixlen != 128) {
+ octets = 16 - prefixlen / 8;
+ if (sr.length < octets)
+ return (ISC_R_UNEXPECTEDEND);
+ mask = 0xff >> (prefixlen % 8);
+ sr.base[0] &= mask; /* Ensure pad bits are zero. */
+ RETERR(mem_tobuffer(target, sr.base, octets));
+ isc_buffer_forward(source, octets);
+ }
+
+ if (prefixlen == 0)
+ return (ISC_R_SUCCESS);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_a6(ARGS_TOWIRE) {
+ isc_region_t sr;
+ dns_name_t name;
+ dns_offsets_t offsets;
+ unsigned char prefixlen;
+ unsigned char octets;
+
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_rdata_toregion(rdata, &sr);
+ prefixlen = sr.base[0];
+ INSIST(prefixlen <= 128);
+
+ octets = 1 + 16 - prefixlen / 8;
+ RETERR(mem_tobuffer(target, sr.base, octets));
+ isc_region_consume(&sr, octets);
+
+ if (prefixlen == 0)
+ return (ISC_R_SUCCESS);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_a6(ARGS_COMPARE) {
+ int order;
+ unsigned char prefixlen1, prefixlen2;
+ unsigned char octets;
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 38);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+ prefixlen1 = region1.base[0];
+ prefixlen2 = region2.base[0];
+ isc_region_consume(&region1, 1);
+ isc_region_consume(&region2, 1);
+ if (prefixlen1 < prefixlen2)
+ return (-1);
+ else if (prefixlen1 > prefixlen2)
+ return (1);
+ /*
+ * Prefix lengths are equal.
+ */
+ octets = 16 - prefixlen1 / 8;
+
+ if (octets > 0) {
+ order = memcmp(region1.base, region2.base, octets);
+ if (order < 0)
+ return (-1);
+ else if (order > 0)
+ return (1);
+ /*
+ * Address suffixes are equal.
+ */
+ if (prefixlen1 == 0)
+ return (order);
+ isc_region_consume(&region1, octets);
+ isc_region_consume(&region2, octets);
+ }
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_a6(ARGS_FROMSTRUCT) {
+ dns_rdata_in_a6_t *a6 = source;
+ isc_region_t region;
+ int octets;
+ isc_uint8_t bits;
+ isc_uint8_t first;
+ isc_uint8_t mask;
+
+ REQUIRE(type == 38);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(a6->common.rdtype == type);
+ REQUIRE(a6->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ if (a6->prefixlen > 128)
+ return (ISC_R_RANGE);
+
+ RETERR(uint8_tobuffer(a6->prefixlen, target));
+
+ /* Suffix */
+ if (a6->prefixlen != 128) {
+ octets = 16 - a6->prefixlen / 8;
+ bits = a6->prefixlen % 8;
+ if (bits != 0) {
+ mask = 0xffU >> bits;
+ first = a6->in6_addr.s6_addr[16 - octets] & mask;
+ RETERR(uint8_tobuffer(first, target));
+ octets--;
+ }
+ if (octets > 0)
+ RETERR(mem_tobuffer(target,
+ a6->in6_addr.s6_addr + 16 - octets,
+ octets));
+ }
+
+ if (a6->prefixlen == 0)
+ return (ISC_R_SUCCESS);
+ dns_name_toregion(&a6->prefix, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_a6(ARGS_TOSTRUCT) {
+ dns_rdata_in_a6_t *a6 = target;
+ unsigned char octets;
+ dns_name_t name;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ a6->common.rdclass = rdata->rdclass;
+ a6->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&a6->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+
+ a6->prefixlen = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ memset(a6->in6_addr.s6_addr, 0, sizeof(a6->in6_addr.s6_addr));
+
+ /*
+ * Suffix.
+ */
+ if (a6->prefixlen != 128) {
+ octets = 16 - a6->prefixlen / 8;
+ INSIST(r.length >= octets);
+ memcpy(a6->in6_addr.s6_addr + 16 - octets, r.base, octets);
+ isc_region_consume(&r, octets);
+ }
+
+ /*
+ * Prefix.
+ */
+ dns_name_init(&a6->prefix, NULL);
+ if (a6->prefixlen != 0) {
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ RETERR(name_duporclone(&name, mctx, &a6->prefix));
+ }
+ a6->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_a6(ARGS_FREESTRUCT) {
+ dns_rdata_in_a6_t *a6 = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(a6->common.rdclass == 1);
+ REQUIRE(a6->common.rdtype == 38);
+
+ if (a6->mctx == NULL)
+ return;
+
+ if (dns_name_dynamic(&a6->prefix))
+ dns_name_free(&a6->prefix, a6->mctx);
+ a6->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_a6(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_a6(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ unsigned char prefixlen, octets;
+ isc_result_t result;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ prefixlen = r1.base[0];
+ octets = 1 + 16 - prefixlen / 8;
+
+ r1.length = octets;
+ result = (digest)(arg, &r1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (prefixlen == 0)
+ return (ISC_R_SUCCESS);
+
+ isc_region_consume(&r2, octets);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_a6(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 38);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_a6(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+ unsigned int prefixlen;
+
+ REQUIRE(rdata->type == 38);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ prefixlen = uint8_fromregion(&region);
+ if (prefixlen == 0)
+ return (ISC_TRUE);
+ isc_region_consume(&region, 1 + 16 - prefixlen / 8);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_A6_38_C */
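Review bot: compare_in_a6, digest_in_a6, tostruct_in_a6 and checknames_in_a6 derive a byte count from the first rdata octet (`16 - prefixlen / 8`) without the `INSIST(prefixlen <= 128);` that totext_in_a6 and towire_in_a6 apply, so a prefix length above 128 would wrap the count (an `unsigned char octets` in the first three) and mis-size the memcmp(), the digest region or the memcpy() that follows. This presumably matters only if rdata can reach these paths without going through fromtext/fromwire/fromstruct, which do range-check it, but the assertion is cheap and keeps the invariant local. digest_in_a6 also reads `r1.base[0]` without the `REQUIRE(rdata->length != 0);` that totext, towire, compare and tostruct carry. Separately, the include guard is spelled `RDATA_IN_1_A6_28_C` while the closing `#endif` comment and the type number say 38. Since this is a vendor import, these are better raised upstream than patched locally.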
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a6_38.h b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
new file mode 100644
index 0000000..9134ced
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/a6_38.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_A6_38_H
+#define IN_1_A6_38_H 1
+
+/* $Id: a6_38.h,v 1.19.206.1 2004/03/06 08:14:15 marka Exp $ */
+
+/* RFC2874 */
+
+typedef struct dns_rdata_in_a6 {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t prefix;
+ isc_uint8_t prefixlen;
+ struct in6_addr in6_addr;
+} dns_rdata_in_a6_t;
+
+#endif /* IN_1_A6_38_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.c b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
new file mode 100644
index 0000000..30165c9
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/a_1.c
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: a_1.c,v 1.46.12.5 2004/03/08 09:04:43 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
+
+#ifndef RDATA_IN_1_A_1_C
+#define RDATA_IN_1_A_1_C
+
+#include <string.h>
+
+#include <isc/net.h>
+
+#define RRTYPE_A_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_a(ARGS_FROMTEXT) {
+ isc_token_t token;
+ struct in_addr addr;
+ isc_region_t region;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ RETTOK(DNS_R_BADDOTTEDQUAD);
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 4)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, &addr, 4);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_a(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &region);
+ return (inet_totext(AF_INET, &region, target));
+}
+
+static inline isc_result_t
+fromwire_in_a(ARGS_FROMWIRE) {
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+ if (sregion.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ if (tregion.length < 4)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, 4);
+ isc_buffer_forward(source, 4);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_a(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(cctx);
+
+ isc_buffer_availableregion(target, &region);
+ if (region.length < rdata->length)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, rdata->data, rdata->length);
+ isc_buffer_add(target, 4);
+ return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_in_a(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 1);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length == 4);
+ REQUIRE(rdata2->length == 4);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_a(ARGS_FROMSTRUCT) {
+ dns_rdata_in_a_t *a = source;
+ isc_uint32_t n;
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(a->common.rdtype == type);
+ REQUIRE(a->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ n = ntohl(a->in_addr.s_addr);
+
+ return (uint32_tobuffer(n, target));
+}
+
+
+static inline isc_result_t
+tostruct_in_a(ARGS_TOSTRUCT) {
+ dns_rdata_in_a_t *a = target;
+ isc_uint32_t n;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length == 4);
+
+ UNUSED(mctx);
+
+ a->common.rdclass = rdata->rdclass;
+ a->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&a->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+ n = uint32_fromregion(&region);
+ a->in_addr.s_addr = htonl(n);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_a(ARGS_FREESTRUCT) {
+ dns_rdata_in_a_t *a = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(a->common.rdtype == 1);
+ REQUIRE(a->common.rdclass == 1);
+
+ UNUSED(a);
+}
+
+static inline isc_result_t
+additionaldata_in_a(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_a(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_a(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 1);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_a(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 1);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_A_1_C */
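Review bot: tostruct_in_a writes through `a = target` without the `REQUIRE(target != NULL);` that tostruct_in_aaaa and tostruct_in_a6 in this same import have, so a NULL target becomes a bare NULL dereference rather than a named assertion failure. Adding `REQUIRE(target != NULL);` beside the existing `REQUIRE(rdata->length == 4);` would align the three. digest_in_a likewise omits the `REQUIRE(rdata->length == 4);` that totext, towire, compare and tostruct apply, and digest_in_aaaa has the same gap for 16, so the digest callback is the one consumer not pinned to the fixed address width.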
diff --git a/contrib/bind9/lib/dns/rdata/in_1/a_1.h b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
new file mode 100644
index 0000000..34d7469
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/a_1.h
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_A_1_H
+#define IN_1_A_1_H 1
+
+/* $Id: a_1.h,v 1.23.206.1 2004/03/06 08:14:16 marka Exp $ */
+
+typedef struct dns_rdata_in_a {
+ dns_rdatacommon_t common;
+ struct in_addr in_addr;
+} dns_rdata_in_a_t;
+
+#endif /* IN_1_A_1_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
new file mode 100644
index 0000000..489fe01
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.c
@@ -0,0 +1,233 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: aaaa_28.c,v 1.36.12.5 2004/03/08 09:04:44 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
+
+/* RFC 1886 */
+
+#ifndef RDATA_IN_1_AAAA_28_C
+#define RDATA_IN_1_AAAA_28_C
+
+#include <isc/net.h>
+
+#define RRTYPE_AAAA_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_aaaa(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char addr[16];
+ isc_region_t region;
+
+ REQUIRE(type == 28);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ if (inet_pton(AF_INET6, DNS_AS_STR(token), addr) != 1)
+ RETTOK(DNS_R_BADAAAA);
+ isc_buffer_availableregion(target, &region);
+ if (region.length < 16)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, addr, 16);
+ isc_buffer_add(target, 16);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_aaaa(ARGS_TOTEXT) {
+ isc_region_t region;
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length == 16);
+
+ dns_rdata_toregion(rdata, &region);
+ return (inet_totext(AF_INET6, &region, target));
+}
+
+static inline isc_result_t
+fromwire_in_aaaa(ARGS_FROMWIRE) {
+ isc_region_t sregion;
+ isc_region_t tregion;
+
+ REQUIRE(type == 28);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &sregion);
+ isc_buffer_availableregion(target, &tregion);
+ if (sregion.length < 16)
+ return (ISC_R_UNEXPECTEDEND);
+ if (tregion.length < 16)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tregion.base, sregion.base, 16);
+ isc_buffer_forward(source, 16);
+ isc_buffer_add(target, 16);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_aaaa(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length == 16);
+
+ isc_buffer_availableregion(target, &region);
+ if (region.length < rdata->length)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, rdata->data, rdata->length);
+ isc_buffer_add(target, 16);
+ return (ISC_R_SUCCESS);
+}
+
+static inline int
+compare_in_aaaa(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 28);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length == 16);
+ REQUIRE(rdata2->length == 16);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_aaaa(ARGS_FROMSTRUCT) {
+ dns_rdata_in_aaaa_t *aaaa = source;
+
+ REQUIRE(type == 28);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(aaaa->common.rdtype == type);
+ REQUIRE(aaaa->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (mem_tobuffer(target, aaaa->in6_addr.s6_addr, 16));
+}
+
+static inline isc_result_t
+tostruct_in_aaaa(ARGS_TOSTRUCT) {
+ dns_rdata_in_aaaa_t *aaaa = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length == 16);
+
+ UNUSED(mctx);
+
+ aaaa->common.rdclass = rdata->rdclass;
+ aaaa->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&aaaa->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ INSIST(r.length == 16);
+ memcpy(aaaa->in6_addr.s6_addr, r.base, 16);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_aaaa(ARGS_FREESTRUCT) {
+ dns_rdata_in_aaaa_t *aaaa = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(aaaa->common.rdclass == 1);
+ REQUIRE(aaaa->common.rdtype == 28);
+
+ UNUSED(aaaa);
+}
+
+static inline isc_result_t
+additionaldata_in_aaaa(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_aaaa(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_aaaa(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 28);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_aaaa(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 28);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_AAAA_28_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
new file mode 100644
index 0000000..e8a9319
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/aaaa_28.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_AAAA_28_H
+#define IN_1_AAAA_28_H 1
+
+/* $Id: aaaa_28.h,v 1.16.206.1 2004/03/06 08:14:16 marka Exp $ */
+
+/* RFC 1886 */
+
+typedef struct dns_rdata_in_aaaa {
+ dns_rdatacommon_t common;
+ struct in6_addr in6_addr;
+} dns_rdata_in_aaaa_t;
+
+#endif /* IN_1_AAAA_28_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.c b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
new file mode 100644
index 0000000..ac39569
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/apl_42.c
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: apl_42.c,v 1.4.200.8 2004/03/16 12:38:15 marka Exp $ */
+
+/* RFC 3123 */
+
+#ifndef RDATA_IN_1_APL_42_C
+#define RDATA_IN_1_APL_42_C
+
+#define RRTYPE_APL_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_apl(ARGS_FROMTEXT) {
+ isc_token_t token;
+ unsigned char addr[16];
+ unsigned long afi;
+ isc_uint8_t prefix;
+ isc_uint8_t len;
+ isc_boolean_t neg;
+ char *cp, *ap, *slash;
+ int n;
+
+ REQUIRE(type == 42);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ do {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, ISC_TRUE));
+ if (token.type != isc_tokentype_string)
+ break;
+
+ cp = DNS_AS_STR(token);
+ neg = ISC_TF(*cp == '!');
+ if (neg)
+ cp++;
+ afi = strtoul(cp, &ap, 10);
+ if (*ap++ != ':' || cp == ap)
+ RETTOK(DNS_R_SYNTAX);
+ if (afi > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ slash = strchr(ap, '/');
+ if (slash == NULL || slash == ap)
+ RETTOK(DNS_R_SYNTAX);
+ RETTOK(isc_parse_uint8(&prefix, slash + 1, 10));
+ switch (afi) {
+ case 1:
+ *slash = '\0';
+ n = inet_pton(AF_INET, ap, addr);
+ *slash = '/';
+ if (n != 1)
+ RETTOK(DNS_R_BADDOTTEDQUAD);
+ if (prefix > 32)
+ RETTOK(ISC_R_RANGE);
+ for (len = 4; len > 0; len--)
+ if (addr[len - 1] != 0)
+ break;
+ break;
+
+ case 2:
+ *slash = '\0';
+ n = inet_pton(AF_INET6, ap, addr);
+ *slash = '/';
+ if (n != 1)
+ RETTOK(DNS_R_BADAAAA);
+ if (prefix > 128)
+ RETTOK(ISC_R_RANGE);
+ for (len = 16; len > 0; len--)
+ if (addr[len - 1] != 0)
+ break;
+ break;
+
+ default:
+ RETTOK(ISC_R_NOTIMPLEMENTED);
+ }
+ RETERR(uint16_tobuffer(afi, target));
+ RETERR(uint8_tobuffer(prefix, target));
+ RETERR(uint8_tobuffer(len | ((neg) ? 0x80 : 0), target));
+ RETERR(mem_tobuffer(target, addr, len));
+ } while (1);
+
+ /*
+ * Let upper layer handle eol/eof.
+ */
+ isc_lex_ungettoken(lexer, &token);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_apl(ARGS_TOTEXT) {
+ isc_region_t sr;
+ isc_region_t ir;
+ isc_uint16_t afi;
+ isc_uint8_t prefix;
+ isc_uint8_t len;
+ isc_boolean_t neg;
+ unsigned char buf[16];
+ char txt[sizeof(" !64000")];
+ const char *sep = "";
+ int n;
+
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &sr);
+ ir.base = buf;
+ ir.length = sizeof(buf);
+
+ while (sr.length > 0) {
+ INSIST(sr.length >= 4);
+ afi = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ prefix = *sr.base;
+ isc_region_consume(&sr, 1);
+ len = (*sr.base & 0x7f);
+ neg = ISC_TF((*sr.base & 0x80) != 0);
+ isc_region_consume(&sr, 1);
+ INSIST(len <= sr.length);
+ n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
+ neg ? "!": "", afi);
+ INSIST(n < (int)sizeof(txt));
+ RETERR(str_totext(txt, target));
+ switch (afi) {
+ case 1:
+ INSIST(len <= 4);
+ INSIST(prefix <= 32);
+ memset(buf, 0, sizeof(buf));
+ memcpy(buf, sr.base, len);
+ RETERR(inet_totext(AF_INET, &ir, target));
+ break;
+
+ case 2:
+ INSIST(len <= 16);
+ INSIST(prefix <= 128);
+ memset(buf, 0, sizeof(buf));
+ memcpy(buf, sr.base, len);
+ RETERR(inet_totext(AF_INET6, &ir, target));
+ break;
+
+ default:
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+ n = snprintf(txt, sizeof(txt), "/%u", prefix);
+ INSIST(n < (int)sizeof(txt));
+ RETERR(str_totext(txt, target));
+ isc_region_consume(&sr, len);
+ sep = " ";
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_apl(ARGS_FROMWIRE) {
+ isc_region_t sr, sr2;
+ isc_region_t tr;
+ isc_uint16_t afi;
+ isc_uint8_t prefix;
+ isc_uint8_t len;
+
+ REQUIRE(type == 42);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(rdclass);
+ UNUSED(options);
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_availableregion(target, &tr);
+ if (sr.length > tr.length)
+ return (ISC_R_NOSPACE);
+ sr2 = sr;
+
+ /* Zero or more items */
+ while (sr.length > 0) {
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ afi = uint16_fromregion(&sr);
+ isc_region_consume(&sr, 2);
+ prefix = *sr.base;
+ isc_region_consume(&sr, 1);
+ len = (*sr.base & 0x7f);
+ isc_region_consume(&sr, 1);
+ if (len > sr.length)
+ return (ISC_R_UNEXPECTEDEND);
+ switch (afi) {
+ case 1:
+ if (prefix > 32 || len > 4)
+ return (ISC_R_RANGE);
+ break;
+ case 2:
+ if (prefix > 128 || len > 16)
+ return (ISC_R_RANGE);
+ }
+ if (len > 0 && sr.base[len - 1] == 0)
+ return (DNS_R_FORMERR);
+ isc_region_consume(&sr, len);
+ }
+ isc_buffer_forward(source, sr2.length);
+ return (mem_tobuffer(target, sr2.base, sr2.length));
+}
+
+static inline isc_result_t
+towire_in_apl(ARGS_TOWIRE) {
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_in_apl(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 42);
+ REQUIRE(rdata1->rdclass == 1);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_apl(ARGS_FROMSTRUCT) {
+ dns_rdata_in_apl_t *apl = source;
+ isc_buffer_t b;
+
+ REQUIRE(type == 42);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(apl->common.rdtype == type);
+ REQUIRE(apl->common.rdclass == rdclass);
+ REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+ isc_buffer_init(&b, apl->apl, apl->apl_len);
+ isc_buffer_add(&b, apl->apl_len);
+ isc_buffer_setactive(&b, apl->apl_len);
+ return(fromwire_in_apl(rdclass, type, &b, NULL, ISC_FALSE, target));
+}
+
+static inline isc_result_t
+tostruct_in_apl(ARGS_TOSTRUCT) {
+ dns_rdata_in_apl_t *apl = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ apl->common.rdclass = rdata->rdclass;
+ apl->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&apl->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ apl->apl_len = r.length;
+ apl->apl = mem_maybedup(mctx, r.base, r.length);
+ if (apl->apl == NULL)
+ return (ISC_R_NOMEMORY);
+
+ apl->offset = 0;
+ apl->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_apl(ARGS_FREESTRUCT) {
+ dns_rdata_in_apl_t *apl = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(apl->common.rdtype == 42);
+ REQUIRE(apl->common.rdclass == 1);
+
+ if (apl->mctx == NULL)
+ return;
+ if (apl->apl != NULL)
+ isc_mem_free(apl->mctx, apl->apl);
+ apl->mctx = NULL;
+}
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *apl) {
+ REQUIRE(apl->common.rdtype == 42);
+ REQUIRE(apl->common.rdclass == 1);
+ REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+ apl->offset = 0;
+ return ((apl->apl_len != 0) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *apl) {
+ REQUIRE(apl->common.rdtype == 42);
+ REQUIRE(apl->common.rdclass == 1);
+ REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+ if (apl->offset + 3 < apl->apl_len)
+ return (ISC_R_NOMORE);
+ apl->offset += apl->apl[apl->offset + 3] & 0x7f;
+ return ((apl->offset >= apl->apl_len) ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *apl, dns_rdata_apl_ent_t *ent) {
+
+ REQUIRE(apl->common.rdtype == 42);
+ REQUIRE(apl->common.rdclass == 1);
+ REQUIRE(ent != NULL);
+ REQUIRE(apl->apl != NULL || apl->apl_len == 0);
+
+ if (apl->offset >= apl->apl_len)
+ return (ISC_R_NOMORE);
+
+ ent->family = (apl->apl[apl->offset] << 8) + apl->apl[apl->offset + 1];
+ ent->prefix = apl->apl[apl->offset + 2];
+ ent->length = apl->apl[apl->offset + 3] & 0x7f;
+ ent->negative = ISC_TF((apl->apl[apl->offset + 3] & 0x80) != 0);
+ if (ent->length != 0)
+ ent->data = &apl->apl[apl->offset + 4];
+ else
+ ent->data = NULL;
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+additionaldata_in_apl(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ (void)add;
+ (void)arg;
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_apl(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_apl(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 42);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+
+static inline isc_boolean_t
+checknames_in_apl(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 42);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_APL_42_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/apl_42.h b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
new file mode 100644
index 0000000..83309a6
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/apl_42.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_APL_42_H
+#define IN_1_APL_42_H 1
+
+/* $Id: apl_42.h,v 1.1.202.3 2004/03/08 09:04:44 marka Exp $ */
+
+typedef struct dns_rdata_apl_ent {
+ isc_boolean_t negative;
+ isc_uint16_t family;
+ isc_uint8_t prefix;
+ isc_uint8_t length;
+ unsigned char *data;
+} dns_rdata_apl_ent_t;
+
+typedef struct dns_rdata_in_apl {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ /* type & class specific elements */
+ unsigned char *apl;
+ isc_uint16_t apl_len;
+ /* private */
+ isc_uint16_t offset;
+} dns_rdata_in_apl_t;
+
+/*
+ * ISC_LANG_BEGINDECLS and ISC_LANG_ENDDECLS are already done
+ * via rdatastructpre.h and rdatastructsuf.h.
+ */
+
+isc_result_t
+dns_rdata_apl_first(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_next(dns_rdata_in_apl_t *);
+
+isc_result_t
+dns_rdata_apl_current(dns_rdata_in_apl_t *, dns_rdata_apl_ent_t *);
+
+#endif /* IN_1_APL_42_H */
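Review bot: The three iterator prototypes at the end of this header (`dns_rdata_apl_first`, `dns_rdata_apl_next`, `dns_rdata_apl_current`) have no contract comment, and callers need one because `dns_rdata_apl_current` in apl_42.c sets `ent->data` to point into `apl->apl` rather than copying it. I would add a comment above them such as `/* Iterate over the APL items; ent->data aliases apl->apl (NULL when ent->length is 0) and must not be used after the structure is freed. */`. Writing the contract down would also expose that `dns_rdata_apl_next` in apl_42.c does not appear to implement it. It returns `ISC_R_NOMORE` when `offset + 3 < apl_len`, advances by the address length without the 4-byte item header, and reports success only once the offset has reached the end. Both comparisons look inverted relative to `dns_rdata_apl_first`.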
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.c b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
new file mode 100644
index 0000000..fee1e3d
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/kx_36.c
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: kx_36.c,v 1.37.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
+
+/* RFC 2230 */
+
+#ifndef RDATA_IN_1_KX_36_C
+#define RDATA_IN_1_KX_36_C
+
+#define RRTYPE_KX_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_kx(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 36);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_kx(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+
+ RETERR(str_totext(" ", target));
+
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_kx(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sregion;
+
+ REQUIRE(type == 36);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ isc_buffer_activeregion(source, &sregion);
+ if (sregion.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sregion.base, 2));
+ isc_buffer_forward(source, 2);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_kx(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_rdata_toregion(rdata, &region);
+ RETERR(mem_tobuffer(target, region.base, 2));
+ isc_region_consume(&region, 2);
+
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_kx(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 36);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ order = memcmp(rdata1->data, rdata2->data, 2);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 2);
+ isc_region_consume(&region2, 2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_kx(ARGS_FROMSTRUCT) {
+ dns_rdata_in_kx_t *kx = source;
+ isc_region_t region;
+
+ REQUIRE(type == 36);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(kx->common.rdtype == type);
+ REQUIRE(kx->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(kx->preference, target));
+ dns_name_toregion(&kx->exchange, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_kx(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_in_kx_t *kx = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ kx->common.rdclass = rdata->rdclass;
+ kx->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&kx->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+
+ kx->preference = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&kx->exchange, NULL);
+ RETERR(name_duporclone(&name, mctx, &kx->exchange));
+ kx->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_kx(ARGS_FREESTRUCT) {
+ dns_rdata_in_kx_t *kx = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(kx->common.rdclass == 1);
+ REQUIRE(kx->common.rdtype == 36);
+
+ if (kx->mctx == NULL)
+ return;
+
+ dns_name_free(&kx->exchange, kx->mctx);
+ kx->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_kx(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_in_kx(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 2);
+ r1.length = 2;
+ RETERR((digest)(arg, &r1));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_kx(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 36);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_kx(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 36);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_KX_36_C */
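Review bot: `totext_in_kx` formats the preference with an unbounded `sprintf(buf, "%u", num)` into `char buf[sizeof("64000")]`. This is safe only because `num` comes from `uint16_fromregion` and so needs at most five digits plus the terminator, exactly the six bytes available. apl_42.c in this same import already uses the bounded form, so I would write `snprintf(buf, sizeof(buf), "%u", num);` here, optionally followed by an `INSIST` on the return value as `totext_in_apl` does. The same pattern appears twice in `totext_in_naptr` in naptr_35.c.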
diff --git a/contrib/bind9/lib/dns/rdata/in_1/kx_36.h b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
new file mode 100644
index 0000000..5ac328d
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/kx_36.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_KX_36_H
+#define IN_1_KX_36_H 1
+
+/* $Id: kx_36.h,v 1.15.206.1 2004/03/06 08:14:17 marka Exp $ */
+
+/* RFC 2230 */
+
+typedef struct dns_rdata_in_kx {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t preference;
+ dns_name_t exchange;
+} dns_rdata_in_kx_t;
+
+#endif /* IN_1_KX_36_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
new file mode 100644
index 0000000..f3c93c7
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: naptr_35.c,v 1.43.2.1.2.3 2004/03/06 08:14:17 marka Exp $ */
+
+/* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
+
+/* RFC 2915 */
+
+#ifndef RDATA_IN_1_NAPTR_35_C
+#define RDATA_IN_1_NAPTR_35_C
+
+#define RRTYPE_NAPTR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_naptr(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Order.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Preference.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Flags.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+ /*
+ * Service.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+ /*
+ * Regexp.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+ ISC_FALSE));
+ RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+ /*
+ * Replacement.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_naptr(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+
+ /*
+ * Order.
+ */
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Preference.
+ */
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Flags.
+ */
+ RETERR(txt_totext(&region, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Service.
+ */
+ RETERR(txt_totext(&region, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Regexp.
+ */
+ RETERR(txt_totext(&region, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Replacement.
+ */
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_naptr(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sr;
+
+ REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ /*
+ * Order, preference.
+ */
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, 4));
+ isc_buffer_forward(source, 4);
+
+ /*
+ * Flags.
+ */
+ RETERR(txt_fromwire(source, target));
+
+ /*
+ * Service.
+ */
+ RETERR(txt_fromwire(source, target));
+
+ /*
+ * Regexp.
+ */
+ RETERR(txt_fromwire(source, target));
+
+ /*
+ * Replacement.
+ */
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_naptr(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ /*
+ * Order, preference.
+ */
+ dns_rdata_toregion(rdata, &sr);
+ RETERR(mem_tobuffer(target, sr.base, 4));
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Flags.
+ */
+ RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+ isc_region_consume(&sr, sr.base[0] + 1);
+
+ /*
+ * Service.
+ */
+ RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+ isc_region_consume(&sr, sr.base[0] + 1);
+
+ /*
+ * Regexp.
+ */
+ RETERR(mem_tobuffer(target, sr.base, sr.base[0] + 1));
+ isc_region_consume(&sr, sr.base[0] + 1);
+
+ /*
+ * Replacement.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_naptr(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order, len;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 35);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ /*
+ * Order, preference.
+ */
+ order = memcmp(region1.base, region2.base, 4);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+ isc_region_consume(&region1, 4);
+ isc_region_consume(&region2, 4);
+
+ /*
+ * Flags.
+ */
+ len = ISC_MIN(region1.base[0], region2.base[0]);
+ order = memcmp(region1.base, region2.base, len + 1);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+ isc_region_consume(&region1, region1.base[0] + 1);
+ isc_region_consume(&region2, region2.base[0] + 1);
+
+ /*
+ * Service.
+ */
+ len = ISC_MIN(region1.base[0], region2.base[0]);
+ order = memcmp(region1.base, region2.base, len + 1);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+ isc_region_consume(&region1, region1.base[0] + 1);
+ isc_region_consume(&region2, region2.base[0] + 1);
+
+ /*
+ * Regexp.
+ */
+ len = ISC_MIN(region1.base[0], region2.base[0]);
+ order = memcmp(region1.base, region2.base, len + 1);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+ isc_region_consume(&region1, region1.base[0] + 1);
+ isc_region_consume(&region2, region2.base[0] + 1);
+
+ /*
+ * Replacement.
+ */
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_naptr(ARGS_FROMSTRUCT) {
+ dns_rdata_in_naptr_t *naptr = source;
+ isc_region_t region;
+
+ REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(naptr->common.rdtype == type);
+ REQUIRE(naptr->common.rdclass == rdclass);
+ REQUIRE(naptr->flags != NULL || naptr->flags_len == 0);
+ REQUIRE(naptr->service != NULL && naptr->service_len == 0);
+ REQUIRE(naptr->regexp != NULL && naptr->regexp_len == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(naptr->order, target));
+ RETERR(uint16_tobuffer(naptr->preference, target));
+ RETERR(uint8_tobuffer(naptr->flags_len, target));
+ RETERR(mem_tobuffer(target, naptr->flags, naptr->flags_len));
+ RETERR(uint8_tobuffer(naptr->service_len, target));
+ RETERR(mem_tobuffer(target, naptr->service, naptr->service_len));
+ RETERR(uint8_tobuffer(naptr->regexp_len, target));
+ RETERR(mem_tobuffer(target, naptr->regexp, naptr->regexp_len));
+ dns_name_toregion(&naptr->replacement, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_naptr(ARGS_TOSTRUCT) {
+ dns_rdata_in_naptr_t *naptr = target;
+ isc_region_t r;
+ isc_result_t result;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ naptr->common.rdclass = rdata->rdclass;
+ naptr->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&naptr->common, link);
+
+ naptr->flags = NULL;
+ naptr->service = NULL;
+ naptr->regexp = NULL;
+
+ dns_rdata_toregion(rdata, &r);
+
+ naptr->order = uint16_fromregion(&r);
+ isc_region_consume(&r, 2);
+
+ naptr->preference = uint16_fromregion(&r);
+ isc_region_consume(&r, 2);
+
+ naptr->flags_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ INSIST(naptr->flags_len <= r.length);
+ naptr->flags = mem_maybedup(mctx, r.base, naptr->flags_len);
+ if (naptr->flags == NULL)
+ goto cleanup;
+ isc_region_consume(&r, naptr->flags_len);
+
+ naptr->service_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ INSIST(naptr->service_len <= r.length);
+ naptr->service = mem_maybedup(mctx, r.base, naptr->service_len);
+ if (naptr->service == NULL)
+ goto cleanup;
+ isc_region_consume(&r, naptr->service_len);
+
+ naptr->regexp_len = uint8_fromregion(&r);
+ isc_region_consume(&r, 1);
+ INSIST(naptr->regexp_len <= r.length);
+ naptr->regexp = mem_maybedup(mctx, r.base, naptr->regexp_len);
+ if (naptr->regexp == NULL)
+ goto cleanup;
+ isc_region_consume(&r, naptr->regexp_len);
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+ dns_name_init(&naptr->replacement, NULL);
+ result = name_duporclone(&name, mctx, &naptr->replacement);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ naptr->mctx = mctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (mctx != NULL && naptr->flags != NULL)
+ isc_mem_free(mctx, naptr->flags);
+ if (mctx != NULL && naptr->service != NULL)
+ isc_mem_free(mctx, naptr->service);
+ if (mctx != NULL && naptr->regexp != NULL)
+ isc_mem_free(mctx, naptr->regexp);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_in_naptr(ARGS_FREESTRUCT) {
+ dns_rdata_in_naptr_t *naptr = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(naptr->common.rdclass == 1);
+ REQUIRE(naptr->common.rdtype == 35);
+
+ if (naptr->mctx == NULL)
+ return;
+
+ if (naptr->flags != NULL)
+ isc_mem_free(naptr->mctx, naptr->flags);
+ if (naptr->service != NULL)
+ isc_mem_free(naptr->mctx, naptr->service);
+ if (naptr->regexp != NULL)
+ isc_mem_free(naptr->mctx, naptr->regexp);
+ dns_name_free(&naptr->replacement, naptr->mctx);
+ naptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_naptr(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t sr;
+ dns_rdatatype_t atype;
+ unsigned int i, flagslen;
+ char *cp;
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+
+ /*
+ * Order, preference.
+ */
+ dns_rdata_toregion(rdata, &sr);
+ isc_region_consume(&sr, 4);
+
+ /*
+ * Flags.
+ */
+ atype = 0;
+ flagslen = sr.base[0];
+ cp = (char *)&sr.base[1];
+ for (i = 0; i < flagslen; i++, cp++) {
+ if (*cp == 'S' || *cp == 's') {
+ atype = dns_rdatatype_srv;
+ break;
+ }
+ if (*cp == 'A' || *cp == 'a') {
+ atype = dns_rdatatype_a;
+ break;
+ }
+ }
+ isc_region_consume(&sr, flagslen + 1);
+
+ /*
+ * Service.
+ */
+ isc_region_consume(&sr, sr.base[0] + 1);
+
+ /*
+ * Regexp.
+ */
+ isc_region_consume(&sr, sr.base[0] + 1);
+
+ /*
+ * Replacement.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+
+ if (atype != 0)
+ return ((add)(arg, &name, atype));
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_naptr(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ unsigned int length, n;
+ isc_result_t result;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ length = 0;
+
+ /*
+ * Order, preference.
+ */
+ length += 4;
+ isc_region_consume(&r2, 4);
+
+ /*
+ * Flags.
+ */
+ n = r2.base[0] + 1;
+ length += n;
+ isc_region_consume(&r2, n);
+
+ /*
+ * Service.
+ */
+ n = r2.base[0] + 1;
+ length += n;
+ isc_region_consume(&r2, n);
+
+ /*
+ * Regexp.
+ */
+ n = r2.base[0] + 1;
+ length += n;
+ isc_region_consume(&r2, n);
+
+ /*
+ * Digest the RR up to the replacement name.
+ */
+ r1.length = length;
+ result = (digest)(arg, &r1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Replacement.
+ */
+
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_naptr(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 35);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_naptr(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 35);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_NAPTR_35_C */
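Review bot: In `fromstruct_in_naptr` the preconditions for `service` and `regexp` use `&&` where the `flags` line directly above them uses `||`. As written they demand a non-NULL pointer together with a zero length, so the assertion would fire for any structure carrying a non-empty service or regexp. They should read `REQUIRE(naptr->service != NULL || naptr->service_len == 0);` and `REQUIRE(naptr->regexp != NULL || naptr->regexp_len == 0);`. A failed `REQUIRE` presumably aborts the process, so this matters for any caller that builds NAPTR rdata from a structure. Since the file is a vendor import, the fix belongs upstream as well.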
diff --git a/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
new file mode 100644
index 0000000..b1deb2ce
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/naptr_35.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_NAPTR_35_H
+#define IN_1_NAPTR_35_H 1
+
+/* $Id: naptr_35.h,v 1.18.206.1 2004/03/06 08:14:17 marka Exp $ */
+
+/* RFC 2915 */
+
+typedef struct dns_rdata_in_naptr {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t order;
+ isc_uint16_t preference;
+ char *flags;
+ isc_uint8_t flags_len;
+ char *service;
+ isc_uint8_t service_len;
+ char *regexp;
+ isc_uint8_t regexp_len;
+ dns_name_t replacement;
+} dns_rdata_in_naptr_t;
+
+#endif /* IN_1_NAPTR_35_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
new file mode 100644
index 0000000..0fa0fb2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -0,0 +1,245 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsap-ptr_23.c,v 1.32.206.2 2004/03/06 08:14:17 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
+
+/* RFC 1348. Obsoleted in RFC 1706 - use PTR instead. */
+
+#ifndef RDATA_IN_1_NSAP_PTR_23_C
+#define RDATA_IN_1_NSAP_PTR_23_C
+
+#define RRTYPE_NSAP_PTR_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_nsap_ptr(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 23);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_nsap_ptr(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ sub = name_prefix(&name, tctx->origin, &prefix);
+
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_nsap_ptr(ARGS_FROMWIRE) {
+ dns_name_t name;
+
+ REQUIRE(type == 23);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_nsap_ptr(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_nsap_ptr(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 23);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_nsap_ptr(ARGS_FROMSTRUCT) {
+ dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+ isc_region_t region;
+
+ REQUIRE(type == 23);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(nsap_ptr->common.rdtype == type);
+ REQUIRE(nsap_ptr->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_name_toregion(&nsap_ptr->owner, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_nsap_ptr(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_in_nsap_ptr_t *nsap_ptr = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ nsap_ptr->common.rdclass = rdata->rdclass;
+ nsap_ptr->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&nsap_ptr->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&nsap_ptr->owner, NULL);
+ RETERR(name_duporclone(&name, mctx, &nsap_ptr->owner));
+ nsap_ptr->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_nsap_ptr(ARGS_FREESTRUCT) {
+ dns_rdata_in_nsap_ptr_t *nsap_ptr = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(nsap_ptr->common.rdclass == 1);
+ REQUIRE(nsap_ptr->common.rdtype == 23);
+
+ if (nsap_ptr->mctx == NULL)
+ return;
+
+ dns_name_free(&nsap_ptr->owner, nsap_ptr->mctx);
+ nsap_ptr->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_nsap_ptr(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_nsap_ptr(ARGS_DIGEST) {
+ isc_region_t r;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_nsap_ptr(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 23);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_nsap_ptr(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 23);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_NSAP_PTR_23_C */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
new file mode 100644
index 0000000..9bf3c65
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_NSAP_PTR_23_H
+#define IN_1_NSAP_PTR_23_H 1
+
+/* $Id: nsap-ptr_23.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
+
+/* RFC 1348. Obsoleted in RFC 1706 - use PTR instead. */
+
+typedef struct dns_rdata_in_nsap_ptr {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ dns_name_t owner;
+} dns_rdata_in_nsap_ptr_t;
+
+#endif /* IN_1_NSAP_PTR_23_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
new file mode 100644
index 0000000..594b97f
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsap_22.c,v 1.33.12.5 2004/03/08 09:04:44 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
+
+/* RFC 1706 */
+
+#ifndef RDATA_IN_1_NSAP_22_C
+#define RDATA_IN_1_NSAP_22_C
+
+#define RRTYPE_NSAP_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_nsap(ARGS_FROMTEXT) {
+ isc_token_t token;
+ isc_textregion_t *sr;
+ int n;
+ int digits;
+ unsigned char c = 0;
+
+ REQUIRE(type == 22);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /* 0x<hex.string.with.periods> */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ sr = &token.value.as_textregion;
+ if (sr->length < 2)
+ RETTOK(ISC_R_UNEXPECTEDEND);
+ if (sr->base[0] != '0' || (sr->base[1] != 'x' && sr->base[1] != 'X'))
+ RETTOK(DNS_R_SYNTAX);
+ isc_textregion_consume(sr, 2);
+ digits = 0;
+ n = 0;
+ while (sr->length > 0) {
+ if (sr->base[0] == '.') {
+ isc_textregion_consume(sr, 1);
+ continue;
+ }
+ if ((n = hexvalue(sr->base[0])) == -1)
+ RETTOK(DNS_R_SYNTAX);
+ c <<= 4;
+ c += n;
+ if (++digits == 2) {
+ RETERR(mem_tobuffer(target, &c, 1));
+ digits = 0;
+ }
+ isc_textregion_consume(sr, 1);
+ }
+ if (digits)
+ RETTOK(ISC_R_UNEXPECTEDEND);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_nsap(ARGS_TOTEXT) {
+ isc_region_t region;
+ char buf[sizeof("xx")];
+
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(tctx);
+
+ dns_rdata_toregion(rdata, &region);
+ RETERR(str_totext("0x", target));
+ while (region.length != 0) {
+ sprintf(buf, "%02x", region.base[0]);
+ isc_region_consume(&region, 1);
+ RETERR(str_totext(buf, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_nsap(ARGS_FROMWIRE) {
+ isc_region_t region;
+
+ REQUIRE(type == 22);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &region);
+ if (region.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+
+ RETERR(mem_tobuffer(target, region.base, region.length));
+ isc_buffer_forward(source, region.length);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_nsap(ARGS_TOWIRE) {
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ UNUSED(cctx);
+
+ return (mem_tobuffer(target, rdata->data, rdata->length));
+}
+
+static inline int
+compare_in_nsap(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 22);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_nsap(ARGS_FROMSTRUCT) {
+ dns_rdata_in_nsap_t *nsap = source;
+
+ REQUIRE(type == 22);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(nsap->common.rdtype == type);
+ REQUIRE(nsap->common.rdclass == rdclass);
+ REQUIRE(nsap->nsap != NULL || nsap->nsap_len == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (mem_tobuffer(target, nsap->nsap, nsap->nsap_len));
+}
+
+static inline isc_result_t
+tostruct_in_nsap(ARGS_TOSTRUCT) {
+ dns_rdata_in_nsap_t *nsap = target;
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ nsap->common.rdclass = rdata->rdclass;
+ nsap->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&nsap->common, link);
+
+ dns_rdata_toregion(rdata, &r);
+ nsap->nsap_len = r.length;
+ nsap->nsap = mem_maybedup(mctx, r.base, r.length);
+ if (nsap->nsap == NULL)
+ return (ISC_R_NOMEMORY);
+
+ nsap->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_nsap(ARGS_FREESTRUCT) {
+ dns_rdata_in_nsap_t *nsap = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(nsap->common.rdclass == 1);
+ REQUIRE(nsap->common.rdtype == 22);
+
+ if (nsap->mctx == NULL)
+ return;
+
+ if (nsap->nsap != NULL)
+ isc_mem_free(nsap->mctx, nsap->nsap);
+ nsap->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_nsap(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_nsap(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_nsap(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 22);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_nsap(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 22);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_NSAP_22_C */
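Review bot: fromtext_in_nsap accepts a token that carries no hex digits at all (a bare `0x`, or `0x` followed only by periods) and returns ISC_R_SUCCESS without writing a single octet to target: the `sr->length < 2` check passes, the loop never reaches `mem_tobuffer`, and `digits` is still 0 at the final test. fromwire_in_nsap rejects the same empty value (`region.length < 1`), and totext_in_nsap, towire_in_nsap, compare_in_nsap and tostruct_in_nsap all state `REQUIRE(rdata->length != 0)`, so an empty NSAP taken from a master file could end in an assertion failure unless the generic caller refuses zero-length rdata, which is not visible in this hunk. I would set a local flag right after the `mem_tobuffer(target, &c, 1)` call and finish with `if (digits != 0 || !wrote) RETTOK(ISC_R_UNEXPECTEDEND);`. Since this is a vendor import, the change is also worth reporting upstream.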
diff --git a/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
new file mode 100644
index 0000000..6467433
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/nsap_22.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_NSAP_22_H
+#define IN_1_NSAP_22_H 1
+
+/* $Id: nsap_22.h,v 1.13.206.1 2004/03/06 08:14:18 marka Exp $ */
+
+/* RFC 1706 */
+
+typedef struct dns_rdata_in_nsap {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ unsigned char *nsap;
+ isc_uint16_t nsap_len;
+} dns_rdata_in_nsap_t;
+
+#endif /* IN_1_NSAP_22_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.c b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
new file mode 100644
index 0000000..66214dd
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/px_26.c
@@ -0,0 +1,374 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: px_26.c,v 1.34.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
+
+/* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
+
+/* RFC 2163 */
+
+#ifndef RDATA_IN_1_PX_26_C
+#define RDATA_IN_1_PX_26_C
+
+#define RRTYPE_PX_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_px(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+
+ REQUIRE(type == 26);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Preference.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * MAP822.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+
+ /*
+ * MAPX400.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_px(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ /*
+ * Preference.
+ */
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * MAP822.
+ */
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ isc_region_consume(&region, name_length(&name));
+ RETERR(dns_name_totext(&prefix, sub, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * MAPX400.
+ */
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return(dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_px(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sregion;
+
+ REQUIRE(type == 26);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ /*
+ * Preference.
+ */
+ isc_buffer_activeregion(source, &sregion);
+ if (sregion.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sregion.base, 2));
+ isc_buffer_forward(source, 2);
+
+ /*
+ * MAP822.
+ */
+ RETERR(dns_name_fromwire(&name, source, dctx, options, target));
+
+ /*
+ * MAPX400.
+ */
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_px(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ /*
+ * Preference.
+ */
+ dns_rdata_toregion(rdata, &region);
+ RETERR(mem_tobuffer(target, region.base, 2));
+ isc_region_consume(&region, 2);
+
+ /*
+ * MAP822.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &region);
+ RETERR(dns_name_towire(&name, cctx, target));
+ isc_region_consume(&region, name_length(&name));
+
+ /*
+ * MAPX400.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &region);
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_px(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 26);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ order = memcmp(rdata1->data, rdata2->data, 2);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 2);
+ isc_region_consume(&region2, 2);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ order = dns_name_rdatacompare(&name1, &name2);
+ if (order != 0)
+ return (order);
+
+ isc_region_consume(&region1, name_length(&name1));
+ isc_region_consume(&region2, name_length(&name2));
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_px(ARGS_FROMSTRUCT) {
+ dns_rdata_in_px_t *px = source;
+ isc_region_t region;
+
+ REQUIRE(type == 26);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(px->common.rdtype == type);
+ REQUIRE(px->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(px->preference, target));
+ dns_name_toregion(&px->map822, &region);
+ RETERR(isc_buffer_copyregion(target, &region));
+ dns_name_toregion(&px->mapx400, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_px(ARGS_TOSTRUCT) {
+ dns_rdata_in_px_t *px = target;
+ dns_name_t name;
+ isc_region_t region;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ px->common.rdclass = rdata->rdclass;
+ px->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&px->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+
+ px->preference = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+
+ dns_name_fromregion(&name, &region);
+
+ dns_name_init(&px->map822, NULL);
+ RETERR(name_duporclone(&name, mctx, &px->map822));
+ isc_region_consume(&region, name_length(&px->map822));
+
+ dns_name_init(&px->mapx400, NULL);
+ result = name_duporclone(&name, mctx, &px->mapx400);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ px->mctx = mctx;
+ return (result);
+
+ cleanup:
+ dns_name_free(&px->map822, mctx);
+ return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_in_px(ARGS_FREESTRUCT) {
+ dns_rdata_in_px_t *px = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(px->common.rdclass == 1);
+ REQUIRE(px->common.rdtype == 26);
+
+ if (px->mctx == NULL)
+ return;
+
+ dns_name_free(&px->map822, px->mctx);
+ dns_name_free(&px->mapx400, px->mctx);
+ px->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_px(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_px(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ dns_name_t name;
+ isc_result_t result;
+
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 2);
+ r1.length = 2;
+ result = (digest)(arg, &r1);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ result = dns_name_digest(&name, digest, arg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_region_consume(&r2, name_length(&name));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_px(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 26);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_px(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 26);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_PX_26_C */
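Review bot: tostruct_in_px fills `px->mapx400` from the same `name` it just used for `px->map822`, so the structure ends up with MAP822 twice and the MAPX400 field of the record is never read. After `isc_region_consume(&region, name_length(&px->map822));` the region is positioned on the second name, but `name` is not re-parsed; totext_in_px, towire_in_px, compare_in_px and digest_in_px all call `dns_name_fromregion(&name, &region);` again at this point, and the same line is needed here before the second `name_duporclone`. The `cleanup:` path also discards the actual error by returning `ISC_R_NOMEMORY` where `return (result);` would preserve it. As this is a vendor import the fix belongs upstream as well as in the local copy.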
diff --git a/contrib/bind9/lib/dns/rdata/in_1/px_26.h b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
new file mode 100644
index 0000000..79d4b18
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/px_26.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_PX_26_H
+#define IN_1_PX_26_H 1
+
+/* $Id: px_26.h,v 1.14.206.1 2004/03/06 08:14:18 marka Exp $ */
+
+/* RFC 2163 */
+
+typedef struct dns_rdata_in_px {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t preference;
+ dns_name_t map822;
+ dns_name_t mapx400;
+} dns_rdata_in_px_t;
+
+#endif /* IN_1_PX_26_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.c b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
new file mode 100644
index 0000000..7bcba1b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/srv_33.c
@@ -0,0 +1,373 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: srv_33.c,v 1.36.2.1.2.4 2004/03/06 08:14:18 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
+
+/* RFC 2782 */
+
+#ifndef RDATA_IN_1_SRV_33_C
+#define RDATA_IN_1_SRV_33_C
+
+#define RRTYPE_SRV_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_srv(ARGS_FROMTEXT) {
+ isc_token_t token;
+ dns_name_t name;
+ isc_buffer_t buffer;
+ isc_boolean_t ok;
+
+ REQUIRE(type == 33);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(callbacks);
+
+ /*
+ * Priority.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Weight.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Port.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 0xffffU)
+ RETTOK(ISC_R_RANGE);
+ RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+ /*
+ * Target.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ dns_name_init(&name, NULL);
+ buffer_fromregion(&buffer, &token.value.as_region);
+ origin = (origin != NULL) ? origin : dns_rootname;
+ RETTOK(dns_name_fromtext(&name, &buffer, origin, options, target));
+ ok = ISC_TRUE;
+ if ((options & DNS_RDATA_CHECKNAMES) != 0)
+ ok = dns_name_ishostname(&name, ISC_FALSE);
+ if (!ok && (options & DNS_RDATA_CHECKNAMESFAIL) != 0)
+ RETTOK(DNS_R_BADNAME);
+ if (!ok && callbacks != NULL)
+ warn_badname(&name, lexer, callbacks);
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_in_srv(ARGS_TOTEXT) {
+ isc_region_t region;
+ dns_name_t name;
+ dns_name_t prefix;
+ isc_boolean_t sub;
+ char buf[sizeof("64000")];
+ unsigned short num;
+
+ REQUIRE(rdata->type == 33);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_name_init(&name, NULL);
+ dns_name_init(&prefix, NULL);
+
+ /*
+ * Priority.
+ */
+ dns_rdata_toregion(rdata, &region);
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Weight.
+ */
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Port.
+ */
+ num = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ sprintf(buf, "%u", num);
+ RETERR(str_totext(buf, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Target.
+ */
+ dns_name_fromregion(&name, &region);
+ sub = name_prefix(&name, tctx->origin, &prefix);
+ return (dns_name_totext(&prefix, sub, target));
+}
+
+static inline isc_result_t
+fromwire_in_srv(ARGS_FROMWIRE) {
+ dns_name_t name;
+ isc_region_t sr;
+
+ REQUIRE(type == 33);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
+
+ dns_name_init(&name, NULL);
+
+ /*
+ * Priority, weight, port.
+ */
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 6)
+ return (ISC_R_UNEXPECTEDEND);
+ RETERR(mem_tobuffer(target, sr.base, 6));
+ isc_buffer_forward(source, 6);
+
+ /*
+ * Target.
+ */
+ return (dns_name_fromwire(&name, source, dctx, options, target));
+}
+
+static inline isc_result_t
+towire_in_srv(ARGS_TOWIRE) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 33);
+ REQUIRE(rdata->length != 0);
+
+ dns_compress_setmethods(cctx, DNS_COMPRESS_NONE);
+ /*
+ * Priority, weight, port.
+ */
+ dns_rdata_toregion(rdata, &sr);
+ RETERR(mem_tobuffer(target, sr.base, 6));
+ isc_region_consume(&sr, 6);
+
+ /*
+ * Target.
+ */
+ dns_name_init(&name, offsets);
+ dns_name_fromregion(&name, &sr);
+ return (dns_name_towire(&name, cctx, target));
+}
+
+static inline int
+compare_in_srv(ARGS_COMPARE) {
+ dns_name_t name1;
+ dns_name_t name2;
+ isc_region_t region1;
+ isc_region_t region2;
+ int order;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 33);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ /*
+ * Priority, weight, port.
+ */
+ order = memcmp(rdata1->data, rdata2->data, 6);
+ if (order != 0)
+ return (order < 0 ? -1 : 1);
+
+ /*
+ * Target.
+ */
+ dns_name_init(&name1, NULL);
+ dns_name_init(&name2, NULL);
+
+ dns_rdata_toregion(rdata1, &region1);
+ dns_rdata_toregion(rdata2, &region2);
+
+ isc_region_consume(&region1, 6);
+ isc_region_consume(&region2, 6);
+
+ dns_name_fromregion(&name1, &region1);
+ dns_name_fromregion(&name2, &region2);
+
+ return (dns_name_rdatacompare(&name1, &name2));
+}
+
+static inline isc_result_t
+fromstruct_in_srv(ARGS_FROMSTRUCT) {
+ dns_rdata_in_srv_t *srv = source;
+ isc_region_t region;
+
+ REQUIRE(type == 33);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(srv->common.rdtype == type);
+ REQUIRE(srv->common.rdclass == rdclass);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ RETERR(uint16_tobuffer(srv->priority, target));
+ RETERR(uint16_tobuffer(srv->weight, target));
+ RETERR(uint16_tobuffer(srv->port, target));
+ dns_name_toregion(&srv->target, &region);
+ return (isc_buffer_copyregion(target, &region));
+}
+
+static inline isc_result_t
+tostruct_in_srv(ARGS_TOSTRUCT) {
+ isc_region_t region;
+ dns_rdata_in_srv_t *srv = target;
+ dns_name_t name;
+
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->type == 33);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length != 0);
+
+ srv->common.rdclass = rdata->rdclass;
+ srv->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&srv->common, link);
+
+ dns_name_init(&name, NULL);
+ dns_rdata_toregion(rdata, &region);
+ srv->priority = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ srv->weight = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ srv->port = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ dns_name_fromregion(&name, &region);
+ dns_name_init(&srv->target, NULL);
+ RETERR(name_duporclone(&name, mctx, &srv->target));
+ srv->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_srv(ARGS_FREESTRUCT) {
+ dns_rdata_in_srv_t *srv = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(srv->common.rdclass == 1);
+ REQUIRE(srv->common.rdtype == 33);
+
+ if (srv->mctx == NULL)
+ return;
+
+ dns_name_free(&srv->target, srv->mctx);
+ srv->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_srv(ARGS_ADDLDATA) {
+ dns_name_t name;
+ dns_offsets_t offsets;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 33);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_name_init(&name, offsets);
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 6);
+ dns_name_fromregion(&name, &region);
+
+ return ((add)(arg, &name, dns_rdatatype_a));
+}
+
+static inline isc_result_t
+digest_in_srv(ARGS_DIGEST) {
+ isc_region_t r1, r2;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 33);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r1);
+ r2 = r1;
+ isc_region_consume(&r2, 6);
+ r1.length = 6;
+ RETERR((digest)(arg, &r1));
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &r2);
+ return (dns_name_digest(&name, digest, arg));
+}
+
+static inline isc_boolean_t
+checkowner_in_srv(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 33);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_srv(ARGS_CHECKNAMES) {
+ isc_region_t region;
+ dns_name_t name;
+
+ REQUIRE(rdata->type == 33);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(owner);
+
+ dns_rdata_toregion(rdata, &region);
+ isc_region_consume(&region, 6);
+ dns_name_init(&name, NULL);
+ dns_name_fromregion(&name, &region);
+ if (!dns_name_ishostname(&name, ISC_FALSE)) {
+ if (bad != NULL)
+ dns_name_clone(&name, bad);
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_SRV_33_C */
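Review bot: towire_in_srv is the only rdata-taking function in this file that does not assert the class: it has `REQUIRE(rdata->type == 33);` and the length check but no `REQUIRE(rdata->rdclass == 1);`, which its siblings here and towire_in_px / towire_in_nsap in the same commit all carry. Adding that line keeps the precondition set uniform across the method table. Separately, additionaldata_in_srv, digest_in_srv and checknames_in_srv consume 6 octets from the region without the `REQUIRE(rdata->length != 0)` the other functions state, so they rely entirely on validation done earlier by fromwire/fromtext; a one-line comment saying so would help the next reader. In fromtext_in_srv, `UNUSED(callbacks);` is misleading because `callbacks` is used for `warn_badname` further down and the line can be dropped.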
diff --git a/contrib/bind9/lib/dns/rdata/in_1/srv_33.h b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
new file mode 100644
index 0000000..91dbf37
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/srv_33.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_SRV_33_H
+#define IN_1_SRV_33_H 1
+
+/* $Id: srv_33.h,v 1.14.206.1 2004/03/06 08:14:19 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
+
+/* RFC 2782 */
+
+typedef struct dns_rdata_in_srv {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ isc_uint16_t priority;
+ isc_uint16_t weight;
+ isc_uint16_t port;
+ dns_name_t target;
+} dns_rdata_in_srv_t;
+
+#endif /* IN_1_SRV_33_H */
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.c b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
new file mode 100644
index 0000000..91b30e4
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/wks_11.c
@@ -0,0 +1,349 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: wks_11.c,v 1.44.12.7 2004/03/08 09:04:44 marka Exp $ */
+
+/* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
+
+#ifndef RDATA_IN_1_WKS_11_C
+#define RDATA_IN_1_WKS_11_C
+
+#include <limits.h>
+#include <stdlib.h>
+
+#include <isc/net.h>
+#include <isc/netdb.h>
+
+#define RRTYPE_WKS_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_in_wks(ARGS_FROMTEXT) {
+ isc_token_t token;
+ isc_region_t region;
+ struct in_addr addr;
+ struct protoent *pe;
+ struct servent *se;
+ char *e;
+ long proto;
+ unsigned char bm[8*1024]; /* 64k bits */
+ long port;
+ long maxport = -1;
+ const char *ps = NULL;
+ unsigned int n;
+ char service[32];
+ int i;
+
+ REQUIRE(type == 11);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ /*
+ * IPv4 dotted quad.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ isc_buffer_availableregion(target, &region);
+ if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ RETTOK(DNS_R_BADDOTTEDQUAD);
+ if (region.length < 4)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, &addr, 4);
+ isc_buffer_add(target, 4);
+
+ /*
+ * Protocol.
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+
+ proto = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e == 0)
+ ;
+ else if ((pe = getprotobyname(DNS_AS_STR(token))) != NULL)
+ proto = pe->p_proto;
+ else
+ RETTOK(DNS_R_UNKNOWNPROTO);
+ if (proto < 0 || proto > 0xff)
+ RETTOK(ISC_R_RANGE);
+
+ if (proto == IPPROTO_TCP)
+ ps = "tcp";
+ else if (proto == IPPROTO_UDP)
+ ps = "udp";
+
+ RETERR(uint8_tobuffer(proto, target));
+
+ memset(bm, 0, sizeof(bm));
+ do {
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, ISC_TRUE));
+ if (token.type != isc_tokentype_string)
+ break;
+
+ /*
+ * Lowercase the service string as some getservbyname() are
+ * case sensitive and the database is usually in lowercase.
+ */
+ strncpy(service, DNS_AS_STR(token), sizeof(service));
+ service[sizeof(service)-1] = '\0';
+ for (i = strlen(service) - 1; i >= 0; i--)
+ if (isupper(service[i]&0xff))
+ service[i] = tolower(service[i]);
+
+ port = strtol(DNS_AS_STR(token), &e, 10);
+ if (*e == 0)
+ ;
+ else if ((se = getservbyname(service, ps)) != NULL)
+ port = ntohs(se->s_port);
+ else if ((se = getservbyname(DNS_AS_STR(token), ps))
+ != NULL)
+ port = ntohs(se->s_port);
+ else
+ RETTOK(DNS_R_UNKNOWNSERVICE);
+ if (port < 0 || port > 0xffff)
+ RETTOK(ISC_R_RANGE);
+ if (port > maxport)
+ maxport = port;
+ bm[port / 8] |= (0x80 >> (port % 8));
+ } while (1);
+
+ /*
+ * Let upper layer handle eol/eof.
+ */
+ isc_lex_ungettoken(lexer, &token);
+
+ n = (maxport + 8) / 8;
+ return (mem_tobuffer(target, bm, n));
+}
+
+static inline isc_result_t
+totext_in_wks(ARGS_TOTEXT) {
+ isc_region_t sr;
+ unsigned short proto;
+ char buf[sizeof("65535")];
+ unsigned int i, j;
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length >= 5);
+
+ dns_rdata_toregion(rdata, &sr);
+ RETERR(inet_totext(AF_INET, &sr, target));
+ isc_region_consume(&sr, 4);
+
+ proto = uint8_fromregion(&sr);
+ sprintf(buf, "%u", proto);
+ RETERR(str_totext(" ", target));
+ RETERR(str_totext(buf, target));
+ isc_region_consume(&sr, 1);
+
+ for (i = 0; i < sr.length; i++) {
+ if (sr.base[i] != 0)
+ for (j = 0; j < 8; j++)
+ if ((sr.base[i] & (0x80 >> j)) != 0) {
+ sprintf(buf, "%u", i * 8 + j);
+ RETERR(str_totext(" ", target));
+ RETERR(str_totext(buf, target));
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_wks(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ isc_region_t tr;
+
+ REQUIRE(type == 11);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(dctx);
+ UNUSED(options);
+ UNUSED(rdclass);
+
+ isc_buffer_activeregion(source, &sr);
+ isc_buffer_availableregion(target, &tr);
+
+ if (sr.length < 5)
+ return (ISC_R_UNEXPECTEDEND);
+ if (sr.length > 8 * 1024 + 5)
+ return (DNS_R_EXTRADATA);
+ if (tr.length < sr.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(tr.base, sr.base, sr.length);
+ isc_buffer_add(target, sr.length);
+ isc_buffer_forward(source, sr.length);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_in_wks(ARGS_TOWIRE) {
+ isc_region_t sr;
+
+ UNUSED(cctx);
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ dns_rdata_toregion(rdata, &sr);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_in_wks(ARGS_COMPARE) {
+ isc_region_t r1;
+ isc_region_t r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 11);
+ REQUIRE(rdata1->rdclass == 1);
+ REQUIRE(rdata1->length != 0);
+ REQUIRE(rdata2->length != 0);
+
+ dns_rdata_toregion(rdata1, &r1);
+ dns_rdata_toregion(rdata2, &r2);
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_wks(ARGS_FROMSTRUCT) {
+ dns_rdata_in_wks_t *wks = source;
+ isc_uint32_t a;
+
+ REQUIRE(type == 11);
+ REQUIRE(rdclass == 1);
+ REQUIRE(source != NULL);
+ REQUIRE(wks->common.rdtype == type);
+ REQUIRE(wks->common.rdclass == rdclass);
+ REQUIRE(wks->map != NULL || wks->map_len == 0);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ a = ntohl(wks->in_addr.s_addr);
+ RETERR(uint32_tobuffer(a, target));
+ RETERR(uint16_tobuffer(wks->protocol, target));
+ return (mem_tobuffer(target, wks->map, wks->map_len));
+}
+
+static inline isc_result_t
+tostruct_in_wks(ARGS_TOSTRUCT) {
+ dns_rdata_in_wks_t *wks = target;
+ isc_uint32_t n;
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+ REQUIRE(rdata->length != 0);
+
+ wks->common.rdclass = rdata->rdclass;
+ wks->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&wks->common, link);
+
+ dns_rdata_toregion(rdata, &region);
+ n = uint32_fromregion(&region);
+ wks->in_addr.s_addr = htonl(n);
+ isc_region_consume(&region, 4);
+ wks->protocol = uint16_fromregion(&region);
+ isc_region_consume(&region, 2);
+ wks->map_len = region.length;
+ wks->map = mem_maybedup(mctx, region.base, region.length);
+ if (wks->map == NULL)
+ return (ISC_R_NOMEMORY);
+ wks->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_wks(ARGS_FREESTRUCT) {
+ dns_rdata_in_wks_t *wks = source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(wks->common.rdtype == 11);
+ REQUIRE(wks->common.rdclass == 1);
+
+ if (wks->mctx == NULL)
+ return;
+
+ if (wks->map != NULL)
+ isc_mem_free(wks->mctx, wks->map);
+ wks->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_wks(ARGS_ADDLDATA) {
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_wks(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_wks(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 11);
+ REQUIRE(rdclass == 1);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ return (dns_name_ishostname(name, wildcard));
+}
+
+static inline isc_boolean_t
+checknames_in_wks(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 11);
+ REQUIRE(rdata->rdclass == 1);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+#endif /* RDATA_IN_1_WKS_11_C */
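Review bot: `tostruct_in_wks` and `fromstruct_in_wks` treat the protocol field as 16 bits, while every other path in this file treats it as one octet: `fromtext_in_wks` writes it with `uint8_tobuffer`, `totext_in_wks` reads it with `uint8_fromregion` and consumes 1 byte, and `fromwire_in_wks` accepts rdata as short as 5 bytes. For a 5-byte record `tostruct_in_wks` therefore asks for two bytes when only one remains after the address, and for longer records it folds the first bitmap octet into `protocol` and drops it from `map`; wire-derived rdata reaches this code guarded only by `REQUIRE(rdata->length != 0)`. The struct paths should use the one-octet helpers: `wks->protocol = uint8_fromregion(&region); isc_region_consume(&region, 1);` in tostruct and `RETERR(uint8_tobuffer(wks->protocol, target));` in fromstruct. Separately, `totext_in_wks` formats port numbers into `buf[sizeof("65535")]` and so depends on the bitmap being at most 8 KiB, a bound that only `fromwire_in_wks` enforces; adding `REQUIRE(rdata->length <= 8 * 1024 + 5);` there would make that assumption explicit.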
diff --git a/contrib/bind9/lib/dns/rdata/in_1/wks_11.h b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
new file mode 100644
index 0000000..e734281
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/in_1/wks_11.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef IN_1_WKS_11_H
+#define IN_1_WKS_11_H 1
+
+/* $Id: wks_11.h,v 1.19.206.1 2004/03/06 08:14:19 marka Exp $ */
+
+typedef struct dns_rdata_in_wks {
+ dns_rdatacommon_t common;
+ isc_mem_t *mctx;
+ struct in_addr in_addr;
+ isc_uint16_t protocol;
+ unsigned char *map;
+ isc_uint16_t map_len;
+} dns_rdata_in_wks_t;
+
+#endif /* IN_1_WKS_11_H */
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructpre.h b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
new file mode 100644
index 0000000..19af8b4
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/rdatastructpre.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatastructpre.h,v 1.13.206.1 2004/03/06 08:14:02 marka Exp $ */
+
+#ifndef DNS_RDATASTRUCT_H
+#define DNS_RDATASTRUCT_H 1
+
+#include <isc/lang.h>
+#include <isc/sockaddr.h>
+
+#include <dns/name.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct dns_rdatacommon {
+ dns_rdataclass_t rdclass;
+ dns_rdatatype_t rdtype;
+ ISC_LINK(struct dns_rdatacommon) link;
+} dns_rdatacommon_t;
+
+#define DNS_RDATACOMMON_INIT(_data, _rdtype, _rdclass) \
+ do { \
+ (_data)->common.rdtype = (_rdtype); \
+ (_data)->common.rdclass = (_rdclass); \
+ ISC_LINK_INIT(&(_data)->common, link); \
+ } while (0)
diff --git a/contrib/bind9/lib/dns/rdata/rdatastructsuf.h b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
new file mode 100644
index 0000000..3eabff2
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdata/rdatastructsuf.h
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatastructsuf.h,v 1.7.206.1 2004/03/06 08:14:02 marka Exp $ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATASTRUCT_H */
diff --git a/contrib/bind9/lib/dns/rdatalist.c b/contrib/bind9/lib/dns/rdatalist.c
new file mode 100644
index 0000000..baa62e5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdatalist.c
@@ -0,0 +1,224 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatalist.c,v 1.25.2.2.2.2 2004/03/08 02:07:56 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+
+#include "rdatalist_p.h"
+
+static dns_rdatasetmethods_t methods = {
+ isc__rdatalist_disassociate,
+ isc__rdatalist_first,
+ isc__rdatalist_next,
+ isc__rdatalist_current,
+ isc__rdatalist_clone,
+ isc__rdatalist_count,
+ isc__rdatalist_addnoqname,
+ isc__rdatalist_getnoqname
+};
+
+void
+dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
+
+ /*
+ * Initialize rdatalist.
+ */
+
+ rdatalist->rdclass = 0;
+ rdatalist->type = 0;
+ rdatalist->covers = 0;
+ rdatalist->ttl = 0;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LINK_INIT(rdatalist, link);
+}
+
+isc_result_t
+dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
+ dns_rdataset_t *rdataset) {
+
+ /*
+ * Make 'rdataset' refer to the rdata in 'rdatalist'.
+ */
+
+ REQUIRE(rdatalist != NULL);
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(! dns_rdataset_isassociated(rdataset));
+
+ rdataset->methods = &methods;
+ rdataset->rdclass = rdatalist->rdclass;
+ rdataset->type = rdatalist->type;
+ rdataset->covers = rdatalist->covers;
+ rdataset->ttl = rdatalist->ttl;
+ rdataset->trust = 0;
+ rdataset->private1 = rdatalist;
+ rdataset->private2 = NULL;
+ rdataset->private3 = NULL;
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
+ UNUSED(rdataset);
+}
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset) {
+ dns_rdatalist_t *rdatalist;
+
+ rdatalist = rdataset->private1;
+ rdataset->private2 = ISC_LIST_HEAD(rdatalist->rdata);
+
+ if (rdataset->private2 == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset) {
+ dns_rdata_t *rdata;
+
+ rdata = rdataset->private2;
+ if (rdata == NULL)
+ return (ISC_R_NOMORE);
+
+ rdataset->private2 = ISC_LIST_NEXT(rdata, link);
+
+ if (rdataset->private2 == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ dns_rdata_t *list_rdata;
+
+ list_rdata = rdataset->private2;
+ INSIST(list_rdata != NULL);
+
+ dns_rdata_clone(list_rdata, rdata);
+}
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ *target = *source;
+
+ /*
+ * Reset iterator state.
+ */
+ target->private2 = NULL;
+}
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset) {
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ unsigned int count;
+
+ rdatalist = rdataset->private1;
+
+ count = 0;
+ for (rdata = ISC_LIST_HEAD(rdatalist->rdata);
+ rdata != NULL;
+ rdata = ISC_LIST_NEXT(rdata, link))
+ count++;
+
+ return (count);
+}
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+ dns_rdataset_t *nsec = NULL;
+ dns_rdataset_t *nsecsig = NULL;
+ dns_rdataset_t *rdset;
+ dns_ttl_t ttl;
+
+ for (rdset = ISC_LIST_HEAD(name->list);
+ rdset != NULL;
+ rdset = ISC_LIST_NEXT(rdset, link))
+ {
+ if (rdset->rdclass != rdataset->rdclass)
+ continue;
+ if (rdset->type == dns_rdatatype_nsec)
+ nsec = rdset;
+ if (rdset->type == dns_rdatatype_rrsig &&
+ rdset->covers == dns_rdatatype_nsec)
+ nsecsig = rdset;
+ }
+
+ if (nsec == NULL || nsecsig == NULL)
+ return (ISC_R_NOTFOUND);
+ /*
+ * Minimise ttl.
+ */
+ ttl = rdataset->ttl;
+ if (nsec->ttl < ttl)
+ ttl = nsec->ttl;
+ if (nsecsig->ttl < ttl)
+ ttl = nsecsig->ttl;
+ rdataset->ttl = nsec->ttl = nsecsig->ttl = ttl;
+ rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
+ rdataset->private6 = name;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+ dns_rdataclass_t rdclass = rdataset->rdclass;
+ dns_rdataset_t *tnsec = NULL;
+ dns_rdataset_t *tnsecsig = NULL;
+ dns_name_t *noqname = rdataset->private6;
+
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
+ (void)dns_name_dynamic(noqname); /* Sanity Check. */
+
+ for (rdataset = ISC_LIST_HEAD(noqname->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (rdataset->rdclass != rdclass)
+ continue;
+ if (rdataset->type == dns_rdatatype_nsec)
+ tnsec = rdataset;
+ if (rdataset->type == dns_rdatatype_rrsig &&
+ rdataset->covers == dns_rdatatype_nsec)
+ tnsecsig = rdataset;
+ }
+ if (tnsec == NULL || tnsecsig == NULL)
+ return (ISC_R_NOTFOUND);
+
+ dns_name_clone(noqname, name);
+ dns_rdataset_clone(tnsec, nsec);
+ dns_rdataset_clone(tnsecsig, nsecsig);
+ return (ISC_R_SUCCESS);
+}
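Review bot: `isc__rdatalist_addnoqname` has two side effects that nothing in this file documents: it stores the caller's `name` pointer in `rdataset->private6` without copying it, and it lowers the TTL of the NSEC and RRSIG rdatasets found on `name->list` to the common minimum. `isc__rdatalist_disassociate` is a no-op, so the rdataset appears to borrow `name` for as long as the NOQNAME attribute is set, and `isc__rdatalist_getnoqname` later dereferences it. A header comment such as `/* 'name' is borrowed, not copied: it and its rdataset list must outlive 'rdataset'. The TTLs of the NSEC/RRSIG sets on 'name' are reduced to the minimum. */` would state that contract for callers. In `isc__rdatalist_getnoqname` the loop reuses the `rdataset` parameter as its cursor; a separate local, like `rdset` in addnoqname, would keep the argument intact for the rest of the function.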
diff --git a/contrib/bind9/lib/dns/rdatalist_p.h b/contrib/bind9/lib/dns/rdatalist_p.h
new file mode 100644
index 0000000..3a7b52c
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdatalist_p.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatalist_p.h,v 1.3.206.2 2004/03/08 02:07:56 marka Exp $ */
+
+#ifndef DNS_RDATALIST_P_H
+#define DNS_RDATALIST_P_H
+
+#include <isc/result.h>
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc__rdatalist_disassociate(dns_rdataset_t *rdatasetp);
+
+isc_result_t
+isc__rdatalist_first(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_next(dns_rdataset_t *rdataset);
+
+void
+isc__rdatalist_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata);
+
+void
+isc__rdatalist_clone(dns_rdataset_t *source, dns_rdataset_t *target);
+
+unsigned int
+isc__rdatalist_count(dns_rdataset_t *rdataset);
+
+isc_result_t
+isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_RDATALIST_P_H */
diff --git a/contrib/bind9/lib/dns/rdataset.c b/contrib/bind9/lib/dns/rdataset.c
new file mode 100644
index 0000000..672777b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdataset.c
@@ -0,0 +1,626 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdataset.c,v 1.58.2.2.2.10 2004/03/08 09:04:31 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/random.h>
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/ncache.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/compress.h>
+
+void
+dns_rdataset_init(dns_rdataset_t *rdataset) {
+
+ /*
+ * Make 'rdataset' a valid, disassociated rdataset.
+ */
+
+ REQUIRE(rdataset != NULL);
+
+ rdataset->magic = DNS_RDATASET_MAGIC;
+ rdataset->methods = NULL;
+ ISC_LINK_INIT(rdataset, link);
+ rdataset->rdclass = 0;
+ rdataset->type = 0;
+ rdataset->ttl = 0;
+ rdataset->trust = 0;
+ rdataset->covers = 0;
+ rdataset->attributes = 0;
+ rdataset->count = ISC_UINT32_MAX;
+ rdataset->private1 = NULL;
+ rdataset->private2 = NULL;
+ rdataset->private3 = NULL;
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+ rdataset->private6 = NULL;
+}
+
+void
+dns_rdataset_invalidate(dns_rdataset_t *rdataset) {
+
+ /*
+ * Invalidate 'rdataset'.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods == NULL);
+
+ rdataset->magic = 0;
+ ISC_LINK_INIT(rdataset, link);
+ rdataset->rdclass = 0;
+ rdataset->type = 0;
+ rdataset->ttl = 0;
+ rdataset->trust = 0;
+ rdataset->covers = 0;
+ rdataset->attributes = 0;
+ rdataset->count = ISC_UINT32_MAX;
+ rdataset->private1 = NULL;
+ rdataset->private2 = NULL;
+ rdataset->private3 = NULL;
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+}
+
+void
+dns_rdataset_disassociate(dns_rdataset_t *rdataset) {
+
+ /*
+ * Disassociate 'rdataset' from its rdata, allowing it to be reused.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ (rdataset->methods->disassociate)(rdataset);
+ rdataset->methods = NULL;
+ ISC_LINK_INIT(rdataset, link);
+ rdataset->rdclass = 0;
+ rdataset->type = 0;
+ rdataset->ttl = 0;
+ rdataset->trust = 0;
+ rdataset->covers = 0;
+ rdataset->attributes = 0;
+ rdataset->count = ISC_UINT32_MAX;
+ rdataset->private1 = NULL;
+ rdataset->private2 = NULL;
+ rdataset->private3 = NULL;
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+ rdataset->private6 = NULL;
+}
+
+isc_boolean_t
+dns_rdataset_isassociated(dns_rdataset_t *rdataset) {
+ /*
+ * Is 'rdataset' associated?
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+
+ if (rdataset->methods != NULL)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+static void
+question_disassociate(dns_rdataset_t *rdataset) {
+ UNUSED(rdataset);
+}
+
+static isc_result_t
+question_cursor(dns_rdataset_t *rdataset) {
+ UNUSED(rdataset);
+
+ return (ISC_R_NOMORE);
+}
+
+static void
+question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ /*
+ * This routine should never be called.
+ */
+ UNUSED(rdataset);
+ UNUSED(rdata);
+
+ REQUIRE(0);
+}
+
+static void
+question_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ *target = *source;
+}
+
+static unsigned int
+question_count(dns_rdataset_t *rdataset) {
+ /*
+ * This routine should never be called.
+ */
+ UNUSED(rdataset);
+ REQUIRE(0);
+
+ return (0);
+}
+
+static dns_rdatasetmethods_t question_methods = {
+ question_disassociate,
+ question_cursor,
+ question_cursor,
+ question_current,
+ question_clone,
+ question_count,
+ NULL,
+ NULL
+};
+
+void
+dns_rdataset_makequestion(dns_rdataset_t *rdataset, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type)
+{
+
+ /*
+ * Make 'rdataset' a valid, associated, question rdataset, with a
+ * question class of 'rdclass' and type 'type'.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods == NULL);
+
+ rdataset->methods = &question_methods;
+ rdataset->rdclass = rdclass;
+ rdataset->type = type;
+ rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
+}
+
+unsigned int
+dns_rdataset_count(dns_rdataset_t *rdataset) {
+
+ /*
+ * Return the number of records in 'rdataset'.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ return ((rdataset->methods->count)(rdataset));
+}
+
+void
+dns_rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+
+ /*
+ * Make 'target' refer to the same rdataset as 'source'.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(source));
+ REQUIRE(source->methods != NULL);
+ REQUIRE(DNS_RDATASET_VALID(target));
+ REQUIRE(target->methods == NULL);
+
+ (source->methods->clone)(source, target);
+}
+
+isc_result_t
+dns_rdataset_first(dns_rdataset_t *rdataset) {
+
+ /*
+ * Move the rdata cursor to the first rdata in the rdataset (if any).
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ return ((rdataset->methods->first)(rdataset));
+}
+
+isc_result_t
+dns_rdataset_next(dns_rdataset_t *rdataset) {
+
+ /*
+ * Move the rdata cursor to the next rdata in the rdataset (if any).
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ return ((rdataset->methods->next)(rdataset));
+}
+
+void
+dns_rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+
+ /*
+ * Make 'rdata' refer to the current rdata.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ (rdataset->methods->current)(rdataset, rdata);
+}
+
+#define MAX_SHUFFLE 32
+#define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0)
+#define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0)
+
+struct towire_sort {
+ int key;
+ dns_rdata_t *rdata;
+};
+
+static int
+towire_compare(const void *av, const void *bv) {
+ const struct towire_sort *a = (const struct towire_sort *) av;
+ const struct towire_sort *b = (const struct towire_sort *) bv;
+ return (a->key - b->key);
+}
+
+static isc_result_t
+towiresorted(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+ dns_compress_t *cctx, isc_buffer_t *target,
+ dns_rdatasetorderfunc_t order, void *order_arg,
+ isc_boolean_t partial, unsigned int options,
+ unsigned int *countp, void **state)
+{
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_region_t r;
+ isc_result_t result;
+ unsigned int i, count, added, choice;
+ isc_buffer_t savedbuffer, rdlen, rrbuffer;
+ unsigned int headlen;
+ isc_boolean_t question = ISC_FALSE;
+ isc_boolean_t shuffle = ISC_FALSE;
+ dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE];
+ struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE];
+
+ UNUSED(state);
+
+ /*
+ * Convert 'rdataset' to wire format, compressing names as specified
+ * in cctx, and storing the result in 'target'.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(countp != NULL);
+ REQUIRE((order == NULL) == (order_arg == NULL));
+ REQUIRE(cctx != NULL && cctx->mctx != NULL);
+
+ count = 0;
+ if ((rdataset->attributes & DNS_RDATASETATTR_QUESTION) != 0) {
+ question = ISC_TRUE;
+ count = 1;
+ result = dns_rdataset_first(rdataset);
+ INSIST(result == ISC_R_NOMORE);
+ } else if (rdataset->type == 0) {
+ /*
+ * This is a negative caching rdataset.
+ */
+ unsigned int ncache_opts = 0;
+ if ((options & DNS_RDATASETTOWIRE_OMITDNSSEC) != 0)
+ ncache_opts |= DNS_NCACHETOWIRE_OMITDNSSEC;
+ return (dns_ncache_towire(rdataset, cctx, target, ncache_opts,
+ countp));
+ } else {
+ count = (rdataset->methods->count)(rdataset);
+ result = dns_rdataset_first(rdataset);
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_SUCCESS);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ /*
+ * Do we want to shuffle this anwer?
+ */
+ if (!question && count > 1 &&
+ (!WANT_FIXED(rdataset) || order != NULL) &&
+ rdataset->type != dns_rdatatype_rrsig)
+ shuffle = ISC_TRUE;
+
+ if (shuffle && count > MAX_SHUFFLE) {
+ shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled));
+ sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted));
+ if (shuffled == NULL || sorted == NULL)
+ shuffle = ISC_FALSE;
+ } else {
+ shuffled = shuffled_fixed;
+ sorted = sorted_fixed;
+ }
+
+ if (shuffle) {
+ /*
+ * First we get handles to all of the rdata.
+ */
+ i = 0;
+ do {
+ INSIST(i < count);
+ dns_rdata_init(&shuffled[i]);
+ dns_rdataset_current(rdataset, &shuffled[i]);
+ i++;
+ result = dns_rdataset_next(rdataset);
+ } while (result == ISC_R_SUCCESS);
+ if (result != ISC_R_NOMORE)
+ goto cleanup;
+ INSIST(i == count);
+
+ /*
+ * Now we shuffle.
+ */
+ if (WANT_FIXED(rdataset)) {
+ /*
+ * 'Fixed' order.
+ */
+ INSIST(order != NULL);
+ for (i = 0; i < count; i++) {
+ sorted[i].key = (*order)(&shuffled[i],
+ order_arg);
+ sorted[i].rdata = &shuffled[i];
+ }
+ } else if (WANT_RANDOM(rdataset)) {
+ /*
+ * 'Random' order.
+ */
+ for (i = 0; i < count; i++) {
+ dns_rdata_t rdata;
+ isc_uint32_t val;
+
+ isc_random_get(&val);
+ choice = i + (val % (count - i));
+ rdata = shuffled[i];
+ shuffled[i] = shuffled[choice];
+ shuffled[choice] = rdata;
+ if (order != NULL)
+ sorted[i].key = (*order)(&shuffled[i],
+ order_arg);
+ else
+ sorted[i].key = 0; /* Unused */
+ sorted[i].rdata = &shuffled[i];
+ }
+ } else {
+ /*
+ * "Cyclic" order.
+ */
+ isc_uint32_t val;
+ unsigned int j;
+
+ val = rdataset->count;
+ if (val == ISC_UINT32_MAX)
+ isc_random_get(&val);
+ j = val % count;
+ for (i = 0; i < count; i++) {
+ if (order != NULL)
+ sorted[j].key = (*order)(&shuffled[i],
+ order_arg);
+ else
+ sorted[j].key = 0; /* Unused */
+ sorted[j].rdata = &shuffled[i];
+ j++;
+ if (j == count)
+ j = 0; /* Wrap around. */
+ }
+ }
+
+ /*
+ * Sorted order.
+ */
+ if (order != NULL)
+ qsort(sorted, count, sizeof(sorted[0]),
+ towire_compare);
+ }
+
+ savedbuffer = *target;
+ i = 0;
+ added = 0;
+
+ do {
+ /*
+ * Copy out the name, type, class, ttl.
+ */
+
+ rrbuffer = *target;
+ dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
+ result = dns_name_towire(owner_name, cctx, target);
+ if (result != ISC_R_SUCCESS)
+ goto rollback;
+ headlen = sizeof(dns_rdataclass_t) + sizeof(dns_rdatatype_t);
+ if (!question)
+ headlen += sizeof(dns_ttl_t)
+ + 2; /* XXX 2 for rdata len */
+ isc_buffer_availableregion(target, &r);
+ if (r.length < headlen) {
+ result = ISC_R_NOSPACE;
+ goto rollback;
+ }
+ isc_buffer_putuint16(target, rdataset->type);
+ isc_buffer_putuint16(target, rdataset->rdclass);
+ if (!question) {
+ isc_buffer_putuint32(target, rdataset->ttl);
+
+ /*
+ * Save space for rdlen.
+ */
+ rdlen = *target;
+ isc_buffer_add(target, 2);
+
+ /*
+ * Copy out the rdata
+ */
+ if (shuffle)
+ rdata = *(sorted[i].rdata);
+ else {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ }
+ result = dns_rdata_towire(&rdata, cctx, target);
+ if (result != ISC_R_SUCCESS)
+ goto rollback;
+ INSIST((target->used >= rdlen.used + 2) &&
+ (target->used - rdlen.used - 2 < 65536));
+ isc_buffer_putuint16(&rdlen,
+ (isc_uint16_t)(target->used -
+ rdlen.used - 2));
+ added++;
+ }
+
+ if (shuffle) {
+ i++;
+ if (i == count)
+ result = ISC_R_NOMORE;
+ else
+ result = ISC_R_SUCCESS;
+ } else {
+ result = dns_rdataset_next(rdataset);
+ }
+ } while (result == ISC_R_SUCCESS);
+
+ if (result != ISC_R_NOMORE)
+ goto rollback;
+
+ *countp += count;
+
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+
+ rollback:
+ if (partial && result == ISC_R_NOSPACE) {
+ INSIST(rrbuffer.used < 65536);
+ dns_compress_rollback(cctx, (isc_uint16_t)rrbuffer.used);
+ *countp += added;
+ *target = rrbuffer;
+ goto cleanup;
+ }
+ INSIST(savedbuffer.used < 65536);
+ dns_compress_rollback(cctx, (isc_uint16_t)savedbuffer.used);
+ *countp = 0;
+ *target = savedbuffer;
+
+ cleanup:
+ if (sorted != NULL && sorted != sorted_fixed)
+ isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
+ if (shuffled != NULL && shuffled != shuffled_fixed)
+ isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
+ return (result);
+}
+
+isc_result_t
+dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ dns_rdatasetorderfunc_t order,
+ void *order_arg,
+ unsigned int options,
+ unsigned int *countp)
+{
+ return (towiresorted(rdataset, owner_name, cctx, target,
+ order, order_arg, ISC_FALSE, options,
+ countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ dns_rdatasetorderfunc_t order,
+ void *order_arg,
+ unsigned int options,
+ unsigned int *countp,
+ void **state)
+{
+ REQUIRE(state == NULL); /* XXX remove when implemented */
+ return (towiresorted(rdataset, owner_name, cctx, target,
+ order, order_arg, ISC_TRUE, options,
+ countp, state));
+}
+
+isc_result_t
+dns_rdataset_towire(dns_rdataset_t *rdataset,
+ dns_name_t *owner_name,
+ dns_compress_t *cctx,
+ isc_buffer_t *target,
+ unsigned int options,
+ unsigned int *countp)
+{
+ return (towiresorted(rdataset, owner_name, cctx, target,
+ NULL, NULL, ISC_FALSE, options, countp, NULL));
+}
+
+isc_result_t
+dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
+ dns_additionaldatafunc_t add, void *arg)
+{
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+
+ /*
+ * For each rdata in rdataset, call 'add' for each name and type in the
+ * rdata which is subject to additional section processing.
+ */
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ do {
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_additionaldata(&rdata, add, arg);
+ if (result == ISC_R_SUCCESS)
+ result = dns_rdataset_next(rdataset);
+ dns_rdata_reset(&rdata);
+ } while (result == ISC_R_SUCCESS);
+
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
+
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+ if (rdataset->methods->addnoqname == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+ return((rdataset->methods->addnoqname)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
+ dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(rdataset->methods != NULL);
+
+ if (rdataset->methods->getnoqname == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+ return((rdataset->methods->getnoqname)(rdataset, name, nsec, nsecsig));
+}
diff --git a/contrib/bind9/lib/dns/rdatasetiter.c b/contrib/bind9/lib/dns/rdatasetiter.c
new file mode 100644
index 0000000..f3b0f8b
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdatasetiter.c
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdatasetiter.c,v 1.11.206.1 2004/03/06 08:13:44 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/util.h>
+
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+
+void
+dns_rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+ /*
+ * Destroy '*iteratorp'.
+ */
+
+ REQUIRE(iteratorp != NULL);
+ REQUIRE(DNS_RDATASETITER_VALID(*iteratorp));
+
+ (*iteratorp)->methods->destroy(iteratorp);
+
+ ENSURE(*iteratorp == NULL);
+}
+
+isc_result_t
+dns_rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ /*
+ * Move the rdataset cursor to the first rdataset at the node (if any).
+ */
+
+ REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+ return (iterator->methods->first(iterator));
+}
+
+isc_result_t
+dns_rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ /*
+ * Move the rdataset cursor to the next rdataset at the node (if any).
+ */
+
+ REQUIRE(DNS_RDATASETITER_VALID(iterator));
+
+ return (iterator->methods->next(iterator));
+}
+
+void
+dns_rdatasetiter_current(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset)
+{
+ /*
+ * Return the current rdataset.
+ */
+
+ REQUIRE(DNS_RDATASETITER_VALID(iterator));
+ REQUIRE(DNS_RDATASET_VALID(rdataset));
+ REQUIRE(! dns_rdataset_isassociated(rdataset));
+
+ iterator->methods->current(iterator, rdataset);
+}
diff --git a/contrib/bind9/lib/dns/rdataslab.c b/contrib/bind9/lib/dns/rdataslab.c
new file mode 100644
index 0000000..0604cd5
--- /dev/null
+++ b/contrib/bind9/lib/dns/rdataslab.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rdataslab.c,v 1.29.2.2.2.6 2004/03/08 09:04:31 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/rdata.h>
+#include <dns/rdataset.h>
+#include <dns/rdataslab.h>
+
+/* Note: the "const void *" are just to make qsort happy. */
+static int
+compare_rdata(const void *p1, const void *p2) {
+ const dns_rdata_t *rdata1 = p1;
+ const dns_rdata_t *rdata2 = p2;
+ return (dns_rdata_compare(rdata1, rdata2));
+}
+
+isc_result_t
+dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen)
+{
+ dns_rdata_t *rdatas;
+ unsigned char *rawbuf;
+ unsigned int buflen;
+ isc_result_t result;
+ unsigned int nitems;
+ unsigned int nalloc;
+ unsigned int i;
+
+ buflen = reservelen + 2;
+
+ nalloc = dns_rdataset_count(rdataset);
+ nitems = nalloc;
+ if (nitems == 0)
+ return (ISC_R_FAILURE);
+
+ rdatas = isc_mem_get(mctx, nalloc * sizeof(dns_rdata_t));
+ if (rdatas == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /*
+ * Save all of the rdata members into an array.
+ */
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto free_rdatas;
+ for (i = 0; i < nalloc && result == ISC_R_SUCCESS; i++) {
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdata_init(&rdatas[i]);
+ dns_rdataset_current(rdataset, &rdatas[i]);
+ result = dns_rdataset_next(rdataset);
+ }
+ if (result != ISC_R_NOMORE)
+ goto free_rdatas;
+ if (i != nalloc) {
+ /*
+ * Somehow we iterated over fewer rdatas than
+ * dns_rdataset_count() said there were!
+ */
+ result = ISC_R_FAILURE;
+ goto free_rdatas;
+ }
+
+ qsort(rdatas, nalloc, sizeof(dns_rdata_t), compare_rdata);
+
+ /*
+ * Remove duplicates and compute the total storage required.
+ *
+ * If an rdata is not a duplicate, accumulate the storage size
+ * required for the rdata. We do not store the class, type, etc,
+ * just the rdata, so our overhead is 2 bytes for the number of
+ * records, and 2 for each rdata length, and then the rdata itself.
+ */
+ for (i = 1; i < nalloc; i++) {
+ if (compare_rdata(&rdatas[i-1], &rdatas[i]) == 0) {
+ rdatas[i-1].data = NULL;
+ rdatas[i-1].length = 0;
+ nitems--;
+ } else
+ buflen += (2 + rdatas[i-1].length);
+ }
+ /*
+ * Don't forget the last item!
+ */
+ buflen += (2 + rdatas[i-1].length);
+
+ /*
+ * Ensure that singleton types are actually singletons.
+ */
+ if (nitems > 1 && dns_rdatatype_issingleton(rdataset->type)) {
+ /*
+ * We have a singleton type, but there's more than one
+ * RR in the rdataset.
+ */
+ result = DNS_R_SINGLETON;
+ goto free_rdatas;
+ }
+
+ /*
+ * Allocate the memory, set up a buffer, start copying in
+ * data.
+ */
+ rawbuf = isc_mem_get(mctx, buflen);
+ if (rawbuf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto free_rdatas;
+ }
+
+ region->base = rawbuf;
+ region->length = buflen;
+
+ rawbuf += reservelen;
+
+ *rawbuf++ = (nitems & 0xff00) >> 8;
+ *rawbuf++ = (nitems & 0x00ff);
+ for (i = 0; i < nalloc; i++) {
+ if (rdatas[i].data == NULL)
+ continue;
+ *rawbuf++ = (rdatas[i].length & 0xff00) >> 8;
+ *rawbuf++ = (rdatas[i].length & 0x00ff);
+ memcpy(rawbuf, rdatas[i].data, rdatas[i].length);
+ rawbuf += rdatas[i].length;
+ }
+ result = ISC_R_SUCCESS;
+
+ free_rdatas:
+ isc_mem_put(mctx, rdatas, nalloc * sizeof(dns_rdata_t));
+ return (result);
+}
+
+static void
+rdataset_disassociate(dns_rdataset_t *rdataset) {
+ UNUSED(rdataset);
+}
+
+static isc_result_t
+rdataset_first(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+ if (count == 0) {
+ rdataset->private5 = NULL;
+ return (ISC_R_NOMORE);
+ }
+ raw += 2;
+ /*
+ * The privateuint4 field is the number of rdata beyond the cursor
+ * position, so we decrement the total count by one before storing
+ * it.
+ */
+ count--;
+ rdataset->privateuint4 = count;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdataset_next(dns_rdataset_t *rdataset) {
+ unsigned int count;
+ unsigned int length;
+ unsigned char *raw;
+
+ count = rdataset->privateuint4;
+ if (count == 0)
+ return (ISC_R_NOMORE);
+ count--;
+ rdataset->privateuint4 = count;
+ raw = rdataset->private5;
+ length = raw[0] * 256 + raw[1];
+ raw += length + 2;
+ rdataset->private5 = raw;
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
+ unsigned char *raw = rdataset->private5;
+ isc_region_t r;
+
+ REQUIRE(raw != NULL);
+
+ r.length = raw[0] * 256 + raw[1];
+ raw += 2;
+ r.base = raw;
+ dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ *target = *source;
+
+ /*
+ * Reset iterator state.
+ */
+ target->privateuint4 = 0;
+ target->private5 = NULL;
+}
+
+static unsigned int
+rdataset_count(dns_rdataset_t *rdataset) {
+ unsigned char *raw = rdataset->private3;
+ unsigned int count;
+
+ count = raw[0] * 256 + raw[1];
+
+ return (count);
+}
+
+static dns_rdatasetmethods_t rdataset_methods = {
+ rdataset_disassociate,
+ rdataset_first,
+ rdataset_next,
+ rdataset_current,
+ rdataset_clone,
+ rdataset_count,
+ NULL,
+ NULL
+};
+
+void
+dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+ dns_rdataclass_t rdclass, dns_rdatatype_t rdtype,
+ dns_rdatatype_t covers, dns_ttl_t ttl,
+ dns_rdataset_t *rdataset)
+{
+ REQUIRE(slab != NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+ rdataset->methods = &rdataset_methods;
+ rdataset->rdclass = rdclass;
+ rdataset->type = rdtype;
+ rdataset->covers = covers;
+ rdataset->ttl = ttl;
+ rdataset->trust = 0;
+ rdataset->private1 = NULL;
+ rdataset->private2 = NULL;
+ rdataset->private3 = slab + reservelen;
+
+ /*
+ * Reset iterator state.
+ */
+ rdataset->privateuint4 = 0;
+ rdataset->private5 = NULL;
+}
+
+unsigned int
+dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
+ unsigned int count, length;
+ unsigned char *current;
+
+ REQUIRE(slab != NULL);
+
+ current = slab + reservelen;
+ count = *current++ * 256;
+ count += *current++;
+ while (count > 0) {
+ count--;
+ length = *current++ * 256;
+ length += *current++;
+ current += length;
+ }
+
+ return ((unsigned int)(current - slab));
+}
+
+/*
+ * Make the dns_rdata_t 'rdata' refer to the slab item
+ * beginning at '*current', which is part of a slab of type
+ * 'type' and class 'rdclass', and advance '*current' to
+ * point to the next item in the slab.
+ */
+static inline void
+rdata_from_slab(unsigned char **current,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ dns_rdata_t *rdata)
+{
+ unsigned char *tcurrent = *current;
+ isc_region_t region;
+
+ region.length = *tcurrent++ * 256;
+ region.length += *tcurrent++;
+ region.base = tcurrent;
+ tcurrent += region.length;
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ *current = tcurrent;
+}
+
+/*
+ * Return true iff 'slab' (slab data of type 'type' and class 'rdclass')
+ * contains an rdata identical to 'rdata'. This does case insensitive
+ * comparisons per DNSSEC.
+ */
+static inline isc_boolean_t
+rdata_in_slab(unsigned char *slab, unsigned int reservelen,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ dns_rdata_t *rdata)
+{
+ unsigned int count, i;
+ unsigned char *current;
+ dns_rdata_t trdata = DNS_RDATA_INIT;
+
+ current = slab + reservelen;
+ count = *current++ * 256;
+ count += *current++;
+
+ for (i = 0; i < count; i++) {
+ rdata_from_slab(&current, rdclass, type, &trdata);
+ if (dns_rdata_compare(&trdata, rdata) == 0)
+ return (ISC_TRUE);
+ dns_rdata_reset(&trdata);
+ }
+ return (ISC_FALSE);
+}
+
+isc_result_t
+dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ unsigned int reservelen, isc_mem_t *mctx,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int flags, unsigned char **tslabp)
+{
+ unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent;
+ unsigned int ocount, ncount, count, olength, tlength, tcount, length;
+ isc_region_t nregion;
+ dns_rdata_t ordata = DNS_RDATA_INIT;
+ dns_rdata_t nrdata = DNS_RDATA_INIT;
+ isc_boolean_t added_something = ISC_FALSE;
+ unsigned int oadded = 0;
+ unsigned int nadded = 0;
+ unsigned int nncount = 0;
+
+ /*
+ * XXX Need parameter to allow "delete rdatasets in nslab" merge,
+ * or perhaps another merge routine for this purpose.
+ */
+
+ REQUIRE(tslabp != NULL && *tslabp == NULL);
+ REQUIRE(oslab != NULL && nslab != NULL);
+
+ ocurrent = oslab + reservelen;
+ ocount = *ocurrent++ * 256;
+ ocount += *ocurrent++;
+ ostart = ocurrent;
+ ncurrent = nslab + reservelen;
+ ncount = *ncurrent++ * 256;
+ ncount += *ncurrent++;
+ INSIST(ocount > 0 && ncount > 0);
+
+ /*
+ * Yes, this is inefficient!
+ */
+
+ /*
+ * Figure out the length of the old slab's data.
+ */
+ olength = 0;
+ for (count = 0; count < ocount; count++) {
+ length = *ocurrent++ * 256;
+ length += *ocurrent++;
+ olength += length + 2;
+ ocurrent += length;
+ }
+
+ /*
+ * Start figuring out the target length and count.
+ */
+ tlength = reservelen + 2 + olength;
+ tcount = ocount;
+
+ /*
+ * Add in the length of rdata in the new slab that aren't in
+ * the old slab.
+ */
+ do {
+ nregion.length = *ncurrent++ * 256;
+ nregion.length += *ncurrent++;
+ nregion.base = ncurrent;
+ dns_rdata_init(&nrdata);
+ dns_rdata_fromregion(&nrdata, rdclass, type, &nregion);
+ if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
+ {
+ /*
+ * This rdata isn't in the old slab.
+ */
+ tlength += nregion.length + 2;
+ tcount++;
+ nncount++;
+ added_something = ISC_TRUE;
+ }
+ ncurrent += nregion.length;
+ ncount--;
+ } while (ncount > 0);
+ ncount = nncount;
+
+ if (((flags & DNS_RDATASLAB_EXACT) != 0) &&
+ (tcount != ncount + ocount))
+ return (DNS_R_NOTEXACT);
+
+ if (!added_something && (flags & DNS_RDATASLAB_FORCE) == 0)
+ return (DNS_R_UNCHANGED);
+
+ /*
+ * Ensure that singleton types are actually singletons.
+ */
+ if (tcount > 1 && dns_rdatatype_issingleton(type)) {
+ /*
+ * We have a singleton type, but there's more than one
+ * RR in the rdataset.
+ */
+ return (DNS_R_SINGLETON);
+ }
+
+ /*
+ * Copy the reserved area from the new slab.
+ */
+ tstart = isc_mem_get(mctx, tlength);
+ if (tstart == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(tstart, nslab, reservelen);
+ tcurrent = tstart + reservelen;
+
+ /*
+ * Write the new count.
+ */
+ *tcurrent++ = (tcount & 0xff00) >> 8;
+ *tcurrent++ = (tcount & 0x00ff);
+
+ /*
+ * Merge the two slabs.
+ */
+ ocurrent = ostart;
+ INSIST(ocount != 0);
+ rdata_from_slab(&ocurrent, rdclass, type, &ordata);
+
+ ncurrent = nslab + reservelen + 2;
+ if (ncount > 0) {
+ do {
+ dns_rdata_reset(&nrdata);
+ rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
+ } while (rdata_in_slab(oslab, reservelen, rdclass,
+ type, &nrdata));
+ }
+
+ while (oadded < ocount || nadded < ncount) {
+ isc_boolean_t fromold;
+ if (oadded == ocount)
+ fromold = ISC_FALSE;
+ else if (nadded == ncount)
+ fromold = ISC_TRUE;
+ else
+ fromold = ISC_TF(compare_rdata(&ordata, &nrdata) < 0);
+ if (fromold) {
+ length = ordata.length;
+ *tcurrent++ = (length & 0xff00) >> 8;
+ *tcurrent++ = (length & 0x00ff);
+ memcpy(tcurrent, ordata.data, length);
+ tcurrent += length;
+ oadded++;
+ if (oadded < ocount) {
+ dns_rdata_reset(&ordata);
+ rdata_from_slab(&ocurrent, rdclass, type,
+ &ordata);
+ }
+ } else {
+ length = nrdata.length;
+ *tcurrent++ = (length & 0xff00) >> 8;
+ *tcurrent++ = (length & 0x00ff);
+ memcpy(tcurrent, nrdata.data, length);
+ tcurrent += length;
+ nadded++;
+ if (nadded < ncount) {
+ do {
+ dns_rdata_reset(&nrdata);
+ rdata_from_slab(&ncurrent, rdclass,
+ type, &nrdata);
+ } while (rdata_in_slab(oslab, reservelen,
+ rdclass, type,
+ &nrdata));
+ }
+ }
+ }
+
+ INSIST(tcurrent == tstart + tlength);
+
+ *tslabp = tstart;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
+ unsigned int reservelen, isc_mem_t *mctx,
+ dns_rdataclass_t rdclass, dns_rdatatype_t type,
+ unsigned int flags, unsigned char **tslabp)
+{
+ unsigned char *mcurrent, *sstart, *scurrent, *tstart, *tcurrent;
+ unsigned int mcount, scount, rcount ,count, tlength, tcount;
+ dns_rdata_t srdata = DNS_RDATA_INIT;
+ dns_rdata_t mrdata = DNS_RDATA_INIT;
+
+ REQUIRE(tslabp != NULL && *tslabp == NULL);
+ REQUIRE(mslab != NULL && sslab != NULL);
+
+ mcurrent = mslab + reservelen;
+ mcount = *mcurrent++ * 256;
+ mcount += *mcurrent++;
+ scurrent = sslab + reservelen;
+ scount = *scurrent++ * 256;
+ scount += *scurrent++;
+ sstart = scurrent;
+ INSIST(mcount > 0 && scount > 0);
+
+ /*
+ * Yes, this is inefficient!
+ */
+
+ /*
+ * Start figuring out the target length and count.
+ */
+ tlength = reservelen + 2;
+ tcount = 0;
+ rcount = 0;
+
+ /*
+ * Add in the length of rdata in the mslab that aren't in
+ * the sslab.
+ */
+ do {
+ unsigned char *mrdatabegin = mcurrent;
+ rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+ scurrent = sstart;
+ for (count = 0; count < scount; count++) {
+ dns_rdata_reset(&srdata);
+ rdata_from_slab(&scurrent, rdclass, type, &srdata);
+ if (dns_rdata_compare(&mrdata, &srdata) == 0)
+ break;
+ }
+ if (count == scount) {
+ /*
+ * This rdata isn't in the sslab, and thus isn't
+ * being subtracted.
+ */
+ tlength += mcurrent - mrdatabegin;
+ tcount++;
+ } else
+ rcount++;
+ mcount--;
+ dns_rdata_reset(&mrdata);
+ } while (mcount > 0);
+
+ /*
+ * Check that all the records originally existed. The numeric
+ * check only works as rdataslabs do not contain duplicates.
+ */
+ if (((flags & DNS_RDATASLAB_EXACT) != 0) && (rcount != scount))
+ return (DNS_R_NOTEXACT);
+
+ /*
+ * Don't continue if the new rdataslab would be empty.
+ */
+ if (tcount == 0)
+ return (DNS_R_NXRRSET);
+
+ /*
+ * If nothing is going to change, we can stop.
+ */
+ if (rcount == 0)
+ return (DNS_R_UNCHANGED);
+
+ /*
+ * Copy the reserved area from the mslab.
+ */
+ tstart = isc_mem_get(mctx, tlength);
+ if (tstart == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(tstart, mslab, reservelen);
+ tcurrent = tstart + reservelen;
+
+ /*
+ * Write the new count.
+ */
+ *tcurrent++ = (tcount & 0xff00) >> 8;
+ *tcurrent++ = (tcount & 0x00ff);
+
+ /*
+ * Copy the parts of mslab not in sslab.
+ */
+ mcurrent = mslab + reservelen;
+ mcount = *mcurrent++ * 256;
+ mcount += *mcurrent++;
+ do {
+ unsigned char *mrdatabegin = mcurrent;
+ rdata_from_slab(&mcurrent, rdclass, type, &mrdata);
+ scurrent = sstart;
+ for (count = 0; count < scount; count++) {
+ dns_rdata_reset(&srdata);
+ rdata_from_slab(&scurrent, rdclass, type, &srdata);
+ if (dns_rdata_compare(&mrdata, &srdata) == 0)
+ break;
+ }
+ if (count == scount) {
+ /*
+ * This rdata isn't in the sslab, and thus should be
+ * copied to the tslab.
+ */
+ unsigned int length = mcurrent - mrdatabegin;
+ memcpy(tcurrent, mrdatabegin, length);
+ tcurrent += length;
+ }
+ dns_rdata_reset(&mrdata);
+ mcount--;
+ } while (mcount > 0);
+
+ INSIST(tcurrent == tstart + tlength);
+
+ *tslabp = tstart;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
+ unsigned int reservelen)
+{
+ unsigned char *current1, *current2;
+ unsigned int count1, count2;
+ unsigned int length1, length2;
+
+ current1 = slab1 + reservelen;
+ count1 = *current1++ * 256;
+ count1 += *current1++;
+
+ current2 = slab2 + reservelen;
+ count2 = *current2++ * 256;
+ count2 += *current2++;
+
+ if (count1 != count2)
+ return (ISC_FALSE);
+
+ while (count1 > 0) {
+ length1 = *current1++ * 256;
+ length1 += *current1++;
+
+ length2 = *current2++ * 256;
+ length2 += *current2++;
+
+ if (length1 != length2 ||
+ memcmp(current1, current2, length1) != 0)
+ return (ISC_FALSE);
+
+ current1 += length1;
+ current2 += length1;
+
+ count1--;
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
+ unsigned int reservelen, dns_rdataclass_t rdclass,
+ dns_rdatatype_t type)
+{
+ unsigned char *current1, *current2;
+ unsigned int count1, count2;
+ dns_rdata_t rdata1 = DNS_RDATA_INIT;
+ dns_rdata_t rdata2 = DNS_RDATA_INIT;
+
+ current1 = slab1 + reservelen;
+ count1 = *current1++ * 256;
+ count1 += *current1++;
+
+ current2 = slab2 + reservelen;
+ count2 = *current2++ * 256;
+ count2 += *current2++;
+
+ if (count1 != count2)
+ return (ISC_FALSE);
+
+ while (count1-- > 0) {
+ rdata_from_slab(&current1, rdclass, type, &rdata1);
+ rdata_from_slab(&current2, rdclass, type, &rdata2);
+ if (dns_rdata_compare(&rdata1, &rdata2) != 0)
+ return (ISC_FALSE);
+ dns_rdata_reset(&rdata1);
+ dns_rdata_reset(&rdata2);
+ }
+ return (ISC_TRUE);
+}
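Review bot: The record count is written into a 16-bit slab header with no range check: `*rawbuf++ = (nitems & 0xff00) >> 8;` in dns_rdataslab_fromrdataset and `*tcurrent++ = (tcount & 0xff00) >> 8;` in dns_rdataslab_merge both silently truncate a count above 65535, while buflen/tlength and the copy loops still cover every record. In merge, tcount is the sum of two counts that are each read from a 16-bit field, so it can exceed the field even when both input slabs are well-formed; in fromrdataset it depends on what dns_rdataset_count() returns, which this hunk does not bound. A slab stored that way would later be walked by rdataset_first, rdataset_count and dns_rdataslab_size with the truncated count, so the size they derive would no longer match what was allocated. I would reject the oversized case before allocating, with `if (nitems > 0xffff) { result = ISC_R_NOSPACE; goto free_rdatas; }` after the duplicate-removal loop and `if (tcount > 0xffff) return (ISC_R_NOSPACE);` ahead of `isc_mem_get(mctx, tlength)`.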
diff --git a/contrib/bind9/lib/dns/request.c b/contrib/bind9/lib/dns/request.c
new file mode 100644
index 0000000..3ec845f
--- /dev/null
+++ b/contrib/bind9/lib/dns/request.c
@@ -0,0 +1,1455 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: request.c,v 1.64.2.1.10.6 2004/03/08 09:04:31 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/compress.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/request.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#define REQUESTMGR_MAGIC ISC_MAGIC('R', 'q', 'u', 'M')
+#define VALID_REQUESTMGR(mgr) ISC_MAGIC_VALID(mgr, REQUESTMGR_MAGIC)
+
+#define REQUEST_MAGIC ISC_MAGIC('R', 'q', 'u', '!')
+#define VALID_REQUEST(request) ISC_MAGIC_VALID(request, REQUEST_MAGIC)
+
+typedef ISC_LIST(dns_request_t) dns_requestlist_t;
+
+#define DNS_REQUEST_NLOCKS 7
+
+struct dns_requestmgr {
+ unsigned int magic;
+ isc_mutex_t lock;
+ isc_mem_t *mctx;
+
+ /* locked */
+ isc_int32_t eref;
+ isc_int32_t iref;
+ isc_timermgr_t *timermgr;
+ isc_socketmgr_t *socketmgr;
+ isc_taskmgr_t *taskmgr;
+ dns_dispatchmgr_t *dispatchmgr;
+ dns_dispatch_t *dispatchv4;
+ dns_dispatch_t *dispatchv6;
+ isc_boolean_t exiting;
+ isc_eventlist_t whenshutdown;
+ unsigned int hash;
+ isc_mutex_t locks[DNS_REQUEST_NLOCKS];
+ dns_requestlist_t requests;
+};
+
+struct dns_request {
+ unsigned int magic;
+ unsigned int hash;
+ isc_mem_t *mctx;
+ isc_int32_t flags;
+ ISC_LINK(dns_request_t) link;
+ isc_buffer_t *query;
+ isc_buffer_t *answer;
+ dns_requestevent_t *event;
+ dns_dispatch_t *dispatch;
+ dns_dispentry_t *dispentry;
+ isc_timer_t *timer;
+ dns_requestmgr_t *requestmgr;
+ isc_buffer_t *tsig;
+ dns_tsigkey_t *tsigkey;
+ isc_event_t ctlevent;
+ isc_boolean_t canceling; /* ctlevent outstanding */
+ isc_sockaddr_t destaddr;
+ unsigned int udpcount;
+};
+
+#define DNS_REQUEST_F_CONNECTING 0x0001
+#define DNS_REQUEST_F_SENDING 0x0002
+#define DNS_REQUEST_F_CANCELED 0x0004 /* ctlevent received, or otherwise
+ synchronously canceled */
+#define DNS_REQUEST_F_TIMEDOUT 0x0008 /* cancelled due to a timeout */
+#define DNS_REQUEST_F_TCP 0x0010 /* This request used TCP */
+#define DNS_REQUEST_CANCELED(r) \
+ (((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
+#define DNS_REQUEST_CONNECTING(r) \
+ (((r)->flags & DNS_REQUEST_F_CONNECTING) != 0)
+#define DNS_REQUEST_SENDING(r) \
+ (((r)->flags & DNS_REQUEST_F_SENDING) != 0)
+#define DNS_REQUEST_TIMEDOUT(r) \
+ (((r)->flags & DNS_REQUEST_F_TIMEDOUT) != 0)
+
+
+/***
+ *** Forward
+ ***/
+
+static void mgr_destroy(dns_requestmgr_t *requestmgr);
+static void mgr_shutdown(dns_requestmgr_t *requestmgr);
+static unsigned int mgr_gethash(dns_requestmgr_t *requestmgr);
+static void send_shutdown_events(dns_requestmgr_t *requestmgr);
+
+static isc_result_t req_render(dns_message_t *message, isc_buffer_t **buffer,
+ unsigned int options, isc_mem_t *mctx);
+static void req_senddone(isc_task_t *task, isc_event_t *event);
+static void req_response(isc_task_t *task, isc_event_t *event);
+static void req_timeout(isc_task_t *task, isc_event_t *event);
+static void req_connected(isc_task_t *task, isc_event_t *event);
+static void req_sendevent(dns_request_t *request, isc_result_t result);
+static void req_cancel(dns_request_t *request);
+static void req_destroy(dns_request_t *request);
+static void req_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+static void do_cancel(isc_task_t *task, isc_event_t *event);
+
+/***
+ *** Public
+ ***/
+
+isc_result_t
+dns_requestmgr_create(isc_mem_t *mctx,
+ isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr,
+ isc_taskmgr_t *taskmgr,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4,
+ dns_dispatch_t *dispatchv6,
+ dns_requestmgr_t **requestmgrp)
+{
+ dns_requestmgr_t *requestmgr;
+ isc_socket_t *socket;
+ isc_result_t result;
+ int i;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create");
+
+ REQUIRE(requestmgrp != NULL && *requestmgrp == NULL);
+ REQUIRE(timermgr != NULL);
+ REQUIRE(socketmgr != NULL);
+ REQUIRE(taskmgr != NULL);
+ REQUIRE(dispatchmgr != NULL);
+ if (dispatchv4 != NULL) {
+ socket = dns_dispatch_getsocket(dispatchv4);
+ REQUIRE(isc_socket_gettype(socket) == isc_sockettype_udp);
+ }
+ if (dispatchv6 != NULL) {
+ socket = dns_dispatch_getsocket(dispatchv6);
+ REQUIRE(isc_socket_gettype(socket) == isc_sockettype_udp);
+ }
+
+ requestmgr = isc_mem_get(mctx, sizeof(*requestmgr));
+ if (requestmgr == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&requestmgr->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+ return (result);
+ }
+ for (i = 0; i < DNS_REQUEST_NLOCKS; i++) {
+ result = isc_mutex_init(&requestmgr->locks[i]);
+ if (result != ISC_R_SUCCESS) {
+ while (--i >= 0)
+ DESTROYLOCK(&requestmgr->locks[i]);
+ DESTROYLOCK(&requestmgr->lock);
+ isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+ return (result);
+ }
+ }
+ requestmgr->timermgr = timermgr;
+ requestmgr->socketmgr = socketmgr;
+ requestmgr->taskmgr = taskmgr;
+ requestmgr->dispatchmgr = dispatchmgr;
+ requestmgr->dispatchv4 = NULL;
+ if (dispatchv4 != NULL)
+ dns_dispatch_attach(dispatchv4, &requestmgr->dispatchv4);
+ requestmgr->dispatchv6 = NULL;
+ if (dispatchv6 != NULL)
+ dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
+ requestmgr->mctx = NULL;
+ isc_mem_attach(mctx, &requestmgr->mctx);
+ requestmgr->eref = 1; /* implict attach */
+ requestmgr->iref = 0;
+ ISC_LIST_INIT(requestmgr->whenshutdown);
+ ISC_LIST_INIT(requestmgr->requests);
+ requestmgr->exiting = ISC_FALSE;
+ requestmgr->hash = 0;
+ requestmgr->magic = REQUESTMGR_MAGIC;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_create: %p", requestmgr);
+
+ *requestmgrp = requestmgr;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_requestmgr_whenshutdown(dns_requestmgr_t *requestmgr, isc_task_t *task,
+ isc_event_t **eventp)
+{
+ isc_task_t *clone;
+ isc_event_t *event;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_whenshutdown");
+
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+ REQUIRE(eventp != NULL);
+
+ event = *eventp;
+ *eventp = NULL;
+
+ LOCK(&requestmgr->lock);
+
+ if (requestmgr->exiting) {
+ /*
+ * We're already shutdown. Send the event.
+ */
+ event->ev_sender = requestmgr;
+ isc_task_send(task, &event);
+ } else {
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event->ev_sender = clone;
+ ISC_LIST_APPEND(requestmgr->whenshutdown, event, ev_link);
+ }
+ UNLOCK(&requestmgr->lock);
+}
+
+void
+dns_requestmgr_shutdown(dns_requestmgr_t *requestmgr) {
+
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_shutdown: %p", requestmgr);
+
+ LOCK(&requestmgr->lock);
+ mgr_shutdown(requestmgr);
+ UNLOCK(&requestmgr->lock);
+}
+
+static void
+mgr_shutdown(dns_requestmgr_t *requestmgr) {
+ dns_request_t *request;
+
+ /*
+ * Caller holds lock.
+ */
+ if (!requestmgr->exiting) {
+ requestmgr->exiting = ISC_TRUE;
+ for (request = ISC_LIST_HEAD(requestmgr->requests);
+ request != NULL;
+ request = ISC_LIST_NEXT(request, link)) {
+ dns_request_cancel(request);
+ }
+ if (requestmgr->iref == 0) {
+ INSIST(ISC_LIST_EMPTY(requestmgr->requests));
+ send_shutdown_events(requestmgr);
+ }
+ }
+}
+
+static void
+requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+
+ /*
+ * Locked by caller.
+ */
+
+ REQUIRE(VALID_REQUESTMGR(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ REQUIRE(!source->exiting);
+
+ source->iref++;
+ *targetp = source;
+
+ req_log(ISC_LOG_DEBUG(3), "requestmgr_attach: %p: eref %d iref %d",
+ source, source->eref, source->iref);
+}
+
+static void
+requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+ dns_requestmgr_t *requestmgr;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(requestmgrp != NULL);
+ requestmgr = *requestmgrp;
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+ *requestmgrp = NULL;
+ LOCK(&requestmgr->lock);
+ INSIST(requestmgr->iref > 0);
+ requestmgr->iref--;
+
+ req_log(ISC_LOG_DEBUG(3), "requestmgr_detach: %p: eref %d iref %d",
+ requestmgr, requestmgr->eref, requestmgr->iref);
+
+ if (requestmgr->iref == 0 && requestmgr->exiting) {
+ INSIST(ISC_LIST_HEAD(requestmgr->requests) == NULL);
+ send_shutdown_events(requestmgr);
+ if (requestmgr->eref == 0)
+ need_destroy = ISC_TRUE;
+ }
+ UNLOCK(&requestmgr->lock);
+
+ if (need_destroy)
+ mgr_destroy(requestmgr);
+}
+
+void
+dns_requestmgr_attach(dns_requestmgr_t *source, dns_requestmgr_t **targetp) {
+
+ REQUIRE(VALID_REQUESTMGR(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+ REQUIRE(!source->exiting);
+
+ LOCK(&source->lock);
+ source->eref++;
+ *targetp = source;
+ UNLOCK(&source->lock);
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_attach: %p: eref %d iref %d",
+ source, source->eref, source->iref);
+}
+
+void
+dns_requestmgr_detach(dns_requestmgr_t **requestmgrp) {
+ dns_requestmgr_t *requestmgr;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(requestmgrp != NULL);
+ requestmgr = *requestmgrp;
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+
+ LOCK(&requestmgr->lock);
+ INSIST(requestmgr->eref > 0);
+ requestmgr->eref--;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_requestmgr_detach: %p: eref %d iref %d",
+ requestmgr, requestmgr->eref, requestmgr->iref);
+
+ if (requestmgr->eref == 0 && requestmgr->iref == 0) {
+ INSIST(requestmgr->exiting &&
+ ISC_LIST_HEAD(requestmgr->requests) == NULL);
+ need_destroy = ISC_TRUE;
+ }
+ UNLOCK(&requestmgr->lock);
+
+ if (need_destroy)
+ mgr_destroy(requestmgr);
+
+ *requestmgrp = NULL;
+}
+
+static void
+send_shutdown_events(dns_requestmgr_t *requestmgr) {
+ isc_event_t *event, *next_event;
+ isc_task_t *etask;
+
+ req_log(ISC_LOG_DEBUG(3), "send_shutdown_events: %p", requestmgr);
+
+ /*
+ * Caller must be holding the manager lock.
+ */
+ for (event = ISC_LIST_HEAD(requestmgr->whenshutdown);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ ISC_LIST_UNLINK(requestmgr->whenshutdown, event, ev_link);
+ etask = event->ev_sender;
+ event->ev_sender = requestmgr;
+ isc_task_sendanddetach(&etask, &event);
+ }
+}
+
+static void
+mgr_destroy(dns_requestmgr_t *requestmgr) {
+ int i;
+ isc_mem_t *mctx;
+
+ req_log(ISC_LOG_DEBUG(3), "mgr_destroy");
+
+ REQUIRE(requestmgr->eref == 0);
+ REQUIRE(requestmgr->iref == 0);
+
+ DESTROYLOCK(&requestmgr->lock);
+ for (i = 0; i < DNS_REQUEST_NLOCKS; i++)
+ DESTROYLOCK(&requestmgr->locks[i]);
+ if (requestmgr->dispatchv4 != NULL)
+ dns_dispatch_detach(&requestmgr->dispatchv4);
+ if (requestmgr->dispatchv6 != NULL)
+ dns_dispatch_detach(&requestmgr->dispatchv6);
+ requestmgr->magic = 0;
+ mctx = requestmgr->mctx;
+ isc_mem_put(mctx, requestmgr, sizeof(*requestmgr));
+ isc_mem_detach(&mctx);
+}
+
+static unsigned int
+mgr_gethash(dns_requestmgr_t *requestmgr) {
+ req_log(ISC_LOG_DEBUG(3), "mgr_gethash");
+ /*
+ * Locked by caller.
+ */
+ requestmgr->hash++;
+ return (requestmgr->hash % DNS_REQUEST_NLOCKS);
+}
+
+static inline isc_result_t
+req_send(dns_request_t *request, isc_task_t *task, isc_sockaddr_t *address) {
+ isc_region_t r;
+ isc_socket_t *socket;
+ isc_result_t result;
+
+ req_log(ISC_LOG_DEBUG(3), "req_send: request %p", request);
+
+ REQUIRE(VALID_REQUEST(request));
+ socket = dns_dispatch_getsocket(request->dispatch);
+ isc_buffer_usedregion(request->query, &r);
+ result = isc_socket_sendto(socket, &r, task, req_senddone,
+ request, address, NULL);
+ if (result == ISC_R_SUCCESS)
+ request->flags |= DNS_REQUEST_F_SENDING;
+ return (result);
+}
+
+static isc_result_t
+new_request(isc_mem_t *mctx, dns_request_t **requestp) {
+ dns_request_t *request;
+
+ request = isc_mem_get(mctx, sizeof(*request));
+ if (request == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /*
+ * Zero structure.
+ */
+ request->magic = 0;
+ request->mctx = NULL;
+ request->flags = 0;
+ ISC_LINK_INIT(request, link);
+ request->query = NULL;
+ request->answer = NULL;
+ request->event = NULL;
+ request->dispatch = NULL;
+ request->dispentry = NULL;
+ request->timer = NULL;
+ request->requestmgr = NULL;
+ request->tsig = NULL;
+ request->tsigkey = NULL;
+ ISC_EVENT_INIT(&request->ctlevent, sizeof(request->ctlevent), 0, NULL,
+ DNS_EVENT_REQUESTCONTROL, do_cancel, request, NULL,
+ NULL, NULL);
+ request->canceling = ISC_FALSE;
+ request->udpcount = 0;
+
+ isc_mem_attach(mctx, &request->mctx);
+
+ request->magic = REQUEST_MAGIC;
+ *requestp = request;
+ return (ISC_R_SUCCESS);
+}
+
+
+static isc_boolean_t
+isblackholed(dns_dispatchmgr_t *dispatchmgr, isc_sockaddr_t *destaddr) {
+ dns_acl_t *blackhole;
+ isc_netaddr_t netaddr;
+ int match;
+ isc_boolean_t drop = ISC_FALSE;
+ char netaddrstr[ISC_NETADDR_FORMATSIZE];
+
+ blackhole = dns_dispatchmgr_getblackhole(dispatchmgr);
+ if (blackhole != NULL) {
+ isc_netaddr_fromsockaddr(&netaddr, destaddr);
+ if (dns_acl_match(&netaddr, NULL, blackhole,
+ NULL, &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ drop = ISC_TRUE;
+ }
+ if (drop) {
+ isc_netaddr_format(&netaddr, netaddrstr, sizeof(netaddrstr));
+ req_log(ISC_LOG_DEBUG(10), "blackholed address %s", netaddrstr);
+ }
+ return (drop);
+}
+
+static isc_result_t
+create_tcp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
+ isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
+{
+ isc_result_t result;
+ isc_socket_t *socket = NULL;
+ isc_sockaddr_t src;
+ unsigned int attrs;
+ isc_sockaddr_t bind_any;
+
+ result = isc_socket_create(requestmgr->socketmgr,
+ isc_sockaddr_pf(destaddr),
+ isc_sockettype_tcp, &socket);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (srcaddr == NULL) {
+ isc_sockaddr_anyofpf(&bind_any,
+ isc_sockaddr_pf(destaddr));
+ result = isc_socket_bind(socket, &bind_any);
+ } else {
+ src = *srcaddr;
+ isc_sockaddr_setport(&src, 0);
+ result = isc_socket_bind(socket, &src);
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_TCP;
+ attrs |= DNS_DISPATCHATTR_PRIVATE;
+ if (isc_sockaddr_pf(destaddr) == AF_INET)
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ else
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+ result = dns_dispatch_createtcp(requestmgr->dispatchmgr,
+ socket, requestmgr->taskmgr,
+ 4096, 2, 1, 1, 3, attrs,
+ dispatchp);
+cleanup:
+ isc_socket_detach(&socket);
+ return (result);
+}
+
+static isc_result_t
+find_udp_dispatch(dns_requestmgr_t *requestmgr, isc_sockaddr_t *srcaddr,
+ isc_sockaddr_t *destaddr, dns_dispatch_t **dispatchp)
+{
+ dns_dispatch_t *disp = NULL;
+ unsigned int attrs, attrmask;
+
+ if (srcaddr == NULL) {
+ switch (isc_sockaddr_pf(destaddr)) {
+ case PF_INET:
+ disp = requestmgr->dispatchv4;
+ break;
+
+ case PF_INET6:
+ disp = requestmgr->dispatchv6;
+ break;
+
+ default:
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+ if (disp == NULL)
+ return (ISC_R_FAMILYNOSUPPORT);
+ dns_dispatch_attach(disp, dispatchp);
+ return (ISC_R_SUCCESS);
+ }
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_UDP;
+ switch (isc_sockaddr_pf(srcaddr)) {
+ case PF_INET:
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ break;
+
+ case PF_INET6:
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ break;
+
+ default:
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+ attrmask = 0;
+ attrmask |= DNS_DISPATCHATTR_UDP;
+ attrmask |= DNS_DISPATCHATTR_TCP;
+ attrmask |= DNS_DISPATCHATTR_IPV4;
+ attrmask |= DNS_DISPATCHATTR_IPV6;
+ return (dns_dispatch_getudp(requestmgr->dispatchmgr,
+ requestmgr->socketmgr,
+ requestmgr->taskmgr,
+ srcaddr, 4096,
+ 1000, 32768, 16411, 16433,
+ attrs, attrmask,
+ dispatchp));
+}
+
+static isc_result_t
+get_dispatch(isc_boolean_t tcp, dns_requestmgr_t *requestmgr,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ dns_dispatch_t **dispatchp)
+{
+ isc_result_t result;
+ if (tcp)
+ result = create_tcp_dispatch(requestmgr, srcaddr,
+ destaddr, dispatchp);
+ else
+ result = find_udp_dispatch(requestmgr, srcaddr,
+ destaddr, dispatchp);
+ return (result);
+}
+
+static isc_result_t
+set_timer(isc_timer_t *timer, unsigned int timeout, unsigned int udpresend) {
+ isc_time_t expires;
+ isc_interval_t interval;
+ isc_result_t result;
+ isc_timertype_t timertype;
+
+ isc_interval_set(&interval, timeout, 0);
+ result = isc_time_nowplusinterval(&expires, &interval);
+ isc_interval_set(&interval, udpresend, 0);
+
+ timertype = udpresend != 0 ? isc_timertype_limited : isc_timertype_once;
+ if (result == ISC_R_SUCCESS)
+ result = isc_timer_reset(timer, timertype, &expires,
+ &interval, ISC_FALSE);
+ return (result);
+}
+
+isc_result_t
+dns_request_createraw(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ return(dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
+ options, timeout, 0, 0, task, action,
+ arg, requestp));
+}
+
+isc_result_t
+dns_request_createraw2(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ unsigned int udptimeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ unsigned int udpretries = 0;
+
+ if (udptimeout != 0)
+ udpretries = timeout / udptimeout;
+
+ return (dns_request_createraw3(requestmgr, msgbuf, srcaddr, destaddr,
+ options, timeout, udptimeout,
+ udpretries, task, action, arg,
+ requestp));
+}
+
+isc_result_t
+dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, unsigned int timeout,
+ unsigned int udptimeout, unsigned int udpretries,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ dns_request_t *request = NULL;
+ isc_task_t *tclone = NULL;
+ isc_socket_t *socket = NULL;
+ isc_result_t result;
+ isc_mem_t *mctx;
+ dns_messageid_t id;
+ isc_boolean_t tcp = ISC_FALSE;
+ isc_region_t r;
+
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+ REQUIRE(msgbuf != NULL);
+ REQUIRE(destaddr != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+ REQUIRE(requestp != NULL && *requestp == NULL);
+ REQUIRE(timeout > 0);
+ if (srcaddr != NULL)
+ REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
+
+ mctx = requestmgr->mctx;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createraw");
+
+ if (isblackholed(requestmgr->dispatchmgr, destaddr))
+ return (DNS_R_BLACKHOLED);
+
+ request = NULL;
+ result = new_request(mctx, &request);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (udptimeout == 0 && udpretries != 0) {
+ udptimeout = timeout / (udpretries + 1);
+ if (udptimeout == 0)
+ udptimeout = 1;
+ }
+
+ /*
+ * Create timer now. We will set it below once.
+ */
+ result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+ NULL, NULL, task, req_timeout, request,
+ &request->timer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ request->event = (dns_requestevent_t *)
+ isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
+ action, arg, sizeof(dns_requestevent_t));
+ if (request->event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ isc_task_attach(task, &tclone);
+ request->event->ev_sender = task;
+ request->event->request = request;
+ request->event->result = ISC_R_FAILURE;
+
+ isc_buffer_usedregion(msgbuf, &r);
+ if (r.length < DNS_MESSAGE_HEADERLEN || r.length > 65535) {
+ result = DNS_R_FORMERR;
+ goto cleanup;
+ }
+
+ if ((options & DNS_REQUESTOPT_TCP) != 0 || r.length > 512)
+ tcp = ISC_TRUE;
+
+ result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
+ &request->dispatch);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ socket = dns_dispatch_getsocket(request->dispatch);
+ INSIST(socket != NULL);
+ result = dns_dispatch_addresponse(request->dispatch, destaddr, task,
+ req_response, request, &id,
+ &request->dispentry);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_buffer_allocate(mctx, &request->query,
+ r.length + (tcp ? 2 : 0));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (tcp)
+ isc_buffer_putuint16(request->query, (isc_uint16_t)r.length);
+ result = isc_buffer_copyregion(request->query, &r);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Add message ID. */
+ isc_buffer_usedregion(request->query, &r);
+ if (tcp)
+ isc_region_consume(&r, 2);
+ r.base[0] = (id>>8) & 0xff;
+ r.base[1] = id & 0xff;
+
+ LOCK(&requestmgr->lock);
+ if (requestmgr->exiting) {
+ UNLOCK(&requestmgr->lock);
+ result = ISC_R_SHUTTINGDOWN;
+ goto cleanup;
+ }
+ requestmgr_attach(requestmgr, &request->requestmgr);
+ request->hash = mgr_gethash(requestmgr);
+ ISC_LIST_APPEND(requestmgr->requests, request, link);
+ UNLOCK(&requestmgr->lock);
+
+ result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+
+ request->destaddr = *destaddr;
+ if (tcp) {
+ result = isc_socket_connect(socket, destaddr, task,
+ req_connected, request);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+ request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
+ } else {
+ result = req_send(request, task, destaddr);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+ }
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: request %p",
+ request);
+ *requestp = request;
+ return (ISC_R_SUCCESS);
+
+ unlink:
+ LOCK(&requestmgr->lock);
+ ISC_LIST_UNLINK(requestmgr->requests, request, link);
+ UNLOCK(&requestmgr->lock);
+
+ cleanup:
+ if (tclone != NULL)
+ isc_task_detach(&tclone);
+ req_destroy(request);
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createraw: failed %s",
+ dns_result_totext(result));
+ return (result);
+}
+
+isc_result_t
+dns_request_create(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *address, unsigned int options,
+ dns_tsigkey_t *key,
+ unsigned int timeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ return (dns_request_createvia3(requestmgr, message, NULL, address,
+ options, key, timeout, 0, 0, task,
+ action, arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ return(dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
+ options, key, timeout, 0, 0, task,
+ action, arg, requestp));
+}
+
+isc_result_t
+dns_request_createvia2(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, unsigned int udptimeout,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ unsigned int udpretries = 0;
+
+ if (udptimeout != 0)
+ udpretries = timeout / udptimeout;
+ return (dns_request_createvia3(requestmgr, message, srcaddr, destaddr,
+ options, key, timeout, udptimeout,
+ udpretries, task, action, arg,
+ requestp));
+}
+
+isc_result_t
+dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
+ isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+ unsigned int options, dns_tsigkey_t *key,
+ unsigned int timeout, unsigned int udptimeout,
+ unsigned int udpretries, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_request_t **requestp)
+{
+ dns_request_t *request = NULL;
+ isc_task_t *tclone = NULL;
+ isc_socket_t *socket = NULL;
+ isc_result_t result;
+ isc_mem_t *mctx;
+ dns_messageid_t id;
+ isc_boolean_t tcp;
+ isc_boolean_t setkey = ISC_TRUE;
+
+ REQUIRE(VALID_REQUESTMGR(requestmgr));
+ REQUIRE(message != NULL);
+ REQUIRE(destaddr != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+ REQUIRE(requestp != NULL && *requestp == NULL);
+ REQUIRE(timeout > 0);
+ if (srcaddr != NULL)
+ REQUIRE(isc_sockaddr_pf(srcaddr) == isc_sockaddr_pf(destaddr));
+
+ mctx = requestmgr->mctx;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createvia");
+
+ if (isblackholed(requestmgr->dispatchmgr, destaddr))
+ return (DNS_R_BLACKHOLED);
+
+ request = NULL;
+ result = new_request(mctx, &request);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (udptimeout == 0 && udpretries != 0) {
+ udptimeout = timeout / (udpretries + 1);
+ if (udptimeout == 0)
+ udptimeout = 1;
+ }
+
+ /*
+ * Create timer now. We will set it below once.
+ */
+ result = isc_timer_create(requestmgr->timermgr, isc_timertype_inactive,
+ NULL, NULL, task, req_timeout, request,
+ &request->timer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ request->event = (dns_requestevent_t *)
+ isc_event_allocate(mctx, task, DNS_EVENT_REQUESTDONE,
+ action, arg, sizeof(dns_requestevent_t));
+ if (request->event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ isc_task_attach(task, &tclone);
+ request->event->ev_sender = task;
+ request->event->request = request;
+ request->event->result = ISC_R_FAILURE;
+ if (key != NULL)
+ dns_tsigkey_attach(key, &request->tsigkey);
+
+ use_tcp:
+ tcp = ISC_TF((options & DNS_REQUESTOPT_TCP) != 0);
+ result = get_dispatch(tcp, requestmgr, srcaddr, destaddr,
+ &request->dispatch);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ socket = dns_dispatch_getsocket(request->dispatch);
+ INSIST(socket != NULL);
+ result = dns_dispatch_addresponse(request->dispatch, destaddr, task,
+ req_response, request, &id,
+ &request->dispentry);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ message->id = id;
+ if (setkey) {
+ result = dns_message_settsigkey(message, request->tsigkey);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ result = req_render(message, &request->query, options, mctx);
+ if (result == DNS_R_USETCP &&
+ (options & DNS_REQUESTOPT_TCP) == 0) {
+ /*
+ * Try again using TCP.
+ */
+ dns_message_renderreset(message);
+ dns_dispatch_removeresponse(&request->dispentry, NULL);
+ dns_dispatch_detach(&request->dispatch);
+ socket = NULL;
+ options |= DNS_REQUESTOPT_TCP;
+ setkey = ISC_FALSE;
+ goto use_tcp;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_getquerytsig(message, mctx, &request->tsig);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ LOCK(&requestmgr->lock);
+ if (requestmgr->exiting) {
+ UNLOCK(&requestmgr->lock);
+ result = ISC_R_SHUTTINGDOWN;
+ goto cleanup;
+ }
+ requestmgr_attach(requestmgr, &request->requestmgr);
+ request->hash = mgr_gethash(requestmgr);
+ ISC_LIST_APPEND(requestmgr->requests, request, link);
+ UNLOCK(&requestmgr->lock);
+
+ result = set_timer(request->timer, timeout, tcp ? 0 : udptimeout);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+
+ request->destaddr = *destaddr;
+ if (tcp) {
+ result = isc_socket_connect(socket, destaddr, task,
+ req_connected, request);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+ request->flags |= DNS_REQUEST_F_CONNECTING|DNS_REQUEST_F_TCP;
+ } else {
+ result = req_send(request, task, destaddr);
+ if (result != ISC_R_SUCCESS)
+ goto unlink;
+ }
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: request %p",
+ request);
+ *requestp = request;
+ return (ISC_R_SUCCESS);
+
+ unlink:
+ LOCK(&requestmgr->lock);
+ ISC_LIST_UNLINK(requestmgr->requests, request, link);
+ UNLOCK(&requestmgr->lock);
+
+ cleanup:
+ if (tclone != NULL)
+ isc_task_detach(&tclone);
+ req_destroy(request);
+ req_log(ISC_LOG_DEBUG(3), "dns_request_createvia: failed %s",
+ dns_result_totext(result));
+ return (result);
+}
+
+static isc_result_t
+req_render(dns_message_t *message, isc_buffer_t **bufferp,
+ unsigned int options, isc_mem_t *mctx)
+{
+ isc_buffer_t *buf1 = NULL;
+ isc_buffer_t *buf2 = NULL;
+ isc_result_t result;
+ isc_region_t r;
+ isc_boolean_t tcp = ISC_FALSE;
+ dns_compress_t cctx;
+ isc_boolean_t cleanup_cctx = ISC_FALSE;
+
+ REQUIRE(bufferp != NULL && *bufferp == NULL);
+
+ req_log(ISC_LOG_DEBUG(3), "request_render");
+
+ /*
+ * Create buffer able to hold largest possible message.
+ */
+ result = isc_buffer_allocate(mctx, &buf1, 65535);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_compress_init(&cctx, -1, mctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ cleanup_cctx = ISC_TRUE;
+
+ /*
+ * Render message.
+ */
+ result = dns_message_renderbegin(message, &cctx, buf1);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_rendersection(message, DNS_SECTION_QUESTION, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_rendersection(message, DNS_SECTION_ANSWER, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_rendersection(message, DNS_SECTION_AUTHORITY, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_rendersection(message, DNS_SECTION_ADDITIONAL, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_renderend(message);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_compress_invalidate(&cctx);
+ cleanup_cctx = ISC_FALSE;
+
+ /*
+ * Copy rendered message to exact sized buffer.
+ */
+ isc_buffer_usedregion(buf1, &r);
+ if ((options & DNS_REQUESTOPT_TCP) != 0) {
+ tcp = ISC_TRUE;
+ } else if (r.length > 512) {
+ result = DNS_R_USETCP;
+ goto cleanup;
+ }
+ result = isc_buffer_allocate(mctx, &buf2, r.length + (tcp ? 2 : 0));
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (tcp)
+ isc_buffer_putuint16(buf2, (isc_uint16_t)r.length);
+ result = isc_buffer_copyregion(buf2, &r);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Cleanup and return.
+ */
+ isc_buffer_free(&buf1);
+ *bufferp = buf2;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ dns_message_renderreset(message);
+ if (buf1 != NULL)
+ isc_buffer_free(&buf1);
+ if (buf2 != NULL)
+ isc_buffer_free(&buf2);
+ if (cleanup_cctx)
+ dns_compress_invalidate(&cctx);
+ return (result);
+}
+
+
+/*
+ * If this request is no longer waiting for events,
+ * send the completion event. This will ultimately
+ * cause the request to be destroyed.
+ *
+ * Requires:
+ * 'request' is locked by the caller.
+ */
+static void
+send_if_done(dns_request_t *request, isc_result_t result) {
+ if (!DNS_REQUEST_CONNECTING(request) &&
+ !DNS_REQUEST_SENDING(request) &&
+ !request->canceling)
+ req_sendevent(request, result);
+}
+
+/*
+ * Handle the control event.
+ */
+static void
+do_cancel(isc_task_t *task, isc_event_t *event) {
+ dns_request_t *request = event->ev_arg;
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_REQUESTCONTROL);
+ LOCK(&request->requestmgr->locks[request->hash]);
+ request->canceling = ISC_FALSE;
+ if (!DNS_REQUEST_CANCELED(request))
+ req_cancel(request);
+ send_if_done(request, ISC_R_CANCELED);
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+void
+dns_request_cancel(dns_request_t *request) {
+ REQUIRE(VALID_REQUEST(request));
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_cancel: request %p", request);
+
+ REQUIRE(VALID_REQUEST(request));
+
+ LOCK(&request->requestmgr->locks[request->hash]);
+ if (!request->canceling && !DNS_REQUEST_CANCELED(request)) {
+ isc_event_t *ev = &request->ctlevent;
+ isc_task_send(request->event->ev_sender, &ev);
+ request->canceling = ISC_TRUE;
+ }
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+isc_result_t
+dns_request_getresponse(dns_request_t *request, dns_message_t *message,
+ unsigned int options)
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_REQUEST(request));
+ REQUIRE(request->answer != NULL);
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_getresponse: request %p",
+ request);
+
+ result = dns_message_setquerytsig(message, request->tsig);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_message_settsigkey(message, request->tsigkey);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_message_parse(message, request->answer, options);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (request->tsigkey != NULL)
+ result = dns_tsig_verify(request->answer, message, NULL, NULL);
+ return (result);
+}
+
+isc_boolean_t
+dns_request_usedtcp(dns_request_t *request) {
+ REQUIRE(VALID_REQUEST(request));
+
+ return (ISC_TF((request->flags & DNS_REQUEST_F_TCP) != 0));
+}
+
+void
+dns_request_destroy(dns_request_t **requestp) {
+ dns_request_t *request;
+
+ REQUIRE(requestp != NULL && VALID_REQUEST(*requestp));
+
+ request = *requestp;
+
+ req_log(ISC_LOG_DEBUG(3), "dns_request_destroy: request %p", request);
+
+ LOCK(&request->requestmgr->lock);
+ LOCK(&request->requestmgr->locks[request->hash]);
+ ISC_LIST_UNLINK(request->requestmgr->requests, request, link);
+ INSIST(!DNS_REQUEST_CONNECTING(request));
+ INSIST(!DNS_REQUEST_SENDING(request));
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+ UNLOCK(&request->requestmgr->lock);
+
+ /*
+ * These should have been cleaned up by req_cancel() before
+ * the completion event was sent.
+ */
+ INSIST(!ISC_LINK_LINKED(request, link));
+ INSIST(request->dispentry == NULL);
+ INSIST(request->dispatch == NULL);
+ INSIST(request->timer == NULL);
+
+ req_destroy(request);
+
+ *requestp = NULL;
+}
+
+/***
+ *** Private: request.
+ ***/
+
+static void
+req_connected(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ isc_result_t result;
+ dns_request_t *request = event->ev_arg;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+ REQUIRE(VALID_REQUEST(request));
+ REQUIRE(DNS_REQUEST_CONNECTING(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_connected: request %p", request);
+
+ LOCK(&request->requestmgr->locks[request->hash]);
+ request->flags &= ~DNS_REQUEST_F_CONNECTING;
+
+ if (DNS_REQUEST_CANCELED(request)) {
+ /*
+ * Send delayed event.
+ */
+ if (DNS_REQUEST_TIMEDOUT(request))
+ send_if_done(request, ISC_R_TIMEDOUT);
+ else
+ send_if_done(request, ISC_R_CANCELED);
+ } else {
+ dns_dispatch_starttcp(request->dispatch);
+ result = sevent->result;
+ if (result == ISC_R_SUCCESS)
+ result = req_send(request, task, NULL);
+
+ if (result != ISC_R_SUCCESS) {
+ req_cancel(request);
+ send_if_done(request, ISC_R_CANCELED);
+ }
+ }
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+ isc_event_free(&event);
+}
+
+static void
+req_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ dns_request_t *request = event->ev_arg;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+ REQUIRE(VALID_REQUEST(request));
+ REQUIRE(DNS_REQUEST_SENDING(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_senddone: request %p", request);
+
+ UNUSED(task);
+
+ LOCK(&request->requestmgr->locks[request->hash]);
+ request->flags &= ~DNS_REQUEST_F_SENDING;
+
+ if (DNS_REQUEST_CANCELED(request)) {
+ /*
+ * Send delayed event.
+ */
+ if (DNS_REQUEST_TIMEDOUT(request))
+ send_if_done(request, ISC_R_TIMEDOUT);
+ else
+ send_if_done(request, ISC_R_CANCELED);
+ } else if (sevent->result != ISC_R_SUCCESS) {
+ req_cancel(request);
+ send_if_done(request, ISC_R_CANCELED);
+ }
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+
+ isc_event_free(&event);
+}
+
+static void
+req_response(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ dns_request_t *request = event->ev_arg;
+ dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+ isc_region_t r;
+
+ REQUIRE(VALID_REQUEST(request));
+ REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+ UNUSED(task);
+
+ req_log(ISC_LOG_DEBUG(3), "req_response: request %p: %s", request,
+ dns_result_totext(devent->result));
+
+ LOCK(&request->requestmgr->locks[request->hash]);
+ result = devent->result;
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ /*
+ * Copy buffer to request.
+ */
+ isc_buffer_usedregion(&devent->buffer, &r);
+ result = isc_buffer_allocate(request->mctx, &request->answer,
+ r.length);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ result = isc_buffer_copyregion(request->answer, &r);
+ if (result != ISC_R_SUCCESS)
+ isc_buffer_free(&request->answer);
+ done:
+ /*
+ * Cleanup.
+ */
+ dns_dispatch_removeresponse(&request->dispentry, &devent);
+ req_cancel(request);
+ /*
+ * Send completion event.
+ */
+ send_if_done(request, result);
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+}
+
+static void
+req_timeout(isc_task_t *task, isc_event_t *event) {
+ dns_request_t *request = event->ev_arg;
+ isc_result_t result;
+
+ REQUIRE(VALID_REQUEST(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_timeout: request %p", request);
+
+ UNUSED(task);
+ LOCK(&request->requestmgr->locks[request->hash]);
+ if (event->ev_type == ISC_TIMEREVENT_TICK &&
+ request->udpcount-- != 0) {
+ if (! DNS_REQUEST_SENDING(request)) {
+ result = req_send(request, task, &request->destaddr);
+ if (result != ISC_R_SUCCESS) {
+ req_cancel(request);
+ send_if_done(request, result);
+ }
+ }
+ } else {
+ request->flags |= DNS_REQUEST_F_TIMEDOUT;
+ req_cancel(request);
+ send_if_done(request, ISC_R_TIMEDOUT);
+ }
+ UNLOCK(&request->requestmgr->locks[request->hash]);
+ isc_event_free(&event);
+}
+
+static void
+req_sendevent(dns_request_t *request, isc_result_t result) {
+ isc_task_t *task;
+
+ REQUIRE(VALID_REQUEST(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_sendevent: request %p", request);
+
+ /*
+ * Lock held by caller.
+ */
+ task = request->event->ev_sender;
+ request->event->ev_sender = request;
+ request->event->result = result;
+ isc_task_sendanddetach(&task, (isc_event_t **)&request->event);
+}
+
+static void
+req_destroy(dns_request_t *request) {
+ isc_mem_t *mctx;
+
+ REQUIRE(VALID_REQUEST(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_destroy: request %p", request);
+
+ request->magic = 0;
+ if (request->query != NULL)
+ isc_buffer_free(&request->query);
+ if (request->answer != NULL)
+ isc_buffer_free(&request->answer);
+ if (request->event != NULL)
+ isc_event_free((isc_event_t **)&request->event);
+ if (request->dispentry != NULL)
+ dns_dispatch_removeresponse(&request->dispentry, NULL);
+ if (request->dispatch != NULL)
+ dns_dispatch_detach(&request->dispatch);
+ if (request->timer != NULL)
+ isc_timer_detach(&request->timer);
+ if (request->tsig != NULL)
+ isc_buffer_free(&request->tsig);
+ if (request->tsigkey != NULL)
+ dns_tsigkey_detach(&request->tsigkey);
+ if (request->requestmgr != NULL)
+ requestmgr_detach(&request->requestmgr);
+ mctx = request->mctx;
+ isc_mem_put(mctx, request, sizeof(*request));
+ isc_mem_detach(&mctx);
+}
+
+/*
+ * Stop the current request. Must be called from the request's task.
+ */
+static void
+req_cancel(dns_request_t *request) {
+ isc_socket_t *socket;
+
+ REQUIRE(VALID_REQUEST(request));
+
+ req_log(ISC_LOG_DEBUG(3), "req_cancel: request %p", request);
+
+ /*
+ * Lock held by caller.
+ */
+ request->flags |= DNS_REQUEST_F_CANCELED;
+
+ if (request->timer != NULL)
+ isc_timer_detach(&request->timer);
+ if (request->dispentry != NULL)
+ dns_dispatch_removeresponse(&request->dispentry, NULL);
+ if (DNS_REQUEST_CONNECTING(request)) {
+ socket = dns_dispatch_getsocket(request->dispatch);
+ isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_CONNECT);
+ }
+ if (DNS_REQUEST_SENDING(request)) {
+ socket = dns_dispatch_getsocket(request->dispatch);
+ isc_socket_cancel(socket, NULL, ISC_SOCKCANCEL_SEND);
+ }
+ dns_dispatch_detach(&request->dispatch);
+}
+
+static void
+req_log(int level, const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_REQUEST, level, fmt, ap);
+ va_end(ap);
+}
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
new file mode 100644
index 0000000..c76631a
--- /dev/null
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -0,0 +1,6473 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resolver.c,v 1.218.2.18.4.43 2004/08/28 06:25:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/db.h>
+#include <dns/dispatch.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/opcode.h>
+#include <dns/peer.h>
+#include <dns/rbt.h>
+#include <dns/rcode.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/validator.h>
+
+#define DNS_RESOLVER_TRACE
+#ifdef DNS_RESOLVER_TRACE
+#define RTRACE(m) isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "res %p: %s", res, (m))
+#define RRTRACE(r, m) isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "res %p: %s", (r), (m))
+#define FCTXTRACE(m) isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "fctx %p(%s'): %s", fctx, fctx->info, (m))
+#define FCTXTRACE2(m1, m2) \
+ isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "fctx %p(%s): %s %s", \
+ fctx, fctx->info, (m1), (m2))
+#define FTRACE(m) isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "fetch %p (fctx %p(%s)): %s", \
+ fetch, fetch->private, \
+ fetch->private->info, (m))
+#define QTRACE(m) isc_log_write(dns_lctx, \
+ DNS_LOGCATEGORY_RESOLVER, \
+ DNS_LOGMODULE_RESOLVER, \
+ ISC_LOG_DEBUG(3), \
+ "resquery %p (fctx %p(%s)): %s", \
+ query, query->fctx, \
+ query->fctx->info, (m))
+#else
+#define RTRACE(m)
+#define RRTRACE(r, m)
+#define FCTXTRACE(m)
+#define FTRACE(m)
+#define QTRACE(m)
+#endif
+
+/*
+ * Maximum EDNS0 input packet size.
+ */
+#define RECV_BUFFER_SIZE 4096 /* XXXRTH Constant. */
+
+/*
+ * This defines the maximum number of timeouts we will permit before we
+ * disable EDNS0 on the query.
+ */
+#define MAX_EDNS0_TIMEOUTS 3
+
+typedef struct fetchctx fetchctx_t;
+
+typedef struct query {
+ /* Locked by task event serialization. */
+ unsigned int magic;
+ fetchctx_t * fctx;
+ isc_mem_t * mctx;
+ dns_dispatchmgr_t * dispatchmgr;
+ dns_dispatch_t * dispatch;
+ dns_adbaddrinfo_t * addrinfo;
+ isc_socket_t * tcpsocket;
+ isc_time_t start;
+ dns_messageid_t id;
+ dns_dispentry_t * dispentry;
+ ISC_LINK(struct query) link;
+ isc_buffer_t buffer;
+ isc_buffer_t *tsig;
+ dns_tsigkey_t *tsigkey;
+ unsigned int options;
+ unsigned int attributes;
+ unsigned int sends;
+ unsigned int connects;
+ unsigned char data[512];
+} resquery_t;
+
+#define QUERY_MAGIC ISC_MAGIC('Q', '!', '!', '!')
+#define VALID_QUERY(query) ISC_MAGIC_VALID(query, QUERY_MAGIC)
+
+#define RESQUERY_ATTR_CANCELED 0x02
+
+#define RESQUERY_CONNECTING(q) ((q)->connects > 0)
+#define RESQUERY_CANCELED(q) (((q)->attributes & \
+ RESQUERY_ATTR_CANCELED) != 0)
+#define RESQUERY_SENDING(q) ((q)->sends > 0)
+
+typedef enum {
+ fetchstate_init = 0, /* Start event has not run yet. */
+ fetchstate_active,
+ fetchstate_done /* FETCHDONE events posted. */
+} fetchstate;
+
+struct fetchctx {
+ /* Not locked. */
+ unsigned int magic;
+ dns_resolver_t * res;
+ dns_name_t name;
+ dns_rdatatype_t type;
+ unsigned int options;
+ unsigned int bucketnum;
+ char * info;
+ /* Locked by appropriate bucket lock. */
+ fetchstate state;
+ isc_boolean_t want_shutdown;
+ isc_boolean_t cloned;
+ unsigned int references;
+ isc_event_t control_event;
+ ISC_LINK(struct fetchctx) link;
+ ISC_LIST(dns_fetchevent_t) events;
+ /* Locked by task event serialization. */
+ dns_name_t domain;
+ dns_rdataset_t nameservers;
+ unsigned int attributes;
+ isc_timer_t * timer;
+ isc_time_t expires;
+ isc_interval_t interval;
+ dns_message_t * qmessage;
+ dns_message_t * rmessage;
+ ISC_LIST(resquery_t) queries;
+ dns_adbfindlist_t finds;
+ dns_adbfind_t * find;
+ dns_adbfindlist_t altfinds;
+ dns_adbfind_t * altfind;
+ dns_adbaddrinfolist_t forwaddrs;
+ dns_adbaddrinfolist_t altaddrs;
+ isc_sockaddrlist_t forwarders;
+ dns_fwdpolicy_t fwdpolicy;
+ isc_sockaddrlist_t bad;
+ ISC_LIST(dns_validator_t) validators;
+ dns_db_t * cache;
+ dns_adb_t * adb;
+
+ /*
+ * The number of events we're waiting for.
+ */
+ unsigned int pending;
+
+ /*
+ * The number of times we've "restarted" the current
+ * nameserver set. This acts as a failsafe to prevent
+ * us from pounding constantly on a particular set of
+ * servers that, for whatever reason, are not giving
+ * us useful responses, but are responding in such a
+ * way that they are not marked "bad".
+ */
+ unsigned int restarts;
+
+ /*
+ * The number of timeouts that have occurred since we
+ * last successfully received a response packet. This
+ * is used for EDNS0 black hole detection.
+ */
+ unsigned int timeouts;
+ /*
+ * Look aside state for DS lookups.
+ */
+ dns_name_t nsname;
+ dns_fetch_t * nsfetch;
+ dns_rdataset_t nsrrset;
+};
+
+#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
+#define VALID_FCTX(fctx) ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
+
+#define FCTX_ATTR_HAVEANSWER 0x0001
+#define FCTX_ATTR_GLUING 0x0002
+#define FCTX_ATTR_ADDRWAIT 0x0004
+#define FCTX_ATTR_SHUTTINGDOWN 0x0008
+#define FCTX_ATTR_WANTCACHE 0x0010
+#define FCTX_ATTR_WANTNCACHE 0x0020
+#define FCTX_ATTR_NEEDEDNS0 0x0040
+#define FCTX_ATTR_TRIEDFIND 0x0080
+#define FCTX_ATTR_TRIEDALT 0x0100
+
+#define HAVE_ANSWER(f) (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
+ 0)
+#define GLUING(f) (((f)->attributes & FCTX_ATTR_GLUING) != \
+ 0)
+#define ADDRWAIT(f) (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
+ 0)
+#define SHUTTINGDOWN(f) (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
+ != 0)
+#define WANTCACHE(f) (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
+#define WANTNCACHE(f) (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
+#define NEEDEDNS0(f) (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
+#define TRIEDFIND(f) (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
+#define TRIEDALT(f) (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
+
+struct dns_fetch {
+ unsigned int magic;
+ fetchctx_t * private;
+};
+
+#define DNS_FETCH_MAGIC ISC_MAGIC('F', 't', 'c', 'h')
+#define DNS_FETCH_VALID(fetch) ISC_MAGIC_VALID(fetch, DNS_FETCH_MAGIC)
+
+typedef struct fctxbucket {
+ isc_task_t * task;
+ isc_mutex_t lock;
+ ISC_LIST(fetchctx_t) fctxs;
+ isc_boolean_t exiting;
+} fctxbucket_t;
+
+typedef struct alternate {
+ isc_boolean_t isaddress;
+ union {
+ isc_sockaddr_t addr;
+ struct {
+ dns_name_t name;
+ in_port_t port;
+ } _n;
+ } _u;
+ ISC_LINK(struct alternate) link;
+} alternate_t;
+
+struct dns_resolver {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ isc_mutex_t nlock;
+ isc_mutex_t primelock;
+ dns_rdataclass_t rdclass;
+ isc_socketmgr_t * socketmgr;
+ isc_timermgr_t * timermgr;
+ isc_taskmgr_t * taskmgr;
+ dns_view_t * view;
+ isc_boolean_t frozen;
+ unsigned int options;
+ dns_dispatchmgr_t * dispatchmgr;
+ dns_dispatch_t * dispatchv4;
+ dns_dispatch_t * dispatchv6;
+ unsigned int nbuckets;
+ fctxbucket_t * buckets;
+ isc_uint32_t lame_ttl;
+ ISC_LIST(alternate_t) alternates;
+ isc_uint16_t udpsize;
+#if USE_ALGLOCK
+ isc_rwlock_t alglock;
+#endif
+ dns_rbt_t * algorithms;
+#if USE_MBSLOCK
+ isc_rwlock_t mbslock;
+#endif
+ dns_rbt_t * mustbesecure;
+ /* Locked by lock. */
+ unsigned int references;
+ isc_boolean_t exiting;
+ isc_eventlist_t whenshutdown;
+ unsigned int activebuckets;
+ isc_boolean_t priming;
+ /* Locked by primelock. */
+ dns_fetch_t * primefetch;
+ /* Locked by nlock. */
+ unsigned int nfctx;
+};
+
+#define RES_MAGIC ISC_MAGIC('R', 'e', 's', '!')
+#define VALID_RESOLVER(res) ISC_MAGIC_VALID(res, RES_MAGIC)
+
+/*
+ * Private addrinfo flags. These must not conflict with DNS_FETCHOPT_NOEDNS0,
+ * which we also use as an addrinfo flag.
+ */
+#define FCTX_ADDRINFO_MARK 0x0001
+#define FCTX_ADDRINFO_FORWARDER 0x1000
+#define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) \
+ == 0)
+#define ISFORWARDER(a) (((a)->flags & \
+ FCTX_ADDRINFO_FORWARDER) != 0)
+
+#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+
+static void destroy(dns_resolver_t *res);
+static void empty_bucket(dns_resolver_t *res);
+static isc_result_t resquery_send(resquery_t *query);
+static void resquery_response(isc_task_t *task, isc_event_t *event);
+static void resquery_connected(isc_task_t *task, isc_event_t *event);
+static void fctx_try(fetchctx_t *fctx);
+static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
+static isc_result_t ncache_adderesult(dns_message_t *message,
+ dns_db_t *cache, dns_dbnode_t *node,
+ dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdataset_t *ardataset,
+ isc_result_t *eresultp);
+
+static isc_boolean_t
+fix_mustbedelegationornxdomain(dns_message_t *message, fetchctx_t *fctx) {
+ dns_name_t *name;
+ dns_name_t *domain = &fctx->domain;
+ dns_rdataset_t *rdataset;
+ dns_rdatatype_t type;
+ isc_result_t result;
+ isc_boolean_t keep_auth = ISC_FALSE;
+
+ if (message->rcode == dns_rcode_nxdomain)
+ return (ISC_FALSE);
+
+ /*
+ * Look for BIND 8 style delegations.
+ * Also look for answers to ANY queries where the duplicate NS RRset
+ * may have been stripped from the authority section.
+ */
+ if (message->counts[DNS_SECTION_ANSWER] != 0 &&
+ (fctx->type == dns_rdatatype_ns ||
+ fctx->type == dns_rdatatype_any)) {
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_ANSWER,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ type = rdataset->type;
+ if (type != dns_rdatatype_ns)
+ continue;
+ if (dns_name_issubdomain(name, domain))
+ return (ISC_FALSE);
+ }
+ result = dns_message_nextname(message,
+ DNS_SECTION_ANSWER);
+ }
+ }
+
+ /* Look for referral. */
+ if (message->counts[DNS_SECTION_AUTHORITY] == 0)
+ goto munge;
+
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ type = rdataset->type;
+ if (type == dns_rdatatype_soa &&
+ dns_name_equal(name, domain))
+ keep_auth = ISC_TRUE;
+ if (type != dns_rdatatype_ns &&
+ type != dns_rdatatype_soa)
+ continue;
+ if (dns_name_equal(name, domain))
+ goto munge;
+ if (dns_name_issubdomain(name, domain))
+ return (ISC_FALSE);
+ }
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ }
+
+ munge:
+ message->rcode = dns_rcode_nxdomain;
+ message->counts[DNS_SECTION_ANSWER] = 0;
+ if (!keep_auth)
+ message->counts[DNS_SECTION_AUTHORITY] = 0;
+ message->counts[DNS_SECTION_ADDITIONAL] = 0;
+ return (ISC_TRUE);
+}
+
+static inline isc_result_t
+fctx_starttimer(fetchctx_t *fctx) {
+ /*
+ * Start the lifetime timer for fctx.
+ *
+ * This is also used for stopping the idle timer; in that
+ * case we must purge events already posted to ensure that
+ * no further idle events are delivered.
+ */
+ return (isc_timer_reset(fctx->timer, isc_timertype_once,
+ &fctx->expires, NULL,
+ ISC_TRUE));
+}
+
+static inline void
+fctx_stoptimer(fetchctx_t *fctx) {
+ isc_result_t result;
+
+ /*
+ * We don't return a result if resetting the timer to inactive fails
+ * since there's nothing to be done about it. Resetting to inactive
+ * should never fail anyway, since the code as currently written
+ * cannot fail in that case.
+ */
+ result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_timer_reset(): %s",
+ isc_result_totext(result));
+ }
+}
+
+
+static inline isc_result_t
+fctx_startidletimer(fetchctx_t *fctx) {
+ /*
+ * Start the idle timer for fctx. The lifetime timer continues
+ * to be in effect.
+ */
+ return (isc_timer_reset(fctx->timer, isc_timertype_once,
+ &fctx->expires, &fctx->interval,
+ ISC_FALSE));
+}
+
+/*
+ * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
+ * we use fctx_stopidletimer for readability in the code below.
+ */
+#define fctx_stopidletimer fctx_starttimer
+
+
+static inline void
+resquery_destroy(resquery_t **queryp) {
+ resquery_t *query;
+
+ REQUIRE(queryp != NULL);
+ query = *queryp;
+ REQUIRE(!ISC_LINK_LINKED(query, link));
+
+ INSIST(query->tcpsocket == NULL);
+
+ query->magic = 0;
+ isc_mem_put(query->mctx, query, sizeof(*query));
+ *queryp = NULL;
+}
+
+static void
+fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
+ isc_time_t *finish, isc_boolean_t no_response)
+{
+ fetchctx_t *fctx;
+ resquery_t *query;
+ unsigned int rtt;
+ unsigned int factor;
+ dns_adbfind_t *find;
+ dns_adbaddrinfo_t *addrinfo;
+
+ query = *queryp;
+ fctx = query->fctx;
+
+ FCTXTRACE("cancelquery");
+
+ REQUIRE(!RESQUERY_CANCELED(query));
+
+ query->attributes |= RESQUERY_ATTR_CANCELED;
+
+ /*
+ * Should we update the RTT?
+ */
+ if (finish != NULL || no_response) {
+ if (finish != NULL) {
+ /*
+ * We have both the start and finish times for this
+ * packet, so we can compute a real RTT.
+ */
+ rtt = (unsigned int)isc_time_microdiff(finish,
+ &query->start);
+ factor = DNS_ADB_RTTADJDEFAULT;
+ } else {
+ /*
+ * We don't have an RTT for this query. Maybe the
+ * packet was lost, or maybe this server is very
+ * slow. We don't know. Increase the RTT.
+ */
+ INSIST(no_response);
+ rtt = query->addrinfo->srtt +
+ (100000 * fctx->restarts);
+ if (rtt > 10000000)
+ rtt = 10000000;
+ /*
+ * Replace the current RTT with our value.
+ */
+ factor = DNS_ADB_RTTADJREPLACE;
+ }
+ dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
+ }
+
+ /*
+ * Age RTTs of servers not tried.
+ */
+ factor = DNS_ADB_RTTADJAGE;
+ if (finish != NULL)
+ for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+ if (UNMARKED(addrinfo))
+ dns_adb_adjustsrtt(fctx->adb, addrinfo,
+ 0, factor);
+
+ if (finish != NULL && TRIEDFIND(fctx))
+ for (find = ISC_LIST_HEAD(fctx->finds);
+ find != NULL;
+ find = ISC_LIST_NEXT(find, publink))
+ for (addrinfo = ISC_LIST_HEAD(find->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+ if (UNMARKED(addrinfo))
+ dns_adb_adjustsrtt(fctx->adb, addrinfo,
+ 0, factor);
+
+ if (finish != NULL && TRIEDALT(fctx)) {
+ for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+ if (UNMARKED(addrinfo))
+ dns_adb_adjustsrtt(fctx->adb, addrinfo,
+ 0, factor);
+ for (find = ISC_LIST_HEAD(fctx->altfinds);
+ find != NULL;
+ find = ISC_LIST_NEXT(find, publink))
+ for (addrinfo = ISC_LIST_HEAD(find->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink))
+ if (UNMARKED(addrinfo))
+ dns_adb_adjustsrtt(fctx->adb, addrinfo,
+ 0, factor);
+ }
+
+ if (query->dispentry != NULL)
+ dns_dispatch_removeresponse(&query->dispentry, deventp);
+
+ ISC_LIST_UNLINK(fctx->queries, query, link);
+
+ if (query->tsig != NULL)
+ isc_buffer_free(&query->tsig);
+
+ if (query->tsigkey != NULL)
+ dns_tsigkey_detach(&query->tsigkey);
+
+ /*
+ * Check for any outstanding socket events. If they exist, cancel
+ * them and let the event handlers finish the cleanup. The resolver
+ * only needs to worry about managing the connect and send events;
+ * the dispatcher manages the recv events.
+ */
+ if (RESQUERY_CONNECTING(query))
+ /*
+ * Cancel the connect.
+ */
+ isc_socket_cancel(query->tcpsocket, NULL,
+ ISC_SOCKCANCEL_CONNECT);
+ else if (RESQUERY_SENDING(query))
+ /*
+ * Cancel the pending send.
+ */
+ isc_socket_cancel(dns_dispatch_getsocket(query->dispatch),
+ NULL, ISC_SOCKCANCEL_SEND);
+
+ if (query->dispatch != NULL)
+ dns_dispatch_detach(&query->dispatch);
+
+ if (! (RESQUERY_CONNECTING(query) || RESQUERY_SENDING(query)))
+ /*
+ * It's safe to destroy the query now.
+ */
+ resquery_destroy(&query);
+}
+
+static void
+fctx_cancelqueries(fetchctx_t *fctx, isc_boolean_t no_response) {
+ resquery_t *query, *next_query;
+
+ FCTXTRACE("cancelqueries");
+
+ for (query = ISC_LIST_HEAD(fctx->queries);
+ query != NULL;
+ query = next_query) {
+ next_query = ISC_LIST_NEXT(query, link);
+ fctx_cancelquery(&query, NULL, NULL, no_response);
+ }
+}
+
+static void
+fctx_cleanupfinds(fetchctx_t *fctx) {
+ dns_adbfind_t *find, *next_find;
+
+ REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+ for (find = ISC_LIST_HEAD(fctx->finds);
+ find != NULL;
+ find = next_find) {
+ next_find = ISC_LIST_NEXT(find, publink);
+ ISC_LIST_UNLINK(fctx->finds, find, publink);
+ dns_adb_destroyfind(&find);
+ }
+ fctx->find = NULL;
+}
+
+static void
+fctx_cleanupaltfinds(fetchctx_t *fctx) {
+ dns_adbfind_t *find, *next_find;
+
+ REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+ for (find = ISC_LIST_HEAD(fctx->altfinds);
+ find != NULL;
+ find = next_find) {
+ next_find = ISC_LIST_NEXT(find, publink);
+ ISC_LIST_UNLINK(fctx->altfinds, find, publink);
+ dns_adb_destroyfind(&find);
+ }
+ fctx->altfind = NULL;
+}
+
+static void
+fctx_cleanupforwaddrs(fetchctx_t *fctx) {
+ dns_adbaddrinfo_t *addr, *next_addr;
+
+ REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+ for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
+ addr != NULL;
+ addr = next_addr) {
+ next_addr = ISC_LIST_NEXT(addr, publink);
+ ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
+ dns_adb_freeaddrinfo(fctx->adb, &addr);
+ }
+}
+
+static void
+fctx_cleanupaltaddrs(fetchctx_t *fctx) {
+ dns_adbaddrinfo_t *addr, *next_addr;
+
+ REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+
+ for (addr = ISC_LIST_HEAD(fctx->altaddrs);
+ addr != NULL;
+ addr = next_addr) {
+ next_addr = ISC_LIST_NEXT(addr, publink);
+ ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
+ dns_adb_freeaddrinfo(fctx->adb, &addr);
+ }
+}
+
+static inline void
+fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
+ FCTXTRACE("stopeverything");
+ fctx_cancelqueries(fctx, no_response);
+ fctx_cleanupfinds(fctx);
+ fctx_cleanupaltfinds(fctx);
+ fctx_cleanupforwaddrs(fctx);
+ fctx_cleanupaltaddrs(fctx);
+ fctx_stoptimer(fctx);
+}
+
+static inline void
+fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
+ dns_fetchevent_t *event, *next_event;
+ isc_task_t *task;
+
+ /*
+ * Caller must be holding the appropriate bucket lock.
+ */
+ REQUIRE(fctx->state == fetchstate_done);
+
+ FCTXTRACE("sendevents");
+
+ for (event = ISC_LIST_HEAD(fctx->events);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ ISC_LIST_UNLINK(fctx->events, event, ev_link);
+ task = event->ev_sender;
+ event->ev_sender = fctx;
+ if (!HAVE_ANSWER(fctx))
+ event->result = result;
+
+ INSIST(result != ISC_R_SUCCESS ||
+ dns_rdataset_isassociated(event->rdataset) ||
+ fctx->type == dns_rdatatype_any ||
+ fctx->type == dns_rdatatype_rrsig);
+
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
+ }
+}
+
+static void
+fctx_done(fetchctx_t *fctx, isc_result_t result) {
+ dns_resolver_t *res;
+ isc_boolean_t no_response;
+
+ FCTXTRACE("done");
+
+ res = fctx->res;
+
+ if (result == ISC_R_SUCCESS)
+ no_response = ISC_TRUE;
+ else
+ no_response = ISC_FALSE;
+ fctx_stopeverything(fctx, no_response);
+
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+
+ fctx->state = fetchstate_done;
+ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+ fctx_sendevents(fctx, result);
+
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+static void
+resquery_senddone(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ resquery_t *query = event->ev_arg;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+ QTRACE("senddone");
+
+ /*
+ * XXXRTH
+ *
+ * Currently we don't wait for the senddone event before retrying
+ * a query. This means that if we get really behind, we may end
+ * up doing extra work!
+ */
+
+ UNUSED(task);
+
+ INSIST(RESQUERY_SENDING(query));
+
+ query->sends--;
+
+ if (RESQUERY_CANCELED(query)) {
+ if (query->sends == 0) {
+ /*
+ * This query was canceled while the
+ * isc_socket_sendto() was in progress.
+ */
+ if (query->tcpsocket != NULL)
+ isc_socket_detach(&query->tcpsocket);
+ resquery_destroy(&query);
+ }
+ } else if (sevent->result != ISC_R_SUCCESS)
+ fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
+
+ isc_event_free(&event);
+}
+
+static inline isc_result_t
+fctx_addopt(dns_message_t *message, dns_resolver_t *res) {
+ dns_rdataset_t *rdataset;
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ isc_result_t result;
+
+ rdatalist = NULL;
+ result = dns_message_gettemprdatalist(message, &rdatalist);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdata = NULL;
+ result = dns_message_gettemprdata(message, &rdata);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ rdataset = NULL;
+ result = dns_message_gettemprdataset(message, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_init(rdataset);
+
+ rdatalist->type = dns_rdatatype_opt;
+ rdatalist->covers = 0;
+
+ /*
+ * Set Maximum UDP buffer size.
+ */
+ rdatalist->rdclass = res->udpsize;
+
+ /*
+ * Set EXTENDED-RCODE, VERSION, and Z to 0, and the DO bit to 1.
+ */
+ rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+
+ /*
+ * No EDNS options.
+ */
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->rdclass = rdatalist->rdclass;
+ rdata->type = rdatalist->type;
+ rdata->flags = 0;
+
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) == ISC_R_SUCCESS);
+
+ return (dns_message_setopt(message, rdataset));
+}
+
+static inline void
+fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
+ unsigned int seconds;
+
+ /*
+ * We retry every 2 seconds the first two times through the address
+ * list, and then we do exponential back-off.
+ */
+ if (fctx->restarts < 3)
+ seconds = 2;
+ else
+ seconds = (2 << (fctx->restarts - 1));
+
+ /*
+ * Double the round-trip time and convert to seconds.
+ */
+ rtt /= 500000;
+
+ /*
+ * Always wait for at least the doubled round-trip time.
+ */
+ if (seconds < rtt)
+ seconds = rtt;
+
+ /*
+ * But don't ever wait for more than 30 seconds.
+ */
+ if (seconds > 30)
+ seconds = 30;
+
+ isc_interval_set(&fctx->interval, seconds, 0);
+}
+
+static isc_result_t
+fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ unsigned int options)
+{
+ dns_resolver_t *res;
+ isc_task_t *task;
+ isc_result_t result;
+ resquery_t *query;
+
+ FCTXTRACE("query");
+
+ res = fctx->res;
+ task = res->buckets[fctx->bucketnum].task;
+
+ fctx_setretryinterval(fctx, addrinfo->srtt);
+ result = fctx_startidletimer(fctx);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
+
+ query = isc_mem_get(res->mctx, sizeof(*query));
+ if (query == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto stop_idle_timer;
+ }
+ query->mctx = res->mctx;
+ query->options = options;
+ query->attributes = 0;
+ query->sends = 0;
+ query->connects = 0;
+ /*
+ * Note that the caller MUST guarantee that 'addrinfo' will remain
+ * valid until this query is canceled.
+ */
+ query->addrinfo = addrinfo;
+ TIME_NOW(&query->start);
+
+ /*
+ * If this is a TCP query, then we need to make a socket and
+ * a dispatch for it here. Otherwise we use the resolver's
+ * shared dispatch.
+ */
+ query->dispatchmgr = res->dispatchmgr;
+ query->dispatch = NULL;
+ query->tcpsocket = NULL;
+ if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+ isc_sockaddr_t addr;
+ int pf;
+
+ pf = isc_sockaddr_pf(&addrinfo->sockaddr);
+
+ switch (pf) {
+ case PF_INET:
+ result = dns_dispatch_getlocaladdress(res->dispatchv4,
+ &addr);
+ break;
+ case PF_INET6:
+ result = dns_dispatch_getlocaladdress(res->dispatchv6,
+ &addr);
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ break;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_query;
+
+ isc_sockaddr_setport(&addr, 0);
+
+ result = isc_socket_create(res->socketmgr, pf,
+ isc_sockettype_tcp,
+ &query->tcpsocket);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_query;
+
+ result = isc_socket_bind(query->tcpsocket, &addr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_socket;
+
+ /*
+ * A dispatch will be created once the connect succeeds.
+ */
+ } else {
+ switch (isc_sockaddr_pf(&addrinfo->sockaddr)) {
+ case PF_INET:
+ dns_dispatch_attach(res->dispatchv4, &query->dispatch);
+ break;
+ case PF_INET6:
+ dns_dispatch_attach(res->dispatchv6, &query->dispatch);
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup_query;
+ }
+ /*
+ * We should always have a valid dispatcher here. If we
+ * don't support a protocol family, then its dispatcher
+ * will be NULL, but we shouldn't be finding addresses for
+ * protocol types we don't support, so the dispatcher
+ * we found should never be NULL.
+ */
+ INSIST(query->dispatch != NULL);
+ }
+
+ query->dispentry = NULL;
+ query->fctx = fctx;
+ query->tsig = NULL;
+ query->tsigkey = NULL;
+ ISC_LINK_INIT(query, link);
+ query->magic = QUERY_MAGIC;
+
+ if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+ /*
+ * Connect to the remote server.
+ *
+ * XXXRTH Should we attach to the socket?
+ */
+ result = isc_socket_connect(query->tcpsocket,
+ &addrinfo->sockaddr, task,
+ resquery_connected, query);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_socket;
+ query->connects++;
+ QTRACE("connecting via TCP");
+ } else {
+ result = resquery_send(query);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_dispatch;
+ }
+
+ ISC_LIST_APPEND(fctx->queries, query, link);
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_socket:
+ isc_socket_detach(&query->tcpsocket);
+
+ cleanup_dispatch:
+ if (query->dispatch != NULL)
+ dns_dispatch_detach(&query->dispatch);
+
+ cleanup_query:
+ query->magic = 0;
+ isc_mem_put(res->mctx, query, sizeof(*query));
+
+ stop_idle_timer:
+ RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
+
+ return (result);
+}
+
+static isc_result_t
+resquery_send(resquery_t *query) {
+ fetchctx_t *fctx;
+ isc_result_t result;
+ dns_name_t *qname = NULL;
+ dns_rdataset_t *qrdataset = NULL;
+ isc_region_t r;
+ dns_resolver_t *res;
+ isc_task_t *task;
+ isc_socket_t *socket;
+ isc_buffer_t tcpbuffer;
+ isc_sockaddr_t *address;
+ isc_buffer_t *buffer;
+ isc_netaddr_t ipaddr;
+ dns_tsigkey_t *tsigkey = NULL;
+ dns_peer_t *peer = NULL;
+ isc_boolean_t useedns;
+ dns_compress_t cctx;
+ isc_boolean_t cleanup_cctx = ISC_FALSE;
+ isc_boolean_t secure_domain;
+
+ fctx = query->fctx;
+ QTRACE("send");
+
+ res = fctx->res;
+ task = res->buckets[fctx->bucketnum].task;
+ address = NULL;
+
+ if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+ /*
+ * Reserve space for the TCP message length.
+ */
+ isc_buffer_init(&tcpbuffer, query->data, sizeof(query->data));
+ isc_buffer_init(&query->buffer, query->data + 2,
+ sizeof(query->data) - 2);
+ buffer = &tcpbuffer;
+ } else {
+ isc_buffer_init(&query->buffer, query->data,
+ sizeof(query->data));
+ buffer = &query->buffer;
+ }
+
+ result = dns_message_gettempname(fctx->qmessage, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_temps;
+ result = dns_message_gettemprdataset(fctx->qmessage, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_temps;
+
+ /*
+ * Get a query id from the dispatch.
+ */
+ result = dns_dispatch_addresponse(query->dispatch,
+ &query->addrinfo->sockaddr,
+ task,
+ resquery_response,
+ query,
+ &query->id,
+ &query->dispentry);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_temps;
+
+ fctx->qmessage->opcode = dns_opcode_query;
+
+ /*
+ * Set up question.
+ */
+ dns_name_init(qname, NULL);
+ dns_name_clone(&fctx->name, qname);
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, res->rdclass, fctx->type);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ dns_message_addname(fctx->qmessage, qname, DNS_SECTION_QUESTION);
+ qname = NULL;
+ qrdataset = NULL;
+
+ /*
+ * Set RD if the client has requested that we do a recursive query,
+ * or if we're sending to a forwarder.
+ */
+ if ((query->options & DNS_FETCHOPT_RECURSIVE) != 0 ||
+ ISFORWARDER(query->addrinfo))
+ fctx->qmessage->flags |= DNS_MESSAGEFLAG_RD;
+
+ /*
+ * Set CD if the client says don't validate or the question is
+ * under a secure entry point.
+ */
+ if ((query->options & DNS_FETCHOPT_NOVALIDATE) == 0) {
+ result = dns_keytable_issecuredomain(res->view->secroots,
+ &fctx->name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ secure_domain = ISC_FALSE;
+ if (res->view->dlv != NULL)
+ secure_domain = ISC_TRUE;
+ if (secure_domain)
+ fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+ } else
+ fctx->qmessage->flags |= DNS_MESSAGEFLAG_CD;
+
+ /*
+ * We don't have to set opcode because it defaults to query.
+ */
+ fctx->qmessage->id = query->id;
+
+ /*
+ * Convert the question to wire format.
+ */
+ result = dns_compress_init(&cctx, -1, fctx->res->mctx);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+ cleanup_cctx = ISC_TRUE;
+
+ result = dns_message_renderbegin(fctx->qmessage, &cctx,
+ &query->buffer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+
+ result = dns_message_rendersection(fctx->qmessage,
+ DNS_SECTION_QUESTION, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+
+ peer = NULL;
+ isc_netaddr_fromsockaddr(&ipaddr, &query->addrinfo->sockaddr);
+ (void) dns_peerlist_peerbyaddr(fctx->res->view->peers, &ipaddr, &peer);
+
+ /*
+ * The ADB does not know about servers with "edns no". Check this,
+ * and then inform the ADB for future use.
+ */
+ if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0 &&
+ peer != NULL &&
+ dns_peer_getsupportedns(peer, &useedns) == ISC_R_SUCCESS &&
+ !useedns)
+ {
+ query->options |= DNS_FETCHOPT_NOEDNS0;
+ dns_adb_changeflags(fctx->adb,
+ query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ }
+
+ /*
+ * Use EDNS0, unless the caller doesn't want it, or we know that
+ * the remote server doesn't like it.
+ */
+ if (fctx->timeouts >= MAX_EDNS0_TIMEOUTS &&
+ (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ query->options |= DNS_FETCHOPT_NOEDNS0;
+ FCTXTRACE("too many timeouts, disabling EDNS0");
+ }
+
+ if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
+ result = fctx_addopt(fctx->qmessage, res);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * We couldn't add the OPT, but we'll press on.
+ * We're not using EDNS0, so set the NOEDNS0
+ * bit.
+ */
+ query->options |= DNS_FETCHOPT_NOEDNS0;
+ }
+ } else {
+ /*
+ * We know this server doesn't like EDNS0, so we
+ * won't use it. Set the NOEDNS0 bit since we're
+ * not using EDNS0.
+ */
+ query->options |= DNS_FETCHOPT_NOEDNS0;
+ }
+ }
+
+ /*
+ * If we need EDNS0 to do this query and aren't using it, we lose.
+ */
+ if (NEEDEDNS0(fctx) && (query->options & DNS_FETCHOPT_NOEDNS0) != 0) {
+ result = DNS_R_SERVFAIL;
+ goto cleanup_message;
+ }
+
+ /*
+ * Add TSIG record tailored to the current recipient.
+ */
+ result = dns_view_getpeertsig(fctx->res->view, &ipaddr, &tsigkey);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
+ goto cleanup_message;
+
+ if (tsigkey != NULL) {
+ result = dns_message_settsigkey(fctx->qmessage, tsigkey);
+ dns_tsigkey_detach(&tsigkey);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+ }
+
+ result = dns_message_rendersection(fctx->qmessage,
+ DNS_SECTION_ADDITIONAL, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+
+ result = dns_message_renderend(fctx->qmessage);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+
+ dns_compress_invalidate(&cctx);
+ cleanup_cctx = ISC_FALSE;
+
+ if (dns_message_gettsigkey(fctx->qmessage) != NULL) {
+ dns_tsigkey_attach(dns_message_gettsigkey(fctx->qmessage),
+ &query->tsigkey);
+ result = dns_message_getquerytsig(fctx->qmessage,
+ fctx->res->mctx,
+ &query->tsig);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+ }
+
+ /*
+ * If using TCP, write the length of the message at the beginning
+ * of the buffer.
+ */
+ if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+ isc_buffer_usedregion(&query->buffer, &r);
+ isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
+ isc_buffer_add(&tcpbuffer, r.length);
+ }
+
+ /*
+ * We're now done with the query message.
+ */
+ dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+ socket = dns_dispatch_getsocket(query->dispatch);
+ /*
+ * Send the query!
+ */
+ if ((query->options & DNS_FETCHOPT_TCP) == 0)
+ address = &query->addrinfo->sockaddr;
+ isc_buffer_usedregion(buffer, &r);
+
+ /*
+ * XXXRTH Make sure we don't send to ourselves! We should probably
+ * prune out these addresses when we get them from the ADB.
+ */
+ result = isc_socket_sendto(socket, &r, task, resquery_senddone,
+ query, address, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_message;
+ query->sends++;
+ QTRACE("sent");
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_message:
+ if (cleanup_cctx)
+ dns_compress_invalidate(&cctx);
+
+ dns_message_reset(fctx->qmessage, DNS_MESSAGE_INTENTRENDER);
+
+ /*
+ * Stop the dispatcher from listening.
+ */
+ dns_dispatch_removeresponse(&query->dispentry, NULL);
+
+ cleanup_temps:
+ if (qname != NULL)
+ dns_message_puttempname(fctx->qmessage, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(fctx->qmessage, &qrdataset);
+
+ return (result);
+}
+
+static void
+resquery_connected(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+ resquery_t *query = event->ev_arg;
+ isc_result_t result;
+
+ REQUIRE(event->ev_type == ISC_SOCKEVENT_CONNECT);
+ REQUIRE(VALID_QUERY(query));
+
+ QTRACE("connected");
+
+ UNUSED(task);
+
+ /*
+ * XXXRTH
+ *
+ * Currently we don't wait for the connect event before retrying
+ * a query. This means that if we get really behind, we may end
+ * up doing extra work!
+ */
+
+ query->connects--;
+
+ if (RESQUERY_CANCELED(query)) {
+ /*
+ * This query was canceled while the connect() was in
+ * progress.
+ */
+ isc_socket_detach(&query->tcpsocket);
+ resquery_destroy(&query);
+ } else {
+ if (sevent->result == ISC_R_SUCCESS) {
+ unsigned int attrs;
+
+ /*
+ * We are connected. Create a dispatcher and
+ * send the query.
+ */
+ attrs = 0;
+ attrs |= DNS_DISPATCHATTR_TCP;
+ attrs |= DNS_DISPATCHATTR_PRIVATE;
+ attrs |= DNS_DISPATCHATTR_CONNECTED;
+ if (isc_sockaddr_pf(&query->addrinfo->sockaddr) ==
+ AF_INET)
+ attrs |= DNS_DISPATCHATTR_IPV4;
+ else
+ attrs |= DNS_DISPATCHATTR_IPV6;
+ attrs |= DNS_DISPATCHATTR_MAKEQUERY;
+
+ result = dns_dispatch_createtcp(query->dispatchmgr,
+ query->tcpsocket,
+ query->fctx->res->taskmgr,
+ 4096, 2, 1, 1, 3, attrs,
+ &query->dispatch);
+
+ /*
+ * Regardless of whether dns_dispatch_create()
+ * succeeded or not, we don't need our reference
+ * to the socket anymore.
+ */
+ isc_socket_detach(&query->tcpsocket);
+
+ if (result == ISC_R_SUCCESS)
+ result = resquery_send(query);
+
+ if (result != ISC_R_SUCCESS) {
+ fetchctx_t *fctx = query->fctx;
+ fctx_cancelquery(&query, NULL, NULL,
+ ISC_FALSE);
+ fctx_done(fctx, result);
+ }
+ } else {
+ isc_socket_detach(&query->tcpsocket);
+ fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
+ }
+ }
+
+ isc_event_free(&event);
+}
+
+
+
+static void
+fctx_finddone(isc_task_t *task, isc_event_t *event) {
+ fetchctx_t *fctx;
+ dns_adbfind_t *find;
+ dns_resolver_t *res;
+ isc_boolean_t want_try = ISC_FALSE;
+ isc_boolean_t want_done = ISC_FALSE;
+ isc_boolean_t bucket_empty = ISC_FALSE;
+ unsigned int bucketnum;
+
+ find = event->ev_sender;
+ fctx = event->ev_arg;
+ REQUIRE(VALID_FCTX(fctx));
+ res = fctx->res;
+
+ UNUSED(task);
+
+ FCTXTRACE("finddone");
+
+ INSIST(fctx->pending > 0);
+ fctx->pending--;
+
+ if (ADDRWAIT(fctx)) {
+ /*
+ * The fetch is waiting for a name to be found.
+ */
+ INSIST(!SHUTTINGDOWN(fctx));
+ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
+ want_try = ISC_TRUE;
+ else if (fctx->pending == 0) {
+ /*
+ * We've got nothing else to wait for and don't
+ * know the answer. There's nothing to do but
+ * fail the fctx.
+ */
+ want_done = ISC_TRUE;
+ }
+ } else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
+ ISC_LIST_EMPTY(fctx->validators)) {
+ bucketnum = fctx->bucketnum;
+ LOCK(&res->buckets[bucketnum].lock);
+ /*
+ * Note that we had to wait until we had the lock before
+ * looking at fctx->references.
+ */
+ if (fctx->references == 0)
+ bucket_empty = fctx_destroy(fctx);
+ UNLOCK(&res->buckets[bucketnum].lock);
+ }
+
+ isc_event_free(&event);
+ dns_adb_destroyfind(&find);
+
+ if (want_try)
+ fctx_try(fctx);
+ else if (want_done)
+ fctx_done(fctx, ISC_R_FAILURE);
+ else if (bucket_empty)
+ empty_bucket(res);
+}
+
+
+static inline isc_boolean_t
+bad_server(fetchctx_t *fctx, isc_sockaddr_t *address) {
+ isc_sockaddr_t *sa;
+
+ for (sa = ISC_LIST_HEAD(fctx->bad);
+ sa != NULL;
+ sa = ISC_LIST_NEXT(sa, link)) {
+ if (isc_sockaddr_equal(sa, address))
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+static inline isc_boolean_t
+mark_bad(fetchctx_t *fctx) {
+ dns_adbfind_t *curr;
+ dns_adbaddrinfo_t *addrinfo;
+ isc_boolean_t all_bad = ISC_TRUE;
+
+ /*
+ * Mark all known bad servers, so we don't try to talk to them
+ * again.
+ */
+
+ /*
+ * Mark any bad nameservers.
+ */
+ for (curr = ISC_LIST_HEAD(fctx->finds);
+ curr != NULL;
+ curr = ISC_LIST_NEXT(curr, publink)) {
+ for (addrinfo = ISC_LIST_HEAD(curr->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (bad_server(fctx, &addrinfo->sockaddr))
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ else
+ all_bad = ISC_FALSE;
+ }
+ }
+
+ /*
+ * Mark any bad forwarders.
+ */
+ for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (bad_server(fctx, &addrinfo->sockaddr))
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ else
+ all_bad = ISC_FALSE;
+ }
+
+ /*
+ * Mark any bad alternates.
+ */
+ for (curr = ISC_LIST_HEAD(fctx->altfinds);
+ curr != NULL;
+ curr = ISC_LIST_NEXT(curr, publink)) {
+ for (addrinfo = ISC_LIST_HEAD(curr->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (bad_server(fctx, &addrinfo->sockaddr))
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ else
+ all_bad = ISC_FALSE;
+ }
+ }
+
+ for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (bad_server(fctx, &addrinfo->sockaddr))
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ else
+ all_bad = ISC_FALSE;
+ }
+
+ return (all_bad);
+}
+
+static void
+add_bad(fetchctx_t *fctx, isc_sockaddr_t *address, isc_result_t reason) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ char classbuf[64];
+ char typebuf[64];
+ char code[64];
+ isc_buffer_t b;
+ isc_sockaddr_t *sa;
+ const char *sep1, *sep2;
+
+ if (bad_server(fctx, address)) {
+ /*
+ * We already know this server is bad.
+ */
+ return;
+ }
+
+ FCTXTRACE("add_bad");
+
+ sa = isc_mem_get(fctx->res->mctx, sizeof(*sa));
+ if (sa == NULL)
+ return;
+ *sa = *address;
+ ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
+
+ if (reason == DNS_R_LAME) /* already logged */
+ return;
+
+ if (reason == DNS_R_UNEXPECTEDRCODE) {
+ isc_buffer_init(&b, code, sizeof(code) - 1);
+ dns_rcode_totext(fctx->rmessage->rcode, &b);
+ code[isc_buffer_usedlength(&b)] = '\0';
+ sep1 = "(";
+ sep2 = ") ";
+ } else if (reason == DNS_R_UNEXPECTEDOPCODE) {
+ isc_buffer_init(&b, code, sizeof(code) - 1);
+ dns_opcode_totext((dns_opcode_t)fctx->rmessage->opcode, &b);
+ code[isc_buffer_usedlength(&b)] = '\0';
+ sep1 = "(";
+ sep2 = ") ";
+ } else {
+ code[0] = '\0';
+ sep1 = "";
+ sep2 = "";
+ }
+ dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+ dns_rdataclass_format(fctx->res->rdclass, classbuf, sizeof(classbuf));
+ isc_sockaddr_format(address, addrbuf, sizeof(addrbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ "%s %s%s%sresolving '%s/%s/%s': %s",
+ dns_result_totext(reason), sep1, code, sep2,
+ namebuf, typebuf, classbuf, addrbuf);
+}
+
+static void
+sort_adbfind(dns_adbfind_t *find) {
+ dns_adbaddrinfo_t *best, *curr;
+ dns_adbaddrinfolist_t sorted;
+
+ /*
+ * Lame N^2 bubble sort.
+ */
+
+ ISC_LIST_INIT(sorted);
+ while (!ISC_LIST_EMPTY(find->list)) {
+ best = ISC_LIST_HEAD(find->list);
+ curr = ISC_LIST_NEXT(best, publink);
+ while (curr != NULL) {
+ if (curr->srtt < best->srtt)
+ best = curr;
+ curr = ISC_LIST_NEXT(curr, publink);
+ }
+ ISC_LIST_UNLINK(find->list, best, publink);
+ ISC_LIST_APPEND(sorted, best, publink);
+ }
+ find->list = sorted;
+}
+
+static void
+sort_finds(fetchctx_t *fctx) {
+ dns_adbfind_t *best, *curr;
+ dns_adbfindlist_t sorted;
+ dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
+
+ /*
+ * Lame N^2 bubble sort.
+ */
+
+ ISC_LIST_INIT(sorted);
+ while (!ISC_LIST_EMPTY(fctx->finds)) {
+ best = ISC_LIST_HEAD(fctx->finds);
+ bestaddrinfo = ISC_LIST_HEAD(best->list);
+ INSIST(bestaddrinfo != NULL);
+ curr = ISC_LIST_NEXT(best, publink);
+ while (curr != NULL) {
+ addrinfo = ISC_LIST_HEAD(curr->list);
+ INSIST(addrinfo != NULL);
+ if (addrinfo->srtt < bestaddrinfo->srtt) {
+ best = curr;
+ bestaddrinfo = addrinfo;
+ }
+ curr = ISC_LIST_NEXT(curr, publink);
+ }
+ ISC_LIST_UNLINK(fctx->finds, best, publink);
+ ISC_LIST_APPEND(sorted, best, publink);
+ }
+ fctx->finds = sorted;
+
+ ISC_LIST_INIT(sorted);
+ while (!ISC_LIST_EMPTY(fctx->altfinds)) {
+ best = ISC_LIST_HEAD(fctx->altfinds);
+ bestaddrinfo = ISC_LIST_HEAD(best->list);
+ INSIST(bestaddrinfo != NULL);
+ curr = ISC_LIST_NEXT(best, publink);
+ while (curr != NULL) {
+ addrinfo = ISC_LIST_HEAD(curr->list);
+ INSIST(addrinfo != NULL);
+ if (addrinfo->srtt < bestaddrinfo->srtt) {
+ best = curr;
+ bestaddrinfo = addrinfo;
+ }
+ curr = ISC_LIST_NEXT(curr, publink);
+ }
+ ISC_LIST_UNLINK(fctx->altfinds, best, publink);
+ ISC_LIST_APPEND(sorted, best, publink);
+ }
+ fctx->altfinds = sorted;
+}
+
+static void
+findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
+ unsigned int options, unsigned int flags, isc_stdtime_t now,
+ isc_boolean_t *pruned, isc_boolean_t *need_alternate)
+{
+ dns_adbaddrinfo_t *ai;
+ dns_adbfind_t *find;
+ dns_resolver_t *res;
+ isc_boolean_t unshared;
+ isc_result_t result;
+
+ res = fctx->res;
+ unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
+ /*
+ * If this name is a subdomain of the query domain, tell
+ * the ADB to start looking using zone/hint data. This keeps us
+ * from getting stuck if the nameserver is beneath the zone cut
+ * and we don't know its address (e.g. because the A record has
+ * expired).
+ */
+ if (dns_name_issubdomain(name, &fctx->domain))
+ options |= DNS_ADBFIND_STARTATZONE;
+ options |= DNS_ADBFIND_GLUEOK;
+ options |= DNS_ADBFIND_HINTOK;
+
+ /*
+ * See what we know about this address.
+ */
+ find = NULL;
+ result = dns_adb_createfind(fctx->adb,
+ res->buckets[fctx->bucketnum].task,
+ fctx_finddone, fctx, name,
+ &fctx->domain, options, now, NULL,
+ res->view->dstport, &find);
+ if (result != ISC_R_SUCCESS) {
+ if (result == DNS_R_ALIAS) {
+ /*
+ * XXXRTH Follow the CNAME/DNAME chain?
+ */
+ dns_adb_destroyfind(&find);
+ }
+ } else if (!ISC_LIST_EMPTY(find->list)) {
+ /*
+ * We have at least some of the addresses for the
+ * name.
+ */
+ INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
+ sort_adbfind(find);
+ if (flags != 0 || port != 0) {
+ for (ai = ISC_LIST_HEAD(find->list);
+ ai != NULL;
+ ai = ISC_LIST_NEXT(ai, publink)) {
+ ai->flags |= flags;
+ if (port != 0)
+ isc_sockaddr_setport(&ai->sockaddr,
+ port);
+ }
+ }
+ if ((flags & FCTX_ADDRINFO_FORWARDER) != 0)
+ ISC_LIST_APPEND(fctx->altfinds, find, publink);
+ else
+ ISC_LIST_APPEND(fctx->finds, find, publink);
+ } else {
+ /*
+ * We don't know any of the addresses for this
+ * name.
+ */
+ if ((find->options & DNS_ADBFIND_WANTEVENT) != 0) {
+ /*
+ * We're looking for them and will get an
+ * event about it later.
+ */
+ fctx->pending++;
+ /*
+ * Bootstrap.
+ */
+ if (need_alternate != NULL &&
+ !*need_alternate && unshared &&
+ ((res->dispatchv4 == NULL &&
+ find->result_v6 != DNS_R_NXDOMAIN) ||
+ (res->dispatchv6 == NULL &&
+ find->result_v4 != DNS_R_NXDOMAIN)))
+ *need_alternate = ISC_TRUE;
+ } else {
+ /*
+ * If we know there are no addresses for
+ * the family we are using then try to add
+ * an alternative server.
+ */
+ if (need_alternate != NULL && !*need_alternate &&
+ ((res->dispatchv4 == NULL &&
+ find->result_v6 == DNS_R_NXRRSET) ||
+ (res->dispatchv6 == NULL &&
+ find->result_v4 == DNS_R_NXRRSET)))
+ *need_alternate = ISC_TRUE;
+ /*
+ * And ADB isn't going to send us any events
+ * either. This find loses.
+ */
+ if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0) {
+ /*
+ * The ADB pruned lame servers for
+ * this name. Remember that in case
+ * we get desperate later on.
+ */
+ *pruned = ISC_TRUE;
+ }
+ dns_adb_destroyfind(&find);
+ }
+ }
+}
+
+static isc_result_t
+fctx_getaddresses(fetchctx_t *fctx) {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ dns_resolver_t *res;
+ isc_stdtime_t now;
+ unsigned int stdoptions;
+ isc_sockaddr_t *sa;
+ dns_adbaddrinfo_t *ai;
+ isc_boolean_t pruned, all_bad;
+ dns_rdata_ns_t ns;
+ isc_boolean_t need_alternate = ISC_FALSE;
+ isc_boolean_t unshared;
+
+ FCTXTRACE("getaddresses");
+
+ /*
+ * Don't pound on remote servers. (Failsafe!)
+ */
+ fctx->restarts++;
+ if (fctx->restarts > 10) {
+ FCTXTRACE("too many restarts");
+ return (DNS_R_SERVFAIL);
+ }
+
+ res = fctx->res;
+ pruned = ISC_FALSE;
+ stdoptions = 0; /* Keep compiler happy. */
+ unshared = ISC_TF((fctx->options | DNS_FETCHOPT_UNSHARED) != 0);
+
+ /*
+ * Forwarders.
+ */
+
+ INSIST(ISC_LIST_EMPTY(fctx->forwaddrs));
+ INSIST(ISC_LIST_EMPTY(fctx->altaddrs));
+
+ /*
+ * If this fctx has forwarders, use them; otherwise use any
+ * selective forwarders specified in the view; otherwise use the
+ * resolver's forwarders (if any).
+ */
+ sa = ISC_LIST_HEAD(fctx->forwarders);
+ if (sa == NULL) {
+ dns_forwarders_t *forwarders = NULL;
+ dns_name_t *name = &fctx->name;
+ dns_name_t suffix;
+ unsigned int labels;
+
+ /*
+ * DS records are found in the parent server.
+ * Strip label to get the correct forwarder (if any).
+ */
+ if (fctx->type == dns_rdatatype_ds &&
+ dns_name_countlabels(name) > 1) {
+ dns_name_init(&suffix, NULL);
+ labels = dns_name_countlabels(name);
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+ name = &suffix;
+ }
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name,
+ &forwarders);
+ if (result == ISC_R_SUCCESS) {
+ sa = ISC_LIST_HEAD(forwarders->addrs);
+ fctx->fwdpolicy = forwarders->fwdpolicy;
+ }
+ }
+
+ while (sa != NULL) {
+ ai = NULL;
+ result = dns_adb_findaddrinfo(fctx->adb,
+ sa, &ai, 0); /* XXXMLG */
+ if (result == ISC_R_SUCCESS) {
+ dns_adbaddrinfo_t *cur;
+ ai->flags |= FCTX_ADDRINFO_FORWARDER;
+ cur = ISC_LIST_HEAD(fctx->forwaddrs);
+ while (cur != NULL && cur->srtt < ai->srtt)
+ cur = ISC_LIST_NEXT(cur, publink);
+ if (cur != NULL)
+ ISC_LIST_INSERTBEFORE(fctx->forwaddrs, cur,
+ ai, publink);
+ else
+ ISC_LIST_APPEND(fctx->forwaddrs, ai, publink);
+ }
+ sa = ISC_LIST_NEXT(sa, link);
+ }
+
+ /*
+ * If the forwarding policy is "only", we don't need the addresses
+ * of the nameservers.
+ */
+ if (fctx->fwdpolicy == dns_fwdpolicy_only)
+ goto out;
+
+ /*
+ * Normal nameservers.
+ */
+
+ stdoptions = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_EMPTYEVENT;
+ if (fctx->restarts == 1) {
+ /*
+ * To avoid sending out a flood of queries likely to
+ * result in NXRRSET, we suppress fetches for address
+ * families we don't have the first time through,
+ * provided that we have addresses in some family we
+ * can use.
+ *
+ * We don't want to set this option all the time, since
+ * if fctx->restarts > 1, we've clearly been having trouble
+ * with the addresses we had, so getting more could help.
+ */
+ stdoptions |= DNS_ADBFIND_AVOIDFETCHES;
+ }
+ if (res->dispatchv4 != NULL)
+ stdoptions |= DNS_ADBFIND_INET;
+ if (res->dispatchv6 != NULL)
+ stdoptions |= DNS_ADBFIND_INET6;
+ isc_stdtime_get(&now);
+
+ restart:
+ INSIST(ISC_LIST_EMPTY(fctx->finds));
+ INSIST(ISC_LIST_EMPTY(fctx->altfinds));
+
+ for (result = dns_rdataset_first(&fctx->nameservers);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&fctx->nameservers))
+ {
+ dns_rdataset_current(&fctx->nameservers, &rdata);
+ /*
+ * Extract the name from the NS record.
+ */
+ result = dns_rdata_tostruct(&rdata, &ns, NULL);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ findname(fctx, &ns.name, 0, stdoptions, 0, now,
+ &pruned, &need_alternate);
+ dns_rdata_reset(&rdata);
+ dns_rdata_freestruct(&ns);
+ }
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ /*
+ * Do we need to use 6 to 4?
+ */
+ if (need_alternate) {
+ int family;
+ alternate_t *a;
+ family = (res->dispatchv6 != NULL) ? AF_INET6 : AF_INET;
+ for (a = ISC_LIST_HEAD(fctx->res->alternates);
+ a != NULL;
+ a = ISC_LIST_NEXT(a, link)) {
+ if (!a->isaddress) {
+ findname(fctx, &a->_u._n.name, a->_u._n.port,
+ stdoptions, FCTX_ADDRINFO_FORWARDER,
+ now, &pruned, NULL);
+ continue;
+ }
+ if (isc_sockaddr_pf(&a->_u.addr) != family)
+ continue;
+ ai = NULL;
+ result = dns_adb_findaddrinfo(fctx->adb, &a->_u.addr,
+ &ai, 0);
+ if (result == ISC_R_SUCCESS) {
+ dns_adbaddrinfo_t *cur;
+ ai->flags |= FCTX_ADDRINFO_FORWARDER;
+ cur = ISC_LIST_HEAD(fctx->altaddrs);
+ while (cur != NULL && cur->srtt < ai->srtt)
+ cur = ISC_LIST_NEXT(cur, publink);
+ if (cur != NULL)
+ ISC_LIST_INSERTBEFORE(fctx->altaddrs,
+ cur, ai, publink);
+ else
+ ISC_LIST_APPEND(fctx->altaddrs, ai,
+ publink);
+ }
+ }
+ }
+
+ out:
+ /*
+ * Mark all known bad servers.
+ */
+ all_bad = mark_bad(fctx);
+
+ /*
+ * How are we doing?
+ */
+ if (all_bad) {
+ /*
+ * We've got no addresses.
+ */
+ if (fctx->pending > 0) {
+ /*
+ * We're fetching the addresses, but don't have any
+ * yet. Tell the caller to wait for an answer.
+ */
+ result = DNS_R_WAIT;
+ } else if (pruned) {
+ /*
+ * Some addresses were removed by lame pruning.
+ * Turn pruning off and try again.
+ */
+ FCTXTRACE("restarting with returnlame");
+ INSIST((stdoptions & DNS_ADBFIND_RETURNLAME) == 0);
+ stdoptions |= DNS_ADBFIND_RETURNLAME;
+ pruned = ISC_FALSE;
+ fctx_cleanupaltfinds(fctx);
+ fctx_cleanupfinds(fctx);
+ goto restart;
+ } else {
+ /*
+ * We've lost completely. We don't know any
+ * addresses, and the ADB has told us it can't get
+ * them.
+ */
+ FCTXTRACE("no addresses");
+ result = ISC_R_FAILURE;
+ }
+ } else {
+ /*
+ * We've found some addresses. We might still be looking
+ * for more addresses.
+ */
+ sort_finds(fctx);
+ result = ISC_R_SUCCESS;
+ }
+
+ return (result);
+}
+
+static inline void
+possibly_mark(fetchctx_t *fctx, dns_adbaddrinfo_t *addr)
+{
+ isc_netaddr_t na;
+ char buf[ISC_NETADDR_FORMATSIZE];
+ isc_sockaddr_t *sa;
+ isc_boolean_t aborted = ISC_FALSE;
+ isc_boolean_t bogus;
+ dns_acl_t *blackhole;
+ isc_netaddr_t ipaddr;
+ dns_peer_t *peer = NULL;
+ dns_resolver_t *res;
+ const char *msg = NULL;
+
+ sa = &addr->sockaddr;
+
+ res = fctx->res;
+ isc_netaddr_fromsockaddr(&ipaddr, sa);
+ blackhole = dns_dispatchmgr_getblackhole(res->dispatchmgr);
+ (void) dns_peerlist_peerbyaddr(res->view->peers, &ipaddr, &peer);
+
+ if (blackhole != NULL) {
+ int match;
+
+ if (dns_acl_match(&ipaddr, NULL, blackhole,
+ &res->view->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ aborted = ISC_TRUE;
+ }
+
+ if (peer != NULL &&
+ dns_peer_getbogus(peer, &bogus) == ISC_R_SUCCESS &&
+ bogus)
+ aborted = ISC_TRUE;
+
+ if (aborted) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring blackholed / bogus server: ";
+ } else if (isc_sockaddr_ismulticast(sa)) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring multicast address: ";
+ } else if (isc_sockaddr_isexperimental(sa)) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring experimental address: ";
+ } else if (sa->type.sa.sa_family != AF_INET6) {
+ return;
+ } else if (IN6_IS_ADDR_V4MAPPED(&sa->type.sin6.sin6_addr)) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring IPv6 mapped IPV4 address: ";
+ } else if (IN6_IS_ADDR_V4COMPAT(&sa->type.sin6.sin6_addr)) {
+ addr->flags |= FCTX_ADDRINFO_MARK;
+ msg = "ignoring IPv6 compatibility IPV4 address: ";
+ } else
+ return;
+
+ if (!isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3)))
+ return;
+
+ isc_netaddr_fromsockaddr(&na, sa);
+ isc_netaddr_format(&na, buf, sizeof(buf));
+ FCTXTRACE2(msg, buf);
+}
+
+static inline dns_adbaddrinfo_t *
+fctx_nextaddress(fetchctx_t *fctx) {
+ dns_adbfind_t *find, *start;
+ dns_adbaddrinfo_t *addrinfo;
+ dns_adbaddrinfo_t *faddrinfo;
+
+ /*
+ * Return the next untried address, if any.
+ */
+
+ /*
+ * Find the first unmarked forwarder (if any).
+ */
+ for (addrinfo = ISC_LIST_HEAD(fctx->forwaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (!UNMARKED(addrinfo))
+ continue;
+ possibly_mark(fctx, addrinfo);
+ if (UNMARKED(addrinfo)) {
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ fctx->find = NULL;
+ return (addrinfo);
+ }
+ }
+
+ /*
+ * No forwarders. Move to the next find.
+ */
+
+ fctx->attributes |= FCTX_ATTR_TRIEDFIND;
+
+ find = fctx->find;
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->finds);
+ else {
+ find = ISC_LIST_NEXT(find, publink);
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->finds);
+ }
+
+ /*
+ * Find the first unmarked addrinfo.
+ */
+ addrinfo = NULL;
+ if (find != NULL) {
+ start = find;
+ do {
+ for (addrinfo = ISC_LIST_HEAD(find->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (!UNMARKED(addrinfo))
+ continue;
+ possibly_mark(fctx, addrinfo);
+ if (UNMARKED(addrinfo)) {
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ break;
+ }
+ }
+ if (addrinfo != NULL)
+ break;
+ find = ISC_LIST_NEXT(find, publink);
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->finds);
+ } while (find != start);
+ }
+
+ fctx->find = find;
+ if (addrinfo != NULL)
+ return (addrinfo);
+
+ /*
+ * No nameservers left. Try alternates.
+ */
+
+ fctx->attributes |= FCTX_ATTR_TRIEDALT;
+
+ find = fctx->altfind;
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->altfinds);
+ else {
+ find = ISC_LIST_NEXT(find, publink);
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->altfinds);
+ }
+
+ /*
+ * Find the first unmarked addrinfo.
+ */
+ addrinfo = NULL;
+ if (find != NULL) {
+ start = find;
+ do {
+ for (addrinfo = ISC_LIST_HEAD(find->list);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (!UNMARKED(addrinfo))
+ continue;
+ possibly_mark(fctx, addrinfo);
+ if (UNMARKED(addrinfo)) {
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ break;
+ }
+ }
+ if (addrinfo != NULL)
+ break;
+ find = ISC_LIST_NEXT(find, publink);
+ if (find == NULL)
+ find = ISC_LIST_HEAD(fctx->altfinds);
+ } while (find != start);
+ }
+
+ faddrinfo = addrinfo;
+
+ /*
+ * See if we have a better alternate server by address.
+ */
+
+ for (addrinfo = ISC_LIST_HEAD(fctx->altaddrs);
+ addrinfo != NULL;
+ addrinfo = ISC_LIST_NEXT(addrinfo, publink)) {
+ if (!UNMARKED(addrinfo))
+ continue;
+ possibly_mark(fctx, addrinfo);
+ if (UNMARKED(addrinfo) &&
+ (faddrinfo == NULL ||
+ addrinfo->srtt < faddrinfo->srtt)) {
+ if (faddrinfo != NULL)
+ faddrinfo->flags &= ~FCTX_ADDRINFO_MARK;
+ addrinfo->flags |= FCTX_ADDRINFO_MARK;
+ break;
+ }
+ }
+
+ if (addrinfo == NULL) {
+ addrinfo = faddrinfo;
+ fctx->altfind = find;
+ }
+
+ return (addrinfo);
+}
+
+static void
+fctx_try(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_adbaddrinfo_t *addrinfo;
+
+ FCTXTRACE("try");
+
+ REQUIRE(!ADDRWAIT(fctx));
+
+ addrinfo = fctx_nextaddress(fctx);
+ if (addrinfo == NULL) {
+ /*
+ * We have no more addresses. Start over.
+ */
+ fctx_cancelqueries(fctx, ISC_TRUE);
+ fctx_cleanupfinds(fctx);
+ fctx_cleanupaltfinds(fctx);
+ fctx_cleanupforwaddrs(fctx);
+ fctx_cleanupaltaddrs(fctx);
+ result = fctx_getaddresses(fctx);
+ if (result == DNS_R_WAIT) {
+ /*
+ * Sleep waiting for addresses.
+ */
+ FCTXTRACE("addrwait");
+ fctx->attributes |= FCTX_ATTR_ADDRWAIT;
+ return;
+ } else if (result != ISC_R_SUCCESS) {
+ /*
+ * Something bad happened.
+ */
+ fctx_done(fctx, result);
+ return;
+ }
+
+ addrinfo = fctx_nextaddress(fctx);
+ /*
+ * While we may have addresses from the ADB, they
+ * might be bad ones. In this case, return SERVFAIL.
+ */
+ if (addrinfo == NULL) {
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ return;
+ }
+ }
+
+ result = fctx_query(fctx, addrinfo, fctx->options);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+}
+
+static isc_boolean_t
+fctx_destroy(fetchctx_t *fctx) {
+ dns_resolver_t *res;
+ unsigned int bucketnum;
+ isc_sockaddr_t *sa, *next_sa;
+
+ /*
+ * Caller must be holding the bucket lock.
+ */
+
+ REQUIRE(VALID_FCTX(fctx));
+ REQUIRE(fctx->state == fetchstate_done ||
+ fctx->state == fetchstate_init);
+ REQUIRE(ISC_LIST_EMPTY(fctx->events));
+ REQUIRE(ISC_LIST_EMPTY(fctx->queries));
+ REQUIRE(ISC_LIST_EMPTY(fctx->finds));
+ REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
+ REQUIRE(fctx->pending == 0);
+ REQUIRE(ISC_LIST_EMPTY(fctx->validators));
+ REQUIRE(fctx->references == 0);
+
+ FCTXTRACE("destroy");
+
+ res = fctx->res;
+ bucketnum = fctx->bucketnum;
+
+ ISC_LIST_UNLINK(res->buckets[bucketnum].fctxs, fctx, link);
+
+ /*
+ * Free bad.
+ */
+ for (sa = ISC_LIST_HEAD(fctx->bad);
+ sa != NULL;
+ sa = next_sa) {
+ next_sa = ISC_LIST_NEXT(sa, link);
+ ISC_LIST_UNLINK(fctx->bad, sa, link);
+ isc_mem_put(res->mctx, sa, sizeof(*sa));
+ }
+
+ isc_timer_detach(&fctx->timer);
+ dns_message_destroy(&fctx->rmessage);
+ dns_message_destroy(&fctx->qmessage);
+ if (dns_name_countlabels(&fctx->domain) > 0)
+ dns_name_free(&fctx->domain, res->mctx);
+ if (dns_rdataset_isassociated(&fctx->nameservers))
+ dns_rdataset_disassociate(&fctx->nameservers);
+ dns_name_free(&fctx->name, res->mctx);
+ dns_db_detach(&fctx->cache);
+ dns_adb_detach(&fctx->adb);
+ isc_mem_free(res->mctx, fctx->info);
+ isc_mem_put(res->mctx, fctx, sizeof(*fctx));
+
+ LOCK(&res->nlock);
+ res->nfctx--;
+ UNLOCK(&res->nlock);
+
+ if (res->buckets[bucketnum].exiting &&
+ ISC_LIST_EMPTY(res->buckets[bucketnum].fctxs))
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+/*
+ * Fetch event handlers.
+ */
+
+static void
+fctx_timeout(isc_task_t *task, isc_event_t *event) {
+ fetchctx_t *fctx = event->ev_arg;
+
+ REQUIRE(VALID_FCTX(fctx));
+
+ UNUSED(task);
+
+ FCTXTRACE("timeout");
+
+ if (event->ev_type == ISC_TIMEREVENT_LIFE) {
+ fctx_done(fctx, ISC_R_TIMEDOUT);
+ } else {
+ isc_result_t result;
+
+ fctx->timeouts++;
+ /*
+ * We could cancel the running queries here, or we could let
+ * them keep going. Right now we choose the latter...
+ */
+ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+ /*
+ * Our timer has triggered. Reestablish the fctx lifetime
+ * timer.
+ */
+ result = fctx_starttimer(fctx);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ else
+ /*
+ * Keep trying.
+ */
+ fctx_try(fctx);
+ }
+
+ isc_event_free(&event);
+}
+
+static void
+fctx_shutdown(fetchctx_t *fctx) {
+ isc_event_t *cevent;
+
+ /*
+ * Start the shutdown process for fctx, if it isn't already underway.
+ */
+
+ FCTXTRACE("shutdown");
+
+ /*
+ * The caller must be holding the appropriate bucket lock.
+ */
+
+ if (fctx->want_shutdown)
+ return;
+
+ fctx->want_shutdown = ISC_TRUE;
+
+ /*
+ * Unless we're still initializing (in which case the
+ * control event is still outstanding), we need to post
+ * the control event to tell the fetch we want it to
+ * exit.
+ */
+ if (fctx->state != fetchstate_init) {
+ cevent = &fctx->control_event;
+ isc_task_send(fctx->res->buckets[fctx->bucketnum].task,
+ &cevent);
+ }
+}
+
+static void
+fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
+ fetchctx_t *fctx = event->ev_arg;
+ isc_boolean_t bucket_empty = ISC_FALSE;
+ dns_resolver_t *res;
+ unsigned int bucketnum;
+ dns_validator_t *validator;
+
+ REQUIRE(VALID_FCTX(fctx));
+
+ UNUSED(task);
+
+ res = fctx->res;
+ bucketnum = fctx->bucketnum;
+
+ FCTXTRACE("doshutdown");
+
+ /*
+ * An fctx that is shutting down is no longer in ADDRWAIT mode.
+ */
+ fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
+
+ /*
+ * Cancel all pending validators. Note that this must be done
+ * without the bucket lock held, since that could cause deadlock.
+ */
+ validator = ISC_LIST_HEAD(fctx->validators);
+ while (validator != NULL) {
+ dns_validator_cancel(validator);
+ validator = ISC_LIST_NEXT(validator, link);
+ }
+
+ if (fctx->nsfetch != NULL)
+ dns_resolver_cancelfetch(fctx->nsfetch);
+
+ /*
+ * Shut down anything that is still running on behalf of this
+ * fetch. To avoid deadlock with the ADB, we must do this
+ * before we lock the bucket lock.
+ */
+ fctx_stopeverything(fctx, ISC_FALSE);
+
+ LOCK(&res->buckets[bucketnum].lock);
+
+ fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
+
+ INSIST(fctx->state == fetchstate_active ||
+ fctx->state == fetchstate_done);
+ INSIST(fctx->want_shutdown);
+
+ if (fctx->state != fetchstate_done) {
+ fctx->state = fetchstate_done;
+ fctx_sendevents(fctx, ISC_R_CANCELED);
+ }
+
+ if (fctx->references == 0 && fctx->pending == 0 &&
+ ISC_LIST_EMPTY(fctx->validators))
+ bucket_empty = fctx_destroy(fctx);
+
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+ if (bucket_empty)
+ empty_bucket(res);
+}
+
+static void
+fctx_start(isc_task_t *task, isc_event_t *event) {
+ fetchctx_t *fctx = event->ev_arg;
+ isc_boolean_t done = ISC_FALSE, bucket_empty = ISC_FALSE;
+ dns_resolver_t *res;
+ unsigned int bucketnum;
+
+ REQUIRE(VALID_FCTX(fctx));
+
+ UNUSED(task);
+
+ res = fctx->res;
+ bucketnum = fctx->bucketnum;
+
+ FCTXTRACE("start");
+
+ LOCK(&res->buckets[bucketnum].lock);
+
+ INSIST(fctx->state == fetchstate_init);
+ if (fctx->want_shutdown) {
+ /*
+ * We haven't started this fctx yet, and we've been requested
+ * to shut it down.
+ */
+ fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
+ fctx->state = fetchstate_done;
+ fctx_sendevents(fctx, ISC_R_CANCELED);
+ /*
+ * Since we haven't started, we INSIST that we have no
+ * pending ADB finds and no pending validations.
+ */
+ INSIST(fctx->pending == 0);
+ INSIST(ISC_LIST_EMPTY(fctx->validators));
+ if (fctx->references == 0) {
+ /*
+ * It's now safe to destroy this fctx.
+ */
+ bucket_empty = fctx_destroy(fctx);
+ }
+ done = ISC_TRUE;
+ } else {
+ /*
+ * Normal fctx startup.
+ */
+ fctx->state = fetchstate_active;
+ /*
+ * Reset the control event for later use in shutting down
+ * the fctx.
+ */
+ ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+ DNS_EVENT_FETCHCONTROL, fctx_doshutdown, fctx,
+ NULL, NULL, NULL);
+ }
+
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+ if (!done) {
+ isc_result_t result;
+
+ /*
+ * All is well. Start working on the fetch.
+ */
+ result = fctx_starttimer(fctx);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ else
+ fctx_try(fctx);
+ } else if (bucket_empty)
+ empty_bucket(res);
+}
+
+/*
+ * Fetch Creation, Joining, and Cancelation.
+ */
+
+static inline isc_result_t
+fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_taskaction_t action,
+ void *arg, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_fetch_t *fetch)
+{
+ isc_task_t *clone;
+ dns_fetchevent_t *event;
+
+ FCTXTRACE("join");
+
+ /*
+ * We store the task we're going to send this event to in the
+ * sender field. We'll make the fetch the sender when we actually
+ * send the event.
+ */
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event = (dns_fetchevent_t *)
+ isc_event_allocate(fctx->res->mctx, clone,
+ DNS_EVENT_FETCHDONE,
+ action, arg, sizeof(*event));
+ if (event == NULL) {
+ isc_task_detach(&clone);
+ return (ISC_R_NOMEMORY);
+ }
+ event->result = DNS_R_SERVFAIL;
+ event->qtype = fctx->type;
+ event->db = NULL;
+ event->node = NULL;
+ event->rdataset = rdataset;
+ event->sigrdataset = sigrdataset;
+ event->fetch = fetch;
+ dns_fixedname_init(&event->foundname);
+
+ /*
+ * Make sure that we can store the sigrdataset in the
+ * first event if it is needed by any of the events.
+ */
+ if (event->sigrdataset != NULL)
+ ISC_LIST_PREPEND(fctx->events, event, ev_link);
+ else
+ ISC_LIST_APPEND(fctx->events, event, ev_link);
+ fctx->references++;
+
+ fetch->magic = DNS_FETCH_MAGIC;
+ fetch->private = fctx;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
+ dns_name_t *domain, dns_rdataset_t *nameservers,
+ unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
+{
+ fetchctx_t *fctx;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t iresult;
+ isc_interval_t interval;
+ dns_fixedname_t qdomain;
+ unsigned int findoptions = 0;
+ char buf[DNS_NAME_FORMATSIZE + DNS_RDATATYPE_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ dns_name_t suffix;
+
+ /*
+ * Caller must be holding the lock for bucket number 'bucketnum'.
+ */
+ REQUIRE(fctxp != NULL && *fctxp == NULL);
+
+ fctx = isc_mem_get(res->mctx, sizeof(*fctx));
+ if (fctx == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_format(name, buf, sizeof(buf));
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+ strcat(buf, "/"); /* checked */
+ strcat(buf, typebuf); /* checked */
+ fctx->info = isc_mem_strdup(res->mctx, buf);
+ if (fctx->info == NULL)
+ goto cleanup_fetch;
+ FCTXTRACE("create");
+ dns_name_init(&fctx->name, NULL);
+ result = dns_name_dup(name, res->mctx, &fctx->name);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_info;
+ dns_name_init(&fctx->domain, NULL);
+ dns_rdataset_init(&fctx->nameservers);
+
+ fctx->type = type;
+ fctx->options = options;
+ /*
+ * Note! We do not attach to the task. We are relying on the
+ * resolver to ensure that this task doesn't go away while we are
+ * using it.
+ */
+ fctx->res = res;
+ fctx->references = 0;
+ fctx->bucketnum = bucketnum;
+ fctx->state = fetchstate_init;
+ fctx->want_shutdown = ISC_FALSE;
+ fctx->cloned = ISC_FALSE;
+ ISC_LIST_INIT(fctx->queries);
+ ISC_LIST_INIT(fctx->finds);
+ ISC_LIST_INIT(fctx->altfinds);
+ ISC_LIST_INIT(fctx->forwaddrs);
+ ISC_LIST_INIT(fctx->altaddrs);
+ ISC_LIST_INIT(fctx->forwarders);
+ fctx->fwdpolicy = dns_fwdpolicy_none;
+ ISC_LIST_INIT(fctx->bad);
+ ISC_LIST_INIT(fctx->validators);
+ fctx->find = NULL;
+ fctx->altfind = NULL;
+ fctx->pending = 0;
+ fctx->restarts = 0;
+ fctx->timeouts = 0;
+ fctx->attributes = 0;
+
+ dns_name_init(&fctx->nsname, NULL);
+ fctx->nsfetch = NULL;
+ dns_rdataset_init(&fctx->nsrrset);
+
+ if (domain == NULL) {
+ dns_forwarders_t *forwarders = NULL;
+ unsigned int labels;
+
+ /*
+ * DS records are found in the parent server.
+ * Strip label to get the correct forwarder (if any).
+ */
+ if (fctx->type == dns_rdatatype_ds &&
+ dns_name_countlabels(name) > 1) {
+ dns_name_init(&suffix, NULL);
+ labels = dns_name_countlabels(name);
+ dns_name_getlabelsequence(name, 1, labels - 1, &suffix);
+ name = &suffix;
+ }
+ result = dns_fwdtable_find(fctx->res->view->fwdtable, name,
+ &forwarders);
+ if (result == ISC_R_SUCCESS)
+ fctx->fwdpolicy = forwarders->fwdpolicy;
+
+ if (fctx->fwdpolicy != dns_fwdpolicy_only) {
+ /*
+ * The caller didn't supply a query domain and
+ * nameservers, and we're not in forward-only mode,
+ * so find the best nameservers to use.
+ */
+ if (dns_rdatatype_atparent(type))
+ findoptions |= DNS_DBFIND_NOEXACT;
+ dns_fixedname_init(&qdomain);
+ result = dns_view_findzonecut(res->view, name,
+ dns_fixedname_name(&qdomain), 0,
+ findoptions, ISC_TRUE,
+ &fctx->nameservers,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
+ result = dns_name_dup(dns_fixedname_name(&qdomain),
+ res->mctx, &fctx->domain);
+ if (result != ISC_R_SUCCESS) {
+ dns_rdataset_disassociate(&fctx->nameservers);
+ goto cleanup_name;
+ }
+ } else {
+ /*
+ * We're in forward-only mode. Set the query domain
+ * to ".".
+ */
+ result = dns_name_dup(dns_rootname, res->mctx,
+ &fctx->domain);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
+ }
+ } else {
+ result = dns_name_dup(domain, res->mctx, &fctx->domain);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_name;
+ dns_rdataset_clone(nameservers, &fctx->nameservers);
+ }
+
+ INSIST(dns_name_issubdomain(&fctx->name, &fctx->domain));
+
+ fctx->qmessage = NULL;
+ result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTRENDER,
+ &fctx->qmessage);
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_domain;
+
+ fctx->rmessage = NULL;
+ result = dns_message_create(res->mctx, DNS_MESSAGE_INTENTPARSE,
+ &fctx->rmessage);
+
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_qmessage;
+
+ /*
+ * Compute an expiration time for the entire fetch.
+ */
+ isc_interval_set(&interval, 30, 0); /* XXXRTH constant */
+ iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
+ if (iresult != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_time_nowplusinterval: %s",
+ isc_result_totext(iresult));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_rmessage;
+ }
+
+ /*
+ * Default retry interval initialization. We set the interval now
+ * mostly so it won't be uninitialized. It will be set to the
+ * correct value before a query is issued.
+ */
+ isc_interval_set(&fctx->interval, 2, 0);
+
+ /*
+ * Create an inactive timer. It will be made active when the fetch
+ * is actually started.
+ */
+ fctx->timer = NULL;
+ iresult = isc_timer_create(res->timermgr, isc_timertype_inactive,
+ NULL, NULL,
+ res->buckets[bucketnum].task, fctx_timeout,
+ fctx, &fctx->timer);
+ if (iresult != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_timer_create: %s",
+ isc_result_totext(iresult));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_rmessage;
+ }
+
+ /*
+ * Attach to the view's cache and adb.
+ */
+ fctx->cache = NULL;
+ dns_db_attach(res->view->cachedb, &fctx->cache);
+ fctx->adb = NULL;
+ dns_adb_attach(res->view->adb, &fctx->adb);
+
+ ISC_LIST_INIT(fctx->events);
+ ISC_LINK_INIT(fctx, link);
+ fctx->magic = FCTX_MAGIC;
+
+ ISC_LIST_APPEND(res->buckets[bucketnum].fctxs, fctx, link);
+
+ LOCK(&res->nlock);
+ res->nfctx++;
+ UNLOCK(&res->nlock);
+
+ *fctxp = fctx;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_rmessage:
+ dns_message_destroy(&fctx->rmessage);
+
+ cleanup_qmessage:
+ dns_message_destroy(&fctx->qmessage);
+
+ cleanup_domain:
+ if (dns_name_countlabels(&fctx->domain) > 0)
+ dns_name_free(&fctx->domain, res->mctx);
+ if (dns_rdataset_isassociated(&fctx->nameservers))
+ dns_rdataset_disassociate(&fctx->nameservers);
+
+ cleanup_name:
+ dns_name_free(&fctx->name, res->mctx);
+
+ cleanup_info:
+ isc_mem_free(res->mctx, fctx->info);
+
+ cleanup_fetch:
+ isc_mem_put(res->mctx, fctx, sizeof(*fctx));
+
+ return (result);
+}
+
+/*
+ * Handle Responses
+ */
+static inline isc_boolean_t
+is_lame(fetchctx_t *fctx) {
+ dns_message_t *message = fctx->rmessage;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ if (message->rcode != dns_rcode_noerror &&
+ message->rcode != dns_rcode_nxdomain)
+ return (ISC_FALSE);
+
+ if (message->counts[DNS_SECTION_ANSWER] != 0)
+ return (ISC_FALSE);
+
+ if (message->counts[DNS_SECTION_AUTHORITY] == 0)
+ return (ISC_FALSE);
+
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ dns_namereln_t namereln;
+ int order;
+ unsigned int labels;
+ if (rdataset->type != dns_rdatatype_ns)
+ continue;
+ namereln = dns_name_fullcompare(name, &fctx->domain,
+ &order, &labels);
+ if (namereln == dns_namereln_equal &&
+ (message->flags & DNS_MESSAGEFLAG_AA) != 0)
+ return (ISC_FALSE);
+ if (namereln == dns_namereln_subdomain)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+ }
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ }
+
+ return (ISC_FALSE);
+}
+
+static inline void
+log_lame(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char domainbuf[DNS_NAME_FORMATSIZE];
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ isc_sockaddr_format(&addrinfo->sockaddr, addrbuf, sizeof(addrbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_LAME_SERVERS,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+ "lame server resolving '%s' (in '%s'?): %s",
+ namebuf, domainbuf, addrbuf);
+}
+
+static inline isc_result_t
+same_question(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message = fctx->rmessage;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+
+ /*
+ * Caller must be holding the fctx lock.
+ */
+
+ /*
+ * XXXRTH Currently we support only one question.
+ */
+ if (message->counts[DNS_SECTION_QUESTION] != 1)
+ return (DNS_R_FORMERR);
+
+ result = dns_message_firstname(message, DNS_SECTION_QUESTION);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_QUESTION, &name);
+ rdataset = ISC_LIST_HEAD(name->list);
+ INSIST(rdataset != NULL);
+ INSIST(ISC_LIST_NEXT(rdataset, link) == NULL);
+ if (fctx->type != rdataset->type ||
+ fctx->res->rdclass != rdataset->rdclass ||
+ !dns_name_equal(&fctx->name, name))
+ return (DNS_R_FORMERR);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+clone_results(fetchctx_t *fctx) {
+ dns_fetchevent_t *event, *hevent;
+ isc_result_t result;
+ dns_name_t *name, *hname;
+
+ FCTXTRACE("clone_results");
+
+ /*
+ * Set up any other events to have the same data as the first
+ * event.
+ *
+ * Caller must be holding the appropriate lock.
+ */
+
+ fctx->cloned = ISC_TRUE;
+ hevent = ISC_LIST_HEAD(fctx->events);
+ if (hevent == NULL)
+ return;
+ hname = dns_fixedname_name(&hevent->foundname);
+ for (event = ISC_LIST_NEXT(hevent, ev_link);
+ event != NULL;
+ event = ISC_LIST_NEXT(event, ev_link)) {
+ name = dns_fixedname_name(&event->foundname);
+ result = dns_name_copy(hname, name, NULL);
+ if (result != ISC_R_SUCCESS)
+ event->result = result;
+ else
+ event->result = hevent->result;
+ dns_db_attach(hevent->db, &event->db);
+ dns_db_attachnode(hevent->db, hevent->node, &event->node);
+ INSIST(hevent->rdataset != NULL);
+ INSIST(event->rdataset != NULL);
+ if (dns_rdataset_isassociated(hevent->rdataset))
+ dns_rdataset_clone(hevent->rdataset, event->rdataset);
+ INSIST(! (hevent->sigrdataset == NULL &&
+ event->sigrdataset != NULL));
+ if (hevent->sigrdataset != NULL &&
+ dns_rdataset_isassociated(hevent->sigrdataset) &&
+ event->sigrdataset != NULL)
+ dns_rdataset_clone(hevent->sigrdataset,
+ event->sigrdataset);
+ }
+}
+
+#define CACHE(r) (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
+#define ANSWER(r) (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
+#define ANSWERSIG(r) (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
+#define EXTERNAL(r) (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
+#define CHAINING(r) (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
+#define CHASE(r) (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
+#define CHECKNAMES(r) (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
+
+
+/*
+ * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
+ * no references and is no longer waiting for any events). If this
+ * was the last fctx in the resolver, destroy the resolver.
+ *
+ * Requires:
+ * '*fctx' is shutting down.
+ */
+static void
+maybe_destroy(fetchctx_t *fctx) {
+ unsigned int bucketnum;
+ isc_boolean_t bucket_empty = ISC_FALSE;
+ dns_resolver_t *res = fctx->res;
+
+ REQUIRE(SHUTTINGDOWN(fctx));
+
+ if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+ return;
+
+ bucketnum = fctx->bucketnum;
+ LOCK(&res->buckets[bucketnum].lock);
+ if (fctx->references == 0)
+ bucket_empty = fctx_destroy(fctx);
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+ if (bucket_empty)
+ empty_bucket(res);
+}
+
+/*
+ * The validator has finished.
+ */
+static void
+validated(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_result_t eresult = ISC_R_SUCCESS;
+ isc_stdtime_t now;
+ fetchctx_t *fctx;
+ dns_validatorevent_t *vevent;
+ dns_fetchevent_t *hevent;
+ dns_rdataset_t *ardataset = NULL;
+ dns_rdataset_t *asigrdataset = NULL;
+ dns_dbnode_t *node = NULL;
+ isc_boolean_t negative;
+ isc_boolean_t chaining;
+ isc_boolean_t sentresponse;
+ isc_uint32_t ttl;
+ dns_dbnode_t *nsnode = NULL;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ dns_rdataset_t *sigrdataset;
+
+ UNUSED(task); /* for now */
+
+ REQUIRE(event->ev_type == DNS_EVENT_VALIDATORDONE);
+ fctx = event->ev_arg;
+ REQUIRE(VALID_FCTX(fctx));
+ REQUIRE(!ISC_LIST_EMPTY(fctx->validators));
+
+ vevent = (dns_validatorevent_t *)event;
+
+ FCTXTRACE("received validation completion event");
+
+ ISC_LIST_UNLINK(fctx->validators, vevent->validator, link);
+
+ /*
+ * Destroy the validator early so that we can
+ * destroy the fctx if necessary.
+ */
+ dns_validator_destroy(&vevent->validator);
+
+ negative = ISC_TF(vevent->rdataset == NULL);
+
+ sentresponse = ISC_TF((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0);
+
+ /*
+ * If shutting down, ignore the results. Check to see if we're
+ * done waiting for validator completions and ADB pending events; if
+ * so, destroy the fctx.
+ */
+ if (SHUTTINGDOWN(fctx) && !sentresponse) {
+ maybe_destroy(fctx);
+ goto cleanup_event;
+ }
+
+ /*
+ * If chaining, we need to make sure that the right result code is
+ * returned, and that the rdatasets are bound.
+ */
+ if (vevent->result == ISC_R_SUCCESS &&
+ !negative &&
+ vevent->rdataset != NULL &&
+ CHAINING(vevent->rdataset))
+ {
+ if (vevent->rdataset->type == dns_rdatatype_cname)
+ eresult = DNS_R_CNAME;
+ else {
+ INSIST(vevent->rdataset->type == dns_rdatatype_dname);
+ eresult = DNS_R_DNAME;
+ }
+ chaining = ISC_TRUE;
+ } else
+ chaining = ISC_FALSE;
+
+ /*
+ * Either we're not shutting down, or we are shutting down but want
+ * to cache the result anyway (if this was a validation started by
+ * a query with cd set)
+ */
+
+ hevent = ISC_LIST_HEAD(fctx->events);
+ if (hevent != NULL) {
+ if (!negative && !chaining &&
+ (fctx->type == dns_rdatatype_any ||
+ fctx->type == dns_rdatatype_rrsig)) {
+ /*
+ * Don't bind rdatasets; the caller
+ * will iterate the node.
+ */
+ } else {
+ ardataset = hevent->rdataset;
+ asigrdataset = hevent->sigrdataset;
+ }
+ }
+
+ if (vevent->result != ISC_R_SUCCESS) {
+ FCTXTRACE("validation failed");
+ if (vevent->rdataset != NULL) {
+ result = dns_db_findnode(fctx->cache, vevent->name,
+ ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto noanswer_response;
+ (void)dns_db_deleterdataset(fctx->cache, node, NULL,
+ vevent->type, 0);
+ if (vevent->sigrdataset != NULL)
+ (void)dns_db_deleterdataset(fctx->cache,
+ node, NULL,
+ dns_rdatatype_rrsig,
+ vevent->type);
+ }
+ result = vevent->result;
+ goto noanswer_response;
+ }
+
+ isc_stdtime_get(&now);
+
+ if (negative) {
+ dns_rdatatype_t covers;
+ FCTXTRACE("nonexistence validation OK");
+
+ if (fctx->rmessage->rcode == dns_rcode_nxdomain)
+ covers = dns_rdatatype_any;
+ else
+ covers = fctx->type;
+
+ result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE,
+ &node);
+ if (result != ISC_R_SUCCESS)
+ goto noanswer_response;
+
+ /*
+ * If we are asking for a SOA record set the cache time
+ * to zero to facilitate locating the containing zone of
+ * a arbitary zone.
+ */
+ ttl = fctx->res->view->maxncachettl;
+ if (fctx->type == dns_rdatatype_soa &&
+ covers == dns_rdatatype_any)
+ ttl = 0;
+
+ result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+ covers, now, ttl,
+ ardataset, &eresult);
+ if (result != ISC_R_SUCCESS)
+ goto noanswer_response;
+ goto answer_response;
+ }
+
+ FCTXTRACE("validation OK");
+
+ if (vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF] != NULL) {
+
+ result = dns_rdataset_addnoqname(vevent->rdataset,
+ vevent->proofs[DNS_VALIDATOR_NOQNAMEPROOF]);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ vevent->sigrdataset->ttl = vevent->rdataset->ttl;
+ }
+
+ /*
+ * The data was already cached as pending data.
+ * Re-cache it as secure and bind the cached
+ * rdatasets to the first event on the fetch
+ * event list.
+ */
+ result = dns_db_findnode(fctx->cache, vevent->name, ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto noanswer_response;
+
+ result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+ vevent->rdataset, 0, ardataset);
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_UNCHANGED)
+ goto noanswer_response;
+ if (vevent->sigrdataset != NULL) {
+ result = dns_db_addrdataset(fctx->cache, node, NULL, now,
+ vevent->sigrdataset, 0,
+ asigrdataset);
+ if (result != ISC_R_SUCCESS &&
+ result != DNS_R_UNCHANGED)
+ goto noanswer_response;
+ }
+
+ if (sentresponse) {
+ /*
+ * If we only deferred the destroy because we wanted to cache
+ * the data, destroy now.
+ */
+ if (SHUTTINGDOWN(fctx))
+ maybe_destroy(fctx);
+
+ goto cleanup_event;
+ }
+
+ if (!ISC_LIST_EMPTY(fctx->validators)) {
+ INSIST(!negative);
+ INSIST(fctx->type == dns_rdatatype_any ||
+ fctx->type == dns_rdatatype_rrsig);
+ /*
+ * Don't send a response yet - we have
+ * more rdatasets that still need to
+ * be validated.
+ */
+ goto cleanup_event;
+ }
+
+ answer_response:
+ /*
+ * Cache any NS/NSEC records that happened to be validated.
+ */
+ result = dns_message_firstname(fctx->rmessage, DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(fctx->rmessage, DNS_SECTION_AUTHORITY,
+ &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if ((rdataset->type != dns_rdatatype_ns &&
+ rdataset->type != dns_rdatatype_nsec) ||
+ rdataset->trust != dns_trust_secure)
+ continue;
+ for (sigrdataset = ISC_LIST_HEAD(name->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+ if (sigrdataset->type != dns_rdatatype_rrsig ||
+ sigrdataset->covers != rdataset->type)
+ continue;
+ break;
+ }
+ if (sigrdataset == NULL ||
+ sigrdataset->trust != dns_trust_secure)
+ continue;
+ result = dns_db_findnode(fctx->cache, name, ISC_TRUE,
+ &nsnode);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ result = dns_db_addrdataset(fctx->cache, nsnode, NULL,
+ now, rdataset, 0, NULL);
+ if (result == ISC_R_SUCCESS)
+ result = dns_db_addrdataset(fctx->cache, nsnode,
+ NULL, now,
+ sigrdataset, 0,
+ NULL);
+ dns_db_detachnode(fctx->cache, &nsnode);
+ }
+ result = dns_message_nextname(fctx->rmessage,
+ DNS_SECTION_AUTHORITY);
+ }
+
+ result = ISC_R_SUCCESS;
+
+ /*
+ * Respond with an answer, positive or negative,
+ * as opposed to an error. 'node' must be non-NULL.
+ */
+
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+
+ if (hevent != NULL) {
+ hevent->result = eresult;
+ RUNTIME_CHECK(dns_name_copy(vevent->name,
+ dns_fixedname_name(&hevent->foundname), NULL)
+ == ISC_R_SUCCESS);
+ dns_db_attach(fctx->cache, &hevent->db);
+ hevent->node = node;
+ node = NULL;
+ clone_results(fctx);
+ }
+
+ noanswer_response:
+ if (node != NULL)
+ dns_db_detachnode(fctx->cache, &node);
+
+ fctx_done(fctx, result);
+
+ cleanup_event:
+ isc_event_free(&event);
+}
+
+static inline isc_result_t
+cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
+ dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
+ dns_dbnode_t *node, **anodep;
+ dns_db_t **adbp;
+ dns_name_t *aname;
+ dns_resolver_t *res;
+ isc_boolean_t need_validation, secure_domain, have_answer;
+ isc_result_t result, eresult;
+ dns_fetchevent_t *event;
+ unsigned int options;
+ isc_task_t *task;
+ dns_validator_t *validator;
+ isc_boolean_t fail;
+
+ /*
+ * The appropriate bucket lock must be held.
+ */
+
+ res = fctx->res;
+ need_validation = ISC_FALSE;
+ secure_domain = ISC_FALSE;
+ have_answer = ISC_FALSE;
+ eresult = ISC_R_SUCCESS;
+ task = res->buckets[fctx->bucketnum].task;
+
+ /*
+ * Is DNSSEC validation required for this name?
+ */
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (res->view->dlv != NULL)
+ secure_domain = ISC_TRUE;
+
+ if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
+ need_validation = ISC_FALSE;
+ else
+ need_validation = secure_domain;
+
+ adbp = NULL;
+ aname = NULL;
+ anodep = NULL;
+ ardataset = NULL;
+ asigrdataset = NULL;
+ event = NULL;
+ if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
+ !need_validation) {
+ have_answer = ISC_TRUE;
+ event = ISC_LIST_HEAD(fctx->events);
+ if (event != NULL) {
+ adbp = &event->db;
+ aname = dns_fixedname_name(&event->foundname);
+ result = dns_name_copy(name, aname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ anodep = &event->node;
+ /*
+ * If this is an ANY or SIG query, we're not going
+ * to return any rdatasets, unless we encountered
+ * a CNAME or DNAME as "the answer". In this case,
+ * we're going to return DNS_R_CNAME or DNS_R_DNAME
+ * and we must set up the rdatasets.
+ */
+ if ((fctx->type != dns_rdatatype_any &&
+ fctx->type != dns_rdatatype_rrsig) ||
+ (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
+ ardataset = event->rdataset;
+ asigrdataset = event->sigrdataset;
+ }
+ }
+ }
+
+ /*
+ * Find or create the cache node.
+ */
+ node = NULL;
+ result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Cache or validate each cacheable rdataset.
+ */
+ fail = (fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (!CACHE(rdataset))
+ continue;
+ if (CHECKNAMES(rdataset)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ char classbuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(rdataset->type, typebuf,
+ sizeof(typebuf));
+ dns_rdataclass_format(rdataset->rdclass, classbuf,
+ sizeof(classbuf));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "check-names %s %s/%s/%s",
+ fail ? "failure" : "warning",
+ namebuf, typebuf, classbuf);
+ if (fail) {
+ if (ANSWER(rdataset))
+ return (DNS_R_BADNAME);
+ continue;
+ }
+ }
+
+ /*
+ * Enforce the configure maximum cache TTL.
+ */
+ if (rdataset->ttl > res->view->maxcachettl)
+ rdataset->ttl = res->view->maxcachettl;
+
+ /*
+ * If this rrset is in a secure domain, do DNSSEC validation
+ * for it, unless it is glue.
+ */
+ if (secure_domain && rdataset->trust != dns_trust_glue) {
+ /*
+ * SIGs are validated as part of validating the
+ * type they cover.
+ */
+ if (rdataset->type == dns_rdatatype_rrsig)
+ continue;
+ /*
+ * Find the SIG for this rdataset, if we have it.
+ */
+ for (sigrdataset = ISC_LIST_HEAD(name->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+ if (sigrdataset->type == dns_rdatatype_rrsig &&
+ sigrdataset->covers == rdataset->type)
+ break;
+ }
+ if (sigrdataset == NULL) {
+ if (!ANSWER(rdataset) && need_validation) {
+ /*
+ * Ignore non-answer rdatasets that
+ * are missing signatures.
+ */
+ continue;
+ }
+ }
+
+ /*
+ * Normalize the rdataset and sigrdataset TTLs.
+ */
+ if (sigrdataset != NULL) {
+ rdataset->ttl = ISC_MIN(rdataset->ttl,
+ sigrdataset->ttl);
+ sigrdataset->ttl = rdataset->ttl;
+ }
+
+ /*
+ * Cache this rdataset/sigrdataset pair as
+ * pending data.
+ */
+ rdataset->trust = dns_trust_pending;
+ if (sigrdataset != NULL)
+ sigrdataset->trust = dns_trust_pending;
+ if (!need_validation)
+ addedrdataset = ardataset;
+ else
+ addedrdataset = NULL;
+ result = dns_db_addrdataset(fctx->cache, node, NULL,
+ now, rdataset, 0,
+ addedrdataset);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ break;
+ if (sigrdataset != NULL) {
+ if (!need_validation)
+ addedrdataset = asigrdataset;
+ else
+ addedrdataset = NULL;
+ result = dns_db_addrdataset(fctx->cache,
+ node, NULL, now,
+ sigrdataset, 0,
+ addedrdataset);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ break;
+ } else if (!ANSWER(rdataset))
+ continue;
+
+ if (ANSWER(rdataset) && need_validation) {
+ if (fctx->type != dns_rdatatype_any &&
+ fctx->type != dns_rdatatype_rrsig) {
+ /*
+ * This is The Answer. We will
+ * validate it, but first we cache
+ * the rest of the response - it may
+ * contain useful keys.
+ */
+ INSIST(valrdataset == NULL &&
+ valsigrdataset == NULL);
+ valrdataset = rdataset;
+ valsigrdataset = sigrdataset;
+ } else {
+ /*
+ * This is one of (potentially)
+ * multiple answers to an ANY
+ * or SIG query. To keep things
+ * simple, we just start the
+ * validator right away rather
+ * than caching first and
+ * having to remember which
+ * rdatasets needed validation.
+ */
+ validator = NULL;
+ result = dns_validator_create(
+ res->view,
+ name,
+ rdataset->type,
+ rdataset,
+ sigrdataset,
+ fctx->rmessage,
+ 0,
+ task,
+ validated,
+ fctx,
+ &validator);
+ if (result == ISC_R_SUCCESS)
+ ISC_LIST_APPEND(
+ fctx->validators,
+ validator, link);
+ }
+ }
+ } else if (!EXTERNAL(rdataset)) {
+ /*
+ * It's OK to cache this rdataset now.
+ */
+ if (ANSWER(rdataset))
+ addedrdataset = ardataset;
+ else if (ANSWERSIG(rdataset))
+ addedrdataset = asigrdataset;
+ else
+ addedrdataset = NULL;
+ if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+ eresult = DNS_R_CNAME;
+ else {
+ INSIST(rdataset->type ==
+ dns_rdatatype_dname);
+ eresult = DNS_R_DNAME;
+ }
+ }
+ if (rdataset->trust == dns_trust_glue &&
+ (rdataset->type == dns_rdatatype_ns ||
+ (rdataset->type == dns_rdatatype_rrsig &&
+ rdataset->covers == dns_rdatatype_ns))) {
+ /*
+ * If the trust level is 'dns_trust_glue'
+ * then we are adding data from a referral
+ * we got while executing the search algorithm.
+ * New referral data always takes precedence
+ * over the existing cache contents.
+ */
+ options = DNS_DBADD_FORCE;
+ } else
+ options = 0;
+ /*
+ * Now we can add the rdataset.
+ */
+ result = dns_db_addrdataset(fctx->cache,
+ node, NULL, now,
+ rdataset,
+ options,
+ addedrdataset);
+ if (result == DNS_R_UNCHANGED) {
+ if (ANSWER(rdataset) &&
+ ardataset != NULL &&
+ ardataset->type == 0) {
+ /*
+ * The answer in the cache is better
+ * than the answer we found, and is
+ * a negative cache entry, so we
+ * must set eresult appropriately.
+ */
+ if (NXDOMAIN(ardataset))
+ eresult =
+ DNS_R_NCACHENXDOMAIN;
+ else
+ eresult =
+ DNS_R_NCACHENXRRSET;
+ }
+ result = ISC_R_SUCCESS;
+ } else if (result != ISC_R_SUCCESS)
+ break;
+ }
+ }
+
+ if (valrdataset != NULL) {
+ validator = NULL;
+ result = dns_validator_create(res->view,
+ name,
+ fctx->type,
+ valrdataset,
+ valsigrdataset,
+ fctx->rmessage,
+ 0,
+ task,
+ validated,
+ fctx,
+ &validator);
+ if (result == ISC_R_SUCCESS)
+ ISC_LIST_APPEND(fctx->validators, validator, link);
+ }
+
+ if (result == ISC_R_SUCCESS && have_answer) {
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
+ dns_db_attach(fctx->cache, adbp);
+ *anodep = node;
+ node = NULL;
+ clone_results(fctx);
+ }
+ }
+
+ if (node != NULL)
+ dns_db_detachnode(fctx->cache, &node);
+
+ return (result);
+}
+
+static inline isc_result_t
+cache_message(fetchctx_t *fctx, isc_stdtime_t now) {
+ isc_result_t result;
+ dns_section_t section;
+ dns_name_t *name;
+
+ FCTXTRACE("cache_message");
+
+ fctx->attributes &= ~FCTX_ATTR_WANTCACHE;
+
+ LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+ for (section = DNS_SECTION_ANSWER;
+ section <= DNS_SECTION_ADDITIONAL;
+ section++) {
+ result = dns_message_firstname(fctx->rmessage, section);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(fctx->rmessage, section,
+ &name);
+ if ((name->attributes & DNS_NAMEATTR_CACHE) != 0) {
+ result = cache_name(fctx, name, now);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ result = dns_message_nextname(fctx->rmessage, section);
+ }
+ if (result != ISC_R_NOMORE)
+ break;
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+
+ return (result);
+}
+
+/*
+ * Do what dns_ncache_add() does, and then compute an appropriate eresult.
+ */
+static isc_result_t
+ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
+ dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
+ dns_rdataset_t *ardataset,
+ isc_result_t *eresultp)
+{
+ isc_result_t result;
+ result = dns_ncache_add(message, cache, node, covers, now,
+ maxttl, ardataset);
+ if (result == DNS_R_UNCHANGED) {
+ /*
+ * The data in the cache are better than the negative cache
+ * entry we're trying to add.
+ */
+ if (ardataset != NULL && ardataset->type == 0) {
+ /*
+ * The cache data is also a negative cache
+ * entry.
+ */
+ if (NXDOMAIN(ardataset))
+ *eresultp = DNS_R_NCACHENXDOMAIN;
+ else
+ *eresultp = DNS_R_NCACHENXRRSET;
+ result = ISC_R_SUCCESS;
+ } else {
+ /*
+ * Either we don't care about the nature of the
+ * cache rdataset (because no fetch is interested
+ * in the outcome), or the cache rdataset is not
+ * a negative cache entry. Whichever case it is,
+ * we can return success.
+ *
+ * XXXRTH There's a CNAME/DNAME problem here.
+ */
+ *eresultp = ISC_R_SUCCESS;
+ result = ISC_R_SUCCESS;
+ }
+ } else if (result == ISC_R_SUCCESS) {
+ if (NXDOMAIN(ardataset))
+ *eresultp = DNS_R_NCACHENXDOMAIN;
+ else
+ *eresultp = DNS_R_NCACHENXRRSET;
+ }
+
+ return (result);
+}
+
+static inline isc_result_t
+ncache_message(fetchctx_t *fctx, dns_rdatatype_t covers, isc_stdtime_t now) {
+ isc_result_t result, eresult;
+ dns_name_t *name;
+ dns_resolver_t *res;
+ dns_db_t **adbp;
+ dns_dbnode_t *node, **anodep;
+ dns_rdataset_t *ardataset;
+ isc_boolean_t need_validation, secure_domain;
+ dns_name_t *aname;
+ dns_fetchevent_t *event;
+ isc_uint32_t ttl;
+
+ FCTXTRACE("ncache_message");
+
+ fctx->attributes &= ~FCTX_ATTR_WANTNCACHE;
+
+ res = fctx->res;
+ need_validation = ISC_FALSE;
+ secure_domain = ISC_FALSE;
+ eresult = ISC_R_SUCCESS;
+ name = &fctx->name;
+ node = NULL;
+
+ /*
+ * XXXMPA remove when we follow cnames and adjust the setting
+ * of FCTX_ATTR_WANTNCACHE in noanswer_response().
+ */
+ INSIST(fctx->rmessage->counts[DNS_SECTION_ANSWER] == 0);
+
+ /*
+ * Is DNSSEC validation required for this name?
+ */
+ result = dns_keytable_issecuredomain(res->view->secroots, name,
+ &secure_domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (res->view->dlv != NULL)
+ secure_domain = ISC_TRUE;
+
+ if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
+ need_validation = ISC_FALSE;
+ else
+ need_validation = secure_domain;
+
+ if (secure_domain) {
+ /*
+ * Mark all rdatasets as pending.
+ */
+ dns_rdataset_t *trdataset;
+ dns_name_t *tname;
+
+ result = dns_message_firstname(fctx->rmessage,
+ DNS_SECTION_AUTHORITY);
+ while (result == ISC_R_SUCCESS) {
+ tname = NULL;
+ dns_message_currentname(fctx->rmessage,
+ DNS_SECTION_AUTHORITY,
+ &tname);
+ for (trdataset = ISC_LIST_HEAD(tname->list);
+ trdataset != NULL;
+ trdataset = ISC_LIST_NEXT(trdataset, link))
+ trdataset->trust = dns_trust_pending;
+ result = dns_message_nextname(fctx->rmessage,
+ DNS_SECTION_AUTHORITY);
+ }
+ if (result != ISC_R_NOMORE)
+ return (result);
+
+ }
+
+ if (need_validation) {
+ /*
+ * Do negative response validation.
+ */
+ dns_validator_t *validator = NULL;
+ isc_task_t *task = res->buckets[fctx->bucketnum].task;
+
+ result = dns_validator_create(res->view, name, fctx->type,
+ NULL, NULL,
+ fctx->rmessage, 0, task,
+ validated, fctx,
+ &validator);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ ISC_LIST_APPEND(fctx->validators, validator, link);
+ /*
+ * If validation is necessary, return now. Otherwise continue
+ * to process the message, letting the validation complete
+ * in its own good time.
+ */
+ return (ISC_R_SUCCESS);
+ }
+
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+
+ adbp = NULL;
+ aname = NULL;
+ anodep = NULL;
+ ardataset = NULL;
+ if (!HAVE_ANSWER(fctx)) {
+ event = ISC_LIST_HEAD(fctx->events);
+ if (event != NULL) {
+ adbp = &event->db;
+ aname = dns_fixedname_name(&event->foundname);
+ result = dns_name_copy(name, aname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto unlock;
+ anodep = &event->node;
+ ardataset = event->rdataset;
+ }
+ } else
+ event = NULL;
+
+ result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto unlock;
+
+ /*
+ * If we are asking for a SOA record set the cache time
+ * to zero to facilitate locating the containing zone of
+ * a arbitary zone.
+ */
+ ttl = fctx->res->view->maxncachettl;
+ if (fctx->type == dns_rdatatype_soa &&
+ covers == dns_rdatatype_any)
+ ttl = 0;
+
+ result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
+ covers, now, ttl, ardataset, &eresult);
+ if (result != ISC_R_SUCCESS)
+ goto unlock;
+
+ if (!HAVE_ANSWER(fctx)) {
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
+ dns_db_attach(fctx->cache, adbp);
+ *anodep = node;
+ node = NULL;
+ clone_results(fctx);
+ }
+ }
+
+ unlock:
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
+ if (node != NULL)
+ dns_db_detachnode(fctx->cache, &node);
+
+ return (result);
+}
+
+static inline void
+mark_related(dns_name_t *name, dns_rdataset_t *rdataset,
+ isc_boolean_t external, isc_boolean_t gluing)
+{
+ name->attributes |= DNS_NAMEATTR_CACHE;
+ if (gluing) {
+ rdataset->trust = dns_trust_glue;
+ /*
+ * Glue with 0 TTL causes problems. We force the TTL to
+ * 1 second to prevent this.
+ */
+ if (rdataset->ttl == 0)
+ rdataset->ttl = 1;
+ } else
+ rdataset->trust = dns_trust_additional;
+ /*
+ * Avoid infinite loops by only marking new rdatasets.
+ */
+ if (!CACHE(rdataset)) {
+ name->attributes |= DNS_NAMEATTR_CHASE;
+ rdataset->attributes |= DNS_RDATASETATTR_CHASE;
+ }
+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
+ if (external)
+ rdataset->attributes |= DNS_RDATASETATTR_EXTERNAL;
+}
+
+static isc_result_t
+check_related(void *arg, dns_name_t *addname, dns_rdatatype_t type) {
+ fetchctx_t *fctx = arg;
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t external;
+ dns_rdatatype_t rtype;
+ isc_boolean_t gluing;
+
+ REQUIRE(VALID_FCTX(fctx));
+
+ if (GLUING(fctx))
+ gluing = ISC_TRUE;
+ else
+ gluing = ISC_FALSE;
+ name = NULL;
+ rdataset = NULL;
+ result = dns_message_findname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
+ addname, dns_rdatatype_any, 0, &name,
+ NULL);
+ if (result == ISC_R_SUCCESS) {
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ if (type == dns_rdatatype_a) {
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (rdataset->type == dns_rdatatype_rrsig)
+ rtype = rdataset->covers;
+ else
+ rtype = rdataset->type;
+ if (rtype == dns_rdatatype_a ||
+ rtype == dns_rdatatype_aaaa)
+ mark_related(name, rdataset, external,
+ gluing);
+ }
+ } else {
+ result = dns_message_findtype(name, type, 0,
+ &rdataset);
+ if (result == ISC_R_SUCCESS) {
+ mark_related(name, rdataset, external, gluing);
+ /*
+ * Do we have its SIG too?
+ */
+ rdataset = NULL;
+ result = dns_message_findtype(name,
+ dns_rdatatype_rrsig,
+ type, &rdataset);
+ if (result == ISC_R_SUCCESS)
+ mark_related(name, rdataset, external,
+ gluing);
+ }
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+chase_additional(fetchctx_t *fctx) {
+ isc_boolean_t rescan;
+ dns_section_t section = DNS_SECTION_ADDITIONAL;
+ isc_result_t result;
+
+ again:
+ rescan = ISC_FALSE;
+
+ for (result = dns_message_firstname(fctx->rmessage, section);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(fctx->rmessage, section)) {
+ dns_name_t *name = NULL;
+ dns_rdataset_t *rdataset;
+ dns_message_currentname(fctx->rmessage, DNS_SECTION_ADDITIONAL,
+ &name);
+ if ((name->attributes & DNS_NAMEATTR_CHASE) == 0)
+ continue;
+ name->attributes &= ~DNS_NAMEATTR_CHASE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (CHASE(rdataset)) {
+ rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
+ (void)dns_rdataset_additionaldata(rdataset,
+ check_related,
+ fctx);
+ rescan = ISC_TRUE;
+ }
+ }
+ }
+ if (rescan)
+ goto again;
+}
+
+static inline isc_result_t
+cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_cname_t cname;
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &cname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_name_init(tname, NULL);
+ dns_name_clone(&cname.cname, tname);
+ dns_rdata_freestruct(&cname);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, dns_name_t *oname,
+ dns_fixedname_t *fixeddname)
+{
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int nlabels;
+ int order;
+ dns_namereln_t namereln;
+ dns_rdata_dname_t dname;
+ dns_fixedname_t prefix;
+
+ /*
+ * Get the target name of the DNAME.
+ */
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &dname, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Get the prefix of qname.
+ */
+ namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
+ if (namereln != dns_namereln_subdomain) {
+ dns_rdata_freestruct(&dname);
+ return (DNS_R_FORMERR);
+ }
+ dns_fixedname_init(&prefix);
+ dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
+ dns_fixedname_init(fixeddname);
+ result = dns_name_concatenate(dns_fixedname_name(&prefix),
+ &dname.dname,
+ dns_fixedname_name(fixeddname), NULL);
+ dns_rdata_freestruct(&dname);
+ return (result);
+}
+
+/*
+ * Handle a no-answer response (NXDOMAIN, NXRRSET, or referral).
+ * If bind8_ns_resp is ISC_TRUE, this is a suspected BIND 8
+ * response to an NS query that should be treated as a referral
+ * even though the NS records occur in the answer section
+ * rather than the authority section.
+ */
+static isc_result_t
+noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
+ isc_boolean_t bind8_ns_resp)
+{
+ isc_result_t result;
+ dns_message_t *message;
+ dns_name_t *name, *qname, *ns_name, *soa_name, *ds_name;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, aa, negative_response;
+ dns_rdatatype_t type;
+ dns_section_t section =
+ bind8_ns_resp ? DNS_SECTION_ANSWER : DNS_SECTION_AUTHORITY;
+
+ FCTXTRACE("noanswer_response");
+
+ message = fctx->rmessage;
+
+ /*
+ * Setup qname.
+ */
+ if (oqname == NULL) {
+ /*
+ * We have a normal, non-chained negative response or
+ * referral.
+ */
+ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+ qname = &fctx->name;
+ } else {
+ /*
+ * We're being invoked by answer_response() after it has
+ * followed a CNAME/DNAME chain.
+ */
+ qname = oqname;
+ aa = ISC_FALSE;
+ /*
+ * If the current qname is not a subdomain of the query
+ * domain, there's no point in looking at the authority
+ * section without doing DNSSEC validation.
+ *
+ * Until we do that validation, we'll just return success
+ * in this case.
+ */
+ if (!dns_name_issubdomain(qname, &fctx->domain))
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * We have to figure out if this is a negative response, or a
+ * referral.
+ */
+
+ /*
+ * Sometimes we can tell if its a negative response by looking at
+ * the message header.
+ */
+ negative_response = ISC_FALSE;
+ if (message->rcode == dns_rcode_nxdomain ||
+ (message->counts[DNS_SECTION_ANSWER] == 0 &&
+ message->counts[DNS_SECTION_AUTHORITY] == 0))
+ negative_response = ISC_TRUE;
+
+ /*
+ * Process the authority section.
+ */
+ done = ISC_FALSE;
+ ns_name = NULL;
+ ns_rdataset = NULL;
+ soa_name = NULL;
+ ds_name = NULL;
+ result = dns_message_firstname(message, section);
+ while (!done && result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, section, &name);
+ if (dns_name_issubdomain(name, &fctx->domain)) {
+ /*
+ * Look for NS RRset first.
+ */
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ type = rdataset->type;
+ if (type == dns_rdatatype_rrsig)
+ type = rdataset->covers;
+ if (((type == dns_rdatatype_ns ||
+ type == dns_rdatatype_soa) &&
+ !dns_name_issubdomain(qname, name)))
+ return (DNS_R_FORMERR);
+ if (type == dns_rdatatype_ns) {
+ /*
+ * NS or SIG NS.
+ *
+ * Only one set of NS RRs is allowed.
+ */
+ if (rdataset->type ==
+ dns_rdatatype_ns) {
+ if (ns_name != NULL &&
+ name != ns_name)
+ return (DNS_R_FORMERR);
+ ns_name = name;
+ ns_rdataset = rdataset;
+ }
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ rdataset->trust = dns_trust_glue;
+ }
+ }
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ type = rdataset->type;
+ if (type == dns_rdatatype_rrsig)
+ type = rdataset->covers;
+ if (type == dns_rdatatype_soa ||
+ type == dns_rdatatype_nsec) {
+ /*
+ * SOA, RRSIG SOA, NSEC, or RRSIG NSEC.
+ *
+ * Only one SOA is allowed.
+ */
+ if (rdataset->type ==
+ dns_rdatatype_soa) {
+ if (soa_name != NULL &&
+ name != soa_name)
+ return (DNS_R_FORMERR);
+ soa_name = name;
+ }
+ if (ns_name == NULL) {
+ negative_response = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_NCACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_NCACHE;
+ } else {
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ }
+ if (aa)
+ rdataset->trust =
+ dns_trust_authauthority;
+ else
+ rdataset->trust =
+ dns_trust_additional;
+ /*
+ * No additional data needs to be
+ * marked.
+ */
+ } else if (type == dns_rdatatype_ds) {
+ /*
+ * DS or SIG DS.
+ *
+ * These should only be here if
+ * this is a referral, and there
+ * should only be one DS.
+ */
+ if (negative_response)
+ return (DNS_R_FORMERR);
+ if (rdataset->type ==
+ dns_rdatatype_ds) {
+ if (ds_name != NULL &&
+ name != ds_name)
+ return (DNS_R_FORMERR);
+ ds_name = name;
+ }
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ if (aa)
+ rdataset->trust =
+ dns_trust_authauthority;
+ else
+ rdataset->trust =
+ dns_trust_additional;
+ }
+ }
+ }
+ result = dns_message_nextname(message, section);
+ if (result == ISC_R_NOMORE)
+ break;
+ else if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ /*
+ * Trigger lookups for DNS nameservers.
+ */
+ if (negative_response && message->rcode == dns_rcode_noerror &&
+ fctx->type == dns_rdatatype_ds && soa_name != NULL &&
+ dns_name_equal(soa_name, qname) &&
+ !dns_name_equal(qname, dns_rootname))
+ return (DNS_R_CHASEDSSERVERS);
+
+ /*
+ * Did we find anything?
+ */
+ if (!negative_response && ns_name == NULL) {
+ /*
+ * Nope.
+ */
+ if (oqname != NULL) {
+ /*
+ * We've already got a partial CNAME/DNAME chain,
+ * and haven't found else anything useful here, but
+ * no error has occurred since we have an answer.
+ */
+ return (ISC_R_SUCCESS);
+ } else {
+ /*
+ * The responder is insane.
+ */
+ return (DNS_R_FORMERR);
+ }
+ }
+
+ /*
+ * If we found both NS and SOA, they should be the same name.
+ */
+ if (ns_name != NULL && soa_name != NULL && ns_name != soa_name)
+ return (DNS_R_FORMERR);
+
+ /*
+ * Do we have a referral? (We only want to follow a referral if
+ * we're not following a chain.)
+ */
+ if (!negative_response && ns_name != NULL && oqname == NULL) {
+ /*
+ * We already know ns_name is a subdomain of fctx->domain.
+ * If ns_name is equal to fctx->domain, we're not making
+ * progress. We return DNS_R_FORMERR so that we'll keep
+ * trying other servers.
+ */
+ if (dns_name_equal(ns_name, &fctx->domain))
+ return (DNS_R_FORMERR);
+
+ /*
+ * If the referral name is not a parent of the query
+ * name, consider the responder insane.
+ */
+ if (! dns_name_issubdomain(&fctx->name, ns_name)) {
+ FCTXTRACE("referral to non-parent");
+ return (DNS_R_FORMERR);
+ }
+
+ /*
+ * Mark any additional data related to this rdataset.
+ * It's important that we do this before we change the
+ * query domain.
+ */
+ INSIST(ns_rdataset != NULL);
+ fctx->attributes |= FCTX_ATTR_GLUING;
+ (void)dns_rdataset_additionaldata(ns_rdataset, check_related,
+ fctx);
+ fctx->attributes &= ~FCTX_ATTR_GLUING;
+ /*
+ * NS rdatasets with 0 TTL cause problems.
+ * dns_view_findzonecut() will not find them when we
+ * try to follow the referral, and we'll SERVFAIL
+ * because the best nameservers are now above QDOMAIN.
+ * We force the TTL to 1 second to prevent this.
+ */
+ if (ns_rdataset->ttl == 0)
+ ns_rdataset->ttl = 1;
+ /*
+ * Set the current query domain to the referral name.
+ *
+ * XXXRTH We should check if we're in forward-only mode, and
+ * if so we should bail out.
+ */
+ INSIST(dns_name_countlabels(&fctx->domain) > 0);
+ dns_name_free(&fctx->domain, fctx->res->mctx);
+ if (dns_rdataset_isassociated(&fctx->nameservers))
+ dns_rdataset_disassociate(&fctx->nameservers);
+ dns_name_init(&fctx->domain, NULL);
+ result = dns_name_dup(ns_name, fctx->res->mctx, &fctx->domain);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ fctx->attributes |= FCTX_ATTR_WANTCACHE;
+ return (DNS_R_DELEGATION);
+ }
+
+ /*
+ * Since we're not doing a referral, we don't want to cache any
+ * NS RRs we may have found.
+ */
+ if (ns_name != NULL)
+ ns_name->attributes &= ~DNS_NAMEATTR_CACHE;
+
+ if (negative_response && oqname == NULL)
+ fctx->attributes |= FCTX_ATTR_WANTNCACHE;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+ dns_name_t *name, *qname, tname;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+ isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+ dns_fixedname_t dname, fqname;
+
+ FCTXTRACE("answer_response");
+
+ message = fctx->rmessage;
+
+ /*
+ * Examine the answer section, marking those rdatasets which are
+ * part of the answer and should be cached.
+ */
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+ want_chaining = ISC_FALSE;
+ if ((message->flags & DNS_MESSAGEFLAG_AA) != 0)
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+ qname = &fctx->name;
+ type = fctx->type;
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ if (dns_name_equal(name, qname)) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ found = ISC_FALSE;
+ want_chaining = ISC_FALSE;
+ aflag = 0;
+ if (rdataset->type == type && !found_cname) {
+ /*
+ * We've found an ordinary answer.
+ */
+ found = ISC_TRUE;
+ found_type = ISC_TRUE;
+ done = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWER;
+ } else if (type == dns_rdatatype_any) {
+ /*
+ * We've found an answer matching
+ * an ANY query. There may be
+ * more.
+ */
+ found = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWER;
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers == type
+ && !found_cname) {
+ /*
+ * We've found a signature that
+ * covers the type we're looking for.
+ */
+ found = ISC_TRUE;
+ found_type = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWERSIG;
+ } else if (rdataset->type ==
+ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+ * but we found a CNAME.
+ *
+ * Getting a CNAME response for some
+ * query types is an error.
+ */
+ if (type == dns_rdatatype_rrsig ||
+ type == dns_rdatatype_dnskey ||
+ type == dns_rdatatype_nsec)
+ return (DNS_R_FORMERR);
+ found = ISC_TRUE;
+ found_cname = ISC_TRUE;
+ want_chaining = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWER;
+ result = cname_target(rdataset,
+ &tname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+ * but we found a SIG CNAME.
+ */
+ found = ISC_TRUE;
+ found_cname = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWERSIG;
+ }
+
+ if (found) {
+ /*
+ * We've found an answer to our
+ * question.
+ */
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ rdataset->trust = dns_trust_answer;
+ if (!chaining) {
+ /*
+ * This data is "the" answer
+ * to our question only if
+ * we're not chaining (i.e.
+ * if we haven't followed
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+ if (aflag ==
+ DNS_RDATASETATTR_ANSWER)
+ have_answer = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ rdataset->attributes |= aflag;
+ if (aa)
+ rdataset->trust =
+ dns_trust_authanswer;
+ } else if (external) {
+ /*
+ * This data is outside of
+ * our query domain, and
+ * may only be cached if it
+ * comes from a secure zone
+ * and validates.
+ */
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ }
+
+ /*
+ * Mark any additional data related
+ * to this rdataset.
+ */
+ (void)dns_rdataset_additionaldata(
+ rdataset,
+ check_related,
+ fctx);
+
+ /*
+ * CNAME chaining.
+ */
+ if (want_chaining) {
+ wanted_chaining = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_CHAINING;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CHAINING;
+ qname = &tname;
+ }
+ }
+ /*
+ * We could add an "else" clause here and
+ * log that we're ignoring this rdataset.
+ */
+ }
+ /*
+ * If wanted_chaining is true, we've done
+ * some chaining as the result of processing
+ * this node, and thus we need to set
+ * chaining to true.
+ *
+ * We don't set chaining inside of the
+ * rdataset loop because doing that would
+ * cause us to ignore the signatures of
+ * CNAMEs.
+ */
+ if (wanted_chaining)
+ chaining = ISC_TRUE;
+ } else {
+ /*
+ * Look for a DNAME (or its SIG). Anything else is
+ * ignored.
+ */
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ isc_boolean_t found_dname = ISC_FALSE;
+ found = ISC_FALSE;
+ aflag = 0;
+ if (rdataset->type == dns_rdatatype_dname) {
+ /*
+ * We're looking for something else,
+ * but we found a DNAME.
+ *
+ * If we're not chaining, then the
+ * DNAME should not be external.
+ */
+ if (!chaining && external)
+ return (DNS_R_FORMERR);
+ found = ISC_TRUE;
+ want_chaining = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWER;
+ result = dname_target(rdataset,
+ qname, name,
+ &dname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+ * We can't construct the
+ * DNAME target. Do not
+ * try to continue.
+ */
+ want_chaining = ISC_FALSE;
+ } else if (result != ISC_R_SUCCESS)
+ return (result);
+ else
+ found_dname = ISC_TRUE;
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+ dns_rdatatype_dname) {
+ /*
+ * We've found a signature that
+ * covers the DNAME.
+ */
+ found = ISC_TRUE;
+ aflag = DNS_RDATASETATTR_ANSWERSIG;
+ }
+
+ if (found) {
+ /*
+ * We've found an answer to our
+ * question.
+ */
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ rdataset->trust = dns_trust_answer;
+ if (!chaining) {
+ /*
+ * This data is "the" answer
+ * to our question only if
+ * we're not chaining.
+ */
+ INSIST(!external);
+ if (aflag ==
+ DNS_RDATASETATTR_ANSWER)
+ have_answer = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ rdataset->attributes |= aflag;
+ if (aa)
+ rdataset->trust =
+ dns_trust_authanswer;
+ } else if (external) {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_EXTERNAL;
+ }
+
+ /*
+ * DNAME chaining.
+ */
+ if (found_dname) {
+ /*
+ * Copy the the dname into the
+ * qname fixed name.
+ *
+ * Although we check for
+ * failure of the copy
+ * operation, in practice it
+ * should never fail since
+ * we already know that the
+ * result fits in a fixedname.
+ */
+ dns_fixedname_init(&fqname);
+ result = dns_name_copy(
+ dns_fixedname_name(&dname),
+ dns_fixedname_name(&fqname),
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ wanted_chaining = ISC_TRUE;
+ name->attributes |=
+ DNS_NAMEATTR_CHAINING;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CHAINING;
+ qname = dns_fixedname_name(
+ &fqname);
+ }
+ }
+ }
+ if (wanted_chaining)
+ chaining = ISC_TRUE;
+ }
+ result = dns_message_nextname(message, DNS_SECTION_ANSWER);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * We should have found an answer.
+ */
+ if (!have_answer)
+ return (DNS_R_FORMERR);
+
+ /*
+ * This response is now potentially cacheable.
+ */
+ fctx->attributes |= FCTX_ATTR_WANTCACHE;
+
+ /*
+ * Did chaining end before we got the final answer?
+ */
+ if (chaining) {
+ /*
+ * Yes. This may be a negative reply, so hand off
+ * authority section processing to the noanswer code.
+ * If it isn't a noanswer response, no harm will be
+ * done.
+ */
+ return (noanswer_response(fctx, qname, ISC_FALSE));
+ }
+
+ /*
+ * We didn't end with an incomplete chain, so the rcode should be
+ * "no error".
+ */
+ if (message->rcode != dns_rcode_noerror)
+ return (DNS_R_FORMERR);
+
+ /*
+ * Examine the authority section (if there is one).
+ *
+ * We expect there to be only one owner name for all the rdatasets
+ * in this section, and we expect that it is not external.
+ */
+ done = ISC_FALSE;
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ while (!done && result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ if (!external) {
+ /*
+ * We expect to find NS or SIG NS rdatasets, and
+ * nothing else.
+ */
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ if (rdataset->type == dns_rdatatype_ns ||
+ (rdataset->type == dns_rdatatype_rrsig &&
+ rdataset->covers == dns_rdatatype_ns)) {
+ name->attributes |=
+ DNS_NAMEATTR_CACHE;
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CACHE;
+ if (aa && !chaining)
+ rdataset->trust =
+ dns_trust_authauthority;
+ else
+ rdataset->trust =
+ dns_trust_additional;
+
+ /*
+ * Mark any additional data related
+ * to this rdataset.
+ */
+ (void)dns_rdataset_additionaldata(
+ rdataset,
+ check_related,
+ fctx);
+ done = ISC_TRUE;
+ }
+ }
+ }
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
+
+static void
+resume_dslookup(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *fevent;
+ dns_resolver_t *res;
+ fetchctx_t *fctx;
+ isc_result_t result;
+ isc_boolean_t bucket_empty = ISC_FALSE;
+ isc_boolean_t locked = ISC_FALSE;
+ unsigned int bucketnum;
+ dns_rdataset_t nameservers;
+ dns_fixedname_t fixed;
+ dns_name_t *domain;
+
+ REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+ fevent = (dns_fetchevent_t *)event;
+ fctx = event->ev_arg;
+ REQUIRE(VALID_FCTX(fctx));
+ res = fctx->res;
+
+ UNUSED(task);
+ FCTXTRACE("resume_dslookup");
+
+ if (fevent->node != NULL)
+ dns_db_detachnode(fevent->db, &fevent->node);
+ if (fevent->db != NULL)
+ dns_db_detach(&fevent->db);
+
+ dns_rdataset_init(&nameservers);
+
+ bucketnum = fctx->bucketnum;
+ if (fevent->result == ISC_R_CANCELED) {
+ dns_resolver_destroyfetch(&fctx->nsfetch);
+ fctx_done(fctx, ISC_R_CANCELED);
+ } else if (fevent->result == ISC_R_SUCCESS) {
+
+ FCTXTRACE("resuming DS lookup");
+
+ dns_resolver_destroyfetch(&fctx->nsfetch);
+ if (dns_rdataset_isassociated(&fctx->nameservers))
+ dns_rdataset_disassociate(&fctx->nameservers);
+ dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
+ dns_name_free(&fctx->domain, fctx->res->mctx);
+ dns_name_init(&fctx->domain, NULL);
+ result = dns_name_dup(&fctx->nsname, fctx->res->mctx,
+ &fctx->domain);
+ if (result != ISC_R_SUCCESS) {
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ /*
+ * Try again.
+ */
+ fctx_try(fctx);
+ } else {
+ unsigned int n;
+
+ /*
+ * Retrieve state from fctx->nsfetch before we destroy it.
+ */
+ dns_fixedname_init(&fixed);
+ domain = dns_fixedname_name(&fixed);
+ dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
+ dns_rdataset_clone(&fctx->nsfetch->private->nameservers,
+ &nameservers);
+ dns_resolver_destroyfetch(&fctx->nsfetch);
+ if (dns_name_equal(&fctx->nsname, domain)) {
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ goto cleanup;
+ }
+ n = dns_name_countlabels(&fctx->nsname);
+ dns_name_getlabelsequence(&fctx->nsname, 1, n - 1,
+ &fctx->nsname);
+
+ if (dns_rdataset_isassociated(fevent->rdataset))
+ dns_rdataset_disassociate(fevent->rdataset);
+ FCTXTRACE("continuing to look for parent's NS records");
+ result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
+ dns_rdatatype_ns, domain,
+ &nameservers, NULL, 0, task,
+ resume_dslookup, fctx,
+ &fctx->nsrrset, NULL,
+ &fctx->nsfetch);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ else {
+ LOCK(&res->buckets[bucketnum].lock);
+ locked = ISC_TRUE;
+ fctx->references++;
+ }
+ }
+
+ cleanup:
+ if (dns_rdataset_isassociated(&nameservers))
+ dns_rdataset_disassociate(&nameservers);
+ if (dns_rdataset_isassociated(fevent->rdataset))
+ dns_rdataset_disassociate(fevent->rdataset);
+ INSIST(fevent->sigrdataset == NULL);
+ isc_event_free(&event);
+ if (!locked)
+ LOCK(&res->buckets[bucketnum].lock);
+ fctx->references--;
+ if (fctx->references == 0)
+ bucket_empty = fctx_destroy(fctx);
+ UNLOCK(&res->buckets[bucketnum].lock);
+ if (bucket_empty)
+ empty_bucket(res);
+}
+
+static inline void
+checknamessection(dns_message_t *message, dns_section_t section) {
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t *rdataset;
+
+ for (result = dns_message_firstname(message, section);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, section))
+ {
+ name = NULL;
+ dns_message_currentname(message, section, &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link)) {
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdataset_current(rdataset, &rdata);
+ if (!dns_rdata_checkowner(name, rdata.rdclass,
+ rdata.type,
+ ISC_FALSE) ||
+ !dns_rdata_checknames(&rdata, name, NULL))
+ {
+ rdataset->attributes |=
+ DNS_RDATASETATTR_CHECKNAMES;
+ }
+ dns_rdata_reset(&rdata);
+ }
+ }
+ }
+}
+
+static void
+checknames(dns_message_t *message) {
+
+ checknamessection(message, DNS_SECTION_ANSWER);
+ checknamessection(message, DNS_SECTION_AUTHORITY);
+ checknamessection(message, DNS_SECTION_ADDITIONAL);
+}
+
+static void
+resquery_response(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result = ISC_R_SUCCESS;
+ resquery_t *query = event->ev_arg;
+ dns_dispatchevent_t *devent = (dns_dispatchevent_t *)event;
+ isc_boolean_t keep_trying, get_nameservers, resend;
+ isc_boolean_t truncated;
+ dns_message_t *message;
+ fetchctx_t *fctx;
+ dns_name_t *fname;
+ dns_fixedname_t foundname;
+ isc_stdtime_t now;
+ isc_time_t tnow, *finish;
+ dns_adbaddrinfo_t *addrinfo;
+ unsigned int options;
+ unsigned int findoptions;
+ isc_result_t broken_server;
+
+ REQUIRE(VALID_QUERY(query));
+ fctx = query->fctx;
+ options = query->options;
+ REQUIRE(VALID_FCTX(fctx));
+ REQUIRE(event->ev_type == DNS_EVENT_DISPATCH);
+
+ QTRACE("response");
+
+ (void)isc_timer_touch(fctx->timer);
+
+ keep_trying = ISC_FALSE;
+ broken_server = ISC_R_SUCCESS;
+ get_nameservers = ISC_FALSE;
+ resend = ISC_FALSE;
+ truncated = ISC_FALSE;
+ finish = NULL;
+
+ if (fctx->res->exiting) {
+ result = ISC_R_SHUTTINGDOWN;
+ goto done;
+ }
+
+ fctx->timeouts = 0;
+
+ /*
+ * XXXRTH We should really get the current time just once. We
+ * need a routine to convert from an isc_time_t to an
+ * isc_stdtime_t.
+ */
+ TIME_NOW(&tnow);
+ finish = &tnow;
+ isc_stdtime_get(&now);
+
+ /*
+ * Did the dispatcher have a problem?
+ */
+ if (devent->result != ISC_R_SUCCESS) {
+ if (devent->result == ISC_R_EOF &&
+ (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ /*
+ * The problem might be that they
+ * don't understand EDNS0. Turn it
+ * off and try again.
+ */
+ options |= DNS_FETCHOPT_NOEDNS0;
+ resend = ISC_TRUE;
+ /*
+ * Remember that they don't like EDNS0.
+ */
+ dns_adb_changeflags(fctx->adb,
+ query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ } else {
+ /*
+ * There's no hope for this query.
+ */
+ keep_trying = ISC_TRUE;
+ }
+ goto done;
+ }
+
+ message = fctx->rmessage;
+
+ if (query->tsig != NULL) {
+ result = dns_message_setquerytsig(message, query->tsig);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+
+ if (query->tsigkey) {
+ result = dns_message_settsigkey(message, query->tsigkey);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+
+ result = dns_message_parse(message, &devent->buffer, 0);
+ if (result != ISC_R_SUCCESS) {
+ switch (result) {
+ case ISC_R_UNEXPECTEDEND:
+ if (!message->question_ok ||
+ (message->flags & DNS_MESSAGEFLAG_TC) == 0 ||
+ (options & DNS_FETCHOPT_TCP) != 0) {
+ /*
+ * Either the message ended prematurely,
+ * and/or wasn't marked as being truncated,
+ * and/or this is a response to a query we
+ * sent over TCP. In all of these cases,
+ * something is wrong with the remote
+ * server and we don't want to retry using
+ * TCP.
+ */
+ if ((query->options & DNS_FETCHOPT_NOEDNS0)
+ == 0) {
+ /*
+ * The problem might be that they
+ * don't understand EDNS0. Turn it
+ * off and try again.
+ */
+ options |= DNS_FETCHOPT_NOEDNS0;
+ resend = ISC_TRUE;
+ /*
+ * Remember that they don't like EDNS0.
+ */
+ dns_adb_changeflags(
+ fctx->adb,
+ query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ } else {
+ broken_server = result;
+ keep_trying = ISC_TRUE;
+ }
+ goto done;
+ }
+ /*
+ * We defer retrying via TCP for a bit so we can
+ * check out this message further.
+ */
+ truncated = ISC_TRUE;
+ break;
+ case DNS_R_FORMERR:
+ if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ /*
+ * The problem might be that they
+ * don't understand EDNS0. Turn it
+ * off and try again.
+ */
+ options |= DNS_FETCHOPT_NOEDNS0;
+ resend = ISC_TRUE;
+ /*
+ * Remember that they don't like EDNS0.
+ */
+ dns_adb_changeflags(fctx->adb,
+ query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ } else {
+ broken_server = DNS_R_UNEXPECTEDRCODE;
+ keep_trying = ISC_TRUE;
+ }
+ goto done;
+ default:
+ /*
+ * Something bad has happened.
+ */
+ goto done;
+ }
+ }
+
+ /*
+ * If the message is signed, check the signature. If not, this
+ * returns success anyway.
+ */
+ result = dns_message_checksig(message, fctx->res->view);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+
+ /*
+ * The dispatcher should ensure we only get responses with QR set.
+ */
+ INSIST((message->flags & DNS_MESSAGEFLAG_QR) != 0);
+ /*
+ * INSIST() that the message comes from the place we sent it to,
+ * since the dispatch code should ensure this.
+ *
+ * INSIST() that the message id is correct (this should also be
+ * ensured by the dispatch code).
+ */
+
+
+ /*
+ * Deal with truncated responses by retrying using TCP.
+ */
+ if ((message->flags & DNS_MESSAGEFLAG_TC) != 0)
+ truncated = ISC_TRUE;
+
+ if (truncated) {
+ if ((options & DNS_FETCHOPT_TCP) != 0) {
+ broken_server = DNS_R_TRUNCATEDTCP;
+ keep_trying = ISC_TRUE;
+ } else {
+ options |= DNS_FETCHOPT_TCP;
+ resend = ISC_TRUE;
+ }
+ goto done;
+ }
+
+ /*
+ * Is it a query response?
+ */
+ if (message->opcode != dns_opcode_query) {
+ /* XXXRTH Log */
+ broken_server = DNS_R_UNEXPECTEDOPCODE;
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+
+ /*
+ * Is the remote server broken, or does it dislike us?
+ */
+ if (message->rcode != dns_rcode_noerror &&
+ message->rcode != dns_rcode_nxdomain) {
+ if ((message->rcode == dns_rcode_formerr ||
+ message->rcode == dns_rcode_notimp ||
+ message->rcode == dns_rcode_servfail) &&
+ (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+ /*
+ * It's very likely they don't like EDNS0.
+ *
+ * XXXRTH We should check if the question
+ * we're asking requires EDNS0, and
+ * if so, we should bail out.
+ */
+ options |= DNS_FETCHOPT_NOEDNS0;
+ resend = ISC_TRUE;
+ /*
+ * Remember that they don't like EDNS0.
+ */
+ if (message->rcode != dns_rcode_servfail)
+ dns_adb_changeflags(fctx->adb, query->addrinfo,
+ DNS_FETCHOPT_NOEDNS0,
+ DNS_FETCHOPT_NOEDNS0);
+ } else if (message->rcode == dns_rcode_formerr) {
+ if (ISFORWARDER(query->addrinfo)) {
+ /*
+ * This forwarder doesn't understand us,
+ * but other forwarders might. Keep trying.
+ */
+ broken_server = DNS_R_REMOTEFORMERR;
+ keep_trying = ISC_TRUE;
+ } else {
+ /*
+ * The server doesn't understand us. Since
+ * all servers for a zone need similar
+ * capabilities, we assume that we will get
+ * FORMERR from all servers, and thus we
+ * cannot make any more progress with this
+ * fetch.
+ */
+ result = DNS_R_FORMERR;
+ }
+ } else if (message->rcode == dns_rcode_yxdomain) {
+ /*
+ * DNAME mapping failed because the new name
+ * was too long. There's no chance of success
+ * for this fetch.
+ */
+ result = DNS_R_YXDOMAIN;
+ } else {
+ /*
+ * XXXRTH log.
+ */
+ broken_server = DNS_R_UNEXPECTEDRCODE;
+ INSIST(broken_server != ISC_R_SUCCESS);
+ keep_trying = ISC_TRUE;
+ }
+ goto done;
+ }
+
+ /*
+ * Is the question the same as the one we asked?
+ */
+ result = same_question(fctx);
+ if (result != ISC_R_SUCCESS) {
+ /* XXXRTH Log */
+ if (result == DNS_R_FORMERR)
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+
+ /*
+ * Is the server lame?
+ */
+ if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
+ is_lame(fctx)) {
+ log_lame(fctx, query->addrinfo);
+ result = dns_adb_marklame(fctx->adb, query->addrinfo,
+ &fctx->domain,
+ now + fctx->res->lame_ttl);
+ if (result != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_ERROR,
+ "could not mark server as lame: %s",
+ isc_result_totext(result));
+ broken_server = DNS_R_LAME;
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+
+ /*
+ * Enforce delegations only zones like NET and COM.
+ */
+ if (!ISFORWARDER(query->addrinfo) &&
+ dns_view_isdelegationonly(fctx->res->view, &fctx->domain) &&
+ !dns_name_equal(&fctx->domain, &fctx->name) &&
+ fix_mustbedelegationornxdomain(message, fctx)) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char domainbuf[DNS_NAME_FORMATSIZE];
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ char classbuf[64];
+ char typebuf[64];
+
+ dns_name_format(&fctx->name, namebuf, sizeof(namebuf));
+ dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+ dns_rdatatype_format(fctx->type, typebuf, sizeof(typebuf));
+ dns_rdataclass_format(fctx->res->rdclass, classbuf,
+ sizeof(classbuf));
+ isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+ sizeof(addrbuf));
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DELEGATION_ONLY,
+ DNS_LOGMODULE_RESOLVER, ISC_LOG_NOTICE,
+ "enforced delegation-only for '%s' (%s/%s/%s) "
+ "from %s",
+ domainbuf, namebuf, typebuf, classbuf, addrbuf);
+ }
+
+ if ((fctx->res->options | DNS_RESOLVER_CHECKNAMES) != 0)
+ checknames(message);
+
+ /*
+ * Did we get any answers?
+ */
+ if (message->counts[DNS_SECTION_ANSWER] > 0 &&
+ (message->rcode == dns_rcode_noerror ||
+ message->rcode == dns_rcode_nxdomain)) {
+ /*
+ * We've got answers. However, if we sent
+ * a BIND 8 server an NS query, it may have
+ * incorrectly responded with a non-authoritative
+ * answer instead of a referral. Since this
+ * answer lacks the SIGs necessary to do DNSSEC
+ * validation, we must invoke the following special
+ * kludge to treat it as a referral.
+ */
+ if (fctx->type == dns_rdatatype_ns &&
+ (message->flags & DNS_MESSAGEFLAG_AA) == 0 &&
+ !ISFORWARDER(query->addrinfo))
+ {
+ result = noanswer_response(fctx, NULL, ISC_TRUE);
+ if (result != DNS_R_DELEGATION) {
+ /*
+ * The answer section must have contained
+ * something other than the NS records
+ * we asked for. Since AA is not set
+ * and the server is not a forwarder,
+ * it is technically lame and it's easier
+ * to treat it as such than to figure out
+ * some more elaborate course of action.
+ */
+ broken_server = DNS_R_LAME;
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+ goto force_referral;
+ }
+ result = answer_response(fctx);
+ if (result != ISC_R_SUCCESS) {
+ if (result == DNS_R_FORMERR)
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+ } else if (message->counts[DNS_SECTION_AUTHORITY] > 0 ||
+ message->rcode == dns_rcode_noerror ||
+ message->rcode == dns_rcode_nxdomain) {
+ /*
+ * NXDOMAIN, NXRDATASET, or referral.
+ */
+ result = noanswer_response(fctx, NULL, ISC_FALSE);
+ if (result == DNS_R_CHASEDSSERVERS) {
+ } else if (result == DNS_R_DELEGATION) {
+ force_referral:
+ /*
+ * We don't have the answer, but we know a better
+ * place to look.
+ */
+ get_nameservers = ISC_TRUE;
+ keep_trying = ISC_TRUE;
+ /*
+ * We have a new set of name servers, and it
+ * has not experienced any restarts yet.
+ */
+ fctx->restarts = 0;
+ result = ISC_R_SUCCESS;
+ } else if (result != ISC_R_SUCCESS) {
+ /*
+ * Something has gone wrong.
+ */
+ if (result == DNS_R_FORMERR)
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+ } else {
+ /*
+ * The server is insane.
+ */
+ /* XXXRTH Log */
+ broken_server = DNS_R_UNEXPECTEDRCODE;
+ keep_trying = ISC_TRUE;
+ goto done;
+ }
+
+ /*
+ * Follow additional section data chains.
+ */
+ chase_additional(fctx);
+
+ /*
+ * Cache the cacheable parts of the message. This may also cause
+ * work to be queued to the DNSSEC validator.
+ */
+ if (WANTCACHE(fctx)) {
+ result = cache_message(fctx, now);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+
+ /*
+ * Ncache the negatively cacheable parts of the message. This may
+ * also cause work to be queued to the DNSSEC validator.
+ */
+ if (WANTNCACHE(fctx)) {
+ dns_rdatatype_t covers;
+ if (message->rcode == dns_rcode_nxdomain)
+ covers = dns_rdatatype_any;
+ else
+ covers = fctx->type;
+
+ /*
+ * Cache any negative cache entries in the message.
+ */
+ result = ncache_message(fctx, covers, now);
+ }
+
+ done:
+ /*
+ * Remember the query's addrinfo, in case we need to mark the
+ * server as broken.
+ */
+ addrinfo = query->addrinfo;
+
+ /*
+ * Cancel the query.
+ *
+ * XXXRTH Don't cancel the query if waiting for validation?
+ */
+ fctx_cancelquery(&query, &devent, finish, ISC_FALSE);
+
+ if (keep_trying) {
+ if (result == DNS_R_FORMERR)
+ broken_server = DNS_R_FORMERR;
+ if (broken_server != ISC_R_SUCCESS) {
+ /*
+ * Add this server to the list of bad servers for
+ * this fctx.
+ */
+ add_bad(fctx, &addrinfo->sockaddr, broken_server);
+ }
+
+ if (get_nameservers) {
+ dns_name_t *name;
+ dns_fixedname_init(&foundname);
+ fname = dns_fixedname_name(&foundname);
+ if (result != ISC_R_SUCCESS) {
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ return;
+ }
+ findoptions = 0;
+ if ((options & DNS_FETCHOPT_UNSHARED) == 0)
+ name = &fctx->name;
+ else
+ name = &fctx->domain;
+ result = dns_view_findzonecut(fctx->res->view,
+ name, fname,
+ now, 0, ISC_TRUE,
+ &fctx->nameservers,
+ NULL);
+ if (result != ISC_R_SUCCESS) {
+ FCTXTRACE("couldn't find a zonecut");
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ return;
+ }
+ if (!dns_name_issubdomain(fname, &fctx->domain)) {
+ /*
+ * The best nameservers are now above our
+ * QDOMAIN.
+ */
+ FCTXTRACE("nameservers now above QDOMAIN");
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ return;
+ }
+ dns_name_free(&fctx->domain, fctx->res->mctx);
+ dns_name_init(&fctx->domain, NULL);
+ result = dns_name_dup(fname, fctx->res->mctx,
+ &fctx->domain);
+ if (result != ISC_R_SUCCESS) {
+ fctx_done(fctx, DNS_R_SERVFAIL);
+ return;
+ }
+ fctx_cancelqueries(fctx, ISC_TRUE);
+ fctx_cleanupfinds(fctx);
+ fctx_cleanupaltfinds(fctx);
+ fctx_cleanupforwaddrs(fctx);
+ fctx_cleanupaltaddrs(fctx);
+ }
+ /*
+ * Try again.
+ */
+ fctx_try(fctx);
+ } else if (resend) {
+ /*
+ * Resend (probably with changed options).
+ */
+ FCTXTRACE("resend");
+ result = fctx_query(fctx, addrinfo, options);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ } else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
+ /*
+ * All has gone well so far, but we are waiting for the
+ * DNSSEC validator to validate the answer.
+ */
+ FCTXTRACE("wait for validator");
+ fctx_cancelqueries(fctx, ISC_TRUE);
+ /*
+ * We must not retransmit while the validator is working;
+ * it has references to the current rmessage.
+ */
+ result = fctx_stopidletimer(fctx);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ } else if (result == DNS_R_CHASEDSSERVERS) {
+ unsigned int n;
+ add_bad(fctx, &addrinfo->sockaddr, result);
+ fctx_cancelqueries(fctx, ISC_TRUE);
+ fctx_cleanupfinds(fctx);
+ fctx_cleanupforwaddrs(fctx);
+
+ n = dns_name_countlabels(&fctx->name);
+ dns_name_getlabelsequence(&fctx->name, 1, n - 1, &fctx->nsname);
+
+ FCTXTRACE("suspending DS lookup to find parent's NS records");
+
+ result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
+ dns_rdatatype_ns,
+ NULL, NULL, NULL, 0, task,
+ resume_dslookup, fctx,
+ &fctx->nsrrset, NULL,
+ &fctx->nsfetch);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+ fctx->references++;
+ UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+ result = fctx_stopidletimer(fctx);
+ if (result != ISC_R_SUCCESS)
+ fctx_done(fctx, result);
+ } else {
+ /*
+ * We're done.
+ */
+ fctx_done(fctx, result);
+ }
+}
+
+
+/***
+ *** Resolver Methods
+ ***/
+
+static void
+destroy(dns_resolver_t *res) {
+ unsigned int i;
+ alternate_t *a;
+
+ REQUIRE(res->references == 0);
+ REQUIRE(!res->priming);
+ REQUIRE(res->primefetch == NULL);
+
+ RTRACE("destroy");
+
+ INSIST(res->nfctx == 0);
+
+ DESTROYLOCK(&res->primelock);
+ DESTROYLOCK(&res->nlock);
+ DESTROYLOCK(&res->lock);
+ for (i = 0; i < res->nbuckets; i++) {
+ INSIST(ISC_LIST_EMPTY(res->buckets[i].fctxs));
+ isc_task_shutdown(res->buckets[i].task);
+ isc_task_detach(&res->buckets[i].task);
+ DESTROYLOCK(&res->buckets[i].lock);
+ }
+ isc_mem_put(res->mctx, res->buckets,
+ res->nbuckets * sizeof(fctxbucket_t));
+ if (res->dispatchv4 != NULL)
+ dns_dispatch_detach(&res->dispatchv4);
+ if (res->dispatchv6 != NULL)
+ dns_dispatch_detach(&res->dispatchv6);
+ while ((a = ISC_LIST_HEAD(res->alternates)) != NULL) {
+ ISC_LIST_UNLINK(res->alternates, a, link);
+ if (!a->isaddress)
+ dns_name_free(&a->_u._n.name, res->mctx);
+ isc_mem_put(res->mctx, a, sizeof(*a));
+ }
+ dns_resolver_reset_algorithms(res);
+ dns_resolver_resetmustbesecure(res);
+#if USE_ALGLOCK
+ isc_rwlock_destroy(&res->alglock);
+#endif
+#if USE_MBSLOCK
+ isc_rwlock_destroy(&res->mbslock);
+#endif
+ res->magic = 0;
+ isc_mem_put(res->mctx, res, sizeof(*res));
+}
+
+static void
+send_shutdown_events(dns_resolver_t *res) {
+ isc_event_t *event, *next_event;
+ isc_task_t *etask;
+
+ /*
+ * Caller must be holding the resolver lock.
+ */
+
+ for (event = ISC_LIST_HEAD(res->whenshutdown);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ ISC_LIST_UNLINK(res->whenshutdown, event, ev_link);
+ etask = event->ev_sender;
+ event->ev_sender = res;
+ isc_task_sendanddetach(&etask, &event);
+ }
+}
+
+static void
+empty_bucket(dns_resolver_t *res) {
+ RTRACE("empty_bucket");
+
+ LOCK(&res->lock);
+
+ INSIST(res->activebuckets > 0);
+ res->activebuckets--;
+ if (res->activebuckets == 0)
+ send_shutdown_events(res);
+
+ UNLOCK(&res->lock);
+}
+
+isc_result_t
+dns_resolver_create(dns_view_t *view,
+ isc_taskmgr_t *taskmgr, unsigned int ntasks,
+ isc_socketmgr_t *socketmgr,
+ isc_timermgr_t *timermgr,
+ unsigned int options,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4,
+ dns_dispatch_t *dispatchv6,
+ dns_resolver_t **resp)
+{
+ dns_resolver_t *res;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned int i, buckets_created = 0;
+ char name[16];
+
+ /*
+ * Create a resolver.
+ */
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(ntasks > 0);
+ REQUIRE(resp != NULL && *resp == NULL);
+ REQUIRE(dispatchmgr != NULL);
+ REQUIRE(dispatchv4 != NULL || dispatchv6 != NULL);
+
+ res = isc_mem_get(view->mctx, sizeof(*res));
+ if (res == NULL)
+ return (ISC_R_NOMEMORY);
+ RTRACE("create");
+ res->mctx = view->mctx;
+ res->rdclass = view->rdclass;
+ res->socketmgr = socketmgr;
+ res->timermgr = timermgr;
+ res->taskmgr = taskmgr;
+ res->dispatchmgr = dispatchmgr;
+ res->view = view;
+ res->options = options;
+ res->lame_ttl = 0;
+ ISC_LIST_INIT(res->alternates);
+ res->udpsize = RECV_BUFFER_SIZE;
+ res->algorithms = NULL;
+ res->mustbesecure = NULL;
+
+ res->nbuckets = ntasks;
+ res->activebuckets = ntasks;
+ res->buckets = isc_mem_get(view->mctx,
+ ntasks * sizeof(fctxbucket_t));
+ if (res->buckets == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_res;
+ }
+ for (i = 0; i < ntasks; i++) {
+ result = isc_mutex_init(&res->buckets[i].lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_buckets;
+ res->buckets[i].task = NULL;
+ result = isc_task_create(taskmgr, 0, &res->buckets[i].task);
+ if (result != ISC_R_SUCCESS) {
+ DESTROYLOCK(&res->buckets[i].lock);
+ goto cleanup_buckets;
+ }
+ snprintf(name, sizeof(name), "res%u", i);
+ isc_task_setname(res->buckets[i].task, name, res);
+ ISC_LIST_INIT(res->buckets[i].fctxs);
+ res->buckets[i].exiting = ISC_FALSE;
+ buckets_created++;
+ }
+
+ res->dispatchv4 = NULL;
+ if (dispatchv4 != NULL)
+ dns_dispatch_attach(dispatchv4, &res->dispatchv4);
+ res->dispatchv6 = NULL;
+ if (dispatchv6 != NULL)
+ dns_dispatch_attach(dispatchv6, &res->dispatchv6);
+
+ res->references = 1;
+ res->exiting = ISC_FALSE;
+ res->frozen = ISC_FALSE;
+ ISC_LIST_INIT(res->whenshutdown);
+ res->priming = ISC_FALSE;
+ res->primefetch = NULL;
+ res->nfctx = 0;
+
+ result = isc_mutex_init(&res->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_dispatches;
+
+ result = isc_mutex_init(&res->nlock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_lock;
+
+ result = isc_mutex_init(&res->primelock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_nlock;
+
+#if USE_ALGLOCK
+ result = isc_rwlock_init(&res->alglock, 0, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_primelock;
+#endif
+#if USE_MBSLOCK
+ result = isc_rwlock_init(&res->mbslock, 0, 0);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_alglock;
+#endif
+
+ res->magic = RES_MAGIC;
+
+ *resp = res;
+
+ return (ISC_R_SUCCESS);
+
+#if USE_MBSLOCK
+ cleanup_alglock:
+#if USE_ALGLOCK
+ isc_rwlock_destroy(&res->alglock);
+#endif
+#endif
+#if USE_ALGLOCK || USE_MBSLOCK
+ cleanup_primelock:
+ DESTROYLOCK(&res->primelock);
+#endif
+
+ cleanup_nlock:
+ DESTROYLOCK(&res->nlock);
+
+ cleanup_lock:
+ DESTROYLOCK(&res->lock);
+
+ cleanup_dispatches:
+ if (res->dispatchv6 != NULL)
+ dns_dispatch_detach(&res->dispatchv6);
+ if (res->dispatchv4 != NULL)
+ dns_dispatch_detach(&res->dispatchv4);
+
+ cleanup_buckets:
+ for (i = 0; i < buckets_created; i++) {
+ DESTROYLOCK(&res->buckets[i].lock);
+ isc_task_shutdown(res->buckets[i].task);
+ isc_task_detach(&res->buckets[i].task);
+ }
+ isc_mem_put(view->mctx, res->buckets,
+ res->nbuckets * sizeof(fctxbucket_t));
+
+ cleanup_res:
+ isc_mem_put(view->mctx, res, sizeof(*res));
+
+ return (result);
+}
+
+static void
+prime_done(isc_task_t *task, isc_event_t *event) {
+ dns_resolver_t *res;
+ dns_fetchevent_t *fevent;
+ dns_fetch_t *fetch;
+
+ REQUIRE(event->ev_type == DNS_EVENT_FETCHDONE);
+ fevent = (dns_fetchevent_t *)event;
+ res = event->ev_arg;
+ REQUIRE(VALID_RESOLVER(res));
+
+ UNUSED(task);
+
+ LOCK(&res->lock);
+
+ INSIST(res->priming);
+ res->priming = ISC_FALSE;
+ LOCK(&res->primelock);
+ fetch = res->primefetch;
+ res->primefetch = NULL;
+ UNLOCK(&res->primelock);
+
+ UNLOCK(&res->lock);
+
+ if (fevent->node != NULL)
+ dns_db_detachnode(fevent->db, &fevent->node);
+ if (fevent->db != NULL)
+ dns_db_detach(&fevent->db);
+ if (dns_rdataset_isassociated(fevent->rdataset))
+ dns_rdataset_disassociate(fevent->rdataset);
+ INSIST(fevent->sigrdataset == NULL);
+
+ isc_mem_put(res->mctx, fevent->rdataset, sizeof(*fevent->rdataset));
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&fetch);
+}
+
+void
+dns_resolver_prime(dns_resolver_t *res) {
+ isc_boolean_t want_priming = ISC_FALSE;
+ dns_rdataset_t *rdataset;
+ isc_result_t result;
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE(res->frozen);
+
+ RTRACE("dns_resolver_prime");
+
+ LOCK(&res->lock);
+
+ if (!res->exiting && !res->priming) {
+ INSIST(res->primefetch == NULL);
+ res->priming = ISC_TRUE;
+ want_priming = ISC_TRUE;
+ }
+
+ UNLOCK(&res->lock);
+
+ if (want_priming) {
+ /*
+ * To avoid any possible recursive locking problems, we
+ * start the priming fetch like any other fetch, and holding
+ * no resolver locks. No one else will try to start it
+ * because we're the ones who set res->priming to true.
+ * Any other callers of dns_resolver_prime() while we're
+ * running will see that res->priming is already true and
+ * do nothing.
+ */
+ RTRACE("priming");
+ rdataset = isc_mem_get(res->mctx, sizeof(*rdataset));
+ if (rdataset == NULL) {
+ LOCK(&res->lock);
+ INSIST(res->priming);
+ INSIST(res->primefetch == NULL);
+ res->priming = ISC_FALSE;
+ UNLOCK(&res->lock);
+ return;
+ }
+ dns_rdataset_init(rdataset);
+ LOCK(&res->primelock);
+ result = dns_resolver_createfetch(res, dns_rootname,
+ dns_rdatatype_ns,
+ NULL, NULL, NULL, 0,
+ res->buckets[0].task,
+ prime_done,
+ res, rdataset, NULL,
+ &res->primefetch);
+ UNLOCK(&res->primelock);
+ if (result != ISC_R_SUCCESS) {
+ LOCK(&res->lock);
+ INSIST(res->priming);
+ res->priming = ISC_FALSE;
+ UNLOCK(&res->lock);
+ }
+ }
+}
+
+void
+dns_resolver_freeze(dns_resolver_t *res) {
+
+ /*
+ * Freeze resolver.
+ */
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE(!res->frozen);
+
+ res->frozen = ISC_TRUE;
+}
+
+void
+dns_resolver_attach(dns_resolver_t *source, dns_resolver_t **targetp) {
+ REQUIRE(VALID_RESOLVER(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ RRTRACE(source, "attach");
+ LOCK(&source->lock);
+ REQUIRE(!source->exiting);
+
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0);
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+dns_resolver_whenshutdown(dns_resolver_t *res, isc_task_t *task,
+ isc_event_t **eventp)
+{
+ isc_task_t *clone;
+ isc_event_t *event;
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE(eventp != NULL);
+
+ event = *eventp;
+ *eventp = NULL;
+
+ LOCK(&res->lock);
+
+ if (res->exiting && res->activebuckets == 0) {
+ /*
+ * We're already shutdown. Send the event.
+ */
+ event->ev_sender = res;
+ isc_task_send(task, &event);
+ } else {
+ clone = NULL;
+ isc_task_attach(task, &clone);
+ event->ev_sender = clone;
+ ISC_LIST_APPEND(res->whenshutdown, event, ev_link);
+ }
+
+ UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_shutdown(dns_resolver_t *res) {
+ unsigned int i;
+ fetchctx_t *fctx;
+ isc_socket_t *sock;
+
+ REQUIRE(VALID_RESOLVER(res));
+
+ RTRACE("shutdown");
+
+ LOCK(&res->lock);
+
+ if (!res->exiting) {
+ RTRACE("exiting");
+ res->exiting = ISC_TRUE;
+
+ for (i = 0; i < res->nbuckets; i++) {
+ LOCK(&res->buckets[i].lock);
+ for (fctx = ISC_LIST_HEAD(res->buckets[i].fctxs);
+ fctx != NULL;
+ fctx = ISC_LIST_NEXT(fctx, link))
+ fctx_shutdown(fctx);
+ if (res->dispatchv4 != NULL) {
+ sock = dns_dispatch_getsocket(res->dispatchv4);
+ isc_socket_cancel(sock, res->buckets[i].task,
+ ISC_SOCKCANCEL_ALL);
+ }
+ if (res->dispatchv6 != NULL) {
+ sock = dns_dispatch_getsocket(res->dispatchv6);
+ isc_socket_cancel(sock, res->buckets[i].task,
+ ISC_SOCKCANCEL_ALL);
+ }
+ res->buckets[i].exiting = ISC_TRUE;
+ if (ISC_LIST_EMPTY(res->buckets[i].fctxs)) {
+ INSIST(res->activebuckets > 0);
+ res->activebuckets--;
+ }
+ UNLOCK(&res->buckets[i].lock);
+ }
+ if (res->activebuckets == 0)
+ send_shutdown_events(res);
+ }
+
+ UNLOCK(&res->lock);
+}
+
+void
+dns_resolver_detach(dns_resolver_t **resp) {
+ dns_resolver_t *res;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(resp != NULL);
+ res = *resp;
+ REQUIRE(VALID_RESOLVER(res));
+
+ RTRACE("detach");
+
+ LOCK(&res->lock);
+
+ INSIST(res->references > 0);
+ res->references--;
+ if (res->references == 0) {
+ INSIST(res->exiting && res->activebuckets == 0);
+ need_destroy = ISC_TRUE;
+ }
+
+ UNLOCK(&res->lock);
+
+ if (need_destroy)
+ destroy(res);
+
+ *resp = NULL;
+}
+
+static inline isc_boolean_t
+fctx_match(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
+ unsigned int options)
+{
+ if (fctx->type != type || fctx->options != options)
+ return (ISC_FALSE);
+ return (dns_name_equal(&fctx->name, name));
+}
+
+static inline void
+log_fetch(dns_name_t *name, dns_rdatatype_t type) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ int level = ISC_LOG_DEBUG(1);
+
+ if (! isc_log_wouldlog(dns_lctx, level))
+ return;
+
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(type, typebuf, sizeof(typebuf));
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+ DNS_LOGMODULE_RESOLVER, level,
+ "createfetch: %s %s", namebuf, typebuf);
+}
+
+isc_result_t
+dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
+ dns_rdatatype_t type,
+ dns_name_t *domain, dns_rdataset_t *nameservers,
+ dns_forwarders_t *forwarders,
+ unsigned int options, isc_task_t *task,
+ isc_taskaction_t action, void *arg,
+ dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset,
+ dns_fetch_t **fetchp)
+{
+ dns_fetch_t *fetch;
+ fetchctx_t *fctx = NULL;
+ isc_result_t result;
+ unsigned int bucketnum;
+ isc_boolean_t new_fctx = ISC_FALSE;
+ isc_event_t *event;
+
+ UNUSED(forwarders);
+
+ REQUIRE(VALID_RESOLVER(res));
+ REQUIRE(res->frozen);
+ /* XXXRTH Check for meta type */
+ if (domain != NULL) {
+ REQUIRE(DNS_RDATASET_VALID(nameservers));
+ REQUIRE(nameservers->type == dns_rdatatype_ns);
+ } else
+ REQUIRE(nameservers == NULL);
+ REQUIRE(forwarders == NULL);
+ REQUIRE(!dns_rdataset_isassociated(rdataset));
+ REQUIRE(sigrdataset == NULL ||
+ !dns_rdataset_isassociated(sigrdataset));
+ REQUIRE(fetchp != NULL && *fetchp == NULL);
+
+ log_fetch(name, type);
+
+ /*
+ * XXXRTH use a mempool?
+ */
+ fetch = isc_mem_get(res->mctx, sizeof(*fetch));
+ if (fetch == NULL)
+ return (ISC_R_NOMEMORY);
+
+ bucketnum = dns_name_hash(name, ISC_FALSE) % res->nbuckets;
+
+ LOCK(&res->buckets[bucketnum].lock);
+
+ if (res->buckets[bucketnum].exiting) {
+ result = ISC_R_SHUTTINGDOWN;
+ goto unlock;
+ }
+
+ if ((options & DNS_FETCHOPT_UNSHARED) == 0) {
+ for (fctx = ISC_LIST_HEAD(res->buckets[bucketnum].fctxs);
+ fctx != NULL;
+ fctx = ISC_LIST_NEXT(fctx, link)) {
+ if (fctx_match(fctx, name, type, options))
+ break;
+ }
+ }
+
+ /*
+ * If we didn't have a fetch, would attach to a done fetch, this
+ * fetch has already cloned its results, or if the fetch has gone
+ * "idle" (no one was interested in it), we need to start a new
+ * fetch instead of joining with the existing one.
+ */
+ if (fctx == NULL ||
+ fctx->state == fetchstate_done ||
+ fctx->cloned ||
+ ISC_LIST_EMPTY(fctx->events)) {
+ fctx = NULL;
+ result = fctx_create(res, name, type, domain, nameservers,
+ options, bucketnum, &fctx);
+ if (result != ISC_R_SUCCESS)
+ goto unlock;
+ new_fctx = ISC_TRUE;
+ }
+
+ result = fctx_join(fctx, task, action, arg,
+ rdataset, sigrdataset, fetch);
+ if (new_fctx) {
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Launch this fctx.
+ */
+ event = &fctx->control_event;
+ ISC_EVENT_INIT(event, sizeof(*event), 0, NULL,
+ DNS_EVENT_FETCHCONTROL,
+ fctx_start, fctx, NULL,
+ NULL, NULL);
+ isc_task_send(res->buckets[bucketnum].task, &event);
+ } else {
+ /*
+ * We don't care about the result of fctx_destroy()
+ * since we know we're not exiting.
+ */
+ (void)fctx_destroy(fctx);
+ }
+ }
+
+ unlock:
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+ if (result == ISC_R_SUCCESS) {
+ FTRACE("created");
+ *fetchp = fetch;
+ } else
+ isc_mem_put(res->mctx, fetch, sizeof(*fetch));
+
+ return (result);
+}
+
+void
+dns_resolver_cancelfetch(dns_fetch_t *fetch) {
+ fetchctx_t *fctx;
+ dns_resolver_t *res;
+ dns_fetchevent_t *event, *next_event;
+ isc_task_t *etask;
+
+ REQUIRE(DNS_FETCH_VALID(fetch));
+ fctx = fetch->private;
+ REQUIRE(VALID_FCTX(fctx));
+ res = fctx->res;
+
+ FTRACE("cancelfetch");
+
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+
+ /*
+ * Find the completion event for this fetch (as opposed
+ * to those for other fetches that have joined the same
+ * fctx) and send it with result = ISC_R_CANCELED.
+ */
+ event = NULL;
+ if (fctx->state != fetchstate_done) {
+ for (event = ISC_LIST_HEAD(fctx->events);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ if (event->fetch == fetch) {
+ ISC_LIST_UNLINK(fctx->events, event, ev_link);
+ break;
+ }
+ }
+ }
+ if (event != NULL) {
+ etask = event->ev_sender;
+ event->ev_sender = fctx;
+ event->result = ISC_R_CANCELED;
+ isc_task_sendanddetach(&etask, ISC_EVENT_PTR(&event));
+ }
+ /*
+ * The fctx continues running even if no fetches remain;
+ * the answer is still cached.
+ */
+
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
+void
+dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
+ dns_fetch_t *fetch;
+ dns_resolver_t *res;
+ dns_fetchevent_t *event, *next_event;
+ fetchctx_t *fctx;
+ unsigned int bucketnum;
+ isc_boolean_t bucket_empty = ISC_FALSE;
+
+ REQUIRE(fetchp != NULL);
+ fetch = *fetchp;
+ REQUIRE(DNS_FETCH_VALID(fetch));
+ fctx = fetch->private;
+ REQUIRE(VALID_FCTX(fctx));
+ res = fctx->res;
+
+ FTRACE("destroyfetch");
+
+ bucketnum = fctx->bucketnum;
+ LOCK(&res->buckets[bucketnum].lock);
+
+ /*
+ * Sanity check: the caller should have gotten its event before
+ * trying to destroy the fetch.
+ */
+ event = NULL;
+ if (fctx->state != fetchstate_done) {
+ for (event = ISC_LIST_HEAD(fctx->events);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ RUNTIME_CHECK(event->fetch != fetch);
+ }
+ }
+
+ INSIST(fctx->references > 0);
+ fctx->references--;
+ if (fctx->references == 0) {
+ /*
+ * No one cares about the result of this fetch anymore.
+ */
+ if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
+ SHUTTINGDOWN(fctx)) {
+ /*
+ * This fctx is already shutdown; we were just
+ * waiting for the last reference to go away.
+ */
+ bucket_empty = fctx_destroy(fctx);
+ } else {
+ /*
+ * Initiate shutdown.
+ */
+ fctx_shutdown(fctx);
+ }
+ }
+
+ UNLOCK(&res->buckets[bucketnum].lock);
+
+ isc_mem_put(res->mctx, fetch, sizeof(*fetch));
+ *fetchp = NULL;
+
+ if (bucket_empty)
+ empty_bucket(res);
+}
+
+dns_dispatchmgr_t *
+dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->dispatchmgr);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv4(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->dispatchv4);
+}
+
+dns_dispatch_t *
+dns_resolver_dispatchv6(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->dispatchv6);
+}
+
+isc_socketmgr_t *
+dns_resolver_socketmgr(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->socketmgr);
+}
+
+isc_taskmgr_t *
+dns_resolver_taskmgr(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->taskmgr);
+}
+
+isc_uint32_t
+dns_resolver_getlamettl(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->lame_ttl);
+}
+
+void
+dns_resolver_setlamettl(dns_resolver_t *resolver, isc_uint32_t lame_ttl) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ resolver->lame_ttl = lame_ttl;
+}
+
+unsigned int
+dns_resolver_nrunning(dns_resolver_t *resolver) {
+ unsigned int n;
+ LOCK(&resolver->nlock);
+ n = resolver->nfctx;
+ UNLOCK(&resolver->nlock);
+ return (n);
+}
+
+isc_result_t
+dns_resolver_addalternate(dns_resolver_t *resolver, isc_sockaddr_t *alt,
+ dns_name_t *name, in_port_t port) {
+ alternate_t *a;
+ isc_result_t result;
+
+ REQUIRE(VALID_RESOLVER(resolver));
+ REQUIRE(!resolver->frozen);
+ REQUIRE((alt == NULL) ^ (name == NULL));
+
+ a = isc_mem_get(resolver->mctx, sizeof(*a));
+ if (a == NULL)
+ return (ISC_R_NOMEMORY);
+ if (alt != NULL) {
+ a->isaddress = ISC_TRUE;
+ a->_u.addr = *alt;
+ } else {
+ a->isaddress = ISC_FALSE;
+ a->_u._n.port = port;
+ dns_name_init(&a->_u._n.name, NULL);
+ result = dns_name_dup(name, resolver->mctx, &a->_u._n.name);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(resolver->mctx, a, sizeof(*a));
+ return (result);
+ }
+ }
+ ISC_LINK_INIT(a, link);
+ ISC_LIST_APPEND(resolver->alternates, a, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_resolver_setudpsize(dns_resolver_t *resolver, isc_uint16_t udpsize) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ resolver->udpsize = udpsize;
+}
+
+isc_uint16_t
+dns_resolver_getudpsize(dns_resolver_t *resolver) {
+ REQUIRE(VALID_RESOLVER(resolver));
+ return (resolver->udpsize);
+}
+
+static void
+free_algorithm(void *node, void *arg) {
+ unsigned char *algorithms = node;
+ isc_mem_t *mctx = arg;
+
+ isc_mem_put(mctx, algorithms, *algorithms);
+}
+
+void
+dns_resolver_reset_algorithms(dns_resolver_t *resolver) {
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+ RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+ if (resolver->algorithms != NULL)
+ dns_rbt_destroy(&resolver->algorithms);
+#if USE_ALGLOCK
+ RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
+ unsigned int alg)
+{
+ unsigned int len, mask;
+ unsigned char *new;
+ unsigned char *algorithms;
+ isc_result_t result;
+ dns_rbtnode_t *node = NULL;
+
+ REQUIRE(VALID_RESOLVER(resolver));
+ if (alg > 255)
+ return (ISC_R_RANGE);
+
+#if USE_ALGLOCK
+ RWLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+ if (resolver->algorithms == NULL) {
+ result = dns_rbt_create(resolver->mctx, free_algorithm,
+ resolver->mctx, &resolver->algorithms);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+
+ len = alg/8 + 2;
+ mask = 1 << (alg%8);
+
+ result = dns_rbt_addnode(resolver->algorithms, name, &node);
+
+ if (result == ISC_R_SUCCESS || result == ISC_R_EXISTS) {
+ algorithms = node->data;
+ if (algorithms == NULL || len > *algorithms) {
+ new = isc_mem_get(resolver->mctx, len);
+ if (new == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ memset(new, 0, len);
+ if (algorithms != NULL)
+ memcpy(new, algorithms, *algorithms);
+ new[len-1] |= mask;
+ *new = len;
+ node->data = new;
+ if (algorithms != NULL)
+ isc_mem_put(resolver->mctx, algorithms,
+ *algorithms);
+ } else
+ algorithms[len-1] |= mask;
+ }
+ result = ISC_R_SUCCESS;
+ cleanup:
+#if USE_ALGLOCK
+ RWUNLOCK(&resolver->alglock, isc_rwlocktype_write);
+#endif
+ return (result);
+}
+
+isc_boolean_t
+dns_resolver_algorithm_supported(dns_resolver_t *resolver, dns_name_t *name,
+ unsigned int alg)
+{
+ unsigned int len, mask;
+ unsigned char *algorithms;
+ void *data = NULL;
+ isc_result_t result;
+ isc_boolean_t found = ISC_FALSE;
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_ALGLOCK
+ RWLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+ if (resolver->algorithms == NULL)
+ goto unlock;
+ result = dns_rbt_findname(resolver->algorithms, name, 0, NULL, &data);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ len = alg/8 + 2;
+ mask = 1 << (alg%8);
+ algorithms = data;
+ if (len <= *algorithms && (algorithms[len-1] & mask) != 0)
+ found = ISC_TRUE;
+ }
+ unlock:
+#if USE_ALGLOCK
+ RWUNLOCK(&resolver->alglock, isc_rwlocktype_read);
+#endif
+ if (found)
+ return (ISC_FALSE);
+ return (dst_algorithm_supported(alg));
+}
+
+void
+dns_resolver_resetmustbesecure(dns_resolver_t *resolver) {
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+ RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+ if (resolver->mustbesecure != NULL)
+ dns_rbt_destroy(&resolver->mustbesecure);
+#if USE_MBSLOCK
+ RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+}
+
+static isc_boolean_t yes = ISC_TRUE, no = ISC_FALSE;
+
+isc_result_t
+dns_resolver_setmustbesecure(dns_resolver_t *resolver, dns_name_t *name,
+ isc_boolean_t value)
+{
+ isc_result_t result;
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+ RWLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+ if (resolver->mustbesecure == NULL) {
+ result = dns_rbt_create(resolver->mctx, NULL, NULL,
+ &resolver->mustbesecure);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ }
+ result = dns_rbt_addname(resolver->mustbesecure, name,
+ value ? &yes : &no);
+ cleanup:
+#if USE_MBSLOCK
+ RWUNLOCK(&resolver->mbslock, isc_rwlocktype_write);
+#endif
+ return (result);
+}
+
+isc_boolean_t
+dns_resolver_getmustbesecure(dns_resolver_t *resolver, dns_name_t *name) {
+ void *data = NULL;
+ isc_boolean_t value = ISC_FALSE;
+ isc_result_t result;
+
+ REQUIRE(VALID_RESOLVER(resolver));
+
+#if USE_MBSLOCK
+ RWLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif
+ if (resolver->mustbesecure == NULL)
+ goto unlock;
+ result = dns_rbt_findname(resolver->mustbesecure, name, 0, NULL, &data);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ value = *(isc_boolean_t*)data;
+ unlock:
+#if USE_MBSLOCK
+ RWUNLOCK(&resolver->mbslock, isc_rwlocktype_read);
+#endif
+ return (value);
+}
diff --git a/contrib/bind9/lib/dns/result.c b/contrib/bind9/lib/dns/result.c
new file mode 100644
index 0000000..eb8308a
--- /dev/null
+++ b/contrib/bind9/lib/dns/result.c
@@ -0,0 +1,272 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.c,v 1.90.2.9.2.13 2004/05/14 05:06:39 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/lib.h>
+
+static const char *text[DNS_R_NRESULTS] = {
+ "label too long", /* 0 DNS_R_LABELTOOLONG */
+ "bad escape", /* 1 DNS_R_BADESCAPE */
+ /*
+ * Note that DNS_R_BADBITSTRING and DNS_R_BITSTRINGTOOLONG are
+ * deprecated.
+ */
+ "bad bitstring", /* 2 DNS_R_BADBITSTRING */
+ "bitstring too long", /* 3 DNS_R_BITSTRINGTOOLONG */
+ "empty label", /* 4 DNS_R_EMPTYLABEL */
+
+ "bad dotted quad", /* 5 DNS_R_BADDOTTEDQUAD */
+ "invalid NS owner name (wildcard)", /* 6 DNS_R_INVALIDNS */
+ "unknown class/type", /* 7 DNS_R_UNKNOWN */
+ "bad label type", /* 8 DNS_R_BADLABELTYPE */
+ "bad compression pointer", /* 9 DNS_R_BADPOINTER */
+
+ "too many hops", /* 10 DNS_R_TOOMANYHOPS */
+ "disallowed (by application policy)", /* 11 DNS_R_DISALLOWED */
+ "extra input text", /* 12 DNS_R_EXTRATOKEN */
+ "extra input data", /* 13 DNS_R_EXTRADATA */
+ "text too long", /* 14 DNS_R_TEXTTOOLONG */
+
+ "not at top of zone", /* 15 DNS_R_NOTZONETOP */
+ "syntax error", /* 16 DNS_R_SYNTAX */
+ "bad checksum", /* 17 DNS_R_BADCKSUM */
+ "bad IPv6 address", /* 18 DNS_R_BADAAAA */
+ "no owner", /* 19 DNS_R_NOOWNER */
+
+ "no ttl", /* 20 DNS_R_NOTTL */
+ "bad class", /* 21 DNS_R_BADCLASS */
+ "name too long", /* 22 DNS_R_NAMETOOLONG */
+ "partial match", /* 23 DNS_R_PARTIALMATCH */
+ "new origin", /* 24 DNS_R_NEWORIGIN */
+
+ "unchanged", /* 25 DNS_R_UNCHANGED */
+ "bad ttl", /* 26 DNS_R_BADTTL */
+ "more data needed/to be rendered", /* 27 DNS_R_NOREDATA */
+ "continue", /* 28 DNS_R_CONTINUE */
+ "delegation", /* 29 DNS_R_DELEGATION */
+
+ "glue", /* 30 DNS_R_GLUE */
+ "dname", /* 31 DNS_R_DNAME */
+ "cname", /* 32 DNS_R_CNAME */
+ "bad database", /* 33 DNS_R_BADDB */
+ "zonecut", /* 34 DNS_R_ZONECUT */
+
+ "bad zone", /* 35 DNS_R_BADZONE */
+ "more data", /* 36 DNS_R_MOREDATA */
+ "up to date", /* 37 DNS_R_UPTODATE */
+ "tsig verify failure", /* 38 DNS_R_TSIGVERIFYFAILURE */
+ "tsig indicates error", /* 39 DNS_R_TSIGERRORSET */
+
+ "RRSIG failed to verify", /* 40 DNS_R_SIGINVALID */
+ "RRSIG has expired", /* 41 DNS_R_SIGEXPIRED */
+ "RRSIG validity period has not begun", /* 42 DNS_R_SIGFUTURE */
+ "key is unauthorized to sign data", /* 43 DNS_R_KEYUNAUTHORIZED */
+ "invalid time", /* 44 DNS_R_INVALIDTIME */
+
+ "expected a TSIG or SIG(0)", /* 45 DNS_R_EXPECTEDTSIG */
+ "did not expect a TSIG or SIG(0)", /* 46 DNS_R_UNEXPECTEDTSIG */
+ "TKEY is unacceptable", /* 47 DNS_R_INVALIDTKEY */
+ "hint", /* 48 DNS_R_HINT */
+ "drop", /* 49 DNS_R_DROP */
+
+ "zone not loaded", /* 50 DNS_R_NOTLOADED */
+ "ncache nxdomain", /* 51 DNS_R_NCACHENXDOMAIN */
+ "ncache nxrrset", /* 52 DNS_R_NCACHENXRRSET */
+ "wait", /* 53 DNS_R_WAIT */
+ "not verified yet", /* 54 DNS_R_NOTVERIFIEDYET */
+
+ "no identity", /* 55 DNS_R_NOIDENTITY */
+ "no journal", /* 56 DNS_R_NOJOURNAL */
+ "alias", /* 57 DNS_R_ALIAS */
+ "use TCP", /* 58 DNS_R_USETCP */
+ "no valid RRSIG", /* 59 DNS_R_NOVALIDSIG */
+
+ "no valid NSEC", /* 60 DNS_R_NOVALIDNSEC */
+ "not insecure", /* 61 DNS_R_NOTINSECURE */
+ "unknown service", /* 62 DNS_R_UNKNOWNSERVICE */
+ "recoverable error occurred", /* 63 DNS_R_RECOVERABLE */
+ "unknown opt attribute record", /* 64 DNS_R_UNKNOWNOPT */
+
+ "unexpected message id", /* 65 DNS_R_UNEXPECTEDID */
+ "seen include file", /* 66 DNS_R_SEENINCLUDE */
+ "not exact", /* 67 DNS_R_NOTEXACT */
+ "address blackholed", /* 68 DNS_R_BLACKHOLED */
+ "bad algorithm", /* 69 DNS_R_BADALG */
+
+ "invalid use of a meta type", /* 70 DNS_R_METATYPE */
+ "CNAME and other data", /* 71 DNS_R_CNAMEANDOTHER */
+ "multiple RRs of singleton type", /* 72 DNS_R_SINGLETON */
+ "hint nxrrset", /* 73 DNS_R_HINTNXRRSET */
+ "no master file configured", /* 74 DNS_R_NOMASTERFILE */
+
+ "unknown protocol", /* 75 DNS_R_UNKNOWNPROTO */
+ "clocks are unsynchronized", /* 76 DNS_R_CLOCKSKEW */
+ "IXFR failed", /* 77 DNS_R_BADIXFR */
+ "not authoritative", /* 78 DNS_R_NOTAUTHORITATIVE */
+ "no valid KEY", /* 79 DNS_R_NOVALIDKEY */
+
+ "obsolete", /* 80 DNS_R_OBSOLETE */
+ "already frozen", /* 81 DNS_R_FROZEN */
+ "unknown flag", /* 82 DNS_R_UNKNOWNFLAG */
+ "expected a response", /* 83 DNS_R_EXPECTEDRESPONSE */
+ "no valid DS", /* 84 DNS_R_NOVALIDDS */
+
+ "NS is an address", /* 85 DNS_R_NSISADDRESS */
+ "received FORMERR", /* 86 DNS_R_REMOTEFORMERR */
+ "truncated TCP response", /* 87 DNS_R_TRUNCATEDTCP */
+ "lame server detected", /* 88 DNS_R_LAME */
+ "unexpected RCODE", /* 89 DNS_R_UNEXPECTEDRCODE */
+
+ "unexpected OPCODE", /* 90 DNS_R_UNEXPECTEDOPCODE */
+ "chase DS servers", /* 91 DNS_R_CHASEDSSERVERS */
+ "empty name", /* 92 DNS_R_EMPTYNAME */
+ "empty wild", /* 93 DNS_R_EMPTYWILD */
+ "bad bitmap", /* 94 DNS_R_BADBITMAP */
+
+ "from wildcard", /* 95 DNS_R_FROMWILDCARD */
+ "bad owner name (check-names)", /* 96 DNS_R_BADOWNERNAME */
+ "bad name (check-names)", /* 97 DNS_R_BADNAME */
+ "dynamic zone", /* 98 DNS_R_DYNAMIC */
+ "unknown command", /* 99 DNS_R_UNKNOWNCOMMAND */
+
+ "must-be-secure", /* 100 DNS_R_MUSTBESECURE */
+ "covering NSEC record returned" /* 101 DNS_R_COVERINGNSEC */
+};
+
+static const char *rcode_text[DNS_R_NRCODERESULTS] = {
+ "NOERROR", /* 0 DNS_R_NOEROR */
+ "FORMERR", /* 1 DNS_R_FORMERR */
+ "SERVFAIL", /* 2 DNS_R_SERVFAIL */
+ "NXDOMAIN", /* 3 DNS_R_NXDOMAIN */
+ "NOTIMP", /* 4 DNS_R_NOTIMP */
+
+ "REFUSED", /* 5 DNS_R_REFUSED */
+ "YXDOMAIN", /* 6 DNS_R_YXDOMAIN */
+ "YXRRSET", /* 7 DNS_R_YXRRSET */
+ "NXRRSET", /* 8 DNS_R_NXRRSET */
+ "NOTAUTH", /* 9 DNS_R_NOTAUTH */
+
+ "NOTZONE", /* 10 DNS_R_NOTZONE */
+ "<rcode 11>", /* 11 has no macro */
+ "<rcode 12>", /* 12 has no macro */
+ "<rcode 13>", /* 13 has no macro */
+ "<rcode 14>", /* 14 has no macro */
+
+ "<rcode 15>", /* 15 has no macro */
+ "BADVERS", /* 16 DNS_R_BADVERS */
+};
+
+#define DNS_RESULT_RESULTSET 2
+#define DNS_RESULT_RCODERESULTSET 3
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+ isc_result_t result;
+
+ result = isc_result_register(ISC_RESULTCLASS_DNS, DNS_R_NRESULTS,
+ text, dns_msgcat, DNS_RESULT_RESULTSET);
+ if (result == ISC_R_SUCCESS)
+ result = isc_result_register(ISC_RESULTCLASS_DNSRCODE,
+ DNS_R_NRCODERESULTS,
+ rcode_text, dns_msgcat,
+ DNS_RESULT_RCODERESULTSET);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_result_register() failed: %u", result);
+}
+
+static void
+initialize(void) {
+ dns_lib_initmsgcat();
+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dns_result_totext(isc_result_t result) {
+ initialize();
+
+ return (isc_result_totext(result));
+}
+
+void
+dns_result_register(void) {
+ initialize();
+}
+
+dns_rcode_t
+dns_result_torcode(isc_result_t result) {
+ dns_rcode_t rcode = dns_rcode_servfail;
+
+ if (DNS_RESULT_ISRCODE(result)) {
+ /*
+ * Rcodes can't be bigger than 12 bits, which is why we
+ * AND with 0xFFF instead of 0xFFFF.
+ */
+ return ((dns_rcode_t)((result) & 0xFFF));
+ }
+ /*
+ * Try to supply an appropriate rcode.
+ */
+ switch (result) {
+ case ISC_R_SUCCESS:
+ rcode = dns_rcode_noerror;
+ break;
+ case ISC_R_BADBASE64:
+ case ISC_R_NOSPACE:
+ case ISC_R_RANGE:
+ case ISC_R_UNEXPECTEDEND:
+ case DNS_R_BADAAAA:
+ /* case DNS_R_BADBITSTRING: deprecated */
+ case DNS_R_BADCKSUM:
+ case DNS_R_BADCLASS:
+ case DNS_R_BADLABELTYPE:
+ case DNS_R_BADPOINTER:
+ case DNS_R_BADTTL:
+ case DNS_R_BADZONE:
+ /* case DNS_R_BITSTRINGTOOLONG: deprecated */
+ case DNS_R_EXTRADATA:
+ case DNS_R_LABELTOOLONG:
+ case DNS_R_NOREDATA:
+ case DNS_R_SYNTAX:
+ case DNS_R_TEXTTOOLONG:
+ case DNS_R_TOOMANYHOPS:
+ case DNS_R_TSIGERRORSET:
+ case DNS_R_UNKNOWN:
+ rcode = dns_rcode_formerr;
+ break;
+ case DNS_R_DISALLOWED:
+ rcode = dns_rcode_refused;
+ break;
+ case DNS_R_TSIGVERIFYFAILURE:
+ case DNS_R_CLOCKSKEW:
+ rcode = dns_rcode_notauth;
+ break;
+ default:
+ rcode = dns_rcode_servfail;
+ }
+
+ return (rcode);
+}
diff --git a/contrib/bind9/lib/dns/rootns.c b/contrib/bind9/lib/dns/rootns.c
new file mode 100644
index 0000000..9e9c940
--- /dev/null
+++ b/contrib/bind9/lib/dns/rootns.c
@@ -0,0 +1,247 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rootns.c,v 1.20.2.3.2.5 2004/03/08 09:04:32 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/log.h>
+#include <dns/fixedname.h>
+#include <dns/master.h>
+#include <dns/rdata.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/rootns.h>
+
+static char root_ns[] =
+";\n"
+"; Internet Root Nameservers\n"
+";\n"
+"; Thu Sep 23 17:57:37 PDT 1999\n"
+";\n"
+"$TTL 518400\n"
+". 518400 IN NS A.ROOT-SERVERS.NET.\n"
+". 518400 IN NS B.ROOT-SERVERS.NET.\n"
+". 518400 IN NS C.ROOT-SERVERS.NET.\n"
+". 518400 IN NS D.ROOT-SERVERS.NET.\n"
+". 518400 IN NS E.ROOT-SERVERS.NET.\n"
+". 518400 IN NS F.ROOT-SERVERS.NET.\n"
+". 518400 IN NS G.ROOT-SERVERS.NET.\n"
+". 518400 IN NS H.ROOT-SERVERS.NET.\n"
+". 518400 IN NS I.ROOT-SERVERS.NET.\n"
+". 518400 IN NS J.ROOT-SERVERS.NET.\n"
+". 518400 IN NS K.ROOT-SERVERS.NET.\n"
+". 518400 IN NS L.ROOT-SERVERS.NET.\n"
+". 518400 IN NS M.ROOT-SERVERS.NET.\n"
+"A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4\n"
+"B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201\n"
+"C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12\n"
+"D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90\n"
+"E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10\n"
+"F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241\n"
+"G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4\n"
+"H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53\n"
+"I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17\n"
+"J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30\n"
+"K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129\n"
+"L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12\n"
+"M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33\n";
+
+static isc_result_t
+in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_ns_t ns;
+
+ if (!dns_rdataset_isassociated(rootns))
+ return (ISC_R_NOTFOUND);
+
+ result = dns_rdataset_first(rootns);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(rootns, &rdata);
+ result = dns_rdata_tostruct(&rdata, &ns, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (dns_name_compare(name, &ns.name) == 0)
+ return (ISC_R_SUCCESS);
+ result = dns_rdataset_next(rootns);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_NOTFOUND;
+ return (result);
+}
+
+static isc_result_t
+check_node(dns_rdataset_t *rootns, dns_name_t *name,
+ dns_rdatasetiter_t *rdsiter) {
+ isc_result_t result;
+ dns_rdataset_t rdataset;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_rdatasetiter_first(rdsiter);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ switch (rdataset.type) {
+ case dns_rdatatype_a:
+ case dns_rdatatype_aaaa:
+ result = in_rootns(rootns, name);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ break;
+ case dns_rdatatype_ns:
+ if (dns_name_compare(name, dns_rootname) == 0)
+ break;
+ /*FALLTHROUGH*/
+ default:
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+ dns_rdataset_disassociate(&rdataset);
+ result = dns_rdatasetiter_next(rdsiter);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ cleanup:
+ if (dns_rdataset_isassociated(&rdataset))
+ dns_rdataset_disassociate(&rdataset);
+ return (result);
+}
+
+static isc_result_t
+check_hints(dns_db_t *db) {
+ isc_result_t result;
+ dns_rdataset_t rootns;
+ dns_dbiterator_t *dbiter = NULL;
+ dns_dbnode_t *node = NULL;
+ isc_stdtime_t now;
+ dns_fixedname_t fixname;
+ dns_name_t *name;
+ dns_rdatasetiter_t *rdsiter = NULL;
+
+ isc_stdtime_get(&now);
+
+ dns_fixedname_init(&fixname);
+ name = dns_fixedname_name(&fixname);
+
+ dns_rdataset_init(&rootns);
+ (void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
+ now, NULL, name, &rootns, NULL);
+ result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_dbiterator_first(dbiter);
+ while (result == ISC_R_SUCCESS) {
+ result = dns_dbiterator_current(dbiter, &node, name);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_db_allrdatasets(db, node, NULL, now, &rdsiter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = check_node(&rootns, name, rdsiter);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdatasetiter_destroy(&rdsiter);
+ dns_db_detachnode(db, &node);
+ result = dns_dbiterator_next(dbiter);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ if (dns_rdataset_isassociated(&rootns))
+ dns_rdataset_disassociate(&rootns);
+ if (rdsiter != NULL)
+ dns_rdatasetiter_destroy(&rdsiter);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (dbiter != NULL)
+ dns_dbiterator_destroy(&dbiter);
+ return (result);
+}
+
+isc_result_t
+dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ const char *filename, dns_db_t **target)
+{
+ isc_result_t result, eresult;
+ isc_buffer_t source;
+ size_t len;
+ dns_rdatacallbacks_t callbacks;
+ dns_db_t *db = NULL;
+
+ REQUIRE(target != NULL && *target == NULL);
+
+ result = dns_db_create(mctx, "rbt", dns_rootname, dns_dbtype_zone,
+ rdclass, 0, NULL, &db);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dns_rdatacallbacks_init(&callbacks);
+
+ len = strlen(root_ns);
+ isc_buffer_init(&source, root_ns, len);
+ isc_buffer_add(&source, len);
+
+ result = dns_db_beginload(db, &callbacks.add,
+ &callbacks.add_private);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (filename != NULL) {
+ /*
+ * Load the hints from the specified filename.
+ */
+ result = dns_master_loadfile(filename, &db->origin,
+ &db->origin, db->rdclass,
+ DNS_MASTER_HINT,
+ &callbacks, db->mctx);
+ } else if (rdclass == dns_rdataclass_in) {
+ /*
+ * Default to using the Internet root servers.
+ */
+ result = dns_master_loadbuffer(&source, &db->origin,
+ &db->origin, db->rdclass,
+ DNS_MASTER_HINT,
+ &callbacks, db->mctx);
+ } else
+ result = ISC_R_NOTFOUND;
+ eresult = dns_db_endload(db, &callbacks.add_private);
+ if (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE)
+ result = eresult;
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+ goto db_detach;
+ if (check_hints(db) != ISC_R_SUCCESS)
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_HINTS, ISC_LOG_WARNING,
+ "extra data in root hints '%s'",
+ (filename != NULL) ? filename : "<BUILT-IN>");
+ *target = db;
+ return (ISC_R_SUCCESS);
+
+ db_detach:
+ dns_db_detach(&db);
+
+ return (result);
+}
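Review bot: In dns_rootns_create, the failure path after dns_db_beginload() leaves with `return (result);` even though dns_db_create() has already succeeded, so the reference held in `db` is never released on that path. Every later failure in the function goes through the `db_detach` label, and this one should as well: `if (result != ISC_R_SUCCESS) goto db_detach;`. The leak is only reached when beginload fails, which is presumably rare, but it leaves the function's cleanup inconsistent and is easy to miss in later edits. Since this file is part of a vendor import, the change is best reported upstream rather than carried as a local patch.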
diff --git a/contrib/bind9/lib/dns/sdb.c b/contrib/bind9/lib/dns/sdb.c
new file mode 100644
index 0000000..ef22418
--- /dev/null
+++ b/contrib/bind9/lib/dns/sdb.c
@@ -0,0 +1,1528 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sdb.c,v 1.35.12.8 2004/07/22 04:01:58 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+#include <dns/sdb.h>
+#include <dns/types.h>
+
+#include "rdatalist_p.h"
+
+struct dns_sdbimplementation {
+ const dns_sdbmethods_t *methods;
+ void *driverdata;
+ unsigned int flags;
+ isc_mem_t *mctx;
+ isc_mutex_t driverlock;
+ dns_dbimplementation_t *dbimp;
+};
+
+struct dns_sdb {
+ /* Unlocked */
+ dns_db_t common;
+ char *zone;
+ dns_sdbimplementation_t *implementation;
+ void *dbdata;
+ isc_mutex_t lock;
+ /* Locked */
+ unsigned int references;
+};
+
+struct dns_sdblookup {
+ /* Unlocked */
+ unsigned int magic;
+ dns_sdb_t *sdb;
+ ISC_LIST(dns_rdatalist_t) lists;
+ ISC_LIST(isc_buffer_t) buffers;
+ dns_name_t *name;
+ ISC_LINK(dns_sdblookup_t) link;
+ isc_mutex_t lock;
+ dns_rdatacallbacks_t callbacks;
+ /* Locked */
+ unsigned int references;
+};
+
+typedef struct dns_sdblookup dns_sdbnode_t;
+
+struct dns_sdballnodes {
+ dns_dbiterator_t common;
+ ISC_LIST(dns_sdbnode_t) nodelist;
+ dns_sdbnode_t *current;
+ dns_sdbnode_t *origin;
+};
+
+typedef dns_sdballnodes_t sdb_dbiterator_t;
+
+typedef struct sdb_rdatasetiter {
+ dns_rdatasetiter_t common;
+ dns_rdatalist_t *current;
+} sdb_rdatasetiter_t;
+
+#define SDB_MAGIC ISC_MAGIC('S', 'D', 'B', '-')
+
+/*
+ * Note that "impmagic" is not the first four bytes of the struct, so
+ * ISC_MAGIC_VALID cannot be used.
+ */
+#define VALID_SDB(sdb) ((sdb) != NULL && \
+ (sdb)->common.impmagic == SDB_MAGIC)
+
+#define SDBLOOKUP_MAGIC ISC_MAGIC('S','D','B','L')
+#define VALID_SDBLOOKUP(sdbl) ISC_MAGIC_VALID(sdbl, SDBLOOKUP_MAGIC)
+#define VALID_SDBNODE(sdbn) VALID_SDBLOOKUP(sdbn)
+
+/* These values are taken from RFC 1537 */
+#define SDB_DEFAULT_REFRESH (60 * 60 * 8)
+#define SDB_DEFAULT_RETRY (60 * 60 * 2)
+#define SDB_DEFAULT_EXPIRE (60 * 60 * 24 * 7)
+#define SDB_DEFAULT_MINIMUM (60 * 60 * 24)
+
+/* This is a reasonable value */
+#define SDB_DEFAULT_TTL (60 * 60 * 24)
+
+#define MAYBE_LOCK(sdb) \
+ do { \
+ unsigned int flags = sdb->implementation->flags; \
+ if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \
+ LOCK(&sdb->implementation->driverlock); \
+ } while (0)
+
+#define MAYBE_UNLOCK(sdb) \
+ do { \
+ unsigned int flags = sdb->implementation->flags; \
+ if ((flags & DNS_SDBFLAG_THREADSAFE) == 0) \
+ UNLOCK(&sdb->implementation->driverlock); \
+ } while (0)
+
+static int dummy;
+
+static isc_result_t dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin,
+ dns_dbtype_t type, dns_rdataclass_t rdclass,
+ unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp);
+
+static isc_result_t findrdataset(dns_db_t *db, dns_dbnode_t *node,
+ dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset);
+
+static isc_result_t createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep);
+
+static void destroynode(dns_sdbnode_t *node);
+
+static void detachnode(dns_db_t *db, dns_dbnode_t **targetp);
+
+
+static void list_tordataset(dns_rdatalist_t *rdatalist,
+ dns_db_t *db, dns_dbnode_t *node,
+ dns_rdataset_t *rdataset);
+
+static void dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_seek(dns_dbiterator_t *iterator,
+ dns_name_t *name);
+static isc_result_t dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_current(dns_dbiterator_t *iterator,
+ dns_dbnode_t **nodep,
+ dns_name_t *name);
+static isc_result_t dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t dbiterator_origin(dns_dbiterator_t *iterator,
+ dns_name_t *name);
+
+static dns_dbiteratormethods_t dbiterator_methods = {
+ dbiterator_destroy,
+ dbiterator_first,
+ dbiterator_last,
+ dbiterator_seek,
+ dbiterator_prev,
+ dbiterator_next,
+ dbiterator_current,
+ dbiterator_pause,
+ dbiterator_origin
+};
+
+static void rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp);
+static isc_result_t rdatasetiter_first(dns_rdatasetiter_t *iterator);
+static isc_result_t rdatasetiter_next(dns_rdatasetiter_t *iterator);
+static void rdatasetiter_current(dns_rdatasetiter_t *iterator,
+ dns_rdataset_t *rdataset);
+
+static dns_rdatasetitermethods_t rdatasetiter_methods = {
+ rdatasetiter_destroy,
+ rdatasetiter_first,
+ rdatasetiter_next,
+ rdatasetiter_current
+};
+
+/*
+ * Functions used by implementors of simple databases
+ */
+isc_result_t
+dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
+ void *driverdata, unsigned int flags, isc_mem_t *mctx,
+ dns_sdbimplementation_t **sdbimp)
+{
+ dns_sdbimplementation_t *imp;
+ isc_result_t result;
+
+ REQUIRE(drivername != NULL);
+ REQUIRE(methods != NULL);
+ REQUIRE(methods->lookup != NULL);
+ REQUIRE(mctx != NULL);
+ REQUIRE(sdbimp != NULL && *sdbimp == NULL);
+ REQUIRE((flags & ~(DNS_SDBFLAG_RELATIVEOWNER |
+ DNS_SDBFLAG_RELATIVERDATA |
+ DNS_SDBFLAG_THREADSAFE)) == 0);
+
+ imp = isc_mem_get(mctx, sizeof(dns_sdbimplementation_t));
+ if (imp == NULL)
+ return (ISC_R_NOMEMORY);
+ imp->methods = methods;
+ imp->driverdata = driverdata;
+ imp->flags = flags;
+ imp->mctx = NULL;
+ isc_mem_attach(mctx, &imp->mctx);
+ result = isc_mutex_init(&imp->driverlock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ goto cleanup_mctx;
+ }
+
+ imp->dbimp = NULL;
+ result = dns_db_register(drivername, dns_sdb_create, imp, mctx,
+ &imp->dbimp);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_mutex;
+ *sdbimp = imp;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_mutex:
+ DESTROYLOCK(&imp->driverlock);
+ cleanup_mctx:
+ isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
+ return (result);
+}
+
+void
+dns_sdb_unregister(dns_sdbimplementation_t **sdbimp) {
+ dns_sdbimplementation_t *imp;
+ isc_mem_t *mctx;
+
+ REQUIRE(sdbimp != NULL && *sdbimp != NULL);
+
+ imp = *sdbimp;
+ dns_db_unregister(&imp->dbimp);
+ DESTROYLOCK(&imp->driverlock);
+
+ mctx = imp->mctx;
+ isc_mem_put(mctx, imp, sizeof(dns_sdbimplementation_t));
+ isc_mem_detach(&mctx);
+
+ *sdbimp = NULL;
+}
+
+static inline unsigned int
+initial_size(unsigned int len) {
+ unsigned int size;
+ for (size = 64; size < (64 * 1024); size *= 2)
+ if (len < size)
+ return (size);
+ return (64 * 1024);
+}
+
+isc_result_t
+dns_sdb_putrdata(dns_sdblookup_t *lookup, dns_rdatatype_t typeval, dns_ttl_t ttl,
+ const unsigned char *rdatap, unsigned int rdlen)
+{
+ dns_rdatalist_t *rdatalist;
+ dns_rdata_t *rdata;
+ isc_buffer_t *rdatabuf = NULL;
+ isc_result_t result;
+ isc_mem_t *mctx;
+ isc_region_t region;
+
+ mctx = lookup->sdb->common.mctx;
+
+ rdatalist = ISC_LIST_HEAD(lookup->lists);
+ while (rdatalist != NULL) {
+ if (rdatalist->type == typeval)
+ break;
+ rdatalist = ISC_LIST_NEXT(rdatalist, link);
+ }
+
+ if (rdatalist == NULL) {
+ rdatalist = isc_mem_get(mctx, sizeof(dns_rdatalist_t));
+ if (rdatalist == NULL)
+ return (ISC_R_NOMEMORY);
+ rdatalist->rdclass = lookup->sdb->common.rdclass;
+ rdatalist->type = typeval;
+ rdatalist->covers = 0;
+ rdatalist->ttl = ttl;
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LINK_INIT(rdatalist, link);
+ ISC_LIST_APPEND(lookup->lists, rdatalist, link);
+ } else
+ if (rdatalist->ttl != ttl)
+ return (DNS_R_BADTTL);
+
+ rdata = isc_mem_get(mctx, sizeof(dns_rdata_t));
+ if (rdata == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_buffer_allocate(mctx, &rdatabuf, rdlen);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ DE_CONST(rdatap, region.base);
+ region.length = rdlen;
+ isc_buffer_copyregion(rdatabuf, &region);
+ isc_buffer_usedregion(rdatabuf, &region);
+ dns_rdata_init(rdata);
+ dns_rdata_fromregion(rdata, rdatalist->rdclass, rdatalist->type,
+ &region);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ ISC_LIST_APPEND(lookup->buffers, rdatabuf, link);
+ rdata = NULL;
+
+ failure:
+ if (rdata != NULL)
+ isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+ return (result);
+}
+
+
+isc_result_t
+dns_sdb_putrr(dns_sdblookup_t *lookup, const char *type, dns_ttl_t ttl,
+ const char *data)
+{
+ unsigned int datalen;
+ dns_rdatatype_t typeval;
+ isc_textregion_t r;
+ isc_lex_t *lex = NULL;
+ isc_result_t result;
+ unsigned char *p = NULL;
+ unsigned int size = 0; /* Init to suppress compiler warning */
+ isc_mem_t *mctx;
+ dns_sdbimplementation_t *imp;
+ dns_name_t *origin;
+ isc_buffer_t b;
+ isc_buffer_t rb;
+
+ REQUIRE(VALID_SDBLOOKUP(lookup));
+ REQUIRE(type != NULL);
+ REQUIRE(data != NULL);
+
+ mctx = lookup->sdb->common.mctx;
+
+ DE_CONST(type, r.base);
+ r.length = strlen(type);
+ result = dns_rdatatype_fromtext(&typeval, &r);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ imp = lookup->sdb->implementation;
+ if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
+ origin = &lookup->sdb->common.origin;
+ else
+ origin = dns_rootname;
+
+ result = isc_lex_create(mctx, 64, &lex);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ datalen = strlen(data);
+ size = initial_size(datalen);
+ for (;;) {
+ isc_buffer_init(&b, data, datalen);
+ isc_buffer_add(&b, datalen);
+ result = isc_lex_openbuffer(lex, &b);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ p = isc_mem_get(mctx, size);
+ if (p == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ isc_buffer_init(&rb, p, size);
+ result = dns_rdata_fromtext(NULL,
+ lookup->sdb->common.rdclass,
+ typeval, lex,
+ origin, 0,
+ mctx, &rb,
+ &lookup->callbacks);
+ if (result != ISC_R_NOSPACE)
+ break;
+
+ isc_mem_put(mctx, p, size);
+ p = NULL;
+ size *= 2;
+ } while (result == ISC_R_NOSPACE);
+
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ result = dns_sdb_putrdata(lookup, typeval, ttl,
+ isc_buffer_base(&rb),
+ isc_buffer_usedlength(&rb));
+ failure:
+ if (p != NULL)
+ isc_mem_put(mctx, p, size);
+ if (lex != NULL)
+ isc_lex_destroy(&lex);
+
+ return (result);
+}
+
+static isc_result_t
+getnode(dns_sdballnodes_t *allnodes, const char *name, dns_sdbnode_t **nodep) {
+ dns_name_t *newname, *origin;
+ dns_fixedname_t fnewname;
+ dns_sdb_t *sdb = (dns_sdb_t *)allnodes->common.db;
+ dns_sdbimplementation_t *imp = sdb->implementation;
+ dns_sdbnode_t *sdbnode;
+ isc_mem_t *mctx = sdb->common.mctx;
+ isc_buffer_t b;
+ isc_result_t result;
+
+ dns_fixedname_init(&fnewname);
+ newname = dns_fixedname_name(&fnewname);
+
+ if ((imp->flags & DNS_SDBFLAG_RELATIVERDATA) != 0)
+ origin = &sdb->common.origin;
+ else
+ origin = dns_rootname;
+ isc_buffer_init(&b, name, strlen(name));
+ isc_buffer_add(&b, strlen(name));
+
+ result = dns_name_fromtext(newname, &b, origin, ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (allnodes->common.relative_names) {
+ /* All names are relative to the root */
+ unsigned int nlabels = dns_name_countlabels(newname);
+ dns_name_getlabelsequence(newname, 0, nlabels - 1, newname);
+ }
+
+ sdbnode = ISC_LIST_HEAD(allnodes->nodelist);
+ if (sdbnode == NULL || !dns_name_equal(sdbnode->name, newname)) {
+ sdbnode = NULL;
+ result = createnode(sdb, &sdbnode);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ sdbnode->name = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (sdbnode->name == NULL) {
+ destroynode(sdbnode);
+ return (ISC_R_NOMEMORY);
+ }
+ dns_name_init(sdbnode->name, NULL);
+ result = dns_name_dup(newname, mctx, sdbnode->name);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, sdbnode->name, sizeof(dns_name_t));
+ destroynode(sdbnode);
+ return (result);
+ }
+ ISC_LIST_PREPEND(allnodes->nodelist, sdbnode, link);
+ if (allnodes->origin == NULL &&
+ dns_name_equal(newname, &sdb->common.origin))
+ allnodes->origin = sdbnode;
+ }
+ *nodep = sdbnode;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_sdb_putnamedrr(dns_sdballnodes_t *allnodes, const char *name,
+ const char *type, dns_ttl_t ttl, const char *data)
+{
+ isc_result_t result;
+ dns_sdbnode_t *sdbnode = NULL;
+ result = getnode(allnodes, name, &sdbnode);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (dns_sdb_putrr(sdbnode, type, ttl, data));
+}
+
+isc_result_t
+dns_sdb_putnamedrdata(dns_sdballnodes_t *allnodes, const char *name,
+ dns_rdatatype_t type, dns_ttl_t ttl,
+ const void *rdata, unsigned int rdlen)
+{
+ isc_result_t result;
+ dns_sdbnode_t *sdbnode = NULL;
+ result = getnode(allnodes, name, &sdbnode);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (dns_sdb_putrdata(sdbnode, type, ttl, rdata, rdlen));
+}
+
+isc_result_t
+dns_sdb_putsoa(dns_sdblookup_t *lookup, const char *mname, const char *rname,
+ isc_uint32_t serial)
+{
+ char str[2 * DNS_NAME_MAXTEXT + 5 * (sizeof("2147483647")) + 7];
+ int n;
+
+ REQUIRE(mname != NULL);
+ REQUIRE(rname != NULL);
+
+ n = snprintf(str, sizeof(str), "%s %s %u %u %u %u %u",
+ mname, rname, serial,
+ SDB_DEFAULT_REFRESH, SDB_DEFAULT_RETRY,
+ SDB_DEFAULT_EXPIRE, SDB_DEFAULT_MINIMUM);
+ if (n >= (int)sizeof(str) || n < 0)
+ return (ISC_R_NOSPACE);
+ return (dns_sdb_putrr(lookup, "SOA", SDB_DEFAULT_TTL, str));
+}
+
+/*
+ * DB routines
+ */
+
+static void
+attach(dns_db_t *source, dns_db_t **targetp) {
+ dns_sdb_t *sdb = (dns_sdb_t *) source;
+
+ REQUIRE(VALID_SDB(sdb));
+
+ LOCK(&sdb->lock);
+ REQUIRE(sdb->references > 0);
+ sdb->references++;
+ UNLOCK(&sdb->lock);
+
+ *targetp = source;
+}
+
+static void
+destroy(dns_sdb_t *sdb) {
+ isc_mem_t *mctx;
+ dns_sdbimplementation_t *imp = sdb->implementation;
+
+ mctx = sdb->common.mctx;
+
+ if (imp->methods->destroy != NULL) {
+ MAYBE_LOCK(sdb);
+ imp->methods->destroy(sdb->zone, imp->driverdata,
+ &sdb->dbdata);
+ MAYBE_UNLOCK(sdb);
+ }
+
+ isc_mem_free(mctx, sdb->zone);
+ DESTROYLOCK(&sdb->lock);
+
+ sdb->common.magic = 0;
+ sdb->common.impmagic = 0;
+
+ dns_name_free(&sdb->common.origin, mctx);
+
+ isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
+ isc_mem_detach(&mctx);
+}
+
+static void
+detach(dns_db_t **dbp) {
+ dns_sdb_t *sdb = (dns_sdb_t *)(*dbp);
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(VALID_SDB(sdb));
+ LOCK(&sdb->lock);
+ REQUIRE(sdb->references > 0);
+ sdb->references--;
+ if (sdb->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&sdb->lock);
+
+ if (need_destroy)
+ destroy(sdb);
+
+ *dbp = NULL;
+}
+
+static isc_result_t
+beginload(dns_db_t *db, dns_addrdatasetfunc_t *addp, dns_dbload_t **dbloadp) {
+ UNUSED(db);
+ UNUSED(addp);
+ UNUSED(dbloadp);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+endload(dns_db_t *db, dns_dbload_t **dbloadp) {
+ UNUSED(db);
+ UNUSED(dbloadp);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+dump(dns_db_t *db, dns_dbversion_t *version, const char *filename) {
+ UNUSED(db);
+ UNUSED(version);
+ UNUSED(filename);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+currentversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ REQUIRE(versionp != NULL && *versionp == NULL);
+
+ UNUSED(db);
+
+ *versionp = (void *) &dummy;
+ return;
+}
+
+static isc_result_t
+newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ UNUSED(db);
+ UNUSED(versionp);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachversion(dns_db_t *db, dns_dbversion_t *source,
+ dns_dbversion_t **targetp)
+{
+ REQUIRE(source != NULL && source == (void *) &dummy);
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ UNUSED(db);
+ *targetp = source;
+ return;
+}
+
+static void
+closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
+ REQUIRE(versionp != NULL && *versionp == (void *) &dummy);
+ REQUIRE(commit == ISC_FALSE);
+
+ UNUSED(db);
+ UNUSED(commit);
+
+ *versionp = NULL;
+}
+
+static isc_result_t
+createnode(dns_sdb_t *sdb, dns_sdbnode_t **nodep) {
+ dns_sdbnode_t *node;
+ isc_result_t result;
+
+ node = isc_mem_get(sdb->common.mctx, sizeof(dns_sdbnode_t));
+ if (node == NULL)
+ return (ISC_R_NOMEMORY);
+
+ node->sdb = NULL;
+ attach((dns_db_t *)sdb, (dns_db_t **)&node->sdb);
+ ISC_LIST_INIT(node->lists);
+ ISC_LIST_INIT(node->buffers);
+ ISC_LINK_INIT(node, link);
+ node->name = NULL;
+ result = isc_mutex_init(&node->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ isc_mem_put(sdb->common.mctx, node, sizeof(dns_sdbnode_t));
+ return (ISC_R_UNEXPECTED);
+ }
+ dns_rdatacallbacks_init(&node->callbacks);
+ node->references = 1;
+ node->magic = SDBLOOKUP_MAGIC;
+
+ *nodep = node;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+destroynode(dns_sdbnode_t *node) {
+ dns_rdatalist_t *list;
+ dns_rdata_t *rdata;
+ isc_buffer_t *b;
+ dns_sdb_t *sdb;
+ isc_mem_t *mctx;
+
+ sdb = node->sdb;
+ mctx = sdb->common.mctx;
+
+ while (!ISC_LIST_EMPTY(node->lists)) {
+ list = ISC_LIST_HEAD(node->lists);
+ while (!ISC_LIST_EMPTY(list->rdata)) {
+ rdata = ISC_LIST_HEAD(list->rdata);
+ ISC_LIST_UNLINK(list->rdata, rdata, link);
+ isc_mem_put(mctx, rdata, sizeof(dns_rdata_t));
+ }
+ ISC_LIST_UNLINK(node->lists, list, link);
+ isc_mem_put(mctx, list, sizeof(dns_rdatalist_t));
+ }
+
+ while (!ISC_LIST_EMPTY(node->buffers)) {
+ b = ISC_LIST_HEAD(node->buffers);
+ ISC_LIST_UNLINK(node->buffers, b, link);
+ isc_buffer_free(&b);
+ }
+
+ if (node->name != NULL) {
+ dns_name_free(node->name, mctx);
+ isc_mem_put(mctx, node->name, sizeof(dns_name_t));
+ }
+ DESTROYLOCK(&node->lock);
+ node->magic = 0;
+ isc_mem_put(mctx, node, sizeof(dns_sdbnode_t));
+ detach((dns_db_t **) (void *)&sdb);
+}
+
+static isc_result_t
+findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+ dns_dbnode_t **nodep)
+{
+ dns_sdb_t *sdb = (dns_sdb_t *)db;
+ dns_sdbnode_t *node = NULL;
+ isc_result_t result;
+ isc_buffer_t b;
+ char namestr[DNS_NAME_MAXTEXT + 1];
+ isc_boolean_t isorigin;
+ dns_sdbimplementation_t *imp;
+
+ REQUIRE(VALID_SDB(sdb));
+ REQUIRE(create == ISC_FALSE);
+ REQUIRE(nodep != NULL && *nodep == NULL);
+
+ UNUSED(name);
+ UNUSED(create);
+
+ imp = sdb->implementation;
+
+ isc_buffer_init(&b, namestr, sizeof(namestr));
+ if ((imp->flags & DNS_SDBFLAG_RELATIVEOWNER) != 0) {
+ dns_name_t relname;
+ unsigned int labels;
+
+ labels = dns_name_countlabels(name) -
+ dns_name_countlabels(&db->origin);
+ dns_name_init(&relname, NULL);
+ dns_name_getlabelsequence(name, 0, labels, &relname);
+ result = dns_name_totext(&relname, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else {
+ result = dns_name_totext(name, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ isc_buffer_putuint8(&b, 0);
+
+ result = createnode(sdb, &node);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isorigin = dns_name_equal(name, &sdb->common.origin);
+
+ MAYBE_LOCK(sdb);
+ result = imp->methods->lookup(sdb->zone, namestr, sdb->dbdata, node);
+ MAYBE_UNLOCK(sdb);
+ if (result != ISC_R_SUCCESS &&
+ !(result == ISC_R_NOTFOUND &&
+ isorigin && imp->methods->authority != NULL))
+ {
+ destroynode(node);
+ return (result);
+ }
+
+ if (isorigin && imp->methods->authority != NULL) {
+ MAYBE_LOCK(sdb);
+ result = imp->methods->authority(sdb->zone, sdb->dbdata, node);
+ MAYBE_UNLOCK(sdb);
+ if (result != ISC_R_SUCCESS) {
+ destroynode(node);
+ return (result);
+ }
+ }
+
+ *nodep = node;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
+ dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
+ dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ dns_sdb_t *sdb = (dns_sdb_t *)db;
+ dns_dbnode_t *node = NULL;
+ dns_fixedname_t fname;
+ dns_rdataset_t xrdataset;
+ dns_name_t *xname;
+ unsigned int nlabels, olabels;
+ isc_result_t result;
+ unsigned int i;
+
+ REQUIRE(VALID_SDB(sdb));
+ REQUIRE(nodep == NULL || *nodep == NULL);
+ REQUIRE(version == NULL || version == (void *) &dummy);
+
+ UNUSED(options);
+ UNUSED(sdb);
+
+ if (!dns_name_issubdomain(name, &db->origin))
+ return (DNS_R_NXDOMAIN);
+
+ olabels = dns_name_countlabels(&db->origin);
+ nlabels = dns_name_countlabels(name);
+
+ dns_fixedname_init(&fname);
+ xname = dns_fixedname_name(&fname);
+
+ if (rdataset == NULL) {
+ dns_rdataset_init(&xrdataset);
+ rdataset = &xrdataset;
+ }
+
+ result = DNS_R_NXDOMAIN;
+
+ for (i = olabels; i <= nlabels; i++) {
+ /*
+ * Unless this is an explicit lookup at the origin, don't
+ * look at the origin.
+ */
+ if (i == olabels && i != nlabels)
+ continue;
+
+ /*
+ * Look up the next label.
+ */
+ dns_name_getlabelsequence(name, nlabels - i, i, xname);
+ result = findnode(db, xname, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS) {
+ result = DNS_R_NXDOMAIN;
+ continue;
+ }
+
+ /*
+ * Look for a DNAME at the current label, unless this is
+ * the qname.
+ */
+ if (i < nlabels) {
+ result = findrdataset(db, node, version,
+ dns_rdatatype_dname,
+ 0, now, rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS) {
+ result = DNS_R_DNAME;
+ break;
+ }
+ }
+
+ /*
+ * Look for an NS at the current label, unless this is the
+ * origin or glue is ok.
+ */
+ if (i != olabels && (options & DNS_DBFIND_GLUEOK) == 0) {
+ result = findrdataset(db, node, version,
+ dns_rdatatype_ns,
+ 0, now, rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS) {
+ if (i == nlabels && type == dns_rdatatype_any)
+ {
+ result = DNS_R_ZONECUT;
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL)
+ dns_rdataset_disassociate
+ (sigrdataset);
+ } else
+ result = DNS_R_DELEGATION;
+ break;
+ }
+ }
+
+ /*
+ * If the current name is not the qname, add another label
+ * and try again.
+ */
+ if (i < nlabels) {
+ destroynode(node);
+ node = NULL;
+ continue;
+ }
+
+ /*
+ * If we're looking for ANY, we're done.
+ */
+ if (type == dns_rdatatype_any) {
+ result = ISC_R_SUCCESS;
+ break;
+ }
+
+ /*
+ * Look for the qtype.
+ */
+ result = findrdataset(db, node, version, type,
+ 0, now, rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS)
+ break;
+
+ /*
+ * Look for a CNAME
+ */
+ if (type != dns_rdatatype_cname) {
+ result = findrdataset(db, node, version,
+ dns_rdatatype_cname,
+ 0, now, rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS) {
+ result = DNS_R_CNAME;
+ break;
+ }
+ }
+
+ result = DNS_R_NXRRSET;
+ break;
+ }
+
+ if (rdataset == &xrdataset && dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+
+ if (foundname != NULL) {
+ isc_result_t xresult;
+
+ xresult = dns_name_copy(xname, foundname, NULL);
+ if (xresult != ISC_R_SUCCESS) {
+ destroynode(node);
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ return (DNS_R_BADDB);
+ }
+ }
+
+ if (nodep != NULL)
+ *nodep = node;
+ else if (node != NULL)
+ detachnode(db, &node);
+
+ return (result);
+}
+
+static isc_result_t
+findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
+ isc_stdtime_t now, dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ UNUSED(db);
+ UNUSED(name);
+ UNUSED(options);
+ UNUSED(now);
+ UNUSED(nodep);
+ UNUSED(foundname);
+ UNUSED(rdataset);
+ UNUSED(sigrdataset);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static void
+attachnode(dns_db_t *db, dns_dbnode_t *source, dns_dbnode_t **targetp) {
+ dns_sdb_t *sdb = (dns_sdb_t *)db;
+ dns_sdbnode_t *node = (dns_sdbnode_t *)source;
+
+ REQUIRE(VALID_SDB(sdb));
+
+ UNUSED(sdb);
+
+ LOCK(&node->lock);
+ INSIST(node->references > 0);
+ node->references++;
+ INSIST(node->references != 0); /* Catch overflow. */
+ UNLOCK(&node->lock);
+
+ *targetp = source;
+}
+
+static void
+detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
+ dns_sdb_t *sdb = (dns_sdb_t *)db;
+ dns_sdbnode_t *node;
+ isc_boolean_t need_destroy = ISC_FALSE;
+
+ REQUIRE(VALID_SDB(sdb));
+ REQUIRE(targetp != NULL && *targetp != NULL);
+
+ UNUSED(sdb);
+
+ node = (dns_sdbnode_t *)(*targetp);
+
+ LOCK(&node->lock);
+ INSIST(node->references > 0);
+ node->references--;
+ if (node->references == 0)
+ need_destroy = ISC_TRUE;
+ UNLOCK(&node->lock);
+
+ if (need_destroy)
+ destroynode(node);
+
+ *targetp = NULL;
+}
+
+static isc_result_t
+expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(now);
+ INSIST(0);
+ return (ISC_R_UNEXPECTED);
+}
+
+static void
+printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(out);
+ return;
+}
+
+static isc_result_t
+createiterator(dns_db_t *db, isc_boolean_t relative_names,
+ dns_dbiterator_t **iteratorp)
+{
+ dns_sdb_t *sdb = (dns_sdb_t *)db;
+ sdb_dbiterator_t *sdbiter;
+ dns_sdbimplementation_t *imp = sdb->implementation;
+ isc_result_t result;
+
+ REQUIRE(VALID_SDB(sdb));
+
+ if (imp->methods->allnodes == NULL)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
+ if (sdbiter == NULL)
+ return (ISC_R_NOMEMORY);
+
+ sdbiter->common.methods = &dbiterator_methods;
+ sdbiter->common.db = NULL;
+ dns_db_attach(db, &sdbiter->common.db);
+ sdbiter->common.relative_names = relative_names;
+ sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
+ ISC_LIST_INIT(sdbiter->nodelist);
+ sdbiter->current = NULL;
+ sdbiter->origin = NULL;
+
+ MAYBE_LOCK(sdb);
+ result = imp->methods->allnodes(sdb->zone, sdb->dbdata, sdbiter);
+ MAYBE_UNLOCK(sdb);
+ if (result != ISC_R_SUCCESS) {
+ dbiterator_destroy((dns_dbiterator_t **) (void *)&sdbiter);
+ return (result);
+ }
+
+ if (sdbiter->origin != NULL) {
+ ISC_LIST_UNLINK(sdbiter->nodelist, sdbiter->origin, link);
+ ISC_LIST_PREPEND(sdbiter->nodelist, sdbiter->origin, link);
+ }
+
+ *iteratorp = (dns_dbiterator_t *)sdbiter;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers,
+ isc_stdtime_t now, dns_rdataset_t *rdataset,
+ dns_rdataset_t *sigrdataset)
+{
+ dns_rdatalist_t *list;
+ dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)node;
+
+ REQUIRE(VALID_SDBNODE(node));
+
+ UNUSED(db);
+ UNUSED(version);
+ UNUSED(covers);
+ UNUSED(now);
+ UNUSED(sigrdataset);
+
+ if (type == dns_rdatatype_rrsig)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ list = ISC_LIST_HEAD(sdbnode->lists);
+ while (list != NULL) {
+ if (list->type == type)
+ break;
+ list = ISC_LIST_NEXT(list, link);
+ }
+ if (list == NULL)
+ return (ISC_R_NOTFOUND);
+
+ list_tordataset(list, db, node, rdataset);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdatasetiter_t **iteratorp)
+{
+ sdb_rdatasetiter_t *iterator;
+
+ REQUIRE(version == NULL || version == &dummy);
+
+ UNUSED(version);
+ UNUSED(now);
+
+ iterator = isc_mem_get(db->mctx, sizeof(sdb_rdatasetiter_t));
+ if (iterator == NULL)
+ return (ISC_R_NOMEMORY);
+
+ iterator->common.magic = DNS_RDATASETITER_MAGIC;
+ iterator->common.methods = &rdatasetiter_methods;
+ iterator->common.db = db;
+ iterator->common.node = NULL;
+ attachnode(db, node, &iterator->common.node);
+ iterator->common.version = version;
+ iterator->common.now = now;
+
+ *iteratorp = (dns_rdatasetiter_t *)iterator;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
+ dns_rdataset_t *addedrdataset)
+{
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(version);
+ UNUSED(now);
+ UNUSED(rdataset);
+ UNUSED(options);
+ UNUSED(addedrdataset);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdataset_t *rdataset, unsigned int options,
+ dns_rdataset_t *newrdataset)
+{
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(version);
+ UNUSED(rdataset);
+ UNUSED(options);
+ UNUSED(newrdataset);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_result_t
+deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ dns_rdatatype_t type, dns_rdatatype_t covers)
+{
+ UNUSED(db);
+ UNUSED(node);
+ UNUSED(version);
+ UNUSED(type);
+ UNUSED(covers);
+
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+static isc_boolean_t
+issecure(dns_db_t *db) {
+ UNUSED(db);
+
+ return (ISC_FALSE);
+}
+
+static unsigned int
+nodecount(dns_db_t *db) {
+ UNUSED(db);
+
+ return (0);
+}
+
+static isc_boolean_t
+ispersistent(dns_db_t *db) {
+ UNUSED(db);
+ return (ISC_TRUE);
+}
+
+static void
+overmem(dns_db_t *db, isc_boolean_t overmem) {
+ UNUSED(db);
+ UNUSED(overmem);
+}
+
+static void
+settask(dns_db_t *db, isc_task_t *task) {
+ UNUSED(db);
+ UNUSED(task);
+}
+
+
+static dns_dbmethods_t sdb_methods = {
+ attach,
+ detach,
+ beginload,
+ endload,
+ dump,
+ currentversion,
+ newversion,
+ attachversion,
+ closeversion,
+ findnode,
+ find,
+ findzonecut,
+ attachnode,
+ detachnode,
+ expirenode,
+ printnode,
+ createiterator,
+ findrdataset,
+ allrdatasets,
+ addrdataset,
+ subtractrdataset,
+ deleterdataset,
+ issecure,
+ nodecount,
+ ispersistent,
+ overmem,
+ settask
+};
+
+static isc_result_t
+dns_sdb_create(isc_mem_t *mctx, dns_name_t *origin, dns_dbtype_t type,
+ dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
+ void *driverarg, dns_db_t **dbp)
+{
+ dns_sdb_t *sdb;
+ isc_result_t result;
+ char zonestr[DNS_NAME_MAXTEXT + 1];
+ isc_buffer_t b;
+ dns_sdbimplementation_t *imp;
+
+ REQUIRE(driverarg != NULL);
+
+ imp = driverarg;
+
+ if (type != dns_dbtype_zone)
+ return (ISC_R_NOTIMPLEMENTED);
+
+ sdb = isc_mem_get(mctx, sizeof(dns_sdb_t));
+ if (sdb == NULL)
+ return (ISC_R_NOMEMORY);
+ memset(sdb, 0, sizeof(dns_sdb_t));
+
+ dns_name_init(&sdb->common.origin, NULL);
+ sdb->common.attributes = 0;
+ sdb->common.methods = &sdb_methods;
+ sdb->common.rdclass = rdclass;
+ sdb->common.mctx = NULL;
+ sdb->implementation = imp;
+
+ isc_mem_attach(mctx, &sdb->common.mctx);
+
+ result = isc_mutex_init(&sdb->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_mctx;
+ }
+
+ result = dns_name_dupwithoffsets(origin, mctx, &sdb->common.origin);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_lock;
+
+ isc_buffer_init(&b, zonestr, sizeof(zonestr));
+ result = dns_name_totext(origin, ISC_TRUE, &b);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_origin;
+ isc_buffer_putuint8(&b, 0);
+
+ sdb->zone = isc_mem_strdup(mctx, zonestr);
+ if (sdb->zone == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_origin;
+ }
+
+ sdb->dbdata = NULL;
+ if (imp->methods->create != NULL) {
+ MAYBE_LOCK(sdb);
+ result = imp->methods->create(sdb->zone, argc, argv,
+ imp->driverdata, &sdb->dbdata);
+ MAYBE_UNLOCK(sdb);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_zonestr;
+ }
+
+ sdb->references = 1;
+
+ sdb->common.magic = DNS_DB_MAGIC;
+ sdb->common.impmagic = SDB_MAGIC;
+
+ *dbp = (dns_db_t *)sdb;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_zonestr:
+ isc_mem_free(mctx, sdb->zone);
+ cleanup_origin:
+ dns_name_free(&sdb->common.origin, mctx);
+ cleanup_lock:
+ isc_mutex_destroy(&sdb->lock);
+ cleanup_mctx:
+ isc_mem_put(mctx, sdb, sizeof(dns_sdb_t));
+ isc_mem_detach(&mctx);
+
+ return (result);
+}
+
+
+/*
+ * Rdataset Methods
+ */
+
+static void
+disassociate(dns_rdataset_t *rdataset) {
+ dns_dbnode_t *node = rdataset->private5;
+ dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
+ dns_db_t *db = (dns_db_t *) sdbnode->sdb;
+
+ detachnode(db, &node);
+ isc__rdatalist_disassociate(rdataset);
+}
+
+static void
+rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
+ dns_dbnode_t *node = source->private5;
+ dns_sdbnode_t *sdbnode = (dns_sdbnode_t *) node;
+ dns_db_t *db = (dns_db_t *) sdbnode->sdb;
+ dns_dbnode_t *tempdb = NULL;
+
+ isc__rdatalist_clone(source, target);
+ attachnode(db, node, &tempdb);
+ source->private5 = tempdb;
+}
+
+static dns_rdatasetmethods_t methods = {
+ disassociate,
+ isc__rdatalist_first,
+ isc__rdatalist_next,
+ isc__rdatalist_current,
+ rdataset_clone,
+ isc__rdatalist_count,
+ isc__rdatalist_addnoqname,
+ isc__rdatalist_getnoqname
+};
+
+static void
+list_tordataset(dns_rdatalist_t *rdatalist,
+ dns_db_t *db, dns_dbnode_t *node,
+ dns_rdataset_t *rdataset)
+{
+ /*
+ * The sdb rdataset is an rdatalist with some additions.
+ * - private1 & private2 are used by the rdatalist.
+ * - private3 & private 4 are unused.
+ * - private5 is the node.
+ */
+
+ /* This should never fail. */
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
+ ISC_R_SUCCESS);
+
+ rdataset->methods = &methods;
+ dns_db_attachnode(db, node, &rdataset->private5);
+}
+
+/*
+ * Database Iterator Methods
+ */
+static void
+dbiterator_destroy(dns_dbiterator_t **iteratorp) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)(*iteratorp);
+ dns_sdb_t *sdb = (dns_sdb_t *)sdbiter->common.db;
+
+ while (!ISC_LIST_EMPTY(sdbiter->nodelist)) {
+ dns_sdbnode_t *node;
+ node = ISC_LIST_HEAD(sdbiter->nodelist);
+ ISC_LIST_UNLINK(sdbiter->nodelist, node, link);
+ destroynode(node);
+ }
+
+ dns_db_detach(&sdbiter->common.db);
+ isc_mem_put(sdb->common.mctx, sdbiter, sizeof(sdb_dbiterator_t));
+
+ *iteratorp = NULL;
+}
+
+static isc_result_t
+dbiterator_first(dns_dbiterator_t *iterator) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+ if (sdbiter->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_last(dns_dbiterator_t *iterator) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ sdbiter->current = ISC_LIST_TAIL(sdbiter->nodelist);
+ if (sdbiter->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ sdbiter->current = ISC_LIST_HEAD(sdbiter->nodelist);
+ while (sdbiter->current != NULL)
+ if (dns_name_equal(sdbiter->current->name, name))
+ return (ISC_R_SUCCESS);
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+dbiterator_prev(dns_dbiterator_t *iterator) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ sdbiter->current = ISC_LIST_PREV(sdbiter->current, link);
+ if (sdbiter->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_next(dns_dbiterator_t *iterator) {
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ sdbiter->current = ISC_LIST_NEXT(sdbiter->current, link);
+ if (sdbiter->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
+ dns_name_t *name)
+{
+ sdb_dbiterator_t *sdbiter = (sdb_dbiterator_t *)iterator;
+
+ attachnode(iterator->db, sdbiter->current, nodep);
+ if (name != NULL)
+ return (dns_name_copy(sdbiter->current->name, name, NULL));
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_pause(dns_dbiterator_t *iterator) {
+ UNUSED(iterator);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+dbiterator_origin(dns_dbiterator_t *iterator, dns_name_t *name) {
+ UNUSED(iterator);
+ return (dns_name_copy(dns_rootname, name, NULL));
+}
+
+/*
+ * Rdataset Iterator Methods
+ */
+
+static void
+rdatasetiter_destroy(dns_rdatasetiter_t **iteratorp) {
+ sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)(*iteratorp);
+ detachnode(sdbiterator->common.db, &sdbiterator->common.node);
+ isc_mem_put(sdbiterator->common.db->mctx, sdbiterator,
+ sizeof(sdb_rdatasetiter_t));
+ *iteratorp = NULL;
+}
+
+static isc_result_t
+rdatasetiter_first(dns_rdatasetiter_t *iterator) {
+ sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+ dns_sdbnode_t *sdbnode = (dns_sdbnode_t *)iterator->node;
+
+ if (ISC_LIST_EMPTY(sdbnode->lists))
+ return (ISC_R_NOMORE);
+ sdbiterator->current = ISC_LIST_HEAD(sdbnode->lists);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+rdatasetiter_next(dns_rdatasetiter_t *iterator) {
+ sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+ sdbiterator->current = ISC_LIST_NEXT(sdbiterator->current, link);
+ if (sdbiterator->current == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+static void
+rdatasetiter_current(dns_rdatasetiter_t *iterator, dns_rdataset_t *rdataset) {
+ sdb_rdatasetiter_t *sdbiterator = (sdb_rdatasetiter_t *)iterator;
+
+ list_tordataset(sdbiterator->current, iterator->db, iterator->node,
+ rdataset);
+}
diff --git a/contrib/bind9/lib/dns/sec/Makefile.in b/contrib/bind9/lib/dns/sec/Makefile.in
new file mode 100644
index 0000000..94b50ab
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:19 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/dns/sec/dst/Makefile.in b/contrib/bind9/lib/dns/sec/dst/Makefile.in
new file mode 100644
index 0000000..c975207
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/Makefile.in
@@ -0,0 +1,48 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.25.2.2.8.4 2004/03/09 05:21:08 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir} ${DNS_INCLUDES} \
+ ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
+
+CDEFINES = -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CWARNINGS =
+
+LIBS = @LIBS@
+
+# Alphabetically
+OBJS = dst_api.@O@ dst_lib.@O@ dst_parse.@O@ \
+ dst_result.@O@ gssapi_link.@O@ gssapictx.@O@ \
+ hmac_link.@O@ key.@O@ \
+ openssl_link.@O@ openssldh_link.@O@ \
+ openssldsa_link.@O@ opensslrsa_link.@O@
+
+SRCS = dst_api.c dst_lib.c dst_parse.c \
+ dst_result.c gssapi_link.c gssapictx.c \
+ hmac_link.c key.c \
+ openssl_link.c openssldh_link.c \
+ openssldsa_link.c opensslrsa_link.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
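Review bot: The `CDEFINES` line in this new Makefile.in has no comment saying that `@USE_OPENSSL@` and `@USE_GSSAPI@` decide which algorithms the library ends up with. That matters to whoever builds it: in `dst_lib_init()` (dst_api.c, same commit) only HMAC-MD5 is registered unconditionally, while the RSA, DSA and DH back ends sit under `#ifdef OPENSSL` and GSS-API under `#ifdef GSSAPI`. I would add above it `# @USE_OPENSSL@ / @USE_GSSAPI@ are set by configure; without them dst_lib_init() registers only HMAC-MD5`. That the substitutions expand to `-DOPENSSL` and `-DGSSAPI` is inferred from those `#ifdef`s and should be checked against the configure script, which is not on this page. The `# Alphabetically` comment could also say that `OBJS` and `SRCS` are maintained by hand in parallel and must list the same files.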
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_api.c b/contrib/bind9/lib/dns/sec/dst/dst_api.c
new file mode 100644
index 0000000..f3adedc
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_api.c
@@ -0,0 +1,1185 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: dst_api.c,v 1.88.2.3.2.15 2004/06/16 01:05:01 marka Exp $
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/fsaccess.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/ttl.h>
+#include <dns/types.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+static dst_func_t *dst_t_func[DST_MAX_ALGS];
+static isc_entropy_t *dst_entropy_pool = NULL;
+static unsigned int dst_entropy_flags = 0;
+static isc_boolean_t dst_initialized = ISC_FALSE;
+
+isc_mem_t *dst__memory_pool = NULL;
+
+/*
+ * Static functions.
+ */
+static dst_key_t * get_key_struct(dns_name_t *name,
+ unsigned int alg,
+ unsigned int flags,
+ unsigned int protocol,
+ unsigned int bits,
+ dns_rdataclass_t rdclass,
+ isc_mem_t *mctx);
+static isc_result_t read_public_key(const char *filename,
+ int type,
+ isc_mem_t *mctx,
+ dst_key_t **keyp);
+static isc_result_t write_public_key(const dst_key_t *key, int type,
+ const char *directory);
+static isc_result_t buildfilename(dns_name_t *name,
+ dns_keytag_t id,
+ unsigned int alg,
+ unsigned int type,
+ const char *directory,
+ isc_buffer_t *out);
+static isc_result_t computeid(dst_key_t *key);
+static isc_result_t frombuffer(dns_name_t *name,
+ unsigned int alg,
+ unsigned int flags,
+ unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_buffer_t *source,
+ isc_mem_t *mctx,
+ dst_key_t **keyp);
+
+static isc_result_t algorithm_status(unsigned int alg);
+
+static isc_result_t addsuffix(char *filename, unsigned int len,
+ const char *ofilename, const char *suffix);
+
+#define RETERR(x) \
+ do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto out; \
+ } while (0)
+
+#define CHECKALG(alg) \
+ do { \
+ isc_result_t _r; \
+ _r = algorithm_status(alg); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0); \
+
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+ isc_result_t result;
+
+ REQUIRE(mctx != NULL && ectx != NULL);
+ REQUIRE(dst_initialized == ISC_FALSE);
+
+ dst__memory_pool = NULL;
+
+#ifdef OPENSSL
+ UNUSED(mctx);
+ /*
+ * When using --with-openssl, there seems to be no good way of not
+ * leaking memory due to the openssl error handling mechanism.
+ * Avoid assertions by using a local memory context and not checking
+ * for leaks on exit.
+ */
+ result = isc_mem_create(0, 0, &dst__memory_pool);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
+#else
+ isc_mem_attach(mctx, &dst__memory_pool);
+#endif
+ isc_entropy_attach(ectx, &dst_entropy_pool);
+ dst_entropy_flags = eflags;
+
+ dst_result_register();
+
+ memset(dst_t_func, 0, sizeof(dst_t_func));
+ RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
+#ifdef OPENSSL
+ RETERR(dst__openssl_init());
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
+ RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+#ifdef HAVE_OPENSSL_DSA
+ RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
+#endif
+ RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
+#endif /* OPENSSL */
+#ifdef GSSAPI
+ RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
+#endif
+ dst_initialized = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+
+ out:
+ dst_lib_destroy();
+ return (result);
+}
+
+void
+dst_lib_destroy(void) {
+ int i;
+ RUNTIME_CHECK(dst_initialized == ISC_TRUE);
+ dst_initialized = ISC_FALSE;
+
+ for (i = 0; i < DST_MAX_ALGS; i++)
+ if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
+ dst_t_func[i]->cleanup();
+#ifdef OPENSSL
+ dst__openssl_destroy();
+#endif
+ if (dst__memory_pool != NULL)
+ isc_mem_detach(&dst__memory_pool);
+ if (dst_entropy_pool != NULL)
+ isc_entropy_detach(&dst_entropy_pool);
+
+}
+
+isc_boolean_t
+dst_algorithm_supported(unsigned int alg) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+
+ if (alg >= DST_MAX_ALGS || dst_t_func[alg] == NULL)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
+ dst_context_t *dctx;
+ isc_result_t result;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(mctx != NULL);
+ REQUIRE(dctxp != NULL && *dctxp == NULL);
+
+ if (key->func->createctx == NULL)
+ return (DST_R_UNSUPPORTEDALG);
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ dctx = isc_mem_get(mctx, sizeof(dst_context_t));
+ if (dctx == NULL)
+ return (ISC_R_NOMEMORY);
+ dctx->key = key;
+ dctx->mctx = mctx;
+ result = key->func->createctx(key, dctx);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, dctx, sizeof(dst_context_t));
+ return (result);
+ }
+ dctx->magic = CTX_MAGIC;
+ *dctxp = dctx;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dst_context_destroy(dst_context_t **dctxp) {
+ dst_context_t *dctx;
+
+ REQUIRE(dctxp != NULL && VALID_CTX(*dctxp));
+
+ dctx = *dctxp;
+ INSIST(dctx->key->func->destroyctx != NULL);
+ dctx->key->func->destroyctx(dctx);
+ dctx->magic = 0;
+ isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
+ *dctxp = NULL;
+}
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ REQUIRE(VALID_CTX(dctx));
+ REQUIRE(data != NULL);
+ INSIST(dctx->key->func->adddata != NULL);
+
+ return (dctx->key->func->adddata(dctx, data));
+}
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ dst_key_t *key;
+
+ REQUIRE(VALID_CTX(dctx));
+ REQUIRE(sig != NULL);
+
+ key = dctx->key;
+ CHECKALG(key->key_alg);
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+ if (key->func->sign == NULL)
+ return (DST_R_NOTPRIVATEKEY);
+ if (key->func->isprivate == NULL ||
+ key->func->isprivate(key) == ISC_FALSE)
+ return (DST_R_NOTPRIVATEKEY);
+
+ return (key->func->sign(dctx, sig));
+}
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
+ REQUIRE(VALID_CTX(dctx));
+ REQUIRE(sig != NULL);
+
+ CHECKALG(dctx->key->key_alg);
+ if (dctx->key->opaque == NULL)
+ return (DST_R_NULLKEY);
+ if (dctx->key->func->verify == NULL)
+ return (DST_R_NOTPUBLICKEY);
+
+ return (dctx->key->func->verify(dctx, sig));
+}
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ isc_buffer_t *secret)
+{
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(pub) && VALID_KEY(priv));
+ REQUIRE(secret != NULL);
+
+ CHECKALG(pub->key_alg);
+ CHECKALG(priv->key_alg);
+
+ if (pub->opaque == NULL || priv->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ if (pub->key_alg != priv->key_alg ||
+ pub->func->computesecret == NULL ||
+ priv->func->computesecret == NULL)
+ return (DST_R_KEYCANNOTCOMPUTESECRET);
+
+ if (dst_key_isprivate(priv) == ISC_FALSE)
+ return (DST_R_NOTPRIVATEKEY);
+
+ return (pub->func->computesecret(pub, priv, secret));
+}
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory) {
+ isc_result_t ret = ISC_R_SUCCESS;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+
+ CHECKALG(key->key_alg);
+
+ if (key->func->tofile == NULL)
+ return (DST_R_UNSUPPORTEDALG);
+
+ if (type & DST_TYPE_PUBLIC) {
+ ret = write_public_key(key, type, directory);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ }
+
+ if ((type & DST_TYPE_PRIVATE) &&
+ (key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
+ return (key->func->tofile(key, directory));
+ else
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
+ unsigned int alg, int type, const char *directory,
+ isc_mem_t *mctx, dst_key_t **keyp)
+{
+ char filename[ISC_DIR_NAMEMAX];
+ isc_buffer_t b;
+ dst_key_t *key;
+ isc_result_t result;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+ REQUIRE(mctx != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ CHECKALG(alg);
+
+ isc_buffer_init(&b, filename, sizeof(filename));
+ result = buildfilename(name, id, alg, type, directory, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ key = NULL;
+ result = dst_key_fromnamedfile(filename, type, mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = computeid(key);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (result);
+ }
+
+ if (!dns_name_equal(name, key->key_name) ||
+ id != key->key_id ||
+ alg != key->key_alg)
+ {
+ dst_key_free(&key);
+ return (DST_R_INVALIDPRIVATEKEY);
+ }
+ key->key_id = id;
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
+ dst_key_t **keyp)
+{
+ isc_result_t result;
+ dst_key_t *pubkey = NULL, *key = NULL;
+ dns_keytag_t id;
+ char *newfilename = NULL;
+ int newfilenamelen = 0;
+ isc_lex_t *lex = NULL;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(filename != NULL);
+ REQUIRE((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) != 0);
+ REQUIRE(mctx != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ result = read_public_key(filename, type, mctx, &pubkey);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (type == DST_TYPE_PUBLIC ||
+ (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+ {
+ result = computeid(pubkey);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&pubkey);
+ return (result);
+ }
+
+ *keyp = pubkey;
+ return (ISC_R_SUCCESS);
+ }
+
+ result = algorithm_status(pubkey->key_alg);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&pubkey);
+ return (result);
+ }
+
+ key = get_key_struct(pubkey->key_name, pubkey->key_alg,
+ pubkey->key_flags, pubkey->key_proto, 0,
+ pubkey->key_class, mctx);
+ id = pubkey->key_id;
+ dst_key_free(&pubkey);
+
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (key->func->parse == NULL)
+ RETERR(DST_R_UNSUPPORTEDALG);
+
+ newfilenamelen = strlen(filename) + 9;
+ newfilename = isc_mem_get(mctx, newfilenamelen);
+ if (newfilename == NULL)
+ RETERR(ISC_R_NOMEMORY);
+ result = addsuffix(newfilename, newfilenamelen, filename, ".private");
+ INSIST(result == ISC_R_SUCCESS);
+
+ RETERR(isc_lex_create(mctx, 1500, &lex));
+ RETERR(isc_lex_openfile(lex, newfilename));
+ isc_mem_put(mctx, newfilename, newfilenamelen);
+
+ RETERR(key->func->parse(key, lex));
+ isc_lex_destroy(&lex);
+
+ RETERR(computeid(key));
+
+ if (id != key->key_id)
+ RETERR(DST_R_INVALIDPRIVATEKEY);
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+ out:
+ if (newfilename != NULL)
+ isc_mem_put(mctx, newfilename, newfilenamelen);
+ if (lex != NULL)
+ isc_lex_destroy(&lex);
+ dst_key_free(&key);
+ return (result);
+}
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(target != NULL);
+
+ CHECKALG(key->key_alg);
+
+ if (key->func->todns == NULL)
+ return (DST_R_UNSUPPORTEDALG);
+
+ if (isc_buffer_availablelength(target) < 4)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(target, (isc_uint16_t)(key->key_flags & 0xffff));
+ isc_buffer_putuint8(target, (isc_uint8_t)key->key_proto);
+ isc_buffer_putuint8(target, (isc_uint8_t)key->key_alg);
+
+ if (key->key_flags & DNS_KEYFLAG_EXTENDED) {
+ if (isc_buffer_availablelength(target) < 2)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint16(target,
+ (isc_uint16_t)((key->key_flags >> 16)
+ & 0xffff));
+ }
+
+ if (key->opaque == NULL) /* NULL KEY */
+ return (ISC_R_SUCCESS);
+
+ return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+ isc_uint8_t alg, proto;
+ isc_uint32_t flags, extflags;
+ dst_key_t *key = NULL;
+ dns_keytag_t id;
+ isc_region_t r;
+ isc_result_t result;
+
+ REQUIRE(dst_initialized);
+
+ isc_buffer_remainingregion(source, &r);
+
+ if (isc_buffer_remaininglength(source) < 4)
+ return (DST_R_INVALIDPUBLICKEY);
+ flags = isc_buffer_getuint16(source);
+ proto = isc_buffer_getuint8(source);
+ alg = isc_buffer_getuint8(source);
+
+ id = dst_region_computeid(&r, alg);
+
+ if (flags & DNS_KEYFLAG_EXTENDED) {
+ if (isc_buffer_remaininglength(source) < 2)
+ return (DST_R_INVALIDPUBLICKEY);
+ extflags = isc_buffer_getuint16(source);
+ flags |= (extflags << 16);
+ }
+
+ result = frombuffer(name, alg, flags, proto, rdclass, source,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ key->key_id = id;
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_frombuffer(dns_name_t *name, unsigned int alg,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+ dst_key_t *key = NULL;
+ isc_result_t result;
+
+ REQUIRE(dst_initialized);
+
+ result = frombuffer(name, alg, flags, protocol, rdclass, source,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = computeid(key);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (result);
+ }
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(target != NULL);
+
+ CHECKALG(key->key_alg);
+
+ if (key->func->todns == NULL)
+ return (DST_R_UNSUPPORTEDALG);
+
+ return (key->func->todns(key, target));
+}
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
+ isc_lex_t *lex = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(!dst_key_isprivate(key));
+ REQUIRE(buffer != NULL);
+
+ if (key->func->parse == NULL)
+ RETERR(DST_R_UNSUPPORTEDALG);
+
+ RETERR(isc_lex_create(key->mctx, 1500, &lex));
+ RETERR(isc_lex_openbuffer(lex, buffer));
+ RETERR(key->func->parse(key, lex));
+ out:
+ if (lex != NULL)
+ isc_lex_destroy(&lex);
+ return (result);
+}
+
+isc_result_t
+dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
+ dst_key_t **keyp)
+{
+ dst_key_t *key;
+
+ REQUIRE(opaque != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
+ 0, dns_rdataclass_in, mctx);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+ key->opaque = opaque;
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_generate(dns_name_t *name, unsigned int alg,
+ unsigned int bits, unsigned int param,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, dst_key_t **keyp)
+{
+ dst_key_t *key;
+ isc_result_t ret;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(mctx != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ CHECKALG(alg);
+
+ key = get_key_struct(name, alg, flags, protocol, bits, rdclass, mctx);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (bits == 0) { /* NULL KEY */
+ key->key_flags |= DNS_KEYTYPE_NOKEY;
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+ }
+
+ if (key->func->generate == NULL) {
+ dst_key_free(&key);
+ return (DST_R_UNSUPPORTEDALG);
+ }
+
+ ret = key->func->generate(key, param);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
+
+ ret = computeid(key);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key1));
+ REQUIRE(VALID_KEY(key2));
+
+ if (key1 == key2)
+ return (ISC_TRUE);
+ if (key1 == NULL || key2 == NULL)
+ return (ISC_FALSE);
+ if (key1->key_alg == key2->key_alg &&
+ key1->key_id == key2->key_id &&
+ key1->func->compare != NULL &&
+ key1->func->compare(key1, key2) == ISC_TRUE)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key1));
+ REQUIRE(VALID_KEY(key2));
+
+ if (key1 == key2)
+ return (ISC_TRUE);
+ if (key1 == NULL || key2 == NULL)
+ return (ISC_FALSE);
+ if (key1->key_alg == key2->key_alg &&
+ key1->func->paramcompare != NULL &&
+ key1->func->paramcompare(key1, key2) == ISC_TRUE)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+void
+dst_key_free(dst_key_t **keyp) {
+ isc_mem_t *mctx;
+ dst_key_t *key;
+
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(keyp != NULL && VALID_KEY(*keyp));
+
+ key = *keyp;
+ mctx = key->mctx;
+
+ if (key->opaque != NULL) {
+ INSIST(key->func->destroy != NULL);
+ key->func->destroy(key);
+ }
+
+ dns_name_free(key->key_name, mctx);
+ isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+ memset(key, 0, sizeof(dst_key_t));
+ isc_mem_put(mctx, key, sizeof(dst_key_t));
+ *keyp = NULL;
+}
+
+isc_boolean_t
+dst_key_isprivate(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ INSIST(key->func->isprivate != NULL);
+ return (key->func->isprivate(key));
+}
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type,
+ const char *directory, isc_buffer_t *out) {
+
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(type == DST_TYPE_PRIVATE || type == DST_TYPE_PUBLIC ||
+ type == 0);
+
+ return (buildfilename(key->key_name, key->key_id, key->key_alg,
+ type, directory, out));
+}
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(n != NULL);
+
+ /* XXXVIX this switch statement is too sparse to gen a jump table. */
+ switch (key->key_alg) {
+ case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
+ *n = (key->key_size + 7) / 8;
+ break;
+ case DST_ALG_DSA:
+ *n = DNS_SIG_DSASIGSIZE;
+ break;
+ case DST_ALG_HMACMD5:
+ *n = 16;
+ break;
+ case DST_ALG_GSSAPI:
+ *n = 128; /* XXX */
+ break;
+ case DST_ALG_DH:
+ default:
+ return (DST_R_UNSUPPORTEDALG);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+ REQUIRE(n != NULL);
+
+ if (key->key_alg == DST_ALG_DH)
+ *n = (key->key_size + 7) / 8;
+ else
+ return (DST_R_UNSUPPORTEDALG);
+ return (ISC_R_SUCCESS);
+}
+
+/***
+ *** Static methods
+ ***/
+
+/*
+ * Allocates a key structure and fills in some of the fields.
+ */
+static dst_key_t *
+get_key_struct(dns_name_t *name, unsigned int alg,
+ unsigned int flags, unsigned int protocol,
+ unsigned int bits, dns_rdataclass_t rdclass,
+ isc_mem_t *mctx)
+{
+ dst_key_t *key;
+ isc_result_t result;
+
+ key = (dst_key_t *) isc_mem_get(mctx, sizeof(dst_key_t));
+ if (key == NULL)
+ return (NULL);
+
+ memset(key, 0, sizeof(dst_key_t));
+ key->magic = KEY_MAGIC;
+
+ key->key_name = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (key->key_name == NULL) {
+ isc_mem_put(mctx, key, sizeof(dst_key_t));
+ return (NULL);
+ }
+ dns_name_init(key->key_name, NULL);
+ result = dns_name_dup(name, mctx, key->key_name);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
+ isc_mem_put(mctx, key, sizeof(dst_key_t));
+ return (NULL);
+ }
+ key->key_alg = alg;
+ key->key_flags = flags;
+ key->key_proto = protocol;
+ key->mctx = mctx;
+ key->opaque = NULL;
+ key->key_size = bits;
+ key->key_class = rdclass;
+ key->func = dst_t_func[alg];
+ return (key);
+}
+
+/*
+ * Reads a public key from disk
+ */
+static isc_result_t
+read_public_key(const char *filename, int type,
+ isc_mem_t *mctx, dst_key_t **keyp)
+{
+ u_char rdatabuf[DST_KEY_MAXSIZE];
+ isc_buffer_t b;
+ dns_fixedname_t name;
+ isc_lex_t *lex = NULL;
+ isc_token_t token;
+ isc_result_t ret;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ unsigned int opt = ISC_LEXOPT_DNSMULTILINE;
+ char *newfilename;
+ unsigned int newfilenamelen;
+ dns_rdataclass_t rdclass = dns_rdataclass_in;
+ isc_lexspecials_t specials;
+ isc_uint32_t ttl;
+ isc_result_t result;
+ dns_rdatatype_t keytype;
+
+ newfilenamelen = strlen(filename) + 5;
+ newfilename = isc_mem_get(mctx, newfilenamelen);
+ if (newfilename == NULL)
+ return (ISC_R_NOMEMORY);
+ ret = addsuffix(newfilename, newfilenamelen, filename, ".key");
+ INSIST(ret == ISC_R_SUCCESS);
+
+ /*
+ * Open the file and read its formatted contents
+ * File format:
+ * domain.name [ttl] [class] KEY <flags> <protocol> <algorithm> <key>
+ */
+
+ /* 1500 should be large enough for any key */
+ ret = isc_lex_create(mctx, 1500, &lex);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+
+ memset(specials, 0, sizeof(specials));
+ specials['('] = 1;
+ specials[')'] = 1;
+ specials['"'] = 1;
+ isc_lex_setspecials(lex, specials);
+ isc_lex_setcomments(lex, ISC_LEXCOMMENT_DNSMASTERFILE);
+
+ ret = isc_lex_openfile(lex, newfilename);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+
+#define NEXTTOKEN(lex, opt, token) { \
+ ret = isc_lex_gettoken(lex, opt, token); \
+ if (ret != ISC_R_SUCCESS) \
+ goto cleanup; \
+ }
+
+#define BADTOKEN() { \
+ ret = ISC_R_UNEXPECTEDTOKEN; \
+ goto cleanup; \
+ }
+
+ /* Read the domain name */
+ NEXTTOKEN(lex, opt, &token);
+ if (token.type != isc_tokentype_string)
+ BADTOKEN();
+ dns_fixedname_init(&name);
+ isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
+ isc_buffer_add(&b, strlen(DST_AS_STR(token)));
+ ret = dns_name_fromtext(dns_fixedname_name(&name), &b, dns_rootname,
+ ISC_FALSE, NULL);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /* Read the next word: either TTL, class, or 'KEY' */
+ NEXTTOKEN(lex, opt, &token);
+
+ /* If it's a TTL, read the next one */
+ result = dns_ttl_fromtext(&token.value.as_textregion, &ttl);
+ if (result == ISC_R_SUCCESS)
+ NEXTTOKEN(lex, opt, &token);
+
+ if (token.type != isc_tokentype_string)
+ BADTOKEN();
+
+ ret = dns_rdataclass_fromtext(&rdclass, &token.value.as_textregion);
+ if (ret == ISC_R_SUCCESS)
+ NEXTTOKEN(lex, opt, &token);
+
+ if (token.type != isc_tokentype_string)
+ BADTOKEN();
+
+ if (strcasecmp(DST_AS_STR(token), "DNSKEY") == 0)
+ keytype = dns_rdatatype_dnskey;
+ else if (strcasecmp(DST_AS_STR(token), "KEY") == 0)
+ keytype = dns_rdatatype_key; /* SIG(0), TKEY */
+ else
+ BADTOKEN();
+
+ if (((type & DST_TYPE_KEY) != 0 && keytype != dns_rdatatype_key) ||
+ ((type & DST_TYPE_KEY) == 0 && keytype != dns_rdatatype_dnskey)) {
+ ret = DST_R_BADKEYTYPE;
+ goto cleanup;
+ }
+
+ isc_buffer_init(&b, rdatabuf, sizeof(rdatabuf));
+ ret = dns_rdata_fromtext(&rdata, rdclass, keytype, lex, NULL,
+ ISC_FALSE, mctx, &b, NULL);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+
+ ret = dst_key_fromdns(dns_fixedname_name(&name), rdclass, &b, mctx,
+ keyp);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup;
+
+ cleanup:
+ if (lex != NULL)
+ isc_lex_destroy(&lex);
+ isc_mem_put(mctx, newfilename, newfilenamelen);
+
+ return (ret);
+}
+
+static isc_boolean_t
+issymmetric(const dst_key_t *key) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+ REQUIRE(VALID_KEY(key));
+
+ /* XXXVIX this switch statement is too sparse to gen a jump table. */
+ switch (key->key_alg) {
+ case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
+ case DST_ALG_DSA:
+ case DST_ALG_DH:
+ return (ISC_FALSE);
+ case DST_ALG_HMACMD5:
+ case DST_ALG_GSSAPI:
+ return (ISC_TRUE);
+ default:
+ return (ISC_FALSE);
+ }
+}
+
+/*
+ * Writes a public key to disk in DNS format.
+ */
+static isc_result_t
+write_public_key(const dst_key_t *key, int type, const char *directory) {
+ FILE *fp;
+ isc_buffer_t keyb, textb, fileb, classb;
+ isc_region_t r;
+ char filename[ISC_DIR_NAMEMAX];
+ unsigned char key_array[DST_KEY_MAXSIZE];
+ char text_array[DST_KEY_MAXTEXTSIZE];
+ char class_array[10];
+ isc_result_t ret;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_fsaccess_t access;
+
+ REQUIRE(VALID_KEY(key));
+
+ isc_buffer_init(&keyb, key_array, sizeof(key_array));
+ isc_buffer_init(&textb, text_array, sizeof(text_array));
+ isc_buffer_init(&classb, class_array, sizeof(class_array));
+
+ ret = dst_key_todns(key, &keyb);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ isc_buffer_usedregion(&keyb, &r);
+ dns_rdata_fromregion(&rdata, key->key_class, dns_rdatatype_dnskey, &r);
+
+ ret = dns_rdata_totext(&rdata, (dns_name_t *) NULL, &textb);
+ if (ret != ISC_R_SUCCESS)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ ret = dns_rdataclass_totext(key->key_class, &classb);
+ if (ret != ISC_R_SUCCESS)
+ return (DST_R_INVALIDPUBLICKEY);
+
+ /*
+ * Make the filename.
+ */
+ isc_buffer_init(&fileb, filename, sizeof(filename));
+ ret = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &fileb);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ /*
+ * Create public key file.
+ */
+ if ((fp = fopen(filename, "w")) == NULL)
+ return (DST_R_WRITEERROR);
+
+ if (issymmetric(key)) {
+ access = 0;
+ isc_fsaccess_add(ISC_FSACCESS_OWNER,
+ ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+ &access);
+ (void)isc_fsaccess_set(filename, access);
+ }
+
+ ret = dns_name_print(key->key_name, fp);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ fprintf(fp, " ");
+
+ isc_buffer_usedregion(&classb, &r);
+ fwrite(r.base, 1, r.length, fp);
+
+ if ((type & DST_TYPE_KEY) != 0)
+ fprintf(fp, " KEY ");
+ else
+ fprintf(fp, " DNSKEY ");
+
+ isc_buffer_usedregion(&textb, &r);
+ fwrite(r.base, 1, r.length, fp);
+
+ fputc('\n', fp);
+ fclose(fp);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+buildfilename(dns_name_t *name, dns_keytag_t id,
+ unsigned int alg, unsigned int type,
+ const char *directory, isc_buffer_t *out)
+{
+ const char *suffix = "";
+ unsigned int len;
+ isc_result_t result;
+
+ REQUIRE(out != NULL);
+ if ((type & DST_TYPE_PRIVATE) != 0)
+ suffix = ".private";
+ else if (type == DST_TYPE_PUBLIC)
+ suffix = ".key";
+ if (directory != NULL) {
+ if (isc_buffer_availablelength(out) < strlen(directory))
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(out, directory);
+ if (strlen(directory) > 0U &&
+ directory[strlen(directory) - 1] != '/')
+ isc_buffer_putstr(out, "/");
+ }
+ if (isc_buffer_availablelength(out) < 1)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putstr(out, "K");
+ result = dns_name_tofilenametext(name, ISC_FALSE, out);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
+ if (isc_buffer_availablelength(out) < len)
+ return (ISC_R_NOSPACE);
+ sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
+ isc_buffer_add(out, len);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+computeid(dst_key_t *key) {
+ isc_buffer_t dnsbuf;
+ unsigned char dns_array[DST_KEY_MAXSIZE];
+ isc_region_t r;
+ isc_result_t ret;
+
+ isc_buffer_init(&dnsbuf, dns_array, sizeof(dns_array));
+ ret = dst_key_todns(key, &dnsbuf);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ isc_buffer_usedregion(&dnsbuf, &r);
+ key->key_id = dst_region_computeid(&r, key->key_alg);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+frombuffer(dns_name_t *name, unsigned int alg, unsigned int flags,
+ unsigned int protocol, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp)
+{
+ dst_key_t *key;
+ isc_result_t ret;
+
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(source != NULL);
+ REQUIRE(mctx != NULL);
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (isc_buffer_remaininglength(source) > 0) {
+ ret = algorithm_status(alg);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
+ if (key->func->fromdns == NULL) {
+ dst_key_free(&key);
+ return (DST_R_UNSUPPORTEDALG);
+ }
+
+ ret = key->func->fromdns(key, source);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
+ }
+
+ *keyp = key;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+algorithm_status(unsigned int alg) {
+ REQUIRE(dst_initialized == ISC_TRUE);
+
+ if (dst_algorithm_supported(alg))
+ return (ISC_R_SUCCESS);
+#ifndef OPENSSL
+ if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
+ alg == DST_ALG_DSA || alg == DST_ALG_DH ||
+ alg == DST_ALG_HMACMD5)
+ return (DST_R_NOCRYPTO);
+#endif
+ return (DST_R_UNSUPPORTEDALG);
+}
+
+static isc_result_t
+addsuffix(char *filename, unsigned int len, const char *ofilename,
+ const char *suffix)
+{
+ int olen = strlen(ofilename);
+ int n;
+
+ if (olen > 1 && ofilename[olen - 1] == '.')
+ olen -= 1;
+ else if (olen > 8 && strcmp(ofilename + olen - 8, ".private") == 0)
+ olen -= 8;
+ else if (olen > 4 && strcmp(ofilename + olen - 4, ".key") == 0)
+ olen -= 4;
+
+ n = snprintf(filename, len, "%.*s%s", olen, ofilename, suffix);
+ if (n < 0)
+ return (ISC_R_NOSPACE);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
+ unsigned int flags = dst_entropy_flags;
+ if (pseudo)
+ flags &= ~ISC_ENTROPY_GOODONLY;
+ return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
+}
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_internal.h b/contrib/bind9/lib/dns/sec/dst/dst_internal.h
new file mode 100644
index 0000000..f4dfa9f
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_internal.h
@@ -0,0 +1,134 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dst_internal.h,v 1.38.12.3 2004/03/08 09:04:45 marka Exp $ */
+
+#ifndef DST_DST_INTERNAL_H
+#define DST_DST_INTERNAL_H 1
+
+#include <isc/lang.h>
+#include <isc/buffer.h>
+#include <isc/int.h>
+#include <isc/magic.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+#include <dst/dst.h>
+
+ISC_LANG_BEGINDECLS
+
+#define KEY_MAGIC ISC_MAGIC('D','S','T','K')
+#define CTX_MAGIC ISC_MAGIC('D','S','T','C')
+
+#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
+#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)
+
+extern isc_mem_t *dst__memory_pool;
+
+/***
+ *** Types
+ ***/
+
+typedef struct dst_func dst_func_t;
+
+struct dst_key {
+ unsigned int magic;
+ dns_name_t * key_name; /* name of the key */
+ unsigned int key_size; /* size of the key in bits */
+ unsigned int key_proto; /* protocols this key is used for */
+ unsigned int key_alg; /* algorithm of the key */
+ isc_uint32_t key_flags; /* flags of the public key */
+ isc_uint16_t key_id; /* identifier of the key */
+ dns_rdataclass_t key_class; /* class of the key record */
+ isc_mem_t *mctx; /* memory context */
+ void * opaque; /* pointer to key in crypto pkg fmt */
+ dst_func_t * func; /* crypto package specific functions */
+};
+
+struct dst_context {
+ unsigned int magic;
+ dst_key_t *key;
+ isc_mem_t *mctx;
+ void *opaque;
+};
+
+struct dst_func {
+ /*
+ * Context functions
+ */
+ isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
+ void (*destroyctx)(dst_context_t *dctx);
+ isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);
+
+ /*
+ * Key operations
+ */
+ isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
+ isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
+ isc_result_t (*computesecret)(const dst_key_t *pub,
+ const dst_key_t *priv,
+ isc_buffer_t *secret);
+ isc_boolean_t (*compare)(const dst_key_t *key1, const dst_key_t *key2);
+ isc_boolean_t (*paramcompare)(const dst_key_t *key1,
+ const dst_key_t *key2);
+ isc_result_t (*generate)(dst_key_t *key, int parms);
+ isc_boolean_t (*isprivate)(const dst_key_t *key);
+ void (*destroy)(dst_key_t *key);
+
+ /* conversion functions */
+ isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
+ isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
+ isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
+ isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer);
+
+ /* cleanup */
+ void (*cleanup)(void);
+};
+
+/*
+ * Initializers
+ */
+isc_result_t dst__openssl_init(void);
+
+isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
+isc_result_t dst__opensslrsa_init(struct dst_func **funcp);
+isc_result_t dst__openssldsa_init(struct dst_func **funcp);
+isc_result_t dst__openssldh_init(struct dst_func **funcp);
+isc_result_t dst__gssapi_init(struct dst_func **funcp);
+
+/*
+ * Destructors
+ */
+void dst__openssl_destroy(void);
+
+/*
+ * Memory allocators using the DST memory pool.
+ */
+void * dst__mem_alloc(size_t size);
+void dst__mem_free(void *ptr);
+void * dst__mem_realloc(void *ptr, size_t size);
+
+/*
+ * Entropy retriever using the DST entropy pool.
+ */
+isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
+ isc_boolean_t pseudo);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_INTERNAL_H */
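Review bot: The declaration of `dst__entropy_getdata` at the end of this header does not say what `pseudo` means, although that flag decides whether weaker randomness is acceptable. In dst_api.c from this same import, the function clears `ISC_ENTROPY_GOODONLY` from the pool flags when `pseudo` is true, so a caller that passes ISC_TRUE while producing key material would presumably accept lower-quality output. I would extend the comment to `/* Entropy retriever using the DST entropy pool. If 'pseudo' is true, ISC_ENTROPY_GOODONLY is cleared; pass ISC_FALSE when the bytes become key material. */`.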
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_lib.c b/contrib/bind9/lib/dns/sec/dst/dst_lib.c
new file mode 100644
index 0000000..fdee148
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_lib.c
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: dst_lib.c,v 1.8.12.3 2004/03/08 09:04:45 marka Exp $
+ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <dst/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBDNS_EXTERNAL_DATA isc_msgcat_t * dst_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+ isc_msgcat_open("libdst.cat", &dst_msgcat);
+}
+
+void
+dst_lib_initmsgcat(void) {
+
+ /*
+ * Initialize the DST library's message catalog, dst_msgcat, if it
+ * has not already been initialized.
+ */
+
+ RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_openssl.h b/contrib/bind9/lib/dns/sec/dst/dst_openssl.h
new file mode 100644
index 0000000..c774ca9
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_openssl.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dst_openssl.h,v 1.1.202.3 2004/03/08 09:04:45 marka Exp $ */
+
+#ifndef DST_OPENSSL_H
+#define DST_OPENSSL_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_OPENSSL_H */
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_parse.c b/contrib/bind9/lib/dns/sec/dst/dst_parse.c
new file mode 100644
index 0000000..1c5378c
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_parse.c
@@ -0,0 +1,412 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: dst_parse.c,v 1.31.2.1.10.10 2004/03/16 05:50:22 marka Exp $
+ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/dir.h>
+#include <isc/fsaccess.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst/result.h"
+
+#define DST_AS_STR(t) ((t).value.as_textregion.base)
+
+#define PRIVATE_KEY_STR "Private-key-format:"
+#define ALGORITHM_STR "Algorithm:"
+
+struct parse_map {
+ const int value;
+ const char *tag;
+};
+
+static struct parse_map map[] = {
+ {TAG_RSA_MODULUS, "Modulus:"},
+ {TAG_RSA_PUBLICEXPONENT, "PublicExponent:"},
+ {TAG_RSA_PRIVATEEXPONENT, "PrivateExponent:"},
+ {TAG_RSA_PRIME1, "Prime1:"},
+ {TAG_RSA_PRIME2, "Prime2:"},
+ {TAG_RSA_EXPONENT1, "Exponent1:"},
+ {TAG_RSA_EXPONENT2, "Exponent2:"},
+ {TAG_RSA_COEFFICIENT, "Coefficient:"},
+
+ {TAG_DH_PRIME, "Prime(p):"},
+ {TAG_DH_GENERATOR, "Generator(g):"},
+ {TAG_DH_PRIVATE, "Private_value(x):"},
+ {TAG_DH_PUBLIC, "Public_value(y):"},
+
+ {TAG_DSA_PRIME, "Prime(p):"},
+ {TAG_DSA_SUBPRIME, "Subprime(q):"},
+ {TAG_DSA_BASE, "Base(g):"},
+ {TAG_DSA_PRIVATE, "Private_value(x):"},
+ {TAG_DSA_PUBLIC, "Public_value(y):"},
+
+ {TAG_HMACMD5_KEY, "Key:"},
+ {0, NULL}
+};
+
+static int
+find_value(const char *s, const unsigned int alg) {
+ int i;
+
+ for (i = 0; ; i++) {
+ if (map[i].tag == NULL)
+ return (-1);
+ else if (strcasecmp(s, map[i].tag) == 0 &&
+ TAG_ALG(map[i].value) == alg)
+ return (map[i].value);
+ }
+}
+
+static const char *
+find_tag(const int value) {
+ int i;
+
+ for (i = 0; ; i++) {
+ if (map[i].tag == NULL)
+ return (NULL);
+ else if (value == map[i].value)
+ return (map[i].tag);
+ }
+}
+
+static int
+check_rsa(const dst_private_t *priv) {
+ int i, j;
+ if (priv->nelements != RSA_NTAGS)
+ return (-1);
+ for (i = 0; i < RSA_NTAGS; i++) {
+ for (j = 0; j < priv->nelements; j++)
+ if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
+ break;
+ if (j == priv->nelements)
+ return (-1);
+ }
+ return (0);
+}
+
+static int
+check_dh(const dst_private_t *priv) {
+ int i, j;
+ if (priv->nelements != DH_NTAGS)
+ return (-1);
+ for (i = 0; i < DH_NTAGS; i++) {
+ for (j = 0; j < priv->nelements; j++)
+ if (priv->elements[j].tag == TAG(DST_ALG_DH, i))
+ break;
+ if (j == priv->nelements)
+ return (-1);
+ }
+ return (0);
+}
+
+static int
+check_dsa(const dst_private_t *priv) {
+ int i, j;
+ if (priv->nelements != DSA_NTAGS)
+ return (-1);
+ for (i = 0; i < DSA_NTAGS; i++) {
+ for (j = 0; j < priv->nelements; j++)
+ if (priv->elements[j].tag == TAG(DST_ALG_DSA, i))
+ break;
+ if (j == priv->nelements)
+ return (-1);
+ }
+ return (0);
+}
+
+static int
+check_hmac_md5(const dst_private_t *priv) {
+ if (priv->nelements != HMACMD5_NTAGS)
+ return (-1);
+ if (priv->elements[0].tag != TAG_HMACMD5_KEY)
+ return (-1);
+ return (0);
+}
+
+static int
+check_data(const dst_private_t *priv, const unsigned int alg) {
+ /* XXXVIX this switch statement is too sparse to gen a jump table. */
+ switch (alg) {
+ case DST_ALG_RSAMD5:
+ case DST_ALG_RSASHA1:
+ return (check_rsa(priv));
+ case DST_ALG_DH:
+ return (check_dh(priv));
+ case DST_ALG_DSA:
+ return (check_dsa(priv));
+ case DST_ALG_HMACMD5:
+ return (check_hmac_md5(priv));
+ default:
+ return (DST_R_UNSUPPORTEDALG);
+ }
+}
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx) {
+ int i;
+
+ if (priv == NULL)
+ return;
+ for (i = 0; i < priv->nelements; i++) {
+ if (priv->elements[i].data == NULL)
+ continue;
+ memset(priv->elements[i].data, 0, MAXFIELDSIZE);
+ isc_mem_put(mctx, priv->elements[i].data, MAXFIELDSIZE);
+ }
+ priv->nelements = 0;
+}
+
+int
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+ isc_mem_t *mctx, dst_private_t *priv)
+{
+ int n = 0, major, minor;
+ isc_buffer_t b;
+ isc_token_t token;
+ unsigned char *data = NULL;
+ unsigned int opt = ISC_LEXOPT_EOL;
+ isc_result_t ret;
+
+ REQUIRE(priv != NULL);
+
+ priv->nelements = 0;
+
+#define NEXTTOKEN(lex, opt, token) \
+ do { \
+ ret = isc_lex_gettoken(lex, opt, token); \
+ if (ret != ISC_R_SUCCESS) \
+ goto fail; \
+ } while (0)
+
+#define READLINE(lex, opt, token) \
+ do { \
+ ret = isc_lex_gettoken(lex, opt, token); \
+ if (ret == ISC_R_EOF) \
+ break; \
+ else if (ret != ISC_R_SUCCESS) \
+ goto fail; \
+ } while ((*token).type != isc_tokentype_eol)
+
+ /*
+ * Read the description line.
+ */
+ NEXTTOKEN(lex, opt, &token);
+ if (token.type != isc_tokentype_string ||
+ strcmp(DST_AS_STR(token), PRIVATE_KEY_STR) != 0)
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ NEXTTOKEN(lex, opt, &token);
+ if (token.type != isc_tokentype_string ||
+ (DST_AS_STR(token))[0] != 'v')
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+ if (sscanf(DST_AS_STR(token), "v%d.%d", &major, &minor) != 2)
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ if (major > MAJOR_VERSION ||
+ (major == MAJOR_VERSION && minor > MINOR_VERSION))
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ READLINE(lex, opt, &token);
+
+ /*
+ * Read the algorithm line.
+ */
+ NEXTTOKEN(lex, opt, &token);
+ if (token.type != isc_tokentype_string ||
+ strcmp(DST_AS_STR(token), ALGORITHM_STR) != 0)
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ NEXTTOKEN(lex, opt | ISC_LEXOPT_NUMBER, &token);
+ if (token.type != isc_tokentype_number ||
+ token.value.as_ulong != (unsigned long) dst_key_alg(key))
+ {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ READLINE(lex, opt, &token);
+
+ /*
+ * Read the key data.
+ */
+ for (n = 0; n < MAXFIELDS; n++) {
+ int tag;
+ isc_region_t r;
+
+ do {
+ ret = isc_lex_gettoken(lex, opt, &token);
+ if (ret == ISC_R_EOF)
+ goto done;
+ if (ret != ISC_R_SUCCESS)
+ goto fail;
+ } while (token.type == isc_tokentype_eol);
+
+ if (token.type != isc_tokentype_string) {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+
+ memset(&priv->elements[n], 0, sizeof(dst_private_element_t));
+ tag = find_value(DST_AS_STR(token), alg);
+ if (tag < 0 || TAG_ALG(tag) != alg) {
+ ret = DST_R_INVALIDPRIVATEKEY;
+ goto fail;
+ }
+ priv->elements[n].tag = tag;
+
+ data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
+ if (data == NULL)
+ goto fail;
+
+ isc_buffer_init(&b, data, MAXFIELDSIZE);
+ ret = isc_base64_tobuffer(lex, &b, -1);
+ if (ret != ISC_R_SUCCESS)
+ goto fail;
+ isc_buffer_usedregion(&b, &r);
+ priv->elements[n].length = r.length;
+ priv->elements[n].data = r.base;
+
+ READLINE(lex, opt, &token);
+ data = NULL;
+ }
+ done:
+ priv->nelements = n;
+
+ if (check_data(priv, alg) < 0)
+ goto fail;
+
+ return (ISC_R_SUCCESS);
+
+fail:
+ priv->nelements = n;
+ dst__privstruct_free(priv, mctx);
+ if (data != NULL)
+ isc_mem_put(mctx, data, MAXFIELDSIZE);
+
+ return (ret);
+}
+
+int
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+ const char *directory)
+{
+ FILE *fp;
+ int ret, i;
+ isc_result_t iret;
+ char filename[ISC_DIR_NAMEMAX];
+ char buffer[MAXFIELDSIZE * 2];
+ isc_buffer_t b;
+ isc_fsaccess_t access;
+
+ REQUIRE(priv != NULL);
+
+ if (check_data(priv, dst_key_alg(key)) < 0)
+ return (DST_R_INVALIDPRIVATEKEY);
+
+ isc_buffer_init(&b, filename, sizeof(filename));
+ ret = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &b);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ if ((fp = fopen(filename, "w")) == NULL)
+ return (DST_R_WRITEERROR);
+
+ access = 0;
+ isc_fsaccess_add(ISC_FSACCESS_OWNER,
+ ISC_FSACCESS_READ | ISC_FSACCESS_WRITE,
+ &access);
+ (void)isc_fsaccess_set(filename, access);
+
+ /* XXXDCL return value should be checked for full filesystem */
+ fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, MAJOR_VERSION,
+ MINOR_VERSION);
+
+ fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+ /* XXXVIX this switch statement is too sparse to gen a jump table. */
+ switch (dst_key_alg(key)) {
+ case DST_ALG_RSAMD5:
+ fprintf(fp, "(RSA)\n");
+ break;
+ case DST_ALG_DH:
+ fprintf(fp, "(DH)\n");
+ break;
+ case DST_ALG_DSA:
+ fprintf(fp, "(DSA)\n");
+ break;
+ case DST_ALG_RSASHA1:
+ fprintf(fp, "(RSASHA1)\n");
+ break;
+ case DST_ALG_HMACMD5:
+ fprintf(fp, "(HMAC_MD5)\n");
+ break;
+ default:
+ fprintf(fp, "(?)\n");
+ break;
+ }
+
+ for (i = 0; i < priv->nelements; i++) {
+ isc_buffer_t b;
+ isc_region_t r;
+ const char *s;
+
+ s = find_tag(priv->elements[i].tag);
+
+ r.base = priv->elements[i].data;
+ r.length = priv->elements[i].length;
+ isc_buffer_init(&b, buffer, sizeof(buffer));
+ iret = isc_base64_totext(&r, sizeof(buffer), "", &b);
+ if (iret != ISC_R_SUCCESS) {
+ fclose(fp);
+ return (DST_R_INVALIDPRIVATEKEY);
+ }
+ isc_buffer_usedregion(&b, &r);
+
+ fprintf(fp, "%s ", s);
+ fwrite(r.base, 1, r.length, fp);
+ fprintf(fp, "\n");
+ }
+
+ fclose(fp);
+ return (ISC_R_SUCCESS);
+}
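Review bot: `dst__privstruct_parse` can report success after failing. When `isc_mem_get` returns NULL in the key-data loop, the code jumps to `fail` without assigning `ret`, which still holds ISC_R_SUCCESS from the preceding `isc_lex_gettoken`, so the caller is told the parse worked while the elements of `priv` have just been released. The `goto fail` after `check_data(priv, alg) < 0` has the same problem and returns whatever `ret` last held (ISC_R_EOF, or ISC_R_SUCCESS when all MAXFIELDS slots were read). In `dst__privstruct_writefile` the private key file is created with `fopen(filename, "w")` and narrowed to owner-only afterwards, with the result of `isc_fsaccess_set` discarded by a `(void)` cast, so key material is still written when the permission change did not take effect. The fence shows the three changes; if a supported platform cannot set these access bits, failing the write needs an explicit decision rather than a silent ignore.

```c
/* dst__privstruct_parse(): key-data loop */
		data = (unsigned char *) isc_mem_get(mctx, MAXFIELDSIZE);
		if (data == NULL) {
			ret = ISC_R_NOMEMORY;
			goto fail;
		}
/* … unchanged: base64 decode, READLINE, end of loop, done: label … */
	if (check_data(priv, alg) < 0) {
		ret = DST_R_INVALIDPRIVATEKEY;
		goto fail;
	}
/* … unchanged: success return and fail: path … */

/* dst__privstruct_writefile(): after fopen() and isc_fsaccess_add() */
	iret = isc_fsaccess_set(filename, access);
	if (iret != ISC_R_SUCCESS) {
		/* Do not write key material into a file we could not restrict. */
		fclose(fp);
		return (DST_R_WRITEERROR);
	}
/* … unchanged: header lines, algorithm switch, element loop … */
```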
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_parse.h b/contrib/bind9/lib/dns/sec/dst/dst_parse.h
new file mode 100644
index 0000000..ff554db
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_parse.h
@@ -0,0 +1,95 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dst_parse.h,v 1.19.12.4 2004/03/08 09:04:45 marka Exp $ */
+
+#ifndef DST_DST_PARSE_H
+#define DST_DST_PARSE_H 1
+
+#include <isc/lang.h>
+
+#include <dst/dst.h>
+
+#define MAJOR_VERSION 1
+#define MINOR_VERSION 2
+
+#define MAXFIELDSIZE 512
+#define MAXFIELDS 12
+
+#define TAG_SHIFT 4
+#define TAG_ALG(tag) ((unsigned int)(tag) >> TAG_SHIFT)
+#define TAG(alg, off) (((alg) << TAG_SHIFT) + (off))
+
+/* These are used by both RSA-MD5 and RSA-SHA1 */
+#define RSA_NTAGS 8
+#define TAG_RSA_MODULUS ((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
+#define TAG_RSA_PUBLICEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
+#define TAG_RSA_PRIVATEEXPONENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
+#define TAG_RSA_PRIME1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 3)
+#define TAG_RSA_PRIME2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 4)
+#define TAG_RSA_EXPONENT1 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
+#define TAG_RSA_EXPONENT2 ((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
+#define TAG_RSA_COEFFICIENT ((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
+
+#define DH_NTAGS 4
+#define TAG_DH_PRIME ((DST_ALG_DH << TAG_SHIFT) + 0)
+#define TAG_DH_GENERATOR ((DST_ALG_DH << TAG_SHIFT) + 1)
+#define TAG_DH_PRIVATE ((DST_ALG_DH << TAG_SHIFT) + 2)
+#define TAG_DH_PUBLIC ((DST_ALG_DH << TAG_SHIFT) + 3)
+
+#define DSA_NTAGS 5
+#define TAG_DSA_PRIME ((DST_ALG_DSA << TAG_SHIFT) + 0)
+#define TAG_DSA_SUBPRIME ((DST_ALG_DSA << TAG_SHIFT) + 1)
+#define TAG_DSA_BASE ((DST_ALG_DSA << TAG_SHIFT) + 2)
+#define TAG_DSA_PRIVATE ((DST_ALG_DSA << TAG_SHIFT) + 3)
+#define TAG_DSA_PUBLIC ((DST_ALG_DSA << TAG_SHIFT) + 4)
+
+#define HMACMD5_NTAGS 1
+#define TAG_HMACMD5_KEY ((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
+
+struct dst_private_element {
+ unsigned short tag;
+ unsigned short length;
+ unsigned char *data;
+};
+
+typedef struct dst_private_element dst_private_element_t;
+
+struct dst_private {
+ unsigned short nelements;
+ dst_private_element_t elements[MAXFIELDS];
+};
+
+typedef struct dst_private dst_private_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+dst__privstruct_free(dst_private_t *priv, isc_mem_t *mctx);
+
+int
+dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
+ isc_mem_t *mctx, dst_private_t *priv);
+
+int
+dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
+ const char *directory);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_PARSE_H */
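Review bot: The prototypes at the end of this header carry no ownership contract, and `dst__privstruct_free` needs one. In dst_parse.c it zeroes and then releases exactly MAXFIELDSIZE bytes for every non-NULL `elements[i].data`, so each buffer has to be a MAXFIELDSIZE allocation from the same `mctx`. A `dst_private_t` filled with pointers to smaller or non-heap buffers, as a caller preparing data for `dst__privstruct_writefile` might do, must not be passed to it. I would add above the prototype: `/* Frees elements filled in by dst__privstruct_parse(); every data buffer must be MAXFIELDSIZE bytes obtained from 'mctx'. Buffers are zeroed before release. */`.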
diff --git a/contrib/bind9/lib/dns/sec/dst/dst_result.c b/contrib/bind9/lib/dns/sec/dst/dst_result.c
new file mode 100644
index 0000000..d6c372f
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/dst_result.c
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: dst_result.c,v 1.18.2.1.8.2 2004/06/11 00:30:55 marka Exp $
+ */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+#include <dst/lib.h>
+
+static const char *text[DST_R_NRESULTS] = {
+ "algorithm is unsupported", /* 0 */
+ "openssl failure", /* 1 */
+ "built with no crypto support", /* 2 */
+ "illegal operation for a null key", /* 3 */
+ "public key is invalid", /* 4 */
+ "private key is invalid", /* 5 */
+ "UNUSED6", /* 6 */
+ "error occurred writing key to disk", /* 7 */
+ "invalid algorithm specific parameter", /* 8 */
+ "UNUSED9", /* 9 */
+ "UNUSED10", /* 10 */
+ "sign failure", /* 11 */
+ "UNUSED12", /* 12 */
+ "UNUSED13", /* 13 */
+ "verify failure", /* 14 */
+ "not a public key", /* 15 */
+ "not a private key", /* 16 */
+ "not a key that can compute a secret", /* 17 */
+ "failure computing a shared secret", /* 18 */
+ "no randomness available", /* 19 */
+ "bad key type" /* 20 */
+};
+
+#define DST_RESULT_RESULTSET 2
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+ isc_result_t result;
+
+ result = isc_result_register(ISC_RESULTCLASS_DST, DST_R_NRESULTS,
+ text, dst_msgcat, DST_RESULT_RESULTSET);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_result_register() failed: %u", result);
+}
+
+static void
+initialize(void) {
+ dst_lib_initmsgcat();
+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+dst_result_totext(isc_result_t result) {
+ initialize();
+
+ return (isc_result_totext(result));
+}
+
+void
+dst_result_register(void) {
+ initialize();
+}
diff --git a/contrib/bind9/lib/dns/sec/dst/gssapi_link.c b/contrib/bind9/lib/dns/sec/dst/gssapi_link.c
new file mode 100644
index 0000000..20f9f8f
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/gssapi_link.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: gssapi_link.c,v 1.7.12.4 2004/03/08 09:04:46 marka Exp $
+ */
+
+#ifdef GSSAPI
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+
+#include <gssapi/gssapi.h>
+
+#define INITIAL_BUFFER_SIZE 1024
+#define BUFFER_EXTRA 1024
+
+#define REGION_TO_GBUFFER(r, gb) \
+ do { \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
+ } while (0)
+
+typedef struct gssapi_ctx {
+ isc_buffer_t *buffer;
+ gss_ctx_id_t *context_id;
+} gssapi_ctx_t;
+
+
+static isc_result_t
+gssapi_createctx(dst_key_t *key, dst_context_t *dctx) {
+ gssapi_ctx_t *ctx;
+ isc_result_t result;
+
+ UNUSED(key);
+
+ ctx = isc_mem_get(dctx->mctx, sizeof(gssapi_ctx_t));
+ if (ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ ctx->buffer = NULL;
+ result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
+ INITIAL_BUFFER_SIZE);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
+ return (result);
+ }
+ ctx->context_id = key->opaque;
+ dctx->opaque = ctx;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+gssapi_destroyctx(dst_context_t *dctx) {
+ gssapi_ctx_t *ctx = dctx->opaque;
+
+ if (ctx != NULL) {
+ if (ctx->buffer != NULL)
+ isc_buffer_free(&ctx->buffer);
+ isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
+ dctx->opaque = NULL;
+ }
+}
+
+static isc_result_t
+gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ gssapi_ctx_t *ctx = dctx->opaque;
+ isc_buffer_t *newbuffer = NULL;
+ isc_region_t r;
+ unsigned int length;
+ isc_result_t result;
+
+ result = isc_buffer_copyregion(ctx->buffer, data);
+ if (result == ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+
+ length = isc_buffer_length(ctx->buffer) + data->length + BUFFER_EXTRA;
+
+ result = isc_buffer_allocate(dctx->mctx, &newbuffer, length);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ isc_buffer_usedregion(ctx->buffer, &r);
+ (void) isc_buffer_copyregion(newbuffer, &r);
+ (void) isc_buffer_copyregion(newbuffer, data);
+
+ isc_buffer_free(&ctx->buffer);
+ ctx->buffer = newbuffer;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ gssapi_ctx_t *ctx = dctx->opaque;
+ isc_region_t message;
+ gss_buffer_desc gmessage, gsig;
+ OM_uint32 minor, gret;
+
+ isc_buffer_usedregion(ctx->buffer, &message);
+ REGION_TO_GBUFFER(message, gmessage);
+
+ gret = gss_get_mic(&minor, ctx->context_id,
+ GSS_C_QOP_DEFAULT, &gmessage, &gsig);
+ if (gret != 0)
+ return (ISC_R_FAILURE);
+
+ if (gsig.length > isc_buffer_availablelength(sig)) {
+ gss_release_buffer(&minor, &gsig);
+ return (ISC_R_NOSPACE);
+ }
+
+ isc_buffer_putmem(sig, gsig.value, gsig.length);
+
+ gss_release_buffer(&minor, &gsig);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ gssapi_ctx_t *ctx = dctx->opaque;
+ isc_region_t message;
+ gss_buffer_desc gmessage, gsig;
+ OM_uint32 minor, gret;
+
+ isc_buffer_usedregion(ctx->buffer, &message);
+ REGION_TO_GBUFFER(message, gmessage);
+
+ REGION_TO_GBUFFER(*sig, gsig);
+
+ gret = gss_verify_mic(&minor, ctx->context_id, &gmessage, &gsig, NULL);
+ if (gret != 0)
+ return (ISC_R_FAILURE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ gss_ctx_id_t gsskey1 = key1->opaque;
+ gss_ctx_id_t gsskey2 = key2->opaque;
+
+ /* No idea */
+ return (ISC_TF(gsskey1 == gsskey2));
+}
+
+static isc_result_t
+gssapi_generate(dst_key_t *key, int unused) {
+ UNUSED(key);
+ UNUSED(unused);
+
+ /* No idea */
+ return (ISC_R_FAILURE);
+}
+
+static isc_boolean_t
+gssapi_isprivate(const dst_key_t *key) {
+ UNUSED(key);
+ return (ISC_TRUE);
+}
+
+static void
+gssapi_destroy(dst_key_t *key) {
+ UNUSED(key);
+ /* No idea */
+}
+
+static dst_func_t gssapi_functions = {
+ gssapi_createctx,
+ gssapi_destroyctx,
+ gssapi_adddata,
+ gssapi_sign,
+ gssapi_verify,
+ NULL, /* computesecret */
+ gssapi_compare,
+ NULL, /* paramcompare */
+ gssapi_generate,
+ gssapi_isprivate,
+ gssapi_destroy,
+ NULL, /* todns */
+ NULL, /* fromdns */
+ NULL, /* tofile */
+ NULL, /* parse */
+ NULL, /* cleanup */
+};
+
+isc_result_t
+dst__gssapi_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &gssapi_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else
+int gssapi_link_unneeded = 1;
+#endif
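Review bot: gssapi_destroy() is an empty stub, so the GSS security context held in key->opaque is never released here, although the dst_key_fromgssapi() comment in dst.h says the key becomes responsible for the context id. Unless a caller outside this hunk deletes it, releasing the handle there, for example `gss_delete_sec_context(&minor, &ctx_id, GSS_C_NO_BUFFER);` on the handle taken from key->opaque followed by `key->opaque = NULL;`, would close the leak. Separately, gssapi_createctx() marks key as UNUSED and then reads key->opaque, storing it in a field declared `gss_ctx_id_t *` that gssapi_sign() and gssapi_verify() pass where a `gss_ctx_id_t` is expected; declaring the field as `gss_ctx_id_t context_id;` would make the types agree. gssapi_verify() also maps every non-zero status to ISC_R_FAILURE, whereas hmacmd5_verify() returns DST_R_VERIFYFAILURE for a bad signature, so callers cannot tell a rejected MIC from another error.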
diff --git a/contrib/bind9/lib/dns/sec/dst/gssapictx.c b/contrib/bind9/lib/dns/sec/dst/gssapictx.c
new file mode 100644
index 0000000..0f74999
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/gssapictx.c
@@ -0,0 +1,262 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gssapictx.c,v 1.3.2.1.8.1 2004/03/06 08:14:21 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/keyvalues.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+#ifdef GSSAPI
+
+#include <gssapi/gssapi.h>
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto out; \
+ } while (0)
+
+#define REGION_TO_GBUFFER(r, gb) \
+ do { \
+ (gb).length = (r).length; \
+ (gb).value = (r).base; \
+ } while (0)
+
+#define GBUFFER_TO_REGION(gb, r) \
+ do { \
+ (r).length = (gb).length; \
+ (r).base = (gb).value; \
+ } while (0)
+
+static inline void
+name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
+ gss_buffer_desc *gbuffer)
+{
+ dns_name_t tname, *namep;
+ isc_region_t r;
+ isc_result_t result;
+
+ if (!dns_name_isabsolute(name))
+ namep = name;
+ else {
+ unsigned int labels;
+ dns_name_init(&tname, NULL);
+ labels = dns_name_countlabels(name);
+ dns_name_getlabelsequence(name, 0, labels - 1, &tname);
+ namep = &tname;
+ }
+
+ result = dns_name_totext(namep, ISC_FALSE, buffer);
+ isc_buffer_putuint8(buffer, 0);
+ isc_buffer_usedregion(buffer, &r);
+ REGION_TO_GBUFFER(r, *gbuffer);
+}
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
+ isc_buffer_t namebuf;
+ gss_name_t gname;
+ gss_buffer_desc gnamebuf;
+ unsigned char array[DNS_NAME_MAXTEXT + 1];
+ OM_uint32 gret, minor;
+ gss_OID_set mechs;
+ OM_uint32 lifetime;
+ gss_cred_usage_t usage;
+
+ REQUIRE(cred != NULL && *cred == NULL);
+
+ if (name != NULL) {
+ isc_buffer_init(&namebuf, array, sizeof(array));
+ name_to_gbuffer(name, &namebuf, &gnamebuf);
+ gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID,
+ &gname);
+ if (gret != GSS_S_COMPLETE)
+ return (ISC_R_FAILURE);
+ } else
+ gname = NULL;
+
+ if (initiate)
+ usage = GSS_C_INITIATE;
+ else
+ usage = GSS_C_ACCEPT;
+
+ gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
+ GSS_C_NO_OID_SET, usage,
+ cred, &mechs, &lifetime);
+ if (gret != GSS_S_COMPLETE)
+ return (ISC_R_FAILURE);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context)
+{
+ isc_region_t r;
+ isc_buffer_t namebuf;
+ gss_buffer_desc gnamebuf, gintoken, *gintokenp, gouttoken;
+ OM_uint32 gret, minor, flags, ret_flags;
+ gss_OID mech_type, ret_mech_type;
+ OM_uint32 lifetime;
+ gss_name_t gname;
+ isc_result_t result;
+ unsigned char array[DNS_NAME_MAXTEXT + 1];
+
+ isc_buffer_init(&namebuf, array, sizeof(array));
+ name_to_gbuffer(name, &namebuf, &gnamebuf);
+ gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+ if (gret != GSS_S_COMPLETE)
+ return (ISC_R_FAILURE);
+
+ if (intoken != NULL) {
+ REGION_TO_GBUFFER(*intoken, gintoken);
+ gintokenp = &gintoken;
+ } else
+ gintokenp = NULL;
+
+ if (*context == NULL)
+ *context = GSS_C_NO_CONTEXT;
+ flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
+ mech_type = GSS_C_NO_OID;
+
+ gret = gss_init_sec_context(&minor, cred, context, gname,
+ mech_type, flags, 0,
+ GSS_C_NO_CHANNEL_BINDINGS, gintokenp,
+ &ret_mech_type, &gouttoken, &ret_flags,
+ &lifetime);
+ if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED)
+ return (ISC_R_FAILURE);
+
+ GBUFFER_TO_REGION(gouttoken, r);
+ RETERR(isc_buffer_copyregion(outtoken, &r));
+
+ if (gret == GSS_S_COMPLETE)
+ return (ISC_R_SUCCESS);
+ else
+ return (DNS_R_CONTINUE);
+
+ out:
+ return (result);
+}
+
+isc_result_t
+dst_gssapi_acceptctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context)
+{
+ isc_region_t r;
+ isc_buffer_t namebuf;
+ gss_buffer_desc gnamebuf, gintoken, gouttoken;
+ OM_uint32 gret, minor, flags;
+ gss_OID mech_type;
+ OM_uint32 lifetime;
+ gss_cred_id_t delegated_cred;
+ gss_name_t gname;
+ isc_result_t result;
+ unsigned char array[DNS_NAME_MAXTEXT + 1];
+
+ isc_buffer_init(&namebuf, array, sizeof(array));
+ name_to_gbuffer(name, &namebuf, &gnamebuf);
+ gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
+ if (gret != GSS_S_COMPLETE)
+ return (ISC_R_FAILURE);
+
+ REGION_TO_GBUFFER(*intoken, gintoken);
+
+ if (*context == NULL)
+ *context = GSS_C_NO_CONTEXT;
+
+ gret = gss_accept_sec_context(&minor, context, cred, &gintoken,
+ GSS_C_NO_CHANNEL_BINDINGS, gname,
+ &mech_type, &gouttoken, &flags,
+ &lifetime, &delegated_cred);
+ if (gret != GSS_S_COMPLETE)
+ return (ISC_R_FAILURE);
+
+ GBUFFER_TO_REGION(gouttoken, r);
+ RETERR(isc_buffer_copyregion(outtoken, &r));
+
+ return (ISC_R_SUCCESS);
+
+ out:
+ return (result);
+}
+
+#else
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
+ UNUSED(name);
+ UNUSED(initiate);
+ UNUSED(cred);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context)
+{
+ UNUSED(name);
+ UNUSED(cred);
+ UNUSED(intoken);
+ UNUSED(outtoken);
+ UNUSED(context);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dst_gssapi_acceptctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context)
+{
+ UNUSED(name);
+ UNUSED(cred);
+ UNUSED(intoken);
+ UNUSED(outtoken);
+ UNUSED(context);
+ return (ISC_R_NOTIMPLEMENTED);
+}
+
+#endif
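Review bot: dst_gssapi_initctx() and dst_gssapi_acceptctx() never release the name returned by gss_import_name() or the output token filled in by the GSS call, so each negotiation round leaks both, including on the early error returns; dst_gssapi_acquirecred() likewise keeps gname and mechs. Adding `gss_release_name(&minor, &gname);` and, after the copy into outtoken, `gss_release_buffer(&minor, &gouttoken);` on every exit path fixes that, and the existing `out:` label is the natural place for it. In dst_gssapi_initctx() the request flags include GSS_C_DELEG_FLAG, which asks the mechanism to forward the initiator's credentials to the peer; nothing in this file uses delegated credentials, so dropping the flag is the least-privilege choice, and ret_flags is never checked to confirm that integrity and mutual authentication were actually granted. dst_gssapi_acceptctx() dereferences intoken without the NULL check that initctx has, and passes gname by value in the src_name position of gss_accept_sec_context(), which as far as I know is an output parameter of type `gss_name_t *`.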
diff --git a/contrib/bind9/lib/dns/sec/dst/hmac_link.c b/contrib/bind9/lib/dns/sec/dst/hmac_link.c
new file mode 100644
index 0000000..102121a
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/hmac_link.c
@@ -0,0 +1,282 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: hmac_link.c,v 1.53.2.1.8.5 2004/03/08 09:04:46 marka Exp $
+ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/hmacmd5.h>
+#include <isc/md5.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+
+#define HMAC_LEN 64
+#define HMAC_IPAD 0x36
+#define HMAC_OPAD 0x5c
+
+static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
+
+typedef struct hmackey {
+ unsigned char key[HMAC_LEN];
+} HMAC_Key;
+
+static isc_result_t
+hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
+ isc_hmacmd5_t *hmacmd5ctx;
+ HMAC_Key *hkey = key->opaque;
+
+ hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
+ if (hmacmd5ctx == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
+ dctx->opaque = hmacmd5ctx;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+hmacmd5_destroyctx(dst_context_t *dctx) {
+ isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+
+ if (hmacmd5ctx != NULL) {
+ isc_hmacmd5_invalidate(hmacmd5ctx);
+ isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
+ dctx->opaque = NULL;
+ }
+}
+
+static isc_result_t
+hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+
+ isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+ unsigned char *digest;
+
+ if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
+ return (ISC_R_NOSPACE);
+ digest = isc_buffer_used(sig);
+ isc_hmacmd5_sign(hmacmd5ctx, digest);
+ isc_buffer_add(sig, ISC_MD5_DIGESTLENGTH);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+
+ if (sig->length < ISC_MD5_DIGESTLENGTH)
+ return (DST_R_VERIFYFAILURE);
+
+ if (isc_hmacmd5_verify(hmacmd5ctx, sig->base))
+ return (ISC_R_SUCCESS);
+ else
+ return (DST_R_VERIFYFAILURE);
+}
+
+static isc_boolean_t
+hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ HMAC_Key *hkey1, *hkey2;
+
+ hkey1 = (HMAC_Key *)key1->opaque;
+ hkey2 = (HMAC_Key *)key2->opaque;
+
+ if (hkey1 == NULL && hkey2 == NULL)
+ return (ISC_TRUE);
+ else if (hkey1 == NULL || hkey2 == NULL)
+ return (ISC_FALSE);
+
+ if (memcmp(hkey1->key, hkey2->key, HMAC_LEN) == 0)
+ return (ISC_TRUE);
+ else
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+hmacmd5_generate(dst_key_t *key, int pseudorandom_ok) {
+ isc_buffer_t b;
+ isc_result_t ret;
+ int bytes;
+ unsigned char data[HMAC_LEN];
+
+ bytes = (key->key_size + 7) / 8;
+ if (bytes > 64) {
+ bytes = 64;
+ key->key_size = 512;
+ }
+
+ memset(data, 0, HMAC_LEN);
+ ret = dst__entropy_getdata(data, bytes, ISC_TF(pseudorandom_ok != 0));
+
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ isc_buffer_init(&b, data, bytes);
+ isc_buffer_add(&b, bytes);
+ ret = hmacmd5_fromdns(key, &b);
+ memset(data, 0, HMAC_LEN);
+
+ return (ret);
+}
+
+static isc_boolean_t
+hmacmd5_isprivate(const dst_key_t *key) {
+ UNUSED(key);
+ return (ISC_TRUE);
+}
+
+static void
+hmacmd5_destroy(dst_key_t *key) {
+ HMAC_Key *hkey = key->opaque;
+ memset(hkey, 0, sizeof(HMAC_Key));
+ isc_mem_put(key->mctx, hkey, sizeof(HMAC_Key));
+ key->opaque = NULL;
+}
+
+static isc_result_t
+hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
+ HMAC_Key *hkey;
+ unsigned int bytes;
+
+ REQUIRE(key->opaque != NULL);
+
+ hkey = (HMAC_Key *) key->opaque;
+
+ bytes = (key->key_size + 7) / 8;
+ if (isc_buffer_availablelength(data) < bytes)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putmem(data, hkey->key, bytes);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ HMAC_Key *hkey;
+ int keylen;
+ isc_region_t r;
+ isc_md5_t md5ctx;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ hkey = (HMAC_Key *) isc_mem_get(key->mctx, sizeof(HMAC_Key));
+ if (hkey == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(hkey->key, 0, sizeof(hkey->key));
+
+ if (r.length > HMAC_LEN) {
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, hkey->key);
+ keylen = ISC_MD5_DIGESTLENGTH;
+ }
+ else {
+ memcpy(hkey->key, r.base, r.length);
+ keylen = r.length;
+ }
+
+ key->key_size = keylen * 8;
+ key->opaque = hkey;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+hmacmd5_tofile(const dst_key_t *key, const char *directory) {
+ int cnt = 0;
+ HMAC_Key *hkey;
+ dst_private_t priv;
+ int bytes = (key->key_size + 7) / 8;
+
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ hkey = (HMAC_Key *) key->opaque;
+
+ priv.elements[cnt].tag = TAG_HMACMD5_KEY;
+ priv.elements[cnt].length = bytes;
+ priv.elements[cnt++].data = hkey->key;
+
+ priv.nelements = cnt;
+ return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
+ dst_private_t priv;
+ isc_result_t ret;
+ isc_buffer_t b;
+ isc_mem_t *mctx = key->mctx;
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_HMACMD5, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ isc_buffer_init(&b, priv.elements[0].data, priv.elements[0].length);
+ isc_buffer_add(&b, priv.elements[0].length);
+ ret = hmacmd5_fromdns(key, &b);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t hmacmd5_functions = {
+ hmacmd5_createctx,
+ hmacmd5_destroyctx,
+ hmacmd5_adddata,
+ hmacmd5_sign,
+ hmacmd5_verify,
+ NULL, /* computesecret */
+ hmacmd5_compare,
+ NULL, /* paramcompare */
+ hmacmd5_generate,
+ hmacmd5_isprivate,
+ hmacmd5_destroy,
+ hmacmd5_todns,
+ hmacmd5_fromdns,
+ hmacmd5_tofile,
+ hmacmd5_parse,
+ NULL, /* cleanup */
+};
+
+isc_result_t
+dst__hmacmd5_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &hmacmd5_functions;
+ return (ISC_R_SUCCESS);
+}
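Review bot: hmacmd5_fromdns() returns ISC_R_SUCCESS for an empty buffer without setting key->opaque, yet hmacmd5_createctx() and hmacmd5_destroy() dereference key->opaque unconditionally, while hmacmd5_compare() and hmacmd5_tofile() do check for NULL. A guard such as `if (hkey == NULL) return (DST_R_NULLKEY);` in createctx and `if (hkey == NULL) return;` in destroy would make the zero-length-key case safe, unless callers outside this hunk already exclude it. The `memset(data, 0, HMAC_LEN)` in hmacmd5_generate() and `memset(hkey, 0, sizeof(HMAC_Key))` in hmacmd5_destroy() wipe key material just before the buffer goes out of scope or is freed, a pattern a compiler may drop as a dead store; a wipe through a volatile pointer or a platform secure-zero routine is more reliable. hmacmd5_verify() only rejects signatures shorter than ISC_MD5_DIGESTLENGTH, so bytes following the digest are ignored rather than rejected.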
diff --git a/contrib/bind9/lib/dns/sec/dst/include/Makefile.in b/contrib/bind9/lib/dns/sec/dst/include/Makefile.in
new file mode 100644
index 0000000..4bf4922
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8.206.1 2004/03/06 08:14:23 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = dst
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/dns/sec/dst/include/dst/Makefile.in b/contrib/bind9/lib/dns/sec/dst/include/dst/Makefile.in
new file mode 100644
index 0000000..c59dbb4
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/dst/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:23 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = dst.h lib.h result.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/dst
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst ; \
+ done
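Review bot: The `install::` loop may not stop on failure: under a make that does not run recipes with `sh -e` (GNU make, for one), the loop's exit status is that of the last `${INSTALL_DATA}` only, so a failed copy of an earlier header goes unnoticed. Appending `|| exit 1` to the command, i.e. `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/dst || exit 1 ; \`, makes the rule fail as soon as one header cannot be installed. Quoting the destination as `"${DESTDIR}${includedir}/dst"` would also keep the rule working when DESTDIR contains spaces.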
diff --git a/contrib/bind9/lib/dns/sec/dst/include/dst/dst.h b/contrib/bind9/lib/dns/sec/dst/include/dst/dst.h
new file mode 100644
index 0000000..614971a
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/dst/dst.h
@@ -0,0 +1,570 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dst.h,v 1.42.2.1.8.6 2004/06/11 00:31:01 marka Exp $ */
+
+#ifndef DST_DST_H
+#define DST_DST_H 1
+
+#include <isc/lang.h>
+
+#include <dns/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/*
+ * The dst_key structure is opaque. Applications should use the accessor
+ * functions provided to retrieve key attributes. If an application needs
+ * to set attributes, new accessor functions will be written.
+ */
+
+typedef struct dst_key dst_key_t;
+typedef struct dst_context dst_context_t;
+
+/* DST algorithm codes */
+#define DST_ALG_UNKNOWN 0
+#define DST_ALG_RSAMD5 1
+#define DST_ALG_RSA DST_ALG_RSAMD5 /* backwards compatibility */
+#define DST_ALG_DH 2
+#define DST_ALG_DSA 3
+#define DST_ALG_ECC 4
+#define DST_ALG_RSASHA1 5
+#define DST_ALG_HMACMD5 157
+#define DST_ALG_GSSAPI 160
+#define DST_ALG_PRIVATE 254
+#define DST_ALG_EXPAND 255
+#define DST_MAX_ALGS 255
+
+/* A buffer of this size is large enough to hold any key */
+#define DST_KEY_MAXSIZE 1280
+
+/*
+ * A buffer of this size is large enough to hold the textual representation
+ * of any key
+ */
+#define DST_KEY_MAXTEXTSIZE 2048
+
+/* 'Type' for dst_read_key() */
+#define DST_TYPE_KEY 0x1000000 /* KEY key */
+#define DST_TYPE_PRIVATE 0x2000000
+#define DST_TYPE_PUBLIC 0x4000000
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+/*
+ * Initializes the DST subsystem.
+ *
+ * Requires:
+ * "mctx" is a valid memory context
+ * "ectx" is a valid entropy context
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Ensures:
+ * DST is properly initialized.
+ */
+
+void
+dst_lib_destroy(void);
+/*
+ * Releases all resources allocated by DST.
+ */
+
+isc_boolean_t
+dst_algorithm_supported(unsigned int alg);
+/*
+ * Checks that a given algorithm is supported by DST.
+ *
+ * Returns:
+ * ISC_TRUE
+ * ISC_FALSE
+ */
+
+isc_result_t
+dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp);
+/*
+ * Creates a context to be used for a sign or verify operation.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "mctx" is a valid memory context.
+ * dctxp != NULL && *dctxp == NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ *
+ * Ensures:
+ * *dctxp will contain a usable context.
+ */
+
+void
+dst_context_destroy(dst_context_t **dctxp);
+/*
+ * Destroys all memory associated with a context.
+ *
+ * Requires:
+ * *dctxp != NULL && *dctxp == NULL
+ *
+ * Ensures:
+ * *dctxp == NULL
+ */
+
+isc_result_t
+dst_context_adddata(dst_context_t *dctx, const isc_region_t *data);
+/*
+ * Incrementally adds data to the context to be used in a sign or verify
+ * operation.
+ *
+ * Requires:
+ * "dctx" is a valid context
+ * "data" is a valid region
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DST_R_SIGNFAILURE
+ * all other errors indicate failure
+ */
+
+isc_result_t
+dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig);
+/*
+ * Computes a signature using the data and key stored in the context.
+ *
+ * Requires:
+ * "dctx" is a valid context.
+ * "sig" is a valid buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DST_R_VERIFYFAILURE
+ * all other errors indicate failure
+ *
+ * Ensures:
+ * "sig" will contain the signature
+ */
+
+isc_result_t
+dst_context_verify(dst_context_t *dctx, isc_region_t *sig);
+/*
+ * Verifies the signature using the data and key stored in the context.
+ *
+ * Requires:
+ * "dctx" is a valid context.
+ * "sig" is a valid region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * all other errors indicate failure
+ *
+ * Ensures:
+ * "sig" will contain the signature
+ */
+
+isc_result_t
+dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ isc_buffer_t *secret);
+/*
+ * Computes a shared secret from two (Diffie-Hellman) keys.
+ *
+ * Requires:
+ * "pub" is a valid key that can be used to derive a shared secret
+ * "priv" is a valid private key that can be used to derive a shared secret
+ * "secret" is a valid buffer
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, secret will contain the derived shared secret.
+ */
+
+isc_result_t
+dst_key_fromfile(dns_name_t *name, dns_keytag_t id, unsigned int alg, int type,
+ const char *directory, isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Reads a key from permanent storage. The key can either be a public or
+ * private key, and is specified by name, algorithm, and id. If a private key
+ * is specified, the public key must also be present. If directory is NULL,
+ * the current directory is assumed.
+ *
+ * Requires:
+ * "name" is a valid absolute dns name.
+ * "id" is a valid key tag identifier.
+ * "alg" is a supported key algorithm.
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union.
+ * DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
+ dst_key_t **keyp);
+/*
+ * Reads a key from permanent storage. The key can either be a public or
+ * key, and is specified by filename. If a private key is specified, the
+ * public key must also be present.
+ *
+ * Requires:
+ * "filename" is not NULL
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ * DST_TYPE_KEY look for a KEY record otherwise DNSKEY
+ * "mctx" is a valid memory context
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key.
+ */
+
+isc_result_t
+dst_key_tofile(const dst_key_t *key, int type, const char *directory);
+/*
+ * Writes a key to permanent storage. The key can either be a public or
+ * private key. Public keys are written in DNS format and private keys
+ * are written as a set of base64 encoded values. If directory is NULL,
+ * the current directory is assumed.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "type" is DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or the bitwise union
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ */
+
+isc_result_t
+dst_key_fromdns(dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Converts a DNS KEY record into a DST key.
+ *
+ * Requires:
+ * "name" is a valid absolute dns name.
+ * "source" is a valid buffer. There must be at least 4 bytes available.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key, and the consumed
+ * pointer in data will be advanced.
+ */
+
+isc_result_t
+dst_key_todns(const dst_key_t *key, isc_buffer_t *target);
+/*
+ * Converts a DST key into a DNS KEY record.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "target" is a valid buffer. There must be at least 4 bytes unused.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, the used pointer in 'target' is advanced by at least 4.
+ */
+
+isc_result_t
+dst_key_frombuffer(dns_name_t *name, unsigned int alg,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Converts a buffer containing DNS KEY RDATA into a DST key.
+ *
+ * Requires:
+ * "name" is a valid absolute dns name.
+ * "alg" is a supported key algorithm.
+ * "source" is a valid buffer.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key, and the consumed
+ * pointer in source will be advanced.
+ */
+
+isc_result_t
+dst_key_tobuffer(const dst_key_t *key, isc_buffer_t *target);
+/*
+ * Converts a DST key into DNS KEY RDATA format.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "target" is a valid buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, the used pointer in 'target' is advanced.
+ */
+
+isc_result_t
+dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
+/*
+ * Converts a public key into a private key, reading the private key
+ * information from the buffer. The buffer should contain the same data
+ * as the .private key file would.
+ *
+ * Requires:
+ * "key" is a valid public key.
+ * "buffer" is not NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, key will contain a valid private key.
+ */
+
+
+isc_result_t
+dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
+ dst_key_t **keyp);
+/*
+ * Converts a GSSAPI opaque context id into a DST key.
+ *
+ * Requires:
+ * "name" is a valid absolute dns name.
+ * "opaque" is a GSSAPI context id.
+ * "mctx" is a valid memory context.
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key and be responsible for
+ * the context id.
+ */
+
+isc_result_t
+dst_key_generate(dns_name_t *name, unsigned int alg,
+ unsigned int bits, unsigned int param,
+ unsigned int flags, unsigned int protocol,
+ dns_rdataclass_t rdclass,
+ isc_mem_t *mctx, dst_key_t **keyp);
+/*
+ * Generate a DST key (or keypair) with the supplied parameters. The
+ * interpretation of the "param" field depends on the algorithm:
+ * RSA: exponent
+ * 0 use exponent 3
+ * !0 use Fermat4 (2^16 + 1)
+ * DH: generator
+ * 0 default - use well known prime if bits == 768 or 1024,
+ * otherwise use 2 as the generator.
+ * !0 use this value as the generator.
+ * DSA: unused
+ * HMACMD5: entropy
+ * 0 default - require good entropy
+ * !0 lack of good entropy is ok
+ *
+ * Requires:
+ * "name" is a valid absolute dns name.
+ * "keyp" is not NULL and "*keyp" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * any other result indicates failure
+ *
+ * Ensures:
+ * If successful, *keyp will contain a valid key.
+ */
+
+isc_boolean_t
+dst_key_compare(const dst_key_t *key1, const dst_key_t *key2);
+/*
+ * Compares two DST keys.
+ *
+ * Requires:
+ * "key1" is a valid key.
+ * "key2" is a valid key.
+ *
+ * Returns:
+ * ISC_TRUE
+ * ISC_FALSE
+ */
+
+isc_boolean_t
+dst_key_paramcompare(const dst_key_t *key1, const dst_key_t *key2);
+/*
+ * Compares the parameters of two DST keys. This is used to determine if
+ * two (Diffie-Hellman) keys can be used to derive a shared secret.
+ *
+ * Requires:
+ * "key1" is a valid key.
+ * "key2" is a valid key.
+ *
+ * Returns:
+ * ISC_TRUE
+ * ISC_FALSE
+ */
+
+void
+dst_key_free(dst_key_t **keyp);
+/*
+ * Release all memory associated with the key.
+ *
+ * Requires:
+ * "keyp" is not NULL and "*keyp" is a valid key.
+ *
+ * Ensures:
+ * All memory associated with "*keyp" will be freed.
+ * *keyp == NULL
+ */
+
+/*
+ * Accessor functions to obtain key fields.
+ *
+ * Require:
+ * "key" is a valid key.
+ */
+dns_name_t *
+dst_key_name(const dst_key_t *key);
+
+unsigned int
+dst_key_size(const dst_key_t *key);
+
+unsigned int
+dst_key_proto(const dst_key_t *key);
+
+unsigned int
+dst_key_alg(const dst_key_t *key);
+
+isc_uint32_t
+dst_key_flags(const dst_key_t *key);
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key);
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key);
+
+isc_boolean_t
+dst_key_isprivate(const dst_key_t *key);
+
+isc_boolean_t
+dst_key_iszonekey(const dst_key_t *key);
+
+isc_boolean_t
+dst_key_isnullkey(const dst_key_t *key);
+
+isc_result_t
+dst_key_buildfilename(const dst_key_t *key, int type,
+ const char *directory, isc_buffer_t *out);
+/*
+ * Generates the filename used by dst to store the specified key.
+ * If directory is NULL, the current directory is assumed.
+ *
+ * Requires:
+ * "key" is a valid key
+ * "type" is either DST_TYPE_PUBLIC, DST_TYPE_PRIVATE, or 0 for no suffix.
+ * "out" is a valid buffer
+ *
+ * Ensures:
+ * the file name will be written to "out", and the used pointer will
+ * be advanced.
+ */
+
+isc_result_t
+dst_key_sigsize(const dst_key_t *key, unsigned int *n);
+/*
+ * Computes the size of a signature generated by the given key.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "n" is not NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ * "n" stores the size of a generated signature
+ */
+
+isc_result_t
+dst_key_secretsize(const dst_key_t *key, unsigned int *n);
+/*
+ * Computes the size of a shared secret generated by the given key.
+ *
+ * Requires:
+ * "key" is a valid key.
+ * "n" is not NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * DST_R_UNSUPPORTEDALG
+ *
+ * Ensures:
+ * "n" stores the size of a generated shared secret
+ */
+
+isc_uint16_t
+dst_region_computeid(const isc_region_t *source, unsigned int alg);
+/*
+ * Computes the key id of the key stored in the provided region with the
+ * given algorithm.
+ *
+ * Requires:
+ * "source" contains a valid, non-NULL region.
+ *
+ * Returns:
+ * the key id
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_DST_H */
diff --git a/contrib/bind9/lib/dns/sec/dst/include/dst/gssapi.h b/contrib/bind9/lib/dns/sec/dst/include/dst/gssapi.h
new file mode 100644
index 0000000..564e488
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/dst/gssapi.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gssapi.h,v 1.3.206.1 2004/03/06 08:14:25 marka Exp $ */
+
+#ifndef DST_GSSAPI_H
+#define DST_GSSAPI_H 1
+
+#include <isc/lang.h>
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred);
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context);
+
+isc_result_t
+dst_gssapi_acceptctx(dns_name_t *name, void *cred,
+ isc_region_t *intoken, isc_buffer_t *outtoken,
+ void **context);
+
+/*
+ * XXX
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_GSSAPI_H */
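Review bot: The three prototypes dst_gssapi_acquirecred, dst_gssapi_initctx and dst_gssapi_acceptctx have no Requires/Returns/Ensures comment, unlike the declarations in dst.h, and the only comment in the header is `XXX`. Because `cred` and `context` are untyped `void *` handles, each prototype should get a contract block stating whether `*cred` and `*context` must be NULL on entry, who releases them, and what `outtoken` holds on a non-success result. The header also names `dns_name_t` while including only `<isc/lang.h>` and `<isc/types.h>`, so it presumably relies on the includer having pulled in the dns types first; an explicit include would make it self-contained.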
diff --git a/contrib/bind9/lib/dns/sec/dst/include/dst/lib.h b/contrib/bind9/lib/dns/sec/dst/include/dst/lib.h
new file mode 100644
index 0000000..11b23e3
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/dst/lib.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:47 marka Exp $ */
+
+#ifndef DST_LIB_H
+#define DST_LIB_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBDNS_EXTERNAL_DATA extern isc_msgcat_t *dst_msgcat;
+
+void
+dst_lib_initmsgcat(void);
+/*
+ * Initialize the DST library's message catalog, dst_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_LIB_H */
diff --git a/contrib/bind9/lib/dns/sec/dst/include/dst/result.h b/contrib/bind9/lib/dns/sec/dst/include/dst/result.h
new file mode 100644
index 0000000..fa5ff39
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/include/dst/result.h
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.h,v 1.20.206.2 2004/06/11 00:31:01 marka Exp $ */
+
+#ifndef DST_RESULT_H
+#define DST_RESULT_H 1
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+
+/*
+ * Nothing in this file truly depends on <isc/result.h>, but the
+ * DST result codes are considered to be publicly derived from
+ * the ISC result codes, so including this file buys you the ISC_R_
+ * namespace too.
+ */
+#include <isc/result.h> /* Contractual promise. */
+
+#define DST_R_UNSUPPORTEDALG (ISC_RESULTCLASS_DST + 0)
+#define DST_R_OPENSSLFAILURE (ISC_RESULTCLASS_DST + 1)
+#define DST_R_NOCRYPTO (ISC_RESULTCLASS_DST + 2)
+#define DST_R_NULLKEY (ISC_RESULTCLASS_DST + 3)
+#define DST_R_INVALIDPUBLICKEY (ISC_RESULTCLASS_DST + 4)
+#define DST_R_INVALIDPRIVATEKEY (ISC_RESULTCLASS_DST + 5)
+/* 6 is unused */
+#define DST_R_WRITEERROR (ISC_RESULTCLASS_DST + 7)
+#define DST_R_INVALIDPARAM (ISC_RESULTCLASS_DST + 8)
+/* 9 is unused */
+/* 10 is unused */
+#define DST_R_SIGNFAILURE (ISC_RESULTCLASS_DST + 11)
+/* 12 is unused */
+/* 13 is unused */
+#define DST_R_VERIFYFAILURE (ISC_RESULTCLASS_DST + 14)
+#define DST_R_NOTPUBLICKEY (ISC_RESULTCLASS_DST + 15)
+#define DST_R_NOTPRIVATEKEY (ISC_RESULTCLASS_DST + 16)
+#define DST_R_KEYCANNOTCOMPUTESECRET (ISC_RESULTCLASS_DST + 17)
+#define DST_R_COMPUTESECRETFAILURE (ISC_RESULTCLASS_DST + 18)
+#define DST_R_NORANDOMNESS (ISC_RESULTCLASS_DST + 19)
+#define DST_R_BADKEYTYPE (ISC_RESULTCLASS_DST + 20)
+
+#define DST_R_NRESULTS 21 /* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *
+dst_result_totext(isc_result_t);
+
+void
+dst_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DST_RESULT_H */
diff --git a/contrib/bind9/lib/dns/sec/dst/key.c b/contrib/bind9/lib/dns/sec/dst/key.c
new file mode 100644
index 0000000..e373cf6
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/key.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: key.c,v 1.6.206.1 2004/03/06 08:14:22 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+
+#include <dst/dst.h>
+
+#include "dst_internal.h"
+
+isc_uint16_t
+dst_region_computeid(const isc_region_t *source, unsigned int alg) {
+ isc_uint32_t ac;
+ const unsigned char *p;
+ int size;
+
+ REQUIRE(source != NULL);
+ REQUIRE(source->length >= 4);
+
+ p = source->base;
+ size = source->length;
+
+ if (alg == DST_ALG_RSAMD5)
+ return ((p[size - 3] << 8) + p[size - 2]);
+
+ for (ac = 0; size > 1; size -= 2, p += 2)
+ ac += ((*p) << 8) + *(p + 1);
+
+ if (size > 0)
+ ac += ((*p) << 8);
+ ac += (ac >> 16) & 0xffff;
+
+ return ((isc_uint16_t)(ac & 0xffff));
+}
+
+dns_name_t *
+dst_key_name(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_name);
+}
+
+unsigned int
+dst_key_size(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_size);
+}
+
+unsigned int
+dst_key_proto(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_proto);
+}
+
+unsigned int
+dst_key_alg(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_alg);
+}
+
+isc_uint32_t
+dst_key_flags(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_flags);
+}
+
+dns_keytag_t
+dst_key_id(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_id);
+}
+
+dns_rdataclass_t
+dst_key_class(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+ return (key->key_class);
+}
+
+isc_boolean_t
+dst_key_iszonekey(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+
+ if ((key->key_flags & DNS_KEYTYPE_NOAUTH) != 0)
+ return (ISC_FALSE);
+ if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+ return (ISC_FALSE);
+ if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+ key->key_proto != DNS_KEYPROTO_ANY)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+dst_key_isnullkey(const dst_key_t *key) {
+ REQUIRE(VALID_KEY(key));
+
+ if ((key->key_flags & DNS_KEYFLAG_TYPEMASK) != DNS_KEYTYPE_NOKEY)
+ return (ISC_FALSE);
+ if ((key->key_flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+ return (ISC_FALSE);
+ if (key->key_proto != DNS_KEYPROTO_DNSSEC &&
+ key->key_proto != DNS_KEYPROTO_ANY)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
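Review bot: dst_region_computeid enforces `REQUIRE(source->length >= 4)`, but the contract in dst.h only says that "source" contains a valid, non-NULL region, so a caller reading the header cannot know about the minimum length. REQUIRE is presumably an assertion that aborts the process, so any caller passing key data taken from the wire has to check the length before calling. I would add `"source" has a length of at least 4.` to the Requires block in dst.h and a matching comment above the function here. Separately, `size` is declared `int` but is assigned from the unsigned `source->length`; `unsigned int size;` would avoid the narrowing.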
diff --git a/contrib/bind9/lib/dns/sec/dst/openssl_link.c b/contrib/bind9/lib/dns/sec/dst/openssl_link.c
new file mode 100644
index 0000000..62b17c3
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/openssl_link.c
@@ -0,0 +1,219 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: openssl_link.c,v 1.46.2.2.2.9 2004/03/16 05:50:23 marka Exp $
+ */
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/mutex.h>
+#include <isc/mutexblock.h>
+#include <isc/string.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+
+#include <openssl/err.h>
+#include <openssl/rand.h>
+#include <openssl/crypto.h>
+
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER < 0x00907000L)
+#define USE_ENGINE 1
+#endif
+
+#ifdef USE_ENGINE
+#include <openssl/engine.h>
+#endif
+
+static RAND_METHOD *rm = NULL;
+static isc_mutex_t *locks = NULL;
+static int nlocks;
+
+#ifdef USE_ENGINE
+static ENGINE *e;
+#endif
+
+
+static int
+entropy_get(unsigned char *buf, int num) {
+ isc_result_t result;
+ if (num < 0)
+ return (-1);
+ result = dst__entropy_getdata(buf, (unsigned int) num, ISC_FALSE);
+ return (result == ISC_R_SUCCESS ? num : -1);
+}
+
+static int
+entropy_getpseudo(unsigned char *buf, int num) {
+ isc_result_t result;
+ if (num < 0)
+ return (-1);
+ result = dst__entropy_getdata(buf, (unsigned int) num, ISC_TRUE);
+ return (result == ISC_R_SUCCESS ? num : -1);
+}
+
+static void
+entropy_add(const void *buf, int num, double entropy) {
+ /*
+ * Do nothing. The only call to this provides no useful data anyway.
+ */
+ UNUSED(buf);
+ UNUSED(num);
+ UNUSED(entropy);
+}
+
+static void
+lock_callback(int mode, int type, const char *file, int line) {
+ UNUSED(file);
+ UNUSED(line);
+ if ((mode & CRYPTO_LOCK) != 0)
+ LOCK(&locks[type]);
+ else
+ UNLOCK(&locks[type]);
+}
+
+static unsigned long
+id_callback(void) {
+ return ((unsigned long)isc_thread_self());
+}
+
+static void *
+mem_alloc(size_t size) {
+ INSIST(dst__memory_pool != NULL);
+ return (isc_mem_allocate(dst__memory_pool, size));
+}
+
+static void
+mem_free(void *ptr) {
+ INSIST(dst__memory_pool != NULL);
+ if (ptr != NULL)
+ isc_mem_free(dst__memory_pool, ptr);
+}
+
+static void *
+mem_realloc(void *ptr, size_t size) {
+ void *p;
+
+ INSIST(dst__memory_pool != NULL);
+ p = NULL;
+ if (size > 0U) {
+ p = mem_alloc(size);
+ if (p != NULL && ptr != NULL)
+ memcpy(p, ptr, size);
+ }
+ if (ptr != NULL)
+ mem_free(ptr);
+ return (p);
+}
+
+isc_result_t
+dst__openssl_init() {
+ isc_result_t result;
+
+ CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
+ nlocks = CRYPTO_num_locks();
+ locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
+ if (locks == NULL)
+ return (ISC_R_NOMEMORY);
+ result = isc_mutexblock_init(locks, nlocks);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_mutexalloc;
+ CRYPTO_set_locking_callback(lock_callback);
+ CRYPTO_set_id_callback(id_callback);
+ rm = mem_alloc(sizeof(RAND_METHOD));
+ if (rm == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_mutexinit;
+ }
+ rm->seed = NULL;
+ rm->bytes = entropy_get;
+ rm->cleanup = NULL;
+ rm->add = entropy_add;
+ rm->pseudorand = entropy_getpseudo;
+ rm->status = NULL;
+#ifdef USE_ENGINE
+ e = ENGINE_new();
+ if (e == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_rm;
+ }
+ ENGINE_set_RAND(e, rm);
+ RAND_set_rand_method(e);
+#else
+ RAND_set_rand_method(rm);
+#endif
+ return (ISC_R_SUCCESS);
+
+#ifdef USE_ENGINE
+ cleanup_rm:
+ mem_free(rm);
+#endif
+ cleanup_mutexinit:
+ DESTROYMUTEXBLOCK(locks, nlocks);
+ cleanup_mutexalloc:
+ mem_free(locks);
+ return (result);
+}
+
+void
+dst__openssl_destroy() {
+ ERR_clear_error();
+#ifdef USE_ENGINE
+ if (e != NULL) {
+ ENGINE_free(e);
+ e = NULL;
+ }
+#endif
+ if (locks != NULL) {
+ DESTROYMUTEXBLOCK(locks, nlocks);
+ mem_free(locks);
+ }
+ if (rm != NULL)
+ mem_free(rm);
+}
+
+isc_result_t
+dst__openssl_toresult(isc_result_t fallback) {
+ isc_result_t result = fallback;
+ int err = ERR_get_error();
+
+ switch (ERR_GET_REASON(err)) {
+ case ERR_R_MALLOC_FAILURE:
+ result = ISC_R_NOMEMORY;
+ break;
+ default:
+ break;
+ }
+ ERR_clear_error();
+ return (result);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
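Review bot: mem_realloc copies `size` bytes, the new size, out of the old block with `memcpy(p, ptr, size)`, so every growing reallocation reads past the end of the old allocation. The wrapper never learns the old block's size; the copy has to be bounded by the smaller of the old and new sizes, for example by recording the size in a small header written by mem_alloc. When the new allocation fails, the function still frees `ptr` and returns NULL, whereas realloc semantics leave the original block valid on failure; adding `if (p == NULL) return (NULL);` right after the mem_alloc call keeps the old block for the caller. Both matter because CRYPTO_set_mem_functions routes all of OpenSSL's allocations through this function.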
diff --git a/contrib/bind9/lib/dns/sec/dst/openssldh_link.c b/contrib/bind9/lib/dns/sec/dst/openssldh_link.c
new file mode 100644
index 0000000..dcee976
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/openssldh_link.c
@@ -0,0 +1,608 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: openssldh_link.c,v 1.38.2.2.8.7 2004/03/16 05:50:23 marka Exp $
+ */
+
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/dh.h>
+
+#define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
+ "A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
+ "F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
+
+#define PRIME1024 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" \
+ "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF2" \
+ "5F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406" \
+ "B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
+
+#define PRIME1536 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
+
+
+static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static BIGNUM bn2, bn768, bn1024, bn1536;
+
+static isc_result_t
+openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
+ isc_buffer_t *secret)
+{
+ DH *dhpub, *dhpriv;
+ int ret;
+ isc_region_t r;
+ unsigned int len;
+
+ REQUIRE(pub->opaque != NULL);
+ REQUIRE(priv->opaque != NULL);
+
+ dhpub = (DH *) pub->opaque;
+ dhpriv = (DH *) priv->opaque;
+
+ len = DH_size(dhpriv);
+ isc_buffer_availableregion(secret, &r);
+ if (r.length < len)
+ return (ISC_R_NOSPACE);
+ ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
+ if (ret == 0)
+ return (dst__openssl_toresult(DST_R_COMPUTESECRETFAILURE));
+ isc_buffer_add(secret, len);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ int status;
+ DH *dh1, *dh2;
+
+ dh1 = (DH *) key1->opaque;
+ dh2 = (DH *) key2->opaque;
+
+ if (dh1 == NULL && dh2 == NULL)
+ return (ISC_TRUE);
+ else if (dh1 == NULL || dh2 == NULL)
+ return (ISC_FALSE);
+
+ status = BN_cmp(dh1->p, dh2->p) ||
+ BN_cmp(dh1->g, dh2->g) ||
+ BN_cmp(dh1->pub_key, dh2->pub_key);
+
+ if (status != 0)
+ return (ISC_FALSE);
+
+ if (dh1->priv_key != NULL || dh2->priv_key != NULL) {
+ if (dh1->priv_key == NULL || dh2->priv_key == NULL)
+ return (ISC_FALSE);
+ if (BN_cmp(dh1->priv_key, dh2->priv_key) != 0)
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+static isc_boolean_t
+openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
+ int status;
+ DH *dh1, *dh2;
+
+ dh1 = (DH *) key1->opaque;
+ dh2 = (DH *) key2->opaque;
+
+ if (dh1 == NULL && dh2 == NULL)
+ return (ISC_TRUE);
+ else if (dh1 == NULL || dh2 == NULL)
+ return (ISC_FALSE);
+
+ status = BN_cmp(dh1->p, dh2->p) ||
+ BN_cmp(dh1->g, dh2->g);
+
+ if (status != 0)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+openssldh_generate(dst_key_t *key, int generator) {
+ DH *dh = NULL;
+
+ if (generator == 0) {
+ if (key->key_size == 768 ||
+ key->key_size == 1024 ||
+ key->key_size == 1536)
+ {
+ dh = DH_new();
+ if (dh == NULL)
+ return (ISC_R_NOMEMORY);
+ if (key->key_size == 768)
+ dh->p = &bn768;
+ else if (key->key_size == 1024)
+ dh->p = &bn1024;
+ else
+ dh->p = &bn1536;
+ dh->g = &bn2;
+ }
+ else
+ generator = 2;
+ }
+
+ if (generator != 0)
+ dh = DH_generate_parameters(key->key_size, generator,
+ NULL, NULL);
+
+ if (dh == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+ if (DH_generate_key(dh) == 0) {
+ DH_free(dh);
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
+ dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+
+ key->opaque = dh;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+openssldh_isprivate(const dst_key_t *key) {
+ DH *dh = (DH *) key->opaque;
+ return (ISC_TF(dh != NULL && dh->priv_key != NULL));
+}
+
+static void
+openssldh_destroy(dst_key_t *key) {
+ DH *dh = key->opaque;
+
+ if (dh == NULL)
+ return;
+
+ if (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)
+ dh->p = NULL;
+ if (dh->g == &bn2)
+ dh->g = NULL;
+ DH_free(dh);
+ key->opaque = NULL;
+}
+
+static void
+uint16_toregion(isc_uint16_t val, isc_region_t *region) {
+ *region->base++ = (val & 0xff00) >> 8;
+ *region->base++ = (val & 0x00ff);
+}
+
+static isc_uint16_t
+uint16_fromregion(isc_region_t *region) {
+ isc_uint16_t val;
+ unsigned char *cp = region->base;
+
+ val = ((unsigned int)(cp[0])) << 8;
+ val |= ((unsigned int)(cp[1]));
+
+ region->base += 2;
+ return (val);
+}
+
+static isc_result_t
+openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
+ DH *dh;
+ isc_region_t r;
+ isc_uint16_t dnslen, plen, glen, publen;
+
+ REQUIRE(key->opaque != NULL);
+
+ dh = (DH *) key->opaque;
+
+ isc_buffer_availableregion(data, &r);
+
+ if (dh->g == &bn2 &&
+ (dh->p == &bn768 || dh->p == &bn1024 || dh->p == &bn1536)) {
+ plen = 1;
+ glen = 0;
+ }
+ else {
+ plen = BN_num_bytes(dh->p);
+ glen = BN_num_bytes(dh->g);
+ }
+ publen = BN_num_bytes(dh->pub_key);
+ dnslen = plen + glen + publen + 6;
+ if (r.length < (unsigned int) dnslen)
+ return (ISC_R_NOSPACE);
+
+ uint16_toregion(plen, &r);
+ if (plen == 1) {
+ if (dh->p == &bn768)
+ *r.base = 1;
+ else if (dh->p == &bn1024)
+ *r.base = 2;
+ else
+ *r.base = 3;
+ }
+ else
+ BN_bn2bin(dh->p, r.base);
+ r.base += plen;
+
+ uint16_toregion(glen, &r);
+ if (glen > 0)
+ BN_bn2bin(dh->g, r.base);
+ r.base += glen;
+
+ uint16_toregion(publen, &r);
+ BN_bn2bin(dh->pub_key, r.base);
+ r.base += publen;
+
+ isc_buffer_add(data, dnslen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ DH *dh;
+ isc_region_t r;
+ isc_uint16_t plen, glen, publen;
+ int special = 0;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ dh = DH_new();
+ if (dh == NULL)
+ return (ISC_R_NOMEMORY);
+ dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+
+ /*
+ * Read the prime length. 1 & 2 are table entries, > 16 means a
+ * prime follows, otherwise an error.
+ */
+ if (r.length < 2) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ plen = uint16_fromregion(&r);
+ if (plen < 16 && plen != 1 && plen != 2) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (r.length < plen) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (plen == 1 || plen == 2) {
+ if (plen == 1)
+ special = *r.base++;
+ else
+ special = uint16_fromregion(&r);
+ switch (special) {
+ case 1:
+ dh->p = &bn768;
+ break;
+ case 2:
+ dh->p = &bn1024;
+ break;
+ case 3:
+ dh->p = &bn1536;
+ break;
+ default:
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+ else {
+ dh->p = BN_bin2bn(r.base, plen, NULL);
+ r.base += plen;
+ }
+
+ /*
+ * Read the generator length. This should be 0 if the prime was
+ * special, but it might not be. If it's 0 and the prime is not
+ * special, we have a problem.
+ */
+ if (r.length < 2) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ glen = uint16_fromregion(&r);
+ if (r.length < glen) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ if (special != 0) {
+ if (glen == 0)
+ dh->g = &bn2;
+ else {
+ dh->g = BN_bin2bn(r.base, glen, NULL);
+ if (BN_cmp(dh->g, &bn2) == 0) {
+ BN_free(dh->g);
+ dh->g = &bn2;
+ }
+ else {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ }
+ }
+ else {
+ if (glen == 0) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ dh->g = BN_bin2bn(r.base, glen, NULL);
+ }
+ r.base += glen;
+
+ if (r.length < 2) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ publen = uint16_fromregion(&r);
+ if (r.length < publen) {
+ DH_free(dh);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ dh->pub_key = BN_bin2bn(r.base, publen, NULL);
+ r.base += publen;
+
+ key->key_size = BN_num_bits(dh->p);
+
+ isc_buffer_forward(data, plen + glen + publen + 6);
+
+ key->opaque = (void *) dh;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldh_tofile(const dst_key_t *key, const char *directory) {
+ int i;
+ DH *dh;
+ dst_private_t priv;
+ unsigned char *bufs[4];
+ isc_result_t result;
+
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ dh = (DH *) key->opaque;
+
+ for (i = 0; i < 4; i++) {
+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
+ if (bufs[i] == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ }
+
+ i = 0;
+
+ priv.elements[i].tag = TAG_DH_PRIME;
+ priv.elements[i].length = BN_num_bytes(dh->p);
+ BN_bn2bin(dh->p, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_GENERATOR;
+ priv.elements[i].length = BN_num_bytes(dh->g);
+ BN_bn2bin(dh->g, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_PRIVATE;
+ priv.elements[i].length = BN_num_bytes(dh->priv_key);
+ BN_bn2bin(dh->priv_key, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_DH_PUBLIC;
+ priv.elements[i].length = BN_num_bytes(dh->pub_key);
+ BN_bn2bin(dh->pub_key, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.nelements = i;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+ for (i = 0; i < 4; i++) {
+ if (bufs[i] == NULL)
+ break;
+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(dh->p));
+ }
+ return (result);
+}
+
+static isc_result_t
+openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ DH *dh = NULL;
+ isc_mem_t *mctx;
+#define DST_RET(a) {ret = a; goto err;}
+
+ mctx = key->mctx;
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_DH, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ dh = DH_new();
+ if (dh == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ dh->flags &= ~DH_FLAG_CACHE_MONT_P;
+ key->opaque = dh;
+
+ for (i = 0; i < priv.nelements; i++) {
+ BIGNUM *bn;
+ bn = BN_bin2bn(priv.elements[i].data,
+ priv.elements[i].length, NULL);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ switch (priv.elements[i].tag) {
+ case TAG_DH_PRIME:
+ dh->p = bn;
+ break;
+ case TAG_DH_GENERATOR:
+ dh->g = bn;
+ break;
+ case TAG_DH_PRIVATE:
+ dh->priv_key = bn;
+ break;
+ case TAG_DH_PUBLIC:
+ dh->pub_key = bn;
+ break;
+ }
+ }
+ dst__privstruct_free(&priv, mctx);
+
+ key->key_size = BN_num_bits(dh->p);
+
+ if ((key->key_size == 768 ||
+ key->key_size == 1024 ||
+ key->key_size == 1536) &&
+ BN_cmp(dh->g, &bn2) == 0)
+ {
+ if (key->key_size == 768 && BN_cmp(dh->p, &bn768) == 0) {
+ BN_free(dh->p);
+ BN_free(dh->g);
+ dh->p = &bn768;
+ dh->g = &bn2;
+ } else if (key->key_size == 1024 &&
+ BN_cmp(dh->p, &bn1024) == 0) {
+ BN_free(dh->p);
+ BN_free(dh->g);
+ dh->p = &bn1024;
+ dh->g = &bn2;
+ } else if (key->key_size == 1536 &&
+ BN_cmp(dh->p, &bn1536) == 0) {
+ BN_free(dh->p);
+ BN_free(dh->g);
+ dh->p = &bn1536;
+ dh->g = &bn2;
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ openssldh_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static void
+BN_fromhex(BIGNUM *b, const char *str) {
+ static const char hexdigits[] = "0123456789abcdef";
+ unsigned char data[512];
+ unsigned int i;
+ BIGNUM *out;
+
+ RUNTIME_CHECK(strlen(str) < 1024U && strlen(str) % 2 == 0U);
+ for (i = 0; i < strlen(str); i += 2) {
+ char *s;
+ unsigned int high, low;
+
+ s = strchr(hexdigits, tolower((unsigned char)str[i]));
+ RUNTIME_CHECK(s != NULL);
+ high = s - hexdigits;
+
+ s = strchr(hexdigits, tolower((unsigned char)str[i + 1]));
+ RUNTIME_CHECK(s != NULL);
+ low = s - hexdigits;
+
+ data[i/2] = (unsigned char)((high << 4) + low);
+ }
+ out = BN_bin2bn(data, strlen(str)/2, b);
+ RUNTIME_CHECK(out != NULL);
+}
+
+static void
+openssldh_cleanup(void) {
+ BN_free(&bn2);
+ BN_free(&bn768);
+ BN_free(&bn1024);
+ BN_free(&bn1536);
+}
+
+static dst_func_t openssldh_functions = {
+ NULL, /* createctx */
+ NULL, /* destroyctx */
+ NULL, /* adddata */
+ NULL, /* openssldh_sign */
+ NULL, /* openssldh_verify */
+ openssldh_computesecret,
+ openssldh_compare,
+ openssldh_paramcompare,
+ openssldh_generate,
+ openssldh_isprivate,
+ openssldh_destroy,
+ openssldh_todns,
+ openssldh_fromdns,
+ openssldh_tofile,
+ openssldh_parse,
+ openssldh_cleanup,
+};
+
+isc_result_t
+dst__openssldh_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL) {
+ BN_init(&bn2);
+ BN_init(&bn768);
+ BN_init(&bn1024);
+ BN_init(&bn1536);
+ BN_set_word(&bn2, 2);
+ BN_fromhex(&bn768, PRIME768);
+ BN_fromhex(&bn1024, PRIME1024);
+ BN_fromhex(&bn1536, PRIME1536);
+ *funcp = &openssldh_functions;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
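Review bot: The length checks in openssldh_fromdns compare against a stale `r.length`: uint16_fromregion and the `r.base += …` steps advance `r.base` but never reduce `r.length`, so `r.length < plen`, `r.length < glen` and `r.length < publen` are all tested against the original RDATA length rather than the bytes remaining. A record whose inner length fields add up to more than the data present therefore passes the checks, and BN_bin2bn reads beyond the end of the buffer. Keeping the length in step with the base, as sketched below, makes each check mean what it says. The BN_bin2bn results should also be checked for NULL before `BN_num_bits(dh->p)` is called.

```c
static isc_uint16_t
uint16_fromregion(isc_region_t *region) {
	/* … unchanged: decode the two bytes into val … */
	region->base += 2;
	region->length -= 2;	/* keep length in step with base */
	return (val);
}

/* in openssldh_fromdns(), after the existing r.length < plen check: */
		if (plen == 1) {
			special = *r.base++;
			r.length--;
		} else
			special = uint16_fromregion(&r);
		/* … unchanged: switch (special) selecting the built-in prime … */
		dh->p = BN_bin2bn(r.base, plen, NULL);
		r.base += plen;
		r.length -= plen;
	/* … unchanged: generator length checks and parsing … */
	r.base += glen;
	r.length -= glen;
```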
diff --git a/contrib/bind9/lib/dns/sec/dst/openssldsa_link.c b/contrib/bind9/lib/dns/sec/dst/openssldsa_link.c
new file mode 100644
index 0000000..ec4a6d3
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/openssldsa_link.c
@@ -0,0 +1,443 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2002 Internet Software Consortium.
+ * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: openssldsa_link.c,v 1.4.2.1.8.6 2004/03/08 09:04:46 marka Exp $ */
+
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/sha1.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/dsa.h>
+
+static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ isc_sha1_t *sha1ctx;
+
+ UNUSED(key);
+
+ sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+ isc_sha1_init(sha1ctx);
+ dctx->opaque = sha1ctx;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+openssldsa_destroyctx(dst_context_t *dctx) {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+
+ if (sha1ctx != NULL) {
+ isc_sha1_invalidate(sha1ctx);
+ isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
+ dctx->opaque = NULL;
+ }
+}
+
+static isc_result_t
+openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+
+ isc_sha1_update(sha1ctx, data->base, data->length);
+ return (ISC_R_SUCCESS);
+}
+
+static int
+BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
+ int bytes = size - BN_num_bytes(bn);
+ while (bytes-- > 0)
+ *buf++ = 0;
+ BN_bn2bin(bn, buf);
+ return (size);
+}
+
+static isc_result_t
+openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+ dst_key_t *key = dctx->key;
+ DSA *dsa = key->opaque;
+ DSA_SIG *dsasig;
+ isc_region_t r;
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+
+ isc_buffer_availableregion(sig, &r);
+ if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
+ return (ISC_R_NOSPACE);
+
+ isc_sha1_final(sha1ctx, digest);
+
+ dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
+ if (dsasig == NULL)
+ return (dst__openssl_toresult(DST_R_SIGNFAILURE));
+
+ *r.base++ = (key->key_size - 512)/64;
+ BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
+ r.base += ISC_SHA1_DIGESTLENGTH;
+ BN_bn2bin_fixed(dsasig->s, r.base, ISC_SHA1_DIGESTLENGTH);
+ r.base += ISC_SHA1_DIGESTLENGTH;
+ DSA_SIG_free(dsasig);
+ isc_buffer_add(sig, ISC_SHA1_DIGESTLENGTH * 2 + 1);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+ dst_key_t *key = dctx->key;
+ DSA *dsa = key->opaque;
+ DSA_SIG *dsasig;
+ int status = 0;
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ unsigned char *cp = sig->base;
+
+ isc_sha1_final(sha1ctx, digest);
+
+ if (sig->length < 2 * ISC_SHA1_DIGESTLENGTH + 1)
+ return (DST_R_VERIFYFAILURE);
+
+ cp++; /* Skip T */
+ dsasig = DSA_SIG_new();
+ dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+ cp += ISC_SHA1_DIGESTLENGTH;
+ dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
+ cp += ISC_SHA1_DIGESTLENGTH;
+
+ status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
+ DSA_SIG_free(dsasig);
+ if (status == 0)
+ return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ int status;
+ DSA *dsa1, *dsa2;
+
+ dsa1 = (DSA *) key1->opaque;
+ dsa2 = (DSA *) key2->opaque;
+
+ if (dsa1 == NULL && dsa2 == NULL)
+ return (ISC_TRUE);
+ else if (dsa1 == NULL || dsa2 == NULL)
+ return (ISC_FALSE);
+
+ status = BN_cmp(dsa1->p, dsa2->p) ||
+ BN_cmp(dsa1->q, dsa2->q) ||
+ BN_cmp(dsa1->g, dsa2->g) ||
+ BN_cmp(dsa1->pub_key, dsa2->pub_key);
+
+ if (status != 0)
+ return (ISC_FALSE);
+
+ if (dsa1->priv_key != NULL || dsa2->priv_key != NULL) {
+ if (dsa1->priv_key == NULL || dsa2->priv_key == NULL)
+ return (ISC_FALSE);
+ if (BN_cmp(dsa1->priv_key, dsa2->priv_key))
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+openssldsa_generate(dst_key_t *key, int unused) {
+ DSA *dsa;
+ unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
+ isc_result_t result;
+
+ UNUSED(unused);
+
+ result = dst__entropy_getdata(rand_array, sizeof(rand_array),
+ ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ dsa = DSA_generate_parameters(key->key_size, rand_array,
+ ISC_SHA1_DIGESTLENGTH, NULL, NULL,
+ NULL, NULL);
+
+ if (dsa == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+
+ if (DSA_generate_key(dsa) == 0) {
+ DSA_free(dsa);
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
+ dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+
+ key->opaque = dsa;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+openssldsa_isprivate(const dst_key_t *key) {
+ DSA *dsa = (DSA *) key->opaque;
+ return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
+}
+
+static void
+openssldsa_destroy(dst_key_t *key) {
+ DSA *dsa = key->opaque;
+ DSA_free(dsa);
+ key->opaque = NULL;
+}
+
+
+static isc_result_t
+openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ DSA *dsa;
+ isc_region_t r;
+ int dnslen;
+ unsigned int t, p_bytes;
+
+ REQUIRE(key->opaque != NULL);
+
+ dsa = (DSA *) key->opaque;
+
+ isc_buffer_availableregion(data, &r);
+
+ t = (BN_num_bytes(dsa->p) - 64) / 8;
+ if (t > 8)
+ return (DST_R_INVALIDPUBLICKEY);
+ p_bytes = 64 + 8 * t;
+
+ dnslen = 1 + (key->key_size * 3)/8 + ISC_SHA1_DIGESTLENGTH;
+ if (r.length < (unsigned int) dnslen)
+ return (ISC_R_NOSPACE);
+
+ *r.base++ = t;
+ BN_bn2bin_fixed(dsa->q, r.base, ISC_SHA1_DIGESTLENGTH);
+ r.base += ISC_SHA1_DIGESTLENGTH;
+ BN_bn2bin_fixed(dsa->p, r.base, key->key_size/8);
+ r.base += p_bytes;
+ BN_bn2bin_fixed(dsa->g, r.base, key->key_size/8);
+ r.base += p_bytes;
+ BN_bn2bin_fixed(dsa->pub_key, r.base, key->key_size/8);
+ r.base += p_bytes;
+
+ isc_buffer_add(data, dnslen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ DSA *dsa;
+ isc_region_t r;
+ unsigned int t, p_bytes;
+ isc_mem_t *mctx = key->mctx;
+
+ UNUSED(mctx);
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ dsa = DSA_new();
+ if (dsa == NULL)
+ return (ISC_R_NOMEMORY);
+ dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+
+ t = (unsigned int) *r.base++;
+ if (t > 8) {
+ DSA_free(dsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ p_bytes = 64 + 8 * t;
+
+ if (r.length < 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
+ DSA_free(dsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+
+ dsa->q = BN_bin2bn(r.base, ISC_SHA1_DIGESTLENGTH, NULL);
+ r.base += ISC_SHA1_DIGESTLENGTH;
+
+ dsa->p = BN_bin2bn(r.base, p_bytes, NULL);
+ r.base += p_bytes;
+
+ dsa->g = BN_bin2bn(r.base, p_bytes, NULL);
+ r.base += p_bytes;
+
+ dsa->pub_key = BN_bin2bn(r.base, p_bytes, NULL);
+ r.base += p_bytes;
+
+ key->key_size = p_bytes * 8;
+
+ isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
+
+ key->opaque = (void *) dsa;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+static isc_result_t
+openssldsa_tofile(const dst_key_t *key, const char *directory) {
+ int cnt = 0;
+ DSA *dsa;
+ dst_private_t priv;
+ unsigned char bufs[5][128];
+
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ dsa = (DSA *) key->opaque;
+
+ priv.elements[cnt].tag = TAG_DSA_PRIME;
+ priv.elements[cnt].length = BN_num_bytes(dsa->p);
+ BN_bn2bin(dsa->p, bufs[cnt]);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_SUBPRIME;
+ priv.elements[cnt].length = BN_num_bytes(dsa->q);
+ BN_bn2bin(dsa->q, bufs[cnt]);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_BASE;
+ priv.elements[cnt].length = BN_num_bytes(dsa->g);
+ BN_bn2bin(dsa->g, bufs[cnt]);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_PRIVATE;
+ priv.elements[cnt].length = BN_num_bytes(dsa->priv_key);
+ BN_bn2bin(dsa->priv_key, bufs[cnt]);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.elements[cnt].tag = TAG_DSA_PUBLIC;
+ priv.elements[cnt].length = BN_num_bytes(dsa->pub_key);
+ BN_bn2bin(dsa->pub_key, bufs[cnt]);
+ priv.elements[cnt].data = bufs[cnt];
+ cnt++;
+
+ priv.nelements = cnt;
+ return (dst__privstruct_writefile(key, &priv, directory));
+}
+
+static isc_result_t
+openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ DSA *dsa = NULL;
+ isc_mem_t *mctx = key->mctx;
+#define DST_RET(a) {ret = a; goto err;}
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_DSA, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ dsa = DSA_new();
+ if (dsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
+ key->opaque = dsa;
+
+ for (i=0; i < priv.nelements; i++) {
+ BIGNUM *bn;
+ bn = BN_bin2bn(priv.elements[i].data,
+ priv.elements[i].length, NULL);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ switch (priv.elements[i].tag) {
+ case TAG_DSA_PRIME:
+ dsa->p = bn;
+ break;
+ case TAG_DSA_SUBPRIME:
+ dsa->q = bn;
+ break;
+ case TAG_DSA_BASE:
+ dsa->g = bn;
+ break;
+ case TAG_DSA_PRIVATE:
+ dsa->priv_key = bn;
+ break;
+ case TAG_DSA_PUBLIC:
+ dsa->pub_key = bn;
+ break;
+ }
+ }
+ dst__privstruct_free(&priv, mctx);
+
+ key->key_size = BN_num_bits(dsa->p);
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ openssldsa_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t openssldsa_functions = {
+ openssldsa_createctx,
+ openssldsa_destroyctx,
+ openssldsa_adddata,
+ openssldsa_sign,
+ openssldsa_verify,
+ NULL, /* computesecret */
+ openssldsa_compare,
+ NULL, /* paramcompare */
+ openssldsa_generate,
+ openssldsa_isprivate,
+ openssldsa_destroy,
+ openssldsa_todns,
+ openssldsa_fromdns,
+ openssldsa_tofile,
+ openssldsa_parse,
+ NULL, /* cleanup */
+};
+
+isc_result_t
+dst__openssldsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &openssldsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
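Review bot: openssldsa_verify treats every non-zero return from DSA_do_verify as success, because the check `if (status == 0)` lets the library's error return (-1) fall through to `return (ISC_R_SUCCESS)`. A signature whose verification ends in an internal error rather than a clean mismatch is therefore reported as valid. Compare against the success value instead: `if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE));`. The same function also dereferences the result of `DSA_SIG_new()` without a NULL check, and it never checks the two `BN_bin2bn` results before calling DSA_do_verify.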
diff --git a/contrib/bind9/lib/dns/sec/dst/opensslrsa_link.c b/contrib/bind9/lib/dns/sec/dst/opensslrsa_link.c
new file mode 100644
index 0000000..a9a48d9
--- /dev/null
+++ b/contrib/bind9/lib/dns/sec/dst/opensslrsa_link.c
@@ -0,0 +1,567 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Principal Author: Brian Wellington
+ * $Id: opensslrsa_link.c,v 1.12.2.4.2.8 2004/03/16 05:50:24 marka Exp $
+ */
+#ifdef OPENSSL
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+
+ /*
+ * XXXMPA Temporarially disable RSA_BLINDING as it requires
+ * good quality random data that cannot currently be guarenteed.
+ * XXXMPA Find which versions of openssl use pseudo random data
+ * and set RSA_FLAG_BLINDING for those.
+ */
+
+#if 0
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+ do { \
+ (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+ (rsa)->flags |= RSA_FLAG_BLINDING; \
+ } while (0)
+#else
+#define SET_FLAGS(rsa) \
+ do { \
+ (rsa)->flags |= RSA_FLAG_BLINDING; \
+ } while (0)
+#endif
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x0090601fL
+#define SET_FLAGS(rsa) \
+ do { \
+ (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
+ (rsa)->flags &= ~RSA_FLAG_BLINDING; \
+ } while (0)
+#else
+#define SET_FLAGS(rsa) \
+ do { \
+ (rsa)->flags &= ~RSA_FLAG_BLINDING; \
+ } while (0)
+#endif
+
+static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
+
+static isc_result_t
+opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+ UNUSED(key);
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
+ if (dctx->key->key_alg == DST_ALG_RSAMD5) {
+ isc_md5_t *md5ctx;
+
+ md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
+ isc_md5_init(md5ctx);
+ dctx->opaque = md5ctx;
+ } else {
+ isc_sha1_t *sha1ctx;
+
+ sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
+ isc_sha1_init(sha1ctx);
+ dctx->opaque = sha1ctx;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+opensslrsa_destroyctx(dst_context_t *dctx) {
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
+ if (dctx->key->key_alg == DST_ALG_RSAMD5) {
+ isc_md5_t *md5ctx = dctx->opaque;
+
+ if (md5ctx != NULL) {
+ isc_md5_invalidate(md5ctx);
+ isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
+ }
+ } else {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+
+ if (sha1ctx != NULL) {
+ isc_sha1_invalidate(sha1ctx);
+ isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
+ }
+ }
+ dctx->opaque = NULL;
+}
+
+static isc_result_t
+opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
+ if (dctx->key->key_alg == DST_ALG_RSAMD5) {
+ isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_update(md5ctx, data->base, data->length);
+ } else {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_update(sha1ctx, data->base, data->length);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+ dst_key_t *key = dctx->key;
+ RSA *rsa = key->opaque;
+ isc_region_t r;
+ /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ unsigned int siglen = 0;
+ int status;
+ int type;
+ unsigned int digestlen;
+ char *message;
+ unsigned long err;
+ const char* file;
+ int line;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
+ isc_buffer_availableregion(sig, &r);
+
+ if (r.length < (unsigned int) RSA_size(rsa))
+ return (ISC_R_NOSPACE);
+
+ if (dctx->key->key_alg == DST_ALG_RSAMD5) {
+ isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_final(md5ctx, digest);
+ type = NID_md5;
+ digestlen = ISC_MD5_DIGESTLENGTH;
+ } else {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_final(sha1ctx, digest);
+ type = NID_sha1;
+ digestlen = ISC_SHA1_DIGESTLENGTH;
+ }
+
+ status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
+ if (status == 0) {
+ err = ERR_peek_error_line(&file, &line);
+ if (err != 0U) {
+ message = ERR_error_string(err, NULL);
+ fprintf(stderr, "%s:%s:%d\n", message,
+ file ? file : "", line);
+ }
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
+
+ isc_buffer_add(sig, siglen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+ dst_key_t *key = dctx->key;
+ RSA *rsa = key->opaque;
+ /* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ int status = 0;
+ int type;
+ unsigned int digestlen;
+
+ REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
+ dctx->key->key_alg == DST_ALG_RSASHA1);
+
+ if (dctx->key->key_alg == DST_ALG_RSAMD5) {
+ isc_md5_t *md5ctx = dctx->opaque;
+ isc_md5_final(md5ctx, digest);
+ type = NID_md5;
+ digestlen = ISC_MD5_DIGESTLENGTH;
+ } else {
+ isc_sha1_t *sha1ctx = dctx->opaque;
+ isc_sha1_final(sha1ctx, digest);
+ type = NID_sha1;
+ digestlen = ISC_SHA1_DIGESTLENGTH;
+ }
+
+ if (sig->length < (unsigned int) RSA_size(rsa))
+ return (DST_R_VERIFYFAILURE);
+
+ status = RSA_verify(type, digest, digestlen, sig->base,
+ RSA_size(rsa), rsa);
+ if (status == 0)
+ return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+ int status;
+ RSA *rsa1, *rsa2;
+
+ rsa1 = (RSA *) key1->opaque;
+ rsa2 = (RSA *) key2->opaque;
+
+ if (rsa1 == NULL && rsa2 == NULL)
+ return (ISC_TRUE);
+ else if (rsa1 == NULL || rsa2 == NULL)
+ return (ISC_FALSE);
+
+ status = BN_cmp(rsa1->n, rsa2->n) ||
+ BN_cmp(rsa1->e, rsa2->e);
+
+ if (status != 0)
+ return (ISC_FALSE);
+
+ if (rsa1->d != NULL || rsa2->d != NULL) {
+ if (rsa1->d == NULL || rsa2->d == NULL)
+ return (ISC_FALSE);
+ status = BN_cmp(rsa1->d, rsa2->d) ||
+ BN_cmp(rsa1->p, rsa2->p) ||
+ BN_cmp(rsa1->q, rsa2->q);
+
+ if (status != 0)
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+static isc_result_t
+opensslrsa_generate(dst_key_t *key, int exp) {
+ RSA *rsa;
+ unsigned long e;
+
+ if (exp == 0)
+ e = RSA_3;
+ else
+ e = RSA_F4;
+ rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
+ if (rsa == NULL)
+ return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ SET_FLAGS(rsa);
+ key->opaque = rsa;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+opensslrsa_isprivate(const dst_key_t *key) {
+ RSA *rsa = (RSA *) key->opaque;
+ return (ISC_TF(rsa != NULL && rsa->d != NULL));
+}
+
+static void
+opensslrsa_destroy(dst_key_t *key) {
+ RSA *rsa = key->opaque;
+ RSA_free(rsa);
+ key->opaque = NULL;
+}
+
+
+static isc_result_t
+opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+ RSA *rsa;
+ isc_region_t r;
+ unsigned int e_bytes;
+ unsigned int mod_bytes;
+
+ REQUIRE(key->opaque != NULL);
+
+ rsa = (RSA *) key->opaque;
+
+ isc_buffer_availableregion(data, &r);
+
+ e_bytes = BN_num_bytes(rsa->e);
+ mod_bytes = BN_num_bytes(rsa->n);
+
+ if (e_bytes < 256) { /* key exponent is <= 2040 bits */
+ if (r.length < 1)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
+ } else {
+ if (r.length < 3)
+ return (ISC_R_NOSPACE);
+ isc_buffer_putuint8(data, 0);
+ isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
+ }
+
+ if (r.length < e_bytes + mod_bytes)
+ return (ISC_R_NOSPACE);
+ isc_buffer_availableregion(data, &r);
+
+ BN_bn2bin(rsa->e, r.base);
+ r.base += e_bytes;
+ BN_bn2bin(rsa->n, r.base);
+
+ isc_buffer_add(data, e_bytes + mod_bytes);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+ RSA *rsa;
+ isc_region_t r;
+ unsigned int e_bytes;
+
+ isc_buffer_remainingregion(data, &r);
+ if (r.length == 0)
+ return (ISC_R_SUCCESS);
+
+ rsa = RSA_new();
+ if (rsa == NULL)
+ return (ISC_R_NOMEMORY);
+ SET_FLAGS(rsa);
+
+ if (r.length < 1) {
+ RSA_free(rsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ e_bytes = *r.base++;
+ r.length--;
+
+ if (e_bytes == 0) {
+ if (r.length < 2) {
+ RSA_free(rsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ e_bytes = ((*r.base++) << 8);
+ e_bytes += *r.base++;
+ r.length -= 2;
+ }
+
+ if (r.length < e_bytes) {
+ RSA_free(rsa);
+ return (DST_R_INVALIDPUBLICKEY);
+ }
+ rsa->e = BN_bin2bn(r.base, e_bytes, NULL);
+ r.base += e_bytes;
+ r.length -= e_bytes;
+
+ rsa->n = BN_bin2bn(r.base, r.length, NULL);
+
+ key->key_size = BN_num_bits(rsa->n);
+
+ isc_buffer_forward(data, r.length);
+
+ key->opaque = (void *) rsa;
+
+ return (ISC_R_SUCCESS);
+}
+
+
+static isc_result_t
+opensslrsa_tofile(const dst_key_t *key, const char *directory) {
+ int i;
+ RSA *rsa;
+ dst_private_t priv;
+ unsigned char *bufs[8];
+ isc_result_t result;
+
+ if (key->opaque == NULL)
+ return (DST_R_NULLKEY);
+
+ rsa = (RSA *) key->opaque;
+
+ for (i = 0; i < 8; i++) {
+ bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
+ if (bufs[i] == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto fail;
+ }
+ }
+
+ i = 0;
+
+ priv.elements[i].tag = TAG_RSA_MODULUS;
+ priv.elements[i].length = BN_num_bytes(rsa->n);
+ BN_bn2bin(rsa->n, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_PUBLICEXPONENT;
+ priv.elements[i].length = BN_num_bytes(rsa->e);
+ BN_bn2bin(rsa->e, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+ priv.elements[i].length = BN_num_bytes(rsa->d);
+ BN_bn2bin(rsa->d, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_PRIME1;
+ priv.elements[i].length = BN_num_bytes(rsa->p);
+ BN_bn2bin(rsa->p, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_PRIME2;
+ priv.elements[i].length = BN_num_bytes(rsa->q);
+ BN_bn2bin(rsa->q, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_EXPONENT1;
+ priv.elements[i].length = BN_num_bytes(rsa->dmp1);
+ BN_bn2bin(rsa->dmp1, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_EXPONENT2;
+ priv.elements[i].length = BN_num_bytes(rsa->dmq1);
+ BN_bn2bin(rsa->dmq1, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+ priv.elements[i].length = BN_num_bytes(rsa->iqmp);
+ BN_bn2bin(rsa->iqmp, bufs[i]);
+ priv.elements[i].data = bufs[i];
+ i++;
+
+ priv.nelements = i;
+ result = dst__privstruct_writefile(key, &priv, directory);
+ fail:
+ for (i = 0; i < 8; i++) {
+ if (bufs[i] == NULL)
+ break;
+ isc_mem_put(key->mctx, bufs[i], BN_num_bytes(rsa->n));
+ }
+ return (result);
+}
+
+static isc_result_t
+opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
+ dst_private_t priv;
+ isc_result_t ret;
+ int i;
+ RSA *rsa = NULL;
+ isc_mem_t *mctx = key->mctx;
+#define DST_RET(a) {ret = a; goto err;}
+
+ /* read private key file */
+ ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ rsa = RSA_new();
+ if (rsa == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+ SET_FLAGS(rsa);
+ key->opaque = rsa;
+
+ for (i = 0; i < priv.nelements; i++) {
+ BIGNUM *bn;
+ bn = BN_bin2bn(priv.elements[i].data,
+ priv.elements[i].length, NULL);
+ if (bn == NULL)
+ DST_RET(ISC_R_NOMEMORY);
+
+ switch (priv.elements[i].tag) {
+ case TAG_RSA_MODULUS:
+ rsa->n = bn;
+ break;
+ case TAG_RSA_PUBLICEXPONENT:
+ rsa->e = bn;
+ break;
+ case TAG_RSA_PRIVATEEXPONENT:
+ rsa->d = bn;
+ break;
+ case TAG_RSA_PRIME1:
+ rsa->p = bn;
+ break;
+ case TAG_RSA_PRIME2:
+ rsa->q = bn;
+ break;
+ case TAG_RSA_EXPONENT1:
+ rsa->dmp1 = bn;
+ break;
+ case TAG_RSA_EXPONENT2:
+ rsa->dmq1 = bn;
+ break;
+ case TAG_RSA_COEFFICIENT:
+ rsa->iqmp = bn;
+ break;
+ }
+ }
+ dst__privstruct_free(&priv, mctx);
+
+ key->key_size = BN_num_bits(rsa->n);
+
+ return (ISC_R_SUCCESS);
+
+ err:
+ opensslrsa_destroy(key);
+ dst__privstruct_free(&priv, mctx);
+ memset(&priv, 0, sizeof(priv));
+ return (ret);
+}
+
+static dst_func_t opensslrsa_functions = {
+ opensslrsa_createctx,
+ opensslrsa_destroyctx,
+ opensslrsa_adddata,
+ opensslrsa_sign,
+ opensslrsa_verify,
+ NULL, /* computesecret */
+ opensslrsa_compare,
+ NULL, /* paramcompare */
+ opensslrsa_generate,
+ opensslrsa_isprivate,
+ opensslrsa_destroy,
+ opensslrsa_todns,
+ opensslrsa_fromdns,
+ opensslrsa_tofile,
+ opensslrsa_parse,
+ NULL, /* cleanup */
+};
+
+isc_result_t
+dst__opensslrsa_init(dst_func_t **funcp) {
+ REQUIRE(funcp != NULL);
+ if (*funcp == NULL)
+ *funcp = &opensslrsa_functions;
+ return (ISC_R_SUCCESS);
+}
+
+#else /* OPENSSL */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* OPENSSL */
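Review bot: In opensslrsa_todns the space check `if (r.length < e_bytes + mod_bytes)` uses the region length captured before the one- or three-byte exponent-length prefix was written. It can pass when the buffer is up to three bytes short, and the two BN_bn2bin calls then write past the available region. Refresh the region before testing it by moving `isc_buffer_availableregion(data, &r);` above the check, so the order is refresh, then `if (r.length < e_bytes + mod_bytes) return (ISC_R_NOSPACE);`. A related accounting slip is in opensslrsa_fromdns: `isc_buffer_forward(data, r.length)` runs after r.length has been reduced to the modulus length, so the buffer advances by less than was consumed. Saving the original remaining length and forwarding by that value would fix it.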
diff --git a/contrib/bind9/lib/dns/soa.c b/contrib/bind9/lib/dns/soa.c
new file mode 100644
index 0000000..c0e0518
--- /dev/null
+++ b/contrib/bind9/lib/dns/soa.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: soa.c,v 1.3.206.1 2004/03/06 08:13:45 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <dns/rdata.h>
+#include <dns/soa.h>
+
+static inline isc_uint32_t
+decode_uint32(unsigned char *p) {
+ return ((p[0] << 24) +
+ (p[1] << 16) +
+ (p[2] << 8) +
+ (p[3] << 0));
+}
+
+static inline void
+encode_uint32(isc_uint32_t val, unsigned char *p) {
+ p[0] = (isc_uint8_t)(val >> 24);
+ p[1] = (isc_uint8_t)(val >> 16);
+ p[2] = (isc_uint8_t)(val >> 8);
+ p[3] = (isc_uint8_t)(val >> 0);
+}
+
+static isc_uint32_t
+soa_get(dns_rdata_t *rdata, int offset) {
+ INSIST(rdata->type == dns_rdatatype_soa);
+ /*
+ * Locate the field within the SOA RDATA based
+ * on its position relative to the end of the data.
+ *
+ * This is a bit of a kludge, but the alternative approach of
+ * using dns_rdata_tostruct() and dns_rdata_fromstruct() would
+ * involve a lot of unnecessary work (like building domain
+ * names and allocating temporary memory) when all we really
+ * want to do is to get 32 bits of fixed-sized data.
+ */
+ INSIST(rdata->length >= 20);
+ INSIST(offset >= 0 && offset <= 16);
+ return (decode_uint32(rdata->data + rdata->length - 20 + offset));
+}
+
+isc_uint32_t
+dns_soa_getserial(dns_rdata_t *rdata) {
+ return soa_get(rdata, 0);
+}
+isc_uint32_t
+dns_soa_getrefresh(dns_rdata_t *rdata) {
+ return soa_get(rdata, 4);
+}
+isc_uint32_t
+dns_soa_getretry(dns_rdata_t *rdata) {
+ return soa_get(rdata, 8);
+}
+isc_uint32_t
+dns_soa_getexpire(dns_rdata_t *rdata) {
+ return soa_get(rdata, 12);
+}
+isc_uint32_t
+dns_soa_getminimum(dns_rdata_t *rdata) {
+ return soa_get(rdata, 16);
+}
+
+static void
+soa_set(dns_rdata_t *rdata, isc_uint32_t val, int offset) {
+ INSIST(rdata->type == dns_rdatatype_soa);
+ INSIST(rdata->length >= 20);
+ INSIST(offset >= 0 && offset <= 16);
+ encode_uint32(val, rdata->data + rdata->length - 20 + offset);
+}
+
+void
+dns_soa_setserial(isc_uint32_t val, dns_rdata_t *rdata) {
+ soa_set(rdata, val, 0);
+}
+void
+dns_soa_setrefresh(isc_uint32_t val, dns_rdata_t *rdata) {
+ soa_set(rdata, val, 4);
+}
+void
+dns_soa_setretry(isc_uint32_t val, dns_rdata_t *rdata) {
+ soa_set(rdata, val, 8);
+}
+void
+dns_soa_setexpire(isc_uint32_t val, dns_rdata_t *rdata) {
+ soa_set(rdata, val, 12);
+}
+void
+dns_soa_setminimum(isc_uint32_t val, dns_rdata_t *rdata) {
+ soa_set(rdata, val, 16);
+}
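Review bot: decode_uint32 shifts a promoted `int`, so `p[0] << 24` is undefined behaviour in C whenever the top byte is 0x80 or above (the shift overflows a signed int), even though most compilers produce the expected value. Cast each byte before shifting, e.g. `return (((isc_uint32_t)p[0] << 24) + ((isc_uint32_t)p[1] << 16) + ((isc_uint32_t)p[2] << 8) + (isc_uint32_t)p[3]);`. A short comment on soa_get and soa_set noting that the five 32-bit fields are addressed from the end of the RDATA, and that INSIST aborts on a short record, would also help callers that pass data taken from the network.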
diff --git a/contrib/bind9/lib/dns/ssu.c b/contrib/bind9/lib/dns/ssu.c
new file mode 100644
index 0000000..a9ecdce
--- /dev/null
+++ b/contrib/bind9/lib/dns/ssu.c
@@ -0,0 +1,357 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: ssu.c,v 1.22.206.3 2004/03/08 09:04:32 marka Exp $
+ * Principal Author: Brian Wellington
+ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/name.h>
+#include <dns/ssu.h>
+
+#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
+#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
+
+#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
+#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
+
+struct dns_ssurule {
+ unsigned int magic;
+ isc_boolean_t grant; /* is this a grant or a deny? */
+ unsigned int matchtype; /* which type of pattern match? */
+ dns_name_t *identity; /* the identity to match */
+ dns_name_t *name; /* the name being updated */
+ unsigned int ntypes; /* number of data types covered */
+ dns_rdatatype_t *types; /* the data types. Can include ANY, */
+ /* defaults to all but SIG,SOA,NS if NULL*/
+ ISC_LINK(dns_ssurule_t) link;
+};
+
+struct dns_ssutable {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ unsigned int references;
+ isc_mutex_t lock;
+ ISC_LIST(dns_ssurule_t) rules;
+};
+
+isc_result_t
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
+ isc_result_t result;
+ dns_ssutable_t *table;
+
+ REQUIRE(tablep != NULL && *tablep == NULL);
+ REQUIRE(mctx != NULL);
+
+ table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
+ if (table == NULL)
+ return (ISC_R_NOMEMORY);
+ result = isc_mutex_init(&table->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
+ return (result);
+ }
+ table->references = 1;
+ table->mctx = mctx;
+ ISC_LIST_INIT(table->rules);
+ table->magic = SSUTABLEMAGIC;
+ *tablep = table;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+destroy(dns_ssutable_t *table) {
+ isc_mem_t *mctx;
+
+ REQUIRE(VALID_SSUTABLE(table));
+
+ mctx = table->mctx;
+ while (!ISC_LIST_EMPTY(table->rules)) {
+ dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
+ if (rule->identity != NULL) {
+ dns_name_free(rule->identity, mctx);
+ isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+ }
+ if (rule->name != NULL) {
+ dns_name_free(rule->name, mctx);
+ isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+ }
+ if (rule->types != NULL)
+ isc_mem_put(mctx, rule->types,
+ rule->ntypes * sizeof(dns_rdatatype_t));
+ ISC_LIST_UNLINK(table->rules, rule, link);
+ rule->magic = 0;
+ isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+ }
+ DESTROYLOCK(&table->lock);
+ table->magic = 0;
+ isc_mem_put(mctx, table, sizeof(dns_ssutable_t));
+}
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
+ REQUIRE(VALID_SSUTABLE(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+
+ INSIST(source->references > 0);
+ source->references++;
+ INSIST(source->references != 0);
+
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep) {
+ dns_ssutable_t *table;
+ isc_boolean_t done = ISC_FALSE;
+
+ REQUIRE(tablep != NULL);
+ table = *tablep;
+ REQUIRE(VALID_SSUTABLE(table));
+
+ LOCK(&table->lock);
+
+ INSIST(table->references > 0);
+ if (--table->references == 0)
+ done = ISC_TRUE;
+ UNLOCK(&table->lock);
+
+ *tablep = NULL;
+
+ if (done)
+ destroy(table);
+}
+
+isc_result_t
+dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
+ dns_name_t *identity, unsigned int matchtype,
+ dns_name_t *name, unsigned int ntypes,
+ dns_rdatatype_t *types)
+{
+ dns_ssurule_t *rule;
+ isc_mem_t *mctx;
+ isc_result_t result;
+
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(dns_name_isabsolute(identity));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(matchtype <= DNS_SSUMATCHTYPE_SELF);
+ if (matchtype == DNS_SSUMATCHTYPE_WILDCARD)
+ REQUIRE(dns_name_iswildcard(name));
+ if (ntypes > 0)
+ REQUIRE(types != NULL);
+
+ mctx = table->mctx;
+ rule = isc_mem_get(mctx, sizeof(dns_ssurule_t));
+ if (rule == NULL)
+ return (ISC_R_NOMEMORY);
+
+ rule->identity = NULL;
+ rule->name = NULL;
+ rule->types = NULL;
+
+ rule->grant = grant;
+
+ rule->identity = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (rule->identity == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ dns_name_init(rule->identity, NULL);
+ result = dns_name_dup(identity, mctx, rule->identity);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ rule->name = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (rule->name == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ dns_name_init(rule->name, NULL);
+ result = dns_name_dup(name, mctx, rule->name);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ rule->matchtype = matchtype;
+
+ rule->ntypes = ntypes;
+ if (ntypes > 0) {
+ rule->types = isc_mem_get(mctx,
+ ntypes * sizeof(dns_rdatatype_t));
+ if (rule->types == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ memcpy(rule->types, types, ntypes * sizeof(dns_rdatatype_t));
+ }
+ else
+ rule->types = NULL;
+
+ rule->magic = SSURULEMAGIC;
+ ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (rule->identity != NULL) {
+ if (dns_name_dynamic(rule->identity))
+ dns_name_free(rule->identity, mctx);
+ isc_mem_put(mctx, rule->identity, sizeof(dns_name_t));
+ }
+ if (rule->name != NULL) {
+ if (dns_name_dynamic(rule->name))
+ dns_name_free(rule->name, mctx);
+ isc_mem_put(mctx, rule->name, sizeof(dns_name_t));
+ }
+ if (rule->types != NULL)
+ isc_mem_put(mctx, rule->types,
+ ntypes * sizeof(dns_rdatatype_t));
+ isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+
+ return (result);
+}
+
+static inline isc_boolean_t
+isusertype(dns_rdatatype_t type) {
+ return (ISC_TF(type != dns_rdatatype_ns &&
+ type != dns_rdatatype_soa &&
+ type != dns_rdatatype_rrsig));
+}
+
+isc_boolean_t
+dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
+ dns_name_t *name, dns_rdatatype_t type)
+{
+ dns_ssurule_t *rule;
+ unsigned int i;
+
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(signer == NULL || dns_name_isabsolute(signer));
+ REQUIRE(dns_name_isabsolute(name));
+
+ if (signer == NULL)
+ return (ISC_FALSE);
+ rule = ISC_LIST_HEAD(table->rules);
+ rule = ISC_LIST_NEXT(rule, link);
+ for (rule = ISC_LIST_HEAD(table->rules);
+ rule != NULL;
+ rule = ISC_LIST_NEXT(rule, link))
+ {
+ if (dns_name_iswildcard(rule->identity)) {
+ if (!dns_name_matcheswildcard(signer, rule->identity))
+ continue;
+ }
+ else {
+ if (!dns_name_equal(signer, rule->identity))
+ continue;
+ }
+
+ if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
+ if (!dns_name_equal(name, rule->name))
+ continue;
+ }
+ else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
+ if (!dns_name_issubdomain(name, rule->name))
+ continue;
+ }
+ else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
+ if (!dns_name_matcheswildcard(name, rule->name))
+ continue;
+
+ }
+ else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
+ if (!dns_name_equal(signer, name))
+ continue;
+ }
+
+ if (rule->ntypes == 0) {
+ if (!isusertype(type))
+ continue;
+ }
+ else {
+ for (i = 0; i < rule->ntypes; i++) {
+ if (rule->types[i] == dns_rdatatype_any ||
+ rule->types[i] == type)
+ break;
+ }
+ if (i == rule->ntypes)
+ continue;
+ }
+ return (rule->grant);
+ }
+
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+dns_ssurule_isgrant(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->grant);
+}
+
+dns_name_t *
+dns_ssurule_identity(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->identity);
+}
+
+unsigned int
+dns_ssurule_matchtype(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->matchtype);
+}
+
+dns_name_t *
+dns_ssurule_name(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->name);
+}
+
+unsigned int
+dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types) {
+ REQUIRE(VALID_SSURULE(rule));
+ REQUIRE(types != NULL && *types != NULL);
+ *types = rule->types;
+ return (rule->ntypes);
+}
+
+isc_result_t
+dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(rule != NULL && *rule == NULL);
+ *rule = ISC_LIST_HEAD(table->rules);
+ return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
+ REQUIRE(VALID_SSURULE(rule));
+ REQUIRE(nextrule != NULL && *nextrule == NULL);
+ *nextrule = ISC_LIST_NEXT(rule, link);
+ return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
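Review bot: In `dns_ssutable_checkrules`, the two assignments just before the `for` loop (`rule = ISC_LIST_HEAD(table->rules);` then `rule = ISC_LIST_NEXT(rule, link);`) do not affect the result, because the loop header re-initialises `rule`. The second one still reads through `rule`, which is NULL when the table holds no rules. Assuming `ISC_LIST_NEXT` expands to a member access (its definition is outside this hunk), a table with no rules and a non-NULL signer would dereference NULL instead of returning `ISC_FALSE`. Both lines should be deleted so the loop header is the only traversal. The function would also benefit from a comment stating the policy the loop implements, e.g. `/* First rule matching signer, name and type decides; no match means deny. */`, since rule order is then part of the access-control configuration.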
diff --git a/contrib/bind9/lib/dns/stats.c b/contrib/bind9/lib/dns/stats.c
new file mode 100644
index 0000000..aefcbe0
--- /dev/null
+++ b/contrib/bind9/lib/dns/stats.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stats.c,v 1.5.206.1 2004/03/06 08:13:46 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+
+#include <dns/stats.h>
+
+LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
+ {
+ "success",
+ "referral",
+ "nxrrset",
+ "nxdomain",
+ "recursion",
+ "failure"
+ };
+
+isc_result_t
+dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
+ int i;
+ isc_uint64_t *p =
+ isc_mem_get(mctx, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
+ if (p == NULL)
+ return (ISC_R_NOMEMORY);
+ for (i = 0; i < DNS_STATS_NCOUNTERS; i++)
+ p[i] = 0;
+ *ctrp = p;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp) {
+ isc_mem_put(mctx, *ctrp, DNS_STATS_NCOUNTERS * sizeof(isc_uint64_t));
+ *ctrp = NULL;
+}
diff --git a/contrib/bind9/lib/dns/tcpmsg.c b/contrib/bind9/lib/dns/tcpmsg.c
new file mode 100644
index 0000000..4400a3a
--- /dev/null
+++ b/contrib/bind9/lib/dns/tcpmsg.c
@@ -0,0 +1,240 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: tcpmsg.c,v 1.24.206.1 2004/03/06 08:13:46 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/events.h>
+#include <dns/result.h>
+#include <dns/tcpmsg.h>
+
+#ifdef TCPMSG_DEBUG
+#include <stdio.h> /* Required for printf. */
+#define XDEBUG(x) printf x
+#else
+#define XDEBUG(x)
+#endif
+
+#define TCPMSG_MAGIC ISC_MAGIC('T', 'C', 'P', 'm')
+#define VALID_TCPMSG(foo) ISC_MAGIC_VALID(foo, TCPMSG_MAGIC)
+
+static void recv_length(isc_task_t *, isc_event_t *);
+static void recv_message(isc_task_t *, isc_event_t *);
+
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+ isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+ isc_event_t *dev;
+ dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+ isc_region_t region;
+ isc_result_t result;
+
+ INSIST(VALID_TCPMSG(tcpmsg));
+
+ dev = &tcpmsg->event;
+
+ if (ev->result != ISC_R_SUCCESS) {
+ tcpmsg->result = ev->result;
+ goto send_and_free;
+ }
+
+ /*
+ * Success.
+ */
+ tcpmsg->size = ntohs(tcpmsg->size);
+ if (tcpmsg->size == 0) {
+ tcpmsg->result = ISC_R_UNEXPECTEDEND;
+ goto send_and_free;
+ }
+ if (tcpmsg->size > tcpmsg->maxsize) {
+ tcpmsg->result = ISC_R_RANGE;
+ goto send_and_free;
+ }
+
+ region.base = isc_mem_get(tcpmsg->mctx, tcpmsg->size);
+ region.length = tcpmsg->size;
+ if (region.base == NULL) {
+ tcpmsg->result = ISC_R_NOMEMORY;
+ goto send_and_free;
+ }
+ XDEBUG(("Allocated %d bytes\n", tcpmsg->size));
+
+ isc_buffer_init(&tcpmsg->buffer, region.base, region.length);
+ result = isc_socket_recv(tcpmsg->sock, &region, 0,
+ task, recv_message, tcpmsg);
+ if (result != ISC_R_SUCCESS) {
+ tcpmsg->result = result;
+ goto send_and_free;
+ }
+
+ isc_event_free(&ev_in);
+ return;
+
+ send_and_free:
+ isc_task_send(tcpmsg->task, &dev);
+ tcpmsg->task = NULL;
+ isc_event_free(&ev_in);
+ return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+ isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+ isc_event_t *dev;
+ dns_tcpmsg_t *tcpmsg = ev_in->ev_arg;
+
+ (void)task;
+
+ INSIST(VALID_TCPMSG(tcpmsg));
+
+ dev = &tcpmsg->event;
+
+ if (ev->result != ISC_R_SUCCESS) {
+ tcpmsg->result = ev->result;
+ goto send_and_free;
+ }
+
+ tcpmsg->result = ISC_R_SUCCESS;
+ isc_buffer_add(&tcpmsg->buffer, ev->n);
+ tcpmsg->address = ev->address;
+
+ XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
+
+ send_and_free:
+ isc_task_send(tcpmsg->task, &dev);
+ tcpmsg->task = NULL;
+ isc_event_free(&ev_in);
+}
+
+void
+dns_tcpmsg_init(isc_mem_t *mctx, isc_socket_t *sock, dns_tcpmsg_t *tcpmsg) {
+ REQUIRE(mctx != NULL);
+ REQUIRE(sock != NULL);
+ REQUIRE(tcpmsg != NULL);
+
+ tcpmsg->magic = TCPMSG_MAGIC;
+ tcpmsg->size = 0;
+ tcpmsg->buffer.base = NULL;
+ tcpmsg->buffer.length = 0;
+ tcpmsg->maxsize = 65535; /* Largest message possible. */
+ tcpmsg->mctx = mctx;
+ tcpmsg->sock = sock;
+ tcpmsg->task = NULL; /* None yet. */
+ tcpmsg->result = ISC_R_UNEXPECTED; /* None yet. */
+ /*
+ * Should probably initialize the event here, but it can wait.
+ */
+}
+
+
+void
+dns_tcpmsg_setmaxsize(dns_tcpmsg_t *tcpmsg, unsigned int maxsize) {
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+ REQUIRE(maxsize < 65536);
+
+ tcpmsg->maxsize = maxsize;
+}
+
+
+isc_result_t
+dns_tcpmsg_readmessage(dns_tcpmsg_t *tcpmsg,
+ isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+ isc_result_t result;
+ isc_region_t region;
+
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+ REQUIRE(task != NULL);
+ REQUIRE(tcpmsg->task == NULL); /* not currently in use */
+
+ if (tcpmsg->buffer.base != NULL) {
+ isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+ tcpmsg->buffer.length);
+ tcpmsg->buffer.base = NULL;
+ tcpmsg->buffer.length = 0;
+ }
+
+ tcpmsg->task = task;
+ tcpmsg->action = action;
+ tcpmsg->arg = arg;
+ tcpmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
+
+ ISC_EVENT_INIT(&tcpmsg->event, sizeof(isc_event_t), 0, 0,
+ DNS_EVENT_TCPMSG, action, arg, tcpmsg,
+ NULL, NULL);
+
+ region.base = (unsigned char *)&tcpmsg->size;
+ region.length = 2; /* isc_uint16_t */
+ result = isc_socket_recv(tcpmsg->sock, &region, 0,
+ tcpmsg->task, recv_length, tcpmsg);
+
+ if (result != ISC_R_SUCCESS)
+ tcpmsg->task = NULL;
+
+ return (result);
+}
+
+void
+dns_tcpmsg_cancelread(dns_tcpmsg_t *tcpmsg) {
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+
+ isc_socket_cancel(tcpmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+void
+dns_tcpmsg_keepbuffer(dns_tcpmsg_t *tcpmsg, isc_buffer_t *buffer) {
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+ REQUIRE(buffer != NULL);
+
+ *buffer = tcpmsg->buffer;
+ tcpmsg->buffer.base = NULL;
+ tcpmsg->buffer.length = 0;
+}
+
+#if 0
+void
+dns_tcpmsg_freebuffer(dns_tcpmsg_t *tcpmsg) {
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+
+ if (tcpmsg->buffer.base == NULL)
+ return;
+
+ isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base, tcpmsg->buffer.length);
+ tcpmsg->buffer.base = NULL;
+ tcpmsg->buffer.length = 0;
+}
+#endif
+
+void
+dns_tcpmsg_invalidate(dns_tcpmsg_t *tcpmsg) {
+ REQUIRE(VALID_TCPMSG(tcpmsg));
+
+ tcpmsg->magic = 0;
+
+ if (tcpmsg->buffer.base != NULL) {
+ isc_mem_put(tcpmsg->mctx, tcpmsg->buffer.base,
+ tcpmsg->buffer.length);
+ tcpmsg->buffer.base = NULL;
+ tcpmsg->buffer.length = 0;
+ }
+}
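Review bot: `recv_length` allocates `tcpmsg->size` bytes as soon as the two-byte length prefix has been read, and that prefix comes from the peer. The only bound is `maxsize`, which `dns_tcpmsg_init` sets to 65535. The allocation deserves a comment saying so, for example `/* size is peer-supplied; maxsize is the only limit on this allocation */`. `dns_tcpmsg_setmaxsize` should note that callers expecting smaller messages ought to lower the limit before calling `dns_tcpmsg_readmessage`. `dns_tcpmsg_keepbuffer` is also missing a comment on ownership: after the call the tcpmsg no longer frees the buffer, so the caller presumably has to return `buffer->length` bytes to the memory context passed to `dns_tcpmsg_init`.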
diff --git a/contrib/bind9/lib/dns/time.c b/contrib/bind9/lib/dns/time.c
new file mode 100644
index 0000000..770f021
--- /dev/null
+++ b/contrib/bind9/lib/dns/time.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: time.c,v 1.18.2.4.2.8 2004/08/28 06:25:20 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <time.h>
+
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/time.h>
+
+static int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
+
+isc_result_t
+dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
+ struct tm tm;
+ char buf[sizeof("YYYYMMDDHHMMSS")];
+ int secs;
+ unsigned int l;
+ isc_region_t region;
+
+ REQUIRE(t >= 0);
+
+#define is_leap(y) ((((y) % 4) == 0 && ((y) % 100) != 0) || ((y) % 400) == 0)
+#define year_secs(y) ((is_leap(y) ? 366 : 365 ) * 86400)
+#define month_secs(m,y) ((days[m] + ((m == 1 && is_leap(y)) ? 1 : 0 )) * 86400)
+
+ tm.tm_year = 70;
+ while ((secs = year_secs(tm.tm_year + 1900)) <= t) {
+ t -= secs;
+ tm.tm_year++;
+ if (tm.tm_year + 1900 > 9999)
+ return (ISC_R_RANGE);
+ }
+ tm.tm_mon = 0;
+ while ((secs = month_secs(tm.tm_mon, tm.tm_year + 1900)) <= t) {
+ t -= secs;
+ tm.tm_mon++;
+ }
+ tm.tm_mday = 1;
+ while (86400 <= t) {
+ t -= 86400;
+ tm.tm_mday++;
+ }
+ tm.tm_hour = 0;
+ while (3600 <= t) {
+ t -= 3600;
+ tm.tm_hour++;
+ }
+ tm.tm_min = 0;
+ while (60 <= t) {
+ t -= 60;
+ tm.tm_min++;
+ }
+ tm.tm_sec = (int)t;
+ /* yyyy mm dd HH MM SS */
+ snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02d",
+ tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
+ tm.tm_hour, tm.tm_min, tm.tm_sec);
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(buf);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, buf, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
+ isc_stdtime_t now;
+ isc_int64_t start;
+ isc_int64_t base;
+ isc_int64_t t;
+
+ /*
+ * Adjust the time to the closest epoch. This should be changed
+ * to use a 64-bit counterpart to isc_stdtime_get() if one ever
+ * is defined, but even the current code is good until the year
+ * 2106.
+ */
+ isc_stdtime_get(&now);
+ start = (isc_int64_t) now;
+ start -= 0x7fffffff;
+ base = 0;
+ while ((t = (base + value)) < start) {
+ base += 0x80000000;
+ base += 0x80000000;
+ }
+ return (dns_time64_totext(t, target));
+}
+
+isc_result_t
+dns_time64_fromtext(const char *source, isc_int64_t *target) {
+ int year, month, day, hour, minute, second;
+ isc_int64_t value;
+ int secs;
+ int i;
+
+#define RANGE(min, max, value) \
+ do { \
+ if (value < (min) || value > (max)) \
+ return (ISC_R_RANGE); \
+ } while (0)
+
+ if (strlen(source) != 14U)
+ return (DNS_R_SYNTAX);
+ if (sscanf(source, "%4d%2d%2d%2d%2d%2d",
+ &year, &month, &day, &hour, &minute, &second) != 6)
+ return (DNS_R_SYNTAX);
+
+ RANGE(1970, 9999, year);
+ RANGE(1, 12, month);
+ RANGE(1, days[month - 1] +
+ ((month == 2 && is_leap(year)) ? 1 : 0), day);
+ RANGE(0, 23, hour);
+ RANGE(0, 59, minute);
+ RANGE(0, 60, second); /* 60 == leap second. */
+
+ /*
+ * Calulate seconds since epoch.
+ */
+ value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
+ for (i = 0; i < (month - 1); i++)
+ value += days[i] * 86400;
+ if (is_leap(year) && month > 2)
+ value += 86400;
+ for (i = 1970; i < year; i++) {
+ secs = (is_leap(i) ? 366 : 365) * 86400;
+ value += secs;
+ }
+
+ *target = value;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_time32_fromtext(const char *source, isc_uint32_t *target) {
+ isc_int64_t value64;
+ isc_result_t result;
+ result = dns_time64_fromtext(source, &value64);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ *target = (isc_uint32_t)value64;
+
+ return (ISC_R_SUCCESS);
+}
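Review bot: `dns_time64_fromtext` checks only that the input is 14 characters long before passing it to `sscanf` with `%4d%2d%2d%2d%2d%2d`. The `%d` conversions accept a leading sign or white space, so a string that is not fourteen digits can still yield six in-range fields and be accepted as a timestamp. A digit check ahead of the `sscanf` call closes this: `for (i = 0; i < 14; i++) if (!isdigit((unsigned char)source[i])) return (DNS_R_SYNTAX);` (it needs `<ctype.h>`, which this file does not include). Separately, `dns_time32_fromtext` narrows the 64-bit result with a bare cast and no range check. If wrapping past 32 bits is intended, a comment such as `/* deliberately truncated: 32-bit times wrap */` would make that explicit.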
diff --git a/contrib/bind9/lib/dns/timer.c b/contrib/bind9/lib/dns/timer.c
new file mode 100644
index 0000000..b364f54
--- /dev/null
+++ b/contrib/bind9/lib/dns/timer.c
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer.c,v 1.2.206.1 2004/03/06 08:13:46 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/result.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+
+#include <dns/types.h>
+#include <dns/timer.h>
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+isc_result_t
+dns_timer_setidle(isc_timer_t *timer, unsigned int maxtime,
+ unsigned int idletime, isc_boolean_t purge)
+{
+ isc_result_t result;
+ isc_interval_t maxinterval, idleinterval;
+ isc_time_t expires;
+
+ /* Compute the time of expiry. */
+ isc_interval_set(&maxinterval, maxtime, 0);
+ CHECK(isc_time_nowplusinterval(&expires, &maxinterval));
+
+ /*
+ * Compute the idle interval, and add a spare nanosecond to
+ * work around the silly limitation of the ISC timer interface
+ * that you cannot specify an idle interval of zero.
+ */
+ isc_interval_set(&idleinterval, idletime, 1);
+
+ CHECK(isc_timer_reset(timer, isc_timertype_once,
+ &expires, &idleinterval,
+ purge));
+ failure:
+ return (result);
+}
diff --git a/contrib/bind9/lib/dns/tkey.c b/contrib/bind9/lib/dns/tkey.c
new file mode 100644
index 0000000..dc49a33
--- /dev/null
+++ b/contrib/bind9/lib/dns/tkey.c
@@ -0,0 +1,1240 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: tkey.c,v 1.71.2.1.10.5 2004/06/11 00:30:54 marka Exp $
+ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/md5.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dnssec.h>
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tkey.h>
+#include <dns/tsig.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+#define TKEY_RANDOM_AMOUNT 16
+
+#define RETERR(x) do { \
+ result = (x); \
+ if (result != ISC_R_SUCCESS) \
+ goto failure; \
+ } while (0)
+
+static void
+tkey_log(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+static void
+tkey_log(const char *fmt, ...) {
+ va_list ap;
+
+ va_start(ap, fmt);
+ isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_REQUEST, ISC_LOG_DEBUG(4), fmt, ap);
+ va_end(ap);
+}
+
+isc_result_t
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
+{
+ dns_tkeyctx_t *tctx;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(ectx != NULL);
+ REQUIRE(tctxp != NULL && *tctxp == NULL);
+
+ tctx = isc_mem_get(mctx, sizeof(dns_tkeyctx_t));
+ if (tctx == NULL)
+ return (ISC_R_NOMEMORY);
+ tctx->mctx = NULL;
+ isc_mem_attach(mctx, &tctx->mctx);
+ tctx->ectx = NULL;
+ isc_entropy_attach(ectx, &tctx->ectx);
+ tctx->dhkey = NULL;
+ tctx->domain = NULL;
+ tctx->gsscred = NULL;
+
+ *tctxp = tctx;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
+ isc_mem_t *mctx;
+ dns_tkeyctx_t *tctx;
+
+ REQUIRE(tctxp != NULL && *tctxp != NULL);
+
+ tctx = *tctxp;
+ mctx = tctx->mctx;
+
+ if (tctx->dhkey != NULL)
+ dst_key_free(&tctx->dhkey);
+ if (tctx->domain != NULL) {
+ if (dns_name_dynamic(tctx->domain))
+ dns_name_free(tctx->domain, mctx);
+ isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
+ }
+ isc_entropy_detach(&tctx->ectx);
+ isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
+ isc_mem_detach(&mctx);
+ *tctxp = NULL;
+}
+
+static isc_result_t
+add_rdata_to_list(dns_message_t *msg, dns_name_t *name, dns_rdata_t *rdata,
+ isc_uint32_t ttl, dns_namelist_t *namelist)
+{
+ isc_result_t result;
+ isc_region_t r, newr;
+ dns_rdata_t *newrdata = NULL;
+ dns_name_t *newname = NULL;
+ dns_rdatalist_t *newlist = NULL;
+ dns_rdataset_t *newset = NULL;
+ isc_buffer_t *tmprdatabuf = NULL;
+
+ RETERR(dns_message_gettemprdata(msg, &newrdata));
+
+ dns_rdata_toregion(rdata, &r);
+ RETERR(isc_buffer_allocate(msg->mctx, &tmprdatabuf, r.length));
+ isc_buffer_availableregion(tmprdatabuf, &newr);
+ memcpy(newr.base, r.base, r.length);
+ dns_rdata_fromregion(newrdata, rdata->rdclass, rdata->type, &newr);
+ dns_message_takebuffer(msg, &tmprdatabuf);
+
+ RETERR(dns_message_gettempname(msg, &newname));
+ dns_name_init(newname, NULL);
+ RETERR(dns_name_dup(name, msg->mctx, newname));
+
+ RETERR(dns_message_gettemprdatalist(msg, &newlist));
+ newlist->rdclass = newrdata->rdclass;
+ newlist->type = newrdata->type;
+ newlist->covers = 0;
+ newlist->ttl = ttl;
+ ISC_LIST_INIT(newlist->rdata);
+ ISC_LIST_APPEND(newlist->rdata, newrdata, link);
+
+ RETERR(dns_message_gettemprdataset(msg, &newset));
+ dns_rdataset_init(newset);
+ RETERR(dns_rdatalist_tordataset(newlist, newset));
+
+ ISC_LIST_INIT(newname->list);
+ ISC_LIST_APPEND(newname->list, newset, link);
+
+ ISC_LIST_APPEND(*namelist, newname, link);
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (newrdata != NULL) {
+ if (ISC_LINK_LINKED(newrdata, link))
+ ISC_LIST_UNLINK(newlist->rdata, newrdata, link);
+ dns_message_puttemprdata(msg, &newrdata);
+ }
+ if (newname != NULL)
+ dns_message_puttempname(msg, &newname);
+ if (newset != NULL) {
+ dns_rdataset_disassociate(newset);
+ dns_message_puttemprdataset(msg, &newset);
+ }
+ if (newlist != NULL)
+ dns_message_puttemprdatalist(msg, &newlist);
+ return (result);
+}
+
+static void
+free_namelist(dns_message_t *msg, dns_namelist_t *namelist) {
+ dns_name_t *name;
+ dns_rdataset_t *set;
+
+ while (!ISC_LIST_EMPTY(*namelist)) {
+ name = ISC_LIST_HEAD(*namelist);
+ ISC_LIST_UNLINK(*namelist, name, link);
+ while (!ISC_LIST_EMPTY(name->list)) {
+ set = ISC_LIST_HEAD(name->list);
+ ISC_LIST_UNLINK(name->list, set, link);
+ dns_message_puttemprdataset(msg, &set);
+ }
+ dns_message_puttempname(msg, &name);
+ }
+}
+
+static isc_result_t
+compute_secret(isc_buffer_t *shared, isc_region_t *queryrandomness,
+ isc_region_t *serverrandomness, isc_buffer_t *secret)
+{
+ isc_md5_t md5ctx;
+ isc_region_t r, r2;
+ unsigned char digests[32];
+ unsigned int i;
+
+ isc_buffer_usedregion(shared, &r);
+
+ /*
+ * MD5 ( query data | DH value ).
+ */
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, queryrandomness->base,
+ queryrandomness->length);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, digests);
+
+ /*
+ * MD5 ( server data | DH value ).
+ */
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, serverrandomness->base,
+ serverrandomness->length);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, &digests[ISC_MD5_DIGESTLENGTH]);
+
+ /*
+ * XOR ( DH value, MD5-1 | MD5-2).
+ */
+ isc_buffer_availableregion(secret, &r);
+ isc_buffer_usedregion(shared, &r2);
+ if (r.length < sizeof(digests) || r.length < r2.length)
+ return (ISC_R_NOSPACE);
+ if (r2.length > sizeof(digests)) {
+ memcpy(r.base, r2.base, r2.length);
+ for (i = 0; i < sizeof(digests); i++)
+ r.base[i] ^= digests[i];
+ isc_buffer_add(secret, r2.length);
+ } else {
+ memcpy(r.base, digests, sizeof(digests));
+ for (i = 0; i < r2.length; i++)
+ r.base[i] ^= r2.base[i];
+ isc_buffer_add(secret, sizeof(digests));
+ }
+ return (ISC_R_SUCCESS);
+
+}
+
+static isc_result_t
+process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+ dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
+ dns_rdata_tkey_t *tkeyout,
+ dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_name_t *keyname, ourname;
+ dns_rdataset_t *keyset = NULL;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT, ourkeyrdata = DNS_RDATA_INIT;
+ isc_boolean_t found_key = ISC_FALSE, found_incompatible = ISC_FALSE;
+ dst_key_t *pubkey = NULL;
+ isc_buffer_t ourkeybuf, *shared = NULL;
+ isc_region_t r, r2, ourkeyr;
+ unsigned char keydata[DST_KEY_MAXSIZE];
+ unsigned int sharedsize;
+ isc_buffer_t secret;
+ unsigned char *randomdata = NULL, secretdata[256];
+ dns_ttl_t ttl = 0;
+
+ if (tctx->dhkey == NULL) {
+ tkey_log("process_dhtkey: tkey-dhkey not defined");
+ tkeyout->error = dns_tsigerror_badalg;
+ return (DNS_R_REFUSED);
+ }
+
+ if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_HMACMD5_NAME)) {
+ tkey_log("process_dhtkey: algorithms other than "
+ "hmac-md5 are not supported");
+ tkeyout->error = dns_tsigerror_badalg;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Look for a DH KEY record that will work with ours.
+ */
+ for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
+ result == ISC_R_SUCCESS && !found_key;
+ result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
+ {
+ keyname = NULL;
+ dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
+ keyset = NULL;
+ result = dns_message_findtype(keyname, dns_rdatatype_key, 0,
+ &keyset);
+ if (result != ISC_R_SUCCESS)
+ continue;
+
+ for (result = dns_rdataset_first(keyset);
+ result == ISC_R_SUCCESS && !found_key;
+ result = dns_rdataset_next(keyset))
+ {
+ dns_rdataset_current(keyset, &keyrdata);
+ pubkey = NULL;
+ result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
+ msg->mctx, &pubkey);
+ if (result != ISC_R_SUCCESS) {
+ dns_rdata_reset(&keyrdata);
+ continue;
+ }
+ if (dst_key_alg(pubkey) == DNS_KEYALG_DH) {
+ if (dst_key_paramcompare(pubkey, tctx->dhkey))
+ {
+ found_key = ISC_TRUE;
+ ttl = keyset->ttl;
+ break;
+ } else
+ found_incompatible = ISC_TRUE;
+ }
+ dst_key_free(&pubkey);
+ dns_rdata_reset(&keyrdata);
+ }
+ }
+
+ if (!found_key) {
+ if (found_incompatible) {
+ tkey_log("process_dhtkey: found an incompatible key");
+ tkeyout->error = dns_tsigerror_badkey;
+ return (ISC_R_SUCCESS);
+ } else {
+ tkey_log("process_dhtkey: failed to find a key");
+ return (DNS_R_FORMERR);
+ }
+ }
+
+ RETERR(add_rdata_to_list(msg, keyname, &keyrdata, ttl, namelist));
+
+ isc_buffer_init(&ourkeybuf, keydata, sizeof(keydata));
+ RETERR(dst_key_todns(tctx->dhkey, &ourkeybuf));
+ isc_buffer_usedregion(&ourkeybuf, &ourkeyr);
+ dns_rdata_fromregion(&ourkeyrdata, dns_rdataclass_any,
+ dns_rdatatype_key, &ourkeyr);
+
+ dns_name_init(&ourname, NULL);
+ dns_name_clone(dst_key_name(tctx->dhkey), &ourname);
+
+ /*
+ * XXXBEW The TTL should be obtained from the database, if it exists.
+ */
+ RETERR(add_rdata_to_list(msg, &ourname, &ourkeyrdata, 0, namelist));
+
+ RETERR(dst_key_secretsize(tctx->dhkey, &sharedsize));
+ RETERR(isc_buffer_allocate(msg->mctx, &shared, sharedsize));
+
+ result = dst_key_computesecret(pubkey, tctx->dhkey, shared);
+ if (result != ISC_R_SUCCESS) {
+ tkey_log("process_dhtkey: failed to compute shared secret: %s",
+ isc_result_totext(result));
+ goto failure;
+ }
+ dst_key_free(&pubkey);
+
+ isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+ randomdata = isc_mem_get(tctx->mctx, TKEY_RANDOM_AMOUNT);
+ if (randomdata == NULL)
+ goto failure;
+
+ result = isc_entropy_getdata(tctx->ectx, randomdata,
+ TKEY_RANDOM_AMOUNT, NULL, 0);
+ if (result != ISC_R_SUCCESS) {
+ tkey_log("process_dhtkey: failed to obtain entropy: %s",
+ isc_result_totext(result));
+ goto failure;
+ }
+
+ r.base = randomdata;
+ r.length = TKEY_RANDOM_AMOUNT;
+ r2.base = tkeyin->key;
+ r2.length = tkeyin->keylen;
+ RETERR(compute_secret(shared, &r2, &r, &secret));
+ isc_buffer_free(&shared);
+
+ RETERR(dns_tsigkey_create(name, &tkeyin->algorithm,
+ isc_buffer_base(&secret),
+ isc_buffer_usedlength(&secret),
+ ISC_TRUE, signer, tkeyin->inception,
+ tkeyin->expire, msg->mctx, ring, NULL));
+
+ /* This key is good for a long time */
+ tkeyout->inception = tkeyin->inception;
+ tkeyout->expire = tkeyin->expire;
+
+ tkeyout->key = randomdata;
+ tkeyout->keylen = TKEY_RANDOM_AMOUNT;
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (!ISC_LIST_EMPTY(*namelist))
+ free_namelist(msg, namelist);
+ if (shared != NULL)
+ isc_buffer_free(&shared);
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
+ if (randomdata == NULL)
+ isc_mem_put(tctx->mctx, randomdata, TKEY_RANDOM_AMOUNT);
+ return (result);
+}
+
+static isc_result_t
+process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+ dns_rdata_tkey_t *tkeyin, dns_tkeyctx_t *tctx,
+ dns_rdata_tkey_t *tkeyout,
+ dns_tsig_keyring_t *ring, dns_namelist_t *namelist)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dst_key_t *dstkey = NULL;
+ void *gssctx = NULL;
+ isc_stdtime_t now;
+ isc_region_t intoken;
+ unsigned char array[1024];
+ isc_buffer_t outtoken;
+
+ UNUSED(namelist);
+
+ if (tctx->gsscred == NULL)
+ return (ISC_R_NOPERM);
+
+ if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
+ !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+ tkeyout->error = dns_tsigerror_badalg;
+ return (ISC_R_SUCCESS);
+ }
+
+ intoken.base = tkeyin->key;
+ intoken.length = tkeyin->keylen;
+
+ isc_buffer_init(&outtoken, array, sizeof(array));
+ RETERR(dst_gssapi_acceptctx(name, tctx->gsscred, &intoken,
+ &outtoken, &gssctx));
+
+ dstkey = NULL;
+ RETERR(dst_key_fromgssapi(name, gssctx, msg->mctx, &dstkey));
+
+ result = dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
+ dstkey, ISC_TRUE, signer,
+ tkeyin->inception, tkeyin->expire,
+ msg->mctx, ring, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ if (result == ISC_R_NOTFOUND) {
+ tkeyout->error = dns_tsigerror_badalg;
+ return (ISC_R_SUCCESS);
+ }
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ /* This key is good for a long time */
+ isc_stdtime_get(&now);
+ tkeyout->inception = tkeyin->inception;
+ tkeyout->expire = tkeyin->expire;
+
+ tkeyout->key = isc_mem_get(msg->mctx,
+ isc_buffer_usedlength(&outtoken));
+ if (tkeyout->key == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+ tkeyout->keylen = isc_buffer_usedlength(&outtoken);
+ memcpy(tkeyout->key, isc_buffer_base(&outtoken), tkeyout->keylen);
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (dstkey != NULL)
+ dst_key_free(&dstkey);
+
+ return (result);
+}
+
+static isc_result_t
+process_deletetkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
+ dns_rdata_tkey_t *tkeyin,
+ dns_rdata_tkey_t *tkeyout,
+ dns_tsig_keyring_t *ring,
+ dns_namelist_t *namelist)
+{
+ isc_result_t result;
+ dns_tsigkey_t *tsigkey = NULL;
+ dns_name_t *identity;
+
+ UNUSED(msg);
+ UNUSED(namelist);
+
+ result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+ if (result != ISC_R_SUCCESS) {
+ tkeyout->error = dns_tsigerror_badname;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Only allow a delete if the identity that created the key is the
+ * same as the identity that signed the message.
+ */
+ identity = dns_tsigkey_identity(tsigkey);
+ if (identity == NULL || !dns_name_equal(identity, signer)) {
+ dns_tsigkey_detach(&tsigkey);
+ return (DNS_R_REFUSED);
+ }
+
+ /*
+ * Set the key to be deleted when no references are left. If the key
+ * was not generated with TKEY and is in the config file, it may be
+ * reloaded later.
+ */
+ dns_tsigkey_setdeleted(tsigkey);
+
+ /* Release the reference */
+ dns_tsigkey_detach(&tsigkey);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
+ dns_tsig_keyring_t *ring)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_rdata_tkey_t tkeyin, tkeyout;
+ isc_boolean_t freetkeyin = ISC_FALSE;
+ dns_name_t *qname, *name, *keyname, *signer, tsigner;
+ dns_fixedname_t fkeyname;
+ dns_rdataset_t *tkeyset;
+ dns_rdata_t rdata;
+ dns_namelist_t namelist;
+ char tkeyoutdata[512];
+ isc_buffer_t tkeyoutbuf;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(tctx != NULL);
+ REQUIRE(ring != NULL);
+
+ ISC_LIST_INIT(namelist);
+
+ /*
+ * Interpret the question section.
+ */
+ result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+ if (result != ISC_R_SUCCESS)
+ return (DNS_R_FORMERR);
+
+ qname = NULL;
+ dns_message_currentname(msg, DNS_SECTION_QUESTION, &qname);
+
+ /*
+ * Look for a TKEY record that matches the question.
+ */
+ tkeyset = NULL;
+ name = NULL;
+ result = dns_message_findname(msg, DNS_SECTION_ADDITIONAL, qname,
+ dns_rdatatype_tkey, 0, &name, &tkeyset);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Try the answer section, since that's where Win2000
+ * puts it.
+ */
+ if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+ dns_rdatatype_tkey, 0, &name,
+ &tkeyset) != ISC_R_SUCCESS)
+ {
+ result = DNS_R_FORMERR;
+ tkey_log("dns_tkey_processquery: couldn't find a TKEY "
+ "matching the question");
+ goto failure;
+ }
+ }
+ result = dns_rdataset_first(tkeyset);
+ if (result != ISC_R_SUCCESS) {
+ result = DNS_R_FORMERR;
+ goto failure;
+ }
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(tkeyset, &rdata);
+
+ RETERR(dns_rdata_tostruct(&rdata, &tkeyin, NULL));
+ freetkeyin = ISC_TRUE;
+
+ if (tkeyin.error != dns_rcode_noerror) {
+ result = DNS_R_FORMERR;
+ goto failure;
+ }
+
+ /*
+ * Before we go any farther, verify that the message was signed.
+ * GSSAPI TKEY doesn't require a signature, the rest do.
+ */
+ dns_name_init(&tsigner, NULL);
+ result = dns_message_signer(msg, &tsigner);
+ if (result != ISC_R_SUCCESS) {
+ if (tkeyin.mode == DNS_TKEYMODE_GSSAPI &&
+ result == ISC_R_NOTFOUND)
+ signer = NULL;
+ else {
+ tkey_log("dns_tkey_processquery: query was not "
+ "properly signed - rejecting");
+ result = DNS_R_FORMERR;
+ goto failure;
+ }
+ } else
+ signer = &tsigner;
+
+ tkeyout.common.rdclass = tkeyin.common.rdclass;
+ tkeyout.common.rdtype = tkeyin.common.rdtype;
+ ISC_LINK_INIT(&tkeyout.common, link);
+ tkeyout.mctx = msg->mctx;
+
+ dns_name_init(&tkeyout.algorithm, NULL);
+ dns_name_clone(&tkeyin.algorithm, &tkeyout.algorithm);
+
+ tkeyout.inception = tkeyout.expire = 0;
+ tkeyout.mode = tkeyin.mode;
+ tkeyout.error = 0;
+ tkeyout.keylen = tkeyout.otherlen = 0;
+ tkeyout.key = tkeyout.other = NULL;
+
+ /*
+ * A delete operation must have a fully specified key name. If this
+ * is not a delete, we do the following:
+ * if (qname != ".")
+ * keyname = qname + defaultdomain
+ * else
+ * keyname = <random hex> + defaultdomain
+ */
+ if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
+ dns_tsigkey_t *tsigkey = NULL;
+
+ if (tctx->domain == NULL) {
+ tkey_log("dns_tkey_processquery: tkey-domain not set");
+ result = DNS_R_REFUSED;
+ goto failure;
+ }
+
+ dns_fixedname_init(&fkeyname);
+ keyname = dns_fixedname_name(&fkeyname);
+
+ if (!dns_name_equal(qname, dns_rootname)) {
+ unsigned int n = dns_name_countlabels(qname);
+ RUNTIME_CHECK(dns_name_copy(qname, keyname, NULL)
+ == ISC_R_SUCCESS);
+ dns_name_getlabelsequence(keyname, 0, n - 1, keyname);
+ } else {
+ static char hexdigits[16] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
+ '8', '9', 'A', 'B', 'C', 'D', 'E', 'F' };
+ unsigned char randomdata[16];
+ char randomtext[32];
+ isc_buffer_t b;
+ unsigned int i, j;
+
+ result = isc_entropy_getdata(tctx->ectx,
+ randomdata,
+ sizeof(randomdata),
+ NULL, 0);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ for (i = 0, j = 0; i < sizeof(randomdata); i++) {
+ unsigned char val = randomdata[i];
+ randomtext[j++] = hexdigits[val >> 4];
+ randomtext[j++] = hexdigits[val & 0xF];
+ }
+ isc_buffer_init(&b, randomtext, sizeof(randomtext));
+ isc_buffer_add(&b, sizeof(randomtext));
+ result = dns_name_fromtext(keyname, &b, NULL,
+ ISC_FALSE, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
+ result = dns_name_concatenate(keyname, tctx->domain,
+ keyname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
+ if (result == ISC_R_SUCCESS) {
+ tkeyout.error = dns_tsigerror_badname;
+ dns_tsigkey_detach(&tsigkey);
+ goto failure_with_tkey;
+ } else if (result != ISC_R_NOTFOUND)
+ goto failure;
+ } else
+ keyname = qname;
+
+ switch (tkeyin.mode) {
+ case DNS_TKEYMODE_DIFFIEHELLMAN:
+ tkeyout.error = dns_rcode_noerror;
+ RETERR(process_dhtkey(msg, signer, keyname, &tkeyin,
+ tctx, &tkeyout, ring,
+ &namelist));
+ break;
+ case DNS_TKEYMODE_GSSAPI:
+ tkeyout.error = dns_rcode_noerror;
+ RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
+ tctx, &tkeyout, ring,
+ &namelist));
+ break;
+ case DNS_TKEYMODE_DELETE:
+ tkeyout.error = dns_rcode_noerror;
+ RETERR(process_deletetkey(msg, signer, keyname,
+ &tkeyin, &tkeyout,
+ ring, &namelist));
+ break;
+ case DNS_TKEYMODE_SERVERASSIGNED:
+ case DNS_TKEYMODE_RESOLVERASSIGNED:
+ result = DNS_R_NOTIMP;
+ goto failure;
+ default:
+ tkeyout.error = dns_tsigerror_badmode;
+ }
+
+ failure_with_tkey:
+ dns_rdata_init(&rdata);
+ isc_buffer_init(&tkeyoutbuf, tkeyoutdata, sizeof(tkeyoutdata));
+ result = dns_rdata_fromstruct(&rdata, tkeyout.common.rdclass,
+ tkeyout.common.rdtype, &tkeyout,
+ &tkeyoutbuf);
+
+ if (freetkeyin) {
+ dns_rdata_freestruct(&tkeyin);
+ freetkeyin = ISC_FALSE;
+ }
+
+ if (tkeyout.key != NULL)
+ isc_mem_put(msg->mctx, tkeyout.key, tkeyout.keylen);
+ if (tkeyout.other != NULL)
+ isc_mem_put(msg->mctx, tkeyout.other, tkeyout.otherlen);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+
+ RETERR(add_rdata_to_list(msg, keyname, &rdata, 0, &namelist));
+
+ RETERR(dns_message_reply(msg, ISC_TRUE));
+
+ name = ISC_LIST_HEAD(namelist);
+ while (name != NULL) {
+ dns_name_t *next = ISC_LIST_NEXT(name, link);
+ ISC_LIST_UNLINK(namelist, name, link);
+ dns_message_addname(msg, name, DNS_SECTION_ANSWER);
+ name = next;
+ }
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (freetkeyin)
+ dns_rdata_freestruct(&tkeyin);
+ if (!ISC_LIST_EMPTY(namelist))
+ free_namelist(msg, &namelist);
+ return (result);
+}
+
+static isc_result_t
+buildquery(dns_message_t *msg, dns_name_t *name,
+ dns_rdata_tkey_t *tkey)
+{
+ dns_name_t *qname = NULL, *aname = NULL;
+ dns_rdataset_t *question = NULL, *tkeyset = NULL;
+ dns_rdatalist_t *tkeylist = NULL;
+ dns_rdata_t *rdata = NULL;
+ isc_buffer_t *dynbuf = NULL;
+ isc_result_t result;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(tkey != NULL);
+
+ RETERR(dns_message_gettempname(msg, &qname));
+ RETERR(dns_message_gettempname(msg, &aname));
+
+ RETERR(dns_message_gettemprdataset(msg, &question));
+ dns_rdataset_init(question);
+ dns_rdataset_makequestion(question, dns_rdataclass_any,
+ dns_rdatatype_tkey);
+
+ RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512));
+ RETERR(dns_message_gettemprdata(msg, &rdata));
+ RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+ dns_rdatatype_tkey, tkey, dynbuf));
+ dns_message_takebuffer(msg, &dynbuf);
+
+ RETERR(dns_message_gettemprdatalist(msg, &tkeylist));
+ tkeylist->rdclass = dns_rdataclass_any;
+ tkeylist->type = dns_rdatatype_tkey;
+ tkeylist->covers = 0;
+ tkeylist->ttl = 0;
+ ISC_LIST_INIT(tkeylist->rdata);
+ ISC_LIST_APPEND(tkeylist->rdata, rdata, link);
+
+ RETERR(dns_message_gettemprdataset(msg, &tkeyset));
+ dns_rdataset_init(tkeyset);
+ RETERR(dns_rdatalist_tordataset(tkeylist, tkeyset));
+
+ dns_name_init(qname, NULL);
+ dns_name_clone(name, qname);
+
+ dns_name_init(aname, NULL);
+ dns_name_clone(name, aname);
+
+ ISC_LIST_APPEND(qname->list, question, link);
+ ISC_LIST_APPEND(aname->list, tkeyset, link);
+
+ dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+ dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (qname != NULL)
+ dns_message_puttempname(msg, &qname);
+ if (aname != NULL)
+ dns_message_puttempname(msg, &aname);
+ if (question != NULL) {
+ dns_rdataset_disassociate(question);
+ dns_message_puttemprdataset(msg, &question);
+ }
+ if (dynbuf != NULL)
+ isc_buffer_free(&dynbuf);
+ return (result);
+}
+
+isc_result_t
+dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
+ dns_name_t *algorithm, isc_buffer_t *nonce,
+ isc_uint32_t lifetime)
+{
+ dns_rdata_tkey_t tkey;
+ dns_rdata_t *rdata = NULL;
+ isc_buffer_t *dynbuf = NULL;
+ isc_region_t r;
+ dns_name_t keyname;
+ dns_namelist_t namelist;
+ isc_result_t result;
+ isc_stdtime_t now;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(key != NULL);
+ REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+ REQUIRE(dst_key_isprivate(key));
+ REQUIRE(name != NULL);
+ REQUIRE(algorithm != NULL);
+
+ tkey.common.rdclass = dns_rdataclass_any;
+ tkey.common.rdtype = dns_rdatatype_tkey;
+ ISC_LINK_INIT(&tkey.common, link);
+ tkey.mctx = msg->mctx;
+ dns_name_init(&tkey.algorithm, NULL);
+ dns_name_clone(algorithm, &tkey.algorithm);
+ isc_stdtime_get(&now);
+ tkey.inception = now;
+ tkey.expire = now + lifetime;
+ tkey.mode = DNS_TKEYMODE_DIFFIEHELLMAN;
+ if (nonce != NULL)
+ isc_buffer_usedregion(nonce, &r);
+ else {
+ r.base = isc_mem_get(msg->mctx, 0);
+ r.length = 0;
+ }
+ tkey.error = 0;
+ tkey.key = r.base;
+ tkey.keylen = r.length;
+ tkey.other = NULL;
+ tkey.otherlen = 0;
+
+ RETERR(buildquery(msg, name, &tkey));
+
+ if (nonce == NULL)
+ isc_mem_put(msg->mctx, r.base, 0);
+
+ RETERR(dns_message_gettemprdata(msg, &rdata));
+ RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 1024));
+ RETERR(dst_key_todns(key, dynbuf));
+ isc_buffer_usedregion(dynbuf, &r);
+ dns_rdata_fromregion(rdata, dns_rdataclass_any,
+ dns_rdatatype_key, &r);
+ dns_message_takebuffer(msg, &dynbuf);
+
+ dns_name_init(&keyname, NULL);
+ dns_name_clone(dst_key_name(key), &keyname);
+
+ ISC_LIST_INIT(namelist);
+ RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
+ dns_message_addname(msg, ISC_LIST_HEAD(namelist),
+ DNS_SECTION_ADDITIONAL);
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+
+ if (dynbuf != NULL)
+ isc_buffer_free(&dynbuf);
+ return (result);
+}
+
+isc_result_t
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
+ dns_name_t *gname, void *cred,
+ isc_uint32_t lifetime, void **context)
+{
+ dns_rdata_tkey_t tkey;
+ isc_result_t result;
+ isc_stdtime_t now;
+ isc_buffer_t token;
+ unsigned char array[1024];
+
+ REQUIRE(msg != NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(gname != NULL);
+ REQUIRE(context != NULL && *context == NULL);
+
+ isc_buffer_init(&token, array, sizeof(array));
+ result = dst_gssapi_initctx(gname, cred, NULL, &token, context);
+ if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+ return (result);
+
+ tkey.common.rdclass = dns_rdataclass_any;
+ tkey.common.rdtype = dns_rdatatype_tkey;
+ ISC_LINK_INIT(&tkey.common, link);
+ tkey.mctx = NULL;
+ dns_name_init(&tkey.algorithm, NULL);
+ dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+ isc_stdtime_get(&now);
+ tkey.inception = now;
+ tkey.expire = now + lifetime;
+ tkey.mode = DNS_TKEYMODE_GSSAPI;
+ tkey.error = 0;
+ tkey.key = isc_buffer_base(&token);
+ tkey.keylen = isc_buffer_usedlength(&token);
+ tkey.other = NULL;
+ tkey.otherlen = 0;
+
+ RETERR(buildquery(msg, name, &tkey));
+
+ return (ISC_R_SUCCESS);
+
+ failure:
+ return (result);
+}
+
+isc_result_t
+dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
+ dns_rdata_tkey_t tkey;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(key != NULL);
+
+ tkey.common.rdclass = dns_rdataclass_any;
+ tkey.common.rdtype = dns_rdatatype_tkey;
+ ISC_LINK_INIT(&tkey.common, link);
+ tkey.mctx = msg->mctx;
+ dns_name_init(&tkey.algorithm, NULL);
+ dns_name_clone(key->algorithm, &tkey.algorithm);
+ tkey.inception = tkey.expire = 0;
+ tkey.mode = DNS_TKEYMODE_DELETE;
+ tkey.error = 0;
+ tkey.keylen = tkey.otherlen = 0;
+ tkey.key = tkey.other = NULL;
+
+ return (buildquery(msg, &key->name, &tkey));
+}
+
+static isc_result_t
+find_tkey(dns_message_t *msg, dns_name_t **name, dns_rdata_t *rdata,
+ int section)
+{
+ dns_rdataset_t *tkeyset;
+ isc_result_t result;
+
+ result = dns_message_firstname(msg, section);
+ while (result == ISC_R_SUCCESS) {
+ *name = NULL;
+ dns_message_currentname(msg, section, name);
+ tkeyset = NULL;
+ result = dns_message_findtype(*name, dns_rdatatype_tkey, 0,
+ &tkeyset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_rdataset_first(tkeyset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(tkeyset, rdata);
+ return (ISC_R_SUCCESS);
+ }
+ result = dns_message_nextname(msg, section);
+ }
+ if (result == ISC_R_NOMORE)
+ return (ISC_R_NOTFOUND);
+ return (result);
+}
+
+isc_result_t
+dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dst_key_t *key, isc_buffer_t *nonce,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
+{
+ dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+ dns_name_t keyname, *tkeyname, *theirkeyname, *ourkeyname, *tempname;
+ dns_rdataset_t *theirkeyset = NULL, *ourkeyset = NULL;
+ dns_rdata_t theirkeyrdata = DNS_RDATA_INIT;
+ dst_key_t *theirkey = NULL;
+ dns_rdata_tkey_t qtkey, rtkey;
+ unsigned char secretdata[256];
+ unsigned int sharedsize;
+ isc_buffer_t *shared = NULL, secret;
+ isc_region_t r, r2;
+ isc_result_t result;
+ isc_boolean_t freertkey = ISC_FALSE;
+
+ REQUIRE(qmsg != NULL);
+ REQUIRE(rmsg != NULL);
+ REQUIRE(key != NULL);
+ REQUIRE(dst_key_alg(key) == DNS_KEYALG_DH);
+ REQUIRE(dst_key_isprivate(key));
+ if (outkey != NULL)
+ REQUIRE(*outkey == NULL);
+
+ if (rmsg->rcode != dns_rcode_noerror)
+ return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+ RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+ RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+ freertkey = ISC_TRUE;
+
+ RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL));
+ RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+ if (rtkey.error != dns_rcode_noerror ||
+ rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
+ rtkey.mode != qtkey.mode ||
+ !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+ rmsg->rcode != dns_rcode_noerror)
+ {
+ tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+ "or error set");
+ result = DNS_R_INVALIDTKEY;
+ dns_rdata_freestruct(&qtkey);
+ goto failure;
+ }
+
+ dns_rdata_freestruct(&qtkey);
+
+ dns_name_init(&keyname, NULL);
+ dns_name_clone(dst_key_name(key), &keyname);
+
+ ourkeyname = NULL;
+ ourkeyset = NULL;
+ RETERR(dns_message_findname(rmsg, DNS_SECTION_ANSWER, &keyname,
+ dns_rdatatype_key, 0, &ourkeyname,
+ &ourkeyset));
+
+ result = dns_message_firstname(rmsg, DNS_SECTION_ANSWER);
+ while (result == ISC_R_SUCCESS) {
+ theirkeyname = NULL;
+ dns_message_currentname(rmsg, DNS_SECTION_ANSWER,
+ &theirkeyname);
+ if (dns_name_equal(theirkeyname, ourkeyname))
+ goto next;
+ theirkeyset = NULL;
+ result = dns_message_findtype(theirkeyname, dns_rdatatype_key,
+ 0, &theirkeyset);
+ if (result == ISC_R_SUCCESS) {
+ RETERR(dns_rdataset_first(theirkeyset));
+ break;
+ }
+ next:
+ result = dns_message_nextname(rmsg, DNS_SECTION_ANSWER);
+ }
+
+ if (theirkeyset == NULL) {
+ tkey_log("dns_tkey_processdhresponse: failed to find server "
+ "key");
+ result = ISC_R_NOTFOUND;
+ goto failure;
+ }
+
+ dns_rdataset_current(theirkeyset, &theirkeyrdata);
+ RETERR(dns_dnssec_keyfromrdata(theirkeyname, &theirkeyrdata,
+ rmsg->mctx, &theirkey));
+
+ RETERR(dst_key_secretsize(key, &sharedsize));
+ RETERR(isc_buffer_allocate(rmsg->mctx, &shared, sharedsize));
+
+ RETERR(dst_key_computesecret(theirkey, key, shared));
+
+ isc_buffer_init(&secret, secretdata, sizeof(secretdata));
+
+ r.base = rtkey.key;
+ r.length = rtkey.keylen;
+ if (nonce != NULL)
+ isc_buffer_usedregion(nonce, &r2);
+ else {
+ r2.base = isc_mem_get(rmsg->mctx, 0);
+ r2.length = 0;
+ }
+ RETERR(compute_secret(shared, &r2, &r, &secret));
+ if (nonce == NULL)
+ isc_mem_put(rmsg->mctx, r2.base, 0);
+
+ isc_buffer_usedregion(&secret, &r);
+ result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
+ r.base, r.length, ISC_TRUE,
+ NULL, rtkey.inception, rtkey.expire,
+ rmsg->mctx, ring, outkey);
+ isc_buffer_free(&shared);
+ dns_rdata_freestruct(&rtkey);
+ dst_key_free(&theirkey);
+ return (result);
+
+ failure:
+ if (shared != NULL)
+ isc_buffer_free(&shared);
+
+ if (theirkey != NULL)
+ dst_key_free(&theirkey);
+
+ if (freertkey)
+ dns_rdata_freestruct(&rtkey);
+
+ return (result);
+}
+
+isc_result_t
+dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_name_t *gname, void *cred, void **context,
+ dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
+{
+ dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+ dns_name_t *tkeyname;
+ dns_rdata_tkey_t rtkey, qtkey;
+ isc_buffer_t outtoken;
+ dst_key_t *dstkey = NULL;
+ isc_region_t r;
+ isc_result_t result;
+ unsigned char array[1024];
+
+ REQUIRE(qmsg != NULL);
+ REQUIRE(rmsg != NULL);
+ REQUIRE(gname != NULL);
+ if (outkey != NULL)
+ REQUIRE(*outkey == NULL);
+
+ if (rmsg->rcode != dns_rcode_noerror)
+ return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+ RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+ RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+ RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL));
+ RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+ if (rtkey.error != dns_rcode_noerror ||
+ rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+ !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
+ {
+ tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+ "or error set");
+ result = DNS_R_INVALIDTKEY;
+ goto failure;
+ }
+
+ isc_buffer_init(&outtoken, array, sizeof(array));
+ r.base = rtkey.key;
+ r.length = rtkey.keylen;
+ RETERR(dst_gssapi_initctx(gname, cred, &r, &outtoken, context));
+
+ dstkey = NULL;
+ RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
+ &dstkey));
+
+ RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
+ dstkey, ISC_TRUE, NULL,
+ rtkey.inception, rtkey.expire,
+ rmsg->mctx, ring, outkey));
+
+ dns_rdata_freestruct(&rtkey);
+ return (result);
+
+ failure:
+ return (result);
+}
+
+isc_result_t
+dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
+ dns_tsig_keyring_t *ring)
+{
+ dns_rdata_t qtkeyrdata = DNS_RDATA_INIT, rtkeyrdata = DNS_RDATA_INIT;
+ dns_name_t *tkeyname, *tempname;
+ dns_rdata_tkey_t qtkey, rtkey;
+ dns_tsigkey_t *tsigkey = NULL;
+ isc_result_t result;
+
+ REQUIRE(qmsg != NULL);
+ REQUIRE(rmsg != NULL);
+
+ if (rmsg->rcode != dns_rcode_noerror)
+ return(ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+
+ RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+ RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+ RETERR(find_tkey(qmsg, &tempname, &qtkeyrdata,
+ DNS_SECTION_ADDITIONAL));
+ RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+ if (rtkey.error != dns_rcode_noerror ||
+ rtkey.mode != DNS_TKEYMODE_DELETE ||
+ rtkey.mode != qtkey.mode ||
+ !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
+ rmsg->rcode != dns_rcode_noerror)
+ {
+ tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
+ "or error set");
+ result = DNS_R_INVALIDTKEY;
+ dns_rdata_freestruct(&qtkey);
+ dns_rdata_freestruct(&rtkey);
+ goto failure;
+ }
+
+ dns_rdata_freestruct(&qtkey);
+
+ RETERR(dns_tsigkey_find(&tsigkey, tkeyname, &rtkey.algorithm, ring));
+
+ dns_rdata_freestruct(&rtkey);
+
+ /*
+ * Mark the key as deleted.
+ */
+ dns_tsigkey_setdeleted(tsigkey);
+ /*
+ * Release the reference.
+ */
+ dns_tsigkey_detach(&tsigkey);
+
+ failure:
+ return (result);
+}
diff --git a/contrib/bind9/lib/dns/tsig.c b/contrib/bind9/lib/dns/tsig.c
new file mode 100644
index 0000000..fb1ac82
--- /dev/null
+++ b/contrib/bind9/lib/dns/tsig.c
@@ -0,0 +1,1218 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: tsig.c,v 1.112.2.3.8.4 2004/03/08 09:04:32 marka Exp $
+ */
+
+#include <config.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rbt.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+
+#include <dst/result.h>
+
+#define TSIG_MAGIC ISC_MAGIC('T', 'S', 'I', 'G')
+#define VALID_TSIG_KEY(x) ISC_MAGIC_VALID(x, TSIG_MAGIC)
+
+#define is_response(msg) (msg->flags & DNS_MESSAGEFLAG_QR)
+#define algname_is_allocated(algname) \
+ ((algname) != dns_tsig_hmacmd5_name && \
+ (algname) != dns_tsig_gssapi_name && \
+ (algname) != dns_tsig_gssapims_name)
+
+#define BADTIMELEN 6
+
+static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
+static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
+
+static dns_name_t hmacmd5 = {
+ DNS_NAME_MAGIC,
+ hmacmd5_ndata, 26, 5,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ hmacmd5_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
+
+static unsigned char gsstsig_ndata[] = "\010gss-tsig";
+static unsigned char gsstsig_offsets[] = { 0, 9 };
+
+static dns_name_t gsstsig = {
+ DNS_NAME_MAGIC,
+ gsstsig_ndata, 10, 2,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ gsstsig_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
+
+/* It's nice of Microsoft to conform to their own standard. */
+static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
+static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
+
+static dns_name_t gsstsigms = {
+ DNS_NAME_MAGIC,
+ gsstsigms_ndata, 19, 4,
+ DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
+ gsstsigms_offsets, NULL,
+ {(void *)-1, (void *)-1},
+ {NULL, NULL}
+};
+
+LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg);
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+static void
+tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
+ va_list ap;
+ char message[4096];
+ char namestr[DNS_NAME_FORMATSIZE];
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+ if (key != NULL)
+ dns_name_format(&key->name, namestr, sizeof(namestr));
+ else
+ strcpy(namestr, "<null>");
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+ level, "tsig key '%s': %s", namestr, message);
+}
+
+isc_result_t
+dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
+ dst_key_t *dstkey, isc_boolean_t generated,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
+ dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
+{
+ dns_tsigkey_t *tkey;
+ isc_result_t ret;
+ unsigned int refs = 0;
+
+ REQUIRE(key == NULL || *key == NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(algorithm != NULL);
+ REQUIRE(mctx != NULL);
+
+ tkey = (dns_tsigkey_t *) isc_mem_get(mctx, sizeof(dns_tsigkey_t));
+ if (tkey == NULL)
+ return (ISC_R_NOMEMORY);
+
+ dns_name_init(&tkey->name, NULL);
+ ret = dns_name_dup(name, mctx, &tkey->name);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_key;
+ (void)dns_name_downcase(&tkey->name, &tkey->name, NULL);
+
+ if (dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME)) {
+ tkey->algorithm = DNS_TSIG_HMACMD5_NAME;
+ if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_HMACMD5) {
+ ret = DNS_R_BADALG;
+ goto cleanup_name;
+ }
+ } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME)) {
+ tkey->algorithm = DNS_TSIG_GSSAPI_NAME;
+ if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
+ ret = DNS_R_BADALG;
+ goto cleanup_name;
+ }
+ } else if (dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
+ tkey->algorithm = DNS_TSIG_GSSAPIMS_NAME;
+ if (dstkey != NULL && dst_key_alg(dstkey) != DST_ALG_GSSAPI) {
+ ret = DNS_R_BADALG;
+ goto cleanup_name;
+ }
+ } else {
+ if (key != NULL) {
+ ret = DNS_R_BADALG;
+ goto cleanup_name;
+ }
+ tkey->algorithm = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (tkey->algorithm == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto cleanup_name;
+ }
+ dns_name_init(tkey->algorithm, NULL);
+ ret = dns_name_dup(algorithm, mctx, tkey->algorithm);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_algorithm;
+ (void)dns_name_downcase(tkey->algorithm, tkey->algorithm,
+ NULL);
+ }
+
+ if (creator != NULL) {
+ tkey->creator = isc_mem_get(mctx, sizeof(dns_name_t));
+ if (tkey->creator == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto cleanup_algorithm;
+ }
+ dns_name_init(tkey->creator, NULL);
+ ret = dns_name_dup(creator, mctx, tkey->creator);
+ if (ret != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
+ goto cleanup_algorithm;
+ }
+ } else
+ tkey->creator = NULL;
+
+ tkey->key = dstkey;
+ tkey->ring = ring;
+
+ if (ring != NULL) {
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ ret = dns_rbt_addname(ring->keys, name, tkey);
+ if (ret != ISC_R_SUCCESS) {
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+ goto cleanup_algorithm;
+ }
+ refs++;
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+ }
+
+ if (key != NULL)
+ refs++;
+ isc_refcount_init(&tkey->refs, refs);
+ tkey->generated = generated;
+ tkey->inception = inception;
+ tkey->expire = expire;
+ tkey->mctx = mctx;
+
+ tkey->magic = TSIG_MAGIC;
+
+ if (dstkey != NULL && dst_key_size(dstkey) < 64) {
+ char namestr[DNS_NAME_FORMATSIZE];
+ dns_name_format(name, namestr, sizeof(namestr));
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_TSIG, ISC_LOG_INFO,
+ "the key '%s' is too short to be secure",
+ namestr);
+ }
+ if (key != NULL)
+ *key = tkey;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_algorithm:
+ if (algname_is_allocated(tkey->algorithm)) {
+ if (dns_name_dynamic(tkey->algorithm))
+ dns_name_free(tkey->algorithm, mctx);
+ isc_mem_put(mctx, tkey->algorithm, sizeof(dns_name_t));
+ }
+ cleanup_name:
+ dns_name_free(&tkey->name, mctx);
+ cleanup_key:
+ isc_mem_put(mctx, tkey, sizeof(dns_tsigkey_t));
+
+ return (ret);
+}
+
+isc_result_t
+dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
+ unsigned char *secret, int length, isc_boolean_t generated,
+ dns_name_t *creator, isc_stdtime_t inception,
+ isc_stdtime_t expire, isc_mem_t *mctx,
+ dns_tsig_keyring_t *ring, dns_tsigkey_t **key)
+{
+ dst_key_t *dstkey = NULL;
+ isc_result_t result;
+
+ REQUIRE(length >= 0);
+ if (length > 0)
+ REQUIRE(secret != NULL);
+
+ if (!dns_name_equal(algorithm, DNS_TSIG_HMACMD5_NAME) && length > 0)
+ return (DNS_R_BADALG);
+
+ if (secret != NULL) {
+ isc_buffer_t b;
+
+ isc_buffer_init(&b, secret, length);
+ isc_buffer_add(&b, length);
+ result = dst_key_frombuffer(name, DST_ALG_HMACMD5,
+ DNS_KEYOWNER_ENTITY,
+ DNS_KEYPROTO_DNSSEC,
+ dns_rdataclass_in,
+ &b, mctx, &dstkey);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+ result = dns_tsigkey_createfromkey(name, algorithm, dstkey,
+ generated, creator,
+ inception, expire, mctx, ring, key);
+ if (result != ISC_R_SUCCESS && dstkey != NULL)
+ dst_key_free(&dstkey);
+ return (result);
+}
+
+void
+dns_tsigkey_attach(dns_tsigkey_t *source, dns_tsigkey_t **targetp) {
+ REQUIRE(VALID_TSIG_KEY(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ isc_refcount_increment(&source->refs, NULL);
+ *targetp = source;
+}
+
+static void
+tsigkey_free(dns_tsigkey_t *key) {
+ REQUIRE(VALID_TSIG_KEY(key));
+
+ key->magic = 0;
+ dns_name_free(&key->name, key->mctx);
+ if (algname_is_allocated(key->algorithm)) {
+ dns_name_free(key->algorithm, key->mctx);
+ isc_mem_put(key->mctx, key->algorithm, sizeof(dns_name_t));
+ }
+ if (key->key != NULL)
+ dst_key_free(&key->key);
+ if (key->creator != NULL) {
+ dns_name_free(key->creator, key->mctx);
+ isc_mem_put(key->mctx, key->creator, sizeof(dns_name_t));
+ }
+ isc_refcount_destroy(&key->refs);
+ isc_mem_put(key->mctx, key, sizeof(dns_tsigkey_t));
+}
+
+void
+dns_tsigkey_detach(dns_tsigkey_t **keyp) {
+ dns_tsigkey_t *key;
+ unsigned int refs;
+
+ REQUIRE(keyp != NULL);
+ REQUIRE(VALID_TSIG_KEY(*keyp));
+
+ key = *keyp;
+ isc_refcount_decrement(&key->refs, &refs);
+
+ if (refs == 0)
+ tsigkey_free(key);
+
+ *keyp = NULL;
+}
+
+void
+dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
+ REQUIRE(VALID_TSIG_KEY(key));
+ REQUIRE(key->ring != NULL);
+
+ RWLOCK(&key->ring->lock, isc_rwlocktype_write);
+ (void)dns_rbt_deletename(key->ring->keys, &key->name, ISC_FALSE);
+ RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
+}
+
+static void
+buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
+ isc_uint16_t valhi;
+ isc_uint32_t vallo;
+
+ valhi = (isc_uint16_t)(val >> 32);
+ vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
+ isc_buffer_putuint16(b, valhi);
+ isc_buffer_putuint32(b, vallo);
+}
+
+isc_result_t
+dns_tsig_sign(dns_message_t *msg) {
+ dns_tsigkey_t *key;
+ dns_rdata_any_tsig_t tsig, querytsig;
+ unsigned char data[128];
+ isc_buffer_t databuf, sigbuf;
+ isc_buffer_t *dynbuf;
+ dns_name_t *owner;
+ dns_rdata_t *rdata;
+ dns_rdatalist_t *datalist;
+ dns_rdataset_t *dataset;
+ isc_region_t r;
+ isc_stdtime_t now;
+ isc_mem_t *mctx;
+ dst_context_t *ctx = NULL;
+ isc_result_t ret;
+ unsigned char badtimedata[BADTIMELEN];
+ unsigned int sigsize = 0;
+
+ REQUIRE(msg != NULL);
+ REQUIRE(VALID_TSIG_KEY(dns_message_gettsigkey(msg)));
+
+ /*
+ * If this is a response, there should be a query tsig.
+ */
+ if (is_response(msg) && msg->querytsig == NULL)
+ return (DNS_R_EXPECTEDTSIG);
+
+ dynbuf = NULL;
+
+ mctx = msg->mctx;
+ key = dns_message_gettsigkey(msg);
+
+ tsig.mctx = mctx;
+ tsig.common.rdclass = dns_rdataclass_any;
+ tsig.common.rdtype = dns_rdatatype_tsig;
+ ISC_LINK_INIT(&tsig.common, link);
+ dns_name_init(&tsig.algorithm, NULL);
+ dns_name_clone(key->algorithm, &tsig.algorithm);
+
+ isc_stdtime_get(&now);
+ tsig.timesigned = now + msg->timeadjust;
+ tsig.fudge = DNS_TSIG_FUDGE;
+
+ tsig.originalid = msg->id;
+
+ isc_buffer_init(&databuf, data, sizeof(data));
+
+ if (is_response(msg))
+ tsig.error = msg->querytsigstatus;
+ else
+ tsig.error = dns_rcode_noerror;
+
+ if (tsig.error != dns_tsigerror_badtime) {
+ tsig.otherlen = 0;
+ tsig.other = NULL;
+ } else {
+ isc_buffer_t otherbuf;
+
+ tsig.otherlen = BADTIMELEN;
+ tsig.other = badtimedata;
+ isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
+ buffer_putuint48(&otherbuf, tsig.timesigned);
+ }
+
+ if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
+ unsigned char header[DNS_MESSAGE_HEADERLEN];
+ isc_buffer_t headerbuf;
+
+ ret = dst_context_create(key->key, mctx, &ctx);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ /*
+ * If this is a response, digest the query signature.
+ */
+ if (is_response(msg)) {
+ dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+
+ ret = dns_rdataset_first(msg->querytsig);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ dns_rdataset_current(msg->querytsig, &querytsigrdata);
+ ret = dns_rdata_tostruct(&querytsigrdata, &querytsig,
+ NULL);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ isc_buffer_putuint16(&databuf, querytsig.siglen);
+ if (isc_buffer_availablelength(&databuf) <
+ querytsig.siglen)
+ {
+ ret = ISC_R_NOSPACE;
+ goto cleanup_context;
+ }
+ isc_buffer_putmem(&databuf, querytsig.signature,
+ querytsig.siglen);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ }
+
+ /*
+ * Digest the header.
+ */
+ isc_buffer_init(&headerbuf, header, sizeof(header));
+ dns_message_renderheader(msg, &headerbuf);
+ isc_buffer_usedregion(&headerbuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the remainder of the message.
+ */
+ isc_buffer_usedregion(msg->buffer, &r);
+ isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ if (msg->tcp_continuation == 0) {
+ /*
+ * Digest the name, class, ttl, alg.
+ */
+ dns_name_toregion(&key->name, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ isc_buffer_clear(&databuf);
+ isc_buffer_putuint16(&databuf, dns_rdataclass_any);
+ isc_buffer_putuint32(&databuf, 0); /* ttl */
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ dns_name_toregion(&tsig.algorithm, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ }
+ /* Digest the timesigned and fudge */
+ isc_buffer_clear(&databuf);
+ if (tsig.error == dns_tsigerror_badtime)
+ tsig.timesigned = querytsig.timesigned;
+ buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint16(&databuf, tsig.fudge);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ if (msg->tcp_continuation == 0) {
+ /*
+ * Digest the error and other data length.
+ */
+ isc_buffer_clear(&databuf);
+ isc_buffer_putuint16(&databuf, tsig.error);
+ isc_buffer_putuint16(&databuf, tsig.otherlen);
+
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the error and other data.
+ */
+ if (tsig.otherlen > 0) {
+ r.length = tsig.otherlen;
+ r.base = tsig.other;
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ }
+ }
+
+ ret = dst_key_sigsize(key->key, &sigsize);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ tsig.signature = (unsigned char *) isc_mem_get(mctx, sigsize);
+ if (tsig.signature == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto cleanup_context;
+ }
+
+ isc_buffer_init(&sigbuf, tsig.signature, sigsize);
+ ret = dst_context_sign(ctx, &sigbuf);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_signature;
+ dst_context_destroy(&ctx);
+ tsig.siglen = isc_buffer_usedlength(&sigbuf);
+ } else {
+ tsig.siglen = 0;
+ tsig.signature = NULL;
+ }
+
+ rdata = NULL;
+ ret = dns_message_gettemprdata(msg, &rdata);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_signature;
+ ret = isc_buffer_allocate(msg->mctx, &dynbuf, 512);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_signature;
+ ret = dns_rdata_fromstruct(rdata, dns_rdataclass_any,
+ dns_rdatatype_tsig, &tsig, dynbuf);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_dynbuf;
+
+ dns_message_takebuffer(msg, &dynbuf);
+
+ if (tsig.signature != NULL) {
+ isc_mem_put(mctx, tsig.signature, sigsize);
+ tsig.signature = NULL;
+ }
+
+ owner = NULL;
+ ret = dns_message_gettempname(msg, &owner);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_dynbuf;
+ dns_name_init(owner, NULL);
+ ret = dns_name_dup(&key->name, msg->mctx, owner);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_owner;
+
+ datalist = NULL;
+ ret = dns_message_gettemprdatalist(msg, &datalist);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_owner;
+ datalist->rdclass = dns_rdataclass_any;
+ datalist->type = dns_rdatatype_tsig;
+ datalist->covers = 0;
+ datalist->ttl = 0;
+ ISC_LIST_INIT(datalist->rdata);
+ ISC_LIST_APPEND(datalist->rdata, rdata, link);
+ dataset = NULL;
+ ret = dns_message_gettemprdataset(msg, &dataset);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_owner;
+ dns_rdataset_init(dataset);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(datalist, dataset)
+ == ISC_R_SUCCESS);
+ msg->tsig = dataset;
+ msg->tsigname = owner;
+
+ return (ISC_R_SUCCESS);
+
+cleanup_owner:
+ if (owner != NULL)
+ dns_message_puttempname(msg, &owner);
+cleanup_dynbuf:
+ if (dynbuf != NULL)
+ isc_buffer_free(&dynbuf);
+cleanup_signature:
+ if (tsig.signature != NULL)
+ isc_mem_put(mctx, tsig.signature, sigsize);
+cleanup_context:
+ if (ctx != NULL)
+ dst_context_destroy(&ctx);
+ return (ret);
+}
+
+isc_result_t
+dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
+ dns_tsig_keyring_t *ring1, dns_tsig_keyring_t *ring2)
+{
+ dns_rdata_any_tsig_t tsig, querytsig;
+ isc_region_t r, source_r, header_r, sig_r;
+ isc_buffer_t databuf;
+ unsigned char data[32];
+ dns_name_t *keyname;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_stdtime_t now;
+ isc_result_t ret;
+ dns_tsigkey_t *tsigkey;
+ dst_key_t *key = NULL;
+ unsigned char header[DNS_MESSAGE_HEADERLEN];
+ dst_context_t *ctx = NULL;
+ isc_mem_t *mctx;
+ isc_uint16_t addcount, id;
+
+ REQUIRE(source != NULL);
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ tsigkey = dns_message_gettsigkey(msg);
+ REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
+
+ msg->verify_attempted = 1;
+
+ if (msg->tcp_continuation)
+ return (tsig_verify_tcp(source, msg));
+
+ /*
+ * There should be a TSIG record...
+ */
+ if (msg->tsig == NULL)
+ return (DNS_R_EXPECTEDTSIG);
+
+ /*
+ * If this is a response and there's no key or query TSIG, there
+ * shouldn't be one on the response.
+ */
+ if (is_response(msg) &&
+ (tsigkey == NULL || msg->querytsig == NULL))
+ return (DNS_R_UNEXPECTEDTSIG);
+
+ mctx = msg->mctx;
+
+ /*
+ * If we're here, we know the message is well formed and contains a
+ * TSIG record.
+ */
+
+ keyname = msg->tsigname;
+ ret = dns_rdataset_first(msg->tsig);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_rdataset_current(msg->tsig, &rdata);
+ ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_rdata_reset(&rdata);
+ if (is_response(msg)) {
+ ret = dns_rdataset_first(msg->querytsig);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_rdataset_current(msg->querytsig, &rdata);
+ ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ }
+
+ /*
+ * Do the key name and algorithm match that of the query?
+ */
+ if (is_response(msg) &&
+ (!dns_name_equal(keyname, &tsigkey->name) ||
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
+ {
+ msg->tsigstatus = dns_tsigerror_badkey;
+ tsig_log(msg->tsigkey, 2,
+ "key name and algorithm do not match");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+
+ /*
+ * Get the current time.
+ */
+ isc_stdtime_get(&now);
+
+ /*
+ * Find dns_tsigkey_t based on keyname.
+ */
+ if (tsigkey == NULL) {
+ ret = ISC_R_NOTFOUND;
+ if (ring1 != NULL)
+ ret = dns_tsigkey_find(&tsigkey, keyname,
+ &tsig.algorithm, ring1);
+ if (ret == ISC_R_NOTFOUND && ring2 != NULL)
+ ret = dns_tsigkey_find(&tsigkey, keyname,
+ &tsig.algorithm, ring2);
+ if (ret != ISC_R_SUCCESS) {
+ msg->tsigstatus = dns_tsigerror_badkey;
+ ret = dns_tsigkey_create(keyname, &tsig.algorithm,
+ NULL, 0, ISC_FALSE, NULL,
+ now, now,
+ mctx, NULL, &msg->tsigkey);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ tsig_log(msg->tsigkey, 2, "unknown key");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+ msg->tsigkey = tsigkey;
+ }
+
+ key = tsigkey->key;
+
+ /*
+ * Is the time ok?
+ */
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ return (DNS_R_CLOCKSKEW);
+ } else if (now + msg->timeadjust < tsig.timesigned - tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature is in the future");
+ return (DNS_R_CLOCKSKEW);
+ }
+
+ if (tsig.siglen > 0) {
+ sig_r.base = tsig.signature;
+ sig_r.length = tsig.siglen;
+
+ ret = dst_context_create(key, mctx, &ctx);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ if (is_response(msg)) {
+ isc_buffer_init(&databuf, data, sizeof(data));
+ isc_buffer_putuint16(&databuf, querytsig.siglen);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ if (querytsig.siglen > 0) {
+ r.length = querytsig.siglen;
+ r.base = querytsig.signature;
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ }
+ }
+
+ /*
+ * Extract the header.
+ */
+ isc_buffer_usedregion(source, &r);
+ memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
+ isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+ /*
+ * Decrement the additional field counter.
+ */
+ memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+ addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
+ memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+
+ /*
+ * Put in the original id.
+ */
+ id = htons(tsig.originalid);
+ memcpy(&header[0], &id, 2);
+
+ /*
+ * Digest the modified header.
+ */
+ header_r.base = (unsigned char *) header;
+ header_r.length = DNS_MESSAGE_HEADERLEN;
+ ret = dst_context_adddata(ctx, &header_r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest all non-TSIG records.
+ */
+ isc_buffer_usedregion(source, &source_r);
+ r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+ r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the key name.
+ */
+ dns_name_toregion(&tsigkey->name, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ isc_buffer_init(&databuf, data, sizeof(data));
+ isc_buffer_putuint16(&databuf, tsig.common.rdclass);
+ isc_buffer_putuint32(&databuf, msg->tsig->ttl);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the key algorithm.
+ */
+ dns_name_toregion(tsigkey->algorithm, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ isc_buffer_clear(&databuf);
+ buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint16(&databuf, tsig.fudge);
+ isc_buffer_putuint16(&databuf, tsig.error);
+ isc_buffer_putuint16(&databuf, tsig.otherlen);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ if (tsig.otherlen > 0) {
+ r.base = tsig.other;
+ r.length = tsig.otherlen;
+ ret = dst_context_adddata(ctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ }
+
+ ret = dst_context_verify(ctx, &sig_r);
+ if (ret == DST_R_VERIFYFAILURE) {
+ msg->tsigstatus = dns_tsigerror_badsig;
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ tsig_log(msg->tsigkey, 2,
+ "signature failed to verify");
+ goto cleanup_context;
+ } else if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ dst_context_destroy(&ctx);
+ } else if (tsig.error != dns_tsigerror_badsig &&
+ tsig.error != dns_tsigerror_badkey)
+ {
+ msg->tsigstatus = dns_tsigerror_badsig;
+ tsig_log(msg->tsigkey, 2, "signature was empty");
+ return (DNS_R_TSIGVERIFYFAILURE);
+ }
+
+ msg->tsigstatus = dns_rcode_noerror;
+
+ if (tsig.error != dns_rcode_noerror) {
+ if (tsig.error == dns_tsigerror_badtime)
+ return (DNS_R_CLOCKSKEW);
+ else
+ return (DNS_R_TSIGERRORSET);
+ }
+
+ msg->verified_sig = 1;
+
+ return (ISC_R_SUCCESS);
+
+cleanup_context:
+ if (ctx != NULL)
+ dst_context_destroy(&ctx);
+
+ return (ret);
+}
+
+static isc_result_t
+tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
+ dns_rdata_any_tsig_t tsig, querytsig;
+ isc_region_t r, source_r, header_r, sig_r;
+ isc_buffer_t databuf;
+ unsigned char data[32];
+ dns_name_t *keyname;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_stdtime_t now;
+ isc_result_t ret;
+ dns_tsigkey_t *tsigkey;
+ dst_key_t *key = NULL;
+ unsigned char header[DNS_MESSAGE_HEADERLEN];
+ isc_uint16_t addcount, id;
+ isc_boolean_t has_tsig = ISC_FALSE;
+ isc_mem_t *mctx;
+
+ REQUIRE(source != NULL);
+ REQUIRE(msg != NULL);
+ REQUIRE(dns_message_gettsigkey(msg) != NULL);
+ REQUIRE(msg->tcp_continuation == 1);
+ REQUIRE(msg->querytsig != NULL);
+
+ if (!is_response(msg))
+ return (DNS_R_EXPECTEDRESPONSE);
+
+ mctx = msg->mctx;
+
+ tsigkey = dns_message_gettsigkey(msg);
+
+ /*
+ * Extract and parse the previous TSIG
+ */
+ ret = dns_rdataset_first(msg->querytsig);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_rdataset_current(msg->querytsig, &rdata);
+ ret = dns_rdata_tostruct(&rdata, &querytsig, NULL);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+ dns_rdata_reset(&rdata);
+
+ /*
+ * If there is a TSIG in this message, do some checks.
+ */
+ if (msg->tsig != NULL) {
+ has_tsig = ISC_TRUE;
+
+ keyname = msg->tsigname;
+ ret = dns_rdataset_first(msg->tsig);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_querystruct;
+ dns_rdataset_current(msg->tsig, &rdata);
+ ret = dns_rdata_tostruct(&rdata, &tsig, NULL);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_querystruct;
+
+ /*
+ * Do the key name and algorithm match that of the query?
+ */
+ if (!dns_name_equal(keyname, &tsigkey->name) ||
+ !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
+ {
+ msg->tsigstatus = dns_tsigerror_badkey;
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ tsig_log(msg->tsigkey, 2,
+ "key name and algorithm do not match");
+ goto cleanup_querystruct;
+ }
+
+ /*
+ * Is the time ok?
+ */
+ isc_stdtime_get(&now);
+
+ if (now + msg->timeadjust > tsig.timesigned + tsig.fudge) {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2, "signature has expired");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_querystruct;
+ } else if (now + msg->timeadjust <
+ tsig.timesigned - tsig.fudge)
+ {
+ msg->tsigstatus = dns_tsigerror_badtime;
+ tsig_log(msg->tsigkey, 2,
+ "signature is in the future");
+ ret = DNS_R_CLOCKSKEW;
+ goto cleanup_querystruct;
+ }
+ }
+
+ key = tsigkey->key;
+
+ if (msg->tsigctx == NULL) {
+ ret = dst_context_create(key, mctx, &msg->tsigctx);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_querystruct;
+
+ /*
+ * Digest the length of the query signature
+ */
+ isc_buffer_init(&databuf, data, sizeof(data));
+ isc_buffer_putuint16(&databuf, querytsig.siglen);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(msg->tsigctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the data of the query signature
+ */
+ if (querytsig.siglen > 0) {
+ r.length = querytsig.siglen;
+ r.base = querytsig.signature;
+ ret = dst_context_adddata(msg->tsigctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+ }
+ }
+
+ /*
+ * Extract the header.
+ */
+ isc_buffer_usedregion(source, &r);
+ memcpy(header, r.base, DNS_MESSAGE_HEADERLEN);
+ isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
+
+ /*
+ * Decrement the additional field counter if necessary.
+ */
+ if (has_tsig) {
+ memcpy(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
+ addcount = htons((isc_uint16_t)(ntohs(addcount) - 1));
+ memcpy(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
+ }
+
+ /*
+ * Put in the original id.
+ */
+ /* XXX Can TCP transfers be forwarded? How would that work? */
+ if (has_tsig) {
+ id = htons(tsig.originalid);
+ memcpy(&header[0], &id, 2);
+ }
+
+ /*
+ * Digest the modified header.
+ */
+ header_r.base = (unsigned char *) header;
+ header_r.length = DNS_MESSAGE_HEADERLEN;
+ ret = dst_context_adddata(msg->tsigctx, &header_r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest all non-TSIG records.
+ */
+ isc_buffer_usedregion(source, &source_r);
+ r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
+ if (has_tsig)
+ r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
+ else
+ r.length = source_r.length - DNS_MESSAGE_HEADERLEN;
+ ret = dst_context_adddata(msg->tsigctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ /*
+ * Digest the time signed and fudge.
+ */
+ if (has_tsig) {
+ isc_buffer_init(&databuf, data, sizeof(data));
+ buffer_putuint48(&databuf, tsig.timesigned);
+ isc_buffer_putuint16(&databuf, tsig.fudge);
+ isc_buffer_usedregion(&databuf, &r);
+ ret = dst_context_adddata(msg->tsigctx, &r);
+ if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ sig_r.base = tsig.signature;
+ sig_r.length = tsig.siglen;
+ if (tsig.siglen == 0) {
+ if (tsig.error != dns_rcode_noerror) {
+ if (tsig.error == dns_tsigerror_badtime)
+ ret = DNS_R_CLOCKSKEW;
+ else
+ ret = DNS_R_TSIGERRORSET;
+ } else {
+ tsig_log(msg->tsigkey, 2,
+ "signature is empty");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ }
+ goto cleanup_context;
+ }
+
+ ret = dst_context_verify(msg->tsigctx, &sig_r);
+ if (ret == DST_R_VERIFYFAILURE) {
+ msg->tsigstatus = dns_tsigerror_badsig;
+ tsig_log(msg->tsigkey, 2,
+ "signature failed to verify");
+ ret = DNS_R_TSIGVERIFYFAILURE;
+ goto cleanup_context;
+ }
+ else if (ret != ISC_R_SUCCESS)
+ goto cleanup_context;
+
+ dst_context_destroy(&msg->tsigctx);
+ }
+
+ msg->tsigstatus = dns_rcode_noerror;
+ return (ISC_R_SUCCESS);
+
+ cleanup_context:
+ dst_context_destroy(&msg->tsigctx);
+
+ cleanup_querystruct:
+ dns_rdata_freestruct(&querytsig);
+
+ return (ret);
+
+}
+
+isc_result_t
+dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
+ dns_name_t *algorithm, dns_tsig_keyring_t *ring)
+{
+ dns_tsigkey_t *key;
+ isc_stdtime_t now;
+ isc_result_t result;
+
+ REQUIRE(tsigkey != NULL);
+ REQUIRE(*tsigkey == NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(ring != NULL);
+
+ isc_stdtime_get(&now);
+ RWLOCK(&ring->lock, isc_rwlocktype_read);
+ key = NULL;
+ result = dns_rbt_findname(ring->keys, name, 0, NULL, (void *)&key);
+ if (result == DNS_R_PARTIALMATCH || result == ISC_R_NOTFOUND) {
+ RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ return (ISC_R_NOTFOUND);
+ }
+ if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
+ RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ return (ISC_R_NOTFOUND);
+ }
+ if (key->inception != key->expire && key->expire < now) {
+ /*
+ * The key has expired.
+ */
+ RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ RWLOCK(&ring->lock, isc_rwlocktype_write);
+ (void) dns_rbt_deletename(ring->keys, name, ISC_FALSE);
+ RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+ return (ISC_R_NOTFOUND);
+ }
+
+ isc_refcount_increment(&key->refs, NULL);
+ RWUNLOCK(&ring->lock, isc_rwlocktype_read);
+ *tsigkey = key;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+free_tsignode(void *node, void *_unused) {
+ dns_tsigkey_t *key;
+
+ UNUSED(_unused);
+
+ REQUIRE(node != NULL);
+
+ key = node;
+ dns_tsigkey_detach(&key);
+}
+
+isc_result_t
+dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
+ isc_result_t result;
+ dns_tsig_keyring_t *ring;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(ringp != NULL);
+ REQUIRE(*ringp == NULL);
+
+ ring = isc_mem_get(mctx, sizeof(dns_tsig_keyring_t));
+ if (ring == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_rwlock_init(&ring->lock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ ring->keys = NULL;
+ result = dns_rbt_create(mctx, free_tsignode, NULL, &ring->keys);
+ if (result != ISC_R_SUCCESS) {
+ isc_rwlock_destroy(&ring->lock);
+ isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));
+ return (result);
+ }
+
+ ring->mctx = mctx;
+
+ *ringp = ring;
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_tsigkeyring_destroy(dns_tsig_keyring_t **ringp) {
+ dns_tsig_keyring_t *ring;
+
+ REQUIRE(ringp != NULL);
+ REQUIRE(*ringp != NULL);
+
+ ring = *ringp;
+ *ringp = NULL;
+
+ dns_rbt_destroy(&ring->keys);
+ isc_rwlock_destroy(&ring->lock);
+ isc_mem_put(ring->mctx, ring, sizeof(dns_tsig_keyring_t));
+}
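Review bot: Two error paths in this new file return without releasing memory they allocated. In `dns_tsigkey_createfromkey`, a failing `dns_rbt_addname()` jumps to `cleanup_algorithm`, which frees the algorithm name, the key name and `tkey` but not the `tkey->creator` name duplicated just above; that branch needs its own `cleanup_creator` label, because `cleanup_algorithm` is also reached while `tkey->creator` is still unassigned or already released. In `dns_tsigkeyring_create`, the `isc_rwlock_init()` failure branch returns `ISC_R_UNEXPECTED` without `isc_mem_put(mctx, ring, sizeof(dns_tsig_keyring_t));`. Whether a non-NULL creator combined with a duplicate key name can be driven by a remote peer is not visible here, but if it can, the first leak grows with every such request. As this is imported code under contrib/, the change presumably belongs upstream as well.

```c
	/* in dns_tsigkey_createfromkey(): only the ring-insert failure owns a live creator */
		ret = dns_rbt_addname(ring->keys, name, tkey);
		if (ret != ISC_R_SUCCESS) {
			RWUNLOCK(&ring->lock, isc_rwlocktype_write);
			goto cleanup_creator;
		}
	/* ... unchanged: refcount setup, field assignments, success return ... */

 cleanup_creator:
	if (tkey->creator != NULL) {
		dns_name_free(tkey->creator, mctx);
		isc_mem_put(mctx, tkey->creator, sizeof(dns_name_t));
	}
 cleanup_algorithm:
	/* ... unchanged: algorithm, name and tkey release ... */
```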
diff --git a/contrib/bind9/lib/dns/ttl.c b/contrib/bind9/lib/dns/ttl.c
new file mode 100644
index 0000000..1dad0fb
--- /dev/null
+++ b/contrib/bind9/lib/dns/ttl.c
@@ -0,0 +1,214 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ttl.c,v 1.21.12.5 2004/03/08 09:04:32 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/result.h>
+#include <dns/ttl.h>
+
+#define RETERR(x) do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+
+static isc_result_t bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl);
+
+/*
+ * Helper for dns_ttl_totext().
+ */
+static isc_result_t
+ttlfmt(unsigned int t, const char *s, isc_boolean_t verbose,
+ isc_boolean_t space, isc_buffer_t *target)
+{
+ char tmp[60];
+ size_t len;
+ isc_region_t region;
+
+ if (verbose)
+ len = snprintf(tmp, sizeof(tmp), "%s%u %s%s",
+ space ? " " : "",
+ t, s,
+ t == 1 ? "" : "s");
+ else
+ len = snprintf(tmp, sizeof(tmp), "%u%c", t, s[0]);
+
+ INSIST(len + 1 <= sizeof(tmp));
+ isc_buffer_availableregion(target, &region);
+ if (len > region.length)
+ return (ISC_R_NOSPACE);
+ memcpy(region.base, tmp, len);
+ isc_buffer_add(target, len);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Derived from bind8 ns_format_ttl().
+ */
+isc_result_t
+dns_ttl_totext(isc_uint32_t src, isc_boolean_t verbose, isc_buffer_t *target) {
+ unsigned secs, mins, hours, days, weeks, x;
+
+ secs = src % 60; src /= 60;
+ mins = src % 60; src /= 60;
+ hours = src % 24; src /= 24;
+ days = src % 7; src /= 7;
+ weeks = src; src = 0;
+
+ x = 0;
+ if (weeks != 0) {
+ RETERR(ttlfmt(weeks, "week", verbose, ISC_TF(x > 0), target));
+ x++;
+ }
+ if (days != 0) {
+ RETERR(ttlfmt(days, "day", verbose, ISC_TF(x > 0), target));
+ x++;
+ }
+ if (hours != 0) {
+ RETERR(ttlfmt(hours, "hour", verbose, ISC_TF(x > 0), target));
+ x++;
+ }
+ if (mins != 0) {
+ RETERR(ttlfmt(mins, "minute", verbose, ISC_TF(x > 0), target));
+ x++;
+ }
+ if (secs != 0 ||
+ (weeks == 0 && days == 0 && hours == 0 && mins == 0)) {
+ RETERR(ttlfmt(secs, "second", verbose, ISC_TF(x > 0), target));
+ x++;
+ }
+ INSIST (x > 0);
+ /*
+ * If only a single unit letter is printed, print it
+ * in upper case. (Why? Because BIND 8 does that.
+ * Presumably it has a reason.)
+ */
+ if (x == 1 && !verbose) {
+ isc_region_t region;
+ /*
+ * The unit letter is the last character in the
+ * used region of the buffer.
+ *
+ * toupper() does not need its argument to be masked of cast
+ * here because region.base is type unsigned char *.
+ */
+ isc_buffer_usedregion(target, &region);
+ region.base[region.length - 1] =
+ toupper(region.base[region.length - 1]);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_counter_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
+ return (bind_ttl(source, ttl));
+}
+
+isc_result_t
+dns_ttl_fromtext(isc_textregion_t *source, isc_uint32_t *ttl) {
+ isc_result_t result;
+
+ result = bind_ttl(source, ttl);
+ if (result != ISC_R_SUCCESS)
+ result = DNS_R_BADTTL;
+ return (result);
+}
+
+static isc_result_t
+bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
+ isc_uint32_t tmp = 0;
+ isc_uint32_t n;
+ char *s;
+ char buf[64];
+ char nbuf[64]; /* Number buffer */
+
+ /*
+ * Copy the buffer as it may not be NULL terminated.
+ * No legal counter / ttl is longer that 63 characters.
+ */
+ if (source->length > sizeof(buf) - 1)
+ return (DNS_R_SYNTAX);
+ strncpy(buf, source->base, source->length);
+ buf[source->length] = '\0';
+ s = buf;
+
+ do {
+ isc_result_t result;
+
+ char *np = nbuf;
+ while (*s != '\0' && isdigit((unsigned char)*s))
+ *np++ = *s++;
+ *np++ = '\0';
+ INSIST(np - nbuf <= (int)sizeof(nbuf));
+ result = isc_parse_uint32(&n, nbuf, 10);
+ if (result != ISC_R_SUCCESS)
+ return (DNS_R_SYNTAX);
+ switch (*s) {
+ case 'w':
+ case 'W':
+ tmp += n * 7 * 24 * 3600;
+ s++;
+ break;
+ case 'd':
+ case 'D':
+ tmp += n * 24 * 3600;
+ s++;
+ break;
+ case 'h':
+ case 'H':
+ tmp += n * 3600;
+ s++;
+ break;
+ case 'm':
+ case 'M':
+ tmp += n * 60;
+ s++;
+ break;
+ case 's':
+ case 'S':
+ tmp += n;
+ s++;
+ break;
+ case '\0':
+ /* Plain number? */
+ if (tmp != 0)
+ return (DNS_R_SYNTAX);
+ tmp = n;
+ break;
+ default:
+ return (DNS_R_SYNTAX);
+ }
+ } while (*s != '\0');
+ *ttl = tmp;
+ return (ISC_R_SUCCESS);
+}
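Review bot: The unit cases in bind_ttl() (`tmp += n * 7 * 24 * 3600;` and its 'd', 'h', 'm' and 's' siblings) multiply and accumulate in isc_uint32_t with no range check. A large count such as a constructed `9999999w` therefore wraps modulo 2^32 and is returned with ISC_R_SUCCESS as a much smaller value. Only the digit string itself goes through isc_parse_uint32(); the scaled product and the running sum are never checked. Both dns_ttl_fromtext() and dns_counter_fromtext() hand this result straight to their callers, so text that presumably comes from zone or configuration input can silently become a different TTL or counter than the one written. I would route the accumulate step through a small checked helper that fails with DNS_R_SYNTAX, as sketched below; since the file is imported under contrib/, the change is probably best raised upstream too.

```c
/* Add n * mult to *total; fail instead of wrapping past 2^32 - 1. */
static isc_result_t
ttl_add(isc_uint32_t *total, isc_uint32_t n, isc_uint32_t mult) {
	if (n > 0xffffffffU / mult || *total > 0xffffffffU - n * mult)
		return (DNS_R_SYNTAX);
	*total += n * mult;
	return (ISC_R_SUCCESS);
}

/* … unchanged: bind_ttl() copy into buf, digit scan, isc_parse_uint32() … */
		case 'w':
		case 'W':
			RETERR(ttl_add(&tmp, n, 7 * 24 * 3600));
			s++;
			break;
		/* … same substitution in the 'd', 'h', 'm' and 's' cases … */
```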
diff --git a/contrib/bind9/lib/dns/validator.c b/contrib/bind9/lib/dns/validator.c
new file mode 100644
index 0000000..c55c893
--- /dev/null
+++ b/contrib/bind9/lib/dns/validator.c
@@ -0,0 +1,2823 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: validator.c,v 1.91.2.5.8.12 2004/06/11 01:17:36 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/ds.h>
+#include <dns/dnssec.h>
+#include <dns/events.h>
+#include <dns/keytable.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/ncache.h>
+#include <dns/nsec.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdataset.h>
+#include <dns/rdatatype.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/validator.h>
+#include <dns/view.h>
+
+#define VALIDATOR_MAGIC ISC_MAGIC('V', 'a', 'l', '?')
+#define VALID_VALIDATOR(v) ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
+
+#define VALATTR_SHUTDOWN 0x0001
+#define VALATTR_FOUNDNONEXISTENCE 0x0002
+#define VALATTR_TRIEDVERIFY 0x0004
+#define VALATTR_NEGATIVE 0x0008
+#define VALATTR_INSECURITY 0x0010
+#define VALATTR_DLV 0x0020
+#define VALATTR_DLVTRIED 0x0040
+#define VALATTR_DLVSEPTRIED 0x0080
+
+#define VALATTR_NEEDNOQNAME 0x0100
+#define VALATTR_NEEDNOWILDCARD 0x0200
+#define VALATTR_NEEDNODATA 0x0400
+
+#define VALATTR_FOUNDNOQNAME 0x1000
+#define VALATTR_FOUNDNOWILDCARD 0x2000
+#define VALATTR_FOUNDNODATA 0x4000
+
+
+#define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
+#define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
+#define NEEDNOWILDCARD(val) ((val->attributes & VALATTR_NEEDNOWILDCARD) != 0)
+#define DLV(val) ((val->attributes & VALATTR_DLV) != 0)
+#define DLVTRIED(val) ((val->attributes & VALATTR_DLVTRIED) != 0)
+#define DLVSEPTRIED(val) ((val->attributes & VALATTR_DLVSEPTRIED) != 0)
+
+#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
+
+static void
+destroy(dns_validator_t *val);
+
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
+ dns_rdataset_t *rdataset);
+
+static isc_result_t
+validate(dns_validator_t *val, isc_boolean_t resume);
+
+static isc_result_t
+validatezonekey(dns_validator_t *val);
+
+static isc_result_t
+nsecvalidate(dns_validator_t *val, isc_boolean_t resume);
+
+static isc_result_t
+proveunsecure(dns_validator_t *val, isc_boolean_t resume);
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+ ISC_FORMAT_PRINTF(5, 0);
+
+static void
+validator_log(dns_validator_t *val, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+static void
+validator_logcreate(dns_validator_t *val,
+ dns_name_t *name, dns_rdatatype_t type,
+ const char *caller, const char *operation);
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val);
+
+static isc_result_t
+finddlvsep(dns_validator_t *val, isc_boolean_t resume);
+
+static void
+validator_done(dns_validator_t *val, isc_result_t result) {
+ isc_task_t *task;
+
+ if (val->event == NULL)
+ return;
+
+ /*
+ * Caller must be holding the lock.
+ */
+
+ val->event->result = result;
+ task = val->event->ev_sender;
+ val->event->ev_sender = val;
+ val->event->ev_type = DNS_EVENT_VALIDATORDONE;
+ val->event->ev_action = val->action;
+ val->event->ev_arg = val->arg;
+ isc_task_sendanddetach(&task, (isc_event_t **)&val->event);
+}
+
+static inline isc_boolean_t
+exit_check(dns_validator_t *val) {
+ /*
+ * Caller must be holding the lock.
+ */
+ if (!SHUTDOWN(val))
+ return (ISC_FALSE);
+
+ INSIST(val->event == NULL);
+
+ if (val->fetch != NULL || val->subvalidator != NULL)
+ return (ISC_FALSE);
+
+ return (ISC_TRUE);
+}
+
+static void
+auth_nonpending(dns_message_t *message) {
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdataset_t *rdataset;
+
+ for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+ {
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (rdataset->trust == dns_trust_pending)
+ rdataset->trust = dns_trust_authauthority;
+ }
+ }
+}
+
+static isc_boolean_t
+isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
+ isc_result_t dbresult)
+{
+ dns_rdataset_t set;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_boolean_t found;
+ isc_result_t result;
+
+ REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
+
+ dns_rdataset_init(&set);
+ if (dbresult == DNS_R_NXRRSET)
+ dns_rdataset_clone(rdataset, &set);
+ else {
+ result = dns_ncache_getrdataset(rdataset, name,
+ dns_rdatatype_nsec, &set);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+ }
+
+ INSIST(set.type == dns_rdatatype_nsec);
+
+ found = ISC_FALSE;
+ result = dns_rdataset_first(&set);
+ if (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(&set, &rdata);
+ found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+ }
+ dns_rdataset_disassociate(&set);
+ return (found);
+}
+
+static void
+fetch_callback_validator(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ rdataset = &val->frdataset;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in fetch_callback_validator");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "keyset with trust %d", rdataset->trust);
+ /*
+ * Only extract the dst key if the keyset is secure.
+ */
+ if (rdataset->trust >= dns_trust_secure) {
+ result = get_dst_key(val, val->siginfo, rdataset);
+ if (result == ISC_R_SUCCESS)
+ val->keyset = &val->frdataset;
+ }
+ result = validate(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "fetch_callback_validator: got %s",
+ isc_result_totext(eresult));
+ if (eresult == ISC_R_CANCELED)
+ validator_done(val, eresult);
+ else
+ validator_done(val, DNS_R_NOVALIDKEY);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static void
+dsfetched(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ rdataset = &val->frdataset;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dsset with trust %d", rdataset->trust);
+ val->dsset = &val->frdataset;
+ result = validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+ (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NCACHENXRRSET) &&
+ !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS record: looking for DLV");
+
+ result = dlv_validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NCACHENXRRSET)
+ {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dsfetched: got %s",
+ isc_result_totext(eresult));
+ if (eresult == ISC_R_CANCELED)
+ validator_done(val, eresult);
+ else
+ validator_done(val, DNS_R_NOVALIDDS);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+/*
+ * XXX there's too much duplicated code here.
+ */
+static void
+dsfetched2(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset;
+ dns_name_t *tname;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ rdataset = &val->frdataset;
+ eresult = devent->result;
+
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dsfetched2");
+ LOCK(&val->lock);
+ if (eresult == DNS_R_NXRRSET || eresult == DNS_R_NCACHENXRRSET) {
+ /*
+ * There is no DS. If this is a delegation, we're done.
+ */
+ tname = dns_fixedname_name(&devent->foundname);
+ if (isdelegation(tname, &val->frdataset, eresult)) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ validator_done(val, DNS_R_MUSTBESECURE);
+ } else {
+ val->event->rdataset->trust = dns_trust_answer;
+ validator_done(val, ISC_R_SUCCESS);
+ }
+ } else {
+ result = proveunsecure(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ }
+ } else if (eresult == ISC_R_SUCCESS ||
+ eresult == DNS_R_NXDOMAIN ||
+ eresult == DNS_R_NCACHENXDOMAIN)
+ {
+ /*
+ * Either there is a DS or this is not a zone cut. Continue.
+ */
+ result = proveunsecure(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ if (eresult == ISC_R_CANCELED)
+ validator_done(val, eresult);
+ else
+ validator_done(val, DNS_R_NOVALIDDS);
+ }
+ isc_event_free(&event);
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static void
+keyvalidated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in keyvalidated");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "keyset with trust %d", val->frdataset.trust);
+ /*
+ * Only extract the dst key if the keyset is secure.
+ */
+ if (val->frdataset.trust >= dns_trust_secure)
+ (void) get_dst_key(val, val->siginfo, &val->frdataset);
+ result = validate(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "keyvalidated: got %s",
+ isc_result_totext(eresult));
+ validator_done(val, eresult);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static void
+dsvalidated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dsset with trust %d", val->frdataset.trust);
+ if ((val->attributes & VALATTR_INSECURITY) != 0)
+ result = proveunsecure(val, ISC_TRUE);
+ else
+ result = validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dsvalidated: got %s",
+ isc_result_totext(eresult));
+ validator_done(val, eresult);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+/*
+ * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
+ * or we can determine whether there is data or not at the name.
+ * If the name does not exist return the wildcard name.
+ */
+static isc_result_t
+nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
+ dns_rdataset_t *nsecset, isc_boolean_t *exists,
+ isc_boolean_t *data, dns_name_t *wild)
+{
+ int order;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ dns_namereln_t relation;
+ unsigned int olabels, nlabels, labels;
+ dns_rdata_nsec_t nsec;
+ isc_boolean_t atparent;
+
+ REQUIRE(exists != NULL);
+ REQUIRE(data != NULL);
+
+ result = dns_rdataset_first(nsecset);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "failure processing NSEC set");
+ return (result);
+ }
+ dns_rdataset_current(nsecset, &rdata);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant nsec");
+ relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
+
+ if (order < 0) {
+ /*
+ * The name is not within the NSEC range.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "NSEC does not cover name, before NSEC");
+ return (ISC_R_IGNORE);
+ }
+
+ if (order == 0) {
+ /*
+ * The names are the same.
+ */
+ atparent = dns_rdatatype_atparent(val->event->type);
+ if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+ !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+ {
+ if (!atparent) {
+ /*
+ * This NSEC record is from somewhere higher in
+ * the DNS, and at the parent of a delegation.
+ * It can not be legitimately used here.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "ignoring parent nsec");
+ return (ISC_R_IGNORE);
+ }
+ } else if (atparent) {
+ /*
+ * This NSEC record is from the child.
+ * It can not be legitimately used here.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "ignoring child nsec");
+ return (ISC_R_IGNORE);
+ }
+ *exists = ISC_TRUE;
+ *data = dns_nsec_typepresent(&rdata, val->event->type);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "nsec proves name exists (owner) data=%d",
+ *data);
+ return (ISC_R_SUCCESS);
+ }
+
+ if (relation == dns_namereln_subdomain &&
+ dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+ !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
+ {
+ /*
+ * This NSEC record is from somewhere higher in
+ * the DNS, and at the parent of a delegation.
+ * It can not be legitimately used here.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3), "ignoring parent nsec");
+ return (ISC_R_IGNORE);
+ }
+
+ result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
+ if (order == 0) {
+ dns_rdata_freestruct(&nsec);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "ignoring nsec matches next name");
+ return (ISC_R_IGNORE);
+ }
+
+ if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
+ /*
+ * The name is not within the NSEC range.
+ */
+ dns_rdata_freestruct(&nsec);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "ignoring nsec because name is past end of range");
+ return (ISC_R_IGNORE);
+ }
+
+ if (order > 0 && relation == dns_namereln_subdomain) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "nsec proves name exist (empty)");
+ dns_rdata_freestruct(&nsec);
+ *exists = ISC_TRUE;
+ *data = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ }
+ if (wild != NULL) {
+ dns_name_t common;
+ dns_name_init(&common, NULL);
+ if (olabels > nlabels) {
+ labels = dns_name_countlabels(nsecname);
+ dns_name_getlabelsequence(nsecname, labels - olabels,
+ olabels, &common);
+ } else {
+ labels = dns_name_countlabels(&nsec.next);
+ dns_name_getlabelsequence(&nsec.next, labels - nlabels,
+ nlabels, &common);
+ }
+ result = dns_name_concatenate(dns_wildcardname, &common,
+ wild, NULL);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "failure generating wilcard name");
+ return (result);
+ }
+ }
+ dns_rdata_freestruct(&nsec);
+ validator_log(val, ISC_LOG_DEBUG(3), "nsec range ok");
+ *exists = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+authvalidated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset, *sigrdataset;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_boolean_t exists, data;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ rdataset = devent->rdataset;
+ sigrdataset = devent->sigrdataset;
+ val = devent->ev_arg;
+ result = devent->result;
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in authvalidated");
+ LOCK(&val->lock);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "authvalidated: got %s",
+ isc_result_totext(result));
+ if (result == ISC_R_CANCELED)
+ validator_done(val, result);
+ else {
+ result = nsecvalidate(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ }
+ } else {
+ dns_name_t **proofs = val->event->proofs;
+
+ if (rdataset->trust == dns_trust_secure)
+ val->seensig = ISC_TRUE;
+
+ if (val->nsecset != NULL &&
+ rdataset->trust == dns_trust_secure &&
+ ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+ (val->attributes & VALATTR_NEEDNOQNAME) != 0) &&
+ (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
+ (val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
+ nsecnoexistnodata(val, val->event->name, devent->name,
+ rdataset, &exists, &data,
+ dns_fixedname_name(&val->wild))
+ == ISC_R_SUCCESS)
+ {
+ if (exists && !data) {
+ val->attributes |= VALATTR_FOUNDNODATA;
+ if (NEEDNODATA(val))
+ proofs[DNS_VALIDATOR_NODATAPROOF] =
+ devent->name;
+ }
+ if (!exists) {
+ val->attributes |= VALATTR_FOUNDNOQNAME;
+ if (NEEDNOQNAME(val))
+ proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
+ devent->name;
+ }
+ }
+ result = nsecvalidate(val, ISC_TRUE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+
+ /*
+ * Free stuff from the event.
+ */
+ isc_event_free(&event);
+}
+
+static void
+negauthvalidated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+ isc_event_free(&event);
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in negauthvalidated");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ val->attributes |= VALATTR_FOUNDNONEXISTENCE;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "nonexistence proof found");
+ auth_nonpending(val->event->message);
+ validator_done(val, ISC_R_SUCCESS);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "negauthvalidated: got %s",
+ isc_result_totext(eresult));
+ validator_done(val, eresult);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static inline isc_result_t
+view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+ dns_fixedname_t fixedname;
+ dns_name_t *foundname;
+ dns_rdata_nsec_t nsec;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ unsigned int options;
+ char buf1[DNS_NAME_FORMATSIZE];
+ char buf2[DNS_NAME_FORMATSIZE];
+ char buf3[DNS_NAME_FORMATSIZE];
+
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+
+ if (val->view->zonetable == NULL)
+ return (ISC_R_CANCELED);
+
+ options = DNS_DBFIND_PENDINGOK;
+ if (type == dns_rdatatype_dlv)
+ options |= DNS_DBFIND_COVERINGNSEC;
+ dns_fixedname_init(&fixedname);
+ foundname = dns_fixedname_name(&fixedname);
+ result = dns_view_find(val->view, name, type, 0, options,
+ ISC_FALSE, NULL, NULL, foundname,
+ &val->frdataset, &val->fsigrdataset);
+ if (result == DNS_R_NXDOMAIN) {
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ } else if (result == DNS_R_COVERINGNSEC) {
+ validator_log(val, ISC_LOG_DEBUG(3), "DNS_R_COVERINGNSEC");
+ /*
+ * Check if the returned NSEC covers the name.
+ */
+ INSIST(type == dns_rdatatype_dlv);
+ if (val->frdataset.trust != dns_trust_secure) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "covering nsec: trust %u",
+ val->frdataset.trust);
+ goto notfound;
+ }
+ result = dns_rdataset_first(&val->frdataset);
+ if (result != ISC_R_SUCCESS)
+ goto notfound;
+ dns_rdataset_current(&val->frdataset, &rdata);
+ if (dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
+ !dns_nsec_typepresent(&rdata, dns_rdatatype_soa)) {
+ /* Parent NSEC record. */
+ if (dns_name_issubdomain(name, foundname)) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "covering nsec: for parent");
+ goto notfound;
+ }
+ }
+ result = dns_rdata_tostruct(&rdata, &nsec, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto notfound;
+ if (dns_name_compare(foundname, &nsec.next) >= 0) {
+ /* End of zone chain. */
+ if (!dns_name_issubdomain(name, &nsec.next)) {
+ /*
+ * XXXMPA We could look for a parent NSEC
+ * at nsec.next and if found retest with
+ * this NSEC.
+ */
+ dns_rdata_freestruct(&nsec);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "covering nsec: not in zone");
+ goto notfound;
+ }
+ } else if (dns_name_compare(name, &nsec.next) >= 0) {
+ /*
+ * XXXMPA We could check if this NSEC is at a zone
+ * apex and if the qname is not below it and look for
+ * a parent NSEC with the same name. This requires
+ * that we can cache both NSEC records which we
+ * currently don't support.
+ */
+ dns_rdata_freestruct(&nsec);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "covering nsec: not in range");
+ goto notfound;
+ }
+ if (isc_log_wouldlog(dns_lctx,ISC_LOG_DEBUG(3))) {
+ dns_name_format(name, buf1, sizeof buf1);
+ dns_name_format(foundname, buf2, sizeof buf2);
+ dns_name_format(&nsec.next, buf3, sizeof buf3);
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "covering nsec found: '%s' '%s' '%s'",
+ buf1, buf2, buf3);
+ }
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ dns_rdata_freestruct(&nsec);
+ result = DNS_R_NCACHENXDOMAIN;
+ } else if (result != ISC_R_SUCCESS &&
+ result != DNS_R_GLUE &&
+ result != DNS_R_HINT &&
+ result != DNS_R_NCACHENXDOMAIN &&
+ result != DNS_R_NCACHENXRRSET &&
+ result != DNS_R_NXRRSET &&
+ result != DNS_R_HINTNXRRSET &&
+ result != ISC_R_NOTFOUND) {
+ goto notfound;
+ }
+ return (result);
+
+ notfound:
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ return (ISC_R_NOTFOUND);
+}
+
+static inline isc_boolean_t
+check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+ dns_validator_t *parent;
+
+ for (parent = val->parent; parent != NULL; parent = parent->parent) {
+ if (parent->event != NULL &&
+ parent->event->type == type &&
+ dns_name_equal(parent->event->name, name))
+ {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "continuing validation would lead to "
+ "deadlock: aborting validation");
+ return (ISC_TRUE);
+ }
+ }
+ return (ISC_FALSE);
+}
+
+static inline isc_result_t
+create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+ isc_taskaction_t callback, const char *caller)
+{
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+
+ if (check_deadlock(val, name, type))
+ return (DNS_R_NOVALIDSIG);
+
+ validator_logcreate(val, name, type, caller, "fetch");
+ return (dns_resolver_createfetch(val->view->resolver, name, type,
+ NULL, NULL, NULL, 0,
+ val->event->ev_sender,
+ callback, val,
+ &val->frdataset,
+ &val->fsigrdataset,
+ &val->fetch));
+}
+
+static inline isc_result_t
+create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ isc_taskaction_t action, const char *caller)
+{
+ isc_result_t result;
+
+ if (check_deadlock(val, name, type))
+ return (DNS_R_NOVALIDSIG);
+
+ validator_logcreate(val, name, type, caller, "validator");
+ result = dns_validator_create(val->view, name, type,
+ rdataset, sigrdataset, NULL, 0,
+ val->task, action, val,
+ &val->subvalidator);
+ if (result == ISC_R_SUCCESS)
+ val->subvalidator->parent = val;
+ return (result);
+}
+
+/*
+ * Try to find a key that could have signed 'siginfo' among those
+ * in 'rdataset'. If found, build a dst_key_t for it and point
+ * val->key at it.
+ *
+ * If val->key is non-NULL, this returns the next matching key.
+ */
+static isc_result_t
+get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
+ dns_rdataset_t *rdataset)
+{
+ isc_result_t result;
+ isc_buffer_t b;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dst_key_t *oldkey = val->key;
+ isc_boolean_t foundold;
+
+ if (oldkey == NULL)
+ foundold = ISC_TRUE;
+ else {
+ foundold = ISC_FALSE;
+ val->key = NULL;
+ }
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ do {
+ dns_rdataset_current(rdataset, &rdata);
+
+ isc_buffer_init(&b, rdata.data, rdata.length);
+ isc_buffer_add(&b, rdata.length);
+ INSIST(val->key == NULL);
+ result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
+ val->view->mctx, &val->key);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ if (siginfo->algorithm ==
+ (dns_secalg_t)dst_key_alg(val->key) &&
+ siginfo->keyid ==
+ (dns_keytag_t)dst_key_id(val->key) &&
+ dst_key_iszonekey(val->key))
+ {
+ if (foundold)
+ /*
+ * This is the key we're looking for.
+ */
+ return (ISC_R_SUCCESS);
+ else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
+ {
+ foundold = ISC_TRUE;
+ dst_key_free(&oldkey);
+ }
+ }
+ dst_key_free(&val->key);
+ dns_rdata_reset(&rdata);
+ result = dns_rdataset_next(rdataset);
+ } while (result == ISC_R_SUCCESS);
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_NOTFOUND;
+
+ failure:
+ if (oldkey != NULL)
+ dst_key_free(&oldkey);
+
+ return (result);
+}
+
+static isc_result_t
+get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
+ isc_result_t result;
+ unsigned int nlabels;
+ int order;
+ dns_namereln_t namereln;
+
+ /*
+ * Is the signer name appropriate for this signature?
+ *
+ * The signer name must be at the same level as the owner name
+ * or closer to the the DNS root.
+ */
+ namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
+ &order, &nlabels);
+ if (namereln != dns_namereln_subdomain &&
+ namereln != dns_namereln_equal)
+ return (DNS_R_CONTINUE);
+
+ if (namereln == dns_namereln_equal) {
+ /*
+ * If this is a self-signed keyset, it must not be a zone key
+ * (since get_key is not called from validatezonekey).
+ */
+ if (val->event->rdataset->type == dns_rdatatype_dnskey)
+ return (DNS_R_CONTINUE);
+
+ /*
+ * Records appearing in the parent zone at delegation
+ * points cannot be self-signed.
+ */
+ if (dns_rdatatype_atparent(val->event->rdataset->type))
+ return (DNS_R_CONTINUE);
+ }
+
+ /*
+ * Do we know about this key?
+ */
+ result = view_find(val, &siginfo->signer, dns_rdatatype_dnskey);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We have an rrset for the given keyname.
+ */
+ val->keyset = &val->frdataset;
+ if (val->frdataset.trust == dns_trust_pending &&
+ dns_rdataset_isassociated(&val->fsigrdataset))
+ {
+ /*
+ * We know the key but haven't validated it yet.
+ */
+ result = create_validator(val, &siginfo->signer,
+ dns_rdatatype_dnskey,
+ &val->frdataset,
+ &val->fsigrdataset,
+ keyvalidated,
+ "get_key");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (val->frdataset.trust == dns_trust_pending) {
+ /*
+ * Having a pending key with no signature means that
+ * something is broken.
+ */
+ result = DNS_R_CONTINUE;
+ } else if (val->frdataset.trust < dns_trust_secure) {
+ /*
+ * The key is legitimately insecure. There's no
+ * point in even attempting verification.
+ */
+ val->key = NULL;
+ result = ISC_R_SUCCESS;
+ } else {
+ /*
+ * See if we've got the key used in the signature.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "keyset with trust %d",
+ val->frdataset.trust);
+ result = get_dst_key(val, siginfo, val->keyset);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Either the key we're looking for is not
+ * in the rrset, or something bad happened.
+ * Give up.
+ */
+ result = DNS_R_CONTINUE;
+ }
+ }
+ } else if (result == ISC_R_NOTFOUND) {
+ /*
+ * We don't know anything about this key.
+ */
+ result = create_fetch(val, &siginfo->signer, dns_rdatatype_dnskey,
+ fetch_callback_validator, "get_key");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NXRRSET)
+ {
+ /*
+ * This key doesn't exist.
+ */
+ result = DNS_R_CONTINUE;
+ }
+
+ if (dns_rdataset_isassociated(&val->frdataset) &&
+ val->keyset != &val->frdataset)
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+
+ return (result);
+}
+
+static dns_keytag_t
+compute_keytag(dns_rdata_t *rdata, dns_rdata_dnskey_t *key) {
+ isc_region_t r;
+
+ dns_rdata_toregion(rdata, &r);
+ return (dst_region_computeid(&r, key->algorithm));
+}
+
+/*
+ * Is this keyset self-signed?
+ */
+static isc_boolean_t
+isselfsigned(dns_validator_t *val) {
+ dns_rdataset_t *rdataset, *sigrdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdata_dnskey_t key;
+ dns_rdata_rrsig_t sig;
+ dns_keytag_t keytag;
+ isc_result_t result;
+
+ rdataset = val->event->rdataset;
+ sigrdataset = val->event->sigrdataset;
+
+ INSIST(rdataset->type == dns_rdatatype_dnskey);
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset))
+ {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(rdataset, &rdata);
+ (void)dns_rdata_tostruct(&rdata, &key, NULL);
+ keytag = compute_keytag(&rdata, &key);
+ for (result = dns_rdataset_first(sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(sigrdataset))
+ {
+ dns_rdata_reset(&sigrdata);
+ dns_rdataset_current(sigrdataset, &sigrdata);
+ (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+
+ if (sig.algorithm == key.algorithm &&
+ sig.keyid == keytag)
+ return (ISC_TRUE);
+ }
+ }
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+verify(dns_validator_t *val, dst_key_t *key, dns_rdata_t *rdata) {
+ isc_result_t result;
+ dns_fixedname_t fixed;
+
+ val->attributes |= VALATTR_TRIEDVERIFY;
+ dns_fixedname_init(&fixed);
+ result = dns_dnssec_verify2(val->event->name, val->event->rdataset,
+ key, ISC_FALSE, val->view->mctx, rdata,
+ dns_fixedname_name(&fixed));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "verify rdataset: %s",
+ isc_result_totext(result));
+ if (result == DNS_R_FROMWILDCARD) {
+ if (!dns_name_equal(val->event->name,
+ dns_fixedname_name(&fixed)))
+ val->attributes |= VALATTR_NEEDNOQNAME;
+ result = ISC_R_SUCCESS;
+ }
+ return (result);
+}
+
+/*
+ * Attempts positive response validation of a normal RRset.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Validation completed successfully
+ * DNS_R_WAIT Validation has started but is waiting
+ * for an event.
+ * Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validate(dns_validator_t *val, isc_boolean_t resume) {
+ isc_result_t result;
+ dns_validatorevent_t *event;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * Caller must be holding the validator lock.
+ */
+
+ event = val->event;
+
+ if (resume) {
+ /*
+ * We already have a sigrdataset.
+ */
+ result = ISC_R_SUCCESS;
+ validator_log(val, ISC_LOG_DEBUG(3), "resuming validate");
+ } else {
+ result = dns_rdataset_first(event->sigrdataset);
+ }
+
+ for (;
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(event->sigrdataset))
+ {
+ dns_rdata_reset(&rdata);
+ dns_rdataset_current(event->sigrdataset, &rdata);
+ if (val->siginfo == NULL) {
+ val->siginfo = isc_mem_get(val->view->mctx,
+ sizeof(*val->siginfo));
+ if (val->siginfo == NULL)
+ return (ISC_R_NOMEMORY);
+ }
+ result = dns_rdata_tostruct(&rdata, val->siginfo, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * At this point we could check that the signature algorithm
+ * was known and "sufficiently good".
+ */
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ event->name,
+ val->siginfo->algorithm))
+ continue;
+
+ if (!resume) {
+ result = get_key(val, val->siginfo);
+ if (result == DNS_R_CONTINUE)
+ continue; /* Try the next SIG RR. */
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ /*
+ * The key is insecure, so mark the data as insecure also.
+ */
+ if (val->key == NULL) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ event->rdataset->trust = dns_trust_answer;
+ event->sigrdataset->trust = dns_trust_answer;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "marking as answer");
+ return (ISC_R_SUCCESS);
+ }
+
+ do {
+ result = verify(val, val->key, &rdata);
+ if (result == ISC_R_SUCCESS)
+ break;
+ if (val->keynode != NULL) {
+ dns_keynode_t *nextnode = NULL;
+ result = dns_keytable_findnextkeynode(
+ val->keytable,
+ val->keynode,
+ &nextnode);
+ dns_keytable_detachkeynode(val->keytable,
+ &val->keynode);
+ val->keynode = nextnode;
+ if (result != ISC_R_SUCCESS) {
+ val->key = NULL;
+ break;
+ }
+ val->key = dns_keynode_key(val->keynode);
+ } else {
+ if (get_dst_key(val, val->siginfo, val->keyset)
+ != ISC_R_SUCCESS)
+ break;
+ }
+ } while (1);
+ if (result != ISC_R_SUCCESS)
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "failed to verify rdataset");
+ else {
+ isc_uint32_t ttl;
+ isc_stdtime_t now;
+
+ isc_stdtime_get(&now);
+ ttl = ISC_MIN(event->rdataset->ttl,
+ val->siginfo->timeexpire - now);
+ if (val->keyset != NULL)
+ ttl = ISC_MIN(ttl, val->keyset->ttl);
+ event->rdataset->ttl = ttl;
+ event->sigrdataset->ttl = ttl;
+ }
+
+ if (val->keynode != NULL)
+ dns_keytable_detachkeynode(val->keytable,
+ &val->keynode);
+ else {
+ if (val->key != NULL)
+ dst_key_free(&val->key);
+ if (val->keyset != NULL) {
+ dns_rdataset_disassociate(val->keyset);
+ val->keyset = NULL;
+ }
+ }
+ val->key = NULL;
+ if ((val->attributes & VALATTR_NEEDNOQNAME) != 0) {
+ if (val->event->message == NULL) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no message available for noqname proof");
+ return (DNS_R_NOVALIDSIG);
+ }
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "looking for noqname proof");
+ return (nsecvalidate(val, ISC_FALSE));
+ } else if (result == ISC_R_SUCCESS) {
+ event->rdataset->trust = dns_trust_secure;
+ event->sigrdataset->trust = dns_trust_secure;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "marking as secure");
+ return (result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "verify failure: %s",
+ isc_result_totext(result));
+ resume = ISC_FALSE;
+ }
+ }
+ if (result != ISC_R_NOMORE) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "failed to iterate signatures: %s",
+ isc_result_totext(result));
+ return (result);
+ }
+
+ validator_log(val, ISC_LOG_INFO, "no valid signature found");
+ return (DNS_R_NOVALIDSIG);
+}
+
+
+static void
+dlv_validated(isc_task_t *task, isc_event_t *event) {
+ dns_validatorevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_VALIDATORDONE);
+
+ devent = (dns_validatorevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_validator_destroy(&val->subvalidator);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dsvalidated");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv with trust %d", val->frdataset.trust);
+ if ((val->attributes & VALATTR_INSECURITY) != 0)
+ result = proveunsecure(val, ISC_TRUE);
+ else
+ result = validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv_validated: got %s",
+ isc_result_totext(eresult));
+ validator_done(val, eresult);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static void
+dlv_fetched(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ dns_rdataset_t *rdataset;
+ isc_boolean_t want_destroy;
+ isc_result_t result;
+ isc_result_t eresult;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ rdataset = &val->frdataset;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+
+ validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched");
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv set with trust %d", rdataset->trust);
+ val->dlv = &val->frdataset;
+ result = dlv_validatezonekey(val);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NCACHENXRRSET)
+ {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "dlv_fetched: got %s",
+ isc_result_totext(eresult));
+ if (eresult == ISC_R_CANCELED)
+ validator_done(val, eresult);
+ else
+ validator_done(val, DNS_R_NOVALIDDS);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static isc_result_t
+dlv_validatezonekey(dns_validator_t *val) {
+ dns_fixedname_t fixed;
+ dns_keytag_t keytag;
+ dns_name_t *name;
+ dns_name_t tname;
+ dns_rdata_dlv_t dlv;
+ dns_rdata_dnskey_t key;
+ dns_rdata_rrsig_t sig;
+ dns_rdata_t dlvrdata = DNS_RDATA_INIT;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ dns_rdataset_t trdataset;
+ dst_key_t *dstkey;
+ isc_boolean_t supported_algorithm;
+ isc_result_t result;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ unsigned int labels;
+
+ val->attributes |= VALATTR_DLVTRIED;
+
+ dns_name_init(&tname, NULL);
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ labels = dns_name_countlabels(val->event->name);
+ dns_name_getlabelsequence(val->event->name, 0, labels - 1, &tname);
+ result = dns_name_concatenate(&tname, val->view->dlv, name, NULL);
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "DLV concatenate failed");
+ return (DNS_R_NOVALIDSIG);
+ }
+ if (val->dlv == NULL) {
+ result = view_find(val, name, dns_rdatatype_dlv);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We have DLV records.
+ */
+ val->dsset = &val->frdataset;
+ if (val->frdataset.trust == dns_trust_pending &&
+ dns_rdataset_isassociated(&val->fsigrdataset))
+ {
+ result = create_validator(val,
+ val->event->name,
+ dns_rdatatype_ds,
+ &val->frdataset,
+ &val->fsigrdataset,
+ dlv_validated,
+ "dlv_validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (val->frdataset.trust == dns_trust_pending) {
+ /*
+ * There should never be an unsigned DLV.
+ */
+ dns_rdataset_disassociate(&val->frdataset);
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "unsigned DLV record");
+ return (DNS_R_NOVALIDSIG);
+ } else
+ result = ISC_R_SUCCESS;
+ } else if (result == ISC_R_NOTFOUND) {
+ result = create_fetch(val, name, dns_rdatatype_dlv,
+ dlv_fetched,
+ "dlv_validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NXRRSET)
+ {
+ /*
+ * The DS does not exist.
+ */
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ validator_log(val, ISC_LOG_DEBUG(2), "no DLV record");
+ return (DNS_R_NOVALIDSIG);
+ }
+ }
+
+ /*
+ * We have a DLV set.
+ */
+ INSIST(val->dlv != NULL);
+
+ if (val->dlv->trust < dns_trust_secure) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Look through the DLV record and find the keys that can sign the
+ * key set and the matching signature. For each such key, attempt
+ * verification.
+ */
+
+ supported_algorithm = ISC_FALSE;
+
+ for (result = dns_rdataset_first(val->dlv);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->dlv))
+ {
+ dns_rdata_reset(&dlvrdata);
+ dns_rdataset_current(val->dlv, &dlvrdata);
+ (void)dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
+
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ val->event->name,
+ dlv.algorithm))
+ continue;
+
+ supported_algorithm = ISC_TRUE;
+
+ dns_rdataset_init(&trdataset);
+ dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+ for (result = dns_rdataset_first(&trdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&trdataset))
+ {
+ dns_rdata_reset(&keyrdata);
+ dns_rdataset_current(&trdataset, &keyrdata);
+ (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
+ keytag = compute_keytag(&keyrdata, &key);
+ if (dlv.key_tag != keytag ||
+ dlv.algorithm != key.algorithm)
+ continue;
+ dns_rdata_reset(&newdsrdata);
+ result = dns_ds_buildrdata(val->event->name,
+ &keyrdata, dlv.digest_type,
+ dsbuf, &newdsrdata);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ /* Covert to DLV */
+ newdsrdata.type = dns_rdatatype_dlv;
+ if (dns_rdata_compare(&dlvrdata, &newdsrdata) == 0)
+ break;
+ }
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no DNSKEY matching DLV");
+ continue;
+ }
+
+ for (result = dns_rdataset_first(val->event->sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->event->sigrdataset))
+ {
+ dns_rdata_reset(&sigrdata);
+ dns_rdataset_current(val->event->sigrdataset,
+ &sigrdata);
+ (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ if (dlv.key_tag != sig.keyid &&
+ dlv.algorithm != sig.algorithm)
+ continue;
+
+ dstkey = NULL;
+ result = dns_dnssec_keyfromrdata(val->event->name,
+ &keyrdata,
+ val->view->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ /*
+ * This really shouldn't happen, but...
+ */
+ continue;
+
+ result = verify(val, dstkey, &sigrdata);
+ dst_key_free(&dstkey);
+ if (result == ISC_R_SUCCESS)
+ break;
+ }
+ dns_rdataset_disassociate(&trdataset);
+ if (result == ISC_R_SUCCESS)
+ break;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no RRSIG matching DLV key");
+ }
+ if (result == ISC_R_SUCCESS) {
+ val->event->rdataset->trust = dns_trust_secure;
+ val->event->sigrdataset->trust = dns_trust_secure;
+ validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+ return (result);
+ } else if (result == ISC_R_NOMORE && !supported_algorithm) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no supported algorithm (dlv)");
+ return (ISC_R_SUCCESS);
+ } else
+ return (DNS_R_NOVALIDSIG);
+}
+
+/*
+ * Attempts positive response validation of an RRset containing zone keys.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Validation completed successfully
+ * DNS_R_WAIT Validation has started but is waiting
+ * for an event.
+ * Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+validatezonekey(dns_validator_t *val) {
+ isc_result_t result;
+ dns_validatorevent_t *event;
+ dns_rdataset_t trdataset;
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+ dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+ dns_rdata_t keyrdata = DNS_RDATA_INIT;
+ dns_rdata_t sigrdata = DNS_RDATA_INIT;
+ unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+ dns_keytag_t keytag;
+ dns_rdata_ds_t ds;
+ dns_rdata_dnskey_t key;
+ dns_rdata_rrsig_t sig;
+ dst_key_t *dstkey;
+ isc_boolean_t supported_algorithm;
+
+ /*
+ * Caller must be holding the validator lock.
+ */
+
+ event = val->event;
+
+ if (val->dsset == NULL) {
+ /*
+ * First, see if this key was signed by a trusted key.
+ */
+ for (result = dns_rdataset_first(val->event->sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->event->sigrdataset))
+ {
+ dns_keynode_t *keynode = NULL, *nextnode = NULL;
+
+ dns_rdata_reset(&sigrdata);
+ dns_rdataset_current(val->event->sigrdataset,
+ &sigrdata);
+ (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ result = dns_keytable_findkeynode(val->keytable,
+ val->event->name,
+ sig.algorithm,
+ sig.keyid,
+ &keynode);
+ while (result == ISC_R_SUCCESS) {
+ dstkey = dns_keynode_key(keynode);
+ result = verify(val, dstkey, &sigrdata);
+ if (result == ISC_R_SUCCESS) {
+ dns_keytable_detachkeynode(val->keytable,
+ &keynode);
+ break;
+ }
+ result = dns_keytable_findnextkeynode(
+ val->keytable,
+ keynode,
+ &nextnode);
+ dns_keytable_detachkeynode(val->keytable,
+ &keynode);
+ keynode = nextnode;
+ }
+ if (result == ISC_R_SUCCESS) {
+ event->rdataset->trust = dns_trust_secure;
+ event->sigrdataset->trust = dns_trust_secure;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "signed by trusted key; "
+ "marking as secure");
+ return (result);
+ }
+ }
+
+ /*
+ * If this is the root name and there was no trusted key,
+ * give up, since there's no DS at the root.
+ */
+ if (dns_name_equal(event->name, dns_rootname)) {
+ if ((val->attributes & VALATTR_TRIEDVERIFY) != 0)
+ return (DNS_R_NOVALIDSIG);
+ else
+ return (DNS_R_NOVALIDDS);
+ }
+
+ /*
+ * Otherwise, try to find the DS record.
+ */
+ result = view_find(val, val->event->name, dns_rdatatype_ds);
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * We have DS records.
+ */
+ val->dsset = &val->frdataset;
+ if (val->frdataset.trust == dns_trust_pending &&
+ dns_rdataset_isassociated(&val->fsigrdataset))
+ {
+ result = create_validator(val,
+ val->event->name,
+ dns_rdatatype_ds,
+ &val->frdataset,
+ &val->fsigrdataset,
+ dsvalidated,
+ "validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (val->frdataset.trust == dns_trust_pending) {
+ /*
+ * There should never be an unsigned DS.
+ */
+ dns_rdataset_disassociate(&val->frdataset);
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "unsigned DS record");
+ return (DNS_R_NOVALIDSIG);
+ } else
+ result = ISC_R_SUCCESS;
+ } else if (result == ISC_R_NOTFOUND) {
+ /*
+ * We don't have the DS. Find it.
+ */
+ result = create_fetch(val, val->event->name,
+ dns_rdatatype_ds, dsfetched,
+ "validatezonekey");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ } else if (val->view->dlv != NULL && !DLVTRIED(val) &&
+ (result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXRRSET) &&
+ !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS record: looking for DLV");
+
+ return (dlv_validatezonekey(val));
+ } else if (result == DNS_R_NCACHENXDOMAIN ||
+ result == DNS_R_NCACHENXRRSET ||
+ result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NXRRSET)
+ {
+ /*
+ * The DS does not exist.
+ */
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ validator_log(val, ISC_LOG_DEBUG(2), "no DS record");
+ return (DNS_R_NOVALIDSIG);
+ }
+ }
+
+ /*
+ * We have a DS set.
+ */
+ INSIST(val->dsset != NULL);
+
+ if (val->dsset->trust < dns_trust_secure) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * Look through the DS record and find the keys that can sign the
+ * key set and the matching signature. For each such key, attempt
+ * verification.
+ */
+
+ supported_algorithm = ISC_FALSE;
+
+ for (result = dns_rdataset_first(val->dsset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->dsset))
+ {
+ dns_rdata_reset(&dsrdata);
+ dns_rdataset_current(val->dsset, &dsrdata);
+ (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+ if (!dns_resolver_algorithm_supported(val->view->resolver,
+ val->event->name,
+ ds.algorithm))
+ continue;
+
+ supported_algorithm = ISC_TRUE;
+
+ dns_rdataset_init(&trdataset);
+ dns_rdataset_clone(val->event->rdataset, &trdataset);
+
+ for (result = dns_rdataset_first(&trdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(&trdataset))
+ {
+ dns_rdata_reset(&keyrdata);
+ dns_rdataset_current(&trdataset, &keyrdata);
+ (void)dns_rdata_tostruct(&keyrdata, &key, NULL);
+ keytag = compute_keytag(&keyrdata, &key);
+ if (ds.key_tag != keytag ||
+ ds.algorithm != key.algorithm)
+ continue;
+ dns_rdata_reset(&newdsrdata);
+ result = dns_ds_buildrdata(val->event->name,
+ &keyrdata, ds.digest_type,
+ dsbuf, &newdsrdata);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ if (dns_rdata_compare(&dsrdata, &newdsrdata) == 0)
+ break;
+ }
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no DNSKEY matching DS");
+ continue;
+ }
+
+ for (result = dns_rdataset_first(val->event->sigrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(val->event->sigrdataset))
+ {
+ dns_rdata_reset(&sigrdata);
+ dns_rdataset_current(val->event->sigrdataset,
+ &sigrdata);
+ (void)dns_rdata_tostruct(&sigrdata, &sig, NULL);
+ if (ds.key_tag != sig.keyid &&
+ ds.algorithm != sig.algorithm)
+ continue;
+
+ dstkey = NULL;
+ result = dns_dnssec_keyfromrdata(val->event->name,
+ &keyrdata,
+ val->view->mctx,
+ &dstkey);
+ if (result != ISC_R_SUCCESS)
+ /*
+ * This really shouldn't happen, but...
+ */
+ continue;
+
+ result = verify(val, dstkey, &sigrdata);
+ dst_key_free(&dstkey);
+ if (result == ISC_R_SUCCESS)
+ break;
+ }
+ dns_rdataset_disassociate(&trdataset);
+ if (result == ISC_R_SUCCESS)
+ break;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no RRSIG matching DS key");
+ }
+ if (result == ISC_R_SUCCESS) {
+ event->rdataset->trust = dns_trust_secure;
+ event->sigrdataset->trust = dns_trust_secure;
+ validator_log(val, ISC_LOG_DEBUG(3), "marking as secure");
+ return (result);
+ } else if (result == ISC_R_NOMORE && val->view->dlv != NULL &&
+ !DLVTRIED(val) && !dns_name_issubdomain(val->event->name,
+ val->view->dlv))
+ {
+ validator_log(val, ISC_LOG_DEBUG(2),
+ "no DS/DNSKEY pair: looking for DLV");
+
+ return (dlv_validatezonekey(val));
+ } else if (result == ISC_R_NOMORE && !supported_algorithm) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ val->event->rdataset->trust = dns_trust_answer;
+ val->event->sigrdataset->trust = dns_trust_answer;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no supported algorithm (ds)");
+ return (ISC_R_SUCCESS);
+ } else
+ return (DNS_R_NOVALIDSIG);
+}
+
+/*
+ * Starts a positive response validation.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Validation completed successfully
+ * DNS_R_WAIT Validation has started but is waiting
+ * for an event.
+ * Other return codes are possible and all indicate failure.
+ */
+static isc_result_t
+start_positive_validation(dns_validator_t *val) {
+ /*
+ * If this is not a key, go straight into validate().
+ */
+ if (val->event->type != dns_rdatatype_dnskey || !isselfsigned(val))
+ return (validate(val, ISC_FALSE));
+
+ return (validatezonekey(val));
+}
+
+static isc_result_t
+checkwildcard(dns_validator_t *val) {
+ dns_name_t *name, *wild;
+ dns_message_t *message = val->event->message;
+ isc_result_t result;
+ isc_boolean_t exists, data;
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ wild = dns_fixedname_name(&val->wild);
+ dns_name_format(wild, namebuf, sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
+
+ for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+ {
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+
+ for (rdataset = ISC_LIST_HEAD(name->list);
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (rdataset->type != dns_rdatatype_nsec)
+ continue;
+ val->nsecset = rdataset;
+
+ for (sigrdataset = ISC_LIST_HEAD(name->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+ {
+ if (sigrdataset->type == dns_rdatatype_rrsig &&
+ sigrdataset->covers == rdataset->type)
+ break;
+ }
+ if (sigrdataset == NULL)
+ continue;
+
+ if (rdataset->trust != dns_trust_secure)
+ continue;
+
+ if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+ (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
+ (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
+ (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
+ nsecnoexistnodata(val, wild, name, rdataset,
+ &exists, &data, NULL)
+ == ISC_R_SUCCESS)
+ {
+ dns_name_t **proofs = val->event->proofs;
+ if (exists && !data)
+ val->attributes |= VALATTR_FOUNDNODATA;
+ if (exists && !data && NEEDNODATA(val))
+ proofs[DNS_VALIDATOR_NODATAPROOF] =
+ name;
+ if (!exists)
+ val->attributes |=
+ VALATTR_FOUNDNOWILDCARD;
+ if (!exists && NEEDNOQNAME(val))
+ proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
+ name;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+static isc_result_t
+nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
+ dns_name_t *name;
+ dns_message_t *message = val->event->message;
+ isc_result_t result;
+
+ if (!resume)
+ result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+ else {
+ result = ISC_R_SUCCESS;
+ validator_log(val, ISC_LOG_DEBUG(3), "resuming nsecvalidate");
+ }
+
+ for (;
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+ {
+ dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+ name = NULL;
+ dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+ if (resume) {
+ rdataset = ISC_LIST_NEXT(val->currentset, link);
+ val->currentset = NULL;
+ resume = ISC_FALSE;
+ } else
+ rdataset = ISC_LIST_HEAD(name->list);
+
+ for (;
+ rdataset != NULL;
+ rdataset = ISC_LIST_NEXT(rdataset, link))
+ {
+ if (rdataset->type == dns_rdatatype_rrsig)
+ continue;
+
+ if (rdataset->type == dns_rdatatype_soa) {
+ val->soaset = rdataset;
+ val->soaname = name;
+ } else if (rdataset->type == dns_rdatatype_nsec)
+ val->nsecset = rdataset;
+
+ for (sigrdataset = ISC_LIST_HEAD(name->list);
+ sigrdataset != NULL;
+ sigrdataset = ISC_LIST_NEXT(sigrdataset,
+ link))
+ {
+ if (sigrdataset->type == dns_rdatatype_rrsig &&
+ sigrdataset->covers == rdataset->type)
+ break;
+ }
+ if (sigrdataset == NULL)
+ continue;
+ /*
+ * If a signed zone is missing the zone key, bad
+ * things could happen. A query for data in the zone
+ * would lead to a query for the zone key, which
+ * would return a negative answer, which would contain
+ * an SOA and an NSEC signed by the missing key, which
+ * would trigger another query for the DNSKEY (since
+ * the first one is still in progress), and go into an
+ * infinite loop. Avoid that.
+ */
+ if (val->event->type == dns_rdatatype_dnskey &&
+ dns_name_equal(name, val->event->name))
+ {
+ dns_rdata_t nsec = DNS_RDATA_INIT;
+
+ if (rdataset->type != dns_rdatatype_nsec)
+ continue;
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_rdataset_current(rdataset, &nsec);
+ if (dns_nsec_typepresent(&nsec,
+ dns_rdatatype_soa))
+ continue;
+ }
+ val->currentset = rdataset;
+ result = create_validator(val, name, rdataset->type,
+ rdataset, sigrdataset,
+ authvalidated,
+ "nsecvalidate");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+
+ }
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Do we only need to check for NOQNAME?
+ */
+ if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
+ (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
+ (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
+ if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "noqname proof found");
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "marking as secure");
+ val->event->rdataset->trust = dns_trust_secure;
+ val->event->sigrdataset->trust = dns_trust_secure;
+ return (ISC_R_SUCCESS);
+ }
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "noqname proof not found");
+ return (DNS_R_NOVALIDNSEC);
+ }
+
+ /*
+ * Do we need to check for the wildcard?
+ */
+ if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+ (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
+ (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
+ (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
+ result = checkwildcard(val);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
+ (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
+ ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
+ (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+ (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
+ (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0))
+ val->attributes |= VALATTR_FOUNDNONEXISTENCE;
+
+ if ((val->attributes & VALATTR_FOUNDNONEXISTENCE) == 0) {
+ if (!val->seensig && val->soaset != NULL) {
+ result = create_validator(val, name, dns_rdatatype_soa,
+ val->soaset, NULL,
+ negauthvalidated,
+ "nsecvalidate");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ }
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "nonexistence proof not found");
+ return (DNS_R_NOVALIDNSEC);
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "nonexistence proof found");
+ return (ISC_R_SUCCESS);
+ }
+}
+
+static isc_boolean_t
+check_ds_algorithm(dns_validator_t *val, dns_name_t *name,
+ dns_rdataset_t *rdataset) {
+ dns_rdata_t dsrdata = DNS_RDATA_INIT;
+ dns_rdata_ds_t ds;
+ isc_result_t result;
+
+ for (result = dns_rdataset_first(rdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rdataset)) {
+ dns_rdataset_current(rdataset, &dsrdata);
+ (void)dns_rdata_tostruct(&dsrdata, &ds, NULL);
+
+ if (dns_resolver_algorithm_supported(val->view->resolver,
+ name, ds.algorithm))
+ return (ISC_TRUE);
+ dns_rdata_reset(&dsrdata);
+ }
+ return (ISC_FALSE);
+}
+
+static void
+dlv_fetched2(isc_task_t *task, isc_event_t *event) {
+ dns_fetchevent_t *devent;
+ dns_validator_t *val;
+ isc_boolean_t want_destroy;
+ isc_result_t eresult;
+ isc_result_t result;
+
+ UNUSED(task);
+ INSIST(event->ev_type == DNS_EVENT_FETCHDONE);
+ devent = (dns_fetchevent_t *)event;
+ val = devent->ev_arg;
+ eresult = devent->result;
+
+ isc_event_free(&event);
+ dns_resolver_destroyfetch(&val->fetch);
+
+ INSIST(val->event != NULL);
+ validator_log(val, ISC_LOG_DEBUG(3), "in dlv_fetched2: %s",
+ dns_result_totext(eresult));
+
+ LOCK(&val->lock);
+ if (eresult == ISC_R_SUCCESS) {
+ val->havedlvsep = ISC_TRUE;
+ result = proveunsecure(val, ISC_FALSE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (eresult == DNS_R_NXRRSET ||
+ eresult == DNS_R_NXDOMAIN ||
+ eresult == DNS_R_NCACHENXRRSET ||
+ eresult == DNS_R_NCACHENXDOMAIN) {
+ result = finddlvsep(val, ISC_TRUE);
+ if (result == ISC_R_SUCCESS) {
+ result = proveunsecure(val, ISC_FALSE);
+ if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ } else if (result == ISC_R_NOTFOUND) {
+ validator_done(val, ISC_R_SUCCESS);
+ } else if (result != DNS_R_WAIT)
+ validator_done(val, result);
+ }
+ want_destroy = exit_check(val);
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+static isc_result_t
+finddlvsep(dns_validator_t *val, isc_boolean_t resume) {
+ dns_fixedname_t dlvfixed;
+ dns_name_t *dlvname;
+ dns_name_t *dlvsep;
+ dns_name_t noroot;
+ isc_result_t result;
+ unsigned int labels;
+
+ if (!resume) {
+ dns_fixedname_init(&val->dlvsep);
+ dlvsep = dns_fixedname_name(&val->dlvsep);
+ dns_name_copy(val->event->name, dlvsep, NULL);
+ val->attributes |= VALATTR_DLVSEPTRIED;
+ } else {
+ dlvsep = dns_fixedname_name(&val->dlvsep);
+ labels = dns_name_countlabels(dlvsep);
+ dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+ }
+ dns_name_init(&noroot, NULL);
+ dns_fixedname_init(&dlvfixed);
+ dlvname = dns_fixedname_name(&dlvfixed);
+ labels = dns_name_countlabels(dlvsep);
+ dns_name_getlabelsequence(dlvsep, 0, labels - 1, &noroot);
+ result = dns_name_concatenate(&noroot, val->view->dlv, dlvname, NULL);
+ while (result == ISC_R_NOSPACE) {
+ labels = dns_name_countlabels(dlvsep);
+ dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+ dns_name_getlabelsequence(dlvsep, 0, labels - 2, &noroot);
+ result = dns_name_concatenate(&noroot, val->view->dlv,
+ dlvname, NULL);
+ }
+ if (result != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(2), "DLV concatenate failed");
+ return (DNS_R_NOVALIDSIG);
+ }
+
+ while (dns_name_countlabels(dlvname) >
+ dns_name_countlabels(val->view->dlv))
+ {
+ result = view_find(val, dlvname, dns_rdatatype_dlv);
+ if (result == ISC_R_SUCCESS) {
+ if (val->frdataset.trust < dns_trust_secure)
+ return (DNS_R_NOVALIDSIG);
+ val->havedlvsep = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ }
+ if (result == ISC_R_NOTFOUND) {
+ result = create_fetch(val, dlvname, dns_rdatatype_dlv,
+ dlv_fetched2, "finddlvsep");
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ return (DNS_R_WAIT);
+ }
+ if (result != DNS_R_NXRRSET &&
+ result != DNS_R_NXDOMAIN &&
+ result != DNS_R_NCACHENXRRSET &&
+ result != DNS_R_NCACHENXDOMAIN)
+ return (result);
+ /*
+ * Strip first labels from both dlvsep and dlvname.
+ */
+ labels = dns_name_countlabels(dlvsep);
+ dns_name_getlabelsequence(dlvsep, 1, labels - 1, dlvsep);
+ labels = dns_name_countlabels(dlvname);
+ dns_name_getlabelsequence(dlvname, 1, labels - 1, dlvname);
+ }
+ return (ISC_R_NOTFOUND);
+}
+
+static isc_result_t
+proveunsecure(dns_validator_t *val, isc_boolean_t resume) {
+ isc_result_t result;
+ isc_result_t tresult;
+ dns_fixedname_t secroot;
+ dns_name_t *tname;
+
+ dns_fixedname_init(&secroot);
+ result = dns_keytable_finddeepestmatch(val->keytable,
+ val->event->name,
+ dns_fixedname_name(&secroot));
+ /*
+ * If the name is not under a security root, it must be insecure.
+ */
+ if (val->view->dlv != NULL && !DLVSEPTRIED(val) &&
+ !dns_name_issubdomain(val->event->name, val->view->dlv)) {
+ tresult = finddlvsep(val, ISC_FALSE);
+ if (tresult != ISC_R_NOTFOUND && tresult != ISC_R_SUCCESS) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "finddlvsep returned: %s",
+ dns_result_totext(tresult));
+ return (tresult);
+ }
+ }
+
+ if (result == ISC_R_NOTFOUND) {
+ if (!val->havedlvsep)
+ return (ISC_R_SUCCESS);
+ dns_name_copy(dns_fixedname_name(&val->dlvsep),
+ dns_fixedname_name(&secroot), NULL);
+ } else if (result != ISC_R_SUCCESS)
+ return (result);
+ else if (val->havedlvsep &&
+ dns_name_issubdomain(dns_fixedname_name(&val->dlvsep),
+ dns_fixedname_name(&secroot))) {
+ dns_name_copy(dns_fixedname_name(&val->dlvsep),
+ dns_fixedname_name(&secroot), NULL);
+ }
+
+ if (!resume) {
+ val->labels =
+ dns_name_countlabels(dns_fixedname_name(&secroot)) + 1;
+ } else {
+ validator_log(val, ISC_LOG_DEBUG(3), "resuming proveunsecure");
+ if (val->frdataset.trust >= dns_trust_secure &&
+ !check_ds_algorithm(val, dns_fixedname_name(&val->fname),
+ &val->frdataset)) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ result = DNS_R_MUSTBESECURE;
+ goto out;
+ }
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no supported algorithm (ds)");
+ val->event->rdataset->trust = dns_trust_answer;
+ result = ISC_R_SUCCESS;
+ goto out;
+ }
+ val->labels++;
+ }
+
+ for (;
+ val->labels <= dns_name_countlabels(val->event->name);
+ val->labels++)
+ {
+ char namebuf[DNS_NAME_FORMATSIZE];
+
+ dns_fixedname_init(&val->fname);
+ tname = dns_fixedname_name(&val->fname);
+ if (val->labels == dns_name_countlabels(val->event->name))
+ dns_name_copy(val->event->name, tname, NULL);
+ else
+ dns_name_split(val->event->name, val->labels,
+ NULL, tname);
+
+ dns_name_format(tname, namebuf, sizeof(namebuf));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "checking existence of DS at '%s'",
+ namebuf);
+
+ result = view_find(val, tname, dns_rdatatype_ds);
+ if (result == DNS_R_NXRRSET || result == DNS_R_NCACHENXRRSET) {
+ /*
+ * There is no DS. If this is a delegation,
+ * we're done.
+ */
+ if (val->frdataset.trust < dns_trust_secure) {
+ /*
+ * This shouldn't happen, since the negative
+ * response should have been validated. Since
+ * there's no way of validating existing
+ * negative response blobs, give up.
+ */
+ result = DNS_R_NOVALIDSIG;
+ goto out;
+ }
+ if (isdelegation(tname, &val->frdataset, result)) {
+ if (val->mustbesecure) {
+ validator_log(val, ISC_LOG_WARNING,
+ "must be secure failure");
+ return (DNS_R_MUSTBESECURE);
+ }
+ val->event->rdataset->trust = dns_trust_answer;
+ return (ISC_R_SUCCESS);
+ }
+ continue;
+ } else if (result == ISC_R_SUCCESS) {
+ /*
+ * There is a DS here. Verify that it's secure and
+ * continue.
+ */
+ if (val->frdataset.trust >= dns_trust_secure) {
+ if (!check_ds_algorithm(val, tname,
+ &val->frdataset)) {
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "no supported algorithm (ds)");
+ if (val->mustbesecure) {
+ validator_log(val,
+ ISC_LOG_WARNING,
+ "must be secure failure");
+ result = DNS_R_MUSTBESECURE;
+ goto out;
+ }
+ val->event->rdataset->trust =
+ dns_trust_answer;
+ result = ISC_R_SUCCESS;
+ goto out;
+ }
+ continue;
+ }
+ else if (!dns_rdataset_isassociated(&val->fsigrdataset))
+ {
+ result = DNS_R_NOVALIDSIG;
+ goto out;
+ }
+ result = create_validator(val, tname, dns_rdatatype_ds,
+ &val->frdataset,
+ &val->fsigrdataset,
+ dsvalidated,
+ "proveunsecure");
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ return (DNS_R_WAIT);
+ } else if (result == DNS_R_NXDOMAIN ||
+ result == DNS_R_NCACHENXDOMAIN)
+ {
+ /*
+ * This is not a zone cut. Assuming things are
+ * as expected, continue.
+ */
+ if (!dns_rdataset_isassociated(&val->frdataset)) {
+ /*
+ * There should be an NSEC here, since we
+ * are still in a secure zone.
+ */
+ result = DNS_R_NOVALIDNSEC;
+ goto out;
+ } else if (val->frdataset.trust < dns_trust_secure) {
+ /*
+ * This shouldn't happen, since the negative
+ * response should have been validated. Since
+ * there's no way of validating existing
+ * negative response blobs, give up.
+ */
+ result = DNS_R_NOVALIDSIG;
+ goto out;
+ }
+ continue;
+ } else if (result == ISC_R_NOTFOUND) {
+ /*
+ * We don't know anything about the DS. Find it.
+ */
+ result = create_fetch(val, tname, dns_rdatatype_ds,
+ dsfetched2, "proveunsecure");
+ if (result != ISC_R_SUCCESS)
+ goto out;
+ return (DNS_R_WAIT);
+ }
+ }
+ validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
+ return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
+
+ out:
+ if (dns_rdataset_isassociated(&val->frdataset))
+ dns_rdataset_disassociate(&val->frdataset);
+ if (dns_rdataset_isassociated(&val->fsigrdataset))
+ dns_rdataset_disassociate(&val->fsigrdataset);
+ return (result);
+}
+
+static void
+validator_start(isc_task_t *task, isc_event_t *event) {
+ dns_validator_t *val;
+ dns_validatorevent_t *vevent;
+ isc_boolean_t want_destroy = ISC_FALSE;
+ isc_result_t result = ISC_R_FAILURE;
+
+ UNUSED(task);
+ REQUIRE(event->ev_type == DNS_EVENT_VALIDATORSTART);
+ vevent = (dns_validatorevent_t *)event;
+ val = vevent->validator;
+
+ /* If the validator has been cancelled, val->event == NULL */
+ if (val->event == NULL)
+ return;
+
+ validator_log(val, ISC_LOG_DEBUG(3), "starting");
+
+ LOCK(&val->lock);
+
+ if (val->event->rdataset != NULL && val->event->sigrdataset != NULL) {
+ isc_result_t saved_result;
+
+ /*
+ * This looks like a simple validation. We say "looks like"
+ * because it might end up requiring an insecurity proof.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "attempting positive response validation");
+
+ INSIST(dns_rdataset_isassociated(val->event->rdataset));
+ INSIST(dns_rdataset_isassociated(val->event->sigrdataset));
+ result = start_positive_validation(val);
+ if (result == DNS_R_NOVALIDSIG &&
+ (val->attributes & VALATTR_TRIEDVERIFY) == 0)
+ {
+ saved_result = result;
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "falling back to insecurity proof");
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE);
+ if (result == DNS_R_NOTINSECURE)
+ result = saved_result;
+ }
+ } else if (val->event->rdataset != NULL) {
+ /*
+ * This is either an unsecure subdomain or a response from
+ * a broken server.
+ */
+ INSIST(dns_rdataset_isassociated(val->event->rdataset));
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "attempting insecurity proof");
+
+ val->attributes |= VALATTR_INSECURITY;
+ result = proveunsecure(val, ISC_FALSE);
+ } else if (val->event->rdataset == NULL &&
+ val->event->sigrdataset == NULL)
+ {
+ /*
+ * This is a nonexistence validation.
+ */
+ validator_log(val, ISC_LOG_DEBUG(3),
+ "attempting negative response validation");
+
+ val->attributes |= VALATTR_NEGATIVE;
+ if (val->event->message->rcode == dns_rcode_nxdomain) {
+ val->attributes |= VALATTR_NEEDNOQNAME;
+ val->attributes |= VALATTR_NEEDNOWILDCARD;
+ } else
+ val->attributes |= VALATTR_NEEDNODATA;
+ result = nsecvalidate(val, ISC_FALSE);
+ } else {
+ /*
+ * This shouldn't happen.
+ */
+ INSIST(0);
+ }
+
+ if (result != DNS_R_WAIT) {
+ want_destroy = exit_check(val);
+ validator_done(val, result);
+ }
+
+ UNLOCK(&val->lock);
+ if (want_destroy)
+ destroy(val);
+}
+
+isc_result_t
+dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+ dns_message_t *message, unsigned int options,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_validator_t **validatorp)
+{
+ isc_result_t result;
+ dns_validator_t *val;
+ isc_task_t *tclone;
+ dns_validatorevent_t *event;
+
+ REQUIRE(name != NULL);
+ REQUIRE(type != 0);
+ REQUIRE(rdataset != NULL ||
+ (rdataset == NULL && sigrdataset == NULL && message != NULL));
+ REQUIRE(options == 0);
+ REQUIRE(validatorp != NULL && *validatorp == NULL);
+
+ tclone = NULL;
+ result = ISC_R_FAILURE;
+
+ val = isc_mem_get(view->mctx, sizeof(*val));
+ if (val == NULL)
+ return (ISC_R_NOMEMORY);
+ val->view = NULL;
+ dns_view_weakattach(view, &val->view);
+ event = (dns_validatorevent_t *)
+ isc_event_allocate(view->mctx, task,
+ DNS_EVENT_VALIDATORSTART,
+ validator_start, NULL,
+ sizeof(dns_validatorevent_t));
+ if (event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_val;
+ }
+ isc_task_attach(task, &tclone);
+ event->validator = val;
+ event->result = ISC_R_FAILURE;
+ event->name = name;
+ event->type = type;
+ event->rdataset = rdataset;
+ event->sigrdataset = sigrdataset;
+ event->message = message;
+ memset(event->proofs, 0, sizeof(event->proofs));
+ result = isc_mutex_init(&val->lock);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_event;
+ val->event = event;
+ val->options = options;
+ val->attributes = 0;
+ val->fetch = NULL;
+ val->subvalidator = NULL;
+ val->parent = NULL;
+ val->keytable = NULL;
+ dns_keytable_attach(val->view->secroots, &val->keytable);
+ val->keynode = NULL;
+ val->key = NULL;
+ val->siginfo = NULL;
+ val->task = task;
+ val->action = action;
+ val->arg = arg;
+ val->labels = 0;
+ val->currentset = NULL;
+ val->keyset = NULL;
+ val->dsset = NULL;
+ val->dlv = NULL;
+ val->soaset = NULL;
+ val->nsecset = NULL;
+ val->soaname = NULL;
+ val->seensig = ISC_FALSE;
+ val->havedlvsep = ISC_FALSE;
+ val->mustbesecure = dns_resolver_getmustbesecure(view->resolver, name);
+ dns_rdataset_init(&val->frdataset);
+ dns_rdataset_init(&val->fsigrdataset);
+ dns_fixedname_init(&val->wild);
+ ISC_LINK_INIT(val, link);
+ val->magic = VALIDATOR_MAGIC;
+
+ isc_task_send(task, ISC_EVENT_PTR(&event));
+
+ *validatorp = val;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_event:
+ isc_task_detach(&tclone);
+ isc_event_free((isc_event_t **)&val->event);
+
+ cleanup_val:
+ dns_view_weakdetach(&val->view);
+ isc_mem_put(view->mctx, val, sizeof(*val));
+
+ return (result);
+}
+
+void
+dns_validator_cancel(dns_validator_t *validator) {
+ REQUIRE(VALID_VALIDATOR(validator));
+
+ LOCK(&validator->lock);
+
+ validator_log(validator, ISC_LOG_DEBUG(3), "dns_validator_cancel");
+
+ if (validator->event != NULL) {
+ if (validator->fetch != NULL)
+ dns_resolver_cancelfetch(validator->fetch);
+
+ if (validator->subvalidator != NULL)
+ dns_validator_cancel(validator->subvalidator);
+ }
+ UNLOCK(&validator->lock);
+}
+
+static void
+destroy(dns_validator_t *val) {
+ isc_mem_t *mctx;
+
+ REQUIRE(SHUTDOWN(val));
+ REQUIRE(val->event == NULL);
+ REQUIRE(val->fetch == NULL);
+
+ if (val->keynode != NULL)
+ dns_keytable_detachkeynode(val->keytable, &val->keynode);
+ else if (val->key != NULL)
+ dst_key_free(&val->key);
+ if (val->keytable != NULL)
+ dns_keytable_detach(&val->keytable);
+ if (val->subvalidator != NULL)
+ dns_validator_destroy(&val->subvalidator);
+ mctx = val->view->mctx;
+ if (val->siginfo != NULL)
+ isc_mem_put(mctx, val->siginfo, sizeof(*val->siginfo));
+ DESTROYLOCK(&val->lock);
+ dns_view_weakdetach(&val->view);
+ val->magic = 0;
+ isc_mem_put(mctx, val, sizeof(*val));
+}
+
+void
+dns_validator_destroy(dns_validator_t **validatorp) {
+ dns_validator_t *val;
+ isc_boolean_t want_destroy = ISC_FALSE;
+
+ REQUIRE(validatorp != NULL);
+ val = *validatorp;
+ REQUIRE(VALID_VALIDATOR(val));
+
+ LOCK(&val->lock);
+
+ val->attributes |= VALATTR_SHUTDOWN;
+ validator_log(val, ISC_LOG_DEBUG(3), "dns_validator_destroy");
+
+ want_destroy = exit_check(val);
+
+ UNLOCK(&val->lock);
+
+ if (want_destroy)
+ destroy(val);
+
+ *validatorp = NULL;
+}
+
+static void
+validator_logv(dns_validator_t *val, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+{
+ char msgbuf[2048];
+
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+
+ if (val->event != NULL && val->event->name != NULL) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_name_format(val->event->name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(val->event->type, typebuf,
+ sizeof(typebuf));
+ isc_log_write(dns_lctx, category, module, level,
+ "validating %s %s: %s", namebuf, typebuf,
+ msgbuf);
+ } else {
+ isc_log_write(dns_lctx, category, module, level,
+ "validator @%p: %s", val, msgbuf);
+ }
+}
+
+static void
+validator_log(dns_validator_t *val, int level, const char *fmt, ...) {
+ va_list ap;
+
+ if (! isc_log_wouldlog(dns_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+
+ validator_logv(val, DNS_LOGCATEGORY_DNSSEC,
+ DNS_LOGMODULE_VALIDATOR, level, fmt, ap);
+ va_end(ap);
+}
+
+static void
+validator_logcreate(dns_validator_t *val,
+ dns_name_t *name, dns_rdatatype_t type,
+ const char *caller, const char *operation)
+{
+ char namestr[DNS_NAME_FORMATSIZE];
+ char typestr[DNS_RDATATYPE_FORMATSIZE];
+
+ dns_name_format(name, namestr, sizeof(namestr));
+ dns_rdatatype_format(type, typestr, sizeof(typestr));
+ validator_log(val, ISC_LOG_DEBUG(9), "%s: creating %s for %s %s",
+ caller, operation, namestr, typestr);
+}
diff --git a/contrib/bind9/lib/dns/version.c b/contrib/bind9/lib/dns/version.c
new file mode 100644
index 0000000..6b043ab
--- /dev/null
+++ b/contrib/bind9/lib/dns/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:33 marka Exp $ */
+
+#include <dns/version.h>
+
+const char dns_version[] = VERSION;
+
+const unsigned int dns_libinterface = LIBINTERFACE;
+const unsigned int dns_librevision = LIBREVISION;
+const unsigned int dns_libage = LIBAGE;
diff --git a/contrib/bind9/lib/dns/view.c b/contrib/bind9/lib/dns/view.c
new file mode 100644
index 0000000..ac7af61
--- /dev/null
+++ b/contrib/bind9/lib/dns/view.c
@@ -0,0 +1,1332 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: view.c,v 1.103.2.5.2.14 2004/03/10 02:55:58 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/hash.h>
+#include <isc/task.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/cache.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/forward.h>
+#include <dns/keytable.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/order.h>
+#include <dns/peer.h>
+#include <dns/rdataset.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/tsig.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+#define RESSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_RESSHUTDOWN) != 0)
+#define ADBSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_ADBSHUTDOWN) != 0)
+#define REQSHUTDOWN(v) (((v)->attributes & DNS_VIEWATTR_REQSHUTDOWN) != 0)
+
+#define DNS_VIEW_DELONLYHASH 111
+
+static void resolver_shutdown(isc_task_t *task, isc_event_t *event);
+static void adb_shutdown(isc_task_t *task, isc_event_t *event);
+static void req_shutdown(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
+ const char *name, dns_view_t **viewp)
+{
+ dns_view_t *view;
+ isc_result_t result;
+
+ /*
+ * Create a view.
+ */
+
+ REQUIRE(name != NULL);
+ REQUIRE(viewp != NULL && *viewp == NULL);
+
+ view = isc_mem_get(mctx, sizeof(*view));
+ if (view == NULL)
+ return (ISC_R_NOMEMORY);
+ view->name = isc_mem_strdup(mctx, name);
+ if (view->name == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_view;
+ }
+ result = isc_mutex_init(&view->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_name;
+ }
+ view->zonetable = NULL;
+ result = dns_zt_create(mctx, rdclass, &view->zonetable);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "dns_zt_create() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_mutex;
+ }
+ view->secroots = NULL;
+ result = dns_keytable_create(mctx, &view->secroots);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "dns_keytable_create() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_zt;
+ }
+ view->trustedkeys = NULL;
+ result = dns_keytable_create(mctx, &view->trustedkeys);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "dns_keytable_create() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_secroots;
+ }
+ view->fwdtable = NULL;
+ result = dns_fwdtable_create(mctx, &view->fwdtable);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "dns_fwdtable_create() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_trustedkeys;
+ }
+
+ view->cache = NULL;
+ view->cachedb = NULL;
+ view->hints = NULL;
+ view->resolver = NULL;
+ view->adb = NULL;
+ view->requestmgr = NULL;
+ view->mctx = mctx;
+ view->rdclass = rdclass;
+ view->frozen = ISC_FALSE;
+ view->task = NULL;
+ isc_refcount_init(&view->references, 1);
+ view->weakrefs = 0;
+ view->attributes = (DNS_VIEWATTR_RESSHUTDOWN|DNS_VIEWATTR_ADBSHUTDOWN|
+ DNS_VIEWATTR_REQSHUTDOWN);
+ view->statickeys = NULL;
+ view->dynamickeys = NULL;
+ view->matchclients = NULL;
+ view->matchdestinations = NULL;
+ view->matchrecursiveonly = ISC_FALSE;
+ result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_fwdtable;
+ view->peers = NULL;
+ view->order = NULL;
+ view->delonly = NULL;
+ view->rootdelonly = ISC_FALSE;
+ view->rootexclude = NULL;
+
+ /*
+ * Initialize configuration data with default values.
+ */
+ view->recursion = ISC_TRUE;
+ view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
+ view->additionalfromcache = ISC_TRUE;
+ view->additionalfromauth = ISC_TRUE;
+ view->enablednssec = ISC_TRUE;
+ view->minimalresponses = ISC_FALSE;
+ view->transfer_format = dns_one_answer;
+ view->queryacl = NULL;
+ view->recursionacl = NULL;
+ view->sortlist = NULL;
+ view->requestixfr = ISC_TRUE;
+ view->provideixfr = ISC_TRUE;
+ view->maxcachettl = 7 * 24 * 3600;
+ view->maxncachettl = 3 * 3600;
+ view->dstport = 53;
+ view->preferred_glue = 0;
+ view->flush = ISC_FALSE;
+ view->dlv = NULL;
+ dns_fixedname_init(&view->dlv_fixed);
+
+ result = dns_order_create(view->mctx, &view->order);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_dynkeys;
+
+ result = dns_peerlist_new(view->mctx, &view->peers);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_order;
+
+ result = dns_aclenv_init(view->mctx, &view->aclenv);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_peerlist;
+
+ ISC_LINK_INIT(view, link);
+ ISC_EVENT_INIT(&view->resevent, sizeof(view->resevent), 0, NULL,
+ DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
+ view, NULL, NULL, NULL);
+ ISC_EVENT_INIT(&view->adbevent, sizeof(view->adbevent), 0, NULL,
+ DNS_EVENT_VIEWADBSHUTDOWN, adb_shutdown,
+ view, NULL, NULL, NULL);
+ ISC_EVENT_INIT(&view->reqevent, sizeof(view->reqevent), 0, NULL,
+ DNS_EVENT_VIEWREQSHUTDOWN, req_shutdown,
+ view, NULL, NULL, NULL);
+ view->magic = DNS_VIEW_MAGIC;
+
+ *viewp = view;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_peerlist:
+ dns_peerlist_detach(&view->peers);
+
+ cleanup_order:
+ dns_order_detach(&view->order);
+
+ cleanup_dynkeys:
+ dns_tsigkeyring_destroy(&view->dynamickeys);
+
+ cleanup_fwdtable:
+ dns_fwdtable_destroy(&view->fwdtable);
+
+ cleanup_trustedkeys:
+ dns_keytable_detach(&view->trustedkeys);
+
+ cleanup_secroots:
+ dns_keytable_detach(&view->secroots);
+
+ cleanup_zt:
+ dns_zt_detach(&view->zonetable);
+
+ cleanup_mutex:
+ DESTROYLOCK(&view->lock);
+
+ cleanup_name:
+ isc_mem_free(mctx, view->name);
+
+ cleanup_view:
+ isc_mem_put(mctx, view, sizeof(*view));
+
+ return (result);
+}
+
+static inline void
+destroy(dns_view_t *view) {
+ REQUIRE(!ISC_LINK_LINKED(view, link));
+ REQUIRE(isc_refcount_current(&view->references) == 0);
+ REQUIRE(view->weakrefs == 0);
+ REQUIRE(RESSHUTDOWN(view));
+ REQUIRE(ADBSHUTDOWN(view));
+ REQUIRE(REQSHUTDOWN(view));
+
+ if (view->order != NULL)
+ dns_order_detach(&view->order);
+ if (view->peers != NULL)
+ dns_peerlist_detach(&view->peers);
+ if (view->dynamickeys != NULL)
+ dns_tsigkeyring_destroy(&view->dynamickeys);
+ if (view->statickeys != NULL)
+ dns_tsigkeyring_destroy(&view->statickeys);
+ if (view->adb != NULL)
+ dns_adb_detach(&view->adb);
+ if (view->resolver != NULL)
+ dns_resolver_detach(&view->resolver);
+ if (view->requestmgr != NULL)
+ dns_requestmgr_detach(&view->requestmgr);
+ if (view->task != NULL)
+ isc_task_detach(&view->task);
+ if (view->hints != NULL)
+ dns_db_detach(&view->hints);
+ if (view->cachedb != NULL)
+ dns_db_detach(&view->cachedb);
+ if (view->cache != NULL)
+ dns_cache_detach(&view->cache);
+ if (view->matchclients != NULL)
+ dns_acl_detach(&view->matchclients);
+ if (view->matchdestinations != NULL)
+ dns_acl_detach(&view->matchdestinations);
+ if (view->queryacl != NULL)
+ dns_acl_detach(&view->queryacl);
+ if (view->recursionacl != NULL)
+ dns_acl_detach(&view->recursionacl);
+ if (view->sortlist != NULL)
+ dns_acl_detach(&view->sortlist);
+ if (view->delonly != NULL) {
+ dns_name_t *name;
+ int i;
+
+ for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+ name = ISC_LIST_HEAD(view->delonly[i]);
+ while (name != NULL) {
+ ISC_LIST_UNLINK(view->delonly[i], name, link);
+ dns_name_free(name, view->mctx);
+ isc_mem_put(view->mctx, name, sizeof(*name));
+ name = ISC_LIST_HEAD(view->delonly[i]);
+ }
+ }
+ isc_mem_put(view->mctx, view->delonly, sizeof(dns_namelist_t) *
+ DNS_VIEW_DELONLYHASH);
+ view->delonly = NULL;
+ }
+ if (view->rootexclude != NULL) {
+ dns_name_t *name;
+ int i;
+
+ for (i = 0; i < DNS_VIEW_DELONLYHASH; i++) {
+ name = ISC_LIST_HEAD(view->rootexclude[i]);
+ while (name != NULL) {
+ ISC_LIST_UNLINK(view->rootexclude[i],
+ name, link);
+ dns_name_free(name, view->mctx);
+ isc_mem_put(view->mctx, name, sizeof(*name));
+ name = ISC_LIST_HEAD(view->rootexclude[i]);
+ }
+ }
+ isc_mem_put(view->mctx, view->rootexclude,
+ sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
+ view->rootexclude = NULL;
+ }
+ dns_keytable_detach(&view->trustedkeys);
+ dns_keytable_detach(&view->secroots);
+ dns_fwdtable_destroy(&view->fwdtable);
+ dns_aclenv_destroy(&view->aclenv);
+ DESTROYLOCK(&view->lock);
+ isc_refcount_destroy(&view->references);
+ isc_mem_free(view->mctx, view->name);
+ isc_mem_put(view->mctx, view, sizeof(*view));
+}
+
+/*
+ * Return true iff 'view' may be freed.
+ * The caller must be holding the view lock.
+ */
+static isc_boolean_t
+all_done(dns_view_t *view) {
+
+ if (isc_refcount_current(&view->references) == 0 &&
+ view->weakrefs == 0 &&
+ RESSHUTDOWN(view) && ADBSHUTDOWN(view) && REQSHUTDOWN(view))
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+void
+dns_view_attach(dns_view_t *source, dns_view_t **targetp) {
+
+ REQUIRE(DNS_VIEW_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ isc_refcount_increment(&source->references, NULL);
+
+ *targetp = source;
+}
+
+static void
+view_flushanddetach(dns_view_t **viewp, isc_boolean_t flush) {
+ dns_view_t *view;
+ unsigned int refs;
+ isc_boolean_t done = ISC_FALSE;
+
+ REQUIRE(viewp != NULL);
+ view = *viewp;
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (flush)
+ view->flush = ISC_TRUE;
+ isc_refcount_decrement(&view->references, &refs);
+ if (refs == 0) {
+ LOCK(&view->lock);
+ if (!RESSHUTDOWN(view))
+ dns_resolver_shutdown(view->resolver);
+ if (!ADBSHUTDOWN(view))
+ dns_adb_shutdown(view->adb);
+ if (!REQSHUTDOWN(view))
+ dns_requestmgr_shutdown(view->requestmgr);
+ if (view->flush)
+ dns_zt_flushanddetach(&view->zonetable);
+ else
+ dns_zt_detach(&view->zonetable);
+ done = all_done(view);
+ UNLOCK(&view->lock);
+ }
+
+ *viewp = NULL;
+
+ if (done)
+ destroy(view);
+}
+
+void
+dns_view_flushanddetach(dns_view_t **viewp) {
+ view_flushanddetach(viewp, ISC_TRUE);
+}
+
+void
+dns_view_detach(dns_view_t **viewp) {
+ view_flushanddetach(viewp, ISC_FALSE);
+}
+
+static isc_result_t
+dialup(dns_zone_t *zone, void *dummy) {
+ UNUSED(dummy);
+ dns_zone_dialup(zone);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_dialup(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ (void)dns_zt_apply(view->zonetable, ISC_FALSE, dialup, NULL);
+}
+
+void
+dns_view_weakattach(dns_view_t *source, dns_view_t **targetp) {
+
+ REQUIRE(DNS_VIEW_VALID(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+ source->weakrefs++;
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+dns_view_weakdetach(dns_view_t **viewp) {
+ dns_view_t *view;
+ isc_boolean_t done = ISC_FALSE;
+
+ REQUIRE(viewp != NULL);
+ view = *viewp;
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ LOCK(&view->lock);
+
+ INSIST(view->weakrefs > 0);
+ view->weakrefs--;
+ done = all_done(view);
+
+ UNLOCK(&view->lock);
+
+ *viewp = NULL;
+
+ if (done)
+ destroy(view);
+}
+
+static void
+resolver_shutdown(isc_task_t *task, isc_event_t *event) {
+ dns_view_t *view = event->ev_arg;
+ isc_boolean_t done;
+
+ REQUIRE(event->ev_type == DNS_EVENT_VIEWRESSHUTDOWN);
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->task == task);
+
+ UNUSED(task);
+
+ LOCK(&view->lock);
+
+ view->attributes |= DNS_VIEWATTR_RESSHUTDOWN;
+ done = all_done(view);
+
+ UNLOCK(&view->lock);
+
+ isc_event_free(&event);
+
+ if (done)
+ destroy(view);
+}
+
+static void
+adb_shutdown(isc_task_t *task, isc_event_t *event) {
+ dns_view_t *view = event->ev_arg;
+ isc_boolean_t done;
+
+ REQUIRE(event->ev_type == DNS_EVENT_VIEWADBSHUTDOWN);
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->task == task);
+
+ UNUSED(task);
+
+ LOCK(&view->lock);
+
+ view->attributes |= DNS_VIEWATTR_ADBSHUTDOWN;
+ done = all_done(view);
+
+ UNLOCK(&view->lock);
+
+ isc_event_free(&event);
+
+ if (done)
+ destroy(view);
+}
+
+static void
+req_shutdown(isc_task_t *task, isc_event_t *event) {
+ dns_view_t *view = event->ev_arg;
+ isc_boolean_t done;
+
+ REQUIRE(event->ev_type == DNS_EVENT_VIEWREQSHUTDOWN);
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->task == task);
+
+ UNUSED(task);
+
+ LOCK(&view->lock);
+
+ view->attributes |= DNS_VIEWATTR_REQSHUTDOWN;
+ done = all_done(view);
+
+ UNLOCK(&view->lock);
+
+ isc_event_free(&event);
+
+ if (done)
+ destroy(view);
+}
+
+isc_result_t
+dns_view_createresolver(dns_view_t *view,
+ isc_taskmgr_t *taskmgr, unsigned int ntasks,
+ isc_socketmgr_t *socketmgr,
+ isc_timermgr_t *timermgr,
+ unsigned int options,
+ dns_dispatchmgr_t *dispatchmgr,
+ dns_dispatch_t *dispatchv4,
+ dns_dispatch_t *dispatchv6)
+{
+ isc_result_t result;
+ isc_event_t *event;
+ isc_mem_t *mctx = NULL;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+ REQUIRE(view->resolver == NULL);
+
+ result = isc_task_create(taskmgr, 0, &view->task);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_task_setname(view->task, "view", view);
+
+ result = dns_resolver_create(view, taskmgr, ntasks, socketmgr,
+ timermgr, options, dispatchmgr,
+ dispatchv4, dispatchv6,
+ &view->resolver);
+ if (result != ISC_R_SUCCESS) {
+ isc_task_detach(&view->task);
+ return (result);
+ }
+ event = &view->resevent;
+ dns_resolver_whenshutdown(view->resolver, view->task, &event);
+ view->attributes &= ~DNS_VIEWATTR_RESSHUTDOWN;
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_resolver_shutdown(view->resolver);
+ return (result);
+ }
+
+ result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
+ isc_mem_detach(&mctx);
+ if (result != ISC_R_SUCCESS) {
+ dns_resolver_shutdown(view->resolver);
+ return (result);
+ }
+ event = &view->adbevent;
+ dns_adb_whenshutdown(view->adb, view->task, &event);
+ view->attributes &= ~DNS_VIEWATTR_ADBSHUTDOWN;
+
+ result = dns_requestmgr_create(view->mctx, timermgr, socketmgr,
+ dns_resolver_taskmgr(view->resolver),
+ dns_resolver_dispatchmgr(view->resolver),
+ dns_resolver_dispatchv4(view->resolver),
+ dns_resolver_dispatchv6(view->resolver),
+ &view->requestmgr);
+ if (result != ISC_R_SUCCESS) {
+ dns_adb_shutdown(view->adb);
+ dns_resolver_shutdown(view->resolver);
+ return (result);
+ }
+ event = &view->reqevent;
+ dns_requestmgr_whenshutdown(view->requestmgr, view->task, &event);
+ view->attributes &= ~DNS_VIEWATTR_REQSHUTDOWN;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_view_setcache(dns_view_t *view, dns_cache_t *cache) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+
+ if (view->cache != NULL) {
+ dns_db_detach(&view->cachedb);
+ dns_cache_detach(&view->cache);
+ }
+ dns_cache_attach(cache, &view->cache);
+ dns_cache_attachdb(cache, &view->cachedb);
+ INSIST(DNS_DB_VALID(view->cachedb));
+}
+
+void
+dns_view_sethints(dns_view_t *view, dns_db_t *hints) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+ REQUIRE(view->hints == NULL);
+ REQUIRE(dns_db_iszone(hints));
+
+ dns_db_attach(hints, &view->hints);
+}
+
+void
+dns_view_setkeyring(dns_view_t *view, dns_tsig_keyring_t *ring) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(ring != NULL);
+ if (view->statickeys != NULL)
+ dns_tsigkeyring_destroy(&view->statickeys);
+ view->statickeys = ring;
+}
+
+void
+dns_view_setdstport(dns_view_t *view, in_port_t dstport) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ view->dstport = dstport;
+}
+
+isc_result_t
+dns_view_addzone(dns_view_t *view, dns_zone_t *zone) {
+ isc_result_t result;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+
+ result = dns_zt_mount(view->zonetable, zone);
+
+ return (result);
+}
+
+void
+dns_view_freeze(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(!view->frozen);
+
+ if (view->resolver != NULL) {
+ INSIST(view->cachedb != NULL);
+ dns_resolver_freeze(view->resolver);
+ }
+ view->frozen = ISC_TRUE;
+}
+
+isc_result_t
+dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep) {
+ isc_result_t result;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ result = dns_zt_find(view->zonetable, name, 0, NULL, zonep);
+ if (result == DNS_R_PARTIALMATCH) {
+ dns_zone_detach(zonep);
+ result = ISC_R_NOTFOUND;
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_view_find(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options, isc_boolean_t use_hints,
+ dns_db_t **dbp, dns_dbnode_t **nodep, dns_name_t *foundname,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ isc_result_t result;
+ dns_db_t *db, *zdb;
+ dns_dbnode_t *node, *znode;
+ isc_boolean_t is_cache;
+ dns_rdataset_t zrdataset, zsigrdataset;
+ dns_zone_t *zone;
+
+ /*
+ * Find an rdataset whose owner name is 'name', and whose type is
+ * 'type'.
+ */
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->frozen);
+ REQUIRE(type != dns_rdatatype_rrsig);
+ REQUIRE(rdataset != NULL); /* XXXBEW - remove this */
+
+ /*
+ * Initialize.
+ */
+ dns_rdataset_init(&zrdataset);
+ dns_rdataset_init(&zsigrdataset);
+ zdb = NULL;
+ znode = NULL;
+
+ /*
+ * Find a database to answer the query.
+ */
+ zone = NULL;
+ db = NULL;
+ node = NULL;
+ result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+ result = dns_zone_getdb(zone, &db);
+ if (result != ISC_R_SUCCESS && view->cachedb != NULL)
+ dns_db_attach(view->cachedb, &db);
+ else if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ } else if (result == ISC_R_NOTFOUND && view->cachedb != NULL)
+ dns_db_attach(view->cachedb, &db);
+ else
+ goto cleanup;
+
+ is_cache = dns_db_iscache(db);
+
+ db_find:
+ /*
+ * Now look for an answer in the database.
+ */
+ result = dns_db_find(db, name, NULL, type, options,
+ now, &node, foundname, rdataset, sigrdataset);
+
+ if (result == DNS_R_DELEGATION ||
+ result == ISC_R_NOTFOUND) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ if (!is_cache) {
+ dns_db_detach(&db);
+ if (view->cachedb != NULL) {
+ /*
+ * Either the answer is in the cache, or we
+ * don't know it.
+ */
+ is_cache = ISC_TRUE;
+ dns_db_attach(view->cachedb, &db);
+ goto db_find;
+ }
+ } else {
+ /*
+ * We don't have the data in the cache. If we've got
+ * glue from the zone, use it.
+ */
+ if (dns_rdataset_isassociated(&zrdataset)) {
+ dns_rdataset_clone(&zrdataset, rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(&zsigrdataset))
+ dns_rdataset_clone(&zsigrdataset,
+ sigrdataset);
+ result = DNS_R_GLUE;
+ if (db != NULL)
+ dns_db_detach(&db);
+ dns_db_attach(zdb, &db);
+ dns_db_attachnode(db, znode, &node);
+ goto cleanup;
+ }
+ }
+ /*
+ * We don't know the answer.
+ */
+ result = ISC_R_NOTFOUND;
+ } else if (result == DNS_R_GLUE) {
+ if (view->cachedb != NULL) {
+ /*
+ * We found an answer, but the cache may be better.
+ * Remember what we've got and go look in the cache.
+ */
+ is_cache = ISC_TRUE;
+ dns_rdataset_clone(rdataset, &zrdataset);
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset)) {
+ dns_rdataset_clone(sigrdataset, &zsigrdataset);
+ dns_rdataset_disassociate(sigrdataset);
+ }
+ dns_db_attach(db, &zdb);
+ dns_db_attachnode(zdb, node, &znode);
+ dns_db_detachnode(db, &node);
+ dns_db_detach(&db);
+ dns_db_attach(view->cachedb, &db);
+ goto db_find;
+ }
+ /*
+ * Otherwise, the glue is the best answer.
+ */
+ result = ISC_R_SUCCESS;
+ }
+
+ if (result == ISC_R_NOTFOUND && use_hints && view->hints != NULL) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ if (db != NULL) {
+ if (node != NULL)
+ dns_db_detachnode(db, &node);
+ dns_db_detach(&db);
+ }
+ result = dns_db_find(view->hints, name, NULL, type, options,
+ now, &node, foundname,
+ rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS || result == DNS_R_GLUE) {
+ /*
+ * We just used a hint. Let the resolver know it
+ * should consider priming.
+ */
+ dns_resolver_prime(view->resolver);
+ dns_db_attach(view->hints, &db);
+ result = DNS_R_HINT;
+ } else if (result == DNS_R_NXRRSET) {
+ dns_db_attach(view->hints, &db);
+ result = DNS_R_HINTNXRRSET;
+ } else if (result == DNS_R_NXDOMAIN)
+ result = ISC_R_NOTFOUND;
+
+ /*
+ * Cleanup if non-standard hints are used.
+ */
+ if (db == NULL && node != NULL)
+ dns_db_detachnode(view->hints, &node);
+ }
+
+ cleanup:
+ if (result == DNS_R_NXDOMAIN || result == DNS_R_NXRRSET) {
+ /*
+ * We don't care about any DNSSEC proof data in these cases.
+ */
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ }
+
+ if (dns_rdataset_isassociated(&zrdataset)) {
+ dns_rdataset_disassociate(&zrdataset);
+ if (dns_rdataset_isassociated(&zsigrdataset))
+ dns_rdataset_disassociate(&zsigrdataset);
+ }
+
+ if (zdb != NULL) {
+ if (znode != NULL)
+ dns_db_detachnode(zdb, &znode);
+ dns_db_detach(&zdb);
+ }
+
+ if (db != NULL) {
+ if (node != NULL) {
+ if (nodep != NULL)
+ *nodep = node;
+ else
+ dns_db_detachnode(db, &node);
+ }
+ if (dbp != NULL)
+ *dbp = db;
+ else
+ dns_db_detach(&db);
+ } else
+ INSIST(node == NULL);
+
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ return (result);
+}
+
+isc_result_t
+dns_view_simplefind(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ isc_result_t result;
+ dns_fixedname_t foundname;
+
+ dns_fixedname_init(&foundname);
+ result = dns_view_find(view, name, type, now, options, use_hints,
+ NULL, NULL, dns_fixedname_name(&foundname),
+ rdataset, sigrdataset);
+ if (result == DNS_R_NXDOMAIN) {
+ /*
+ * The rdataset and sigrdataset of the relevant NSEC record
+ * may be returned, but the caller cannot use them because
+ * foundname is not returned by this simplified API. We
+ * disassociate them here to prevent any misuse by the caller.
+ */
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ } else if (result != ISC_R_SUCCESS &&
+ result != DNS_R_GLUE &&
+ result != DNS_R_HINT &&
+ result != DNS_R_NCACHENXDOMAIN &&
+ result != DNS_R_NCACHENXRRSET &&
+ result != DNS_R_NXRRSET &&
+ result != DNS_R_HINTNXRRSET &&
+ result != ISC_R_NOTFOUND) {
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ result = ISC_R_NOTFOUND;
+ }
+
+ return (result);
+}
+
+isc_result_t
+dns_view_findzonecut(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ return(dns_view_findzonecut2(view, name, fname, now, options,
+ use_hints, ISC_TRUE,
+ rdataset, sigrdataset));
+}
+
+isc_result_t
+dns_view_findzonecut2(dns_view_t *view, dns_name_t *name, dns_name_t *fname,
+ isc_stdtime_t now, unsigned int options,
+ isc_boolean_t use_hints, isc_boolean_t use_cache,
+ dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
+ isc_result_t result;
+ dns_db_t *db;
+ isc_boolean_t is_cache, use_zone, try_hints;
+ dns_zone_t *zone;
+ dns_name_t *zfname;
+ dns_rdataset_t zrdataset, zsigrdataset;
+ dns_fixedname_t zfixedname;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(view->frozen);
+
+ db = NULL;
+ zone = NULL;
+ use_zone = ISC_FALSE;
+ try_hints = ISC_FALSE;
+ zfname = NULL;
+
+ /*
+ * Initialize.
+ */
+ dns_fixedname_init(&zfixedname);
+ dns_rdataset_init(&zrdataset);
+ dns_rdataset_init(&zsigrdataset);
+
+ /*
+ * Find the right database.
+ */
+ result = dns_zt_find(view->zonetable, name, 0, NULL, &zone);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ result = dns_zone_getdb(zone, &db);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * We're not directly authoritative for this query name, nor
+ * is it a subdomain of any zone for which we're
+ * authoritative.
+ */
+ if (use_cache && view->cachedb != NULL) {
+ /*
+ * We have a cache; try it.
+ */
+ dns_db_attach(view->cachedb, &db);
+ } else {
+ /*
+ * Maybe we have hints...
+ */
+ try_hints = ISC_TRUE;
+ goto finish;
+ }
+ } else if (result != ISC_R_SUCCESS) {
+ /*
+ * Something is broken.
+ */
+ goto cleanup;
+ }
+ is_cache = dns_db_iscache(db);
+
+ db_find:
+ /*
+ * Look for the zonecut.
+ */
+ if (!is_cache) {
+ result = dns_db_find(db, name, NULL, dns_rdatatype_ns, options,
+ now, NULL, fname, rdataset, sigrdataset);
+ if (result == DNS_R_DELEGATION)
+ result = ISC_R_SUCCESS;
+ else if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (use_cache && view->cachedb != NULL && db != view->hints) {
+ /*
+ * We found an answer, but the cache may be better.
+ */
+ zfname = dns_fixedname_name(&zfixedname);
+ result = dns_name_copy(fname, zfname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdataset_clone(rdataset, &zrdataset);
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset)) {
+ dns_rdataset_clone(sigrdataset, &zsigrdataset);
+ dns_rdataset_disassociate(sigrdataset);
+ }
+ dns_db_detach(&db);
+ dns_db_attach(view->cachedb, &db);
+ is_cache = ISC_TRUE;
+ goto db_find;
+ }
+ } else {
+ result = dns_db_findzonecut(db, name, options, now, NULL,
+ fname, rdataset, sigrdataset);
+ if (result == ISC_R_SUCCESS) {
+ if (zfname != NULL &&
+ !dns_name_issubdomain(fname, zfname)) {
+ /*
+ * We found a zonecut in the cache, but our
+ * zone delegation is better.
+ */
+ use_zone = ISC_TRUE;
+ }
+ } else if (result == ISC_R_NOTFOUND) {
+ if (zfname != NULL) {
+ /*
+ * We didn't find anything in the cache, but we
+ * have a zone delegation, so use it.
+ */
+ use_zone = ISC_TRUE;
+ } else {
+ /*
+ * Maybe we have hints...
+ */
+ try_hints = ISC_TRUE;
+ }
+ } else {
+ /*
+ * Something bad happened.
+ */
+ goto cleanup;
+ }
+ }
+
+ finish:
+ if (use_zone) {
+ if (dns_rdataset_isassociated(rdataset)) {
+ dns_rdataset_disassociate(rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(sigrdataset))
+ dns_rdataset_disassociate(sigrdataset);
+ }
+ result = dns_name_copy(zfname, fname, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdataset_clone(&zrdataset, rdataset);
+ if (sigrdataset != NULL &&
+ dns_rdataset_isassociated(&zrdataset))
+ dns_rdataset_clone(&zsigrdataset, sigrdataset);
+ } else if (try_hints && use_hints && view->hints != NULL) {
+ /*
+ * We've found nothing so far, but we have hints.
+ */
+ result = dns_db_find(view->hints, dns_rootname, NULL,
+ dns_rdatatype_ns, 0, now, NULL, fname,
+ rdataset, NULL);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * We can't even find the hints for the root
+ * nameservers!
+ */
+ if (dns_rdataset_isassociated(rdataset))
+ dns_rdataset_disassociate(rdataset);
+ result = ISC_R_NOTFOUND;
+ }
+ }
+
+ cleanup:
+ if (dns_rdataset_isassociated(&zrdataset)) {
+ dns_rdataset_disassociate(&zrdataset);
+ if (dns_rdataset_isassociated(&zsigrdataset))
+ dns_rdataset_disassociate(&zsigrdataset);
+ }
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (zone != NULL)
+ dns_zone_detach(&zone);
+
+ return (result);
+}
+
+isc_result_t
+dns_viewlist_find(dns_viewlist_t *list, const char *name,
+ dns_rdataclass_t rdclass, dns_view_t **viewp)
+{
+ dns_view_t *view;
+
+ REQUIRE(list != NULL);
+
+ for (view = ISC_LIST_HEAD(*list);
+ view != NULL;
+ view = ISC_LIST_NEXT(view, link)) {
+ if (strcmp(view->name, name) == 0 && view->rdclass == rdclass)
+ break;
+ }
+ if (view == NULL)
+ return (ISC_R_NOTFOUND);
+
+ dns_view_attach(view, viewp);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_load(dns_view_t *view, isc_boolean_t stop) {
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ return (dns_zt_load(view->zonetable, stop));
+}
+
+isc_result_t
+dns_view_loadnew(dns_view_t *view, isc_boolean_t stop) {
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ return (dns_zt_loadnew(view->zonetable, stop));
+}
+
+isc_result_t
+dns_view_gettsig(dns_view_t *view, dns_name_t *keyname, dns_tsigkey_t **keyp)
+{
+ isc_result_t result;
+ REQUIRE(keyp != NULL && *keyp == NULL);
+
+ result = dns_tsigkey_find(keyp, keyname, NULL,
+ view->statickeys);
+ if (result == ISC_R_NOTFOUND)
+ result = dns_tsigkey_find(keyp, keyname, NULL,
+ view->dynamickeys);
+ return (result);
+}
+
+isc_result_t
+dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
+ dns_tsigkey_t **keyp)
+{
+ isc_result_t result;
+ dns_name_t *keyname = NULL;
+ dns_peer_t *peer = NULL;
+
+ result = dns_peerlist_peerbyaddr(view->peers, peeraddr, &peer);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = dns_peer_getkey(peer, &keyname);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ return (dns_view_gettsig(view, keyname, keyp));
+}
+
+isc_result_t
+dns_view_checksig(dns_view_t *view, isc_buffer_t *source, dns_message_t *msg) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ REQUIRE(source != NULL);
+
+ return (dns_tsig_verify(source, msg, view->statickeys,
+ view->dynamickeys));
+}
+
+isc_result_t
+dns_view_dumpdbtostream(dns_view_t *view, FILE *fp) {
+ isc_result_t result;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ (void)fprintf(fp, ";\n; Cache dump of view '%s'\n;\n", view->name);
+ result = dns_master_dumptostream(view->mctx, view->cachedb, NULL,
+ &dns_master_style_cache, fp);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_adb_dump(view->adb, fp);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushcache(dns_view_t *view) {
+ isc_result_t result;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->cachedb == NULL)
+ return (ISC_R_SUCCESS);
+ result = dns_cache_flush(view->cache);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ dns_db_detach(&view->cachedb);
+ dns_cache_attachdb(view->cache, &view->cachedb);
+
+ dns_adb_flush(view->adb);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_view_flushname(dns_view_t *view, dns_name_t *name) {
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->adb != NULL)
+ dns_adb_flushname(view->adb, name);
+ if (view->cache == NULL)
+ return (ISC_R_SUCCESS);
+ return (dns_cache_flushname(view->cache, name));
+}
+
+isc_result_t
+dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
+ isc_result_t result;
+ dns_name_t *new;
+ isc_uint32_t hash;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->delonly == NULL) {
+ view->delonly = isc_mem_get(view->mctx,
+ sizeof(dns_namelist_t) *
+ DNS_VIEW_DELONLYHASH);
+ if (view->delonly == NULL)
+ return (ISC_R_NOMEMORY);
+ for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
+ ISC_LIST_INIT(view->delonly[hash]);
+ }
+ hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
+ new = ISC_LIST_HEAD(view->delonly[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new != NULL)
+ return (ISC_R_SUCCESS);
+ new = isc_mem_get(view->mctx, sizeof(*new));
+ if (new == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_init(new, NULL);
+ result = dns_name_dup(name, view->mctx, new);
+ if (result == ISC_R_SUCCESS)
+ ISC_LIST_APPEND(view->delonly[hash], new, link);
+ else
+ isc_mem_put(view->mctx, new, sizeof(*new));
+ return (result);
+}
+
+isc_result_t
+dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
+ isc_result_t result;
+ dns_name_t *new;
+ isc_uint32_t hash;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (view->rootexclude == NULL) {
+ view->rootexclude = isc_mem_get(view->mctx,
+ sizeof(dns_namelist_t) *
+ DNS_VIEW_DELONLYHASH);
+ if (view->rootexclude == NULL)
+ return (ISC_R_NOMEMORY);
+ for (hash = 0; hash < DNS_VIEW_DELONLYHASH; hash++)
+ ISC_LIST_INIT(view->rootexclude[hash]);
+ }
+ hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
+ new = ISC_LIST_HEAD(view->rootexclude[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new != NULL)
+ return (ISC_R_SUCCESS);
+ new = isc_mem_get(view->mctx, sizeof(*new));
+ if (new == NULL)
+ return (ISC_R_NOMEMORY);
+ dns_name_init(new, NULL);
+ result = dns_name_dup(name, view->mctx, new);
+ if (result == ISC_R_SUCCESS)
+ ISC_LIST_APPEND(view->rootexclude[hash], new, link);
+ else
+ isc_mem_put(view->mctx, new, sizeof(*new));
+ return (result);
+}
+
+isc_boolean_t
+dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
+ dns_name_t *new;
+ isc_uint32_t hash;
+
+ REQUIRE(DNS_VIEW_VALID(view));
+
+ if (!view->rootdelonly && view->delonly == NULL)
+ return (ISC_FALSE);
+
+ hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
+ if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
+ if (view->rootexclude == NULL)
+ return (ISC_TRUE);
+ new = ISC_LIST_HEAD(view->rootexclude[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new == NULL)
+ return (ISC_TRUE);
+ }
+
+ if (view->delonly == NULL)
+ return (ISC_FALSE);
+
+ new = ISC_LIST_HEAD(view->delonly[hash]);
+ while (new != NULL && !dns_name_equal(new, name))
+ new = ISC_LIST_NEXT(new, link);
+ if (new == NULL)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+void
+dns_view_setrootdelonly(dns_view_t *view, isc_boolean_t value) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ view->rootdelonly = value;
+}
+
+isc_boolean_t
+dns_view_getrootdelonly(dns_view_t *view) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ return (view->rootdelonly);
+}
diff --git a/contrib/bind9/lib/dns/xfrin.c b/contrib/bind9/lib/dns/xfrin.c
new file mode 100644
index 0000000..c9f1d74
--- /dev/null
+++ b/contrib/bind9/lib/dns/xfrin.c
@@ -0,0 +1,1402 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xfrin.c,v 1.124.2.4.2.7 2004/03/08 09:04:33 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/string.h> /* Required for HP/UX (and others?) */
+#include <isc/task.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/message.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/result.h>
+#include <dns/soa.h>
+#include <dns/tcpmsg.h>
+#include <dns/timer.h>
+#include <dns/tsig.h>
+#include <dns/view.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+
+#include <dst/dst.h>
+
+/*
+ * Incoming AXFR and IXFR.
+ */
+
+/*
+ * It would be non-sensical (or at least obtuse) to use FAIL() with an
+ * ISC_R_SUCCESS code, but the test is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define FAIL(code) \
+ do { result = (code); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto failure; \
+ } while (0)
+
+/*
+ * The states of the *XFR state machine. We handle both IXFR and AXFR
+ * with a single integrated state machine because they cannot be distinguished
+ * immediately - an AXFR response to an IXFR request can only be detected
+ * when the first two (2) response RRs have already been received.
+ */
+typedef enum {
+ XFRST_INITIALSOA,
+ XFRST_FIRSTDATA,
+ XFRST_IXFR_DELSOA,
+ XFRST_IXFR_DEL,
+ XFRST_IXFR_ADDSOA,
+ XFRST_IXFR_ADD,
+ XFRST_AXFR,
+ XFRST_END
+} xfrin_state_t;
+
+/*
+ * Incoming zone transfer context.
+ */
+
+struct dns_xfrin_ctx {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+
+ int refcount;
+
+ isc_task_t *task;
+ isc_timer_t *timer;
+ isc_socketmgr_t *socketmgr;
+
+ int connects; /* Connect in progress */
+ int sends; /* Send in progress */
+ int recvs; /* Receive in progress */
+ isc_boolean_t shuttingdown;
+
+ dns_name_t name; /* Name of zone to transfer */
+ dns_rdataclass_t rdclass;
+
+ isc_boolean_t checkid;
+ dns_messageid_t id;
+
+ /*
+ * Requested transfer type (dns_rdatatype_axfr or
+ * dns_rdatatype_ixfr). The actual transfer type
+ * may differ due to IXFR->AXFR fallback.
+ */
+ dns_rdatatype_t reqtype;
+
+ isc_sockaddr_t masteraddr;
+ isc_sockaddr_t sourceaddr;
+ isc_socket_t *socket;
+
+ /* Buffer for IXFR/AXFR request message */
+ isc_buffer_t qbuffer;
+ unsigned char qbuffer_data[512];
+
+ /* Incoming reply TCP message */
+ dns_tcpmsg_t tcpmsg;
+ isc_boolean_t tcpmsg_valid;
+
+ dns_db_t *db;
+ dns_dbversion_t *ver;
+ dns_diff_t diff; /* Pending database changes */
+ int difflen; /* Number of pending tuples */
+
+ xfrin_state_t state;
+ isc_uint32_t end_serial;
+ isc_boolean_t is_ixfr;
+
+ unsigned int nmsg; /* Number of messages recvd */
+
+ dns_tsigkey_t *tsigkey; /* Key used to create TSIG */
+ isc_buffer_t *lasttsig; /* The last TSIG */
+ dst_context_t *tsigctx; /* TSIG verification context */
+ unsigned int sincetsig; /* recvd since the last TSIG */
+ dns_xfrindone_t done;
+
+ /*
+ * AXFR- and IXFR-specific data. Only one is used at a time
+ * according to the is_ixfr flag, so this could be a union,
+ * but keeping them separate makes it a bit simpler to clean
+ * things up when destroying the context.
+ */
+ struct {
+ dns_addrdatasetfunc_t add_func;
+ dns_dbload_t *add_private;
+ } axfr;
+
+ struct {
+ isc_uint32_t request_serial;
+ isc_uint32_t current_serial;
+ dns_journal_t *journal;
+
+ } ixfr;
+};
+
+#define XFRIN_MAGIC ISC_MAGIC('X', 'f', 'r', 'I')
+#define VALID_XFRIN(x) ISC_MAGIC_VALID(x, XFRIN_MAGIC)
+
+/**************************************************************************/
+/*
+ * Forward declarations.
+ */
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx,
+ dns_zone_t *zone,
+ dns_db_t *db,
+ isc_task_t *task,
+ isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr,
+ dns_name_t *zonename,
+ dns_rdataclass_t rdclass,
+ dns_rdatatype_t reqtype,
+ isc_sockaddr_t *masteraddr,
+ isc_sockaddr_t *sourceaddr,
+ dns_tsigkey_t *tsigkey,
+ dns_xfrin_ctx_t **xfrp);
+
+static isc_result_t axfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp);
+static isc_result_t axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata);
+static isc_result_t axfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t axfr_commit(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t ixfr_init(dns_xfrin_ctx_t *xfr);
+static isc_result_t ixfr_apply(dns_xfrin_ctx_t *xfr);
+static isc_result_t ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ dns_name_t *name, dns_ttl_t ttl,
+ dns_rdata_t *rdata);
+static isc_result_t ixfr_commit(dns_xfrin_ctx_t *xfr);
+
+static isc_result_t xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name,
+ isc_uint32_t ttl, dns_rdata_t *rdata);
+
+static isc_result_t xfrin_start(dns_xfrin_ctx_t *xfr);
+
+static void xfrin_connect_done(isc_task_t *task, isc_event_t *event);
+static isc_result_t xfrin_send_request(dns_xfrin_ctx_t *xfr);
+static void xfrin_send_done(isc_task_t *task, isc_event_t *event);
+static void xfrin_sendlen_done(isc_task_t *task, isc_event_t *event);
+static void xfrin_recv_done(isc_task_t *task, isc_event_t *event);
+static void xfrin_timeout(isc_task_t *task, isc_event_t *event);
+
+static void maybe_free(dns_xfrin_ctx_t *xfr);
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg);
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf);
+
+static void
+xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
+ isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
+ ISC_FORMAT_PRINTF(5, 0);
+
+static void
+xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
+ isc_sockaddr_t *masteraddr, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(5, 6);
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+/**************************************************************************/
+/*
+ * AXFR handling
+ */
+
+static isc_result_t
+axfr_init(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+
+ xfr->is_ixfr = ISC_FALSE;
+
+ if (xfr->db != NULL)
+ dns_db_detach(&xfr->db);
+
+ CHECK(axfr_makedb(xfr, &xfr->db));
+ CHECK(dns_db_beginload(xfr->db, &xfr->axfr.add_func,
+ &xfr->axfr.add_private));
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+static isc_result_t
+axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) {
+ return (dns_db_create(xfr->mctx, /* XXX */
+ "rbt", /* XXX guess */
+ &xfr->name,
+ dns_dbtype_zone,
+ xfr->rdclass,
+ 0, NULL, /* XXX guess */
+ dbp));
+}
+
+static isc_result_t
+axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+
+ dns_difftuple_t *tuple = NULL;
+
+ CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+ CHECK(dns_difftuple_create(xfr->diff.mctx, op,
+ name, ttl, rdata, &tuple));
+ dns_diff_append(&xfr->diff, &tuple);
+ if (++xfr->difflen > 100)
+ CHECK(axfr_apply(xfr));
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/*
+ * Store a set of AXFR RRs in the database.
+ */
+static isc_result_t
+axfr_apply(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+
+ CHECK(dns_diff_load(&xfr->diff,
+ xfr->axfr.add_func, xfr->axfr.add_private));
+ xfr->difflen = 0;
+ dns_diff_clear(&xfr->diff);
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+static isc_result_t
+axfr_commit(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+
+ CHECK(axfr_apply(xfr));
+ CHECK(dns_db_endload(xfr->db, &xfr->axfr.add_private));
+ CHECK(dns_zone_replacedb(xfr->zone, xfr->db, ISC_TRUE));
+
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * IXFR handling
+ */
+
+static isc_result_t
+ixfr_init(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+ char *journalfile;
+
+ if (xfr->reqtype != dns_rdatatype_ixfr) {
+ xfrin_log(xfr, ISC_LOG_ERROR,
+ "got incremental response to AXFR request");
+ return (DNS_R_FORMERR);
+ }
+
+ xfr->is_ixfr = ISC_TRUE;
+ INSIST(xfr->db != NULL);
+ xfr->difflen = 0;
+
+ journalfile = dns_zone_getjournal(xfr->zone);
+ if (journalfile != NULL)
+ CHECK(dns_journal_open(xfr->mctx, journalfile,
+ ISC_TRUE, &xfr->ixfr.journal));
+
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+static isc_result_t
+ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+ isc_result_t result;
+
+ dns_difftuple_t *tuple = NULL;
+ if (op == DNS_DIFFOP_ADD)
+ CHECK(dns_zone_checknames(xfr->zone, name, rdata));
+ CHECK(dns_difftuple_create(xfr->diff.mctx, op,
+ name, ttl, rdata, &tuple));
+ dns_diff_append(&xfr->diff, &tuple);
+ if (++xfr->difflen > 100)
+ CHECK(ixfr_apply(xfr));
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/*
+ * Apply a set of IXFR changes to the database.
+ */
+static isc_result_t
+ixfr_apply(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+
+ if (xfr->ver == NULL) {
+ CHECK(dns_db_newversion(xfr->db, &xfr->ver));
+ if (xfr->ixfr.journal != NULL)
+ CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
+ }
+ CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
+ if (xfr->ixfr.journal != NULL) {
+ result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+ if (result != ISC_R_SUCCESS)
+ goto failure;
+ }
+ dns_diff_clear(&xfr->diff);
+ xfr->difflen = 0;
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+static isc_result_t
+ixfr_commit(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+
+ CHECK(ixfr_apply(xfr));
+ if (xfr->ver != NULL) {
+ /* XXX enter ready-to-commit state here */
+ if (xfr->ixfr.journal != NULL)
+ CHECK(dns_journal_commit(xfr->ixfr.journal));
+ dns_db_closeversion(xfr->db, &xfr->ver, ISC_TRUE);
+ dns_zone_markdirty(xfr->zone);
+ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+/**************************************************************************/
+/*
+ * Common AXFR/IXFR protocol code
+ */
+
+/*
+ * Handle a single incoming resource record according to the current
+ * state.
+ */
+static isc_result_t
+xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
+ dns_rdata_t *rdata)
+{
+ isc_result_t result;
+
+ redo:
+ switch (xfr->state) {
+ case XFRST_INITIALSOA:
+ if (rdata->type != dns_rdatatype_soa) {
+ xfrin_log(xfr, ISC_LOG_ERROR,
+ "first RR in zone transfer must be SOA");
+ FAIL(DNS_R_FORMERR);
+ }
+ /*
+ * Remember the serial number in the intial SOA.
+ * We need it to recognize the end of an IXFR.
+ */
+ xfr->end_serial = dns_soa_getserial(rdata);
+ if (xfr->reqtype == dns_rdatatype_ixfr &&
+ ! DNS_SERIAL_GT(xfr->end_serial, xfr->ixfr.request_serial)
+ && !dns_zone_isforced(xfr->zone))
+ {
+ /*
+ * This must be the single SOA record that is
+ * sent when the current version on the master
+ * is not newer than the version in the request.
+ */
+ xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ "requested serial %u, "
+ "master has %u, not updating",
+ xfr->ixfr.request_serial, xfr->end_serial);
+ FAIL(DNS_R_UPTODATE);
+ }
+ if (xfr->reqtype == dns_rdatatype_axfr)
+ xfr->checkid = ISC_FALSE;
+ xfr->state = XFRST_FIRSTDATA;
+ break;
+
+ case XFRST_FIRSTDATA:
+ /*
+ * If the transfer begins with one SOA record, it is an AXFR,
+ * if it begins with two SOAs, it is an IXFR.
+ */
+ if (xfr->reqtype == dns_rdatatype_ixfr &&
+ rdata->type == dns_rdatatype_soa &&
+ xfr->ixfr.request_serial == dns_soa_getserial(rdata)) {
+ xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ "got incremental response");
+ CHECK(ixfr_init(xfr));
+ xfr->state = XFRST_IXFR_DELSOA;
+ } else {
+ xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ "got nonincremental response");
+ CHECK(axfr_init(xfr));
+ xfr->state = XFRST_AXFR;
+ }
+ goto redo;
+
+ case XFRST_IXFR_DELSOA:
+ INSIST(rdata->type == dns_rdatatype_soa);
+ CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+ xfr->state = XFRST_IXFR_DEL;
+ break;
+
+ case XFRST_IXFR_DEL:
+ if (rdata->type == dns_rdatatype_soa) {
+ isc_uint32_t soa_serial = dns_soa_getserial(rdata);
+ xfr->state = XFRST_IXFR_ADDSOA;
+ xfr->ixfr.current_serial = soa_serial;
+ goto redo;
+ }
+ CHECK(ixfr_putdata(xfr, DNS_DIFFOP_DEL, name, ttl, rdata));
+ break;
+
+ case XFRST_IXFR_ADDSOA:
+ INSIST(rdata->type == dns_rdatatype_soa);
+ CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+ xfr->state = XFRST_IXFR_ADD;
+ break;
+
+ case XFRST_IXFR_ADD:
+ if (rdata->type == dns_rdatatype_soa) {
+ isc_uint32_t soa_serial = dns_soa_getserial(rdata);
+ CHECK(ixfr_commit(xfr));
+ if (soa_serial == xfr->end_serial) {
+ xfr->state = XFRST_END;
+ break;
+ } else if (soa_serial != xfr->ixfr.current_serial) {
+ xfrin_log(xfr, ISC_LOG_ERROR,
+ "IXFR out of sync: "
+ "expected serial %u, got %u",
+ xfr->ixfr.current_serial, soa_serial);
+ FAIL(DNS_R_FORMERR);
+ } else {
+ xfr->state = XFRST_IXFR_DELSOA;
+ goto redo;
+ }
+ }
+ if (rdata->type == dns_rdatatype_ns &&
+ dns_name_iswildcard(name))
+ FAIL(DNS_R_INVALIDNS);
+ CHECK(ixfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+ break;
+
+ case XFRST_AXFR:
+ /*
+ * Old BINDs sent cross class A records for non IN classes.
+ */
+ if (rdata->type == dns_rdatatype_a &&
+ rdata->rdclass != xfr->rdclass &&
+ xfr->rdclass != dns_rdataclass_in)
+ break;
+ CHECK(axfr_putdata(xfr, DNS_DIFFOP_ADD, name, ttl, rdata));
+ if (rdata->type == dns_rdatatype_soa) {
+ CHECK(axfr_commit(xfr));
+ xfr->state = XFRST_END;
+ break;
+ }
+ break;
+ case XFRST_END:
+ FAIL(DNS_R_EXTRADATA);
+ default:
+ INSIST(0);
+ break;
+ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+}
+
+isc_result_t
+dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+ isc_sockaddr_t *masteraddr, dns_tsigkey_t *tsigkey,
+ isc_mem_t *mctx, isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr, isc_task_t *task,
+ dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
+{
+ isc_sockaddr_t sourceaddr;
+
+ switch (isc_sockaddr_pf(masteraddr)) {
+ case PF_INET:
+ sourceaddr = *dns_zone_getxfrsource4(zone);
+ break;
+ case PF_INET6:
+ sourceaddr = *dns_zone_getxfrsource6(zone);
+ break;
+ default:
+ INSIST(0);
+ }
+
+ return(dns_xfrin_create2(zone, xfrtype, masteraddr, &sourceaddr,
+ tsigkey, mctx, timermgr, socketmgr,
+ task, done, xfrp));
+}
+
+isc_result_t
+dns_xfrin_create2(dns_zone_t *zone, dns_rdatatype_t xfrtype,
+ isc_sockaddr_t *masteraddr, isc_sockaddr_t *sourceaddr,
+ dns_tsigkey_t *tsigkey, isc_mem_t *mctx,
+ isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+ isc_task_t *task, dns_xfrindone_t done, dns_xfrin_ctx_t **xfrp)
+{
+ dns_name_t *zonename = dns_zone_getorigin(zone);
+ dns_xfrin_ctx_t *xfr;
+ isc_result_t result;
+ dns_db_t *db = NULL;
+
+ REQUIRE(xfrp != NULL && *xfrp == NULL);
+
+ (void)dns_zone_getdb(zone, &db);
+
+ CHECK(xfrin_create(mctx, zone, db, task, timermgr, socketmgr, zonename,
+ dns_zone_getclass(zone), xfrtype, masteraddr,
+ sourceaddr, tsigkey, &xfr));
+
+ CHECK(xfrin_start(xfr));
+
+ xfr->done = done;
+ xfr->refcount++;
+ *xfrp = xfr;
+
+ failure:
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (result != ISC_R_SUCCESS)
+ xfrin_log1(ISC_LOG_ERROR, zonename, dns_zone_getclass(zone),
+ masteraddr, "zone transfer setup failed");
+ return (result);
+}
+
+void
+dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr) {
+ if (! xfr->shuttingdown)
+ xfrin_fail(xfr, ISC_R_CANCELED, "shut down");
+}
+
+void
+dns_xfrin_attach(dns_xfrin_ctx_t *source, dns_xfrin_ctx_t **target) {
+ REQUIRE(target != NULL && *target == NULL);
+ source->refcount++;
+ *target = source;
+}
+
+void
+dns_xfrin_detach(dns_xfrin_ctx_t **xfrp) {
+ dns_xfrin_ctx_t *xfr = *xfrp;
+ INSIST(xfr->refcount > 0);
+ xfr->refcount--;
+ maybe_free(xfr);
+ *xfrp = NULL;
+}
+
+static void
+xfrin_cancelio(dns_xfrin_ctx_t *xfr) {
+ if (xfr->connects > 0) {
+ isc_socket_cancel(xfr->socket, xfr->task,
+ ISC_SOCKCANCEL_CONNECT);
+ } else if (xfr->recvs > 0) {
+ dns_tcpmsg_cancelread(&xfr->tcpmsg);
+ } else if (xfr->sends > 0) {
+ isc_socket_cancel(xfr->socket, xfr->task,
+ ISC_SOCKCANCEL_SEND);
+ }
+}
+
+static void
+xfrin_reset(dns_xfrin_ctx_t *xfr) {
+ REQUIRE(VALID_XFRIN(xfr));
+
+ xfrin_log(xfr, ISC_LOG_INFO, "resetting");
+
+ xfrin_cancelio(xfr);
+
+ if (xfr->socket != NULL)
+ isc_socket_detach(&xfr->socket);
+
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+
+ dns_diff_clear(&xfr->diff);
+ xfr->difflen = 0;
+
+ if (xfr->ixfr.journal != NULL)
+ dns_journal_destroy(&xfr->ixfr.journal);
+
+ if (xfr->axfr.add_private != NULL) {
+ (void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
+ xfr->axfr.add_func = NULL;
+ }
+
+ if (xfr->tcpmsg_valid) {
+ dns_tcpmsg_invalidate(&xfr->tcpmsg);
+ xfr->tcpmsg_valid = ISC_FALSE;
+ }
+
+ if (xfr->ver != NULL)
+ dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
+}
+
+
+static void
+xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
+ if (result != DNS_R_UPTODATE) {
+ xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
+ msg, isc_result_totext(result));
+ if (xfr->is_ixfr)
+ /* Pass special result code to force AXFR retry */
+ result = DNS_R_BADIXFR;
+ }
+ xfrin_cancelio(xfr);
+ if (xfr->done != NULL) {
+ (xfr->done)(xfr->zone, result);
+ xfr->done = NULL;
+ }
+ xfr->shuttingdown = ISC_TRUE;
+ maybe_free(xfr);
+}
+
+static isc_result_t
+xfrin_create(isc_mem_t *mctx,
+ dns_zone_t *zone,
+ dns_db_t *db,
+ isc_task_t *task,
+ isc_timermgr_t *timermgr,
+ isc_socketmgr_t *socketmgr,
+ dns_name_t *zonename,
+ dns_rdataclass_t rdclass,
+ dns_rdatatype_t reqtype,
+ isc_sockaddr_t *masteraddr,
+ isc_sockaddr_t *sourceaddr,
+ dns_tsigkey_t *tsigkey,
+ dns_xfrin_ctx_t **xfrp)
+{
+ dns_xfrin_ctx_t *xfr = NULL;
+ isc_result_t result;
+ isc_uint32_t tmp;
+
+ xfr = isc_mem_get(mctx, sizeof(*xfr));
+ if (xfr == NULL)
+ return (ISC_R_NOMEMORY);
+ xfr->mctx = mctx;
+ xfr->refcount = 0;
+ xfr->zone = NULL;
+ dns_zone_iattach(zone, &xfr->zone);
+ xfr->task = NULL;
+ isc_task_attach(task, &xfr->task);
+ xfr->timer = NULL;
+ xfr->socketmgr = socketmgr;
+ xfr->done = NULL;
+
+ xfr->connects = 0;
+ xfr->sends = 0;
+ xfr->recvs = 0;
+ xfr->shuttingdown = ISC_FALSE;
+
+ dns_name_init(&xfr->name, NULL);
+ xfr->rdclass = rdclass;
+ isc_random_get(&tmp);
+ xfr->checkid = ISC_TRUE;
+ xfr->id = (isc_uint16_t)(tmp & 0xffff);
+ xfr->reqtype = reqtype;
+
+ /* sockaddr */
+ xfr->socket = NULL;
+ /* qbuffer */
+ /* qbuffer_data */
+ /* tcpmsg */
+ xfr->tcpmsg_valid = ISC_FALSE;
+
+ xfr->db = NULL;
+ if (db != NULL)
+ dns_db_attach(db, &xfr->db);
+ xfr->ver = NULL;
+ dns_diff_init(xfr->mctx, &xfr->diff);
+ xfr->difflen = 0;
+
+ xfr->state = XFRST_INITIALSOA;
+ /* end_serial */
+
+ xfr->nmsg = 0;
+
+ xfr->tsigkey = NULL;
+ if (tsigkey != NULL)
+ dns_tsigkey_attach(tsigkey, &xfr->tsigkey);
+ xfr->lasttsig = NULL;
+ xfr->tsigctx = NULL;
+ xfr->sincetsig = 0;
+ xfr->is_ixfr = ISC_FALSE;
+
+ /* ixfr.request_serial */
+ /* ixfr.current_serial */
+ xfr->ixfr.journal = NULL;
+
+ xfr->axfr.add_func = NULL;
+ xfr->axfr.add_private = NULL;
+
+ CHECK(dns_name_dup(zonename, mctx, &xfr->name));
+
+ CHECK(isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
+ task, xfrin_timeout, xfr, &xfr->timer));
+ CHECK(dns_timer_setidle(xfr->timer,
+ dns_zone_getmaxxfrin(xfr->zone),
+ dns_zone_getidlein(xfr->zone),
+ ISC_FALSE));
+
+ xfr->masteraddr = *masteraddr;
+
+ INSIST(isc_sockaddr_pf(masteraddr) == isc_sockaddr_pf(sourceaddr));
+ xfr->sourceaddr = *sourceaddr;
+ isc_sockaddr_setport(&xfr->sourceaddr, 0);
+
+ isc_buffer_init(&xfr->qbuffer, xfr->qbuffer_data,
+ sizeof(xfr->qbuffer_data));
+
+ xfr->magic = XFRIN_MAGIC;
+ *xfrp = xfr;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ xfrin_fail(xfr, result, "failed creating transfer context");
+ return (result);
+}
+
+static isc_result_t
+xfrin_start(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+ CHECK(isc_socket_create(xfr->socketmgr,
+ isc_sockaddr_pf(&xfr->sourceaddr),
+ isc_sockettype_tcp,
+ &xfr->socket));
+ CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr));
+ CHECK(isc_socket_connect(xfr->socket, &xfr->masteraddr, xfr->task,
+ xfrin_connect_done, xfr));
+ xfr->connects++;
+ return (ISC_R_SUCCESS);
+ failure:
+ xfrin_fail(xfr, result, "failed setting up socket");
+ return (result);
+}
+
+/* XXX the resolver could use this, too */
+
+static isc_result_t
+render(dns_message_t *msg, isc_mem_t *mctx, isc_buffer_t *buf) {
+ dns_compress_t cctx;
+ isc_boolean_t cleanup_cctx = ISC_FALSE;
+ isc_result_t result;
+
+ CHECK(dns_compress_init(&cctx, -1, mctx));
+ cleanup_cctx = ISC_TRUE;
+ CHECK(dns_message_renderbegin(msg, &cctx, buf));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_QUESTION, 0));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_ANSWER, 0));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_AUTHORITY, 0));
+ CHECK(dns_message_rendersection(msg, DNS_SECTION_ADDITIONAL, 0));
+ CHECK(dns_message_renderend(msg));
+ result = ISC_R_SUCCESS;
+ failure:
+ if (cleanup_cctx)
+ dns_compress_invalidate(&cctx);
+ return (result);
+}
+
+/*
+ * A connection has been established.
+ */
+static void
+xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
+ isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
+ dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+ isc_result_t evresult = cev->result;
+ isc_result_t result;
+ char sourcetext[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t sockaddr;
+
+ REQUIRE(VALID_XFRIN(xfr));
+
+ UNUSED(task);
+
+ INSIST(event->ev_type == ISC_SOCKEVENT_CONNECT);
+ isc_event_free(&event);
+
+ xfr->connects--;
+ if (xfr->shuttingdown) {
+ maybe_free(xfr);
+ return;
+ }
+
+ CHECK(evresult);
+ result = isc_socket_getsockname(xfr->socket, &sockaddr);
+ if (result == ISC_R_SUCCESS) {
+ isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
+ } else
+ strcpy(sourcetext, "<UNKNOWN>");
+ xfrin_log(xfr, ISC_LOG_INFO, "connected using %s", sourcetext);
+
+ dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
+ xfr->tcpmsg_valid = ISC_TRUE;
+
+ CHECK(xfrin_send_request(xfr));
+ failure:
+ if (result != ISC_R_SUCCESS)
+ xfrin_fail(xfr, result, "failed to connect");
+}
+
+/*
+ * Convert a tuple into a dns_name_t suitable for inserting
+ * into the given dns_message_t.
+ */
+static isc_result_t
+tuple2msgname(dns_difftuple_t *tuple, dns_message_t *msg, dns_name_t **target)
+{
+ isc_result_t result;
+ dns_rdata_t *rdata = NULL;
+ dns_rdatalist_t *rdl = NULL;
+ dns_rdataset_t *rds = NULL;
+ dns_name_t *name = NULL;
+
+ REQUIRE(target != NULL && *target == NULL);
+
+ CHECK(dns_message_gettemprdata(msg, &rdata));
+ dns_rdata_init(rdata);
+ dns_rdata_clone(&tuple->rdata, rdata);
+
+ CHECK(dns_message_gettemprdatalist(msg, &rdl));
+ dns_rdatalist_init(rdl);
+ rdl->type = tuple->rdata.type;
+ rdl->rdclass = tuple->rdata.rdclass;
+ rdl->ttl = tuple->ttl;
+ ISC_LIST_APPEND(rdl->rdata, rdata, link);
+
+ CHECK(dns_message_gettemprdataset(msg, &rds));
+ dns_rdataset_init(rds);
+ CHECK(dns_rdatalist_tordataset(rdl, rds));
+
+ CHECK(dns_message_gettempname(msg, &name));
+ dns_name_init(name, NULL);
+ dns_name_clone(&tuple->name, name);
+ ISC_LIST_APPEND(name->list, rds, link);
+
+ *target = name;
+ return (ISC_R_SUCCESS);
+
+ failure:
+
+ if (rds != NULL)
+ dns_rdataset_disassociate(rds);
+ dns_message_puttemprdataset(msg, &rds);
+ if (rdl != NULL) {
+ ISC_LIST_UNLINK(rdl->rdata, rdata, link);
+ dns_message_puttemprdatalist(msg, &rdl);
+ }
+ if (rdata != NULL)
+ dns_message_puttemprdata(msg, &rdata);
+
+ return (result);
+}
+
+
+/*
+ * Build an *XFR request and send its length prefix.
+ */
+static isc_result_t
+xfrin_send_request(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
+ isc_region_t region;
+ isc_region_t lregion;
+ dns_rdataset_t *qrdataset = NULL;
+ dns_message_t *msg = NULL;
+ unsigned char length[2];
+ dns_difftuple_t *soatuple = NULL;
+ dns_name_t *qname = NULL;
+ dns_dbversion_t *ver = NULL;
+ dns_name_t *msgsoaname = NULL;
+
+ /* Create the request message */
+ CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTRENDER, &msg));
+ CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+
+ /* Create a name for the question section. */
+ CHECK(dns_message_gettempname(msg, &qname));
+ dns_name_init(qname, NULL);
+ dns_name_clone(&xfr->name, qname);
+
+ /* Formulate the question and attach it to the question name. */
+ CHECK(dns_message_gettemprdataset(msg, &qrdataset));
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, xfr->rdclass, xfr->reqtype);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ qrdataset = NULL;
+
+ dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
+ qname = NULL;
+
+ if (xfr->reqtype == dns_rdatatype_ixfr) {
+ /* Get the SOA and add it to the authority section. */
+ /* XXX is using the current version the right thing? */
+ dns_db_currentversion(xfr->db, &ver);
+ CHECK(dns_db_createsoatuple(xfr->db, ver, xfr->mctx,
+ DNS_DIFFOP_EXISTS, &soatuple));
+ xfr->ixfr.request_serial = dns_soa_getserial(&soatuple->rdata);
+ xfr->ixfr.current_serial = xfr->ixfr.request_serial;
+ xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ "requesting IXFR for serial %u",
+ xfr->ixfr.request_serial);
+
+ CHECK(tuple2msgname(soatuple, msg, &msgsoaname));
+ dns_message_addname(msg, msgsoaname, DNS_SECTION_AUTHORITY);
+ }
+
+ xfr->checkid = ISC_TRUE;
+ xfr->id++;
+ msg->id = xfr->id;
+
+ CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
+
+ /*
+ * Free the last tsig, if there is one.
+ */
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+
+ /*
+ * Save the query TSIG and don't let message_destroy free it.
+ */
+ CHECK(dns_message_getquerytsig(msg, xfr->mctx, &xfr->lasttsig));
+
+ isc_buffer_usedregion(&xfr->qbuffer, &region);
+ INSIST(region.length <= 65535);
+
+ length[0] = region.length >> 8;
+ length[1] = region.length & 0xFF;
+ lregion.base = length;
+ lregion.length = 2;
+ CHECK(isc_socket_send(xfr->socket, &lregion, xfr->task,
+ xfrin_sendlen_done, xfr));
+ xfr->sends++;
+
+ failure:
+ if (qname != NULL)
+ dns_message_puttempname(msg, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(msg, &qrdataset);
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ if (soatuple != NULL)
+ dns_difftuple_free(&soatuple);
+ if (ver != NULL)
+ dns_db_closeversion(xfr->db, &ver, ISC_FALSE);
+ return (result);
+}
+
+/* XXX there should be library support for sending DNS TCP messages */
+
+static void
+xfrin_sendlen_done(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sev = (isc_socketevent_t *) event;
+ dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+ isc_result_t evresult = sev->result;
+ isc_result_t result;
+ isc_region_t region;
+
+ REQUIRE(VALID_XFRIN(xfr));
+
+ UNUSED(task);
+
+ INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+ isc_event_free(&event);
+
+ xfr->sends--;
+ if (xfr->shuttingdown) {
+ maybe_free(xfr);
+ return;
+ }
+
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request length prefix");
+ CHECK(evresult);
+
+ isc_buffer_usedregion(&xfr->qbuffer, &region);
+ CHECK(isc_socket_send(xfr->socket, &region, xfr->task,
+ xfrin_send_done, xfr));
+ xfr->sends++;
+ failure:
+ if (result != ISC_R_SUCCESS)
+ xfrin_fail(xfr, result, "failed sending request length prefix");
+}
+
+
+static void
+xfrin_send_done(isc_task_t *task, isc_event_t *event) {
+ isc_socketevent_t *sev = (isc_socketevent_t *) event;
+ dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+ isc_result_t result;
+
+ REQUIRE(VALID_XFRIN(xfr));
+
+ UNUSED(task);
+
+ INSIST(event->ev_type == ISC_SOCKEVENT_SENDDONE);
+
+ xfr->sends--;
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "sent request data");
+ CHECK(sev->result);
+
+ CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
+ xfrin_recv_done, xfr));
+ xfr->recvs++;
+ failure:
+ isc_event_free(&event);
+ if (result != ISC_R_SUCCESS)
+ xfrin_fail(xfr, result, "failed sending request data");
+}
+
+
+static void
+xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
+ dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) ev->ev_arg;
+ isc_result_t result;
+ dns_message_t *msg = NULL;
+ dns_name_t *name;
+ dns_tcpmsg_t *tcpmsg;
+ dns_name_t *tsigowner = NULL;
+
+ REQUIRE(VALID_XFRIN(xfr));
+
+ UNUSED(task);
+
+ INSIST(ev->ev_type == DNS_EVENT_TCPMSG);
+ tcpmsg = ev->ev_sender;
+ isc_event_free(&ev);
+
+ xfr->recvs--;
+ if (xfr->shuttingdown) {
+ maybe_free(xfr);
+ return;
+ }
+
+ CHECK(tcpmsg->result);
+
+ xfrin_log(xfr, ISC_LOG_DEBUG(7), "received %u bytes",
+ tcpmsg->buffer.used);
+
+ CHECK(isc_timer_touch(xfr->timer));
+
+ CHECK(dns_message_create(xfr->mctx, DNS_MESSAGE_INTENTPARSE, &msg));
+
+ CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
+ CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+ msg->tsigctx = xfr->tsigctx;
+ if (xfr->nmsg > 0)
+ msg->tcp_continuation = 1;
+
+ result = dns_message_parse(msg, &tcpmsg->buffer,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+
+ if (result != ISC_R_SUCCESS || msg->rcode != dns_rcode_noerror ||
+ (xfr->checkid && msg->id != xfr->id)) {
+ if (result == ISC_R_SUCCESS)
+ result = ISC_RESULTCLASS_DNSRCODE + msg->rcode; /*XXX*/
+ if (result == ISC_R_SUCCESS || result == DNS_R_NOERROR)
+ result = DNS_R_UNEXPECTEDID;
+ if (xfr->reqtype == dns_rdatatype_axfr ||
+ xfr->reqtype == dns_rdatatype_soa)
+ FAIL(result);
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "got %s, retrying with AXFR",
+ isc_result_totext(result));
+ try_axfr:
+ dns_message_destroy(&msg);
+ xfrin_reset(xfr);
+ xfr->reqtype = dns_rdatatype_axfr;
+ xfr->state = XFRST_INITIALSOA;
+ (void)xfrin_start(xfr);
+ return;
+ }
+
+ /*
+ * Does the server know about IXFR? If it doesn't we will get
+ * a message with a empty answer section or a potentially a CNAME /
+ * DNAME, the later is handled by xfr_rr() which will return FORMERR
+ * if the first RR in the answer section is not a SOA record.
+ */
+ if (xfr->reqtype == dns_rdatatype_ixfr &&
+ xfr->state == XFRST_INITIALSOA &&
+ msg->counts[DNS_SECTION_ANSWER] == 0) {
+ xfrin_log(xfr, ISC_LOG_DEBUG(3),
+ "empty answer section, retrying with AXFR");
+ goto try_axfr;
+ }
+
+ if (xfr->reqtype == dns_rdatatype_soa &&
+ (msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+ FAIL(DNS_R_NOTAUTHORITATIVE);
+ }
+
+
+ result = dns_message_checksig(msg, dns_zone_getview(xfr->zone));
+ if (result != ISC_R_SUCCESS) {
+ xfrin_log(xfr, ISC_LOG_DEBUG(3), "TSIG check failed: %s",
+ isc_result_totext(result));
+ FAIL(result);
+ }
+
+ for (result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
+ result == ISC_R_SUCCESS;
+ result = dns_message_nextname(msg, DNS_SECTION_ANSWER))
+ {
+ dns_rdataset_t *rds;
+
+ name = NULL;
+ dns_message_currentname(msg, DNS_SECTION_ANSWER, &name);
+ for (rds = ISC_LIST_HEAD(name->list);
+ rds != NULL;
+ rds = ISC_LIST_NEXT(rds, link))
+ {
+ for (result = dns_rdataset_first(rds);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(rds))
+ {
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_current(rds, &rdata);
+ CHECK(xfr_rr(xfr, name, rds->ttl, &rdata));
+ }
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ goto failure;
+
+ if (dns_message_gettsig(msg, &tsigowner) != NULL) {
+ /*
+ * Reset the counter.
+ */
+ xfr->sincetsig = 0;
+
+ /*
+ * Free the last tsig, if there is one.
+ */
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+
+ /*
+ * Update the last tsig pointer.
+ */
+ CHECK(dns_message_getquerytsig(msg, xfr->mctx,
+ &xfr->lasttsig));
+
+ } else if (dns_message_gettsigkey(msg) != NULL) {
+ xfr->sincetsig++;
+ if (xfr->sincetsig > 100 ||
+ xfr->nmsg == 0 || xfr->state == XFRST_END)
+ {
+ result = DNS_R_EXPECTEDTSIG;
+ goto failure;
+ }
+ }
+
+ /*
+ * Update the number of messages received.
+ */
+ xfr->nmsg++;
+
+ /*
+ * Copy the context back.
+ */
+ xfr->tsigctx = msg->tsigctx;
+
+ dns_message_destroy(&msg);
+
+ if (xfr->state == XFRST_END) {
+ /*
+ * Inform the caller we succeeded.
+ */
+ if (xfr->done != NULL) {
+ (xfr->done)(xfr->zone, ISC_R_SUCCESS);
+ xfr->done = NULL;
+ }
+ /*
+ * We should have no outstanding events at this
+ * point, thus maybe_free() should succeed.
+ */
+ xfr->shuttingdown = ISC_TRUE;
+ maybe_free(xfr);
+ } else {
+ /*
+ * Read the next message.
+ */
+ CHECK(dns_tcpmsg_readmessage(&xfr->tcpmsg, xfr->task,
+ xfrin_recv_done, xfr));
+ xfr->recvs++;
+ }
+ return;
+
+ failure:
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ if (result != ISC_R_SUCCESS)
+ xfrin_fail(xfr, result, "failed while receiving responses");
+}
+
+static void
+xfrin_timeout(isc_task_t *task, isc_event_t *event) {
+ dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
+
+ REQUIRE(VALID_XFRIN(xfr));
+
+ UNUSED(task);
+
+ isc_event_free(&event);
+ /*
+ * This will log "giving up: timeout".
+ */
+ xfrin_fail(xfr, ISC_R_TIMEDOUT, "giving up");
+}
+
+static void
+maybe_free(dns_xfrin_ctx_t *xfr) {
+ REQUIRE(VALID_XFRIN(xfr));
+
+ if (! xfr->shuttingdown || xfr->refcount != 0 ||
+ xfr->connects != 0 || xfr->sends != 0 ||
+ xfr->recvs != 0)
+ return;
+
+ xfrin_log(xfr, ISC_LOG_INFO, "end of transfer");
+
+ if (xfr->socket != NULL)
+ isc_socket_detach(&xfr->socket);
+
+ if (xfr->timer != NULL)
+ isc_timer_detach(&xfr->timer);
+
+ if (xfr->task != NULL)
+ isc_task_detach(&xfr->task);
+
+ if (xfr->tsigkey != NULL)
+ dns_tsigkey_detach(&xfr->tsigkey);
+
+ if (xfr->lasttsig != NULL)
+ isc_buffer_free(&xfr->lasttsig);
+
+ dns_diff_clear(&xfr->diff);
+
+ if (xfr->ixfr.journal != NULL)
+ dns_journal_destroy(&xfr->ixfr.journal);
+
+ if (xfr->axfr.add_private != NULL)
+ (void)dns_db_endload(xfr->db, &xfr->axfr.add_private);
+
+ if (xfr->tcpmsg_valid)
+ dns_tcpmsg_invalidate(&xfr->tcpmsg);
+
+ if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0)
+ dns_name_free(&xfr->name, xfr->mctx);
+
+ if (xfr->ver != NULL)
+ dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
+
+ if (xfr->db != NULL)
+ dns_db_detach(&xfr->db);
+
+ if (xfr->zone != NULL)
+ dns_zone_idetach(&xfr->zone);
+
+ isc_mem_put(xfr->mctx, xfr, sizeof(*xfr));
+}
+
+/*
+ * Log incoming zone transfer messages in a format like
+ * transfer of <zone> from <address>: <message>
+ */
+static void
+xfrin_logv(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
+ isc_sockaddr_t *masteraddr, const char *fmt, va_list ap)
+{
+ char zntext[DNS_NAME_FORMATSIZE];
+ char mastertext[ISC_SOCKADDR_FORMATSIZE];
+ char classtext[DNS_RDATACLASS_FORMATSIZE];
+ char msgtext[2048];
+
+ dns_name_format(zonename, zntext, sizeof(zntext));
+ dns_rdataclass_format(rdclass, classtext, sizeof(classtext));
+ isc_sockaddr_format(masteraddr, mastertext, sizeof(mastertext));
+ vsnprintf(msgtext, sizeof(msgtext), fmt, ap);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_XFER_IN,
+ DNS_LOGMODULE_XFER_IN, level,
+ "transfer of '%s/%s' from %s: %s",
+ zntext, classtext, mastertext, msgtext);
+}
+
+/*
+ * Logging function for use when a xfrin_ctx_t has not yet been created.
+ */
+
+static void
+xfrin_log1(int level, dns_name_t *zonename, dns_rdataclass_t rdclass,
+ isc_sockaddr_t *masteraddr, const char *fmt, ...)
+{
+ va_list ap;
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ va_start(ap, fmt);
+ xfrin_logv(level, zonename, rdclass, masteraddr, fmt, ap);
+ va_end(ap);
+}
+
+/*
+ * Logging function for use when there is a xfrin_ctx_t.
+ */
+
+static void
+xfrin_log(dns_xfrin_ctx_t *xfr, unsigned int level, const char *fmt, ...)
+{
+ va_list ap;
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ va_start(ap, fmt);
+ xfrin_logv(level, &xfr->name, xfr->rdclass, &xfr->masteraddr, fmt, ap);
+ va_end(ap);
+}
diff --git a/contrib/bind9/lib/dns/zone.c b/contrib/bind9/lib/dns/zone.c
new file mode 100644
index 0000000..b5cbc6e
--- /dev/null
+++ b/contrib/bind9/lib/dns/zone.c
@@ -0,0 +1,6804 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zone.c,v 1.333.2.23.2.50 2004/08/28 05:53:37 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/file.h>
+#include <isc/mutex.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/ratelimiter.h>
+#include <isc/refcount.h>
+#include <isc/serial.h>
+#include <isc/string.h>
+#include <isc/taskpool.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#include <dns/acl.h>
+#include <dns/adb.h>
+#include <dns/callbacks.h>
+#include <dns/db.h>
+#include <dns/events.h>
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/master.h>
+#include <dns/masterdump.h>
+#include <dns/message.h>
+#include <dns/name.h>
+#include <dns/peer.h>
+#include <dns/rcode.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+#include <dns/rdatatype.h>
+#include <dns/request.h>
+#include <dns/resolver.h>
+#include <dns/result.h>
+#include <dns/stats.h>
+#include <dns/ssu.h>
+#include <dns/tsig.h>
+#include <dns/xfrin.h>
+#include <dns/zone.h>
+
+#define ZONE_MAGIC ISC_MAGIC('Z', 'O', 'N', 'E')
+#define DNS_ZONE_VALID(zone) ISC_MAGIC_VALID(zone, ZONE_MAGIC)
+
+#define NOTIFY_MAGIC ISC_MAGIC('N', 't', 'f', 'y')
+#define DNS_NOTIFY_VALID(notify) ISC_MAGIC_VALID(notify, NOTIFY_MAGIC)
+
+#define STUB_MAGIC ISC_MAGIC('S', 't', 'u', 'b')
+#define DNS_STUB_VALID(stub) ISC_MAGIC_VALID(stub, STUB_MAGIC)
+
+#define ZONEMGR_MAGIC ISC_MAGIC('Z', 'm', 'g', 'r')
+#define DNS_ZONEMGR_VALID(stub) ISC_MAGIC_VALID(stub, ZONEMGR_MAGIC)
+
+#define LOAD_MAGIC ISC_MAGIC('L', 'o', 'a', 'd')
+#define DNS_LOAD_VALID(load) ISC_MAGIC_VALID(load, LOAD_MAGIC)
+
+#define FORWARD_MAGIC ISC_MAGIC('F', 'o', 'r', 'w')
+#define DNS_FORWARD_VALID(load) ISC_MAGIC_VALID(load, FORWARD_MAGIC)
+
+#define IO_MAGIC ISC_MAGIC('Z', 'm', 'I', 'O')
+#define DNS_IO_VALID(load) ISC_MAGIC_VALID(load, IO_MAGIC)
+
+/*
+ * Ensure 'a' is at least 'min' but not more than 'max'.
+ */
+#define RANGE(a, min, max) \
+ (((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
+
+/*
+ * Default values.
+ */
+#define DNS_DEFAULT_IDLEIN 3600 /* 1 hour */
+#define DNS_DEFAULT_IDLEOUT 3600 /* 1 hour */
+#define MAX_XFER_TIME (2*3600) /* Documented default is 2 hours */
+
+#ifndef DNS_MAX_EXPIRE
+#define DNS_MAX_EXPIRE 14515200 /* 24 weeks */
+#endif
+
+#ifndef DNS_DUMP_DELAY
+#define DNS_DUMP_DELAY 900 /* 15 minutes */
+#endif
+
+typedef struct dns_notify dns_notify_t;
+typedef struct dns_stub dns_stub_t;
+typedef struct dns_load dns_load_t;
+typedef struct dns_forward dns_forward_t;
+typedef struct dns_io dns_io_t;
+typedef ISC_LIST(dns_io_t) dns_iolist_t;
+
+#define DNS_ZONE_CHECKLOCK
+#ifdef DNS_ZONE_CHECKLOCK
+#define LOCK_ZONE(z) \
+ do { LOCK(&(z)->lock); \
+ INSIST((z)->locked == ISC_FALSE); \
+ (z)->locked = ISC_TRUE; \
+ } while (0)
+#define UNLOCK_ZONE(z) \
+ do { (z)->locked = ISC_FALSE; UNLOCK(&(z)->lock); } while (0)
+#define LOCKED_ZONE(z) ((z)->locked)
+#else
+#define LOCK_ZONE(z) LOCK(&(z)->lock)
+#define UNLOCK_ZONE(z) UNLOCK(&(z)->lock)
+#define LOCKED_ZONE(z) ISC_TRUE
+#endif
+
+struct dns_zone {
+ /* Unlocked */
+ unsigned int magic;
+ isc_mutex_t lock;
+#ifdef DNS_ZONE_CHECKLOCK
+ isc_boolean_t locked;
+#endif
+ isc_mem_t *mctx;
+ isc_refcount_t erefs;
+
+ /* Locked */
+ dns_db_t *db;
+ dns_zonemgr_t *zmgr;
+ ISC_LINK(dns_zone_t) link; /* Used by zmgr. */
+ isc_timer_t *timer;
+ unsigned int irefs;
+ dns_name_t origin;
+ char *masterfile;
+ char *journal;
+ isc_int32_t journalsize;
+ dns_rdataclass_t rdclass;
+ dns_zonetype_t type;
+ unsigned int flags;
+ unsigned int options;
+ unsigned int db_argc;
+ char **db_argv;
+ isc_time_t expiretime;
+ isc_time_t refreshtime;
+ isc_time_t dumptime;
+ isc_time_t loadtime;
+ isc_uint32_t serial;
+ isc_uint32_t refresh;
+ isc_uint32_t retry;
+ isc_uint32_t expire;
+ isc_uint32_t minimum;
+ char *keydirectory;
+
+ isc_uint32_t maxrefresh;
+ isc_uint32_t minrefresh;
+ isc_uint32_t maxretry;
+ isc_uint32_t minretry;
+
+ isc_sockaddr_t *masters;
+ dns_name_t **masterkeynames;
+ unsigned int masterscnt;
+ unsigned int curmaster;
+ isc_sockaddr_t masteraddr;
+ dns_notifytype_t notifytype;
+ isc_sockaddr_t *notify;
+ unsigned int notifycnt;
+ isc_sockaddr_t notifyfrom;
+ isc_task_t *task;
+ isc_sockaddr_t notifysrc4;
+ isc_sockaddr_t notifysrc6;
+ isc_sockaddr_t xfrsource4;
+ isc_sockaddr_t xfrsource6;
+ isc_sockaddr_t altxfrsource4;
+ isc_sockaddr_t altxfrsource6;
+ isc_sockaddr_t sourceaddr;
+ dns_xfrin_ctx_t *xfr; /* task locked */
+ dns_tsigkey_t *tsigkey; /* key used for xfr */
+ /* Access Control Lists */
+ dns_acl_t *update_acl;
+ dns_acl_t *forward_acl;
+ dns_acl_t *notify_acl;
+ dns_acl_t *query_acl;
+ dns_acl_t *xfr_acl;
+ isc_boolean_t update_disabled;
+ dns_severity_t check_names;
+ ISC_LIST(dns_notify_t) notifies;
+ dns_request_t *request;
+ dns_loadctx_t *lctx;
+ dns_io_t *readio;
+ dns_dumpctx_t *dctx;
+ dns_io_t *writeio;
+ isc_uint32_t maxxfrin;
+ isc_uint32_t maxxfrout;
+ isc_uint32_t idlein;
+ isc_uint32_t idleout;
+ isc_event_t ctlevent;
+ dns_ssutable_t *ssutable;
+ isc_uint32_t sigvalidityinterval;
+ dns_view_t *view;
+ /*
+ * Zones in certain states such as "waiting for zone transfer"
+ * or "zone transfer in progress" are kept on per-state linked lists
+ * in the zone manager using the 'statelink' field. The 'statelist'
+ * field points at the list the zone is currently on. It the zone
+ * is not on any such list, statelist is NULL.
+ */
+ ISC_LINK(dns_zone_t) statelink;
+ dns_zonelist_t *statelist;
+ /*
+ * Optional per-zone statistics counters (NULL if not present).
+ */
+ isc_uint64_t *counters;
+};
+
+#define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
+#define DNS_ZONE_SETFLAG(z,f) do { \
+ INSIST(LOCKED_ZONE(z)); \
+ (z)->flags |= (f); \
+ } while (0)
+#define DNS_ZONE_CLRFLAG(z,f) do { \
+ INSIST(LOCKED_ZONE(z)); \
+ (z)->flags &= ~(f); \
+ } while (0)
+ /* XXX MPA these may need to go back into zone.h */
+#define DNS_ZONEFLG_REFRESH 0x00000001U /* refresh check in progress */
+#define DNS_ZONEFLG_NEEDDUMP 0x00000002U /* zone need consolidation */
+#define DNS_ZONEFLG_USEVC 0x00000004U /* use tcp for refresh query */
+#define DNS_ZONEFLG_DUMPING 0x00000008U /* a dump is in progress */
+#define DNS_ZONEFLG_HASINCLUDE 0x00000010U /* $INCLUDE in zone file */
+#define DNS_ZONEFLG_LOADED 0x00000020U /* database has loaded */
+#define DNS_ZONEFLG_EXITING 0x00000040U /* zone is being destroyed */
+#define DNS_ZONEFLG_EXPIRED 0x00000080U /* zone has expired */
+#define DNS_ZONEFLG_NEEDREFRESH 0x00000100U /* refresh check needed */
+#define DNS_ZONEFLG_UPTODATE 0x00000200U /* zone contents are
+ * uptodate */
+#define DNS_ZONEFLG_NEEDNOTIFY 0x00000400U /* need to send out notify
+ * messages */
+#define DNS_ZONEFLG_DIFFONRELOAD 0x00000800U /* generate a journal diff on
+ * reload */
+#define DNS_ZONEFLG_NOMASTERS 0x00001000U /* an attempt to refresh a
+ * zone with no masters
+ * occured */
+#define DNS_ZONEFLG_LOADING 0x00002000U /* load from disk in progress*/
+#define DNS_ZONEFLG_HAVETIMERS 0x00004000U /* timer values have been set
+ * from SOA (if not set, we
+ * are still using
+ * default timer values) */
+#define DNS_ZONEFLG_FORCEXFER 0x00008000U /* Force a zone xfer */
+#define DNS_ZONEFLG_NOREFRESH 0x00010000U
+#define DNS_ZONEFLG_DIALNOTIFY 0x00020000U
+#define DNS_ZONEFLG_DIALREFRESH 0x00040000U
+#define DNS_ZONEFLG_SHUTDOWN 0x00080000U
+#define DNS_ZONEFLAG_NOIXFR 0x00100000U /* IXFR failed, force AXFR */
+#define DNS_ZONEFLG_FLUSH 0x00200000U
+#define DNS_ZONEFLG_NOEDNS 0x00400000U
+#define DNS_ZONEFLG_USEALTXFRSRC 0x00800000U
+
+#define DNS_ZONE_OPTION(z,o) (((z)->options & (o)) != 0)
+
+/* Flags for zone_load() */
+#define DNS_ZONELOADFLAG_NOSTAT 0x00000001U /* Do not stat() master files */
+
+struct dns_zonemgr {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ int refs; /* Locked by rwlock */
+ isc_taskmgr_t * taskmgr;
+ isc_timermgr_t * timermgr;
+ isc_socketmgr_t * socketmgr;
+ isc_taskpool_t * zonetasks;
+ isc_task_t * task;
+ isc_ratelimiter_t * rl;
+ isc_rwlock_t rwlock;
+ isc_mutex_t iolock;
+
+ /* Locked by rwlock. */
+ dns_zonelist_t zones;
+ dns_zonelist_t waiting_for_xfrin;
+ dns_zonelist_t xfrin_in_progress;
+
+ /* Configuration data. */
+ isc_uint32_t transfersin;
+ isc_uint32_t transfersperns;
+ unsigned int serialqueryrate;
+
+ /* Locked by iolock */
+ isc_uint32_t iolimit;
+ isc_uint32_t ioactive;
+ dns_iolist_t high;
+ dns_iolist_t low;
+};
+
+/*
+ * Hold notify state.
+ */
+struct dns_notify {
+ unsigned int magic;
+ unsigned int flags;
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+ dns_adbfind_t *find;
+ dns_request_t *request;
+ dns_name_t ns;
+ isc_sockaddr_t dst;
+ ISC_LINK(dns_notify_t) link;
+};
+
+#define DNS_NOTIFY_NOSOA 0x0001U
+
+/*
+ * dns_stub holds state while performing a 'stub' transfer.
+ * 'db' is the zone's 'db' or a new one if this is the initial
+ * transfer.
+ */
+
+struct dns_stub {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ dns_dbversion_t *version;
+};
+
+/*
+ * Hold load state.
+ */
+struct dns_load {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+ dns_db_t *db;
+ isc_time_t loadtime;
+ dns_rdatacallbacks_t callbacks;
+};
+
+/*
+ * Hold forward state.
+ */
+struct dns_forward {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_zone_t *zone;
+ isc_buffer_t *msgbuf;
+ dns_request_t *request;
+ isc_uint32_t which;
+ isc_sockaddr_t addr;
+ dns_updatecallback_t callback;
+ void *callback_arg;
+};
+
+/*
+ * Hold IO request state.
+ */
+struct dns_io {
+ unsigned int magic;
+ dns_zonemgr_t *zmgr;
+ isc_boolean_t high;
+ isc_task_t *task;
+ ISC_LINK(dns_io_t) link;
+ isc_event_t *event;
+};
+
+#define SEND_BUFFER_SIZE 2048
+
+static void zone_settimer(dns_zone_t *, isc_time_t *);
+static void cancel_refresh(dns_zone_t *);
+static void zone_debuglog(dns_zone_t *zone, const char *, int debuglevel,
+ const char *msg, ...) ISC_FORMAT_PRINTF(4, 5);
+static void notify_log(dns_zone_t *zone, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+static void queue_xfrin(dns_zone_t *zone);
+static void zone_unload(dns_zone_t *zone);
+static void zone_expire(dns_zone_t *zone);
+static void zone_iattach(dns_zone_t *source, dns_zone_t **target);
+static void zone_idetach(dns_zone_t **zonep);
+static isc_result_t zone_replacedb(dns_zone_t *zone, dns_db_t *db,
+ isc_boolean_t dump);
+static isc_result_t default_journal(dns_zone_t *zone);
+static void zone_xfrdone(dns_zone_t *zone, isc_result_t result);
+static isc_result_t zone_postload(dns_zone_t *zone, dns_db_t *db,
+ isc_time_t loadtime, isc_result_t result);
+static void zone_needdump(dns_zone_t *zone, unsigned int delay);
+static void zone_shutdown(isc_task_t *, isc_event_t *);
+static void zone_loaddone(void *arg, isc_result_t result);
+static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
+ isc_time_t loadtime);
+
+#if 0
+/* ondestroy example */
+static void dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event);
+#endif
+
+static void refresh_callback(isc_task_t *, isc_event_t *);
+static void stub_callback(isc_task_t *, isc_event_t *);
+static void queue_soa_query(dns_zone_t *zone);
+static void soa_query(isc_task_t *, isc_event_t *);
+static void ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset,
+ dns_stub_t *stub);
+static int message_count(dns_message_t *msg, dns_section_t section,
+ dns_rdatatype_t type);
+static void notify_cancel(dns_zone_t *zone);
+static void notify_find_address(dns_notify_t *notify);
+static void notify_send(dns_notify_t *notify);
+static isc_result_t notify_createmessage(dns_zone_t *zone,
+ unsigned int flags,
+ dns_message_t **messagep);
+static void notify_done(isc_task_t *task, isc_event_t *event);
+static void notify_send_toaddr(isc_task_t *task, isc_event_t *event);
+static isc_result_t zone_dump(dns_zone_t *, isc_boolean_t);
+static void got_transfer_quota(isc_task_t *task, isc_event_t *event);
+static isc_result_t zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr,
+ dns_zone_t *zone);
+static void zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi);
+static void zonemgr_free(dns_zonemgr_t *zmgr);
+static isc_result_t zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
+ isc_task_t *task, isc_taskaction_t action,
+ void *arg, dns_io_t **iop);
+static void zonemgr_putio(dns_io_t **iop);
+static void zonemgr_cancelio(dns_io_t *io);
+
+static isc_result_t
+zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+ unsigned int *soacount, isc_uint32_t *serial,
+ isc_uint32_t *refresh, isc_uint32_t *retry,
+ isc_uint32_t *expire, isc_uint32_t *minimum);
+
+static void zone_freedbargs(dns_zone_t *zone);
+static void forward_callback(isc_task_t *task, isc_event_t *event);
+static void zone_saveunique(dns_zone_t *zone, const char *path,
+ const char *templat);
+static void zone_maintenance(dns_zone_t *zone);
+static void zone_notify(dns_zone_t *zone);
+static void dump_done(void *arg, isc_result_t result);
+
+#define ENTER zone_debuglog(zone, me, 1, "enter")
+
+static const unsigned int dbargc_default = 1;
+static const char *dbargv_default[] = { "rbt" };
+
+#define DNS_ZONE_JITTER_ADD(a, b, c) \
+ do { \
+ isc_interval_t _i; \
+ isc_uint32_t _j; \
+ _j = isc_random_jitter((b), (b)/4); \
+ isc_interval_set(&_i, _j, 0); \
+ if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+ dns_zone_log(zone, ISC_LOG_WARNING, \
+ "epoch approaching: upgrade required: " \
+ "now + %s failed", #b); \
+ isc_interval_set(&_i, _j/2, 0); \
+ (void)isc_time_add((a), &_i, (c)); \
+ } \
+ } while (0)
+
+#define DNS_ZONE_TIME_ADD(a, b, c) \
+ do { \
+ isc_interval_t _i; \
+ isc_interval_set(&_i, (b), 0); \
+ if (isc_time_add((a), &_i, (c)) != ISC_R_SUCCESS) { \
+ dns_zone_log(zone, ISC_LOG_WARNING, \
+ "epoch approaching: upgrade required: " \
+ "now + %s failed", #b); \
+ isc_interval_set(&_i, (b)/2, 0); \
+ (void)isc_time_add((a), &_i, (c)); \
+ } \
+ } while (0)
+
+/***
+ *** Public functions.
+ ***/
+
+isc_result_t
+dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
+ isc_result_t result;
+ dns_zone_t *zone;
+
+ REQUIRE(zonep != NULL && *zonep == NULL);
+ REQUIRE(mctx != NULL);
+
+ zone = isc_mem_get(mctx, sizeof(*zone));
+ if (zone == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = isc_mutex_init(&zone->lock);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, zone, sizeof(*zone));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /* XXX MPA check that all elements are initialised */
+ zone->mctx = NULL;
+#ifdef DNS_ZONE_CHECKLOCK
+ zone->locked = ISC_FALSE;
+#endif
+ isc_mem_attach(mctx, &zone->mctx);
+ zone->db = NULL;
+ zone->zmgr = NULL;
+ ISC_LINK_INIT(zone, link);
+ isc_refcount_init(&zone->erefs, 1); /* Implicit attach. */
+ zone->irefs = 0;
+ dns_name_init(&zone->origin, NULL);
+ zone->masterfile = NULL;
+ zone->keydirectory = NULL;
+ zone->journalsize = -1;
+ zone->journal = NULL;
+ zone->rdclass = dns_rdataclass_none;
+ zone->type = dns_zone_none;
+ zone->flags = 0;
+ zone->options = 0;
+ zone->db_argc = 0;
+ zone->db_argv = NULL;
+ isc_time_settoepoch(&zone->expiretime);
+ isc_time_settoepoch(&zone->refreshtime);
+ isc_time_settoepoch(&zone->dumptime);
+ isc_time_settoepoch(&zone->loadtime);
+ zone->serial = 0;
+ zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+ zone->retry = DNS_ZONE_DEFAULTRETRY;
+ zone->expire = 0;
+ zone->minimum = 0;
+ zone->maxrefresh = DNS_ZONE_MAXREFRESH;
+ zone->minrefresh = DNS_ZONE_MINREFRESH;
+ zone->maxretry = DNS_ZONE_MAXRETRY;
+ zone->minretry = DNS_ZONE_MINRETRY;
+ zone->masters = NULL;
+ zone->masterkeynames = NULL;
+ zone->masterscnt = 0;
+ zone->curmaster = 0;
+ zone->notify = NULL;
+ zone->notifytype = dns_notifytype_yes;
+ zone->notifycnt = 0;
+ zone->task = NULL;
+ zone->update_acl = NULL;
+ zone->forward_acl = NULL;
+ zone->notify_acl = NULL;
+ zone->query_acl = NULL;
+ zone->xfr_acl = NULL;
+ zone->update_disabled = ISC_FALSE;
+ zone->check_names = dns_severity_ignore;
+ zone->request = NULL;
+ zone->lctx = NULL;
+ zone->readio = NULL;
+ zone->dctx = NULL;
+ zone->writeio = NULL;
+ zone->timer = NULL;
+ zone->idlein = DNS_DEFAULT_IDLEIN;
+ zone->idleout = DNS_DEFAULT_IDLEOUT;
+ ISC_LIST_INIT(zone->notifies);
+ isc_sockaddr_any(&zone->notifysrc4);
+ isc_sockaddr_any6(&zone->notifysrc6);
+ isc_sockaddr_any(&zone->xfrsource4);
+ isc_sockaddr_any6(&zone->xfrsource6);
+ isc_sockaddr_any(&zone->altxfrsource4);
+ isc_sockaddr_any6(&zone->altxfrsource6);
+ zone->xfr = NULL;
+ zone->tsigkey = NULL;
+ zone->maxxfrin = MAX_XFER_TIME;
+ zone->maxxfrout = MAX_XFER_TIME;
+ zone->ssutable = NULL;
+ zone->sigvalidityinterval = 30 * 24 * 3600;
+ zone->view = NULL;
+ ISC_LINK_INIT(zone, statelink);
+ zone->statelist = NULL;
+ zone->counters = NULL;
+
+ zone->magic = ZONE_MAGIC;
+
+ /* Must be after magic is set. */
+ result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
+ if (result != ISC_R_SUCCESS)
+ goto free_mutex;
+
+ ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
+ DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
+ NULL, NULL);
+ *zonep = zone;
+ return (ISC_R_SUCCESS);
+
+ free_mutex:
+ DESTROYLOCK(&zone->lock);
+ return (ISC_R_NOMEMORY);
+}
+
+/*
+ * Free a zone. Because we require that there be no more
+ * outstanding events or references, no locking is necessary.
+ */
+static void
+zone_free(dns_zone_t *zone) {
+ isc_mem_t *mctx = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(isc_refcount_current(&zone->erefs) == 0);
+ REQUIRE(zone->irefs == 0);
+ REQUIRE(!LOCKED_ZONE(zone));
+ REQUIRE(zone->timer == NULL);
+
+ /*
+ * Managed objects. Order is important.
+ */
+ if (zone->request != NULL)
+ dns_request_destroy(&zone->request); /* XXXMPA */
+ INSIST(zone->readio == NULL);
+ INSIST(zone->statelist == NULL);
+ INSIST(zone->writeio == NULL);
+
+ if (zone->task != NULL)
+ isc_task_detach(&zone->task);
+ if (zone->zmgr)
+ dns_zonemgr_releasezone(zone->zmgr, zone);
+
+ /* Unmanaged objects */
+ if (zone->masterfile != NULL)
+ isc_mem_free(zone->mctx, zone->masterfile);
+ zone->masterfile = NULL;
+ if (zone->keydirectory != NULL)
+ isc_mem_free(zone->mctx, zone->keydirectory);
+ zone->keydirectory = NULL;
+ zone->journalsize = -1;
+ if (zone->journal != NULL)
+ isc_mem_free(zone->mctx, zone->journal);
+ zone->journal = NULL;
+ if (zone->counters != NULL)
+ dns_stats_freecounters(zone->mctx, &zone->counters);
+ if (zone->db != NULL)
+ dns_db_detach(&zone->db);
+ zone_freedbargs(zone);
+ RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
+ == ISC_R_SUCCESS);
+ RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
+ == ISC_R_SUCCESS);
+ zone->check_names = dns_severity_ignore;
+ if (zone->update_acl != NULL)
+ dns_acl_detach(&zone->update_acl);
+ if (zone->forward_acl != NULL)
+ dns_acl_detach(&zone->forward_acl);
+ if (zone->notify_acl != NULL)
+ dns_acl_detach(&zone->notify_acl);
+ if (zone->query_acl != NULL)
+ dns_acl_detach(&zone->query_acl);
+ if (zone->xfr_acl != NULL)
+ dns_acl_detach(&zone->xfr_acl);
+ if (dns_name_dynamic(&zone->origin))
+ dns_name_free(&zone->origin, zone->mctx);
+ if (zone->ssutable != NULL)
+ dns_ssutable_detach(&zone->ssutable);
+
+ /* last stuff */
+ DESTROYLOCK(&zone->lock);
+ isc_refcount_destroy(&zone->erefs);
+ zone->magic = 0;
+ mctx = zone->mctx;
+ isc_mem_put(mctx, zone, sizeof(*zone));
+ isc_mem_detach(&mctx);
+}
+
+/*
+ * Single shot.
+ */
+void
+dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(rdclass != dns_rdataclass_none);
+
+ /*
+ * Test and set.
+ */
+ LOCK_ZONE(zone);
+ REQUIRE(zone->rdclass == dns_rdataclass_none ||
+ zone->rdclass == rdclass);
+ zone->rdclass = rdclass;
+ UNLOCK_ZONE(zone);
+}
+
+dns_rdataclass_t
+dns_zone_getclass(dns_zone_t *zone){
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->rdclass);
+}
+
+void
+dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->notifytype = notifytype;
+ UNLOCK_ZONE(zone);
+}
+
+/*
+ * Single shot.
+ */
+void
+dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(type != dns_zone_none);
+
+ /*
+ * Test and set.
+ */
+ LOCK_ZONE(zone);
+ REQUIRE(zone->type == dns_zone_none || zone->type == type);
+ zone->type = type;
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_freedbargs(dns_zone_t *zone) {
+ unsigned int i;
+
+ /* Free the old database argument list. */
+ if (zone->db_argv != NULL) {
+ for (i = 0; i < zone->db_argc; i++)
+ isc_mem_free(zone->mctx, zone->db_argv[i]);
+ isc_mem_put(zone->mctx, zone->db_argv,
+ zone->db_argc * sizeof(*zone->db_argv));
+ }
+ zone->db_argc = 0;
+ zone->db_argv = NULL;
+}
+
+isc_result_t
+dns_zone_setdbtype(dns_zone_t *zone,
+ unsigned int dbargc, const char * const *dbargv) {
+ isc_result_t result = ISC_R_SUCCESS;
+ char **new = NULL;
+ unsigned int i;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(dbargc >= 1);
+ REQUIRE(dbargv != NULL);
+
+ LOCK_ZONE(zone);
+
+ /* Set up a new database argument list. */
+ new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
+ if (new == NULL)
+ goto nomem;
+ for (i = 0; i < dbargc; i++)
+ new[i] = NULL;
+ for (i = 0; i < dbargc; i++) {
+ new[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
+ if (new[i] == NULL)
+ goto nomem;
+ }
+
+ /* Free the old list. */
+ zone_freedbargs(zone);
+
+ zone->db_argc = dbargc;
+ zone->db_argv = new;
+ result = ISC_R_SUCCESS;
+ goto unlock;
+
+ nomem:
+ if (new != NULL) {
+ for (i = 0; i < dbargc; i++) {
+ if (zone->db_argv[i] != NULL)
+ isc_mem_free(zone->mctx, new[i]);
+ isc_mem_put(zone->mctx, new,
+ dbargc * sizeof(*new));
+ }
+ }
+ result = ISC_R_NOMEMORY;
+
+ unlock:
+ UNLOCK_ZONE(zone);
+ return (result);
+}
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->view != NULL)
+ dns_view_weakdetach(&zone->view);
+ dns_view_weakattach(view, &zone->view);
+ UNLOCK_ZONE(zone);
+}
+
+
+dns_view_t *
+dns_zone_getview(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->view);
+}
+
+
+isc_result_t
+dns_zone_setorigin(dns_zone_t *zone, dns_name_t *origin) {
+ isc_result_t result;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(origin != NULL);
+
+ LOCK_ZONE(zone);
+ if (dns_name_dynamic(&zone->origin)) {
+ dns_name_free(&zone->origin, zone->mctx);
+ dns_name_init(&zone->origin, NULL);
+ }
+ result = dns_name_dup(origin, zone->mctx, &zone->origin);
+ UNLOCK_ZONE(zone);
+ return (result);
+}
+
+
+static isc_result_t
+dns_zone_setstring(dns_zone_t *zone, char **field, const char *value) {
+ char *copy;
+
+ if (value != NULL) {
+ copy = isc_mem_strdup(zone->mctx, value);
+ if (copy == NULL)
+ return (ISC_R_NOMEMORY);
+ } else {
+ copy = NULL;
+ }
+
+ if (*field != NULL)
+ isc_mem_free(zone->mctx, *field);
+
+ *field = copy;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setfile(dns_zone_t *zone, const char *file) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ result = dns_zone_setstring(zone, &zone->masterfile, file);
+ if (result == ISC_R_SUCCESS)
+ result = default_journal(zone);
+ UNLOCK_ZONE(zone);
+
+ return (result);
+}
+
+const char *
+dns_zone_getfile(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->masterfile);
+}
+
+static isc_result_t
+default_journal(dns_zone_t *zone) {
+ isc_result_t result;
+ char *journal;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(LOCKED_ZONE(zone));
+
+ if (zone->masterfile != NULL) {
+ /* Calculate string length including '\0'. */
+ int len = strlen(zone->masterfile) + sizeof(".jnl");
+ journal = isc_mem_allocate(zone->mctx, len);
+ if (journal == NULL)
+ return (ISC_R_NOMEMORY);
+ strcpy(journal, zone->masterfile);
+ strcat(journal, ".jnl");
+ } else {
+ journal = NULL;
+ }
+ result = dns_zone_setstring(zone, &zone->journal, journal);
+ if (journal != NULL)
+ isc_mem_free(zone->mctx, journal);
+ return (result);
+}
+
+isc_result_t
+dns_zone_setjournal(dns_zone_t *zone, const char *journal) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ result = dns_zone_setstring(zone, &zone->journal, journal);
+ UNLOCK_ZONE(zone);
+
+ return (result);
+}
+
+char *
+dns_zone_getjournal(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->journal);
+}
+
+/*
+ * Return true iff the zone is "dynamic", in the sense that the zone's
+ * master file (if any) is written by the server, rather than being
+ * updated manually and read by the server.
+ *
+ * This is true for slave zones, stub zones, and zones that allow
+ * dynamic updates either by having an update policy ("ssutable")
+ * or an "allow-update" ACL with a value other than exactly "{ none; }".
+ */
+static isc_boolean_t
+zone_isdynamic(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (ISC_TF(zone->type == dns_zone_slave ||
+ zone->type == dns_zone_stub ||
+ (!zone->update_disabled && zone->ssutable != NULL) ||
+ (!zone->update_disabled && zone->update_acl != NULL &&
+ ! (zone->update_acl->length == 1 &&
+ zone->update_acl->elements[0].negative == ISC_TRUE
+ &&
+ zone->update_acl->elements[0].type ==
+ dns_aclelementtype_any))));
+}
+
+
+static isc_result_t
+zone_load(dns_zone_t *zone, unsigned int flags) {
+ isc_result_t result;
+ isc_time_t now;
+ isc_time_t loadtime, filetime;
+ dns_db_t *db = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ TIME_NOW(&now);
+
+ INSIST(zone->type != dns_zone_none);
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+
+ if (zone->db != NULL && zone->masterfile == NULL) {
+ /*
+ * The zone has no master file configured, but it already
+ * has a database. It could be the built-in
+ * version.bind. CH zone, a zone with a persistent
+ * database being reloaded, or maybe a zone that
+ * used to have a master file but whose configuration
+ * was changed so that it no longer has one. Do nothing.
+ */
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+
+ if (zone->db != NULL && zone_isdynamic(zone)) {
+ /*
+ * This is a slave, stub, or dynamically updated
+ * zone being reloaded. Do nothing - the database
+ * we already have is guaranteed to be up-to-date.
+ */
+ if (zone->type == dns_zone_master)
+ result = DNS_R_DYNAMIC;
+ else
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+
+ /*
+ * Don't do the load if the file that stores the zone is older
+ * than the last time the zone was loaded. If the zone has not
+ * been loaded yet, zone->loadtime will be the epoch.
+ */
+ if (zone->masterfile != NULL && ! isc_time_isepoch(&zone->loadtime)) {
+ /*
+ * The file is already loaded. If we are just doing a
+ * "rndc reconfig", we are done.
+ */
+ if ((flags & DNS_ZONELOADFLAG_NOSTAT) != 0) {
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+ if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE)) {
+ result = isc_file_getmodtime(zone->masterfile,
+ &filetime);
+ if (result == ISC_R_SUCCESS &&
+ isc_time_compare(&filetime, &zone->loadtime) < 0) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "skipping load: master file older "
+ "than last load");
+ result = DNS_R_UPTODATE;
+ goto cleanup;
+ }
+ }
+ }
+
+ INSIST(zone->db_argc >= 1);
+
+ if ((zone->type == dns_zone_slave || zone->type == dns_zone_stub) &&
+ (strcmp(zone->db_argv[0], "rbt") == 0 ||
+ strcmp(zone->db_argv[0], "rbt64") == 0)) {
+ if (zone->masterfile == NULL ||
+ !isc_file_exists(zone->masterfile)) {
+ if (zone->masterfile != NULL)
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "no master file");
+ zone->refreshtime = now;
+ if (zone->task != NULL)
+ zone_settimer(zone, &now);
+ result = ISC_R_SUCCESS;
+ goto cleanup;
+ }
+ }
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "starting load");
+
+ /*
+ * Store the current time before the zone is loaded, so that if the
+ * file changes between the time of the load and the time that
+ * zone->loadtime is set, then the file will still be reloaded
+ * the next time dns_zone_load is called.
+ */
+ TIME_NOW(&loadtime);
+
+ result = dns_db_create(zone->mctx, zone->db_argv[0],
+ &zone->origin, (zone->type == dns_zone_stub) ?
+ dns_dbtype_stub : dns_dbtype_zone,
+ zone->rdclass,
+ zone->db_argc - 1, zone->db_argv + 1,
+ &db);
+
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "loading zone: creating database: %s",
+ isc_result_totext(result));
+ goto cleanup;
+ }
+ dns_db_settask(db, zone->task);
+
+ if (! dns_db_ispersistent(db)) {
+ if (zone->masterfile != NULL) {
+ result = zone_startload(db, zone, loadtime);
+ } else {
+ result = DNS_R_NOMASTERFILE;
+ if (zone->type == dns_zone_master) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "loading zone: "
+ "no master file configured");
+ goto cleanup;
+ }
+ dns_zone_log(zone, ISC_LOG_INFO, "loading zone: "
+ "no master file configured: continuing");
+ }
+ }
+
+ if (result == DNS_R_CONTINUE) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADING);
+ goto cleanup;
+ }
+
+ result = zone_postload(zone, db, loadtime, result);
+
+ cleanup:
+ UNLOCK_ZONE(zone);
+ if (db != NULL)
+ dns_db_detach(&db);
+ return (result);
+}
+
+isc_result_t
+dns_zone_load(dns_zone_t *zone) {
+ return (zone_load(zone, 0));
+}
+
+isc_result_t
+dns_zone_loadnew(dns_zone_t *zone) {
+ return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT));
+}
+
+static void
+zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
+ dns_load_t *load = event->ev_arg;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned int options;
+
+ REQUIRE(DNS_LOAD_VALID(load));
+
+ if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
+ result = ISC_R_CANCELED;
+ isc_event_free(&event);
+ if (result == ISC_R_CANCELED)
+ goto fail;
+
+ options = DNS_MASTER_ZONE;
+ if (load->zone->type == dns_zone_slave)
+ options |= DNS_MASTER_SLAVE;
+ if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNS))
+ options |= DNS_MASTER_CHECKNS;
+ if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_FATALNS))
+ options |= DNS_MASTER_FATALNS;
+ if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMES))
+ options |= DNS_MASTER_CHECKNAMES;
+ if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+ options |= DNS_MASTER_CHECKNAMESFAIL;
+ result = dns_master_loadfileinc(load->zone->masterfile,
+ dns_db_origin(load->db),
+ dns_db_origin(load->db),
+ load->zone->rdclass,
+ options,
+ &load->callbacks, task,
+ zone_loaddone, load,
+ &load->zone->lctx, load->zone->mctx);
+ if (result != ISC_R_SUCCESS && result != DNS_R_CONTINUE &&
+ result != DNS_R_SEENINCLUDE)
+ goto fail;
+ return;
+
+ fail:
+ zone_loaddone(load, result);
+}
+
+static void
+zone_gotwritehandle(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "zone_gotwritehandle";
+ dns_zone_t *zone = event->ev_arg;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_dbversion_t *version = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ INSIST(task == zone->task);
+ ENTER;
+
+ if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
+ result = ISC_R_CANCELED;
+ isc_event_free(&event);
+ if (result == ISC_R_CANCELED)
+ goto fail;
+
+ LOCK_ZONE(zone);
+ dns_db_currentversion(zone->db, &version);
+ result = dns_master_dumpinc(zone->mctx, zone->db, version,
+ &dns_master_style_default,
+ zone->masterfile, zone->task,
+ dump_done, zone, &zone->dctx);
+ dns_db_closeversion(zone->db, &version, ISC_FALSE);
+ UNLOCK_ZONE(zone);
+ if (result != DNS_R_CONTINUE)
+ goto fail;
+ return;
+
+ fail:
+ dump_done(zone, result);
+}
+
+static isc_result_t
+zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
+ dns_load_t *load;
+ isc_result_t result;
+ isc_result_t tresult;
+ unsigned int options;
+
+ options = DNS_MASTER_ZONE;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
+ options |= DNS_MASTER_MANYERRORS;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
+ options |= DNS_MASTER_CHECKNS;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
+ options |= DNS_MASTER_FATALNS;
+ if (zone->type == dns_zone_slave)
+ options |= DNS_MASTER_SLAVE;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+ options |= DNS_MASTER_CHECKNAMES;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+ options |= DNS_MASTER_CHECKNAMESFAIL;
+
+ if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
+ load = isc_mem_get(zone->mctx, sizeof(*load));
+ if (load == NULL)
+ return (ISC_R_NOMEMORY);
+
+ load->mctx = NULL;
+ load->zone = NULL;
+ load->db = NULL;
+ load->loadtime = loadtime;
+ load->magic = LOAD_MAGIC;
+
+ isc_mem_attach(zone->mctx, &load->mctx);
+ zone_iattach(zone, &load->zone);
+ dns_db_attach(db, &load->db);
+ dns_rdatacallbacks_init(&load->callbacks);
+ result = dns_db_beginload(db, &load->callbacks.add,
+ &load->callbacks.add_private);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = zonemgr_getio(zone->zmgr, ISC_TRUE, zone->task,
+ zone_gotreadhandle, load,
+ &zone->readio);
+ if (result != ISC_R_SUCCESS) {
+ tresult = dns_db_endload(load->db,
+ &load->callbacks.add_private);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ goto cleanup;
+ } else
+ result = DNS_R_CONTINUE;
+ } else {
+ dns_rdatacallbacks_t callbacks;
+
+ dns_rdatacallbacks_init(&callbacks);
+ result = dns_db_beginload(db, &callbacks.add,
+ &callbacks.add_private);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = dns_master_loadfile(zone->masterfile, &zone->origin,
+ &zone->origin, zone->rdclass,
+ options, &callbacks, zone->mctx);
+ tresult = dns_db_endload(db, &callbacks.add_private);
+ if (result == ISC_R_SUCCESS)
+ result = tresult;
+ }
+
+ return (result);
+
+ cleanup:
+ load->magic = 0;
+ dns_db_detach(&load->db);
+ zone_idetach(&load->zone);
+ isc_mem_detach(&load->mctx);
+ isc_mem_put(zone->mctx, load, sizeof(*load));
+ return (result);
+}
+
+static isc_result_t
+zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
+ isc_result_t result)
+{
+ unsigned int soacount = 0;
+ unsigned int nscount = 0;
+ isc_uint32_t serial, refresh, retry, expire, minimum;
+ isc_time_t now;
+ isc_boolean_t needdump = ISC_FALSE;
+
+ TIME_NOW(&now);
+
+ /*
+ * Initiate zone transfer? We may need a error code that
+ * indicates that the "permanent" form does not exist.
+ * XXX better error feedback to log.
+ */
+ if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) {
+ if (zone->type == dns_zone_slave ||
+ zone->type == dns_zone_stub) {
+ if (result == ISC_R_FILENOTFOUND)
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "no master file");
+ else if (result != DNS_R_NOMASTERFILE)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "loading master file %s: %s",
+ zone->masterfile,
+ dns_result_totext(result));
+ } else
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "loading master file %s: %s",
+ zone->masterfile,
+ dns_result_totext(result));
+ goto cleanup;
+ }
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(2),
+ "number of nodes in database: %u",
+ dns_db_nodecount(db));
+ zone->loadtime = loadtime;
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
+
+ if (result == DNS_R_SEENINCLUDE)
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+ else
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+ /*
+ * Apply update log, if any, on initial load.
+ */
+ if (zone->journal != NULL &&
+ ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
+ ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+ {
+ result = dns_journal_rollforward(zone->mctx, db,
+ zone->journal);
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
+ result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
+ result != ISC_R_RANGE) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "journal rollforward failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+ if (result == ISC_R_NOTFOUND || result == ISC_R_RANGE) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "journal rollforward failed: "
+ "journal out of sync with zone");
+ goto cleanup;
+ }
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "journal rollforward completed "
+ "successfully: %s",
+ dns_result_totext(result));
+ if (result == ISC_R_SUCCESS)
+ needdump = ISC_TRUE;
+ }
+
+ /*
+ * Obtain ns and soa counts for top of zone.
+ */
+ nscount = 0;
+ soacount = 0;
+ INSIST(db != NULL);
+ result = zone_get_from_db(db, &zone->origin, &nscount,
+ &soacount, &serial, &refresh, &retry,
+ &expire, &minimum);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "could not find NS and/or SOA records");
+ }
+
+ /*
+ * Master / Slave / Stub zones require both NS and SOA records at
+ * the top of the zone.
+ */
+
+ switch (zone->type) {
+ case dns_zone_master:
+ case dns_zone_slave:
+ case dns_zone_stub:
+ if (soacount != 1) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "has %d SOA records", soacount);
+ result = DNS_R_BADZONE;
+ }
+ if (nscount == 0) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "has no NS records");
+ result = DNS_R_BADZONE;
+ }
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ if (zone->db != NULL) {
+ if (!isc_serial_ge(serial, zone->serial)) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "zone serial has gone backwards");
+ }
+ }
+ zone->serial = serial;
+ zone->refresh = RANGE(refresh,
+ zone->minrefresh, zone->maxrefresh);
+ zone->retry = RANGE(retry,
+ zone->minretry, zone->maxretry);
+ zone->expire = RANGE(expire, zone->refresh + zone->retry,
+ DNS_MAX_EXPIRE);
+ zone->minimum = minimum;
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+
+ if (zone->type == dns_zone_slave ||
+ zone->type == dns_zone_stub) {
+ isc_time_t t;
+ isc_uint32_t delay;
+
+ result = isc_file_getmodtime(zone->journal, &t);
+ if (result != ISC_R_SUCCESS)
+ result = isc_file_getmodtime(zone->masterfile,
+ &t);
+ if (result == ISC_R_SUCCESS)
+ DNS_ZONE_TIME_ADD(&t, zone->expire,
+ &zone->expiretime);
+ else
+ DNS_ZONE_TIME_ADD(&now, zone->retry,
+ &zone->expiretime);
+
+ delay = isc_random_jitter(zone->retry,
+ (zone->retry * 3) / 4);
+ DNS_ZONE_TIME_ADD(&now, delay, &zone->refreshtime);
+ if (isc_time_compare(&zone->refreshtime,
+ &zone->expiretime) >= 0)
+ zone->refreshtime = now;
+ }
+ break;
+ default:
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "unexpected zone type %d", zone->type);
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+
+
+#if 0
+ /* destroy notification example. */
+ {
+ isc_event_t *e = isc_event_allocate(zone->mctx, NULL,
+ DNS_EVENT_DBDESTROYED,
+ dns_zonemgr_dbdestroyed,
+ zone,
+ sizeof(isc_event_t));
+ dns_db_ondestroy(db, zone->task, &e);
+ }
+#endif
+
+ if (zone->db != NULL) {
+ result = zone_replacedb(zone, db, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ } else {
+ dns_db_attach(db, &zone->db);
+ DNS_ZONE_SETFLAG(zone,
+ DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
+ }
+ result = ISC_R_SUCCESS;
+ if (needdump)
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ if (zone->task != NULL)
+ zone_settimer(zone, &now);
+
+ if (! dns_db_ispersistent(db))
+ dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s",
+ zone->serial,
+ dns_db_issecure(db) ? " (signed)" : "");
+
+ return (result);
+
+ cleanup:
+ if (zone->type == dns_zone_slave ||
+ zone->type == dns_zone_stub) {
+ if (zone->journal != NULL)
+ zone_saveunique(zone, zone->journal, "jn-XXXXXXXX");
+ if (zone->masterfile != NULL)
+ zone_saveunique(zone, zone->masterfile, "db-XXXXXXXX");
+
+ /* Mark the zone for immediate refresh. */
+ zone->refreshtime = now;
+ if (zone->task != NULL)
+ zone_settimer(zone, &now);
+ result = ISC_R_SUCCESS;
+ }
+ return (result);
+}
+
+static isc_boolean_t
+exit_check(dns_zone_t *zone) {
+
+ REQUIRE(LOCKED_ZONE(zone));
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SHUTDOWN) &&
+ zone->irefs == 0)
+ {
+ /*
+ * DNS_ZONEFLG_SHUTDOWN can only be set if erefs == 0.
+ */
+ INSIST(isc_refcount_current(&zone->erefs) == 0);
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+zone_count_ns_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ unsigned int *nscount)
+{
+ isc_result_t result;
+ unsigned int count;
+ dns_rdataset_t rdataset;
+
+ REQUIRE(nscount != NULL);
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_ns,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ *nscount = 0;
+ result = ISC_R_SUCCESS;
+ goto invalidate_rdataset;
+ }
+ else if (result != ISC_R_SUCCESS)
+ goto invalidate_rdataset;
+
+ count = 0;
+ result = dns_rdataset_first(&rdataset);
+ while (result == ISC_R_SUCCESS) {
+ count++;
+ result = dns_rdataset_next(&rdataset);
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ *nscount = count;
+ result = ISC_R_SUCCESS;
+
+ invalidate_rdataset:
+ dns_rdataset_invalidate(&rdataset);
+
+ return (result);
+}
+
+static isc_result_t
+zone_load_soa_rr(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ unsigned int *soacount,
+ isc_uint32_t *serial, isc_uint32_t *refresh,
+ isc_uint32_t *retry, isc_uint32_t *expire,
+ isc_uint32_t *minimum)
+{
+ isc_result_t result;
+ unsigned int count;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_soa_t soa;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
+ dns_rdatatype_none, 0, &rdataset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto invalidate_rdataset;
+
+ count = 0;
+ result = dns_rdataset_first(&rdataset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdata_init(&rdata);
+ dns_rdataset_current(&rdataset, &rdata);
+ count++;
+ if (count == 1) {
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ }
+
+ result = dns_rdataset_next(&rdataset);
+ dns_rdata_reset(&rdata);
+ }
+ dns_rdataset_disassociate(&rdataset);
+
+ if (soacount != NULL)
+ *soacount = count;
+
+ if (count > 0) {
+ if (serial != NULL)
+ *serial = soa.serial;
+ if (refresh != NULL)
+ *refresh = soa.refresh;
+ if (retry != NULL)
+ *retry = soa.retry;
+ if (expire != NULL)
+ *expire = soa.expire;
+ if (minimum != NULL)
+ *minimum = soa.minimum;
+ }
+
+ result = ISC_R_SUCCESS;
+
+ invalidate_rdataset:
+ dns_rdataset_invalidate(&rdataset);
+
+ return (result);
+}
+
+/*
+ * zone must be locked.
+ */
+static isc_result_t
+zone_get_from_db(dns_db_t *db, dns_name_t *origin, unsigned int *nscount,
+ unsigned int *soacount, isc_uint32_t *serial,
+ isc_uint32_t *refresh, isc_uint32_t *retry,
+ isc_uint32_t *expire, isc_uint32_t *minimum)
+{
+ dns_dbversion_t *version;
+ isc_result_t result;
+ isc_result_t answer = ISC_R_SUCCESS;
+ dns_dbnode_t *node;
+
+ REQUIRE(db != NULL);
+ REQUIRE(origin != NULL);
+
+ version = NULL;
+ dns_db_currentversion(db, &version);
+
+ node = NULL;
+ result = dns_db_findnode(db, origin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS) {
+ answer = result;
+ goto closeversion;
+ }
+
+ if (nscount != NULL) {
+ result = zone_count_ns_rr(db, node, version, nscount);
+ if (result != ISC_R_SUCCESS)
+ answer = result;
+ }
+
+ if (soacount != NULL || serial != NULL || refresh != NULL
+ || retry != NULL || expire != NULL || minimum != NULL) {
+ result = zone_load_soa_rr(db, node, version, soacount,
+ serial, refresh, retry, expire,
+ minimum);
+ if (result != ISC_R_SUCCESS)
+ answer = result;
+ }
+
+ dns_db_detachnode(db, &node);
+ closeversion:
+ dns_db_closeversion(db, &version, ISC_FALSE);
+
+ return (answer);
+}
+
+void
+dns_zone_attach(dns_zone_t *source, dns_zone_t **target) {
+ REQUIRE(DNS_ZONE_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+ isc_refcount_increment(&source->erefs, NULL);
+ *target = source;
+}
+
+void
+dns_zone_detach(dns_zone_t **zonep) {
+ dns_zone_t *zone;
+ unsigned int refs;
+ isc_boolean_t free_now = ISC_FALSE;
+
+ REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+
+ zone = *zonep;
+
+ isc_refcount_decrement(&zone->erefs, &refs);
+
+ if (refs == 0) {
+ LOCK_ZONE(zone);
+ /*
+ * We just detached the last external reference.
+ */
+ if (zone->task != NULL) {
+ /*
+ * This zone is being managed. Post
+ * its control event and let it clean
+ * up synchronously in the context of
+ * its task.
+ */
+ isc_event_t *ev = &zone->ctlevent;
+ isc_task_send(zone->task, &ev);
+ } else {
+ /*
+ * This zone is not being managed; it has
+ * no task and can have no outstanding
+ * events. Free it immediately.
+ */
+ /*
+ * Unmanaged zones should not have non-null views;
+ * we have no way of detaching from the view here
+ * without causing deadlock because this code is called
+ * with the view already locked.
+ */
+ INSIST(zone->view == NULL);
+ free_now = ISC_TRUE;
+ }
+ UNLOCK_ZONE(zone);
+ }
+ *zonep = NULL;
+ if (free_now)
+ zone_free(zone);
+}
+
+void
+dns_zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+ REQUIRE(DNS_ZONE_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+ LOCK_ZONE(source);
+ zone_iattach(source, target);
+ UNLOCK_ZONE(source);
+}
+
+static void
+zone_iattach(dns_zone_t *source, dns_zone_t **target) {
+
+ /*
+ * 'source' locked by caller.
+ */
+ REQUIRE(LOCKED_ZONE(source));
+ REQUIRE(DNS_ZONE_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+ INSIST(source->irefs + isc_refcount_current(&source->erefs) > 0);
+ source->irefs++;
+ INSIST(source->irefs != 0);
+ *target = source;
+}
+
+static void
+zone_idetach(dns_zone_t **zonep) {
+ dns_zone_t *zone;
+
+ /*
+ * 'zone' locked by caller.
+ */
+ REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+ zone = *zonep;
+ REQUIRE(LOCKED_ZONE(*zonep));
+ *zonep = NULL;
+
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ INSIST(zone->irefs + isc_refcount_current(&zone->erefs) > 0);
+}
+
+void
+dns_zone_idetach(dns_zone_t **zonep) {
+ dns_zone_t *zone;
+ isc_boolean_t free_needed;
+
+ REQUIRE(zonep != NULL && DNS_ZONE_VALID(*zonep));
+ zone = *zonep;
+ *zonep = NULL;
+
+ LOCK_ZONE(zone);
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ free_needed = exit_check(zone);
+ UNLOCK_ZONE(zone);
+ if (free_needed)
+ zone_free(zone);
+}
+
+isc_mem_t *
+dns_zone_getmctx(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->mctx);
+}
+
+dns_zonemgr_t *
+dns_zone_getmgr(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->zmgr);
+}
+
+void
+dns_zone_setflag(dns_zone_t *zone, unsigned int flags, isc_boolean_t value) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (value)
+ DNS_ZONE_SETFLAG(zone, flags);
+ else
+ DNS_ZONE_CLRFLAG(zone, flags);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setoption(dns_zone_t *zone, unsigned int option, isc_boolean_t value)
+{
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (value)
+ zone->options |= option;
+ else
+ zone->options &= ~option;
+ UNLOCK_ZONE(zone);
+}
+
+unsigned int
+dns_zone_getoptions(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->options);
+}
+
+isc_result_t
+dns_zone_setxfrsource4(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->xfrsource4 = *xfrsource;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource4(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->xfrsource4);
+}
+
+isc_result_t
+dns_zone_setxfrsource6(dns_zone_t *zone, isc_sockaddr_t *xfrsource) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->xfrsource6 = *xfrsource;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getxfrsource6(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->xfrsource6);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource4(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->altxfrsource4 = *altxfrsource;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource4(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->altxfrsource4);
+}
+
+isc_result_t
+dns_zone_setaltxfrsource6(dns_zone_t *zone, isc_sockaddr_t *altxfrsource) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->altxfrsource6 = *altxfrsource;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getaltxfrsource6(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->altxfrsource6);
+}
+
+isc_result_t
+dns_zone_setnotifysrc4(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->notifysrc4 = *notifysrc;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc4(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->notifysrc4);
+}
+
+isc_result_t
+dns_zone_setnotifysrc6(dns_zone_t *zone, isc_sockaddr_t *notifysrc) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone->notifysrc6 = *notifysrc;
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_sockaddr_t *
+dns_zone_getnotifysrc6(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (&zone->notifysrc6);
+}
+
+isc_result_t
+dns_zone_setalsonotify(dns_zone_t *zone, isc_sockaddr_t *notify,
+ isc_uint32_t count)
+{
+ isc_sockaddr_t *new;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(count == 0 || notify != NULL);
+
+ LOCK_ZONE(zone);
+ if (zone->notify != NULL) {
+ isc_mem_put(zone->mctx, zone->notify,
+ zone->notifycnt * sizeof(*new));
+ zone->notify = NULL;
+ zone->notifycnt = 0;
+ }
+ if (count != 0) {
+ new = isc_mem_get(zone->mctx, count * sizeof(*new));
+ if (new == NULL) {
+ UNLOCK_ZONE(zone);
+ return (ISC_R_NOMEMORY);
+ }
+ memcpy(new, notify, count * sizeof(*new));
+ zone->notify = new;
+ zone->notifycnt = count;
+ }
+ UNLOCK_ZONE(zone);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_setmasters(dns_zone_t *zone, isc_sockaddr_t *masters,
+ isc_uint32_t count)
+{
+ isc_result_t result;
+
+ result = dns_zone_setmasterswithkeys(zone, masters, NULL, count);
+ return (result);
+}
+
+isc_result_t
+dns_zone_setmasterswithkeys(dns_zone_t *zone, isc_sockaddr_t *masters,
+ dns_name_t **keynames, isc_uint32_t count)
+{
+ isc_sockaddr_t *new;
+ isc_result_t result = ISC_R_SUCCESS;
+ dns_name_t **newname;
+ unsigned int i;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(count == 0 || masters != NULL);
+ if (keynames != NULL) {
+ REQUIRE(count != 0);
+ }
+
+ LOCK_ZONE(zone);
+ if (zone->masters != NULL) {
+ isc_mem_put(zone->mctx, zone->masters,
+ zone->masterscnt * sizeof(*new));
+ zone->masters = NULL;
+ }
+ if (zone->masterkeynames != NULL) {
+ for (i = 0; i < zone->masterscnt; i++) {
+ if (zone->masterkeynames[i] != NULL) {
+ dns_name_free(zone->masterkeynames[i],
+ zone->mctx);
+ isc_mem_put(zone->mctx,
+ zone->masterkeynames[i],
+ sizeof(dns_name_t));
+ zone->masterkeynames[i] = NULL;
+ }
+ }
+ isc_mem_put(zone->mctx, zone->masterkeynames,
+ zone->masterscnt * sizeof(dns_name_t *));
+ zone->masterkeynames = NULL;
+ }
+ zone->masterscnt = 0;
+ /*
+ * If count == 0, don't allocate any space for masters or keynames
+ * so internally, those pointers are NULL if count == 0
+ */
+ if (count == 0)
+ goto unlock;
+
+ /*
+ * masters must countain count elements!
+ */
+ new = isc_mem_get(zone->mctx,
+ count * sizeof(isc_sockaddr_t));
+ if (new == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+ memcpy(new, masters, count * sizeof(*new));
+ zone->masters = new;
+ zone->masterscnt = count;
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+
+ /*
+ * if keynames is non-NULL, it must contain count elements!
+ */
+ if (keynames != NULL) {
+ newname = isc_mem_get(zone->mctx,
+ count * sizeof(dns_name_t *));
+ if (newname == NULL) {
+ result = ISC_R_NOMEMORY;
+ isc_mem_put(zone->mctx, zone->masters,
+ count * sizeof(*new));
+ goto unlock;
+ }
+ for (i = 0; i < count; i++)
+ newname[i] = NULL;
+ for (i = 0; i < count; i++) {
+ if (keynames[i] != NULL) {
+ newname[i] = isc_mem_get(zone->mctx,
+ sizeof(dns_name_t));
+ if (newname[i] == NULL)
+ goto allocfail;
+ dns_name_init(newname[i], NULL);
+ result = dns_name_dup(keynames[i], zone->mctx,
+ newname[i]);
+ if (result != ISC_R_SUCCESS) {
+ allocfail:
+ for (i = 0; i < count; i++)
+ if (newname[i] != NULL)
+ dns_name_free(
+ newname[i],
+ zone->mctx);
+ isc_mem_put(zone->mctx, zone->masters,
+ count * sizeof(*new));
+ isc_mem_put(zone->mctx, newname,
+ count * sizeof(*newname));
+ goto unlock;
+ }
+ }
+ }
+ zone->masterkeynames = newname;
+ }
+ unlock:
+ UNLOCK_ZONE(zone);
+ return (result);
+}
+
+isc_result_t
+dns_zone_getdb(dns_zone_t *zone, dns_db_t **dpb) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->db == NULL)
+ result = DNS_R_NOTLOADED;
+ else
+ dns_db_attach(zone->db, dpb);
+ UNLOCK_ZONE(zone);
+
+ return (result);
+}
+
+/*
+ * Co-ordinates the starting of routine jobs.
+ */
+
+void
+dns_zone_maintenance(dns_zone_t *zone) {
+ const char me[] = "dns_zone_maintenance";
+ isc_time_t now;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ ENTER;
+
+ LOCK_ZONE(zone);
+ TIME_NOW(&now);
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+}
+
+static inline isc_boolean_t
+was_dumping(dns_zone_t *zone) {
+ isc_boolean_t dumping;
+
+ REQUIRE(LOCKED_ZONE(zone));
+
+ dumping = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+ if (!dumping) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+ isc_time_settoepoch(&zone->dumptime);
+ }
+ return (dumping);
+}
+
+static void
+zone_maintenance(dns_zone_t *zone) {
+ const char me[] = "zone_maintenance";
+ isc_time_t now;
+ isc_result_t result;
+ isc_boolean_t dumping;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ ENTER;
+
+ /*
+ * Configuring the view of this zone may have
+ * failed, for example because the config file
+ * had a syntax error. In that case, the view
+ * adb or resolver, and we had better not try
+ * to do maintenance on it.
+ */
+ if (zone->view == NULL || zone->view->adb == NULL)
+ return;
+
+ TIME_NOW(&now);
+
+ /*
+ * Expire check.
+ */
+ switch (zone->type) {
+ case dns_zone_slave:
+ case dns_zone_stub:
+ LOCK_ZONE(zone);
+ if (isc_time_compare(&now, &zone->expiretime) >= 0 &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+ zone_expire(zone);
+ zone->refreshtime = now;
+ }
+ UNLOCK_ZONE(zone);
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Up to date check.
+ */
+ switch (zone->type) {
+ case dns_zone_slave:
+ case dns_zone_stub:
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
+ isc_time_compare(&now, &zone->refreshtime) >= 0)
+ dns_zone_refresh(zone);
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Do we need to consolidate the backing store?
+ */
+ switch (zone->type) {
+ case dns_zone_master:
+ case dns_zone_slave:
+ LOCK_ZONE(zone);
+ if (zone->masterfile != NULL &&
+ isc_time_compare(&now, &zone->dumptime) >= 0 &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
+ dumping = was_dumping(zone);
+ } else
+ dumping = ISC_TRUE;
+ UNLOCK_ZONE(zone);
+ if (!dumping) {
+ result = zone_dump(zone, ISC_TRUE); /* task locked */
+ if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "dump failed: %s",
+ dns_result_totext(result));
+ }
+ break;
+ default:
+ break;
+ }
+
+ /*
+ * Do we need to send out notify messages?
+ */
+ switch (zone->type) {
+ case dns_zone_master:
+ case dns_zone_slave:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
+ zone_notify(zone);
+ break;
+ default:
+ break;
+ }
+ zone_settimer(zone, &now);
+}
+
+void
+dns_zone_markdirty(dns_zone_t *zone) {
+
+ LOCK_ZONE(zone);
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_expire(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone_expire(zone);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_expire(dns_zone_t *zone) {
+ /*
+ * 'zone' locked by caller.
+ */
+
+ REQUIRE(LOCKED_ZONE(zone));
+
+ dns_zone_log(zone, ISC_LOG_WARNING, "expired");
+
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXPIRED);
+ zone->refresh = DNS_ZONE_DEFAULTREFRESH;
+ zone->retry = DNS_ZONE_DEFAULTRETRY;
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+ zone_unload(zone);
+}
+
+void
+dns_zone_refresh(dns_zone_t *zone) {
+ isc_interval_t i;
+ isc_uint32_t oldflags;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+ return;
+
+ /*
+ * Set DNS_ZONEFLG_REFRESH so that there is only one refresh operation
+ * in progress at a time.
+ */
+
+ LOCK_ZONE(zone);
+ oldflags = zone->flags;
+ if (zone->masterscnt == 0) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOMASTERS);
+ if ((oldflags & DNS_ZONEFLG_NOMASTERS) == 0)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "cannot refresh: no masters");
+ goto unlock;
+ }
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ if ((oldflags & (DNS_ZONEFLG_REFRESH|DNS_ZONEFLG_LOADING)) != 0)
+ goto unlock;
+
+ /*
+ * Set the next refresh time as if refresh check has failed.
+ * Setting this to the retry time will do that. XXXMLG
+ * If we are successful it will be reset using zone->refresh.
+ */
+ isc_interval_set(&i, isc_random_jitter(zone->retry, zone->retry / 4),
+ 0);
+ isc_time_nowplusinterval(&zone->refreshtime, &i);
+
+ /*
+ * When lacking user-specified timer values from the SOA,
+ * do exponential backoff of the retry time up to a
+ * maximum of six hours.
+ */
+ if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HAVETIMERS))
+ zone->retry = ISC_MIN(zone->retry * 2, 6 * 3600);
+
+ zone->curmaster = 0;
+ /* initiate soa query */
+ queue_soa_query(zone);
+ unlock:
+ UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_flush(dns_zone_t *zone) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_boolean_t dumping;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FLUSH);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ zone->masterfile != NULL) {
+ result = ISC_R_ALREADYRUNNING;
+ dumping = was_dumping(zone);
+ } else
+ dumping = ISC_TRUE;
+ UNLOCK_ZONE(zone);
+ if (!dumping)
+ result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
+ return (result);
+}
+
+isc_result_t
+dns_zone_dump(dns_zone_t *zone) {
+ isc_result_t result = ISC_R_ALREADYRUNNING;
+ isc_boolean_t dumping;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ dumping = was_dumping(zone);
+ UNLOCK_ZONE(zone);
+ if (!dumping)
+ result = zone_dump(zone, ISC_FALSE); /* Unknown task. */
+ return (result);
+}
+
+static void
+zone_needdump(dns_zone_t *zone, unsigned int delay) {
+ isc_time_t dumptime;
+ isc_time_t now;
+
+ /*
+ * 'zone' locked by caller
+ */
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(LOCKED_ZONE(zone));
+
+ /*
+ * Do we have a place to dump to and are we loaded?
+ */
+ if (zone->masterfile == NULL ||
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) == 0)
+ return;
+
+ TIME_NOW(&now);
+ /* add some noise */
+ DNS_ZONE_JITTER_ADD(&now, delay, &dumptime);
+
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+ if (isc_time_isepoch(&zone->dumptime) ||
+ isc_time_compare(&zone->dumptime, &dumptime) > 0)
+ zone->dumptime = dumptime;
+ if (zone->task != NULL)
+ zone_settimer(zone, &now);
+}
+
+static void
+dump_done(void *arg, isc_result_t result) {
+ const char me[] = "dump_done";
+ dns_zone_t *zone = arg;
+ dns_db_t *db;
+ dns_dbversion_t *version;
+ isc_boolean_t again = ISC_FALSE;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ ENTER;
+
+ if (result == ISC_R_SUCCESS && zone->journal != NULL &&
+ zone->journalsize != -1) {
+ isc_uint32_t serial;
+ isc_result_t tresult;
+
+ /*
+ * We don't own these, zone->dctx must stay valid.
+ */
+ db = dns_dumpctx_db(zone->dctx);
+ version = dns_dumpctx_version(zone->dctx);
+
+ tresult = dns_db_getsoaserial(db, version, &serial);
+ if (tresult == ISC_R_SUCCESS) {
+ tresult = dns_journal_compact(zone->mctx,
+ zone->journal,
+ serial,
+ zone->journalsize);
+ switch (tresult) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOSPACE:
+ case ISC_R_NOTFOUND:
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "dns_journal_compact: %s",
+ dns_result_totext(tresult));
+ break;
+ default:
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "dns_journal_compact failed: %s",
+ dns_result_totext(tresult));
+ break;
+ }
+ }
+ }
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+ if (result != ISC_R_SUCCESS && result != ISC_R_CANCELED) {
+ /*
+ * Try again in a short while.
+ */
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ } else if (result == ISC_R_SUCCESS &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+ isc_time_settoepoch(&zone->dumptime);
+ again = ISC_TRUE;
+ } else if (result == ISC_R_SUCCESS)
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+
+ if (zone->dctx != NULL)
+ dns_dumpctx_detach(&zone->dctx);
+ zonemgr_putio(&zone->writeio);
+ UNLOCK_ZONE(zone);
+ if (again)
+ (void)zone_dump(zone, ISC_FALSE);
+ dns_zone_idetach(&zone);
+}
+
+static isc_result_t
+zone_dump(dns_zone_t *zone, isc_boolean_t compact) {
+ const char me[] = "zone_dump";
+ isc_result_t result;
+ dns_dbversion_t *version = NULL;
+ isc_boolean_t again;
+ dns_db_t *db = NULL;
+ char *masterfile = NULL;
+
+/*
+ * 'compact' MUST only be set if we are task locked.
+ */
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ ENTER;
+
+ redo:
+ LOCK_ZONE(zone);
+ if (zone->db != NULL)
+ dns_db_attach(zone->db, &db);
+ if (zone->masterfile != NULL)
+ masterfile = isc_mem_strdup(zone->mctx, zone->masterfile);
+ UNLOCK_ZONE(zone);
+ if (db == NULL) {
+ result = DNS_R_NOTLOADED;
+ goto fail;
+ }
+ if (masterfile == NULL) {
+ result = DNS_R_NOMASTERFILE;
+ goto fail;
+ }
+
+ if (compact) {
+ dns_zone_t *dummy = NULL;
+ LOCK_ZONE(zone);
+ zone_iattach(zone, &dummy);
+ result = zonemgr_getio(zone->zmgr, ISC_FALSE, zone->task,
+ zone_gotwritehandle, zone,
+ &zone->writeio);
+ if (result != ISC_R_SUCCESS)
+ zone_idetach(&dummy);
+ else
+ result = DNS_R_CONTINUE;
+ UNLOCK_ZONE(zone);
+ } else {
+ dns_db_currentversion(db, &version);
+ result = dns_master_dump(zone->mctx, db, version,
+ &dns_master_style_default,
+ masterfile);
+ dns_db_closeversion(db, &version, ISC_FALSE);
+ }
+ fail:
+ if (db != NULL)
+ dns_db_detach(&db);
+ if (masterfile != NULL)
+ isc_mem_free(zone->mctx, masterfile);
+ masterfile = NULL;
+
+ if (result == DNS_R_CONTINUE)
+ return (ISC_R_SUCCESS); /* XXXMPA */
+
+ again = ISC_FALSE;
+ LOCK_ZONE(zone);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DUMPING);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Try again in a short while.
+ */
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDDUMP);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DUMPING);
+ isc_time_settoepoch(&zone->dumptime);
+ again = ISC_TRUE;
+ } else
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FLUSH);
+ UNLOCK_ZONE(zone);
+ if (again)
+ goto redo;
+
+ return (result);
+}
+
+static isc_result_t
+dumptostream(dns_zone_t *zone, FILE *fd, const dns_master_style_t *style) {
+ isc_result_t result;
+ dns_dbversion_t *version = NULL;
+ dns_db_t *db = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->db != NULL)
+ dns_db_attach(zone->db, &db);
+ UNLOCK_ZONE(zone);
+ if (db == NULL)
+ return (DNS_R_NOTLOADED);
+
+ dns_db_currentversion(db, &version);
+ result = dns_master_dumptostream(zone->mctx, db, version, style, fd);
+ dns_db_closeversion(db, &version, ISC_FALSE);
+ dns_db_detach(&db);
+ return (result);
+}
+
+isc_result_t
+dns_zone_dumptostream(dns_zone_t *zone, FILE *fd) {
+ return dumptostream(zone, fd, &dns_master_style_default);
+}
+
+isc_result_t
+dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd) {
+ return dumptostream(zone, fd, &dns_master_style_full);
+}
+
+void
+dns_zone_unload(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ zone_unload(zone);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+notify_cancel(dns_zone_t *zone) {
+ dns_notify_t *notify;
+
+ /*
+ * 'zone' locked by caller.
+ */
+
+ REQUIRE(LOCKED_ZONE(zone));
+
+ for (notify = ISC_LIST_HEAD(zone->notifies);
+ notify != NULL;
+ notify = ISC_LIST_NEXT(notify, link)) {
+ if (notify->find != NULL)
+ dns_adb_cancelfind(notify->find);
+ if (notify->request != NULL)
+ dns_request_cancel(notify->request);
+ }
+}
+
+static void
+zone_unload(dns_zone_t *zone) {
+
+ /*
+ * 'zone' locked by caller.
+ */
+
+ REQUIRE(LOCKED_ZONE(zone));
+
+ dns_db_detach(&zone->db);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADED);
+}
+
+void
+dns_zone_setminrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(val > 0);
+
+ zone->minrefresh = val;
+}
+
+void
+dns_zone_setmaxrefreshtime(dns_zone_t *zone, isc_uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(val > 0);
+
+ zone->maxrefresh = val;
+}
+
+void
+dns_zone_setminretrytime(dns_zone_t *zone, isc_uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(val > 0);
+
+ zone->minretry = val;
+}
+
+void
+dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(val > 0);
+
+ zone->maxretry = val;
+}
+
+static isc_boolean_t
+notify_isqueued(dns_zone_t *zone, dns_name_t *name, isc_sockaddr_t *addr) {
+ dns_notify_t *notify;
+
+ for (notify = ISC_LIST_HEAD(zone->notifies);
+ notify != NULL;
+ notify = ISC_LIST_NEXT(notify, link)) {
+ if (notify->request != NULL)
+ continue;
+ if (name != NULL && dns_name_dynamic(&notify->ns) &&
+ dns_name_equal(name, &notify->ns))
+ return (ISC_TRUE);
+ if (addr != NULL && isc_sockaddr_equal(addr, &notify->dst))
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+static void
+notify_destroy(dns_notify_t *notify, isc_boolean_t locked) {
+ isc_mem_t *mctx;
+
+ /*
+ * Caller holds zone lock.
+ */
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+
+ if (notify->zone != NULL) {
+ if (!locked)
+ LOCK_ZONE(notify->zone);
+ REQUIRE(LOCKED_ZONE(notify->zone));
+ if (ISC_LINK_LINKED(notify, link))
+ ISC_LIST_UNLINK(notify->zone->notifies, notify, link);
+ if (!locked)
+ UNLOCK_ZONE(notify->zone);
+ if (locked)
+ zone_idetach(&notify->zone);
+ else
+ dns_zone_idetach(&notify->zone);
+ }
+ if (notify->find != NULL)
+ dns_adb_destroyfind(&notify->find);
+ if (notify->request != NULL)
+ dns_request_destroy(&notify->request);
+ if (dns_name_dynamic(&notify->ns))
+ dns_name_free(&notify->ns, notify->mctx);
+ mctx = notify->mctx;
+ isc_mem_put(notify->mctx, notify, sizeof(*notify));
+ isc_mem_detach(&mctx);
+}
+
+static isc_result_t
+notify_create(isc_mem_t *mctx, unsigned int flags, dns_notify_t **notifyp) {
+ dns_notify_t *notify;
+
+ REQUIRE(notifyp != NULL && *notifyp == NULL);
+
+ notify = isc_mem_get(mctx, sizeof(*notify));
+ if (notify == NULL)
+ return (ISC_R_NOMEMORY);
+
+ notify->mctx = NULL;
+ isc_mem_attach(mctx, &notify->mctx);
+ notify->flags = flags;
+ notify->zone = NULL;
+ notify->find = NULL;
+ notify->request = NULL;
+ isc_sockaddr_any(&notify->dst);
+ dns_name_init(&notify->ns, NULL);
+ ISC_LINK_INIT(notify, link);
+ notify->magic = NOTIFY_MAGIC;
+ *notifyp = notify;
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * XXXAG should check for DNS_ZONEFLG_EXITING
+ */
+static void
+process_adb_event(isc_task_t *task, isc_event_t *ev) {
+ dns_notify_t *notify;
+ isc_eventtype_t result;
+
+ UNUSED(task);
+
+ notify = ev->ev_arg;
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+ INSIST(task == notify->zone->task);
+ result = ev->ev_type;
+ isc_event_free(&ev);
+ if (result == DNS_EVENT_ADBMOREADDRESSES) {
+ dns_adb_destroyfind(&notify->find);
+ notify_find_address(notify);
+ return;
+ }
+ if (result == DNS_EVENT_ADBNOMOREADDRESSES) {
+ LOCK_ZONE(notify->zone);
+ notify_send(notify);
+ UNLOCK_ZONE(notify->zone);
+ }
+ notify_destroy(notify, ISC_FALSE);
+}
+
+static void
+notify_find_address(dns_notify_t *notify) {
+ isc_result_t result;
+ unsigned int options;
+
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+ options = DNS_ADBFIND_WANTEVENT | DNS_ADBFIND_INET |
+ DNS_ADBFIND_INET6 | DNS_ADBFIND_RETURNLAME;
+
+ if (notify->zone->view->adb == NULL)
+ goto destroy;
+
+ result = dns_adb_createfind(notify->zone->view->adb,
+ notify->zone->task,
+ process_adb_event, notify,
+ &notify->ns, dns_rootname,
+ options, 0, NULL,
+ notify->zone->view->dstport,
+ &notify->find);
+
+ /* Something failed? */
+ if (result != ISC_R_SUCCESS)
+ goto destroy;
+
+ /* More addresses pending? */
+ if ((notify->find->options & DNS_ADBFIND_WANTEVENT) != 0)
+ return;
+
+ /* We have as many addresses as we can get. */
+ LOCK_ZONE(notify->zone);
+ notify_send(notify);
+ UNLOCK_ZONE(notify->zone);
+
+ destroy:
+ notify_destroy(notify, ISC_FALSE);
+}
+
+
+static isc_result_t
+notify_send_queue(dns_notify_t *notify) {
+ isc_event_t *e;
+ isc_result_t result;
+
+ e = isc_event_allocate(notify->mctx, NULL,
+ DNS_EVENT_NOTIFYSENDTOADDR,
+ notify_send_toaddr,
+ notify, sizeof(isc_event_t));
+ if (e == NULL)
+ return (ISC_R_NOMEMORY);
+ e->ev_arg = notify;
+ e->ev_sender = NULL;
+ result = isc_ratelimiter_enqueue(notify->zone->zmgr->rl,
+ notify->zone->task, &e);
+ if (result != ISC_R_SUCCESS)
+ isc_event_free(&e);
+ return (result);
+}
+
+static void
+notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
+ dns_notify_t *notify;
+ isc_result_t result;
+ dns_message_t *message = NULL;
+ isc_netaddr_t dstip;
+ dns_tsigkey_t *key = NULL;
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ isc_sockaddr_t src;
+ int timeout;
+
+ notify = event->ev_arg;
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+
+ UNUSED(task);
+
+ LOCK_ZONE(notify->zone);
+
+ if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_LOADED) == 0) {
+ result = ISC_R_CANCELED;
+ goto cleanup;
+ }
+
+ if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0 ||
+ DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_EXITING) ||
+ notify->zone->view->requestmgr == NULL ||
+ notify->zone->db == NULL) {
+ result = ISC_R_CANCELED;
+ goto cleanup;
+ }
+
+ /*
+ * The raw IPv4 address should also exist. Don't send to the
+ * mapped form.
+ */
+ if (isc_sockaddr_pf(&notify->dst) == PF_INET6 &&
+ IN6_IS_ADDR_V4MAPPED(&notify->dst.type.sin6.sin6_addr)) {
+ isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+ notify_log(notify->zone, ISC_LOG_DEBUG(3),
+ "notify: ignoring IPv6 mapped IPV4 address: %s",
+ addrbuf);
+ result = ISC_R_CANCELED;
+ goto cleanup;
+ }
+
+ result = notify_createmessage(notify->zone, notify->flags, &message);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ isc_netaddr_fromsockaddr(&dstip, &notify->dst);
+ (void)dns_view_getpeertsig(notify->zone->view, &dstip, &key);
+
+ isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+ notify_log(notify->zone, ISC_LOG_DEBUG(3), "sending notify to %s",
+ addrbuf);
+ switch (isc_sockaddr_pf(&notify->dst)) {
+ case PF_INET:
+ src = notify->zone->notifysrc4;
+ break;
+ case PF_INET6:
+ src = notify->zone->notifysrc6;
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup_key;
+ }
+ timeout = 15;
+ if (DNS_ZONE_FLAG(notify->zone, DNS_ZONEFLG_DIALNOTIFY))
+ timeout = 30;
+ result = dns_request_createvia2(notify->zone->view->requestmgr,
+ message, &src, &notify->dst, 0, key,
+ timeout * 3, timeout,
+ notify->zone->task, notify_done,
+ notify, &notify->request);
+ cleanup_key:
+ if (key != NULL)
+ dns_tsigkey_detach(&key);
+ dns_message_destroy(&message);
+ cleanup:
+ UNLOCK_ZONE(notify->zone);
+ if (result != ISC_R_SUCCESS)
+ notify_destroy(notify, ISC_FALSE);
+ isc_event_free(&event);
+}
+
+static void
+notify_send(dns_notify_t *notify) {
+ dns_adbaddrinfo_t *ai;
+ isc_sockaddr_t dst;
+ isc_result_t result;
+ dns_notify_t *new = NULL;
+
+ /*
+ * Zone lock held by caller.
+ */
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+ REQUIRE(LOCKED_ZONE(notify->zone));
+
+ for (ai = ISC_LIST_HEAD(notify->find->list);
+ ai != NULL;
+ ai = ISC_LIST_NEXT(ai, publink)) {
+ dst = ai->sockaddr;
+ if (notify_isqueued(notify->zone, NULL, &dst))
+ continue;
+ new = NULL;
+ result = notify_create(notify->mctx,
+ (notify->flags & DNS_NOTIFY_NOSOA),
+ &new);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ zone_iattach(notify->zone, &new->zone);
+ ISC_LIST_APPEND(new->zone->notifies, new, link);
+ new->dst = dst;
+ result = notify_send_queue(new);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ new = NULL;
+ }
+
+ cleanup:
+ if (new != NULL)
+ notify_destroy(new, ISC_TRUE);
+}
+
+void
+dns_zone_notify(dns_zone_t *zone) {
+ isc_time_t now;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+
+ TIME_NOW(&now);
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+}
+
+static void
+zone_notify(dns_zone_t *zone) {
+ dns_dbnode_t *node = NULL;
+ dns_dbversion_t *version = NULL;
+ dns_name_t *origin = NULL;
+ dns_name_t master;
+ dns_rdata_ns_t ns;
+ dns_rdata_soa_t soa;
+ isc_uint32_t serial;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdataset_t nsrdset;
+ dns_rdataset_t soardset;
+ isc_result_t result;
+ dns_notify_t *notify = NULL;
+ unsigned int i;
+ isc_sockaddr_t dst;
+ isc_boolean_t isqueued;
+ dns_notifytype_t notifytype;
+ unsigned int flags = 0;
+ isc_boolean_t loggednotify = ISC_FALSE;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+ notifytype = zone->notifytype;
+ UNLOCK_ZONE(zone);
+
+ if (! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
+ return;
+
+ if (notifytype == dns_notifytype_no)
+ return;
+
+ origin = &zone->origin;
+
+ /*
+ * If the zone is dialup we are done as we don't want to send
+ * the current soa so as to force a refresh query.
+ */
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
+ flags |= DNS_NOTIFY_NOSOA;
+
+ /*
+ * Get SOA RRset.
+ */
+ dns_db_currentversion(zone->db, &version);
+ result = dns_db_findnode(zone->db, origin, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup1;
+
+ dns_rdataset_init(&soardset);
+ result = dns_db_findrdataset(zone->db, node, version,
+ dns_rdatatype_soa,
+ dns_rdatatype_none, 0, &soardset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup2;
+
+ /*
+ * Find serial and master server's name.
+ */
+ dns_name_init(&master, NULL);
+ result = dns_rdataset_first(&soardset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup3;
+ dns_rdataset_current(&soardset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ result = dns_name_dup(&soa.origin, zone->mctx, &master);
+ serial = soa.serial;
+ dns_rdataset_disassociate(&soardset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup3;
+
+ /*
+ * Enqueue notify requests for 'also-notify' servers.
+ */
+ LOCK_ZONE(zone);
+ for (i = 0; i < zone->notifycnt; i++) {
+ dst = zone->notify[i];
+ if (notify_isqueued(zone, NULL, &dst))
+ continue;
+ result = notify_create(zone->mctx, flags, &notify);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ zone_iattach(zone, &notify->zone);
+ notify->dst = dst;
+ ISC_LIST_APPEND(zone->notifies, notify, link);
+ result = notify_send_queue(notify);
+ if (result != ISC_R_SUCCESS)
+ notify_destroy(notify, ISC_TRUE);
+ if (!loggednotify) {
+ notify_log(zone, ISC_LOG_INFO,
+ "sending notifies (serial %u)",
+ serial);
+ loggednotify = ISC_TRUE;
+ }
+ notify = NULL;
+ }
+ UNLOCK_ZONE(zone);
+
+ if (notifytype == dns_notifytype_explicit)
+ goto cleanup3;
+
+ /*
+ * Process NS RRset to generate notifies.
+ */
+
+ dns_rdataset_init(&nsrdset);
+ result = dns_db_findrdataset(zone->db, node, version,
+ dns_rdatatype_ns,
+ dns_rdatatype_none, 0, &nsrdset, NULL);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup3;
+
+ result = dns_rdataset_first(&nsrdset);
+ while (result == ISC_R_SUCCESS) {
+ dns_rdataset_current(&nsrdset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &ns, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ /*
+ * don't notify the master server.
+ */
+ if (dns_name_compare(&master, &ns.name) == 0) {
+ result = dns_rdataset_next(&nsrdset);
+ continue;
+ }
+
+ if (!loggednotify) {
+ notify_log(zone, ISC_LOG_INFO,
+ "sending notifies (serial %u)",
+ serial);
+ loggednotify = ISC_TRUE;
+ }
+
+ LOCK_ZONE(zone);
+ isqueued = notify_isqueued(zone, &ns.name, NULL);
+ UNLOCK_ZONE(zone);
+ if (isqueued) {
+ result = dns_rdataset_next(&nsrdset);
+ continue;
+ }
+ result = notify_create(zone->mctx, flags, &notify);
+ if (result != ISC_R_SUCCESS)
+ continue;
+ dns_zone_iattach(zone, &notify->zone);
+ result = dns_name_dup(&ns.name, zone->mctx, &notify->ns);
+ if (result != ISC_R_SUCCESS) {
+ LOCK_ZONE(zone);
+ notify_destroy(notify, ISC_TRUE);
+ UNLOCK_ZONE(zone);
+ continue;
+ }
+ LOCK_ZONE(zone);
+ ISC_LIST_APPEND(zone->notifies, notify, link);
+ UNLOCK_ZONE(zone);
+ notify_find_address(notify);
+ notify = NULL;
+ result = dns_rdataset_next(&nsrdset);
+ }
+ dns_rdataset_disassociate(&nsrdset);
+
+ cleanup3:
+ if (dns_name_dynamic(&master))
+ dns_name_free(&master, zone->mctx);
+ cleanup2:
+ dns_db_detachnode(zone->db, &node);
+ cleanup1:
+ dns_db_closeversion(zone->db, &version, ISC_FALSE);
+}
+
+/***
+ *** Private
+ ***/
+
+static inline isc_result_t
+save_nsrrset(dns_message_t *message, dns_name_t *name,
+ dns_db_t *db, dns_dbversion_t *version)
+{
+ dns_rdataset_t *nsrdataset = NULL;
+ dns_rdataset_t *rdataset = NULL;
+ dns_dbnode_t *node = NULL;
+ dns_rdata_ns_t ns;
+ isc_result_t result;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ /*
+ * Extract NS RRset from message.
+ */
+ result = dns_message_findname(message, DNS_SECTION_ANSWER, name,
+ dns_rdatatype_ns, dns_rdatatype_none,
+ NULL, &nsrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /*
+ * Add NS rdataset.
+ */
+ result = dns_db_findnode(db, name, ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ result = dns_db_addrdataset(db, node, version, 0,
+ nsrdataset, 0, NULL);
+ dns_db_detachnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ /*
+ * Add glue rdatasets.
+ */
+ for (result = dns_rdataset_first(nsrdataset);
+ result == ISC_R_SUCCESS;
+ result = dns_rdataset_next(nsrdataset)) {
+ dns_rdataset_current(nsrdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &ns, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ dns_rdata_reset(&rdata);
+ if (!dns_name_issubdomain(&ns.name, name))
+ continue;
+ rdataset = NULL;
+ result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
+ &ns.name, dns_rdatatype_aaaa,
+ dns_rdatatype_none, NULL,
+ &rdataset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_db_findnode(db, &ns.name,
+ ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ result = dns_db_addrdataset(db, node, version, 0,
+ rdataset, 0, NULL);
+ dns_db_detachnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+ rdataset = NULL;
+ result = dns_message_findname(message, DNS_SECTION_ADDITIONAL,
+ &ns.name, dns_rdatatype_a,
+ dns_rdatatype_none, NULL,
+ &rdataset);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_db_findnode(db, &ns.name,
+ ISC_TRUE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ result = dns_db_addrdataset(db, node, version, 0,
+ rdataset, 0, NULL);
+ dns_db_detachnode(db, &node);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ }
+ }
+ if (result != ISC_R_NOMORE)
+ goto fail;
+
+ return (ISC_R_SUCCESS);
+
+fail:
+ return (result);
+}
+
+static void
+stub_callback(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "stub_callback";
+ dns_requestevent_t *revent = (dns_requestevent_t *)event;
+ dns_stub_t *stub = NULL;
+ dns_message_t *msg = NULL;
+ dns_zone_t *zone = NULL;
+ char master[ISC_SOCKADDR_FORMATSIZE];
+ char source[ISC_SOCKADDR_FORMATSIZE];
+ isc_uint32_t nscnt, cnamecnt;
+ isc_result_t result;
+ isc_time_t now;
+ isc_boolean_t exiting = ISC_FALSE;
+ isc_interval_t i;
+
+ stub = revent->ev_arg;
+ INSIST(DNS_STUB_VALID(stub));
+
+ UNUSED(task);
+
+ zone = stub->zone;
+
+ ENTER;
+
+ TIME_NOW(&now);
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+ zone_debuglog(zone, me, 1, "exiting");
+ exiting = ISC_TRUE;
+ goto next_master;
+ }
+
+ isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+ isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+ if (revent->result != ISC_R_SUCCESS) {
+ if (revent->result == ISC_R_TIMEDOUT &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ UNLOCK_ZONE(zone);
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "refreshing stub: timeout retrying "
+ " without EDNS master %s (source %s)",
+ master, source);
+ goto same_master;
+ }
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "could not refresh stub from master %s"
+ " (source %s): %s", master, source,
+ dns_result_totext(revent->result));
+ goto next_master;
+ }
+
+ result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ if (result != ISC_R_SUCCESS)
+ goto next_master;
+
+ result = dns_request_getresponse(revent->request, msg, 0);
+ if (result != ISC_R_SUCCESS)
+ goto next_master;
+
+ /*
+ * Unexpected rcode.
+ */
+ if (msg->rcode != dns_rcode_noerror) {
+ char rcode[128];
+ isc_buffer_t rb;
+
+ isc_buffer_init(&rb, rcode, sizeof(rcode));
+ (void)dns_rcode_totext(msg->rcode, &rb);
+
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+ (msg->rcode == dns_rcode_servfail ||
+ msg->rcode == dns_rcode_notimp ||
+ msg->rcode == dns_rcode_formerr)) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "refreshing stub: rcode (%.*s) retrying "
+ "without EDNS master %s (source %s)",
+ (int)rb.used, rcode, master, source);
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ UNLOCK_ZONE(zone);
+ goto same_master;
+ }
+
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: "
+ "unexpected rcode (%.*s) from %s (source %s)",
+ (int)rb.used, rcode, master, source);
+ goto next_master;
+ }
+
+ /*
+ * We need complete messages.
+ */
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+ if (dns_request_usedtcp(revent->request)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: truncated TCP "
+ "response from master %s (source %s)",
+ master, source);
+ goto next_master;
+ }
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+ UNLOCK_ZONE(zone);
+ goto same_master;
+ }
+
+ /*
+ * If non-auth log and next master.
+ */
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+ dns_zone_log(zone, ISC_LOG_INFO, "refreshing stub: "
+ "non-authoritative answer from "
+ "master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * Sanity checks.
+ */
+ cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+ nscnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_ns);
+
+ if (cnamecnt != 0) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: unexpected CNAME response "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ if (nscnt == 0) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: no NS records in response "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * Save answer.
+ */
+ result = save_nsrrset(msg, &zone->origin, stub->db, stub->version);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: unable to save NS records "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * Tidy up.
+ */
+ dns_db_closeversion(stub->db, &stub->version, ISC_TRUE);
+ LOCK_ZONE(zone);
+ if (zone->db == NULL)
+ dns_db_attach(stub->db, &zone->db);
+ UNLOCK_ZONE(zone);
+ dns_db_detach(&stub->db);
+
+ if (zone->masterfile != NULL) {
+ dns_zone_dump(zone);
+ TIME_NOW(&zone->loadtime);
+ }
+
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+ DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+ isc_interval_set(&i, zone->expire, 0);
+ DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+ goto free_stub;
+
+ next_master:
+ if (stub->version != NULL)
+ dns_db_closeversion(stub->db, &stub->version, ISC_FALSE);
+ if (stub->db != NULL)
+ dns_db_detach(&stub->db);
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ zone->curmaster++;
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ if (exiting || zone->curmaster >= zone->masterscnt) {
+ if (!exiting &&
+ DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+ zone->curmaster = 0;
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ } else {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+ goto free_stub;
+ }
+ }
+ queue_soa_query(zone);
+ UNLOCK_ZONE(zone);
+ goto free_stub;
+
+ same_master:
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ UNLOCK_ZONE(zone);
+ ns_query(zone, NULL, stub);
+ goto done;
+
+ free_stub:
+ stub->magic = 0;
+ dns_zone_idetach(&stub->zone);
+ INSIST(stub->db == NULL);
+ INSIST(stub->version == NULL);
+ isc_mem_put(stub->mctx, stub, sizeof(*stub));
+
+ done:
+ INSIST(event == NULL);
+ return;
+}
+
+/*
+ * An SOA query has finished (successfully or not).
+ */
+static void
+refresh_callback(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "refresh_callback";
+ dns_requestevent_t *revent = (dns_requestevent_t *)event;
+ dns_zone_t *zone;
+ dns_message_t *msg = NULL;
+ isc_uint32_t soacnt, cnamecnt, soacount, nscount;
+ isc_time_t now;
+ char master[ISC_SOCKADDR_FORMATSIZE];
+ char source[ISC_SOCKADDR_FORMATSIZE];
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ dns_rdata_soa_t soa;
+ isc_result_t result;
+ isc_uint32_t serial;
+
+ zone = revent->ev_arg;
+ INSIST(DNS_ZONE_VALID(zone));
+
+ UNUSED(task);
+
+ ENTER;
+
+ /*
+ * if timeout log and next master;
+ */
+
+ isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+ isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+
+ TIME_NOW(&now);
+
+ if (revent->result != ISC_R_SUCCESS) {
+ if (revent->result == ISC_R_TIMEDOUT &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ UNLOCK_ZONE(zone);
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "refresh: timeout retrying without EDNS "
+ "master %s (source %s)", master, source);
+ goto same_master;
+ }
+ if (revent->result == ISC_R_TIMEDOUT &&
+ !dns_request_usedtcp(revent->request)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: retry limit for "
+ "master %s exceeded (source %s)",
+ master, source);
+ /* Try with slave with TCP. */
+ if (zone->type == dns_zone_slave)
+ goto tcp_transfer;
+ } else
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: failure trying master "
+ "%s (source %s): %s", master, source,
+ dns_result_totext(revent->result));
+ goto next_master;
+ }
+
+ result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ if (result != ISC_R_SUCCESS)
+ goto next_master;
+ result = dns_request_getresponse(revent->request, msg, 0);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: failure trying master "
+ "%s (source %s): %s", master, source,
+ dns_result_totext(result));
+ goto next_master;
+ }
+
+ /*
+ * Unexpected rcode.
+ */
+ if (msg->rcode != dns_rcode_noerror) {
+ char rcode[128];
+ isc_buffer_t rb;
+
+ isc_buffer_init(&rb, rcode, sizeof(rcode));
+ (void)dns_rcode_totext(msg->rcode, &rb);
+
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS) &&
+ (msg->rcode == dns_rcode_servfail ||
+ msg->rcode == dns_rcode_notimp ||
+ msg->rcode == dns_rcode_formerr)) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "refresh: rcode (%.*s) retrying without "
+ "EDNS master %s (source %s)",
+ (int)rb.used, rcode, master, source);
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ UNLOCK_ZONE(zone);
+ goto same_master;
+ }
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: unexpected rcode (%.*s) from "
+ "master %s (source %s)", (int)rb.used, rcode,
+ master, source);
+ /*
+ * Perhaps AXFR/IXFR is allowed even if SOA queries arn't.
+ */
+ if (msg->rcode == dns_rcode_refused &&
+ zone->type == dns_zone_slave)
+ goto tcp_transfer;
+ goto next_master;
+ }
+
+ /*
+ * If truncated punt to zone transfer which will query again.
+ */
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0) {
+ if (zone->type == dns_zone_slave) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: truncated UDP answer, "
+ "initiating TCP zone xfer "
+ "for master %s (source %s)",
+ master, source);
+ goto tcp_transfer;
+ } else {
+ INSIST(zone->type == dns_zone_stub);
+ if (dns_request_usedtcp(revent->request)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: truncated TCP response "
+ "from master %s (source %s)",
+ master, source);
+ goto next_master;
+ }
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEVC);
+ UNLOCK_ZONE(zone);
+ goto same_master;
+ }
+ }
+
+ /*
+ * if non-auth log and next master;
+ */
+ if ((msg->flags & DNS_MESSAGEFLAG_AA) == 0) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: non-authoritative answer from "
+ "master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ cnamecnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_cname);
+ soacnt = message_count(msg, DNS_SECTION_ANSWER, dns_rdatatype_soa);
+ nscount = message_count(msg, DNS_SECTION_AUTHORITY, dns_rdatatype_ns);
+ soacount = message_count(msg, DNS_SECTION_AUTHORITY,
+ dns_rdatatype_soa);
+
+ /*
+ * There should not be a CNAME record at top of zone.
+ */
+ if (cnamecnt != 0) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: CNAME at top of zone "
+ "in master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * if referral log and next master;
+ */
+ if (soacnt == 0 && soacount == 0 && nscount != 0) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: referral response "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * if nodata log and next master;
+ */
+ if (soacnt == 0 && (nscount == 0 || soacount != 0)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: NODATA response "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ /*
+ * Only one soa at top of zone.
+ */
+ if (soacnt != 1) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: answer SOA count (%d) != 1 "
+ "from master %s (source %s)",
+ soacnt, master, source);
+ goto next_master;
+ }
+ /*
+ * Extract serial
+ */
+ rdataset = NULL;
+ result = dns_message_findname(msg, DNS_SECTION_ANSWER, &zone->origin,
+ dns_rdatatype_soa, dns_rdatatype_none,
+ NULL, &rdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: unable to get SOA record "
+ "from master %s (source %s)", master, source);
+ goto next_master;
+ }
+
+ result = dns_rdataset_first(rdataset);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refresh: dns_rdataset_first() failed");
+ goto next_master;
+ }
+
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+ serial = soa.serial;
+
+ zone_debuglog(zone, me, 1, "serial: new %u, old %u",
+ serial, zone->serial);
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
+ isc_serial_gt(serial, zone->serial)) {
+ tcp_transfer:
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ UNLOCK_ZONE(zone);
+ if (zone->type == dns_zone_slave) {
+ queue_xfrin(zone);
+ } else {
+ INSIST(zone->type == dns_zone_stub);
+ ns_query(zone, rdataset, NULL);
+ }
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ } else if (isc_serial_eq(soa.serial, zone->serial)) {
+ if (zone->masterfile != NULL) {
+ result = ISC_R_FAILURE;
+ if (zone->journal != NULL)
+ result = isc_file_settime(zone->journal, &now);
+ if (result != ISC_R_SUCCESS)
+ result = isc_file_settime(zone->masterfile,
+ &now);
+ /* Someone removed the file from underneath us! */
+ if (result == ISC_R_FILENOTFOUND) {
+ LOCK_ZONE(zone);
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ UNLOCK_ZONE(zone);
+ } else if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "refresh: could not set file "
+ "modification time of '%s': %s",
+ zone->masterfile,
+ dns_result_totext(result));
+ }
+ DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
+ DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+ goto next_master;
+ } else {
+ if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MULTIMASTER))
+ dns_zone_log(zone, ISC_LOG_INFO, "serial number (%u) "
+ "received from master %s < ours (%u)",
+ soa.serial, master, zone->serial);
+ else
+ zone_debuglog(zone, me, 1, "ahead");
+ goto next_master;
+ }
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ goto detach;
+
+ next_master:
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ zone->curmaster++;
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ if (zone->curmaster >= zone->masterscnt) {
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ zone->curmaster = 0;
+ goto requeue;
+ }
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+ zone->refreshtime = now;
+ }
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ zone_settimer(zone, &now);
+ UNLOCK_ZONE(zone);
+ goto detach;
+ }
+
+ requeue:
+ queue_soa_query(zone);
+ UNLOCK_ZONE(zone);
+ goto detach;
+
+ same_master:
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ LOCK_ZONE(zone);
+ dns_request_destroy(&zone->request);
+ queue_soa_query(zone);
+ UNLOCK_ZONE(zone);
+
+ detach:
+ dns_zone_idetach(&zone);
+ return;
+}
+
+static void
+queue_soa_query(dns_zone_t *zone) {
+ const char me[] = "queue_soa_query";
+ isc_event_t *e;
+ dns_zone_t *dummy = NULL;
+ isc_result_t result;
+
+ ENTER;
+ /*
+ * Locked by caller
+ */
+ REQUIRE(LOCKED_ZONE(zone));
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+ cancel_refresh(zone);
+ return;
+ }
+
+ e = isc_event_allocate(zone->mctx, NULL, DNS_EVENT_ZONE,
+ soa_query, zone, sizeof(isc_event_t));
+ if (e == NULL) {
+ cancel_refresh(zone);
+ return;
+ }
+
+ /*
+ * Attach so that we won't clean up
+ * until the event is delivered.
+ */
+ zone_iattach(zone, &dummy);
+
+ e->ev_arg = zone;
+ e->ev_sender = NULL;
+ result = isc_ratelimiter_enqueue(zone->zmgr->rl, zone->task, &e);
+ if (result != ISC_R_SUCCESS) {
+ zone_idetach(&dummy);
+ isc_event_free(&e);
+ cancel_refresh(zone);
+ }
+}
+
+static inline isc_result_t
+create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
+ dns_message_t **messagep)
+{
+ dns_message_t *message = NULL;
+ dns_name_t *qname = NULL;
+ dns_rdataset_t *qrdataset = NULL;
+ isc_result_t result;
+
+ result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+ &message);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ message->opcode = dns_opcode_query;
+ message->rdclass = zone->rdclass;
+
+ result = dns_message_gettempname(message, &qname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_gettemprdataset(message, &qrdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Make question.
+ */
+ dns_name_init(qname, NULL);
+ dns_name_clone(&zone->origin, qname);
+ dns_rdataset_init(qrdataset);
+ dns_rdataset_makequestion(qrdataset, zone->rdclass, rdtype);
+ ISC_LIST_APPEND(qname->list, qrdataset, link);
+ dns_message_addname(message, qname, DNS_SECTION_QUESTION);
+
+ *messagep = message;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (qname != NULL)
+ dns_message_puttempname(message, &qname);
+ if (qrdataset != NULL)
+ dns_message_puttemprdataset(message, &qrdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
+ return (result);
+}
+
+static isc_result_t
+add_opt(dns_message_t *message) {
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdatalist_t *rdatalist = NULL;
+ dns_rdata_t *rdata = NULL;
+ isc_result_t result;
+
+ result = dns_message_gettemprdatalist(message, &rdatalist);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdata(message, &rdata);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = dns_message_gettemprdataset(message, &rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ dns_rdataset_init(rdataset);
+
+ rdatalist->type = dns_rdatatype_opt;
+ rdatalist->covers = 0;
+
+ /*
+ * Set Maximum UDP buffer size.
+ */
+ rdatalist->rdclass = SEND_BUFFER_SIZE;
+
+ /*
+ * Set EXTENDED-RCODE, VERSION, DO and Z to 0.
+ */
+ rdatalist->ttl = 0;
+
+ /*
+ * No EDNS options.
+ */
+ rdata->data = NULL;
+ rdata->length = 0;
+ rdata->rdclass = rdatalist->rdclass;
+ rdata->type = rdatalist->type;
+ rdata->flags = 0;
+
+ ISC_LIST_INIT(rdatalist->rdata);
+ ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
+ RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset)
+ == ISC_R_SUCCESS);
+
+ return (dns_message_setopt(message, rdataset));
+
+ cleanup:
+ if (rdatalist != NULL)
+ dns_message_puttemprdatalist(message, &rdatalist);
+ if (rdataset != NULL)
+ dns_message_puttemprdataset(message, &rdataset);
+ if (rdata != NULL)
+ dns_message_puttemprdata(message, &rdata);
+
+ return (result);
+}
+
+static void
+soa_query(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "soa_query";
+ isc_result_t result = ISC_R_FAILURE;
+ dns_message_t *message = NULL;
+ dns_zone_t *zone = event->ev_arg;
+ dns_zone_t *dummy = NULL;
+ isc_netaddr_t masterip;
+ dns_tsigkey_t *key = NULL;
+ isc_uint32_t options;
+ isc_boolean_t cancel = ISC_TRUE;
+ int timeout;
+ isc_boolean_t have_xfrsource;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ UNUSED(task);
+
+ ENTER;
+
+ LOCK_ZONE(zone);
+ if (((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0) ||
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING) ||
+ zone->view->requestmgr == NULL) {
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+ cancel = ISC_FALSE;
+ goto cleanup;
+ }
+
+ /*
+ * XXX Optimisation: Create message when zone is setup and reuse.
+ */
+ result = create_query(zone, dns_rdatatype_soa, &message);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ again:
+ INSIST(zone->masterscnt > 0);
+ INSIST(zone->curmaster < zone->masterscnt);
+
+ zone->masteraddr = zone->masters[zone->curmaster];
+
+ isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+ /*
+ * First, look for a tsig key in the master statement, then
+ * try for a server key.
+ */
+ if ((zone->masterkeynames != NULL) &&
+ (zone->masterkeynames[zone->curmaster] != NULL)) {
+ dns_view_t *view = dns_zone_getview(zone);
+ dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+ result = dns_view_gettsig(view, keyname, &key);
+ if (result != ISC_R_SUCCESS) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(keyname, namebuf, sizeof(namebuf));
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "unable to find key: %s", namebuf);
+ }
+ }
+ if (key == NULL)
+ (void)dns_view_getpeertsig(zone->view, &masterip, &key);
+
+ have_xfrsource = ISC_FALSE;
+ if (zone->view->peers != NULL) {
+ dns_peer_t *peer = NULL;
+ isc_boolean_t edns;
+ result = dns_peerlist_peerbyaddr(zone->view->peers,
+ &masterip, &peer);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_peer_getsupportedns(peer, &edns);
+ if (result == ISC_R_SUCCESS && !edns)
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ result = dns_peer_gettransfersource(peer,
+ &zone->sourceaddr);
+ if (result == ISC_R_SUCCESS)
+ have_xfrsource = ISC_TRUE;
+ }
+ }
+
+ switch (isc_sockaddr_pf(&zone->masteraddr)) {
+ case PF_INET:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+ if (isc_sockaddr_equal(&zone->altxfrsource4,
+ &zone->xfrsource4))
+ goto skip_master;
+ zone->sourceaddr = zone->altxfrsource4;
+ } else if (!have_xfrsource)
+ zone->sourceaddr = zone->xfrsource4;
+ break;
+ case PF_INET6:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+ if (isc_sockaddr_equal(&zone->altxfrsource6,
+ &zone->xfrsource6))
+ goto skip_master;
+ zone->sourceaddr = zone->altxfrsource6;
+ } else if (!have_xfrsource)
+ zone->sourceaddr = zone->xfrsource6;
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup;
+ }
+
+ options = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEVC) ?
+ DNS_REQUESTOPT_TCP : 0;
+
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+ result = add_opt(message);
+ if (result != ISC_R_SUCCESS)
+ zone_debuglog(zone, me, 1,
+ "unable to add opt record: %s",
+ dns_result_totext(result));
+ }
+
+ zone_iattach(zone, &dummy);
+ timeout = 15;
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+ timeout = 30;
+ result = dns_request_createvia2(zone->view->requestmgr, message,
+ &zone->sourceaddr, &zone->masteraddr,
+ options, key, timeout * 3, timeout,
+ zone->task, refresh_callback, zone,
+ &zone->request);
+ if (result != ISC_R_SUCCESS) {
+ zone_idetach(&dummy);
+ zone_debuglog(zone, me, 1,
+ "dns_request_createvia2() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+ cancel = ISC_FALSE;
+
+ cleanup:
+ if (key != NULL)
+ dns_tsigkey_detach(&key);
+ if (result != ISC_R_SUCCESS)
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+ if (message != NULL)
+ dns_message_destroy(&message);
+ if (cancel)
+ cancel_refresh(zone);
+ isc_event_free(&event);
+ UNLOCK_ZONE(zone);
+ dns_zone_idetach(&zone);
+ return;
+
+ skip_master:
+ if (key != NULL)
+ dns_tsigkey_detach(&key);
+ zone->curmaster++;
+ if (zone->curmaster < zone->masterscnt)
+ goto again;
+ zone->curmaster = 0;
+ goto cleanup;
+}
+
+static void
+ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
+ const char me[] = "ns_query";
+ isc_result_t result;
+ dns_message_t *message = NULL;
+ isc_netaddr_t masterip;
+ dns_tsigkey_t *key = NULL;
+ dns_dbnode_t *node = NULL;
+ int timeout;
+ isc_boolean_t have_xfrsource = ISC_FALSE;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE((soardataset != NULL && stub == NULL) ||
+ (soardataset == NULL && stub != NULL));
+ REQUIRE(stub == NULL || DNS_STUB_VALID(stub));
+
+ ENTER;
+
+ LOCK_ZONE(zone);
+ if (stub == NULL) {
+ stub = isc_mem_get(zone->mctx, sizeof(*stub));
+ if (stub == NULL)
+ goto cleanup;
+ stub->magic = STUB_MAGIC;
+ stub->mctx = zone->mctx;
+ stub->zone = NULL;
+ stub->db = NULL;
+ stub->version = NULL;
+
+ /*
+ * Attach so that the zone won't disappear from under us.
+ */
+ zone_iattach(zone, &stub->zone);
+
+ /*
+ * If a db exists we will update it, otherwise we create a
+ * new one and attach it to the zone once we have the NS
+ * RRset and glue.
+ */
+ if (zone->db != NULL)
+ dns_db_attach(zone->db, &stub->db);
+ else {
+ INSIST(zone->db_argc >= 1);
+ result = dns_db_create(zone->mctx, zone->db_argv[0],
+ &zone->origin, dns_dbtype_stub,
+ zone->rdclass,
+ zone->db_argc - 1,
+ zone->db_argv + 1,
+ &stub->db);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "refreshing stub: "
+ "could not create "
+ "database: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+ dns_db_settask(stub->db, zone->task);
+ }
+
+ dns_db_newversion(stub->db, &stub->version);
+
+ /*
+ * Update SOA record.
+ */
+ result = dns_db_findnode(stub->db, &zone->origin, ISC_TRUE,
+ &node);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: "
+ "dns_db_findnode() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+
+ result = dns_db_addrdataset(stub->db, node, stub->version, 0,
+ soardataset, 0, NULL);
+ dns_db_detachnode(stub->db, &node);
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refreshing stub: "
+ "dns_db_addrdataset() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+ }
+
+ /*
+ * XXX Optimisation: Create message when zone is setup and reuse.
+ */
+ result = create_query(zone, dns_rdatatype_ns, &message);
+
+ INSIST(zone->masterscnt > 0);
+ INSIST(zone->curmaster < zone->masterscnt);
+ zone->masteraddr = zone->masters[zone->curmaster];
+
+ isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+ /*
+ * First, look for a tsig key in the master statement, then
+ * try for a server key.
+ */
+ if ((zone->masterkeynames != NULL) &&
+ (zone->masterkeynames[zone->curmaster] != NULL)) {
+ dns_view_t *view = dns_zone_getview(zone);
+ dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+ result = dns_view_gettsig(view, keyname, &key);
+ if (result != ISC_R_SUCCESS) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(keyname, namebuf, sizeof(namebuf));
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "unable to find key: %s", namebuf);
+ }
+ }
+ if (key == NULL)
+ (void)dns_view_getpeertsig(zone->view, &masterip, &key);
+
+ if (zone->view->peers != NULL) {
+ dns_peer_t *peer = NULL;
+ isc_boolean_t edns;
+ result = dns_peerlist_peerbyaddr(zone->view->peers,
+ &masterip, &peer);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_peer_getsupportedns(peer, &edns);
+ if (result == ISC_R_SUCCESS && !edns)
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOEDNS);
+ result = dns_peer_gettransfersource(peer,
+ &zone->sourceaddr);
+ if (result == ISC_R_SUCCESS)
+ have_xfrsource = ISC_TRUE;
+ }
+
+ }
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
+ result = add_opt(message);
+ if (result != ISC_R_SUCCESS)
+ zone_debuglog(zone, me, 1,
+ "unable to add opt record: %s",
+ dns_result_totext(result));
+ }
+
+ /*
+ * Always use TCP so that we shouldn't truncate in additional section.
+ */
+ switch (isc_sockaddr_pf(&zone->masteraddr)) {
+ case PF_INET:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+ zone->sourceaddr = zone->altxfrsource4;
+ else if (!have_xfrsource)
+ zone->sourceaddr = zone->xfrsource4;
+ break;
+ case PF_INET6:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC))
+ zone->sourceaddr = zone->altxfrsource6;
+ else if (!have_xfrsource)
+ zone->sourceaddr = zone->xfrsource6;
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto cleanup;
+ }
+ timeout = 15;
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+ timeout = 30;
+ result = dns_request_createvia2(zone->view->requestmgr, message,
+ &zone->sourceaddr, &zone->masteraddr,
+ DNS_REQUESTOPT_TCP, key, timeout * 3,
+ timeout, zone->task, stub_callback,
+ stub, &zone->request);
+ if (result != ISC_R_SUCCESS) {
+ zone_debuglog(zone, me, 1,
+ "dns_request_createvia() failed: %s",
+ dns_result_totext(result));
+ goto cleanup;
+ }
+ dns_message_destroy(&message);
+ goto unlock;
+
+ cleanup:
+ cancel_refresh(zone);
+ if (stub != NULL) {
+ stub->magic = 0;
+ if (stub->version != NULL)
+ dns_db_closeversion(stub->db, &stub->version,
+ ISC_FALSE);
+ if (stub->db != NULL)
+ dns_db_detach(&stub->db);
+ if (stub->zone != NULL)
+ zone_idetach(&stub->zone);
+ isc_mem_put(stub->mctx, stub, sizeof(*stub));
+ }
+ if (message != NULL)
+ dns_message_destroy(&message);
+ unlock:
+ if (key != NULL)
+ dns_tsigkey_detach(&key);
+ UNLOCK_ZONE(zone);
+ return;
+}
+
+/*
+ * Handle the control event. Note that although this event causes the zone
+ * to shut down, it is not a shutdown event in the sense of the task library.
+ */
+static void
+zone_shutdown(isc_task_t *task, isc_event_t *event) {
+ dns_zone_t *zone = (dns_zone_t *) event->ev_arg;
+ isc_boolean_t free_needed, linked = ISC_FALSE;
+
+ UNUSED(task);
+ REQUIRE(DNS_ZONE_VALID(zone));
+ INSIST(event->ev_type == DNS_EVENT_ZONECONTROL);
+ INSIST(isc_refcount_current(&zone->erefs) == 0);
+ zone_debuglog(zone, "zone_shutdown", 3, "shutting down");
+
+ /*
+ * Stop things being restarted after we cancel them below.
+ */
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_EXITING);
+ UNLOCK_ZONE(zone);
+
+ /*
+ * If we were waiting for xfrin quota, step out of
+ * the queue.
+ * If there's no zone manager, we can't be waiting for the
+ * xfrin quota
+ */
+ if (zone->zmgr != NULL) {
+ RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+ if (zone->statelist == &zone->zmgr->waiting_for_xfrin) {
+ ISC_LIST_UNLINK(zone->zmgr->waiting_for_xfrin, zone,
+ statelink);
+ linked = ISC_TRUE;
+ zone->statelist = NULL;
+ }
+ RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+ }
+
+ /*
+ * In task context, no locking required. See zone_xfrdone().
+ */
+ if (zone->xfr != NULL)
+ dns_xfrin_shutdown(zone->xfr);
+
+ LOCK_ZONE(zone);
+ if (linked) {
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ }
+ if (zone->request != NULL) {
+ dns_request_cancel(zone->request);
+ }
+
+ if (zone->readio != NULL)
+ zonemgr_cancelio(zone->readio);
+
+ if (zone->lctx != NULL)
+ dns_loadctx_cancel(zone->lctx);
+
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FLUSH) ||
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+ if (zone->writeio != NULL)
+ zonemgr_cancelio(zone->writeio);
+
+ if (zone->dctx != NULL)
+ dns_dumpctx_cancel(zone->dctx);
+ }
+
+ notify_cancel(zone);
+
+ if (zone->timer != NULL) {
+ isc_timer_detach(&zone->timer);
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ }
+
+ if (zone->view != NULL)
+ dns_view_weakdetach(&zone->view);
+
+ /*
+ * We have now canceled everything set the flag to allow exit_check()
+ * to succeed. We must not unlock between setting this flag and
+ * calling exit_check().
+ */
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_SHUTDOWN);
+ free_needed = exit_check(zone);
+ UNLOCK_ZONE(zone);
+ if (free_needed)
+ zone_free(zone);
+}
+
+static void
+zone_timer(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "zone_timer";
+ dns_zone_t *zone = (dns_zone_t *)event->ev_arg;
+
+ UNUSED(task);
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ ENTER;
+
+ zone_maintenance(zone);
+
+ isc_event_free(&event);
+}
+
+static void
+zone_settimer(dns_zone_t *zone, isc_time_t *now) {
+ const char me[] = "zone_settimer";
+ isc_time_t next;
+ isc_result_t result;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+ return;
+
+ isc_time_settoepoch(&next);
+
+ switch (zone->type) {
+ case dns_zone_master:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
+ next = *now;
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+ INSIST(!isc_time_isepoch(&zone->dumptime));
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->dumptime, &next) < 0)
+ next = zone->dumptime;
+ }
+ break;
+
+ case dns_zone_slave:
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY))
+ next = *now;
+ /*FALLTHROUGH*/
+
+ case dns_zone_stub:
+ if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOMASTERS) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADING)) {
+ INSIST(!isc_time_isepoch(&zone->refreshtime));
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->refreshtime, &next) < 0)
+ next = zone->refreshtime;
+ }
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED)) {
+ INSIST(!isc_time_isepoch(&zone->expiretime));
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->expiretime, &next) < 0)
+ next = zone->expiretime;
+ }
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DUMPING)) {
+ INSIST(!isc_time_isepoch(&zone->dumptime));
+ if (isc_time_isepoch(&next) ||
+ isc_time_compare(&zone->dumptime, &next) < 0)
+ next = zone->dumptime;
+ }
+ break;
+
+ default:
+ break;
+ }
+
+ if (isc_time_isepoch(&next)) {
+ zone_debuglog(zone, me, 10, "settimer inactive");
+ result = isc_timer_reset(zone->timer, isc_timertype_inactive,
+ NULL, NULL, ISC_TRUE);
+ if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "could not deactivate zone timer: %s",
+ isc_result_totext(result));
+ } else {
+ if (isc_time_compare(&next, now) <= 0)
+ next = *now;
+ result = isc_timer_reset(zone->timer, isc_timertype_once,
+ &next, NULL, ISC_TRUE);
+ if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "could not reset zone timer: %s",
+ isc_result_totext(result));
+ }
+}
+
+static void
+cancel_refresh(dns_zone_t *zone) {
+ const char me[] = "cancel_refresh";
+ isc_time_t now;
+
+ /*
+ * 'zone' locked by caller.
+ */
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(LOCKED_ZONE(zone));
+
+ ENTER;
+
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+ TIME_NOW(&now);
+ zone_settimer(zone, &now);
+}
+
+static isc_result_t
+notify_createmessage(dns_zone_t *zone, unsigned int flags,
+ dns_message_t **messagep)
+{
+ dns_dbnode_t *node = NULL;
+ dns_dbversion_t *version = NULL;
+ dns_message_t *message = NULL;
+ dns_rdataset_t rdataset;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+
+ dns_name_t *tempname = NULL;
+ dns_rdata_t *temprdata = NULL;
+ dns_rdatalist_t *temprdatalist = NULL;
+ dns_rdataset_t *temprdataset = NULL;
+
+ isc_result_t result;
+ isc_region_t r;
+ isc_buffer_t *b = NULL;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(messagep != NULL && *messagep == NULL);
+
+ message = NULL;
+ result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTRENDER,
+ &message);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ message->opcode = dns_opcode_notify;
+ message->flags |= DNS_MESSAGEFLAG_AA;
+ message->rdclass = zone->rdclass;
+
+ result = dns_message_gettempname(message, &tempname);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = dns_message_gettemprdataset(message, &temprdataset);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ /*
+ * Make question.
+ */
+ dns_name_init(tempname, NULL);
+ dns_name_clone(&zone->origin, tempname);
+ dns_rdataset_init(temprdataset);
+ dns_rdataset_makequestion(temprdataset, zone->rdclass,
+ dns_rdatatype_soa);
+ ISC_LIST_APPEND(tempname->list, temprdataset, link);
+ dns_message_addname(message, tempname, DNS_SECTION_QUESTION);
+ tempname = NULL;
+ temprdataset = NULL;
+
+ if ((flags & DNS_NOTIFY_NOSOA) != 0)
+ goto done;
+
+ result = dns_message_gettempname(message, &tempname);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ result = dns_message_gettemprdata(message, &temprdata);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ result = dns_message_gettemprdataset(message, &temprdataset);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ result = dns_message_gettemprdatalist(message, &temprdatalist);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+
+ dns_name_init(tempname, NULL);
+ dns_name_clone(&zone->origin, tempname);
+ dns_db_currentversion(zone->db, &version);
+ result = dns_db_findnode(zone->db, tempname, ISC_FALSE, &node);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+
+ dns_rdataset_init(&rdataset);
+ result = dns_db_findrdataset(zone->db, node, version,
+ dns_rdatatype_soa,
+ dns_rdatatype_none, 0, &rdataset,
+ NULL);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ result = dns_rdataset_first(&rdataset);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ dns_rdataset_current(&rdataset, &rdata);
+ dns_rdata_toregion(&rdata, &r);
+ result = isc_buffer_allocate(zone->mctx, &b, r.length);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+ isc_buffer_putmem(b, r.base, r.length);
+ isc_buffer_usedregion(b, &r);
+ dns_rdata_init(temprdata);
+ dns_rdata_fromregion(temprdata, rdata.rdclass, rdata.type, &r);
+ dns_message_takebuffer(message, &b);
+ result = dns_rdataset_next(&rdataset);
+ dns_rdataset_disassociate(&rdataset);
+ if (result != ISC_R_NOMORE)
+ goto soa_cleanup;
+ temprdatalist->rdclass = rdata.rdclass;
+ temprdatalist->type = rdata.type;
+ temprdatalist->covers = 0;
+ temprdatalist->ttl = rdataset.ttl;
+ ISC_LIST_INIT(temprdatalist->rdata);
+ ISC_LIST_APPEND(temprdatalist->rdata, temprdata, link);
+
+ dns_rdataset_init(temprdataset);
+ result = dns_rdatalist_tordataset(temprdatalist, temprdataset);
+ if (result != ISC_R_SUCCESS)
+ goto soa_cleanup;
+
+ ISC_LIST_APPEND(tempname->list, temprdataset, link);
+ dns_message_addname(message, tempname, DNS_SECTION_ANSWER);
+ temprdatalist = NULL;
+ temprdataset = NULL;
+ temprdata = NULL;
+ tempname = NULL;
+
+ soa_cleanup:
+ if (node != NULL)
+ dns_db_detachnode(zone->db, &node);
+ if (version != NULL)
+ dns_db_closeversion(zone->db, &version, ISC_FALSE);
+ if (tempname != NULL)
+ dns_message_puttempname(message, &tempname);
+ if (temprdata != NULL)
+ dns_message_puttemprdata(message, &temprdata);
+ if (temprdataset != NULL)
+ dns_message_puttemprdataset(message, &temprdataset);
+ if (temprdatalist != NULL)
+ dns_message_puttemprdatalist(message, &temprdatalist);
+
+ done:
+ *messagep = message;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (tempname != NULL)
+ dns_message_puttempname(message, &tempname);
+ if (temprdataset != NULL)
+ dns_message_puttemprdataset(message, &temprdataset);
+ if (message != NULL)
+ dns_message_destroy(&message);
+ return (result);
+}
+
+isc_result_t
+dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
+ dns_message_t *msg)
+{
+ unsigned int i;
+ dns_rdata_soa_t soa;
+ dns_rdataset_t *rdataset = NULL;
+ dns_rdata_t rdata = DNS_RDATA_INIT;
+ isc_result_t result;
+ char fromtext[ISC_SOCKADDR_FORMATSIZE];
+ int match = 0;
+ isc_netaddr_t netaddr;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ /*
+ * If type != T_SOA return DNS_R_REFUSED. We don't yet support
+ * ROLLOVER.
+ *
+ * SOA: RFC 1996
+ * Check that 'from' is a valid notify source, (zone->masters).
+ * Return DNS_R_REFUSED if not.
+ *
+ * If the notify message contains a serial number check it
+ * against the zones serial and return if <= current serial
+ *
+ * If a refresh check is progress, if so just record the
+ * fact we received a NOTIFY and from where and return.
+ * We will perform a new refresh check when the current one
+ * completes. Return ISC_R_SUCCESS.
+ *
+ * Otherwise initiate a refresh check using 'from' as the
+ * first address to check. Return ISC_R_SUCCESS.
+ */
+
+ isc_sockaddr_format(from, fromtext, sizeof(fromtext));
+
+ /*
+ * We only handle NOTIFY (SOA) at the present.
+ */
+ LOCK_ZONE(zone);
+ if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
+ dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
+ dns_rdatatype_soa, dns_rdatatype_none,
+ NULL, NULL) != ISC_R_SUCCESS) {
+ UNLOCK_ZONE(zone);
+ if (msg->counts[DNS_SECTION_QUESTION] == 0) {
+ dns_zone_log(zone, ISC_LOG_NOTICE,
+ "NOTIFY with no "
+ "question section from: %s", fromtext);
+ return (DNS_R_FORMERR);
+ }
+ dns_zone_log(zone, ISC_LOG_NOTICE,
+ "NOTIFY zone does not match");
+ return (DNS_R_NOTIMP);
+ }
+
+ /*
+ * If we are a master zone just succeed.
+ */
+ if (zone->type == dns_zone_master) {
+ UNLOCK_ZONE(zone);
+ return (ISC_R_SUCCESS);
+ }
+
+ isc_netaddr_fromsockaddr(&netaddr, from);
+ for (i = 0; i < zone->masterscnt; i++) {
+ if (isc_sockaddr_eqaddr(from, &zone->masters[i]))
+ break;
+ if (zone->view->aclenv.match_mapped &&
+ IN6_IS_ADDR_V4MAPPED(&from->type.sin6.sin6_addr) &&
+ isc_sockaddr_pf(&zone->masters[i]) == AF_INET) {
+ isc_netaddr_t na1, na2;
+ isc_netaddr_fromv4mapped(&na1, &netaddr);
+ isc_netaddr_fromsockaddr(&na2, &zone->masters[i]);
+ if (isc_netaddr_equal(&na1, &na2))
+ break;
+ }
+ }
+
+ /*
+ * Accept notify requests from non masters if they are on
+ * 'zone->notify_acl'.
+ */
+ if (i >= zone->masterscnt && zone->notify_acl != NULL &&
+ dns_acl_match(&netaddr, NULL, zone->notify_acl,
+ &zone->view->aclenv,
+ &match, NULL) == ISC_R_SUCCESS &&
+ match > 0)
+ {
+ /* Accept notify. */
+ } else if (i >= zone->masterscnt) {
+ UNLOCK_ZONE(zone);
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "refused notify from non-master: %s", fromtext);
+ return (DNS_R_REFUSED);
+ }
+
+ /*
+ * If the zone is loaded and there are answers check the serial
+ * to see if we need to do a refresh. Do not worry about this
+ * check if we are a dialup zone as we use the notify request
+ * to trigger a refresh check.
+ */
+ if (msg->counts[DNS_SECTION_ANSWER] > 0 &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOREFRESH)) {
+ result = dns_message_findname(msg, DNS_SECTION_ANSWER,
+ &zone->origin,
+ dns_rdatatype_soa,
+ dns_rdatatype_none, NULL,
+ &rdataset);
+ if (result == ISC_R_SUCCESS)
+ result = dns_rdataset_first(rdataset);
+ if (result == ISC_R_SUCCESS) {
+ isc_uint32_t serial = 0;
+
+ dns_rdataset_current(rdataset, &rdata);
+ result = dns_rdata_tostruct(&rdata, &soa, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ serial = soa.serial;
+ if (isc_serial_le(serial, zone->serial)) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "notify from %s: "
+ "zone is up to date",
+ fromtext);
+ UNLOCK_ZONE(zone);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ }
+
+ /*
+ * If we got this far and there was a refresh in progress just
+ * let it complete. Record where we got the notify from so we
+ * can perform a refresh check when the current one completes
+ */
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH)) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+ zone->notifyfrom = *from;
+ UNLOCK_ZONE(zone);
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "notify from %s: refresh in progress, "
+ "refresh check queued",
+ fromtext);
+ return (ISC_R_SUCCESS);
+ }
+ zone->notifyfrom = *from;
+ UNLOCK_ZONE(zone);
+ dns_zone_refresh(zone);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_zone_setnotifyacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->notify_acl != NULL)
+ dns_acl_detach(&zone->notify_acl);
+ dns_acl_attach(acl, &zone->notify_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->query_acl != NULL)
+ dns_acl_detach(&zone->query_acl);
+ dns_acl_attach(acl, &zone->query_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->update_acl != NULL)
+ dns_acl_detach(&zone->update_acl);
+ dns_acl_attach(acl, &zone->update_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setforwardacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->forward_acl != NULL)
+ dns_acl_detach(&zone->forward_acl);
+ dns_acl_attach(acl, &zone->forward_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setxfracl(dns_zone_t *zone, dns_acl_t *acl) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->xfr_acl != NULL)
+ dns_acl_detach(&zone->xfr_acl);
+ dns_acl_attach(acl, &zone->xfr_acl);
+ UNLOCK_ZONE(zone);
+}
+
+dns_acl_t *
+dns_zone_getnotifyacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->notify_acl);
+}
+
+dns_acl_t *
+dns_zone_getqueryacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->query_acl);
+}
+
+dns_acl_t *
+dns_zone_getupdateacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->update_acl);
+}
+
+dns_acl_t *
+dns_zone_getforwardacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->forward_acl);
+}
+
+dns_acl_t *
+dns_zone_getxfracl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->xfr_acl);
+}
+
+void
+dns_zone_clearupdateacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->update_acl != NULL)
+ dns_acl_detach(&zone->update_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearforwardacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->forward_acl != NULL)
+ dns_acl_detach(&zone->forward_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearnotifyacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->notify_acl != NULL)
+ dns_acl_detach(&zone->notify_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearqueryacl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->query_acl != NULL)
+ dns_acl_detach(&zone->query_acl);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_clearxfracl(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->xfr_acl != NULL)
+ dns_acl_detach(&zone->xfr_acl);
+ UNLOCK_ZONE(zone);
+}
+
+isc_boolean_t
+dns_zone_getupdatedisabled(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ return (zone->update_disabled);
+
+}
+
+void
+dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ zone->update_disabled = state;
+}
+
+void
+dns_zone_setchecknames(dns_zone_t *zone, dns_severity_t severity) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->check_names = severity;
+}
+
+dns_severity_t
+dns_zone_getchecknames(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->check_names);
+}
+
+void
+dns_zone_setjournalsize(dns_zone_t *zone, isc_int32_t size) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->journalsize = size;
+}
+
+isc_int32_t
+dns_zone_getjournalsize(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->journalsize);
+}
+
+static void
+zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
+ isc_result_t result = ISC_R_FAILURE;
+ isc_buffer_t buffer;
+
+ REQUIRE(buf != NULL);
+ REQUIRE(length > 1U);
+
+ /*
+ * Leave space for terminating '\0'.
+ */
+ isc_buffer_init(&buffer, buf, length - 1);
+ if (dns_name_dynamic(&zone->origin))
+ result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
+ if (result != ISC_R_SUCCESS &&
+ isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+ isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+ if (isc_buffer_availablelength(&buffer) > 0)
+ isc_buffer_putstr(&buffer, "/");
+ (void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+ if (zone->view != NULL && strcmp(zone->view->name, "_bind") != 0 &&
+ strcmp(zone->view->name, "_default") != 0 &&
+ strlen(zone->view->name) < isc_buffer_availablelength(&buffer)) {
+ isc_buffer_putstr(&buffer, "/");
+ isc_buffer_putstr(&buffer, zone->view->name);
+ }
+
+ buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+void
+dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(buf != NULL);
+ zone_tostr(zone, buf, length);
+}
+
+static void
+notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+ va_list ap;
+ char message[4096];
+ char namebuf[1024+32];
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ zone_tostr(zone, namebuf, sizeof(namebuf));
+
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
+ level, "zone %s: %s", namebuf, message);
+}
+
+void
+dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
+ int level, const char *fmt, ...) {
+ va_list ap;
+ char message[4096];
+ char namebuf[1024+32];
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ zone_tostr(zone, namebuf, sizeof(namebuf));
+
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+ isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
+ level, "zone %s: %s", namebuf, message);
+}
+
+void
+dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
+ va_list ap;
+ char message[4096];
+ char namebuf[1024+32];
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ zone_tostr(zone, namebuf, sizeof(namebuf));
+
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+ level, "zone %s: %s", namebuf, message);
+}
+
+static void
+zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
+ const char *fmt, ...)
+{
+ va_list ap;
+ char message[4096];
+ char namebuf[1024+32];
+ int level = ISC_LOG_DEBUG(debuglevel);
+
+ if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
+ return;
+
+ zone_tostr(zone, namebuf, sizeof(namebuf));
+
+ va_start(ap, fmt);
+ vsnprintf(message, sizeof(message), fmt, ap);
+ va_end(ap);
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
+ level, "%s: zone %s: %s", me, namebuf, message);
+}
+
+static int
+message_count(dns_message_t *msg, dns_section_t section, dns_rdatatype_t type)
+{
+ isc_result_t result;
+ dns_name_t *name;
+ dns_rdataset_t *curr;
+ int count = 0;
+
+ result = dns_message_firstname(msg, section);
+ while (result == ISC_R_SUCCESS) {
+ name = NULL;
+ dns_message_currentname(msg, section, &name);
+
+ for (curr = ISC_LIST_TAIL(name->list); curr != NULL;
+ curr = ISC_LIST_PREV(curr, link)) {
+ if (curr->type == type)
+ count++;
+ }
+ result = dns_message_nextname(msg, section);
+ }
+
+ return (count);
+}
+
+void
+dns_zone_setmaxxfrin(dns_zone_t *zone, isc_uint32_t maxxfrin) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->maxxfrin = maxxfrin;
+}
+
+isc_uint32_t
+dns_zone_getmaxxfrin(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->maxxfrin);
+}
+
+void
+dns_zone_setmaxxfrout(dns_zone_t *zone, isc_uint32_t maxxfrout) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ zone->maxxfrout = maxxfrout;
+}
+
+isc_uint32_t
+dns_zone_getmaxxfrout(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->maxxfrout);
+}
+
+dns_zonetype_t dns_zone_gettype(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->type);
+}
+
+dns_name_t *
+dns_zone_getorigin(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (&zone->origin);
+}
+
+void
+dns_zone_settask(dns_zone_t *zone, isc_task_t *task) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->task != NULL)
+ isc_task_detach(&zone->task);
+ isc_task_attach(task, &zone->task);
+ if (zone->db != NULL)
+ dns_db_settask(zone->db, zone->task);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_gettask(dns_zone_t *zone, isc_task_t **target) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ isc_task_attach(zone->task, target);
+}
+
+void
+dns_zone_setidlein(dns_zone_t *zone, isc_uint32_t idlein) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ if (idlein == 0)
+ idlein = DNS_DEFAULT_IDLEIN;
+ zone->idlein = idlein;
+}
+
+isc_uint32_t
+dns_zone_getidlein(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->idlein);
+}
+
+void
+dns_zone_setidleout(dns_zone_t *zone, isc_uint32_t idleout) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->idleout = idleout;
+}
+
+isc_uint32_t
+dns_zone_getidleout(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->idleout);
+}
+
+static void
+notify_done(isc_task_t *task, isc_event_t *event) {
+ dns_requestevent_t *revent = (dns_requestevent_t *)event;
+ dns_notify_t *notify;
+ isc_result_t result;
+ dns_message_t *message = NULL;
+ isc_buffer_t buf;
+ char rcode[128];
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+ UNUSED(task);
+
+ notify = event->ev_arg;
+ REQUIRE(DNS_NOTIFY_VALID(notify));
+ INSIST(task == notify->zone->task);
+
+ isc_buffer_init(&buf, rcode, sizeof(rcode));
+ isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
+
+ result = revent->result;
+ if (result == ISC_R_SUCCESS)
+ result = dns_message_create(notify->zone->mctx,
+ DNS_MESSAGE_INTENTPARSE, &message);
+ if (result == ISC_R_SUCCESS)
+ result = dns_request_getresponse(revent->request, message,
+ DNS_MESSAGEPARSE_PRESERVEORDER);
+ if (result == ISC_R_SUCCESS)
+ result = dns_rcode_totext(message->rcode, &buf);
+ if (result == ISC_R_SUCCESS)
+ notify_log(notify->zone, ISC_LOG_DEBUG(3),
+ "notify response from %s: %.*s",
+ addrbuf, (int)buf.used, rcode);
+ else
+ notify_log(notify->zone, ISC_LOG_DEBUG(2),
+ "notify to %s failed: %s", addrbuf,
+ dns_result_totext(result));
+
+ /*
+ * Old bind's return formerr if they see a soa record. Retry w/o
+ * the soa if we see a formerr and had sent a SOA.
+ */
+ isc_event_free(&event);
+ if (message != NULL && message->rcode == dns_rcode_formerr &&
+ (notify->flags & DNS_NOTIFY_NOSOA) == 0) {
+ notify->flags |= DNS_NOTIFY_NOSOA;
+ dns_request_destroy(&notify->request);
+ result = notify_send_queue(notify);
+ if (result != ISC_R_SUCCESS)
+ notify_destroy(notify, ISC_FALSE);
+ } else {
+ if (result == ISC_R_TIMEDOUT)
+ notify_log(notify->zone, ISC_LOG_DEBUG(1),
+ "notify to %s: retries exceeded", addrbuf);
+ notify_destroy(notify, ISC_FALSE);
+ }
+ if (message != NULL)
+ dns_message_destroy(&message);
+}
+
+isc_result_t
+dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
+ isc_result_t result;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ LOCK_ZONE(zone);
+ result = zone_replacedb(zone, db, dump);
+ UNLOCK_ZONE(zone);
+ return (result);
+}
+
+static isc_result_t
+zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
+ dns_dbversion_t *ver;
+ isc_result_t result;
+
+ /*
+ * 'zone' locked by caller.
+ */
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(LOCKED_ZONE(zone));
+
+ ver = NULL;
+ dns_db_currentversion(db, &ver);
+
+ /*
+ * The initial version of a slave zone is always dumped;
+ * subsequent versions may be journalled instead if this
+ * is enabled in the configuration.
+ */
+ if (zone->db != NULL && zone->journal != NULL &&
+ DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+ "generating diffs");
+ result = dns_db_diff(zone->mctx, db, ver,
+ zone->db, NULL /* XXX */,
+ zone->journal);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+ if (dump)
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ else if (zone->journalsize != -1) {
+ isc_uint32_t serial;
+
+ result = dns_db_getsoaserial(db, ver, &serial);
+ if (result == ISC_R_SUCCESS) {
+ result = dns_journal_compact(zone->mctx,
+ zone->journal,
+ serial,
+ zone->journalsize);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ case ISC_R_NOSPACE:
+ case ISC_R_NOTFOUND:
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "dns_journal_compact: %s",
+ dns_result_totext(result));
+ break;
+ default:
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "dns_journal_compact failed: %s",
+ dns_result_totext(result));
+ break;
+ }
+ }
+ }
+ } else {
+ if (dump && zone->masterfile != NULL) {
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+ "dumping new zone version");
+ result = dns_db_dump(db, ver, zone->masterfile);
+ if (result != ISC_R_SUCCESS)
+ goto fail;
+
+ /*
+ * Update the time the zone was updated, so
+ * dns_zone_load can avoid loading it when
+ * the server is reloaded. If isc_time_now
+ * fails for some reason, all that happens is
+ * the timestamp is not updated.
+ */
+ TIME_NOW(&zone->loadtime);
+ }
+
+ if (dump && zone->journal != NULL) {
+ /*
+ * The in-memory database just changed, and
+ * because 'dump' is set, it didn't change by
+ * being loaded from disk. Also, we have not
+ * journalled diffs for this change.
+ * Therefore, the on-disk journal is missing
+ * the deltas for this change. Since it can
+ * no longer be used to bring the zone
+ * up-to-date, it is useless and should be
+ * removed.
+ */
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+ "removing journal file");
+ (void)remove(zone->journal);
+ }
+ }
+
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+ "replacing zone database");
+
+ if (zone->db != NULL)
+ dns_db_detach(&zone->db);
+ dns_db_attach(db, &zone->db);
+ dns_db_settask(zone->db, zone->task);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED|DNS_ZONEFLG_NEEDNOTIFY);
+ return (ISC_R_SUCCESS);
+
+ fail:
+ dns_db_closeversion(db, &ver, ISC_FALSE);
+ return (result);
+}
+
+static void
+zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+ isc_time_t now;
+ isc_boolean_t again = ISC_FALSE;
+ unsigned int soacount;
+ unsigned int nscount;
+ isc_uint32_t serial, refresh, retry, expire, minimum;
+ isc_result_t xfrresult = result;
+ isc_boolean_t free_needed;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "zone transfer finished: %s", dns_result_totext(result));
+
+ LOCK_ZONE(zone);
+ INSIST((zone->flags & DNS_ZONEFLG_REFRESH) != 0);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+
+ TIME_NOW(&now);
+ switch (result) {
+ case ISC_R_SUCCESS:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+ /*FALLTHROUGH*/
+ case DNS_R_UPTODATE:
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+ /*
+ * Has the zone expired underneath us?
+ */
+ if (zone->db == NULL)
+ goto same_master;
+
+ /*
+ * Update the zone structure's data from the actual
+ * SOA received.
+ */
+ nscount = 0;
+ soacount = 0;
+ INSIST(zone->db != NULL);
+ result = zone_get_from_db(zone->db, &zone->origin, &nscount,
+ &soacount, &serial, &refresh,
+ &retry, &expire, &minimum);
+ if (result == ISC_R_SUCCESS) {
+ if (soacount != 1)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "transferred zone "
+ "has %d SOA record%s", soacount,
+ (soacount != 0) ? "s" : "");
+ if (nscount == 0)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "transferred zone "
+ "has no NS records");
+ zone->serial = serial;
+ zone->refresh = RANGE(refresh, zone->minrefresh,
+ zone->maxrefresh);
+ zone->retry = RANGE(retry, zone->minretry,
+ zone->maxretry);
+ zone->expire = RANGE(expire,
+ zone->refresh + zone->retry,
+ DNS_MAX_EXPIRE);
+ zone->minimum = minimum;
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+ }
+
+ /*
+ * Set our next update/expire times.
+ */
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDREFRESH)) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_NEEDREFRESH);
+ zone->refreshtime = now;
+ DNS_ZONE_TIME_ADD(&now, zone->expire,
+ &zone->expiretime);
+ } else {
+ DNS_ZONE_JITTER_ADD(&now, zone->refresh,
+ &zone->refreshtime);
+ DNS_ZONE_TIME_ADD(&now, zone->expire,
+ &zone->expiretime);
+ }
+ if (result == ISC_R_SUCCESS && xfrresult == ISC_R_SUCCESS) {
+ char buf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
+ if (zone->tsigkey != NULL) {
+ char namebuf[DNS_NAME_FORMATSIZE];
+ dns_name_format(&zone->tsigkey->name, namebuf,
+ sizeof(namebuf));
+ snprintf(buf, sizeof(buf), ": TSIG '%s'",
+ namebuf);
+ } else
+ buf[0] = '\0';
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "transferred serial %u%s",
+ zone->serial, buf);
+ }
+
+ /*
+ * This is not neccessary if we just performed a AXFR
+ * however it is necessary for an IXFR / UPTODATE and
+ * won't hurt with an AXFR.
+ */
+ if (zone->masterfile != NULL || zone->journal != NULL) {
+ result = ISC_R_FAILURE;
+ if (zone->journal != NULL)
+ result = isc_file_settime(zone->journal, &now);
+ if (result != ISC_R_SUCCESS &&
+ zone->masterfile != NULL)
+ result = isc_file_settime(zone->masterfile,
+ &now);
+ /* Someone removed the file from underneath us! */
+ if (result == ISC_R_FILENOTFOUND &&
+ zone->masterfile != NULL)
+ zone_needdump(zone, DNS_DUMP_DELAY);
+ else if (result != ISC_R_SUCCESS)
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "transfer: could not set file "
+ "modification time of '%s': %s",
+ zone->masterfile,
+ dns_result_totext(result));
+ }
+
+ break;
+
+ case DNS_R_BADIXFR:
+ /* Force retry with AXFR. */
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+ goto same_master;
+
+ default:
+ zone->curmaster++;
+ same_master:
+ if (zone->curmaster >= zone->masterscnt) {
+ zone->curmaster = 0;
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_USEALTXFRSRC) &&
+ !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_USEALTXFRSRC)) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ again = ISC_TRUE;
+ } else
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_USEALTXFRSRC);
+ } else {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
+ again = ISC_TRUE;
+ }
+ break;
+ }
+ zone_settimer(zone, &now);
+
+ /*
+ * If creating the transfer object failed, zone->xfr is NULL.
+ * Otherwise, we are called as the done callback of a zone
+ * transfer object that just entered its shutting-down
+ * state. Since we are no longer responsible for shutting
+ * it down, we can detach our reference.
+ */
+ if (zone->xfr != NULL)
+ dns_xfrin_detach(&zone->xfr);
+
+ if (zone->tsigkey != NULL)
+ dns_tsigkey_detach(&zone->tsigkey);
+
+ /*
+ * This transfer finishing freed up a transfer quota slot.
+ * Let any other zones waiting for quota have it.
+ */
+ RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+ ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+ zone->statelist = NULL;
+ zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
+ RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+
+ /*
+ * Retry with a different server if necessary.
+ */
+ if (again && !DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING))
+ queue_soa_query(zone);
+
+ INSIST(zone->irefs > 0);
+ zone->irefs--;
+ free_needed = exit_check(zone);
+ UNLOCK_ZONE(zone);
+ if (free_needed)
+ zone_free(zone);
+}
+
+static void
+zone_loaddone(void *arg, isc_result_t result) {
+ static char me[] = "zone_loaddone";
+ dns_load_t *load = arg;
+ dns_zone_t *zone;
+ isc_result_t tresult;
+
+ REQUIRE(DNS_LOAD_VALID(load));
+ zone = load->zone;
+
+ ENTER;
+
+ tresult = dns_db_endload(load->db, &load->callbacks.add_private);
+ if (tresult != ISC_R_SUCCESS &&
+ (result == ISC_R_SUCCESS || result == DNS_R_SEENINCLUDE))
+ result = tresult;
+
+ LOCK_ZONE(load->zone);
+ (void)zone_postload(load->zone, load->db, load->loadtime, result);
+ zonemgr_putio(&load->zone->readio);
+ DNS_ZONE_CLRFLAG(load->zone, DNS_ZONEFLG_LOADING);
+ UNLOCK_ZONE(load->zone);
+
+ load->magic = 0;
+ dns_db_detach(&load->db);
+ if (load->zone->lctx != NULL)
+ dns_loadctx_detach(&load->zone->lctx);
+ dns_zone_idetach(&load->zone);
+ isc_mem_putanddetach(&load->mctx, load, sizeof(*load));
+}
+
+void
+dns_zone_getssutable(dns_zone_t *zone, dns_ssutable_t **table) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(table != NULL);
+ REQUIRE(*table == NULL);
+
+ LOCK_ZONE(zone);
+ if (zone->ssutable != NULL)
+ dns_ssutable_attach(zone->ssutable, table);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setssutable(dns_zone_t *zone, dns_ssutable_t *table) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ if (zone->ssutable != NULL)
+ dns_ssutable_detach(&zone->ssutable);
+ if (table != NULL)
+ dns_ssutable_attach(table, &zone->ssutable);
+ UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->sigvalidityinterval = interval;
+}
+
+isc_uint32_t
+dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->sigvalidityinterval);
+}
+
+static void
+queue_xfrin(dns_zone_t *zone) {
+ const char me[] = "queue_xfrin";
+ isc_result_t result;
+ dns_zonemgr_t *zmgr = zone->zmgr;
+
+ ENTER;
+
+ INSIST(zone->statelist == NULL);
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ ISC_LIST_APPEND(zmgr->waiting_for_xfrin, zone, statelink);
+ LOCK_ZONE(zone);
+ zone->irefs++;
+ UNLOCK_ZONE(zone);
+ zone->statelist = &zmgr->waiting_for_xfrin;
+ result = zmgr_start_xfrin_ifquota(zmgr, zone);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+ if (result == ISC_R_QUOTA) {
+ dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_INFO,
+ "zone transfer deferred due to quota");
+ } else if (result != ISC_R_SUCCESS) {
+ dns_zone_logc(zone, DNS_LOGCATEGORY_XFER_IN, ISC_LOG_ERROR,
+ "starting zone transfer: %s",
+ isc_result_totext(result));
+ }
+}
+
+/*
+ * This event callback is called when a zone has received
+ * any necessary zone transfer quota. This is the time
+ * to go ahead and start the transfer.
+ */
+static void
+got_transfer_quota(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result;
+ dns_peer_t *peer = NULL;
+ char mastertext[256];
+ dns_rdatatype_t xfrtype;
+ dns_zone_t *zone = event->ev_arg;
+ isc_netaddr_t masterip;
+ isc_sockaddr_t sourceaddr;
+ isc_sockaddr_t masteraddr;
+
+ UNUSED(task);
+
+ INSIST(task == zone->task);
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_EXITING)) {
+ result = ISC_R_CANCELED;
+ goto cleanup;
+ }
+
+ isc_sockaddr_format(&zone->masteraddr, mastertext, sizeof(mastertext));
+
+ isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+ (void)dns_peerlist_peerbyaddr(zone->view->peers,
+ &masterip, &peer);
+
+ /*
+ * Decide whether we should request IXFR or AXFR.
+ */
+ if (zone->db == NULL) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "no database exists yet, "
+ "requesting AXFR of "
+ "initial version from %s", mastertext);
+ xfrtype = dns_rdatatype_axfr;
+ } else if (dns_zone_isforced(zone)) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "forced reload, requesting AXFR of "
+ "initial version from %s", mastertext);
+ xfrtype = dns_rdatatype_axfr;
+ } else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "retrying with AXFR from %s due to "
+ "previous IXFR failure", mastertext);
+ xfrtype = dns_rdatatype_axfr;
+ LOCK_ZONE(zone);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+ UNLOCK_ZONE(zone);
+ } else {
+ isc_boolean_t use_ixfr = ISC_TRUE;
+ if (peer != NULL &&
+ dns_peer_getrequestixfr(peer, &use_ixfr) ==
+ ISC_R_SUCCESS) {
+ ; /* Using peer setting */
+ } else {
+ use_ixfr = zone->view->requestixfr;
+ }
+ if (use_ixfr == ISC_FALSE) {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "IXFR disabled, "
+ "requesting AXFR from %s",
+ mastertext);
+ xfrtype = dns_rdatatype_axfr;
+ } else {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "requesting IXFR from %s",
+ mastertext);
+ xfrtype = dns_rdatatype_ixfr;
+ }
+ }
+
+ /*
+ * Determine if we should attempt to sign the request with TSIG.
+ */
+ result = ISC_R_NOTFOUND;
+ /*
+ * First, look for a tsig key in the master statement, then
+ * try for a server key.
+ */
+ if ((zone->masterkeynames != NULL) &&
+ (zone->masterkeynames[zone->curmaster] != NULL)) {
+ dns_view_t *view = dns_zone_getview(zone);
+ dns_name_t *keyname = zone->masterkeynames[zone->curmaster];
+ result = dns_view_gettsig(view, keyname, &zone->tsigkey);
+ }
+ if (zone->tsigkey == NULL)
+ result = dns_view_getpeertsig(zone->view, &masterip,
+ &zone->tsigkey);
+
+ if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+ dns_zone_log(zone, ISC_LOG_ERROR,
+ "could not get TSIG key "
+ "for zone transfer: %s",
+ isc_result_totext(result));
+ }
+
+ LOCK_ZONE(zone);
+ masteraddr = zone->masteraddr;
+ sourceaddr = zone->sourceaddr;
+ UNLOCK_ZONE(zone);
+ INSIST(isc_sockaddr_pf(&masteraddr) == isc_sockaddr_pf(&sourceaddr));
+ result = dns_xfrin_create2(zone, xfrtype, &masteraddr, &sourceaddr,
+ zone->tsigkey, zone->mctx,
+ zone->zmgr->timermgr, zone->zmgr->socketmgr,
+ zone->task, zone_xfrdone, &zone->xfr);
+ cleanup:
+ /*
+ * Any failure in this function is handled like a failed
+ * zone transfer. This ensures that we get removed from
+ * zmgr->xfrin_in_progress.
+ */
+ if (result != ISC_R_SUCCESS)
+ zone_xfrdone(zone, result);
+
+ isc_event_free(&event);
+}
+
+/*
+ * Update forwarding support.
+ */
+
+static void
+forward_destroy(dns_forward_t *forward) {
+
+ forward->magic = 0;
+ if (forward->request != NULL)
+ dns_request_destroy(&forward->request);
+ if (forward->msgbuf != NULL)
+ isc_buffer_free(&forward->msgbuf);
+ if (forward->zone != NULL)
+ dns_zone_idetach(&forward->zone);
+ isc_mem_putanddetach(&forward->mctx, forward, sizeof(*forward));
+}
+
+static isc_result_t
+sendtomaster(dns_forward_t *forward) {
+ isc_result_t result;
+ isc_sockaddr_t src;
+
+ LOCK_ZONE(forward->zone);
+ if (forward->which >= forward->zone->masterscnt) {
+ UNLOCK_ZONE(forward->zone);
+ return (ISC_R_NOMORE);
+ }
+
+ forward->addr = forward->zone->masters[forward->which];
+ /*
+ * Always use TCP regardless of whether the original update
+ * used TCP.
+ * XXX The timeout may but a bit small if we are far down a
+ * transfer graph and the master has to try several masters.
+ */
+ switch (isc_sockaddr_pf(&forward->addr)) {
+ case PF_INET:
+ src = forward->zone->xfrsource4;
+ break;
+ case PF_INET6:
+ src = forward->zone->xfrsource6;
+ break;
+ default:
+ result = ISC_R_NOTIMPLEMENTED;
+ goto unlock;
+ }
+ result = dns_request_createraw(forward->zone->view->requestmgr,
+ forward->msgbuf,
+ &src, &forward->addr,
+ DNS_REQUESTOPT_TCP, 15 /* XXX */,
+ forward->zone->task,
+ forward_callback, forward,
+ &forward->request);
+ unlock:
+ UNLOCK_ZONE(forward->zone);
+ return (result);
+}
+
+static void
+forward_callback(isc_task_t *task, isc_event_t *event) {
+ const char me[] = "forward_callback";
+ dns_requestevent_t *revent = (dns_requestevent_t *)event;
+ dns_message_t *msg = NULL;
+ char master[ISC_SOCKADDR_FORMATSIZE];
+ isc_result_t result;
+ dns_forward_t *forward;
+ dns_zone_t *zone;
+
+ UNUSED(task);
+
+ forward = revent->ev_arg;
+ INSIST(DNS_FORWARD_VALID(forward));
+ zone = forward->zone;
+ INSIST(DNS_ZONE_VALID(zone));
+
+ ENTER;
+
+ isc_sockaddr_format(&forward->addr, master, sizeof(master));
+
+ if (revent->result != ISC_R_SUCCESS) {
+ dns_zone_log(zone, ISC_LOG_INFO,
+ "could not forward dynamic update to %s: %s",
+ master, dns_result_totext(revent->result));
+ goto next_master;
+ }
+
+ result = dns_message_create(zone->mctx, DNS_MESSAGE_INTENTPARSE, &msg);
+ if (result != ISC_R_SUCCESS)
+ goto next_master;
+
+ result = dns_request_getresponse(revent->request, msg,
+ DNS_MESSAGEPARSE_PRESERVEORDER |
+ DNS_MESSAGEPARSE_CLONEBUFFER);
+ if (result != ISC_R_SUCCESS)
+ goto next_master;
+
+ switch (msg->rcode) {
+ /*
+ * Pass these rcodes back to client.
+ */
+ case dns_rcode_noerror:
+ case dns_rcode_yxdomain:
+ case dns_rcode_yxrrset:
+ case dns_rcode_nxrrset:
+ case dns_rcode_refused:
+ case dns_rcode_nxdomain:
+ break;
+
+ /* These should not occur if the masters/zone are valid. */
+ case dns_rcode_notzone:
+ case dns_rcode_notauth: {
+ char rcode[128];
+ isc_buffer_t rb;
+
+ isc_buffer_init(&rb, rcode, sizeof(rcode));
+ (void)dns_rcode_totext(msg->rcode, &rb);
+ dns_zone_log(zone, ISC_LOG_WARNING,
+ "forwarding dynamic update: "
+ "unexpected response: master %s returned: %.*s",
+ master, (int)rb.used, rcode);
+ goto next_master;
+ }
+
+ /* Try another server for these rcodes. */
+ case dns_rcode_formerr:
+ case dns_rcode_servfail:
+ case dns_rcode_notimp:
+ case dns_rcode_badvers:
+ default:
+ goto next_master;
+ }
+
+ /* call callback */
+ (forward->callback)(forward->callback_arg, ISC_R_SUCCESS, msg);
+ msg = NULL;
+ dns_request_destroy(&forward->request);
+ forward_destroy(forward);
+ isc_event_free(&event);
+ return;
+
+ next_master:
+ if (msg != NULL)
+ dns_message_destroy(&msg);
+ isc_event_free(&event);
+ forward->which++;
+ dns_request_destroy(&forward->request);
+ result = sendtomaster(forward);
+ if (result != ISC_R_SUCCESS) {
+ /* call callback */
+ dns_zone_log(zone, ISC_LOG_DEBUG(3),
+ "exhausted dynamic update forwarder list");
+ (forward->callback)(forward->callback_arg, result, NULL);
+ forward_destroy(forward);
+ }
+}
+
+isc_result_t
+dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
+ dns_updatecallback_t callback, void *callback_arg)
+{
+ dns_forward_t *forward;
+ isc_result_t result;
+ isc_region_t *mr;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(msg != NULL);
+ REQUIRE(callback != NULL);
+
+ forward = isc_mem_get(zone->mctx, sizeof(*forward));
+ if (forward == NULL)
+ return (ISC_R_NOMEMORY);
+
+ forward->request = NULL;
+ forward->zone = NULL;
+ forward->msgbuf = NULL;
+ forward->which = 0;
+ forward->mctx = 0;
+ forward->callback = callback;
+ forward->callback_arg = callback_arg;
+ forward->magic = FORWARD_MAGIC;
+
+ mr = dns_message_getrawmessage(msg);
+ if (mr == NULL) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto cleanup;
+ }
+
+ result = isc_buffer_allocate(zone->mctx, &forward->msgbuf, mr->length);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+ result = isc_buffer_copyregion(forward->msgbuf, mr);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ isc_mem_attach(zone->mctx, &forward->mctx);
+ dns_zone_iattach(zone, &forward->zone);
+ result = sendtomaster(forward);
+
+ cleanup:
+ if (result != ISC_R_SUCCESS) {
+ forward_destroy(forward);
+ }
+ return (result);
+}
+
+isc_result_t
+dns_zone_next(dns_zone_t *zone, dns_zone_t **next) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(next != NULL && *next == NULL);
+
+ *next = ISC_LIST_NEXT(zone, link);
+ if (*next == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+ REQUIRE(first != NULL && *first == NULL);
+
+ *first = ISC_LIST_HEAD(zmgr->zones);
+ if (*first == NULL)
+ return (ISC_R_NOMORE);
+ else
+ return (ISC_R_SUCCESS);
+}
+
+/***
+ *** Zone manager.
+ ***/
+
+isc_result_t
+dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
+ isc_timermgr_t *timermgr, isc_socketmgr_t *socketmgr,
+ dns_zonemgr_t **zmgrp)
+{
+ dns_zonemgr_t *zmgr;
+ isc_result_t result;
+ isc_interval_t interval;
+
+ zmgr = isc_mem_get(mctx, sizeof(*zmgr));
+ if (zmgr == NULL)
+ return (ISC_R_NOMEMORY);
+ zmgr->mctx = NULL;
+ zmgr->refs = 1;
+ isc_mem_attach(mctx, &zmgr->mctx);
+ zmgr->taskmgr = taskmgr;
+ zmgr->timermgr = timermgr;
+ zmgr->socketmgr = socketmgr;
+ zmgr->zonetasks = NULL;
+ zmgr->task = NULL;
+ zmgr->rl = NULL;
+ ISC_LIST_INIT(zmgr->zones);
+ ISC_LIST_INIT(zmgr->waiting_for_xfrin);
+ ISC_LIST_INIT(zmgr->xfrin_in_progress);
+ result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto free_mem;
+ }
+ zmgr->transfersin = 10;
+ zmgr->transfersperns = 2;
+
+ /* Create the zone task pool. */
+ result = isc_taskpool_create(taskmgr, mctx,
+ 8 /* XXX */, 2, &zmgr->zonetasks);
+ if (result != ISC_R_SUCCESS)
+ goto free_rwlock;
+
+ /* Create a single task for queueing of SOA queries. */
+ result = isc_task_create(taskmgr, 1, &zmgr->task);
+ if (result != ISC_R_SUCCESS)
+ goto free_taskpool;
+ isc_task_setname(zmgr->task, "zmgr", zmgr);
+ result = isc_ratelimiter_create(mctx, timermgr, zmgr->task,
+ &zmgr->rl);
+ if (result != ISC_R_SUCCESS)
+ goto free_task;
+ /* default to 20 refresh queries / notifies per second. */
+ isc_interval_set(&interval, 0, 1000000000/2);
+ result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ isc_ratelimiter_setpertic(zmgr->rl, 10);
+
+ zmgr->iolimit = 1;
+ zmgr->ioactive = 0;
+ ISC_LIST_INIT(zmgr->high);
+ ISC_LIST_INIT(zmgr->low);
+
+ result = isc_mutex_init(&zmgr->iolock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() failed: %s",
+ isc_result_totext(result));
+ goto free_rl;
+ }
+ zmgr->magic = ZONEMGR_MAGIC;
+
+ *zmgrp = zmgr;
+ return (ISC_R_SUCCESS);
+
+#if 0
+ free_iolock:
+ DESTROYLOCK(&zmgr->iolock);
+#endif
+ free_rl:
+ isc_ratelimiter_detach(&zmgr->rl);
+ free_task:
+ isc_task_detach(&zmgr->task);
+ free_taskpool:
+ isc_taskpool_destroy(&zmgr->zonetasks);
+ free_rwlock:
+ isc_rwlock_destroy(&zmgr->rwlock);
+ free_mem:
+ isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+ isc_mem_detach(&mctx);
+ return (result);
+}
+
+isc_result_t
+dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+ isc_result_t result;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ LOCK_ZONE(zone);
+ REQUIRE(zone->task == NULL);
+ REQUIRE(zone->timer == NULL);
+ REQUIRE(zone->zmgr == NULL);
+
+ isc_taskpool_gettask(zmgr->zonetasks,
+ dns_name_hash(dns_zone_getorigin(zone),
+ ISC_FALSE),
+ &zone->task);
+
+ /*
+ * Set the task name. The tag will arbitrarily point to one
+ * of the zones sharing the task (in practice, the one
+ * to be managed last).
+ */
+ isc_task_setname(zone->task, "zone", zone);
+
+ result = isc_timer_create(zmgr->timermgr, isc_timertype_inactive,
+ NULL, NULL,
+ zone->task, zone_timer, zone,
+ &zone->timer);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_task;
+ /*
+ * The timer "holds" a iref.
+ */
+ zone->irefs++;
+ INSIST(zone->irefs != 0);
+
+ ISC_LIST_APPEND(zmgr->zones, zone, link);
+ zone->zmgr = zmgr;
+ zmgr->refs++;
+
+ goto unlock;
+
+ cleanup_task:
+ isc_task_detach(&zone->task);
+
+ unlock:
+ UNLOCK_ZONE(zone);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ return (result);
+}
+
+void
+dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+ isc_boolean_t free_now = ISC_FALSE;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+ REQUIRE(zone->zmgr == zmgr);
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ LOCK_ZONE(zone);
+
+ ISC_LIST_UNLINK(zmgr->zones, zone, link);
+ zone->zmgr = NULL;
+ zmgr->refs--;
+ if (zmgr->refs == 0)
+ free_now = ISC_TRUE;
+
+ UNLOCK_ZONE(zone);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+ if (free_now)
+ zonemgr_free(zmgr);
+ ENSURE(zone->zmgr == NULL);
+}
+
+void
+dns_zonemgr_attach(dns_zonemgr_t *source, dns_zonemgr_t **target) {
+ REQUIRE(DNS_ZONEMGR_VALID(source));
+ REQUIRE(target != NULL && *target == NULL);
+
+ RWLOCK(&source->rwlock, isc_rwlocktype_write);
+ REQUIRE(source->refs > 0);
+ source->refs++;
+ INSIST(source->refs > 0);
+ RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
+ *target = source;
+}
+
+void
+dns_zonemgr_detach(dns_zonemgr_t **zmgrp) {
+ dns_zonemgr_t *zmgr;
+ isc_boolean_t free_now = ISC_FALSE;
+
+ REQUIRE(zmgrp != NULL);
+ zmgr = *zmgrp;
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ zmgr->refs--;
+ if (zmgr->refs == 0)
+ free_now = ISC_TRUE;
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+
+ if (free_now)
+ zonemgr_free(zmgr);
+}
+
+isc_result_t
+dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr) {
+ dns_zone_t *p;
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+ for (p = ISC_LIST_HEAD(zmgr->zones);
+ p != NULL;
+ p = ISC_LIST_NEXT(p, link))
+ {
+ dns_zone_maintenance(p);
+ }
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+ /*
+ * Recent configuration changes may have increased the
+ * amount of available transfers quota. Make sure any
+ * transfers currently blocked on quota get started if
+ * possible.
+ */
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ zmgr_resume_xfrs(zmgr, ISC_TRUE);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_resumexfrs(dns_zonemgr_t *zmgr) {
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+ zmgr_resume_xfrs(zmgr, ISC_TRUE);
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
+void
+dns_zonemgr_shutdown(dns_zonemgr_t *zmgr) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ isc_ratelimiter_shutdown(zmgr->rl);
+
+ if (zmgr->task != NULL)
+ isc_task_destroy(&zmgr->task);
+ if (zmgr->zonetasks != NULL)
+ isc_taskpool_destroy(&zmgr->zonetasks);
+}
+
+static void
+zonemgr_free(dns_zonemgr_t *zmgr) {
+ isc_mem_t *mctx;
+
+ INSIST(zmgr->refs == 0);
+ INSIST(ISC_LIST_EMPTY(zmgr->zones));
+
+ zmgr->magic = 0;
+
+ DESTROYLOCK(&zmgr->iolock);
+ isc_ratelimiter_detach(&zmgr->rl);
+
+ isc_rwlock_destroy(&zmgr->rwlock);
+ mctx = zmgr->mctx;
+ isc_mem_put(zmgr->mctx, zmgr, sizeof(*zmgr));
+ isc_mem_detach(&mctx);
+}
+
+void
+dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ zmgr->transfersin = value;
+}
+
+isc_uint32_t
+dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ return (zmgr->transfersin);
+}
+
+void
+dns_zonemgr_settransfersperns(dns_zonemgr_t *zmgr, isc_uint32_t value) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ zmgr->transfersperns = value;
+}
+
+isc_uint32_t
+dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ return (zmgr->transfersperns);
+}
+
+/*
+ * Try to start a new incoming zone transfer to fill a quota
+ * slot that was just vacated.
+ *
+ * Requires:
+ * The zone manager is locked by the caller.
+ */
+static void
+zmgr_resume_xfrs(dns_zonemgr_t *zmgr, isc_boolean_t multi) {
+ dns_zone_t *zone;
+ dns_zone_t *next;
+
+ for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+ zone != NULL;
+ zone = next)
+ {
+ isc_result_t result;
+ next = ISC_LIST_NEXT(zone, statelink);
+ result = zmgr_start_xfrin_ifquota(zmgr, zone);
+ if (result == ISC_R_SUCCESS) {
+ if (multi)
+ continue;
+ /*
+ * We successfully filled the slot. We're done.
+ */
+ break;
+ } else if (result == ISC_R_QUOTA) {
+ /*
+ * Not enough quota. This is probably the per-server
+ * quota, because we usually get called when a unit of
+ * global quota has just been freed. Try the next
+ * zone, it may succeed if it uses another master.
+ */
+ continue;
+ } else {
+ dns_zone_log(zone, ISC_LOG_DEBUG(1),
+ "starting zone transfer: %s",
+ isc_result_totext(result));
+ break;
+ }
+ }
+}
+
+/*
+ * Try to start an incoming zone transfer for 'zone', quota permitting.
+ *
+ * Requires:
+ * The zone manager is locked by the caller.
+ *
+ * Returns:
+ * ISC_R_SUCCESS There was enough quota and we attempted to
+ * start a transfer. zone_xfrdone() has been or will
+ * be called.
+ * ISC_R_QUOTA Not enough quota.
+ * Others Failure.
+ */
+static isc_result_t
+zmgr_start_xfrin_ifquota(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+ dns_peer_t *peer = NULL;
+ isc_netaddr_t masterip;
+ isc_uint32_t nxfrsin, nxfrsperns;
+ dns_zone_t *x;
+ isc_uint32_t maxtransfersin, maxtransfersperns;
+ isc_event_t *e;
+
+ /*
+ * Find any configured information about the server we'd
+ * like to transfer this zone from.
+ */
+ isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
+ (void)dns_peerlist_peerbyaddr(zone->view->peers,
+ &masterip, &peer);
+
+ /*
+ * Determine the total maximum number of simultaneous
+ * transfers allowed, and the maximum for this specific
+ * master.
+ */
+ maxtransfersin = zmgr->transfersin;
+ maxtransfersperns = zmgr->transfersperns;
+ if (peer != NULL)
+ (void)dns_peer_gettransfers(peer, &maxtransfersperns);
+
+ /*
+ * Count the total number of transfers that are in progress,
+ * and the number of transfers in progress from this master.
+ * We linearly scan a list of all transfers; if this turns
+ * out to be too slow, we could hash on the master address.
+ */
+ nxfrsin = nxfrsperns = 0;
+ for (x = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+ x != NULL;
+ x = ISC_LIST_NEXT(x, statelink))
+ {
+ isc_netaddr_t xip;
+ isc_netaddr_fromsockaddr(&xip, &x->masteraddr);
+ nxfrsin++;
+ if (isc_netaddr_equal(&xip, &masterip))
+ nxfrsperns++;
+ }
+
+ /* Enforce quota. */
+ if (nxfrsin >= maxtransfersin)
+ return (ISC_R_QUOTA);
+
+ if (nxfrsperns >= maxtransfersperns)
+ return (ISC_R_QUOTA);
+
+ /*
+ * We have sufficient quota. Move the zone to the "xfrin_in_progress"
+ * list and send it an event to let it start the actual transfer in the
+ * context of its own task.
+ */
+ e = isc_event_allocate(zmgr->mctx, zmgr,
+ DNS_EVENT_ZONESTARTXFRIN,
+ got_transfer_quota, zone,
+ sizeof(isc_event_t));
+ if (e == NULL)
+ return (ISC_R_NOMEMORY);
+
+ LOCK_ZONE(zone);
+ INSIST(zone->statelist == &zmgr->waiting_for_xfrin);
+ ISC_LIST_UNLINK(zmgr->waiting_for_xfrin, zone, statelink);
+ ISC_LIST_APPEND(zmgr->xfrin_in_progress, zone, statelink);
+ zone->statelist = &zmgr->xfrin_in_progress;
+ isc_task_send(zone->task, &e);
+ dns_zone_log(zone, ISC_LOG_INFO, "Transfer started.");
+ UNLOCK_ZONE(zone);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit) {
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+ REQUIRE(iolimit > 0);
+
+ zmgr->iolimit = iolimit;
+}
+
+isc_uint32_t
+dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr) {
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ return (zmgr->iolimit);
+}
+
+/*
+ * Get permission to request a file handle from the OS.
+ * An event will be sent to action when one is available.
+ * There are two queues available (high and low), the high
+ * queue will be serviced before the low one.
+ *
+ * zonemgr_putio() must be called after the event is delivered to
+ * 'action'.
+ */
+
+static isc_result_t
+zonemgr_getio(dns_zonemgr_t *zmgr, isc_boolean_t high,
+ isc_task_t *task, isc_taskaction_t action, void *arg,
+ dns_io_t **iop)
+{
+ dns_io_t *io;
+ isc_boolean_t queue;
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+ REQUIRE(iop != NULL && *iop == NULL);
+
+ io = isc_mem_get(zmgr->mctx, sizeof(*io));
+ if (io == NULL)
+ return (ISC_R_NOMEMORY);
+ io->event = isc_event_allocate(zmgr->mctx, task, DNS_EVENT_IOREADY,
+ action, arg, sizeof(*io->event));
+ if (io->event == NULL) {
+ isc_mem_put(zmgr->mctx, io, sizeof(*io));
+ return (ISC_R_NOMEMORY);
+ }
+ io->zmgr = zmgr;
+ io->high = high;
+ io->task = NULL;
+ isc_task_attach(task, &io->task);
+ ISC_LINK_INIT(io, link);
+ io->magic = IO_MAGIC;
+
+ LOCK(&zmgr->iolock);
+ zmgr->ioactive++;
+ queue = ISC_TF(zmgr->ioactive > zmgr->iolimit);
+ if (queue) {
+ if (io->high)
+ ISC_LIST_APPEND(zmgr->high, io, link);
+ else
+ ISC_LIST_APPEND(zmgr->low, io, link);
+ }
+ UNLOCK(&zmgr->iolock);
+ *iop = io;
+
+ if (!queue) {
+ isc_task_send(io->task, &io->event);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static void
+zonemgr_putio(dns_io_t **iop) {
+ dns_io_t *io;
+ dns_io_t *next;
+ dns_zonemgr_t *zmgr;
+
+ REQUIRE(iop != NULL);
+ io = *iop;
+ REQUIRE(DNS_IO_VALID(io));
+
+ *iop = NULL;
+
+ INSIST(!ISC_LINK_LINKED(io, link));
+ INSIST(io->event == NULL);
+
+ zmgr = io->zmgr;
+ isc_task_detach(&io->task);
+ io->magic = 0;
+ isc_mem_put(zmgr->mctx, io, sizeof(*io));
+
+ LOCK(&zmgr->iolock);
+ INSIST(zmgr->ioactive > 0);
+ zmgr->ioactive--;
+ next = HEAD(zmgr->high);
+ if (next == NULL)
+ next = HEAD(zmgr->low);
+ if (next != NULL) {
+ if (next->high)
+ ISC_LIST_UNLINK(zmgr->high, next, link);
+ else
+ ISC_LIST_UNLINK(zmgr->low, next, link);
+ INSIST(next->event != NULL);
+ }
+ UNLOCK(&zmgr->iolock);
+ if (next != NULL)
+ isc_task_send(next->task, &next->event);
+}
+
+static void
+zonemgr_cancelio(dns_io_t *io) {
+ isc_boolean_t send_event = ISC_FALSE;
+
+ REQUIRE(DNS_IO_VALID(io));
+
+ /*
+ * If we are queued to be run then dequeue.
+ */
+ LOCK(&io->zmgr->iolock);
+ if (ISC_LINK_LINKED(io, link)) {
+ if (io->high)
+ ISC_LIST_UNLINK(io->zmgr->high, io, link);
+ else
+ ISC_LIST_UNLINK(io->zmgr->low, io, link);
+
+ send_event = ISC_TRUE;
+ INSIST(io->event != NULL);
+ }
+ UNLOCK(&io->zmgr->iolock);
+ if (send_event) {
+ io->event->ev_attributes |= ISC_EVENTATTR_CANCELED;
+ isc_task_send(io->task, &io->event);
+ }
+}
+
+static void
+zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
+ char *buf;
+ int buflen;
+ isc_result_t result;
+
+ buflen = strlen(path) + strlen(templat) + 2;
+
+ buf = isc_mem_get(zone->mctx, buflen);
+ if (buf == NULL)
+ return;
+
+ result = isc_file_template(path, templat, buf, buflen);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ result = isc_file_renameunique(path, buf);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ dns_zone_log(zone, ISC_LOG_INFO, "saved '%s' as '%s'",
+ path, buf);
+
+ cleanup:
+ isc_mem_put(zone->mctx, buf, buflen);
+}
+
+#if 0
+/* Hook for ondestroy notifcation from a database. */
+
+static void
+dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
+ dns_db_t *db = event->sender;
+ UNUSED(task);
+
+ isc_event_free(&event);
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
+ "database (%p) destroyed", (void*) db);
+}
+#endif
+
+void
+dns_zonemgr_setserialqueryrate(dns_zonemgr_t *zmgr, unsigned int value) {
+ isc_interval_t interval;
+ isc_uint32_t s, ns;
+ isc_uint32_t pertic;
+ isc_result_t result;
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ if (value == 0)
+ value = 1;
+
+ if (value == 1) {
+ s = 1;
+ ns = 0;
+ pertic = 1;
+ } else if (value <= 10) {
+ s = 0;
+ ns = 1000000000 / value;
+ pertic = 1;
+ } else {
+ s = 0;
+ ns = (1000000000 / value) * 10;
+ pertic = 10;
+ }
+
+ isc_interval_set(&interval, s, ns);
+ result = isc_ratelimiter_setinterval(zmgr->rl, &interval);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ isc_ratelimiter_setpertic(zmgr->rl, pertic);
+
+ zmgr->serialqueryrate = value;
+}
+
+unsigned int
+dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ return (zmgr->serialqueryrate);
+}
+
+void
+dns_zone_forcereload(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_FORCEXFER);
+ UNLOCK_ZONE(zone);
+ dns_zone_refresh(zone);
+}
+
+isc_boolean_t
+dns_zone_isforced(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER));
+}
+
+isc_result_t
+dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ LOCK_ZONE(zone);
+ if (on) {
+ if (zone->counters != NULL)
+ goto done;
+ result = dns_stats_alloccounters(zone->mctx, &zone->counters);
+ } else {
+ if (zone->counters == NULL)
+ goto done;
+ dns_stats_freecounters(zone->mctx, &zone->counters);
+ }
+ done:
+ UNLOCK_ZONE(zone);
+ return (result);
+}
+
+isc_uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone) {
+ return (zone->counters);
+}
+
+void
+dns_zone_dialup(dns_zone_t *zone) {
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone_debuglog(zone, "dns_zone_dialup", 3,
+ "notify = %d, refresh = %d",
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY),
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH));
+
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALNOTIFY))
+ dns_zone_notify(zone);
+ if (zone->type != dns_zone_master &&
+ DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH))
+ dns_zone_refresh(zone);
+}
+
+void
+dns_zone_setdialup(dns_zone_t *zone, dns_dialuptype_t dialup) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_DIALNOTIFY |
+ DNS_ZONEFLG_DIALREFRESH |
+ DNS_ZONEFLG_NOREFRESH);
+ switch (dialup) {
+ case dns_dialuptype_no:
+ break;
+ case dns_dialuptype_yes:
+ DNS_ZONE_SETFLAG(zone, (DNS_ZONEFLG_DIALNOTIFY |
+ DNS_ZONEFLG_DIALREFRESH |
+ DNS_ZONEFLG_NOREFRESH));
+ break;
+ case dns_dialuptype_notify:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+ break;
+ case dns_dialuptype_notifypassive:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALNOTIFY);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+ break;
+ case dns_dialuptype_refresh:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_DIALREFRESH);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+ break;
+ case dns_dialuptype_passive:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NOREFRESH);
+ break;
+ default:
+ INSIST(0);
+ }
+ UNLOCK_ZONE(zone);
+}
+
+isc_result_t
+dns_zone_setkeydirectory(dns_zone_t *zone, const char *directory) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ LOCK_ZONE(zone);
+ result = dns_zone_setstring(zone, &zone->keydirectory, directory);
+ UNLOCK_ZONE(zone);
+
+ return (result);
+}
+
+const char *
+dns_zone_getkeydirectory(dns_zone_t *zone) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ return (zone->keydirectory);
+}
+unsigned int
+dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state) {
+ dns_zone_t *zone;
+ unsigned int count = 0;
+
+ REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+ RWLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+ switch (state) {
+ case DNS_ZONESTATE_XFERRUNNING:
+ for (zone = ISC_LIST_HEAD(zmgr->xfrin_in_progress);
+ zone != NULL;
+ zone = ISC_LIST_NEXT(zone, statelink))
+ count++;
+ break;
+ case DNS_ZONESTATE_XFERDEFERRED:
+ for (zone = ISC_LIST_HEAD(zmgr->waiting_for_xfrin);
+ zone != NULL;
+ zone = ISC_LIST_NEXT(zone, statelink))
+ count++;
+ break;
+ case DNS_ZONESTATE_SOAQUERY:
+ for (zone = ISC_LIST_HEAD(zmgr->zones);
+ zone != NULL;
+ zone = ISC_LIST_NEXT(zone, link))
+ if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_REFRESH))
+ count++;
+ break;
+ case DNS_ZONESTATE_ANY:
+ for (zone = ISC_LIST_HEAD(zmgr->zones);
+ zone != NULL;
+ zone = ISC_LIST_NEXT(zone, link)) {
+ dns_view_t *view = zone->view;
+ if (view != NULL && strcmp(view->name, "_bind") == 0)
+ continue;
+ count++;
+ }
+ break;
+ default:
+ INSIST(0);
+ }
+
+ RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_read);
+
+ return (count);
+}
+
+isc_result_t
+dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata) {
+ isc_boolean_t ok = ISC_TRUE;
+ isc_boolean_t fail = ISC_FALSE;
+ char namebuf[DNS_NAME_FORMATSIZE];
+ char namebuf2[DNS_NAME_FORMATSIZE];
+ char typebuf[DNS_RDATATYPE_FORMATSIZE];
+ int level = ISC_LOG_WARNING;
+ dns_name_t bad;
+
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+ return (ISC_R_SUCCESS);
+
+ if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL)) {
+ level = ISC_LOG_ERROR;
+ fail = ISC_TRUE;
+ }
+
+ ok = dns_rdata_checkowner(name, rdata->rdclass, rdata->type, ISC_TRUE);
+ if (!ok) {
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+ dns_zone_log(zone, level, "%s/%s: %s", namebuf, typebuf,
+ dns_result_totext(DNS_R_BADOWNERNAME));
+ if (fail)
+ return (DNS_R_BADOWNERNAME);
+ }
+
+ dns_name_init(&bad, NULL);
+ ok = dns_rdata_checknames(rdata, name, &bad);
+ if (!ok) {
+ dns_name_format(name, namebuf, sizeof(namebuf));
+ dns_name_format(&bad, namebuf2, sizeof(namebuf2));
+ dns_rdatatype_format(rdata->type, typebuf, sizeof(typebuf));
+ dns_zone_log(zone, level, "%s/%s: %s: %s ", namebuf, typebuf,
+ namebuf2, dns_result_totext(DNS_R_BADNAME));
+ if (fail)
+ return (DNS_R_BADNAME);
+ }
+
+ return (ISC_R_SUCCESS);
+}
diff --git a/contrib/bind9/lib/dns/zonekey.c b/contrib/bind9/lib/dns/zonekey.c
new file mode 100644
index 0000000..dc7ae0f
--- /dev/null
+++ b/contrib/bind9/lib/dns/zonekey.c
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zonekey.c,v 1.3.206.3 2004/03/08 09:04:33 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/result.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/rdata.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+#include <dns/zonekey.h>
+
+isc_boolean_t
+dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
+ isc_result_t result;
+ dns_rdata_dnskey_t key;
+ isc_boolean_t iszonekey = ISC_TRUE;
+
+ REQUIRE(keyrdata != NULL);
+
+ result = dns_rdata_tostruct(keyrdata, &key, NULL);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_FALSE);
+
+ if ((key.flags & DNS_KEYTYPE_NOAUTH) != 0)
+ iszonekey = ISC_FALSE;
+ if ((key.flags & DNS_KEYFLAG_OWNERMASK) != DNS_KEYOWNER_ZONE)
+ iszonekey = ISC_FALSE;
+ if (key.protocol != DNS_KEYPROTO_DNSSEC &&
+ key.protocol != DNS_KEYPROTO_ANY)
+ iszonekey = ISC_FALSE;
+
+ return (iszonekey);
+}
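Review bot: dns_zonekey_iszonekey() checks only `keyrdata != NULL` before unpacking it into a `dns_rdata_dnskey_t`, so the rdata type is left entirely to the caller. dns_rdata_tostruct() is not visible in this hunk; if it dispatches on the rdata's own type, a non-key rdata would be unpacked into the wrong struct layout on the stack. I would state the contract in a comment above the function, for example `/* keyrdata must be a KEY/DNSKEY rdata; the type is not checked here. */`, or add a REQUIRE on `keyrdata->type` if all callers allow it. The same comment could record that a key counts as a zone key only when the NOAUTH bit is clear, the owner field is ZONE and the protocol is DNSSEC or ANY.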
diff --git a/contrib/bind9/lib/dns/zt.c b/contrib/bind9/lib/dns/zt.c
new file mode 100644
index 0000000..7aa6a9f
--- /dev/null
+++ b/contrib/bind9/lib/dns/zt.c
@@ -0,0 +1,320 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: zt.c,v 1.33.12.6 2004/03/08 21:06:28 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/rbt.h>
+#include <dns/result.h>
+#include <dns/zone.h>
+#include <dns/zt.h>
+
+struct dns_zt {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ dns_rdataclass_t rdclass;
+ isc_rwlock_t rwlock;
+ /* Locked by lock. */
+ isc_uint32_t references;
+ dns_rbt_t *table;
+};
+
+#define ZTMAGIC ISC_MAGIC('Z', 'T', 'b', 'l')
+#define VALID_ZT(zt) ISC_MAGIC_VALID(zt, ZTMAGIC)
+
+static void
+auto_detach(void *, void *);
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap);
+
+static isc_result_t
+loadnew(dns_zone_t *zone, void *uap);
+
+isc_result_t
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
+ dns_zt_t *zt;
+ isc_result_t result;
+
+ REQUIRE(ztp != NULL && *ztp == NULL);
+
+ zt = isc_mem_get(mctx, sizeof(*zt));
+ if (zt == NULL)
+ return (ISC_R_NOMEMORY);
+
+ zt->table = NULL;
+ result = dns_rbt_create(mctx, auto_detach, zt, &zt->table);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup_zt;
+
+ result = isc_rwlock_init(&zt->rwlock, 0, 0);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_rwlock_init() failed: %s",
+ isc_result_totext(result));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_rbt;
+ }
+
+ zt->mctx = mctx;
+ zt->references = 1;
+ zt->rdclass = rdclass;
+ zt->magic = ZTMAGIC;
+ *ztp = zt;
+
+ return (ISC_R_SUCCESS);
+
+ cleanup_rbt:
+ dns_rbt_destroy(&zt->table);
+
+ cleanup_zt:
+ isc_mem_put(mctx, zt, sizeof(*zt));
+
+ return (result);
+}
+
+isc_result_t
+dns_zt_mount(dns_zt_t *zt, dns_zone_t *zone) {
+ isc_result_t result;
+ dns_zone_t *dummy = NULL;
+ dns_name_t *name;
+
+ REQUIRE(VALID_ZT(zt));
+
+ name = dns_zone_getorigin(zone);
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ result = dns_rbt_addname(zt->table, name, zone);
+ if (result == ISC_R_SUCCESS)
+ dns_zone_attach(zone, &dummy);
+
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ return (result);
+}
+
+isc_result_t
+dns_zt_unmount(dns_zt_t *zt, dns_zone_t *zone) {
+ isc_result_t result;
+ dns_name_t *name;
+
+ REQUIRE(VALID_ZT(zt));
+
+ name = dns_zone_getorigin(zone);
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ result = dns_rbt_deletename(zt->table, name, ISC_FALSE);
+
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ return (result);
+}
+
+isc_result_t
+dns_zt_find(dns_zt_t *zt, dns_name_t *name, unsigned int options,
+ dns_name_t *foundname, dns_zone_t **zonep)
+{
+ isc_result_t result;
+ dns_zone_t *dummy = NULL;
+ unsigned int rbtoptions = 0;
+
+ REQUIRE(VALID_ZT(zt));
+
+ if ((options & DNS_ZTFIND_NOEXACT) != 0)
+ rbtoptions |= DNS_RBTFIND_NOEXACT;
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+ result = dns_rbt_findname(zt->table, name, rbtoptions, foundname,
+ (void **) (void*)&dummy);
+ if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
+ dns_zone_attach(dummy, zonep);
+
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+
+ return (result);
+}
+
+void
+dns_zt_attach(dns_zt_t *zt, dns_zt_t **ztp) {
+
+ REQUIRE(VALID_ZT(zt));
+ REQUIRE(ztp != NULL && *ztp == NULL);
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ INSIST(zt->references > 0);
+ zt->references++;
+ INSIST(zt->references != 0);
+
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ *ztp = zt;
+}
+
+static isc_result_t
+flush(dns_zone_t *zone, void *uap) {
+ UNUSED(uap);
+ return (dns_zone_flush(zone));
+}
+
+static void
+zt_flushanddetach(dns_zt_t **ztp, isc_boolean_t need_flush) {
+ isc_boolean_t destroy = ISC_FALSE;
+ dns_zt_t *zt;
+
+ REQUIRE(ztp != NULL && VALID_ZT(*ztp));
+
+ zt = *ztp;
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ INSIST(zt->references > 0);
+ zt->references--;
+ if (zt->references == 0)
+ destroy = ISC_TRUE;
+
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_write);
+
+ if (destroy) {
+ if (need_flush)
+ (void)dns_zt_apply(zt, ISC_FALSE, flush, NULL);
+ dns_rbt_destroy(&zt->table);
+ isc_rwlock_destroy(&zt->rwlock);
+ zt->magic = 0;
+ isc_mem_put(zt->mctx, zt, sizeof(*zt));
+ }
+
+ *ztp = NULL;
+}
+
+void
+dns_zt_flushanddetach(dns_zt_t **ztp) {
+ zt_flushanddetach(ztp, ISC_TRUE);
+}
+
+void
+dns_zt_detach(dns_zt_t **ztp) {
+ zt_flushanddetach(ztp, ISC_FALSE);
+}
+
+isc_result_t
+dns_zt_load(dns_zt_t *zt, isc_boolean_t stop) {
+ isc_result_t result;
+
+ REQUIRE(VALID_ZT(zt));
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+ result = dns_zt_apply(zt, stop, load, NULL);
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+ return (result);
+}
+
+static isc_result_t
+load(dns_zone_t *zone, void *uap) {
+ isc_result_t result;
+ UNUSED(uap);
+ result = dns_zone_load(zone);
+ if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+isc_result_t
+dns_zt_loadnew(dns_zt_t *zt, isc_boolean_t stop) {
+ isc_result_t result;
+
+ REQUIRE(VALID_ZT(zt));
+
+ RWLOCK(&zt->rwlock, isc_rwlocktype_read);
+ result = dns_zt_apply(zt, stop, loadnew, NULL);
+ RWUNLOCK(&zt->rwlock, isc_rwlocktype_read);
+ return (result);
+}
+
+static isc_result_t
+loadnew(dns_zone_t *zone, void *uap) {
+ isc_result_t result;
+ UNUSED(uap);
+ result = dns_zone_loadnew(zone);
+ if (result == DNS_R_CONTINUE || result == DNS_R_UPTODATE ||
+ result == DNS_R_DYNAMIC)
+ result = ISC_R_SUCCESS;
+ return (result);
+}
+
+isc_result_t
+dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
+ isc_result_t (*action)(dns_zone_t *, void *), void *uap)
+{
+ dns_rbtnode_t *node;
+ dns_rbtnodechain_t chain;
+ isc_result_t result;
+ dns_zone_t *zone;
+
+ REQUIRE(VALID_ZT(zt));
+ REQUIRE(action != NULL);
+
+ dns_rbtnodechain_init(&chain, zt->mctx);
+ result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+ if (result == ISC_R_NOTFOUND) {
+ /*
+ * The tree is empty.
+ */
+ result = ISC_R_NOMORE;
+ }
+ while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+ result = dns_rbtnodechain_current(&chain, NULL, NULL,
+ &node);
+ if (result == ISC_R_SUCCESS) {
+ zone = node->data;
+ if (zone != NULL)
+ result = (action)(zone, uap);
+ if (result != ISC_R_SUCCESS && stop)
+ goto cleanup; /* don't break */
+ }
+ result = dns_rbtnodechain_next(&chain, NULL, NULL);
+ }
+ if (result == ISC_R_NOMORE)
+ result = ISC_R_SUCCESS;
+
+ cleanup:
+ dns_rbtnodechain_invalidate(&chain);
+
+ return (result);
+}
+
+/***
+ *** Private
+ ***/
+
+static void
+auto_detach(void *data, void *arg) {
+ dns_zone_t *zone = data;
+
+ UNUSED(arg);
+
+ dns_zone_detach(&zone);
+}
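Review bot: In dns_zt_apply(), a failing `action` is never reported when `stop` is ISC_FALSE, because its result is overwritten by the following dns_rbtnodechain_next() call and the final ISC_R_NOMORE is mapped to ISC_R_SUCCESS. dns_zt_load() and dns_zt_loadnew() called with `stop` false can therefore return success although a zone failed to load, and zt_flushanddetach() additionally discards the return value with `(void)`, so a failed flush is invisible. If this is intended, say so above the function, e.g. `/* With stop false, per-zone failures from action are not returned. */`. Otherwise keep the first failure in a separate variable, `else if (result != ISC_R_SUCCESS && tresult == ISC_R_SUCCESS) tresult = result;`, and return it after the walk.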
diff --git a/contrib/bind9/lib/isc/Makefile.in b/contrib/bind9/lib/isc/Makefile.in
new file mode 100644
index 0000000..7e53510
--- /dev/null
+++ b/contrib/bind9/lib/isc/Makefile.in
@@ -0,0 +1,111 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.71.2.2.2.8 2004/07/20 07:01:58 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBISC_API@
+
+CINCLUDES = -I${srcdir}/unix/include \
+ -I${srcdir}/@ISC_THREAD_DIR@/include \
+ -I./include \
+ -I${srcdir}/include
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+UNIXOBJS = @ISC_ISCIPV6_O@ \
+ unix/app.@O@ unix/dir.@O@ unix/entropy.@O@ \
+ unix/errno2result.@O@ unix/file.@O@ unix/fsaccess.@O@ \
+ unix/interfaceiter.@O@ unix/keyboard.@O@ unix/net.@O@ \
+ unix/os.@O@ unix/resource.@O@ unix/socket.@O@ unix/stdio.@O@ \
+ unix/stdtime.@O@ unix/strerror.@O@ unix/syslog.@O@ unix/time.@O@
+
+
+NLSOBJS = nls/msgcat.@O@
+
+THREADOBJS = @ISC_THREAD_DIR@/condition.@O@ @ISC_THREAD_DIR@/mutex.@O@ \
+ @ISC_THREAD_DIR@/thread.@O@
+
+WIN32OBJS = win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
+ win32/fsaccess.@O@ win32/once.@O@ win32/stdtime.@O@ \
+ win32/thread.@O@ win32/time.@O@
+
+# Alphabetically
+OBJS = @ISC_EXTRA_OBJS@ \
+ assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
+ bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
+ hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \
+ lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
+ mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
+ parseint.@O@ quota.@O@ random.@O@ \
+ ratelimiter.@O@ region.@O@ result.@O@ rwlock.@O@ \
+ serial.@O@ sha1.@O@ sockaddr.@O@ string.@O@ strtoul.@O@ \
+ symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ version.@O@ \
+ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+
+# Alphabetically
+SRCS = @ISC_EXTRA_SRCS@ \
+ assertions.c base64.c bitstring.c buffer.c \
+ bufferlist.c commandline.c error.c event.c \
+ heap.c hex.c hmacmd5.c \
+ lex.c lfsr.c lib.c log.c \
+ md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
+ parseint.c quota.c random.c \
+ ratelimiter.c result.c rwlock.c \
+ serial.c sha1.c sockaddr.c string.c strtoul.c symtab.c \
+ task.c taskpool.c timer.c version.c
+
+LIBS = @LIBS@
+
+SUBDIRS = include unix nls @ISC_THREAD_DIR@
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libisc.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libisc.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS}
+
+timestamp: libisc.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisc.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libisc.@A@ libisc.la timestamp
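Review bot: SRCS omits hash.c and region.c although OBJS lists `hash.@O@` and `region.@O@`, so the two lists that are both labelled "Alphabetically" no longer describe the same set of files. How SRCS is consumed is defined in `@BIND9_MAKE_RULES@`, which is not visible here; if it drives dependency generation, these two files would be skipped and header changes would not rebuild them. The SRCS lines would read `heap.c` → `hash.c heap.c hex.c hmacmd5.c \` and `ratelimiter.c region.c result.c rwlock.c \`.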
diff --git a/contrib/bind9/lib/isc/api b/contrib/bind9/lib/isc/api
new file mode 100644
index 0000000..9d7fc51
--- /dev/null
+++ b/contrib/bind9/lib/isc/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 10
+LIBREVISION = 4
+LIBAGE = 1
diff --git a/contrib/bind9/lib/isc/assertions.c b/contrib/bind9/lib/isc/assertions.c
new file mode 100644
index 0000000..94c6732
--- /dev/null
+++ b/contrib/bind9/lib/isc/assertions.c
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: assertions.c,v 1.16.206.1 2004/03/06 08:14:27 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/msgs.h>
+
+/*
+ * Forward.
+ */
+
+static void
+default_callback(const char *, int, isc_assertiontype_t, const char *);
+
+/*
+ * Public.
+ */
+
+LIBISC_EXTERNAL_DATA isc_assertioncallback_t isc_assertion_failed =
+ default_callback;
+
+void
+isc_assertion_setcallback(isc_assertioncallback_t cb) {
+ if (cb == NULL)
+ isc_assertion_failed = default_callback;
+ else
+ isc_assertion_failed = cb;
+}
+
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type) {
+ const char *result;
+
+ /*
+ * These strings have purposefully not been internationalized
+ * because they are considered to essentially be keywords of
+ * the ISC development environment.
+ */
+ switch (type) {
+ case isc_assertiontype_require:
+ result = "REQUIRE";
+ break;
+ case isc_assertiontype_ensure:
+ result = "ENSURE";
+ break;
+ case isc_assertiontype_insist:
+ result = "INSIST";
+ break;
+ case isc_assertiontype_invariant:
+ result = "INVARIANT";
+ break;
+ default:
+ result = NULL;
+ }
+ return (result);
+}
+
+/*
+ * Private.
+ */
+
+static void
+default_callback(const char *file, int line, isc_assertiontype_t type,
+ const char *cond)
+{
+ fprintf(stderr, "%s:%d: %s(%s) %s.\n",
+ file, line, isc_assertion_typetotext(type), cond,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ fflush(stderr);
+ abort();
+ /* NOTREACHED */
+}
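Review bot: default_callback() passes the return value of isc_assertion_typetotext() straight to a `%s` conversion, but that function returns NULL in its `default:` case, and a NULL argument for `%s` is undefined behaviour. This is the path that reports a failed assertion just before abort(), so an unexpected `type` value could lose the diagnostic or fault inside fprintf(). I would guard it in the callback: `const char *typetext = isc_assertion_typetotext(type);` followed by `if (typetext == NULL) typetext = "UNKNOWN";`, and print `typetext`.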
diff --git a/contrib/bind9/lib/isc/base64.c b/contrib/bind9/lib/isc/base64.c
new file mode 100644
index 0000000..445f8f5
--- /dev/null
+++ b/contrib/bind9/lib/isc/base64.c
@@ -0,0 +1,246 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base64.c,v 1.23.2.2.2.3 2004/03/06 08:14:27 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+
+/*
+ * These static functions are also present in lib/dns/rdata.c. I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char base64[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength,
+ const char *wordbreak, isc_buffer_t *target)
+{
+ char buf[5];
+ unsigned int loops = 0;
+
+ if (wordlength < 4)
+ wordlength = 4;
+
+ memset(buf, 0, sizeof(buf));
+ while (source->length > 2) {
+ buf[0] = base64[(source->base[0]>>2)&0x3f];
+ buf[1] = base64[((source->base[0]<<4)&0x30)|
+ ((source->base[1]>>4)&0x0f)];
+ buf[2] = base64[((source->base[1]<<2)&0x3c)|
+ ((source->base[2]>>6)&0x03)];
+ buf[3] = base64[source->base[2]&0x3f];
+ RETERR(str_totext(buf, target));
+ isc_region_consume(source, 3);
+
+ loops++;
+ if (source->length != 0 &&
+ (int)((loops + 1) * 4) >= wordlength)
+ {
+ loops = 0;
+ RETERR(str_totext(wordbreak, target));
+ }
+ }
+ if (source->length == 2) {
+ buf[0] = base64[(source->base[0]>>2)&0x3f];
+ buf[1] = base64[((source->base[0]<<4)&0x30)|
+ ((source->base[1]>>4)&0x0f)];
+ buf[2] = base64[((source->base[1]<<2)&0x3c)];
+ buf[3] = '=';
+ RETERR(str_totext(buf, target));
+ } else if (source->length == 1) {
+ buf[0] = base64[(source->base[0]>>2)&0x3f];
+ buf[1] = base64[((source->base[0]<<4)&0x30)];
+ buf[2] = buf[3] = '=';
+ RETERR(str_totext(buf, target));
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * State of a base64 decoding process in progress.
+ */
+typedef struct {
+ int length; /* Desired length of binary data or -1 */
+ isc_buffer_t *target; /* Buffer for resulting binary data */
+ int digits; /* Number of buffered base64 digits */
+ isc_boolean_t seen_end; /* True if "=" end marker seen */
+ int val[4];
+} base64_decode_ctx_t;
+
+static inline void
+base64_decode_init(base64_decode_ctx_t *ctx, int length, isc_buffer_t *target)
+{
+ ctx->digits = 0;
+ ctx->seen_end = ISC_FALSE;
+ ctx->length = length;
+ ctx->target = target;
+}
+
+static inline isc_result_t
+base64_decode_char(base64_decode_ctx_t *ctx, int c) {
+ char *s;
+
+ if (ctx->seen_end)
+ return (ISC_R_BADBASE64);
+ if ((s = strchr(base64, c)) == NULL)
+ return (ISC_R_BADBASE64);
+ ctx->val[ctx->digits++] = s - base64;
+ if (ctx->digits == 4) {
+ int n;
+ unsigned char buf[3];
+ if (ctx->val[0] == 64 || ctx->val[1] == 64)
+ return (ISC_R_BADBASE64);
+ if (ctx->val[2] == 64 && ctx->val[3] != 64)
+ return (ISC_R_BADBASE64);
+ /*
+ * Check that bits that should be zero are.
+ */
+ if (ctx->val[2] == 64 && (ctx->val[1] & 0xf) != 0)
+ return (ISC_R_BADBASE64);
+ /*
+ * We don't need to test for ctx->val[2] != 64 as
+ * the bottom two bits of 64 are zero.
+ */
+ if (ctx->val[3] == 64 && (ctx->val[2] & 0x3) != 0)
+ return (ISC_R_BADBASE64);
+ n = (ctx->val[2] == 64) ? 1 :
+ (ctx->val[3] == 64) ? 2 : 3;
+ if (n != 3) {
+ ctx->seen_end = ISC_TRUE;
+ if (ctx->val[2] == 64)
+ ctx->val[2] = 0;
+ if (ctx->val[3] == 64)
+ ctx->val[3] = 0;
+ }
+ buf[0] = (ctx->val[0]<<2)|(ctx->val[1]>>4);
+ buf[1] = (ctx->val[1]<<4)|(ctx->val[2]>>2);
+ buf[2] = (ctx->val[2]<<6)|(ctx->val[3]);
+ RETERR(mem_tobuffer(ctx->target, buf, n));
+ if (ctx->length >= 0) {
+ if (n > ctx->length)
+ return (ISC_R_BADBASE64);
+ else
+ ctx->length -= n;
+ }
+ ctx->digits = 0;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+base64_decode_finish(base64_decode_ctx_t *ctx) {
+ if (ctx->length > 0)
+ return (ISC_R_UNEXPECTEDEND);
+ if (ctx->digits != 0)
+ return (ISC_R_BADBASE64);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+ base64_decode_ctx_t ctx;
+ isc_textregion_t *tr;
+ isc_token_t token;
+ isc_boolean_t eol;
+
+ base64_decode_init(&ctx, length, target);
+
+ while (!ctx.seen_end && (ctx.length != 0)) {
+ unsigned int i;
+
+ if (length > 0)
+ eol = ISC_FALSE;
+ else
+ eol = ISC_TRUE;
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, eol));
+ if (token.type != isc_tokentype_string)
+ break;
+ tr = &token.value.as_textregion;
+ for (i = 0; i < tr->length; i++)
+ RETERR(base64_decode_char(&ctx, tr->base[i]));
+ }
+ if (ctx.length < 0 && !ctx.seen_end)
+ isc_lex_ungettoken(lexer, &token);
+ RETERR(base64_decode_finish(&ctx));
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target) {
+ base64_decode_ctx_t ctx;
+
+ base64_decode_init(&ctx, -1, target);
+ for (;;) {
+ int c = *cstr++;
+ if (c == '\0')
+ break;
+ if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+ continue;
+ RETERR(base64_decode_char(&ctx, c));
+ }
+ RETERR(base64_decode_finish(&ctx));
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+ unsigned int l;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(source);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, source, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+ isc_region_t tr;
+
+ isc_buffer_availableregion(target, &tr);
+ if (length > tr.length)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, base, length);
+ isc_buffer_add(target, length);
+ return (ISC_R_SUCCESS);
+}
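Review bot: In `base64_decode_char`, `strchr(base64, c)` also matches the string terminator, so a `c` of 0 yields index 65 rather than `ISC_R_BADBASE64`; that value passes every `== 64` padding check and is shifted into `buf`. `isc_base64_decodestring` stops at NUL before calling it, but `isc_base64_tobuffer` passes `tr->base[i]` straight from the lexer token, and whether a token can carry an embedded NUL is not visible in this file. Rejecting it explicitly is cheap: `if (c == '\0' || (s = strchr(base64, c)) == NULL)`. Separately, `mem_tobuffer` runs before the `n > ctx->length` check, so on that error path the target has already received the excess bytes; a comment stating that the target contents are undefined on failure would help callers.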
diff --git a/contrib/bind9/lib/isc/bitstring.c b/contrib/bind9/lib/isc/bitstring.c
new file mode 100644
index 0000000..e77ed39
--- /dev/null
+++ b/contrib/bind9/lib/isc/bitstring.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bitstring.c,v 1.12.206.1 2004/03/06 08:14:27 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/magic.h>
+#include <isc/bitstring.h>
+#include <isc/util.h>
+
+#define DIV8(x) ((x) >> 3)
+#define MOD8(x) ((x) & 0x00000007U)
+#define OCTETS(n) (((n) + 7) >> 3)
+#define PADDED(n) ((((n) + 7) >> 3) << 3)
+#define BITSET(bs, n) (((bs)->data[DIV8(n)] & \
+ (1 << (7 - MOD8(n)))) != 0)
+#define SETBIT(bs, n) (bs)->data[DIV8(n)] |= (1 << (7 - MOD8(n)))
+#define CLEARBIT(bs, n) (bs)->data[DIV8(n)] &= ~(1 << (7 - MOD8(n)))
+
+#define BITSTRING_MAGIC ISC_MAGIC('B', 'S', 't', 'r')
+#define VALID_BITSTRING(b) ISC_MAGIC_VALID(b, BITSTRING_MAGIC)
+
+void
+isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
+ unsigned int length, unsigned int size, isc_boolean_t lsb0)
+{
+ /*
+ * Make 'bitstring' refer to the bitstring of 'size' bits starting
+ * at 'data'. 'length' bits of the bitstring are valid. If 'lsb0'
+ * is set then, bit 0 refers to the least significant bit of the
+ * bitstring. Otherwise bit 0 is the most significant bit.
+ */
+
+ REQUIRE(bitstring != NULL);
+ REQUIRE(data != NULL);
+ REQUIRE(length <= size);
+
+ bitstring->magic = BITSTRING_MAGIC;
+ bitstring->data = data;
+ bitstring->length = length;
+ bitstring->size = size;
+ bitstring->lsb0 = lsb0;
+}
+
+void
+isc_bitstring_invalidate(isc_bitstring_t *bitstring) {
+
+ /*
+ * Invalidate 'bitstring'.
+ */
+
+ REQUIRE(VALID_BITSTRING(bitstring));
+
+ bitstring->magic = 0;
+ bitstring->data = NULL;
+ bitstring->length = 0;
+ bitstring->size = 0;
+ bitstring->lsb0 = ISC_FALSE;
+}
+
+void
+isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
+ isc_bitstring_t *target, unsigned int tbitpos,
+ unsigned int n)
+{
+ unsigned int tlast;
+
+ /*
+ * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
+ * the 'n' bits of 'target' starting at 'tbitpos'.
+ */
+
+ REQUIRE(VALID_BITSTRING(source));
+ REQUIRE(VALID_BITSTRING(target));
+ REQUIRE(source->lsb0 == target->lsb0);
+ if (source->lsb0) {
+ REQUIRE(sbitpos <= source->length);
+ sbitpos = PADDED(source->size) - sbitpos;
+ REQUIRE(sbitpos >= n);
+ sbitpos -= n;
+ } else
+ REQUIRE(sbitpos + n <= source->length);
+ tlast = tbitpos + n;
+ if (target->lsb0) {
+ REQUIRE(tbitpos <= target->length);
+ tbitpos = PADDED(target->size) - tbitpos;
+ REQUIRE(tbitpos >= n);
+ tbitpos -= n;
+ } else
+ REQUIRE(tlast <= target->size);
+
+ if (tlast > target->length)
+ target->length = tlast;
+
+ /*
+ * This is far from optimal...
+ */
+
+ while (n > 0) {
+ if (BITSET(source, sbitpos))
+ SETBIT(target, tbitpos);
+ else
+ CLEARBIT(target, tbitpos);
+ sbitpos++;
+ tbitpos++;
+ n--;
+ }
+}
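Review bot: The bounds preconditions in `isc_bitstring_copy` are sums of `unsigned int` values, so `REQUIRE(sbitpos + n <= source->length)` and `tlast = tbitpos + n` can wrap for large arguments and let the bit loop index outside `data`. Writing them as subtractions closes the wrap: `REQUIRE(n <= source->length && sbitpos <= source->length - n);` and `REQUIRE(n <= target->size && tbitpos <= target->size - n);`. In the `lsb0` branches the range is checked against `PADDED(size)` rather than `length` or `size`, so `target->length` can end up to 7 bits larger than `target->size`. If that is intended, it deserves a comment next to the `tlast > target->length` update.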
diff --git a/contrib/bind9/lib/isc/buffer.c b/contrib/bind9/lib/isc/buffer.c
new file mode 100644
index 0000000..30ce529
--- /dev/null
+++ b/contrib/bind9/lib/isc/buffer.c
@@ -0,0 +1,411 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: buffer.c,v 1.36.12.2 2004/03/08 09:04:48 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+void
+isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length) {
+ /*
+ * Make 'b' refer to the 'length'-byte region starting at 'base'.
+ * XXXDCL see the comment in buffer.h about base being const.
+ */
+
+ REQUIRE(b != NULL);
+
+ ISC__BUFFER_INIT(b, base, length);
+}
+
+void
+isc__buffer_invalidate(isc_buffer_t *b) {
+ /*
+ * Make 'b' an invalid buffer.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(!ISC_LINK_LINKED(b, link));
+ REQUIRE(b->mctx == NULL);
+
+ ISC__BUFFER_INVALIDATE(b);
+}
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_REGION(b, r);
+}
+
+void
+isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the used region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_USEDREGION(b, r);
+}
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the available region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_AVAILABLEREGION(b, r);
+}
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n) {
+ /*
+ * Increase the 'used' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + n <= b->length);
+
+ ISC__BUFFER_ADD(b, n);
+}
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n) {
+ /*
+ * Decrease the 'used' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used >= n);
+
+ ISC__BUFFER_SUBTRACT(b, n);
+}
+
+void
+isc__buffer_clear(isc_buffer_t *b) {
+ /*
+ * Make the used region empty.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+
+ ISC__BUFFER_CLEAR(b);
+}
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the consumed region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_CONSUMEDREGION(b, r);
+}
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the remaining region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_REMAININGREGION(b, r);
+}
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r) {
+ /*
+ * Make 'r' refer to the active region of 'b'.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ ISC__BUFFER_ACTIVEREGION(b, r);
+}
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n) {
+ /*
+ * Sets the end of the active region 'n' bytes after current.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->current + n <= b->used);
+
+ ISC__BUFFER_SETACTIVE(b, n);
+}
+
+void
+isc__buffer_first(isc_buffer_t *b) {
+ /*
+ * Make the consumed region empty.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+
+ ISC__BUFFER_FIRST(b);
+}
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n) {
+ /*
+ * Increase the 'consumed' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->current + n <= b->used);
+
+ ISC__BUFFER_FORWARD(b, n);
+}
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n) {
+ /*
+ * Decrease the 'consumed' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(n <= b->current);
+
+ ISC__BUFFER_BACK(b, n);
+}
+
+void
+isc_buffer_compact(isc_buffer_t *b) {
+ unsigned int length;
+ void *src;
+
+ /*
+ * Compact the used region by moving the remaining region so it occurs
+ * at the start of the buffer. The used region is shrunk by the size
+ * of the consumed region, and the consumed region is then made empty.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+
+ src = isc_buffer_current(b);
+ length = isc_buffer_remaininglength(b);
+ (void)memmove(b->base, src, (size_t)length);
+
+ if (b->active > b->current)
+ b->active -= b->current;
+ else
+ b->active = 0;
+ b->current = 0;
+ b->used = length;
+}
+
+isc_uint8_t
+isc_buffer_getuint8(isc_buffer_t *b) {
+ unsigned char *cp;
+ isc_uint8_t result;
+
+ /*
+ * Read an unsigned 8-bit integer from 'b' and return it.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 1);
+
+ cp = isc_buffer_current(b);
+ b->current += 1;
+ result = ((isc_uint8_t)(cp[0]));
+
+ return (result);
+}
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val) {
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + 1 <= b->length);
+
+ ISC__BUFFER_PUTUINT8(b, val);
+}
+
+isc_uint16_t
+isc_buffer_getuint16(isc_buffer_t *b) {
+ unsigned char *cp;
+ isc_uint16_t result;
+
+ /*
+ * Read an unsigned 16-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 2);
+
+ cp = isc_buffer_current(b);
+ b->current += 2;
+ result = ((unsigned int)(cp[0])) << 8;
+ result |= ((unsigned int)(cp[1]));
+
+ return (result);
+}
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val) {
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + 2 <= b->length);
+
+ ISC__BUFFER_PUTUINT16(b, val);
+}
+
+isc_uint32_t
+isc_buffer_getuint32(isc_buffer_t *b) {
+ unsigned char *cp;
+ isc_uint32_t result;
+
+ /*
+ * Read an unsigned 32-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ */
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 4);
+
+ cp = isc_buffer_current(b);
+ b->current += 4;
+ result = ((unsigned int)(cp[0])) << 24;
+ result |= ((unsigned int)(cp[1])) << 16;
+ result |= ((unsigned int)(cp[2])) << 8;
+ result |= ((unsigned int)(cp[3]));
+
+ return (result);
+}
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val) {
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + 4 <= b->length);
+
+ ISC__BUFFER_PUTUINT32(b, val);
+}
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+ unsigned int length)
+{
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(b->used + length <= b->length);
+
+ ISC__BUFFER_PUTMEM(b, base, length);
+}
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source) {
+ unsigned int l;
+ unsigned char *cp;
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(source != NULL);
+
+ /*
+ * Do not use ISC__BUFFER_PUTSTR(), so strlen is only done once.
+ */
+ l = strlen(source);
+
+ REQUIRE(l <= isc_buffer_availablelength(b));
+
+ cp = isc_buffer_used(b);
+ memcpy(cp, source, l);
+ b->used += l;
+}
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
+ unsigned char *base;
+ unsigned int available;
+
+ REQUIRE(ISC_BUFFER_VALID(b));
+ REQUIRE(r != NULL);
+
+ /*
+ * XXXDCL
+ */
+ base = isc_buffer_used(b);
+ available = isc_buffer_availablelength(b);
+ if (r->length > available)
+ return (ISC_R_NOSPACE);
+ memcpy(base, r->base, r->length);
+ b->used += r->length;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+ unsigned int length)
+{
+ isc_buffer_t *dbuf;
+
+ REQUIRE(dynbuffer != NULL);
+ REQUIRE(*dynbuffer == NULL);
+
+ dbuf = isc_mem_get(mctx, length + sizeof(isc_buffer_t));
+ if (dbuf == NULL)
+ return (ISC_R_NOMEMORY);
+
+ isc_buffer_init(dbuf, ((unsigned char *)dbuf) + sizeof(isc_buffer_t),
+ length);
+ dbuf->mctx = mctx;
+
+ *dynbuffer = dbuf;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer) {
+ unsigned int real_length;
+ isc_buffer_t *dbuf;
+ isc_mem_t *mctx;
+
+ REQUIRE(dynbuffer != NULL);
+ REQUIRE(ISC_BUFFER_VALID(*dynbuffer));
+ REQUIRE((*dynbuffer)->mctx != NULL);
+
+ dbuf = *dynbuffer;
+ *dynbuffer = NULL; /* destroy external reference */
+
+ real_length = dbuf->length + sizeof(isc_buffer_t);
+ mctx = dbuf->mctx;
+ dbuf->mctx = NULL;
+ isc_buffer_invalidate(dbuf);
+
+ isc_mem_put(mctx, dbuf, real_length);
+}
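Review bot: Several preconditions add two `unsigned int` values before comparing, e.g. `REQUIRE(b->used + length <= b->length)` in `isc__buffer_putmem`, with the same shape in `isc__buffer_add`, `isc__buffer_setactive` and `isc__buffer_forward`; a large enough `n` or `length` wraps the sum and satisfies the check. `isc__buffer_putstr` in this file already uses the wrap-free form, so the others could match it with `REQUIRE(length <= isc_buffer_availablelength(b));` and `REQUIRE(n <= b->used - b->current);`. The `ISC__BUFFER_*` macros are defined outside this hunk, so what the put macros do with the length is inferred from their names. `isc_buffer_allocate` has the same pattern in `length + sizeof(isc_buffer_t)`, and `isc_buffer_free` stores that sum in an `unsigned int`, which can disagree with the allocated size where `size_t` is wider.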
diff --git a/contrib/bind9/lib/isc/bufferlist.c b/contrib/bind9/lib/isc/bufferlist.c
new file mode 100644
index 0000000..6d64a3f
--- /dev/null
+++ b/contrib/bind9/lib/isc/bufferlist.c
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bufferlist.c,v 1.12.206.1 2004/03/06 08:14:28 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/util.h>
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl) {
+ isc_buffer_t *buffer;
+ unsigned int length;
+
+ REQUIRE(bl != NULL);
+
+ length = 0;
+ buffer = ISC_LIST_HEAD(*bl);
+ while (buffer != NULL) {
+ REQUIRE(ISC_BUFFER_VALID(buffer));
+ length += isc_buffer_usedlength(buffer);
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ return (length);
+}
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl) {
+ isc_buffer_t *buffer;
+ unsigned int length;
+
+ REQUIRE(bl != NULL);
+
+ length = 0;
+ buffer = ISC_LIST_HEAD(*bl);
+ while (buffer != NULL) {
+ REQUIRE(ISC_BUFFER_VALID(buffer));
+ length += isc_buffer_availablelength(buffer);
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ return (length);
+}
diff --git a/contrib/bind9/lib/isc/commandline.c b/contrib/bind9/lib/isc/commandline.c
new file mode 100644
index 0000000..4c8af7f
--- /dev/null
+++ b/contrib/bind9/lib/isc/commandline.c
@@ -0,0 +1,222 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 1987, 1993, 1994
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: commandline.c,v 1.15.206.1 2004/03/06 08:14:28 marka Exp $ */
+
+/*
+ * This file was adapted from the NetBSD project's source tree, RCS ID:
+ * NetBSD: getopt.c,v 1.15 1999/09/20 04:39:37 lukem Exp
+ *
+ * The primary change has been to rename items to the ISC namespace
+ * and format in the ISC coding style.
+ */
+
+/*
+ * Principal Authors: Computer Systems Research Group at UC Berkeley
+ * Principal ISC caretaker: DCL
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <isc/commandline.h>
+#include <isc/msgs.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+/* Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA int isc_commandline_index = 1;
+/* Character checked for validity. */
+LIBISC_EXTERNAL_DATA int isc_commandline_option;
+/* Argument associated with option. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_argument;
+/* For printing error messages. */
+LIBISC_EXTERNAL_DATA char *isc_commandline_progname;
+/* Print error messages. */
+LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_errprint = ISC_TRUE;
+/* Reset processing. */
+LIBISC_EXTERNAL_DATA isc_boolean_t isc_commandline_reset = ISC_TRUE;
+
+static char endopt = '\0';
+
+#define BADOPT '?'
+#define BADARG ':'
+#define ENDOPT &endopt
+
+/*
+ * getopt --
+ * Parse argc/argv argument vector.
+ */
+int
+isc_commandline_parse(int argc, char * const *argv, const char *options) {
+ static char *place = ENDOPT;
+ char *option; /* Index into *options of option. */
+
+ REQUIRE(argc >= 0 && argv != NULL && options != NULL);
+
+ /*
+ * Update scanning pointer, either because a reset was requested or
+ * the previous argv was finished.
+ */
+ if (isc_commandline_reset || *place == '\0') {
+ isc_commandline_reset = ISC_FALSE;
+
+ if (isc_commandline_progname == NULL)
+ isc_commandline_progname = argv[0];
+
+ if (isc_commandline_index >= argc ||
+ *(place = argv[isc_commandline_index]) != '-') {
+ /*
+ * Index out of range or points to non-option.
+ */
+ place = ENDOPT;
+ return (-1);
+ }
+
+ if (place[1] != '\0' && *++place == '-' && place[1] == '\0') {
+ /*
+ * Found '--' to signal end of options. Advance
+ * index to next argv, the first non-option.
+ */
+ isc_commandline_index++;
+ place = ENDOPT;
+ return (-1);
+ }
+ }
+
+ isc_commandline_option = *place++;
+ option = strchr(options, isc_commandline_option);
+
+ /*
+ * Ensure valid option has been passed as specified by options string.
+ * '-:' is never a valid command line option because it could not
+ * distinguish ':' from the argument specifier in the options string.
+ */
+ if (isc_commandline_option == ':' || option == NULL) {
+ if (*place == '\0')
+ isc_commandline_index++;
+
+ if (isc_commandline_errprint && *options != ':')
+ fprintf(stderr, "%s: %s -- %c\n",
+ isc_commandline_progname,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_COMMANDLINE,
+ ISC_MSG_ILLEGALOPT,
+ "illegal option"),
+ isc_commandline_option);
+
+ return (BADOPT);
+ }
+
+ if (*++option != ':') {
+ /*
+ * Option does not take an argument.
+ */
+ isc_commandline_argument = NULL;
+
+ /*
+ * Skip to next argv if at the end of the current argv.
+ */
+ if (*place == '\0')
+ ++isc_commandline_index;
+
+ } else {
+ /*
+ * Option needs an argument.
+ */
+ if (*place != '\0')
+ /*
+ * Option is in this argv, -D1 style.
+ */
+ isc_commandline_argument = place;
+
+ else if (argc > ++isc_commandline_index)
+ /*
+ * Option is next argv, -D 1 style.
+ */
+ isc_commandline_argument = argv[isc_commandline_index];
+
+ else {
+ /*
+ * Argument needed, but no more argv.
+ */
+ place = ENDOPT;
+
+ /*
+ * Silent failure with "missing argument" return
+ * when ':' starts options string, per historical spec.
+ */
+ if (*options == ':')
+ return (BADARG);
+
+ if (isc_commandline_errprint)
+ fprintf(stderr, "%s: %s -- %c\n",
+ isc_commandline_progname,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_COMMANDLINE,
+ ISC_MSG_OPTNEEDARG,
+ "option requires "
+ "an argument"),
+ isc_commandline_option);
+
+ return (BADOPT);
+ }
+
+ place = ENDOPT;
+
+ /*
+ * Point to argv that follows argument.
+ */
+ isc_commandline_index++;
+ }
+
+ return (isc_commandline_option);
+}
diff --git a/contrib/bind9/lib/isc/entropy.c b/contrib/bind9/lib/isc/entropy.c
new file mode 100644
index 0000000..8834eef
--- /dev/null
+++ b/contrib/bind9/lib/isc/entropy.c
@@ -0,0 +1,1256 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: entropy.c,v 1.3.2.2.2.7 2004/03/08 09:04:48 marka Exp $ */
+
+/*
+ * This is the system independent part of the entropy module. It is
+ * compiled via inclusion from the relevant OS source file, ie,
+ * unix/entropy.c or win32/entropy.c.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/keyboard.h>
+#include <isc/list.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/region.h>
+#include <isc/sha1.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+/*
+ * Much of this code is modeled after the NetBSD /dev/random implementation,
+ * written by Michael Graff <explorer@netbsd.org>.
+ */
+
+#define ENTROPY_MAGIC ISC_MAGIC('E', 'n', 't', 'e')
+#define SOURCE_MAGIC ISC_MAGIC('E', 'n', 't', 's')
+
+#define VALID_ENTROPY(e) ISC_MAGIC_VALID(e, ENTROPY_MAGIC)
+#define VALID_SOURCE(s) ISC_MAGIC_VALID(s, SOURCE_MAGIC)
+
+/***
+ *** "constants." Do not change these unless you _really_ know what
+ *** you are doing.
+ ***/
+
+/*
+ * size of entropy pool in 32-bit words. This _MUST_ be a power of 2.
+ */
+#define RND_POOLWORDS 128
+#define RND_POOLBYTES (RND_POOLWORDS * 4)
+#define RND_POOLBITS (RND_POOLWORDS * 32)
+
+/*
+ * Number of bytes returned per hash. This must be true:
+ * threshold * 2 <= digest_size_in_bytes
+ */
+#define RND_ENTROPY_THRESHOLD 10
+#define THRESHOLD_BITS (RND_ENTROPY_THRESHOLD * 8)
+
+/*
+ * Size of the input event queue in samples.
+ */
+#define RND_EVENTQSIZE 32
+
+/*
+ * The number of times we'll "reseed" for pseudorandom seeds. This is an
+ * extremely weak pseudorandom seed. If the caller is using lots of
+ * pseudorandom data and they cannot provide a stronger random source,
+ * there is little we can do other than hope they're smart enough to
+ * call _adddata() with something better than we can come up with.
+ */
+#define RND_INITIALIZE 128
+
+typedef struct {
+ isc_uint32_t cursor; /* current add point in the pool */
+ isc_uint32_t entropy; /* current entropy estimate in bits */
+ isc_uint32_t pseudo; /* bits extracted in pseudorandom */
+ isc_uint32_t rotate; /* how many bits to rotate by */
+ isc_uint32_t pool[RND_POOLWORDS]; /* random pool data */
+} isc_entropypool_t;
+
+struct isc_entropy {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ unsigned int refcnt;
+ isc_uint32_t initialized;
+ isc_uint32_t initcount;
+ isc_entropypool_t pool;
+ unsigned int nsources;
+ isc_entropysource_t *nextsource;
+ ISC_LIST(isc_entropysource_t) sources;
+};
+
+typedef struct {
+ isc_uint32_t last_time; /* last time recorded */
+ isc_uint32_t last_delta; /* last delta value */
+ isc_uint32_t last_delta2; /* last delta2 value */
+ isc_uint32_t nsamples; /* number of samples filled in */
+ isc_uint32_t *samples; /* the samples */
+ isc_uint32_t *extra; /* extra samples added in */
+} sample_queue_t;
+
+typedef struct {
+ sample_queue_t samplequeue;
+} isc_entropysamplesource_t;
+
+typedef struct {
+ isc_boolean_t start_called;
+ isc_entropystart_t startfunc;
+ isc_entropyget_t getfunc;
+ isc_entropystop_t stopfunc;
+ void *arg;
+ sample_queue_t samplequeue;
+} isc_cbsource_t;
+
+typedef struct {
+ FILESOURCE_HANDLE_TYPE handle;
+} isc_entropyfilesource_t;
+
+struct isc_entropysource {
+ unsigned int magic;
+ unsigned int type;
+ isc_entropy_t *ent;
+ isc_uint32_t total; /* entropy from this source */
+ ISC_LINK(isc_entropysource_t) link;
+ char name[32];
+ isc_boolean_t bad;
+ isc_boolean_t warn_keyboard;
+ isc_keyboard_t kbd;
+ union {
+ isc_entropysamplesource_t sample;
+ isc_entropyfilesource_t file;
+ isc_cbsource_t callback;
+ isc_entropyusocketsource_t usocket;
+ } sources;
+};
+
+#define ENTROPY_SOURCETYPE_SAMPLE 1 /* Type is a sample source */
+#define ENTROPY_SOURCETYPE_FILE 2 /* Type is a file source */
+#define ENTROPY_SOURCETYPE_CALLBACK 3 /* Type is a callback source */
+#define ENTROPY_SOURCETYPE_USOCKET 4 /* Type is a Unix socket source */
+
+/*
+ * The random pool "taps"
+ */
+#define TAP1 99
+#define TAP2 59
+#define TAP3 31
+#define TAP4 9
+#define TAP5 7
+
+/*
+ * Declarations for function provided by the system dependent sources that
+ * include this file.
+ */
+static void
+fillpool(isc_entropy_t *, unsigned int, isc_boolean_t);
+
+static int
+wait_for_sources(isc_entropy_t *);
+
+static void
+destroyfilesource(isc_entropyfilesource_t *source);
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source);
+
+
+static void
+samplequeue_release(isc_entropy_t *ent, sample_queue_t *sq) {
+ REQUIRE(sq->samples != NULL);
+ REQUIRE(sq->extra != NULL);
+
+ isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
+ isc_mem_put(ent->mctx, sq->extra, RND_EVENTQSIZE * 4);
+ sq->samples = NULL;
+ sq->extra = NULL;
+}
+
+static isc_result_t
+samplesource_allocate(isc_entropy_t *ent, sample_queue_t *sq) {
+ sq->samples = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
+ if (sq->samples == NULL)
+ return (ISC_R_NOMEMORY);
+
+ sq->extra = isc_mem_get(ent->mctx, RND_EVENTQSIZE * 4);
+ if (sq->extra == NULL) {
+ isc_mem_put(ent->mctx, sq->samples, RND_EVENTQSIZE * 4);
+ sq->samples = NULL;
+ return (ISC_R_NOMEMORY);
+ }
+
+ sq->nsamples = 0;
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Add in entropy, even when the value we're adding in could be
+ * very large.
+ */
+static inline void
+add_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
+ /* clamp input. Yes, this must be done. */
+ entropy = ISC_MIN(entropy, RND_POOLBITS);
+ /* Add in the entropy we already have. */
+ entropy += ent->pool.entropy;
+ /* Clamp. */
+ ent->pool.entropy = ISC_MIN(entropy, RND_POOLBITS);
+}
+
+/*
+ * Decrement the amount of entropy the pool has.
+ */
+static inline void
+subtract_entropy(isc_entropy_t *ent, isc_uint32_t entropy) {
+ entropy = ISC_MIN(entropy, ent->pool.entropy);
+ ent->pool.entropy -= entropy;
+}
+
+/*
+ * Add in entropy, even when the value we're adding in could be
+ * very large.
+ */
+static inline void
+add_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
+ /* clamp input. Yes, this must be done. */
+ pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
+ /* Add in the pseudo we already have. */
+ pseudo += ent->pool.pseudo;
+ /* Clamp. */
+ ent->pool.pseudo = ISC_MIN(pseudo, RND_POOLBITS * 8);
+}
+
+/*
+ * Decrement the amount of pseudo the pool has.
+ */
+static inline void
+subtract_pseudo(isc_entropy_t *ent, isc_uint32_t pseudo) {
+ pseudo = ISC_MIN(pseudo, ent->pool.pseudo);
+ ent->pool.pseudo -= pseudo;
+}
+
+/*
+ * Add one word to the pool, rotating the input as needed.
+ */
+static inline void
+entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) {
+ /*
+ * Steal some values out of the pool, and xor them into the
+ * word we were given.
+ *
+ * Mix the new value into the pool using xor. This will
+ * prevent the actual values from being known to the caller
+ * since the previous values are assumed to be unknown as well.
+ */
+ val ^= rp->pool[(rp->cursor + TAP1) & (RND_POOLWORDS - 1)];
+ val ^= rp->pool[(rp->cursor + TAP2) & (RND_POOLWORDS - 1)];
+ val ^= rp->pool[(rp->cursor + TAP3) & (RND_POOLWORDS - 1)];
+ val ^= rp->pool[(rp->cursor + TAP4) & (RND_POOLWORDS - 1)];
+ val ^= rp->pool[(rp->cursor + TAP5) & (RND_POOLWORDS - 1)];
+ rp->pool[rp->cursor++] ^=
+ ((val << rp->rotate) | (val >> (32 - rp->rotate)));
+
+ /*
+ * If we have looped around the pool, increment the rotate
+ * variable so the next value will get xored in rotated to
+ * a different position.
+ * Increment by a value that is relativly prime to the word size
+ * to try to spread the bits throughout the pool quickly when the
+ * pool is empty.
+ */
+ if (rp->cursor == RND_POOLWORDS) {
+ rp->cursor = 0;
+ rp->rotate = (rp->rotate + 7) & 31;
+ }
+}
+
+/*
+ * Add a buffer's worth of data to the pool.
+ *
+ * Requires that the lock is held on the entropy pool.
+ */
+static void
+entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
+ isc_uint32_t entropy)
+{
+ isc_uint32_t val;
+ unsigned long addr;
+ isc_uint8_t *buf;
+
+ addr = (unsigned long)p;
+ buf = p;
+
+ if ((addr & 0x03U) != 0U) {
+ val = 0;
+ switch (len) {
+ case 3:
+ val = *buf++;
+ len--;
+ case 2:
+ val = val << 8 | *buf++;
+ len--;
+ case 1:
+ val = val << 8 | *buf++;
+ len--;
+ }
+
+ entropypool_add_word(&ent->pool, val);
+ }
+
+ for (; len > 3; len -= 4) {
+ val = *((isc_uint32_t *)buf);
+
+ entropypool_add_word(&ent->pool, val);
+ buf += 4;
+ }
+
+ if (len != 0) {
+ val = 0;
+ switch (len) {
+ case 3:
+ val = *buf++;
+ case 2:
+ val = val << 8 | *buf++;
+ case 1:
+ val = val << 8 | *buf++;
+ }
+
+ entropypool_add_word(&ent->pool, val);
+ }
+
+ add_entropy(ent, entropy);
+ subtract_pseudo(ent, entropy);
+}
+
+static inline void
+reseed(isc_entropy_t *ent) {
+ isc_time_t t;
+ pid_t pid;
+
+ if (ent->initcount == 0) {
+ pid = getpid();
+ entropypool_adddata(ent, &pid, sizeof(pid), 0);
+ pid = getppid();
+ entropypool_adddata(ent, &pid, sizeof(pid), 0);
+ }
+
+ /*
+ * After we've reseeded 100 times, only add new timing info every
+ * 50 requests. This will keep us from using lots and lots of
+ * CPU just to return bad pseudorandom data anyway.
+ */
+ if (ent->initcount > 100)
+ if ((ent->initcount % 50) != 0)
+ return;
+
+ TIME_NOW(&t);
+ entropypool_adddata(ent, &t, sizeof(t), 0);
+ ent->initcount++;
+}
+
+static inline unsigned int
+estimate_entropy(sample_queue_t *sq, isc_uint32_t t) {
+ isc_int32_t delta;
+ isc_int32_t delta2;
+ isc_int32_t delta3;
+
+ /*
+ * If the time counter has overflowed, calculate the real difference.
+ * If it has not, it is simpler.
+ */
+ if (t < sq->last_time)
+ delta = UINT_MAX - sq->last_time + t;
+ else
+ delta = sq->last_time - t;
+
+ if (delta < 0)
+ delta = -delta;
+
+ /*
+ * Calculate the second and third order differentials
+ */
+ delta2 = sq->last_delta - delta;
+ if (delta2 < 0)
+ delta2 = -delta2;
+
+ delta3 = sq->last_delta2 - delta2;
+ if (delta3 < 0)
+ delta3 = -delta3;
+
+ sq->last_time = t;
+ sq->last_delta = delta;
+ sq->last_delta2 = delta2;
+
+ /*
+ * If any delta is 0, we got no entropy. If all are non-zero, we
+ * might have something.
+ */
+ if (delta == 0 || delta2 == 0 || delta3 == 0)
+ return 0;
+
+ /*
+ * We could find the smallest delta and claim we got log2(delta)
+ * bits, but for now return that we found 1 bit.
+ */
+ return 1;
+}
+
+static unsigned int
+crunchsamples(isc_entropy_t *ent, sample_queue_t *sq) {
+ unsigned int ns;
+ unsigned int added;
+
+ if (sq->nsamples < 6)
+ return (0);
+
+ added = 0;
+ sq->last_time = sq->samples[0];
+ sq->last_delta = 0;
+ sq->last_delta2 = 0;
+
+ /*
+ * Prime the values by adding in the first 4 samples in. This
+ * should completely initialize the delta calculations.
+ */
+ for (ns = 0; ns < 4; ns++)
+ (void)estimate_entropy(sq, sq->samples[ns]);
+
+ for (ns = 4; ns < sq->nsamples; ns++)
+ added += estimate_entropy(sq, sq->samples[ns]);
+
+ entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added);
+ entropypool_adddata(ent, sq->extra, sq->nsamples * 4, 0);
+
+ /*
+ * Move the last 4 samples into the first 4 positions, and start
+ * adding new samples from that point.
+ */
+ for (ns = 0; ns < 4; ns++) {
+ sq->samples[ns] = sq->samples[sq->nsamples - 4 + ns];
+ sq->extra[ns] = sq->extra[sq->nsamples - 4 + ns];
+ }
+
+ sq->nsamples = 4;
+
+ return (added);
+}
+
+static unsigned int
+get_from_callback(isc_entropysource_t *source, unsigned int desired,
+ isc_boolean_t blocking)
+{
+ isc_entropy_t *ent = source->ent;
+ isc_cbsource_t *cbs = &source->sources.callback;
+ unsigned int added;
+ unsigned int got;
+ isc_result_t result;
+
+ if (desired == 0)
+ return (0);
+
+ if (source->bad)
+ return (0);
+
+ if (!cbs->start_called && cbs->startfunc != NULL) {
+ result = cbs->startfunc(source, cbs->arg, blocking);
+ if (result != ISC_R_SUCCESS)
+ return (0);
+ cbs->start_called = ISC_TRUE;
+ }
+
+ added = 0;
+ result = ISC_R_SUCCESS;
+ while (desired > 0 && result == ISC_R_SUCCESS) {
+ result = cbs->getfunc(source, cbs->arg, blocking);
+ if (result == ISC_R_QUEUEFULL) {
+ got = crunchsamples(ent, &cbs->samplequeue);
+ added += got;
+ desired -= ISC_MIN(got, desired);
+ result = ISC_R_SUCCESS;
+ } else if (result != ISC_R_SUCCESS &&
+ result != ISC_R_NOTBLOCKING)
+ source->bad = ISC_TRUE;
+
+ }
+
+ return (added);
+}
+
+/*
+ * Extract some number of bytes from the random pool, decreasing the
+ * estimate of randomness as each byte is extracted.
+ *
+ * Do this by stiring the pool and returning a part of hash as randomness.
+ * Note that no secrets are given away here since parts of the hash are
+ * xored together before returned.
+ *
+ * Honor the request from the caller to only return good data, any data,
+ * etc.
+ */
+isc_result_t
+isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
+ unsigned int *returned, unsigned int flags)
+{
+ unsigned int i;
+ isc_sha1_t hash;
+ unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+ isc_uint32_t remain, deltae, count, total;
+ isc_uint8_t *buf;
+ isc_boolean_t goodonly, partial, blocking;
+
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(data != NULL);
+ REQUIRE(length > 0);
+
+ goodonly = ISC_TF((flags & ISC_ENTROPY_GOODONLY) != 0);
+ partial = ISC_TF((flags & ISC_ENTROPY_PARTIAL) != 0);
+ blocking = ISC_TF((flags & ISC_ENTROPY_BLOCKING) != 0);
+
+ REQUIRE(!partial || returned != NULL);
+
+ LOCK(&ent->lock);
+
+ remain = length;
+ buf = data;
+ total = 0;
+ while (remain != 0) {
+ count = ISC_MIN(remain, RND_ENTROPY_THRESHOLD);
+
+ /*
+ * If we are extracting good data only, make certain we
+ * have enough data in our pool for this pass. If we don't,
+ * get some, and fail if we can't, and partial returns
+ * are not ok.
+ */
+ if (goodonly) {
+ unsigned int fillcount;
+
+ fillcount = ISC_MAX(remain * 8, count * 8);
+
+ /*
+ * If, however, we have at least THRESHOLD_BITS
+ * of entropy in the pool, don't block here. It is
+ * better to drain the pool once in a while and
+ * then refill it than it is to constantly keep the
+ * pool full.
+ */
+ if (ent->pool.entropy >= THRESHOLD_BITS)
+ fillpool(ent, fillcount, ISC_FALSE);
+ else
+ fillpool(ent, fillcount, blocking);
+
+ /*
+ * Verify that we got enough entropy to do one
+ * extraction. If we didn't, bail.
+ */
+ if (ent->pool.entropy < THRESHOLD_BITS) {
+ if (!partial)
+ goto zeroize;
+ else
+ goto partial_output;
+ }
+ } else {
+ /*
+ * If we've extracted half our pool size in bits
+ * since the last refresh, try to refresh here.
+ */
+ if (ent->initialized < THRESHOLD_BITS)
+ fillpool(ent, THRESHOLD_BITS, blocking);
+ else
+ fillpool(ent, 0, ISC_FALSE);
+
+ /*
+ * If we've not initialized with enough good random
+ * data, seed with our crappy code.
+ */
+ if (ent->initialized < THRESHOLD_BITS)
+ reseed(ent);
+ }
+
+ isc_sha1_init(&hash);
+ isc_sha1_update(&hash, (void *)(ent->pool.pool),
+ RND_POOLBYTES);
+ isc_sha1_final(&hash, digest);
+
+ /*
+ * Stir the extracted data (all of it) back into the pool.
+ */
+ entropypool_adddata(ent, digest, ISC_SHA1_DIGESTLENGTH, 0);
+
+ for (i = 0; i < count; i++)
+ buf[i] = digest[i] ^ digest[i + RND_ENTROPY_THRESHOLD];
+
+ buf += count;
+ remain -= count;
+
+ deltae = count * 8;
+ deltae = ISC_MIN(deltae, ent->pool.entropy);
+ total += deltae;
+ subtract_entropy(ent, deltae);
+ add_pseudo(ent, count * 8);
+ }
+
+ partial_output:
+ memset(digest, 0, sizeof(digest));
+
+ if (returned != NULL)
+ *returned = (length - remain);
+
+ UNLOCK(&ent->lock);
+
+ return (ISC_R_SUCCESS);
+
+ zeroize:
+ /* put the entropy we almost extracted back */
+ add_entropy(ent, total);
+ memset(data, 0, length);
+ memset(digest, 0, sizeof(digest));
+ if (returned != NULL)
+ *returned = 0;
+
+ UNLOCK(&ent->lock);
+
+ return (ISC_R_NOENTROPY);
+}
+
+static void
+isc_entropypool_init(isc_entropypool_t *pool) {
+ pool->cursor = RND_POOLWORDS - 1;
+ pool->entropy = 0;
+ pool->pseudo = 0;
+ pool->rotate = 0;
+ memset(pool->pool, 0, RND_POOLBYTES);
+}
+
+static void
+isc_entropypool_invalidate(isc_entropypool_t *pool) {
+ pool->cursor = 0;
+ pool->entropy = 0;
+ pool->pseudo = 0;
+ pool->rotate = 0;
+ memset(pool->pool, 0, RND_POOLBYTES);
+}
+
+isc_result_t
+isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp) {
+ isc_result_t ret;
+ isc_entropy_t *ent;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(entp != NULL && *entp == NULL);
+
+ ent = isc_mem_get(mctx, sizeof(isc_entropy_t));
+ if (ent == NULL)
+ return (ISC_R_NOMEMORY);
+
+ /*
+ * We need a lock.
+ */
+ if (isc_mutex_init(&ent->lock) != ISC_R_SUCCESS) {
+ ret = ISC_R_UNEXPECTED;
+ goto errout;
+ }
+
+ /*
+ * From here down, no failures will/can occur.
+ */
+ ISC_LIST_INIT(ent->sources);
+ ent->nextsource = NULL;
+ ent->nsources = 0;
+ ent->mctx = NULL;
+ isc_mem_attach(mctx, &ent->mctx);
+ ent->refcnt = 1;
+ ent->initialized = 0;
+ ent->initcount = 0;
+ ent->magic = ENTROPY_MAGIC;
+
+ isc_entropypool_init(&ent->pool);
+
+ *entp = ent;
+ return (ISC_R_SUCCESS);
+
+ errout:
+ isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
+
+ return (ret);
+}
+
+/*
+ * Requires "ent" be locked.
+ */
+static void
+destroysource(isc_entropysource_t **sourcep) {
+ isc_entropysource_t *source;
+ isc_entropy_t *ent;
+ isc_cbsource_t *cbs;
+
+ source = *sourcep;
+ *sourcep = NULL;
+ ent = source->ent;
+
+ ISC_LIST_UNLINK(ent->sources, source, link);
+ ent->nextsource = NULL;
+ REQUIRE(ent->nsources > 0);
+ ent->nsources--;
+
+ switch (source->type) {
+ case ENTROPY_SOURCETYPE_FILE:
+ if (! source->bad)
+ destroyfilesource(&source->sources.file);
+ break;
+ case ENTROPY_SOURCETYPE_USOCKET:
+ if (! source->bad)
+ destroyusocketsource(&source->sources.usocket);
+ break;
+ case ENTROPY_SOURCETYPE_SAMPLE:
+ samplequeue_release(ent, &source->sources.sample.samplequeue);
+ break;
+ case ENTROPY_SOURCETYPE_CALLBACK:
+ cbs = &source->sources.callback;
+ if (cbs->start_called && cbs->stopfunc != NULL) {
+ cbs->stopfunc(source, cbs->arg);
+ cbs->start_called = ISC_FALSE;
+ }
+ samplequeue_release(ent, &cbs->samplequeue);
+ break;
+ }
+
+ memset(source, 0, sizeof(isc_entropysource_t));
+
+ isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+}
+
+static inline isc_boolean_t
+destroy_check(isc_entropy_t *ent) {
+ isc_entropysource_t *source;
+
+ if (ent->refcnt > 0)
+ return (ISC_FALSE);
+
+ source = ISC_LIST_HEAD(ent->sources);
+ while (source != NULL) {
+ switch (source->type) {
+ case ENTROPY_SOURCETYPE_FILE:
+ case ENTROPY_SOURCETYPE_USOCKET:
+ break;
+ default:
+ return (ISC_FALSE);
+ }
+ source = ISC_LIST_NEXT(source, link);
+ }
+
+ return (ISC_TRUE);
+}
+
+static void
+destroy(isc_entropy_t **entp) {
+ isc_entropy_t *ent;
+ isc_entropysource_t *source;
+ isc_mem_t *mctx;
+
+ REQUIRE(entp != NULL && *entp != NULL);
+ ent = *entp;
+ *entp = NULL;
+
+ LOCK(&ent->lock);
+
+ REQUIRE(ent->refcnt == 0);
+
+ /*
+ * Here, detach non-sample sources.
+ */
+ source = ISC_LIST_HEAD(ent->sources);
+ while (source != NULL) {
+ switch(source->type) {
+ case ENTROPY_SOURCETYPE_FILE:
+ case ENTROPY_SOURCETYPE_USOCKET:
+ destroysource(&source);
+ break;
+ }
+ source = ISC_LIST_HEAD(ent->sources);
+ }
+
+ /*
+ * If there are other types of sources, we've found a bug.
+ */
+ REQUIRE(ISC_LIST_EMPTY(ent->sources));
+
+ mctx = ent->mctx;
+
+ isc_entropypool_invalidate(&ent->pool);
+
+ UNLOCK(&ent->lock);
+
+ DESTROYLOCK(&ent->lock);
+
+ memset(ent, 0, sizeof(isc_entropy_t));
+ isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
+ isc_mem_detach(&mctx);
+}
+
+void
+isc_entropy_destroysource(isc_entropysource_t **sourcep) {
+ isc_entropysource_t *source;
+ isc_entropy_t *ent;
+ isc_boolean_t killit;
+
+ REQUIRE(sourcep != NULL);
+ REQUIRE(VALID_SOURCE(*sourcep));
+
+ source = *sourcep;
+ *sourcep = NULL;
+
+ ent = source->ent;
+ REQUIRE(VALID_ENTROPY(ent));
+
+ LOCK(&ent->lock);
+
+ destroysource(&source);
+
+ killit = destroy_check(ent);
+
+ UNLOCK(&ent->lock);
+
+ if (killit)
+ destroy(&ent);
+}
+
+isc_result_t
+isc_entropy_createcallbacksource(isc_entropy_t *ent,
+ isc_entropystart_t start,
+ isc_entropyget_t get,
+ isc_entropystop_t stop,
+ void *arg,
+ isc_entropysource_t **sourcep)
+{
+ isc_result_t ret;
+ isc_entropysource_t *source;
+ isc_cbsource_t *cbs;
+
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(get != NULL);
+ REQUIRE(sourcep != NULL && *sourcep == NULL);
+
+ LOCK(&ent->lock);
+
+ source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+ if (source == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto errout;
+ }
+ source->bad = ISC_FALSE;
+
+ cbs = &source->sources.callback;
+
+ ret = samplesource_allocate(ent, &cbs->samplequeue);
+ if (ret != ISC_R_SUCCESS)
+ goto errout;
+
+ cbs->start_called = ISC_FALSE;
+ cbs->startfunc = start;
+ cbs->getfunc = get;
+ cbs->stopfunc = stop;
+ cbs->arg = arg;
+
+ /*
+ * From here down, no failures can occur.
+ */
+ source->magic = SOURCE_MAGIC;
+ source->type = ENTROPY_SOURCETYPE_CALLBACK;
+ source->ent = ent;
+ source->total = 0;
+ memset(source->name, 0, sizeof(source->name));
+ ISC_LINK_INIT(source, link);
+
+ /*
+ * Hook it into the entropy system.
+ */
+ ISC_LIST_APPEND(ent->sources, source, link);
+ ent->nsources++;
+
+ *sourcep = source;
+
+ UNLOCK(&ent->lock);
+ return (ISC_R_SUCCESS);
+
+ errout:
+ if (source != NULL)
+ isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+ UNLOCK(&ent->lock);
+
+ return (ret);
+}
+
+void
+isc_entropy_stopcallbacksources(isc_entropy_t *ent) {
+ isc_entropysource_t *source;
+ isc_cbsource_t *cbs;
+
+ REQUIRE(VALID_ENTROPY(ent));
+
+ LOCK(&ent->lock);
+
+ source = ISC_LIST_HEAD(ent->sources);
+ while (source != NULL) {
+ if (source->type == ENTROPY_SOURCETYPE_CALLBACK) {
+ cbs = &source->sources.callback;
+ if (cbs->start_called && cbs->stopfunc != NULL) {
+ cbs->stopfunc(source, cbs->arg);
+ cbs->start_called = ISC_FALSE;
+ }
+ }
+
+ source = ISC_LIST_NEXT(source, link);
+ }
+
+ UNLOCK(&ent->lock);
+}
+
+isc_result_t
+isc_entropy_createsamplesource(isc_entropy_t *ent,
+ isc_entropysource_t **sourcep)
+{
+ isc_result_t ret;
+ isc_entropysource_t *source;
+ sample_queue_t *sq;
+
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(sourcep != NULL && *sourcep == NULL);
+
+ LOCK(&ent->lock);
+
+ source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+ if (source == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto errout;
+ }
+
+ sq = &source->sources.sample.samplequeue;
+ ret = samplesource_allocate(ent, sq);
+ if (ret != ISC_R_SUCCESS)
+ goto errout;
+
+ /*
+ * From here down, no failures can occur.
+ */
+ source->magic = SOURCE_MAGIC;
+ source->type = ENTROPY_SOURCETYPE_SAMPLE;
+ source->ent = ent;
+ source->total = 0;
+ memset(source->name, 0, sizeof(source->name));
+ ISC_LINK_INIT(source, link);
+
+ /*
+ * Hook it into the entropy system.
+ */
+ ISC_LIST_APPEND(ent->sources, source, link);
+ ent->nsources++;
+
+ *sourcep = source;
+
+ UNLOCK(&ent->lock);
+ return (ISC_R_SUCCESS);
+
+ errout:
+ if (source != NULL)
+ isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+ UNLOCK(&ent->lock);
+
+ return (ret);
+}
+
+/*
+ * Add a sample, and return ISC_R_SUCCESS if the queue has become full,
+ * ISC_R_NOENTROPY if it has space remaining, and ISC_R_NOMORE if the
+ * queue was full when this function was called.
+ */
+static isc_result_t
+addsample(sample_queue_t *sq, isc_uint32_t sample, isc_uint32_t extra) {
+ if (sq->nsamples >= RND_EVENTQSIZE)
+ return (ISC_R_NOMORE);
+
+ sq->samples[sq->nsamples] = sample;
+ sq->extra[sq->nsamples] = extra;
+ sq->nsamples++;
+
+ if (sq->nsamples >= RND_EVENTQSIZE)
+ return (ISC_R_QUEUEFULL);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
+ isc_uint32_t extra)
+{
+ isc_entropy_t *ent;
+ sample_queue_t *sq;
+ unsigned int entropy;
+ isc_result_t result;
+
+ REQUIRE(VALID_SOURCE(source));
+
+ ent = source->ent;
+
+ LOCK(&ent->lock);
+
+ sq = &source->sources.sample.samplequeue;
+ result = addsample(sq, sample, extra);
+ if (result == ISC_R_QUEUEFULL) {
+ entropy = crunchsamples(ent, sq);
+ add_entropy(ent, entropy);
+ }
+
+ UNLOCK(&ent->lock);
+
+ return (result);
+}
+
+isc_result_t
+isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
+ isc_uint32_t extra)
+{
+ sample_queue_t *sq;
+ isc_result_t result;
+
+ REQUIRE(VALID_SOURCE(source));
+ REQUIRE(source->type == ENTROPY_SOURCETYPE_CALLBACK);
+
+ sq = &source->sources.callback.samplequeue;
+ result = addsample(sq, sample, extra);
+
+ return (result);
+}
+
+void
+isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
+ isc_uint32_t entropy)
+{
+ REQUIRE(VALID_ENTROPY(ent));
+
+ LOCK(&ent->lock);
+
+ entropypool_adddata(ent, data, length, entropy);
+
+ if (ent->initialized < THRESHOLD_BITS)
+ ent->initialized = THRESHOLD_BITS;
+
+ UNLOCK(&ent->lock);
+}
+
+static void
+dumpstats(isc_entropy_t *ent, FILE *out) {
+ fprintf(out,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_ENTROPY,
+ ISC_MSG_ENTROPYSTATS,
+ "Entropy pool %p: refcnt %u cursor %u,"
+ " rotate %u entropy %u pseudo %u nsources %u"
+ " nextsource %p initialized %u initcount %u\n"),
+ ent, ent->refcnt,
+ ent->pool.cursor, ent->pool.rotate,
+ ent->pool.entropy, ent->pool.pseudo,
+ ent->nsources, ent->nextsource, ent->initialized,
+ ent->initcount);
+}
+
+/*
+ * This function ignores locking. Use at your own risk.
+ */
+void
+isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
+ REQUIRE(VALID_ENTROPY(ent));
+
+ LOCK(&ent->lock);
+ dumpstats(ent, out);
+ UNLOCK(&ent->lock);
+}
+
+void
+isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(entp != NULL && *entp == NULL);
+
+ LOCK(&ent->lock);
+
+ ent->refcnt++;
+ *entp = ent;
+
+ UNLOCK(&ent->lock);
+}
+
+void
+isc_entropy_detach(isc_entropy_t **entp) {
+ isc_entropy_t *ent;
+ isc_boolean_t killit;
+
+ REQUIRE(entp != NULL && VALID_ENTROPY(*entp));
+ ent = *entp;
+ *entp = NULL;
+
+ LOCK(&ent->lock);
+
+ REQUIRE(ent->refcnt > 0);
+ ent->refcnt--;
+
+ killit = destroy_check(ent);
+
+ UNLOCK(&ent->lock);
+
+ if (killit)
+ destroy(&ent);
+}
+
+static isc_result_t
+kbdstart(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
+ /*
+ * The intent of "first" is to provide a warning message only once
+ * during the run of a program that might try to gather keyboard
+ * entropy multiple times.
+ */
+ static isc_boolean_t first = ISC_TRUE;
+
+ UNUSED(arg);
+
+ if (! blocking)
+ return (ISC_R_NOENTROPY);
+
+ if (first) {
+ if (source->warn_keyboard)
+ fprintf(stderr, "You must use the keyboard to create "
+ "entropy, since your system is lacking\n"
+ "/dev/random (or equivalent)\n\n");
+ first = ISC_FALSE;
+ }
+ fprintf(stderr, "start typing:\n");
+
+ return (isc_keyboard_open(&source->kbd));
+}
+
+static void
+kbdstop(isc_entropysource_t *source, void *arg) {
+
+ UNUSED(arg);
+
+ if (! isc_keyboard_canceled(&source->kbd))
+ fprintf(stderr, "stop typing.\r\n");
+
+ (void)isc_keyboard_close(&source->kbd, 3);
+}
+
+static isc_result_t
+kbdget(isc_entropysource_t *source, void *arg, isc_boolean_t blocking) {
+ isc_result_t result;
+ isc_time_t t;
+ isc_uint32_t sample;
+ isc_uint32_t extra;
+ unsigned char c;
+
+ UNUSED(arg);
+
+ if (!blocking)
+ return (ISC_R_NOTBLOCKING);
+
+ result = isc_keyboard_getchar(&source->kbd, &c);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ TIME_NOW(&t);
+
+ sample = isc_time_nanoseconds(&t);
+ extra = c;
+
+ result = isc_entropy_addcallbacksample(source, sample, extra);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "\r\n");
+ return (result);
+ }
+
+ fprintf(stderr, ".");
+ fflush(stderr);
+
+ return (result);
+}
+
+isc_result_t
+isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+ const char *randomfile, int use_keyboard)
+{
+ isc_result_t result;
+ isc_result_t final_result = ISC_R_NOENTROPY;
+ isc_boolean_t userfile = ISC_TRUE;
+
+ REQUIRE(VALID_ENTROPY(ectx));
+ REQUIRE(source != NULL && *source == NULL);
+ REQUIRE(use_keyboard == ISC_ENTROPY_KEYBOARDYES ||
+ use_keyboard == ISC_ENTROPY_KEYBOARDNO ||
+ use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE);
+
+#ifdef PATH_RANDOMDEV
+ if (randomfile == NULL) {
+ randomfile = PATH_RANDOMDEV;
+ userfile = ISC_FALSE;
+ }
+#endif
+
+ if (randomfile != NULL && use_keyboard != ISC_ENTROPY_KEYBOARDYES) {
+ result = isc_entropy_createfilesource(ectx, randomfile);
+ if (result == ISC_R_SUCCESS &&
+ use_keyboard == ISC_ENTROPY_KEYBOARDMAYBE)
+ use_keyboard = ISC_ENTROPY_KEYBOARDNO;
+ if (result != ISC_R_SUCCESS && userfile)
+ return (result);
+
+ final_result = result;
+ }
+
+ if (use_keyboard != ISC_ENTROPY_KEYBOARDNO) {
+ result = isc_entropy_createcallbacksource(ectx, kbdstart,
+ kbdget, kbdstop,
+ NULL, source);
+ if (result == ISC_R_SUCCESS)
+ (*source)->warn_keyboard =
+ ISC_TF(use_keyboard ==
+ ISC_ENTROPY_KEYBOARDMAYBE);
+
+ if (final_result != ISC_R_SUCCESS)
+ final_result = result;
+ }
+
+ /*
+ * final_result is ISC_R_SUCCESS if at least one source of entropy
+ * could be started, otherwise it is the error from the most recently
+ * failed operation (or ISC_R_NOENTROPY if PATH_RANDOMDEV is not
+ * defined and use_keyboard is ISC_ENTROPY_KEYBOARDNO).
+ */
+ return (final_result);
+}
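Review bot: In isc_entropy_addsample() the estimate returned by crunchsamples() is passed to add_entropy(), although crunchsamples() has already credited it through `entropypool_adddata(ent, sq->samples, sq->nsamples * 4, added)`, so a full sample queue appears to raise pool.entropy by twice the estimated bits. Because isc_entropy_getdata() gates ISC_ENTROPY_GOODONLY output on pool.entropy, the over-count lets "good" data be released on less estimated input than the accounting intends; replacing the two lines with `(void)crunchsamples(ent, sq);` would keep the credit single. The same function reads source->sources.sample without checking which union member is live, so I would add `REQUIRE(source->type == ENTROPY_SOURCETYPE_SAMPLE);` to mirror the check in isc_entropy_addcallbacksample(). The comment above addsample() should also be corrected: the code returns ISC_R_QUEUEFULL when the queue becomes full, ISC_R_SUCCESS while space remains and ISC_R_NOMORE when it was already full, not the codes the comment lists.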
diff --git a/contrib/bind9/lib/isc/error.c b/contrib/bind9/lib/isc/error.c
new file mode 100644
index 0000000..ceb7d2a
--- /dev/null
+++ b/contrib/bind9/lib/isc/error.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: error.c,v 1.16.206.1 2004/03/06 08:14:28 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/error.h>
+#include <isc/msgs.h>
+
+static void
+default_unexpected_callback(const char *, int, const char *, va_list)
+ ISC_FORMAT_PRINTF(3, 0);
+
+static void
+default_fatal_callback(const char *, int, const char *, va_list)
+ ISC_FORMAT_PRINTF(3, 0);
+
+static isc_errorcallback_t unexpected_callback = default_unexpected_callback;
+static isc_errorcallback_t fatal_callback = default_fatal_callback;
+
+void
+isc_error_setunexpected(isc_errorcallback_t cb) {
+ if (cb == NULL)
+ unexpected_callback = default_unexpected_callback;
+ else
+ unexpected_callback = cb;
+}
+
+void
+isc_error_setfatal(isc_errorcallback_t cb) {
+ if (cb == NULL)
+ fatal_callback = default_fatal_callback;
+ else
+ fatal_callback = cb;
+}
+
+void
+isc_error_unexpected(const char *file, int line, const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ (unexpected_callback)(file, line, format, args);
+ va_end(args);
+}
+
+void
+isc_error_fatal(const char *file, int line, const char *format, ...) {
+ va_list args;
+
+ va_start(args, format);
+ (fatal_callback)(file, line, format, args);
+ va_end(args);
+ abort();
+}
+
+void
+isc_error_runtimecheck(const char *file, int line, const char *expression) {
+ isc_error_fatal(file, line, "RUNTIME_CHECK(%s) %s", expression,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+}
+
+static void
+default_unexpected_callback(const char *file, int line, const char *format,
+ va_list args)
+{
+ fprintf(stderr, "%s:%d: ", file, line);
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+}
+
+static void
+default_fatal_callback(const char *file, int line, const char *format,
+ va_list args)
+{
+ fprintf(stderr, "%s:%d: %s: ", file, line,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FATALERROR, "fatal error"));
+ vfprintf(stderr, format, args);
+ fprintf(stderr, "\n");
+ fflush(stderr);
+}
diff --git a/contrib/bind9/lib/isc/event.c b/contrib/bind9/lib/isc/event.c
new file mode 100644
index 0000000..f767870
--- /dev/null
+++ b/contrib/bind9/lib/isc/event.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: event.c,v 1.15.12.3 2004/03/08 09:04:48 marka Exp $ */
+
+/*
+ * Principal Author: Bob Halley
+ */
+
+#include <config.h>
+
+#include <isc/event.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+/***
+ *** Events.
+ ***/
+
+static void
+destroy(isc_event_t *event) {
+ isc_mem_t *mctx = event->ev_destroy_arg;
+
+ isc_mem_put(mctx, event, event->ev_size);
+}
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+ isc_taskaction_t action, const void *arg, size_t size)
+{
+ isc_event_t *event;
+ void *deconst_arg;
+
+ REQUIRE(size >= sizeof(struct isc_event));
+ REQUIRE(action != NULL);
+
+ event = isc_mem_get(mctx, size);
+ if (event == NULL)
+ return (NULL);
+
+ /*
+ * Removing the const attribute from "arg" is the best of two
+ * evils here. If the event->ev_arg member is made const, then
+ * it affects a great many users of the task/event subsystem
+ * which are not passing in an "arg" which starts its life as
+ * const. Changing isc_event_allocate() and isc_task_onshutdown()
+ * to not have "arg" prototyped as const (which is quite legitimate,
+ * because neither of those functions modify arg) can cause
+ * compiler whining anytime someone does want to use a const
+ * arg that they themselves never modify, such as with
+ * gcc -Wwrite-strings and using a string "arg".
+ */
+ DE_CONST(arg, deconst_arg);
+
+ ISC_EVENT_INIT(event, size, 0, NULL, type, action, deconst_arg,
+ sender, destroy, mctx);
+
+ return (event);
+}
+
+void
+isc_event_free(isc_event_t **eventp) {
+ isc_event_t *event;
+
+ REQUIRE(eventp != NULL);
+ event = *eventp;
+ REQUIRE(event != NULL);
+
+ if (event->ev_destroy != NULL)
+ (event->ev_destroy)(event);
+
+ *eventp = NULL;
+}
diff --git a/contrib/bind9/lib/isc/fsaccess.c b/contrib/bind9/lib/isc/fsaccess.c
new file mode 100644
index 0000000..1193472
--- /dev/null
+++ b/contrib/bind9/lib/isc/fsaccess.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: fsaccess.c,v 1.5.206.1 2004/03/06 08:14:29 marka Exp $ */
+
+/*
+ * This file contains the OS-independent functionality of the API.
+ */
+#include <isc/fsaccess.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+/*
+ * Shorthand. Maybe ISC__FSACCESS_PERMISSIONBITS should not even be in
+ * <isc/fsaccess.h>. Could check consistency with sizeof(isc_fsaccess_t)
+ * and the number of bits in each function.
+ */
+#define STEP (ISC__FSACCESS_PERMISSIONBITS)
+#define GROUP (STEP)
+#define OTHER (STEP * 2)
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access) {
+ REQUIRE(trustee <= 0x7);
+ REQUIRE(permission <= 0xFF);
+
+ if ((trustee & ISC_FSACCESS_OWNER) != 0)
+ *access |= permission;
+
+ if ((trustee & ISC_FSACCESS_GROUP) != 0)
+ *access |= (permission << GROUP);
+
+ if ((trustee & ISC_FSACCESS_OTHER) != 0)
+ *access |= (permission << OTHER);
+}
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access) {
+ REQUIRE(trustee <= 0x7);
+ REQUIRE(permission <= 0xFF);
+
+
+ if ((trustee & ISC_FSACCESS_OWNER) != 0)
+ *access &= ~permission;
+
+ if ((trustee & ISC_FSACCESS_GROUP) != 0)
+ *access &= ~(permission << GROUP);
+
+ if ((trustee & ISC_FSACCESS_OTHER) != 0)
+ *access &= ~(permission << OTHER);
+}
+
+static isc_result_t
+check_bad_bits(isc_fsaccess_t access, isc_boolean_t is_dir) {
+ isc_fsaccess_t bits;
+
+ /*
+ * Check for disallowed user bits.
+ */
+ if (is_dir)
+ bits = ISC_FSACCESS_READ |
+ ISC_FSACCESS_WRITE |
+ ISC_FSACCESS_EXECUTE;
+ else
+ bits = ISC_FSACCESS_CREATECHILD |
+ ISC_FSACCESS_ACCESSCHILD |
+ ISC_FSACCESS_DELETECHILD |
+ ISC_FSACCESS_LISTDIRECTORY;
+
+ /*
+ * Set group bad bits.
+ */
+ bits |= bits << STEP;
+ /*
+ * Set other bad bits.
+ */
+ bits |= bits << STEP;
+
+ if ((access & bits) != 0) {
+ if (is_dir)
+ return (ISC_R_NOTFILE);
+ else
+ return (ISC_R_NOTDIRECTORY);
+ }
+
+ return (ISC_R_SUCCESS);
+}
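Review bot: The `REQUIRE` checks at the top of `isc_fsaccess_add()` and `isc_fsaccess_remove()` bound the signed `int` arguments only from above, so a negative `trustee` or `permission` passes both assertions. A negative `permission` is then left-shifted (undefined for a negative left operand in C) and merged into or masked out of `*access`, touching bits well outside the intended 8-bit field. Testing the bits instead of the magnitude rejects those values: `REQUIRE((trustee & ~0x7) == 0);` and `REQUIRE((permission & ~0xFF) == 0);`. Both functions also dereference `access` without a `REQUIRE(access != NULL);`.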
diff --git a/contrib/bind9/lib/isc/hash.c b/contrib/bind9/lib/isc/hash.c
new file mode 100644
index 0000000..22f3700
--- /dev/null
+++ b/contrib/bind9/lib/isc/hash.c
@@ -0,0 +1,387 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hash.c,v 1.2.2.4.2.1 2004/03/06 08:14:29 marka Exp $ */
+
+/*
+ * Some portion of this code was derived from universal hash function
+ * libraries of Rice University.
+ */
+
+/* "UH Universal Hashing Library"
+
+Copyright ((c)) 2002, Rice University
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ * Neither the name of Rice University (RICE) nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+
+This software is provided by RICE and the contributors on an "as is"
+basis, without any representations or warranties of any kind, express
+or implied including, but not limited to, representations or
+warranties of non-infringement, merchantability or fitness for a
+particular purpose. In no event shall RICE or contributors be liable
+for any direct, indirect, incidental, special, exemplary, or
+consequential damages (including, but not limited to, procurement of
+substitute goods or services; loss of use, data, or profits; or
+business interruption) however caused and on any theory of liability,
+whether in contract, strict liability, or tort (including negligence
+or otherwise) arising in any way out of the use of this software, even
+if advised of the possibility of such damage.
+*/
+
+#include <config.h>
+
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/magic.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/refcount.h>
+#include <isc/rwlock.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define HASH_MAGIC ISC_MAGIC('H', 'a', 's', 'h')
+#define VALID_HASH(h) ISC_MAGIC_VALID((h), HASH_MAGIC)
+
+/*
+ * A large 32-bit prime number that specifies the range of the hash output.
+ */
+#define PRIME32 0xFFFFFFFB /* 2^32 - 5 */
+
+/*
+ * Types of random seed and hash accumulator. Perhaps they can be system
+ * dependent.
+ */
+typedef isc_uint32_t hash_accum_t;
+typedef isc_uint16_t hash_random_t;
+
+struct isc_hash {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ isc_boolean_t initialized;
+ isc_refcount_t refcnt;
+ isc_entropy_t *entropy; /* entropy source */
+ unsigned int limit; /* upper limit of key length */
+ size_t vectorlen; /* size of the vector below */
+ hash_random_t *rndvector; /* random vector for universal hashing */
+};
+
+static isc_rwlock_t createlock;
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_hash_t *hash = NULL;
+
+static unsigned char maptolower[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+ 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+ 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
+ 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
+ 0x40, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+ 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+ 0x78, 0x79, 0x7a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
+ 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
+ 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
+ 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
+ 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
+ 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
+ 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+ 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf,
+ 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
+ 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
+ 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
+ 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
+ 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+ 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff
+};
+
+isc_result_t
+isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy,
+ unsigned int limit, isc_hash_t **hctxp)
+{
+ isc_result_t ret;
+ isc_hash_t *hctx;
+ size_t vlen;
+ hash_random_t *rv;
+ hash_accum_t overflow_limit;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(hctxp != NULL && *hctxp == NULL);
+
+ /*
+ * Overflow check. Since our implementation only does a modulo
+ * operation at the last stage of hash calculation, the accumulator
+ * must not overflow.
+ */
+ overflow_limit =
+ 1 << (((sizeof(hash_accum_t) - sizeof(hash_random_t))) * 8);
+ if (overflow_limit < (limit + 1) * 0xff)
+ return (ISC_R_RANGE);
+
+ hctx = isc_mem_get(mctx, sizeof(isc_hash_t));
+ if (hctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ vlen = sizeof(hash_random_t) * (limit + 1);
+ rv = isc_mem_get(mctx, vlen);
+ if (rv == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto errout;
+ }
+
+ /*
+ * We need a lock.
+ */
+ if (isc_mutex_init(&hctx->lock) != ISC_R_SUCCESS) {
+ ret = ISC_R_UNEXPECTED;
+ goto errout;
+ }
+
+ /*
+ * From here down, no failures will/can occur.
+ */
+ hctx->magic = HASH_MAGIC;
+ hctx->mctx = NULL;
+ isc_mem_attach(mctx, &hctx->mctx);
+ hctx->initialized = ISC_FALSE;
+ isc_refcount_init(&hctx->refcnt, 1);
+ hctx->entropy = NULL;
+ hctx->limit = limit;
+ hctx->vectorlen = vlen;
+ hctx->rndvector = rv;
+
+ if (entropy != NULL)
+ isc_entropy_attach(entropy, &hctx->entropy);
+
+ *hctxp = hctx;
+ return (ISC_R_SUCCESS);
+
+ errout:
+ isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
+ if (rv != NULL)
+ isc_mem_put(mctx, rv, vlen);
+
+ return (ret);
+}
+
+static void
+initialize_lock(void) {
+ RUNTIME_CHECK(isc_rwlock_init(&createlock, 0, 0) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(mctx != NULL);
+ INSIST(hash == NULL);
+
+ RUNTIME_CHECK(isc_once_do(&once, initialize_lock) == ISC_R_SUCCESS);
+
+ RWLOCK(&createlock, isc_rwlocktype_write);
+
+ if (hash == NULL)
+ result = isc_hash_ctxcreate(mctx, entropy, limit, &hash);
+
+ RWUNLOCK(&createlock, isc_rwlocktype_write);
+
+ return (result);
+}
+
+void
+isc_hash_ctxinit(isc_hash_t *hctx) {
+ isc_result_t result;
+
+ LOCK(&hctx->lock);
+
+ if (hctx->initialized == ISC_TRUE)
+ goto out;
+
+ if (hctx->entropy) {
+ result = isc_entropy_getdata(hctx->entropy,
+ hctx->rndvector, hctx->vectorlen,
+ NULL, 0);
+ INSIST(result == ISC_R_SUCCESS);
+ } else {
+ isc_uint32_t pr;
+ unsigned int i, copylen;
+ unsigned char *p;
+
+ p = (unsigned char *)hctx->rndvector;
+ for (i = 0; i < hctx->vectorlen; i += copylen, p += copylen) {
+ isc_random_get(&pr);
+ if (i + sizeof(pr) <= hctx->vectorlen)
+ copylen = sizeof(pr);
+ else
+ copylen = hctx->vectorlen - i;
+
+ memcpy(p, &pr, copylen);
+ }
+ INSIST(p == (unsigned char *)hctx->rndvector +
+ hctx->vectorlen);
+ }
+
+ hctx->initialized = ISC_TRUE;
+
+ out:
+ UNLOCK(&hctx->lock);
+}
+
+void
+isc_hash_init() {
+ INSIST(hash != NULL && VALID_HASH(hash));
+
+ isc_hash_ctxinit(hash);
+}
+
+void
+isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp) {
+ REQUIRE(VALID_HASH(hctx));
+ REQUIRE(hctxp != NULL && *hctxp == NULL);
+
+ isc_refcount_increment(&hctx->refcnt, NULL);
+ *hctxp = hctx;
+}
+
+static void
+destroy(isc_hash_t **hctxp) {
+ isc_hash_t *hctx;
+ isc_mem_t *mctx;
+
+ REQUIRE(hctxp != NULL && *hctxp != NULL);
+ hctx = *hctxp;
+ *hctxp = NULL;
+
+ LOCK(&hctx->lock);
+
+ isc_refcount_destroy(&hctx->refcnt);
+
+ mctx = hctx->mctx;
+ if (hctx->entropy != NULL)
+ isc_entropy_detach(&hctx->entropy);
+ if (hctx->rndvector != NULL)
+ isc_mem_put(mctx, hctx->rndvector, hctx->vectorlen);
+
+ UNLOCK(&hctx->lock);
+
+ DESTROYLOCK(&hctx->lock);
+
+ memset(hctx, 0, sizeof(isc_hash_t));
+ isc_mem_put(mctx, hctx, sizeof(isc_hash_t));
+ isc_mem_detach(&mctx);
+}
+
+void
+isc_hash_ctxdetach(isc_hash_t **hctxp) {
+ isc_hash_t *hctx;
+ unsigned int refs;
+
+ REQUIRE(hctxp != NULL && VALID_HASH(*hctxp));
+ hctx = *hctxp;
+
+ isc_refcount_decrement(&hctx->refcnt, &refs);
+ if (refs == 0)
+ destroy(&hctx);
+
+ *hctxp = NULL;
+}
+
+void
+isc_hash_destroy() {
+ unsigned int refs;
+
+ INSIST(hash != NULL && VALID_HASH(hash));
+
+ isc_refcount_decrement(&hash->refcnt, &refs);
+ INSIST(refs == 0);
+
+ destroy(&hash);
+}
+
+static inline unsigned int
+hash_calc(isc_hash_t *hctx, const unsigned char *key, unsigned int keylen,
+ isc_boolean_t case_sensitive)
+{
+ hash_accum_t partial_sum = 0;
+ hash_random_t *p = hctx->rndvector;
+ unsigned int i = 0;
+
+ /* Make it sure that the hash context is initialized. */
+ if (hctx->initialized == ISC_FALSE)
+ isc_hash_ctxinit(hctx);
+
+ if (case_sensitive) {
+ for (i = 0; i < keylen; i++)
+ partial_sum += key[i] * (hash_accum_t)p[i];
+ } else {
+ for (i = 0; i < keylen; i++)
+ partial_sum += maptolower[key[i]] * (hash_accum_t)p[i];
+ }
+
+ partial_sum += p[i];
+
+ return ((unsigned int)(partial_sum % PRIME32));
+}
+
+unsigned int
+isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
+ unsigned int keylen, isc_boolean_t case_sensitive)
+{
+ REQUIRE(hctx != NULL && VALID_HASH(hctx));
+ REQUIRE(keylen <= hctx->limit);
+
+ return (hash_calc(hctx, key, keylen, case_sensitive));
+}
+
+unsigned int
+isc_hash_calc(const unsigned char *key, unsigned int keylen,
+ isc_boolean_t case_sensitive)
+{
+ INSIST(hash != NULL && VALID_HASH(hash));
+ REQUIRE(keylen <= hash->limit);
+
+ return (hash_calc(hash, key, keylen, case_sensitive));
+}
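Review bot: The overflow guard in `isc_hash_ctxcreate()` evaluates `(limit + 1) * 0xff` in `unsigned int`, so for a large `limit` the product wraps (and `limit + 1` is 0 for `UINT_MAX`) and a value the check is meant to reject is accepted. The same `limit + 1` then sizes `rndvector`, while `hash_calc()` reads `p[i]` for every `i` up to `keylen <= limit`, so an undersized vector would be read past its end. Comparing without the multiplication gives the same bound with no wrap: `if (limit >= overflow_limit / 0xff) return (ISC_R_RANGE);`. `isc_hash_create()` additionally takes `limit` as `size_t` and hands it to an `unsigned int` parameter, so it can be truncated before the check where `size_t` is wider.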
diff --git a/contrib/bind9/lib/isc/heap.c b/contrib/bind9/lib/isc/heap.c
new file mode 100644
index 0000000..78b1925
--- /dev/null
+++ b/contrib/bind9/lib/isc/heap.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: heap.c,v 1.28.12.3 2004/03/08 09:04:48 marka Exp $ */
+
+/*
+ * Heap implementation of priority queues adapted from the following:
+ *
+ * _Introduction to Algorithms_, Cormen, Leiserson, and Rivest,
+ * MIT Press / McGraw Hill, 1990, ISBN 0-262-03141-8, chapter 7.
+ *
+ * _Algorithms_, Second Edition, Sedgewick, Addison-Wesley, 1988,
+ * ISBN 0-201-06673-4, chapter 11.
+ */
+
+#include <config.h>
+
+#include <isc/heap.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h> /* Required for memcpy. */
+#include <isc/util.h>
+
+/*
+ * Note: to make heap_parent and heap_left easy to compute, the first
+ * element of the heap array is not used; i.e. heap subscripts are 1-based,
+ * not 0-based.
+ */
+#define heap_parent(i) ((i) >> 1)
+#define heap_left(i) ((i) << 1)
+
+#define SIZE_INCREMENT 1024
+
+#define HEAP_MAGIC ISC_MAGIC('H', 'E', 'A', 'P')
+#define VALID_HEAP(h) ISC_MAGIC_VALID(h, HEAP_MAGIC)
+
+/*
+ * When the heap is in a consistent state, the following invariant
+ * holds true: for every element i > 1, heap_parent(i) has a priority
+ * higher than or equal to that of i.
+ */
+#define HEAPCONDITION(i) ((i) == 1 || \
+ ! heap->compare(heap->array[(i)], \
+ heap->array[heap_parent(i)]))
+
+struct isc_heap {
+ unsigned int magic;
+ isc_mem_t * mctx;
+ unsigned int size;
+ unsigned int size_increment;
+ unsigned int last;
+ void **array;
+ isc_heapcompare_t compare;
+ isc_heapindex_t index;
+};
+
+isc_result_t
+isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
+ isc_heapindex_t index, unsigned int size_increment,
+ isc_heap_t **heapp)
+{
+ isc_heap_t *heap;
+
+ REQUIRE(heapp != NULL && *heapp == NULL);
+ REQUIRE(compare != NULL);
+
+ heap = isc_mem_get(mctx, sizeof(*heap));
+ if (heap == NULL)
+ return (ISC_R_NOMEMORY);
+ heap->magic = HEAP_MAGIC;
+ heap->mctx = mctx;
+ heap->size = 0;
+ if (size_increment == 0)
+ heap->size_increment = SIZE_INCREMENT;
+ else
+ heap->size_increment = size_increment;
+ heap->last = 0;
+ heap->array = NULL;
+ heap->compare = compare;
+ heap->index = index;
+
+ *heapp = heap;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_heap_destroy(isc_heap_t **heapp) {
+ isc_heap_t *heap;
+
+ REQUIRE(heapp != NULL);
+ heap = *heapp;
+ REQUIRE(VALID_HEAP(heap));
+
+ if (heap->array != NULL)
+ isc_mem_put(heap->mctx, heap->array,
+ heap->size * sizeof(void *));
+ heap->magic = 0;
+ isc_mem_put(heap->mctx, heap, sizeof(*heap));
+
+ *heapp = NULL;
+}
+
+static isc_boolean_t
+resize(isc_heap_t *heap) {
+ void **new_array;
+ size_t new_size;
+
+ REQUIRE(VALID_HEAP(heap));
+
+ new_size = heap->size + heap->size_increment;
+ new_array = isc_mem_get(heap->mctx, new_size * sizeof(void *));
+ if (new_array == NULL)
+ return (ISC_FALSE);
+ if (heap->array != NULL) {
+ memcpy(new_array, heap->array, heap->size * sizeof(void *));
+ isc_mem_put(heap->mctx, heap->array,
+ heap->size * sizeof(void *));
+ }
+ heap->size = new_size;
+ heap->array = new_array;
+
+ return (ISC_TRUE);
+}
+
+static void
+float_up(isc_heap_t *heap, unsigned int i, void *elt) {
+ unsigned int p;
+
+ for (p = heap_parent(i);
+ i > 1 && heap->compare(elt, heap->array[p]);
+ i = p, p = heap_parent(i)) {
+ heap->array[i] = heap->array[p];
+ if (heap->index != NULL)
+ (heap->index)(heap->array[i], i);
+ }
+ heap->array[i] = elt;
+ if (heap->index != NULL)
+ (heap->index)(heap->array[i], i);
+
+ INSIST(HEAPCONDITION(i));
+}
+
+static void
+sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
+ unsigned int j, size, half_size;
+ size = heap->last;
+ half_size = size / 2;
+ while (i <= half_size) {
+ /* Find the smallest of the (at most) two children. */
+ j = heap_left(i);
+ if (j < size && heap->compare(heap->array[j+1],
+ heap->array[j]))
+ j++;
+ if (heap->compare(elt, heap->array[j]))
+ break;
+ heap->array[i] = heap->array[j];
+ if (heap->index != NULL)
+ (heap->index)(heap->array[i], i);
+ i = j;
+ }
+ heap->array[i] = elt;
+ if (heap->index != NULL)
+ (heap->index)(heap->array[i], i);
+
+ INSIST(HEAPCONDITION(i));
+}
+
+isc_result_t
+isc_heap_insert(isc_heap_t *heap, void *elt) {
+ unsigned int i;
+
+ REQUIRE(VALID_HEAP(heap));
+
+ i = ++heap->last;
+ if (heap->last >= heap->size && !resize(heap))
+ return (ISC_R_NOMEMORY);
+
+ float_up(heap, i, elt);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_heap_delete(isc_heap_t *heap, unsigned int i) {
+ void *elt;
+ isc_boolean_t less;
+
+ REQUIRE(VALID_HEAP(heap));
+ REQUIRE(i >= 1 && i <= heap->last);
+
+ if (i == heap->last) {
+ heap->last--;
+ } else {
+ elt = heap->array[heap->last--];
+ less = heap->compare(elt, heap->array[i]);
+ heap->array[i] = elt;
+ if (less)
+ float_up(heap, i, heap->array[i]);
+ else
+ sink_down(heap, i, heap->array[i]);
+ }
+}
+
+void
+isc_heap_increased(isc_heap_t *heap, unsigned int i) {
+ REQUIRE(VALID_HEAP(heap));
+ REQUIRE(i >= 1 && i <= heap->last);
+
+ float_up(heap, i, heap->array[i]);
+}
+
+void
+isc_heap_decreased(isc_heap_t *heap, unsigned int i) {
+ REQUIRE(VALID_HEAP(heap));
+ REQUIRE(i >= 1 && i <= heap->last);
+
+ sink_down(heap, i, heap->array[i]);
+}
+
+void *
+isc_heap_element(isc_heap_t *heap, unsigned int i) {
+ REQUIRE(VALID_HEAP(heap));
+ REQUIRE(i >= 1 && i <= heap->last);
+
+ return (heap->array[i]);
+}
+
+void
+isc_heap_foreach(isc_heap_t *heap, isc_heapaction_t action, void *uap) {
+ unsigned int i;
+
+ REQUIRE(VALID_HEAP(heap));
+ REQUIRE(action != NULL);
+
+ for (i = 1; i <= heap->last; i++)
+ (action)(heap->array[i], uap);
+}
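Review bot: `isc_heap_insert()` increments `heap->last` before it knows the array can hold the new element, so when `resize()` fails it returns `ISC_R_NOMEMORY` with `last` equal to `size`, an index one past the end of `array` (or into a NULL `array` on the first insert). Later calls that only check `i <= heap->last`, such as `isc_heap_element()`, `isc_heap_delete()` and `isc_heap_foreach()`, would then read that slot. Committing the counter after the resize succeeds avoids this: `i = heap->last + 1;`, `if (i >= heap->size && !resize(heap)) return (ISC_R_NOMEMORY);`, `heap->last = i;`. `resize()` also computes `new_size * sizeof(void *)` and stores `new_size` back into the `unsigned int` `heap->size` with no overflow check.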
diff --git a/contrib/bind9/lib/isc/hex.c b/contrib/bind9/lib/isc/hex.c
new file mode 100644
index 0000000..a90f1ce
--- /dev/null
+++ b/contrib/bind9/lib/isc/hex.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hex.c,v 1.8.2.2.8.3 2004/03/06 08:14:30 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/lex.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+ isc_result_t _r = (x); \
+ if (_r != ISC_R_SUCCESS) \
+ return (_r); \
+ } while (0)
+
+
+/*
+ * BEW: These static functions are copied from lib/dns/rdata.c.
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+static const char hex[] = "0123456789ABCDEF";
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength,
+ const char *wordbreak, isc_buffer_t *target)
+{
+ char buf[3];
+ unsigned int loops = 0;
+
+ if (wordlength < 2)
+ wordlength = 2;
+
+ memset(buf, 0, sizeof(buf));
+ while (source->length > 0) {
+ buf[0] = hex[(source->base[0] >> 4) & 0xf];
+ buf[1] = hex[(source->base[0]) & 0xf];
+ RETERR(str_totext(buf, target));
+ isc_region_consume(source, 1);
+
+ loops++;
+ if (source->length != 0 &&
+ (int)((loops + 1) * 2) >= wordlength)
+ {
+ loops = 0;
+ RETERR(str_totext(wordbreak, target));
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * State of a hex decoding process in progress.
+ */
+typedef struct {
+ int length; /* Desired length of binary data or -1 */
+ isc_buffer_t *target; /* Buffer for resulting binary data */
+ int digits; /* Number of buffered hex digits */
+ int val[2];
+} hex_decode_ctx_t;
+
+static inline void
+hex_decode_init(hex_decode_ctx_t *ctx, int length, isc_buffer_t *target)
+{
+ ctx->digits = 0;
+ ctx->length = length;
+ ctx->target = target;
+}
+
+static inline isc_result_t
+hex_decode_char(hex_decode_ctx_t *ctx, int c) {
+ char *s;
+
+ if ((s = strchr(hex, toupper(c))) == NULL)
+ return (ISC_R_BADHEX);
+ ctx->val[ctx->digits++] = s - hex;
+ if (ctx->digits == 2) {
+ unsigned char num;
+
+ num = (ctx->val[0] << 4) + (ctx->val[1]);
+ RETERR(mem_tobuffer(ctx->target, &num, 1));
+ if (ctx->length >= 0) {
+ if (ctx->length == 0)
+ return (ISC_R_BADHEX);
+ else
+ ctx->length -= 1;
+ }
+ ctx->digits = 0;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+hex_decode_finish(hex_decode_ctx_t *ctx) {
+ if (ctx->length > 0)
+ return (ISC_R_UNEXPECTEDEND);
+ if (ctx->digits != 0)
+ return (ISC_R_BADHEX);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+ hex_decode_ctx_t ctx;
+ isc_textregion_t *tr;
+ isc_token_t token;
+ isc_boolean_t eol;
+
+ hex_decode_init(&ctx, length, target);
+
+ while (ctx.length != 0) {
+ unsigned int i;
+
+ if (length > 0)
+ eol = ISC_FALSE;
+ else
+ eol = ISC_TRUE;
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_string, eol));
+ if (token.type != isc_tokentype_string)
+ break;
+ tr = &token.value.as_textregion;
+ for (i = 0; i < tr->length; i++)
+ RETERR(hex_decode_char(&ctx, tr->base[i]));
+ }
+ if (ctx.length < 0)
+ isc_lex_ungettoken(lexer, &token);
+ RETERR(hex_decode_finish(&ctx));
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_hex_decodestring(char *cstr, isc_buffer_t *target) {
+ hex_decode_ctx_t ctx;
+
+ hex_decode_init(&ctx, -1, target);
+ for (;;) {
+ int c = *cstr++;
+ if (c == '\0')
+ break;
+ if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+ continue;
+ RETERR(hex_decode_char(&ctx, c));
+ }
+ RETERR(hex_decode_finish(&ctx));
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+ unsigned int l;
+ isc_region_t region;
+
+ isc_buffer_availableregion(target, &region);
+ l = strlen(source);
+
+ if (l > region.length)
+ return (ISC_R_NOSPACE);
+
+ memcpy(region.base, source, l);
+ isc_buffer_add(target, l);
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+ isc_region_t tr;
+
+ isc_buffer_availableregion(target, &tr);
+ if (length > tr.length)
+ return (ISC_R_NOSPACE);
+ memcpy(tr.base, base, length);
+ isc_buffer_add(target, length);
+ return (ISC_R_SUCCESS);
+}
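Review bot: `hex_decode_char()` passes `c` unchecked to `toupper()` and `strchr(hex, ...)`, so a `c` of 0 matches the terminating NUL of `hex` and is accepted as digit value 16, and a negative `c` (a plain `char` with the high bit set, as `int c = *cstr++` can produce) is outside the range `toupper()` is defined for. `isc_hex_decodestring()` filters NUL before the call, but `isc_hex_tobuffer()` depends on the lexer never returning one inside a token. A guard such as `if (c == '\0' || (s = strchr(hex, toupper((unsigned char)c))) == NULL) return (ISC_R_BADHEX);` covers both cases. The function also stores the byte with `mem_tobuffer()` before testing `ctx->length == 0`, so over-long input has already written one extra byte to `target` when `ISC_R_BADHEX` comes back.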
diff --git a/contrib/bind9/lib/isc/hmacmd5.c b/contrib/bind9/lib/isc/hmacmd5.c
new file mode 100644
index 0000000..04dc8c5
--- /dev/null
+++ b/contrib/bind9/lib/isc/hmacmd5.c
@@ -0,0 +1,113 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hmacmd5.c,v 1.5.12.3 2004/03/08 09:04:48 marka Exp $ */
+
+/*
+ * This code implements the HMAC-MD5 keyed hash algorithm
+ * described in RFC 2104.
+ */
+
+#include "config.h"
+
+#include <isc/assertions.h>
+#include <isc/hmacmd5.h>
+#include <isc/md5.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define PADLEN 64
+#define IPAD 0x36
+#define OPAD 0x5C
+
+/*
+ * Start HMAC-MD5 process. Initialize an md5 context and digest the key.
+ */
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+ unsigned int len)
+{
+ unsigned char ipad[PADLEN];
+ int i;
+
+ memset(ctx->key, 0, sizeof(ctx->key));
+ if (len > sizeof(ctx->key)) {
+ isc_md5_t md5ctx;
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, key, len);
+ isc_md5_final(&md5ctx, ctx->key);
+ } else
+ memcpy(ctx->key, key, len);
+
+ isc_md5_init(&ctx->md5ctx);
+ memset(ipad, IPAD, sizeof(ipad));
+ for (i = 0; i < PADLEN; i++)
+ ipad[i] ^= ctx->key[i];
+ isc_md5_update(&ctx->md5ctx, ipad, sizeof(ipad));
+}
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
+ isc_md5_invalidate(&ctx->md5ctx);
+ memset(ctx->key, 0, sizeof(ctx->key));
+ memset(ctx, 0, sizeof(ctx));
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+ unsigned int len)
+{
+ isc_md5_update(&ctx->md5ctx, buf, len);
+}
+
+/*
+ * Compute signature - finalize MD5 operation and reapply MD5.
+ */
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+ unsigned char opad[PADLEN];
+ int i;
+
+ isc_md5_final(&ctx->md5ctx, digest);
+
+ memset(opad, OPAD, sizeof(opad));
+ for (i = 0; i < PADLEN; i++)
+ opad[i] ^= ctx->key[i];
+
+ isc_md5_init(&ctx->md5ctx);
+ isc_md5_update(&ctx->md5ctx, opad, sizeof(opad));
+ isc_md5_update(&ctx->md5ctx, digest, ISC_MD5_DIGESTLENGTH);
+ isc_md5_final(&ctx->md5ctx, digest);
+ isc_hmacmd5_invalidate(ctx);
+}
+
+/*
+ * Verify signature - finalize MD5 operation and reapply MD5, then
+ * compare to the supplied digest.
+ */
+isc_boolean_t
+isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest) {
+ unsigned char newdigest[ISC_MD5_DIGESTLENGTH];
+
+ isc_hmacmd5_sign(ctx, newdigest);
+ return (ISC_TF(memcmp(digest, newdigest, ISC_MD5_DIGESTLENGTH) == 0));
+}
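Review bot: `isc_hmacmd5_invalidate()` ends with `memset(ctx, 0, sizeof(ctx));`, which clears only pointer-size bytes because `ctx` is an `isc_hmacmd5_t *`; wiping the whole context needs `memset(ctx, 0, sizeof(*ctx));`. The key is cleared by the line before it, but the key-derived `ipad` and `opad` stack buffers in `isc_hmacmd5_init()` and `isc_hmacmd5_sign()` are left intact on return and could be zeroed as well. `isc_hmacmd5_verify()` compares digests with `memcmp()`, whose run time depends on where the first differing byte is. A comparison that ORs together the XOR of all `ISC_MD5_DIGESTLENGTH` byte pairs and tests the result once keeps the verification time independent of the supplied digest.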
diff --git a/contrib/bind9/lib/isc/include/Makefile.in b/contrib/bind9/lib/isc/include/Makefile.in
new file mode 100644
index 0000000..59d66c7
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.10.206.1 2004/03/06 08:14:38 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/include/isc/Makefile.in b/contrib/bind9/lib/isc/include/isc/Makefile.in
new file mode 100644
index 0000000..10cad7e
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/Makefile.in
@@ -0,0 +1,57 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.50.12.4 2004/03/06 08:14:38 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
+ bufferlist.h commandline.h entropy.h error.h event.h \
+ eventclass.h \
+ file.h formatcheck.h fsaccess.h heap.h hex.h hmacmd5.h \
+ interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \
+ lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \
+ mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
+ print.h quota.h random.h ratelimiter.h \
+ refcount.h region.h resource.h \
+ result.h resultclass.h rwlock.h serial.h sha1.h sockaddr.h \
+ socket.h stdio.h stdlib.h string.h symtab.h task.h taskpool.h \
+ timer.h types.h util.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc ; \
+ done
+ ${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/isc
+
+distclean::
+ rm -f platform.h
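Review bot: In the `install::` recipe the `for i in ${HEADERS}` loop keeps only the exit status of the last `${INSTALL_DATA}` call. Under a make that does not run recipes with `sh -e` (GNU make, for one), a header that fails to copy in the middle of the list leaves a partial install that is still reported as success. Ending the loop body with `|| exit 1`, as in `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isc || exit 1 ; \`, stops at the first failure. The `${DESTDIR}${includedir}/isc` and `${srcdir}/$$i` arguments are also unquoted, so a staging path containing whitespace would be word-split by the shell.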
diff --git a/contrib/bind9/lib/isc/include/isc/app.h b/contrib/bind9/lib/isc/include/isc/app.h
new file mode 100644
index 0000000..f77057b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/app.h
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: app.h,v 1.1.206.1 2004/03/06 08:14:38 marka Exp $ */
+
+#ifndef ISC_APP_H
+#define ISC_APP_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * ISC Application Support
+ *
+ * Dealing with program termination can be difficult, especially in a
+ * multithreaded program. The routines in this module help coordinate
+ * the shutdown process. They are used as follows by the initial (main)
+ * thread of the application:
+ *
+ * isc_app_start(); Call very early in main(), before
+ * any other threads have been created.
+ *
+ * isc_app_run(); This will post any on-run events,
+ * and then block until application
+ * shutdown is requested. A shutdown
+ * request is made by calling
+ * isc_app_shutdown(), or by sending
+ * SIGINT or SIGTERM to the process.
+ * After isc_app_run() returns, the
+ * application should shutdown itself.
+ *
+ * isc_app_finish(); Call very late in main().
+ *
+ * Applications that want to use SIGHUP/isc_app_reload() to trigger reloading
+ * should check the result of isc_app_run() and call the reload routine if
+ * the result is ISC_R_RELOAD. They should then call isc_app_run() again
+ * to resume waiting for reload or termination.
+ *
+ * Use of this module is not required. In particular, isc_app_start() is
+ * NOT an ISC library initialization routine.
+ *
+ * MP:
+ * Clients must ensure that isc_app_start(), isc_app_run(), and
+ * isc_app_finish() are called at most once. isc_app_shutdown()
+ * is safe to use by any thread (provided isc_app_start() has been
+ * called previously).
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * None.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/result.h>
+
+typedef isc_event_t isc_appevent_t;
+
+#define ISC_APPEVENT_FIRSTEVENT (ISC_EVENTCLASS_APP + 0)
+#define ISC_APPEVENT_SHUTDOWN (ISC_EVENTCLASS_APP + 1)
+#define ISC_APPEVENT_LASTEVENT (ISC_EVENTCLASS_APP + 65535)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_app_start(void);
+/*
+ * Start an ISC library application.
+ *
+ * Notes:
+ * This call should be made before any other ISC library call, and as
+ * close to the beginning of the application as possible.
+ */
+
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+ void *arg);
+/*
+ * Request delivery of an event when the application is run.
+ *
+ * Requires:
+ * isc_app_start() has been called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+isc_result_t
+isc_app_run(void);
+/*
+ * Run an ISC library application.
+ *
+ * Notes:
+ * The caller (typically the initial thread of an application) will
+ * block until shutdown is requested. When the call returns, the
+ * caller should start shutting down the application.
+ *
+ * Requires:
+ * isc_app_start() has been called.
+ *
+ * Ensures:
+ * Any events requested via isc_app_onrun() will have been posted (in
+ * FIFO order) before isc_app_run() blocks.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Shutdown has been requested.
+ * ISC_R_RELOAD Reload has been requested.
+ */
+
+isc_result_t
+isc_app_shutdown(void);
+/*
+ * Request application shutdown.
+ *
+ * Notes:
+ * It is safe to call isc_app_shutdown() multiple times. Shutdown will
+ * only be triggered once.
+ *
+ * Requires:
+ * isc_app_run() has been called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_app_reload(void);
+/*
+ * Request application reload.
+ *
+ * Requires:
+ * isc_app_run() has been called.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTED
+ */
+
+void
+isc_app_finish(void);
+/*
+ * Finish an ISC library application.
+ *
+ * Notes:
+ * This call should be made at or near the end of main().
+ *
+ * Requires:
+ * isc_app_start() has been called.
+ *
+ * Ensures:
+ * Any resources allocated by isc_app_start() have been released.
+ */
+
+void
+isc_app_block(void);
+/*
+ * Indicate that a blocking operation will be performed.
+ *
+ * Notes:
+ * If a blocking operation is in process, a call to isc_app_shutdown()
+ * or an external signal will abort the program, rather than allowing
+ * clean shutdown. This is primarily useful for reading user input.
+ *
+ * Requires:
+ * isc_app_start() has been called.
+ * No other blocking operations are in progress.
+ */
+
+void
+isc_app_unblock(void);
+/*
+ * Indicate that a blocking operation is complete.
+ *
+ * Notes:
+ * When a blocking operation has completed, return the program to a
+ * state where a call to isc_app_shutdown() or an external signal will
+ * shutdown normally.
+ *
+ * Requires:
+ * isc_app_start() has been called.
+ * isc_app_block() has been called by the same thread.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_APP_H */
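Review bot: The module comment and the function comment disagree on when isc_app_shutdown() may be called. The MP paragraph says it is safe from any thread "provided isc_app_start() has been called previously", while the comment under the prototype lists `isc_app_run() has been called.` as the requirement; isc_app_reload() carries the same requirement. A caller that follows the MP paragraph and requests shutdown between start and run may violate the stricter precondition, so one of the two texts should be corrected. If the per-function comment is authoritative (the implementation is not in this hunk), the MP paragraph could read `(provided isc_app_run() has been called previously)`.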
diff --git a/contrib/bind9/lib/isc/include/isc/assertions.h b/contrib/bind9/lib/isc/include/isc/assertions.h
new file mode 100644
index 0000000..6091de9
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/assertions.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * $Id: assertions.h,v 1.17.206.1 2004/03/06 08:14:38 marka Exp $
+ */
+
+#ifndef ISC_ASSERTIONS_H
+#define ISC_ASSERTIONS_H 1
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+ isc_assertiontype_require,
+ isc_assertiontype_ensure,
+ isc_assertiontype_insist,
+ isc_assertiontype_invariant
+} isc_assertiontype_t;
+
+typedef void (*isc_assertioncallback_t)(const char *, int, isc_assertiontype_t,
+ const char *);
+
+LIBISC_EXTERNAL_DATA extern isc_assertioncallback_t isc_assertion_failed;
+
+void
+isc_assertion_setcallback(isc_assertioncallback_t);
+
+const char *
+isc_assertion_typetotext(isc_assertiontype_t type);
+
+#ifdef ISC_CHECK_ALL
+#define ISC_CHECK_REQUIRE 1
+#define ISC_CHECK_ENSURE 1
+#define ISC_CHECK_INSIST 1
+#define ISC_CHECK_INVARIANT 1
+#endif
+
+#ifdef ISC_CHECK_NONE
+#define ISC_CHECK_REQUIRE 0
+#define ISC_CHECK_ENSURE 0
+#define ISC_CHECK_INSIST 0
+#define ISC_CHECK_INVARIANT 0
+#endif
+
+#ifndef ISC_CHECK_REQUIRE
+#define ISC_CHECK_REQUIRE 1
+#endif
+
+#ifndef ISC_CHECK_ENSURE
+#define ISC_CHECK_ENSURE 1
+#endif
+
+#ifndef ISC_CHECK_INSIST
+#define ISC_CHECK_INSIST 1
+#endif
+
+#ifndef ISC_CHECK_INVARIANT
+#define ISC_CHECK_INVARIANT 1
+#endif
+
+#if ISC_CHECK_REQUIRE != 0
+#define ISC_REQUIRE(cond) \
+ ((void) ((cond) || \
+ ((isc_assertion_failed)(__FILE__, __LINE__, \
+ isc_assertiontype_require, \
+ #cond), 0)))
+#else
+#define ISC_REQUIRE(cond) ((void) 0)
+#endif /* ISC_CHECK_REQUIRE */
+
+#if ISC_CHECK_ENSURE != 0
+#define ISC_ENSURE(cond) \
+ ((void) ((cond) || \
+ ((isc_assertion_failed)(__FILE__, __LINE__, \
+ isc_assertiontype_ensure, \
+ #cond), 0)))
+#else
+#define ISC_ENSURE(cond) ((void) 0)
+#endif /* ISC_CHECK_ENSURE */
+
+#if ISC_CHECK_INSIST != 0
+#define ISC_INSIST(cond) \
+ ((void) ((cond) || \
+ ((isc_assertion_failed)(__FILE__, __LINE__, \
+ isc_assertiontype_insist, \
+ #cond), 0)))
+#else
+#define ISC_INSIST(cond) ((void) 0)
+#endif /* ISC_CHECK_INSIST */
+
+#if ISC_CHECK_INVARIANT != 0
+#define ISC_INVARIANT(cond) \
+ ((void) ((cond) || \
+ ((isc_assertion_failed)(__FILE__, __LINE__, \
+ isc_assertiontype_invariant, \
+ #cond), 0)))
+#else
+#define ISC_INVARIANT(cond) ((void) 0)
+#endif /* ISC_CHECK_INVARIANT */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ASSERTIONS_H */
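Review bot: `ISC_CHECK_ALL` and `ISC_CHECK_NONE` are handled by two independent `#ifdef` blocks, so a build that defines both redefines every `ISC_CHECK_*` macro from 1 to 0. That gives an incompatible-redefinition diagnostic at best, and otherwise the second block wins and the checks are off. A guard ahead of the two blocks makes the conflict explicit: `#if defined(ISC_CHECK_ALL) && defined(ISC_CHECK_NONE)` followed by `#error "ISC_CHECK_ALL and ISC_CHECK_NONE are mutually exclusive"`. The header would also benefit from a comment stating that a disabled macro expands to `((void) 0)` and never evaluates `cond`, so conditions must have no side effects. The same comment should say that turning off `ISC_CHECK_REQUIRE` removes the only stated enforcement of preconditions such as `used + n <= length` in buffer.h.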
diff --git a/contrib/bind9/lib/isc/include/isc/base64.h b/contrib/bind9/lib/isc/include/isc/base64.h
new file mode 100644
index 0000000..260dd1d
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/base64.h
@@ -0,0 +1,97 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base64.h,v 1.15.206.1 2004/03/06 08:14:38 marka Exp $ */
+
+#ifndef ISC_BASE64_H
+#define ISC_BASE64_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base64_totext(isc_region_t *source, int wordlength,
+ const char *wordbreak, isc_buffer_t *target);
+/*
+ * Convert data into base64 encoded text.
+ *
+ * Notes:
+ * The base64 encoded text in 'target' will be divided into
+ * words of at most 'wordlength' characters, separated by
+ * the 'wordbreak' string. No parentheses will surround
+ * the text.
+ *
+ * Requires:
+ * 'source' is a region containing binary data
+ * 'target' is a text buffer containing available space
+ * 'wordbreak' points to a null-terminated string of
+ * zero or more whitespace characters
+ *
+ * Ensures:
+ * target will contain the base64 encoded version of the data
+ * in source. The 'used' pointer in target will be advanced as
+ * necessary.
+ */
+
+isc_result_t
+isc_base64_decodestring(const char *cstr, isc_buffer_t *target);
+/*
+ * Decode a null-terminated base64 string.
+ *
+ * Requires:
+ * 'cstr' is non-null.
+ * 'target' is a valid buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
+ * fit in 'target'.
+ * ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ *
+ * Other error returns are any possible error code from:
+ * isc_lex_create(),
+ * isc_lex_openbuffer(),
+ * isc_base64_tobuffer().
+ */
+
+isc_result_t
+isc_base64_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*
+ * Convert base64 encoded text from a lexer context into data.
+ *
+ * Requires:
+ * 'lex' is a valid lexer context
+ * 'target' is a buffer containing binary data
+ * 'length' is an integer
+ *
+ * Ensures:
+ * target will contain the data represented by the base64 encoded
+ * string parsed by the lexer. No more than length bytes will be read,
+ * if length is positive. The 'used' pointer in target will be
+ * advanced as necessary.
+ */
+
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE64_H */
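Review bot: The contract comments here leave out what a caller needs in order to handle failure, and two of them name parameters that do not exist. isc_base64_totext() and isc_base64_tobuffer() have no `Returns:` section, so the result when 'target' has too little space, or when the lexer input is not valid base64, is undocumented. isc_base64_tobuffer() says "if length is positive" without stating what zero or a negative 'length' means. Its `Requires:` line refers to `'lex'` where the parameter is `lexer`, and isc_base64_decodestring() refers to `'cstring'` where the parameter is `cstr`. Suggested wording for the first of these is `'lexer' is a valid lexer context`, plus a `Returns:` list on both functions that covers the out-of-space case.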
diff --git a/contrib/bind9/lib/isc/include/isc/bitstring.h b/contrib/bind9/lib/isc/include/isc/bitstring.h
new file mode 100644
index 0000000..6d6a555
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/bitstring.h
@@ -0,0 +1,152 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bitstring.h,v 1.7.206.1 2004/03/06 08:14:38 marka Exp $ */
+
+#ifndef ISC_BITSTRING_H
+#define ISC_BITSTRING_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Bitstring
+ *
+ * A bitstring is a packed array of bits, stored in a contiguous
+ * sequence of octets. The "most significant bit" (msb) of a bitstring
+ * is the high bit of the first octet. The "least significant bit" of a
+ * bitstring is the low bit of the last octet.
+ *
+ * Two bit numbering schemes are supported, "msb0" and "lsb0".
+ *
+ * In the "msb0" scheme, bit number 0 designates the most significant bit,
+ * and any padding bits required to make the bitstring a multiple of 8 bits
+ * long are added to the least significant end of the last octet.
+ *
+ * In the "lsb0" scheme, bit number 0 designates the least significant bit,
+ * and any padding bits required to make the bitstring a multiple of 8 bits
+ * long are added to the most significant end of the first octet.
+ *
+ * E.g., consider the bitstring "11010001111". This bitstring is 11 bits
+ * long and will take two octets. Let "p" denote a pad bit. In the msb0
+ * encoding, it would be
+ *
+ * Octet 0 Octet 1
+ * |
+ * 1 1 0 1 0 0 0 1 | 1 1 1 p p p p p
+ * ^ | ^
+ * | |
+ * bit 0 bit 15
+ *
+ * In the lsb0 encoding, it would be
+ *
+ * Octet 0 Octet 1
+ * |
+ * p p p p p 1 1 0 | 1 0 0 0 1 1 1 1
+ * ^ | ^
+ * | |
+ * bit 15 bit 0
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+struct isc_bitstring {
+ unsigned int magic;
+ unsigned char * data;
+ unsigned int length;
+ unsigned int size;
+ isc_boolean_t lsb0;
+};
+
+/***
+ *** Functions
+ ***/
+
+void
+isc_bitstring_init(isc_bitstring_t *bitstring, unsigned char *data,
+ unsigned int length, unsigned int size, isc_boolean_t lsb0);
+/*
+ * Make 'bitstring' refer to the bitstring of 'size' bits starting
+ * at 'data'. 'length' bits of the bitstring are valid. If 'lsb0'
+ * is set then, bit 0 refers to the least significant bit of the
+ * bitstring. Otherwise bit 0 is the most significant bit.
+ *
+ * Requires:
+ *
+ * 'bitstring' points to a isc_bitstring_t.
+ *
+ * 'data' points to an array of unsigned char large enough to hold
+ * 'size' bits.
+ *
+ * 'length' <= 'size'.
+ *
+ * Ensures:
+ *
+ * 'bitstring' is a valid bitstring.
+ */
+
+void
+isc_bitstring_invalidate(isc_bitstring_t *bitstring);
+/*
+ * Invalidate 'bitstring'.
+ *
+ * Requires:
+ *
+ * 'bitstring' is a valid bitstring.
+ *
+ * Ensures:
+ *
+ * 'bitstring' is not a valid bitstring.
+ */
+
+void
+isc_bitstring_copy(isc_bitstring_t *source, unsigned int sbitpos,
+ isc_bitstring_t *target, unsigned int tbitpos,
+ unsigned int n);
+/*
+ * Starting at bit 'sbitpos', copy 'n' bits from 'source' to
+ * the 'n' bits of 'target' starting at 'tbitpos'.
+ *
+ * Requires:
+ *
+ * 'source' and target are valid bitstrings with the same lsb0 setting.
+ *
+ * 'sbitpos' + 'n' is less than or equal to the length of 'source'.
+ *
+ * 'tbitpos' + 'n' is less than or equal to the size of 'target'.
+ *
+ * Ensures:
+ *
+ * The specified bits have been copied, and the length of 'target'
+ * adjusted (if required).
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BITSTRING_H */
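Review bot: The preconditions of isc_bitstring_copy() are stated as sums of `unsigned int` values (`'sbitpos' + 'n'` against the source length, `'tbitpos' + 'n'` against the target size), and those sums can wrap. A check written literally from this comment would accept a very large `n` whose sum wraps to a small value, and the copy would then run outside both bitstrings. Stating the requirement in subtraction form avoids the wrap, e.g. `'n' <= length of 'source' and 'sbitpos' <= length of 'source' - 'n'`, and likewise for 'target'. The implementation is not part of this hunk, so whether it already checks this way cannot be confirmed from here.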
diff --git a/contrib/bind9/lib/isc/include/isc/boolean.h b/contrib/bind9/lib/isc/include/isc/boolean.h
new file mode 100644
index 0000000..0081447
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/boolean.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: boolean.h,v 1.12.206.1 2004/03/06 08:14:39 marka Exp $ */
+
+#ifndef ISC_BOOLEAN_H
+#define ISC_BOOLEAN_H 1
+
+typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
+
+#define ISC_FALSE isc_boolean_false
+#define ISC_TRUE isc_boolean_true
+#define ISC_TF(x) ((x) ? ISC_TRUE : ISC_FALSE)
+
+#endif /* ISC_BOOLEAN_H */
diff --git a/contrib/bind9/lib/isc/include/isc/buffer.h b/contrib/bind9/lib/isc/include/isc/buffer.h
new file mode 100644
index 0000000..02b82bc
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/buffer.h
@@ -0,0 +1,800 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: buffer.h,v 1.39.12.2 2004/03/08 09:04:51 marka Exp $ */
+
+#ifndef ISC_BUFFER_H
+#define ISC_BUFFER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Buffers
+ *
+ * A buffer is a region of memory, together with a set of related subregions.
+ * Buffers are used for parsing and I/O operations.
+ *
+ * The 'used region' and the 'available' region are disjoint, and their
+ * union is the buffer's region. The used region extends from the beginning
+ * of the buffer region to the last used byte. The available region
+ * extends from one byte greater than the last used byte to the end of the
+ * buffer's region. The size of the used region can be changed using various
+ * buffer commands. Initially, the used region is empty.
+ *
+ * The used region is further subdivided into two disjoint regions: the
+ * 'consumed region' and the 'remaining region'. The union of these two
+ * regions is the used region. The consumed region extends from the beginning
+ * of the used region to the byte before the 'current' offset (if any). The
+ * 'remaining' region the current pointer to the end of the used
+ * region. The size of the consumed region can be changed using various
+ * buffer commands. Initially, the consumed region is empty.
+ *
+ * The 'active region' is an (optional) subregion of the remaining region.
+ * It extends from the current offset to an offset in the remaining region
+ * that is selected with isc_buffer_setactive(). Initially, the active region
+ * is empty. If the current offset advances beyond the chosen offset, the
+ * active region will also be empty.
+ *
+ * /------------entire length---------------\
+ * /----- used region -----\/-- available --\
+ * +----------------------------------------+
+ * | consumed | remaining | |
+ * +----------------------------------------+
+ * a b c d e
+ *
+ * a == base of buffer.
+ * b == current pointer. Can be anywhere between a and d.
+ * c == active pointer. Meaningful between b and d.
+ * d == used pointer.
+ * e == length of buffer.
+ *
+ * a-e == entire length of buffer.
+ * a-d == used region.
+ * a-b == consumed region.
+ * b-d == remaining region.
+ * b-c == optional active region.
+ *
+ * The following invariants are maintained by all routines:
+ *
+ * length > 0
+ *
+ * base is a valid pointer to length bytes of memory
+ *
+ * 0 <= used <= length
+ *
+ * 0 <= current <= used
+ *
+ * 0 <= active <= used
+ * (although active < current implies empty active region)
+ *
+ * MP:
+ * Buffers have no synchronization. Clients must ensure exclusive
+ * access.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * Memory: 1 pointer + 6 unsigned integers per buffer.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/types.h>
+
+/*
+ * To make many functions be inline macros (via #define) define this.
+ * If it is undefined, a function will be used.
+ */
+/* #define ISC_BUFFER_USEINLINE */
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Magic numbers
+ ***/
+#define ISC_BUFFER_MAGIC 0x42756621U /* Buf!. */
+#define ISC_BUFFER_VALID(b) ISC_MAGIC_VALID(b, ISC_BUFFER_MAGIC)
+
+/*
+ * The following macros MUST be used only on valid buffers. It is the
+ * caller's responsibility to ensure this by using the ISC_BUFFER_VALID
+ * check above, or by calling another isc_buffer_*() function (rather than
+ * another macro.)
+ */
+
+/*
+ * Fundamental buffer elements. (A through E in the introductory comment.)
+ */
+#define isc_buffer_base(b) ((void *)(b)->base) /*a*/
+#define isc_buffer_current(b) \
+ ((void *)((unsigned char *)(b)->base + (b)->current)) /*b*/
+#define isc_buffer_active(b) \
+ ((void *)((unsigned char *)(b)->base + (b)->active)) /*c*/
+#define isc_buffer_used(b) \
+ ((void *)((unsigned char *)(b)->base + (b)->used)) /*d*/
+#define isc_buffer_length(b) ((b)->length) /*e*/
+
+/*
+ * Derived lengths. (Described in the introductory comment.)
+ */
+#define isc_buffer_usedlength(b) ((b)->used) /* d-a */
+#define isc_buffer_consumedlength(b) ((b)->current) /* b-a */
+#define isc_buffer_remaininglength(b) ((b)->used - (b)->current) /* d-b */
+#define isc_buffer_activelength(b) ((b)->active - (b)->current) /* c-b */
+#define isc_buffer_availablelength(b) ((b)->length - (b)->used) /* e-d */
+
+/*
+ * Note that the buffer structure is public. This is principally so buffer
+ * operations can be implemented using macros. Applications are strongly
+ * discouraged from directly manipulating the structure.
+ */
+
+struct isc_buffer {
+ unsigned int magic;
+ void *base;
+ /* The following integers are byte offsets from 'base'. */
+ unsigned int length;
+ unsigned int used;
+ unsigned int current;
+ unsigned int active;
+ /* linkable */
+ ISC_LINK(isc_buffer_t) link;
+ /* private internal elements */
+ isc_mem_t *mctx;
+};
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_buffer_allocate(isc_mem_t *mctx, isc_buffer_t **dynbuffer,
+ unsigned int length);
+/*
+ * Allocate a dynamic linkable buffer which has "length" bytes in the
+ * data region.
+ *
+ * Requires:
+ * "mctx" is valid.
+ *
+ * "dynbuffer" is non-NULL, and "*dynbuffer" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - success
+ * ISC_R_NOMEMORY - no memory available
+ *
+ * Note:
+ * Changing the buffer's length field is not permitted.
+ */
+
+void
+isc_buffer_free(isc_buffer_t **dynbuffer);
+/*
+ * Release resources allocated for a dynamic buffer.
+ *
+ * Requires:
+ * "dynbuffer" is not NULL.
+ *
+ * "*dynbuffer" is a valid dynamic buffer.
+ *
+ * Ensures:
+ * "*dynbuffer" will be NULL on return, and all memory associated with
+ * the dynamic buffer is returned to the memory context used in
+ * isc_buffer_allocate().
+ */
+
+void
+isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length);
+/*
+ * Make 'b' refer to the 'length'-byte region starting at base.
+ *
+ * Requires:
+ *
+ * 'length' > 0
+ *
+ * 'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+isc__buffer_invalidate(isc_buffer_t *b);
+/*
+ * Make 'b' an invalid buffer.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * Ensures:
+ * If assertion checking is enabled, future attempts to use 'b' without
+ * calling isc_buffer_init() on it will cause an assertion failure.
+ */
+
+void
+isc__buffer_region(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_usedregion(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the used region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_availableregion(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the available region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_add(isc_buffer_t *b, unsigned int n);
+/*
+ * Increase the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * used + n <= length
+ *
+ */
+
+void
+isc__buffer_subtract(isc_buffer_t *b, unsigned int n);
+/*
+ * Decrease the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * used >= n
+ *
+ */
+
+void
+isc__buffer_clear(isc_buffer_t *b);
+/*
+ * Make the used region empty.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ * used = 0
+ *
+ */
+
+void
+isc__buffer_consumedregion(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the consumed region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_remainingregion(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the remaining region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_activeregion(isc_buffer_t *b, isc_region_t *r);
+/*
+ * Make 'r' refer to the active region of 'b'.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * 'r' points to a region structure.
+ */
+
+void
+isc__buffer_setactive(isc_buffer_t *b, unsigned int n);
+/*
+ * Sets the end of the active region 'n' bytes after current.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * current + n <= used
+ */
+
+void
+isc__buffer_first(isc_buffer_t *b);
+/*
+ * Make the consumed region empty.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ * current == 0
+ *
+ */
+
+void
+isc__buffer_forward(isc_buffer_t *b, unsigned int n);
+/*
+ * Increase the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * current + n <= used
+ *
+ */
+
+void
+isc__buffer_back(isc_buffer_t *b, unsigned int n);
+/*
+ * Decrease the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * n <= current
+ *
+ */
+
+void
+isc_buffer_compact(isc_buffer_t *b);
+/*
+ * Compact the used region by moving the remaining region so it occurs
+ * at the start of the buffer. The used region is shrunk by the size of
+ * the consumed region, and the consumed region is then made empty.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ * current == 0
+ *
+ * The size of the used region is now equal to the size of the remaining
+ * region (as it was before the call). The contents of the used region
+ * are those of the remaining region (as it was before the call).
+ */
+
+isc_uint8_t
+isc_buffer_getuint8(isc_buffer_t *b);
+/*
+ * Read an unsigned 8-bit integer from 'b' and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 1.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 1.
+ *
+ * Returns:
+ *
+ * A 8-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint8(isc_buffer_t *b, isc_uint8_t val);
+/*
+ * Store an unsigned 8-bit integer from 'val' into 'b'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 1.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 1.
+ */
+
+isc_uint16_t
+isc_buffer_getuint16(isc_buffer_t *b);
+/*
+ * Read an unsigned 16-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ * A 16-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val);
+/*
+ * Store an unsigned 16-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 2.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 2.
+ */
+
+isc_uint32_t
+isc_buffer_getuint32(isc_buffer_t *b);
+/*
+ * Read an unsigned 32-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 4.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 4.
+ *
+ * Returns:
+ *
+ * A 32-bit unsigned integer.
+ */
+
+void
+isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
+/*
+ * Store an unsigned 32-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 4.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 4.
+ */
+
+void
+isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
+ unsigned int length);
+/*
+ * Copy 'length' bytes of memory at 'base' into 'b'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * 'base' points to 'length' bytes of valid memory.
+ *
+ */
+
+void
+isc__buffer_putstr(isc_buffer_t *b, const char *source);
+/*
+ * Copy 'source' into 'b', not including terminating NUL.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * 'source' to be a valid NULL terminated string.
+ *
+ * strlen(source) <= isc_buffer_available(b)
+ */
+
+isc_result_t
+isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r);
+/*
+ * Copy the contents of 'r' into 'b'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * 'r' is a valid region.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE The available region of 'b' is not
+ * big enough.
+ */
+
+ISC_LANG_ENDDECLS
+
+/*
+ * Inline macro versions of the functions. These should never be called
+ * directly by an application, but will be used by the functions within
+ * buffer.c. The callers should always use "isc_buffer_*()" names, never
+ * ones beginning with "isc__"
+ */
+
+/*
+ * XXXDCL Something more could be done with initializing buffers that
+ * point to const data. For example, a new function, isc_buffer_initconst,
+ * could be used, and a new boolean flag in the buffer structure could
+ * indicate whether the buffer was initialized with that function.
+ * (isc_bufer_init itself would be reprototyped to *not* have its "base"
+ * parameter be const.) Then if the boolean were true, the isc_buffer_put*
+ * functions could assert a contractual requirement for a non-const buffer.
+ * One drawback is that the isc_buffer_* functions (macros) that return
+ * pointers would still need to return non-const pointers to avoid compiler
+ * warnings, so it would be up to code that uses them to have to deal
+ * with the possibility that the buffer was initialized as const --
+ * a problem that they *already* have to deal with but have absolutely
+ * no ability to. With a new isc_buffer_isconst() function returning
+ * true/false, they could at least assert a contractual requirement for
+ * non-const buffers when needed.
+ */
+#define ISC__BUFFER_INIT(_b, _base, _length) \
+ do { \
+ union { \
+ const void * konst; \
+ void * var; \
+ } _u; \
+ _u.konst = (_base); \
+ (_b)->base = _u.var; \
+ (_b)->length = (_length); \
+ (_b)->used = 0; \
+ (_b)->current = 0; \
+ (_b)->active = 0; \
+ (_b)->mctx = NULL; \
+ ISC_LINK_INIT(_b, link); \
+ (_b)->magic = ISC_BUFFER_MAGIC; \
+ } while (0)
+
+#define ISC__BUFFER_INVALIDATE(_b) \
+ do { \
+ (_b)->magic = 0; \
+ (_b)->base = NULL; \
+ (_b)->length = 0; \
+ (_b)->used = 0; \
+ (_b)->current = 0; \
+ (_b)->active = 0; \
+ } while (0)
+
+#define ISC__BUFFER_REGION(_b, _r) \
+ do { \
+ (_r)->base = (_b)->base; \
+ (_r)->length = (_b)->length; \
+ } while (0)
+
+#define ISC__BUFFER_USEDREGION(_b, _r) \
+ do { \
+ (_r)->base = (_b)->base; \
+ (_r)->length = (_b)->used; \
+ } while (0)
+
+#define ISC__BUFFER_AVAILABLEREGION(_b, _r) \
+ do { \
+ (_r)->base = isc_buffer_used(_b); \
+ (_r)->length = isc_buffer_availablelength(_b); \
+ } while (0)
+
+#define ISC__BUFFER_ADD(_b, _n) \
+ do { \
+ (_b)->used += (_n); \
+ } while (0)
+
+#define ISC__BUFFER_SUBTRACT(_b, _n) \
+ do { \
+ (_b)->used -= (_n); \
+ if ((_b)->current > (_b)->used) \
+ (_b)->current = (_b)->used; \
+ if ((_b)->active > (_b)->used) \
+ (_b)->active = (_b)->used; \
+ } while (0)
+
+#define ISC__BUFFER_CLEAR(_b) \
+ do { \
+ (_b)->used = 0; \
+ (_b)->current = 0; \
+ (_b)->active = 0; \
+ } while (0)
+
+#define ISC__BUFFER_CONSUMEDREGION(_b, _r) \
+ do { \
+ (_r)->base = (_b)->base; \
+ (_r)->length = (_b)->current; \
+ } while (0)
+
+#define ISC__BUFFER_REMAININGREGION(_b, _r) \
+ do { \
+ (_r)->base = isc_buffer_current(_b); \
+ (_r)->length = isc_buffer_remaininglength(_b); \
+ } while (0)
+
+#define ISC__BUFFER_ACTIVEREGION(_b, _r) \
+ do { \
+ if ((_b)->current < (_b)->active) { \
+ (_r)->base = isc_buffer_current(_b); \
+ (_r)->length = isc_buffer_activelength(_b); \
+ } else { \
+ (_r)->base = NULL; \
+ (_r)->length = 0; \
+ } \
+ } while (0)
+
+#define ISC__BUFFER_SETACTIVE(_b, _n) \
+ do { \
+ (_b)->active = (_b)->current + (_n); \
+ } while (0)
+
+#define ISC__BUFFER_FIRST(_b) \
+ do { \
+ (_b)->current = 0; \
+ } while (0)
+
+#define ISC__BUFFER_FORWARD(_b, _n) \
+ do { \
+ (_b)->current += (_n); \
+ } while (0)
+
+#define ISC__BUFFER_BACK(_b, _n) \
+ do { \
+ (_b)->current -= (_n); \
+ } while (0)
+
+#define ISC__BUFFER_PUTMEM(_b, _base, _length) \
+ do { \
+ memcpy(isc_buffer_used(_b), (_base), (_length)); \
+ (_b)->used += (_length); \
+ } while (0)
+
+#define ISC__BUFFER_PUTSTR(_b, _source) \
+ do { \
+ unsigned int _length; \
+ unsigned char *_cp; \
+ _length = strlen(_source); \
+ _cp = isc_buffer_used(_b); \
+ memcpy(_cp, (_source), _length); \
+ (_b)->used += (_length); \
+ } while (0)
+
+#define ISC__BUFFER_PUTUINT8(_b, _val) \
+ do { \
+ unsigned char *_cp; \
+ isc_uint8_t _val2 = (_val); \
+ _cp = isc_buffer_used(_b); \
+ (_b)->used++; \
+ _cp[0] = _val2 & 0x00ff; \
+ } while (0)
+
+#define ISC__BUFFER_PUTUINT16(_b, _val) \
+ do { \
+ unsigned char *_cp; \
+ isc_uint16_t _val2 = (_val); \
+ _cp = isc_buffer_used(_b); \
+ (_b)->used += 2; \
+ _cp[0] = (unsigned char)((_val2 & 0xff00U) >> 8); \
+ _cp[1] = (unsigned char)(_val2 & 0x00ffU); \
+ } while (0)
+
+#define ISC__BUFFER_PUTUINT32(_b, _val) \
+ do { \
+ unsigned char *_cp; \
+ isc_uint32_t _val2 = (_val); \
+ _cp = isc_buffer_used(_b); \
+ (_b)->used += 4; \
+ _cp[0] = (unsigned char)((_val2 & 0xff000000) >> 24); \
+ _cp[1] = (unsigned char)((_val2 & 0x00ff0000) >> 16); \
+ _cp[2] = (unsigned char)((_val2 & 0x0000ff00) >> 8); \
+ _cp[3] = (unsigned char)((_val2 & 0x000000ff)); \
+ } while (0)
+
+#if defined(ISC_BUFFER_USEINLINE)
+#define isc_buffer_init ISC__BUFFER_INIT
+#define isc_buffer_invalidate ISC__BUFFER_INVALIDATE
+#define isc_buffer_region ISC__BUFFER_REGION
+#define isc_buffer_usedregion ISC__BUFFER_USEDREGION
+#define isc_buffer_availableregion ISC__BUFFER_AVAILABLEREGION
+#define isc_buffer_add ISC__BUFFER_ADD
+#define isc_buffer_subtract ISC__BUFFER_SUBTRACT
+#define isc_buffer_clear ISC__BUFFER_CLEAR
+#define isc_buffer_consumedregion ISC__BUFFER_CONSUMEDREGION
+#define isc_buffer_remainingregion ISC__BUFFER_REMAININGREGION
+#define isc_buffer_activeregion ISC__BUFFER_ACTIVEREGION
+#define isc_buffer_setactive ISC__BUFFER_SETACTIVE
+#define isc_buffer_first ISC__BUFFER_FIRST
+#define isc_buffer_forward ISC__BUFFER_FORWARD
+#define isc_buffer_back ISC__BUFFER_BACK
+#define isc_buffer_putmem ISC__BUFFER_PUTMEM
+#define isc_buffer_putstr ISC__BUFFER_PUTSTR
+#define isc_buffer_putuint8 ISC__BUFFER_PUTUINT8
+#define isc_buffer_putuint16 ISC__BUFFER_PUTUINT16
+#define isc_buffer_putuint32 ISC__BUFFER_PUTUINT32
+#else
+#define isc_buffer_init isc__buffer_init
+#define isc_buffer_invalidate isc__buffer_invalidate
+#define isc_buffer_region isc__buffer_region
+#define isc_buffer_usedregion isc__buffer_usedregion
+#define isc_buffer_availableregion isc__buffer_availableregion
+#define isc_buffer_add isc__buffer_add
+#define isc_buffer_subtract isc__buffer_subtract
+#define isc_buffer_clear isc__buffer_clear
+#define isc_buffer_consumedregion isc__buffer_consumedregion
+#define isc_buffer_remainingregion isc__buffer_remainingregion
+#define isc_buffer_activeregion isc__buffer_activeregion
+#define isc_buffer_setactive isc__buffer_setactive
+#define isc_buffer_first isc__buffer_first
+#define isc_buffer_forward isc__buffer_forward
+#define isc_buffer_back isc__buffer_back
+#define isc_buffer_putmem isc__buffer_putmem
+#define isc_buffer_putstr isc__buffer_putstr
+#define isc_buffer_putuint8 isc__buffer_putuint8
+#define isc_buffer_putuint16 isc__buffer_putuint16
+#define isc_buffer_putuint32 isc__buffer_putuint32
+#endif
+
+#endif /* ISC_BUFFER_H */
diff --git a/contrib/bind9/lib/isc/include/isc/bufferlist.h b/contrib/bind9/lib/isc/include/isc/bufferlist.h
new file mode 100644
index 0000000..b24cde0
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/bufferlist.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: bufferlist.h,v 1.10.206.1 2004/03/06 08:14:39 marka Exp $ */
+
+#ifndef ISC_BUFFERLIST_H
+#define ISC_BUFFERLIST_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Buffer Lists
+ *
+ * Buffer lists have no synchronization. Clients must ensure exclusive
+ * access.
+ *
+ * Reliability:
+ * No anticipated impact.
+
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+unsigned int
+isc_bufferlist_usedcount(isc_bufferlist_t *bl);
+/*
+ * Return the length of the sum of all used regions of all buffers in
+ * the buffer list 'bl'
+ *
+ * Requires:
+ *
+ * 'bl' is not NULL.
+ *
+ * Returns:
+ * sum of all used regions' lengths.
+ */
+
+unsigned int
+isc_bufferlist_availablecount(isc_bufferlist_t *bl);
+/*
+ * Return the length of the sum of all available regions of all buffers in
+ * the buffer list 'bl'
+ *
+ * Requires:
+ *
+ * 'bl' is not NULL.
+ *
+ * Returns:
+ * sum of all available regions' lengths.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BUFFERLIST_H */
diff --git a/contrib/bind9/lib/isc/include/isc/commandline.h b/contrib/bind9/lib/isc/include/isc/commandline.h
new file mode 100644
index 0000000..250f7f0
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/commandline.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: commandline.h,v 1.9.206.1 2004/03/06 08:14:39 marka Exp $ */
+
+#ifndef ISC_COMMANDLINE_H
+#define ISC_COMMANDLINE_H 1
+
+#include <isc/boolean.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+/* Index into parent argv vector. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_index;
+/* Character checked for validity. */
+LIBISC_EXTERNAL_DATA extern int isc_commandline_option;
+/* Argument associated with option. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_argument;
+/* For printing error messages. */
+LIBISC_EXTERNAL_DATA extern char *isc_commandline_progname;
+/* Print error message. */
+LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_errprint;
+/* Reset getopt. */
+LIBISC_EXTERNAL_DATA extern isc_boolean_t isc_commandline_reset;
+
+ISC_LANG_BEGINDECLS
+
+int
+isc_commandline_parse(int argc, char * const *argv, const char *options);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_COMMANDLINE_H */
diff --git a/contrib/bind9/lib/isc/include/isc/entropy.h b/contrib/bind9/lib/isc/include/isc/entropy.h
new file mode 100644
index 0000000..7200a12
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/entropy.h
@@ -0,0 +1,288 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: entropy.h,v 1.23.2.1.10.1 2004/03/06 08:14:40 marka Exp $ */
+
+#ifndef ISC_ENTROPY_H
+#define ISC_ENTROPY_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Entropy
+ *
+ * The entropy API
+ *
+ * MP:
+ * The entropy object is locked internally. All callbacks into
+ * application-provided functions (for setup, gathering, and
+ * shutdown of sources) are guaranteed to be called with the
+ * entropy API lock held. This means these functions are
+ * not permitted to call back into the entropy API.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * A buffer, used as an entropy pool.
+ *
+ * Security:
+ * While this code is believed to implement good entropy gathering
+ * and distribution, it has not been reviewed by a cryptographic
+ * expert.
+ *
+ * Since the added entropy is only as good as the sources used,
+ * this module could hand out bad data and never know it.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Entropy callback function.
+ */
+typedef isc_result_t (*isc_entropystart_t)(isc_entropysource_t *source,
+ void *arg, isc_boolean_t blocking);
+typedef isc_result_t (*isc_entropyget_t)(isc_entropysource_t *source,
+ void *arg, isc_boolean_t blocking);
+typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
+
+/***
+ *** Flags.
+ ***/
+
+/*
+ * _GOODONLY
+ * Extract only "good" data; return failure if there is not enough
+ * data available and there are no sources which we can poll to get
+ * data, or those sources are empty.
+ *
+ * _PARTIAL
+ * Extract as much good data as possible, but if there isn't enough
+ * at hand, return what is available. This flag only makes sense
+ * when used with _GOODONLY.
+ *
+ * _BLOCKING
+ * Block the task until data is available. This is contrary to the
+ * ISC task system, where tasks should never block. However, if
+ * this is a special purpose application where blocking a task is
+ * acceptable (say, an offline zone signer) this flag may be set.
+ * This flag only makes sense when used with _GOODONLY, and will
+ * block regardless of the setting for _PARTIAL.
+ */
+#define ISC_ENTROPY_GOODONLY 0x00000001U
+#define ISC_ENTROPY_PARTIAL 0x00000002U
+#define ISC_ENTROPY_BLOCKING 0x00000004U
+
+/*
+ * _ESTIMATE
+ * Estimate the amount of entropy contained in the sample pool.
+ * If this is not set, the source will be gathered and perodically
+ * mixed into the entropy pool, but no increment in contained entropy
+ * will be assumed. This flag only makes sense on sample sources.
+ */
+#define ISC_ENTROPYSOURCE_ESTIMATE 0x00000001U
+
+/*
+ * For use with isc_entropy_usebestsource().
+ *
+ * _KEYBOARDYES
+ * Use the keyboard as the only entropy source.
+ * _KEYBOARDNO
+ * Never use the keyboard as an entropy source.
+ * _KEYBOARDMAYBE
+ * Use the keyboard as an entropy source only if opening the
+ * random device fails.
+ */
+#define ISC_ENTROPY_KEYBOARDYES 1
+#define ISC_ENTROPY_KEYBOARDNO 2
+#define ISC_ENTROPY_KEYBOARDMAYBE 3
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_entropy_create(isc_mem_t *mctx, isc_entropy_t **entp);
+/*
+ * Create a new entropy object.
+ */
+
+void
+isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp);
+/*
+ * Attaches to an entropy object.
+ */
+
+void
+isc_entropy_detach(isc_entropy_t **entp);
+/*
+ * Detaches from an entropy object.
+ */
+
+isc_result_t
+isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname);
+/*
+ * Create a new entropy source from a file.
+ *
+ * The file is assumed to contain good randomness, and will be mixed directly
+ * into the pool with every byte adding 8 bits of entropy.
+ *
+ * The file will be put into non-blocking mode, so it may be a device file,
+ * such as /dev/random. /dev/urandom should not be used here if it can
+ * be avoided, since it will always provide data even if it isn't good.
+ * We will make as much pseudorandom data as we need internally if our
+ * caller asks for it.
+ *
+ * If we hit end-of-file, we will stop reading from this source. Callers
+ * who require strong random data will get failure when our pool drains.
+ * The file will never be opened/read again once EOF is reached.
+ */
+
+void
+isc_entropy_destroysource(isc_entropysource_t **sourcep);
+/*
+ * Removes an entropy source from the entropy system.
+ */
+
+isc_result_t
+isc_entropy_createsamplesource(isc_entropy_t *ent,
+ isc_entropysource_t **sourcep);
+/*
+ * Create an entropy source that consists of samples. Each sample is added
+ * to the source via isc_entropy_addsamples(), below.
+ */
+
+isc_result_t
+isc_entropy_createcallbacksource(isc_entropy_t *ent,
+ isc_entropystart_t start,
+ isc_entropyget_t get,
+ isc_entropystop_t stop,
+ void *arg,
+ isc_entropysource_t **sourcep);
+/*
+ * Create an entropy source that is polled via a callback. This would
+ * be used when keyboard input is used, or a GUI input method. It can
+ * also be used to hook in any external entropy source.
+ *
+ * Samples are added via isc_entropy_addcallbacksample(), below.
+ * _addcallbacksample() is the only function which may be called from
+ * within an entropy API callback function.
+ */
+
+void
+isc_entropy_stopcallbacksources(isc_entropy_t *ent);
+/*
+ * Call the stop functions for callback sources that have had their
+ * start functions called.
+ */
+
+isc_result_t
+isc_entropy_addcallbacksample(isc_entropysource_t *source, isc_uint32_t sample,
+ isc_uint32_t extra);
+isc_result_t
+isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
+ isc_uint32_t extra);
+/*
+ * Add a sample to the sample source. The sample MUST be a timestamp
+ * that increases over time, with the exception of wrap-around for
+ * extremely high resolution timers which will quickly wrap-around
+ * a 32-bit integer.
+ *
+ * The "extra" parameter is used only to add a bit more unpredictable
+ * data. It is not used other than included in the hash of samples.
+ *
+ * When in an entropy API callback function, _addcallbacksource() must be
+ * used. At all other times, _addsample() must be used.
+ */
+
+isc_result_t
+isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
+ unsigned int *returned, unsigned int flags);
+/*
+ * Extract data from the entropy pool. This may load the pool from various
+ * sources.
+ */
+
+void
+isc_entropy_putdata(isc_entropy_t *ent, void *data, unsigned int length,
+ isc_uint32_t entropy);
+/*
+ * Add "length" bytes in "data" to the entropy pool, incrementing the pool's
+ * entropy count by "entropy."
+ *
+ * These bytes will prime the pseudorandom portion even no entropy is actually
+ * added.
+ */
+
+void
+isc_entropy_stats(isc_entropy_t *ent, FILE *out);
+/*
+ * Dump some (trivial) stats to the stdio stream "out".
+ */
+
+isc_result_t
+isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
+ const char *randomfile, int use_keyboard);
+/*
+ * Use whatever source of entropy is best.
+ *
+ * Notes:
+ * If "randomfile" is not NULL, open it with
+ * isc_entropy_createfilesource().
+ *
+ * If "randomfile" is NULL and the system's random device was detected
+ * when the program was configured and built, open that device with
+ * isc_entropy_createfilesource().
+ *
+ * If "use_keyboard" is ISC_ENTROPY_KEYBOARDYES, then always open
+ * the keyboard as an entropy source (possibly in addition to
+ * "randomfile" or the random device).
+ *
+ * If "use_keyboard" is ISC_ENTROPY_KEYBOARDMAYBE, open the keyboard only
+ * if opening the random file/device fails. A message will be
+ * printed describing the need for keyboard input.
+ *
+ * If "use_keyboard" is ISC_ENTROPY_KEYBOARDNO, the keyboard will
+ * never be opened.
+ *
+ * Returns:
+ * ISC_R_SUCCESS if at least one source of entropy could be started.
+ *
+ * ISC_R_NOENTROPY if use_keyboard is ISC_ENTROPY_KEYBOARDNO and
+ * there is no random device pathname compiled into the program.
+ *
+ * A return code from isc_entropy_createfilesource() or
+ * isc_entropy_createcallbacksource().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ENTROPY_H */
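Review bot: The comment on isc_entropy_getdata() says only that it extracts data and may load the pool, so a caller cannot tell from this header what a `flags` value of 0 yields, when `*returned` may be smaller than `length`, or which result codes to handle. The flag block earlier in the file describes failure on a drained pool only under ISC_ENTROPY_GOODONLY, and the isc_entropy_createfilesource() comment mentions internally generated pseudorandom data, which suggests that calls without that flag can receive pseudorandom output. If entropy.c confirms this, the prototype should say so, e.g. `* Without ISC_ENTROPY_GOODONLY the data may be pseudorandom once the pool is drained; callers producing key material should set it.` Separately, the comment after isc_entropy_addsample() names `_addcallbacksource()`, which this header does not declare; it should read `_addcallbacksample()`. As this is a vendor import, both changes would belong upstream.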
diff --git a/contrib/bind9/lib/isc/include/isc/error.h b/contrib/bind9/lib/isc/include/isc/error.h
new file mode 100644
index 0000000..6142926
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/error.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: error.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
+
+#ifndef ISC_ERROR_H
+#define ISC_ERROR_H 1
+
+#include <stdarg.h>
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef void (*isc_errorcallback_t)(const char *, int, const char *, va_list);
+
+void
+isc_error_setunexpected(isc_errorcallback_t);
+
+void
+isc_error_setfatal(isc_errorcallback_t);
+
+void
+isc_error_unexpected(const char *, int, const char *, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+void
+isc_error_fatal(const char *, int, const char *, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+
+void
+isc_error_runtimecheck(const char *, int, const char *);
+
+#define ISC_ERROR_RUNTIMECHECK(cond) \
+ ((void) ((cond) || \
+ ((isc_error_runtimecheck)(__FILE__, __LINE__, #cond), 0)))
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ERROR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/event.h b/contrib/bind9/lib/isc/include/isc/event.h
new file mode 100644
index 0000000..58ef2c3
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/event.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: event.h,v 1.24.2.2.8.2 2004/04/15 02:10:41 marka Exp $ */
+
+#ifndef ISC_EVENT_H
+#define ISC_EVENT_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*****
+ ***** Events.
+ *****/
+
+typedef void (*isc_eventdestructor_t)(isc_event_t *);
+
+#define ISC_EVENT_COMMON(ltype) \
+ size_t ev_size; \
+ unsigned int ev_attributes; \
+ void * ev_tag; \
+ isc_eventtype_t ev_type; \
+ isc_taskaction_t ev_action; \
+ void * ev_arg; \
+ void * ev_sender; \
+ isc_eventdestructor_t ev_destroy; \
+ void * ev_destroy_arg; \
+ ISC_LINK(ltype) ev_link
+
+/*
+ * Attributes matching a mask of 0x000000ff are reserved for the task library's
+ * definition. Attributes of 0xffffff00 may be used by the application
+ * or non-ISC libraries.
+ */
+#define ISC_EVENTATTR_NOPURGE 0x00000001
+
+/*
+ * The ISC_EVENTATTR_CANCELED attribute is intended to indicate
+ * that an event is delivered as a result of a canceled operation
+ * rather than successful completion, by mutual agreement
+ * between the sender and receiver. It is not set or used by
+ * the task system.
+ */
+#define ISC_EVENTATTR_CANCELED 0x00000002
+
+#define ISC_EVENT_INIT(event, sz, at, ta, ty, ac, ar, sn, df, da) \
+do { \
+ (event)->ev_size = (sz); \
+ (event)->ev_attributes = (at); \
+ (event)->ev_tag = (ta); \
+ (event)->ev_type = (ty); \
+ (event)->ev_action = (ac); \
+ (event)->ev_arg = (ar); \
+ (event)->ev_sender = (sn); \
+ (event)->ev_destroy = (df); \
+ (event)->ev_destroy_arg = (da); \
+ ISC_LINK_INIT((event), ev_link); \
+} while (0)
+
+/*
+ * This structure is public because "subclassing" it may be useful when
+ * defining new event types.
+ */
+struct isc_event {
+ ISC_EVENT_COMMON(struct isc_event);
+};
+
+#define ISC_EVENTTYPE_FIRSTEVENT 0x00000000
+#define ISC_EVENTTYPE_LASTEVENT 0xffffffff
+
+#define ISC_EVENT_PTR(p) ((isc_event_t **)(void *)(p))
+
+ISC_LANG_BEGINDECLS
+
+isc_event_t *
+isc_event_allocate(isc_mem_t *mctx, void *sender, isc_eventtype_t type,
+ isc_taskaction_t action, const void *arg, size_t size);
+/*
+ * Allocate and initialize in a structure with initial elements
+ * defined by:
+ *
+ * struct {
+ * ISC_EVENT_COMMON(struct isc_event);
+ * ...
+ * };
+ *
+ * Requires:
+ * 'size' >= sizeof(struct isc_event)
+ * 'action' to be non NULL
+ *
+ * Returns:
+ * a pointer to a initialized structure of the requested size.
+ * NULL if unable to allocate memory.
+ */
+
+void
+isc_event_free(isc_event_t **);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_EVENT_H */
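Review bot: isc_event_allocate() takes `const void *arg`, but ISC_EVENT_COMMON declares the field it presumably ends up in as `void * ev_arg`, so the qualifier is dropped somewhere in the implementation (not visible in this hunk). The action routine then receives a writable pointer to an object the caller may have passed as read-only. The contract comment should state this, e.g. `* 'arg' is stored in ev_arg without its const qualifier; the action must not write through it unless the caller's object is writable.` isc_event_free() also has no contract comment at all, so whether it sets `*eventp` to NULL, and whether it runs ev_destroy, cannot be determined from the header.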
diff --git a/contrib/bind9/lib/isc/include/isc/eventclass.h b/contrib/bind9/lib/isc/include/isc/eventclass.h
new file mode 100644
index 0000000..a783d35
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/eventclass.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: eventclass.h,v 1.13.206.1 2004/03/06 08:14:40 marka Exp $ */
+
+#ifndef ISC_EVENTCLASS_H
+#define ISC_EVENTCLASS_H 1
+
+/*****
+ ***** Registry of Predefined Event Type Classes
+ *****/
+
+/*
+ * An event class is an unsigned 16 bit number. Each class may contain up
+ * to 65536 events. An event type is formed by adding the event number
+ * within the class to the class number.
+ */
+
+#define ISC_EVENTCLASS(eclass) ((eclass) << 16)
+
+/*
+ * Classes < 1024 are reserved for ISC use.
+ */
+
+#define ISC_EVENTCLASS_TASK ISC_EVENTCLASS(0)
+#define ISC_EVENTCLASS_TIMER ISC_EVENTCLASS(1)
+#define ISC_EVENTCLASS_SOCKET ISC_EVENTCLASS(2)
+#define ISC_EVENTCLASS_FILE ISC_EVENTCLASS(3)
+#define ISC_EVENTCLASS_DNS ISC_EVENTCLASS(4)
+#define ISC_EVENTCLASS_APP ISC_EVENTCLASS(5)
+#define ISC_EVENTCLASS_OMAPI ISC_EVENTCLASS(6)
+#define ISC_EVENTCLASS_RATELIMITER ISC_EVENTCLASS(7)
+#define ISC_EVENTCLASS_ISCCC ISC_EVENTCLASS(8)
+
+/*
+ * Event classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#endif /* ISC_EVENTCLASS_H */
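Review bot: `ISC_EVENTCLASS(eclass)` expands to `((eclass) << 16)` and therefore shifts in the argument's own type. The closing comment allows application classes up to 65535, but an int argument of 32768 or more shifts a one into the sign bit, which is undefined behaviour for a signed int in C. The predefined classes 0 to 8 are unaffected. Casting before the shift keeps the whole documented range well defined: `#define ISC_EVENTCLASS(eclass) ((unsigned int)(eclass) << 16)`. Whether that type matches isc_eventtype_t should be checked in isc/types.h, which is not visible here.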
diff --git a/contrib/bind9/lib/isc/include/isc/file.h b/contrib/bind9/lib/isc/include/isc/file.h
new file mode 100644
index 0000000..6de6c8a
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/file.h
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: file.h,v 1.24.12.3 2004/03/08 09:04:51 marka Exp $ */
+
+#ifndef ISC_FILE_H
+#define ISC_FILE_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time);
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time);
+/*
+ * Get the time of last modication of a file.
+ *
+ * Notes:
+ * The time that is set is relative to the (OS-specific) epoch, as are
+ * all isc_time_t structures.
+ *
+ * Requires:
+ * file != NULL.
+ * time != NULL.
+ *
+ * Ensures:
+ * If the file could not be accessed, 'time' is unchanged.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * Success.
+ * ISC_R_NOTFOUND
+ * No such file exists.
+ * ISC_R_INVALIDFILE
+ * The path specified was not usable by the operating system.
+ * ISC_R_NOPERM
+ * The file's metainformation could not be retrieved because
+ * permission was denied to some part of the file's path.
+ * ISC_R_EIO
+ * Hardware error interacting with the filesystem.
+ * ISC_R_UNEXPECTED
+ * Something totally unexpected happened.
+ *
+ */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen);
+/*
+ * Generate a template string suitable for use with isc_file_openunique.
+ *
+ * Notes:
+ * This function is intended to make creating temporary files
+ * portable between different operating systems.
+ *
+ * The path is prepended to an implementation-defined string and
+ * placed into buf. The string has no path characters in it,
+ * and its maximum length is 14 characters plus a NUL. Thus
+ * buflen should be at least strlen(path) + 15 characters or
+ * an error will be returned.
+ *
+ * Requires:
+ * buf != NULL.
+ *
+ * Ensures:
+ * If result == ISC_R_SUCCESS:
+ * buf contains a string suitable for use as the template argument
+ * to isc_file_openunique.
+ *
+ * If result != ISC_R_SUCCESS:
+ * buf is unchanged.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ * ISC_R_NOSPACE buflen indicates buf is too small for the catenation
+ * of the path with the internal template string.
+ */
+
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp);
+/*
+ * Create and open a file with a unique name based on 'templet'.
+ *
+ * Notes:
+ * 'template' is a reserved work in C++. If you want to complain
+ * about the spelling of 'templet', first look it up in the
+ * Merriam-Webster English dictionary. (http://www.m-w.com/)
+ *
+ * This function works by using the template to generate file names.
+ * The template must be a writable string, as it is modified in place.
+ * Trailing X characters in the file name (full file name on Unix,
+ * basename on Win32 -- eg, tmp-XXXXXX vs XXXXXX.tmp, respectively)
+ * are replaced with ASCII characters until a non-existent filename
+ * is found. If the template does not include pathname information,
+ * the files in the working directory of the program are searched.
+ *
+ * isc_file_mktemplate is a good, portable way to get a template.
+ *
+ * Requires:
+ * 'fp' is non-NULL and '*fp' is NULL.
+ *
+ * 'template' is non-NULL, and of a form suitable for use by
+ * the system as described above.
+ *
+ * Ensures:
+ * If result is ISC_R_SUCCESS:
+ * *fp points to an stream opening in stdio's "w+" mode.
+ *
+ * If result is not ISC_R_SUCCESS:
+ * *fp is NULL.
+ *
+ * No file is open. Even if one was created (but unable
+ * to be reopened as a stdio FILE pointer) then it has been
+ * removed.
+ *
+ * This function does *not* ensure that the template string has not been
+ * modified, even if the operation was unsuccessful.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * Success.
+ * ISC_R_EXISTS
+ * No file with a unique name could be created based on the
+ * template.
+ * ISC_R_INVALIDFILE
+ * The path specified was not usable by the operating system.
+ * ISC_R_NOPERM
+ * The file could not be created because permission was denied
+ * to some part of the file's path.
+ * ISC_R_EIO
+ * Hardware error interacting with the filesystem.
+ * ISC_R_UNEXPECTED
+ * Something totally unexpected happened.
+ */
+
+isc_result_t
+isc_file_remove(const char *filename);
+/*
+ * Remove the file named by 'filename'.
+ */
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname);
+/*
+ * Rename the file 'oldname' to 'newname'.
+ */
+
+isc_boolean_t
+isc_file_exists(const char *pathname);
+/*
+ * Return ISC_TRUE iff the calling process can tell that the given file exists.
+ * Will not return true if the calling process has insufficient privileges
+ * to search the entire path.
+ */
+
+isc_boolean_t
+isc_file_isabsolute(const char *filename);
+/*
+ * Return ISC_TRUE iff the given file name is absolute.
+ */
+
+isc_boolean_t
+isc_file_iscurrentdir(const char *filename);
+/*
+ * Return ISC_TRUE iff the given file name is the current directory (".").
+ */
+
+isc_boolean_t
+isc_file_ischdiridempotent(const char *filename);
+/*
+ * Return ISC_TRUE if calling chdir(filename) multiple times will give
+ * the same result as calling it once.
+ */
+
+const char *
+isc_file_basename(const char *filename);
+/*
+ * Return the final component of the path in the file name.
+ */
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen);
+/*
+ * Given an operating system specific file name "filename"
+ * referring to a program, return the canonical program name.
+ * Any directory prefix or executable file name extension (if
+ * used on the OS in case) is stripped. On systems where program
+ * names are case insensitive, the name is canonicalized to all
+ * lower case. The name is written to 'buf', an array of 'buflen'
+ * chars, and null terminated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE The name did not fit in 'buf'.
+ */
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+ size_t buflen);
+/*
+ * Create an OS specific template using 'path' to define the directory
+ * 'templet' to describe the filename and store the result in 'buf'
+ * such that path can be renamed to buf atomically.
+ */
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet);
+/*
+ * Rename 'file' using 'templet' as a template for the new file name.
+ */
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen);
+/*
+ * Given a file name, return the fully qualified path to the file.
+ */
+
+/*
+ * XXX We should also have a isc_file_writeeopen() function
+ * for safely open a file in a publicly writable directory
+ * (see write_open() in BIND 8's ns_config.c).
+ */
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size);
+/*
+ * Truncate/extend the file specified to 'size' bytes.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FILE_H */
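Review bot: The comment on isc_file_openunique() says trailing X characters are replaced "until a non-existent filename is found", but it does not say whether the file is then created exclusively or with what permissions. A caller placing temporary files in a shared directory needs both facts. Once checked against the implementation, which is not part of this header, I would add a line to its Notes such as `The file is created exclusively; an existing file or symbolic link of that name is never opened.` The same comment's Requires section names the parameter 'template' while the prototype spells it `templet`. isc_file_exists() should also state that its answer may be stale by the time the caller acts on it; the XXX comment near the end of the header already records that a safe open for publicly writable directories is still missing.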
diff --git a/contrib/bind9/lib/isc/include/isc/formatcheck.h b/contrib/bind9/lib/isc/include/isc/formatcheck.h
new file mode 100644
index 0000000..a7f26c1
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/formatcheck.h
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: formatcheck.h,v 1.6.206.1 2004/03/06 08:14:41 marka Exp $ */
+
+#ifndef ISC_FORMATCHECK_H
+#define ISC_FORMATCHECK_H 1
+
+/*
+ * fmt is the location of the format string parameter.
+ * args is the location of the first argument (or 0 for no argument checking).
+ * Note: the first parameter is 1, not 0.
+ */
+#ifdef __GNUC__
+#define ISC_FORMAT_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
+#else
+#define ISC_FORMAT_PRINTF(fmt, args)
+#endif
+
+#endif /* ISC_FORMATCHECK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/fsaccess.h b/contrib/bind9/lib/isc/include/isc/fsaccess.h
new file mode 100644
index 0000000..0f0c8ce
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/fsaccess.h
@@ -0,0 +1,177 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: fsaccess.h,v 1.7.206.1 2004/03/06 08:14:41 marka Exp $ */
+
+#ifndef ISC_FSACCESS_H
+#define ISC_FSACCESS_H 1
+
+/*
+ * The ISC filesystem access module encapsulates the setting of file
+ * and directory access permissions into one API that is meant to be
+ * portable to multiple operating systems.
+ *
+ * The two primary operating system flavors that are initially accomodated are
+ * POSIX and Windows NT 4.0 and later. The Windows NT access model is
+ * considerable more flexible than POSIX's model (as much as I am loathe to
+ * admit it), and so the ISC API has a higher degree of complexity than would
+ * be needed to simply address POSIX's needs.
+ *
+ * The full breadth of NT's flexibility is not available either, for the
+ * present time. Much of it is to provide compatibility with what Unix
+ * programmers are expecting. This is also due to not yet really needing all
+ * of the functionality of an NT system (or, for that matter, a POSIX system)
+ * in BIND9, and so resolving how to handle the various incompatibilities has
+ * been a purely theoretical exercise with no operational experience to
+ * indicate how flawed the thinking may be.
+ *
+ * Some of the more notable dumbing down of NT for this API includes:
+ *
+ * o Each of FILE_READ_DATA and FILE_READ_EA are set with ISC_FSACCESS_READ.
+ *
+ * o All of FILE_WRITE_DATA, FILE_WRITE_EA and FILE_APPEND_DATA are
+ * set with ISC_FSACCESS_WRITE. FILE_WRITE_ATTRIBUTES is not set
+ * so as to be consistent with Unix, where only the owner of the file
+ * or the superuser can change the attributes/mode of a file.
+ *
+ * o Both of FILE_ADD_FILE and FILE_ADD_SUBDIRECTORY are set with
+ * ISC_FSACCESS_CREATECHILD. This is similar to setting the WRITE
+ * permission on a Unix directory.
+ *
+ * o SYNCHRONIZE is always set for files and directories, unless someone
+ * can give me a reason why this is a bad idea.
+ *
+ * o READ_CONTROL and FILE_READ_ATTRIBUTES are always set; this is
+ * consistent with Unix, where any file or directory can be stat()'d
+ * unless the directory path disallows complete access somewhere along
+ * the way.
+ *
+ * o WRITE_DAC is only set for the owner. This too is consistent with
+ * Unix, and is tighter security than allowing anyone else to be
+ * able to set permissions.
+ *
+ * o DELETE is only set for the owner. On Unix the ability to delete
+ * a file is controlled by the directory permissions, but it isn't
+ * currently clear to me what happens on NT if the directory has
+ * FILE_DELETE_CHILD set but a file within it does not have DELETE
+ * set. Always setting DELETE on the file/directory for the owner
+ * gives maximum flexibility to the owner without exposing the
+ * file to deletion by others.
+ *
+ * o WRITE_OWNER is never set. This too is consistent with Unix,
+ * and is also tighter security than allowing anyone to change the
+ * ownership of the file apart from the superu..ahem, Administrator.
+ *
+ * o Inheritance is set to NO_INHERITANCE.
+ *
+ * Unix's dumbing down includes:
+ *
+ * o The sticky bit cannot be set.
+ *
+ * o setuid and setgid cannot be set.
+ *
+ * o Only regular files and directories can be set.
+ *
+ * The rest of this comment discusses a few of the incompatibilities
+ * between the two systems that need more thought if this API is to
+ * be extended to accomodate them.
+ *
+ * The Windows standard access right "DELETE" doesn't have a direct
+ * equivalent in the Unix world, so it isn't clear what should be done
+ * with it.
+ *
+ * The Unix sticky bit is not supported. While NT does have a concept
+ * of allowing users to create files in a directory but not delete or
+ * rename them, it does not have a concept of allowing them to be deleted
+ * if they are owned by the user trying to delete/rename. While it is
+ * probable that something could be cobbled together in NT 5 with inheritence,
+ * it can't really be done in NT 4 as a single property that you could
+ * set on a directory. You'd need to coordinate something with file creation
+ * so that every file created had DELETE set for the owner but noone else.
+ *
+ * On Unix systems, setting ISC_FSACCESS_LISTDIRECTORY sets READ.
+ * ... setting either of ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
+ * ... setting ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
+ *
+ * On NT systems, setting ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
+ * ... setting ISC_FSACCESS_(CREATE|DELETE)CHILD sets
+ * FILE_(CREATE|DELETE)_CHILD independently.
+ * ... setting ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
+ *
+ * Unresolved: XXXDCL
+ * What NT access right controls the ability to rename a file?
+ * How does DELETE work? If a directory has FILE_DELETE_CHILD but a
+ * file or directory within it does not have DELETE, is that file
+ * or directory deletable?
+ * To implement isc_fsaccess_get(), mapping an existing Unix permission
+ * mode_t back to an isc_fsaccess_t is pretty trivial; however, mapping
+ * an NT DACL could be impossible to do in a responsible way.
+ * Similarly, trying to implement the functionality of being able to
+ * say "add group writability to whatever permissions already exist"
+ * could be tricky on NT because of the order-of-entry issue combined
+ * with possibly having one or more matching ACEs already explicitly
+ * granting or denying access. Because this functionality is
+ * not yet needed by the ISC, no code has been written to try to
+ * solve this problem.
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Trustees.
+ */
+#define ISC_FSACCESS_OWNER 0x1 /* User account. */
+#define ISC_FSACCESS_GROUP 0x2 /* Primary group owner. */
+#define ISC_FSACCESS_OTHER 0x4 /* Not the owner or the group owner. */
+#define ISC_FSACCESS_WORLD 0x7 /* User, Group, Other. */
+
+/*
+ * Types of permission.
+ */
+#define ISC_FSACCESS_READ 0x00000001 /* File only. */
+#define ISC_FSACCESS_WRITE 0x00000002 /* File only. */
+#define ISC_FSACCESS_EXECUTE 0x00000004 /* File only. */
+#define ISC_FSACCESS_CREATECHILD 0x00000008 /* Dir only. */
+#define ISC_FSACCESS_DELETECHILD 0x00000010 /* Dir only. */
+#define ISC_FSACCESS_LISTDIRECTORY 0x00000020 /* Dir only. */
+#define ISC_FSACCESS_ACCESSCHILD 0x00000040 /* Dir only. */
+
+/*
+ * Adding any permission bits beyond 0x200 would mean typedef'ing
+ * isc_fsaccess_t as isc_uint64_t, and redefining this value to
+ * reflect the new range of permission types, Probably to 21 for
+ * maximum flexibility. The number of bits has to accomodate all of
+ * the permission types, and three full sets of them have to fit
+ * within an isc_fsaccess_t.
+ */
+#define ISC__FSACCESS_PERMISSIONBITS 10
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_fsaccess_add(int trustee, int permission, isc_fsaccess_t *access);
+
+void
+isc_fsaccess_remove(int trustee, int permission, isc_fsaccess_t *access);
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_FSACCESS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hash.h b/contrib/bind9/lib/isc/include/isc/hash.h
new file mode 100644
index 0000000..b94142b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/hash.h
@@ -0,0 +1,175 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hash.h,v 1.2.2.1.2.2 2004/03/06 08:14:41 marka Exp $ */
+
+#ifndef ISC_HASH_H
+#define ISC_HASH_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Hash
+ *
+ * The hash API
+ *
+ * Provides an unpredictable hash value for variable length data.
+ * A hash object contains a random vector (which is hidden from clients
+ * of this API) to make the actual hash value unpredictable.
+ *
+ * The algorithm used in the API guarantees the probability of hash
+ * collision; in the current implementation, as long as the values stored
+ * in the random vector are unpredictable, the probability of hash
+ * collision between arbitrary two different values is at most 1/2^16.
+ *
+ * Altough the API is generic about the hash keys, it mainly expects
+ * DNS names (and sometimes IPv4/v6 addresses) as inputs. It has an
+ * upper limit of the input length, and may run slow to calculate the
+ * hash values for large inputs.
+ *
+ * This API is designed to be general so that it can provide multiple
+ * different hash contexts that have different random vectors. However,
+ * it should be typical to have a single context for an entire system.
+ * To support such cases, the API also provides a single-context mode.
+ *
+ * MP:
+ * The hash object is almost read-only. Once the internal random vector
+ * is initialized, no write operation will occur, and there will be no
+ * need to lock the object to calculate actual hash values.
+ *
+ * Reliability:
+ * In some cases this module uses low-level data copy to initialize the
+ * random vector. Errors in this part are likely to crash the server or
+ * corrupt memory.
+ *
+ * Resources:
+ * A buffer, used as a random vector for calculating hash values.
+ *
+ * Security:
+ * This module intends to provide unpredictable hash values in
+ * adversarial environments in order to avoid denial of service attacks
+ * to hash buckets.
+ * Its unpredictability relies on the quality of entropy to build the
+ * random vector.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/types.h>
+
+/***
+ *** Functions
+ ***/
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_hash_ctxcreate(isc_mem_t *mctx, isc_entropy_t *entropy, unsigned int limit,
+ isc_hash_t **hctx);
+isc_result_t
+isc_hash_create(isc_mem_t *mctx, isc_entropy_t *entropy, size_t limit);
+/*
+ * Create a new hash object.
+ *
+ * isc_hash_ctxcreate() creates a different object.
+ * isc_hash_create() creates a module-internal object to support the
+ * single-context mode. It should be called only once.
+ *
+ * 'entropy' must be NULL or a valid entropy object. If 'entropy' is NULL,
+ * pseudo random values will be used to build the random vector, which may
+ * weaken security.
+ *
+ * 'limit' specifies the maximum number of hash keys. If it is too large,
+ * these functions may fail.
+ */
+
+void
+isc_hash_ctxattach(isc_hash_t *hctx, isc_hash_t **hctxp);
+/*
+ * Attach to a hash object.
+ * This function is only necessary for the multiple-context mode.
+ */
+
+void
+isc_hash_ctxdetach(isc_hash_t **hctxp);
+/*
+ * Detach from a hash object.
+ *
+ * This function is for the multiple-context mode, and takes a valid
+ * hash object as an argument.
+ */
+
+void
+isc_hash_destroy(void);
+/*
+ * This function is for the single-context mode, and is expected to be used
+ * as a counterpart of isc_hash_create().
+ * A valid module-internal hash object must have been created, and this
+ * function should be called only once.
+ */
+
+void
+isc_hash_ctxinit(isc_hash_t *hctx);
+void
+isc_hash_init(void);
+/*
+ * Initialize a hash object. It fills in the random vector with a proper
+ * source of entropy, which is typically from the entropy object specified
+ * at the creation. Thus, it is desirable to call these functions after
+ * initializing the entropy object with some good entropy sources.
+ *
+ * These functions should be called before the first hash calculation.
+ *
+ * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
+ * object as an argument.
+ * isc_hash_init() is for the single-context mode. A valid module-internal
+ * hash object must have been created, and this function should be called only
+ * once.
+ */
+
+unsigned int
+isc_hash_ctxcalc(isc_hash_t *hctx, const unsigned char *key,
+ unsigned int keylen, isc_boolean_t case_sensitive);
+unsigned int
+isc_hash_calc(const unsigned char *key, unsigned int keylen,
+ isc_boolean_t case_sensitive);
+/*
+ * Calculate a hash value.
+ *
+ * isc_hash_ctxinit() is for the multiple-context mode, and takes a valid hash
+ * object as an argument.
+ * isc_hash_init() is for the single-context mode. A valid module-internal
+ * hash object must have been created.
+ *
+ * 'key' is the hash key, which is a variable length buffer.
+ * 'keylen' specifies the key length, which must not be larger than the limit
+ * specified for the corresponding hash object.
+ *
+ * 'case_sensitive' specifies whether the hash key should be treated as
+ * case_sensitive values. It should typically be ISC_FALSE if the hash key
+ * is a DNS name.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HASH_H */
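Review bot: The comment under isc_hash_ctxcalc() and isc_hash_calc() appears copied from the init functions: it reads `isc_hash_ctxinit() is for the multiple-context mode` and `isc_hash_init() is for the single-context mode` where it should name the two calc functions. 'limit' is described at creation as "the maximum number of hash keys", yet the calc comment requires 'keylen' to be no larger than that limit, so it reads as a maximum key length; it is also `unsigned int` in isc_hash_ctxcreate() but `size_t` in isc_hash_create(). The creation comment allows a NULL 'entropy' and notes this "may weaken security"; since the module's stated goal is resisting denial of service on hash buckets, I would state that callers hashing untrusted input should always supply an entropy object. The header uses ISC_LANG_BEGINDECLS while including only <isc/types.h>, whereas the sibling headers in this import include <isc/lang.h> directly.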
diff --git a/contrib/bind9/lib/isc/include/isc/heap.h b/contrib/bind9/lib/isc/include/isc/heap.h
new file mode 100644
index 0000000..5ebf404
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/heap.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: heap.h,v 1.16.206.1 2004/03/06 08:14:41 marka Exp $ */
+
+#ifndef ISC_HEAP_H
+#define ISC_HEAP_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * The comparision function returns ISC_TRUE if the first argument has
+ * higher priority than the second argument, and ISC_FALSE otherwise.
+ */
+typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
+
+typedef void (*isc_heapindex_t)(void *, unsigned int);
+typedef void (*isc_heapaction_t)(void *, void *);
+
+typedef struct isc_heap isc_heap_t;
+
+isc_result_t isc_heap_create(isc_mem_t *, isc_heapcompare_t,
+ isc_heapindex_t, unsigned int, isc_heap_t **);
+void isc_heap_destroy(isc_heap_t **);
+isc_result_t isc_heap_insert(isc_heap_t *, void *);
+void isc_heap_delete(isc_heap_t *, unsigned int);
+void isc_heap_increased(isc_heap_t *, unsigned int);
+void isc_heap_decreased(isc_heap_t *, unsigned int);
+void * isc_heap_element(isc_heap_t *, unsigned int);
+void isc_heap_foreach(isc_heap_t *, isc_heapaction_t, void *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEAP_H */
diff --git a/contrib/bind9/lib/isc/include/isc/hex.h b/contrib/bind9/lib/isc/include/isc/hex.h
new file mode 100644
index 0000000..cf7dfd0
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/hex.h
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hex.h,v 1.4.206.1 2004/03/06 08:14:41 marka Exp $ */
+
+#ifndef ISC_HEX_H
+#define ISC_HEX_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_hex_totext(isc_region_t *source, int wordlength,
+ const char *wordbreak, isc_buffer_t *target);
+/*
+ * Convert data into hex encoded text.
+ *
+ * Notes:
+ * The hex encoded text in 'target' will be divided into
+ * words of at most 'wordlength' characters, separated by
+ * the 'wordbreak' string. No parentheses will surround
+ * the text.
+ *
+ * Requires:
+ * 'source' is a region containing binary data
+ * 'target' is a text buffer containing available space
+ * 'wordbreak' points to a null-terminated string of
+ * zero or more whitespace characters
+ *
+ * Ensures:
+ * target will contain the hex encoded version of the data
+ * in source. The 'used' pointer in target will be advanced as
+ * necessary.
+ */
+
+isc_result_t
+isc_hex_decodestring(char *cstr, isc_buffer_t *target);
+/*
+ * Decode a null-terminated hex string.
+ *
+ * Requires:
+ * 'cstr' is non-null.
+ * 'target' is a valid buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
+ * fit in 'target'.
+ * ISC_R_BADHEX -- 'cstr' is not a valid hex encoding.
+ *
+ * Other error returns are any possible error code from:
+ * isc_lex_create(),
+ * isc_lex_openbuffer(),
+ * isc_hex_tobuffer().
+ */
+
+isc_result_t
+isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*
+ * Convert hex encoded text from a lexer context into data.
+ *
+ * Requires:
+ * 'lex' is a valid lexer context
+ * 'target' is a buffer containing binary data
+ * 'length' is an integer
+ *
+ * Ensures:
+ * target will contain the data represented by the hex encoded
+ * string parsed by the lexer. No more than length bytes will be read,
+ * if length is positive. The 'used' pointer in target will be
+ * advanced as necessary.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HEX_H */
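Review bot: None of the three comments says what happens when 'target' has too little space, and isc_hex_totext() and isc_hex_tobuffer() list no return values although both return isc_result_t. I would add a Returns section to each naming the success code and the out-of-space result (presumably ISC_R_NOSPACE, to be confirmed against the implementation). isc_hex_tobuffer() promises "No more than length bytes will be read, if length is positive" but leaves the non-positive case undefined, so the comment should say how much input is consumed then. Two names are off: the isc_hex_decodestring() comment says 'cstring' for the parameter `cstr`, and the isc_hex_tobuffer() comment says 'lex' for `lexer`.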
diff --git a/contrib/bind9/lib/isc/include/isc/hmacmd5.h b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
new file mode 100644
index 0000000..6e8647f
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/hmacmd5.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: hmacmd5.h,v 1.4.206.1 2004/03/06 08:14:42 marka Exp $ */
+
+/*
+ * This is the header file for the HMAC-MD5 keyed hash algorithm
+ * described in RFC 2104.
+ */
+
+#ifndef ISC_HMACMD5_H
+#define ISC_HMACMD5_H 1
+
+#include <isc/lang.h>
+#include <isc/md5.h>
+#include <isc/types.h>
+
+#define ISC_HMACMD5_KEYLENGTH 64
+
+typedef struct {
+ isc_md5_t md5ctx;
+ unsigned char key[ISC_HMACMD5_KEYLENGTH];
+} isc_hmacmd5_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
+ unsigned int len);
+
+void
+isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx);
+
+void
+isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
+ unsigned int len);
+
+void
+isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest);
+
+isc_boolean_t
+isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_HMACMD5_H */
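Review bot: The five prototypes have no contract comments, so the header never states how large the 'digest' buffer passed to isc_hmacmd5_sign() and isc_hmacmd5_verify() must be. It also does not say what isc_hmacmd5_invalidate() does to the key copy held in `key[ISC_HMACMD5_KEYLENGTH]`. I would add a short comment above each, for example above isc_hmacmd5_verify(): `/* Return ISC_TRUE iff 'digest' matches the HMAC of the data supplied so far; 'digest' must hold a full MD5 digest. */`, with the wording confirmed against the implementation. Whether the comparison in verify takes time independent of the data cannot be told from the header and is worth checking in the source file. isc_hmacmd5_verify() could also declare `const unsigned char *digest`, as isc_hmacmd5_init() and isc_hmacmd5_update() already do for their input buffers.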
diff --git a/contrib/bind9/lib/isc/include/isc/interfaceiter.h b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
new file mode 100644
index 0000000..3a9b21b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/interfaceiter.h
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: interfaceiter.h,v 1.10.206.1 2004/03/06 08:14:42 marka Exp $ */
+
+#ifndef ISC_INTERFACEITER_H
+#define ISC_INTERFACEITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Interface iterator
+ *
+ * Iterate over the list of network interfaces.
+ *
+ * Interfaces whose address family is not supported are ignored and never
+ * returned by the iterator. Interfaces whose netmask, interface flags,
+ * or similar cannot be obtained are also ignored, and the failure is logged.
+ *
+ * Standards:
+ * The API for scanning varies greatly among operating systems.
+ * This module attempts to hide the differences.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/netaddr.h>
+#include <isc/types.h>
+
+/*
+ * Public structure describing a network interface.
+ */
+
+struct isc_interface {
+ char name[32]; /* Interface name, null-terminated. */
+ unsigned int af; /* Address family. */
+ isc_netaddr_t address; /* Local address. */
+ isc_netaddr_t netmask; /* Network mask. */
+ isc_netaddr_t dstaddress; /* Destination address
+ (point-to-point only). */
+ isc_uint32_t flags; /* Flags; see below. */
+};
+
+/* Interface flags. */
+
+#define INTERFACE_F_UP 0x00000001U
+#define INTERFACE_F_POINTTOPOINT 0x00000002U
+#define INTERFACE_F_LOOPBACK 0x00000004U
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp);
+/*
+ * Create an iterator for traversing the operating system's list
+ * of network interfaces.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * Various network-related errors
+ */
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter);
+/*
+ * Position the iterator on the first interface.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ * ISC_R_NOMORE There are no interfaces.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter,
+ isc_interface_t *ifdata);
+/*
+ * Get information about the interface the iterator is currently
+ * positioned at and store it at *ifdata.
+ *
+ * Requires:
+ * The iterator has been successfully positioned using
+ * isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ */
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter);
+/*
+ * Position the iterator on the next interface.
+ *
+ * Requires:
+ * The iterator has been successfully positioned using
+ * isc_interface_iter_first() / isc_interface_iter_next().
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ * ISC_R_NOMORE There are no more interfaces.
+ */
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp);
+/*
+ * Destroy the iterator.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_INTERFACEITER_H */
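Review bot: The `Requires:` text under `isc_interfaceiter_current` and `isc_interfaceiter_next` names `isc_interface_iter_first()` / `isc_interface_iter_next()`, which this header does not declare; the declared functions are `isc_interfaceiter_first()` and `isc_interfaceiter_next()`, and the comments should use those names. `isc_interfaceiter_create` and `isc_interfaceiter_destroy` have no `Requires:` section at all, so the expected state of `*iterp` on entry and after destroy is undocumented. The `name[32]` field is described as null-terminated, which implies longer system interface names are truncated or rejected; the comment should say which, once confirmed against the implementation.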
diff --git a/contrib/bind9/lib/isc/include/isc/ipv6.h b/contrib/bind9/lib/isc/include/isc/ipv6.h
new file mode 100644
index 0000000..8b4b0eb
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/ipv6.h
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ipv6.h,v 1.17.12.4 2004/03/09 05:21:09 marka Exp $ */
+
+#ifndef ISC_IPV6_H
+#define ISC_IPV6_H 1
+
+/*
+ * Also define LWRES_IPV6_H to keep it from being included if liblwres is
+ * being used, or redefinition errors will occur.
+ */
+#define LWRES_IPV6_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * IPv6 definitions for systems which do not support IPv6.
+ *
+ * MP:
+ * No impact.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * N/A.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * RFC 2553.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/int.h>
+#include <isc/platform.h>
+
+/***
+ *** Types.
+ ***/
+
+struct in6_addr {
+ union {
+ isc_uint8_t _S6_u8[16];
+ isc_uint16_t _S6_u16[8];
+ isc_uint32_t _S6_u32[4];
+ } _S6_un;
+};
+#define s6_addr _S6_un._S6_u8
+#define s6_addr8 _S6_un._S6_u8
+#define s6_addr16 _S6_un._S6_u16
+#define s6_addr32 _S6_un._S6_u32
+
+#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
+
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
+LIBISC_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
+
+struct sockaddr_in6 {
+#ifdef ISC_PLATFORM_HAVESALEN
+ isc_uint8_t sin6_len;
+ isc_uint8_t sin6_family;
+#else
+ isc_uint16_t sin6_family;
+#endif
+ isc_uint16_t sin6_port;
+ isc_uint32_t sin6_flowinfo;
+ struct in6_addr sin6_addr;
+ isc_uint32_t sin6_scope_id;
+};
+
+#ifdef ISC_PLATFORM_HAVESALEN
+#define SIN6_LEN 1
+#endif
+
+/*
+ * Unspecified
+ */
+#define IN6_IS_ADDR_UNSPECIFIED(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] == 0))
+
+/*
+ * Loopback
+ */
+#define IN6_IS_ADDR_LOOPBACK(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] == htonl(1)))
+
+/*
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] != 0) && \
+ ((a)->s6_addr32[3] != htonl(1)))
+
+/*
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+
+/*
+ * Multicast
+ */
+#define IN6_IS_ADDR_MULTICAST(a) \
+ ((a)->s6_addr8[0] == 0xffU)
+
+/*
+ * Unicast link / site local.
+ */
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#define IN6_IS_ADDR_SITELOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+
+#endif /* ISC_IPV6_H */
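Review bot: `IN6_IS_ADDR_LOOPBACK`, `IN6_IS_ADDR_V4COMPAT` and `IN6_IS_ADDR_V4MAPPED` call `htonl()`, yet the header includes only `<isc/int.h>` and `<isc/platform.h>`; unless one of those declares it (not visible here), the macros compile only where the includer has already pulled in the system header. A one-line comment stating that dependency, next to the `Imports` block, would do. All of the `IN6_IS_ADDR_*` macros also evaluate `a` more than once, so an argument with side effects is unsafe; that is worth a line in the comments too. The multicast test uses `s6_addr8` while the link/site-local tests use `s6_addr`; both name the same member, so picking one would read better.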
diff --git a/contrib/bind9/lib/isc/include/isc/lang.h b/contrib/bind9/lib/isc/include/isc/lang.h
new file mode 100644
index 0000000..f94f123
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/lang.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:14:42 marka Exp $ */
+
+#ifndef ISC_LANG_H
+#define ISC_LANG_H 1
+
+#ifdef __cplusplus
+#define ISC_LANG_BEGINDECLS extern "C" {
+#define ISC_LANG_ENDDECLS }
+#else
+#define ISC_LANG_BEGINDECLS
+#define ISC_LANG_ENDDECLS
+#endif
+
+#endif /* ISC_LANG_H */
diff --git a/contrib/bind9/lib/isc/include/isc/lex.h b/contrib/bind9/lib/isc/include/isc/lex.h
new file mode 100644
index 0000000..29bdb2f
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/lex.h
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lex.h,v 1.26.2.2.8.3 2004/03/08 09:04:51 marka Exp $ */
+
+#ifndef ISC_LEX_H
+#define ISC_LEX_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Lex
+ *
+ * The "lex" module provides a lightweight tokenizer. It can operate
+ * on files or buffers, and can handle "include". It is designed for
+ * parsing of DNS master files and the BIND configuration file, but
+ * should be general enough to tokenize other things, e.g. HTTP.
+ *
+ * MP:
+ * No synchronization is provided. Clients must ensure exclusive
+ * access.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Options
+ ***/
+
+/*
+ * Various options for isc_lex_gettoken().
+ */
+
+#define ISC_LEXOPT_EOL 0x01 /* Want end-of-line token. */
+#define ISC_LEXOPT_EOF 0x02 /* Want end-of-file token. */
+#define ISC_LEXOPT_INITIALWS 0x04 /* Want initial whitespace. */
+#define ISC_LEXOPT_NUMBER 0x08 /* Recognize numbers. */
+#define ISC_LEXOPT_QSTRING 0x10 /* Recognize qstrings. */
+
+/*
+ * The ISC_LEXOPT_DNSMULTILINE option handles the processing of '(' and ')' in
+ * the DNS master file format. If this option is set, then the
+ * ISC_LEXOPT_INITIALWS and ISC_LEXOPT_EOL options will be ignored when
+ * the paren count is > 0. To use this option, '(' and ')' must be special
+ * characters.
+ */
+#define ISC_LEXOPT_DNSMULTILINE 0x20 /* Handle '(' and ')'. */
+#define ISC_LEXOPT_NOMORE 0x40 /* Want "no more" token. */
+
+#define ISC_LEXOPT_CNUMBER 0x80 /* Regognise octal and hex */
+#define ISC_LEXOPT_ESCAPE 0x100 /* Recognize escapes. */
+#define ISC_LEXOPT_QSTRINGMULTILINE 0x200 /* Allow multiline "" strings */
+
+/*
+ * Various commenting styles, which may be changed at any time with
+ * isc_lex_setcomments().
+ */
+
+#define ISC_LEXCOMMENT_C 0x01
+#define ISC_LEXCOMMENT_CPLUSPLUS 0x02
+#define ISC_LEXCOMMENT_SHELL 0x04
+#define ISC_LEXCOMMENT_DNSMASTERFILE 0x08
+
+/***
+ *** Types
+ ***/
+
+/* Lex */
+
+typedef char isc_lexspecials_t[256];
+
+/* Tokens */
+
+typedef enum {
+ isc_tokentype_unknown = 0,
+ isc_tokentype_string = 1,
+ isc_tokentype_number = 2,
+ isc_tokentype_qstring = 3,
+ isc_tokentype_eol = 4,
+ isc_tokentype_eof = 5,
+ isc_tokentype_initialws = 6,
+ isc_tokentype_special = 7,
+ isc_tokentype_nomore = 8
+} isc_tokentype_t;
+
+typedef union {
+ char as_char;
+ unsigned long as_ulong;
+ isc_region_t as_region;
+ isc_textregion_t as_textregion;
+ void * as_pointer;
+} isc_tokenvalue_t;
+
+typedef struct isc_token {
+ isc_tokentype_t type;
+ isc_tokenvalue_t value;
+} isc_token_t;
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp);
+/*
+ * Create a lexer.
+ *
+ * 'max_token' is a hint of the number of bytes in the largest token.
+ *
+ * Requires:
+ * '*lexp' is a valid lexer.
+ *
+ * max_token > 0.
+ *
+ * Ensures:
+ * On success, *lexp is attached to the newly created lexer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ */
+
+void
+isc_lex_destroy(isc_lex_t **lexp);
+/*
+ * Destroy the lexer.
+ *
+ * Requires:
+ * '*lexp' is a valid lexer.
+ *
+ * Ensures:
+ * *lexp == NULL
+ */
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex);
+/*
+ * Return the current lexer commenting styles.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * Returns:
+ * The commenting sytles which are currently allowed.
+ */
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments);
+/*
+ * Set allowed lexer commenting styles.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'comments' has meaningful values.
+ */
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*
+ * Put the current list of specials into 'specials'.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ */
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials);
+/*
+ * The characters in 'specials' are returned as tokens. Along with
+ * whitespace, they delimit strings and numbers.
+ *
+ * Note:
+ * Comment processing takes precedence over special character
+ * recognition.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ */
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename);
+/*
+ * Open 'filename' and make it the current input source for 'lex'.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * filename is a valid C string.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY Out of memory
+ * ISC_R_NOTFOUND File not found
+ * ISC_R_NOPERM No permission to open file
+ * ISC_R_FAILURE Couldn't open file, not sure why
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream);
+/*
+ * Make 'stream' the current input source for 'lex'.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'stream' is a valid C stream.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY Out of memory
+ */
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer);
+/*
+ * Make 'buffer' the current input source for 'lex'.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'buffer' is a valid buffer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY Out of memory
+ */
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex);
+/*
+ * Close the most recently opened object (i.e. file or buffer).
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMORE No more input sources
+ */
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp);
+/*
+ * Get the next token.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'lex' has an input source.
+ *
+ * 'options' contains valid options.
+ *
+ * '*tokenp' is a valid pointer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTEDEND
+ * ISC_R_NOMEMORY
+ *
+ * These two results are returned only if their corresponding lexer
+ * options are not set.
+ *
+ * ISC_R_EOF End of input source
+ * ISC_R_NOMORE No more input sources
+ */
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+ isc_tokentype_t expect, isc_boolean_t eol);
+/*
+ * Get the next token from a DNS master file type stream. This is a
+ * convenience function that sets appropriate options and handles quoted
+ * strings and end of line correctly for master files. It also ungets
+ * unexpected tokens.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'token' is a valid pointer
+ *
+ * Returns:
+ *
+ * any return code from isc_lex_gettoken.
+ */
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp);
+/*
+ * Unget the current token.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'lex' has an input source.
+ *
+ * 'tokenp' points to a valid token.
+ *
+ * There is no ungotten token already.
+ */
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r);
+/*
+ * Returns a region containing the text of the last token returned.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * 'lex' has an input source.
+ *
+ * 'tokenp' points to a valid token.
+ *
+ * A token has been gotten and not ungotten.
+ */
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex);
+/*
+ * Return the input source name.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * Returns:
+ * source name or NULL if no current source.
+ * result valid while current input source exists.
+ */
+
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex);
+/*
+ * Return the input source line number.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * Returns:
+ * Current line number or 0 if no current source.
+ */
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name);
+/*
+ * Assigns a new name to the input source.
+ *
+ * Requires:
+ *
+ * 'lex' is a valid lexer.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOTFOUND - there are no sources.
+ */
+
+isc_boolean_t
+isc_lex_isfile(isc_lex_t *lex);
+/*
+ * Return whether the current input source is a file.
+ *
+ * Requires:
+ * 'lex' is a valid lexer.
+ *
+ * Returns:
+ * ISC_TRUE if the current input is a file,
+ * ISC_FALSE otherwise.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LEX_H */
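Review bot: The `Requires:` section of `isc_lex_create` says `'*lexp' is a valid lexer`, which contradicts its own `Ensures:` line (the lexer does not exist until the call returns) and looks copied from `isc_lex_destroy`. It presumably should read `'lexp' is a valid pointer and *lexp == NULL`, to be confirmed against the implementation. `max_token` is called a hint, but the header does not say what happens to a token longer than that, which matters because the module is documented as parsing master files and the configuration file. Two comment typos nearby: `Regognise` on `ISC_LEXOPT_CNUMBER` and `sytles` under `isc_lex_getcomments`.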
diff --git a/contrib/bind9/lib/isc/include/isc/lfsr.h b/contrib/bind9/lib/isc/include/isc/lfsr.h
new file mode 100644
index 0000000..e562380
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/lfsr.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lfsr.h,v 1.10.206.1 2004/03/06 08:14:43 marka Exp $ */
+
+#ifndef ISC_LFSR_H
+#define ISC_LFSR_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+typedef struct isc_lfsr isc_lfsr_t;
+
+/*
+ * This function is called when reseeding is needed. It is allowed to
+ * modify any state in the LFSR in any way it sees fit OTHER THAN "bits".
+ *
+ * It MUST set "count" to a new value or the lfsr will never reseed again.
+ *
+ * Also, a reseed will never occur in the middle of an extraction. This
+ * is purely an optimization, and is probably what one would want.
+ */
+typedef void (*isc_lfsrreseed_t)(isc_lfsr_t *, void *);
+
+/*
+ * The members of this structure can be used by the application, but care
+ * needs to be taken to not change state once the lfsr is in operation.
+ */
+struct isc_lfsr {
+ isc_uint32_t state; /* previous state */
+ unsigned int bits; /* length */
+ isc_uint32_t tap; /* bit taps */
+ unsigned int count; /* reseed count (in BITS!) */
+ isc_lfsrreseed_t reseed; /* reseed function */
+ void *arg; /* reseed function argument */
+};
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * In all these functions it is important that the caller only use as many
+ * bits as the LFSR has state. Also, it isn't guaranteed that an LFSR of
+ * bit length 32 will have 2^32 unique states before repeating.
+ */
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
+ isc_uint32_t tap, unsigned int count,
+ isc_lfsrreseed_t reseed, void *arg);
+/*
+ * Initialize an LFSR.
+ *
+ * Note:
+ *
+ * Putting untrusted values into this function will cause the LFSR to
+ * generate (perhaps) non-maximal length sequences.
+ *
+ * Requires:
+ *
+ * lfsr != NULL
+ *
+ * 8 <= bits <= 32
+ *
+ * tap != 0
+ */
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
+/*
+ * Returns "count" bytes of data from the LFSR.
+ *
+ * Requires:
+ *
+ * lfsr be valid.
+ *
+ * data != NULL.
+ *
+ * count > 0.
+ */
+
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
+/*
+ * Skip "skip" states.
+ *
+ * Requires:
+ *
+ * lfsr be valid.
+ */
+
+isc_uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
+/*
+ * Given two LFSRs, use the current state from each to skip entries in the
+ * other. The next states are then xor'd together and returned.
+ *
+ * WARNING:
+ *
+ * This function is used only for very, very low security data, such
+ * as DNS message IDs where it is desired to have an unpredictable
+ * stream of bytes that are harder to predict than a simple flooding
+ * attack.
+ *
+ * Notes:
+ *
+ * Since the current state from each of the LFSRs is used to skip
+ * state in the other, it is important that no state be leaked
+ * from either LFSR.
+ *
+ * Requires:
+ *
+ * lfsr1 and lfsr2 be valid.
+ *
+ * 1 <= skipbits <= 31
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LFSR_H */
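Review bot: The `Requires:` block of `isc_lfsr_generate32` lists `1 <= skipbits <= 31`, but the function takes only `lfsr1` and `lfsr2`; that line looks stale and should be dropped or tied to whatever it now constrains. The WARNING above it would be clearer if it said outright that an LFSR is a linear generator and not a cryptographic one, e.g. `Output is not cryptographically secure; do not use it for keys, nonces or any value whose secrecy matters.` The DNS message ID example deserves a caveat as well, since the ID is one of the values a resolver relies on to reject forged responses, so predictability there has a cost. `isc_lfsr_init` documents `8 <= bits <= 32` and `tap != 0`, but `struct isc_lfsr` is public and writable, so those bounds hold only if callers leave the fields alone, as the struct comment asks.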
diff --git a/contrib/bind9/lib/isc/include/isc/lib.h b/contrib/bind9/lib/isc/include/isc/lib.h
new file mode 100644
index 0000000..1ad4493
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/lib.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.h,v 1.6.12.3 2004/03/08 09:04:51 marka Exp $ */
+
+#ifndef ISC_LIB_H
+#define ISC_LIB_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBISC_EXTERNAL_DATA extern isc_msgcat_t *isc_msgcat;
+
+void
+isc_lib_initmsgcat(void);
+/*
+ * Initialize the ISC library's message catalog, isc_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LIB_H */
diff --git a/contrib/bind9/lib/isc/include/isc/list.h b/contrib/bind9/lib/isc/include/isc/list.h
new file mode 100644
index 0000000..962336a
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/list.h
@@ -0,0 +1,180 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: list.h,v 1.18.2.2.8.1 2004/03/06 08:14:43 marka Exp $ */
+
+#ifndef ISC_LIST_H
+#define ISC_LIST_H 1
+#include <isc/boolean.h>
+#include <isc/assertions.h>
+
+#ifdef ISC_LIST_CHECKINIT
+#define ISC_LINK_INSIST(x) ISC_INSIST(x)
+#else
+#define ISC_LINK_INSIST(x)
+#endif
+
+#define ISC_LIST(type) struct { type *head, *tail; }
+#define ISC_LIST_INIT(list) \
+ do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define ISC_LINK(type) struct { type *prev, *next; }
+#define ISC_LINK_INIT_TYPE(elt, link, type) \
+ do { \
+ (elt)->link.prev = (type *)(-1); \
+ (elt)->link.next = (type *)(-1); \
+ } while (0)
+#define ISC_LINK_INIT(elt, link) \
+ ISC_LINK_INIT_TYPE(elt, link, void)
+#define ISC_LINK_LINKED(elt, link) ((void *)((elt)->link.prev) != (void *)(-1))
+
+#define ISC_LIST_HEAD(list) ((list).head)
+#define ISC_LIST_TAIL(list) ((list).tail)
+#define ISC_LIST_EMPTY(list) ISC_TF((list).head == NULL)
+
+#define __ISC_LIST_PREPENDUNSAFE(list, elt, link) \
+ do { \
+ if ((list).head != NULL) \
+ (list).head->link.prev = (elt); \
+ else \
+ (list).tail = (elt); \
+ (elt)->link.prev = NULL; \
+ (elt)->link.next = (list).head; \
+ (list).head = (elt); \
+ } while (0)
+
+#define ISC_LIST_PREPEND(list, elt, link) \
+ do { \
+ ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+ __ISC_LIST_PREPENDUNSAFE(list, elt, link); \
+ } while (0)
+
+#define ISC_LIST_INITANDPREPEND(list, elt, link) \
+ __ISC_LIST_PREPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_APPENDUNSAFE(list, elt, link) \
+ do { \
+ if ((list).tail != NULL) \
+ (list).tail->link.next = (elt); \
+ else \
+ (list).head = (elt); \
+ (elt)->link.prev = (list).tail; \
+ (elt)->link.next = NULL; \
+ (list).tail = (elt); \
+ } while (0)
+
+#define ISC_LIST_APPEND(list, elt, link) \
+ do { \
+ ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+ __ISC_LIST_APPENDUNSAFE(list, elt, link); \
+ } while (0)
+
+#define ISC_LIST_INITANDAPPEND(list, elt, link) \
+ __ISC_LIST_APPENDUNSAFE(list, elt, link)
+
+#define __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type) \
+ do { \
+ if ((elt)->link.next != NULL) \
+ (elt)->link.next->link.prev = (elt)->link.prev; \
+ else \
+ (list).tail = (elt)->link.prev; \
+ if ((elt)->link.prev != NULL) \
+ (elt)->link.prev->link.next = (elt)->link.next; \
+ else \
+ (list).head = (elt)->link.next; \
+ (elt)->link.prev = (type *)(-1); \
+ (elt)->link.next = (type *)(-1); \
+ } while (0)
+
+#define __ISC_LIST_UNLINKUNSAFE(list, elt, link) \
+ __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+
+#define ISC_LIST_UNLINK_TYPE(list, elt, link, type) \
+ do { \
+ ISC_LINK_INSIST(ISC_LINK_LINKED(elt, link)); \
+ __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type); \
+ } while (0)
+#define ISC_LIST_UNLINK(list, elt, link) \
+ ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+
+#define ISC_LIST_PREV(elt, link) ((elt)->link.prev)
+#define ISC_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link) \
+ do { \
+ if ((before)->link.prev == NULL) \
+ ISC_LIST_PREPEND(list, elt, link); \
+ else { \
+ (elt)->link.prev = (before)->link.prev; \
+ (before)->link.prev = (elt); \
+ (elt)->link.prev->link.next = (elt); \
+ (elt)->link.next = (before); \
+ } \
+ } while (0)
+
+#define ISC_LIST_INSERTBEFORE(list, before, elt, link) \
+ do { \
+ ISC_LINK_INSIST(ISC_LINK_LINKED(before, link)); \
+ ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+ __ISC_LIST_INSERTBEFOREUNSAFE(list, before, elt, link); \
+ } while (0)
+
+#define __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link) \
+ do { \
+ if ((after)->link.next == NULL) \
+ ISC_LIST_APPEND(list, elt, link); \
+ else { \
+ (elt)->link.next = (after)->link.next; \
+ (after)->link.next = (elt); \
+ (elt)->link.next->link.prev = (elt); \
+ (elt)->link.prev = (after); \
+ } \
+ } while (0)
+
+#define ISC_LIST_INSERTAFTER(list, after, elt, link) \
+ do { \
+ ISC_LINK_INSIST(ISC_LINK_LINKED(after, link)); \
+ ISC_LINK_INSIST(!ISC_LINK_LINKED(elt, link)); \
+ __ISC_LIST_INSERTAFTERUNSAFE(list, after, elt, link); \
+ } while (0)
+
+#define ISC_LIST_APPENDLIST(list1, list2, link) \
+ do { \
+ if (ISC_LIST_EMPTY(list1)) \
+ (list1) = (list2); \
+ else if (!ISC_LIST_EMPTY(list2)) { \
+ (list1).tail->link.next = (list2).head; \
+ (list2).head->link.prev = (list1).tail; \
+ (list1).tail = (list2).tail; \
+ } \
+ (list2).head = NULL; \
+ (list2).tail = NULL; \
+ } while (0)
+
+#define ISC_LIST_ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
+#define __ISC_LIST_ENQUEUEUNSAFE(list, elt, link) \
+ __ISC_LIST_APPENDUNSAFE(list, elt, link)
+#define ISC_LIST_DEQUEUE(list, elt, link) \
+ ISC_LIST_UNLINK_TYPE(list, elt, link, void)
+#define ISC_LIST_DEQUEUE_TYPE(list, elt, link, type) \
+ ISC_LIST_UNLINK_TYPE(list, elt, link, type)
+#define __ISC_LIST_DEQUEUEUNSAFE(list, elt, link) \
+ __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, void)
+#define __ISC_LIST_DEQUEUEUNSAFE_TYPE(list, elt, link, type) \
+ __ISC_LIST_UNLINKUNSAFE_TYPE(list, elt, link, type)
+
+#endif /* ISC_LIST_H */
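Review bot: `__ISC_LIST_INSERTBEFOREUNSAFE` and `__ISC_LIST_INSERTAFTERUNSAFE` fall back to the checked `ISC_LIST_PREPEND` / `ISC_LIST_APPEND` in their head/tail branch, while the `else` branch performs no check, so the "unsafe" variants behave differently depending on where the element lands when `ISC_LIST_CHECKINIT` is defined. Using `__ISC_LIST_PREPENDUNSAFE(list, elt, link);` and `__ISC_LIST_APPENDUNSAFE(list, elt, link);` there would make them consistent, as the checked wrappers already assert before calling them. Note also that `ISC_LINK_INSIST` expands to nothing unless `ISC_LIST_CHECKINIT` is defined, so in a default build unlinking an element that is not on a list, or linking one twice, is not caught; a comment at the top of the header saying so would help. The `__`-prefixed macro names are in the namespace C reserves for the implementation.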
diff --git a/contrib/bind9/lib/isc/include/isc/log.h b/contrib/bind9/lib/isc/include/isc/log.h
new file mode 100644
index 0000000..97aeba0
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/log.h
@@ -0,0 +1,879 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.h,v 1.39.2.4.2.7 2004/04/10 04:31:40 marka Exp $ */
+
+#ifndef ISC_LOG_H
+#define ISC_LOG_H 1
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <syslog.h> /* XXXDCL NT */
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+/*
+ * Severity levels, patterned after Unix's syslog levels.
+ *
+ * ISC_LOG_DYNAMIC can only be used for defining channels with
+ * isc_log_createchannel(), not to specify a level in isc_log_write().
+ */
+#define ISC_LOG_DEBUG(level) (level)
+#define ISC_LOG_DYNAMIC 0
+#define ISC_LOG_INFO (-1)
+#define ISC_LOG_NOTICE (-2)
+#define ISC_LOG_WARNING (-3)
+#define ISC_LOG_ERROR (-4)
+#define ISC_LOG_CRITICAL (-5)
+
+/*
+ * Destinations.
+ */
+#define ISC_LOG_TONULL 1
+#define ISC_LOG_TOSYSLOG 2
+#define ISC_LOG_TOFILE 3
+#define ISC_LOG_TOFILEDESC 4
+
+/*
+ * Channel flags.
+ */
+#define ISC_LOG_PRINTTIME 0x0001
+#define ISC_LOG_PRINTLEVEL 0x0002
+#define ISC_LOG_PRINTCATEGORY 0x0004
+#define ISC_LOG_PRINTMODULE 0x0008
+#define ISC_LOG_PRINTTAG 0x0010
+#define ISC_LOG_PRINTALL 0x001F
+#define ISC_LOG_DEBUGONLY 0x1000
+#define ISC_LOG_OPENERR 0x8000 /* internal */
+
+/*
+ * Other options.
+ * XXXDCL INFINITE doesn't yet work. Arguably it isn't needed, but
+ * since I am intend to make large number of versions work efficiently,
+ * INFINITE is going to be trivial to add to that.
+ */
+#define ISC_LOG_ROLLINFINITE (-1)
+#define ISC_LOG_ROLLNEVER (-2)
+
+/*
+ * Used to name the categories used by a library. An array of isc_logcategory
+ * structures names each category, and the id value is initialized by calling
+ * isc_log_registercategories.
+ */
+struct isc_logcategory {
+ const char *name;
+ unsigned int id;
+};
+
+/*
+ * Similar to isc_logcategory above, but for all the modules a library defines.
+ */
+struct isc_logmodule {
+ const char *name;
+ unsigned int id;
+};
+
+/*
+ * The isc_logfile structure is initialized as part of an isc_logdestination
+ * before calling isc_log_createchannel(). When defining an ISC_LOG_TOFILE
+ * channel the name, versions and maximum_size should be set before calling
+ * isc_log_createchannel(). To define an ISC_LOG_TOFILEDESC channel set only
+ * the stream before the call.
+ *
+ * Setting maximum_size to zero implies no maximum.
+ */
+typedef struct isc_logfile {
+ FILE *stream; /* Initialized to NULL for ISC_LOG_TOFILE. */
+ const char *name; /* NULL for ISC_LOG_TOFILEDESC. */
+ int versions; /* >= 0, ISC_LOG_ROLLNEVER, ISC_LOG_ROLLINFINITE. */
+ /*
+ * stdio's ftell is standardized to return a long, which may well not
+ * be big enough for the largest file supportable by the operating
+ * system (though it is _probably_ big enough for the largest log
+ * anyone would want). st_size returned by fstat should be typedef'd
+ * to a size large enough for the largest possible file on a system.
+ */
+ isc_offset_t maximum_size;
+ isc_boolean_t maximum_reached; /* Private. */
+} isc_logfile_t;
+
+/*
+ * Passed to isc_log_createchannel to define the attributes of either
+ * a stdio or a syslog log.
+ */
+typedef union isc_logdestination {
+ isc_logfile_t file;
+ int facility; /* XXXDCL NT */
+} isc_logdestination_t;
+
+/*
+ * The built-in categories of libisc.
+ *
+ * Each library registering categories should provide library_LOGCATEGORY_name
+ * definitions with indexes into its isc_logcategory structure corresponding to
+ * the order of the names.
+ */
+LIBISC_EXTERNAL_DATA extern isc_logcategory_t isc_categories[];
+LIBISC_EXTERNAL_DATA extern isc_log_t *isc_lctx;
+LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
+
+/*
+ * Do not log directly to DEFAULT. Use another category. When in doubt,
+ * use GENERAL.
+ */
+#define ISC_LOGCATEGORY_DEFAULT (&isc_categories[0])
+#define ISC_LOGCATEGORY_GENERAL (&isc_categories[1])
+
+#define ISC_LOGMODULE_SOCKET (&isc_modules[0])
+#define ISC_LOGMODULE_TIME (&isc_modules[1])
+#define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
+#define ISC_LOGMODULE_TIMER (&isc_modules[3])
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp);
+/*
+ * Establish a new logging context, with default channels.
+ *
+ * Notes:
+ * isc_log_create calls isc_logconfig_create, so see its comment
+ * below for more information.
+ *
+ * Requires:
+ * mctx is a valid memory context.
+ * lctxp is not null and *lctxp is null.
+ * lcfgp is null or lcfgp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ * *lctxp will point to a valid logging context if all of the necessary
+ * memory was allocated, or NULL otherwise.
+ * *lcfgp will point to a valid logging configuration if all of the
+ * necessary memory was allocated, or NULL otherwise.
+ * On failure, no additional memory is allocated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of memory
+ */
+
+isc_result_t
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp);
+/*
+ * Create the data structure that holds all of the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ *
+ * Notes:
+ * It is necessary to specify the logging context the configuration
+ * will be used with because the number of categories and modules
+ * needs to be known in order to set the configuration. However,
+ * the configuration is not used by the logging context until the
+ * isc_logconfig_use function is called.
+ *
+ * The memory context used for operations that allocate memory for
+ * the configuration is that of the logging context, as specified
+ * in the isc_log_create call.
+ *
+ * Four default channels are established:
+ * default_syslog
+ * - log to syslog's daemon facility ISC_LOG_INFO or higher
+ * default_stderr
+ * - log to stderr ISC_LOG_INFO or higher
+ * default_debug
+ * - log to stderr ISC_LOG_DEBUG dynamically
+ * null
+ * - log nothing
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ * lcftp is not null and *lcfgp is null.
+ *
+ * Ensures:
+ * *lcfgp will point to a valid logging context if all of the necessary
+ * memory was allocated, or NULL otherwise.
+ * On failure, no additional memory is allocated.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of memory
+ */
+
+isc_logconfig_t *
+isc_logconfig_get(isc_log_t *lctx);
+/*
+ * Returns a pointer to the configuration currently in use by the log context.
+ *
+ * Requires:
+ * lctx is a valid context.
+ *
+ * Ensures:
+ * The configuration pointer is non-null.
+ *
+ * Returns:
+ * The configuration pointer.
+ */
+
+isc_result_t
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg);
+/*
+ * Associate a new configuration with a logging context.
+ *
+ * Notes:
+ * This is thread safe. The logging context will lock a mutex
+ * before attempting to swap in the new configuration, and isc_log_doit
+ * (the internal function used by all of isc_log_[v]write[1]) locks
+ * the same lock for the duration of its use of the configuration.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ * lcfg is a valid logging configuration.
+ * lctx is the same configuration given to isc_logconfig_create
+ * when the configuration was created.
+ *
+ * Ensures:
+ * Future calls to isc_log_write will use the new configuration.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of memory
+ */
+
+void
+isc_log_destroy(isc_log_t **lctxp);
+/*
+ * Deallocate the memory associated with a logging context.
+ *
+ * Requires:
+ * *lctx is a valid logging context.
+ *
+ * Ensures:
+ * All of the memory associated with the logging context is returned
+ * to the free memory pool.
+ *
+ * Any open files are closed.
+ *
+ * The logging context is marked as invalid.
+ */
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp);
+/*
+ * Destroy a logging configuration.
+ *
+ * Notes:
+ * This function cannot be used directly with the return value of
+ * isc_logconfig_get, because a logging context must always have
+ * a valid configuration associated with it.
+ *
+ * Requires:
+ * lcfgp is not null and *lcfgp is a valid logging configuration.
+ * The logging configuration is not in use by an existing logging context.
+ *
+ * Ensures:
+ * All memory allocated for the configuration is freed.
+ *
+ * The configuration is marked as invalid.
+ */
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]);
+/*
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ * A category should only be registered once, but no mechanism enforces
+ * this rule.
+ *
+ * The end of the categories array is identified by a NULL name.
+ *
+ * Because the name is used by ISC_LOG_PRINTCATEGORY, it should not
+ * be altered or destroyed after isc_log_registercategories().
+ *
+ * Because each element of the categories array is used by
+ * isc_log_categorybyname, it should not be altered or destroyed
+ * after registration.
+ *
+ * The value of the id integer in each structure is overwritten
+ * by this function, and so id need not be initialized to any particular
+ * value prior to the function call.
+ *
+ * A subsequent call to isc_log_registercategories with the same
+ * logging context (but new categories) will cause the last
+ * element of the categories array from the prior call to have
+ * its "name" member changed from NULL to point to the new
+ * categories array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ * categories != NULL.
+ * categories[0].name != NULL.
+ *
+ * Ensures:
+ * There are references to each category in the logging context,
+ * so they can be used with isc_log_usechannel() and isc_log_write().
+ */
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]);
+/*
+ * Identify logging categories a library will use.
+ *
+ * Notes:
+ * A module should only be registered once, but no mechanism enforces
+ * this rule.
+ *
+ * The end of the modules array is identified by a NULL name.
+ *
+ * Because the name is used by ISC_LOG_PRINTMODULE, it should not
+ * be altered or destroyed after isc_log_registermodules().
+ *
+ * Because each element of the modules array is used by
+ * isc_log_modulebyname, it should not be altered or destroyed
+ * after registration.
+ *
+ * The value of the id integer in each structure is overwritten
+ * by this function, and so id need not be initialized to any particular
+ * value prior to the function call.
+ *
+ * A subsequent call to isc_log_registermodules with the same
+ * logging context (but new modules) will cause the last
+ * element of the modules array from the prior call to have
+ * its "name" member changed from NULL to point to the new
+ * modules array, and its "id" member set to UINT_MAX.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ * modules != NULL.
+ * modules[0].name != NULL;
+ *
+ * Ensures:
+ * Each module has a reference in the logging context, so they can be
+ * used with isc_log_usechannel() and isc_log_write().
+ */
+
+isc_result_t
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+ unsigned int type, int level,
+ const isc_logdestination_t *destination,
+ unsigned int flags);
+/*
+ * Specify the parameters of a logging channel.
+ *
+ * Notes:
+ * The name argument is copied to memory in the logging context, so
+ * it can be altered or destroyed after isc_log_createchannel().
+ *
+ * Defining a very large number of channels will have a performance
+ * impact on isc_log_usechannel(), since the names are searched
+ * linearly until a match is made. This same issue does not affect
+ * isc_log_write, however.
+ *
+ * Channel names can be redefined; this is primarily useful for programs
+ * that want their own definition of default_syslog, default_debug
+ * and default_stderr.
+ *
+ * Any channel that is redefined will not affect logging that was
+ * already directed to its original definition, _except_ for the
+ * default_stderr channel. This case is handled specially so that
+ * the default logging category can be changed by redefining
+ * default_stderr. (XXXDCL Though now that I think of it, the default
+ * logging category can be changed with only one additional function
+ * call by defining a new channel and then calling isc_log_usechannel()
+ * for ISC_LOGCATEGORY_DEFAULT.)
+ *
+ * Specifying ISC_LOG_PRINTTIME or ISC_LOG_PRINTTAG for syslog is allowed,
+ * but probably not what you wanted to do.
+ *
+ * ISC_LOG_DEBUGONLY will mark the channel as usable only when the
+ * debug level of the logging context (see isc_log_setdebuglevel)
+ * is non-zero.
+ *
+ * Requires:
+ * lcfg is a valid logging configuration.
+ *
+ * name is not NULL.
+ *
+ * type is ISC_LOG_TOSYSLOG, ISC_LOG_TOFILE, ISC_LOG_TOFILEDESC or
+ * ISC_LOG_TONULL.
+ *
+ * destination is not NULL unless type is ISC_LOG_TONULL.
+ *
+ * level is >= ISC_LOG_CRITICAL (the most negative logging level).
+ *
+ * flags does not include any bits aside from the ISC_LOG_PRINT* bits
+ * or ISC_LOG_DEBUGONLY.
+ *
+ * Ensures:
+ * ISC_R_SUCCESS
+ * A channel with the given name is usable with
+ * isc_log_usechannel().
+ *
+ * ISC_R_NOMEMORY or ISC_R_UNEXPECTED
+ * No additional memory is being used by the logging context.
+ *
+ * Any channel that previously existed with the given name
+ * is not redefined.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of memory
+ * ISC_R_UNEXPECTED type was out of range and REQUIRE()
+ * was disabled.
+ */
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+ const isc_logcategory_t *category,
+ const isc_logmodule_t *module);
+/*
+ * Associate a named logging channel with a category and module that
+ * will use it.
+ *
+ * Notes:
+ * The name is searched for linearly in the set of known channel names
+ * until a match is found. (Note the performance impact of a very large
+ * number of named channels.) When multiple channels of the same
+ * name are defined, the most recent definition is found.
+ *
+ * Specifing a very large number of channels for a category will have
+ * a moderate impact on performance in isc_log_write(), as each
+ * call looks up the category for the start of a linked list, which
+ * it follows all the way to the end to find matching modules. The
+ * test for matching modules is integral, though.
+ *
+ * If category is NULL, then the channel is associated with the indicated
+ * module for all known categories (including the "default" category).
+ *
+ * If module is NULL, then the channel is associated with every module
+ * that uses that category.
+ *
+ * Passing both category and module as NULL would make every log message
+ * use the indicated channel.
+ *
+ * Specifying a channel that is ISC_LOG_TONULL for a category/module pair
+ * has no effect on any other channels associated with that pair,
+ * regardless of ordering. Thus you cannot use it to "mask out" one
+ * category/module pair when you have specified some other channel that
+ * is also used by that category/module pair.
+ *
+ * Requires:
+ * lcfg is a valid logging configuration.
+ *
+ * category is NULL or has an id that is in the range of known ids.
+ *
+ * module is NULL or has an id that is in the range of known ids.
+ *
+ * Ensures:
+ * ISC_R_SUCCESS
+ * The channel will be used by the indicated category/module
+ * arguments.
+ *
+ * ISC_R_NOMEMORY
+ * If assignment for a specific category has been requested,
+ * the channel has not been associated with the indicated
+ * category/module arguments and no additional memory is
+ * used by the logging context.
+ *
+ * If assignment for all categories has been requested
+ * then _some_ may have succeeded (starting with category
+ * "default" and progressing through the order of categories
+ * passed to isc_log_registercategories) and additional memory
+ * is being used by whatever assignments succeeded.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource limit: Out of memory
+ */
+
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ const char *format, ...)
+ISC_FORMAT_PRINTF(5, 6);
+/*
+ * Write a message to the log channels.
+ *
+ * Notes:
+ * Log messages containing natural language text should be logged with
+ * isc_log_iwrite() to allow for localization.
+ *
+ * lctx can be NULL; this is allowed so that programs which use
+ * libraries that use the ISC logging system are not required to
+ * also use it.
+ *
+ * The format argument is a printf(3) string, with additional arguments
+ * as necessary.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * The category and module arguments must have ids that are in the
+ * range of known ids, as estabished by isc_log_registercategories()
+ * and isc_log_registermodules().
+ *
+ * level != ISC_LOG_DYNAMIC. ISC_LOG_DYNAMIC is used only to define
+ * channels, and explicit debugging level must be identified for
+ * isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ * format != NULL.
+ *
+ * Ensures:
+ * The log message is written to every channel associated with the
+ * indicated category/module pair.
+ *
+ * Returns:
+ * Nothing. Failure to log a message is not construed as a
+ * meaningful error.
+ */
+
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ const char *format, va_list args)
+ISC_FORMAT_PRINTF(5, 0);
+/*
+ * Write a message to the log channels.
+ *
+ * Notes:
+ * lctx can be NULL; this is allowed so that programs which use
+ * libraries that use the ISC logging system are not required to
+ * also use it.
+ *
+ * The format argument is a printf(3) string, with additional arguments
+ * as necessary.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * The category and module arguments must have ids that are in the
+ * range of known ids, as estabished by isc_log_registercategories()
+ * and isc_log_registermodules().
+ *
+ * level != ISC_LOG_DYNAMIC. ISC_LOG_DYNAMIC is used only to define
+ * channels, and explicit debugging level must be identified for
+ * isc_log_write() via ISC_LOG_DEBUG(level).
+ *
+ * format != NULL.
+ *
+ * Ensures:
+ * The log message is written to every channel associated with the
+ * indicated category/module pair.
+ *
+ * Returns:
+ * Nothing. Failure to log a message is not construed as a
+ * meaningful error.
+ */
+
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *format, ...)
+ISC_FORMAT_PRINTF(5, 6);
+/*
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_write().
+ */
+
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *format,
+ va_list args)
+ISC_FORMAT_PRINTF(5, 0);
+/*
+ * Write a message to the log channels, pruning duplicates that occur within
+ * a configurable amount of seconds (see isc_log_[sg]etduplicateinterval).
+ * This function is otherwise identical to isc_log_vwrite().
+ */
+
+void
+isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *format, ...)
+ISC_FORMAT_PRINTF(8, 9);
+
+void
+isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *format, va_list args)
+ISC_FORMAT_PRINTF(8, 0);
+
+void
+isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *format, ...)
+ISC_FORMAT_PRINTF(8, 9);
+
+void
+isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *format, va_list args)
+ISC_FORMAT_PRINTF(8, 0);
+/*
+ * These are four internationalized versions of the the isc_log_[v]write[1]
+ * functions. The only difference is that they take arguments for a message
+ * catalog, message set, and message number, all immediately preceding the
+ * format argument. The format argument becomes the default text, a la
+ * isc_msgcat_get. If the message catalog is NULL, no lookup is attempted
+ * for a message -- which makes the message set and message number irrelevant,
+ * and the non-internationalized call should have probably been used instead.
+ *
+ * Yes, that means there are now *eight* interfaces to logging a message.
+ * Sheesh. Make the madness stop!
+ */
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level);
+/*
+ * Set the debugging level used for logging.
+ *
+ * Notes:
+ * Setting the debugging level to 0 disables debugging log messages.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * Ensures:
+ * The debugging level is set to the requested value.
+ */
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx);
+/*
+ * Get the current debugging level.
+ *
+ * Notes:
+ * This is provided so that a program can have a notion of
+ * "increment debugging level" or "decrement debugging level"
+ * without needing to keep track of what the current level is.
+ *
+ * A return value of 0 indicates that debugging messages are disabled.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * Ensures:
+ * The current logging debugging level is returned.
+ */
+
+isc_boolean_t
+isc_log_wouldlog(isc_log_t *lctx, int level);
+/*
+ * Determine whether logging something to 'lctx' at 'level' would
+ * actually cause something to be logged somewhere.
+ *
+ * If ISC_FALSE is returned, it is guaranteed that nothing would
+ * be logged, allowing the caller to omit unnecessary
+ * isc_log_write() calls and possible message preformatting.
+ */
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval);
+/*
+ * Set the interval over which duplicate log messages will be ignored
+ * by isc_log_[v]write1(), in seconds.
+ *
+ * Notes:
+ * Increasing the duplicate interval from X to Y will not necessarily
+ * filter out duplicates of messages logged in Y - X seconds since the
+ * increase. (Example: Message1 is logged at midnight. Message2
+ * is logged at 00:01:00, when the interval is only 30 seconds, causing
+ * Message1 to be expired from the log message history. Then the interval
+ * is increased to 3000 (five minutes) and at 00:04:00 Message1 is logged
+ * again. It will appear the second time even though less than five
+ * passed since the first occurrence.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ */
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg);
+/*
+ * Get the current duplicate filtering interval.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * Returns:
+ * The current duplicate filtering interval.
+ */
+
+isc_result_t
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag);
+/*
+ * Set the program name or other identifier for ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ * lcfg is a valid logging configuration.
+ *
+ * Notes:
+ * If this function has not set the tag to a non-NULL, non-empty value,
+ * then the ISC_LOG_PRINTTAG channel flag will not print anything.
+ * Unlike some implementations of syslog on Unix systems, you *must* set
+ * the tag in order to get it logged. It is not implicitly derived from
+ * the program name (which is pretty impossible to infer portably).
+ *
+ * Setting the tag to NULL or the empty string will also cause the
+ * ISC_LOG_PRINTTAG channel flag to not print anything. If tag equals the
+ * empty string, calls to isc_log_gettag will return NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_NOMEMORY Resource Limit: Out of memory
+ *
+ * XXXDCL when creating a new isc_logconfig_t, it might be nice if the tag
+ * of the currently active isc_logconfig_t was inherited. this does not
+ * currently happen.
+ */
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg);
+/*
+ * Get the current identifier printed with ISC_LOG_PRINTTAG.
+ *
+ * Requires:
+ * lcfg is a valid logging configuration.
+ *
+ * Notes:
+ * Since isc_log_settag() will not associate a zero-length string
+ * with the logging configuration, attempts to do so will cause
+ * this function to return NULL. However, a determined programmer
+ * will observe that (currently) a tag of length greater than zero
+ * could be set, and then modified to be zero length.
+ *
+ * Returns:
+ * A pointer to the current identifier, or NULL if none has been set.
+ */
+
+void
+isc_log_opensyslog(const char *tag, int options, int facility);
+/*
+ * Initialize syslog logging.
+ *
+ * Notes:
+ * XXXDCL NT
+ * This is currently equivalent to openlog(), but is not going to remain
+ * that way. In the meantime, the arguments are all identical to
+ * those used by openlog(3), as follows:
+ * tag: The string to use in the position of the program
+ * name in syslog messages. Most (all?) syslogs
+ * will use basename(argv[0]) if tag is NULL.
+ *
+ * options: LOG_CONS, LOG_PID, LOG_NDELAY ... whatever your
+ * syslog supports.
+ *
+ * facility: The default syslog facility. This is irrelevant
+ * since isc_log_write will ALWAYS use the channel's
+ * declared facility.
+ *
+ * Zero effort has been made (yet) to accomodate systems with openlog()
+ * that only takes two arguments, or to identify valid syslog
+ * facilities or options for any given architecture.
+ *
+ * It is necessary to call isc_log_opensyslog() to initialize
+ * syslogging on machines which do not support network connections to
+ * syslogd because they require a Unix domain socket to be used. Since
+ * this is a chore to determine at run-time, it is suggested that it
+ * always be called by programs using the ISC logging system.
+ *
+ * Requires:
+ * Nothing.
+ *
+ * Ensures:
+ * openlog() is called to initialize the syslog system.
+ */
+
+void
+isc_log_closefilelogs(isc_log_t *lctx);
+/*
+ * Close all open files used by ISC_LOG_TOFILE channels.
+ *
+ * Notes:
+ * This function is provided for programs that want to use their own
+ * log rolling mechanism rather than the one provided internally.
+ * For example, a program that wanted to keep daily logs would define
+ * a channel which used ISC_LOG_ROLLNEVER, then once a day would
+ * rename the log file and call isc_log_closefilelogs().
+ *
+ * ISC_LOG_TOFILEDESC channels are unaffected.
+ *
+ * Requires:
+ * lctx is a valid context.
+ *
+ * Ensures:
+ * The open files are closed and will be reopened when they are
+ * next needed.
+ */
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name);
+/*
+ * Find a category by its name.
+ *
+ * Notes:
+ * The string name of a category is not required to be unique.
+ *
+ * Requires:
+ * lctx is a valid context.
+ * name is not NULL.
+ *
+ * Returns:
+ * A pointer to the _first_ isc_logcategory_t structure used by "name".
+ *
+ * NULL if no category exists by that name.
+ */
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name);
+/*
+ * Find a module by its name.
+ *
+ * Notes:
+ * The string name of a module is not required to be unique.
+ *
+ * Requires:
+ * lctx is a valid context.
+ * name is not NULL.
+ *
+ * Returns:
+ * A pointer to the _first_ isc_logmodule_t structure used by "name".
+ *
+ * NULL if no module exists by that name.
+ */
+
+void
+isc_log_setcontext(isc_log_t *lctx);
+/*
+ * Sets the context used by the libisc for logging.
+ *
+ * Requires:
+ * lctx be a valid context.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_LOG_H */
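Review bot: The contract for `isc_log_write()` and `isc_log_vwrite()` contradicts itself: the Notes say lctx can be NULL, while Requires says lctx is a valid logging context, so a library caller cannot tell whether passing NULL is safe or trips an assertion. If the Notes describe the intended behaviour (the implementation is not in this hunk), the Requires line should read `lctx is NULL or a valid logging context.` For the `isc_log_i[v]write[1]` family the format argument is only the default text and the catalog lookup can supply a different string, so `ISC_FORMAT_PRINTF(8, 9)` presumably checks the default alone; a sentence such as `Catalog entries must use the same conversion specifiers as the default format.` would document that. Smaller slips in the same file: `lcftp` for lcfgp in isc_logconfig_create, the isc_log_registermodules summary says "categories", the two duplicate-interval functions require `lctx` but take `lcfg`, and "3000 (five minutes)" should read 300.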
diff --git a/contrib/bind9/lib/isc/include/isc/magic.h b/contrib/bind9/lib/isc/include/isc/magic.h
new file mode 100644
index 0000000..729e512
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/magic.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: magic.h,v 1.11.206.1 2004/03/06 08:14:43 marka Exp $ */
+
+#ifndef ISC_MAGIC_H
+#define ISC_MAGIC_H 1
+
+typedef struct {
+ unsigned int magic;
+} isc__magic_t;
+
+
+/*
+ * To use this macro the magic number MUST be the first thing in the
+ * structure, and MUST be of type "unsigned int".
+ *
+ * The intent of this is to allow magic numbers to be checked even though
+ * the object is otherwise opaque.
+ */
+#define ISC_MAGIC_VALID(a,b) (((a) != NULL) && \
+ (((const isc__magic_t *)(a))->magic == (b)))
+
+#define ISC_MAGIC(a, b, c, d) ((a) << 24 | (b) << 16 | (c) << 8 | (d))
+
+#endif /* ISC_MAGIC_H */
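Review bot: `ISC_MAGIC` shifts its arguments as plain int, so a first byte of 0x80 or above would shift into the sign bit, which is undefined for signed int; ASCII tags avoid this, but nothing in the macro or its comment says so. Casting before the shift makes the result match the `unsigned int magic` field: `#define ISC_MAGIC(a, b, c, d) ((unsigned int)(a) << 24 | (unsigned int)(b) << 16 | (unsigned int)(c) << 8 | (unsigned int)(d))`. The comment above `ISC_MAGIC_VALID` could also state that the check is a sanity test on live objects only: it reads through the pointer, so it catches a destroyed object only if the destroy routine reset the magic field first (not visible in this hunk).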
diff --git a/contrib/bind9/lib/isc/include/isc/md5.h b/contrib/bind9/lib/isc/include/isc/md5.h
new file mode 100644
index 0000000..c6c3825
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/md5.h
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: md5.h,v 1.8.206.1 2004/03/06 08:14:43 marka Exp $ */
+
+/*
+ * This is the header file for the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest. This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ *
+ * Changed so as no longer to depend on Colin Plumb's `usual.h'
+ * header definitions; now uses stuff from dpkg's config.h
+ * - Ian Jackson <ijackson@nyx.cs.du.edu>.
+ * Still in the public domain.
+ */
+
+#ifndef ISC_MD5_H
+#define ISC_MD5_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_MD5_DIGESTLENGTH 16
+
+typedef struct {
+ isc_uint32_t buf[4];
+ isc_uint32_t bytes[2];
+ isc_uint32_t in[16];
+} isc_md5_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_md5_init(isc_md5_t *ctx);
+
+void
+isc_md5_invalidate(isc_md5_t *ctx);
+
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len);
+
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MD5_H */
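Review bot: `isc_md5_final()` takes `digest` with no length, and none of the four prototypes carries a contract comment, so the only statement of the required buffer size is the inherited remark about a "16-byte array" in the file header. A comment on the prototype such as `/* 'digest' must point to at least ISC_MD5_DIGESTLENGTH bytes. */` would put the requirement where callers look. The header text still names `MD5Context`, `MD5Init`, `MD5Update` and `MD5Final`, while this file declares `isc_md5_t` and the `isc_md5_*` functions. `isc_md5_invalidate()` is undocumented; presumably it clears the context, which matters when keyed material has been hashed, so that is worth confirming and stating.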
diff --git a/contrib/bind9/lib/isc/include/isc/mem.h b/contrib/bind9/lib/isc/include/isc/mem.h
new file mode 100644
index 0000000..301803e
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/mem.h
@@ -0,0 +1,452 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mem.h,v 1.54.12.3 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_MEM_H
+#define ISC_MEM_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISC_MEM_LOWATER 0
+#define ISC_MEM_HIWATER 1
+typedef void (*isc_mem_water_t)(void *, int);
+
+typedef void * (*isc_memalloc_t)(void *, size_t);
+typedef void (*isc_memfree_t)(void *, void *);
+
+/*
+ * Define ISC_MEM_DEBUG=1 to make all functions that free memory
+ * set the pointer being freed to NULL after being freed.
+ * This is the default; set ISC_MEM_DEBUG=0 to disable it.
+ */
+#ifndef ISC_MEM_DEBUG
+#define ISC_MEM_DEBUG 1
+#endif
+
+/*
+ * Define ISC_MEM_TRACKLINES=1 to turn on detailed tracing of memory
+ * allocation and freeing by file and line number.
+ */
+#ifndef ISC_MEM_TRACKLINES
+#define ISC_MEM_TRACKLINES 1
+#endif
+
+/*
+ * Define ISC_MEM_CHECKOVERRUN=1 to turn on checks for using memory outside
+ * the requested space. This will increase the size of each allocation.
+ */
+#ifndef ISC_MEM_CHECKOVERRUN
+#define ISC_MEM_CHECKOVERRUN 0
+#endif
+
+/*
+ * Define ISC_MEM_FILL=1 to fill each block of memory returned to the system
+ * with the byte string '0xbe'. This helps track down uninitialized pointers
+ * and the like. On freeing memory, the space is filled with '0xde' for
+ * the same reasons.
+ */
+#ifndef ISC_MEM_FILL
+#define ISC_MEM_FILL 1
+#endif
+
+/*
+ * Define ISC_MEMPOOL_NAMES=1 to make memory pools store a symbolic
+ * name so that the leaking pool can be more readily identified in
+ * case of a memory leak.
+ */
+#ifndef ISC_MEMPOOL_NAMES
+#define ISC_MEMPOOL_NAMES 1
+#endif
+
+LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
+#define ISC_MEM_DEBUGTRACE 0x00000001U
+#define ISC_MEM_DEBUGRECORD 0x00000002U
+#define ISC_MEM_DEBUGUSAGE 0x00000004U
+/*
+ * The variable isc_mem_debugging holds a set of flags for
+ * turning certain memory debugging options on or off at
+ * runtime. Its is intialized to the value ISC_MEM_DEGBUGGING,
+ * which is 0 by default but may be overridden at compile time.
+ * The following flags can be specified:
+ *
+ * ISC_MEM_DEBUGTRACE
+ * Log each allocation and free to isc_lctx.
+ *
+ * ISC_MEM_DEBUGRECORD
+ * Remember each allocation, and match them up on free.
+ * Crash if a free doesn't match an allocation.
+ *
+ * ISC_MEM_DEBUGUSAGE
+ * If a hi_water mark is set, print the maximium inuse memory
+ * every time it is raised once it exceeds the hi_water mark.
+ */
+
+#if ISC_MEM_TRACKLINES
+#define _ISC_MEM_FILELINE , __FILE__, __LINE__
+#define _ISC_MEM_FLARG , const char *, int
+#else
+#define _ISC_MEM_FILELINE
+#define _ISC_MEM_FLARG
+#endif
+
+#define isc_mem_get(c, s) isc__mem_get((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_strdup(c, p) isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE)
+
+/*
+ * isc_mem_putanddetach() is a convienence function for use where you
+ * have a structure with an attached memory context.
+ *
+ * Given:
+ *
+ * struct {
+ * ...
+ * isc_mem_t *mctx;
+ * ...
+ * } *ptr;
+ *
+ * isc_mem_t *mctx;
+ *
+ * isc_mem_putanddetach(&ptr->mctx, ptr, sizeof(*ptr));
+ *
+ * is the equivalent of:
+ *
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr));
+ * isc_mem_detach(&mctx);
+ */
+
+#if ISC_MEM_DEBUG
+#define isc_mem_put(c, p, s) \
+ do { \
+ isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE); \
+ (p) = NULL; \
+ } while (0)
+#define isc_mem_putanddetach(c, p, s) \
+ do { \
+ isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE); \
+ (p) = NULL; \
+ } while (0)
+#define isc_mem_free(c, p) \
+ do { \
+ isc__mem_free((c), (p) _ISC_MEM_FILELINE); \
+ (p) = NULL; \
+ } while (0)
+#define isc_mempool_put(c, p) \
+ do { \
+ isc__mempool_put((c), (p) _ISC_MEM_FILELINE); \
+ (p) = NULL; \
+ } while (0)
+#else
+#define isc_mem_put(c, p, s) isc__mem_put((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_putanddetach(c, p, s) \
+ isc__mem_putanddetach((c), (p), (s) _ISC_MEM_FILELINE)
+#define isc_mem_free(c, p) isc__mem_free((c), (p) _ISC_MEM_FILELINE)
+#define isc_mempool_put(c, p) isc__mempool_put((c), (p) _ISC_MEM_FILELINE)
+#endif
+
+isc_result_t
+isc_mem_create(size_t max_size, size_t target_size,
+ isc_mem_t **mctxp);
+
+isc_result_t
+isc_mem_createx(size_t max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree,
+ void *arg, isc_mem_t **mctxp);
+/*
+ * Create a memory context.
+ *
+ * 'max_size' and 'target_size' are tuning parameters. When
+ * ISC_MEM_USE_INTERNAL_MALLOC is true, allocations smaller than
+ * 'max_size' will be satisfied by getting blocks of size
+ * 'target_size' from the system allocator and breaking them up into
+ * pieces; larger allocations will use the system allocator directly.
+ * If 'max_size' and/or 'target_size' are zero, default values will be
+ * used. When ISC_MEM_USE_INTERNAL_MALLOC is false, 'target_size' is
+ * ignored.
+ *
+ * 'max_size' is also used to size the statistics arrays and the array
+ * used to record active memory when ISC_MEM_DEBUGRECORD is set. Settin
+ * 'max_size' too low can have detrimental effects on performance.
+ *
+ * A memory context created using isc_mem_createx() will obtain
+ * memory from the system by calling 'memalloc' and 'memfree',
+ * passing them the argument 'arg'. A memory context created
+ * using isc_mem_create() will use the standard library malloc()
+ * and free().
+ *
+ * Requires:
+ * mctxp != NULL && *mctxp == NULL */
+
+void
+isc_mem_attach(isc_mem_t *, isc_mem_t **);
+void
+isc_mem_detach(isc_mem_t **);
+/*
+ * Attach to / detach from a memory context.
+ *
+ * This is intended for applications that use multiple memory contexts
+ * in such a way that it is not obvious when the last allocations from
+ * a given context has been freed and destroying the context is safe.
+ *
+ * Most applications do not need to call these functions as they can
+ * simply create a single memory context at the beginning of main()
+ * and destroy it at the end of main(), thereby guaranteeing that it
+ * is not destroyed while there are outstanding allocations.
+ */
+
+void
+isc_mem_destroy(isc_mem_t **);
+/*
+ * Destroy a memory context.
+ */
+
+isc_result_t
+isc_mem_ondestroy(isc_mem_t *ctx,
+ isc_task_t *task,
+ isc_event_t **event);
+/*
+ * Request to be notified with an event when a memory context has
+ * been successfully destroyed.
+ */
+
+void
+isc_mem_stats(isc_mem_t *mctx, FILE *out);
+/*
+ * Print memory usage statistics for 'mctx' on the stream 'out'.
+ */
+
+void
+isc_mem_setdestroycheck(isc_mem_t *mctx,
+ isc_boolean_t on);
+/*
+ * Iff 'on' is ISC_TRUE, 'mctx' will check for memory leaks when
+ * destroyed and abort the program if any are present.
+ */
+
+void
+isc_mem_setquota(isc_mem_t *, size_t);
+size_t
+isc_mem_getquota(isc_mem_t *);
+/*
+ * Set/get the memory quota of 'mctx'. This is a hard limit
+ * on the amount of memory that may be allocated from mctx;
+ * if it is exceeded, allocations will fail.
+ */
+
+size_t
+isc_mem_inuse(isc_mem_t *mctx);
+/*
+ * Get an estimate of the number of memory in use in 'mctx', in bytes.
+ * This includes quantization overhead, but does not include memory
+ * allocated from the system but not yet used.
+ */
+
+void
+isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
+ size_t hiwater, size_t lowater);
+/*
+ * Set high and low water marks for this memory context. When the memory
+ * usage of 'mctx' exceeds 'hiwater', '(water)(water_arg, ISC_MEM_HIWATER)'
+ * will be called. When the usage drops below 'lowater', 'water' will
+ * again be called, this time with ISC_MEM_LOWATER.
+ *
+ * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
+ * ignored and the state is reset.
+ *
+ * Requires:
+ *
+ * 'water' is not NULL.
+ * hi_water >= lo_water
+ */
+
+/*
+ * Memory pools
+ */
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp);
+/*
+ * Create a memory pool.
+ *
+ * Requires:
+ * mctx is a valid memory context.
+ * size > 0
+ * mpctxp != NULL and *mpctxp == NULL
+ *
+ * Defaults:
+ * maxalloc = UINT_MAX
+ * freemax = 1
+ * fillcount = 1
+ *
+ * Returns:
+ * ISC_R_NOMEMORY -- not enough memory to create pool
+ * ISC_R_SUCCESS -- all is well.
+ */
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp);
+/*
+ * Destroy a memory pool.
+ *
+ * Requires:
+ * mpctxp != NULL && *mpctxp is a valid pool.
+ * The pool has no un"put" allocations outstanding
+ */
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name);
+/*
+ * Associate a name with a memory pool. At most 15 characters may be used.
+ *
+ * Requires:
+ * mpctx is a valid pool.
+ * name != NULL;
+ */
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
+/*
+ * Associate a lock with this memory pool.
+ *
+ * This lock is used when getting or putting items using this memory pool,
+ * and it is also used to set or get internal state via the isc_mempool_get*()
+ * and isc_mempool_set*() set of functions.
+ *
+ * Mutiple pools can each share a single lock. For instance, if "manager"
+ * type object contained pools for various sizes of events, and each of
+ * these pools used a common lock. Note that this lock must NEVER be used
+ * by other than mempool routines once it is given to a pool, since that can
+ * easily cause double locking.
+ *
+ * Requires:
+ *
+ * mpctpx is a valid pool.
+ *
+ * lock != NULL.
+ *
+ * No previous lock is assigned to this pool.
+ *
+ * The lock is initialized before calling this function via the normal
+ * means of doing that.
+ */
+
+/*
+ * The following functions get/set various parameters. Note that due to
+ * the unlocked nature of pools these are potentially random values unless
+ * the imposed externally provided locking protocols are followed.
+ *
+ * Also note that the quota limits will not always take immediate effect.
+ * For instance, setting "maxalloc" to a number smaller than the currently
+ * allocated count is permitted. New allocations will be refused until
+ * the count drops below this threshold.
+ *
+ * All functions require (in addition to other requirements):
+ * mpctx is a valid memory pool
+ */
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx);
+/*
+ * Returns the maximum allowed size of the free list.
+ */
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit);
+/*
+ * Sets the maximum allowed size of the free list.
+ */
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx);
+/*
+ * Returns current size of the free list.
+ */
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx);
+/*
+ * Returns the maximum allowed number of allocations.
+ */
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit);
+/*
+ * Sets the maximum allowed number of allocations.
+ *
+ * Additional requirements:
+ * limit > 0
+ */
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx);
+/*
+ * Returns the number of items allocated from this pool.
+ */
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx);
+/*
+ * Returns the number of items allocated as a block from the parent memory
+ * context when the free list is empty.
+ */
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit);
+/*
+ * Sets the fillcount.
+ *
+ * Additional requirements:
+ * limit > 0
+ */
+
+
+/*
+ * Pseudo-private functions for use via macros. Do not call directly.
+ */
+void *
+isc__mem_get(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void
+isc__mem_putanddetach(isc_mem_t **, void *,
+ size_t _ISC_MEM_FLARG);
+void
+isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+void *
+isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void
+isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
+char *
+isc__mem_strdup(isc_mem_t *, const char *_ISC_MEM_FLARG);
+void *
+isc__mempool_get(isc_mempool_t * _ISC_MEM_FLARG);
+void
+isc__mempool_put(isc_mempool_t *, void * _ISC_MEM_FLARG);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MEM_H */
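Review bot: The contract comment for `isc_mem_setwater()` contradicts itself: it says a NULL `water` resets the state, then lists `'water' is not NULL` under Requires, and it names `hi_water`/`lo_water` where the parameters are `hiwater`/`lowater`. If NULL is accepted, the Requires block could read `'water' is NULL, or hiwater >= lowater`. Separately, the `ISC_MEM_DEBUG` forms of `isc_mem_put`, `isc_mem_putanddetach`, `isc_mem_free` and `isc_mempool_put` assign `(p) = NULL`, so `p` must be an lvalue and is evaluated twice. Building with `ISC_MEM_DEBUG=0` leaves the caller's pointer dangling after the free, and a sentence next to the macros should say so. The `isc_mem_debugging` comment also appears to misspell the compile-time default as `ISC_MEM_DEGBUGGING`.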
diff --git a/contrib/bind9/lib/isc/include/isc/msgcat.h b/contrib/bind9/lib/isc/include/isc/msgcat.h
new file mode 100644
index 0000000..97839fa
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/msgcat.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: msgcat.h,v 1.8.206.1 2004/03/06 08:14:44 marka Exp $ */
+
+#ifndef ISC_MSGCAT_H
+#define ISC_MSGCAT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * ISC Message Catalog
+ *
+ * Message catalogs aid internationalization of applications by allowing
+ * messages to be retrieved from locale-specific files instead of
+ * hardwiring them into the application. This allows translations of
+ * messages appropriate to the locale to be supplied without recompiling
+ * the application.
+ *
+ * Notes:
+ * It's very important that message catalogs work, even if only the
+ * default_text can be used.
+ *
+ * MP:
+ * The caller must ensure appropriate synchronization of
+ * isc_msgcat_open() and isc_msgcat_close(). isc_msgcat_get()
+ * ensures appropriate synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/*****
+ ***** Imports
+ *****/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Methods
+ *****/
+
+void
+isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp);
+/*
+ * Open a message catalog.
+ *
+ * Notes:
+ *
+ * If memory cannot be allocated or other failures occur, *msgcatp
+ * will be set to NULL. If a NULL msgcat is given to isc_msgcat_get(),
+ * the default_text will be returned, ensuring that some message text
+ * will be available, no matter what's going wrong.
+ *
+ * Requires:
+ *
+ * 'name' is a valid string.
+ *
+ * msgcatp != NULL && *msgcatp == NULL
+ */
+
+void
+isc_msgcat_close(isc_msgcat_t **msgcatp);
+/*
+ * Close a message catalog.
+ *
+ * Notes:
+ *
+ * Any string pointers returned by prior calls to isc_msgcat_get() are
+ * invalid after isc_msgcat_close() has been called and must not be
+ * used.
+ *
+ * Requires:
+ *
+ * *msgcatp is a valid message catalog or is NULL.
+ *
+ * Ensures:
+ *
+ * All resources associated with the message catalog are released.
+ *
+ * *msgcatp == NULL
+ */
+
+const char *
+isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
+ const char *default_text);
+/*
+ * Get message 'message' from message set 'set' in 'msgcat'. If it
+ * is not available, use 'default_text'.
+ *
+ * Requires:
+ *
+ * 'msgcat' is a valid message catalog or is NULL.
+ *
+ * set > 0
+ *
+ * message > 0
+ *
+ * 'default_text' is a valid string.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MSGCAT_H */
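Review bot: The module header states "Security: No anticipated impact", but the catalog text comes from locale-specific files and replaces `default_text`, and the message list in msgs.h shows defaults containing printf conversions such as `%s` and `%p`. If callers pass the result of `isc_msgcat_get()` as a format string (not visible in this hunk), a catalog entry whose conversions differ from the default would be read against the wrong arguments. The Security paragraph could say so, for example `Catalog files must be trusted; translated text must keep the conversions of default_text.`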
diff --git a/contrib/bind9/lib/isc/include/isc/msgs.h b/contrib/bind9/lib/isc/include/isc/msgs.h
new file mode 100644
index 0000000..967005b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/msgs.h
@@ -0,0 +1,183 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: msgs.h,v 1.5.2.2.8.3 2004/03/06 08:14:44 marka Exp $ */
+
+#ifndef ISC_MSGS_H
+#define ISC_MSGS_H 1
+
+#include <isc/lib.h> /* Provide isc_msgcat global variable. */
+#include <isc/msgcat.h> /* Provide isc_msgcat_*() functions. */
+
+/*
+ * Message sets, named per source file, excepting "GENERAL".
+ * IMPORTANT: The original list is alphabetical, but any new sets must
+ * be added to the end.
+ */
+#define ISC_MSGSET_GENERAL 1
+/* ISC_RESULT_RESULTSET 2 */ /* XXX */
+/* ISC_RESULT_UNAVAILABLESET 3 */ /* XXX */
+#define ISC_MSGSET_APP 4
+#define ISC_MSGSET_COMMANDLINE 5
+#define ISC_MSGSET_ENTROPY 6
+#define ISC_MSGSET_IFITERIOCTL 7
+#define ISC_MSGSET_IFITERSYSCTL 8
+#define ISC_MSGSET_LEX 9
+#define ISC_MSGSET_LOG 10
+#define ISC_MSGSET_MEM 11
+#define ISC_MSGSET_NETADDR 12
+#define ISC_MSGSET_PRINT 13
+#define ISC_MSGSET_RESULT 14
+#define ISC_MSGSET_RWLOCK 15
+#define ISC_MSGSET_SOCKADDR 16
+#define ISC_MSGSET_SOCKET 17
+#define ISC_MSGSET_TASK 18
+#define ISC_MSGSET_TIMER 19
+#define ISC_MSGSET_UTIL 20
+#define ISC_MSGSET_IFITERGETIFADDRS 21
+
+/*
+ * Message numbers. They are only required to be unique per message set,
+ * but are unique throughout the entire catalog to not be as confusing when
+ * debugging.
+ *
+ * The initial numbering was done by multiply by 100 the set number the
+ * message appears in then adding the incremental message number.
+ */
+#define ISC_MSG_FAILED 101 /* "failed" */
+#define ISC_MSG_SUCCEEDED 102 /* Compatible with "failed" */
+#define ISC_MSG_SUCCESS 103 /* More usual way to say "success" */
+#define ISC_MSG_STARTING 104 /* As in "daemon: starting" */
+#define ISC_MSG_STOPING 105 /* As in "daemon: stopping" */
+#define ISC_MSG_ENTERING 106 /* As in "some_subr: entering" */
+#define ISC_MSG_EXITING 107 /* As in "some_subr: exiting" */
+#define ISC_MSG_CALLING 108 /* As in "calling some_subr()" */
+#define ISC_MSG_RETURNED 109 /* As in "some_subr: returned <foo>" */
+#define ISC_MSG_FATALERROR 110 /* "fatal error" */
+#define ISC_MSG_SHUTTINGDOWN 111 /* "shutting down" */
+#define ISC_MSG_RUNNING 112 /* "running" */
+#define ISC_MSG_WAIT 113 /* "wait" */
+#define ISC_MSG_WAITUNTIL 114 /* "waituntil" */
+
+#define ISC_MSG_SIGNALSETUP 201 /* "handle_signal() %d setup: %s" */
+
+#define ISC_MSG_ILLEGALOPT 301 /* "illegal option" */
+#define ISC_MSG_OPTNEEDARG 302 /* "option requires an argument" */
+
+#define ISC_MSG_ENTROPYSTATS 401 /* "Entropy pool %p: refcnt %u ..." */
+
+#define ISC_MSG_MAKESCANSOCKET 501 /* "making interface scan socket: %s" */
+#define ISC_MSG_GETIFCONFIG 502 /* "get interface configuration: %s" */
+#define ISC_MSG_BUFFERMAX 503 /* "... maximum buffer size exceeded" */
+#define ISC_MSG_GETDESTADDR 504 /* "%s: getting destination address: %s" */
+#define ISC_MSG_GETNETMASK 505 /* "%s: getting netmask: %s" */
+
+#define ISC_MSG_GETIFLISTSIZE 601 /* "getting interface list size: ..." */
+#define ISC_MSG_GETIFLIST 602 /* "getting interface list: ..." */
+#define ISC_MSG_UNEXPECTEDTYPE 603 /* "... unexpected ... message type" */
+
+#define ISC_MSG_UNEXPECTEDSTATE 701 /* "Unexpected state %d" */
+
+#define ISC_MSG_BADTIME 801 /* "Bad 00 99:99:99.999 " */
+#define ISC_MSG_LEVEL 802 /* "level %d: " */
+
+#define ISC_MSG_ADDTRACE 901 /* "add %p size %u " */
+#define ISC_MSG_DELTRACE 902 /* "del %p size %u " */
+#define ISC_MSG_POOLSTATS 903 /* "[Pool statistics]\n" */
+#define ISC_MSG_POOLNAME 904 /* "name" */
+#define ISC_MSG_POOLSIZE 905 /* "size" */
+#define ISC_MSG_POOLMAXALLOC 906 /* "maxalloc" */
+#define ISC_MSG_POOLALLOCATED 907 /* "allocated" */
+#define ISC_MSG_POOLFREECOUNT 908 /* "freecount" */
+#define ISC_MSG_POOLFREEMAX 909 /* "freemax" */
+#define ISC_MSG_POOLFILLCOUNT 910 /* "fillcount" */
+#define ISC_MSG_POOLGETS 911 /* "gets" */
+#define ISC_MSG_DUMPALLOC 912 /* "DUMP OF ALL OUTSTANDING MEMORY ..." */
+#define ISC_MSG_NONE 913 /* "\tNone.\n" */
+#define ISC_MSG_PTRFILELINE 914 /* "\tptr %p file %s line %u\n" */
+
+#define ISC_MSG_UNKNOWNADDR 1001 /* "<unknown address, family %u>" */
+
+#define ISC_MSG_NOLONGDBL 1104 /* "long doubles are not supported" */
+
+#define ISC_MSG_PRINTLOCK 1201 /* "rwlock %p thread %lu ..." */
+#define ISC_MSG_READ 1202 /* "read" */
+#define ISC_MSG_WRITE 1203 /* "write" */
+#define ISC_MSG_READING 1204 /* "reading" */
+#define ISC_MSG_WRITING 1205 /* "writing" */
+#define ISC_MSG_PRELOCK 1206 /* "prelock" */
+#define ISC_MSG_POSTLOCK 1207 /* "postlock" */
+#define ISC_MSG_PREUNLOCK 1208 /* "preunlock" */
+#define ISC_MSG_POSTUNLOCK 1209 /* "postunlock" */
+
+#define ISC_MSG_UNKNOWNFAMILY 1301 /* "unknown address family: %d" */
+
+#define ISC_MSG_WRITEFAILED 1401 /* "write() failed during watcher ..." */
+#define ISC_MSG_READFAILED 1402 /* "read() failed during watcher ... " */
+#define ISC_MSG_PROCESSCMSG 1403 /* "processing cmsg %p" */
+#define ISC_MSG_IFRECEIVED 1404 /* "interface received on ifindex %u" */
+#define ISC_MSG_SENDTODATA 1405 /* "sendto pktinfo data, ifindex %u" */
+#define ISC_MSG_DOIORECV 1406 /* "doio_recv: recvmsg(%d) %d bytes ..." */
+#define ISC_MSG_PKTRECV 1407 /* "packet received correctly" */
+#define ISC_MSG_DESTROYING 1408 /* "destroying" */
+#define ISC_MSG_CREATED 1409 /* "created" */
+#define ISC_MSG_ACCEPTLOCK 1410 /* "internal_accept called, locked ..." */
+#define ISC_MSG_ACCEPTEDCXN 1411 /* "accepted connection, new socket %p" */
+#define ISC_MSG_INTERNALRECV 1412 /* "internal_recv: task %p got event %p" */
+#define ISC_MSG_INTERNALSEND 1413 /* "internal_send: task %p got event %p" */
+#define ISC_MSG_WATCHERMSG 1414 /* "watcher got message %d" */
+#define ISC_MSG_SOCKETSREMAIN 1415 /* "sockets exist" */
+#define ISC_MSG_PKTINFOPROVIDED 1416 /* "pktinfo structure provided, ..." */
+#define ISC_MSG_BOUND 1417 /* "bound" */
+#define ISC_MSG_ACCEPTRETURNED 1418 /* accept() returned %d/%s */
+#define ISC_MSG_TOOMANYFDS 1419 /* %s: too many open file descriptors */
+#define ISC_MSG_ZEROPORT 1420 /* dropping source port zero packet */
+#define ISC_MSG_FILTER 1420 /* setsockopt(SO_ACCEPTFILTER): %s */
+
+#define ISC_MSG_AWAKE 1502 /* "awake" */
+#define ISC_MSG_WORKING 1503 /* "working" */
+#define ISC_MSG_EXECUTE 1504 /* "execute action" */
+#define ISC_MSG_EMPTY 1505 /* "empty" */
+#define ISC_MSG_DONE 1506 /* "done" */
+#define ISC_MSG_QUANTUM 1507 /* "quantum" */
+
+#define ISC_MSG_SCHEDULE 1601 /* "schedule" */
+#define ISC_MSG_SIGNALSCHED 1602 /* "signal (schedule)" */
+#define ISC_MSG_SIGNALDESCHED 1603 /* "signal (deschedule)" */
+#define ISC_MSG_SIGNALDESTROY 1604 /* "signal (destroy)" */
+#define ISC_MSG_IDLERESCHED 1605 /* "idle reschedule" */
+#define ISC_MSG_EVENTNOTALLOC 1606 /* "couldn't allocate event" */
+#define ISC_MSG_SCHEDFAIL 1607 /* "couldn't schedule timer: %u" */
+#define ISC_MSG_POSTING 1608 /* "posting" */
+#define ISC_MSG_WAKEUP 1609 /* "wakeup" */
+
+#define ISC_MSG_LOCK 1701 /* "LOCK" */
+#define ISC_MSG_LOCKING 1702 /* "LOCKING" */
+#define ISC_MSG_LOCKED 1703 /* "LOCKED" */
+#define ISC_MSG_UNLOCKED 1704 /* "UNLOCKED" */
+#define ISC_MSG_RWLOCK 1705 /* "RWLOCK" */
+#define ISC_MSG_RWLOCKED 1706 /* "RWLOCKED" */
+#define ISC_MSG_RWUNLOCK 1707 /* "RWUNLOCK" */
+#define ISC_MSG_BROADCAST 1708 /* "BROADCAST" */
+#define ISC_MSG_SIGNAL 1709 /* "SIGNAL" */
+#define ISC_MSG_UTILWAIT 1710 /* "WAIT" */
+#define ISC_MSG_WAITED 1711 /* "WAITED" */
+
+#define ISC_MSG_GETIFADDRS 1801 /* "getting interface addresses: ..." */
+
+
+#endif /* ISC_MSGS_H */
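Review bot: `ISC_MSG_FILTER` is defined as 1420, the same number as `ISC_MSG_ZEROPORT` on the line before it, which contradicts the comment above the list that message numbers are unique throughout the catalog. Both sit in the 14xx block, so if they are looked up in the same message set, a catalog could return only one text for the two messages. Giving the later one the next free number, `#define ISC_MSG_FILTER 1421`, would restore uniqueness. The comments on 1418–1420 also lack the quotes used on the other entries.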
diff --git a/contrib/bind9/lib/isc/include/isc/mutexblock.h b/contrib/bind9/lib/isc/include/isc/mutexblock.h
new file mode 100644
index 0000000..9bfd90c
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/mutexblock.h
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutexblock.h,v 1.10.206.1 2004/03/06 08:14:44 marka Exp $ */
+
+#ifndef ISC_MUTEXBLOCK_H
+#define ISC_MUTEXBLOCK_H 1
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count);
+/*
+ * Initialize a block of locks. If an error occurs all initialized locks
+ * will be destroyed, if possible.
+ *
+ * Requires:
+ *
+ * block != NULL
+ *
+ * count > 0
+ *
+ * Returns:
+ *
+ * Any code isc_mutex_init() can return is a valid return for this
+ * function.
+ */
+
+isc_result_t
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count);
+/*
+ * Destroy a block of locks.
+ *
+ * Requires:
+ *
+ * block != NULL
+ *
+ * count > 0
+ *
+ * Each lock in the block be initialized via isc_mutex_init() or
+ * the whole block was initialized via isc_mutex_initblock().
+ *
+ * Returns:
+ *
+ * Any code isc_mutex_init() can return is a valid return for this
+ * function.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_MUTEXBLOCK_H */
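Review bot: The comment on `isc_mutexblock_destroy()` refers to `isc_mutex_initblock()`, which this header does not declare; the function declared above is `isc_mutexblock_init()`. Its Returns paragraph also repeats "Any code isc_mutex_init() can return", which looks copied from the init function and presumably should name `isc_mutex_destroy()`. Suggested wording for the requirement: `Each lock in the block was initialized via isc_mutex_init(), or the whole block via isc_mutexblock_init().`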
diff --git a/contrib/bind9/lib/isc/include/isc/netaddr.h b/contrib/bind9/lib/isc/include/isc/netaddr.h
new file mode 100644
index 0000000..e209a9f
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/netaddr.h
@@ -0,0 +1,149 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netaddr.h,v 1.18.12.7 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_NETADDR_H
+#define ISC_NETADDR_H 1
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct isc_netaddr {
+ unsigned int family;
+ union {
+ struct in_addr in;
+ struct in6_addr in6;
+ } type;
+ isc_uint32_t zone;
+};
+
+isc_boolean_t
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
+
+isc_boolean_t
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+ unsigned int prefixlen);
+/*
+ * Compare the 'prefixlen' most significant bits of the network
+ * addresses 'a' and 'b'. Return ISC_TRUE if they are equal,
+ * ISC_FALSE if not.
+ */
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp);
+/*
+ * Convert a netmask in 's' into a prefix length in '*lenp'.
+ * The mask should consist of zero or more '1' bits in the most
+ * most significant part of the address, followed by '0' bits.
+ * If this is not the case, ISC_R_MASKNONCONTIG is returned.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_MASKNONCONTIG
+ */
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target);
+/*
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text is NOT null terminated. Handles IPv4 and IPv6 addresses.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE The text or the null termination did not fit.
+ * ISC_R_FAILURE Unspecified failure
+ */
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size);
+/*
+ * Format a human-readable representation of the network address '*na'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+#define ISC_NETADDR_FORMATSIZE \
+ sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX")
+/*
+ * Minimum size of array to pass to isc_netaddr_format().
+ */
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *netaddr, const isc_sockaddr_t *source);
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina);
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6);
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone);
+
+isc_uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr);
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr);
+/*
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr);
+/*
+ * Return the IPv6 wildcard address.
+ */
+
+isc_boolean_t
+isc_netaddr_ismulticast(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a multicast address.
+ */
+
+isc_boolean_t
+isc_netaddr_isexperimental(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
+ */
+
+isc_boolean_t
+isc_netaddr_islinklocal(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a link local address.
+ */
+
+isc_boolean_t
+isc_netaddr_issitelocal(isc_netaddr_t *na);
+/*
+ * Returns ISC_TRUE if the address is a site local address.
+ */
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
+/*
+ * Convert an IPv6 v4mapped address into an IPv4 address.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETADDR_H */
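Review bot: `ISC_NETADDR_FORMATSIZE` is sized for a bare IPv6 literal with an embedded IPv4 tail, but `struct isc_netaddr` also carries a `zone` field, so a formatter that appends a zone suffix to scoped addresses would be truncated in a buffer of the documented "minimum size" (the implementation is not in this hunk, so this is inferred). isc_netaddr_format() promises null termination, so the effect would be a silently shortened address in log lines or diagnostics, not an overflow. The comment under the macro should say whether room for the zone is included, or the literal should be enlarged to cover it. Separately, the isc_netaddr_totext() comment names 'sockaddr' where the parameter is 'netaddr', and it says the text is NOT null terminated while the ISC_R_NOSPACE line mentions "the null termination"; one of those two statements needs correcting.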
diff --git a/contrib/bind9/lib/isc/include/isc/netscope.h b/contrib/bind9/lib/isc/include/isc/netscope.h
new file mode 100644
index 0000000..7cc0f18
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/netscope.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netscope.h,v 1.4.142.5 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_NETSCOPE_H
+#define ISC_NETSCOPE_H 1
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Convert a string of an IPv6 scope zone to zone index. If the conversion
+ * succeeds, 'zoneid' will store the index value.
+ * XXXJT: when a standard interface for this purpose is defined,
+ * we should use it.
+ *
+ * Returns:
+ * ISC_R_SUCCESS: conversion succeeds
+ * ISC_R_FAILURE: conversion fails
+ */
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NETADDR_H */
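Review bot: This header is not self-contained: it uses `ISC_LANG_BEGINDECLS`, `isc_result_t` and `isc_uint32_t` but includes nothing, so it compiles only if the including file has already pulled in `<isc/lang.h>` and `<isc/types.h>`. The sibling headers in this import add both right after the guard, and this one should too. The closing guard comment reads `#endif /* ISC_NETADDR_H */` although the guard is `ISC_NETSCOPE_H`. The comment on isc_netscope_pton() also leaves 'af' and 'addr' undescribed and does not say whether '*zoneid' is written when ISC_R_FAILURE is returned; a line such as `'*zoneid' is unchanged on failure` (if that matches the implementation) would tell callers whether they may read it after an error.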
diff --git a/contrib/bind9/lib/isc/include/isc/ondestroy.h b/contrib/bind9/lib/isc/include/isc/ondestroy.h
new file mode 100644
index 0000000..a2c584a
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/ondestroy.h
@@ -0,0 +1,108 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ondestroy.h,v 1.7.206.1 2004/03/06 08:14:45 marka Exp $ */
+
+#ifndef ISC_ONDESTROY_H
+#define ISC_ONDESTROY_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * ondestroy handling.
+ *
+ * Any class ``X'' of objects that wants to send out notifications
+ * on its destruction should declare a field of type isc_ondestroy_t
+ * (call it 'ondest').
+ *
+ * typedef struct {
+ * ...
+ * isc_ondestroy_t ondest;
+ * ...
+ * } X;
+ *
+ * When an object ``A'' of type X is created
+ * it must initialize the field ondest with a call to
+ *
+ * isc_ondestroy_init(&A->ondest).
+ *
+ * X should also provide a registration function for third-party
+ * objects to call to register their interest in being told about
+ * the destruction of a particular instance of X.
+ *
+ * isc_result_t
+ * X_ondestroy(X *instance, isc_task_t *task,
+ * isc_event_t **eventp) {
+ * return(isc_ondestroy_register(&instance->ondest, task,eventp));
+ * }
+ *
+ * Note: locking of the ondestory structure embedded inside of X, is
+ * X's responsibility.
+ *
+ * When an instance of X is destroyed, a call to isc_ondestroy_notify()
+ * sends the notifications:
+ *
+ * X *instance;
+ * isc_ondestroy_t ondest = instance->ondest;
+ *
+ * ... completely cleanup 'instance' here...
+ *
+ * isc_ondestroy_notify(&ondest, instance);
+ *
+ *
+ * see dns/zone.c for an ifdef'd-out example.
+ */
+
+struct isc_ondestroy {
+ unsigned int magic;
+ isc_eventlist_t events;
+};
+
+void
+isc_ondestroy_init(isc_ondestroy_t *ondest);
+/*
+ * Initialize the on ondest structure. *must* be called before first call
+ * to isc_ondestroy_register().
+ */
+
+isc_result_t
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+ isc_event_t **eventp);
+
+/*
+ * Stores task and *eventp away inside *ondest. Ownership of **event is
+ * taken from the caller (and *eventp is set to NULL). The task is attached
+ * to.
+ */
+
+void
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender);
+/*
+ * Dispatches the event(s) to the task(s) that were given in
+ * isc_ondestroy_register call(s) (done via calls to
+ * isc_task_sendanddetach()). Before dispatch, the sender value of each
+ * event structure is set to the value of the sender paramater. The
+ * internal structures of the ondest parameter are cleaned out, so no other
+ * cleanup is needed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ONDESTROY_H */
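Review bot: isc_ondestroy_register() returns isc_result_t, yet its comment lists no return codes and does not say what happens to '*eventp' when registration fails. The success path is documented as taking ownership and setting '*eventp' to NULL, so a caller cannot tell from the header whether it must still free the event on error; a `Returns:` section plus one line on the failure case would settle that. The usage example copies `instance->ondest` by value before the instance is cleaned up and then notifies through the copy. A sentence saying the copy is deliberate, and that nothing may register on the original once it has been taken, would make the lifetime rule explicit. Typos in the block comment: "ondestory" and "paramater".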
diff --git a/contrib/bind9/lib/isc/include/isc/os.h b/contrib/bind9/lib/isc/include/isc/os.h
new file mode 100644
index 0000000..5c3bd62
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/os.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.5.206.1 2004/03/06 08:14:45 marka Exp $ */
+
+#ifndef ISC_OS_H
+#define ISC_OS_H 1
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+unsigned int
+isc_os_ncpus(void);
+/*
+ * Return the number of CPUs available on the system, or 1 if this cannot
+ * be determined.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_OS_H */
diff --git a/contrib/bind9/lib/isc/include/isc/parseint.h b/contrib/bind9/lib/isc/include/isc/parseint.h
new file mode 100644
index 0000000..c877131
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/parseint.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: parseint.h,v 1.2.202.4 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_PARSEINT_H
+#define ISC_PARSEINT_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Parse integers, in a saner way than atoi() or strtoul() do.
+ */
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_parse_uint32(isc_uint32_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint16(isc_uint16_t *uip, const char *string, int base);
+
+isc_result_t
+isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
+/*
+ * Parse the null-terminated string 'string' containing a base 'base'
+ * integer, storing the result in '*uip'. The base is interpreted
+ * as in strtoul(). Unlike strtoul(), leading whitespace, minus or
+ * plus signs are not accepted, and all errors (including overflow)
+ * are reported uniformly through the return value.
+ *
+ * Requires:
+ * 'string' points to a null-terminated string
+ * 0 <= 'base' <= 36
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_BADNUMBER The string is not numeric (in the given base)
+ * ISC_R_RANGE The number is not representable as the requested type.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PARSEINT_H */
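Review bot: The `Requires:` line `0 <= 'base' <= 36` admits base 1, which strtoul() does not define, and the comment defers to strtoul() for how 'base' is interpreted; it should read `'base' is 0, or 2 <= 'base' <= 36`. The block also omits `'uip' != NULL`. Because the single comment sits after isc_parse_uint8(), it is not obvious that it also covers isc_parse_uint32() and isc_parse_uint16(); a leading line such as `The following applies to all three isc_parse_uint*() functions.` would remove the doubt.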
diff --git a/contrib/bind9/lib/isc/include/isc/platform.h.in b/contrib/bind9/lib/isc/include/isc/platform.h.in
new file mode 100644
index 0000000..7a803d7
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/platform.h.in
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: platform.h.in,v 1.24.2.1.10.11 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_PLATFORM_H
+#define ISC_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Network.
+ ***/
+
+/*
+ * Define if this system needs the <netinet/in6.h> header file included
+ * for full IPv6 support (pretty much only UnixWare).
+ */
+@ISC_PLATFORM_NEEDNETINETIN6H@
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file included
+ * to support in6_pkinfo (pretty much only BSD/OS).
+ */
+@ISC_PLATFORM_NEEDNETINET6IN6H@
+
+/*
+ * If sockaddrs on this system have an sa_len field, ISC_PLATFORM_HAVESALEN
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVESALEN@
+
+/*
+ * If this system has the IPv6 structure definitions, ISC_PLATFORM_HAVEIPV6
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVEIPV6@
+
+/*
+ * If this system is missing in6addr_any, ISC_PLATFORM_NEEDIN6ADDRANY will
+ * be defined.
+ */
+@ISC_PLATFORM_NEEDIN6ADDRANY@
+
+/*
+ * If this system is missing in6addr_loopback, ISC_PLATFORM_NEEDIN6ADDRLOOPBACK
+ * will be defined.
+ */
+@ISC_PLATFORM_NEEDIN6ADDRLOOPBACK@
+
+/*
+ * If this system has in6_pktinfo, ISC_PLATFORM_HAVEIN6PKTINFO will be
+ * defined.
+ */
+@ISC_PLATFORM_HAVEIN6PKTINFO@
+
+/*
+ * If this system has in_addr6, rather than in6_addr, ISC_PLATFORM_HAVEINADDR6
+ * will be defined.
+ */
+@ISC_PLATFORM_HAVEINADDR6@
+
+/*
+ * If this system has sin6_scope_id, ISC_PLATFORM_HAVESCOPEID will be defined.
+ */
+@ISC_PLATFORM_HAVESCOPEID@
+
+/*
+ * If this system needs inet_ntop(), ISC_PLATFORM_NEEDNTOP will be defined.
+ */
+@ISC_PLATFORM_NEEDNTOP@
+
+/*
+ * If this system needs inet_pton(), ISC_PLATFORM_NEEDPTON will be defined.
+ */
+@ISC_PLATFORM_NEEDPTON@
+
+/*
+ * If this system needs inet_aton(), ISC_PLATFORM_NEEDATON will be defined.
+ */
+@ISC_PLATFORM_NEEDATON@
+
+/*
+ * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
+ */
+@ISC_PLATFORM_NEEDPORTT@
+
+/*
+ * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRSEP@
+
+/*
+ * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCPY@
+
+/*
+ * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ */
+@ISC_PLATFORM_NEEDSTRLCAT@
+
+/*
+ * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
+ */
+@ISC_PLATFORM_MSGHDRFLAVOR@
+
+/*
+ * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
+ * prevent compiler warnings (such as with gcc on Solaris 2.8).
+ */
+@ISC_PLATFORM_BRACEPTHREADONCEINIT@
+
+/*
+ * Define on some UnixWare systems to fix erroneous definitions of various
+ * IN6_IS_ADDR_* macros.
+ */
+@ISC_PLATFORM_FIXIN6ISADDR@
+
+/***
+ *** Printing.
+ ***/
+
+/*
+ * If this system needs vsnprintf() and snprintf(), ISC_PLATFORM_NEEDVSNPRINTF
+ * will be defined.
+ */
+@ISC_PLATFORM_NEEDVSNPRINTF@
+
+/*
+ * If this system need a modern sprintf() that returns (int) not (char*).
+ */
+@ISC_PLATFORM_NEEDSPRINTF@
+
+/*
+ * The printf format string modifier to use with isc_uint64_t values.
+ */
+@ISC_PLATFORM_QUADFORMAT@
+
+/*
+ * Defined if we are using threads.
+ */
+@ISC_PLATFORM_USETHREADS@
+
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
+ */
+@ISC_PLATFORM_NEEDSYSSELECTH@
+
+/*
+ * Type used for resource limits.
+ */
+@ISC_PLATFORM_RLIMITTYPE@
+
+/*
+ * Define if your compiler supports "long long int".
+ */
+@ISC_PLATFORM_HAVELONGLONG@
+
+/*
+ * Define if the system has struct lifconf which is a extended struct ifconf
+ * for IPv6.
+ */
+@ISC_PLATFORM_HAVELIFCONF@
+
+/*
+ * Define if the system has struct if_laddrconf which is a extended struct
+ * ifconf for IPv6.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRCONF@
+
+/*
+ * Define if the system has struct if_laddrreq.
+ */
+@ISC_PLATFORM_HAVEIF_LADDRREQ@
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+@ISC_PLATFORM_USEDECLSPEC@
+
+/*
+ * Define if the system supports if_nametoindex.
+ */
+@ISC_PLATFORM_HAVEIFNAMETOINDEX@
+
+/*
+ * Define if this system needs strtoul.
+ */
+@ISC_PLATFORM_NEEDSTRTOUL@
+
+/*
+ * Define if this system needs memmove.
+ */
+@ISC_PLATFORM_NEEDMEMMOVE@
+
+#ifndef ISC_PLATFORM_USEDECLSPEC
+#define LIBISC_EXTERNAL_DATA
+#define LIBDNS_EXTERNAL_DATA
+#define LIBISCCC_EXTERNAL_DATA
+#define LIBISCCFG_EXTERNAL_DATA
+#define LIBBIND9_EXTERNAL_DATA
+#else /* ISC_PLATFORM_USEDECLSPEC */
+#ifdef LIBISC_EXPORTS
+#define LIBISC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBDNS_EXPORTS
+#define LIBDNS_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBDNS_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBISCCC_EXPORTS
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCC_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBISCCFG_EXPORTS
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBISCCFG_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#ifdef LIBBIND9_EXPORTS
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBBIND9_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif /* ISC_PLATFORM_USEDECLSPEC */
+
+/*
+ * Tell emacs to use C mode for this file.
+ *
+ * Local Variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* ISC_PLATFORM_H */
diff --git a/contrib/bind9/lib/isc/include/isc/print.h b/contrib/bind9/lib/isc/include/isc/print.h
new file mode 100644
index 0000000..19da6b0
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/print.h
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: print.h,v 1.17.188.2 2004/03/06 08:14:46 marka Exp $ */
+
+#ifndef ISC_PRINT_H
+#define ISC_PRINT_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/formatcheck.h> /* Required for ISC_FORMAT_PRINTF() macro. */
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+/*
+ * This block allows lib/isc/print.c to be cleanly compiled even if
+ * the platform does not need it. The standard Makefile will still
+ * not compile print.c or archive print.o, so this is just to make test
+ * compilation ("make print.o") easier.
+ */
+#if !defined(ISC_PLATFORM_NEEDVSNPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDVSNPRINTF
+#endif
+
+#if !defined(ISC_PLATFORM_NEEDSPRINTF) && defined(ISC__PRINT_SOURCE)
+#define ISC_PLATFORM_NEEDSPRINTF
+#endif
+
+/***
+ *** Macros
+ ***/
+#define ISC_PRINT_QUADFORMAT ISC_PLATFORM_QUADFORMAT
+
+/***
+ *** Functions
+ ***/
+
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
+#include <stdarg.h>
+#include <stddef.h>
+#endif
+
+ISC_LANG_BEGINDECLS
+
+#ifdef ISC_PLATFORM_NEEDVSNPRINTF
+int
+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
+ ISC_FORMAT_PRINTF(3, 0);
+#define vsnprintf isc_print_vsnprintf
+
+int
+isc_print_snprintf(char *str, size_t size, const char *format, ...)
+ ISC_FORMAT_PRINTF(3, 4);
+#define snprintf isc_print_snprintf
+#endif /* ISC_PLATFORM_NEEDVSNPRINTF */
+
+#ifdef ISC_PLATFORM_NEEDSPRINTF
+int
+isc_print_sprintf(char *str, const char *format, ...) ISC_FORMAT_PRINTF(2, 3);
+#define sprintf isc_print_sprintf
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_PRINT_H */
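Review bot: The lines `#define vsnprintf isc_print_vsnprintf`, `#define snprintf isc_print_snprintf` and `#define sprintf isc_print_sprintf` rename standard library identifiers in every translation unit that includes this header, and nothing here says that include order matters. A system header processed afterwards that declares those functions would have its declarations renamed as well, which on the platforms these fallbacks target may conflict with the prototypes above (this is inferred; no such failure is shown in the hunk). A comment above the first macro stating the constraint, for example `/* Include after <stdio.h>: these macros redirect the standard names. */`, would document it. It would also help to note that the `sprintf` replacement is still unbounded, so the redirection changes the return type only and adds no length checking.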
diff --git a/contrib/bind9/lib/isc/include/isc/quota.h b/contrib/bind9/lib/isc/include/isc/quota.h
new file mode 100644
index 0000000..8647876
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/quota.h
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: quota.h,v 1.8.12.3 2004/03/08 09:04:52 marka Exp $ */
+
+#ifndef ISC_QUOTA_H
+#define ISC_QUOTA_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Quota
+ *
+ * The isc_quota_t object is a simple helper object for implementing
+ * quotas on things like the number of simultaneous connections to
+ * a server. It keeps track of the amount of quota in use, and
+ * encapsulates the locking necessary to allow multiple tasks to
+ * share a quota.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/types.h>
+
+/*****
+ ***** Types.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+struct isc_quota {
+ isc_mutex_t lock;
+ /* Locked by lock. */
+ int max;
+ int used;
+ isc_boolean_t soft;
+};
+
+isc_result_t
+isc_quota_init(isc_quota_t *quota, int max);
+/*
+ * Initialize a quota object.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * Other error Lock creation failed.
+ */
+
+void
+isc_quota_destroy(isc_quota_t *quota);
+/*
+ * Destroy a quota object.
+ */
+
+void
+isc_quota_soft(isc_quota_t *quota, isc_boolean_t soft);
+/*
+ * Turn on/off soft quotas.
+ */
+
+isc_result_t
+isc_quota_reserve(isc_quota_t *quota);
+/*
+ * Attempt to reserve one unit of 'quota'.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success
+ * ISC_R_SOFTQUOTA Success soft quota reached
+ * ISC_R_QUOTA Quota is full
+ */
+
+void
+isc_quota_release(isc_quota_t *quota);
+/*
+ * Release one unit of quota.
+ */
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
+/*
+ * Like isc_quota_reserve, and also attaches '*p' to the
+ * quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
+ */
+
+void
+isc_quota_detach(isc_quota_t **p);
+/*
+ * Like isc_quota_release, and also detaches '*p' from the
+ * quota.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_QUOTA_H */
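Review bot: isc_quota_reserve() lists ISC_R_SOFTQUOTA as a success, but the comment does not say that a unit is held in that case and must be returned with isc_quota_release(), which is what the word "Success" and the isc_quota_attach() comment imply. A caller that tests only for ISC_R_SUCCESS would treat the reservation as failed, never release it, and gradually exhaust a limit that exists to bound simultaneous connections. I would extend the `Returns:` entry to something like `ISC_R_SOFTQUOTA: one unit was reserved (soft limit reached); release it as for ISC_R_SUCCESS`. isc_quota_init() takes a signed 'max' with no `Requires:` line, so the meaning of zero or a negative limit cannot be read from the header, and isc_quota_destroy() does not say whether outstanding reservations are permitted.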
diff --git a/contrib/bind9/lib/isc/include/isc/random.h b/contrib/bind9/lib/isc/include/isc/random.h
new file mode 100644
index 0000000..ee416c5
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/random.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: random.h,v 1.11.206.1 2004/03/06 08:14:46 marka Exp $ */
+
+#ifndef ISC_RANDOM_H
+#define ISC_RANDOM_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Implements a random state pool which will let the caller return a
+ * series of possibly non-reproducable random values. Note that the
+ * strength of these numbers is not all that high, and should not be
+ * used in cryptography functions. It is useful for jittering values
+ * a bit here and there, such as timeouts, etc.
+ */
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_random_seed(isc_uint32_t seed);
+/*
+ * Set the initial seed of the random state.
+ */
+
+void
+isc_random_get(isc_uint32_t *val);
+/*
+ * Get a random value.
+ *
+ * Requires:
+ * val != NULL.
+ */
+
+isc_uint32_t
+isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter);
+/*
+ * Get a random value between (max - jitter) and (max).
+ * This is useful for jittering timer values.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RANDOM_H */
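Review bot: isc_random_jitter() takes two unsigned 32-bit values and is documented as returning a value between (max - jitter) and (max), but nothing says what happens when 'jitter' exceeds 'max', where that lower bound wraps in unsigned arithmetic. The comment needs either a `Requires: jitter <= max` line or a statement that the value is clamped; the implementation is not in this hunk, so I cannot tell which applies. The warning that these numbers must not be used in cryptography appears only in the file comment. Repeating it on isc_random_get(), for example `Not suitable where unpredictability matters; see the note at the top of this file.`, keeps it in front of callers who read only the prototype. isc_random_seed() should also state whether it may be called more than once.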
diff --git a/contrib/bind9/lib/isc/include/isc/ratelimiter.h b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
new file mode 100644
index 0000000..2acab34
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/ratelimiter.h
@@ -0,0 +1,132 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ratelimiter.h,v 1.13.14.3 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_RATELIMITER_H
+#define ISC_RATELIMITER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * A rate limiter is a mechanism for dispatching events at a limited
+ * rate. This is intended to be used when sending zone maintenance
+ * SOA queries, NOTIFY messages, etc.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Functions.
+ *****/
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+ isc_task_t *task, isc_ratelimiter_t **ratelimiterp);
+/*
+ * Create a rate limiter. The execution interval is initially undefined.
+ */
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
+/*
+ * Set the mininum interval between event executions.
+ * The interval value is copied, so the caller need not preserve it.
+ *
+ * Requires:
+ * '*interval' is a nonzero interval.
+ */
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t perint);
+/*
+ * Set the number of events processed per interval timer tick.
+ * If 'perint' is zero it is treated as 1.
+ */
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+ isc_event_t **eventp);
+/*
+ * Queue an event for rate-limited execution. This is similar
+ * to doing an isc_task_send() to the 'task', except that the
+ * execution may be delayed to achieve the desired rate of
+ * execution.
+ *
+ * '(*eventp)->ev_sender' is used to hold the task. The caller
+ * must ensure that the task exists until the event is delivered.
+ *
+ * Requires:
+ * An interval has been set by calling
+ * isc_ratelimiter_setinterval().
+ *
+ * 'task' to be non NULL.
+ * '(*eventp)->ev_sender' to be NULL.
+ */
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
+/*
+ * Shut down a rate limiter.
+ *
+ * Ensures:
+ * All events that have not yet been
+ * dispatched to the task are dispatched immediately with
+ * the ISC_EVENTATTR_CANCELED bit set in ev_attributes.
+ *
+ * Further attempts to enqueue events will fail with
+ * ISC_R_SHUTTINGDOWN.
+ *
+ * The reatelimiter is no longer attached to its task.
+ */
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target);
+/*
+ * Attach to a rate limiter.
+ */
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **ratelimiterp);
+/*
+ * Detach from a rate limiter.
+ */
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl);
+/*
+ * Stall event processing.
+ */
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl);
+/*
+ * Release a stalled rate limiter.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RATELIMITER_H */
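Review bot: isc_ratelimiter_enqueue() returns isc_result_t but its comment has no `Returns:` section, even though the isc_ratelimiter_shutdown() comment says later enqueues fail with ISC_R_SHUTTINGDOWN. The comment should list the codes and say whether '*eventp' still belongs to the caller on failure. The same comment makes the caller responsible for keeping 'task' alive until the event is delivered, since the pointer is kept in `ev_sender`; that belongs under `Requires:` rather than in the running text, because getting it wrong leaves a dangling task pointer. isc_ratelimiter_stall() and isc_ratelimiter_release() likewise return a result with no codes listed. Smaller points: the parameter of isc_ratelimiter_setpertic() is named 'perint', and the comments contain the typos "mininum" and "reatelimiter".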
diff --git a/contrib/bind9/lib/isc/include/isc/refcount.h b/contrib/bind9/lib/isc/include/isc/refcount.h
new file mode 100644
index 0000000..d2c7b6f
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/refcount.h
@@ -0,0 +1,164 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: refcount.h,v 1.3.2.2.2.2 2004/04/14 05:12:25 marka Exp $ */
+
+#ifndef ISC_REFCOUNT_H
+#define ISC_REFCOUNT_H 1
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/*
+ * Implements a locked reference counter. These functions may actually be
+ * implemented using macros, and implementations of these macros are below.
+ * The isc_refcount_t type should not be accessed directly, as its contents
+ * depend on the implementation.
+ */
+
+ISC_LANG_BEGINDECLS
+
+/*
+ * Function prototypes
+ */
+
+/*
+ * void
+ * isc_refcount_init(isc_refcount_t *ref, unsigned int n);
+ *
+ * Initialize the reference counter. There will be 'n' initial references.
+ *
+ * Requires:
+ * ref != NULL
+ */
+
+/*
+ * void
+ * isc_refcount_destroy(isc_refcount_t *ref);
+ *
+ * Destroys a reference counter.
+ *
+ * Requires:
+ * ref != NULL
+ * The number of references is 0.
+ */
+
+/*
+ * void
+ * isc_refcount_increment(isc_refcount_t *ref, unsigned int *targetp);
+ *
+ * Increments the reference count, returning the new value in targetp if it's
+ * not NULL.
+ *
+ * Requires:
+ * ref != NULL.
+ */
+
+/*
+ * void
+ * isc_refcount_decrement(isc_refcount_t *ref, unsigned int *targetp);
+ *
+ * Decrements the reference count, returning the new value in targetp if it's
+ * not NULL.
+ *
+ * Requires:
+ * ref != NULL.
+ */
+
+
+/*
+ * Sample implementations
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+
+typedef struct isc_refcount {
+ int refs;
+ isc_mutex_t lock;
+} isc_refcount_t;
+
+#define isc_refcount_init(rp, n) \
+ do { \
+ isc_result_t _r; \
+ (rp)->refs = (n); \
+ _r = isc_mutex_init(&(rp)->lock); \
+ RUNTIME_CHECK(_r == ISC_R_SUCCESS); \
+ } while (0)
+
+#define isc_refcount_destroy(rp) \
+ do { \
+ REQUIRE((rp)->refs == 0); \
+ DESTROYLOCK(&(rp)->lock); \
+ } while (0)
+
+#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+
+#define isc_refcount_increment(rp, tp) \
+ do { \
+ unsigned int *_tmp = (unsigned int *)(tp); \
+ LOCK(&(rp)->lock); \
+ REQUIRE((rp)->refs > 0); \
+ ++((rp)->refs); \
+ if (_tmp != NULL) \
+ *_tmp = ((rp)->refs); \
+ UNLOCK(&(rp)->lock); \
+ } while (0)
+
+#define isc_refcount_decrement(rp, tp) \
+ do { \
+ unsigned int *_tmp = (unsigned int *)(tp); \
+ LOCK(&(rp)->lock); \
+ REQUIRE((rp)->refs > 0); \
+ --((rp)->refs); \
+ if (_tmp != NULL) \
+ *_tmp = ((rp)->refs); \
+ UNLOCK(&(rp)->lock); \
+ } while (0)
+
+#else
+
+typedef struct isc_refcount {
+ int refs;
+} isc_refcount_t;
+
+#define isc_refcount_init(rp, n) ((rp)->refs = (n))
+#define isc_refcount_destroy(rp) (REQUIRE((rp)->refs == 0))
+#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+
+#define isc_refcount_increment(rp, tp) \
+ do { \
+ unsigned int *_tmp = (unsigned int *)(tp); \
+ int _n = ++(rp)->refs; \
+ if (_tmp != NULL) \
+ *_tmp = _n; \
+ } while (0)
+
+#define isc_refcount_decrement(rp, tp) \
+ do { \
+ unsigned int *_tmp = (unsigned int *)(tp); \
+ int _n = --(rp)->refs; \
+ if (_tmp != NULL) \
+ *_tmp = _n; \
+ } while (0)
+
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_REFCOUNT_H */
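Review bot: The non-threaded `isc_refcount_increment` and `isc_refcount_decrement` macros (the `#else` branch) omit the `REQUIRE((rp)->refs > 0)` check that the `ISC_PLATFORM_USETHREADS` versions make. An extra detach in a non-threaded build therefore drives `refs` negative without any assertion, and `*_tmp` receives the negative count converted to a large unsigned value. Mirroring the check makes both builds fail the same way on a reference-count bug, which matters because a missed underflow can end in a premature free: `int _n;` `REQUIRE((rp)->refs > 0);` `_n = --(rp)->refs;`, and the same with `++` in the increment macro. Neither variant bounds the `int` counter on increment, which deserves at least a comment in the header.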
diff --git a/contrib/bind9/lib/isc/include/isc/region.h b/contrib/bind9/lib/isc/include/isc/region.h
new file mode 100644
index 0000000..5622394
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/region.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: region.h,v 1.16.12.3 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_REGION_H
+#define ISC_REGION_H 1
+
+#include <isc/types.h>
+
+struct isc_region {
+ unsigned char * base;
+ unsigned int length;
+};
+
+struct isc_textregion {
+ char * base;
+ unsigned int length;
+};
+
+/* XXXDCL questionable ... bears discussion. we have been putting off
+ * discussing the region api.
+ */
+struct isc_constregion {
+ const void * base;
+ unsigned int length;
+};
+
+struct isc_consttextregion {
+ const char * base;
+ unsigned int length;
+};
+
+/*
+ * The region structure is not opaque, and is usually directly manipulated.
+ * Some macros are defined below for convenience.
+ */
+
+#define isc_region_consume(r,l) \
+ do { \
+ isc_region_t *_r = (r); \
+ unsigned int _l = (l); \
+ INSIST(_r->length >= _l); \
+ _r->base += _l; \
+ _r->length -= _l; \
+ } while (0)
+
+#define isc_textregion_consume(r,l) \
+ do { \
+ isc_textregion_t *_r = (r); \
+ unsigned int _l = (l); \
+ INSIST(_r->length >= _l); \
+ _r->base += _l; \
+ _r->length -= _l; \
+ } while (0)
+
+#define isc_constregion_consume(r,l) \
+ do { \
+ isc_constregion_t *_r = (r); \
+ unsigned int _l = (l); \
+ INSIST(_r->length >= _l); \
+ _r->base += _l; \
+ _r->length -= _l; \
+ } while (0)
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2);
+/*
+ * Compares the contents of two regions
+ *
+ * Requires:
+ * 'r1' is a valid region
+ * 'r2' is a valid region
+ *
+ * Returns:
+ * < 0 if r1 is lexicographically less than r2
+ * = 0 if r1 is lexicographically identical to r2
+ * > 0 if r1 is lexicographically greater than r2
+ */
+
+#endif /* ISC_REGION_H */
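Review bot: `isc_constregion_consume` does `_r->base += _l`, but `struct isc_constregion` declares `base` as `const void *`, and arithmetic on a void pointer is a compiler extension rather than standard C. The macro only fails to compile where it is expanded, so the problem stays hidden until a caller uses it with a strict compiler. Advancing through a byte pointer keeps the `INSIST(_r->length >= _l)` bound and is portable: `_r->base = (const unsigned char *)_r->base + _l;`. There is also no consume macro for `isc_consttextregion`, which a one-line comment could state is intentional.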
diff --git a/contrib/bind9/lib/isc/include/isc/resource.h b/contrib/bind9/lib/isc/include/isc/resource.h
new file mode 100644
index 0000000..2c2a829
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/resource.h
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resource.h,v 1.4.206.1 2004/03/06 08:14:47 marka Exp $ */
+
+#ifndef ISC_RESOURCE_H
+#define ISC_RESOURCE_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_RESOURCE_UNLIMITED ((isc_resourcevalue_t)ISC_UINT64_MAX)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value);
+/*
+ * Set the maximum limit for a system resource.
+ *
+ * Notes:
+ * If 'value' exceeds the maximum possible on the operating system,
+ * it is silently limited to that maximum -- or to "infinity", if
+ * the operating system has that concept. ISC_RESOURCE_UNLIMITED
+ * can be used to explicitly ask for the maximum.
+ *
+ * Requires:
+ * 'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ * ISC_R_NOTIMPLEMENTED 'resource' is not a type known by the OS.
+ * ISC_R_NOPERM The calling process did not have adequate permission
+ * to change the resource limit.
+ */
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value);
+/*
+ * Get the maximum limit for a system resource.
+ *
+ * Notes:
+ * 'value' is set to the maximum limit.
+ *
+ * ISC_RESOURCE_UNLIMITED is the maximum value of isc_resourcevalue_t.
+ *
+ * On many (all?) Unix systems, RLIM_INFINITY is a valid value that is
+ * significantly less than ISC_RESOURCE_UNLIMITED, but which in practice
+ * behaves the same.
+ *
+ * The current ISC libdns configuration file parser assigns a value
+ * of ISC_UINT32_MAX for a size_spec of "unlimited" and ISC_UNIT32_MAX - 1
+ * for "default", the latter of which is supposed to represent "the
+ * limit that was in force when the server started". Since these are
+ * valid values in the middle of the range of isc_resourcevalue_t,
+ * there is the possibility for confusion over what exactly those
+ * particular values are supposed to represent in a particular context --
+ * discrete integral values or generalized concepts.
+ *
+ * Requires:
+ * 'resource' is a valid member of the isc_resource_t enumeration.
+ *
+ * Returns:
+ * ISC_R_SUCCESS Success.
+ * ISC_R_NOTIMPLEMENTED 'resource' is not a type known by the OS.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESOURCE_H */
+
diff --git a/contrib/bind9/lib/isc/include/isc/result.h b/contrib/bind9/lib/isc/include/isc/result.h
new file mode 100644
index 0000000..93f7cef
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/result.h
@@ -0,0 +1,106 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.h,v 1.57.2.2.8.5 2004/05/15 03:46:13 jinmei Exp $ */
+
+#ifndef ISC_RESULT_H
+#define ISC_RESULT_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_R_SUCCESS 0 /* success */
+#define ISC_R_NOMEMORY 1 /* out of memory */
+#define ISC_R_TIMEDOUT 2 /* timed out */
+#define ISC_R_NOTHREADS 3 /* no available threads */
+#define ISC_R_ADDRNOTAVAIL 4 /* address not available */
+#define ISC_R_ADDRINUSE 5 /* address in use */
+#define ISC_R_NOPERM 6 /* permission denied */
+#define ISC_R_NOCONN 7 /* no pending connections */
+#define ISC_R_NETUNREACH 8 /* network unreachable */
+#define ISC_R_HOSTUNREACH 9 /* host unreachable */
+#define ISC_R_NETDOWN 10 /* network down */
+#define ISC_R_HOSTDOWN 11 /* host down */
+#define ISC_R_CONNREFUSED 12 /* connection refused */
+#define ISC_R_NORESOURCES 13 /* not enough free resources */
+#define ISC_R_EOF 14 /* end of file */
+#define ISC_R_BOUND 15 /* socket already bound */
+#define ISC_R_RELOAD 16 /* reload */
+#define ISC_R_LOCKBUSY 17 /* lock busy */
+#define ISC_R_EXISTS 18 /* already exists */
+#define ISC_R_NOSPACE 19 /* ran out of space */
+#define ISC_R_CANCELED 20 /* operation canceled */
+#define ISC_R_NOTBOUND 21 /* socket is not bound */
+#define ISC_R_SHUTTINGDOWN 22 /* shutting down */
+#define ISC_R_NOTFOUND 23 /* not found */
+#define ISC_R_UNEXPECTEDEND 24 /* unexpected end of input */
+#define ISC_R_FAILURE 25 /* generic failure */
+#define ISC_R_IOERROR 26 /* I/O error */
+#define ISC_R_NOTIMPLEMENTED 27 /* not implemented */
+#define ISC_R_UNBALANCED 28 /* unbalanced parentheses */
+#define ISC_R_NOMORE 29 /* no more */
+#define ISC_R_INVALIDFILE 30 /* invalid file */
+#define ISC_R_BADBASE64 31 /* bad base64 encoding */
+#define ISC_R_UNEXPECTEDTOKEN 32 /* unexpected token */
+#define ISC_R_QUOTA 33 /* quota reached */
+#define ISC_R_UNEXPECTED 34 /* unexpected error */
+#define ISC_R_ALREADYRUNNING 35 /* already running */
+#define ISC_R_IGNORE 36 /* ignore */
+#define ISC_R_MASKNONCONTIG 37 /* addr mask not contiguous */
+#define ISC_R_FILENOTFOUND 38 /* file not found */
+#define ISC_R_FILEEXISTS 39 /* file already exists */
+#define ISC_R_NOTCONNECTED 40 /* socket is not connected */
+#define ISC_R_RANGE 41 /* out of range */
+#define ISC_R_NOENTROPY 42 /* out of entropy */
+#define ISC_R_MULTICAST 43 /* invalid use of multicast */
+#define ISC_R_NOTFILE 44 /* not a file */
+#define ISC_R_NOTDIRECTORY 45 /* not a directory */
+#define ISC_R_QUEUEFULL 46 /* queue is full */
+#define ISC_R_FAMILYMISMATCH 47 /* address family mismatch */
+#define ISC_R_FAMILYNOSUPPORT 48 /* AF not supported */
+#define ISC_R_BADHEX 49 /* bad hex encoding */
+#define ISC_R_TOOMANYOPENFILES 50 /* too many open files */
+#define ISC_R_NOTBLOCKING 51 /* not blocking */
+#define ISC_R_UNBALANCEDQUOTES 52 /* unbalanced quotes */
+#define ISC_R_INPROGRESS 53 /* operation in progress */
+#define ISC_R_CONNECTIONRESET 54 /* connection reset */
+#define ISC_R_SOFTQUOTA 55 /* soft quota reached */
+#define ISC_R_BADNUMBER 56 /* not a valid number */
+#define ISC_R_DISABLED 57 /* disabled */
+#define ISC_R_MAXSIZE 58 /* max size */
+#define ISC_R_BADADDRESSFORM 59 /* invalid address format */
+
+/*
+ * Not a result code: the number of results.
+ */
+#define ISC_R_NRESULTS 60
+
+ISC_LANG_BEGINDECLS
+
+const char *
+isc_result_totext(isc_result_t);
+/*
+ * Convert an isc_result_t into a string message describing the result.
+ */
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults,
+ const char **text, isc_msgcat_t *msgcat, int set);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RESULT_H */
diff --git a/contrib/bind9/lib/isc/include/isc/resultclass.h b/contrib/bind9/lib/isc/include/isc/resultclass.h
new file mode 100644
index 0000000..adb5338
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/resultclass.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resultclass.h,v 1.11.206.1 2004/03/06 08:14:47 marka Exp $ */
+
+#ifndef ISC_RESULTCLASS_H
+#define ISC_RESULTCLASS_H 1
+
+/*****
+ ***** Registry of Predefined Result Type Classes
+ *****/
+
+/*
+ * A result class number is an unsigned 16 bit number. Each class may
+ * contain up to 65536 results. A result code is formed by adding the
+ * result number within the class to the class number multiplied by 65536.
+ */
+
+#define ISC_RESULTCLASS_FROMNUM(num) ((num) << 16)
+#define ISC_RESULTCLASS_TONUM(rclass) ((rclass) >> 16)
+#define ISC_RESULTCLASS_SIZE 65536
+#define ISC_RESULTCLASS_INCLASS(rclass, result) \
+ ((rclass) == ((result) & 0xFFFF0000))
+
+/*
+ * Classes < 1024 are reserved for ISC use.
+ */
+
+#define ISC_RESULTCLASS_ISC ISC_RESULTCLASS_FROMNUM(0)
+#define ISC_RESULTCLASS_DNS ISC_RESULTCLASS_FROMNUM(1)
+#define ISC_RESULTCLASS_DST ISC_RESULTCLASS_FROMNUM(2)
+#define ISC_RESULTCLASS_DNSRCODE ISC_RESULTCLASS_FROMNUM(3)
+#define ISC_RESULTCLASS_OMAPI ISC_RESULTCLASS_FROMNUM(4)
+#define ISC_RESULTCLASS_ISCCC ISC_RESULTCLASS_FROMNUM(5)
+
+/*
+ * Result classes >= 1024 and <= 65535 are reserved for application use.
+ */
+
+#endif /* ISC_RESULTCLASS_H */
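Review bot: `ISC_RESULTCLASS_FROMNUM(num)` shifts its argument in whatever type the caller passes, so an `int` class number of 32768 or more overflows a 32-bit signed `int` in `(num) << 16`, which is undefined behaviour. The comments in this header allow such values, since application classes run up to 65535. `ISC_RESULTCLASS_INCLASS` already compares against the unsigned constant `0xFFFF0000`, so doing the shift unsigned would be consistent: `#define ISC_RESULTCLASS_FROMNUM(num) ((unsigned int)(num) << 16)`. The header includes nothing, so the signedness of `isc_result_t` cannot be confirmed from here. The cast avoids depending on it.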
diff --git a/contrib/bind9/lib/isc/include/isc/rwlock.h b/contrib/bind9/lib/isc/include/isc/rwlock.h
new file mode 100644
index 0000000..44edfcc
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/rwlock.h
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rwlock.h,v 1.18.2.3.2.1 2004/03/06 08:14:47 marka Exp $ */
+
+#ifndef ISC_RWLOCK_H
+#define ISC_RWLOCK_H 1
+
+#include <isc/condition.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef enum {
+ isc_rwlocktype_none = 0,
+ isc_rwlocktype_read,
+ isc_rwlocktype_write
+} isc_rwlocktype_t;
+
+#ifdef ISC_PLATFORM_USETHREADS
+struct isc_rwlock {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mutex_t lock;
+ /* Locked by lock. */
+ isc_condition_t readable;
+ isc_condition_t writeable;
+ isc_rwlocktype_t type;
+
+ /* The number of threads that have the lock. */
+ unsigned int active;
+
+ /*
+ * The number of lock grants made since the lock was last switched
+ * from reading to writing or vice versa; used in determining
+ * when the quota is reached and it is time to switch.
+ */
+ unsigned int granted;
+
+ unsigned int readers_waiting;
+ unsigned int writers_waiting;
+ unsigned int read_quota;
+ unsigned int write_quota;
+ isc_rwlocktype_t original;
+};
+#else /* ISC_PLATFORM_USETHREADS */
+struct isc_rwlock {
+ unsigned int magic;
+ isc_rwlocktype_t type;
+ unsigned int active;
+};
+#endif /* ISC_PLATFORM_USETHREADS */
+
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+ unsigned int write_quota);
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type);
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl);
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_RWLOCK_H */
diff --git a/contrib/bind9/lib/isc/include/isc/serial.h b/contrib/bind9/lib/isc/include/isc/serial.h
new file mode 100644
index 0000000..cb054a6
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/serial.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: serial.h,v 1.9.206.1 2004/03/06 08:14:48 marka Exp $ */
+
+#ifndef ISC_SERIAL_H
+#define ISC_SERIAL_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/*
+ * Implement 32 bit serial space arithmetic comparision functions.
+ *
+ * Note: Undefined results are returned as ISC_FALSE.
+ */
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_boolean_t
+isc_serial_lt(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' < 'b' otherwise false.
+ */
+
+isc_boolean_t
+isc_serial_gt(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' > 'b' otherwise false.
+ */
+
+isc_boolean_t
+isc_serial_le(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' <= 'b' otherwise false.
+ */
+
+isc_boolean_t
+isc_serial_ge(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' >= 'b' otherwise false.
+ */
+
+isc_boolean_t
+isc_serial_eq(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' == 'b' otherwise false.
+ */
+
+isc_boolean_t
+isc_serial_ne(isc_uint32_t a, isc_uint32_t b);
+/*
+ * Return true if 'a' != 'b' otherwise false.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SERIAL_H */
diff --git a/contrib/bind9/lib/isc/include/isc/sha1.h b/contrib/bind9/lib/isc/include/isc/sha1.h
new file mode 100644
index 0000000..935578b
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/sha1.h
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISC_SHA1_H
+#define ISC_SHA1_H 1
+
+/* $Id: sha1.h,v 1.8.206.1 2004/03/06 08:14:48 marka Exp $ */
+
+/* $NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $ */
+
+/*
+ * SHA-1 in C
+ * By Steve Reid <steve@edmweb.com>
+ * 100% Public Domain
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#define ISC_SHA1_DIGESTLENGTH 20
+
+typedef struct {
+ isc_uint32_t state[5];
+ isc_uint32_t count[2];
+ unsigned char buffer[64];
+} isc_sha1_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_sha1_init(isc_sha1_t *ctx);
+
+void
+isc_sha1_invalidate(isc_sha1_t *ctx);
+
+void
+isc_sha1_update(isc_sha1_t *ctx, const unsigned char *data, unsigned int len);
+
+void
+isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SHA1_H */
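Review bot: The four SHA-1 prototypes carry no contract comments, and `isc_sha1_final()` writes through `digest` with no length parameter, so the required buffer size is left for the caller to guess. The size is presumably `ISC_SHA1_DIGESTLENGTH` (20), judging by the define above, but the header should say so, for example `/* 'digest' must point to at least ISC_SHA1_DIGESTLENGTH bytes. */` above `isc_sha1_final`. A line on `isc_sha1_invalidate()` would also help, stating whether it clears the context state and whether `ctx` may be reused afterwards without calling `isc_sha1_init()`. Neither can be determined from this header.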
diff --git a/contrib/bind9/lib/isc/include/isc/sockaddr.h b/contrib/bind9/lib/isc/include/isc/sockaddr.h
new file mode 100644
index 0000000..ffe4105
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/sockaddr.h
@@ -0,0 +1,202 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sockaddr.h,v 1.35.12.6 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_SOCKADDR_H
+#define ISC_SOCKADDR_H 1
+
+#include <isc/lang.h>
+#include <isc/net.h>
+#include <isc/types.h>
+
+struct isc_sockaddr {
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ } type;
+ unsigned int length; /* XXXRTH beginning? */
+ ISC_LINK(struct isc_sockaddr) link;
+};
+
+typedef ISC_LIST(struct isc_sockaddr) isc_sockaddrlist_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_boolean_t
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*
+ * Return ISC_TRUE iff the socket addresses 'a' and 'b' are equal.
+ */
+
+isc_boolean_t
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b);
+/*
+ * Return ISC_TRUE iff the address parts of the socket addresses
+ * 'a' and 'b' are equal, ignoring the ports.
+ */
+
+isc_boolean_t
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+ unsigned int prefixlen);
+/*
+ * Return ISC_TRUE iff the most significant 'prefixlen' bits of the
+ * socket addresses 'a' and 'b' are equal, ignoring the ports.
+ */
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only);
+/*
+ * Return a hash value for the socket address 'sockaddr'. If 'address_only'
+ * is ISC_TRUE, the hash value will not depend on the port.
+ *
+ * IPv6 addresses containing mapped IPv4 addresses generate the same hash
+ * value as the equivalent IPv4 address.
+ */
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr);
+/*
+ * Return the IPv4 wildcard address.
+ */
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr);
+/*
+ * Return the IPv6 wildcard address.
+ */
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int family);
+/*
+ * Set '*sockaddr' to the wildcard address of protocol family
+ * 'family'.
+ *
+ * Requires:
+ * 'family' is AF_INET or AF_INET6.
+ */
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+ in_port_t port);
+/*
+ * Construct an isc_sockaddr_t from an IPv4 address and port.
+ */
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+ in_port_t port);
+/*
+ * Construct an isc_sockaddr_t from an IPv6 address and port.
+ */
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+ in_port_t port);
+/*
+ * Construct an IPv6 isc_sockaddr_t representing a mapped IPv4 address.
+ */
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+ in_port_t port);
+/*
+ * Construct an isc_sockaddr_t from an isc_netaddr_t and port.
+ */
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr);
+/*
+ * Get the protocol family of 'sockaddr'.
+ *
+ * Requires:
+ *
+ * 'sockaddr' is a valid sockaddr with an address family of AF_INET
+ * or AF_INET6.
+ *
+ * Returns:
+ *
+ * The protocol family of 'sockaddr', e.g. PF_INET or PF_INET6.
+ */
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port);
+/*
+ * Set the port of 'sockaddr' to 'port'.
+ */
+
+in_port_t
+isc_sockaddr_getport(isc_sockaddr_t *sockaddr);
+/*
+ * Get the port stored in 'sockaddr'.
+ */
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target);
+/*
+ * Append a text representation of 'sockaddr' to the buffer 'target'.
+ * The text will include both the IP address (v4 or v6) and the port.
+ * The text is null terminated, but the terminating null is not
+ * part of the buffer's used region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOSPACE The text or the null termination did not fit.
+ */
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size);
+/*
+ * Format a human-readable representation of the socket address '*sa'
+ * into the character array 'array', which is of size 'size'.
+ * The resulting string is guaranteed to be null-terminated.
+ */
+
+isc_boolean_t
+isc_sockaddr_ismulticast(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a multicast address.
+ */
+
+isc_boolean_t
+isc_sockaddr_isexperimental(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a experimental (CLASS E) address.
+ */
+
+isc_boolean_t
+isc_sockaddr_islinklocal(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a link local addresss.
+ */
+
+isc_boolean_t
+isc_sockaddr_issitelocal(isc_sockaddr_t *sa);
+/*
+ * Returns ISC_TRUE if the address is a sitelocal address.
+ */
+
+#define ISC_SOCKADDR_FORMATSIZE \
+ sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX#YYYYY")
+/*
+ * Minimum size of array to pass to isc_sockaddr_format().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKADDR_H */
diff --git a/contrib/bind9/lib/isc/include/isc/socket.h b/contrib/bind9/lib/isc/include/isc/socket.h
new file mode 100644
index 0000000..9dcadb2
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/socket.h
@@ -0,0 +1,704 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: socket.h,v 1.54.12.4 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_SOCKET_H
+#define ISC_SOCKET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Sockets
+ *
+ * Provides TCP and UDP sockets for network I/O. The sockets are event
+ * sources in the task system.
+ *
+ * When I/O completes, a completion event for the socket is posted to the
+ * event queue of the task which requested the I/O.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Clients of this module must not be holding a socket's task's lock when
+ * making a call that affects that socket. Failure to follow this rule
+ * can result in deadlock.
+ *
+ * The caller must ensure that isc_socketmgr_destroy() is called only
+ * once for a given manager.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/time.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Constants
+ ***/
+
+/*
+ * Maximum number of buffers in a scatter/gather read/write. The operating
+ * system in use must support at least this number (plus one on some.)
+ */
+#define ISC_SOCKET_MAXSCATTERGATHER 8
+
+/***
+ *** Types
+ ***/
+
+struct isc_socketevent {
+ ISC_EVENT_COMMON(isc_socketevent_t);
+ isc_result_t result; /* OK, EOF, whatever else */
+ unsigned int minimum; /* minimum i/o for event */
+ unsigned int n; /* bytes read or written */
+ unsigned int offset; /* offset into buffer list */
+ isc_region_t region; /* for single-buffer i/o */
+ isc_bufferlist_t bufferlist; /* list of buffers */
+ isc_sockaddr_t address; /* source address */
+ isc_time_t timestamp; /* timestamp of packet recv */
+ struct in6_pktinfo pktinfo; /* ipv6 pktinfo */
+ isc_uint32_t attributes; /* see below */
+};
+
+typedef struct isc_socket_newconnev isc_socket_newconnev_t;
+struct isc_socket_newconnev {
+ ISC_EVENT_COMMON(isc_socket_newconnev_t);
+ isc_socket_t * newsocket;
+ isc_result_t result; /* OK, EOF, whatever else */
+ isc_sockaddr_t address; /* source address */
+};
+
+typedef struct isc_socket_connev isc_socket_connev_t;
+struct isc_socket_connev {
+ ISC_EVENT_COMMON(isc_socket_connev_t);
+ isc_result_t result; /* OK, EOF, whatever else */
+};
+
+/*
+ * _ATTACHED: Internal use only.
+ * _TRUNC: Packet was truncated on receive.
+ * _CTRUNC: Packet control information was truncated. This can
+ * indicate that the packet is not complete, even though
+ * all the data is valid.
+ * _TIMESTAMP: The timestamp member is valid.
+ * _PKTINFO: The pktinfo member is valid.
+ * _MULTICAST: The UDP packet was received via a multicast transmission.
+ */
+#define ISC_SOCKEVENTATTR_ATTACHED 0x80000000U /* internal */
+#define ISC_SOCKEVENTATTR_TRUNC 0x00800000U /* public */
+#define ISC_SOCKEVENTATTR_CTRUNC 0x00400000U /* public */
+#define ISC_SOCKEVENTATTR_TIMESTAMP 0x00200000U /* public */
+#define ISC_SOCKEVENTATTR_PKTINFO 0x00100000U /* public */
+#define ISC_SOCKEVENTATTR_MULTICAST 0x00080000U /* public */
+
+#define ISC_SOCKEVENT_ANYEVENT (0)
+#define ISC_SOCKEVENT_RECVDONE (ISC_EVENTCLASS_SOCKET + 1)
+#define ISC_SOCKEVENT_SENDDONE (ISC_EVENTCLASS_SOCKET + 2)
+#define ISC_SOCKEVENT_NEWCONN (ISC_EVENTCLASS_SOCKET + 3)
+#define ISC_SOCKEVENT_CONNECT (ISC_EVENTCLASS_SOCKET + 4)
+
+/*
+ * Internal events.
+ */
+#define ISC_SOCKEVENT_INTR (ISC_EVENTCLASS_SOCKET + 256)
+#define ISC_SOCKEVENT_INTW (ISC_EVENTCLASS_SOCKET + 257)
+
+typedef enum {
+ isc_sockettype_udp = 1,
+ isc_sockettype_tcp = 2
+} isc_sockettype_t;
+
+/*
+ * How a socket should be shutdown in isc_socket_shutdown() calls.
+ */
+#define ISC_SOCKSHUT_RECV 0x00000001 /* close read side */
+#define ISC_SOCKSHUT_SEND 0x00000002 /* close write side */
+#define ISC_SOCKSHUT_ALL 0x00000003 /* close them all */
+
+/*
+ * What I/O events to cancel in isc_socket_cancel() calls.
+ */
+#define ISC_SOCKCANCEL_RECV 0x00000001 /* cancel recv */
+#define ISC_SOCKCANCEL_SEND 0x00000002 /* cancel send */
+#define ISC_SOCKCANCEL_ACCEPT 0x00000004 /* cancel accept */
+#define ISC_SOCKCANCEL_CONNECT 0x00000008 /* cancel connect */
+#define ISC_SOCKCANCEL_ALL 0x0000000f /* cancel everything */
+
+/*
+ * Flags for isc_socket_send() and isc_socket_recv() calls.
+ */
+#define ISC_SOCKFLAG_IMMEDIATE 0x00000001 /* send event only if needed */
+#define ISC_SOCKFLAG_NORETRY 0x00000002 /* drop failed UDP sends */
+
+/***
+ *** Socket and Socket Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result.
+ ***/
+
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager,
+ int pf,
+ isc_sockettype_t type,
+ isc_socket_t **socketp);
+/*
+ * Create a new 'type' socket managed by 'manager'.
+ *
+ * Note:
+ *
+ * 'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
+ *
+ * Requires:
+ *
+ * 'manager' is a valid manager
+ *
+ * 'socketp' is a valid pointer, and *socketp == NULL
+ *
+ * Ensures:
+ *
+ * '*socketp' is attached to the newly created socket
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NORESOURCES
+ * ISC_R_UNEXPECTED
+ */
+
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task,
+ unsigned int how);
+/*
+ * Cancel pending I/O of the type specified by "how".
+ *
+ * Note: if "task" is NULL, then the cancel applies to all tasks using the
+ * socket.
+ *
+ * Requires:
+ *
+ * "socket" is a valid socket
+ *
+ * "task" is NULL or a valid task
+ *
+ * "how" is a bitmask describing the type of cancelation to perform.
+ * The type ISC_SOCKCANCEL_ALL will cancel all pending I/O on this
+ * socket.
+ *
+ * ISC_SOCKCANCEL_RECV:
+ * Cancel pending isc_socket_recv() calls.
+ *
+ * ISC_SOCKCANCEL_SEND:
+ * Cancel pending isc_socket_send() and isc_socket_sendto() calls.
+ *
+ * ISC_SOCKCANCEL_ACCEPT:
+ * Cancel pending isc_socket_accept() calls.
+ *
+ * ISC_SOCKCANCEL_CONNECT:
+ * Cancel pending isc_socket_connect() call.
+ */
+
+void
+isc_socket_shutdown(isc_socket_t *sock, unsigned int how);
+/*
+ * Shutdown 'socket' according to 'how'.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid socket.
+ *
+ * 'task' is NULL or is a valid task.
+ *
+ * If 'how' is 'ISC_SOCKSHUT_RECV' or 'ISC_SOCKSHUT_ALL' then
+ *
+ * The read queue must be empty.
+ *
+ * No further read requests may be made.
+ *
+ * If 'how' is 'ISC_SOCKSHUT_SEND' or 'ISC_SOCKSHUT_ALL' then
+ *
+ * The write queue must be empty.
+ *
+ * No further write requests may be made.
+ */
+
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp);
+/*
+ * Attach *socketp to socket.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid socket.
+ *
+ * 'socketp' points to a NULL socket.
+ *
+ * Ensures:
+ *
+ * *socketp is attached to socket.
+ */
+
+void
+isc_socket_detach(isc_socket_t **socketp);
+/*
+ * Detach *socketp from its socket.
+ *
+ * Requires:
+ *
+ * 'socketp' points to a valid socket.
+ *
+ * If '*socketp' is the last reference to the socket,
+ * then:
+ *
+ * There must be no pending I/O requests.
+ *
+ * Ensures:
+ *
+ * *socketp is NULL.
+ *
+ * If '*socketp' is the last reference to the socket,
+ * then:
+ *
+ * The socket will be shutdown (both reading and writing)
+ * for all tasks.
+ *
+ * All resources used by the socket have been freed
+ */
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*
+ * Bind 'socket' to '*addressp'.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid socket
+ *
+ * 'addressp' points to a valid isc_sockaddr.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOPERM
+ * ISC_R_ADDRNOTAVAIL
+ * ISC_R_ADDRINUSE
+ * ISC_R_BOUND
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter);
+/*
+ * Inform the kernel that it should perform accept filtering.
+ * If filter is NULL the current filter will be removed.:w
+ */
+
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog);
+/*
+ * Set listen mode on the socket. After this call, the only function that
+ * can be used (other than attach and detach) is isc_socket_accept().
+ *
+ * Notes:
+ *
+ * 'backlog' is as in the UNIX system call listen() and may be
+ * ignored by non-UNIX implementations.
+ *
+ * If 'backlog' is zero, a reasonable system default is used, usually
+ * SOMAXCONN.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid, bound TCP socket.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_accept(isc_socket_t *sock,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+/*
+ * Queue accept event. When a new connection is received, the task will
+ * get an ISC_SOCKEVENT_NEWCONN event with the sender set to the listen
+ * socket. The new socket structure is sent inside the isc_socket_newconnev_t
+ * event type, and is attached to the task 'task'.
+ *
+ * REQUIRES:
+ * 'socket' is a valid TCP socket that isc_socket_listen() was called
+ * on.
+ *
+ * 'task' is a valid task
+ *
+ * 'action' is a valid action
+ *
+ * RETURNS:
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addressp,
+ isc_task_t *task, isc_taskaction_t action,
+ const void *arg);
+/*
+ * Connect 'socket' to peer with address *saddr. When the connection
+ * succeeds, or when an error occurs, a CONNECT event with action 'action'
+ * and arg 'arg' will be posted to the event queue for 'task'.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid TCP socket
+ *
+ * 'addressp' points to a valid isc_sockaddr
+ *
+ * 'task' is a valid task
+ *
+ * 'action' is a valid action
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ *
+ * Posted event's result code:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_TIMEDOUT
+ * ISC_R_CONNREFUSED
+ * ISC_R_NETUNREACH
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*
+ * Get the name of the peer connected to 'socket'.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid TCP socket.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_TOOSMALL
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp);
+/*
+ * Get the name of 'socket'.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid socket.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_TOOSMALL
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+isc_result_t
+isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ unsigned int minimum,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_socketevent_t *event, unsigned int flags);
+
+/*
+ * Receive from 'socket', storing the results in region.
+ *
+ * Notes:
+ *
+ * Let 'length' refer to the length of 'region' or to the sum of all
+ * available regions in the list of buffers '*buflist'.
+ *
+ * If 'minimum' is non-zero and at least that many bytes are read,
+ * the completion event will be posted to the task 'task.' If minimum
+ * is zero, the exact number of bytes requested in the region must
+ * be read for an event to be posted. This only makes sense for TCP
+ * connections, and is always set to 1 byte for UDP.
+ *
+ * The read will complete when the desired number of bytes have been
+ * read, if end-of-input occurs, or if an error occurs. A read done
+ * event with the given 'action' and 'arg' will be posted to the
+ * event queue of 'task'.
+ *
+ * The caller may not modify 'region', the buffers which are passed
+ * into this function, or any data they refer to until the completion
+ * event is received.
+ *
+ * For isc_socket_recvv():
+ * On successful completion, '*buflist' will be empty, and the list of
+ * all buffers will be returned in the done event's 'bufferlist'
+ * member. On error return, '*buflist' will be unchanged.
+ *
+ * For isc_socket_recv2():
+ * 'event' is not NULL, and the non-socket specific fields are
+ * expected to be initialized.
+ *
+ * For isc_socket_recv2():
+ * The only defined value for 'flags' is ISC_SOCKFLAG_IMMEDIATE. If
+ * set and the operation completes, the return value will be
+ * ISC_R_SUCCESS and the event will be filled in and not sent. If the
+ * operation does not complete, the return value will be
+ * ISC_R_INPROGRESS and the event will be sent when the operation
+ * completes.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid, bound socket.
+ *
+ * For isc_socket_recv():
+ * 'region' is a valid region
+ *
+ * For isc_socket_recvv():
+ * 'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ * 'task' is a valid task
+ *
+ * For isc_socket_recv() and isc_socket_recvv():
+ * action != NULL and is a valid action
+ *
+ * For isc_socket_recv2():
+ * event != NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_INPROGRESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTED
+ * XXX needs other net-type errors
+ */
+
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg);
+isc_result_t
+isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo);
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ isc_socketevent_t *event, unsigned int flags);
+
+/*
+ * Send the contents of 'region' to the socket's peer.
+ *
+ * Notes:
+ *
+ * Shutting down the requestor's task *may* result in any
+ * still pending writes being dropped or completed, depending on the
+ * underlying OS implementation.
+ *
+ * If 'action' is NULL, then no completion event will be posted.
+ *
+ * The caller may not modify 'region', the buffers which are passed
+ * into this function, or any data they refer to until the completion
+ * event is received.
+ *
+ * For isc_socket_sendv() and isc_socket_sendtov():
+ * On successful completion, '*buflist' will be empty, and the list of
+ * all buffers will be returned in the done event's 'bufferlist'
+ * member. On error return, '*buflist' will be unchanged.
+ *
+ * For isc_socket_sendto2():
+ * 'event' is not NULL, and the non-socket specific fields are
+ * expected to be initialized.
+ *
+ * For isc_socket_sendto2():
+ * The only defined values for 'flags' are ISC_SOCKFLAG_IMMEDIATE
+ * and ISC_SOCKFLAG_NORETRY.
+ *
+ * If ISC_SOCKFLAG_IMMEDIATE is set and the operation completes, the
+ * return value will be ISC_R_SUCCESS and the event will be filled
+ * in and not sent. If the operation does not complete, the return
+ * value will be ISC_R_INPROGRESS and the event will be sent when
+ * the operation completes.
+ *
+ * ISC_SOCKFLAG_NORETRY can only be set for UDP sockets. If set
+ * and the send operation fails due to a transient error, the send
+ * will not be retried and the error will be indicated in the event.
+ * Using this option along with ISC_SOCKFLAG_IMMEDIATE allows the caller
+ * to specify a region that is allocated on the stack.
+ *
+ * Requires:
+ *
+ * 'socket' is a valid, bound socket.
+ *
+ * For isc_socket_send():
+ * 'region' is a valid region
+ *
+ * For isc_socket_sendv() and isc_socket_sendtov():
+ * 'buflist' is non-NULL, and '*buflist' contain at least one buffer.
+ *
+ * 'task' is a valid task
+ *
+ * For isc_socket_sendv(), isc_socket_sendtov(), isc_socket_send(), and
+ * isc_socket_sendto():
+ * action == NULL or is a valid action
+ *
+ * For isc_socket_sendto2():
+ * event != NULL
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_INPROGRESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ *
+ * Event results:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_UNEXPECTED
+ * XXX needs other net-type errors
+ */
+
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp);
+/*
+ * Create a socket manager.
+ *
+ * Notes:
+ *
+ * All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * 'managerp' points to a NULL isc_socketmgr_t.
+ *
+ * Ensures:
+ *
+ * '*managerp' is a valid isc_socketmgr_t.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp);
+/*
+ * Destroy a socket manager.
+ *
+ * Notes:
+ *
+ * This routine blocks until there are no sockets left in the manager,
+ * so if the caller holds any socket references using the manager, it
+ * must detach them before calling isc_socketmgr_destroy() or it will
+ * block forever.
+ *
+ * Requires:
+ *
+ * '*managerp' is a valid isc_socketmgr_t.
+ *
+ * All sockets managed by this manager are fully detached.
+ *
+ * Ensures:
+ *
+ * *managerp == NULL
+ *
+ * All resources used by the manager have been freed.
+ */
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock);
+/*
+ * Returns the socket type for "sock."
+ *
+ * Requires:
+ *
+ * "sock" is a valid socket.
+ */
+
+isc_boolean_t
+isc_socket_isbound(isc_socket_t *sock);
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes);
+/*
+ * If the socket is an IPv6 socket set/clear the IPV6_IPV6ONLY socket
+ * option if the host OS supports this option.
+ *
+ * Requires:
+ * 'sock' is a valid socket.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SOCKET_H */
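Review bot: Several contract comments in this header no longer match the prototypes they sit under: isc_socket_shutdown() requires `'task' is NULL or is a valid task` although it takes no task argument, isc_socket_connect() speaks of `*saddr` where the parameter is `addressp`, and the isc_socket_filter() comment ends in a stray `:w`. I would drop the 'task' line, write `Connect 'sock' to the peer with address '*addressp'.`, and end the filter comment at `... will be removed.`. isc_socket_filter() also lists no Requires or Returns and isc_socket_isbound() has no comment at all, so a caller cannot tell which isc_result_t values to handle or what state the socket must be in; each needs a short Requires/Returns block like its neighbours.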
diff --git a/contrib/bind9/lib/isc/include/isc/stdio.h b/contrib/bind9/lib/isc/include/isc/stdio.h
new file mode 100644
index 0000000..7dad284
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/stdio.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stdio.h,v 1.6.206.1 2004/03/06 08:14:48 marka Exp $ */
+
+#ifndef ISC_STDIO_H
+#define ISC_STDIO_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp);
+
+isc_result_t
+isc_stdio_close(FILE *f);
+
+isc_result_t
+isc_stdio_seek(FILE *f, long offset, int whence);
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f,
+ size_t *nret);
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+ size_t *nret);
+
+isc_result_t
+isc_stdio_flush(FILE *f);
+/*
+ * These functions are wrappers around the corresponding stdio functions,
+ * returning a detailed error code in the form of an an isc_result_t. ANSI C
+ * does not guarantee that stdio functions set errno, hence these functions
+ * must use platform dependent methods (e.g., the POSIX errno) to construct the
+ * error code.
+ */
+
+isc_result_t
+isc_stdio_sync(FILE *f);
+/*
+ * Invoke fsync() on the file descriptor underlying an stdio stream, or an
+ * equivalent system-dependent operation. Note that this function has no
+ * direct counterpart in the stdio library.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDIO_H */
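Review bot: The single comment describing the stdio wrappers sits after isc_stdio_flush(), so it reads as documenting flush only, and nothing says what isc_stdio_read() and isc_stdio_write() store in `*nret` on a short transfer or an error. Moving the block above isc_stdio_open() and adding a line such as `* '*nret' receives the number of items actually read or written.` would tell callers to check for partial I/O. What is stored on failure, and whether a NULL 'nret' is accepted, is not visible in this header and should be confirmed against the implementation before the comment is written. The same comment has a doubled word (`an an isc_result_t`).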
diff --git a/contrib/bind9/lib/isc/include/isc/stdlib.h b/contrib/bind9/lib/isc/include/isc/stdlib.h
new file mode 100644
index 0000000..7b75584
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/stdlib.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stdlib.h,v 1.1.32.2 2004/03/06 08:14:48 marka Exp $ */
+
+#ifndef ISC_STDLIB_H
+#define ISC_STDLIB_H 1
+
+#include <stdlib.h>
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#ifdef ISC_PLATFORM_NEEDSTRTOUL
+#define strtoul isc_strtoul
+#endif
+
+ISC_LANG_BEGINDECLS
+
+unsigned long isc_strtoul(const char *, char **, int);
+
+ISC_LANG_ENDDECLS
+
+#endif
diff --git a/contrib/bind9/lib/isc/include/isc/string.h b/contrib/bind9/lib/isc/include/isc/string.h
new file mode 100644
index 0000000..4fbfe19
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/string.h
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: string.h,v 1.9.164.3 2004/03/06 08:14:49 marka Exp $ */
+
+#ifndef ISC_STRING_H
+#define ISC_STRING_H 1
+
+#include <string.h>
+
+#include <isc/int.h>
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_uint64_t
+isc_string_touint64(char *source, char **endp, int base);
+/*
+ * Convert the string pointed to by 'source' to isc_uint64_t.
+ *
+ * On successful conversion 'endp' points to the first character
+ * after conversion is complete.
+ *
+ * 'base': 0 or 2..36
+ *
+ * If base is 0 the base is computed from the string type.
+ *
+ * On error 'endp' points to 'source'.
+ */
+
+
+char *
+isc_string_separate(char **stringp, const char *delim);
+
+#ifdef ISC_PLATFORM_NEEDSTRSEP
+#define strsep isc_string_separate
+#endif
+
+#ifdef ISC_PLATFORM_NEEDMEMMOVE
+#define memmove(a,b,c) bcopy(b,a,c)
+#endif
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size);
+
+
+#ifdef ISC_PLATFORM_NEEDSTRLCPY
+#define strlcpy isc_string_strlcpy
+#endif
+
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size);
+
+#ifdef ISC_PLATFORM_NEEDSTRLCAT
+#define strlcat isc_string_strlcat
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRING_H */
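Review bot: isc_string_strlcpy() and isc_string_strlcat() are declared without any contract comment, unlike isc_string_touint64() at the top of the header, so a caller cannot see from here how truncation is reported. Assuming they follow the BSD strlcpy()/strlcat() they are substituted for under ISC_PLATFORM_NEEDSTRLCPY and ISC_PLATFORM_NEEDSTRLCAT, each should get a comment saying that 'size' is the full size of 'dst', that the result is NUL-terminated when 'size' is non-zero, and that a return value `>= size` means the output was truncated. The isc_string_touint64() comment also leaves out what is returned on error or when the value does not fit in 64 bits, which matters to callers parsing untrusted text. Separately, `#define memmove(a,b,c) bcopy(b,a,c)` yields no value, so code that uses memmove()'s return value will not build on platforms that define ISC_PLATFORM_NEEDMEMMOVE.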
diff --git a/contrib/bind9/lib/isc/include/isc/symtab.h b/contrib/bind9/lib/isc/include/isc/symtab.h
new file mode 100644
index 0000000..d8dbd21
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/symtab.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1996-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: symtab.h,v 1.16.206.1 2004/03/06 08:14:49 marka Exp $ */
+
+#ifndef ISC_SYMTAB_H
+#define ISC_SYMTAB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Symbol Table
+ *
+ * Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings, and key comparisons are case-insenstive. A type may
+ * be specified when looking up, defining, or undefining. A type value of
+ * 0 means "match any type"; any other value will only match the given
+ * type.
+ *
+ * It's possible that a client will attempt to define a <key, type, value>
+ * tuple when a tuple with the given key and type already exists in the table.
+ * What to do in this case is specified by the client. Possible policies are:
+ *
+ * isc_symexists_reject Disallow the define, returning ISC_R_EXISTS
+ * isc_symexists_replace Replace the old value with the new. The
+ * undefine action (if provided) will be called
+ * with the old <key, type, value> tuple.
+ * isc_symexists_add Add the new tuple, leaving the old tuple in
+ * the table. Subsequent lookups will retrieve
+ * the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently defined
+ * symbol with that key. An undefine of a key using type 0 will undefine the
+ * most-recently defined symbol with that key. Trying to define a key with
+ * type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isc_symtab_define() will not
+ * change until it calls isc_symtab_undefine() or isc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol is
+ * undefined. It can be used to free memory associated with keys and/or
+ * values.
+ *
+ * MP:
+ * The callers of this module must ensure any required synchronization.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** Symbol Tables.
+ ***/
+
+typedef union isc_symvalue {
+ void * as_pointer;
+ int as_integer;
+ unsigned int as_uinteger;
+} isc_symvalue_t;
+
+typedef void (*isc_symtabaction_t)(char *key, unsigned int type,
+ isc_symvalue_t value, void *userarg);
+
+typedef enum {
+ isc_symexists_reject = 0,
+ isc_symexists_replace = 1,
+ isc_symexists_add = 2
+} isc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+ isc_symtabaction_t undefine_action, void *undefine_arg,
+ isc_boolean_t case_sensitive, isc_symtab_t **symtabp);
+
+void
+isc_symtab_destroy(isc_symtab_t **symtabp);
+
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+ isc_symvalue_t *value);
+
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+ isc_symvalue_t value, isc_symexists_t exists_policy);
+
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYMTAB_H */
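Review bot: The module comment says key comparisons are case-insensitive, but isc_symtab_create() takes an `isc_boolean_t case_sensitive` argument, so the header contradicts itself on how keys are matched. I would reword the sentence to `Keys are C strings; whether comparisons are case-sensitive is chosen by 'case_sensitive' at isc_symtab_create().`. None of the five prototypes carries a Requires/Returns block; at isc_symtab_define() it is worth repeating that the table keeps the caller's 'key' pointer rather than a copy, since freeing or reusing that storage before isc_symtab_undefine() or isc_symtab_destroy() leaves the table holding a stale pointer. The undefine action receives `char *key` while define takes `const char *key`; a one-line comment on isc_symtabaction_t saying the action may free the key would explain the difference.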
diff --git a/contrib/bind9/lib/isc/include/isc/task.h b/contrib/bind9/lib/isc/include/isc/task.h
new file mode 100644
index 0000000..0e8190a
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/task.h
@@ -0,0 +1,615 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: task.h,v 1.49.206.3 2004/03/09 05:21:09 marka Exp $ */
+
+#ifndef ISC_TASK_H
+#define ISC_TASK_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Task System
+ *
+ * The task system provides a lightweight execution context, which is
+ * basically an event queue. When a task's event queue is non-empty, the
+ * task is runnable. A small work crew of threads, typically one per CPU,
+ * execute runnable tasks by dispatching the events on the tasks' event
+ * queues. Context switching between tasks is fast.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * The caller must ensure that isc_taskmgr_destroy() is called only
+ * once for a given manager.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+#include <isc/stdtime.h>
+#include <isc/types.h>
+
+#define ISC_TASKEVENT_FIRSTEVENT (ISC_EVENTCLASS_TASK + 0)
+#define ISC_TASKEVENT_SHUTDOWN (ISC_EVENTCLASS_TASK + 1)
+#define ISC_TASKEVENT_LASTEVENT (ISC_EVENTCLASS_TASK + 65535)
+
+/*****
+ ***** Tasks.
+ *****/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+ isc_task_t **taskp);
+/*
+ * Create a task.
+ *
+ * Notes:
+ *
+ * If 'quantum' is non-zero, then only that many events can be dispatched
+ * before the task must yield to other tasks waiting to execute. If
+ * quantum is zero, then the default quantum of the task manager will
+ * be used.
+ *
+ * The 'quantum' option may be removed from isc_task_create() in the
+ * future. If this happens, isc_task_getquantum() and
+ * isc_task_setquantum() will be provided.
+ *
+ * Requires:
+ *
+ * 'manager' is a valid task manager.
+ *
+ * taskp != NULL && *taskp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*taskp' is bound to the new task.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ * ISC_R_SHUTTINGDOWN
+ */
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp);
+/*
+ * Attach *targetp to source.
+ *
+ * Requires:
+ *
+ * 'source' is a valid task.
+ *
+ * 'targetp' points to a NULL isc_task_t *.
+ *
+ * Ensures:
+ *
+ * *targetp is attached to source.
+ */
+
+void
+isc_task_detach(isc_task_t **taskp);
+/*
+ * Detach *taskp from its task.
+ *
+ * Requires:
+ *
+ * '*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ * *taskp is NULL.
+ *
+ * If '*taskp' is the last reference to the task, the task is idle (has
+ * an empty event queue), and has not been shutdown, the task will be
+ * shutdown.
+ *
+ * If '*taskp' is the last reference to the task and
+ * the task has been shutdown,
+ *
+ * All resources used by the task will be freed.
+ */
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp);
+/*
+ * Send '*event' to 'task'.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ * eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ * *eventp == NULL.
+ */
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp);
+/*
+ * Send '*event' to '*taskp' and then detach '*taskp' from its
+ * task.
+ *
+ * Requires:
+ *
+ * '*taskp' is a valid task.
+ * eventp != NULL && *eventp != NULL.
+ *
+ * Ensures:
+ *
+ * *eventp == NULL.
+ *
+ * *taskp == NULL.
+ *
+ * If '*taskp' is the last reference to the task, the task is
+ * idle (has an empty event queue), and has not been shutdown,
+ * the task will be shutdown.
+ *
+ * If '*taskp' is the last reference to the task and
+ * the task has been shutdown,
+ *
+ * All resources used by the task will be freed.
+ */
+
+/*
+ * Purging and Unsending
+ *
+ * Events which have been queued for a task but not delivered may be removed
+ * from the task's event queue by purging or unsending.
+ *
+ * With both types, the caller specifies a matching pattern that selects
+ * events based upon their sender, type, and tag.
+ *
+ * Purging calls isc_event_free() on the matching events.
+ *
+ * Unsending returns a list of events that matched the pattern.
+ * The caller is then responsible for them.
+ *
+ * Consumers of events should purge, not unsend.
+ *
+ * Producers of events often want to remove events when the caller indicates
+ * it is no longer interested in the object, e.g. by cancelling a timer.
+ * Sometimes this can be done by purging, but for some event types, the
+ * calls to isc_event_free() cause deadlock because the event free routine
+ * wants to acquire a lock the caller is already holding. Unsending instead
+ * of purging solves this problem. As a general rule, producers should only
+ * unsend events which they have sent.
+ */
+
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag);
+/*
+ * Purge events from a task's event queue.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * last >= first
+ *
+ * Ensures:
+ *
+ * Events in the event queue of 'task' whose sender is 'sender', whose
+ * type is >= first and <= last, and whose tag is 'tag' will be purged,
+ * unless they are marked as unpurgable.
+ *
+ * A sender of NULL will match any sender. A NULL tag matches any
+ * tag.
+ *
+ * Returns:
+ *
+ * The number of events purged.
+ */
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag);
+/*
+ * Purge events from a task's event queue.
+ *
+ * Notes:
+ *
+ * This function is equivalent to
+ *
+ * isc_task_purgerange(task, sender, type, type, tag);
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * Ensures:
+ *
+ * Events in the event queue of 'task' whose sender is 'sender', whose
+ * type is 'type', and whose tag is 'tag' will be purged, unless they
+ * are marked as unpurgable.
+ *
+ * A sender of NULL will match any sender. A NULL tag matches any
+ * tag.
+ *
+ * Returns:
+ *
+ * The number of events purged.
+ */
+
+isc_boolean_t
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event);
+/*
+ * Purge 'event' from a task's event queue.
+ *
+ * XXXRTH: WARNING: This method may be removed before beta.
+ *
+ * Notes:
+ *
+ * If 'event' is on the task's event queue, it will be purged,
+ * unless it is marked as unpurgeable. 'event' does not have to be
+ * on the task's event queue; in fact, it can even be an invalid
+ * pointer. Purging only occurs if the event is actually on the task's
+ * event queue.
+ *
+ * Purging never changes the state of the task.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * Ensures:
+ *
+ * 'event' is not in the event queue for 'task'.
+ *
+ * Returns:
+ *
+ * ISC_TRUE The event was purged.
+ * ISC_FALSE The event was not in the event queue,
+ * or was marked unpurgeable.
+ */
+
+unsigned int
+isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag, isc_eventlist_t *events);
+/*
+ * Remove events from a task's event queue.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * last >= first.
+ *
+ * *events is a valid list.
+ *
+ * Ensures:
+ *
+ * Events in the event queue of 'task' whose sender is 'sender', whose
+ * type is >= first and <= last, and whose tag is 'tag' will be dequeued
+ * and appended to *events.
+ *
+ * A sender of NULL will match any sender. A NULL tag matches any
+ * tag.
+ *
+ * Returns:
+ *
+ * The number of events unsent.
+ */
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events);
+/*
+ * Remove events from a task's event queue.
+ *
+ * Notes:
+ *
+ * This function is equivalent to
+ *
+ * isc_task_unsendrange(task, sender, type, type, tag, events);
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * *events is a valid list.
+ *
+ * Ensures:
+ *
+ * Events in the event queue of 'task' whose sender is 'sender', whose
+ * type is 'type', and whose tag is 'tag' will be dequeued and appended
+ * to *events.
+ *
+ * Returns:
+ *
+ * The number of events unsent.
+ */
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
+ const void *arg);
+/*
+ * Send a shutdown event with action 'action' and argument 'arg' when
+ * 'task' is shutdown.
+ *
+ * Notes:
+ *
+ * Shutdown events are posted in LIFO order.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * 'action' is a valid task action.
+ *
+ * Ensures:
+ *
+ * When the task is shutdown, shutdown events requested with
+ * isc_task_onshutdown() will be appended to the task's event queue.
+ *
+
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_TASKSHUTTINGDOWN Task is shutting down.
+ */
+
+void
+isc_task_shutdown(isc_task_t *task);
+/*
+ * Shutdown 'task'.
+ *
+ * Notes:
+ *
+ * Shutting down a task causes any shutdown events requested with
+ * isc_task_onshutdown() to be posted (in LIFO order). The task
+ * moves into a "shutting down" mode which prevents further calls
+ * to isc_task_onshutdown().
+ *
+ * Trying to shutdown a task that has already been shutdown has no
+ * effect.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ *
+ * Ensures:
+ *
+ * Any shutdown events requested with isc_task_onshutdown() have been
+ * posted (in LIFO order).
+ */
+
+void
+isc_task_destroy(isc_task_t **taskp);
+/*
+ * Destroy '*taskp'.
+ *
+ * Notes:
+ *
+ * This call is equivalent to:
+ *
+ * isc_task_shutdown(*taskp);
+ * isc_task_detach(taskp);
+ *
+ * Requires:
+ *
+ * '*taskp' is a valid task.
+ *
+ * Ensures:
+ *
+ * Any shutdown events requested with isc_task_onshutdown() have been
+ * posted (in LIFO order).
+ *
+ * *taskp == NULL
+ *
+ * If '*taskp' is the last reference to the task,
+ *
+ * All resources used by the task will be freed.
+ */
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag);
+/*
+ * Name 'task'.
+ *
+ * Notes:
+ *
+ * Only the first 15 characters of 'name' will be copied.
+ *
+ * Naming a task is currently only useful for debugging purposes.
+ *
+ * Requires:
+ *
+ * 'task' is a valid task.
+ */
+
+const char *
+isc_task_getname(isc_task_t *task);
+/*
+ * Get the name of 'task', as previously set using isc_task_setname().
+ *
+ * Notes:
+ * This function is for debugging purposes only.
+ *
+ * Requires:
+ * 'task' is a valid task.
+ *
+ * Returns:
+ * A non-NULL pointer to a null-terminated string.
+ * If the task has not been named, the string is
+ * empty.
+ *
+ */
+
+void *
+isc_task_gettag(isc_task_t *task);
+/*
+ * Get the tag value for 'task', as previously set using isc_task_settag().
+ *
+ * Notes:
+ * This function is for debugging purposes only.
+ *
+ * Requires:
+ * 'task' is a valid task.
+ */
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task);
+/*
+ * Request exclusive access for 'task', which must be the calling
+ * task. Waits for any other concurrently executing tasks to finish their
+ * current event, and prevents any new events from executing in any of the
+ * tasks sharing a task manager with 'task'.
+ *
+ * The exclusive access must be relinquished by calling
+ * isc_task_endexclusive() before returning from the current event handler.
+ *
+ * Requires:
+ * 'task' is the calling task.
+ *
+ * Returns:
+ * ISC_R_SUCCESS The current task now has exclusive access.
+ * ISC_R_LOCKBUSY Another task has already requested exclusive
+ * access.
+ */
+
+void
+isc_task_endexclusive(isc_task_t *task);
+/*
+ * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
+ * allowing other tasks to execute.
+ *
+ * Requires:
+ * 'task' is the calling task, and has obtained
+ * exclusive access by calling isc_task_spl().
+ */
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t);
+/*
+ * Provide the most recent timestamp on the task. The timestamp is considered
+ * as the "current time" in the second-order granularity.
+ *
+ * Requires:
+ * 'task' is a valid task.
+ * 't' is a valid non NULL pointer.
+ *
+ * Ensures:
+ * '*t' has the "current time".
+ */
+
+/*****
+ ***** Task Manager.
+ *****/
+
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum, isc_taskmgr_t **managerp);
+/*
+ * Create a new task manager.
+ *
+ * Notes:
+ *
+ * 'workers' in the number of worker threads to create. In general,
+ * the value should be close to the number of processors in the system.
+ * The 'workers' value is advisory only. An attempt will be made to
+ * create 'workers' threads, but if at least one thread creation
+ * succeeds, isc_taskmgr_create() may return ISC_R_SUCCESS.
+ *
+ * If 'default_quantum' is non-zero, then it will be used as the default
+ * quantum value when tasks are created. If zero, then an implementation
+ * defined default quantum will be used.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * workers > 0
+ *
+ * managerp != NULL && *managerp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*managerp' will be attached to the newly created task
+ * manager.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_NOTHREADS No threads could be created.
+ * ISC_R_UNEXPECTED An unexpected error occurred.
+ */
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp);
+/*
+ * Destroy '*managerp'.
+ *
+ * Notes:
+ *
+ * Calling isc_taskmgr_destroy() will shutdown all tasks managed by
+ * *managerp that haven't already been shutdown. The call will block
+ * until all tasks have entered the done state.
+ *
+ * isc_taskmgr_destroy() must not be called by a task event action,
+ * because it would block forever waiting for the event action to
+ * complete. An event action that wants to cause task manager shutdown
+ * should request some non-event action thread of execution to do the
+ * shutdown, e.g. by signalling a condition variable or using
+ * isc_app_shutdown().
+ *
+ * Task manager references are not reference counted, so the caller
+ * must ensure that no attempt will be made to use the manager after
+ * isc_taskmgr_destroy() returns.
+ *
+ * Requires:
+ *
+ * '*managerp' is a valid task manager.
+ *
+ * isc_taskmgr_destroy() has not be called previously on '*managerp'.
+ *
+ * Ensures:
+ *
+ * All resources used by the task manager, and any tasks it managed,
+ * have been freed.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TASK_H */
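Review bot: The Requires clause of isc_task_endexclusive() says exclusive access was obtained "by calling isc_task_spl()", but this header declares no such function; the call that grants it is isc_task_beginexclusive(), so the line should read `exclusive access by calling isc_task_beginexclusive().`. The pairing matters because, per the comment on isc_task_beginexclusive(), no new events run in any task sharing the manager until the access is relinquished, so a caller misled about the pairing can leave the whole manager stalled. Similarly, the isc_task_gettag() comment points to isc_task_settag(), while the only declaration here that takes a tag is isc_task_setname(). The isc_task_purgeevent() comment also lists as an Ensures that 'event' is not in the queue, which contradicts its own ISC_FALSE case for an event marked unpurgeable; I would reword it to `'event' is not in the event queue for 'task', unless it is marked unpurgeable.`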
diff --git a/contrib/bind9/lib/isc/include/isc/taskpool.h b/contrib/bind9/lib/isc/include/isc/taskpool.h
new file mode 100644
index 0000000..42066d2
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/taskpool.h
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: taskpool.h,v 1.8.206.1 2004/03/06 08:14:49 marka Exp $ */
+
+#ifndef ISC_TASKPOOL_H
+#define ISC_TASKPOOL_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Task Pool
+ *
+ * A task pool is a mechanism for sharing a small number of tasks
+ * among a large number of objects such that each object is
+ * assigned a unique task, but each task may be shared by several
+ * objects.
+ *
+ * Task pools are used to let objects that can exist in large
+ * numbers (e.g., zones) use tasks for synchronization without
+ * the memory overhead and unfair scheduling competition that
+ * could result from creating a separate task for each object.
+ */
+
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isc/task.h>
+
+ISC_LANG_BEGINDECLS
+
+/*****
+ ***** Types.
+ *****/
+
+typedef struct isc_taskpool isc_taskpool_t;
+
+/*****
+ ***** Functions.
+ *****/
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
+ unsigned int ntasks, unsigned int quantum,
+ isc_taskpool_t **poolp);
+/*
+ * Create a task pool of "ntasks" tasks, each with quantum
+ * "quantum".
+ *
+ * Requires:
+ *
+ * 'tmgr' is a valid task manager.
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * poolp != NULL && *poolp == NULL
+ *
+ * Ensures:
+ *
+ * On success, '*taskp' points to the new task pool.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS
+ * ISC_R_NOMEMORY
+ * ISC_R_UNEXPECTED
+ */
+
+void
+isc_taskpool_gettask(isc_taskpool_t *pool, unsigned int hash,
+ isc_task_t **targetp);
+/*
+ * Attach to the task corresponding to the hash value "hash".
+ */
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp);
+/*
+ * Destroy a task pool. The tasks in the pool are detached but not
+ * shut down.
+ *
+ * Requires:
+ * '*poolp' is a valid task pool.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TASKPOOL_H */
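Review bot: The Ensures clause of isc_taskpool_create() names '*taskp', which is not a parameter; the output argument is 'poolp', so it should read `On success, '*poolp' points to the new task pool.`. The Requires list also puts no lower bound on 'ntasks', and isc_taskpool_gettask() has no Requires section at all. If the implementation (not in this hunk) reduces 'hash' modulo the pool size, a pool created with ntasks == 0 would divide by zero. I would therefore state `ntasks > 0` on create and, on gettask, `'pool' is a valid task pool.` and `targetp != NULL && *targetp == NULL`; the last one mirrors isc_task_attach() and should be confirmed against the source.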
diff --git a/contrib/bind9/lib/isc/include/isc/timer.h b/contrib/bind9/lib/isc/include/isc/timer.h
new file mode 100644
index 0000000..be32911
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/timer.h
@@ -0,0 +1,336 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer.h,v 1.28.12.4 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_TIMER_H
+#define ISC_TIMER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Timers
+ *
+ * Provides timers which are event sources in the task system.
+ *
+ * Three types of timers are supported:
+ *
+ * 'ticker' timers generate a periodic tick event.
+ *
+ * 'once' timers generate an idle timeout event if they are idle for too
+ * long, and generate a life timeout event if their lifetime expires.
+ * They are used to implement both (possibly expiring) idle timers and
+ * 'one-shot' timers.
+ *
+ * 'limited' timers generate a periodic tick event until they reach
+ * their lifetime when they generate a life timeout event.
+ *
+ * 'inactive' timers generate no events.
+ *
+ * Timers can change type. It is typical to create a timer as
+ * an 'inactive' timer and then change it into a 'ticker' or
+ * 'once' timer.
+ *
+ * MP:
+ * The module ensures appropriate synchronization of data structures it
+ * creates and manipulates.
+ *
+ * Clients of this module must not be holding a timer's task's lock when
+ * making a call that affects that timer. Failure to follow this rule
+ * can result in deadlock.
+ *
+ * The caller must ensure that isc_timermgr_destroy() is called only
+ * once for a given manager.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * <TBS>
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/types.h>
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Types
+ ***/
+
+typedef enum {
+ isc_timertype_ticker = 0,
+ isc_timertype_once = 1,
+ isc_timertype_limited = 2,
+ isc_timertype_inactive = 3
+} isc_timertype_t;
+
+typedef struct isc_timerevent {
+ struct isc_event common;
+} isc_timerevent_t;
+
+#define ISC_TIMEREVENT_FIRSTEVENT (ISC_EVENTCLASS_TIMER + 0)
+#define ISC_TIMEREVENT_TICK (ISC_EVENTCLASS_TIMER + 1)
+#define ISC_TIMEREVENT_IDLE (ISC_EVENTCLASS_TIMER + 2)
+#define ISC_TIMEREVENT_LIFE (ISC_EVENTCLASS_TIMER + 3)
+#define ISC_TIMEREVENT_LASTEVENT (ISC_EVENTCLASS_TIMER + 65535)
+
+/***
+ *** Timer and Timer Manager Functions
+ ***
+ *** Note: all Ensures conditions apply only if the result is success for
+ *** those functions which return an isc_result_t.
+ ***/
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager,
+ isc_timertype_t type,
+ isc_time_t *expires,
+ isc_interval_t *interval,
+ isc_task_t *task,
+ isc_taskaction_t action,
+ const void *arg,
+ isc_timer_t **timerp);
+/*
+ * Create a new 'type' timer managed by 'manager'. The timers parameters
+ * are specified by 'expires' and 'interval'. Events will be posted to
+ * 'task' and when dispatched 'action' will be called with 'arg' as the
+ * arg value. The new timer is returned in 'timerp'.
+ *
+ * Notes:
+ *
+ * For ticker timers, the timer will generate a 'tick' event every
+ * 'interval' seconds. The value of 'expires' is ignored.
+ *
+ * For once timers, 'expires' specifies the time when a life timeout
+ * event should be generated. If 'expires' is 0 (the epoch), then no life
+ * timeout will be generated. 'interval' specifies how long the timer
+ * can be idle before it generates an idle timeout. If 0, then no
+ * idle timeout will be generated.
+ *
+ * If 'expires' is NULL, the epoch will be used.
+ *
+ * If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ * 'manager' is a valid manager
+ *
+ * 'task' is a valid task
+ *
+ * 'action' is a valid action
+ *
+ * 'expires' points to a valid time, or is NULL.
+ *
+ * 'interval' points to a valid interval, or is NULL.
+ *
+ * type == isc_timertype_inactive ||
+ * ('expires' and 'interval' are not both 0)
+ *
+ * 'timerp' is a valid pointer, and *timerp == NULL
+ *
+ * Ensures:
+ *
+ * '*timerp' is attached to the newly created timer
+ *
+ * The timer is attached to the task
+ *
+ * An idle timeout will not be generated until at least Now + the
+ * timer's interval if 'timer' is a once timer with a non-zero
+ * interval.
+ *
+ * Returns:
+ *
+ * Success
+ * No memory
+ * Unexpected error
+ */
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer,
+ isc_timertype_t type,
+ isc_time_t *expires,
+ isc_interval_t *interval,
+ isc_boolean_t purge);
+/*
+ * Change the timer's type, expires, and interval values to the given
+ * values. If 'purge' is TRUE, any pending events from this timer
+ * are purged from its task's event queue.
+ *
+ * Notes:
+ *
+ * If 'expires' is NULL, the epoch will be used.
+ *
+ * If 'interval' is NULL, the zero interval will be used.
+ *
+ * Requires:
+ *
+ * 'timer' is a valid timer
+ *
+ * The same requirements that isc_timer_create() imposes on 'type',
+ * 'expires' and 'interval' apply.
+ *
+ * Ensures:
+ *
+ * An idle timeout will not be generated until at least Now + the
+ * timer's interval if 'timer' is a once timer with a non-zero
+ * interval.
+ *
+ * Returns:
+ *
+ * Success
+ * No memory
+ * Unexpected error
+ */
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer);
+/*
+ * Set the last-touched time of 'timer' to the current time.
+ *
+ * Requires:
+ *
+ * 'timer' is a valid once timer.
+ *
+ * Ensures:
+ *
+ * An idle timeout will not be generated until at least Now + the
+ * timer's interval if 'timer' is a once timer with a non-zero
+ * interval.
+ *
+ * Returns:
+ *
+ * Success
+ * Unexpected error
+ */
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp);
+/*
+ * Attach *timerp to timer.
+ *
+ * Requires:
+ *
+ * 'timer' is a valid timer.
+ *
+ * 'timerp' points to a NULL timer.
+ *
+ * Ensures:
+ *
+ * *timerp is attached to timer.
+ */
+
+void
+isc_timer_detach(isc_timer_t **timerp);
+/*
+ * Detach *timerp from its timer.
+ *
+ * Requires:
+ *
+ * 'timerp' points to a valid timer.
+ *
+ * Ensures:
+ *
+ * *timerp is NULL.
+ *
+ * If '*timerp' is the last reference to the timer,
+ * then:
+ *
+ * The timer will be shutdown
+ *
+ * The timer will detach from its task
+ *
+ * All resources used by the timer have been freed
+ *
+ * Any events already posted by the timer will be purged.
+ * Therefore, if isc_timer_detach() is called in the context
+ * of the timer's task, it is guaranteed that no more
+ * timer event callbacks will run after the call.
+ */
+
+isc_result_t
+isc_timer_gettype(isc_timer_t *timer);
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp);
+/*
+ * Create a timer manager.
+ *
+ * Notes:
+ *
+ * All memory will be allocated in memory context 'mctx'.
+ *
+ * Requires:
+ *
+ * 'mctx' is a valid memory context.
+ *
+ * 'managerp' points to a NULL isc_timermgr_t.
+ *
+ * Ensures:
+ *
+ * '*managerp' is a valid isc_timermgr_t.
+ *
+ * Returns:
+ *
+ * Success
+ * No memory
+ * Unexpected error
+ */
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp);
+/*
+ * Destroy a timer manager.
+ *
+ * Notes:
+ *
+ * This routine blocks until there are no timers left in the manager,
+ * so if the caller holds any timer references using the manager, it
+ * must detach them before calling isc_timermgr_destroy() or it will
+ * block forever.
+ *
+ * Requires:
+ *
+ * '*managerp' is a valid isc_timermgr_t.
+ *
+ * Ensures:
+ *
+ * *managerp == NULL
+ *
+ * All resources used by the manager have been freed.
+ */
+
+void isc_timermgr_poke(isc_timermgr_t *m);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIMER_H */
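Review bot: isc_timer_gettype() is declared as returning isc_result_t and has no contract comment, although its name suggests it reports the timer's isc_timertype_t. A caller that trusts the prototype would compare the value against result codes, and isc_timertype_ticker is 0, which would read as success if ISC_R_SUCCESS is 0 (not shown in this hunk). If the definition in timer.c does return the type, the prototype should be `isc_timertype_t isc_timer_gettype(isc_timer_t *timer);` with a short Requires/Returns comment. isc_timermgr_poke() is likewise undocumented, and the module comment announces "Three types of timers" before listing four (ticker, once, limited, inactive).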
diff --git a/contrib/bind9/lib/isc/include/isc/types.h b/contrib/bind9/lib/isc/include/isc/types.h
new file mode 100644
index 0000000..fad77da
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/types.h
@@ -0,0 +1,103 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.32.2.3.2.1 2004/03/06 08:14:50 marka Exp $ */
+
+#ifndef ISC_TYPES_H
+#define ISC_TYPES_H 1
+
+/*
+ * OS-specific types, from the OS-specific include directories.
+ */
+#include <isc/int.h>
+#include <isc/offset.h>
+
+/*
+ * XXXDCL should isc_boolean_t be moved here, requiring an explicit include
+ * of <isc/boolean.h> when ISC_TRUE/ISC_FALSE/ISC_TF() are desired?
+ */
+#include <isc/boolean.h>
+/*
+ * XXXDCL This is just for ISC_LIST and ISC_LINK, but gets all of the other
+ * list macros too.
+ */
+#include <isc/list.h>
+
+/***
+ *** Core Types. Alphabetized by defined type.
+ ***/
+
+typedef struct isc_bitstring isc_bitstring_t;
+typedef struct isc_buffer isc_buffer_t;
+typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t;
+typedef struct isc_constregion isc_constregion_t;
+typedef struct isc_consttextregion isc_consttextregion_t;
+typedef struct isc_entropy isc_entropy_t;
+typedef struct isc_entropysource isc_entropysource_t;
+typedef struct isc_event isc_event_t;
+typedef ISC_LIST(isc_event_t) isc_eventlist_t;
+typedef unsigned int isc_eventtype_t;
+typedef isc_uint32_t isc_fsaccess_t;
+typedef struct isc_hash isc_hash_t;
+typedef struct isc_interface isc_interface_t;
+typedef struct isc_interfaceiter isc_interfaceiter_t;
+typedef struct isc_interval isc_interval_t;
+typedef struct isc_lex isc_lex_t;
+typedef struct isc_log isc_log_t;
+typedef struct isc_logcategory isc_logcategory_t;
+typedef struct isc_logconfig isc_logconfig_t;
+typedef struct isc_logmodule isc_logmodule_t;
+typedef struct isc_mem isc_mem_t;
+typedef struct isc_mempool isc_mempool_t;
+typedef struct isc_msgcat isc_msgcat_t;
+typedef struct isc_ondestroy isc_ondestroy_t;
+typedef struct isc_netaddr isc_netaddr_t;
+typedef struct isc_quota isc_quota_t;
+typedef struct isc_random isc_random_t;
+typedef struct isc_ratelimiter isc_ratelimiter_t;
+typedef struct isc_region isc_region_t;
+typedef isc_uint64_t isc_resourcevalue_t;
+typedef unsigned int isc_result_t;
+typedef struct isc_rwlock isc_rwlock_t;
+typedef struct isc_sockaddr isc_sockaddr_t;
+typedef struct isc_socket isc_socket_t;
+typedef struct isc_socketevent isc_socketevent_t;
+typedef struct isc_socketmgr isc_socketmgr_t;
+typedef struct isc_symtab isc_symtab_t;
+typedef struct isc_task isc_task_t;
+typedef ISC_LIST(isc_task_t) isc_tasklist_t;
+typedef struct isc_taskmgr isc_taskmgr_t;
+typedef struct isc_textregion isc_textregion_t;
+typedef struct isc_time isc_time_t;
+typedef struct isc_timer isc_timer_t;
+typedef struct isc_timermgr isc_timermgr_t;
+
+typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
+
+typedef enum {
+ isc_resource_coresize = 1,
+ isc_resource_cputime,
+ isc_resource_datasize,
+ isc_resource_filesize,
+ isc_resource_lockedmemory,
+ isc_resource_openfiles,
+ isc_resource_processes,
+ isc_resource_residentsize,
+ isc_resource_stacksize
+} isc_resource_t;
+
+#endif /* ISC_TYPES_H */
diff --git a/contrib/bind9/lib/isc/include/isc/util.h b/contrib/bind9/lib/isc/include/isc/util.h
new file mode 100644
index 0000000..c2798d6
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/util.h
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.21.12.5 2004/03/08 09:04:53 marka Exp $ */
+
+#ifndef ISC_UTIL_H
+#define ISC_UTIL_H 1
+
+/*
+ * NOTE:
+ *
+ * This file is not to be included from any <isc/???.h> (or other) library
+ * files.
+ *
+ * Including this file puts several macros in your name space that are
+ * not protected (as all the other ISC functions/macros do) by prepending
+ * ISC_ or isc_ to the name.
+ */
+
+/***
+ *** General Macros.
+ ***/
+
+/*
+ * Use this to hide unused function arguments.
+ *
+ * int
+ * foo(char *bar)
+ * {
+ * UNUSED(bar);
+ * }
+ */
+#define UNUSED(x) (void)(x)
+
+#define ISC_MAX(a, b) ((a) > (b) ? (a) : (b))
+#define ISC_MIN(a, b) ((a) < (b) ? (a) : (b))
+
+/*
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var) \
+ do { \
+ union { const void *k; void *v; } _u; \
+ _u.k = konst; \
+ var = _u.v; \
+ } while (0)
+
+/*
+ * Use this in translation units that would otherwise be empty, to
+ * suppress compiler warnings.
+ */
+#define EMPTY_TRANSLATION_UNIT static void isc__empty(void) { isc__empty(); }
+
+/*
+ * We use macros instead of calling the routines directly because
+ * the capital letters make the locking stand out.
+ *
+ * We RUNTIME_CHECK for success since in general there's no way
+ * for us to continue if they fail.
+ */
+
+#ifdef ISC_UTIL_TRACEON
+#define ISC_UTIL_TRACE(a) a
+#include <stdio.h> /* Required for fprintf/stderr when tracing. */
+#include <isc/msgs.h> /* Required for isc_msgcat when tracing. */
+#else
+#define ISC_UTIL_TRACE(a)
+#endif
+
+#include <isc/result.h> /* Contractual promise. */
+
+#define LOCK(lp) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_LOCKING, "LOCKING"), \
+ (lp), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_mutex_lock((lp)) == ISC_R_SUCCESS); \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_LOCKED, "LOCKED"), \
+ (lp), __FILE__, __LINE__)); \
+ } while (0)
+#define UNLOCK(lp) do { \
+ RUNTIME_CHECK(isc_mutex_unlock((lp)) == ISC_R_SUCCESS); \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_UNLOCKED, "UNLOCKED"), \
+ (lp), __FILE__, __LINE__)); \
+ } while (0)
+#define ISLOCKED(lp) (1)
+#define DESTROYLOCK(lp) \
+ RUNTIME_CHECK(isc_mutex_destroy((lp)) == ISC_R_SUCCESS)
+
+
+#define BROADCAST(cvp) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_BROADCAST, "BROADCAST"),\
+ (cvp), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_condition_broadcast((cvp)) == ISC_R_SUCCESS); \
+ } while (0)
+#define SIGNAL(cvp) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_SIGNAL, "SIGNAL"), \
+ (cvp), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_condition_signal((cvp)) == ISC_R_SUCCESS); \
+ } while (0)
+#define WAIT(cvp, lp) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_UTILWAIT, "WAIT"), \
+ (cvp), \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_LOCK, "LOCK"), \
+ (lp), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_condition_wait((cvp), (lp)) == ISC_R_SUCCESS); \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p %s %p %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_WAITED, "WAITED"), \
+ (cvp), \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_LOCKED, "LOCKED"), \
+ (lp), __FILE__, __LINE__)); \
+ } while (0)
+
+/*
+ * isc_condition_waituntil can return ISC_R_TIMEDOUT, so we
+ * don't RUNTIME_CHECK the result.
+ *
+ * XXX Also, can't really debug this then...
+ */
+
+#define WAITUNTIL(cvp, lp, tp) \
+ isc_condition_waituntil((cvp), (lp), (tp))
+
+#define RWLOCK(lp, t) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_RWLOCK, "RWLOCK"), \
+ (lp), (t), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_rwlock_lock((lp), (t)) == ISC_R_SUCCESS); \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_RWLOCKED, "RWLOCKED"), \
+ (lp), (t), __FILE__, __LINE__)); \
+ } while (0)
+#define RWUNLOCK(lp, t) do { \
+ ISC_UTIL_TRACE(fprintf(stderr, "%s %p, %d %s %d\n", \
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_UTIL, \
+ ISC_MSG_RWUNLOCK, "RWUNLOCK"), \
+ (lp), (t), __FILE__, __LINE__)); \
+ RUNTIME_CHECK(isc_rwlock_unlock((lp), (t)) == ISC_R_SUCCESS); \
+ } while (0)
+
+#define DESTROYMUTEXBLOCK(bp, n) \
+ RUNTIME_CHECK(isc_mutexblock_destroy((bp), (n)) == ISC_R_SUCCESS)
+
+/*
+ * List Macros.
+ */
+#include <isc/list.h> /* Contractual promise. */
+
+#define LIST(type) ISC_LIST(type)
+#define INIT_LIST(type) ISC_LIST_INIT(type)
+#define LINK(type) ISC_LINK(type)
+#define INIT_LINK(elt, link) ISC_LINK_INIT(elt, link)
+#define HEAD(list) ISC_LIST_HEAD(list)
+#define TAIL(list) ISC_LIST_TAIL(list)
+#define EMPTY(list) ISC_LIST_EMPTY(list)
+#define PREV(elt, link) ISC_LIST_PREV(elt, link)
+#define NEXT(elt, link) ISC_LIST_NEXT(elt, link)
+#define APPEND(list, elt, link) ISC_LIST_APPEND(list, elt, link)
+#define PREPEND(list, elt, link) ISC_LIST_PREPEND(list, elt, link)
+#define UNLINK(list, elt, link) ISC_LIST_UNLINK(list, elt, link)
+#define ENQUEUE(list, elt, link) ISC_LIST_APPEND(list, elt, link)
+#define DEQUEUE(list, elt, link) ISC_LIST_UNLINK(list, elt, link)
+#define INSERTBEFORE(li, b, e, ln) ISC_LIST_INSERTBEFORE(li, b, e, ln)
+#define INSERTAFTER(li, a, e, ln) ISC_LIST_INSERTAFTER(li, a, e, ln)
+#define APPENDLIST(list1, list2, link) ISC_LIST_APPENDLIST(list1, list2, link)
+
+/*
+ * Assertions
+ */
+#include <isc/assertions.h> /* Contractual promise. */
+
+#define REQUIRE(e) ISC_REQUIRE(e)
+#define ENSURE(e) ISC_ENSURE(e)
+#define INSIST(e) ISC_INSIST(e)
+#define INVARIANT(e) ISC_INVARIANT(e)
+
+/*
+ * Errors
+ */
+#include <isc/error.h> /* Contractual promise. */
+
+#define UNEXPECTED_ERROR isc_error_unexpected
+#define FATAL_ERROR isc_error_fatal
+#define RUNTIME_CHECK(cond) ISC_ERROR_RUNTIMECHECK(cond)
+
+/*
+ * Time
+ */
+#define TIME_NOW(tp) RUNTIME_CHECK(isc_time_now((tp)) == ISC_R_SUCCESS)
+
+#endif /* ISC_UTIL_H */
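Review bot: `ISLOCKED(lp)` expands to the constant `(1)` and has no comment, so an assertion such as `REQUIRE(ISLOCKED(&lock))` reads like a lock-ownership check but verifies nothing. A comment above the define would keep readers from relying on it, e.g. `/* Placeholder: always true; does not test whether lp is held. */`. The `ISC_MAX`/`ISC_MIN` defines could likewise note that each argument is evaluated twice, so arguments with side effects must not be passed.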
diff --git a/contrib/bind9/lib/isc/include/isc/version.h b/contrib/bind9/lib/isc/include/isc/version.h
new file mode 100644
index 0000000..3da836c
--- /dev/null
+++ b/contrib/bind9/lib/isc/include/isc/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.220.3 2004/03/08 09:04:54 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISC_EXTERNAL_DATA extern const char isc_version[];
+
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libinterface;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_librevision;
+LIBISC_EXTERNAL_DATA extern const unsigned int isc_libage;
diff --git a/contrib/bind9/lib/isc/inet_aton.c b/contrib/bind9/lib/isc/inet_aton.c
new file mode 100644
index 0000000..530b010
--- /dev/null
+++ b/contrib/bind9/lib/isc/inet_aton.c
@@ -0,0 +1,195 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1996-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 1983, 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * Portions Copyright (c) 1993 by Digital Equipment Corporation.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies, and that
+ * the name of Digital Equipment Corporation not be used in advertising or
+ * publicity pertaining to distribution of the document or software without
+ * specific, written prior permission.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+ * CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)inet_addr.c 8.1 (Berkeley) 6/17/93";
+static char rcsid[] = "$Id: inet_aton.c,v 1.15.12.3 2004/03/08 09:04:49 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stddef.h> /* Required for NULL. */
+
+#include <isc/types.h>
+#include <isc/net.h>
+
+/*
+ * Check whether "cp" is a valid ascii representation
+ * of an Internet address and convert to a binary address.
+ * Returns 1 if the address is valid, 0 if not.
+ * This replaces inet_addr, the return value from which
+ * cannot distinguish between failure and a local broadcast address.
+ */
+int
+isc_net_aton(const char *cp, struct in_addr *addr) {
+ unsigned long val;
+ int base, n;
+ unsigned char c;
+ isc_uint8_t parts[4];
+ isc_uint8_t *pp = parts;
+ int digit;
+
+ c = *cp;
+ for (;;) {
+ /*
+ * Collect number up to ``.''.
+ * Values are specified as for C:
+ * 0x=hex, 0=octal, isdigit=decimal.
+ */
+ if (!isdigit(c & 0xff))
+ return (0);
+ val = 0; base = 10; digit = 0;
+ if (c == '0') {
+ c = *++cp;
+ if (c == 'x' || c == 'X')
+ base = 16, c = *++cp;
+ else {
+ base = 8;
+ digit = 1;
+ }
+ }
+ for (;;) {
+ /*
+ * isascii() is valid for all integer values, and
+ * when it is true, c is known to be in scope
+ * for isdigit(). No cast necessary. Similar
+ * comment applies for later ctype uses.
+ */
+ if (isascii(c) && isdigit(c)) {
+ if (base == 8 && (c == '8' || c == '9'))
+ return (0);
+ val = (val * base) + (c - '0');
+ c = *++cp;
+ digit = 1;
+ } else if (base == 16 && isascii(c) && isxdigit(c)) {
+ val = (val << 4) |
+ (c + 10 - (islower(c) ? 'a' : 'A'));
+ c = *++cp;
+ digit = 1;
+ } else
+ break;
+ }
+ if (c == '.') {
+ /*
+ * Internet format:
+ * a.b.c.d
+ * a.b.c (with c treated as 16 bits)
+ * a.b (with b treated as 24 bits)
+ */
+ if (pp >= parts + 3 || val > 0xff)
+ return (0);
+ *pp++ = (isc_uint8_t)val;
+ c = *++cp;
+ } else
+ break;
+ }
+ /*
+ * Check for trailing characters.
+ */
+ if (c != '\0' && (!isascii(c) || !isspace(c)))
+ return (0);
+ /*
+ * Did we get a valid digit?
+ */
+ if (!digit)
+ return (0);
+ /*
+ * Concoct the address according to
+ * the number of parts specified.
+ */
+ n = pp - parts + 1;
+ switch (n) {
+ case 1: /* a -- 32 bits */
+ break;
+
+ case 2: /* a.b -- 8.24 bits */
+ if (val > 0xffffff)
+ return (0);
+ val |= parts[0] << 24;
+ break;
+
+ case 3: /* a.b.c -- 8.8.16 bits */
+ if (val > 0xffff)
+ return (0);
+ val |= (parts[0] << 24) | (parts[1] << 16);
+ break;
+
+ case 4: /* a.b.c.d -- 8.8.8.8 bits */
+ if (val > 0xff)
+ return (0);
+ val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
+ break;
+ }
+ if (addr != NULL)
+ addr->s_addr = htonl(val);
+
+ return (1);
+}
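Review bot: The digit loop in isc_net_aton accumulates into `val` with no overflow check, and `case 1` of the final switch accepts any value. Where unsigned long is 64 bits, a single number above 0xffffffff is therefore accepted and silently truncated by `htonl(val)`, and a long enough digit string can wrap back under the per-part limits. Text that is not an address then parses as a valid one, which matters if callers use the result for access decisions. Rejecting before the arithmetic closes both cases: `if (val > (0xffffffffUL - (c - '0')) / base) return (0);` in the decimal/octal branch and `if (val > 0x0fffffffUL) return (0);` before the hex shift. Separately, `parts[0] << 24` shifts a promoted int into the sign bit; `(unsigned long)parts[0] << 24` avoids that.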
diff --git a/contrib/bind9/lib/isc/inet_ntop.c b/contrib/bind9/lib/isc/inet_ntop.c
new file mode 100644
index 0000000..6dadd73
--- /dev/null
+++ b/contrib/bind9/lib/isc/inet_ntop.c
@@ -0,0 +1,195 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1996-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =
+ "$Id: inet_ntop.c,v 1.12.12.4 2004/08/28 06:25:21 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/net.h>
+#include <isc/print.h>
+
+#define NS_INT16SZ 2
+#define NS_IN6ADDRSZ 16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static const char *inet_ntop4(const unsigned char *src, char *dst,
+ size_t size);
+
+#ifdef AF_INET6
+static const char *inet_ntop6(const unsigned char *src, char *dst,
+ size_t size);
+#endif
+
+/* char *
+ * isc_net_ntop(af, src, dst, size)
+ * convert a network format address to presentation format.
+ * return:
+ * pointer to presentation format address (`dst'), or NULL (see errno).
+ * author:
+ * Paul Vixie, 1996.
+ */
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size)
+{
+ switch (af) {
+ case AF_INET:
+ return (inet_ntop4(src, dst, size));
+#ifdef AF_INET6
+ case AF_INET6:
+ return (inet_ntop6(src, dst, size));
+#endif
+ default:
+ errno = EAFNOSUPPORT;
+ return (NULL);
+ }
+ /* NOTREACHED */
+}
+
+/* const char *
+ * inet_ntop4(src, dst, size)
+ * format an IPv4 address
+ * return:
+ * `dst' (as a const)
+ * notes:
+ * (1) uses no statics
+ * (2) takes a unsigned char* not an in_addr as input
+ * author:
+ * Paul Vixie, 1996.
+ */
+static const char *
+inet_ntop4(const unsigned char *src, char *dst, size_t size)
+{
+ static const char *fmt = "%u.%u.%u.%u";
+ char tmp[sizeof("255.255.255.255")];
+
+ if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
+ {
+ errno = ENOSPC;
+ return (NULL);
+ }
+ strcpy(dst, tmp);
+
+ return (dst);
+}
+
+/* const char *
+ * isc_inet_ntop6(src, dst, size)
+ * convert IPv6 binary address into presentation (printable) format
+ * author:
+ * Paul Vixie, 1996.
+ */
+#ifdef AF_INET6
+static const char *
+inet_ntop6(const unsigned char *src, char *dst, size_t size)
+{
+ /*
+ * Note that int32_t and int16_t need only be "at least" large enough
+ * to contain a value of the specified size. On some systems, like
+ * Crays, there is no such thing as an integer variable with 16 bits.
+ * Keep this in mind if you think this function should have been coded
+ * to use pointer overlays. All the world's not a VAX.
+ */
+ char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")], *tp;
+ struct { int base, len; } best, cur;
+ unsigned int words[NS_IN6ADDRSZ / NS_INT16SZ];
+ int i;
+
+ /*
+ * Preprocess:
+ * Copy the input (bytewise) array into a wordwise array.
+ * Find the longest run of 0x00's in src[] for :: shorthanding.
+ */
+ memset(words, '\0', sizeof(words));
+ for (i = 0; i < NS_IN6ADDRSZ; i++)
+ words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
+ best.base = -1;
+ cur.base = -1;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ if (words[i] == 0) {
+ if (cur.base == -1)
+ cur.base = i, cur.len = 1;
+ else
+ cur.len++;
+ } else {
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ cur.base = -1;
+ }
+ }
+ }
+ if (cur.base != -1) {
+ if (best.base == -1 || cur.len > best.len)
+ best = cur;
+ }
+ if (best.base != -1 && best.len < 2)
+ best.base = -1;
+
+ /*
+ * Format the result.
+ */
+ tp = tmp;
+ for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
+ /* Are we inside the best run of 0x00's? */
+ if (best.base != -1 && i >= best.base &&
+ i < (best.base + best.len)) {
+ if (i == best.base)
+ *tp++ = ':';
+ continue;
+ }
+ /* Are we following an initial run of 0x00s or any real hex? */
+ if (i != 0)
+ *tp++ = ':';
+ /* Is this address an encapsulated IPv4? */
+ if (i == 6 && best.base == 0 &&
+ (best.len == 6 || (best.len == 5 && words[5] == 0xffff))) {
+ if (!inet_ntop4(src+12, tp,
+ sizeof(tmp) - (tp - tmp)))
+ return (NULL);
+ tp += strlen(tp);
+ break;
+ }
+ tp += sprintf(tp, "%x", words[i]);
+ }
+ /* Was it a trailing run of 0x00's? */
+ if (best.base != -1 && (best.base + best.len) ==
+ (NS_IN6ADDRSZ / NS_INT16SZ))
+ *tp++ = ':';
+ *tp++ = '\0';
+
+ /*
+ * Check for overflow, copy, and we're done.
+ */
+ if ((size_t)(tp - tmp) > size) {
+ errno = ENOSPC;
+ return (NULL);
+ }
+ strcpy(dst, tmp);
+ return (dst);
+}
+#endif /* AF_INET6 */
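Review bot: The header comments in this file do not describe the helpers' failure path. The comment on inet_ntop4 gives the return as `dst` only, yet the body returns NULL with errno set to ENOSPC when the text does not fit in `size`. The comment for the IPv6 helper names it `isc_inet_ntop6` (the function is the static `inet_ntop6`) and documents no return value. I would add "NULL with errno = ENOSPC if size is too small" to both return sections and correct the name. A one-line comment in inet_ntop6 would also help, stating that the unbounded `sprintf(tp, "%x", words[i])` and `strcpy(dst, tmp)` are safe only because each word is built from two bytes, `tmp` is sized for the longest form, and the `size` check precedes the copy.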
diff --git a/contrib/bind9/lib/isc/inet_pton.c b/contrib/bind9/lib/isc/inet_pton.c
new file mode 100644
index 0000000..b253069
--- /dev/null
+++ b/contrib/bind9/lib/isc/inet_pton.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1996-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =
+ "$Id: inet_pton.c,v 1.10.2.4.2.1 2004/03/06 08:14:31 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include <isc/net.h>
+
+#define NS_INT16SZ 2
+#define NS_INADDRSZ 4
+#define NS_IN6ADDRSZ 16
+
+/*
+ * WARNING: Don't even consider trying to compile this on a system where
+ * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
+ */
+
+static int inet_pton4(const char *src, unsigned char *dst);
+static int inet_pton6(const char *src, unsigned char *dst);
+
+/* int
+ * isc_net_pton(af, src, dst)
+ * convert from presentation format (which usually means ASCII printable)
+ * to network format (which is usually some kind of binary format).
+ * return:
+ * 1 if the address was valid for the specified address family
+ * 0 if the address wasn't valid (`dst' is untouched in this case)
+ * -1 if some other error occurred (`dst' is untouched in this case, too)
+ * author:
+ * Paul Vixie, 1996.
+ */
+int
+isc_net_pton(int af, const char *src, void *dst) {
+ switch (af) {
+ case AF_INET:
+ return (inet_pton4(src, dst));
+ case AF_INET6:
+ return (inet_pton6(src, dst));
+ default:
+ errno = EAFNOSUPPORT;
+ return (-1);
+ }
+ /* NOTREACHED */
+}
+
+/* int
+ * inet_pton4(src, dst)
+ * like inet_aton() but without all the hexadecimal and shorthand.
+ * return:
+ * 1 if `src' is a valid dotted quad, else 0.
+ * notice:
+ * does not touch `dst' unless it's returning 1.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton4(const char *src, unsigned char *dst) {
+ static const char digits[] = "0123456789";
+ int saw_digit, octets, ch;
+ unsigned char tmp[NS_INADDRSZ], *tp;
+
+ saw_digit = 0;
+ octets = 0;
+ *(tp = tmp) = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr(digits, ch)) != NULL) {
+ unsigned int new = *tp * 10 + (pch - digits);
+
+ if (saw_digit && *tp == 0)
+ return (0);
+ if (new > 255)
+ return (0);
+ *tp = new;
+ if (!saw_digit) {
+ if (++octets > 4)
+ return (0);
+ saw_digit = 1;
+ }
+ } else if (ch == '.' && saw_digit) {
+ if (octets == 4)
+ return (0);
+ *++tp = 0;
+ saw_digit = 0;
+ } else
+ return (0);
+ }
+ if (octets < 4)
+ return (0);
+ memcpy(dst, tmp, NS_INADDRSZ);
+ return (1);
+}
+
+/* int
+ * inet_pton6(src, dst)
+ * convert presentation level address to network order binary form.
+ * return:
+ * 1 if `src' is a valid [RFC1884 2.2] address, else 0.
+ * notice:
+ * (1) does not touch `dst' unless it's returning 1.
+ * (2) :: in a full address is silently ignored.
+ * credit:
+ * inspired by Mark Andrews.
+ * author:
+ * Paul Vixie, 1996.
+ */
+static int
+inet_pton6(const char *src, unsigned char *dst) {
+ static const char xdigits_l[] = "0123456789abcdef",
+ xdigits_u[] = "0123456789ABCDEF";
+ unsigned char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp;
+ const char *xdigits, *curtok;
+ int ch, saw_xdigit;
+ unsigned int val;
+
+ memset((tp = tmp), '\0', NS_IN6ADDRSZ);
+ endp = tp + NS_IN6ADDRSZ;
+ colonp = NULL;
+ /* Leading :: requires some special handling. */
+ if (*src == ':')
+ if (*++src != ':')
+ return (0);
+ curtok = src;
+ saw_xdigit = 0;
+ val = 0;
+ while ((ch = *src++) != '\0') {
+ const char *pch;
+
+ if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL)
+ pch = strchr((xdigits = xdigits_u), ch);
+ if (pch != NULL) {
+ val <<= 4;
+ val |= (pch - xdigits);
+ if (val > 0xffff)
+ return (0);
+ saw_xdigit = 1;
+ continue;
+ }
+ if (ch == ':') {
+ curtok = src;
+ if (!saw_xdigit) {
+ if (colonp)
+ return (0);
+ colonp = tp;
+ continue;
+ }
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
+ saw_xdigit = 0;
+ val = 0;
+ continue;
+ }
+ if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) &&
+ inet_pton4(curtok, tp) > 0) {
+ tp += NS_INADDRSZ;
+ saw_xdigit = 0;
+ break; /* '\0' was seen by inet_pton4(). */
+ }
+ return (0);
+ }
+ if (saw_xdigit) {
+ if (tp + NS_INT16SZ > endp)
+ return (0);
+ *tp++ = (unsigned char) (val >> 8) & 0xff;
+ *tp++ = (unsigned char) val & 0xff;
+ }
+ if (colonp != NULL) {
+ /*
+ * Since some memmove()'s erroneously fail to handle
+ * overlapping regions, we'll do the shift by hand.
+ */
+ const int n = tp - colonp;
+ int i;
+
+ if (tp == endp)
+ return (0);
+ for (i = 1; i <= n; i++) {
+ endp[- i] = colonp[n - i];
+ colonp[n - i] = 0;
+ }
+ tp = endp;
+ }
+ if (tp != endp)
+ return (0);
+ memcpy(dst, tmp, NS_IN6ADDRSZ);
+ return (1);
+}
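Review bot: inet_pton6 accepts two kinds of text that are not valid IPv6 presentation syntax. A hex group is limited only by `val > 0xffff`, so a group of more than four digits passes when it has leading zeros (`00001`). A single trailing colon after a group is treated as an ordinary separator, so input ending in `:` can still return 1 when the byte count works out, for example after an earlier `::`. Since `saw_xdigit` is an int reset to 0 at every separator, replacing `saw_xdigit = 1;` with `if (++saw_xdigit > 4) return (0);` bounds the group length. Adding `else if (*src == '\0') return (0);` after the `if (!saw_xdigit) { ... }` block in the `':'` branch rejects the trailing colon.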
diff --git a/contrib/bind9/lib/isc/lex.c b/contrib/bind9/lib/isc/lex.c
new file mode 100644
index 0000000..bb832dd
--- /dev/null
+++ b/contrib/bind9/lib/isc/lex.c
@@ -0,0 +1,921 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lex.c,v 1.66.2.6.2.8 2004/08/28 06:25:21 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/file.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/parseint.h>
+#include <isc/print.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+typedef struct inputsource {
+ isc_result_t result;
+ isc_boolean_t is_file;
+ isc_boolean_t need_close;
+ isc_boolean_t at_eof;
+ isc_buffer_t * pushback;
+ unsigned int ignored;
+ void * input;
+ char * name;
+ unsigned long line;
+ unsigned long saved_line;
+ ISC_LINK(struct inputsource) link;
+} inputsource;
+
+#define LEX_MAGIC ISC_MAGIC('L', 'e', 'x', '!')
+#define VALID_LEX(l) ISC_MAGIC_VALID(l, LEX_MAGIC)
+
+struct isc_lex {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ size_t max_token;
+ char * data;
+ unsigned int comments;
+ isc_boolean_t comment_ok;
+ isc_boolean_t last_was_eol;
+ unsigned int paren_count;
+ unsigned int saved_paren_count;
+ isc_lexspecials_t specials;
+ LIST(struct inputsource) sources;
+};
+
+static inline isc_result_t
+grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
+ char *new;
+
+ new = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
+ if (new == NULL)
+ return (ISC_R_NOMEMORY);
+ memcpy(new, lex->data, lex->max_token + 1);
+ *currp = new + (*currp - lex->data);
+ if (*prevp != NULL)
+ *prevp = new + (*prevp - lex->data);
+ isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+ lex->data = new;
+ *remainingp += lex->max_token;
+ lex->max_token *= 2;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) {
+ isc_lex_t *lex;
+
+ /*
+ * Create a lexer.
+ */
+
+ REQUIRE(lexp != NULL && *lexp == NULL);
+ REQUIRE(max_token > 0U);
+
+ lex = isc_mem_get(mctx, sizeof(*lex));
+ if (lex == NULL)
+ return (ISC_R_NOMEMORY);
+ lex->data = isc_mem_get(mctx, max_token + 1);
+ if (lex->data == NULL) {
+ isc_mem_put(mctx, lex, sizeof(*lex));
+ return (ISC_R_NOMEMORY);
+ }
+ lex->mctx = mctx;
+ lex->max_token = max_token;
+ lex->comments = 0;
+ lex->comment_ok = ISC_TRUE;
+ lex->last_was_eol = ISC_TRUE;
+ lex->paren_count = 0;
+ lex->saved_paren_count = 0;
+ memset(lex->specials, 0, 256);
+ INIT_LIST(lex->sources);
+ lex->magic = LEX_MAGIC;
+
+ *lexp = lex;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_destroy(isc_lex_t **lexp) {
+ isc_lex_t *lex;
+
+ /*
+ * Destroy the lexer.
+ */
+
+ REQUIRE(lexp != NULL);
+ lex = *lexp;
+ REQUIRE(VALID_LEX(lex));
+
+ while (!EMPTY(lex->sources))
+ RUNTIME_CHECK(isc_lex_close(lex) == ISC_R_SUCCESS);
+ if (lex->data != NULL)
+ isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
+ lex->magic = 0;
+ isc_mem_put(lex->mctx, lex, sizeof(*lex));
+
+ *lexp = NULL;
+}
+
+unsigned int
+isc_lex_getcomments(isc_lex_t *lex) {
+ /*
+ * Return the current lexer commenting styles.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ return (lex->comments);
+}
+
+void
+isc_lex_setcomments(isc_lex_t *lex, unsigned int comments) {
+ /*
+ * Set allowed lexer commenting styles.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ lex->comments = comments;
+}
+
+void
+isc_lex_getspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+ /*
+ * Put the current list of specials into 'specials'.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ memcpy(specials, lex->specials, 256);
+}
+
+void
+isc_lex_setspecials(isc_lex_t *lex, isc_lexspecials_t specials) {
+ /*
+ * The characters in 'specials' are returned as tokens. Along with
+ * whitespace, they delimit strings and numbers.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ memcpy(lex->specials, specials, 256);
+}
+
+static inline isc_result_t
+new_source(isc_lex_t *lex, isc_boolean_t is_file, isc_boolean_t need_close,
+ void *input, const char *name)
+{
+ inputsource *source;
+ isc_result_t result;
+
+ source = isc_mem_get(lex->mctx, sizeof(*source));
+ if (source == NULL)
+ return (ISC_R_NOMEMORY);
+ source->result = ISC_R_SUCCESS;
+ source->is_file = is_file;
+ source->need_close = need_close;
+ source->at_eof = ISC_FALSE;
+ source->input = input;
+ source->name = isc_mem_strdup(lex->mctx, name);
+ if (source->name == NULL) {
+ isc_mem_put(lex->mctx, source, sizeof(*source));
+ return (ISC_R_NOMEMORY);
+ }
+ source->pushback = NULL;
+ result = isc_buffer_allocate(lex->mctx, &source->pushback,
+ lex->max_token);
+ if (result != ISC_R_SUCCESS) {
+ isc_mem_free(lex->mctx, source->name);
+ isc_mem_put(lex->mctx, source, sizeof(*source));
+ return (result);
+ }
+ source->ignored = 0;
+ source->line = 1;
+ ISC_LIST_INITANDPREPEND(lex->sources, source, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_openfile(isc_lex_t *lex, const char *filename) {
+ isc_result_t result;
+ FILE *stream = NULL;
+
+ /*
+ * Open 'filename' and make it the current input source for 'lex'.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ result = isc_stdio_open(filename, "r", &stream);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ result = new_source(lex, ISC_TRUE, ISC_TRUE, stream, filename);
+ if (result != ISC_R_SUCCESS)
+ (void)fclose(stream);
+ return (result);
+}
+
+isc_result_t
+isc_lex_openstream(isc_lex_t *lex, FILE *stream) {
+ char name[128];
+
+ /*
+ * Make 'stream' the current input source for 'lex'.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ snprintf(name, sizeof(name), "stream-%p", stream);
+
+ return (new_source(lex, ISC_TRUE, ISC_FALSE, stream, name));
+}
+
+isc_result_t
+isc_lex_openbuffer(isc_lex_t *lex, isc_buffer_t *buffer) {
+ char name[128];
+
+ /*
+ * Make 'buffer' the current input source for 'lex'.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ snprintf(name, sizeof(name), "buffer-%p", buffer);
+
+ return (new_source(lex, ISC_FALSE, ISC_FALSE, buffer, name));
+}
+
+isc_result_t
+isc_lex_close(isc_lex_t *lex) {
+ inputsource *source;
+
+ /*
+ * Close the most recently opened object (i.e. file or buffer).
+ */
+
+ REQUIRE(VALID_LEX(lex));
+
+ source = HEAD(lex->sources);
+ if (source == NULL)
+ return (ISC_R_NOMORE);
+
+ ISC_LIST_UNLINK(lex->sources, source, link);
+ if (source->is_file) {
+ if (source->need_close)
+ (void)fclose((FILE *)(source->input));
+ }
+ isc_mem_free(lex->mctx, source->name);
+ isc_buffer_free(&source->pushback);
+ isc_mem_put(lex->mctx, source, sizeof(*source));
+
+ return (ISC_R_SUCCESS);
+}
+
+typedef enum {
+ lexstate_start,
+ lexstate_crlf,
+ lexstate_string,
+ lexstate_number,
+ lexstate_maybecomment,
+ lexstate_ccomment,
+ lexstate_ccommentend,
+ lexstate_eatline,
+ lexstate_qstring
+} lexstate;
+
+#define IWSEOL (ISC_LEXOPT_INITIALWS | ISC_LEXOPT_EOL)
+
+static void
+pushback(inputsource *source, int c) {
+ REQUIRE(source->pushback->current > 0);
+ if (c == EOF) {
+ source->at_eof = ISC_FALSE;
+ return;
+ }
+ source->pushback->current--;
+ if (c == '\n')
+ source->line--;
+}
+
+static isc_result_t
+pushandgrow(isc_lex_t *lex, inputsource *source, int c) {
+ if (isc_buffer_availablelength(source->pushback) == 0) {
+ isc_buffer_t *tbuf = NULL;
+ unsigned int oldlen;
+ isc_region_t used;
+ isc_result_t result;
+
+ oldlen = isc_buffer_length(source->pushback);
+ result = isc_buffer_allocate(lex->mctx, &tbuf, oldlen * 2);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ isc_buffer_usedregion(source->pushback, &used);
+ result = isc_buffer_copyregion(tbuf, &used);
+ INSIST(result == ISC_R_SUCCESS);
+ tbuf->current = source->pushback->current;
+ isc_buffer_free(&source->pushback);
+ source->pushback = tbuf;
+ }
+ isc_buffer_putuint8(source->pushback, (isc_uint8_t)c);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
+ inputsource *source;
+ int c;
+ isc_boolean_t done = ISC_FALSE;
+ isc_boolean_t no_comments = ISC_FALSE;
+ isc_boolean_t escaped = ISC_FALSE;
+ lexstate state = lexstate_start;
+ lexstate saved_state = lexstate_start;
+ isc_buffer_t *buffer;
+ FILE *stream;
+ char *curr, *prev;
+ size_t remaining;
+ isc_uint32_t as_ulong;
+ unsigned int saved_options;
+ isc_result_t result;
+
+ /*
+ * Get the next token.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+ REQUIRE(tokenp != NULL);
+
+ lex->saved_paren_count = lex->paren_count;
+ source->saved_line = source->line;
+
+ if (source == NULL) {
+ if ((options & ISC_LEXOPT_NOMORE) != 0) {
+ tokenp->type = isc_tokentype_nomore;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_NOMORE);
+ }
+
+ if (source->result != ISC_R_SUCCESS)
+ return (source->result);
+
+ if (isc_buffer_remaininglength(source->pushback) == 0 &&
+ source->at_eof)
+ {
+ if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+ lex->paren_count != 0) {
+ lex->paren_count = 0;
+ return (ISC_R_UNBALANCED);
+ }
+ if ((options & ISC_LEXOPT_EOF) != 0) {
+ tokenp->type = isc_tokentype_eof;
+ return (ISC_R_SUCCESS);
+ }
+ return (ISC_R_EOF);
+ }
+
+ isc_buffer_compact(source->pushback);
+
+ saved_options = options;
+ if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 && lex->paren_count > 0)
+ options &= ~IWSEOL;
+
+ curr = lex->data;
+ *curr = '\0';
+
+ prev = NULL;
+ remaining = lex->max_token;
+
+#ifdef HAVE_FLOCKFILE
+ if (source->is_file)
+ flockfile(source->input);
+#endif
+
+ do {
+ if (isc_buffer_remaininglength(source->pushback) == 0) {
+ if (source->is_file) {
+ stream = source->input;
+
+#if defined(HAVE_FLOCKFILE) && defined(HAVE_GETCUNLOCKED)
+ c = getc_unlocked(stream);
+#else
+ c = getc(stream);
+#endif
+ if (c == EOF) {
+ if (ferror(stream)) {
+ source->result = ISC_R_IOERROR;
+ result = source->result;
+ goto done;
+ }
+ source->at_eof = ISC_TRUE;
+ }
+ } else {
+ buffer = source->input;
+
+ if (buffer->current == buffer->used) {
+ c = EOF;
+ source->at_eof = ISC_TRUE;
+ } else {
+ c = *((char *)buffer->base +
+ buffer->current);
+ buffer->current++;
+ }
+ }
+ if (c != EOF) {
+ source->result = pushandgrow(lex, source, c);
+ if (source->result != ISC_R_SUCCESS) {
+ result = source->result;
+ goto done;
+ }
+ }
+ }
+
+ if (!source->at_eof) {
+ if (state == lexstate_start)
+ /* Token has not started yet. */
+ source->ignored =
+ isc_buffer_consumedlength(source->pushback);
+ c = isc_buffer_getuint8(source->pushback);
+ } else {
+ c = EOF;
+ }
+
+ if (c == '\n')
+ source->line++;
+
+ if (lex->comment_ok && !no_comments) {
+ if (!escaped && c == ';' &&
+ ((lex->comments & ISC_LEXCOMMENT_DNSMASTERFILE)
+ != 0)) {
+ saved_state = state;
+ state = lexstate_eatline;
+ no_comments = ISC_TRUE;
+ continue;
+ } else if (c == '/' &&
+ (lex->comments &
+ (ISC_LEXCOMMENT_C|
+ ISC_LEXCOMMENT_CPLUSPLUS)) != 0) {
+ saved_state = state;
+ state = lexstate_maybecomment;
+ no_comments = ISC_TRUE;
+ continue;
+ } else if (c == '#' &&
+ ((lex->comments & ISC_LEXCOMMENT_SHELL)
+ != 0)) {
+ saved_state = state;
+ state = lexstate_eatline;
+ no_comments = ISC_TRUE;
+ continue;
+ }
+ }
+
+ no_read:
+ /* INSIST(c == EOF || (c >= 0 && c <= 255)); */
+ switch (state) {
+ case lexstate_start:
+ if (c == EOF) {
+ lex->last_was_eol = ISC_FALSE;
+ if ((options & ISC_LEXOPT_DNSMULTILINE) != 0 &&
+ lex->paren_count != 0) {
+ lex->paren_count = 0;
+ result = ISC_R_UNBALANCED;
+ goto done;
+ }
+ if ((options & ISC_LEXOPT_EOF) == 0) {
+ result = ISC_R_EOF;
+ goto done;
+ }
+ tokenp->type = isc_tokentype_eof;
+ done = ISC_TRUE;
+ } else if (c == ' ' || c == '\t') {
+ if (lex->last_was_eol &&
+ (options & ISC_LEXOPT_INITIALWS)
+ != 0) {
+ lex->last_was_eol = ISC_FALSE;
+ tokenp->type = isc_tokentype_initialws;
+ tokenp->value.as_char = c;
+ done = ISC_TRUE;
+ }
+ } else if (c == '\n') {
+ if ((options & ISC_LEXOPT_EOL) != 0) {
+ tokenp->type = isc_tokentype_eol;
+ done = ISC_TRUE;
+ }
+ lex->last_was_eol = ISC_TRUE;
+ } else if (c == '\r') {
+ if ((options & ISC_LEXOPT_EOL) != 0)
+ state = lexstate_crlf;
+ } else if (c == '"' &&
+ (options & ISC_LEXOPT_QSTRING) != 0) {
+ lex->last_was_eol = ISC_FALSE;
+ no_comments = ISC_TRUE;
+ state = lexstate_qstring;
+ } else if (lex->specials[c]) {
+ lex->last_was_eol = ISC_FALSE;
+ if ((c == '(' || c == ')') &&
+ (options & ISC_LEXOPT_DNSMULTILINE) != 0) {
+ if (c == '(') {
+ if (lex->paren_count == 0)
+ options &= ~IWSEOL;
+ lex->paren_count++;
+ } else {
+ if (lex->paren_count == 0) {
+ result = ISC_R_UNBALANCED;
+ goto done;
+ }
+ lex->paren_count--;
+ if (lex->paren_count == 0)
+ options =
+ saved_options;
+ }
+ continue;
+ }
+ tokenp->type = isc_tokentype_special;
+ tokenp->value.as_char = c;
+ done = ISC_TRUE;
+ } else if (isdigit((unsigned char)c) &&
+ (options & ISC_LEXOPT_NUMBER) != 0) {
+ lex->last_was_eol = ISC_FALSE;
+ state = lexstate_number;
+ goto no_read;
+ } else {
+ lex->last_was_eol = ISC_FALSE;
+ state = lexstate_string;
+ goto no_read;
+ }
+ break;
+ case lexstate_crlf:
+ if (c != '\n')
+ pushback(source, c);
+ tokenp->type = isc_tokentype_eol;
+ done = ISC_TRUE;
+ lex->last_was_eol = ISC_TRUE;
+ break;
+ case lexstate_number:
+ if (c == EOF || !isdigit((unsigned char)c)) {
+ if (c == ' ' || c == '\t' || c == '\r' ||
+ c == '\n' || c == EOF ||
+ lex->specials[c]) {
+ int base;
+ if ((options & ISC_LEXOPT_CNUMBER) != 0)
+ base = 0;
+ else
+ base = 10;
+ pushback(source, c);
+
+ result = isc_parse_uint32(&as_ulong,
+ lex->data,
+ base);
+ if (result == ISC_R_SUCCESS) {
+ tokenp->type =
+ isc_tokentype_number;
+ tokenp->value.as_ulong =
+ as_ulong;
+ } else if (result == ISC_R_BADNUMBER) {
+ isc_tokenvalue_t *v;
+
+ tokenp->type =
+ isc_tokentype_string;
+ v = &(tokenp->value);
+ v->as_textregion.base =
+ lex->data;
+ v->as_textregion.length =
+ lex->max_token -
+ remaining;
+ } else
+ goto done;
+ done = ISC_TRUE;
+ continue;
+ } else if (!(options & ISC_LEXOPT_CNUMBER) ||
+ ((c != 'x' && c != 'X') ||
+ (curr != &lex->data[1]) ||
+ (lex->data[0] != '0'))) {
+ /* Above test supports hex numbers */
+ state = lexstate_string;
+ }
+ }
+ if (remaining == 0U) {
+ result = grow_data(lex, &remaining,
+ &curr, &prev);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+ INSIST(remaining > 0U);
+ *curr++ = c;
+ *curr = '\0';
+ remaining--;
+ break;
+ case lexstate_string:
+ if ((!escaped &&
+ (c == ' ' || c == '\t' || lex->specials[c])) ||
+ c == '\r' || c == '\n' || c == EOF) {
+ pushback(source, c);
+ if (source->result != ISC_R_SUCCESS) {
+ result = source->result;
+ goto done;
+ }
+ tokenp->type = isc_tokentype_string;
+ tokenp->value.as_textregion.base = lex->data;
+ tokenp->value.as_textregion.length =
+ lex->max_token - remaining;
+ done = ISC_TRUE;
+ continue;
+ }
+ if ((options & ISC_LEXOPT_ESCAPE) != 0)
+ escaped = (!escaped && c == '\\') ?
+ ISC_TRUE : ISC_FALSE;
+ if (remaining == 0U) {
+ result = grow_data(lex, &remaining,
+ &curr, &prev);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+ INSIST(remaining > 0U);
+ *curr++ = c;
+ *curr = '\0';
+ remaining--;
+ break;
+ case lexstate_maybecomment:
+ if (c == '*' &&
+ (lex->comments & ISC_LEXCOMMENT_C) != 0) {
+ state = lexstate_ccomment;
+ continue;
+ } else if (c == '/' &&
+ (lex->comments & ISC_LEXCOMMENT_CPLUSPLUS) != 0) {
+ state = lexstate_eatline;
+ continue;
+ }
+ pushback(source, c);
+ c = '/';
+ no_comments = ISC_FALSE;
+ state = saved_state;
+ goto no_read;
+ case lexstate_ccomment:
+ if (c == EOF) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto done;
+ }
+ if (c == '*')
+ state = lexstate_ccommentend;
+ break;
+ case lexstate_ccommentend:
+ if (c == EOF) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto done;
+ }
+ if (c == '/') {
+ /*
+ * C-style comments become a single space.
+ * We do this to ensure that a comment will
+ * act as a delimiter for strings and
+ * numbers.
+ */
+ c = ' ';
+ no_comments = ISC_FALSE;
+ state = saved_state;
+ goto no_read;
+ } else if (c != '*')
+ state = lexstate_ccomment;
+ break;
+ case lexstate_eatline:
+ if (c == EOF) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto done;
+ }
+ if (c == '\n') {
+ no_comments = ISC_FALSE;
+ state = saved_state;
+ goto no_read;
+ }
+ break;
+ case lexstate_qstring:
+ if (c == EOF) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto done;
+ }
+ if (c == '"') {
+ if (escaped) {
+ escaped = ISC_FALSE;
+ /*
+ * Overwrite the preceding backslash.
+ */
+ INSIST(prev != NULL);
+ *prev = '"';
+ } else {
+ tokenp->type = isc_tokentype_qstring;
+ tokenp->value.as_textregion.base =
+ lex->data;
+ tokenp->value.as_textregion.length =
+ lex->max_token - remaining;
+ no_comments = ISC_FALSE;
+ done = ISC_TRUE;
+ }
+ } else {
+ if (c == '\n' && !escaped &&
+ (options & ISC_LEXOPT_QSTRINGMULTILINE) == 0) {
+ pushback(source, c);
+ result = ISC_R_UNBALANCEDQUOTES;
+ goto done;
+ }
+ if (c == '\\' && !escaped)
+ escaped = ISC_TRUE;
+ else
+ escaped = ISC_FALSE;
+ if (remaining == 0U) {
+ result = grow_data(lex, &remaining,
+ &curr, &prev);
+ if (result != ISC_R_SUCCESS)
+ goto done;
+ }
+ INSIST(remaining > 0U);
+ prev = curr;
+ *curr++ = c;
+ *curr = '\0';
+ remaining--;
+ }
+ break;
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_LEX,
+ ISC_MSG_UNEXPECTEDSTATE,
+ "Unexpected state %d"),
+ state);
+ /* Does not return. */
+ }
+
+ } while (!done);
+
+ result = ISC_R_SUCCESS;
+ done:
+#ifdef HAVE_FLOCKFILE
+ if (source->is_file)
+ funlockfile(source->input);
+#endif
+ return (result);
+}
+
+isc_result_t
+isc_lex_getmastertoken(isc_lex_t *lex, isc_token_t *token,
+ isc_tokentype_t expect, isc_boolean_t eol)
+{
+ unsigned int options = ISC_LEXOPT_EOL | ISC_LEXOPT_EOF |
+ ISC_LEXOPT_DNSMULTILINE | ISC_LEXOPT_ESCAPE;
+ isc_result_t result;
+
+ if (expect == isc_tokentype_qstring)
+ options |= ISC_LEXOPT_QSTRING;
+ else if (expect == isc_tokentype_number)
+ options |= ISC_LEXOPT_NUMBER;
+ result = isc_lex_gettoken(lex, options, token);
+ if (result == ISC_R_RANGE)
+ isc_lex_ungettoken(lex, token);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (eol && ((token->type == isc_tokentype_eol) ||
+ (token->type == isc_tokentype_eof)))
+ return (ISC_R_SUCCESS);
+ if (token->type == isc_tokentype_string &&
+ expect == isc_tokentype_qstring)
+ return (ISC_R_SUCCESS);
+ if (token->type != expect) {
+ isc_lex_ungettoken(lex, token);
+ if (token->type == isc_tokentype_eol ||
+ token->type == isc_tokentype_eof)
+ return (ISC_R_UNEXPECTEDEND);
+ if (expect == isc_tokentype_number)
+ return (ISC_R_BADNUMBER);
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_lex_ungettoken(isc_lex_t *lex, isc_token_t *tokenp) {
+ inputsource *source;
+ /*
+ * Unget the current token.
+ */
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+ REQUIRE(source != NULL);
+ REQUIRE(tokenp != NULL);
+ REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+ tokenp->type == isc_tokentype_eof);
+
+ UNUSED(tokenp);
+
+ isc_buffer_first(source->pushback);
+ lex->paren_count = lex->saved_paren_count;
+ source->line = source->saved_line;
+ source->at_eof = ISC_FALSE;
+}
+
+void
+isc_lex_getlasttokentext(isc_lex_t *lex, isc_token_t *tokenp, isc_region_t *r)
+{
+ inputsource *source;
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+ REQUIRE(source != NULL);
+ REQUIRE(tokenp != NULL);
+ REQUIRE(isc_buffer_consumedlength(source->pushback) != 0 ||
+ tokenp->type == isc_tokentype_eof);
+
+ UNUSED(tokenp);
+
+ INSIST(source->ignored <= isc_buffer_consumedlength(source->pushback));
+ r->base = (unsigned char *)isc_buffer_base(source->pushback) +
+ source->ignored;
+ r->length = isc_buffer_consumedlength(source->pushback) -
+ source->ignored;
+}
+
+
+char *
+isc_lex_getsourcename(isc_lex_t *lex) {
+ inputsource *source;
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+
+ if (source == NULL)
+ return (NULL);
+
+ return (source->name);
+}
+
+unsigned long
+isc_lex_getsourceline(isc_lex_t *lex) {
+ inputsource *source;
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+
+ if (source == NULL)
+ return (0);
+
+ return (source->line);
+}
+
+
+isc_result_t
+isc_lex_setsourcename(isc_lex_t *lex, const char *name) {
+ inputsource *source;
+ char *newname;
+
+ REQUIRE(VALID_LEX(lex));
+ source = HEAD(lex->sources);
+
+ if (source == NULL)
+ return(ISC_R_NOTFOUND);
+ newname = isc_mem_strdup(lex->mctx, name);
+ if (newname == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_mem_free(lex->mctx, source->name);
+ source->name = newname;
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+isc_lex_isfile(isc_lex_t *lex) {
+ inputsource *source;
+
+ REQUIRE(VALID_LEX(lex));
+
+ source = HEAD(lex->sources);
+
+ if (source == NULL)
+ return (ISC_FALSE);
+
+ return (source->is_file);
+}
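Review bot: In isc_lex_gettoken, `source->saved_line = source->line;` dereferences `source` before the `if (source == NULL)` block that follows it, so a call made with no open input source faults instead of returning ISC_R_NOMORE or the nomore token; the assignment should move below that block. In the same function the lexstate_string case evaluates `lex->specials[c]` before it tests `c == EOF`, so a string token that ends at end of input indexes the table (sized 256 by the memset in isc_lex_create) with EOF, a negative value. Ordering the test as `if (c == EOF || c == '\r' || c == '\n' || (!escaped && (c == ' ' || c == '\t' || lex->specials[c])))` keeps the index in range, matching how the lexstate_start and lexstate_number cases already check EOF first. Because this file is imported under contrib/, both changes would best be taken from or sent to upstream rather than patched locally.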
diff --git a/contrib/bind9/lib/isc/lfsr.c b/contrib/bind9/lib/isc/lfsr.c
new file mode 100644
index 0000000..e1de6aa
--- /dev/null
+++ b/contrib/bind9/lib/isc/lfsr.c
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lfsr.c,v 1.11.2.2.2.3 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/assertions.h>
+#include <isc/lfsr.h>
+#include <isc/util.h>
+
+#define VALID_LFSR(x) (x != NULL)
+
+void
+isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
+ isc_uint32_t tap, unsigned int count,
+ isc_lfsrreseed_t reseed, void *arg)
+{
+ REQUIRE(VALID_LFSR(lfsr));
+ REQUIRE(8 <= bits && bits <= 32);
+ REQUIRE(tap != 0);
+
+ lfsr->state = state;
+ lfsr->bits = bits;
+ lfsr->tap = tap;
+ lfsr->count = count;
+ lfsr->reseed = reseed;
+ lfsr->arg = arg;
+
+ if (count == 0 && reseed != NULL)
+ reseed(lfsr, arg);
+ if (lfsr->state == 0)
+ lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+}
+
+/*
+ * Return the next state of the lfsr.
+ */
+static inline isc_uint32_t
+lfsr_generate(isc_lfsr_t *lfsr)
+{
+ unsigned int highbit;
+
+ highbit = 1 << (lfsr->bits - 1);
+
+ /*
+ * If the previous state is zero, we must fill it with something
+ * here, or we will begin to generate an extremely predictable output.
+ *
+ * First, give the reseed function a crack at it. If the state is
+ * still 0, set it to all ones.
+ */
+ if (lfsr->state == 0) {
+ if (lfsr->reseed != NULL)
+ lfsr->reseed(lfsr, lfsr->arg);
+ if (lfsr->state == 0)
+ lfsr->state = 0xffffffffU >> (32 - lfsr->bits);
+ }
+
+ if (lfsr->state & 0x01) {
+ lfsr->state = (lfsr->state >> 1) ^ lfsr->tap;
+ return (1);
+ } else {
+ lfsr->state >>= 1;
+ return (0);
+ }
+}
+
+void
+isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count)
+{
+ unsigned char *p;
+ unsigned int bit;
+ unsigned int byte;
+
+ REQUIRE(VALID_LFSR(lfsr));
+ REQUIRE(data != NULL);
+ REQUIRE(count > 0);
+
+ p = data;
+ byte = count;
+
+ while (byte--) {
+ *p = 0;
+ for (bit = 0; bit < 7; bit++) {
+ *p |= lfsr_generate(lfsr);
+ *p <<= 1;
+ }
+ *p |= lfsr_generate(lfsr);
+ p++;
+ }
+
+ if (lfsr->count != 0 && lfsr->reseed != NULL) {
+ if (lfsr->count <= count * 8)
+ lfsr->reseed(lfsr, lfsr->arg);
+ else
+ lfsr->count -= (count * 8);
+ }
+}
+
+static inline isc_uint32_t
+lfsr_skipgenerate(isc_lfsr_t *lfsr, unsigned int skip)
+{
+ while (skip--)
+ (void)lfsr_generate(lfsr);
+
+ (void)lfsr_generate(lfsr);
+
+ return (lfsr->state);
+}
+
+/*
+ * Skip "skip" states in "lfsr".
+ */
+void
+isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip)
+{
+ REQUIRE(VALID_LFSR(lfsr));
+
+ while (skip--)
+ (void)lfsr_generate(lfsr);
+}
+
+/*
+ * Skip states in lfsr1 and lfsr2 using the other's current state.
+ * Return the final state of lfsr1 ^ lfsr2.
+ */
+isc_uint32_t
+isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2)
+{
+ isc_uint32_t state1, state2;
+ isc_uint32_t skip1, skip2;
+
+ REQUIRE(VALID_LFSR(lfsr1));
+ REQUIRE(VALID_LFSR(lfsr2));
+
+ skip1 = lfsr1->state & 0x01;
+ skip2 = lfsr2->state & 0x01;
+
+ /* cross-skip. */
+ state1 = lfsr_skipgenerate(lfsr1, skip2);
+ state2 = lfsr_skipgenerate(lfsr2, skip1);
+
+ return (state1 ^ state2);
+}
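Review bot: In lfsr_generate, `highbit = 1 << (lfsr->bits - 1);` is computed and never read, and for `bits == 32` (which the `REQUIRE(8 <= bits && bits <= 32)` in isc_lfsr_init permits) it shifts a signed `int` by 31, which is undefined behaviour. Dropping the variable, or writing `1U << (lfsr->bits - 1)` if it is meant to be kept, removes the problem. In isc_lfsr_generate the expression `count * 8` can wrap for very large `count`, which would skew the reseed countdown; comparing `lfsr->count / 8 <= count` avoids the multiplication. A header comment stating that the output is a linear function of the state and is not suitable where values must be unpredictable would help callers choose the right generator.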
diff --git a/contrib/bind9/lib/isc/lib.c b/contrib/bind9/lib/isc/lib.c
new file mode 100644
index 0000000..fa30abf
--- /dev/null
+++ b/contrib/bind9/lib/isc/lib.c
@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.c,v 1.8.12.3 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <isc/once.h>
+#include <isc/msgs.h>
+#include <isc/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBISC_EXTERNAL_DATA isc_msgcat_t * isc_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+ isc_msgcat_open("libisc.cat", &isc_msgcat);
+}
+
+void
+isc_lib_initmsgcat(void) {
+ isc_result_t result;
+
+ /*
+ * Initialize the ISC library's message catalog, isc_msgcat, if it
+ * has not already been initialized.
+ */
+
+ result = isc_once_do(&msgcat_once, open_msgcat);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * Normally we'd use RUNTIME_CHECK() or FATAL_ERROR(), but
+ * we can't do that here, since they might call us!
+ * (Note that the catalog might be open anyway, so we might
+ * as well try to provide an internationalized message.)
+ */
+ fprintf(stderr, "%s:%d: %s: isc_once_do() %s.\n",
+ __FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FATALERROR, "fatal error"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ abort();
+ }
+}
diff --git a/contrib/bind9/lib/isc/log.c b/contrib/bind9/lib/isc/log.c
new file mode 100644
index 0000000..247b253
--- /dev/null
+++ b/contrib/bind9/lib/isc/log.c
@@ -0,0 +1,1753 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.c,v 1.70.2.8.2.12 2004/06/11 00:35:38 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#include <config.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <time.h>
+
+#include <sys/types.h> /* dev_t FreeBSD 2.1 */
+
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/stat.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#define LCTX_MAGIC ISC_MAGIC('L', 'c', 't', 'x')
+#define VALID_CONTEXT(lctx) ISC_MAGIC_VALID(lctx, LCTX_MAGIC)
+
+#define LCFG_MAGIC ISC_MAGIC('L', 'c', 'f', 'g')
+#define VALID_CONFIG(lcfg) ISC_MAGIC_VALID(lcfg, LCFG_MAGIC)
+
+/*
+ * XXXDCL make dynamic?
+ */
+#define LOG_BUFFER_SIZE (8 * 1024)
+
+#ifndef PATH_MAX
+#define PATH_MAX 1024 /* AIX and others don't define this. */
+#endif
+
+/*
+ * This is the structure that holds each named channel. A simple linked
+ * list chains all of the channels together, so an individual channel is
+ * found by doing strcmp()s with the names down the list. Their should
+ * be no peformance penalty from this as it is expected that the number
+ * of named channels will be no more than a dozen or so, and name lookups
+ * from the head of the list are only done when isc_log_usechannel() is
+ * called, which should also be very infrequent.
+ */
+typedef struct isc_logchannel isc_logchannel_t;
+
+struct isc_logchannel {
+ char * name;
+ unsigned int type;
+ int level;
+ unsigned int flags;
+ isc_logdestination_t destination;
+ ISC_LINK(isc_logchannel_t) link;
+};
+
+/*
+ * The logchannellist structure associates categories and modules with
+ * channels. First the appropriate channellist is found based on the
+ * category, and then each structure in the linked list is checked for
+ * a matching module. It is expected that the number of channels
+ * associated with any given category will be very short, no more than
+ * three or four in the more unusual cases.
+ */
+typedef struct isc_logchannellist isc_logchannellist_t;
+
+struct isc_logchannellist {
+ const isc_logmodule_t * module;
+ isc_logchannel_t * channel;
+ ISC_LINK(isc_logchannellist_t) link;
+};
+
+/*
+ * This structure is used to remember messages for pruning via
+ * isc_log_[v]write1().
+ */
+typedef struct isc_logmessage isc_logmessage_t;
+
+struct isc_logmessage {
+ char * text;
+ isc_time_t time;
+ ISC_LINK(isc_logmessage_t) link;
+};
+
+/*
+ * The isc_logconfig structure is used to store the configurable information
+ * about where messages are actually supposed to be sent -- the information
+ * that could changed based on some configuration file, as opposed to the
+ * the category/module specification of isc_log_[v]write[1] that is compiled
+ * into a program, or the debug_level which is dynamic state information.
+ */
+struct isc_logconfig {
+ unsigned int magic;
+ isc_log_t * lctx;
+ ISC_LIST(isc_logchannel_t) channels;
+ ISC_LIST(isc_logchannellist_t) *channellists;
+ unsigned int channellist_count;
+ unsigned int duplicate_interval;
+ int highest_level;
+ char * tag;
+ isc_boolean_t dynamic;
+};
+
+/*
+ * This isc_log structure provides the context for the isc_log functions.
+ * The log context locks itself in isc_log_doit, the internal backend to
+ * isc_log_write. The locking is necessary both to provide exclusive access
+ * to the the buffer into which the message is formatted and to guard against
+ * competing threads trying to write to the same syslog resource. (On
+ * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
+ * Unfortunately, the lock cannot guard against a _different_ logging
+ * context in the same program competing for syslog's attention. Thus
+ * There Can Be Only One, but this is not enforced.
+ * XXXDCL enforce it?
+ *
+ * Note that the category and module information is not locked.
+ * This is because in the usual case, only one isc_log_t is ever created
+ * in a program, and the category/module registration happens only once.
+ * XXXDCL it might be wise to add more locking overall.
+ */
+struct isc_log {
+ /* Not locked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_logcategory_t * categories;
+ unsigned int category_count;
+ isc_logmodule_t * modules;
+ unsigned int module_count;
+ int debug_level;
+ isc_mutex_t lock;
+ /* Locked by isc_log lock. */
+ isc_logconfig_t * logconfig;
+ char buffer[LOG_BUFFER_SIZE];
+ ISC_LIST(isc_logmessage_t) messages;
+};
+
+/*
+ * Used when ISC_LOG_PRINTLEVEL is enabled for a channel.
+ */
+static const char *log_level_strings[] = {
+ "debug",
+ "info",
+ "notice",
+ "warning",
+ "error",
+ "critical"
+};
+
+/*
+ * Used to convert ISC_LOG_* priorities into syslog priorities.
+ * XXXDCL This will need modification for NT.
+ */
+static const int syslog_map[] = {
+ LOG_DEBUG,
+ LOG_INFO,
+ LOG_NOTICE,
+ LOG_WARNING,
+ LOG_ERR,
+ LOG_CRIT
+};
+
+/*
+ * When adding new categories, a corresponding ISC_LOGCATEGORY_foo
+ * definition needs to be added to <isc/log.h>.
+ *
+ * The default category is provided so that the internal default can
+ * be overridden. Since the default is always looked up as the first
+ * channellist in the log context, it must come first in isc_categories[].
+ */
+LIBISC_EXTERNAL_DATA isc_logcategory_t isc_categories[] = {
+ { "default", 0 }, /* "default" must come first. */
+ { "general", 0 },
+ { NULL, 0 }
+};
+
+/*
+ * See above comment for categories, and apply it to modules.
+ */
+LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
+ { "socket", 0 },
+ { "time", 0 },
+ { "interface", 0 },
+ { "timer", 0 },
+ { NULL, 0 }
+};
+
+/*
+ * This essentially constant structure must be filled in at run time,
+ * because its channel member is pointed to a channel that is created
+ * dynamically with isc_log_createchannel.
+ */
+static isc_logchannellist_t default_channel;
+
+/*
+ * libisc logs to this context.
+ */
+LIBISC_EXTERNAL_DATA isc_log_t *isc_lctx = NULL;
+
+/*
+ * Forward declarations.
+ */
+static isc_result_t
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+ const isc_logmodule_t *module, isc_logchannel_t *channel);
+
+static isc_result_t
+sync_channellist(isc_logconfig_t *lcfg);
+
+static isc_result_t
+greatest_version(isc_logchannel_t *channel, int *greatest);
+
+static isc_result_t
+roll_log(isc_logchannel_t *channel);
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, isc_boolean_t write_once,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, va_list args)
+ ISC_FORMAT_PRINTF(9, 0);
+
+/*
+ * Convenience macros.
+ */
+
+#define FACILITY(channel) (channel->destination.facility)
+#define FILE_NAME(channel) (channel->destination.file.name)
+#define FILE_STREAM(channel) (channel->destination.file.stream)
+#define FILE_VERSIONS(channel) (channel->destination.file.versions)
+#define FILE_MAXSIZE(channel) (channel->destination.file.maximum_size)
+#define FILE_MAXREACHED(channel) (channel->destination.file.maximum_reached)
+
+/****
+ **** Public interfaces.
+ ****/
+
+/*
+ * Establish a new logging context, with default channels.
+ */
+isc_result_t
+isc_log_create(isc_mem_t *mctx, isc_log_t **lctxp, isc_logconfig_t **lcfgp) {
+ isc_log_t *lctx;
+ isc_logconfig_t *lcfg = NULL;
+ isc_result_t result;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(lctxp != NULL && *lctxp == NULL);
+ REQUIRE(lcfgp == NULL || *lcfgp == NULL);
+
+ lctx = isc_mem_get(mctx, sizeof(*lctx));
+ if (lctx != NULL) {
+ lctx->mctx = mctx;
+ lctx->categories = NULL;
+ lctx->category_count = 0;
+ lctx->modules = NULL;
+ lctx->module_count = 0;
+ lctx->debug_level = 0;
+
+ ISC_LIST_INIT(lctx->messages);
+
+ RUNTIME_CHECK(isc_mutex_init(&lctx->lock) == ISC_R_SUCCESS);
+
+ /*
+ * Normally setting the magic number is the last step done
+ * in a creation function, but a valid log context is needed
+ * by isc_log_registercategories and isc_logconfig_create.
+ * If either fails, the lctx is destroyed and not returned
+ * to the caller.
+ */
+ lctx->magic = LCTX_MAGIC;
+
+ isc_log_registercategories(lctx, isc_categories);
+ isc_log_registermodules(lctx, isc_modules);
+ result = isc_logconfig_create(lctx, &lcfg);
+
+ } else
+ result = ISC_R_NOMEMORY;
+
+ if (result == ISC_R_SUCCESS)
+ result = sync_channellist(lcfg);
+
+ if (result == ISC_R_SUCCESS) {
+ lctx->logconfig = lcfg;
+
+ *lctxp = lctx;
+ if (lcfgp != NULL)
+ *lcfgp = lcfg;
+
+ } else {
+ if (lcfg != NULL)
+ isc_logconfig_destroy(&lcfg);
+ if (lctx != NULL)
+ isc_log_destroy(&lctx);
+ }
+
+ return (result);
+}
+
+isc_result_t
+isc_logconfig_create(isc_log_t *lctx, isc_logconfig_t **lcfgp) {
+ isc_logconfig_t *lcfg;
+ isc_logdestination_t destination;
+ isc_result_t result = ISC_R_SUCCESS;
+ int level = ISC_LOG_INFO;
+
+ REQUIRE(lcfgp != NULL && *lcfgp == NULL);
+ REQUIRE(VALID_CONTEXT(lctx));
+
+ lcfg = isc_mem_get(lctx->mctx, sizeof(*lcfg));
+
+ if (lcfg != NULL) {
+ lcfg->lctx = lctx;
+ lcfg->channellists = NULL;
+ lcfg->channellist_count = 0;
+ lcfg->duplicate_interval = 0;
+ lcfg->highest_level = level;
+ lcfg->tag = NULL;
+ lcfg->dynamic = ISC_FALSE;
+
+ ISC_LIST_INIT(lcfg->channels);
+
+ /*
+ * Normally the magic number is the last thing set in the
+ * structure, but isc_log_createchannel() needs a valid
+ * config. If the channel creation fails, the lcfg is not
+ * returned to the caller.
+ */
+ lcfg->magic = LCFG_MAGIC;
+
+ } else
+ result = ISC_R_NOMEMORY;
+
+ /*
+ * Create the default channels:
+ * default_syslog, default_stderr, default_debug and null.
+ */
+ if (result == ISC_R_SUCCESS) {
+ destination.facility = LOG_DAEMON;
+ result = isc_log_createchannel(lcfg, "default_syslog",
+ ISC_LOG_TOSYSLOG, level,
+ &destination, 0);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ result = isc_log_createchannel(lcfg, "default_stderr",
+ ISC_LOG_TOFILEDESC,
+ level,
+ &destination,
+ ISC_LOG_PRINTTIME);
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Set the default category's channel to default_stderr,
+ * which is at the head of the channels list because it was
+ * just created.
+ */
+ default_channel.channel = ISC_LIST_HEAD(lcfg->channels);
+
+ destination.file.stream = stderr;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ result = isc_log_createchannel(lcfg, "default_debug",
+ ISC_LOG_TOFILEDESC,
+ ISC_LOG_DYNAMIC,
+ &destination,
+ ISC_LOG_PRINTTIME);
+ }
+
+ if (result == ISC_R_SUCCESS)
+ result = isc_log_createchannel(lcfg, "null",
+ ISC_LOG_TONULL,
+ ISC_LOG_DYNAMIC,
+ NULL, 0);
+
+ if (result == ISC_R_SUCCESS)
+ *lcfgp = lcfg;
+
+ else
+ if (lcfg != NULL)
+ isc_logconfig_destroy(&lcfg);
+
+ return (result);
+}
+
+isc_logconfig_t *
+isc_logconfig_get(isc_log_t *lctx) {
+ REQUIRE(VALID_CONTEXT(lctx));
+
+ ENSURE(lctx->logconfig != NULL);
+
+ return (lctx->logconfig);
+}
+
+isc_result_t
+isc_logconfig_use(isc_log_t *lctx, isc_logconfig_t *lcfg) {
+ isc_logconfig_t *old_cfg;
+ isc_result_t result;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+ REQUIRE(VALID_CONFIG(lcfg));
+ REQUIRE(lcfg->lctx == lctx);
+
+ /*
+ * Ensure that lcfg->channellist_count == lctx->category_count.
+ * They won't be equal if isc_log_usechannel has not been called
+ * since any call to isc_log_registercategories.
+ */
+ result = sync_channellist(lcfg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ LOCK(&lctx->lock);
+
+ old_cfg = lctx->logconfig;
+ lctx->logconfig = lcfg;
+
+ UNLOCK(&lctx->lock);
+
+ isc_logconfig_destroy(&old_cfg);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_log_destroy(isc_log_t **lctxp) {
+ isc_log_t *lctx;
+ isc_logconfig_t *lcfg;
+ isc_mem_t *mctx;
+ isc_logmessage_t *message;
+
+ REQUIRE(lctxp != NULL && VALID_CONTEXT(*lctxp));
+
+ lctx = *lctxp;
+ mctx = lctx->mctx;
+
+ if (lctx->logconfig != NULL) {
+ lcfg = lctx->logconfig;
+ lctx->logconfig = NULL;
+ isc_logconfig_destroy(&lcfg);
+ }
+
+ DESTROYLOCK(&lctx->lock);
+
+ while ((message = ISC_LIST_HEAD(lctx->messages)) != NULL) {
+ ISC_LIST_UNLINK(lctx->messages, message, link);
+
+ isc_mem_put(mctx, message,
+ sizeof(*message) + strlen(message->text) + 1);
+ }
+
+ lctx->buffer[0] = '\0';
+ lctx->debug_level = 0;
+ lctx->categories = NULL;
+ lctx->category_count = 0;
+ lctx->modules = NULL;
+ lctx->module_count = 0;
+ lctx->mctx = NULL;
+ lctx->magic = 0;
+
+ isc_mem_put(mctx, lctx, sizeof(*lctx));
+
+ *lctxp = NULL;
+}
+
+void
+isc_logconfig_destroy(isc_logconfig_t **lcfgp) {
+ isc_logconfig_t *lcfg;
+ isc_mem_t *mctx;
+ isc_logchannel_t *channel;
+ isc_logchannellist_t *item;
+ char *filename;
+ unsigned int i;
+
+ REQUIRE(lcfgp != NULL && VALID_CONFIG(*lcfgp));
+
+ lcfg = *lcfgp;
+
+ /*
+ * This function cannot be called with a logconfig that is in
+ * use by a log context.
+ */
+ REQUIRE(lcfg->lctx != NULL && lcfg->lctx->logconfig != lcfg);
+
+ mctx = lcfg->lctx->mctx;
+
+ while ((channel = ISC_LIST_HEAD(lcfg->channels)) != NULL) {
+ ISC_LIST_UNLINK(lcfg->channels, channel, link);
+
+ if (channel->type == ISC_LOG_TOFILE) {
+ /*
+ * The filename for the channel may have ultimately
+ * started its life in user-land as a const string,
+ * but in isc_log_createchannel it gets copied
+ * into writable memory and is not longer truly const.
+ */
+ DE_CONST(FILE_NAME(channel), filename);
+ isc_mem_free(mctx, filename);
+
+ if (FILE_STREAM(channel) != NULL)
+ (void)fclose(FILE_STREAM(channel));
+ }
+
+ isc_mem_free(mctx, channel->name);
+ isc_mem_put(mctx, channel, sizeof(*channel));
+ }
+
+ for (i = 0; i < lcfg->channellist_count; i++)
+ while ((item = ISC_LIST_HEAD(lcfg->channellists[i])) != NULL) {
+ ISC_LIST_UNLINK(lcfg->channellists[i], item, link);
+ isc_mem_put(mctx, item, sizeof(*item));
+ }
+
+ if (lcfg->channellist_count > 0)
+ isc_mem_put(mctx, lcfg->channellists,
+ lcfg->channellist_count *
+ sizeof(ISC_LIST(isc_logchannellist_t)));
+
+ lcfg->dynamic = ISC_FALSE;
+ if (lcfg->tag != NULL)
+ isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+ lcfg->tag = NULL;
+ lcfg->highest_level = 0;
+ lcfg->duplicate_interval = 0;
+ lcfg->magic = 0;
+
+ isc_mem_put(mctx, lcfg, sizeof(*lcfg));
+
+ *lcfgp = NULL;
+}
+
+void
+isc_log_registercategories(isc_log_t *lctx, isc_logcategory_t categories[]) {
+ isc_logcategory_t *catp;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+ REQUIRE(categories != NULL && categories[0].name != NULL);
+
+ /*
+ * XXXDCL This somewhat sleazy situation of using the last pointer
+ * in one category array to point to the next array exists because
+ * this registration function returns void and I didn't want to have
+ * change everything that used it by making it return an isc_result_t.
+ * It would need to do that if it had to allocate memory to store
+ * pointers to each array passed in.
+ */
+ if (lctx->categories == NULL)
+ lctx->categories = categories;
+
+ else {
+ /*
+ * Adjust the last (NULL) pointer of the already registered
+ * categories to point to the incoming array.
+ */
+ for (catp = lctx->categories; catp->name != NULL; )
+ if (catp->id == UINT_MAX)
+ /*
+ * The name pointer points to the next array.
+ * Ick.
+ */
+ DE_CONST(catp->name, catp);
+ else
+ catp++;
+
+ catp->name = (void *)categories;
+ catp->id = UINT_MAX;
+ }
+
+ /*
+ * Update the id number of the category with its new global id.
+ */
+ for (catp = categories; catp->name != NULL; catp++)
+ catp->id = lctx->category_count++;
+}
+
+isc_logcategory_t *
+isc_log_categorybyname(isc_log_t *lctx, const char *name) {
+ isc_logcategory_t *catp;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+ REQUIRE(name != NULL);
+
+ for (catp = lctx->categories; catp->name != NULL; )
+ if (catp->id == UINT_MAX)
+ /*
+ * catp is neither modified nor returned to the
+ * caller, so removing its const qualifier is ok.
+ */
+ DE_CONST(catp->name, catp);
+ else {
+ if (strcmp(catp->name, name) == 0)
+ return (catp);
+ catp++;
+ }
+
+ return (NULL);
+}
+
+void
+isc_log_registermodules(isc_log_t *lctx, isc_logmodule_t modules[]) {
+ isc_logmodule_t *modp;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+ REQUIRE(modules != NULL && modules[0].name != NULL);
+
+ /*
+ * XXXDCL This somewhat sleazy situation of using the last pointer
+ * in one category array to point to the next array exists because
+ * this registration function returns void and I didn't want to have
+ * change everything that used it by making it return an isc_result_t.
+ * It would need to do that if it had to allocate memory to store
+ * pointers to each array passed in.
+ */
+ if (lctx->modules == NULL)
+ lctx->modules = modules;
+
+ else {
+ /*
+ * Adjust the last (NULL) pointer of the already registered
+ * modules to point to the incoming array.
+ */
+ for (modp = lctx->modules; modp->name != NULL; )
+ if (modp->id == UINT_MAX)
+ /*
+ * The name pointer points to the next array.
+ * Ick.
+ */
+ DE_CONST(modp->name, modp);
+ else
+ modp++;
+
+ modp->name = (void *)modules;
+ modp->id = UINT_MAX;
+ }
+
+ /*
+ * Update the id number of the module with its new global id.
+ */
+ for (modp = modules; modp->name != NULL; modp++)
+ modp->id = lctx->module_count++;
+}
+
+isc_logmodule_t *
+isc_log_modulebyname(isc_log_t *lctx, const char *name) {
+ isc_logmodule_t *modp;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+ REQUIRE(name != NULL);
+
+ for (modp = lctx->modules; modp->name != NULL; )
+ if (modp->id == UINT_MAX)
+ /*
+ * modp is neither modified nor returned to the
+ * caller, so removing its const qualifier is ok.
+ */
+ DE_CONST(modp->name, modp);
+ else {
+ if (strcmp(modp->name, name) == 0)
+ return (modp);
+ modp++;
+ }
+
+ return (NULL);
+}
+
+isc_result_t
+isc_log_createchannel(isc_logconfig_t *lcfg, const char *name,
+ unsigned int type, int level,
+ const isc_logdestination_t *destination,
+ unsigned int flags)
+{
+ isc_logchannel_t *channel;
+ isc_mem_t *mctx;
+
+ REQUIRE(VALID_CONFIG(lcfg));
+ REQUIRE(name != NULL);
+ REQUIRE(type == ISC_LOG_TOSYSLOG || type == ISC_LOG_TOFILE ||
+ type == ISC_LOG_TOFILEDESC || type == ISC_LOG_TONULL);
+ REQUIRE(destination != NULL || type == ISC_LOG_TONULL);
+ REQUIRE(level >= ISC_LOG_CRITICAL);
+ REQUIRE((flags &
+ (unsigned int)~(ISC_LOG_PRINTALL | ISC_LOG_DEBUGONLY)) == 0);
+
+ /* XXXDCL find duplicate names? */
+
+ mctx = lcfg->lctx->mctx;
+
+ channel = isc_mem_get(mctx, sizeof(*channel));
+ if (channel == NULL)
+ return (ISC_R_NOMEMORY);
+
+ channel->name = isc_mem_strdup(mctx, name);
+ if (channel->name == NULL) {
+ isc_mem_put(mctx, channel, sizeof(*channel));
+ return (ISC_R_NOMEMORY);
+ }
+
+ channel->type = type;
+ channel->level = level;
+ channel->flags = flags;
+ ISC_LINK_INIT(channel, link);
+
+ switch (type) {
+ case ISC_LOG_TOSYSLOG:
+ FACILITY(channel) = destination->facility;
+ break;
+
+ case ISC_LOG_TOFILE:
+ /*
+ * The file name is copied because greatest_version wants
+ * to scribble on it, so it needs to be definitely in
+ * writable memory.
+ */
+ FILE_NAME(channel) =
+ isc_mem_strdup(mctx, destination->file.name);
+ FILE_STREAM(channel) = NULL;
+ FILE_VERSIONS(channel) = destination->file.versions;
+ FILE_MAXSIZE(channel) = destination->file.maximum_size;
+ FILE_MAXREACHED(channel) = ISC_FALSE;
+ break;
+
+ case ISC_LOG_TOFILEDESC:
+ FILE_NAME(channel) = NULL;
+ FILE_STREAM(channel) = destination->file.stream;
+ FILE_MAXSIZE(channel) = 0;
+ FILE_VERSIONS(channel) = ISC_LOG_ROLLNEVER;
+ break;
+
+ case ISC_LOG_TONULL:
+ /* Nothing. */
+ break;
+
+ default:
+ isc_mem_put(mctx, channel->name, strlen(channel->name) + 1);
+ isc_mem_put(mctx, channel, sizeof(*channel));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ ISC_LIST_PREPEND(lcfg->channels, channel, link);
+
+ /*
+ * If default_stderr was redefined, make the default category
+ * point to the new default_stderr.
+ */
+ if (strcmp(name, "default_stderr") == 0)
+ default_channel.channel = channel;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
+ const isc_logcategory_t *category,
+ const isc_logmodule_t *module)
+{
+ isc_log_t *lctx;
+ isc_logchannel_t *channel;
+ isc_result_t result = ISC_R_SUCCESS;
+ unsigned int i;
+
+ REQUIRE(VALID_CONFIG(lcfg));
+ REQUIRE(name != NULL);
+
+ lctx = lcfg->lctx;
+
+ REQUIRE(category == NULL || category->id < lctx->category_count);
+ REQUIRE(module == NULL || module->id < lctx->module_count);
+
+ for (channel = ISC_LIST_HEAD(lcfg->channels); channel != NULL;
+ channel = ISC_LIST_NEXT(channel, link))
+ if (strcmp(name, channel->name) == 0)
+ break;
+
+ if (channel == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (category != NULL)
+ result = assignchannel(lcfg, category->id, module, channel);
+
+ else
+ /*
+ * Assign to all categories. Note that this includes
+ * the default channel.
+ */
+ for (i = 0; i < lctx->category_count; i++) {
+ result = assignchannel(lcfg, i, module, channel);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+
+ return (result);
+}
+
+void
+isc_log_write(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *format, ...)
+{
+ va_list args;
+
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+
+ va_start(args, format);
+ isc_log_doit(lctx, category, module, level, ISC_FALSE,
+ NULL, 0, 0, format, args);
+ va_end(args);
+}
+
+void
+isc_log_vwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ const char *format, va_list args)
+{
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+ isc_log_doit(lctx, category, module, level, ISC_FALSE,
+ NULL, 0, 0, format, args);
+}
+
+void
+isc_log_write1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, const char *format, ...)
+{
+ va_list args;
+
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+
+ va_start(args, format);
+ isc_log_doit(lctx, category, module, level, ISC_TRUE,
+ NULL, 0, 0, format, args);
+ va_end(args);
+}
+
+void
+isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ const char *format, va_list args)
+{
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+ isc_log_doit(lctx, category, module, level, ISC_TRUE,
+ NULL, 0, 0, format, args);
+}
+
+void
+isc_log_iwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, ...)
+{
+ va_list args;
+
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+
+ va_start(args, format);
+ isc_log_doit(lctx, category, module, level, ISC_FALSE,
+ msgcat, msgset, msg, format, args);
+ va_end(args);
+}
+
+void
+isc_log_ivwrite(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, va_list args)
+{
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+ isc_log_doit(lctx, category, module, level, ISC_FALSE,
+ msgcat, msgset, msg, format, args);
+}
+
+void
+isc_log_iwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, ...)
+{
+ va_list args;
+
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+
+ va_start(args, format);
+ isc_log_doit(lctx, category, module, level, ISC_TRUE,
+ msgcat, msgset, msg, format, args);
+ va_end(args);
+}
+
+void
+isc_log_ivwrite1(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, va_list args)
+{
+ /*
+ * Contract checking is done in isc_log_doit().
+ */
+ isc_log_doit(lctx, category, module, level, ISC_TRUE,
+ msgcat, msgset, msg, format, args);
+}
+
+void
+isc_log_setcontext(isc_log_t *lctx) {
+ isc_lctx = lctx;
+}
+
+void
+isc_log_setdebuglevel(isc_log_t *lctx, unsigned int level) {
+ isc_logchannel_t *channel;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+
+ LOCK(&lctx->lock);
+
+ lctx->debug_level = level;
+ /*
+ * Close ISC_LOG_DEBUGONLY channels if level is zero.
+ */
+ if (lctx->debug_level == 0)
+ for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
+ channel != NULL;
+ channel = ISC_LIST_NEXT(channel, link))
+ if (channel->type == ISC_LOG_TOFILE &&
+ (channel->flags & ISC_LOG_DEBUGONLY) != 0 &&
+ FILE_STREAM(channel) != NULL) {
+ (void)fclose(FILE_STREAM(channel));
+ FILE_STREAM(channel) = NULL;
+ }
+ UNLOCK(&lctx->lock);
+}
+
+unsigned int
+isc_log_getdebuglevel(isc_log_t *lctx) {
+ REQUIRE(VALID_CONTEXT(lctx));
+
+ return (lctx->debug_level);
+}
+
+void
+isc_log_setduplicateinterval(isc_logconfig_t *lcfg, unsigned int interval) {
+ REQUIRE(VALID_CONFIG(lcfg));
+
+ lcfg->duplicate_interval = interval;
+}
+
+unsigned int
+isc_log_getduplicateinterval(isc_logconfig_t *lcfg) {
+ REQUIRE(VALID_CONTEXT(lcfg));
+
+ return (lcfg->duplicate_interval);
+}
+
+isc_result_t
+isc_log_settag(isc_logconfig_t *lcfg, const char *tag) {
+ REQUIRE(VALID_CONFIG(lcfg));
+
+ if (tag != NULL && *tag != '\0') {
+ if (lcfg->tag != NULL)
+ isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+ lcfg->tag = isc_mem_strdup(lcfg->lctx->mctx, tag);
+ if (lcfg->tag == NULL)
+ return (ISC_R_NOMEMORY);
+
+ } else {
+ if (lcfg->tag != NULL)
+ isc_mem_free(lcfg->lctx->mctx, lcfg->tag);
+ lcfg->tag = NULL;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+char *
+isc_log_gettag(isc_logconfig_t *lcfg) {
+ REQUIRE(VALID_CONFIG(lcfg));
+
+ return (lcfg->tag);
+}
+
+/* XXXDCL NT -- This interface will assuredly be changing. */
+void
+isc_log_opensyslog(const char *tag, int options, int facility) {
+ (void)openlog(tag, options, facility);
+}
+
+void
+isc_log_closefilelogs(isc_log_t *lctx) {
+ isc_logchannel_t *channel;
+
+ REQUIRE(VALID_CONTEXT(lctx));
+
+ LOCK(&lctx->lock);
+ for (channel = ISC_LIST_HEAD(lctx->logconfig->channels);
+ channel != NULL;
+ channel = ISC_LIST_NEXT(channel, link))
+
+ if (channel->type == ISC_LOG_TOFILE &&
+ FILE_STREAM(channel) != NULL) {
+ (void)fclose(FILE_STREAM(channel));
+ FILE_STREAM(channel) = NULL;
+ }
+ UNLOCK(&lctx->lock);
+}
+
+/****
+ **** Internal functions
+ ****/
+
+static isc_result_t
+assignchannel(isc_logconfig_t *lcfg, unsigned int category_id,
+ const isc_logmodule_t *module, isc_logchannel_t *channel)
+{
+ isc_logchannellist_t *new_item;
+ isc_log_t *lctx;
+ isc_result_t result;
+
+ REQUIRE(VALID_CONFIG(lcfg));
+
+ lctx = lcfg->lctx;
+
+ REQUIRE(category_id < lctx->category_count);
+ REQUIRE(module == NULL || module->id < lctx->module_count);
+ REQUIRE(channel != NULL);
+
+ /*
+ * Ensure lcfg->channellist_count == lctx->category_count.
+ */
+ result = sync_channellist(lcfg);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ new_item = isc_mem_get(lctx->mctx, sizeof(*new_item));
+ if (new_item == NULL)
+ return (ISC_R_NOMEMORY);
+
+ new_item->channel = channel;
+ new_item->module = module;
+ ISC_LIST_INITANDPREPEND(lcfg->channellists[category_id],
+ new_item, link);
+
+ /*
+ * Remember the highest logging level set by any channel in the
+ * logging config, so isc_log_doit() can quickly return if the
+ * message is too high to be logged by any channel.
+ */
+ if (channel->type != ISC_LOG_TONULL) {
+ if (lcfg->highest_level < channel->level)
+ lcfg->highest_level = channel->level;
+ if (channel->level == ISC_LOG_DYNAMIC)
+ lcfg->dynamic = ISC_TRUE;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * This would ideally be part of isc_log_registercategories(), except then
+ * that function would have to return isc_result_t instead of void.
+ */
+static isc_result_t
+sync_channellist(isc_logconfig_t *lcfg) {
+ unsigned int bytes;
+ isc_log_t *lctx;
+ void *lists;
+
+ REQUIRE(VALID_CONFIG(lcfg));
+
+ lctx = lcfg->lctx;
+
+ REQUIRE(lctx->category_count != 0);
+
+ if (lctx->category_count == lcfg->channellist_count)
+ return (ISC_R_SUCCESS);
+
+ bytes = lctx->category_count * sizeof(ISC_LIST(isc_logchannellist_t));
+
+ lists = isc_mem_get(lctx->mctx, bytes);
+
+ if (lists == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(lists, 0, bytes);
+
+ if (lcfg->channellist_count != 0) {
+ bytes = lcfg->channellist_count *
+ sizeof(ISC_LIST(isc_logchannellist_t));
+ memcpy(lists, lcfg->channellists, bytes);
+ isc_mem_put(lctx->mctx, lcfg->channellists, bytes);
+ }
+
+ lcfg->channellists = lists;
+ lcfg->channellist_count = lctx->category_count;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+greatest_version(isc_logchannel_t *channel, int *greatestp) {
+ /* XXXDCL HIGHLY NT */
+ char *basename, *digit_end;
+ const char *dirname;
+ int version, greatest = -1;
+ unsigned int basenamelen;
+ isc_dir_t dir;
+ isc_result_t result;
+ char sep = '/';
+#ifdef _WIN32
+ char *basename2;
+#endif
+
+ REQUIRE(channel->type == ISC_LOG_TOFILE);
+
+ /*
+ * It is safe to DE_CONST the file.name because it was copied
+ * with isc_mem_strdup in isc_log_createchannel.
+ */
+ basename = strrchr(FILE_NAME(channel), sep);
+#ifdef _WIN32
+ basename2 = strrchr(FILE_NAME(channel), '\\');
+ if ((basename != NULL && basename2 != NULL && basename2 > basename) ||
+ (basename == NULL && basename2 != NULL)) {
+ basename = basename2;
+ sep = '\\';
+ }
+#endif
+ if (basename != NULL) {
+ *basename++ = '\0';
+ dirname = FILE_NAME(channel);
+ } else {
+ DE_CONST(FILE_NAME(channel), basename);
+ dirname = ".";
+ }
+ basenamelen = strlen(basename);
+
+ isc_dir_init(&dir);
+ result = isc_dir_open(&dir, dirname);
+
+ /*
+ * Replace the file separator if it was taken out.
+ */
+ if (basename != FILE_NAME(channel))
+ *(basename - 1) = sep;
+
+ /*
+ * Return if the directory open failed.
+ */
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
+ if (dir.entry.length > basenamelen &&
+ strncmp(dir.entry.name, basename, basenamelen) == 0 &&
+ dir.entry.name[basenamelen] == '.') {
+
+ version = strtol(&dir.entry.name[basenamelen + 1],
+ &digit_end, 10);
+ if (*digit_end == '\0' && version > greatest)
+ greatest = version;
+ }
+ }
+ isc_dir_close(&dir);
+
+ *greatestp = ++greatest;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+roll_log(isc_logchannel_t *channel) {
+ int i, n, greatest;
+ char current[PATH_MAX + 1];
+ char new[PATH_MAX + 1];
+ const char *path;
+ isc_result_t result;
+
+ /*
+ * Do nothing (not even excess version trimming) if ISC_LOG_ROLLNEVER
+ * is specified. Apparently complete external control over the log
+ * files is desired.
+ */
+ if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
+ return (ISC_R_SUCCESS);
+
+ path = FILE_NAME(channel);
+
+ /*
+ * Set greatest_version to the greatest existing version
+ * (not the maximum requested version). This is 1 based even
+ * though the file names are 0 based, so an oldest log of log.1
+ * is a greatest_version of 2.
+ */
+ result = greatest_version(channel, &greatest);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Now greatest should be set to the highest version number desired.
+ * Since the highest number is one less than FILE_VERSIONS(channel)
+ * when not doing infinite log rolling, greatest will need to be
+ * decremented when it is equal to -- or greater than --
+ * FILE_VERSIONS(channel). When greatest is less than
+ * FILE_VERSIONS(channel), it is already suitable for use as
+ * the maximum version number.
+ */
+
+ if (FILE_VERSIONS(channel) == ISC_LOG_ROLLINFINITE ||
+ FILE_VERSIONS(channel) > greatest)
+ ; /* Do nothing. */
+ else
+ /*
+ * When greatest is >= FILE_VERSIONS(channel), it needs to
+ * be reduced until it is FILE_VERSIONS(channel) - 1.
+ * Remove any excess logs on the way to that value.
+ */
+ while (--greatest >= FILE_VERSIONS(channel)) {
+ n = snprintf(current, sizeof(current), "%s.%d",
+ path, greatest);
+ if (n >= (int)sizeof(current) || n < 0)
+ result = ISC_R_NOSPACE;
+ else
+ result = isc_file_remove(current);
+ if (result != ISC_R_SUCCESS &&
+ result != ISC_R_FILENOTFOUND)
+ syslog(LOG_ERR,
+ "unable to remove log file '%s.%d': %s",
+ path, greatest,
+ isc_result_totext(result));
+ }
+
+ for (i = greatest; i > 0; i--) {
+ result = ISC_R_SUCCESS;
+ n = snprintf(current, sizeof(current), "%s.%d", path, i - 1);
+ if (n >= (int)sizeof(current) || n < 0)
+ result = ISC_R_NOSPACE;
+ if (result == ISC_R_SUCCESS) {
+ n = snprintf(new, sizeof(new), "%s.%d", path, i);
+ if (n >= (int)sizeof(new) || n < 0)
+ result = ISC_R_NOSPACE;
+ }
+ if (result == ISC_R_SUCCESS)
+ result = isc_file_rename(current, new);
+ if (result != ISC_R_SUCCESS &&
+ result != ISC_R_FILENOTFOUND)
+ syslog(LOG_ERR,
+ "unable to rename log file '%s.%d' to "
+ "'%s.%d': %s", path, i - 1, path, i,
+ isc_result_totext(result));
+ }
+
+ if (FILE_VERSIONS(channel) != 0) {
+ n = snprintf(new, sizeof(new), "%s.0", path);
+ if (n >= (int)sizeof(new) || n < 0)
+ result = ISC_R_NOSPACE;
+ else
+ result = isc_file_rename(path, new);
+ if (result != ISC_R_SUCCESS &&
+ result != ISC_R_FILENOTFOUND)
+ syslog(LOG_ERR,
+ "unable to rename log file '%s' to '%s.0': %s",
+ path, path, isc_result_totext(result));
+ } else {
+ result = isc_file_remove(path);
+ if (result != ISC_R_SUCCESS &&
+ result != ISC_R_FILENOTFOUND)
+ syslog(LOG_ERR, "unable to remove log file '%s': %s",
+ path, isc_result_totext(result));
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+isc_log_open(isc_logchannel_t *channel) {
+ struct stat statbuf;
+ isc_boolean_t regular_file;
+ isc_boolean_t roll = ISC_FALSE;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *path;
+
+ REQUIRE(channel->type == ISC_LOG_TOFILE);
+ REQUIRE(FILE_STREAM(channel) == NULL);
+
+ path = FILE_NAME(channel);
+
+ REQUIRE(path != NULL && *path != '\0');
+
+ /*
+ * Determine type of file; only regular files will be
+ * version renamed, and only if the base file exists
+ * and either has no size limit or has reached its size limit.
+ */
+ if (stat(path, &statbuf) == 0) {
+ regular_file = S_ISREG(statbuf.st_mode) ? ISC_TRUE : ISC_FALSE;
+ /* XXXDCL if not regular_file complain? */
+ if ((FILE_MAXSIZE(channel) == 0 &&
+ FILE_VERSIONS(channel) != ISC_LOG_ROLLNEVER) ||
+ (FILE_MAXSIZE(channel) > 0 &&
+ statbuf.st_size >= FILE_MAXSIZE(channel)))
+ roll = regular_file;
+ } else if (errno == ENOENT)
+ regular_file = ISC_TRUE;
+ else
+ result = ISC_R_INVALIDFILE;
+
+ /*
+ * Version control.
+ */
+ if (result == ISC_R_SUCCESS && roll) {
+ if (FILE_VERSIONS(channel) == ISC_LOG_ROLLNEVER)
+ return (ISC_R_MAXSIZE);
+ result = roll_log(channel);
+ if (result != ISC_R_SUCCESS) {
+ if ((channel->flags & ISC_LOG_OPENERR) == 0) {
+ syslog(LOG_ERR,
+ "isc_log_open: roll_log '%s' "
+ "failed: %s",
+ FILE_NAME(channel),
+ isc_result_totext(result));
+ channel->flags |= ISC_LOG_OPENERR;
+ }
+ return (result);
+ }
+ }
+
+ result = isc_stdio_open(path, "a", &FILE_STREAM(channel));
+
+ return (result);
+}
+
+isc_boolean_t
+isc_log_wouldlog(isc_log_t *lctx, int level) {
+ /*
+ * Try to avoid locking the mutex for messages which can't
+ * possibly be logged to any channels -- primarily debugging
+ * messages that the debug level is not high enough to print.
+ *
+ * If the level is (mathematically) less than or equal to the
+ * highest_level, or if there is a dynamic channel and the level is
+ * less than or equal to the debug level, the main loop must be
+ * entered to see if the message should really be output.
+ *
+ * NOTE: this is UNLOCKED access to the logconfig. However,
+ * the worst thing that can happen is that a bad decision is made
+ * about returning without logging, and that's not a big concern,
+ * because that's a risk anyway if the logconfig is being
+ * dynamically changed.
+ */
+
+ if (lctx == NULL || lctx->logconfig == NULL)
+ return (ISC_FALSE);
+
+ return (ISC_TF(level <= lctx->logconfig->highest_level ||
+ (lctx->logconfig->dynamic &&
+ level <= lctx->debug_level)));
+}
+
+static void
+isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, isc_boolean_t write_once,
+ isc_msgcat_t *msgcat, int msgset, int msg,
+ const char *format, va_list args)
+{
+ int syslog_level;
+ char time_string[64];
+ char level_string[24];
+ const char *iformat;
+ struct stat statbuf;
+ isc_boolean_t matched = ISC_FALSE;
+ isc_boolean_t printtime, printtag;
+ isc_boolean_t printcategory, printmodule, printlevel;
+ isc_logconfig_t *lcfg;
+ isc_logchannel_t *channel;
+ isc_logchannellist_t *category_channels;
+ isc_result_t result;
+
+ REQUIRE(lctx == NULL || VALID_CONTEXT(lctx));
+ REQUIRE(category != NULL);
+ REQUIRE(module != NULL);
+ REQUIRE(level != ISC_LOG_DYNAMIC);
+ REQUIRE(format != NULL);
+
+ /*
+ * Programs can use libraries that use this logging code without
+ * wanting to do any logging, thus the log context is allowed to
+ * be non-existent.
+ */
+ if (lctx == NULL)
+ return;
+
+ REQUIRE(category->id < lctx->category_count);
+ REQUIRE(module->id < lctx->module_count);
+
+ if (! isc_log_wouldlog(lctx, level))
+ return;
+
+ if (msgcat != NULL)
+ iformat = isc_msgcat_get(msgcat, msgset, msg, format);
+ else
+ iformat = format;
+
+ time_string[0] = '\0';
+ level_string[0] = '\0';
+
+ LOCK(&lctx->lock);
+
+ lctx->buffer[0] = '\0';
+
+ lcfg = lctx->logconfig;
+
+ category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
+
+ /*
+ * XXXDCL add duplicate filtering? (To not write multiple times to
+ * the same source via various channels).
+ */
+ do {
+ /*
+ * If the channel list end was reached and a match was made,
+ * everything is finished.
+ */
+ if (category_channels == NULL && matched)
+ break;
+
+ if (category_channels == NULL && ! matched &&
+ category_channels != ISC_LIST_HEAD(lcfg->channellists[0]))
+ /*
+ * No category/module pair was explicitly configured.
+ * Try the category named "default".
+ */
+ category_channels =
+ ISC_LIST_HEAD(lcfg->channellists[0]);
+
+ if (category_channels == NULL && ! matched)
+ /*
+ * No matching module was explicitly configured
+ * for the category named "default". Use the internal
+ * default channel.
+ */
+ category_channels = &default_channel;
+
+ if (category_channels->module != NULL &&
+ category_channels->module != module) {
+ category_channels = ISC_LIST_NEXT(category_channels,
+ link);
+ continue;
+ }
+
+ matched = ISC_TRUE;
+
+ channel = category_channels->channel;
+ category_channels = ISC_LIST_NEXT(category_channels, link);
+
+ if (((channel->flags & ISC_LOG_DEBUGONLY) != 0) &&
+ lctx->debug_level == 0)
+ continue;
+
+ if (channel->level == ISC_LOG_DYNAMIC) {
+ if (lctx->debug_level < level)
+ continue;
+ } else if (channel->level < level)
+ continue;
+
+ if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
+ time_string[0] == '\0') {
+ isc_time_t isctime;
+
+ TIME_NOW(&isctime);
+ isc_time_formattimestamp(&isctime, time_string,
+ sizeof(time_string));
+ }
+
+ if ((channel->flags & ISC_LOG_PRINTLEVEL) != 0 &&
+ level_string[0] == '\0') {
+ if (level < ISC_LOG_CRITICAL)
+ snprintf(level_string, sizeof(level_string),
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_LOG,
+ ISC_MSG_LEVEL,
+ "level %d: "),
+ level);
+ else if (level > ISC_LOG_DYNAMIC)
+ snprintf(level_string, sizeof(level_string),
+ "%s %d: ", log_level_strings[0],
+ level);
+ else
+ snprintf(level_string, sizeof(level_string),
+ "%s: ", log_level_strings[-level]);
+ }
+
+ /*
+ * Only format the message once.
+ */
+ if (lctx->buffer[0] == '\0') {
+ (void)vsnprintf(lctx->buffer, sizeof(lctx->buffer),
+ iformat, args);
+
+ /*
+ * Check for duplicates.
+ */
+ if (write_once) {
+ isc_logmessage_t *message, *new;
+ isc_time_t oldest;
+ isc_interval_t interval;
+
+ isc_interval_set(&interval,
+ lcfg->duplicate_interval, 0);
+
+ /*
+ * 'oldest' is the age of the oldest messages
+ * which fall within the duplicate_interval
+ * range.
+ */
+ TIME_NOW(&oldest);
+ if (isc_time_subtract(&oldest, &interval, &oldest)
+ != ISC_R_SUCCESS)
+ /*
+ * Can't effectively do the checking
+ * without having a valid time.
+ */
+ message = NULL;
+ else
+ message =ISC_LIST_HEAD(lctx->messages);
+
+ while (message != NULL) {
+ if (isc_time_compare(&message->time,
+ &oldest) < 0) {
+ /*
+ * This message is older
+ * than the duplicate_interval,
+ * so it should be dropped from
+ * the history.
+ *
+ * Setting the interval to be
+ * to be longer will obviously
+ * not cause the expired
+ * message to spring back into
+ * existence.
+ */
+ new = ISC_LIST_NEXT(message,
+ link);
+
+ ISC_LIST_UNLINK(lctx->messages,
+ message, link);
+
+ isc_mem_put(lctx->mctx,
+ message,
+ sizeof(*message) + 1 +
+ strlen(message->text));
+
+ message = new;
+ continue;
+ }
+
+ /*
+ * This message is in the duplicate
+ * filtering interval ...
+ */
+ if (strcmp(lctx->buffer, message->text)
+ == 0) {
+ /*
+ * ... and it is a duplicate.
+ * Unlock the mutex and
+ * get the hell out of Dodge.
+ */
+ UNLOCK(&lctx->lock);
+ return;
+ }
+
+ message = ISC_LIST_NEXT(message, link);
+ }
+
+ /*
+ * It wasn't in the duplicate interval,
+ * so add it to the message list.
+ */
+ new = isc_mem_get(lctx->mctx,
+ sizeof(isc_logmessage_t) +
+ strlen(lctx->buffer) + 1);
+ if (new != NULL) {
+ /*
+ * Put the text immediately after
+ * the struct. The strcpy is safe.
+ */
+ new->text = (char *)(new + 1);
+ strcpy(new->text, lctx->buffer);
+
+ TIME_NOW(&new->time);
+
+ ISC_LIST_APPEND(lctx->messages,
+ new, link);
+ }
+ }
+ }
+
+ printtime = ISC_TF((channel->flags & ISC_LOG_PRINTTIME)
+ != 0);
+ printtag = ISC_TF((channel->flags & ISC_LOG_PRINTTAG)
+ != 0 && lcfg->tag != NULL);
+ printcategory = ISC_TF((channel->flags & ISC_LOG_PRINTCATEGORY)
+ != 0);
+ printmodule = ISC_TF((channel->flags & ISC_LOG_PRINTMODULE)
+ != 0);
+ printlevel = ISC_TF((channel->flags & ISC_LOG_PRINTLEVEL)
+ != 0);
+
+ switch (channel->type) {
+ case ISC_LOG_TOFILE:
+ if (FILE_MAXREACHED(channel)) {
+ /*
+ * If the file can be rolled, OR
+ * If the file no longer exists, OR
+ * If the file is less than the maximum size,
+ * (such as if it had been renamed and
+ * a new one touched, or it was truncated
+ * in place)
+ * ... then close it to trigger reopening.
+ */
+ if (FILE_VERSIONS(channel) !=
+ ISC_LOG_ROLLNEVER ||
+ (stat(FILE_NAME(channel), &statbuf) != 0 &&
+ errno == ENOENT) ||
+ statbuf.st_size < FILE_MAXSIZE(channel)) {
+ (void)fclose(FILE_STREAM(channel));
+ FILE_STREAM(channel) = NULL;
+ FILE_MAXREACHED(channel) = ISC_FALSE;
+ } else
+ /*
+ * Eh, skip it.
+ */
+ break;
+ }
+
+ if (FILE_STREAM(channel) == NULL) {
+ result = isc_log_open(channel);
+ if (result != ISC_R_SUCCESS &&
+ result != ISC_R_MAXSIZE &&
+ (channel->flags & ISC_LOG_OPENERR) == 0) {
+ syslog(LOG_ERR,
+ "isc_log_open '%s' failed: %s",
+ FILE_NAME(channel),
+ isc_result_totext(result));
+ channel->flags |= ISC_LOG_OPENERR;
+ }
+ if (result != ISC_R_SUCCESS)
+ break;
+ channel->flags &= ~ISC_LOG_OPENERR;
+ }
+ /* FALLTHROUGH */
+
+ case ISC_LOG_TOFILEDESC:
+ fprintf(FILE_STREAM(channel), "%s%s%s%s%s%s%s%s%s%s\n",
+ printtime ? time_string : "",
+ printtime ? " " : "",
+ printtag ? lcfg->tag : "",
+ printtag ? ": " : "",
+ printcategory ? category->name : "",
+ printcategory ? ": " : "",
+ printmodule ? (module != NULL ? module->name
+ : "no_module")
+ : "",
+ printmodule ? ": " : "",
+ printlevel ? level_string : "",
+ lctx->buffer);
+
+ fflush(FILE_STREAM(channel));
+
+ /*
+ * If the file now exceeds its maximum size
+ * threshold, note it so that it will not be logged
+ * to any more.
+ */
+ if (FILE_MAXSIZE(channel) > 0) {
+ INSIST(channel->type == ISC_LOG_TOFILE);
+
+ /* XXXDCL NT fstat/fileno */
+ /* XXXDCL complain if fstat fails? */
+ if (fstat(fileno(FILE_STREAM(channel)),
+ &statbuf) >= 0 &&
+ statbuf.st_size > FILE_MAXSIZE(channel))
+ FILE_MAXREACHED(channel) = ISC_TRUE;
+ }
+
+ break;
+
+ case ISC_LOG_TOSYSLOG:
+ if (level > 0)
+ syslog_level = LOG_DEBUG;
+ else if (level < ISC_LOG_CRITICAL)
+ syslog_level = LOG_CRIT;
+ else
+ syslog_level = syslog_map[-level];
+
+ (void)syslog(FACILITY(channel) | syslog_level,
+ "%s%s%s%s%s%s%s%s%s",
+ printtime ? time_string : "",
+ printtag ? lcfg->tag : "",
+ printtag ? ": " : "",
+ printcategory ? category->name : "",
+ printcategory ? ": " : "",
+ printmodule ? (module != NULL ? module->name
+ : "no_module")
+ : "",
+ printmodule ? ": " : "",
+ printlevel ? level_string : "",
+ lctx->buffer);
+ break;
+
+ case ISC_LOG_TONULL:
+ break;
+
+ }
+
+ } while (1);
+
+ UNLOCK(&lctx->lock);
+}
diff --git a/contrib/bind9/lib/isc/md5.c b/contrib/bind9/lib/isc/md5.c
new file mode 100644
index 0000000..863612b
--- /dev/null
+++ b/contrib/bind9/lib/isc/md5.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: md5.c,v 1.9.206.1 2004/03/06 08:14:32 marka Exp $ */
+
+/*
+ * This code implements the MD5 message-digest algorithm.
+ * The algorithm is due to Ron Rivest. This code was
+ * written by Colin Plumb in 1993, no copyright is claimed.
+ * This code is in the public domain; do with it what you wish.
+ *
+ * Equivalent code is available from RSA Data Security, Inc.
+ * This code has been tested against that, and is equivalent,
+ * except that you don't need to include two pages of legalese
+ * with every copy.
+ *
+ * To compute the message digest of a chunk of bytes, declare an
+ * MD5Context structure, pass it to MD5Init, call MD5Update as
+ * needed on buffers full of bytes, and then call MD5Final, which
+ * will fill a supplied 16-byte array with the digest.
+ */
+
+#include "config.h"
+
+#include <isc/assertions.h>
+#include <isc/md5.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+static void
+byteSwap(isc_uint32_t *buf, unsigned words)
+{
+ unsigned char *p = (unsigned char *)buf;
+
+ do {
+ *buf++ = (isc_uint32_t)((unsigned)p[3] << 8 | p[2]) << 16 |
+ ((unsigned)p[1] << 8 | p[0]);
+ p += 4;
+ } while (--words);
+}
+
+/*
+ * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
+ * initialization constants.
+ */
+void
+isc_md5_init(isc_md5_t *ctx) {
+ ctx->buf[0] = 0x67452301;
+ ctx->buf[1] = 0xefcdab89;
+ ctx->buf[2] = 0x98badcfe;
+ ctx->buf[3] = 0x10325476;
+
+ ctx->bytes[0] = 0;
+ ctx->bytes[1] = 0;
+}
+
+void
+isc_md5_invalidate(isc_md5_t *ctx) {
+ memset(ctx, 0, sizeof(isc_md5_t));
+}
+
+/* The four core functions - F1 is optimized somewhat */
+
+/* #define F1(x, y, z) (x & y | ~x & z) */
+#define F1(x, y, z) (z ^ (x & (y ^ z)))
+#define F2(x, y, z) F1(z, x, y)
+#define F3(x, y, z) (x ^ y ^ z)
+#define F4(x, y, z) (y ^ (x | ~z))
+
+/* This is the central step in the MD5 algorithm. */
+#define MD5STEP(f,w,x,y,z,in,s) \
+ (w += f(x,y,z) + in, w = (w<<s | w>>(32-s)) + x)
+
+/*
+ * The core of the MD5 algorithm, this alters an existing MD5 hash to
+ * reflect the addition of 16 longwords of new data. MD5Update blocks
+ * the data and converts bytes into longwords for this routine.
+ */
+static void
+transform(isc_uint32_t buf[4], isc_uint32_t const in[16]) {
+ register isc_uint32_t a, b, c, d;
+
+ a = buf[0];
+ b = buf[1];
+ c = buf[2];
+ d = buf[3];
+
+ MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478, 7);
+ MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756, 12);
+ MD5STEP(F1, c, d, a, b, in[2] + 0x242070db, 17);
+ MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceee, 22);
+ MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0faf, 7);
+ MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62a, 12);
+ MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613, 17);
+ MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501, 22);
+ MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8, 7);
+ MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7af, 12);
+ MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1, 17);
+ MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7be, 22);
+ MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122, 7);
+ MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193, 12);
+ MD5STEP(F1, c, d, a, b, in[14] + 0xa679438e, 17);
+ MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821, 22);
+
+ MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562, 5);
+ MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340, 9);
+ MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51, 14);
+ MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20);
+ MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105d, 5);
+ MD5STEP(F2, d, a, b, c, in[10] + 0x02441453, 9);
+ MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681, 14);
+ MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20);
+ MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6, 5);
+ MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6, 9);
+ MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87, 14);
+ MD5STEP(F2, b, c, d, a, in[8] + 0x455a14ed, 20);
+ MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905, 5);
+ MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8, 9);
+ MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9, 14);
+ MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20);
+
+ MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942, 4);
+ MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681, 11);
+ MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122, 16);
+ MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380c, 23);
+ MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44, 4);
+ MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9, 11);
+ MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60, 16);
+ MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70, 23);
+ MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6, 4);
+ MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127fa, 11);
+ MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085, 16);
+ MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05, 23);
+ MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039, 4);
+ MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5, 11);
+ MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8, 16);
+ MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665, 23);
+
+ MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244, 6);
+ MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97, 10);
+ MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7, 15);
+ MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039, 21);
+ MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3, 6);
+ MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92, 10);
+ MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47d, 15);
+ MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1, 21);
+ MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4f, 6);
+ MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10);
+ MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314, 15);
+ MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1, 21);
+ MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82, 6);
+ MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235, 10);
+ MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15);
+ MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391, 21);
+
+ buf[0] += a;
+ buf[1] += b;
+ buf[2] += c;
+ buf[3] += d;
+}
+
+/*
+ * Update context to reflect the concatenation of another buffer full
+ * of bytes.
+ */
+void
+isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
+ isc_uint32_t t;
+
+ /* Update byte count */
+
+ t = ctx->bytes[0];
+ if ((ctx->bytes[0] = t + len) < t)
+ ctx->bytes[1]++; /* Carry from low to high */
+
+ t = 64 - (t & 0x3f); /* Space available in ctx->in (at least 1) */
+ if (t > len) {
+ memcpy((unsigned char *)ctx->in + 64 - t, buf, len);
+ return;
+ }
+ /* First chunk is an odd size */
+ memcpy((unsigned char *)ctx->in + 64 - t, buf, t);
+ byteSwap(ctx->in, 16);
+ transform(ctx->buf, ctx->in);
+ buf += t;
+ len -= t;
+
+ /* Process data in 64-byte chunks */
+ while (len >= 64) {
+ memcpy(ctx->in, buf, 64);
+ byteSwap(ctx->in, 16);
+ transform(ctx->buf, ctx->in);
+ buf += 64;
+ len -= 64;
+ }
+
+ /* Handle any remaining bytes of data. */
+ memcpy(ctx->in, buf, len);
+}
+
+/*
+ * Final wrapup - pad to 64-byte boundary with the bit pattern
+ * 1 0* (64-bit count of bits processed, MSB-first)
+ */
+void
+isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
+ int count = ctx->bytes[0] & 0x3f; /* Number of bytes in ctx->in */
+ unsigned char *p = (unsigned char *)ctx->in + count;
+
+ /* Set the first char of padding to 0x80. There is always room. */
+ *p++ = 0x80;
+
+ /* Bytes of padding needed to make 56 bytes (-8..55) */
+ count = 56 - 1 - count;
+
+ if (count < 0) { /* Padding forces an extra block */
+ memset(p, 0, count + 8);
+ byteSwap(ctx->in, 16);
+ transform(ctx->buf, ctx->in);
+ p = (unsigned char *)ctx->in;
+ count = 56;
+ }
+ memset(p, 0, count);
+ byteSwap(ctx->in, 14);
+
+ /* Append length in bits and transform */
+ ctx->in[14] = ctx->bytes[0] << 3;
+ ctx->in[15] = ctx->bytes[1] << 3 | ctx->bytes[0] >> 29;
+ transform(ctx->buf, ctx->in);
+
+ byteSwap(ctx->buf, 4);
+ memcpy(digest, ctx->buf, 16);
+ memset(ctx, 0, sizeof(isc_md5_t)); /* In case it's sensitive */
+}
diff --git a/contrib/bind9/lib/isc/mem.c b/contrib/bind9/lib/isc/mem.c
new file mode 100644
index 0000000..762aa17
--- /dev/null
+++ b/contrib/bind9/lib/isc/mem.c
@@ -0,0 +1,1776 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mem.c,v 1.98.2.7.2.5 2004/03/16 05:50:24 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+
+#include <limits.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/ondestroy.h>
+#include <isc/string.h>
+
+#include <isc/mutex.h>
+#include <isc/util.h>
+
+#ifndef ISC_MEM_DEBUGGING
+#define ISC_MEM_DEBUGGING 0
+#endif
+LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
+
+/*
+ * Define ISC_MEM_USE_INTERNAL_MALLOC=1 to use the internal malloc()
+ * implementation in preference to the system one. The internal malloc()
+ * is very space-efficient, and quite fast on uniprocessor systems. It
+ * performs poorly on multiprocessor machines.
+ */
+#ifndef ISC_MEM_USE_INTERNAL_MALLOC
+#define ISC_MEM_USE_INTERNAL_MALLOC 0
+#endif
+
+/*
+ * Constants.
+ */
+
+#define DEF_MAX_SIZE 1100
+#define DEF_MEM_TARGET 4096
+#define ALIGNMENT_SIZE 8 /* must be a power of 2 */
+#define NUM_BASIC_BLOCKS 64 /* must be > 1 */
+#define TABLE_INCREMENT 1024
+#define DEBUGLIST_COUNT 1024
+
+/*
+ * Types.
+ */
+#if ISC_MEM_TRACKLINES
+typedef struct debuglink debuglink_t;
+struct debuglink {
+ ISC_LINK(debuglink_t) link;
+ const void *ptr[DEBUGLIST_COUNT];
+ unsigned int size[DEBUGLIST_COUNT];
+ const char *file[DEBUGLIST_COUNT];
+ unsigned int line[DEBUGLIST_COUNT];
+ unsigned int count;
+};
+
+#define FLARG_PASS , file, line
+#define FLARG , const char *file, int line
+#else
+#define FLARG_PASS
+#define FLARG
+#endif
+
+typedef struct element element;
+struct element {
+ element * next;
+};
+
+typedef struct {
+ /*
+ * This structure must be ALIGNMENT_SIZE bytes.
+ */
+ union {
+ size_t size;
+ char bytes[ALIGNMENT_SIZE];
+ } u;
+} size_info;
+
+struct stats {
+ unsigned long gets;
+ unsigned long totalgets;
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ unsigned long blocks;
+ unsigned long freefrags;
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+};
+
+#define MEM_MAGIC ISC_MAGIC('M', 'e', 'm', 'C')
+#define VALID_CONTEXT(c) ISC_MAGIC_VALID(c, MEM_MAGIC)
+
+#if ISC_MEM_TRACKLINES
+typedef ISC_LIST(debuglink_t) debuglist_t;
+#endif
+
+struct isc_mem {
+ unsigned int magic;
+ isc_ondestroy_t ondestroy;
+ isc_mutex_t lock;
+ isc_memalloc_t memalloc;
+ isc_memfree_t memfree;
+ void * arg;
+ size_t max_size;
+ isc_boolean_t checkfree;
+ struct stats * stats;
+ unsigned int references;
+ size_t quota;
+ size_t total;
+ size_t inuse;
+ size_t maxinuse;
+ size_t hi_water;
+ size_t lo_water;
+ isc_boolean_t hi_called;
+ isc_mem_water_t water;
+ void * water_arg;
+ ISC_LIST(isc_mempool_t) pools;
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ size_t mem_target;
+ element ** freelists;
+ element * basic_blocks;
+ unsigned char ** basic_table;
+ unsigned int basic_table_count;
+ unsigned int basic_table_size;
+ unsigned char * lowest;
+ unsigned char * highest;
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+#if ISC_MEM_TRACKLINES
+ debuglist_t * debuglist;
+#endif
+
+ unsigned int memalloc_failures;
+};
+
+#define MEMPOOL_MAGIC ISC_MAGIC('M', 'E', 'M', 'p')
+#define VALID_MEMPOOL(c) ISC_MAGIC_VALID(c, MEMPOOL_MAGIC)
+
+struct isc_mempool {
+ /* always unlocked */
+ unsigned int magic; /* magic number */
+ isc_mutex_t *lock; /* optional lock */
+ isc_mem_t *mctx; /* our memory context */
+ /* locked via the memory context's lock */
+ ISC_LINK(isc_mempool_t) link; /* next pool in this mem context */
+ /* optionally locked from here down */
+ element *items; /* low water item list */
+ size_t size; /* size of each item on this pool */
+ unsigned int maxalloc; /* max number of items allowed */
+ unsigned int allocated; /* # of items currently given out */
+ unsigned int freecount; /* # of items on reserved list */
+ unsigned int freemax; /* # of items allowed on free list */
+ unsigned int fillcount; /* # of items to fetch on each fill */
+ /* Stats only. */
+ unsigned int gets; /* # of requests to this pool */
+ /* Debugging only. */
+#if ISC_MEMPOOL_NAMES
+ char name[16]; /* printed name in stats reports */
+#endif
+};
+
+/*
+ * Private Inline-able.
+ */
+
+#if ! ISC_MEM_TRACKLINES
+#define ADD_TRACE(a, b, c, d, e)
+#define DELETE_TRACE(a, b, c, d, e)
+#else
+#define ADD_TRACE(a, b, c, d, e) \
+ do { \
+ if ((isc_mem_debugging & (ISC_MEM_DEBUGTRACE | \
+ ISC_MEM_DEBUGRECORD)) != 0 && \
+ b != NULL) \
+ add_trace_entry(a, b, c, d, e); \
+ } while (0)
+#define DELETE_TRACE(a, b, c, d, e) delete_trace_entry(a, b, c, d, e)
+
+static void
+print_active(isc_mem_t *ctx, FILE *out);
+
+/*
+ * mctx must be locked.
+ */
+static inline void
+add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
+ FLARG)
+{
+ debuglink_t *dl;
+ unsigned int i;
+
+ if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
+ fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_ADDTRACE,
+ "add %p size %u "
+ "file %s line %u mctx %p\n"),
+ ptr, size, file, line, mctx);
+
+ if (mctx->debuglist == NULL)
+ return;
+
+ if (size > mctx->max_size)
+ size = mctx->max_size;
+
+ dl = ISC_LIST_HEAD(mctx->debuglist[size]);
+ while (dl != NULL) {
+ if (dl->count == DEBUGLIST_COUNT)
+ goto next;
+ for (i = 0; i < DEBUGLIST_COUNT; i++) {
+ if (dl->ptr[i] == NULL) {
+ dl->ptr[i] = ptr;
+ dl->size[i] = size;
+ dl->file[i] = file;
+ dl->line[i] = line;
+ dl->count++;
+ return;
+ }
+ }
+ next:
+ dl = ISC_LIST_NEXT(dl, link);
+ }
+
+ dl = malloc(sizeof(debuglink_t));
+ INSIST(dl != NULL);
+
+ ISC_LINK_INIT(dl, link);
+ for (i = 1; i < DEBUGLIST_COUNT; i++) {
+ dl->ptr[i] = NULL;
+ dl->size[i] = 0;
+ dl->file[i] = NULL;
+ dl->line[i] = 0;
+ }
+
+ dl->ptr[0] = ptr;
+ dl->size[0] = size;
+ dl->file[0] = file;
+ dl->line[0] = line;
+ dl->count = 1;
+
+ ISC_LIST_PREPEND(mctx->debuglist[size], dl, link);
+}
+
+static inline void
+delete_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size,
+ const char *file, unsigned int line)
+{
+ debuglink_t *dl;
+ unsigned int i;
+
+ if ((isc_mem_debugging & ISC_MEM_DEBUGTRACE) != 0)
+ fprintf(stderr, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_DELTRACE,
+ "del %p size %u "
+ "file %s line %u mctx %p\n"),
+ ptr, size, file, line, mctx);
+
+ if (mctx->debuglist == NULL)
+ return;
+
+ if (size > mctx->max_size)
+ size = mctx->max_size;
+
+ dl = ISC_LIST_HEAD(mctx->debuglist[size]);
+ while (dl != NULL) {
+ for (i = 0; i < DEBUGLIST_COUNT; i++) {
+ if (dl->ptr[i] == ptr) {
+ dl->ptr[i] = NULL;
+ dl->size[i] = 0;
+ dl->file[i] = NULL;
+ dl->line[i] = 0;
+
+ INSIST(dl->count > 0);
+ dl->count--;
+ if (dl->count == 0) {
+ ISC_LIST_UNLINK(mctx->debuglist[size],
+ dl, link);
+ free(dl);
+ }
+ return;
+ }
+ }
+ dl = ISC_LIST_NEXT(dl, link);
+ }
+
+ /*
+ * If we get here, we didn't find the item on the list. We're
+ * screwed.
+ */
+ INSIST(dl != NULL);
+}
+#endif /* ISC_MEM_TRACKLINES */
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+static inline size_t
+rmsize(size_t size) {
+ /*
+ * round down to ALIGNMENT_SIZE
+ */
+ return (size & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static inline size_t
+quantize(size_t size) {
+ /*
+ * Round up the result in order to get a size big
+ * enough to satisfy the request and be aligned on ALIGNMENT_SIZE
+ * byte boundaries.
+ */
+
+ if (size == 0)
+ return (ALIGNMENT_SIZE);
+ return ((size + ALIGNMENT_SIZE - 1) & (~(ALIGNMENT_SIZE - 1)));
+}
+
+static inline isc_boolean_t
+more_basic_blocks(isc_mem_t *ctx) {
+ void *new;
+ unsigned char *curr, *next;
+ unsigned char *first, *last;
+ unsigned char **table;
+ unsigned int table_size;
+ size_t increment;
+ int i;
+
+ /* Require: we hold the context lock. */
+
+ /*
+ * Did we hit the quota for this context?
+ */
+ increment = NUM_BASIC_BLOCKS * ctx->mem_target;
+ if (ctx->quota != 0 && ctx->total + increment > ctx->quota)
+ return (ISC_FALSE);
+
+ INSIST(ctx->basic_table_count <= ctx->basic_table_size);
+ if (ctx->basic_table_count == ctx->basic_table_size) {
+ table_size = ctx->basic_table_size + TABLE_INCREMENT;
+ table = (ctx->memalloc)(ctx->arg,
+ table_size * sizeof(unsigned char *));
+ if (table == NULL) {
+ ctx->memalloc_failures++;
+ return (ISC_FALSE);
+ }
+ if (ctx->basic_table_size != 0) {
+ memcpy(table, ctx->basic_table,
+ ctx->basic_table_size *
+ sizeof(unsigned char *));
+ (ctx->memfree)(ctx->arg, ctx->basic_table);
+ }
+ ctx->basic_table = table;
+ ctx->basic_table_size = table_size;
+ }
+
+ new = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
+ if (new == NULL) {
+ ctx->memalloc_failures++;
+ return (ISC_FALSE);
+ }
+ ctx->total += increment;
+ ctx->basic_table[ctx->basic_table_count] = new;
+ ctx->basic_table_count++;
+
+ curr = new;
+ next = curr + ctx->mem_target;
+ for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
+ ((element *)curr)->next = (element *)next;
+ curr = next;
+ next += ctx->mem_target;
+ }
+ /*
+ * curr is now pointing at the last block in the
+ * array.
+ */
+ ((element *)curr)->next = NULL;
+ first = new;
+ last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
+ if (first < ctx->lowest || ctx->lowest == NULL)
+ ctx->lowest = first;
+ if (last > ctx->highest)
+ ctx->highest = last;
+ ctx->basic_blocks = new;
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+more_frags(isc_mem_t *ctx, size_t new_size) {
+ int i, frags;
+ size_t total_size;
+ void *new;
+ unsigned char *curr, *next;
+
+ /*
+ * Try to get more fragments by chopping up a basic block.
+ */
+
+ if (ctx->basic_blocks == NULL) {
+ if (!more_basic_blocks(ctx)) {
+ /*
+ * We can't get more memory from the OS, or we've
+ * hit the quota for this context.
+ */
+ /*
+ * XXXRTH "At quota" notification here.
+ */
+ return (ISC_FALSE);
+ }
+ }
+
+ total_size = ctx->mem_target;
+ new = ctx->basic_blocks;
+ ctx->basic_blocks = ctx->basic_blocks->next;
+ frags = total_size / new_size;
+ ctx->stats[new_size].blocks++;
+ ctx->stats[new_size].freefrags += frags;
+ /*
+ * Set up a linked-list of blocks of size
+ * "new_size".
+ */
+ curr = new;
+ next = curr + new_size;
+ total_size -= new_size;
+ for (i = 0; i < (frags - 1); i++) {
+ ((element *)curr)->next = (element *)next;
+ curr = next;
+ next += new_size;
+ total_size -= new_size;
+ }
+ /*
+ * Add the remaining fragment of the basic block to a free list.
+ */
+ total_size = rmsize(total_size);
+ if (total_size > 0) {
+ ((element *)next)->next = ctx->freelists[total_size];
+ ctx->freelists[total_size] = (element *)next;
+ ctx->stats[total_size].freefrags++;
+ }
+ /*
+ * curr is now pointing at the last block in the
+ * array.
+ */
+ ((element *)curr)->next = NULL;
+ ctx->freelists[new_size] = new;
+
+ return (ISC_TRUE);
+}
+
+static inline void *
+mem_getunlocked(isc_mem_t *ctx, size_t size) {
+ size_t new_size = quantize(size);
+ void *ret;
+
+ if (size >= ctx->max_size || new_size >= ctx->max_size) {
+ /*
+ * memget() was called on something beyond our upper limit.
+ */
+ if (ctx->quota != 0 && ctx->total + size > ctx->quota) {
+ ret = NULL;
+ goto done;
+ }
+ ret = (ctx->memalloc)(ctx->arg, size);
+ if (ret == NULL) {
+ ctx->memalloc_failures++;
+ goto done;
+ }
+ ctx->total += size;
+ ctx->inuse += size;
+ ctx->stats[ctx->max_size].gets++;
+ ctx->stats[ctx->max_size].totalgets++;
+ /*
+ * If we don't set new_size to size, then the
+ * ISC_MEM_FILL code might write over bytes we
+ * don't own.
+ */
+ new_size = size;
+ goto done;
+ }
+
+ /*
+ * If there are no blocks in the free list for this size, get a chunk
+ * of memory and then break it up into "new_size"-sized blocks, adding
+ * them to the free list.
+ */
+ if (ctx->freelists[new_size] == NULL && !more_frags(ctx, new_size))
+ return (NULL);
+
+ /*
+ * The free list uses the "rounded-up" size "new_size".
+ */
+ ret = ctx->freelists[new_size];
+ ctx->freelists[new_size] = ctx->freelists[new_size]->next;
+
+ /*
+ * The stats[] uses the _actual_ "size" requested by the
+ * caller, with the caveat (in the code above) that "size" >= the
+ * max. size (max_size) ends up getting recorded as a call to
+ * max_size.
+ */
+ ctx->stats[size].gets++;
+ ctx->stats[size].totalgets++;
+ ctx->stats[new_size].freefrags--;
+ ctx->inuse += new_size;
+
+ done:
+
+#if ISC_MEM_FILL
+ if (ret != NULL)
+ memset(ret, 0xbe, new_size); /* Mnemonic for "beef". */
+#endif
+
+ return (ret);
+}
+
+#if ISC_MEM_FILL && ISC_MEM_CHECKOVERRUN
+static inline void
+check_overrun(void *mem, size_t size, size_t new_size) {
+ unsigned char *cp;
+
+ cp = (unsigned char *)mem;
+ cp += size;
+ while (size < new_size) {
+ INSIST(*cp == 0xbe);
+ cp++;
+ size++;
+ }
+}
+#endif
+
+static inline void
+mem_putunlocked(isc_mem_t *ctx, void *mem, size_t size) {
+ size_t new_size = quantize(size);
+
+ if (size == ctx->max_size || new_size >= ctx->max_size) {
+ /*
+ * memput() called on something beyond our upper limit.
+ */
+#if ISC_MEM_FILL
+ memset(mem, 0xde, size); /* Mnemonic for "dead". */
+#endif
+ (ctx->memfree)(ctx->arg, mem);
+ INSIST(ctx->stats[ctx->max_size].gets != 0);
+ ctx->stats[ctx->max_size].gets--;
+ INSIST(size <= ctx->total);
+ ctx->inuse -= size;
+ ctx->total -= size;
+ return;
+ }
+
+#if ISC_MEM_FILL
+#if ISC_MEM_CHECKOVERRUN
+ check_overrun(mem, size, new_size);
+#endif
+ memset(mem, 0xde, new_size); /* Mnemonic for "dead". */
+#endif
+
+ /*
+ * The free list uses the "rounded-up" size "new_size".
+ */
+ ((element *)mem)->next = ctx->freelists[new_size];
+ ctx->freelists[new_size] = (element *)mem;
+
+ /*
+ * The stats[] uses the _actual_ "size" requested by the
+ * caller, with the caveat (in the code above) that "size" >= the
+ * max. size (max_size) ends up getting recorded as a call to
+ * max_size.
+ */
+ INSIST(ctx->stats[size].gets != 0);
+ ctx->stats[size].gets--;
+ ctx->stats[new_size].freefrags++;
+ ctx->inuse -= new_size;
+}
+
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+/*
+ * Perform a malloc, doing memory filling and overrun detection as necessary.
+ */
+static inline void *
+mem_get(isc_mem_t *ctx, size_t size) {
+ char *ret;
+
+#if ISC_MEM_CHECKOVERRUN
+ size += 1;
+#endif
+
+ ret = (ctx->memalloc)(ctx->arg, size);
+ if (ret == NULL)
+ ctx->memalloc_failures++;
+
+#if ISC_MEM_FILL
+ if (ret != NULL)
+ memset(ret, 0xbe, size); /* Mnemonic for "beef". */
+#else
+# if ISC_MEM_CHECKOVERRUN
+ if (ret != NULL)
+ ret[size-1] = 0xbe;
+# endif
+#endif
+
+ return (ret);
+}
+
+/*
+ * Perform a free, doing memory filling and overrun detection as necessary.
+ */
+static inline void
+mem_put(isc_mem_t *ctx, void *mem, size_t size) {
+#if ISC_MEM_CHECKOVERRUN
+ INSIST(((unsigned char *)mem)[size] == 0xbe);
+#endif
+#if ISC_MEM_FILL
+ memset(mem, 0xde, size); /* Mnemonic for "dead". */
+#else
+ UNUSED(size);
+#endif
+ (ctx->memfree)(ctx->arg, mem);
+}
+
+/*
+ * Update internal counters after a memory get.
+ */
+static inline void
+mem_getstats(isc_mem_t *ctx, size_t size) {
+ ctx->total += size;
+ ctx->inuse += size;
+
+ if (size > ctx->max_size) {
+ ctx->stats[ctx->max_size].gets++;
+ ctx->stats[ctx->max_size].totalgets++;
+ } else {
+ ctx->stats[size].gets++;
+ ctx->stats[size].totalgets++;
+ }
+}
+
+/*
+ * Update internal counters after a memory put.
+ */
+static inline void
+mem_putstats(isc_mem_t *ctx, void *ptr, size_t size) {
+ UNUSED(ptr);
+
+ INSIST(ctx->inuse >= size);
+ ctx->inuse -= size;
+
+ if (size > ctx->max_size) {
+ INSIST(ctx->stats[ctx->max_size].gets > 0U);
+ ctx->stats[ctx->max_size].gets--;
+ } else {
+ INSIST(ctx->stats[size].gets > 0U);
+ ctx->stats[size].gets--;
+ }
+}
+
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+/*
+ * Private.
+ */
+
+static void *
+default_memalloc(void *arg, size_t size) {
+ UNUSED(arg);
+ if (size == 0U)
+ size = 1;
+ return (malloc(size));
+}
+
+static void
+default_memfree(void *arg, void *ptr) {
+ UNUSED(arg);
+ free(ptr);
+}
+
+/*
+ * Public.
+ */
+
+isc_result_t
+isc_mem_createx(size_t init_max_size, size_t target_size,
+ isc_memalloc_t memalloc, isc_memfree_t memfree, void *arg,
+ isc_mem_t **ctxp)
+{
+ isc_mem_t *ctx;
+ isc_result_t result;
+
+ REQUIRE(ctxp != NULL && *ctxp == NULL);
+ REQUIRE(memalloc != NULL);
+ REQUIRE(memfree != NULL);
+
+ INSIST((ALIGNMENT_SIZE & (ALIGNMENT_SIZE - 1)) == 0);
+
+#if !ISC_MEM_USE_INTERNAL_MALLOC
+ UNUSED(target_size);
+#endif
+
+ ctx = (memalloc)(arg, sizeof(*ctx));
+ if (ctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ if (init_max_size == 0U)
+ ctx->max_size = DEF_MAX_SIZE;
+ else
+ ctx->max_size = init_max_size;
+ ctx->references = 1;
+ ctx->quota = 0;
+ ctx->total = 0;
+ ctx->inuse = 0;
+ ctx->maxinuse = 0;
+ ctx->hi_water = 0;
+ ctx->lo_water = 0;
+ ctx->hi_called = ISC_FALSE;
+ ctx->water = NULL;
+ ctx->water_arg = NULL;
+ ctx->magic = MEM_MAGIC;
+ isc_ondestroy_init(&ctx->ondestroy);
+ ctx->memalloc = memalloc;
+ ctx->memfree = memfree;
+ ctx->arg = arg;
+ ctx->stats = NULL;
+ ctx->checkfree = ISC_TRUE;
+#if ISC_MEM_TRACKLINES
+ ctx->debuglist = NULL;
+#endif
+ ISC_LIST_INIT(ctx->pools);
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ ctx->freelists = NULL;
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ ctx->stats = (memalloc)(arg,
+ (ctx->max_size+1) * sizeof(struct stats));
+ if (ctx->stats == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto error;
+ }
+ memset(ctx->stats, 0, (ctx->max_size + 1) * sizeof(struct stats));
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ if (target_size == 0)
+ ctx->mem_target = DEF_MEM_TARGET;
+ else
+ ctx->mem_target = target_size;
+ ctx->freelists = (memalloc)(arg, ctx->max_size * sizeof(element *));
+ if (ctx->freelists == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto error;
+ }
+ memset(ctx->freelists, 0,
+ ctx->max_size * sizeof(element *));
+ ctx->basic_blocks = NULL;
+ ctx->basic_table = NULL;
+ ctx->basic_table_count = 0;
+ ctx->basic_table_size = 0;
+ ctx->lowest = NULL;
+ ctx->highest = NULL;
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ if (isc_mutex_init(&ctx->lock) != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ result = ISC_R_UNEXPECTED;
+ goto error;
+ }
+
+#if ISC_MEM_TRACKLINES
+ if ((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0) {
+ unsigned int i;
+
+ ctx->debuglist = (memalloc)(arg,
+ (ctx->max_size+1) * sizeof(debuglist_t));
+ if (ctx->debuglist == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto error;
+ }
+ for (i = 0; i <= ctx->max_size; i++)
+ ISC_LIST_INIT(ctx->debuglist[i]);
+ }
+#endif
+
+ ctx->memalloc_failures = 0;
+
+ *ctxp = ctx;
+ return (ISC_R_SUCCESS);
+
+ error:
+ if (ctx) {
+ if (ctx->stats)
+ (memfree)(arg, ctx->stats);
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ if (ctx->freelists)
+ (memfree)(arg, ctx->freelists);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+#if ISC_MEM_TRACKLINES
+ if (ctx->debuglist)
+ (ctx->memfree)(ctx->arg, ctx->debuglist);
+#endif /* ISC_MEM_TRACKLINES */
+ (memfree)(arg, ctx);
+ }
+
+ return (result);
+}
+
+isc_result_t
+isc_mem_create(size_t init_max_size, size_t target_size,
+ isc_mem_t **ctxp)
+{
+ return (isc_mem_createx(init_max_size, target_size,
+ default_memalloc, default_memfree, NULL,
+ ctxp));
+}
+
+static void
+destroy(isc_mem_t *ctx) {
+ unsigned int i;
+ isc_ondestroy_t ondest;
+
+ ctx->magic = 0;
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ INSIST(ISC_LIST_EMPTY(ctx->pools));
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+#if ISC_MEM_TRACKLINES
+ if (ctx->debuglist != NULL) {
+ if (ctx->checkfree) {
+ for (i = 0; i <= ctx->max_size; i++) {
+ if (!ISC_LIST_EMPTY(ctx->debuglist[i]))
+ print_active(ctx, stderr);
+ INSIST(ISC_LIST_EMPTY(ctx->debuglist[i]));
+ }
+ } else {
+ debuglink_t *dl;
+
+ for (i = 0; i <= ctx->max_size; i++)
+ for (dl = ISC_LIST_HEAD(ctx->debuglist[i]);
+ dl != NULL;
+ dl = ISC_LIST_HEAD(ctx->debuglist[i])) {
+ ISC_LIST_UNLINK(ctx->debuglist[i],
+ dl, link);
+ free(dl);
+ }
+ }
+ (ctx->memfree)(ctx->arg, ctx->debuglist);
+ }
+#endif
+ INSIST(ctx->references == 0);
+
+ if (ctx->checkfree) {
+ for (i = 0; i <= ctx->max_size; i++) {
+#if ISC_MEM_TRACKLINES
+ if (ctx->stats[i].gets != 0U)
+ print_active(ctx, stderr);
+#endif
+ INSIST(ctx->stats[i].gets == 0U);
+ }
+ }
+
+ (ctx->memfree)(ctx->arg, ctx->stats);
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ for (i = 0; i < ctx->basic_table_count; i++)
+ (ctx->memfree)(ctx->arg, ctx->basic_table[i]);
+ (ctx->memfree)(ctx->arg, ctx->freelists);
+ (ctx->memfree)(ctx->arg, ctx->basic_table);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ ondest = ctx->ondestroy;
+
+ DESTROYLOCK(&ctx->lock);
+ (ctx->memfree)(ctx->arg, ctx);
+
+ isc_ondestroy_notify(&ondest, ctx);
+}
+
+void
+isc_mem_attach(isc_mem_t *source, isc_mem_t **targetp) {
+ REQUIRE(VALID_CONTEXT(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ LOCK(&source->lock);
+ source->references++;
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+void
+isc_mem_detach(isc_mem_t **ctxp) {
+ isc_mem_t *ctx;
+ isc_boolean_t want_destroy = ISC_FALSE;
+
+ REQUIRE(ctxp != NULL);
+ ctx = *ctxp;
+ REQUIRE(VALID_CONTEXT(ctx));
+
+ LOCK(&ctx->lock);
+ INSIST(ctx->references > 0);
+ ctx->references--;
+ if (ctx->references == 0)
+ want_destroy = ISC_TRUE;
+ UNLOCK(&ctx->lock);
+
+ if (want_destroy)
+ destroy(ctx);
+
+ *ctxp = NULL;
+}
+
+/*
+ * isc_mem_putanddetach() is the equivalent of:
+ *
+ * mctx = NULL;
+ * isc_mem_attach(ptr->mctx, &mctx);
+ * isc_mem_detach(&ptr->mctx);
+ * isc_mem_put(mctx, ptr, sizeof(*ptr);
+ * isc_mem_detach(&mctx);
+ */
+
+void
+isc__mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
+ isc_mem_t *ctx;
+ isc_boolean_t want_destroy = ISC_FALSE;
+
+ REQUIRE(ctxp != NULL);
+ ctx = *ctxp;
+ REQUIRE(VALID_CONTEXT(ctx));
+ REQUIRE(ptr != NULL);
+
+ /*
+ * Must be before mem_putunlocked() as ctxp is usually within
+ * [ptr..ptr+size).
+ */
+ *ctxp = NULL;
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&ctx->lock);
+ mem_putunlocked(ctx, ptr, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ mem_put(ctx, ptr, size);
+ LOCK(&ctx->lock);
+ mem_putstats(ctx, ptr, size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ DELETE_TRACE(ctx, ptr, size, file, line);
+ INSIST(ctx->references > 0);
+ ctx->references--;
+ if (ctx->references == 0)
+ want_destroy = ISC_TRUE;
+
+ UNLOCK(&ctx->lock);
+
+ if (want_destroy)
+ destroy(ctx);
+}
+
+void
+isc_mem_destroy(isc_mem_t **ctxp) {
+ isc_mem_t *ctx;
+
+ /*
+ * This routine provides legacy support for callers who use mctxs
+ * without attaching/detaching.
+ */
+
+ REQUIRE(ctxp != NULL);
+ ctx = *ctxp;
+ REQUIRE(VALID_CONTEXT(ctx));
+
+ LOCK(&ctx->lock);
+#if ISC_MEM_TRACKLINES
+ if (ctx->references != 1)
+ print_active(ctx, stderr);
+#endif
+ REQUIRE(ctx->references == 1);
+ ctx->references--;
+ UNLOCK(&ctx->lock);
+
+ destroy(ctx);
+
+ *ctxp = NULL;
+}
+
+isc_result_t
+isc_mem_ondestroy(isc_mem_t *ctx, isc_task_t *task, isc_event_t **event) {
+ isc_result_t res;
+
+ LOCK(&ctx->lock);
+ res = isc_ondestroy_register(&ctx->ondestroy, task, event);
+ UNLOCK(&ctx->lock);
+
+ return (res);
+}
+
+
+void *
+isc__mem_get(isc_mem_t *ctx, size_t size FLARG) {
+ void *ptr;
+ isc_boolean_t call_water = ISC_FALSE;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&ctx->lock);
+ ptr = mem_getunlocked(ctx, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ ptr = mem_get(ctx, size);
+ LOCK(&ctx->lock);
+ if (ptr != NULL)
+ mem_getstats(ctx, size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ ADD_TRACE(ctx, ptr, size, file, line);
+ if (ctx->hi_water != 0U && !ctx->hi_called &&
+ ctx->inuse > ctx->hi_water) {
+ ctx->hi_called = ISC_TRUE;
+ call_water = ISC_TRUE;
+ }
+ if (ctx->inuse > ctx->maxinuse) {
+ ctx->maxinuse = ctx->inuse;
+ if (ctx->hi_water != 0U && ctx->inuse > ctx->hi_water &&
+ (isc_mem_debugging & ISC_MEM_DEBUGUSAGE) != 0)
+ fprintf(stderr, "maxinuse = %lu\n",
+ (unsigned long)ctx->inuse);
+ }
+ UNLOCK(&ctx->lock);
+
+ if (call_water)
+ (ctx->water)(ctx->water_arg, ISC_MEM_HIWATER);
+
+ return (ptr);
+}
+
+void
+isc__mem_put(isc_mem_t *ctx, void *ptr, size_t size FLARG)
+{
+ isc_boolean_t call_water = ISC_FALSE;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ REQUIRE(ptr != NULL);
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&ctx->lock);
+ mem_putunlocked(ctx, ptr, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ mem_put(ctx, ptr, size);
+ LOCK(&ctx->lock);
+ mem_putstats(ctx, ptr, size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ DELETE_TRACE(ctx, ptr, size, file, line);
+
+ /*
+ * The check against ctx->lo_water == 0 is for the condition
+ * when the context was pushed over hi_water but then had
+ * isc_mem_setwater() called with 0 for hi_water and lo_water.
+ */
+ if (ctx->hi_called &&
+ (ctx->inuse < ctx->lo_water || ctx->lo_water == 0U)) {
+ ctx->hi_called = ISC_FALSE;
+
+ if (ctx->water != NULL)
+ call_water = ISC_TRUE;
+ }
+ UNLOCK(&ctx->lock);
+
+ if (call_water)
+ (ctx->water)(ctx->water_arg, ISC_MEM_LOWATER);
+}
+
+#if ISC_MEM_TRACKLINES
+static void
+print_active(isc_mem_t *mctx, FILE *out) {
+ if (mctx->debuglist != NULL) {
+ debuglink_t *dl;
+ unsigned int i, j;
+ const char *format;
+ isc_boolean_t found;
+
+ fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_DUMPALLOC,
+ "Dump of all outstanding "
+ "memory allocations:\n"));
+ found = ISC_FALSE;
+ format = isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_PTRFILELINE,
+ "\tptr %p size %u file %s line %u\n");
+ for (i = 0; i <= mctx->max_size; i++) {
+ dl = ISC_LIST_HEAD(mctx->debuglist[i]);
+
+ if (dl != NULL)
+ found = ISC_TRUE;
+
+ while (dl != NULL) {
+ for (j = 0; j < DEBUGLIST_COUNT; j++)
+ if (dl->ptr[j] != NULL)
+ fprintf(out, format,
+ dl->ptr[j],
+ dl->size[j],
+ dl->file[j],
+ dl->line[j]);
+ dl = ISC_LIST_NEXT(dl, link);
+ }
+ }
+ if (!found)
+ fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_NONE, "\tNone.\n"));
+ }
+}
+#endif
+
+/*
+ * Print the stats[] on the stream "out" with suitable formatting.
+ */
+void
+isc_mem_stats(isc_mem_t *ctx, FILE *out) {
+ size_t i;
+ const struct stats *s;
+ const isc_mempool_t *pool;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ LOCK(&ctx->lock);
+
+ for (i = 0; i <= ctx->max_size; i++) {
+ s = &ctx->stats[i];
+
+ if (s->totalgets == 0U && s->gets == 0U)
+ continue;
+ fprintf(out, "%s%5lu: %11lu gets, %11lu rem",
+ (i == ctx->max_size) ? ">=" : " ",
+ (unsigned long) i, s->totalgets, s->gets);
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ if (s->blocks != 0 || s->freefrags != 0)
+ fprintf(out, " (%lu bl, %lu ff)",
+ s->blocks, s->freefrags);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+ fputc('\n', out);
+ }
+
+ /*
+ * Note that since a pool can be locked now, these stats might be
+ * somewhat off if the pool is in active use at the time the stats
+ * are dumped. The link fields are protected by the isc_mem_t's
+ * lock, however, so walking this list and extracting integers from
+ * stats fields is always safe.
+ */
+ pool = ISC_LIST_HEAD(ctx->pools);
+ if (pool != NULL) {
+ fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLSTATS,
+ "[Pool statistics]\n"));
+ fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLNAME, "name"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLSIZE, "size"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLMAXALLOC, "maxalloc"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLALLOCATED, "allocated"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLFREECOUNT, "freecount"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLFREEMAX, "freemax"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLFILLCOUNT, "fillcount"),
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLGETS, "gets"),
+ "L");
+ }
+ while (pool != NULL) {
+ fprintf(out, "%15s %10lu %10u %10u %10u %10u %10u %10u %s\n",
+ pool->name, (unsigned long) pool->size, pool->maxalloc,
+ pool->allocated, pool->freecount, pool->freemax,
+ pool->fillcount, pool->gets,
+ (pool->lock == NULL ? "N" : "Y"));
+ pool = ISC_LIST_NEXT(pool, link);
+ }
+
+#if ISC_MEM_TRACKLINES
+ print_active(ctx, out);
+#endif
+
+ UNLOCK(&ctx->lock);
+}
+
+/*
+ * Replacements for malloc() and free() -- they implicitly remember the
+ * size of the object allocated (with some additional overhead).
+ */
+
+static void *
+isc__mem_allocateunlocked(isc_mem_t *ctx, size_t size) {
+ size_info *si;
+
+ size += ALIGNMENT_SIZE;
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ si = mem_getunlocked(ctx, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ si = mem_get(ctx, size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+ if (si == NULL)
+ return (NULL);
+ si->u.size = size;
+ return (&si[1]);
+}
+
+void *
+isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
+ size_info *si;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&ctx->lock);
+ si = isc__mem_allocateunlocked(ctx, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ si = isc__mem_allocateunlocked(ctx, size);
+ LOCK(&ctx->lock);
+ if (si != NULL)
+ mem_getstats(ctx, si[-1].u.size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+#if ISC_MEM_TRACKLINES
+ ADD_TRACE(ctx, si, si[-1].u.size, file, line);
+#endif
+
+ UNLOCK(&ctx->lock);
+
+ return (si);
+}
+
+void
+isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
+ size_info *si;
+ size_t size;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ REQUIRE(ptr != NULL);
+
+ si = &(((size_info *)ptr)[-1]);
+ size = si->u.size;
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&ctx->lock);
+ mem_putunlocked(ctx, si, size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ mem_put(ctx, si, size);
+ LOCK(&ctx->lock);
+ mem_putstats(ctx, si, size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+
+ DELETE_TRACE(ctx, ptr, size, file, line);
+
+ UNLOCK(&ctx->lock);
+}
+
+
+/*
+ * Other useful things.
+ */
+
+char *
+isc__mem_strdup(isc_mem_t *mctx, const char *s FLARG) {
+ size_t len;
+ char *ns;
+
+ REQUIRE(VALID_CONTEXT(mctx));
+ REQUIRE(s != NULL);
+
+ len = strlen(s);
+
+ ns = isc__mem_allocate(mctx, len + 1 FLARG_PASS);
+
+ if (ns != NULL)
+ strncpy(ns, s, len + 1);
+
+ return (ns);
+}
+
+void
+isc_mem_setdestroycheck(isc_mem_t *ctx, isc_boolean_t flag) {
+ REQUIRE(VALID_CONTEXT(ctx));
+ LOCK(&ctx->lock);
+
+ ctx->checkfree = flag;
+
+ UNLOCK(&ctx->lock);
+}
+
+/*
+ * Quotas
+ */
+
+void
+isc_mem_setquota(isc_mem_t *ctx, size_t quota) {
+ REQUIRE(VALID_CONTEXT(ctx));
+ LOCK(&ctx->lock);
+
+ ctx->quota = quota;
+
+ UNLOCK(&ctx->lock);
+}
+
+size_t
+isc_mem_getquota(isc_mem_t *ctx) {
+ size_t quota;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ LOCK(&ctx->lock);
+
+ quota = ctx->quota;
+
+ UNLOCK(&ctx->lock);
+
+ return (quota);
+}
+
+size_t
+isc_mem_inuse(isc_mem_t *ctx) {
+ size_t inuse;
+
+ REQUIRE(VALID_CONTEXT(ctx));
+ LOCK(&ctx->lock);
+
+ inuse = ctx->inuse;
+
+ UNLOCK(&ctx->lock);
+
+ return (inuse);
+}
+
+void
+isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
+ size_t hiwater, size_t lowater)
+{
+ REQUIRE(VALID_CONTEXT(ctx));
+ REQUIRE(hiwater >= lowater);
+
+ LOCK(&ctx->lock);
+ if (water == NULL) {
+ ctx->water = NULL;
+ ctx->water_arg = NULL;
+ ctx->hi_water = 0;
+ ctx->lo_water = 0;
+ ctx->hi_called = ISC_FALSE;
+ } else {
+ ctx->water = water;
+ ctx->water_arg = water_arg;
+ ctx->hi_water = hiwater;
+ ctx->lo_water = lowater;
+ ctx->hi_called = ISC_FALSE;
+ }
+ UNLOCK(&ctx->lock);
+}
+
+/*
+ * Memory pool stuff
+ */
+
+isc_result_t
+isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
+ isc_mempool_t *mpctx;
+
+ REQUIRE(VALID_CONTEXT(mctx));
+ REQUIRE(size > 0U);
+ REQUIRE(mpctxp != NULL && *mpctxp == NULL);
+
+ /*
+ * Allocate space for this pool, initialize values, and if all works
+ * well, attach to the memory context.
+ */
+ mpctx = isc_mem_get(mctx, sizeof(isc_mempool_t));
+ if (mpctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ mpctx->magic = MEMPOOL_MAGIC;
+ mpctx->lock = NULL;
+ mpctx->mctx = mctx;
+ mpctx->size = size;
+ mpctx->maxalloc = UINT_MAX;
+ mpctx->allocated = 0;
+ mpctx->freecount = 0;
+ mpctx->freemax = 1;
+ mpctx->fillcount = 1;
+ mpctx->gets = 0;
+#if ISC_MEMPOOL_NAMES
+ mpctx->name[0] = 0;
+#endif
+ mpctx->items = NULL;
+
+ *mpctxp = mpctx;
+
+ LOCK(&mctx->lock);
+ ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
+ UNLOCK(&mctx->lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_mempool_setname(isc_mempool_t *mpctx, const char *name) {
+ REQUIRE(name != NULL);
+
+#if ISC_MEMPOOL_NAMES
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ strncpy(mpctx->name, name, sizeof(mpctx->name) - 1);
+ mpctx->name[sizeof(mpctx->name) - 1] = '\0';
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+#else
+ UNUSED(mpctx);
+ UNUSED(name);
+#endif
+}
+
+void
+isc_mempool_destroy(isc_mempool_t **mpctxp) {
+ isc_mempool_t *mpctx;
+ isc_mem_t *mctx;
+ isc_mutex_t *lock;
+ element *item;
+
+ REQUIRE(mpctxp != NULL);
+ mpctx = *mpctxp;
+ REQUIRE(VALID_MEMPOOL(mpctx));
+#if ISC_MEMPOOL_NAMES
+ if (mpctx->allocated > 0)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mempool_destroy(): mempool %s "
+ "leaked memory",
+ mpctx->name);
+#endif
+ REQUIRE(mpctx->allocated == 0);
+
+ mctx = mpctx->mctx;
+
+ lock = mpctx->lock;
+
+ if (lock != NULL)
+ LOCK(lock);
+
+ /*
+ * Return any items on the free list
+ */
+ LOCK(&mctx->lock);
+ while (mpctx->items != NULL) {
+ INSIST(mpctx->freecount > 0);
+ mpctx->freecount--;
+ item = mpctx->items;
+ mpctx->items = item->next;
+
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ mem_putunlocked(mctx, item, mpctx->size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ mem_put(mctx, item, mpctx->size);
+ mem_putstats(mctx, item, mpctx->size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+ }
+ UNLOCK(&mctx->lock);
+
+ /*
+ * Remove our linked list entry from the memory context.
+ */
+ LOCK(&mctx->lock);
+ ISC_LIST_UNLINK(mctx->pools, mpctx, link);
+ UNLOCK(&mctx->lock);
+
+ mpctx->magic = 0;
+
+ isc_mem_put(mpctx->mctx, mpctx, sizeof(isc_mempool_t));
+
+ if (lock != NULL)
+ UNLOCK(lock);
+
+ *mpctxp = NULL;
+}
+
+void
+isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock) {
+ REQUIRE(VALID_MEMPOOL(mpctx));
+ REQUIRE(mpctx->lock == NULL);
+ REQUIRE(lock != NULL);
+
+ mpctx->lock = lock;
+}
+
+void *
+isc__mempool_get(isc_mempool_t *mpctx FLARG) {
+ element *item;
+ isc_mem_t *mctx;
+ unsigned int i;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ mctx = mpctx->mctx;
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ /*
+ * Don't let the caller go over quota
+ */
+ if (mpctx->allocated >= mpctx->maxalloc) {
+ item = NULL;
+ goto out;
+ }
+
+ /*
+ * if we have a free list item, return the first here
+ */
+ item = mpctx->items;
+ if (item != NULL) {
+ mpctx->items = item->next;
+ INSIST(mpctx->freecount > 0);
+ mpctx->freecount--;
+ mpctx->gets++;
+ mpctx->allocated++;
+ goto out;
+ }
+
+ /*
+ * We need to dip into the well. Lock the memory context here and
+ * fill up our free list.
+ */
+ LOCK(&mctx->lock);
+ for (i = 0; i < mpctx->fillcount; i++) {
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ item = mem_getunlocked(mctx, mpctx->size);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ item = mem_get(mctx, mpctx->size);
+ if (item != NULL)
+ mem_getstats(mctx, mpctx->size);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+ if (item == NULL)
+ break;
+ item->next = mpctx->items;
+ mpctx->items = item;
+ mpctx->freecount++;
+ }
+ UNLOCK(&mctx->lock);
+
+ /*
+ * If we didn't get any items, return NULL.
+ */
+ item = mpctx->items;
+ if (item == NULL)
+ goto out;
+
+ mpctx->items = item->next;
+ mpctx->freecount--;
+ mpctx->gets++;
+ mpctx->allocated++;
+
+ out:
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+#if ISC_MEM_TRACKLINES
+ if (item != NULL) {
+ LOCK(&mctx->lock);
+ ADD_TRACE(mctx, item, mpctx->size, file, line);
+ UNLOCK(&mctx->lock);
+ }
+#endif /* ISC_MEM_TRACKLINES */
+
+ return (item);
+}
+
+void
+isc__mempool_put(isc_mempool_t *mpctx, void *mem FLARG) {
+ isc_mem_t *mctx;
+ element *item;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+ REQUIRE(mem != NULL);
+
+ mctx = mpctx->mctx;
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ INSIST(mpctx->allocated > 0);
+ mpctx->allocated--;
+
+#if ISC_MEM_TRACKLINES
+ LOCK(&mctx->lock);
+ DELETE_TRACE(mctx, mem, mpctx->size, file, line);
+ UNLOCK(&mctx->lock);
+#endif /* ISC_MEM_TRACKLINES */
+
+ /*
+ * If our free list is full, return this to the mctx directly.
+ */
+ if (mpctx->freecount >= mpctx->freemax) {
+#if ISC_MEM_USE_INTERNAL_MALLOC
+ LOCK(&mctx->lock);
+ mem_putunlocked(mctx, mem, mpctx->size);
+ UNLOCK(&mctx->lock);
+#else /* ISC_MEM_USE_INTERNAL_MALLOC */
+ mem_put(mctx, mem, mpctx->size);
+ LOCK(&mctx->lock);
+ mem_putstats(mctx, mem, mpctx->size);
+ UNLOCK(&mctx->lock);
+#endif /* ISC_MEM_USE_INTERNAL_MALLOC */
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+ return;
+ }
+
+ /*
+ * Otherwise, attach it to our free list and bump the counter.
+ */
+ mpctx->freecount++;
+ item = (element *)mem;
+ item->next = mpctx->items;
+ mpctx->items = item;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+}
+
+/*
+ * Quotas
+ */
+
+void
+isc_mempool_setfreemax(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ mpctx->freemax = limit;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getfreemax(isc_mempool_t *mpctx) {
+ unsigned int freemax;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ freemax = mpctx->freemax;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+ return (freemax);
+}
+
+unsigned int
+isc_mempool_getfreecount(isc_mempool_t *mpctx) {
+ unsigned int freecount;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ freecount = mpctx->freecount;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+ return (freecount);
+}
+
+void
+isc_mempool_setmaxalloc(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(limit > 0);
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ mpctx->maxalloc = limit;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getmaxalloc(isc_mempool_t *mpctx) {
+ unsigned int maxalloc;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ maxalloc = mpctx->maxalloc;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+ return (maxalloc);
+}
+
+unsigned int
+isc_mempool_getallocated(isc_mempool_t *mpctx) {
+ unsigned int allocated;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ allocated = mpctx->allocated;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+ return (allocated);
+}
+
+void
+isc_mempool_setfillcount(isc_mempool_t *mpctx, unsigned int limit) {
+ REQUIRE(limit > 0);
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ mpctx->fillcount = limit;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+}
+
+unsigned int
+isc_mempool_getfillcount(isc_mempool_t *mpctx) {
+ unsigned int fillcount;
+
+ REQUIRE(VALID_MEMPOOL(mpctx));
+
+ if (mpctx->lock != NULL)
+ LOCK(mpctx->lock);
+
+ fillcount = mpctx->fillcount;
+
+ if (mpctx->lock != NULL)
+ UNLOCK(mpctx->lock);
+
+ return (fillcount);
+}
diff --git a/contrib/bind9/lib/isc/mutexblock.c b/contrib/bind9/lib/isc/mutexblock.c
new file mode 100644
index 0000000..dc7c23d
--- /dev/null
+++ b/contrib/bind9/lib/isc/mutexblock.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutexblock.c,v 1.14.12.3 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mutexblock.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_mutexblock_init(isc_mutex_t *block, unsigned int count) {
+ isc_result_t result;
+ unsigned int i;
+
+ for (i = 0; i < count; i++) {
+ result = isc_mutex_init(&block[i]);
+ if (result != ISC_R_SUCCESS) {
+ i--;
+ while (i > 0) {
+ DESTROYLOCK(&block[i]);
+ i--;
+ }
+ return (result);
+ }
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_mutexblock_destroy(isc_mutex_t *block, unsigned int count) {
+ isc_result_t result;
+ unsigned int i;
+
+ for (i = 0; i < count; i++) {
+ result = isc_mutex_destroy(&block[i]);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
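Review bot: The failure path in `isc_mutexblock_init` mishandles the unsigned index `i`: if `isc_mutex_init(&block[0])` fails, `i--` wraps to `UINT_MAX` and the `while (i > 0)` loop then calls `DESTROYLOCK` on elements far outside `block`, none of which were initialised. When a later element fails instead, the loop stops before index 0, so `block[0]` is never destroyed. Decrementing inside the loop before the destroy covers both cases: `while (i > 0) { i--; DESTROYLOCK(&block[i]); }`. A one-line comment above the loop such as `/* Undo the mutexes initialised so far: block[0..i-1]. */` would make the intended range explicit.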
diff --git a/contrib/bind9/lib/isc/netaddr.c b/contrib/bind9/lib/isc/netaddr.c
new file mode 100644
index 0000000..712ad2c
--- /dev/null
+++ b/contrib/bind9/lib/isc/netaddr.c
@@ -0,0 +1,357 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netaddr.c,v 1.18.12.9 2004/05/15 03:46:12 jinmei Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+isc_boolean_t
+isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b) {
+ REQUIRE(a != NULL && b != NULL);
+
+ if (a->family != b->family)
+ return (ISC_FALSE);
+
+ if (a->zone != b->zone)
+ return (ISC_FALSE);
+
+ switch (a->family) {
+ case AF_INET:
+ if (a->type.in.s_addr != b->type.in.s_addr)
+ return (ISC_FALSE);
+ break;
+ case AF_INET6:
+ if (memcmp(&a->type.in6, &b->type.in6,
+ sizeof(a->type.in6)) != 0 ||
+ a->zone != b->zone)
+ return (ISC_FALSE);
+ break;
+ default:
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
+ unsigned int prefixlen)
+{
+ const unsigned char *pa, *pb;
+ unsigned int ipabytes; /* Length of whole IP address in bytes */
+ unsigned int nbytes; /* Number of significant whole bytes */
+ unsigned int nbits; /* Number of significant leftover bits */
+
+ REQUIRE(a != NULL && b != NULL);
+
+ if (a->family != b->family)
+ return (ISC_FALSE);
+
+ if (a->zone != b->zone)
+ return (ISC_FALSE);
+
+ switch (a->family) {
+ case AF_INET:
+ pa = (const unsigned char *) &a->type.in;
+ pb = (const unsigned char *) &b->type.in;
+ ipabytes = 4;
+ break;
+ case AF_INET6:
+ pa = (const unsigned char *) &a->type.in6;
+ pb = (const unsigned char *) &b->type.in6;
+ ipabytes = 16;
+ break;
+ default:
+ pa = pb = NULL; /* Avoid silly compiler warning. */
+ ipabytes = 0; /* Ditto. */
+ return (ISC_FALSE);
+ }
+
+ /*
+ * Don't crash if we get a pattern like 10.0.0.1/9999999.
+ */
+ if (prefixlen > ipabytes * 8)
+ prefixlen = ipabytes * 8;
+
+ nbytes = prefixlen / 8;
+ nbits = prefixlen % 8;
+
+ if (nbytes > 0) {
+ if (memcmp(pa, pb, nbytes) != 0)
+ return (ISC_FALSE);
+ }
+ if (nbits > 0) {
+ unsigned int bytea, byteb, mask;
+ INSIST(nbytes < ipabytes);
+ INSIST(nbits < 8);
+ bytea = pa[nbytes];
+ byteb = pb[nbytes];
+ mask = (0xFF << (8-nbits)) & 0xFF;
+ if ((bytea & mask) != (byteb & mask))
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+isc_result_t
+isc_netaddr_totext(const isc_netaddr_t *netaddr, isc_buffer_t *target) {
+ char abuf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:255.255.255.255")];
+ char zbuf[sizeof("%4294967295")];
+ unsigned int alen;
+ int zlen;
+ const char *r;
+ const void *type;
+
+ REQUIRE(netaddr != NULL);
+
+ switch (netaddr->family) {
+ case AF_INET:
+ type = &netaddr->type.in;
+ break;
+ case AF_INET6:
+ type = &netaddr->type.in6;
+ break;
+ default:
+ return (ISC_R_FAILURE);
+ }
+ r = inet_ntop(netaddr->family, type, abuf, sizeof(abuf));
+ if (r == NULL)
+ return (ISC_R_FAILURE);
+
+ alen = strlen(abuf);
+ INSIST(alen < sizeof(abuf));
+
+ zlen = 0;
+ if (netaddr->family == AF_INET6 && netaddr->zone != 0) {
+ zlen = snprintf(zbuf, sizeof(zbuf), "%%%u", netaddr->zone);
+ if (zlen < 0)
+ return (ISC_R_FAILURE);
+ INSIST((unsigned int)zlen < sizeof(zbuf));
+ }
+
+ if (alen + zlen > isc_buffer_availablelength(target))
+ return (ISC_R_NOSPACE);
+
+ isc_buffer_putmem(target, (unsigned char *)abuf, alen);
+ isc_buffer_putmem(target, (unsigned char *)zbuf, zlen);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_format(const isc_netaddr_t *na, char *array, unsigned int size) {
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, array, size);
+ result = isc_netaddr_totext(na, &buf);
+
+ /*
+ * Null terminate.
+ */
+ if (result == ISC_R_SUCCESS) {
+ if (isc_buffer_availablelength(&buf) >= 1)
+ isc_buffer_putuint8(&buf, 0);
+ else
+ result = ISC_R_NOSPACE;
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ snprintf(array, size,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
+ ISC_MSG_UNKNOWNADDR,
+ "<unknown address, family %u>"),
+ na->family);
+ array[size - 1] = '\0';
+ }
+}
+
+isc_result_t
+isc_netaddr_masktoprefixlen(const isc_netaddr_t *s, unsigned int *lenp) {
+ unsigned int nbits, nbytes, ipbytes, i;
+ const unsigned char *p;
+
+ switch (s->family) {
+ case AF_INET:
+ p = (const unsigned char *) &s->type.in;
+ ipbytes = 4;
+ break;
+ case AF_INET6:
+ p = (const unsigned char *) &s->type.in6;
+ ipbytes = 16;
+ break;
+ default:
+ ipbytes = 0;
+ return (ISC_R_NOTIMPLEMENTED);
+ }
+ nbytes = nbits = 0;
+ for (i = 0; i < ipbytes; i++) {
+ if (p[i] != 0xFF)
+ break;
+ }
+ nbytes = i;
+ if (i < ipbytes) {
+ unsigned int c = p[nbytes];
+ while ((c & 0x80) != 0 && nbits < 8) {
+ c <<= 1; nbits++;
+ }
+ if ((c & 0xFF) != 0)
+ return (ISC_R_MASKNONCONTIG);
+ i++;
+ }
+ for (; i < ipbytes; i++) {
+ if (p[i] != 0)
+ return (ISC_R_MASKNONCONTIG);
+ i++;
+ }
+ *lenp = nbytes * 8 + nbits;
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_netaddr_fromin(isc_netaddr_t *netaddr, const struct in_addr *ina) {
+ memset(netaddr, 0, sizeof(*netaddr));
+ netaddr->family = AF_INET;
+ netaddr->type.in = *ina;
+}
+
+void
+isc_netaddr_fromin6(isc_netaddr_t *netaddr, const struct in6_addr *ina6) {
+ memset(netaddr, 0, sizeof(*netaddr));
+ netaddr->family = AF_INET6;
+ netaddr->type.in6 = *ina6;
+}
+
+void
+isc_netaddr_setzone(isc_netaddr_t *netaddr, isc_uint32_t zone) {
+ /* we currently only support AF_INET6. */
+ REQUIRE(netaddr->family == AF_INET6);
+
+ netaddr->zone = zone;
+}
+
+isc_uint32_t
+isc_netaddr_getzone(const isc_netaddr_t *netaddr) {
+ return (netaddr->zone);
+}
+
+void
+isc_netaddr_fromsockaddr(isc_netaddr_t *t, const isc_sockaddr_t *s) {
+ int family = s->type.sa.sa_family;
+ t->family = family;
+ switch (family) {
+ case AF_INET:
+ t->type.in = s->type.sin.sin_addr;
+ t->zone = 0;
+ break;
+ case AF_INET6:
+ memcpy(&t->type.in6, &s->type.sin6.sin6_addr, 16);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ t->zone = s->type.sin6.sin6_scope_id;
+#else
+ t->zone = 0;
+#endif
+ break;
+ default:
+ INSIST(0);
+ }
+}
+
+void
+isc_netaddr_any(isc_netaddr_t *netaddr) {
+ memset(netaddr, 0, sizeof(*netaddr));
+ netaddr->family = AF_INET;
+ netaddr->type.in.s_addr = INADDR_ANY;
+}
+
+void
+isc_netaddr_any6(isc_netaddr_t *netaddr) {
+ memset(netaddr, 0, sizeof(*netaddr));
+ netaddr->family = AF_INET6;
+ netaddr->type.in6 = in6addr_any;
+}
+
+isc_boolean_t
+isc_netaddr_ismulticast(isc_netaddr_t *na) {
+ switch (na->family) {
+ case AF_INET:
+ return (ISC_TF(ISC_IPADDR_ISMULTICAST(na->type.in.s_addr)));
+ case AF_INET6:
+ return (ISC_TF(IN6_IS_ADDR_MULTICAST(&na->type.in6)));
+ default:
+ return (ISC_FALSE); /* XXXMLG ? */
+ }
+}
+
+isc_boolean_t
+isc_netaddr_isexperimental(isc_netaddr_t *na) {
+ switch (na->family) {
+ case AF_INET:
+ return (ISC_TF(ISC_IPADDR_ISEXPERIMENTAL(na->type.in.s_addr)));
+ default:
+ return (ISC_FALSE); /* XXXMLG ? */
+ }
+}
+
+isc_boolean_t
+isc_netaddr_islinklocal(isc_netaddr_t *na) {
+ switch (na->family) {
+ case AF_INET:
+ return (ISC_FALSE);
+ case AF_INET6:
+ return (ISC_TF(IN6_IS_ADDR_LINKLOCAL(&na->type.in6)));
+ default:
+ return (ISC_FALSE);
+ }
+}
+
+isc_boolean_t
+isc_netaddr_issitelocal(isc_netaddr_t *na) {
+ switch (na->family) {
+ case AF_INET:
+ return (ISC_FALSE);
+ case AF_INET6:
+ return (ISC_TF(IN6_IS_ADDR_SITELOCAL(&na->type.in6)));
+ default:
+ return (ISC_FALSE);
+ }
+}
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
+ isc_netaddr_t *src;
+
+ DE_CONST(s, src); /* Must come before IN6_IS_ADDR_V4MAPPED. */
+
+ REQUIRE(s->family == AF_INET6);
+ REQUIRE(IN6_IS_ADDR_V4MAPPED(&src->type.in6));
+
+ memset(t, 0, sizeof(*t));
+ t->family = AF_INET;
+ memcpy(&t->type.in, (char *)&src->type.in6 + 12, 4);
+ return;
+}
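Review bot: In isc_netaddr_masktoprefixlen the final loop advances `i` twice per iteration, once in the `for` header and once through the `i++;` in its body, so every other trailing byte of the mask is never compared with zero. A mask such as 255.0.0.1 therefore returns ISC_R_SUCCESS with a prefix length of 8 instead of ISC_R_MASKNONCONTIG, which matters if callers (not visible here) use the result for address matching. Removing the body's `i++;` leaves `for (; i < ipbytes; i++) { if (p[i] != 0) return (ISC_R_MASKNONCONTIG); }`. Separately, isc_netaddr_format writes `array[size - 1]` without a `REQUIRE(size > 0)`.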
diff --git a/contrib/bind9/lib/isc/netscope.c b/contrib/bind9/lib/isc/netscope.c
new file mode 100644
index 0000000..843c46d
--- /dev/null
+++ b/contrib/bind9/lib/isc/netscope.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char rcsid[] =
+ "$Id: netscope.c,v 1.5.142.7 2004/03/12 10:31:26 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <isc/string.h>
+#include <isc/net.h>
+#include <isc/netscope.h>
+#include <isc/result.h>
+
+isc_result_t
+isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
+ char *ep;
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+ unsigned int ifid;
+#endif
+ struct in6_addr *in6;
+ isc_uint32_t zone;
+ isc_uint64_t llz;
+
+ /* at this moment, we only support AF_INET6 */
+ if (af != AF_INET6)
+ return (ISC_R_FAILURE);
+
+ in6 = (struct in6_addr *)addr;
+
+ /*
+ * Basically, "names" are more stable than numeric IDs in terms of
+ * renumbering, and are more preferred. However, since there is no
+ * standard naming convention and APIs to deal with the names. Thus,
+ * we only handle the case of link-local addresses, for which we use
+ * interface names as link names, assuming one to one mapping between
+ * interfaces and links.
+ */
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+ if (IN6_IS_ADDR_LINKLOCAL(in6) &&
+ (ifid = if_nametoindex((const char *)scopename)) != 0)
+ zone = (isc_uint32_t)ifid;
+ else {
+#endif
+ llz = isc_string_touint64(scopename, &ep, 10);
+ if (ep == scopename)
+ return (ISC_R_FAILURE);
+
+ /* check overflow */
+ zone = (isc_uint32_t)(llz & 0xffffffffUL);
+ if (zone != llz)
+ return (ISC_R_FAILURE);
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+ }
+#endif
+
+ *zoneid = zone;
+ return (ISC_R_SUCCESS);
+}
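Review bot: isc_netscope_pton accepts a numeric zone that is followed by trailing characters, because the only check on the conversion is `ep == scopename`. Assuming isc_string_touint64() leaves `ep` at the first unparsed character the way strtoul() does, a scope string such as "1abc" (constructed example) is taken as zone 1. Rejecting a partial parse keeps a malformed scope from silently selecting a zone: `if (ep == scopename || *ep != '\0') return (ISC_R_FAILURE);`.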
diff --git a/contrib/bind9/lib/isc/nls/Makefile.in b/contrib/bind9/lib/isc/nls/Makefile.in
new file mode 100644
index 0000000..f16b4cb
--- /dev/null
+++ b/contrib/bind9/lib/isc/nls/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1999-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:50 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+CINCLUDES = -I../unix/include \
+ -I${srcdir}/../unix/include \
+ -I../include \
+ -I${srcdir}/../include
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = msgcat.@O@
+
+SRCS = msgcat.c
+
+SUBDIRS =
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nls/msgcat.c b/contrib/bind9/lib/isc/nls/msgcat.c
new file mode 100644
index 0000000..484ab51
--- /dev/null
+++ b/contrib/bind9/lib/isc/nls/msgcat.c
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: msgcat.c,v 1.10.12.4 2004/03/08 09:04:54 marka Exp $ */
+
+/*
+ * Principal Author: Bob Halley
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/magic.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#ifdef HAVE_CATGETS
+#include <nl_types.h> /* Required for nl_catd. */
+#endif
+
+/*
+ * Implementation Notes:
+ *
+ * We use malloc() and free() instead of isc_mem_get() and isc_mem_put()
+ * because we don't want to require a memory context to be specified
+ * in order to use a message catalog.
+ */
+
+struct isc_msgcat {
+ unsigned int magic;
+#ifdef HAVE_CATGETS
+ nl_catd catalog;
+#endif
+};
+
+#define MSGCAT_MAGIC ISC_MAGIC('M', 'C', 'a', 't')
+#define VALID_MSGCAT(m) ISC_MAGIC_VALID(m, MSGCAT_MAGIC)
+
+void
+isc_msgcat_open(const char *name, isc_msgcat_t **msgcatp) {
+ isc_msgcat_t *msgcat;
+
+ /*
+ * Open a message catalog.
+ */
+
+ REQUIRE(name != NULL);
+ REQUIRE(msgcatp != NULL && *msgcatp == NULL);
+
+ msgcat = malloc(sizeof(*msgcat));
+ if (msgcat == NULL) {
+ *msgcatp = NULL;
+ return;
+ }
+
+#ifdef HAVE_CATGETS
+ /*
+ * We don't check if catopen() fails because we don't care.
+ * If it does fail, then when we call catgets(), it will use
+ * the default string.
+ */
+ msgcat->catalog = catopen(name, 0);
+#endif
+ msgcat->magic = MSGCAT_MAGIC;
+
+ *msgcatp = msgcat;
+}
+
+void
+isc_msgcat_close(isc_msgcat_t **msgcatp) {
+ isc_msgcat_t *msgcat;
+
+ /*
+ * Close a message catalog.
+ */
+
+ REQUIRE(msgcatp != NULL);
+ msgcat = *msgcatp;
+ REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
+
+ if (msgcat != NULL) {
+#ifdef HAVE_CATGETS
+ if (msgcat->catalog != (nl_catd)(-1))
+ (void)catclose(msgcat->catalog);
+#endif
+ msgcat->magic = 0;
+ free(msgcat);
+ }
+
+ *msgcatp = NULL;
+}
+
+const char *
+isc_msgcat_get(isc_msgcat_t *msgcat, int set, int message,
+ const char *default_text)
+{
+ /*
+ * Get message 'message' from message set 'set' in 'msgcat'. If it
+ * is not available, use 'default'.
+ */
+
+ REQUIRE(VALID_MSGCAT(msgcat) || msgcat == NULL);
+ REQUIRE(set > 0);
+ REQUIRE(message > 0);
+ REQUIRE(default_text != NULL);
+
+#ifdef HAVE_CATGETS
+ if (msgcat == NULL)
+ return (default_text);
+ return (catgets(msgcat->catalog, set, message, default_text));
+#else
+ return (default_text);
+#endif
+}
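Review bot: The comment on isc_msgcat_get does not tell callers that the returned text can come from an external catalog file, which is the security-relevant part of its contract. isc_netaddr_format in netaddr.c (same commit) passes the result to snprintf() as the format string, so a catalog entry whose conversions differ from `default_text` changes how the arguments are read; catopen() with a bare name normally locates the file through NLSPATH. I would add to the function comment: `The returned string may come from a catalog located via NLSPATH; when it is used as a printf format, its conversions must match those of 'default_text'.` The existing comment also says 'default' where the parameter is named 'default_text'.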
diff --git a/contrib/bind9/lib/isc/nothreads/Makefile.in b/contrib/bind9/lib/isc/nothreads/Makefile.in
new file mode 100644
index 0000000..639c9fa
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:51 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../unix/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = condition.@O@ mutex.@O@ thread.@O@
+
+SRCS = condition.c mutex.c thread.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/condition.c b/contrib/bind9/lib/isc/nothreads/condition.c
new file mode 100644
index 0000000..0bc6196
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/condition.c
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: condition.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
diff --git a/contrib/bind9/lib/isc/nothreads/include/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
new file mode 100644
index 0000000..4c58269
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
new file mode 100644
index 0000000..6717404
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:14:52 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
+ done
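Review bot: The `install::` recipe may not stop when one header fails to install. Unless make runs the recipe shell with `-e`, only the exit status of the last `${INSTALL_DATA}` in the `for` loop reaches make, so a failure on condition.h, mutex.h or once.h goes unnoticed and the install reports success with headers missing. Failing on the first error is a one-line change: `${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1 ; \`.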
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/condition.h b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
new file mode 100644
index 0000000..b899a82
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/condition.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: condition.h,v 1.3.206.1 2004/03/06 08:14:52 marka Exp $ */
+
+/*
+ * This provides a limited subset of the isc_condition_t
+ * functionality for use by single-threaded programs that
+ * need to block waiting for events. Only a single
+ * call to isc_condition_wait() may be blocked at any given
+ * time, and the _waituntil and _broadcast functions are not
+ * supported. This is intended primarily for use by the omapi
+ * library, and may go away once omapi goes away. Use for
+ * other purposes is strongly discouraged.
+ */
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+#include <isc/mutex.h>
+
+typedef int isc_condition_t;
+
+isc_result_t isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp);
+isc_result_t isc__nothread_signal_hack(isc_condition_t *cp);
+
+#define isc_condition_init(cp) \
+ (*(cp) = 0, ISC_R_SUCCESS)
+
+#define isc_condition_wait(cp, mp) \
+ isc__nothread_wait_hack(cp, mp)
+
+#define isc_condition_waituntil(cp, mp, tp) \
+ ((void)(cp), (void)(mp), (void)(tp), ISC_R_NOTIMPLEMENTED)
+
+#define isc_condition_signal(cp) \
+ isc__nothread_signal_hack(cp)
+
+#define isc_condition_broadcast(cp) \
+ ((void)(cp), ISC_R_NOTIMPLEMENTED)
+
+#define isc_condition_destroy(cp) \
+ (*(cp) == 0 ? (*(cp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
+
+#endif /* ISC_CONDITION_H */
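Review bot: Several function-like macros in this header, and in the nothreads mutex.h and once.h hunks that follow, expand an argument more than once, and nothing in the headers says so. These are `isc_condition_destroy(cp)`, `isc_mutex_trylock(mp)`, `isc_mutex_destroy(mp)` and `isc_once_do(op, f)`. An argument with a side effect, such as a pointer that is incremented in the call, would be evaluated twice. A one-line comment above the macros would record the constraint: `/* These macros evaluate their arguments more than once; pass expressions without side effects. */`.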
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
new file mode 100644
index 0000000..c80a945
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/mutex.h
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutex.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+#include <isc/result.h> /* for ISC_R_ codes */
+
+typedef int isc_mutex_t;
+
+#define isc_mutex_init(mp) \
+ (*(mp) = 0, ISC_R_SUCCESS)
+#define isc_mutex_lock(mp) \
+ ((*(mp))++ == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#define isc_mutex_unlock(mp) \
+ (--(*(mp)) == 0 ? ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#define isc_mutex_trylock(mp) \
+ (*(mp) == 0 ? ((*(mp))++, ISC_R_SUCCESS) : ISC_R_LOCKBUSY)
+#define isc_mutex_destroy(mp) \
+ (*(mp) == 0 ? (*(mp) = -1, ISC_R_SUCCESS) : ISC_R_UNEXPECTED)
+#define isc_mutex_stats(fp)
+
+#endif /* ISC_MUTEX_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/once.h b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
new file mode 100644
index 0000000..9f54ac8
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/once.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: once.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+#include <isc/result.h>
+
+typedef isc_boolean_t isc_once_t;
+
+#define ISC_ONCE_INIT ISC_FALSE
+
+#define isc_once_do(op, f) \
+ (!*(op) ? (f(), *(op) = ISC_TRUE, ISC_R_SUCCESS) : ISC_R_SUCCESS)
+
+#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/nothreads/include/isc/thread.h b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
new file mode 100644
index 0000000..e045b98
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/include/isc/thread.h
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: thread.h,v 1.3.206.1 2004/03/06 08:14:53 marka Exp $ */
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+#define isc_thread_self() ((unsigned long)0)
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/nothreads/mutex.c b/contrib/bind9/lib/isc/nothreads/mutex.c
new file mode 100644
index 0000000..cc7572a
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/mutex.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutex.c,v 1.4.12.3 2004/03/08 09:04:54 marka Exp $ */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
diff --git a/contrib/bind9/lib/isc/nothreads/thread.c b/contrib/bind9/lib/isc/nothreads/thread.c
new file mode 100644
index 0000000..1aea72a
--- /dev/null
+++ b/contrib/bind9/lib/isc/nothreads/thread.c
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: thread.c,v 1.2.206.1 2004/03/06 08:14:52 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/thread.h>
+#include <isc/util.h>
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+ UNUSED(level);
+}
diff --git a/contrib/bind9/lib/isc/ondestroy.c b/contrib/bind9/lib/isc/ondestroy.c
new file mode 100644
index 0000000..aacb8f2
--- /dev/null
+++ b/contrib/bind9/lib/isc/ondestroy.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ondestroy.c,v 1.11.206.1 2004/03/06 08:14:33 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/event.h>
+#include <isc/magic.h>
+#include <isc/ondestroy.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#define ONDESTROY_MAGIC ISC_MAGIC('D', 'e', 'S', 't')
+#define VALID_ONDESTROY(s) ISC_MAGIC_VALID(s, ONDESTROY_MAGIC)
+
+void
+isc_ondestroy_init(isc_ondestroy_t *ondest) {
+ ondest->magic = ONDESTROY_MAGIC;
+ ISC_LIST_INIT(ondest->events);
+}
+
+isc_result_t
+isc_ondestroy_register(isc_ondestroy_t *ondest, isc_task_t *task,
+ isc_event_t **eventp)
+{
+ isc_event_t *theevent;
+ isc_task_t *thetask = NULL;
+
+ REQUIRE(VALID_ONDESTROY(ondest));
+ REQUIRE(task != NULL);
+ REQUIRE(eventp != NULL);
+
+ theevent = *eventp;
+
+ REQUIRE(theevent != NULL);
+
+ isc_task_attach(task, &thetask);
+
+ theevent->ev_sender = thetask;
+
+ ISC_LIST_APPEND(ondest->events, theevent, ev_link);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_ondestroy_notify(isc_ondestroy_t *ondest, void *sender) {
+ isc_event_t *eventp;
+ isc_task_t *task;
+
+ REQUIRE(VALID_ONDESTROY(ondest));
+
+ eventp = ISC_LIST_HEAD(ondest->events);
+ while (eventp != NULL) {
+ ISC_LIST_UNLINK(ondest->events, eventp, ev_link);
+
+ task = eventp->ev_sender;
+ eventp->ev_sender = sender;
+
+ isc_task_sendanddetach(&task, &eventp);
+
+ eventp = ISC_LIST_HEAD(ondest->events);
+ }
+}
+
+
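Review bot: isc_ondestroy_register links `*eventp` into `ondest->events` but leaves the caller's pointer set, so the caller keeps a pointer to an event it no longer owns. A later free or re-send through that pointer would corrupt the list. If the contract in isc/ondestroy.h (not visible in this hunk) permits it, I would add `*eventp = NULL;` just before `return (ISC_R_SUCCESS);`. A short comment that `ev_sender` holds the attached task only until isc_ondestroy_notify replaces it with `sender` would also make the two functions easier to read together.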
diff --git a/contrib/bind9/lib/isc/parseint.c b/contrib/bind9/lib/isc/parseint.c
new file mode 100644
index 0000000..fe74e57
--- /dev/null
+++ b/contrib/bind9/lib/isc/parseint.c
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: parseint.c,v 1.3.26.5 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <limits.h>
+
+#include <isc/parseint.h>
+#include <isc/result.h>
+#include <isc/stdlib.h>
+
+isc_result_t
+isc_parse_uint32(isc_uint32_t *uip, const char *string, int base) {
+ unsigned long n;
+ char *e;
+ if (! isalnum((unsigned char)(string[0])))
+ return (ISC_R_BADNUMBER);
+ errno = 0;
+ n = strtoul(string, &e, base);
+ if (*e != '\0')
+ return (ISC_R_BADNUMBER);
+ if (n == ULONG_MAX && errno == ERANGE)
+ return (ISC_R_RANGE);
+ *uip = n;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint16(isc_uint16_t *uip, const char *string, int base) {
+ isc_uint32_t val;
+ isc_result_t result;
+ result = isc_parse_uint32(&val, string, base);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (val > 0xFFFF)
+ return (ISC_R_RANGE);
+ *uip = (isc_uint16_t) val;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_parse_uint8(isc_uint8_t *uip, const char *string, int base) {
+ isc_uint32_t val;
+ isc_result_t result;
+ result = isc_parse_uint32(&val, string, base);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (val > 0xFF)
+ return (ISC_R_RANGE);
+ *uip = (isc_uint8_t) val;
+ return (ISC_R_SUCCESS);
+}
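Review bot: isc_parse_uint32 assigns the `unsigned long` returned by strtoul() to `*uip` after testing only `n == ULONG_MAX && errno == ERANGE`. Where `unsigned long` is wider than 32 bits, a value above 0xFFFFFFFF is therefore silently truncated instead of returning ISC_R_RANGE. isc_parse_uint16 and isc_parse_uint8 inherit the problem, because the truncated value can then pass their `val > 0xFFFF` and `val > 0xFF` checks. I would widen the range test to `if ((n == ULONG_MAX && errno == ERANGE) || n != (unsigned long)(isc_uint32_t)n) return (ISC_R_RANGE);`. A one-line comment that the isalnum() test on `string[0]` is what rejects leading whitespace and signs would document the intent.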
diff --git a/contrib/bind9/lib/isc/print.c b/contrib/bind9/lib/isc/print.c
new file mode 100644
index 0000000..6542fe4
--- /dev/null
+++ b/contrib/bind9/lib/isc/print.c
@@ -0,0 +1,556 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: print.c,v 1.22.2.3.2.3 2004/03/06 08:14:33 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdio.h> /* for sprintf */
+
+#define ISC__PRINT_SOURCE /* Used to get the isc_print_* prototypes. */
+
+#include <isc/assertions.h>
+#include <isc/int.h>
+#include <isc/msgs.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+int
+isc_print_sprintf(char *str, const char *format, ...) {
+ va_list ap;
+
+ va_start(ap, format);
+ vsprintf(str, format, ap);
+ va_end(ap);
+ return (strlen(str));
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+isc_print_snprintf(char *str, size_t size, const char *format, ...) {
+ va_list ap;
+ int ret;
+
+ va_start(ap, format);
+ ret = vsnprintf(str, size, format, ap);
+ va_end(ap);
+ return (ret);
+
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+isc_print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
+ int h;
+ int l;
+ int q;
+ int alt;
+ int zero;
+ int left;
+ int plus;
+ int space;
+ int neg;
+ isc_int64_t tmpi;
+ isc_uint64_t tmpui;
+ unsigned long width;
+ unsigned long precision;
+ unsigned int length;
+ char buf[1024];
+ char c;
+ void *v;
+ char *save = str;
+ const char *cp;
+ const char *head;
+ int count = 0;
+ int pad;
+ int zeropad;
+ int dot;
+ double dbl;
+#ifdef HAVE_LONG_DOUBLE
+ long double ldbl;
+#endif
+ char fmt[32];
+
+ INSIST(str != NULL);
+ INSIST(format != NULL);
+
+ while (*format != '\0') {
+ if (*format != '%') {
+ if (size > 1) {
+ *str++ = *format;
+ size--;
+ }
+ count++;
+ format++;
+ continue;
+ }
+ format++;
+
+ /*
+ * Reset flags.
+ */
+ dot = neg = space = plus = left = zero = alt = h = l = q = 0;
+ width = precision = 0;
+ head = "";
+ length = pad = zeropad = 0;
+
+ do {
+ if (*format == '#') {
+ alt = 1;
+ format++;
+ } else if (*format == '-') {
+ left = 1;
+ zero = 0;
+ format++;
+ } else if (*format == ' ') {
+ if (!plus)
+ space = 1;
+ format++;
+ } else if (*format == '+') {
+ plus = 1;
+ space = 0;
+ format++;
+ } else if (*format == '0') {
+ if (!left)
+ zero = 1;
+ format++;
+ } else
+ break;
+ } while (1);
+
+ /*
+ * Width.
+ */
+ if (*format == '*') {
+ width = va_arg(ap, int);
+ format++;
+ } else if (isdigit((unsigned char)*format)) {
+ char *e;
+ width = strtoul(format, &e, 10);
+ format = e;
+ }
+
+ /*
+ * Precision.
+ */
+ if (*format == '.') {
+ format++;
+ dot = 1;
+ if (*format == '*') {
+ precision = va_arg(ap, int);
+ format++;
+ } else if (isdigit((unsigned char)*format)) {
+ char *e;
+ precision = strtoul(format, &e, 10);
+ format = e;
+ }
+ }
+
+ switch (*format) {
+ case '\0':
+ continue;
+ case '%':
+ if (size > 1) {
+ *str++ = *format;
+ size--;
+ }
+ count++;
+ break;
+ case 'q':
+ q = 1;
+ format++;
+ goto doint;
+ case 'h':
+ h = 1;
+ format++;
+ goto doint;
+ case 'l':
+ l = 1;
+ format++;
+ if (*format == 'l') {
+ q = 1;
+ format++;
+ }
+ goto doint;
+ case 'n':
+ case 'i':
+ case 'd':
+ case 'o':
+ case 'u':
+ case 'x':
+ case 'X':
+ doint:
+ if (precision != 0)
+ zero = 0;
+ switch (*format) {
+ case 'n':
+ if (h) {
+ short int *p;
+ p = va_arg(ap, short *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ } else if (l) {
+ long int *p;
+ p = va_arg(ap, long *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ } else {
+ int *p;
+ p = va_arg(ap, int *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ }
+ break;
+ case 'i':
+ case 'd':
+ if (q)
+ tmpi = va_arg(ap, isc_int64_t);
+ else if (l)
+ tmpi = va_arg(ap, long int);
+ else
+ tmpi = va_arg(ap, int);
+ if (tmpi < 0) {
+ head = "-";
+ tmpui = -tmpi;
+ } else {
+ if (plus)
+ head = "+";
+ else if (space)
+ head = " ";
+ else
+ head = "";
+ tmpui = tmpi;
+ }
+ sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u",
+ tmpui);
+ goto printint;
+ case 'o':
+ if (q)
+ tmpui = va_arg(ap, isc_uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, long int);
+ else
+ tmpui = va_arg(ap, int);
+ sprintf(buf,
+ alt ? "%#" ISC_PRINT_QUADFORMAT "o"
+ : "%" ISC_PRINT_QUADFORMAT "o",
+ tmpui);
+ goto printint;
+ case 'u':
+ if (q)
+ tmpui = va_arg(ap, isc_uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ sprintf(buf, "%" ISC_PRINT_QUADFORMAT "u",
+ tmpui);
+ goto printint;
+ case 'x':
+ if (q)
+ tmpui = va_arg(ap, isc_uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ if (alt) {
+ head = "0x";
+ if (precision > 2)
+ precision -= 2;
+ }
+ sprintf(buf, "%" ISC_PRINT_QUADFORMAT "x",
+ tmpui);
+ goto printint;
+ case 'X':
+ if (q)
+ tmpui = va_arg(ap, isc_uint64_t);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ if (alt) {
+ head = "0X";
+ if (precision > 2)
+ precision -= 2;
+ }
+ sprintf(buf, "%" ISC_PRINT_QUADFORMAT "X",
+ tmpui);
+ goto printint;
+ printint:
+ if (precision != 0 || width != 0) {
+ length = strlen(buf);
+ if (length < precision)
+ zeropad = precision - length;
+ else if (length < width && zero)
+ zeropad = width - length;
+ if (width != 0) {
+ pad = width - length -
+ zeropad - strlen(head);
+ if (pad < 0)
+ pad = 0;
+ }
+ }
+ count += strlen(head) + strlen(buf) + pad +
+ zeropad;
+ if (!left) {
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ }
+ cp = head;
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (zeropad > 0 && size > 1) {
+ *str++ = '0';
+ size--;
+ zeropad--;
+ }
+ cp = buf;
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ default:
+ break;
+ }
+ break;
+ case 's':
+ cp = va_arg(ap, char *);
+ REQUIRE(cp != NULL);
+
+ if (precision != 0) {
+ /*
+ * cp need not be NULL terminated.
+ */
+ const char *tp;
+ unsigned long n;
+
+ n = precision;
+ tp = cp;
+ while (n != 0 && *tp != '\0')
+ n--, tp++;
+ length = precision - n;
+ } else {
+ length = strlen(cp);
+ }
+ if (width != 0) {
+ pad = width - length;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += pad + length;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ if (precision != 0)
+ while (precision > 0 && *cp != '\0' &&
+ size > 1) {
+ *str++ = *cp++;
+ size--;
+ precision--;
+ }
+ else
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ case 'c':
+ c = va_arg(ap, int);
+ if (width > 0) {
+ count += width;
+ width--;
+ if (left) {
+ *str++ = c;
+ size--;
+ }
+ while (width-- > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ }
+ if (!left && size > 1) {
+ *str++ = c;
+ size--;
+ }
+ } else {
+ count++;
+ if (size > 1) {
+ *str++ = c;
+ size--;
+ }
+ }
+ break;
+ case 'p':
+ v = va_arg(ap, void *);
+ sprintf(buf, "%p", v);
+ length = strlen(buf);
+ if (precision > length)
+ zeropad = precision - length;
+ if (width > 0) {
+ pad = width - length - zeropad;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += length + pad + zeropad;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ cp = buf;
+ if (zeropad > 0 && buf[0] == '0' &&
+ (buf[1] == 'x' || buf[1] == 'X')) {
+ if (size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ if (size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (zeropad > 0 && size > 1) {
+ *str++ = '0';
+ size--;
+ zeropad--;
+ }
+ }
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ case 'D': /*deprecated*/
+ INSIST("use %ld instead of %D" == NULL);
+ case 'O': /*deprecated*/
+ INSIST("use %lo instead of %O" == NULL);
+ case 'U': /*deprecated*/
+ INSIST("use %lu instead of %U" == NULL);
+
+ case 'L':
+#ifdef HAVE_LONG_DOUBLE
+ l = 1;
+#else
+ INSIST("long doubles are not supported" == NULL);
+#endif
+ /*FALLTHROUGH*/
+ case 'e':
+ case 'E':
+ case 'f':
+ case 'g':
+ case 'G':
+ if (!dot)
+ precision = 6;
+ /*
+ * IEEE floating point.
+ * MIN 2.2250738585072014E-308
+ * MAX 1.7976931348623157E+308
+ * VAX floating point has a smaller range than IEEE.
+ *
+ * precisions > 324 don't make much sense.
+ * if we cap the precision at 512 we will not
+ * overflow buf.
+ */
+ if (precision > 512)
+ precision = 512;
+ sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
+ plus ? "+" : space ? " " : "",
+ precision, l ? "L" : "", *format);
+ switch (*format) {
+ case 'e':
+ case 'E':
+ case 'f':
+ case 'g':
+ case 'G':
+#ifdef HAVE_LONG_DOUBLE
+ if (l) {
+ ldbl = va_arg(ap, long double);
+ sprintf(buf, fmt, ldbl);
+ } else
+#endif
+ {
+ dbl = va_arg(ap, double);
+ sprintf(buf, fmt, dbl);
+ }
+ length = strlen(buf);
+ if (width > 0) {
+ pad = width - length;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += length + pad;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ cp = buf;
+ while (*cp != ' ' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ default:
+ continue;
+ }
+ break;
+ default:
+ continue;
+ }
+ format++;
+ }
+ if (size > 0)
+ *str = '\0';
+ return (count);
+}
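Review bot: In isc_print_vsnprintf the `%c` case with a width and the `-` flag runs `*str++ = c; size--;` with no `size > 1` test, unlike the other bounded stores in the function. With `size` equal to 1 it overwrites the byte reserved for the terminator, and the final `if (size > 0)` then skips termination. With `size` equal to 0 it writes into a zero-length buffer and wraps the unsigned `size`, which defeats the later bounds checks. The branch should be `if (left && size > 1) { *str++ = c; size--; }`. Separately, the floating-point copy loop tests `*cp != ' '` where the other copy loops test `*cp != '\0'`, so it can read past the terminator in `buf`; it should be `while (*cp != '\0' && size > 1)`.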
diff --git a/contrib/bind9/lib/isc/pthreads/Makefile.in b/contrib/bind9/lib/isc/pthreads/Makefile.in
new file mode 100644
index 0000000..f245afa
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.16.206.1 2004/03/06 08:14:53 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../unix/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = condition.@O@ mutex.@O@ thread.@O@
+
+SRCS = condition.c mutex.c thread.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/condition.c b/contrib/bind9/lib/isc/pthreads/condition.c
new file mode 100644
index 0000000..489980c
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/condition.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: condition.c,v 1.30.2.1.10.1 2004/03/06 08:14:53 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+
+#include <isc/condition.h>
+#include <isc/msgs.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *c, isc_mutex_t *m, isc_time_t *t) {
+ int presult;
+ isc_result_t result;
+ struct timespec ts;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(c != NULL && m != NULL && t != NULL);
+
+ /*
+ * POSIX defines a timespec's tv_sec as time_t.
+ */
+ result = isc_time_secondsastimet(t, &ts.tv_sec);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * POSIX defines a timespec's tv_nsec as long. isc_time_nanoseconds
+ * ensures its return value is < 1 billion, which will fit in a long.
+ */
+ ts.tv_nsec = (long)isc_time_nanoseconds(t);
+
+ do {
+#if ISC_MUTEX_PROFILE
+ presult = pthread_cond_timedwait(c, &m->mutex, &ts);
+#else
+ presult = pthread_cond_timedwait(c, m, &ts);
+#endif
+ if (presult == 0)
+ return (ISC_R_SUCCESS);
+ if (presult == ETIMEDOUT)
+ return (ISC_R_TIMEDOUT);
+ } while (presult == EINTR);
+
+ isc__strerror(presult, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "pthread_cond_timedwait() %s %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_RETURNED, "returned"),
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+}
diff --git a/contrib/bind9/lib/isc/pthreads/include/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
new file mode 100644
index 0000000..5fec836
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:14:54 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
new file mode 100644
index 0000000..dd15a11
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/Makefile.in
@@ -0,0 +1,37 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.13.206.1 2004/03/06 08:14:56 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = condition.h mutex.h once.h thread.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
+ done
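Review bot: The `install::` recipe loops over `${HEADERS}` in a single shell command, so the recipe's exit status is that of the last `${INSTALL_DATA}` call only. A failure installing an earlier header is ignored and make reports success with a partial set of headers in `${DESTDIR}${includedir}/isc`. Ending the loop body with `|| exit 1`, as in `${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1 ; \`, makes the first failure stop the install.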
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/condition.h b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
new file mode 100644
index 0000000..c33772f
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/condition.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: condition.h,v 1.21.206.1 2004/03/06 08:14:56 marka Exp $ */
+
+#ifndef ISC_CONDITION_H
+#define ISC_CONDITION_H 1
+
+#include <isc/lang.h>
+#include <isc/mutex.h>
+#include <isc/result.h>
+#include <isc/types.h>
+
+typedef pthread_cond_t isc_condition_t;
+
+#define isc_condition_init(cp) \
+ ((pthread_cond_init((cp), NULL) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#if ISC_MUTEX_PROFILE
+#define isc_condition_wait(cp, mp) \
+ ((pthread_cond_wait((cp), &((mp)->mutex)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#else
+#define isc_condition_wait(cp, mp) \
+ ((pthread_cond_wait((cp), (mp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#define isc_condition_signal(cp) \
+ ((pthread_cond_signal((cp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_broadcast(cp) \
+ ((pthread_cond_broadcast((cp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_condition_destroy(cp) \
+ ((pthread_cond_destroy((cp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_condition_waituntil(isc_condition_t *, isc_mutex_t *, isc_time_t *);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_CONDITION_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
new file mode 100644
index 0000000..f6e526d
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/mutex.h
@@ -0,0 +1,139 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutex.h,v 1.23.26.3 2004/03/08 09:04:55 marka Exp $ */
+
+#ifndef ISC_MUTEX_H
+#define ISC_MUTEX_H 1
+
+#include <pthread.h>
+#include <stdio.h>
+
+#include <isc/result.h> /* for ISC_R_ codes */
+
+/*
+ * Supply mutex attributes that enable deadlock detection
+ * (helpful when debugging). This is system dependent and
+ * currently only supported on NetBSD.
+ */
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+extern pthread_mutexattr_t isc__mutex_attrs;
+#define ISC__MUTEX_ATTRS &isc__mutex_attrs
+#else
+#define ISC__MUTEX_ATTRS NULL
+#endif
+
+/* XXX We could do fancier error handling... */
+
+/*
+ * Define ISC_MUTEX_PROFILE to turn on profiling of mutexes by line. When
+ * enabled, isc_mutex_stats() can be used to print a table showing the
+ * number of times each type of mutex was locked and the amount of time
+ * waiting to obtain the lock.
+ */
+#ifndef ISC_MUTEX_PROFILE
+#define ISC_MUTEX_PROFILE 0
+#endif
+
+#if ISC_MUTEX_PROFILE
+typedef struct isc_mutexstats isc_mutexstats_t;
+
+typedef struct {
+ pthread_mutex_t mutex; /* The actual mutex. */
+ isc_mutexstats_t * stats; /* Mutex statistics. */
+} isc_mutex_t;
+#else
+typedef pthread_mutex_t isc_mutex_t;
+#endif
+
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_init(mp) \
+ isc_mutex_init_profile((mp), __FILE__, __LINE__)
+#else
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+#define isc_mutex_init(mp) \
+ isc_mutex_init_errcheck((mp))
+#else
+#define isc_mutex_init(mp) \
+ ((pthread_mutex_init((mp), ISC__MUTEX_ATTRS) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_lock(mp) \
+ isc_mutex_lock_profile((mp), __FILE__, __LINE__)
+#else
+#define isc_mutex_lock(mp) \
+ ((pthread_mutex_lock((mp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_unlock(mp) \
+ isc_mutex_unlock_profile((mp), __FILE__, __LINE__)
+#else
+#define isc_mutex_unlock(mp) \
+ ((pthread_mutex_unlock((mp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_trylock(mp) \
+ ((pthread_mutex_trylock((&(mp)->mutex)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#else
+#define isc_mutex_trylock(mp) \
+ ((pthread_mutex_trylock((mp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_LOCKBUSY)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_destroy(mp) \
+ ((pthread_mutex_destroy((&(mp)->mutex)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#else
+#define isc_mutex_destroy(mp) \
+ ((pthread_mutex_destroy((mp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+#endif
+
+#if ISC_MUTEX_PROFILE
+#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);
+#else
+#define isc_mutex_stats(fp)
+#endif
+
+#if ISC_MUTEX_PROFILE
+
+isc_result_t
+isc_mutex_init_profile(isc_mutex_t *mp, const char * _file, int _line);
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char * _file, int _line);
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char * _file, int _line);
+
+void
+isc_mutex_statsprofile(FILE *fp);
+
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp);
+
+#endif /* ISC_MUTEX_PROFILE */
+
+#endif /* ISC_MUTEX_H */
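Review bot: The prototype for `isc_mutex_init_errcheck` sits inside the final `#if ISC_MUTEX_PROFILE` block, but the macro that calls it, `#define isc_mutex_init(mp) isc_mutex_init_errcheck((mp))`, is selected only in the `#else` branch where ISC_MUTEX_PROFILE is 0. A build with ISC_MUTEX_DEBUG set and PTHREAD_MUTEX_ERRORCHECK defined therefore calls the function with no declaration in scope. I would move the prototype under its own guard, `#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)`. Also, `#define isc_mutex_stats(fp) isc_mutex_statsprofile(fp);` carries a trailing semicolon that the empty variant lacks; dropping it makes both forms behave the same inside an `if`/`else`.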
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/once.h b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
new file mode 100644
index 0000000..39b4885
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/once.h
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: once.h,v 1.8.206.1 2004/03/06 08:14:57 marka Exp $ */
+
+#ifndef ISC_ONCE_H
+#define ISC_ONCE_H 1
+
+#include <pthread.h>
+
+#include <isc/platform.h>
+#include <isc/result.h>
+
+typedef pthread_once_t isc_once_t;
+
+#ifdef ISC_PLATFORM_BRACEPTHREADONCEINIT
+/*
+ * This accomodates systems that define PTHRAD_ONCE_INIT improperly.
+ */
+#define ISC_ONCE_INIT { PTHREAD_ONCE_INIT }
+#else
+/*
+ * This is the usual case.
+ */
+#define ISC_ONCE_INIT PTHREAD_ONCE_INIT
+#endif
+
+/* XXX We could do fancier error handling... */
+
+#define isc_once_do(op, f) \
+ ((pthread_once((op), (f)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#endif /* ISC_ONCE_H */
diff --git a/contrib/bind9/lib/isc/pthreads/include/isc/thread.h b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
new file mode 100644
index 0000000..6287dcd
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/include/isc/thread.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: thread.h,v 1.19.206.1 2004/03/06 08:14:57 marka Exp $ */
+
+#ifndef ISC_THREAD_H
+#define ISC_THREAD_H 1
+
+#include <pthread.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef pthread_t isc_thread_t;
+typedef void * isc_threadresult_t;
+typedef void * isc_threadarg_t;
+typedef isc_threadresult_t (*isc_threadfunc_t)(isc_threadarg_t);
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t, isc_threadarg_t, isc_thread_t *);
+
+void
+isc_thread_setconcurrency(unsigned int level);
+
+/* XXX We could do fancier error handling... */
+
+#define isc_thread_join(t, rp) \
+ ((pthread_join((t), (rp)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED)
+
+#define isc_thread_self \
+ (unsigned long)pthread_self
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_THREAD_H */
diff --git a/contrib/bind9/lib/isc/pthreads/mutex.c b/contrib/bind9/lib/isc/pthreads/mutex.c
new file mode 100644
index 0000000..e29e92b
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/mutex.c
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: mutex.c,v 1.6.26.3 2004/03/08 09:04:55 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <time.h>
+#include <sys/time.h>
+
+#include <isc/mutex.h>
+#include <isc/util.h>
+
+#if ISC_MUTEX_PROFILE
+
+/* Operations on timevals; adapted from FreeBSD's sys/time.h */
+#define timevalclear(tvp) ((tvp)->tv_sec = (tvp)->tv_usec = 0)
+#define timevaladd(vvp, uvp) \
+ do { \
+ (vvp)->tv_sec += (uvp)->tv_sec; \
+ (vvp)->tv_usec += (uvp)->tv_usec; \
+ if ((vvp)->tv_usec >= 1000000) { \
+ (vvp)->tv_sec++; \
+ (vvp)->tv_usec -= 1000000; \
+ } \
+ } while (0)
+#define timevalsub(vvp, uvp) \
+ do { \
+ (vvp)->tv_sec -= (uvp)->tv_sec; \
+ (vvp)->tv_usec -= (uvp)->tv_usec; \
+ if ((vvp)->tv_usec < 0) { \
+ (vvp)->tv_sec--; \
+ (vvp)->tv_usec += 1000000; \
+ } \
+ } while (0)
+
+#define ISC_MUTEX_MAX_LOCKERS 32
+
+typedef struct {
+ const char * file;
+ int line;
+ unsigned count;
+ struct timeval locked_total;
+ struct timeval wait_total;
+} isc_mutexlocker_t;
+
+struct isc_mutexstats {
+ const char * file; /* File mutex was created in. */
+ int line; /* Line mutex was created on. */
+ unsigned count;
+ struct timeval lock_t;
+ struct timeval locked_total;
+ struct timeval wait_total;
+ isc_mutexlocker_t * cur_locker;
+ isc_mutexlocker_t lockers[ISC_MUTEX_MAX_LOCKERS];
+};
+
+#define TABLESIZE (8 * 1024)
+static isc_mutexstats_t stats[TABLESIZE];
+static isc_boolean_t stats_init = ISC_FALSE;
+static pthread_mutex_t statslock = PTHREAD_MUTEX_INITIALIZER;
+
+
+isc_result_t
+isc_mutex_init_profile(isc_mutex_t *mp, const char *file, int line) {
+ int i;
+
+ if (pthread_mutex_init(&mp->mutex, NULL) != 0)
+ return ISC_R_UNEXPECTED;
+
+ RUNTIME_CHECK(pthread_mutex_lock(&statslock) == 0);
+
+ if (stats_init == ISC_FALSE) {
+ for (i = 0; i < TABLESIZE; i++) {
+ stats[i].file = NULL;
+ }
+ stats_init = ISC_TRUE;
+ }
+
+ mp->stats = NULL;
+ for (i = 0; i < TABLESIZE; i++) {
+ if (stats[i].file == NULL) {
+ mp->stats = &stats[i];
+ break;
+ }
+ }
+ RUNTIME_CHECK(mp->stats != NULL);
+
+ RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);
+
+ mp->stats->file = file;
+ mp->stats->line = line;
+ mp->stats->count = 0;
+ timevalclear(&mp->stats->locked_total);
+ timevalclear(&mp->stats->wait_total);
+ for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+ mp->stats->lockers[i].file = NULL;
+ mp->stats->lockers[i].line = 0;
+ mp->stats->lockers[i].count = 0;
+ timevalclear(&mp->stats->lockers[i].locked_total);
+ timevalclear(&mp->stats->lockers[i].wait_total);
+ }
+
+ return ISC_R_SUCCESS;
+}
+
+isc_result_t
+isc_mutex_lock_profile(isc_mutex_t *mp, const char *file, int line) {
+ struct timeval prelock_t;
+ struct timeval postlock_t;
+ isc_mutexlocker_t *locker = NULL;
+ int i;
+
+ for (i = 0; i < ISC_MUTEX_MAX_LOCKERS; i++) {
+ if (mp->stats->lockers[i].file == NULL) {
+ locker = &mp->stats->lockers[i];
+ locker->file = file;
+ locker->line = line;
+ break;
+ } else if (mp->stats->lockers[i].file == file &&
+ mp->stats->lockers[i].line == line) {
+ locker = &mp->stats->lockers[i];
+ break;
+ }
+ }
+
+ gettimeofday(&prelock_t, NULL);
+
+ if (pthread_mutex_lock(&mp->mutex) != 0)
+ return (ISC_R_UNEXPECTED);
+
+ gettimeofday(&postlock_t, NULL);
+ mp->stats->lock_t = postlock_t;
+
+ timevalsub(&postlock_t, &prelock_t);
+
+ mp->stats->count++;
+ timevaladd(&mp->stats->wait_total, &postlock_t);
+
+ if (locker != NULL) {
+ locker->count++;
+ timevaladd(&locker->wait_total, &postlock_t);
+ }
+
+ mp->stats->cur_locker = locker;
+
+ return ISC_R_SUCCESS;
+}
+
+isc_result_t
+isc_mutex_unlock_profile(isc_mutex_t *mp, const char *file, int line) {
+ struct timeval unlock_t;
+
+ UNUSED(file);
+ UNUSED(line);
+
+ if (mp->stats->cur_locker != NULL) {
+ gettimeofday(&unlock_t, NULL);
+ timevalsub(&unlock_t, &mp->stats->lock_t);
+ timevaladd(&mp->stats->locked_total, &unlock_t);
+ timevaladd(&mp->stats->cur_locker->locked_total, &unlock_t);
+ mp->stats->cur_locker = NULL;
+ }
+
+ return ((pthread_mutex_unlock((&mp->mutex)) == 0) ? \
+ ISC_R_SUCCESS : ISC_R_UNEXPECTED);
+}
+
+
+void
+isc_mutex_statsprofile(FILE *fp) {
+ isc_mutexlocker_t *locker;
+ int i, j;
+ fprintf(fp, "Mutex stats (in us)\n");
+ for (i = 0; i < TABLESIZE; i++) {
+ if (stats[i].file == NULL)
+ continue;
+ fprintf(fp, "%-12s %4d: %10u %lu.%06lu %lu.%06lu\n",
+ stats[i].file, stats[i].line, stats[i].count,
+ stats[i].locked_total.tv_sec,
+ stats[i].locked_total.tv_usec,
+ stats[i].wait_total.tv_sec,
+ stats[i].wait_total.tv_usec
+ );
+ for (j = 0; j < ISC_MUTEX_MAX_LOCKERS; j++) {
+ locker = &stats[i].lockers[j];
+ if (locker->file == NULL)
+ continue;
+ fprintf(fp, " %-11s %4d: %10u %lu.%06lu %lu.%06lu\n",
+ locker->file, locker->line, locker->count,
+ locker->locked_total.tv_sec,
+ locker->locked_total.tv_usec,
+ locker->wait_total.tv_sec,
+ locker->wait_total.tv_usec
+ );
+ }
+ }
+}
+
+#endif /* ISC_MUTEX_PROFILE */
+
+#if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
+isc_result_t
+isc_mutex_init_errcheck(isc_mutex_t *mp)
+{
+ pthread_mutexattr_t attr;
+
+ if (pthread_mutexattr_init(&attr) != 0)
+ return ISC_R_UNEXPECTED;
+
+ if (pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK) != 0)
+ return ISC_R_UNEXPECTED;
+
+ if (pthread_mutex_init(mp, &attr) != 0)
+ return ISC_R_UNEXPECTED;
+
+ return ISC_R_SUCCESS;
+}
+#endif
+
+#if ISC_MUTEX_DEBUG && defined(__NetBSD__) && defined(PTHREAD_MUTEX_ERRORCHECK)
+pthread_mutexattr_t isc__mutex_attrs = {
+ PTHREAD_MUTEX_ERRORCHECK, /* m_type */
+ 0 /* m_flags, which appears to be unused. */
+};
+#endif
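Review bot: In `isc_mutex_init_profile` the free slot is found under `statslock`, but it is only marked as taken by `mp->stats->file = file;` after the lock has been released, so two threads initialising mutexes at the same time can be handed the same `stats[]` entry. Moving that assignment above `RUNTIME_CHECK(pthread_mutex_unlock(&statslock) == 0);` closes the window. `isc_mutex_lock_profile` has a related race: it writes `locker->file` and `locker->line` before `pthread_mutex_lock(&mp->mutex)` is taken, so the locker-table update would be safer once the mutex is held. Separately, `isc_mutex_init_errcheck` never calls `pthread_mutexattr_destroy(&attr)` on any path.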
diff --git a/contrib/bind9/lib/isc/pthreads/thread.c b/contrib/bind9/lib/isc/pthreads/thread.c
new file mode 100644
index 0000000..0f552d7
--- /dev/null
+++ b/contrib/bind9/lib/isc/pthreads/thread.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: thread.c,v 1.9.2.2.2.1 2004/03/06 08:14:54 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#ifndef THREAD_MINSTACKSIZE
+#define THREAD_MINSTACKSIZE (64U * 1024)
+#endif
+
+isc_result_t
+isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
+ isc_thread_t *thread)
+{
+ pthread_attr_t attr;
+ size_t stacksize;
+ int ret;
+
+ pthread_attr_init(&attr);
+
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+ defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
+ ret = pthread_attr_getstacksize(&attr, &stacksize);
+ if (ret != 0)
+ return (ISC_R_UNEXPECTED);
+
+ if (stacksize < THREAD_MINSTACKSIZE) {
+ ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
+ if (ret != 0)
+ return (ISC_R_UNEXPECTED);
+ }
+#endif
+
+ ret = pthread_create(thread, &attr, func, arg);
+ if (ret != 0)
+ return (ISC_R_UNEXPECTED);
+
+ pthread_attr_destroy(&attr);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_thread_setconcurrency(unsigned int level) {
+#if defined(CALL_PTHREAD_SETCONCURRENCY)
+ (void)pthread_setconcurrency(level);
+#else
+ UNUSED(level);
+#endif
+}
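Review bot: `isc_thread_create` leaves `attr` initialised on every early return: the three `return (ISC_R_UNEXPECTED);` paths skip `pthread_attr_destroy(&attr)`, and the result of `pthread_attr_init(&attr)` is not checked at all. On implementations where the attribute object owns memory, each failed thread creation leaks it. A single exit path that always destroys the attribute, as sketched below, keeps the result codes seen by callers unchanged.

```c
isc_result_t
isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
		  isc_thread_t *thread)
{
	/* ... unchanged: declarations of attr, stacksize and ret ... */

	ret = pthread_attr_init(&attr);
	if (ret != 0)
		return (ISC_R_UNEXPECTED);

#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
	ret = pthread_attr_getstacksize(&attr, &stacksize);
	if (ret == 0 && stacksize < THREAD_MINSTACKSIZE)
		ret = pthread_attr_setstacksize(&attr, THREAD_MINSTACKSIZE);
#endif

	if (ret == 0)
		ret = pthread_create(thread, &attr, func, arg);

	/* Destroy the attribute object on success and on failure alike. */
	pthread_attr_destroy(&attr);

	return ((ret == 0) ? ISC_R_SUCCESS : ISC_R_UNEXPECTED);
```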
diff --git a/contrib/bind9/lib/isc/quota.c b/contrib/bind9/lib/isc/quota.c
new file mode 100644
index 0000000..012bfbb
--- /dev/null
+++ b/contrib/bind9/lib/isc/quota.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: quota.c,v 1.11.12.3 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/quota.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_quota_init(isc_quota_t *quota, int max) {
+ quota->max = max;
+ quota->used = 0;
+ quota->soft = ISC_FALSE;
+ return (isc_mutex_init(&quota->lock));
+}
+
+void
+isc_quota_destroy(isc_quota_t *quota) {
+ INSIST(quota->used == 0);
+ quota->max = -1;
+ quota->used = -1;
+ quota->soft = ISC_FALSE;
+ DESTROYLOCK(&quota->lock);
+}
+
+void
+isc_quota_soft(isc_quota_t *quota, isc_boolean_t soft) {
+ quota->soft = soft;
+}
+
+isc_result_t
+isc_quota_reserve(isc_quota_t *quota) {
+ isc_result_t result;
+ LOCK(&quota->lock);
+ if (quota->used < quota->max) {
+ quota->used++;
+ result = ISC_R_SUCCESS;
+ } else {
+ if (quota->soft) {
+ quota->used++;
+ result = ISC_R_SOFTQUOTA;
+ } else
+ result = ISC_R_QUOTA;
+ }
+ UNLOCK(&quota->lock);
+ return (result);
+}
+
+void
+isc_quota_release(isc_quota_t *quota) {
+ LOCK(&quota->lock);
+ INSIST(quota->used > 0);
+ quota->used--;
+ UNLOCK(&quota->lock);
+}
+
+isc_result_t
+isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
+{
+ isc_result_t result;
+ INSIST(p != NULL && *p == NULL);
+ result = isc_quota_reserve(quota);
+ if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
+ *p = quota;
+ return (result);
+}
+
+void
+isc_quota_detach(isc_quota_t **p)
+{
+ INSIST(p != NULL && *p != NULL);
+ isc_quota_release(*p);
+ *p = NULL;
+}
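Review bot: `isc_quota_soft` writes `quota->soft` without taking `quota->lock`, while `isc_quota_reserve` reads the same field under the lock, so a change of mode can race with a reservation in progress; wrapping the assignment as `LOCK(&quota->lock); quota->soft = soft; UNLOCK(&quota->lock);` makes it consistent with the other accessors. `isc_quota_reserve` also needs a comment saying that `ISC_R_SOFTQUOTA` still increments `used`, so the caller holds a slot and must call `isc_quota_release`, and that in soft mode `used` is not bounded by `max`. A caller that treats `ISC_R_SOFTQUOTA` as a plain failure would leave `used` above zero and trip `INSIST(quota->used == 0)` in `isc_quota_destroy`.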
diff --git a/contrib/bind9/lib/isc/random.c b/contrib/bind9/lib/isc/random.c
new file mode 100644
index 0000000..e5c4d31
--- /dev/null
+++ b/contrib/bind9/lib/isc/random.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: random.c,v 1.15.74.5 2004/03/08 09:04:49 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <time.h> /* Required for time(). */
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_rand(void)
+{
+#ifndef HAVE_ARC4RANDOM
+ unsigned int pid = getpid();
+
+ /*
+ * The low bits of pid generally change faster.
+ * Xor them with the high bits of time which change slowly.
+ */
+ pid = ((pid << 16) & 0xffff0000) | ((pid >> 16) & 0xffff);
+
+ srand(time(NULL) ^ pid);
+#endif
+}
+
+static void
+initialize(void)
+{
+ RUNTIME_CHECK(isc_once_do(&once, initialize_rand) == ISC_R_SUCCESS);
+}
+
+void
+isc_random_seed(isc_uint32_t seed)
+{
+ initialize();
+
+#ifndef HAVE_ARC4RANDOM
+ srand(seed);
+#else
+ arc4random_addrandom((u_char *) &seed, sizeof(isc_uint32_t));
+#endif
+}
+
+void
+isc_random_get(isc_uint32_t *val)
+{
+ REQUIRE(val != NULL);
+
+ initialize();
+
+#ifndef HAVE_ARC4RANDOM
+ /*
+ * rand()'s lower bits are not random.
+ * rand()'s upper bit is zero.
+ */
+ *val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000);
+#else
+ *val = arc4random();
+#endif
+}
+
+isc_uint32_t
+isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter) {
+ REQUIRE(jitter < max);
+ if (jitter == 0)
+ return (max);
+ else
+#ifndef HAVE_ARC4RANDOM
+ return (max - rand() % jitter);
+#else
+ return (max - arc4random() % jitter);
+#endif
+}
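Review bot: When `HAVE_ARC4RANDOM` is not defined, `isc_random_get` returns bits from `rand()` seeded in `initialize_rand` with `time(NULL) ^ pid`, which is guessable and not a cryptographic generator, and nothing in the file tells callers so. A header comment on `isc_random_get` should state that the fallback output is only suitable for jitter and similar non-security uses, and that values which must be unpredictable to a remote party need a different source. `isc_random_jitter` also calls `rand()` without `initialize();` first, so if it is the first function used the generator runs unseeded; adding `initialize();` after the `REQUIRE` fixes that. In the same fallback, `rand() << 12` shifts a signed `int` and can overflow where `RAND_MAX` is large; `((isc_uint32_t)rand() << 12)` avoids it.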
diff --git a/contrib/bind9/lib/isc/ratelimiter.c b/contrib/bind9/lib/isc/ratelimiter.c
new file mode 100644
index 0000000..211363c
--- /dev/null
+++ b/contrib/bind9/lib/isc/ratelimiter.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ratelimiter.c,v 1.18.14.4 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/ratelimiter.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+typedef enum {
+ isc_ratelimiter_stalled = 0,
+ isc_ratelimiter_ratelimited = 1,
+ isc_ratelimiter_idle = 2,
+ isc_ratelimiter_shuttingdown = 3
+} isc_ratelimiter_state_t;
+
+struct isc_ratelimiter {
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ int refs;
+ isc_task_t * task;
+ isc_timer_t * timer;
+ isc_interval_t interval;
+ isc_uint32_t pertic;
+ isc_ratelimiter_state_t state;
+ isc_event_t shutdownevent;
+ ISC_LIST(isc_event_t) pending;
+};
+
+#define ISC_RATELIMITEREVENT_SHUTDOWN (ISC_EVENTCLASS_RATELIMITER + 1)
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event);
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event);
+
+isc_result_t
+isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
+ isc_task_t *task, isc_ratelimiter_t **ratelimiterp)
+{
+ isc_result_t result;
+ isc_ratelimiter_t *rl;
+ INSIST(ratelimiterp != NULL && *ratelimiterp == NULL);
+
+ rl = isc_mem_get(mctx, sizeof(*rl));
+ if (rl == NULL)
+ return ISC_R_NOMEMORY;
+ rl->mctx = mctx;
+ rl->refs = 1;
+ rl->task = task;
+ isc_interval_set(&rl->interval, 0, 0);
+ rl->timer = NULL;
+ rl->pertic = 1;
+ rl->state = isc_ratelimiter_idle;
+ ISC_LIST_INIT(rl->pending);
+
+ result = isc_mutex_init(&rl->lock);
+ if (result != ISC_R_SUCCESS)
+ goto free_mem;
+ result = isc_timer_create(timermgr, isc_timertype_inactive,
+ NULL, NULL, rl->task, ratelimiter_tick,
+ rl, &rl->timer);
+ if (result != ISC_R_SUCCESS)
+ goto free_mutex;
+
+ /*
+ * Increment the reference count to indicate that we may
+ * (soon) have events outstanding.
+ */
+ rl->refs++;
+
+ ISC_EVENT_INIT(&rl->shutdownevent,
+ sizeof(isc_event_t),
+ 0, NULL, ISC_RATELIMITEREVENT_SHUTDOWN,
+ ratelimiter_shutdowncomplete, rl, rl, NULL, NULL);
+
+ *ratelimiterp = rl;
+ return (ISC_R_SUCCESS);
+
+free_mutex:
+ DESTROYLOCK(&rl->lock);
+free_mem:
+ isc_mem_put(mctx, rl, sizeof(*rl));
+ return (result);
+}
+
+isc_result_t
+isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval) {
+ isc_result_t result = ISC_R_SUCCESS;
+ LOCK(&rl->lock);
+ rl->interval = *interval;
+ /*
+ * If the timer is currently running, change its rate.
+ */
+ if (rl->state == isc_ratelimiter_ratelimited) {
+ result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+ &rl->interval, ISC_FALSE);
+ }
+ UNLOCK(&rl->lock);
+ return (result);
+}
+
+void
+isc_ratelimiter_setpertic(isc_ratelimiter_t *rl, isc_uint32_t pertic) {
+ if (pertic == 0)
+ pertic = 1;
+ rl->pertic = pertic;
+}
+
+isc_result_t
+isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
+ isc_event_t **eventp)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_event_t *ev;
+
+ REQUIRE(eventp != NULL && *eventp != NULL);
+ REQUIRE(task != NULL);
+ ev = *eventp;
+ REQUIRE(ev->ev_sender == NULL);
+
+ LOCK(&rl->lock);
+ if (rl->state == isc_ratelimiter_ratelimited ||
+ rl->state == isc_ratelimiter_stalled) {
+ isc_event_t *ev = *eventp;
+ ev->ev_sender = task;
+ ISC_LIST_APPEND(rl->pending, ev, ev_link);
+ *eventp = NULL;
+ } else if (rl->state == isc_ratelimiter_idle) {
+ result = isc_timer_reset(rl->timer, isc_timertype_ticker, NULL,
+ &rl->interval, ISC_FALSE);
+ if (result == ISC_R_SUCCESS) {
+ ev->ev_sender = task;
+ rl->state = isc_ratelimiter_ratelimited;
+ }
+ } else {
+ INSIST(rl->state == isc_ratelimiter_shuttingdown);
+ result = ISC_R_SHUTTINGDOWN;
+ }
+ UNLOCK(&rl->lock);
+ if (*eventp != NULL && result == ISC_R_SUCCESS)
+ isc_task_send(task, eventp);
+ return (result);
+}
+
+static void
+ratelimiter_tick(isc_task_t *task, isc_event_t *event) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+ isc_event_t *p;
+ isc_uint32_t pertic;
+
+ UNUSED(task);
+
+ isc_event_free(&event);
+
+ pertic = rl->pertic;
+ while (pertic != 0) {
+ pertic--;
+ LOCK(&rl->lock);
+ p = ISC_LIST_HEAD(rl->pending);
+ if (p != NULL) {
+ /*
+ * There is work to do. Let's do it after unlocking.
+ */
+ ISC_LIST_UNLINK(rl->pending, p, ev_link);
+ } else {
+ /*
+ * No work left to do. Stop the timer so that we don't
+ * waste resources by having it fire periodically.
+ */
+ result = isc_timer_reset(rl->timer,
+ isc_timertype_inactive,
+ NULL, NULL, ISC_FALSE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ rl->state = isc_ratelimiter_idle;
+ pertic = 0; /* Force the loop to exit. */
+ }
+ UNLOCK(&rl->lock);
+ if (p != NULL) {
+ isc_task_t *evtask = p->ev_sender;
+ isc_task_send(evtask, &p);
+ }
+ INSIST(p == NULL);
+ }
+}
+
+void
+isc_ratelimiter_shutdown(isc_ratelimiter_t *rl) {
+ isc_event_t *ev;
+ isc_task_t *task;
+ LOCK(&rl->lock);
+ rl->state = isc_ratelimiter_shuttingdown;
+ (void)isc_timer_reset(rl->timer, isc_timertype_inactive,
+ NULL, NULL, ISC_FALSE);
+ while ((ev = ISC_LIST_HEAD(rl->pending)) != NULL) {
+ ISC_LIST_UNLINK(rl->pending, ev, ev_link);
+ ev->ev_attributes |= ISC_EVENTATTR_CANCELED;
+ task = ev->ev_sender;
+ isc_task_send(task, &ev);
+ }
+ isc_timer_detach(&rl->timer);
+ /*
+ * Send an event to our task. The delivery of this event
+ * indicates that no more timer events will be delivered.
+ */
+ ev = &rl->shutdownevent;
+ isc_task_send(rl->task, &ev);
+
+ UNLOCK(&rl->lock);
+}
+
+static void
+ratelimiter_shutdowncomplete(isc_task_t *task, isc_event_t *event) {
+ isc_ratelimiter_t *rl = (isc_ratelimiter_t *)event->ev_arg;
+
+ UNUSED(task);
+
+ isc_ratelimiter_detach(&rl);
+}
+
+static void
+ratelimiter_free(isc_ratelimiter_t *rl) {
+ DESTROYLOCK(&rl->lock);
+ isc_mem_put(rl->mctx, rl, sizeof(*rl));
+}
+
+void
+isc_ratelimiter_attach(isc_ratelimiter_t *source, isc_ratelimiter_t **target) {
+ REQUIRE(source != NULL);
+ REQUIRE(target != NULL && *target == NULL);
+
+ LOCK(&source->lock);
+ REQUIRE(source->refs > 0);
+ source->refs++;
+ INSIST(source->refs > 0);
+ UNLOCK(&source->lock);
+ *target = source;
+}
+
+void
+isc_ratelimiter_detach(isc_ratelimiter_t **rlp) {
+ isc_ratelimiter_t *rl = *rlp;
+ isc_boolean_t free_now = ISC_FALSE;
+
+ LOCK(&rl->lock);
+ REQUIRE(rl->refs > 0);
+ rl->refs--;
+ if (rl->refs == 0)
+ free_now = ISC_TRUE;
+ UNLOCK(&rl->lock);
+
+ if (free_now)
+ ratelimiter_free(rl);
+
+ *rlp = NULL;
+}
+
+isc_result_t
+isc_ratelimiter_stall(isc_ratelimiter_t *rl) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ LOCK(&rl->lock);
+ switch (rl->state) {
+ case isc_ratelimiter_shuttingdown:
+ result = ISC_R_SHUTTINGDOWN;
+ break;
+ case isc_ratelimiter_ratelimited:
+ result = isc_timer_reset(rl->timer, isc_timertype_inactive,
+ NULL, NULL, ISC_FALSE);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ case isc_ratelimiter_idle:
+ case isc_ratelimiter_stalled:
+ rl->state = isc_ratelimiter_stalled;
+ break;
+ }
+ UNLOCK(&rl->lock);
+ return (result);
+}
+
+isc_result_t
+isc_ratelimiter_release(isc_ratelimiter_t *rl) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ LOCK(&rl->lock);
+ switch (rl->state) {
+ case isc_ratelimiter_shuttingdown:
+ result = ISC_R_SHUTTINGDOWN;
+ break;
+ case isc_ratelimiter_stalled:
+ if (!ISC_LIST_EMPTY(rl->pending)) {
+ result = isc_timer_reset(rl->timer,
+ isc_timertype_ticker, NULL,
+ &rl->interval, ISC_FALSE);
+ if (result == ISC_R_SUCCESS)
+ rl->state = isc_ratelimiter_ratelimited;
+ } else
+ rl->state = isc_ratelimiter_idle;
+ break;
+ case isc_ratelimiter_ratelimited:
+ case isc_ratelimiter_idle:
+ break;
+ }
+ UNLOCK(&rl->lock);
+ return (result);
+}
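Review bot: `isc_ratelimiter_detach` dereferences `*rlp` and takes `rl->lock` without validating its argument, unlike `isc_ratelimiter_attach`, which starts with `REQUIRE` checks; a `REQUIRE(rlp != NULL && *rlp != NULL);` ahead of the dereference would make the two consistent (the assignment `rl = *rlp` then moves below it). `isc_ratelimiter_setpertic` stores `rl->pertic` and `ratelimiter_tick` reads it with `rl->lock` not held, although the other state fields are accessed under the lock. In `isc_ratelimiter_stall` the `isc_ratelimiter_ratelimited` case falls through into the `idle`/`stalled` cases on purpose, which deserves a `/* FALLTHROUGH */` comment.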
diff --git a/contrib/bind9/lib/isc/region.c b/contrib/bind9/lib/isc/region.c
new file mode 100644
index 0000000..92f4f02
--- /dev/null
+++ b/contrib/bind9/lib/isc/region.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: region.c,v 1.2.202.3 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/region.h>
+#include <isc/util.h>
+
+int
+isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
+ unsigned int l;
+ int result;
+
+ REQUIRE(r1 != NULL);
+ REQUIRE(r2 != NULL);
+
+ l = (r1->length < r2->length) ? r1->length : r2->length;
+
+ if ((result = memcmp(r1->base, r2->base, l)) != 0)
+ return ((result < 0) ? -1 : 1);
+ else
+ return ((r1->length == r2->length) ? 0 :
+ (r1->length < r2->length) ? -1 : 1);
+}
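Review bot: `isc_region_compare` has no comment describing its ordering or its limits. It should say that the regions are compared bytewise over the shorter length and that, on a tie, the shorter region sorts first, with a return of -1, 0 or 1. Because `memcmp` may return at the first differing byte, the comment should also note that this is an ordering primitive and not a constant-time equality check, so it is not the right tool for comparing MACs or other secret values. Both parameters could be `const isc_region_t *`, since neither region is modified, though that also needs the prototype in `isc/region.h`, which is outside this hunk.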
diff --git a/contrib/bind9/lib/isc/result.c b/contrib/bind9/lib/isc/result.c
new file mode 100644
index 0000000..5b0ddd3
--- /dev/null
+++ b/contrib/bind9/lib/isc/result.c
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.c,v 1.56.2.2.8.7 2004/06/11 00:31:01 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/lib.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/resultclass.h>
+#include <isc/util.h>
+
+typedef struct resulttable {
+ unsigned int base;
+ unsigned int last;
+ const char ** text;
+ isc_msgcat_t * msgcat;
+ int set;
+ ISC_LINK(struct resulttable) link;
+} resulttable;
+
+static const char *text[ISC_R_NRESULTS] = {
+ "success", /* 0 */
+ "out of memory", /* 1 */
+ "timed out", /* 2 */
+ "no available threads", /* 3 */
+ "address not available", /* 4 */
+ "address in use", /* 5 */
+ "permission denied", /* 6 */
+ "no pending connections", /* 7 */
+ "network unreachable", /* 8 */
+ "host unreachable", /* 9 */
+ "network down", /* 10 */
+ "host down", /* 11 */
+ "connection refused", /* 12 */
+ "not enough free resources", /* 13 */
+ "end of file", /* 14 */
+ "socket already bound", /* 15 */
+ "reload", /* 16 */
+ "lock busy", /* 17 */
+ "already exists", /* 18 */
+ "ran out of space", /* 19 */
+ "operation canceled", /* 20 */
+ "socket is not bound", /* 21 */
+ "shutting down", /* 22 */
+ "not found", /* 23 */
+ "unexpected end of input", /* 24 */
+ "failure", /* 25 */
+ "I/O error", /* 26 */
+ "not implemented", /* 27 */
+ "unbalanced parentheses", /* 28 */
+ "no more", /* 29 */
+ "invalid file", /* 30 */
+ "bad base64 encoding", /* 31 */
+ "unexpected token", /* 32 */
+ "quota reached", /* 33 */
+ "unexpected error", /* 34 */
+ "already running", /* 35 */
+ "ignore", /* 36 */
+ "address mask not contiguous", /* 37 */
+ "file not found", /* 38 */
+ "file already exists", /* 39 */
+ "socket is not connected", /* 40 */
+ "out of range", /* 41 */
+ "out of entropy", /* 42 */
+ "invalid use of multicast address", /* 43 */
+ "not a file", /* 44 */
+ "not a directory", /* 45 */
+ "queue is full", /* 46 */
+ "address family mismatch", /* 47 */
+ "address family not supported", /* 48 */
+ "bad hex encoding", /* 49 */
+ "too many open files", /* 50 */
+ "not blocking", /* 51 */
+ "unbalanced quotes", /* 52 */
+ "operation in progress", /* 53 */
+ "connection reset", /* 54 */
+ "soft quota reached", /* 55 */
+ "not a valid number", /* 56 */
+ "disabled", /* 57 */
+ "max size", /* 58 */
+ "invalid address format" /* 59 */
+};
+
+#define ISC_RESULT_RESULTSET 2
+#define ISC_RESULT_UNAVAILABLESET 3
+
+static isc_once_t once = ISC_ONCE_INIT;
+static ISC_LIST(resulttable) tables;
+static isc_mutex_t lock;
+
+static isc_result_t
+register_table(unsigned int base, unsigned int nresults, const char **text,
+ isc_msgcat_t *msgcat, int set)
+{
+ resulttable *table;
+
+ REQUIRE(base % ISC_RESULTCLASS_SIZE == 0);
+ REQUIRE(nresults <= ISC_RESULTCLASS_SIZE);
+ REQUIRE(text != NULL);
+
+ /*
+ * We use malloc() here because we we want to be able to use
+ * isc_result_totext() even if there is no memory context.
+ */
+ table = malloc(sizeof(*table));
+ if (table == NULL)
+ return (ISC_R_NOMEMORY);
+ table->base = base;
+ table->last = base + nresults - 1;
+ table->text = text;
+ table->msgcat = msgcat;
+ table->set = set;
+ ISC_LINK_INIT(table, link);
+
+ LOCK(&lock);
+
+ ISC_LIST_APPEND(tables, table, link);
+
+ UNLOCK(&lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+initialize_action(void) {
+ isc_result_t result;
+
+ RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
+ ISC_LIST_INIT(tables);
+
+ result = register_table(ISC_RESULTCLASS_ISC, ISC_R_NRESULTS, text,
+ isc_msgcat, ISC_RESULT_RESULTSET);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "register_table() %s: %u",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ result);
+}
+
+static void
+initialize(void) {
+ isc_lib_initmsgcat();
+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+isc_result_totext(isc_result_t result) {
+ resulttable *table;
+ const char *text, *default_text;
+ int index;
+
+ initialize();
+
+ LOCK(&lock);
+
+ text = NULL;
+ for (table = ISC_LIST_HEAD(tables);
+ table != NULL;
+ table = ISC_LIST_NEXT(table, link)) {
+ if (result >= table->base && result <= table->last) {
+ index = (int)(result - table->base);
+ default_text = table->text[index];
+ /*
+ * Note: we use 'index + 1' as the message number
+ * instead of index because isc_msgcat_get() requires
+ * the message number to be > 0.
+ */
+ text = isc_msgcat_get(table->msgcat, table->set,
+ index + 1, default_text);
+ break;
+ }
+ }
+ if (text == NULL)
+ text = isc_msgcat_get(isc_msgcat, ISC_RESULT_UNAVAILABLESET,
+ 1, "(result code text not available)");
+
+ UNLOCK(&lock);
+
+ return (text);
+}
+
+isc_result_t
+isc_result_register(unsigned int base, unsigned int nresults,
+ const char **text, isc_msgcat_t *msgcat, int set)
+{
+ initialize();
+
+ return (register_table(base, nresults, text, msgcat, set));
+}
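Review bot: `register_table` accepts `nresults == 0`, and `table->last = base + nresults - 1;` then wraps: with `base == 0` the table claims every result code up to `UINT_MAX`, and `isc_result_totext` would index `table->text[index]` far past the caller's array. Tightening the precondition to `REQUIRE(nresults > 0 && nresults <= ISC_RESULTCLASS_SIZE);` rules this out for callers of the public `isc_result_register`. Nothing checks that a newly registered range does not overlap an existing table either, so the first matching table on the list silently wins; a comment stating that would help.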
diff --git a/contrib/bind9/lib/isc/rwlock.c b/contrib/bind9/lib/isc/rwlock.c
new file mode 100644
index 0000000..63f0c68
--- /dev/null
+++ b/contrib/bind9/lib/isc/rwlock.c
@@ -0,0 +1,417 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rwlock.c,v 1.33.2.4.2.1 2004/03/06 08:14:35 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/magic.h>
+#include <isc/msgs.h>
+#include <isc/platform.h>
+#include <isc/rwlock.h>
+#include <isc/util.h>
+
+#define RWLOCK_MAGIC ISC_MAGIC('R', 'W', 'L', 'k')
+#define VALID_RWLOCK(rwl) ISC_MAGIC_VALID(rwl, RWLOCK_MAGIC)
+
+#ifdef ISC_PLATFORM_USETHREADS
+
+#ifndef RWLOCK_DEFAULT_READ_QUOTA
+#define RWLOCK_DEFAULT_READ_QUOTA 4
+#endif
+
+#ifndef RWLOCK_DEFAULT_WRITE_QUOTA
+#define RWLOCK_DEFAULT_WRITE_QUOTA 4
+#endif
+
+#ifdef ISC_RWLOCK_TRACE
+#include <stdio.h> /* Required for fprintf/stderr. */
+#include <isc/thread.h> /* Requried for isc_thread_self(). */
+
+static void
+print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ fprintf(stderr,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_PRINTLOCK,
+ "rwlock %p thread %lu %s(%s): %s, %u active, "
+ "%u granted, %u rwaiting, %u wwaiting\n"),
+ rwl, isc_thread_self(), operation,
+ (type == isc_rwlocktype_read ?
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_READ, "read") :
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_WRITE, "write")),
+ (rwl->type == isc_rwlocktype_read ?
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_READING, "reading") :
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_WRITING, "writing")),
+ rwl->active, rwl->granted, rwl->readers_waiting,
+ rwl->writers_waiting);
+}
+#endif
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+ unsigned int write_quota)
+{
+ isc_result_t result;
+
+ REQUIRE(rwl != NULL);
+
+ /*
+ * In case there's trouble initializing, we zero magic now. If all
+ * goes well, we'll set it to RWLOCK_MAGIC.
+ */
+ rwl->magic = 0;
+
+ rwl->type = isc_rwlocktype_read;
+ rwl->original = isc_rwlocktype_none;
+ rwl->active = 0;
+ rwl->granted = 0;
+ rwl->readers_waiting = 0;
+ rwl->writers_waiting = 0;
+ if (read_quota == 0)
+ read_quota = RWLOCK_DEFAULT_READ_QUOTA;
+ rwl->read_quota = read_quota;
+ if (write_quota == 0)
+ write_quota = RWLOCK_DEFAULT_WRITE_QUOTA;
+ rwl->write_quota = write_quota;
+ result = isc_mutex_init(&rwl->lock);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s: %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ result = isc_condition_init(&rwl->readable);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init(readable) %s: %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+ result = isc_condition_init(&rwl->writeable);
+ if (result != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init(writeable) %s: %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ isc_result_totext(result));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ rwl->magic = RWLOCK_MAGIC;
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
+ isc_boolean_t skip = ISC_FALSE;
+ isc_boolean_t done = ISC_FALSE;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(VALID_RWLOCK(rwl));
+
+ LOCK(&rwl->lock);
+
+#ifdef ISC_RWLOCK_TRACE
+ print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_PRELOCK, "prelock"), rwl, type);
+#endif
+
+ if (type == isc_rwlocktype_read) {
+ if (rwl->readers_waiting != 0)
+ skip = ISC_TRUE;
+ while (!done) {
+ if (!skip &&
+ ((rwl->active == 0 ||
+ (rwl->type == isc_rwlocktype_read &&
+ (rwl->writers_waiting == 0 ||
+ rwl->granted < rwl->read_quota)))))
+ {
+ rwl->type = isc_rwlocktype_read;
+ rwl->active++;
+ rwl->granted++;
+ done = ISC_TRUE;
+ } else if (nonblock) {
+ result = ISC_R_LOCKBUSY;
+ done = ISC_TRUE;
+ } else {
+ skip = ISC_FALSE;
+ rwl->readers_waiting++;
+ WAIT(&rwl->readable, &rwl->lock);
+ rwl->readers_waiting--;
+ }
+ }
+ } else {
+ if (rwl->writers_waiting != 0)
+ skip = ISC_TRUE;
+ while (!done) {
+ if (!skip && rwl->active == 0) {
+ rwl->type = isc_rwlocktype_write;
+ rwl->active = 1;
+ rwl->granted++;
+ done = ISC_TRUE;
+ } else if (nonblock) {
+ result = ISC_R_LOCKBUSY;
+ done = ISC_TRUE;
+ } else {
+ skip = ISC_FALSE;
+ rwl->writers_waiting++;
+ WAIT(&rwl->writeable, &rwl->lock);
+ rwl->writers_waiting--;
+ }
+ }
+ }
+
+#ifdef ISC_RWLOCK_TRACE
+ print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_POSTLOCK, "postlock"), rwl, type);
+#endif
+
+ UNLOCK(&rwl->lock);
+
+ return (result);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ return (doit(rwl, type, ISC_FALSE));
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ return (doit(rwl, type, ISC_TRUE));
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(VALID_RWLOCK(rwl));
+ LOCK(&rwl->lock);
+ REQUIRE(rwl->type == isc_rwlocktype_read);
+ REQUIRE(rwl->active != 0);
+
+ /* If we are the only reader then succeed. */
+ if (rwl->active == 1) {
+ rwl->original = (rwl->original == isc_rwlocktype_none) ?
+ isc_rwlocktype_read : isc_rwlocktype_none;
+ rwl->type = isc_rwlocktype_write;
+ } else
+ result = ISC_R_LOCKBUSY;
+
+ UNLOCK(&rwl->lock);
+ return (result);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+
+ REQUIRE(VALID_RWLOCK(rwl));
+ LOCK(&rwl->lock);
+ REQUIRE(rwl->type == isc_rwlocktype_write);
+ REQUIRE(rwl->active == 1);
+
+ rwl->type = isc_rwlocktype_read;
+ rwl->original = (rwl->original == isc_rwlocktype_none) ?
+ isc_rwlocktype_write : isc_rwlocktype_none;
+ /*
+ * Resume processing any read request that were blocked when
+ * we upgraded.
+ */
+ if (rwl->original == isc_rwlocktype_none &&
+ (rwl->writers_waiting == 0 || rwl->granted < rwl->read_quota) &&
+ rwl->readers_waiting > 0)
+ BROADCAST(&rwl->readable);
+
+ UNLOCK(&rwl->lock);
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+
+ REQUIRE(VALID_RWLOCK(rwl));
+ LOCK(&rwl->lock);
+ REQUIRE(rwl->type == type);
+
+ UNUSED(type);
+
+#ifdef ISC_RWLOCK_TRACE
+ print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_PREUNLOCK, "preunlock"), rwl, type);
+#endif
+
+ INSIST(rwl->active > 0);
+ rwl->active--;
+ if (rwl->active == 0) {
+ if (rwl->original != isc_rwlocktype_none) {
+ rwl->type = rwl->original;
+ rwl->original = isc_rwlocktype_none;
+ }
+ if (rwl->type == isc_rwlocktype_read) {
+ rwl->granted = 0;
+ if (rwl->writers_waiting > 0) {
+ rwl->type = isc_rwlocktype_write;
+ SIGNAL(&rwl->writeable);
+ } else if (rwl->readers_waiting > 0) {
+ /* Does this case ever happen? */
+ BROADCAST(&rwl->readable);
+ }
+ } else {
+ if (rwl->readers_waiting > 0) {
+ if (rwl->writers_waiting > 0 &&
+ rwl->granted < rwl->write_quota) {
+ SIGNAL(&rwl->writeable);
+ } else {
+ rwl->granted = 0;
+ rwl->type = isc_rwlocktype_read;
+ BROADCAST(&rwl->readable);
+ }
+ } else if (rwl->writers_waiting > 0) {
+ rwl->granted = 0;
+ SIGNAL(&rwl->writeable);
+ } else {
+ rwl->granted = 0;
+ }
+ }
+ }
+ INSIST(rwl->original == isc_rwlocktype_none);
+
+#ifdef ISC_RWLOCK_TRACE
+ print_lock(isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
+ ISC_MSG_POSTUNLOCK, "postunlock"),
+ rwl, type);
+#endif
+
+ UNLOCK(&rwl->lock);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+ REQUIRE(VALID_RWLOCK(rwl));
+
+ LOCK(&rwl->lock);
+ REQUIRE(rwl->active == 0 &&
+ rwl->readers_waiting == 0 &&
+ rwl->writers_waiting == 0);
+ UNLOCK(&rwl->lock);
+
+ rwl->magic = 0;
+ (void)isc_condition_destroy(&rwl->readable);
+ (void)isc_condition_destroy(&rwl->writeable);
+ DESTROYLOCK(&rwl->lock);
+}
+
+#else /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
+ unsigned int write_quota)
+{
+ REQUIRE(rwl != NULL);
+
+ UNUSED(read_quota);
+ UNUSED(write_quota);
+
+ rwl->type = isc_rwlocktype_read;
+ rwl->active = 0;
+ rwl->magic = RWLOCK_MAGIC;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ REQUIRE(VALID_RWLOCK(rwl));
+
+ if (type == isc_rwlocktype_read) {
+ if (rwl->type != isc_rwlocktype_read && rwl->active != 0)
+ return (ISC_R_LOCKBUSY);
+ rwl->type = isc_rwlocktype_read;
+ rwl->active++;
+ } else {
+ if (rwl->active != 0)
+ return (ISC_R_LOCKBUSY);
+ rwl->type = isc_rwlocktype_write;
+ rwl->active = 1;
+ }
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ return (isc_rwlock_lock(rwl, type));
+}
+
+isc_result_t
+isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(VALID_RWLOCK(rwl));
+ REQUIRE(rwl->type == isc_rwlocktype_read);
+ REQUIRE(rwl->active != 0);
+
+ /* If we are the only reader then succeed. */
+ if (rwl->active == 1)
+ rwl->type = isc_rwlocktype_write;
+ else
+ result = ISC_R_LOCKBUSY;
+ return (result);
+}
+
+void
+isc_rwlock_downgrade(isc_rwlock_t *rwl) {
+
+ REQUIRE(VALID_RWLOCK(rwl));
+ REQUIRE(rwl->type == isc_rwlocktype_write);
+ REQUIRE(rwl->active == 1);
+
+ rwl->type = isc_rwlocktype_read;
+}
+
+isc_result_t
+isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
+ REQUIRE(VALID_RWLOCK(rwl));
+ REQUIRE(rwl->type == type);
+
+ UNUSED(type);
+
+ INSIST(rwl->active > 0);
+ rwl->active--;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_rwlock_destroy(isc_rwlock_t *rwl) {
+ REQUIRE(rwl != NULL);
+ REQUIRE(rwl->active == 0);
+ rwl->magic = 0;
+}
+
+#endif /* ISC_PLATFORM_USETHREADS */
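Review bot: The threaded isc_rwlock_init() returns ISC_R_UNEXPECTED when either isc_condition_init() call fails without destroying what it has already set up, so a failed init leaks the mutex and, on the second failure, the `readable` condition as well. Each error path should unwind the earlier steps: add `DESTROYLOCK(&rwl->lock);` before the return in the `readable` failure branch, and `(void)isc_condition_destroy(&rwl->readable);` followed by `DESTROYLOCK(&rwl->lock);` before the return in the `writeable` failure branch. These are the same calls isc_rwlock_destroy() already uses, so nothing new is needed. Because `magic` stays 0 on these paths, a caller cannot hand the half-built lock to isc_rwlock_destroy() to clean up afterwards.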
diff --git a/contrib/bind9/lib/isc/serial.c b/contrib/bind9/lib/isc/serial.c
new file mode 100644
index 0000000..4fe0ee5
--- /dev/null
+++ b/contrib/bind9/lib/isc/serial.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: serial.c,v 1.7.206.1 2004/03/06 08:14:35 marka Exp $ */
+#include <config.h>
+
+#include <isc/serial.h>
+
+isc_boolean_t
+isc_serial_lt(isc_uint32_t a, isc_uint32_t b) {
+ /*
+ * Undefined => ISC_FALSE
+ */
+ if (a == (b ^ 0x80000000U))
+ return (ISC_FALSE);
+ return (((isc_int32_t)(a - b) < 0) ? ISC_TRUE : ISC_FALSE);
+}
+
+isc_boolean_t
+isc_serial_gt(isc_uint32_t a, isc_uint32_t b) {
+ return (((isc_int32_t)(a - b) > 0) ? ISC_TRUE : ISC_FALSE);
+}
+
+isc_boolean_t
+isc_serial_le(isc_uint32_t a, isc_uint32_t b) {
+ return ((a == b) ? ISC_TRUE : isc_serial_lt(a, b));
+}
+
+isc_boolean_t
+isc_serial_ge(isc_uint32_t a, isc_uint32_t b) {
+ return ((a == b) ? ISC_TRUE : isc_serial_gt(a, b));
+}
+
+isc_boolean_t
+isc_serial_eq(isc_uint32_t a, isc_uint32_t b) {
+ return ((a == b) ? ISC_TRUE : ISC_FALSE);
+}
+
+isc_boolean_t
+isc_serial_ne(isc_uint32_t a, isc_uint32_t b) {
+ return ((a != b) ? ISC_TRUE : ISC_FALSE);
+}
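Review bot: isc_serial_gt() has no comment explaining why it omits the `a == (b ^ 0x80000000U)` guard that isc_serial_lt() carries, so the asymmetry reads like an oversight. It is not one: when the two serials are exactly 2^31 apart, `(isc_int32_t)(a - b)` is the most negative value, so the `> 0` test already returns ISC_FALSE, while the `< 0` test in isc_serial_lt() would return ISC_TRUE without the guard. I would add `/* Undefined (a and b 2^31 apart) => ISC_FALSE: (isc_int32_t)(a - b) is negative here. */` above the return in isc_serial_gt(). The comment in isc_serial_lt() could also say that both functions depend on the unsigned-to-signed conversion wrapping, which C leaves implementation-defined.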
diff --git a/contrib/bind9/lib/isc/sha1.c b/contrib/bind9/lib/isc/sha1.c
new file mode 100644
index 0000000..0549e88
--- /dev/null
+++ b/contrib/bind9/lib/isc/sha1.c
@@ -0,0 +1,309 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sha1.c,v 1.10.2.2.2.3 2004/03/06 08:14:35 marka Exp $ */
+
+/* $NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $ */
+/* $OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $ */
+
+/*
+ * SHA-1 in C
+ * By Steve Reid <steve@edmweb.com>
+ * 100% Public Domain
+ *
+ * Test Vectors (from FIPS PUB 180-1)
+ * "abc"
+ * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+ * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+ * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+ * A million repetitions of "a"
+ * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+ */
+
+#include "config.h"
+
+#include <isc/assertions.h>
+#include <isc/sha1.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+
+/*
+ * blk0() and blk() perform the initial expand.
+ * I got the idea of expanding during the round function from SSLeay
+ */
+#if !defined(WORDS_BIGENDIAN)
+# define blk0(i) \
+ (block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) \
+ | (rol(block->l[i], 8) & 0x00FF00FF))
+#else
+# define blk0(i) block->l[i]
+#endif
+#define blk(i) \
+ (block->l[i & 15] = rol(block->l[(i + 13) & 15] \
+ ^ block->l[(i + 8) & 15] \
+ ^ block->l[(i + 2) & 15] \
+ ^ block->l[i & 15], 1))
+
+/*
+ * (R0+R1), R2, R3, R4 are the different operations (rounds) used in SHA1
+ */
+#define R0(v,w,x,y,z,i) \
+ z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
+ w = rol(w, 30);
+#define R1(v,w,x,y,z,i) \
+ z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
+ w = rol(w, 30);
+#define R2(v,w,x,y,z,i) \
+ z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
+ w = rol(w, 30);
+#define R3(v,w,x,y,z,i) \
+ z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + rol(v, 5); \
+ w = rol(w, 30);
+#define R4(v,w,x,y,z,i) \
+ z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
+ w = rol(w, 30);
+
+typedef union {
+ unsigned char c[64];
+ unsigned int l[16];
+} CHAR64LONG16;
+
+#ifdef __sparc_v9__
+static void do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
+ isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
+static void do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
+ isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
+static void do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
+ isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
+static void do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c,
+ isc_uint32_t *d, isc_uint32_t *e, CHAR64LONG16 *);
+
+#define nR0(v,w,x,y,z,i) R0(*v,*w,*x,*y,*z,i)
+#define nR1(v,w,x,y,z,i) R1(*v,*w,*x,*y,*z,i)
+#define nR2(v,w,x,y,z,i) R2(*v,*w,*x,*y,*z,i)
+#define nR3(v,w,x,y,z,i) R3(*v,*w,*x,*y,*z,i)
+#define nR4(v,w,x,y,z,i) R4(*v,*w,*x,*y,*z,i)
+
+static void
+do_R01(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
+ isc_uint32_t *e, CHAR64LONG16 *block)
+{
+ nR0(a,b,c,d,e, 0); nR0(e,a,b,c,d, 1); nR0(d,e,a,b,c, 2);
+ nR0(c,d,e,a,b, 3); nR0(b,c,d,e,a, 4); nR0(a,b,c,d,e, 5);
+ nR0(e,a,b,c,d, 6); nR0(d,e,a,b,c, 7); nR0(c,d,e,a,b, 8);
+ nR0(b,c,d,e,a, 9); nR0(a,b,c,d,e,10); nR0(e,a,b,c,d,11);
+ nR0(d,e,a,b,c,12); nR0(c,d,e,a,b,13); nR0(b,c,d,e,a,14);
+ nR0(a,b,c,d,e,15); nR1(e,a,b,c,d,16); nR1(d,e,a,b,c,17);
+ nR1(c,d,e,a,b,18); nR1(b,c,d,e,a,19);
+}
+
+static void
+do_R2(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
+ isc_uint32_t *e, CHAR64LONG16 *block)
+{
+ nR2(a,b,c,d,e,20); nR2(e,a,b,c,d,21); nR2(d,e,a,b,c,22);
+ nR2(c,d,e,a,b,23); nR2(b,c,d,e,a,24); nR2(a,b,c,d,e,25);
+ nR2(e,a,b,c,d,26); nR2(d,e,a,b,c,27); nR2(c,d,e,a,b,28);
+ nR2(b,c,d,e,a,29); nR2(a,b,c,d,e,30); nR2(e,a,b,c,d,31);
+ nR2(d,e,a,b,c,32); nR2(c,d,e,a,b,33); nR2(b,c,d,e,a,34);
+ nR2(a,b,c,d,e,35); nR2(e,a,b,c,d,36); nR2(d,e,a,b,c,37);
+ nR2(c,d,e,a,b,38); nR2(b,c,d,e,a,39);
+}
+
+static void
+do_R3(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
+ isc_uint32_t *e, CHAR64LONG16 *block)
+{
+ nR3(a,b,c,d,e,40); nR3(e,a,b,c,d,41); nR3(d,e,a,b,c,42);
+ nR3(c,d,e,a,b,43); nR3(b,c,d,e,a,44); nR3(a,b,c,d,e,45);
+ nR3(e,a,b,c,d,46); nR3(d,e,a,b,c,47); nR3(c,d,e,a,b,48);
+ nR3(b,c,d,e,a,49); nR3(a,b,c,d,e,50); nR3(e,a,b,c,d,51);
+ nR3(d,e,a,b,c,52); nR3(c,d,e,a,b,53); nR3(b,c,d,e,a,54);
+ nR3(a,b,c,d,e,55); nR3(e,a,b,c,d,56); nR3(d,e,a,b,c,57);
+ nR3(c,d,e,a,b,58); nR3(b,c,d,e,a,59);
+}
+
+static void
+do_R4(isc_uint32_t *a, isc_uint32_t *b, isc_uint32_t *c, isc_uint32_t *d,
+ isc_uint32_t *e, CHAR64LONG16 *block)
+{
+ nR4(a,b,c,d,e,60); nR4(e,a,b,c,d,61); nR4(d,e,a,b,c,62);
+ nR4(c,d,e,a,b,63); nR4(b,c,d,e,a,64); nR4(a,b,c,d,e,65);
+ nR4(e,a,b,c,d,66); nR4(d,e,a,b,c,67); nR4(c,d,e,a,b,68);
+ nR4(b,c,d,e,a,69); nR4(a,b,c,d,e,70); nR4(e,a,b,c,d,71);
+ nR4(d,e,a,b,c,72); nR4(c,d,e,a,b,73); nR4(b,c,d,e,a,74);
+ nR4(a,b,c,d,e,75); nR4(e,a,b,c,d,76); nR4(d,e,a,b,c,77);
+ nR4(c,d,e,a,b,78); nR4(b,c,d,e,a,79);
+}
+#endif
+
+/*
+ * Hash a single 512-bit block. This is the core of the algorithm.
+ */
+static void
+transform(isc_uint32_t state[5], const unsigned char buffer[64]) {
+ isc_uint32_t a, b, c, d, e;
+ CHAR64LONG16 *block;
+ CHAR64LONG16 workspace;
+
+ INSIST(buffer != NULL);
+ INSIST(state != NULL);
+
+ block = &workspace;
+ (void)memcpy(block, buffer, 64);
+
+ /* Copy context->state[] to working vars */
+ a = state[0];
+ b = state[1];
+ c = state[2];
+ d = state[3];
+ e = state[4];
+
+#ifdef __sparc_v9__
+ do_R01(&a, &b, &c, &d, &e, block);
+ do_R2(&a, &b, &c, &d, &e, block);
+ do_R3(&a, &b, &c, &d, &e, block);
+ do_R4(&a, &b, &c, &d, &e, block);
+#else
+ /* 4 rounds of 20 operations each. Loop unrolled. */
+ R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+ R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+ R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+ R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+ R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+ R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+ R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+ R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+ R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+ R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+ R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+ R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+ R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+ R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+ R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+ R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+ R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+ R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+ R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+ R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+#endif
+
+ /* Add the working vars back into context.state[] */
+ state[0] += a;
+ state[1] += b;
+ state[2] += c;
+ state[3] += d;
+ state[4] += e;
+
+ /* Wipe variables */
+ a = b = c = d = e = 0;
+}
+
+
+/*
+ * isc_sha1_init - Initialize new context
+ */
+void
+isc_sha1_init(isc_sha1_t *context)
+{
+ INSIST(context != NULL);
+
+ /* SHA1 initialization constants */
+ context->state[0] = 0x67452301;
+ context->state[1] = 0xEFCDAB89;
+ context->state[2] = 0x98BADCFE;
+ context->state[3] = 0x10325476;
+ context->state[4] = 0xC3D2E1F0;
+ context->count[0] = 0;
+ context->count[1] = 0;
+}
+
+void
+isc_sha1_invalidate(isc_sha1_t *context) {
+ memset(context, 0, sizeof(isc_sha1_t));
+}
+
+/*
+ * Run your data through this.
+ */
+void
+isc_sha1_update(isc_sha1_t *context, const unsigned char *data,
+ unsigned int len)
+{
+ unsigned int i, j;
+
+ INSIST(context != 0);
+ INSIST(data != 0);
+
+ j = context->count[0];
+ if ((context->count[0] += len << 3) < j)
+ context->count[1] += (len >> 29) + 1;
+ j = (j >> 3) & 63;
+ if ((j + len) > 63) {
+ (void)memcpy(&context->buffer[j], data, (i = 64 - j));
+ transform(context->state, context->buffer);
+ for (; i + 63 < len; i += 64)
+ transform(context->state, &data[i]);
+ j = 0;
+ } else {
+ i = 0;
+ }
+
+ (void)memcpy(&context->buffer[j], &data[i], len - i);
+}
+
+
+/*
+ * Add padding and return the message digest.
+ */
+
+static const unsigned char final_200 = 128;
+static const unsigned char final_0 = 0;
+
+void
+isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
+ unsigned int i;
+ unsigned char finalcount[8];
+
+ INSIST(digest != 0);
+ INSIST(context != 0);
+
+ for (i = 0; i < 8; i++) {
+ /* Endian independent */
+ finalcount[i] = (unsigned char)
+ ((context->count[(i >= 4 ? 0 : 1)]
+ >> ((3 - (i & 3)) * 8)) & 255);
+ }
+
+ isc_sha1_update(context, &final_200, 1);
+ while ((context->count[0] & 504) != 448)
+ isc_sha1_update(context, &final_0, 1);
+ /* The next Update should cause a transform() */
+ isc_sha1_update(context, finalcount, 8);
+
+ if (digest) {
+ for (i = 0; i < 20; i++)
+ digest[i] = (unsigned char)
+ ((context->state[i >> 2]
+ >> ((3 - (i & 3)) * 8)) & 255);
+ }
+
+ memset(context, 0, sizeof(isc_sha1_t));
+}
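Review bot: The "Wipe variables" step at the end of transform(), `a = b = c = d = e = 0;`, stores to locals that are never read again, so an optimising compiler is free to drop it. It also never touches `workspace`, which still holds a copy of the 64-byte input block overwritten with the expanded message schedule. If this hash is ever fed key material, that secret-derived data stays on the stack after the call returns. I would clear `workspace` too, using a wipe the compiler cannot elide, for example a short loop writing zeros through a `volatile unsigned char *` over `sizeof(workspace)`. Separately, isc_sha1_final() has `INSIST(digest != 0)` followed by `if (digest)`, so the conditional can never be false and the guard can be removed.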
diff --git a/contrib/bind9/lib/isc/sockaddr.c b/contrib/bind9/lib/isc/sockaddr.c
new file mode 100644
index 0000000..4c47e4e
--- /dev/null
+++ b/contrib/bind9/lib/isc/sockaddr.c
@@ -0,0 +1,463 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sockaddr.c,v 1.48.2.1.2.10 2004/05/15 03:46:12 jinmei Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <isc/buffer.h>
+#include <isc/hash.h>
+#include <isc/msgs.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/sockaddr.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+isc_boolean_t
+isc_sockaddr_equal(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+ REQUIRE(a != NULL && b != NULL);
+
+ if (a->length != b->length)
+ return (ISC_FALSE);
+
+ /*
+ * We don't just memcmp because the sin_zero field isn't always
+ * zero.
+ */
+
+ if (a->type.sa.sa_family != b->type.sa.sa_family)
+ return (ISC_FALSE);
+ switch (a->type.sa.sa_family) {
+ case AF_INET:
+ if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
+ sizeof(a->type.sin.sin_addr)) != 0)
+ return (ISC_FALSE);
+ if (a->type.sin.sin_port != b->type.sin.sin_port)
+ return (ISC_FALSE);
+ break;
+ case AF_INET6:
+ if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
+ sizeof(a->type.sin6.sin6_addr)) != 0)
+ return (ISC_FALSE);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
+ return (ISC_FALSE);
+#endif
+ if (a->type.sin6.sin6_port != b->type.sin6.sin6_port)
+ return (ISC_FALSE);
+ break;
+ default:
+ if (memcmp(&a->type, &b->type, a->length) != 0)
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+isc_sockaddr_eqaddr(const isc_sockaddr_t *a, const isc_sockaddr_t *b) {
+ REQUIRE(a != NULL && b != NULL);
+
+ if (a->length != b->length)
+ return (ISC_FALSE);
+
+ if (a->type.sa.sa_family != b->type.sa.sa_family)
+ return (ISC_FALSE);
+ switch (a->type.sa.sa_family) {
+ case AF_INET:
+ if (memcmp(&a->type.sin.sin_addr, &b->type.sin.sin_addr,
+ sizeof(a->type.sin.sin_addr)) != 0)
+ return (ISC_FALSE);
+ break;
+ case AF_INET6:
+ if (memcmp(&a->type.sin6.sin6_addr, &b->type.sin6.sin6_addr,
+ sizeof(a->type.sin6.sin6_addr)) != 0)
+ return (ISC_FALSE);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ if (a->type.sin6.sin6_scope_id != b->type.sin6.sin6_scope_id)
+ return (ISC_FALSE);
+#endif
+ break;
+ default:
+ if (memcmp(&a->type, &b->type, a->length) != 0)
+ return (ISC_FALSE);
+ }
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
+ unsigned int prefixlen)
+{
+ isc_netaddr_t na, nb;
+ isc_netaddr_fromsockaddr(&na, a);
+ isc_netaddr_fromsockaddr(&nb, b);
+ return (isc_netaddr_eqprefix(&na, &nb, prefixlen));
+}
+
+isc_result_t
+isc_sockaddr_totext(const isc_sockaddr_t *sockaddr, isc_buffer_t *target) {
+ isc_result_t result;
+ isc_netaddr_t netaddr;
+ char pbuf[sizeof("65000")];
+ unsigned int plen;
+ isc_region_t avail;
+
+ REQUIRE(sockaddr != NULL);
+
+ /*
+ * Do the port first, giving us the opportunity to check for
+ * unsupported address families before calling
+ * isc_netaddr_fromsockaddr().
+ */
+ switch (sockaddr->type.sa.sa_family) {
+ case AF_INET:
+ snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin.sin_port));
+ break;
+ case AF_INET6:
+ snprintf(pbuf, sizeof(pbuf), "%u", ntohs(sockaddr->type.sin6.sin6_port));
+ break;
+ default:
+ return (ISC_R_FAILURE);
+ }
+
+ plen = strlen(pbuf);
+ INSIST(plen < sizeof(pbuf));
+
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+ result = isc_netaddr_totext(&netaddr, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (1 + plen + 1 > isc_buffer_availablelength(target))
+ return (ISC_R_NOSPACE);
+
+ isc_buffer_putmem(target, (const unsigned char *)"#", 1);
+ isc_buffer_putmem(target, (const unsigned char *)pbuf, plen);
+
+ /*
+ * Null terminate after used region.
+ */
+ isc_buffer_availableregion(target, &avail);
+ INSIST(avail.length >= 1);
+ avail.base[0] = '\0';
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_sockaddr_format(const isc_sockaddr_t *sa, char *array, unsigned int size) {
+ isc_result_t result;
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, array, size);
+ result = isc_sockaddr_totext(sa, &buf);
+ if (result != ISC_R_SUCCESS) {
+ /*
+ * The message is the same as in netaddr.c.
+ */
+ snprintf(array, size,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_NETADDR,
+ ISC_MSG_UNKNOWNADDR,
+ "<unknown address, family %u>"),
+ sa->type.sa.sa_family);
+ array[size - 1] = '\0';
+ }
+}
+
+unsigned int
+isc_sockaddr_hash(const isc_sockaddr_t *sockaddr, isc_boolean_t address_only) {
+ unsigned int length = 0;
+ const unsigned char *s = NULL;
+ unsigned int h = 0;
+ unsigned int g;
+ unsigned int p = 0;
+ const struct in6_addr *in6;
+
+ REQUIRE(sockaddr != NULL);
+
+ switch (sockaddr->type.sa.sa_family) {
+ case AF_INET:
+ s = (const unsigned char *)&sockaddr->type.sin.sin_addr;
+ p = ntohs(sockaddr->type.sin.sin_port);
+ length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+ break;
+ case AF_INET6:
+ in6 = &sockaddr->type.sin6.sin6_addr;
+ if (IN6_IS_ADDR_V4MAPPED(in6)) {
+ s = (const unsigned char *)&in6[12];
+ length = sizeof(sockaddr->type.sin.sin_addr.s_addr);
+ } else {
+ s = (const unsigned char *)in6;
+ length = sizeof(sockaddr->type.sin6.sin6_addr);
+ }
+ p = ntohs(sockaddr->type.sin6.sin6_port);
+ break;
+ default:
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_SOCKADDR,
+ ISC_MSG_UNKNOWNFAMILY,
+ "unknown address family: %d"),
+ (int)sockaddr->type.sa.sa_family);
+ s = (const unsigned char *)&sockaddr->type;
+ length = sockaddr->length;
+ p = 0;
+ }
+
+ h = isc_hash_calc(s, length, ISC_TRUE);
+ if (!address_only) {
+ g = isc_hash_calc((const unsigned char *)&p, sizeof(p),
+ ISC_TRUE);
+ h = h ^ g; /* XXX: we should concatenate h and p first */
+ }
+
+ return (h);
+}
+
+void
+isc_sockaddr_any(isc_sockaddr_t *sockaddr)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin.sin_family = AF_INET;
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+ sockaddr->type.sin.sin_addr.s_addr = INADDR_ANY;
+ sockaddr->type.sin.sin_port = 0;
+ sockaddr->length = sizeof(sockaddr->type.sin);
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_any6(isc_sockaddr_t *sockaddr)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+ sockaddr->type.sin6.sin6_addr = in6addr_any;
+ sockaddr->type.sin6.sin6_port = 0;
+ sockaddr->length = sizeof(sockaddr->type.sin6);
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+ in_port_t port)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin.sin_family = AF_INET;
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+ sockaddr->type.sin.sin_addr = *ina;
+ sockaddr->type.sin.sin_port = htons(port);
+ sockaddr->length = sizeof(sockaddr->type.sin);
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_anyofpf(isc_sockaddr_t *sockaddr, int pf) {
+ switch (pf) {
+ case AF_INET:
+ isc_sockaddr_any(sockaddr);
+ break;
+ case AF_INET6:
+ isc_sockaddr_any6(sockaddr);
+ break;
+ default:
+ INSIST(0);
+ }
+}
+
+void
+isc_sockaddr_fromin6(isc_sockaddr_t *sockaddr, const struct in6_addr *ina6,
+ in_port_t port)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+ sockaddr->type.sin6.sin6_addr = *ina6;
+ sockaddr->type.sin6.sin6_port = htons(port);
+ sockaddr->length = sizeof(sockaddr->type.sin6);
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_v6fromin(isc_sockaddr_t *sockaddr, const struct in_addr *ina,
+ in_port_t port)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin6.sin6_family = AF_INET6;
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+ sockaddr->type.sin6.sin6_addr.s6_addr[10] = 0xff;
+ sockaddr->type.sin6.sin6_addr.s6_addr[11] = 0xff;
+ memcpy(&sockaddr->type.sin6.sin6_addr.s6_addr[12], ina, 4);
+ sockaddr->type.sin6.sin6_port = htons(port);
+ sockaddr->length = sizeof(sockaddr->type.sin6);
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+int
+isc_sockaddr_pf(const isc_sockaddr_t *sockaddr) {
+
+ /*
+ * Get the protocol family of 'sockaddr'.
+ */
+
+#if (AF_INET == PF_INET && AF_INET6 == PF_INET6)
+ /*
+ * Assume that PF_xxx == AF_xxx for all AF and PF.
+ */
+ return (sockaddr->type.sa.sa_family);
+#else
+ switch (sockaddr->type.sa.sa_family) {
+ case AF_INET:
+ return (PF_INET);
+ case AF_INET6:
+ return (PF_INET6);
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+ ISC_MSG_UNKNOWNFAMILY,
+ "unknown address family: %d"),
+ (int)sockaddr->type.sa.sa_family);
+ }
+#endif
+}
+
+void
+isc_sockaddr_fromnetaddr(isc_sockaddr_t *sockaddr, const isc_netaddr_t *na,
+ in_port_t port)
+{
+ memset(sockaddr, 0, sizeof(*sockaddr));
+ sockaddr->type.sin.sin_family = na->family;
+ switch (na->family) {
+ case AF_INET:
+ sockaddr->length = sizeof(sockaddr->type.sin);
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin.sin_len = sizeof(sockaddr->type.sin);
+#endif
+ sockaddr->type.sin.sin_addr = na->type.in;
+ sockaddr->type.sin.sin_port = htons(port);
+ break;
+ case AF_INET6:
+ sockaddr->length = sizeof(sockaddr->type.sin6);
+#ifdef ISC_PLATFORM_HAVESALEN
+ sockaddr->type.sin6.sin6_len = sizeof(sockaddr->type.sin6);
+#endif
+ memcpy(&sockaddr->type.sin6.sin6_addr, &na->type.in6, 16);
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ sockaddr->type.sin6.sin6_scope_id = isc_netaddr_getzone(na);
+#endif
+ sockaddr->type.sin6.sin6_port = htons(port);
+ break;
+ default:
+ INSIST(0);
+ }
+ ISC_LINK_INIT(sockaddr, link);
+}
+
+void
+isc_sockaddr_setport(isc_sockaddr_t *sockaddr, in_port_t port) {
+ switch (sockaddr->type.sa.sa_family) {
+ case AF_INET:
+ sockaddr->type.sin.sin_port = htons(port);
+ break;
+ case AF_INET6:
+ sockaddr->type.sin6.sin6_port = htons(port);
+ break;
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+ ISC_MSG_UNKNOWNFAMILY,
+ "unknown address family: %d"),
+ (int)sockaddr->type.sa.sa_family);
+ }
+}
+
+in_port_t
+isc_sockaddr_getport(isc_sockaddr_t *sockaddr) {
+ in_port_t port = 0;
+
+ switch (sockaddr->type.sa.sa_family) {
+ case AF_INET:
+ port = ntohs(sockaddr->type.sin.sin_port);
+ break;
+ case AF_INET6:
+ port = ntohs(sockaddr->type.sin6.sin6_port);
+ break;
+ default:
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKADDR,
+ ISC_MSG_UNKNOWNFAMILY,
+ "unknown address family: %d"),
+ (int)sockaddr->type.sa.sa_family);
+ }
+
+ return (port);
+}
+
+isc_boolean_t
+isc_sockaddr_ismulticast(isc_sockaddr_t *sockaddr) {
+ isc_netaddr_t netaddr;
+
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+ return (isc_netaddr_ismulticast(&netaddr));
+}
+
+isc_boolean_t
+isc_sockaddr_isexperimental(isc_sockaddr_t *sockaddr) {
+ isc_netaddr_t netaddr;
+
+ if (sockaddr->type.sa.sa_family == AF_INET) {
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+ return (isc_netaddr_isexperimental(&netaddr));
+ }
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isc_sockaddr_issitelocal(isc_sockaddr_t *sockaddr) {
+ isc_netaddr_t netaddr;
+
+ if (sockaddr->type.sa.sa_family == AF_INET6) {
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+ return (isc_netaddr_issitelocal(&netaddr));
+ }
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isc_sockaddr_islinklocal(isc_sockaddr_t *sockaddr) {
+ isc_netaddr_t netaddr;
+
+ if (sockaddr->type.sa.sa_family == AF_INET6) {
+ isc_netaddr_fromsockaddr(&netaddr, sockaddr);
+ return (isc_netaddr_islinklocal(&netaddr));
+ }
+ return (ISC_FALSE);
+}
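Review bot: In isc_sockaddr_hash(), the V4-mapped branch computes `s = (const unsigned char *)&in6[12];`, but `in6` is a `const struct in6_addr *`. The index therefore steps twelve whole `struct in6_addr` objects past the address instead of twelve bytes into it, and isc_hash_calc() reads four bytes from outside the sockaddr. The embedded IPv4 address should come from the byte array, `s = (const unsigned char *)&in6->s6_addr[12];`, which is the same field isc_sockaddr_v6fromin() fills in this file. As written, the hash of a mapped address depends on unrelated memory, so equal addresses may not hash equally. In the same file, isc_sockaddr_format() writes `array[size - 1] = '\0';` on its failure path without requiring a non-zero `size`; a `REQUIRE(size > 0);` at the top would make that precondition explicit.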
diff --git a/contrib/bind9/lib/isc/string.c b/contrib/bind9/lib/isc/string.c
new file mode 100644
index 0000000..9de2b81
--- /dev/null
+++ b/contrib/bind9/lib/isc/string.c
@@ -0,0 +1,165 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: string.c,v 1.6.164.4 2004/03/16 05:50:24 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/string.h>
+
+static char digits[] = "0123456789abcdefghijklmnoprstuvwxyz";
+
+isc_uint64_t
+isc_string_touint64(char *source, char **end, int base) {
+ isc_uint64_t tmp;
+ isc_uint64_t overflow;
+ char *s = source;
+ char *o;
+ char c;
+
+ if ((base < 0) || (base == 1) || (base > 36)) {
+ *end = source;
+ return (0);
+ }
+
+ while (*s != 0 && isascii(*s&0xff) && isspace(*s&0xff))
+ s++;
+ if (*s == '+' /* || *s == '-' */)
+ s++;
+ if (base == 0) {
+ if (*s == '0' && (*(s+1) == 'X' || *(s+1) == 'x')) {
+ s += 2;
+ base = 16;
+ } else if (*s == '0')
+ base = 8;
+ else
+ base = 10;
+ }
+ if (*s == 0) {
+ *end = source;
+ return (0);
+ }
+ overflow = ~0;
+ overflow /= base;
+ tmp = 0;
+
+ while ((c = *s) != 0) {
+ c = tolower(c);
+ /* end ? */
+ if ((o = strchr(digits, c)) == NULL) {
+ *end = s;
+ return (tmp);
+ }
+ /* end ? */
+ if ((o - digits) >= base) {
+ *end = s;
+ return (tmp);
+ }
+ /* overflow ? */
+ if (tmp > overflow) {
+ *end = source;
+ return (0);
+ }
+ tmp *= base;
+ /* overflow ? */
+ if ((tmp + (o - digits)) < tmp) {
+ *end = source;
+ return (0);
+ }
+ tmp += o - digits;
+ s++;
+ }
+ *end = s;
+ return (tmp);
+}
+
+char *
+isc_string_separate(char **stringp, const char *delim) {
+ char *string = *stringp;
+ char *s;
+ const char *d;
+ char sc, dc;
+
+ if (string == NULL)
+ return (NULL);
+
+ for (s = string; (sc = *s) != '\0'; s++)
+ for (d = delim; (dc = *d) != '\0'; d++)
+ if (sc == dc) {
+ *s++ = '\0';
+ *stringp = s;
+ return (string);
+ }
+ *stringp = NULL;
+ return (string);
+}
+
+size_t
+isc_string_strlcpy(char *dst, const char *src, size_t size)
+{
+ char *d = dst;
+ const char *s = src;
+ size_t n = size;
+
+ /* Copy as many bytes as will fit */
+ if (n != 0U && --n != 0U) {
+ do {
+ if ((*d++ = *s++) == 0)
+ break;
+ } while (--n != 0U);
+ }
+
+ /* Not enough room in dst, add NUL and traverse rest of src */
+ if (n == 0U) {
+ if (size != 0U)
+ *d = '\0'; /* NUL-terminate dst */
+ while (*s++)
+ ;
+ }
+
+ return(s - src - 1); /* count does not include NUL */
+}
+
+size_t
+isc_string_strlcat(char *dst, const char *src, size_t size)
+{
+ char *d = dst;
+ const char *s = src;
+ size_t n = size;
+ size_t dlen;
+
+ /* Find the end of dst and adjust bytes left but don't go past end */
+ while (n-- != 0U && *d != '\0')
+ d++;
+ dlen = d - dst;
+ n = size - dlen;
+
+ if (n == 0U)
+ return(dlen + strlen(s));
+ while (*s != '\0') {
+ if (n != 1U) {
+ *d++ = *s;
+ n--;
+ }
+ s++;
+ }
+ *d = '\0';
+
+ return(dlen + (s - src)); /* count does not include NUL */
+}
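Review bot: The `digits` table used by isc_string_touint64 is missing the letter `q`, so it holds 35 characters instead of 36 even though the range check at the top accepts bases up to 36. For any base above 26, `q` is treated as the end of the number and `r` through `z` are each valued one lower than they should be, which silently misparses the input rather than failing. The table should read `static char digits[] = "0123456789abcdefghijklmnopqrstuvwxyz";`. Separately, `tolower(c)` is called on a plain `char`, which is undefined for negative values; `c = tolower(c & 0xff);` would match the masking already used in the whitespace-skipping loop.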
diff --git a/contrib/bind9/lib/isc/strtoul.c b/contrib/bind9/lib/isc/strtoul.c
new file mode 100644
index 0000000..b3d7e49
--- /dev/null
+++ b/contrib/bind9/lib/isc/strtoul.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 1990, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strtoul.c 8.1 (Berkeley) 6/4/93";
+#endif /* LIBC_SCCS and not lint */
+
+/* $Id: strtoul.c,v 1.2.14.3 2004/03/06 08:14:36 marka Exp $ */
+
+#include <config.h>
+
+#include <limits.h>
+#include <ctype.h>
+#include <errno.h>
+
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+/*
+ * Convert a string to an unsigned long integer.
+ *
+ * Ignores `locale' stuff. Assumes that the upper and lower case
+ * alphabets and digits are each contiguous.
+ */
+unsigned long
+isc_strtoul(const char *nptr, char **endptr, int base) {
+ const char *s = nptr;
+ unsigned long acc;
+ unsigned char c;
+ unsigned long cutoff;
+ int neg = 0, any, cutlim;
+
+ /*
+ * See strtol for comments as to the logic used.
+ */
+ do {
+ c = *s++;
+ } while (isspace(c));
+ if (c == '-') {
+ neg = 1;
+ c = *s++;
+ } else if (c == '+')
+ c = *s++;
+ if ((base == 0 || base == 16) &&
+ c == '0' && (*s == 'x' || *s == 'X')) {
+ c = s[1];
+ s += 2;
+ base = 16;
+ }
+ if (base == 0)
+ base = c == '0' ? 8 : 10;
+ cutoff = (unsigned long)ULONG_MAX / (unsigned long)base;
+ cutlim = (unsigned long)ULONG_MAX % (unsigned long)base;
+ for (acc = 0, any = 0;; c = *s++) {
+ if (!isascii(c))
+ break;
+ if (isdigit(c))
+ c -= '0';
+ else if (isalpha(c))
+ c -= isupper(c) ? 'A' - 10 : 'a' - 10;
+ else
+ break;
+ if (c >= base)
+ break;
+ if (any < 0 || acc > cutoff || (acc == cutoff && c > cutlim))
+ any = -1;
+ else {
+ any = 1;
+ acc *= base;
+ acc += c;
+ }
+ }
+ if (any < 0) {
+ acc = ULONG_MAX;
+ errno = ERANGE;
+ } else if (neg)
+ acc = -acc;
+ if (endptr != 0)
+ DE_CONST(any ? s - 1 : nptr, *endptr);
+ return (acc);
+}
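Review bot: In isc_strtoul the `0x`/`0X` prefix is consumed without checking that a hex digit follows. Input such as `0x` or `0xg` therefore leaves `any == 0`, returns 0 and sets `*endptr` back to `nptr`, instead of converting the leading `0` and stopping at the `x`. Callers that validate with `*endptr` will see "no number" for input that does begin with a valid one; adding `&& isxdigit((unsigned char)s[1])` to the prefix condition avoids this. `base` is also never range-checked here, unlike isc_string_touint64 in string.c, so the header comment should state that callers must pass 0 or 2 to 36.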
diff --git a/contrib/bind9/lib/isc/symtab.c b/contrib/bind9/lib/isc/symtab.c
new file mode 100644
index 0000000..8b2b8c4
--- /dev/null
+++ b/contrib/bind9/lib/isc/symtab.c
@@ -0,0 +1,250 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1996-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: symtab.c,v 1.24.12.3 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/string.h>
+#include <isc/symtab.h>
+#include <isc/util.h>
+
+typedef struct elt {
+ char * key;
+ unsigned int type;
+ isc_symvalue_t value;
+ LINK(struct elt) link;
+} elt_t;
+
+typedef LIST(elt_t) eltlist_t;
+
+#define SYMTAB_MAGIC ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isc_symtab {
+ /* Unlocked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ unsigned int size;
+ eltlist_t * table;
+ isc_symtabaction_t undefine_action;
+ void * undefine_arg;
+ isc_boolean_t case_sensitive;
+};
+
+isc_result_t
+isc_symtab_create(isc_mem_t *mctx, unsigned int size,
+ isc_symtabaction_t undefine_action,
+ void *undefine_arg,
+ isc_boolean_t case_sensitive,
+ isc_symtab_t **symtabp)
+{
+ isc_symtab_t *symtab;
+ unsigned int i;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(symtabp != NULL && *symtabp == NULL);
+ REQUIRE(size > 0); /* Should be prime. */
+
+ symtab = (isc_symtab_t *)isc_mem_get(mctx, sizeof(*symtab));
+ if (symtab == NULL)
+ return (ISC_R_NOMEMORY);
+ symtab->table = (eltlist_t *)isc_mem_get(mctx,
+ size * sizeof(eltlist_t));
+ if (symtab->table == NULL) {
+ isc_mem_put(mctx, symtab, sizeof(*symtab));
+ return (ISC_R_NOMEMORY);
+ }
+ for (i = 0; i < size; i++)
+ INIT_LIST(symtab->table[i]);
+ symtab->mctx = mctx;
+ symtab->size = size;
+ symtab->undefine_action = undefine_action;
+ symtab->undefine_arg = undefine_arg;
+ symtab->case_sensitive = case_sensitive;
+ symtab->magic = SYMTAB_MAGIC;
+
+ *symtabp = symtab;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_symtab_destroy(isc_symtab_t **symtabp) {
+ isc_symtab_t *symtab;
+ unsigned int i;
+ elt_t *elt, *nelt;
+
+ REQUIRE(symtabp != NULL);
+ symtab = *symtabp;
+ REQUIRE(VALID_SYMTAB(symtab));
+
+ for (i = 0; i < symtab->size; i++) {
+ for (elt = HEAD(symtab->table[i]); elt != NULL; elt = nelt) {
+ nelt = NEXT(elt, link);
+ if (symtab->undefine_action != NULL)
+ (symtab->undefine_action)(elt->key,
+ elt->type,
+ elt->value,
+ symtab->undefine_arg);
+ isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+ }
+ }
+ isc_mem_put(symtab->mctx, symtab->table,
+ symtab->size * sizeof(eltlist_t));
+ symtab->magic = 0;
+ isc_mem_put(symtab->mctx, symtab, sizeof(*symtab));
+
+ *symtabp = NULL;
+}
+
+static inline unsigned int
+hash(const char *key, isc_boolean_t case_sensitive) {
+ const char *s;
+ unsigned int h = 0;
+ int c;
+
+ /*
+ * This hash function is similar to the one Ousterhout
+ * uses in Tcl.
+ */
+
+ if (case_sensitive) {
+ for (s = key; *s != '\0'; s++) {
+ h += (h << 3) + *s;
+ }
+ } else {
+ for (s = key; *s != '\0'; s++) {
+ c = *s;
+ c = tolower((unsigned char)c);
+ h += (h << 3) + c;
+ }
+ }
+
+ return (h);
+}
+
+#define FIND(s, k, t, b, e) \
+ b = hash((k), (s)->case_sensitive) % (s)->size; \
+ if ((s)->case_sensitive) { \
+ for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+ if (((t) == 0 || e->type == (t)) && \
+ strcmp(e->key, (k)) == 0) \
+ break; \
+ } \
+ } else { \
+ for (e = HEAD((s)->table[b]); e != NULL; e = NEXT(e, link)) { \
+ if (((t) == 0 || e->type == (t)) && \
+ strcasecmp(e->key, (k)) == 0) \
+ break; \
+ } \
+ }
+
+isc_result_t
+isc_symtab_lookup(isc_symtab_t *symtab, const char *key, unsigned int type,
+ isc_symvalue_t *value)
+{
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (elt == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (value != NULL)
+ *value = elt->value;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_symtab_define(isc_symtab_t *symtab, const char *key, unsigned int type,
+ isc_symvalue_t value, isc_symexists_t exists_policy)
+{
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+ REQUIRE(type != 0);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (exists_policy != isc_symexists_add && elt != NULL) {
+ if (exists_policy == isc_symexists_reject)
+ return (ISC_R_EXISTS);
+ INSIST(exists_policy == isc_symexists_replace);
+ UNLINK(symtab->table[bucket], elt, link);
+ if (symtab->undefine_action != NULL)
+ (symtab->undefine_action)(elt->key, elt->type,
+ elt->value,
+ symtab->undefine_arg);
+ } else {
+ elt = (elt_t *)isc_mem_get(symtab->mctx, sizeof(*elt));
+ if (elt == NULL)
+ return (ISC_R_NOMEMORY);
+ ISC_LINK_INIT(elt, link);
+ }
+
+ /*
+ * Though the "key" can be const coming in, it is not stored as const
+ * so that the calling program can easily have writable access to
+ * it in its undefine_action function. In the event that it *was*
+ * truly const coming in and then the caller modified it anyway ...
+ * well, don't do that!
+ */
+ DE_CONST(key, elt->key);
+ elt->type = type;
+ elt->value = value;
+
+ /*
+ * We prepend so that the most recent definition will be found.
+ */
+ PREPEND(symtab->table[bucket], elt, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_symtab_undefine(isc_symtab_t *symtab, const char *key, unsigned int type) {
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (elt == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (symtab->undefine_action != NULL)
+ (symtab->undefine_action)(elt->key, elt->type,
+ elt->value, symtab->undefine_arg);
+ UNLINK(symtab->table[bucket], elt, link);
+ isc_mem_put(symtab->mctx, elt, sizeof(*elt));
+
+ return (ISC_R_SUCCESS);
+}
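Review bot: isc_symtab_create computes the bucket array size as `size * sizeof(eltlist_t)` with no overflow check, and the only precondition on `size` is `REQUIRE(size > 0)`. Where `size_t` is 32 bits wide, a large enough `size` would wrap the product, and the `INIT_LIST` loop would then write past the short allocation. Whether any caller passes an externally influenced size is not visible here. A guard such as `REQUIRE(size <= (size_t)-1 / sizeof(eltlist_t));` before the `isc_mem_get` call would make the precondition explicit, and it also covers the same product in isc_symtab_destroy. It would also be worth a comment on `hash()` noting that it is unkeyed, so tables keyed on untrusted strings can be driven into long bucket chains.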
diff --git a/contrib/bind9/lib/isc/task.c b/contrib/bind9/lib/isc/task.c
new file mode 100644
index 0000000..dc41695
--- /dev/null
+++ b/contrib/bind9/lib/isc/task.c
@@ -0,0 +1,1303 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: task.c,v 1.85.2.3.8.4 2004/03/08 21:06:29 marka Exp $ */
+
+/*
+ * Principal Author: Bob Halley
+ */
+
+/*
+ * XXXRTH Need to document the states a task can be in, and the rules
+ * for changing states.
+ */
+
+#include <config.h>
+
+#include <isc/condition.h>
+#include <isc/event.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/platform.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#ifndef ISC_PLATFORM_USETHREADS
+#include "task_p.h"
+#endif /* ISC_PLATFORM_USETHREADS */
+
+#define ISC_TASK_NAMES 1
+
+#ifdef ISC_TASK_TRACE
+#define XTRACE(m) fprintf(stderr, "task %p thread %lu: %s\n", \
+ task, isc_thread_self(), (m))
+#define XTTRACE(t, m) fprintf(stderr, "task %p thread %lu: %s\n", \
+ (t), isc_thread_self(), (m))
+#define XTHREADTRACE(m) fprintf(stderr, "thread %lu: %s\n", \
+ isc_thread_self(), (m))
+#else
+#define XTRACE(m)
+#define XTTRACE(t, m)
+#define XTHREADTRACE(m)
+#endif
+
+/***
+ *** Types.
+ ***/
+
+typedef enum {
+ task_state_idle, task_state_ready, task_state_running,
+ task_state_done
+} task_state_t;
+
+#define TASK_MAGIC ISC_MAGIC('T', 'A', 'S', 'K')
+#define VALID_TASK(t) ISC_MAGIC_VALID(t, TASK_MAGIC)
+
+struct isc_task {
+ /* Not locked. */
+ unsigned int magic;
+ isc_taskmgr_t * manager;
+ isc_mutex_t lock;
+ /* Locked by task lock. */
+ task_state_t state;
+ unsigned int references;
+ isc_eventlist_t events;
+ isc_eventlist_t on_shutdown;
+ unsigned int quantum;
+ unsigned int flags;
+ isc_stdtime_t now;
+#ifdef ISC_TASK_NAMES
+ char name[16];
+ void * tag;
+#endif
+ /* Locked by task manager lock. */
+ LINK(isc_task_t) link;
+ LINK(isc_task_t) ready_link;
+};
+
+#define TASK_F_SHUTTINGDOWN 0x01
+
+#define TASK_SHUTTINGDOWN(t) (((t)->flags & TASK_F_SHUTTINGDOWN) \
+ != 0)
+
+#define TASK_MANAGER_MAGIC ISC_MAGIC('T', 'S', 'K', 'M')
+#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TASK_MANAGER_MAGIC)
+
+struct isc_taskmgr {
+ /* Not locked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ unsigned int workers;
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_thread_t * threads;
+#endif /* ISC_PLATFORM_USETHREADS */
+ /* Locked by task manager lock. */
+ unsigned int default_quantum;
+ LIST(isc_task_t) tasks;
+ isc_tasklist_t ready_tasks;
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_condition_t work_available;
+ isc_condition_t exclusive_granted;
+#endif /* ISC_PLATFORM_USETHREADS */
+ unsigned int tasks_running;
+ isc_boolean_t exclusive_requested;
+ isc_boolean_t exiting;
+#ifndef ISC_PLATFORM_USETHREADS
+ unsigned int refs;
+#endif /* ISC_PLATFORM_USETHREADS */
+};
+
+#define DEFAULT_TASKMGR_QUANTUM 10
+#define DEFAULT_DEFAULT_QUANTUM 5
+#define FINISHED(m) ((m)->exiting && EMPTY((m)->tasks))
+
+#ifndef ISC_PLATFORM_USETHREADS
+static isc_taskmgr_t *taskmgr = NULL;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/***
+ *** Tasks.
+ ***/
+
+static void
+task_finished(isc_task_t *task) {
+ isc_taskmgr_t *manager = task->manager;
+
+ REQUIRE(EMPTY(task->events));
+ REQUIRE(EMPTY(task->on_shutdown));
+ REQUIRE(task->references == 0);
+ REQUIRE(task->state == task_state_done);
+
+ XTRACE("task_finished");
+
+ LOCK(&manager->lock);
+ UNLINK(manager->tasks, task, link);
+#ifdef ISC_PLATFORM_USETHREADS
+ if (FINISHED(manager)) {
+ /*
+ * All tasks have completed and the
+ * task manager is exiting. Wake up
+ * any idle worker threads so they
+ * can exit.
+ */
+ BROADCAST(&manager->work_available);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+ UNLOCK(&manager->lock);
+
+ DESTROYLOCK(&task->lock);
+ task->magic = 0;
+ isc_mem_put(manager->mctx, task, sizeof(*task));
+}
+
+isc_result_t
+isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
+ isc_task_t **taskp)
+{
+ isc_task_t *task;
+ isc_boolean_t exiting;
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(taskp != NULL && *taskp == NULL);
+
+ task = isc_mem_get(manager->mctx, sizeof(*task));
+ if (task == NULL)
+ return (ISC_R_NOMEMORY);
+ XTRACE("isc_task_create");
+ task->manager = manager;
+ if (isc_mutex_init(&task->lock) != ISC_R_SUCCESS) {
+ isc_mem_put(manager->mctx, task, sizeof(*task));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+ task->state = task_state_idle;
+ task->references = 1;
+ INIT_LIST(task->events);
+ INIT_LIST(task->on_shutdown);
+ task->quantum = quantum;
+ task->flags = 0;
+ task->now = 0;
+#ifdef ISC_TASK_NAMES
+ memset(task->name, 0, sizeof(task->name));
+ task->tag = NULL;
+#endif
+ INIT_LINK(task, link);
+ INIT_LINK(task, ready_link);
+
+ exiting = ISC_FALSE;
+ LOCK(&manager->lock);
+ if (!manager->exiting) {
+ if (task->quantum == 0)
+ task->quantum = manager->default_quantum;
+ APPEND(manager->tasks, task, link);
+ } else
+ exiting = ISC_TRUE;
+ UNLOCK(&manager->lock);
+
+ if (exiting) {
+ DESTROYLOCK(&task->lock);
+ isc_mem_put(manager->mctx, task, sizeof(*task));
+ return (ISC_R_SHUTTINGDOWN);
+ }
+
+ task->magic = TASK_MAGIC;
+ *taskp = task;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_task_attach(isc_task_t *source, isc_task_t **targetp) {
+
+ /*
+ * Attach *targetp to source.
+ */
+
+ REQUIRE(VALID_TASK(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ XTTRACE(source, "isc_task_attach");
+
+ LOCK(&source->lock);
+ source->references++;
+ UNLOCK(&source->lock);
+
+ *targetp = source;
+}
+
+static inline isc_boolean_t
+task_shutdown(isc_task_t *task) {
+ isc_boolean_t was_idle = ISC_FALSE;
+ isc_event_t *event, *prev;
+
+ /*
+ * Caller must be holding the task's lock.
+ */
+
+ XTRACE("task_shutdown");
+
+ if (! TASK_SHUTTINGDOWN(task)) {
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_SHUTTINGDOWN, "shutting down"));
+ task->flags |= TASK_F_SHUTTINGDOWN;
+ if (task->state == task_state_idle) {
+ INSIST(EMPTY(task->events));
+ task->state = task_state_ready;
+ was_idle = ISC_TRUE;
+ }
+ INSIST(task->state == task_state_ready ||
+ task->state == task_state_running);
+ /*
+ * Note that we post shutdown events LIFO.
+ */
+ for (event = TAIL(task->on_shutdown);
+ event != NULL;
+ event = prev) {
+ prev = PREV(event, ev_link);
+ DEQUEUE(task->on_shutdown, event, ev_link);
+ ENQUEUE(task->events, event, ev_link);
+ }
+ }
+
+ return (was_idle);
+}
+
+static inline void
+task_ready(isc_task_t *task) {
+ isc_taskmgr_t *manager = task->manager;
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(task->state == task_state_ready);
+
+ XTRACE("task_ready");
+
+ LOCK(&manager->lock);
+
+ ENQUEUE(manager->ready_tasks, task, ready_link);
+#ifdef ISC_PLATFORM_USETHREADS
+ SIGNAL(&manager->work_available);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ UNLOCK(&manager->lock);
+}
+
+static inline isc_boolean_t
+task_detach(isc_task_t *task) {
+
+ /*
+ * Caller must be holding the task lock.
+ */
+
+ REQUIRE(task->references > 0);
+
+ XTRACE("detach");
+
+ task->references--;
+ if (task->references == 0 && task->state == task_state_idle) {
+ INSIST(EMPTY(task->events));
+ /*
+ * There are no references to this task, and no
+ * pending events. We could try to optimize and
+ * either initiate shutdown or clean up the task,
+ * depending on its state, but it's easier to just
+ * make the task ready and allow run() or the event
+ * loop to deal with shutting down and termination.
+ */
+ task->state = task_state_ready;
+ return (ISC_TRUE);
+ }
+
+ return (ISC_FALSE);
+}
+
+void
+isc_task_detach(isc_task_t **taskp) {
+ isc_task_t *task;
+ isc_boolean_t was_idle;
+
+ /*
+ * Detach *taskp from its task.
+ */
+
+ REQUIRE(taskp != NULL);
+ task = *taskp;
+ REQUIRE(VALID_TASK(task));
+
+ XTRACE("isc_task_detach");
+
+ LOCK(&task->lock);
+ was_idle = task_detach(task);
+ UNLOCK(&task->lock);
+
+ if (was_idle)
+ task_ready(task);
+
+ *taskp = NULL;
+}
+
+static inline isc_boolean_t
+task_send(isc_task_t *task, isc_event_t **eventp) {
+ isc_boolean_t was_idle = ISC_FALSE;
+ isc_event_t *event;
+
+ /*
+ * Caller must be holding the task lock.
+ */
+
+ REQUIRE(eventp != NULL);
+ event = *eventp;
+ REQUIRE(event != NULL);
+ REQUIRE(event->ev_type > 0);
+ REQUIRE(task->state != task_state_done);
+
+ XTRACE("task_send");
+
+ if (task->state == task_state_idle) {
+ was_idle = ISC_TRUE;
+ INSIST(EMPTY(task->events));
+ task->state = task_state_ready;
+ }
+ INSIST(task->state == task_state_ready ||
+ task->state == task_state_running);
+ ENQUEUE(task->events, event, ev_link);
+ *eventp = NULL;
+
+ return (was_idle);
+}
+
+void
+isc_task_send(isc_task_t *task, isc_event_t **eventp) {
+ isc_boolean_t was_idle;
+
+ /*
+ * Send '*event' to 'task'.
+ */
+
+ REQUIRE(VALID_TASK(task));
+
+ XTRACE("isc_task_send");
+
+ /*
+ * We're trying hard to hold locks for as short a time as possible.
+ * We're also trying to hold as few locks as possible. This is why
+ * some processing is deferred until after the lock is released.
+ */
+ LOCK(&task->lock);
+ was_idle = task_send(task, eventp);
+ UNLOCK(&task->lock);
+
+ if (was_idle) {
+ /*
+ * We need to add this task to the ready queue.
+ *
+ * We've waited until now to do it because making a task
+ * ready requires locking the manager. If we tried to do
+ * this while holding the task lock, we could deadlock.
+ *
+ * We've changed the state to ready, so no one else will
+ * be trying to add this task to the ready queue. The
+ * only way to leave the ready state is by executing the
+ * task. It thus doesn't matter if events are added,
+ * removed, or a shutdown is started in the interval
+ * between the time we released the task lock, and the time
+ * we add the task to the ready queue.
+ */
+ task_ready(task);
+ }
+}
+
+void
+isc_task_sendanddetach(isc_task_t **taskp, isc_event_t **eventp) {
+ isc_boolean_t idle1, idle2;
+ isc_task_t *task;
+
+ /*
+ * Send '*event' to '*taskp' and then detach '*taskp' from its
+ * task.
+ */
+
+ REQUIRE(taskp != NULL);
+ task = *taskp;
+ REQUIRE(VALID_TASK(task));
+
+ XTRACE("isc_task_sendanddetach");
+
+ LOCK(&task->lock);
+ idle1 = task_send(task, eventp);
+ idle2 = task_detach(task);
+ UNLOCK(&task->lock);
+
+ /*
+ * If idle1, then idle2 shouldn't be true as well since we're holding
+ * the task lock, and thus the task cannot switch from ready back to
+ * idle.
+ */
+ INSIST(!(idle1 && idle2));
+
+ if (idle1 || idle2)
+ task_ready(task);
+
+ *taskp = NULL;
+}
+
+#define PURGE_OK(event) (((event)->ev_attributes & ISC_EVENTATTR_NOPURGE) == 0)
+
+static unsigned int
+dequeue_events(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag,
+ isc_eventlist_t *events, isc_boolean_t purging)
+{
+ isc_event_t *event, *next_event;
+ unsigned int count = 0;
+
+ REQUIRE(VALID_TASK(task));
+ REQUIRE(last >= first);
+
+ XTRACE("dequeue_events");
+
+ /*
+ * Events matching 'sender', whose type is >= first and <= last, and
+ * whose tag is 'tag' will be dequeued. If 'purging', matching events
+ * which are marked as unpurgable will not be dequeued.
+ *
+ * sender == NULL means "any sender", and tag == NULL means "any tag".
+ */
+
+ LOCK(&task->lock);
+
+ for (event = HEAD(task->events); event != NULL; event = next_event) {
+ next_event = NEXT(event, ev_link);
+ if (event->ev_type >= first && event->ev_type <= last &&
+ (sender == NULL || event->ev_sender == sender) &&
+ (tag == NULL || event->ev_tag == tag) &&
+ (!purging || PURGE_OK(event))) {
+ DEQUEUE(task->events, event, ev_link);
+ ENQUEUE(*events, event, ev_link);
+ count++;
+ }
+ }
+
+ UNLOCK(&task->lock);
+
+ return (count);
+}
+
+unsigned int
+isc_task_purgerange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag)
+{
+ unsigned int count;
+ isc_eventlist_t events;
+ isc_event_t *event, *next_event;
+
+ /*
+ * Purge events from a task's event queue.
+ */
+
+ XTRACE("isc_task_purgerange");
+
+ ISC_LIST_INIT(events);
+
+ count = dequeue_events(task, sender, first, last, tag, &events,
+ ISC_TRUE);
+
+ for (event = HEAD(events); event != NULL; event = next_event) {
+ next_event = NEXT(event, ev_link);
+ isc_event_free(&event);
+ }
+
+ /*
+ * Note that purging never changes the state of the task.
+ */
+
+ return (count);
+}
+
+unsigned int
+isc_task_purge(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag)
+{
+ /*
+ * Purge events from a task's event queue.
+ */
+
+ XTRACE("isc_task_purge");
+
+ return (isc_task_purgerange(task, sender, type, type, tag));
+}
+
+isc_boolean_t
+isc_task_purgeevent(isc_task_t *task, isc_event_t *event) {
+ isc_event_t *curr_event, *next_event;
+
+ /*
+ * Purge 'event' from a task's event queue.
+ *
+ * XXXRTH: WARNING: This method may be removed before beta.
+ */
+
+ REQUIRE(VALID_TASK(task));
+
+ /*
+ * If 'event' is on the task's event queue, it will be purged,
+ * unless it is marked as unpurgeable. 'event' does not have to be
+ * on the task's event queue; in fact, it can even be an invalid
+ * pointer. Purging only occurs if the event is actually on the task's
+ * event queue.
+ *
+ * Purging never changes the state of the task.
+ */
+
+ LOCK(&task->lock);
+ for (curr_event = HEAD(task->events);
+ curr_event != NULL;
+ curr_event = next_event) {
+ next_event = NEXT(curr_event, ev_link);
+ if (curr_event == event && PURGE_OK(event)) {
+ DEQUEUE(task->events, curr_event, ev_link);
+ break;
+ }
+ }
+ UNLOCK(&task->lock);
+
+ if (curr_event == NULL)
+ return (ISC_FALSE);
+
+ isc_event_free(&curr_event);
+
+ return (ISC_TRUE);
+}
+
+unsigned int
+isc_task_unsendrange(isc_task_t *task, void *sender, isc_eventtype_t first,
+ isc_eventtype_t last, void *tag,
+ isc_eventlist_t *events)
+{
+ /*
+ * Remove events from a task's event queue.
+ */
+
+ XTRACE("isc_task_unsendrange");
+
+ return (dequeue_events(task, sender, first, last, tag, events,
+ ISC_FALSE));
+}
+
+unsigned int
+isc_task_unsend(isc_task_t *task, void *sender, isc_eventtype_t type,
+ void *tag, isc_eventlist_t *events)
+{
+ /*
+ * Remove events from a task's event queue.
+ */
+
+ XTRACE("isc_task_unsend");
+
+ return (dequeue_events(task, sender, type, type, tag, events,
+ ISC_FALSE));
+}
+
+isc_result_t
+isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ isc_boolean_t disallowed = ISC_FALSE;
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_event_t *event;
+
+ /*
+ * Send a shutdown event with action 'action' and argument 'arg' when
+ * 'task' is shutdown.
+ */
+
+ REQUIRE(VALID_TASK(task));
+ REQUIRE(action != NULL);
+
+ event = isc_event_allocate(task->manager->mctx,
+ NULL,
+ ISC_TASKEVENT_SHUTDOWN,
+ action,
+ arg,
+ sizeof(*event));
+ if (event == NULL)
+ return (ISC_R_NOMEMORY);
+
+ LOCK(&task->lock);
+ if (TASK_SHUTTINGDOWN(task)) {
+ disallowed = ISC_TRUE;
+ result = ISC_R_SHUTTINGDOWN;
+ } else
+ ENQUEUE(task->on_shutdown, event, ev_link);
+ UNLOCK(&task->lock);
+
+ if (disallowed)
+ isc_mem_put(task->manager->mctx, event, sizeof(*event));
+
+ return (result);
+}
+
+void
+isc_task_shutdown(isc_task_t *task) {
+ isc_boolean_t was_idle;
+
+ /*
+ * Shutdown 'task'.
+ */
+
+ REQUIRE(VALID_TASK(task));
+
+ LOCK(&task->lock);
+ was_idle = task_shutdown(task);
+ UNLOCK(&task->lock);
+
+ if (was_idle)
+ task_ready(task);
+}
+
+void
+isc_task_destroy(isc_task_t **taskp) {
+
+ /*
+ * Destroy '*taskp'.
+ */
+
+ REQUIRE(taskp != NULL);
+
+ isc_task_shutdown(*taskp);
+ isc_task_detach(taskp);
+}
+
+void
+isc_task_setname(isc_task_t *task, const char *name, void *tag) {
+
+ /*
+ * Name 'task'.
+ */
+
+ REQUIRE(VALID_TASK(task));
+
+#ifdef ISC_TASK_NAMES
+ LOCK(&task->lock);
+ memset(task->name, 0, sizeof(task->name));
+ strncpy(task->name, name, sizeof(task->name) - 1);
+ task->tag = tag;
+ UNLOCK(&task->lock);
+#else
+ UNUSED(name);
+ UNUSED(tag);
+#endif
+
+}
+
+const char *
+isc_task_getname(isc_task_t *task) {
+ return (task->name);
+}
+
+void *
+isc_task_gettag(isc_task_t *task) {
+ return (task->tag);
+}
+
+void
+isc_task_getcurrenttime(isc_task_t *task, isc_stdtime_t *t) {
+ REQUIRE(VALID_TASK(task));
+ REQUIRE(t != NULL);
+
+ LOCK(&task->lock);
+
+ *t = task->now;
+
+ UNLOCK(&task->lock);
+}
+
+/***
+ *** Task Manager.
+ ***/
+static void
+dispatch(isc_taskmgr_t *manager) {
+ isc_task_t *task;
+#ifndef ISC_PLATFORM_USETHREADS
+ unsigned int total_dispatch_count = 0;
+ isc_tasklist_t ready_tasks;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ REQUIRE(VALID_MANAGER(manager));
+
+ /*
+ * Again we're trying to hold the lock for as short a time as possible
+ * and to do as little locking and unlocking as possible.
+ *
+ * In both while loops, the appropriate lock must be held before the
+ * while body starts. Code which acquired the lock at the top of
+ * the loop would be more readable, but would result in a lot of
+ * extra locking. Compare:
+ *
+ * Straightforward:
+ *
+ * LOCK();
+ * ...
+ * UNLOCK();
+ * while (expression) {
+ * LOCK();
+ * ...
+ * UNLOCK();
+ *
+ * Unlocked part here...
+ *
+ * LOCK();
+ * ...
+ * UNLOCK();
+ * }
+ *
+ * Note how if the loop continues we unlock and then immediately lock.
+ * For N iterations of the loop, this code does 2N+1 locks and 2N+1
+ * unlocks. Also note that the lock is not held when the while
+ * condition is tested, which may or may not be important, depending
+ * on the expression.
+ *
+ * As written:
+ *
+ * LOCK();
+ * while (expression) {
+ * ...
+ * UNLOCK();
+ *
+ * Unlocked part here...
+ *
+ * LOCK();
+ * ...
+ * }
+ * UNLOCK();
+ *
+ * For N iterations of the loop, this code does N+1 locks and N+1
+ * unlocks. The while expression is always protected by the lock.
+ */
+
+#ifndef ISC_PLATFORM_USETHREADS
+ ISC_LIST_INIT(ready_tasks);
+#endif
+ LOCK(&manager->lock);
+ while (!FINISHED(manager)) {
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * For reasons similar to those given in the comment in
+ * isc_task_send() above, it is safe for us to dequeue
+ * the task while only holding the manager lock, and then
+ * change the task to running state while only holding the
+ * task lock.
+ */
+ while ((EMPTY(manager->ready_tasks) ||
+ manager->exclusive_requested) &&
+ !FINISHED(manager))
+ {
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_WAIT, "wait"));
+ WAIT(&manager->work_available, &manager->lock);
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TASK,
+ ISC_MSG_AWAKE, "awake"));
+ }
+#else /* ISC_PLATFORM_USETHREADS */
+ if (total_dispatch_count >= DEFAULT_TASKMGR_QUANTUM ||
+ EMPTY(manager->ready_tasks))
+ break;
+#endif /* ISC_PLATFORM_USETHREADS */
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TASK,
+ ISC_MSG_WORKING, "working"));
+
+ task = HEAD(manager->ready_tasks);
+ if (task != NULL) {
+ unsigned int dispatch_count = 0;
+ isc_boolean_t done = ISC_FALSE;
+ isc_boolean_t requeue = ISC_FALSE;
+ isc_boolean_t finished = ISC_FALSE;
+ isc_event_t *event;
+
+ INSIST(VALID_TASK(task));
+
+ /*
+ * Note we only unlock the manager lock if we actually
+ * have a task to do. We must reacquire the manager
+ * lock before exiting the 'if (task != NULL)' block.
+ */
+ DEQUEUE(manager->ready_tasks, task, ready_link);
+ manager->tasks_running++;
+ UNLOCK(&manager->lock);
+
+ LOCK(&task->lock);
+ INSIST(task->state == task_state_ready);
+ task->state = task_state_running;
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_RUNNING, "running"));
+ isc_stdtime_get(&task->now);
+ do {
+ if (!EMPTY(task->events)) {
+ event = HEAD(task->events);
+ DEQUEUE(task->events, event, ev_link);
+
+ /*
+ * Execute the event action.
+ */
+ XTRACE(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TASK,
+ ISC_MSG_EXECUTE,
+ "execute action"));
+ if (event->ev_action != NULL) {
+ UNLOCK(&task->lock);
+ (event->ev_action)(task,event);
+ LOCK(&task->lock);
+ }
+ dispatch_count++;
+#ifndef ISC_PLATFORM_USETHREADS
+ total_dispatch_count++;
+#endif /* ISC_PLATFORM_USETHREADS */
+ }
+
+ if (task->references == 0 &&
+ EMPTY(task->events) &&
+ !TASK_SHUTTINGDOWN(task)) {
+ isc_boolean_t was_idle;
+
+ /*
+ * There are no references and no
+ * pending events for this task,
+ * which means it will not become
+ * runnable again via an external
+ * action (such as sending an event
+ * or detaching).
+ *
+ * We initiate shutdown to prevent
+ * it from becoming a zombie.
+ *
+ * We do this here instead of in
+ * the "if EMPTY(task->events)" block
+ * below because:
+ *
+ * If we post no shutdown events,
+ * we want the task to finish.
+ *
+ * If we did post shutdown events,
+ * will still want the task's
+ * quantum to be applied.
+ */
+ was_idle = task_shutdown(task);
+ INSIST(!was_idle);
+ }
+
+ if (EMPTY(task->events)) {
+ /*
+ * Nothing else to do for this task
+ * right now.
+ */
+ XTRACE(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TASK,
+ ISC_MSG_EMPTY,
+ "empty"));
+ if (task->references == 0 &&
+ TASK_SHUTTINGDOWN(task)) {
+ /*
+ * The task is done.
+ */
+ XTRACE(isc_msgcat_get(
+ isc_msgcat,
+ ISC_MSGSET_TASK,
+ ISC_MSG_DONE,
+ "done"));
+ finished = ISC_TRUE;
+ task->state = task_state_done;
+ } else
+ task->state = task_state_idle;
+ done = ISC_TRUE;
+ } else if (dispatch_count >= task->quantum) {
+ /*
+ * Our quantum has expired, but
+ * there is more work to be done.
+ * We'll requeue it to the ready
+ * queue later.
+ *
+ * We don't check quantum until
+ * dispatching at least one event,
+ * so the minimum quantum is one.
+ */
+ XTRACE(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TASK,
+ ISC_MSG_QUANTUM,
+ "quantum"));
+ task->state = task_state_ready;
+ requeue = ISC_TRUE;
+ done = ISC_TRUE;
+ }
+ } while (!done);
+ UNLOCK(&task->lock);
+
+ if (finished)
+ task_finished(task);
+
+ LOCK(&manager->lock);
+ manager->tasks_running--;
+#ifdef ISC_PLATFORM_USETHREADS
+ if (manager->exclusive_requested &&
+ manager->tasks_running == 1) {
+ SIGNAL(&manager->exclusive_granted);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+ if (requeue) {
+ /*
+ * We know we're awake, so we don't have
+ * to wakeup any sleeping threads if the
+ * ready queue is empty before we requeue.
+ *
+ * A possible optimization if the queue is
+ * empty is to 'goto' the 'if (task != NULL)'
+ * block, avoiding the ENQUEUE of the task
+ * and the subsequent immediate DEQUEUE
+ * (since it is the only executable task).
+ * We don't do this because then we'd be
+ * skipping the exit_requested check. The
+ * cost of ENQUEUE is low anyway, especially
+ * when you consider that we'd have to do
+ * an extra EMPTY check to see if we could
+ * do the optimization. If the ready queue
+ * were usually nonempty, the 'optimization'
+ * might even hurt rather than help.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+ ENQUEUE(manager->ready_tasks, task,
+ ready_link);
+#else
+ ENQUEUE(ready_tasks, task, ready_link);
+#endif
+ }
+ }
+ }
+#ifndef ISC_PLATFORM_USETHREADS
+ ISC_LIST_APPENDLIST(manager->ready_tasks, ready_tasks, ready_link);
+#endif
+ UNLOCK(&manager->lock);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static isc_threadresult_t
+#ifdef _WIN32
+WINAPI
+#endif
+run(void *uap) {
+ isc_taskmgr_t *manager = uap;
+
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_STARTING, "starting"));
+
+ dispatch(manager);
+
+ XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_EXITING, "exiting"));
+
+ return ((isc_threadresult_t)0);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+static void
+manager_free(isc_taskmgr_t *manager) {
+ isc_mem_t *mctx;
+
+#ifdef ISC_PLATFORM_USETHREADS
+ (void)isc_condition_destroy(&manager->exclusive_granted);
+ (void)isc_condition_destroy(&manager->work_available);
+ isc_mem_put(manager->mctx, manager->threads,
+ manager->workers * sizeof(isc_thread_t));
+#endif /* ISC_PLATFORM_USETHREADS */
+ DESTROYLOCK(&manager->lock);
+ manager->magic = 0;
+ mctx = manager->mctx;
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ isc_mem_detach(&mctx);
+}
+
+isc_result_t
+isc_taskmgr_create(isc_mem_t *mctx, unsigned int workers,
+ unsigned int default_quantum, isc_taskmgr_t **managerp)
+{
+ isc_result_t result;
+ unsigned int i, started = 0;
+ isc_taskmgr_t *manager;
+
+ /*
+ * Create a new task manager.
+ */
+
+ REQUIRE(workers > 0);
+ REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ UNUSED(i);
+ UNUSED(started);
+ UNUSED(workers);
+
+ if (taskmgr != NULL) {
+ taskmgr->refs++;
+ *managerp = taskmgr;
+ return (ISC_R_SUCCESS);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ manager = isc_mem_get(mctx, sizeof(*manager));
+ if (manager == NULL)
+ return (ISC_R_NOMEMORY);
+ manager->magic = TASK_MANAGER_MAGIC;
+ manager->mctx = NULL;
+ manager->workers = 0;
+ if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_mgr;
+ }
+#ifdef ISC_PLATFORM_USETHREADS
+ manager->threads = isc_mem_get(mctx, workers * sizeof(isc_thread_t));
+ if (manager->threads == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup_lock;
+ }
+ if (isc_condition_init(&manager->work_available) != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_threads;
+ }
+ if (isc_condition_init(&manager->exclusive_granted) != ISC_R_SUCCESS) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup_workavailable;
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+ if (default_quantum == 0)
+ default_quantum = DEFAULT_DEFAULT_QUANTUM;
+ manager->default_quantum = default_quantum;
+ INIT_LIST(manager->tasks);
+ INIT_LIST(manager->ready_tasks);
+ manager->tasks_running = 0;
+ manager->exclusive_requested = ISC_FALSE;
+ manager->exiting = ISC_FALSE;
+ manager->workers = 0;
+
+ isc_mem_attach(mctx, &manager->mctx);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ LOCK(&manager->lock);
+ /*
+ * Start workers.
+ */
+ for (i = 0; i < workers; i++) {
+ if (isc_thread_create(run, manager,
+ &manager->threads[manager->workers]) ==
+ ISC_R_SUCCESS) {
+ manager->workers++;
+ started++;
+ }
+ }
+ UNLOCK(&manager->lock);
+
+ if (started == 0) {
+ manager_free(manager);
+ return (ISC_R_NOTHREADS);
+ }
+ isc_thread_setconcurrency(workers);
+#else /* ISC_PLATFORM_USETHREADS */
+ manager->refs = 1;
+ taskmgr = manager;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ *managerp = manager;
+
+ return (ISC_R_SUCCESS);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ cleanup_workavailable:
+ (void)isc_condition_destroy(&manager->work_available);
+ cleanup_threads:
+ isc_mem_put(mctx, manager->threads, workers * sizeof(isc_thread_t));
+ cleanup_lock:
+ DESTROYLOCK(&manager->lock);
+#endif
+ cleanup_mgr:
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ return (result);
+}
+
+void
+isc_taskmgr_destroy(isc_taskmgr_t **managerp) {
+ isc_taskmgr_t *manager;
+ isc_task_t *task;
+ unsigned int i;
+
+ /*
+ * Destroy '*managerp'.
+ */
+
+ REQUIRE(managerp != NULL);
+ manager = *managerp;
+ REQUIRE(VALID_MANAGER(manager));
+
+#ifndef ISC_PLATFORM_USETHREADS
+ UNUSED(i);
+
+ if (manager->refs > 1) {
+ manager->refs--;
+ *managerp = NULL;
+ return;
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ XTHREADTRACE("isc_taskmgr_destroy");
+ /*
+ * Only one non-worker thread may ever call this routine.
+ * If a worker thread wants to initiate shutdown of the
+ * task manager, it should ask some non-worker thread to call
+ * isc_taskmgr_destroy(), e.g. by signalling a condition variable
+ * that the startup thread is sleeping on.
+ */
+
+ /*
+ * Unlike elsewhere, we're going to hold this lock a long time.
+ * We need to do so, because otherwise the list of tasks could
+ * change while we were traversing it.
+ *
+ * This is also the only function where we will hold both the
+ * task manager lock and a task lock at the same time.
+ */
+
+ LOCK(&manager->lock);
+
+ /*
+ * Make sure we only get called once.
+ */
+ INSIST(!manager->exiting);
+ manager->exiting = ISC_TRUE;
+
+ /*
+ * Post shutdown event(s) to every task (if they haven't already been
+ * posted).
+ */
+ for (task = HEAD(manager->tasks);
+ task != NULL;
+ task = NEXT(task, link)) {
+ LOCK(&task->lock);
+ if (task_shutdown(task))
+ ENQUEUE(manager->ready_tasks, task, ready_link);
+ UNLOCK(&task->lock);
+ }
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Wake up any sleeping workers. This ensures we get work done if
+ * there's work left to do, and if there are already no tasks left
+ * it will cause the workers to see manager->exiting.
+ */
+ BROADCAST(&manager->work_available);
+ UNLOCK(&manager->lock);
+
+ /*
+ * Wait for all the worker threads to exit.
+ */
+ for (i = 0; i < manager->workers; i++)
+ (void)isc_thread_join(manager->threads[i], NULL);
+#else /* ISC_PLATFORM_USETHREADS */
+ /*
+ * Dispatch the shutdown events.
+ */
+ UNLOCK(&manager->lock);
+ while (isc__taskmgr_ready())
+ (void)isc__taskmgr_dispatch();
+ INSIST(ISC_LIST_EMPTY(manager->tasks));
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ manager_free(manager);
+
+ *managerp = NULL;
+}
+
+#ifndef ISC_PLATFORM_USETHREADS
+isc_boolean_t
+isc__taskmgr_ready(void) {
+ if (taskmgr == NULL)
+ return (ISC_FALSE);
+ return (ISC_TF(!ISC_LIST_EMPTY(taskmgr->ready_tasks)));
+}
+
+isc_result_t
+isc__taskmgr_dispatch(void) {
+ isc_taskmgr_t *manager = taskmgr;
+
+ if (taskmgr == NULL)
+ return (ISC_R_NOTFOUND);
+
+ dispatch(manager);
+
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_task_beginexclusive(isc_task_t *task) {
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_taskmgr_t *manager = task->manager;
+ REQUIRE(task->state == task_state_running);
+ LOCK(&manager->lock);
+ if (manager->exclusive_requested) {
+ UNLOCK(&manager->lock);
+ return (ISC_R_LOCKBUSY);
+ }
+ manager->exclusive_requested = ISC_TRUE;
+ while (manager->tasks_running > 1) {
+ WAIT(&manager->exclusive_granted, &manager->lock);
+ }
+ UNLOCK(&manager->lock);
+#else
+ UNUSED(task);
+#endif
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_task_endexclusive(isc_task_t *task) {
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_taskmgr_t *manager = task->manager;
+ REQUIRE(task->state == task_state_running);
+ LOCK(&manager->lock);
+ REQUIRE(manager->exclusive_requested);
+ manager->exclusive_requested = ISC_FALSE;
+ BROADCAST(&manager->work_available);
+ UNLOCK(&manager->lock);
+#else
+ UNUSED(task);
+#endif
+}
diff --git a/contrib/bind9/lib/isc/task_p.h b/contrib/bind9/lib/isc/task_p.h
new file mode 100644
index 0000000..f842c5b
--- /dev/null
+++ b/contrib/bind9/lib/isc/task_p.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: task_p.h,v 1.6.206.1 2004/03/06 08:14:36 marka Exp $ */
+
+#ifndef ISC_TASK_P_H
+#define ISC_TASK_P_H
+
+isc_boolean_t
+isc__taskmgr_ready(void);
+
+isc_result_t
+isc__taskmgr_dispatch(void);
+
+#endif /* ISC_TASK_P_H */
diff --git a/contrib/bind9/lib/isc/taskpool.c b/contrib/bind9/lib/isc/taskpool.c
new file mode 100644
index 0000000..0b400bf
--- /dev/null
+++ b/contrib/bind9/lib/isc/taskpool.c
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: taskpool.c,v 1.10.12.3 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/taskpool.h>
+#include <isc/util.h>
+
+/***
+ *** Types.
+ ***/
+
+struct isc_taskpool {
+ isc_mem_t * mctx;
+ unsigned int ntasks;
+ isc_task_t ** tasks;
+};
+/***
+ *** Functions.
+ ***/
+
+isc_result_t
+isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
+ unsigned int ntasks, unsigned int quantum,
+ isc_taskpool_t **poolp)
+{
+ unsigned int i;
+ isc_taskpool_t *pool;
+ isc_result_t result;
+
+ INSIST(ntasks > 0);
+ pool = isc_mem_get(mctx, sizeof(*pool));
+ if (pool == NULL)
+ return (ISC_R_NOMEMORY);
+ pool->mctx = mctx;
+ pool->ntasks = ntasks;
+ pool->tasks = isc_mem_get(mctx, ntasks * sizeof(isc_task_t *));
+ for (i = 0; i < ntasks; i++)
+ pool->tasks[i] = NULL;
+ for (i = 0; i < ntasks; i++) {
+ result = isc_task_create(tmgr, quantum, &pool->tasks[i]);
+ if (result != ISC_R_SUCCESS) {
+ isc_taskpool_destroy(&pool);
+ return (result);
+ }
+ }
+ *poolp = pool;
+ return (ISC_R_SUCCESS);
+}
+
+void isc_taskpool_gettask(isc_taskpool_t *pool, unsigned int hash,
+ isc_task_t **targetp)
+{
+ isc_task_attach(pool->tasks[hash % pool->ntasks], targetp);
+}
+
+void
+isc_taskpool_destroy(isc_taskpool_t **poolp) {
+ unsigned int i;
+ isc_taskpool_t *pool = *poolp;
+ for (i = 0; i < pool->ntasks; i++) {
+ if (pool->tasks[i] != NULL) {
+ isc_task_detach(&pool->tasks[i]);
+ }
+ }
+ isc_mem_put(pool->mctx, pool->tasks,
+ pool->ntasks * sizeof(isc_task_t *));
+ isc_mem_put(pool->mctx, pool, sizeof(*pool));
+ *poolp = NULL;
+}
+
+
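Review bot: In `isc_taskpool_create()` the result of the second `isc_mem_get()` (the `pool->tasks` array) is never checked, so on allocation failure the following loop writes `pool->tasks[i] = NULL` through a NULL pointer instead of returning `ISC_R_NOMEMORY` as the first allocation does. A guard directly after the allocation would fix this and free the already-allocated pool: `if (pool->tasks == NULL) { isc_mem_put(mctx, pool, sizeof(*pool)); return (ISC_R_NOMEMORY); }`. The function also checks only `ntasks > 0`; unlike the other creators in this library it does not validate its output pointer, so `REQUIRE(poolp != NULL && *poolp == NULL);` would make the contract explicit. The product `ntasks * sizeof(isc_task_t *)` is computed unchecked here and again in `isc_taskpool_destroy()`, which is presumably fine for the small pool sizes callers pass but is worth a comment stating that assumption.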
diff --git a/contrib/bind9/lib/isc/timer.c b/contrib/bind9/lib/isc/timer.c
new file mode 100644
index 0000000..f3cdd91
--- /dev/null
+++ b/contrib/bind9/lib/isc/timer.c
@@ -0,0 +1,920 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer.c,v 1.64.12.9 2004/03/08 09:04:50 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/condition.h>
+#include <isc/heap.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/platform.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/time.h>
+#include <isc/timer.h>
+#include <isc/util.h>
+
+#ifndef ISC_PLATFORM_USETHREADS
+#include "timer_p.h"
+#endif /* ISC_PLATFORM_USETHREADS */
+
+#ifdef ISC_TIMER_TRACE
+#define XTRACE(s) fprintf(stderr, "%s\n", (s))
+#define XTRACEID(s, t) fprintf(stderr, "%s %p\n", (s), (t))
+#define XTRACETIME(s, d) fprintf(stderr, "%s %u.%09u\n", (s), \
+ (d).seconds, (d).nanoseconds)
+#define XTRACETIME2(s, d, n) fprintf(stderr, "%s %u.%09u %u.%09u\n", (s), \
+ (d).seconds, (d).nanoseconds, (n).seconds, (n).nanoseconds)
+#define XTRACETIMER(s, t, d) fprintf(stderr, "%s %p %u.%09u\n", (s), (t), \
+ (d).seconds, (d).nanoseconds)
+#else
+#define XTRACE(s)
+#define XTRACEID(s, t)
+#define XTRACETIME(s, d)
+#define XTRACETIME2(s, d, n)
+#define XTRACETIMER(s, t, d)
+#endif /* ISC_TIMER_TRACE */
+
+#define TIMER_MAGIC ISC_MAGIC('T', 'I', 'M', 'R')
+#define VALID_TIMER(t) ISC_MAGIC_VALID(t, TIMER_MAGIC)
+
+struct isc_timer {
+ /* Not locked. */
+ unsigned int magic;
+ isc_timermgr_t * manager;
+ isc_mutex_t lock;
+ /* Locked by timer lock. */
+ unsigned int references;
+ isc_time_t idle;
+ /* Locked by manager lock. */
+ isc_timertype_t type;
+ isc_time_t expires;
+ isc_interval_t interval;
+ isc_task_t * task;
+ isc_taskaction_t action;
+ void * arg;
+ unsigned int index;
+ isc_time_t due;
+ LINK(isc_timer_t) link;
+};
+
+#define TIMER_MANAGER_MAGIC ISC_MAGIC('T', 'I', 'M', 'M')
+#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, TIMER_MANAGER_MAGIC)
+
+struct isc_timermgr {
+ /* Not locked. */
+ unsigned int magic;
+ isc_mem_t * mctx;
+ isc_mutex_t lock;
+ /* Locked by manager lock. */
+ isc_boolean_t done;
+ LIST(isc_timer_t) timers;
+ unsigned int nscheduled;
+ isc_time_t due;
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_condition_t wakeup;
+ isc_thread_t thread;
+#else /* ISC_PLATFORM_USETHREADS */
+ unsigned int refs;
+#endif /* ISC_PLATFORM_USETHREADS */
+ isc_heap_t * heap;
+};
+
+#ifndef ISC_PLATFORM_USETHREADS
+/*
+ * If threads are not in use, there can be only one.
+ */
+static isc_timermgr_t *timermgr = NULL;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+static inline isc_result_t
+schedule(isc_timer_t *timer, isc_time_t *now, isc_boolean_t signal_ok) {
+ isc_result_t result;
+ isc_timermgr_t *manager;
+ isc_time_t due;
+ int cmp;
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_boolean_t timedwait;
+#endif
+
+ /*
+ * Note: the caller must ensure locking.
+ */
+
+ REQUIRE(timer->type != isc_timertype_inactive);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ UNUSED(signal_ok);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ manager = timer->manager;
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * If the manager was timed wait, we may need to signal the
+ * manager to force a wakeup.
+ */
+ timedwait = ISC_TF(manager->nscheduled > 0 &&
+ isc_time_seconds(&manager->due) != 0);
+#endif
+
+ /*
+ * Compute the new due time.
+ */
+ if (timer->type != isc_timertype_once) {
+ result = isc_time_add(now, &timer->interval, &due);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (timer->type == isc_timertype_limited &&
+ isc_time_compare(&timer->expires, &due) < 0)
+ due = timer->expires;
+ } else {
+ if (isc_time_isepoch(&timer->idle))
+ due = timer->expires;
+ else if (isc_time_isepoch(&timer->expires))
+ due = timer->idle;
+ else if (isc_time_compare(&timer->idle, &timer->expires) < 0)
+ due = timer->idle;
+ else
+ due = timer->expires;
+ }
+
+ /*
+ * Schedule the timer.
+ */
+
+ if (timer->index > 0) {
+ /*
+ * Already scheduled.
+ */
+ cmp = isc_time_compare(&due, &timer->due);
+ timer->due = due;
+ switch (cmp) {
+ case -1:
+ isc_heap_increased(manager->heap, timer->index);
+ break;
+ case 1:
+ isc_heap_decreased(manager->heap, timer->index);
+ break;
+ case 0:
+ /* Nothing to do. */
+ break;
+ }
+ } else {
+ timer->due = due;
+ result = isc_heap_insert(manager->heap, timer);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(result == ISC_R_NOMEMORY);
+ return (ISC_R_NOMEMORY);
+ }
+ manager->nscheduled++;
+ }
+
+ XTRACETIMER(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+ ISC_MSG_SCHEDULE, "schedule"), timer, due);
+
+ /*
+ * If this timer is at the head of the queue, we need to ensure
+ * that we won't miss it if it has a more recent due time than
+ * the current "next" timer. We do this either by waking up the
+ * run thread, or explicitly setting the value in the manager.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+
+ /*
+ * This is a temporary (probably) hack to fix a bug on tru64 5.1
+ * and 5.1a. Sometimes, pthread_cond_timedwait() doesn't actually
+ * return when the time expires, so here, we check to see if
+ * we're 15 seconds or more behind, and if we are, we signal
+ * the dispatcher. This isn't such a bad idea as a general purpose
+ * watchdog, so perhaps we should just leave it in here.
+ */
+ if (signal_ok && timedwait) {
+ isc_interval_t fifteen;
+ isc_time_t then;
+
+ isc_interval_set(&fifteen, 15, 0);
+ isc_time_add(&manager->due, &fifteen, &then);
+
+ if (isc_time_compare(&then, now) < 0) {
+ SIGNAL(&manager->wakeup);
+ signal_ok = ISC_FALSE;
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_TIMER, ISC_LOG_WARNING,
+ "*** POKED TIMER ***");
+ }
+ }
+
+ if (timer->index == 1 && signal_ok) {
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+ ISC_MSG_SIGNALSCHED,
+ "signal (schedule)"));
+ SIGNAL(&manager->wakeup);
+ }
+#else /* ISC_PLATFORM_USETHREADS */
+ if (timer->index == 1 &&
+ isc_time_compare(&timer->due, &manager->due) < 0)
+ manager->due = timer->due;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+deschedule(isc_timer_t *timer) {
+ isc_boolean_t need_wakeup = ISC_FALSE;
+ isc_timermgr_t *manager;
+
+ /*
+ * The caller must ensure locking.
+ */
+
+ manager = timer->manager;
+ if (timer->index > 0) {
+ if (timer->index == 1)
+ need_wakeup = ISC_TRUE;
+ isc_heap_delete(manager->heap, timer->index);
+ timer->index = 0;
+ INSIST(manager->nscheduled > 0);
+ manager->nscheduled--;
+#ifdef ISC_PLATFORM_USETHREADS
+ if (need_wakeup) {
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+ ISC_MSG_SIGNALDESCHED,
+ "signal (deschedule)"));
+ SIGNAL(&manager->wakeup);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+ }
+}
+
+static void
+destroy(isc_timer_t *timer) {
+ isc_timermgr_t *manager = timer->manager;
+
+ /*
+ * The caller must ensure it is safe to destroy the timer.
+ */
+
+ LOCK(&manager->lock);
+
+ (void)isc_task_purgerange(timer->task,
+ timer,
+ ISC_TIMEREVENT_FIRSTEVENT,
+ ISC_TIMEREVENT_LASTEVENT,
+ NULL);
+ deschedule(timer);
+ UNLINK(manager->timers, timer, link);
+
+ UNLOCK(&manager->lock);
+
+ isc_task_detach(&timer->task);
+ DESTROYLOCK(&timer->lock);
+ timer->magic = 0;
+ isc_mem_put(manager->mctx, timer, sizeof(*timer));
+}
+
+isc_result_t
+isc_timer_create(isc_timermgr_t *manager, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_timer_t **timerp)
+{
+ isc_timer_t *timer;
+ isc_result_t result;
+ isc_time_t now;
+
+ /*
+ * Create a new 'type' timer managed by 'manager'. The timers
+ * parameters are specified by 'expires' and 'interval'. Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value. The new timer is returned
+ * in 'timerp'.
+ */
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+ if (expires == NULL)
+ expires = isc_time_epoch;
+ if (interval == NULL)
+ interval = isc_interval_zero;
+ REQUIRE(type == isc_timertype_inactive ||
+ !(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+ REQUIRE(timerp != NULL && *timerp == NULL);
+ REQUIRE(type != isc_timertype_limited ||
+ !(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+ /*
+ * Get current time.
+ */
+ if (type != isc_timertype_inactive) {
+ TIME_NOW(&now);
+ } else {
+ /*
+ * We don't have to do this, but it keeps the compiler from
+ * complaining about "now" possibly being used without being
+ * set, even though it will never actually happen.
+ */
+ isc_time_settoepoch(&now);
+ }
+
+
+ timer = isc_mem_get(manager->mctx, sizeof(*timer));
+ if (timer == NULL)
+ return (ISC_R_NOMEMORY);
+
+ timer->manager = manager;
+ timer->references = 1;
+
+ if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+ result = isc_time_add(&now, interval, &timer->idle);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ } else
+ isc_time_settoepoch(&timer->idle);
+
+ timer->type = type;
+ timer->expires = *expires;
+ timer->interval = *interval;
+ timer->task = NULL;
+ isc_task_attach(task, &timer->task);
+ timer->action = action;
+ /*
+ * Removing the const attribute from "arg" is the best of two
+ * evils here. If the timer->arg member is made const, then
+ * it affects a great many recipients of the timer event
+ * which did not pass in an "arg" that was truly const.
+ * Changing isc_timer_create() to not have "arg" prototyped as const,
+ * though, can cause compilers warnings for calls that *do*
+ * have a truly const arg. The caller will have to carefully
+ * keep track of whether arg started as a true const.
+ */
+ DE_CONST(arg, timer->arg);
+ timer->index = 0;
+ if (isc_mutex_init(&timer->lock) != ISC_R_SUCCESS) {
+ isc_task_detach(&timer->task);
+ isc_mem_put(manager->mctx, timer, sizeof(*timer));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+ ISC_LINK_INIT(timer, link);
+ timer->magic = TIMER_MAGIC;
+
+ LOCK(&manager->lock);
+
+ /*
+ * Note we don't have to lock the timer like we normally would because
+ * there are no external references to it yet.
+ */
+
+ if (type != isc_timertype_inactive)
+ result = schedule(timer, &now, ISC_TRUE);
+ else
+ result = ISC_R_SUCCESS;
+ if (result == ISC_R_SUCCESS)
+ APPEND(manager->timers, timer, link);
+
+ UNLOCK(&manager->lock);
+
+ if (result != ISC_R_SUCCESS) {
+ timer->magic = 0;
+ DESTROYLOCK(&timer->lock);
+ isc_task_detach(&timer->task);
+ isc_mem_put(manager->mctx, timer, sizeof(*timer));
+ return (result);
+ }
+
+ *timerp = timer;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_timer_reset(isc_timer_t *timer, isc_timertype_t type,
+ isc_time_t *expires, isc_interval_t *interval,
+ isc_boolean_t purge)
+{
+ isc_time_t now;
+ isc_timermgr_t *manager;
+ isc_result_t result;
+
+ /*
+ * Change the timer's type, expires, and interval values to the given
+ * values. If 'purge' is ISC_TRUE, any pending events from this timer
+ * are purged from its task's event queue.
+ */
+
+ REQUIRE(VALID_TIMER(timer));
+ manager = timer->manager;
+ REQUIRE(VALID_MANAGER(manager));
+ if (expires == NULL)
+ expires = isc_time_epoch;
+ if (interval == NULL)
+ interval = isc_interval_zero;
+ REQUIRE(type == isc_timertype_inactive ||
+ !(isc_time_isepoch(expires) && isc_interval_iszero(interval)));
+ REQUIRE(type != isc_timertype_limited ||
+ !(isc_time_isepoch(expires) || isc_interval_iszero(interval)));
+
+ /*
+ * Get current time.
+ */
+ if (type != isc_timertype_inactive) {
+ TIME_NOW(&now);
+ } else {
+ /*
+ * We don't have to do this, but it keeps the compiler from
+ * complaining about "now" possibly being used without being
+ * set, even though it will never actually happen.
+ */
+ isc_time_settoepoch(&now);
+ }
+
+ manager = timer->manager;
+
+ LOCK(&manager->lock);
+ LOCK(&timer->lock);
+
+ if (purge)
+ (void)isc_task_purgerange(timer->task,
+ timer,
+ ISC_TIMEREVENT_FIRSTEVENT,
+ ISC_TIMEREVENT_LASTEVENT,
+ NULL);
+ timer->type = type;
+ timer->expires = *expires;
+ timer->interval = *interval;
+ if (type == isc_timertype_once && !isc_interval_iszero(interval)) {
+ result = isc_time_add(&now, interval, &timer->idle);
+ } else {
+ isc_time_settoepoch(&timer->idle);
+ result = ISC_R_SUCCESS;
+ }
+
+ if (result == ISC_R_SUCCESS) {
+ if (type == isc_timertype_inactive) {
+ deschedule(timer);
+ result = ISC_R_SUCCESS;
+ } else
+ result = schedule(timer, &now, ISC_TRUE);
+ }
+
+ UNLOCK(&timer->lock);
+ UNLOCK(&manager->lock);
+
+ return (result);
+}
+
+isc_result_t
+isc_timer_gettype(isc_timer_t *timer) {
+ isc_timertype_t t;
+
+ REQUIRE(VALID_TIMER(timer));
+
+ LOCK(&timer->lock);
+ t = timer->type;
+ UNLOCK(&timer->lock);
+
+ return (t);
+}
+
+isc_result_t
+isc_timer_touch(isc_timer_t *timer) {
+ isc_result_t result;
+ isc_time_t now;
+
+ /*
+ * Set the last-touched time of 'timer' to the current time.
+ */
+
+ REQUIRE(VALID_TIMER(timer));
+
+ LOCK(&timer->lock);
+
+ /*
+ * We'd like to
+ *
+ * REQUIRE(timer->type == isc_timertype_once);
+ *
+ * but we cannot without locking the manager lock too, which we
+ * don't want to do.
+ */
+
+ TIME_NOW(&now);
+ result = isc_time_add(&now, &timer->interval, &timer->idle);
+
+ UNLOCK(&timer->lock);
+
+ return (result);
+}
+
+void
+isc_timer_attach(isc_timer_t *timer, isc_timer_t **timerp) {
+ /*
+ * Attach *timerp to timer.
+ */
+
+ REQUIRE(VALID_TIMER(timer));
+ REQUIRE(timerp != NULL && *timerp == NULL);
+
+ LOCK(&timer->lock);
+ timer->references++;
+ UNLOCK(&timer->lock);
+
+ *timerp = timer;
+}
+
+void
+isc_timer_detach(isc_timer_t **timerp) {
+ isc_timer_t *timer;
+ isc_boolean_t free_timer = ISC_FALSE;
+
+ /*
+ * Detach *timerp from its timer.
+ */
+
+ REQUIRE(timerp != NULL);
+ timer = *timerp;
+ REQUIRE(VALID_TIMER(timer));
+
+ LOCK(&timer->lock);
+ REQUIRE(timer->references > 0);
+ timer->references--;
+ if (timer->references == 0)
+ free_timer = ISC_TRUE;
+ UNLOCK(&timer->lock);
+
+ if (free_timer)
+ destroy(timer);
+
+ *timerp = NULL;
+}
+
+static void
+dispatch(isc_timermgr_t *manager, isc_time_t *now) {
+ isc_boolean_t done = ISC_FALSE, post_event, need_schedule;
+ isc_event_t *event;
+ isc_eventtype_t type = 0;
+ isc_timer_t *timer;
+ isc_result_t result;
+
+ /*
+ * The caller must be holding the manager lock.
+ */
+
+ while (manager->nscheduled > 0 && !done) {
+ timer = isc_heap_element(manager->heap, 1);
+ INSIST(timer->type != isc_timertype_inactive);
+ if (isc_time_compare(now, &timer->due) >= 0) {
+ if (timer->type == isc_timertype_ticker) {
+ type = ISC_TIMEREVENT_TICK;
+ post_event = ISC_TRUE;
+ need_schedule = ISC_TRUE;
+ } else if (timer->type == isc_timertype_limited) {
+ int cmp;
+ cmp = isc_time_compare(now, &timer->expires);
+ if (cmp >= 0) {
+ type = ISC_TIMEREVENT_LIFE;
+ post_event = ISC_TRUE;
+ need_schedule = ISC_FALSE;
+ } else {
+ type = ISC_TIMEREVENT_TICK;
+ post_event = ISC_TRUE;
+ need_schedule = ISC_TRUE;
+ }
+ } else if (!isc_time_isepoch(&timer->expires) &&
+ isc_time_compare(now,
+ &timer->expires) >= 0) {
+ type = ISC_TIMEREVENT_LIFE;
+ post_event = ISC_TRUE;
+ need_schedule = ISC_FALSE;
+ } else if (!isc_time_isepoch(&timer->idle) &&
+ isc_time_compare(now,
+ &timer->idle) >= 0) {
+ type = ISC_TIMEREVENT_IDLE;
+ post_event = ISC_TRUE;
+ need_schedule = ISC_FALSE;
+ } else {
+ /*
+ * Idle timer has been touched; reschedule.
+ */
+ XTRACEID(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TIMER,
+ ISC_MSG_IDLERESCHED,
+ "idle reschedule"),
+ timer);
+ post_event = ISC_FALSE;
+ need_schedule = ISC_TRUE;
+ }
+
+ if (post_event) {
+ XTRACEID(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TIMER,
+ ISC_MSG_POSTING,
+ "posting"), timer);
+ /*
+ * XXX We could preallocate this event.
+ */
+ event = isc_event_allocate(manager->mctx,
+ timer,
+ type,
+ timer->action,
+ timer->arg,
+ sizeof(*event));
+
+ if (event != NULL)
+ isc_task_send(timer->task, &event);
+ else
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TIMER,
+ ISC_MSG_EVENTNOTALLOC,
+ "couldn't "
+ "allocate event"));
+ }
+
+ timer->index = 0;
+ isc_heap_delete(manager->heap, 1);
+ manager->nscheduled--;
+
+ if (need_schedule) {
+ result = schedule(timer, now, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_TIMER,
+ ISC_MSG_SCHEDFAIL,
+ "couldn't "
+ "schedule timer: %u"),
+ result);
+ }
+ } else {
+ manager->due = timer->due;
+ done = ISC_TRUE;
+ }
+ }
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+static isc_threadresult_t
+#ifdef _WIN32 /* XXXDCL */
+WINAPI
+#endif
+run(void *uap) {
+ isc_timermgr_t *manager = uap;
+ isc_time_t now;
+ isc_result_t result;
+
+ LOCK(&manager->lock);
+ while (!manager->done) {
+ TIME_NOW(&now);
+
+ XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_RUNNING,
+ "running"), now);
+
+ dispatch(manager, &now);
+
+ if (manager->nscheduled > 0) {
+ XTRACETIME2(isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_WAITUNTIL,
+ "waituntil"),
+ manager->due, now);
+ result = WAITUNTIL(&manager->wakeup, &manager->lock, &manager->due);
+ INSIST(result == ISC_R_SUCCESS ||
+ result == ISC_R_TIMEDOUT);
+ } else {
+ XTRACETIME(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_WAIT, "wait"), now);
+ WAIT(&manager->wakeup, &manager->lock);
+ }
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+ ISC_MSG_WAKEUP, "wakeup"));
+ }
+ UNLOCK(&manager->lock);
+
+ return ((isc_threadresult_t)0);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+static isc_boolean_t
+sooner(void *v1, void *v2) {
+ isc_timer_t *t1, *t2;
+
+ t1 = v1;
+ t2 = v2;
+ REQUIRE(VALID_TIMER(t1));
+ REQUIRE(VALID_TIMER(t2));
+
+ if (isc_time_compare(&t1->due, &t2->due) < 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+static void
+set_index(void *what, unsigned int index) {
+ isc_timer_t *timer;
+
+ timer = what;
+ REQUIRE(VALID_TIMER(timer));
+
+ timer->index = index;
+}
+
+isc_result_t
+isc_timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
+ isc_timermgr_t *manager;
+ isc_result_t result;
+
+ /*
+ * Create a timer manager.
+ */
+
+ REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ if (timermgr != NULL) {
+ timermgr->refs++;
+ *managerp = timermgr;
+ return (ISC_R_SUCCESS);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ manager = isc_mem_get(mctx, sizeof(*manager));
+ if (manager == NULL)
+ return (ISC_R_NOMEMORY);
+
+ manager->magic = TIMER_MANAGER_MAGIC;
+ manager->mctx = NULL;
+ manager->done = ISC_FALSE;
+ INIT_LIST(manager->timers);
+ manager->nscheduled = 0;
+ isc_time_settoepoch(&manager->due);
+ manager->heap = NULL;
+ result = isc_heap_create(mctx, sooner, set_index, 0, &manager->heap);
+ if (result != ISC_R_SUCCESS) {
+ INSIST(result == ISC_R_NOMEMORY);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ return (ISC_R_NOMEMORY);
+ }
+ if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
+ isc_heap_destroy(&manager->heap);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+ isc_mem_attach(mctx, &manager->mctx);
+#ifdef ISC_PLATFORM_USETHREADS
+ if (isc_condition_init(&manager->wakeup) != ISC_R_SUCCESS) {
+ isc_mem_detach(&manager->mctx);
+ DESTROYLOCK(&manager->lock);
+ isc_heap_destroy(&manager->heap);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+ if (isc_thread_create(run, manager, &manager->thread) !=
+ ISC_R_SUCCESS) {
+ isc_mem_detach(&manager->mctx);
+ (void)isc_condition_destroy(&manager->wakeup);
+ DESTROYLOCK(&manager->lock);
+ isc_heap_destroy(&manager->heap);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_thread_create() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+#else /* ISC_PLATFORM_USETHREADS */
+ manager->refs = 1;
+ timermgr = manager;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ *managerp = manager;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_timermgr_poke(isc_timermgr_t *manager) {
+#ifdef ISC_PLATFORM_USETHREADS
+ REQUIRE(VALID_MANAGER(manager));
+
+ SIGNAL(&manager->wakeup);
+#else
+ UNUSED(manager);
+#endif
+}
+
+void
+isc_timermgr_destroy(isc_timermgr_t **managerp) {
+ isc_timermgr_t *manager;
+ isc_mem_t *mctx;
+
+ /*
+ * Destroy a timer manager.
+ */
+
+ REQUIRE(managerp != NULL);
+ manager = *managerp;
+ REQUIRE(VALID_MANAGER(manager));
+
+ LOCK(&manager->lock);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ if (manager->refs > 1) {
+ manager->refs--;
+ UNLOCK(&manager->lock);
+ *managerp = NULL;
+ return;
+ }
+
+ isc__timermgr_dispatch();
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ REQUIRE(EMPTY(manager->timers));
+ manager->done = ISC_TRUE;
+
+#ifdef ISC_PLATFORM_USETHREADS
+ XTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_TIMER,
+ ISC_MSG_SIGNALDESTROY, "signal (destroy)"));
+ SIGNAL(&manager->wakeup);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ UNLOCK(&manager->lock);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Wait for thread to exit.
+ */
+ if (isc_thread_join(manager->thread, NULL) != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_thread_join() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ /*
+ * Clean up.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+ (void)isc_condition_destroy(&manager->wakeup);
+#endif /* ISC_PLATFORM_USETHREADS */
+ DESTROYLOCK(&manager->lock);
+ isc_heap_destroy(&manager->heap);
+ manager->magic = 0;
+ mctx = manager->mctx;
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ isc_mem_detach(&mctx);
+
+ *managerp = NULL;
+}
+
+#ifndef ISC_PLATFORM_USETHREADS
+isc_result_t
+isc__timermgr_nextevent(isc_time_t *when) {
+ if (timermgr == NULL || timermgr->nscheduled == 0)
+ return (ISC_R_NOTFOUND);
+ *when = timermgr->due;
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc__timermgr_dispatch(void) {
+ isc_time_t now;
+ if (timermgr == NULL)
+ return;
+ TIME_NOW(&now);
+ dispatch(timermgr, &now);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/timer_p.h b/contrib/bind9/lib/isc/timer_p.h
new file mode 100644
index 0000000..ad7a5d0
--- /dev/null
+++ b/contrib/bind9/lib/isc/timer_p.h
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: timer_p.h,v 1.4.12.3 2004/03/08 09:04:50 marka Exp $ */
+
+#ifndef ISC_TIMER_P_H
+#define ISC_TIMER_P_H
+
+isc_result_t
+isc__timermgr_nextevent(isc_time_t *when);
+
+void
+isc__timermgr_dispatch(void);
+
+#endif /* ISC_TIMER_P_H */
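Review bot: Both prototypes in this header are declared unconditionally, but the definitions just before it in this diff (apparently timer.c) sit inside `#ifndef ISC_PLATFORM_USETHREADS`, so a threaded build that calls either one would compile and then fail at link time. Wrapping the declarations in the same `#ifndef ISC_PLATFORM_USETHREADS` guard would make the contract visible, or at least a comment such as `/* Non-threaded builds only; defined under !ISC_PLATFORM_USETHREADS. */`. The header also relies on the includer having already pulled in the definitions of `isc_result_t` and `isc_time_t`, as app.c does by including `<isc/time.h>` before `"../timer_p.h"`. Including the needed headers here would make it self-contained.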
diff --git a/contrib/bind9/lib/isc/unix/Makefile.in b/contrib/bind9/lib/isc/unix/Makefile.in
new file mode 100644
index 0000000..49845d4
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/Makefile.in
@@ -0,0 +1,51 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.35.2.1.10.2 2004/06/22 02:48:36 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+CINCLUDES = -I${srcdir}/include \
+ -I${srcdir}/../@ISC_THREAD_DIR@/include \
+ -I../include \
+ -I${srcdir}/../include \
+ -I${srcdir}/..
+
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS = @ISC_IPV6_O@ \
+ app.@O@ dir.@O@ entropy.@O@ errno2result.@O@ file.@O@ \
+ fsaccess.@O@ interfaceiter.@O@ keyboard.@O@ net.@O@ \
+ os.@O@ resource.@O@ socket.@O@ stdio.@O@ stdtime.@O@ \
+ strerror.@O@ syslog.@O@ time.@O@
+
+# Alphabetically
+SRCS = @ISC_IPV6_C@ \
+ app.c dir.c entropy.c errno2result.c file.c \
+ fsaccess.c interfaceiter.c keyboard.c net.c \
+ os.c resource.c socket.c stdio.c stdtime.c \
+ strerror.c syslog.c time.c
+
+SUBDIRS = include
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
+
+interfaceiter.@O@: interfaceiter.c ifiter_ioctl.c ifiter_sysctl.c ifiter_getifaddrs.c
+
diff --git a/contrib/bind9/lib/isc/unix/app.c b/contrib/bind9/lib/isc/unix/app.c
new file mode 100644
index 0000000..811d67b
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/app.c
@@ -0,0 +1,681 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: app.c,v 1.43.2.3.8.5 2004/03/08 02:08:05 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/param.h> /* Openserver 5.0.6A and FD_SETSIZE */
+#include <sys/types.h>
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/time.h>
+
+#include <isc/app.h>
+#include <isc/boolean.h>
+#include <isc/condition.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/event.h>
+#include <isc/platform.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#ifdef ISC_PLATFORM_USETHREADS
+#include <pthread.h>
+#else /* ISC_PLATFORM_USETHREADS */
+#include "../timer_p.h"
+#include "../task_p.h"
+#include "socket_p.h"
+#endif /* ISC_PLATFORM_USETHREADS */
+
+static isc_eventlist_t on_run;
+static isc_mutex_t lock;
+static isc_boolean_t shutdown_requested = ISC_FALSE;
+static isc_boolean_t running = ISC_FALSE;
+/*
+ * We assume that 'want_shutdown' can be read and written atomically.
+ */
+static isc_boolean_t want_shutdown = ISC_FALSE;
+/*
+ * We assume that 'want_reload' can be read and written atomically.
+ */
+static isc_boolean_t want_reload = ISC_FALSE;
+
+static isc_boolean_t blocked = ISC_FALSE;
+#ifdef ISC_PLATFORM_USETHREADS
+static pthread_t blockedthread;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+#ifdef HAVE_LINUXTHREADS
+/*
+ * Linux has sigwait(), but it appears to prevent signal handlers from
+ * running, even if they're not in the set being waited for. This makes
+ * it impossible to get the default actions for SIGILL, SIGSEGV, etc.
+ * Instead of messing with it, we just use sigsuspend() instead.
+ */
+#undef HAVE_SIGWAIT
+/*
+ * We need to remember which thread is the main thread...
+ */
+static pthread_t main_thread;
+#endif
+
+#ifndef HAVE_SIGWAIT
+static void
+exit_action(int arg) {
+ UNUSED(arg);
+ want_shutdown = ISC_TRUE;
+}
+
+static void
+reload_action(int arg) {
+ UNUSED(arg);
+ want_reload = ISC_TRUE;
+}
+#endif
+
+static isc_result_t
+handle_signal(int sig, void (*handler)(int)) {
+ struct sigaction sa;
+ char strbuf[ISC_STRERRORSIZE];
+
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_handler = handler;
+
+ if (sigfillset(&sa.sa_mask) != 0 ||
+ sigaction(sig, &sa, NULL) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_APP,
+ ISC_MSG_SIGNALSETUP,
+ "handle_signal() %d setup: %s"),
+ sig, strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_start(void) {
+ isc_result_t result;
+ int presult;
+ sigset_t sset;
+ char strbuf[ISC_STRERRORSIZE];
+
+ /*
+ * Start an ISC library application.
+ */
+
+#ifdef NEED_PTHREAD_INIT
+ /*
+ * BSDI 3.1 seg faults in pthread_sigmask() if we don't do this.
+ */
+ presult = pthread_init();
+ if (presult != 0) {
+ isc__strerror(presult, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_start() pthread_init: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#endif
+
+#ifdef HAVE_LINUXTHREADS
+ main_thread = pthread_self();
+#endif
+
+ result = isc_mutex_init(&lock);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+#ifndef HAVE_SIGWAIT
+ /*
+ * Install do-nothing handlers for SIGINT and SIGTERM.
+ *
+ * We install them now because BSDI 3.1 won't block
+ * the default actions, regardless of what we do with
+ * pthread_sigmask().
+ */
+ result = handle_signal(SIGINT, exit_action);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = handle_signal(SIGTERM, exit_action);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+#endif
+
+ /*
+ * Always ignore SIGPIPE.
+ */
+ result = handle_signal(SIGPIPE, SIG_IGN);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * On Solaris 2, delivery of a signal whose action is SIG_IGN
+ * will not cause sigwait() to return. We may have inherited
+ * unexpected actions for SIGHUP, SIGINT, and SIGTERM from our parent
+ * process (e.g, Solaris cron). Set an action of SIG_DFL to make
+ * sure sigwait() works as expected. Only do this for SIGTERM and
+ * SIGINT if we don't have sigwait(), since a different handler is
+ * installed above.
+ */
+ result = handle_signal(SIGHUP, SIG_DFL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+#ifdef HAVE_SIGWAIT
+ result = handle_signal(SIGTERM, SIG_DFL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ result = handle_signal(SIGINT, SIG_DFL);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Block SIGHUP, SIGINT, SIGTERM.
+ *
+ * If isc_app_start() is called from the main thread before any other
+ * threads have been created, then the pthread_sigmask() call below
+ * will result in all threads having SIGHUP, SIGINT and SIGTERM
+ * blocked by default, ensuring that only the thread that calls
+ * sigwait() for them will get those signals.
+ */
+ if (sigemptyset(&sset) != 0 ||
+ sigaddset(&sset, SIGHUP) != 0 ||
+ sigaddset(&sset, SIGINT) != 0 ||
+ sigaddset(&sset, SIGTERM) != 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_start() sigsetops: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ presult = pthread_sigmask(SIG_BLOCK, &sset, NULL);
+ if (presult != 0) {
+ isc__strerror(presult, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_start() pthread_sigmask: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#else /* ISC_PLATFORM_USETHREADS */
+ /*
+ * Unblock SIGHUP, SIGINT, SIGTERM.
+ *
+ * If we're not using threads, we need to make sure that SIGHUP,
+ * SIGINT and SIGTERM are not inherited as blocked from the parent
+ * process.
+ */
+ if (sigemptyset(&sset) != 0 ||
+ sigaddset(&sset, SIGHUP) != 0 ||
+ sigaddset(&sset, SIGINT) != 0 ||
+ sigaddset(&sset, SIGTERM) != 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_start() sigsetops: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ presult = sigprocmask(SIG_UNBLOCK, &sset, NULL);
+ if (presult != 0) {
+ isc__strerror(presult, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_start() sigprocmask: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ ISC_LIST_INIT(on_run);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_onrun(isc_mem_t *mctx, isc_task_t *task, isc_taskaction_t action,
+ void *arg)
+{
+ isc_event_t *event;
+ isc_task_t *cloned_task = NULL;
+ isc_result_t result;
+
+ LOCK(&lock);
+
+ if (running) {
+ result = ISC_R_ALREADYRUNNING;
+ goto unlock;
+ }
+
+ /*
+ * Note that we store the task to which we're going to send the event
+ * in the event's "sender" field.
+ */
+ isc_task_attach(task, &cloned_task);
+ event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
+ action, arg, sizeof(*event));
+ if (event == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto unlock;
+ }
+
+ ISC_LIST_APPEND(on_run, event, ev_link);
+
+ result = ISC_R_SUCCESS;
+
+ unlock:
+ UNLOCK(&lock);
+
+ return (result);
+}
+
+#ifndef ISC_PLATFORM_USETHREADS
+/*
+ * Event loop for nonthreaded programs.
+ */
+static isc_result_t
+evloop() {
+ isc_result_t result;
+ while (!want_shutdown) {
+ int n;
+ isc_time_t when, now;
+ struct timeval tv, *tvp;
+ fd_set readfds, writefds;
+ int maxfd;
+ isc_boolean_t readytasks;
+ isc_boolean_t call_timer_dispatch = ISC_FALSE;
+
+ readytasks = isc__taskmgr_ready();
+ if (readytasks) {
+ tv.tv_sec = 0;
+ tv.tv_usec = 0;
+ tvp = &tv;
+ call_timer_dispatch = ISC_TRUE;
+ } else {
+ result = isc__timermgr_nextevent(&when);
+ if (result != ISC_R_SUCCESS)
+ tvp = NULL;
+ else {
+ isc_uint64_t us;
+
+ TIME_NOW(&now);
+ us = isc_time_microdiff(&when, &now);
+ if (us == 0)
+ call_timer_dispatch = ISC_TRUE;
+ tv.tv_sec = us / 1000000;
+ tv.tv_usec = us % 1000000;
+ tvp = &tv;
+ }
+ }
+
+ isc__socketmgr_getfdsets(&readfds, &writefds, &maxfd);
+ n = select(maxfd, &readfds, &writefds, NULL, tvp);
+
+ if (n == 0 || call_timer_dispatch) {
+ /*
+ * We call isc__timermgr_dispatch() only when
+ * necessary, in order to reduce overhead. If the
+ * select() call indicates a timeout, we need the
+ * dispatch. Even if not, if we set the 0-timeout
+ * for the select() call, we need to check the timer
+ * events. In the 'readytasks' case, there may be no
+ * timeout event actually, but there is no other way
+ * to reduce the overhead.
+ * Note that we do not have to worry about the case
+ * where a new timer is inserted during the select()
+ * call, since this loop only runs in the non-thread
+ * mode.
+ */
+ isc__timermgr_dispatch();
+ }
+ if (n > 0)
+ (void)isc__socketmgr_dispatch(&readfds, &writefds,
+ maxfd);
+ (void)isc__taskmgr_dispatch();
+
+ if (want_reload) {
+ want_reload = ISC_FALSE;
+ return (ISC_R_RELOAD);
+ }
+ }
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * This is a gross hack to support waiting for condition
+ * variables in nonthreaded programs in a limited way;
+ * see lib/isc/nothreads/include/isc/condition.h.
+ * We implement isc_condition_wait() by entering the
+ * event loop recursively until the want_shutdown flag
+ * is set by isc_condition_signal().
+ */
+
+/*
+ * True iff we are currently executing in the recursive
+ * event loop.
+ */
+static isc_boolean_t in_recursive_evloop = ISC_FALSE;
+
+/*
+ * True iff we are exiting the event loop as the result of
+ * a call to isc_condition_signal() rather than a shutdown
+ * or reload.
+ */
+static isc_boolean_t signalled = ISC_FALSE;
+
+isc_result_t
+isc__nothread_wait_hack(isc_condition_t *cp, isc_mutex_t *mp) {
+ isc_result_t result;
+
+ UNUSED(cp);
+ UNUSED(mp);
+
+ INSIST(!in_recursive_evloop);
+ in_recursive_evloop = ISC_TRUE;
+
+ INSIST(*mp == 1); /* Mutex must be locked on entry. */
+ --*mp;
+
+ result = evloop();
+ if (result == ISC_R_RELOAD)
+ want_reload = ISC_TRUE;
+ if (signalled) {
+ want_shutdown = ISC_FALSE;
+ signalled = ISC_FALSE;
+ }
+
+ ++*mp;
+ in_recursive_evloop = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__nothread_signal_hack(isc_condition_t *cp) {
+
+ UNUSED(cp);
+
+ INSIST(in_recursive_evloop);
+
+ want_shutdown = ISC_TRUE;
+ signalled = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+}
+
+#endif /* ISC_PLATFORM_USETHREADS */
+
+isc_result_t
+isc_app_run(void) {
+ int result;
+ isc_event_t *event, *next_event;
+ isc_task_t *task;
+#ifdef ISC_PLATFORM_USETHREADS
+ sigset_t sset;
+ char strbuf[ISC_STRERRORSIZE];
+#endif /* ISC_PLATFORM_USETHREADS */
+#ifdef HAVE_SIGWAIT
+ int sig;
+#endif
+
+#ifdef HAVE_LINUXTHREADS
+ REQUIRE(main_thread == pthread_self());
+#endif
+
+ LOCK(&lock);
+
+ if (!running) {
+ running = ISC_TRUE;
+
+ /*
+ * Post any on-run events (in FIFO order).
+ */
+ for (event = ISC_LIST_HEAD(on_run);
+ event != NULL;
+ event = next_event) {
+ next_event = ISC_LIST_NEXT(event, ev_link);
+ ISC_LIST_UNLINK(on_run, event, ev_link);
+ task = event->ev_sender;
+ event->ev_sender = NULL;
+ isc_task_sendanddetach(&task, &event);
+ }
+
+ }
+
+ UNLOCK(&lock);
+
+#ifndef HAVE_SIGWAIT
+ /*
+ * Catch SIGHUP.
+ *
+ * We do this here to ensure that the signal handler is installed
+ * (i.e. that it wasn't a "one-shot" handler).
+ */
+ result = handle_signal(SIGHUP, reload_action);
+ if (result != ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+#endif
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * There is no danger if isc_app_shutdown() is called before we wait
+ * for signals. Signals are blocked, so any such signal will simply
+ * be made pending and we will get it when we call sigwait().
+ */
+
+ while (!want_shutdown) {
+#ifdef HAVE_SIGWAIT
+ /*
+ * Wait for SIGHUP, SIGINT, or SIGTERM.
+ */
+ if (sigemptyset(&sset) != 0 ||
+ sigaddset(&sset, SIGHUP) != 0 ||
+ sigaddset(&sset, SIGINT) != 0 ||
+ sigaddset(&sset, SIGTERM) != 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_run() sigsetops: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+#ifndef HAVE_UNIXWARE_SIGWAIT
+ result = sigwait(&sset, &sig);
+ if (result == 0) {
+ if (sig == SIGINT ||
+ sig == SIGTERM)
+ want_shutdown = ISC_TRUE;
+ else if (sig == SIGHUP)
+ want_reload = ISC_TRUE;
+ }
+
+#else /* Using UnixWare sigwait semantics. */
+ sig = sigwait(&sset);
+ if (sig >= 0) {
+ if (sig == SIGINT ||
+ sig == SIGTERM)
+ want_shutdown = ISC_TRUE;
+ else if (sig == SIGHUP)
+ want_reload = ISC_TRUE;
+ }
+
+#endif /* HAVE_UNIXWARE_SIGWAIT */
+#else /* Don't have sigwait(). */
+ /*
+ * Listen for all signals.
+ */
+ if (sigemptyset(&sset) != 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_run() sigsetops: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ result = sigsuspend(&sset);
+#endif /* HAVE_SIGWAIT */
+
+ if (want_reload) {
+ want_reload = ISC_FALSE;
+ return (ISC_R_RELOAD);
+ }
+
+ if (want_shutdown && blocked)
+ exit(1);
+ }
+
+#else /* ISC_PLATFORM_USETHREADS */
+
+ (void)isc__taskmgr_dispatch();
+
+ result = evloop();
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_shutdown(void) {
+ isc_boolean_t want_kill = ISC_TRUE;
+ char strbuf[ISC_STRERRORSIZE];
+
+ LOCK(&lock);
+
+ REQUIRE(running);
+
+ if (shutdown_requested)
+ want_kill = ISC_FALSE;
+ else
+ shutdown_requested = ISC_TRUE;
+
+ UNLOCK(&lock);
+
+ if (want_kill) {
+#ifdef HAVE_LINUXTHREADS
+ int result;
+
+ result = pthread_kill(main_thread, SIGTERM);
+ if (result != 0) {
+ isc__strerror(result, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_shutdown() pthread_kill: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#else
+ if (kill(getpid(), SIGTERM) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_shutdown() kill: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#endif
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_app_reload(void) {
+ isc_boolean_t want_kill = ISC_TRUE;
+ char strbuf[ISC_STRERRORSIZE];
+
+ LOCK(&lock);
+
+ REQUIRE(running);
+
+ /*
+ * Don't send the reload signal if we're shutting down.
+ */
+ if (shutdown_requested)
+ want_kill = ISC_FALSE;
+
+ UNLOCK(&lock);
+
+ if (want_kill) {
+#ifdef HAVE_LINUXTHREADS
+ int result;
+
+ result = pthread_kill(main_thread, SIGHUP);
+ if (result != 0) {
+ isc__strerror(result, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_reload() pthread_kill: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#else
+ if (kill(getpid(), SIGHUP) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_app_reload() kill: %s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+#endif
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_app_finish(void) {
+ DESTROYLOCK(&lock);
+}
+
+void
+isc_app_block(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+ sigset_t sset;
+#endif /* ISC_PLATFORM_USETHREADS */
+ REQUIRE(running);
+ REQUIRE(!blocked);
+
+ blocked = ISC_TRUE;
+#ifdef ISC_PLATFORM_USETHREADS
+ blockedthread = pthread_self();
+ RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+ sigaddset(&sset, SIGINT) == 0 &&
+ sigaddset(&sset, SIGTERM) == 0);
+ RUNTIME_CHECK(pthread_sigmask(SIG_UNBLOCK, &sset, NULL) == 0);
+#endif /* ISC_PLATFORM_USETHREADS */
+}
+
+void
+isc_app_unblock(void) {
+#ifdef ISC_PLATFORM_USETHREADS
+ sigset_t sset;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ REQUIRE(running);
+ REQUIRE(blocked);
+
+ blocked = ISC_FALSE;
+
+#ifdef ISC_PLATFORM_USETHREADS
+ REQUIRE(blockedthread == pthread_self());
+
+ RUNTIME_CHECK(sigemptyset(&sset) == 0 &&
+ sigaddset(&sset, SIGINT) == 0 &&
+ sigaddset(&sset, SIGTERM) == 0);
+ RUNTIME_CHECK(pthread_sigmask(SIG_BLOCK, &sset, NULL) == 0);
+#endif /* ISC_PLATFORM_USETHREADS */
+}
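Review bot: In `isc_app_onrun()`, the `event == NULL` branch jumps to `unlock` after `isc_task_attach(task, &cloned_task)` has already taken a reference, so each failed allocation leaks a task reference and would presumably keep that task from ever being freed; add `isc_task_detach(&cloned_task);` before `result = ISC_R_NOMEMORY;`. In `isc_app_run()`, a failed `handle_signal(SIGHUP, reload_action)` returns `ISC_R_SUCCESS`, so the caller cannot tell a signal-setup failure from a normal shutdown; `return (result);` looks like what was intended. In the non-threaded branch of `isc_app_start()`, `sigprocmask()` reports failure through `errno`, so `isc__strerror(presult, ...)` formats the -1 return value rather than the real error and should pass `errno`, as the `sigsetops` check just above it does. Because this is a vendor import, these are best reported upstream rather than patched locally.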
diff --git a/contrib/bind9/lib/isc/unix/dir.c b/contrib/bind9/lib/isc/unix/dir.c
new file mode 100644
index 0000000..85a1217
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/dir.c
@@ -0,0 +1,225 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dir.c,v 1.18.2.1.2.3 2004/03/08 09:04:55 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/dir.h>
+#include <isc/magic.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#define ISC_DIR_MAGIC ISC_MAGIC('D', 'I', 'R', '*')
+#define VALID_DIR(dir) ISC_MAGIC_VALID(dir, ISC_DIR_MAGIC)
+
+void
+isc_dir_init(isc_dir_t *dir) {
+ REQUIRE(dir != NULL);
+
+ dir->entry.name[0] = '\0';
+ dir->entry.length = 0;
+
+ dir->handle = NULL;
+
+ dir->magic = ISC_DIR_MAGIC;
+}
+
+/*
+ * Allocate workspace and open directory stream. If either one fails,
+ * NULL will be returned.
+ */
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(VALID_DIR(dir));
+ REQUIRE(dirname != NULL);
+
+ /*
+ * Open stream.
+ */
+ dir->handle = opendir(dirname);
+
+ if (dir->handle == NULL)
+ return isc__errno2result(errno);
+
+ return (result);
+}
+
+/*
+ * Return previously retrieved file or get next one. Unix's dirent has
+ * separate open and read functions, but the Win32 and DOS interfaces open
+ * the dir stream and reads the first file in one operation.
+ */
+isc_result_t
+isc_dir_read(isc_dir_t *dir) {
+ struct dirent *entry;
+
+ REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+ /*
+ * Fetch next file in directory.
+ */
+ entry = readdir(dir->handle);
+
+ if (entry == NULL)
+ return (ISC_R_NOMORE);
+
+ /*
+ * Make sure that the space for the name is long enough.
+ */
+ if (sizeof(dir->entry.name) <= strlen(entry->d_name))
+ return (ISC_R_UNEXPECTED);
+
+ strcpy(dir->entry.name, entry->d_name);
+
+ /*
+ * Some dirents have d_namlen, but it is not portable.
+ */
+ dir->entry.length = strlen(entry->d_name);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Close directory stream.
+ */
+void
+isc_dir_close(isc_dir_t *dir) {
+ REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+ (void)closedir(dir->handle);
+ dir->handle = NULL;
+}
+
+/*
+ * Reposition directory stream at start.
+ */
+isc_result_t
+isc_dir_reset(isc_dir_t *dir) {
+ REQUIRE(VALID_DIR(dir) && dir->handle != NULL);
+
+ rewinddir(dir->handle);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chdir(const char *dirname) {
+ /*
+ * Change the current directory to 'dirname'.
+ */
+
+ REQUIRE(dirname != NULL);
+
+ if (chdir(dirname) < 0)
+ return (isc__errno2result(errno));
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_chroot(const char *dirname) {
+
+ REQUIRE(dirname != NULL);
+
+ if (chroot(dirname) < 0)
+ return (isc__errno2result(errno));
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_dir_createunique(char *templet) {
+ isc_result_t result;
+ char *x;
+ char *p;
+ int i;
+ int pid;
+
+ REQUIRE(templet != NULL);
+
+ /*
+ * mkdtemp is not portable, so this emulates it.
+ */
+
+ pid = getpid();
+
+ /*
+ * Replace trailing Xs with the process-id, zero-filled.
+ */
+ for (x = templet + strlen(templet) - 1; *x == 'X' && x >= templet;
+ x--, pid /= 10)
+ *x = pid % 10 + '0';
+
+ x++; /* Set x to start of ex-Xs. */
+
+ do {
+ i = mkdir(templet, 0700);
+ if (i == 0 || errno != EEXIST)
+ break;
+
+ /*
+ * The BSD algorithm.
+ */
+ p = x;
+ while (*p != '\0') {
+ if (isdigit(*p & 0xff))
+ *p = 'a';
+ else if (*p != 'z')
+ ++*p;
+ else {
+ /*
+ * Reset character and move to next.
+ */
+ *p++ = 'a';
+ continue;
+ }
+
+ break;
+ }
+
+ if (*p == '\0') {
+ /*
+ * Tried all combinations. errno should already
+ * be EEXIST, but ensure it is anyway for
+ * isc__errno2result().
+ */
+ errno = EEXIST;
+ break;
+ }
+ } while (1);
+
+ if (i == -1)
+ result = isc__errno2result(errno);
+ else
+ result = ISC_R_SUCCESS;
+
+ return (result);
+}
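Review bot: `isc_dir_chroot()` returns success right after `chroot(dirname)` without changing the working directory, so a process whose current directory was outside `dirname` keeps a reference outside the new root unless every caller remembers to `chdir("/")` afterwards; nothing in this hunk shows that callers do. Folding it into the helper, `if (chroot(dirname) < 0 || chdir("/") < 0) return (isc__errno2result(errno));`, makes the confinement hold by construction. Separately, the X-replacement loop in `isc_dir_createunique()` tests `*x == 'X'` before `x >= templet`, so an empty or all-X template reads one byte before the buffer; swap the operands to `x >= templet && *x == 'X'`.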
diff --git a/contrib/bind9/lib/isc/unix/entropy.c b/contrib/bind9/lib/isc/unix/entropy.c
new file mode 100644
index 0000000..a2cbb3c
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/entropy.c
@@ -0,0 +1,589 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: entropy.c,v 1.60.2.3.8.9 2004/03/16 05:02:31 marka Exp $ */
+
+/*
+ * This is the system depenedent part of the ISC entropy API.
+ */
+
+#include <config.h>
+
+#include <sys/param.h> /* Openserver 5.0.6A and FD_SETSIZE */
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include <unistd.h>
+
+#include <isc/platform.h>
+#include <isc/strerror.h>
+
+#ifdef ISC_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+#include "errno2result.h"
+
+/*
+ * There is only one variable in the entropy data structures that is not
+ * system independent, but pulling the structure that uses it into this file
+ * ultimately means pulling several other independent structures here also to
+ * resolve their interdependencies. Thus only the problem variable's type
+ * is defined here.
+ */
+#define FILESOURCE_HANDLE_TYPE int
+
+typedef struct {
+ int handle;
+ enum {
+ isc_usocketsource_disconnected,
+ isc_usocketsource_connecting,
+ isc_usocketsource_connected,
+ isc_usocketsource_ndesired,
+ isc_usocketsource_wrote,
+ isc_usocketsource_reading
+ } status;
+ size_t sz_to_recv;
+} isc_entropyusocketsource_t;
+
+#include "../entropy.c"
+
+static unsigned int
+get_from_filesource(isc_entropysource_t *source, isc_uint32_t desired) {
+ isc_entropy_t *ent = source->ent;
+ unsigned char buf[128];
+ int fd = source->sources.file.handle;
+ ssize_t n, ndesired;
+ unsigned int added;
+
+ if (source->bad)
+ return (0);
+
+ desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+ added = 0;
+ while (desired > 0) {
+ ndesired = ISC_MIN(desired, sizeof(buf));
+ n = read(fd, buf, ndesired);
+ if (n < 0) {
+ if (errno == EAGAIN || errno == EINTR)
+ goto out;
+ goto err;
+ }
+ if (n == 0)
+ goto err;
+
+ entropypool_adddata(ent, buf, n, n * 8);
+ added += n * 8;
+ desired -= n;
+ }
+ goto out;
+
+ err:
+ (void)close(fd);
+ source->sources.file.handle = -1;
+ source->bad = ISC_TRUE;
+
+ out:
+ return (added);
+}
+
+static unsigned int
+get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
+ isc_entropy_t *ent = source->ent;
+ unsigned char buf[128];
+ int fd = source->sources.usocket.handle;
+ ssize_t n = 0, ndesired;
+ unsigned int added;
+ size_t sz_to_recv = source->sources.usocket.sz_to_recv;
+
+ if (source->bad)
+ return (0);
+
+ desired = desired / 8 + (((desired & 0x07) > 0) ? 1 : 0);
+
+ added = 0;
+ while (desired > 0) {
+ ndesired = ISC_MIN(desired, sizeof(buf));
+ eagain_loop:
+
+ switch ( source->sources.usocket.status ) {
+ case isc_usocketsource_ndesired:
+ buf[0] = ndesired;
+ if ((n = send(fd, buf, 1, 0)) < 0) {
+ if (errno == EWOULDBLOCK || errno == EINTR ||
+ errno == ECONNRESET)
+ goto out;
+ goto err;
+ }
+ INSIST(n == 1);
+ source->sources.usocket.status =
+ isc_usocketsource_wrote;
+ goto eagain_loop;
+
+ case isc_usocketsource_connecting:
+ case isc_usocketsource_connected:
+ buf[0] = 1;
+ buf[1] = ndesired;
+ if ((n = send(fd, buf, 2, 0)) < 0) {
+ if (errno == EWOULDBLOCK || errno == EINTR ||
+ errno == ECONNRESET)
+ goto out;
+ goto err;
+ }
+ if (n == 1) {
+ source->sources.usocket.status =
+ isc_usocketsource_ndesired;
+ goto eagain_loop;
+ }
+ INSIST(n == 2);
+ source->sources.usocket.status =
+ isc_usocketsource_wrote;
+ /*FALLTHROUGH*/
+
+ case isc_usocketsource_wrote:
+ if (recv(fd, buf, 1, 0) != 1) {
+ if (errno == EAGAIN) {
+ /*
+ * The problem of EAGAIN (try again
+ * later) is a major issue on HP-UX.
+ * Solaris actually tries the recv
+ * call again, while HP-UX just dies.
+ * This code is an attempt to let the
+ * entropy pool fill back up (at least
+ * that's what I think the problem is.)
+ * We go to eagain_loop because if we
+ * just "break", then the "desired"
+ * amount gets borked.
+ */
+ usleep(1000);
+ goto eagain_loop;
+ }
+ if (errno == EWOULDBLOCK || errno == EINTR)
+ goto out;
+ goto err;
+ }
+ source->sources.usocket.status =
+ isc_usocketsource_reading;
+ sz_to_recv = buf[0];
+ source->sources.usocket.sz_to_recv = sz_to_recv;
+ if (sz_to_recv > sizeof(buf))
+ goto err;
+ /*FALLTHROUGH*/
+
+ case isc_usocketsource_reading:
+ if (sz_to_recv != 0U) {
+ n = recv(fd, buf, sz_to_recv, 0);
+ if (n < 0) {
+ if (errno == EWOULDBLOCK ||
+ errno == EINTR)
+ goto out;
+ goto err;
+ }
+ } else
+ n = 0;
+ break;
+
+ default:
+ goto err;
+ }
+
+ if ((size_t)n != sz_to_recv)
+ source->sources.usocket.sz_to_recv -= n;
+ else
+ source->sources.usocket.status =
+ isc_usocketsource_connected;
+
+ if (n == 0)
+ goto out;
+
+ entropypool_adddata(ent, buf, n, n * 8);
+ added += n * 8;
+ desired -= n;
+ }
+ goto out;
+
+ err:
+ close(fd);
+ source->bad = ISC_TRUE;
+ source->sources.usocket.status = isc_usocketsource_disconnected;
+ source->sources.usocket.handle = -1;
+
+ out:
+ return (added);
+}
+
+/*
+ * Poll each source, trying to get data from it to stuff into the entropy
+ * pool.
+ */
+static void
+fillpool(isc_entropy_t *ent, unsigned int desired, isc_boolean_t blocking) {
+ unsigned int added;
+ unsigned int remaining;
+ unsigned int needed;
+ unsigned int nsource;
+ isc_entropysource_t *source;
+
+ REQUIRE(VALID_ENTROPY(ent));
+
+ needed = desired;
+
+ /*
+ * This logic is a little strange, so an explanation is in order.
+ *
+ * If needed is 0, it means we are being asked to "fill to whatever
+ * we think is best." This means that if we have at least a
+ * partially full pool (say, > 1/4th of the pool) we probably don't
+ * need to add anything.
+ *
+ * Also, we will check to see if the "pseudo" count is too high.
+ * If it is, try to mix in better data. Too high is currently
+ * defined as 1/4th of the pool.
+ *
+ * Next, if we are asked to add a specific bit of entropy, make
+ * certain that we will do so. Clamp how much we try to add to
+ * (DIGEST_SIZE * 8 < needed < POOLBITS - entropy).
+ *
+ * Note that if we are in a blocking mode, we will only try to
+ * get as much data as we need, not as much as we might want
+ * to build up.
+ */
+ if (needed == 0) {
+ REQUIRE(!blocking);
+
+ if ((ent->pool.entropy >= RND_POOLBITS / 4)
+ && (ent->pool.pseudo <= RND_POOLBITS / 4))
+ return;
+
+ needed = THRESHOLD_BITS * 4;
+ } else {
+ needed = ISC_MAX(needed, THRESHOLD_BITS);
+ needed = ISC_MIN(needed, RND_POOLBITS);
+ }
+
+ /*
+ * In any case, clamp how much we need to how much we can add.
+ */
+ needed = ISC_MIN(needed, RND_POOLBITS - ent->pool.entropy);
+
+ /*
+ * But wait! If we're not yet initialized, we need at least
+ * THRESHOLD_BITS
+ * of randomness.
+ */
+ if (ent->initialized < THRESHOLD_BITS)
+ needed = ISC_MAX(needed, THRESHOLD_BITS - ent->initialized);
+
+ /*
+ * Poll each file source to see if we can read anything useful from
+ * it. XXXMLG When where are multiple sources, we should keep a
+ * record of which one we last used so we can start from it (or the
+ * next one) to avoid letting some sources build up entropy while
+ * others are always drained.
+ */
+
+ added = 0;
+ remaining = needed;
+ if (ent->nextsource == NULL) {
+ ent->nextsource = ISC_LIST_HEAD(ent->sources);
+ if (ent->nextsource == NULL)
+ return;
+ }
+ source = ent->nextsource;
+ again_file:
+ for (nsource = 0; nsource < ent->nsources; nsource++) {
+ unsigned int got;
+
+ if (remaining == 0)
+ break;
+
+ got = 0;
+
+ switch ( source->type ) {
+ case ENTROPY_SOURCETYPE_FILE:
+ got = get_from_filesource(source, remaining);
+ break;
+
+ case ENTROPY_SOURCETYPE_USOCKET:
+ got = get_from_usocketsource(source, remaining);
+ break;
+ }
+
+ added += got;
+
+ remaining -= ISC_MIN(remaining, got);
+
+ source = ISC_LIST_NEXT(source, link);
+ if (source == NULL)
+ source = ISC_LIST_HEAD(ent->sources);
+ }
+ ent->nextsource = source;
+
+ if (blocking && remaining != 0) {
+ int fds;
+
+ fds = wait_for_sources(ent);
+ if (fds > 0)
+ goto again_file;
+ }
+
+ /*
+ * Here, if there are bits remaining to be had and we can block,
+ * check to see if we have a callback source. If so, call them.
+ */
+ source = ISC_LIST_HEAD(ent->sources);
+ while ((remaining != 0) && (source != NULL)) {
+ unsigned int got;
+
+ got = 0;
+
+ if (source->type == ENTROPY_SOURCETYPE_CALLBACK)
+ got = get_from_callback(source, remaining, blocking);
+
+ added += got;
+ remaining -= ISC_MIN(remaining, got);
+
+ if (added >= needed)
+ break;
+
+ source = ISC_LIST_NEXT(source, link);
+ }
+
+ /*
+ * Mark as initialized if we've added enough data.
+ */
+ if (ent->initialized < THRESHOLD_BITS)
+ ent->initialized += added;
+}
+
+static int
+wait_for_sources(isc_entropy_t *ent) {
+ isc_entropysource_t *source;
+ int maxfd, fd;
+ int cc;
+ fd_set reads;
+ fd_set writes;
+
+ maxfd = -1;
+ FD_ZERO(&reads);
+ FD_ZERO(&writes);
+
+ source = ISC_LIST_HEAD(ent->sources);
+ while (source != NULL) {
+ if (source->type == ENTROPY_SOURCETYPE_FILE) {
+ fd = source->sources.file.handle;
+ if (fd >= 0) {
+ maxfd = ISC_MAX(maxfd, fd);
+ FD_SET(fd, &reads);
+ }
+ }
+ if (source->type == ENTROPY_SOURCETYPE_USOCKET) {
+ fd = source->sources.usocket.handle;
+ if (fd >= 0) {
+ switch (source->sources.usocket.status) {
+ case isc_usocketsource_disconnected:
+ break;
+ case isc_usocketsource_connecting:
+ case isc_usocketsource_connected:
+ case isc_usocketsource_ndesired:
+ maxfd = ISC_MAX(maxfd, fd);
+ FD_SET(fd, &writes);
+ break;
+ case isc_usocketsource_wrote:
+ case isc_usocketsource_reading:
+ maxfd = ISC_MAX(maxfd, fd);
+ FD_SET(fd, &reads);
+ break;
+ }
+ }
+ }
+ source = ISC_LIST_NEXT(source, link);
+ }
+
+ if (maxfd < 0)
+ return (-1);
+
+ cc = select(maxfd + 1, &reads, &writes, NULL, NULL);
+ if (cc < 0)
+ return (-1);
+
+ return (cc);
+}
+
+static void
+destroyfilesource(isc_entropyfilesource_t *source) {
+ (void)close(source->handle);
+}
+
+static void
+destroyusocketsource(isc_entropyusocketsource_t *source) {
+ close(source->handle);
+}
+
+/*
+ * Make a fd non-blocking
+ */
+static isc_result_t
+make_nonblock(int fd) {
+ int ret;
+ int flags;
+ char strbuf[ISC_STRERRORSIZE];
+
+ flags = fcntl(fd, F_GETFL, 0);
+ flags |= O_NONBLOCK;
+ ret = fcntl(fd, F_SETFL, flags);
+
+ if (ret == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "fcntl(%d, F_SETFL, %d): %s",
+ fd, flags, strbuf);
+
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
+ int fd;
+ struct stat _stat;
+ isc_boolean_t is_usocket = ISC_FALSE;
+ isc_boolean_t is_connected = ISC_FALSE;
+ isc_result_t ret;
+ isc_entropysource_t *source;
+
+ REQUIRE(VALID_ENTROPY(ent));
+ REQUIRE(fname != NULL);
+
+ LOCK(&ent->lock);
+
+ source = NULL;
+
+ if (stat(fname, &_stat) < 0) {
+ ret = isc__errno2result(errno);
+ goto errout;
+ }
+ /*
+ * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
+ * but it does return type S_IFIFO (the OS believes that
+ * the socket is a fifo). This may be an issue if we tell
+ * the program to look at an actual FIFO as its source of
+ * entropy.
+ */
+#if defined(S_ISSOCK)
+ if (S_ISSOCK(_stat.st_mode))
+ is_usocket = ISC_TRUE;
+#endif
+#if defined(S_ISFIFO)
+ if (S_ISFIFO(_stat.st_mode))
+ is_usocket = ISC_TRUE;
+#endif
+ if (is_usocket)
+ fd = socket(PF_UNIX, SOCK_STREAM, 0);
+ else
+ fd = open(fname, O_RDONLY | O_NONBLOCK, 0);
+
+ if (fd < 0) {
+ ret = isc__errno2result(errno);
+ goto errout;
+ }
+
+ ret = make_nonblock(fd);
+ if (ret != ISC_R_SUCCESS)
+ goto closefd;
+
+ if (is_usocket) {
+ struct sockaddr_un sname;
+
+ memset(&sname, 0, sizeof(sname));
+ sname.sun_family = AF_UNIX;
+ strncpy(sname.sun_path, fname, sizeof(sname.sun_path));
+ sname.sun_path[sizeof(sname.sun_path)-1] = '0';
+#ifdef ISC_PLATFORM_HAVESALEN
+#if !defined(SUN_LEN)
+#define SUN_LEN(su) \
+ (sizeof(*(su)) - sizeof((su)->sun_path) + strlen((su)->sun_path))
+#endif
+ sname.sun_len = SUN_LEN(&sname);
+#endif
+
+ if (connect(fd, (struct sockaddr *) &sname,
+ sizeof(struct sockaddr_un)) < 0) {
+ if (errno != EINPROGRESS) {
+ ret = isc__errno2result(errno);
+ goto closefd;
+ }
+ } else
+ is_connected = ISC_TRUE;
+ }
+
+ source = isc_mem_get(ent->mctx, sizeof(isc_entropysource_t));
+ if (source == NULL) {
+ ret = ISC_R_NOMEMORY;
+ goto closefd;
+ }
+
+ /*
+ * From here down, no failures can occur.
+ */
+ source->magic = SOURCE_MAGIC;
+ source->ent = ent;
+ source->total = 0;
+ source->bad = ISC_FALSE;
+ memset(source->name, 0, sizeof(source->name));
+ ISC_LINK_INIT(source, link);
+ if (is_usocket) {
+ source->sources.usocket.handle = fd;
+ if (is_connected)
+ source->sources.usocket.status =
+ isc_usocketsource_connected;
+ else
+ source->sources.usocket.status =
+ isc_usocketsource_connecting;
+ source->sources.usocket.sz_to_recv = 0;
+ source->type = ENTROPY_SOURCETYPE_USOCKET;
+ } else {
+ source->sources.file.handle = fd;
+ source->type = ENTROPY_SOURCETYPE_FILE;
+ }
+
+ /*
+ * Hook it into the entropy system.
+ */
+ ISC_LIST_APPEND(ent->sources, source, link);
+ ent->nsources++;
+
+ UNLOCK(&ent->lock);
+ return (ISC_R_SUCCESS);
+
+ closefd:
+ (void)close(fd);
+
+ errout:
+ if (source != NULL)
+ isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+
+ UNLOCK(&ent->lock);
+
+ return (ret);
+}
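Review bot: In `isc_entropy_createfilesource()` the line `sname.sun_path[sizeof(sname.sun_path)-1] = '0';` stores the character '0' rather than a NUL terminator. When `fname` is at least as long as `sun_path`, `strncpy()` leaves the array unterminated, and the `strlen()` inside `SUN_LEN` (on `ISC_PLATFORM_HAVESALEN` builds) can read past the end of `sname`; it should be `sname.sun_path[sizeof(sname.sun_path)-1] = '\0';`, and rejecting an `fname` that does not fit would be better than connecting to a truncated path. In the same file, `make_nonblock()` ORs `O_NONBLOCK` into the result of `fcntl(fd, F_GETFL, 0)` without checking it for -1, so a failed query is passed on to `F_SETFL` as a flag word; add `if (flags == -1)` with the same error path before the OR.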
diff --git a/contrib/bind9/lib/isc/unix/errno2result.c b/contrib/bind9/lib/isc/unix/errno2result.c
new file mode 100644
index 0000000..66a4e91
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/errno2result.c
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: errno2result.c,v 1.8.2.4.8.1 2004/03/06 08:14:59 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * Convert a POSIX errno value into an isc_result_t. The
+ * list of supported errno values is not complete; new users
+ * of this function should add any expected errors that are
+ * not already there.
+ */
+isc_result_t
+isc__errno2result(int posixerrno) {
+ char strbuf[ISC_STRERRORSIZE];
+
+ switch (posixerrno) {
+ case ENOTDIR:
+ case ELOOP:
+ case EINVAL: /* XXX sometimes this is not for files */
+ case ENAMETOOLONG:
+ case EBADF:
+ return (ISC_R_INVALIDFILE);
+ case ENOENT:
+ return (ISC_R_FILENOTFOUND);
+ case EACCES:
+ case EPERM:
+ return (ISC_R_NOPERM);
+ case EEXIST:
+ return (ISC_R_FILEEXISTS);
+ case EIO:
+ return (ISC_R_IOERROR);
+ case ENOMEM:
+ return (ISC_R_NOMEMORY);
+ case ENFILE:
+ case EMFILE:
+ return (ISC_R_TOOMANYOPENFILES);
+ case EPIPE:
+#ifdef ECONNRESET
+ case ECONNRESET:
+#endif
+#ifdef ECONNABORTED
+ case ECONNABORTED:
+#endif
+ return (ISC_R_CONNECTIONRESET);
+#ifdef ENOTCONN
+ case ENOTCONN:
+ return (ISC_R_NOTCONNECTED);
+#endif
+#ifdef ETIMEDOUT
+ case ETIMEDOUT:
+ return (ISC_R_TIMEDOUT);
+#endif
+#ifdef ENOBUFS
+ case ENOBUFS:
+ return (ISC_R_NORESOURCES);
+#endif
+#ifdef EAFNOSUPPORT
+ case EAFNOSUPPORT:
+ return (ISC_R_FAMILYNOSUPPORT);
+#endif
+#ifdef ENETDOWN
+ case ENETDOWN:
+ return (ISC_R_NETDOWN);
+#endif
+#ifdef EHOSTDOWN
+ case EHOSTDOWN:
+ return (ISC_R_HOSTDOWN);
+#endif
+#ifdef ENETUNREACH
+ case ENETUNREACH:
+ return (ISC_R_NETUNREACH);
+#endif
+#ifdef EHOSTUNREACH
+ case EHOSTUNREACH:
+ return (ISC_R_HOSTUNREACH);
+#endif
+#ifdef EADDRINUSE
+ case EADDRINUSE:
+ return (ISC_R_ADDRINUSE);
+#endif
+ case EADDRNOTAVAIL:
+ return (ISC_R_ADDRNOTAVAIL);
+ case ECONNREFUSED:
+ return (ISC_R_CONNREFUSED);
+ default:
+ isc__strerror(posixerrno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "unable to convert errno "
+ "to isc_result: %d: %s",
+ posixerrno, strbuf);
+ /*
+ * XXXDCL would be nice if perhaps this function could
+ * return the system's error string, so the caller
+ * might have something more descriptive than "unexpected
+ * error" to log with.
+ */
+ return (ISC_R_UNEXPECTED);
+ }
+}
diff --git a/contrib/bind9/lib/isc/unix/errno2result.h b/contrib/bind9/lib/isc/unix/errno2result.h
new file mode 100644
index 0000000..9a8d07c
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/errno2result.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: errno2result.h,v 1.7.206.1 2004/03/06 08:14:59 marka Exp $ */
+
+#ifndef UNIX_ERRNO2RESULT_H
+#define UNIX_ERRNO2RESULT_H 1
+
+/* XXXDCL this should be moved to lib/isc/include/isc/errno2result.h. */
+
+#include <errno.h> /* Provides errno. */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc__errno2result(int posixerrno);
+
+ISC_LANG_ENDDECLS
+
+#endif /* UNIX_ERRNO2RESULT_H */
diff --git a/contrib/bind9/lib/isc/unix/file.c b/contrib/bind9/lib/isc/unix/file.c
new file mode 100644
index 0000000..7ed6272
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/file.c
@@ -0,0 +1,435 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: file.c,v 1.38.12.8 2004/03/16 05:50:25 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <time.h> /* Required for utimes on some platforms. */
+#include <unistd.h> /* Required for mkstemp on NetBSD. */
+
+
+#include <sys/stat.h>
+#include <sys/time.h>
+
+#include <isc/dir.h>
+#include <isc/file.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+/*
+ * XXXDCL As the API for accessing file statistics undoubtedly gets expanded,
+ * it might be good to provide a mechanism that allows for the results
+ * of a previous stat() to be used again without having to do another stat,
+ * such as perl's mechanism of using "_" in place of a file name to indicate
+ * that the results of the last stat should be used. But then you get into
+ * annoying MP issues. BTW, Win32 has stat().
+ */
+static isc_result_t
+file_stats(const char *file, struct stat *stats) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(file != NULL);
+ REQUIRE(stats != NULL);
+
+ if (stat(file, stats) != 0)
+ result = isc__errno2result(errno);
+
+ return (result);
+}
+
+isc_result_t
+isc_file_getmodtime(const char *file, isc_time_t *time) {
+ isc_result_t result;
+ struct stat stats;
+
+ REQUIRE(file != NULL);
+ REQUIRE(time != NULL);
+
+ result = file_stats(file, &stats);
+
+ if (result == ISC_R_SUCCESS)
+ /*
+ * XXXDCL some operating systems provide nanoseconds, too,
+ * such as BSD/OS via st_mtimespec.
+ */
+ isc_time_set(time, stats.st_mtime, 0);
+
+ return (result);
+}
+
+isc_result_t
+isc_file_settime(const char *file, isc_time_t *time) {
+ struct timeval times[2];
+
+ REQUIRE(file != NULL && time != NULL);
+
+ /*
+ * tv_sec is at least a 32 bit quantity on all platforms we're
+ * dealing with, but it is signed on most (all?) of them,
+ * so we need to make sure the high bit isn't set. This unfortunately
+ * loses when either:
+ * * tv_sec becomes a signed 64 bit integer but long is 32 bits
+ * and isc_time_seconds > LONG_MAX, or
+ * * isc_time_seconds is changed to be > 32 bits but long is 32 bits
+ * and isc_time_seconds has at least 33 significant bits.
+ */
+ times[0].tv_sec = times[1].tv_sec = (long)isc_time_seconds(time);
+
+ /*
+ * Here is the real check for the high bit being set.
+ */
+ if ((times[0].tv_sec &
+ (1ULL << (sizeof(times[0].tv_sec) * CHAR_BIT - 1))) != 0)
+ return (ISC_R_RANGE);
+
+ /*
+ * isc_time_nanoseconds guarantees a value that divided by 1000 will
+ * fit into the minimum possible size tv_usec field. Unfortunately,
+ * we don't know what that type is so can't cast directly ... but
+ * we can at least cast to signed so the IRIX compiler shuts up.
+ */
+ times[0].tv_usec = times[1].tv_usec =
+ (isc_int32_t)(isc_time_nanoseconds(time) / 1000);
+
+ if (utimes(file, times) < 0)
+ return (isc__errno2result(errno));
+
+ return (ISC_R_SUCCESS);
+}
+
+#undef TEMPLATE
+#define TEMPLATE "tmp-XXXXXXXXXX" /* 14 characters. */
+
+isc_result_t
+isc_file_mktemplate(const char *path, char *buf, size_t buflen) {
+ return (isc_file_template(path, TEMPLATE, buf, buflen));
+}
+
+isc_result_t
+isc_file_template(const char *path, const char *templet, char *buf,
+ size_t buflen) {
+ char *s;
+
+ REQUIRE(path != NULL);
+ REQUIRE(templet != NULL);
+ REQUIRE(buf != NULL);
+
+ s = strrchr(templet, '/');
+ if (s != NULL)
+ templet = s + 1;
+
+ s = strrchr(path, '/');
+
+ if (s != NULL) {
+ if ((s - path + 1 + strlen(templet) + 1) > buflen)
+ return (ISC_R_NOSPACE);
+
+ strncpy(buf, path, s - path + 1);
+ buf[s - path + 1] = '\0';
+ strcat(buf, templet);
+ } else {
+ if ((strlen(templet) + 1) > buflen)
+ return (ISC_R_NOSPACE);
+
+ strcpy(buf, templet);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static char alphnum[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+
+isc_result_t
+isc_file_renameunique(const char *file, char *templet) {
+ char *x;
+ char *cp;
+ isc_uint32_t which;
+
+ REQUIRE(file != NULL);
+ REQUIRE(templet != NULL);
+
+ cp = templet;
+ while (*cp != '\0')
+ cp++;
+ if (cp == templet)
+ return (ISC_R_FAILURE);
+
+ x = cp--;
+ while (cp >= templet && *cp == 'X') {
+ isc_random_get(&which);
+ *cp = alphnum[which % (sizeof(alphnum) - 1)];
+ x = cp--;
+ }
+ while (link(file, templet) == -1) {
+ if (errno != EEXIST)
+ return (isc__errno2result(errno));
+ for (cp = x;;) {
+ char *t;
+ if (*cp == '\0')
+ return (ISC_R_FAILURE);
+ t = strchr(alphnum, *cp);
+ if (t == NULL || *++t == '\0')
+ *cp++ = alphnum[0];
+ else {
+ *cp = *t;
+ break;
+ }
+ }
+ }
+ (void)unlink(file);
+ return (ISC_R_SUCCESS);
+}
+
+
+isc_result_t
+isc_file_openunique(char *templet, FILE **fp) {
+ int fd;
+ FILE *f;
+ isc_result_t result = ISC_R_SUCCESS;
+ char *x;
+ char *cp;
+ isc_uint32_t which;
+ int mode;
+
+ REQUIRE(templet != NULL);
+ REQUIRE(fp != NULL && *fp == NULL);
+
+ cp = templet;
+ while (*cp != '\0')
+ cp++;
+ if (cp == templet)
+ return (ISC_R_FAILURE);
+
+ x = cp--;
+ while (cp >= templet && *cp == 'X') {
+ isc_random_get(&which);
+ *cp = alphnum[which % (sizeof(alphnum) - 1)];
+ x = cp--;
+ }
+
+ mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+
+ while ((fd = open(templet, O_RDWR|O_CREAT|O_EXCL, mode)) == -1) {
+ if (errno != EEXIST)
+ return (isc__errno2result(errno));
+ for (cp = x;;) {
+ char *t;
+ if (*cp == '\0')
+ return (ISC_R_FAILURE);
+ t = strchr(alphnum, *cp);
+ if (t == NULL || *++t == '\0')
+ *cp++ = alphnum[0];
+ else {
+ *cp = *t;
+ break;
+ }
+ }
+ }
+ f = fdopen(fd, "w+");
+ if (f == NULL) {
+ result = isc__errno2result(errno);
+ (void)remove(templet);
+ (void)close(fd);
+ } else
+ *fp = f;
+
+ return (result);
+}
+
+isc_result_t
+isc_file_remove(const char *filename) {
+ int r;
+
+ REQUIRE(filename != NULL);
+
+ r = unlink(filename);
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_file_rename(const char *oldname, const char *newname) {
+ int r;
+
+ REQUIRE(oldname != NULL);
+ REQUIRE(newname != NULL);
+
+ r = rename(oldname, newname);
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_boolean_t
+isc_file_exists(const char *pathname) {
+ struct stat stats;
+
+ REQUIRE(pathname != NULL);
+
+ return (ISC_TF(file_stats(pathname, &stats) == ISC_R_SUCCESS));
+}
+
+isc_boolean_t
+isc_file_isabsolute(const char *filename) {
+ REQUIRE(filename != NULL);
+ return (ISC_TF(filename[0] == '/'));
+}
+
+isc_boolean_t
+isc_file_iscurrentdir(const char *filename) {
+ REQUIRE(filename != NULL);
+ return (ISC_TF(filename[0] == '.' && filename[1] == '\0'));
+}
+
+isc_boolean_t
+isc_file_ischdiridempotent(const char *filename) {
+ REQUIRE(filename != NULL);
+ if (isc_file_isabsolute(filename))
+ return (ISC_TRUE);
+ if (isc_file_iscurrentdir(filename))
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+const char *
+isc_file_basename(const char *filename) {
+ char *s;
+
+ REQUIRE(filename != NULL);
+
+ s = strrchr(filename, '/');
+ if (s == NULL)
+ return (filename);
+
+ return (s + 1);
+}
+
+isc_result_t
+isc_file_progname(const char *filename, char *buf, size_t buflen) {
+ const char *base;
+ size_t len;
+
+ REQUIRE(filename != NULL);
+ REQUIRE(buf != NULL);
+
+ base = isc_file_basename(filename);
+ len = strlen(base) + 1;
+
+ if (len > buflen)
+ return (ISC_R_NOSPACE);
+ memcpy(buf, base, len);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Put the absolute name of the current directory into 'dirname', which is
+ * a buffer of at least 'length' characters. End the string with the
+ * appropriate path separator, such that the final product could be
+ * concatenated with a relative pathname to make a valid pathname string.
+ */
+static isc_result_t
+dir_current(char *dirname, size_t length) {
+ char *cwd;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ REQUIRE(dirname != NULL);
+ REQUIRE(length > 0U);
+
+ cwd = getcwd(dirname, length);
+
+ if (cwd == NULL) {
+ if (errno == ERANGE)
+ result = ISC_R_NOSPACE;
+ else
+ result = isc__errno2result(errno);
+ } else {
+ if (strlen(dirname) + 1 == length)
+ result = ISC_R_NOSPACE;
+ else if (dirname[1] != '\0')
+ strcat(dirname, "/");
+ }
+
+ return (result);
+}
+
+isc_result_t
+isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
+ isc_result_t result;
+ result = dir_current(path, pathlen);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (strlen(path) + strlen(filename) + 1 > pathlen)
+ return (ISC_R_NOSPACE);
+ strcat(path, filename);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_file_truncate(const char *filename, isc_offset_t size) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ if (truncate(filename, size) < 0)
+ result = isc__errno2result(errno);
+ return (result);
+}
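Review bot: `isc_file_openunique()` creates its temporary file with `mode = S_IWUSR|S_IRUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH`, i.e. 0666 before the umask is applied, so under a permissive umask other local users can read or modify the file. `O_EXCL` protects the name, not the contents; unless a caller is known to need group or other access, restrict it to the owner with `mode = S_IWUSR|S_IRUSR;` and let callers widen permissions explicitly. `isc_file_absolutepath()` and `isc_file_truncate()` also lack the `REQUIRE(filename != NULL)` precondition that the other functions in this file state.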
diff --git a/contrib/bind9/lib/isc/unix/fsaccess.c b/contrib/bind9/lib/isc/unix/fsaccess.c
new file mode 100644
index 0000000..5fa4fb4
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/fsaccess.c
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: fsaccess.c,v 1.6.206.1 2004/03/06 08:14:59 marka Exp $ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <errno.h>
+
+#include "errno2result.h"
+
+/*
+ * The OS-independent part of the API is in lib/isc.
+ */
+#include "../fsaccess.c"
+
+isc_result_t
+isc_fsaccess_set(const char *path, isc_fsaccess_t access) {
+ struct stat statb;
+ mode_t mode;
+ isc_boolean_t is_dir = ISC_FALSE;
+ isc_fsaccess_t bits;
+ isc_result_t result;
+
+ if (stat(path, &statb) != 0)
+ return (isc__errno2result(errno));
+
+ if ((statb.st_mode & S_IFDIR) != 0)
+ is_dir = ISC_TRUE;
+ else if ((statb.st_mode & S_IFREG) == 0)
+ return (ISC_R_INVALIDFILE);
+
+ result = check_bad_bits(access, is_dir);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ /*
+ * Done with checking bad bits. Set mode_t.
+ */
+ mode = 0;
+
+#define SET_AND_CLEAR1(modebit) \
+ if ((access & bits) != 0) { \
+ mode |= modebit; \
+ access &= ~bits; \
+ }
+#define SET_AND_CLEAR(user, group, other) \
+ SET_AND_CLEAR1(user); \
+ bits <<= STEP; \
+ SET_AND_CLEAR1(group); \
+ bits <<= STEP; \
+ SET_AND_CLEAR1(other);
+
+ bits = ISC_FSACCESS_READ | ISC_FSACCESS_LISTDIRECTORY;
+
+ SET_AND_CLEAR(S_IRUSR, S_IRGRP, S_IROTH);
+
+ bits = ISC_FSACCESS_WRITE |
+ ISC_FSACCESS_CREATECHILD |
+ ISC_FSACCESS_DELETECHILD;
+
+ SET_AND_CLEAR(S_IWUSR, S_IWGRP, S_IWOTH);
+
+ bits = ISC_FSACCESS_EXECUTE |
+ ISC_FSACCESS_ACCESSCHILD;
+
+ SET_AND_CLEAR(S_IXUSR, S_IXGRP, S_IXOTH);
+
+ INSIST(access == 0);
+
+ if (chmod(path, mode) < 0)
+ return (isc__errno2result(errno));
+
+ return (ISC_R_SUCCESS);
+}
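Review bot: The file-type test in isc_fsaccess_set masks st_mode with single type constants, `(statb.st_mode & S_IFDIR) != 0` and `(statb.st_mode & S_IFREG) == 0`, but the S_IF* values are codes inside the S_IFMT field, not independent bits. On the common encodings (FreeBSD, Linux) a block device or a socket has the S_IFDIR bit set, so it is handled as a directory instead of being rejected with ISC_R_INVALIDFILE. Use `if (S_ISDIR(statb.st_mode))` and `else if (!S_ISREG(statb.st_mode))`. Separately, stat() and chmod() each resolve `path` on their own, so the object that was checked can be replaced before the mode is applied if another user can write to the containing directory. Doing both the check and the change on one open descriptor (fstat/fchmod) would close that window.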
diff --git a/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
new file mode 100644
index 0000000..ad6e1e0
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/ifiter_getifaddrs.c
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ifiter_getifaddrs.c,v 1.2.68.3 2004/03/06 08:14:59 marka Exp $ */
+
+/*
+ * Obtain the list of network interfaces using the getifaddrs(3) library.
+ */
+
+#include <ifaddrs.h>
+
+#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'G')
+#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+struct isc_interfaceiter {
+ unsigned int magic; /* Magic number. */
+ isc_mem_t *mctx;
+ void *buf; /* (unused) */
+ unsigned int bufsize; /* (always 0) */
+ struct ifaddrs *ifaddrs; /* List of ifaddrs */
+ struct ifaddrs *pos; /* Ptr to current ifaddr */
+ isc_interface_t current; /* Current interface data. */
+ isc_result_t result; /* Last result code. */
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+ isc_interfaceiter_t *iter;
+ isc_result_t result;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(iterp != NULL);
+ REQUIRE(*iterp == NULL);
+
+ iter = isc_mem_get(mctx, sizeof(*iter));
+ if (iter == NULL)
+ return (ISC_R_NOMEMORY);
+
+ iter->mctx = mctx;
+ iter->buf = NULL;
+ iter->bufsize = 0;
+ iter->ifaddrs = NULL;
+
+ if (getifaddrs(&iter->ifaddrs) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERGETIFADDRS,
+ ISC_MSG_GETIFADDRS,
+ "getting interface "
+ "addresses: getifaddrs: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto failure;
+ }
+
+ /*
+ * A newly created iterator has an undefined position
+ * until isc_interfaceiter_first() is called.
+ */
+ iter->pos = NULL;
+ iter->result = ISC_R_FAILURE;
+
+ iter->magic = IFITER_MAGIC;
+ *iterp = iter;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (iter->ifaddrs != NULL) /* just in case */
+ freeifaddrs(iter->ifaddrs);
+ isc_mem_put(mctx, iter, sizeof(*iter));
+ return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+ struct ifaddrs *ifa;
+ int family;
+ unsigned int namelen;
+
+ REQUIRE(VALID_IFITER(iter));
+
+ ifa = iter->pos;
+
+ INSIST(ifa != NULL);
+ INSIST(ifa->ifa_name != NULL);
+ INSIST(ifa->ifa_addr != NULL);
+
+ family = ifa->ifa_addr->sa_family;
+ if (family != AF_INET && family != AF_INET6)
+ return (ISC_R_IGNORE);
+
+ memset(&iter->current, 0, sizeof(iter->current));
+
+ namelen = strlen(ifa->ifa_name);
+ if (namelen > sizeof(iter->current.name) - 1)
+ namelen = sizeof(iter->current.name) - 1;
+
+ memset(iter->current.name, 0, sizeof(iter->current.name));
+ memcpy(iter->current.name, ifa->ifa_name, namelen);
+
+ iter->current.flags = 0;
+
+ if ((ifa->ifa_flags & IFF_UP) != 0)
+ iter->current.flags |= INTERFACE_F_UP;
+
+ if ((ifa->ifa_flags & IFF_POINTOPOINT) != 0)
+ iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+
+ if ((ifa->ifa_flags & IFF_LOOPBACK) != 0)
+ iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+ iter->current.af = family;
+
+ get_addr(family, &iter->current.address, ifa->ifa_addr, ifa->ifa_name);
+
+ if (ifa->ifa_netmask != NULL)
+ get_addr(family, &iter->current.netmask, ifa->ifa_netmask,
+ ifa->ifa_name);
+
+ if (ifa->ifa_dstaddr != NULL &&
+ (iter->current.flags & IFF_POINTOPOINT) != 0)
+ get_addr(family, &iter->current.dstaddress, ifa->ifa_dstaddr,
+ ifa->ifa_name);
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Step the iterator to the next interface. Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored. Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+ iter->pos = iter->pos->ifa_next;
+
+ if (iter->pos == NULL)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+ if (iter->ifaddrs)
+ freeifaddrs(iter->ifaddrs);
+ iter->ifaddrs = NULL;
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+ iter->pos = iter->ifaddrs;
+}
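Review bot: internal_current asserts `INSIST(ifa->ifa_addr != NULL)`, but getifaddrs(3) is allowed to return entries with a null ifa_addr (documented on some platforms), so an address-less interface would trip the assertion instead of being skipped. Since the function already returns ISC_R_IGNORE for unsupported families, the same treatment fits here: `if (ifa->ifa_addr == NULL) return (ISC_R_IGNORE);` placed before the family is read. The destination-address test further down, `(iter->current.flags & IFF_POINTOPOINT) != 0`, checks the OS constant against a field that was filled with INTERFACE_F_* values a few lines earlier. It should be `(iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0`, otherwise dstaddress is only set if the two constants happen to coincide. internal_next also dereferences iter->pos without a check, which relies on the caller never stepping past ISC_R_NOMORE.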
diff --git a/contrib/bind9/lib/isc/unix/ifiter_ioctl.c b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
new file mode 100644
index 0000000..5825eb8
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/ifiter_ioctl.c
@@ -0,0 +1,1016 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ifiter_ioctl.c,v 1.19.2.5.2.14 2004/06/22 04:40:23 marka Exp $ */
+
+/*
+ * Obtain the list of network interfaces using the SIOCGLIFCONF ioctl.
+ * See netintro(4).
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+#ifdef ISC_PLATFORM_HAVEIF_LADDRCONF
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define ISC_HAVE_LIFC_FAMILY 1
+#define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
+#endif
+
+#ifdef ISC_PLATFORM_HAVEIF_LADDRREQ
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+#endif
+
+#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'T')
+#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+#define ISC_IF_INET6_SZ \
+ sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
+
+struct isc_interfaceiter {
+ unsigned int magic; /* Magic number. */
+ isc_mem_t *mctx;
+ int mode;
+ int socket;
+ struct ifconf ifc;
+ void *buf; /* Buffer for sysctl data. */
+ unsigned int bufsize; /* Bytes allocated. */
+ unsigned int pos; /* Current offset in
+ SIOCGIFCONF data */
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ int socket6;
+ struct LIFCONF lifc;
+ void *buf6; /* Buffer for sysctl data. */
+ unsigned int bufsize6; /* Bytes allocated. */
+ unsigned int pos6; /* Current offset in
+ SIOCGLIFCONF data */
+ isc_result_t result6; /* Last result code. */
+ isc_boolean_t first6;
+#endif
+#ifdef HAVE_TRUCLUSTER
+ int clua_context; /* Cluster alias context */
+ isc_boolean_t clua_done;
+ struct sockaddr clua_sa;
+#endif
+#ifdef __linux
+ FILE * proc;
+ char entry[ISC_IF_INET6_SZ];
+ isc_result_t valid;
+ isc_boolean_t first;
+#endif
+ isc_interface_t current; /* Current interface data. */
+ isc_result_t result; /* Last result code. */
+};
+
+#ifdef HAVE_TRUCLUSTER
+#include <clua/clua.h>
+#include <sys/socket.h>
+#endif
+
+
+/*
+ * Size of buffer for SIOCGLIFCONF, in bytes. We assume no sane system
+ * will have more than a megabyte of interface configuration data.
+ */
+#define IFCONF_BUFSIZE_INITIAL 4096
+#define IFCONF_BUFSIZE_MAX 1048576
+
+#ifdef __linux
+#ifndef IF_NAMESIZE
+# ifdef IFNAMSIZ
+# define IF_NAMESIZE IFNAMSIZ
+# else
+# define IF_NAMESIZE 16
+# endif
+#endif
+#endif
+
+static isc_result_t
+getbuf4(isc_interfaceiter_t *iter) {
+ char strbuf[ISC_STRERRORSIZE];
+
+ iter->bufsize = IFCONF_BUFSIZE_INITIAL;
+
+ for (;;) {
+ iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
+ if (iter->buf == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(&iter->ifc.ifc_len, 0, sizeof(iter->ifc.ifc_len));
+ iter->ifc.ifc_len = iter->bufsize;
+ iter->ifc.ifc_buf = iter->buf;
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion". It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(iter->socket, SIOCGIFCONF, (char *)&iter->ifc)
+ == -1) {
+ if (errno != EINVAL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETIFCONFIG,
+ "get interface "
+ "configuration: %s"),
+ strbuf);
+ goto unexpected;
+ }
+ /*
+ * EINVAL. Retry with a bigger buffer.
+ */
+ } else {
+ /*
+ * The ioctl succeeded.
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * ifc.lifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (iter->ifc.ifc_len + 2 * sizeof(struct ifreq)
+ < iter->bufsize)
+ break;
+ }
+ if (iter->bufsize >= IFCONF_BUFSIZE_MAX) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_BUFFERMAX,
+ "get interface "
+ "configuration: "
+ "maximum buffer "
+ "size exceeded"));
+ goto unexpected;
+ }
+ isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+
+ iter->bufsize *= 2;
+ }
+ return (ISC_R_SUCCESS);
+
+ unexpected:
+ isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+ iter->buf = NULL;
+ return (ISC_R_UNEXPECTED);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+getbuf6(isc_interfaceiter_t *iter) {
+ char strbuf[ISC_STRERRORSIZE];
+ isc_result_t result;
+
+ iter->bufsize6 = IFCONF_BUFSIZE_INITIAL;
+
+ for (;;) {
+ iter->buf6 = isc_mem_get(iter->mctx, iter->bufsize6);
+ if (iter->buf6 == NULL)
+ return (ISC_R_NOMEMORY);
+
+ memset(&iter->lifc, 0, sizeof(iter->lifc));
+#ifdef ISC_HAVE_LIFC_FAMILY
+ iter->lifc.lifc_family = AF_INET6;
+#endif
+#ifdef ISC_HAVE_LIFC_FLAGS
+ iter->lifc.lifc_flags = 0;
+#endif
+ iter->lifc.lifc_len = iter->bufsize6;
+ iter->lifc.lifc_buf = iter->buf6;
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion". It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(iter->socket6, SIOCGLIFCONF, (char *)&iter->lifc)
+ == -1) {
+#ifdef __hpux
+ /*
+ * IPv6 interface scanning is not available on all
+ * kernels w/ IPv6 sockets.
+ */
+ if (errno == ENOENT) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_INTERFACE,
+ ISC_LOG_DEBUG(1),
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETIFCONFIG,
+ "get interface "
+ "configuration: %s"),
+ strbuf);
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+#endif
+ if (errno != EINVAL) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETIFCONFIG,
+ "get interface "
+ "configuration: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+ /*
+ * EINVAL. Retry with a bigger buffer.
+ */
+ } else {
+ /*
+ * The ioctl succeeded.
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * ifc.ifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (iter->lifc.lifc_len + 2 * sizeof(struct LIFREQ)
+ < iter->bufsize6)
+ break;
+ }
+ if (iter->bufsize6 >= IFCONF_BUFSIZE_MAX) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_BUFFERMAX,
+ "get interface "
+ "configuration: "
+ "maximum buffer "
+ "size exceeded"));
+ result = ISC_R_UNEXPECTED;
+ goto cleanup;
+ }
+ isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+
+ iter->bufsize6 *= 2;
+ }
+
+ if (iter->lifc.lifc_len != 0)
+ iter->mode = 6;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+ iter->buf6 = NULL;
+ return (result);
+}
+#endif
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+ isc_interfaceiter_t *iter;
+ isc_result_t result;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(iterp != NULL);
+ REQUIRE(*iterp == NULL);
+
+ iter = isc_mem_get(mctx, sizeof(*iter));
+ if (iter == NULL)
+ return (ISC_R_NOMEMORY);
+
+ iter->mctx = mctx;
+ iter->mode = 4;
+ iter->buf = NULL;
+ iter->pos = (unsigned int) -1;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ iter->buf6 = NULL;
+ iter->pos6 = (unsigned int) -1;
+ iter->result6 = ISC_R_NOMORE;
+ iter->socket6 = -1;
+ iter->first6 = ISC_FALSE;
+#endif
+
+ /*
+ * Get the interface configuration, allocating more memory if
+ * necessary.
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ result = isc_net_probeipv6();
+ if (result == ISC_R_SUCCESS) {
+ /*
+ * Create an unbound datagram socket to do the SIOCGLIFCONF
+ * ioctl on. HP/UX requires an AF_INET6 socket for
+ * SIOCGLIFCONF to get IPv6 addresses.
+ */
+ if ((iter->socket6 = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_MAKESCANSOCKET,
+ "making interface "
+ "scan socket: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto socket6_failure;
+ }
+ iter->result6 = getbuf6(iter);
+ if (iter->result6 != ISC_R_NOTIMPLEMENTED &&
+ iter->result6 != ISC_R_SUCCESS)
+ goto ioctl6_failure;
+ }
+#endif
+ if ((iter->socket = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_MAKESCANSOCKET,
+ "making interface "
+ "scan socket: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto socket_failure;
+ }
+ result = getbuf4(iter);
+ if (result != ISC_R_SUCCESS)
+ goto ioctl_failure;
+
+ /*
+ * A newly created iterator has an undefined position
+ * until isc_interfaceiter_first() is called.
+ */
+#ifdef HAVE_TRUCLUSTER
+ iter->clua_context = -1;
+ iter->clua_done = ISC_TRUE;
+#endif
+#ifdef __linux
+ iter->proc = fopen("/proc/net/if_inet6", "r");
+ iter->valid = ISC_R_FAILURE;
+ iter->first = ISC_FALSE;
+#endif
+ iter->result = ISC_R_FAILURE;
+
+ iter->magic = IFITER_MAGIC;
+ *iterp = iter;
+ return (ISC_R_SUCCESS);
+
+ ioctl_failure:
+ if (iter->buf != NULL)
+ isc_mem_put(mctx, iter->buf, iter->bufsize);
+ (void) close(iter->socket);
+
+ socket_failure:
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ if (iter->buf6 != NULL)
+ isc_mem_put(mctx, iter->buf6, iter->bufsize6);
+ ioctl6_failure:
+ if (iter->socket6 != -1)
+ (void) close(iter->socket6);
+ socket6_failure:
+#endif
+
+ isc_mem_put(mctx, iter, sizeof(*iter));
+ return (result);
+}
+
+#ifdef HAVE_TRUCLUSTER
+static void
+get_inaddr(isc_netaddr_t *dst, struct in_addr *src) {
+ dst->family = AF_INET;
+ memcpy(&dst->type.in, src, sizeof(struct in_addr));
+}
+
+static isc_result_t
+internal_current_clusteralias(isc_interfaceiter_t *iter) {
+ struct clua_info ci;
+ if (clua_getaliasinfo(&iter->clua_sa, &ci) != CLUA_SUCCESS)
+ return (ISC_R_IGNORE);
+ memset(&iter->current, 0, sizeof(iter->current));
+ iter->current.af = iter->clua_sa.sa_family;
+ memset(iter->current.name, 0, sizeof(iter->current.name));
+ sprintf(iter->current.name, "clua%d", ci.aliasid);
+ iter->current.flags = INTERFACE_F_UP;
+ get_inaddr(&iter->current.address, &ci.addr);
+ get_inaddr(&iter->current.netmask, &ci.netmask);
+ return (ISC_R_SUCCESS);
+}
+#endif
+
+#ifdef __linux
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *iter) {
+ if (iter->proc != NULL &&
+ fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
+ iter->valid = ISC_R_SUCCESS;
+ else
+ iter->valid = ISC_R_NOMORE;
+ return (iter->valid);
+}
+
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter) {
+ if (iter->proc != NULL) {
+ rewind(iter->proc);
+ (void)linux_if_inet6_next(iter);
+ } else
+ iter->valid = ISC_R_NOMORE;
+ iter->first = ISC_FALSE;
+}
+
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *iter) {
+ char address[33];
+ char name[IF_NAMESIZE+1];
+ struct in6_addr addr6;
+ int ifindex, prefix, flag3, flag4;
+ int res;
+ unsigned int i;
+
+ if (iter->valid != ISC_R_SUCCESS)
+ return (iter->valid);
+ if (iter->proc == NULL) {
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+ "/proc/net/if_inet6:iter->proc == NULL");
+ return (ISC_R_FAILURE);
+ }
+
+ res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
+ address, &ifindex, &prefix, &flag3, &flag4, name);
+ if (res != 6) {
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+ "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
+ res);
+ return (ISC_R_FAILURE);
+ }
+ if (strlen(address) != 32) {
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+ "/proc/net/if_inet6:strlen(%s) != 32", address);
+ return (ISC_R_FAILURE);
+ }
+ for (i = 0; i < 16; i++) {
+ unsigned char byte;
+ static const char hex[] = "0123456789abcdef";
+ byte = ((index(hex, address[i * 2]) - hex) << 4) |
+ (index(hex, address[i * 2 + 1]) - hex);
+ addr6.s6_addr[i] = byte;
+ }
+ iter->current.af = AF_INET6;
+ iter->current.flags = INTERFACE_F_UP;
+ isc_netaddr_fromin6(&iter->current.address, &addr6);
+ if (isc_netaddr_islinklocal(&iter->current.address)) {
+ isc_netaddr_setzone(&iter->current.address,
+ (isc_uint32_t)ifindex);
+ }
+ for (i = 0; i < 16; i++) {
+ if (prefix > 8) {
+ addr6.s6_addr[i] = 0xff;
+ prefix -= 8;
+ } else {
+ addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
+ prefix = 0;
+ }
+ }
+ isc_netaddr_fromin6(&iter->current.netmask, &addr6);
+ strncpy(iter->current.name, name, sizeof(iter->current.name));
+ return (ISC_R_SUCCESS);
+}
+#endif
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family, or if
+ * some operation on it fails, return ISC_R_IGNORE to make
+ * the higher-level iterator code ignore it.
+ */
+
+static isc_result_t
+internal_current4(isc_interfaceiter_t *iter) {
+ struct ifreq *ifrp;
+ struct ifreq ifreq;
+ int family;
+ char strbuf[ISC_STRERRORSIZE];
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+ struct lifreq lifreq;
+#else
+ char sabuf[256];
+#endif
+ int i, bits, prefixlen;
+#ifdef __linux
+ isc_result_t result;
+#endif
+
+ REQUIRE(VALID_IFITER(iter));
+ REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
+
+#ifdef __linux
+ result = linux_if_inet6_current(iter);
+ if (result != ISC_R_NOMORE)
+ return (result);
+ iter->first = ISC_TRUE;
+#endif
+
+ ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+
+ memset(&ifreq, 0, sizeof(ifreq));
+ memcpy(&ifreq, ifrp, sizeof(ifreq));
+
+ family = ifreq.ifr_addr.sa_family;
+#if defined(ISC_PLATFORM_HAVEIPV6)
+ if (family != AF_INET && family != AF_INET6)
+#else
+ if (family != AF_INET)
+#endif
+ return (ISC_R_IGNORE);
+
+ memset(&iter->current, 0, sizeof(iter->current));
+ iter->current.af = family;
+
+ INSIST(sizeof(ifreq.ifr_name) <= sizeof(iter->current.name));
+ memset(iter->current.name, 0, sizeof(iter->current.name));
+ memcpy(iter->current.name, ifreq.ifr_name, sizeof(ifreq.ifr_name));
+
+ get_addr(family, &iter->current.address,
+ (struct sockaddr *)&ifrp->ifr_addr, ifreq.ifr_name);
+
+ /*
+ * If the interface does not have a address ignore it.
+ */
+ switch (family) {
+ case AF_INET:
+ if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
+ return (ISC_R_IGNORE);
+ break;
+ case AF_INET6:
+ if (memcmp(&iter->current.address.type.in6, &in6addr_any,
+ sizeof(in6addr_any)) == 0)
+ return (ISC_R_IGNORE);
+ break;
+ }
+
+ /*
+ * Get interface flags.
+ */
+
+ iter->current.flags = 0;
+
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(iter->socket, SIOCGIFFLAGS, (char *) &ifreq) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s: getting interface flags: %s",
+ ifreq.ifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+
+ if ((ifreq.ifr_flags & IFF_UP) != 0)
+ iter->current.flags |= INTERFACE_F_UP;
+
+#ifdef IFF_POINTOPOINT
+ if ((ifreq.ifr_flags & IFF_POINTOPOINT) != 0)
+ iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
+
+ if ((ifreq.ifr_flags & IFF_LOOPBACK) != 0)
+ iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+ if (family == AF_INET)
+ goto inet;
+
+#if !defined(ISC_PLATFORM_HAVEIF_LADDRREQ) && defined(SIOCGLIFADDR)
+ memset(&lifreq, 0, sizeof(lifreq));
+ memcpy(lifreq.lifr_name, iter->current.name, sizeof(lifreq.lifr_name));
+ memcpy(&lifreq.lifr_addr, &iter->current.address.type.in6,
+ sizeof(iter->current.address.type.in6));
+
+ if (ioctl(iter->socket, SIOCGLIFADDR, &lifreq) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s: getting interface address: %s",
+ ifreq.ifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+ prefixlen = lifreq.lifr_addrlen;
+#else
+ isc_netaddr_format(&iter->current.address, sabuf, sizeof(sabuf));
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_INTERFACE,
+ ISC_LOG_INFO,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETIFCONFIG,
+ "prefix length for %s is unknown "
+ "(assume 128)"), sabuf);
+ prefixlen = 128;
+#endif
+
+ /*
+ * Netmask already zeroed.
+ */
+ iter->current.netmask.family = family;
+ for (i = 0; i < 16; i++) {
+ if (prefixlen > 8) {
+ bits = 0;
+ prefixlen -= 8;
+ } else {
+ bits = 8 - prefixlen;
+ prefixlen = 0;
+ }
+ iter->current.netmask.type.in6.s6_addr[i] = (~0 << bits) & 0xff;
+ }
+ return (ISC_R_SUCCESS);
+
+ inet:
+ if (family != AF_INET)
+ return (ISC_R_IGNORE);
+#ifdef IFF_POINTOPOINT
+ /*
+ * If the interface is point-to-point, get the destination address.
+ */
+ if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(iter->socket, SIOCGIFDSTADDR, (char *)&ifreq)
+ < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETDESTADDR,
+ "%s: getting "
+ "destination address: %s"),
+ ifreq.ifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+ get_addr(family, &iter->current.dstaddress,
+ (struct sockaddr *)&ifreq.ifr_dstaddr, ifreq.ifr_name);
+ }
+#endif
+
+ /*
+ * Get the network mask.
+ */
+ memset(&ifreq, 0, sizeof(ifreq));
+ memcpy(&ifreq, ifrp, sizeof(ifreq));
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(iter->socket, SIOCGIFNETMASK, (char *)&ifreq) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETNETMASK,
+ "%s: getting netmask: %s"),
+ ifreq.ifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+ get_addr(family, &iter->current.netmask,
+ (struct sockaddr *)&ifreq.ifr_addr, ifreq.ifr_name);
+ return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_current6(isc_interfaceiter_t *iter) {
+ struct LIFREQ *ifrp;
+ struct LIFREQ lifreq;
+ int family;
+ char strbuf[ISC_STRERRORSIZE];
+ int fd;
+
+ REQUIRE(VALID_IFITER(iter));
+ if (iter->result6 != ISC_R_SUCCESS)
+ return (iter->result6);
+ REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+ ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
+
+ memset(&lifreq, 0, sizeof(lifreq));
+ memcpy(&lifreq, ifrp, sizeof(lifreq));
+
+ family = lifreq.lifr_addr.ss_family;
+#ifdef ISC_PLATFORM_HAVEIPV6
+ if (family != AF_INET && family != AF_INET6)
+#else
+ if (family != AF_INET)
+#endif
+ return (ISC_R_IGNORE);
+
+ memset(&iter->current, 0, sizeof(iter->current));
+ iter->current.af = family;
+
+ INSIST(sizeof(lifreq.lifr_name) <= sizeof(iter->current.name));
+ memset(iter->current.name, 0, sizeof(iter->current.name));
+ memcpy(iter->current.name, lifreq.lifr_name, sizeof(lifreq.lifr_name));
+
+ get_addr(family, &iter->current.address,
+ (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
+
+ /*
+ * If the interface does not have a address ignore it.
+ */
+ switch (family) {
+ case AF_INET:
+ if (iter->current.address.type.in.s_addr == htonl(INADDR_ANY))
+ return (ISC_R_IGNORE);
+ break;
+ case AF_INET6:
+ if (memcmp(&iter->current.address.type.in6, &in6addr_any,
+ sizeof(in6addr_any)) == 0)
+ return (ISC_R_IGNORE);
+ break;
+ }
+
+ /*
+ * Get interface flags.
+ */
+
+ iter->current.flags = 0;
+
+ if (family == AF_INET6)
+ fd = iter->socket6;
+ else
+ fd = iter->socket;
+
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(fd, SIOCGLIFFLAGS, (char *) &lifreq) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "%s: getting interface flags: %s",
+ lifreq.lifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+
+ if ((lifreq.lifr_flags & IFF_UP) != 0)
+ iter->current.flags |= INTERFACE_F_UP;
+
+#ifdef IFF_POINTOPOINT
+ if ((lifreq.lifr_flags & IFF_POINTOPOINT) != 0)
+ iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+#endif
+
+ if ((lifreq.lifr_flags & IFF_LOOPBACK) != 0)
+ iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+#ifdef IFF_POINTOPOINT
+ /*
+ * If the interface is point-to-point, get the destination address.
+ */
+ if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(fd, SIOCGLIFDSTADDR, (char *)&lifreq)
+ < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETDESTADDR,
+ "%s: getting "
+ "destination address: %s"),
+ lifreq.lifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+ get_addr(family, &iter->current.dstaddress,
+ (struct sockaddr *)&lifreq.lifr_dstaddr,
+ lifreq.lifr_name);
+ }
+#endif
+
+ /*
+ * Get the network mask. Netmask already zeroed.
+ */
+ memset(&lifreq, 0, sizeof(lifreq));
+ memcpy(&lifreq, ifrp, sizeof(lifreq));
+
+#ifdef lifr_addrlen
+ /*
+ * Special case: if the system provides lifr_addrlen member, the
+ * netmask of an IPv6 address can be derived from the length, since
+ * an IPv6 address always has a contiguous mask.
+ */
+ if (family == AF_INET6) {
+ int i, bits;
+
+ iter->current.netmask.family = family;
+ for (i = 0; i < lifreq.lifr_addrlen; i += 8) {
+ bits = lifreq.lifr_addrlen - i;
+ bits = (bits < 8) ? (8 - bits) : 0;
+ iter->current.netmask.type.in6.s6_addr[i / 8] =
+ (~0 << bits) & 0xff;
+ }
+
+ return (ISC_R_SUCCESS);
+ }
+#endif
+
+ /*
+ * Ignore the HP/UX warning about "interger overflow during
+ * conversion. It comes from its own macro definition,
+ * and is really hard to shut up.
+ */
+ if (ioctl(fd, SIOCGLIFNETMASK, (char *)&lifreq) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERIOCTL,
+ ISC_MSG_GETNETMASK,
+ "%s: getting netmask: %s"),
+ lifreq.lifr_name, strbuf);
+ return (ISC_R_IGNORE);
+ }
+ get_addr(family, &iter->current.netmask,
+ (struct sockaddr *)&lifreq.lifr_addr, lifreq.lifr_name);
+
+ return (ISC_R_SUCCESS);
+}
+#endif
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ if (iter->mode == 6) {
+ iter->result6 = internal_current6(iter);
+ if (iter->result6 != ISC_R_NOMORE)
+ return (iter->result6);
+ }
+#endif
+#ifdef HAVE_TRUCLUSTER
+ if (!iter->clua_done)
+ return(internal_current_clusteralias(iter));
+#endif
+ return (internal_current4(iter));
+}
+
+/*
+ * Step the iterator to the next interface. Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored. Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next4(isc_interfaceiter_t *iter) {
+ struct ifreq *ifrp;
+
+ REQUIRE (iter->pos < (unsigned int) iter->ifc.ifc_len);
+
+#ifdef __linux
+ if (linux_if_inet6_next(iter) == ISC_R_SUCCESS)
+ return (ISC_R_SUCCESS);
+ if (!iter->first)
+ return (ISC_R_SUCCESS);
+#endif
+ ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+
+#ifdef ISC_PLATFORM_HAVESALEN
+ if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
+ iter->pos += sizeof(ifrp->ifr_name) + ifrp->ifr_addr.sa_len;
+ else
+#endif
+ iter->pos += sizeof(*ifrp);
+
+ if (iter->pos >= (unsigned int) iter->ifc.ifc_len)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+static isc_result_t
+internal_next6(isc_interfaceiter_t *iter) {
+ struct LIFREQ *ifrp;
+
+ if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
+ return (iter->result6);
+
+ REQUIRE(iter->pos6 < (unsigned int) iter->lifc.lifc_len);
+
+ ifrp = (struct LIFREQ *)((char *) iter->lifc.lifc_req + iter->pos6);
+
+#ifdef ISC_PLATFORM_HAVESALEN
+ if (ifrp->lifr_addr.sa_len > sizeof(struct sockaddr))
+ iter->pos6 += sizeof(ifrp->lifr_name) + ifrp->lifr_addr.sa_len;
+ else
+#endif
+ iter->pos6 += sizeof(*ifrp);
+
+ if (iter->pos6 >= (unsigned int) iter->lifc.lifc_len)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+#endif
+
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+ int clua_result;
+#endif
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ if (iter->mode == 6) {
+ iter->result6 = internal_next6(iter);
+ if (iter->result6 != ISC_R_NOMORE)
+ return (iter->result6);
+ if (iter->first6) {
+ iter->first6 = ISC_FALSE;
+ return (ISC_R_SUCCESS);
+ }
+ }
+#endif
+#ifdef HAVE_TRUCLUSTER
+ if (!iter->clua_done) {
+ clua_result = clua_getaliasaddress(&iter->clua_sa,
+ &iter->clua_context);
+ if (clua_result != CLUA_SUCCESS)
+ iter->clua_done = ISC_TRUE;
+ return (ISC_R_SUCCESS);
+ }
+#endif
+ return (internal_next4(iter));
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+ (void) close(iter->socket);
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ if (iter->socket6 != -1)
+ (void) close(iter->socket6);
+ if (iter->buf6 != NULL) {
+ isc_mem_put(iter->mctx, iter->buf6, iter->bufsize6);
+ }
+#endif
+#ifdef __linux
+ if (iter->proc != NULL)
+ fclose(iter->proc);
+#endif
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+#ifdef HAVE_TRUCLUSTER
+ int clua_result;
+#endif
+ iter->pos = 0;
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR)
+ iter->pos6 = 0;
+ if (iter->result6 == ISC_R_NOMORE)
+ iter->result6 = ISC_R_SUCCESS;
+ iter->first6 = ISC_TRUE;
+#endif
+#ifdef HAVE_TRUCLUSTER
+ iter->clua_context = 0;
+ clua_result = clua_getaliasaddress(&iter->clua_sa,
+ &iter->clua_context);
+ iter->clua_done = ISC_TF(clua_result != CLUA_SUCCESS);
+#endif
+#ifdef __linux
+ linux_if_inet6_first(iter);
+#endif
+}
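Review bot: In isc_interfaceiter_create the IPv6 failure path can return ISC_R_SUCCESS with no iterator. `result` still holds the success value from isc_net_probeipv6() when `iter->result6 = getbuf6(iter);` fails and control jumps to `ioctl6_failure`, which frees `iter` and executes `return (result);` without ever assigning `*iterp`. A caller that trusts the return code then uses a NULL iterator; the `__hpux` ENOENT branch in getbuf6 (ISC_R_FAILURE) is one visible way to reach this. Assigning both variables fixes it: `result = iter->result6 = getbuf6(iter);` with the following test written against `result`. A smaller point in internal_current6: the `lifr_addrlen` loop indexes `s6_addr[i / 8]` with no upper bound, so capping the length at 128 before the loop would keep an unexpected value from writing past the 16-byte address.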
diff --git a/contrib/bind9/lib/isc/unix/ifiter_sysctl.c b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
new file mode 100644
index 0000000..c0f678b
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/ifiter_sysctl.c
@@ -0,0 +1,301 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ifiter_sysctl.c,v 1.14.12.7 2004/03/08 09:04:56 marka Exp $ */
+
+/*
+ * Obtain the list of network interfaces using sysctl.
+ * See TCP/IP Illustrated Volume 2, sections 19.8, 19.14,
+ * and 19.16.
+ */
+
+#include <sys/param.h>
+#include <sys/sysctl.h>
+
+#include <net/route.h>
+#include <net/if_dl.h>
+
+/* XXX what about Alpha? */
+#ifdef sgi
+#define ROUNDUP(a) ((a) > 0 ? \
+ (1 + (((a) - 1) | (sizeof(__uint64_t) - 1))) : \
+ sizeof(__uint64_t))
+#else
+#define ROUNDUP(a) ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) \
+ : sizeof(long))
+#endif
+
+#define IFITER_MAGIC ISC_MAGIC('I', 'F', 'I', 'S')
+#define VALID_IFITER(t) ISC_MAGIC_VALID(t, IFITER_MAGIC)
+
+struct isc_interfaceiter {
+ unsigned int magic; /* Magic number. */
+ isc_mem_t *mctx;
+ void *buf; /* Buffer for sysctl data. */
+ unsigned int bufsize; /* Bytes allocated. */
+ unsigned int bufused; /* Bytes used. */
+ unsigned int pos; /* Current offset in
+ sysctl data. */
+ isc_interface_t current; /* Current interface data. */
+ isc_result_t result; /* Last result code. */
+};
+
+static int mib[6] = {
+ CTL_NET,
+ PF_ROUTE,
+ 0,
+ 0, /* Any address family. */
+ NET_RT_IFLIST,
+ 0 /* Flags. */
+};
+
+isc_result_t
+isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
+ isc_interfaceiter_t *iter;
+ isc_result_t result;
+ size_t bufsize;
+ size_t bufused;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(iterp != NULL);
+ REQUIRE(*iterp == NULL);
+
+ iter = isc_mem_get(mctx, sizeof(*iter));
+ if (iter == NULL)
+ return (ISC_R_NOMEMORY);
+
+ iter->mctx = mctx;
+ iter->buf = 0;
+
+ /*
+ * Determine the amount of memory needed.
+ */
+ bufsize = 0;
+ if (sysctl(mib, 6, NULL, &bufsize, NULL, (size_t) 0) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERSYSCTL,
+ ISC_MSG_GETIFLISTSIZE,
+ "getting interface "
+ "list size: sysctl: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto failure;
+ }
+ iter->bufsize = bufsize;
+
+ iter->buf = isc_mem_get(iter->mctx, iter->bufsize);
+ if (iter->buf == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto failure;
+ }
+
+ bufused = bufsize;
+ if (sysctl(mib, 6, iter->buf, &bufused, NULL, (size_t) 0) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_IFITERSYSCTL,
+ ISC_MSG_GETIFLIST,
+ "getting interface list: "
+ "sysctl: %s"),
+ strbuf);
+ result = ISC_R_UNEXPECTED;
+ goto failure;
+ }
+ iter->bufused = bufused;
+ INSIST(iter->bufused <= iter->bufsize);
+
+ /*
+ * A newly created iterator has an undefined position
+ * until isc_interfaceiter_first() is called.
+ */
+ iter->pos = (unsigned int) -1;
+ iter->result = ISC_R_FAILURE;
+
+ iter->magic = IFITER_MAGIC;
+ *iterp = iter;
+ return (ISC_R_SUCCESS);
+
+ failure:
+ if (iter->buf != NULL)
+ isc_mem_put(mctx, iter->buf, iter->bufsize);
+ isc_mem_put(mctx, iter, sizeof(*iter));
+ return (result);
+}
+
+/*
+ * Get information about the current interface to iter->current.
+ * If successful, return ISC_R_SUCCESS.
+ * If the interface has an unsupported address family,
+ * return ISC_R_IGNORE. In case of other failure,
+ * return ISC_R_UNEXPECTED.
+ */
+
+static isc_result_t
+internal_current(isc_interfaceiter_t *iter) {
+ struct ifa_msghdr *ifam, *ifam_end;
+
+ REQUIRE(VALID_IFITER(iter));
+ REQUIRE (iter->pos < (unsigned int) iter->bufused);
+
+ ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
+ ifam_end = (struct ifa_msghdr *) ((char *) iter->buf + iter->bufused);
+
+ if (ifam->ifam_type == RTM_IFINFO) {
+ struct if_msghdr *ifm = (struct if_msghdr *) ifam;
+ struct sockaddr_dl *sdl = (struct sockaddr_dl *) (ifm + 1);
+ unsigned int namelen;
+
+ memset(&iter->current, 0, sizeof(iter->current));
+
+ namelen = sdl->sdl_nlen;
+ if (namelen > sizeof(iter->current.name) - 1)
+ namelen = sizeof(iter->current.name) - 1;
+
+ memset(iter->current.name, 0, sizeof(iter->current.name));
+ memcpy(iter->current.name, sdl->sdl_data, namelen);
+
+ iter->current.flags = 0;
+
+ if ((ifam->ifam_flags & IFF_UP) != 0)
+ iter->current.flags |= INTERFACE_F_UP;
+
+ if ((ifam->ifam_flags & IFF_POINTOPOINT) != 0)
+ iter->current.flags |= INTERFACE_F_POINTTOPOINT;
+
+ if ((ifam->ifam_flags & IFF_LOOPBACK) != 0)
+ iter->current.flags |= INTERFACE_F_LOOPBACK;
+
+ /*
+ * This is not an interface address.
+ * Force another iteration.
+ */
+ return (ISC_R_IGNORE);
+ } else if (ifam->ifam_type == RTM_NEWADDR) {
+ int i;
+ int family;
+ struct sockaddr *mask_sa = NULL;
+ struct sockaddr *addr_sa = NULL;
+ struct sockaddr *dst_sa = NULL;
+
+ struct sockaddr *sa = (struct sockaddr *)(ifam + 1);
+ family = sa->sa_family;
+
+ for (i = 0; i < RTAX_MAX; i++)
+ {
+ if ((ifam->ifam_addrs & (1 << i)) == 0)
+ continue;
+
+ INSIST(sa < (struct sockaddr *) ifam_end);
+
+ switch (i) {
+ case RTAX_NETMASK: /* Netmask */
+ mask_sa = sa;
+ break;
+ case RTAX_IFA: /* Interface address */
+ addr_sa = sa;
+ break;
+ case RTAX_BRD: /* Broadcast or destination address */
+ dst_sa = sa;
+ break;
+ }
+#ifdef ISC_PLATFORM_HAVESALEN
+ sa = (struct sockaddr *)((char*)(sa)
+ + ROUNDUP(sa->sa_len));
+#else
+#ifdef sgi
+ /*
+ * Do as the contributed SGI code does.
+ */
+ sa = (struct sockaddr *)((char*)(sa)
+ + ROUNDUP(_FAKE_SA_LEN_DST(sa)));
+#else
+ /* XXX untested. */
+ sa = (struct sockaddr *)((char*)(sa)
+ + ROUNDUP(sizeof(struct sockaddr)));
+#endif
+#endif
+ }
+
+ if (addr_sa == NULL)
+ return (ISC_R_IGNORE);
+
+ family = addr_sa->sa_family;
+ if (family != AF_INET && family != AF_INET6)
+ return (ISC_R_IGNORE);
+
+ iter->current.af = family;
+
+ get_addr(family, &iter->current.address, addr_sa,
+ iter->current.name);
+
+ if (mask_sa != NULL)
+ get_addr(family, &iter->current.netmask, mask_sa,
+ iter->current.name);
+
+ if (dst_sa != NULL &&
+ (iter->current.flags & IFF_POINTOPOINT) != 0)
+ get_addr(family, &iter->current.dstaddress, dst_sa,
+ iter->current.name);
+
+ return (ISC_R_SUCCESS);
+ } else {
+ printf(isc_msgcat_get(isc_msgcat, ISC_MSGSET_IFITERSYSCTL,
+ ISC_MSG_UNEXPECTEDTYPE,
+ "warning: unexpected interface list "
+ "message type\n"));
+ return (ISC_R_IGNORE);
+ }
+}
+
+/*
+ * Step the iterator to the next interface. Unlike
+ * isc_interfaceiter_next(), this may leave the iterator
+ * positioned on an interface that will ultimately
+ * be ignored. Return ISC_R_NOMORE if there are no more
+ * interfaces, otherwise ISC_R_SUCCESS.
+ */
+static isc_result_t
+internal_next(isc_interfaceiter_t *iter) {
+ struct ifa_msghdr *ifam;
+ REQUIRE (iter->pos < (unsigned int) iter->bufused);
+
+ ifam = (struct ifa_msghdr *) ((char *) iter->buf + iter->pos);
+
+ iter->pos += ifam->ifam_msglen;
+
+ if (iter->pos >= iter->bufused)
+ return (ISC_R_NOMORE);
+
+ return (ISC_R_SUCCESS);
+}
+
+static void
+internal_destroy(isc_interfaceiter_t *iter) {
+ UNUSED(iter); /* Unused. */
+ /*
+ * Do nothing.
+ */
+}
+
+static
+void internal_first(isc_interfaceiter_t *iter) {
+ iter->pos = 0;
+}
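Review bot: In internal_current() the point-to-point test before the third get_addr() call masks iter->current.flags with IFF_POINTOPOINT, but that field was filled a few lines earlier with INTERFACE_F_* bits, so the test reads the wrong flag namespace; it should be `(iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0`. Unless the two constants happen to share a value, dstaddress is left unset for point-to-point links or set for the wrong interfaces. Separately, internal_next() adds ifam_msglen to pos without checking that it is non-zero and that the record ends inside bufused. The INSIST in the address loop likewise checks only where each sockaddr starts, not where it ends. A guard such as `INSIST(ifam->ifam_msglen > 0 && ifam->ifam_msglen <= iter->bufused - iter->pos);` before the advance would make the parser fail closed on a malformed or truncated buffer.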
diff --git a/contrib/bind9/lib/isc/unix/include/Makefile.in b/contrib/bind9/lib/isc/unix/include/Makefile.in
new file mode 100644
index 0000000..5a06022
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.206.1 2004/03/06 08:15:03 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isc/unix/include/isc/Makefile.in b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
new file mode 100644
index 0000000..4c5bae2
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/Makefile.in
@@ -0,0 +1,38 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.27.206.1 2004/03/06 08:15:03 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+HEADERS = dir.h int.h net.h netdb.h offset.h stdtime.h \
+ syslog.h time.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc ; \
+ done
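Review bot: The install:: recipe runs ${INSTALL_DATA} inside a shell `for` loop with no error check, so unless make invokes the shell with -e, a failed copy of any header but the last is ignored and the install reports success with an incomplete include directory. Ending the command with `|| exit 1`, as in `${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/isc || exit 1 ; \`, stops at the first failure. HEADERS also omits keyboard.h, stat.h and strerror.h, which this commit adds to the same directory; if they are meant to stay private, a one-line comment above HEADERS saying so would prevent a later "fix".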
diff --git a/contrib/bind9/lib/isc/unix/include/isc/dir.h b/contrib/bind9/lib/isc/unix/include/isc/dir.h
new file mode 100644
index 0000000..53b51df
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/dir.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dir.h,v 1.15.12.3 2004/03/08 09:04:57 marka Exp $ */
+
+/* Principal Authors: DCL */
+
+#ifndef ISC_DIR_H
+#define ISC_DIR_H 1
+
+#include <sys/types.h> /* Required on some systems. */
+#include <dirent.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+#define ISC_DIR_NAMEMAX 256
+#define ISC_DIR_PATHMAX 1024
+
+typedef struct isc_direntry {
+ /*
+ * Ideally, this should be NAME_MAX, but AIX does not define it by
+ * default and dynamically allocating the space based on pathconf()
+ * complicates things undesirably, as does adding special conditionals
+ * just for AIX. So a comfortably sized buffer is chosen instead.
+ */
+ char name[ISC_DIR_NAMEMAX];
+ unsigned int length;
+} isc_direntry_t;
+
+typedef struct isc_dir {
+ unsigned int magic;
+ /*
+ * As with isc_direntry_t->name, making this "right" for all systems
+ * is slightly problematic because AIX does not define PATH_MAX.
+ */
+ char dirname[ISC_DIR_PATHMAX];
+ isc_direntry_t entry;
+ DIR * handle;
+} isc_dir_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_dir_init(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_open(isc_dir_t *dir, const char *dirname);
+
+isc_result_t
+isc_dir_read(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_reset(isc_dir_t *dir);
+
+void
+isc_dir_close(isc_dir_t *dir);
+
+isc_result_t
+isc_dir_chdir(const char *dirname);
+
+isc_result_t
+isc_dir_chroot(const char *dirname);
+
+isc_result_t
+isc_dir_createunique(char *templet);
+/*
+ * Use a templet (such as from isc_file_mktemplate()) to create a uniquely
+ * named, empty directory. The templet string is modified in place.
+ * If result == ISC_R_SUCCESS, it is the name of the directory that was
+ * created.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_DIR_H */
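Review bot: Only isc_dir_createunique() carries a contract comment; the other prototypes, including isc_dir_open() and isc_dir_chroot(), are undocumented even though the structs above them use fixed buffers of ISC_DIR_PATHMAX and ISC_DIR_NAMEMAX bytes. The header should say what isc_dir_open() and isc_dir_read() do with a path or entry name that does not fit, for example `/* Returns an error, without truncating, if 'dirname' does not fit in ISC_DIR_PATHMAX bytes. */`, with the wording confirmed against dir.c, which is not part of this hunk. For isc_dir_chroot() it should state whether the working directory is changed as well, since a caller that assumes so and is wrong keeps a directory handle outside the new root.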
diff --git a/contrib/bind9/lib/isc/unix/include/isc/int.h b/contrib/bind9/lib/isc/unix/include/isc/int.h
new file mode 100644
index 0000000..be36ccb
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/int.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: int.h,v 1.11.206.1 2004/03/06 08:15:04 marka Exp $ */
+
+#ifndef ISC_INT_H
+#define ISC_INT_H 1
+
+typedef char isc_int8_t;
+typedef unsigned char isc_uint8_t;
+typedef short isc_int16_t;
+typedef unsigned short isc_uint16_t;
+typedef int isc_int32_t;
+typedef unsigned int isc_uint32_t;
+typedef long long isc_int64_t;
+typedef unsigned long long isc_uint64_t;
+
+#define ISC_INT8_MIN -128
+#define ISC_INT8_MAX 127
+#define ISC_UINT8_MAX 255
+
+#define ISC_INT16_MIN -32768
+#define ISC_INT16_MAX 32767
+#define ISC_UINT16_MAX 65535
+
+/*
+ * Note that "int" is 32 bits on all currently supported Unix-like operating
+ * systems, but "long" can be either 32 bits or 64 bits, thus the 32 bit
+ * constants are not qualified with "L".
+ */
+#define ISC_INT32_MIN -2147483648
+#define ISC_INT32_MAX 2147483647
+#define ISC_UINT32_MAX 4294967295U
+
+#define ISC_INT64_MIN -9223372036854775808LL
+#define ISC_INT64_MAX 9223372036854775807LL
+#define ISC_UINT64_MAX 18446744073709551615ULL
+
+#endif /* ISC_INT_H */
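Review bot: `typedef char isc_int8_t;` relies on plain char being signed, which is implementation-defined; on a platform where char is unsigned the type cannot hold ISC_INT8_MIN, so it should be `typedef signed char isc_int8_t;`. The minimum-value macros have a related problem: `-2147483648` is unary minus applied to a literal that does not fit in int, so ISC_INT32_MIN does not have type int, and ISC_INT64_MIN is built the same way. Writing them as `(-2147483647 - 1)` and `(-9223372036854775807LL - 1)` gives the intended type and also adds the parentheses the other negative macros lack.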
diff --git a/contrib/bind9/lib/isc/unix/include/isc/keyboard.h b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
new file mode 100644
index 0000000..31005b1
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/keyboard.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keyboard.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
+
+#ifndef ISC_KEYBOARD_H
+#define ISC_KEYBOARD_H 1
+
+#include <termios.h>
+
+#include <isc/lang.h>
+#include <isc/result.h>
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+ int fd;
+ struct termios saved_mode;
+ isc_result_t result;
+} isc_keyboard_t;
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard);
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleepseconds);
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp);
+
+isc_boolean_t
+isc_keyboard_canceled(isc_keyboard_t *keyboard);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_KEYBOARD_H */
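Review bot: None of the four isc_keyboard_* prototypes has a contract comment, and the struct saves a termios mode whose restore rules a caller cannot infer from the header. At minimum, isc_keyboard_close() should document what `sleepseconds` does and whether saved_mode is restored on every path, including after isc_keyboard_canceled() returns true. A terminal left in the modified mode is the failure a caller needs to know how to avoid. The header also uses isc_boolean_t while including only isc/lang.h and isc/result.h, so it presumably depends on one of those pulling in the type; an explicit include would remove that dependency.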
diff --git a/contrib/bind9/lib/isc/unix/include/isc/net.h b/contrib/bind9/lib/isc/unix/include/isc/net.h
new file mode 100644
index 0000000..f1a015f
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/net.h
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: net.h,v 1.31.2.2.10.8 2004/04/29 01:31:23 marka Exp $ */
+
+#ifndef ISC_NET_H
+#define ISC_NET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ * struct in_addr
+ * struct in6_addr
+ * struct in6_pktinfo
+ * struct sockaddr
+ * struct sockaddr_in
+ * struct sockaddr_in6
+ * in_port_t
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares inet_aton(), inet_ntop(), and inet_pton().
+ *
+ * It ensures that INADDR_LOOPBACK, INADDR_ANY, IN6ADDR_ANY_INIT,
+ * in6addr_any, and in6addr_loopback are available.
+ *
+ * It ensures that IN_MULTICAST() is available to check for multicast
+ * addresses.
+ *
+ * MP:
+ * No impact.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * N/A.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * BSD Socket API
+ * RFC 2553
+ */
+
+/***
+ *** Imports.
+ ***/
+#include <isc/platform.h>
+
+#include <sys/types.h>
+#include <sys/socket.h> /* Contractual promise. */
+
+#include <net/if.h>
+
+#include <netinet/in.h> /* Contractual promise. */
+#include <arpa/inet.h> /* Contractual promise. */
+#ifdef ISC_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h> /* Required on UnixWare. */
+#endif
+#ifdef ISC_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIPV6
+#include <isc/ipv6.h> /* Contractual promise. */
+#endif
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+#ifdef ISC_PLATFORM_HAVEINADDR6
+#define in6_addr in_addr6 /* Required for pre RFC2133 implementations. */
+#endif
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+/*
+ * Required for some pre RFC2133 implementations.
+ * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
+ * If 's6_addr' is defined then assume that there is a union and three
+ * levels otherwise assume two levels required.
+ */
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
+#else
+#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
+#endif
+#endif
+
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
+#else
+#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
+#endif
+#endif
+
+#ifndef IN6_IS_ADDR_V4MAPPED
+#define IN6_IS_ADDR_V4MAPPED(x) \
+ (memcmp((x)->s6_addr, in6addr_any.s6_addr, 10) == 0 && \
+ (x)->s6_addr[10] == 0xff && (x)->s6_addr[11] == 0xff)
+#endif
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+#define IN6_IS_ADDR_V4COMPAT(x) \
+ (memcmp((x)->s6_addr, in6addr_any.s6_addr, 12) == 0 && \
+ ((x)->s6_addr[12] != 0 || (x)->s6_addr[13] != 0 || \
+ (x)->s6_addr[14] != 0 || \
+ ((x)->s6_addr[15] != 0 && (x)->s6_addr[15] != 1)))
+#endif
+
+#ifndef IN6_IS_ADDR_MULTICAST
+#define IN6_IS_ADDR_MULTICAST(a) ((a)->s6_addr[0] == 0xff)
+#endif
+
+#ifndef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0x80))
+#endif
+
+#ifndef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a) \
+ (((a)->s6_addr[0] == 0xfe) && (((a)->s6_addr[1] & 0xc0) == 0xc0))
+#endif
+
+
+#ifndef IN6_IS_ADDR_LOOPBACK
+#define IN6_IS_ADDR_LOOPBACK(x) \
+ (memcmp((x)->s6_addr, in6addr_loopback.s6_addr, 16) == 0)
+#endif
+#endif
+
+#ifndef AF_INET6
+#define AF_INET6 99
+#endif
+
+#ifndef PF_INET6
+#define PF_INET6 AF_INET6
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+#ifndef ISC_PLATFORM_HAVEIN6PKTINFO
+struct in6_pktinfo {
+ struct in6_addr ipi6_addr; /* src/dst IPv6 address */
+ unsigned int ipi6_ifindex; /* send/recv interface index */
+};
+#endif
+
+/*
+ * Cope with a missing in6addr_any and in6addr_loopback.
+ */
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
+extern const struct in6_addr isc_net_in6addrany;
+#define in6addr_any isc_net_in6addrany
+#endif
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
+extern const struct in6_addr isc_net_in6addrloop;
+#define in6addr_loopback isc_net_in6addrloop
+#endif
+
+/*
+ * Fix UnixWare 7.1.1's broken IN6_IS_ADDR_* definitions.
+ */
+#ifdef ISC_PLATFORM_FIXIN6ISADDR
+#undef IN6_IS_ADDR_GEOGRAPHIC
+#define IN6_IS_ADDR_GEOGRAPHIC(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x80)
+#undef IN6_IS_ADDR_IPX
+#define IN6_IS_ADDR_IPX(a) (((a)->S6_un.S6_l[0] & 0xFE) == 0x04)
+#undef IN6_IS_ADDR_LINKLOCAL
+#define IN6_IS_ADDR_LINKLOCAL(a) (((a)->S6_un.S6_l[0] & 0xC0FF) == 0x80FE)
+#undef IN6_IS_ADDR_MULTICAST
+#define IN6_IS_ADDR_MULTICAST(a) (((a)->S6_un.S6_l[0] & 0xFF) == 0xFF)
+#undef IN6_IS_ADDR_NSAP
+#define IN6_IS_ADDR_NSAP(a) (((a)->S6_un.S6_l[0] & 0xFE) == 0x02)
+#undef IN6_IS_ADDR_PROVIDER
+#define IN6_IS_ADDR_PROVIDER(a) (((a)->S6_un.S6_l[0] & 0xE0) == 0x40)
+#undef IN6_IS_ADDR_SITELOCAL
+#define IN6_IS_ADDR_SITELOCAL(a) (((a)->S6_un.S6_l[0] & 0xC0FF) == 0xC0FE)
+#endif /* ISC_PLATFORM_FIXIN6ISADDR */
+
+/*
+ * Ensure type in_port_t is defined.
+ */
+#ifdef ISC_PLATFORM_NEEDPORTT
+typedef isc_uint16_t in_port_t;
+#endif
+
+/*
+ * If this system does not have MSG_TRUNC (as returned from recvmsg())
+ * ISC_PLATFORM_RECVOVERFLOW will be defined. This will enable the MSG_TRUNC
+ * faking code in socket.c.
+ */
+#ifndef MSG_TRUNC
+#define ISC_PLATFORM_RECVOVERFLOW
+#endif
+
+#define ISC__IPADDR(x) ((isc_uint32_t)htonl((isc_uint32_t)(x)))
+
+#define ISC_IPADDR_ISMULTICAST(i) \
+ (((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+ == ISC__IPADDR(0xe0000000))
+
+#define ISC_IPADDR_ISEXPERIMENTAL(i) \
+ (((isc_uint32_t)(i) & ISC__IPADDR(0xf0000000)) \
+ == ISC__IPADDR(0xf0000000))
+
+/***
+ *** Functions.
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_net_probeipv4(void);
+/*
+ * Check if the system's kernel supports IPv4.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS IPv4 is supported.
+ * ISC_R_NOTFOUND IPv4 is not supported.
+ * ISC_R_DISABLED IPv4 is disabled.
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probeipv6(void);
+/*
+ * Check if the system's kernel supports IPv6.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS IPv6 is supported.
+ * ISC_R_NOTFOUND IPv6 is not supported.
+ * ISC_R_DISABLED IPv6 is disabled.
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6only(void);
+/*
+ * Check if the system's kernel supports the IPV6_V6ONLY socket option.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS the option is supported for both TCP and UDP.
+ * ISC_R_NOTFOUND IPv6 itself or the option is not supported.
+ * ISC_R_UNEXPECTED
+ */
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void);
+/*
+ * Check if the system's kernel supports the IPV6_(RECV)PKTINFO socket option
+ * for UDP sockets.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS the option is supported.
+ * ISC_R_NOTFOUND IPv6 itself or the option is not supported.
+ * ISC_R_UNEXPECTED
+ */
+
+void
+isc_net_disableipv4(void);
+
+void
+isc_net_disableipv6(void);
+
+void
+isc_net_enableipv4(void);
+
+void
+isc_net_enableipv6(void);
+
+#ifdef ISC_PLATFORM_NEEDNTOP
+const char *
+isc_net_ntop(int af, const void *src, char *dst, size_t size);
+#define inet_ntop isc_net_ntop
+#endif
+
+#ifdef ISC_PLATFORM_NEEDPTON
+int
+isc_net_pton(int af, const char *src, void *dst);
+#undef inet_pton
+#define inet_pton isc_net_pton
+#endif
+
+#ifdef ISC_PLATFORM_NEEDATON
+int
+isc_net_aton(const char *cp, struct in_addr *addr);
+#define inet_aton isc_net_aton
+#endif
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_NET_H */
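Review bot: The fallback definitions of IN6_IS_ADDR_V4MAPPED, IN6_IS_ADDR_V4COMPAT and IN6_IS_ADDR_LOOPBACK expand to memcmp() calls, but the Imports section does not include <string.h>. A translation unit that uses one of these macros on a platform needing the fallback therefore compiles only if it happens to include <string.h> itself, and otherwise gets an implicit declaration. Adding `#include <string.h>` next to the other system headers makes the header self-contained. The fallback `#define AF_INET6 99` would also benefit from a comment stating that it is a placeholder value for systems without IPv6 and must never reach a socket call.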
diff --git a/contrib/bind9/lib/isc/unix/include/isc/netdb.h b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
new file mode 100644
index 0000000..beb9137
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/netdb.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netdb.h,v 1.6.206.1 2004/03/06 08:15:04 marka Exp $ */
+
+#ifndef ISC_NETDB_H
+#define ISC_NETDB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining the get<x>by<y> APIs.
+ *
+ * MP:
+ * No impact.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * N/A.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * BSD API
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/net.h>
+
+#include <netdb.h>
+
+#endif /* ISC_NETDB_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/offset.h b/contrib/bind9/lib/isc/unix/include/isc/offset.h
new file mode 100644
index 0000000..0ea1362
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/offset.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: offset.h,v 1.10.206.1 2004/03/06 08:15:04 marka Exp $ */
+
+#ifndef ISC_OFFSET_H
+#define ISC_OFFSET_H 1
+
+/*
+ * File offsets are operating-system dependent.
+ */
+#include <limits.h> /* Required for CHAR_BIT. */
+#include <sys/types.h>
+
+typedef off_t isc_offset_t;
+
+/*
+ * POSIX says "Additionally, blkcnt_t and off_t are extended signed integral
+ * types", so the maximum value is all 1s except for the high bit.
+ * This definition is more complex than it really needs to be because it was
+ * crafted to keep both the SunOS 5.6 and the HP/UX 11 compilers quiet about
+ * integer overflow. For example, though this is equivalent to just left
+ * shifting 1 to the high bit and then inverting the bits, the SunOS compiler
+ * is unhappy about shifting a positive "1" to negative in a signed integer.
+ */
+#define ISC_OFFSET_MAXIMUM \
+ (~(((off_t)-1 >> (sizeof(off_t) * CHAR_BIT - 1)) \
+ << (sizeof(off_t) * CHAR_BIT - 1)))
+
+#endif /* ISC_OFFSET_H */
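Review bot: ISC_OFFSET_MAXIMUM right-shifts and then left-shifts the negative value `(off_t)-1`; the right shift is implementation-defined and the left shift of a negative value is undefined in C99, so the result is only correct on compilers that use arithmetic shifts. The comment explains the compiler warnings being avoided but not this assumption. A form that stays within defined behaviour is `((off_t)(((((off_t)1 << (sizeof(off_t) * CHAR_BIT - 2)) - 1) * 2) + 1))`, which would need checking against the SunOS and HP/UX compilers the comment mentions. If the current form stays, the comment should state the arithmetic-shift assumption explicitly, because file-size limit checks built on this constant depend on it.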
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stat.h b/contrib/bind9/lib/isc/unix/include/isc/stat.h
new file mode 100644
index 0000000..4304208
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/stat.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stat.h,v 1.1.2.1.4.1 2004/03/06 08:15:05 marka Exp $ */
+
+#ifndef ISC_STAT_H
+#define ISC_STAT_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Portable netdb.h support.
+ *
+ * This module is responsible for defining S_IS??? macros.
+ *
+ * MP:
+ * No impact.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * N/A.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#endif /* ISC_STAT_H */
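Review bot: The module comment reads "Portable netdb.h support", apparently copied from netdb.h, and says the module defines S_IS??? macros, yet the header only includes <sys/types.h> and <sys/stat.h> and defines nothing itself. The comment should match what the file does, for example `Portable sys/stat.h support.` followed by `This module ensures the S_IS??? macros are available by including <sys/stat.h>.`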
diff --git a/contrib/bind9/lib/isc/unix/include/isc/stdtime.h b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
new file mode 100644
index 0000000..9b855c7
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/stdtime.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stdtime.h,v 1.8.206.1 2004/03/06 08:15:05 marka Exp $ */
+
+#ifndef ISC_STDTIME_H
+#define ISC_STDTIME_H 1
+
+#include <isc/lang.h>
+#include <isc/int.h>
+
+/*
+ * It's public information that 'isc_stdtime_t' is an unsigned integral type.
+ * Applications that want maximum portability should not assume anything
+ * about its size.
+ */
+typedef isc_uint32_t isc_stdtime_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_stdtime_get(isc_stdtime_t *t);
+/*
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1, 1970.
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STDTIME_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/strerror.h b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
new file mode 100644
index 0000000..f51fbdc
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/strerror.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: strerror.h,v 1.2.12.3 2004/03/08 09:04:57 marka Exp $ */
+
+#ifndef ISC_STRERROR_H
+#define ISC_STRERROR_H
+
+#include <sys/types.h>
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISC_STRERRORSIZE 128
+
+/*
+ * Provide a thread safe wrapper to strerrror().
+ *
+ * Requires:
+ * 'buf' to be non NULL.
+ */
+void
+isc__strerror(int num, char *buf, size_t bufsize);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STRERROR_H */
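Review bot: The contract comment above isc__strerror() misspells the wrapped function as `strerrror()` and leaves the buffer contract open. It requires only that 'buf' be non-NULL; it does not say whether 'bufsize' may be 0, or whether the output is always NUL-terminated when the message is truncated. A caller that passes a `char strbuf[ISC_STRERRORSIZE]` on to a `%s` format depends on that guarantee. Suggested wording: `Provide a thread safe wrapper to strerror().`, plus a Requires/Ensures line stating the minimum 'bufsize' and the termination guarantee once confirmed against the implementation.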
diff --git a/contrib/bind9/lib/isc/unix/include/isc/syslog.h b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
new file mode 100644
index 0000000..2c0625e
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/syslog.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: syslog.h,v 1.2.206.1 2004/03/06 08:15:05 marka Exp $ */
+
+#ifndef ISC_SYSLOG_H
+#define ISC_SYSLOG_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp);
+/*
+ * Convert 'str' to the appropriate syslog facility constant.
+ *
+ * Requires:
+ *
+ * 'str' is not NULL
+ * 'facilityp' is not NULL
+ *
+ * Returns:
+ * ISC_R_SUCCESS
+ * ISC_R_NOTFOUND
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_SYSLOG_H */
diff --git a/contrib/bind9/lib/isc/unix/include/isc/time.h b/contrib/bind9/lib/isc/unix/include/isc/time.h
new file mode 100644
index 0000000..6021c13
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/include/isc/time.h
@@ -0,0 +1,299 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: time.h,v 1.25.2.1.10.4 2004/03/08 09:04:58 marka Exp $ */
+
+#ifndef ISC_TIME_H
+#define ISC_TIME_H 1
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+/***
+ *** Intervals
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+struct isc_interval {
+ unsigned int seconds;
+ unsigned int nanoseconds;
+};
+
+extern isc_interval_t *isc_interval_zero;
+
+ISC_LANG_BEGINDECLS
+
+void
+isc_interval_set(isc_interval_t *i,
+ unsigned int seconds, unsigned int nanoseconds);
+/*
+ * Set 'i' to a value representing an interval of 'seconds' seconds and
+ * 'nanoseconds' nanoseconds, suitable for use in isc_time_add() and
+ * isc_time_subtract().
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ * nanoseconds < 1000000000.
+ */
+
+isc_boolean_t
+isc_interval_iszero(const isc_interval_t *i);
+/*
+ * Returns ISC_TRUE iff. 'i' is the zero interval.
+ *
+ * Requires:
+ *
+ * 'i' is a valid pointer.
+ */
+
+/***
+ *** Absolute Times
+ ***/
+
+/*
+ * The contents of this structure are private, and MUST NOT be accessed
+ * directly by callers.
+ *
+ * The contents are exposed only to allow callers to avoid dynamic allocation.
+ */
+
+struct isc_time {
+ unsigned int seconds;
+ unsigned int nanoseconds;
+};
+
+extern isc_time_t *isc_time_epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
+/*
+ * Set 't' to a particular number of seconds + nanoseconds since the epoch.
+ *
+ * Notes:
+ * This call is equivalent to:
+ *
+ * isc_time_settoepoch(t);
+ * isc_interval_set(i, seconds, nanoseconds);
+ * isc_time_add(t, i, t);
+ *
+ * Requires:
+ * 't' is a valid pointer.
+ * nanoseconds < 1000000000.
+ */
+
+void
+isc_time_settoepoch(isc_time_t *t);
+/*
+ * Set 't' to the time of the epoch.
+ *
+ * Notes:
+ * The date of the epoch is platform-dependent.
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ */
+
+isc_boolean_t
+isc_time_isepoch(const isc_time_t *t);
+/*
+ * Returns ISC_TRUE iff. 't' is the epoch ("time zero").
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_now(isc_time_t *t);
+/*
+ * Set 't' to the current absolute time.
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ *
+ * Returns:
+ *
+ * Success
+ * Unexpected error
+ * Getting the time from the system failed.
+ * Out of range
+ * The time from the system is too large to be represented
+ * in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i);
+/*
+ * Set *t to the current absolute time + i.
+ *
+ * Note:
+ * This call is equivalent to:
+ *
+ * isc_time_now(t);
+ * isc_time_add(t, i, t);
+ *
+ * Requires:
+ *
+ * 't' and 'i' are valid pointers.
+ *
+ * Returns:
+ *
+ * Success
+ * Unexpected error
+ * Getting the time from the system failed.
+ * Out of range
+ * The interval added to the time from the system is too large to
+ * be represented in the current definition of isc_time_t.
+ */
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Compare the times referenced by 't1' and 't2'
+ *
+ * Requires:
+ *
+ * 't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ *
+ * -1 t1 < t2 (comparing times, not pointers)
+ * 0 t1 = t2
+ * 1 t1 > t2
+ */
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
+/*
+ * Add 'i' to 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ * 't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * Success
+ * Out of range
+ * The interval added to the time is too large to
+ * be represented in the current definition of isc_time_t.
+ */
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+ isc_time_t *result);
+/*
+ * Subtract 'i' from 't', storing the result in 'result'.
+ *
+ * Requires:
+ *
+ * 't', 'i', and 'result' are valid pointers.
+ *
+ * Returns:
+ * Success
+ * Out of range
+ * The interval is larger than the time since the epoch.
+ */
+
+isc_uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2);
+/*
+ * Find the difference in microseconds between time t1 and time t2.
+ * t2 is the subtrahend of t1; ie, difference = t1 - t2.
+ *
+ * Requires:
+ *
+ * 't1' and 't2' are valid pointers.
+ *
+ * Returns:
+ * The difference of t1 - t2, or 0 if t1 <= t2.
+ */
+
+isc_uint32_t
+isc_time_seconds(const isc_time_t *t);
+/*
+ * Return the number of seconds since the epoch stored in a time structure.
+ *
+ * Requires:
+ *
+ * 't' is a valid pointer.
+ */
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp);
+/*
+ * Ensure the number of seconds in an isc_time_t is representable by a time_t.
+ *
+ * Notes:
+ * The number of seconds stored in an isc_time_t might be larger
+ * than the number of seconds a time_t is able to handle. Since
+ * time_t is mostly opaque according to the ANSI/ISO standard
+ * (essentially, all you can be sure of is that it is an arithmetic type,
+ * not even necessarily integral), it can be tricky to ensure that
+ * the isc_time_t is in the range a time_t can handle. Use this
+ * function in place of isc_time_seconds() any time you need to set a
+ * time_t from an isc_time_t.
+ *
+ * Requires:
+ * 't' is a valid pointer.
+ *
+ * Returns:
+ * Success
+ * Out of range
+ */
+
+isc_uint32_t
+isc_time_nanoseconds(const isc_time_t *t);
+/*
+ * Return the number of nanoseconds stored in a time structure.
+ *
+ * Notes:
+ * This is the number of nanoseconds in excess of the the number
+ * of seconds since the epoch; it will always be less than one
+ * full second.
+ *
+ * Requires:
+ * 't' is a valid pointer.
+ *
+ * Ensures:
+ * The returned value is less than 1*10^9.
+ */
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "30-Aug-2000 04:06:47.997" and the local time zone.
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ * Requires:
+ * 'len' > 0
+ * 'buf' points to an array of at least len chars
+ *
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_TIME_H */
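Review bot: The Requires block of isc_interval_set() names a parameter the function does not have: it says `'t' is a valid pointer.` while the argument is `i`, so it should read `'i' is a valid pointer.`. The equivalence sketch under isc_time_set() likewise uses `i` without saying it stands for a caller-supplied isc_interval_t. Both structs store seconds as `unsigned int` and isc_time_seconds() returns isc_uint32_t, so a sentence on the representable range next to the "Out of range" results would help callers that convert to or compare against time_t.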
diff --git a/contrib/bind9/lib/isc/unix/interfaceiter.c b/contrib/bind9/lib/isc/unix/interfaceiter.c
new file mode 100644
index 0000000..9520bdeb
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/interfaceiter.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: interfaceiter.c,v 1.22.2.1.10.14 2004/08/28 06:25:22 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/ioctl.h>
+#ifdef HAVE_SYS_SOCKIO_H
+#include <sys/sockio.h> /* Required for ifiter_ioctl.c. */
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <isc/interfaceiter.h>
+#include <isc/log.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/types.h>
+#include <isc/util.h>
+
+/* Must follow <isc/net.h>. */
+#ifdef HAVE_NET_IF6_H
+#include <net/if6.h>
+#endif
+#include <net/if.h>
+
+/* Common utility functions */
+
+/*
+ * Extract the network address part from a "struct sockaddr".
+ *
+ * The address family is given explicitly
+ * instead of using src->sa_family, because the latter does not work
+ * for copying a network mask obtained by SIOCGIFNETMASK (it does
+ * not have a valid address family).
+ */
+
+static void
+get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
+ char *ifname)
+{
+ struct sockaddr_in6 *sa6;
+
+#if !defined(ISC_PLATFORM_HAVEIFNAMETOINDEX) || \
+ !defined(ISC_PLATFORM_HAVESCOPEID)
+ UNUSED(ifname);
+#endif
+
+ /* clear any remaining value for safety */
+ memset(dst, 0, sizeof(*dst));
+
+ dst->family = family;
+ switch (family) {
+ case AF_INET:
+ memcpy(&dst->type.in,
+ &((struct sockaddr_in *) src)->sin_addr,
+ sizeof(struct in_addr));
+ break;
+ case AF_INET6:
+ sa6 = (struct sockaddr_in6 *)src;
+ memcpy(&dst->type.in6, &sa6->sin6_addr,
+ sizeof(struct in6_addr));
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ if (sa6->sin6_scope_id != 0)
+ isc_netaddr_setzone(dst, sa6->sin6_scope_id);
+ else {
+ /*
+ * BSD variants embed scope zone IDs in the 128bit
+ * address as a kernel internal form. Unfortunately,
+ * the embedded IDs are not hidden from applications
+ * when getting access to them by sysctl or ioctl.
+ * We convert the internal format to the pure address
+ * part and the zone ID part.
+ * Since multicast addresses should not appear here
+ * and they cannot be distinguished from netmasks,
+ * we only consider unicast link-local addresses.
+ */
+ if (IN6_IS_ADDR_LINKLOCAL(&sa6->sin6_addr)) {
+ isc_uint16_t zone16;
+
+ memcpy(&zone16, &sa6->sin6_addr.s6_addr[2],
+ sizeof(zone16));
+ zone16 = ntohs(zone16);
+ if (zone16 != 0) {
+ /* the zone ID is embedded */
+ isc_netaddr_setzone(dst,
+ (isc_uint32_t)zone16);
+ dst->type.in6.s6_addr[2] = 0;
+ dst->type.in6.s6_addr[3] = 0;
+#ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+ } else if (ifname != NULL) {
+ unsigned int zone;
+
+ /*
+ * sin6_scope_id is still not provided,
+ * but the corresponding interface name
+ * is know. Use the interface ID as
+ * the link ID.
+ */
+ zone = if_nametoindex(ifname);
+ if (zone != 0) {
+ isc_netaddr_setzone(dst,
+ (isc_uint32_t)zone);
+ }
+#endif
+ }
+ }
+ }
+#endif
+ break;
+ default:
+ INSIST(0);
+ break;
+ }
+}
+
+/*
+ * Include system-dependent code.
+ */
+
+#if HAVE_GETIFADDRS
+#include "ifiter_getifaddrs.c"
+#elif HAVE_IFLIST_SYSCTL
+#include "ifiter_sysctl.c"
+#else
+#include "ifiter_ioctl.c"
+#endif
+
+/*
+ * The remaining code is common to the sysctl and ioctl case.
+ */
+
+isc_result_t
+isc_interfaceiter_current(isc_interfaceiter_t *iter,
+ isc_interface_t *ifdata)
+{
+ REQUIRE(iter->result == ISC_R_SUCCESS);
+ memcpy(ifdata, &iter->current, sizeof(*ifdata));
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_interfaceiter_first(isc_interfaceiter_t *iter) {
+ isc_result_t result;
+
+ REQUIRE(VALID_IFITER(iter));
+
+ internal_first(iter);
+ for (;;) {
+ result = internal_current(iter);
+ if (result != ISC_R_IGNORE)
+ break;
+ result = internal_next(iter);
+ if (result != ISC_R_SUCCESS)
+ break;
+ }
+ iter->result = result;
+ return (result);
+}
+
+isc_result_t
+isc_interfaceiter_next(isc_interfaceiter_t *iter) {
+ isc_result_t result;
+
+ REQUIRE(VALID_IFITER(iter));
+ REQUIRE(iter->result == ISC_R_SUCCESS);
+
+ for (;;) {
+ result = internal_next(iter);
+ if (result != ISC_R_SUCCESS)
+ break;
+ result = internal_current(iter);
+ if (result != ISC_R_IGNORE)
+ break;
+ }
+ iter->result = result;
+ return (result);
+}
+
+void
+isc_interfaceiter_destroy(isc_interfaceiter_t **iterp)
+{
+ isc_interfaceiter_t *iter;
+ REQUIRE(iterp != NULL);
+ iter = *iterp;
+ REQUIRE(VALID_IFITER(iter));
+
+ internal_destroy(iter);
+ if (iter->buf != NULL)
+ isc_mem_put(iter->mctx, iter->buf, iter->bufsize);
+
+ iter->magic = 0;
+ isc_mem_put(iter->mctx, iter, sizeof(*iter));
+ *iterp = NULL;
+}
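Review bot: isc_interfaceiter_current() reads `iter->result` and writes through `ifdata` without the validation its siblings perform: isc_interfaceiter_first(), isc_interfaceiter_next() and isc_interfaceiter_destroy() all begin with `REQUIRE(VALID_IFITER(iter));`. Adding `REQUIRE(VALID_IFITER(iter));` and `REQUIRE(ifdata != NULL);` ahead of the existing REQUIRE would stop a destroyed iterator (destroy zeroes `magic` before freeing) or a NULL output pointer before the memcpy runs. VALID_IFITER is defined outside this hunk, presumably in the included ifiter_*.c file.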
diff --git a/contrib/bind9/lib/isc/unix/ipv6.c b/contrib/bind9/lib/isc/unix/ipv6.c
new file mode 100644
index 0000000..25e0c57
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/ipv6.c
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ipv6.c,v 1.7.206.1 2004/03/06 08:15:00 marka Exp $ */
+
+#include <isc/ipv6.h>
+
+const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+const struct in6_addr in6addr_loopback = IN6ADDR_LOOPBACK_INIT;
diff --git a/contrib/bind9/lib/isc/unix/keyboard.c b/contrib/bind9/lib/isc/unix/keyboard.c
new file mode 100644
index 0000000..146338a
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/keyboard.c
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keyboard.c,v 1.9.12.3 2004/03/08 09:04:56 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <termios.h>
+#include <unistd.h>
+#include <fcntl.h>
+
+#include <isc/keyboard.h>
+#include <isc/util.h>
+
+isc_result_t
+isc_keyboard_open(isc_keyboard_t *keyboard) {
+ int fd;
+ isc_result_t ret;
+ struct termios current_mode;
+
+ REQUIRE(keyboard != NULL);
+
+ fd = open("/dev/tty", O_RDONLY, 0);
+ if (fd < 0)
+ return (ISC_R_IOERROR);
+
+ keyboard->fd = fd;
+
+ if (tcgetattr(fd, &keyboard->saved_mode) < 0) {
+ ret = ISC_R_IOERROR;
+ goto errout;
+ }
+
+ current_mode = keyboard->saved_mode;
+
+ current_mode.c_iflag &=
+ ~(IGNBRK|BRKINT|PARMRK|ISTRIP|INLCR|IGNCR|ICRNL|IXON);
+ current_mode.c_oflag &= ~OPOST;
+ current_mode.c_lflag &= ~(ECHO|ECHONL|ICANON|ISIG|IEXTEN);
+ current_mode.c_cflag &= ~(CSIZE|PARENB);
+ current_mode.c_cflag |= CS8;
+
+ current_mode.c_cc[VMIN] = 1;
+ current_mode.c_cc[VTIME] = 0;
+ if (tcsetattr(fd, TCSAFLUSH, &current_mode) < 0) {
+ ret = ISC_R_IOERROR;
+ goto errout;
+ }
+
+ keyboard->result = ISC_R_SUCCESS;
+
+ return (ISC_R_SUCCESS);
+
+ errout:
+ close (fd);
+
+ return (ret);
+}
+
+isc_result_t
+isc_keyboard_close(isc_keyboard_t *keyboard, unsigned int sleeptime) {
+ REQUIRE(keyboard != NULL);
+
+ if (sleeptime > 0 && keyboard->result != ISC_R_CANCELED)
+ (void)sleep(sleeptime);
+
+ (void)tcsetattr(keyboard->fd, TCSAFLUSH, &keyboard->saved_mode);
+ (void)close(keyboard->fd);
+
+ keyboard->fd = -1;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_keyboard_getchar(isc_keyboard_t *keyboard, unsigned char *cp) {
+ ssize_t cc;
+ unsigned char c;
+ cc_t *controlchars;
+
+ REQUIRE(keyboard != NULL);
+ REQUIRE(cp != NULL);
+
+ cc = read(keyboard->fd, &c, 1);
+ if (cc < 0) {
+ keyboard->result = ISC_R_IOERROR;
+ return (keyboard->result);
+ }
+
+ controlchars = keyboard->saved_mode.c_cc;
+ if (c == controlchars[VINTR] || c == controlchars[VQUIT]) {
+ keyboard->result = ISC_R_CANCELED;
+ return (keyboard->result);
+ }
+
+ *cp = c;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+isc_keyboard_canceled(isc_keyboard_t *keyboard) {
+ return (ISC_TF(keyboard->result == ISC_R_CANCELED));
+}
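Review bot: isc_keyboard_getchar() treats only `cc < 0` as a failure, so a read() that returns 0 (end of file on the terminal) falls through with `c` never written. The uninitialised byte is then compared with the VINTR/VQUIT characters and stored in `*cp` as if it were a keystroke, with ISC_R_SUCCESS returned. Changing the test to `if (cc <= 0) {` reports that case through the existing ISC_R_IOERROR path. Separately, isc_keyboard_open() leaves `keyboard->fd` pointing at the closed descriptor on the `errout` path; setting it to -1 there, as isc_keyboard_close() does, would make a later close on the failed object harmless.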
diff --git a/contrib/bind9/lib/isc/unix/net.c b/contrib/bind9/lib/isc/unix/net.c
new file mode 100644
index 0000000..05f4121
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/net.c
@@ -0,0 +1,344 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: net.c,v 1.22.2.2.10.7 2004/04/29 01:31:22 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/log.h>
+#include <isc/msgs.h>
+#include <isc/net.h>
+#include <isc/once.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRANY)
+const struct in6_addr isc_net_in6addrany = IN6ADDR_ANY_INIT;
+#endif
+
+#if defined(ISC_PLATFORM_HAVEIPV6) && defined(ISC_PLATFORM_NEEDIN6ADDRLOOPBACK)
+const struct in6_addr isc_net_in6addrloop = IN6ADDR_LOOPBACK_INIT;
+#endif
+
+static isc_once_t once = ISC_ONCE_INIT;
+static isc_once_t once_ipv6only = ISC_ONCE_INIT;
+static isc_once_t once_ipv6pktinfo = ISC_ONCE_INIT;
+static isc_result_t ipv4_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6only_result = ISC_R_NOTFOUND;
+static isc_result_t ipv6pktinfo_result = ISC_R_NOTFOUND;
+
+static isc_result_t
+try_proto(int domain) {
+ int s;
+ isc_result_t result = ISC_R_SUCCESS;
+ char strbuf[ISC_STRERRORSIZE];
+
+ s = socket(domain, SOCK_STREAM, 0);
+ if (s == -1) {
+ switch (errno) {
+#ifdef EAFNOSUPPORT
+ case EAFNOSUPPORT:
+#endif
+#ifdef EPROTONOSUPPORT
+ case EPROTONOSUPPORT:
+#endif
+#ifdef EINVAL
+ case EINVAL:
+#endif
+ return (ISC_R_NOTFOUND);
+ default:
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "socket() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ }
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+ if (domain == PF_INET6) {
+ struct sockaddr_in6 sin6;
+ unsigned int len;
+
+ /*
+ * Check to see if IPv6 is broken, as is common on Linux.
+ */
+ len = sizeof(sin6);
+ if (getsockname(s, (struct sockaddr *)&sin6, (void *)&len) < 0)
+ {
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+ "retrieving the address of an IPv6 "
+ "socket from the kernel failed.");
+ isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+ "IPv6 is not supported.");
+ result = ISC_R_NOTFOUND;
+ } else {
+ if (len == sizeof(struct sockaddr_in6))
+ result = ISC_R_SUCCESS;
+ else {
+ isc_log_write(isc_lctx,
+ ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET,
+ ISC_LOG_ERROR,
+ "IPv6 structures in kernel and "
+ "user space do not match.");
+ isc_log_write(isc_lctx,
+ ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET,
+ ISC_LOG_ERROR,
+ "IPv6 is not supported.");
+ result = ISC_R_NOTFOUND;
+ }
+ }
+ }
+#endif
+#endif
+#endif
+
+ (void)close(s);
+
+ return (result);
+}
+
+static void
+initialize_action(void) {
+ ipv4_result = try_proto(PF_INET);
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+#ifdef ISC_PLATFORM_HAVEIN6PKTINFO
+ ipv6_result = try_proto(PF_INET6);
+#endif
+#endif
+#endif
+}
+
+static void
+initialize(void) {
+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_net_probeipv4(void) {
+ initialize();
+ return (ipv4_result);
+}
+
+isc_result_t
+isc_net_probeipv6(void) {
+ initialize();
+ return (ipv6_result);
+}
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+static void
+try_ipv6only(void) {
+#ifdef IPV6_V6ONLY
+ int s, on;
+ char strbuf[ISC_STRERRORSIZE];
+#endif
+ isc_result_t result;
+
+ result = isc_net_probeipv6();
+ if (result != ISC_R_SUCCESS) {
+ ipv6only_result = result;
+ return;
+ }
+
+#ifndef IPV6_V6ONLY
+ ipv6only_result = ISC_R_NOTFOUND;
+ return;
+#else
+ /* check for TCP sockets */
+ s = socket(PF_INET6, SOCK_STREAM, 0);
+ if (s == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "socket() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ ipv6only_result = ISC_R_UNEXPECTED;
+ return;
+ }
+
+ on = 1;
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+ ipv6only_result = ISC_R_NOTFOUND;
+ goto close;
+ }
+
+ close(s);
+
+ /* check for UDP sockets */
+ s = socket(PF_INET6, SOCK_DGRAM, 0);
+ if (s == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "socket() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ ipv6only_result = ISC_R_UNEXPECTED;
+ return;
+ }
+
+ on = 1;
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on)) < 0) {
+ ipv6only_result = ISC_R_NOTFOUND;
+ goto close;
+ }
+
+ close(s);
+
+ ipv6only_result = ISC_R_SUCCESS;
+
+close:
+ close(s);
+ return;
+#endif /* IPV6_V6ONLY */
+}
+
+static void
+initialize_ipv6only(void) {
+ RUNTIME_CHECK(isc_once_do(&once_ipv6only,
+ try_ipv6only) == ISC_R_SUCCESS);
+}
+#endif /* IPV6_V6ONLY */
+
+static void
+try_ipv6pktinfo(void) {
+ int s, on;
+ char strbuf[ISC_STRERRORSIZE];
+ isc_result_t result;
+ int optname;
+
+ result = isc_net_probeipv6();
+ if (result != ISC_R_SUCCESS) {
+ ipv6pktinfo_result = result;
+ return;
+ }
+
+ /* we only use this for UDP sockets */
+ s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+ if (s == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "socket() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ ipv6pktinfo_result = ISC_R_UNEXPECTED;
+ return;
+ }
+
+#ifdef IPV6_RECVPKTINFO
+ optname = IPV6_RECVPKTINFO;
+#else
+ optname = IPV6_PKTINFO;
+#endif
+ on = 1;
+ if (setsockopt(s, IPPROTO_IPV6, optname, &on, sizeof(on)) < 0) {
+ ipv6pktinfo_result = ISC_R_NOTFOUND;
+ goto close;
+ }
+
+ close(s);
+ ipv6pktinfo_result = ISC_R_SUCCESS;
+
+close:
+ close(s);
+ return;
+}
+
+static void
+initialize_ipv6pktinfo(void) {
+ RUNTIME_CHECK(isc_once_do(&once_ipv6pktinfo,
+ try_ipv6pktinfo) == ISC_R_SUCCESS);
+}
+#endif /* WANT_IPV6 */
+
+isc_result_t
+isc_net_probe_ipv6only(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+ initialize_ipv6only();
+#else
+ ipv6only_result = ISC_R_NOTFOUND;
+#endif
+#endif
+ return (ipv6only_result);
+}
+
+isc_result_t
+isc_net_probe_ipv6pktinfo(void) {
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifdef WANT_IPV6
+ initialize_ipv6pktinfo();
+#else
+ ipv6pktinfo_result = ISC_R_NOTFOUND;
+#endif
+#endif
+ return (ipv6pktinfo_result);
+}
+
+void
+isc_net_disableipv4(void) {
+ initialize();
+ if (ipv4_result == ISC_R_SUCCESS)
+ ipv4_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_disableipv6(void) {
+ initialize();
+ if (ipv6_result == ISC_R_SUCCESS)
+ ipv6_result = ISC_R_DISABLED;
+}
+
+void
+isc_net_enableipv4(void) {
+ initialize();
+ if (ipv4_result == ISC_R_DISABLED)
+ ipv4_result = ISC_R_SUCCESS;
+}
+
+void
+isc_net_enableipv6(void) {
+ initialize();
+ if (ipv6_result == ISC_R_DISABLED)
+ ipv6_result = ISC_R_SUCCESS;
+}
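Review bot: try_ipv6only() and try_ipv6pktinfo() close the probe socket twice on the success path: each calls `close(s);` just before storing ISC_R_SUCCESS and then falls through into the `close:` label, which calls `close(s)` again. The second call normally just fails with EBADF, but in a threaded process the descriptor number can be reassigned between the two calls, and the second close would then shut a descriptor this code does not own. Dropping the `close(s);` that directly precedes `ipv6only_result = ISC_R_SUCCESS;` and `ipv6pktinfo_result = ISC_R_SUCCESS;` leaves the label as the single exit. The earlier `close(s);` after the TCP check in try_ipv6only() has to stay, because `s` is reused for the UDP socket.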
diff --git a/contrib/bind9/lib/isc/unix/os.c b/contrib/bind9/lib/isc/unix/os.c
new file mode 100644
index 0000000..0838e12
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/os.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.11.12.4 2004/05/18 01:39:20 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/os.h>
+
+
+#ifdef HAVE_SYSCONF
+
+#include <unistd.h>
+
+static inline long
+sysconf_ncpus(void) {
+#if defined(_SC_NPROCESSORS_ONLN)
+ return sysconf((_SC_NPROCESSORS_ONLN));
+#elif defined(_SC_NPROC_ONLN)
+ return sysconf((_SC_NPROC_ONLN));
+#else
+ return (0);
+#endif
+}
+#endif /* HAVE_SYSCONF */
+
+
+#ifdef __hpux
+
+#include <sys/pstat.h>
+
+static inline int
+hpux_ncpus(void) {
+ struct pst_dynamic psd;
+ if (pstat_getdynamic(&psd, sizeof(psd), 1, 0) != -1)
+ return (psd.psd_proc_cnt);
+ else
+ return (0);
+}
+
+#endif /* __hpux */
+
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+#include <sys/types.h> /* for FreeBSD */
+#include <sys/param.h> /* for NetBSD */
+#include <sys/sysctl.h>
+
+static int
+sysctl_ncpus(void) {
+ int ncpu, result;
+ size_t len;
+
+ len = sizeof(ncpu);
+ result = sysctlbyname("hw.ncpu", &ncpu, &len , 0, 0);
+ if (result != -1)
+ return (ncpu);
+ return (0);
+}
+#endif
+
+unsigned int
+isc_os_ncpus(void) {
+ long ncpus = 0;
+
+#ifdef __hpux
+ ncpus = hpux_ncpus();
+#elif defined(HAVE_SYSCONF)
+ ncpus = sysconf_ncpus();
+#endif
+#if defined(HAVE_SYS_SYSCTL_H) && defined(HAVE_SYSCTLBYNAME)
+ if (ncpus <= 0)
+ ncpus = sysctl_ncpus();
+#endif
+ if (ncpus <= 0)
+ ncpus = 1;
+
+ return ((unsigned int)ncpus);
+}
diff --git a/contrib/bind9/lib/isc/unix/resource.c b/contrib/bind9/lib/isc/unix/resource.c
new file mode 100644
index 0000000..b6faf32
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/resource.c
@@ -0,0 +1,204 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: resource.c,v 1.11.206.1 2004/03/06 08:15:01 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/time.h> /* Required on some systems for <sys/resource.h>. */
+#include <sys/resource.h>
+
+#include <isc/platform.h>
+#include <isc/resource.h>
+#include <isc/result.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+static isc_result_t
+resource2rlim(isc_resource_t resource, int *rlim_resource) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ switch (resource) {
+ case isc_resource_coresize:
+ *rlim_resource = RLIMIT_CORE;
+ break;
+ case isc_resource_cputime:
+ *rlim_resource = RLIMIT_CPU;
+ break;
+ case isc_resource_datasize:
+ *rlim_resource = RLIMIT_DATA;
+ break;
+ case isc_resource_filesize:
+ *rlim_resource = RLIMIT_FSIZE;
+ break;
+ case isc_resource_lockedmemory:
+#ifdef RLIMIT_MEMLOCK
+ *rlim_resource = RLIMIT_MEMLOCK;
+#else
+ result = ISC_R_NOTIMPLEMENTED;
+#endif
+ break;
+ case isc_resource_openfiles:
+#ifdef RLIMIT_NOFILE
+ *rlim_resource = RLIMIT_NOFILE;
+#else
+ result = ISC_R_NOTIMPLEMENTED;
+#endif
+ break;
+ case isc_resource_processes:
+#ifdef RLIMIT_NPROC
+ *rlim_resource = RLIMIT_NPROC;
+#else
+ result = ISC_R_NOTIMPLEMENTED;
+#endif
+ break;
+ case isc_resource_residentsize:
+#ifdef RLIMIT_RSS
+ *rlim_resource = RLIMIT_RSS;
+#else
+ result = ISC_R_NOTIMPLEMENTED;
+#endif
+ break;
+ case isc_resource_stacksize:
+ *rlim_resource = RLIMIT_STACK;
+ break;
+ default:
+ /*
+ * This test is not very robust if isc_resource_t
+ * changes, but generates a clear assertion message.
+ */
+ REQUIRE(resource >= isc_resource_coresize &&
+ resource <= isc_resource_stacksize);
+
+ result = ISC_R_RANGE;
+ break;
+ }
+
+ return (result);
+}
+
+isc_result_t
+isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
+ struct rlimit rl;
+ ISC_PLATFORM_RLIMITTYPE rlim_value;
+ int unixresult;
+ int unixresource;
+ isc_result_t result;
+
+ result = resource2rlim(resource, &unixresource);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (value == ISC_RESOURCE_UNLIMITED)
+ rlim_value = RLIM_INFINITY;
+
+ else {
+ /*
+ * isc_resourcevalue_t was chosen as an unsigned 64 bit
+ * integer so that it could contain the maximum range of
+ * reasonable values. Unfortunately, this exceeds the typical
+ * range on Unix systems. Ensure the range of
+ * ISC_PLATFORM_RLIMITTYPE is not overflowed.
+ */
+ isc_resourcevalue_t rlim_max;
+ isc_boolean_t rlim_t_is_signed =
+ ISC_TF(((double)(ISC_PLATFORM_RLIMITTYPE)-1) < 0);
+
+ if (rlim_t_is_signed)
+ rlim_max = ~((ISC_PLATFORM_RLIMITTYPE)1 <<
+ (sizeof(ISC_PLATFORM_RLIMITTYPE) * 8 - 1));
+ else
+ rlim_max = (ISC_PLATFORM_RLIMITTYPE)-1;
+
+ if (value > rlim_max)
+ value = rlim_max;
+
+ rlim_value = value;
+ }
+
+ /*
+ * The BIND 8 documentation reports:
+ *
+ * Note: on some operating systems the server cannot set an
+ * unlimited value and cannot determine the maximum number of
+ * open files the kernel can support. On such systems, choosing
+ * unlimited will cause the server to use the larger of the
+ * rlim_max for RLIMIT_NOFILE and the value returned by
+ * sysconf(_SC_OPEN_MAX). If the actual kernel limit is larger
+ * than this value, use limit files to specify the limit
+ * explicitly.
+ *
+ * The CHANGES for 8.1.2-T3A also mention:
+ *
+ * 352. [bug] Because of problems with setting an infinite
+ * rlim_max for RLIMIT_NOFILE on some systems, previous versions
+ * of the server implemented "limit files unlimited" by setting
+ * the limit to the value returned by sysconf(_SC_OPEN_MAX). The
+ * server will now use RLIM_INFINITY on systems which allow it.
+ *
+ * At some point the BIND 8 server stopped using SC_OPEN_MAX for this
+ * purpose at all, but it isn't clear to me when or why, as my access
+ * to the CVS archive is limited at the time of this writing. What
+ * BIND 8 *does* do is to set RLIMIT_NOFILE to either RLIMIT_INFINITY
+ * on a half dozen operating systems or to FD_SETSIZE on the rest,
+ * the latter of which is probably fewer than the real limit. (Note
+ * that libisc's socket module will have problems with any fd over
+ * FD_SETSIZE. This should be fixed in the socket module, not a
+ * limitation here. BIND 8's eventlib also has a problem, making
+ * its RLIMIT_INFINITY setting useless, because it closes and ignores
+ * any fd over FD_SETSIZE.)
+ *
+ * More troubling is the reference to some operating systems not being
+ * able to set an unlimited value for the number of open files. I'd
+ * hate to put in code that is really only there to support archaic
+ * systems that the rest of libisc won't work on anyway. So what this
+ * extremely verbose comment is here to say is the following:
+ *
+ * I'm aware there might be an issue with not limiting the value
+ * for RLIMIT_NOFILE on some systems, but since I don't know yet
+ * what those systems are and what the best workaround is (use
+ * sysconf()? rlim_max from getrlimit()? FD_SETSIZE?) so nothing
+ * is currently being done to clamp the value for open files.
+ */
+
+ rl.rlim_cur = rl.rlim_max = rlim_value;
+ unixresult = setrlimit(unixresource, &rl);
+
+ if (unixresult == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_resource_getlimit(isc_resource_t resource, isc_resourcevalue_t *value) {
+ int unixresult;
+ int unixresource;
+ struct rlimit rl;
+ isc_result_t result;
+
+ result = resource2rlim(resource, &unixresource);
+ if (result == ISC_R_SUCCESS) {
+ unixresult = getrlimit(unixresource, &rl);
+ INSIST(unixresult == 0);
+ *value = rl.rlim_max;
+ }
+
+ return (result);
+}
diff --git a/contrib/bind9/lib/isc/unix/socket.c b/contrib/bind9/lib/isc/unix/socket.c
new file mode 100644
index 0000000..5ab1adf
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/socket.c
@@ -0,0 +1,3505 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: socket.c,v 1.207.2.19.2.13 2004/07/01 04:51:15 marka Exp $ */
+
+#include <config.h>
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/uio.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/bufferlist.h>
+#include <isc/condition.h>
+#include <isc/formatcheck.h>
+#include <isc/list.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/msgs.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/region.h>
+#include <isc/socket.h>
+#include <isc/strerror.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include "errno2result.h"
+
+#ifndef ISC_PLATFORM_USETHREADS
+#include "socket_p.h"
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t. This is here so it can be easily changed if needed.
+ */
+#ifndef ISC_SOCKADDR_LEN_T
+#ifdef _BSD_SOCKLEN_T_
+#define ISC_SOCKADDR_LEN_T _BSD_SOCKLEN_T_
+#else
+#define ISC_SOCKADDR_LEN_T unsigned int
+#endif
+#endif
+
+/*
+ * Define what the possible "soft" errors can be. These are non-fatal returns
+ * of various network related functions, like recv() and so on.
+ *
+ * For some reason, BSDI (and perhaps others) will sometimes return <0
+ * from recv() but will have errno==0. This is broken, but we have to
+ * work around it here.
+ */
+#define SOFT_ERROR(e) ((e) == EAGAIN || \
+ (e) == EWOULDBLOCK || \
+ (e) == EINTR || \
+ (e) == 0)
+
+#define DLVL(x) ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_SOCKET, ISC_LOG_DEBUG(x)
+
+/*
+ * DLVL(90) -- Function entry/exit and other tracing.
+ * DLVL(70) -- Socket "correctness" -- including returning of events, etc.
+ * DLVL(60) -- Socket data send/receive
+ * DLVL(50) -- Event tracing, including receiving/sending completion events.
+ * DLVL(20) -- Socket creation/destruction.
+ */
+#define TRACE_LEVEL 90
+#define CORRECTNESS_LEVEL 70
+#define IOEVENT_LEVEL 60
+#define EVENT_LEVEL 50
+#define CREATION_LEVEL 20
+
+#define TRACE DLVL(TRACE_LEVEL)
+#define CORRECTNESS DLVL(CORRECTNESS_LEVEL)
+#define IOEVENT DLVL(IOEVENT_LEVEL)
+#define EVENT DLVL(EVENT_LEVEL)
+#define CREATION DLVL(CREATION_LEVEL)
+
+typedef isc_event_t intev_t;
+
+#define SOCKET_MAGIC ISC_MAGIC('I', 'O', 'i', 'o')
+#define VALID_SOCKET(t) ISC_MAGIC_VALID(t, SOCKET_MAGIC)
+
+/*
+ * IPv6 control information. If the socket is an IPv6 socket we want
+ * to collect the destination address and interface so the client can
+ * set them on outgoing packets.
+ */
+#ifdef ISC_PLATFORM_HAVEIPV6
+#ifndef USE_CMSG
+#define USE_CMSG 1
+#endif
+#endif
+
+/*
+ * NetBSD and FreeBSD can timestamp packets. XXXMLG Should we have
+ * a setsockopt() like interface to request timestamps, and if the OS
+ * doesn't do it for us, call gettimeofday() on every UDP receive?
+ */
+#ifdef SO_TIMESTAMP
+#ifndef USE_CMSG
+#define USE_CMSG 1
+#endif
+#endif
+
+/*
+ * The number of times a send operation is repeated if the result is EINTR.
+ */
+#define NRETRIES 10
+
+struct isc_socket {
+ /* Not locked. */
+ unsigned int magic;
+ isc_socketmgr_t *manager;
+ isc_mutex_t lock;
+ isc_sockettype_t type;
+
+ /* Locked by socket lock. */
+ ISC_LINK(isc_socket_t) link;
+ unsigned int references;
+ int fd;
+ int pf;
+
+ ISC_LIST(isc_socketevent_t) send_list;
+ ISC_LIST(isc_socketevent_t) recv_list;
+ ISC_LIST(isc_socket_newconnev_t) accept_list;
+ isc_socket_connev_t *connect_ev;
+
+ /*
+ * Internal events. Posted when a descriptor is readable or
+ * writable. These are statically allocated and never freed.
+ * They will be set to non-purgable before use.
+ */
+ intev_t readable_ev;
+ intev_t writable_ev;
+
+ isc_sockaddr_t address; /* remote address */
+
+ unsigned int pending_recv : 1,
+ pending_send : 1,
+ pending_accept : 1,
+ listener : 1, /* listener socket */
+ connected : 1,
+ connecting : 1, /* connect pending */
+ bound : 1; /* bound to local addr */
+
+#ifdef ISC_NET_RECVOVERFLOW
+ unsigned char overflow; /* used for MSG_TRUNC fake */
+#endif
+
+ char *recvcmsgbuf;
+ ISC_SOCKADDR_LEN_T recvcmsgbuflen;
+ char *sendcmsgbuf;
+ ISC_SOCKADDR_LEN_T sendcmsgbuflen;
+};
+
+#define SOCKET_MANAGER_MAGIC ISC_MAGIC('I', 'O', 'm', 'g')
+#define VALID_MANAGER(m) ISC_MAGIC_VALID(m, SOCKET_MANAGER_MAGIC)
+
+struct isc_socketmgr {
+ /* Not locked. */
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_mutex_t lock;
+ /* Locked by manager lock. */
+ ISC_LIST(isc_socket_t) socklist;
+ fd_set read_fds;
+ fd_set write_fds;
+ isc_socket_t *fds[FD_SETSIZE];
+ int fdstate[FD_SETSIZE];
+ int maxfd;
+#ifdef ISC_PLATFORM_USETHREADS
+ isc_thread_t watcher;
+ isc_condition_t shutdown_ok;
+ int pipe_fds[2];
+#else /* ISC_PLATFORM_USETHREADS */
+ unsigned int refs;
+#endif /* ISC_PLATFORM_USETHREADS */
+};
+
+#ifndef ISC_PLATFORM_USETHREADS
+static isc_socketmgr_t *socketmgr = NULL;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+#define CLOSED 0 /* this one must be zero */
+#define MANAGED 1
+#define CLOSE_PENDING 2
+
+/*
+ * send() and recv() iovec counts
+ */
+#define MAXSCATTERGATHER_SEND (ISC_SOCKET_MAXSCATTERGATHER)
+#ifdef ISC_NET_RECVOVERFLOW
+# define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER + 1)
+#else
+# define MAXSCATTERGATHER_RECV (ISC_SOCKET_MAXSCATTERGATHER)
+#endif
+
+static void send_recvdone_event(isc_socket_t *, isc_socketevent_t **);
+static void send_senddone_event(isc_socket_t *, isc_socketevent_t **);
+static void free_socket(isc_socket_t **);
+static isc_result_t allocate_socket(isc_socketmgr_t *, isc_sockettype_t,
+ isc_socket_t **);
+static void destroy(isc_socket_t **);
+static void internal_accept(isc_task_t *, isc_event_t *);
+static void internal_connect(isc_task_t *, isc_event_t *);
+static void internal_recv(isc_task_t *, isc_event_t *);
+static void internal_send(isc_task_t *, isc_event_t *);
+static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
+static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
+ struct msghdr *, struct iovec *, size_t *);
+static void build_msghdr_recv(isc_socket_t *, isc_socketevent_t *,
+ struct msghdr *, struct iovec *, size_t *);
+
+#define SELECT_POKE_SHUTDOWN (-1)
+#define SELECT_POKE_NOTHING (-2)
+#define SELECT_POKE_READ (-3)
+#define SELECT_POKE_ACCEPT (-3) /* Same as _READ */
+#define SELECT_POKE_WRITE (-4)
+#define SELECT_POKE_CONNECT (-4) /* Same as _WRITE */
+#define SELECT_POKE_CLOSE (-5)
+
+#define SOCK_DEAD(s) ((s)->references == 0)
+
+static void
+manager_log(isc_socketmgr_t *sockmgr,
+ isc_logcategory_t *category, isc_logmodule_t *module, int level,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(5, 6);
+static void
+manager_log(isc_socketmgr_t *sockmgr,
+ isc_logcategory_t *category, isc_logmodule_t *module, int level,
+ const char *fmt, ...)
+{
+ char msgbuf[2048];
+ va_list ap;
+
+ if (! isc_log_wouldlog(isc_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ va_end(ap);
+
+ isc_log_write(isc_lctx, category, module, level,
+ "sockmgr %p: %s", sockmgr, msgbuf);
+}
+
+static void
+socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+ isc_logcategory_t *category, isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(9, 10);
+static void
+socket_log(isc_socket_t *sock, isc_sockaddr_t *address,
+ isc_logcategory_t *category, isc_logmodule_t *module, int level,
+ isc_msgcat_t *msgcat, int msgset, int message,
+ const char *fmt, ...)
+{
+ char msgbuf[2048];
+ char peerbuf[256];
+ va_list ap;
+
+ if (! isc_log_wouldlog(isc_lctx, level))
+ return;
+
+ va_start(ap, fmt);
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ va_end(ap);
+
+ if (address == NULL) {
+ isc_log_iwrite(isc_lctx, category, module, level,
+ msgcat, msgset, message,
+ "socket %p: %s", sock, msgbuf);
+ } else {
+ isc_sockaddr_format(address, peerbuf, sizeof(peerbuf));
+ isc_log_iwrite(isc_lctx, category, module, level,
+ msgcat, msgset, message,
+ "socket %p %s: %s", sock, peerbuf, msgbuf);
+ }
+}
+
+static void
+wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
+ isc_socket_t *sock;
+
+ /*
+ * This is a wakeup on a socket. If the socket is not in the
+ * process of being closed, start watching it for either reads
+ * or writes.
+ */
+
+ INSIST(fd >= 0 && fd < (int)FD_SETSIZE);
+
+ if (manager->fdstate[fd] == CLOSE_PENDING) {
+ manager->fdstate[fd] = CLOSED;
+ FD_CLR(fd, &manager->read_fds);
+ FD_CLR(fd, &manager->write_fds);
+ (void)close(fd);
+ return;
+ }
+ if (manager->fdstate[fd] != MANAGED)
+ return;
+
+ sock = manager->fds[fd];
+
+ /*
+ * Set requested bit.
+ */
+ if (msg == SELECT_POKE_READ)
+ FD_SET(sock->fd, &manager->read_fds);
+ if (msg == SELECT_POKE_WRITE)
+ FD_SET(sock->fd, &manager->write_fds);
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+/*
+ * Poke the select loop when there is something for us to do.
+ * The write is required (by POSIX) to complete. That is, we
+ * will not get partial writes.
+ */
+static void
+select_poke(isc_socketmgr_t *mgr, int fd, int msg) {
+ int cc;
+ int buf[2];
+ char strbuf[ISC_STRERRORSIZE];
+
+ buf[0] = fd;
+ buf[1] = msg;
+
+ do {
+ cc = write(mgr->pipe_fds[1], buf, sizeof(buf));
+#ifdef ENOSR
+ /*
+ * Treat ENOSR as EAGAIN but loop slowly as it is
+ * unlikely to clear fast.
+ */
+ if (cc < 0 && errno == ENOSR) {
+ sleep(1);
+ errno = EAGAIN;
+ }
+#endif
+ } while (cc < 0 && SOFT_ERROR(errno));
+
+ if (cc < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_WRITEFAILED,
+ "write() failed "
+ "during watcher poke: %s"),
+ strbuf);
+ }
+
+ INSIST(cc == sizeof(buf));
+}
+
+/*
+ * Read a message on the internal fd.
+ */
+static void
+select_readmsg(isc_socketmgr_t *mgr, int *fd, int *msg) {
+ int buf[2];
+ int cc;
+ char strbuf[ISC_STRERRORSIZE];
+
+ cc = read(mgr->pipe_fds[0], buf, sizeof(buf));
+ if (cc < 0) {
+ *msg = SELECT_POKE_NOTHING;
+ if (SOFT_ERROR(errno))
+ return;
+
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ FATAL_ERROR(__FILE__, __LINE__,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_READFAILED,
+ "read() failed "
+ "during watcher poke: %s"),
+ strbuf);
+
+ return;
+ }
+ INSIST(cc == sizeof(buf));
+
+ *fd = buf[0];
+ *msg = buf[1];
+}
+#else /* ISC_PLATFORM_USETHREADS */
+/*
+ * Update the state of the socketmgr when something changes.
+ */
+static void
+select_poke(isc_socketmgr_t *manager, int fd, int msg) {
+ if (msg == SELECT_POKE_SHUTDOWN)
+ return;
+ else if (fd >= 0)
+ wakeup_socket(manager, fd, msg);
+ return;
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*
+ * Make a fd non-blocking.
+ */
+static isc_result_t
+make_nonblock(int fd) {
+ int ret;
+ int flags;
+ char strbuf[ISC_STRERRORSIZE];
+
+ flags = fcntl(fd, F_GETFL, 0);
+ flags |= O_NONBLOCK;
+ ret = fcntl(fd, F_SETFL, flags);
+
+ if (ret == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "fcntl(%d, F_SETFL, %d): %s",
+ fd, flags, strbuf);
+
+ return (ISC_R_UNEXPECTED);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+#ifdef USE_CMSG
+/*
+ * Not all OSes support advanced CMSG macros: CMSG_LEN and CMSG_SPACE.
+ * In order to ensure as much portability as possible, we provide wrapper
+ * functions of these macros.
+ * Note that cmsg_space() could run slow on OSes that do not have
+ * CMSG_SPACE.
+ */
+static inline ISC_SOCKADDR_LEN_T
+cmsg_len(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_LEN
+ return (CMSG_LEN(len));
+#else
+ ISC_SOCKADDR_LEN_T hdrlen;
+
+ hdrlen = (ISC_SOCKADDR_LEN_T)CMSG_DATA(NULL); /* XXX */
+ return (hdrlen + len);
+#endif
+}
+
+static inline ISC_SOCKADDR_LEN_T
+cmsg_space(ISC_SOCKADDR_LEN_T len) {
+#ifdef CMSG_SPACE
+ return (CMSG_SPACE(len));
+#else
+ struct msghdr msg;
+ struct cmsghdr *cmsgp;
+ /*
+ * XXX: The buffer length is an ad-hoc value, but should be enough
+ * in a practical sense.
+ */
+ char dummybuf[sizeof(struct cmsghdr) + 1024];
+
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_control = dummybuf;
+ msg.msg_controllen = sizeof(dummybuf);
+
+ cmsgp = (struct cmsghdr *)dummybuf;
+ cmsgp->cmsg_len = cmsg_len(len);
+
+ cmsgp = CMSG_NXTHDR(&msg, cmsgp);
+ if (cmsgp != NULL)
+ return ((char *)cmsgp - (char *)msg.msg_control);
+ else
+ return (0);
+#endif
+}
+#endif /* USE_CMSG */
+
+/*
+ * Process control messages received on a socket.
+ */
+static void
+process_cmsg(isc_socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+#ifdef USE_CMSG
+ struct cmsghdr *cmsgp;
+#ifdef ISC_PLATFORM_HAVEIPV6
+ struct in6_pktinfo *pktinfop;
+#endif
+#ifdef SO_TIMESTAMP
+ struct timeval *timevalp;
+#endif
+#endif
+
+ /*
+ * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
+ * msg and dev are used only when ISC_NET_BSD44MSGHDR is defined.
+ * They are all here, outside of the CPP tests, because it is
+ * more consistent with the usual ISC coding style.
+ */
+ UNUSED(sock);
+ UNUSED(msg);
+ UNUSED(dev);
+
+#ifdef ISC_NET_BSD44MSGHDR
+
+#ifdef MSG_TRUNC
+ if ((msg->msg_flags & MSG_TRUNC) == MSG_TRUNC)
+ dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+#endif
+
+#ifdef MSG_CTRUNC
+ if ((msg->msg_flags & MSG_CTRUNC) == MSG_CTRUNC)
+ dev->attributes |= ISC_SOCKEVENTATTR_CTRUNC;
+#endif
+
+#ifndef USE_CMSG
+ return;
+#else
+ if (msg->msg_controllen == 0U || msg->msg_control == NULL)
+ return;
+
+#ifdef SO_TIMESTAMP
+ timevalp = NULL;
+#endif
+#ifdef ISC_PLATFORM_HAVEIPV6
+ pktinfop = NULL;
+#endif
+
+ cmsgp = CMSG_FIRSTHDR(msg);
+ while (cmsgp != NULL) {
+ socket_log(sock, NULL, TRACE,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PROCESSCMSG,
+ "processing cmsg %p", cmsgp);
+
+#ifdef ISC_PLATFORM_HAVEIPV6
+ if (cmsgp->cmsg_level == IPPROTO_IPV6
+ && cmsgp->cmsg_type == IPV6_PKTINFO) {
+
+ pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+ memcpy(&dev->pktinfo, pktinfop,
+ sizeof(struct in6_pktinfo));
+ dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+ socket_log(sock, NULL, TRACE,
+ isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_IFRECEIVED,
+ "interface received on ifindex %u",
+ dev->pktinfo.ipi6_ifindex);
+ if (IN6_IS_ADDR_MULTICAST(&pktinfop->ipi6_addr))
+ dev->attributes |= ISC_SOCKEVENTATTR_MULTICAST;
+ goto next;
+ }
+#endif
+
+#ifdef SO_TIMESTAMP
+ if (cmsgp->cmsg_level == SOL_SOCKET
+ && cmsgp->cmsg_type == SCM_TIMESTAMP) {
+ timevalp = (struct timeval *)CMSG_DATA(cmsgp);
+ dev->timestamp.seconds = timevalp->tv_sec;
+ dev->timestamp.nanoseconds = timevalp->tv_usec * 1000;
+ dev->attributes |= ISC_SOCKEVENTATTR_TIMESTAMP;
+ goto next;
+ }
+#endif
+
+ next:
+ cmsgp = CMSG_NXTHDR(msg, cmsgp);
+ }
+#endif /* USE_CMSG */
+
+#endif /* ISC_NET_BSD44MSGHDR */
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in. This is
+ * the SEND constructor, which will use the used region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If write_countp != NULL, *write_countp will hold the number of bytes
+ * this transaction can send.
+ */
+static void
+build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
+ struct msghdr *msg, struct iovec *iov, size_t *write_countp)
+{
+ unsigned int iovcount;
+ isc_buffer_t *buffer;
+ isc_region_t used;
+ size_t write_count;
+ size_t skip_count;
+
+ memset(msg, 0, sizeof(*msg));
+
+ if (sock->type == isc_sockettype_udp) {
+ msg->msg_name = (void *)&dev->address.type.sa;
+ msg->msg_namelen = dev->address.length;
+ } else {
+ msg->msg_name = NULL;
+ msg->msg_namelen = 0;
+ }
+
+ buffer = ISC_LIST_HEAD(dev->bufferlist);
+ write_count = 0;
+ iovcount = 0;
+
+ /*
+ * Single buffer I/O? Skip what we've done so far in this region.
+ */
+ if (buffer == NULL) {
+ write_count = dev->region.length - dev->n;
+ iov[0].iov_base = (void *)(dev->region.base + dev->n);
+ iov[0].iov_len = write_count;
+ iovcount = 1;
+
+ goto config;
+ }
+
+ /*
+ * Multibuffer I/O.
+ * Skip the data in the buffer list that we have already written.
+ */
+ skip_count = dev->n;
+ while (buffer != NULL) {
+ REQUIRE(ISC_BUFFER_VALID(buffer));
+ if (skip_count < isc_buffer_usedlength(buffer))
+ break;
+ skip_count -= isc_buffer_usedlength(buffer);
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ while (buffer != NULL) {
+ INSIST(iovcount < MAXSCATTERGATHER_SEND);
+
+ isc_buffer_usedregion(buffer, &used);
+
+ if (used.length > 0) {
+ iov[iovcount].iov_base = (void *)(used.base
+ + skip_count);
+ iov[iovcount].iov_len = used.length - skip_count;
+ write_count += (used.length - skip_count);
+ skip_count = 0;
+ iovcount++;
+ }
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ INSIST(skip_count == 0U);
+
+ config:
+ msg->msg_iov = iov;
+ msg->msg_iovlen = iovcount;
+
+#ifdef ISC_NET_BSD44MSGHDR
+ msg->msg_control = NULL;
+ msg->msg_controllen = 0;
+ msg->msg_flags = 0;
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
+ if ((sock->type == isc_sockettype_udp)
+ && ((dev->attributes & ISC_SOCKEVENTATTR_PKTINFO) != 0)) {
+ struct cmsghdr *cmsgp;
+ struct in6_pktinfo *pktinfop;
+
+ socket_log(sock, NULL, TRACE,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_SENDTODATA,
+ "sendto pktinfo data, ifindex %u",
+ dev->pktinfo.ipi6_ifindex);
+
+ msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
+ INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
+ msg->msg_control = (void *)sock->sendcmsgbuf;
+
+ cmsgp = (struct cmsghdr *)sock->sendcmsgbuf;
+ cmsgp->cmsg_level = IPPROTO_IPV6;
+ cmsgp->cmsg_type = IPV6_PKTINFO;
+ cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
+ pktinfop = (struct in6_pktinfo *)CMSG_DATA(cmsgp);
+ memcpy(pktinfop, &dev->pktinfo, sizeof(struct in6_pktinfo));
+ }
+#endif /* USE_CMSG && ISC_PLATFORM_HAVEIPV6 */
+#else /* ISC_NET_BSD44MSGHDR */
+ msg->msg_accrights = NULL;
+ msg->msg_accrightslen = 0;
+#endif /* ISC_NET_BSD44MSGHDR */
+
+ if (write_countp != NULL)
+ *write_countp = write_count;
+}
+
+/*
+ * Construct an iov array and attach it to the msghdr passed in. This is
+ * the RECV constructor, which will use the avialable region of the buffer
+ * (if using a buffer list) or will use the internal region (if a single
+ * buffer I/O is requested).
+ *
+ * Nothing can be NULL, and the done event must list at least one buffer
+ * on the buffer linked list for this function to be meaningful.
+ *
+ * If read_countp != NULL, *read_countp will hold the number of bytes
+ * this transaction can receive.
+ */
+static void
+build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
+ struct msghdr *msg, struct iovec *iov, size_t *read_countp)
+{
+ unsigned int iovcount;
+ isc_buffer_t *buffer;
+ isc_region_t available;
+ size_t read_count;
+
+ memset(msg, 0, sizeof(struct msghdr));
+
+ if (sock->type == isc_sockettype_udp) {
+ memset(&dev->address, 0, sizeof(dev->address));
+ msg->msg_name = (void *)&dev->address.type.sa;
+ msg->msg_namelen = sizeof(dev->address.type);
+#ifdef ISC_NET_RECVOVERFLOW
+ /* If needed, steal one iovec for overflow detection. */
+ maxiov--;
+#endif
+ } else { /* TCP */
+ msg->msg_name = NULL;
+ msg->msg_namelen = 0;
+ dev->address = sock->address;
+ }
+
+ buffer = ISC_LIST_HEAD(dev->bufferlist);
+ read_count = 0;
+
+ /*
+ * Single buffer I/O? Skip what we've done so far in this region.
+ */
+ if (buffer == NULL) {
+ read_count = dev->region.length - dev->n;
+ iov[0].iov_base = (void *)(dev->region.base + dev->n);
+ iov[0].iov_len = read_count;
+ iovcount = 1;
+
+ goto config;
+ }
+
+ /*
+ * Multibuffer I/O.
+ * Skip empty buffers.
+ */
+ while (buffer != NULL) {
+ REQUIRE(ISC_BUFFER_VALID(buffer));
+ if (isc_buffer_availablelength(buffer) != 0)
+ break;
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ iovcount = 0;
+ while (buffer != NULL) {
+ INSIST(iovcount < MAXSCATTERGATHER_RECV);
+
+ isc_buffer_availableregion(buffer, &available);
+
+ if (available.length > 0) {
+ iov[iovcount].iov_base = (void *)(available.base);
+ iov[iovcount].iov_len = available.length;
+ read_count += available.length;
+ iovcount++;
+ }
+ buffer = ISC_LIST_NEXT(buffer, link);
+ }
+
+ config:
+
+ /*
+ * If needed, set up to receive that one extra byte. Note that
+ * we know there is at least one iov left, since we stole it
+ * at the top of this function.
+ */
+#ifdef ISC_NET_RECVOVERFLOW
+ if (sock->type == isc_sockettype_udp) {
+ iov[iovcount].iov_base = (void *)(&sock->overflow);
+ iov[iovcount].iov_len = 1;
+ iovcount++;
+ }
+#endif
+
+ msg->msg_iov = iov;
+ msg->msg_iovlen = iovcount;
+
+#ifdef ISC_NET_BSD44MSGHDR
+ msg->msg_control = NULL;
+ msg->msg_controllen = 0;
+ msg->msg_flags = 0;
+#if defined(USE_CMSG)
+ if (sock->type == isc_sockettype_udp) {
+ msg->msg_control = sock->recvcmsgbuf;
+ msg->msg_controllen = sock->recvcmsgbuflen;
+ }
+#endif /* USE_CMSG */
+#else /* ISC_NET_BSD44MSGHDR */
+ msg->msg_accrights = NULL;
+ msg->msg_accrightslen = 0;
+#endif /* ISC_NET_BSD44MSGHDR */
+
+ if (read_countp != NULL)
+ *read_countp = read_count;
+}
+
+static void
+set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
+ isc_socketevent_t *dev)
+{
+ if (sock->type == isc_sockettype_udp) {
+ if (address != NULL)
+ dev->address = *address;
+ else
+ dev->address = sock->address;
+ } else if (sock->type == isc_sockettype_tcp) {
+ INSIST(address == NULL);
+ dev->address = sock->address;
+ }
+}
+
+static isc_socketevent_t *
+allocate_socketevent(isc_socket_t *sock, isc_eventtype_t eventtype,
+ isc_taskaction_t action, const void *arg)
+{
+ isc_socketevent_t *ev;
+
+ ev = (isc_socketevent_t *)isc_event_allocate(sock->manager->mctx,
+ sock, eventtype,
+ action, arg,
+ sizeof(*ev));
+
+ if (ev == NULL)
+ return (NULL);
+
+ ev->result = ISC_R_UNEXPECTED;
+ ISC_LINK_INIT(ev, ev_link);
+ ISC_LIST_INIT(ev->bufferlist);
+ ev->region.base = NULL;
+ ev->n = 0;
+ ev->offset = 0;
+ ev->attributes = 0;
+
+ return (ev);
+}
+
+#if defined(ISC_SOCKET_DEBUG)
+static void
+dump_msg(struct msghdr *msg) {
+ unsigned int i;
+
+ printf("MSGHDR %p\n", msg);
+ printf("\tname %p, namelen %d\n", msg->msg_name, msg->msg_namelen);
+ printf("\tiov %p, iovlen %d\n", msg->msg_iov, msg->msg_iovlen);
+ for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
+ printf("\t\t%d\tbase %p, len %d\n", i,
+ msg->msg_iov[i].iov_base,
+ msg->msg_iov[i].iov_len);
+#ifdef ISC_NET_BSD44MSGHDR
+ printf("\tcontrol %p, controllen %d\n", msg->msg_control,
+ msg->msg_controllen);
+#endif
+}
+#endif
+
+#define DOIO_SUCCESS 0 /* i/o ok, event sent */
+#define DOIO_SOFT 1 /* i/o ok, soft error, no event sent */
+#define DOIO_HARD 2 /* i/o error, event sent */
+#define DOIO_EOF 3 /* EOF, no event sent */
+
+static int
+doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
+ int cc;
+ struct iovec iov[MAXSCATTERGATHER_RECV];
+ size_t read_count;
+ size_t actual_count;
+ struct msghdr msghdr;
+ isc_buffer_t *buffer;
+ int recv_errno;
+ char strbuf[ISC_STRERRORSIZE];
+
+ build_msghdr_recv(sock, dev, &msghdr, iov, &read_count);
+
+#if defined(ISC_SOCKET_DEBUG)
+ dump_msg(&msghdr);
+#endif
+
+ cc = recvmsg(sock->fd, &msghdr, 0);
+ recv_errno = errno;
+
+ if (cc < 0) {
+ if (SOFT_ERROR(recv_errno))
+ return (DOIO_SOFT);
+
+ if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+ isc__strerror(recv_errno, strbuf, sizeof(strbuf));
+ socket_log(sock, NULL, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_DOIORECV,
+ "doio_recv: recvmsg(%d) %d bytes, err %d/%s",
+ sock->fd, cc, recv_errno, strbuf);
+ }
+
+#define SOFT_OR_HARD(_system, _isc) \
+ if (recv_errno == _system) { \
+ if (sock->connected) { \
+ dev->result = _isc; \
+ return (DOIO_HARD); \
+ } \
+ return (DOIO_SOFT); \
+ }
+#define ALWAYS_HARD(_system, _isc) \
+ if (recv_errno == _system) { \
+ dev->result = _isc; \
+ return (DOIO_HARD); \
+ }
+
+ SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+ SOFT_OR_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+ SOFT_OR_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+ SOFT_OR_HARD(EHOSTDOWN, ISC_R_HOSTDOWN);
+ /* HPUX 11.11 can return EADDRNOTAVAIL. */
+ SOFT_OR_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+ ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+ dev->result = isc__errno2result(recv_errno);
+ return (DOIO_HARD);
+ }
+
+ /*
+ * On TCP, zero length reads indicate EOF, while on
+ * UDP, zero length reads are perfectly valid, although
+ * strange.
+ */
+ if ((sock->type == isc_sockettype_tcp) && (cc == 0))
+ return (DOIO_EOF);
+
+ if (sock->type == isc_sockettype_udp) {
+ dev->address.length = msghdr.msg_namelen;
+ if (isc_sockaddr_getport(&dev->address) == 0) {
+ if (isc_log_wouldlog(isc_lctx, IOEVENT_LEVEL)) {
+ socket_log(sock, &dev->address, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_ZEROPORT,
+ "dropping source port zero packet");
+ }
+ return (DOIO_SOFT);
+ }
+ }
+
+ socket_log(sock, &dev->address, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_PKTRECV,
+ "packet received correctly");
+
+ /*
+ * Overflow bit detection. If we received MORE bytes than we should,
+ * this indicates an overflow situation. Set the flag in the
+ * dev entry and adjust how much we read by one.
+ */
+#ifdef ISC_NET_RECVOVERFLOW
+ if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
+ dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
+ cc--;
+ }
+#endif
+
+ /*
+ * If there are control messages attached, run through them and pull
+ * out the interesting bits.
+ */
+ if (sock->type == isc_sockettype_udp)
+ process_cmsg(sock, &msghdr, dev);
+
+ /*
+ * update the buffers (if any) and the i/o count
+ */
+ dev->n += cc;
+ actual_count = cc;
+ buffer = ISC_LIST_HEAD(dev->bufferlist);
+ while (buffer != NULL && actual_count > 0U) {
+ REQUIRE(ISC_BUFFER_VALID(buffer));
+ if (isc_buffer_availablelength(buffer) <= actual_count) {
+ actual_count -= isc_buffer_availablelength(buffer);
+ isc_buffer_add(buffer,
+ isc_buffer_availablelength(buffer));
+ } else {
+ isc_buffer_add(buffer, actual_count);
+ actual_count = 0;
+ break;
+ }
+ buffer = ISC_LIST_NEXT(buffer, link);
+ if (buffer == NULL) {
+ INSIST(actual_count == 0U);
+ }
+ }
+
+ /*
+ * If we read less than we expected, update counters,
+ * and let the upper layer poke the descriptor.
+ */
+ if (((size_t)cc != read_count) && (dev->n < dev->minimum))
+ return (DOIO_SOFT);
+
+ /*
+ * Full reads are posted, or partials if partials are ok.
+ */
+ dev->result = ISC_R_SUCCESS;
+ return (DOIO_SUCCESS);
+}
+
+/*
+ * Returns:
+ * DOIO_SUCCESS The operation succeeded. dev->result contains
+ * ISC_R_SUCCESS.
+ *
+ * DOIO_HARD A hard or unexpected I/O error was encountered.
+ * dev->result contains the appropriate error.
+ *
+ * DOIO_SOFT A soft I/O error was encountered. No senddone
+ * event was sent. The operation should be retried.
+ *
+ * No other return values are possible.
+ */
+static int
+doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
+ int cc;
+ struct iovec iov[MAXSCATTERGATHER_SEND];
+ size_t write_count;
+ struct msghdr msghdr;
+ char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+ int attempts = 0;
+ int send_errno;
+ char strbuf[ISC_STRERRORSIZE];
+
+ build_msghdr_send(sock, dev, &msghdr, iov, &write_count);
+
+ resend:
+ cc = sendmsg(sock->fd, &msghdr, 0);
+ send_errno = errno;
+
+ /*
+ * Check for error or block condition.
+ */
+ if (cc < 0) {
+ if (send_errno == EINTR && ++attempts < NRETRIES)
+ goto resend;
+
+ if (SOFT_ERROR(send_errno))
+ return (DOIO_SOFT);
+
+#define SOFT_OR_HARD(_system, _isc) \
+ if (send_errno == _system) { \
+ if (sock->connected) { \
+ dev->result = _isc; \
+ return (DOIO_HARD); \
+ } \
+ return (DOIO_SOFT); \
+ }
+#define ALWAYS_HARD(_system, _isc) \
+ if (send_errno == _system) { \
+ dev->result = _isc; \
+ return (DOIO_HARD); \
+ }
+
+ SOFT_OR_HARD(ECONNREFUSED, ISC_R_CONNREFUSED);
+ ALWAYS_HARD(EACCES, ISC_R_NOPERM);
+ ALWAYS_HARD(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+ ALWAYS_HARD(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+ ALWAYS_HARD(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+ ALWAYS_HARD(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+ ALWAYS_HARD(ENETUNREACH, ISC_R_NETUNREACH);
+ ALWAYS_HARD(ENOBUFS, ISC_R_NORESOURCES);
+ ALWAYS_HARD(EPERM, ISC_R_HOSTUNREACH);
+ ALWAYS_HARD(EPIPE, ISC_R_NOTCONNECTED);
+ ALWAYS_HARD(ECONNRESET, ISC_R_CONNECTIONRESET);
+
+#undef SOFT_OR_HARD
+#undef ALWAYS_HARD
+
+ /*
+ * The other error types depend on whether or not the
+ * socket is UDP or TCP. If it is UDP, some errors
+ * that we expect to be fatal under TCP are merely
+ * annoying, and are really soft errors.
+ *
+ * However, these soft errors are still returned as
+ * a status.
+ */
+ isc_sockaddr_format(&dev->address, addrbuf, sizeof(addrbuf));
+ isc__strerror(send_errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
+ addrbuf, strbuf);
+ dev->result = isc__errno2result(send_errno);
+ return (DOIO_HARD);
+ }
+
+ if (cc == 0)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "internal_send: send() %s 0",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_RETURNED, "returned"));
+
+ /*
+ * If we write less than we expected, update counters, poke.
+ */
+ dev->n += cc;
+ if ((size_t)cc != write_count)
+ return (DOIO_SOFT);
+
+ /*
+ * Exactly what we wanted to write. We're done with this
+ * entry. Post its completion event.
+ */
+ dev->result = ISC_R_SUCCESS;
+ return (DOIO_SUCCESS);
+}
+
+/*
+ * Kill.
+ *
+ * Caller must ensure that the socket is not locked and no external
+ * references exist.
+ */
+static void
+destroy(isc_socket_t **sockp) {
+ isc_socket_t *sock = *sockp;
+ isc_socketmgr_t *manager = sock->manager;
+
+ socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_DESTROYING, "destroying");
+
+ INSIST(ISC_LIST_EMPTY(sock->accept_list));
+ INSIST(ISC_LIST_EMPTY(sock->recv_list));
+ INSIST(ISC_LIST_EMPTY(sock->send_list));
+ INSIST(sock->connect_ev == NULL);
+ REQUIRE(sock->fd >= 0 && sock->fd < (int)FD_SETSIZE);
+
+ LOCK(&manager->lock);
+
+ /*
+ * No one has this socket open, so the watcher doesn't have to be
+ * poked, and the socket doesn't have to be locked.
+ */
+ manager->fds[sock->fd] = NULL;
+ manager->fdstate[sock->fd] = CLOSE_PENDING;
+ select_poke(manager, sock->fd, SELECT_POKE_CLOSE);
+ ISC_LIST_UNLINK(manager->socklist, sock, link);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ if (ISC_LIST_EMPTY(manager->socklist))
+ SIGNAL(&manager->shutdown_ok);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ /*
+ * XXX should reset manager->maxfd here
+ */
+
+ UNLOCK(&manager->lock);
+
+ free_socket(sockp);
+}
+
+static isc_result_t
+allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
+ isc_socket_t **socketp)
+{
+ isc_socket_t *sock;
+ isc_result_t ret;
+ ISC_SOCKADDR_LEN_T cmsgbuflen;
+
+ sock = isc_mem_get(manager->mctx, sizeof(*sock));
+
+ if (sock == NULL)
+ return (ISC_R_NOMEMORY);
+
+ ret = ISC_R_UNEXPECTED;
+
+ sock->magic = 0;
+ sock->references = 0;
+
+ sock->manager = manager;
+ sock->type = type;
+ sock->fd = -1;
+
+ ISC_LINK_INIT(sock, link);
+
+ sock->recvcmsgbuf = NULL;
+ sock->sendcmsgbuf = NULL;
+
+ /*
+ * set up cmsg buffers
+ */
+ cmsgbuflen = 0;
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
+ cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
+#endif
+#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
+ cmsgbuflen += cmsg_space(sizeof(struct timeval));
+#endif
+ sock->recvcmsgbuflen = cmsgbuflen;
+ if (sock->recvcmsgbuflen != 0) {
+ sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
+ if (sock->recvcmsgbuf == NULL)
+ goto error;
+ }
+
+ cmsgbuflen = 0;
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIPV6)
+ cmsgbuflen = cmsg_space(sizeof(struct in6_pktinfo));
+#endif
+ sock->sendcmsgbuflen = cmsgbuflen;
+ if (sock->sendcmsgbuflen != 0) {
+ sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
+ if (sock->sendcmsgbuf == NULL)
+ goto error;
+ }
+
+ /*
+ * set up list of readers and writers to be initially empty
+ */
+ ISC_LIST_INIT(sock->recv_list);
+ ISC_LIST_INIT(sock->send_list);
+ ISC_LIST_INIT(sock->accept_list);
+ sock->connect_ev = NULL;
+ sock->pending_recv = 0;
+ sock->pending_send = 0;
+ sock->pending_accept = 0;
+ sock->listener = 0;
+ sock->connected = 0;
+ sock->connecting = 0;
+ sock->bound = 0;
+
+ /*
+ * initialize the lock
+ */
+ if (isc_mutex_init(&sock->lock) != ISC_R_SUCCESS) {
+ sock->magic = 0;
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ ret = ISC_R_UNEXPECTED;
+ goto error;
+ }
+
+ /*
+ * Initialize readable and writable events
+ */
+ ISC_EVENT_INIT(&sock->readable_ev, sizeof(intev_t),
+ ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTR,
+ NULL, sock, sock, NULL, NULL);
+ ISC_EVENT_INIT(&sock->writable_ev, sizeof(intev_t),
+ ISC_EVENTATTR_NOPURGE, NULL, ISC_SOCKEVENT_INTW,
+ NULL, sock, sock, NULL, NULL);
+
+ sock->magic = SOCKET_MAGIC;
+ *socketp = sock;
+
+ return (ISC_R_SUCCESS);
+
+ error:
+ if (sock->recvcmsgbuf != NULL)
+ isc_mem_put(manager->mctx, sock->recvcmsgbuf,
+ sock->recvcmsgbuflen);
+ if (sock->sendcmsgbuf != NULL)
+ isc_mem_put(manager->mctx, sock->sendcmsgbuf,
+ sock->sendcmsgbuflen);
+ isc_mem_put(manager->mctx, sock, sizeof(*sock));
+
+ return (ret);
+}
+
+/*
+ * This event requires that the various lists be empty, that the reference
+ * count be 1, and that the magic number is valid. The other socket bits,
+ * like the lock, must be initialized as well. The fd associated must be
+ * marked as closed, by setting it to -1 on close, or this routine will
+ * also close the socket.
+ */
+static void
+free_socket(isc_socket_t **socketp) {
+ isc_socket_t *sock = *socketp;
+
+ INSIST(sock->references == 0);
+ INSIST(VALID_SOCKET(sock));
+ INSIST(!sock->connecting);
+ INSIST(!sock->pending_recv);
+ INSIST(!sock->pending_send);
+ INSIST(!sock->pending_accept);
+ INSIST(ISC_LIST_EMPTY(sock->recv_list));
+ INSIST(ISC_LIST_EMPTY(sock->send_list));
+ INSIST(ISC_LIST_EMPTY(sock->accept_list));
+ INSIST(!ISC_LINK_LINKED(sock, link));
+
+ if (sock->recvcmsgbuf != NULL)
+ isc_mem_put(sock->manager->mctx, sock->recvcmsgbuf,
+ sock->recvcmsgbuflen);
+ if (sock->sendcmsgbuf != NULL)
+ isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
+ sock->sendcmsgbuflen);
+
+ sock->magic = 0;
+
+ DESTROYLOCK(&sock->lock);
+
+ isc_mem_put(sock->manager->mctx, sock, sizeof(*sock));
+
+ *socketp = NULL;
+}
+
+/*
+ * Create a new 'type' socket managed by 'manager'. Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value. The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
+ isc_socket_t **socketp)
+{
+ isc_socket_t *sock = NULL;
+ isc_result_t ret;
+#if defined(USE_CMSG) || defined(SO_BSDCOMPAT)
+ int on = 1;
+#endif
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(socketp != NULL && *socketp == NULL);
+
+ ret = allocate_socket(manager, type, &sock);
+ if (ret != ISC_R_SUCCESS)
+ return (ret);
+
+ sock->pf = pf;
+ switch (type) {
+ case isc_sockettype_udp:
+ sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
+ break;
+ case isc_sockettype_tcp:
+ sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
+ break;
+ }
+
+#ifdef F_DUPFD
+ /*
+ * Leave a space for stdio to work in.
+ */
+ if (sock->fd >= 0 && sock->fd < 20) {
+ int new, tmp;
+ new = fcntl(sock->fd, F_DUPFD, 20);
+ tmp = errno;
+ (void)close(sock->fd);
+ errno = tmp;
+ sock->fd = new;
+ }
+#endif
+
+ if (sock->fd >= (int)FD_SETSIZE) {
+ (void)close(sock->fd);
+ isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+ isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_TOOMANYFDS,
+ "%s: too many open file descriptors", "socket");
+ free_socket(&sock);
+ return (ISC_R_NORESOURCES);
+ }
+
+ if (sock->fd < 0) {
+ free_socket(&sock);
+
+ switch (errno) {
+ case EMFILE:
+ case ENFILE:
+ case ENOBUFS:
+ return (ISC_R_NORESOURCES);
+
+ case EPROTONOSUPPORT:
+ case EPFNOSUPPORT:
+ case EAFNOSUPPORT:
+ /*
+ * Linux 2.2 (and maybe others) return EINVAL instead of
+ * EAFNOSUPPORT.
+ */
+ case EINVAL:
+ return (ISC_R_FAMILYNOSUPPORT);
+
+ default:
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "socket() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ }
+
+ if (make_nonblock(sock->fd) != ISC_R_SUCCESS) {
+ (void)close(sock->fd);
+ free_socket(&sock);
+ return (ISC_R_UNEXPECTED);
+ }
+
+#ifdef SO_BSDCOMPAT
+ if (setsockopt(sock->fd, SOL_SOCKET, SO_BSDCOMPAT,
+ (void *)&on, sizeof(on)) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d, SO_BSDCOMPAT) %s: %s",
+ sock->fd,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ strbuf);
+ /* Press on... */
+ }
+#endif
+
+#if defined(USE_CMSG)
+ if (type == isc_sockettype_udp) {
+
+#if defined(SO_TIMESTAMP)
+ if (setsockopt(sock->fd, SOL_SOCKET, SO_TIMESTAMP,
+ (void *)&on, sizeof(on)) < 0
+ && errno != ENOPROTOOPT) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d, SO_TIMESTAMP) %s: %s",
+ sock->fd,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ /* Press on... */
+ }
+#endif /* SO_TIMESTAMP */
+
+#if defined(ISC_PLATFORM_HAVEIPV6)
+ if (pf == AF_INET6 && sock->recvcmsgbuflen == 0) {
+ /*
+ * Warn explicitly because this anomaly can be hidden
+ * in usual operation (and unexpectedly appear later).
+ */
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "No buffer available to receive "
+ "IPv6 destination");
+ }
+#ifdef IPV6_RECVPKTINFO
+ /* 2292bis */
+ if ((pf == AF_INET6)
+ && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
+ (void *)&on, sizeof(on)) < 0)) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d, IPV6_RECVPKTINFO) "
+ "%s: %s", sock->fd,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ }
+#else
+ /* 2292 */
+ if ((pf == AF_INET6)
+ && (setsockopt(sock->fd, IPPROTO_IPV6, IPV6_PKTINFO,
+ (void *)&on, sizeof(on)) < 0)) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d, IPV6_PKTINFO) %s: %s",
+ sock->fd,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ }
+#endif /* IPV6_RECVPKTINFO */
+#ifdef IPV6_USE_MIN_MTU /*2292bis, not too common yet*/
+ /* use minimum MTU */
+ if (pf == AF_INET6) {
+ (void)setsockopt(sock->fd, IPPROTO_IPV6,
+ IPV6_USE_MIN_MTU,
+ (void *)&on, sizeof(on));
+ }
+#endif
+#endif /* ISC_PLATFORM_HAVEIPV6 */
+
+ }
+#endif /* USE_CMSG */
+
+ sock->references = 1;
+ *socketp = sock;
+
+ LOCK(&manager->lock);
+
+ /*
+ * Note we don't have to lock the socket like we normally would because
+ * there are no external references to it yet.
+ */
+
+ manager->fds[sock->fd] = sock;
+ manager->fdstate[sock->fd] = MANAGED;
+ ISC_LIST_APPEND(manager->socklist, sock, link);
+ if (manager->maxfd < sock->fd)
+ manager->maxfd = sock->fd;
+
+ UNLOCK(&manager->lock);
+
+ socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_CREATED, "created");
+
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Attach to a socket. Caller must explicitly detach when it is done.
+ */
+void
+isc_socket_attach(isc_socket_t *sock, isc_socket_t **socketp) {
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(socketp != NULL && *socketp == NULL);
+
+ LOCK(&sock->lock);
+ sock->references++;
+ UNLOCK(&sock->lock);
+
+ *socketp = sock;
+}
+
+/*
+ * Dereference a socket. If this is the last reference to it, clean things
+ * up by destroying the socket.
+ */
+void
+isc_socket_detach(isc_socket_t **socketp) {
+ isc_socket_t *sock;
+ isc_boolean_t kill_socket = ISC_FALSE;
+
+ REQUIRE(socketp != NULL);
+ sock = *socketp;
+ REQUIRE(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ REQUIRE(sock->references > 0);
+ sock->references--;
+ if (sock->references == 0)
+ kill_socket = ISC_TRUE;
+ UNLOCK(&sock->lock);
+
+ if (kill_socket)
+ destroy(&sock);
+
+ *socketp = NULL;
+}
+
+/*
+ * I/O is possible on a given socket. Schedule an event to this task that
+ * will call an internal function to do the I/O. This will charge the
+ * task with the I/O operation and let our select loop handler get back
+ * to doing something real as fast as possible.
+ *
+ * The socket and manager must be locked before calling this function.
+ */
+static void
+dispatch_recv(isc_socket_t *sock) {
+ intev_t *iev;
+ isc_socketevent_t *ev;
+
+ INSIST(!sock->pending_recv);
+
+ ev = ISC_LIST_HEAD(sock->recv_list);
+ if (ev == NULL)
+ return;
+
+ sock->pending_recv = 1;
+ iev = &sock->readable_ev;
+
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "dispatch_recv: event %p -> task %p", ev, ev->ev_sender);
+
+ sock->references++;
+ iev->ev_sender = sock;
+ iev->ev_action = internal_recv;
+ iev->ev_arg = sock;
+
+ isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+static void
+dispatch_send(isc_socket_t *sock) {
+ intev_t *iev;
+ isc_socketevent_t *ev;
+
+ INSIST(!sock->pending_send);
+
+ ev = ISC_LIST_HEAD(sock->send_list);
+ if (ev == NULL)
+ return;
+
+ sock->pending_send = 1;
+ iev = &sock->writable_ev;
+
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "dispatch_send: event %p -> task %p", ev, ev->ev_sender);
+
+ sock->references++;
+ iev->ev_sender = sock;
+ iev->ev_action = internal_send;
+ iev->ev_arg = sock;
+
+ isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+/*
+ * Dispatch an internal accept event.
+ */
+static void
+dispatch_accept(isc_socket_t *sock) {
+ intev_t *iev;
+ isc_socket_newconnev_t *ev;
+
+ INSIST(!sock->pending_accept);
+
+ /*
+ * Are there any done events left, or were they all canceled
+ * before the manager got the socket lock?
+ */
+ ev = ISC_LIST_HEAD(sock->accept_list);
+ if (ev == NULL)
+ return;
+
+ sock->pending_accept = 1;
+ iev = &sock->readable_ev;
+
+ sock->references++; /* keep socket around for this internal event */
+ iev->ev_sender = sock;
+ iev->ev_action = internal_accept;
+ iev->ev_arg = sock;
+
+ isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+static void
+dispatch_connect(isc_socket_t *sock) {
+ intev_t *iev;
+ isc_socket_connev_t *ev;
+
+ iev = &sock->writable_ev;
+
+ ev = sock->connect_ev;
+ INSIST(ev != NULL); /* XXX */
+
+ INSIST(sock->connecting);
+
+ sock->references++; /* keep socket around for this internal event */
+ iev->ev_sender = sock;
+ iev->ev_action = internal_connect;
+ iev->ev_arg = sock;
+
+ isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+}
+
+/*
+ * Dequeue an item off the given socket's read queue, set the result code
+ * in the done event to the one provided, and send it to the task it was
+ * destined for.
+ *
+ * If the event to be sent is on a list, remove it before sending. If
+ * asked to, send and detach from the socket as well.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_recvdone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+ isc_task_t *task;
+
+ task = (*dev)->ev_sender;
+
+ (*dev)->ev_sender = sock;
+
+ if (ISC_LINK_LINKED(*dev, ev_link))
+ ISC_LIST_DEQUEUE(sock->recv_list, *dev, ev_link);
+
+ if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+ == ISC_SOCKEVENTATTR_ATTACHED)
+ isc_task_sendanddetach(&task, (isc_event_t **)dev);
+ else
+ isc_task_send(task, (isc_event_t **)dev);
+}
+
+/*
+ * See comments for send_recvdone_event() above.
+ *
+ * Caller must have the socket locked if the event is attached to the socket.
+ */
+static void
+send_senddone_event(isc_socket_t *sock, isc_socketevent_t **dev) {
+ isc_task_t *task;
+
+ INSIST(dev != NULL && *dev != NULL);
+
+ task = (*dev)->ev_sender;
+ (*dev)->ev_sender = sock;
+
+ if (ISC_LINK_LINKED(*dev, ev_link))
+ ISC_LIST_DEQUEUE(sock->send_list, *dev, ev_link);
+
+ if (((*dev)->attributes & ISC_SOCKEVENTATTR_ATTACHED)
+ == ISC_SOCKEVENTATTR_ATTACHED)
+ isc_task_sendanddetach(&task, (isc_event_t **)dev);
+ else
+ isc_task_send(task, (isc_event_t **)dev);
+}
+
+/*
+ * Call accept() on a socket, to get the new file descriptor. The listen
+ * socket is used as a prototype to create a new isc_socket_t. The new
+ * socket has one outstanding reference. The task receiving the event
+ * will be detached from just after the event is delivered.
+ *
+ * On entry to this function, the event delivered is the internal
+ * readable event, and the first item on the accept_list should be
+ * the done event we want to send. If the list is empty, this is a no-op,
+ * so just unlock and return.
+ */
+static void
+internal_accept(isc_task_t *me, isc_event_t *ev) {
+ isc_socket_t *sock;
+ isc_socketmgr_t *manager;
+ isc_socket_newconnev_t *dev;
+ isc_task_t *task;
+ ISC_SOCKADDR_LEN_T addrlen;
+ int fd;
+ isc_result_t result = ISC_R_SUCCESS;
+ char strbuf[ISC_STRERRORSIZE];
+
+ UNUSED(me);
+
+ sock = ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ socket_log(sock, NULL, TRACE,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTLOCK,
+ "internal_accept called, locked socket");
+
+ manager = sock->manager;
+ INSIST(VALID_MANAGER(manager));
+
+ INSIST(sock->listener);
+ INSIST(sock->pending_accept == 1);
+ sock->pending_accept = 0;
+
+ INSIST(sock->references > 0);
+ sock->references--; /* the internal event is done with this socket */
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ /*
+ * Get the first item off the accept list.
+ * If it is empty, unlock the socket and return.
+ */
+ dev = ISC_LIST_HEAD(sock->accept_list);
+ if (dev == NULL) {
+ UNLOCK(&sock->lock);
+ return;
+ }
+
+ /*
+ * Try to accept the new connection. If the accept fails with
+ * EAGAIN or EINTR, simply poke the watcher to watch this socket
+ * again. Also ignore ECONNRESET, which has been reported to
+ * be spuriously returned on Linux 2.2.19 although it is not
+ * a documented error for accept(). ECONNABORTED has been
+ * reported for Solaris 8. The rest are thrown in not because
+ * we have seen them but because they are ignored by other
+ * deamons such as BIND 8 and Apache.
+ */
+
+ addrlen = sizeof(dev->newsocket->address.type);
+ memset(&dev->newsocket->address.type.sa, 0, addrlen);
+ fd = accept(sock->fd, &dev->newsocket->address.type.sa,
+ (void *)&addrlen);
+
+#ifdef F_DUPFD
+ /*
+ * Leave a space for stdio to work in.
+ */
+ if (fd >= 0 && fd < 20) {
+ int new, tmp;
+ new = fcntl(fd, F_DUPFD, 20);
+ tmp = errno;
+ (void)close(fd);
+ errno = tmp;
+ fd = new;
+ }
+#endif
+
+ if (fd < 0) {
+ if (SOFT_ERROR(errno))
+ goto soft_error;
+ switch (errno) {
+ case ENOBUFS:
+ case ENFILE:
+ case ENOMEM:
+ case ECONNRESET:
+ case ECONNABORTED:
+ case EHOSTUNREACH:
+ case EHOSTDOWN:
+ case ENETUNREACH:
+ case ENETDOWN:
+ case ECONNREFUSED:
+#ifdef EPROTO
+ case EPROTO:
+#endif
+#ifdef ENONET
+ case ENONET:
+#endif
+ goto soft_error;
+ default:
+ break;
+ }
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "internal_accept: accept() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ fd = -1;
+ result = ISC_R_UNEXPECTED;
+ } else {
+ if (addrlen == 0) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "internal_accept(): "
+ "accept() failed to return "
+ "remote address");
+
+ (void)close(fd);
+ goto soft_error;
+ } else if (dev->newsocket->address.type.sa.sa_family !=
+ sock->pf)
+ {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "internal_accept(): "
+ "accept() returned peer address "
+ "family %u (expected %u)",
+ dev->newsocket->address.
+ type.sa.sa_family,
+ sock->pf);
+ (void)close(fd);
+ goto soft_error;
+ } else if (fd >= (int)FD_SETSIZE) {
+ isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+ ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+ isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_TOOMANYFDS,
+ "%s: too many open file descriptors",
+ "accept");
+ (void)close(fd);
+ goto soft_error;
+ }
+ }
+
+ if (fd != -1) {
+ dev->newsocket->address.length = addrlen;
+ dev->newsocket->pf = sock->pf;
+ }
+
+ /*
+ * Pull off the done event.
+ */
+ ISC_LIST_UNLINK(sock->accept_list, dev, ev_link);
+
+ /*
+ * Poke watcher if there are more pending accepts.
+ */
+ if (!ISC_LIST_EMPTY(sock->accept_list))
+ select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
+
+ UNLOCK(&sock->lock);
+
+ if (fd != -1 && (make_nonblock(fd) != ISC_R_SUCCESS)) {
+ (void)close(fd);
+ fd = -1;
+ result = ISC_R_UNEXPECTED;
+ }
+
+ /*
+ * -1 means the new socket didn't happen.
+ */
+ if (fd != -1) {
+ LOCK(&manager->lock);
+ ISC_LIST_APPEND(manager->socklist, dev->newsocket, link);
+
+ dev->newsocket->fd = fd;
+ dev->newsocket->bound = 1;
+ dev->newsocket->connected = 1;
+
+ /*
+ * Save away the remote address
+ */
+ dev->address = dev->newsocket->address;
+
+ manager->fds[fd] = dev->newsocket;
+ manager->fdstate[fd] = MANAGED;
+ if (manager->maxfd < fd)
+ manager->maxfd = fd;
+
+ socket_log(sock, &dev->newsocket->address, CREATION,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
+ "accepted connection, new socket %p",
+ dev->newsocket);
+
+ UNLOCK(&manager->lock);
+ } else {
+ dev->newsocket->references--;
+ free_socket(&dev->newsocket);
+ }
+
+ /*
+ * Fill in the done event details and send it off.
+ */
+ dev->result = result;
+ task = dev->ev_sender;
+ dev->ev_sender = sock;
+
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
+ return;
+
+ soft_error:
+ select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
+ UNLOCK(&sock->lock);
+ return;
+}
+
+static void
+internal_recv(isc_task_t *me, isc_event_t *ev) {
+ isc_socketevent_t *dev;
+ isc_socket_t *sock;
+
+ INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
+
+ sock = ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ socket_log(sock, NULL, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+ "internal_recv: task %p got event %p", me, ev);
+
+ INSIST(sock->pending_recv == 1);
+ sock->pending_recv = 0;
+
+ INSIST(sock->references > 0);
+ sock->references--; /* the internal event is done with this socket */
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ /*
+ * Try to do as much I/O as possible on this socket. There are no
+ * limits here, currently.
+ */
+ dev = ISC_LIST_HEAD(sock->recv_list);
+ while (dev != NULL) {
+ switch (doio_recv(sock, dev)) {
+ case DOIO_SOFT:
+ goto poke;
+
+ case DOIO_EOF:
+ /*
+ * read of 0 means the remote end was closed.
+ * Run through the event queue and dispatch all
+ * the events with an EOF result code.
+ */
+ do {
+ dev->result = ISC_R_EOF;
+ send_recvdone_event(sock, &dev);
+ dev = ISC_LIST_HEAD(sock->recv_list);
+ } while (dev != NULL);
+ goto poke;
+
+ case DOIO_SUCCESS:
+ case DOIO_HARD:
+ send_recvdone_event(sock, &dev);
+ break;
+ }
+
+ dev = ISC_LIST_HEAD(sock->recv_list);
+ }
+
+ poke:
+ if (!ISC_LIST_EMPTY(sock->recv_list))
+ select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+
+ UNLOCK(&sock->lock);
+}
+
+static void
+internal_send(isc_task_t *me, isc_event_t *ev) {
+ isc_socketevent_t *dev;
+ isc_socket_t *sock;
+
+ INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+ /*
+ * Find out what socket this is and lock it.
+ */
+ sock = (isc_socket_t *)ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+ socket_log(sock, NULL, IOEVENT,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+ "internal_send: task %p got event %p", me, ev);
+
+ INSIST(sock->pending_send == 1);
+ sock->pending_send = 0;
+
+ INSIST(sock->references > 0);
+ sock->references--; /* the internal event is done with this socket */
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ /*
+ * Try to do as much I/O as possible on this socket. There are no
+ * limits here, currently.
+ */
+ dev = ISC_LIST_HEAD(sock->send_list);
+ while (dev != NULL) {
+ switch (doio_send(sock, dev)) {
+ case DOIO_SOFT:
+ goto poke;
+
+ case DOIO_HARD:
+ case DOIO_SUCCESS:
+ send_senddone_event(sock, &dev);
+ break;
+ }
+
+ dev = ISC_LIST_HEAD(sock->send_list);
+ }
+
+ poke:
+ if (!ISC_LIST_EMPTY(sock->send_list))
+ select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+ UNLOCK(&sock->lock);
+}
+
+static void
+process_fds(isc_socketmgr_t *manager, int maxfd,
+ fd_set *readfds, fd_set *writefds)
+{
+ int i;
+ isc_socket_t *sock;
+ isc_boolean_t unlock_sock;
+
+ REQUIRE(maxfd <= (int)FD_SETSIZE);
+
+ /*
+ * Process read/writes on other fds here. Avoid locking
+ * and unlocking twice if both reads and writes are possible.
+ */
+ for (i = 0; i < maxfd; i++) {
+#ifdef ISC_PLATFORM_USETHREADS
+ if (i == manager->pipe_fds[0] || i == manager->pipe_fds[1])
+ continue;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ if (manager->fdstate[i] == CLOSE_PENDING) {
+ manager->fdstate[i] = CLOSED;
+ FD_CLR(i, &manager->read_fds);
+ FD_CLR(i, &manager->write_fds);
+
+ (void)close(i);
+
+ continue;
+ }
+
+ sock = manager->fds[i];
+ unlock_sock = ISC_FALSE;
+ if (FD_ISSET(i, readfds)) {
+ if (sock == NULL) {
+ FD_CLR(i, &manager->read_fds);
+ goto check_write;
+ }
+ unlock_sock = ISC_TRUE;
+ LOCK(&sock->lock);
+ if (!SOCK_DEAD(sock)) {
+ if (sock->listener)
+ dispatch_accept(sock);
+ else
+ dispatch_recv(sock);
+ }
+ FD_CLR(i, &manager->read_fds);
+ }
+ check_write:
+ if (FD_ISSET(i, writefds)) {
+ if (sock == NULL) {
+ FD_CLR(i, &manager->write_fds);
+ continue;
+ }
+ if (!unlock_sock) {
+ unlock_sock = ISC_TRUE;
+ LOCK(&sock->lock);
+ }
+ if (!SOCK_DEAD(sock)) {
+ if (sock->connecting)
+ dispatch_connect(sock);
+ else
+ dispatch_send(sock);
+ }
+ FD_CLR(i, &manager->write_fds);
+ }
+ if (unlock_sock)
+ UNLOCK(&sock->lock);
+ }
+}
+
+#ifdef ISC_PLATFORM_USETHREADS
+/*
+ * This is the thread that will loop forever, always in a select or poll
+ * call.
+ *
+ * When select returns something to do, track down what thread gets to do
+ * this I/O and post the event to it.
+ */
+static isc_threadresult_t
+watcher(void *uap) {
+ isc_socketmgr_t *manager = uap;
+ isc_boolean_t done;
+ int ctlfd;
+ int cc;
+ fd_set readfds;
+ fd_set writefds;
+ int msg, fd;
+ int maxfd;
+ char strbuf[ISC_STRERRORSIZE];
+
+ /*
+ * Get the control fd here. This will never change.
+ */
+ LOCK(&manager->lock);
+ ctlfd = manager->pipe_fds[0];
+
+ done = ISC_FALSE;
+ while (!done) {
+ do {
+ readfds = manager->read_fds;
+ writefds = manager->write_fds;
+ maxfd = manager->maxfd + 1;
+
+ UNLOCK(&manager->lock);
+
+ cc = select(maxfd, &readfds, &writefds, NULL, NULL);
+ if (cc < 0) {
+ if (!SOFT_ERROR(errno)) {
+ isc__strerror(errno, strbuf,
+ sizeof(strbuf));
+ FATAL_ERROR(__FILE__, __LINE__,
+ "select() %s: %s",
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED,
+ "failed"),
+ strbuf);
+ }
+ }
+
+ LOCK(&manager->lock);
+ } while (cc < 0);
+
+
+ /*
+ * Process reads on internal, control fd.
+ */
+ if (FD_ISSET(ctlfd, &readfds)) {
+ for (;;) {
+ select_readmsg(manager, &fd, &msg);
+
+ manager_log(manager, IOEVENT,
+ isc_msgcat_get(isc_msgcat,
+ ISC_MSGSET_SOCKET,
+ ISC_MSG_WATCHERMSG,
+ "watcher got message %d"),
+ msg);
+
+ /*
+ * Nothing to read?
+ */
+ if (msg == SELECT_POKE_NOTHING)
+ break;
+
+ /*
+ * Handle shutdown message. We really should
+ * jump out of this loop right away, but
+ * it doesn't matter if we have to do a little
+ * more work first.
+ */
+ if (msg == SELECT_POKE_SHUTDOWN) {
+ done = ISC_TRUE;
+
+ break;
+ }
+
+ /*
+ * This is a wakeup on a socket. Look
+ * at the event queue for both read and write,
+ * and decide if we need to watch on it now
+ * or not.
+ */
+ wakeup_socket(manager, fd, msg);
+ }
+ }
+
+ process_fds(manager, maxfd, &readfds, &writefds);
+ }
+
+ manager_log(manager, TRACE,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_EXITING, "watcher exiting"));
+
+ UNLOCK(&manager->lock);
+ return ((isc_threadresult_t)0);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
+
+/*
+ * Create a new socket manager.
+ */
+isc_result_t
+isc_socketmgr_create(isc_mem_t *mctx, isc_socketmgr_t **managerp) {
+ isc_socketmgr_t *manager;
+#ifdef ISC_PLATFORM_USETHREADS
+ char strbuf[ISC_STRERRORSIZE];
+#endif
+
+ REQUIRE(managerp != NULL && *managerp == NULL);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ if (socketmgr != NULL) {
+ socketmgr->refs++;
+ *managerp = socketmgr;
+ return (ISC_R_SUCCESS);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ manager = isc_mem_get(mctx, sizeof(*manager));
+ if (manager == NULL)
+ return (ISC_R_NOMEMORY);
+
+ manager->magic = SOCKET_MANAGER_MAGIC;
+ manager->mctx = NULL;
+ memset(manager->fds, 0, sizeof(manager->fds));
+ ISC_LIST_INIT(manager->socklist);
+ if (isc_mutex_init(&manager->lock) != ISC_R_SUCCESS) {
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_mutex_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+#ifdef ISC_PLATFORM_USETHREADS
+ if (isc_condition_init(&manager->shutdown_ok) != ISC_R_SUCCESS) {
+ DESTROYLOCK(&manager->lock);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_condition_init() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Create the special fds that will be used to wake up the
+ * select/poll loop when something internal needs to be done.
+ */
+ if (pipe(manager->pipe_fds) != 0) {
+ DESTROYLOCK(&manager->lock);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "pipe() %s: %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"),
+ strbuf);
+
+ return (ISC_R_UNEXPECTED);
+ }
+
+ RUNTIME_CHECK(make_nonblock(manager->pipe_fds[0]) == ISC_R_SUCCESS);
+#if 0
+ RUNTIME_CHECK(make_nonblock(manager->pipe_fds[1]) == ISC_R_SUCCESS);
+#endif
+#else /* ISC_PLATFORM_USETHREADS */
+ manager->refs = 1;
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ /*
+ * Set up initial state for the select loop
+ */
+ FD_ZERO(&manager->read_fds);
+ FD_ZERO(&manager->write_fds);
+#ifdef ISC_PLATFORM_USETHREADS
+ FD_SET(manager->pipe_fds[0], &manager->read_fds);
+ manager->maxfd = manager->pipe_fds[0];
+#else /* ISC_PLATFORM_USETHREADS */
+ manager->maxfd = 0;
+#endif /* ISC_PLATFORM_USETHREADS */
+ memset(manager->fdstate, 0, sizeof(manager->fdstate));
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Start up the select/poll thread.
+ */
+ if (isc_thread_create(watcher, manager, &manager->watcher) !=
+ ISC_R_SUCCESS) {
+ (void)close(manager->pipe_fds[0]);
+ (void)close(manager->pipe_fds[1]);
+ DESTROYLOCK(&manager->lock);
+ isc_mem_put(mctx, manager, sizeof(*manager));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_thread_create() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ return (ISC_R_UNEXPECTED);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+ isc_mem_attach(mctx, &manager->mctx);
+
+#ifndef ISC_PLATFORM_USETHREADS
+ socketmgr = manager;
+#endif /* ISC_PLATFORM_USETHREADS */
+ *managerp = manager;
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
+ isc_socketmgr_t *manager;
+ int i;
+ isc_mem_t *mctx;
+
+ /*
+ * Destroy a socket manager.
+ */
+
+ REQUIRE(managerp != NULL);
+ manager = *managerp;
+ REQUIRE(VALID_MANAGER(manager));
+
+#ifndef ISC_PLATFORM_USETHREADS
+ if (manager->refs > 1) {
+ manager->refs--;
+ *managerp = NULL;
+ return;
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ LOCK(&manager->lock);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Wait for all sockets to be destroyed.
+ */
+ while (!ISC_LIST_EMPTY(manager->socklist)) {
+ manager_log(manager, CREATION,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_SOCKETSREMAIN,
+ "sockets exist"));
+ WAIT(&manager->shutdown_ok, &manager->lock);
+ }
+#else /* ISC_PLATFORM_USETHREADS */
+ /*
+ * Hope all sockets have been destroyed.
+ */
+ if (!ISC_LIST_EMPTY(manager->socklist)) {
+ manager_log(manager, CREATION,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_SOCKETSREMAIN,
+ "sockets exist"));
+ INSIST(0);
+ }
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ UNLOCK(&manager->lock);
+
+ /*
+ * Here, poke our select/poll thread. Do this by closing the write
+ * half of the pipe, which will send EOF to the read half.
+ * This is currently a no-op in the non-threaded case.
+ */
+ select_poke(manager, 0, SELECT_POKE_SHUTDOWN);
+
+#ifdef ISC_PLATFORM_USETHREADS
+ /*
+ * Wait for thread to exit.
+ */
+ if (isc_thread_join(manager->watcher, NULL) != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_thread_join() %s",
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ /*
+ * Clean up.
+ */
+#ifdef ISC_PLATFORM_USETHREADS
+ (void)close(manager->pipe_fds[0]);
+ (void)close(manager->pipe_fds[1]);
+ (void)isc_condition_destroy(&manager->shutdown_ok);
+#endif /* ISC_PLATFORM_USETHREADS */
+
+ for (i = 0; i < (int)FD_SETSIZE; i++)
+ if (manager->fdstate[i] == CLOSE_PENDING)
+ (void)close(i);
+
+ DESTROYLOCK(&manager->lock);
+ manager->magic = 0;
+ mctx= manager->mctx;
+ isc_mem_put(mctx, manager, sizeof(*manager));
+
+ isc_mem_detach(&mctx);
+
+ *managerp = NULL;
+}
+
+static isc_result_t
+socket_recv(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+ unsigned int flags)
+{
+ int io_state;
+ isc_boolean_t have_lock = ISC_FALSE;
+ isc_task_t *ntask = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ dev->ev_sender = task;
+
+ if (sock->type == isc_sockettype_udp) {
+ io_state = doio_recv(sock, dev);
+ } else {
+ LOCK(&sock->lock);
+ have_lock = ISC_TRUE;
+
+ if (ISC_LIST_EMPTY(sock->recv_list))
+ io_state = doio_recv(sock, dev);
+ else
+ io_state = DOIO_SOFT;
+ }
+
+ switch (io_state) {
+ case DOIO_SOFT:
+ /*
+ * We couldn't read all or part of the request right now, so
+ * queue it.
+ *
+ * Attach to socket and to task
+ */
+ isc_task_attach(task, &ntask);
+ dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+ if (!have_lock) {
+ LOCK(&sock->lock);
+ have_lock = ISC_TRUE;
+ }
+
+ /*
+ * Enqueue the request. If the socket was previously not being
+ * watched, poke the watcher to start paying attention to it.
+ */
+ if (ISC_LIST_EMPTY(sock->recv_list))
+ select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+ ISC_LIST_ENQUEUE(sock->recv_list, dev, ev_link);
+
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "socket_recv: event %p -> task %p",
+ dev, ntask);
+
+ if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+ result = ISC_R_INPROGRESS;
+ break;
+
+ case DOIO_EOF:
+ dev->result = ISC_R_EOF;
+ /* fallthrough */
+
+ case DOIO_HARD:
+ case DOIO_SUCCESS:
+ if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
+ send_recvdone_event(sock, &dev);
+ break;
+ }
+
+ if (have_lock)
+ UNLOCK(&sock->lock);
+
+ return (result);
+}
+
+isc_result_t
+isc_socket_recvv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ unsigned int minimum, isc_task_t *task,
+ isc_taskaction_t action, const void *arg)
+{
+ isc_socketevent_t *dev;
+ isc_socketmgr_t *manager;
+ unsigned int iocount;
+ isc_buffer_t *buffer;
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(buflist != NULL);
+ REQUIRE(!ISC_LIST_EMPTY(*buflist));
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+
+ iocount = isc_bufferlist_availablecount(buflist);
+ REQUIRE(iocount > 0);
+
+ INSIST(sock->bound);
+
+ dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
+ if (dev == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+
+ /*
+ * UDP sockets are always partial read
+ */
+ if (sock->type == isc_sockettype_udp)
+ dev->minimum = 1;
+ else {
+ if (minimum == 0)
+ dev->minimum = iocount;
+ else
+ dev->minimum = minimum;
+ }
+
+ /*
+ * Move each buffer from the passed in list to our internal one.
+ */
+ buffer = ISC_LIST_HEAD(*buflist);
+ while (buffer != NULL) {
+ ISC_LIST_DEQUEUE(*buflist, buffer, link);
+ ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+ buffer = ISC_LIST_HEAD(*buflist);
+ }
+
+ return (socket_recv(sock, dev, task, 0));
+}
+
+isc_result_t
+isc_socket_recv(isc_socket_t *sock, isc_region_t *region, unsigned int minimum,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ isc_socketevent_t *dev;
+ isc_socketmgr_t *manager;
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(action != NULL);
+
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+
+ INSIST(sock->bound);
+
+ dev = allocate_socketevent(sock, ISC_SOCKEVENT_RECVDONE, action, arg);
+ if (dev == NULL)
+ return (ISC_R_NOMEMORY);
+
+ return (isc_socket_recv2(sock, region, minimum, task, dev, 0));
+}
+
+isc_result_t
+isc_socket_recv2(isc_socket_t *sock, isc_region_t *region,
+ unsigned int minimum, isc_task_t *task,
+ isc_socketevent_t *event, unsigned int flags)
+{
+ event->ev_sender = sock;
+ event->result = ISC_R_UNEXPECTED;
+ ISC_LIST_INIT(event->bufferlist);
+ event->region = *region;
+ event->n = 0;
+ event->offset = 0;
+ event->attributes = 0;
+
+ /*
+ * UDP sockets are always partial read.
+ */
+ if (sock->type == isc_sockettype_udp)
+ event->minimum = 1;
+ else {
+ if (minimum == 0)
+ event->minimum = region->length;
+ else
+ event->minimum = minimum;
+ }
+
+ return (socket_recv(sock, event, task, flags));
+}
+
+static isc_result_t
+socket_send(isc_socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ unsigned int flags)
+{
+ int io_state;
+ isc_boolean_t have_lock = ISC_FALSE;
+ isc_task_t *ntask = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+
+ dev->ev_sender = task;
+
+ set_dev_address(address, sock, dev);
+ if (pktinfo != NULL) {
+ dev->attributes |= ISC_SOCKEVENTATTR_PKTINFO;
+ dev->pktinfo = *pktinfo;
+
+ if (!isc_sockaddr_issitelocal(address) &&
+ !isc_sockaddr_islinklocal(address)) {
+ socket_log(sock, NULL, TRACE, isc_msgcat,
+ ISC_MSGSET_SOCKET, ISC_MSG_PKTINFOPROVIDED,
+ "pktinfo structure provided, ifindex %u "
+ "(set to 0)", pktinfo->ipi6_ifindex);
+
+ /*
+ * Set the pktinfo index to 0 here, to let the
+ * kernel decide what interface it should send on.
+ */
+ dev->pktinfo.ipi6_ifindex = 0;
+ }
+ }
+
+ if (sock->type == isc_sockettype_udp)
+ io_state = doio_send(sock, dev);
+ else {
+ LOCK(&sock->lock);
+ have_lock = ISC_TRUE;
+
+ if (ISC_LIST_EMPTY(sock->send_list))
+ io_state = doio_send(sock, dev);
+ else
+ io_state = DOIO_SOFT;
+ }
+
+ switch (io_state) {
+ case DOIO_SOFT:
+ /*
+ * We couldn't send all or part of the request right now, so
+ * queue it unless ISC_SOCKFLAG_NORETRY is set.
+ */
+ if ((flags & ISC_SOCKFLAG_NORETRY) == 0) {
+ isc_task_attach(task, &ntask);
+ dev->attributes |= ISC_SOCKEVENTATTR_ATTACHED;
+
+ if (!have_lock) {
+ LOCK(&sock->lock);
+ have_lock = ISC_TRUE;
+ }
+
+ /*
+ * Enqueue the request. If the socket was previously
+ * not being watched, poke the watcher to start
+ * paying attention to it.
+ */
+ if (ISC_LIST_EMPTY(sock->send_list))
+ select_poke(sock->manager, sock->fd,
+ SELECT_POKE_WRITE);
+ ISC_LIST_ENQUEUE(sock->send_list, dev, ev_link);
+
+ socket_log(sock, NULL, EVENT, NULL, 0, 0,
+ "socket_send: event %p -> task %p",
+ dev, ntask);
+
+ if ((flags & ISC_SOCKFLAG_IMMEDIATE) != 0)
+ result = ISC_R_INPROGRESS;
+ break;
+ }
+
+ case DOIO_HARD:
+ case DOIO_SUCCESS:
+ if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
+ send_senddone_event(sock, &dev);
+ break;
+ }
+
+ if (have_lock)
+ UNLOCK(&sock->lock);
+
+ return (result);
+}
+
+isc_result_t
+isc_socket_send(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ /*
+ * REQUIRE() checking is performed in isc_socket_sendto().
+ */
+ return (isc_socket_sendto(sock, region, task, action, arg, NULL,
+ NULL));
+}
+
+isc_result_t
+isc_socket_sendto(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+ isc_socketevent_t *dev;
+ isc_socketmgr_t *manager;
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(region != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+
+ INSIST(sock->bound);
+
+ dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
+ if (dev == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+
+ dev->region = *region;
+
+ return (socket_send(sock, dev, task, address, pktinfo, 0));
+}
+
+isc_result_t
+isc_socket_sendv(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ return (isc_socket_sendtov(sock, buflist, task, action, arg, NULL,
+ NULL));
+}
+
+isc_result_t
+isc_socket_sendtov(isc_socket_t *sock, isc_bufferlist_t *buflist,
+ isc_task_t *task, isc_taskaction_t action, const void *arg,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo)
+{
+ isc_socketevent_t *dev;
+ isc_socketmgr_t *manager;
+ unsigned int iocount;
+ isc_buffer_t *buffer;
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(buflist != NULL);
+ REQUIRE(!ISC_LIST_EMPTY(*buflist));
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+
+ iocount = isc_bufferlist_usedcount(buflist);
+ REQUIRE(iocount > 0);
+
+ dev = allocate_socketevent(sock, ISC_SOCKEVENT_SENDDONE, action, arg);
+ if (dev == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
+
+ /*
+ * Move each buffer from the passed in list to our internal one.
+ */
+ buffer = ISC_LIST_HEAD(*buflist);
+ while (buffer != NULL) {
+ ISC_LIST_DEQUEUE(*buflist, buffer, link);
+ ISC_LIST_ENQUEUE(dev->bufferlist, buffer, link);
+ buffer = ISC_LIST_HEAD(*buflist);
+ }
+
+ return (socket_send(sock, dev, task, address, pktinfo, 0));
+}
+
+isc_result_t
+isc_socket_sendto2(isc_socket_t *sock, isc_region_t *region,
+ isc_task_t *task,
+ isc_sockaddr_t *address, struct in6_pktinfo *pktinfo,
+ isc_socketevent_t *event, unsigned int flags)
+{
+ REQUIRE((flags & ~(ISC_SOCKFLAG_IMMEDIATE|ISC_SOCKFLAG_NORETRY)) == 0);
+ if ((flags & ISC_SOCKFLAG_NORETRY) != 0)
+ REQUIRE(sock->type == isc_sockettype_udp);
+ event->ev_sender = sock;
+ event->result = ISC_R_UNEXPECTED;
+ ISC_LIST_INIT(event->bufferlist);
+ event->region = *region;
+ event->n = 0;
+ event->offset = 0;
+ event->attributes = 0;
+
+ return (socket_send(sock, event, task, address, pktinfo, flags));
+}
+
+isc_result_t
+isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
+ char strbuf[ISC_STRERRORSIZE];
+ int on = 1;
+
+ LOCK(&sock->lock);
+
+ INSIST(!sock->bound);
+
+ if (sock->pf != sockaddr->type.sa.sa_family) {
+ UNLOCK(&sock->lock);
+ return (ISC_R_FAMILYMISMATCH);
+ }
+ /*
+ * Only set SO_REUSEADDR when we want a specific port.
+ */
+ if (isc_sockaddr_getport(sockaddr) != (in_port_t)0 &&
+ setsockopt(sock->fd, SOL_SOCKET, SO_REUSEADDR, (void *)&on,
+ sizeof(on)) < 0) {
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "setsockopt(%d) %s", sock->fd,
+ isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+ ISC_MSG_FAILED, "failed"));
+ /* Press on... */
+ }
+ if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+ UNLOCK(&sock->lock);
+ switch (errno) {
+ case EACCES:
+ return (ISC_R_NOPERM);
+ case EADDRNOTAVAIL:
+ return (ISC_R_ADDRNOTAVAIL);
+ case EADDRINUSE:
+ return (ISC_R_ADDRINUSE);
+ case EINVAL:
+ return (ISC_R_BOUND);
+ default:
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "bind: %s",
+ strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+ }
+
+ socket_log(sock, sockaddr, TRACE,
+ isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_BOUND, "bound");
+ sock->bound = 1;
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_filter(isc_socket_t *sock, const char *filter) {
+#ifdef SO_ACCEPTFILTER
+ char strbuf[ISC_STRERRORSIZE];
+ struct accept_filter_arg afa;
+#else
+ UNUSED(sock);
+ UNUSED(filter);
+#endif
+
+ REQUIRE(VALID_SOCKET(sock));
+
+#ifdef SO_ACCEPTFILTER
+ bzero(&afa, sizeof(afa));
+ strncpy(afa.af_name, filter, sizeof(afa.af_name));
+ if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
+ &afa, sizeof(afa)) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+ ISC_MSG_FILTER, "setsockopt(SO_ACCEPTFILTER): %s",
+ strbuf);
+ return (ISC_R_FAILURE);
+ }
+ return (ISC_R_SUCCESS);
+#else
+ return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+/*
+ * Set up to listen on a given socket. We do this by creating an internal
+ * event that will be dispatched when the socket has read activity. The
+ * watcher will send the internal event to the task when there is a new
+ * connection.
+ *
+ * Unlike in read, we don't preallocate a done event here. Every time there
+ * is a new connection we'll have to allocate a new one anyway, so we might
+ * as well keep things simple rather than having to track them.
+ */
+isc_result_t
+isc_socket_listen(isc_socket_t *sock, unsigned int backlog) {
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+
+ REQUIRE(!sock->listener);
+ REQUIRE(sock->bound);
+ REQUIRE(sock->type == isc_sockettype_tcp);
+
+ if (backlog == 0)
+ backlog = SOMAXCONN;
+
+ if (listen(sock->fd, (int)backlog) < 0) {
+ UNLOCK(&sock->lock);
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "listen: %s", strbuf);
+
+ return (ISC_R_UNEXPECTED);
+ }
+
+ sock->listener = 1;
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * This should try to do agressive accept() XXXMLG
+ */
+isc_result_t
+isc_socket_accept(isc_socket_t *sock,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ isc_socket_newconnev_t *dev;
+ isc_socketmgr_t *manager;
+ isc_task_t *ntask = NULL;
+ isc_socket_t *nsock;
+ isc_result_t ret;
+ isc_boolean_t do_poke = ISC_FALSE;
+
+ REQUIRE(VALID_SOCKET(sock));
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+
+ LOCK(&sock->lock);
+
+ REQUIRE(sock->listener);
+
+ /*
+ * Sender field is overloaded here with the task we will be sending
+ * this event to. Just before the actual event is delivered the
+ * actual ev_sender will be touched up to be the socket.
+ */
+ dev = (isc_socket_newconnev_t *)
+ isc_event_allocate(manager->mctx, task, ISC_SOCKEVENT_NEWCONN,
+ action, arg, sizeof(*dev));
+ if (dev == NULL) {
+ UNLOCK(&sock->lock);
+ return (ISC_R_NOMEMORY);
+ }
+ ISC_LINK_INIT(dev, ev_link);
+
+ ret = allocate_socket(manager, sock->type, &nsock);
+ if (ret != ISC_R_SUCCESS) {
+ isc_event_free(ISC_EVENT_PTR(&dev));
+ UNLOCK(&sock->lock);
+ return (ret);
+ }
+
+ /*
+ * Attach to socket and to task.
+ */
+ isc_task_attach(task, &ntask);
+ nsock->references++;
+
+ dev->ev_sender = ntask;
+ dev->newsocket = nsock;
+
+ /*
+ * Poke watcher here. We still have the socket locked, so there
+ * is no race condition. We will keep the lock for such a short
+ * bit of time waking it up now or later won't matter all that much.
+ */
+ if (ISC_LIST_EMPTY(sock->accept_list))
+ do_poke = ISC_TRUE;
+
+ ISC_LIST_ENQUEUE(sock->accept_list, dev, ev_link);
+
+ if (do_poke)
+ select_poke(manager, sock->fd, SELECT_POKE_ACCEPT);
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
+ isc_task_t *task, isc_taskaction_t action, const void *arg)
+{
+ isc_socket_connev_t *dev;
+ isc_task_t *ntask = NULL;
+ isc_socketmgr_t *manager;
+ int cc;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(addr != NULL);
+ REQUIRE(task != NULL);
+ REQUIRE(action != NULL);
+
+ manager = sock->manager;
+ REQUIRE(VALID_MANAGER(manager));
+ REQUIRE(addr != NULL);
+
+ if (isc_sockaddr_ismulticast(addr))
+ return (ISC_R_MULTICAST);
+
+ LOCK(&sock->lock);
+
+ REQUIRE(!sock->connecting);
+
+ dev = (isc_socket_connev_t *)isc_event_allocate(manager->mctx, sock,
+ ISC_SOCKEVENT_CONNECT,
+ action, arg,
+ sizeof(*dev));
+ if (dev == NULL) {
+ UNLOCK(&sock->lock);
+ return (ISC_R_NOMEMORY);
+ }
+ ISC_LINK_INIT(dev, ev_link);
+
+ /*
+ * Try to do the connect right away, as there can be only one
+ * outstanding, and it might happen to complete.
+ */
+ sock->address = *addr;
+ cc = connect(sock->fd, &addr->type.sa, addr->length);
+ if (cc < 0) {
+ if (SOFT_ERROR(errno) || errno == EINPROGRESS)
+ goto queue;
+
+ switch (errno) {
+#define ERROR_MATCH(a, b) case a: dev->result = b; goto err_exit;
+ ERROR_MATCH(EACCES, ISC_R_NOPERM);
+ ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+ ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+ ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+ ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+ ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+ ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+ ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+ ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+ ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+#undef ERROR_MATCH
+ }
+
+ sock->connected = 0;
+
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf);
+
+ UNLOCK(&sock->lock);
+ isc_event_free(ISC_EVENT_PTR(&dev));
+ return (ISC_R_UNEXPECTED);
+
+ err_exit:
+ sock->connected = 0;
+ isc_task_send(task, ISC_EVENT_PTR(&dev));
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+ }
+
+ /*
+ * If connect completed, fire off the done event.
+ */
+ if (cc == 0) {
+ sock->connected = 1;
+ sock->bound = 1;
+ dev->result = ISC_R_SUCCESS;
+ isc_task_send(task, ISC_EVENT_PTR(&dev));
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+ }
+
+ queue:
+
+ /*
+ * Attach to task.
+ */
+ isc_task_attach(task, &ntask);
+
+ sock->connecting = 1;
+
+ dev->ev_sender = ntask;
+
+ /*
+ * Poke watcher here. We still have the socket locked, so there
+ * is no race condition. We will keep the lock for such a short
+ * bit of time waking it up now or later won't matter all that much.
+ */
+ if (sock->connect_ev == NULL)
+ select_poke(manager, sock->fd, SELECT_POKE_CONNECT);
+
+ sock->connect_ev = dev;
+
+ UNLOCK(&sock->lock);
+ return (ISC_R_SUCCESS);
+}
+
+/*
+ * Called when a socket with a pending connect() finishes.
+ */
+static void
+internal_connect(isc_task_t *me, isc_event_t *ev) {
+ isc_socket_t *sock;
+ isc_socket_connev_t *dev;
+ isc_task_t *task;
+ int cc;
+ ISC_SOCKADDR_LEN_T optlen;
+ char strbuf[ISC_STRERRORSIZE];
+
+ UNUSED(me);
+ INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+ sock = ev->ev_sender;
+ INSIST(VALID_SOCKET(sock));
+
+ LOCK(&sock->lock);
+
+ /*
+ * When the internal event was sent the reference count was bumped
+ * to keep the socket around for us. Decrement the count here.
+ */
+ INSIST(sock->references > 0);
+ sock->references--;
+ if (sock->references == 0) {
+ UNLOCK(&sock->lock);
+ destroy(&sock);
+ return;
+ }
+
+ /*
+ * Has this event been canceled?
+ */
+ dev = sock->connect_ev;
+ if (dev == NULL) {
+ INSIST(!sock->connecting);
+ UNLOCK(&sock->lock);
+ return;
+ }
+
+ INSIST(sock->connecting);
+ sock->connecting = 0;
+
+ /*
+ * Get any possible error status here.
+ */
+ optlen = sizeof(cc);
+ if (getsockopt(sock->fd, SOL_SOCKET, SO_ERROR,
+ (void *)&cc, (void *)&optlen) < 0)
+ cc = errno;
+ else
+ errno = cc;
+
+ if (errno != 0) {
+ /*
+ * If the error is EAGAIN, just re-select on this
+ * fd and pretend nothing strange happened.
+ */
+ if (SOFT_ERROR(errno) || errno == EINPROGRESS) {
+ sock->connecting = 1;
+ select_poke(sock->manager, sock->fd,
+ SELECT_POKE_CONNECT);
+ UNLOCK(&sock->lock);
+
+ return;
+ }
+
+ /*
+ * Translate other errors into ISC_R_* flavors.
+ */
+ switch (errno) {
+#define ERROR_MATCH(a, b) case a: dev->result = b; break;
+ ERROR_MATCH(EACCES, ISC_R_NOPERM);
+ ERROR_MATCH(EADDRNOTAVAIL, ISC_R_ADDRNOTAVAIL);
+ ERROR_MATCH(EAFNOSUPPORT, ISC_R_ADDRNOTAVAIL);
+ ERROR_MATCH(ECONNREFUSED, ISC_R_CONNREFUSED);
+ ERROR_MATCH(EHOSTUNREACH, ISC_R_HOSTUNREACH);
+#ifdef EHOSTDOWN
+ ERROR_MATCH(EHOSTDOWN, ISC_R_HOSTUNREACH);
+#endif
+ ERROR_MATCH(ENETUNREACH, ISC_R_NETUNREACH);
+ ERROR_MATCH(ENOBUFS, ISC_R_NORESOURCES);
+ ERROR_MATCH(EPERM, ISC_R_HOSTUNREACH);
+ ERROR_MATCH(EPIPE, ISC_R_NOTCONNECTED);
+ ERROR_MATCH(ETIMEDOUT, ISC_R_TIMEDOUT);
+#undef ERROR_MATCH
+ default:
+ dev->result = ISC_R_UNEXPECTED;
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "internal_connect: connect() %s",
+ strbuf);
+ }
+ } else {
+ dev->result = ISC_R_SUCCESS;
+ sock->connected = 1;
+ sock->bound = 1;
+ }
+
+ sock->connect_ev = NULL;
+
+ UNLOCK(&sock->lock);
+
+ task = dev->ev_sender;
+ dev->ev_sender = sock;
+ isc_task_sendanddetach(&task, ISC_EVENT_PTR(&dev));
+}
+
+isc_result_t
+isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ isc_result_t ret;
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(addressp != NULL);
+
+ LOCK(&sock->lock);
+
+ if (sock->connected) {
+ *addressp = sock->address;
+ ret = ISC_R_SUCCESS;
+ } else {
+ ret = ISC_R_NOTCONNECTED;
+ }
+
+ UNLOCK(&sock->lock);
+
+ return (ret);
+}
+
+isc_result_t
+isc_socket_getsockname(isc_socket_t *sock, isc_sockaddr_t *addressp) {
+ ISC_SOCKADDR_LEN_T len;
+ isc_result_t ret;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(VALID_SOCKET(sock));
+ REQUIRE(addressp != NULL);
+
+ LOCK(&sock->lock);
+
+ if (!sock->bound) {
+ ret = ISC_R_NOTBOUND;
+ goto out;
+ }
+
+ ret = ISC_R_SUCCESS;
+
+ len = sizeof(addressp->type);
+ if (getsockname(sock->fd, &addressp->type.sa, (void *)&len) < 0) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "getsockname: %s",
+ strbuf);
+ ret = ISC_R_UNEXPECTED;
+ goto out;
+ }
+ addressp->length = (unsigned int)len;
+
+ out:
+ UNLOCK(&sock->lock);
+
+ return (ret);
+}
+
+/*
+ * Run through the list of events on this socket, and cancel the ones
+ * queued for task "task" of type "how". "how" is a bitmask.
+ */
+void
+isc_socket_cancel(isc_socket_t *sock, isc_task_t *task, unsigned int how) {
+
+ REQUIRE(VALID_SOCKET(sock));
+
+ /*
+ * Quick exit if there is nothing to do. Don't even bother locking
+ * in this case.
+ */
+ if (how == 0)
+ return;
+
+ LOCK(&sock->lock);
+
+ /*
+ * All of these do the same thing, more or less.
+ * Each will:
+ * o If the internal event is marked as "posted" try to
+ * remove it from the task's queue. If this fails, mark it
+ * as canceled instead, and let the task clean it up later.
+ * o For each I/O request for that task of that type, post
+ * its done event with status of "ISC_R_CANCELED".
+ * o Reset any state needed.
+ */
+ if (((how & ISC_SOCKCANCEL_RECV) == ISC_SOCKCANCEL_RECV)
+ && !ISC_LIST_EMPTY(sock->recv_list)) {
+ isc_socketevent_t *dev;
+ isc_socketevent_t *next;
+ isc_task_t *current_task;
+
+ dev = ISC_LIST_HEAD(sock->recv_list);
+
+ while (dev != NULL) {
+ current_task = dev->ev_sender;
+ next = ISC_LIST_NEXT(dev, ev_link);
+
+ if ((task == NULL) || (task == current_task)) {
+ dev->result = ISC_R_CANCELED;
+ send_recvdone_event(sock, &dev);
+ }
+ dev = next;
+ }
+ }
+
+ if (((how & ISC_SOCKCANCEL_SEND) == ISC_SOCKCANCEL_SEND)
+ && !ISC_LIST_EMPTY(sock->send_list)) {
+ isc_socketevent_t *dev;
+ isc_socketevent_t *next;
+ isc_task_t *current_task;
+
+ dev = ISC_LIST_HEAD(sock->send_list);
+
+ while (dev != NULL) {
+ current_task = dev->ev_sender;
+ next = ISC_LIST_NEXT(dev, ev_link);
+
+ if ((task == NULL) || (task == current_task)) {
+ dev->result = ISC_R_CANCELED;
+ send_senddone_event(sock, &dev);
+ }
+ dev = next;
+ }
+ }
+
+ if (((how & ISC_SOCKCANCEL_ACCEPT) == ISC_SOCKCANCEL_ACCEPT)
+ && !ISC_LIST_EMPTY(sock->accept_list)) {
+ isc_socket_newconnev_t *dev;
+ isc_socket_newconnev_t *next;
+ isc_task_t *current_task;
+
+ dev = ISC_LIST_HEAD(sock->accept_list);
+ while (dev != NULL) {
+ current_task = dev->ev_sender;
+ next = ISC_LIST_NEXT(dev, ev_link);
+
+ if ((task == NULL) || (task == current_task)) {
+
+ ISC_LIST_UNLINK(sock->accept_list, dev,
+ ev_link);
+
+ dev->newsocket->references--;
+ free_socket(&dev->newsocket);
+
+ dev->result = ISC_R_CANCELED;
+ dev->ev_sender = sock;
+ isc_task_sendanddetach(&current_task,
+ ISC_EVENT_PTR(&dev));
+ }
+
+ dev = next;
+ }
+ }
+
+ /*
+ * Connecting is not a list.
+ */
+ if (((how & ISC_SOCKCANCEL_CONNECT) == ISC_SOCKCANCEL_CONNECT)
+ && sock->connect_ev != NULL) {
+ isc_socket_connev_t *dev;
+ isc_task_t *current_task;
+
+ INSIST(sock->connecting);
+ sock->connecting = 0;
+
+ dev = sock->connect_ev;
+ current_task = dev->ev_sender;
+
+ if ((task == NULL) || (task == current_task)) {
+ sock->connect_ev = NULL;
+
+ dev->result = ISC_R_CANCELED;
+ dev->ev_sender = sock;
+ isc_task_sendanddetach(&current_task,
+ ISC_EVENT_PTR(&dev));
+ }
+ }
+
+ UNLOCK(&sock->lock);
+}
+
+isc_sockettype_t
+isc_socket_gettype(isc_socket_t *sock) {
+ REQUIRE(VALID_SOCKET(sock));
+
+ return (sock->type);
+}
+
+isc_boolean_t
+isc_socket_isbound(isc_socket_t *sock) {
+ isc_boolean_t val;
+
+ LOCK(&sock->lock);
+ val = ((sock->bound) ? ISC_TRUE : ISC_FALSE);
+ UNLOCK(&sock->lock);
+
+ return (val);
+}
+
+void
+isc_socket_ipv6only(isc_socket_t *sock, isc_boolean_t yes) {
+#if defined(IPV6_V6ONLY)
+ int onoff = yes ? 1 : 0;
+#else
+ UNUSED(yes);
+ UNUSED(sock);
+#endif
+
+ REQUIRE(VALID_SOCKET(sock));
+
+#ifdef IPV6_V6ONLY
+ if (sock->pf == AF_INET6) {
+ (void)setsockopt(sock->fd, IPPROTO_IPV6, IPV6_V6ONLY,
+ (void *)&onoff, sizeof(onoff));
+ }
+#endif
+}
+
+#ifndef ISC_PLATFORM_USETHREADS
+void
+isc__socketmgr_getfdsets(fd_set *readset, fd_set *writeset, int *maxfd) {
+ if (socketmgr == NULL)
+ *maxfd = 0;
+ else {
+ *readset = socketmgr->read_fds;
+ *writeset = socketmgr->write_fds;
+ *maxfd = socketmgr->maxfd + 1;
+ }
+}
+
+isc_result_t
+isc__socketmgr_dispatch(fd_set *readset, fd_set *writeset, int maxfd) {
+ isc_socketmgr_t *manager = socketmgr;
+
+ if (manager == NULL)
+ return (ISC_R_NOTFOUND);
+
+ process_fds(manager, maxfd, readset, writeset);
+ return (ISC_R_SUCCESS);
+}
+#endif /* ISC_PLATFORM_USETHREADS */
diff --git a/contrib/bind9/lib/isc/unix/socket_p.h b/contrib/bind9/lib/isc/unix/socket_p.h
new file mode 100644
index 0000000..f430bf2
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/socket_p.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: socket_p.h,v 1.6.206.1 2004/03/06 08:15:02 marka Exp $ */
+
+#ifndef ISC_SOCKET_P_H
+#define ISC_SOCKET_P_H
+
+#ifdef ISC_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+void
+isc__socketmgr_getfdsets(fd_set *readset, fd_set *writeset, int *maxfd);
+
+isc_result_t
+isc__socketmgr_dispatch(fd_set *readset, fd_set *writeset, int maxfd);
+
+#endif /* ISC_SOCKET_P_H */
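Review bot: The prototype for isc__socketmgr_getfdsets() in socket_p.h has no contract comment, and it needs one. In the socket.c section of this commit, the function stores only `*maxfd = 0` when no manager exists and leaves `*readset` and `*writeset` unwritten, so a caller that then uses the sets (FD_SET on them, or FD_ISSET after select) works on uninitialized memory unless it cleared them first. I would add above the prototype `/* Copies the manager's read/write fd sets and stores maxfd + 1 in *maxfd; with no manager only *maxfd is set (to 0) and the sets are left untouched. */`. The same comment should say that socket.c defines both functions only under `#ifndef ISC_PLATFORM_USETHREADS`, although this header declares them unconditionally. The header also uses isc_result_t and tests ISC_PLATFORM_NEEDSYSSELECTH without including anything that defines them, so it presumably depends on the includer's include order.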
diff --git a/contrib/bind9/lib/isc/unix/stdio.c b/contrib/bind9/lib/isc/unix/stdio.c
new file mode 100644
index 0000000..794164e
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/stdio.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stdio.c,v 1.5.206.1 2004/03/06 08:15:02 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include <isc/stdio.h>
+
+#include "errno2result.h"
+
+isc_result_t
+isc_stdio_open(const char *filename, const char *mode, FILE **fp) {
+ FILE *f;
+
+ f = fopen(filename, mode);
+ if (f == NULL)
+ return (isc__errno2result(errno));
+ *fp = f;
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_stdio_close(FILE *f) {
+ int r;
+
+ r = fclose(f);
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_seek(FILE *f, long offset, int whence) {
+ int r;
+
+ r = fseek(f, offset, whence);
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_read(void *ptr, size_t size, size_t nmemb, FILE *f, size_t *nret) {
+ isc_result_t result = ISC_R_SUCCESS;
+ size_t r;
+
+ clearerr(f);
+ r = fread(ptr, size, nmemb, f);
+ if (r != nmemb) {
+ if (feof(f))
+ result = ISC_R_EOF;
+ else
+ result = isc__errno2result(errno);
+ }
+ if (nret != NULL)
+ *nret = r;
+ return (result);
+}
+
+isc_result_t
+isc_stdio_write(const void *ptr, size_t size, size_t nmemb, FILE *f,
+ size_t *nret)
+{
+ isc_result_t result = ISC_R_SUCCESS;
+ size_t r;
+
+ clearerr(f);
+ r = fwrite(ptr, size, nmemb, f);
+ if (r != nmemb)
+ result = isc__errno2result(errno);
+ if (nret != NULL)
+ *nret = r;
+ return (result);
+}
+
+isc_result_t
+isc_stdio_flush(FILE *f) {
+ int r;
+
+ r = fflush(f);
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
+isc_result_t
+isc_stdio_sync(FILE *f) {
+ int r;
+
+ r = fsync(fileno(f));
+ if (r == 0)
+ return (ISC_R_SUCCESS);
+ else
+ return (isc__errno2result(errno));
+}
+
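Review bot: isc_stdio_sync calls `fsync(fileno(f))` without flushing the stdio buffer, so data still held in the FILE buffer is not on disk when it returns ISC_R_SUCCESS. Either flush first with `if (fflush(f) != 0) return (isc__errno2result(errno));` ahead of the fsync, or state the precondition in a comment such as `/* Caller must isc_stdio_flush(f) first; only data already written to the descriptor is synced. */`. Which one is right depends on how callers outside this hunk use it, so the comment is the safer minimum.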
diff --git a/contrib/bind9/lib/isc/unix/stdtime.c b/contrib/bind9/lib/isc/unix/stdtime.c
new file mode 100644
index 0000000..8946a60
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/stdtime.c
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stdtime.c,v 1.11.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h> /* NULL */
+#include <syslog.h>
+
+#include <sys/time.h>
+
+#include <isc/stdtime.h>
+#include <isc/util.h>
+
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
+
+#define US_PER_S 1000000
+
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+ isc_boolean_t fixed = ISC_FALSE;
+
+ if (tv->tv_usec < 0) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec -= 1;
+ tv->tv_usec += US_PER_S;
+ } while (tv->tv_usec < 0);
+ } else if (tv->tv_usec >= US_PER_S) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec += 1;
+ tv->tv_usec -= US_PER_S;
+ } while (tv->tv_usec >=US_PER_S);
+ }
+ /*
+ * Call syslog directly as we are called from the logging functions.
+ */
+ if (fixed)
+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
+
+void
+isc_stdtime_get(isc_stdtime_t *t) {
+ struct timeval tv;
+
+ /*
+ * Set 't' to the number of seconds since 00:00:00 UTC, January 1,
+ * 1970.
+ */
+
+ REQUIRE(t != NULL);
+
+ RUNTIME_CHECK(gettimeofday(&tv, NULL) != -1);
+
+#if ISC_FIX_TV_USEC
+ fix_tv_usec(&tv);
+ INSIST(tv.tv_usec >= 0);
+#else
+ INSIST(tv.tv_usec >= 0 && tv.tv_usec < US_PER_S);
+#endif
+
+ *t = (unsigned int)tv.tv_sec;
+}
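Review bot: isc_stdtime_get stores `(unsigned int)tv.tv_sec` without checking the sign or range of tv_sec, whereas isc_time_now in unix/time.c (same commit) rejects `tv.tv_sec < 0` and values that do not fit. Because this function returns void, an `INSIST(tv.tv_sec >= 0);` before the assignment would keep the two paths consistent with the existing tv_usec assertion. fix_tv_usec is also duplicated verbatim in time.c; a shared private helper would keep the two copies from drifting.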
diff --git a/contrib/bind9/lib/isc/unix/strerror.c b/contrib/bind9/lib/isc/unix/strerror.c
new file mode 100644
index 0000000..863867e
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/strerror.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: strerror.c,v 1.1.2.1.10.3 2004/03/08 09:04:57 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/mutex.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/util.h>
+
+#ifdef HAVE_STRERROR
+/*
+ * We need to do this this way for profiled locks.
+ */
+static isc_mutex_t isc_strerror_lock;
+static void init_lock(void) {
+ RUNTIME_CHECK(isc_mutex_init(&isc_strerror_lock) == ISC_R_SUCCESS);
+}
+#else
+extern const char * const sys_errlist[];
+extern const int sys_nerr;
+#endif
+
+void
+isc__strerror(int num, char *buf, size_t size) {
+#ifdef HAVE_STRERROR
+ char *msg;
+ unsigned int unum = num;
+ static isc_once_t once = ISC_ONCE_INIT;
+
+ REQUIRE(buf != NULL);
+
+ RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
+
+ LOCK(&isc_strerror_lock);
+ msg = strerror(num);
+ if (msg != NULL)
+ snprintf(buf, size, "%s", msg);
+ else
+ snprintf(buf, size, "Unknown error: %u", unum);
+ UNLOCK(&isc_strerror_lock);
+#else
+ unsigned int unum = num;
+
+ REQUIRE(buf != NULL);
+
+ if (num >= 0 && num < sys_nerr)
+ snprintf(buf, size, "%s", sys_errlist[num]);
+ else
+ snprintf(buf, size, "Unknown error: %u", unum);
+#endif
+}
diff --git a/contrib/bind9/lib/isc/unix/syslog.c b/contrib/bind9/lib/isc/unix/syslog.c
new file mode 100644
index 0000000..e531544
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/syslog.c
@@ -0,0 +1,82 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: syslog.c,v 1.1.12.3 2004/03/08 09:04:57 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
+#include <isc/result.h>
+#include <isc/syslog.h>
+#include <isc/util.h>
+
+static struct dsn_c_pvt_sfnt {
+ int val;
+ const char *strval;
+} facilities[] = {
+ { LOG_KERN, "kern" },
+ { LOG_USER, "user" },
+ { LOG_MAIL, "mail" },
+ { LOG_DAEMON, "daemon" },
+ { LOG_AUTH, "auth" },
+ { LOG_SYSLOG, "syslog" },
+ { LOG_LPR, "lpr" },
+#ifdef LOG_NEWS
+ { LOG_NEWS, "news" },
+#endif
+#ifdef LOG_UUCP
+ { LOG_UUCP, "uucp" },
+#endif
+#ifdef LOG_CRON
+ { LOG_CRON, "cron" },
+#endif
+#ifdef LOG_AUTHPRIV
+ { LOG_AUTHPRIV, "authpriv" },
+#endif
+#ifdef LOG_FTP
+ { LOG_FTP, "ftp" },
+#endif
+ { LOG_LOCAL0, "local0"},
+ { LOG_LOCAL1, "local1"},
+ { LOG_LOCAL2, "local2"},
+ { LOG_LOCAL3, "local3"},
+ { LOG_LOCAL4, "local4"},
+ { LOG_LOCAL5, "local5"},
+ { LOG_LOCAL6, "local6"},
+ { LOG_LOCAL7, "local7"},
+ { 0, NULL }
+};
+
+isc_result_t
+isc_syslog_facilityfromstring(const char *str, int *facilityp) {
+ int i;
+
+ REQUIRE(str != NULL);
+ REQUIRE(facilityp != NULL);
+
+ for (i = 0; facilities[i].strval != NULL; i++) {
+ if (strcasecmp(facilities[i].strval, str) == 0) {
+ *facilityp = facilities[i].val;
+ return (ISC_R_SUCCESS);
+ }
+ }
+ return (ISC_R_NOTFOUND);
+
+}
diff --git a/contrib/bind9/lib/isc/unix/time.c b/contrib/bind9/lib/isc/unix/time.c
new file mode 100644
index 0000000..39c851c
--- /dev/null
+++ b/contrib/bind9/lib/isc/unix/time.c
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: time.c,v 1.34.2.6.2.4 2004/03/06 08:15:03 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <limits.h>
+#include <syslog.h>
+#include <time.h>
+
+#include <sys/time.h> /* Required for struct timeval on some platforms. */
+
+#include <isc/log.h>
+#include <isc/print.h>
+#include <isc/strerror.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#define NS_PER_S 1000000000 /* Nanoseconds per second. */
+#define NS_PER_US 1000 /* Nanoseconds per microsecond. */
+#define US_PER_S 1000000 /* Microseconds per second. */
+
+/*
+ * All of the INSIST()s checks of nanoseconds < NS_PER_S are for
+ * consistency checking of the type. In lieu of magic numbers, it
+ * is the best we've got. The check is only performed on functions which
+ * need an initialized type.
+ */
+
+#ifndef ISC_FIX_TV_USEC
+#define ISC_FIX_TV_USEC 1
+#endif
+
+/***
+ *** Intervals
+ ***/
+
+static isc_interval_t zero_interval = { 0, 0 };
+isc_interval_t *isc_interval_zero = &zero_interval;
+
+#if ISC_FIX_TV_USEC
+static inline void
+fix_tv_usec(struct timeval *tv) {
+ isc_boolean_t fixed = ISC_FALSE;
+
+ if (tv->tv_usec < 0) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec -= 1;
+ tv->tv_usec += US_PER_S;
+ } while (tv->tv_usec < 0);
+ } else if (tv->tv_usec >= US_PER_S) {
+ fixed = ISC_TRUE;
+ do {
+ tv->tv_sec += 1;
+ tv->tv_usec -= US_PER_S;
+ } while (tv->tv_usec >=US_PER_S);
+ }
+ /*
+ * Call syslog directly as was are called from the logging functions.
+ */
+ if (fixed)
+ (void)syslog(LOG_ERR, "gettimeofday returned bad tv_usec: corrected");
+}
+#endif
+
+void
+isc_interval_set(isc_interval_t *i,
+ unsigned int seconds, unsigned int nanoseconds)
+{
+ REQUIRE(i != NULL);
+ REQUIRE(nanoseconds < NS_PER_S);
+
+ i->seconds = seconds;
+ i->nanoseconds = nanoseconds;
+}
+
+isc_boolean_t
+isc_interval_iszero(const isc_interval_t *i) {
+ REQUIRE(i != NULL);
+ INSIST(i->nanoseconds < NS_PER_S);
+
+ if (i->seconds == 0 && i->nanoseconds == 0)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+
+/***
+ *** Absolute Times
+ ***/
+
+static isc_time_t epoch = { 0, 0 };
+isc_time_t *isc_time_epoch = &epoch;
+
+void
+isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds) {
+ REQUIRE(t != NULL);
+ REQUIRE(nanoseconds < NS_PER_S);
+
+ t->seconds = seconds;
+ t->nanoseconds = nanoseconds;
+}
+
+void
+isc_time_settoepoch(isc_time_t *t) {
+ REQUIRE(t != NULL);
+
+ t->seconds = 0;
+ t->nanoseconds = 0;
+}
+
+isc_boolean_t
+isc_time_isepoch(const isc_time_t *t) {
+ REQUIRE(t != NULL);
+ INSIST(t->nanoseconds < NS_PER_S);
+
+ if (t->seconds == 0 && t->nanoseconds == 0)
+ return (ISC_TRUE);
+
+ return (ISC_FALSE);
+}
+
+
+isc_result_t
+isc_time_now(isc_time_t *t) {
+ struct timeval tv;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(t != NULL);
+
+ if (gettimeofday(&tv, NULL) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
+ * then this test will generate warnings for platforms on which it is
+ * unsigned. In any event, the chances of any of these problems
+ * happening are pretty much zero, but since the libisc library ensures
+ * certain things to be true ...
+ */
+#if ISC_FIX_TV_USEC
+ fix_tv_usec(&tv);
+ if (tv.tv_sec < 0)
+ return (ISC_R_UNEXPECTED);
+#else
+ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ return (ISC_R_UNEXPECTED);
+#endif
+
+ /*
+ * Ensure the tv_sec value fits in t->seconds.
+ */
+ if (sizeof(tv.tv_sec) > sizeof(t->seconds) &&
+ ((tv.tv_sec | (unsigned int)-1) ^ (unsigned int)-1) != 0U)
+ return (ISC_R_RANGE);
+
+ t->seconds = tv.tv_sec;
+ t->nanoseconds = tv.tv_usec * NS_PER_US;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_nowplusinterval(isc_time_t *t, const isc_interval_t *i) {
+ struct timeval tv;
+ char strbuf[ISC_STRERRORSIZE];
+
+ REQUIRE(t != NULL);
+ REQUIRE(i != NULL);
+ INSIST(i->nanoseconds < NS_PER_S);
+
+ if (gettimeofday(&tv, NULL) == -1) {
+ isc__strerror(errno, strbuf, sizeof(strbuf));
+ UNEXPECTED_ERROR(__FILE__, __LINE__, "%s", strbuf);
+ return (ISC_R_UNEXPECTED);
+ }
+
+ /*
+ * Does POSIX guarantee the signedness of tv_sec and tv_usec? If not,
+ * then this test will generate warnings for platforms on which it is
+ * unsigned. In any event, the chances of any of these problems
+ * happening are pretty much zero, but since the libisc library ensures
+ * certain things to be true ...
+ */
+#if ISC_FIX_TV_USEC
+ fix_tv_usec(&tv);
+ if (tv.tv_sec < 0)
+ return (ISC_R_UNEXPECTED);
+#else
+ if (tv.tv_sec < 0 || tv.tv_usec < 0 || tv.tv_usec >= US_PER_S)
+ return (ISC_R_UNEXPECTED);
+#endif
+
+ /*
+ * Ensure the resulting seconds value fits in the size of an
+ * unsigned int. (It is written this way as a slight optimization;
+ * note that even if both values == INT_MAX, then when added
+ * and getting another 1 added below the result is UINT_MAX.)
+ */
+ if ((tv.tv_sec > INT_MAX || i->seconds > INT_MAX) &&
+ ((long long)tv.tv_sec + i->seconds > UINT_MAX))
+ return (ISC_R_RANGE);
+
+ t->seconds = tv.tv_sec + i->seconds;
+ t->nanoseconds = tv.tv_usec * NS_PER_US + i->nanoseconds;
+ if (t->nanoseconds > NS_PER_S) {
+ t->seconds++;
+ t->nanoseconds -= NS_PER_S;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+int
+isc_time_compare(const isc_time_t *t1, const isc_time_t *t2) {
+ REQUIRE(t1 != NULL && t2 != NULL);
+ INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+ if (t1->seconds < t2->seconds)
+ return (-1);
+ if (t1->seconds > t2->seconds)
+ return (1);
+ if (t1->nanoseconds < t2->nanoseconds)
+ return (-1);
+ if (t1->nanoseconds > t2->nanoseconds)
+ return (1);
+ return (0);
+}
+
+isc_result_t
+isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result)
+{
+ REQUIRE(t != NULL && i != NULL && result != NULL);
+ INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+ /*
+ * Ensure the resulting seconds value fits in the size of an
+ * unsigned int. (It is written this way as a slight optimization;
+ * note that even if both values == INT_MAX, then when added
+ * and getting another 1 added below the result is UINT_MAX.)
+ */
+ if ((t->seconds > INT_MAX || i->seconds > INT_MAX) &&
+ ((long long)t->seconds + i->seconds > UINT_MAX))
+ return (ISC_R_RANGE);
+
+ result->seconds = t->seconds + i->seconds;
+ result->nanoseconds = t->nanoseconds + i->nanoseconds;
+ if (result->nanoseconds >= NS_PER_S) {
+ result->seconds++;
+ result->nanoseconds -= NS_PER_S;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_time_subtract(const isc_time_t *t, const isc_interval_t *i,
+ isc_time_t *result)
+{
+ REQUIRE(t != NULL && i != NULL && result != NULL);
+ INSIST(t->nanoseconds < NS_PER_S && i->nanoseconds < NS_PER_S);
+
+ if ((unsigned int)t->seconds < i->seconds ||
+ ((unsigned int)t->seconds == i->seconds &&
+ t->nanoseconds < i->nanoseconds))
+ return (ISC_R_RANGE);
+
+ result->seconds = t->seconds - i->seconds;
+ if (t->nanoseconds >= i->nanoseconds)
+ result->nanoseconds = t->nanoseconds - i->nanoseconds;
+ else {
+ result->nanoseconds = NS_PER_S - i->nanoseconds +
+ t->nanoseconds;
+ result->seconds--;
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_uint64_t
+isc_time_microdiff(const isc_time_t *t1, const isc_time_t *t2) {
+ isc_uint64_t i1, i2, i3;
+
+ REQUIRE(t1 != NULL && t2 != NULL);
+ INSIST(t1->nanoseconds < NS_PER_S && t2->nanoseconds < NS_PER_S);
+
+ i1 = (isc_uint64_t)t1->seconds * NS_PER_S + t1->nanoseconds;
+ i2 = (isc_uint64_t)t2->seconds * NS_PER_S + t2->nanoseconds;
+
+ if (i1 <= i2)
+ return (0);
+
+ i3 = i1 - i2;
+
+ /*
+ * Convert to microseconds.
+ */
+ i3 = (i1 - i2) / NS_PER_US;
+
+ return (i3);
+}
+
+isc_uint32_t
+isc_time_seconds(const isc_time_t *t) {
+ REQUIRE(t != NULL);
+ INSIST(t->nanoseconds < NS_PER_S);
+
+ return ((isc_uint32_t)t->seconds);
+}
+
+isc_result_t
+isc_time_secondsastimet(const isc_time_t *t, time_t *secondsp) {
+ isc_uint64_t i;
+ time_t seconds;
+
+ REQUIRE(t != NULL);
+ INSIST(t->nanoseconds < NS_PER_S);
+
+ /*
+ * Ensure that the number of seconds represented by t->seconds
+ * can be represented by a time_t. Since t->seconds is an unsigned
+ * int and since time_t is mostly opaque, this is trickier than
+ * it seems. (This standardized opaqueness of time_t is *very*
+ * frustrating; time_t is not even limited to being an integral
+ * type.)
+ *
+ * The mission, then, is to avoid generating any kind of warning
+ * about "signed versus unsigned" while trying to determine if the
+ * the unsigned int t->seconds is out range for tv_sec, which is
+ * pretty much only true if time_t is a signed integer of the same
+ * size as the return value of isc_time_seconds.
+ *
+ * The use of the 64 bit integer ``i'' takes advantage of C's
+ * conversion rules to either zero fill or sign extend the widened
+ * type.
+ *
+ * Solaris 5.6 gives this warning about the left shift:
+ * warning: integer overflow detected: op "<<"
+ * if the U(nsigned) qualifier is not on the 1.
+ */
+ seconds = (time_t)t->seconds;
+
+ INSIST(sizeof(unsigned int) == sizeof(isc_uint32_t));
+ INSIST(sizeof(time_t) >= sizeof(isc_uint32_t));
+
+ if (sizeof(time_t) == sizeof(isc_uint32_t) && /* Same size. */
+ (time_t)0.5 != 0.5 && /* Not a floating point type. */
+ (i = (time_t)-1) != 4294967295u && /* Is signed. */
+ (seconds &
+ (1U << (sizeof(time_t) * CHAR_BIT - 1))) != 0U) { /* Negative. */
+ /*
+ * This UNUSED() is here to shut up the IRIX compiler:
+ * variable "i" was set but never used
+ * when the value of i *was* used in the third test.
+ * (Let's hope the compiler got the actual test right.)
+ */
+ UNUSED(i);
+ return (ISC_R_RANGE);
+ }
+
+ *secondsp = seconds;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_uint32_t
+isc_time_nanoseconds(const isc_time_t *t) {
+ REQUIRE(t != NULL);
+
+ ENSURE(t->nanoseconds < NS_PER_S);
+
+ return ((isc_uint32_t)t->nanoseconds);
+}
+
+void
+isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+ time_t now;
+ unsigned int flen;
+
+ REQUIRE(len > 0);
+
+ now = (time_t) t->seconds;
+ flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
+ INSIST(flen < len);
+ if (flen != 0)
+ snprintf(buf + flen, len - flen,
+ ".%03u", t->nanoseconds / 1000000);
+ else
+ snprintf(buf, len, "99-Bad-9999 99:99:99.999");
+}
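Review bot: In isc_time_nowplusinterval the carry test `if (t->nanoseconds > NS_PER_S)` misses a sum of exactly NS_PER_S, leaving t->nanoseconds equal to NS_PER_S. The other functions in this file then fail `INSIST(t->nanoseconds < NS_PER_S)` on that value (isc_time_compare, isc_time_add, isc_time_seconds), which presumably aborts the process. isc_time_add already uses the correct form, so change the line to `if (t->nanoseconds >= NS_PER_S) {`. Separately, in both functions the range check lets a pre-carry sum of exactly UINT_MAX through, so the following `seconds++` can wrap to 0. isc_time_formattimestamp also passes the result of localtime() to strftime() without a NULL check.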
diff --git a/contrib/bind9/lib/isc/version.c b/contrib/bind9/lib/isc/version.c
new file mode 100644
index 0000000..d0f270d
--- /dev/null
+++ b/contrib/bind9/lib/isc/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.9.12.3 2004/03/08 09:04:51 marka Exp $ */
+
+#include <isc/version.h>
+
+const char isc_version[] = VERSION;
+
+const unsigned int isc_libinterface = LIBINTERFACE;
+const unsigned int isc_librevision = LIBREVISION;
+const unsigned int isc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isccc/Makefile.in b/contrib/bind9/lib/isccc/Makefile.in
new file mode 100644
index 0000000..f6ae951
--- /dev/null
+++ b/contrib/bind9/lib/isccc/Makefile.in
@@ -0,0 +1,86 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.12.5 2004/07/20 07:01:58 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBISCCC_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCCDEPLIBS = libisccc.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+
+# Alphabetically
+OBJS = alist.@O@ base64.@O@ cc.@O@ ccmsg.@O@ \
+ lib.@O@ \
+ result.@O@ sexpr.@O@ symtab.@O@ version.@O@
+
+# Alphabetically
+SRCS = alist.c base64.c cc.c ccmsg.c \
+ lib.c \
+ result.c sexpr.c symtab.c version.c
+
+
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libisccc.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libisccc.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS} ${ISCLIBS}
+
+timestamp: libisccc.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccc.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libisccc.@A@ timestamp
diff --git a/contrib/bind9/lib/isccc/alist.c b/contrib/bind9/lib/isccc/alist.c
new file mode 100644
index 0000000..21b14a2
--- /dev/null
+++ b/contrib/bind9/lib/isccc/alist.c
@@ -0,0 +1,297 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: alist.c,v 1.2.206.1 2004/03/06 08:15:18 marka Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <isccc/alist.h>
+#include <isc/assertions.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+#define CAR(s) (s)->value.as_dottedpair.car
+#define CDR(s) (s)->value.as_dottedpair.cdr
+
+#define ALIST_TAG "*alist*"
+#define MAX_INDENT 64
+
+static char spaces[MAX_INDENT + 1] =
+ " ";
+
+isccc_sexpr_t *
+isccc_alist_create(void)
+{
+ isccc_sexpr_t *alist, *tag;
+
+ tag = isccc_sexpr_fromstring(ALIST_TAG);
+ if (tag == NULL)
+ return (NULL);
+ alist = isccc_sexpr_cons(tag, NULL);
+ if (alist == NULL) {
+ isccc_sexpr_free(&tag);
+ return (NULL);
+ }
+
+ return (alist);
+}
+
+isc_boolean_t
+isccc_alist_alistp(isccc_sexpr_t *alist)
+{
+ isccc_sexpr_t *car;
+
+ if (alist == NULL || alist->type != ISCCC_SEXPRTYPE_DOTTEDPAIR)
+ return (ISC_FALSE);
+ car = CAR(alist);
+ if (car == NULL || car->type != ISCCC_SEXPRTYPE_STRING)
+ return (ISC_FALSE);
+ if (strcmp(car->value.as_string, ALIST_TAG) != 0)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+isc_boolean_t
+isccc_alist_emptyp(isccc_sexpr_t *alist)
+{
+ REQUIRE(isccc_alist_alistp(alist));
+
+ if (CDR(alist) == NULL)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist)
+{
+ REQUIRE(isccc_alist_alistp(alist));
+
+ return (CDR(alist));
+}
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key)
+{
+ isccc_sexpr_t *car, *caar;
+
+ REQUIRE(isccc_alist_alistp(alist));
+
+ /*
+ * Skip alist type tag.
+ */
+ alist = CDR(alist);
+
+ while (alist != NULL) {
+ INSIST(alist->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+ car = CAR(alist);
+ INSIST(car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+ caar = CAR(car);
+ if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+ strcmp(caar->value.as_string, key) == 0)
+ return (car);
+ alist = CDR(alist);
+ }
+
+ return (NULL);
+}
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key)
+{
+ isccc_sexpr_t *car, *caar, *rest, *prev;
+
+ REQUIRE(isccc_alist_alistp(alist));
+
+ prev = alist;
+ rest = CDR(alist);
+ while (rest != NULL) {
+ INSIST(rest->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+ car = CAR(rest);
+ INSIST(car != NULL && car->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+ caar = CAR(car);
+ if (caar->type == ISCCC_SEXPRTYPE_STRING &&
+ strcmp(caar->value.as_string, key) == 0) {
+ CDR(prev) = CDR(rest);
+ CDR(rest) = NULL;
+ isccc_sexpr_free(&rest);
+ break;
+ }
+ prev = rest;
+ rest = CDR(rest);
+ }
+}
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value)
+{
+ isccc_sexpr_t *kv, *k, *elt;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv == NULL) {
+ /*
+ * New association.
+ */
+ k = isccc_sexpr_fromstring(key);
+ if (k == NULL)
+ return (NULL);
+ kv = isccc_sexpr_cons(k, value);
+ if (kv == NULL) {
+ isccc_sexpr_free(&kv);
+ return (NULL);
+ }
+ elt = isccc_sexpr_addtolist(&alist, kv);
+ if (elt == NULL) {
+ isccc_sexpr_free(&kv);
+ return (NULL);
+ }
+ } else {
+ /*
+ * We've already got an entry for this key. Replace it.
+ */
+ isccc_sexpr_free(&CDR(kv));
+ CDR(kv) = value;
+ }
+
+ return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
+{
+ isccc_sexpr_t *v, *kv;
+
+ v = isccc_sexpr_fromstring(str);
+ if (v == NULL)
+ return (NULL);
+ kv = isccc_alist_define(alist, key, v);
+ if (kv == NULL)
+ isccc_sexpr_free(&v);
+
+ return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r)
+{
+ isccc_sexpr_t *v, *kv;
+
+ v = isccc_sexpr_frombinary(r);
+ if (v == NULL)
+ return (NULL);
+ kv = isccc_alist_define(alist, key, v);
+ if (kv == NULL)
+ isccc_sexpr_free(&v);
+
+ return (kv);
+}
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key)
+{
+ isccc_sexpr_t *kv;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv != NULL)
+ return (CDR(kv));
+ return (NULL);
+}
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
+{
+ isccc_sexpr_t *kv, *v;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv != NULL) {
+ v = CDR(kv);
+ if (isccc_sexpr_stringp(v)) {
+ if (strp != NULL)
+ *strp = isccc_sexpr_tostring(v);
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_EXISTS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r)
+{
+ isccc_sexpr_t *kv, *v;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv != NULL) {
+ v = CDR(kv);
+ if (isccc_sexpr_binaryp(v)) {
+ if (r != NULL)
+ *r = isccc_sexpr_tobinary(v);
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_EXISTS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream)
+{
+ isccc_sexpr_t *elt, *kv, *k, *v;
+
+ if (isccc_alist_alistp(sexpr)) {
+ fprintf(stream, "{\n");
+ indent += 4;
+ for (elt = isccc_alist_first(sexpr);
+ elt != NULL;
+ elt = CDR(elt)) {
+ kv = CAR(elt);
+ INSIST(isccc_sexpr_listp(kv));
+ k = CAR(kv);
+ v = CDR(kv);
+ INSIST(isccc_sexpr_stringp(k));
+ fprintf(stream, "%.*s%s => ", (int)indent, spaces,
+ isccc_sexpr_tostring(k));
+ isccc_alist_prettyprint(v, indent, stream);
+ if (CDR(elt) != NULL)
+ fprintf(stream, ",");
+ fprintf(stream, "\n");
+ }
+ indent -= 4;
+ fprintf(stream, "%.*s}", (int)indent, spaces);
+ } else if (isccc_sexpr_listp(sexpr)) {
+ fprintf(stream, "(\n");
+ indent += 4;
+ for (elt = sexpr;
+ elt != NULL;
+ elt = CDR(elt)) {
+ fprintf(stream, "%.*s", (int)indent, spaces);
+ isccc_alist_prettyprint(CAR(elt), indent, stream);
+ if (CDR(elt) != NULL)
+ fprintf(stream, ",");
+ fprintf(stream, "\n");
+ }
+ indent -= 4;
+ fprintf(stream, "%.*s)", (int)indent, spaces);
+ } else
+ isccc_sexpr_print(sexpr, stream);
+}
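Review bot: The two failure paths in isccc_alist_define free the wrong objects. When isccc_sexpr_cons() returns NULL the code calls `isccc_sexpr_free(&kv)` on that NULL pointer, so the key string `k` is leaked; it should be `isccc_sexpr_free(&k);`. When isccc_sexpr_addtolist() fails, `kv` is freed while its cdr still points at the caller's `value`, and isccc_alist_definestring and isccc_alist_definebinary then call `isccc_sexpr_free(&v)` on the same object; if isccc_sexpr_free() recurses into the cdr (isccc_alist_delete clears `CDR(rest)` before freeing, which suggests it does), that is a double free. Detach the value first with `CDR(kv) = NULL;` before `isccc_sexpr_free(&kv);`. isccc_alist_assq also dereferences `car` without the `car != NULL` check that isccc_alist_delete has, and neither function checks `caar`.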
diff --git a/contrib/bind9/lib/isccc/api b/contrib/bind9/lib/isccc/api
new file mode 100644
index 0000000..4f115e7
--- /dev/null
+++ b/contrib/bind9/lib/isccc/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 2
+LIBREVISION = 1
+LIBAGE = 2
diff --git a/contrib/bind9/lib/isccc/base64.c b/contrib/bind9/lib/isccc/base64.c
new file mode 100644
index 0000000..81d356c
--- /dev/null
+++ b/contrib/bind9/lib/isccc/base64.c
@@ -0,0 +1,63 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base64.c,v 1.2.206.1 2004/03/06 08:15:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/region.h>
+#include <isc/result.h>
+
+#include <isccc/base64.h>
+#include <isccc/result.h>
+#include <isccc/util.h>
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+ const char *wordbreak, isccc_region_t *target)
+{
+ isc_region_t sr;
+ isc_buffer_t tb;
+ isc_result_t result;
+
+ sr.base = source->rstart;
+ sr.length = source->rend - source->rstart;
+ isc_buffer_init(&tb, target->rstart, target->rend - target->rstart);
+
+ result = isc_base64_totext(&sr, wordlength, wordbreak, &tb);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ source->rstart = source->rend;
+ target->rstart = isc_buffer_used(&tb);
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target) {
+ isc_buffer_t b;
+ isc_result_t result;
+
+ isc_buffer_init(&b, target->rstart, target->rend - target->rstart);
+ result = isc_base64_decodestring(cstr, &b);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ target->rstart = isc_buffer_used(&b);
+ return (ISC_R_SUCCESS);
+}
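Review bot: Neither wrapper in base64.c documents that it moves the caller's region pointers on success. isccc_base64_encode() sets `source->rstart = source->rend` and advances `target->rstart` to the end of the encoded text, and isccc_base64_decode() advances `target->rstart` the same way; verify() in cc.c depends on this when it steps `target.rstart` back by two. I would add a header comment to each function, for example `/* On success target->rstart is advanced past the bytes written; encode also marks source as fully consumed. */`. Both functions also dereference `source` and `target` without a `REQUIRE(... != NULL)`, unlike table_fromwire() and createmessage() in cc.c, which state their pointer preconditions that way.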
diff --git a/contrib/bind9/lib/isccc/cc.c b/contrib/bind9/lib/isccc/cc.c
new file mode 100644
index 0000000..ccf8c68
--- /dev/null
+++ b/contrib/bind9/lib/isccc/cc.c
@@ -0,0 +1,807 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001-2003 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cc.c,v 1.4.2.3.2.5 2004/08/28 06:25:23 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+
+#include <isc/assertions.h>
+#include <isc/hmacmd5.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/symtab.h>
+#include <isccc/symtype.h>
+#include <isccc/util.h>
+
+#define MAX_TAGS 256
+#define DUP_LIFETIME 900
+
+typedef isccc_sexpr_t *sexpr_ptr;
+
+static unsigned char auth_hmd5[] = {
+ 0x05, 0x5f, 0x61, 0x75, 0x74, 0x68, /* len + _auth */
+ ISCCC_CCMSGTYPE_TABLE, /* message type */
+ 0x00, 0x00, 0x00, 0x20, /* length == 32 */
+ 0x04, 0x68, 0x6d, 0x64, 0x35, /* len + hmd5 */
+ ISCCC_CCMSGTYPE_BINARYDATA, /* message type */
+ 0x00, 0x00, 0x00, 0x16, /* length == 22 */
+ /*
+ * The base64 encoding of one of our HMAC-MD5 signatures is
+ * 22 bytes.
+ */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+
+#define HMD5_OFFSET 21 /* 6 + 1 + 4 + 5 + 1 + 4 */
+#define HMD5_LENGTH 22
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isccc_region_t *target);
+
+static isc_result_t
+list_towire(isccc_sexpr_t *alist, isccc_region_t *target);
+
+static isc_result_t
+value_towire(isccc_sexpr_t *elt, isccc_region_t *target)
+{
+ size_t len;
+ unsigned char *lenp;
+ isccc_region_t *vr;
+ isc_result_t result;
+
+ if (isccc_sexpr_binaryp(elt)) {
+ vr = isccc_sexpr_tobinary(elt);
+ len = REGION_SIZE(*vr);
+ if (REGION_SIZE(*target) < 1 + 4 + len)
+ return (ISC_R_NOSPACE);
+ PUT8(ISCCC_CCMSGTYPE_BINARYDATA, target->rstart);
+ PUT32(len, target->rstart);
+ if (REGION_SIZE(*target) < len)
+ return (ISC_R_NOSPACE);
+ PUT_MEM(vr->rstart, len, target->rstart);
+ } else if (isccc_alist_alistp(elt)) {
+ if (REGION_SIZE(*target) < 1 + 4)
+ return (ISC_R_NOSPACE);
+ PUT8(ISCCC_CCMSGTYPE_TABLE, target->rstart);
+ /*
+ * Emit a placeholder length.
+ */
+ lenp = target->rstart;
+ PUT32(0, target->rstart);
+ /*
+ * Emit the table.
+ */
+ result = table_towire(elt, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ len = (size_t)(target->rstart - lenp);
+ /*
+ * 'len' is 4 bytes too big, since it counts
+ * the placeholder length too. Adjust and
+ * emit.
+ */
+ INSIST(len >= 4U);
+ len -= 4;
+ PUT32(len, lenp);
+ } else if (isccc_sexpr_listp(elt)) {
+ if (REGION_SIZE(*target) < 1 + 4)
+ return (ISC_R_NOSPACE);
+ PUT8(ISCCC_CCMSGTYPE_LIST, target->rstart);
+ /*
+ * Emit a placeholder length and count.
+ */
+ lenp = target->rstart;
+ PUT32(0, target->rstart);
+ /*
+ * Emit the list.
+ */
+ result = list_towire(elt, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ len = (size_t)(target->rstart - lenp);
+ /*
+ * 'len' is 4 bytes too big, since it counts
+ * the placeholder length. Adjust and emit.
+ */
+ INSIST(len >= 4U);
+ len -= 4;
+ PUT32(len, lenp);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_towire(isccc_sexpr_t *alist, isccc_region_t *target)
+{
+ isccc_sexpr_t *kv, *elt, *k, *v;
+ char *ks;
+ isc_result_t result;
+ size_t len;
+
+ for (elt = isccc_alist_first(alist);
+ elt != NULL;
+ elt = ISCCC_SEXPR_CDR(elt)) {
+ kv = ISCCC_SEXPR_CAR(elt);
+ k = ISCCC_SEXPR_CAR(kv);
+ ks = isccc_sexpr_tostring(k);
+ v = ISCCC_SEXPR_CDR(kv);
+ len = strlen(ks);
+ INSIST(len <= 255U);
+ /*
+ * Emit the key name.
+ */
+ if (REGION_SIZE(*target) < 1 + len)
+ return (ISC_R_NOSPACE);
+ PUT8(len, target->rstart);
+ PUT_MEM(ks, len, target->rstart);
+ /*
+ * Emit the value.
+ */
+ result = value_towire(v, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_towire(isccc_sexpr_t *list, isccc_region_t *target)
+{
+ isc_result_t result;
+
+ while (list != NULL) {
+ result = value_towire(ISCCC_SEXPR_CAR(list), target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ list = ISCCC_SEXPR_CDR(list);
+ }
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+sign(unsigned char *data, unsigned int length, unsigned char *hmd5,
+ isccc_region_t *secret)
+{
+ isc_hmacmd5_t ctx;
+ isc_result_t result;
+ isccc_region_t source, target;
+ unsigned char digest[ISC_MD5_DIGESTLENGTH];
+ unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+
+ isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
+ isc_hmacmd5_update(&ctx, data, length);
+ isc_hmacmd5_sign(&ctx, digest);
+ source.rstart = digest;
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
+ target.rstart = digestb64;
+ target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+ result = isccc_base64_encode(&source, 64, "", &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ PUT_MEM(digestb64, HMD5_LENGTH, hmd5);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
+ isccc_region_t *secret)
+{
+ unsigned char *hmd5_rstart, *signed_rstart;
+ isc_result_t result;
+
+ if (REGION_SIZE(*target) < 4 + sizeof(auth_hmd5))
+ return (ISC_R_NOSPACE);
+ /*
+ * Emit protocol version.
+ */
+ PUT32(1, target->rstart);
+ if (secret != NULL) {
+ /*
+ * Emit _auth section with zeroed HMAC-MD5 signature.
+ * We'll replace the zeros with the real signature once
+ * we know what it is.
+ */
+ hmd5_rstart = target->rstart + HMD5_OFFSET;
+ PUT_MEM(auth_hmd5, sizeof(auth_hmd5), target->rstart);
+ } else
+ hmd5_rstart = NULL;
+ signed_rstart = target->rstart;
+ /*
+ * Delete any existing _auth section so that we don't try
+ * to encode it.
+ */
+ isccc_alist_delete(alist, "_auth");
+ /*
+ * Emit the message.
+ */
+ result = table_towire(alist, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ if (secret != NULL)
+ return (sign(signed_rstart, (target->rstart - signed_rstart),
+ hmd5_rstart, secret));
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
+ isccc_region_t *secret)
+{
+ isc_hmacmd5_t ctx;
+ isccc_region_t source;
+ isccc_region_t target;
+ isc_result_t result;
+ isccc_sexpr_t *_auth, *hmd5;
+ unsigned char digest[ISC_MD5_DIGESTLENGTH];
+ unsigned char digestb64[ISC_MD5_DIGESTLENGTH * 4];
+
+ /*
+ * Extract digest.
+ */
+ _auth = isccc_alist_lookup(alist, "_auth");
+ if (_auth == NULL)
+ return (ISC_R_FAILURE);
+ hmd5 = isccc_alist_lookup(_auth, "hmd5");
+ if (hmd5 == NULL)
+ return (ISC_R_FAILURE);
+ /*
+ * Compute digest.
+ */
+ isc_hmacmd5_init(&ctx, secret->rstart, REGION_SIZE(*secret));
+ isc_hmacmd5_update(&ctx, data, length);
+ isc_hmacmd5_sign(&ctx, digest);
+ source.rstart = digest;
+ source.rend = digest + ISC_MD5_DIGESTLENGTH;
+ target.rstart = digestb64;
+ target.rend = digestb64 + ISC_MD5_DIGESTLENGTH * 4;
+ result = isccc_base64_encode(&source, 64, "", &target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ /*
+ * Strip trailing == and NUL terminate target.
+ */
+ target.rstart -= 2;
+ *target.rstart++ = '\0';
+ /*
+ * Verify.
+ */
+ if (strcmp((char *)digestb64, isccc_sexpr_tostring(hmd5)) != 0)
+ return (ISCCC_R_BADAUTH);
+
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ isccc_sexpr_t **alistp);
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp);
+
+static isc_result_t
+value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep)
+{
+ unsigned int msgtype;
+ isc_uint32_t len;
+ isccc_sexpr_t *value;
+ isccc_region_t active;
+ isc_result_t result;
+
+ if (REGION_SIZE(*source) < 1 + 4)
+ return (ISC_R_UNEXPECTEDEND);
+ GET8(msgtype, source->rstart);
+ GET32(len, source->rstart);
+ if (REGION_SIZE(*source) < len)
+ return (ISC_R_UNEXPECTEDEND);
+ active.rstart = source->rstart;
+ active.rend = active.rstart + len;
+ source->rstart = active.rend;
+ if (msgtype == ISCCC_CCMSGTYPE_BINARYDATA) {
+ value = isccc_sexpr_frombinary(&active);
+ if (value != NULL) {
+ *valuep = value;
+ result = ISC_R_SUCCESS;
+ } else
+ result = ISC_R_NOMEMORY;
+ } else if (msgtype == ISCCC_CCMSGTYPE_TABLE)
+ result = table_fromwire(&active, NULL, valuep);
+ else if (msgtype == ISCCC_CCMSGTYPE_LIST)
+ result = list_fromwire(&active, valuep);
+ else
+ result = ISCCC_R_SYNTAX;
+
+ return (result);
+}
+
+static isc_result_t
+table_fromwire(isccc_region_t *source, isccc_region_t *secret,
+ isccc_sexpr_t **alistp)
+{
+ char key[256];
+ isc_uint32_t len;
+ isc_result_t result;
+ isccc_sexpr_t *alist, *value;
+ isc_boolean_t first_tag;
+ unsigned char *checksum_rstart;
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
+ checksum_rstart = NULL;
+ first_tag = ISC_TRUE;
+ alist = isccc_alist_create();
+ if (alist == NULL)
+ return (ISC_R_NOMEMORY);
+
+ while (!REGION_EMPTY(*source)) {
+ GET8(len, source->rstart);
+ if (REGION_SIZE(*source) < len) {
+ result = ISC_R_UNEXPECTEDEND;
+ goto bad;
+ }
+ GET_MEM(key, len, source->rstart);
+ key[len] = '\0'; /* Ensure NUL termination. */
+ value = NULL;
+ result = value_fromwire(source, &value);
+ if (result != ISC_R_SUCCESS)
+ goto bad;
+ if (isccc_alist_define(alist, key, value) == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto bad;
+ }
+ if (first_tag && secret != NULL && strcmp(key, "_auth") == 0)
+ checksum_rstart = source->rstart;
+ first_tag = ISC_FALSE;
+ }
+
+ *alistp = alist;
+
+ if (secret != NULL) {
+ if (checksum_rstart != NULL)
+ return (verify(alist, checksum_rstart,
+ (source->rend - checksum_rstart),
+ secret));
+ return (ISCCC_R_BADAUTH);
+ }
+
+ return (ISC_R_SUCCESS);
+
+ bad:
+ isccc_sexpr_free(&alist);
+
+ return (result);
+}
+
+static isc_result_t
+list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp)
+{
+ isccc_sexpr_t *list, *value;
+ isc_result_t result;
+
+ list = NULL;
+ while (!REGION_EMPTY(*source)) {
+ value = NULL;
+ result = value_fromwire(source, &value);
+ if (result != ISC_R_SUCCESS) {
+ isccc_sexpr_free(&list);
+ return (result);
+ }
+ if (isccc_sexpr_addtolist(&list, value) == NULL) {
+ isccc_sexpr_free(&value);
+ isccc_sexpr_free(&list);
+ return (result);
+ }
+ }
+
+ *listp = list;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ isccc_region_t *secret)
+{
+ unsigned int size;
+ isc_uint32_t version;
+
+ size = REGION_SIZE(*source);
+ if (size < 4)
+ return (ISC_R_UNEXPECTEDEND);
+ GET32(version, source->rstart);
+ if (version != 1)
+ return (ISCCC_R_UNKNOWNVERSION);
+
+ return (table_fromwire(source, secret, alistp));
+}
+
+static isc_result_t
+createmessage(isc_uint32_t version, const char *from, const char *to,
+ isc_uint32_t serial, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp,
+ isc_boolean_t want_expires)
+{
+ isccc_sexpr_t *alist, *_ctrl, *_data;
+ isc_result_t result;
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
+ if (version != 1)
+ return (ISCCC_R_UNKNOWNVERSION);
+
+ alist = isccc_alist_create();
+ if (alist == NULL)
+ return (ISC_R_NOMEMORY);
+
+ result = ISC_R_NOMEMORY;
+
+ _ctrl = isccc_alist_create();
+ _data = isccc_alist_create();
+ if (_ctrl == NULL || _data == NULL)
+ goto bad;
+ if (isccc_alist_define(alist, "_ctrl", _ctrl) == NULL ||
+ isccc_alist_define(alist, "_data", _data) == NULL)
+ goto bad;
+ if (isccc_cc_defineuint32(_ctrl, "_ser", serial) == NULL ||
+ isccc_cc_defineuint32(_ctrl, "_tim", now) == NULL ||
+ (want_expires &&
+ isccc_cc_defineuint32(_ctrl, "_exp", expires) == NULL))
+ goto bad;
+ if (from != NULL &&
+ isccc_cc_definestring(_ctrl, "_frm", from) == NULL)
+ goto bad;
+ if (to != NULL &&
+ isccc_cc_definestring(_ctrl, "_to", to) == NULL)
+ goto bad;
+
+ *alistp = alist;
+
+ return (ISC_R_SUCCESS);
+
+ bad:
+ isccc_sexpr_free(&alist);
+
+ return (result);
+}
+
+isc_result_t
+isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
+ isc_uint32_t serial, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp)
+{
+ return (createmessage(version, from, to, serial, now, expires,
+ alistp, ISC_TRUE));
+}
+
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
+ isccc_sexpr_t **ackp)
+{
+ char *_frm, *_to;
+ isc_uint32_t serial;
+ isccc_sexpr_t *ack, *_ctrl;
+ isc_result_t result;
+ isccc_time_t t;
+
+ REQUIRE(ackp != NULL && *ackp == NULL);
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ if (_ctrl == NULL ||
+ isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+ /*
+ * _frm and _to are optional.
+ */
+ _frm = NULL;
+ (void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+ _to = NULL;
+ (void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+ /*
+ * Create the ack.
+ */
+ ack = NULL;
+ result = createmessage(1, _to, _frm, serial, t, 0, &ack, ISC_FALSE);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ _ctrl = isccc_alist_lookup(ack, "_ctrl");
+ if (_ctrl == NULL)
+ return (ISC_R_FAILURE);
+ if (isccc_cc_definestring(ack, "_ack", (ok) ? "1" : "0") == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto bad;
+ }
+
+ *ackp = ack;
+
+ return (ISC_R_SUCCESS);
+
+ bad:
+ isccc_sexpr_free(&ack);
+
+ return (result);
+}
+
+isc_boolean_t
+isccc_cc_isack(isccc_sexpr_t *message)
+{
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ if (_ctrl == NULL)
+ return (ISC_FALSE);
+ if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isccc_cc_isreply(isccc_sexpr_t *message)
+{
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ if (_ctrl == NULL)
+ return (ISC_FALSE);
+ if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp)
+{
+ char *_frm, *_to, *type;
+ isc_uint32_t serial;
+ isccc_sexpr_t *alist, *_ctrl, *_data;
+ isc_result_t result;
+
+ REQUIRE(alistp != NULL && *alistp == NULL);
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ _data = isccc_alist_lookup(message, "_data");
+ if (_ctrl == NULL ||
+ _data == NULL ||
+ isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
+ isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+ /*
+ * _frm and _to are optional.
+ */
+ _frm = NULL;
+ (void)isccc_cc_lookupstring(_ctrl, "_frm", &_frm);
+ _to = NULL;
+ (void)isccc_cc_lookupstring(_ctrl, "_to", &_to);
+ /*
+ * Create the response.
+ */
+ alist = NULL;
+ result = isccc_cc_createmessage(1, _to, _frm, serial, now, expires,
+ &alist);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ _ctrl = isccc_alist_lookup(alist, "_ctrl");
+ if (_ctrl == NULL)
+ return (ISC_R_FAILURE);
+ _data = isccc_alist_lookup(alist, "_data");
+ if (_data == NULL)
+ return (ISC_R_FAILURE);
+ if (isccc_cc_definestring(_ctrl, "_rpl", "1") == NULL ||
+ isccc_cc_definestring(_data, "type", type) == NULL) {
+ isccc_sexpr_free(&alist);
+ return (ISC_R_NOMEMORY);
+ }
+
+ *alistp = alist;
+
+ return (ISC_R_SUCCESS);
+}
+
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str)
+{
+ size_t len;
+ isccc_region_t r;
+
+ len = strlen(str);
+ DE_CONST(str, r.rstart);
+ r.rend = r.rstart + len;
+
+ return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i)
+{
+ char b[100];
+ size_t len;
+ isccc_region_t r;
+
+ snprintf(b, sizeof(b), "%u", i);
+ len = strlen(b);
+ r.rstart = (unsigned char *)b;
+ r.rend = (unsigned char *)b + len;
+
+ return (isccc_alist_definebinary(alist, key, &r));
+}
+
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp)
+{
+ isccc_sexpr_t *kv, *v;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv != NULL) {
+ v = ISCCC_SEXPR_CDR(kv);
+ if (isccc_sexpr_binaryp(v)) {
+ if (strp != NULL)
+ *strp = isccc_sexpr_tostring(v);
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_EXISTS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
+ isc_uint32_t *uintp)
+{
+ isccc_sexpr_t *kv, *v;
+
+ kv = isccc_alist_assq(alist, key);
+ if (kv != NULL) {
+ v = ISCCC_SEXPR_CDR(kv);
+ if (isccc_sexpr_binaryp(v)) {
+ if (uintp != NULL)
+ *uintp = (isc_uint32_t)
+ strtoul(isccc_sexpr_tostring(v),
+ NULL, 10);
+ return (ISC_R_SUCCESS);
+ } else
+ return (ISC_R_EXISTS);
+ }
+
+ return (ISC_R_NOTFOUND);
+}
+
+static void
+symtab_undefine(char *key, unsigned int type, isccc_symvalue_t value,
+ void *arg)
+{
+ UNUSED(type);
+ UNUSED(value);
+ UNUSED(arg);
+
+ free(key);
+}
+
+static isc_boolean_t
+symtab_clean(char *key, unsigned int type, isccc_symvalue_t value,
+ void *arg)
+{
+ isccc_time_t *now;
+
+ UNUSED(key);
+ UNUSED(type);
+
+ now = arg;
+
+ if (*now < value.as_uinteger)
+ return (ISC_FALSE);
+ if ((*now - value.as_uinteger) < DUP_LIFETIME)
+ return (ISC_FALSE);
+ return (ISC_TRUE);
+}
+
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp)
+{
+ return (isccc_symtab_create(11897, symtab_undefine, NULL, ISC_FALSE,
+ symtabp));
+}
+
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now)
+{
+ isccc_symtab_foreach(symtab, symtab_clean, &now);
+}
+
+static isc_boolean_t
+has_whitespace(const char *str)
+{
+ char c;
+
+ if (str == NULL)
+ return (ISC_FALSE);
+ while ((c = *str++) != '\0') {
+ if (c == ' ' || c == '\t' || c == '\n')
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+ isccc_time_t now)
+{
+ const char *_frm;
+ const char *_to;
+ char *_ser, *_tim, *tmp;
+ isc_result_t result;
+ char *key;
+ size_t len;
+ isccc_symvalue_t value;
+ isccc_sexpr_t *_ctrl;
+
+ _ctrl = isccc_alist_lookup(message, "_ctrl");
+ if (_ctrl == NULL ||
+ isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
+ isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
+ return (ISC_R_FAILURE);
+ /*
+ * _frm and _to are optional.
+ */
+ if (isccc_cc_lookupstring(_ctrl, "_frm", &tmp) != ISC_R_SUCCESS)
+ _frm = "";
+ else
+ _frm = tmp;
+ if (isccc_cc_lookupstring(_ctrl, "_to", &tmp) != ISC_R_SUCCESS)
+ _to = "";
+ else
+ _to = tmp;
+ /*
+ * Ensure there is no newline in any of the strings. This is so
+ * we can write them to a file later.
+ */
+ if (has_whitespace(_frm) || has_whitespace(_to) ||
+ has_whitespace(_ser) || has_whitespace(_tim))
+ return (ISC_R_FAILURE);
+ len = strlen(_frm) + strlen(_to) + strlen(_ser) + strlen(_tim) + 4;
+ key = malloc(len);
+ if (key == NULL)
+ return (ISC_R_NOMEMORY);
+ snprintf(key, len, "%s;%s;%s;%s", _frm, _to, _ser, _tim);
+ value.as_uinteger = now;
+ result = isccc_symtab_define(symtab, key, ISCCC_SYMTYPE_CCDUP, value,
+ isccc_symexists_reject);
+ if (result != ISC_R_SUCCESS) {
+ free(key);
+ return (result);
+ }
+
+ return (ISC_R_SUCCESS);
+}
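Review bot: verify() in cc.c uses the `_auth` and `hmd5` values decoded from the wire without checking their types, and then compares the signature with `strcmp`, whose running time depends on the position of the first mismatching byte. value_fromwire() can yield a table, a list or binary data for any key, and isccc_cc_lookupstring() later in this file checks `isccc_sexpr_binaryp()` before calling `isccc_sexpr_tostring()`, while verify() does not; how isccc_alist_lookup() treats a non-alist argument is not visible in this hunk, so the first check is a precaution. I would reject a non-alist `_auth` and a non-binary or wrong-length `hmd5`, then compare all HMD5_LENGTH bytes with an accumulate-and-test loop, as sketched below. Separately, list_fromwire() returns `result`, which is still ISC_R_SUCCESS, when isccc_sexpr_addtolist() fails; that line should be `return (ISC_R_NOMEMORY);`.

```c
	_auth = isccc_alist_lookup(alist, "_auth");
	if (_auth == NULL || !isccc_alist_alistp(_auth))
		return (ISC_R_FAILURE);
	hmd5 = isccc_alist_lookup(_auth, "hmd5");
	if (hmd5 == NULL || !isccc_sexpr_binaryp(hmd5))
		return (ISC_R_FAILURE);
	/* … unchanged: compute digest, base64-encode, strip trailing == … */
	/*
	 * Verify.  Check the length first, then fold every byte into
	 * 'diff' so the loop does not stop at the first mismatch.
	 */
	{
		isccc_region_t *sig = isccc_sexpr_tobinary(hmd5);
		unsigned char diff = 0;
		unsigned int i;

		if (REGION_SIZE(*sig) != HMD5_LENGTH)
			return (ISCCC_R_BADAUTH);
		for (i = 0; i < HMD5_LENGTH; i++)
			diff |= digestb64[i] ^ sig->rstart[i];
		if (diff != 0)
			return (ISCCC_R_BADAUTH);
	}
```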
diff --git a/contrib/bind9/lib/isccc/ccmsg.c b/contrib/bind9/lib/isccc/ccmsg.c
new file mode 100644
index 0000000..fc5fae8
--- /dev/null
+++ b/contrib/bind9/lib/isccc/ccmsg.c
@@ -0,0 +1,220 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ccmsg.c,v 1.4.206.1 2004/03/06 08:15:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <isccc/events.h>
+#include <isccc/ccmsg.h>
+
+#define CCMSG_MAGIC ISC_MAGIC('C', 'C', 'm', 's')
+#define VALID_CCMSG(foo) ISC_MAGIC_VALID(foo, CCMSG_MAGIC)
+
+static void recv_length(isc_task_t *, isc_event_t *);
+static void recv_message(isc_task_t *, isc_event_t *);
+
+
+static void
+recv_length(isc_task_t *task, isc_event_t *ev_in) {
+ isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+ isc_event_t *dev;
+ isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+ isc_region_t region;
+ isc_result_t result;
+
+ INSIST(VALID_CCMSG(ccmsg));
+
+ dev = &ccmsg->event;
+
+ if (ev->result != ISC_R_SUCCESS) {
+ ccmsg->result = ev->result;
+ goto send_and_free;
+ }
+
+ /*
+ * Success.
+ */
+ ccmsg->size = ntohl(ccmsg->size);
+ if (ccmsg->size == 0) {
+ ccmsg->result = ISC_R_UNEXPECTEDEND;
+ goto send_and_free;
+ }
+ if (ccmsg->size > ccmsg->maxsize) {
+ ccmsg->result = ISC_R_RANGE;
+ goto send_and_free;
+ }
+
+ region.base = isc_mem_get(ccmsg->mctx, ccmsg->size);
+ region.length = ccmsg->size;
+ if (region.base == NULL) {
+ ccmsg->result = ISC_R_NOMEMORY;
+ goto send_and_free;
+ }
+
+ isc_buffer_init(&ccmsg->buffer, region.base, region.length);
+ result = isc_socket_recv(ccmsg->sock, &region, 0,
+ task, recv_message, ccmsg);
+ if (result != ISC_R_SUCCESS) {
+ ccmsg->result = result;
+ goto send_and_free;
+ }
+
+ isc_event_free(&ev_in);
+ return;
+
+ send_and_free:
+ isc_task_send(ccmsg->task, &dev);
+ ccmsg->task = NULL;
+ isc_event_free(&ev_in);
+ return;
+}
+
+static void
+recv_message(isc_task_t *task, isc_event_t *ev_in) {
+ isc_socketevent_t *ev = (isc_socketevent_t *)ev_in;
+ isc_event_t *dev;
+ isccc_ccmsg_t *ccmsg = ev_in->ev_arg;
+
+ (void)task;
+
+ INSIST(VALID_CCMSG(ccmsg));
+
+ dev = &ccmsg->event;
+
+ if (ev->result != ISC_R_SUCCESS) {
+ ccmsg->result = ev->result;
+ goto send_and_free;
+ }
+
+ ccmsg->result = ISC_R_SUCCESS;
+ isc_buffer_add(&ccmsg->buffer, ev->n);
+ ccmsg->address = ev->address;
+
+ send_and_free:
+ isc_task_send(ccmsg->task, &dev);
+ ccmsg->task = NULL;
+ isc_event_free(&ev_in);
+}
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg) {
+ REQUIRE(mctx != NULL);
+ REQUIRE(sock != NULL);
+ REQUIRE(ccmsg != NULL);
+
+ ccmsg->magic = CCMSG_MAGIC;
+ ccmsg->size = 0;
+ ccmsg->buffer.base = NULL;
+ ccmsg->buffer.length = 0;
+ ccmsg->maxsize = 4294967295U; /* Largest message possible. */
+ ccmsg->mctx = mctx;
+ ccmsg->sock = sock;
+ ccmsg->task = NULL; /* None yet. */
+ ccmsg->result = ISC_R_UNEXPECTED; /* None yet. */
+ /*
+ * Should probably initialize the event here, but it can wait.
+ */
+}
+
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize) {
+ REQUIRE(VALID_CCMSG(ccmsg));
+
+ ccmsg->maxsize = maxsize;
+}
+
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
+ isc_task_t *task, isc_taskaction_t action, void *arg)
+{
+ isc_result_t result;
+ isc_region_t region;
+
+ REQUIRE(VALID_CCMSG(ccmsg));
+ REQUIRE(task != NULL);
+ REQUIRE(ccmsg->task == NULL); /* not currently in use */
+
+ if (ccmsg->buffer.base != NULL) {
+ isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+ ccmsg->buffer.length);
+ ccmsg->buffer.base = NULL;
+ ccmsg->buffer.length = 0;
+ }
+
+ ccmsg->task = task;
+ ccmsg->action = action;
+ ccmsg->arg = arg;
+ ccmsg->result = ISC_R_UNEXPECTED; /* unknown right now */
+
+ ISC_EVENT_INIT(&ccmsg->event, sizeof(isc_event_t), 0, 0,
+ ISCCC_EVENT_CCMSG, action, arg, ccmsg,
+ NULL, NULL);
+
+ region.base = (unsigned char *)&ccmsg->size;
+ region.length = 4; /* isc_uint32_t */
+ result = isc_socket_recv(ccmsg->sock, &region, 0,
+ ccmsg->task, recv_length, ccmsg);
+
+ if (result != ISC_R_SUCCESS)
+ ccmsg->task = NULL;
+
+ return (result);
+}
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg) {
+ REQUIRE(VALID_CCMSG(ccmsg));
+
+ isc_socket_cancel(ccmsg->sock, NULL, ISC_SOCKCANCEL_RECV);
+}
+
+#if 0
+void
+isccc_ccmsg_freebuffer(isccc_ccmsg_t *ccmsg) {
+ REQUIRE(VALID_CCMSG(ccmsg));
+
+ if (ccmsg->buffer.base == NULL)
+ return;
+
+ isc_mem_put(ccmsg->mctx, ccmsg->buffer.base, ccmsg->buffer.length);
+ ccmsg->buffer.base = NULL;
+ ccmsg->buffer.length = 0;
+}
+#endif
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg) {
+ REQUIRE(VALID_CCMSG(ccmsg));
+
+ ccmsg->magic = 0;
+
+ if (ccmsg->buffer.base != NULL) {
+ isc_mem_put(ccmsg->mctx, ccmsg->buffer.base,
+ ccmsg->buffer.length);
+ ccmsg->buffer.base = NULL;
+ ccmsg->buffer.length = 0;
+ }
+}
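Review bot: isccc_ccmsg_init() sets `maxsize` to 4294967295U, so the `ccmsg->size > ccmsg->maxsize` test in recv_length() rejects nothing until a caller invokes isccc_ccmsg_setmaxsize(). recv_length() then passes the peer-declared length straight to isc_mem_get(), and that happens before the message body has been read, let alone authenticated. Whether every caller sets a limit is not visible in this hunk, so I would either start from a small default or document the requirement on the initializer, e.g. `/* maxsize is unlimited here; call isccc_ccmsg_setmaxsize() before reading from a peer. */`.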
diff --git a/contrib/bind9/lib/isccc/include/Makefile.in b/contrib/bind9/lib/isccc/include/Makefile.in
new file mode 100644
index 0000000..91a2bca
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2.206.1 2004/03/06 08:15:20 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isccc
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccc/include/isccc/Makefile.in b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
new file mode 100644
index 0000000..b86e50c
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3.12.3 2004/03/08 09:05:05 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = alist.h base64.h cc.h ccmsg.h events.h lib.h result.h \
+ sexpr.h symtab.h symtype.h types.h util.h version.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccc
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc ; \
+ done
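Review bot: The `install::` loop discards the exit status of every `${INSTALL_DATA}` call except the last, because a shell `for` loop returns only the status of its final command. A header that fails to install part-way through the list therefore leaves make reporting success with an incomplete include directory. I would stop on the first failure: `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccc || exit 1 ; \`.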
diff --git a/contrib/bind9/lib/isccc/include/isccc/alist.h b/contrib/bind9/lib/isccc/include/isccc/alist.h
new file mode 100644
index 0000000..409c48b
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/alist.h
@@ -0,0 +1,72 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: alist.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
+
+#ifndef ISCCC_ALIST_H
+#define ISCCC_ALIST_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+isccc_sexpr_t *
+isccc_alist_create(void);
+
+isc_boolean_t
+isccc_alist_alistp(isccc_sexpr_t *alist);
+
+isc_boolean_t
+isccc_alist_emptyp(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_first(isccc_sexpr_t *alist);
+
+isccc_sexpr_t *
+isccc_alist_assq(isccc_sexpr_t *alist, const char *key);
+
+void
+isccc_alist_delete(isccc_sexpr_t *alist, const char *key);
+
+isccc_sexpr_t *
+isccc_alist_define(isccc_sexpr_t *alist, const char *key, isccc_sexpr_t *value);
+
+isccc_sexpr_t *
+isccc_alist_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
+
+isccc_sexpr_t *
+isccc_alist_definebinary(isccc_sexpr_t *alist, const char *key, isccc_region_t *r);
+
+isccc_sexpr_t *
+isccc_alist_lookup(isccc_sexpr_t *alist, const char *key);
+
+isc_result_t
+isccc_alist_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+isc_result_t
+isccc_alist_lookupbinary(isccc_sexpr_t *alist, const char *key, isccc_region_t **r);
+
+void
+isccc_alist_prettyprint(isccc_sexpr_t *sexpr, unsigned int indent, FILE *stream);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_ALIST_H */
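Review bot: None of the prototypes in this header carries a contract, and the ownership rules are the part a caller most needs. It is not stated whether `isccc_alist_define()` takes ownership of `value`, or whether the pointer stored through `strp` by `isccc_alist_lookupstring()` (and through `r` by `isccc_alist_lookupbinary()`) points into the alist or at a copy the caller must free. A short Requires/Returns comment per function, in the style base64.h uses in this same import, would settle this, for example `/* On ISC_R_SUCCESS '*strp' points at storage owned by 'alist'; do not free it. */` once that is confirmed against alist.c. The same gap applies to `isccc_sexpr_free()` and `isccc_sexpr_tostring()` in sexpr.h.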
diff --git a/contrib/bind9/lib/isccc/include/isccc/base64.h b/contrib/bind9/lib/isccc/include/isccc/base64.h
new file mode 100644
index 0000000..14fbe57
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/base64.h
@@ -0,0 +1,70 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base64.h,v 1.2.206.1 2004/03/06 08:15:21 marka Exp $ */
+
+#ifndef ISCCC_BASE64_H
+#define ISCCC_BASE64_H 1
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isccc_base64_encode(isccc_region_t *source, int wordlength,
+ const char *wordbreak, isccc_region_t *target);
+/*
+ * Convert data into base64 encoded text.
+ *
+ * Notes:
+ * The base64 encoded text in 'target' will be divided into
+ * words of at most 'wordlength' characters, separated by
+ * the 'wordbreak' string. No parentheses will surround
+ * the text.
+ *
+ * Requires:
+ * 'source' is a region containing binary data.
+ * 'target' is a text region containing available space.
+ * 'wordbreak' points to a null-terminated string of
+ * zero or more whitespace characters.
+ */
+
+isc_result_t
+isccc_base64_decode(const char *cstr, isccc_region_t *target);
+/*
+ * Decode a null-terminated base64 string.
+ *
+ * Requires:
+ * 'cstr' is non-null.
+ * 'target' is a valid region.
+ *
+ * Returns:
+ * ISC_R_SUCCESS -- the entire decoded representation of 'cstring'
+ * fit in 'target'.
+ * ISC_R_BADBASE64 -- 'cstr' is not a valid base64 encoding.
+ * ISC_R_NOSPACE -- 'target' is not big enough.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_BASE64_H */
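Review bot: The Returns section of `isccc_base64_decode()` refers to 'cstring' while the parameter is named `cstr`, and `isccc_base64_encode()` has no Returns section at all. A caller of the encoder therefore cannot tell from the header which result is produced when `target` is too small, or what a zero or negative `wordlength` means. I would fix the name to `'cstr'` and add a Returns block to the encoder that mirrors the decoder's, with the exact codes confirmed against base64.c.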
diff --git a/contrib/bind9/lib/isccc/include/isccc/cc.h b/contrib/bind9/lib/isccc/include/isccc/cc.h
new file mode 100644
index 0000000..aedf1f7
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/cc.h
@@ -0,0 +1,88 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cc.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
+
+#ifndef ISCCC_CC_H
+#define ISCCC_CC_H 1
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+#define ISCCC_CC_MAXDGRAMPACKET 4096
+
+#define ISCCC_CCMSGTYPE_STRING 0x00
+#define ISCCC_CCMSGTYPE_BINARYDATA 0x01
+#define ISCCC_CCMSGTYPE_TABLE 0x02
+#define ISCCC_CCMSGTYPE_LIST 0x03
+
+isc_result_t
+isccc_cc_towire(isccc_sexpr_t *alist, isccc_region_t *target,
+ isccc_region_t *secret);
+
+isc_result_t
+isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp,
+ isccc_region_t *secret);
+
+isc_result_t
+isccc_cc_createmessage(isc_uint32_t version, const char *from, const char *to,
+ isc_uint32_t serial, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp);
+
+isc_result_t
+isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
+ isccc_sexpr_t **ackp);
+
+isc_boolean_t
+isccc_cc_isack(isccc_sexpr_t *message);
+
+isc_boolean_t
+isccc_cc_isreply(isccc_sexpr_t *message);
+
+isc_result_t
+isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
+ isccc_time_t expires, isccc_sexpr_t **alistp);
+
+isccc_sexpr_t *
+isccc_cc_definestring(isccc_sexpr_t *alist, const char *key, const char *str);
+
+isccc_sexpr_t *
+isccc_cc_defineuint32(isccc_sexpr_t *alist, const char *key, isc_uint32_t i);
+
+isc_result_t
+isccc_cc_lookupstring(isccc_sexpr_t *alist, const char *key, char **strp);
+
+isc_result_t
+isccc_cc_lookupuint32(isccc_sexpr_t *alist, const char *key,
+ isc_uint32_t *uintp);
+
+isc_result_t
+isccc_cc_createsymtab(isccc_symtab_t **symtabp);
+
+void
+isccc_cc_cleansymtab(isccc_symtab_t *symtab, isccc_time_t now);
+
+isc_result_t
+isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
+ isccc_time_t now);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CC_H */
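Review bot: `isccc_cc_towire()` and `isccc_cc_fromwire()` both take a `secret` region, but the header documents nothing about it, although this is presumably the authentication boundary of the command channel. From here a caller cannot tell whether a NULL `secret` is rejected or silently skips the signature check, nor which results (`ISCCC_R_BADAUTH`, `ISCCC_R_EXPIRED`, `ISCCC_R_CLOCKSKEW` from result.h) `fromwire` can return. A comment block above each prototype should state the NULL behaviour and the result codes. `isccc_cc_checkdup()` should likewise say what it returns for a repeated message and that `isccc_cc_cleansymtab()` must be called to bound the table, if that is indeed the intended use.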
diff --git a/contrib/bind9/lib/isccc/include/isccc/ccmsg.h b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
new file mode 100644
index 0000000..54734bb
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/ccmsg.h
@@ -0,0 +1,132 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ccmsg.h,v 1.3.206.1 2004/03/06 08:15:21 marka Exp $ */
+
+#ifndef ISCCC_CCMSG_H
+#define ISCCC_CCMSG_H 1
+
+#include <isc/buffer.h>
+#include <isc/lang.h>
+#include <isc/socket.h>
+
+typedef struct isccc_ccmsg {
+ /* private (don't touch!) */
+ unsigned int magic;
+ isc_uint32_t size;
+ isc_buffer_t buffer;
+ unsigned int maxsize;
+ isc_mem_t *mctx;
+ isc_socket_t *sock;
+ isc_task_t *task;
+ isc_taskaction_t action;
+ void *arg;
+ isc_event_t event;
+ /* public (read-only) */
+ isc_result_t result;
+ isc_sockaddr_t address;
+} isccc_ccmsg_t;
+
+ISC_LANG_BEGINDECLS
+
+void
+isccc_ccmsg_init(isc_mem_t *mctx, isc_socket_t *sock, isccc_ccmsg_t *ccmsg);
+/*
+ * Associate a cc message state with a given memory context and
+ * TCP socket.
+ *
+ * Requires:
+ *
+ * "mctx" and "sock" be non-NULL and valid types.
+ *
+ * "sock" be a read/write TCP socket.
+ *
+ * "ccmsg" be non-NULL and an uninitialized or invalidated structure.
+ *
+ * Ensures:
+ *
+ * "ccmsg" is a valid structure.
+ */
+
+void
+isccc_ccmsg_setmaxsize(isccc_ccmsg_t *ccmsg, unsigned int maxsize);
+/*
+ * Set the maximum packet size to "maxsize"
+ *
+ * Requires:
+ *
+ * "ccmsg" be valid.
+ *
+ * 512 <= "maxsize" <= 4294967296
+ */
+
+isc_result_t
+isccc_ccmsg_readmessage(isccc_ccmsg_t *ccmsg,
+ isc_task_t *task, isc_taskaction_t action, void *arg);
+/*
+ * Schedule an event to be delivered when a command channel message is
+ * readable, or when an error occurs on the socket.
+ *
+ * Requires:
+ *
+ * "ccmsg" be valid.
+ *
+ * "task", "taskaction", and "arg" be valid.
+ *
+ * Returns:
+ *
+ * ISC_R_SUCCESS -- no error
+ * Anything that the isc_socket_recv() call can return. XXXMLG
+ *
+ * Notes:
+ *
+ * The event delivered is a fully generic event. It will contain no
+ * actual data. The sender will be a pointer to the isccc_ccmsg_t.
+ * The result code inside that structure should be checked to see
+ * what the final result was.
+ */
+
+void
+isccc_ccmsg_cancelread(isccc_ccmsg_t *ccmsg);
+/*
+ * Cancel a readmessage() call. The event will still be posted with a
+ * CANCELED result code.
+ *
+ * Requires:
+ *
+ * "ccmsg" be valid.
+ */
+
+void
+isccc_ccmsg_invalidate(isccc_ccmsg_t *ccmsg);
+/*
+ * Clean up all allocated state, and invalidate the structure.
+ *
+ * Requires:
+ *
+ * "ccmsg" be valid.
+ *
+ * Ensures:
+ *
+ * "ccmsg" is invalidated and disassociated with all memory contexts,
+ * sockets, etc.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_CCMSG_H */
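Review bot: The documented range for `isccc_ccmsg_setmaxsize()` is `512 <= "maxsize" <= 4294967296`, but `maxsize` is an `unsigned int`, which cannot hold 4294967296 where that type is 32 bits wide; the upper bound should read `4294967295`. Since `maxsize` is the only cap a caller can set on message size, the comment could also state what limit applies when it is never called and recommend a small one, for example `/* Callers reading from untrusted peers should set this well below the maximum. */`. In the `isccc_ccmsg_readmessage()` comment, "taskaction" should be "action" to match the parameter name.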
diff --git a/contrib/bind9/lib/isccc/include/isccc/events.h b/contrib/bind9/lib/isccc/include/isccc/events.h
new file mode 100644
index 0000000..b78fc65
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/events.h
@@ -0,0 +1,35 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: events.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+
+#ifndef ISCCC_EVENTS_H
+#define ISCCC_EVENTS_H 1
+
+#include <isc/eventclass.h>
+
+/*
+ * Registry of ISCCC event numbers.
+ */
+
+#define ISCCC_EVENT_CCMSG (ISC_EVENTCLASS_ISCCC + 0)
+
+#define ISCCC_EVENT_FIRSTEVENT (ISC_EVENTCLASS_ISCCC + 0)
+#define ISCCC_EVENT_LASTEVENT (ISC_EVENTCLASS_ISCCC + 65535)
+
+#endif /* ISCCC_EVENTS_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/lib.h b/contrib/bind9/lib/isccc/include/isccc/lib.h
new file mode 100644
index 0000000..a57357d
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/lib.h
@@ -0,0 +1,40 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.h,v 1.2.12.3 2004/03/08 09:05:05 marka Exp $ */
+
+#ifndef ISCCC_LIB_H
+#define ISCCC_LIB_H 1
+
+#include <isc/types.h>
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+LIBISCCC_EXTERNAL_DATA extern isc_msgcat_t *isccc_msgcat;
+
+void
+isccc_lib_initmsgcat(void);
+/*
+ * Initialize the ISCCC library's message catalog, isccc_msgcat, if it
+ * has not already been initialized.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_LIB_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/result.h b/contrib/bind9/lib/isccc/include/isccc/result.h
new file mode 100644
index 0000000..33bbb4f
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/result.h
@@ -0,0 +1,52 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001, 2003 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.h,v 1.3.2.2.2.1 2004/03/06 08:15:22 marka Exp $ */
+
+#ifndef ISCCC_RESULT_H
+#define ISCCC_RESULT_H 1
+
+#include <isc/lang.h>
+#include <isc/resultclass.h>
+#include <isc/result.h>
+
+#include <isccc/types.h>
+
+#define ISCCC_R_UNKNOWNVERSION (ISC_RESULTCLASS_ISCCC + 0)
+#define ISCCC_R_SYNTAX (ISC_RESULTCLASS_ISCCC + 1)
+#define ISCCC_R_BADAUTH (ISC_RESULTCLASS_ISCCC + 2)
+#define ISCCC_R_EXPIRED (ISC_RESULTCLASS_ISCCC + 3)
+#define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4)
+#define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5)
+
+#define ISCCC_R_NRESULTS 6 /* Number of results */
+
+ISC_LANG_BEGINDECLS
+
+const char *
+isccc_result_totext(isc_result_t result);
+/*
+ * Convert a isccc_result_t into a string message describing the result.
+ */
+
+void
+isccc_result_register(void);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_RESULT_H */
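Review bot: The comment on `isccc_result_totext()` speaks of an `isccc_result_t`, a type that none of the headers in this import declare; the parameter is `isc_result_t`, so the comment should read `Convert an isc_result_t into a string message describing the result.` `isccc_result_register()` has no comment, and it is not stated whether it must be called before `isccc_result_totext()` is used. `ISCCC_R_NRESULTS` is a hand-maintained count of the codes above it, which deserves a note such as `/* Update when adding a code above. */`.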
diff --git a/contrib/bind9/lib/isccc/include/isccc/sexpr.h b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
new file mode 100644
index 0000000..0195a94
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/sexpr.h
@@ -0,0 +1,107 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sexpr.h,v 1.3.206.1 2004/03/06 08:15:22 marka Exp $ */
+
+#ifndef ISCCC_SEXPR_H
+#define ISCCC_SEXPR_H 1
+
+#include <stdio.h>
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+struct isccc_dottedpair {
+ isccc_sexpr_t *car;
+ isccc_sexpr_t *cdr;
+};
+
+struct isccc_sexpr {
+ unsigned int type;
+ union {
+ char * as_string;
+ isccc_dottedpair_t as_dottedpair;
+ isccc_region_t as_region;
+ } value;
+};
+
+#define ISCCC_SEXPRTYPE_NONE 0x00 /* Illegal. */
+#define ISCCC_SEXPRTYPE_T 0x01
+#define ISCCC_SEXPRTYPE_STRING 0x02
+#define ISCCC_SEXPRTYPE_DOTTEDPAIR 0x03
+#define ISCCC_SEXPRTYPE_BINARY 0x04
+
+#define ISCCC_SEXPR_CAR(s) (s)->value.as_dottedpair.car
+#define ISCCC_SEXPR_CDR(s) (s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void);
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str);
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region);
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp);
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream);
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list);
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list);
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car);
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr);
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2);
+
+isc_boolean_t
+isccc_sexpr_listp(isccc_sexpr_t *sexpr);
+
+isc_boolean_t
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr);
+
+isc_boolean_t
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr);
+
+isc_boolean_t
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr);
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr);
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SEXPR_H */
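Review bot: `ISCCC_SEXPR_CAR` and `ISCCC_SEXPR_CDR` read `value.as_dottedpair` without looking at `type`, and nothing in the header tells the caller to check it first. Applied to a STRING or BINARY node they would reinterpret the `char *` or region bytes as pointers, which matters if the node came from a peer message. I would add `/* Requires: (s)->type == ISCCC_SEXPRTYPE_DOTTEDPAIR. */` above the two macros and parenthesize the expansion as `((s)->value.as_dottedpair.car)`. `isccc_sexpr_tostring()` and `isccc_sexpr_tobinary()` need the same statement of which type they require and what they do otherwise.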
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtab.h b/contrib/bind9/lib/isccc/include/isccc/symtab.h
new file mode 100644
index 0000000..53f30e7
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/symtab.h
@@ -0,0 +1,123 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: symtab.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+
+#ifndef ISCCC_SYMTAB_H
+#define ISCCC_SYMTAB_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Symbol Table
+ *
+ * Provides a simple memory-based symbol table.
+ *
+ * Keys are C strings. A type may be specified when looking up,
+ * defining, or undefining. A type value of 0 means "match any type";
+ * any other value will only match the given type.
+ *
+ * It's possible that a client will attempt to define a <key, type,
+ * value> tuple when a tuple with the given key and type already
+ * exists in the table. What to do in this case is specified by the
+ * client. Possible policies are:
+ *
+ * isccc_symexists_reject Disallow the define, returning ISC_R_EXISTS
+ * isccc_symexists_replace Replace the old value with the new. The
+ * undefine action (if provided) will be called
+ * with the old <key, type, value> tuple.
+ * isccc_symexists_add Add the new tuple, leaving the old tuple in
+ * the table. Subsequent lookups will retrieve
+ * the most-recently-defined tuple.
+ *
+ * A lookup of a key using type 0 will return the most-recently
+ * defined symbol with that key. An undefine of a key using type 0
+ * will undefine the most-recently defined symbol with that key.
+ * Trying to define a key with type 0 is illegal.
+ *
+ * The symbol table library does not make a copy the key field, so the
+ * caller must ensure that any key it passes to isccc_symtab_define()
+ * will not change until it calls isccc_symtab_undefine() or
+ * isccc_symtab_destroy().
+ *
+ * A user-specified action will be called (if provided) when a symbol
+ * is undefined. It can be used to free memory associated with keys
+ * and/or values.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <isc/lang.h>
+#include <isccc/types.h>
+
+/***
+ *** Symbol Tables.
+ ***/
+
+typedef union isccc_symvalue {
+ void * as_pointer;
+ int as_integer;
+ unsigned int as_uinteger;
+} isccc_symvalue_t;
+
+typedef void (*isccc_symtabundefaction_t)(char *key, unsigned int type,
+ isccc_symvalue_t value, void *userarg);
+
+typedef isc_boolean_t (*isccc_symtabforeachaction_t)(char *key,
+ unsigned int type,
+ isccc_symvalue_t value,
+ void *userarg);
+
+typedef enum {
+ isccc_symexists_reject = 0,
+ isccc_symexists_replace = 1,
+ isccc_symexists_add = 2
+} isccc_symexists_t;
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+isccc_symtab_create(unsigned int size,
+ isccc_symtabundefaction_t undefine_action, void *undefine_arg,
+ isc_boolean_t case_sensitive, isccc_symtab_t **symtabp);
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp);
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+ isccc_symvalue_t *value);
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+ isccc_symvalue_t value, isccc_symexists_t exists_policy);
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type);
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+ void *arg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCC_SYMTAB_H */
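Review bot: The module comment explains that keys are not copied, but the prototypes carry no contract, so the consequence is easy to miss at the call site. `isccc_symtab_define()` keeps the caller's `char *key`, and the meaning of the `isc_boolean_t` returned by an `isccc_symtabforeachaction_t` is not stated anywhere in the header. I would add `/* 'key' is stored, not copied; it must stay valid and unchanged until undefined or the table is destroyed. */` above `isccc_symtab_define()`, and a line on the foreach callback saying what a true return does, confirmed against symtab.c. The module comment also has a typo: "does not make a copy the key field" should be "a copy of the key field".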
diff --git a/contrib/bind9/lib/isccc/include/isccc/symtype.h b/contrib/bind9/lib/isccc/include/isccc/symtype.h
new file mode 100644
index 0000000..2c15603
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/symtype.h
@@ -0,0 +1,29 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: symtype.h,v 1.2.206.1 2004/03/06 08:15:22 marka Exp $ */
+
+#ifndef ISCCC_SYMTYPE_H
+#define ISCCC_SYMTYPE_H 1
+
+#define ISCCC_SYMTYPE_ZONESTATS 0x0001
+#define ISCCC_SYMTYPE_CCDUP 0x0002
+#define ISCCC_SYMTYPE_TELLSERVICE 0x0003
+#define ISCCC_SYMTYPE_TELLRESPONSE 0x0004
+
+#endif /* ISCCC_SYMTYPE_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/types.h b/contrib/bind9/lib/isccc/include/isccc/types.h
new file mode 100644
index 0000000..9b21ca1
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/types.h
@@ -0,0 +1,38 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: types.h,v 1.2.206.1 2004/03/06 08:15:23 marka Exp $ */
+
+#ifndef ISCCC_TYPES_H
+#define ISCCC_TYPES_H 1
+
+#include <isc/boolean.h>
+#include <isc/int.h>
+#include <isc/result.h>
+
+typedef isc_uint32_t isccc_time_t;
+typedef struct isccc_sexpr isccc_sexpr_t;
+typedef struct isccc_dottedpair isccc_dottedpair_t;
+typedef struct isccc_symtab isccc_symtab_t;
+
+typedef struct isccc_region {
+ unsigned char * rstart;
+ unsigned char * rend;
+} isccc_region_t;
+
+#endif /* ISCCC_TYPES_H */
diff --git a/contrib/bind9/lib/isccc/include/isccc/util.h b/contrib/bind9/lib/isccc/include/isccc/util.h
new file mode 100644
index 0000000..8442586
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/util.h
@@ -0,0 +1,211 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.3.206.1 2004/03/06 08:15:23 marka Exp $ */
+
+#ifndef ISCCC_UTIL_H
+#define ISCCC_UTIL_H 1
+
+#include <isc/util.h>
+
+/*
+ * Macros for dealing with unaligned numbers.
+ *
+ * Note: no side effects are allowed when invoking these macros!
+ */
+
+#define GET8(v, w) \
+ do { \
+ v = *w; \
+ w++; \
+ } while (0)
+
+#define GET16(v, w) \
+ do { \
+ v = (unsigned int)w[0] << 8; \
+ v |= (unsigned int)w[1]; \
+ w += 2; \
+ } while (0)
+
+#define GET24(v, w) \
+ do { \
+ v = (unsigned int)w[0] << 16; \
+ v |= (unsigned int)w[1] << 8; \
+ v |= (unsigned int)w[2]; \
+ w += 3; \
+ } while (0)
+
+#define GET32(v, w) \
+ do { \
+ v = (unsigned int)w[0] << 24; \
+ v |= (unsigned int)w[1] << 16; \
+ v |= (unsigned int)w[2] << 8; \
+ v |= (unsigned int)w[3]; \
+ w += 4; \
+ } while (0)
+
+#define GET64(v, w) \
+ do { \
+ v = (isc_uint64_t)w[0] << 56; \
+ v |= (isc_uint64_t)w[1] << 48; \
+ v |= (isc_uint64_t)w[2] << 40; \
+ v |= (isc_uint64_t)w[3] << 32; \
+ v |= (isc_uint64_t)w[4] << 24; \
+ v |= (isc_uint64_t)w[5] << 16; \
+ v |= (isc_uint64_t)w[6] << 8; \
+ v |= (isc_uint64_t)w[7]; \
+ w += 8; \
+ } while (0)
+
+#define GETC16(v, w, d) \
+ do { \
+ GET8(v, w); \
+ if (v == 0) \
+ d = ISCCC_TRUE; \
+ else { \
+ d = ISCCC_FALSE; \
+ if (v == 255) \
+ GET16(v, w); \
+ } \
+ } while (0)
+
+#define GETC32(v, w) \
+ do { \
+ GET24(v, w); \
+ if (v == 0xffffffu) \
+ GET32(v, w); \
+ } while (0)
+
+#define GET_OFFSET(v, w) GET32(v, w)
+
+#define GET_MEM(v, c, w) \
+ do { \
+ memcpy(v, w, c); \
+ w += c; \
+ } while (0)
+
+#define GET_TYPE(v, w) \
+ do { \
+ GET8(v, w); \
+ if (v > 127) { \
+ if (v < 255) \
+ v = ((v & 0x7f) << 16) | ISCCC_RDATATYPE_SIG; \
+ else \
+ GET32(v, w); \
+ } \
+ } while (0)
+
+#define PUT8(v, w) \
+ do { \
+ *w = (v & 0x000000ffU); \
+ w++; \
+ } while (0)
+
+#define PUT16(v, w) \
+ do { \
+ w[0] = (v & 0x0000ff00U) >> 8; \
+ w[1] = (v & 0x000000ffU); \
+ w += 2; \
+ } while (0)
+
+#define PUT24(v, w) \
+ do { \
+ w[0] = (v & 0x00ff0000U) >> 16; \
+ w[1] = (v & 0x0000ff00U) >> 8; \
+ w[2] = (v & 0x000000ffU); \
+ w += 3; \
+ } while (0)
+
+#define PUT32(v, w) \
+ do { \
+ w[0] = (v & 0xff000000U) >> 24; \
+ w[1] = (v & 0x00ff0000U) >> 16; \
+ w[2] = (v & 0x0000ff00U) >> 8; \
+ w[3] = (v & 0x000000ffU); \
+ w += 4; \
+ } while (0)
+
+#define PUT64(v, w) \
+ do { \
+ w[0] = (v & 0xff00000000000000ULL) >> 56; \
+ w[1] = (v & 0x00ff000000000000ULL) >> 48; \
+ w[2] = (v & 0x0000ff0000000000ULL) >> 40; \
+ w[3] = (v & 0x000000ff00000000ULL) >> 32; \
+ w[4] = (v & 0x00000000ff000000ULL) >> 24; \
+ w[5] = (v & 0x0000000000ff0000ULL) >> 16; \
+ w[6] = (v & 0x000000000000ff00ULL) >> 8; \
+ w[7] = (v & 0x00000000000000ffULL); \
+ w += 8; \
+ } while (0)
+
+#define PUTC16(v, w) \
+ do { \
+ if (v > 0 && v < 255) \
+ PUT8(v, w); \
+ else { \
+ PUT8(255, w); \
+ PUT16(v, w); \
+ } \
+ } while (0)
+
+#define PUTC32(v, w) \
+ do { \
+ if (v < 0xffffffU) \
+ PUT24(v, w); \
+ else { \
+ PUT24(0xffffffU, w); \
+ PUT32(v, w); \
+ } \
+ } while (0)
+
+#define PUT_OFFSET(v, w) PUT32(v, w)
+
+#include <string.h>
+
+#define PUT_MEM(s, c, w) \
+ do { \
+ memcpy(w, s, c); \
+ w += c; \
+ } while (0)
+
+/*
+ * Regions.
+ */
+#define REGION_SIZE(r) ((unsigned int)((r).rend - (r).rstart))
+#define REGION_EMPTY(r) ((r).rstart == (r).rend)
+#define REGION_FROMSTRING(r, s) do { \
+ (r).rstart = (unsigned char *)s; \
+ (r).rend = (r).rstart + strlen(s); \
+} while (0)
+
+/*
+ * Use this to remove the const qualifier of a variable to assign it to
+ * a non-const variable or pass it as a non-const function argument ...
+ * but only when you are sure it won't then be changed!
+ * This is necessary to sometimes shut up some compilers
+ * (as with gcc -Wcast-qual) when there is just no other good way to avoid the
+ * situation.
+ */
+#define DE_CONST(konst, var) \
+ do { \
+ union { const void *k; void *v; } _u; \
+ _u.k = konst; \
+ var = _u.v; \
+ } while (0)
+
+#endif /* ISCCC_UTIL_H */
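Review bot: The GET*/PUT* macros and `GET_MEM`/`PUT_MEM` advance `w` and read or write through it with no length check, and the header comment warns only about side effects. Every caller that parses wire data must verify the remaining bytes first; the comment block should say so, for example `/* These macros do no bounds checking: ensure 'w' has enough bytes left before each use. */`. The arguments are also expanded unparenthesized (`*w = (v & 0x000000ffU);`), so an expression argument such as `a | b` is masked incorrectly; `*(w) = ((v) & 0x000000ffU);` and the same treatment in the other macros fixes that. `GETC16` and `GET_TYPE` refer to `ISCCC_TRUE`, `ISCCC_FALSE` and `ISCCC_RDATATYPE_SIG`, which no header visible in this part of the import defines, so they may not compile if ever used. These short unprefixed names are exported as well, because the Makefile.in installs util.h.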
diff --git a/contrib/bind9/lib/isccc/include/isccc/version.h b/contrib/bind9/lib/isccc/include/isccc/version.h
new file mode 100644
index 0000000..36a909c
--- /dev/null
+++ b/contrib/bind9/lib/isccc/include/isccc/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:05 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISCCC_EXTERNAL_DATA extern const char isccc_version[];
+
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libinterface;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_librevision;
+LIBISCCC_EXTERNAL_DATA extern const unsigned int isccc_libage;
diff --git a/contrib/bind9/lib/isccc/lib.c b/contrib/bind9/lib/isccc/lib.c
new file mode 100644
index 0000000..d37e28c
--- /dev/null
+++ b/contrib/bind9/lib/isccc/lib.c
@@ -0,0 +1,63 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lib.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
+
+#include <config.h>
+
+#include <stddef.h>
+
+#include <isc/once.h>
+#include <isc/msgcat.h>
+#include <isc/util.h>
+
+#include <isccc/lib.h>
+
+/***
+ *** Globals
+ ***/
+
+LIBISCCC_EXTERNAL_DATA isc_msgcat_t * isccc_msgcat = NULL;
+
+
+/***
+ *** Private
+ ***/
+
+static isc_once_t msgcat_once = ISC_ONCE_INIT;
+
+
+/***
+ *** Functions
+ ***/
+
+static void
+open_msgcat(void) {
+ isc_msgcat_open("libisccc.cat", &isccc_msgcat);
+}
+
+void
+isccc_lib_initmsgcat(void) {
+
+ /*
+ * Initialize the DNS library's message catalog, isccc_msgcat, if it
+ * has not already been initialized.
+ */
+
+ RUNTIME_CHECK(isc_once_do(&msgcat_once, open_msgcat) == ISC_R_SUCCESS);
+}
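Review bot: The comment inside `isccc_lib_initmsgcat` names the wrong library: it says "Initialize the DNS library's message catalog", but the function opens `libisccc.cat` into `isccc_msgcat`. It reads like a leftover from the file this one was modelled on (inferred). I would change it to `Initialize the ISCCC library's message catalog, isccc_msgcat, if it has not already been initialized.` A one-line comment on `open_msgcat` saying what `isccc_msgcat` holds when the catalog cannot be opened would also help, since the contract of `isc_msgcat_open` is not visible here.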
diff --git a/contrib/bind9/lib/isccc/result.c b/contrib/bind9/lib/isccc/result.c
new file mode 100644
index 0000000..e63e85f
--- /dev/null
+++ b/contrib/bind9/lib/isccc/result.c
@@ -0,0 +1,70 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001, 2003 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.c,v 1.3.2.2.2.1 2004/03/06 08:15:19 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/once.h>
+#include <isc/util.h>
+
+#include <isccc/result.h>
+#include <isccc/lib.h>
+
+static const char *text[ISCCC_R_NRESULTS] = {
+ "unknown version", /* 1 */
+ "syntax error", /* 2 */
+ "bad auth", /* 3 */
+ "expired", /* 4 */
+ "clock skew", /* 5 */
+ "duplicate" /* 6 */
+};
+
+#define ISCCC_RESULT_RESULTSET 2
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+initialize_action(void) {
+ isc_result_t result;
+
+ result = isc_result_register(ISC_RESULTCLASS_ISCCC, ISCCC_R_NRESULTS,
+ text, isccc_msgcat,
+ ISCCC_RESULT_RESULTSET);
+ if (result != ISC_R_SUCCESS)
+ UNEXPECTED_ERROR(__FILE__, __LINE__,
+ "isc_result_register() failed: %u", result);
+}
+
+static void
+initialize(void) {
+ isccc_lib_initmsgcat();
+ RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+}
+
+const char *
+isccc_result_totext(isc_result_t result) {
+ initialize();
+
+ return (isc_result_totext(result));
+}
+
+void
+isccc_result_register(void) {
+ initialize();
+}
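Review bot: Nothing ties the six initializers of `text[ISCCC_R_NRESULTS]` to the value of `ISCCC_R_NRESULTS`, which is defined outside this hunk. If the constant is ever larger than six, the trailing slots are NULL pointers passed to `isc_result_register`, and a later `isccc_result_totext` lookup could presumably return NULL to a caller that prints it. A check at the top of `initialize_action`, such as `RUNTIME_CHECK(sizeof(text) / sizeof(text[0]) == ISCCC_R_NRESULTS);` with the array declared as `text[]`, would catch the mismatch at startup. The `/* 1 */` to `/* 6 */` comments would be clearer if they named the result codes they correspond to.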
diff --git a/contrib/bind9/lib/isccc/sexpr.c b/contrib/bind9/lib/isccc/sexpr.c
new file mode 100644
index 0000000..a372a7d
--- /dev/null
+++ b/contrib/bind9/lib/isccc/sexpr.c
@@ -0,0 +1,310 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: sexpr.c,v 1.2.12.3 2004/03/08 09:05:04 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isccc/sexpr.h>
+#include <isccc/util.h>
+
+static isccc_sexpr_t sexpr_t = { ISCCC_SEXPRTYPE_T, { NULL } };
+
+#define CAR(s) (s)->value.as_dottedpair.car
+#define CDR(s) (s)->value.as_dottedpair.cdr
+
+isccc_sexpr_t *
+isccc_sexpr_cons(isccc_sexpr_t *car, isccc_sexpr_t *cdr)
+{
+ isccc_sexpr_t *sexpr;
+
+ sexpr = malloc(sizeof(*sexpr));
+ if (sexpr == NULL)
+ return (NULL);
+ sexpr->type = ISCCC_SEXPRTYPE_DOTTEDPAIR;
+ CAR(sexpr) = car;
+ CDR(sexpr) = cdr;
+
+ return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_tconst(void)
+{
+ return (&sexpr_t);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_fromstring(const char *str)
+{
+ isccc_sexpr_t *sexpr;
+
+ sexpr = malloc(sizeof(*sexpr));
+ if (sexpr == NULL)
+ return (NULL);
+ sexpr->type = ISCCC_SEXPRTYPE_STRING;
+ sexpr->value.as_string = strdup(str);
+ if (sexpr->value.as_string == NULL) {
+ free(sexpr);
+ return (NULL);
+ }
+
+ return (sexpr);
+}
+
+isccc_sexpr_t *
+isccc_sexpr_frombinary(const isccc_region_t *region)
+{
+ isccc_sexpr_t *sexpr;
+ unsigned int region_size;
+
+ sexpr = malloc(sizeof(*sexpr));
+ if (sexpr == NULL)
+ return (NULL);
+ sexpr->type = ISCCC_SEXPRTYPE_BINARY;
+ region_size = REGION_SIZE(*region);
+ /*
+ * We add an extra byte when we malloc so we can NUL terminate
+ * the binary data. This allows the caller to use it as a C
+ * string. It's up to the caller to ensure this is safe. We don't
+ * add 1 to the length of the binary region, because the NUL is
+ * not part of the binary data.
+ */
+ sexpr->value.as_region.rstart = malloc(region_size + 1);
+ if (sexpr->value.as_region.rstart == NULL) {
+ free(sexpr);
+ return (NULL);
+ }
+ sexpr->value.as_region.rend = sexpr->value.as_region.rstart +
+ region_size;
+ memcpy(sexpr->value.as_region.rstart, region->rstart, region_size);
+ /*
+ * NUL terminate.
+ */
+ sexpr->value.as_region.rstart[region_size] = '\0';
+
+ return (sexpr);
+}
+
+void
+isccc_sexpr_free(isccc_sexpr_t **sexprp)
+{
+ isccc_sexpr_t *sexpr;
+ isccc_sexpr_t *item;
+
+ sexpr = *sexprp;
+ if (sexpr == NULL)
+ return;
+ switch (sexpr->type) {
+ case ISCCC_SEXPRTYPE_STRING:
+ free(sexpr->value.as_string);
+ break;
+ case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+ item = CAR(sexpr);
+ if (item != NULL)
+ isccc_sexpr_free(&item);
+ item = CDR(sexpr);
+ if (item != NULL)
+ isccc_sexpr_free(&item);
+ break;
+ case ISCCC_SEXPRTYPE_BINARY:
+ free(sexpr->value.as_region.rstart);
+ break;
+ }
+ free(sexpr);
+
+ *sexprp = NULL;
+}
+
+static isc_boolean_t
+printable(isccc_region_t *r)
+{
+ unsigned char *curr;
+
+ curr = r->rstart;
+ while (curr != r->rend) {
+ if (!isprint(*curr))
+ return (ISC_FALSE);
+ curr++;
+ }
+
+ return (ISC_TRUE);
+}
+
+void
+isccc_sexpr_print(isccc_sexpr_t *sexpr, FILE *stream)
+{
+ isccc_sexpr_t *cdr;
+ unsigned int size, i;
+ unsigned char *curr;
+
+ if (sexpr == NULL) {
+ fprintf(stream, "nil");
+ return;
+ }
+
+ switch (sexpr->type) {
+ case ISCCC_SEXPRTYPE_T:
+ fprintf(stream, "t");
+ break;
+ case ISCCC_SEXPRTYPE_STRING:
+ fprintf(stream, "\"%s\"", sexpr->value.as_string);
+ break;
+ case ISCCC_SEXPRTYPE_DOTTEDPAIR:
+ fprintf(stream, "(");
+ do {
+ isccc_sexpr_print(CAR(sexpr), stream);
+ cdr = CDR(sexpr);
+ if (cdr != NULL) {
+ fprintf(stream, " ");
+ if (cdr->type != ISCCC_SEXPRTYPE_DOTTEDPAIR) {
+ fprintf(stream, ". ");
+ isccc_sexpr_print(cdr, stream);
+ cdr = NULL;
+ }
+ }
+ sexpr = cdr;
+ } while (sexpr != NULL);
+ fprintf(stream, ")");
+ break;
+ case ISCCC_SEXPRTYPE_BINARY:
+ size = REGION_SIZE(sexpr->value.as_region);
+ curr = sexpr->value.as_region.rstart;
+ if (printable(&sexpr->value.as_region)) {
+ fprintf(stream, "'%.*s'", (int)size, curr);
+ } else {
+ fprintf(stream, "0x");
+ for (i = 0; i < size; i++)
+ fprintf(stream, "%02x", *curr++);
+ }
+ break;
+ default:
+ INSIST(0);
+ }
+}
+
+isccc_sexpr_t *
+isccc_sexpr_car(isccc_sexpr_t *list)
+{
+ REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+ return (CAR(list));
+}
+
+isccc_sexpr_t *
+isccc_sexpr_cdr(isccc_sexpr_t *list)
+{
+ REQUIRE(list->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+ return (CDR(list));
+}
+
+void
+isccc_sexpr_setcar(isccc_sexpr_t *pair, isccc_sexpr_t *car)
+{
+ REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+ CAR(pair) = car;
+}
+
+void
+isccc_sexpr_setcdr(isccc_sexpr_t *pair, isccc_sexpr_t *cdr)
+{
+ REQUIRE(pair->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+ CDR(pair) = cdr;
+}
+
+isccc_sexpr_t *
+isccc_sexpr_addtolist(isccc_sexpr_t **l1p, isccc_sexpr_t *l2)
+{
+ isccc_sexpr_t *last, *elt, *l1;
+
+ REQUIRE(l1p != NULL);
+ l1 = *l1p;
+ REQUIRE(l1 == NULL || l1->type == ISCCC_SEXPRTYPE_DOTTEDPAIR);
+
+ elt = isccc_sexpr_cons(l2, NULL);
+ if (elt == NULL)
+ return (NULL);
+ if (l1 == NULL) {
+ *l1p = elt;
+ return (elt);
+ }
+ for (last = l1; CDR(last) != NULL; last = CDR(last))
+ /* Nothing */;
+ CDR(last) = elt;
+
+ return (elt);
+}
+
+isc_boolean_t
+isccc_sexpr_listp(isccc_sexpr_t *sexpr)
+{
+ if (sexpr == NULL || sexpr->type == ISCCC_SEXPRTYPE_DOTTEDPAIR)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isccc_sexpr_emptyp(isccc_sexpr_t *sexpr)
+{
+ if (sexpr == NULL)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isccc_sexpr_stringp(isccc_sexpr_t *sexpr)
+{
+ if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_STRING)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+isc_boolean_t
+isccc_sexpr_binaryp(isccc_sexpr_t *sexpr)
+{
+ if (sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
+
+char *
+isccc_sexpr_tostring(isccc_sexpr_t *sexpr)
+{
+ REQUIRE(sexpr != NULL &&
+ (sexpr->type == ISCCC_SEXPRTYPE_STRING ||
+ sexpr->type == ISCCC_SEXPRTYPE_BINARY));
+
+ if (sexpr->type == ISCCC_SEXPRTYPE_BINARY)
+ return ((char *)sexpr->value.as_region.rstart);
+ return (sexpr->value.as_string);
+}
+
+isccc_region_t *
+isccc_sexpr_tobinary(isccc_sexpr_t *sexpr)
+{
+ REQUIRE(sexpr != NULL && sexpr->type == ISCCC_SEXPRTYPE_BINARY);
+ return (&sexpr->value.as_region);
+}
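Review bot: `isccc_sexpr_free` ends with an unconditional `free(sexpr)`, and its switch has no case for `ISCCC_SEXPRTYPE_T`, which in this file is only ever the static `sexpr_t` returned by `isccc_sexpr_tconst()`. If that constant is freed directly, or reached through a pair's car or cdr, a pointer to static storage is passed to `free()`, which is undefined behaviour. I would guard the release with `if (sexpr != &sexpr_t) free(sexpr);` and still set `*sexprp = NULL`. Separately, the function recurses on the cdr as well as the car, so stack depth grows with list length. If lists can be built from peer-supplied messages (not visible in this hunk), walking the cdr chain iteratively would bound that.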
diff --git a/contrib/bind9/lib/isccc/symtab.c b/contrib/bind9/lib/isccc/symtab.c
new file mode 100644
index 0000000..6aca485
--- /dev/null
+++ b/contrib/bind9/lib/isccc/symtab.c
@@ -0,0 +1,278 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2001 Internet Software Consortium.
+ * Portions Copyright (C) 2001 Nominum, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: symtab.c,v 1.3.12.3 2004/03/08 09:05:04 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <isc/assertions.h>
+#include <isc/magic.h>
+
+#include <isccc/result.h>
+#include <isccc/symtab.h>
+#include <isccc/util.h>
+
+typedef struct elt {
+ char * key;
+ unsigned int type;
+ isccc_symvalue_t value;
+ ISC_LINK(struct elt) link;
+} elt_t;
+
+typedef ISC_LIST(elt_t) eltlist_t;
+
+#define SYMTAB_MAGIC ISC_MAGIC('S', 'y', 'm', 'T')
+#define VALID_SYMTAB(st) ISC_MAGIC_VALID(st, SYMTAB_MAGIC)
+
+struct isccc_symtab {
+ unsigned int magic;
+ unsigned int size;
+ eltlist_t * table;
+ isccc_symtabundefaction_t undefine_action;
+ void * undefine_arg;
+ isc_boolean_t case_sensitive;
+};
+
+isc_result_t
+isccc_symtab_create(unsigned int size,
+ isccc_symtabundefaction_t undefine_action,
+ void *undefine_arg,
+ isc_boolean_t case_sensitive,
+ isccc_symtab_t **symtabp)
+{
+ isccc_symtab_t *symtab;
+ unsigned int i;
+
+ REQUIRE(symtabp != NULL && *symtabp == NULL);
+ REQUIRE(size > 0); /* Should be prime. */
+
+ symtab = malloc(sizeof(*symtab));
+ if (symtab == NULL)
+ return (ISC_R_NOMEMORY);
+ symtab->table = malloc(size * sizeof(eltlist_t));
+ if (symtab->table == NULL) {
+ free(symtab);
+ return (ISC_R_NOMEMORY);
+ }
+ for (i = 0; i < size; i++)
+ ISC_LIST_INIT(symtab->table[i]);
+ symtab->size = size;
+ symtab->undefine_action = undefine_action;
+ symtab->undefine_arg = undefine_arg;
+ symtab->case_sensitive = case_sensitive;
+ symtab->magic = SYMTAB_MAGIC;
+
+ *symtabp = symtab;
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+free_elt(isccc_symtab_t *symtab, unsigned int bucket, elt_t *elt) {
+ ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+ if (symtab->undefine_action != NULL)
+ (symtab->undefine_action)(elt->key, elt->type, elt->value,
+ symtab->undefine_arg);
+ free(elt);
+}
+
+void
+isccc_symtab_destroy(isccc_symtab_t **symtabp) {
+ isccc_symtab_t *symtab;
+ unsigned int i;
+ elt_t *elt, *nelt;
+
+ REQUIRE(symtabp != NULL);
+ symtab = *symtabp;
+ REQUIRE(VALID_SYMTAB(symtab));
+
+ for (i = 0; i < symtab->size; i++) {
+ for (elt = ISC_LIST_HEAD(symtab->table[i]);
+ elt != NULL;
+ elt = nelt) {
+ nelt = ISC_LIST_NEXT(elt, link);
+ free_elt(symtab, i, elt);
+ }
+ }
+ free(symtab->table);
+ symtab->magic = 0;
+ free(symtab);
+
+ *symtabp = NULL;
+}
+
+static inline unsigned int
+hash(const char *key, isc_boolean_t case_sensitive) {
+ const char *s;
+ unsigned int h = 0;
+ unsigned int g;
+ int c;
+
+ /*
+ * P. J. Weinberger's hash function, adapted from p. 436 of
+ * _Compilers: Principles, Techniques, and Tools_, Aho, Sethi
+ * and Ullman, Addison-Wesley, 1986, ISBN 0-201-10088-6.
+ */
+
+ if (case_sensitive) {
+ for (s = key; *s != '\0'; s++) {
+ h = ( h << 4 ) + *s;
+ if ((g = ( h & 0xf0000000 )) != 0) {
+ h = h ^ (g >> 24);
+ h = h ^ g;
+ }
+ }
+ } else {
+ for (s = key; *s != '\0'; s++) {
+ c = *s;
+ c = tolower((unsigned char)c);
+ h = ( h << 4 ) + c;
+ if ((g = ( h & 0xf0000000 )) != 0) {
+ h = h ^ (g >> 24);
+ h = h ^ g;
+ }
+ }
+ }
+
+ return (h);
+}
+
+#define FIND(s, k, t, b, e) \
+ b = hash((k), (s)->case_sensitive) % (s)->size; \
+ if ((s)->case_sensitive) { \
+ for (e = ISC_LIST_HEAD((s)->table[b]); \
+ e != NULL; \
+ e = ISC_LIST_NEXT(e, link)) { \
+ if (((t) == 0 || e->type == (t)) && \
+ strcmp(e->key, (k)) == 0) \
+ break; \
+ } \
+ } else { \
+ for (e = ISC_LIST_HEAD((s)->table[b]); \
+ e != NULL; \
+ e = ISC_LIST_NEXT(e, link)) { \
+ if (((t) == 0 || e->type == (t)) && \
+ strcasecmp(e->key, (k)) == 0) \
+ break; \
+ } \
+ }
+
+isc_result_t
+isccc_symtab_lookup(isccc_symtab_t *symtab, const char *key, unsigned int type,
+ isccc_symvalue_t *value)
+{
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (elt == NULL)
+ return (ISC_R_NOTFOUND);
+
+ if (value != NULL)
+ *value = elt->value;
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_define(isccc_symtab_t *symtab, char *key, unsigned int type,
+ isccc_symvalue_t value, isccc_symexists_t exists_policy)
+{
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+ REQUIRE(type != 0);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (exists_policy != isccc_symexists_add && elt != NULL) {
+ if (exists_policy == isccc_symexists_reject)
+ return (ISC_R_EXISTS);
+ INSIST(exists_policy == isccc_symexists_replace);
+ ISC_LIST_UNLINK(symtab->table[bucket], elt, link);
+ if (symtab->undefine_action != NULL)
+ (symtab->undefine_action)(elt->key, elt->type,
+ elt->value,
+ symtab->undefine_arg);
+ } else {
+ elt = malloc(sizeof(*elt));
+ if (elt == NULL)
+ return (ISC_R_NOMEMORY);
+ ISC_LINK_INIT(elt, link);
+ }
+
+ elt->key = key;
+ elt->type = type;
+ elt->value = value;
+
+ /*
+ * We prepend so that the most recent definition will be found.
+ */
+ ISC_LIST_PREPEND(symtab->table[bucket], elt, link);
+
+ return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isccc_symtab_undefine(isccc_symtab_t *symtab, const char *key, unsigned int type) {
+ unsigned int bucket;
+ elt_t *elt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(key != NULL);
+
+ FIND(symtab, key, type, bucket, elt);
+
+ if (elt == NULL)
+ return (ISC_R_NOTFOUND);
+
+ free_elt(symtab, bucket, elt);
+
+ return (ISC_R_SUCCESS);
+}
+
+void
+isccc_symtab_foreach(isccc_symtab_t *symtab, isccc_symtabforeachaction_t action,
+ void *arg)
+{
+ unsigned int i;
+ elt_t *elt, *nelt;
+
+ REQUIRE(VALID_SYMTAB(symtab));
+ REQUIRE(action != NULL);
+
+ for (i = 0; i < symtab->size; i++) {
+ for (elt = ISC_LIST_HEAD(symtab->table[i]);
+ elt != NULL;
+ elt = nelt) {
+ nelt = ISC_LIST_NEXT(elt, link);
+ if ((action)(elt->key, elt->type, elt->value, arg))
+ free_elt(symtab, i, elt);
+ }
+ }
+}
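Review bot: `isccc_symtab_create` passes `size * sizeof(eltlist_t)` to `malloc` without an overflow check, and the loop that follows initialises `size` buckets. Where `size_t` is no wider than `unsigned int`, a large enough `size` wraps the product, the allocation comes back short, and `ISC_LIST_INIT` writes past it. Callers probably pass small constants (not visible here), but the function only requires `size > 0`. A guard before the allocation closes this: `if (size > ((size_t)-1) / sizeof(eltlist_t)) return (ISC_R_NOMEMORY);`. It would also help to document on `isccc_symtab_define` that `key` is stored by pointer rather than copied, so it must stay valid until the entry's `undefine_action` runs.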
diff --git a/contrib/bind9/lib/isccc/version.c b/contrib/bind9/lib/isccc/version.c
new file mode 100644
index 0000000..08cda2f
--- /dev/null
+++ b/contrib/bind9/lib/isccc/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:04 marka Exp $ */
+
+#include <isccc/version.h>
+
+const char isccc_version[] = VERSION;
+
+const unsigned int isccc_libinterface = LIBINTERFACE;
+const unsigned int isccc_librevision = LIBREVISION;
+const unsigned int isccc_libage = LIBAGE;
diff --git a/contrib/bind9/lib/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/Makefile.in
new file mode 100644
index 0000000..ee80508
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/Makefile.in
@@ -0,0 +1,83 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6.12.8 2004/07/20 07:01:58 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBISCCFG_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I. ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@
+ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@
+
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = libisccfg.@A@
+
+LIBS = @LIBS@
+
+SUBDIRS = include
+
+# Alphabetically
+OBJS = log.@O@ namedconf.@O@ parser.@O@ version.@O@
+
+# Alphabetically
+SRCS = log.c namedconf.c parser.c version.c
+
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+libisccfg.@SA@: ${OBJS}
+ ${AR} ${ARFLAGS} $@ ${OBJS}
+ ${RANLIB} $@
+
+libisccfg.la: ${OBJS}
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccfg.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} ${LIBS} ${DNSLIBS} ${ISCCCLIBS} ${ISCLIBS}
+
+timestamp: libisccfg.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} libisccfg.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f libisccfg.@A@ timestamp
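Review bot: `ISCCFGLIBS = ../../lib/cfg/libisccfg.@A@` points at `lib/cfg`, but this Makefile lives in `lib/isccfg` and builds `libisccfg.@A@` there (see `ISCCFGDEPLIBS = libisccfg.@A@`). No rule visible in this file uses the variable, so the build here is unaffected. The path is still misleading, and it would fail if something later linked against it. I would correct it to `ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@` or drop the line. As a small style point, the `timestamp` recipe could be written `touch $@` so the target name is not repeated.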
diff --git a/contrib/bind9/lib/isccfg/api b/contrib/bind9/lib/isccfg/api
new file mode 100644
index 0000000..7c378e6
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 1
+LIBREVISION = 4
+LIBAGE = 0
diff --git a/contrib/bind9/lib/isccfg/include/Makefile.in b/contrib/bind9/lib/isccfg/include/Makefile.in
new file mode 100644
index 0000000..77d3219
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.206.1 2004/03/06 08:15:27 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = isccfg
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
new file mode 100644
index 0000000..dc8b1b1
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/Makefile.in
@@ -0,0 +1,42 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001, 2002 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.4.12.3 2004/03/08 09:05:07 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = cfg.h grammar.h log.h namedconf.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/isccfg
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg ; \
+ done
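Review bot: The `install::` loop reports a failure of `${INSTALL_DATA}` only for the last header, because the exit status of a shell `for` loop is that of its final command, unless make runs the recipe under `sh -e`. A partly installed header set under `${DESTDIR}${includedir}/isccfg` could then pass as a successful install. I would make the loop body fail fast: `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/isccfg || exit 1 ; \`.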
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/cfg.h b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
new file mode 100644
index 0000000..b4081cd
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/cfg.h
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: cfg.h,v 1.30.12.4 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_CFG_H
+#define ISCCFG_CFG_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * This is the new, table-driven, YACC-free configuration file parser.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <isc/formatcheck.h>
+#include <isc/lang.h>
+#include <isc/types.h>
+#include <isc/list.h>
+
+
+/***
+ *** Types
+ ***/
+
+typedef struct cfg_parser cfg_parser_t;
+/*
+ * A configuration parser.
+ */
+
+/*
+ * A configuration type definition object. There is a single
+ * static cfg_type_t object for each data type supported by
+ * the configuration parser.
+ */
+typedef struct cfg_type cfg_type_t;
+
+/*
+ * A configuration object. This is the basic building block of the
+ * configuration parse tree. It contains a value (which may be
+ * of one of several types) and information identifying the file
+ * and line number the value came from, for printing error
+ * messages.
+ */
+typedef struct cfg_obj cfg_obj_t;
+
+/*
+ * A configuration object list element.
+ */
+typedef struct cfg_listelt cfg_listelt_t;
+
+/*
+ * A callback function to be called when parsing an option
+ * that needs to be interpreted at parsing time, like
+ * "directory".
+ */
+typedef isc_result_t
+(*cfg_parsecallback_t)(const char *clausename, cfg_obj_t *obj, void *arg);
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret);
+/*
+ * Create a configuration file parser. Any warning and error
+ * messages will be logged to 'lctx'.
+ *
+ * The parser object returned can be used for a single call
+ * to cfg_parse_file() or cfg_parse_buffer(). It must not
+ * be reused for parsing multiple files or buffers.
+ */
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx,
+ cfg_parsecallback_t callback,
+ void *arg);
+/*
+ * Make the parser call 'callback' whenever it encounters
+ * a configuration clause with the callback attribute,
+ * passing it the clause name, the clause value,
+ * and 'arg' as arguments.
+ *
+ * To restore the default of not invoking callbacks, pass
+ * callback==NULL and arg==NULL.
+ */
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *filename,
+ const cfg_type_t *type, cfg_obj_t **ret);
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
+ const cfg_type_t *type, cfg_obj_t **ret);
+/*
+ * Read a configuration containing data of type 'type'
+ * and make '*ret' point to its parse tree.
+ *
+ * The configuration is read from the file 'filename'
+ * (isc_parse_file()) or the buffer 'buffer'
+ * (isc_parse_buffer()).
+ *
+ * Returns an error if the file does not parse correctly.
+ *
+ * Requires:
+ * "filename" is valid.
+ * "mem" is valid.
+ * "type" is valid.
+ * "cfg" is non-NULL and "*cfg" is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - success
+ * ISC_R_NOMEMORY - no memory available
+ * ISC_R_INVALIDFILE - file doesn't exist or is unreadable
+ * others - file contains errors
+ */
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp);
+/*
+ * Destroy a configuration parser.
+ */
+
+isc_boolean_t
+cfg_obj_isvoid(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of void type (e.g., an optional
+ * value not specified).
+ */
+
+isc_boolean_t
+cfg_obj_ismap(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of a map type.
+ */
+
+isc_result_t
+cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj);
+/*
+ * Extract an element from a configuration object, which
+ * must be of a map type.
+ *
+ * Requires:
+ * 'mapobj' points to a valid configuration object of a map type.
+ * 'name' points to a null-terminated string.
+ * 'obj' is non-NULL and '*obj' is NULL.
+ *
+ * Returns:
+ * ISC_R_SUCCESS - success
+ * ISC_R_NOTFOUND - name not found in map
+ */
+
+cfg_obj_t *
+cfg_map_getname(cfg_obj_t *mapobj);
+/*
+ * Get the name of a named map object, like a server "key" clause.
+ *
+ * Requires:
+ * 'mapobj' points to a valid configuration object of a map type.
+ *
+ * Returns:
+ * A pointer to a configuration object naming the map object,
+ * or NULL if the map object does not have a name.
+ */
+
+isc_boolean_t
+cfg_obj_istuple(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of a map type.
+ */
+
+cfg_obj_t *
+cfg_tuple_get(cfg_obj_t *tupleobj, const char *name);
+/*
+ * Extract an element from a configuration object, which
+ * must be of a tuple type.
+ *
+ * Requires:
+ * 'tupleobj' points to a valid configuration object of a tuple type.
+ * 'name' points to a null-terminated string naming one of the
+ * fields of said tuple type.
+ */
+
+isc_boolean_t
+cfg_obj_isuint32(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of integer type.
+ */
+
+isc_uint32_t
+cfg_obj_asuint32(cfg_obj_t *obj);
+/*
+ * Returns the value of a configuration object of 32-bit integer type.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of 32-bit integer type.
+ *
+ * Returns:
+ * A 32-bit unsigned integer.
+ */
+
+isc_boolean_t
+cfg_obj_isuint64(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of integer type.
+ */
+
+isc_uint64_t
+cfg_obj_asuint64(cfg_obj_t *obj);
+/*
+ * Returns the value of a configuration object of 64-bit integer type.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of 64-bit integer type.
+ *
+ * Returns:
+ * A 64-bit unsigned integer.
+ */
+
+isc_boolean_t
+cfg_obj_isstring(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of string type.
+ */
+
+char *
+cfg_obj_asstring(cfg_obj_t *obj);
+/*
+ * Returns the value of a configuration object of a string type
+ * as a null-terminated string.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of a string type.
+ *
+ * Returns:
+ * A pointer to a null terminated string.
+ */
+
+isc_boolean_t
+cfg_obj_isboolean(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of a boolean type.
+ */
+
+isc_boolean_t
+cfg_obj_asboolean(cfg_obj_t *obj);
+/*
+ * Returns the value of a configuration object of a boolean type.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of a boolean type.
+ *
+ * Returns:
+ * A boolean value.
+ */
+
+isc_boolean_t
+cfg_obj_issockaddr(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is a socket address.
+ */
+
+isc_sockaddr_t *
+cfg_obj_assockaddr(cfg_obj_t *obj);
+/*
+ * Returns the value of a configuration object representing a socket address.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of a socket address type.
+ *
+ * Returns:
+ * A pointer to a sockaddr. The sockaddr must be copied by the caller
+ * if necessary.
+ */
+
+isc_boolean_t
+cfg_obj_isnetprefix(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is a network prefix.
+ */
+
+void
+cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+ unsigned int *prefixlen);
+/*
+ * Gets the value of a configuration object representing a network
+ * prefix. The network address is returned through 'netaddr' and the
+ * prefix length in bits through 'prefixlen'.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of network prefix type.
+ * 'netaddr' and 'prefixlen' are non-NULL.
+ */
+
+isc_boolean_t
+cfg_obj_islist(cfg_obj_t *obj);
+/*
+ * Return true iff 'obj' is of list type.
+ */
+
+cfg_listelt_t *
+cfg_list_first(cfg_obj_t *obj);
+/*
+ * Returns the first list element in a configuration object of a list type.
+ *
+ * Requires:
+ * 'obj' points to a valid configuration object of a list type or NULL.
+ *
+ * Returns:
+ * A pointer to a cfg_listelt_t representing the first list element,
+ * or NULL if the list is empty or nonexistent.
+ */
+
+cfg_listelt_t *
+cfg_list_next(cfg_listelt_t *elt);
+/*
+ * Returns the next element of a list of configuration objects.
+ *
+ * Requires:
+ * 'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ * a previous call to cfg_list_next().
+ *
+ * Returns:
+ * A pointer to a cfg_listelt_t representing the next element,
+ * or NULL if there are no more elements.
+ */
+
+cfg_obj_t *
+cfg_listelt_value(cfg_listelt_t *elt);
+/*
+ * Returns the configuration object associated with cfg_listelt_t.
+ *
+ * Requires:
+ * 'elt' points to cfg_listelt_t obtained from cfg_list_first() or
+ * cfg_list_next().
+ *
+ * Returns:
+ * A non-NULL pointer to a configuration object.
+ */
+
+void
+cfg_print(cfg_obj_t *obj,
+ void (*f)(void *closure, const char *text, int textlen),
+ void *closure);
+/*
+ * Print the configuration object 'obj' by repeatedly calling the
+ * function 'f', passing 'closure' and a region of text starting
+ * at 'text' and comprising 'textlen' characters.
+ */
+
+void
+cfg_print_grammar(const cfg_type_t *type,
+ void (*f)(void *closure, const char *text, int textlen),
+ void *closure);
+/*
+ * Print a summary of the grammar of the configuration type 'type'.
+ */
+
+isc_boolean_t
+cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type);
+/*
+ * Return true iff 'obj' is of type 'type'.
+ */
+
+void cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **obj);
+/*
+ * Destroy a configuration object.
+ */
+
+void
+cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...)
+ ISC_FORMAT_PRINTF(4, 5);
+/*
+ * Log a message concerning configuration object 'obj' to the logging
+ * channel of 'pctx', at log level 'level'. The message will be prefixed
+ * with the file name(s) and line number where 'obj' was defined.
+ */
+
+const char *
+cfg_obj_file(cfg_obj_t *obj);
+/*
+ * Return the file that defined this object.
+ */
+
+unsigned int
+cfg_obj_line(cfg_obj_t *obj);
+/*
+ * Return the line in file where this object was defined.
+ */
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_CFG_H */
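Review bot: The comment under cfg_obj_istuple() reads `Return true iff 'obj' is of a map type.`, which is copied from cfg_obj_ismap() and should be `Return true iff 'obj' is of a tuple type.`. This matters because the cfg_obj_as*() and cfg_tuple_get()/cfg_map_get() accessors only state the matching type as a `Requires:` precondition, so callers choose their guard predicate from these comments. The block for cfg_parse_file()/cfg_parse_buffer() also names `isc_parse_file()` and `isc_parse_buffer()`, and its `Requires:` list refers to "mem" and "cfg", while the parameters are `pctx` and `ret`. The cfg_obj_log() comment speaks of the logging channel of 'pctx', but the parameter is `lctx`. As this is a vendor import, these wording fixes are best sent upstream rather than patched locally.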
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/grammar.h b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
new file mode 100644
index 0000000..1b5d8d1
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/grammar.h
@@ -0,0 +1,439 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: grammar.h,v 1.3.50.3 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_GRAMMAR_H
+#define ISCCFG_GRAMMAR_H 1
+
+#include <isc/lex.h>
+#include <isc/netaddr.h>
+#include <isc/sockaddr.h>
+#include <isc/region.h>
+#include <isc/types.h>
+
+#include <isccfg/cfg.h>
+
+/*
+ * Definitions shared between the configuration parser
+ * and the grammars; not visible to users of the parser.
+ */
+
+/* Clause may occur multiple times (e.g., "zone") */
+#define CFG_CLAUSEFLAG_MULTI 0x00000001
+/* Clause is obsolete */
+#define CFG_CLAUSEFLAG_OBSOLETE 0x00000002
+/* Clause is not implemented, and may never be */
+#define CFG_CLAUSEFLAG_NOTIMP 0x00000004
+/* Clause is not implemented yet */
+#define CFG_CLAUSEFLAG_NYI 0x00000008
+/* Default value has changed since earlier release */
+#define CFG_CLAUSEFLAG_NEWDEFAULT 0x00000010
+/*
+ * Clause needs to be interpreted during parsing
+ * by calling a callback function, like the
+ * "directory" option.
+ */
+#define CFG_CLAUSEFLAG_CALLBACK 0x00000020
+
+typedef struct cfg_clausedef cfg_clausedef_t;
+typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
+typedef struct cfg_printer cfg_printer_t;
+typedef ISC_LIST(cfg_listelt_t) cfg_list_t;
+typedef struct cfg_map cfg_map_t;
+typedef struct cfg_rep cfg_rep_t;
+
+/*
+ * Function types for configuration object methods
+ */
+
+typedef isc_result_t (*cfg_parsefunc_t)(cfg_parser_t *, const cfg_type_t *type,
+ cfg_obj_t **);
+typedef void (*cfg_printfunc_t)(cfg_printer_t *, cfg_obj_t *);
+typedef void (*cfg_docfunc_t)(cfg_printer_t *, const cfg_type_t *);
+typedef void (*cfg_freefunc_t)(cfg_parser_t *, cfg_obj_t *);
+
+/*
+ * Structure definitions
+ */
+
+/*
+ * A configuration printer object. This is an abstract
+ * interface to a destination to which text can be printed
+ * by calling the function 'f'.
+ */
+struct cfg_printer {
+ void (*f)(void *closure, const char *text, int textlen);
+ void *closure;
+ int indent;
+};
+
+/* A clause definition. */
+
+struct cfg_clausedef {
+ const char *name;
+ cfg_type_t *type;
+ unsigned int flags;
+};
+
+/* A tuple field definition. */
+
+struct cfg_tuplefielddef {
+ const char *name;
+ cfg_type_t *type;
+ unsigned int flags;
+};
+
+/* A configuration object type definition. */
+struct cfg_type {
+ const char *name; /* For debugging purposes only */
+ cfg_parsefunc_t parse;
+ cfg_printfunc_t print;
+ cfg_docfunc_t doc; /* Print grammar description */
+ cfg_rep_t * rep; /* Data representation */
+ const void * of; /* Additional data for meta-types */
+};
+
+/* A keyword-type definition, for things like "port <integer>". */
+
+typedef struct {
+ const char *name;
+ const cfg_type_t *type;
+} keyword_type_t;
+
+struct cfg_map {
+ cfg_obj_t *id; /* Used for 'named maps' like keys, zones, &c */
+ const cfg_clausedef_t * const *clausesets; /* The clauses that
+ can occur in this map;
+ used for printing */
+ isc_symtab_t *symtab;
+};
+
+typedef struct cfg_netprefix cfg_netprefix_t;
+
+struct cfg_netprefix {
+ isc_netaddr_t address; /* IP4/IP6 */
+ unsigned int prefixlen;
+};
+
+/*
+ * A configuration data representation.
+ */
+struct cfg_rep {
+ const char * name; /* For debugging only */
+ cfg_freefunc_t free; /* How to free this kind of data. */
+};
+
+/*
+ * A configuration object. This is the main building block
+ * of the configuration parse tree.
+ */
+
+struct cfg_obj {
+ const cfg_type_t *type;
+ union {
+ isc_uint32_t uint32;
+ isc_uint64_t uint64;
+ isc_textregion_t string; /* null terminated, too */
+ isc_boolean_t boolean;
+ cfg_map_t map;
+ cfg_list_t list;
+ cfg_obj_t ** tuple;
+ isc_sockaddr_t sockaddr;
+ cfg_netprefix_t netprefix;
+ } value;
+ char * file;
+ unsigned int line;
+};
+
+
+/* A list element. */
+
+struct cfg_listelt {
+ cfg_obj_t *obj;
+ ISC_LINK(cfg_listelt_t) link;
+};
+
+/* The parser object. */
+struct cfg_parser {
+ isc_mem_t * mctx;
+ isc_log_t * lctx;
+ isc_lex_t * lexer;
+ unsigned int errors;
+ unsigned int warnings;
+ isc_token_t token;
+
+ /* We are at the end of all input. */
+ isc_boolean_t seen_eof;
+
+ /* The current token has been pushed back. */
+ isc_boolean_t ungotten;
+
+ /*
+ * The stack of currently active files, represented
+ * as a configuration list of configuration strings.
+ * The head is the top-level file, subsequent elements
+ * (if any) are the nested include files, and the
+ * last element is the file currently being parsed.
+ */
+ cfg_obj_t * open_files;
+
+ /*
+ * Names of files that we have parsed and closed
+ * and were previously on the open_file list.
+ * We keep these objects around after closing
+ * the files because the file names may still be
+ * referenced from other configuration objects
+ * for use in reporting semantic errors after
+ * parsing is complete.
+ */
+ cfg_obj_t * closed_files;
+
+ /*
+ * Current line number. We maintain our own
+ * copy of this so that it is available even
+ * when a file has just been closed.
+ */
+ unsigned int line;
+
+ cfg_parsecallback_t callback;
+ void *callbackarg;
+};
+
+
+/*
+ * Flags defining whether to accept certain types of network addresses.
+ */
+#define CFG_ADDR_V4OK 0x00000001
+#define CFG_ADDR_V4PREFIXOK 0x00000002
+#define CFG_ADDR_V6OK 0x00000004
+#define CFG_ADDR_WILDOK 0x00000008
+
+/*
+ * Predefined data representation types.
+ */
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint32;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_uint64;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_string;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_boolean;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_map;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_list;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_tuple;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_sockaddr;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_netprefix;
+LIBISCCFG_EXTERNAL_DATA cfg_rep_t cfg_rep_void;
+
+/*
+ * Predefined configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_boolean;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint32;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_uint64;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netprefix;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_void;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_token;
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_unsupported;
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options);
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options);
+
+void
+cfg_ungettoken(cfg_parser_t *pctx);
+
+#define CFG_LEXOPT_QSTRING (ISC_LEXOPT_QSTRING | ISC_LEXOPT_QSTRINGMULTILINE)
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u);
+
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na);
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na);
+
+isc_boolean_t
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags);
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port);
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special);
+/* Parse a required special character 'special'. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+ cfg_listelt_t **ret);
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
+/* Print 'len' characters at 'text' */
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s);
+/* Print the null-terminated string 's' */
+
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type);
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+void
+cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type);
+/*
+ * Print a description of the grammar of an arbitrary configuration
+ * type 'type'
+ */
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
+/*
+ * Document the type 'type' as a terminal by printing its
+ * name in angle brackets, e.g., <uint32>.
+ */
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+/*
+ * Pass one of these flags to cfg_parser_error() to include the
+ * token text in log message.
+ */
+#define CFG_LOG_NEAR 0x00000001 /* Say "near <token>" */
+#define CFG_LOG_BEFORE 0x00000002 /* Say "before <token>" */
+#define CFG_LOG_NOPREP 0x00000004 /* Say just "<token>" */
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags,
+ const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
+
+isc_boolean_t
+cfg_is_enum(const char *s, const char *const *enums);
+/* Return true iff the string 's' is one of the strings in 'enums' */
+
+#endif /* ISCCFG_GRAMMAR_H */
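Review bot: The ten `cfg_rep_*` declarations under "Predefined data representation types" lack the `extern` that the `cfg_type_*` declarations directly below them carry. Unless `LIBISCCFG_EXTERNAL_DATA` itself expands to a storage-class specifier (its definition is not in this hunk), every translation unit that includes grammar.h emits a tentative definition of each object. That links only where the toolchain merges common symbols and otherwise fails with duplicate-definition errors. Writing them as `LIBISCCFG_EXTERNAL_DATA extern cfg_rep_t cfg_rep_uint32;`, and likewise for the other nine, matches the rest of the header.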
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/log.h b/contrib/bind9/lib/isccfg/include/isccfg/log.h
new file mode 100644
index 0000000..b3d2da7d
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/log.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.h,v 1.3.2.1.10.3 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_LOG_H
+#define ISCCFG_LOG_H 1
+
+#include <isc/lang.h>
+#include <isc/log.h>
+
+LIBISCCFG_EXTERNAL_DATA extern isc_logcategory_t cfg_categories[];
+LIBISCCFG_EXTERNAL_DATA extern isc_logmodule_t cfg_modules[];
+
+#define CFG_LOGCATEGORY_CONFIG (&cfg_categories[0])
+
+#define CFG_LOGMODULE_PARSER (&cfg_modules[0])
+
+ISC_LANG_BEGINDECLS
+
+void
+cfg_log_init(isc_log_t *lctx);
+/*
+ * Make the libisccfg categories and modules available for use with the
+ * ISC logging library.
+ *
+ * Requires:
+ * lctx is a valid logging context.
+ *
+ * cfg_log_init() is called only once.
+ *
+ * Ensures:
+ * The catgories and modules defined above are available for
+ * use by isc_log_usechannnel() and isc_log_write().
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISCCFG_LOG_H */
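Review bot: The `Ensures:` paragraph for cfg_log_init() misspells two names, `catgories` and `isc_log_usechannnel()`, so a search for the real function name does not find this contract. It should read `The categories and modules defined above are available for use by isc_log_usechannel() and isc_log_write().`. The `Requires:` entry that cfg_log_init() is called only once is not checked by the implementation added in log.c in this same commit, which asserts only `lctx != NULL`. The comment could state that the once-only rule is the caller's responsibility.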
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
new file mode 100644
index 0000000..4d5bd0b
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/namedconf.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: namedconf.h,v 1.2.202.3 2004/03/08 09:05:07 marka Exp $ */
+
+#ifndef ISCCFG_NAMEDCONF_H
+#define ISCCFG_NAMEDCONF_H 1
+
+/*
+ * This module defines the named.conf, rndc.conf, and rndc.key grammars.
+ */
+
+#include <isccfg/cfg.h>
+
+/*
+ * Configuration object types.
+ */
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_namedconf;
+/* A complete named.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndcconf;
+/* A complete rndc.conf file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_rndckey;
+/* A complete rndc.key file. */
+
+LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
+/* A key reference, used as an ACL element */
+
+#endif /* ISCCFG_CFG_H */
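Review bot: The closing line `#endif /* ISCCFG_CFG_H */` names the wrong guard, since this header opens with `#ifndef ISCCFG_NAMEDCONF_H`. It should be `#endif /* ISCCFG_NAMEDCONF_H */`. The code is unaffected, but the stale comment misleads anyone matching guards by name across the isccfg headers.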
diff --git a/contrib/bind9/lib/isccfg/include/isccfg/version.h b/contrib/bind9/lib/isccfg/include/isccfg/version.h
new file mode 100644
index 0000000..d02a814
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/include/isccfg/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.222.3 2004/03/08 09:05:08 marka Exp $ */
+
+#include <isc/platform.h>
+
+LIBISCCFG_EXTERNAL_DATA extern const char cfg_version[];
+
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libinterface;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_librevision;
+LIBISCCFG_EXTERNAL_DATA extern const unsigned int cfg_libage;
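Review bot: version.h has no include guard, unlike cfg.h, grammar.h, log.h and namedconf.h in the same directory, which each open with an `#ifndef ISCCFG_..._H` / `#define` pair. The four `extern` declarations are harmless when repeated, so this is a consistency point rather than a build error. Wrapping the body in `#ifndef ISCCFG_VERSION_H` and `#define ISCCFG_VERSION_H 1`, closed by `#endif /* ISCCFG_VERSION_H */`, keeps the header safe if definitions are added later.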
diff --git a/contrib/bind9/lib/isccfg/log.c b/contrib/bind9/lib/isccfg/log.c
new file mode 100644
index 0000000..b16b4d3
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/log.c
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: log.c,v 1.2.2.1.10.3 2004/03/08 09:05:06 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/util.h>
+
+#include <isccfg/log.h>
+
+/*
+ * When adding a new category, be sure to add the appropriate
+ * #define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
+ { "config", 0 },
+ { NULL, 0 }
+};
+
+/*
+ * When adding a new module, be sure to add the appropriate
+ * #define to <isccfg/log.h>.
+ */
+LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
+ { "isccfg/parser", 0 },
+ { NULL, 0 }
+};
+
+void
+cfg_log_init(isc_log_t *lctx) {
+ REQUIRE(lctx != NULL);
+
+ isc_log_registercategories(lctx, cfg_categories);
+ isc_log_registermodules(lctx, cfg_modules);
+}
diff --git a/contrib/bind9/lib/isccfg/namedconf.c b/contrib/bind9/lib/isccfg/namedconf.c
new file mode 100644
index 0000000..2e01b2b
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/namedconf.c
@@ -0,0 +1,1906 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2002, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: namedconf.c,v 1.21.44.28 2004/06/04 02:33:01 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/lex.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/* Check a return value. */
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+/* Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj) \
+ do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
+
+
+/*
+ * Forward declarations of static functions.
+ */
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+ const cfg_type_t *othertype, cfg_obj_t **ret);
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type);
+
+static cfg_type_t cfg_type_acl;
+static cfg_type_t cfg_type_addrmatchelt;
+static cfg_type_t cfg_type_bracketed_aml;
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
+static cfg_type_t cfg_type_bracketed_sockaddrlist;
+static cfg_type_t cfg_type_controls;
+static cfg_type_t cfg_type_controls_sockaddr;
+static cfg_type_t cfg_type_destinationlist;
+static cfg_type_t cfg_type_dialuptype;
+static cfg_type_t cfg_type_key;
+static cfg_type_t cfg_type_logfile;
+static cfg_type_t cfg_type_logging;
+static cfg_type_t cfg_type_logseverity;
+static cfg_type_t cfg_type_lwres;
+static cfg_type_t cfg_type_masterselement;
+static cfg_type_t cfg_type_nameportiplist;
+static cfg_type_t cfg_type_negated;
+static cfg_type_t cfg_type_notifytype;
+static cfg_type_t cfg_type_optional_class;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_facility;
+static cfg_type_t cfg_type_optional_keyref;
+static cfg_type_t cfg_type_optional_port;
+static cfg_type_t cfg_type_options;
+static cfg_type_t cfg_type_portiplist;
+static cfg_type_t cfg_type_querysource4;
+static cfg_type_t cfg_type_querysource6;
+static cfg_type_t cfg_type_querysource;
+static cfg_type_t cfg_type_server;
+static cfg_type_t cfg_type_server_key_kludge;
+static cfg_type_t cfg_type_size;
+static cfg_type_t cfg_type_sizenodefault;
+static cfg_type_t cfg_type_sockaddr4wild;
+static cfg_type_t cfg_type_sockaddr6wild;
+static cfg_type_t cfg_type_view;
+static cfg_type_t cfg_type_viewopts;
+static cfg_type_t cfg_type_zone;
+static cfg_type_t cfg_type_zoneopts;
+
+/* tkey-dhkey */
+
+static cfg_tuplefielddef_t tkey_dhkey_fields[] = {
+ { "name", &cfg_type_qstring, 0 },
+ { "keyid", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_tkey_dhkey = {
+ "tkey-dhkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ tkey_dhkey_fields
+};
+
+/* listen-on */
+
+static cfg_tuplefielddef_t listenon_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "acl", &cfg_type_bracketed_aml, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_listenon = {
+ "listenon", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, listenon_fields };
+
+/* acl */
+
+static cfg_tuplefielddef_t acl_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "value", &cfg_type_bracketed_aml, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_acl = {
+ "acl", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, acl_fields };
+
+/* masters */
+static cfg_tuplefielddef_t masters_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "port", &cfg_type_optional_port, 0 },
+ { "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_masters = {
+ "masters", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, masters_fields };
+
+/*
+ * "sockaddrkeylist", a list of socket addresses with optional keys
+ * and an optional default port, as used in the masters option.
+ * E.g.,
+ * "port 1234 { mymasters; 10.0.0.1 key foo; 1::2 port 69; }"
+ */
+
+static cfg_tuplefielddef_t namesockaddrkey_fields[] = {
+ { "masterselement", &cfg_type_masterselement, 0 },
+ { "key", &cfg_type_optional_keyref, 0 },
+ { NULL, NULL, 0 },
+};
+
+static cfg_type_t cfg_type_namesockaddrkey = {
+ "namesockaddrkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ namesockaddrkey_fields
+};
+
+static cfg_type_t cfg_type_bracketed_namesockaddrkeylist = {
+ "bracketed_namesockaddrkeylist", cfg_parse_bracketed_list,
+ cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_namesockaddrkey
+};
+
+static cfg_tuplefielddef_t namesockaddrkeylist_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "addresses", &cfg_type_bracketed_namesockaddrkeylist, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_namesockaddrkeylist = {
+ "sockaddrkeylist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ namesockaddrkeylist_fields
+};
+
+/*
+ * A list of socket addresses with an optional default port,
+ * as used in the also-notify option. E.g.,
+ * "port 1234 { 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t portiplist_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "addresses", &cfg_type_bracketed_sockaddrlist, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_portiplist = {
+ "portiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ portiplist_fields
+};
+
+/*
+ * A public key, as in the "pubkey" statement.
+ */
+static cfg_tuplefielddef_t pubkey_fields[] = {
+ { "flags", &cfg_type_uint32, 0 },
+ { "protocol", &cfg_type_uint32, 0 },
+ { "algorithm", &cfg_type_uint32, 0 },
+ { "key", &cfg_type_qstring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_pubkey = {
+ "pubkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, pubkey_fields };
+
+/*
+ * A list of RR types, used in grant statements.
+ * Note that the old parser allows quotes around the RR type names.
+ */
+static cfg_type_t cfg_type_rrtypelist = {
+ "rrtypelist", cfg_parse_spacelist, cfg_print_spacelist, cfg_doc_terminal,
+ &cfg_rep_list, &cfg_type_astring
+};
+
+static const char *mode_enums[] = { "grant", "deny", NULL };
+static cfg_type_t cfg_type_mode = {
+ "mode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &mode_enums
+};
+
+static const char *matchtype_enums[] = {
+ "name", "subdomain", "wildcard", "self", NULL };
+static cfg_type_t cfg_type_matchtype = {
+ "matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &matchtype_enums
+};
+
+/*
+ * A grant statement, used in the update policy.
+ */
+static cfg_tuplefielddef_t grant_fields[] = {
+ { "mode", &cfg_type_mode, 0 },
+ { "identity", &cfg_type_astring, 0 }, /* domain name */
+ { "matchtype", &cfg_type_matchtype, 0 },
+ { "name", &cfg_type_astring, 0 }, /* domain name */
+ { "types", &cfg_type_rrtypelist, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_grant = {
+ "grant", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, grant_fields };
+
+static cfg_type_t cfg_type_updatepolicy = {
+ "update_policy", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_grant
+};
+
+/*
+ * A view statement.
+ */
+static cfg_tuplefielddef_t view_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "class", &cfg_type_optional_class, 0 },
+ { "options", &cfg_type_viewopts, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_view = {
+ "view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, view_fields };
+
+/*
+ * A zone statement.
+ */
+static cfg_tuplefielddef_t zone_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "class", &cfg_type_optional_class, 0 },
+ { "options", &cfg_type_zoneopts, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_zone = {
+ "zone", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, zone_fields };
+
+/*
+ * A "category" clause in the "logging" statement.
+ */
+static cfg_tuplefielddef_t category_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "destinations", &cfg_type_destinationlist,0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_category = {
+ "category", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple, category_fields };
+
+
+/*
+ * A trusted key, as used in the "trusted-keys" statement.
+ */
+static cfg_tuplefielddef_t trustedkey_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "flags", &cfg_type_uint32, 0 },
+ { "protocol", &cfg_type_uint32, 0 },
+ { "algorithm", &cfg_type_uint32, 0 },
+ { "key", &cfg_type_qstring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_trustedkey = {
+ "trustedkey", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ trustedkey_fields
+};
+
+static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_class = {
+ "optional_wild_class", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_string, &wild_class_kw
+};
+
+static keyword_type_t wild_type_kw = { "type", &cfg_type_ustring };
+
+static cfg_type_t cfg_type_optional_wild_type = {
+ "optional_wild_type", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_type_kw
+};
+
+static keyword_type_t wild_name_kw = { "name", &cfg_type_qstring };
+
+static cfg_type_t cfg_type_optional_wild_name = {
+ "optional_wild_name", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue, &cfg_rep_string, &wild_name_kw
+};
+
+/*
+ * An rrset ordering element.
+ */
+static cfg_tuplefielddef_t rrsetorderingelement_fields[] = {
+ { "class", &cfg_type_optional_wild_class, 0 },
+ { "type", &cfg_type_optional_wild_type, 0 },
+ { "name", &cfg_type_optional_wild_name, 0 },
+ { "order", &cfg_type_ustring, 0 }, /* must be literal "order" */
+ { "ordering", &cfg_type_ustring, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_rrsetorderingelement = {
+ "rrsetorderingelement", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ rrsetorderingelement_fields
+};
+
+/*
+ * A global or view "check-names" option. Note that the zone
+ * "check-names" option has a different syntax.
+ */
+
+static const char *checktype_enums[] = { "master", "slave", "response", NULL };
+static cfg_type_t cfg_type_checktype = {
+ "checktype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+ &cfg_rep_string, &checktype_enums
+};
+
+static const char *checkmode_enums[] = { "fail", "warn", "ignore", NULL };
+static cfg_type_t cfg_type_checkmode = {
+ "checkmode", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum,
+ &cfg_rep_string, &checkmode_enums
+};
+
+static cfg_tuplefielddef_t checknames_fields[] = {
+ { "type", &cfg_type_checktype, 0 },
+ { "mode", &cfg_type_checkmode, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_checknames = {
+ "checknames", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ checknames_fields
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrlist = {
+ "bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_sockaddr
+};
+
+static cfg_type_t cfg_type_rrsetorder = {
+ "rrsetorder", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_rrsetorderingelement
+};
+
+static keyword_type_t port_kw = { "port", &cfg_type_uint32 };
+
+static cfg_type_t cfg_type_optional_port = {
+ "optional_port", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_uint32, &port_kw
+};
+
+/* A list of keys, as in the "key" clause of the controls statement. */
+static cfg_type_t cfg_type_keylist = {
+ "keylist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+ &cfg_type_astring
+};
+
+static cfg_type_t cfg_type_trustedkeys = {
+ "trusted-keys", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list, &cfg_rep_list,
+ &cfg_type_trustedkey
+};
+
+static const char *forwardtype_enums[] = { "first", "only", NULL };
+static cfg_type_t cfg_type_forwardtype = {
+ "forwardtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &forwardtype_enums
+};
+
+static const char *zonetype_enums[] = {
+ "master", "slave", "stub", "hint", "forward", "delegation-only", NULL };
+static cfg_type_t cfg_type_zonetype = {
+ "zonetype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &zonetype_enums
+};
+
+static const char *loglevel_enums[] = {
+ "critical", "error", "warning", "notice", "info", "dynamic", NULL };
+static cfg_type_t cfg_type_loglevel = {
+ "loglevel", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &loglevel_enums
+};
+
+static const char *transferformat_enums[] = {
+ "many-answers", "one-answer", NULL };
+static cfg_type_t cfg_type_transferformat = {
+ "transferformat", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
+ &transferformat_enums
+};
+
+/*
+ * The special keyword "none", as used in the pid-file option.
+ */
+
+static void
+print_none(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ UNUSED(obj);
+ cfg_print_chars(pctx, "none", 4);
+}
+
+static cfg_type_t cfg_type_none = {
+ "none", NULL, print_none, NULL, &cfg_rep_void, NULL
+};
+
+/*
+ * A quoted string or the special keyword "none". Used in the pid-file option.
+ */
+static isc_result_t
+parse_qstringornone(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+ return (cfg_create_obj(pctx, &cfg_type_none, ret));
+ cfg_ungettoken(pctx);
+ return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+ return (result);
+}
+
+static void
+doc_qstringornone(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_chars(pctx, "( <quoted_string> | none )", 26);
+}
+
+static cfg_type_t cfg_type_qstringornone = {
+ "qstringornone", parse_qstringornone, NULL, doc_qstringornone, NULL, NULL };
+
+/*
+ * keyword hostname
+ */
+
+static void
+print_hostname(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ UNUSED(obj);
+ cfg_print_chars(pctx, "hostname", 4);
+}
+
+static cfg_type_t cfg_type_hostname = {
+ "hostname", NULL, print_hostname, NULL, &cfg_rep_boolean, NULL
+};
+
+/*
+ * "server-id" arguement.
+ */
+
+static isc_result_t
+parse_serverid(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "none") == 0)
+ return (cfg_create_obj(pctx, &cfg_type_none, ret));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "hostname") == 0) {
+ return (cfg_create_obj(pctx, &cfg_type_hostname, ret));
+ }
+ cfg_ungettoken(pctx);
+ return (cfg_parse_qstring(pctx, type, ret));
+ cleanup:
+ return (result);
+}
+
+static void
+doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_chars(pctx, "( <quoted_string> | none | hostname )", 26);
+}
+
+static cfg_type_t cfg_type_serverid = {
+ "serverid", parse_serverid, NULL, doc_serverid, NULL, NULL };
+
+/*
+ * Port list.
+ */
+static isc_result_t
+parse_port(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+
+ UNUSED(type);
+
+ CHECK(cfg_parse_uint32(pctx, NULL, ret));
+ if ((*ret)->value.uint32 > 0xffff) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port");
+ cfg_obj_destroy(pctx, ret);
+ result = ISC_R_RANGE;
+ }
+ cleanup:
+ return (result);
+}
+
+static cfg_type_t cfg_type_port = {
+ "port", parse_port, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_portlist = {
+ "bracketed_sockaddrlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_port
+};
+
+/*
+ * Clauses that can be found within the top level of the named.conf
+ * file only.
+ */
+static cfg_clausedef_t
+namedconf_clauses[] = {
+ { "options", &cfg_type_options, 0 },
+ { "controls", &cfg_type_controls, CFG_CLAUSEFLAG_MULTI },
+ { "acl", &cfg_type_acl, CFG_CLAUSEFLAG_MULTI },
+ { "masters", &cfg_type_masters, CFG_CLAUSEFLAG_MULTI },
+ { "logging", &cfg_type_logging, 0 },
+ { "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
+ { "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can occur at the top level or in the view
+ * statement, but not in the options block.
+ */
+static cfg_clausedef_t
+namedconf_or_view_clauses[] = {
+ { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+ { "zone", &cfg_type_zone, CFG_CLAUSEFLAG_MULTI },
+ { "server", &cfg_type_server, CFG_CLAUSEFLAG_MULTI },
+ { "trusted-keys", &cfg_type_trustedkeys, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found within the 'options' statement.
+ */
+static cfg_clausedef_t
+options_clauses[] = {
+ { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
+ { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, 0 },
+ { "blackhole", &cfg_type_bracketed_aml, 0 },
+ { "coresize", &cfg_type_size, 0 },
+ { "datasize", &cfg_type_size, 0 },
+ { "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
+ { "dump-file", &cfg_type_qstring, 0 },
+ { "fake-iquery", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "files", &cfg_type_size, 0 },
+ { "has-old-clients", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "heartbeat-interval", &cfg_type_uint32, 0 },
+ { "host-statistics", &cfg_type_boolean, CFG_CLAUSEFLAG_NOTIMP },
+ { "hostname", &cfg_type_qstringornone, 0 },
+ { "interface-interval", &cfg_type_uint32, 0 },
+ { "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+ { "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+ { "match-mapped-addresses", &cfg_type_boolean, 0 },
+ { "memstatistics-file", &cfg_type_qstring, 0 },
+ { "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+ { "pid-file", &cfg_type_qstringornone, 0 },
+ { "port", &cfg_type_uint32, 0 },
+ { "querylog", &cfg_type_boolean, 0 },
+ { "recursing-file", &cfg_type_qstring, 0 },
+ { "random-device", &cfg_type_qstring, 0 },
+ { "recursive-clients", &cfg_type_uint32, 0 },
+ { "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+ { "serial-query-rate", &cfg_type_uint32, 0 },
+ { "server-id", &cfg_type_serverid, 0 },
+ { "stacksize", &cfg_type_size, 0 },
+ { "statistics-file", &cfg_type_qstring, 0 },
+ { "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
+ { "tcp-clients", &cfg_type_uint32, 0 },
+ { "tcp-listen-queue", &cfg_type_uint32, 0 },
+ { "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+ { "tkey-gssapi-credential", &cfg_type_qstring, 0 },
+ { "tkey-domain", &cfg_type_qstring, 0 },
+ { "transfers-per-ns", &cfg_type_uint32, 0 },
+ { "transfers-in", &cfg_type_uint32, 0 },
+ { "transfers-out", &cfg_type_uint32, 0 },
+ { "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "use-ixfr", &cfg_type_boolean, 0 },
+ { "version", &cfg_type_qstringornone, 0 },
+ { NULL, NULL, 0 }
+};
+
+
+static cfg_type_t cfg_type_namelist = {
+ "namelist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_qstring };
+
+static keyword_type_t exclude_kw = { "exclude", &cfg_type_namelist };
+
+static cfg_type_t cfg_type_optional_exclude = {
+ "optional_exclude", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_list, &exclude_kw };
+
+static cfg_type_t cfg_type_algorithmlist = {
+ "algorithmlist", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_astring };
+
+static cfg_tuplefielddef_t disablealgorithm_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "algorithms", &cfg_type_algorithmlist, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_disablealgorithm = {
+ "disablealgorithm", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, disablealgorithm_fields
+};
+
+static cfg_tuplefielddef_t mustbesecure_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "value", &cfg_type_boolean, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_mustbesecure = {
+ "mustbesecure", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, mustbesecure_fields
+};
+
+/*
+ * dnssec-lookaside
+ */
+
+static keyword_type_t trustanchor_kw = { "trust-anchor", &cfg_type_astring };
+
+static cfg_type_t cfg_type_trustanchor = {
+ "trust-anchor", parse_keyvalue, print_keyvalue, doc_keyvalue,
+ &cfg_rep_string, &trustanchor_kw
+};
+
+static cfg_tuplefielddef_t lookaside_fields[] = {
+ { "domain", &cfg_type_astring, 0 },
+ { "trust-anchor", &cfg_type_trustanchor, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_lookaside = {
+ "lookaside", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, lookaside_fields
+};
+
+/*
+ * Clauses that can be found within the 'view' statement,
+ * with defaults in the 'options' statement.
+ */
+
+static cfg_clausedef_t
+view_clauses[] = {
+ { "allow-recursion", &cfg_type_bracketed_aml, 0 },
+ { "allow-v6-synthesis", &cfg_type_bracketed_aml,
+ CFG_CLAUSEFLAG_OBSOLETE },
+ { "sortlist", &cfg_type_bracketed_aml, 0 },
+ { "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
+ { "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
+ { "minimal-responses", &cfg_type_boolean, 0 },
+ { "recursion", &cfg_type_boolean, 0 },
+ { "rrset-order", &cfg_type_rrsetorder, 0 },
+ { "provide-ixfr", &cfg_type_boolean, 0 },
+ { "request-ixfr", &cfg_type_boolean, 0 },
+ { "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+ { "additional-from-auth", &cfg_type_boolean, 0 },
+ { "additional-from-cache", &cfg_type_boolean, 0 },
+ /*
+ * Note that the query-source option syntax is different
+ * from the other -source options.
+ */
+ { "query-source", &cfg_type_querysource4, 0 },
+ { "query-source-v6", &cfg_type_querysource6, 0 },
+ { "cleaning-interval", &cfg_type_uint32, 0 },
+ { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+ { "lame-ttl", &cfg_type_uint32, 0 },
+ { "max-ncache-ttl", &cfg_type_uint32, 0 },
+ { "max-cache-ttl", &cfg_type_uint32, 0 },
+ { "transfer-format", &cfg_type_transferformat, 0 },
+ { "max-cache-size", &cfg_type_sizenodefault, 0 },
+ { "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
+ { "cache-file", &cfg_type_qstring, 0 },
+ { "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+ { "preferred-glue", &cfg_type_astring, 0 },
+ { "dual-stack-servers", &cfg_type_nameportiplist, 0 },
+ { "edns-udp-size", &cfg_type_uint32, 0 },
+ { "root-delegation-only", &cfg_type_optional_exclude, 0 },
+ { "disable-algorithms", &cfg_type_disablealgorithm,
+ CFG_CLAUSEFLAG_MULTI },
+ { "dnssec-enable", &cfg_type_boolean, 0 },
+ { "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
+ { "dnssec-must-be-secure", &cfg_type_mustbesecure,
+ CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found within the 'view' statement only.
+ */
+static cfg_clausedef_t
+view_only_clauses[] = {
+ { "match-clients", &cfg_type_bracketed_aml, 0 },
+ { "match-destinations", &cfg_type_bracketed_aml, 0 },
+ { "match-recursive-only", &cfg_type_boolean, 0 },
+ { NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found in a 'zone' statement,
+ * with defaults in the 'view' or 'options' statement.
+ */
+static cfg_clausedef_t
+zone_clauses[] = {
+ { "allow-query", &cfg_type_bracketed_aml, 0 },
+ { "allow-transfer", &cfg_type_bracketed_aml, 0 },
+ { "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
+ { "allow-notify", &cfg_type_bracketed_aml, 0 },
+ { "notify", &cfg_type_notifytype, 0 },
+ { "notify-source", &cfg_type_sockaddr4wild, 0 },
+ { "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+ { "also-notify", &cfg_type_portiplist, 0 },
+ { "dialup", &cfg_type_dialuptype, 0 },
+ { "forward", &cfg_type_forwardtype, 0 },
+ { "forwarders", &cfg_type_portiplist, 0 },
+ { "ixfr-from-differences", &cfg_type_boolean, 0 },
+ { "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
+ { "max-journal-size", &cfg_type_sizenodefault, 0 },
+ { "max-transfer-time-in", &cfg_type_uint32, 0 },
+ { "max-transfer-time-out", &cfg_type_uint32, 0 },
+ { "max-transfer-idle-in", &cfg_type_uint32, 0 },
+ { "max-transfer-idle-out", &cfg_type_uint32, 0 },
+ { "max-retry-time", &cfg_type_uint32, 0 },
+ { "min-retry-time", &cfg_type_uint32, 0 },
+ { "max-refresh-time", &cfg_type_uint32, 0 },
+ { "min-refresh-time", &cfg_type_uint32, 0 },
+ { "multi-master", &cfg_type_boolean, 0 },
+ { "sig-validity-interval", &cfg_type_uint32, 0 },
+ { "transfer-source", &cfg_type_sockaddr4wild, 0 },
+ { "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+ { "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
+ { "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+ { "use-alt-transfer-source", &cfg_type_boolean, 0 },
+ { "zone-statistics", &cfg_type_boolean, 0 },
+ { "key-directory", &cfg_type_qstring, 0 },
+ { NULL, NULL, 0 }
+};
+
+/*
+ * Clauses that can be found in a 'zone' statement
+ * only.
+ */
+static cfg_clausedef_t
+zone_only_clauses[] = {
+ { "type", &cfg_type_zonetype, 0 },
+ { "allow-update", &cfg_type_bracketed_aml, 0 },
+ { "file", &cfg_type_qstring, 0 },
+ { "ixfr-base", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+ { "ixfr-tmp-file", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
+ { "masters", &cfg_type_namesockaddrkeylist, 0 },
+ { "pubkey", &cfg_type_pubkey,
+ CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_OBSOLETE },
+ { "update-policy", &cfg_type_updatepolicy, 0 },
+ { "database", &cfg_type_astring, 0 },
+ { "delegation-only", &cfg_type_boolean, 0 },
+ /*
+ * Note that the format of the check-names option is different between
+ * the zone options and the global/view options. Ugh.
+ */
+ { "check-names", &cfg_type_checkmode, 0 },
+ { NULL, NULL, 0 }
+};
+
+
+/* The top-level named.conf syntax. */
+
+static cfg_clausedef_t *
+namedconf_clausesets[] = {
+ namedconf_clauses,
+ namedconf_or_view_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_namedconf = {
+ "namedconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, namedconf_clausesets
+};
+
+/* The "options" statement syntax. */
+
+static cfg_clausedef_t *
+options_clausesets[] = {
+ options_clauses,
+ view_clauses,
+ zone_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_options = {
+ "options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, options_clausesets };
+
+/* The "view" statement syntax. */
+
+static cfg_clausedef_t *
+view_clausesets[] = {
+ view_only_clauses,
+ namedconf_or_view_clauses,
+ view_clauses,
+ zone_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_viewopts = {
+ "view", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, view_clausesets };
+
+/* The "zone" statement syntax. */
+
+static cfg_clausedef_t *
+zone_clausesets[] = {
+ zone_only_clauses,
+ zone_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_zoneopts = {
+ "zoneopts", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, zone_clausesets };
+
+/*
+ * Clauses that can be found within the 'key' statement.
+ */
+static cfg_clausedef_t
+key_clauses[] = {
+ { "algorithm", &cfg_type_astring, 0 },
+ { "secret", &cfg_type_astring, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+key_clausesets[] = {
+ key_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_key = {
+ "key", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, key_clausesets };
+
+
+/*
+ * Clauses that can be found in a 'server' statement.
+ */
+static cfg_clausedef_t
+server_clauses[] = {
+ { "bogus", &cfg_type_boolean, 0 },
+ { "provide-ixfr", &cfg_type_boolean, 0 },
+ { "request-ixfr", &cfg_type_boolean, 0 },
+ { "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+ { "transfers", &cfg_type_uint32, 0 },
+ { "transfer-format", &cfg_type_transferformat, 0 },
+ { "keys", &cfg_type_server_key_kludge, 0 },
+ { "edns", &cfg_type_boolean, 0 },
+ { "transfer-source", &cfg_type_sockaddr4wild, 0 },
+ { "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+server_clausesets[] = {
+ server_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_server = {
+ "server", cfg_parse_addressed_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+ server_clausesets
+};
+
+
+/*
+ * Clauses that can be found in a 'channel' clause in the
+ * 'logging' statement.
+ *
+ * These have some additional constraints that need to be
+ * checked after parsing:
+ * - There must exactly one of file/syslog/null/stderr
+ *
+ */
+static cfg_clausedef_t
+channel_clauses[] = {
+ /* Destinations. We no longer require these to be first. */
+ { "file", &cfg_type_logfile, 0 },
+ { "syslog", &cfg_type_optional_facility, 0 },
+ { "null", &cfg_type_void, 0 },
+ { "stderr", &cfg_type_void, 0 },
+ /* Options. We now accept these for the null channel, too. */
+ { "severity", &cfg_type_logseverity, 0 },
+ { "print-time", &cfg_type_boolean, 0 },
+ { "print-severity", &cfg_type_boolean, 0 },
+ { "print-category", &cfg_type_boolean, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+channel_clausesets[] = {
+ channel_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_channel = {
+ "channel", cfg_parse_named_map, cfg_print_map, cfg_doc_map,
+ &cfg_rep_map, channel_clausesets
+};
+
+/* A list of log destination, used in the "category" clause. */
+static cfg_type_t cfg_type_destinationlist = {
+ "destinationlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_astring };
+
+/*
+ * Clauses that can be found in a 'logging' statement.
+ */
+static cfg_clausedef_t
+logging_clauses[] = {
+ { "channel", &cfg_type_channel, CFG_CLAUSEFLAG_MULTI },
+ { "category", &cfg_type_category, CFG_CLAUSEFLAG_MULTI },
+ { NULL, NULL, 0 }
+};
+static cfg_clausedef_t *
+logging_clausesets[] = {
+ logging_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_logging = {
+ "logging", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, logging_clausesets };
+
+
+static isc_result_t
+parse_unitstring(char *str, isc_resourcevalue_t *valuep) {
+ char *endp;
+ unsigned int len;
+ isc_uint64_t value;
+ isc_uint64_t unit;
+
+ value = isc_string_touint64(str, &endp, 10);
+ if (*endp == 0) {
+ *valuep = value;
+ return (ISC_R_SUCCESS);
+ }
+
+ len = strlen(str);
+ if (len < 2 || endp[1] != '\0')
+ return (ISC_R_FAILURE);
+
+ switch (str[len - 1]) {
+ case 'k':
+ case 'K':
+ unit = 1024;
+ break;
+ case 'm':
+ case 'M':
+ unit = 1024 * 1024;
+ break;
+ case 'g':
+ case 'G':
+ unit = 1024 * 1024 * 1024;
+ break;
+ default:
+ return (ISC_R_FAILURE);
+ }
+ if (value > ISC_UINT64_MAX / unit)
+ return (ISC_R_FAILURE);
+ *valuep = value * unit;
+ return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+parse_sizeval(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ isc_uint64_t val;
+
+ UNUSED(type);
+
+ CHECK(cfg_gettoken(pctx, 0));
+ if (pctx->token.type != isc_tokentype_string) {
+ result = ISC_R_UNEXPECTEDTOKEN;
+ goto cleanup;
+ }
+ CHECK(parse_unitstring(TOKEN_STRING(pctx), &val));
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_uint64, &obj));
+ obj->value.uint64 = val;
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected integer and optional unit");
+ return (result);
+}
+
+/*
+ * A size value (number + optional unit).
+ */
+static cfg_type_t cfg_type_sizeval = {
+ "sizeval", parse_sizeval, cfg_print_uint64, cfg_doc_terminal,
+ &cfg_rep_uint64, NULL };
+
+/*
+ * A size, "unlimited", or "default".
+ */
+
+static isc_result_t
+parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
+}
+
+static const char *size_enums[] = { "unlimited", "default", NULL };
+static cfg_type_t cfg_type_size = {
+ "size", parse_size, cfg_print_ustring, cfg_doc_terminal,
+ &cfg_rep_string, size_enums
+};
+
+/*
+ * A size or "unlimited", but not "default".
+ */
+static const char *sizenodefault_enums[] = { "unlimited", NULL };
+static cfg_type_t cfg_type_sizenodefault = {
+ "size_no_default", parse_size, cfg_print_ustring, cfg_doc_terminal,
+ &cfg_rep_string, sizenodefault_enums
+};
+
+/*
+ * optional_keyvalue
+ */
+static isc_result_t
+parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
+ isc_boolean_t optional, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ const keyword_type_t *kw = type->of;
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), kw->name) == 0) {
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(kw->type->parse(pctx, kw->type, &obj));
+ obj->type = type; /* XXX kludge */
+ } else {
+ if (optional) {
+ CHECK(cfg_parse_void(pctx, NULL, &obj));
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected '%s'",
+ kw->name);
+ result = ISC_R_UNEXPECTEDTOKEN;
+ goto cleanup;
+ }
+ }
+ *ret = obj;
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
+ const cfg_type_t *othertype, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
+ CHECK(cfg_parse_enum(pctx, enumtype, ret));
+ } else {
+ CHECK(cfg_parse_obj(pctx, othertype, ret));
+ }
+ cleanup:
+ return (result);
+}
+
+static void
+doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_doc_terminal(pctx, type);
+#if 0 /* XXX */
+ cfg_print_chars(pctx, "( ", 2);...
+#endif
+
+}
+
+static isc_result_t
+parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_maybe_optional_keyvalue(pctx, type, ISC_FALSE, ret));
+}
+
+static isc_result_t
+parse_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_maybe_optional_keyvalue(pctx, type, ISC_TRUE, ret));
+}
+
+static void
+print_keyvalue(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ const keyword_type_t *kw = obj->type->of;
+ cfg_print_cstr(pctx, kw->name);
+ cfg_print_chars(pctx, " ", 1);
+ kw->type->print(pctx, obj);
+}
+
+static void
+doc_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const keyword_type_t *kw = type->of;
+ cfg_print_cstr(pctx, kw->name);
+ cfg_print_chars(pctx, " ", 1);
+ cfg_doc_obj(pctx, kw->type);
+}
+
+static void
+doc_optional_keyvalue(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const keyword_type_t *kw = type->of;
+ cfg_print_chars(pctx, "[ ", 2);
+ cfg_print_cstr(pctx, kw->name);
+ cfg_print_chars(pctx, " ", 1);
+ cfg_doc_obj(pctx, kw->type);
+ cfg_print_chars(pctx, " ]", 2);
+}
+
+static const char *dialup_enums[] = {
+ "notify", "notify-passive", "refresh", "passive", NULL };
+static isc_result_t
+parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_dialuptype = {
+ "dialuptype", parse_dialup_type, cfg_print_ustring, doc_enum_or_other,
+ &cfg_rep_string, dialup_enums
+};
+
+static const char *notify_enums[] = { "explicit", NULL };
+static isc_result_t
+parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
+}
+static cfg_type_t cfg_type_notifytype = {
+ "notifytype", parse_notify_type, cfg_print_ustring, doc_enum_or_other,
+ &cfg_rep_string, notify_enums,
+};
+
+static keyword_type_t key_kw = { "key", &cfg_type_astring };
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
+ "keyref", parse_keyvalue, print_keyvalue, doc_keyvalue,
+ &cfg_rep_string, &key_kw
+};
+
+static cfg_type_t cfg_type_optional_keyref = {
+ "optional_keyref", parse_optional_keyvalue, print_keyvalue,
+ doc_optional_keyvalue, &cfg_rep_string, &key_kw
+};
+
+/*
+ * A "controls" statement is represented as a map with the multivalued
+ * "inet" and "unix" clauses. Inet controls are tuples; unix controls
+ * are cfg_unsupported_t objects.
+ */
+
+static keyword_type_t controls_allow_kw = {
+ "allow", &cfg_type_bracketed_aml };
+static cfg_type_t cfg_type_controls_allow = {
+ "controls_allow", parse_keyvalue,
+ print_keyvalue, doc_keyvalue,
+ &cfg_rep_list, &controls_allow_kw
+};
+
+static keyword_type_t controls_keys_kw = {
+ "keys", &cfg_type_keylist };
+static cfg_type_t cfg_type_controls_keys = {
+ "controls_keys", parse_optional_keyvalue,
+ print_keyvalue, doc_optional_keyvalue,
+ &cfg_rep_list, &controls_keys_kw
+};
+
+static cfg_tuplefielddef_t inetcontrol_fields[] = {
+ { "address", &cfg_type_controls_sockaddr, 0 },
+ { "allow", &cfg_type_controls_allow, 0 },
+ { "keys", &cfg_type_controls_keys, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_inetcontrol = {
+ "inetcontrol", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ inetcontrol_fields
+};
+
+static cfg_clausedef_t
+controls_clauses[] = {
+ { "inet", &cfg_type_inetcontrol, CFG_CLAUSEFLAG_MULTI },
+ { "unix", &cfg_type_unsupported,
+ CFG_CLAUSEFLAG_MULTI|CFG_CLAUSEFLAG_NOTIMP },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+controls_clausesets[] = {
+ controls_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_controls = {
+ "controls", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, &controls_clausesets
+};
+
+/*
+ * An optional class, as used in view and zone statements.
+ */
+static isc_result_t
+parse_optional_class(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string)
+ CHECK(cfg_parse_obj(pctx, &cfg_type_ustring, ret));
+ else
+ CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ cleanup:
+ return (result);
+}
+
+static cfg_type_t cfg_type_optional_class = {
+ "optional_class", parse_optional_class, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+
+static isc_result_t
+parse_querysource(cfg_parser_t *pctx, int flags, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ isc_netaddr_t netaddr;
+ in_port_t port;
+ unsigned int have_address = 0;
+ unsigned int have_port = 0;
+
+ if ((flags & CFG_ADDR_V4OK) != 0)
+ isc_netaddr_any(&netaddr);
+ else if ((flags & CFG_ADDR_V6OK) != 0)
+ isc_netaddr_any6(&netaddr);
+ else
+ INSIST(0);
+
+ port = 0;
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj));
+ for (;;) {
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string) {
+ if (strcasecmp(TOKEN_STRING(pctx),
+ "address") == 0)
+ {
+ /* read "address" */
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(cfg_parse_rawaddr(pctx,
+ flags | CFG_ADDR_WILDOK,
+ &netaddr));
+ have_address++;
+ } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0)
+ {
+ /* read "port" */
+ CHECK(cfg_gettoken(pctx, 0));
+ CHECK(cfg_parse_rawport(pctx,
+ CFG_ADDR_WILDOK,
+ &port));
+ have_port++;
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected 'address' or 'port'");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ } else
+ break;
+ }
+ if (have_address > 1 || have_port > 1 ||
+ have_address + have_port == 0) {
+ cfg_parser_error(pctx, 0, "expected one address and/or port");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+
+ isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid query source");
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static isc_result_t
+parse_querysource4(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ UNUSED(type);
+ return (parse_querysource(pctx, CFG_ADDR_V4OK, ret));
+}
+
+static isc_result_t
+parse_querysource6(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ UNUSED(type);
+ return (parse_querysource(pctx, CFG_ADDR_V6OK, ret));
+}
+
+static void
+print_querysource(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ isc_netaddr_t na;
+ isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr);
+ cfg_print_chars(pctx, "address ", 8);
+ cfg_print_rawaddr(pctx, &na);
+ cfg_print_chars(pctx, " port ", 6);
+ cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr));
+}
+
+static cfg_type_t cfg_type_querysource4 = {
+ "querysource4", parse_querysource4, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+static cfg_type_t cfg_type_querysource6 = {
+ "querysource6", parse_querysource6, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+static cfg_type_t cfg_type_querysource = {
+ "querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL };
+
+/* addrmatchelt */
+
+static isc_result_t
+parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+
+ if (pctx->token.type == isc_tokentype_string ||
+ pctx->token.type == isc_tokentype_qstring) {
+ if (pctx->token.type == isc_tokentype_string &&
+ (strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
+ } else {
+ if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
+ CFG_ADDR_V4PREFIXOK |
+ CFG_ADDR_V6OK))
+ {
+ CHECK(cfg_parse_netprefix(pctx, NULL, ret));
+ } else {
+ CHECK(cfg_parse_astring(pctx, NULL, ret));
+ }
+ }
+ } else if (pctx->token.type == isc_tokentype_special) {
+ if (pctx->token.value.as_char == '{') {
+ /* Nested match list. */
+ CHECK(cfg_parse_obj(pctx, &cfg_type_bracketed_aml, ret));
+ } else if (pctx->token.value.as_char == '!') {
+ CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
+ CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
+ } else {
+ goto bad;
+ }
+ } else {
+ bad:
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected IP match list element");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ cleanup:
+ return (result);
+}
+
+/*
+ * A negated address match list element (like "! 10.0.0.1").
+ * Somewhat sneakily, the caller is expected to parse the
+ * "!", but not to print it.
+ */
+
+static cfg_tuplefielddef_t negated_fields[] = {
+ { "value", &cfg_type_addrmatchelt, 0 },
+ { NULL, NULL, 0 }
+};
+
+static void
+print_negated(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_print_chars(pctx, "!", 1);
+ cfg_print_tuple(pctx, obj);
+}
+
+static cfg_type_t cfg_type_negated = {
+ "negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
+ &negated_fields
+};
+
+/* An address match list element */
+
+static cfg_type_t cfg_type_addrmatchelt = {
+ "address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+
+/* A bracketed address match list */
+
+static cfg_type_t cfg_type_bracketed_aml = {
+ "bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
+ cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
+};
+
+/*
+ * The socket address syntax in the "controls" statement is silly.
+ * It allows both socket address families, but also allows "*",
+ * whis is gratuitously interpreted as the IPv4 wildcard address.
+ */
+static unsigned int controls_sockaddr_flags =
+ CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_WILDOK;
+static cfg_type_t cfg_type_controls_sockaddr = {
+ "controls_sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr,
+ cfg_doc_sockaddr, &cfg_rep_sockaddr, &controls_sockaddr_flags
+};
+
+/*
+ * Handle the special kludge syntax of the "keys" clause in the "server"
+ * statement, which takes a single key with or without braces and semicolon.
+ */
+static isc_result_t
+parse_server_key_kludge(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ isc_boolean_t braces = ISC_FALSE;
+ UNUSED(type);
+
+ /* Allow opening brace. */
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == '{') {
+ result = cfg_gettoken(pctx, 0);
+ braces = ISC_TRUE;
+ }
+
+ CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+
+ if (braces) {
+ /* Skip semicolon if present. */
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == ';')
+ CHECK(cfg_gettoken(pctx, 0));
+
+ CHECK(cfg_parse_special(pctx, '}'));
+ }
+ cleanup:
+ return (result);
+}
+static cfg_type_t cfg_type_server_key_kludge = {
+ "server_key", parse_server_key_kludge, NULL, cfg_doc_terminal,
+ NULL, NULL
+};
+
+
+/*
+ * An optional logging facility.
+ */
+
+static isc_result_t
+parse_optional_facility(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string ||
+ pctx->token.type == isc_tokentype_qstring) {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_astring, ret));
+ } else {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+ }
+ cleanup:
+ return (result);
+}
+
+static cfg_type_t cfg_type_optional_facility = {
+ "optional_facility", parse_optional_facility, NULL, cfg_doc_terminal,
+ NULL, NULL };
+
+
+/*
+ * A log severity. Return as a string, except "debug N",
+ * which is returned as a keyword object.
+ */
+
+static keyword_type_t debug_kw = { "debug", &cfg_type_uint32 };
+static cfg_type_t cfg_type_debuglevel = {
+ "debuglevel", parse_keyvalue,
+ print_keyvalue, doc_keyvalue,
+ &cfg_rep_uint32, &debug_kw
+};
+
+static isc_result_t
+parse_logseverity(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "debug") == 0) {
+ CHECK(cfg_gettoken(pctx, 0)); /* read "debug" */
+ CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER));
+ if (pctx->token.type == isc_tokentype_number) {
+ CHECK(cfg_parse_uint32(pctx, NULL, ret));
+ } else {
+ /*
+ * The debug level is optional and defaults to 1.
+ * This makes little sense, but we support it for
+ * compatibility with BIND 8.
+ */
+ CHECK(cfg_create_obj(pctx, &cfg_type_uint32, ret));
+ (*ret)->value.uint32 = 1;
+ }
+ (*ret)->type = &cfg_type_debuglevel; /* XXX kludge */
+ } else {
+ CHECK(cfg_parse_obj(pctx, &cfg_type_loglevel, ret));
+ }
+ cleanup:
+ return (result);
+}
+
+static cfg_type_t cfg_type_logseverity = {
+ "log_severity", parse_logseverity, NULL, cfg_doc_terminal,
+ NULL, NULL };
+
+/*
+ * The "file" clause of the "channel" statement.
+ * This is yet another special case.
+ */
+
+static const char *logversions_enums[] = { "unlimited", NULL };
+static isc_result_t
+parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
+}
+static cfg_type_t cfg_type_logversions = {
+ "logversions", parse_logversions, cfg_print_ustring, cfg_doc_terminal,
+ &cfg_rep_string, logversions_enums
+};
+
+static cfg_tuplefielddef_t logfile_fields[] = {
+ { "file", &cfg_type_qstring, 0 },
+ { "versions", &cfg_type_logversions, 0 },
+ { "size", &cfg_type_size, 0 },
+ { NULL, NULL, 0 }
+};
+
+static isc_result_t
+parse_logfile(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ const cfg_tuplefielddef_t *fields = type->of;
+
+ CHECK(cfg_create_tuple(pctx, type, &obj));
+
+ /* Parse the mandatory "file" field */
+ CHECK(cfg_parse_obj(pctx, fields[0].type, &obj->value.tuple[0]));
+
+ /* Parse "versions" and "size" fields in any order. */
+ for (;;) {
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string) {
+ CHECK(cfg_gettoken(pctx, 0));
+ if (strcasecmp(TOKEN_STRING(pctx),
+ "versions") == 0 &&
+ obj->value.tuple[1] == NULL) {
+ CHECK(cfg_parse_obj(pctx, fields[1].type,
+ &obj->value.tuple[1]));
+ } else if (strcasecmp(TOKEN_STRING(pctx),
+ "size") == 0 &&
+ obj->value.tuple[2] == NULL) {
+ CHECK(cfg_parse_obj(pctx, fields[2].type,
+ &obj->value.tuple[2]));
+ } else {
+ break;
+ }
+ } else {
+ break;
+ }
+ }
+
+ /* Create void objects for missing optional values. */
+ if (obj->value.tuple[1] == NULL)
+ CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[1]));
+ if (obj->value.tuple[2] == NULL)
+ CHECK(cfg_parse_void(pctx, NULL, &obj->value.tuple[2]));
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static void
+print_logfile(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_print_obj(pctx, obj->value.tuple[0]); /* file */
+ if (obj->value.tuple[1]->type->print != cfg_print_void) {
+ cfg_print_chars(pctx, " versions ", 10);
+ cfg_print_obj(pctx, obj->value.tuple[1]);
+ }
+ if (obj->value.tuple[2]->type->print != cfg_print_void) {
+ cfg_print_chars(pctx, " size ", 6);
+ cfg_print_obj(pctx, obj->value.tuple[2]);
+ }
+}
+
+static cfg_type_t cfg_type_logfile = {
+ "log_file", parse_logfile, print_logfile, cfg_doc_terminal,
+ &cfg_rep_tuple, logfile_fields
+};
+
+/* An IPv4/IPv6 address with optional port, "*" accepted as wildcard. */
+static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
+static cfg_type_t cfg_type_sockaddr4wild = {
+ "sockaddr4wild", cfg_parse_sockaddr, cfg_print_sockaddr,
+ cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr4wild_flags
+};
+
+static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
+static cfg_type_t cfg_type_sockaddr6wild = {
+ "v6addrportwild", cfg_parse_sockaddr, cfg_print_sockaddr,
+ cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr6wild_flags
+};
+
+/*
+ * lwres
+ */
+
+static cfg_tuplefielddef_t lwres_view_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "class", &cfg_type_optional_class, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_lwres_view = {
+ "lwres_view", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple, &cfg_rep_tuple,
+ lwres_view_fields
+};
+
+static cfg_type_t cfg_type_lwres_searchlist = {
+ "lwres_searchlist", cfg_parse_bracketed_list, cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_astring };
+
+static cfg_clausedef_t
+lwres_clauses[] = {
+ { "listen-on", &cfg_type_portiplist, 0 },
+ { "view", &cfg_type_lwres_view, 0 },
+ { "search", &cfg_type_lwres_searchlist, 0 },
+ { "ndots", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+lwres_clausesets[] = {
+ lwres_clauses,
+ NULL
+};
+static cfg_type_t cfg_type_lwres = {
+ "lwres", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map, lwres_clausesets };
+
+/*
+ * rndc
+ */
+
+static cfg_clausedef_t
+rndcconf_options_clauses[] = {
+ { "default-server", &cfg_type_astring, 0 },
+ { "default-key", &cfg_type_astring, 0 },
+ { "default-port", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_options_clausesets[] = {
+ rndcconf_options_clauses,
+ NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_options = {
+ "rndcconf_options", cfg_parse_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+ rndcconf_options_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_server_clauses[] = {
+ { "key", &cfg_type_astring, 0 },
+ { "port", &cfg_type_uint32, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_server_clausesets[] = {
+ rndcconf_server_clauses,
+ NULL
+};
+
+static cfg_type_t cfg_type_rndcconf_server = {
+ "rndcconf_server", cfg_parse_named_map, cfg_print_map, cfg_doc_map, &cfg_rep_map,
+ rndcconf_server_clausesets
+};
+
+static cfg_clausedef_t
+rndcconf_clauses[] = {
+ { "key", &cfg_type_key, CFG_CLAUSEFLAG_MULTI },
+ { "server", &cfg_type_rndcconf_server, CFG_CLAUSEFLAG_MULTI },
+ { "options", &cfg_type_rndcconf_options, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndcconf_clausesets[] = {
+ rndcconf_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndcconf = {
+ "rndcconf", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, rndcconf_clausesets
+};
+
+static cfg_clausedef_t
+rndckey_clauses[] = {
+ { "key", &cfg_type_key, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+rndckey_clausesets[] = {
+ rndckey_clauses,
+ NULL
+};
+
+LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_rndckey = {
+ "rndckey", cfg_parse_mapbody, cfg_print_mapbody, cfg_doc_mapbody,
+ &cfg_rep_map, rndckey_clausesets
+};
+
+static cfg_tuplefielddef_t nameport_fields[] = {
+ { "name", &cfg_type_astring, 0 },
+ { "port", &cfg_type_optional_port, 0 },
+ { NULL, NULL, 0 }
+};
+static cfg_type_t cfg_type_nameport = {
+ "nameport", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, nameport_fields
+};
+
+static void
+doc_sockaddrnameport(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_chars(pctx, "( ", 2);
+ cfg_print_cstr(pctx, "<quoted_string>");
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, "[port <integer>]");
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv4_address>");
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, "[port <integer>]");
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv6_address>");
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, "[port <integer>]");
+ cfg_print_chars(pctx, " )", 2);
+}
+
+static isc_result_t
+parse_sockaddrnameport(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string ||
+ pctx->token.type == isc_tokentype_qstring) {
+ if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+ CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
+ else {
+ const cfg_tuplefielddef_t *fields =
+ cfg_type_nameport.of;
+ CHECK(cfg_create_tuple(pctx, &cfg_type_nameport,
+ &obj));
+ CHECK(cfg_parse_obj(pctx, fields[0].type,
+ &obj->value.tuple[0]));
+ CHECK(cfg_parse_obj(pctx, fields[1].type,
+ &obj->value.tuple[1]));
+ *ret = obj;
+ obj = NULL;
+ }
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected IP address or hostname");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static cfg_type_t cfg_type_sockaddrnameport = {
+ "sockaddrnameport_element", parse_sockaddrnameport, NULL,
+ doc_sockaddrnameport, NULL, NULL
+};
+
+static cfg_type_t cfg_type_bracketed_sockaddrnameportlist = {
+ "bracketed_sockaddrnameportlist", cfg_parse_bracketed_list,
+ cfg_print_bracketed_list, cfg_doc_bracketed_list,
+ &cfg_rep_list, &cfg_type_sockaddrnameport
+};
+
+/*
+ * A list of socket addresses or name with an optional default port,
+ * as used in the dual-stack-servers option. E.g.,
+ * "port 1234 { dual-stack-servers.net; 10.0.0.1; 1::2 port 69; }"
+ */
+static cfg_tuplefielddef_t nameportiplist_fields[] = {
+ { "port", &cfg_type_optional_port, 0 },
+ { "addresses", &cfg_type_bracketed_sockaddrnameportlist, 0 },
+ { NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_nameportiplist = {
+ "nameportiplist", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+ &cfg_rep_tuple, nameportiplist_fields
+};
+
+/*
+ * masters element.
+ */
+
+static void
+doc_masterselement(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(type);
+ cfg_print_chars(pctx, "( ", 2);
+ cfg_print_cstr(pctx, "<masters>");
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv4_address>");
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, "[port <integer>]");
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv6_address>");
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_cstr(pctx, "[port <integer>]");
+ cfg_print_chars(pctx, " )", 2);
+}
+
+static isc_result_t
+parse_masterselement(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ UNUSED(type);
+
+ CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_string ||
+ pctx->token.type == isc_tokentype_qstring) {
+ if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK))
+ CHECK(cfg_parse_sockaddr(pctx, &cfg_type_sockaddr, ret));
+ else
+ CHECK(cfg_parse_astring(pctx, &cfg_type_astring, ret));
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected IP address or masters name");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static cfg_type_t cfg_type_masterselement = {
+ "masters_element", parse_masterselement, NULL,
+ doc_masterselement, NULL, NULL
+};
diff --git a/contrib/bind9/lib/isccfg/parser.c b/contrib/bind9/lib/isccfg/parser.c
new file mode 100644
index 0000000..f72c3c2
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/parser.c
@@ -0,0 +1,2289 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: parser.c,v 1.70.2.20.2.18 2004/05/15 03:46:13 jinmei Exp $ */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/formatcheck.h>
+#include <isc/lex.h>
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/sockaddr.h>
+#include <isc/netscope.h>
+#include <isc/util.h>
+#include <isc/symtab.h>
+
+#include <isccfg/cfg.h>
+#include <isccfg/grammar.h>
+#include <isccfg/log.h>
+
+/* Shorthand */
+#define CAT CFG_LOGCATEGORY_CONFIG
+#define MOD CFG_LOGMODULE_PARSER
+
+#define MAP_SYM 1 /* Unique type for isc_symtab */
+
+#define TOKEN_STRING(pctx) (pctx->token.value.as_textregion.base)
+
+/* Check a return value. */
+#define CHECK(op) \
+ do { result = (op); \
+ if (result != ISC_R_SUCCESS) goto cleanup; \
+ } while (0)
+
+/* Clean up a configuration object if non-NULL. */
+#define CLEANUP_OBJ(obj) \
+ do { if ((obj) != NULL) cfg_obj_destroy(pctx, &(obj)); } while (0)
+
+
+/*
+ * Forward declarations of static functions.
+ */
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
+
+static void
+print_list(cfg_printer_t *pctx, cfg_obj_t *obj);
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp);
+
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+ cfg_obj_t **ret);
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **objp);
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name,
+ cfg_type_t *elttype, isc_symtab_t *symtab,
+ isc_boolean_t callback);
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj);
+
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx);
+
+static void
+parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
+ unsigned int flags, const char *format, va_list args);
+
+/*
+ * Data representations. These correspond to members of the
+ * "value" union in struct cfg_obj (except "void", which does
+ * not need a union member).
+ */
+
+cfg_rep_t cfg_rep_uint32 = { "uint32", free_noop };
+cfg_rep_t cfg_rep_uint64 = { "uint64", free_noop };
+cfg_rep_t cfg_rep_string = { "string", free_string };
+cfg_rep_t cfg_rep_boolean = { "boolean", free_noop };
+cfg_rep_t cfg_rep_map = { "map", free_map };
+cfg_rep_t cfg_rep_list = { "list", free_list };
+cfg_rep_t cfg_rep_tuple = { "tuple", free_tuple };
+cfg_rep_t cfg_rep_sockaddr = { "sockaddr", free_noop };
+cfg_rep_t cfg_rep_netprefix = { "netprefix", free_noop };
+cfg_rep_t cfg_rep_void = { "void", free_noop };
+
+/*
+ * Configuration type definitions.
+ */
+
+/*
+ * An implicit list. These are formed by clauses that occur multiple times.
+ */
+static cfg_type_t cfg_type_implicitlist = {
+ "implicitlist", NULL, print_list, NULL, &cfg_rep_list, NULL };
+
+/* Functions. */
+
+void
+cfg_print_obj(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ obj->type->print(pctx, obj);
+}
+
+void
+cfg_print_chars(cfg_printer_t *pctx, const char *text, int len) {
+ pctx->f(pctx->closure, text, len);
+}
+
+static void
+print_open(cfg_printer_t *pctx) {
+ cfg_print_chars(pctx, "{\n", 2);
+ pctx->indent++;
+}
+
+static void
+print_indent(cfg_printer_t *pctx) {
+ int indent = pctx->indent;
+ while (indent > 0) {
+ cfg_print_chars(pctx, "\t", 1);
+ indent--;
+ }
+}
+
+static void
+print_close(cfg_printer_t *pctx) {
+ pctx->indent--;
+ print_indent(pctx);
+ cfg_print_chars(pctx, "}", 1);
+}
+
+isc_result_t
+cfg_parse_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ INSIST(ret != NULL && *ret == NULL);
+ result = type->parse(pctx, type, ret);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ INSIST(*ret != NULL);
+ return (ISC_R_SUCCESS);
+}
+
+void
+cfg_print(cfg_obj_t *obj,
+ void (*f)(void *closure, const char *text, int textlen),
+ void *closure)
+{
+ cfg_printer_t pctx;
+ pctx.f = f;
+ pctx.closure = closure;
+ pctx.indent = 0;
+ obj->type->print(&pctx, obj);
+}
+
+
+/* Tuples. */
+
+isc_result_t
+cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ const cfg_tuplefielddef_t *fields = type->of;
+ const cfg_tuplefielddef_t *f;
+ cfg_obj_t *obj = NULL;
+ unsigned int nfields = 0;
+ int i;
+
+ for (f = fields; f->name != NULL; f++)
+ nfields++;
+
+ CHECK(cfg_create_obj(pctx, type, &obj));
+ obj->value.tuple = isc_mem_get(pctx->mctx,
+ nfields * sizeof(cfg_obj_t *));
+ if (obj->value.tuple == NULL) {
+ result = ISC_R_NOMEMORY;
+ goto cleanup;
+ }
+ for (f = fields, i = 0; f->name != NULL; f++, i++)
+ obj->value.tuple[i] = NULL;
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (obj != NULL)
+ isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+ return (result);
+}
+
+isc_result_t
+cfg_parse_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ const cfg_tuplefielddef_t *fields = type->of;
+ const cfg_tuplefielddef_t *f;
+ cfg_obj_t *obj = NULL;
+ unsigned int i;
+
+ CHECK(cfg_create_tuple(pctx, type, &obj));
+ for (f = fields, i = 0; f->name != NULL; f++, i++)
+ CHECK(cfg_parse_obj(pctx, f->type, &obj->value.tuple[i]));
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+void
+cfg_print_tuple(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ unsigned int i;
+ const cfg_tuplefielddef_t *fields = obj->type->of;
+ const cfg_tuplefielddef_t *f;
+ isc_boolean_t need_space = ISC_FALSE;
+
+ for (f = fields, i = 0; f->name != NULL; f++, i++) {
+ cfg_obj_t *fieldobj = obj->value.tuple[i];
+ if (need_space)
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_obj(pctx, fieldobj);
+ need_space = ISC_TF(fieldobj->type->print != cfg_print_void);
+ }
+}
+
+void
+cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const cfg_tuplefielddef_t *fields = type->of;
+ const cfg_tuplefielddef_t *f;
+ isc_boolean_t need_space = ISC_FALSE;
+
+ for (f = fields; f->name != NULL; f++) {
+ if (need_space)
+ cfg_print_chars(pctx, " ", 1);
+ cfg_doc_obj(pctx, f->type);
+ need_space = ISC_TF(f->type->print != cfg_print_void);
+ }
+}
+
+static void
+free_tuple(cfg_parser_t *pctx, cfg_obj_t *obj) {
+ unsigned int i;
+ const cfg_tuplefielddef_t *fields = obj->type->of;
+ const cfg_tuplefielddef_t *f;
+ unsigned int nfields = 0;
+
+ if (obj->value.tuple == NULL)
+ return;
+
+ for (f = fields, i = 0; f->name != NULL; f++, i++) {
+ CLEANUP_OBJ(obj->value.tuple[i]);
+ nfields++;
+ }
+ isc_mem_put(pctx->mctx, obj->value.tuple,
+ nfields * sizeof(cfg_obj_t *));
+}
+
+isc_boolean_t
+cfg_obj_istuple(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_tuple));
+}
+
+cfg_obj_t *
+cfg_tuple_get(cfg_obj_t *tupleobj, const char* name) {
+ unsigned int i;
+ const cfg_tuplefielddef_t *fields;
+ const cfg_tuplefielddef_t *f;
+
+ REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
+
+ fields = tupleobj->type->of;
+ for (f = fields, i = 0; f->name != NULL; f++, i++) {
+ if (strcmp(f->name, name) == 0)
+ return (tupleobj->value.tuple[i]);
+ }
+ INSIST(0);
+ return (NULL);
+}
+
+isc_result_t
+cfg_parse_special(cfg_parser_t *pctx, int special) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == special)
+ return (ISC_R_SUCCESS);
+
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "'%c' expected", special);
+ return (ISC_R_UNEXPECTEDTOKEN);
+ cleanup:
+ return (result);
+}
+
+/*
+ * Parse a required semicolon. If it is not there, log
+ * an error and increment the error count but continue
+ * parsing. Since the next token is pushed back,
+ * care must be taken to make sure it is eventually
+ * consumed or an infinite loop may result.
+ */
+static isc_result_t
+parse_semicolon(cfg_parser_t *pctx) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == ';')
+ return (ISC_R_SUCCESS);
+
+ cfg_parser_error(pctx, CFG_LOG_BEFORE, "missing ';'");
+ cfg_ungettoken(pctx);
+ cleanup:
+ return (result);
+}
+
+/*
+ * Parse EOF, logging and returning an error if not there.
+ */
+static isc_result_t
+parse_eof(cfg_parser_t *pctx) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, 0));
+
+ if (pctx->token.type == isc_tokentype_eof)
+ return (ISC_R_SUCCESS);
+
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "syntax error");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ cleanup:
+ return (result);
+}
+
+/* A list of files, used internally for pctx->files. */
+
+static cfg_type_t cfg_type_filelist = {
+ "filelist", NULL, print_list, NULL, &cfg_rep_list,
+ &cfg_type_qstring
+};
+
+isc_result_t
+cfg_parser_create(isc_mem_t *mctx, isc_log_t *lctx, cfg_parser_t **ret) {
+ isc_result_t result;
+ cfg_parser_t *pctx;
+ isc_lexspecials_t specials;
+
+ REQUIRE(mctx != NULL);
+ REQUIRE(ret != NULL && *ret == NULL);
+
+ pctx = isc_mem_get(mctx, sizeof(*pctx));
+ if (pctx == NULL)
+ return (ISC_R_NOMEMORY);
+
+ pctx->mctx = mctx;
+ pctx->lctx = lctx;
+ pctx->lexer = NULL;
+ pctx->seen_eof = ISC_FALSE;
+ pctx->ungotten = ISC_FALSE;
+ pctx->errors = 0;
+ pctx->warnings = 0;
+ pctx->open_files = NULL;
+ pctx->closed_files = NULL;
+ pctx->line = 0;
+ pctx->callback = NULL;
+ pctx->callbackarg = NULL;
+ pctx->token.type = isc_tokentype_unknown;
+
+ memset(specials, 0, sizeof(specials));
+ specials['{'] = 1;
+ specials['}'] = 1;
+ specials[';'] = 1;
+ specials['/'] = 1;
+ specials['"'] = 1;
+ specials['!'] = 1;
+
+ CHECK(isc_lex_create(pctx->mctx, 1024, &pctx->lexer));
+
+ isc_lex_setspecials(pctx->lexer, specials);
+ isc_lex_setcomments(pctx->lexer, (ISC_LEXCOMMENT_C |
+ ISC_LEXCOMMENT_CPLUSPLUS |
+ ISC_LEXCOMMENT_SHELL));
+
+ CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->open_files));
+ CHECK(cfg_create_list(pctx, &cfg_type_filelist, &pctx->closed_files));
+
+ *ret = pctx;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (pctx->lexer != NULL)
+ isc_lex_destroy(&pctx->lexer);
+ CLEANUP_OBJ(pctx->open_files);
+ CLEANUP_OBJ(pctx->closed_files);
+ isc_mem_put(mctx, pctx, sizeof(*pctx));
+ return (result);
+}
+
+static isc_result_t
+parser_openfile(cfg_parser_t *pctx, const char *filename) {
+ isc_result_t result;
+ cfg_listelt_t *elt = NULL;
+ cfg_obj_t *stringobj = NULL;
+
+ result = isc_lex_openfile(pctx->lexer, filename);
+ if (result != ISC_R_SUCCESS) {
+ cfg_parser_error(pctx, 0, "open: %s: %s",
+ filename, isc_result_totext(result));
+ goto cleanup;
+ }
+
+ CHECK(create_string(pctx, filename, &cfg_type_qstring, &stringobj));
+ CHECK(create_listelt(pctx, &elt));
+ elt->obj = stringobj;
+ ISC_LIST_APPEND(pctx->open_files->value.list, elt, link);
+
+ return (ISC_R_SUCCESS);
+ cleanup:
+ CLEANUP_OBJ(stringobj);
+ return (result);
+}
+
+void
+cfg_parser_setcallback(cfg_parser_t *pctx,
+ cfg_parsecallback_t callback,
+ void *arg)
+{
+ pctx->callback = callback;
+ pctx->callbackarg = arg;
+}
+
+/*
+ * Parse a configuration using a pctx where a lexer has already
+ * been set up with a source.
+ */
+static isc_result_t
+parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+
+ result = cfg_parse_obj(pctx, type, &obj);
+
+ if (pctx->errors != 0) {
+ /* Errors have been logged. */
+ if (result == ISC_R_SUCCESS)
+ result = ISC_R_FAILURE;
+ goto cleanup;
+ }
+
+ if (result != ISC_R_SUCCESS) {
+ /* Parsing failed but no errors have been logged. */
+ cfg_parser_error(pctx, 0, "parsing failed");
+ goto cleanup;
+ }
+
+ CHECK(parse_eof(pctx));
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+isc_result_t
+cfg_parse_file(cfg_parser_t *pctx, const char *filename,
+ const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+
+ REQUIRE(filename != NULL);
+
+ CHECK(parser_openfile(pctx, filename));
+ CHECK(parse2(pctx, type, ret));
+ cleanup:
+ return (result);
+}
+
+
+isc_result_t
+cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
+ const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ REQUIRE(buffer != NULL);
+ CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
+ CHECK(parse2(pctx, type, ret));
+ cleanup:
+ return (result);
+}
+
+void
+cfg_parser_destroy(cfg_parser_t **pctxp) {
+ cfg_parser_t *pctx = *pctxp;
+ isc_lex_destroy(&pctx->lexer);
+ /*
+ * Cleaning up open_files does not
+ * close the files; that was already done
+ * by closing the lexer.
+ */
+ CLEANUP_OBJ(pctx->open_files);
+ CLEANUP_OBJ(pctx->closed_files);
+ isc_mem_put(pctx->mctx, pctx, sizeof(*pctx));
+ *pctxp = NULL;
+}
+
+/*
+ * void
+ */
+isc_result_t
+cfg_parse_void(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ UNUSED(type);
+ return (cfg_create_obj(pctx, &cfg_type_void, ret));
+}
+
+void
+cfg_print_void(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ UNUSED(pctx);
+ UNUSED(obj);
+}
+
+void
+cfg_doc_void(cfg_printer_t *pctx, const cfg_type_t *type) {
+ UNUSED(pctx);
+ UNUSED(type);
+}
+
+isc_boolean_t
+cfg_obj_isvoid(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_void));
+}
+
+cfg_type_t cfg_type_void = {
+ "void", cfg_parse_void, cfg_print_void, cfg_doc_void, &cfg_rep_void,
+ NULL };
+
+
+/*
+ * uint32
+ */
+isc_result_t
+cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ UNUSED(type);
+
+ CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+ if (pctx->token.type != isc_tokentype_number) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected number");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_uint32, &obj));
+
+ obj->value.uint32 = pctx->token.value.as_ulong;
+ *ret = obj;
+ cleanup:
+ return (result);
+}
+
+void
+cfg_print_cstr(cfg_printer_t *pctx, const char *s) {
+ cfg_print_chars(pctx, s, strlen(s));
+}
+
+void
+cfg_print_rawuint(cfg_printer_t *pctx, unsigned int u) {
+ char buf[32];
+ snprintf(buf, sizeof(buf), "%u", u);
+ cfg_print_cstr(pctx, buf);
+}
+
+void
+cfg_print_uint32(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_print_rawuint(pctx, obj->value.uint32);
+}
+
+isc_boolean_t
+cfg_obj_isuint32(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_uint32));
+}
+
+isc_uint32_t
+cfg_obj_asuint32(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint32);
+ return (obj->value.uint32);
+}
+
+cfg_type_t cfg_type_uint32 = {
+ "integer", cfg_parse_uint32, cfg_print_uint32, cfg_doc_terminal,
+ &cfg_rep_uint32, NULL
+};
+
+
+/*
+ * uint64
+ */
+isc_boolean_t
+cfg_obj_isuint64(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_uint64));
+}
+
+isc_uint64_t
+cfg_obj_asuint64(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_uint64);
+ return (obj->value.uint64);
+}
+
+void
+cfg_print_uint64(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ char buf[32];
+ snprintf(buf, sizeof(buf), "%" ISC_PRINT_QUADFORMAT "u",
+ obj->value.uint64);
+ cfg_print_cstr(pctx, buf);
+}
+
+cfg_type_t cfg_type_uint64 = {
+ "64_bit_integer", NULL, cfg_print_uint64, cfg_doc_terminal,
+ &cfg_rep_uint64, NULL
+};
+
+/*
+ * qstring (quoted string), ustring (unquoted string), astring
+ * (any string)
+ */
+
+/* Create a string object from a null-terminated C string. */
+static isc_result_t
+create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ int len;
+
+ CHECK(cfg_create_obj(pctx, type, &obj));
+ len = strlen(contents);
+ obj->value.string.length = len;
+ obj->value.string.base = isc_mem_get(pctx->mctx, len + 1);
+ if (obj->value.string.base == 0) {
+ isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+ return (ISC_R_NOMEMORY);
+ }
+ memcpy(obj->value.string.base, contents, len);
+ obj->value.string.base[len] = '\0';
+
+ *ret = obj;
+ cleanup:
+ return (result);
+}
+
+isc_result_t
+cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type != isc_tokentype_qstring) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected quoted string");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ return (create_string(pctx,
+ TOKEN_STRING(pctx),
+ &cfg_type_qstring,
+ ret));
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_gettoken(pctx, 0));
+ if (pctx->token.type != isc_tokentype_string) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected unquoted string");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ return (create_string(pctx,
+ TOKEN_STRING(pctx),
+ &cfg_type_ustring,
+ ret));
+ cleanup:
+ return (result);
+}
+
+isc_result_t
+cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ UNUSED(type);
+
+ CHECK(cfg_getstringtoken(pctx));
+ return (create_string(pctx,
+ TOKEN_STRING(pctx),
+ &cfg_type_qstring,
+ ret));
+ cleanup:
+ return (result);
+}
+
+isc_boolean_t
+cfg_is_enum(const char *s, const char *const *enums) {
+ const char * const *p;
+ for (p = enums; *p != NULL; p++) {
+ if (strcasecmp(*p, s) == 0)
+ return (ISC_TRUE);
+ }
+ return (ISC_FALSE);
+}
+
+static isc_result_t
+check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
+ const char *s = obj->value.string.base;
+ if (cfg_is_enum(s, enums))
+ return (ISC_R_SUCCESS);
+ cfg_parser_error(pctx, 0, "'%s' unexpected", s);
+ return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ CHECK(parse_ustring(pctx, NULL, &obj));
+ CHECK(check_enum(pctx, obj, type->of));
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+void
+cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const char * const *p;
+ cfg_print_chars(pctx, "( ", 2);
+ for (p = type->of; *p != NULL; p++) {
+ cfg_print_cstr(pctx, *p);
+ if (p[1] != NULL)
+ cfg_print_chars(pctx, " | ", 3);
+ }
+ cfg_print_chars(pctx, " )", 2);
+}
+
+void
+cfg_print_ustring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_print_chars(pctx, obj->value.string.base, obj->value.string.length);
+}
+
+static void
+print_qstring(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_print_chars(pctx, "\"", 1);
+ cfg_print_ustring(pctx, obj);
+ cfg_print_chars(pctx, "\"", 1);
+}
+
+static void
+free_string(cfg_parser_t *pctx, cfg_obj_t *obj) {
+ isc_mem_put(pctx->mctx, obj->value.string.base,
+ obj->value.string.length + 1);
+}
+
+isc_boolean_t
+cfg_obj_isstring(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_string));
+}
+
+char *
+cfg_obj_asstring(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_string);
+ return (obj->value.string.base);
+}
+
+/* Quoted string only */
+cfg_type_t cfg_type_qstring = {
+ "quoted_string", cfg_parse_qstring, print_qstring, cfg_doc_terminal,
+ &cfg_rep_string, NULL
+};
+
+/* Unquoted string only */
+cfg_type_t cfg_type_ustring = {
+ "string", parse_ustring, cfg_print_ustring, cfg_doc_terminal,
+ &cfg_rep_string, NULL
+};
+
+/* Any string (quoted or unquoted); printed with quotes */
+cfg_type_t cfg_type_astring = {
+ "string", cfg_parse_astring, print_qstring, cfg_doc_terminal,
+ &cfg_rep_string, NULL
+};
+
+/*
+ * Booleans
+ */
+
+isc_boolean_t
+cfg_obj_isboolean(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_boolean));
+}
+
+isc_boolean_t
+cfg_obj_asboolean(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_boolean);
+ return (obj->value.boolean);
+}
+
+static isc_result_t
+parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ isc_boolean_t value;
+ cfg_obj_t *obj = NULL;
+ UNUSED(type);
+
+ result = cfg_gettoken(pctx, 0);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (pctx->token.type != isc_tokentype_string)
+ goto bad_boolean;
+
+ if ((strcasecmp(TOKEN_STRING(pctx), "true") == 0) ||
+ (strcasecmp(TOKEN_STRING(pctx), "yes") == 0) ||
+ (strcmp(TOKEN_STRING(pctx), "1") == 0)) {
+ value = ISC_TRUE;
+ } else if ((strcasecmp(TOKEN_STRING(pctx), "false") == 0) ||
+ (strcasecmp(TOKEN_STRING(pctx), "no") == 0) ||
+ (strcmp(TOKEN_STRING(pctx), "0") == 0)) {
+ value = ISC_FALSE;
+ } else {
+ goto bad_boolean;
+ }
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_boolean, &obj));
+ obj->value.boolean = value;
+ *ret = obj;
+ return (result);
+
+ bad_boolean:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "boolean expected");
+ return (ISC_R_UNEXPECTEDTOKEN);
+
+ cleanup:
+ return (result);
+}
+
+static void
+print_boolean(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ if (obj->value.boolean)
+ cfg_print_chars(pctx, "yes", 3);
+ else
+ cfg_print_chars(pctx, "no", 2);
+}
+
+cfg_type_t cfg_type_boolean = {
+ "boolean", parse_boolean, print_boolean, cfg_doc_terminal,
+ &cfg_rep_boolean, NULL
+};
+
+/*
+ * Lists.
+ */
+
+isc_result_t
+cfg_create_list(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **obj) {
+ isc_result_t result;
+ CHECK(cfg_create_obj(pctx, type, obj));
+ ISC_LIST_INIT((*obj)->value.list);
+ cleanup:
+ return (result);
+}
+
+static isc_result_t
+create_listelt(cfg_parser_t *pctx, cfg_listelt_t **eltp) {
+ cfg_listelt_t *elt;
+ elt = isc_mem_get(pctx->mctx, sizeof(*elt));
+ if (elt == NULL)
+ return (ISC_R_NOMEMORY);
+ elt->obj = NULL;
+ ISC_LINK_INIT(elt, link);
+ *eltp = elt;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+free_list_elt(cfg_parser_t *pctx, cfg_listelt_t *elt) {
+ cfg_obj_destroy(pctx, &elt->obj);
+ isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+}
+
+static void
+free_list(cfg_parser_t *pctx, cfg_obj_t *obj) {
+ cfg_listelt_t *elt, *next;
+ for (elt = ISC_LIST_HEAD(obj->value.list);
+ elt != NULL;
+ elt = next)
+ {
+ next = ISC_LIST_NEXT(elt, link);
+ free_list_elt(pctx, elt);
+ }
+}
+
+isc_result_t
+cfg_parse_listelt(cfg_parser_t *pctx, const cfg_type_t *elttype,
+ cfg_listelt_t **ret)
+{
+ isc_result_t result;
+ cfg_listelt_t *elt = NULL;
+ cfg_obj_t *value = NULL;
+
+ CHECK(create_listelt(pctx, &elt));
+
+ result = cfg_parse_obj(pctx, elttype, &value);
+ if (result != ISC_R_SUCCESS)
+ goto cleanup;
+
+ elt->obj = value;
+
+ *ret = elt;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ isc_mem_put(pctx->mctx, elt, sizeof(*elt));
+ return (result);
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where each element is terminated by a semicolon.
+ */
+static isc_result_t
+parse_list(cfg_parser_t *pctx, const cfg_type_t *listtype, cfg_obj_t **ret)
+{
+ cfg_obj_t *listobj = NULL;
+ const cfg_type_t *listof = listtype->of;
+ isc_result_t result;
+ cfg_listelt_t *elt = NULL;
+
+ CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+ for (;;) {
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == /*{*/ '}')
+ break;
+ CHECK(cfg_parse_listelt(pctx, listof, &elt));
+ CHECK(parse_semicolon(pctx));
+ ISC_LIST_APPEND(listobj->value.list, elt, link);
+ elt = NULL;
+ }
+ *ret = listobj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (elt != NULL)
+ free_list_elt(pctx, elt);
+ CLEANUP_OBJ(listobj);
+ return (result);
+}
+
+static void
+print_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_list_t *list = &obj->value.list;
+ cfg_listelt_t *elt;
+
+ for (elt = ISC_LIST_HEAD(*list);
+ elt != NULL;
+ elt = ISC_LIST_NEXT(elt, link)) {
+ print_indent(pctx);
+ cfg_print_obj(pctx, elt->obj);
+ cfg_print_chars(pctx, ";\n", 2);
+ }
+}
+
+isc_result_t
+cfg_parse_bracketed_list(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ CHECK(cfg_parse_special(pctx, '{'));
+ CHECK(parse_list(pctx, type, ret));
+ CHECK(cfg_parse_special(pctx, '}'));
+ cleanup:
+ return (result);
+}
+
+void
+cfg_print_bracketed_list(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ print_open(pctx);
+ print_list(pctx, obj);
+ print_close(pctx);
+}
+
+void
+cfg_doc_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_print_chars(pctx, "{ ", 2);
+ cfg_doc_obj(pctx, type->of);
+ cfg_print_chars(pctx, "; ... }", 7);
+}
+
+/*
+ * Parse a homogeneous list whose elements are of type 'elttype'
+ * and where elements are separated by space. The list ends
+ * before the first semicolon.
+ */
+isc_result_t
+cfg_parse_spacelist(cfg_parser_t *pctx, const cfg_type_t *listtype,
+ cfg_obj_t **ret)
+{
+ cfg_obj_t *listobj = NULL;
+ const cfg_type_t *listof = listtype->of;
+ isc_result_t result;
+
+ CHECK(cfg_create_list(pctx, listtype, &listobj));
+
+ for (;;) {
+ cfg_listelt_t *elt = NULL;
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == ';')
+ break;
+ CHECK(cfg_parse_listelt(pctx, listof, &elt));
+ ISC_LIST_APPEND(listobj->value.list, elt, link);
+ }
+ *ret = listobj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(listobj);
+ return (result);
+}
+
+void
+cfg_print_spacelist(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_list_t *list = &obj->value.list;
+ cfg_listelt_t *elt;
+
+ for (elt = ISC_LIST_HEAD(*list);
+ elt != NULL;
+ elt = ISC_LIST_NEXT(elt, link)) {
+ cfg_print_obj(pctx, elt->obj);
+ if (ISC_LIST_NEXT(elt, link) != NULL)
+ cfg_print_chars(pctx, " ", 1);
+ }
+}
+
+
+isc_boolean_t
+cfg_obj_islist(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_list));
+}
+
+cfg_listelt_t *
+cfg_list_first(cfg_obj_t *obj) {
+ REQUIRE(obj == NULL || obj->type->rep == &cfg_rep_list);
+ if (obj == NULL)
+ return (NULL);
+ return (ISC_LIST_HEAD(obj->value.list));
+}
+
+cfg_listelt_t *
+cfg_list_next(cfg_listelt_t *elt) {
+ REQUIRE(elt != NULL);
+ return (ISC_LIST_NEXT(elt, link));
+}
+
+cfg_obj_t *
+cfg_listelt_value(cfg_listelt_t *elt) {
+ REQUIRE(elt != NULL);
+ return (elt->obj);
+}
+
+/*
+ * Maps.
+ */
+
+/*
+ * Parse a map body. That's something like
+ *
+ * "foo 1; bar { glub; }; zap true; zap false;"
+ *
+ * i.e., a sequence of option names followed by values and
+ * terminated by semicolons. Used for the top level of
+ * the named.conf syntax, as well as for the body of the
+ * options, view, zone, and other statements.
+ */
+isc_result_t
+cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
+{
+ const cfg_clausedef_t * const *clausesets = type->of;
+ isc_result_t result;
+ const cfg_clausedef_t * const *clauseset;
+ const cfg_clausedef_t *clause;
+ cfg_obj_t *value = NULL;
+ cfg_obj_t *obj = NULL;
+ cfg_obj_t *eltobj = NULL;
+ cfg_obj_t *includename = NULL;
+ isc_symvalue_t symval;
+ cfg_list_t *list = NULL;
+
+ CHECK(create_map(pctx, type, &obj));
+
+ obj->value.map.clausesets = clausesets;
+
+ for (;;) {
+ cfg_listelt_t *elt;
+
+ redo:
+ /*
+ * Parse the option name and see if it is known.
+ */
+ CHECK(cfg_gettoken(pctx, 0));
+
+ if (pctx->token.type != isc_tokentype_string) {
+ cfg_ungettoken(pctx);
+ break;
+ }
+
+ /*
+ * We accept "include" statements wherever a map body
+ * clause can occur.
+ */
+ if (strcasecmp(TOKEN_STRING(pctx), "include") == 0) {
+ /*
+ * Turn the file name into a temporary configuration
+ * object just so that it is not overwritten by the
+ * semicolon token.
+ */
+ CHECK(cfg_parse_obj(pctx, &cfg_type_qstring, &includename));
+ CHECK(parse_semicolon(pctx));
+ CHECK(parser_openfile(pctx, includename->
+ value.string.base));
+ cfg_obj_destroy(pctx, &includename);
+ goto redo;
+ }
+
+ clause = NULL;
+ for (clauseset = clausesets; *clauseset != NULL; clauseset++) {
+ for (clause = *clauseset;
+ clause->name != NULL;
+ clause++) {
+ if (strcasecmp(TOKEN_STRING(pctx),
+ clause->name) == 0)
+ goto done;
+ }
+ }
+ done:
+ if (clause == NULL || clause->name == NULL) {
+ cfg_parser_error(pctx, CFG_LOG_NOPREP, "unknown option");
+ /*
+ * Try to recover by parsing this option as an unknown
+ * option and discarding it.
+ */
+ CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported, &eltobj));
+ cfg_obj_destroy(pctx, &eltobj);
+ CHECK(parse_semicolon(pctx));
+ continue;
+ }
+
+ /* Clause is known. */
+
+ /* Issue warnings if appropriate */
+ if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0)
+ cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
+ clause->name);
+ if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0)
+ cfg_parser_warning(pctx, 0, "option '%s' is "
+ "not implemented", clause->name);
+ if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
+ cfg_parser_warning(pctx, 0, "option '%s' is "
+ "not implemented", clause->name);
+ /*
+ * Don't log options with CFG_CLAUSEFLAG_NEWDEFAULT
+ * set here - we need to log the *lack* of such an option,
+ * not its presence.
+ */
+
+ /* See if the clause already has a value; if not create one. */
+ result = isc_symtab_lookup(obj->value.map.symtab,
+ clause->name, 0, &symval);
+
+ if ((clause->flags & CFG_CLAUSEFLAG_MULTI) != 0) {
+ /* Multivalued clause */
+ cfg_obj_t *listobj = NULL;
+ if (result == ISC_R_NOTFOUND) {
+ CHECK(cfg_create_list(pctx,
+ &cfg_type_implicitlist,
+ &listobj));
+ symval.as_pointer = listobj;
+ result = isc_symtab_define(obj->value.
+ map.symtab,
+ clause->name,
+ 1, symval,
+ isc_symexists_reject);
+ if (result != ISC_R_SUCCESS) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "isc_symtab_define(%s) "
+ "failed", clause->name);
+ isc_mem_put(pctx->mctx, list,
+ sizeof(cfg_list_t));
+ goto cleanup;
+ }
+ } else {
+ INSIST(result == ISC_R_SUCCESS);
+ listobj = symval.as_pointer;
+ }
+
+ elt = NULL;
+ CHECK(cfg_parse_listelt(pctx, clause->type, &elt));
+ CHECK(parse_semicolon(pctx));
+
+ ISC_LIST_APPEND(listobj->value.list, elt, link);
+ } else {
+ /* Single-valued clause */
+ if (result == ISC_R_NOTFOUND) {
+ isc_boolean_t callback =
+ ISC_TF((clause->flags &
+ CFG_CLAUSEFLAG_CALLBACK) != 0);
+ CHECK(parse_symtab_elt(pctx, clause->name,
+ clause->type,
+ obj->value.map.symtab,
+ callback));
+ CHECK(parse_semicolon(pctx));
+ } else if (result == ISC_R_SUCCESS) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "'%s' redefined",
+ clause->name);
+ result = ISC_R_EXISTS;
+ goto cleanup;
+ } else {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "isc_symtab_define() failed");
+ goto cleanup;
+ }
+ }
+ }
+
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(value);
+ CLEANUP_OBJ(obj);
+ CLEANUP_OBJ(eltobj);
+ CLEANUP_OBJ(includename);
+ return (result);
+}
+
+static isc_result_t
+parse_symtab_elt(cfg_parser_t *pctx, const char *name,
+ cfg_type_t *elttype, isc_symtab_t *symtab,
+ isc_boolean_t callback)
+{
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ isc_symvalue_t symval;
+
+ CHECK(cfg_parse_obj(pctx, elttype, &obj));
+
+ if (callback && pctx->callback != NULL)
+ CHECK(pctx->callback(name, obj, pctx->callbackarg));
+
+ symval.as_pointer = obj;
+ CHECK(isc_symtab_define(symtab, name,
+ 1, symval,
+ isc_symexists_reject));
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+/*
+ * Parse a map; e.g., "{ foo 1; bar { glub; }; zap true; zap false; }"
+ */
+isc_result_t
+cfg_parse_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ CHECK(cfg_parse_special(pctx, '{'));
+ CHECK(cfg_parse_mapbody(pctx, type, ret));
+ CHECK(cfg_parse_special(pctx, '}'));
+ cleanup:
+ return (result);
+}
+
+/*
+ * Subroutine for cfg_parse_named_map() and cfg_parse_addressed_map().
+ */
+static isc_result_t
+parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ isc_result_t result;
+ cfg_obj_t *idobj = NULL;
+ cfg_obj_t *mapobj = NULL;
+
+ CHECK(cfg_parse_obj(pctx, nametype, &idobj));
+ CHECK(cfg_parse_map(pctx, type, &mapobj));
+ mapobj->value.map.id = idobj;
+ idobj = NULL;
+ *ret = mapobj;
+ cleanup:
+ CLEANUP_OBJ(idobj);
+ return (result);
+}
+
+/*
+ * Parse a map identified by a string name. E.g., "name { foo 1; }".
+ * Used for the "key" and "channel" statements.
+ */
+isc_result_t
+cfg_parse_named_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_any_named_map(pctx, &cfg_type_astring, type, ret));
+}
+
+/*
+ * Parse a map identified by a network address.
+ * Used for the "server" statement.
+ */
+isc_result_t
+cfg_parse_addressed_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ return (parse_any_named_map(pctx, &cfg_type_netaddr, type, ret));
+}
+
+void
+cfg_print_mapbody(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ isc_result_t result = ISC_R_SUCCESS;
+
+ const cfg_clausedef_t * const *clauseset;
+
+ for (clauseset = obj->value.map.clausesets;
+ *clauseset != NULL;
+ clauseset++)
+ {
+ isc_symvalue_t symval;
+ const cfg_clausedef_t *clause;
+
+ for (clause = *clauseset;
+ clause->name != NULL;
+ clause++) {
+ result = isc_symtab_lookup(obj->value.map.symtab,
+ clause->name, 0, &symval);
+ if (result == ISC_R_SUCCESS) {
+ cfg_obj_t *obj = symval.as_pointer;
+ if (obj->type == &cfg_type_implicitlist) {
+ /* Multivalued. */
+ cfg_list_t *list = &obj->value.list;
+ cfg_listelt_t *elt;
+ for (elt = ISC_LIST_HEAD(*list);
+ elt != NULL;
+ elt = ISC_LIST_NEXT(elt, link)) {
+ print_indent(pctx);
+ cfg_print_cstr(pctx, clause->name);
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_obj(pctx, elt->obj);
+ cfg_print_chars(pctx, ";\n", 2);
+ }
+ } else {
+ /* Single-valued. */
+ print_indent(pctx);
+ cfg_print_cstr(pctx, clause->name);
+ cfg_print_chars(pctx, " ", 1);
+ cfg_print_obj(pctx, obj);
+ cfg_print_chars(pctx, ";\n", 2);
+ }
+ } else if (result == ISC_R_NOTFOUND) {
+ ; /* do nothing */
+ } else {
+ INSIST(0);
+ }
+ }
+ }
+}
+
+void
+cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const cfg_clausedef_t * const *clauseset;
+ const cfg_clausedef_t *clause;
+
+ for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+ for (clause = *clauseset;
+ clause->name != NULL;
+ clause++) {
+ cfg_print_cstr(pctx, clause->name);
+ cfg_print_chars(pctx, " ", 1);
+ cfg_doc_obj(pctx, clause->type);
+ cfg_print_chars(pctx, ";", 1);
+ /* XXX print flags here? */
+ cfg_print_chars(pctx, "\n\n", 2);
+ }
+ }
+}
+
+static struct flagtext {
+ unsigned int flag;
+ const char *text;
+} flagtexts[] = {
+ { CFG_CLAUSEFLAG_NOTIMP, "not implemented" },
+ { CFG_CLAUSEFLAG_NYI, "not yet implemented" },
+ { CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
+ { CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
+ { 0, NULL }
+};
+
+void
+cfg_print_map(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ if (obj->value.map.id != NULL) {
+ cfg_print_obj(pctx, obj->value.map.id);
+ cfg_print_chars(pctx, " ", 1);
+ }
+ print_open(pctx);
+ cfg_print_mapbody(pctx, obj);
+ print_close(pctx);
+}
+
+static void
+print_clause_flags(cfg_printer_t *pctx, unsigned int flags) {
+ struct flagtext *p;
+ isc_boolean_t first = ISC_TRUE;
+ for (p = flagtexts; p->flag != 0; p++) {
+ if ((flags & p->flag) != 0) {
+ if (first)
+ cfg_print_chars(pctx, " // ", 4);
+ else
+ cfg_print_chars(pctx, ", ", 2);
+ cfg_print_cstr(pctx, p->text);
+ first = ISC_FALSE;
+ }
+ }
+}
+
+void
+cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const cfg_clausedef_t * const *clauseset;
+ const cfg_clausedef_t *clause;
+
+ if (type->parse == cfg_parse_named_map) {
+ cfg_doc_obj(pctx, &cfg_type_astring);
+ cfg_print_chars(pctx, " ", 1);
+ } else if (type->parse == cfg_parse_addressed_map) {
+ cfg_doc_obj(pctx, &cfg_type_netaddr);
+ cfg_print_chars(pctx, " ", 1);
+ }
+
+ print_open(pctx);
+
+ for (clauseset = type->of; *clauseset != NULL; clauseset++) {
+ for (clause = *clauseset;
+ clause->name != NULL;
+ clause++) {
+ print_indent(pctx);
+ cfg_print_cstr(pctx, clause->name);
+ if (clause->type->print != cfg_print_void)
+ cfg_print_chars(pctx, " ", 1);
+ cfg_doc_obj(pctx, clause->type);
+ cfg_print_chars(pctx, ";", 1);
+ print_clause_flags(pctx, clause->flags);
+ cfg_print_chars(pctx, "\n", 1);
+ }
+ }
+ print_close(pctx);
+}
+
+isc_boolean_t
+cfg_obj_ismap(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_map));
+}
+
+isc_result_t
+cfg_map_get(cfg_obj_t *mapobj, const char* name, cfg_obj_t **obj) {
+ isc_result_t result;
+ isc_symvalue_t val;
+ cfg_map_t *map;
+
+ REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+ REQUIRE(name != NULL);
+ REQUIRE(obj != NULL && *obj == NULL);
+
+ map = &mapobj->value.map;
+
+ result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ *obj = val.as_pointer;
+ return (ISC_R_SUCCESS);
+}
+
+cfg_obj_t *
+cfg_map_getname(cfg_obj_t *mapobj) {
+ REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
+ return (mapobj->value.map.id);
+}
+
+
+/* Parse an arbitrary token, storing its raw text representation. */
+static isc_result_t
+parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ cfg_obj_t *obj = NULL;
+ isc_result_t result;
+ isc_region_t r;
+
+ UNUSED(type);
+
+ CHECK(cfg_create_obj(pctx, &cfg_type_token, &obj));
+ CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
+ if (pctx->token.type == isc_tokentype_eof) {
+ cfg_ungettoken(pctx);
+ result = ISC_R_EOF;
+ goto cleanup;
+ }
+
+ isc_lex_getlasttokentext(pctx->lexer, &pctx->token, &r);
+
+ obj->value.string.base = isc_mem_get(pctx->mctx, r.length + 1);
+ obj->value.string.length = r.length;
+ memcpy(obj->value.string.base, r.base, r.length);
+ obj->value.string.base[r.length] = '\0';
+ *ret = obj;
+
+ cleanup:
+ return (result);
+}
+
+cfg_type_t cfg_type_token = {
+ "token", parse_token, cfg_print_ustring, cfg_doc_terminal,
+ &cfg_rep_string, NULL
+};
+
+/*
+ * An unsupported option. This is just a list of tokens with balanced braces
+ * ending in a semicolon.
+ */
+
+static isc_result_t
+parse_unsupported(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ cfg_obj_t *listobj = NULL;
+ isc_result_t result;
+ int braces = 0;
+
+ CHECK(cfg_create_list(pctx, type, &listobj));
+
+ for (;;) {
+ cfg_listelt_t *elt = NULL;
+
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special) {
+ if (pctx->token.value.as_char == '{')
+ braces++;
+ else if (pctx->token.value.as_char == '}')
+ braces--;
+ else if (pctx->token.value.as_char == ';')
+ if (braces == 0)
+ break;
+ }
+ if (pctx->token.type == isc_tokentype_eof || braces < 0) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "unexpected token");
+ result = ISC_R_UNEXPECTEDTOKEN;
+ goto cleanup;
+ }
+
+ CHECK(cfg_parse_listelt(pctx, &cfg_type_token, &elt));
+ ISC_LIST_APPEND(listobj->value.list, elt, link);
+ }
+ INSIST(braces == 0);
+ *ret = listobj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(listobj);
+ return (result);
+}
+
+cfg_type_t cfg_type_unsupported = {
+ "unsupported", parse_unsupported, cfg_print_spacelist, cfg_doc_terminal,
+ &cfg_rep_list, NULL
+};
+
+/*
+ * Try interpreting the current token as a network address.
+ *
+ * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
+ * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set. The
+ * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
+ * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
+ * and the IPv6 wildcard address otherwise.
+ */
+static isc_result_t
+token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+ char *s;
+ struct in_addr in4a;
+ struct in6_addr in6a;
+
+ if (pctx->token.type != isc_tokentype_string)
+ return (ISC_R_UNEXPECTEDTOKEN);
+
+ s = TOKEN_STRING(pctx);
+ if ((flags & CFG_ADDR_WILDOK) != 0 && strcmp(s, "*") == 0) {
+ if ((flags & CFG_ADDR_V4OK) != 0) {
+ isc_netaddr_any(na);
+ return (ISC_R_SUCCESS);
+ } else if ((flags & CFG_ADDR_V6OK) != 0) {
+ isc_netaddr_any6(na);
+ return (ISC_R_SUCCESS);
+ } else {
+ INSIST(0);
+ }
+ } else {
+ if ((flags & (CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK)) != 0) {
+ if (inet_pton(AF_INET, s, &in4a) == 1) {
+ isc_netaddr_fromin(na, &in4a);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ if ((flags & CFG_ADDR_V4PREFIXOK) != 0 &&
+ strlen(s) <= 15U) {
+ char buf[64];
+ int i;
+
+ strcpy(buf, s);
+ for (i = 0; i < 3; i++) {
+ strcat(buf, ".0");
+ if (inet_pton(AF_INET, buf, &in4a) == 1) {
+ isc_netaddr_fromin(na, &in4a);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ }
+ if ((flags & CFG_ADDR_V6OK) != 0 &&
+ strlen(s) <= 127U) {
+ char buf[128]; /* see lib/bind9/getaddresses.c */
+ char *d; /* zone delimiter */
+ isc_uint32_t zone = 0; /* scope zone ID */
+
+ strcpy(buf, s);
+ d = strchr(buf, '%');
+ if (d != NULL)
+ *d = '\0';
+
+ if (inet_pton(AF_INET6, buf, &in6a) == 1) {
+ if (d != NULL) {
+#ifdef ISC_PLATFORM_HAVESCOPEID
+ isc_result_t result;
+
+ result = isc_netscope_pton(AF_INET6,
+ d + 1,
+ &in6a,
+ &zone);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+#else
+ return (ISC_R_BADADDRESSFORM);
+#endif
+ }
+
+ isc_netaddr_fromin6(na, &in6a);
+ isc_netaddr_setzone(na, zone);
+ return (ISC_R_SUCCESS);
+ }
+ }
+ }
+ return (ISC_R_UNEXPECTEDTOKEN);
+}
+
+isc_result_t
+cfg_parse_rawaddr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, 0));
+ result = token_addr(pctx, flags, na);
+ if (result == ISC_R_UNEXPECTEDTOKEN)
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected IP address");
+ cleanup:
+ return (result);
+}
+
+isc_boolean_t
+cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
+ isc_result_t result;
+ isc_netaddr_t na_dummy;
+ result = token_addr(pctx, flags, &na_dummy);
+ return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
+isc_result_t
+cfg_parse_rawport(cfg_parser_t *pctx, unsigned int flags, in_port_t *port) {
+ isc_result_t result;
+
+ CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+
+ if ((flags & CFG_ADDR_WILDOK) != 0 &&
+ pctx->token.type == isc_tokentype_string &&
+ strcmp(TOKEN_STRING(pctx), "*") == 0) {
+ *port = 0;
+ return (ISC_R_SUCCESS);
+ }
+ if (pctx->token.type != isc_tokentype_number) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected port number or '*'");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ if (pctx->token.value.as_ulong >= 65536U) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "port number out of range");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ *port = (in_port_t)(pctx->token.value.as_ulong);
+ return (ISC_R_SUCCESS);
+ cleanup:
+ return (result);
+}
+
+void
+cfg_print_rawaddr(cfg_printer_t *pctx, isc_netaddr_t *na) {
+ isc_result_t result;
+ char text[128];
+ isc_buffer_t buf;
+
+ isc_buffer_init(&buf, text, sizeof(text));
+ result = isc_netaddr_totext(na, &buf);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+ cfg_print_chars(pctx, isc_buffer_base(&buf), isc_buffer_usedlength(&buf));
+}
+
+/* netaddr */
+
+static isc_result_t
+parse_netaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ cfg_obj_t *obj = NULL;
+ isc_netaddr_t netaddr;
+ UNUSED(type);
+ CHECK(cfg_create_obj(pctx, type, &obj));
+ CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V6OK, &netaddr));
+ isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, 0);
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+cfg_type_t cfg_type_netaddr = {
+ "netaddr", parse_netaddr, cfg_print_sockaddr, cfg_doc_terminal,
+ &cfg_rep_sockaddr, NULL
+};
+
+/* netprefix */
+
+isc_result_t
+cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
+ cfg_obj_t **ret)
+{
+ cfg_obj_t *obj = NULL;
+ isc_result_t result;
+ isc_netaddr_t netaddr;
+ unsigned int addrlen, prefixlen;
+ UNUSED(type);
+
+ CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
+ CFG_ADDR_V6OK, &netaddr));
+ switch (netaddr.family) {
+ case AF_INET:
+ addrlen = 32;
+ break;
+ case AF_INET6:
+ addrlen = 128;
+ break;
+ default:
+ addrlen = 0;
+ INSIST(0);
+ break;
+ }
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_special &&
+ pctx->token.value.as_char == '/') {
+ CHECK(cfg_gettoken(pctx, 0)); /* read "/" */
+ CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
+ if (pctx->token.type != isc_tokentype_number) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR,
+ "expected prefix length");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ prefixlen = pctx->token.value.as_ulong;
+ if (prefixlen > addrlen) {
+ cfg_parser_error(pctx, CFG_LOG_NOPREP,
+ "invalid prefix length");
+ return (ISC_R_RANGE);
+ }
+ } else {
+ prefixlen = addrlen;
+ }
+ CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
+ obj->value.netprefix.address = netaddr;
+ obj->value.netprefix.prefixlen = prefixlen;
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+ cleanup:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected network prefix");
+ return (result);
+}
+
+static void
+print_netprefix(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ cfg_netprefix_t *p = &obj->value.netprefix;
+ cfg_print_rawaddr(pctx, &p->address);
+ cfg_print_chars(pctx, "/", 1);
+ cfg_print_rawuint(pctx, p->prefixlen);
+}
+
+isc_boolean_t
+cfg_obj_isnetprefix(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_netprefix));
+}
+
+void
+cfg_obj_asnetprefix(cfg_obj_t *obj, isc_netaddr_t *netaddr,
+ unsigned int *prefixlen) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_netprefix);
+ *netaddr = obj->value.netprefix.address;
+ *prefixlen = obj->value.netprefix.prefixlen;
+}
+
+cfg_type_t cfg_type_netprefix = {
+ "netprefix", cfg_parse_netprefix, print_netprefix, cfg_doc_terminal,
+ &cfg_rep_netprefix, NULL
+};
+
+static isc_result_t
+parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type,
+ int flags, cfg_obj_t **ret)
+{
+ isc_result_t result;
+ isc_netaddr_t netaddr;
+ in_port_t port = 0;
+ cfg_obj_t *obj = NULL;
+
+ CHECK(cfg_create_obj(pctx, type, &obj));
+ CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr));
+ CHECK(cfg_peektoken(pctx, 0));
+ if (pctx->token.type == isc_tokentype_string &&
+ strcasecmp(TOKEN_STRING(pctx), "port") == 0) {
+ CHECK(cfg_gettoken(pctx, 0)); /* read "port" */
+ CHECK(cfg_parse_rawport(pctx, flags, &port));
+ }
+ isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port);
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ CLEANUP_OBJ(obj);
+ return (result);
+}
+
+static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK;
+cfg_type_t cfg_type_sockaddr = {
+ "sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, cfg_doc_sockaddr,
+ &cfg_rep_sockaddr, &sockaddr_flags
+};
+
+isc_result_t
+cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ const unsigned int *flagp = type->of;
+ return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret));
+}
+
+void
+cfg_print_sockaddr(cfg_printer_t *pctx, cfg_obj_t *obj) {
+ isc_netaddr_t netaddr;
+ in_port_t port;
+ char buf[ISC_NETADDR_FORMATSIZE];
+
+ isc_netaddr_fromsockaddr(&netaddr, &obj->value.sockaddr);
+ isc_netaddr_format(&netaddr, buf, sizeof(buf));
+ cfg_print_cstr(pctx, buf);
+ port = isc_sockaddr_getport(&obj->value.sockaddr);
+ if (port != 0) {
+ cfg_print_chars(pctx, " port ", 6);
+ cfg_print_rawuint(pctx, port);
+ }
+}
+
+void
+cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
+ const unsigned int *flagp = type->of;
+ int n = 0;
+ cfg_print_chars(pctx, "( ", 2);
+ if (*flagp & CFG_ADDR_V4OK) {
+ if (n != 0)
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv4_address>");
+ n++;
+ }
+ if (*flagp & CFG_ADDR_V6OK) {
+ if (n != 0)
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_cstr(pctx, "<ipv6_address>");
+ n++;
+ }
+ if (*flagp & CFG_ADDR_WILDOK) {
+ if (n != 0)
+ cfg_print_chars(pctx, " | ", 3);
+ cfg_print_chars(pctx, "*", 1);
+ n++;
+ }
+ cfg_print_chars(pctx, " ) ", 3);
+ if (*flagp & CFG_ADDR_WILDOK) {
+ cfg_print_cstr(pctx, "[ port ( <integer> | * ) ]");
+ } else {
+ cfg_print_cstr(pctx, "[ port <integer> ]");
+ }
+}
+
+isc_boolean_t
+cfg_obj_issockaddr(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL);
+ return (ISC_TF(obj->type->rep == &cfg_rep_sockaddr));
+}
+
+isc_sockaddr_t *
+cfg_obj_assockaddr(cfg_obj_t *obj) {
+ REQUIRE(obj != NULL && obj->type->rep == &cfg_rep_sockaddr);
+ return (&obj->value.sockaddr);
+}
+
+isc_result_t
+cfg_gettoken(cfg_parser_t *pctx, int options) {
+ isc_result_t result;
+
+ if (pctx->seen_eof)
+ return (ISC_R_SUCCESS);
+
+ options |= (ISC_LEXOPT_EOF | ISC_LEXOPT_NOMORE);
+
+ redo:
+ pctx->token.type = isc_tokentype_unknown;
+ result = isc_lex_gettoken(pctx->lexer, options, &pctx->token);
+ pctx->ungotten = ISC_FALSE;
+ pctx->line = isc_lex_getsourceline(pctx->lexer);
+
+ switch (result) {
+ case ISC_R_SUCCESS:
+ if (pctx->token.type == isc_tokentype_eof) {
+ result = isc_lex_close(pctx->lexer);
+ INSIST(result == ISC_R_NOMORE ||
+ result == ISC_R_SUCCESS);
+
+ if (isc_lex_getsourcename(pctx->lexer) != NULL) {
+ /*
+ * Closed an included file, not the main file.
+ */
+ cfg_listelt_t *elt;
+ elt = ISC_LIST_TAIL(pctx->open_files->
+ value.list);
+ INSIST(elt != NULL);
+ ISC_LIST_UNLINK(pctx->open_files->
+ value.list, elt, link);
+ ISC_LIST_APPEND(pctx->closed_files->
+ value.list, elt, link);
+ goto redo;
+ }
+ pctx->seen_eof = ISC_TRUE;
+ }
+ break;
+
+ case ISC_R_NOSPACE:
+ /* More understandable than "ran out of space". */
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "token too big");
+ break;
+
+ case ISC_R_IOERROR:
+ cfg_parser_error(pctx, 0, "%s",
+ isc_result_totext(result));
+ break;
+
+ default:
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "%s",
+ isc_result_totext(result));
+ break;
+ }
+ return (result);
+}
+
+void
+cfg_ungettoken(cfg_parser_t *pctx) {
+ if (pctx->seen_eof)
+ return;
+ isc_lex_ungettoken(pctx->lexer, &pctx->token);
+ pctx->ungotten = ISC_TRUE;
+}
+
+isc_result_t
+cfg_peektoken(cfg_parser_t *pctx, int options) {
+ isc_result_t result;
+ CHECK(cfg_gettoken(pctx, options));
+ cfg_ungettoken(pctx);
+ cleanup:
+ return (result);
+}
+
+/*
+ * Get a string token, accepting both the quoted and the unquoted form.
+ * Log an error if the next token is not a string.
+ */
+static isc_result_t
+cfg_getstringtoken(cfg_parser_t *pctx) {
+ isc_result_t result;
+
+ result = cfg_gettoken(pctx, CFG_LEXOPT_QSTRING);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+
+ if (pctx->token.type != isc_tokentype_string &&
+ pctx->token.type != isc_tokentype_qstring) {
+ cfg_parser_error(pctx, CFG_LOG_NEAR, "expected string");
+ return (ISC_R_UNEXPECTEDTOKEN);
+ }
+ return (ISC_R_SUCCESS);
+}
+
+void
+cfg_parser_error(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+ va_list args;
+ va_start(args, fmt);
+ parser_complain(pctx, ISC_FALSE, flags, fmt, args);
+ va_end(args);
+ pctx->errors++;
+}
+
+void
+cfg_parser_warning(cfg_parser_t *pctx, unsigned int flags, const char *fmt, ...) {
+ va_list args;
+ va_start(args, fmt);
+ parser_complain(pctx, ISC_TRUE, flags, fmt, args);
+ va_end(args);
+ pctx->warnings++;
+}
+
+#define MAX_LOG_TOKEN 30 /* How much of a token to quote in log messages. */
+
+static char *
+current_file(cfg_parser_t *pctx) {
+ static char none[] = "none";
+ cfg_listelt_t *elt;
+ cfg_obj_t *fileobj;
+
+ if (pctx->open_files == NULL)
+ return (none);
+ elt = ISC_LIST_TAIL(pctx->open_files->value.list);
+ if (elt == NULL)
+ return (none);
+
+ fileobj = elt->obj;
+ INSIST(fileobj->type == &cfg_type_qstring);
+ return (fileobj->value.string.base);
+}
+
+static void
+parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
+ unsigned int flags, const char *format,
+ va_list args)
+{
+ char tokenbuf[MAX_LOG_TOKEN + 10];
+ static char where[ISC_DIR_PATHMAX + 100];
+ static char message[2048];
+ int level = ISC_LOG_ERROR;
+ const char *prep = "";
+ size_t len;
+
+ if (is_warning)
+ level = ISC_LOG_WARNING;
+
+ snprintf(where, sizeof(where), "%s:%u: ",
+ current_file(pctx), pctx->line);
+
+ len = vsnprintf(message, sizeof(message), format, args);
+ if (len >= sizeof(message))
+ FATAL_ERROR(__FILE__, __LINE__,
+ "error message would overflow");
+
+ if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
+ isc_region_t r;
+
+ if (pctx->ungotten)
+ (void)cfg_gettoken(pctx, 0);
+
+ if (pctx->token.type == isc_tokentype_eof) {
+ snprintf(tokenbuf, sizeof(tokenbuf), "end of file");
+ } else if (pctx->token.type == isc_tokentype_unknown) {
+ flags = 0;
+ tokenbuf[0] = '\0';
+ } else {
+ isc_lex_getlasttokentext(pctx->lexer,
+ &pctx->token, &r);
+ if (r.length > MAX_LOG_TOKEN)
+ snprintf(tokenbuf, sizeof(tokenbuf),
+ "'%.*s...'", MAX_LOG_TOKEN, r.base);
+ else
+ snprintf(tokenbuf, sizeof(tokenbuf),
+ "'%.*s'", (int)r.length, r.base);
+ }
+
+ /* Choose a preposition. */
+ if (flags & CFG_LOG_NEAR)
+ prep = " near ";
+ else if (flags & CFG_LOG_BEFORE)
+ prep = " before ";
+ else
+ prep = " ";
+ } else {
+ tokenbuf[0] = '\0';
+ }
+ isc_log_write(pctx->lctx, CAT, MOD, level,
+ "%s%s%s%s", where, message, prep, tokenbuf);
+}
+
+void
+cfg_obj_log(cfg_obj_t *obj, isc_log_t *lctx, int level, const char *fmt, ...) {
+ va_list ap;
+ char msgbuf[2048];
+
+ if (! isc_log_wouldlog(lctx, level))
+ return;
+
+ va_start(ap, fmt);
+
+ vsnprintf(msgbuf, sizeof(msgbuf), fmt, ap);
+ isc_log_write(lctx, CAT, MOD, level,
+ "%s:%u: %s",
+ obj->file == NULL ? "<unknown file>" : obj->file,
+ obj->line, msgbuf);
+ va_end(ap);
+}
+
+const char *
+cfg_obj_file(cfg_obj_t *obj) {
+ return (obj->file);
+}
+
+unsigned int
+cfg_obj_line(cfg_obj_t *obj) {
+ return (obj->line);
+}
+
+isc_result_t
+cfg_create_obj(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ cfg_obj_t *obj;
+
+ obj = isc_mem_get(pctx->mctx, sizeof(cfg_obj_t));
+ if (obj == NULL)
+ return (ISC_R_NOMEMORY);
+ obj->type = type;
+ obj->file = current_file(pctx);
+ obj->line = pctx->line;
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+}
+
+static void
+map_symtabitem_destroy(char *key, unsigned int type,
+ isc_symvalue_t symval, void *userarg)
+{
+ cfg_obj_t *obj = symval.as_pointer;
+ cfg_parser_t *pctx = (cfg_parser_t *)userarg;
+
+ UNUSED(key);
+ UNUSED(type);
+
+ cfg_obj_destroy(pctx, &obj);
+}
+
+
+static isc_result_t
+create_map(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
+ isc_result_t result;
+ isc_symtab_t *symtab = NULL;
+ cfg_obj_t *obj = NULL;
+
+ CHECK(cfg_create_obj(pctx, type, &obj));
+ CHECK(isc_symtab_create(pctx->mctx, 5, /* XXX */
+ map_symtabitem_destroy,
+ pctx, ISC_FALSE, &symtab));
+
+ obj->value.map.symtab = symtab;
+ obj->value.map.id = NULL;
+
+ *ret = obj;
+ return (ISC_R_SUCCESS);
+
+ cleanup:
+ if (obj != NULL)
+ isc_mem_put(pctx->mctx, obj, sizeof(*obj));
+ return (result);
+}
+
+static void
+free_map(cfg_parser_t *pctx, cfg_obj_t *obj) {
+ CLEANUP_OBJ(obj->value.map.id);
+ isc_symtab_destroy(&obj->value.map.symtab);
+}
+
+isc_boolean_t
+cfg_obj_istype(cfg_obj_t *obj, const cfg_type_t *type) {
+ return (ISC_TF(obj->type == type));
+}
+
+/*
+ * Destroy 'obj', a configuration object created in 'pctx'.
+ */
+void
+cfg_obj_destroy(cfg_parser_t *pctx, cfg_obj_t **objp) {
+ cfg_obj_t *obj = *objp;
+ obj->type->rep->free(pctx, obj);
+ isc_mem_put(pctx->mctx, obj, sizeof(cfg_obj_t));
+ *objp = NULL;
+}
+
+static void
+free_noop(cfg_parser_t *pctx, cfg_obj_t *obj) {
+ UNUSED(pctx);
+ UNUSED(obj);
+}
+
+void
+cfg_doc_obj(cfg_printer_t *pctx, const cfg_type_t *type) {
+ type->doc(pctx, type);
+}
+
+void
+cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type) {
+ cfg_print_chars(pctx, "<", 1);
+ cfg_print_cstr(pctx, type->name);
+ cfg_print_chars(pctx, ">", 1);
+}
+
+void
+cfg_print_grammar(const cfg_type_t *type,
+ void (*f)(void *closure, const char *text, int textlen),
+ void *closure)
+{
+ cfg_printer_t pctx;
+ pctx.f = f;
+ pctx.closure = closure;
+ pctx.indent = 0;
+ cfg_doc_obj(&pctx, type);
+}
diff --git a/contrib/bind9/lib/isccfg/version.c b/contrib/bind9/lib/isccfg/version.c
new file mode 100644
index 0000000..fe001d7
--- /dev/null
+++ b/contrib/bind9/lib/isccfg/version.c
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1998-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.1.12.3 2004/03/08 09:05:06 marka Exp $ */
+
+#include <isccfg/version.h>
+
+const char cfg_version[] = VERSION;
+
+const unsigned int cfg_libinterface = LIBINTERFACE;
+const unsigned int cfg_librevision = LIBREVISION;
+const unsigned int cfg_libage = LIBAGE;
+
diff --git a/contrib/bind9/lib/lwres/Makefile.in b/contrib/bind9/lib/lwres/Makefile.in
new file mode 100644
index 0000000..548c5d5
--- /dev/null
+++ b/contrib/bind9/lib/lwres/Makefile.in
@@ -0,0 +1,82 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.25.12.6 2004/08/28 06:25:23 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@LIBLWRES_API@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/unix/include \
+ -I. -I./include -I${srcdir}/include ${ISC_INCLUDES}
+CDEFINES =
+CWARNINGS =
+
+# Alphabetically
+OBJS = context.@O@ gai_strerror.@O@ getaddrinfo.@O@ gethost.@O@ \
+ getipnode.@O@ getnameinfo.@O@ getrrset.@O@ herror.@O@ \
+ lwbuffer.@O@ lwconfig.@O@ lwpacket.@O@ lwresutil.@O@ \
+ lwres_gabn.@O@ lwres_gnba.@O@ lwres_grbn.@O@ lwres_noop.@O@ \
+ lwinetaton.@O@ lwinetpton.@O@ lwinetntop.@O@ print.@O@
+
+# Alphabetically
+SRCS = context.c gai_strerror.c getaddrinfo.c gethost.c \
+ getipnode.c getnameinfo.c getrrset.c herror.c \
+ lwbuffer.c lwconfig.c lwpacket.c lwresutil.c \
+ lwres_gabn.c lwres_gnba.c lwres_grbn.c lwres_noop.c \
+ lwinetaton.c lwinetpton.c lwinetntop.c print.c
+
+LIBS = @LIBS@
+
+SUBDIRS = include man unix
+TARGETS = timestamp
+
+@BIND9_MAKE_RULES@
+
+version.@O@: version.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DVERSION=\"${VERSION}\" \
+ -DLIBINTERFACE=${LIBINTERFACE} \
+ -DLIBREVISION=${LIBREVISION} \
+ -DLIBAGE=${LIBAGE} \
+ -c ${srcdir}/version.c
+
+liblwres.@SA@: ${OBJS} version.@O@
+ ${AR} ${ARFLAGS} $@ ${OBJS} version.@O@
+ ${RANLIB} $@
+
+liblwres.la: ${OBJS} version.@O@
+ ${LIBTOOL_MODE_LINK} \
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o liblwres.la -rpath ${libdir} \
+ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
+ ${OBJS} version.@O@ ${LIBS}
+
+timestamp: liblwres.@A@
+ touch timestamp
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
+
+install:: timestamp installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_DATA} liblwres.@A@ ${DESTDIR}${libdir}
+
+clean distclean::
+ rm -f liblwres.@A@ liblwres.la timestamp
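Review bot: The `version.@O@` rule lists only `version.c` as a prerequisite, yet its recipe bakes `${VERSION}`, `${LIBINTERFACE}`, `${LIBREVISION}` and `${LIBAGE}` into the object through `-D` flags. Those values presumably arrive through the `@BIND9_VERSION@` and `@LIBLWRES_API@` substitutions, so once they change and the Makefile is regenerated, the existing object still counts as up to date and the library keeps reporting the old version and interface numbers. Adding the generated Makefile as a prerequisite, `version.@O@: version.c Makefile`, would force the rebuild. A stale version string also makes it harder to tell which installed copies carry a given fix.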
diff --git a/contrib/bind9/lib/lwres/api b/contrib/bind9/lib/lwres/api
new file mode 100644
index 0000000..1da8b02
--- /dev/null
+++ b/contrib/bind9/lib/lwres/api
@@ -0,0 +1,3 @@
+LIBINTERFACE = 3
+LIBREVISION = 1
+LIBAGE = 2
diff --git a/contrib/bind9/lib/lwres/assert_p.h b/contrib/bind9/lib/lwres/assert_p.h
new file mode 100644
index 0000000..78b4b79
--- /dev/null
+++ b/contrib/bind9/lib/lwres/assert_p.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: assert_p.h,v 1.9.206.1 2004/03/06 08:15:30 marka Exp $ */
+
+#ifndef LWRES_ASSERT_P_H
+#define LWRES_ASSERT_P_H 1
+
+#include <assert.h> /* Required for assert() prototype. */
+
+#define REQUIRE(x) assert(x)
+#define INSIST(x) assert(x)
+
+#define UNUSED(x) ((void)(x))
+
+#define SPACE_OK(b, s) (LWRES_BUFFER_AVAILABLECOUNT(b) >= (s))
+#define SPACE_REMAINING(b, s) (LWRES_BUFFER_REMAINING(b) >= (s))
+
+#endif /* LWRES_ASSERT_P_H */
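Review bot: `REQUIRE` and `INSIST` expand to plain `assert(x)`, so a build with `NDEBUG` defined compiles out every precondition and invariant check written with them, and the code then carries on with the violated assumption instead of stopping. Whether any build defines `NDEBUG` is not visible in this hunk, so the header should at least say so above the two defines, e.g. `/* REQUIRE/INSIST vanish under NDEBUG; never use them as the only check on untrusted lengths or pointers. */`. `SPACE_OK` and `SPACE_REMAINING` are ordinary expressions that survive in any build, so buffer-length checks should branch on them explicitly rather than sit inside a `REQUIRE`.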
diff --git a/contrib/bind9/lib/lwres/context.c b/contrib/bind9/lib/lwres/context.c
new file mode 100644
index 0000000..42bb416
--- /dev/null
+++ b/contrib/bind9/lib/lwres/context.c
@@ -0,0 +1,380 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.c,v 1.41.2.1.2.3 2004/03/06 08:15:30 marka Exp $ */
+
+#include <config.h>
+
+#include <fcntl.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/platform.h>
+
+#ifdef LWRES_PLATFORM_NEEDSYSSELECTH
+#include <sys/select.h>
+#endif
+
+#include "context_p.h"
+#include "assert_p.h"
+
+/*
+ * Some systems define the socket length argument as an int, some as size_t,
+ * some as socklen_t. The last is what the current POSIX standard mandates.
+ * This definition is here so it can be portable but easily changed if needed.
+ */
+#ifndef LWRES_SOCKADDR_LEN_T
+#define LWRES_SOCKADDR_LEN_T unsigned int
+#endif
+
+/*
+ * Make a socket nonblocking.
+ */
+#ifndef MAKE_NONBLOCKING
+#define MAKE_NONBLOCKING(sd, retval) \
+do { \
+ retval = fcntl(sd, F_GETFL, 0); \
+ if (retval != -1) { \
+ retval |= O_NONBLOCK; \
+ retval = fcntl(sd, F_SETFL, retval); \
+ } \
+} while (0)
+#endif
+
+LIBLWRES_EXTERNAL_DATA lwres_uint16_t lwres_udp_port = LWRES_UDP_PORT;
+LIBLWRES_EXTERNAL_DATA const char *lwres_resolv_conf = LWRES_RESOLV_CONF;
+
+static void *
+lwres_malloc(void *, size_t);
+
+static void
+lwres_free(void *, void *, size_t);
+
+static lwres_result_t
+context_connect(lwres_context_t *);
+
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg,
+ lwres_malloc_t malloc_function,
+ lwres_free_t free_function,
+ unsigned int flags)
+{
+ lwres_context_t *ctx;
+
+ REQUIRE(contextp != NULL && *contextp == NULL);
+ UNUSED(flags);
+
+ /*
+ * If we were not given anything special to use, use our own
+ * functions. These are just wrappers around malloc() and free().
+ */
+ if (malloc_function == NULL || free_function == NULL) {
+ REQUIRE(malloc_function == NULL);
+ REQUIRE(free_function == NULL);
+ malloc_function = lwres_malloc;
+ free_function = lwres_free;
+ }
+
+ ctx = malloc_function(arg, sizeof(lwres_context_t));
+ if (ctx == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ /*
+ * Set up the context.
+ */
+ ctx->malloc = malloc_function;
+ ctx->free = free_function;
+ ctx->arg = arg;
+ ctx->sock = -1;
+
+ ctx->timeout = LWRES_DEFAULT_TIMEOUT;
+ ctx->serial = time(NULL); /* XXXMLG or BEW */
+
+ /*
+ * Init resolv.conf bits.
+ */
+ lwres_conf_init(ctx);
+
+ *contextp = ctx;
+ return (LWRES_R_SUCCESS);
+}
+
+void
+lwres_context_destroy(lwres_context_t **contextp) {
+ lwres_context_t *ctx;
+
+ REQUIRE(contextp != NULL && *contextp != NULL);
+
+ ctx = *contextp;
+ *contextp = NULL;
+
+ if (ctx->sock != -1) {
+ (void)close(ctx->sock);
+ ctx->sock = -1;
+ }
+
+ CTXFREE(ctx, sizeof(lwres_context_t));
+}
+
+lwres_uint32_t
+lwres_context_nextserial(lwres_context_t *ctx) {
+ REQUIRE(ctx != NULL);
+
+ return (ctx->serial++);
+}
+
+void
+lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial) {
+ REQUIRE(ctx != NULL);
+
+ ctx->serial = serial;
+}
+
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len) {
+ REQUIRE(mem != NULL);
+ REQUIRE(len != 0U);
+
+ CTXFREE(mem, len);
+}
+
+void *
+lwres_context_allocmem(lwres_context_t *ctx, size_t len) {
+ REQUIRE(len != 0U);
+
+ return (CTXMALLOC(len));
+}
+
+static void *
+lwres_malloc(void *arg, size_t len) {
+ void *mem;
+
+ UNUSED(arg);
+
+ mem = malloc(len);
+ if (mem == NULL)
+ return (NULL);
+
+ memset(mem, 0xe5, len);
+
+ return (mem);
+}
+
+static void
+lwres_free(void *arg, void *mem, size_t len) {
+ UNUSED(arg);
+
+ memset(mem, 0xa9, len);
+ free(mem);
+}
+
+static lwres_result_t
+context_connect(lwres_context_t *ctx) {
+ int s;
+ int ret;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ struct sockaddr *sa;
+ LWRES_SOCKADDR_LEN_T salen;
+ int domain;
+
+ if (ctx->confdata.lwnext != 0) {
+ memcpy(&ctx->address, &ctx->confdata.lwservers[0],
+ sizeof(lwres_addr_t));
+ LWRES_LINK_INIT(&ctx->address, link);
+ } else {
+ /* The default is the IPv4 loopback address 127.0.0.1. */
+ memset(&ctx->address, 0, sizeof(ctx->address));
+ ctx->address.family = LWRES_ADDRTYPE_V4;
+ ctx->address.length = 4;
+ ctx->address.address[0] = 127;
+ ctx->address.address[1] = 0;
+ ctx->address.address[2] = 0;
+ ctx->address.address[3] = 1;
+ }
+
+ if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+ memcpy(&sin.sin_addr, ctx->address.address,
+ sizeof(sin.sin_addr));
+ sin.sin_port = htons(lwres_udp_port);
+ sin.sin_family = AF_INET;
+ sa = (struct sockaddr *)&sin;
+ salen = sizeof(sin);
+ domain = PF_INET;
+ } else if (ctx->address.family == LWRES_ADDRTYPE_V6) {
+ memcpy(&sin6.sin6_addr, ctx->address.address,
+ sizeof(sin6.sin6_addr));
+ sin6.sin6_port = htons(lwres_udp_port);
+ sin6.sin6_family = AF_INET6;
+ sa = (struct sockaddr *)&sin6;
+ salen = sizeof(sin6);
+ domain = PF_INET6;
+ } else
+ return (LWRES_R_IOERROR);
+
+ s = socket(domain, SOCK_DGRAM, IPPROTO_UDP);
+ if (s < 0)
+ return (LWRES_R_IOERROR);
+
+ ret = connect(s, sa, salen);
+ if (ret != 0) {
+ (void)close(s);
+ return (LWRES_R_IOERROR);
+ }
+
+ MAKE_NONBLOCKING(s, ret);
+ if (ret < 0)
+ return (LWRES_R_IOERROR);
+
+ ctx->sock = s;
+
+ return (LWRES_R_SUCCESS);
+}
+
+int
+lwres_context_getsocket(lwres_context_t *ctx) {
+ return (ctx->sock);
+}
+
+lwres_result_t
+lwres_context_send(lwres_context_t *ctx,
+ void *sendbase, int sendlen) {
+ int ret;
+ lwres_result_t lwresult;
+
+ if (ctx->sock == -1) {
+ lwresult = context_connect(ctx);
+ if (lwresult != LWRES_R_SUCCESS)
+ return (lwresult);
+ }
+
+ ret = sendto(ctx->sock, sendbase, sendlen, 0, NULL, 0);
+ if (ret < 0)
+ return (LWRES_R_IOERROR);
+ if (ret != sendlen)
+ return (LWRES_R_IOERROR);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_context_recv(lwres_context_t *ctx,
+ void *recvbase, int recvlen,
+ int *recvd_len)
+{
+ LWRES_SOCKADDR_LEN_T fromlen;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ struct sockaddr *sa;
+ int ret;
+
+ if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+ sa = (struct sockaddr *)&sin;
+ fromlen = sizeof(sin);
+ } else {
+ sa = (struct sockaddr *)&sin6;
+ fromlen = sizeof(sin6);
+ }
+
+ /*
+ * The address of fromlen is cast to void * to shut up compiler
+ * warnings, namely on systems that have the sixth parameter
+ * prototyped as a signed int when LWRES_SOCKADDR_LEN_T is
+ * defined as unsigned.
+ */
+ ret = recvfrom(ctx->sock, recvbase, recvlen, 0, sa, (void *)&fromlen);
+
+ if (ret < 0)
+ return (LWRES_R_IOERROR);
+
+ if (ret == recvlen)
+ return (LWRES_R_TOOLARGE);
+
+ /*
+ * If we got something other than what we expect, have the caller
+ * wait for another packet. This can happen if an old result
+ * comes in, or if someone is sending us random stuff.
+ */
+ if (ctx->address.family == LWRES_ADDRTYPE_V4) {
+ if (fromlen != sizeof(sin)
+ || memcmp(&sin.sin_addr, ctx->address.address,
+ sizeof(sin.sin_addr)) != 0
+ || sin.sin_port != htons(lwres_udp_port))
+ return (LWRES_R_RETRY);
+ } else {
+ if (fromlen != sizeof(sin6)
+ || memcmp(&sin6.sin6_addr, ctx->address.address,
+ sizeof(sin6.sin6_addr)) != 0
+ || sin6.sin6_port != htons(lwres_udp_port))
+ return (LWRES_R_RETRY);
+ }
+
+ if (recvd_len != NULL)
+ *recvd_len = ret;
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_context_sendrecv(lwres_context_t *ctx,
+ void *sendbase, int sendlen,
+ void *recvbase, int recvlen,
+ int *recvd_len)
+{
+ lwres_result_t result;
+ int ret2;
+ fd_set readfds;
+ struct timeval timeout;
+
+ /*
+ * Type of tv_sec is long, so make sure the unsigned long timeout
+ * does not overflow it.
+ */
+ if (ctx->timeout <= (unsigned int)LONG_MAX)
+ timeout.tv_sec = (long)ctx->timeout;
+ else
+ timeout.tv_sec = LONG_MAX;
+
+ timeout.tv_usec = 0;
+
+ result = lwres_context_send(ctx, sendbase, sendlen);
+ if (result != LWRES_R_SUCCESS)
+ return (result);
+ again:
+ FD_ZERO(&readfds);
+ FD_SET(ctx->sock, &readfds);
+ ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
+
+ /*
+ * What happened with select?
+ */
+ if (ret2 < 0)
+ return (LWRES_R_IOERROR);
+ if (ret2 == 0)
+ return (LWRES_R_TIMEOUT);
+
+ result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
+ if (result == LWRES_R_RETRY)
+ goto again;
+
+ return (result);
+}
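Review bot: In lwres_context_sendrecv, `FD_SET(ctx->sock, &readfds)` is reached without checking that the descriptor is below `FD_SETSIZE`, so a process that already holds many open descriptors can write outside `readfds`. A guard such as `if (ctx->sock < 0 || ctx->sock >= FD_SETSIZE) return (LWRES_R_IOERROR);` before `FD_ZERO` would close that. In context_connect, the failure path after `MAKE_NONBLOCKING(s, ret)` returns without `(void)close(s);`, which leaks the socket. `sin` and `sin6` are also filled field by field with no prior `memset`, leaving `sin6_scope_id` and `sin6_flowinfo` indeterminate when they are passed to connect(). The same `timeout` struct is reused on every `goto again`, so the total wait depends on whether the platform's select() updates it.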
diff --git a/contrib/bind9/lib/lwres/context_p.h b/contrib/bind9/lib/lwres/context_p.h
new file mode 100644
index 0000000..3e22bc0
--- /dev/null
+++ b/contrib/bind9/lib/lwres/context_p.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context_p.h,v 1.12.206.1 2004/03/06 08:15:30 marka Exp $ */
+
+#ifndef LWRES_CONTEXT_P_H
+#define LWRES_CONTEXT_P_H 1
+
+/*
+ * Helper functions, assuming the context is always called "ctx" in
+ * the scope these functions are called from.
+ */
+#define CTXMALLOC(len) ctx->malloc(ctx->arg, (len))
+#define CTXFREE(addr, len) ctx->free(ctx->arg, (addr), (len))
+
+#define LWRES_DEFAULT_TIMEOUT 120 /* 120 seconds for a reply */
+
+/*
+ * Not all the attributes here are actually settable by the application at
+ * this time.
+ */
+struct lwres_context {
+ unsigned int timeout; /* time to wait for reply */
+ lwres_uint32_t serial; /* serial number state */
+
+ /*
+ * For network I/O.
+ */
+ int sock; /* socket to send on */
+ lwres_addr_t address; /* address to send to */
+
+ /*
+ * Function pointers for allocating memory.
+ */
+ lwres_malloc_t malloc;
+ lwres_free_t free;
+ void *arg;
+
+ /*
+ * resolv.conf-like data
+ */
+ lwres_conf_t confdata;
+};
+
+#endif /* LWRES_CONTEXT_P_H */
diff --git a/contrib/bind9/lib/lwres/gai_strerror.c b/contrib/bind9/lib/lwres/gai_strerror.c
new file mode 100644
index 0000000..ae819dd
--- /dev/null
+++ b/contrib/bind9/lib/lwres/gai_strerror.c
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gai_strerror.c,v 1.14.2.1.10.1 2004/03/06 08:15:30 marka Exp $ */
+
+#include <lwres/netdb.h>
+
+static const char *gai_messages[] = {
+ "no error",
+ "address family for hostname not supported",
+ "temporary failure in name resolution",
+ "invalid value for ai_flags",
+ "non-recoverable failure in name resolution",
+ "ai_family not supported",
+ "memory allocation failure",
+ "no address associated with hostname",
+ "hostname nor servname provided, or not known",
+ "servname not supported for ai_socktype",
+ "ai_socktype not supported",
+ "system error returned in errno",
+ "bad hints",
+ "bad protocol"
+};
+
+char *
+lwres_gai_strerror(int ecode) {
+ union {
+ const char *const_ptr;
+ char *deconst_ptr;
+ } ptr;
+
+ if ((ecode < 0) ||
+ (ecode >= (int)(sizeof(gai_messages)/sizeof(*gai_messages))))
+ ptr.const_ptr = "invalid error code";
+ else
+ ptr.const_ptr = gai_messages[ecode];
+ return (ptr.deconst_ptr);
+}
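Review bot: lwres_gai_strerror returns a non-const `char *` that points at a string literal (de-consted through the union), and nothing on the function documents that the caller must treat it as read-only. A comment above the function would cover it, for example `/* Returns a pointer to static read-only text; the caller must not modify or free it. */`. The order of `gai_messages` presumably mirrors the EAI_* values in `<lwres/netdb.h>`, which is not visible in this hunk, so a comment on the table saying the index is the error code would help anyone adding an entry.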
diff --git a/contrib/bind9/lib/lwres/getaddrinfo.c b/contrib/bind9/lib/lwres/getaddrinfo.c
new file mode 100644
index 0000000..86f48aa
--- /dev/null
+++ b/contrib/bind9/lib/lwres/getaddrinfo.c
@@ -0,0 +1,691 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * This code is derived from software contributed to ISC by
+ * Berkeley Software Design, Inc.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND BERKELEY SOFTWARE DESIGN, INC.
+ * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getaddrinfo.c,v 1.41.206.1 2004/03/06 08:15:30 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+
+#define SA(addr) ((struct sockaddr *)(addr))
+#define SIN(addr) ((struct sockaddr_in *)(addr))
+#define SIN6(addr) ((struct sockaddr_in6 *)(addr))
+#define SUN(addr) ((struct sockaddr_un *)(addr))
+
+static struct addrinfo
+ *ai_reverse(struct addrinfo *oai),
+ *ai_clone(struct addrinfo *oai, int family),
+ *ai_alloc(int family, int addrlen);
+#ifdef AF_LOCAL
+static int get_local(const char *name, int socktype, struct addrinfo **res);
+#endif
+
+static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port);
+static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port);
+static void set_order(int, int (**)(const char *, int, struct addrinfo **,
+ int, int));
+
+#define FOUND_IPV4 0x1
+#define FOUND_IPV6 0x2
+#define FOUND_MAX 2
+
+#define ISC_AI_MASK (AI_PASSIVE|AI_CANONNAME|AI_NUMERICHOST)
+
+int
+lwres_getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *hints, struct addrinfo **res)
+{
+ struct servent *sp;
+ const char *proto;
+ int family, socktype, flags, protocol;
+ struct addrinfo *ai, *ai_list;
+ int port, err, i;
+ int (*net_order[FOUND_MAX+1])(const char *, int, struct addrinfo **,
+ int, int);
+
+ if (hostname == NULL && servname == NULL)
+ return (EAI_NONAME);
+
+ proto = NULL;
+ if (hints != NULL) {
+ if ((hints->ai_flags & ~(ISC_AI_MASK)) != 0)
+ return (EAI_BADFLAGS);
+ if (hints->ai_addrlen || hints->ai_canonname ||
+ hints->ai_addr || hints->ai_next) {
+ errno = EINVAL;
+ return (EAI_SYSTEM);
+ }
+ family = hints->ai_family;
+ socktype = hints->ai_socktype;
+ protocol = hints->ai_protocol;
+ flags = hints->ai_flags;
+ switch (family) {
+ case AF_UNSPEC:
+ switch (hints->ai_socktype) {
+ case SOCK_STREAM:
+ proto = "tcp";
+ break;
+ case SOCK_DGRAM:
+ proto = "udp";
+ break;
+ }
+ break;
+ case AF_INET:
+ case AF_INET6:
+ switch (hints->ai_socktype) {
+ case 0:
+ break;
+ case SOCK_STREAM:
+ proto = "tcp";
+ break;
+ case SOCK_DGRAM:
+ proto = "udp";
+ break;
+ case SOCK_RAW:
+ break;
+ default:
+ return (EAI_SOCKTYPE);
+ }
+ break;
+#ifdef AF_LOCAL
+ case AF_LOCAL:
+ switch (hints->ai_socktype) {
+ case 0:
+ break;
+ case SOCK_STREAM:
+ break;
+ case SOCK_DGRAM:
+ break;
+ default:
+ return (EAI_SOCKTYPE);
+ }
+ break;
+#endif
+ default:
+ return (EAI_FAMILY);
+ }
+ } else {
+ protocol = 0;
+ family = 0;
+ socktype = 0;
+ flags = 0;
+ }
+
+#ifdef AF_LOCAL
+ /*
+ * First, deal with AF_LOCAL. If the family was not set,
+ * then assume AF_LOCAL if the first character of the
+ * hostname/servname is '/'.
+ */
+
+ if (hostname != NULL &&
+ (family == AF_LOCAL || (family == 0 && *hostname == '/')))
+ return (get_local(hostname, socktype, res));
+
+ if (servname != NULL &&
+ (family == AF_LOCAL || (family == 0 && *servname == '/')))
+ return (get_local(servname, socktype, res));
+#endif
+
+ /*
+ * Ok, only AF_INET and AF_INET6 left.
+ */
+ ai_list = NULL;
+
+ /*
+ * First, look up the service name (port) if it was
+ * requested. If the socket type wasn't specified, then
+ * try and figure it out.
+ */
+ if (servname != NULL) {
+ char *e;
+
+ port = strtol(servname, &e, 10);
+ if (*e == '\0') {
+ if (socktype == 0)
+ return (EAI_SOCKTYPE);
+ if (port < 0 || port > 65535)
+ return (EAI_SERVICE);
+ port = htons((unsigned short) port);
+ } else {
+ sp = getservbyname(servname, proto);
+ if (sp == NULL)
+ return (EAI_SERVICE);
+ port = sp->s_port;
+ if (socktype == 0) {
+ if (strcmp(sp->s_proto, "tcp") == 0)
+ socktype = SOCK_STREAM;
+ else if (strcmp(sp->s_proto, "udp") == 0)
+ socktype = SOCK_DGRAM;
+ }
+ }
+ } else
+ port = 0;
+
+ /*
+ * Next, deal with just a service name, and no hostname.
+ * (we verified that one of them was non-null up above).
+ */
+ if (hostname == NULL && (flags & AI_PASSIVE) != 0) {
+ if (family == AF_INET || family == 0) {
+ ai = ai_alloc(AF_INET, sizeof(struct sockaddr_in));
+ if (ai == NULL)
+ return (EAI_MEMORY);
+ ai->ai_socktype = socktype;
+ ai->ai_protocol = protocol;
+ SIN(ai->ai_addr)->sin_port = port;
+ ai->ai_next = ai_list;
+ ai_list = ai;
+ }
+
+ if (family == AF_INET6 || family == 0) {
+ ai = ai_alloc(AF_INET6, sizeof(struct sockaddr_in6));
+ if (ai == NULL) {
+ lwres_freeaddrinfo(ai_list);
+ return (EAI_MEMORY);
+ }
+ ai->ai_socktype = socktype;
+ ai->ai_protocol = protocol;
+ SIN6(ai->ai_addr)->sin6_port = port;
+ ai->ai_next = ai_list;
+ ai_list = ai;
+ }
+
+ *res = ai_list;
+ return (0);
+ }
+
+ /*
+ * If the family isn't specified or AI_NUMERICHOST specified,
+ * check first to see if it is a numeric address.
+ * Though the gethostbyname2() routine
+ * will recognize numeric addresses, it will only recognize
+ * the format that it is being called for. Thus, a numeric
+ * AF_INET address will be treated by the AF_INET6 call as
+ * a domain name, and vice versa. Checking for both numerics
+ * here avoids that.
+ */
+ if (hostname != NULL &&
+ (family == 0 || (flags & AI_NUMERICHOST) != 0)) {
+ char abuf[sizeof(struct in6_addr)];
+ char nbuf[NI_MAXHOST];
+ int addrsize, addroff;
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+ char *p, *ep;
+ char ntmp[NI_MAXHOST];
+ lwres_uint32_t scopeid;
+#endif
+
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+ /*
+ * Scope identifier portion.
+ */
+ ntmp[0] = '\0';
+ if (strchr(hostname, '%') != NULL) {
+ strncpy(ntmp, hostname, sizeof(ntmp) - 1);
+ ntmp[sizeof(ntmp) - 1] = '\0';
+ p = strchr(ntmp, '%');
+ ep = NULL;
+
+ /*
+ * Vendors may want to support non-numeric
+ * scopeid around here.
+ */
+
+ if (p != NULL)
+ scopeid = (lwres_uint32_t)strtoul(p + 1,
+ &ep, 10);
+ if (p != NULL && ep != NULL && ep[0] == '\0')
+ *p = '\0';
+ else {
+ ntmp[0] = '\0';
+ scopeid = 0;
+ }
+ } else
+ scopeid = 0;
+#endif
+
+ if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
+ == 1)
+ {
+ if (family == AF_INET6) {
+ /*
+ * Convert to a V4 mapped address.
+ */
+ struct in6_addr *a6 = (struct in6_addr *)abuf;
+ memcpy(&a6->s6_addr[12], &a6->s6_addr[0], 4);
+ memset(&a6->s6_addr[10], 0xff, 2);
+ memset(&a6->s6_addr[0], 0, 10);
+ goto inet6_addr;
+ }
+ addrsize = sizeof(struct in_addr);
+ addroff = (char *)(&SIN(0)->sin_addr) - (char *)0;
+ family = AF_INET;
+ goto common;
+#ifdef LWRES_HAVE_SIN6_SCOPE_ID
+ } else if (ntmp[0] != '\0' &&
+ lwres_net_pton(AF_INET6, ntmp, abuf) == 1)
+ {
+ if (family && family != AF_INET6)
+ return (EAI_NONAME);
+ addrsize = sizeof(struct in6_addr);
+ addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+ family = AF_INET6;
+ goto common;
+#endif
+ } else if (lwres_net_pton(AF_INET6, hostname, abuf) == 1) {
+ if (family != 0 && family != AF_INET6)
+ return (EAI_NONAME);
+ inet6_addr:
+ addrsize = sizeof(struct in6_addr);
+ addroff = (char *)(&SIN6(0)->sin6_addr) - (char *)0;
+ family = AF_INET6;
+
+ common:
+ ai = ai_clone(ai_list, family);
+ if (ai == NULL)
+ return (EAI_MEMORY);
+ ai_list = ai;
+ ai->ai_socktype = socktype;
+ SIN(ai->ai_addr)->sin_port = port;
+ memcpy((char *)ai->ai_addr + addroff, abuf, addrsize);
+ if (flags & AI_CANONNAME) {
+#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
+ if (ai->ai_family == AF_INET6)
+ SIN6(ai->ai_addr)->sin6_scope_id =
+ scopeid;
+#endif
+ if (lwres_getnameinfo(ai->ai_addr,
+ ai->ai_addrlen, nbuf, sizeof(nbuf),
+ NULL, 0,
+ NI_NUMERICHOST) == 0) {
+ ai->ai_canonname = strdup(nbuf);
+ if (ai->ai_canonname == NULL)
+ return (EAI_MEMORY);
+ } else {
+ /* XXX raise error? */
+ ai->ai_canonname = NULL;
+ }
+ }
+ goto done;
+ } else if ((flags & AI_NUMERICHOST) != 0) {
+ return (EAI_NONAME);
+ }
+ }
+
+ set_order(family, net_order);
+ for (i = 0; i < FOUND_MAX; i++) {
+ if (net_order[i] == NULL)
+ break;
+ err = (net_order[i])(hostname, flags, &ai_list,
+ socktype, port);
+ if (err != 0)
+ return (err);
+ }
+
+ if (ai_list == NULL)
+ return (EAI_NODATA);
+
+done:
+ ai_list = ai_reverse(ai_list);
+
+ *res = ai_list;
+ return (0);
+}
+
+static char *
+lwres_strsep(char **stringp, const char *delim) {
+ char *string = *stringp;
+ char *s;
+ const char *d;
+ char sc, dc;
+
+ if (string == NULL)
+ return (NULL);
+
+ for (s = string; *s != '\0'; s++) {
+ sc = *s;
+ for (d = delim; (dc = *d) != '\0'; d++)
+ if (sc == dc) {
+ *s++ = '\0';
+ *stringp = s;
+ return (string);
+ }
+ }
+ *stringp = NULL;
+ return (string);
+}
+
+static void
+set_order(int family, int (**net_order)(const char *, int, struct addrinfo **,
+ int, int))
+{
+ char *order, *tok;
+ int found;
+
+ if (family) {
+ switch (family) {
+ case AF_INET:
+ *net_order++ = add_ipv4;
+ break;
+ case AF_INET6:
+ *net_order++ = add_ipv6;
+ break;
+ }
+ } else {
+ order = getenv("NET_ORDER");
+ found = 0;
+ while (order != NULL) {
+ /*
+ * We ignore any unknown names.
+ */
+ tok = lwres_strsep(&order, ":");
+ if (strcasecmp(tok, "inet6") == 0) {
+ if ((found & FOUND_IPV6) == 0)
+ *net_order++ = add_ipv6;
+ found |= FOUND_IPV6;
+ } else if (strcasecmp(tok, "inet") == 0 ||
+ strcasecmp(tok, "inet4") == 0) {
+ if ((found & FOUND_IPV4) == 0)
+ *net_order++ = add_ipv4;
+ found |= FOUND_IPV4;
+ }
+ }
+
+ /*
+ * Add in anything that we didn't find.
+ */
+ if ((found & FOUND_IPV4) == 0)
+ *net_order++ = add_ipv4;
+ if ((found & FOUND_IPV6) == 0)
+ *net_order++ = add_ipv6;
+ }
+ *net_order = NULL;
+ return;
+}
+
+static char v4_loop[4] = { 127, 0, 0, 1 };
+
+/*
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+ do { result = (code); \
+ if (result != 0) goto cleanup; \
+ } while (0)
+
+static int
+add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port)
+{
+ struct addrinfo *ai;
+ lwres_context_t *lwrctx = NULL;
+ lwres_gabnresponse_t *by = NULL;
+ lwres_addr_t *addr;
+ lwres_result_t lwres;
+ int result = 0;
+
+ lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (lwres != LWRES_R_SUCCESS)
+ ERR(EAI_FAIL);
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+ if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+ ai = ai_clone(*aip, AF_INET);
+ if (ai == NULL) {
+ lwres_freeaddrinfo(*aip);
+ ERR(EAI_MEMORY);
+ }
+
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN(ai->ai_addr)->sin_port = port;
+ memcpy(&SIN(ai->ai_addr)->sin_addr, v4_loop, 4);
+ } else {
+ lwres = lwres_getaddrsbyname(lwrctx, hostname,
+ LWRES_ADDRTYPE_V4, &by);
+ if (lwres != LWRES_R_SUCCESS) {
+ if (lwres == LWRES_R_NOTFOUND)
+ goto cleanup;
+ else
+ ERR(EAI_FAIL);
+ }
+ addr = LWRES_LIST_HEAD(by->addrs);
+ while (addr != NULL) {
+ ai = ai_clone(*aip, AF_INET);
+ if (ai == NULL) {
+ lwres_freeaddrinfo(*aip);
+ ERR(EAI_MEMORY);
+ }
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN(ai->ai_addr)->sin_port = port;
+ memcpy(&SIN(ai->ai_addr)->sin_addr,
+ addr->address, 4);
+ if (flags & AI_CANONNAME) {
+ ai->ai_canonname = strdup(by->realname);
+ if (ai->ai_canonname == NULL)
+ ERR(EAI_MEMORY);
+ }
+ addr = LWRES_LIST_NEXT(addr, link);
+ }
+ }
+ cleanup:
+ if (by != NULL)
+ lwres_gabnresponse_free(lwrctx, &by);
+ if (lwrctx != NULL) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ }
+ return (result);
+}
+
+static char v6_loop[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
+
+static int
+add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
+ int socktype, int port)
+{
+ struct addrinfo *ai;
+ lwres_context_t *lwrctx = NULL;
+ lwres_gabnresponse_t *by = NULL;
+ lwres_addr_t *addr;
+ lwres_result_t lwres;
+ int result = 0;
+
+ lwres = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (lwres != LWRES_R_SUCCESS)
+ ERR(EAI_FAIL);
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+ if (hostname == NULL && (flags & AI_PASSIVE) == 0) {
+ ai = ai_clone(*aip, AF_INET6);
+ if (ai == NULL) {
+ lwres_freeaddrinfo(*aip);
+ ERR(EAI_MEMORY);
+ }
+
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN6(ai->ai_addr)->sin6_port = port;
+ memcpy(&SIN6(ai->ai_addr)->sin6_addr, v6_loop, 16);
+ } else {
+ lwres = lwres_getaddrsbyname(lwrctx, hostname,
+ LWRES_ADDRTYPE_V6, &by);
+ if (lwres != LWRES_R_SUCCESS) {
+ if (lwres == LWRES_R_NOTFOUND)
+ goto cleanup;
+ else
+ ERR(EAI_FAIL);
+ }
+ addr = LWRES_LIST_HEAD(by->addrs);
+ while (addr != NULL) {
+ ai = ai_clone(*aip, AF_INET6);
+ if (ai == NULL) {
+ lwres_freeaddrinfo(*aip);
+ ERR(EAI_MEMORY);
+ }
+ *aip = ai;
+ ai->ai_socktype = socktype;
+ SIN6(ai->ai_addr)->sin6_port = port;
+ memcpy(&SIN6(ai->ai_addr)->sin6_addr,
+ addr->address, 16);
+ if (flags & AI_CANONNAME) {
+ ai->ai_canonname = strdup(by->realname);
+ if (ai->ai_canonname == NULL)
+ ERR(EAI_MEMORY);
+ }
+ addr = LWRES_LIST_NEXT(addr, link);
+ }
+ }
+ cleanup:
+ if (by != NULL)
+ lwres_gabnresponse_free(lwrctx, &by);
+ if (lwrctx != NULL) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ }
+ return (result);
+}
+
+void
+lwres_freeaddrinfo(struct addrinfo *ai) {
+ struct addrinfo *ai_next;
+
+ while (ai != NULL) {
+ ai_next = ai->ai_next;
+ if (ai->ai_addr != NULL)
+ free(ai->ai_addr);
+ if (ai->ai_canonname)
+ free(ai->ai_canonname);
+ free(ai);
+ ai = ai_next;
+ }
+}
+
+#ifdef AF_LOCAL
+static int
+get_local(const char *name, int socktype, struct addrinfo **res) {
+ struct addrinfo *ai;
+ struct sockaddr_un *sun;
+
+ if (socktype == 0)
+ return (EAI_SOCKTYPE);
+
+ ai = ai_alloc(AF_LOCAL, sizeof(*sun));
+ if (ai == NULL)
+ return (EAI_MEMORY);
+
+ sun = SUN(ai->ai_addr);
+ strncpy(sun->sun_path, name, sizeof(sun->sun_path));
+
+ ai->ai_socktype = socktype;
+ /*
+ * ai->ai_flags, ai->ai_protocol, ai->ai_canonname,
+ * and ai->ai_next were initialized to zero.
+ */
+
+ *res = ai;
+ return (0);
+}
+#endif
+
+/*
+ * Allocate an addrinfo structure, and a sockaddr structure
+ * of the specificed length. We initialize:
+ * ai_addrlen
+ * ai_family
+ * ai_addr
+ * ai_addr->sa_family
+ * ai_addr->sa_len (LWRES_PLATFORM_HAVESALEN)
+ * and everything else is initialized to zero.
+ */
+static struct addrinfo *
+ai_alloc(int family, int addrlen) {
+ struct addrinfo *ai;
+
+ ai = (struct addrinfo *)calloc(1, sizeof(*ai));
+ if (ai == NULL)
+ return (NULL);
+
+ ai->ai_addr = SA(calloc(1, addrlen));
+ if (ai->ai_addr == NULL) {
+ free(ai);
+ return (NULL);
+ }
+ ai->ai_addrlen = addrlen;
+ ai->ai_family = family;
+ ai->ai_addr->sa_family = family;
+#ifdef LWRES_PLATFORM_HAVESALEN
+ ai->ai_addr->sa_len = addrlen;
+#endif
+ return (ai);
+}
+
+static struct addrinfo *
+ai_clone(struct addrinfo *oai, int family) {
+ struct addrinfo *ai;
+
+ ai = ai_alloc(family, ((family == AF_INET6) ?
+ sizeof(struct sockaddr_in6) : sizeof(struct sockaddr_in)));
+
+ if (ai == NULL) {
+ lwres_freeaddrinfo(oai);
+ return (NULL);
+ }
+ if (oai == NULL)
+ return (ai);
+
+ ai->ai_flags = oai->ai_flags;
+ ai->ai_socktype = oai->ai_socktype;
+ ai->ai_protocol = oai->ai_protocol;
+ ai->ai_canonname = NULL;
+ ai->ai_next = oai;
+ return (ai);
+}
+
+static struct addrinfo *
+ai_reverse(struct addrinfo *oai) {
+ struct addrinfo *nai, *tai;
+
+ nai = NULL;
+
+ while (oai != NULL) {
+ /*
+ * Grab one off the old list.
+ */
+ tai = oai;
+ oai = oai->ai_next;
+ /*
+ * Put it on the front of the new list.
+ */
+ tai->ai_next = nai;
+ nai = tai;
+ }
+ return (nai);
+}
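Review bot: In add_ipv4 and add_ipv6, each `ai_clone(*aip, ...)` failure branch calls `lwres_freeaddrinfo(*aip)`, but ai_clone has already freed the list it was handed when ai_alloc fails, so the out-of-memory path frees the same nodes twice and leaves `*aip` dangling. The four branches should become `if (ai == NULL) { *aip = NULL; ERR(EAI_MEMORY); }`. In get_local, `strncpy(sun->sun_path, name, sizeof(sun->sun_path))` silently truncates a long path and leaves it unterminated; rejecting the name first with `if (strlen(name) >= sizeof(sun->sun_path)) return (EAI_NONAME);` (before ai_alloc) avoids both. In set_order, lwres_strsep writes NUL bytes into the string returned by `getenv("NET_ORDER")`, so later calls see only the first token; parsing a private copy would keep the environment intact.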
diff --git a/contrib/bind9/lib/lwres/gethost.c b/contrib/bind9/lib/lwres/gethost.c
new file mode 100644
index 0000000..9c362b9
--- /dev/null
+++ b/contrib/bind9/lib/lwres/gethost.c
@@ -0,0 +1,219 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: gethost.c,v 1.29.206.1 2004/03/06 08:15:30 marka Exp $ */
+
+#include <config.h>
+
+#include <errno.h>
+#include <string.h>
+
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+
+#include "assert_p.h"
+
+#define LWRES_ALIGNBYTES (sizeof(char *) - 1)
+#define LWRES_ALIGN(p) \
+ (((unsigned long)(p) + LWRES_ALIGNBYTES) &~ LWRES_ALIGNBYTES)
+
+static struct hostent *he = NULL;
+static int copytobuf(struct hostent *, struct hostent *, char *, int);
+
+struct hostent *
+lwres_gethostbyname(const char *name) {
+
+ if (he != NULL)
+ lwres_freehostent(he);
+
+ he = lwres_getipnodebyname(name, AF_INET, 0, &lwres_h_errno);
+ return (he);
+}
+
+struct hostent *
+lwres_gethostbyname2(const char *name, int af) {
+ if (he != NULL)
+ lwres_freehostent(he);
+
+ he = lwres_getipnodebyname(name, af, 0, &lwres_h_errno);
+ return (he);
+}
+
+struct hostent *
+lwres_gethostbyaddr(const char *addr, int len, int type) {
+
+ if (he != NULL)
+ lwres_freehostent(he);
+
+ he = lwres_getipnodebyaddr(addr, len, type, &lwres_h_errno);
+ return (he);
+}
+
+struct hostent *
+lwres_gethostent(void) {
+ if (he != NULL)
+ lwres_freehostent(he);
+
+ return (NULL);
+}
+
+void
+lwres_sethostent(int stayopen) {
+ /*
+ * Empty.
+ */
+ UNUSED(stayopen);
+}
+
+void
+lwres_endhostent(void) {
+ /*
+ * Empty.
+ */
+}
+
+struct hostent *
+lwres_gethostbyname_r(const char *name, struct hostent *resbuf,
+ char *buf, int buflen, int *error)
+{
+ struct hostent *he;
+ int res;
+
+ he = lwres_getipnodebyname(name, AF_INET, 0, error);
+ if (he == NULL)
+ return (NULL);
+ res = copytobuf(he, resbuf, buf, buflen);
+ lwres_freehostent(he);
+ if (res != 0) {
+ errno = ERANGE;
+ return (NULL);
+ }
+ return (resbuf);
+}
+
+struct hostent *
+lwres_gethostbyaddr_r(const char *addr, int len, int type,
+ struct hostent *resbuf, char *buf, int buflen,
+ int *error)
+{
+ struct hostent *he;
+ int res;
+
+ he = lwres_getipnodebyaddr(addr, len, type, error);
+ if (he == NULL)
+ return (NULL);
+ res = copytobuf(he, resbuf, buf, buflen);
+ lwres_freehostent(he);
+ if (res != 0) {
+ errno = ERANGE;
+ return (NULL);
+ }
+ return (resbuf);
+}
+
+struct hostent *
+lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error) {
+ UNUSED(resbuf);
+ UNUSED(buf);
+ UNUSED(buflen);
+ *error = 0;
+ return (NULL);
+}
+
+void
+lwres_sethostent_r(int stayopen) {
+ /*
+ * Empty.
+ */
+ UNUSED(stayopen);
+}
+
+void
+lwres_endhostent_r(void) {
+ /*
+ * Empty.
+ */
+}
+
+static int
+copytobuf(struct hostent *he, struct hostent *hptr, char *buf, int buflen) {
+ char *cp;
+ char **ptr;
+ int i, n;
+ int nptr, len;
+
+ /*
+ * Find out the amount of space required to store the answer.
+ */
+ nptr = 2; /* NULL ptrs */
+ len = (char *)LWRES_ALIGN(buf) - buf;
+ for (i = 0; he->h_addr_list[i]; i++, nptr++) {
+ len += he->h_length;
+ }
+ for (i = 0; he->h_aliases[i]; i++, nptr++) {
+ len += strlen(he->h_aliases[i]) + 1;
+ }
+ len += strlen(he->h_name) + 1;
+ len += nptr * sizeof(char*);
+
+ if (len > buflen) {
+ return (-1);
+ }
+
+ /*
+ * Copy address size and type.
+ */
+ hptr->h_addrtype = he->h_addrtype;
+ n = hptr->h_length = he->h_length;
+
+ ptr = (char **)LWRES_ALIGN(buf);
+ cp = (char *)LWRES_ALIGN(buf) + nptr * sizeof(char *);
+
+ /*
+ * Copy address list.
+ */
+ hptr->h_addr_list = ptr;
+ for (i = 0; he->h_addr_list[i]; i++, ptr++) {
+ memcpy(cp, he->h_addr_list[i], n);
+ hptr->h_addr_list[i] = cp;
+ cp += n;
+ }
+ hptr->h_addr_list[i] = NULL;
+ ptr++;
+
+ /*
+ * Copy official name.
+ */
+ n = strlen(he->h_name) + 1;
+ strcpy(cp, he->h_name);
+ hptr->h_name = cp;
+ cp += n;
+
+ /*
+ * Copy aliases.
+ */
+ hptr->h_aliases = ptr;
+ for (i = 0; he->h_aliases[i]; i++) {
+ n = strlen(he->h_aliases[i]) + 1;
+ strcpy(cp, he->h_aliases[i]);
+ hptr->h_aliases[i] = cp;
+ cp += n;
+ }
+ hptr->h_aliases[i] = NULL;
+
+ return (0);
+}
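Review bot: lwres_gethostent() frees the file-static `he` but leaves the pointer set, so the next call to lwres_gethostbyname(), lwres_gethostbyname2(), lwres_gethostbyaddr() or lwres_gethostent() itself passes the already-freed hostent to lwres_freehostent() a second time. The three lookup functions avoid this only because they overwrite `he` straight after the free. Clearing the pointer in lwres_gethostent() closes the double free: `if (he != NULL) { lwres_freehostent(he); he = NULL; }`. A short comment next to `static struct hostent *he` noting that the non-`_r` entry points share this buffer and are not reentrant would also help callers.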
diff --git a/contrib/bind9/lib/lwres/getipnode.c b/contrib/bind9/lib/lwres/getipnode.c
new file mode 100644
index 0000000..5bda15e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/getipnode.c
@@ -0,0 +1,1026 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getipnode.c,v 1.30.2.4.2.4 2004/03/06 08:15:31 marka Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h> /* XXX #include <netdb.h> */
+
+#include "assert_p.h"
+
+#ifndef INADDRSZ
+#define INADDRSZ 4
+#endif
+#ifndef IN6ADDRSZ
+#define IN6ADDRSZ 16
+#endif
+
+#ifdef LWRES_PLATFORM_NEEDIN6ADDRANY
+LIBLWRES_EXTERNAL_DATA const struct in6_addr in6addr_any = IN6ADDR_ANY_INIT;
+#endif
+
+#ifndef IN6_IS_ADDR_V4COMPAT
+static const unsigned char in6addr_compat[12] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+#define IN6_IS_ADDR_V4COMPAT(x) (!memcmp((x)->s6_addr, in6addr_compat, 12) && \
+ ((x)->s6_addr[12] != 0 || \
+ (x)->s6_addr[13] != 0 || \
+ (x)->s6_addr[14] != 0 || \
+ ((x)->s6_addr[15] != 0 && \
+ (x)->s6_addr[15] != 1)))
+#endif
+#ifndef IN6_IS_ADDR_V4MAPPED
+#define IN6_IS_ADDR_V4MAPPED(x) (!memcmp((x)->s6_addr, in6addr_mapped, 12))
+#endif
+
+static const unsigned char in6addr_mapped[12] = {
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff
+};
+
+/***
+ *** Forward declarations.
+ ***/
+
+static int
+scan_interfaces(int *, int *);
+
+static struct hostent *
+copyandmerge(struct hostent *, struct hostent *, int, int *);
+
+static struct hostent *
+hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src);
+
+static struct hostent *
+hostfromname(lwres_gabnresponse_t *name, int af);
+
+/***
+ *** Public functions.
+ ***/
+
+/*
+ * AI_V4MAPPED + AF_INET6
+ * If no IPv6 address then a query for IPv4 and map returned values.
+ *
+ * AI_ALL + AI_V4MAPPED + AF_INET6
+ * Return IPv6 and IPv4 mapped.
+ *
+ * AI_ADDRCONFIG
+ * Only return IPv6 / IPv4 address if there is an interface of that
+ * type active.
+ */
+
+struct hostent *
+lwres_getipnodebyname(const char *name, int af, int flags, int *error_num) {
+ int have_v4 = 1, have_v6 = 1;
+ struct in_addr in4;
+ struct in6_addr in6;
+ struct hostent he, *he1 = NULL, *he2 = NULL, *he3 = NULL;
+ int v4 = 0, v6 = 0;
+ int tmp_err;
+ lwres_context_t *lwrctx = NULL;
+ lwres_gabnresponse_t *by = NULL;
+ int n;
+
+ /*
+ * If we care about active interfaces then check.
+ */
+ if ((flags & AI_ADDRCONFIG) != 0)
+ if (scan_interfaces(&have_v4, &have_v6) == -1) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ /* Check for literal address. */
+ if ((v4 = lwres_net_pton(AF_INET, name, &in4)) != 1)
+ v6 = lwres_net_pton(AF_INET6, name, &in6);
+
+ /*
+ * Impossible combination?
+ */
+ if ((af == AF_INET6 && (flags & AI_V4MAPPED) == 0 && v4 == 1) ||
+ (af == AF_INET && v6 == 1) ||
+ (have_v4 == 0 && v4 == 1) ||
+ (have_v6 == 0 && v6 == 1) ||
+ (have_v4 == 0 && af == AF_INET) ||
+ (have_v6 == 0 && af == AF_INET6 &&
+ (((flags & AI_V4MAPPED) != 0 && have_v4) ||
+ (flags & AI_V4MAPPED) == 0))) {
+ *error_num = HOST_NOT_FOUND;
+ return (NULL);
+ }
+
+ /*
+ * Literal address?
+ */
+ if (v4 == 1 || v6 == 1) {
+ char *addr_list[2];
+ char *aliases[1];
+ char mappedname[sizeof("::ffff:123.123.123.123")];
+ union {
+ const char *const_name;
+ char *deconst_name;
+ } u;
+
+ u.const_name = name;
+ if (v4 == 1 && af == AF_INET6) {
+ strcpy(mappedname, "::ffff:");
+ lwres_net_ntop(AF_INET, (char *)&in4,
+ mappedname + sizeof("::ffff:") - 1,
+ sizeof(mappedname) - sizeof("::ffff:")
+ + 1);
+ he.h_name = mappedname;
+ } else
+ he.h_name = u.deconst_name;
+ he.h_addr_list = addr_list;
+ he.h_addr_list[0] = (v4 == 1) ? (char *)&in4 : (char *)&in6;
+ he.h_addr_list[1] = NULL;
+ he.h_aliases = aliases;
+ he.h_aliases[0] = NULL;
+ he.h_length = (v4 == 1) ? INADDRSZ : IN6ADDRSZ;
+ he.h_addrtype = (v4 == 1) ? AF_INET : AF_INET6;
+ return (copyandmerge(&he, NULL, af, error_num));
+ }
+
+ n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (n != 0) {
+ *error_num = NO_RECOVERY;
+ goto cleanup;
+ }
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+ tmp_err = NO_RECOVERY;
+ if (have_v6 && af == AF_INET6) {
+
+ n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V6, &by);
+ if (n == 0) {
+ he1 = hostfromname(by, AF_INET6);
+ lwres_gabnresponse_free(lwrctx, &by);
+ if (he1 == NULL) {
+ *error_num = NO_RECOVERY;
+ goto cleanup;
+ }
+ } else {
+ tmp_err = HOST_NOT_FOUND;
+ }
+ }
+
+ if (have_v4 &&
+ ((af == AF_INET) ||
+ (af == AF_INET6 && (flags & AI_V4MAPPED) != 0 &&
+ (he1 == NULL || (flags & AI_ALL) != 0)))) {
+ n = lwres_getaddrsbyname(lwrctx, name, LWRES_ADDRTYPE_V4, &by);
+ if (n == 0) {
+ he2 = hostfromname(by, AF_INET);
+ lwres_gabnresponse_free(lwrctx, &by);
+ if (he2 == NULL) {
+ *error_num = NO_RECOVERY;
+ goto cleanup;
+ }
+ } else if (he1 == NULL) {
+ if (n == LWRES_R_NOTFOUND)
+ *error_num = HOST_NOT_FOUND;
+ else
+ *error_num = NO_RECOVERY;
+ goto cleanup;
+ }
+ } else
+ *error_num = tmp_err;
+
+ he3 = copyandmerge(he1, he2, af, error_num);
+
+ cleanup:
+ if (he1 != NULL)
+ lwres_freehostent(he1);
+ if (he2 != NULL)
+ lwres_freehostent(he2);
+ if (lwrctx != NULL) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ }
+ return (he3);
+}
+
+struct hostent *
+lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num) {
+ struct hostent *he1, *he2;
+ lwres_context_t *lwrctx = NULL;
+ lwres_gnbaresponse_t *by = NULL;
+ lwres_result_t n;
+ union {
+ const void *konst;
+ struct in6_addr *in6;
+ } u;
+
+ /*
+ * Sanity checks.
+ */
+ if (src == NULL) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ switch (af) {
+ case AF_INET:
+ if (len != (unsigned int)INADDRSZ) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+ break;
+ case AF_INET6:
+ if (len != (unsigned int)IN6ADDRSZ) {
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+ break;
+ default:
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+
+ /*
+ * The de-"const"-ing game is done because at least one
+ * vendor's system (RedHat 6.0) defines the IN6_IS_ADDR_*
+ * macros in such a way that they discard the const with
+ * internal casting, and gcc ends up complaining. Rather
+ * than replacing their own (possibly optimized) definitions
+ * with our own, cleanly discarding the const is the easiest
+ * thing to do.
+ */
+ u.konst = src;
+
+ /*
+ * Look up IPv4 and IPv4 mapped/compatible addresses.
+ */
+ if ((af == AF_INET6 && IN6_IS_ADDR_V4COMPAT(u.in6)) ||
+ (af == AF_INET6 && IN6_IS_ADDR_V4MAPPED(u.in6)) ||
+ (af == AF_INET)) {
+ const unsigned char *cp = src;
+
+ if (af == AF_INET6)
+ cp += 12;
+ n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (n == LWRES_R_SUCCESS)
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+ if (n == LWRES_R_SUCCESS)
+ n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V4,
+ INADDRSZ, cp, &by);
+ if (n != LWRES_R_SUCCESS) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ if (n == LWRES_R_NOTFOUND)
+ *error_num = HOST_NOT_FOUND;
+ else
+ *error_num = NO_RECOVERY;
+ return (NULL);
+ }
+ he1 = hostfromaddr(by, AF_INET, cp);
+ lwres_gnbaresponse_free(lwrctx, &by);
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ if (af != AF_INET6)
+ return (he1);
+
+ /*
+ * Convert from AF_INET to AF_INET6.
+ */
+ he2 = copyandmerge(he1, NULL, af, error_num);
+ lwres_freehostent(he1);
+ if (he2 == NULL)
+ return (NULL);
+ /*
+ * Restore original address.
+ */
+ memcpy(he2->h_addr, src, len);
+ return (he2);
+ }
+
+ /*
+ * Lookup IPv6 address.
+ */
+ if (memcmp(src, &in6addr_any, IN6ADDRSZ) == 0) {
+ *error_num = HOST_NOT_FOUND;
+ return (NULL);
+ }
+
+ n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (n == LWRES_R_SUCCESS)
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+ if (n == LWRES_R_SUCCESS)
+ n = lwres_getnamebyaddr(lwrctx, LWRES_ADDRTYPE_V6, IN6ADDRSZ,
+ src, &by);
+ if (n != 0) {
+ *error_num = HOST_NOT_FOUND;
+ return (NULL);
+ }
+ he1 = hostfromaddr(by, AF_INET6, src);
+ lwres_gnbaresponse_free(lwrctx, &by);
+ if (he1 == NULL)
+ *error_num = NO_RECOVERY;
+ lwres_context_destroy(&lwrctx);
+ return (he1);
+}
+
+void
+lwres_freehostent(struct hostent *he) {
+ char **cpp;
+ int names = 1;
+ int addresses = 1;
+
+ free(he->h_name);
+
+ cpp = he->h_addr_list;
+ while (*cpp != NULL) {
+ free(*cpp);
+ *cpp = NULL;
+ cpp++;
+ addresses++;
+ }
+
+ cpp = he->h_aliases;
+ while (*cpp != NULL) {
+ free(*cpp);
+ cpp++;
+ names++;
+ }
+
+ free(he->h_aliases);
+ free(he->h_addr_list);
+ free(he);
+}
+
+/*
+ * Private
+ */
+
+/*
+ * Scan the interface table and set have_v4 and have_v6 depending
+ * upon whether there are IPv4 and IPv6 interface addresses.
+ *
+ * Returns:
+ * 0 on success
+ * -1 on failure.
+ */
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+ !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+
+#ifdef __hpux
+#define lifc_len iflc_len
+#define lifc_buf iflc_buf
+#define lifc_req iflc_req
+#define LIFCONF if_laddrconf
+#else
+#define ISC_HAVE_LIFC_FAMILY 1
+#define ISC_HAVE_LIFC_FLAGS 1
+#define LIFCONF lifconf
+#endif
+
+#ifdef __hpux
+#define lifr_addr iflr_addr
+#define lifr_name iflr_name
+#define lifr_dstaddr iflr_dstaddr
+#define lifr_flags iflr_flags
+#define ss_family sa_family
+#define LIFREQ if_laddrreq
+#else
+#define LIFREQ lifreq
+#endif
+
+static int
+scan_interfaces6(int *have_v4, int *have_v6) {
+ struct LIFCONF lifc;
+ struct LIFREQ lifreq;
+ struct in_addr in4;
+ struct in6_addr in6;
+ char *buf = NULL, *cp, *cplim;
+ static unsigned int bufsiz = 4095;
+ int s, cpsize, n;
+
+ /*
+ * Set to zero. Used as loop terminators below.
+ */
+ *have_v4 = *have_v6 = 0;
+
+ /*
+ * Get interface list from system.
+ */
+ if ((s = socket(AF_INET6, SOCK_DGRAM, 0)) == -1)
+ goto err_ret;
+
+ /*
+ * Grow buffer until large enough to contain all interface
+ * descriptions.
+ */
+ for (;;) {
+ buf = malloc(bufsiz);
+ if (buf == NULL)
+ goto err_ret;
+#ifdef ISC_HAVE_LIFC_FAMILY
+ lifc.lifc_family = AF_UNSPEC; /* request all families */
+#endif
+#ifdef ISC_HAVE_LIFC_FLAGS
+ lifc.lifc_flags = 0;
+#endif
+ lifc.lifc_len = bufsiz;
+ lifc.lifc_buf = buf;
+ if ((n = ioctl(s, SIOCGLIFCONF, (char *)&lifc)) != -1) {
+ /*
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * lifc.lifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (lifc.lifc_len + 2 * sizeof(lifreq) < bufsiz)
+ break;
+ }
+ if ((n == -1) && errno != EINVAL)
+ goto err_ret;
+
+ if (bufsiz > 1000000)
+ goto err_ret;
+
+ free(buf);
+ bufsiz += 4096;
+ }
+
+ /*
+ * Parse system's interface list.
+ */
+ cplim = buf + lifc.lifc_len; /* skip over if's with big ifr_addr's */
+ for (cp = buf;
+ (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+ cp += cpsize) {
+ memcpy(&lifreq, cp, sizeof(lifreq));
+#ifdef LWRES_PLATFORM_HAVESALEN
+#ifdef FIX_ZERO_SA_LEN
+ if (lifreq.lifr_addr.sa_len == 0)
+ lifreq.lifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+ cpsize = sizeof(lifreq);
+ if (lifreq.lifr_addr.sa_len > sizeof(struct sockaddr))
+ cpsize += (int)lifreq.lifr_addr.sa_len -
+ (int)(sizeof(struct sockaddr));
+#else
+ cpsize = sizeof(lifreq.lifr_name) + lifreq.lifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+#elif defined SIOCGIFCONF_ADDR
+ cpsize = sizeof(lifreq);
+#else
+ cpsize = sizeof(lifreq.lifr_name);
+ /* XXX maybe this should be a hard error? */
+ if (ioctl(s, SIOCGLIFADDR, (char *)&lifreq) < 0)
+ continue;
+#endif
+ switch (lifreq.lifr_addr.ss_family) {
+ case AF_INET:
+ if (*have_v4 == 0) {
+ memcpy(&in4,
+ &((struct sockaddr_in *)
+ &lifreq.lifr_addr)->sin_addr,
+ sizeof(in4));
+ if (in4.s_addr == INADDR_ANY)
+ break;
+ n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+ if (n < 0)
+ break;
+ if ((lifreq.lifr_flags & IFF_UP) == 0)
+ break;
+ *have_v4 = 1;
+ }
+ break;
+ case AF_INET6:
+ if (*have_v6 == 0) {
+ memcpy(&in6,
+ &((struct sockaddr_in6 *)
+ &lifreq.lifr_addr)->sin6_addr,
+ sizeof(in6));
+ if (memcmp(&in6, &in6addr_any,
+ sizeof(in6)) == 0)
+ break;
+ n = ioctl(s, SIOCGLIFFLAGS, (char *)&lifreq);
+ if (n < 0)
+ break;
+ if ((lifreq.lifr_flags & IFF_UP) == 0)
+ break;
+ *have_v6 = 1;
+ }
+ break;
+ }
+ }
+ if (buf != NULL)
+ free(buf);
+ close(s);
+ return (0);
+ err_ret:
+ if (buf != NULL)
+ free(buf);
+ if (s != -1)
+ close(s);
+ return (-1);
+}
+#endif
+
+static int
+scan_interfaces(int *have_v4, int *have_v6) {
+#if !defined(SIOCGIFCONF) || !defined(SIOCGIFADDR)
+ *have_v4 = *have_v6 = 1;
+ return (0);
+#else
+ struct ifconf ifc;
+ union {
+ char _pad[256]; /* leave space for IPv6 addresses */
+ struct ifreq ifreq;
+ } u;
+ struct in_addr in4;
+ struct in6_addr in6;
+ char *buf = NULL, *cp, *cplim;
+ static unsigned int bufsiz = 4095;
+ int s, n;
+ size_t cpsize;
+
+#if defined(SIOCGLIFCONF) && defined(SIOCGLIFADDR) && \
+ !defined(IRIX_EMUL_IOCTL_SIOCGIFCONF)
+ /*
+ * Try to scan the interfaces using IPv6 ioctls().
+ */
+ if (!scan_interfaces6(have_v4, have_v6))
+ return (0);
+#endif
+
+ /*
+ * Set to zero. Used as loop terminators below.
+ */
+ *have_v4 = *have_v6 = 0;
+
+ /*
+ * Get interface list from system.
+ */
+ if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+ goto err_ret;
+
+ /*
+ * Grow buffer until large enough to contain all interface
+ * descriptions.
+ */
+ for (;;) {
+ buf = malloc(bufsiz);
+ if (buf == NULL)
+ goto err_ret;
+ ifc.ifc_len = bufsiz;
+ ifc.ifc_buf = buf;
+#ifdef IRIX_EMUL_IOCTL_SIOCGIFCONF
+ /*
+ * This is a fix for IRIX OS in which the call to ioctl with
+ * the flag SIOCGIFCONF may not return an entry for all the
+ * interfaces like most flavors of Unix.
+ */
+ if (emul_ioctl(&ifc) >= 0)
+ break;
+#else
+ if ((n = ioctl(s, SIOCGIFCONF, (char *)&ifc)) != -1) {
+ /*
+ * Some OS's just return what will fit rather
+ * than set EINVAL if the buffer is too small
+ * to fit all the interfaces in. If
+ * ifc.ifc_len is too near to the end of the
+ * buffer we will grow it just in case and
+ * retry.
+ */
+ if (ifc.ifc_len + 2 * sizeof(u.ifreq) < bufsiz)
+ break;
+ }
+#endif
+ if ((n == -1) && errno != EINVAL)
+ goto err_ret;
+
+ if (bufsiz > 1000000)
+ goto err_ret;
+
+ free(buf);
+ bufsiz += 4096;
+ }
+
+ /*
+ * Parse system's interface list.
+ */
+ cplim = buf + ifc.ifc_len; /* skip over if's with big ifr_addr's */
+ for (cp = buf;
+ (*have_v4 == 0 || *have_v6 == 0) && cp < cplim;
+ cp += cpsize) {
+ memcpy(&u.ifreq, cp, sizeof(u.ifreq));
+#ifdef LWRES_PLATFORM_HAVESALEN
+#ifdef FIX_ZERO_SA_LEN
+ if (u.ifreq.ifr_addr.sa_len == 0)
+ u.ifreq.ifr_addr.sa_len = 16;
+#endif
+#ifdef HAVE_MINIMUM_IFREQ
+ cpsize = sizeof(u.ifreq);
+ if (u.ifreq.ifr_addr.sa_len > sizeof(struct sockaddr))
+ cpsize += (int)u.ifreq.ifr_addr.sa_len -
+ (int)(sizeof(struct sockaddr));
+#else
+ cpsize = sizeof(u.ifreq.ifr_name) + u.ifreq.ifr_addr.sa_len;
+#endif /* HAVE_MINIMUM_IFREQ */
+ if (cpsize > sizeof(u.ifreq) && cpsize <= sizeof(u))
+ memcpy(&u.ifreq, cp, cpsize);
+#elif defined SIOCGIFCONF_ADDR
+ cpsize = sizeof(u.ifreq);
+#else
+ cpsize = sizeof(u.ifreq.ifr_name);
+ /* XXX maybe this should be a hard error? */
+ if (ioctl(s, SIOCGIFADDR, (char *)&u.ifreq) < 0)
+ continue;
+#endif
+ switch (u.ifreq.ifr_addr.sa_family) {
+ case AF_INET:
+ if (*have_v4 == 0) {
+ memcpy(&in4,
+ &((struct sockaddr_in *)
+ &u.ifreq.ifr_addr)->sin_addr,
+ sizeof(in4));
+ if (in4.s_addr == INADDR_ANY)
+ break;
+ n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+ if (n < 0)
+ break;
+ if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+ break;
+ *have_v4 = 1;
+ }
+ break;
+ case AF_INET6:
+ if (*have_v6 == 0) {
+ memcpy(&in6,
+ &((struct sockaddr_in6 *)
+ &u.ifreq.ifr_addr)->sin6_addr,
+ sizeof(in6));
+ if (memcmp(&in6, &in6addr_any,
+ sizeof(in6)) == 0)
+ break;
+ n = ioctl(s, SIOCGIFFLAGS, (char *)&u.ifreq);
+ if (n < 0)
+ break;
+ if ((u.ifreq.ifr_flags & IFF_UP) == 0)
+ break;
+ *have_v6 = 1;
+ }
+ break;
+ }
+ }
+ if (buf != NULL)
+ free(buf);
+ close(s);
+ return (0);
+ err_ret:
+ if (buf != NULL)
+ free(buf);
+ if (s != -1)
+ close(s);
+ return (-1);
+#endif
+}
+
+static struct hostent *
+copyandmerge(struct hostent *he1, struct hostent *he2, int af, int *error_num)
+{
+ struct hostent *he = NULL;
+ int addresses = 1; /* NULL terminator */
+ int names = 1; /* NULL terminator */
+ int len = 0;
+ char **cpp, **npp;
+
+ /*
+ * Work out array sizes.
+ */
+ if (he1 != NULL) {
+ cpp = he1->h_addr_list;
+ while (*cpp != NULL) {
+ addresses++;
+ cpp++;
+ }
+ cpp = he1->h_aliases;
+ while (*cpp != NULL) {
+ names++;
+ cpp++;
+ }
+ }
+
+ if (he2 != NULL) {
+ cpp = he2->h_addr_list;
+ while (*cpp != NULL) {
+ addresses++;
+ cpp++;
+ }
+ if (he1 == NULL) {
+ cpp = he2->h_aliases;
+ while (*cpp != NULL) {
+ names++;
+ cpp++;
+ }
+ }
+ }
+
+ if (addresses == 1) {
+ *error_num = NO_ADDRESS;
+ return (NULL);
+ }
+
+ he = malloc(sizeof(*he));
+ if (he == NULL)
+ goto no_recovery;
+
+ he->h_addr_list = malloc(sizeof(char *) * (addresses));
+ if (he->h_addr_list == NULL)
+ goto cleanup0;
+ memset(he->h_addr_list, 0, sizeof(char *) * (addresses));
+
+ /*
+ * Copy addresses.
+ */
+ npp = he->h_addr_list;
+ if (he1 != NULL) {
+ cpp = he1->h_addr_list;
+ while (*cpp != NULL) {
+ *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ if (*npp == NULL)
+ goto cleanup1;
+ /*
+ * Convert to mapped if required.
+ */
+ if (af == AF_INET6 && he1->h_addrtype == AF_INET) {
+ memcpy(*npp, in6addr_mapped,
+ sizeof(in6addr_mapped));
+ memcpy(*npp + sizeof(in6addr_mapped), *cpp,
+ INADDRSZ);
+ } else {
+ memcpy(*npp, *cpp,
+ (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ }
+ cpp++;
+ npp++;
+ }
+ }
+
+ if (he2 != NULL) {
+ cpp = he2->h_addr_list;
+ while (*cpp != NULL) {
+ *npp = malloc((af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ if (*npp == NULL)
+ goto cleanup1;
+ /*
+ * Convert to mapped if required.
+ */
+ if (af == AF_INET6 && he2->h_addrtype == AF_INET) {
+ memcpy(*npp, in6addr_mapped,
+ sizeof(in6addr_mapped));
+ memcpy(*npp + sizeof(in6addr_mapped), *cpp,
+ INADDRSZ);
+ } else {
+ memcpy(*npp, *cpp,
+ (af == AF_INET) ? INADDRSZ : IN6ADDRSZ);
+ }
+ cpp++;
+ npp++;
+ }
+ }
+
+ he->h_aliases = malloc(sizeof(char *) * (names));
+ if (he->h_aliases == NULL)
+ goto cleanup1;
+ memset(he->h_aliases, 0, sizeof(char *) * (names));
+
+ /*
+ * Copy aliases.
+ */
+ npp = he->h_aliases;
+ cpp = (he1 != NULL) ? he1->h_aliases : he2->h_aliases;
+ while (*cpp != NULL) {
+ len = strlen (*cpp) + 1;
+ *npp = malloc(len);
+ if (*npp == NULL)
+ goto cleanup2;
+ strcpy(*npp, *cpp);
+ npp++;
+ cpp++;
+ }
+
+ /*
+ * Copy hostname.
+ */
+ he->h_name = malloc(strlen((he1 != NULL) ?
+ he1->h_name : he2->h_name) + 1);
+ if (he->h_name == NULL)
+ goto cleanup2;
+ strcpy(he->h_name, (he1 != NULL) ? he1->h_name : he2->h_name);
+
+ /*
+ * Set address type and length.
+ */
+ he->h_addrtype = af;
+ he->h_length = (af == AF_INET) ? INADDRSZ : IN6ADDRSZ;
+ return (he);
+
+ cleanup2:
+ cpp = he->h_aliases;
+ while (*cpp != NULL) {
+ free(*cpp);
+ cpp++;
+ }
+ free(he->h_aliases);
+
+ cleanup1:
+ cpp = he->h_addr_list;
+ while (*cpp != NULL) {
+ free(*cpp);
+ *cpp = NULL;
+ cpp++;
+ }
+ free(he->h_addr_list);
+
+ cleanup0:
+ free(he);
+
+ no_recovery:
+ *error_num = NO_RECOVERY;
+ return (NULL);
+}
+
+static struct hostent *
+hostfromaddr(lwres_gnbaresponse_t *addr, int af, const void *src) {
+ struct hostent *he;
+ int i;
+
+ he = malloc(sizeof(*he));
+ if (he == NULL)
+ goto cleanup;
+ memset(he, 0, sizeof(*he));
+
+ /*
+ * Set family and length.
+ */
+ he->h_addrtype = af;
+ switch (af) {
+ case AF_INET:
+ he->h_length = INADDRSZ;
+ break;
+ case AF_INET6:
+ he->h_length = IN6ADDRSZ;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ /*
+ * Copy name.
+ */
+ he->h_name = strdup(addr->realname);
+ if (he->h_name == NULL)
+ goto cleanup;
+
+ /*
+ * Copy aliases.
+ */
+ he->h_aliases = malloc(sizeof(char *) * (addr->naliases + 1));
+ if (he->h_aliases == NULL)
+ goto cleanup;
+ for (i = 0; i < addr->naliases; i++) {
+ he->h_aliases[i] = strdup(addr->aliases[i]);
+ if (he->h_aliases[i] == NULL)
+ goto cleanup;
+ }
+ he->h_aliases[i] = NULL;
+
+ /*
+ * Copy address.
+ */
+ he->h_addr_list = malloc(sizeof(char *) * 2);
+ if (he->h_addr_list == NULL)
+ goto cleanup;
+ he->h_addr_list[0] = malloc(he->h_length);
+ if (he->h_addr_list[0] == NULL)
+ goto cleanup;
+ memcpy(he->h_addr_list[0], src, he->h_length);
+ he->h_addr_list[1] = NULL;
+ return (he);
+
+ cleanup:
+ if (he != NULL && he->h_addr_list != NULL) {
+ for (i = 0; he->h_addr_list[i] != NULL; i++)
+ free(he->h_addr_list[i]);
+ free(he->h_addr_list);
+ }
+ if (he != NULL && he->h_aliases != NULL) {
+ for (i = 0; he->h_aliases[i] != NULL; i++)
+ free(he->h_aliases[i]);
+ free(he->h_aliases);
+ }
+ if (he != NULL && he->h_name != NULL)
+ free(he->h_name);
+ if (he != NULL)
+ free(he);
+ return (NULL);
+}
+
+static struct hostent *
+hostfromname(lwres_gabnresponse_t *name, int af) {
+ struct hostent *he;
+ int i;
+ lwres_addr_t *addr;
+
+ he = malloc(sizeof(*he));
+ if (he == NULL)
+ goto cleanup;
+ memset(he, 0, sizeof(*he));
+
+ /*
+ * Set family and length.
+ */
+ he->h_addrtype = af;
+ switch (af) {
+ case AF_INET:
+ he->h_length = INADDRSZ;
+ break;
+ case AF_INET6:
+ he->h_length = IN6ADDRSZ;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ /*
+ * Copy name.
+ */
+ he->h_name = strdup(name->realname);
+ if (he->h_name == NULL)
+ goto cleanup;
+
+ /*
+ * Copy aliases.
+ */
+ he->h_aliases = malloc(sizeof(char *) * (name->naliases + 1));
+ for (i = 0; i < name->naliases; i++) {
+ he->h_aliases[i] = strdup(name->aliases[i]);
+ if (he->h_aliases[i] == NULL)
+ goto cleanup;
+ }
+ he->h_aliases[i] = NULL;
+
+ /*
+ * Copy addresses.
+ */
+ he->h_addr_list = malloc(sizeof(char *) * (name->naddrs + 1));
+ addr = LWRES_LIST_HEAD(name->addrs);
+ i = 0;
+ while (addr != NULL) {
+ he->h_addr_list[i] = malloc(he->h_length);
+ if (he->h_addr_list[i] == NULL)
+ goto cleanup;
+ memcpy(he->h_addr_list[i], addr->address, he->h_length);
+ addr = LWRES_LIST_NEXT(addr, link);
+ i++;
+ }
+ he->h_addr_list[i] = NULL;
+ return (he);
+
+ cleanup:
+ if (he != NULL && he->h_addr_list != NULL) {
+ for (i = 0; he->h_addr_list[i] != NULL; i++)
+ free(he->h_addr_list[i]);
+ free(he->h_addr_list);
+ }
+ if (he != NULL && he->h_aliases != NULL) {
+ for (i = 0; he->h_aliases[i] != NULL; i++)
+ free(he->h_aliases[i]);
+ free(he->h_aliases);
+ }
+ if (he != NULL && he->h_name != NULL)
+ free(he->h_name);
+ if (he != NULL)
+ free(he);
+ return (NULL);
+}
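Review bot: The IPv6 branch at the end of lwres_getipnodebyaddr() returns on `n != 0` without destroying `lwrctx`, so every failed IPv6 reverse lookup leaks the resolver context. The IPv4 branch above it does clean up on the same condition. The IPv6 success path also skips the lwres_conf_clear() call that the IPv4 branch and lwres_getipnodebyname() make before lwres_context_destroy(); whether that leaks parsed configuration depends on lwres_conf_clear(), which is not shown here. The cleanup should be guarded on `lwrctx != NULL`, since lwres_context_create() may have failed, and the IPv4 branch currently calls lwres_conf_clear(lwrctx) unguarded in that case. Separately, hostfromname() writes through `he->h_aliases` and `he->h_addr_list` without checking either malloc() result, unlike hostfromaddr(), so each needs an `if (... == NULL) goto cleanup;`.

```c
	/* … unchanged: lwres_context_create(), lwres_conf_parse(), lwres_getnamebyaddr(LWRES_ADDRTYPE_V6) … */
	if (n != 0) {
		/* lwrctx is still NULL when lwres_context_create() failed. */
		if (lwrctx != NULL) {
			lwres_conf_clear(lwrctx);
			lwres_context_destroy(&lwrctx);
		}
		*error_num = HOST_NOT_FOUND;
		return (NULL);
	}
	he1 = hostfromaddr(by, AF_INET6, src);
	lwres_gnbaresponse_free(lwrctx, &by);
	if (he1 == NULL)
		*error_num = NO_RECOVERY;
	/* Match the IPv4 branch: clear parsed config before destroying. */
	lwres_conf_clear(lwrctx);
	lwres_context_destroy(&lwrctx);
	return (he1);
```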
diff --git a/contrib/bind9/lib/lwres/getnameinfo.c b/contrib/bind9/lib/lwres/getnameinfo.c
new file mode 100644
index 0000000..059c529
--- /dev/null
+++ b/contrib/bind9/lib/lwres/getnameinfo.c
@@ -0,0 +1,286 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getnameinfo.c,v 1.30.2.3.2.4 2004/08/28 06:25:24 marka Exp $ */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * XXX
+ * Issues to be discussed:
+ * - Return values. There seems to be no standard for return value (RFC2553)
+ * but INRIA implementation returns EAI_xxx defined for getaddrinfo().
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h>
+#include "print_p.h"
+
+#include "assert_p.h"
+
+#define SUCCESS 0
+
+static struct afd {
+ int a_af;
+ size_t a_addrlen;
+ size_t a_socklen;
+} afdl [] = {
+ /*
+ * First entry is linked last...
+ */
+ { AF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in) },
+ { AF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6) },
+ {0, 0, 0},
+};
+
+#define ENI_NOSERVNAME 1
+#define ENI_NOHOSTNAME 2
+#define ENI_MEMORY 3
+#define ENI_SYSTEM 4
+#define ENI_FAMILY 5
+#define ENI_SALEN 6
+#define ENI_NOSOCKET 7
+
+/*
+ * The test against 0 is there to keep the Solaris compiler
+ * from complaining about "end-of-loop code not reached".
+ */
+#define ERR(code) \
+ do { result = (code); \
+ if (result != 0) goto cleanup; \
+ } while (0)
+
+int
+lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host,
+ size_t hostlen, char *serv, size_t servlen, int flags)
+{
+ struct afd *afd;
+ struct servent *sp;
+ unsigned short port;
+#ifdef LWRES_PLATFORM_HAVESALEN
+ size_t len;
+#endif
+ int family, i;
+ const void *addr;
+ char *p;
+#if 0
+ unsigned long v4a;
+ unsigned char pfx;
+#endif
+ char numserv[sizeof("65000")];
+ char numaddr[sizeof("abcd:abcd:abcd:abcd:abcd:abcd:255.255.255.255")
+ + 1 + sizeof("4294967295")];
+ const char *proto;
+ lwres_uint32_t lwf = 0;
+ lwres_context_t *lwrctx = NULL;
+ lwres_gnbaresponse_t *by = NULL;
+ int result = SUCCESS;
+ int n;
+
+ if (sa == NULL)
+ ERR(ENI_NOSOCKET);
+
+#ifdef LWRES_PLATFORM_HAVESALEN
+ len = sa->sa_len;
+ if (len != salen)
+ ERR(ENI_SALEN);
+#endif
+
+ family = sa->sa_family;
+ for (i = 0; afdl[i].a_af; i++)
+ if (afdl[i].a_af == family) {
+ afd = &afdl[i];
+ goto found;
+ }
+ ERR(ENI_FAMILY);
+
+ found:
+ if (salen != afd->a_socklen)
+ ERR(ENI_SALEN);
+
+ switch (family) {
+ case AF_INET:
+ port = ((const struct sockaddr_in *)sa)->sin_port;
+ addr = &((const struct sockaddr_in *)sa)->sin_addr.s_addr;
+ break;
+
+ case AF_INET6:
+ port = ((const struct sockaddr_in6 *)sa)->sin6_port;
+ addr = ((const struct sockaddr_in6 *)sa)->sin6_addr.s6_addr;
+ break;
+
+ default:
+ port = 0;
+ addr = NULL;
+ INSIST(0);
+ }
+ proto = (flags & NI_DGRAM) ? "udp" : "tcp";
+
+ if (serv == NULL || servlen == 0U) {
+ /*
+ * Caller does not want service.
+ */
+ } else if ((flags & NI_NUMERICSERV) != 0 ||
+ (sp = getservbyport(port, proto)) == NULL) {
+ snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
+ if ((strlen(numserv) + 1) > servlen)
+ ERR(ENI_MEMORY);
+ strcpy(serv, numserv);
+ } else {
+ if ((strlen(sp->s_name) + 1) > servlen)
+ ERR(ENI_MEMORY);
+ strcpy(serv, sp->s_name);
+ }
+
+#if 0
+ switch (sa->sa_family) {
+ case AF_INET:
+ v4a = ((struct sockaddr_in *)sa)->sin_addr.s_addr;
+ if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
+ flags |= NI_NUMERICHOST;
+ v4a >>= IN_CLASSA_NSHIFT;
+ if (v4a == 0 || v4a == IN_LOOPBACKNET)
+ flags |= NI_NUMERICHOST;
+ break;
+
+ case AF_INET6:
+ pfx = ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[0];
+ if (pfx == 0 || pfx == 0xfe || pfx == 0xff)
+ flags |= NI_NUMERICHOST;
+ break;
+ }
+#endif
+
+ if (host == NULL || hostlen == 0U) {
+ /*
+ * What should we do?
+ */
+ } else if (flags & NI_NUMERICHOST) {
+ if (lwres_net_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
+ == NULL)
+ ERR(ENI_SYSTEM);
+#if defined(LWRES_HAVE_SIN6_SCOPE_ID)
+ if (afd->a_af == AF_INET6 &&
+ ((const struct sockaddr_in6 *)sa)->sin6_scope_id) {
+ char *p = numaddr + strlen(numaddr);
+ const char *stringscope = NULL;
+#if 0
+ if ((flags & NI_NUMERICSCOPE) == 0) {
+ /*
+ * Vendors may want to add support for
+ * non-numeric scope identifier.
+ */
+ stringscope = foo;
+ }
+#endif
+ if (stringscope == NULL) {
+ snprintf(p, sizeof(numaddr) - (p - numaddr),
+ "%%%u",
+ ((const struct sockaddr_in6 *)sa)->sin6_scope_id);
+ } else {
+ snprintf(p, sizeof(numaddr) - (p - numaddr),
+ "%%%s", stringscope);
+ }
+ }
+#endif
+ if (strlen(numaddr) + 1 > hostlen)
+ ERR(ENI_MEMORY);
+ strcpy(host, numaddr);
+ } else {
+ switch (family) {
+ case AF_INET:
+ lwf = LWRES_ADDRTYPE_V4;
+ break;
+ case AF_INET6:
+ lwf = LWRES_ADDRTYPE_V6;
+ break;
+ default:
+ INSIST(0);
+ }
+
+ n = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (n == 0)
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+ if (n == 0)
+ n = lwres_getnamebyaddr(lwrctx, lwf,
+ (lwres_uint16_t)afd->a_addrlen,
+ addr, &by);
+ if (n == 0) {
+ if (flags & NI_NOFQDN) {
+ p = strchr(by->realname, '.');
+ if (p)
+ *p = '\0';
+ }
+ if ((strlen(by->realname) + 1) > hostlen)
+ ERR(ENI_MEMORY);
+ strcpy(host, by->realname);
+ } else {
+ if (flags & NI_NAMEREQD)
+ ERR(ENI_NOHOSTNAME);
+ if (lwres_net_ntop(afd->a_af, addr, numaddr,
+ sizeof(numaddr))
+ == NULL)
+ ERR(ENI_NOHOSTNAME);
+ if ((strlen(numaddr) + 1) > hostlen)
+ ERR(ENI_MEMORY);
+ strcpy(host, numaddr);
+ }
+ }
+ result = SUCCESS;
+ cleanup:
+ if (by != NULL)
+ lwres_gnbaresponse_free(lwrctx, &by);
+ if (lwrctx != NULL) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ }
+ return (result);
+}
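Review bot: The name written to `host` by `strcpy(host, by->realname)` comes straight from the reverse lookup done by `lwres_getnamebyaddr()`, and nothing in `lwres_getnameinfo()` confirms that it resolves back to the address in `sa`. Whoever controls the reverse zone for that address chooses the string, so callers that log it or match it against an allow-list need to know it is unverified. I would add a comment above the `lwres_getnamebyaddr()` call: `/* Result is unverified reverse-DNS data: not forward-confirmed, do not use for access decisions. */`. Separately, the inner `char *p` declared in the `sin6_scope_id` block shadows the function-level `p`; renaming it would avoid confusion.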
diff --git a/contrib/bind9/lib/lwres/getrrset.c b/contrib/bind9/lib/lwres/getrrset.c
new file mode 100644
index 0000000..6160039
--- /dev/null
+++ b/contrib/bind9/lib/lwres/getrrset.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: getrrset.c,v 1.11.2.3.2.2 2004/03/06 08:15:31 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+#include <errno.h>
+#include <stdlib.h>
+
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/netdb.h> /* XXX #include <netdb.h> */
+
+#include "assert_p.h"
+
+static unsigned int
+lwresult_to_result(lwres_result_t lwresult) {
+ switch (lwresult) {
+ case LWRES_R_SUCCESS: return (ERRSET_SUCCESS);
+ case LWRES_R_NOMEMORY: return (ERRSET_NOMEMORY);
+ case LWRES_R_NOTFOUND: return (ERRSET_NONAME);
+ case LWRES_R_TYPENOTFOUND: return (ERRSET_NODATA);
+ default: return (ERRSET_FAIL);
+ }
+}
+
+/*
+ * malloc / calloc functions that guarantee to only
+ * return NULL if there is an error, like they used
+ * to before the ANSI C committee broke them.
+ */
+
+static void *
+sane_malloc(size_t size) {
+ if (size == 0U)
+ size = 1;
+ return (malloc(size));
+}
+
+static void *
+sane_calloc(size_t number, size_t size) {
+ size_t len = number * size;
+ void *mem = sane_malloc(len);
+ if (mem != NULL)
+ memset(mem, 0, len);
+ return (mem);
+}
+
+int
+lwres_getrrsetbyname(const char *hostname, unsigned int rdclass,
+ unsigned int rdtype, unsigned int flags,
+ struct rrsetinfo **res)
+{
+ lwres_context_t *lwrctx = NULL;
+ lwres_result_t lwresult;
+ lwres_grbnresponse_t *response = NULL;
+ struct rrsetinfo *rrset = NULL;
+ unsigned int i;
+ unsigned int lwflags;
+ unsigned int result;
+
+ if (rdclass > 0xffff || rdtype > 0xffff) {
+ result = ERRSET_INVAL;
+ goto fail;
+ }
+
+ /*
+ * Don't allow queries of class or type ANY
+ */
+ if (rdclass == 0xff || rdtype == 0xff) {
+ result = ERRSET_INVAL;
+ goto fail;
+ }
+
+ lwresult = lwres_context_create(&lwrctx, NULL, NULL, NULL, 0);
+ if (lwresult != LWRES_R_SUCCESS) {
+ result = lwresult_to_result(lwresult);
+ goto fail;
+ }
+ (void) lwres_conf_parse(lwrctx, lwres_resolv_conf);
+
+ /*
+ * If any input flags were defined, lwflags would be set here
+ * based on them
+ */
+ UNUSED(flags);
+ lwflags = 0;
+
+ lwresult = lwres_getrdatabyname(lwrctx, hostname,
+ (lwres_uint16_t)rdclass,
+ (lwres_uint16_t)rdtype,
+ lwflags, &response);
+ if (lwresult != LWRES_R_SUCCESS) {
+ result = lwresult_to_result(lwresult);
+ goto fail;
+ }
+
+ rrset = sane_malloc(sizeof(struct rrsetinfo));
+ if (rrset == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ rrset->rri_name = NULL;
+ rrset->rri_rdclass = response->rdclass;
+ rrset->rri_rdtype = response->rdtype;
+ rrset->rri_ttl = response->ttl;
+ rrset->rri_flags = 0;
+ rrset->rri_nrdatas = 0;
+ rrset->rri_rdatas = NULL;
+ rrset->rri_nsigs = 0;
+ rrset->rri_sigs = NULL;
+
+ rrset->rri_name = sane_malloc(response->realnamelen + 1);
+ if (rrset->rri_name == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ strncpy(rrset->rri_name, response->realname, response->realnamelen);
+ rrset->rri_name[response->realnamelen] = 0;
+
+ if ((response->flags & LWRDATA_VALIDATED) != 0)
+ rrset->rri_flags |= RRSET_VALIDATED;
+
+ rrset->rri_nrdatas = response->nrdatas;
+ rrset->rri_rdatas = sane_calloc(rrset->rri_nrdatas,
+ sizeof(struct rdatainfo));
+ if (rrset->rri_rdatas == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ for (i = 0; i < rrset->rri_nrdatas; i++) {
+ rrset->rri_rdatas[i].rdi_length = response->rdatalen[i];
+ rrset->rri_rdatas[i].rdi_data =
+ sane_malloc(rrset->rri_rdatas[i].rdi_length);
+ if (rrset->rri_rdatas[i].rdi_data == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ memcpy(rrset->rri_rdatas[i].rdi_data, response->rdatas[i],
+ rrset->rri_rdatas[i].rdi_length);
+ }
+ rrset->rri_nsigs = response->nsigs;
+ rrset->rri_sigs = sane_calloc(rrset->rri_nsigs,
+ sizeof(struct rdatainfo));
+ if (rrset->rri_sigs == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ for (i = 0; i < rrset->rri_nsigs; i++) {
+ rrset->rri_sigs[i].rdi_length = response->siglen[i];
+ rrset->rri_sigs[i].rdi_data =
+ sane_malloc(rrset->rri_sigs[i].rdi_length);
+ if (rrset->rri_sigs[i].rdi_data == NULL) {
+ result = ERRSET_NOMEMORY;
+ goto fail;
+ }
+ memcpy(rrset->rri_sigs[i].rdi_data, response->sigs[i],
+ rrset->rri_sigs[i].rdi_length);
+ }
+
+ lwres_grbnresponse_free(lwrctx, &response);
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ *res = rrset;
+ return (ERRSET_SUCCESS);
+ fail:
+ if (rrset != NULL)
+ lwres_freerrset(rrset);
+ if (response != NULL)
+ lwres_grbnresponse_free(lwrctx, &response);
+ if (lwrctx != NULL) {
+ lwres_conf_clear(lwrctx);
+ lwres_context_destroy(&lwrctx);
+ }
+ return (result);
+}
+
+void
+lwres_freerrset(struct rrsetinfo *rrset) {
+ unsigned int i;
+ for (i = 0; i < rrset->rri_nrdatas; i++) {
+ if (rrset->rri_rdatas[i].rdi_data == NULL)
+ break;
+ free(rrset->rri_rdatas[i].rdi_data);
+ }
+ free(rrset->rri_rdatas);
+ for (i = 0; i < rrset->rri_nsigs; i++) {
+ if (rrset->rri_sigs[i].rdi_data == NULL)
+ break;
+ free(rrset->rri_sigs[i].rdi_data);
+ }
+ free(rrset->rri_sigs);
+ free(rrset->rri_name);
+ free(rrset);
+}
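Review bot: An allocation failure for the rdata or signature array leads to a NULL dereference in `lwres_freerrset()`. `lwres_getrrsetbyname()` stores `rri_nrdatas` and `rri_nsigs` before calling `sane_calloc()`, so on the `goto fail` path the count is non-zero while `rri_rdatas` or `rri_sigs` is still NULL, and the loops in `lwres_freerrset()` then read `rrset->rri_rdatas[i]` or `rrset->rri_sigs[i]`. Guarding the loops fixes it: `for (i = 0; rrset->rri_rdatas != NULL && i < rrset->rri_nrdatas; i++)`, and the same condition for `rri_sigs`. `sane_calloc()` also multiplies `number * size` without an overflow check; whether that is reachable depends on the width of `response->nrdatas` and `response->nsigs`, which is not visible here.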
diff --git a/contrib/bind9/lib/lwres/herror.c b/contrib/bind9/lib/lwres/herror.c
new file mode 100644
index 0000000..1d0756a
--- /dev/null
+++ b/contrib/bind9/lib/lwres/herror.c
@@ -0,0 +1,101 @@
+/*
+ * Portions Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Copyright (c) 1987, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static const char sccsid[] = "@(#)herror.c 8.1 (Berkeley) 6/4/93";
+static const char rcsid[] =
+ "$Id: herror.c,v 1.10.12.2 2004/03/06 08:15:31 marka Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include <config.h>
+
+#include <stdio.h>
+
+#include <lwres/netdb.h>
+#include <lwres/platform.h>
+
+LIBLWRES_EXTERNAL_DATA int lwres_h_errno;
+
+/*
+ * these have never been declared in any header file so make them static
+ */
+
+static const char *h_errlist[] = {
+ "Resolver Error 0 (no error)",
+ "Unknown host", /* 1 HOST_NOT_FOUND */
+ "Host name lookup failure", /* 2 TRY_AGAIN */
+ "Unknown server error", /* 3 NO_RECOVERY */
+ "No address associated with name", /* 4 NO_ADDRESS */
+};
+
+static int h_nerr = { sizeof(h_errlist) / sizeof(h_errlist[0]) };
+
+
+/*
+ * herror --
+ * print the error indicated by the h_errno value.
+ */
+void
+lwres_herror(const char *s) {
+ fprintf(stderr, "%s: %s\n", s, lwres_hstrerror(lwres_h_errno));
+}
+
+/*
+ * hstrerror --
+ * return the string associated with a given "host" errno value.
+ */
+const char *
+lwres_hstrerror(int err) {
+ if (err < 0)
+ return ("Resolver internal error");
+ else if (err < h_nerr)
+ return (h_errlist[err]);
+ return ("Unknown resolver error");
+}
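Review bot: `lwres_herror()` passes `s` to `%s` unconditionally, so a NULL prefix is undefined behaviour in `fprintf`, and an empty prefix prints a stray `: `. The traditional herror() prints the prefix only when it is non-NULL and non-empty. `if (s != NULL && *s != '\0') fprintf(stderr, "%s: ", s);` followed by `fprintf(stderr, "%s\n", lwres_hstrerror(lwres_h_errno));` would match that behaviour.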
diff --git a/contrib/bind9/lib/lwres/include/Makefile.in b/contrib/bind9/lib/lwres/include/Makefile.in
new file mode 100644
index 0000000..dc075b9
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.5.206.1 2004/03/06 08:15:33 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = lwres
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
new file mode 100644
index 0000000..48c28f6
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/Makefile.in
@@ -0,0 +1,46 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2000, 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.19.12.3 2004/03/08 09:05:11 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+#
+# Only list headers that are to be installed and are not
+# machine generated. The latter are handled specially in the
+# install target below.
+#
+HEADERS = context.h lwbuffer.h lwpacket.h lwres.h result.h \
+ int.h lang.h list.h ipv6.h version.h
+
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/lwres ; \
+ done
+ ${INSTALL_DATA} netdb.h ${DESTDIR}${includedir}/lwres
+ ${INSTALL_DATA} platform.h ${DESTDIR}${includedir}/lwres
+
+distclean::
+ rm -f netdb.h platform.h
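Review bot: A failed `${INSTALL_DATA}` inside the `for i in ${HEADERS}` loop of the `install::` recipe goes unreported unless it happens on the last header, because the loop returns only the status of its final iteration. A partially installed header set can then look like a successful install. Adding `|| exit 1` stops at the first failure: `${INSTALL_DATA} ${srcdir}/$$i ${DESTDIR}${includedir}/lwres || exit 1 ; \`.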
diff --git a/contrib/bind9/lib/lwres/include/lwres/context.h b/contrib/bind9/lib/lwres/include/lwres/context.h
new file mode 100644
index 0000000..962b142
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/context.h
@@ -0,0 +1,133 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: context.h,v 1.14.206.1 2004/03/06 08:15:34 marka Exp $ */
+
+#ifndef LWRES_CONTEXT_H
+#define LWRES_CONTEXT_H 1
+
+#include <stddef.h>
+
+#include <lwres/lang.h>
+#include <lwres/int.h>
+#include <lwres/result.h>
+
+/*
+ * Used to set various options such as timeout, authentication, etc
+ */
+typedef struct lwres_context lwres_context_t;
+
+LWRES_LANG_BEGINDECLS
+
+typedef void *(*lwres_malloc_t)(void *arg, size_t length);
+typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
+
+/*
+ * XXXMLG
+ *
+ * Make the server reload /etc/resolv.conf periodically.
+ *
+ * Make the server do sortlist/searchlist.
+ *
+ * Client side can disable the search/sortlist processing.
+ *
+ * Use an array of addresses/masks and searchlist for client-side, and
+ * if added to the client disable the processing on the server.
+ *
+ * Share /etc/resolv.conf data between contexts.
+ */
+
+/*
+ * _SERVERMODE
+ * Don't allocate and connect a socket to the server, since the
+ * caller _is_ a server.
+ */
+#define LWRES_CONTEXT_SERVERMODE 0x00000001U
+
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg,
+ lwres_malloc_t malloc_function,
+ lwres_free_t free_function,
+ unsigned int flags);
+/*
+ * Allocate a lwres context. This is used in all lwres calls.
+ *
+ * Memory management can be replaced here by passing in two functions.
+ * If one is non-NULL, they must both be non-NULL. "arg" is passed to
+ * these functions.
+ *
+ * Contexts are not thread safe. Document at the top of the file.
+ * XXXMLG
+ *
+ * If they are NULL, the standard malloc() and free() will be used.
+ *
+ * Requires:
+ *
+ * contextp != NULL && contextp == NULL.
+ *
+ * Returns:
+ *
+ * Returns 0 on success, non-zero on failure.
+ */
+
+void
+lwres_context_destroy(lwres_context_t **contextp);
+/*
+ * Frees all memory associated with a lwres context.
+ *
+ * Requires:
+ *
+ * contextp != NULL && contextp == NULL.
+ */
+
+lwres_uint32_t
+lwres_context_nextserial(lwres_context_t *ctx);
+/*
+ * XXXMLG Document
+ */
+
+void
+lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
+
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
+
+void *
+lwres_context_allocmem(lwres_context_t *ctx, size_t len);
+
+int
+lwres_context_getsocket(lwres_context_t *ctx);
+
+lwres_result_t
+lwres_context_send(lwres_context_t *ctx,
+ void *sendbase, int sendlen);
+
+lwres_result_t
+lwres_context_recv(lwres_context_t *ctx,
+ void *recvbase, int recvlen,
+ int *recvd_len);
+
+lwres_result_t
+lwres_context_sendrecv(lwres_context_t *ctx,
+ void *sendbase, int sendlen,
+ void *recvbase, int recvlen,
+ int *recvd_len);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_CONTEXT_H */
+
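Review bot: The `Requires:` clauses for `lwres_context_create()` and `lwres_context_destroy()` both read `contextp != NULL && contextp == NULL`, which can never hold. For create the intended condition is presumably `contextp != NULL && *contextp == NULL`; for destroy it is more likely `contextp != NULL && *contextp != NULL`, to be confirmed against the implementation. The create comment also carries a leftover note, "Contexts are not thread safe. Document at the top of the file.", so the thread-safety restriction is stated only mid-comment. Moving it to a file-level comment would make it visible to callers.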
diff --git a/contrib/bind9/lib/lwres/include/lwres/int.h b/contrib/bind9/lib/lwres/include/lwres/int.h
new file mode 100644
index 0000000..2523924
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/int.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: int.h,v 1.7.206.1 2004/03/06 08:15:34 marka Exp $ */
+
+#ifndef LWRES_INT_H
+#define LWRES_INT_H 1
+
+typedef char lwres_int8_t;
+typedef unsigned char lwres_uint8_t;
+typedef short lwres_int16_t;
+typedef unsigned short lwres_uint16_t;
+typedef int lwres_int32_t;
+typedef unsigned int lwres_uint32_t;
+typedef long long lwres_int64_t;
+typedef unsigned long long lwres_uint64_t;
+
+#endif /* LWRES_INT_H */
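Review bot: `typedef char lwres_int8_t;` does not guarantee a signed type, because the signedness of plain `char` is implementation-defined. On ABIs where `char` is unsigned, `lwres_int8_t` cannot hold negative values. `typedef signed char lwres_int8_t;` makes it explicit. The 16-, 32- and 64-bit typedefs likewise assume the widths of `short`, `int` and `long long` without a compile-time check; a comment stating that assumption would help porters.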
diff --git a/contrib/bind9/lib/lwres/include/lwres/ipv6.h b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
new file mode 100644
index 0000000..5dc06d6
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/ipv6.h
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ipv6.h,v 1.9.206.1 2004/03/06 08:15:34 marka Exp $ */
+
+#ifndef LWRES_IPV6_H
+#define LWRES_IPV6_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * IPv6 definitions for systems which do not support IPv6.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <lwres/int.h>
+#include <lwres/platform.h>
+
+/***
+ *** Types.
+ ***/
+
+struct in6_addr {
+ union {
+ lwres_uint8_t _S6_u8[16];
+ lwres_uint16_t _S6_u16[8];
+ lwres_uint32_t _S6_u32[4];
+ } _S6_un;
+};
+#define s6_addr _S6_un._S6_u8
+#define s6_addr8 _S6_un._S6_u8
+#define s6_addr16 _S6_un._S6_u16
+#define s6_addr32 _S6_un._S6_u32
+
+#define IN6ADDR_ANY_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }}}
+#define IN6ADDR_LOOPBACK_INIT {{{ 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }}}
+
+LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_any;
+LIBLWRES_EXTERNAL_DATA extern const struct in6_addr in6addr_loopback;
+
+struct sockaddr_in6 {
+#ifdef LWRES_PLATFORM_HAVESALEN
+ lwres_uint8_t sin6_len;
+ lwres_uint8_t sin6_family;
+#else
+ lwres_uint16_t sin6_family;
+#endif
+ lwres_uint16_t sin6_port;
+ lwres_uint32_t sin6_flowinfo;
+ struct in6_addr sin6_addr;
+ lwres_uint32_t sin6_scope_id;
+};
+
+#ifdef LWRES_PLATFORM_HAVESALEN
+#define SIN6_LEN 1
+#endif
+
+struct in6_pktinfo {
+ struct in6_addr ipi6_addr; /* src/dst IPv6 address */
+ unsigned int ipi6_ifindex; /* send/recv interface index */
+};
+
+/*
+ * Unspecified
+ */
+#define IN6_IS_ADDR_UNSPECIFIED(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] == 0))
+
+/*
+ * Loopback
+ */
+#define IN6_IS_ADDR_LOOPBACK(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] == htonl(1)))
+
+/*
+ * IPv4 compatible
+ */
+#define IN6_IS_ADDR_V4COMPAT(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == 0) && \
+ ((a)->s6_addr32[3] != 0) && \
+ ((a)->s6_addr32[3] != htonl(1)))
+
+/*
+ * Mapped
+ */
+#define IN6_IS_ADDR_V4MAPPED(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+
+#endif /* LWRES_IPV6_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/lang.h b/contrib/bind9/lib/lwres/include/lwres/lang.h
new file mode 100644
index 0000000..bd99ec0
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/lang.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lang.h,v 1.6.206.1 2004/03/06 08:15:35 marka Exp $ */
+
+#ifndef LWRES_LANG_H
+#define LWRES_LANG_H 1
+
+#ifdef __cplusplus
+#define LWRES_LANG_BEGINDECLS extern "C" {
+#define LWRES_LANG_ENDDECLS }
+#else
+#define LWRES_LANG_BEGINDECLS
+#define LWRES_LANG_ENDDECLS
+#endif
+
+#endif /* LWRES_LANG_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/list.h b/contrib/bind9/lib/lwres/include/lwres/list.h
new file mode 100644
index 0000000..9b61787
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/list.h
@@ -0,0 +1,119 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: list.h,v 1.7.206.1 2004/03/06 08:15:35 marka Exp $ */
+
+#ifndef LWRES_LIST_H
+#define LWRES_LIST_H 1
+
+#define LWRES_LIST(type) struct { type *head, *tail; }
+#define LWRES_LIST_INIT(list) \
+ do { (list).head = NULL; (list).tail = NULL; } while (0)
+
+#define LWRES_LINK(type) struct { type *prev, *next; }
+#define LWRES_LINK_INIT(elt, link) \
+ do { \
+ (elt)->link.prev = (void *)(-1); \
+ (elt)->link.next = (void *)(-1); \
+ } while (0)
+#define LWRES_LINK_LINKED(elt, link) \
+ ((void *)((elt)->link.prev) != (void *)(-1))
+
+#define LWRES_LIST_HEAD(list) ((list).head)
+#define LWRES_LIST_TAIL(list) ((list).tail)
+#define LWRES_LIST_EMPTY(list) LWRES_TF((list).head == NULL)
+
+#define LWRES_LIST_PREPEND(list, elt, link) \
+ do { \
+ if ((list).head != NULL) \
+ (list).head->link.prev = (elt); \
+ else \
+ (list).tail = (elt); \
+ (elt)->link.prev = NULL; \
+ (elt)->link.next = (list).head; \
+ (list).head = (elt); \
+ } while (0)
+
+#define LWRES_LIST_APPEND(list, elt, link) \
+ do { \
+ if ((list).tail != NULL) \
+ (list).tail->link.next = (elt); \
+ else \
+ (list).head = (elt); \
+ (elt)->link.prev = (list).tail; \
+ (elt)->link.next = NULL; \
+ (list).tail = (elt); \
+ } while (0)
+
+#define LWRES_LIST_UNLINK(list, elt, link) \
+ do { \
+ if ((elt)->link.next != NULL) \
+ (elt)->link.next->link.prev = (elt)->link.prev; \
+ else \
+ (list).tail = (elt)->link.prev; \
+ if ((elt)->link.prev != NULL) \
+ (elt)->link.prev->link.next = (elt)->link.next; \
+ else \
+ (list).head = (elt)->link.next; \
+ (elt)->link.prev = (void *)(-1); \
+ (elt)->link.next = (void *)(-1); \
+ } while (0)
+
+#define LWRES_LIST_PREV(elt, link) ((elt)->link.prev)
+#define LWRES_LIST_NEXT(elt, link) ((elt)->link.next)
+
+#define LWRES_LIST_INSERTBEFORE(list, before, elt, link) \
+ do { \
+ if ((before)->link.prev == NULL) \
+ LWRES_LIST_PREPEND(list, elt, link); \
+ else { \
+ (elt)->link.prev = (before)->link.prev; \
+ (before)->link.prev = (elt); \
+ (elt)->link.prev->link.next = (elt); \
+ (elt)->link.next = (before); \
+ } \
+ } while (0)
+
+#define LWRES_LIST_INSERTAFTER(list, after, elt, link) \
+ do { \
+ if ((after)->link.next == NULL) \
+ LWRES_LIST_APPEND(list, elt, link); \
+ else { \
+ (elt)->link.next = (after)->link.next; \
+ (after)->link.next = (elt); \
+ (elt)->link.next->link.prev = (elt); \
+ (elt)->link.prev = (after); \
+ } \
+ } while (0)
+
+#define LWRES_LIST_APPENDLIST(list1, list2, link) \
+ do { \
+ if (LWRES_LIST_EMPTY(list1)) \
+ (list1) = (list2); \
+ else if (!LWRES_LIST_EMPTY(list2)) { \
+ (list1).tail->link.next = (list2).head; \
+ (list2).head->link.prev = (list1).tail; \
+ (list1).tail = (list2).tail; \
+ } \
+ (list2).head = NULL; \
+ (list2).tail = NULL; \
+ } while (0)
+
+#define LWRES_LIST_ENQUEUE(list, elt, link) LWRES_LIST_APPEND(list, elt, link)
+#define LWRES_LIST_DEQUEUE(list, elt, link) LWRES_LIST_UNLINK(list, elt, link)
+
+#endif /* LWRES_LIST_H */
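Review bot: LWRES_LIST_UNLINK dereferences `(elt)->link.next` and `(elt)->link.prev` without checking that `elt` is linked, so calling it on an element that has only been through LWRES_LINK_INIT, or unlinking the same element twice, follows the `(void *)(-1)` sentinel as a pointer. The header has no comments on any macro, so the precondition should be written above it, e.g. `/* 'elt' must be on 'list': LWRES_LINK_LINKED(elt, link) must be true. */`, with the matching note on LWRES_LIST_APPEND and LWRES_LIST_PREPEND that `elt` must not already be linked. LWRES_LIST_EMPTY expands to LWRES_TF, which this header neither defines nor includes, so it compiles only where another header has supplied it; a one-line comment naming that header would help. Every macro also evaluates its arguments more than once, which is worth stating for callers that pass expressions with side effects.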
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
new file mode 100644
index 0000000..97f7b9d
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/lwbuffer.h
@@ -0,0 +1,402 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwbuffer.h,v 1.15.206.1 2004/03/06 08:15:35 marka Exp $ */
+
+#ifndef LWRES_LWBUFFER_H
+#define LWRES_LWBUFFER_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Buffers
+ *
+ * A buffer is a region of memory, together with a set of related subregions.
+ * Buffers are used for parsing and I/O operations.
+ *
+ * The 'used region' and the 'available' region are disjoint, and their
+ * union is the buffer's region. The used region extends from the beginning
+ * of the buffer region to the last used byte. The available region
+ * extends from one byte greater than the last used byte to the end of the
+ * buffer's region. The size of the used region can be changed using various
+ * buffer commands. Initially, the used region is empty.
+ *
+ * The used region is further subdivided into two disjoint regions: the
+ * 'consumed region' and the 'remaining region'. The union of these two
+ * regions is the used region. The consumed region extends from the beginning
+ * of the used region to the byte before the 'current' offset (if any). The
+ * 'remaining' region the current pointer to the end of the used
+ * region. The size of the consumed region can be changed using various
+ * buffer commands. Initially, the consumed region is empty.
+ *
+ * The 'active region' is an (optional) subregion of the remaining region.
+ * It extends from the current offset to an offset in the remaining region
+ * that is selected with lwres_buffer_setactive(). Initially, the active
+ * region is empty. If the current offset advances beyond the chosen offset,
+ * the active region will also be empty.
+ *
+ * /----- used region -----\/-- available --\
+ * +----------------------------------------+
+ * | consumed | remaining | |
+ * +----------------------------------------+
+ * a b c d e
+ *
+ * a == base of buffer.
+ * b == current pointer. Can be anywhere between a and d.
+ * c == active pointer. Meaningful between b and d.
+ * d == used pointer.
+ * e == length of buffer.
+ *
+ * a-e == entire (length) of buffer.
+ * a-d == used region.
+ * a-b == consumed region.
+ * b-d == remaining region.
+ * b-c == optional active region.
+ *
+ * The following invariants are maintained by all routines:
+ *
+ * length > 0
+ *
+ * base is a valid pointer to length bytes of memory
+ *
+ * 0 <= used <= length
+ *
+ * 0 <= current <= used
+ *
+ * 0 <= active <= used
+ * (although active < current implies empty active region)
+ *
+ * MP:
+ * Buffers have no synchronization. Clients must ensure exclusive
+ * access.
+ *
+ * Reliability:
+ * No anticipated impact.
+ *
+ * Resources:
+ * Memory: 1 pointer + 6 unsigned integers per buffer.
+ *
+ * Security:
+ * No anticipated impact.
+ *
+ * Standards:
+ * None.
+ */
+
+/***
+ *** Imports
+ ***/
+
+#include <lwres/lang.h>
+#include <lwres/int.h>
+
+LWRES_LANG_BEGINDECLS
+
+/***
+ *** Magic numbers
+ ***/
+#define LWRES_BUFFER_MAGIC 0x4275663fU /* Buf?. */
+
+#define LWRES_BUFFER_VALID(b) ((b) != NULL && \
+ (b)->magic == LWRES_BUFFER_MAGIC)
+
+/*
+ * The following macros MUST be used only on valid buffers. It is the
+ * caller's responsibility to ensure this by using the LWRES_BUFFER_VALID
+ * check above, or by calling another lwres_buffer_*() function (rather than
+ * another macro.)
+ */
+
+/*
+ * Get the length of the used region of buffer "b"
+ */
+#define LWRES_BUFFER_USEDCOUNT(b) ((b)->used)
+
+/*
+ * Get the length of the available region of buffer "b"
+ */
+#define LWRES_BUFFER_AVAILABLECOUNT(b) ((b)->length - (b)->used)
+
+#define LWRES_BUFFER_REMAINING(b) ((b)->used - (b)->current)
+
+/*
+ * Note that the buffer structure is public. This is principally so buffer
+ * operations can be implemented using macros. Applications are strongly
+ * discouraged from directly manipulating the structure.
+ */
+
+typedef struct lwres_buffer lwres_buffer_t;
+struct lwres_buffer {
+ unsigned int magic;
+ unsigned char *base;
+ /* The following integers are byte offsets from 'base'. */
+ unsigned int length;
+ unsigned int used;
+ unsigned int current;
+ unsigned int active;
+};
+
+/***
+ *** Functions
+ ***/
+
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
+/*
+ * Make 'b' refer to the 'length'-byte region starting at base.
+ *
+ * Requires:
+ *
+ * 'length' > 0
+ *
+ * 'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
+lwres_buffer_invalidate(lwres_buffer_t *b);
+/*
+ * Make 'b' an invalid buffer.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * Ensures:
+ * If assertion checking is enabled, future attempts to use 'b' without
+ * calling lwres_buffer_init() on it will cause an assertion failure.
+ */
+
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
+/*
+ * Increase the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * used + n <= length
+ *
+ */
+
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
+/*
+ * Decrease the 'used' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * used >= n
+ *
+ */
+
+void
+lwres_buffer_clear(lwres_buffer_t *b);
+/*
+ * Make the used region empty.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ * used = 0
+ *
+ */
+
+void
+lwres_buffer_first(lwres_buffer_t *b);
+/*
+ * Make the consumed region empty.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * Ensures:
+ *
+ * current == 0
+ *
+ */
+
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
+/*
+ * Increase the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * current + n <= used
+ *
+ */
+
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
+/*
+ * Decrease the 'consumed' region of 'b' by 'n' bytes.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer
+ *
+ * n <= current
+ *
+ */
+
+lwres_uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b);
+/*
+ * Read an unsigned 8-bit integer from 'b' and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 1.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 1.
+ *
+ * Returns:
+ *
+ * A 8-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
+/*
+ * Store an unsigned 8-bit integer from 'val' into 'b'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 1.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 1.
+ */
+
+lwres_uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b);
+/*
+ * Read an unsigned 16-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ * A 16-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
+/*
+ * Store an unsigned 16-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 2.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 2.
+ */
+
+lwres_uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b);
+/*
+ * Read an unsigned 32-bit integer in network byte order from 'b', convert
+ * it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ * 'b' is a valid buffer.
+ *
+ * The length of the available region of 'b' is at least 2.
+ *
+ * Ensures:
+ *
+ * The current pointer in 'b' is advanced by 2.
+ *
+ * Returns:
+ *
+ * A 32-bit unsigned integer.
+ */
+
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
+/*
+ * Store an unsigned 32-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * The length of the unused region of 'b' is at least 4.
+ *
+ * Ensures:
+ * The used pointer in 'b' is advanced by 4.
+ */
+
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
+ unsigned int length);
+/*
+ * Copy 'length' bytes of memory at 'base' into 'b'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * 'base' points to 'length' bytes of valid memory.
+ *
+ */
+
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
+ unsigned int length);
+/*
+ * Copy 'length' bytes of memory from 'b' into 'base'.
+ *
+ * Requires:
+ * 'b' is a valid buffer.
+ *
+ * 'base' points to at least 'length' bytes of valid memory.
+ *
+ * 'b' have at least 'length' bytes remaining.
+ */
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWBUFFER_H */
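Review bot: The contract comment on lwres_buffer_getuint32() says the region must hold "at least 2" bytes and that the current pointer "is advanced by 2", which looks copied from lwres_buffer_getuint16(). A 32-bit read needs 4, and a caller that sizes its check from this comment would allow a read past the used data. The three get functions also name the "available region", but by the module description at the top of the file reads consume the remaining region (`used - current`), so the lines should read `The length of the remaining region of 'b' is at least 4.` and `The current pointer in 'b' is advanced by 4.`, with the same region wording in getuint8 and getuint16. lwres_buffer_putmem() states no space requirement; it should carry `The length of the unused region of 'b' is at least 'length'.` as the fixed-size put functions do. Whether these preconditions are enforced by assertions or left to the caller cannot be seen from the header and is worth stating once next to LWRES_BUFFER_VALID.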
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwpacket.h b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
new file mode 100644
index 0000000..48f6a34
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/lwpacket.h
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwpacket.h,v 1.17.206.1 2004/03/06 08:15:35 marka Exp $ */
+
+#ifndef LWRES_LWPACKET_H
+#define LWRES_LWPACKET_H 1
+
+#include <lwres/lang.h>
+#include <lwres/lwbuffer.h>
+#include <lwres/result.h>
+
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+
+struct lwres_lwpacket {
+ lwres_uint32_t length;
+ lwres_uint16_t version;
+ lwres_uint16_t pktflags;
+ lwres_uint32_t serial;
+ lwres_uint32_t opcode;
+ lwres_uint32_t result;
+ lwres_uint32_t recvlength;
+ lwres_uint16_t authtype;
+ lwres_uint16_t authlength;
+};
+
+#define LWRES_LWPACKET_LENGTH (4 * 5 + 2 * 4)
+
+#define LWRES_LWPACKETFLAG_RESPONSE 0x0001U /* if set, pkt is a response */
+
+
+#define LWRES_LWPACKETVERSION_0 0
+
+/*
+ * "length" is the overall packet length, including the entire packet header.
+ *
+ * "version" specifies the header format. Currently, there is only one
+ * format, LWRES_LWPACKETVERSION_0.
+ *
+ * "flags" specifies library-defined flags for this packet. None of these
+ * are definable by the caller, but library-defined values can be set by
+ * the caller. For example, one bit in this field indicates if the packet
+ * is a request or a response.
+ *
+ * "serial" is set by the requestor and is returned in all replies. If two
+ * packets from the same source have the same serial number and are from
+ * the same source, they are assumed to be duplicates and the latter ones
+ * may be dropped. (The library does not do this by default on replies, but
+ * does so on requests.)
+ *
+ * "opcode" is application defined. Opcodes between 0x04000000 and 0xffffffff
+ * are application defined. Opcodes between 0x00000000 and 0x03ffffff are
+ * reserved for library use.
+ *
+ * "result" is application defined, and valid only on replies.
+ * Results between 0x04000000 and 0xffffffff are application defined.
+ * Results between 0x00000000 and 0x03ffffff are reserved for library use.
+ * (This is the same reserved range defined in <isc/resultclass.h>, so it
+ * would be trivial to map ISC_R_* result codes into packet result codes
+ * when appropriate.)
+ *
+ * "recvlength" is set to the maximum buffer size that the receiver can
+ * handle on requests, and the size of the buffer needed to satisfy a request
+ * when the buffer is too large for replies.
+ *
+ * "authtype" is the packet level auth type used.
+ * Authtypes between 0x1000 and 0xffff are application defined. Authtypes
+ * between 0x0000 and 0x0fff are reserved for library use. This is currently
+ * unused and MUST be set to zero.
+ *
+ * "authlen" is the length of the authentication data. See the specific
+ * authtypes for more information on what is contained in this field. This
+ * is currently unused, and MUST be set to zero.
+ *
+ * The remainder of the packet consists of two regions, one described by
+ * "authlen" and one of "length - authlen - sizeof(lwres_lwpacket_t)".
+ *
+ * That is:
+ *
+ * pkt header
+ * authlen bytes of auth information
+ * data bytes
+ */
+
+/*
+ * Currently defined opcodes:
+ *
+ * NOOP. Success is always returned, with the packet contents echoed.
+ *
+ * GETADDRSBYNAME. Return all known addresses for a given name.
+ * This may return NIS or /etc/hosts info as well as DNS
+ * information. Flags will be provided to indicate ip4/ip6
+ * addresses are desired.
+ *
+ * GETNAMEBYADDR. Return the hostname for the given address. Once
+ * again, it will return data from multiple sources.
+ */
+
+LWRES_LANG_BEGINDECLS
+
+/* XXXMLG document */
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWPACKET_H */
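Review bot: lwres_lwpacket_renderheader() and lwres_lwpacket_parseheader() carry only `/* XXXMLG document */`, although parseheader is the first code to interpret bytes received from a peer. Each needs a contract comment in the style of lwbuffer.h: that 'b' is a valid buffer and 'pkt' is non-NULL, which result is returned when fewer than LWRES_LWPACKET_LENGTH bytes remain, and whether `pkt->length` is checked against the data actually present. The implementation is not in this hunk, so those answers have to be taken from the source file. The layout comment should give the data region as `length - authlength - LWRES_LWPACKET_LENGTH` rather than `sizeof(lwres_lwpacket_t)`, because a struct size may include padding and is not the wire size. It also refers to "flags" and "authlen" where the members are named `pktflags` and `authlength`.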
diff --git a/contrib/bind9/lib/lwres/include/lwres/lwres.h b/contrib/bind9/lib/lwres/include/lwres/lwres.h
new file mode 100644
index 0000000..7260b00
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/lwres.h
@@ -0,0 +1,579 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwres.h,v 1.49.12.3 2004/03/08 09:05:11 marka Exp $ */
+
+#ifndef LWRES_LWRES_H
+#define LWRES_LWRES_H 1
+
+#include <stdio.h>
+
+#include <lwres/context.h>
+#include <lwres/lang.h>
+#include <lwres/list.h>
+#include <lwres/lwpacket.h>
+#include <lwres/platform.h>
+
+/*
+ * Design notes:
+ *
+ * Each opcode has two structures and three functions which operate on each
+ * structure. For example, using the "no operation/ping" opcode as an
+ * example:
+ *
+ * lwres_nooprequest_t:
+ *
+ * lwres_nooprequest_render() takes a lwres_nooprequest_t and
+ * and renders it into wire format, storing the allocated
+ * buffer information in a passed-in buffer. When this buffer
+ * is no longer needed, it must be freed by
+ * lwres_context_freemem(). All other memory used by the
+ * caller must be freed manually, including the
+ * lwres_nooprequest_t passed in.
+ *
+ * lwres_nooprequest_parse() takes a wire format message and
+ * breaks it out into a lwres_nooprequest_t. The structure
+ * must be freed via lwres_nooprequest_free() when it is no longer
+ * needed.
+ *
+ * lwres_nooprequest_free() releases into the lwres_context_t
+ * any space allocated during parsing.
+ *
+ * lwres_noopresponse_t:
+ *
+ * The functions used are similar to the three used for
+ * requests, just with different names.
+ *
+ * Typically, the client will use request_render, response_parse, and
+ * response_free, while the daemon will use request_parse, response_render,
+ * and request_free.
+ *
+ * The basic flow of a typical client is:
+ *
+ * fill in a request_t, and call the render function.
+ *
+ * Transmit the buffer returned to the daemon.
+ *
+ * Wait for a response.
+ *
+ * When a response is received, parse it into a response_t.
+ *
+ * free the request buffer using lwres_context_freemem().
+ *
+ * free the response structure and its associated buffer using
+ * response_free().
+ */
+
+#define LWRES_UDP_PORT 921
+#define LWRES_RECVLENGTH 16384
+#define LWRES_ADDR_MAXLEN 16 /* changing this breaks ABI */
+#define LWRES_RESOLV_CONF "/etc/resolv.conf"
+
+/*
+ * Flags.
+ *
+ * These flags are only relevant to rrset queries.
+ *
+ * TRUSTNOTREQUIRED: DNSSEC is not required (input)
+ * SECUREDATA: The data was crypto-verified with DNSSEC (output)
+ *
+ */
+#define LWRES_FLAG_TRUSTNOTREQUIRED 0x00000001U
+#define LWRES_FLAG_SECUREDATA 0x00000002U
+
+/*
+ * no-op
+ */
+#define LWRES_OPCODE_NOOP 0x00000000U
+
+typedef struct {
+ /* public */
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_nooprequest_t;
+
+typedef struct {
+ /* public */
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_noopresponse_t;
+
+/*
+ * get addresses by name
+ */
+#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+struct lwres_addr {
+ lwres_uint32_t family;
+ lwres_uint16_t length;
+ unsigned char address[LWRES_ADDR_MAXLEN];
+ LWRES_LINK(lwres_addr_t) link;
+};
+
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_uint32_t addrtypes;
+ lwres_uint16_t namelen;
+ char *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ /* if base != NULL, it will be freed when this structure is freed. */
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;
+
+/*
+ * get name by address
+ */
+#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_addr_t addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ /* if base != NULL, it will be freed when this structure is freed. */
+ void *base;
+ size_t baselen;
+} lwres_gnbaresponse_t;
+
+/*
+ * get rdata by name
+ */
+#define LWRES_OPCODE_GETRDATABYNAME 0x00010003U
+
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_uint16_t rdclass;
+ lwres_uint16_t rdtype;
+ lwres_uint16_t namelen;
+ char *name;
+} lwres_grbnrequest_t;
+
+typedef struct {
+ /* public */
+ lwres_uint32_t flags;
+ lwres_uint16_t rdclass;
+ lwres_uint16_t rdtype;
+ lwres_uint32_t ttl;
+ lwres_uint16_t nrdatas;
+ lwres_uint16_t nsigs;
+ char *realname;
+ lwres_uint16_t realnamelen;
+ unsigned char **rdatas;
+ lwres_uint16_t *rdatalen;
+ unsigned char **sigs;
+ lwres_uint16_t *siglen;
+ /* if base != NULL, it will be freed when this structure is freed. */
+ void *base;
+ size_t baselen;
+} lwres_grbnresponse_t;
+
+#define LWRDATA_VALIDATED 0x00000001
+
+/*
+ * resolv.conf data
+ */
+
+#define LWRES_CONFMAXNAMESERVERS 3 /* max 3 "nameserver" entries */
+#define LWRES_CONFMAXLWSERVERS 1 /* max 1 "lwserver" entry */
+#define LWRES_CONFMAXSEARCH 8 /* max 8 domains in "search" entry */
+#define LWRES_CONFMAXLINELEN 256 /* max size of a line */
+#define LWRES_CONFMAXSORTLIST 10
+typedef struct {
+ lwres_context_t *lwctx;
+ lwres_addr_t nameservers[LWRES_CONFMAXNAMESERVERS];
+ lwres_uint8_t nsnext; /* index for next free slot */
+
+ lwres_addr_t lwservers[LWRES_CONFMAXLWSERVERS];
+ lwres_uint8_t lwnext; /* index for next free slot */
+
+ char *domainname;
+
+ char *search[LWRES_CONFMAXSEARCH];
+ lwres_uint8_t searchnxt; /* index for next free slot */
+
+ struct {
+ lwres_addr_t addr;
+ /* mask has a non-zero 'family' and 'length' if set */
+ lwres_addr_t mask;
+ } sortlist[LWRES_CONFMAXSORTLIST];
+ lwres_uint8_t sortlistnxt;
+
+ lwres_uint8_t resdebug; /* non-zero if 'options debug' set */
+ lwres_uint8_t ndots; /* set to n in 'options ndots:n' */
+ lwres_uint8_t no_tld_query; /* non-zero if 'options no_tld_query' */
+} lwres_conf_t;
+
+#define LWRES_ADDRTYPE_V4 0x00000001U /* ipv4 */
+#define LWRES_ADDRTYPE_V6 0x00000002U /* ipv6 */
+
+#define LWRES_MAX_ALIASES 16 /* max # of aliases */
+#define LWRES_MAX_ADDRS 64 /* max # of addrs */
+
+LWRES_LANG_BEGINDECLS
+
+/*
+ * This is in host byte order.
+ */
+LIBLWRES_EXTERNAL_DATA extern lwres_uint16_t lwres_udp_port;
+
+LIBLWRES_EXTERNAL_DATA extern const char *lwres_resolv_conf;
+
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
+
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt,
+ lwres_gabnresponse_t **structp);
+
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
+
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt,
+ lwres_gnbaresponse_t **structp);
+
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+lwres_result_t
+lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp);
+
+lwres_result_t
+lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt,
+ lwres_grbnresponse_t **structp);
+
+void
+lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+void
+lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp);
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+/*
+ * Allocate space and render into wire format a noop request packet.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * b != NULL, and points to a lwres_buffer_t. The contents of the
+ * buffer structure will be initialized to contain the wire-format
+ * noop request packet.
+ *
+ * Caller needs to fill in parts of "pkt" before calling:
+ * serial, maxrecv, result.
+ *
+ * Returns:
+ *
+ * Returns 0 on success, non-zero on failure.
+ *
+ * On successful return, *b will contain data about the wire-format
+ * packet. It can be transmitted in any way, including lwres_sendblock().
+ */
+
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
+/*
+ * Parse a noop request. Note that to get here, the lwpacket must have
+ * already been parsed and removed by the caller, otherwise it would be
+ * pretty hard for it to know this is the right function to call.
+ *
+ * The function verifies bits of the header, but does not modify it.
+ */
+
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt,
+ lwres_noopresponse_t **structp);
+
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
+
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
+
+/*
+ * Frees any dynamically allocated memory for this structure.
+ *
+ * Requires:
+ *
+ * ctx != NULL, and be a context returned via lwres_contextcreate().
+ *
+ * structp != NULL && *structp != NULL.
+ *
+ * Ensures:
+ *
+ * *structp == NULL.
+ *
+ * All memory allocated by this structure will be returned to the
+ * system via the context's free function.
+ */
+
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename);
+/*
+ * parses a resolv.conf-format file and stores the results in the structure
+ * pointed to by *ctx.
+ *
+ * Requires:
+ * ctx != NULL
+ * filename != NULL && strlen(filename) > 0
+ *
+ * Returns:
+ * LWRES_R_SUCCESS on a successful parse.
+ * Anything else on error, although the structure may be partially filled
+ * in.
+ */
+
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp);
+/*
+ * Prints a resolv.conf-format of confdata output to fp.
+ *
+ * Requires:
+ * ctx != NULL
+ */
+
+void
+lwres_conf_init(lwres_context_t *ctx);
+/*
+ * sets all internal fields to a default state. Used to initialize a new
+ * lwres_conf_t structure (not reset a used on).
+ *
+ * Requires:
+ * ctx != NULL
+ */
+
+void
+lwres_conf_clear(lwres_context_t *ctx);
+/*
+ * frees all internally allocated memory in confdata. Uses the memory
+ * routines supplied by ctx.
+ *
+ * Requires:
+ * ctx != NULL
+ */
+
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx);
+/*
+ * returns a pointer to the current config structure.
+ * Be extremely cautions in modifying the contents of this structure; it
+ * needs an API to return the various bits of data, walk lists, etc.
+ *
+ * Requires:
+ * ctx != NULL
+ */
+
+/*
+ * Helper functions
+ */
+
+lwres_result_t
+lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len);
+
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
+
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
+
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
+ lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
+
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
+ lwres_uint16_t addrlen, const unsigned char *addr,
+ lwres_gnbaresponse_t **structp);
+
+lwres_result_t
+lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
+ lwres_uint16_t rdclass, lwres_uint16_t rdtype,
+ lwres_uint32_t flags, lwres_grbnresponse_t **structp);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_LWRES_H */
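Review bot: `struct lwres_addr` holds the address in a fixed `address[LWRES_ADDR_MAXLEN]` array beside a 16-bit `length`, yet neither lwres_addr_parse() nor lwres_getnamebyaddr() documents a bound on the length it accepts. The prototypes under "Helper functions" have no comments at all, so lwres_getnamebyaddr() should at least state `Requires: addr != NULL and addrlen <= LWRES_ADDR_MAXLEN`. lwres_addr_parse() should say which result it returns when the encoded length exceeds LWRES_ADDR_MAXLEN; the implementation is not visible here, so that behaviour needs confirming rather than assuming. The gabn/gnba/grbn parse and render prototypes are likewise undocumented, and the response comments should say how `naliases` and `naddrs` relate to LWRES_MAX_ALIASES and LWRES_MAX_ADDRS when parsing a reply. The lwres_nooprequest_render() comment asks the caller to fill in `maxrecv`, which is not a member of lwres_lwpacket_t; the member is `recvlength`.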
diff --git a/contrib/bind9/lib/lwres/include/lwres/netdb.h.in b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
new file mode 100644
index 0000000..7bf545f
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/netdb.h.in
@@ -0,0 +1,518 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: netdb.h.in,v 1.34.206.1 2004/03/06 08:15:35 marka Exp $ */
+
+#ifndef LWRES_NETDB_H
+#define LWRES_NETDB_H 1
+
+#include <stddef.h> /* Required on FreeBSD (and others?) for size_t. */
+#include <netdb.h> /* Contractual provision. */
+
+#include <lwres/lang.h>
+
+/*
+ * Define if <netdb.h> does not declare struct addrinfo.
+ */
+@ISC_LWRES_NEEDADDRINFO@
+
+#ifdef ISC_LWRES_NEEDADDRINFO
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* Length of ai_addr */
+ char *ai_canonname; /* Canonical name for hostname */
+ struct sockaddr *ai_addr; /* Binary address */
+ struct addrinfo *ai_next; /* Next structure in linked list */
+};
+#endif
+
+/*
+ * Undefine all #defines we are interested in as <netdb.h> may or may not have
+ * defined them.
+ */
+
+/*
+ * Error return codes from gethostbyname() and gethostbyaddr()
+ * (left in extern int h_errno).
+ */
+
+#undef NETDB_INTERNAL
+#undef NETDB_SUCCESS
+#undef HOST_NOT_FOUND
+#undef TRY_AGAIN
+#undef NO_RECOVERY
+#undef NO_DATA
+#undef NO_ADDRESS
+
+#define NETDB_INTERNAL -1 /* see errno */
+#define NETDB_SUCCESS 0 /* no problem */
+#define HOST_NOT_FOUND 1 /* Authoritative Answer Host not found */
+#define TRY_AGAIN 2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define NO_RECOVERY 3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
+#define NO_DATA 4 /* Valid name, no data record of requested type */
+#define NO_ADDRESS NO_DATA /* no address, look for MX record */
+
+/*
+ * Error return codes from getaddrinfo()
+ */
+
+#undef EAI_ADDRFAMILY
+#undef EAI_AGAIN
+#undef EAI_BADFLAGS
+#undef EAI_FAIL
+#undef EAI_FAMILY
+#undef EAI_MEMORY
+#undef EAI_NODATA
+#undef EAI_NONAME
+#undef EAI_SERVICE
+#undef EAI_SOCKTYPE
+#undef EAI_SYSTEM
+#undef EAI_BADHINTS
+#undef EAI_PROTOCOL
+#undef EAI_MAX
+
+#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
+#define EAI_AGAIN 2 /* temporary failure in name resolution */
+#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
+#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
+#define EAI_FAMILY 5 /* ai_family not supported */
+#define EAI_MEMORY 6 /* memory allocation failure */
+#define EAI_NODATA 7 /* no address associated with hostname */
+#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
+#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
+#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
+#define EAI_SYSTEM 11 /* system error returned in errno */
+#define EAI_BADHINTS 12
+#define EAI_PROTOCOL 13
+#define EAI_MAX 14
+
+/*
+ * Flag values for getaddrinfo()
+ */
+#undef AI_PASSIVE
+#undef AI_CANONNAME
+#undef AI_NUMERICHOST
+
+#define AI_PASSIVE 0x00000001
+#define AI_CANONNAME 0x00000002
+#define AI_NUMERICHOST 0x00000004
+
+/*
+ * Flag values for getipnodebyname()
+ */
+#undef AI_V4MAPPED
+#undef AI_ALL
+#undef AI_ADDRCONFIG
+#undef AI_DEFAULT
+
+#define AI_V4MAPPED 0x00000008
+#define AI_ALL 0x00000010
+#define AI_ADDRCONFIG 0x00000020
+#define AI_DEFAULT (AI_V4MAPPED|AI_ADDRCONFIG)
+
+/*
+ * Constants for lwres_getnameinfo()
+ */
+#undef NI_MAXHOST
+#undef NI_MAXSERV
+
+#define NI_MAXHOST 1025
+#define NI_MAXSERV 32
+
+/*
+ * Flag values for lwres_getnameinfo()
+ */
+#undef NI_NOFQDN
+#undef NI_NUMERICHOST
+#undef NI_NAMEREQD
+#undef NI_NUMERICSERV
+#undef NI_DGRAM
+#undef NI_NUMERICSCOPE
+
+#define NI_NOFQDN 0x00000001
+#define NI_NUMERICHOST 0x00000002
+#define NI_NAMEREQD 0x00000004
+#define NI_NUMERICSERV 0x00000008
+#define NI_DGRAM 0x00000010
+#define NI_NUMERICSCOPE 0x00000020 /*2553bis-00*/
+
+/*
+ * Define if <netdb.h> does not declare struct rrsetinfo.
+ */
+@ISC_LWRES_NEEDRRSETINFO@
+
+#ifdef ISC_LWRES_NEEDRRSETINFO
+/*
+ * Structures for getrrsetbyname()
+ */
+struct rdatainfo {
+ unsigned int rdi_length;
+ unsigned char *rdi_data;
+};
+
+struct rrsetinfo {
+ unsigned int rri_flags;
+ int rri_rdclass;
+ int rri_rdtype;
+ unsigned int rri_ttl;
+ unsigned int rri_nrdatas;
+ unsigned int rri_nsigs;
+ char *rri_name;
+ struct rdatainfo *rri_rdatas;
+ struct rdatainfo *rri_sigs;
+};
+
+/*
+ * Flags for getrrsetbyname()
+ */
+#define RRSET_VALIDATED 0x00000001
+ /* Set was dnssec validated */
+
+/*
+ * Return codes for getrrsetbyname()
+ */
+#define ERRSET_SUCCESS 0
+#define ERRSET_NOMEMORY 1
+#define ERRSET_FAIL 2
+#define ERRSET_INVAL 3
+#define ERRSET_NONAME 4
+#define ERRSET_NODATA 5
+#endif
+
+/*
+ * Define to map into lwres_ namespace.
+ */
+
+#define LWRES_NAMESPACE
+
+#ifdef LWRES_NAMESPACE
+
+/*
+ * Use our versions not the ones from the C library.
+ */
+
+#ifdef getnameinfo
+#undef getnameinfo
+#endif
+#define getnameinfo lwres_getnameinfo
+
+#ifdef getaddrinfo
+#undef getaddrinfo
+#endif
+#define getaddrinfo lwres_getaddrinfo
+
+#ifdef freeaddrinfo
+#undef freeaddrinfo
+#endif
+#define freeaddrinfo lwres_freeaddrinfo
+
+#ifdef gai_strerror
+#undef gai_strerror
+#endif
+#define gai_strerror lwres_gai_strerror
+
+#ifdef herror
+#undef herror
+#endif
+#define herror lwres_herror
+
+#ifdef hstrerror
+#undef hstrerror
+#endif
+#define hstrerror lwres_hstrerror
+
+#ifdef getipnodebyname
+#undef getipnodebyname
+#endif
+#define getipnodebyname lwres_getipnodebyname
+
+#ifdef getipnodebyaddr
+#undef getipnodebyaddr
+#endif
+#define getipnodebyaddr lwres_getipnodebyaddr
+
+#ifdef freehostent
+#undef freehostent
+#endif
+#define freehostent lwres_freehostent
+
+#ifdef gethostbyname
+#undef gethostbyname
+#endif
+#define gethostbyname lwres_gethostbyname
+
+#ifdef gethostbyname2
+#undef gethostbyname2
+#endif
+#define gethostbyname2 lwres_gethostbyname2
+
+#ifdef gethostbyaddr
+#undef gethostbyaddr
+#endif
+#define gethostbyaddr lwres_gethostbyaddr
+
+#ifdef gethostent
+#undef gethostent
+#endif
+#define gethostent lwres_gethostent
+
+#ifdef sethostent
+#undef sethostent
+#endif
+#define sethostent lwres_sethostent
+
+#ifdef endhostent
+#undef endhostent
+#endif
+#define endhostent lwres_endhostent
+
+/* #define sethostfile lwres_sethostfile */
+
+#ifdef gethostbyname_r
+#undef gethostbyname_r
+#endif
+#define gethostbyname_r lwres_gethostbyname_r
+
+#ifdef gethostbyaddr_r
+#undef gethostbyaddr_r
+#endif
+#define gethostbyaddr_r lwres_gethostbyaddr_r
+
+#ifdef gethostent_r
+#undef gethostent_r
+#endif
+#define gethostent_r lwres_gethostent_r
+
+#ifdef sethostent_r
+#undef sethostent_r
+#endif
+#define sethostent_r lwres_sethostent_r
+
+#ifdef endhostent_r
+#undef endhostent_r
+#endif
+#define endhostent_r lwres_endhostent_r
+
+#ifdef getrrsetbyname
+#undef getrrsetbyname
+#endif
+#define getrrsetbyname lwres_getrrsetbyname
+
+#ifdef freerrset
+#undef freerrset
+#endif
+#define freerrset lwres_freerrset
+
+#ifdef notyet
+#define getservbyname lwres_getservbyname
+#define getservbyport lwres_getservbyport
+#define getservent lwres_getservent
+#define setservent lwres_setservent
+#define endservent lwres_endservent
+
+#define getservbyname_r lwres_getservbyname_r
+#define getservbyport_r lwres_getservbyport_r
+#define getservent_r lwres_getservent_r
+#define setservent_r lwres_setservent_r
+#define endservent_r lwres_endservent_r
+
+#define getprotobyname lwres_getprotobyname
+#define getprotobynumber lwres_getprotobynumber
+#define getprotoent lwres_getprotoent
+#define setprotoent lwres_setprotoent
+#define endprotoent lwres_endprotoent
+
+#define getprotobyname_r lwres_getprotobyname_r
+#define getprotobynumber_r lwres_getprotobynumber_r
+#define getprotoent_r lwres_getprotoent_r
+#define setprotoent_r lwres_setprotoent_r
+#define endprotoent_r lwres_endprotoent_r
+
+#ifdef getnetbyname
+#undef getnetbyname
+#endif
+#define getnetbyname lwres_getnetbyname
+
+#ifdef getnetbyaddr
+#undef getnetbyaddr
+#endif
+#define getnetbyaddr lwres_getnetbyaddr
+
+#ifdef getnetent
+#undef getnetent
+#endif
+#define getnetent lwres_getnetent
+
+#ifdef setnetent
+#undef setnetent
+#endif
+#define setnetent lwres_setnetent
+
+#ifdef endnetent
+#undef endnetent
+#endif
+#define endnetent lwres_endnetent
+
+
+#ifdef getnetbyname_r
+#undef getnetbyname_r
+#endif
+#define getnetbyname_r lwres_getnetbyname_r
+
+#ifdef getnetbyaddr_r
+#undef getnetbyaddr_r
+#endif
+#define getnetbyaddr_r lwres_getnetbyaddr_r
+
+#ifdef getnetent_r
+#undef getnetent_r
+#endif
+#define getnetent_r lwres_getnetent_r
+
+#ifdef setnetent_r
+#undef setnetent_r
+#endif
+#define setnetent_r lwres_setnetent_r
+
+#ifdef endnetent_r
+#undef endnetent_r
+#endif
+#define endnetent_r lwres_endnetent_r
+#endif /* notyet */
+
+#ifdef h_errno
+#undef h_errno
+#endif
+#define h_errno lwres_h_errno
+
+#endif /* LWRES_NAMESPACE */
+
+LWRES_LANG_BEGINDECLS
+
+extern int lwres_h_errno;
+
+int lwres_getaddrinfo(const char *, const char *,
+ const struct addrinfo *, struct addrinfo **);
+int lwres_getnameinfo(const struct sockaddr *, size_t, char *,
+ size_t, char *, size_t, int);
+void lwres_freeaddrinfo(struct addrinfo *);
+char *lwres_gai_strerror(int);
+
+struct hostent *lwres_gethostbyaddr(const char *, int, int);
+struct hostent *lwres_gethostbyname(const char *);
+struct hostent *lwres_gethostbyname2(const char *, int);
+struct hostent *lwres_gethostent(void);
+struct hostent *lwres_getipnodebyname(const char *, int, int, int *);
+struct hostent *lwres_getipnodebyaddr(const void *, size_t, int, int *);
+void lwres_endhostent(void);
+void lwres_sethostent(int);
+/* void lwres_sethostfile(const char *); */
+void lwres_freehostent(struct hostent *);
+
+int lwres_getrrsetbyname(const char *, unsigned int, unsigned int,
+ unsigned int, struct rrsetinfo **);
+void lwres_freerrset(struct rrsetinfo *);
+
+#ifdef notyet
+struct netent *lwres_getnetbyaddr(unsigned long, int);
+struct netent *lwres_getnetbyname(const char *);
+struct netent *lwres_getnetent(void);
+void lwres_endnetent(void);
+void lwres_setnetent(int);
+
+struct protoent *lwres_getprotobyname(const char *);
+struct protoent *lwres_getprotobynumber(int);
+struct protoent *lwres_getprotoent(void);
+void lwres_endprotoent(void);
+void lwres_setprotoent(int);
+
+struct servent *lwres_getservbyname(const char *, const char *);
+struct servent *lwres_getservbyport(int, const char *);
+struct servent *lwres_getservent(void);
+void lwres_endservent(void);
+void lwres_setservent(int);
+#endif /* notyet */
+
+void lwres_herror(const char *);
+const char *lwres_hstrerror(int);
+
+
+struct hostent *lwres_gethostbyaddr_r(const char *, int, int, struct hostent *,
+ char *, int, int *);
+struct hostent *lwres_gethostbyname_r(const char *, struct hostent *,
+ char *, int, int *);
+struct hostent *lwres_gethostent_r(struct hostent *, char *, int, int *);
+void lwres_sethostent_r(int);
+void lwres_endhostent_r(void);
+
+#ifdef notyet
+struct netent *lwres_getnetbyname_r(const char *, struct netent *,
+ char *, int);
+struct netent *lwres_getnetbyaddr_r(long, int, struct netent *,
+ char *, int);
+struct netent *lwres_getnetent_r(struct netent *, char *, int);
+void lwres_setnetent_r(int);
+void lwres_endnetent_r(void);
+
+struct protoent *lwres_getprotobyname_r(const char *,
+ struct protoent *, char *, int);
+struct protoent *lwres_getprotobynumber_r(int,
+ struct protoent *, char *, int);
+struct protoent *lwres_getprotoent_r(struct protoent *, char *, int);
+void lwres_setprotoent_r(int);
+void lwres_endprotoent_r(void);
+
+struct servent *lwres_getservbyname_r(const char *name, const char *,
+ struct servent *, char *, int);
+struct servent *lwres_getservbyport_r(int port, const char *,
+ struct servent *, char *, int);
+struct servent *lwres_getservent_r(struct servent *, char *, int);
+void lwres_setservent_r(int);
+void lwres_endservent_r(void);
+#endif /* notyet */
+
+LWRES_LANG_ENDDECLS
+
+#ifdef notyet
+/* This is nec'y to make this include file properly replace the sun version. */
+#ifdef sun
+#ifdef __GNU_LIBRARY__
+#include <rpc/netdb.h> /* Required. */
+#else /* !__GNU_LIBRARY__ */
+struct rpcent {
+ char *r_name; /* name of server for this rpc program */
+ char **r_aliases; /* alias list */
+ int r_number; /* rpc program number */
+};
+struct rpcent *lwres_getrpcbyname();
+struct rpcent *lwres_getrpcbynumber(),
+struct rpcent *lwres_getrpcent();
+#endif /* __GNU_LIBRARY__ */
+#endif /* sun */
+#endif /* notyet */
+
+/*
+ * Tell Emacs to use C mode on this file.
+ * Local variables:
+ * mode: c
+ * End:
+ */
+
+#endif /* LWRES_NETDB_H */
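Review bot: In the trailing `#ifdef notyet` / `#ifdef sun` block, the declaration `struct rpcent *lwres_getrpcbynumber(),` ends in a comma rather than a semicolon, so the header stops compiling as soon as `notyet` is defined on that platform. It should read `struct rpcent *lwres_getrpcbynumber();`, and the three rpc declarations would be better with real prototypes than empty parameter lists. Separately, `#define LWRES_NAMESPACE` is hard-coded just above its own `#ifdef`, so every file including this header has `getaddrinfo`, `gethostbyname`, `h_errno` and the `EAI_*`/`NI_*` values silently replaced. A comment at that define, such as `/* Unconditional: including this header redirects the libc resolver API and its error codes to lwres_*. */`, would make that visible to whoever audits a caller's name-resolution path.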
diff --git a/contrib/bind9/lib/lwres/include/lwres/platform.h.in b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
new file mode 100644
index 0000000..9c6502b
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/platform.h.in
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: platform.h.in,v 1.12.2.1.10.2 2004/08/28 06:25:26 marka Exp $ */
+
+#ifndef LWRES_PLATFORM_H
+#define LWRES_PLATFORM_H 1
+
+/*****
+ ***** Platform-dependent defines.
+ *****/
+
+/***
+ *** Network.
+ ***/
+
+/*
+ * Define if this system needs the <netinet/in6.h> header file for IPv6.
+ */
+@LWRES_PLATFORM_NEEDNETINETIN6H@
+
+/*
+ * Define if this system needs the <netinet6/in6.h> header file for IPv6.
+ */
+@LWRES_PLATFORM_NEEDNETINET6IN6H@
+
+/*
+ * If sockaddrs on this system have an sa_len field, LWRES_PLATFORM_HAVESALEN
+ * will be defined.
+ */
+@LWRES_PLATFORM_HAVESALEN@
+
+/*
+ * If this system has the IPv6 structure definitions, LWRES_PLATFORM_HAVEIPV6
+ * will be defined.
+ */
+@LWRES_PLATFORM_HAVEIPV6@
+
+/*
+ * If this system is missing in6addr_any, LWRES_PLATFORM_NEEDIN6ADDRANY will
+ * be defined.
+ */
+@LWRES_PLATFORM_NEEDIN6ADDRANY@
+
+/*
+ * If this system is missing in6addr_loopback,
+ * LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK will be defined.
+ */
+@LWRES_PLATFORM_NEEDIN6ADDRLOOPBACK@
+
+/*
+ * If this system has in_addr6, rather than in6_addr,
+ * LWRES_PLATFORM_HAVEINADDR6 will be defined.
+ */
+@LWRES_PLATFORM_HAVEINADDR6@
+
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
+ */
+@LWRES_PLATFORM_NEEDSYSSELECTH@
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+@LWRES_PLATFORM_USEDECLSPEC@
+
+/*
+ * Defined this system needs vsnprintf() and snprintf().
+ */
+@LWRES_PLATFORM_NEEDVSNPRINTF@
+
+/*
+ * If this system need a modern sprintf() that returns (int) not (char*).
+ */
+@LWRES_PLATFORM_NEEDSPRINTF@
+
+#ifndef LWRES_PLATFORM_USEDECLSPEC
+#define LIBLWRES_EXTERNAL_DATA
+#else
+#ifdef LIBLWRES_EXPORTS
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllexport)
+#else
+#define LIBLWRES_EXTERNAL_DATA __declspec(dllimport)
+#endif
+#endif
+
+#endif /* LWRES_PLATFORM_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/result.h b/contrib/bind9/lib/lwres/include/lwres/result.h
new file mode 100644
index 0000000..617ae322
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/result.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: result.h,v 1.14.206.1 2004/03/06 08:15:36 marka Exp $ */
+
+#ifndef LWRES_RESULT_H
+#define LWRES_RESULT_H 1
+
+typedef unsigned int lwres_result_t;
+
+#define LWRES_R_SUCCESS 0
+#define LWRES_R_NOMEMORY 1
+#define LWRES_R_TIMEOUT 2
+#define LWRES_R_NOTFOUND 3
+#define LWRES_R_UNEXPECTEDEND 4 /* unexpected end of input */
+#define LWRES_R_FAILURE 5 /* generic failure */
+#define LWRES_R_IOERROR 6
+#define LWRES_R_NOTIMPLEMENTED 7
+#define LWRES_R_UNEXPECTED 8
+#define LWRES_R_TRAILINGDATA 9
+#define LWRES_R_INCOMPLETE 10
+#define LWRES_R_RETRY 11
+#define LWRES_R_TYPENOTFOUND 12
+#define LWRES_R_TOOLARGE 13
+
+#endif /* LWRES_RESULT_H */
diff --git a/contrib/bind9/lib/lwres/include/lwres/version.h b/contrib/bind9/lib/lwres/include/lwres/version.h
new file mode 100644
index 0000000..1b291ce
--- /dev/null
+++ b/contrib/bind9/lib/lwres/include/lwres/version.h
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.h,v 1.2.224.3 2004/03/08 09:05:11 marka Exp $ */
+
+#include <lwres/platform.h>
+
+LIBLWRES_EXTERNAL_DATA extern const char lwres_version[];
+
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libinterface;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_librevision;
+LIBLWRES_EXTERNAL_DATA extern const unsigned int lwres_libage;
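Review bot: This header has no include guard, unlike `result.h`, `platform.h.in` and `netdb.h.in` in the same directory, which all use the `LWRES_*_H` pattern. Repeated `extern` declarations are harmless today, but the inconsistency will bite if a definition or typedef is ever added here. Wrap the body in `#ifndef LWRES_VERSION_H`, `#define LWRES_VERSION_H 1` and a closing `#endif /* LWRES_VERSION_H */`.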
diff --git a/contrib/bind9/lib/lwres/lwbuffer.c b/contrib/bind9/lib/lwres/lwbuffer.c
new file mode 100644
index 0000000..69009f0
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwbuffer.c
@@ -0,0 +1,287 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwbuffer.c,v 1.10.206.1 2004/03/06 08:15:31 marka Exp $ */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+
+#include "assert_p.h"
+
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length)
+{
+ /*
+ * Make 'b' refer to the 'length'-byte region starting at base.
+ */
+
+ REQUIRE(b != NULL);
+
+ b->magic = LWRES_BUFFER_MAGIC;
+ b->base = base;
+ b->length = length;
+ b->used = 0;
+ b->current = 0;
+ b->active = 0;
+}
+
+void
+lwres_buffer_invalidate(lwres_buffer_t *b)
+{
+ /*
+ * Make 'b' an invalid buffer.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+
+ b->magic = 0;
+ b->base = NULL;
+ b->length = 0;
+ b->used = 0;
+ b->current = 0;
+ b->active = 0;
+}
+
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n)
+{
+ /*
+ * Increase the 'used' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used + n <= b->length);
+
+ b->used += n;
+}
+
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n)
+{
+ /*
+ * Decrease the 'used' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used >= n);
+
+ b->used -= n;
+ if (b->current > b->used)
+ b->current = b->used;
+ if (b->active > b->used)
+ b->active = b->used;
+}
+
+void
+lwres_buffer_clear(lwres_buffer_t *b)
+{
+ /*
+ * Make the used region empty.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+
+ b->used = 0;
+ b->current = 0;
+ b->active = 0;
+}
+
+void
+lwres_buffer_first(lwres_buffer_t *b)
+{
+ /*
+ * Make the consumed region empty.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+
+ b->current = 0;
+}
+
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n)
+{
+ /*
+ * Increase the 'consumed' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->current + n <= b->used);
+
+ b->current += n;
+}
+
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n)
+{
+ /*
+ * Decrease the 'consumed' region of 'b' by 'n' bytes.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(n <= b->current);
+
+ b->current -= n;
+}
+
+lwres_uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b)
+{
+ unsigned char *cp;
+ lwres_uint8_t result;
+
+ /*
+ * Read an unsigned 8-bit integer from 'b' and return it.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 1);
+
+ cp = b->base;
+ cp += b->current;
+ b->current += 1;
+ result = ((unsigned int)(cp[0]));
+
+ return (result);
+}
+
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val)
+{
+ unsigned char *cp;
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used + 1 <= b->length);
+
+ cp = b->base;
+ cp += b->used;
+ b->used += 1;
+ cp[0] = (val & 0x00ff);
+}
+
+lwres_uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b)
+{
+ unsigned char *cp;
+ lwres_uint16_t result;
+
+ /*
+ * Read an unsigned 16-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 2);
+
+ cp = b->base;
+ cp += b->current;
+ b->current += 2;
+ result = ((unsigned int)(cp[0])) << 8;
+ result |= ((unsigned int)(cp[1]));
+
+ return (result);
+}
+
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val)
+{
+ unsigned char *cp;
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used + 2 <= b->length);
+
+ cp = b->base;
+ cp += b->used;
+ b->used += 2;
+ cp[0] = (val & 0xff00) >> 8;
+ cp[1] = (val & 0x00ff);
+}
+
+lwres_uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b)
+{
+ unsigned char *cp;
+ lwres_uint32_t result;
+
+ /*
+ * Read an unsigned 32-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ */
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= 4);
+
+ cp = b->base;
+ cp += b->current;
+ b->current += 4;
+ result = ((unsigned int)(cp[0])) << 24;
+ result |= ((unsigned int)(cp[1])) << 16;
+ result |= ((unsigned int)(cp[2])) << 8;
+ result |= ((unsigned int)(cp[3]));
+
+ return (result);
+}
+
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val)
+{
+ unsigned char *cp;
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used + 4 <= b->length);
+
+ cp = b->base;
+ cp += b->used;
+ b->used += 4;
+ cp[0] = (unsigned char)((val & 0xff000000) >> 24);
+ cp[1] = (unsigned char)((val & 0x00ff0000) >> 16);
+ cp[2] = (unsigned char)((val & 0x0000ff00) >> 8);
+ cp[3] = (unsigned char)(val & 0x000000ff);
+}
+
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base,
+ unsigned int length)
+{
+ unsigned char *cp;
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used + length <= b->length);
+
+ cp = (unsigned char *)b->base + b->used;
+ memcpy(cp, base, length);
+ b->used += length;
+}
+
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base,
+ unsigned int length)
+{
+ unsigned char *cp;
+
+ REQUIRE(LWRES_BUFFER_VALID(b));
+ REQUIRE(b->used - b->current >= length);
+
+ cp = b->base;
+ cp += b->current;
+ b->current += length;
+
+ memcpy(base, cp, length);
+}
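Review bot: The bounds checks in `lwres_buffer_add`, `lwres_buffer_forward` and `lwres_buffer_putmem` are written as unsigned sums (`b->used + n <= b->length`, `b->current + n <= b->used`, `b->used + length <= b->length`), which wrap for a large `n` or `length` and then pass. In `lwres_buffer_putmem` the `memcpy` that follows would then write past `b->base + b->length`. The getters already use the wrap-safe subtraction form (`b->used - b->current >= length`), and the writers should match it: `REQUIRE(n <= b->length - b->used);`, `REQUIRE(n <= b->used - b->current);` and `REQUIRE(length <= b->length - b->used);`. This matters most if any caller derives the length from wire data, which is not visible in this file. `REQUIRE` comes from `assert_p.h`, also not shown here, so it is worth confirming that these checks stay enabled in release builds, because they are the only bounds enforcement in these functions.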
diff --git a/contrib/bind9/lib/lwres/lwconfig.c b/contrib/bind9/lib/lwres/lwconfig.c
new file mode 100644
index 0000000..9fc7825
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwconfig.c
@@ -0,0 +1,703 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwconfig.c,v 1.33.2.1.2.5 2004/03/08 09:05:10 marka Exp $ */
+
+/***
+ *** Module for parsing resolv.conf files.
+ ***
+ *** entry points are:
+ *** lwres_conf_init(lwres_context_t *ctx)
+ *** intializes data structure for subsequent config parsing.
+ ***
+ *** lwres_conf_parse(lwres_context_t *ctx, const char *filename)
+ *** parses a file and fills in the data structure.
+ ***
+ *** lwres_conf_print(lwres_context_t *ctx, FILE *fp)
+ *** prints the config data structure to the FILE.
+ ***
+ *** lwres_conf_clear(lwres_context_t *ctx)
+ *** frees up all the internal memory used by the config data
+ *** structure, returning it to the lwres_context_t.
+ ***
+ ***/
+
+#include <config.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwres.h>
+#include <lwres/net.h>
+#include <lwres/result.h>
+
+#include "assert_p.h"
+#include "context_p.h"
+
+
+#if ! defined(NS_INADDRSZ)
+#define NS_INADDRSZ 4
+#endif
+
+#if ! defined(NS_IN6ADDRSZ)
+#define NS_IN6ADDRSZ 16
+#endif
+
+static lwres_result_t
+lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp);
+
+static lwres_result_t
+lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp);
+
+static void
+lwres_resetaddr(lwres_addr_t *addr);
+
+static lwres_result_t
+lwres_create_addr(const char *buff, lwres_addr_t *addr, int convert_zero);
+
+static int lwresaddr2af(int lwresaddrtype);
+
+
+static int
+lwresaddr2af(int lwresaddrtype)
+{
+ int af = 0;
+
+ switch (lwresaddrtype) {
+ case LWRES_ADDRTYPE_V4:
+ af = AF_INET;
+ break;
+
+ case LWRES_ADDRTYPE_V6:
+ af = AF_INET6;
+ break;
+ }
+
+ return (af);
+}
+
+
+/*
+ * Eat characters from FP until EOL or EOF. Returns EOF or '\n'
+ */
+static int
+eatline(FILE *fp) {
+ int ch;
+
+ ch = fgetc(fp);
+ while (ch != '\n' && ch != EOF)
+ ch = fgetc(fp);
+
+ return (ch);
+}
+
+
+/*
+ * Eats white space up to next newline or non-whitespace character (of
+ * EOF). Returns the last character read. Comments are considered white
+ * space.
+ */
+static int
+eatwhite(FILE *fp) {
+ int ch;
+
+ ch = fgetc(fp);
+ while (ch != '\n' && ch != EOF && isspace((unsigned char)ch))
+ ch = fgetc(fp);
+
+ if (ch == ';' || ch == '#')
+ ch = eatline(fp);
+
+ return (ch);
+}
+
+
+/*
+ * Skip over any leading whitespace and then read in the next sequence of
+ * non-whitespace characters. In this context newline is not considered
+ * whitespace. Returns EOF on end-of-file, or the character
+ * that caused the reading to stop.
+ */
+static int
+getword(FILE *fp, char *buffer, size_t size) {
+ int ch;
+ char *p = buffer;
+
+ REQUIRE(buffer != NULL);
+ REQUIRE(size > 0U);
+
+ *p = '\0';
+
+ ch = eatwhite(fp);
+
+ if (ch == EOF)
+ return (EOF);
+
+ do {
+ *p = '\0';
+
+ if (ch == EOF || isspace((unsigned char)ch))
+ break;
+ else if ((size_t) (p - buffer) == size - 1)
+ return (EOF); /* Not enough space. */
+
+ *p++ = (char)ch;
+ ch = fgetc(fp);
+ } while (1);
+
+ return (ch);
+}
+
+static void
+lwres_resetaddr(lwres_addr_t *addr) {
+ REQUIRE(addr != NULL);
+
+ memset(addr->address, 0, LWRES_ADDR_MAXLEN);
+ addr->family = 0;
+ addr->length = 0;
+}
+
+static char *
+lwres_strdup(lwres_context_t *ctx, const char *str) {
+ char *p;
+
+ REQUIRE(str != NULL);
+ REQUIRE(strlen(str) > 0U);
+
+ p = CTXMALLOC(strlen(str) + 1);
+ if (p != NULL)
+ strcpy(p, str);
+
+ return (p);
+}
+
+void
+lwres_conf_init(lwres_context_t *ctx) {
+ int i;
+ lwres_conf_t *confdata;
+
+ REQUIRE(ctx != NULL);
+ confdata = &ctx->confdata;
+
+ confdata->nsnext = 0;
+ confdata->lwnext = 0;
+ confdata->domainname = NULL;
+ confdata->searchnxt = 0;
+ confdata->sortlistnxt = 0;
+ confdata->resdebug = 0;
+ confdata->ndots = 1;
+ confdata->no_tld_query = 0;
+
+ for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
+ lwres_resetaddr(&confdata->nameservers[i]);
+
+ for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
+ confdata->search[i] = NULL;
+
+ for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
+ lwres_resetaddr(&confdata->sortlist[i].addr);
+ lwres_resetaddr(&confdata->sortlist[i].mask);
+ }
+}
+
+void
+lwres_conf_clear(lwres_context_t *ctx) {
+ int i;
+ lwres_conf_t *confdata;
+
+ REQUIRE(ctx != NULL);
+ confdata = &ctx->confdata;
+
+ for (i = 0; i < confdata->nsnext; i++)
+ lwres_resetaddr(&confdata->nameservers[i]);
+
+ if (confdata->domainname != NULL) {
+ CTXFREE(confdata->domainname,
+ strlen(confdata->domainname) + 1);
+ confdata->domainname = NULL;
+ }
+
+ for (i = 0; i < confdata->searchnxt; i++) {
+ if (confdata->search[i] != NULL) {
+ CTXFREE(confdata->search[i],
+ strlen(confdata->search[i]) + 1);
+ confdata->search[i] = NULL;
+ }
+ }
+
+ for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
+ lwres_resetaddr(&confdata->sortlist[i].addr);
+ lwres_resetaddr(&confdata->sortlist[i].mask);
+ }
+
+ confdata->nsnext = 0;
+ confdata->lwnext = 0;
+ confdata->domainname = NULL;
+ confdata->searchnxt = 0;
+ confdata->sortlistnxt = 0;
+ confdata->resdebug = 0;
+ confdata->ndots = 1;
+ confdata->no_tld_query = 0;
+}
+
+static lwres_result_t
+lwres_conf_parsenameserver(lwres_context_t *ctx, FILE *fp) {
+ char word[LWRES_CONFMAXLINELEN];
+ int res;
+ lwres_conf_t *confdata;
+
+ confdata = &ctx->confdata;
+
+ if (confdata->nsnext == LWRES_CONFMAXNAMESERVERS)
+ return (LWRES_R_SUCCESS);
+
+ res = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Nothing on line. */
+ else if (res == ' ' || res == '\t')
+ res = eatwhite(fp);
+
+ if (res != EOF && res != '\n')
+ return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+ res = lwres_create_addr(word,
+ &confdata->nameservers[confdata->nsnext++], 1);
+ if (res != LWRES_R_SUCCESS)
+ return (res);
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parselwserver(lwres_context_t *ctx, FILE *fp) {
+ char word[LWRES_CONFMAXLINELEN];
+ int res;
+ lwres_conf_t *confdata;
+
+ confdata = &ctx->confdata;
+
+ if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
+ return (LWRES_R_SUCCESS);
+
+ res = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Nothing on line. */
+ else if (res == ' ' || res == '\t')
+ res = eatwhite(fp);
+
+ if (res != EOF && res != '\n')
+ return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+ res = lwres_create_addr(word,
+ &confdata->lwservers[confdata->lwnext++], 1);
+ if (res != LWRES_R_SUCCESS)
+ return (res);
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsedomain(lwres_context_t *ctx, FILE *fp) {
+ char word[LWRES_CONFMAXLINELEN];
+ int res, i;
+ lwres_conf_t *confdata;
+
+ confdata = &ctx->confdata;
+
+ res = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Nothing else on line. */
+ else if (res == ' ' || res == '\t')
+ res = eatwhite(fp);
+
+ if (res != EOF && res != '\n')
+ return (LWRES_R_FAILURE); /* Extra junk on line. */
+
+ if (confdata->domainname != NULL)
+ CTXFREE(confdata->domainname,
+ strlen(confdata->domainname) + 1); /* */
+
+ /*
+ * Search and domain are mutually exclusive.
+ */
+ for (i = 0; i < LWRES_CONFMAXSEARCH; i++) {
+ if (confdata->search[i] != NULL) {
+ CTXFREE(confdata->search[i],
+ strlen(confdata->search[i])+1);
+ confdata->search[i] = NULL;
+ }
+ }
+ confdata->searchnxt = 0;
+
+ confdata->domainname = lwres_strdup(ctx, word);
+
+ if (confdata->domainname == NULL)
+ return (LWRES_R_FAILURE);
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsesearch(lwres_context_t *ctx, FILE *fp) {
+ int idx, delim;
+ char word[LWRES_CONFMAXLINELEN];
+ lwres_conf_t *confdata;
+
+ confdata = &ctx->confdata;
+
+ if (confdata->domainname != NULL) {
+ /*
+ * Search and domain are mutually exclusive.
+ */
+ CTXFREE(confdata->domainname,
+ strlen(confdata->domainname) + 1);
+ confdata->domainname = NULL;
+ }
+
+ /*
+ * Remove any previous search definitions.
+ */
+ for (idx = 0; idx < LWRES_CONFMAXSEARCH; idx++) {
+ if (confdata->search[idx] != NULL) {
+ CTXFREE(confdata->search[idx],
+ strlen(confdata->search[idx])+1);
+ confdata->search[idx] = NULL;
+ }
+ }
+ confdata->searchnxt = 0;
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Nothing else on line. */
+
+ idx = 0;
+ while (strlen(word) > 0U) {
+ if (confdata->searchnxt == LWRES_CONFMAXSEARCH)
+ goto ignore; /* Too many domains. */
+
+ confdata->search[idx] = lwres_strdup(ctx, word);
+ if (confdata->search[idx] == NULL)
+ return (LWRES_R_FAILURE);
+ idx++;
+ confdata->searchnxt++;
+
+ ignore:
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
+ struct in_addr v4;
+ struct in6_addr v6;
+
+ if (lwres_net_aton(buffer, &v4) == 1) {
+ if (convert_zero) {
+ unsigned char zeroaddress[] = {0, 0, 0, 0};
+ unsigned char loopaddress[] = {127, 0, 0, 1};
+ if (memcmp(&v4, zeroaddress, 4) == 0)
+ memcpy(&v4, loopaddress, 4);
+ }
+ addr->family = LWRES_ADDRTYPE_V4;
+ addr->length = NS_INADDRSZ;
+ memcpy((void *)addr->address, &v4, NS_INADDRSZ);
+
+ } else if (lwres_net_pton(AF_INET6, buffer, &v6) == 1) {
+ addr->family = LWRES_ADDRTYPE_V6;
+ addr->length = NS_IN6ADDRSZ;
+ memcpy((void *)addr->address, &v6, NS_IN6ADDRSZ);
+ } else {
+ return (LWRES_R_FAILURE); /* Unrecognised format. */
+ }
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parsesortlist(lwres_context_t *ctx, FILE *fp) {
+ int delim, res, idx;
+ char word[LWRES_CONFMAXLINELEN];
+ char *p;
+ lwres_conf_t *confdata;
+
+ confdata = &ctx->confdata;
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Empty line after keyword. */
+
+ while (strlen(word) > 0U) {
+ if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
+ return (LWRES_R_FAILURE); /* Too many values. */
+
+ p = strchr(word, '/');
+ if (p != NULL)
+ *p++ = '\0';
+
+ idx = confdata->sortlistnxt;
+ res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
+ if (res != LWRES_R_SUCCESS)
+ return (res);
+
+ if (p != NULL) {
+ res = lwres_create_addr(p,
+ &confdata->sortlist[idx].mask,
+ 0);
+ if (res != LWRES_R_SUCCESS)
+ return (res);
+ } else {
+ /*
+ * Make up a mask.
+ */
+ confdata->sortlist[idx].mask =
+ confdata->sortlist[idx].addr;
+
+ memset(&confdata->sortlist[idx].mask.address, 0xff,
+ confdata->sortlist[idx].addr.length);
+ }
+
+ confdata->sortlistnxt++;
+
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (LWRES_R_SUCCESS);
+}
+
+static lwres_result_t
+lwres_conf_parseoption(lwres_context_t *ctx, FILE *fp) {
+ int delim;
+ long ndots;
+ char *p;
+ char word[LWRES_CONFMAXLINELEN];
+ lwres_conf_t *confdata;
+
+ REQUIRE(ctx != NULL);
+ confdata = &ctx->confdata;
+
+ delim = getword(fp, word, sizeof(word));
+ if (strlen(word) == 0U)
+ return (LWRES_R_FAILURE); /* Empty line after keyword. */
+
+ while (strlen(word) > 0U) {
+ if (strcmp("debug", word) == 0) {
+ confdata->resdebug = 1;
+ } else if (strcmp("no_tld_query", word) == 0) {
+ confdata->no_tld_query = 1;
+ } else if (strncmp("ndots:", word, 6) == 0) {
+ ndots = strtol(word + 6, &p, 10);
+ if (*p != '\0') /* Bad string. */
+ return (LWRES_R_FAILURE);
+ if (ndots < 0 || ndots > 0xff) /* Out of range. */
+ return (LWRES_R_FAILURE);
+ confdata->ndots = (lwres_uint8_t)ndots;
+ }
+
+ if (delim == EOF || delim == '\n')
+ break;
+ else
+ delim = getword(fp, word, sizeof(word));
+ }
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename) {
+ FILE *fp = NULL;
+ char word[256];
+ lwres_result_t rval, ret;
+ lwres_conf_t *confdata;
+ int stopchar;
+
+ REQUIRE(ctx != NULL);
+ confdata = &ctx->confdata;
+
+ REQUIRE(filename != NULL);
+ REQUIRE(strlen(filename) > 0U);
+ REQUIRE(confdata != NULL);
+
+ errno = 0;
+ if ((fp = fopen(filename, "r")) == NULL)
+ return (LWRES_R_FAILURE);
+
+ ret = LWRES_R_SUCCESS;
+ do {
+ stopchar = getword(fp, word, sizeof(word));
+ if (stopchar == EOF) {
+ rval = LWRES_R_SUCCESS;
+ break;
+ }
+
+ if (strlen(word) == 0U)
+ rval = LWRES_R_SUCCESS;
+ else if (strcmp(word, "nameserver") == 0)
+ rval = lwres_conf_parsenameserver(ctx, fp);
+ else if (strcmp(word, "lwserver") == 0)
+ rval = lwres_conf_parselwserver(ctx, fp);
+ else if (strcmp(word, "domain") == 0)
+ rval = lwres_conf_parsedomain(ctx, fp);
+ else if (strcmp(word, "search") == 0)
+ rval = lwres_conf_parsesearch(ctx, fp);
+ else if (strcmp(word, "sortlist") == 0)
+ rval = lwres_conf_parsesortlist(ctx, fp);
+ else if (strcmp(word, "options") == 0)
+ rval = lwres_conf_parseoption(ctx, fp);
+ else {
+ /* unrecognised word. Ignore entire line */
+ rval = LWRES_R_SUCCESS;
+ stopchar = eatline(fp);
+ if (stopchar == EOF) {
+ break;
+ }
+ }
+ if (ret == LWRES_R_SUCCESS && rval != LWRES_R_SUCCESS)
+ ret = rval;
+ } while (1);
+
+ fclose(fp);
+
+ return (ret);
+}
+
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp) {
+ int i;
+ int af;
+ char tmp[sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255")];
+ const char *p;
+ lwres_conf_t *confdata;
+ lwres_addr_t tmpaddr;
+
+ REQUIRE(ctx != NULL);
+ confdata = &ctx->confdata;
+
+ REQUIRE(confdata->nsnext <= LWRES_CONFMAXNAMESERVERS);
+
+ for (i = 0; i < confdata->nsnext; i++) {
+ af = lwresaddr2af(confdata->nameservers[i].family);
+
+ p = lwres_net_ntop(af, confdata->nameservers[i].address,
+ tmp, sizeof(tmp));
+ if (p != tmp)
+ return (LWRES_R_FAILURE);
+
+ fprintf(fp, "nameserver %s\n", tmp);
+ }
+
+ for (i = 0; i < confdata->lwnext; i++) {
+ af = lwresaddr2af(confdata->lwservers[i].family);
+
+ p = lwres_net_ntop(af, confdata->lwservers[i].address,
+ tmp, sizeof(tmp));
+ if (p != tmp)
+ return (LWRES_R_FAILURE);
+
+ fprintf(fp, "lwserver %s\n", tmp);
+ }
+
+ if (confdata->domainname != NULL) {
+ fprintf(fp, "domain %s\n", confdata->domainname);
+ } else if (confdata->searchnxt > 0) {
+ REQUIRE(confdata->searchnxt <= LWRES_CONFMAXSEARCH);
+
+ fprintf(fp, "search");
+ for (i = 0; i < confdata->searchnxt; i++)
+ fprintf(fp, " %s", confdata->search[i]);
+ fputc('\n', fp);
+ }
+
+ REQUIRE(confdata->sortlistnxt <= LWRES_CONFMAXSORTLIST);
+
+ if (confdata->sortlistnxt > 0) {
+ fputs("sortlist", fp);
+ for (i = 0; i < confdata->sortlistnxt; i++) {
+ af = lwresaddr2af(confdata->sortlist[i].addr.family);
+
+ p = lwres_net_ntop(af,
+ confdata->sortlist[i].addr.address,
+ tmp, sizeof(tmp));
+ if (p != tmp)
+ return (LWRES_R_FAILURE);
+
+ fprintf(fp, " %s", tmp);
+
+ tmpaddr = confdata->sortlist[i].mask;
+ memset(&tmpaddr.address, 0xff, tmpaddr.length);
+
+ if (memcmp(&tmpaddr.address,
+ confdata->sortlist[i].mask.address,
+ confdata->sortlist[i].mask.length) != 0) {
+ af = lwresaddr2af(
+ confdata->sortlist[i].mask.family);
+ p = lwres_net_ntop
+ (af,
+ confdata->sortlist[i].mask.address,
+ tmp, sizeof(tmp));
+ if (p != tmp)
+ return (LWRES_R_FAILURE);
+
+ fprintf(fp, "/%s", tmp);
+ }
+ }
+ fputc('\n', fp);
+ }
+
+ if (confdata->resdebug)
+ fprintf(fp, "options debug\n");
+
+ if (confdata->ndots > 0)
+ fprintf(fp, "options ndots:%d\n", confdata->ndots);
+
+ if (confdata->no_tld_query)
+ fprintf(fp, "options no_tld_query\n");
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx) {
+ REQUIRE(ctx != NULL);
+
+ return (&ctx->confdata);
+}
diff --git a/contrib/bind9/lib/lwres/lwpacket.c b/contrib/bind9/lib/lwres/lwpacket.c
new file mode 100644
index 0000000..6e28df0
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwpacket.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwpacket.c,v 1.13.206.1 2004/03/06 08:15:32 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/result.h>
+
+#include "assert_p.h"
+
+#define LWPACKET_LENGTH \
+ (sizeof(lwres_uint16_t) * 4 + sizeof(lwres_uint32_t) * 5)
+
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
+ REQUIRE(b != NULL);
+ REQUIRE(pkt != NULL);
+
+ if (!SPACE_OK(b, LWPACKET_LENGTH))
+ return (LWRES_R_UNEXPECTEDEND);
+
+ lwres_buffer_putuint32(b, pkt->length);
+ lwres_buffer_putuint16(b, pkt->version);
+ lwres_buffer_putuint16(b, pkt->pktflags);
+ lwres_buffer_putuint32(b, pkt->serial);
+ lwres_buffer_putuint32(b, pkt->opcode);
+ lwres_buffer_putuint32(b, pkt->result);
+ lwres_buffer_putuint32(b, pkt->recvlength);
+ lwres_buffer_putuint16(b, pkt->authtype);
+ lwres_buffer_putuint16(b, pkt->authlength);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt) {
+ lwres_uint32_t space;
+
+ REQUIRE(b != NULL);
+ REQUIRE(pkt != NULL);
+
+ space = LWRES_BUFFER_REMAINING(b);
+ if (space < LWPACKET_LENGTH)
+ return (LWRES_R_UNEXPECTEDEND);
+
+ pkt->length = lwres_buffer_getuint32(b);
+ /*
+ * XXXBEW/MLG Checking that the buffer is long enough probably
+ * shouldn't be done here, since this function is supposed to just
+ * parse the header.
+ */
+ if (pkt->length > space)
+ return (LWRES_R_UNEXPECTEDEND);
+ pkt->version = lwres_buffer_getuint16(b);
+ pkt->pktflags = lwres_buffer_getuint16(b);
+ pkt->serial = lwres_buffer_getuint32(b);
+ pkt->opcode = lwres_buffer_getuint32(b);
+ pkt->result = lwres_buffer_getuint32(b);
+ pkt->recvlength = lwres_buffer_getuint32(b);
+ pkt->authtype = lwres_buffer_getuint16(b);
+ pkt->authlength = lwres_buffer_getuint16(b);
+
+ return (LWRES_R_SUCCESS);
+}
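Review bot: In `lwres_lwpacket_parseheader` the wire-supplied `pkt->length` is only checked against an upper bound (`pkt->length > space`), so a header declaring a total length smaller than the fixed header itself is accepted with LWRES_R_SUCCESS. Whether any caller uses `pkt->length` to size or slice the payload is not visible in this hunk, but rejecting the inconsistent value where it is parsed is cheap: `if (pkt->length < LWPACKET_LENGTH || pkt->length > space) return (LWRES_R_UNEXPECTEDEND);`. `authlength` is likewise stored without being compared to the remaining buffer, so a comment naming the layer expected to validate it would help the next reader.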
diff --git a/contrib/bind9/lib/lwres/lwres_gabn.c b/contrib/bind9/lib/lwres/lwres_gabn.c
new file mode 100644
index 0000000..9df87ce
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwres_gabn.c
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwres_gabn.c,v 1.27.12.3 2004/03/08 09:05:10 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+ lwres_uint16_t datalen;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(req->name != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ datalen = strlen(req->name);
+
+ payload_length = 4 + 4 + 2 + req->namelen + 1;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
+ pkt->result = 0;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+
+ /*
+ * Flags.
+ */
+ lwres_buffer_putuint32(b, req->flags);
+
+ /*
+ * Address types we'll accept.
+ */
+ lwres_buffer_putuint32(b, req->addrtypes);
+
+ /*
+ * Put the length and the data. We know this will fit because we
+ * just checked for it.
+ */
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
+ lwres_buffer_putuint8(b, 0); /* trailing NUL */
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+ lwres_uint16_t datalen;
+ lwres_addr_t *addr;
+ int x;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ /* naliases, naddrs */
+ payload_length = 4 + 2 + 2;
+ /* real name encoding */
+ payload_length += 2 + req->realnamelen + 1;
+ /* each alias */
+ for (x = 0; x < req->naliases; x++)
+ payload_length += 2 + req->aliaslen[x] + 1;
+ /* each address */
+ x = 0;
+ addr = LWRES_LIST_HEAD(req->addrs);
+ while (addr != NULL) {
+ payload_length += 4 + 2;
+ payload_length += addr->length;
+ addr = LWRES_LIST_NEXT(addr, link);
+ x++;
+ }
+ INSIST(x == req->naddrs);
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETADDRSBYNAME;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ /*
+ * Check space needed here.
+ */
+ INSIST(SPACE_OK(b, payload_length));
+
+ /* Flags. */
+ lwres_buffer_putuint32(b, req->flags);
+
+ /* encode naliases and naddrs */
+ lwres_buffer_putuint16(b, req->naliases);
+ lwres_buffer_putuint16(b, req->naddrs);
+
+ /* encode the real name */
+ datalen = req->realnamelen;
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+ lwres_buffer_putuint8(b, 0);
+
+ /* encode the aliases */
+ for (x = 0; x < req->naliases; x++) {
+ datalen = req->aliaslen[x];
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+ datalen);
+ lwres_buffer_putuint8(b, 0);
+ }
+
+ /* encode the addresses */
+ addr = LWRES_LIST_HEAD(req->addrs);
+ while (addr != NULL) {
+ lwres_buffer_putuint32(b, addr->family);
+ lwres_buffer_putuint16(b, addr->length);
+ lwres_buffer_putmem(b, addr->address, addr->length);
+ addr = LWRES_LIST_NEXT(addr, link);
+ }
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+ INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp)
+{
+ int ret;
+ char *name;
+ lwres_gabnrequest_t *gabn;
+ lwres_uint32_t addrtypes;
+ lwres_uint32_t flags;
+ lwres_uint16_t namelen;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+ return (LWRES_R_FAILURE);
+
+ if (!SPACE_REMAINING(b, 4 + 4))
+ return (LWRES_R_UNEXPECTEDEND);
+
+ flags = lwres_buffer_getuint32(b);
+ addrtypes = lwres_buffer_getuint32(b);
+
+ /*
+ * Pull off the name itself
+ */
+ ret = lwres_string_parse(b, &name, &namelen);
+ if (ret != LWRES_R_SUCCESS)
+ return (ret);
+
+ if (LWRES_BUFFER_REMAINING(b) != 0)
+ return (LWRES_R_TRAILINGDATA);
+
+ gabn = CTXMALLOC(sizeof(lwres_gabnrequest_t));
+ if (gabn == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ gabn->flags = flags;
+ gabn->addrtypes = addrtypes;
+ gabn->name = name;
+ gabn->namelen = namelen;
+
+ *structp = gabn;
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp)
+{
+ lwres_result_t ret;
+ unsigned int x;
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ lwres_gabnresponse_t *gabn;
+ lwres_addrlist_t addrlist;
+ lwres_addr_t *addr;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ gabn = NULL;
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+ return (LWRES_R_FAILURE);
+
+ /*
+ * Pull off the name itself
+ */
+ if (!SPACE_REMAINING(b, 4 + 2 + 2))
+ return (LWRES_R_UNEXPECTEDEND);
+ flags = lwres_buffer_getuint32(b);
+ naliases = lwres_buffer_getuint16(b);
+ naddrs = lwres_buffer_getuint16(b);
+
+ gabn = CTXMALLOC(sizeof(lwres_gabnresponse_t));
+ if (gabn == NULL)
+ return (LWRES_R_NOMEMORY);
+ gabn->aliases = NULL;
+ gabn->aliaslen = NULL;
+ LWRES_LIST_INIT(gabn->addrs);
+ gabn->base = NULL;
+
+ gabn->flags = flags;
+ gabn->naliases = naliases;
+ gabn->naddrs = naddrs;
+
+ LWRES_LIST_INIT(addrlist);
+
+ if (naliases > 0) {
+ gabn->aliases = CTXMALLOC(sizeof(char *) * naliases);
+ if (gabn->aliases == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ gabn->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
+ if (gabn->aliaslen == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+ }
+
+ for (x = 0; x < naddrs; x++) {
+ addr = CTXMALLOC(sizeof(lwres_addr_t));
+ if (addr == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+ LWRES_LINK_INIT(addr, link);
+ LWRES_LIST_APPEND(addrlist, addr, link);
+ }
+
+ /*
+ * Now, pull off the real name.
+ */
+ ret = lwres_string_parse(b, &gabn->realname, &gabn->realnamelen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Parse off the aliases.
+ */
+ for (x = 0; x < gabn->naliases; x++) {
+ ret = lwres_string_parse(b, &gabn->aliases[x],
+ &gabn->aliaslen[x]);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ }
+
+ /*
+ * Pull off the addresses. We already strung the linked list
+ * up above.
+ */
+ addr = LWRES_LIST_HEAD(addrlist);
+ for (x = 0; x < gabn->naddrs; x++) {
+ INSIST(addr != NULL);
+ ret = lwres_addr_parse(b, addr);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ addr = LWRES_LIST_NEXT(addr, link);
+ }
+
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ gabn->addrs = addrlist;
+
+ *structp = gabn;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (gabn != NULL) {
+ if (gabn->aliases != NULL)
+ CTXFREE(gabn->aliases, sizeof(char *) * naliases);
+ if (gabn->aliaslen != NULL)
+ CTXFREE(gabn->aliaslen,
+ sizeof(lwres_uint16_t) * naliases);
+ addr = LWRES_LIST_HEAD(addrlist);
+ while (addr != NULL) {
+ LWRES_LIST_UNLINK(addrlist, addr, link);
+ CTXFREE(addr, sizeof(lwres_addr_t));
+ addr = LWRES_LIST_HEAD(addrlist);
+ }
+ CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
+ }
+
+ return (ret);
+}
+
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp)
+{
+ lwres_gabnrequest_t *gabn;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ gabn = *structp;
+ *structp = NULL;
+
+ CTXFREE(gabn, sizeof(lwres_gabnrequest_t));
+}
+
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp)
+{
+ lwres_gabnresponse_t *gabn;
+ lwres_addr_t *addr;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ gabn = *structp;
+ *structp = NULL;
+
+ if (gabn->naliases > 0) {
+ CTXFREE(gabn->aliases, sizeof(char *) * gabn->naliases);
+ CTXFREE(gabn->aliaslen,
+ sizeof(lwres_uint16_t) * gabn->naliases);
+ }
+ addr = LWRES_LIST_HEAD(gabn->addrs);
+ while (addr != NULL) {
+ LWRES_LIST_UNLINK(gabn->addrs, addr, link);
+ CTXFREE(addr, sizeof(lwres_addr_t));
+ addr = LWRES_LIST_HEAD(gabn->addrs);
+ }
+ if (gabn->base != NULL)
+ CTXFREE(gabn->base, gabn->baselen);
+ CTXFREE(gabn, sizeof(lwres_gabnresponse_t));
+}
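Review bot: `lwres_gabnrequest_render` sizes the buffer from `req->namelen` but writes `strlen(req->name)` bytes (`datalen = strlen(req->name);` followed by `payload_length = 4 + 4 + 2 + req->namelen + 1;`), and the two lengths are never checked against each other. If a caller passes a `namelen` that disagrees with the string, the writes no longer match the allocation. The function then depends on the buffer helpers and the final `INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0)` to catch it, which presumably aborts the process rather than returning an error. `datalen` is also a `lwres_uint16_t`, so a longer string is silently truncated. Using a single source for the length, `datalen = req->namelen;`, or adding `REQUIRE(req->namelen == strlen(req->name));` closes the gap; the same pair of lines opens `lwres_grbnrequest_render` in lwres_grbn.c.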
diff --git a/contrib/bind9/lib/lwres/lwres_gnba.c b/contrib/bind9/lib/lwres/lwres_gnba.c
new file mode 100644
index 0000000..a11c066
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwres_gnba.c
@@ -0,0 +1,328 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwres_gnba.c,v 1.20.2.2.8.4 2004/03/08 09:05:11 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *ctx, lwres_gnbarequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(req->addr.family != 0);
+ REQUIRE(req->addr.length != 0);
+ REQUIRE(req->addr.address != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ payload_length = 4 + 4 + 2 + + req->addr.length;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
+ pkt->result = 0;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+
+ /*
+ * Put the length and the data. We know this will fit because we
+ * just checked for it.
+ */
+ lwres_buffer_putuint32(b, req->flags);
+ lwres_buffer_putuint32(b, req->addr.family);
+ lwres_buffer_putuint16(b, req->addr.length);
+ lwres_buffer_putmem(b, (unsigned char *)req->addr.address,
+ req->addr.length);
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+ lwres_uint16_t datalen;
+ int x;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ /*
+ * Calculate packet size.
+ */
+ payload_length = 4; /* flags */
+ payload_length += 2; /* naliases */
+ payload_length += 2 + req->realnamelen + 1; /* real name encoding */
+ for (x = 0; x < req->naliases; x++) /* each alias */
+ payload_length += 2 + req->aliaslen[x] + 1;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETNAMEBYADDR;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+ lwres_buffer_putuint32(b, req->flags);
+
+ /* encode naliases */
+ lwres_buffer_putuint16(b, req->naliases);
+
+ /* encode the real name */
+ datalen = req->realnamelen;
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+ lwres_buffer_putuint8(b, 0);
+
+ /* encode the aliases */
+ for (x = 0; x < req->naliases; x++) {
+ datalen = req->aliaslen[x];
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->aliases[x],
+ datalen);
+ lwres_buffer_putuint8(b, 0);
+ }
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp)
+{
+ int ret;
+ lwres_gnbarequest_t *gnba;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+ return (LWRES_R_FAILURE);
+
+ if (!SPACE_REMAINING(b, 4))
+ return (LWRES_R_UNEXPECTEDEND);
+
+ gnba = CTXMALLOC(sizeof(lwres_gnbarequest_t));
+ if (gnba == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ gnba->flags = lwres_buffer_getuint32(b);
+
+ ret = lwres_addr_parse(b, &gnba->addr);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ *structp = gnba;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (gnba != NULL)
+ lwres_gnbarequest_free(ctx, &gnba);
+
+ return (ret);
+}
+
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp)
+{
+ int ret;
+ unsigned int x;
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_gnbaresponse_t *gnba;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ gnba = NULL;
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+ return (LWRES_R_FAILURE);
+
+ /*
+ * Pull off flags & naliases
+ */
+ if (!SPACE_REMAINING(b, 4 + 2))
+ return (LWRES_R_UNEXPECTEDEND);
+ flags = lwres_buffer_getuint32(b);
+ naliases = lwres_buffer_getuint16(b);
+
+ gnba = CTXMALLOC(sizeof(lwres_gnbaresponse_t));
+ if (gnba == NULL)
+ return (LWRES_R_NOMEMORY);
+ gnba->base = NULL;
+ gnba->aliases = NULL;
+ gnba->aliaslen = NULL;
+
+ gnba->flags = flags;
+ gnba->naliases = naliases;
+
+ if (naliases > 0) {
+ gnba->aliases = CTXMALLOC(sizeof(char *) * naliases);
+ if (gnba->aliases == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ gnba->aliaslen = CTXMALLOC(sizeof(lwres_uint16_t) * naliases);
+ if (gnba->aliaslen == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+ }
+
+ /*
+ * Now, pull off the real name.
+ */
+ ret = lwres_string_parse(b, &gnba->realname, &gnba->realnamelen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Parse off the aliases.
+ */
+ for (x = 0; x < gnba->naliases; x++) {
+ ret = lwres_string_parse(b, &gnba->aliases[x],
+ &gnba->aliaslen[x]);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ }
+
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ *structp = gnba;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (gnba != NULL) {
+ if (gnba->aliases != NULL)
+ CTXFREE(gnba->aliases, sizeof(char *) * naliases);
+ if (gnba->aliaslen != NULL)
+ CTXFREE(gnba->aliaslen,
+ sizeof(lwres_uint16_t) * naliases);
+ CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
+ }
+
+ return (ret);
+}
+
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp)
+{
+ lwres_gnbarequest_t *gnba;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ gnba = *structp;
+ *structp = NULL;
+
+ CTXFREE(gnba, sizeof(lwres_gnbarequest_t));
+}
+
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp)
+{
+ lwres_gnbaresponse_t *gnba;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ gnba = *structp;
+ *structp = NULL;
+
+ if (gnba->naliases > 0) {
+ CTXFREE(gnba->aliases, sizeof(char *) * gnba->naliases);
+ CTXFREE(gnba->aliaslen,
+ sizeof(lwres_uint16_t) * gnba->naliases);
+ }
+ if (gnba->base != NULL)
+ CTXFREE(gnba->base, gnba->baselen);
+ CTXFREE(gnba, sizeof(lwres_gnbaresponse_t));
+}
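Review bot: `lwres_gnbarequest_render` copies `req->addr.length` bytes out of `req->addr.address` with no upper bound on the length; the preconditions only require it to be non-zero. `address` appears to be a fixed buffer of `LWRES_ADDR_MAXLEN` bytes (lwconfig.c clears it with that size), in which case `REQUIRE(req->addr.address != NULL)` can never fail and a length above the maximum would make `lwres_buffer_putmem` read past the array into the outgoing packet. Adding `REQUIRE(req->addr.length <= LWRES_ADDR_MAXLEN);` next to the existing checks makes the bound explicit. The `+ +` in `payload_length = 4 + 4 + 2 + + req->addr.length;` is a harmless unary plus, but it reads like a dropped term and is worth tidying.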
diff --git a/contrib/bind9/lib/lwres/lwres_grbn.c b/contrib/bind9/lib/lwres/lwres_grbn.c
new file mode 100644
index 0000000..f8147fc
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwres_grbn.c
@@ -0,0 +1,416 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwres_grbn.c,v 1.4.12.3 2004/03/08 09:05:11 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+lwres_result_t
+lwres_grbnrequest_render(lwres_context_t *ctx, lwres_grbnrequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+ lwres_uint16_t datalen;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(req->name != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ datalen = strlen(req->name);
+
+ payload_length = 4 + 2 + 2 + 2 + req->namelen + 1;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
+ pkt->result = 0;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+
+ /*
+ * Flags.
+ */
+ lwres_buffer_putuint32(b, req->flags);
+
+ /*
+ * Class.
+ */
+ lwres_buffer_putuint16(b, req->rdclass);
+
+ /*
+ * Type.
+ */
+ lwres_buffer_putuint16(b, req->rdtype);
+
+ /*
+ * Put the length and the data. We know this will fit because we
+ * just checked for it.
+ */
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->name, datalen);
+ lwres_buffer_putuint8(b, 0); /* trailing NUL */
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_grbnresponse_render(lwres_context_t *ctx, lwres_grbnresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+ lwres_uint16_t datalen;
+ int x;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ /* flags, class, type, ttl, nrdatas, nsigs */
+ payload_length = 4 + 2 + 2 + 4 + 2 + 2;
+ /* real name encoding */
+ payload_length += 2 + req->realnamelen + 1;
+ /* each rr */
+ for (x = 0; x < req->nrdatas; x++)
+ payload_length += 2 + req->rdatalen[x];
+ for (x = 0; x < req->nsigs; x++)
+ payload_length += 2 + req->siglen[x];
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_GETRDATABYNAME;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ /*
+ * Check space needed here.
+ */
+ INSIST(SPACE_OK(b, payload_length));
+
+ /* Flags. */
+ lwres_buffer_putuint32(b, req->flags);
+
+ /* encode class, type, ttl, and nrdatas */
+ lwres_buffer_putuint16(b, req->rdclass);
+ lwres_buffer_putuint16(b, req->rdtype);
+ lwres_buffer_putuint32(b, req->ttl);
+ lwres_buffer_putuint16(b, req->nrdatas);
+ lwres_buffer_putuint16(b, req->nsigs);
+
+ /* encode the real name */
+ datalen = req->realnamelen;
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, (unsigned char *)req->realname, datalen);
+ lwres_buffer_putuint8(b, 0);
+
+ /* encode the rdatas */
+ for (x = 0; x < req->nrdatas; x++) {
+ datalen = req->rdatalen[x];
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, req->rdatas[x], datalen);
+ }
+
+ /* encode the signatures */
+ for (x = 0; x < req->nsigs; x++) {
+ datalen = req->siglen[x];
+ lwres_buffer_putuint16(b, datalen);
+ lwres_buffer_putmem(b, req->sigs[x], datalen);
+ }
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+ INSIST(LWRES_BUFFER_USEDCOUNT(b) == pkt->length);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_grbnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_grbnrequest_t **structp)
+{
+ int ret;
+ char *name;
+ lwres_grbnrequest_t *grbn;
+ lwres_uint32_t flags;
+ lwres_uint16_t rdclass, rdtype;
+ lwres_uint16_t namelen;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+ return (LWRES_R_FAILURE);
+
+ if (!SPACE_REMAINING(b, 4 + 2 + 2))
+ return (LWRES_R_UNEXPECTEDEND);
+
+ /*
+ * Pull off the flags, class, and type.
+ */
+ flags = lwres_buffer_getuint32(b);
+ rdclass = lwres_buffer_getuint16(b);
+ rdtype = lwres_buffer_getuint16(b);
+
+ /*
+ * Pull off the name itself
+ */
+ ret = lwres_string_parse(b, &name, &namelen);
+ if (ret != LWRES_R_SUCCESS)
+ return (ret);
+
+ if (LWRES_BUFFER_REMAINING(b) != 0)
+ return (LWRES_R_TRAILINGDATA);
+
+ grbn = CTXMALLOC(sizeof(lwres_grbnrequest_t));
+ if (grbn == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ grbn->flags = flags;
+ grbn->rdclass = rdclass;
+ grbn->rdtype = rdtype;
+ grbn->name = name;
+ grbn->namelen = namelen;
+
+ *structp = grbn;
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_grbnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_grbnresponse_t **structp)
+{
+ lwres_result_t ret;
+ unsigned int x;
+ lwres_uint32_t flags;
+ lwres_uint16_t rdclass, rdtype;
+ lwres_uint32_t ttl;
+ lwres_uint16_t nrdatas, nsigs;
+ lwres_grbnresponse_t *grbn;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ grbn = NULL;
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+ return (LWRES_R_FAILURE);
+
+ /*
+ * Pull off the flags, class, type, ttl, nrdatas, and nsigs
+ */
+ if (!SPACE_REMAINING(b, 4 + 2 + 2 + 4 + 2 + 2))
+ return (LWRES_R_UNEXPECTEDEND);
+ flags = lwres_buffer_getuint32(b);
+ rdclass = lwres_buffer_getuint16(b);
+ rdtype = lwres_buffer_getuint16(b);
+ ttl = lwres_buffer_getuint32(b);
+ nrdatas = lwres_buffer_getuint16(b);
+ nsigs = lwres_buffer_getuint16(b);
+
+ /*
+ * Pull off the name itself
+ */
+
+ grbn = CTXMALLOC(sizeof(lwres_grbnresponse_t));
+ if (grbn == NULL)
+ return (LWRES_R_NOMEMORY);
+ grbn->rdatas = NULL;
+ grbn->rdatalen = NULL;
+ grbn->sigs = NULL;
+ grbn->siglen = NULL;
+ grbn->base = NULL;
+
+ grbn->flags = flags;
+ grbn->rdclass = rdclass;
+ grbn->rdtype = rdtype;
+ grbn->ttl = ttl;
+ grbn->nrdatas = nrdatas;
+ grbn->nsigs = nsigs;
+
+ if (nrdatas > 0) {
+ grbn->rdatas = CTXMALLOC(sizeof(char *) * nrdatas);
+ if (grbn->rdatas == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ grbn->rdatalen = CTXMALLOC(sizeof(lwres_uint16_t) * nrdatas);
+ if (grbn->rdatalen == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+ }
+
+ if (nsigs > 0) {
+ grbn->sigs = CTXMALLOC(sizeof(char *) * nsigs);
+ if (grbn->sigs == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ grbn->siglen = CTXMALLOC(sizeof(lwres_uint16_t) * nsigs);
+ if (grbn->siglen == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+ }
+
+ /*
+ * Now, pull off the real name.
+ */
+ ret = lwres_string_parse(b, &grbn->realname, &grbn->realnamelen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Parse off the rdatas.
+ */
+ for (x = 0; x < grbn->nrdatas; x++) {
+ ret = lwres_data_parse(b, &grbn->rdatas[x],
+ &grbn->rdatalen[x]);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ }
+
+ /*
+ * Parse off the signatures.
+ */
+ for (x = 0; x < grbn->nsigs; x++) {
+ ret = lwres_data_parse(b, &grbn->sigs[x], &grbn->siglen[x]);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ }
+
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ *structp = grbn;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (grbn != NULL) {
+ if (grbn->rdatas != NULL)
+ CTXFREE(grbn->rdatas, sizeof(char *) * nrdatas);
+ if (grbn->rdatalen != NULL)
+ CTXFREE(grbn->rdatalen,
+ sizeof(lwres_uint16_t) * nrdatas);
+ if (grbn->sigs != NULL)
+ CTXFREE(grbn->sigs, sizeof(char *) * nsigs);
+ if (grbn->siglen != NULL)
+ CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * nsigs);
+ CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
+ }
+
+ return (ret);
+}
+
+void
+lwres_grbnrequest_free(lwres_context_t *ctx, lwres_grbnrequest_t **structp)
+{
+ lwres_grbnrequest_t *grbn;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ grbn = *structp;
+ *structp = NULL;
+
+ CTXFREE(grbn, sizeof(lwres_grbnrequest_t));
+}
+
+void
+lwres_grbnresponse_free(lwres_context_t *ctx, lwres_grbnresponse_t **structp)
+{
+ lwres_grbnresponse_t *grbn;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ grbn = *structp;
+ *structp = NULL;
+
+ if (grbn->nrdatas > 0) {
+ CTXFREE(grbn->rdatas, sizeof(char *) * grbn->nrdatas);
+ CTXFREE(grbn->rdatalen,
+ sizeof(lwres_uint16_t) * grbn->nrdatas);
+ }
+ if (grbn->nsigs > 0) {
+ CTXFREE(grbn->sigs, sizeof(char *) * grbn->nsigs);
+ CTXFREE(grbn->siglen, sizeof(lwres_uint16_t) * grbn->nsigs);
+ }
+ if (grbn->base != NULL)
+ CTXFREE(grbn->base, grbn->baselen);
+ CTXFREE(grbn, sizeof(lwres_grbnresponse_t));
+}
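Review bot: In lwres_grbnrequest_render the buffer is sized from `req->namelen` (`payload_length = 4 + 2 + 2 + 2 + req->namelen + 1`), but the bytes written are counted by `datalen = strlen(req->name)`, so the two agree only if the caller kept them in sync. If the string is longer than `namelen`, the copy asks for more room than was reserved, and what happens then depends on checks inside lwres_buffer_putmem that are not visible here. If it is shorter, the final `INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0)` aborts the process. The strlen result is also narrowed to `lwres_uint16_t`, so a name of 65536 bytes or more would wrap. Taking the length from one place, `datalen = req->namelen;`, or adding `REQUIRE(req->namelen == strlen(req->name));` next to the other preconditions, would make the size calculation and the copy agree.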
diff --git a/contrib/bind9/lib/lwres/lwres_noop.c b/contrib/bind9/lib/lwres/lwres_noop.c
new file mode 100644
index 0000000..f67c2b3
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwres_noop.c
@@ -0,0 +1,255 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwres_noop.c,v 1.14.206.1 2004/03/06 08:15:33 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwpacket.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "context_p.h"
+#include "assert_p.h"
+
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ payload_length = sizeof(lwres_uint16_t) + req->datalength;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags &= ~LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_NOOP;
+ pkt->result = 0;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+
+ /*
+ * Put the length and the data. We know this will fit because we
+ * just checked for it.
+ */
+ lwres_buffer_putuint16(b, req->datalength);
+ lwres_buffer_putmem(b, req->data, req->datalength);
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req,
+ lwres_lwpacket_t *pkt, lwres_buffer_t *b)
+{
+ unsigned char *buf;
+ size_t buflen;
+ int ret;
+ size_t payload_length;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(req != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(b != NULL);
+
+ payload_length = sizeof(lwres_uint16_t) + req->datalength;
+
+ buflen = LWRES_LWPACKET_LENGTH + payload_length;
+ buf = CTXMALLOC(buflen);
+ if (buf == NULL)
+ return (LWRES_R_NOMEMORY);
+ lwres_buffer_init(b, buf, buflen);
+
+ pkt->length = buflen;
+ pkt->version = LWRES_LWPACKETVERSION_0;
+ pkt->pktflags |= LWRES_LWPACKETFLAG_RESPONSE;
+ pkt->opcode = LWRES_OPCODE_NOOP;
+ pkt->authtype = 0;
+ pkt->authlength = 0;
+
+ ret = lwres_lwpacket_renderheader(b, pkt);
+ if (ret != LWRES_R_SUCCESS) {
+ lwres_buffer_invalidate(b);
+ CTXFREE(buf, buflen);
+ return (ret);
+ }
+
+ INSIST(SPACE_OK(b, payload_length));
+
+ /*
+ * Put the length and the data. We know this will fit because we
+ * just checked for it.
+ */
+ lwres_buffer_putuint16(b, req->datalength);
+ lwres_buffer_putmem(b, req->data, req->datalength);
+
+ INSIST(LWRES_BUFFER_AVAILABLECOUNT(b) == 0);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp)
+{
+ int ret;
+ lwres_nooprequest_t *req;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) != 0)
+ return (LWRES_R_FAILURE);
+
+ req = CTXMALLOC(sizeof(lwres_nooprequest_t));
+ if (req == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
+ ret = LWRES_R_UNEXPECTEDEND;
+ goto out;
+ }
+ req->datalength = lwres_buffer_getuint16(b);
+
+ if (!SPACE_REMAINING(b, req->datalength)) {
+ ret = LWRES_R_UNEXPECTEDEND;
+ goto out;
+ }
+ req->data = b->base + b->current;
+ lwres_buffer_forward(b, req->datalength);
+
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ /* success! */
+ *structp = req;
+ return (LWRES_R_SUCCESS);
+
+ /* Error return */
+ out:
+ CTXFREE(req, sizeof(lwres_nooprequest_t));
+ return (ret);
+}
+
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b,
+ lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp)
+{
+ int ret;
+ lwres_noopresponse_t *req;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(b != NULL);
+ REQUIRE(pkt != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ if ((pkt->pktflags & LWRES_LWPACKETFLAG_RESPONSE) == 0)
+ return (LWRES_R_FAILURE);
+
+ req = CTXMALLOC(sizeof(lwres_noopresponse_t));
+ if (req == NULL)
+ return (LWRES_R_NOMEMORY);
+
+ if (!SPACE_REMAINING(b, sizeof(lwres_uint16_t))) {
+ ret = LWRES_R_UNEXPECTEDEND;
+ goto out;
+ }
+ req->datalength = lwres_buffer_getuint16(b);
+
+ if (!SPACE_REMAINING(b, req->datalength)) {
+ ret = LWRES_R_UNEXPECTEDEND;
+ goto out;
+ }
+ req->data = b->base + b->current;
+
+ lwres_buffer_forward(b, req->datalength);
+ if (LWRES_BUFFER_REMAINING(b) != 0) {
+ ret = LWRES_R_TRAILINGDATA;
+ goto out;
+ }
+
+ /* success! */
+ *structp = req;
+ return (LWRES_R_SUCCESS);
+
+ /* Error return */
+ out:
+ CTXFREE(req, sizeof(lwres_noopresponse_t));
+ return (ret);
+}
+
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp)
+{
+ lwres_noopresponse_t *noop;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ noop = *structp;
+ *structp = NULL;
+
+ CTXFREE(noop, sizeof(lwres_noopresponse_t));
+}
+
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp)
+{
+ lwres_nooprequest_t *noop;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(structp != NULL && *structp != NULL);
+
+ noop = *structp;
+ *structp = NULL;
+
+ CTXFREE(noop, sizeof(lwres_nooprequest_t));
+}
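Review bot: lwres_nooprequest_parse and lwres_noopresponse_parse set `req->data = b->base + b->current`, so the returned structure borrows the caller's receive buffer instead of owning a copy, and nothing in the file says so. A caller that frees or reuses that buffer before calling lwres_nooprequest_free or lwres_noopresponse_free is left holding a dangling `data` pointer. I would add a comment above each parse function, for example `/* On success (*structp)->data points into b's storage; keep that storage valid and unmodified until the structure is freed. */`. The two free functions release only the structure itself, which matches this ownership model and is worth stating there as well.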
diff --git a/contrib/bind9/lib/lwres/lwresutil.c b/contrib/bind9/lib/lwres/lwresutil.c
new file mode 100644
index 0000000..1035f17
--- /dev/null
+++ b/contrib/bind9/lib/lwres/lwresutil.c
@@ -0,0 +1,491 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: lwresutil.c,v 1.29.206.1 2004/03/06 08:15:33 marka Exp $ */
+
+#include <config.h>
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <lwres/lwbuffer.h>
+#include <lwres/lwres.h>
+#include <lwres/result.h>
+
+#include "assert_p.h"
+#include "context_p.h"
+
+/*
+ * Requires:
+ *
+ * The "current" pointer in "b" points to encoded raw data.
+ *
+ * Ensures:
+ *
+ * The address of the first byte of the data is returned via "p",
+ * and the length is returned via "len". If NULL, they are not
+ * set.
+ *
+ * On return, the current pointer of "b" will point to the character
+ * following the data length and the data.
+ *
+ */
+lwres_result_t
+lwres_data_parse(lwres_buffer_t *b, unsigned char **p, lwres_uint16_t *len)
+{
+ lwres_uint16_t datalen;
+ unsigned char *data;
+
+ REQUIRE(b != NULL);
+
+ /*
+ * Pull off the length (2 bytes)
+ */
+ if (!SPACE_REMAINING(b, 2))
+ return (LWRES_R_UNEXPECTEDEND);
+ datalen = lwres_buffer_getuint16(b);
+
+ /*
+ * Set the pointer to this string to the right place, then
+ * advance the buffer pointer.
+ */
+ if (!SPACE_REMAINING(b, datalen))
+ return (LWRES_R_UNEXPECTEDEND);
+ data = b->base + b->current;
+ lwres_buffer_forward(b, datalen);
+
+ if (len != NULL)
+ *len = datalen;
+ if (p != NULL)
+ *p = data;
+
+ return (LWRES_R_SUCCESS);
+}
+
+/*
+ * Requires:
+ *
+ * The "current" pointer in "b" point to an encoded string.
+ *
+ * Ensures:
+ *
+ * The address of the first byte of the string is returned via "c",
+ * and the length is returned via "len". If NULL, they are not
+ * set.
+ *
+ * On return, the current pointer of "b" will point to the character
+ * following the string length, the string, and the trailing NULL.
+ *
+ */
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len)
+{
+ lwres_uint16_t datalen;
+ char *string;
+
+ REQUIRE(b != NULL);
+
+ /*
+ * Pull off the length (2 bytes)
+ */
+ if (!SPACE_REMAINING(b, 2))
+ return (LWRES_R_UNEXPECTEDEND);
+ datalen = lwres_buffer_getuint16(b);
+
+ /*
+ * Set the pointer to this string to the right place, then
+ * advance the buffer pointer.
+ */
+ if (!SPACE_REMAINING(b, datalen))
+ return (LWRES_R_UNEXPECTEDEND);
+ string = (char *)b->base + b->current;
+ lwres_buffer_forward(b, datalen);
+
+ /*
+ * Skip the "must be zero" byte.
+ */
+ if (!SPACE_REMAINING(b, 1))
+ return (LWRES_R_UNEXPECTEDEND);
+ if (0 != lwres_buffer_getuint8(b))
+ return (LWRES_R_FAILURE);
+
+ if (len != NULL)
+ *len = datalen;
+ if (c != NULL)
+ *c = string;
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr)
+{
+ REQUIRE(addr != NULL);
+
+ if (!SPACE_REMAINING(b, 6))
+ return (LWRES_R_UNEXPECTEDEND);
+
+ addr->family = lwres_buffer_getuint32(b);
+ addr->length = lwres_buffer_getuint16(b);
+
+ if (!SPACE_REMAINING(b, addr->length))
+ return (LWRES_R_UNEXPECTEDEND);
+ if (addr->length > LWRES_ADDR_MAXLEN)
+ return (LWRES_R_FAILURE);
+
+ lwres_buffer_getmem(b, addr->address, addr->length);
+
+ return (LWRES_R_SUCCESS);
+}
+
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name,
+ lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp)
+{
+ lwres_gabnrequest_t request;
+ lwres_gabnresponse_t *response;
+ int ret;
+ int recvlen;
+ lwres_buffer_t b_in, b_out;
+ lwres_lwpacket_t pkt;
+ lwres_uint32_t serial;
+ char *buffer;
+ char target_name[1024];
+ unsigned int target_length;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(addrtypes != 0);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ b_in.base = NULL;
+ b_out.base = NULL;
+ response = NULL;
+ buffer = NULL;
+ serial = lwres_context_nextserial(ctx);
+
+ buffer = CTXMALLOC(LWRES_RECVLENGTH);
+ if (buffer == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ target_length = strlen(name);
+ if (target_length >= sizeof(target_name))
+ return (LWRES_R_FAILURE);
+ strcpy(target_name, name); /* strcpy is safe */
+
+ /*
+ * Set up our request and render it to a buffer.
+ */
+ request.flags = 0;
+ request.addrtypes = addrtypes;
+ request.name = target_name;
+ request.namelen = target_length;
+ pkt.pktflags = 0;
+ pkt.serial = serial;
+ pkt.result = 0;
+ pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+ ret = lwres_gabnrequest_render(ctx, &request, &pkt, &b_out);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+ LWRES_RECVLENGTH, &recvlen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ lwres_buffer_init(&b_in, buffer, recvlen);
+ b_in.used = recvlen;
+
+ /*
+ * Parse the packet header.
+ */
+ ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Sanity check.
+ */
+ if (pkt.serial != serial)
+ goto again;
+ if (pkt.opcode != LWRES_OPCODE_GETADDRSBYNAME)
+ goto again;
+
+ /*
+ * Free what we've transmitted
+ */
+ CTXFREE(b_out.base, b_out.length);
+ b_out.base = NULL;
+ b_out.length = 0;
+
+ if (pkt.result != LWRES_R_SUCCESS) {
+ ret = pkt.result;
+ goto out;
+ }
+
+ /*
+ * Parse the response.
+ */
+ ret = lwres_gabnresponse_parse(ctx, &b_in, &pkt, &response);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ response->base = buffer;
+ response->baselen = LWRES_RECVLENGTH;
+ buffer = NULL; /* don't free this below */
+
+ *structp = response;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (b_out.base != NULL)
+ CTXFREE(b_out.base, b_out.length);
+ if (buffer != NULL)
+ CTXFREE(buffer, LWRES_RECVLENGTH);
+ if (response != NULL)
+ lwres_gabnresponse_free(ctx, &response);
+
+ return (ret);
+}
+
+
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype,
+ lwres_uint16_t addrlen, const unsigned char *addr,
+ lwres_gnbaresponse_t **structp)
+{
+ lwres_gnbarequest_t request;
+ lwres_gnbaresponse_t *response;
+ int ret;
+ int recvlen;
+ lwres_buffer_t b_in, b_out;
+ lwres_lwpacket_t pkt;
+ lwres_uint32_t serial;
+ char *buffer;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(addrtype != 0);
+ REQUIRE(addrlen != 0);
+ REQUIRE(addr != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ b_in.base = NULL;
+ b_out.base = NULL;
+ response = NULL;
+ buffer = NULL;
+ serial = lwres_context_nextserial(ctx);
+
+ buffer = CTXMALLOC(LWRES_RECVLENGTH);
+ if (buffer == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ /*
+ * Set up our request and render it to a buffer.
+ */
+ request.flags = 0;
+ request.addr.family = addrtype;
+ request.addr.length = addrlen;
+ memcpy(request.addr.address, addr, addrlen);
+ pkt.pktflags = 0;
+ pkt.serial = serial;
+ pkt.result = 0;
+ pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+ ret = lwres_gnbarequest_render(ctx, &request, &pkt, &b_out);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+ LWRES_RECVLENGTH, &recvlen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ lwres_buffer_init(&b_in, buffer, recvlen);
+ b_in.used = recvlen;
+
+ /*
+ * Parse the packet header.
+ */
+ ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Sanity check.
+ */
+ if (pkt.serial != serial)
+ goto again;
+ if (pkt.opcode != LWRES_OPCODE_GETNAMEBYADDR)
+ goto again;
+
+ /*
+ * Free what we've transmitted
+ */
+ CTXFREE(b_out.base, b_out.length);
+ b_out.base = NULL;
+ b_out.length = 0;
+
+ if (pkt.result != LWRES_R_SUCCESS) {
+ ret = pkt.result;
+ goto out;
+ }
+
+ /*
+ * Parse the response.
+ */
+ ret = lwres_gnbaresponse_parse(ctx, &b_in, &pkt, &response);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ response->base = buffer;
+ response->baselen = LWRES_RECVLENGTH;
+ buffer = NULL; /* don't free this below */
+
+ *structp = response;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (b_out.base != NULL)
+ CTXFREE(b_out.base, b_out.length);
+ if (buffer != NULL)
+ CTXFREE(buffer, LWRES_RECVLENGTH);
+ if (response != NULL)
+ lwres_gnbaresponse_free(ctx, &response);
+
+ return (ret);
+}
+
+lwres_result_t
+lwres_getrdatabyname(lwres_context_t *ctx, const char *name,
+ lwres_uint16_t rdclass, lwres_uint16_t rdtype,
+ lwres_uint32_t flags, lwres_grbnresponse_t **structp)
+{
+ int ret;
+ int recvlen;
+ lwres_buffer_t b_in, b_out;
+ lwres_lwpacket_t pkt;
+ lwres_uint32_t serial;
+ char *buffer;
+ lwres_grbnrequest_t request;
+ lwres_grbnresponse_t *response;
+ char target_name[1024];
+ unsigned int target_length;
+
+ REQUIRE(ctx != NULL);
+ REQUIRE(name != NULL);
+ REQUIRE(structp != NULL && *structp == NULL);
+
+ b_in.base = NULL;
+ b_out.base = NULL;
+ response = NULL;
+ buffer = NULL;
+ serial = lwres_context_nextserial(ctx);
+
+ buffer = CTXMALLOC(LWRES_RECVLENGTH);
+ if (buffer == NULL) {
+ ret = LWRES_R_NOMEMORY;
+ goto out;
+ }
+
+ target_length = strlen(name);
+ if (target_length >= sizeof(target_name))
+ return (LWRES_R_FAILURE);
+ strcpy(target_name, name); /* strcpy is safe */
+
+ /*
+ * Set up our request and render it to a buffer.
+ */
+ request.rdclass = rdclass;
+ request.rdtype = rdtype;
+ request.flags = flags;
+ request.name = target_name;
+ request.namelen = target_length;
+ pkt.pktflags = 0;
+ pkt.serial = serial;
+ pkt.result = 0;
+ pkt.recvlength = LWRES_RECVLENGTH;
+
+ again:
+ ret = lwres_grbnrequest_render(ctx, &request, &pkt, &b_out);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ ret = lwres_context_sendrecv(ctx, b_out.base, b_out.length, buffer,
+ LWRES_RECVLENGTH, &recvlen);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ lwres_buffer_init(&b_in, buffer, recvlen);
+ b_in.used = recvlen;
+
+ /*
+ * Parse the packet header.
+ */
+ ret = lwres_lwpacket_parseheader(&b_in, &pkt);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+
+ /*
+ * Sanity check.
+ */
+ if (pkt.serial != serial)
+ goto again;
+ if (pkt.opcode != LWRES_OPCODE_GETRDATABYNAME)
+ goto again;
+
+ /*
+ * Free what we've transmitted
+ */
+ CTXFREE(b_out.base, b_out.length);
+ b_out.base = NULL;
+ b_out.length = 0;
+
+ if (pkt.result != LWRES_R_SUCCESS) {
+ ret = pkt.result;
+ goto out;
+ }
+
+ /*
+ * Parse the response.
+ */
+ ret = lwres_grbnresponse_parse(ctx, &b_in, &pkt, &response);
+ if (ret != LWRES_R_SUCCESS)
+ goto out;
+ response->base = buffer;
+ response->baselen = LWRES_RECVLENGTH;
+ buffer = NULL; /* don't free this below */
+
+ *structp = response;
+ return (LWRES_R_SUCCESS);
+
+ out:
+ if (b_out.base != NULL)
+ CTXFREE(b_out.base, b_out.length);
+ if (buffer != NULL)
+ CTXFREE(buffer, LWRES_RECVLENGTH);
+ if (response != NULL)
+ lwres_grbnresponse_free(ctx, &response);
+
+ return (ret);
+}
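Review bot: lwres_getnamebyaddr copies `addrlen` bytes with `memcpy(request.addr.address, addr, addrlen)` after checking only `addrlen != 0`. lwres_addr_parse in this same hunk treats LWRES_ADDR_MAXLEN as the limit for an address, so, assuming `request.addr` is that same lwres_addr_t, a larger caller-supplied `addrlen` writes past a stack object. A guard before the copy, `if (addrlen > LWRES_ADDR_MAXLEN) { ret = LWRES_R_FAILURE; goto out; }`, would reject it and still release `buffer`. Separately, in lwres_getaddrsbyname and lwres_getrdatabyname the `return (LWRES_R_FAILURE);` after the `target_length` check skips `out:` and leaks the LWRES_RECVLENGTH `buffer` allocated just above it; `ret = LWRES_R_FAILURE; goto out;` would free it.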
diff --git a/contrib/bind9/lib/lwres/man/Makefile.in b/contrib/bind9/lib/lwres/man/Makefile.in
new file mode 100644
index 0000000..a591a2a
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/Makefile.in
@@ -0,0 +1,232 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.6.206.1 2004/03/06 08:15:36 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_RULES@
+
+# Alphabetically
+#MANPAGES = lwres.3 lwres_addr_parse.3 lwres_buffer.3 \
+# lwres_buffer_add.3 lwres_buffer_back.3 lwres_buffer_clear.3 \
+# lwres_buffer_first.3 lwres_buffer_forward.3 \
+# lwres_buffer_getmem.3 lwres_buffer_getuint16.3 \
+# lwres_buffer_getuint32.3 lwres_buffer_getuint8.3 \
+# lwres_buffer_init.3 lwres_buffer_invalidate.3 \
+# lwres_buffer_putmem.3 lwres_buffer_putuint16.3 \
+# lwres_buffer_putuint32.3 lwres_buffer_putuint8.3 \
+# lwres_buffer_subtract.3 lwres_conf_clear.3 \
+# lwres_conf_get.3 lwres_conf_init.3 \
+# lwres_conf_parse.3 lwres_conf_print.3 \
+# lwres_config.3 lwres_context.3 \
+# lwres_context_allocmem.3 lwres_context_create.3 \
+# lwres_context_destroy.3 lwres_context_freemem.3 \
+# lwres_context_initserial.3 lwres_context_nextserial.3 \
+# lwres_context_sendrecv.3 lwres_endhostent.3 \
+# lwres_endhostent_r.3 lwres_freeaddrinfo.3 \
+# lwres_freehostent.3 lwres_gabn.3 \
+# lwres_gabnrequest_free.3 lwres_gabnrequest_parse.3 \
+# lwres_gabnrequest_render.3 lwres_gabnresponse_free.3 \
+# lwres_gabnresponse_parse.3 lwres_gabnresponse_render.3 \
+# lwres_gai_strerror.3 lwres_getaddrinfo.3 \
+# lwres_getaddrsbyname.3 lwres_gethostbyaddr.3 \
+# lwres_gethostbyaddr_r.3 lwres_gethostbyname.3 \
+# lwres_gethostbyname2.3 lwres_gethostbyname_r.3 \
+# lwres_gethostent.3 lwres_gethostent_r.3 \
+# lwres_getipnode.3 lwres_getipnodebyaddr.3 \
+# lwres_getipnodebyname.3 lwres_getnamebyaddr.3 \
+# lwres_getnameinfo.3 lwres_getrrsetbyname.3 \
+# lwres_gnba.3 lwres_gnbarequest_free.3 \
+# lwres_gnbarequest_parse.3 lwres_gnbarequest_render.3 \
+# lwres_gnbaresponse_free.3 lwres_gnbaresponse_parse.3 \
+# lwres_gnbaresponse_render.3 lwres_herror.3 \
+# lwres_hstrerror.3 lwres_inetntop.3 \
+# lwres_lwpacket_parseheader.3 lwres_lwpacket_renderheader.3 \
+# lwres_net_ntop.3 lwres_noop.3 \
+# lwres_nooprequest_free.3 lwres_nooprequest_parse.3 \
+# lwres_nooprequest_render.3 lwres_noopresponse_free.3 \
+# lwres_noopresponse_parse.3 lwres_noopresponse_render.3 \
+# lwres_packet.3 lwres_resutil.3 \
+# lwres_sethostent.3 lwres_sethostent_r.3 \
+# lwres_string_parse.3
+
+
+MANPAGES = lwres.3 lwres_buffer.3 lwres_config.3 lwres_context.3 \
+ lwres_gabn.3 lwres_gai_strerror.3 lwres_getaddrinfo.3 \
+ lwres_gethostent.3 lwres_getipnode.3 lwres_getnameinfo.3 \
+ lwres_getrrsetbyname.3 lwres_gnba.3 lwres_hstrerror.3 lwres_inetntop.3 \
+ lwres_noop.3 lwres_packet.3 lwres_resutil.3
+
+HTMLPAGES = lwres.html lwres_buffer.html lwres_config.html lwres_context.html \
+ lwres_gabn.html lwres_gai_strerror.html lwres_getaddrinfo.html \
+ lwres_gethostent.html lwres_getipnode.html lwres_getnameinfo.html \
+ lwres_getrrsetbyname.html lwres_gnba.html lwres_hstrerror.html lwres_inetntop.html \
+ lwres_noop.html lwres_packet.html lwres_resutil.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man3
+
+man3 = ${DESTDIR}${mandir}/man3
+
+install:: installdirs
+ for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man3; done
+ rm -f ${man3}/lwres_addr_parse.3
+ @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_addr_parse.3
+ rm -f ${man3}/lwres_buffer_add.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_add.3
+ rm -f ${man3}/lwres_buffer_back.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_back.3
+ rm -f ${man3}/lwres_buffer_clear.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_clear.3
+ rm -f ${man3}/lwres_buffer_first.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_first.3
+ rm -f ${man3}/lwres_buffer_forward.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_forward.3
+ rm -f ${man3}/lwres_buffer_getmem.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getmem.3
+ rm -f ${man3}/lwres_buffer_getuint16.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint16.3
+ rm -f ${man3}/lwres_buffer_getuint32.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint32.3
+ rm -f ${man3}/lwres_buffer_getuint8.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_getuint8.3
+ rm -f ${man3}/lwres_buffer_init.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_init.3
+ rm -f ${man3}/lwres_buffer_invalidate.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_invalidate.3
+ rm -f ${man3}/lwres_buffer_putmem.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putmem.3
+ rm -f ${man3}/lwres_buffer_putuint16.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint16.3
+ rm -f ${man3}/lwres_buffer_putuint32.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint32.3
+ rm -f ${man3}/lwres_buffer_putuint8.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_putuint8.3
+ rm -f ${man3}/lwres_buffer_subtract.3
+ @LN@ ${man3}/lwres_buffer.3 ${man3}/lwres_buffer_subtract.3
+ rm -f ${man3}/lwres_conf_clear.3
+ @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_clear.3
+ rm -f ${man3}/lwres_conf_get.3
+ @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_get.3
+ rm -f ${man3}/lwres_conf_init.3
+ @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_init.3
+ rm -f ${man3}/lwres_conf_parse.3
+ @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_parse.3
+ rm -f ${man3}/lwres_conf_print.3
+ @LN@ ${man3}/lwres_config.3 ${man3}/lwres_conf_print.3
+ rm -f ${man3}/lwres_context_allocmem.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_allocmem.3
+ rm -f ${man3}/lwres_context_create.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_create.3
+ rm -f ${man3}/lwres_context_destroy.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_destroy.3
+ rm -f ${man3}/lwres_context_freemem.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_freemem.3
+ rm -f ${man3}/lwres_context_initserial.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_initserial.3
+ rm -f ${man3}/lwres_context_nextserial.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_nextserial.3
+ rm -f ${man3}/lwres_context_sendrecv.3
+ @LN@ ${man3}/lwres_context.3 ${man3}/lwres_context_sendrecv.3
+ rm -f ${man3}/lwres_endhostent.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent.3
+ rm -f ${man3}/lwres_endhostent_r.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_endhostent_r.3
+ rm -f ${man3}/lwres_freeaddrinfo.3
+ @LN@ ${man3}/lwres_getaddrinfo.3 ${man3}/lwres_freeaddrinfo.3
+ rm -f ${man3}/lwres_freehostent.3
+ @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_freehostent.3
+ rm -f ${man3}/lwres_gabnrequest_free.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_free.3
+ rm -f ${man3}/lwres_gabnrequest_parse.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_parse.3
+ rm -f ${man3}/lwres_gabnrequest_render.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnrequest_render.3
+ rm -f ${man3}/lwres_gabnresponse_free.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_free.3
+ rm -f ${man3}/lwres_gabnresponse_parse.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_parse.3
+ rm -f ${man3}/lwres_gabnresponse_render.3
+ @LN@ ${man3}/lwres_gabn.3 ${man3}/lwres_gabnresponse_render.3
+ rm -f ${man3}/lwres_getaddrsbyname.3
+ @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getaddrsbyname.3
+ rm -f ${man3}/lwres_gethostbyaddr.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr.3
+ rm -f ${man3}/lwres_gethostbyaddr_r.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyaddr_r.3
+ rm -f ${man3}/lwres_gethostbyname.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname.3
+ rm -f ${man3}/lwres_gethostbyname2.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname2.3
+ rm -f ${man3}/lwres_gethostbyname_r.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostbyname_r.3
+ rm -f ${man3}/lwres_gethostent_r.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_gethostent_r.3
+ rm -f ${man3}/lwres_getipnodebyaddr.3
+ @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyaddr.3
+ rm -f ${man3}/lwres_getipnodebyname.3
+ @LN@ ${man3}/lwres_getipnode.3 ${man3}/lwres_getipnodebyname.3
+ rm -f ${man3}/lwres_getnamebyaddr.3
+ @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_getnamebyaddr.3
+ rm -f ${man3}/lwres_gnbarequest_free.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_free.3
+ rm -f ${man3}/lwres_gnbarequest_parse.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_parse.3
+ rm -f ${man3}/lwres_gnbarequest_render.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbarequest_render.3
+ rm -f ${man3}/lwres_gnbaresponse_free.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_free.3
+ rm -f ${man3}/lwres_gnbaresponse_parse.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_parse.3
+ rm -f ${man3}/lwres_gnbaresponse_render.3
+ @LN@ ${man3}/lwres_gnba.3 ${man3}/lwres_gnbaresponse_render.3
+ rm -f ${man3}/lwres_herror.3
+ @LN@ ${man3}/lwres_hstrerror.3 ${man3}/lwres_herror.3
+ rm -f ${man3}/lwres_lwpacket_parseheader.3
+ @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_parseheader.3
+ rm -f ${man3}/lwres_lwpacket_renderheader.3
+ @LN@ ${man3}/lwres_packet.3 ${man3}/lwres_lwpacket_renderheader.3
+ rm -f ${man3}/lwres_net_ntop.3
+ @LN@ ${man3}/lwres_inetntop.3 ${man3}/lwres_net_ntop.3
+ rm -f ${man3}/lwres_nooprequest_free.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_free.3
+ rm -f ${man3}/lwres_nooprequest_parse.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_parse.3
+ rm -f ${man3}/lwres_nooprequest_render.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_nooprequest_render.3
+ rm -f ${man3}/lwres_noopresponse_free.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_free.3
+ rm -f ${man3}/lwres_noopresponse_parse.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_parse.3
+ rm -f ${man3}/lwres_noopresponse_render.3
+ @LN@ ${man3}/lwres_noop.3 ${man3}/lwres_noopresponse_render.3
+ rm -f ${man3}/lwres_sethostent.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent.3
+ rm -f ${man3}/lwres_sethostent_r.3
+ @LN@ ${man3}/lwres_gethostent.3 ${man3}/lwres_sethostent_r.3
+ rm -f ${man3}/lwres_string_parse.3
+ @LN@ ${man3}/lwres_resutil.3 ${man3}/lwres_string_parse.3
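Review bot: The `for m in ${MANPAGES}; do ${INSTALL_DATA} ...; done` line in the `install::` recipe yields only the exit status of its last iteration. Under a make that does not run recipes with `sh -e`, a failed copy of an earlier page is not reported, and the `rm -f` / `@LN@` pairs that follow then create links to a page that is missing or left over from an older install. Stopping at the first failure would make a partial install visible: `for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${man3} || exit 1; done`. That form also uses the `${man3}` variable defined just above the rule instead of spelling out `${DESTDIR}${mandir}/man3` again, so the copy and link steps cannot drift apart.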
diff --git a/contrib/bind9/lib/lwres/man/lwres.3 b/contrib/bind9/lib/lwres/man/lwres.3
new file mode 100644
index 0000000..ad125d2
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres.3
@@ -0,0 +1,159 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres.3,v 1.15.206.1 2004/03/06 07:41:42 marka Exp $
+.\"
+.TH "LWRES" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres \- introduction to the lightweight resolver library
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>\fR
+.SH "DESCRIPTION"
+.PP
+The BIND 9 lightweight resolver library is a simple, name service
+independent stub resolver library. It provides hostname-to-address
+and address-to-hostname lookup services to applications by
+transmitting lookup requests to a resolver daemon
+\fBlwresd\fR
+running on the local host. The resover daemon performs the
+lookup using the DNS or possibly other name service protocols,
+and returns the results to the application through the library.
+The library and resolver daemon communicate using a simple
+UDP-based protocol.
+.SH "OVERVIEW"
+.PP
+The lwresd library implements multiple name service APIs.
+The standard
+\fBgethostbyname()\fR,
+\fBgethostbyaddr()\fR,
+\fBgethostbyname_r()\fR,
+\fBgethostbyaddr_r()\fR,
+\fBgetaddrinfo()\fR,
+\fBgetipnodebyname()\fR,
+and
+\fBgetipnodebyaddr()\fR
+functions are all supported. To allow the lwres library to coexist
+with system libraries that define functions of the same name,
+the library defines these functions with names prefixed by
+lwres_.
+To define the standard names, applications must include the
+header file
+\fI<lwres/netdb.h>\fR
+which contains macro definitions mapping the standard function names
+into
+lwres_
+prefixed ones. Operating system vendors who integrate the lwres
+library into their base distributions should rename the functions
+in the library proper so that the renaming macros are not needed.
+.PP
+The library also provides a native API consisting of the functions
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR.
+These may be called by applications that require more detailed
+control over the lookup process than the standard functions
+provide.
+.PP
+In addition to these name service independent address lookup
+functions, the library implements a new, experimental API
+for looking up arbitrary DNS resource records, using the
+\fBlwres_getaddrsbyname()\fR
+function.
+.PP
+Finally, there is a low-level API for converting lookup
+requests and responses to and from raw lwres protocol packets.
+This API can be used by clients requiring nonblocking operation,
+and is also used when implementing the server side of the lwres
+protocol, for example in the
+\fBlwresd\fR
+resolver daemon. The use of this low-level API in clients
+and servers is outlined in the following sections.
+.SH "CLIENT-SIDE LOW-LEVEL API CALL FLOW"
+.PP
+When a client program wishes to make an lwres request using the
+native low-level API, it typically performs the following
+sequence of actions.
+.PP
+(1) Allocate or use an existing \fBlwres_packet_t\fR,
+called pkt below.
+.PP
+(2) Set \fBpkt.recvlength\fR to the maximum length we will accept.
+This is done so the receiver of our packets knows how large our receive
+buffer is. The "default" is a constant in
+\fIlwres.h\fR: LWRES_RECVLENGTH = 4096.
+.PP
+(3) Set \fBpkt.serial\fR
+to a unique serial number. This value is echoed
+back to the application by the remote server.
+.PP
+(4) Set \fBpkt.pktflags\fR. Usually this is set to 0.
+.PP
+(5) Set \fBpkt.result\fR to 0.
+.PP
+(6) Call \fBlwres_*request_render()\fR,
+or marshall in the data using the primitives
+such as \fBlwres_packet_render()\fR
+and storing the packet data.
+.PP
+(7) Transmit the resulting buffer.
+.PP
+(8) Call \fBlwres_*response_parse()\fR
+to parse any packets received.
+.PP
+(9) Verify that the opcode and serial match a request, and process the
+packet specific information contained in the body.
+.SH "SERVER-SIDE LOW-LEVEL API CALL FLOW"
+.PP
+When implementing the server side of the lightweight resolver
+protocol using the lwres library, a sequence of actions like the
+following is typically involved in processing each request packet.
+.PP
+Note that the same \fBlwres_packet_t\fR is used
+in both the \fB_parse()\fR and \fB_render()\fR calls,
+with only a few modifications made
+to the packet header's contents between uses. This method is recommended
+as it keeps the serial, opcode, and other fields correct.
+.PP
+(1) When a packet is received, call \fBlwres_*request_parse()\fR to
+unmarshall it. This returns a \fBlwres_packet_t\fR (also called pkt, below)
+as well as a data specific type, such as \fBlwres_gabnrequest_t\fR.
+.PP
+(2) Process the request in the data specific type.
+.PP
+(3) Set the \fBpkt.result\fR,
+\fBpkt.recvlength\fR as above. All other fields can
+be left untouched since they were filled in by the \fB*_parse()\fR call
+above. If using \fBlwres_*response_render()\fR,
+\fBpkt.pktflags\fR will be set up
+properly. Otherwise, the LWRES_LWPACKETFLAG_RESPONSE bit should be
+set.
+.PP
+(4) Call the data specific rendering function, such as
+\fBlwres_gabnresponse_render()\fR.
+.PP
+(5) Send the resulting packet to the client.
+.PP
+.SH "SEE ALSO"
+.PP
+\fBlwres_gethostent\fR(3),
+\fBlwres_getipnode\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_noop\fR(3),
+\fBlwres_gabn\fR(3),
+\fBlwres_gnba\fR(3),
+\fBlwres_context\fR(3),
+\fBlwres_config\fR(3),
+\fBresolver\fR(5),
+\fBlwresd\fR(8).
diff --git a/contrib/bind9/lib/lwres/man/lwres.docbook b/contrib/bind9/lib/lwres/man/lwres.docbook
new file mode 100644
index 0000000..511d82e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres.docbook
@@ -0,0 +1,244 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres.docbook,v 1.3.206.1 2004/03/06 08:15:37 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+<date>Jun 30, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>lwres</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>lwres</refname>
+<refpurpose>introduction to the lightweight resolver library</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+The BIND 9 lightweight resolver library is a simple, name service
+independent stub resolver library. It provides hostname-to-address
+and address-to-hostname lookup services to applications by
+transmitting lookup requests to a resolver daemon
+<command>lwresd</command>
+running on the local host. The resover daemon performs the
+lookup using the DNS or possibly other name service protocols,
+and returns the results to the application through the library.
+The library and resolver daemon communicate using a simple
+UDP-based protocol.
+</para>
+</refsect1>
+
+<refsect1>
+<title>OVERVIEW</title>
+<para>
+The lwresd library implements multiple name service APIs.
+The standard
+<function>gethostbyname()</function>,
+<function>gethostbyaddr()</function>,
+<function>gethostbyname_r()</function>,
+<function>gethostbyaddr_r()</function>,
+<function>getaddrinfo()</function>,
+<function>getipnodebyname()</function>,
+and
+<function>getipnodebyaddr()</function>
+functions are all supported. To allow the lwres library to coexist
+with system libraries that define functions of the same name,
+the library defines these functions with names prefixed by
+<literal>lwres_</literal>.
+To define the standard names, applications must include the
+header file
+<filename>&lt;lwres/netdb.h&gt;</filename>
+which contains macro definitions mapping the standard function names
+into
+<literal>lwres_</literal>
+prefixed ones. Operating system vendors who integrate the lwres
+library into their base distributions should rename the functions
+in the library proper so that the renaming macros are not needed.
+</para>
+<para>
+The library also provides a native API consisting of the functions
+<function>lwres_getaddrsbyname()</function>
+and
+<function>lwres_getnamebyaddr()</function>.
+These may be called by applications that require more detailed
+control over the lookup process than the standard functions
+provide.
+</para>
+<para>
+In addition to these name service independent address lookup
+functions, the library implements a new, experimental API
+for looking up arbitrary DNS resource records, using the
+<function>lwres_getaddrsbyname()</function>
+function.
+</para>
+<para>
+Finally, there is a low-level API for converting lookup
+requests and responses to and from raw lwres protocol packets.
+This API can be used by clients requiring nonblocking operation,
+and is also used when implementing the server side of the lwres
+protocol, for example in the
+<command>lwresd</command>
+resolver daemon. The use of this low-level API in clients
+and servers is outlined in the following sections.
+</para>
+</refsect1>
+<refsect1>
+<title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title>
+<para>
+When a client program wishes to make an lwres request using the
+native low-level API, it typically performs the following
+sequence of actions.
+</para>
+<para>
+(1) Allocate or use an existing <type>lwres_packet_t</type>,
+called <varname>pkt</varname> below.
+</para>
+<para>
+(2) Set <structfield>pkt.recvlength</structfield> to the maximum length we will accept.
+This is done so the receiver of our packets knows how large our receive
+buffer is. The "default" is a constant in
+<filename>lwres.h</filename>: <constant>LWRES_RECVLENGTH = 4096</constant>.
+</para>
+<para>
+(3) Set <structfield>pkt.serial</structfield>
+to a unique serial number. This value is echoed
+back to the application by the remote server.
+</para>
+<para>
+(4) Set <structfield>pkt.pktflags</structfield>. Usually this is set to 0.
+</para>
+<para>
+(5) Set <structfield>pkt.result</structfield> to 0.
+</para>
+<para>
+(6) Call <function>lwres_*request_render()</function>,
+or marshall in the data using the primitives
+such as <function>lwres_packet_render()</function>
+and storing the packet data.
+</para>
+<para>
+(7) Transmit the resulting buffer.
+</para>
+<para>
+(8) Call <function>lwres_*response_parse()</function>
+to parse any packets received.
+</para>
+<para>
+(9) Verify that the opcode and serial match a request, and process the
+packet specific information contained in the body.
+</para>
+</refsect1>
+<refsect1>
+<title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title>
+<para>
+When implementing the server side of the lightweight resolver
+protocol using the lwres library, a sequence of actions like the
+following is typically involved in processing each request packet.
+</para>
+<para>
+Note that the same <type>lwres_packet_t</type> is used
+in both the <function>_parse()</function> and <function>_render()</function> calls,
+with only a few modifications made
+to the packet header's contents between uses. This method is recommended
+as it keeps the serial, opcode, and other fields correct.
+</para>
+<para>
+(1) When a packet is received, call <function>lwres_*request_parse()</function> to
+unmarshall it. This returns a <type>lwres_packet_t</type> (also called <varname>pkt</varname>, below)
+as well as a data specific type, such as <type>lwres_gabnrequest_t</type>.
+</para>
+<para>
+(2) Process the request in the data specific type.
+</para>
+<para>
+(3) Set the <structfield>pkt.result</structfield>,
+<structfield>pkt.recvlength</structfield> as above. All other fields can
+be left untouched since they were filled in by the <function>*_parse()</function> call
+above. If using <function>lwres_*response_render()</function>,
+<structfield>pkt.pktflags</structfield> will be set up
+properly. Otherwise, the <constant>LWRES_LWPACKETFLAG_RESPONSE</constant> bit should be
+set.
+</para>
+<para>
+(4) Call the data specific rendering function, such as
+<function>lwres_gabnresponse_render()</function>.
+</para>
+<para>
+(5) Send the resulting packet to the client.
+</para>
+<para>
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_noop</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_gnba</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_context</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_config</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwresd</refentrytitle><manvolnum>8</manvolnum>
+</citerefentry>.
+
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres.html b/contrib/bind9/lib/lwres/man/lwres.html
new file mode 100644
index 0000000..793ab72
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres.html
@@ -0,0 +1,433 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres.html,v 1.4.2.1.4.2 2004/08/22 23:39:02 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres&nbsp;--&nbsp;introduction to the lightweight resolver library</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN12"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN14"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>The BIND 9 lightweight resolver library is a simple, name service
+independent stub resolver library. It provides hostname-to-address
+and address-to-hostname lookup services to applications by
+transmitting lookup requests to a resolver daemon
+<B
+CLASS="COMMAND"
+>lwresd</B
+>
+running on the local host. The resover daemon performs the
+lookup using the DNS or possibly other name service protocols,
+and returns the results to the application through the library.
+The library and resolver daemon communicate using a simple
+UDP-based protocol.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN18"
+></A
+><H2
+>OVERVIEW</H2
+><P
+>The lwresd library implements multiple name service APIs.
+The standard
+<CODE
+CLASS="FUNCTION"
+>gethostbyname()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>gethostbyaddr()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>gethostbyname_r()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>gethostbyaddr_r()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>getaddrinfo()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>getipnodebyname()</CODE
+>,
+and
+<CODE
+CLASS="FUNCTION"
+>getipnodebyaddr()</CODE
+>
+functions are all supported. To allow the lwres library to coexist
+with system libraries that define functions of the same name,
+the library defines these functions with names prefixed by
+<VAR
+CLASS="LITERAL"
+>lwres_</VAR
+>.
+To define the standard names, applications must include the
+header file
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>
+which contains macro definitions mapping the standard function names
+into
+<VAR
+CLASS="LITERAL"
+>lwres_</VAR
+>
+prefixed ones. Operating system vendors who integrate the lwres
+library into their base distributions should rename the functions
+in the library proper so that the renaming macros are not needed.</P
+><P
+>The library also provides a native API consisting of the functions
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</CODE
+>.
+These may be called by applications that require more detailed
+control over the lookup process than the standard functions
+provide.</P
+><P
+>In addition to these name service independent address lookup
+functions, the library implements a new, experimental API
+for looking up arbitrary DNS resource records, using the
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+>
+function.</P
+><P
+>Finally, there is a low-level API for converting lookup
+requests and responses to and from raw lwres protocol packets.
+This API can be used by clients requiring nonblocking operation,
+and is also used when implementing the server side of the lwres
+protocol, for example in the
+<B
+CLASS="COMMAND"
+>lwresd</B
+>
+resolver daemon. The use of this low-level API in clients
+and servers is outlined in the following sections.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN38"
+></A
+><H2
+>CLIENT-SIDE LOW-LEVEL API CALL FLOW</H2
+><P
+>When a client program wishes to make an lwres request using the
+native low-level API, it typically performs the following
+sequence of actions.</P
+><P
+>(1) Allocate or use an existing <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+>,
+called <VAR
+CLASS="VARNAME"
+>pkt</VAR
+> below.</P
+><P
+>(2) Set <CODE
+CLASS="STRUCTFIELD"
+>pkt.recvlength</CODE
+> to the maximum length we will accept.
+This is done so the receiver of our packets knows how large our receive
+buffer is. The "default" is a constant in
+<TT
+CLASS="FILENAME"
+>lwres.h</TT
+>: <CODE
+CLASS="CONSTANT"
+>LWRES_RECVLENGTH = 4096</CODE
+>.</P
+><P
+>(3) Set <CODE
+CLASS="STRUCTFIELD"
+>pkt.serial</CODE
+>
+to a unique serial number. This value is echoed
+back to the application by the remote server.</P
+><P
+>(4) Set <CODE
+CLASS="STRUCTFIELD"
+>pkt.pktflags</CODE
+>. Usually this is set to 0.</P
+><P
+>(5) Set <CODE
+CLASS="STRUCTFIELD"
+>pkt.result</CODE
+> to 0.</P
+><P
+>(6) Call <CODE
+CLASS="FUNCTION"
+>lwres_*request_render()</CODE
+>,
+or marshall in the data using the primitives
+such as <CODE
+CLASS="FUNCTION"
+>lwres_packet_render()</CODE
+>
+and storing the packet data.</P
+><P
+>(7) Transmit the resulting buffer.</P
+><P
+>(8) Call <CODE
+CLASS="FUNCTION"
+>lwres_*response_parse()</CODE
+>
+to parse any packets received.</P
+><P
+>(9) Verify that the opcode and serial match a request, and process the
+packet specific information contained in the body.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>SERVER-SIDE LOW-LEVEL API CALL FLOW</H2
+><P
+>When implementing the server side of the lightweight resolver
+protocol using the lwres library, a sequence of actions like the
+following is typically involved in processing each request packet.</P
+><P
+>Note that the same <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+> is used
+in both the <CODE
+CLASS="FUNCTION"
+>_parse()</CODE
+> and <CODE
+CLASS="FUNCTION"
+>_render()</CODE
+> calls,
+with only a few modifications made
+to the packet header's contents between uses. This method is recommended
+as it keeps the serial, opcode, and other fields correct.</P
+><P
+>(1) When a packet is received, call <CODE
+CLASS="FUNCTION"
+>lwres_*request_parse()</CODE
+> to
+unmarshall it. This returns a <SPAN
+CLASS="TYPE"
+>lwres_packet_t</SPAN
+> (also called <VAR
+CLASS="VARNAME"
+>pkt</VAR
+>, below)
+as well as a data specific type, such as <SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>.</P
+><P
+>(2) Process the request in the data specific type.</P
+><P
+>(3) Set the <CODE
+CLASS="STRUCTFIELD"
+>pkt.result</CODE
+>,
+<CODE
+CLASS="STRUCTFIELD"
+>pkt.recvlength</CODE
+> as above. All other fields can
+be left untouched since they were filled in by the <CODE
+CLASS="FUNCTION"
+>*_parse()</CODE
+> call
+above. If using <CODE
+CLASS="FUNCTION"
+>lwres_*response_render()</CODE
+>,
+<CODE
+CLASS="STRUCTFIELD"
+>pkt.pktflags</CODE
+> will be set up
+properly. Otherwise, the <CODE
+CLASS="CONSTANT"
+>LWRES_LWPACKETFLAG_RESPONSE</CODE
+> bit should be
+set.</P
+><P
+>(4) Call the data specific rendering function, such as
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</CODE
+>.</P
+><P
+>(5) Send the resulting packet to the client.</P
+><P
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN85"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gethostent</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getipnode</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_noop</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gnba</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_context</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_config</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwresd</SPAN
+>(8)</SPAN
+>.&#13;</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.3 b/contrib/bind9/lib/lwres/man/lwres_buffer.3
new file mode 100644
index 0000000..232742a
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.3
@@ -0,0 +1,279 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_buffer.3,v 1.12.2.1.8.1 2004/03/06 07:41:42 marka Exp $
+.\"
+.TH "LWRES_BUFFER" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem \- lightweight resolver buffer management
+.SH SYNOPSIS
+\fB#include <lwres/lwbuffer.h>
+.sp
+.na
+void
+lwres_buffer_init(lwres_buffer_t *b, void *base, unsigned int length);
+.ad
+.sp
+.na
+void
+lwres_buffer_invalidate(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_add(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_subtract(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_clear(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_first(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_forward(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+void
+lwres_buffer_back(lwres_buffer_t *b, unsigned int n);
+.ad
+.sp
+.na
+lwres_uint8_t
+lwres_buffer_getuint8(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint8(lwres_buffer_t *b, lwres_uint8_t val);
+.ad
+.sp
+.na
+lwres_uint16_t
+lwres_buffer_getuint16(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint16(lwres_buffer_t *b, lwres_uint16_t val);
+.ad
+.sp
+.na
+lwres_uint32_t
+lwres_buffer_getuint32(lwres_buffer_t *b);
+.ad
+.sp
+.na
+void
+lwres_buffer_putuint32(lwres_buffer_t *b, lwres_uint32_t val);
+.ad
+.sp
+.na
+void
+lwres_buffer_putmem(lwres_buffer_t *b, const unsigned char *base, unsigned int length);
+.ad
+.sp
+.na
+void
+lwres_buffer_getmem(lwres_buffer_t *b, unsigned char *base, unsigned int length);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These functions provide bounds checked access to a region of memory
+where data is being read or written.
+They are based on, and similar to, the
+isc_buffer_
+functions in the ISC library.
+.PP
+A buffer is a region of memory, together with a set of related
+subregions.
+The \fBused region\fR and the
+\fBavailable\fR region are disjoint, and
+their union is the buffer's region.
+The used region extends from the beginning of the buffer region to the
+last used byte.
+The available region extends from one byte greater than the last used
+byte to the end of the buffer's region.
+The size of the used region can be changed using various
+buffer commands.
+Initially, the used region is empty.
+.PP
+The used region is further subdivided into two disjoint regions: the
+\fBconsumed region\fR and the \fBremaining region\fR.
+The union of these two regions is the used region.
+The consumed region extends from the beginning of the used region to
+the byte before the \fBcurrent\fR offset (if any).
+The \fBremaining\fR region the current pointer to the end of the used
+region.
+The size of the consumed region can be changed using various
+buffer commands.
+Initially, the consumed region is empty.
+.PP
+The \fBactive region\fR is an (optional) subregion of the remaining
+region.
+It extends from the current offset to an offset in the
+remaining region.
+Initially, the active region is empty.
+If the current offset advances beyond the chosen offset,
+the active region will also be empty.
+.PP
+.sp
+.nf
+
+ /------------entire length---------------\\\\
+ /----- used region -----\\\\/-- available --\\\\
+ +----------------------------------------+
+ | consumed | remaining | |
+ +----------------------------------------+
+ a b c d e
+
+ a == base of buffer.
+ b == current pointer. Can be anywhere between a and d.
+ c == active pointer. Meaningful between b and d.
+ d == used pointer.
+ e == length of buffer.
+
+ a-e == entire length of buffer.
+ a-d == used region.
+ a-b == consumed region.
+ b-d == remaining region.
+ b-c == optional active region.
+.sp
+.fi
+.PP
+\fBlwres_buffer_init()\fR
+initializes the
+\fBlwres_buffer_t\fR
+\fI*b\fR
+and assocates it with the memory region of size
+\fIlength\fR
+bytes starting at location
+\fIbase.\fR
+.PP
+\fBlwres_buffer_invalidate()\fR
+marks the buffer
+\fI*b\fR
+as invalid. Invalidating a buffer after use is not required,
+but makes it possible to catch its possible accidental use.
+.PP
+The functions
+\fBlwres_buffer_add()\fR
+and
+\fBlwres_buffer_subtract()\fR
+respectively increase and decrease the used space in
+buffer
+\fI*b\fR
+by
+\fIn\fR
+bytes.
+\fBlwres_buffer_add()\fR
+checks for buffer overflow and
+\fBlwres_buffer_subtract()\fR
+checks for underflow.
+These functions do not allocate or deallocate memory.
+They just change the value of
+\fBused\fR.
+.PP
+A buffer is re-initialised by
+\fBlwres_buffer_clear()\fR.
+The function sets
+\fBused\fR ,
+\fBcurrent\fR
+and
+\fBactive\fR
+to zero.
+.PP
+\fBlwres_buffer_first\fR
+makes the consumed region of buffer
+\fI*p\fR
+empty by setting
+\fBcurrent\fR
+to zero (the start of the buffer).
+.PP
+\fBlwres_buffer_forward()\fR
+increases the consumed region of buffer
+\fI*b\fR
+by
+\fIn\fR
+bytes, checking for overflow.
+Similarly,
+\fBlwres_buffer_back()\fR
+decreases buffer
+\fIb\fR's
+consumed region by
+\fIn\fR
+bytes and checks for underflow.
+.PP
+\fBlwres_buffer_getuint8()\fR
+reads an unsigned 8-bit integer from
+\fI*b\fR
+and returns it.
+\fBlwres_buffer_putuint8()\fR
+writes the unsigned 8-bit integer
+\fIval\fR
+to buffer
+\fI*b\fR.
+.PP
+\fBlwres_buffer_getuint16()\fR
+and
+\fBlwres_buffer_getuint32()\fR
+are identical to
+\fBlwres_buffer_putuint8()\fR
+except that they respectively read an unsigned 16-bit or 32-bit integer
+in network byte order from
+\fIb\fR.
+Similarly,
+\fBlwres_buffer_putuint16()\fR
+and
+\fBlwres_buffer_putuint32()\fR
+writes the unsigned 16-bit or 32-bit integer
+\fIval\fR
+to buffer
+\fIb\fR,
+in network byte order.
+.PP
+Arbitrary amounts of data are read or written from a lightweight
+resolver buffer with
+\fBlwres_buffer_getmem()\fR
+and
+\fBlwres_buffer_putmem()\fR
+respectively.
+\fBlwres_buffer_putmem()\fR
+copies
+\fIlength\fR
+bytes of memory at
+\fIbase\fR
+to
+\fIb\fR.
+Conversely,
+\fBlwres_buffer_getmem()\fR
+copies
+\fIlength\fR
+bytes of memory from
+\fIb\fR
+to
+\fIbase\fR.
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.docbook b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
new file mode 100644
index 0000000..4db9fd3
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.docbook
@@ -0,0 +1,378 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_buffer.docbook,v 1.3.206.1 2004/03/06 08:15:37 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_buffer</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_buffer_init</refname>
+<refname>lwres_buffer_invalidate</refname>
+<refname>lwres_buffer_add</refname>
+<refname>lwres_buffer_subtract</refname>
+<refname>lwres_buffer_clear</refname>
+<refname>lwres_buffer_first</refname>
+<refname>lwres_buffer_forward</refname>
+<refname>lwres_buffer_back</refname>
+<refname>lwres_buffer_getuint8</refname>
+<refname>lwres_buffer_putuint8</refname>
+<refname>lwres_buffer_getuint16</refname>
+<refname>lwres_buffer_putuint16</refname>
+<refname>lwres_buffer_getuint32</refname>
+<refname>lwres_buffer_putuint32</refname>
+<refname>lwres_buffer_putmem</refname>
+<refname>lwres_buffer_getmem</refname>
+<refpurpose>lightweight resolver buffer management</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+
+<funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwbuffer.h&gt;
+</funcsynopsisinfo>
+
+<funcprototype>
+
+<funcdef>
+void
+<function>lwres_buffer_init</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>void *base</paramdef>
+<paramdef>unsigned int length</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_invalidate</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_add</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>unsigned int n</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_subtract</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>unsigned int n</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_clear</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_first</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_forward</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>unsigned int n</paramdef>
+</funcprototype>
+<funcprototype>
+
+<funcdef>
+void
+<function>lwres_buffer_back</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>unsigned int n</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+lwres_uint8_t
+<function>lwres_buffer_getuint8</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_putuint8</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_uint8_t val</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+lwres_uint16_t
+<function>lwres_buffer_getuint16</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_putuint16</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_uint16_t val</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+lwres_uint32_t
+<function>lwres_buffer_getuint32</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_putuint32</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_uint32_t val</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_putmem</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>const unsigned char *base</paramdef>
+<paramdef>unsigned int length</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_buffer_getmem</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>unsigned char *base</paramdef>
+<paramdef>unsigned int length</paramdef>
+</funcprototype>
+
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+
+<title>DESCRIPTION</title>
+<para>
+These functions provide bounds checked access to a region of memory
+where data is being read or written.
+They are based on, and similar to, the
+<literal>isc_buffer_</literal>
+functions in the ISC library.
+</para>
+<para>
+A buffer is a region of memory, together with a set of related
+subregions.
+The <emphasis>used region</emphasis> and the
+<emphasis>available</emphasis> region are disjoint, and
+their union is the buffer's region.
+The used region extends from the beginning of the buffer region to the
+last used byte.
+The available region extends from one byte greater than the last used
+byte to the end of the buffer's region.
+The size of the used region can be changed using various
+buffer commands.
+Initially, the used region is empty.
+</para>
+<para>
+The used region is further subdivided into two disjoint regions: the
+<emphasis>consumed region</emphasis> and the <emphasis>remaining region</emphasis>.
+The union of these two regions is the used region.
+The consumed region extends from the beginning of the used region to
+the byte before the <emphasis>current</emphasis> offset (if any).
+The <emphasis>remaining</emphasis> region the current pointer to the end of the used
+region.
+The size of the consumed region can be changed using various
+buffer commands.
+Initially, the consumed region is empty.
+</para>
+<para>
+The <emphasis>active region</emphasis> is an (optional) subregion of the remaining
+region.
+It extends from the current offset to an offset in the
+remaining region.
+Initially, the active region is empty.
+If the current offset advances beyond the chosen offset,
+the active region will also be empty.
+</para>
+<para>
+<programlisting>
+
+ /------------entire length---------------\\
+ /----- used region -----\\/-- available --\\
+ +----------------------------------------+
+ | consumed | remaining | |
+ +----------------------------------------+
+ a b c d e
+
+ a == base of buffer.
+ b == current pointer. Can be anywhere between a and d.
+ c == active pointer. Meaningful between b and d.
+ d == used pointer.
+ e == length of buffer.
+
+ a-e == entire length of buffer.
+ a-d == used region.
+ a-b == consumed region.
+ b-d == remaining region.
+ b-c == optional active region.
+</programlisting>
+</para>
+<para>
+<function>lwres_buffer_init()</function>
+initializes the
+<type>lwres_buffer_t</type>
+<parameter>*b</parameter>
+and assocates it with the memory region of size
+<parameter>length</parameter>
+bytes starting at location
+<parameter>base.</parameter>
+</para>
+<para>
+<function>lwres_buffer_invalidate()</function>
+marks the buffer
+<parameter>*b</parameter>
+as invalid. Invalidating a buffer after use is not required,
+but makes it possible to catch its possible accidental use.
+</para>
+<para>
+The functions
+<function>lwres_buffer_add()</function>
+and
+<function>lwres_buffer_subtract()</function>
+respectively increase and decrease the used space in
+buffer
+<parameter>*b</parameter>
+by
+<parameter>n</parameter>
+bytes.
+<function>lwres_buffer_add()</function>
+checks for buffer overflow and
+<function>lwres_buffer_subtract()</function>
+checks for underflow.
+These functions do not allocate or deallocate memory.
+They just change the value of
+<structfield>used</structfield>.
+</para>
+<para>
+A buffer is re-initialised by
+<function>lwres_buffer_clear()</function>.
+The function sets
+<structfield>used</structfield> ,
+<structfield>current</structfield>
+and
+<structfield>active</structfield>
+to zero.
+</para>
+<para>
+<function>lwres_buffer_first</function>
+makes the consumed region of buffer
+<parameter>*p</parameter>
+empty by setting
+<structfield>current</structfield>
+to zero (the start of the buffer).
+</para>
+<para>
+<function>lwres_buffer_forward()</function>
+increases the consumed region of buffer
+<parameter>*b</parameter>
+by
+<parameter>n</parameter>
+bytes, checking for overflow.
+Similarly,
+<function>lwres_buffer_back()</function>
+decreases buffer
+<parameter>b</parameter>'s
+consumed region by
+<parameter>n</parameter>
+bytes and checks for underflow.
+</para>
+<para>
+<function>lwres_buffer_getuint8()</function>
+reads an unsigned 8-bit integer from
+<parameter>*b</parameter>
+and returns it.
+<function>lwres_buffer_putuint8()</function>
+writes the unsigned 8-bit integer
+<parameter>val</parameter>
+to buffer
+<parameter>*b</parameter>.
+</para>
+<para>
+<function>lwres_buffer_getuint16()</function>
+and
+<function>lwres_buffer_getuint32()</function>
+are identical to
+<function>lwres_buffer_putuint8()</function>
+except that they respectively read an unsigned 16-bit or 32-bit integer
+in network byte order from
+<parameter>b</parameter>.
+Similarly,
+<function>lwres_buffer_putuint16()</function>
+and
+<function>lwres_buffer_putuint32()</function>
+writes the unsigned 16-bit or 32-bit integer
+<parameter>val</parameter>
+to buffer
+<parameter>b</parameter>,
+in network byte order.
+</para>
+<para>
+Arbitrary amounts of data are read or written from a lightweight
+resolver buffer with
+<function>lwres_buffer_getmem()</function>
+and
+<function>lwres_buffer_putmem()</function>
+respectively.
+<function>lwres_buffer_putmem()</function>
+copies
+<parameter>length</parameter>
+bytes of memory at
+<parameter>base</parameter>
+to
+<parameter>b</parameter>.
+Conversely,
+<function>lwres_buffer_getmem()</function>
+copies
+<parameter>length</parameter>
+bytes of memory from
+<parameter>b</parameter>
+to
+<parameter>base</parameter>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_buffer.html b/contrib/bind9/lib/lwres/man/lwres_buffer.html
new file mode 100644
index 0000000..79354fc
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_buffer.html
@@ -0,0 +1,576 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_buffer.html,v 1.4.2.1.4.2 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_buffer</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_buffer</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_buffer_init, lwres_buffer_invalidate, lwres_buffer_add, lwres_buffer_subtract, lwres_buffer_clear, lwres_buffer_first, lwres_buffer_forward, lwres_buffer_back, lwres_buffer_getuint8, lwres_buffer_putuint8, lwres_buffer_getuint16, lwres_buffer_putuint16, lwres_buffer_getuint32, lwres_buffer_putuint32, lwres_buffer_putmem, lwres_buffer_getmem&nbsp;--&nbsp;lightweight resolver buffer management</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN26"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN27"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwbuffer.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_init</CODE
+>(lwres_buffer_t *b, void *base, unsigned int length);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_invalidate</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_add</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_subtract</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_clear</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_first</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_forward</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_back</CODE
+>(lwres_buffer_t *b, unsigned int n);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint8_t
+lwres_buffer_getuint8</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint8</CODE
+>(lwres_buffer_t *b, lwres_uint8_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint16_t
+lwres_buffer_getuint16</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint16</CODE
+>(lwres_buffer_t *b, lwres_uint16_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint32_t
+lwres_buffer_getuint32</CODE
+>(lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putuint32</CODE
+>(lwres_buffer_t *b, lwres_uint32_t val);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_putmem</CODE
+>(lwres_buffer_t *b, const unsigned char *base, unsigned int length);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_buffer_getmem</CODE
+>(lwres_buffer_t *b, unsigned char *base, unsigned int length);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN106"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions provide bounds checked access to a region of memory
+where data is being read or written.
+They are based on, and similar to, the
+<VAR
+CLASS="LITERAL"
+>isc_buffer_</VAR
+>
+functions in the ISC library.</P
+><P
+>A buffer is a region of memory, together with a set of related
+subregions.
+The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>used region</I
+></SPAN
+> and the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>available</I
+></SPAN
+> region are disjoint, and
+their union is the buffer's region.
+The used region extends from the beginning of the buffer region to the
+last used byte.
+The available region extends from one byte greater than the last used
+byte to the end of the buffer's region.
+The size of the used region can be changed using various
+buffer commands.
+Initially, the used region is empty.</P
+><P
+>The used region is further subdivided into two disjoint regions: the
+<SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>consumed region</I
+></SPAN
+> and the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>remaining region</I
+></SPAN
+>.
+The union of these two regions is the used region.
+The consumed region extends from the beginning of the used region to
+the byte before the <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>current</I
+></SPAN
+> offset (if any).
+The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>remaining</I
+></SPAN
+> region the current pointer to the end of the used
+region.
+The size of the consumed region can be changed using various
+buffer commands.
+Initially, the consumed region is empty.</P
+><P
+>The <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>active region</I
+></SPAN
+> is an (optional) subregion of the remaining
+region.
+It extends from the current offset to an offset in the
+remaining region.
+Initially, the active region is empty.
+If the current offset advances beyond the chosen offset,
+the active region will also be empty.</P
+><P
+><PRE
+CLASS="PROGRAMLISTING"
+>
+ /------------entire length---------------\\
+ /----- used region -----\\/-- available --\\
+ +----------------------------------------+
+ | consumed | remaining | |
+ +----------------------------------------+
+ a b c d e
+
+ a == base of buffer.
+ b == current pointer. Can be anywhere between a and d.
+ c == active pointer. Meaningful between b and d.
+ d == used pointer.
+ e == length of buffer.
+
+ a-e == entire length of buffer.
+ a-d == used region.
+ a-b == consumed region.
+ b-d == remaining region.
+ b-c == optional active region.</PRE
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_init()</CODE
+>
+initializes the
+<SPAN
+CLASS="TYPE"
+>lwres_buffer_t</SPAN
+>
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>
+and assocates it with the memory region of size
+<VAR
+CLASS="PARAMETER"
+>length</VAR
+>
+bytes starting at location
+<VAR
+CLASS="PARAMETER"
+>base.</VAR
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_invalidate()</CODE
+>
+marks the buffer
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>
+as invalid. Invalidating a buffer after use is not required,
+but makes it possible to catch its possible accidental use.</P
+><P
+>The functions
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_add()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_subtract()</CODE
+>
+respectively increase and decrease the used space in
+buffer
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>
+by
+<VAR
+CLASS="PARAMETER"
+>n</VAR
+>
+bytes.
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_add()</CODE
+>
+checks for buffer overflow and
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_subtract()</CODE
+>
+checks for underflow.
+These functions do not allocate or deallocate memory.
+They just change the value of
+<CODE
+CLASS="STRUCTFIELD"
+>used</CODE
+>.</P
+><P
+>A buffer is re-initialised by
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_clear()</CODE
+>.
+The function sets
+<CODE
+CLASS="STRUCTFIELD"
+>used</CODE
+> ,
+<CODE
+CLASS="STRUCTFIELD"
+>current</CODE
+>
+and
+<CODE
+CLASS="STRUCTFIELD"
+>active</CODE
+>
+to zero.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_first</CODE
+>
+makes the consumed region of buffer
+<VAR
+CLASS="PARAMETER"
+>*p</VAR
+>
+empty by setting
+<CODE
+CLASS="STRUCTFIELD"
+>current</CODE
+>
+to zero (the start of the buffer).</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_forward()</CODE
+>
+increases the consumed region of buffer
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>
+by
+<VAR
+CLASS="PARAMETER"
+>n</VAR
+>
+bytes, checking for overflow.
+Similarly,
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_back()</CODE
+>
+decreases buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>'s
+consumed region by
+<VAR
+CLASS="PARAMETER"
+>n</VAR
+>
+bytes and checks for underflow.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_getuint8()</CODE
+>
+reads an unsigned 8-bit integer from
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>
+and returns it.
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putuint8()</CODE
+>
+writes the unsigned 8-bit integer
+<VAR
+CLASS="PARAMETER"
+>val</VAR
+>
+to buffer
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_buffer_getuint16()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_getuint32()</CODE
+>
+are identical to
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putuint8()</CODE
+>
+except that they respectively read an unsigned 16-bit or 32-bit integer
+in network byte order from
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>.
+Similarly,
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putuint16()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putuint32()</CODE
+>
+writes the unsigned 16-bit or 32-bit integer
+<VAR
+CLASS="PARAMETER"
+>val</VAR
+>
+to buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>,
+in network byte order.</P
+><P
+>Arbitrary amounts of data are read or written from a lightweight
+resolver buffer with
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_getmem()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putmem()</CODE
+>
+respectively.
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_putmem()</CODE
+>
+copies
+<VAR
+CLASS="PARAMETER"
+>length</VAR
+>
+bytes of memory at
+<VAR
+CLASS="PARAMETER"
+>base</VAR
+>
+to
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>.
+Conversely,
+<CODE
+CLASS="FUNCTION"
+>lwres_buffer_getmem()</CODE
+>
+copies
+<VAR
+CLASS="PARAMETER"
+>length</VAR
+>
+bytes of memory from
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>
+to
+<VAR
+CLASS="PARAMETER"
+>base</VAR
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.3 b/contrib/bind9/lib/lwres/man/lwres_config.3
new file mode 100644
index 0000000..0c345ef
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_config.3
@@ -0,0 +1,107 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_config.3,v 1.12.2.1.8.1 2004/03/06 07:41:42 marka Exp $
+.\"
+.TH "LWRES_CONFIG" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get \- lightweight resolver configuration
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+void
+lwres_conf_init(lwres_context_t *ctx);
+.ad
+.sp
+.na
+void
+lwres_conf_clear(lwres_context_t *ctx);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_conf_parse(lwres_context_t *ctx, const char *filename);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_conf_print(lwres_context_t *ctx, FILE *fp);
+.ad
+.sp
+.na
+lwres_conf_t *
+lwres_conf_get(lwres_context_t *ctx);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_conf_init()\fR
+creates an empty
+\fBlwres_conf_t\fR
+structure for lightweight resolver context
+\fIctx\fR.
+.PP
+\fBlwres_conf_clear()\fR
+frees up all the internal memory used by
+that
+\fBlwres_conf_t\fR
+structure in resolver context
+\fIctx\fR.
+.PP
+\fBlwres_conf_parse()\fR
+opens the file
+\fIfilename\fR
+and parses it to initialise the resolver context
+\fIctx\fR's
+\fBlwres_conf_t\fR
+structure.
+.PP
+\fBlwres_conf_print()\fR
+prints the
+\fBlwres_conf_t\fR
+structure for resolver context
+\fIctx\fR
+to the
+\fBFILE\fR
+\fIfp\fR.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_conf_parse()\fR
+returns
+LWRES_R_SUCCESS
+if it successfully read and parsed
+\fIfilename\fR.
+It returns
+LWRES_R_FAILURE
+if
+\fIfilename\fR
+could not be opened or contained incorrect
+resolver statements.
+.PP
+\fBlwres_conf_print()\fR
+returns
+LWRES_R_SUCCESS
+unless an error occurred when converting the network addresses to a
+numeric host address string.
+If this happens, the function returns
+LWRES_R_FAILURE.
+.SH "SEE ALSO"
+.PP
+\fBstdio\fR(3),
+\fBresolver\fR(5).
+.SH "FILES"
+.PP
+\fI/etc/resolv.conf\fR
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.docbook b/contrib/bind9/lib/lwres/man/lwres_config.docbook
new file mode 100644
index 0000000..eeb244e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_config.docbook
@@ -0,0 +1,159 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_config.docbook,v 1.2.206.1 2004/03/06 08:15:37 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_config</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_conf_init</refname>
+<refname>lwres_conf_clear</refname>
+<refname>lwres_conf_parse</refname>
+<refname>lwres_conf_print</refname>
+<refname>lwres_conf_get</refname>
+<refpurpose>lightweight resolver configuration</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_conf_init</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_conf_clear</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_conf_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>const char *filename</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_conf_print</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>FILE *fp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_conf_t *
+<function>lwres_conf_get</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<function>lwres_conf_init()</function>
+creates an empty
+<type>lwres_conf_t</type>
+structure for lightweight resolver context
+<parameter>ctx</parameter>.
+</para>
+<para>
+<function>lwres_conf_clear()</function>
+frees up all the internal memory used by
+that
+<type>lwres_conf_t</type>
+structure in resolver context
+<parameter>ctx</parameter>.
+</para>
+<para>
+<function>lwres_conf_parse()</function>
+opens the file
+<parameter>filename</parameter>
+and parses it to initialise the resolver context
+<parameter>ctx</parameter>'s
+<type>lwres_conf_t</type>
+structure.
+</para>
+<para>
+<function>lwres_conf_print()</function>
+prints the
+<type>lwres_conf_t</type>
+structure for resolver context
+<parameter>ctx</parameter>
+to the
+<type>FILE</type>
+<parameter>fp</parameter>.
+</para>
+</refsect1>
+<refsect1>
+
+<title>RETURN VALUES</title>
+<para>
+<function>lwres_conf_parse()</function>
+returns
+<errorcode>LWRES_R_SUCCESS</errorcode>
+if it successfully read and parsed
+<parameter>filename</parameter>.
+It returns
+<errorcode>LWRES_R_FAILURE</errorcode>
+if
+<parameter>filename</parameter>
+could not be opened or contained incorrect
+resolver statements.
+</para>
+<para>
+<function>lwres_conf_print()</function>
+returns
+<errorcode>LWRES_R_SUCCESS</errorcode>
+unless an error occurred when converting the network addresses to a
+numeric host address string.
+If this happens, the function returns
+<errorcode>LWRES_R_FAILURE</errorcode>.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>resolver</refentrytitle><manvolnum>5</manvolnum>
+</citerefentry>.
+</refsect1>
+<refsect1>
+<title>FILES</title>
+<para>
+<filename>/etc/resolv.conf</filename>
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_config.html b/contrib/bind9/lib/lwres/man/lwres_config.html
new file mode 100644
index 0000000..cd7c63b
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_config.html
@@ -0,0 +1,282 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_config.html,v 1.4.2.1.4.2 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_config</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_config</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_conf_init, lwres_conf_clear, lwres_conf_parse, lwres_conf_print, lwres_conf_get&nbsp;--&nbsp;lightweight resolver configuration</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN15"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN16"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_conf_init</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_conf_clear</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_conf_parse</CODE
+>(lwres_context_t *ctx, const char *filename);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_conf_print</CODE
+>(lwres_context_t *ctx, FILE *fp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_conf_t *
+lwres_conf_get</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN40"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_init()</CODE
+>
+creates an empty
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
+structure for lightweight resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_clear()</CODE
+>
+frees up all the internal memory used by
+that
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
+structure in resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_parse()</CODE
+>
+opens the file
+<VAR
+CLASS="PARAMETER"
+>filename</VAR
+>
+and parses it to initialise the resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>'s
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
+structure.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_print()</CODE
+>
+prints the
+<SPAN
+CLASS="TYPE"
+>lwres_conf_t</SPAN
+>
+structure for resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>
+to the
+<SPAN
+CLASS="TYPE"
+>FILE</SPAN
+>
+<VAR
+CLASS="PARAMETER"
+>fp</VAR
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_parse()</CODE
+>
+returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+if it successfully read and parsed
+<VAR
+CLASS="PARAMETER"
+>filename</VAR
+>.
+It returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
+if
+<VAR
+CLASS="PARAMETER"
+>filename</VAR
+>
+could not be opened or contained incorrect
+resolver statements.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_conf_print()</CODE
+>
+returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+unless an error occurred when converting the network addresses to a
+numeric host address string.
+If this happens, the function returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN73"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>stdio</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>resolver</SPAN
+>(5)</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN82"
+></A
+><H2
+>FILES</H2
+><P
+><TT
+CLASS="FILENAME"
+>/etc/resolv.conf</TT
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.3 b/contrib/bind9/lib/lwres/man/lwres_context.3
new file mode 100644
index 0000000..d19b18a
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_context.3
@@ -0,0 +1,196 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_context.3,v 1.13.2.2.2.2 2004/03/08 09:05:12 marka Exp $
+.\"
+.TH "LWRES_CONTEXT" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv \- lightweight resolver context management
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_context_create(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_context_destroy(lwres_context_t **contextp);
+.ad
+.sp
+.na
+void
+lwres_context_initserial(lwres_context_t *ctx, lwres_uint32_t serial);
+.ad
+.sp
+.na
+lwres_uint32_t
+lwres_context_nextserial(lwres_context_t *ctx);
+.ad
+.sp
+.na
+void
+lwres_context_freemem(lwres_context_t *ctx, void *mem, size_t len);
+.ad
+.sp
+.na
+void
+lwres_context_allocmem(lwres_context_t *ctx, size_t len);
+.ad
+.sp
+.na
+void *
+lwres_context_sendrecv(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_context_create()\fR
+creates a
+\fBlwres_context_t\fR
+structure for use in lightweight resolver operations.
+It holds a socket and other data needed for communicating
+with a resolver daemon.
+The new
+\fBlwres_context_t\fR
+is returned through
+\fIcontextp\fR,
+a pointer to a
+\fBlwres_context_t\fR
+pointer. This
+\fBlwres_context_t\fR
+pointer must initially be NULL, and is modified
+to point to the newly created
+\fBlwres_context_t\fR.
+.PP
+When the lightweight resolver needs to perform dynamic memory
+allocation, it will call
+\fImalloc_function\fR
+to allocate memory and
+\fIfree_function\fR
+to free it. If
+\fImalloc_function\fR
+and
+\fIfree_function\fR
+are NULL, memory is allocated using
+\&.Xr malloc 3
+and
+\fBfree\fR(3).
+It is not permitted to have a NULL
+\fImalloc_function\fR
+and a non-NULL
+\fIfree_function\fR
+or vice versa.
+\fIarg\fR
+is passed as the first parameter to the memory
+allocation functions.
+If
+\fImalloc_function\fR
+and
+\fIfree_function\fR
+are NULL,
+\fIarg\fR
+is unused and should be passed as NULL.
+.PP
+Once memory for the structure has been allocated,
+it is initialized using
+\fBlwres_conf_init\fR(3)
+and returned via
+\fI*contextp\fR.
+.PP
+\fBlwres_context_destroy()\fR
+destroys a
+\fBlwres_context_t\fR,
+closing its socket.
+\fIcontextp\fR
+is a pointer to a pointer to the context that is to be destroyed.
+The pointer will be set to NULL when the context has been destroyed.
+.PP
+The context holds a serial number that is used to identify resolver
+request packets and associate responses with the corresponding requests.
+This serial number is controlled using
+\fBlwres_context_initserial()\fR
+and
+\fBlwres_context_nextserial()\fR.
+\fBlwres_context_initserial()\fR
+sets the serial number for context
+\fI*ctx\fR
+to
+\fIserial\fR.
+\fBlwres_context_nextserial()\fR
+increments the serial number and returns the previous value.
+.PP
+Memory for a lightweight resolver context is allocated and freed using
+\fBlwres_context_allocmem()\fR
+and
+\fBlwres_context_freemem()\fR.
+These use whatever allocations were defined when the context was
+created with
+\fBlwres_context_create()\fR.
+\fBlwres_context_allocmem()\fR
+allocates
+\fIlen\fR
+bytes of memory and if successful returns a pointer to the allocated
+storage.
+\fBlwres_context_freemem()\fR
+frees
+\fIlen\fR
+bytes of space starting at location
+\fImem\fR.
+.PP
+\fBlwres_context_sendrecv()\fR
+performs I/O for the context
+\fIctx\fR.
+Data are read and written from the context's socket.
+It writes data from
+\fIsendbase\fR
+\(em typically a lightweight resolver query packet \(em
+and waits for a reply which is copied to the receive buffer at
+\fIrecvbase\fR.
+The number of bytes that were written to this receive buffer is
+returned in
+\fI*recvd_len\fR.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_context_create()\fR
+returns
+LWRES_R_NOMEMORY
+if memory for the
+\fBstruct lwres_context\fR
+could not be allocated,
+LWRES_R_SUCCESS
+otherwise.
+.PP
+Successful calls to the memory allocator
+\fBlwres_context_allocmem()\fR
+return a pointer to the start of the allocated space.
+It returns NULL if memory could not be allocated.
+.PP
+LWRES_R_SUCCESS
+is returned when
+\fBlwres_context_sendrecv()\fR
+completes successfully.
+LWRES_R_IOERROR
+is returned if an I/O error occurs and
+LWRES_R_TIMEOUT
+is returned if
+\fBlwres_context_sendrecv()\fR
+times out waiting for a response.
+.SH "SEE ALSO"
+.PP
+\fBlwres_conf_init\fR(3),
+\fBmalloc\fR(3),
+\fBfree\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.docbook b/contrib/bind9/lib/lwres/man/lwres_context.docbook
new file mode 100644
index 0000000..137e4bc
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_context.docbook
@@ -0,0 +1,283 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_context.docbook,v 1.3.2.2.2.1 2004/03/06 08:15:38 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+
+<date>Jun 30, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>lwres_context</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>lwres_context_create</refname>
+<refname>lwres_context_destroy</refname>
+<refname>lwres_context_nextserial</refname>
+<refname>lwres_context_initserial</refname>
+<refname>lwres_context_freemem</refname>
+<refname>lwres_context_allocmem</refname>
+<refname>lwres_context_sendrecv</refname>
+<refpurpose>lightweight resolver context management</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_context_create</function></funcdef>
+<paramdef>lwres_context_t **contextp</paramdef>
+<paramdef>void *arg</paramdef>
+<paramdef>lwres_malloc_t malloc_function</paramdef>
+<paramdef>lwres_free_t free_function</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_context_destroy</function></funcdef>
+<paramdef>lwres_context_t **contextp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_context_initserial</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_uint32_t serial</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_uint32_t
+<function>lwres_context_nextserial</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_context_freemem</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>void *mem</paramdef>
+<paramdef>size_t len</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_context_allocmem</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>size_t len</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void *
+<function>lwres_context_sendrecv</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>void *sendbase</paramdef>
+<paramdef>int sendlen</paramdef>
+<paramdef>void *recvbase</paramdef>
+<paramdef>int recvlen</paramdef>
+<paramdef>int *recvd_len</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<function>lwres_context_create()</function>
+creates a
+<type>lwres_context_t</type>
+structure for use in lightweight resolver operations.
+It holds a socket and other data needed for communicating
+with a resolver daemon.
+The new
+<type>lwres_context_t</type>
+is returned through
+<parameter>contextp</parameter>,
+
+a pointer to a
+<type>lwres_context_t</type>
+pointer. This
+<type>lwres_context_t</type>
+pointer must initially be NULL, and is modified
+to point to the newly created
+<type>lwres_context_t</type>.
+
+</para>
+<para>
+When the lightweight resolver needs to perform dynamic memory
+allocation, it will call
+<parameter>malloc_function</parameter>
+to allocate memory and
+<parameter>free_function</parameter>
+
+to free it. If
+<parameter>malloc_function</parameter>
+and
+<parameter>free_function</parameter>
+
+are NULL, memory is allocated using
+.Xr malloc 3
+and
+<citerefentry>
+<refentrytitle>free</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+
+It is not permitted to have a NULL
+<parameter>malloc_function</parameter>
+and a non-NULL
+<parameter>free_function</parameter>
+or vice versa.
+<parameter>arg</parameter>
+is passed as the first parameter to the memory
+allocation functions.
+If
+<parameter>malloc_function</parameter>
+and
+<parameter>free_function</parameter>
+are NULL,
+<parameter>arg</parameter>
+
+is unused and should be passed as NULL.
+</para>
+<para>
+Once memory for the structure has been allocated,
+it is initialized using
+<citerefentry>
+<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>
+
+and returned via
+<parameter>*contextp</parameter>.
+
+</para>
+<para>
+<function>lwres_context_destroy()</function>
+destroys a
+<type>lwres_context_t</type>,
+
+closing its socket.
+<parameter>contextp</parameter>
+is a pointer to a pointer to the context that is to be destroyed.
+The pointer will be set to NULL when the context has been destroyed.
+</para>
+<para>
+The context holds a serial number that is used to identify resolver
+request packets and associate responses with the corresponding requests.
+This serial number is controlled using
+<function>lwres_context_initserial()</function>
+and
+<function>lwres_context_nextserial()</function>.
+<function>lwres_context_initserial()</function>
+sets the serial number for context
+<parameter>*ctx</parameter>
+to
+<parameter>serial</parameter>.
+
+<function>lwres_context_nextserial()</function>
+increments the serial number and returns the previous value.
+</para>
+<para>
+Memory for a lightweight resolver context is allocated and freed using
+<function>lwres_context_allocmem()</function>
+and
+<function>lwres_context_freemem()</function>.
+These use whatever allocations were defined when the context was
+created with
+<function>lwres_context_create()</function>.
+<function>lwres_context_allocmem()</function>
+allocates
+<parameter>len</parameter>
+bytes of memory and if successful returns a pointer to the allocated
+storage.
+<function>lwres_context_freemem()</function>
+frees
+<parameter>len</parameter>
+bytes of space starting at location
+<parameter>mem</parameter>.
+
+</para>
+<para>
+<function>lwres_context_sendrecv()</function>
+performs I/O for the context
+<parameter>ctx</parameter>.
+
+Data are read and written from the context's socket.
+It writes data from
+<parameter>sendbase</parameter>
+&mdash; typically a lightweight resolver query packet &mdash;
+and waits for a reply which is copied to the receive buffer at
+<parameter>recvbase</parameter>.
+
+The number of bytes that were written to this receive buffer is
+returned in
+<parameter>*recvd_len</parameter>.
+
+</para>
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+<function>lwres_context_create()</function>
+returns
+<errorcode>LWRES_R_NOMEMORY</errorcode>
+if memory for the
+<type>struct lwres_context</type>
+could not be allocated,
+<errorcode>LWRES_R_SUCCESS</errorcode>
+otherwise.
+</para>
+<para>
+Successful calls to the memory allocator
+<function>lwres_context_allocmem()</function>
+return a pointer to the start of the allocated space.
+It returns NULL if memory could not be allocated.
+</para>
+<para>
+<errorcode>LWRES_R_SUCCESS</errorcode>
+is returned when
+<function>lwres_context_sendrecv()</function>
+completes successfully.
+<errorcode>LWRES_R_IOERROR</errorcode>
+is returned if an I/O error occurs and
+<errorcode>LWRES_R_TIMEOUT</errorcode>
+is returned if
+<function>lwres_context_sendrecv()</function>
+times out waiting for a response.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>malloc</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>free</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_context.html b/contrib/bind9/lib/lwres/man/lwres_context.html
new file mode 100644
index 0000000..cca12d7
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_context.html
@@ -0,0 +1,478 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_context.html,v 1.5.2.2.2.3 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_context</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_context</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_context_create, lwres_context_destroy, lwres_context_nextserial, lwres_context_initserial, lwres_context_freemem, lwres_context_allocmem, lwres_context_sendrecv&nbsp;--&nbsp;lightweight resolver context management</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN17"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN18"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_context_create</CODE
+>(lwres_context_t **contextp, void *arg, lwres_malloc_t malloc_function, lwres_free_t free_function);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_context_destroy</CODE
+>(lwres_context_t **contextp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_initserial</CODE
+>(lwres_context_t *ctx, lwres_uint32_t serial);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_uint32_t
+lwres_context_nextserial</CODE
+>(lwres_context_t *ctx);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_freemem</CODE
+>(lwres_context_t *ctx, void *mem, size_t len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_context_allocmem</CODE
+>(lwres_context_t *ctx, size_t len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void *
+lwres_context_sendrecv</CODE
+>(lwres_context_t *ctx, void *sendbase, int sendlen, void *recvbase, int recvlen, int *recvd_len);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN60"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_context_create()</CODE
+>
+creates a
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
+structure for use in lightweight resolver operations.
+It holds a socket and other data needed for communicating
+with a resolver daemon.
+The new
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
+is returned through
+<VAR
+CLASS="PARAMETER"
+>contextp</VAR
+>,
+
+a pointer to a
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
+pointer. This
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>
+pointer must initially be NULL, and is modified
+to point to the newly created
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>.&#13;</P
+><P
+>When the lightweight resolver needs to perform dynamic memory
+allocation, it will call
+<VAR
+CLASS="PARAMETER"
+>malloc_function</VAR
+>
+to allocate memory and
+<VAR
+CLASS="PARAMETER"
+>free_function</VAR
+>
+
+to free it. If
+<VAR
+CLASS="PARAMETER"
+>malloc_function</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>free_function</VAR
+>
+
+are NULL, memory is allocated using
+.Xr malloc 3
+and
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>free</SPAN
+>(3)</SPAN
+>.
+
+It is not permitted to have a NULL
+<VAR
+CLASS="PARAMETER"
+>malloc_function</VAR
+>
+and a non-NULL
+<VAR
+CLASS="PARAMETER"
+>free_function</VAR
+>
+or vice versa.
+<VAR
+CLASS="PARAMETER"
+>arg</VAR
+>
+is passed as the first parameter to the memory
+allocation functions.
+If
+<VAR
+CLASS="PARAMETER"
+>malloc_function</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>free_function</VAR
+>
+are NULL,
+<VAR
+CLASS="PARAMETER"
+>arg</VAR
+>
+
+is unused and should be passed as NULL.</P
+><P
+>Once memory for the structure has been allocated,
+it is initialized using
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_conf_init</SPAN
+>(3)</SPAN
+>
+
+and returned via
+<VAR
+CLASS="PARAMETER"
+>*contextp</VAR
+>.&#13;</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_context_destroy()</CODE
+>
+destroys a
+<SPAN
+CLASS="TYPE"
+>lwres_context_t</SPAN
+>,
+
+closing its socket.
+<VAR
+CLASS="PARAMETER"
+>contextp</VAR
+>
+is a pointer to a pointer to the context that is to be destroyed.
+The pointer will be set to NULL when the context has been destroyed.</P
+><P
+>The context holds a serial number that is used to identify resolver
+request packets and associate responses with the corresponding requests.
+This serial number is controlled using
+<CODE
+CLASS="FUNCTION"
+>lwres_context_initserial()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_context_nextserial()</CODE
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_context_initserial()</CODE
+>
+sets the serial number for context
+<VAR
+CLASS="PARAMETER"
+>*ctx</VAR
+>
+to
+<VAR
+CLASS="PARAMETER"
+>serial</VAR
+>.
+
+<CODE
+CLASS="FUNCTION"
+>lwres_context_nextserial()</CODE
+>
+increments the serial number and returns the previous value.</P
+><P
+>Memory for a lightweight resolver context is allocated and freed using
+<CODE
+CLASS="FUNCTION"
+>lwres_context_allocmem()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_context_freemem()</CODE
+>.
+These use whatever allocations were defined when the context was
+created with
+<CODE
+CLASS="FUNCTION"
+>lwres_context_create()</CODE
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_context_allocmem()</CODE
+>
+allocates
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+>
+bytes of memory and if successful returns a pointer to the allocated
+storage.
+<CODE
+CLASS="FUNCTION"
+>lwres_context_freemem()</CODE
+>
+frees
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+>
+bytes of space starting at location
+<VAR
+CLASS="PARAMETER"
+>mem</VAR
+>.&#13;</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</CODE
+>
+performs I/O for the context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>.
+
+Data are read and written from the context's socket.
+It writes data from
+<VAR
+CLASS="PARAMETER"
+>sendbase</VAR
+>
+&mdash; typically a lightweight resolver query packet &mdash;
+and waits for a reply which is copied to the receive buffer at
+<VAR
+CLASS="PARAMETER"
+>recvbase</VAR
+>.
+
+The number of bytes that were written to this receive buffer is
+returned in
+<VAR
+CLASS="PARAMETER"
+>*recvd_len</VAR
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN115"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_context_create()</CODE
+>
+returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
+if memory for the
+<SPAN
+CLASS="TYPE"
+>struct lwres_context</SPAN
+>
+could not be allocated,
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+otherwise.</P
+><P
+>Successful calls to the memory allocator
+<CODE
+CLASS="FUNCTION"
+>lwres_context_allocmem()</CODE
+>
+return a pointer to the start of the allocated space.
+It returns NULL if memory could not be allocated.</P
+><P
+><SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+is returned when
+<CODE
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</CODE
+>
+completes successfully.
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_IOERROR</SPAN
+>
+is returned if an I/O error occurs and
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_TIMEOUT</SPAN
+>
+is returned if
+<CODE
+CLASS="FUNCTION"
+>lwres_context_sendrecv()</CODE
+>
+times out waiting for a response.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN130"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_conf_init</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>malloc</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>free</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.3 b/contrib/bind9/lib/lwres/man/lwres_gabn.3
new file mode 100644
index 0000000..a309f3e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.3
@@ -0,0 +1,195 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_gabn.3,v 1.13.2.1.8.1 2004/03/06 07:41:42 marka Exp $
+.\"
+.TH "LWRES_GABN" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free \- lightweight resolver getaddrbyname message handling
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_gabnrequest_render(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnresponse_render(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnrequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gabnresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gabnresponse_free(lwres_context_t *ctx, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gabnrequest_free(lwres_context_t *ctx, lwres_gabnrequest_t **structp);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These are low-level routines for creating and parsing
+lightweight resolver name-to-address lookup request and
+response messages.
+.PP
+There are four main functions for the getaddrbyname opcode.
+One render function converts a getaddrbyname request structure \(em
+\fBlwres_gabnrequest_t\fR \(em
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getaddrbyname request structure.
+Another render function converts the getaddrbyname response structure \(em
+\fBlwres_gabnresponse_t\fR \(em
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getaddrbyname response structure.
+.PP
+These structures are defined in
+\fI<lwres/lwres.h>\fR.
+They are shown below.
+.sp
+.nf
+#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint32_t addrtypes;
+ lwres_uint16_t namelen;
+ char *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;
+.sp
+.fi
+.PP
+\fBlwres_gabnrequest_render()\fR
+uses resolver context
+\fIctx\fR
+to convert getaddrbyname request structure
+\fIreq\fR
+to canonical format.
+The packet header structure
+\fIpkt\fR
+is initialised and transferred to
+buffer
+\fIb\fR.
+The contents of
+\fI*req\fR
+are then appended to the buffer in canonical format.
+\fBlwres_gabnresponse_render()\fR
+performs the same task, except it converts a getaddrbyname response structure
+\fBlwres_gabnresponse_t\fR
+to the lightweight resolver's canonical format.
+.PP
+\fBlwres_gabnrequest_parse()\fR
+uses context
+\fIctx\fR
+to convert the contents of packet
+\fIpkt\fR
+to a
+\fBlwres_gabnrequest_t\fR
+structure.
+Buffer
+\fIb\fR
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+\fBlwres_gabnrequest_t\fR
+is made available through
+\fI*structp\fR.
+\fBlwres_gabnresponse_parse()\fR
+offers the same semantics as
+\fBlwres_gabnrequest_parse()\fR
+except it yields a
+\fBlwres_gabnresponse_t\fR
+structure.
+.PP
+\fBlwres_gabnresponse_free()\fR
+and
+\fBlwres_gabnrequest_free()\fR
+release the memory in resolver context
+\fIctx\fR
+that was allocated to the
+\fBlwres_gabnresponse_t\fR
+or
+\fBlwres_gabnrequest_t\fR
+structures referenced via
+\fIstructp\fR.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
+.SH "RETURN VALUES"
+.PP
+The getaddrbyname opcode functions
+\fBlwres_gabnrequest_render()\fR,
+\fBlwres_gabnresponse_render()\fR
+\fBlwres_gabnrequest_parse()\fR
+and
+\fBlwres_gabnresponse_parse()\fR
+all return
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
+if memory allocation fails.
+LWRES_R_UNEXPECTEDEND
+is returned if the available space in the buffer
+\fIb\fR
+is too small to accommodate the packet header or the
+\fBlwres_gabnrequest_t\fR
+and
+\fBlwres_gabnresponse_t\fR
+structures.
+\fBlwres_gabnrequest_parse()\fR
+and
+\fBlwres_gabnresponse_parse()\fR
+will return
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
+if
+\fBpktflags\fR
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3)
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.docbook b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
new file mode 100644
index 0000000..cb9481f
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.docbook
@@ -0,0 +1,255 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gabn.docbook,v 1.3.206.1 2004/03/06 08:15:38 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+
+<date>Jun 30, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>lwres_gabn</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>lwres_gabnrequest_render</refname>
+<refname>lwres_gabnresponse_render</refname>
+<refname>lwres_gabnrequest_parse</refname>
+<refname>lwres_gabnresponse_parse</refname>
+<refname>lwres_gabnresponse_free</refname>
+<refname>lwres_gabnrequest_free</refname>
+<refpurpose>lightweight resolver getaddrbyname message handling</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gabnrequest_render</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gabnrequest_t *req</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gabnresponse_render</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gabnresponse_t *req</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gabnrequest_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_gabnrequest_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gabnresponse_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_gabnresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_gabnresponse_free</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gabnresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_gabnrequest_free</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gabnrequest_t **structp</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+These are low-level routines for creating and parsing
+lightweight resolver name-to-address lookup request and
+response messages.
+</para><para>
+There are four main functions for the getaddrbyname opcode.
+One render function converts a getaddrbyname request structure &mdash;
+<type>lwres_gabnrequest_t</type> &mdash;
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getaddrbyname request structure.
+Another render function converts the getaddrbyname response structure &mdash;
+<type>lwres_gabnresponse_t</type> &mdash;
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getaddrbyname response structure.
+</para>
+<para>
+These structures are defined in
+<filename>&lt;lwres/lwres.h&gt;</filename>.
+They are shown below.
+<programlisting>
+#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint32_t addrtypes;
+ lwres_uint16_t namelen;
+ char *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;
+</programlisting>
+</para>
+<para>
+<function>lwres_gabnrequest_render()</function>
+uses resolver context
+<parameter>ctx</parameter>
+to convert getaddrbyname request structure
+<parameter>req</parameter>
+to canonical format.
+The packet header structure
+<parameter>pkt</parameter>
+is initialised and transferred to
+buffer
+<parameter>b</parameter>.
+
+The contents of
+<parameter>*req</parameter>
+are then appended to the buffer in canonical format.
+<function>lwres_gabnresponse_render()</function>
+performs the same task, except it converts a getaddrbyname response structure
+<type>lwres_gabnresponse_t</type>
+to the lightweight resolver's canonical format.
+</para>
+<para>
+<function>lwres_gabnrequest_parse()</function>
+uses context
+<parameter>ctx</parameter>
+to convert the contents of packet
+<parameter>pkt</parameter>
+to a
+<type>lwres_gabnrequest_t</type>
+structure.
+Buffer
+<parameter>b</parameter>
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+<type>lwres_gabnrequest_t</type>
+is made available through
+<parameter>*structp</parameter>.
+
+<function>lwres_gabnresponse_parse()</function>
+offers the same semantics as
+<function>lwres_gabnrequest_parse()</function>
+except it yields a
+<type>lwres_gabnresponse_t</type>
+structure.
+</para>
+<para>
+<function>lwres_gabnresponse_free()</function>
+and
+<function>lwres_gabnrequest_free()</function>
+release the memory in resolver context
+<parameter>ctx</parameter>
+that was allocated to the
+<type>lwres_gabnresponse_t</type>
+or
+<type>lwres_gabnrequest_t</type>
+structures referenced via
+<parameter>structp</parameter>.
+
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
+</para>
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+The getaddrbyname opcode functions
+<function>lwres_gabnrequest_render()</function>,
+<function>lwres_gabnresponse_render()</function>
+<function>lwres_gabnrequest_parse()</function>
+and
+<function>lwres_gabnresponse_parse()</function>
+all return
+<errorcode>LWRES_R_SUCCESS</errorcode>
+on success.
+They return
+<errorcode>LWRES_R_NOMEMORY</errorcode>
+if memory allocation fails.
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+is returned if the available space in the buffer
+<parameter>b</parameter>
+is too small to accommodate the packet header or the
+<type>lwres_gabnrequest_t</type>
+and
+<type>lwres_gabnresponse_t</type>
+structures.
+<function>lwres_gabnrequest_parse()</function>
+and
+<function>lwres_gabnresponse_parse()</function>
+will return
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<errorcode>LWRES_R_FAILURE</errorcode>
+if
+<structfield>pktflags</structfield>
+in the packet header structure
+<type>lwres_lwpacket_t</type>
+indicate that the packet is not a response to an earlier query.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gabn.html b/contrib/bind9/lib/lwres/man/lwres_gabn.html
new file mode 100644
index 0000000..6cb6614
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gabn.html
@@ -0,0 +1,419 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gabn.html,v 1.6.2.1.4.2 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_gabn</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_gabn</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gabnrequest_render, lwres_gabnresponse_render, lwres_gabnrequest_parse, lwres_gabnresponse_parse, lwres_gabnresponse_free, lwres_gabnrequest_free&nbsp;--&nbsp;lightweight resolver getaddrbyname message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN17"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnrequest_render</CODE
+>(lwres_context_t *ctx, lwres_gabnrequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnresponse_render</CODE
+>(lwres_context_t *ctx, lwres_gabnresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnrequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnrequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gabnresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gabnresponse_free</CODE
+>(lwres_context_t *ctx, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gabnrequest_free</CODE
+>(lwres_context_t *ctx, lwres_gabnrequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
+lightweight resolver name-to-address lookup request and
+response messages.</P
+><P
+>There are four main functions for the getaddrbyname opcode.
+One render function converts a getaddrbyname request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+> &mdash;
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getaddrbyname request structure.
+Another render function converts the getaddrbyname response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+> &mdash;
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getaddrbyname response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>&lt;lwres/lwres.h&gt;</TT
+>.
+They are shown below.
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_GETADDRSBYNAME 0x00010001U
+
+typedef struct lwres_addr lwres_addr_t;
+typedef LWRES_LIST(lwres_addr_t) lwres_addrlist_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint32_t addrtypes;
+ lwres_uint16_t namelen;
+ char *name;
+} lwres_gabnrequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;</PRE
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_render()</CODE
+>
+uses resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>
+to convert getaddrbyname request structure
+<VAR
+CLASS="PARAMETER"
+>req</VAR
+>
+to canonical format.
+The packet header structure
+<VAR
+CLASS="PARAMETER"
+>pkt</VAR
+>
+is initialised and transferred to
+buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>.
+
+The contents of
+<VAR
+CLASS="PARAMETER"
+>*req</VAR
+>
+are then appended to the buffer in canonical format.
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</CODE
+>
+performs the same task, except it converts a getaddrbyname response structure
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+to the lightweight resolver's canonical format.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</CODE
+>
+uses context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>
+to convert the contents of packet
+<VAR
+CLASS="PARAMETER"
+>pkt</VAR
+>
+to a
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
+structure.
+Buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
+is made available through
+<VAR
+CLASS="PARAMETER"
+>*structp</VAR
+>.
+
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</CODE
+>
+offers the same semantics as
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</CODE
+>
+except it yields a
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+structure.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_free()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_free()</CODE
+>
+release the memory in resolver context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+>
+that was allocated to the
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
+structures referenced via
+<VAR
+CLASS="PARAMETER"
+>structp</VAR
+>.
+
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN93"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The getaddrbyname opcode functions
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_render()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_render()</CODE
+>
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</CODE
+>
+all return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+on success.
+They return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
+if memory allocation fails.
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+is returned if the available space in the buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>
+is too small to accommodate the packet header or the
+<SPAN
+CLASS="TYPE"
+>lwres_gabnrequest_t</SPAN
+>
+and
+<SPAN
+CLASS="TYPE"
+>lwres_gabnresponse_t</SPAN
+>
+structures.
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnrequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gabnresponse_parse()</CODE
+>
+will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
+if
+<CODE
+CLASS="STRUCTFIELD"
+>pktflags</CODE
+>
+in the packet header structure
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3 b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
new file mode 100644
index 0000000..ea75066
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.3
@@ -0,0 +1,88 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_gai_strerror.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GAI_STRERROR" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+gai_strerror \- print suitable error string
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+char *
+gai_strerror(int ecode);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_gai_strerror()\fR
+returns an error message corresponding to an error code returned by
+\fBgetaddrinfo()\fR.
+The following error codes and their meaning are defined in
+\fIinclude/lwres/netdb.h\fR.
+.TP
+\fBEAI_ADDRFAMILY\fR
+address family for hostname not supported
+.TP
+\fBEAI_AGAIN\fR
+temporary failure in name resolution
+.TP
+\fBEAI_BADFLAGS\fR
+invalid value for
+ai_flags
+.TP
+\fBEAI_FAIL\fR
+non-recoverable failure in name resolution
+.TP
+\fBEAI_FAMILY\fR
+ai_family not supported
+.TP
+\fBEAI_MEMORY\fR
+memory allocation failure
+.TP
+\fBEAI_NODATA\fR
+no address associated with hostname
+.TP
+\fBEAI_NONAME\fR
+hostname or servname not provided, or not known
+.TP
+\fBEAI_SERVICE\fR
+servname not supported for ai_socktype
+.TP
+\fBEAI_SOCKTYPE\fR
+ai_socktype not supported
+.TP
+\fBEAI_SYSTEM\fR
+system error returned in errno
+.PP
+The message \fBinvalid error code\fR is returned if
+\fIecode\fR
+is out of range.
+.PP
+ai_flags,
+ai_family
+and
+ai_socktype
+are elements of the
+\fBstruct addrinfo\fR
+used by
+\fBlwres_getaddrinfo()\fR.
+.SH "SEE ALSO"
+.PP
+\fBstrerror\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBgetaddrinfo\fR(3),
+\fBRFC2133\fR.
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
new file mode 100644
index 0000000..475d444
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.docbook
@@ -0,0 +1,161 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gai_strerror.docbook,v 1.3.206.1 2004/03/06 08:15:38 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+
+<date>Jun 30, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>lwres_gai_strerror</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>gai_strerror</refname>
+<refpurpose>print suitable error string</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+char *
+<function>gai_strerror</function></funcdef>
+<paramdef>int ecode</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<function>lwres_gai_strerror()</function>
+returns an error message corresponding to an error code returned by
+<function>getaddrinfo()</function>.
+The following error codes and their meaning are defined in
+<filename>include/lwres/netdb.h</filename>.
+<variablelist>
+<varlistentry><term><errorcode>EAI_ADDRFAMILY</errorcode></term>
+<listitem>
+<para>
+address family for hostname not supported
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_AGAIN</errorcode></term>
+<listitem>
+<para>
+temporary failure in name resolution
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_BADFLAGS</errorcode></term>
+<listitem>
+<para>
+invalid value for
+<constant>ai_flags</constant>
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_FAIL</errorcode></term>
+<listitem>
+<para>
+non-recoverable failure in name resolution
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_FAMILY</errorcode></term>
+<listitem>
+<para>
+<constant>ai_family</constant> not supported
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_MEMORY</errorcode></term>
+<listitem>
+<para>
+memory allocation failure
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_NODATA</errorcode></term>
+<listitem>
+<para>
+no address associated with hostname
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_NONAME</errorcode></term>
+<listitem>
+<para>
+hostname or servname not provided, or not known
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_SERVICE</errorcode></term>
+<listitem>
+<para>
+servname not supported for <constant>ai_socktype</constant>
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_SOCKTYPE</errorcode></term>
+<listitem>
+<para>
+<constant>ai_socktype</constant> not supported
+</para>
+</listitem></varlistentry>
+<varlistentry><term><errorcode>EAI_SYSTEM</errorcode></term>
+<listitem>
+<para>
+system error returned in errno
+</para>
+</listitem></varlistentry>
+</variablelist>
+The message <errorname>invalid error code</errorname> is returned if
+<parameter>ecode</parameter>
+is out of range.
+</para>
+<para>
+<constant>ai_flags</constant>,
+<constant>ai_family</constant>
+and
+<constant>ai_socktype</constant>
+are elements of the
+<type>struct addrinfo</type>
+used by
+<function>lwres_getaddrinfo()</function>.
+</para>
+</refsect1>
+
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>RFC2133</refentrytitle>
+</citerefentry>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
new file mode 100644
index 0000000..45dc5cb
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gai_strerror.html
@@ -0,0 +1,295 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gai_strerror.html,v 1.5.2.1.4.2 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_gai_strerror</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_gai_strerror</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>gai_strerror&nbsp;--&nbsp;print suitable error string</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN12"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>char *
+gai_strerror</CODE
+>(int ecode);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN18"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gai_strerror()</CODE
+>
+returns an error message corresponding to an error code returned by
+<CODE
+CLASS="FUNCTION"
+>getaddrinfo()</CODE
+>.
+The following error codes and their meaning are defined in
+<TT
+CLASS="FILENAME"
+>include/lwres/netdb.h</TT
+>.
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_ADDRFAMILY</SPAN
+></DT
+><DD
+><P
+>address family for hostname not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_AGAIN</SPAN
+></DT
+><DD
+><P
+>temporary failure in name resolution</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_BADFLAGS</SPAN
+></DT
+><DD
+><P
+>invalid value for
+<CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_FAIL</SPAN
+></DT
+><DD
+><P
+>non-recoverable failure in name resolution</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_FAMILY</SPAN
+></DT
+><DD
+><P
+><CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+> not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_MEMORY</SPAN
+></DT
+><DD
+><P
+>memory allocation failure</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_NODATA</SPAN
+></DT
+><DD
+><P
+>no address associated with hostname</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_NONAME</SPAN
+></DT
+><DD
+><P
+>hostname or servname not provided, or not known</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SERVICE</SPAN
+></DT
+><DD
+><P
+>servname not supported for <CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SOCKTYPE</SPAN
+></DT
+><DD
+><P
+><CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+> not supported</P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>EAI_SYSTEM</SPAN
+></DT
+><DD
+><P
+>system error returned in errno</P
+></DD
+></DL
+></DIV
+>
+The message <SPAN
+CLASS="ERRORNAME"
+>invalid error code</SPAN
+> is returned if
+<VAR
+CLASS="PARAMETER"
+>ecode</VAR
+>
+is out of range.</P
+><P
+><CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+>,
+<CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+>
+are elements of the
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>
+used by
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN92"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>strerror</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getaddrinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
new file mode 100644
index 0000000..d360b3e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.3
@@ -0,0 +1,249 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_getaddrinfo.3,v 1.16.2.1.8.2 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GETADDRINFO" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_getaddrinfo, lwres_freeaddrinfo \- socket address structure to host and service name
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getaddrinfo(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);
+.ad
+.sp
+.na
+void
+lwres_freeaddrinfo(struct addrinfo *ai);
+.ad
+\fR
+.PP
+If the operating system does not provide a
+\fBstruct addrinfo\fR,
+the following structure is used:
+.sp
+.nf
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+};
+.sp
+.fi
+.SH "DESCRIPTION"
+.PP
+\fBlwres_getaddrinfo()\fR
+is used to get a list of IP addresses and port numbers for host
+\fIhostname\fR
+and service
+\fIservname\fR.
+The function is the lightweight resolver's implementation of
+\fBgetaddrinfo()\fR
+as defined in RFC2133.
+\fIhostname\fR
+and
+\fIservname\fR
+are pointers to null-terminated
+strings or
+\fBNULL\fR.
+\fIhostname\fR
+is either a host name or a numeric host address string: a dotted decimal
+IPv4 address or an IPv6 address.
+\fIservname\fR
+is either a decimal port number or a service name as listed in
+\fI/etc/services\fR.
+.PP
+\fIhints\fR
+is an optional pointer to a
+\fBstruct addrinfo\fR.
+This structure can be used to provide hints concerning the type of socket
+that the caller supports or wishes to use.
+The caller can supply the following structure elements in
+\fI*hints\fR:
+.TP
+\fBai_family\fR
+The protocol family that should be used.
+When
+ai_family
+is set to
+\fBPF_UNSPEC\fR,
+it means the caller will accept any protocol family supported by the
+operating system.
+.TP
+\fBai_socktype\fR
+denotes the type of socket \(em
+\fBSOCK_STREAM\fR,
+\fBSOCK_DGRAM\fR
+or
+\fBSOCK_RAW\fR
+\(em that is wanted.
+When
+ai_socktype
+is zero the caller will accept any socket type.
+.TP
+\fBai_protocol\fR
+indicates which transport protocol is wanted: IPPROTO_UDP or
+IPPROTO_TCP.
+If
+ai_protocol
+is zero the caller will accept any protocol.
+.TP
+\fBai_flags\fR
+Flag bits.
+If the
+\fBAI_CANONNAME\fR
+bit is set, a successful call to
+\fBlwres_getaddrinfo()\fR
+will return a null-terminated string containing the canonical name
+of the specified hostname in
+ai_canonname
+of the first
+\fBaddrinfo\fR
+structure returned.
+Setting the
+\fBAI_PASSIVE\fR
+bit indicates that the returned socket address structure is intended
+for used in a call to
+\fBbind\fR(2).
+In this case, if the hostname argument is a
+\fBNULL\fR
+pointer, then the IP address portion of the socket
+address structure will be set to
+\fBINADDR_ANY\fR
+for an IPv4 address or
+\fBIN6ADDR_ANY_INIT\fR
+for an IPv6 address.
+
+When
+ai_flags
+does not set the
+\fBAI_PASSIVE\fR
+bit, the returned socket address structure will be ready
+for use in a call to
+\fBconnect\fR(2)
+for a connection-oriented protocol or
+\fBconnect\fR(2),
+\fBsendto\fR(2),
+or
+\fBsendmsg\fR(2)
+if a connectionless protocol was chosen.
+The IP address portion of the socket address structure will be
+set to the loopback address if
+\fIhostname\fR
+is a
+\fBNULL\fR
+pointer and
+\fBAI_PASSIVE\fR
+is not set in
+ai_flags.
+
+If
+ai_flags
+is set to
+\fBAI_NUMERICHOST\fR
+it indicates that
+\fIhostname\fR
+should be treated as a numeric string defining an IPv4 or IPv6 address
+and no name resolution should be attempted.
+.PP
+All other elements of the \fBstruct addrinfo\fR passed
+via \fIhints\fR must be zero.
+.PP
+A \fIhints\fR of \fBNULL\fR is treated as if
+the caller provided a \fBstruct addrinfo\fR initialized to zero
+with ai_familyset to
+PF_UNSPEC.
+.PP
+After a successful call to
+\fBlwres_getaddrinfo()\fR,
+\fI*res\fR
+is a pointer to a linked list of one or more
+\fBaddrinfo\fR
+structures.
+Each
+\fBstruct addrinfo\fR
+in this list cn be processed by following
+the
+ai_next
+pointer, until a
+\fBNULL\fR
+pointer is encountered.
+The three members
+ai_family,
+ai_socktype,
+and
+ai_protocol
+in each
+returned
+\fBaddrinfo\fR
+structure contain the corresponding arguments for a call to
+\fBsocket\fR(2).
+For each
+\fBaddrinfo\fR
+structure in the list, the
+ai_addr
+member points to a filled-in socket address structure of length
+ai_addrlen.
+.PP
+All of the information returned by
+\fBlwres_getaddrinfo()\fR
+is dynamically allocated: the addrinfo structures, and the socket
+address structures and canonical host name strings pointed to by the
+addrinfostructures.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+\fBlwres_getaddrinfo()\fR
+is released by
+\fBlwres_freeaddrinfo()\fR.
+\fIai\fR
+is a pointer to a
+\fBstruct addrinfo\fR
+created by a call to
+\fBlwres_getaddrinfo()\fR.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getaddrinfo()\fR
+returns zero on success or one of the error codes listed in
+\fBgai_strerror\fR(3)
+if an error occurs.
+If both
+\fIhostname\fR
+and
+\fIservname\fR
+are
+\fBNULL\fR
+\fBlwres_getaddrinfo()\fR
+returns
+EAI_NONAME.
+.SH "SEE ALSO"
+.PP
+\fBlwres\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBlwres_freeaddrinfo\fR(3),
+\fBlwres_gai_strerror\fR(3),
+\fBRFC2133\fR,
+\fBgetservbyname\fR(3),
+\fBbind\fR(2),
+\fBconnect\fR(2),
+\fBsendto\fR(2),
+\fBsendmsg\fR(2),
+\fBsocket\fR(2).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
new file mode 100644
index 0000000..2f2fc82
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -0,0 +1,372 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getaddrinfo.docbook,v 1.5.206.2 2004/03/06 08:15:39 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_getaddrinfo</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_getaddrinfo</refname>
+<refname>lwres_freeaddrinfo</refname>
+<refpurpose>socket address structure to host and service name</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+int
+<function>lwres_getaddrinfo</function></funcdef>
+<paramdef>const char *hostname</paramdef>
+<paramdef>const char *servname</paramdef>
+<paramdef>const struct addrinfo *hints</paramdef>
+<paramdef>struct addrinfo **res</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_freeaddrinfo</function></funcdef>
+<paramdef>struct addrinfo *ai</paramdef>
+</funcprototype>
+</funcsynopsis>
+
+<para>
+If the operating system does not provide a
+<type>struct addrinfo</type>,
+the following structure is used:
+
+<programlisting>
+struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+};
+</programlisting>
+</para>
+
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<function>lwres_getaddrinfo()</function>
+is used to get a list of IP addresses and port numbers for host
+<parameter>hostname</parameter>
+and service
+<parameter>servname</parameter>.
+
+The function is the lightweight resolver's implementation of
+<function>getaddrinfo()</function>
+as defined in RFC2133.
+<parameter>hostname</parameter>
+and
+<parameter>servname</parameter>
+are pointers to null-terminated
+strings or
+<type>NULL</type>.
+
+<parameter>hostname</parameter>
+is either a host name or a numeric host address string: a dotted decimal
+IPv4 address or an IPv6 address.
+<parameter>servname</parameter>
+is either a decimal port number or a service name as listed in
+<filename>/etc/services</filename>.
+</para>
+
+<para>
+<parameter>hints</parameter>
+is an optional pointer to a
+<type>struct addrinfo</type>.
+This structure can be used to provide hints concerning the type of socket
+that the caller supports or wishes to use.
+The caller can supply the following structure elements in
+<parameter>*hints</parameter>:
+
+<variablelist>
+<varlistentry><term><constant>ai_family</constant></term>
+<listitem>
+<para>The protocol family that should be used.
+When
+<constant>ai_family</constant>
+is set to
+<type>PF_UNSPEC</type>,
+it means the caller will accept any protocol family supported by the
+operating system.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>ai_socktype</constant></term>
+<listitem>
+<para>
+denotes the type of socket &mdash;
+<type>SOCK_STREAM</type>,
+<type>SOCK_DGRAM</type>
+or
+<type>SOCK_RAW</type>
+&mdash; that is wanted.
+When
+<constant>ai_socktype</constant>
+is zero the caller will accept any socket type.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry><term><constant>ai_protocol</constant></term>
+<listitem>
+<para>
+indicates which transport protocol is wanted: IPPROTO_UDP or
+IPPROTO_TCP.
+If
+<constant>ai_protocol</constant>
+is zero the caller will accept any protocol.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry><term><constant>ai_flags</constant></term>
+<listitem>
+<para>
+Flag bits.
+If the
+<type>AI_CANONNAME</type>
+bit is set, a successful call to
+<function>lwres_getaddrinfo()</function>
+will return a null-terminated string containing the canonical name
+of the specified hostname in
+<constant>ai_canonname</constant>
+of the first
+<type>addrinfo</type>
+structure returned.
+Setting the
+<type>AI_PASSIVE</type>
+bit indicates that the returned socket address structure is intended
+for used in a call to
+<citerefentry>
+<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>.
+
+In this case, if the hostname argument is a
+<type>NULL</type>
+pointer, then the IP address portion of the socket
+address structure will be set to
+<type>INADDR_ANY</type>
+for an IPv4 address or
+<type>IN6ADDR_ANY_INIT</type>
+for an IPv6 address.
+</para>
+<para>
+When
+<constant>ai_flags</constant>
+does not set the
+<type>AI_PASSIVE</type>
+bit, the returned socket address structure will be ready
+for use in a call to
+<citerefentry>
+<refentrytitle>connect</refentrytitle><manvolnum>2
+</manvolnum>
+</citerefentry>
+for a connection-oriented protocol or
+<citerefentry>
+<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+or
+<citerefentry>
+<refentrytitle>sendmsg</refentrytitle><manvolnum>2
+</manvolnum>
+</citerefentry>
+if a connectionless protocol was chosen.
+The IP address portion of the socket address structure will be
+set to the loopback address if
+<parameter>hostname</parameter>
+is a
+<type>NULL</type>
+pointer and
+<type>AI_PASSIVE</type>
+is not set in
+<constant>ai_flags</constant>.
+</para>
+<para>
+If
+<constant>ai_flags</constant>
+is set to
+<type>AI_NUMERICHOST</type>
+it indicates that
+<parameter>hostname</parameter>
+should be treated as a numeric string defining an IPv4 or IPv6 address
+and no name resolution should be attempted.
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+</para>
+
+<para>
+All other elements of the <type>struct addrinfo</type> passed
+via <parameter>hints</parameter> must be zero.
+</para>
+
+<para>
+A <parameter>hints</parameter> of <type>NULL</type> is treated as if
+the caller provided a <type>struct addrinfo</type> initialized to zero
+with <constant>ai_family</constant>set to
+<constant>PF_UNSPEC</constant>.
+</para>
+
+<para>
+After a successful call to
+<function>lwres_getaddrinfo()</function>,
+<parameter>*res</parameter>
+is a pointer to a linked list of one or more
+<type>addrinfo</type>
+structures.
+Each
+<type>struct addrinfo</type>
+in this list cn be processed by following
+the
+<constant>ai_next</constant>
+pointer, until a
+<type>NULL</type>
+pointer is encountered.
+The three members
+<constant>ai_family</constant>,
+<constant>ai_socktype</constant>,
+and
+<constant>ai_protocol</constant>
+in each
+returned
+<type>addrinfo</type>
+structure contain the corresponding arguments for a call to
+<citerefentry>
+<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>.
+For each
+<type>addrinfo</type>
+structure in the list, the
+<constant>ai_addr</constant>
+member points to a filled-in socket address structure of length
+<constant>ai_addrlen</constant>.
+</para>
+
+<para>
+All of the information returned by
+<function>lwres_getaddrinfo()</function>
+is dynamically allocated: the addrinfo structures, and the socket
+address structures and canonical host name strings pointed to by the
+<constant>addrinfo</constant>structures.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+<function>lwres_getaddrinfo()</function>
+is released by
+<function>lwres_freeaddrinfo()</function>.
+<parameter>ai</parameter>
+is a pointer to a
+<type>struct addrinfo</type>
+created by a call to
+<function>lwres_getaddrinfo()</function>.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+<function>lwres_getaddrinfo()</function>
+returns zero on success or one of the error codes listed in
+<citerefentry>
+<refentrytitle>gai_strerror</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+if an error occurs.
+If both
+<parameter>hostname</parameter>
+and
+<parameter>servname</parameter>
+are
+<type>NULL</type>
+<function>lwres_getaddrinfo()</function>
+returns
+<errorcode>EAI_NONAME</errorcode>.
+
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_freeaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_gai_strerror</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>RFC2133</refentrytitle>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>getservbyname</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>bind</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>connect</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>sendto</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>sendmsg</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum>
+</citerefentry>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
new file mode 100644
index 0000000..b568e59
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getaddrinfo.html
@@ -0,0 +1,693 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getaddrinfo.html,v 1.8.2.1.4.3 2004/08/22 23:39:03 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_getaddrinfo</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_getaddrinfo</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getaddrinfo, lwres_freeaddrinfo&nbsp;--&nbsp;socket address structure to host and service name</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN13"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getaddrinfo</CODE
+>(const char *hostname, const char *servname, const struct addrinfo *hints, struct addrinfo **res);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freeaddrinfo</CODE
+>(struct addrinfo *ai);</CODE
+></P
+><P
+></P
+></DIV
+><P
+>If the operating system does not provide a
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>,
+the following structure is used:
+
+<PRE
+CLASS="PROGRAMLISTING"
+>struct addrinfo {
+ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
+ int ai_family; /* PF_xxx */
+ int ai_socktype; /* SOCK_xxx */
+ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
+ size_t ai_addrlen; /* length of ai_addr */
+ char *ai_canonname; /* canonical name for hostname */
+ struct sockaddr *ai_addr; /* binary address */
+ struct addrinfo *ai_next; /* next structure in linked list */
+};</PRE
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN29"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+is used to get a list of IP addresses and port numbers for host
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+and service
+<VAR
+CLASS="PARAMETER"
+>servname</VAR
+>.
+
+The function is the lightweight resolver's implementation of
+<CODE
+CLASS="FUNCTION"
+>getaddrinfo()</CODE
+>
+as defined in RFC2133.
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>servname</VAR
+>
+are pointers to null-terminated
+strings or
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>.
+
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+is either a host name or a numeric host address string: a dotted decimal
+IPv4 address or an IPv6 address.
+<VAR
+CLASS="PARAMETER"
+>servname</VAR
+>
+is either a decimal port number or a service name as listed in
+<TT
+CLASS="FILENAME"
+>/etc/services</TT
+>.</P
+><P
+><VAR
+CLASS="PARAMETER"
+>hints</VAR
+>
+is an optional pointer to a
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>.
+This structure can be used to provide hints concerning the type of socket
+that the caller supports or wishes to use.
+The caller can supply the following structure elements in
+<VAR
+CLASS="PARAMETER"
+>*hints</VAR
+>:
+
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+></DT
+><DD
+><P
+>The protocol family that should be used.
+When
+<CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+>
+is set to
+<SPAN
+CLASS="TYPE"
+>PF_UNSPEC</SPAN
+>,
+it means the caller will accept any protocol family supported by the
+operating system.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+></DT
+><DD
+><P
+>denotes the type of socket &mdash;
+<SPAN
+CLASS="TYPE"
+>SOCK_STREAM</SPAN
+>,
+<SPAN
+CLASS="TYPE"
+>SOCK_DGRAM</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>SOCK_RAW</SPAN
+>
+&mdash; that is wanted.
+When
+<CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+>
+is zero the caller will accept any socket type.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ai_protocol</CODE
+></DT
+><DD
+><P
+>indicates which transport protocol is wanted: IPPROTO_UDP or
+IPPROTO_TCP.
+If
+<CODE
+CLASS="CONSTANT"
+>ai_protocol</CODE
+>
+is zero the caller will accept any protocol.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+></DT
+><DD
+><P
+>Flag bits.
+If the
+<SPAN
+CLASS="TYPE"
+>AI_CANONNAME</SPAN
+>
+bit is set, a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+will return a null-terminated string containing the canonical name
+of the specified hostname in
+<CODE
+CLASS="CONSTANT"
+>ai_canonname</CODE
+>
+of the first
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
+structure returned.
+Setting the
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
+bit indicates that the returned socket address structure is intended
+for used in a call to
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>bind</SPAN
+>(2)</SPAN
+>.
+
+In this case, if the hostname argument is a
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+pointer, then the IP address portion of the socket
+address structure will be set to
+<SPAN
+CLASS="TYPE"
+>INADDR_ANY</SPAN
+>
+for an IPv4 address or
+<SPAN
+CLASS="TYPE"
+>IN6ADDR_ANY_INIT</SPAN
+>
+for an IPv6 address.</P
+><P
+>When
+<CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+>
+does not set the
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
+bit, the returned socket address structure will be ready
+for use in a call to
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>
+for a connection-oriented protocol or
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendto</SPAN
+>(2)</SPAN
+>,
+
+or
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendmsg</SPAN
+>(2)</SPAN
+>
+if a connectionless protocol was chosen.
+The IP address portion of the socket address structure will be
+set to the loopback address if
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+is a
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+pointer and
+<SPAN
+CLASS="TYPE"
+>AI_PASSIVE</SPAN
+>
+is not set in
+<CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+>.</P
+><P
+>If
+<CODE
+CLASS="CONSTANT"
+>ai_flags</CODE
+>
+is set to
+<SPAN
+CLASS="TYPE"
+>AI_NUMERICHOST</SPAN
+>
+it indicates that
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+should be treated as a numeric string defining an IPv4 or IPv6 address
+and no name resolution should be attempted.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>All other elements of the <SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+> passed
+via <VAR
+CLASS="PARAMETER"
+>hints</VAR
+> must be zero.</P
+><P
+>A <VAR
+CLASS="PARAMETER"
+>hints</VAR
+> of <SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> is treated as if
+the caller provided a <SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+> initialized to zero
+with <CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+>set to
+<CODE
+CLASS="CONSTANT"
+>PF_UNSPEC</CODE
+>.</P
+><P
+>After a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>,
+<VAR
+CLASS="PARAMETER"
+>*res</VAR
+>
+is a pointer to a linked list of one or more
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
+structures.
+Each
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>
+in this list cn be processed by following
+the
+<CODE
+CLASS="CONSTANT"
+>ai_next</CODE
+>
+pointer, until a
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+pointer is encountered.
+The three members
+<CODE
+CLASS="CONSTANT"
+>ai_family</CODE
+>,
+<CODE
+CLASS="CONSTANT"
+>ai_socktype</CODE
+>,
+and
+<CODE
+CLASS="CONSTANT"
+>ai_protocol</CODE
+>
+in each
+returned
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
+structure contain the corresponding arguments for a call to
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>socket</SPAN
+>(2)</SPAN
+>.
+For each
+<SPAN
+CLASS="TYPE"
+>addrinfo</SPAN
+>
+structure in the list, the
+<CODE
+CLASS="CONSTANT"
+>ai_addr</CODE
+>
+member points to a filled-in socket address structure of length
+<CODE
+CLASS="CONSTANT"
+>ai_addrlen</CODE
+>.</P
+><P
+>All of the information returned by
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+is dynamically allocated: the addrinfo structures, and the socket
+address structures and canonical host name strings pointed to by the
+<CODE
+CLASS="CONSTANT"
+>addrinfo</CODE
+>structures.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+is released by
+<CODE
+CLASS="FUNCTION"
+>lwres_freeaddrinfo()</CODE
+>.
+<VAR
+CLASS="PARAMETER"
+>ai</VAR
+>
+is a pointer to a
+<SPAN
+CLASS="TYPE"
+>struct addrinfo</SPAN
+>
+created by a call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN142"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+returns zero on success or one of the error codes listed in
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gai_strerror</SPAN
+>(3)</SPAN
+>
+if an error occurs.
+If both
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+and
+<VAR
+CLASS="PARAMETER"
+>servname</VAR
+>
+are
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrinfo()</CODE
+>
+returns
+<SPAN
+CLASS="ERRORCODE"
+>EAI_NONAME</SPAN
+>.&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN154"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_freeaddrinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gai_strerror</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getservbyname</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>bind</SPAN
+>(2)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>connect</SPAN
+>(2)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendto</SPAN
+>(2)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>sendmsg</SPAN
+>(2)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>socket</SPAN
+>(2)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.3 b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
new file mode 100644
index 0000000..5a42347
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.3
@@ -0,0 +1,272 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_gethostent.3,v 1.16.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GETHOSTENT" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r \- lightweight resolver get network host entry
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+struct hostent *
+lwres_gethostbyname(const char *name);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyname2(const char *name, int af);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyaddr(const char *addr, int len, int type);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostent(void);
+.ad
+.sp
+.na
+void
+lwres_sethostent(int stayopen);
+.ad
+.sp
+.na
+void
+lwres_endhostent(void);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyname_r(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostbyaddr_r(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+struct hostent *
+lwres_gethostent_r(struct hostent *resbuf, char *buf, int buflen, int *error);
+.ad
+.sp
+.na
+void
+lwres_sethostent_r(int stayopen);
+.ad
+.sp
+.na
+void
+lwres_endhostent_r(void);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These functions provide hostname-to-address and
+address-to-hostname lookups by means of the lightweight resolver.
+They are similar to the standard
+\fBgethostent\fR(3)
+functions provided by most operating systems.
+They use a
+\fBstruct hostent\fR
+which is usually defined in
+\fI<namedb.h>\fR.
+.sp
+.nf
+struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */
+.sp
+.fi
+.PP
+The members of this structure are:
+.TP
+\fBh_name\fR
+The official (canonical) name of the host.
+.TP
+\fBh_aliases\fR
+A NULL-terminated array of alternate names (nicknames) for the host.
+.TP
+\fBh_addrtype\fR
+The type of address being returned \(em
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR.
+.TP
+\fBh_length\fR
+The length of the address in bytes.
+.TP
+\fBh_addr_list\fR
+A \fBNULL\fR
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
+.PP
+For backward compatibility with very old software,
+h_addr
+is the first address in
+h_addr_list.
+.PP
+\fBlwres_gethostent()\fR,
+\fBlwres_sethostent()\fR,
+\fBlwres_endhostent()\fR,
+\fBlwres_gethostent_r()\fR,
+\fBlwres_sethostent_r()\fR
+and
+\fBlwres_endhostent_r()\fR
+provide iteration over the known host entries on systems that
+provide such functionality through facilities like
+\fI/etc/hosts\fR
+or NIS. The lightweight resolver does not currently implement
+these functions; it only provides them as stub functions that always
+return failure.
+.PP
+\fBlwres_gethostbyname()\fR and
+\fBlwres_gethostbyname2()\fR look up the hostname
+\fIname\fR.
+\fBlwres_gethostbyname()\fR always looks for an IPv4
+address while \fBlwres_gethostbyname2()\fR looks for an
+address of protocol family \fIaf\fR: either
+\fBPF_INET\fR or \fBPF_INET6\fR \(em IPv4 or IPV6
+addresses respectively. Successful calls of the functions return a
+\fBstruct hostent\fRfor the name that was looked up.
+\fBNULL\fR is returned if the lookups by
+\fBlwres_gethostbyname()\fR or
+\fBlwres_gethostbyname2()\fR fail.
+.PP
+Reverse lookups of addresses are performed by
+\fBlwres_gethostbyaddr()\fR.
+\fIaddr\fR is an address of length
+\fIlen\fR bytes and protocol family
+\fItype\fR \(em \fBPF_INET\fR or
+\fBPF_INET6\fR.
+\fBlwres_gethostbyname_r()\fR is a thread-safe function
+for forward lookups. If an error occurs, an error code is returned in
+\fI*error\fR.
+\fIresbuf\fR is a pointer to a \fBstruct
+hostent\fR which is initialised by a successful call to
+\fBlwres_gethostbyname_r()\fR .
+\fIbuf\fR is a buffer of length
+\fIlen\fR bytes which is used to store the
+h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR returned in \fIresbuf\fR.
+Successful calls to \fBlwres_gethostbyname_r()\fR
+return \fIresbuf\fR,
+which is a pointer to the \fBstruct hostent\fR it created.
+.PP
+\fBlwres_gethostbyaddr_r()\fR is a thread-safe function
+that performs a reverse lookup of address \fIaddr\fR
+which is \fIlen\fR bytes long and is of protocol
+family \fItype\fR \(em \fBPF_INET\fR or
+\fBPF_INET6\fR. If an error occurs, the error code is returned
+in \fI*error\fR. The other function parameters are
+identical to those in \fBlwres_gethostbyname_r()\fR.
+\fIresbuf\fR is a pointer to a \fBstruct
+hostent\fR which is initialised by a successful call to
+\fBlwres_gethostbyaddr_r()\fR.
+\fIbuf\fR is a buffer of length
+\fIlen\fR bytes which is used to store the
+h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR returned in \fIresbuf\fR. Successful
+calls to \fBlwres_gethostbyaddr_r()\fR return
+\fIresbuf\fR, which is a pointer to the
+\fBstruct hostent()\fR it created.
+.SH "RETURN VALUES"
+.PP
+The functions
+\fBlwres_gethostbyname()\fR,
+\fBlwres_gethostbyname2()\fR,
+\fBlwres_gethostbyaddr()\fR,
+and
+\fBlwres_gethostent()\fR
+return NULL to indicate an error. In this case the global variable
+\fBlwres_h_errno\fR
+will contain one of the following error codes defined in
+\fI<lwres/netdb.h>\fR:
+.TP
+\fBHOST_NOT_FOUND\fR
+The host or address was not found.
+.TP
+\fBTRY_AGAIN\fR
+A recoverable error occurred, e.g., a timeout.
+Retrying the lookup may succeed.
+.TP
+\fBNO_RECOVERY\fR
+A non-recoverable error occurred.
+.TP
+\fBNO_DATA\fR
+The name exists, but has no address information
+associated with it (or vice versa in the case
+of a reverse lookup). The code NO_ADDRESS
+is accepted as a synonym for NO_DATA for backwards
+compatibility.
+.PP
+\fBlwres_hstrerror\fR(3)
+translates these error codes to suitable error messages.
+.PP
+\fBlwres_gethostent()\fR
+and
+\fBlwres_gethostent_r()\fR
+always return
+\fBNULL\fR.
+.PP
+Successful calls to \fBlwres_gethostbyname_r()\fR and
+\fBlwres_gethostbyaddr_r()\fR return
+\fIresbuf\fR, a pointer to the \fBstruct
+hostent\fR that was initialised by these functions. They return
+\fBNULL\fR if the lookups fail or if \fIbuf\fR
+was too small to hold the list of addresses and names referenced by
+the h_name, h_aliases, and
+h_addr_list elements of the \fBstruct
+hostent\fR. If \fIbuf\fR was too small, both
+\fBlwres_gethostbyname_r()\fR and
+\fBlwres_gethostbyaddr_r()\fR set the global variable
+\fBerrno\fR to ERANGE.
+.SH "SEE ALSO"
+.PP
+\fBgethostent\fR(3),
+\fBlwres_getipnode\fR(3),
+\fBlwres_hstrerror\fR(3)
+.SH "BUGS"
+.PP
+\fBlwres_gethostbyname()\fR,
+\fBlwres_gethostbyname2()\fR,
+\fBlwres_gethostbyaddr()\fR
+and
+\fBlwres_endhostent()\fR
+are not thread safe; they return pointers to static data and
+provide error codes through a global variable.
+Thread-safe versions for name and address lookup are provided by
+\fBlwres_gethostbyname_r()\fR,
+and
+\fBlwres_gethostbyaddr_r()\fR
+respectively.
+.PP
+The resolver daemon does not currently support any non-DNS
+name services such as
+\fI/etc/hosts\fR
+or
+\fBNIS\fR,
+consequently the above functions don't, either.
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
new file mode 100644
index 0000000..10324c3
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.docbook
@@ -0,0 +1,407 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gethostent.docbook,v 1.5.206.1 2004/03/06 08:15:39 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_gethostent</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_gethostbyname</refname>
+<refname>lwres_gethostbyname2</refname>
+<refname>lwres_gethostbyaddr</refname>
+<refname>lwres_gethostent</refname>
+<refname>lwres_sethostent</refname>
+<refname>lwres_endhostent</refname>
+<refname>lwres_gethostbyname_r</refname>
+<refname>lwres_gethostbyaddr_r</refname>
+<refname>lwres_gethostent_r</refname>
+<refname>lwres_sethostent_r</refname>
+<refname>lwres_endhostent_r</refname>
+<refpurpose>lightweight resolver get network host entry</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostbyname</function></funcdef>
+<paramdef>const char *name</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostbyname2</function></funcdef>
+<paramdef>const char *name</paramdef>
+<paramdef>int af</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostbyaddr</function></funcdef>
+<paramdef>const char *addr</paramdef>
+<paramdef>int len</paramdef>
+<paramdef>int type</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostent</function></funcdef>
+<paramdef>void</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_sethostent</function></funcdef>
+<paramdef>int stayopen</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_endhostent</function></funcdef>
+<paramdef>void</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostbyname_r</function></funcdef>
+<paramdef>const char *name</paramdef>
+<paramdef>struct hostent *resbuf</paramdef>
+<paramdef>char *buf</paramdef>
+<paramdef>int buflen</paramdef>
+<paramdef>int *error</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostbyaddr_r</function></funcdef>
+<paramdef>const char *addr</paramdef>
+<paramdef>int len</paramdef>
+<paramdef>int type</paramdef>
+<paramdef>struct hostent *resbuf</paramdef>
+<paramdef>char *buf</paramdef>
+<paramdef>int buflen</paramdef>
+<paramdef>int *error</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_gethostent_r</function></funcdef>
+<paramdef>struct hostent *resbuf</paramdef>
+<paramdef>char *buf</paramdef>
+<paramdef>int buflen</paramdef>
+<paramdef>int *error</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_sethostent_r</function></funcdef>
+<paramdef>int stayopen</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_endhostent_r</function></funcdef>
+<paramdef>void</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+These functions provide hostname-to-address and
+address-to-hostname lookups by means of the lightweight resolver.
+They are similar to the standard
+<citerefentry>
+<refentrytitle>gethostent</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+functions provided by most operating systems.
+They use a
+<type>struct hostent</type>
+which is usually defined in
+<filename>&lt;namedb.h&gt;</filename>.
+
+<programlisting>
+struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */
+</programlisting>
+</para>
+<para>
+The members of this structure are:
+<variablelist>
+<varlistentry><term><constant>h_name</constant></term>
+<listitem>
+<para>
+The official (canonical) name of the host.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_aliases</constant></term>
+<listitem>
+<para>
+A NULL-terminated array of alternate names (nicknames) for the host.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_addrtype</constant></term>
+<listitem>
+<para>
+The type of address being returned &mdash;
+<type>PF_INET</type>
+or
+<type>PF_INET6</type>.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_length</constant></term>
+<listitem>
+<para>
+The length of the address in bytes.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_addr_list</constant></term>
+<listitem>
+<para>
+A <type>NULL</type>
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
+</para>
+</listitem></varlistentry>
+</variablelist>
+</para>
+<para>
+For backward compatibility with very old software,
+<constant>h_addr</constant>
+is the first address in
+<constant>h_addr_list.</constant>
+</para>
+<para>
+<function>lwres_gethostent()</function>,
+<function>lwres_sethostent()</function>,
+<function>lwres_endhostent()</function>,
+<function>lwres_gethostent_r()</function>,
+<function>lwres_sethostent_r()</function>
+and
+<function>lwres_endhostent_r()</function>
+provide iteration over the known host entries on systems that
+provide such functionality through facilities like
+<filename>/etc/hosts</filename>
+or NIS. The lightweight resolver does not currently implement
+these functions; it only provides them as stub functions that always
+return failure.
+</para>
+
+<para>
+<function>lwres_gethostbyname()</function> and
+<function>lwres_gethostbyname2()</function> look up the hostname
+<parameter>name</parameter>.
+<function>lwres_gethostbyname()</function> always looks for an IPv4
+address while <function>lwres_gethostbyname2()</function> looks for an
+address of protocol family <parameter>af</parameter>: either
+<type>PF_INET</type> or <type>PF_INET6</type> &mdash; IPv4 or IPV6
+addresses respectively. Successful calls of the functions return a
+<type>struct hostent</type>for the name that was looked up.
+<type>NULL</type> is returned if the lookups by
+<function>lwres_gethostbyname()</function> or
+<function>lwres_gethostbyname2()</function> fail.
+</para>
+
+<para>
+Reverse lookups of addresses are performed by
+<function>lwres_gethostbyaddr()</function>.
+<parameter>addr</parameter> is an address of length
+<parameter>len</parameter> bytes and protocol family
+<parameter>type</parameter> &mdash; <type>PF_INET</type> or
+<type>PF_INET6</type>.
+<function>lwres_gethostbyname_r()</function> is a thread-safe function
+for forward lookups. If an error occurs, an error code is returned in
+<parameter>*error</parameter>.
+<parameter>resbuf</parameter> is a pointer to a <type>struct
+hostent</type> which is initialised by a successful call to
+<function>lwres_gethostbyname_r()</function> .
+<parameter>buf</parameter> is a buffer of length
+<parameter>len</parameter> bytes which is used to store the
+<constant>h_name</constant>, <constant>h_aliases</constant>, and
+<constant>h_addr_list</constant> elements of the <type>struct
+hostent</type> returned in <parameter>resbuf</parameter>.
+Successful calls to <function>lwres_gethostbyname_r()</function>
+return <parameter>resbuf</parameter>,
+which is a pointer to the <type>struct hostent</type> it created.
+</para>
+
+<para>
+<function>lwres_gethostbyaddr_r()</function> is a thread-safe function
+that performs a reverse lookup of address <parameter>addr</parameter>
+which is <parameter>len</parameter> bytes long and is of protocol
+family <parameter>type</parameter> &mdash; <type>PF_INET</type> or
+<type>PF_INET6</type>. If an error occurs, the error code is returned
+in <parameter>*error</parameter>. The other function parameters are
+identical to those in <function>lwres_gethostbyname_r()</function>.
+<parameter>resbuf</parameter> is a pointer to a <type>struct
+hostent</type> which is initialised by a successful call to
+<function>lwres_gethostbyaddr_r()</function>.
+<parameter>buf</parameter> is a buffer of length
+<parameter>len</parameter> bytes which is used to store the
+<constant>h_name</constant>, <constant>h_aliases</constant>, and
+<constant>h_addr_list</constant> elements of the <type>struct
+hostent</type> returned in <parameter>resbuf</parameter>. Successful
+calls to <function>lwres_gethostbyaddr_r()</function> return
+<parameter>resbuf</parameter>, which is a pointer to the
+<function>struct hostent()</function> it created.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+The functions
+<function>lwres_gethostbyname()</function>,
+<function>lwres_gethostbyname2()</function>,
+<function>lwres_gethostbyaddr()</function>,
+and
+<function>lwres_gethostent()</function>
+return NULL to indicate an error. In this case the global variable
+<type>lwres_h_errno</type>
+will contain one of the following error codes defined in
+<filename>&lt;lwres/netdb.h&gt;</filename>:
+
+<variablelist>
+<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
+<listitem>
+<para>
+The host or address was not found.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>TRY_AGAIN</constant></term>
+<listitem>
+<para>
+A recoverable error occurred, e.g., a timeout.
+Retrying the lookup may succeed.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>NO_RECOVERY</constant></term>
+<listitem>
+<para>
+A non-recoverable error occurred.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>NO_DATA</constant></term>
+<listitem>
+<para>
+The name exists, but has no address information
+associated with it (or vice versa in the case
+of a reverse lookup). The code NO_ADDRESS
+is accepted as a synonym for NO_DATA for backwards
+compatibility.
+</para>
+</listitem></varlistentry>
+</variablelist>
+</para>
+
+<para>
+<citerefentry>
+<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+translates these error codes to suitable error messages.
+</para>
+
+<para>
+<function>lwres_gethostent()</function>
+and
+<function>lwres_gethostent_r()</function>
+always return
+<type>NULL</type>.
+</para>
+
+<para>
+Successful calls to <function>lwres_gethostbyname_r()</function> and
+<function>lwres_gethostbyaddr_r()</function> return
+<parameter>resbuf</parameter>, a pointer to the <type>struct
+hostent</type> that was initialised by these functions. They return
+<type>NULL</type> if the lookups fail or if <parameter>buf</parameter>
+was too small to hold the list of addresses and names referenced by
+the <constant>h_name</constant>, <constant>h_aliases</constant>, and
+<constant>h_addr_list</constant> elements of the <type>struct
+hostent</type>. If <parameter>buf</parameter> was too small, both
+<function>lwres_gethostbyname_r()</function> and
+<function>lwres_gethostbyaddr_r()</function> set the global variable
+<type>errno</type> to <errorcode>ERANGE</errorcode>.
+</para>
+
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getipnode</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+</para>
+</refsect1>
+
+<refsect1>
+<title>BUGS</title>
+<para>
+<function>lwres_gethostbyname()</function>,
+<function>lwres_gethostbyname2()</function>,
+<function>lwres_gethostbyaddr()</function>
+and
+<function>lwres_endhostent()</function>
+are not thread safe; they return pointers to static data and
+provide error codes through a global variable.
+Thread-safe versions for name and address lookup are provided by
+<function>lwres_gethostbyname_r()</function>,
+and
+<function>lwres_gethostbyaddr_r()</function>
+respectively.
+</para>
+<para>
+The resolver daemon does not currently support any non-DNS
+name services such as
+<filename>/etc/hosts</filename>
+or
+<type>NIS</type>,
+consequently the above functions don't, either.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gethostent.html b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
new file mode 100644
index 0000000..00b285d
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gethostent.html
@@ -0,0 +1,784 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gethostent.html,v 1.8.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_gethostent</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_gethostent</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gethostbyname, lwres_gethostbyname2, lwres_gethostbyaddr, lwres_gethostent, lwres_sethostent, lwres_endhostent, lwres_gethostbyname_r, lwres_gethostbyaddr_r, lwres_gethostent_r, lwres_sethostent_r, lwres_endhostent_r&nbsp;--&nbsp;lightweight resolver get network host entry</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN21"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN22"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname</CODE
+>(const char *name);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname2</CODE
+>(const char *name, int af);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyaddr</CODE
+>(const char *addr, int len, int type);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostent</CODE
+>(void);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_sethostent</CODE
+>(int stayopen);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_endhostent</CODE
+>(void);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyname_r</CODE
+>(const char *name, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostbyaddr_r</CODE
+>(const char *addr, int len, int type, struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_gethostent_r</CODE
+>(struct hostent *resbuf, char *buf, int buflen, int *error);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_sethostent_r</CODE
+>(int stayopen);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_endhostent_r</CODE
+>(void);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN84"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions provide hostname-to-address and
+address-to-hostname lookups by means of the lightweight resolver.
+They are similar to the standard
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gethostent</SPAN
+>(3)</SPAN
+>
+functions provided by most operating systems.
+They use a
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
+which is usually defined in
+<TT
+CLASS="FILENAME"
+>&lt;namedb.h&gt;</TT
+>.
+
+<PRE
+CLASS="PROGRAMLISTING"
+>struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE
+></P
+><P
+>The members of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_name</CODE
+></DT
+><DD
+><P
+>The official (canonical) name of the host.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+></DT
+><DD
+><P
+>A NULL-terminated array of alternate names (nicknames) for the host.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_addrtype</CODE
+></DT
+><DD
+><P
+>The type of address being returned &mdash;
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_length</CODE
+></DT
+><DD
+><P
+>The length of the address in bytes.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+></DT
+><DD
+><P
+>A <SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>For backward compatibility with very old software,
+<CODE
+CLASS="CONSTANT"
+>h_addr</CODE
+>
+is the first address in
+<CODE
+CLASS="CONSTANT"
+>h_addr_list.</CODE
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gethostent()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_sethostent()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_endhostent()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostent_r()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_sethostent_r()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_endhostent_r()</CODE
+>
+provide iteration over the known host entries on systems that
+provide such functionality through facilities like
+<TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>
+or NIS. The lightweight resolver does not currently implement
+these functions; it only provides them as stub functions that always
+return failure.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname()</CODE
+> and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</CODE
+> look up the hostname
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname()</CODE
+> always looks for an IPv4
+address while <CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</CODE
+> looks for an
+address of protocol family <VAR
+CLASS="PARAMETER"
+>af</VAR
+>: either
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or <SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+> &mdash; IPv4 or IPV6
+addresses respectively. Successful calls of the functions return a
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>for the name that was looked up.
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> is returned if the lookups by
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname()</CODE
+> or
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</CODE
+> fail.</P
+><P
+>Reverse lookups of addresses are performed by
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</CODE
+>.
+<VAR
+CLASS="PARAMETER"
+>addr</VAR
+> is an address of length
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+> bytes and protocol family
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+> &mdash; <SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+> is a thread-safe function
+for forward lookups. If an error occurs, an error code is returned in
+<VAR
+CLASS="PARAMETER"
+>*error</VAR
+>.
+<VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+> is a pointer to a <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> which is initialised by a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+> .
+<VAR
+CLASS="PARAMETER"
+>buf</VAR
+> is a buffer of length
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+> bytes which is used to store the
+<CODE
+CLASS="CONSTANT"
+>h_name</CODE
+>, <CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+>, and
+<CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> returned in <VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+>.
+Successful calls to <CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+>
+return <VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+>,
+which is a pointer to the <SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+> it created.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+> is a thread-safe function
+that performs a reverse lookup of address <VAR
+CLASS="PARAMETER"
+>addr</VAR
+>
+which is <VAR
+CLASS="PARAMETER"
+>len</VAR
+> bytes long and is of protocol
+family <VAR
+CLASS="PARAMETER"
+>type</VAR
+> &mdash; <SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>. If an error occurs, the error code is returned
+in <VAR
+CLASS="PARAMETER"
+>*error</VAR
+>. The other function parameters are
+identical to those in <CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+>.
+<VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+> is a pointer to a <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> which is initialised by a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+>.
+<VAR
+CLASS="PARAMETER"
+>buf</VAR
+> is a buffer of length
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+> bytes which is used to store the
+<CODE
+CLASS="CONSTANT"
+>h_name</CODE
+>, <CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+>, and
+<CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> returned in <VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+>. Successful
+calls to <CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+> return
+<VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+>, which is a pointer to the
+<CODE
+CLASS="FUNCTION"
+>struct hostent()</CODE
+> it created.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN191"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The functions
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</CODE
+>,
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostent()</CODE
+>
+return NULL to indicate an error. In this case the global variable
+<SPAN
+CLASS="TYPE"
+>lwres_h_errno</SPAN
+>
+will contain one of the following error codes defined in
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>:
+
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>HOST_NOT_FOUND</CODE
+></DT
+><DD
+><P
+>The host or address was not found.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>TRY_AGAIN</CODE
+></DT
+><DD
+><P
+>A recoverable error occurred, e.g., a timeout.
+Retrying the lookup may succeed.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NO_RECOVERY</CODE
+></DT
+><DD
+><P
+>A non-recoverable error occurred.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NO_DATA</CODE
+></DT
+><DD
+><P
+>The name exists, but has no address information
+associated with it (or vice versa in the case
+of a reverse lookup). The code NO_ADDRESS
+is accepted as a synonym for NO_DATA for backwards
+compatibility.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>
+translates these error codes to suitable error messages.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gethostent()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostent_r()</CODE
+>
+always return
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>.</P
+><P
+>Successful calls to <CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+> and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+> return
+<VAR
+CLASS="PARAMETER"
+>resbuf</VAR
+>, a pointer to the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+> that was initialised by these functions. They return
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> if the lookups fail or if <VAR
+CLASS="PARAMETER"
+>buf</VAR
+>
+was too small to hold the list of addresses and names referenced by
+the <CODE
+CLASS="CONSTANT"
+>h_name</CODE
+>, <CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+>, and
+<CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+> elements of the <SPAN
+CLASS="TYPE"
+>struct
+hostent</SPAN
+>. If <VAR
+CLASS="PARAMETER"
+>buf</VAR
+> was too small, both
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+> and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+> set the global variable
+<SPAN
+CLASS="TYPE"
+>errno</SPAN
+> to <SPAN
+CLASS="ERRORCODE"
+>ERANGE</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN245"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>gethostent</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getipnode</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN257"
+></A
+><H2
+>BUGS</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname2()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_endhostent()</CODE
+>
+are not thread safe; they return pointers to static data and
+provide error codes through a global variable.
+Thread-safe versions for name and address lookup are provided by
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyname_r()</CODE
+>,
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gethostbyaddr_r()</CODE
+>
+respectively.</P
+><P
+>The resolver daemon does not currently support any non-DNS
+name services such as
+<TT
+CLASS="FILENAME"
+>/etc/hosts</TT
+>
+or
+<SPAN
+CLASS="TYPE"
+>NIS</SPAN
+>,
+consequently the above functions don't, either.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.3 b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
new file mode 100644
index 0000000..815a841
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.3
@@ -0,0 +1,189 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_getipnode.3,v 1.13.2.2.4.2 2004/03/09 05:21:10 marka Exp $
+.\"
+.TH "LWRES_GETIPNODE" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent \- lightweight resolver nodename / address translation API
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+struct hostent *
+lwres_getipnodebyname(const char *name, int af, int flags, int *error_num);
+.ad
+.sp
+.na
+struct hostent *
+lwres_getipnodebyaddr(const void *src, size_t len, int af, int *error_num);
+.ad
+.sp
+.na
+void
+lwres_freehostent(struct hostent *he);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These functions perform thread safe, protocol independent
+nodename-to-address and address-to-nodename
+translation as defined in RFC2553.
+.PP
+They use a
+\fBstruct hostent\fR
+which is defined in
+\fInamedb.h\fR:
+.sp
+.nf
+struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */
+.sp
+.fi
+.PP
+The members of this structure are:
+.TP
+\fBh_name\fR
+The official (canonical) name of the host.
+.TP
+\fBh_aliases\fR
+A NULL-terminated array of alternate names (nicknames) for the host.
+.TP
+\fBh_addrtype\fR
+The type of address being returned - usually
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR.
+.TP
+\fBh_length\fR
+The length of the address in bytes.
+.TP
+\fBh_addr_list\fR
+A
+\fBNULL\fR
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
+.PP
+\fBlwres_getipnodebyname()\fR
+looks up addresses of protocol family
+\fIaf\fR
+for the hostname
+\fIname\fR.
+The
+\fIflags\fR
+parameter contains ORed flag bits to
+specify the types of addresses that are searched
+for, and the types of addresses that are returned.
+The flag bits are:
+.TP
+\fBAI_V4MAPPED\fR
+This is used with an
+\fIaf\fR
+of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
+IPv6 addresses.
+.TP
+\fBAI_ALL\fR
+This is used with an
+\fIaf\fR
+of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
+If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
+IPv6 addresses.
+.TP
+\fBAI_ADDRCONFIG\fR
+Only return an IPv6 or IPv4 address if here is an active network
+interface of that type. This is not currently implemented
+in the BIND 9 lightweight resolver, and the flag is ignored.
+.TP
+\fBAI_DEFAULT\fR
+This default sets the
+AI_V4MAPPED
+and
+AI_ADDRCONFIG
+flag bits.
+.PP
+\fBlwres_getipnodebyaddr()\fR
+performs a reverse lookup
+of address
+\fIsrc\fR
+which is
+\fIlen\fR
+bytes long.
+\fIaf\fR
+denotes the protocol family, typically
+\fBPF_INET\fR
+or
+\fBPF_INET6\fR.
+.PP
+\fBlwres_freehostent()\fR
+releases all the memory associated with
+the
+\fBstruct hostent\fR
+pointer
+\fIhe\fR.
+Any memory allocated for the
+h_name,
+h_addr_list
+and
+h_aliases
+is freed, as is the memory for the
+\fBhostent\fR
+structure itself.
+.SH "RETURN VALUES"
+.PP
+If an error occurs,
+\fBlwres_getipnodebyname()\fR
+and
+\fBlwres_getipnodebyaddr()\fR
+set
+\fI*error_num\fR
+to an appropriate error code and the function returns a
+\fBNULL\fR
+pointer.
+The error codes and their meanings are defined in
+\fI<lwres/netdb.h>\fR:
+.TP
+\fBHOST_NOT_FOUND\fR
+No such host is known.
+.TP
+\fBNO_ADDRESS\fR
+The server recognised the request and the name but no address is
+available. Another type of request to the name server for the
+domain might return an answer.
+.TP
+\fBTRY_AGAIN\fR
+A temporary and possibly transient error occurred, such as a
+failure of a server to respond. The request may succeed if
+retried.
+.TP
+\fBNO_RECOVERY\fR
+An unexpected failure occurred, and retrying the request
+is pointless.
+.PP
+\fBlwres_hstrerror\fR(3)
+translates these error codes to suitable error messages.
+.SH "SEE ALSO"
+.PP
+\fBRFC2553\fR,
+\fBlwres\fR(3),
+\fBlwres_gethostent\fR(3),
+\fBlwres_getaddrinfo\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_hstrerror\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
new file mode 100644
index 0000000..30c04a3
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.docbook
@@ -0,0 +1,307 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getipnode.docbook,v 1.4.2.2.4.1 2004/03/06 08:15:39 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_getipnode</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_getipnodebyname</refname>
+<refname>lwres_getipnodebyaddr</refname>
+<refname>lwres_freehostent</refname>
+<refpurpose>lightweight resolver nodename / address translation API</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_getipnodebyname</function></funcdef>
+<paramdef>const char *name</paramdef>
+<paramdef>int af</paramdef>
+<paramdef>int flags</paramdef>
+<paramdef>int *error_num</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+struct hostent *
+<function>lwres_getipnodebyaddr</function></funcdef>
+<paramdef>const void *src</paramdef>
+<paramdef>size_t len</paramdef>
+<paramdef>int af</paramdef>
+<paramdef>int *error_num</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_freehostent</function></funcdef>
+<paramdef>struct hostent *he</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+
+<para>
+These functions perform thread safe, protocol independent
+nodename-to-address and address-to-nodename
+translation as defined in RFC2553.
+</para>
+
+<para>
+They use a
+<type>struct hostent</type>
+which is defined in
+<filename>namedb.h</filename>:
+<programlisting>
+struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */
+</programlisting>
+</para>
+
+<para>
+The members of this structure are:
+<variablelist>
+<varlistentry><term><constant>h_name</constant></term>
+<listitem>
+<para>
+The official (canonical) name of the host.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_aliases</constant></term>
+<listitem>
+<para>
+A NULL-terminated array of alternate names (nicknames) for the host.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_addrtype</constant></term>
+<listitem>
+<para>
+The type of address being returned - usually
+<type>PF_INET</type>
+or
+<type>PF_INET6</type>.
+
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_length</constant></term>
+<listitem>
+<para>
+The length of the address in bytes.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>h_addr_list</constant></term>
+<listitem>
+<para>
+A
+<type>NULL</type>
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.
+</para>
+</listitem></varlistentry>
+</variablelist>
+</para>
+<para>
+<function>lwres_getipnodebyname()</function>
+looks up addresses of protocol family
+<parameter>af</parameter>
+
+for the hostname
+<parameter>name</parameter>.
+
+The
+<parameter>flags</parameter>
+parameter contains ORed flag bits to
+specify the types of addresses that are searched
+for, and the types of addresses that are returned.
+The flag bits are:
+<variablelist>
+<varlistentry><term><constant>AI_V4MAPPED</constant></term>
+<listitem>
+<para>
+This is used with an
+<parameter>af</parameter>
+of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
+IPv6 addresses.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>AI_ALL</constant></term>
+<listitem>
+<para>
+This is used with an
+<parameter>af</parameter>
+of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
+If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
+IPv6 addresses.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>AI_ADDRCONFIG</constant></term>
+<listitem>
+<para>
+Only return an IPv6 or IPv4 address if here is an active network
+interface of that type. This is not currently implemented
+in the BIND 9 lightweight resolver, and the flag is ignored.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>AI_DEFAULT</constant></term>
+<listitem>
+<para>
+This default sets the
+<constant>AI_V4MAPPED</constant>
+and
+<constant>AI_ADDRCONFIG</constant>
+flag bits.
+</para>
+</listitem></varlistentry>
+</variablelist>
+</para>
+<para>
+<function>lwres_getipnodebyaddr()</function>
+performs a reverse lookup
+of address
+<parameter>src</parameter>
+which is
+<parameter>len</parameter>
+bytes long.
+<parameter>af</parameter>
+denotes the protocol family, typically
+<type>PF_INET</type>
+or
+<type>PF_INET6</type>.
+
+</para>
+<para>
+<function>lwres_freehostent()</function>
+releases all the memory associated with
+the
+<type>struct hostent</type>
+pointer
+<parameter>he</parameter>.
+
+Any memory allocated for the
+<constant>h_name</constant>,
+
+<constant>h_addr_list</constant>
+and
+<constant>h_aliases</constant>
+is freed, as is the memory for the
+<type>hostent</type>
+structure itself.
+</para>
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+If an error occurs,
+<function>lwres_getipnodebyname()</function>
+and
+<function>lwres_getipnodebyaddr()</function>
+set
+<parameter>*error_num</parameter>
+to an appropriate error code and the function returns a
+<type>NULL</type>
+pointer.
+The error codes and their meanings are defined in
+<filename>&lt;lwres/netdb.h&gt;</filename>:
+<variablelist>
+<varlistentry><term><constant>HOST_NOT_FOUND</constant></term>
+<listitem>
+<para>
+No such host is known.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>NO_ADDRESS</constant></term>
+<listitem>
+<para>
+The server recognised the request and the name but no address is
+available. Another type of request to the name server for the
+domain might return an answer.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>TRY_AGAIN</constant></term>
+<listitem>
+<para>
+A temporary and possibly transient error occurred, such as a
+failure of a server to respond. The request may succeed if
+retried.
+</para>
+</listitem></varlistentry>
+<varlistentry><term><constant>NO_RECOVERY</constant></term>
+<listitem>
+<para>
+An unexpected failure occurred, and retrying the request
+is pointless.
+</para>
+</listitem></varlistentry>
+</variablelist>
+</para>
+<para>
+<citerefentry>
+<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+translates these error codes to suitable error messages.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>RFC2553</refentrytitle>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getaddrinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getipnode.html b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
new file mode 100644
index 0000000..3063d44
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getipnode.html
@@ -0,0 +1,512 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getipnode.html,v 1.7.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_getipnode</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_getipnode</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getipnodebyname, lwres_getipnodebyaddr, lwres_freehostent&nbsp;--&nbsp;lightweight resolver nodename / address translation API</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN14"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_getipnodebyname</CODE
+>(const char *name, int af, int flags, int *error_num);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>struct hostent *
+lwres_getipnodebyaddr</CODE
+>(const void *src, size_t len, int af, int *error_num);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freehostent</CODE
+>(struct hostent *he);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN34"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions perform thread safe, protocol independent
+nodename-to-address and address-to-nodename
+translation as defined in RFC2553.</P
+><P
+>They use a
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
+which is defined in
+<TT
+CLASS="FILENAME"
+>namedb.h</TT
+>:
+<PRE
+CLASS="PROGRAMLISTING"
+>struct hostent {
+ char *h_name; /* official name of host */
+ char **h_aliases; /* alias list */
+ int h_addrtype; /* host address type */
+ int h_length; /* length of address */
+ char **h_addr_list; /* list of addresses from name server */
+};
+#define h_addr h_addr_list[0] /* address, for backward compatibility */</PRE
+></P
+><P
+>The members of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_name</CODE
+></DT
+><DD
+><P
+>The official (canonical) name of the host.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+></DT
+><DD
+><P
+>A NULL-terminated array of alternate names (nicknames) for the host.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_addrtype</CODE
+></DT
+><DD
+><P
+>The type of address being returned - usually
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.&#13;</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_length</CODE
+></DT
+><DD
+><P
+>The length of the address in bytes.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+></DT
+><DD
+><P
+>A
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+terminated array of network addresses for the host.
+Host addresses are returned in network byte order.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getipnodebyname()</CODE
+>
+looks up addresses of protocol family
+<VAR
+CLASS="PARAMETER"
+>af</VAR
+>
+
+for the hostname
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+>.
+
+The
+<VAR
+CLASS="PARAMETER"
+>flags</VAR
+>
+parameter contains ORed flag bits to
+specify the types of addresses that are searched
+for, and the types of addresses that are returned.
+The flag bits are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>AI_V4MAPPED</CODE
+></DT
+><DD
+><P
+>This is used with an
+<VAR
+CLASS="PARAMETER"
+>af</VAR
+>
+of AF_INET6, and causes IPv4 addresses to be returned as IPv4-mapped
+IPv6 addresses.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>AI_ALL</CODE
+></DT
+><DD
+><P
+>This is used with an
+<VAR
+CLASS="PARAMETER"
+>af</VAR
+>
+of AF_INET6, and causes all known addresses (IPv6 and IPv4) to be returned.
+If AI_V4MAPPED is also set, the IPv4 addresses are return as mapped
+IPv6 addresses.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>AI_ADDRCONFIG</CODE
+></DT
+><DD
+><P
+>Only return an IPv6 or IPv4 address if here is an active network
+interface of that type. This is not currently implemented
+in the BIND 9 lightweight resolver, and the flag is ignored.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>AI_DEFAULT</CODE
+></DT
+><DD
+><P
+>This default sets the
+<CODE
+CLASS="CONSTANT"
+>AI_V4MAPPED</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>AI_ADDRCONFIG</CODE
+>
+flag bits.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getipnodebyaddr()</CODE
+>
+performs a reverse lookup
+of address
+<VAR
+CLASS="PARAMETER"
+>src</VAR
+>
+which is
+<VAR
+CLASS="PARAMETER"
+>len</VAR
+>
+bytes long.
+<VAR
+CLASS="PARAMETER"
+>af</VAR
+>
+denotes the protocol family, typically
+<SPAN
+CLASS="TYPE"
+>PF_INET</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>PF_INET6</SPAN
+>.&#13;</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_freehostent()</CODE
+>
+releases all the memory associated with
+the
+<SPAN
+CLASS="TYPE"
+>struct hostent</SPAN
+>
+pointer
+<VAR
+CLASS="PARAMETER"
+>he</VAR
+>.
+
+Any memory allocated for the
+<CODE
+CLASS="CONSTANT"
+>h_name</CODE
+>,
+
+<CODE
+CLASS="CONSTANT"
+>h_addr_list</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>h_aliases</CODE
+>
+is freed, as is the memory for the
+<SPAN
+CLASS="TYPE"
+>hostent</SPAN
+>
+structure itself.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>If an error occurs,
+<CODE
+CLASS="FUNCTION"
+>lwres_getipnodebyname()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_getipnodebyaddr()</CODE
+>
+set
+<VAR
+CLASS="PARAMETER"
+>*error_num</VAR
+>
+to an appropriate error code and the function returns a
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+>
+pointer.
+The error codes and their meanings are defined in
+<TT
+CLASS="FILENAME"
+>&lt;lwres/netdb.h&gt;</TT
+>:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>HOST_NOT_FOUND</CODE
+></DT
+><DD
+><P
+>No such host is known.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NO_ADDRESS</CODE
+></DT
+><DD
+><P
+>The server recognised the request and the name but no address is
+available. Another type of request to the name server for the
+domain might return an answer.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>TRY_AGAIN</CODE
+></DT
+><DD
+><P
+>A temporary and possibly transient error occurred, such as a
+failure of a server to respond. The request may succeed if
+retried.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NO_RECOVERY</CODE
+></DT
+><DD
+><P
+>An unexpected failure occurred, and retrying the request
+is pointless.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>
+translates these error codes to suitable error messages.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN149"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2553</SPAN
+></SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gethostent</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getaddrinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3 b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
new file mode 100644
index 0000000..a512270
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.3
@@ -0,0 +1,86 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_getnameinfo.3,v 1.15.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GETNAMEINFO" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_getnameinfo \- lightweight resolver socket address structure to hostname and service name
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getnameinfo(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+This function is equivalent to the \fBgetnameinfo\fR(3) function defined in RFC2133.
+\fBlwres_getnameinfo()\fR returns the hostname for the
+\fBstruct sockaddr\fR \fIsa\fR which is
+\fIsalen\fR bytes long. The hostname is of length
+\fIhostlen\fR and is returned via
+\fI*host.\fR The maximum length of the hostname is
+1025 bytes: NI_MAXHOST.
+.PP
+The name of the service associated with the port number in
+\fIsa\fR is returned in \fI*serv.\fR
+It is \fIservlen\fR bytes long. The maximum length
+of the service name is NI_MAXSERV - 32 bytes.
+.PP
+The \fIflags\fR argument sets the following
+bits:
+.TP
+\fBNI_NOFQDN\fR
+A fully qualified domain name is not required for local hosts.
+The local part of the fully qualified domain name is returned instead.
+.TP
+\fBNI_NUMERICHOST\fR
+Return the address in numeric form, as if calling inet_ntop(),
+instead of a host name.
+.TP
+\fBNI_NAMEREQD\fR
+A name is required. If the hostname cannot be found in the DNS and
+this flag is set, a non-zero error code is returned.
+If the hostname is not found and the flag is not set, the
+address is returned in numeric form.
+.TP
+\fBNI_NUMERICSERV\fR
+The service name is returned as a digit string representing the port number.
+.TP
+\fBNI_DGRAM\fR
+Specifies that the service being looked up is a datagram
+service, and causes getservbyport() to be called with a second
+argument of "udp" instead of its default of "tcp". This is required
+for the few ports (512-514) that have different services for UDP and
+TCP.
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getnameinfo()\fR
+returns 0 on success or a non-zero error code if an error occurs.
+.SH "SEE ALSO"
+.PP
+\fBRFC2133\fR,
+\fBgetservbyport\fR(3),
+\fBlwres\fR(3),
+\fBlwres_getnameinfo\fR(3),
+\fBlwres_getnamebyaddr\fR(3).
+\fBlwres_net_ntop\fR(3).
+.SH "BUGS"
+.PP
+RFC2133 fails to define what the nonzero return values of
+\fBgetnameinfo\fR(3)
+are.
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
new file mode 100644
index 0000000..ff2eaad
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.docbook
@@ -0,0 +1,154 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getnameinfo.docbook,v 1.3.206.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_getnameinfo</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_getnameinfo</refname>
+<refpurpose>lightweight resolver socket address structure to hostname and service name</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+int
+<function>lwres_getnameinfo</function></funcdef>
+<paramdef>const struct sockaddr *sa</paramdef>
+<paramdef>size_t salen</paramdef>
+<paramdef>char *host</paramdef>
+<paramdef>size_t hostlen</paramdef>
+<paramdef>char *serv</paramdef>
+<paramdef>size_t servlen</paramdef>
+<paramdef>int flags</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+
+<para> This function is equivalent to the <citerefentry>
+<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry> function defined in RFC2133.
+<function>lwres_getnameinfo()</function> returns the hostname for the
+<type>struct sockaddr</type> <parameter>sa</parameter> which is
+<parameter>salen</parameter> bytes long. The hostname is of length
+<parameter>hostlen</parameter> and is returned via
+<parameter>*host.</parameter> The maximum length of the hostname is
+1025 bytes: <constant>NI_MAXHOST</constant>.</para>
+
+<para> The name of the service associated with the port number in
+<parameter>sa</parameter> is returned in <parameter>*serv.</parameter>
+It is <parameter>servlen</parameter> bytes long. The maximum length
+of the service name is <constant>NI_MAXSERV</constant> - 32 bytes.
+</para>
+
+<para> The <parameter>flags</parameter> argument sets the following
+bits:
+<variablelist>
+<varlistentry><term><constant>NI_NOFQDN</constant></term>
+<listitem>
+<para>
+A fully qualified domain name is not required for local hosts.
+The local part of the fully qualified domain name is returned instead.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>NI_NUMERICHOST</constant></term>
+<listitem>
+<para>
+Return the address in numeric form, as if calling inet_ntop(),
+instead of a host name.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>NI_NAMEREQD</constant></term>
+<listitem>
+<para>
+A name is required. If the hostname cannot be found in the DNS and
+this flag is set, a non-zero error code is returned.
+If the hostname is not found and the flag is not set, the
+address is returned in numeric form.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>NI_NUMERICSERV</constant></term>
+<listitem>
+<para>
+The service name is returned as a digit string representing the port number.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>NI_DGRAM</constant></term>
+<listitem>
+<para>
+Specifies that the service being looked up is a datagram
+service, and causes getservbyport() to be called with a second
+argument of "udp" instead of its default of "tcp". This is required
+for the few ports (512-514) that have different services for UDP and
+TCP.
+</para></listitem></varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+<function>lwres_getnameinfo()</function>
+returns 0 on success or a non-zero error code if an error occurs.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>RFC2133</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>getservbyport</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>lwres_getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>lwres_getnamebyaddr</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+<citerefentry>
+<refentrytitle>lwres_net_ntop</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</refsect1>
+<refsect1>
+<title>BUGS</title>
+<para>
+RFC2133 fails to define what the nonzero return values of
+<citerefentry>
+<refentrytitle>getnameinfo</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>
+are.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
new file mode 100644
index 0000000..8130fe8
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getnameinfo.html
@@ -0,0 +1,290 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getnameinfo.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_getnameinfo</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_getnameinfo</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getnameinfo&nbsp;--&nbsp;lightweight resolver socket address structure to hostname and service name</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN12"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getnameinfo</CODE
+>(const struct sockaddr *sa, size_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN24"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> This function is equivalent to the <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getnameinfo</SPAN
+>(3)</SPAN
+> function defined in RFC2133.
+<CODE
+CLASS="FUNCTION"
+>lwres_getnameinfo()</CODE
+> returns the hostname for the
+<SPAN
+CLASS="TYPE"
+>struct sockaddr</SPAN
+> <VAR
+CLASS="PARAMETER"
+>sa</VAR
+> which is
+<VAR
+CLASS="PARAMETER"
+>salen</VAR
+> bytes long. The hostname is of length
+<VAR
+CLASS="PARAMETER"
+>hostlen</VAR
+> and is returned via
+<VAR
+CLASS="PARAMETER"
+>*host.</VAR
+> The maximum length of the hostname is
+1025 bytes: <CODE
+CLASS="CONSTANT"
+>NI_MAXHOST</CODE
+>.</P
+><P
+> The name of the service associated with the port number in
+<VAR
+CLASS="PARAMETER"
+>sa</VAR
+> is returned in <VAR
+CLASS="PARAMETER"
+>*serv.</VAR
+>
+It is <VAR
+CLASS="PARAMETER"
+>servlen</VAR
+> bytes long. The maximum length
+of the service name is <CODE
+CLASS="CONSTANT"
+>NI_MAXSERV</CODE
+> - 32 bytes.</P
+><P
+> The <VAR
+CLASS="PARAMETER"
+>flags</VAR
+> argument sets the following
+bits:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>NI_NOFQDN</CODE
+></DT
+><DD
+><P
+>A fully qualified domain name is not required for local hosts.
+The local part of the fully qualified domain name is returned instead.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NI_NUMERICHOST</CODE
+></DT
+><DD
+><P
+>Return the address in numeric form, as if calling inet_ntop(),
+instead of a host name.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NI_NAMEREQD</CODE
+></DT
+><DD
+><P
+>A name is required. If the hostname cannot be found in the DNS and
+this flag is set, a non-zero error code is returned.
+If the hostname is not found and the flag is not set, the
+address is returned in numeric form.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NI_NUMERICSERV</CODE
+></DT
+><DD
+><P
+>The service name is returned as a digit string representing the port number.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>NI_DGRAM</CODE
+></DT
+><DD
+><P
+>Specifies that the service being looked up is a datagram
+service, and causes getservbyport() to be called with a second
+argument of "udp" instead of its default of "tcp". This is required
+for the few ports (512-514) that have different services for UDP and
+TCP.</P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN70"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getnameinfo()</CODE
+>
+returns 0 on success or a non-zero error code if an error occurs.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN74"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC2133</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getservbyport</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnameinfo</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_getnamebyaddr</SPAN
+>(3)</SPAN
+>.
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_net_ntop</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN94"
+></A
+><H2
+>BUGS</H2
+><P
+>RFC2133 fails to define what the nonzero return values of
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>getnameinfo</SPAN
+>(3)</SPAN
+>
+are.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3 b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
new file mode 100644
index 0000000..1558f6d
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.3
@@ -0,0 +1,144 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_getrrsetbyname.3,v 1.11.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GETRRSETBYNAME" "3" "Oct 18, 2000" "BIND9" ""
+.SH NAME
+lwres_getrrsetbyname, lwres_freerrset \- retrieve DNS records
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+int
+lwres_getrrsetbyname(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);
+.ad
+.sp
+.na
+void
+lwres_freerrset(struct rrsetinfo *rrset);
+.ad
+\fR
+.PP
+The following structures are used:
+.sp
+.nf
+struct rdatainfo {
+ unsigned int rdi_length; /* length of data */
+ unsigned char *rdi_data; /* record data */
+};
+
+struct rrsetinfo {
+ unsigned int rri_flags; /* RRSET_VALIDATED... */
+ unsigned int rri_rdclass; /* class number */
+ unsigned int rri_rdtype; /* RR type number */
+ unsigned int rri_ttl; /* time to live */
+ unsigned int rri_nrdatas; /* size of rdatas array */
+ unsigned int rri_nsigs; /* size of sigs array */
+ char *rri_name; /* canonical name */
+ struct rdatainfo *rri_rdatas; /* individual records */
+ struct rdatainfo *rri_sigs; /* individual signatures */
+};
+.sp
+.fi
+.SH "DESCRIPTION"
+.PP
+\fBlwres_getrrsetbyname()\fR
+gets a set of resource records associated with a
+\fIhostname\fR,
+\fIclass\fR,
+and
+\fItype\fR.
+\fIhostname\fR
+is
+a pointer a to null-terminated string. The
+\fIflags\fR
+field is currently unused and must be zero.
+.PP
+After a successful call to
+\fBlwres_getrrsetbyname()\fR,
+\fI*res\fR
+is a pointer to an
+\fBrrsetinfo\fR
+structure, containing a list of one or more
+\fBrdatainfo\fR
+structures containing resource records and potentially another list of
+\fBrdatainfo\fR
+structures containing SIG resource records
+associated with those records.
+The members
+rri_rdclass
+and
+rri_rdtype
+are copied from the parameters.
+rri_ttl
+and
+rri_name
+are properties of the obtained rrset.
+The resource records contained in
+rri_rdatas
+and
+rri_sigs
+are in uncompressed DNS wire format.
+Properties of the rdataset are represented in the
+rri_flags
+bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
+validated and the signatures verified.
+.PP
+All of the information returned by
+\fBlwres_getrrsetbyname()\fR
+is dynamically allocated: the
+rrsetinfo
+and
+rdatainfo
+structures,
+and the canonical host name strings pointed to by the
+rrsetinfostructure.
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+\fBlwres_getrrsetbyname()\fR
+is released by
+\fBlwres_freerrset()\fR.
+\fIrrset\fR
+is a pointer to a
+\fBstruct rrset\fR
+created by a call to
+\fBlwres_getrrsetbyname()\fR.
+.PP
+.SH "RETURN VALUES"
+.PP
+\fBlwres_getrrsetbyname()\fR
+returns zero on success, and one of the following error
+codes if an error occurred:
+.TP
+\fBERRSET_NONAME\fR
+the name does not exist
+.TP
+\fBERRSET_NODATA\fR
+the name exists, but does not have data of the desired type
+.TP
+\fBERRSET_NOMEMORY\fR
+memory could not be allocated
+.TP
+\fBERRSET_INVAL\fR
+a parameter is invalid
+.TP
+\fBERRSET_FAIL\fR
+other failure
+.TP
+\fB\fR
+.SH "SEE ALSO"
+.PP
+\fBlwres\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
new file mode 100644
index 0000000..5ec7884
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -0,0 +1,208 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getrrsetbyname.docbook,v 1.3.206.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<refentry>
+<refentryinfo>
+
+
+<date>Oct 18, 2000</date>
+</refentryinfo>
+<refmeta>
+<refentrytitle>lwres_getrrsetbyname</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+<refnamediv>
+<refname>lwres_getrrsetbyname</refname>
+<refname>lwres_freerrset</refname>
+<refpurpose>retrieve DNS records</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+int
+<function>lwres_getrrsetbyname</function></funcdef>
+<paramdef>const char *hostname</paramdef>
+<paramdef>unsigned int rdclass</paramdef>
+<paramdef>unsigned int rdtype</paramdef>
+<paramdef>unsigned int flags</paramdef>
+<paramdef>struct rrsetinfo **res</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_freerrset</function></funcdef>
+<paramdef>struct rrsetinfo *rrset</paramdef>
+</funcprototype>
+</funcsynopsis>
+
+<para>
+The following structures are used:
+<programlisting>
+struct rdatainfo {
+ unsigned int rdi_length; /* length of data */
+ unsigned char *rdi_data; /* record data */
+};
+
+struct rrsetinfo {
+ unsigned int rri_flags; /* RRSET_VALIDATED... */
+ unsigned int rri_rdclass; /* class number */
+ unsigned int rri_rdtype; /* RR type number */
+ unsigned int rri_ttl; /* time to live */
+ unsigned int rri_nrdatas; /* size of rdatas array */
+ unsigned int rri_nsigs; /* size of sigs array */
+ char *rri_name; /* canonical name */
+ struct rdatainfo *rri_rdatas; /* individual records */
+ struct rdatainfo *rri_sigs; /* individual signatures */
+};
+</programlisting>
+</para>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+<function>lwres_getrrsetbyname()</function>
+gets a set of resource records associated with a
+<parameter>hostname</parameter>,
+
+<parameter>class</parameter>,
+
+and
+<parameter>type</parameter>.
+
+<parameter>hostname</parameter>
+is
+a pointer a to null-terminated string. The
+<parameter>flags</parameter>
+field is currently unused and must be zero.
+</para>
+<para>
+After a successful call to
+<function>lwres_getrrsetbyname()</function>,
+
+<parameter>*res</parameter>
+is a pointer to an
+<type>rrsetinfo</type>
+structure, containing a list of one or more
+<type>rdatainfo</type>
+structures containing resource records and potentially another list of
+<type>rdatainfo</type>
+structures containing SIG resource records
+associated with those records.
+The members
+<constant>rri_rdclass</constant>
+and
+<constant>rri_rdtype</constant>
+are copied from the parameters.
+<constant>rri_ttl</constant>
+and
+<constant>rri_name</constant>
+are properties of the obtained rrset.
+The resource records contained in
+<constant>rri_rdatas</constant>
+and
+<constant>rri_sigs</constant>
+are in uncompressed DNS wire format.
+Properties of the rdataset are represented in the
+<constant>rri_flags</constant>
+bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
+validated and the signatures verified.
+</para>
+<para>
+All of the information returned by
+<function>lwres_getrrsetbyname()</function>
+is dynamically allocated: the
+<constant>rrsetinfo</constant>
+and
+<constant>rdatainfo</constant>
+structures,
+and the canonical host name strings pointed to by the
+<constant>rrsetinfo</constant>structure.
+
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+<function>lwres_getrrsetbyname()</function>
+is released by
+<function>lwres_freerrset()</function>.
+
+<parameter>rrset</parameter>
+is a pointer to a
+<type>struct rrset</type>
+created by a call to
+<function>lwres_getrrsetbyname()</function>.
+
+</para>
+<para>
+</para>
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+<function>lwres_getrrsetbyname()</function>
+returns zero on success, and one of the following error
+codes if an error occurred:
+<variablelist>
+
+<varlistentry><term><constant>ERRSET_NONAME</constant></term>
+<listitem><para>
+the name does not exist
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>ERRSET_NODATA</constant></term>
+<listitem><para>
+the name exists, but does not have data of the desired type
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>ERRSET_NOMEMORY</constant></term>
+<listitem><para>
+memory could not be allocated
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>ERRSET_INVAL</constant></term>
+<listitem><para>
+a parameter is invalid
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant>ERRSET_FAIL</constant></term>
+<listitem><para>
+other failure
+</para></listitem></varlistentry>
+
+<varlistentry><term><constant></constant></term>
+<listitem><para>
+</para></listitem></varlistentry>
+
+</variablelist>
+
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
new file mode 100644
index 0000000..8a688e9
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_getrrsetbyname.html
@@ -0,0 +1,360 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_getrrsetbyname.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_getrrsetbyname</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_getrrsetbyname</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_getrrsetbyname, lwres_freerrset&nbsp;--&nbsp;retrieve DNS records</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN13"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>int
+lwres_getrrsetbyname</CODE
+>(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_freerrset</CODE
+>(struct rrsetinfo *rrset);</CODE
+></P
+><P
+></P
+></DIV
+><P
+>The following structures are used:
+<PRE
+CLASS="PROGRAMLISTING"
+>struct rdatainfo {
+ unsigned int rdi_length; /* length of data */
+ unsigned char *rdi_data; /* record data */
+};
+
+struct rrsetinfo {
+ unsigned int rri_flags; /* RRSET_VALIDATED... */
+ unsigned int rri_rdclass; /* class number */
+ unsigned int rri_rdtype; /* RR type number */
+ unsigned int rri_ttl; /* time to live */
+ unsigned int rri_nrdatas; /* size of rdatas array */
+ unsigned int rri_nsigs; /* size of sigs array */
+ char *rri_name; /* canonical name */
+ struct rdatainfo *rri_rdatas; /* individual records */
+ struct rdatainfo *rri_sigs; /* individual signatures */
+};</PRE
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN29"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>
+gets a set of resource records associated with a
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>,
+
+<VAR
+CLASS="PARAMETER"
+>class</VAR
+>,
+
+and
+<VAR
+CLASS="PARAMETER"
+>type</VAR
+>.
+
+<VAR
+CLASS="PARAMETER"
+>hostname</VAR
+>
+is
+a pointer a to null-terminated string. The
+<VAR
+CLASS="PARAMETER"
+>flags</VAR
+>
+field is currently unused and must be zero.</P
+><P
+>After a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>,
+
+<VAR
+CLASS="PARAMETER"
+>*res</VAR
+>
+is a pointer to an
+<SPAN
+CLASS="TYPE"
+>rrsetinfo</SPAN
+>
+structure, containing a list of one or more
+<SPAN
+CLASS="TYPE"
+>rdatainfo</SPAN
+>
+structures containing resource records and potentially another list of
+<SPAN
+CLASS="TYPE"
+>rdatainfo</SPAN
+>
+structures containing SIG resource records
+associated with those records.
+The members
+<CODE
+CLASS="CONSTANT"
+>rri_rdclass</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>rri_rdtype</CODE
+>
+are copied from the parameters.
+<CODE
+CLASS="CONSTANT"
+>rri_ttl</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>rri_name</CODE
+>
+are properties of the obtained rrset.
+The resource records contained in
+<CODE
+CLASS="CONSTANT"
+>rri_rdatas</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>rri_sigs</CODE
+>
+are in uncompressed DNS wire format.
+Properties of the rdataset are represented in the
+<CODE
+CLASS="CONSTANT"
+>rri_flags</CODE
+>
+bitfield. If the RRSET_VALIDATED bit is set, the data has been DNSSEC
+validated and the signatures verified. </P
+><P
+>All of the information returned by
+<CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>
+is dynamically allocated: the
+<CODE
+CLASS="CONSTANT"
+>rrsetinfo</CODE
+>
+and
+<CODE
+CLASS="CONSTANT"
+>rdatainfo</CODE
+>
+structures,
+and the canonical host name strings pointed to by the
+<CODE
+CLASS="CONSTANT"
+>rrsetinfo</CODE
+>structure.
+
+Memory allocated for the dynamically allocated structures created by
+a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>
+is released by
+<CODE
+CLASS="FUNCTION"
+>lwres_freerrset()</CODE
+>.
+
+<VAR
+CLASS="PARAMETER"
+>rrset</VAR
+>
+is a pointer to a
+<SPAN
+CLASS="TYPE"
+>struct rrset</SPAN
+>
+created by a call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>.&#13;</P
+><P
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN62"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getrrsetbyname()</CODE
+>
+returns zero on success, and one of the following error
+codes if an error occurred:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>ERRSET_NONAME</CODE
+></DT
+><DD
+><P
+>the name does not exist</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ERRSET_NODATA</CODE
+></DT
+><DD
+><P
+>the name exists, but does not have data of the desired type</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ERRSET_NOMEMORY</CODE
+></DT
+><DD
+><P
+>memory could not be allocated</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ERRSET_INVAL</CODE
+></DT
+><DD
+><P
+>a parameter is invalid</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>ERRSET_FAIL</CODE
+></DT
+><DD
+><P
+>other failure</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+></CODE
+></DT
+><DD
+><P
+></P
+></DD
+></DL
+></DIV
+>&#13;</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN97"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.3 b/contrib/bind9/lib/lwres/man/lwres_gnba.3
new file mode 100644
index 0000000..404ae41
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.3
@@ -0,0 +1,188 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_gnba.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_GNBA" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free \- lightweight resolver getnamebyaddress message handling
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_gnbarequest_render(lwres_context_t *\fIctx\fB, lwres_gnbarequest_t *\fIreq\fB, lwres_lwpacket_t *\fIpkt\fB, lwres_buffer_t *\fIb\fB);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbaresponse_render(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbarequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_gnbaresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gnbaresponse_free(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_gnbarequest_free(lwres_context_t *ctx, lwres_gnbarequest_t **structp);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These are low-level routines for creating and parsing
+lightweight resolver address-to-name lookup request and
+response messages.
+.PP
+There are four main functions for the getnamebyaddr opcode.
+One render function converts a getnamebyaddr request structure \(em
+\fBlwres_gnbarequest_t\fR \(em
+to the lightweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getnamebyaddr request structure.
+Another render function converts the getnamebyaddr response structure \(em
+\fBlwres_gnbaresponse_t\fR
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getnamebyaddr response structure.
+.PP
+These structures are defined in
+\fIlwres/lwres.h\fR.
+They are shown below.
+.sp
+.nf
+#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_addr_t addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ void *base;
+ size_t baselen;
+} lwres_gnbaresponse_t;
+.sp
+.fi
+.PP
+\fBlwres_gnbarequest_render()\fR
+uses resolver context
+ctx
+to convert getnamebyaddr request structure
+req
+to canonical format.
+The packet header structure
+pkt
+is initialised and transferred to
+buffer
+b.
+The contents of
+*req
+are then appended to the buffer in canonical format.
+\fBlwres_gnbaresponse_render()\fR
+performs the same task, except it converts a getnamebyaddr response structure
+\fBlwres_gnbaresponse_t\fR
+to the lightweight resolver's canonical format.
+.PP
+\fBlwres_gnbarequest_parse()\fR
+uses context
+ctx
+to convert the contents of packet
+pkt
+to a
+\fBlwres_gnbarequest_t\fR
+structure.
+Buffer
+b
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+\fBlwres_gnbarequest_t\fR
+is made available through
+*structp.
+\fBlwres_gnbaresponse_parse()\fR
+offers the same semantics as
+\fBlwres_gnbarequest_parse()\fR
+except it yields a
+\fBlwres_gnbaresponse_t\fR
+structure.
+.PP
+\fBlwres_gnbaresponse_free()\fR
+and
+\fBlwres_gnbarequest_free()\fR
+release the memory in resolver context
+ctx
+that was allocated to the
+\fBlwres_gnbaresponse_t\fR
+or
+\fBlwres_gnbarequest_t\fR
+structures referenced via
+structp.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
+.SH "RETURN VALUES"
+.PP
+The getnamebyaddr opcode functions
+\fBlwres_gnbarequest_render()\fR,
+\fBlwres_gnbaresponse_render()\fR
+\fBlwres_gnbarequest_parse()\fR
+and
+\fBlwres_gnbaresponse_parse()\fR
+all return
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
+if memory allocation fails.
+LWRES_R_UNEXPECTEDEND
+is returned if the available space in the buffer
+b
+is too small to accommodate the packet header or the
+\fBlwres_gnbarequest_t\fR
+and
+\fBlwres_gnbaresponse_t\fR
+structures.
+\fBlwres_gnbarequest_parse()\fR
+and
+\fBlwres_gnbaresponse_parse()\fR
+will return
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
+if
+\fBpktflags\fR
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.docbook b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
new file mode 100644
index 0000000..5bd4172
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.docbook
@@ -0,0 +1,259 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gnba.docbook,v 1.4.206.1 2004/03/06 08:15:40 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_gnba</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_gnbarequest_render</refname>
+<refname>lwres_gnbaresponse_render</refname>
+<refname>lwres_gnbarequest_parse</refname>
+<refname>lwres_gnbaresponse_parse</refname>
+<refname>lwres_gnbaresponse_free</refname>
+<refname>lwres_gnbarequest_free</refname>
+<refpurpose>lightweight resolver getnamebyaddress message handling</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+
+<funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwres.h&gt;
+</funcsynopsisinfo>
+
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gnbarequest_render</function>
+</funcdef>
+<paramdef>lwres_context_t *<parameter>ctx</parameter></paramdef>
+<paramdef>lwres_gnbarequest_t *<parameter>req</parameter></paramdef>
+<paramdef>lwres_lwpacket_t *<parameter>pkt</parameter></paramdef>
+<paramdef>lwres_buffer_t *<parameter>b</parameter></paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gnbaresponse_render</function>
+</funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gnbaresponse_t *req</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gnbarequest_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_gnbarequest_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_gnbaresponse_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_gnbaresponse_t **structp</paramdef>
+</funcprototype>
+
+<funcprototype>
+<funcdef>
+void
+<function>lwres_gnbaresponse_free</function>
+</funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gnbaresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_gnbarequest_free</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_gnbarequest_t **structp</paramdef>
+</funcprototype>
+</funcsynopsis>
+
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+These are low-level routines for creating and parsing
+lightweight resolver address-to-name lookup request and
+response messages.
+</para>
+<para>
+There are four main functions for the getnamebyaddr opcode.
+One render function converts a getnamebyaddr request structure &mdash;
+<type>lwres_gnbarequest_t</type> &mdash;
+to the lightweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getnamebyaddr request structure.
+Another render function converts the getnamebyaddr response structure &mdash;
+<type>lwres_gnbaresponse_t</type>
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getnamebyaddr response structure.
+</para>
+<para>
+These structures are defined in
+<filename>lwres/lwres.h</filename>.
+They are shown below.
+<programlisting>
+#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_addr_t addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ void *base;
+ size_t baselen;
+} lwres_gnbaresponse_t;
+</programlisting>
+</para>
+<para>
+<function>lwres_gnbarequest_render()</function>
+uses resolver context
+<varname>ctx</varname>
+to convert getnamebyaddr request structure
+<varname>req</varname>
+to canonical format.
+The packet header structure
+<varname>pkt</varname>
+is initialised and transferred to
+buffer
+<varname>b</varname>.
+The contents of
+<varname>*req</varname>
+are then appended to the buffer in canonical format.
+<function>lwres_gnbaresponse_render()</function>
+performs the same task, except it converts a getnamebyaddr response structure
+<type>lwres_gnbaresponse_t</type>
+to the lightweight resolver's canonical format.
+</para>
+<para>
+<function>lwres_gnbarequest_parse()</function>
+uses context
+<varname>ctx</varname>
+to convert the contents of packet
+<varname>pkt</varname>
+to a
+<type>lwres_gnbarequest_t</type>
+structure.
+Buffer
+<varname>b</varname>
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+<type>lwres_gnbarequest_t</type>
+is made available through
+<varname>*structp</varname>.
+<function>lwres_gnbaresponse_parse()</function>
+offers the same semantics as
+<function>lwres_gnbarequest_parse()</function>
+except it yields a
+<type>lwres_gnbaresponse_t</type>
+structure.
+</para>
+<para>
+<function>lwres_gnbaresponse_free()</function>
+and
+<function>lwres_gnbarequest_free()</function>
+release the memory in resolver context
+<varname>ctx</varname>
+that was allocated to the
+<type>lwres_gnbaresponse_t</type>
+or
+<type>lwres_gnbarequest_t</type>
+structures referenced via
+<varname>structp</varname>.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.
+</para>
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+The getnamebyaddr opcode functions
+<function>lwres_gnbarequest_render()</function>,
+<function>lwres_gnbaresponse_render()</function>
+<function>lwres_gnbarequest_parse()</function>
+and
+<function>lwres_gnbaresponse_parse()</function>
+all return
+<errorcode>LWRES_R_SUCCESS</errorcode>
+on success.
+They return
+<errorcode>LWRES_R_NOMEMORY</errorcode>
+if memory allocation fails.
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+is returned if the available space in the buffer
+<varname>b</varname>
+is too small to accommodate the packet header or the
+<type>lwres_gnbarequest_t</type>
+and
+<type>lwres_gnbaresponse_t</type>
+structures.
+<function>lwres_gnbarequest_parse()</function>
+and
+<function>lwres_gnbaresponse_parse()</function>
+will return
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<errorcode>LWRES_R_FAILURE</errorcode>
+if
+<structfield>pktflags</structfield>
+in the packet header structure
+<type>lwres_lwpacket_t</type>
+indicate that the packet is not a response to an earlier query.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_packet</refentrytitle>
+<manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_gnba.html b/contrib/bind9/lib/lwres/man/lwres_gnba.html
new file mode 100644
index 0000000..537b259
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_gnba.html
@@ -0,0 +1,409 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_gnba.html,v 1.6.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_gnba</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_gnba</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_gnbarequest_render, lwres_gnbaresponse_render, lwres_gnbarequest_parse, lwres_gnbaresponse_parse, lwres_gnbaresponse_free, lwres_gnbarequest_free&nbsp;--&nbsp;lightweight resolver getnamebyaddress message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN17"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbarequest_render</CODE
+>(lwres_context_t *ctx, lwres_gnbarequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbaresponse_render</CODE
+>(lwres_context_t *ctx, lwres_gnbaresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbarequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbarequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_gnbaresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gnbaresponse_free</CODE
+>(lwres_context_t *ctx, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_gnbarequest_free</CODE
+>(lwres_context_t *ctx, lwres_gnbarequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN61"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
+lightweight resolver address-to-name lookup request and
+response messages.</P
+><P
+>There are four main functions for the getnamebyaddr opcode.
+One render function converts a getnamebyaddr request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+> &mdash;
+to the lightweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a getnamebyaddr request structure.
+Another render function converts the getnamebyaddr response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a getnamebyaddr response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>lwres/lwres.h</TT
+>.
+They are shown below.
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_GETNAMEBYADDR 0x00010002U
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_addr_t addr;
+} lwres_gnbarequest_t;
+
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ void *base;
+ size_t baselen;
+} lwres_gnbaresponse_t;</PRE
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_render()</CODE
+>
+uses resolver context
+<VAR
+CLASS="VARNAME"
+>ctx</VAR
+>
+to convert getnamebyaddr request structure
+<VAR
+CLASS="VARNAME"
+>req</VAR
+>
+to canonical format.
+The packet header structure
+<VAR
+CLASS="VARNAME"
+>pkt</VAR
+>
+is initialised and transferred to
+buffer
+<VAR
+CLASS="VARNAME"
+>b</VAR
+>.
+The contents of
+<VAR
+CLASS="VARNAME"
+>*req</VAR
+>
+are then appended to the buffer in canonical format.
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_render()</CODE
+>
+performs the same task, except it converts a getnamebyaddr response structure
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+to the lightweight resolver's canonical format.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</CODE
+>
+uses context
+<VAR
+CLASS="VARNAME"
+>ctx</VAR
+>
+to convert the contents of packet
+<VAR
+CLASS="VARNAME"
+>pkt</VAR
+>
+to a
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
+structure.
+Buffer
+<VAR
+CLASS="VARNAME"
+>b</VAR
+>
+provides space to be used for storing this structure.
+When the function succeeds, the resulting
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
+is made available through
+<VAR
+CLASS="VARNAME"
+>*structp</VAR
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</CODE
+>
+offers the same semantics as
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</CODE
+>
+except it yields a
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+structure.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_free()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_free()</CODE
+>
+release the memory in resolver context
+<VAR
+CLASS="VARNAME"
+>ctx</VAR
+>
+that was allocated to the
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+or
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
+structures referenced via
+<VAR
+CLASS="VARNAME"
+>structp</VAR
+>.
+Any memory associated with ancillary buffers and strings for those
+structures is also discarded.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN97"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The getnamebyaddr opcode functions
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_render()</CODE
+>,
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_render()</CODE
+>
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</CODE
+>
+all return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+on success.
+They return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
+if memory allocation fails.
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+is returned if the available space in the buffer
+<VAR
+CLASS="VARNAME"
+>b</VAR
+>
+is too small to accommodate the packet header or the
+<SPAN
+CLASS="TYPE"
+>lwres_gnbarequest_t</SPAN
+>
+and
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+structures.
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbarequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_gnbaresponse_parse()</CODE
+>
+will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
+if
+<CODE
+CLASS="STRUCTFIELD"
+>pktflags</CODE
+>
+in the packet header structure
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.3 b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
new file mode 100644
index 0000000..2260088
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.3
@@ -0,0 +1,69 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_hstrerror.3,v 1.13.2.1.8.1 2004/03/06 07:41:43 marka Exp $
+.\"
+.TH "LWRES_HSTRERROR" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_herror, lwres_hstrerror \- lightweight resolver error message generation
+.SH SYNOPSIS
+\fB#include <lwres/netdb.h>
+.sp
+.na
+void
+lwres_herror(const char *s);
+.ad
+.sp
+.na
+const char *
+lwres_hstrerror(int err);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_herror()\fR prints the string
+\fIs\fR on \fBstderr\fR followed by the string
+generated by \fBlwres_hstrerror()\fR for the error code
+stored in the global variable lwres_h_errno.
+.PP
+\fBlwres_hstrerror()\fR returns an appropriate string
+for the error code gievn by \fIerr\fR. The values of
+the error codes and messages are as follows:
+.TP
+\fBNETDB_SUCCESS\fR
+\fBResolver Error 0 (no error)\fR
+.TP
+\fBHOST_NOT_FOUND\fR
+\fBUnknown host\fR
+.TP
+\fBTRY_AGAIN\fR
+\fBHost name lookup failure\fR
+.TP
+\fBNO_RECOVERY\fR
+\fBUnknown server error\fR
+.TP
+\fBNO_DATA\fR
+\fBNo address associated with name\fR
+.SH "RETURN VALUES"
+.PP
+The string \fBUnknown resolver error\fR is returned by
+\fBlwres_hstrerror()\fR
+when the value of
+lwres_h_errno
+is not a valid error code.
+.SH "SEE ALSO"
+.PP
+\fBherror\fR(3),
+\fBlwres_hstrerror\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
new file mode 100644
index 0000000..2ad4c49
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.docbook
@@ -0,0 +1,124 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_hstrerror.docbook,v 1.4.206.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_hstrerror</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_herror</refname>
+<refname>lwres_hstrerror</refname>
+<refpurpose>lightweight resolver error message generation</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/netdb.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_herror</function></funcdef>
+<paramdef>const char *s</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+const char *
+<function>lwres_hstrerror</function></funcdef>
+<paramdef>int err</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+
+<para>
+<function>lwres_herror()</function> prints the string
+<parameter>s</parameter> on <type>stderr</type> followed by the string
+generated by <function>lwres_hstrerror()</function> for the error code
+stored in the global variable <constant>lwres_h_errno</constant>.
+</para>
+
+<para>
+<function>lwres_hstrerror()</function> returns an appropriate string
+for the error code gievn by <parameter>err</parameter>. The values of
+the error codes and messages are as follows:
+
+<variablelist>
+<varlistentry><term><errorcode>NETDB_SUCCESS</errorcode></term>
+<listitem>
+<para>
+<errorname>Resolver Error 0 (no error)</errorname>
+</para></listitem></varlistentry>
+<varlistentry><term><errorcode>HOST_NOT_FOUND</errorcode></term>
+<listitem>
+<para>
+<errorname>Unknown host</errorname>
+</para></listitem></varlistentry>
+<varlistentry><term><errorcode>TRY_AGAIN</errorcode></term>
+<listitem>
+<para>
+<errorname>Host name lookup failure</errorname>
+</para></listitem></varlistentry>
+<varlistentry><term><errorcode>NO_RECOVERY</errorcode></term>
+<listitem>
+<para>
+<errorname>Unknown server error</errorname>
+</para></listitem></varlistentry>
+<varlistentry><term><errorcode>NO_DATA</errorcode></term>
+<listitem>
+<para>
+<errorname>No address associated with name</errorname>
+</para></listitem></varlistentry>
+</variablelist>
+</para>
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+The string <errorname>Unknown resolver error</errorname> is returned by
+<function>lwres_hstrerror()</function>
+when the value of
+<constant>lwres_h_errno</constant>
+is not a valid error code.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_hstrerror</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_hstrerror.html b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
new file mode 100644
index 0000000..0c264af
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_hstrerror.html
@@ -0,0 +1,241 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_hstrerror.html,v 1.5.2.1.4.2 2004/08/22 23:39:04 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_hstrerror</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_hstrerror</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_herror, lwres_hstrerror&nbsp;--&nbsp;lightweight resolver error message generation</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN13"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/netdb.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_herror</CODE
+>(const char *s);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>const char *
+lwres_hstrerror</CODE
+>(int err);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN23"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_herror()</CODE
+> prints the string
+<VAR
+CLASS="PARAMETER"
+>s</VAR
+> on <SPAN
+CLASS="TYPE"
+>stderr</SPAN
+> followed by the string
+generated by <CODE
+CLASS="FUNCTION"
+>lwres_hstrerror()</CODE
+> for the error code
+stored in the global variable <CODE
+CLASS="CONSTANT"
+>lwres_h_errno</CODE
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_hstrerror()</CODE
+> returns an appropriate string
+for the error code gievn by <VAR
+CLASS="PARAMETER"
+>err</VAR
+>. The values of
+the error codes and messages are as follows:
+
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NETDB_SUCCESS</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Resolver Error 0 (no error)</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>HOST_NOT_FOUND</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Unknown host</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>TRY_AGAIN</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Host name lookup failure</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NO_RECOVERY</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>Unknown server error</SPAN
+></P
+></DD
+><DT
+><SPAN
+CLASS="ERRORCODE"
+>NO_DATA</SPAN
+></DT
+><DD
+><P
+><SPAN
+CLASS="ERRORNAME"
+>No address associated with name</SPAN
+></P
+></DD
+></DL
+></DIV
+></P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN65"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The string <SPAN
+CLASS="ERRORNAME"
+>Unknown resolver error</SPAN
+> is returned by
+<CODE
+CLASS="FUNCTION"
+>lwres_hstrerror()</CODE
+>
+when the value of
+<CODE
+CLASS="CONSTANT"
+>lwres_h_errno</CODE
+>
+is not a valid error code.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN71"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>herror</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_hstrerror</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.3 b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
new file mode 100644
index 0000000..a4603c6
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.3
@@ -0,0 +1,54 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_inetntop.3,v 1.12.2.1.8.1 2004/03/06 07:41:44 marka Exp $
+.\"
+.TH "LWRES_INETNTOP" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_net_ntop \- lightweight resolver IP address presentation
+.SH SYNOPSIS
+\fB#include <lwres/net.h>
+.sp
+.na
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_net_ntop()\fR converts an IP address of
+protocol family \fIaf\fR \(em IPv4 or IPv6 \(em
+at location \fIsrc\fR from network format to its
+conventional representation as a string. For IPv4 addresses, that
+string would be a dotted-decimal. An IPv6 address would be
+represented in colon notation as described in RFC1884.
+.PP
+The generated string is copied to \fIdst\fR provided
+\fIsize\fR indicates it is long enough to store the
+ASCII representation of the address.
+.SH "RETURN VALUES"
+.PP
+If successful, the function returns \fIdst\fR:
+a pointer to a string containing the presentation format of the
+address. \fBlwres_net_ntop()\fR returns
+\fBNULL\fR and sets the global variable
+errno to EAFNOSUPPORT if
+the protocol family given in \fIaf\fR is not
+supported.
+.SH "SEE ALSO"
+.PP
+\fBRFC1884\fR,
+\fBinet_ntop\fR(3),
+\fBerrno\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
new file mode 100644
index 0000000..e771478
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.docbook
@@ -0,0 +1,99 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_inetntop.docbook,v 1.3.206.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_inetntop</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_net_ntop</refname>
+<refpurpose>lightweight resolver IP address presentation</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/net.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+const char *
+<function>lwres_net_ntop</function></funcdef>
+<paramdef>int af</paramdef>
+<paramdef>const void *src</paramdef>
+<paramdef>char *dst</paramdef>
+<paramdef>size_t size</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+
+<para>
+<function>lwres_net_ntop()</function> converts an IP address of
+protocol family <parameter>af</parameter> &mdash; IPv4 or IPv6 &mdash;
+at location <parameter>src</parameter> from network format to its
+conventional representation as a string. For IPv4 addresses, that
+string would be a dotted-decimal. An IPv6 address would be
+represented in colon notation as described in RFC1884.
+</para>
+
+<para>
+The generated string is copied to <parameter>dst</parameter> provided
+<parameter>size</parameter> indicates it is long enough to store the
+ASCII representation of the address.
+</para>
+
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+
+<para>
+If successful, the function returns <parameter>dst</parameter>:
+a pointer to a string containing the presentation format of the
+address. <function>lwres_net_ntop()</function> returns
+<type>NULL</type> and sets the global variable
+<constant>errno</constant> to <errorcode>EAFNOSUPPORT</errorcode> if
+the protocol family given in <parameter>af</parameter> is not
+supported.
+</para>
+
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>RFC1884</refentrytitle>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>inet_ntop</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+<citerefentry>
+<refentrytitle>errno</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_inetntop.html b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
new file mode 100644
index 0000000..3453345
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_inetntop.html
@@ -0,0 +1,177 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_inetntop.html,v 1.5.2.1.4.2 2004/08/22 23:39:05 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_inetntop</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_inetntop</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_net_ntop&nbsp;--&nbsp;lightweight resolver IP address presentation</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN11"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN12"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/net.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>const char *
+lwres_net_ntop</CODE
+>(int af, const void *src, char *dst, size_t size);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN21"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_net_ntop()</CODE
+> converts an IP address of
+protocol family <VAR
+CLASS="PARAMETER"
+>af</VAR
+> &mdash; IPv4 or IPv6 &mdash;
+at location <VAR
+CLASS="PARAMETER"
+>src</VAR
+> from network format to its
+conventional representation as a string. For IPv4 addresses, that
+string would be a dotted-decimal. An IPv6 address would be
+represented in colon notation as described in RFC1884.</P
+><P
+>The generated string is copied to <VAR
+CLASS="PARAMETER"
+>dst</VAR
+> provided
+<VAR
+CLASS="PARAMETER"
+>size</VAR
+> indicates it is long enough to store the
+ASCII representation of the address.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN30"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>If successful, the function returns <VAR
+CLASS="PARAMETER"
+>dst</VAR
+>:
+a pointer to a string containing the presentation format of the
+address. <CODE
+CLASS="FUNCTION"
+>lwres_net_ntop()</CODE
+> returns
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> and sets the global variable
+<CODE
+CLASS="CONSTANT"
+>errno</CODE
+> to <SPAN
+CLASS="ERRORCODE"
+>EAFNOSUPPORT</SPAN
+> if
+the protocol family given in <VAR
+CLASS="PARAMETER"
+>af</VAR
+> is not
+supported.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN39"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>RFC1884</SPAN
+></SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>inet_ntop</SPAN
+>(3)</SPAN
+>,
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>errno</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.3 b/contrib/bind9/lib/lwres/man/lwres_noop.3
new file mode 100644
index 0000000..36bb904
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.3
@@ -0,0 +1,162 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_noop.3,v 1.14.2.1.8.1 2004/03/06 07:41:44 marka Exp $
+.\"
+.TH "LWRES_NOOP" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free \- lightweight resolver no-op message handling
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_nooprequest_render(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_noopresponse_render(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_nooprequest_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_noopresponse_parse(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_noopresponse_free(lwres_context_t *ctx, lwres_noopresponse_t **structp);
+.ad
+.sp
+.na
+void
+lwres_nooprequest_free(lwres_context_t *ctx, lwres_nooprequest_t **structp);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These are low-level routines for creating and parsing
+lightweight resolver no-op request and response messages.
+.PP
+The no-op message is analogous to a \fBping\fR packet:
+a packet is sent to the resolver daemon and is simply echoed back.
+The opcode is intended to allow a client to determine if the server is
+operational or not.
+.PP
+There are four main functions for the no-op opcode.
+One render function converts a no-op request structure \(em
+\fBlwres_nooprequest_t\fR \(em
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a no-op request structure.
+Another render function converts the no-op response structure \(em
+\fBlwres_noopresponse_t\fR
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a no-op response structure.
+.PP
+These structures are defined in
+\fIlwres/lwres.h\fR.
+They are shown below.
+.sp
+.nf
+#define LWRES_OPCODE_NOOP 0x00000000U
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_nooprequest_t;
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_noopresponse_t;
+.sp
+.fi
+Although the structures have different types, they are identical.
+This is because the no-op opcode simply echos whatever data was sent:
+the response is therefore identical to the request.
+.PP
+\fBlwres_nooprequest_render()\fR uses resolver
+context \fIctx\fR to convert no-op request structure
+\fIreq\fR to canonical format. The packet header
+structure \fIpkt\fR is initialised and transferred to
+buffer \fIb\fR. The contents of
+\fI*req\fR are then appended to the buffer in
+canonical format. \fBlwres_noopresponse_render()\fR
+performs the same task, except it converts a no-op response structure
+\fBlwres_noopresponse_t\fR to the lightweight resolver's
+canonical format.
+.PP
+\fBlwres_nooprequest_parse()\fR uses context
+\fIctx\fR to convert the contents of packet
+\fIpkt\fR to a \fBlwres_nooprequest_t\fR
+structure. Buffer \fIb\fR provides space to be used
+for storing this structure. When the function succeeds, the resulting
+\fBlwres_nooprequest_t\fR is made available through
+\fI*structp\fR.
+\fBlwres_noopresponse_parse()\fR offers the same
+semantics as \fBlwres_nooprequest_parse()\fR except it
+yields a \fBlwres_noopresponse_t\fR structure.
+.PP
+\fBlwres_noopresponse_free()\fR and
+\fBlwres_nooprequest_free()\fR release the memory in
+resolver context \fIctx\fR that was allocated to the
+\fBlwres_noopresponse_t\fR or \fBlwres_nooprequest_t\fR
+structures referenced via \fIstructp\fR.
+.SH "RETURN VALUES"
+.PP
+The no-op opcode functions
+\fBlwres_nooprequest_render()\fR,
+\fBlwres_noopresponse_render()\fR
+\fBlwres_nooprequest_parse()\fR
+and
+\fBlwres_noopresponse_parse()\fR
+all return
+LWRES_R_SUCCESS
+on success.
+They return
+LWRES_R_NOMEMORY
+if memory allocation fails.
+LWRES_R_UNEXPECTEDEND
+is returned if the available space in the buffer
+\fIb\fR
+is too small to accommodate the packet header or the
+\fBlwres_nooprequest_t\fR
+and
+\fBlwres_noopresponse_t\fR
+structures.
+\fBlwres_nooprequest_parse()\fR
+and
+\fBlwres_noopresponse_parse()\fR
+will return
+LWRES_R_UNEXPECTEDEND
+if the buffer is not empty after decoding the received packet.
+These functions will return
+LWRES_R_FAILURE
+if
+pktflags
+in the packet header structure
+\fBlwres_lwpacket_t\fR
+indicate that the packet is not a response to an earlier query.
+.SH "SEE ALSO"
+.PP
+\fBlwres_packet\fR(3)
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.docbook b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
new file mode 100644
index 0000000..dde2795
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.docbook
@@ -0,0 +1,229 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_noop.docbook,v 1.4.206.1 2004/03/06 08:15:41 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_noop</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_nooprequest_render</refname>
+<refname>lwres_noopresponse_render</refname>
+<refname>lwres_nooprequest_parse</refname>
+<refname>lwres_noopresponse_parse</refname>
+<refname>lwres_noopresponse_free</refname>
+<refname>lwres_nooprequest_free</refname>
+<refpurpose>lightweight resolver no-op message handling</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>
+#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_nooprequest_render</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_nooprequest_t *req</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_noopresponse_render</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_noopresponse_t *req</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_nooprequest_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_nooprequest_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_noopresponse_parse</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+<paramdef>lwres_noopresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_noopresponse_free</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_noopresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+void
+<function>lwres_nooprequest_free</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_nooprequest_t **structp</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+These are low-level routines for creating and parsing
+lightweight resolver no-op request and response messages.
+</para>
+<para>
+The no-op message is analogous to a <command>ping</command> packet:
+a packet is sent to the resolver daemon and is simply echoed back.
+The opcode is intended to allow a client to determine if the server is
+operational or not.
+</para>
+<para>
+There are four main functions for the no-op opcode.
+One render function converts a no-op request structure &mdash;
+<type>lwres_nooprequest_t</type> &mdash;
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a no-op request structure.
+Another render function converts the no-op response structure &mdash;
+<type>lwres_noopresponse_t</type>
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a no-op response structure.
+</para>
+<para>
+These structures are defined in
+<filename>lwres/lwres.h</filename>.
+
+They are shown below.
+<programlisting>
+#define LWRES_OPCODE_NOOP 0x00000000U
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_nooprequest_t;
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_noopresponse_t;
+</programlisting>
+Although the structures have different types, they are identical.
+This is because the no-op opcode simply echos whatever data was sent:
+the response is therefore identical to the request.
+</para>
+
+<para>
+<function>lwres_nooprequest_render()</function> uses resolver
+context <parameter>ctx</parameter> to convert no-op request structure
+<parameter>req</parameter> to canonical format. The packet header
+structure <parameter>pkt</parameter> is initialised and transferred to
+buffer <parameter>b</parameter>. The contents of
+<parameter>*req</parameter> are then appended to the buffer in
+canonical format. <function>lwres_noopresponse_render()</function>
+performs the same task, except it converts a no-op response structure
+<type>lwres_noopresponse_t</type> to the lightweight resolver's
+canonical format.
+</para>
+
+<para>
+<function>lwres_nooprequest_parse()</function> uses context
+<parameter>ctx</parameter> to convert the contents of packet
+<parameter>pkt</parameter> to a <type>lwres_nooprequest_t</type>
+structure. Buffer <parameter>b</parameter> provides space to be used
+for storing this structure. When the function succeeds, the resulting
+<type>lwres_nooprequest_t</type> is made available through
+<parameter>*structp</parameter>.
+<function>lwres_noopresponse_parse()</function> offers the same
+semantics as <function>lwres_nooprequest_parse()</function> except it
+yields a <type>lwres_noopresponse_t</type> structure.
+</para>
+
+<para>
+<function>lwres_noopresponse_free()</function> and
+<function>lwres_nooprequest_free()</function> release the memory in
+resolver context <parameter>ctx</parameter> that was allocated to the
+<type>lwres_noopresponse_t</type> or <type>lwres_nooprequest_t</type>
+structures referenced via <parameter>structp</parameter>.
+</para>
+
+</refsect1>
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+The no-op opcode functions
+<function>lwres_nooprequest_render()</function>,
+
+<function>lwres_noopresponse_render()</function>
+<function>lwres_nooprequest_parse()</function>
+and
+<function>lwres_noopresponse_parse()</function>
+all return
+<errorcode>LWRES_R_SUCCESS</errorcode>
+on success.
+They return
+<errorcode>LWRES_R_NOMEMORY</errorcode>
+if memory allocation fails.
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+is returned if the available space in the buffer
+<parameter>b</parameter>
+is too small to accommodate the packet header or the
+<type>lwres_nooprequest_t</type>
+and
+<type>lwres_noopresponse_t</type>
+structures.
+<function>lwres_nooprequest_parse()</function>
+and
+<function>lwres_noopresponse_parse()</function>
+will return
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<errorcode>LWRES_R_FAILURE</errorcode>
+if
+<constant>pktflags</constant>
+in the packet header structure
+<type>lwres_lwpacket_t</type>
+indicate that the packet is not a response to an earlier query.
+</para>
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_packet</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+</para>
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_noop.html b/contrib/bind9/lib/lwres/man/lwres_noop.html
new file mode 100644
index 0000000..0962883
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_noop.html
@@ -0,0 +1,388 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_noop.html,v 1.7.2.1.4.2 2004/08/22 23:39:05 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_noop</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_noop</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_nooprequest_render, lwres_noopresponse_render, lwres_nooprequest_parse, lwres_noopresponse_parse, lwres_noopresponse_free, lwres_nooprequest_free&nbsp;--&nbsp;lightweight resolver no-op message handling</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN16"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN17"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_nooprequest_render</CODE
+>(lwres_context_t *ctx, lwres_nooprequest_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_noopresponse_render</CODE
+>(lwres_context_t *ctx, lwres_noopresponse_t *req, lwres_lwpacket_t *pkt, lwres_buffer_t *b);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_nooprequest_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_nooprequest_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_noopresponse_parse</CODE
+>(lwres_context_t *ctx, lwres_buffer_t *b, lwres_lwpacket_t *pkt, lwres_noopresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_noopresponse_free</CODE
+>(lwres_context_t *ctx, lwres_noopresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>void
+lwres_nooprequest_free</CODE
+>(lwres_context_t *ctx, lwres_nooprequest_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN57"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These are low-level routines for creating and parsing
+lightweight resolver no-op request and response messages.</P
+><P
+>The no-op message is analogous to a <B
+CLASS="COMMAND"
+>ping</B
+> packet:
+a packet is sent to the resolver daemon and is simply echoed back.
+The opcode is intended to allow a client to determine if the server is
+operational or not.</P
+><P
+>There are four main functions for the no-op opcode.
+One render function converts a no-op request structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+> &mdash;
+to the lighweight resolver's canonical format.
+It is complemented by a parse function that converts a packet in this
+canonical format to a no-op request structure.
+Another render function converts the no-op response structure &mdash;
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+>
+to the canonical format.
+This is complemented by a parse function which converts a packet in
+canonical format to a no-op response structure.</P
+><P
+>These structures are defined in
+<TT
+CLASS="FILENAME"
+>lwres/lwres.h</TT
+>.
+
+They are shown below.
+<PRE
+CLASS="PROGRAMLISTING"
+>#define LWRES_OPCODE_NOOP 0x00000000U
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_nooprequest_t;
+
+typedef struct {
+ lwres_uint16_t datalength;
+ unsigned char *data;
+} lwres_noopresponse_t;</PRE
+>
+Although the structures have different types, they are identical.
+This is because the no-op opcode simply echos whatever data was sent:
+the response is therefore identical to the request.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_render()</CODE
+> uses resolver
+context <VAR
+CLASS="PARAMETER"
+>ctx</VAR
+> to convert no-op request structure
+<VAR
+CLASS="PARAMETER"
+>req</VAR
+> to canonical format. The packet header
+structure <VAR
+CLASS="PARAMETER"
+>pkt</VAR
+> is initialised and transferred to
+buffer <VAR
+CLASS="PARAMETER"
+>b</VAR
+>. The contents of
+<VAR
+CLASS="PARAMETER"
+>*req</VAR
+> are then appended to the buffer in
+canonical format. <CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_render()</CODE
+>
+performs the same task, except it converts a no-op response structure
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> to the lightweight resolver's
+canonical format.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</CODE
+> uses context
+<VAR
+CLASS="PARAMETER"
+>ctx</VAR
+> to convert the contents of packet
+<VAR
+CLASS="PARAMETER"
+>pkt</VAR
+> to a <SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
+structure. Buffer <VAR
+CLASS="PARAMETER"
+>b</VAR
+> provides space to be used
+for storing this structure. When the function succeeds, the resulting
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+> is made available through
+<VAR
+CLASS="PARAMETER"
+>*structp</VAR
+>.
+<CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</CODE
+> offers the same
+semantics as <CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</CODE
+> except it
+yields a <SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> structure.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_free()</CODE
+> and
+<CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_free()</CODE
+> release the memory in
+resolver context <VAR
+CLASS="PARAMETER"
+>ctx</VAR
+> that was allocated to the
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+> or <SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
+structures referenced via <VAR
+CLASS="PARAMETER"
+>structp</VAR
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN95"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>The no-op opcode functions
+<CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_render()</CODE
+>,
+
+<CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_render()</CODE
+>
+<CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</CODE
+>
+all return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+on success.
+They return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
+if memory allocation fails.
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+is returned if the available space in the buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>
+is too small to accommodate the packet header or the
+<SPAN
+CLASS="TYPE"
+>lwres_nooprequest_t</SPAN
+>
+and
+<SPAN
+CLASS="TYPE"
+>lwres_noopresponse_t</SPAN
+>
+structures.
+<CODE
+CLASS="FUNCTION"
+>lwres_nooprequest_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_noopresponse_parse()</CODE
+>
+will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+if the buffer is not empty after decoding the received packet.
+These functions will return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
+if
+<CODE
+CLASS="CONSTANT"
+>pktflags</CODE
+>
+in the packet header structure
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>
+indicate that the packet is not a response to an earlier query.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN114"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_packet</SPAN
+>(3)</SPAN
+></P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.3 b/contrib/bind9/lib/lwres/man/lwres_packet.3
new file mode 100644
index 0000000..1fbc417
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.3
@@ -0,0 +1,151 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_packet.3,v 1.15.2.1.8.1 2004/03/06 07:41:44 marka Exp $
+.\"
+.TH "LWRES_PACKET" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_lwpacket_renderheader, lwres_lwpacket_parseheader \- lightweight resolver packet handling functions
+.SH SYNOPSIS
+\fB#include <lwres/lwpacket.h>
+.sp
+.na
+lwres_result_t
+lwres_lwpacket_renderheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_lwpacket_parseheader(lwres_buffer_t *b, lwres_lwpacket_t *pkt);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+These functions rely on a
+\fBstruct lwres_lwpacket\fR
+which is defined in
+\fIlwres/lwpacket.h\fR.
+.sp
+.nf
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+
+struct lwres_lwpacket {
+ lwres_uint32_t length;
+ lwres_uint16_t version;
+ lwres_uint16_t pktflags;
+ lwres_uint32_t serial;
+ lwres_uint32_t opcode;
+ lwres_uint32_t result;
+ lwres_uint32_t recvlength;
+ lwres_uint16_t authtype;
+ lwres_uint16_t authlength;
+};
+.sp
+.fi
+.PP
+The elements of this structure are:
+.TP
+\fBlength\fR
+the overall packet length, including the entire packet header.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
+\fBversion\fR
+the header format. There is currently only one format,
+\fBLWRES_LWPACKETVERSION_0\fR.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
+\fBpktflags\fR
+library-defined flags for this packet: for instance whether the packet
+is a request or a reply. Flag values can be set, but not defined by
+the caller.
+This field is filled in by the application wit the exception of the
+LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
+lwres_gabn_*() and lwres_gnba_*() calls.
+.TP
+\fBserial\fR
+is set by the requestor and is returned in all replies. If two or more
+packets from the same source have the same serial number and are from
+the same source, they are assumed to be duplicates and the latter ones
+may be dropped.
+This field must be set by the application.
+.TP
+\fBopcode\fR
+indicates the operation.
+Opcodes between 0x00000000 and 0x03ffffff are
+reserved for use by the lightweight resolver library. Opcodes between
+0x04000000 and 0xffffffff are application defined.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
+\fBresult\fR
+is only valid for replies.
+Results between 0x04000000 and 0xffffffff are application defined.
+Results between 0x00000000 and 0x03ffffff are reserved for library use.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+.TP
+\fBrecvlength\fR
+is the maximum buffer size that the receiver can handle on requests
+and the size of the buffer needed to satisfy a request when the buffer
+is too large for replies.
+This field is supplied by the application.
+.TP
+\fBauthtype\fR
+defines the packet level authentication that is used.
+Authorisation types between 0x1000 and 0xffff are application defined
+and types between 0x0000 and 0x0fff are reserved for library use.
+Currently these are not used and must be zero.
+.TP
+\fBauthlen\fR
+gives the length of the authentication data.
+Since packet authentication is currently not used, this must be zero.
+.PP
+The following opcodes are currently defined:
+.TP
+\fBNOOP\fR
+Success is always returned and the packet contents are echoed.
+The lwres_noop_*() functions should be used for this type.
+.TP
+\fBGETADDRSBYNAME\fR
+returns all known addresses for a given name.
+The lwres_gabn_*() functions should be used for this type.
+.TP
+\fBGETNAMEBYADDR\fR
+return the hostname for the given address.
+The lwres_gnba_*() functions should be used for this type.
+.PP
+\fBlwres_lwpacket_renderheader()\fR transfers the
+contents of lightweight resolver packet structure
+\fBlwres_lwpacket_t\fR \fI*pkt\fR in network
+byte order to the lightweight resolver buffer,
+\fI*b\fR.
+.PP
+\fBlwres_lwpacket_parseheader()\fR performs the
+converse operation. It transfers data in network byte order from
+buffer \fI*b\fR to resolver packet
+\fI*pkt\fR. The contents of the buffer
+\fIb\fR should correspond to a
+\fBlwres_lwpacket_t\fR.
+.SH "RETURN VALUES"
+.PP
+Successful calls to
+\fBlwres_lwpacket_renderheader()\fR and
+\fBlwres_lwpacket_parseheader()\fR return
+LWRES_R_SUCCESS. If there is insufficient
+space to copy data between the buffer \fI*b\fR and
+lightweight resolver packet \fI*pkt\fR both functions
+return LWRES_R_UNEXPECTEDEND.
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.docbook b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
new file mode 100644
index 0000000..7795ebc
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.docbook
@@ -0,0 +1,218 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_packet.docbook,v 1.6.206.1 2004/03/06 08:15:42 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+<refentrytitle>lwres_packet</refentrytitle>
+<manvolnum>3</manvolnum>
+<refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_lwpacket_renderheader</refname>
+<refname>lwres_lwpacket_parseheader</refname>
+<refpurpose>lightweight resolver packet handling functions</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwpacket.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_lwpacket_renderheader</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_lwpacket_parseheader</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_lwpacket_t *pkt</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+<refsect1>
+<title>DESCRIPTION</title>
+<para>
+These functions rely on a
+<type>struct lwres_lwpacket</type>
+which is defined in
+<filename>lwres/lwpacket.h</filename>.
+
+<programlisting>
+typedef struct lwres_lwpacket lwres_lwpacket_t;
+
+struct lwres_lwpacket {
+ lwres_uint32_t length;
+ lwres_uint16_t version;
+ lwres_uint16_t pktflags;
+ lwres_uint32_t serial;
+ lwres_uint32_t opcode;
+ lwres_uint32_t result;
+ lwres_uint32_t recvlength;
+ lwres_uint16_t authtype;
+ lwres_uint16_t authlength;
+};
+</programlisting>
+</para>
+
+<para>
+The elements of this structure are:
+<variablelist>
+<varlistentry><term><constant>length</constant></term>
+<listitem>
+<para>
+the overall packet length, including the entire packet header.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>version</constant></term>
+<listitem>
+<para>
+the header format. There is currently only one format,
+<type>LWRES_LWPACKETVERSION_0</type>.
+
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>pktflags</constant></term>
+<listitem>
+<para>
+library-defined flags for this packet: for instance whether the packet
+is a request or a reply. Flag values can be set, but not defined by
+the caller.
+This field is filled in by the application wit the exception of the
+LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
+lwres_gabn_*() and lwres_gnba_*() calls.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>serial</constant></term>
+<listitem>
+<para>
+is set by the requestor and is returned in all replies. If two or more
+packets from the same source have the same serial number and are from
+the same source, they are assumed to be duplicates and the latter ones
+may be dropped.
+This field must be set by the application.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>opcode</constant></term>
+<listitem>
+<para>
+indicates the operation.
+Opcodes between 0x00000000 and 0x03ffffff are
+reserved for use by the lightweight resolver library. Opcodes between
+0x04000000 and 0xffffffff are application defined.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>result</constant></term>
+<listitem>
+<para>
+is only valid for replies.
+Results between 0x04000000 and 0xffffffff are application defined.
+Results between 0x00000000 and 0x03ffffff are reserved for library use.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>recvlength</constant></term>
+<listitem>
+<para>
+is the maximum buffer size that the receiver can handle on requests
+and the size of the buffer needed to satisfy a request when the buffer
+is too large for replies.
+This field is supplied by the application.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>authtype</constant></term>
+<listitem>
+<para>
+defines the packet level authentication that is used.
+Authorisation types between 0x1000 and 0xffff are application defined
+and types between 0x0000 and 0x0fff are reserved for library use.
+Currently these are not used and must be zero.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>authlen</constant></term>
+<listitem>
+<para>
+gives the length of the authentication data.
+Since packet authentication is currently not used, this must be zero.
+</para></listitem></varlistentry>
+</variablelist>
+</para>
+<para>
+The following opcodes are currently defined:
+<variablelist>
+<varlistentry><term><constant>NOOP</constant></term>
+<listitem>
+<para>
+Success is always returned and the packet contents are echoed.
+The lwres_noop_*() functions should be used for this type.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>GETADDRSBYNAME</constant></term>
+<listitem>
+<para>
+returns all known addresses for a given name.
+The lwres_gabn_*() functions should be used for this type.
+</para></listitem></varlistentry>
+<varlistentry><term><constant>GETNAMEBYADDR</constant></term>
+<listitem>
+<para>
+return the hostname for the given address.
+The lwres_gnba_*() functions should be used for this type.
+</para></listitem></varlistentry>
+</variablelist>
+</para>
+
+<para>
+<function>lwres_lwpacket_renderheader()</function> transfers the
+contents of lightweight resolver packet structure
+<type>lwres_lwpacket_t</type> <parameter>*pkt</parameter> in network
+byte order to the lightweight resolver buffer,
+<parameter>*b</parameter>.
+</para>
+
+<para>
+<function>lwres_lwpacket_parseheader()</function> performs the
+converse operation. It transfers data in network byte order from
+buffer <parameter>*b</parameter> to resolver packet
+<parameter>*pkt</parameter>. The contents of the buffer
+<parameter>b</parameter> should correspond to a
+<type>lwres_lwpacket_t</type>.
+</para>
+
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para> Successful calls to
+<function>lwres_lwpacket_renderheader()</function> and
+<function>lwres_lwpacket_parseheader()</function> return
+<errorcode>LWRES_R_SUCCESS</errorcode>. If there is insufficient
+space to copy data between the buffer <parameter>*b</parameter> and
+lightweight resolver packet <parameter>*pkt</parameter> both functions
+return <errorcode>LWRES_R_UNEXPECTEDEND</errorcode>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_packet.html b/contrib/bind9/lib/lwres/man/lwres_packet.html
new file mode 100644
index 0000000..cb61e0a
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_packet.html
@@ -0,0 +1,362 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_packet.html,v 1.8.2.1.4.2 2004/08/22 23:39:05 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_packet</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_packet</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_lwpacket_renderheader, lwres_lwpacket_parseheader&nbsp;--&nbsp;lightweight resolver packet handling functions</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN12"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN13"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwpacket.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_lwpacket_renderheader</CODE
+>(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_lwpacket_parseheader</CODE
+>(lwres_buffer_t *b, lwres_lwpacket_t *pkt);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN25"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+>These functions rely on a
+<SPAN
+CLASS="TYPE"
+>struct lwres_lwpacket</SPAN
+>
+which is defined in
+<TT
+CLASS="FILENAME"
+>lwres/lwpacket.h</TT
+>.
+
+<PRE
+CLASS="PROGRAMLISTING"
+>typedef struct lwres_lwpacket lwres_lwpacket_t;
+
+struct lwres_lwpacket {
+ lwres_uint32_t length;
+ lwres_uint16_t version;
+ lwres_uint16_t pktflags;
+ lwres_uint32_t serial;
+ lwres_uint32_t opcode;
+ lwres_uint32_t result;
+ lwres_uint32_t recvlength;
+ lwres_uint16_t authtype;
+ lwres_uint16_t authlength;
+};</PRE
+></P
+><P
+>The elements of this structure are:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>length</CODE
+></DT
+><DD
+><P
+>the overall packet length, including the entire packet header.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>version</CODE
+></DT
+><DD
+><P
+>the header format. There is currently only one format,
+<SPAN
+CLASS="TYPE"
+>LWRES_LWPACKETVERSION_0</SPAN
+>.
+
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>pktflags</CODE
+></DT
+><DD
+><P
+>library-defined flags for this packet: for instance whether the packet
+is a request or a reply. Flag values can be set, but not defined by
+the caller.
+This field is filled in by the application wit the exception of the
+LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library in the
+lwres_gabn_*() and lwres_gnba_*() calls.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>serial</CODE
+></DT
+><DD
+><P
+>is set by the requestor and is returned in all replies. If two or more
+packets from the same source have the same serial number and are from
+the same source, they are assumed to be duplicates and the latter ones
+may be dropped.
+This field must be set by the application.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>opcode</CODE
+></DT
+><DD
+><P
+>indicates the operation.
+Opcodes between 0x00000000 and 0x03ffffff are
+reserved for use by the lightweight resolver library. Opcodes between
+0x04000000 and 0xffffffff are application defined.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>result</CODE
+></DT
+><DD
+><P
+>is only valid for replies.
+Results between 0x04000000 and 0xffffffff are application defined.
+Results between 0x00000000 and 0x03ffffff are reserved for library use.
+This field is filled in by the lwres_gabn_*() and lwres_gnba_*()
+calls.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>recvlength</CODE
+></DT
+><DD
+><P
+>is the maximum buffer size that the receiver can handle on requests
+and the size of the buffer needed to satisfy a request when the buffer
+is too large for replies.
+This field is supplied by the application.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>authtype</CODE
+></DT
+><DD
+><P
+>defines the packet level authentication that is used.
+Authorisation types between 0x1000 and 0xffff are application defined
+and types between 0x0000 and 0x0fff are reserved for library use.
+Currently these are not used and must be zero.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>authlen</CODE
+></DT
+><DD
+><P
+>gives the length of the authentication data.
+Since packet authentication is currently not used, this must be zero.</P
+></DD
+></DL
+></DIV
+></P
+><P
+>The following opcodes are currently defined:
+<P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+><CODE
+CLASS="CONSTANT"
+>NOOP</CODE
+></DT
+><DD
+><P
+>Success is always returned and the packet contents are echoed.
+The lwres_noop_*() functions should be used for this type.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>GETADDRSBYNAME</CODE
+></DT
+><DD
+><P
+>returns all known addresses for a given name.
+The lwres_gabn_*() functions should be used for this type.</P
+></DD
+><DT
+><CODE
+CLASS="CONSTANT"
+>GETNAMEBYADDR</CODE
+></DT
+><DD
+><P
+>return the hostname for the given address.
+The lwres_gnba_*() functions should be used for this type.</P
+></DD
+></DL
+></DIV
+></P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_lwpacket_renderheader()</CODE
+> transfers the
+contents of lightweight resolver packet structure
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+> <VAR
+CLASS="PARAMETER"
+>*pkt</VAR
+> in network
+byte order to the lightweight resolver buffer,
+<VAR
+CLASS="PARAMETER"
+>*b</VAR
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_lwpacket_parseheader()</CODE
+> performs the
+converse operation. It transfers data in network byte order from
+buffer <VAR
+CLASS="PARAMETER"
+>*b</VAR
+> to resolver packet
+<VAR
+CLASS="PARAMETER"
+>*pkt</VAR
+>. The contents of the buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+> should correspond to a
+<SPAN
+CLASS="TYPE"
+>lwres_lwpacket_t</SPAN
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN107"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+> Successful calls to
+<CODE
+CLASS="FUNCTION"
+>lwres_lwpacket_renderheader()</CODE
+> and
+<CODE
+CLASS="FUNCTION"
+>lwres_lwpacket_parseheader()</CODE
+> return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>. If there is insufficient
+space to copy data between the buffer <VAR
+CLASS="PARAMETER"
+>*b</VAR
+> and
+lightweight resolver packet <VAR
+CLASS="PARAMETER"
+>*pkt</VAR
+> both functions
+return <SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.3 b/contrib/bind9/lib/lwres/man/lwres_resutil.3
new file mode 100644
index 0000000..d73122d
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.3
@@ -0,0 +1,153 @@
+.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: lwres_resutil.3,v 1.14.2.1.8.1 2004/03/06 07:41:44 marka Exp $
+.\"
+.TH "LWRES_RESUTIL" "3" "Jun 30, 2000" "BIND9" ""
+.SH NAME
+lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr \- lightweight resolver utility functions
+.SH SYNOPSIS
+\fB#include <lwres/lwres.h>
+.sp
+.na
+lwres_result_t
+lwres_string_parse(lwres_buffer_t *b, char **c, lwres_uint16_t *len);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_addr_parse(lwres_buffer_t *b, lwres_addr_t *addr);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_getaddrsbyname(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);
+.ad
+.sp
+.na
+lwres_result_t
+lwres_getnamebyaddr(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);
+.ad
+\fR
+.SH "DESCRIPTION"
+.PP
+\fBlwres_string_parse()\fR retrieves a DNS-encoded
+string starting the current pointer of lightweight resolver buffer
+\fIb\fR: i.e. b->current.
+When the function returns, the address of the first byte of the
+encoded string is returned via \fI*c\fR and the
+length of that string is given by \fI*len\fR. The
+buffer's current pointer is advanced to point at the character
+following the string length, the encoded string, and the trailing
+\fBNULL\fR character.
+.PP
+\fBlwres_addr_parse()\fR extracts an address from the
+buffer \fIb\fR. The buffer's current pointer
+b->current is presumed to point at an encoded
+address: the address preceded by a 32-bit protocol family identifier
+and a 16-bit length field. The encoded address is copied to
+addr->address and
+addr->length indicates the size in bytes of
+the address that was copied. b->current is
+advanced to point at the next byte of available data in the buffer
+following the encoded address.
+.PP
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR
+use the
+\fBlwres_gnbaresponse_t\fR
+structure defined below:
+.sp
+.nf
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;
+.sp
+.fi
+The contents of this structure are not manipulated directly but
+they are controlled through the
+\fBlwres_gabn\fR(3)
+functions.
+.PP
+The lightweight resolver uses
+\fBlwres_getaddrsbyname()\fR to perform foward lookups.
+Hostname \fIname\fR is looked up using the resolver
+context \fIctx\fR for memory allocation.
+\fIaddrtypes\fR is a bitmask indicating which type of
+addresses are to be looked up. Current values for this bitmask are
+\fBLWRES_ADDRTYPE_V4\fR for IPv4 addresses and
+\fBLWRES_ADDRTYPE_V6\fR for IPv6 addresses. Results of the
+lookup are returned in \fI*structp\fR.
+.PP
+\fBlwres_getnamebyaddr()\fR performs reverse lookups.
+Resolver context \fIctx\fR is used for memory
+allocation. The address type is indicated by
+\fIaddrtype\fR: \fBLWRES_ADDRTYPE_V4\fR or
+\fBLWRES_ADDRTYPE_V6\fR. The address to be looked up is given
+by \fIaddr\fR and its length is
+\fIaddrlen\fR bytes. The result of the function call
+is made available through \fI*structp\fR.
+.SH "RETURN VALUES"
+.PP
+Successful calls to
+\fBlwres_string_parse()\fR
+and
+\fBlwres_addr_parse()\fR
+return
+LWRES_R_SUCCESS.
+Both functions return
+LWRES_R_FAILURE
+if the buffer is corrupt or
+LWRES_R_UNEXPECTEDEND
+if the buffer has less space than expected for the components of the
+encoded string or address.
+.PP
+\fBlwres_getaddrsbyname()\fR
+returns
+LWRES_R_SUCCESS
+on success and it returns
+LWRES_R_NOTFOUND
+if the hostname
+\fIname\fR
+could not be found.
+.PP
+LWRES_R_SUCCESS
+is returned by a successful call to
+\fBlwres_getnamebyaddr()\fR.
+.PP
+Both
+\fBlwres_getaddrsbyname()\fR
+and
+\fBlwres_getnamebyaddr()\fR
+return
+LWRES_R_NOMEMORY
+when memory allocation requests fail and
+LWRES_R_UNEXPECTEDEND
+if the buffers used for sending queries and receiving replies are too
+small.
+.SH "SEE ALSO"
+.PP
+\fBlwres_buffer\fR(3),
+\fBlwres_gabn\fR(3).
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.docbook b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
new file mode 100644
index 0000000..e5f891f
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.docbook
@@ -0,0 +1,221 @@
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_resutil.docbook,v 1.5.206.1 2004/03/06 08:15:42 marka Exp $ -->
+
+<refentry>
+
+<refentryinfo>
+<date>Jun 30, 2000</date>
+</refentryinfo>
+
+<refmeta>
+ <refentrytitle>lwres_resutil</refentrytitle>
+ <manvolnum>3</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+</refmeta>
+
+<refnamediv>
+<refname>lwres_string_parse</refname>
+<refname>lwres_addr_parse</refname>
+<refname>lwres_getaddrsbyname</refname>
+<refname>lwres_getnamebyaddr</refname>
+<refpurpose>lightweight resolver utility functions</refpurpose>
+</refnamediv>
+<refsynopsisdiv>
+<funcsynopsis>
+<funcsynopsisinfo>#include &lt;lwres/lwres.h&gt;</funcsynopsisinfo>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_string_parse</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>char **c</paramdef>
+<paramdef>lwres_uint16_t *len</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_addr_parse</function></funcdef>
+<paramdef>lwres_buffer_t *b</paramdef>
+<paramdef>lwres_addr_t *addr</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_getaddrsbyname</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>const char *name</paramdef>
+<paramdef>lwres_uint32_t addrtypes</paramdef>
+<paramdef>lwres_gabnresponse_t **structp</paramdef>
+</funcprototype>
+<funcprototype>
+<funcdef>
+lwres_result_t
+<function>lwres_getnamebyaddr</function></funcdef>
+<paramdef>lwres_context_t *ctx</paramdef>
+<paramdef>lwres_uint32_t addrtype</paramdef>
+<paramdef>lwres_uint16_t addrlen</paramdef>
+<paramdef>const unsigned char *addr</paramdef>
+<paramdef>lwres_gnbaresponse_t **structp</paramdef>
+</funcprototype>
+</funcsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+<title>DESCRIPTION</title>
+
+<para>
+<function>lwres_string_parse()</function> retrieves a DNS-encoded
+string starting the current pointer of lightweight resolver buffer
+<parameter>b</parameter>: i.e. <constant>b-&gt;current</constant>.
+When the function returns, the address of the first byte of the
+encoded string is returned via <parameter>*c</parameter> and the
+length of that string is given by <parameter>*len</parameter>. The
+buffer's current pointer is advanced to point at the character
+following the string length, the encoded string, and the trailing
+<type>NULL</type> character.
+</para>
+
+<para>
+<function>lwres_addr_parse()</function> extracts an address from the
+buffer <parameter>b</parameter>. The buffer's current pointer
+<constant>b-&gt;current</constant> is presumed to point at an encoded
+address: the address preceded by a 32-bit protocol family identifier
+and a 16-bit length field. The encoded address is copied to
+<constant>addr-&gt;address</constant> and
+<constant>addr-&gt;length</constant> indicates the size in bytes of
+the address that was copied. <constant>b-&gt;current</constant> is
+advanced to point at the next byte of available data in the buffer
+following the encoded address.
+</para>
+
+<para>
+<function>lwres_getaddrsbyname()</function>
+and
+<function>lwres_getnamebyaddr()</function>
+use the
+<type>lwres_gnbaresponse_t</type>
+structure defined below:
+<programlisting>
+typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;
+</programlisting>
+The contents of this structure are not manipulated directly but
+they are controlled through the
+<citerefentry>
+<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3
+</manvolnum>
+</citerefentry>
+functions.
+</para>
+
+<para>
+The lightweight resolver uses
+<function>lwres_getaddrsbyname()</function> to perform foward lookups.
+Hostname <parameter>name</parameter> is looked up using the resolver
+context <parameter>ctx</parameter> for memory allocation.
+<parameter>addrtypes</parameter> is a bitmask indicating which type of
+addresses are to be looked up. Current values for this bitmask are
+<type>LWRES_ADDRTYPE_V4</type> for IPv4 addresses and
+<type>LWRES_ADDRTYPE_V6</type> for IPv6 addresses. Results of the
+lookup are returned in <parameter>*structp</parameter>.
+</para>
+
+<para>
+<function>lwres_getnamebyaddr()</function> performs reverse lookups.
+Resolver context <parameter>ctx</parameter> is used for memory
+allocation. The address type is indicated by
+<parameter>addrtype</parameter>: <type>LWRES_ADDRTYPE_V4</type> or
+<type>LWRES_ADDRTYPE_V6</type>. The address to be looked up is given
+by <parameter>addr</parameter> and its length is
+<parameter>addrlen</parameter> bytes. The result of the function call
+is made available through <parameter>*structp</parameter>.
+</para>
+</refsect1>
+
+<refsect1>
+<title>RETURN VALUES</title>
+<para>
+Successful calls to
+<function>lwres_string_parse()</function>
+and
+<function>lwres_addr_parse()</function>
+return
+<errorcode>LWRES_R_SUCCESS.</errorcode>
+Both functions return
+<errorcode>LWRES_R_FAILURE</errorcode>
+if the buffer is corrupt or
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+if the buffer has less space than expected for the components of the
+encoded string or address.
+</para>
+<para>
+<function>lwres_getaddrsbyname()</function>
+returns
+<errorcode>LWRES_R_SUCCESS</errorcode>
+on success and it returns
+<errorcode>LWRES_R_NOTFOUND</errorcode>
+if the hostname
+<parameter>name</parameter>
+could not be found.
+</para>
+<para>
+<errorcode>LWRES_R_SUCCESS</errorcode>
+is returned by a successful call to
+<function>lwres_getnamebyaddr()</function>.
+</para>
+
+<para>
+Both
+<function>lwres_getaddrsbyname()</function>
+and
+<function>lwres_getnamebyaddr()</function>
+return
+<errorcode>LWRES_R_NOMEMORY</errorcode>
+when memory allocation requests fail and
+<errorcode>LWRES_R_UNEXPECTEDEND</errorcode>
+if the buffers used for sending queries and receiving replies are too
+small.
+</para>
+
+</refsect1>
+<refsect1>
+<title>SEE ALSO</title>
+<para>
+<citerefentry>
+<refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>,
+
+<citerefentry>
+<refentrytitle>lwres_gabn</refentrytitle><manvolnum>3</manvolnum>
+</citerefentry>.
+</para>
+
+</refsect1>
+</refentry>
diff --git a/contrib/bind9/lib/lwres/man/lwres_resutil.html b/contrib/bind9/lib/lwres/man/lwres_resutil.html
new file mode 100644
index 0000000..cc45556
--- /dev/null
+++ b/contrib/bind9/lib/lwres/man/lwres_resutil.html
@@ -0,0 +1,387 @@
+<!--
+ - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: lwres_resutil.html,v 1.8.2.1.4.2 2004/08/22 23:39:05 marka Exp $ -->
+
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<HTML
+><HEAD
+><TITLE
+>lwres_resutil</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+></A
+>lwres_resutil</H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN8"
+></A
+><H2
+>Name</H2
+>lwres_string_parse, lwres_addr_parse, lwres_getaddrsbyname, lwres_getnamebyaddr&nbsp;--&nbsp;lightweight resolver utility functions</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN14"
+></A
+><H2
+>Synopsis</H2
+><DIV
+CLASS="FUNCSYNOPSIS"
+><P
+></P
+><A
+NAME="AEN15"
+></A
+><PRE
+CLASS="FUNCSYNOPSISINFO"
+>#include &lt;lwres/lwres.h&gt;</PRE
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_string_parse</CODE
+>(lwres_buffer_t *b, char **c, lwres_uint16_t *len);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_addr_parse</CODE
+>(lwres_buffer_t *b, lwres_addr_t *addr);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_getaddrsbyname</CODE
+>(lwres_context_t *ctx, const char *name, lwres_uint32_t addrtypes, lwres_gabnresponse_t **structp);</CODE
+></P
+><P
+><CODE
+><CODE
+CLASS="FUNCDEF"
+>lwres_result_t
+lwres_getnamebyaddr</CODE
+>(lwres_context_t *ctx, lwres_uint32_t addrtype, lwres_uint16_t addrlen, const unsigned char *addr, lwres_gnbaresponse_t **structp);</CODE
+></P
+><P
+></P
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN43"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_string_parse()</CODE
+> retrieves a DNS-encoded
+string starting the current pointer of lightweight resolver buffer
+<VAR
+CLASS="PARAMETER"
+>b</VAR
+>: i.e. <CODE
+CLASS="CONSTANT"
+>b-&gt;current</CODE
+>.
+When the function returns, the address of the first byte of the
+encoded string is returned via <VAR
+CLASS="PARAMETER"
+>*c</VAR
+> and the
+length of that string is given by <VAR
+CLASS="PARAMETER"
+>*len</VAR
+>. The
+buffer's current pointer is advanced to point at the character
+following the string length, the encoded string, and the trailing
+<SPAN
+CLASS="TYPE"
+>NULL</SPAN
+> character.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_addr_parse()</CODE
+> extracts an address from the
+buffer <VAR
+CLASS="PARAMETER"
+>b</VAR
+>. The buffer's current pointer
+<CODE
+CLASS="CONSTANT"
+>b-&gt;current</CODE
+> is presumed to point at an encoded
+address: the address preceded by a 32-bit protocol family identifier
+and a 16-bit length field. The encoded address is copied to
+<CODE
+CLASS="CONSTANT"
+>addr-&gt;address</CODE
+> and
+<CODE
+CLASS="CONSTANT"
+>addr-&gt;length</CODE
+> indicates the size in bytes of
+the address that was copied. <CODE
+CLASS="CONSTANT"
+>b-&gt;current</CODE
+> is
+advanced to point at the next byte of available data in the buffer
+following the encoded address.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</CODE
+>
+use the
+<SPAN
+CLASS="TYPE"
+>lwres_gnbaresponse_t</SPAN
+>
+structure defined below:
+<PRE
+CLASS="PROGRAMLISTING"
+>typedef struct {
+ lwres_uint32_t flags;
+ lwres_uint16_t naliases;
+ lwres_uint16_t naddrs;
+ char *realname;
+ char **aliases;
+ lwres_uint16_t realnamelen;
+ lwres_uint16_t *aliaslen;
+ lwres_addrlist_t addrs;
+ void *base;
+ size_t baselen;
+} lwres_gabnresponse_t;</PRE
+>
+The contents of this structure are not manipulated directly but
+they are controlled through the
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>
+functions.</P
+><P
+>The lightweight resolver uses
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+> to perform foward lookups.
+Hostname <VAR
+CLASS="PARAMETER"
+>name</VAR
+> is looked up using the resolver
+context <VAR
+CLASS="PARAMETER"
+>ctx</VAR
+> for memory allocation.
+<VAR
+CLASS="PARAMETER"
+>addrtypes</VAR
+> is a bitmask indicating which type of
+addresses are to be looked up. Current values for this bitmask are
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V4</SPAN
+> for IPv4 addresses and
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V6</SPAN
+> for IPv6 addresses. Results of the
+lookup are returned in <VAR
+CLASS="PARAMETER"
+>*structp</VAR
+>.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</CODE
+> performs reverse lookups.
+Resolver context <VAR
+CLASS="PARAMETER"
+>ctx</VAR
+> is used for memory
+allocation. The address type is indicated by
+<VAR
+CLASS="PARAMETER"
+>addrtype</VAR
+>: <SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V4</SPAN
+> or
+<SPAN
+CLASS="TYPE"
+>LWRES_ADDRTYPE_V6</SPAN
+>. The address to be looked up is given
+by <VAR
+CLASS="PARAMETER"
+>addr</VAR
+> and its length is
+<VAR
+CLASS="PARAMETER"
+>addrlen</VAR
+> bytes. The result of the function call
+is made available through <VAR
+CLASS="PARAMETER"
+>*structp</VAR
+>.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN84"
+></A
+><H2
+>RETURN VALUES</H2
+><P
+>Successful calls to
+<CODE
+CLASS="FUNCTION"
+>lwres_string_parse()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_addr_parse()</CODE
+>
+return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS.</SPAN
+>
+Both functions return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_FAILURE</SPAN
+>
+if the buffer is corrupt or
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+if the buffer has less space than expected for the components of the
+encoded string or address.</P
+><P
+><CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+>
+returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+on success and it returns
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOTFOUND</SPAN
+>
+if the hostname
+<VAR
+CLASS="PARAMETER"
+>name</VAR
+>
+could not be found.</P
+><P
+><SPAN
+CLASS="ERRORCODE"
+>LWRES_R_SUCCESS</SPAN
+>
+is returned by a successful call to
+<CODE
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</CODE
+>.</P
+><P
+>Both
+<CODE
+CLASS="FUNCTION"
+>lwres_getaddrsbyname()</CODE
+>
+and
+<CODE
+CLASS="FUNCTION"
+>lwres_getnamebyaddr()</CODE
+>
+return
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_NOMEMORY</SPAN
+>
+when memory allocation requests fail and
+<SPAN
+CLASS="ERRORCODE"
+>LWRES_R_UNEXPECTEDEND</SPAN
+>
+if the buffers used for sending queries and receiving replies are too
+small.</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN105"
+></A
+><H2
+>SEE ALSO</H2
+><P
+><SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_buffer</SPAN
+>(3)</SPAN
+>,
+
+<SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>lwres_gabn</SPAN
+>(3)</SPAN
+>.</P
+></DIV
+></BODY
+></HTML
+>
diff --git a/contrib/bind9/lib/lwres/print.c b/contrib/bind9/lib/lwres/print.c
new file mode 100644
index 0000000..13d273d
--- /dev/null
+++ b/contrib/bind9/lib/lwres/print.c
@@ -0,0 +1,553 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: print.c,v 1.2.4.1 2004/08/28 06:25:25 marka Exp $ */
+
+#include <config.h>
+
+#include <ctype.h>
+#include <stdio.h> /* for sprintf */
+
+#define LWRES__PRINT_SOURCE /* Used to get the lwres_print_* prototypes. */
+
+#include <stdlib.h>
+
+#include "assert_p.h"
+#include "print_p.h"
+
+int
+lwres__print_sprintf(char *str, const char *format, ...) {
+ va_list ap;
+
+ va_start(ap, format);
+ vsprintf(str, format, ap);
+ va_end(ap);
+ return (strlen(str));
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+lwres__print_snprintf(char *str, size_t size, const char *format, ...) {
+ va_list ap;
+ int ret;
+
+ va_start(ap, format);
+ ret = vsnprintf(str, size, format, ap);
+ va_end(ap);
+ return (ret);
+
+}
+
+/*
+ * Return length of string that would have been written if not truncated.
+ */
+
+int
+lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
+ int h;
+ int l;
+ int q;
+ int alt;
+ int zero;
+ int left;
+ int plus;
+ int space;
+ int neg;
+ long long tmpi;
+ unsigned long long tmpui;
+ unsigned long width;
+ unsigned long precision;
+ unsigned int length;
+ char buf[1024];
+ char c;
+ void *v;
+ char *save = str;
+ const char *cp;
+ const char *head;
+ int count = 0;
+ int pad;
+ int zeropad;
+ int dot;
+ double dbl;
+#ifdef HAVE_LONG_DOUBLE
+ long double ldbl;
+#endif
+ char fmt[32];
+
+ INSIST(str != NULL);
+ INSIST(format != NULL);
+
+ while (*format != '\0') {
+ if (*format != '%') {
+ if (size > 1) {
+ *str++ = *format;
+ size--;
+ }
+ count++;
+ format++;
+ continue;
+ }
+ format++;
+
+ /*
+ * Reset flags.
+ */
+ dot = neg = space = plus = left = zero = alt = h = l = q = 0;
+ width = precision = 0;
+ head = "";
+ length = pad = zeropad = 0;
+
+ do {
+ if (*format == '#') {
+ alt = 1;
+ format++;
+ } else if (*format == '-') {
+ left = 1;
+ zero = 0;
+ format++;
+ } else if (*format == ' ') {
+ if (!plus)
+ space = 1;
+ format++;
+ } else if (*format == '+') {
+ plus = 1;
+ space = 0;
+ format++;
+ } else if (*format == '0') {
+ if (!left)
+ zero = 1;
+ format++;
+ } else
+ break;
+ } while (1);
+
+ /*
+ * Width.
+ */
+ if (*format == '*') {
+ width = va_arg(ap, int);
+ format++;
+ } else if (isdigit((unsigned char)*format)) {
+ char *e;
+ width = strtoul(format, &e, 10);
+ format = e;
+ }
+
+ /*
+ * Precision.
+ */
+ if (*format == '.') {
+ format++;
+ dot = 1;
+ if (*format == '*') {
+ precision = va_arg(ap, int);
+ format++;
+ } else if (isdigit((unsigned char)*format)) {
+ char *e;
+ precision = strtoul(format, &e, 10);
+ format = e;
+ }
+ }
+
+ switch (*format) {
+ case '\0':
+ continue;
+ case '%':
+ if (size > 1) {
+ *str++ = *format;
+ size--;
+ }
+ count++;
+ break;
+ case 'q':
+ q = 1;
+ format++;
+ goto doint;
+ case 'h':
+ h = 1;
+ format++;
+ goto doint;
+ case 'l':
+ l = 1;
+ format++;
+ if (*format == 'l') {
+ q = 1;
+ format++;
+ }
+ goto doint;
+ case 'n':
+ case 'i':
+ case 'd':
+ case 'o':
+ case 'u':
+ case 'x':
+ case 'X':
+ doint:
+ if (precision != 0)
+ zero = 0;
+ switch (*format) {
+ case 'n':
+ if (h) {
+ short int *p;
+ p = va_arg(ap, short *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ } else if (l) {
+ long int *p;
+ p = va_arg(ap, long *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ } else {
+ int *p;
+ p = va_arg(ap, int *);
+ REQUIRE(p != NULL);
+ *p = str - save;
+ }
+ break;
+ case 'i':
+ case 'd':
+ if (q)
+ tmpi = va_arg(ap, long long int);
+ else if (l)
+ tmpi = va_arg(ap, long int);
+ else
+ tmpi = va_arg(ap, int);
+ if (tmpi < 0) {
+ head = "-";
+ tmpui = -tmpi;
+ } else {
+ if (plus)
+ head = "+";
+ else if (space)
+ head = " ";
+ else
+ head = "";
+ tmpui = tmpi;
+ }
+ sprintf(buf, "%llu",
+ tmpui);
+ goto printint;
+ case 'o':
+ if (q)
+ tmpui = va_arg(ap,
+ unsigned long long int);
+ else if (l)
+ tmpui = va_arg(ap, long int);
+ else
+ tmpui = va_arg(ap, int);
+ sprintf(buf,
+ alt ? "%#llo" : "%llo", tmpui);
+ goto printint;
+ case 'u':
+ if (q)
+ tmpui = va_arg(ap,
+ unsigned long long int);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ sprintf(buf, "%llu", tmpui);
+ goto printint;
+ case 'x':
+ if (q)
+ tmpui = va_arg(ap,
+ unsigned long long int);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ if (alt) {
+ head = "0x";
+ if (precision > 2)
+ precision -= 2;
+ }
+ sprintf(buf, "%llx", tmpui);
+ goto printint;
+ case 'X':
+ if (q)
+ tmpui = va_arg(ap,
+ unsigned long long int);
+ else if (l)
+ tmpui = va_arg(ap, unsigned long int);
+ else
+ tmpui = va_arg(ap, unsigned int);
+ if (alt) {
+ head = "0X";
+ if (precision > 2)
+ precision -= 2;
+ }
+ sprintf(buf, "%llX", tmpui);
+ goto printint;
+ printint:
+ if (precision != 0 || width != 0) {
+ length = strlen(buf);
+ if (length < precision)
+ zeropad = precision - length;
+ else if (length < width && zero)
+ zeropad = width - length;
+ if (width != 0) {
+ pad = width - length -
+ zeropad - strlen(head);
+ if (pad < 0)
+ pad = 0;
+ }
+ }
+ count += strlen(head) + strlen(buf) + pad +
+ zeropad;
+ if (!left) {
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ }
+ cp = head;
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (zeropad > 0 && size > 1) {
+ *str++ = '0';
+ size--;
+ zeropad--;
+ }
+ cp = buf;
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ default:
+ break;
+ }
+ break;
+ case 's':
+ cp = va_arg(ap, char *);
+ REQUIRE(cp != NULL);
+
+ if (precision != 0) {
+ /*
+ * cp need not be NULL terminated.
+ */
+ const char *tp;
+ unsigned long n;
+
+ n = precision;
+ tp = cp;
+ while (n != 0 && *tp != '\0')
+ n--, tp++;
+ length = precision - n;
+ } else {
+ length = strlen(cp);
+ }
+ if (width != 0) {
+ pad = width - length;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += pad + length;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ if (precision != 0)
+ while (precision > 0 && *cp != '\0' &&
+ size > 1) {
+ *str++ = *cp++;
+ size--;
+ precision--;
+ }
+ else
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ case 'c':
+ c = va_arg(ap, int);
+ if (width > 0) {
+ count += width;
+ width--;
+ if (left) {
+ *str++ = c;
+ size--;
+ }
+ while (width-- > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ }
+ if (!left && size > 1) {
+ *str++ = c;
+ size--;
+ }
+ } else {
+ count++;
+ if (size > 1) {
+ *str++ = c;
+ size--;
+ }
+ }
+ break;
+ case 'p':
+ v = va_arg(ap, void *);
+ sprintf(buf, "%p", v);
+ length = strlen(buf);
+ if (precision > length)
+ zeropad = precision - length;
+ if (width > 0) {
+ pad = width - length - zeropad;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += length + pad + zeropad;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ cp = buf;
+ if (zeropad > 0 && buf[0] == '0' &&
+ (buf[1] == 'x' || buf[1] == 'X')) {
+ if (size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ if (size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (zeropad > 0 && size > 1) {
+ *str++ = '0';
+ size--;
+ zeropad--;
+ }
+ }
+ while (*cp != '\0' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ case 'D': /*deprecated*/
+ INSIST("use %ld instead of %D" == NULL);
+ case 'O': /*deprecated*/
+ INSIST("use %lo instead of %O" == NULL);
+ case 'U': /*deprecated*/
+ INSIST("use %lu instead of %U" == NULL);
+
+ case 'L':
+#ifdef HAVE_LONG_DOUBLE
+ l = 1;
+#else
+ INSIST("long doubles are not supported" == NULL);
+#endif
+ /*FALLTHROUGH*/
+ case 'e':
+ case 'E':
+ case 'f':
+ case 'g':
+ case 'G':
+ if (!dot)
+ precision = 6;
+ /*
+ * IEEE floating point.
+ * MIN 2.2250738585072014E-308
+ * MAX 1.7976931348623157E+308
+ * VAX floating point has a smaller range than IEEE.
+ *
+ * precisions > 324 don't make much sense.
+ * if we cap the precision at 512 we will not
+ * overflow buf.
+ */
+ if (precision > 512)
+ precision = 512;
+ sprintf(fmt, "%%%s%s.%lu%s%c", alt ? "#" : "",
+ plus ? "+" : space ? " " : "",
+ precision, l ? "L" : "", *format);
+ switch (*format) {
+ case 'e':
+ case 'E':
+ case 'f':
+ case 'g':
+ case 'G':
+#ifdef HAVE_LONG_DOUBLE
+ if (l) {
+ ldbl = va_arg(ap, long double);
+ sprintf(buf, fmt, ldbl);
+ } else
+#endif
+ {
+ dbl = va_arg(ap, double);
+ sprintf(buf, fmt, dbl);
+ }
+ length = strlen(buf);
+ if (width > 0) {
+ pad = width - length;
+ if (pad < 0)
+ pad = 0;
+ }
+ count += length + pad;
+ if (!left)
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ cp = buf;
+ while (*cp != ' ' && size > 1) {
+ *str++ = *cp++;
+ size--;
+ }
+ while (pad > 0 && size > 1) {
+ *str++ = ' ';
+ size--;
+ pad--;
+ }
+ break;
+ default:
+ continue;
+ }
+ break;
+ default:
+ continue;
+ }
+ format++;
+ }
+ if (size > 0)
+ *str = '\0';
+ return (count);
+}
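Review bot: In `lwres__print_vsnprintf`, the left-justified `%c` branch (`if (left) { *str++ = c; size--; }`) is the one store in the function that is not guarded by `size > 1`. With a `size` of 0 or 1 it writes past the space the caller provided, and decrementing a `size_t` of 0 wraps it, which turns every later `size > 1` check into a no-op; `if (left && size > 1) {` would match the other branches. The floating-point branch copies `buf` with `while (*cp != ' ' && size > 1)`, whereas every other copy loop stops at `'\0'`; as written it appears to read past the terminator of `buf` until a space byte or the size limit is reached, so `*cp != '\0'` is presumably what was meant. The "cap the precision at 512" comment argues only from the IEEE double range, so with `HAVE_LONG_DOUBLE` the unbounded `sprintf(buf, fmt, ldbl)` into the 1024-byte `buf` deserves a second look for large `%Lf` values.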
diff --git a/contrib/bind9/lib/lwres/print_p.h b/contrib/bind9/lib/lwres/print_p.h
new file mode 100644
index 0000000..4e27e55
--- /dev/null
+++ b/contrib/bind9/lib/lwres/print_p.h
@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1999-2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: print_p.h,v 1.2.4.1 2004/08/28 06:25:25 marka Exp $ */
+
+#ifndef LWRES_PRINT_P_H
+#define LWRES_PRINT_P_H 1
+
+/***
+ *** Imports
+ ***/
+
+#include <lwres/lang.h>
+#include <lwres/platform.h>
+
+/*
+ * This block allows lib/lwres/print.c to be cleanly compiled even if
+ * the platform does not need it. The standard Makefile will still
+ * not compile print.c or archive print.o, so this is just to make test
+ * compilation ("make print.o") easier.
+ */
+#if !defined(LWRES_PLATFORM_NEEDVSNPRINTF) && defined(LWRES__PRINT_SOURCE)
+#define LWRES_PLATFORM_NEEDVSNPRINTF
+#endif
+
+#if !defined(LWRES_PLATFORM_NEEDSPRINTF) && defined(LWRES__PRINT_SOURCE)
+#define LWRES_PLATFORM_NEEDSPRINTF
+#endif
+
+/***
+ *** Macros.
+ ***/
+
+#ifdef __GNUC__
+#define LWRES_FORMAT_PRINTF(fmt, args) \
+ __attribute__((__format__(__printf__, fmt, args)))
+#else
+#define LWRES_FORMAT_PRINTF(fmt, args)
+#endif
+
+/***
+ *** Functions
+ ***/
+
+#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
+#include <stdarg.h>
+#include <stddef.h>
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+#ifdef LWRES_PLATFORM_NEEDVSNPRINTF
+int
+lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap)
+ LWRES_FORMAT_PRINTF(3, 0);
+#define vsnprintf lwres__print_vsnprintf
+
+int
+lwres__print_snprintf(char *str, size_t size, const char *format, ...)
+ LWRES_FORMAT_PRINTF(3, 4);
+#define snprintf lwres__print_snprintf
+#endif /* LWRES_PLATFORM_NEEDVSNPRINTF */
+
+#ifdef LWRES_PLATFORM_NEEDSPRINTF
+int
+lwres__print_sprintf(char *str, const char *format, ...) LWRES_FORMAT_PRINTF(2, 3);
+#define sprintf lwres__print_sprintf
+#endif
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_PRINT_P_H */
diff --git a/contrib/bind9/lib/lwres/unix/Makefile.in b/contrib/bind9/lib/lwres/unix/Makefile.in
new file mode 100644
index 0000000..b734bc1
--- /dev/null
+++ b/contrib/bind9/lib/lwres/unix/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = include
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/Makefile.in b/contrib/bind9/lib/lwres/unix/include/Makefile.in
new file mode 100644
index 0000000..8f3798e
--- /dev/null
+++ b/contrib/bind9/lib/lwres/unix/include/Makefile.in
@@ -0,0 +1,25 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS = lwres
+TARGETS =
+
+@BIND9_MAKE_RULES@
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
new file mode 100644
index 0000000..e969f50
--- /dev/null
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/Makefile.in
@@ -0,0 +1,34 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.1.206.1 2004/03/06 08:15:43 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+HEADERS = net.h
+SUBDIRS =
+TARGETS =
+
+@BIND9_MAKE_RULES@
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${includedir}/lwres
+
+install:: installdirs
+ for i in ${HEADERS}; do \
+ ${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres ; \
+ done
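Review bot: The `install::` loop hides a failed `${INSTALL_DATA}` for any header but the last, because the recipe's exit status is that of the final loop iteration. With `HEADERS = net.h` this cannot trigger today, but it would let a partial header install pass silently once the list grows. Appending a failure exit to the command, `${INSTALL_DATA} $(srcdir)/$$i ${DESTDIR}${includedir}/lwres || exit 1 ; \`, makes the recipe stop at the first error.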
diff --git a/contrib/bind9/lib/lwres/unix/include/lwres/net.h b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
new file mode 100644
index 0000000..b214de6
--- /dev/null
+++ b/contrib/bind9/lib/lwres/unix/include/lwres/net.h
@@ -0,0 +1,130 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2002 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: net.h,v 1.3.12.3 2004/03/08 09:05:12 marka Exp $ */
+
+#ifndef LWRES_NET_H
+#define LWRES_NET_H 1
+
+/*****
+ ***** Module Info
+ *****/
+
+/*
+ * Basic Networking Types
+ *
+ * This module is responsible for defining the following basic networking
+ * types:
+ *
+ * struct in_addr
+ * struct in6_addr
+ * struct sockaddr
+ * struct sockaddr_in
+ * struct sockaddr_in6
+ *
+ * It ensures that the AF_ and PF_ macros are defined.
+ *
+ * It declares ntoh[sl]() and hton[sl]().
+ *
+ * It declares lwres_net_aton(), lwres_net_ntop(), and lwres_net_pton().
+ *
+ * It ensures that INADDR_LOOPBACK, INADDR_ANY and IN6ADDR_ANY_INIT
+ * are defined.
+ */
+
+/***
+ *** Imports.
+ ***/
+
+#include <lwres/platform.h> /* Required for LWRES_PLATFORM_*. */
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/socket.h> /* Contractual promise. */
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <netinet/in.h> /* Contractual promise. */
+#include <arpa/inet.h> /* Contractual promise. */
+#ifdef LWRES_PLATFORM_NEEDNETINETIN6H
+#include <netinet/in6.h> /* Required on UnixWare. */
+#endif
+#ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
+#include <netinet6/in6.h> /* Required on BSD/OS for in6_pktinfo. */
+#endif
+#include <net/if.h>
+
+#include <lwres/lang.h>
+
+#ifndef LWRES_PLATFORM_HAVEIPV6
+#include <lwres/ipv6.h> /* Contractual promise. */
+#endif
+
+#ifdef LWRES_PLATFORM_HAVEINADDR6
+#define in6_addr in_addr6 /* Required for pre RFC2133 implementations. */
+#endif
+
+/*
+ * Required for some pre RFC2133 implementations.
+ * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
+ * If 's6_addr' is defined then assume that there is a union and three
+ * levels otherwise assume two levels required.
+ */
+#ifndef IN6ADDR_ANY_INIT
+#ifdef s6_addr
+#define IN6ADDR_ANY_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } } }
+#else
+#define IN6ADDR_ANY_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 } }
+#endif
+#endif
+
+#ifndef IN6ADDR_LOOPBACK_INIT
+#ifdef s6_addr
+#define IN6ADDR_LOOPBACK_INIT { { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } } }
+#else
+#define IN6ADDR_LOOPBACK_INIT { { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 } }
+#endif
+#endif
+
+#ifndef AF_INET6
+#define AF_INET6 99
+#endif
+
+#ifndef PF_INET6
+#define PF_INET6 AF_INET6
+#endif
+
+#ifndef INADDR_LOOPBACK
+#define INADDR_LOOPBACK 0x7f000001UL
+#endif
+
+LWRES_LANG_BEGINDECLS
+
+const char *
+lwres_net_ntop(int af, const void *src, char *dst, size_t size);
+
+int
+lwres_net_pton(int af, const char *src, void *dst);
+
+int
+lwres_net_aton(const char *cp, struct in_addr *addr);
+
+LWRES_LANG_ENDDECLS
+
+#endif /* LWRES_NET_H */
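Review bot: The fallback `#define AF_INET6 99` carries no comment saying where 99 comes from or what the value may be used for, and `PF_INET6` inherits it. It looks like a placeholder that only lets IPv6-aware code compile on hosts whose system headers lack the constant; if that is the intent, a comment should say so, for example `/* Placeholder for hosts without IPv6 headers; not a family the kernel recognises. */`. Without it a reader could assume the value is meaningful to `socket()` or can be compared with a family received from another host.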
diff --git a/contrib/bind9/lib/lwres/version.c b/contrib/bind9/lib/lwres/version.c
new file mode 100644
index 0000000..ac3e6c8
--- /dev/null
+++ b/contrib/bind9/lib/lwres/version.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: version.c,v 1.6.12.3 2004/03/08 09:05:11 marka Exp $ */
+
+#include <lwres/version.h>
+
+const char lwres_version[] = VERSION;
+
+const unsigned int lwres_libinterface = LIBINTERFACE;
+const unsigned int lwres_librevision = LIBREVISION;
+const unsigned int lwres_libage = LIBAGE;
diff --git a/contrib/bind9/libtool.m4 b/contrib/bind9/libtool.m4
new file mode 100644
index 0000000..bbcc5f2
--- /dev/null
+++ b/contrib/bind9/libtool.m4
@@ -0,0 +1,5943 @@
+# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
+## Copyright 1996, 1997, 1998, 1999, 2000, 2001
+## Free Software Foundation, Inc.
+## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 2 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful, but
+## WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+## General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program; if not, write to the Free Software
+## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+##
+## As a special exception to the GNU General Public License, if you
+## distribute this file as part of a program that contains a
+## configuration script generated by Autoconf, you may include it under
+## the same distribution terms that you use for the rest of that program.
+
+# serial 47 AC_PROG_LIBTOOL
+
+
+# AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
+# -----------------------------------------------------------
+# If this macro is not defined by Autoconf, define it here.
+m4_ifdef([AC_PROVIDE_IFELSE],
+ [],
+ [m4_define([AC_PROVIDE_IFELSE],
+ [m4_ifdef([AC_PROVIDE_$1],
+ [$2], [$3])])])
+
+
+# AC_PROG_LIBTOOL
+# ---------------
+AC_DEFUN([AC_PROG_LIBTOOL],
+[AC_REQUIRE([_AC_PROG_LIBTOOL])dnl
+dnl If AC_PROG_CXX has already been expanded, run AC_LIBTOOL_CXX
+dnl immediately, otherwise, hook it in at the end of AC_PROG_CXX.
+ AC_PROVIDE_IFELSE([AC_PROG_CXX],
+ [AC_LIBTOOL_CXX],
+ [define([AC_PROG_CXX], defn([AC_PROG_CXX])[AC_LIBTOOL_CXX
+ ])])
+dnl And a similar setup for Fortran 77 support
+ AC_PROVIDE_IFELSE([AC_PROG_F77],
+ [AC_LIBTOOL_F77],
+ [define([AC_PROG_F77], defn([AC_PROG_F77])[AC_LIBTOOL_F77
+])])
+
+dnl Quote A][M_PROG_GCJ so that aclocal doesn't bring it in needlessly.
+dnl If either AC_PROG_GCJ or A][M_PROG_GCJ have already been expanded, run
+dnl AC_LIBTOOL_GCJ immediately, otherwise, hook it in at the end of both.
+ AC_PROVIDE_IFELSE([AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],
+ [AC_LIBTOOL_GCJ],
+ [ifdef([AC_PROG_GCJ],
+ [define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([A][M_PROG_GCJ],
+ [define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[AC_LIBTOOL_GCJ])])
+ ifdef([LT_AC_PROG_GCJ],
+ [define([LT_AC_PROG_GCJ],
+ defn([LT_AC_PROG_GCJ])[AC_LIBTOOL_GCJ])])])])
+])])# AC_PROG_LIBTOOL
+
+
+# _AC_PROG_LIBTOOL
+# ----------------
+AC_DEFUN([_AC_PROG_LIBTOOL],
+[AC_REQUIRE([AC_LIBTOOL_SETUP])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_CXX])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_F77])dnl
+AC_BEFORE([$0],[AC_LIBTOOL_GCJ])dnl
+
+# This can be used to rebuild libtool when needed
+LIBTOOL_DEPS="$ac_aux_dir/ltmain.sh"
+
+# Always use our own libtool.
+LIBTOOL='$(SHELL) $(top_builddir)/libtool'
+AC_SUBST(LIBTOOL)dnl
+
+# Prevent multiple expansion
+define([AC_PROG_LIBTOOL], [])
+])# _AC_PROG_LIBTOOL
+
+
+# AC_LIBTOOL_SETUP
+# ----------------
+AC_DEFUN([AC_LIBTOOL_SETUP],
+[AC_PREREQ(2.50)dnl
+AC_REQUIRE([AC_ENABLE_SHARED])dnl
+AC_REQUIRE([AC_ENABLE_STATIC])dnl
+AC_REQUIRE([AC_ENABLE_FAST_INSTALL])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_PROG_LD])dnl
+AC_REQUIRE([AC_PROG_LD_RELOAD_FLAG])dnl
+AC_REQUIRE([AC_PROG_NM])dnl
+
+AC_REQUIRE([AC_PROG_LN_S])dnl
+AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
+# Autoconf 2.13's AC_OBJEXT and AC_EXEEXT macros only works for C compilers!
+AC_REQUIRE([AC_OBJEXT])dnl
+AC_REQUIRE([AC_EXEEXT])dnl
+dnl
+
+AC_LIBTOOL_SYS_MAX_CMD_LEN
+AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+AC_LIBTOOL_OBJDIR
+
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+_LT_AC_PROG_ECHO_BACKSLASH
+
+case $host_os in
+aix3*)
+ # AIX sometimes has problems with the GCC collect2 program. For some
+ # reason, if we set the COLLECT_NAMES environment variable, the problems
+ # vanish in a puff of smoke.
+ if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+ fi
+ ;;
+esac
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='sed -e s/^X//'
+[sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
+
+# Same as above, but do not quote variable references.
+[double_quote_subst='s/\([\\"\\`\\\\]\)/\\\1/g']
+
+# Sed substitution to delay expansion of an escaped shell variable in a
+# double_quote_subst'ed string.
+delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g'
+
+# Sed substitution to avoid accidental globbing in evaled expressions
+no_glob_subst='s/\*/\\\*/g'
+
+# Constants:
+rm="rm -f"
+
+# Global variables:
+default_ofile=libtool
+can_build_shared=yes
+
+# All known linkers require a `.a' archive for static linking (except M$VC,
+# which needs '.lib').
+libext=a
+ltmain="$ac_aux_dir/ltmain.sh"
+ofile="$default_ofile"
+with_gnu_ld="$lt_cv_prog_gnu_ld"
+
+AC_CHECK_TOOL(AR, ar, false)
+AC_CHECK_TOOL(RANLIB, ranlib, :)
+AC_CHECK_TOOL(STRIP, strip, :)
+
+old_CC="$CC"
+old_CFLAGS="$CFLAGS"
+
+# Set sane defaults for various variables
+test -z "$AR" && AR=ar
+test -z "$AR_FLAGS" && AR_FLAGS=cru
+test -z "$AS" && AS=as
+test -z "$CC" && CC=cc
+test -z "$LTCC" && LTCC=$CC
+test -z "$DLLTOOL" && DLLTOOL=dlltool
+test -z "$LD" && LD=ld
+test -z "$LN_S" && LN_S="ln -s"
+test -z "$MAGIC_CMD" && MAGIC_CMD=file
+test -z "$NM" && NM=nm
+test -z "$SED" && SED=sed
+test -z "$OBJDUMP" && OBJDUMP=objdump
+test -z "$RANLIB" && RANLIB=:
+test -z "$STRIP" && STRIP=:
+test -z "$ac_objext" && ac_objext=o
+
+# Determine commands to create old-style static archives.
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_postinstall_cmds='chmod 644 $oldlib'
+old_postuninstall_cmds=
+
+if test -n "$RANLIB"; then
+ case $host_os in
+ openbsd*)
+ old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+ ;;
+ *)
+ old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+ ;;
+ esac
+ old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
+fi
+
+# Only perform the check for file, if the check method requires it
+case $deplibs_check_method in
+file_magic*)
+ if test "$file_magic_cmd" = '$MAGIC_CMD'; then
+ AC_PATH_MAGIC
+ fi
+ ;;
+esac
+
+AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+enable_win32_dll=yes, enable_win32_dll=no)
+
+AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+AC_ARG_WITH([pic],
+ [AC_HELP_STRING([--with-pic],
+ [try to use only PIC/non-PIC objects @<:@default=use both@:>@])],
+ [pic_mode="$withval"],
+ [pic_mode=default])
+test -z "$pic_mode" && pic_mode=default
+
+# Use C for the default configuration in the libtool script
+tagname=
+AC_LIBTOOL_LANG_C_CONFIG
+_LT_AC_TAGCONFIG
+])# AC_LIBTOOL_SETUP
+
+
+# _LT_AC_SYS_COMPILER
+# -------------------
+AC_DEFUN([_LT_AC_SYS_COMPILER],
+[AC_REQUIRE([AC_PROG_CC])dnl
+
+# If no C compiler was specified, use CC.
+LTCC=${LTCC-"$CC"}
+
+# Allow CC to be a program name with arguments.
+compiler=$CC
+])# _LT_AC_SYS_COMPILER
+
+
+# _LT_AC_SYS_LIBPATH_AIX
+# ----------------------
+# Links a minimal program and checks the executable
+# for the system default hardcoded library path. In most cases,
+# this is /usr/lib:/lib, but when the MPI compilers are used
+# the location of the communication and MPI libs are included too.
+# If we don't find anything, use the default library path according
+# to the aix ld manual.
+AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
+[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`
+# Check for a 64-bit object if we didn't find anything.
+if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0 *\(.*\)$/\1/; p; }
+}'`; fi],[])
+if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
+])# _LT_AC_SYS_LIBPATH_AIX
+
+
+# _LT_AC_SHELL_INIT(ARG)
+# ----------------------
+AC_DEFUN([_LT_AC_SHELL_INIT],
+[ifdef([AC_DIVERSION_NOTICE],
+ [AC_DIVERT_PUSH(AC_DIVERSION_NOTICE)],
+ [AC_DIVERT_PUSH(NOTICE)])
+$1
+AC_DIVERT_POP
+])# _LT_AC_SHELL_INIT
+
+
+# _LT_AC_PROG_ECHO_BACKSLASH
+# --------------------------
+# Add some code to the start of the generated configure script which
+# will find an echo command which doesn't interpret backslashes.
+AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH],
+[_LT_AC_SHELL_INIT([
+# Check that we are running under the correct shell.
+SHELL=${CONFIG_SHELL-/bin/sh}
+
+case X$ECHO in
+X*--fallback-echo)
+ # Remove one level of quotation (which was required for Make).
+ ECHO=`echo "$ECHO" | sed 's,\\\\\[$]\\[$]0,'[$]0','`
+ ;;
+esac
+
+echo=${ECHO-echo}
+if test "X[$]1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X[$]1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t' ; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell.
+ exec $SHELL "[$]0" --no-reexec ${1+"[$]@"}
+fi
+
+if test "X[$]1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+[$]*
+EOF
+ exit 0
+fi
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+if test -z "$ECHO"; then
+if test "X${echo_test_string+set}" != Xset; then
+# find a string as large as possible, as long as the shell can cope with it
+ for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
+ # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
+ if (echo_test_string="`eval $cmd`") 2>/dev/null &&
+ echo_test_string="`eval $cmd`" &&
+ (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
+ then
+ break
+ fi
+ done
+fi
+
+if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ :
+else
+ # The Solaris, AIX, and Digital Unix default echo programs unquote
+ # backslashes. This makes it impossible to quote backslashes using
+ # echo "$something" | sed 's/\\/\\\\/g'
+ #
+ # So, first we look for a working echo in the user's PATH.
+
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for dir in $PATH /usr/ucb; do
+ IFS="$lt_save_ifs"
+ if (test -f $dir/echo || test -f $dir/echo$ac_exeext) &&
+ test "X`($dir/echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($dir/echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$dir/echo"
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ if test "X$echo" = Xecho; then
+ # We didn't find a better echo, so look for alternatives.
+ if test "X`(print -r '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`(print -r "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # This shell has a builtin print -r that does the trick.
+ echo='print -r'
+ elif (test -f /bin/ksh || test -f /bin/ksh$ac_exeext) &&
+ test "X$CONFIG_SHELL" != X/bin/ksh; then
+ # If we have ksh, try running configure again with it.
+ ORIGINAL_CONFIG_SHELL=${CONFIG_SHELL-/bin/sh}
+ export ORIGINAL_CONFIG_SHELL
+ CONFIG_SHELL=/bin/ksh
+ export CONFIG_SHELL
+ exec $CONFIG_SHELL "[$]0" --no-reexec ${1+"[$]@"}
+ else
+ # Try using printf.
+ echo='printf %s\n'
+ if test "X`($echo '\t') 2>/dev/null`" = 'X\t' &&
+ echo_testing_string=`($echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ # Cool, printf works
+ :
+ elif echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($ORIGINAL_CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ CONFIG_SHELL=$ORIGINAL_CONFIG_SHELL
+ export CONFIG_SHELL
+ SHELL="$CONFIG_SHELL"
+ export SHELL
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ elif echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo '\t') 2>/dev/null` &&
+ test "X$echo_testing_string" = 'X\t' &&
+ echo_testing_string=`($CONFIG_SHELL "[$]0" --fallback-echo "$echo_test_string") 2>/dev/null` &&
+ test "X$echo_testing_string" = "X$echo_test_string"; then
+ echo="$CONFIG_SHELL [$]0 --fallback-echo"
+ else
+ # maybe with a smaller string...
+ prev=:
+
+ for cmd in 'echo test' 'sed 2q "[$]0"' 'sed 10q "[$]0"' 'sed 20q "[$]0"' 'sed 50q "[$]0"'; do
+ if (test "X$echo_test_string" = "X`eval $cmd`") 2>/dev/null
+ then
+ break
+ fi
+ prev="$cmd"
+ done
+
+ if test "$prev" != 'sed 50q "[$]0"'; then
+ echo_test_string=`eval $prev`
+ export echo_test_string
+ exec ${ORIGINAL_CONFIG_SHELL-${CONFIG_SHELL-/bin/sh}} "[$]0" ${1+"[$]@"}
+ else
+ # Oops. We lost completely, so just stick with echo.
+ echo=echo
+ fi
+ fi
+ fi
+ fi
+fi
+fi
+
+# Copy echo and quote the copy suitably for passing to libtool from
+# the Makefile, instead of quoting the original, which is used later.
+ECHO=$echo
+if test "X$ECHO" = "X$CONFIG_SHELL [$]0 --fallback-echo"; then
+ ECHO="$CONFIG_SHELL \\\$\[$]0 --fallback-echo"
+fi
+
+AC_SUBST(ECHO)
+])])# _LT_AC_PROG_ECHO_BACKSLASH
+
+
+# _LT_AC_LOCK
+# -----------
+AC_DEFUN([_LT_AC_LOCK],
+[AC_ARG_ENABLE([libtool-lock],
+ [AC_HELP_STRING([--disable-libtool-lock],
+ [avoid locking (might break parallel builds)])])
+test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes
+
+# Some flags need to be propagated to the compiler or linker for good
+# libtool support.
+case $host in
+ia64-*-hpux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *ELF-32*)
+ HPUX_IA64_MODE="32"
+ ;;
+ *ELF-64*)
+ HPUX_IA64_MODE="64"
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+*-*-irix6*)
+ # Find out which ABI we are using.
+ echo '[#]line __oline__ "configure"' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -melf32bsmip"
+ ;;
+ *N32*)
+ LD="${LD-ld} -melf32bmipn32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -melf64bmip"
+ ;;
+ esac
+ else
+ case `/usr/bin/file conftest.$ac_objext` in
+ *32-bit*)
+ LD="${LD-ld} -32"
+ ;;
+ *N32*)
+ LD="${LD-ld} -n32"
+ ;;
+ *64-bit*)
+ LD="${LD-ld} -64"
+ ;;
+ esac
+ fi
+ fi
+ rm -rf conftest*
+ ;;
+
+x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+ # Find out which ABI we are using.
+ echo 'int i;' > conftest.$ac_ext
+ if AC_TRY_EVAL(ac_compile); then
+ case "`/usr/bin/file conftest.o`" in
+ *32-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_i386"
+ ;;
+ ppc64-*linux*|powerpc64-*linux*)
+ LD="${LD-ld} -m elf32ppclinux"
+ ;;
+ s390x-*linux*)
+ LD="${LD-ld} -m elf_s390"
+ ;;
+ sparc64-*linux*)
+ LD="${LD-ld} -m elf32_sparc"
+ ;;
+ esac
+ ;;
+ *64-bit*)
+ case $host in
+ x86_64-*linux*)
+ LD="${LD-ld} -m elf_x86_64"
+ ;;
+ ppc*-*linux*|powerpc*-*linux*)
+ LD="${LD-ld} -m elf64ppc"
+ ;;
+ s390*-*linux*)
+ LD="${LD-ld} -m elf64_s390"
+ ;;
+ sparc*-*linux*)
+ LD="${LD-ld} -m elf64_sparc"
+ ;;
+ esac
+ ;;
+ esac
+ fi
+ rm -rf conftest*
+ ;;
+
+*-*-sco3.2v5*)
+ # On SCO OpenServer 5, we need -belf to get full-featured binaries.
+ SAVE_CFLAGS="$CFLAGS"
+ CFLAGS="$CFLAGS -belf"
+ AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf,
+ [AC_LANG_PUSH(C)
+ AC_TRY_LINK([],[],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no])
+ AC_LANG_POP])
+ if test x"$lt_cv_cc_needs_belf" != x"yes"; then
+ # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf
+ CFLAGS="$SAVE_CFLAGS"
+ fi
+ ;;
+AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
+[*-*-cygwin* | *-*-mingw* | *-*-pw32*)
+ AC_CHECK_TOOL(DLLTOOL, dlltool, false)
+ AC_CHECK_TOOL(AS, as, false)
+ AC_CHECK_TOOL(OBJDUMP, objdump, false)
+ ;;
+ ])
+esac
+
+need_locks="$enable_libtool_lock"
+
+])# _LT_AC_LOCK
+
+
+# AC_LIBTOOL_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE])
+# ----------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
+[AC_REQUIRE([LT_AC_PROG_SED])
+AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+ lt_compiler_flag="$3"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ # The option is referenced via a variable to avoid confusing sed.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>conftest.err)
+ ac_status=$?
+ cat conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s "$ac_outfile"; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s conftest.err; then
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$5], , :, [$5])
+else
+ ifelse([$6], , :, [$6])
+fi
+])# AC_LIBTOOL_COMPILER_OPTION
+
+
+# AC_LIBTOOL_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS,
+# [ACTION-SUCCESS], [ACTION-FAILURE])
+# ------------------------------------------------------------
+# Check whether the given compiler option works
+AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
+[AC_CACHE_CHECK([$1], [$2],
+ [$2=no
+ save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $3"
+ printf "$lt_simple_link_test_code" > conftest.$ac_ext
+ if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test -s conftest.err; then
+ # Append any errors to the config.log.
+ cat conftest.err 1>&AS_MESSAGE_LOG_FD
+ else
+ $2=yes
+ fi
+ fi
+ $rm conftest*
+ LDFLAGS="$save_LDFLAGS"
+])
+
+if test x"[$]$2" = xyes; then
+ ifelse([$4], , :, [$4])
+else
+ ifelse([$5], , :, [$5])
+fi
+])# AC_LIBTOOL_LINKER_OPTION
+
+
+# AC_LIBTOOL_SYS_MAX_CMD_LEN
+# --------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN],
+[# find the maximum length of command line arguments
+AC_MSG_CHECKING([the maximum length of command line arguments])
+AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
+ i=0
+ testring="ABCD"
+
+ case $build_os in
+ msdosdjgpp*)
+ # On DJGPP, this test can blow up pretty badly due to problems in libc
+ # (any single argument exceeding 2000 bytes causes a buffer overrun
+ # during glob expansion). Even if it were fixed, the result of this
+ # check would be larger than it should be.
+ lt_cv_sys_max_cmd_len=12288; # 12K is about right
+ ;;
+
+ gnu*)
+ # Under GNU Hurd, this test is not required because there is
+ # no limit to the length of command line arguments.
+ # Libtool will interpret -1 as no limit whatsoever
+ lt_cv_sys_max_cmd_len=-1;
+ ;;
+
+ cygwin* | mingw*)
+ # On Win9x/ME, this test blows up -- it succeeds, but takes
+ # about 5 minutes as the teststring grows exponentially.
+ # Worse, since 9x/ME are not pre-emptively multitasking,
+ # you end up with a "frozen" computer, even though with patience
+ # the test eventually succeeds (with a max line length of 256k).
+ # Instead, let's just punt: use the minimum linelength reported by
+ # all of the supported platforms: 8192 (on NT/2K/XP).
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ amigaos*)
+ # On AmigaOS with pdksh, this test takes hours, literally.
+ # So we just punt and use a minimum line length of 8192.
+ lt_cv_sys_max_cmd_len=8192;
+ ;;
+
+ *)
+ # If test is not a shell built-in, we'll probably end up computing a
+ # maximum length that is only half of the actual maximum length, but
+ # we can't tell.
+ while (test "X"`$CONFIG_SHELL [$]0 --fallback-echo "X$testring" 2>/dev/null` \
+ = "XX$testring") >/dev/null 2>&1 &&
+ new_result=`expr "X$testring" : ".*" 2>&1` &&
+ lt_cv_sys_max_cmd_len=$new_result &&
+ test $i != 17 # 1/2 MB should be enough
+ do
+ i=`expr $i + 1`
+ testring=$testring$testring
+ done
+ testring=
+ # Add a significant safety factor because C++ compilers can tack on massive
+ # amounts of additional arguments before passing them to the linker.
+ # It appears as though 1/2 is a usable value.
+ lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+ ;;
+ esac
+])
+if test -n $lt_cv_sys_max_cmd_len ; then
+ AC_MSG_RESULT($lt_cv_sys_max_cmd_len)
+else
+ AC_MSG_RESULT(none)
+fi
+])# AC_LIBTOOL_SYS_MAX_CMD_LEN
+
+
+# _LT_AC_CHECK_DLFCN
+# --------------------
+AC_DEFUN([_LT_AC_CHECK_DLFCN],
+[AC_CHECK_HEADERS(dlfcn.h)dnl
+])# _LT_AC_CHECK_DLFCN
+
+
+# _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
+# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
+# ------------------------------------------------------------------
+AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "$cross_compiling" = yes; then :
+ [$4]
+else
+ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
+ lt_status=$lt_dlunknown
+ cat > conftest.$ac_ext <<EOF
+[#line __oline__ "configure"
+#include "confdefs.h"
+
+#if HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+
+#include <stdio.h>
+
+#ifdef RTLD_GLOBAL
+# define LT_DLGLOBAL RTLD_GLOBAL
+#else
+# ifdef DL_GLOBAL
+# define LT_DLGLOBAL DL_GLOBAL
+# else
+# define LT_DLGLOBAL 0
+# endif
+#endif
+
+/* We may have to define LT_DLLAZY_OR_NOW in the command line if we
+ find out it does not work in some platform. */
+#ifndef LT_DLLAZY_OR_NOW
+# ifdef RTLD_LAZY
+# define LT_DLLAZY_OR_NOW RTLD_LAZY
+# else
+# ifdef DL_LAZY
+# define LT_DLLAZY_OR_NOW DL_LAZY
+# else
+# ifdef RTLD_NOW
+# define LT_DLLAZY_OR_NOW RTLD_NOW
+# else
+# ifdef DL_NOW
+# define LT_DLLAZY_OR_NOW DL_NOW
+# else
+# define LT_DLLAZY_OR_NOW 0
+# endif
+# endif
+# endif
+# endif
+#endif
+
+#ifdef __cplusplus
+extern "C" void exit (int);
+#endif
+
+void fnord() { int i=42;}
+int main ()
+{
+ void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW);
+ int status = $lt_dlunknown;
+
+ if (self)
+ {
+ if (dlsym (self,"fnord")) status = $lt_dlno_uscore;
+ else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
+ /* dlclose (self); */
+ }
+
+ exit (status);
+}]
+EOF
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
+ (./conftest; exit; ) 2>/dev/null
+ lt_status=$?
+ case x$lt_status in
+ x$lt_dlno_uscore) $1 ;;
+ x$lt_dlneed_uscore) $2 ;;
+ x$lt_unknown|x*) $3 ;;
+ esac
+ else :
+ # compilation failed
+ $3
+ fi
+fi
+rm -fr conftest*
+])# _LT_AC_TRY_DLOPEN_SELF
+
+
+# AC_LIBTOOL_DLOPEN_SELF
+# -------------------
+AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
+[AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
+if test "x$enable_dlopen" != xyes; then
+ enable_dlopen=unknown
+ enable_dlopen_self=unknown
+ enable_dlopen_self_static=unknown
+else
+ lt_cv_dlopen=no
+ lt_cv_dlopen_libs=
+
+ case $host_os in
+ beos*)
+ lt_cv_dlopen="load_add_on"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ;;
+
+ mingw* | pw32*)
+ lt_cv_dlopen="LoadLibrary"
+ lt_cv_dlopen_libs=
+ ;;
+
+ cygwin*)
+ lt_cv_dlopen="dlopen"
+ lt_cv_dlopen_libs=
+ ;;
+
+ darwin*)
+ # if libdl is installed we need to link against it
+ AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[
+ lt_cv_dlopen="dyld"
+ lt_cv_dlopen_libs=
+ lt_cv_dlopen_self=yes
+ ])
+ ;;
+
+ *)
+ AC_CHECK_FUNC([shl_load],
+ [lt_cv_dlopen="shl_load"],
+ [AC_CHECK_LIB([dld], [shl_load],
+ [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
+ [AC_CHECK_FUNC([dlopen],
+ [lt_cv_dlopen="dlopen"],
+ [AC_CHECK_LIB([dl], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],
+ [AC_CHECK_LIB([svld], [dlopen],
+ [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
+ [AC_CHECK_LIB([dld], [dld_link],
+ [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
+ ])
+ ])
+ ])
+ ])
+ ])
+ ;;
+ esac
+
+ if test "x$lt_cv_dlopen" != xno; then
+ enable_dlopen=yes
+ else
+ enable_dlopen=no
+ fi
+
+ case $lt_cv_dlopen in
+ dlopen)
+ save_CPPFLAGS="$CPPFLAGS"
+ test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
+
+ save_LDFLAGS="$LDFLAGS"
+ eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+
+ save_LIBS="$LIBS"
+ LIBS="$lt_cv_dlopen_libs $LIBS"
+
+ AC_CACHE_CHECK([whether a program can dlopen itself],
+ lt_cv_dlopen_self, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes,
+ lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross)
+ ])
+
+ if test "x$lt_cv_dlopen_self" = xyes; then
+ LDFLAGS="$LDFLAGS $link_static_flag"
+ AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
+ lt_cv_dlopen_self_static, [dnl
+ _LT_AC_TRY_DLOPEN_SELF(
+ lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes,
+ lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross)
+ ])
+ fi
+
+ CPPFLAGS="$save_CPPFLAGS"
+ LDFLAGS="$save_LDFLAGS"
+ LIBS="$save_LIBS"
+ ;;
+ esac
+
+ case $lt_cv_dlopen_self in
+ yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;;
+ *) enable_dlopen_self=unknown ;;
+ esac
+
+ case $lt_cv_dlopen_self_static in
+ yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;;
+ *) enable_dlopen_self_static=unknown ;;
+ esac
+fi
+])# AC_LIBTOOL_DLOPEN_SELF
+
+
+# AC_LIBTOOL_PROG_CC_C_O([TAGNAME])
+# ---------------------------------
+# Check to see if options -c and -o are simultaneously supported by compiler
+AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
+ [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
+ $rm -r conftest 2>/dev/null
+ mkdir conftest
+ cd conftest
+ mkdir out
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ lt_compiler_flag="-o out/conftest2.$ac_objext"
+ # Insert the option either (1) after the last *FLAGS variable, or
+ # (2) before a word containing "conftest.", or (3) at the end.
+ # Note that $ac_compile itself does not contain backslashes and begins
+ # with a dollar sign (not a hyphen), so the echo should work correctly.
+ lt_compile=`echo "$ac_compile" | $SED \
+ -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+ -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
+ -e 's:$: $lt_compiler_flag:'`
+ (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
+ (eval "$lt_compile" 2>out/conftest.err)
+ ac_status=$?
+ cat out/conftest.err >&AS_MESSAGE_LOG_FD
+ echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
+ if (exit $ac_status) && test -s out/conftest2.$ac_objext
+ then
+ # The compiler can only warn and ignore the option if not recognized
+ # So say no if there are warnings
+ if test ! -s out/conftest.err; then
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+ fi
+ fi
+ chmod u+w .
+ $rm conftest*
+ # SGI C++ compiler will create directory out/ii_files/ for
+ # template instantiation
+ test -d out/ii_files && $rm out/ii_files/* && rmdir out/ii_files
+ $rm out/* && rmdir out
+ cd ..
+ rmdir conftest
+ $rm conftest*
+])
+])# AC_LIBTOOL_PROG_CC_C_O
+
+
+# AC_LIBTOOL_SYS_HARD_LINK_LOCKS([TAGNAME])
+# -----------------------------------------
+# Check to see if we can do hard links to lock some files if needed
+AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS],
+[AC_REQUIRE([_LT_AC_LOCK])dnl
+
+hard_links="nottested"
+if test "$_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then
+ # do not overwrite the value of need_locks provided by the user
+ AC_MSG_CHECKING([if we can lock with hard links])
+ hard_links=yes
+ $rm conftest*
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ touch conftest.a
+ ln conftest.a conftest.b 2>&5 || hard_links=no
+ ln conftest.a conftest.b 2>/dev/null && hard_links=no
+ AC_MSG_RESULT([$hard_links])
+ if test "$hard_links" = no; then
+ AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe])
+ need_locks=warn
+ fi
+else
+ need_locks=no
+fi
+])# AC_LIBTOOL_SYS_HARD_LINK_LOCKS
+
+
+# AC_LIBTOOL_OBJDIR
+# -----------------
+AC_DEFUN([AC_LIBTOOL_OBJDIR],
+[AC_CACHE_CHECK([for objdir], [lt_cv_objdir],
+[rm -f .libs 2>/dev/null
+mkdir .libs 2>/dev/null
+if test -d .libs; then
+ lt_cv_objdir=.libs
+else
+ # MS-DOS does not allow filenames that begin with a dot.
+ lt_cv_objdir=_libs
+fi
+rmdir .libs 2>/dev/null])
+objdir=$lt_cv_objdir
+])# AC_LIBTOOL_OBJDIR
+
+
+# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH([TAGNAME])
+# ----------------------------------------------
+# Check hardcoding attributes.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH],
+[AC_MSG_CHECKING([how to hardcode library paths into programs])
+_LT_AC_TAGVAR(hardcode_action, $1)=
+if test -n "$_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)" || \
+ test -n "$_LT_AC_TAGVAR(runpath_var $1)" || \
+ test "X$_LT_AC_TAGVAR(hardcode_automatic, $1)"="Xyes" ; then
+
+ # We can hardcode non-existant directories.
+ if test "$_LT_AC_TAGVAR(hardcode_direct, $1)" != no &&
+ # If the only mechanism to avoid hardcoding is shlibpath_var, we
+ # have to relink, otherwise we might link with an installed library
+ # when we should be linking with a yet-to-be-installed one
+ ## test "$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)" != no &&
+ test "$_LT_AC_TAGVAR(hardcode_minus_L, $1)" != no; then
+ # Linking always hardcodes the temporary library directory.
+ _LT_AC_TAGVAR(hardcode_action, $1)=relink
+ else
+ # We can link without hardcoding, and we can hardcode nonexisting dirs.
+ _LT_AC_TAGVAR(hardcode_action, $1)=immediate
+ fi
+else
+ # We cannot hardcode anything, or else we can only hardcode existing
+ # directories.
+ _LT_AC_TAGVAR(hardcode_action, $1)=unsupported
+fi
+AC_MSG_RESULT([$_LT_AC_TAGVAR(hardcode_action, $1)])
+
+if test "$_LT_AC_TAGVAR(hardcode_action, $1)" = relink; then
+ # Fast installation is not supported
+ enable_fast_install=no
+elif test "$shlibpath_overrides_runpath" = yes ||
+ test "$enable_shared" = no; then
+ # Fast installation is not necessary
+ enable_fast_install=needless
+fi
+])# AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH
+
+
+# AC_LIBTOOL_SYS_LIB_STRIP
+# ------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP],
+[striplib=
+old_striplib=
+AC_MSG_CHECKING([whether stripping libraries is possible])
+if test -n "$STRIP" && $STRIP -V 2>&1 | grep "GNU strip" >/dev/null; then
+ test -z "$old_striplib" && old_striplib="$STRIP --strip-debug"
+ test -z "$striplib" && striplib="$STRIP --strip-unneeded"
+ AC_MSG_RESULT([yes])
+else
+# FIXME - insert some real tests, host_os isn't really good enough
+ case $host_os in
+ darwin*)
+ if test -n "$STRIP" ; then
+ striplib="$STRIP -x"
+ AC_MSG_RESULT([yes])
+ else
+ AC_MSG_RESULT([no])
+fi
+ ;;
+ *)
+ AC_MSG_RESULT([no])
+ ;;
+ esac
+fi
+])# AC_LIBTOOL_SYS_LIB_STRIP
+
+
+# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+# -----------------------------
+# PORTME Fill in your ld.so characteristics
+AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
+[AC_MSG_CHECKING([dynamic linker characteristics])
+library_names_spec=
+libname_spec='lib$name'
+soname_spec=
+shrext=".so"
+postinstall_cmds=
+postuninstall_cmds=
+finish_cmds=
+finish_eval=
+shlibpath_var=
+shlibpath_overrides_runpath=unknown
+version_type=none
+dynamic_linker="$host_os ld.so"
+sys_lib_dlsearch_path_spec="/lib /usr/lib"
+if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+ # if the path contains ";" then we assume it to be the separator
+ # otherwise default to the standard path separator (i.e. ":") - it is
+ # assumed that no part of a normal pathname contains ";" but that should
+ # okay in the real world where ";" in dirpaths is itself problematic.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+else
+ sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
+fi
+need_lib_prefix=unknown
+hardcode_into_libs=no
+
+# when you set need_version to no, make sure it does not cause -set_version
+# flags to be left without arguments
+need_version=unknown
+
+case $host_os in
+aix3*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a'
+ shlibpath_var=LIBPATH
+
+ # AIX 3 has no versioning support, so we append a major version to the name.
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+
+aix4* | aix5*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ hardcode_into_libs=yes
+ if test "$host_cpu" = ia64; then
+ # AIX 5 supports IA64
+ library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ else
+ # With GCC up to 2.95.x, collect2 would create an import file
+ # for dependence libraries. The import file would start with
+ # the line `#! .'. This would cause the generated library to
+ # depend on `.', always an invalid library. This was fixed in
+ # development snapshots of GCC prior to 3.0.
+ case $host_os in
+ aix4 | aix4.[[01]] | aix4.[[01]].*)
+ if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)'
+ echo ' yes '
+ echo '#endif'; } | ${CC} -E - | grep yes > /dev/null; then
+ :
+ else
+ can_build_shared=no
+ fi
+ ;;
+ esac
+ # AIX (on Power*) has no versioning support, so currently we can not hardcode correct
+ # soname into executable. Probably we can add versioning support to
+ # collect2, so additional links can be useful in future.
+ if test "$aix_use_runtimelinking" = yes; then
+ # If using run time linking (on AIX 4.2 or later) use lib<name>.so
+ # instead of lib<name>.a to let people know that these are not
+ # typical AIX shared libraries.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ else
+ # We preserve .a as extension for shared libraries through AIX4.2
+ # and later when we are not doing run time linking.
+ library_names_spec='${libname}${release}.a $libname.a'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ fi
+ shlibpath_var=LIBPATH
+ fi
+ ;;
+
+amigaos*)
+ library_names_spec='$libname.ixlibrary $libname.a'
+ # Create ${libname}_ixlibrary.a entries in /sys/libs.
+ finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`$echo "X$lib" | $Xsed -e '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $rm /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done'
+ ;;
+
+beos*)
+ library_names_spec='${libname}${shared_ext}'
+ dynamic_linker="$host_os ld.so"
+ shlibpath_var=LIBRARY_PATH
+ ;;
+
+bsdi4*)
+ version_type=linux
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib"
+ sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib"
+ # the default ld.so.conf also contains /usr/contrib/lib and
+ # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow
+ # libtool to hard-code these into programs
+ ;;
+
+cygwin* | mingw* | pw32*)
+ version_type=windows
+ shrext=".dll"
+ need_version=no
+ need_lib_prefix=no
+
+ case $GCC,$host_os in
+ yes,cygwin* | yes,mingw* | yes,pw32*)
+ library_names_spec='$libname.dll.a'
+ # DLL is installed to $(libdir)/../bin by postinstall_cmds
+ postinstall_cmds='base_file=`basename \${file}`~
+ dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
+ dldir=$destdir/`dirname \$dlpath`~
+ test -d \$dldir || mkdir -p \$dldir~
+ $install_prog $dir/$dlname \$dldir/$dlname'
+ postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
+ dlpath=$dir/\$dldll~
+ $rm \$dlpath'
+ shlibpath_overrides_runpath=yes
+
+ case $host_os in
+ cygwin*)
+ # Cygwin DLLs use 'cyg' prefix rather than 'lib'
+ soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec="/usr/lib /lib/w32api /lib /usr/local/lib"
+ ;;
+ mingw*)
+ # MinGW DLLs use traditional 'lib' prefix
+ soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
+ sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+ if echo "$sys_lib_search_path_spec" | [grep ';[c-zC-Z]:/' >/dev/null]; then
+ # It is most probably a Windows format PATH printed by
+ # mingw gcc, but we are running on Cygwin. Gcc prints its search
+ # path with ; separators, and with drive letters. We can handle the
+ # drive letters (cygwin fileutils understands them), so leave them,
+ # especially as we might pass files found there to a mingw objdump,
+ # which wouldn't understand a cygwinified path. Ahh.
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+ else
+ sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"`
+ fi
+ ;;
+ pw32*)
+ # pw32 DLLs use 'pw' prefix rather than 'lib'
+ library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+ ;;
+ esac
+ ;;
+
+ *)
+ library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib'
+ ;;
+ esac
+ dynamic_linker='Win32 ld.exe'
+ # FIXME: first we should search . and the directory the executable is in
+ shlibpath_var=PATH
+ ;;
+
+darwin* | rhapsody*)
+ dynamic_linker="$host_os dyld"
+ version_type=darwin
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${versuffix}$shared_ext ${libname}${release}${major}$shared_ext ${libname}$shared_ext'
+ soname_spec='${libname}${release}${major}$shared_ext'
+ shlibpath_overrides_runpath=yes
+ shlibpath_var=DYLD_LIBRARY_PATH
+ shrext='$(test .$module = .yes && echo .so || echo .dylib)'
+ # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
+ if test "$GCC" = yes; then
+ sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
+ else
+ sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
+ fi
+ sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
+ ;;
+
+dgux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+freebsd1*)
+ dynamic_linker=no
+ ;;
+
+kfreebsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+freebsd*)
+ objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+ version_type=freebsd-$objformat
+ case $version_type in
+ freebsd-elf*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+ need_version=no
+ need_lib_prefix=no
+ ;;
+ freebsd-*)
+ library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix'
+ need_version=yes
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_os in
+ freebsd2*)
+ shlibpath_overrides_runpath=yes
+ ;;
+ freebsd3.[01]* | freebsdelf3.[01]*)
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+ *) # from 3.2 on
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ ;;
+ esac
+ ;;
+
+gnu*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ hardcode_into_libs=yes
+ ;;
+
+hpux9* | hpux10* | hpux11*)
+ # Give a soname corresponding to the major version so that dld.sl refuses to
+ # link against other versions.
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ case "$host_cpu" in
+ ia64*)
+ shrext='.so'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.so"
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ if test "X$HPUX_IA64_MODE" = X32; then
+ sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib"
+ else
+ sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64"
+ fi
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ hppa*64*)
+ shrext='.sl'
+ hardcode_into_libs=yes
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH
+ shlibpath_overrides_runpath=yes # Unless +noenvvar is specified.
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64"
+ sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec
+ ;;
+ *)
+ shrext='.sl'
+ dynamic_linker="$host_os dld.sl"
+ shlibpath_var=SHLIB_PATH
+ shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ ;;
+ esac
+ # HP-UX runs *really* slowly unless shared libraries are mode 555.
+ postinstall_cmds='chmod 555 $lib'
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $host_os in
+ nonstopux*) version_type=nonstopux ;;
+ *)
+ if test "$lt_cv_prog_gnu_ld" = yes; then
+ version_type=linux
+ else
+ version_type=irix
+ fi ;;
+ esac
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}'
+ case $host_os in
+ irix5* | nonstopux*)
+ libsuff= shlibsuff=
+ ;;
+ *)
+ case $LD in # libtool.m4 will add one of these switches to LD
+ *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ")
+ libsuff= shlibsuff= libmagic=32-bit;;
+ *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ")
+ libsuff=32 shlibsuff=N32 libmagic=N32;;
+ *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ")
+ libsuff=64 shlibsuff=64 libmagic=64-bit;;
+ *) libsuff= shlibsuff= libmagic=never-match;;
+ esac
+ ;;
+ esac
+ shlibpath_var=LD_LIBRARY${shlibsuff}_PATH
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}"
+ sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}"
+ hardcode_into_libs=yes
+ ;;
+
+# No shared lib support for Linux oldld, aout, or coff.
+linux*oldld* | linux*aout* | linux*coff*)
+ dynamic_linker=no
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ # This implies no fast_install, which is unacceptable.
+ # Some rework will be needed to allow for fast_install
+ # before this can be enabled.
+ hardcode_into_libs=yes
+
+ # Append ld.so.conf contents to the search path
+ if test -f /etc/ld.so.conf; then
+ ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf`
+ sys_lib_dlsearch_path_spec="/lib /usr/lib $ld_extra"
+ fi
+
+ # We used to test for /lib/ld.so.1 and disable shared libraries on
+ # powerpc, because MkLinux only supported shared libraries with the
+ # GNU dynamic linker. Since this was broken with cross compilers,
+ # most powerpc-linux boxes support dynamic linking these days and
+ # people can always --disable-shared, the test was removed, and we
+ # assume the GNU/Linux dynamic linker is in use.
+ dynamic_linker='GNU/Linux ld.so'
+ ;;
+
+knetbsd*-gnu)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=no
+ hardcode_into_libs=yes
+ dynamic_linker='GNU ld.so'
+ ;;
+
+netbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=no
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ dynamic_linker='NetBSD (a.out) ld.so'
+ else
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ dynamic_linker='NetBSD ld.elf_so'
+ fi
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ ;;
+
+newsos6)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+nto-qnx*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ ;;
+
+openbsd*)
+ version_type=sunos
+ need_lib_prefix=no
+ need_version=yes
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ case $host_os in
+ openbsd2.[[89]] | openbsd2.[[89]].*)
+ shlibpath_overrides_runpath=no
+ ;;
+ *)
+ shlibpath_overrides_runpath=yes
+ ;;
+ esac
+ else
+ shlibpath_overrides_runpath=yes
+ fi
+ ;;
+
+os2*)
+ libname_spec='$name'
+ shrext=".dll"
+ need_lib_prefix=no
+ library_names_spec='$libname${shared_ext} $libname.a'
+ dynamic_linker='OS/2 ld.exe'
+ shlibpath_var=LIBPATH
+ ;;
+
+osf3* | osf4* | osf5*)
+ version_type=osf
+ need_lib_prefix=no
+ need_version=no
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib"
+ sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
+ ;;
+
+sco3.2v5*)
+ version_type=osf
+ soname_spec='${libname}${release}${shared_ext}$major'
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+solaris*)
+ version_type=linux
+ need_lib_prefix=no
+ need_version=no
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ hardcode_into_libs=yes
+ # ldd complains unless libraries are executable
+ postinstall_cmds='chmod +x $lib'
+ ;;
+
+sunos4*)
+ version_type=sunos
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
+ finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir'
+ shlibpath_var=LD_LIBRARY_PATH
+ shlibpath_overrides_runpath=yes
+ if test "$with_gnu_ld" = yes; then
+ need_lib_prefix=no
+ fi
+ need_version=yes
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ case $host_vendor in
+ sni)
+ shlibpath_overrides_runpath=no
+ need_lib_prefix=no
+ export_dynamic_flag_spec='${wl}-Blargedynsym'
+ runpath_var=LD_RUN_PATH
+ ;;
+ siemens)
+ need_lib_prefix=no
+ ;;
+ motorola)
+ need_lib_prefix=no
+ need_version=no
+ shlibpath_overrides_runpath=no
+ sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib'
+ ;;
+ esac
+ ;;
+
+sysv4*MP*)
+ if test -d /usr/nec ;then
+ version_type=linux
+ library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}'
+ soname_spec='$libname${shared_ext}.$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ fi
+ ;;
+
+uts4*)
+ version_type=linux
+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
+ soname_spec='${libname}${release}${shared_ext}$major'
+ shlibpath_var=LD_LIBRARY_PATH
+ ;;
+
+*)
+ dynamic_linker=no
+ ;;
+esac
+AC_MSG_RESULT([$dynamic_linker])
+test "$dynamic_linker" = no && can_build_shared=no
+])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
+
+
+# _LT_AC_TAGCONFIG
+# ----------------
+AC_DEFUN([_LT_AC_TAGCONFIG],
+[AC_ARG_WITH([tags],
+ [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
+ [include additional configurations @<:@automatic@:>@])],
+ [tagnames="$withval"])
+
+if test -f "$ltmain" && test -n "$tagnames"; then
+ if test ! -f "${ofile}"; then
+ AC_MSG_WARN([output file `$ofile' does not exist])
+ fi
+
+ if test -z "$LTCC"; then
+ eval "`$SHELL ${ofile} --config | grep '^LTCC='`"
+ if test -z "$LTCC"; then
+ AC_MSG_WARN([output file `$ofile' does not look like a libtool script])
+ else
+ AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
+ fi
+ fi
+
+ # Extract list of available tagged configurations in $ofile.
+ # Note that this assumes the entire list is on one line.
+ available_tags=`grep "^available_tags=" "${ofile}" | $SED -e 's/available_tags=\(.*$\)/\1/' -e 's/\"//g'`
+
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for tagname in $tagnames; do
+ IFS="$lt_save_ifs"
+ # Check whether tagname contains only valid characters
+ case `$echo "X$tagname" | $Xsed -e 's:[[-_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890,/]]::g'` in
+ "") ;;
+ *) AC_MSG_ERROR([invalid tag name: $tagname])
+ ;;
+ esac
+
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "${ofile}" > /dev/null
+ then
+ AC_MSG_ERROR([tag name \"$tagname\" already exists])
+ fi
+
+ # Update the list of available tags.
+ if test -n "$tagname"; then
+ echo appending configuration tag \"$tagname\" to $ofile
+
+ case $tagname in
+ CXX)
+ if test -n "$CXX" && test "X$CXX" != "Xno"; then
+ AC_LIBTOOL_LANG_CXX_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ F77)
+ if test -n "$F77" && test "X$F77" != "Xno"; then
+ AC_LIBTOOL_LANG_F77_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ GCJ)
+ if test -n "$GCJ" && test "X$GCJ" != "Xno"; then
+ AC_LIBTOOL_LANG_GCJ_CONFIG
+ else
+ tagname=""
+ fi
+ ;;
+
+ RC)
+ AC_LIBTOOL_LANG_RC_CONFIG
+ ;;
+
+ *)
+ AC_MSG_ERROR([Unsupported tag name: $tagname])
+ ;;
+ esac
+
+ # Append the new tag name to the list of available tags.
+ if test -n "$tagname" ; then
+ available_tags="$available_tags $tagname"
+ fi
+ fi
+ done
+ IFS="$lt_save_ifs"
+
+ # Now substitute the updated list of available tags.
+ if eval "sed -e 's/^available_tags=.*\$/available_tags=\"$available_tags\"/' \"$ofile\" > \"${ofile}T\""; then
+ mv "${ofile}T" "$ofile"
+ chmod +x "$ofile"
+ else
+ rm -f "${ofile}T"
+ AC_MSG_ERROR([unable to update list of available tagged configurations.])
+ fi
+fi
+])# _LT_AC_TAGCONFIG
+
+
+# AC_LIBTOOL_DLOPEN
+# -----------------
+# enable checks for dlopen support
+AC_DEFUN([AC_LIBTOOL_DLOPEN],
+ [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_DLOPEN
+
+
+# AC_LIBTOOL_WIN32_DLL
+# --------------------
+# declare package support for building win32 dll's
+AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
+[AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
+])# AC_LIBTOOL_WIN32_DLL
+
+
+# AC_ENABLE_SHARED([DEFAULT])
+# ---------------------------
+# implement the --enable-shared flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_SHARED],
+[define([AC_ENABLE_SHARED_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([shared],
+ [AC_HELP_STRING([--enable-shared@<:@=PKGS@:>@],
+ [build shared libraries @<:@default=]AC_ENABLE_SHARED_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_shared=yes ;;
+ no) enable_shared=no ;;
+ *)
+ enable_shared=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_shared=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_shared=]AC_ENABLE_SHARED_DEFAULT)
+])# AC_ENABLE_SHARED
+
+
+# AC_DISABLE_SHARED
+# -----------------
+#- set the default shared flag to --disable-shared
+AC_DEFUN([AC_DISABLE_SHARED],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_SHARED(no)
+])# AC_DISABLE_SHARED
+
+
+# AC_ENABLE_STATIC([DEFAULT])
+# ---------------------------
+# implement the --enable-static flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_STATIC],
+[define([AC_ENABLE_STATIC_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([static],
+ [AC_HELP_STRING([--enable-static@<:@=PKGS@:>@],
+ [build static libraries @<:@default=]AC_ENABLE_STATIC_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_static=yes ;;
+ no) enable_static=no ;;
+ *)
+ enable_static=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_static=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_static=]AC_ENABLE_STATIC_DEFAULT)
+])# AC_ENABLE_STATIC
+
+
+# AC_DISABLE_STATIC
+# -----------------
+# set the default static flag to --disable-static
+AC_DEFUN([AC_DISABLE_STATIC],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_STATIC(no)
+])# AC_DISABLE_STATIC
+
+
+# AC_ENABLE_FAST_INSTALL([DEFAULT])
+# ---------------------------------
+# implement the --enable-fast-install flag
+# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'.
+AC_DEFUN([AC_ENABLE_FAST_INSTALL],
+[define([AC_ENABLE_FAST_INSTALL_DEFAULT], ifelse($1, no, no, yes))dnl
+AC_ARG_ENABLE([fast-install],
+ [AC_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@],
+ [optimize for fast installation @<:@default=]AC_ENABLE_FAST_INSTALL_DEFAULT[@:>@])],
+ [p=${PACKAGE-default}
+ case $enableval in
+ yes) enable_fast_install=yes ;;
+ no) enable_fast_install=no ;;
+ *)
+ enable_fast_install=no
+ # Look at the argument we got. We use all the common list separators.
+ lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR,"
+ for pkg in $enableval; do
+ IFS="$lt_save_ifs"
+ if test "X$pkg" = "X$p"; then
+ enable_fast_install=yes
+ fi
+ done
+ IFS="$lt_save_ifs"
+ ;;
+ esac],
+ [enable_fast_install=]AC_ENABLE_FAST_INSTALL_DEFAULT)
+])# AC_ENABLE_FAST_INSTALL
+
+
+# AC_DISABLE_FAST_INSTALL
+# -----------------------
+# set the default to --disable-fast-install
+AC_DEFUN([AC_DISABLE_FAST_INSTALL],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+AC_ENABLE_FAST_INSTALL(no)
+])# AC_DISABLE_FAST_INSTALL
+
+
+# AC_LIBTOOL_PICMODE([MODE])
+# --------------------------
+# implement the --with-pic flag
+# MODE is either `yes' or `no'. If omitted, it defaults to `both'.
+AC_DEFUN([AC_LIBTOOL_PICMODE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+pic_mode=ifelse($#,1,$1,default)
+])# AC_LIBTOOL_PICMODE
+
+
+# AC_PROG_EGREP
+# -------------
+# This is predefined starting with Autoconf 2.54, so this conditional
+# definition can be removed once we require Autoconf 2.54 or later.
+m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
+[AC_CACHE_CHECK([for egrep], [ac_cv_prog_egrep],
+ [if echo a | (grep -E '(a|b)') >/dev/null 2>&1
+ then ac_cv_prog_egrep='grep -E'
+ else ac_cv_prog_egrep='egrep'
+ fi])
+ EGREP=$ac_cv_prog_egrep
+ AC_SUBST([EGREP])
+])])
+
+
+# AC_PATH_TOOL_PREFIX
+# -------------------
+# find a file program which can recognise shared library
+AC_DEFUN([AC_PATH_TOOL_PREFIX],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_MSG_CHECKING([for $1])
+AC_CACHE_VAL(lt_cv_path_MAGIC_CMD,
+[case $MAGIC_CMD in
+[[\\/*] | ?:[\\/]*])
+ lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path.
+ ;;
+*)
+ lt_save_MAGIC_CMD="$MAGIC_CMD"
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+dnl $ac_dummy forces splitting on constant user-supplied paths.
+dnl POSIX.2 word splitting is done only on the output of word expansions,
+dnl not every word. This closes a longstanding sh security hole.
+ ac_dummy="ifelse([$2], , $PATH, [$2])"
+ for ac_dir in $ac_dummy; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f $ac_dir/$1; then
+ lt_cv_path_MAGIC_CMD="$ac_dir/$1"
+ if test -n "$file_magic_test_file"; then
+ case $deplibs_check_method in
+ "file_magic "*)
+ file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+ MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+ if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
+ $EGREP "$file_magic_regex" > /dev/null; then
+ :
+ else
+ cat <<EOF 1>&2
+
+*** Warning: the command libtool uses to detect shared libraries,
+*** $file_magic_cmd, produces output that libtool cannot recognize.
+*** The result is that libtool may fail to recognize shared libraries
+*** as such. This will affect the creation of libtool libraries that
+*** depend on shared libraries, but programs linked with such libtool
+*** libraries will work regardless of this problem. Nevertheless, you
+*** may want to report the problem to your system manager and/or to
+*** bug-libtool@gnu.org
+
+EOF
+ fi ;;
+ esac
+ fi
+ break
+ fi
+ done
+ IFS="$lt_save_ifs"
+ MAGIC_CMD="$lt_save_MAGIC_CMD"
+ ;;
+esac])
+MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
+if test -n "$MAGIC_CMD"; then
+ AC_MSG_RESULT($MAGIC_CMD)
+else
+ AC_MSG_RESULT(no)
+fi
+])# AC_PATH_TOOL_PREFIX
+
+
+# AC_PATH_MAGIC
+# -------------
+# find a file program which can recognise a shared library
+AC_DEFUN([AC_PATH_MAGIC],
+[AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
+if test -z "$lt_cv_path_MAGIC_CMD"; then
+ if test -n "$ac_tool_prefix"; then
+ AC_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH)
+ else
+ MAGIC_CMD=:
+ fi
+fi
+])# AC_PATH_MAGIC
+
+
+# AC_PROG_LD
+# ----------
+# find the pathname to the GNU or non-GNU linker
+AC_DEFUN([AC_PROG_LD],
+[AC_ARG_WITH([gnu-ld],
+ [AC_HELP_STRING([--with-gnu-ld],
+ [assume the C compiler uses GNU ld @<:@default=no@:>@])],
+ [test "$withval" = no || with_gnu_ld=yes],
+ [with_gnu_ld=no])
+AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([AC_PROG_CC])dnl
+AC_REQUIRE([AC_CANONICAL_HOST])dnl
+AC_REQUIRE([AC_CANONICAL_BUILD])dnl
+ac_prog=ld
+if test "$GCC" = yes; then
+ # Check if gcc -print-prog-name=ld gives a path.
+ AC_MSG_CHECKING([for ld used by $CC])
+ case $host in
+ *-*-mingw*)
+ # gcc leaves a trailing carriage return which upsets mingw
+ ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;;
+ *)
+ ac_prog=`($CC -print-prog-name=ld) 2>&5` ;;
+ esac
+ case $ac_prog in
+ # Accept absolute paths.
+ [[\\/]]* | ?:[[\\/]]*)
+ re_direlt='/[[^/]][[^/]]*/\.\./'
+ # Canonicalize the pathname of ld
+ ac_prog=`echo $ac_prog| $SED 's%\\\\%/%g'`
+ while echo $ac_prog | grep "$re_direlt" > /dev/null 2>&1; do
+ ac_prog=`echo $ac_prog| $SED "s%$re_direlt%/%"`
+ done
+ test -z "$LD" && LD="$ac_prog"
+ ;;
+ "")
+ # If it fails, then pretend we aren't using GCC.
+ ac_prog=ld
+ ;;
+ *)
+ # If it is relative, then search for the first ld in PATH.
+ with_gnu_ld=unknown
+ ;;
+ esac
+elif test "$with_gnu_ld" = yes; then
+ AC_MSG_CHECKING([for GNU ld])
+else
+ AC_MSG_CHECKING([for non-GNU ld])
+fi
+AC_CACHE_VAL(lt_cv_path_LD,
+[if test -z "$LD"; then
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
+ lt_cv_path_LD="$ac_dir/$ac_prog"
+ # Check to see if the program is GNU ld. I'd rather use --version,
+ # but apparently some GNU ld's only accept -v.
+ # Break only if it was the GNU/non-GNU ld that we prefer.
+ case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
+ *GNU* | *'with BFD'*)
+ test "$with_gnu_ld" != no && break
+ ;;
+ *)
+ test "$with_gnu_ld" != yes && break
+ ;;
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+else
+ lt_cv_path_LD="$LD" # Let the user override the test with a path.
+fi])
+LD="$lt_cv_path_LD"
+if test -n "$LD"; then
+ AC_MSG_RESULT($LD)
+else
+ AC_MSG_RESULT(no)
+fi
+test -z "$LD" && AC_MSG_ERROR([no acceptable ld found in \$PATH])
+AC_PROG_LD_GNU
+])# AC_PROG_LD
+
+
+# AC_PROG_LD_GNU
+# --------------
+AC_DEFUN([AC_PROG_LD_GNU],
+[AC_REQUIRE([AC_PROG_EGREP])dnl
+AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
+[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+case `$LD -v 2>&1 </dev/null` in
+*GNU* | *'with BFD'*)
+ lt_cv_prog_gnu_ld=yes
+ ;;
+*)
+ lt_cv_prog_gnu_ld=no
+ ;;
+esac])
+with_gnu_ld=$lt_cv_prog_gnu_ld
+])# AC_PROG_LD_GNU
+
+
+# AC_PROG_LD_RELOAD_FLAG
+# ----------------------
+# find reload flag for linker
+# -- PORTME Some linkers may need a different reload flag.
+AC_DEFUN([AC_PROG_LD_RELOAD_FLAG],
+[AC_CACHE_CHECK([for $LD option to reload object files],
+ lt_cv_ld_reload_flag,
+ [lt_cv_ld_reload_flag='-r'])
+reload_flag=$lt_cv_ld_reload_flag
+case $reload_flag in
+"" | " "*) ;;
+*) reload_flag=" $reload_flag" ;;
+esac
+reload_cmds='$LD$reload_flag -o $output$reload_objs'
+])# AC_PROG_LD_RELOAD_FLAG
+
+
+# AC_DEPLIBS_CHECK_METHOD
+# -----------------------
+# how to check for library dependencies
+# -- PORTME fill in with the dynamic library characteristics
+AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
+[AC_CACHE_CHECK([how to recognise dependent libraries],
+lt_cv_deplibs_check_method,
+[lt_cv_file_magic_cmd='$MAGIC_CMD'
+lt_cv_file_magic_test_file=
+lt_cv_deplibs_check_method='unknown'
+# Need to set the preceding variable on all platforms that support
+# interlibrary dependencies.
+# 'none' -- dependencies not supported.
+# `unknown' -- same as none, but documents that we really don't know.
+# 'pass_all' -- all dependencies passed with no checks.
+# 'test_compile' -- check by making test program.
+# 'file_magic [[regex]]' -- check by looking for files in library path
+# which responds to the $file_magic_cmd with a given extended regex.
+# If you have `file' or equivalent on your system and you're not sure
+# whether `pass_all' will *always* work, you probably want this one.
+
+case $host_os in
+aix4* | aix5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+beos*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+bsdi4*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib)'
+ lt_cv_file_magic_cmd='/usr/bin/file -L'
+ lt_cv_file_magic_test_file=/shlib/libc.so
+ ;;
+
+cygwin*)
+ # win32_libid is a shell function defined in ltmain.sh
+ lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+ lt_cv_file_magic_cmd='win32_libid'
+ ;;
+
+mingw* | pw32*)
+ # Base MSYS/MinGW do not provide the 'file' command needed by
+ # win32_libid shell function, so use a weaker test based on 'objdump'.
+ lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+ lt_cv_file_magic_cmd='$OBJDUMP -f'
+ ;;
+
+darwin* | rhapsody*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+freebsd* | kfreebsd*-gnu)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ case $host_cpu in
+ i*86 )
+ # Not sure whether the presence of OpenBSD here was a mistake.
+ # Let's accept both of them until this is cleared up.
+ lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ ;;
+ esac
+ else
+ lt_cv_deplibs_check_method=pass_all
+ fi
+ ;;
+
+gnu*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+hpux10.20* | hpux11*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ case "$host_cpu" in
+ ia64*)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
+ lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
+ ;;
+ hppa*64*)
+ [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF-[0-9][0-9]) shared object file - PA-RISC [0-9].[0-9]']
+ lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl
+ ;;
+ *)
+ lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]].[[0-9]]) shared library'
+ lt_cv_file_magic_test_file=/usr/lib/libc.sl
+ ;;
+ esac
+ ;;
+
+irix5* | irix6* | nonstopux*)
+ case $LD in
+ *-32|*"-32 ") libmagic=32-bit;;
+ *-n32|*"-n32 ") libmagic=N32;;
+ *-64|*"-64 ") libmagic=64-bit;;
+ *) libmagic=never-match;;
+ esac
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+# This must be Linux ELF.
+linux*)
+ case $host_cpu in
+ alpha*|hppa*|i*86|ia64*|m68*|mips*|powerpc*|sparc*|s390*|sh*)
+ lt_cv_deplibs_check_method=pass_all ;;
+ *)
+ # glibc up to 2.1.1 does not perform some relocations on ARM
+ # this will be overridden with pass_all, but let us keep it just in case
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' ;;
+ esac
+ lt_cv_file_magic_test_file=`echo /lib/libc.so* /lib/libc-*.so`
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$'
+ else
+ lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$'
+ fi
+ ;;
+
+newos6*)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)'
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=/usr/lib/libnls.so
+ ;;
+
+nto-qnx*)
+ lt_cv_deplibs_check_method=unknown
+ ;;
+
+openbsd*)
+ lt_cv_file_magic_cmd=/usr/bin/file
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB shared object'
+ else
+ lt_cv_deplibs_check_method='file_magic OpenBSD.* shared library'
+ fi
+ ;;
+
+osf3* | osf4* | osf5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sco3.2v5*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+solaris*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+
+sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ case $host_vendor in
+ motorola)
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
+ lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*`
+ ;;
+ ncr)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ sequent)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )'
+ ;;
+ sni)
+ lt_cv_file_magic_cmd='/bin/file'
+ lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib"
+ lt_cv_file_magic_test_file=/lib/libc.so
+ ;;
+ siemens)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+ esac
+ ;;
+
+sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
+ lt_cv_deplibs_check_method=pass_all
+ ;;
+esac
+])
+file_magic_cmd=$lt_cv_file_magic_cmd
+deplibs_check_method=$lt_cv_deplibs_check_method
+test -z "$deplibs_check_method" && deplibs_check_method=unknown
+])# AC_DEPLIBS_CHECK_METHOD
+
+
+# AC_PROG_NM
+# ----------
+# find the pathname to a BSD-compatible name lister
+AC_DEFUN([AC_PROG_NM],
+[AC_CACHE_CHECK([for BSD-compatible nm], lt_cv_path_NM,
+[if test -n "$NM"; then
+ # Let the user override the test.
+ lt_cv_path_NM="$NM"
+else
+ lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+ for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
+ IFS="$lt_save_ifs"
+ test -z "$ac_dir" && ac_dir=.
+ tmp_nm="$ac_dir/${ac_tool_prefix}nm"
+ if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+ # Check to see if the nm accepts a BSD-compat flag.
+ # Adding the `sed 1q' prevents false positives on HP-UX, which says:
+ # nm: unknown option "B" ignored
+ # Tru64's nm complains that /dev/null is an invalid object file
+ case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+ */dev/null* | *'Invalid file or object type'*)
+ lt_cv_path_NM="$tmp_nm -B"
+ break
+ ;;
+ *)
+ case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+ */dev/null*)
+ lt_cv_path_NM="$tmp_nm -p"
+ break
+ ;;
+ *)
+ lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+ continue # so that we can try to find one that supports BSD flags
+ ;;
+ esac
+ esac
+ fi
+ done
+ IFS="$lt_save_ifs"
+ test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
+fi])
+NM="$lt_cv_path_NM"
+])# AC_PROG_NM
+
+
+# AC_CHECK_LIBM
+# -------------
+# check for math library
+AC_DEFUN([AC_CHECK_LIBM],
+[AC_REQUIRE([AC_CANONICAL_HOST])dnl
+LIBM=
+case $host in
+*-*-beos* | *-*-cygwin* | *-*-pw32* | *-*-darwin*)
+ # These system don't have libm, or don't need it
+ ;;
+*-ncr-sysv4.3*)
+ AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw")
+ AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm")
+ ;;
+*)
+ AC_CHECK_LIB(m, cos, LIBM="-lm")
+ ;;
+esac
+])# AC_CHECK_LIBM
+
+
+# AC_LIBLTDL_CONVENIENCE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl convenience library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-convenience to the configure arguments. Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
+# DIRECTORY is not provided, it is assumed to be `libltdl'. LIBLTDL will
+# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
+# '${top_srcdir}/' (note the single quotes!). If your package is not
+# flat and you're not using automake, define top_builddir and
+# top_srcdir appropriately in the Makefiles.
+AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ case $enable_ltdl_convenience in
+ no) AC_MSG_ERROR([this package needs a convenience libltdl]) ;;
+ "") enable_ltdl_convenience=yes
+ ac_configure_args="$ac_configure_args --enable-ltdl-convenience" ;;
+ esac
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdlc.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_CONVENIENCE
+
+
+# AC_LIBLTDL_INSTALLABLE([DIRECTORY])
+# -----------------------------------
+# sets LIBLTDL to the link flags for the libltdl installable library and
+# LTDLINCL to the include flags for the libltdl header and adds
+# --enable-ltdl-install to the configure arguments. Note that LIBLTDL
+# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called. If
+# DIRECTORY is not provided and an installed libltdl is not found, it is
+# assumed to be `libltdl'. LIBLTDL will be prefixed with '${top_builddir}/'
+# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
+# quotes!). If your package is not flat and you're not using automake,
+# define top_builddir and top_srcdir appropriately in the Makefiles.
+# In the future, this macro may have to be called after AC_PROG_LIBTOOL.
+AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
+[AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
+ AC_CHECK_LIB(ltdl, lt_dlinit,
+ [test x"$enable_ltdl_install" != xyes && enable_ltdl_install=no],
+ [if test x"$enable_ltdl_install" = xno; then
+ AC_MSG_WARN([libltdl not installed, but installation disabled])
+ else
+ enable_ltdl_install=yes
+ fi
+ ])
+ if test x"$enable_ltdl_install" = x"yes"; then
+ ac_configure_args="$ac_configure_args --enable-ltdl-install"
+ LIBLTDL='${top_builddir}/'ifelse($#,1,[$1],['libltdl'])/libltdl.la
+ LTDLINCL='-I${top_srcdir}/'ifelse($#,1,[$1],['libltdl'])
+ else
+ ac_configure_args="$ac_configure_args --enable-ltdl-install=no"
+ LIBLTDL="-lltdl"
+ LTDLINCL=
+ fi
+ # For backwards non-gettext consistent compatibility...
+ INCLTDL="$LTDLINCL"
+])# AC_LIBLTDL_INSTALLABLE
+
+
+# AC_LIBTOOL_CXX
+# --------------
+# enable support for C++ libraries
+AC_DEFUN([AC_LIBTOOL_CXX],
+[AC_REQUIRE([_LT_AC_LANG_CXX])
+])# AC_LIBTOOL_CXX
+
+
+# _LT_AC_LANG_CXX
+# ---------------
+AC_DEFUN([_LT_AC_LANG_CXX],
+[AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
+])# _LT_AC_LANG_CXX
+
+
+# AC_LIBTOOL_F77
+# --------------
+# enable support for Fortran 77 libraries
+AC_DEFUN([AC_LIBTOOL_F77],
+[AC_REQUIRE([_LT_AC_LANG_F77])
+])# AC_LIBTOOL_F77
+
+
+# _LT_AC_LANG_F77
+# ---------------
+AC_DEFUN([_LT_AC_LANG_F77],
+[AC_REQUIRE([AC_PROG_F77])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}F77])
+])# _LT_AC_LANG_F77
+
+
+# AC_LIBTOOL_GCJ
+# --------------
+# enable support for GCJ libraries
+AC_DEFUN([AC_LIBTOOL_GCJ],
+[AC_REQUIRE([_LT_AC_LANG_GCJ])
+])# AC_LIBTOOL_GCJ
+
+
+# _LT_AC_LANG_GCJ
+# ---------------
+AC_DEFUN([_LT_AC_LANG_GCJ],
+[AC_PROVIDE_IFELSE([AC_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([A][M_PROG_GCJ],[],
+ [AC_PROVIDE_IFELSE([LT_AC_PROG_GCJ],[],
+ [ifdef([AC_PROG_GCJ],[AC_REQUIRE([AC_PROG_GCJ])],
+ [ifdef([A][M_PROG_GCJ],[AC_REQUIRE([A][M_PROG_GCJ])],
+ [AC_REQUIRE([A][C_PROG_GCJ_OR_A][M_PROG_GCJ])])])])])])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
+])# _LT_AC_LANG_GCJ
+
+
+# AC_LIBTOOL_RC
+# --------------
+# enable support for Windows resource files
+AC_DEFUN([AC_LIBTOOL_RC],
+[AC_REQUIRE([LT_AC_PROG_RC])
+_LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}RC])
+])# AC_LIBTOOL_RC
+
+
+# AC_LIBTOOL_LANG_C_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG], [_LT_AC_LANG_C_CONFIG])
+AC_DEFUN([_LT_AC_LANG_C_CONFIG],
+[lt_save_CC="$CC"
+AC_LANG_PUSH(C)
+
+# Source file extension for C test sources.
+ac_ext=c
+
+# Object file extension for compiled C test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(){return(0);}\n'
+
+_LT_AC_SYS_COMPILER
+
+#
+# Check for any special shared library compilation flags.
+#
+_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
+if test "$GCC" = no; then
+ case $host_os in
+ sco3.2v5*)
+ _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
+ ;;
+ esac
+fi
+if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
+ AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
+ if echo "$old_CC $old_CFLAGS " | grep "[[ ]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ ]]" >/dev/null; then :
+ else
+ AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
+ _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
+ fi
+fi
+
+
+#
+# Check to make sure the static flag actually works.
+#
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
+ _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
+ $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
+ [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
+
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+# Report which librarie types wil actually be built
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+
+aix4*)
+ if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+ test "$enable_shared" = yes && enable_static=no
+ fi
+ ;;
+ darwin* | rhapsody*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ output_verbose_link_cmd='echo'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring'
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs$compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_C_CONFIG
+
+
+# AC_LIBTOOL_LANG_CXX_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG], [_LT_AC_LANG_CXX_CONFIG(CXX)])
+AC_DEFUN([_LT_AC_LANG_CXX_CONFIG],
+[AC_LANG_PUSH(C++)
+AC_REQUIRE([AC_PROG_CXX])
+AC_REQUIRE([AC_PROG_CXXCPP])
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Dependencies to place before and after the object being linked:
+_LT_AC_TAGVAR(predep_objects, $1)=
+_LT_AC_TAGVAR(postdep_objects, $1)=
+_LT_AC_TAGVAR(predeps, $1)=
+_LT_AC_TAGVAR(postdeps, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+
+# Source file extension for C++ test sources.
+ac_ext=cc
+
+# Object file extension for compiled C++ test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="int some_variable = 0;\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC=$CC
+lt_save_LD=$LD
+lt_save_GCC=$GCC
+GCC=$GXX
+lt_save_with_gnu_ld=$with_gnu_ld
+lt_save_path_LD=$lt_cv_path_LD
+if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
+ lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
+else
+ unset lt_cv_prog_gnu_ld
+fi
+if test -n "${lt_cv_path_LDCXX+set}"; then
+ lt_cv_path_LD=$lt_cv_path_LDCXX
+else
+ unset lt_cv_path_LD
+fi
+test -z "${LDCXX+set}" || LD=$LDCXX
+CC=${CXX-"c++"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+# We don't want -fno-exception wen compiling C++ code, so set the
+# no_builtin_flag separately
+if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+else
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+fi
+
+if test "$GXX" = yes; then
+ # Set up default GNU C++ configuration
+
+ AC_PROG_LD
+
+ # Check if GNU C++ uses GNU ld as the underlying linker, since the
+ # archiving commands below assume that GNU ld is being used.
+ if test "$with_gnu_ld" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to
+ # investigate it a little bit more. (MM)
+ wlarc='${wl}'
+
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if eval "`$CC -print-prog-name=ld` --help 2>&1" | \
+ grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ else
+ with_gnu_ld=no
+ wlarc=
+
+ # A generic and very simple default shared library creation
+ # command for GNU C++ for the case where it uses the native
+ # linker, instead of GNU ld. If possible, this setting should
+ # overridden to take advantage of the native linker features on
+ # the platform it is being used on.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+ fi
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+else
+ GXX=no
+ with_gnu_ld=no
+ wlarc=
+fi
+
+# PORTME: fill in a description of your system's C++ link characteristics
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+_LT_AC_TAGVAR(ld_shlibs, $1)=yes
+case $host_os in
+ aix3*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ case $ld_flag in
+ *-brtl*)
+ aix_use_runtimelinking=yes
+ break
+ ;;
+ esac
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GXX" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ dgux*)
+ case $cc_basename in
+ ec++)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ freebsd[12]*)
+ # C++ shared libraries reported to be fairly broken before switch to ELF
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ freebsd-elf*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
+ # conventions
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ ;;
+ gnu*)
+ ;;
+ hpux9*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | egrep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -nostdlib -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ hpux10*|hpux11*)
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+ esac
+ fi
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
+ # but as the default
+ # location of the library.
+ ;;
+ esac
+
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ aCC)
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test $with_gnu_ld = no; then
+ case "$host_cpu" in
+ ia64*|hppa*64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ ;;
+ esac
+ fi
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ irix5* | irix6*)
+ case $cc_basename in
+ CC)
+ # SGI C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ # Archives containing C++ object files must be created using
+ # "CC -ar", where "CC" is the IRIX C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs'
+ ;;
+ *)
+ if test "$GXX" = yes; then
+ if test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
+ fi
+ fi
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+ esac
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib'
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | grep "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+ ;;
+ icpc)
+ # Intel C++
+ with_gnu_ld=yes
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
+ ;;
+ cxx)
+ # Compaq C++
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
+
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ esac
+ ;;
+ lynxos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ m88k*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ fi
+ # Workaround some broken pre-1.5 toolchains
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"'
+ ;;
+ osf3*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # "CC -Bstatic", where "CC" is the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
+
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ # Kuck and Associates, Inc. (KAI) C++ Compiler
+
+ # KCC will only create a shared library if the output file
+ # ends with ".so" (or ".sl" for HP-UX), so rename the library
+ # to its proper name (with version) after linking.
+ _LT_AC_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Archives containing C++ object files must be created using
+ # the KAI C++ compiler.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ cxx)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
+ echo "-hidden">> $lib.exp~
+ $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp `test -n "$verstring" && echo -set_version $verstring` -update_registry $objdir/so_locations -o $lib~
+ $rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld" | grep -v "ld:"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+ ;;
+ *)
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "\-L"'
+
+ else
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+ ;;
+ psos*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ sco*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case $cc_basename in
+ CC)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ lcc)
+ # Lucid
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[0-5] | solaris2.[0-5].*) ;;
+ *)
+ # The C++ compiler is used as linker so we must use $wl
+ # flag to pass the commands to the underlying system
+ # linker.
+ # Supported since Solaris 2.6 (maybe 2.5.1?)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+ ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ #
+ # There doesn't appear to be a way to prevent this compiler from
+ # explicitly linking system object files so we need to strip them
+ # from the output so that they don't get included in the library
+ # dependencies.
+ output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+
+ # Archives containing C++ object files must be created using
+ # "CC -xar", where "CC" is the Sun C++ compiler. This is
+ # necessary to make sure instantiated templates are included
+ # in the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+
+ # The C++ compiler must be used to create the archive.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs'
+ ;;
+ *)
+ # GNU C++ compiler with Solaris linker
+ if test "$GXX" = yes && test "$with_gnu_ld" = no; then
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs'
+ if $CC --version | grep -v '^2\.7' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ else
+ # g++ 2.7 appears to require `-G' NOT `-shared' on this
+ # platform.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+
+ # Commands to make compiler produce verbose output that lists
+ # what "hidden" libraries, object files and flags are used when
+ # linking a shared library.
+ output_verbose_link_cmd="$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep \"\-L\""
+ fi
+
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+ fi
+ ;;
+ esac
+ ;;
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ ;;
+ vxworks*)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ *)
+ # FIXME: insert proper C++ library support
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+esac
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$GXX"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_POSTDEP_PREDEP($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC=$lt_save_CC
+LDCXX=$LD
+LD=$lt_save_LD
+GCC=$lt_save_GCC
+with_gnu_ldcxx=$with_gnu_ld
+with_gnu_ld=$lt_save_with_gnu_ld
+lt_cv_path_LDCXX=$lt_cv_path_LD
+lt_cv_path_LD=$lt_save_path_LD
+lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld
+lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
+])# AC_LIBTOOL_LANG_CXX_CONFIG
+
+# AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
+# ------------------------
+# Figure out "hidden" library dependencies from verbose
+# compiler output when linking a shared library.
+# Parse the compiler output and extract the necessary
+# objects, libraries and library flags.
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
+dnl we can't use the lt_simple_compile_test_code here,
+dnl because it contains code intended for an executable,
+dnl not a library. It's possible we should let each
+dnl tag define a new lt_????_link_test_code variable,
+dnl but it's only used here...
+ifelse([$1],[],[cat > conftest.$ac_ext <<EOF
+int a;
+void foo (void) { a = 0; }
+EOF
+],[$1],[CXX],[cat > conftest.$ac_ext <<EOF
+class Foo
+{
+public:
+ Foo (void) { a = 0; }
+private:
+ int a;
+};
+EOF
+],[$1],[F77],[cat > conftest.$ac_ext <<EOF
+ subroutine foo
+ implicit none
+ integer*4 a
+ a=0
+ return
+ end
+EOF
+],[$1],[GCJ],[cat > conftest.$ac_ext <<EOF
+public class foo {
+ private int a;
+ public void bar (void) {
+ a = 0;
+ }
+};
+EOF
+])
+dnl Parse the compiler output and extract the necessary
+dnl objects, libraries and library flags.
+if AC_TRY_EVAL(ac_compile); then
+ # Parse the compiler output and extract the necessary
+ # objects, libraries and library flags.
+
+ # Sentinel used to keep track of whether or not we are before
+ # the conftest object file.
+ pre_test_object_deps_done=no
+
+ # The `*' in the case matches for architectures that use `case' in
+ # $output_verbose_cmd can trigger glob expansion during the loop
+ # eval without this substitution.
+ output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+
+ for p in `eval $output_verbose_link_cmd`; do
+ case $p in
+
+ -L* | -R* | -l*)
+ # Some compilers place space between "-{L,R}" and the path.
+ # Remove the space.
+ if test $p = "-L" \
+ || test $p = "-R"; then
+ prev=$p
+ continue
+ else
+ prev=
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ case $p in
+ -L* | -R*)
+ # Internal compiler library paths should come after those
+ # provided the user. The postdeps already come after the
+ # user supplied libs so there is no need to process them.
+ if test -z "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1)="${_LT_AC_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}"
+ fi
+ ;;
+ # The "-l" case would never come before the object being
+ # linked, so don't bother handling this case.
+ esac
+ else
+ if test -z "$_LT_AC_TAGVAR(postdeps, $1)"; then
+ _LT_AC_TAGVAR(postdeps, $1)="${prev}${p}"
+ else
+ _LT_AC_TAGVAR(postdeps, $1)="${_LT_AC_TAGVAR(postdeps, $1)} ${prev}${p}"
+ fi
+ fi
+ ;;
+
+ *.$objext)
+ # This assumes that the test object file only shows up
+ # once in the compiler output.
+ if test "$p" = "conftest.$objext"; then
+ pre_test_object_deps_done=yes
+ continue
+ fi
+
+ if test "$pre_test_object_deps_done" = no; then
+ if test -z "$_LT_AC_TAGVAR(predep_objects, $1)"; then
+ _LT_AC_TAGVAR(predep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(predep_objects, $1)="$_LT_AC_TAGVAR(predep_objects, $1) $p"
+ fi
+ else
+ if test -z "$_LT_AC_TAGVAR(postdep_objects, $1)"; then
+ _LT_AC_TAGVAR(postdep_objects, $1)="$p"
+ else
+ _LT_AC_TAGVAR(postdep_objects, $1)="$_LT_AC_TAGVAR(postdep_objects, $1) $p"
+ fi
+ fi
+ ;;
+
+ *) ;; # Ignore the rest.
+
+ esac
+ done
+
+ # Clean up.
+ rm -f a.out a.exe
+else
+ echo "libtool.m4: error: problem compiling $1 test program"
+fi
+
+$rm -f confest.$objext
+
+case " $_LT_AC_TAGVAR(postdeps, $1) " in
+*" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
+esac
+])# AC_LIBTOOL_POSTDEP_PREDEP
+
+# AC_LIBTOOL_LANG_F77_CONFIG
+# ------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG], [_LT_AC_LANG_F77_CONFIG(F77)])
+AC_DEFUN([_LT_AC_LANG_F77_CONFIG],
+[AC_REQUIRE([AC_PROG_F77])
+AC_LANG_PUSH(Fortran 77)
+
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+_LT_AC_TAGVAR(allow_undefined_flag, $1)=
+_LT_AC_TAGVAR(always_export_symbols, $1)=no
+_LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_direct, $1)=no
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+_LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_automatic, $1)=no
+_LT_AC_TAGVAR(module_cmds, $1)=
+_LT_AC_TAGVAR(module_expsym_cmds, $1)=
+_LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+_LT_AC_TAGVAR(no_undefined_flag, $1)=
+_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+
+# Source file extension for f77 test sources.
+ac_ext=f
+
+# Object file extension for compiled f77 test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code=" subroutine t\n return\n end\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code=" program t\n end\n"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${F77-"f77"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+
+AC_MSG_CHECKING([if libtool supports shared libraries])
+AC_MSG_RESULT([$can_build_shared])
+
+AC_MSG_CHECKING([whether to build shared libraries])
+test "$can_build_shared" = "no" && enable_shared=no
+
+# On AIX, shared libraries and static libraries use the same namespace, and
+# are all built from PIC.
+case "$host_os" in
+aix3*)
+ test "$enable_shared" = yes && enable_static=no
+ if test -n "$RANLIB"; then
+ archive_cmds="$archive_cmds~\$RANLIB \$lib"
+ postinstall_cmds='$RANLIB $lib'
+ fi
+ ;;
+aix4*)
+ test "$enable_shared" = yes && enable_static=no
+ ;;
+esac
+AC_MSG_RESULT([$enable_shared])
+
+AC_MSG_CHECKING([whether to build static libraries])
+# Make sure either enable_shared or enable_static is yes.
+test "$enable_shared" = yes || enable_static=yes
+AC_MSG_RESULT([$enable_static])
+
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+_LT_AC_TAGVAR(GCC, $1)="$G77"
+_LT_AC_TAGVAR(LD, $1)="$LD"
+
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_POP
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_F77_CONFIG
+
+
+# AC_LIBTOOL_LANG_GCJ_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the C compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG], [_LT_AC_LANG_GCJ_CONFIG(GCJ)])
+AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for Java test sources.
+ac_ext=java
+
+# Object file extension for compiled Java test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code="class foo {}\n"
+
+# Code to be used in simple link tests
+lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${GCJ-"gcj"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+
+# GCJ did not exist at the time GCC didn't implicitly link libc in.
+_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+
+## CAVEAT EMPTOR:
+## There is no encapsulation within the following macros, do not change
+## the running order or otherwise move them around unless you know exactly
+## what you are doing...
+AC_LIBTOOL_PROG_COMPILER_NO_RTTI($1)
+AC_LIBTOOL_PROG_COMPILER_PIC($1)
+AC_LIBTOOL_PROG_CC_C_O($1)
+AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
+AC_LIBTOOL_PROG_LD_SHLIBS($1)
+AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
+AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
+AC_LIBTOOL_SYS_LIB_STRIP
+AC_LIBTOOL_DLOPEN_SELF($1)
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_GCJ_CONFIG
+
+
+# AC_LIBTOOL_LANG_RC_CONFIG
+# --------------------------
+# Ensure that the configuration vars for the Windows resource compiler are
+# suitably defined. Those variables are subsequently used by
+# AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
+AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG], [_LT_AC_LANG_RC_CONFIG(RC)])
+AC_DEFUN([_LT_AC_LANG_RC_CONFIG],
+[AC_LANG_SAVE
+
+# Source file extension for RC test sources.
+ac_ext=rc
+
+# Object file extension for compiled RC test sources.
+objext=o
+_LT_AC_TAGVAR(objext, $1)=$objext
+
+# Code to be used in simple compile tests
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+
+# Code to be used in simple link tests
+lt_simple_link_test_code="$lt_simple_compile_test_code"
+
+# ltmain only uses $CC for tagged configurations so make sure $CC is set.
+_LT_AC_SYS_COMPILER
+
+# Allow CC to be a program name with arguments.
+lt_save_CC="$CC"
+CC=${RC-"windres"}
+compiler=$CC
+_LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
+
+AC_LIBTOOL_CONFIG($1)
+
+AC_LANG_RESTORE
+CC="$lt_save_CC"
+])# AC_LIBTOOL_LANG_RC_CONFIG
+
+
+# AC_LIBTOOL_CONFIG([TAGNAME])
+# ----------------------------
+# If TAGNAME is not passed, then create an initial libtool script
+# with a default configuration from the untagged config vars. Otherwise
+# add code to config.status for appending the configuration named by
+# TAGNAME from the matching tagged config vars.
+AC_DEFUN([AC_LIBTOOL_CONFIG],
+[# The else clause should only fire when bootstrapping the
+# libtool distribution, otherwise you forgot to ship ltmain.sh
+# with your package, and you will get complaints that there are
+# no rules to generate ltmain.sh.
+if test -f "$ltmain"; then
+ # See if we are running on zsh, and set the options which allow our commands through
+ # without removal of \ escapes.
+ if test -n "${ZSH_VERSION+set}" ; then
+ setopt NO_GLOB_SUBST
+ fi
+ # Now quote all the things that may contain metacharacters while being
+ # careful not to overquote the AC_SUBSTed values. We take copies of the
+ # variables and quote the copies for generation of the libtool script.
+ for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+ SED SHELL STRIP \
+ libname_spec library_names_spec soname_spec extract_expsyms_cmds \
+ old_striplib striplib file_magic_cmd finish_cmds finish_eval \
+ deplibs_check_method reload_flag reload_cmds need_locks \
+ lt_cv_sys_global_symbol_pipe lt_cv_sys_global_symbol_to_cdecl \
+ lt_cv_sys_global_symbol_to_c_name_address \
+ sys_lib_search_path_spec sys_lib_dlsearch_path_spec \
+ old_postinstall_cmds old_postuninstall_cmds \
+ _LT_AC_TAGVAR(compiler, $1) \
+ _LT_AC_TAGVAR(CC, $1) \
+ _LT_AC_TAGVAR(LD, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1) \
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) \
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1) \
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1) \
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1) \
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1) \
+ _LT_AC_TAGVAR(old_archive_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) \
+ _LT_AC_TAGVAR(predep_objects, $1) \
+ _LT_AC_TAGVAR(postdep_objects, $1) \
+ _LT_AC_TAGVAR(predeps, $1) \
+ _LT_AC_TAGVAR(postdeps, $1) \
+ _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+ _LT_AC_TAGVAR(archive_cmds, $1) \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(postinstall_cmds, $1) \
+ _LT_AC_TAGVAR(postuninstall_cmds, $1) \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) \
+ _LT_AC_TAGVAR(allow_undefined_flag, $1) \
+ _LT_AC_TAGVAR(no_undefined_flag, $1) \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1) \
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1) \
+ _LT_AC_TAGVAR(hardcode_automatic, $1) \
+ _LT_AC_TAGVAR(module_cmds, $1) \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) \
+ _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+ _LT_AC_TAGVAR(exclude_expsyms, $1) \
+ _LT_AC_TAGVAR(include_expsyms, $1); do
+
+ case $var in
+ _LT_AC_TAGVAR(old_archive_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_new_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_cmds, $1) | \
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(module_cmds, $1) | \
+ _LT_AC_TAGVAR(module_expsym_cmds, $1) | \
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1) | \
+ _LT_AC_TAGVAR(export_symbols_cmds, $1) | \
+ extract_expsyms_cmds | reload_cmds | finish_cmds | \
+ postinstall_cmds | postuninstall_cmds | \
+ old_postinstall_cmds | old_postuninstall_cmds | \
+ sys_lib_search_path_spec | sys_lib_dlsearch_path_spec)
+ # Double-quote double-evaled strings.
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$double_quote_subst\" -e \"\$sed_quote_subst\" -e \"\$delay_variable_subst\"\`\\\""
+ ;;
+ *)
+ eval "lt_$var=\\\"\`\$echo \"X\$$var\" | \$Xsed -e \"\$sed_quote_subst\"\`\\\""
+ ;;
+ esac
+ done
+
+ case $lt_echo in
+ *'\[$]0 --fallback-echo"')
+ lt_echo=`$echo "X$lt_echo" | $Xsed -e 's/\\\\\\\[$]0 --fallback-echo"[$]/[$]0 --fallback-echo"/'`
+ ;;
+ esac
+
+ifelse([$1], [],
+ [cfgfile="${ofile}T"
+ trap "$rm \"$cfgfile\"; exit 1" 1 2 15
+ $rm -f "$cfgfile"
+ AC_MSG_NOTICE([creating $ofile])],
+ [cfgfile="$ofile"])
+
+ cat <<__EOF__ >> "$cfgfile"
+ifelse([$1], [],
+[#! $SHELL
+
+# `$echo "$cfgfile" | sed 's%^.*/%%'` - Provide generalized library-building support services.
+# Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
+# NOTE: Changes made to this file will be lost: look at ltmain.sh.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Free Software Foundation, Inc.
+#
+# This file is part of GNU Libtool:
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# A sed program that does not truncate output.
+SED=$lt_SED
+
+# Sed that helps us avoid accidentally triggering echo(1) options like -n.
+Xsed="$SED -e s/^X//"
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test "X\${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi
+
+# The names of the tagged configurations supported by this script.
+available_tags=
+
+# ### BEGIN LIBTOOL CONFIG],
+[# ### BEGIN LIBTOOL TAG CONFIG: $tagname])
+
+# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`:
+
+# Shell to use when invoking shell scripts.
+SHELL=$lt_SHELL
+
+# Whether or not to build shared libraries.
+build_libtool_libs=$enable_shared
+
+# Whether or not to build static libraries.
+build_old_libs=$enable_static
+
+# Whether or not to add -lc for building shared libraries.
+build_libtool_need_lc=$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)
+
+# Whether or not to disallow shared libs when runtime libs are static
+allow_libtool_libs_with_static_runtimes=$_LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)
+
+# Whether or not to optimize for fast installation.
+fast_install=$enable_fast_install
+
+# The host system.
+host_alias=$host_alias
+host=$host
+
+# An echo program that does not interpret backslashes.
+echo=$lt_echo
+
+# The archiver.
+AR=$lt_AR
+AR_FLAGS=$lt_AR_FLAGS
+
+# A C compiler.
+LTCC=$lt_LTCC
+
+# A language-specific compiler.
+CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
+
+# Is the compiler the GNU C compiler?
+with_gcc=$_LT_AC_TAGVAR(GCC, $1)
+
+# An ERE matcher.
+EGREP=$lt_EGREP
+
+# The linker used to build libraries.
+LD=$lt_[]_LT_AC_TAGVAR(LD, $1)
+
+# Whether we need hard or soft links.
+LN_S=$lt_LN_S
+
+# A BSD-compatible nm program.
+NM=$lt_NM
+
+# A symbol stripping program
+STRIP=$lt_STRIP
+
+# Used to examine libraries when file_magic_cmd begins "file"
+MAGIC_CMD=$MAGIC_CMD
+
+# Used on cygwin: DLL creation program.
+DLLTOOL="$DLLTOOL"
+
+# Used on cygwin: object dumper.
+OBJDUMP="$OBJDUMP"
+
+# Used on cygwin: assembler.
+AS="$AS"
+
+# The name of the directory that contains temporary libtool files.
+objdir=$objdir
+
+# How to create reloadable object files.
+reload_flag=$lt_reload_flag
+reload_cmds=$lt_reload_cmds
+
+# How to pass a linker flag through the compiler.
+wl=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+
+# Object file suffix (normally "o").
+objext="$ac_objext"
+
+# Old archive suffix (normally "a").
+libext="$libext"
+
+# Shared library suffix (normally ".so").
+shrext='$shrext'
+
+# Executable file suffix (normally "").
+exeext="$exeext"
+
+# Additional compiler flags for building library objects.
+pic_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
+pic_mode=$pic_mode
+
+# What is the maximum length of a command?
+max_cmd_len=$lt_cv_sys_max_cmd_len
+
+# Does compiler simultaneously support -c and -o options?
+compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
+
+# Must we lock files when doing compilation ?
+need_locks=$lt_need_locks
+
+# Do we need the lib prefix for modules?
+need_lib_prefix=$need_lib_prefix
+
+# Do we need a version for libraries?
+need_version=$need_version
+
+# Whether dlopen is supported.
+dlopen_support=$enable_dlopen
+
+# Whether dlopen of programs is supported.
+dlopen_self=$enable_dlopen_self
+
+# Whether dlopen of statically linked programs is supported.
+dlopen_self_static=$enable_dlopen_self_static
+
+# Compiler flag to prevent dynamic linking.
+link_static_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_static, $1)
+
+# Compiler flag to turn off builtin functions.
+no_builtin_flag=$lt_[]_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)
+
+# Compiler flag to allow reflexive dlopens.
+export_dynamic_flag_spec=$lt_[]_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)
+
+# Compiler flag to generate shared objects directly from archives.
+whole_archive_flag_spec=$lt_[]_LT_AC_TAGVAR(whole_archive_flag_spec, $1)
+
+# Compiler flag to generate thread-safe objects.
+thread_safe_flag_spec=$lt_[]_LT_AC_TAGVAR(thread_safe_flag_spec, $1)
+
+# Library versioning type.
+version_type=$version_type
+
+# Format of library name prefix.
+libname_spec=$lt_libname_spec
+
+# List of archive names. First name is the real one, the rest are links.
+# The last name is the one that the linker finds with -lNAME.
+library_names_spec=$lt_library_names_spec
+
+# The coded name of the library, if different from the real name.
+soname_spec=$lt_soname_spec
+
+# Commands used to build and install an old-style archive.
+RANLIB=$lt_RANLIB
+old_archive_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_cmds, $1)
+old_postinstall_cmds=$lt_old_postinstall_cmds
+old_postuninstall_cmds=$lt_old_postuninstall_cmds
+
+# Create an old-style archive from a shared archive.
+old_archive_from_new_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_new_cmds, $1)
+
+# Create a temporary old-style archive to link instead of a shared archive.
+old_archive_from_expsyms_cmds=$lt_[]_LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)
+
+# Commands used to build and install a shared archive.
+archive_cmds=$lt_[]_LT_AC_TAGVAR(archive_cmds, $1)
+archive_expsym_cmds=$lt_[]_LT_AC_TAGVAR(archive_expsym_cmds, $1)
+postinstall_cmds=$lt_postinstall_cmds
+postuninstall_cmds=$lt_postuninstall_cmds
+
+# Commands used to build a loadable module (assumed same as above if empty)
+module_cmds=$lt_[]_LT_AC_TAGVAR(module_cmds, $1)
+module_expsym_cmds=$lt_[]_LT_AC_TAGVAR(module_expsym_cmds, $1)
+
+# Commands to strip libraries.
+old_striplib=$lt_old_striplib
+striplib=$lt_striplib
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predep_objects=$lt_[]_LT_AC_TAGVAR(predep_objects, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdep_objects=$lt_[]_LT_AC_TAGVAR(postdep_objects, $1)
+
+# Dependencies to place before the objects being linked to create a
+# shared library.
+predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
+
+# Dependencies to place after the objects being linked to create a
+# shared library.
+postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
+
+# The library search path used internally by the compiler when linking
+# a shared library.
+compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
+
+# Method to check whether dependent libraries are shared objects.
+deplibs_check_method=$lt_deplibs_check_method
+
+# Command to use when deplibs_check_method == file_magic.
+file_magic_cmd=$lt_file_magic_cmd
+
+# Flag that allows shared libraries with undefined symbols to be built.
+allow_undefined_flag=$lt_[]_LT_AC_TAGVAR(allow_undefined_flag, $1)
+
+# Flag that forces no undefined symbols.
+no_undefined_flag=$lt_[]_LT_AC_TAGVAR(no_undefined_flag, $1)
+
+# Commands used to finish a libtool library installation in a directory.
+finish_cmds=$lt_finish_cmds
+
+# Same as above, but a single script fragment to be evaled but not shown.
+finish_eval=$lt_finish_eval
+
+# Take the output of nm and produce a listing of raw symbols and C names.
+global_symbol_pipe=$lt_lt_cv_sys_global_symbol_pipe
+
+# Transform the output of nm in a proper C declaration
+global_symbol_to_cdecl=$lt_lt_cv_sys_global_symbol_to_cdecl
+
+# Transform the output of nm in a C name address pair
+global_symbol_to_c_name_address=$lt_lt_cv_sys_global_symbol_to_c_name_address
+
+# This is the shared library runtime path variable.
+runpath_var=$runpath_var
+
+# This is the shared library path variable.
+shlibpath_var=$shlibpath_var
+
+# Is shlibpath searched before the hard-coded library search path?
+shlibpath_overrides_runpath=$shlibpath_overrides_runpath
+
+# How to hardcode a shared library path into an executable.
+hardcode_action=$_LT_AC_TAGVAR(hardcode_action, $1)
+
+# Whether we should hardcode library paths into libraries.
+hardcode_into_libs=$hardcode_into_libs
+
+# Flag to hardcode \$libdir into a binary during linking.
+# This must work even if \$libdir does not exist.
+hardcode_libdir_flag_spec=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)
+
+# If ld is used when linking, flag to hardcode \$libdir into
+# a binary during linking. This must work even if \$libdir does
+# not exist.
+hardcode_libdir_flag_spec_ld=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)
+
+# Whether we need a single -rpath flag with a separated argument.
+hardcode_libdir_separator=$lt_[]_LT_AC_TAGVAR(hardcode_libdir_separator, $1)
+
+# Set to yes if using DIR/libNAME${shared_ext} during linking hardcodes DIR into the
+# resulting binary.
+hardcode_direct=$_LT_AC_TAGVAR(hardcode_direct, $1)
+
+# Set to yes if using the -LDIR flag during linking hardcodes DIR into the
+# resulting binary.
+hardcode_minus_L=$_LT_AC_TAGVAR(hardcode_minus_L, $1)
+
+# Set to yes if using SHLIBPATH_VAR=DIR during linking hardcodes DIR into
+# the resulting binary.
+hardcode_shlibpath_var=$_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)
+
+# Set to yes if building a shared library automatically hardcodes DIR into the library
+# and all subsequent libraries and executables linked against it.
+hardcode_automatic=$_LT_AC_TAGVAR(hardcode_automatic, $1)
+
+# Variables whose values should be saved in libtool wrapper scripts and
+# restored at relink time.
+variables_saved_for_relink="$variables_saved_for_relink"
+
+# Whether libtool must link a program against all its dependency libraries.
+link_all_deplibs=$_LT_AC_TAGVAR(link_all_deplibs, $1)
+
+# Compile-time system search path for libraries
+sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
+
+# Run-time system search path for libraries
+sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
+
+# Fix the shell variable \$srcfile for the compiler.
+fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
+
+# Set to yes if exported symbols are required.
+always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
+
+# The commands to list exported symbols.
+export_symbols_cmds=$lt_[]_LT_AC_TAGVAR(export_symbols_cmds, $1)
+
+# The commands to extract the exported symbol list from a shared archive.
+extract_expsyms_cmds=$lt_extract_expsyms_cmds
+
+# Symbols that should not be listed in the preloaded symbols.
+exclude_expsyms=$lt_[]_LT_AC_TAGVAR(exclude_expsyms, $1)
+
+# Symbols that must always be exported.
+include_expsyms=$lt_[]_LT_AC_TAGVAR(include_expsyms, $1)
+
+ifelse([$1],[],
+[# ### END LIBTOOL CONFIG],
+[# ### END LIBTOOL TAG CONFIG: $tagname])
+
+__EOF__
+
+ifelse([$1],[], [
+ case $host_os in
+ aix3*)
+ cat <<\EOF >> "$cfgfile"
+
+# AIX sometimes has problems with the GCC collect2 program. For some
+# reason, if we set the COLLECT_NAMES environment variable, the problems
+# vanish in a puff of smoke.
+if test "X${COLLECT_NAMES+set}" != Xset; then
+ COLLECT_NAMES=
+ export COLLECT_NAMES
+fi
+EOF
+ ;;
+ esac
+
+ # We use sed instead of cat because bash on DJGPP gets confused if
+ # if finds mixed CR/LF and LF-only lines. Since sed operates in
+ # text mode, it properly converts lines to CR/LF. This bash problem
+ # is reportedly fixed, but why not run on old versions too?
+ sed '$q' "$ltmain" >> "$cfgfile" || (rm -f "$cfgfile"; exit 1)
+
+ mv -f "$cfgfile" "$ofile" || \
+ (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile")
+ chmod +x "$ofile"
+])
+else
+ # If there is no Makefile yet, we rely on a make rule to execute
+ # `config.status --recheck' to rerun these tests and create the
+ # libtool script then.
+ ltmain_in=`echo $ltmain | sed -e 's/\.sh$/.in/'`
+ if test -f "$ltmain_in"; then
+ test -f Makefile && make "$ltmain"
+ fi
+fi
+])# AC_LIBTOOL_CONFIG
+
+
+# AC_LIBTOOL_PROG_COMPILER_NO_RTTI([TAGNAME])
+# -------------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI],
+[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+
+_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=
+
+if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin'
+
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions],
+ lt_cv_prog_compiler_rtti_exceptions,
+ [-fno-rtti -fno-exceptions], [],
+ [_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"])
+fi
+])# AC_LIBTOOL_PROG_COMPILER_NO_RTTI
+
+
+# AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+# ---------------------------------
+AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
+[AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([AC_PROG_NM])
+AC_REQUIRE([AC_OBJEXT])
+# Check for command to grab the raw symbol name followed by C symbol from nm.
+AC_MSG_CHECKING([command to parse $NM output from $compiler object])
+AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe],
+[
+# These are sane defaults that work on at least a few old systems.
+# [They come from Ultrix. What could be older than Ultrix?!! ;)]
+
+# Character class describing NM global symbol codes.
+symcode='[[BCDEGRST]]'
+
+# Regexp to match symbols that can be accessed directly from C.
+sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
+
+# Transform the above into a raw symbol and a C symbol.
+symxfrm='\1 \2\3 \3'
+
+# Transform an extracted symbol line into a proper C declaration
+lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
+
+# Transform an extracted symbol line into symbol name and symbol address
+lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+
+# Define system-specific variables.
+case $host_os in
+aix*)
+ symcode='[[BCDT]]'
+ ;;
+cygwin* | mingw* | pw32*)
+ symcode='[[ABCDGISTW]]'
+ ;;
+hpux*) # Its linker distinguishes data from code symbols
+ if test "$host_cpu" = ia64; then
+ symcode='[[ABCDEGRST]]'
+ fi
+ lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
+ lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/ {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (lt_ptr) \&\2},/p'"
+ ;;
+irix* | nonstopux*)
+ symcode='[[BCDEGRST]]'
+ ;;
+osf*)
+ symcode='[[BCDEGQRST]]'
+ ;;
+solaris* | sysv5*)
+ symcode='[[BDRT]]'
+ ;;
+sysv4)
+ symcode='[[DFNSTU]]'
+ ;;
+esac
+
+# Handle CRLF in mingw tool chain
+opt_cr=
+case $build_os in
+mingw*)
+ opt_cr=`echo 'x\{0,1\}' | tr x '\015'` # option cr in regexp
+ ;;
+esac
+
+# If we're using GNU nm, then use its standard symbol codes.
+case `$NM -V 2>&1` in
+*GNU* | *'with BFD'*)
+ symcode='[[ABCDGIRSTW]]' ;;
+esac
+
+# Try without a prefix undercore, then with it.
+for ac_symprfx in "" "_"; do
+
+ # Write the raw and C identifiers.
+ lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+
+ # Check to see that the pipe works correctly.
+ pipe_works=no
+
+ rm -f conftest*
+ cat > conftest.$ac_ext <<EOF
+#ifdef __cplusplus
+extern "C" {
+#endif
+char nm_test_var;
+void nm_test_func(){}
+#ifdef __cplusplus
+}
+#endif
+int main(){nm_test_var='a';nm_test_func();return(0);}
+EOF
+
+ if AC_TRY_EVAL(ac_compile); then
+ # Now try to grab the symbols.
+ nlist=conftest.nm
+ if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \> $nlist) && test -s "$nlist"; then
+ # Try sorting and uniquifying the output.
+ if sort "$nlist" | uniq > "$nlist"T; then
+ mv -f "$nlist"T "$nlist"
+ else
+ rm -f "$nlist"T
+ fi
+
+ # Make sure that we snagged all the symbols we need.
+ if grep ' nm_test_var$' "$nlist" >/dev/null; then
+ if grep ' nm_test_func$' "$nlist" >/dev/null; then
+ cat <<EOF > conftest.$ac_ext
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+EOF
+ # Now generate the symbol file.
+ eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | grep -v main >> conftest.$ac_ext'
+
+ cat <<EOF >> conftest.$ac_ext
+#if defined (__STDC__) && __STDC__
+# define lt_ptr_t void *
+#else
+# define lt_ptr_t char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr_t address;
+}
+lt_preloaded_symbols[[]] =
+{
+EOF
+ $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (lt_ptr_t) \&\2},/" < "$nlist" | grep -v main >> conftest.$ac_ext
+ cat <<\EOF >> conftest.$ac_ext
+ {0, (lt_ptr_t) 0}
+};
+
+#ifdef __cplusplus
+}
+#endif
+EOF
+ # Now try linking the two files.
+ mv conftest.$ac_objext conftstm.$ac_objext
+ lt_save_LIBS="$LIBS"
+ lt_save_CFLAGS="$CFLAGS"
+ LIBS="conftstm.$ac_objext"
+ CFLAGS="$CFLAGS$_LT_AC_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)"
+ if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then
+ pipe_works=yes
+ fi
+ LIBS="$lt_save_LIBS"
+ CFLAGS="$lt_save_CFLAGS"
+ else
+ echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD
+ fi
+ else
+ echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
+ cat conftest.$ac_ext >&5
+ fi
+ rm -f conftest* conftst*
+
+ # Do not use the global_symbol_pipe unless it works.
+ if test "$pipe_works" = yes; then
+ break
+ else
+ lt_cv_sys_global_symbol_pipe=
+ fi
+done
+])
+if test -z "$lt_cv_sys_global_symbol_pipe"; then
+ lt_cv_sys_global_symbol_to_cdecl=
+fi
+if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then
+ AC_MSG_RESULT(failed)
+else
+ AC_MSG_RESULT(ok)
+fi
+]) # AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
+
+
+# AC_LIBTOOL_PROG_COMPILER_PIC([TAGNAME])
+# ---------------------------------------
+AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC],
+[_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=
+
+AC_MSG_CHECKING([for $compiler option to produce PIC])
+ ifelse([$1],[CXX],[
+ # C++ specific cases for pic, static, wl, etc.
+ if test "$GXX" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+ mingw* | os2* | pw32*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+ *djgpp*)
+ # DJGPP does not support shared libraries at all
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ case $host_os in
+ aix4* | aix5*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+ chorus*)
+ case $cc_basename in
+ cxch68)
+ # Green Hills C++ Compiler
+ # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
+ ;;
+ esac
+ ;;
+ dgux*)
+ case $cc_basename in
+ ec++)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ ghcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ freebsd* | kfreebsd*-gnu)
+ # FreeBSD uses GNU C++
+ ;;
+ hpux9* | hpux10* | hpux11*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ fi
+ ;;
+ aCC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ irix5* | irix6* | nonstopux*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ # CC pic flag -KPIC is the default.
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ linux*)
+ case $cc_basename in
+ KCC)
+ # KAI C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ icpc)
+ # Intel C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ cxx)
+ # Compaq C++
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ lynxos*)
+ ;;
+ m88k*)
+ ;;
+ mvs*)
+ case $cc_basename in
+ cxx)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ netbsd*)
+ ;;
+ osf3* | osf4* | osf5*)
+ case $cc_basename in
+ KCC)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
+ ;;
+ RCC)
+ # Rational C++ 2.4.1
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ cxx)
+ # Digital/Compaq C++
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # Make sure the PIC flag is empty. It appears that all Alpha
+ # Linux and Compaq Tru64 Unix objects are PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ psos*)
+ ;;
+ sco*)
+ case $cc_basename in
+ CC)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ solaris*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.2, 5.x and Centerline C++
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ ;;
+ gcx)
+ # Green Hills C++ Compiler
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ sunos4*)
+ case $cc_basename in
+ CC)
+ # Sun C++ 4.x
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+ lcc)
+ # Lucid
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ tandem*)
+ case $cc_basename in
+ NCC)
+ # NonStop-UX NCC 3.20
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ ;;
+ *)
+ ;;
+ esac
+ ;;
+ unixware*)
+ ;;
+ vxworks*)
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+],
+[
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+
+ case $host_os in
+ aix*)
+ # All AIX code is PIC.
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ amigaos*)
+ # FIXME: we need at least 68020 code to build shared libraries, but
+ # adding the `-m68020' flag to GCC prevents building anything better,
+ # like `-m68040'.
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
+ ;;
+
+ beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+ # PIC is the default for these OSes.
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ darwin* | rhapsody*)
+ # PIC is the default on this platform
+ # Common symbols not allowed in MH_DYLIB files
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
+ ;;
+
+ msdosdjgpp*)
+ # Just because we use GCC doesn't mean we suddenly get shared libraries
+ # on systems that don't support them.
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ enable_shared=no
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
+ fi
+ ;;
+
+ hpux*)
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
+ ;;
+ esac
+ else
+ # PORTME Check for flag to pass linker flags through the system compiler.
+ case $host_os in
+ aix*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ if test "$host_cpu" = ia64; then
+ # AIX 5 now supports IA64 processor
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ else
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp'
+ fi
+ ;;
+
+ mingw* | pw32* | os2*)
+ # This hack is so that the source file can tell whether it is being
+ # built for inclusion in a dll (and should export symbols for example).
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+ ;;
+
+ hpux9* | hpux10* | hpux11*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
+ # not for PA HP-UX.
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ # +Z the default
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
+ ;;
+ esac
+ # Is there a better lt_prog_compiler_static that works with the bundled CC?
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # PIC (with -KPIC) is the default.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ linux*)
+ case $CC in
+ icc* | ecc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
+ ;;
+ ccc*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All Alpha code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+ esac
+ ;;
+
+ osf3* | osf4* | osf5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ # All OSF/1 code is PIC.
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
+ ;;
+
+ sco3.2v5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+ _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec ;then
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ fi
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
+ _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
+
+#
+# Check to make sure the PIC flag actually works.
+#
+if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
+ AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
+ _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
+ [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
+ [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
+ "" | " "*) ;;
+ *) _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)" ;;
+ esac],
+ [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
+fi
+case "$host_os" in
+ # For platforms which do not support PIC, -DPIC is meaningless:
+ *djgpp*)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
+ ;;
+ *)
+ _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
+ ;;
+esac
+])
+
+
+# AC_LIBTOOL_PROG_LD_SHLIBS([TAGNAME])
+# ------------------------------------
+# See if the linker supports building shared libraries.
+AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
+[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+ifelse([$1],[CXX],[
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ case $host_os in
+ aix4* | aix5*)
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ ;;
+ pw32*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
+ ;;
+ cygwin* | mingw*)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ *)
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ ;;
+ esac
+],[
+ runpath_var=
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=no
+ _LT_AC_TAGVAR(archive_cmds, $1)=
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)=
+ _LT_AC_TAGVAR(old_archive_from_expsyms_cmds, $1)=
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ _LT_AC_TAGVAR(thread_safe_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=unknown
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=no
+ _LT_AC_TAGVAR(module_cmds, $1)=
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)=
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
+ # include_expsyms should be a list of space-separated symbols to be *always*
+ # included in the symbol list
+ _LT_AC_TAGVAR(include_expsyms, $1)=
+ # exclude_expsyms can be an extended regexp of symbols to exclude
+ # it will be wrapped by ` (' and `)$', so one must not match beginning or
+ # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
+ # as well as any symbol that contains `d'.
+ _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
+ # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
+ # platforms (ab)use it in PIC code, but their linkers get confused if
+ # the symbol is explicitly referenced. Since portable code cannot
+ # rely on this symbol name, it's probably fine to never include it in
+ # preloaded symbol tables.
+ extract_expsyms_cmds=
+
+ case $host_os in
+ cygwin* | mingw* | pw32*)
+ # FIXME: the MSVC++ port hasn't been tested in a loooong time
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ if test "$GCC" != yes; then
+ with_gnu_ld=no
+ fi
+ ;;
+ openbsd*)
+ with_gnu_ld=no
+ ;;
+ esac
+
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ if test "$with_gnu_ld" = yes; then
+ # If archive_cmds runs LD, not CC, wlarc should be empty
+ wlarc='${wl}'
+
+ # See if GNU ld supports shared libraries.
+ case $host_os in
+ aix3* | aix4* | aix5*)
+ # On AIX/PPC, the GNU linker is very broken
+ if test "$host_cpu" != ia64; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: the GNU linker, at least up to release 2.9.1, is reported
+*** to be unable to reliably create shared libraries on AIX.
+*** Therefore, libtool is disabling shared libraries support. If you
+*** really care for shared libraries, you may want to modify your PATH
+*** so that a non-GNU linker is found, and then restart.
+
+EOF
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+
+ # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
+ # that the semantics of dynamic libraries on AmigaOS, at least up
+ # to version 4, is to share data among multiple programs linked
+ # with the same dynamic library. Since this doesn't match the
+ # behavior of shared libraries on other platforms, we can't use
+ # them.
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ beos*)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+ # support --undefined. This deserves some investigation. FIXME
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
+ # as there is no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=no
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+
+ if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ # If the export-symbols file already is a .def file (1st line
+ # is EXPORTS), use it as is; otherwise, prepend...
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
+ cp $export_symbols $output_objdir/$soname.def;
+ else
+ echo EXPORTS > $output_objdir/$soname.def;
+ cat $export_symbols >> $output_objdir/$soname.def;
+ fi~
+ $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+ else
+ ld_shlibs=no
+ fi
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib'
+ wlarc=
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ fi
+ ;;
+
+ solaris* | sysv5*)
+ if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ cat <<EOF 1>&2
+
+*** Warning: The releases 2.8.* of the GNU linker cannot reliably
+*** create shared libraries on Solaris systems. Therefore, libtool
+*** is disabling shared libraries support. We urge you to upgrade GNU
+*** binutils to release 2.9.1 or newer. Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+EOF
+ elif $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ sunos4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ wlarc=
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ linux*)
+ if $LD --help 2>&1 | egrep ': supported targets:.* elf' > /dev/null; then
+ tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
+ supports_anon_versioning=no
+ case `$LD -v 2>/dev/null` in
+ *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+ *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+ *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+ *\ 2.11.*) ;; # other 2.11 versions
+ *) supports_anon_versioning=yes ;;
+ esac
+ if test $supports_anon_versioning = yes; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+$echo "local: *; };" >> $output_objdir/$libname.ver~
+ $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
+ fi
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ *)
+ if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+ esac
+
+ if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
+ runpath_var=LD_RUN_PATH
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+ # ancient GNU ld didn't support --whole-archive et. al.
+ if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+ else
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+ fi
+ fi
+ else
+ # PORTME fill in a description of your system's linker (not GNU ld)
+ case $host_os in
+ aix3*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname'
+ # Note: this linker hardcodes the directories in LIBPATH if there
+ # are no directories specified by -L.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ if test "$GCC" = yes && test -z "$link_static_flag"; then
+ # Neither direct hardcoding nor static linking is supported with a
+ # broken collect2.
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ fi
+ ;;
+
+ aix4* | aix5*)
+ if test "$host_cpu" = ia64; then
+ # On IA64, the linker does run time linking by default, so we don't
+ # have to do anything special.
+ aix_use_runtimelinking=no
+ exp_sym_flag='-Bexport'
+ no_entry_flag=""
+ else
+ # If we're using GNU nm, then we don't want the "-C" option.
+ # -C means demangle to AIX nm, but means don't demangle with GNU nm
+ if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ else
+ _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\[$]2 == "T") || (\[$]2 == "D") || (\[$]2 == "B")) && ([substr](\[$]3,1,1) != ".")) { print \[$]3 } }'\'' | sort -u > $export_symbols'
+ fi
+ aix_use_runtimelinking=no
+
+ # Test if we are trying to use run time linking or normal
+ # AIX style linking. If -brtl is somewhere in LDFLAGS, we
+ # need to do runtime linking.
+ case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+ for ld_flag in $LDFLAGS; do
+ if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
+ aix_use_runtimelinking=yes
+ break
+ fi
+ done
+ esac
+
+ exp_sym_flag='-bexport'
+ no_entry_flag='-bnoentry'
+ fi
+
+ # When large executables or shared objects are built, AIX ld can
+ # have problems creating the table of contents. If linking a library
+ # or program results in "error TOC overflow" add -mminimal-toc to
+ # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not
+ # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS.
+
+ _LT_AC_TAGVAR(archive_cmds, $1)=''
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+
+ if test "$GCC" = yes; then
+ case $host_os in aix4.[012]|aix4.[012].*)
+ # We only want to do this on AIX 4.2 and lower, the check
+ # below for broken collect2 doesn't work under 4.3+
+ collect2name=`${CC} -print-prog-name=collect2`
+ if test -f "$collect2name" && \
+ strings "$collect2name" | grep resolve_lib_name >/dev/null
+ then
+ # We have reworked collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ else
+ # We have old collect2
+ _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
+ # It fails to find uninstalled libraries when the uninstalled
+ # path is not listed in the libpath. Setting hardcode_minus_L
+ # to unsupported forces relinking
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
+ fi
+ esac
+ shared_flag='-shared'
+ else
+ # not using gcc
+ if test "$host_cpu" = ia64; then
+ # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release
+ # chokes on -Wl,-G. The following line is correct:
+ shared_flag='-G'
+ else
+ if test "$aix_use_runtimelinking" = yes; then
+ shared_flag='${wl}-G'
+ else
+ shared_flag='${wl}-bM:SRE'
+ fi
+ fi
+ fi
+
+ # It seems that -bexpall does not export symbols beginning with
+ # underscore (_), so it is better to generate a list of symbols to export.
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ if test "$aix_use_runtimelinking" = yes; then
+ # Warning - without using the other runtime loading flags (-brtl),
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-berok'
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+ else
+ if test "$host_cpu" = ia64; then
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+ else
+ # Determine the default libpath from the value encoded in an empty executable.
+ _LT_AC_SYS_LIBPATH_AIX
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
+ # Warning - without using the other run time loading flags,
+ # -berok will link without error, but may produce a broken library.
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
+ # -bexpall does not export symbols beginning with underscore (_)
+ _LT_AC_TAGVAR(always_export_symbols, $1)=yes
+ # Exported symbols can be pulled into shared objects from archives
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ # This is similar to how AIX traditionally builds it's shared libraries.
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+ fi
+ fi
+ ;;
+
+ amigaos*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/a2ixlibrary.data~$echo "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$echo "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$echo "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$echo "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ # see comment about different semantics on the GNU ld section
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ bsdi4*)
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic
+ ;;
+
+ cygwin* | mingw* | pw32*)
+ # When not using gcc, we currently assume that we are using
+ # Microsoft Visual C++.
+ # hardcode_libdir_flag_spec is actually meaningless, as there is
+ # no search path for DLLs.
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=' '
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ # Tell ltmain to make .lib files, not .a files.
+ libext=lib
+ # Tell ltmain to make .dll files, not .so files.
+ shrext=".dll"
+ # FIXME: Setting linknames here is a bad hack.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `echo "$deplibs" | $SED -e '\''s/ -lc$//'\''` -link -dll~linknames='
+ # The linker will automatically build a .lib file if we build a DLL.
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
+ # FIXME: Should let the user specify the lib program.
+ _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
+ fix_srcfile_path='`cygpath -w "$srcfile"`'
+ _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
+ ;;
+
+ darwin* | rhapsody*)
+ if test "$GXX" = yes ; then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ case "$host_os" in
+ rhapsody* | darwin1.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined suppress'
+ ;;
+ *) # Darwin 1.3 on
+ if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ else
+ case ${MACOSX_DEPLOYMENT_TARGET} in
+ 10.[[012]])
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-flat_namespace -undefined suppress'
+ ;;
+ 10.*)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)='-undefined dynamic_lookup'
+ ;;
+ esac
+ fi
+ ;;
+ esac
+ lt_int_apple_cc_single_mod=no
+ output_verbose_link_cmd='echo'
+ if $CC -dumpspecs 2>&1 | grep 'single_module' >/dev/null ; then
+ lt_int_apple_cc_single_mod=yes
+ fi
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
+ fi
+ _LT_AC_TAGVAR(module_cmds, $1)='$CC ${wl}-bind_at_load $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
+ # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
+ if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ else
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r ${wl}-bind_at_load -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ fi
+ _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[ ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-all_load $convenience'
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ else
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ fi
+ ;;
+
+ dgux*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ freebsd1*)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+
+ # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor
+ # support. Future versions do this automatically, but an explicit c++rt0.o
+ # does not break anything, and helps significantly (at the cost of a little
+ # extra space).
+ freebsd2.2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # Unfortunately, older versions of FreeBSD 2 do not have this feature.
+ freebsd2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
+ freebsd* | kfreebsd*-gnu)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ hpux9*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -shared -fPIC ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ ;;
+
+ hpux10* | hpux11*)
+ if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+ ;;
+ esac
+ else
+ case "$host_cpu" in
+ hppa*64*|ia64*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+ ;;
+ esac
+ fi
+ if test "$with_gnu_ld" = no; then
+ case "$host_cpu" in
+ hppa*64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+ ia64*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ ;;
+ *)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+ # hardcode_minus_L: Not really in the search PATH,
+ # but as the default location of the library.
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ ;;
+ esac
+ fi
+ ;;
+
+ irix5* | irix6* | nonstopux*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ netbsd*)
+ if echo __ELF__ | $CC -E - | grep __ELF__ >/dev/null; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ newsos6)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ openbsd*)
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+ else
+ case $host_os in
+ openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ ;;
+ *)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+ ;;
+ esac
+ fi
+ ;;
+
+ os2*)
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+ _LT_AC_TAGVAR(archive_cmds, $1)='$echo "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$echo "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~$echo DATA >> $output_objdir/$libname.def~$echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~$echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def'
+ _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def'
+ ;;
+
+ osf3*)
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ osf4* | osf5*) # as osf3* with the addition of -msym flag
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
+ else
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
+ $LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+
+ # Both c and cxx compiler support -rpath directly
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+ ;;
+
+ sco3.2v5*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ ;;
+
+ solaris*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ case $host_os in
+ solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+ *) # Supported since Solaris 2.6 (maybe 2.5.1?)
+ _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+ esac
+ _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+ ;;
+
+ sunos4*)
+ if test "x$host_vendor" = xsequent; then
+ # Use $CC to link under sequent, because it throws in some extra .o
+ # files that make .init and .fini sections work.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags'
+ fi
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4)
+ case $host_vendor in
+ sni)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes # is this really true???
+ ;;
+ siemens)
+ ## LD is ld it makes a PLAMLIB
+ ## CC just makes a GrossModule.
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no
+ ;;
+ motorola)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie
+ ;;
+ esac
+ runpath_var='LD_RUN_PATH'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv4.3*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport'
+ ;;
+
+ sysv4*MP*)
+ if test -d /usr/nec; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var=LD_RUN_PATH
+ hardcode_runpath_var=yes
+ _LT_AC_TAGVAR(ld_shlibs, $1)=yes
+ fi
+ ;;
+
+ sysv4.2uw2*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+ _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ hardcode_runpath_var=yes
+ runpath_var=LD_RUN_PATH
+ ;;
+
+ sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
+ if test "$GCC" = yes; then
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ else
+ _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+ fi
+ runpath_var='LD_RUN_PATH'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ sysv5*)
+ _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
+ # $CC -shared without GNU ld will not create a library from C++
+ # object files and a static libstdc++, better avoid it by now
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
+ $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ runpath_var='LD_RUN_PATH'
+ ;;
+
+ uts4*)
+ _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
+ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
+ _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+ ;;
+
+ *)
+ _LT_AC_TAGVAR(ld_shlibs, $1)=no
+ ;;
+ esac
+ fi
+])
+AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
+test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+ variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
+
+#
+# Do we need to explicitly link libc?
+#
+case "x$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)" in
+x|xyes)
+ # Assume -lc should be added
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+
+ if test "$enable_shared" = yes && test "$GCC" = yes; then
+ case $_LT_AC_TAGVAR(archive_cmds, $1) in
+ *'~'*)
+ # FIXME: we may have to deal with multi-command sequences.
+ ;;
+ '$CC '*)
+ # Test whether the compiler implicitly links with -lc since on some
+ # systems, -lgcc has to come before -lc. If gcc already passes -lc
+ # to ld, don't add -lc before -lgcc.
+ AC_MSG_CHECKING([whether -lc should be explicitly linked in])
+ $rm conftest*
+ printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+
+ if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
+ soname=conftest
+ lib=conftest
+ libobjs=conftest.$ac_objext
+ deplibs=
+ wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+ compiler_flags=-v
+ linker_flags=-v
+ verstring=
+ output_objdir=.
+ libname=conftest
+ lt_save_allow_undefined_flag=$_LT_AC_TAGVAR(allow_undefined_flag, $1)
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=
+ if AC_TRY_EVAL(_LT_AC_TAGVAR(archive_cmds, $1) 2\>\&1 \| grep \" -lc \" \>/dev/null 2\>\&1)
+ then
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+ else
+ _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
+ fi
+ _LT_AC_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag
+ else
+ cat conftest.err 1>&5
+ fi
+ $rm conftest*
+ AC_MSG_RESULT([$_LT_AC_TAGVAR(archive_cmds_need_lc, $1)])
+ ;;
+ esac
+ fi
+ ;;
+esac
+])# AC_LIBTOOL_PROG_LD_SHLIBS
+
+
+# _LT_AC_FILE_LTDLL_C
+# -------------------
+# Be careful that the start marker always follows a newline.
+AC_DEFUN([_LT_AC_FILE_LTDLL_C], [
+# /* ltdll.c starts here */
+# #define WIN32_LEAN_AND_MEAN
+# #include <windows.h>
+# #undef WIN32_LEAN_AND_MEAN
+# #include <stdio.h>
+#
+# #ifndef __CYGWIN__
+# # ifdef __CYGWIN32__
+# # define __CYGWIN__ __CYGWIN32__
+# # endif
+# #endif
+#
+# #ifdef __cplusplus
+# extern "C" {
+# #endif
+# BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved);
+# #ifdef __cplusplus
+# }
+# #endif
+#
+# #ifdef __CYGWIN__
+# #include <cygwin/cygwin_dll.h>
+# DECLARE_CYGWIN_DLL( DllMain );
+# #endif
+# HINSTANCE __hDllInstance_base;
+#
+# BOOL APIENTRY
+# DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved)
+# {
+# __hDllInstance_base = hInst;
+# return TRUE;
+# }
+# /* ltdll.c ends here */
+])# _LT_AC_FILE_LTDLL_C
+
+
+# _LT_AC_TAGVAR(VARNAME, [TAGNAME])
+# ---------------------------------
+AC_DEFUN([_LT_AC_TAGVAR], [ifelse([$2], [], [$1], [$1_$2])])
+
+
+# old names
+AC_DEFUN([AM_PROG_LIBTOOL], [AC_PROG_LIBTOOL])
+AC_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)])
+AC_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)])
+AC_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)])
+AC_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)])
+AC_DEFUN([AM_PROG_LD], [AC_PROG_LD])
+AC_DEFUN([AM_PROG_NM], [AC_PROG_NM])
+
+# This is just to silence aclocal about the macro not being used
+ifelse([AC_DISABLE_FAST_INSTALL])
+
+AC_DEFUN([LT_AC_PROG_GCJ],
+[AC_CHECK_TOOL(GCJ, gcj, no)
+ test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2"
+ AC_SUBST(GCJFLAGS)
+])
+
+AC_DEFUN([LT_AC_PROG_RC],
+[AC_CHECK_TOOL(RC, windres, no)
+])
+
+############################################################
+# NOTE: This macro has been submitted for inclusion into #
+# GNU Autoconf as AC_PROG_SED. When it is available in #
+# a released version of Autoconf we should remove this #
+# macro and use it instead. #
+############################################################
+# LT_AC_PROG_SED
+# --------------
+# Check for a fully-functional sed program, that truncates
+# as few characters as possible. Prefer GNU sed if found.
+AC_DEFUN([LT_AC_PROG_SED],
+[AC_MSG_CHECKING([for a sed that does not truncate output])
+AC_CACHE_VAL(lt_cv_path_SED,
+[# Loop through the user's path and test for sed and gsed.
+# Then use that list of sed's as ones to test for truncation.
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for lt_ac_prog in sed gsed; do
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+ lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
+ fi
+ done
+ done
+done
+lt_ac_max=0
+lt_ac_count=0
+# Add /usr/xpg4/bin/sed as it is typically found on Solaris
+# along with /bin/sed that truncates output.
+for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
+ test ! -f $lt_ac_sed && break
+ cat /dev/null > conftest.in
+ lt_ac_count=0
+ echo $ECHO_N "0123456789$ECHO_C" >conftest.in
+ # Check for GNU sed and select it if it is found.
+ if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then
+ lt_cv_path_SED=$lt_ac_sed
+ break
+ fi
+ while true; do
+ cat conftest.in conftest.in >conftest.tmp
+ mv conftest.tmp conftest.in
+ cp conftest.in conftest.nl
+ echo >>conftest.nl
+ $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break
+ cmp -s conftest.out conftest.nl || break
+ # 10000 chars as input seems more than enough
+ test $lt_ac_count -gt 10 && break
+ lt_ac_count=`expr $lt_ac_count + 1`
+ if test $lt_ac_count -gt $lt_ac_max; then
+ lt_ac_max=$lt_ac_count
+ lt_cv_path_SED=$lt_ac_sed
+ fi
+ done
+done
+SED=$lt_cv_path_SED
+])
+AC_MSG_RESULT([$SED])
+])
diff --git a/contrib/bind9/ltmain.sh b/contrib/bind9/ltmain.sh
new file mode 100644
index 0000000..47fa4f1
--- /dev/null
+++ b/contrib/bind9/ltmain.sh
@@ -0,0 +1,6399 @@
+# ltmain.sh - Provide generalized library-building support services.
+# NOTE: Changing this file will not affect anything until you rerun configure.
+#
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003
+# Free Software Foundation, Inc.
+# Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# Check that we have a working $echo.
+if test "X$1" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+elif test "X$1" = X--fallback-echo; then
+ # Avoid inline document here, it may be left over
+ :
+elif test "X`($echo '\t') 2>/dev/null`" = 'X\t'; then
+ # Yippee, $echo works!
+ :
+else
+ # Restart under the correct shell, and then maybe $echo will work.
+ exec $SHELL "$0" --no-reexec ${1+"$@"}
+fi
+
+if test "X$1" = X--fallback-echo; then
+ # used as fallback echo
+ shift
+ cat <<EOF
+$*
+EOF
+ exit 0
+fi
+
+# The name of this program.
+progname=`$echo "$0" | ${SED} 's%^.*/%%'`
+modename="$progname"
+
+# Constants.
+PROGRAM=ltmain.sh
+PACKAGE=libtool
+VERSION=1.5.2
+TIMESTAMP=" (1.1220.2.60 2004/01/25 12:25:08)"
+
+default_mode=
+help="Try \`$progname --help' for more information."
+magic="%%%MAGIC variable%%%"
+mkdir="mkdir"
+mv="mv -f"
+rm="rm -f"
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed="${SED}"' -e 1s/^X//'
+sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
+# test EBCDIC or ASCII
+case `echo A|tr A '\301'` in
+ A) # EBCDIC based system
+ SP2NL="tr '\100' '\n'"
+ NL2SP="tr '\r\n' '\100\100'"
+ ;;
+ *) # Assume ASCII based system
+ SP2NL="tr '\040' '\012'"
+ NL2SP="tr '\015\012' '\040\040'"
+ ;;
+esac
+
+# NLS nuisances.
+# Only set LANG and LC_ALL to C if already set.
+# These must not be set unconditionally because not all systems understand
+# e.g. LANG=C (notably SCO).
+# We save the old values to restore during execute mode.
+if test "${LC_ALL+set}" = set; then
+ save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
+fi
+if test "${LANG+set}" = set; then
+ save_LANG="$LANG"; LANG=C; export LANG
+fi
+
+# Make sure IFS has a sensible default
+: ${IFS="
+"}
+
+if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+ $echo "$modename: not configured to build any kind of library" 1>&2
+ $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit 1
+fi
+
+# Global variables.
+mode=$default_mode
+nonopt=
+prev=
+prevopt=
+run=
+show="$echo"
+show_help=
+execute_dlfiles=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+
+#####################################
+# Shell function definitions:
+# This seems to be the best place for them
+
+# Need a lot of goo to handle *both* DLLs and import libs
+# Has to be a shell function in order to 'eat' the argument
+# that is supplied when $file_magic_command is called.
+win32_libid () {
+ win32_libid_type="unknown"
+ win32_fileres=`file -L $1 2>/dev/null`
+ case $win32_fileres in
+ *ar\ archive\ import\ library*) # definitely import
+ win32_libid_type="x86 archive import"
+ ;;
+ *ar\ archive*) # could be an import, or static
+ if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
+ grep -E 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
+ win32_nmres=`eval $NM -f posix -A $1 | \
+ sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'`
+ if test "X$win32_nmres" = "Ximport" ; then
+ win32_libid_type="x86 archive import"
+ else
+ win32_libid_type="x86 archive static"
+ fi
+ fi
+ ;;
+ *DLL*)
+ win32_libid_type="x86 DLL"
+ ;;
+ *executable*) # but shell scripts are "executable" too...
+ case $win32_fileres in
+ *MS\ Windows\ PE\ Intel*)
+ win32_libid_type="x86 DLL"
+ ;;
+ esac
+ ;;
+ esac
+ $echo $win32_libid_type
+}
+
+# End of Shell function definitions
+#####################################
+
+# Parse our command line options once, thoroughly.
+while test "$#" -gt 0
+do
+ arg="$1"
+ shift
+
+ case $arg in
+ -*=*) optarg=`$echo "X$arg" | $Xsed -e 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ execute_dlfiles)
+ execute_dlfiles="$execute_dlfiles $arg"
+ ;;
+ tag)
+ tagname="$arg"
+ preserve_args="${preserve_args}=$arg"
+
+ # Check whether tagname contains only valid characters
+ case $tagname in
+ *[!-_A-Za-z0-9,/]*)
+ $echo "$progname: invalid tag name: $tagname" 1>&2
+ exit 1
+ ;;
+ esac
+
+ case $tagname in
+ CC)
+ # Don't test for the "default" C tag, as we know, it's there, but
+ # not specially marked.
+ ;;
+ *)
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$" < "$0" > /dev/null; then
+ taglist="$taglist $tagname"
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$tagname'$/,/^# ### END LIBTOOL TAG CONFIG: '$tagname'$/p' < $0`"
+ else
+ $echo "$progname: ignoring unknown tag $tagname" 1>&2
+ fi
+ ;;
+ esac
+ ;;
+ *)
+ eval "$prev=\$arg"
+ ;;
+ esac
+
+ prev=
+ prevopt=
+ continue
+ fi
+
+ # Have we seen a non-optional argument yet?
+ case $arg in
+ --help)
+ show_help=yes
+ ;;
+
+ --version)
+ $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
+ $echo
+ $echo "Copyright (C) 2003 Free Software Foundation, Inc."
+ $echo "This is free software; see the source for copying conditions. There is NO"
+ $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+ exit 0
+ ;;
+
+ --config)
+ ${SED} -e '1,/^# ### BEGIN LIBTOOL CONFIG/d' -e '/^# ### END LIBTOOL CONFIG/,$d' $0
+ # Now print the configurations for the tags.
+ for tagname in $taglist; do
+ ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$0"
+ done
+ exit 0
+ ;;
+
+ --debug)
+ $echo "$progname: enabling shell trace mode"
+ set -x
+ preserve_args="$preserve_args $arg"
+ ;;
+
+ --dry-run | -n)
+ run=:
+ ;;
+
+ --features)
+ $echo "host: $host"
+ if test "$build_libtool_libs" = yes; then
+ $echo "enable shared libraries"
+ else
+ $echo "disable shared libraries"
+ fi
+ if test "$build_old_libs" = yes; then
+ $echo "enable static libraries"
+ else
+ $echo "disable static libraries"
+ fi
+ exit 0
+ ;;
+
+ --finish) mode="finish" ;;
+
+ --mode) prevopt="--mode" prev=mode ;;
+ --mode=*) mode="$optarg" ;;
+
+ --preserve-dup-deps) duplicate_deps="yes" ;;
+
+ --quiet | --silent)
+ show=:
+ preserve_args="$preserve_args $arg"
+ ;;
+
+ --tag) prevopt="--tag" prev=tag ;;
+ --tag=*)
+ set tag "$optarg" ${1+"$@"}
+ shift
+ prev=tag
+ preserve_args="$preserve_args --tag"
+ ;;
+
+ -dlopen)
+ prevopt="-dlopen"
+ prev=execute_dlfiles
+ ;;
+
+ -*)
+ $echo "$modename: unrecognized option \`$arg'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+
+ *)
+ nonopt="$arg"
+ break
+ ;;
+ esac
+done
+
+if test -n "$prevopt"; then
+ $echo "$modename: option \`$prevopt' requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+fi
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end. This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+if test -z "$show_help"; then
+
+ # Infer the operation mode.
+ if test -z "$mode"; then
+ $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
+ $echo "*** Future versions of Libtool will require -mode=MODE be specified." 1>&2
+ case $nonopt in
+ *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
+ mode=link
+ for arg
+ do
+ case $arg in
+ -c)
+ mode=compile
+ break
+ ;;
+ esac
+ done
+ ;;
+ *db | *dbx | *strace | *truss)
+ mode=execute
+ ;;
+ *install*|cp|mv)
+ mode=install
+ ;;
+ *rm)
+ mode=uninstall
+ ;;
+ *)
+ # If we have no mode, but dlfiles were specified, then do execute mode.
+ test -n "$execute_dlfiles" && mode=execute
+
+ # Just use the default operation mode.
+ if test -z "$mode"; then
+ if test -n "$nonopt"; then
+ $echo "$modename: warning: cannot infer operation mode from \`$nonopt'" 1>&2
+ else
+ $echo "$modename: warning: cannot infer operation mode without MODE-ARGS" 1>&2
+ fi
+ fi
+ ;;
+ esac
+ fi
+
+ # Only execute mode is allowed to have -dlopen flags.
+ if test -n "$execute_dlfiles" && test "$mode" != execute; then
+ $echo "$modename: unrecognized option \`-dlopen'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Change the help message to a mode-specific one.
+ generic_help="$help"
+ help="Try \`$modename --help --mode=$mode' for more information."
+
+ # These modes are in order of execution frequency so that they run quickly.
+ case $mode in
+ # libtool compile mode
+ compile)
+ modename="$modename: compile"
+ # Get the compilation command and the source file.
+ base_compile=
+ srcfile="$nonopt" # always keep a non-empty value in "srcfile"
+ suppress_opt=yes
+ suppress_output=
+ arg_mode=normal
+ libobj=
+ later=
+
+ for arg
+ do
+ case "$arg_mode" in
+ arg )
+ # do not "continue". Instead, add this to base_compile
+ lastarg="$arg"
+ arg_mode=normal
+ ;;
+
+ target )
+ libobj="$arg"
+ arg_mode=normal
+ continue
+ ;;
+
+ normal )
+ # Accept any command-line options.
+ case $arg in
+ -o)
+ if test -n "$libobj" ; then
+ $echo "$modename: you cannot specify \`-o' more than once" 1>&2
+ exit 1
+ fi
+ arg_mode=target
+ continue
+ ;;
+
+ -static | -prefer-pic | -prefer-non-pic)
+ later="$later $arg"
+ continue
+ ;;
+
+ -no-suppress)
+ suppress_opt=no
+ continue
+ ;;
+
+ -Xcompiler)
+ arg_mode=arg # the next one goes into the "base_compile" arg list
+ continue # The current "srcfile" will either be retained or
+ ;; # replaced later. I would guess that would be a bug.
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "s/^-Wc,//"`
+ lastarg=
+ save_ifs="$IFS"; IFS=','
+ for arg in $args; do
+ IFS="$save_ifs"
+
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ lastarg="$lastarg $arg"
+ done
+ IFS="$save_ifs"
+ lastarg=`$echo "X$lastarg" | $Xsed -e "s/^ //"`
+
+ # Add the arguments to base_compile.
+ base_compile="$base_compile $lastarg"
+ continue
+ ;;
+
+ * )
+ # Accept the current argument as the source file.
+ # The previous "srcfile" becomes the current argument.
+ #
+ lastarg="$srcfile"
+ srcfile="$arg"
+ ;;
+ esac # case $arg
+ ;;
+ esac # case $arg_mode
+
+ # Aesthetically quote the previous argument.
+ lastarg=`$echo "X$lastarg" | $Xsed -e "$sed_quote_subst"`
+
+ case $lastarg in
+ # Double-quote args containing other shell metacharacters.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ lastarg="\"$lastarg\""
+ ;;
+ esac
+
+ base_compile="$base_compile $lastarg"
+ done # for arg
+
+ case $arg_mode in
+ arg)
+ $echo "$modename: you must specify an argument for -Xcompile"
+ exit 1
+ ;;
+ target)
+ $echo "$modename: you must specify a target with \`-o'" 1>&2
+ exit 1
+ ;;
+ *)
+ # Get the name of the library object.
+ [ -z "$libobj" ] && libobj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%'`
+ ;;
+ esac
+
+ # Recognize several different file suffixes.
+ # If the user specifies -o file.o, it is replaced with file.lo
+ xform='[cCFSifmso]'
+ case $libobj in
+ *.ada) xform=ada ;;
+ *.adb) xform=adb ;;
+ *.ads) xform=ads ;;
+ *.asm) xform=asm ;;
+ *.c++) xform=c++ ;;
+ *.cc) xform=cc ;;
+ *.ii) xform=ii ;;
+ *.class) xform=class ;;
+ *.cpp) xform=cpp ;;
+ *.cxx) xform=cxx ;;
+ *.f90) xform=f90 ;;
+ *.for) xform=for ;;
+ *.java) xform=java ;;
+ esac
+
+ libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
+
+ case $libobj in
+ *.lo) obj=`$echo "X$libobj" | $Xsed -e "$lo2o"` ;;
+ *)
+ $echo "$modename: cannot determine name of library object from \`$libobj'" 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Infer tagged configuration to use if any are available and
+ # if one wasn't chosen via the "--tag" command line option.
+ # Only attempt this if the compiler in the base compile
+ # command doesn't match the default compiler.
+ if test -n "$available_tags" && test -z "$tagname"; then
+ case $base_compile in
+ # Blanks in the command may have been stripped by the calling shell,
+ # but not from the CC environment variable when configure was run.
+ " $CC "* | "$CC "* | " `$echo $CC` "* | "`$echo $CC` "*) ;;
+ # Blanks at the start of $base_compile will cause this to fail
+ # if we don't check for them as well.
+ *)
+ for z in $available_tags; do
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
+ case "$base_compile " in
+ "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
+ # The compiler in the base compile command matches
+ # the one in the tagged configuration.
+ # Assume this is the tagged configuration we want.
+ tagname=$z
+ break
+ ;;
+ esac
+ fi
+ done
+ # If $tagname still isn't set, then no tagged configuration
+ # was found and let the user know that the "--tag" command
+ # line option must be used.
+ if test -z "$tagname"; then
+ $echo "$modename: unable to infer tagged configuration"
+ $echo "$modename: specify a tag with \`--tag'" 1>&2
+ exit 1
+# else
+# $echo "$modename: using $tagname tagged configuration"
+ fi
+ ;;
+ esac
+ fi
+
+ for arg in $later; do
+ case $arg in
+ -static)
+ build_old_libs=yes
+ continue
+ ;;
+
+ -prefer-pic)
+ pic_mode=yes
+ continue
+ ;;
+
+ -prefer-non-pic)
+ pic_mode=no
+ continue
+ ;;
+ esac
+ done
+
+ objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+ xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$obj"; then
+ xdir=
+ else
+ xdir=$xdir/
+ fi
+ lobj=${xdir}$objdir/$objname
+
+ if test -z "$base_compile"; then
+ $echo "$modename: you must specify a compilation command" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Delete any leftover library objects.
+ if test "$build_old_libs" = yes; then
+ removelist="$obj $lobj $libobj ${libobj}T"
+ else
+ removelist="$lobj $libobj ${libobj}T"
+ fi
+
+ $run $rm $removelist
+ trap "$run $rm $removelist; exit 1" 1 2 15
+
+ # On Cygwin there's no "real" PIC flag so we must build both object types
+ case $host_os in
+ cygwin* | mingw* | pw32* | os2*)
+ pic_mode=default
+ ;;
+ esac
+ if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
+ # non-PIC code in shared libraries is not supported
+ pic_mode=default
+ fi
+
+ # Calculate the filename of the output object if compiler does
+ # not support -o with -c
+ if test "$compiler_c_o" = no; then
+ output_obj=`$echo "X$srcfile" | $Xsed -e 's%^.*/%%' -e 's%\.[^.]*$%%'`.${objext}
+ lockfile="$output_obj.lock"
+ removelist="$removelist $output_obj $lockfile"
+ trap "$run $rm $removelist; exit 1" 1 2 15
+ else
+ output_obj=
+ need_locks=no
+ lockfile=
+ fi
+
+ # Lock this critical section if it is needed
+ # We use this script file to make the link, it avoids creating a new file
+ if test "$need_locks" = yes; then
+ until $run ln "$0" "$lockfile" 2>/dev/null; do
+ $show "Waiting for $lockfile to be removed"
+ sleep 2
+ done
+ elif test "$need_locks" = warn; then
+ if test -f "$lockfile"; then
+ $echo "\
+*** ERROR, $lockfile exists and contains:
+`cat $lockfile 2>/dev/null`
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+ $echo $srcfile > "$lockfile"
+ fi
+
+ if test -n "$fix_srcfile_path"; then
+ eval srcfile=\"$fix_srcfile_path\"
+ fi
+
+ $run $rm "$libobj" "${libobj}T"
+
+ # Create a libtool object file (analogous to a ".la" file),
+ # but don't create it if we're doing a dry run.
+ test -z "$run" && cat > ${libobj}T <<EOF
+# $libobj - a libtool object file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# Name of the PIC object.
+EOF
+
+ # Only build a PIC object if we are building libtool libraries.
+ if test "$build_libtool_libs" = yes; then
+ # Without this assignment, base_compile gets emptied.
+ fbsd_hideous_sh_bug=$base_compile
+
+ if test "$pic_mode" != no; then
+ command="$base_compile $srcfile $pic_flag"
+ else
+ # Don't build PIC code
+ command="$base_compile $srcfile"
+ fi
+
+ if test ! -d "${xdir}$objdir"; then
+ $show "$mkdir ${xdir}$objdir"
+ $run $mkdir ${xdir}$objdir
+ status=$?
+ if test "$status" -ne 0 && test ! -d "${xdir}$objdir"; then
+ exit $status
+ fi
+ fi
+
+ if test -z "$output_obj"; then
+ # Place PIC objects in $objdir
+ command="$command -o $lobj"
+ fi
+
+ $run $rm "$lobj" "$output_obj"
+
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ test -n "$output_obj" && $run $rm $removelist
+ exit 1
+ fi
+
+ if test "$need_locks" = warn &&
+ test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+ $echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+
+ # Just move the object if needed, then go on to compile the next one
+ if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then
+ $show "$mv $output_obj $lobj"
+ if $run $mv $output_obj $lobj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Append the name of the PIC object to the libtool object file.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object='$objdir/$objname'
+
+EOF
+
+ # Allow error messages only from the first compilation.
+ if test "$suppress_opt" = yes; then
+ suppress_output=' >/dev/null 2>&1'
+ fi
+ else
+ # No PIC object so indicate it doesn't exist in the libtool
+ # object file.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+pic_object=none
+
+EOF
+ fi
+
+ # Only build a position-dependent object if we build old libraries.
+ if test "$build_old_libs" = yes; then
+ if test "$pic_mode" != yes; then
+ # Don't build PIC code
+ command="$base_compile $srcfile"
+ else
+ command="$base_compile $srcfile $pic_flag"
+ fi
+ if test "$compiler_c_o" = yes; then
+ command="$command -o $obj"
+ fi
+
+ # Suppress compiler output if we already did a PIC compilation.
+ command="$command$suppress_output"
+ $run $rm "$obj" "$output_obj"
+ $show "$command"
+ if $run eval "$command"; then :
+ else
+ $run $rm $removelist
+ exit 1
+ fi
+
+ if test "$need_locks" = warn &&
+ test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
+ $echo "\
+*** ERROR, $lockfile contains:
+`cat $lockfile 2>/dev/null`
+
+but it should contain:
+$srcfile
+
+This indicates that another process is trying to use the same
+temporary object file, and libtool could not work around it because
+your compiler does not support \`-c' and \`-o' together. If you
+repeat this compilation, it may succeed, by chance, but you had better
+avoid parallel builds (make -j) in this platform, or get a better
+compiler."
+
+ $run $rm $removelist
+ exit 1
+ fi
+
+ # Just move the object if needed
+ if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then
+ $show "$mv $output_obj $obj"
+ if $run $mv $output_obj $obj; then :
+ else
+ error=$?
+ $run $rm $removelist
+ exit $error
+ fi
+ fi
+
+ # Append the name of the non-PIC object the libtool object file.
+ # Only append if the libtool object file exists.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object='$objname'
+
+EOF
+ else
+ # Append the name of the non-PIC object the libtool object file.
+ # Only append if the libtool object file exists.
+ test -z "$run" && cat >> ${libobj}T <<EOF
+# Name of the non-PIC object.
+non_pic_object=none
+
+EOF
+ fi
+
+ $run $mv "${libobj}T" "${libobj}"
+
+ # Unlock the critical section if it was locked
+ if test "$need_locks" != no; then
+ $run $rm "$lockfile"
+ fi
+
+ exit 0
+ ;;
+
+ # libtool link mode
+ link | relink)
+ modename="$modename: link"
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # It is impossible to link a dll without this setting, and
+ # we shouldn't force the makefile maintainer to figure out
+ # which system we are compiling for in order to pass an extra
+ # flag for every libtool invocation.
+ # allow_undefined=no
+
+ # FIXME: Unfortunately, there are problems with the above when trying
+ # to make a dll which has undefined symbols, in which case not
+ # even a static library is built. For now, we need to specify
+ # -no-undefined on the libtool link line when we can be certain
+ # that all symbols are satisfied, otherwise we get a static library.
+ allow_undefined=yes
+ ;;
+ *)
+ allow_undefined=yes
+ ;;
+ esac
+ libtool_args="$nonopt"
+ base_compile="$nonopt $@"
+ compile_command="$nonopt"
+ finalize_command="$nonopt"
+
+ compile_rpath=
+ finalize_rpath=
+ compile_shlibpath=
+ finalize_shlibpath=
+ convenience=
+ old_convenience=
+ deplibs=
+ old_deplibs=
+ compiler_flags=
+ linker_flags=
+ dllsearchpath=
+ lib_search_path=`pwd`
+ inst_prefix_dir=
+
+ avoid_version=no
+ dlfiles=
+ dlprefiles=
+ dlself=no
+ export_dynamic=no
+ export_symbols=
+ export_symbols_regex=
+ generated=
+ libobjs=
+ ltlibs=
+ module=no
+ no_install=no
+ objs=
+ non_pic_objects=
+ precious_files_regex=
+ prefer_static_libs=no
+ preload=no
+ prev=
+ prevarg=
+ release=
+ rpath=
+ xrpath=
+ perm_rpath=
+ temp_rpath=
+ thread_safe=no
+ vinfo=
+ vinfo_number=no
+
+ # Infer tagged configuration to use if any are available and
+ # if one wasn't chosen via the "--tag" command line option.
+ # Only attempt this if the compiler in the base link
+ # command doesn't match the default compiler.
+ if test -n "$available_tags" && test -z "$tagname"; then
+ case $base_compile in
+ # Blanks in the command may have been stripped by the calling shell,
+ # but not from the CC environment variable when configure was run.
+ "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*) ;;
+ # Blanks at the start of $base_compile will cause this to fail
+ # if we don't check for them as well.
+ *)
+ for z in $available_tags; do
+ if grep "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$0" > /dev/null; then
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $0`"
+ case $base_compile in
+ "$CC "* | " $CC "* | "`$echo $CC` "* | " `$echo $CC` "*)
+ # The compiler in $compile_command matches
+ # the one in the tagged configuration.
+ # Assume this is the tagged configuration we want.
+ tagname=$z
+ break
+ ;;
+ esac
+ fi
+ done
+ # If $tagname still isn't set, then no tagged configuration
+ # was found and let the user know that the "--tag" command
+ # line option must be used.
+ if test -z "$tagname"; then
+ $echo "$modename: unable to infer tagged configuration"
+ $echo "$modename: specify a tag with \`--tag'" 1>&2
+ exit 1
+# else
+# $echo "$modename: using $tagname tagged configuration"
+ fi
+ ;;
+ esac
+ fi
+
+ # We need to know -static, to get the right output filenames.
+ for arg
+ do
+ case $arg in
+ -all-static | -static)
+ if test "X$arg" = "X-all-static"; then
+ if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+ $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
+ fi
+ if test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ else
+ if test -z "$pic_flag" && test -n "$link_static_flag"; then
+ dlopen_self=$dlopen_self_static
+ fi
+ fi
+ build_libtool_libs=no
+ build_old_libs=yes
+ prefer_static_libs=yes
+ break
+ ;;
+ esac
+ done
+
+ # See if our shared archives depend on static archives.
+ test -n "$old_archive_from_new_cmds" && build_old_libs=yes
+
+ # Go through the arguments, transforming them on the way.
+ while test "$#" -gt 0; do
+ arg="$1"
+ shift
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ qarg=\"`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`\" ### testsuite: skip nested quoting test
+ ;;
+ *) qarg=$arg ;;
+ esac
+ libtool_args="$libtool_args $qarg"
+
+ # If the previous option needs an argument, assign it.
+ if test -n "$prev"; then
+ case $prev in
+ output)
+ compile_command="$compile_command @OUTPUT@"
+ finalize_command="$finalize_command @OUTPUT@"
+ ;;
+ esac
+
+ case $prev in
+ dlfiles|dlprefiles)
+ if test "$preload" = no; then
+ # Add the symbol object into the linking commands.
+ compile_command="$compile_command @SYMFILE@"
+ finalize_command="$finalize_command @SYMFILE@"
+ preload=yes
+ fi
+ case $arg in
+ *.la | *.lo) ;; # We handle these cases below.
+ force)
+ if test "$dlself" = no; then
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ self)
+ if test "$prev" = dlprefiles; then
+ dlself=yes
+ elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+ dlself=yes
+ else
+ dlself=needless
+ export_dynamic=yes
+ fi
+ prev=
+ continue
+ ;;
+ *)
+ if test "$prev" = dlfiles; then
+ dlfiles="$dlfiles $arg"
+ else
+ dlprefiles="$dlprefiles $arg"
+ fi
+ prev=
+ continue
+ ;;
+ esac
+ ;;
+ expsyms)
+ export_symbols="$arg"
+ if test ! -f "$arg"; then
+ $echo "$modename: symbol file \`$arg' does not exist"
+ exit 1
+ fi
+ prev=
+ continue
+ ;;
+ expsyms_regex)
+ export_symbols_regex="$arg"
+ prev=
+ continue
+ ;;
+ inst_prefix)
+ inst_prefix_dir="$arg"
+ prev=
+ continue
+ ;;
+ precious_regex)
+ precious_files_regex="$arg"
+ prev=
+ continue
+ ;;
+ release)
+ release="-$arg"
+ prev=
+ continue
+ ;;
+ objectlist)
+ if test -f "$arg"; then
+ save_arg=$arg
+ moreargs=
+ for fil in `cat $save_arg`
+ do
+# moreargs="$moreargs $fil"
+ arg=$fil
+ # A libtool-controlled object.
+
+ # Check to see that this really is a libtool object.
+ if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ pic_object=
+ non_pic_object=
+
+ # Read the .lo file
+ # If there is no directory component, then add one.
+ case $arg in
+ */* | *\\*) . $arg ;;
+ *) . ./$arg ;;
+ esac
+
+ if test -z "$pic_object" || \
+ test -z "$non_pic_object" ||
+ test "$pic_object" = none && \
+ test "$non_pic_object" = none; then
+ $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+ exit 1
+ fi
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ if test "$pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ pic_object="$xdir$pic_object"
+
+ if test "$prev" = dlfiles; then
+ if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+ dlfiles="$dlfiles $pic_object"
+ prev=
+ continue
+ else
+ # If libtool objects are unsupported, then we need to preload.
+ prev=dlprefiles
+ fi
+ fi
+
+ # CHECK ME: I think I busted this. -Ossama
+ if test "$prev" = dlprefiles; then
+ # Preload the old-style object.
+ dlprefiles="$dlprefiles $pic_object"
+ prev=
+ fi
+
+ # A PIC object.
+ libobjs="$libobjs $pic_object"
+ arg="$pic_object"
+ fi
+
+ # Non-PIC object.
+ if test "$non_pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ non_pic_object="$xdir$non_pic_object"
+
+ # A standard non-PIC object
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ if test -z "$pic_object" || test "$pic_object" = none ; then
+ arg="$non_pic_object"
+ fi
+ fi
+ else
+ # Only an error if not doing a dry-run.
+ if test -z "$run"; then
+ $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+ exit 1
+ else
+ # Dry-run case.
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+ non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+ libobjs="$libobjs $pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ fi
+ done
+ else
+ $echo "$modename: link input file \`$save_arg' does not exist"
+ exit 1
+ fi
+ arg=$save_arg
+ prev=
+ continue
+ ;;
+ rpath | xrpath)
+ # We need an absolute path.
+ case $arg in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit 1
+ ;;
+ esac
+ if test "$prev" = rpath; then
+ case "$rpath " in
+ *" $arg "*) ;;
+ *) rpath="$rpath $arg" ;;
+ esac
+ else
+ case "$xrpath " in
+ *" $arg "*) ;;
+ *) xrpath="$xrpath $arg" ;;
+ esac
+ fi
+ prev=
+ continue
+ ;;
+ xcompiler)
+ compiler_flags="$compiler_flags $qarg"
+ prev=
+ compile_command="$compile_command $qarg"
+ finalize_command="$finalize_command $qarg"
+ continue
+ ;;
+ xlinker)
+ linker_flags="$linker_flags $qarg"
+ compiler_flags="$compiler_flags $wl$qarg"
+ prev=
+ compile_command="$compile_command $wl$qarg"
+ finalize_command="$finalize_command $wl$qarg"
+ continue
+ ;;
+ xcclinker)
+ linker_flags="$linker_flags $qarg"
+ compiler_flags="$compiler_flags $qarg"
+ prev=
+ compile_command="$compile_command $qarg"
+ finalize_command="$finalize_command $qarg"
+ continue
+ ;;
+ *)
+ eval "$prev=\"\$arg\""
+ prev=
+ continue
+ ;;
+ esac
+ fi # test -n "$prev"
+
+ prevarg="$arg"
+
+ case $arg in
+ -all-static)
+ if test -n "$link_static_flag"; then
+ compile_command="$compile_command $link_static_flag"
+ finalize_command="$finalize_command $link_static_flag"
+ fi
+ continue
+ ;;
+
+ -allow-undefined)
+ # FIXME: remove this flag sometime in the future.
+ $echo "$modename: \`-allow-undefined' is deprecated because it is the default" 1>&2
+ continue
+ ;;
+
+ -avoid-version)
+ avoid_version=yes
+ continue
+ ;;
+
+ -dlopen)
+ prev=dlfiles
+ continue
+ ;;
+
+ -dlpreopen)
+ prev=dlprefiles
+ continue
+ ;;
+
+ -export-dynamic)
+ export_dynamic=yes
+ continue
+ ;;
+
+ -export-symbols | -export-symbols-regex)
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: more than one -exported-symbols argument is not allowed"
+ exit 1
+ fi
+ if test "X$arg" = "X-export-symbols"; then
+ prev=expsyms
+ else
+ prev=expsyms_regex
+ fi
+ continue
+ ;;
+
+ -inst-prefix-dir)
+ prev=inst_prefix
+ continue
+ ;;
+
+ # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:*
+ # so, if we see these flags be careful not to treat them like -L
+ -L[A-Z][A-Z]*:*)
+ case $with_gcc/$host in
+ no/*-*-irix* | /*-*-irix*)
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ ;;
+ esac
+ continue
+ ;;
+
+ -L*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-L//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
+ exit 1
+ fi
+ dir="$absdir"
+ ;;
+ esac
+ case "$deplibs " in
+ *" -L$dir "*) ;;
+ *)
+ deplibs="$deplibs -L$dir"
+ lib_search_path="$lib_search_path $dir"
+ ;;
+ esac
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ case :$dllsearchpath: in
+ *":$dir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$dir";;
+ esac
+ ;;
+ esac
+ continue
+ ;;
+
+ -l*)
+ if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+ case $host in
+ *-*-cygwin* | *-*-pw32* | *-*-beos*)
+ # These systems don't actually have a C or math library (as such)
+ continue
+ ;;
+ *-*-mingw* | *-*-os2*)
+ # These systems don't actually have a C library (as such)
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *-*-openbsd* | *-*-freebsd*)
+ # Do not include libc due to us having libc/libc_r.
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # Rhapsody C and math libraries are in the System framework
+ deplibs="$deplibs -framework System"
+ continue
+ esac
+ elif test "X$arg" = "X-lc_r"; then
+ case $host in
+ *-*-openbsd* | *-*-freebsd*)
+ # Do not include libc_r directly, use -pthread flag.
+ continue
+ ;;
+ esac
+ fi
+ deplibs="$deplibs $arg"
+ continue
+ ;;
+
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+ deplibs="$deplibs $arg"
+ continue
+ ;;
+
+ -module)
+ module=yes
+ continue
+ ;;
+
+ # gcc -m* arguments should be passed to the linker via $compiler_flags
+ # in order to pass architecture information to the linker
+ # (e.g. 32 vs 64-bit). This may also be accomplished via -Wl,-mfoo
+ # but this is not reliable with gcc because gcc may use -mfoo to
+ # select a different linker, different libraries, etc, while
+ # -Wl,-mfoo simply passes -mfoo to the linker.
+ -m*)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ if test "$with_gcc" = "yes" ; then
+ compiler_flags="$compiler_flags $arg"
+ fi
+ continue
+ ;;
+
+ -shrext)
+ prev=shrext
+ continue
+ ;;
+
+ -no-fast-install)
+ fast_install=no
+ continue
+ ;;
+
+ -no-install)
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ # The PATH hackery in wrapper scripts is required on Windows
+ # in order for the loader to find any dlls it needs.
+ $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
+ $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
+ fast_install=no
+ ;;
+ *) no_install=yes ;;
+ esac
+ continue
+ ;;
+
+ -no-undefined)
+ allow_undefined=no
+ continue
+ ;;
+
+ -objectlist)
+ prev=objectlist
+ continue
+ ;;
+
+ -o) prev=output ;;
+
+ -precious-files-regex)
+ prev=precious_regex
+ continue
+ ;;
+
+ -release)
+ prev=release
+ continue
+ ;;
+
+ -rpath)
+ prev=rpath
+ continue
+ ;;
+
+ -R)
+ prev=xrpath
+ continue
+ ;;
+
+ -R*)
+ dir=`$echo "X$arg" | $Xsed -e 's/^-R//'`
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ $echo "$modename: only absolute run-paths are allowed" 1>&2
+ exit 1
+ ;;
+ esac
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ continue
+ ;;
+
+ -static)
+ # The effects of -static are defined in a previous loop.
+ # We used to do the same as -all-static on platforms that
+ # didn't have a PIC flag, but the assumption that the effects
+ # would be equivalent was wrong. It would break on at least
+ # Digital Unix and AIX.
+ continue
+ ;;
+
+ -thread-safe)
+ thread_safe=yes
+ continue
+ ;;
+
+ -version-info)
+ prev=vinfo
+ continue
+ ;;
+ -version-number)
+ prev=vinfo
+ vinfo_number=yes
+ continue
+ ;;
+
+ -Wc,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wc,//'`
+ arg=
+ save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Wl,*)
+ args=`$echo "X$arg" | $Xsed -e "$sed_quote_subst" -e 's/^-Wl,//'`
+ arg=
+ save_ifs="$IFS"; IFS=','
+ for flag in $args; do
+ IFS="$save_ifs"
+ case $flag in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ flag="\"$flag\""
+ ;;
+ esac
+ arg="$arg $wl$flag"
+ compiler_flags="$compiler_flags $wl$flag"
+ linker_flags="$linker_flags $flag"
+ done
+ IFS="$save_ifs"
+ arg=`$echo "X$arg" | $Xsed -e "s/^ //"`
+ ;;
+
+ -Xcompiler)
+ prev=xcompiler
+ continue
+ ;;
+
+ -Xlinker)
+ prev=xlinker
+ continue
+ ;;
+
+ -XCClinker)
+ prev=xcclinker
+ continue
+ ;;
+
+ # Some other compiler flag.
+ -* | +*)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+
+ *.$objext)
+ # A standard object.
+ objs="$objs $arg"
+ ;;
+
+ *.lo)
+ # A libtool-controlled object.
+
+ # Check to see that this really is a libtool object.
+ if (${SED} -e '2q' $arg | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ pic_object=
+ non_pic_object=
+
+ # Read the .lo file
+ # If there is no directory component, then add one.
+ case $arg in
+ */* | *\\*) . $arg ;;
+ *) . ./$arg ;;
+ esac
+
+ if test -z "$pic_object" || \
+ test -z "$non_pic_object" ||
+ test "$pic_object" = none && \
+ test "$non_pic_object" = none; then
+ $echo "$modename: cannot find name of object for \`$arg'" 1>&2
+ exit 1
+ fi
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ if test "$pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ pic_object="$xdir$pic_object"
+
+ if test "$prev" = dlfiles; then
+ if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+ dlfiles="$dlfiles $pic_object"
+ prev=
+ continue
+ else
+ # If libtool objects are unsupported, then we need to preload.
+ prev=dlprefiles
+ fi
+ fi
+
+ # CHECK ME: I think I busted this. -Ossama
+ if test "$prev" = dlprefiles; then
+ # Preload the old-style object.
+ dlprefiles="$dlprefiles $pic_object"
+ prev=
+ fi
+
+ # A PIC object.
+ libobjs="$libobjs $pic_object"
+ arg="$pic_object"
+ fi
+
+ # Non-PIC object.
+ if test "$non_pic_object" != none; then
+ # Prepend the subdirectory the object is found in.
+ non_pic_object="$xdir$non_pic_object"
+
+ # A standard non-PIC object
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ if test -z "$pic_object" || test "$pic_object" = none ; then
+ arg="$non_pic_object"
+ fi
+ fi
+ else
+ # Only an error if not doing a dry-run.
+ if test -z "$run"; then
+ $echo "$modename: \`$arg' is not a valid libtool object" 1>&2
+ exit 1
+ else
+ # Dry-run case.
+
+ # Extract subdirectory from the argument.
+ xdir=`$echo "X$arg" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$xdir" = "X$arg"; then
+ xdir=
+ else
+ xdir="$xdir/"
+ fi
+
+ pic_object=`$echo "X${xdir}${objdir}/${arg}" | $Xsed -e "$lo2o"`
+ non_pic_object=`$echo "X${xdir}${arg}" | $Xsed -e "$lo2o"`
+ libobjs="$libobjs $pic_object"
+ non_pic_objects="$non_pic_objects $non_pic_object"
+ fi
+ fi
+ ;;
+
+ *.$libext)
+ # An archive.
+ deplibs="$deplibs $arg"
+ old_deplibs="$old_deplibs $arg"
+ continue
+ ;;
+
+ *.la)
+ # A libtool-controlled library.
+
+ if test "$prev" = dlfiles; then
+ # This library was specified with -dlopen.
+ dlfiles="$dlfiles $arg"
+ prev=
+ elif test "$prev" = dlprefiles; then
+ # The library was specified with -dlpreopen.
+ dlprefiles="$dlprefiles $arg"
+ prev=
+ else
+ deplibs="$deplibs $arg"
+ fi
+ continue
+ ;;
+
+ # Some other compiler argument.
+ *)
+ # Unknown arguments in both finalize_command and compile_command need
+ # to be aesthetically quoted because they are evaled later.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ arg="\"$arg\""
+ ;;
+ esac
+ ;;
+ esac # arg
+
+ # Now actually substitute the argument into the commands.
+ if test -n "$arg"; then
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+ done # argument parsing loop
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prevarg' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+ eval arg=\"$export_dynamic_flag_spec\"
+ compile_command="$compile_command $arg"
+ finalize_command="$finalize_command $arg"
+ fi
+
+ oldlibs=
+ # calculate the name of the file, without its directory
+ outputname=`$echo "X$output" | $Xsed -e 's%^.*/%%'`
+ libobjs_save="$libobjs"
+
+ if test -n "$shlibpath_var"; then
+ # get the directories listed in $shlibpath_var
+ eval shlib_search_path=\`\$echo \"X\${$shlibpath_var}\" \| \$Xsed -e \'s/:/ /g\'\`
+ else
+ shlib_search_path=
+ fi
+ eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
+ eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
+
+ output_objdir=`$echo "X$output" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$output_objdir" = "X$output"; then
+ output_objdir="$objdir"
+ else
+ output_objdir="$output_objdir/$objdir"
+ fi
+ # Create the object directory.
+ if test ! -d "$output_objdir"; then
+ $show "$mkdir $output_objdir"
+ $run $mkdir $output_objdir
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$output_objdir"; then
+ exit $status
+ fi
+ fi
+
+ # Determine the type of output
+ case $output in
+ "")
+ $echo "$modename: you must specify an output file" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ *.$libext) linkmode=oldlib ;;
+ *.lo | *.$objext) linkmode=obj ;;
+ *.la) linkmode=lib ;;
+ *) linkmode=prog ;; # Anything else should be a program.
+ esac
+
+ case $host in
+ *cygwin* | *mingw* | *pw32*)
+ # don't eliminate duplcations in $postdeps and $predeps
+ duplicate_compiler_generated_deps=yes
+ ;;
+ *)
+ duplicate_compiler_generated_deps=$duplicate_deps
+ ;;
+ esac
+ specialdeplibs=
+
+ libs=
+ # Find all interdependent deplibs by searching for libraries
+ # that are linked more than once (e.g. -la -lb -la)
+ for deplib in $deplibs; do
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ libs="$libs $deplib"
+ done
+
+ if test "$linkmode" = lib; then
+ libs="$predeps $libs $compiler_lib_search_path $postdeps"
+
+ # Compute libraries that are listed more than once in $predeps
+ # $postdeps and mark them as special (i.e., whose duplicates are
+ # not to be eliminated).
+ pre_post_deps=
+ if test "X$duplicate_compiler_generated_deps" = "Xyes" ; then
+ for pre_post_dep in $predeps $postdeps; do
+ case "$pre_post_deps " in
+ *" $pre_post_dep "*) specialdeplibs="$specialdeplibs $pre_post_deps" ;;
+ esac
+ pre_post_deps="$pre_post_deps $pre_post_dep"
+ done
+ fi
+ pre_post_deps=
+ fi
+
+ deplibs=
+ newdependency_libs=
+ newlib_search_path=
+ need_relink=no # whether we're linking any uninstalled libtool libraries
+ notinst_deplibs= # not-installed libtool libraries
+ notinst_path= # paths that contain not-installed libtool libraries
+ case $linkmode in
+ lib)
+ passes="conv link"
+ for file in $dlfiles $dlprefiles; do
+ case $file in
+ *.la) ;;
+ *)
+ $echo "$modename: libraries can \`-dlopen' only libtool libraries: $file" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ ;;
+ prog)
+ compile_deplibs=
+ finalize_deplibs=
+ alldeplibs=no
+ newdlfiles=
+ newdlprefiles=
+ passes="conv scan dlopen dlpreopen link"
+ ;;
+ *) passes="conv"
+ ;;
+ esac
+ for pass in $passes; do
+ if test "$linkmode,$pass" = "lib,link" ||
+ test "$linkmode,$pass" = "prog,scan"; then
+ libs="$deplibs"
+ deplibs=
+ fi
+ if test "$linkmode" = prog; then
+ case $pass in
+ dlopen) libs="$dlfiles" ;;
+ dlpreopen) libs="$dlprefiles" ;;
+ link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
+ esac
+ fi
+ if test "$pass" = dlopen; then
+ # Collect dlpreopened libraries
+ save_deplibs="$deplibs"
+ deplibs=
+ fi
+ for deplib in $libs; do
+ lib=
+ found=no
+ case $deplib in
+ -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ fi
+ continue
+ ;;
+ -l*)
+ if test "$linkmode" != lib && test "$linkmode" != prog; then
+ $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
+ continue
+ fi
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
+ for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ for search_ext in .la $shrext .so .a; do
+ # Search the libtool library
+ lib="$searchdir/lib${name}${search_ext}"
+ if test -f "$lib"; then
+ if test "$search_ext" = ".la"; then
+ found=yes
+ else
+ found=no
+ fi
+ break 2
+ fi
+ done
+ done
+ if test "$found" != yes; then
+ # deplib doesn't seem to be a libtool library
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+ fi
+ continue
+ else # deplib is a libtool library
+ # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
+ # We need to do some special things here, and not later.
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $deplib "*)
+ if (${SED} -e '2q' $lib |
+ grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ library_names=
+ old_library=
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+ for l in $old_library $library_names; do
+ ll="$l"
+ done
+ if test "X$ll" = "X$old_library" ; then # only static version available
+ found=no
+ ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$ladir" = "X$lib" && ladir="."
+ lib=$ladir/$old_library
+ if test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ deplibs="$deplib $deplibs"
+ test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+ fi
+ continue
+ fi
+ fi
+ ;;
+ *) ;;
+ esac
+ fi
+ fi
+ ;; # -l
+ -L*)
+ case $linkmode in
+ lib)
+ deplibs="$deplib $deplibs"
+ test "$pass" = conv && continue
+ newdependency_libs="$deplib $newdependency_libs"
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ ;;
+ prog)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ if test "$pass" = scan; then
+ deplibs="$deplib $deplibs"
+ newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ ;;
+ *)
+ $echo "$modename: warning: \`-L' is ignored for archives/objects" 1>&2
+ ;;
+ esac # linkmode
+ continue
+ ;; # -L
+ -R*)
+ if test "$pass" = link; then
+ dir=`$echo "X$deplib" | $Xsed -e 's/^-R//'`
+ # Make sure the xrpath contains only unique directories.
+ case "$xrpath " in
+ *" $dir "*) ;;
+ *) xrpath="$xrpath $dir" ;;
+ esac
+ fi
+ deplibs="$deplib $deplibs"
+ continue
+ ;;
+ *.la) lib="$deplib" ;;
+ *.$libext)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ continue
+ fi
+ case $linkmode in
+ lib)
+ if test "$deplibs_check_method" != pass_all; then
+ $echo
+ $echo "*** Warning: Trying to link with static lib archive $deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because the file extensions .$libext of this argument makes me believe"
+ $echo "*** that it is just a static archive that I should not used here."
+ else
+ $echo
+ $echo "*** Warning: Linking the shared library $output against the"
+ $echo "*** static library $deplib is not portable!"
+ deplibs="$deplib $deplibs"
+ fi
+ continue
+ ;;
+ prog)
+ if test "$pass" != link; then
+ deplibs="$deplib $deplibs"
+ else
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ fi
+ continue
+ ;;
+ esac # linkmode
+ ;; # *.$libext
+ *.lo | *.$objext)
+ if test "$pass" = conv; then
+ deplibs="$deplib $deplibs"
+ elif test "$linkmode" = prog; then
+ if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+ # If there is no dlopen support or we're linking statically,
+ # we need to preload.
+ newdlprefiles="$newdlprefiles $deplib"
+ compile_deplibs="$deplib $compile_deplibs"
+ finalize_deplibs="$deplib $finalize_deplibs"
+ else
+ newdlfiles="$newdlfiles $deplib"
+ fi
+ fi
+ continue
+ ;;
+ %DEPLIBS%)
+ alldeplibs=yes
+ continue
+ ;;
+ esac # case $deplib
+ if test "$found" = yes || test -f "$lib"; then :
+ else
+ $echo "$modename: cannot find the library \`$lib'" 1>&2
+ exit 1
+ fi
+
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $lib | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+
+ ladir=`$echo "X$lib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$ladir" = "X$lib" && ladir="."
+
+ dlname=
+ dlopen=
+ dlpreopen=
+ libdir=
+ library_names=
+ old_library=
+ # If the library was installed with an old release of libtool,
+ # it will not redefine variables installed, or shouldnotlink
+ installed=yes
+ shouldnotlink=no
+
+ # Read the .la file
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+
+ if test "$linkmode,$pass" = "lib,link" ||
+ test "$linkmode,$pass" = "prog,scan" ||
+ { test "$linkmode" != prog && test "$linkmode" != lib; }; then
+ test -n "$dlopen" && dlfiles="$dlfiles $dlopen"
+ test -n "$dlpreopen" && dlprefiles="$dlprefiles $dlpreopen"
+ fi
+
+ if test "$pass" = conv; then
+ # Only check for convenience libraries
+ deplibs="$lib $deplibs"
+ if test -z "$libdir"; then
+ if test -z "$old_library"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit 1
+ fi
+ # It is a libtool convenience library, so add in its objects.
+ convenience="$convenience $ladir/$objdir/$old_library"
+ old_convenience="$old_convenience $ladir/$objdir/$old_library"
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ deplibs="$deplib $deplibs"
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done
+ elif test "$linkmode" != prog && test "$linkmode" != lib; then
+ $echo "$modename: \`$lib' is not a convenience library" 1>&2
+ exit 1
+ fi
+ continue
+ fi # $pass = conv
+
+
+ # Get the name of the library we link against.
+ linklib=
+ for l in $old_library $library_names; do
+ linklib="$l"
+ done
+ if test -z "$linklib"; then
+ $echo "$modename: cannot find name of link library for \`$lib'" 1>&2
+ exit 1
+ fi
+
+ # This library was specified with -dlopen.
+ if test "$pass" = dlopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlopen a convenience library: \`$lib'" 1>&2
+ exit 1
+ fi
+ if test -z "$dlname" || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+ # If there is no dlname, no dlopen support or we're linking
+ # statically, we need to preload. We also need to preload any
+ # dependent libraries so libltdl's deplib preloader doesn't
+ # bomb out in the load deplibs phase.
+ dlprefiles="$dlprefiles $lib $dependency_libs"
+ else
+ newdlfiles="$newdlfiles $lib"
+ fi
+ continue
+ fi # $pass = dlopen
+
+ # We need an absolute path.
+ case $ladir in
+ [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+ *)
+ abs_ladir=`cd "$ladir" && pwd`
+ if test -z "$abs_ladir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$ladir'" 1>&2
+ $echo "$modename: passing it literally to the linker, although it might fail" 1>&2
+ abs_ladir="$ladir"
+ fi
+ ;;
+ esac
+ laname=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+
+ # Find the relevant object directory and library name.
+ if test "X$installed" = Xyes; then
+ if test ! -f "$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
+ $echo "$modename: warning: library \`$lib' was moved." 1>&2
+ dir="$ladir"
+ absdir="$abs_ladir"
+ libdir="$abs_ladir"
+ else
+ dir="$libdir"
+ absdir="$libdir"
+ fi
+ else
+ dir="$ladir/$objdir"
+ absdir="$abs_ladir/$objdir"
+ # Remove this search path later
+ notinst_path="$notinst_path $abs_ladir"
+ fi # $installed = yes
+ name=`$echo "X$laname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+
+ # This library was specified with -dlpreopen.
+ if test "$pass" = dlpreopen; then
+ if test -z "$libdir"; then
+ $echo "$modename: cannot -dlpreopen a convenience library: \`$lib'" 1>&2
+ exit 1
+ fi
+ # Prefer using a static library (so that no silly _DYNAMIC symbols
+ # are required to link).
+ if test -n "$old_library"; then
+ newdlprefiles="$newdlprefiles $dir/$old_library"
+ # Otherwise, use the dlname, so that lt_dlopen finds it.
+ elif test -n "$dlname"; then
+ newdlprefiles="$newdlprefiles $dir/$dlname"
+ else
+ newdlprefiles="$newdlprefiles $dir/$linklib"
+ fi
+ fi # $pass = dlpreopen
+
+ if test -z "$libdir"; then
+ # Link the convenience library
+ if test "$linkmode" = lib; then
+ deplibs="$dir/$old_library $deplibs"
+ elif test "$linkmode,$pass" = "prog,link"; then
+ compile_deplibs="$dir/$old_library $compile_deplibs"
+ finalize_deplibs="$dir/$old_library $finalize_deplibs"
+ else
+ deplibs="$lib $deplibs" # used for prog,scan pass
+ fi
+ continue
+ fi
+
+
+ if test "$linkmode" = prog && test "$pass" != link; then
+ newlib_search_path="$newlib_search_path $ladir"
+ deplibs="$lib $deplibs"
+
+ linkalldeplibs=no
+ if test "$link_all_deplibs" != no || test -z "$library_names" ||
+ test "$build_libtool_libs" = no; then
+ linkalldeplibs=yes
+ fi
+
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) newlib_search_path="$newlib_search_path "`$echo "X$deplib" | $Xsed -e 's/^-L//'`;; ### testsuite: skip nested quoting test
+ esac
+ # Need to link against all dependency_libs?
+ if test "$linkalldeplibs" = yes; then
+ deplibs="$deplib $deplibs"
+ else
+ # Need to hardcode shared library paths
+ # or/and link against static libraries
+ newdependency_libs="$deplib $newdependency_libs"
+ fi
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done # for deplib
+ continue
+ fi # $linkmode = prog...
+
+ if test "$linkmode,$pass" = "prog,link"; then
+ if test -n "$library_names" &&
+ { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+ # We need to hardcode the library path
+ if test -n "$shlibpath_var"; then
+ # Make sure the rpath contains only unique directories.
+ case "$temp_rpath " in
+ *" $dir "*) ;;
+ *" $absdir "*) ;;
+ *) temp_rpath="$temp_rpath $dir" ;;
+ esac
+ fi
+
+ # Hardcode the library path.
+ # Skip directories that are in the system default run-time
+ # search path.
+ case " $sys_lib_dlsearch_path " in
+ *" $absdir "*) ;;
+ *)
+ case "$compile_rpath " in
+ *" $absdir "*) ;;
+ *) compile_rpath="$compile_rpath $absdir"
+ esac
+ ;;
+ esac
+ case " $sys_lib_dlsearch_path " in
+ *" $libdir "*) ;;
+ *)
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir"
+ esac
+ ;;
+ esac
+ fi # $linkmode,$pass = prog,link...
+
+ if test "$alldeplibs" = yes &&
+ { test "$deplibs_check_method" = pass_all ||
+ { test "$build_libtool_libs" = yes &&
+ test -n "$library_names"; }; }; then
+ # We only need to search for static libraries
+ continue
+ fi
+ fi
+
+ link_static=no # Whether the deplib will be linked statically
+ if test -n "$library_names" &&
+ { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+ if test "$installed" = no; then
+ notinst_deplibs="$notinst_deplibs $lib"
+ need_relink=yes
+ fi
+ # This is a shared library
+
+ # Warn about portability, can't link against -module's on some systems (darwin)
+ if test "$shouldnotlink" = yes && test "$pass" = link ; then
+ $echo
+ if test "$linkmode" = prog; then
+ $echo "*** Warning: Linking the executable $output against the loadable module"
+ else
+ $echo "*** Warning: Linking the shared library $output against the loadable module"
+ fi
+ $echo "*** $linklib is not portable!"
+ fi
+ if test "$linkmode" = lib &&
+ test "$hardcode_into_libs" = yes; then
+ # Hardcode the library path.
+ # Skip directories that are in the system default run-time
+ # search path.
+ case " $sys_lib_dlsearch_path " in
+ *" $absdir "*) ;;
+ *)
+ case "$compile_rpath " in
+ *" $absdir "*) ;;
+ *) compile_rpath="$compile_rpath $absdir"
+ esac
+ ;;
+ esac
+ case " $sys_lib_dlsearch_path " in
+ *" $libdir "*) ;;
+ *)
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir"
+ esac
+ ;;
+ esac
+ fi
+
+ if test -n "$old_archive_from_expsyms_cmds"; then
+ # figure out the soname
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+ libname=`eval \\$echo \"$libname_spec\"`
+ # use dlname if we got it. it's perfectly good, no?
+ if test -n "$dlname"; then
+ soname="$dlname"
+ elif test -n "$soname_spec"; then
+ # bleh windows
+ case $host in
+ *cygwin* | mingw*)
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+ esac
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+
+ # Make a new name for the extract_expsyms_cmds to use
+ soroot="$soname"
+ soname=`$echo $soroot | ${SED} -e 's/^.*\///'`
+ newlib="libimp-`$echo $soname | ${SED} 's/^lib//;s/\.dll$//'`.a"
+
+ # If the library has no export list, then create one now
+ if test -f "$output_objdir/$soname-def"; then :
+ else
+ $show "extracting exported symbol list from \`$soname'"
+ save_ifs="$IFS"; IFS='~'
+ cmds=$extract_expsyms_cmds
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Create $newlib
+ if test -f "$output_objdir/$newlib"; then :; else
+ $show "generating import library for \`$soname'"
+ save_ifs="$IFS"; IFS='~'
+ cmds=$old_archive_from_expsyms_cmds
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+ # make sure the library variables are pointing to the new library
+ dir=$output_objdir
+ linklib=$newlib
+ fi # test -n "$old_archive_from_expsyms_cmds"
+
+ if test "$linkmode" = prog || test "$mode" != relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ lib_linked=yes
+ case $hardcode_action in
+ immediate | unsupported)
+ if test "$hardcode_direct" = no; then
+ add="$dir/$linklib"
+ case $host in
+ *-*-sco3.2v5* ) add_dir="-L$dir" ;;
+ *-*-darwin* )
+ # if the lib is a module then we can not link against it, someone
+ # is ignoring the new warnings I added
+ if /usr/bin/file -L $add 2> /dev/null | grep "bundle" >/dev/null ; then
+ $echo "** Warning, lib $linklib is a module, not a shared library"
+ if test -z "$old_library" ; then
+ $echo
+ $echo "** And there doesn't seem to be a static archive available"
+ $echo "** The link will probably fail, sorry"
+ else
+ add="$dir/$old_library"
+ fi
+ fi
+ esac
+ elif test "$hardcode_minus_L" = no; then
+ case $host in
+ *-*-sunos*) add_shlibpath="$dir" ;;
+ esac
+ add_dir="-L$dir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = no; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ relink)
+ if test "$hardcode_direct" = yes; then
+ add="$dir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$dir"
+ # Try looking first in the location we're being installed to.
+ if test -n "$inst_prefix_dir"; then
+ case "$libdir" in
+ [\\/]*)
+ add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ ;;
+ esac
+ fi
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ add_shlibpath="$dir"
+ add="-l$name"
+ else
+ lib_linked=no
+ fi
+ ;;
+ *) lib_linked=no ;;
+ esac
+
+ if test "$lib_linked" != yes; then
+ $echo "$modename: configuration error: unsupported hardcode properties"
+ exit 1
+ fi
+
+ if test -n "$add_shlibpath"; then
+ case :$compile_shlibpath: in
+ *":$add_shlibpath:"*) ;;
+ *) compile_shlibpath="$compile_shlibpath$add_shlibpath:" ;;
+ esac
+ fi
+ if test "$linkmode" = prog; then
+ test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
+ test -n "$add" && compile_deplibs="$add $compile_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ if test "$hardcode_direct" != yes && \
+ test "$hardcode_minus_L" != yes && \
+ test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ fi
+ fi
+ fi
+
+ if test "$linkmode" = prog || test "$mode" = relink; then
+ add_shlibpath=
+ add_dir=
+ add=
+ # Finalize command for both is simple: just hardcode it.
+ if test "$hardcode_direct" = yes; then
+ add="$libdir/$linklib"
+ elif test "$hardcode_minus_L" = yes; then
+ add_dir="-L$libdir"
+ add="-l$name"
+ elif test "$hardcode_shlibpath_var" = yes; then
+ case :$finalize_shlibpath: in
+ *":$libdir:"*) ;;
+ *) finalize_shlibpath="$finalize_shlibpath$libdir:" ;;
+ esac
+ add="-l$name"
+ elif test "$hardcode_automatic" = yes; then
+ if test -n "$inst_prefix_dir" && test -f "$inst_prefix_dir$libdir/$linklib" ; then
+ add="$inst_prefix_dir$libdir/$linklib"
+ else
+ add="$libdir/$linklib"
+ fi
+ else
+ # We cannot seem to hardcode it, guess we'll fake it.
+ add_dir="-L$libdir"
+ # Try looking first in the location we're being installed to.
+ if test -n "$inst_prefix_dir"; then
+ case "$libdir" in
+ [\\/]*)
+ add_dir="$add_dir -L$inst_prefix_dir$libdir"
+ ;;
+ esac
+ fi
+ add="-l$name"
+ fi
+
+ if test "$linkmode" = prog; then
+ test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
+ test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
+ else
+ test -n "$add_dir" && deplibs="$add_dir $deplibs"
+ test -n "$add" && deplibs="$add $deplibs"
+ fi
+ fi
+ elif test "$linkmode" = prog; then
+ # Here we assume that one of hardcode_direct or hardcode_minus_L
+ # is not unsupported. This is valid on all known static and
+ # shared platforms.
+ if test "$hardcode_direct" != unsupported; then
+ test -n "$old_library" && linklib="$old_library"
+ compile_deplibs="$dir/$linklib $compile_deplibs"
+ finalize_deplibs="$dir/$linklib $finalize_deplibs"
+ else
+ compile_deplibs="-l$name -L$dir $compile_deplibs"
+ finalize_deplibs="-l$name -L$dir $finalize_deplibs"
+ fi
+ elif test "$build_libtool_libs" = yes; then
+ # Not a shared library
+ if test "$deplibs_check_method" != pass_all; then
+ # We're trying link a shared library against a static one
+ # but the system doesn't support it.
+
+ # Just print a warning and add the library to dependency_libs so
+ # that the program can be linked against the static library.
+ $echo
+ $echo "*** Warning: This system can not link to static lib archive $lib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have."
+ if test "$module" = yes; then
+ $echo "*** But as you try to build a module library, libtool will still create "
+ $echo "*** a static module, that should work as long as the dlopening application"
+ $echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
+ if test -z "$global_symbol_pipe"; then
+ $echo
+ $echo "*** However, this would only work if libtool was able to extract symbol"
+ $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ $echo "*** not find such a program. So, this module is probably useless."
+ $echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ else
+ convenience="$convenience $dir/$old_library"
+ old_convenience="$old_convenience $dir/$old_library"
+ deplibs="$dir/$old_library $deplibs"
+ link_static=yes
+ fi
+ fi # link shared/static library?
+
+ if test "$linkmode" = lib; then
+ if test -n "$dependency_libs" &&
+ { test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes ||
+ test "$link_static" = yes; }; then
+ # Extract -R from dependency_libs
+ temp_deplibs=
+ for libdir in $dependency_libs; do
+ case $libdir in
+ -R*) temp_xrpath=`$echo "X$libdir" | $Xsed -e 's/^-R//'`
+ case " $xrpath " in
+ *" $temp_xrpath "*) ;;
+ *) xrpath="$xrpath $temp_xrpath";;
+ esac;;
+ *) temp_deplibs="$temp_deplibs $libdir";;
+ esac
+ done
+ dependency_libs="$temp_deplibs"
+ fi
+
+ newlib_search_path="$newlib_search_path $absdir"
+ # Link against this library
+ test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+ # ... and its dependency_libs
+ tmp_libs=
+ for deplib in $dependency_libs; do
+ newdependency_libs="$deplib $newdependency_libs"
+ if test "X$duplicate_deps" = "Xyes" ; then
+ case "$tmp_libs " in
+ *" $deplib "*) specialdeplibs="$specialdeplibs $deplib" ;;
+ esac
+ fi
+ tmp_libs="$tmp_libs $deplib"
+ done
+
+ if test "$link_all_deplibs" != no; then
+ # Add the search paths of all dependency libraries
+ for deplib in $dependency_libs; do
+ case $deplib in
+ -L*) path="$deplib" ;;
+ *.la)
+ dir=`$echo "X$deplib" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$deplib" && dir="."
+ # We need an absolute path.
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+ *)
+ absdir=`cd "$dir" && pwd`
+ if test -z "$absdir"; then
+ $echo "$modename: warning: cannot determine absolute directory name of \`$dir'" 1>&2
+ absdir="$dir"
+ fi
+ ;;
+ esac
+ if grep "^installed=no" $deplib > /dev/null; then
+ path="$absdir/$objdir"
+ else
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ if test "$absdir" != "$libdir"; then
+ $echo "$modename: warning: \`$deplib' seems to be moved" 1>&2
+ fi
+ path="$absdir"
+ fi
+ depdepl=
+ case $host in
+ *-*-darwin*)
+ # we do not want to link against static libs, but need to link against shared
+ eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+ if test -n "$deplibrary_names" ; then
+ for tmp in $deplibrary_names ; do
+ depdepl=$tmp
+ done
+ if test -f "$path/$depdepl" ; then
+ depdepl="$path/$depdepl"
+ fi
+ # do not add paths which are already there
+ case " $newlib_search_path " in
+ *" $path "*) ;;
+ *) newlib_search_path="$newlib_search_path $path";;
+ esac
+ fi
+ path=""
+ ;;
+ *)
+ path="-L$path"
+ ;;
+ esac
+
+ ;;
+ -l*)
+ case $host in
+ *-*-darwin*)
+ # Again, we only want to link against shared libraries
+ eval tmp_libs=`$echo "X$deplib" | $Xsed -e "s,^\-l,,"`
+ for tmp in $newlib_search_path ; do
+ if test -f "$tmp/lib$tmp_libs.dylib" ; then
+ eval depdepl="$tmp/lib$tmp_libs.dylib"
+ break
+ fi
+ done
+ path=""
+ ;;
+ *) continue ;;
+ esac
+ ;;
+ *) continue ;;
+ esac
+ case " $deplibs " in
+ *" $depdepl "*) ;;
+ *) deplibs="$deplibs $depdepl" ;;
+ esac
+ case " $deplibs " in
+ *" $path "*) ;;
+ *) deplibs="$deplibs $path" ;;
+ esac
+ done
+ fi # link_all_deplibs != no
+ fi # linkmode = lib
+ done # for deplib in $libs
+ dependency_libs="$newdependency_libs"
+ if test "$pass" = dlpreopen; then
+ # Link the dlpreopened libraries before other libraries
+ for deplib in $save_deplibs; do
+ deplibs="$deplib $deplibs"
+ done
+ fi
+ if test "$pass" != dlopen; then
+ if test "$pass" != conv; then
+ # Make sure lib_search_path contains only unique directories.
+ lib_search_path=
+ for dir in $newlib_search_path; do
+ case "$lib_search_path " in
+ *" $dir "*) ;;
+ *) lib_search_path="$lib_search_path $dir" ;;
+ esac
+ done
+ newlib_search_path=
+ fi
+
+ if test "$linkmode,$pass" != "prog,link"; then
+ vars="deplibs"
+ else
+ vars="compile_deplibs finalize_deplibs"
+ fi
+ for var in $vars dependency_libs; do
+ # Add libraries to $var in reverse order
+ eval tmp_libs=\"\$$var\"
+ new_libs=
+ for deplib in $tmp_libs; do
+ # FIXME: Pedantically, this is the right thing to do, so
+ # that some nasty dependency loop isn't accidentally
+ # broken:
+ #new_libs="$deplib $new_libs"
+ # Pragmatically, this seems to cause very few problems in
+ # practice:
+ case $deplib in
+ -L*) new_libs="$deplib $new_libs" ;;
+ -R*) ;;
+ *)
+ # And here is the reason: when a library appears more
+ # than once as an explicit dependence of a library, or
+ # is implicitly linked in more than once by the
+ # compiler, it is considered special, and multiple
+ # occurrences thereof are not removed. Compare this
+ # with having the same library being listed as a
+ # dependency of multiple other libraries: in this case,
+ # we know (pedantically, we assume) the library does not
+ # need to be listed more than once, so we keep only the
+ # last copy. This is not always right, but it is rare
+ # enough that we require users that really mean to play
+ # such unportable linking tricks to link the library
+ # using -Wl,-lname, so that libtool does not consider it
+ # for duplicate removal.
+ case " $specialdeplibs " in
+ *" $deplib "*) new_libs="$deplib $new_libs" ;;
+ *)
+ case " $new_libs " in
+ *" $deplib "*) ;;
+ *) new_libs="$deplib $new_libs" ;;
+ esac
+ ;;
+ esac
+ ;;
+ esac
+ done
+ tmp_libs=
+ for deplib in $new_libs; do
+ case $deplib in
+ -L*)
+ case " $tmp_libs " in
+ *" $deplib "*) ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ ;;
+ *) tmp_libs="$tmp_libs $deplib" ;;
+ esac
+ done
+ eval $var=\"$tmp_libs\"
+ done # for var
+ fi
+ # Last step: remove runtime libs from dependency_libs (they stay in deplibs)
+ tmp_libs=
+ for i in $dependency_libs ; do
+ case " $predeps $postdeps $compiler_lib_search_path " in
+ *" $i "*)
+ i=""
+ ;;
+ esac
+ if test -n "$i" ; then
+ tmp_libs="$tmp_libs $i"
+ fi
+ done
+ dependency_libs=$tmp_libs
+ done # for pass
+ if test "$linkmode" = prog; then
+ dlfiles="$newdlfiles"
+ dlprefiles="$newdlprefiles"
+ fi
+
+ case $linkmode in
+ oldlib)
+ if test -n "$deplibs"; then
+ $echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
+ fi
+
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info/-version-number' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for archives" 1>&2
+ fi
+
+ if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
+ $echo "$modename: warning: \`-export-symbols' is ignored for archives" 1>&2
+ fi
+
+ # Now set the variables for building old libraries.
+ build_libtool_libs=no
+ oldlibs="$output"
+ objs="$objs$old_deplibs"
+ ;;
+
+ lib)
+ # Make sure we only generate libraries of the form `libNAME.la'.
+ case $outputname in
+ lib*)
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//' -e 's/^lib//'`
+ eval shared_ext=\"$shrext\"
+ eval libname=\"$libname_spec\"
+ ;;
+ *)
+ if test "$module" = no; then
+ $echo "$modename: libtool library \`$output' must begin with \`lib'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+ if test "$need_lib_prefix" != no; then
+ # Add the "lib" prefix for modules if required
+ name=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ eval shared_ext=\"$shrext\"
+ eval libname=\"$libname_spec\"
+ else
+ libname=`$echo "X$outputname" | $Xsed -e 's/\.la$//'`
+ fi
+ ;;
+ esac
+
+ if test -n "$objs"; then
+ if test "$deplibs_check_method" != pass_all; then
+ $echo "$modename: cannot build libtool library \`$output' from non-libtool objects on this host:$objs" 2>&1
+ exit 1
+ else
+ $echo
+ $echo "*** Warning: Linking the shared library $output against the non-libtool"
+ $echo "*** objects $objs is not portable!"
+ libobjs="$libobjs $objs"
+ fi
+ fi
+
+ if test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen self' is ignored for libtool libraries" 1>&2
+ fi
+
+ set dummy $rpath
+ if test "$#" -gt 2; then
+ $echo "$modename: warning: ignoring multiple \`-rpath's for a libtool library" 1>&2
+ fi
+ install_libdir="$2"
+
+ oldlibs=
+ if test -z "$rpath"; then
+ if test "$build_libtool_libs" = yes; then
+ # Building a libtool convenience library.
+ # Some compilers have problems with a `.al' extension so
+ # convenience libraries should have the same extension an
+ # archive normally would.
+ oldlibs="$output_objdir/$libname.$libext $oldlibs"
+ build_libtool_libs=convenience
+ build_old_libs=yes
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info/-version-number' is ignored for convenience libraries" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for convenience libraries" 1>&2
+ fi
+ else
+
+ # Parse the version information argument.
+ save_ifs="$IFS"; IFS=':'
+ set dummy $vinfo 0 0 0
+ IFS="$save_ifs"
+
+ if test -n "$8"; then
+ $echo "$modename: too many parameters to \`-version-info'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # convert absolute version numbers to libtool ages
+ # this retains compatibility with .la files and attempts
+ # to make the code below a bit more comprehensible
+
+ case $vinfo_number in
+ yes)
+ number_major="$2"
+ number_minor="$3"
+ number_revision="$4"
+ #
+ # There are really only two kinds -- those that
+ # use the current revision as the major version
+ # and those that subtract age and use age as
+ # a minor version. But, then there is irix
+ # which has an extra 1 added just for fun
+ #
+ case $version_type in
+ darwin|linux|osf|windows)
+ current=`expr $number_major + $number_minor`
+ age="$number_minor"
+ revision="$number_revision"
+ ;;
+ freebsd-aout|freebsd-elf|sunos)
+ current="$number_major"
+ revision="$number_minor"
+ age="0"
+ ;;
+ irix|nonstopux)
+ current=`expr $number_major + $number_minor - 1`
+ age="$number_minor"
+ revision="$number_minor"
+ ;;
+ esac
+ ;;
+ no)
+ current="$2"
+ revision="$3"
+ age="$4"
+ ;;
+ esac
+
+ # Check that each of the things are valid numbers.
+ case $current in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ case $revision in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ case $age in
+ 0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+ *)
+ $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if test "$age" -gt "$current"; then
+ $echo "$modename: AGE \`$age' is greater than the current interface number \`$current'" 1>&2
+ $echo "$modename: \`$vinfo' is not valid version information" 1>&2
+ exit 1
+ fi
+
+ # Calculate the version variables.
+ major=
+ versuffix=
+ verstring=
+ case $version_type in
+ none) ;;
+
+ darwin)
+ # Like Linux, but with the current version available in
+ # verstring for coding it into the library header
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ # Darwin ld doesn't like 0 for these options...
+ minor_current=`expr $current + 1`
+ verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+ ;;
+
+ freebsd-aout)
+ major=".$current"
+ versuffix=".$current.$revision";
+ ;;
+
+ freebsd-elf)
+ major=".$current"
+ versuffix=".$current";
+ ;;
+
+ irix | nonstopux)
+ major=`expr $current - $age + 1`
+
+ case $version_type in
+ nonstopux) verstring_prefix=nonstopux ;;
+ *) verstring_prefix=sgi ;;
+ esac
+ verstring="$verstring_prefix$major.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$revision
+ while test "$loop" -ne 0; do
+ iface=`expr $revision - $loop`
+ loop=`expr $loop - 1`
+ verstring="$verstring_prefix$major.$iface:$verstring"
+ done
+
+ # Before this point, $major must not contain `.'.
+ major=.$major
+ versuffix="$major.$revision"
+ ;;
+
+ linux)
+ major=.`expr $current - $age`
+ versuffix="$major.$age.$revision"
+ ;;
+
+ osf)
+ major=.`expr $current - $age`
+ versuffix=".$current.$age.$revision"
+ verstring="$current.$age.$revision"
+
+ # Add in all the interfaces that we are compatible with.
+ loop=$age
+ while test "$loop" -ne 0; do
+ iface=`expr $current - $loop`
+ loop=`expr $loop - 1`
+ verstring="$verstring:${iface}.0"
+ done
+
+ # Make executables depend on our current version.
+ verstring="$verstring:${current}.0"
+ ;;
+
+ sunos)
+ major=".$current"
+ versuffix=".$current.$revision"
+ ;;
+
+ windows)
+ # Use '-' rather than '.', since we only want one
+ # extension on DOS 8.3 filesystems.
+ major=`expr $current - $age`
+ versuffix="-$major"
+ ;;
+
+ *)
+ $echo "$modename: unknown library version type \`$version_type'" 1>&2
+ $echo "Fatal configuration error. See the $PACKAGE docs for more information." 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Clear the version info if we defaulted, and they specified a release.
+ if test -z "$vinfo" && test -n "$release"; then
+ major=
+ case $version_type in
+ darwin)
+ # we can't check for "0.0" in archive_cmds due to quoting
+ # problems, so we reset it completely
+ verstring=
+ ;;
+ *)
+ verstring="0.0"
+ ;;
+ esac
+ if test "$need_version" = no; then
+ versuffix=
+ else
+ versuffix=".0.0"
+ fi
+ fi
+
+ # Remove version info from name if versioning should be avoided
+ if test "$avoid_version" = yes && test "$need_version" = no; then
+ major=
+ versuffix=
+ verstring=""
+ fi
+
+ # Check to see if the archive will have undefined symbols.
+ if test "$allow_undefined" = yes; then
+ if test "$allow_undefined_flag" = unsupported; then
+ $echo "$modename: warning: undefined symbols not allowed in $host shared libraries" 1>&2
+ build_libtool_libs=no
+ build_old_libs=yes
+ fi
+ else
+ # Don't allow undefined symbols.
+ allow_undefined_flag="$no_undefined_flag"
+ fi
+ fi
+
+ if test "$mode" != relink; then
+ # Remove our outputs, but don't remove object files since they
+ # may have been created when compiling PIC objects.
+ removelist=
+ tempremovelist=`$echo "$output_objdir/*"`
+ for p in $tempremovelist; do
+ case $p in
+ *.$objext)
+ ;;
+ $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
+ if echo $p | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
+ then
+ continue
+ fi
+ removelist="$removelist $p"
+ ;;
+ *) ;;
+ esac
+ done
+ if test -n "$removelist"; then
+ $show "${rm}r $removelist"
+ $run ${rm}r $removelist
+ fi
+ fi
+
+ # Now set the variables for building old libraries.
+ if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+ oldlibs="$oldlibs $output_objdir/$libname.$libext"
+
+ # Transform .lo files to .o files.
+ oldobjs="$objs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}'$/d' -e "$lo2o" | $NL2SP`
+ fi
+
+ # Eliminate all temporary directories.
+ for path in $notinst_path; do
+ lib_search_path=`$echo "$lib_search_path " | ${SED} -e 's% $path % %g'`
+ deplibs=`$echo "$deplibs " | ${SED} -e 's% -L$path % %g'`
+ dependency_libs=`$echo "$dependency_libs " | ${SED} -e 's% -L$path % %g'`
+ done
+
+ if test -n "$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ temp_xrpath=
+ for libdir in $xrpath; do
+ temp_xrpath="$temp_xrpath -R$libdir"
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+ dependency_libs="$temp_xrpath $dependency_libs"
+ fi
+ fi
+
+ # Make sure dlfiles contains only unique files that won't be dlpreopened
+ old_dlfiles="$dlfiles"
+ dlfiles=
+ for lib in $old_dlfiles; do
+ case " $dlprefiles $dlfiles " in
+ *" $lib "*) ;;
+ *) dlfiles="$dlfiles $lib" ;;
+ esac
+ done
+
+ # Make sure dlprefiles contains only unique files
+ old_dlprefiles="$dlprefiles"
+ dlprefiles=
+ for lib in $old_dlprefiles; do
+ case "$dlprefiles " in
+ *" $lib "*) ;;
+ *) dlprefiles="$dlprefiles $lib" ;;
+ esac
+ done
+
+ if test "$build_libtool_libs" = yes; then
+ if test -n "$rpath"; then
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos*)
+ # these systems don't actually have a c library (as such)!
+ ;;
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # Rhapsody C library is in the System framework
+ deplibs="$deplibs -framework System"
+ ;;
+ *-*-netbsd*)
+ # Don't link with libc until the a.out ld.so is fixed.
+ ;;
+ *-*-openbsd* | *-*-freebsd*)
+ # Do not include libc due to us having libc/libc_r.
+ test "X$arg" = "X-lc" && continue
+ ;;
+ *)
+ # Add libc to deplibs on all other systems if necessary.
+ if test "$build_libtool_need_lc" = "yes"; then
+ deplibs="$deplibs -lc"
+ fi
+ ;;
+ esac
+ fi
+
+ # Transform deplibs into only deplibs that can be linked in shared.
+ name_save=$name
+ libname_save=$libname
+ release_save=$release
+ versuffix_save=$versuffix
+ major_save=$major
+ # I'm not sure if I'm treating the release correctly. I think
+ # release should show up in the -l (ie -lgmp5) so we don't want to
+ # add it in twice. Is that correct?
+ release=""
+ versuffix=""
+ major=""
+ newdeplibs=
+ droppeddeps=no
+ case $deplibs_check_method in
+ pass_all)
+ # Don't check for shared/static. Everything works.
+ # This might be a little naive. We might want to check
+ # whether the library exists or not. But this is on
+ # osf3 & osf4 and I'm not really sure... Just
+ # implementing what was already the behavior.
+ newdeplibs=$deplibs
+ ;;
+ test_compile)
+ # This code stresses the "libraries are programs" paradigm to its
+ # limits. Maybe even breaks it. We compile a program, linking it
+ # against the deplibs as a proxy for the library. Then we can check
+ # whether they linked in statically or dynamically with ldd.
+ $rm conftest.c
+ cat > conftest.c <<EOF
+ int main() { return 0; }
+EOF
+ $rm conftest
+ $LTCC -o conftest conftest.c $deplibs
+ if test "$?" -eq 0 ; then
+ ldd_output=`ldd conftest`
+ for i in $deplibs; do
+ name="`expr $i : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" -ne "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $i "*)
+ newdeplibs="$newdeplibs $i"
+ i=""
+ ;;
+ esac
+ fi
+ if test -n "$i" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: dynamic linker does not accept needed library $i."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which I believe you do not have"
+ $echo "*** because a test_compile did reveal that the linker did not use it for"
+ $echo "*** its dynamic dependency list that programs get resolved with at runtime."
+ fi
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ else
+ # Error occurred in the first compile. Let's try to salvage
+ # the situation: Compile a separate program for each library.
+ for i in $deplibs; do
+ name="`expr $i : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" != "0"; then
+ $rm conftest
+ $LTCC -o conftest conftest.c $i
+ # Did it work?
+ if test "$?" -eq 0 ; then
+ ldd_output=`ldd conftest`
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $i "*)
+ newdeplibs="$newdeplibs $i"
+ i=""
+ ;;
+ esac
+ fi
+ if test -n "$i" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ deplib_matches=`eval \\$echo \"$library_names_spec\"`
+ set dummy $deplib_matches
+ deplib_match=$2
+ if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+ newdeplibs="$newdeplibs $i"
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: dynamic linker does not accept needed library $i."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because a test_compile did reveal that the linker did not use this one"
+ $echo "*** as a dynamic dependency that programs can get resolved with at runtime."
+ fi
+ fi
+ else
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning! Library $i is needed by this library but I was not able to"
+ $echo "*** make it link in! You will probably need to install it or some"
+ $echo "*** library that it depends on before this library will be fully"
+ $echo "*** functional. Installing it before continuing would be even better."
+ fi
+ else
+ newdeplibs="$newdeplibs $i"
+ fi
+ done
+ fi
+ ;;
+ file_magic*)
+ set dummy $deplibs_check_method
+ file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name="`expr $a_deplib : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test "$name" != "" && test "$name" != "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $a_deplib "*)
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ ;;
+ esac
+ fi
+ if test -n "$a_deplib" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ # Follow soft links.
+ if ls -lLd "$potent_lib" 2>/dev/null \
+ | grep " -> " >/dev/null; then
+ continue
+ fi
+ # The statement above tries to avoid entering an
+ # endless loop below, in case of cyclic links.
+ # We might still enter an endless loop, since a link
+ # loop can be closed while we follow links,
+ # but so what?
+ potlib="$potent_lib"
+ while test -h "$potlib" 2>/dev/null; do
+ potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
+ case $potliblink in
+ [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
+ *) potlib=`$echo "X$potlib" | $Xsed -e 's,[^/]*$,,'`"$potliblink";;
+ esac
+ done
+ if eval $file_magic_cmd \"\$potlib\" 2>/dev/null \
+ | ${SED} 10q \
+ | $EGREP "$file_magic_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ fi
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: linker path does not have real file for library $a_deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because I did check the linker path looking for a file starting"
+ if test -z "$potlib" ; then
+ $echo "*** with $libname but no candidates were found. (...for file magic test)"
+ else
+ $echo "*** with $libname and none of the candidates passed a file format test"
+ $echo "*** using a file magic. Last file checked: $potlib"
+ fi
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ match_pattern*)
+ set dummy $deplibs_check_method
+ match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
+ for a_deplib in $deplibs; do
+ name="`expr $a_deplib : '-l\(.*\)'`"
+ # If $name is empty we are operating on a -L argument.
+ if test -n "$name" && test "$name" != "0"; then
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ case " $predeps $postdeps " in
+ *" $a_deplib "*)
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ ;;
+ esac
+ fi
+ if test -n "$a_deplib" ; then
+ libname=`eval \\$echo \"$libname_spec\"`
+ for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
+ potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
+ for potent_lib in $potential_libs; do
+ potlib="$potent_lib" # see symlink-check above in file_magic test
+ if eval $echo \"$potent_lib\" 2>/dev/null \
+ | ${SED} 10q \
+ | $EGREP "$match_pattern_regex" > /dev/null; then
+ newdeplibs="$newdeplibs $a_deplib"
+ a_deplib=""
+ break 2
+ fi
+ done
+ done
+ fi
+ if test -n "$a_deplib" ; then
+ droppeddeps=yes
+ $echo
+ $echo "*** Warning: linker path does not have real file for library $a_deplib."
+ $echo "*** I have the capability to make that library automatically link in when"
+ $echo "*** you link to this library. But I can only do this if you have a"
+ $echo "*** shared version of the library, which you do not appear to have"
+ $echo "*** because I did check the linker path looking for a file starting"
+ if test -z "$potlib" ; then
+ $echo "*** with $libname but no candidates were found. (...for regex pattern test)"
+ else
+ $echo "*** with $libname and none of the candidates passed a file format test"
+ $echo "*** using a regex pattern. Last file checked: $potlib"
+ fi
+ fi
+ else
+ # Add a -L argument.
+ newdeplibs="$newdeplibs $a_deplib"
+ fi
+ done # Gone through all deplibs.
+ ;;
+ none | unknown | *)
+ newdeplibs=""
+ tmp_deplibs=`$echo "X $deplibs" | $Xsed -e 's/ -lc$//' \
+ -e 's/ -[LR][^ ]*//g'`
+ if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+ for i in $predeps $postdeps ; do
+ # can't use Xsed below, because $i might contain '/'
+ tmp_deplibs=`$echo "X $tmp_deplibs" | ${SED} -e "1s,^X,," -e "s,$i,,"`
+ done
+ fi
+ if $echo "X $tmp_deplibs" | $Xsed -e 's/[ ]//g' \
+ | grep . >/dev/null; then
+ $echo
+ if test "X$deplibs_check_method" = "Xnone"; then
+ $echo "*** Warning: inter-library dependencies are not supported in this platform."
+ else
+ $echo "*** Warning: inter-library dependencies are not known to be supported."
+ fi
+ $echo "*** All declared inter-library dependencies are being dropped."
+ droppeddeps=yes
+ fi
+ ;;
+ esac
+ versuffix=$versuffix_save
+ major=$major_save
+ release=$release_save
+ libname=$libname_save
+ name=$name_save
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ newdeplibs=`$echo "X $newdeplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ if test "$droppeddeps" = yes; then
+ if test "$module" = yes; then
+ $echo
+ $echo "*** Warning: libtool could not satisfy all declared inter-library"
+ $echo "*** dependencies of module $libname. Therefore, libtool will create"
+ $echo "*** a static module, that should work as long as the dlopening"
+ $echo "*** application is linked with the -dlopen flag."
+ if test -z "$global_symbol_pipe"; then
+ $echo
+ $echo "*** However, this would only work if libtool was able to extract symbol"
+ $echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+ $echo "*** not find such a program. So, this module is probably useless."
+ $echo "*** \`nm' from GNU binutils and a full rebuild may help."
+ fi
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ else
+ $echo "*** The inter-library dependencies that have been dropped here will be"
+ $echo "*** automatically added whenever a program is linked with this library"
+ $echo "*** or is declared to -dlopen it."
+
+ if test "$allow_undefined" = no; then
+ $echo
+ $echo "*** Since this library must not contain undefined symbols,"
+ $echo "*** because either the platform does not support them or"
+ $echo "*** it was explicitly requested with -no-undefined,"
+ $echo "*** libtool will only create a static version of it."
+ if test "$build_old_libs" = no; then
+ oldlibs="$output_objdir/$libname.$libext"
+ build_libtool_libs=module
+ build_old_libs=yes
+ else
+ build_libtool_libs=no
+ fi
+ fi
+ fi
+ fi
+ # Done checking deplibs!
+ deplibs=$newdeplibs
+ fi
+
+ # All the library-specific variables (install_libdir is set above).
+ library_names=
+ old_library=
+ dlname=
+
+ # Test again, we may have decided not to build it any more
+ if test "$build_libtool_libs" = yes; then
+ if test "$hardcode_into_libs" = yes; then
+ # Hardcode the library paths
+ hardcode_libdirs=
+ dep_rpath=
+ rpath="$finalize_rpath"
+ test "$mode" != relink && rpath="$compile_rpath$rpath"
+ for libdir in $rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ dep_rpath="$dep_rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ if test -n "$hardcode_libdir_flag_spec_ld"; then
+ eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
+ else
+ eval dep_rpath=\"$hardcode_libdir_flag_spec\"
+ fi
+ fi
+ if test -n "$runpath_var" && test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var"
+ fi
+ test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
+ fi
+
+ shlibpath="$finalize_shlibpath"
+ test "$mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+ if test -n "$shlibpath"; then
+ eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
+ fi
+
+ # Get the real and link names of the library.
+ eval shared_ext=\"$shrext\"
+ eval library_names=\"$library_names_spec\"
+ set dummy $library_names
+ realname="$2"
+ shift; shift
+
+ if test -n "$soname_spec"; then
+ eval soname=\"$soname_spec\"
+ else
+ soname="$realname"
+ fi
+ if test -z "$dlname"; then
+ dlname=$soname
+ fi
+
+ lib="$output_objdir/$realname"
+ for link
+ do
+ linknames="$linknames $link"
+ done
+
+ # Use standard objects if they are pic
+ test -z "$pic_flag" && libobjs=`$echo "X$libobjs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
+ $show "generating symbol list for \`$libname.la'"
+ export_symbols="$output_objdir/$libname.exp"
+ $run $rm $export_symbols
+ cmds=$export_symbols_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ if len=`expr "X$cmd" : ".*"` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ skipped_export=false
+ else
+ # The command line is too long to execute in one step.
+ $show "using reloadable object file for export list..."
+ skipped_export=:
+ fi
+ done
+ IFS="$save_ifs"
+ if test -n "$export_symbols_regex"; then
+ $show "$EGREP -e \"$export_symbols_regex\" \"$export_symbols\" > \"${export_symbols}T\""
+ $run eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
+ $show "$mv \"${export_symbols}T\" \"$export_symbols\""
+ $run eval '$mv "${export_symbols}T" "$export_symbols"'
+ fi
+ fi
+ fi
+
+ if test -n "$export_symbols" && test -n "$include_expsyms"; then
+ $run eval '$echo "X$include_expsyms" | $SP2NL >> "$export_symbols"'
+ fi
+
+ tmp_deplibs=
+ for test_deplib in $deplibs; do
+ case " $convenience " in
+ *" $test_deplib "*) ;;
+ *)
+ tmp_deplibs="$tmp_deplibs $test_deplib"
+ ;;
+ esac
+ done
+ deplibs="$tmp_deplibs"
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ save_libobjs=$libobjs
+ eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${outputname}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "$mkdir $gentop"
+ $run $mkdir "$gentop"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ for xlib in $convenience; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "$mkdir $xdir"
+ $run $mkdir "$xdir"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ # We will extract separately just the conflicting names and we will no
+ # longer touch any unique names. It is faster to leave these extract
+ # automatically by $AR in one run.
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+ if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+ $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+ $AR t "$xabs" | sort | uniq -cd | while read -r count name
+ do
+ i=1
+ while test "$i" -le "$count"
+ do
+ # Put our $i before any first dot (extension)
+ # Never overwrite any file
+ name_to="$name"
+ while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+ do
+ name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+ done
+ $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+ $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+ i=`expr $i + 1`
+ done
+ done
+ fi
+
+ libobjs="$libobjs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+ fi
+
+ if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+ eval flag=\"$thread_safe_flag_spec\"
+ linker_flags="$linker_flags $flag"
+ fi
+
+ # Make a backup of the uninstalled library when relinking
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}U && $mv $realname ${realname}U)' || exit $?
+ fi
+
+ # Do each of the archive commands.
+ if test "$module" = yes && test -n "$module_cmds" ; then
+ if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+ eval test_cmds=\"$module_expsym_cmds\"
+ cmds=$module_expsym_cmds
+ else
+ eval test_cmds=\"$module_cmds\"
+ cmds=$module_cmds
+ fi
+ else
+ if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+ eval test_cmds=\"$archive_expsym_cmds\"
+ cmds=$archive_expsym_cmds
+ else
+ eval test_cmds=\"$archive_cmds\"
+ cmds=$archive_cmds
+ fi
+ fi
+
+ if test "X$skipped_export" != "X:" && len=`expr "X$test_cmds" : ".*"` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ :
+ else
+ # The command line is too long to link in one step, link piecewise.
+ $echo "creating reloadable object files..."
+
+ # Save the value of $output and $libobjs because we want to
+ # use them later. If we have whole_archive_flag_spec, we
+ # want to use save_libobjs as it was before
+ # whole_archive_flag_spec was expanded, because we can't
+ # assume the linker understands whole_archive_flag_spec.
+ # This may have to be revisited, in case too many
+ # convenience libraries get linked in and end up exceeding
+ # the spec.
+ if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then
+ save_libobjs=$libobjs
+ fi
+ save_output=$output
+
+ # Clear the reloadable object creation command queue and
+ # initialize k to one.
+ test_cmds=
+ concat_cmds=
+ objlist=
+ delfiles=
+ last_robj=
+ k=1
+ output=$output_objdir/$save_output-${k}.$objext
+ # Loop over the list of objects to be linked.
+ for obj in $save_libobjs
+ do
+ eval test_cmds=\"$reload_cmds $objlist $last_robj\"
+ if test "X$objlist" = X ||
+ { len=`expr "X$test_cmds" : ".*"` &&
+ test "$len" -le "$max_cmd_len"; }; then
+ objlist="$objlist $obj"
+ else
+ # The command $test_cmds is almost too long, add a
+ # command to the queue.
+ if test "$k" -eq 1 ; then
+ # The first file doesn't have a previous command to add.
+ eval concat_cmds=\"$reload_cmds $objlist $last_robj\"
+ else
+ # All subsequent reloadable object files will link in
+ # the last one created.
+ eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
+ fi
+ last_robj=$output_objdir/$save_output-${k}.$objext
+ k=`expr $k + 1`
+ output=$output_objdir/$save_output-${k}.$objext
+ objlist=$obj
+ len=1
+ fi
+ done
+ # Handle the remaining objects by creating one last
+ # reloadable object file. All subsequent reloadable object
+ # files will link in the last one created.
+ test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+ eval concat_cmds=\"\${concat_cmds}$reload_cmds $objlist $last_robj\"
+
+ if ${skipped_export-false}; then
+ $show "generating symbol list for \`$libname.la'"
+ export_symbols="$output_objdir/$libname.exp"
+ $run $rm $export_symbols
+ libobjs=$output
+ # Append the command to create the export file.
+ eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
+ fi
+
+ # Set up a command to remove the reloadale object files
+ # after they are used.
+ i=0
+ while test "$i" -lt "$k"
+ do
+ i=`expr $i + 1`
+ delfiles="$delfiles $output_objdir/$save_output-${i}.$objext"
+ done
+
+ $echo "creating a temporary reloadable object file: $output"
+
+ # Loop through the commands generated above and execute them.
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $concat_cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ libobjs=$output
+ # Restore the value of output.
+ output=$save_output
+
+ if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then
+ eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
+ fi
+ # Expand the library linking commands again to reset the
+ # value of $libobjs for piecewise linking.
+
+ # Do each of the archive commands.
+ if test "$module" = yes && test -n "$module_cmds" ; then
+ if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
+ cmds=$module_expsym_cmds
+ else
+ cmds=$module_cmds
+ fi
+ else
+ if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then
+ cmds=$archive_expsym_cmds
+ else
+ cmds=$archive_cmds
+ fi
+ fi
+
+ # Append the command to remove the reloadable object files
+ # to the just-reset $cmds.
+ eval cmds=\"\$cmds~\$rm $delfiles\"
+ fi
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ # Restore the uninstalled library and exit
+ if test "$mode" = relink; then
+ $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+ exit 0
+ fi
+
+ # Create links to the real library.
+ for linkname in $linknames; do
+ if test "$realname" != "$linkname"; then
+ $show "(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)"
+ $run eval '(cd $output_objdir && $rm $linkname && $LN_S $realname $linkname)' || exit $?
+ fi
+ done
+
+ # If -module or -export-dynamic was specified, set the dlname.
+ if test "$module" = yes || test "$export_dynamic" = yes; then
+ # On all known operating systems, these are identical.
+ dlname="$soname"
+ fi
+ fi
+ ;;
+
+ obj)
+ if test -n "$deplibs"; then
+ $echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
+ fi
+
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ $echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$rpath"; then
+ $echo "$modename: warning: \`-rpath' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$xrpath"; then
+ $echo "$modename: warning: \`-R' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for objects" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for objects" 1>&2
+ fi
+
+ case $output in
+ *.lo)
+ if test -n "$objs$old_deplibs"; then
+ $echo "$modename: cannot build library object \`$output' from non-libtool objects" 1>&2
+ exit 1
+ fi
+ libobj="$output"
+ obj=`$echo "X$output" | $Xsed -e "$lo2o"`
+ ;;
+ *)
+ libobj=
+ obj="$output"
+ ;;
+ esac
+
+ # Delete the old objects.
+ $run $rm $obj $libobj
+
+ # Objects from convenience libraries. This assumes
+ # single-version convenience libraries. Whenever we create
+ # different ones for PIC/non-PIC, this we'll have to duplicate
+ # the extraction.
+ reload_conv_objs=
+ gentop=
+ # reload_cmds runs $LD directly, so let us get rid of
+ # -Wl from whole_archive_flag_spec
+ wl=
+
+ if test -n "$convenience"; then
+ if test -n "$whole_archive_flag_spec"; then
+ eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+ else
+ gentop="$output_objdir/${obj}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "$mkdir $gentop"
+ $run $mkdir "$gentop"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ for xlib in $convenience; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "$mkdir $xdir"
+ $run $mkdir "$xdir"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ # We will extract separately just the conflicting names and we will no
+ # longer touch any unique names. It is faster to leave these extract
+ # automatically by $AR in one run.
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+ if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+ $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+ $AR t "$xabs" | sort | uniq -cd | while read -r count name
+ do
+ i=1
+ while test "$i" -le "$count"
+ do
+ # Put our $i before any first dot (extension)
+ # Never overwrite any file
+ name_to="$name"
+ while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+ do
+ name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+ done
+ $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+ $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+ i=`expr $i + 1`
+ done
+ done
+ fi
+
+ reload_conv_objs="$reload_objs "`find $xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+ fi
+
+ # Create the old-style object.
+ reload_objs="$objs$old_deplibs "`$echo "X$libobjs" | $SP2NL | $Xsed -e '/\.'${libext}$'/d' -e '/\.lib$/d' -e "$lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+
+ output="$obj"
+ cmds=$reload_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+
+ # Exit if we aren't doing a library object file.
+ if test -z "$libobj"; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit 0
+ fi
+
+ if test "$build_libtool_libs" != yes; then
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ # Create an invalid libtool object if no PIC, so that we don't
+ # accidentally link it into a program.
+ # $show "echo timestamp > $libobj"
+ # $run eval "echo timestamp > $libobj" || exit $?
+ exit 0
+ fi
+
+ if test -n "$pic_flag" || test "$pic_mode" != default; then
+ # Only do commands if we really have different PIC objects.
+ reload_objs="$libobjs $reload_conv_objs"
+ output="$libobj"
+ cmds=$reload_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ if test -n "$gentop"; then
+ $show "${rm}r $gentop"
+ $run ${rm}r $gentop
+ fi
+
+ exit 0
+ ;;
+
+ prog)
+ case $host in
+ *cygwin*) output=`$echo $output | ${SED} -e 's,.exe$,,;s,$,.exe,'` ;;
+ esac
+ if test -n "$vinfo"; then
+ $echo "$modename: warning: \`-version-info' is ignored for programs" 1>&2
+ fi
+
+ if test -n "$release"; then
+ $echo "$modename: warning: \`-release' is ignored for programs" 1>&2
+ fi
+
+ if test "$preload" = yes; then
+ if test "$dlopen_support" = unknown && test "$dlopen_self" = unknown &&
+ test "$dlopen_self_static" = unknown; then
+ $echo "$modename: warning: \`AC_LIBTOOL_DLOPEN' not used. Assuming no dlopen support."
+ fi
+ fi
+
+ case $host in
+ *-*-rhapsody* | *-*-darwin1.[012])
+ # On Rhapsody replace the C library is the System framework
+ compile_deplibs=`$echo "X $compile_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ finalize_deplibs=`$echo "X $finalize_deplibs" | $Xsed -e 's/ -lc / -framework System /'`
+ ;;
+ esac
+
+ case $host in
+ *darwin*)
+ # Don't allow lazy linking, it breaks C++ global constructors
+ if test "$tagname" = CXX ; then
+ compile_command="$compile_command ${wl}-bind_at_load"
+ finalize_command="$finalize_command ${wl}-bind_at_load"
+ fi
+ ;;
+ esac
+
+ compile_command="$compile_command $compile_deplibs"
+ finalize_command="$finalize_command $finalize_deplibs"
+
+ if test -n "$rpath$xrpath"; then
+ # If the user specified any rpath flags, then add them.
+ for libdir in $rpath $xrpath; do
+ # This is the magic to use -rpath.
+ case "$finalize_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_rpath="$finalize_rpath $libdir" ;;
+ esac
+ done
+ fi
+
+ # Now hardcode the library paths
+ rpath=
+ hardcode_libdirs=
+ for libdir in $compile_rpath $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$perm_rpath " in
+ *" $libdir "*) ;;
+ *) perm_rpath="$perm_rpath $libdir" ;;
+ esac
+ fi
+ case $host in
+ *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+ case :$dllsearchpath: in
+ *":$libdir:"*) ;;
+ *) dllsearchpath="$dllsearchpath:$libdir";;
+ esac
+ ;;
+ esac
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ compile_rpath="$rpath"
+
+ rpath=
+ hardcode_libdirs=
+ for libdir in $finalize_rpath; do
+ if test -n "$hardcode_libdir_flag_spec"; then
+ if test -n "$hardcode_libdir_separator"; then
+ if test -z "$hardcode_libdirs"; then
+ hardcode_libdirs="$libdir"
+ else
+ # Just accumulate the unique libdirs.
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
+ *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*)
+ ;;
+ *)
+ hardcode_libdirs="$hardcode_libdirs$hardcode_libdir_separator$libdir"
+ ;;
+ esac
+ fi
+ else
+ eval flag=\"$hardcode_libdir_flag_spec\"
+ rpath="$rpath $flag"
+ fi
+ elif test -n "$runpath_var"; then
+ case "$finalize_perm_rpath " in
+ *" $libdir "*) ;;
+ *) finalize_perm_rpath="$finalize_perm_rpath $libdir" ;;
+ esac
+ fi
+ done
+ # Substitute the hardcoded libdirs into the rpath.
+ if test -n "$hardcode_libdir_separator" &&
+ test -n "$hardcode_libdirs"; then
+ libdir="$hardcode_libdirs"
+ eval rpath=\" $hardcode_libdir_flag_spec\"
+ fi
+ finalize_rpath="$rpath"
+
+ if test -n "$libobjs" && test "$build_old_libs" = yes; then
+ # Transform all the library objects into standard objects.
+ compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ fi
+
+ dlsyms=
+ if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+ if test -n "$NM" && test -n "$global_symbol_pipe"; then
+ dlsyms="${outputname}S.c"
+ else
+ $echo "$modename: not configured to extract global symbols from dlpreopened files" 1>&2
+ fi
+ fi
+
+ if test -n "$dlsyms"; then
+ case $dlsyms in
+ "") ;;
+ *.c)
+ # Discover the nlist of each of the dlfiles.
+ nlist="$output_objdir/${outputname}.nm"
+
+ $show "$rm $nlist ${nlist}S ${nlist}T"
+ $run $rm "$nlist" "${nlist}S" "${nlist}T"
+
+ # Parse the name list into a source file.
+ $show "creating $output_objdir/$dlsyms"
+
+ test -z "$run" && $echo > "$output_objdir/$dlsyms" "\
+/* $dlsyms - symbol resolution table for \`$outputname' dlsym emulation. */
+/* Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP */
+
+#ifdef __cplusplus
+extern \"C\" {
+#endif
+
+/* Prevent the only kind of declaration conflicts we can make. */
+#define lt_preloaded_symbols some_other_symbol
+
+/* External symbol declarations for the compiler. */\
+"
+
+ if test "$dlself" = yes; then
+ $show "generating symbol list for \`$output'"
+
+ test -z "$run" && $echo ': @PROGRAM@ ' > "$nlist"
+
+ # Add our own program objects to the symbol list.
+ progfiles=`$echo "X$objs$old_deplibs" | $SP2NL | $Xsed -e "$lo2o" | $NL2SP`
+ for arg in $progfiles; do
+ $show "extracting global C symbols from \`$arg'"
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -n "$exclude_expsyms"; then
+ $run eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ if test -n "$export_symbols_regex"; then
+ $run eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T'
+ $run eval '$mv "$nlist"T "$nlist"'
+ fi
+
+ # Prepare the list of exported symbols
+ if test -z "$export_symbols"; then
+ export_symbols="$output_objdir/$output.exp"
+ $run $rm $export_symbols
+ $run eval "${SED} -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+ else
+ $run eval "${SED} -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
+ $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+ $run eval 'mv "$nlist"T "$nlist"'
+ fi
+ fi
+
+ for arg in $dlprefiles; do
+ $show "extracting global C symbols from \`$arg'"
+ name=`$echo "$arg" | ${SED} -e 's%^.*/%%'`
+ $run eval '$echo ": $name " >> "$nlist"'
+ $run eval "$NM $arg | $global_symbol_pipe >> '$nlist'"
+ done
+
+ if test -z "$run"; then
+ # Make sure we have at least an empty file.
+ test -f "$nlist" || : > "$nlist"
+
+ if test -n "$exclude_expsyms"; then
+ $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T
+ $mv "$nlist"T "$nlist"
+ fi
+
+ # Try sorting and uniquifying the output.
+ if grep -v "^: " < "$nlist" |
+ if sort -k 3 </dev/null >/dev/null 2>&1; then
+ sort -k 3
+ else
+ sort +2
+ fi |
+ uniq > "$nlist"S; then
+ :
+ else
+ grep -v "^: " < "$nlist" > "$nlist"S
+ fi
+
+ if test -f "$nlist"S; then
+ eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$dlsyms"'
+ else
+ $echo '/* NONE */' >> "$output_objdir/$dlsyms"
+ fi
+
+ $echo >> "$output_objdir/$dlsyms" "\
+
+#undef lt_preloaded_symbols
+
+#if defined (__STDC__) && __STDC__
+# define lt_ptr void *
+#else
+# define lt_ptr char *
+# define const
+#endif
+
+/* The mapping between symbol names and symbols. */
+const struct {
+ const char *name;
+ lt_ptr address;
+}
+lt_preloaded_symbols[] =
+{\
+"
+
+ eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$dlsyms"
+
+ $echo >> "$output_objdir/$dlsyms" "\
+ {0, (lt_ptr) 0}
+};
+
+/* This works around a problem in FreeBSD linker */
+#ifdef FREEBSD_WORKAROUND
+static const void *lt_preloaded_setup() {
+ return lt_preloaded_symbols;
+}
+#endif
+
+#ifdef __cplusplus
+}
+#endif\
+"
+ fi
+
+ pic_flag_for_symtable=
+ case $host in
+ # compiling the symbol table file with pic_flag works around
+ # a FreeBSD bug that causes programs to crash when -lm is
+ # linked before any other PIC object. But we must not use
+ # pic_flag when linking with -static. The problem exists in
+ # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1.
+ *-*-freebsd2*|*-*-freebsd3.0*|*-*-freebsdelf3.0*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND";;
+ esac;;
+ *-*-hpux*)
+ case "$compile_command " in
+ *" -static "*) ;;
+ *) pic_flag_for_symtable=" $pic_flag";;
+ esac
+ esac
+
+ # Now compile the dynamic symbol file.
+ $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+ $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+
+ # Clean up the generated files.
+ $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
+ $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
+
+ # Transform the symbol file into the correct name.
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+ ;;
+ *)
+ $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
+ exit 1
+ ;;
+ esac
+ else
+ # We keep going just in case the user didn't refer to
+ # lt_preloaded_symbols. The linker will fail if global_symbol_pipe
+ # really was required.
+
+ # Nullify the symbol file.
+ compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
+ finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+ fi
+
+ if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
+ # Replace the output file specification.
+ compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ link_command="$compile_command$compile_rpath"
+
+ # We have no uninstalled library dependencies, so finalize right now.
+ $show "$link_command"
+ $run eval "$link_command"
+ status=$?
+
+ # Delete the generated files.
+ if test -n "$dlsyms"; then
+ $show "$rm $output_objdir/${outputname}S.${objext}"
+ $run $rm "$output_objdir/${outputname}S.${objext}"
+ fi
+
+ exit $status
+ fi
+
+ if test -n "$shlibpath_var"; then
+ # We should set the shlibpath_var
+ rpath=
+ for dir in $temp_rpath; do
+ case $dir in
+ [\\/]* | [A-Za-z]:[\\/]*)
+ # Absolute path.
+ rpath="$rpath$dir:"
+ ;;
+ *)
+ # Relative path: add a thisdir entry.
+ rpath="$rpath\$thisdir/$dir:"
+ ;;
+ esac
+ done
+ temp_rpath="$rpath"
+ fi
+
+ if test -n "$compile_shlibpath$finalize_shlibpath"; then
+ compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
+ fi
+ if test -n "$finalize_shlibpath"; then
+ finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command"
+ fi
+
+ compile_var=
+ finalize_var=
+ if test -n "$runpath_var"; then
+ if test -n "$perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ compile_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ if test -n "$finalize_perm_rpath"; then
+ # We should set the runpath_var.
+ rpath=
+ for dir in $finalize_perm_rpath; do
+ rpath="$rpath$dir:"
+ done
+ finalize_var="$runpath_var=\"$rpath\$$runpath_var\" "
+ fi
+ fi
+
+ if test "$no_install" = yes; then
+ # We don't need to create a wrapper script.
+ link_command="$compile_var$compile_command$compile_rpath"
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+ # Delete the old output file.
+ $run $rm $output
+ # Link the executable and exit
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+ exit 0
+ fi
+
+ if test "$hardcode_action" = relink; then
+ # Fast installation is not supported
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+
+ $echo "$modename: warning: this platform does not like uninstalled shared libraries" 1>&2
+ $echo "$modename: \`$output' will be relinked during installation" 1>&2
+ else
+ if test "$fast_install" != no; then
+ link_command="$finalize_var$compile_command$finalize_rpath"
+ if test "$fast_install" = yes; then
+ relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+ else
+ # fast_install is set to needless
+ relink_command=
+ fi
+ else
+ link_command="$compile_var$compile_command$compile_rpath"
+ relink_command="$finalize_var$finalize_command$finalize_rpath"
+ fi
+ fi
+
+ # Replace the output file specification.
+ link_command=`$echo "X$link_command" | $Xsed -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
+
+ # Delete the old output files.
+ $run $rm $output $output_objdir/$outputname $output_objdir/lt-$outputname
+
+ $show "$link_command"
+ $run eval "$link_command" || exit $?
+
+ # Now create the wrapper script.
+ $show "creating $output"
+
+ # Quote the relink command for shipping.
+ if test -n "$relink_command"; then
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ relink_command="(cd `pwd`; $relink_command)"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Quote $echo for shipping.
+ if test "X$echo" = "X$SHELL $0 --fallback-echo"; then
+ case $0 in
+ [\\/]* | [A-Za-z]:[\\/]*) qecho="$SHELL $0 --fallback-echo";;
+ *) qecho="$SHELL `pwd`/$0 --fallback-echo";;
+ esac
+ qecho=`$echo "X$qecho" | $Xsed -e "$sed_quote_subst"`
+ else
+ qecho=`$echo "X$echo" | $Xsed -e "$sed_quote_subst"`
+ fi
+
+ # Only actually do things if our run command is non-null.
+ if test -z "$run"; then
+ # win32 will think the script is a binary if it has
+ # a .exe suffix, so we strip it off here.
+ case $output in
+ *.exe) output=`$echo $output|${SED} 's,.exe$,,'` ;;
+ esac
+ # test for cygwin because mv fails w/o .exe extensions
+ case $host in
+ *cygwin*)
+ exeext=.exe
+ outputname=`$echo $outputname|${SED} 's,.exe$,,'` ;;
+ *) exeext= ;;
+ esac
+ case $host in
+ *cygwin* | *mingw* )
+ cwrappersource=`$echo ${objdir}/lt-${output}.c`
+ cwrapper=`$echo ${output}.exe`
+ $rm $cwrappersource $cwrapper
+ trap "$rm $cwrappersource $cwrapper; exit 1" 1 2 15
+
+ cat > $cwrappersource <<EOF
+
+/* $cwrappersource - temporary wrapper executable for $objdir/$outputname
+ Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+
+ The $output program cannot be directly executed until all the libtool
+ libraries that it depends on are installed.
+
+ This wrapper executable should never be moved out of the build directory.
+ If it is, it will not operate correctly.
+
+ Currently, it simply execs the wrapper *script* "/bin/sh $output",
+ but could eventually absorb all of the scripts functionality and
+ exec $objdir/$outputname directly.
+*/
+EOF
+ cat >> $cwrappersource<<"EOF"
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <malloc.h>
+#include <stdarg.h>
+#include <assert.h>
+
+#if defined(PATH_MAX)
+# define LT_PATHMAX PATH_MAX
+#elif defined(MAXPATHLEN)
+# define LT_PATHMAX MAXPATHLEN
+#else
+# define LT_PATHMAX 1024
+#endif
+
+#ifndef DIR_SEPARATOR
+#define DIR_SEPARATOR '/'
+#endif
+
+#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
+ defined (__OS2__)
+#define HAVE_DOS_BASED_FILE_SYSTEM
+#ifndef DIR_SEPARATOR_2
+#define DIR_SEPARATOR_2 '\\'
+#endif
+#endif
+
+#ifndef DIR_SEPARATOR_2
+# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR)
+#else /* DIR_SEPARATOR_2 */
+# define IS_DIR_SEPARATOR(ch) \
+ (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
+#endif /* DIR_SEPARATOR_2 */
+
+#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type)))
+#define XFREE(stale) do { \
+ if (stale) { free ((void *) stale); stale = 0; } \
+} while (0)
+
+const char *program_name = NULL;
+
+void * xmalloc (size_t num);
+char * xstrdup (const char *string);
+char * basename (const char *name);
+char * fnqualify(const char *path);
+char * strendzap(char *str, const char *pat);
+void lt_fatal (const char *message, ...);
+
+int
+main (int argc, char *argv[])
+{
+ char **newargz;
+ int i;
+
+ program_name = (char *) xstrdup ((char *) basename (argv[0]));
+ newargz = XMALLOC(char *, argc+2);
+EOF
+
+ cat >> $cwrappersource <<EOF
+ newargz[0] = "$SHELL";
+EOF
+
+ cat >> $cwrappersource <<"EOF"
+ newargz[1] = fnqualify(argv[0]);
+ /* we know the script has the same name, without the .exe */
+ /* so make sure newargz[1] doesn't end in .exe */
+ strendzap(newargz[1],".exe");
+ for (i = 1; i < argc; i++)
+ newargz[i+1] = xstrdup(argv[i]);
+ newargz[argc+1] = NULL;
+EOF
+
+ cat >> $cwrappersource <<EOF
+ execv("$SHELL",newargz);
+EOF
+
+ cat >> $cwrappersource <<"EOF"
+}
+
+void *
+xmalloc (size_t num)
+{
+ void * p = (void *) malloc (num);
+ if (!p)
+ lt_fatal ("Memory exhausted");
+
+ return p;
+}
+
+char *
+xstrdup (const char *string)
+{
+ return string ? strcpy ((char *) xmalloc (strlen (string) + 1), string) : NULL
+;
+}
+
+char *
+basename (const char *name)
+{
+ const char *base;
+
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+ /* Skip over the disk name in MSDOS pathnames. */
+ if (isalpha (name[0]) && name[1] == ':')
+ name += 2;
+#endif
+
+ for (base = name; *name; name++)
+ if (IS_DIR_SEPARATOR (*name))
+ base = name + 1;
+ return (char *) base;
+}
+
+char *
+fnqualify(const char *path)
+{
+ size_t size;
+ char *p;
+ char tmp[LT_PATHMAX + 1];
+
+ assert(path != NULL);
+
+ /* Is it qualified already? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+ if (isalpha (path[0]) && path[1] == ':')
+ return xstrdup (path);
+#endif
+ if (IS_DIR_SEPARATOR (path[0]))
+ return xstrdup (path);
+
+ /* prepend the current directory */
+ /* doesn't handle '~' */
+ if (getcwd (tmp, LT_PATHMAX) == NULL)
+ lt_fatal ("getcwd failed");
+ size = strlen(tmp) + 1 + strlen(path) + 1; /* +2 for '/' and '\0' */
+ p = XMALLOC(char, size);
+ sprintf(p, "%s%c%s", tmp, DIR_SEPARATOR, path);
+ return p;
+}
+
+char *
+strendzap(char *str, const char *pat)
+{
+ size_t len, patlen;
+
+ assert(str != NULL);
+ assert(pat != NULL);
+
+ len = strlen(str);
+ patlen = strlen(pat);
+
+ if (patlen <= len)
+ {
+ str += len - patlen;
+ if (strcmp(str, pat) == 0)
+ *str = '\0';
+ }
+ return str;
+}
+
+static void
+lt_error_core (int exit_status, const char * mode,
+ const char * message, va_list ap)
+{
+ fprintf (stderr, "%s: %s: ", program_name, mode);
+ vfprintf (stderr, message, ap);
+ fprintf (stderr, ".\n");
+
+ if (exit_status >= 0)
+ exit (exit_status);
+}
+
+void
+lt_fatal (const char *message, ...)
+{
+ va_list ap;
+ va_start (ap, message);
+ lt_error_core (EXIT_FAILURE, "FATAL", message, ap);
+ va_end (ap);
+}
+EOF
+ # we should really use a build-platform specific compiler
+ # here, but OTOH, the wrappers (shell script and this C one)
+ # are only useful if you want to execute the "real" binary.
+ # Since the "real" binary is built for $host, then this
+ # wrapper might as well be built for $host, too.
+ $run $LTCC -s -o $cwrapper $cwrappersource
+ ;;
+ esac
+ $rm $output
+ trap "$rm $output; exit 1" 1 2 15
+
+ $echo > $output "\
+#! $SHELL
+
+# $output - temporary wrapper script for $objdir/$outputname
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# The $output program cannot be directly executed until all the libtool
+# libraries that it depends on are installed.
+#
+# This wrapper script should never be moved out of the build directory.
+# If it is, it will not operate correctly.
+
+# Sed substitution that helps us do robust quoting. It backslashifies
+# metacharacters that are still active within double-quoted strings.
+Xsed='${SED} -e 1s/^X//'
+sed_quote_subst='$sed_quote_subst'
+
+# The HP-UX ksh and POSIX shell print the target directory to stdout
+# if CDPATH is set.
+if test \"\${CDPATH+set}\" = set; then CDPATH=:; export CDPATH; fi
+
+relink_command=\"$relink_command\"
+
+# This environment variable determines our operation mode.
+if test \"\$libtool_install_magic\" = \"$magic\"; then
+ # install mode needs the following variable:
+ notinst_deplibs='$notinst_deplibs'
+else
+ # When we are sourced in execute mode, \$file and \$echo are already set.
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ echo=\"$qecho\"
+ file=\"\$0\"
+ # Make sure echo works.
+ if test \"X\$1\" = X--no-reexec; then
+ # Discard the --no-reexec flag, and continue.
+ shift
+ elif test \"X\`(\$echo '\t') 2>/dev/null\`\" = 'X\t'; then
+ # Yippee, \$echo works!
+ :
+ else
+ # Restart under the correct shell, and then maybe \$echo will work.
+ exec $SHELL \"\$0\" --no-reexec \${1+\"\$@\"}
+ fi
+ fi\
+"
+ $echo >> $output "\
+
+ # Find the directory that this script lives in.
+ thisdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*$%%'\`
+ test \"x\$thisdir\" = \"x\$file\" && thisdir=.
+
+ # Follow symbolic links until we get to the real thisdir.
+ file=\`ls -ld \"\$file\" | ${SED} -n 's/.*-> //p'\`
+ while test -n \"\$file\"; do
+ destdir=\`\$echo \"X\$file\" | \$Xsed -e 's%/[^/]*\$%%'\`
+
+ # If there was a directory component, then change thisdir.
+ if test \"x\$destdir\" != \"x\$file\"; then
+ case \"\$destdir\" in
+ [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;;
+ *) thisdir=\"\$thisdir/\$destdir\" ;;
+ esac
+ fi
+
+ file=\`\$echo \"X\$file\" | \$Xsed -e 's%^.*/%%'\`
+ file=\`ls -ld \"\$thisdir/\$file\" | ${SED} -n 's/.*-> //p'\`
+ done
+
+ # Try to get the absolute directory name.
+ absdir=\`cd \"\$thisdir\" && pwd\`
+ test -n \"\$absdir\" && thisdir=\"\$absdir\"
+"
+
+ if test "$fast_install" = yes; then
+ $echo >> $output "\
+ program=lt-'$outputname'$exeext
+ progdir=\"\$thisdir/$objdir\"
+
+ if test ! -f \"\$progdir/\$program\" || \\
+ { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
+ test \"X\$file\" != \"X\$progdir/\$program\"; }; then
+
+ file=\"\$\$-\$program\"
+
+ if test ! -d \"\$progdir\"; then
+ $mkdir \"\$progdir\"
+ else
+ $rm \"\$progdir/\$file\"
+ fi"
+
+ $echo >> $output "\
+
+ # relink executable if necessary
+ if test -n \"\$relink_command\"; then
+ if relink_command_output=\`eval \$relink_command 2>&1\`; then :
+ else
+ $echo \"\$relink_command_output\" >&2
+ $rm \"\$progdir/\$file\"
+ exit 1
+ fi
+ fi
+
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null ||
+ { $rm \"\$progdir/\$program\";
+ $mv \"\$progdir/\$file\" \"\$progdir/\$program\"; }
+ $rm \"\$progdir/\$file\"
+ fi"
+ else
+ $echo >> $output "\
+ program='$outputname'
+ progdir=\"\$thisdir/$objdir\"
+"
+ fi
+
+ $echo >> $output "\
+
+ if test -f \"\$progdir/\$program\"; then"
+
+ # Export our shlibpath_var if we have one.
+ if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+ $echo >> $output "\
+ # Add our own library path to $shlibpath_var
+ $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
+
+ # Some systems cannot cope with colon-terminated $shlibpath_var
+ # The second colon is a workaround for a bug in BeOS R4 sed
+ $shlibpath_var=\`\$echo \"X\$$shlibpath_var\" | \$Xsed -e 's/::*\$//'\`
+
+ export $shlibpath_var
+"
+ fi
+
+ # fixup the dll searchpath if we need to.
+ if test -n "$dllsearchpath"; then
+ $echo >> $output "\
+ # Add the dll search path components to the executable PATH
+ PATH=$dllsearchpath:\$PATH
+"
+ fi
+
+ $echo >> $output "\
+ if test \"\$libtool_execute_magic\" != \"$magic\"; then
+ # Run the actual program with our arguments.
+"
+ case $host in
+ # Backslashes separate directories on plain windows
+ *-*-mingw | *-*-os2*)
+ $echo >> $output "\
+ exec \$progdir\\\\\$program \${1+\"\$@\"}
+"
+ ;;
+
+ *)
+ $echo >> $output "\
+ exec \$progdir/\$program \${1+\"\$@\"}
+"
+ ;;
+ esac
+ $echo >> $output "\
+ \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+ exit 1
+ fi
+ else
+ # The program doesn't exist.
+ \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+ \$echo \"This script is just a wrapper for \$program.\" 1>&2
+ $echo \"See the $PACKAGE documentation for more information.\" 1>&2
+ exit 1
+ fi
+fi\
+"
+ chmod +x $output
+ fi
+ exit 0
+ ;;
+ esac
+
+ # See if we need to build an old-fashioned archive.
+ for oldlib in $oldlibs; do
+
+ if test "$build_libtool_libs" = convenience; then
+ oldobjs="$libobjs_save"
+ addlibs="$convenience"
+ build_libtool_libs=no
+ else
+ if test "$build_libtool_libs" = module; then
+ oldobjs="$libobjs_save"
+ build_libtool_libs=no
+ else
+ oldobjs="$old_deplibs $non_pic_objects"
+ fi
+ addlibs="$old_convenience"
+ fi
+
+ if test -n "$addlibs"; then
+ gentop="$output_objdir/${outputname}x"
+ $show "${rm}r $gentop"
+ $run ${rm}r "$gentop"
+ $show "$mkdir $gentop"
+ $run $mkdir "$gentop"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$gentop"; then
+ exit $status
+ fi
+ generated="$generated $gentop"
+
+ # Add in members from convenience archives.
+ for xlib in $addlibs; do
+ # Extract the objects.
+ case $xlib in
+ [\\/]* | [A-Za-z]:[\\/]*) xabs="$xlib" ;;
+ *) xabs=`pwd`"/$xlib" ;;
+ esac
+ xlib=`$echo "X$xlib" | $Xsed -e 's%^.*/%%'`
+ xdir="$gentop/$xlib"
+
+ $show "${rm}r $xdir"
+ $run ${rm}r "$xdir"
+ $show "$mkdir $xdir"
+ $run $mkdir "$xdir"
+ status=$?
+ if test "$status" -ne 0 && test ! -d "$xdir"; then
+ exit $status
+ fi
+ # We will extract separately just the conflicting names and we will no
+ # longer touch any unique names. It is faster to leave these extract
+ # automatically by $AR in one run.
+ $show "(cd $xdir && $AR x $xabs)"
+ $run eval "(cd \$xdir && $AR x \$xabs)" || exit $?
+ if ($AR t "$xabs" | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
+ $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
+ $AR t "$xabs" | sort | uniq -cd | while read -r count name
+ do
+ i=1
+ while test "$i" -le "$count"
+ do
+ # Put our $i before any first dot (extension)
+ # Never overwrite any file
+ name_to="$name"
+ while test "X$name_to" = "X$name" || test -f "$xdir/$name_to"
+ do
+ name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
+ done
+ $show "(cd $xdir && $AR xN $i $xabs '$name' && $mv '$name' '$name_to')"
+ $run eval "(cd \$xdir && $AR xN $i \$xabs '$name' && $mv '$name' '$name_to')" || exit $?
+ i=`expr $i + 1`
+ done
+ done
+ fi
+
+ oldobjs="$oldobjs "`find $xdir -name \*.${objext} -print -o -name \*.lo -print | $NL2SP`
+ done
+ fi
+
+ # Do each command in the archive commands.
+ if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+ cmds=$old_archive_from_new_cmds
+ else
+ eval cmds=\"$old_archive_cmds\"
+
+ if len=`expr "X$cmds" : ".*"` &&
+ test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
+ cmds=$old_archive_cmds
+ else
+ # the command line is too long to link in one step, link in parts
+ $echo "using piecewise archive linking..."
+ save_RANLIB=$RANLIB
+ RANLIB=:
+ objlist=
+ concat_cmds=
+ save_oldobjs=$oldobjs
+ # GNU ar 2.10+ was changed to match POSIX; thus no paths are
+ # encoded into archives. This makes 'ar r' malfunction in
+ # this piecewise linking case whenever conflicting object
+ # names appear in distinct ar calls; check, warn and compensate.
+ if (for obj in $save_oldobjs
+ do
+ $echo "X$obj" | $Xsed -e 's%^.*/%%'
+ done | sort | sort -uc >/dev/null 2>&1); then
+ :
+ else
+ $echo "$modename: warning: object name conflicts; overriding AR_FLAGS to 'cq'" 1>&2
+ $echo "$modename: warning: to ensure that POSIX-compatible ar will work" 1>&2
+ AR_FLAGS=cq
+ fi
+ # Is there a better way of finding the last object in the list?
+ for obj in $save_oldobjs
+ do
+ last_oldobj=$obj
+ done
+ for obj in $save_oldobjs
+ do
+ oldobjs="$objlist $obj"
+ objlist="$objlist $obj"
+ eval test_cmds=\"$old_archive_cmds\"
+ if len=`expr "X$test_cmds" : ".*"` &&
+ test "$len" -le "$max_cmd_len"; then
+ :
+ else
+ # the above command should be used before it gets too long
+ oldobjs=$objlist
+ if test "$obj" = "$last_oldobj" ; then
+ RANLIB=$save_RANLIB
+ fi
+ test -z "$concat_cmds" || concat_cmds=$concat_cmds~
+ eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
+ objlist=
+ fi
+ done
+ RANLIB=$save_RANLIB
+ oldobjs=$objlist
+ if test "X$oldobjs" = "X" ; then
+ eval cmds=\"\$concat_cmds\"
+ else
+ eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
+ fi
+ fi
+ fi
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ eval cmd=\"$cmd\"
+ IFS="$save_ifs"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$generated"; then
+ $show "${rm}r$generated"
+ $run ${rm}r$generated
+ fi
+
+ # Now create the libtool archive.
+ case $output in
+ *.la)
+ old_library=
+ test "$build_old_libs" = yes && old_library="$libname.$libext"
+ $show "creating $output"
+
+ # Preserve any variables that may affect compiler behavior
+ for var in $variables_saved_for_relink; do
+ if eval test -z \"\${$var+set}\"; then
+ relink_command="{ test -z \"\${$var+set}\" || unset $var || { $var=; export $var; }; }; $relink_command"
+ elif eval var_value=\$$var; test -z "$var_value"; then
+ relink_command="$var=; export $var; $relink_command"
+ else
+ var_value=`$echo "X$var_value" | $Xsed -e "$sed_quote_subst"`
+ relink_command="$var=\"$var_value\"; export $var; $relink_command"
+ fi
+ done
+ # Quote the link command for shipping.
+ relink_command="(cd `pwd`; $SHELL $0 $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+ relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+ if test "$hardcode_automatic" = yes ; then
+ relink_command=
+ fi
+ # Only create the output if not a dry run.
+ if test -z "$run"; then
+ for installed in no yes; do
+ if test "$installed" = yes; then
+ if test -z "$install_libdir"; then
+ break
+ fi
+ output="$output_objdir/$outputname"i
+ # Replace all uninstalled libtool libraries with the installed ones
+ newdependency_libs=
+ for deplib in $dependency_libs; do
+ case $deplib in
+ *.la)
+ name=`$echo "X$deplib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$deplib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdependency_libs="$newdependency_libs $libdir/$name"
+ ;;
+ *) newdependency_libs="$newdependency_libs $deplib" ;;
+ esac
+ done
+ dependency_libs="$newdependency_libs"
+ newdlfiles=
+ for lib in $dlfiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdlfiles="$newdlfiles $libdir/$name"
+ done
+ dlfiles="$newdlfiles"
+ newdlprefiles=
+ for lib in $dlprefiles; do
+ name=`$echo "X$lib" | $Xsed -e 's%^.*/%%'`
+ eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+ if test -z "$libdir"; then
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ exit 1
+ fi
+ newdlprefiles="$newdlprefiles $libdir/$name"
+ done
+ dlprefiles="$newdlprefiles"
+ else
+ newdlfiles=
+ for lib in $dlfiles; do
+ case $lib in
+ [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+ *) abs=`pwd`"/$lib" ;;
+ esac
+ newdlfiles="$newdlfiles $abs"
+ done
+ dlfiles="$newdlfiles"
+ newdlprefiles=
+ for lib in $dlprefiles; do
+ case $lib in
+ [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+ *) abs=`pwd`"/$lib" ;;
+ esac
+ newdlprefiles="$newdlprefiles $abs"
+ done
+ dlprefiles="$newdlprefiles"
+ fi
+ $rm $output
+ # place dlname in correct position for cygwin
+ tdlname=$dlname
+ case $host,$output,$installed,$module,$dlname in
+ *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll) tdlname=../bin/$dlname ;;
+ esac
+ $echo > $output "\
+# $outputname - a libtool library file
+# Generated by $PROGRAM - GNU $PACKAGE $VERSION$TIMESTAMP
+#
+# Please DO NOT delete this file!
+# It is necessary for linking the library.
+
+# The name that we can dlopen(3).
+dlname='$tdlname'
+
+# Names of this library.
+library_names='$library_names'
+
+# The name of the static archive.
+old_library='$old_library'
+
+# Libraries that this one depends upon.
+dependency_libs='$dependency_libs'
+
+# Version information for $libname.
+current=$current
+age=$age
+revision=$revision
+
+# Is this an already installed library?
+installed=$installed
+
+# Should we warn about portability when linking against -modules?
+shouldnotlink=$module
+
+# Files to dlopen/dlpreopen
+dlopen='$dlfiles'
+dlpreopen='$dlprefiles'
+
+# Directory that this library needs to be installed in:
+libdir='$install_libdir'"
+ if test "$installed" = no && test "$need_relink" = yes; then
+ $echo >> $output "\
+relink_command=\"$relink_command\""
+ fi
+ done
+ fi
+
+ # Do a symbolic link so that the libtool archive can be found in
+ # LD_LIBRARY_PATH before the program is installed.
+ $show "(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)"
+ $run eval '(cd $output_objdir && $rm $outputname && $LN_S ../$outputname $outputname)' || exit $?
+ ;;
+ esac
+ exit 0
+ ;;
+
+ # libtool install mode
+ install)
+ modename="$modename: install"
+
+ # There may be an optional sh(1) argument at the beginning of
+ # install_prog (especially on Windows NT).
+ if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+ # Allow the use of GNU shtool's install command.
+ $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
+ # Aesthetically quote it.
+ arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$arg "
+ arg="$1"
+ shift
+ else
+ install_prog=
+ arg="$nonopt"
+ fi
+
+ # The real first argument should be the name of the installation program.
+ # Aesthetically quote it.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog$arg"
+
+ # We need to accept at least all the BSD install flags.
+ dest=
+ files=
+ opts=
+ prev=
+ install_type=
+ isdir=no
+ stripme=
+ for arg
+ do
+ if test -n "$dest"; then
+ files="$files $dest"
+ dest="$arg"
+ continue
+ fi
+
+ case $arg in
+ -d) isdir=yes ;;
+ -f) prev="-f" ;;
+ -g) prev="-g" ;;
+ -m) prev="-m" ;;
+ -o) prev="-o" ;;
+ -s)
+ stripme=" -s"
+ continue
+ ;;
+ -*) ;;
+
+ *)
+ # If the previous option needed an argument, then skip it.
+ if test -n "$prev"; then
+ prev=
+ else
+ dest="$arg"
+ continue
+ fi
+ ;;
+ esac
+
+ # Aesthetically quote the argument.
+ arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
+ case $arg in
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*)
+ arg="\"$arg\""
+ ;;
+ esac
+ install_prog="$install_prog $arg"
+ done
+
+ if test -z "$install_prog"; then
+ $echo "$modename: you must specify an install program" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test -n "$prev"; then
+ $echo "$modename: the \`$prev' option requires an argument" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ if test -z "$files"; then
+ if test -z "$dest"; then
+ $echo "$modename: no file or destination specified" 1>&2
+ else
+ $echo "$modename: you must specify a destination" 1>&2
+ fi
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Strip any trailing slash from the destination.
+ dest=`$echo "X$dest" | $Xsed -e 's%/$%%'`
+
+ # Check to see that the destination is a directory.
+ test -d "$dest" && isdir=yes
+ if test "$isdir" = yes; then
+ destdir="$dest"
+ destname=
+ else
+ destdir=`$echo "X$dest" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$destdir" = "X$dest" && destdir=.
+ destname=`$echo "X$dest" | $Xsed -e 's%^.*/%%'`
+
+ # Not a directory, so check to see that there is only one file specified.
+ set dummy $files
+ if test "$#" -gt 2; then
+ $echo "$modename: \`$dest' is not a directory" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+ fi
+ case $destdir in
+ [\\/]* | [A-Za-z]:[\\/]*) ;;
+ *)
+ for file in $files; do
+ case $file in
+ *.lo) ;;
+ *)
+ $echo "$modename: \`$destdir' must be an absolute directory name" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ ;;
+ esac
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ staticlibs=
+ future_libdirs=
+ current_libdirs=
+ for file in $files; do
+
+ # Do each installation.
+ case $file in
+ *.$libext)
+ # Do the static libraries later.
+ staticlibs="$staticlibs $file"
+ ;;
+
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$file' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ library_names=
+ old_library=
+ relink_command=
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Add the libdir to current_libdirs if it is the destination.
+ if test "X$destdir" = "X$libdir"; then
+ case "$current_libdirs " in
+ *" $libdir "*) ;;
+ *) current_libdirs="$current_libdirs $libdir" ;;
+ esac
+ else
+ # Note the libdir as a future libdir.
+ case "$future_libdirs " in
+ *" $libdir "*) ;;
+ *) future_libdirs="$future_libdirs $libdir" ;;
+ esac
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`/
+ test "X$dir" = "X$file/" && dir=
+ dir="$dir$objdir"
+
+ if test -n "$relink_command"; then
+ # Determine the prefix the user has applied to our future dir.
+ inst_prefix_dir=`$echo "$destdir" | $SED "s%$libdir\$%%"`
+
+ # Don't allow the user to place us outside of our expected
+ # location b/c this prevents finding dependent libraries that
+ # are installed to the same prefix.
+ # At present, this check doesn't affect windows .dll's that
+ # are installed into $libdir/../bin (currently, that works fine)
+ # but it's something to keep an eye on.
+ if test "$inst_prefix_dir" = "$destdir"; then
+ $echo "$modename: error: cannot install \`$file' to a directory not ending in $libdir" 1>&2
+ exit 1
+ fi
+
+ if test -n "$inst_prefix_dir"; then
+ # Stick the inst_prefix_dir data into the link command.
+ relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+ else
+ relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
+ fi
+
+ $echo "$modename: warning: relinking \`$file'" 1>&2
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ exit 1
+ fi
+ fi
+
+ # See the names of the shared library.
+ set dummy $library_names
+ if test -n "$2"; then
+ realname="$2"
+ shift
+ shift
+
+ srcname="$realname"
+ test -n "$relink_command" && srcname="$realname"T
+
+ # Install the shared library and build the symlinks.
+ $show "$install_prog $dir/$srcname $destdir/$realname"
+ $run eval "$install_prog $dir/$srcname $destdir/$realname" || exit $?
+ if test -n "$stripme" && test -n "$striplib"; then
+ $show "$striplib $destdir/$realname"
+ $run eval "$striplib $destdir/$realname" || exit $?
+ fi
+
+ if test "$#" -gt 0; then
+ # Delete the old symlinks, and create new ones.
+ for linkname
+ do
+ if test "$linkname" != "$realname"; then
+ $show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+ $run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+ fi
+ done
+ fi
+
+ # Do each command in the postinstall commands.
+ lib="$destdir/$realname"
+ cmds=$postinstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ fi
+
+ # Install the pseudo-library for information purposes.
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ instname="$dir/$name"i
+ $show "$install_prog $instname $destdir/$name"
+ $run eval "$install_prog $instname $destdir/$name" || exit $?
+
+ # Maybe install the static library, too.
+ test -n "$old_library" && staticlibs="$staticlibs $dir/$old_library"
+ ;;
+
+ *.lo)
+ # Install (i.e. copy) a libtool object.
+
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # Deduce the name of the destination old-style object file.
+ case $destfile in
+ *.lo)
+ staticdest=`$echo "X$destfile" | $Xsed -e "$lo2o"`
+ ;;
+ *.$objext)
+ staticdest="$destfile"
+ destfile=
+ ;;
+ *)
+ $echo "$modename: cannot copy a libtool object to \`$destfile'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+ esac
+
+ # Install the libtool object if requested.
+ if test -n "$destfile"; then
+ $show "$install_prog $file $destfile"
+ $run eval "$install_prog $file $destfile" || exit $?
+ fi
+
+ # Install the old object if enabled.
+ if test "$build_old_libs" = yes; then
+ # Deduce the name of the old-style object file.
+ staticobj=`$echo "X$file" | $Xsed -e "$lo2o"`
+
+ $show "$install_prog $staticobj $staticdest"
+ $run eval "$install_prog \$staticobj \$staticdest" || exit $?
+ fi
+ exit 0
+ ;;
+
+ *)
+ # Figure out destination file name, if it wasn't already specified.
+ if test -n "$destname"; then
+ destfile="$destdir/$destname"
+ else
+ destfile=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ destfile="$destdir/$destfile"
+ fi
+
+ # If the file is missing, and there is a .exe on the end, strip it
+ # because it is most likely a libtool script we actually want to
+ # install
+ stripped_ext=""
+ case $file in
+ *.exe)
+ if test ! -f "$file"; then
+ file=`$echo $file|${SED} 's,.exe$,,'`
+ stripped_ext=".exe"
+ fi
+ ;;
+ esac
+
+ # Do a test to see if this is really a libtool program.
+ case $host in
+ *cygwin*|*mingw*)
+ wrapper=`$echo $file | ${SED} -e 's,.exe$,,'`
+ ;;
+ *)
+ wrapper=$file
+ ;;
+ esac
+ if (${SED} -e '4q' $wrapper | grep "^# Generated by .*$PACKAGE")>/dev/null 2>&1; then
+ notinst_deplibs=
+ relink_command=
+
+ # To insure that "foo" is sourced, and not "foo.exe",
+ # finese the cygwin/MSYS system by explicitly sourcing "foo."
+ # which disallows the automatic-append-.exe behavior.
+ case $build in
+ *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
+ *) wrapperdot=${wrapper} ;;
+ esac
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . ${wrapperdot} ;;
+ *) . ./${wrapperdot} ;;
+ esac
+
+ # Check the variables that should have been set.
+ if test -z "$notinst_deplibs"; then
+ $echo "$modename: invalid libtool wrapper script \`$wrapper'" 1>&2
+ exit 1
+ fi
+
+ finalize=yes
+ for lib in $notinst_deplibs; do
+ # Check to see that each library is installed.
+ libdir=
+ if test -f "$lib"; then
+ # If there is no directory component, then add one.
+ case $lib in
+ */* | *\\*) . $lib ;;
+ *) . ./$lib ;;
+ esac
+ fi
+ libfile="$libdir/"`$echo "X$lib" | $Xsed -e 's%^.*/%%g'` ### testsuite: skip nested quoting test
+ if test -n "$libdir" && test ! -f "$libfile"; then
+ $echo "$modename: warning: \`$lib' has not been installed in \`$libdir'" 1>&2
+ finalize=no
+ fi
+ done
+
+ relink_command=
+ # To insure that "foo" is sourced, and not "foo.exe",
+ # finese the cygwin/MSYS system by explicitly sourcing "foo."
+ # which disallows the automatic-append-.exe behavior.
+ case $build in
+ *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
+ *) wrapperdot=${wrapper} ;;
+ esac
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . ${wrapperdot} ;;
+ *) . ./${wrapperdot} ;;
+ esac
+
+ outputname=
+ if test "$fast_install" = no && test -n "$relink_command"; then
+ if test "$finalize" = yes && test -z "$run"; then
+ tmpdir="/tmp"
+ test -n "$TMPDIR" && tmpdir="$TMPDIR"
+ tmpdir="$tmpdir/libtool-$$"
+ if $mkdir "$tmpdir" && chmod 700 "$tmpdir"; then :
+ else
+ $echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
+ continue
+ fi
+ file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
+ outputname="$tmpdir/$file"
+ # Replace the output file specification.
+ relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+
+ $show "$relink_command"
+ if $run eval "$relink_command"; then :
+ else
+ $echo "$modename: error: relink \`$file' with the above command before installing it" 1>&2
+ ${rm}r "$tmpdir"
+ continue
+ fi
+ file="$outputname"
+ else
+ $echo "$modename: warning: cannot relink \`$file'" 1>&2
+ fi
+ else
+ # Install the binary that we compiled earlier.
+ file=`$echo "X$file$stripped_ext" | $Xsed -e "s%\([^/]*\)$%$objdir/\1%"`
+ fi
+ fi
+
+ # remove .exe since cygwin /usr/bin/install will append another
+ # one anyways
+ case $install_prog,$host in
+ */usr/bin/install*,*cygwin*)
+ case $file:$destfile in
+ *.exe:*.exe)
+ # this is ok
+ ;;
+ *.exe:*)
+ destfile=$destfile.exe
+ ;;
+ *:*.exe)
+ destfile=`$echo $destfile | ${SED} -e 's,.exe$,,'`
+ ;;
+ esac
+ ;;
+ esac
+ $show "$install_prog$stripme $file $destfile"
+ $run eval "$install_prog\$stripme \$file \$destfile" || exit $?
+ test -n "$outputname" && ${rm}r "$tmpdir"
+ ;;
+ esac
+ done
+
+ for file in $staticlibs; do
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+
+ # Set up the ranlib parameters.
+ oldlib="$destdir/$name"
+
+ $show "$install_prog $file $oldlib"
+ $run eval "$install_prog \$file \$oldlib" || exit $?
+
+ if test -n "$stripme" && test -n "$old_striplib"; then
+ $show "$old_striplib $oldlib"
+ $run eval "$old_striplib $oldlib" || exit $?
+ fi
+
+ # Do each command in the postinstall commands.
+ cmds=$old_postinstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || exit $?
+ done
+ IFS="$save_ifs"
+ done
+
+ if test -n "$future_libdirs"; then
+ $echo "$modename: warning: remember to run \`$progname --finish$future_libdirs'" 1>&2
+ fi
+
+ if test -n "$current_libdirs"; then
+ # Maybe just do a dry run.
+ test -n "$run" && current_libdirs=" -n$current_libdirs"
+ exec_cmd='$SHELL $0 $preserve_args --finish$current_libdirs'
+ else
+ exit 0
+ fi
+ ;;
+
+ # libtool finish mode
+ finish)
+ modename="$modename: finish"
+ libdirs="$nonopt"
+ admincmds=
+
+ if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
+ for dir
+ do
+ libdirs="$libdirs $dir"
+ done
+
+ for libdir in $libdirs; do
+ if test -n "$finish_cmds"; then
+ # Do each command in the finish commands.
+ cmds=$finish_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd" || admincmds="$admincmds
+ $cmd"
+ done
+ IFS="$save_ifs"
+ fi
+ if test -n "$finish_eval"; then
+ # Do the single finish_eval.
+ eval cmds=\"$finish_eval\"
+ $run eval "$cmds" || admincmds="$admincmds
+ $cmds"
+ fi
+ done
+ fi
+
+ # Exit here if they wanted silent mode.
+ test "$show" = : && exit 0
+
+ $echo "----------------------------------------------------------------------"
+ $echo "Libraries have been installed in:"
+ for libdir in $libdirs; do
+ $echo " $libdir"
+ done
+ $echo
+ $echo "If you ever happen to want to link against installed libraries"
+ $echo "in a given directory, LIBDIR, you must either use libtool, and"
+ $echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+ $echo "flag during linking and do at least one of the following:"
+ if test -n "$shlibpath_var"; then
+ $echo " - add LIBDIR to the \`$shlibpath_var' environment variable"
+ $echo " during execution"
+ fi
+ if test -n "$runpath_var"; then
+ $echo " - add LIBDIR to the \`$runpath_var' environment variable"
+ $echo " during linking"
+ fi
+ if test -n "$hardcode_libdir_flag_spec"; then
+ libdir=LIBDIR
+ eval flag=\"$hardcode_libdir_flag_spec\"
+
+ $echo " - use the \`$flag' linker flag"
+ fi
+ if test -n "$admincmds"; then
+ $echo " - have your system administrator run these commands:$admincmds"
+ fi
+ if test -f /etc/ld.so.conf; then
+ $echo " - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+ fi
+ $echo
+ $echo "See any operating system documentation about shared libraries for"
+ $echo "more information, such as the ld(1) and ld.so(8) manual pages."
+ $echo "----------------------------------------------------------------------"
+ exit 0
+ ;;
+
+ # libtool execute mode
+ execute)
+ modename="$modename: execute"
+
+ # The first argument is the command name.
+ cmd="$nonopt"
+ if test -z "$cmd"; then
+ $echo "$modename: you must specify a COMMAND" 1>&2
+ $echo "$help"
+ exit 1
+ fi
+
+ # Handle -dlopen flags immediately.
+ for file in $execute_dlfiles; do
+ if test ! -f "$file"; then
+ $echo "$modename: \`$file' is not a file" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ dir=
+ case $file in
+ *.la)
+ # Check to see that this really is a libtool archive.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then :
+ else
+ $echo "$modename: \`$lib' is not a valid libtool archive" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ # Read the libtool library.
+ dlname=
+ library_names=
+
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Skip this library if it cannot be dlopened.
+ if test -z "$dlname"; then
+ # Warn if it was a shared library.
+ test -n "$library_names" && $echo "$modename: warning: \`$file' was not linked with \`-export-dynamic'"
+ continue
+ fi
+
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+
+ if test -f "$dir/$objdir/$dlname"; then
+ dir="$dir/$objdir"
+ else
+ $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+ exit 1
+ fi
+ ;;
+
+ *.lo)
+ # Just add the directory containing the .lo file.
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ test "X$dir" = "X$file" && dir=.
+ ;;
+
+ *)
+ $echo "$modename: warning \`-dlopen' is ignored for non-libtool libraries and objects" 1>&2
+ continue
+ ;;
+ esac
+
+ # Get the absolute pathname.
+ absdir=`cd "$dir" && pwd`
+ test -n "$absdir" && dir="$absdir"
+
+ # Now add the directory to shlibpath_var.
+ if eval "test -z \"\$$shlibpath_var\""; then
+ eval "$shlibpath_var=\"\$dir\""
+ else
+ eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\""
+ fi
+ done
+
+ # This variable tells wrapper scripts just to set shlibpath_var
+ # rather than running their programs.
+ libtool_execute_magic="$magic"
+
+ # Check if any of the arguments is a wrapper script.
+ args=
+ for file
+ do
+ case $file in
+ -*) ;;
+ *)
+ # Do a test to see if this is really a libtool program.
+ if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ # If there is no directory component, then add one.
+ case $file in
+ */* | *\\*) . $file ;;
+ *) . ./$file ;;
+ esac
+
+ # Transform arg to wrapped name.
+ file="$progdir/$program"
+ fi
+ ;;
+ esac
+ # Quote arguments (to preserve shell metacharacters).
+ file=`$echo "X$file" | $Xsed -e "$sed_quote_subst"`
+ args="$args \"$file\""
+ done
+
+ if test -z "$run"; then
+ if test -n "$shlibpath_var"; then
+ # Export the shlibpath_var.
+ eval "export $shlibpath_var"
+ fi
+
+ # Restore saved environment variables
+ if test "${save_LC_ALL+set}" = set; then
+ LC_ALL="$save_LC_ALL"; export LC_ALL
+ fi
+ if test "${save_LANG+set}" = set; then
+ LANG="$save_LANG"; export LANG
+ fi
+
+ # Now prepare to actually exec the command.
+ exec_cmd="\$cmd$args"
+ else
+ # Display what would be done.
+ if test -n "$shlibpath_var"; then
+ eval "\$echo \"\$shlibpath_var=\$$shlibpath_var\""
+ $echo "export $shlibpath_var"
+ fi
+ $echo "$cmd$args"
+ exit 0
+ fi
+ ;;
+
+ # libtool clean and uninstall mode
+ clean | uninstall)
+ modename="$modename: $mode"
+ rm="$nonopt"
+ files=
+ rmforce=
+ exit_status=0
+
+ # This variable tells wrapper scripts just to set variables rather
+ # than running their programs.
+ libtool_install_magic="$magic"
+
+ for arg
+ do
+ case $arg in
+ -f) rm="$rm $arg"; rmforce=yes ;;
+ -*) rm="$rm $arg" ;;
+ *) files="$files $arg" ;;
+ esac
+ done
+
+ if test -z "$rm"; then
+ $echo "$modename: you must specify an RM program" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ fi
+
+ rmdirs=
+
+ origobjdir="$objdir"
+ for file in $files; do
+ dir=`$echo "X$file" | $Xsed -e 's%/[^/]*$%%'`
+ if test "X$dir" = "X$file"; then
+ dir=.
+ objdir="$origobjdir"
+ else
+ objdir="$dir/$origobjdir"
+ fi
+ name=`$echo "X$file" | $Xsed -e 's%^.*/%%'`
+ test "$mode" = uninstall && objdir="$dir"
+
+ # Remember objdir for removal later, being careful to avoid duplicates
+ if test "$mode" = clean; then
+ case " $rmdirs " in
+ *" $objdir "*) ;;
+ *) rmdirs="$rmdirs $objdir" ;;
+ esac
+ fi
+
+ # Don't error if the file doesn't exist and rm -f was used.
+ if (test -L "$file") >/dev/null 2>&1 \
+ || (test -h "$file") >/dev/null 2>&1 \
+ || test -f "$file"; then
+ :
+ elif test -d "$file"; then
+ exit_status=1
+ continue
+ elif test "$rmforce" = yes; then
+ continue
+ fi
+
+ rmfiles="$file"
+
+ case $name in
+ *.la)
+ # Possibly a libtool archive, so verify it.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ . $dir/$name
+
+ # Delete the libtool libraries and symlinks.
+ for n in $library_names; do
+ rmfiles="$rmfiles $objdir/$n"
+ done
+ test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
+ test "$mode" = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+
+ if test "$mode" = uninstall; then
+ if test -n "$library_names"; then
+ # Do each command in the postuninstall commands.
+ cmds=$postuninstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test "$?" -ne 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+
+ if test -n "$old_library"; then
+ # Do each command in the old_postuninstall commands.
+ cmds=$old_postuninstall_cmds
+ save_ifs="$IFS"; IFS='~'
+ for cmd in $cmds; do
+ IFS="$save_ifs"
+ eval cmd=\"$cmd\"
+ $show "$cmd"
+ $run eval "$cmd"
+ if test "$?" -ne 0 && test "$rmforce" != yes; then
+ exit_status=1
+ fi
+ done
+ IFS="$save_ifs"
+ fi
+ # FIXME: should reinstall the best remaining shared library.
+ fi
+ fi
+ ;;
+
+ *.lo)
+ # Possibly a libtool object, so verify it.
+ if (${SED} -e '2q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+
+ # Read the .lo file
+ . $dir/$name
+
+ # Add PIC object to the list of files to remove.
+ if test -n "$pic_object" \
+ && test "$pic_object" != none; then
+ rmfiles="$rmfiles $dir/$pic_object"
+ fi
+
+ # Add non-PIC object to the list of files to remove.
+ if test -n "$non_pic_object" \
+ && test "$non_pic_object" != none; then
+ rmfiles="$rmfiles $dir/$non_pic_object"
+ fi
+ fi
+ ;;
+
+ *)
+ if test "$mode" = clean ; then
+ noexename=$name
+ case $file in
+ *.exe)
+ file=`$echo $file|${SED} 's,.exe$,,'`
+ noexename=`$echo $name|${SED} 's,.exe$,,'`
+ # $file with .exe has already been added to rmfiles,
+ # add $file without .exe
+ rmfiles="$rmfiles $file"
+ ;;
+ esac
+ # Do a test to see if this is a libtool program.
+ if (${SED} -e '4q' $file | grep "^# Generated by .*$PACKAGE") >/dev/null 2>&1; then
+ relink_command=
+ . $dir/$noexename
+
+ # note $name still contains .exe if it was in $file originally
+ # as does the version of $file that was added into $rmfiles
+ rmfiles="$rmfiles $objdir/$name $objdir/${name}S.${objext}"
+ if test "$fast_install" = yes && test -n "$relink_command"; then
+ rmfiles="$rmfiles $objdir/lt-$name"
+ fi
+ if test "X$noexename" != "X$name" ; then
+ rmfiles="$rmfiles $objdir/lt-${noexename}.c"
+ fi
+ fi
+ fi
+ ;;
+ esac
+ $show "$rm $rmfiles"
+ $run $rm $rmfiles || exit_status=1
+ done
+ objdir="$origobjdir"
+
+ # Try to remove the ${objdir}s in the directories where we deleted files
+ for dir in $rmdirs; do
+ if test -d "$dir"; then
+ $show "rmdir $dir"
+ $run rmdir $dir >/dev/null 2>&1
+ fi
+ done
+
+ exit $exit_status
+ ;;
+
+ "")
+ $echo "$modename: you must specify a MODE" 1>&2
+ $echo "$generic_help" 1>&2
+ exit 1
+ ;;
+ esac
+
+ if test -z "$exec_cmd"; then
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$generic_help" 1>&2
+ exit 1
+ fi
+fi # test -z "$show_help"
+
+if test -n "$exec_cmd"; then
+ eval exec $exec_cmd
+ exit 1
+fi
+
+# We need to display help for each of the modes.
+case $mode in
+"") $echo \
+"Usage: $modename [OPTION]... [MODE-ARG]...
+
+Provide generalized library-building support services.
+
+ --config show all configuration variables
+ --debug enable verbose shell tracing
+-n, --dry-run display commands without modifying any files
+ --features display basic configuration information and exit
+ --finish same as \`--mode=finish'
+ --help display this help message and exit
+ --mode=MODE use operation mode MODE [default=inferred from MODE-ARGS]
+ --quiet same as \`--silent'
+ --silent don't print informational messages
+ --tag=TAG use configuration variables from tag TAG
+ --version print version information
+
+MODE must be one of the following:
+
+ clean remove files from the build directory
+ compile compile a source file into a libtool object
+ execute automatically set library path, then run a program
+ finish complete the installation of libtool libraries
+ install install libraries or executables
+ link create a library or an executable
+ uninstall remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE. Try \`$modename --help --mode=MODE' for
+a more detailed description of MODE.
+
+Report bugs to <bug-libtool@gnu.org>."
+ exit 0
+ ;;
+
+clean)
+ $echo \
+"Usage: $modename [OPTION]... --mode=clean RM [RM-OPTION]... FILE...
+
+Remove files from the build directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, object or program, all the files associated
+with it are deleted. Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+compile)
+ $echo \
+"Usage: $modename [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE
+
+Compile a source file into a libtool library object.
+
+This mode accepts the following additional options:
+
+ -o OUTPUT-FILE set the output file name to OUTPUT-FILE
+ -prefer-pic try to building PIC objects only
+ -prefer-non-pic try to building non-PIC objects only
+ -static always build a \`.o' file suitable for static linking
+
+COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+from the given SOURCEFILE.
+
+The output file name is determined by removing the directory component from
+SOURCEFILE, then substituting the C source code suffix \`.c' with the
+library object suffix, \`.lo'."
+ ;;
+
+execute)
+ $echo \
+"Usage: $modename [OPTION]... --mode=execute COMMAND [ARGS]...
+
+Automatically set library path, then run a program.
+
+This mode accepts the following additional options:
+
+ -dlopen FILE add the directory containing FILE to the library path
+
+This mode sets the library path environment variable according to \`-dlopen'
+flags.
+
+If any of the ARGS are libtool executable wrappers, then they are translated
+into their corresponding uninstalled binary, and any of their required library
+directories are added to the library path.
+
+Then, COMMAND is executed, with ARGS as arguments."
+ ;;
+
+finish)
+ $echo \
+"Usage: $modename [OPTION]... --mode=finish [LIBDIR]...
+
+Complete the installation of libtool libraries.
+
+Each LIBDIR is a directory that contains libtool libraries.
+
+The commands that this mode executes may require superuser privileges. Use
+the \`--dry-run' option if you just want to see what would be executed."
+ ;;
+
+install)
+ $echo \
+"Usage: $modename [OPTION]... --mode=install INSTALL-COMMAND...
+
+Install executables or libraries.
+
+INSTALL-COMMAND is the installation command. The first component should be
+either the \`install' or \`cp' program.
+
+The rest of the components are interpreted as arguments to that command (only
+BSD-compatible install options are recognized)."
+ ;;
+
+link)
+ $echo \
+"Usage: $modename [OPTION]... --mode=link LINK-COMMAND...
+
+Link object files or libraries together to form another library, or to
+create an executable program.
+
+LINK-COMMAND is a command using the C compiler that you would use to create
+a program from several object files.
+
+The following components of LINK-COMMAND are treated specially:
+
+ -all-static do not do any dynamic linking at all
+ -avoid-version do not add a version suffix if possible
+ -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime
+ -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols
+ -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
+ -export-symbols SYMFILE
+ try to export only the symbols listed in SYMFILE
+ -export-symbols-regex REGEX
+ try to export only the symbols matching REGEX
+ -LLIBDIR search LIBDIR for required installed libraries
+ -lNAME OUTPUT-FILE requires the installed library libNAME
+ -module build a library that can dlopened
+ -no-fast-install disable the fast-install mode
+ -no-install link a not-installable executable
+ -no-undefined declare that a library does not refer to external symbols
+ -o OUTPUT-FILE create OUTPUT-FILE from the specified objects
+ -objectlist FILE Use a list of object files found in FILE to specify objects
+ -precious-files-regex REGEX
+ don't remove output files matching REGEX
+ -release RELEASE specify package release information
+ -rpath LIBDIR the created library will eventually be installed in LIBDIR
+ -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries
+ -static do not do any dynamic linking of libtool libraries
+ -version-info CURRENT[:REVISION[:AGE]]
+ specify library version info [each variable defaults to 0]
+
+All other options (arguments beginning with \`-') are ignored.
+
+Every other argument is treated as a filename. Files ending in \`.la' are
+treated as uninstalled libtool libraries, other files are standard or library
+object files.
+
+If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
+only library objects (\`.lo' files) may be specified, and \`-rpath' is
+required, except when creating a convenience library.
+
+If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
+using \`ar' and \`ranlib', or on Windows using \`lib'.
+
+If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+is created, otherwise an executable program is created."
+ ;;
+
+uninstall)
+ $echo \
+"Usage: $modename [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE...
+
+Remove libraries from an installation directory.
+
+RM is the name of the program to use to delete files associated with each FILE
+(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed
+to RM.
+
+If FILE is a libtool library, all the files associated with it are deleted.
+Otherwise, only FILE itself is deleted using RM."
+ ;;
+
+*)
+ $echo "$modename: invalid operation mode \`$mode'" 1>&2
+ $echo "$help" 1>&2
+ exit 1
+ ;;
+esac
+
+$echo
+$echo "Try \`$modename --help' for more information about other modes."
+
+exit 0
+
+# The TAGs below are defined such that we never get into a situation
+# in which we disable both kinds of libraries. Given conflicting
+# choices, we go for a static library, that is the most portable,
+# since we can't tell whether shared libraries were disabled because
+# the user asked for that or because the platform doesn't support
+# them. This is particularly important on AIX, because we don't
+# support having both static and shared libraries enabled at the same
+# time on that platform, so we default to a shared-only configuration.
+# If a disable-shared tag is given, we'll fallback to a static-only
+# configuration. But we'll never go from static-only to shared-only.
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
+build_libtool_libs=no
+build_old_libs=yes
+# ### END LIBTOOL TAG CONFIG: disable-shared
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-static
+build_old_libs=`case $build_libtool_libs in yes) $echo no;; *) $echo yes;; esac`
+# ### END LIBTOOL TAG CONFIG: disable-static
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
diff --git a/contrib/bind9/make/Makefile.in b/contrib/bind9/make/Makefile.in
new file mode 100644
index 0000000..73efb1f
--- /dev/null
+++ b/contrib/bind9/make/Makefile.in
@@ -0,0 +1,28 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.13.206.1 2004/03/06 13:16:21 marka Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+SUBDIRS=
+TARGETS=
+
+@BIND9_MAKE_RULES@
+
+distclean::
+ rm -f rules mkdep includes
diff --git a/contrib/bind9/make/includes.in b/contrib/bind9/make/includes.in
new file mode 100644
index 0000000..8d170a4
--- /dev/null
+++ b/contrib/bind9/make/includes.in
@@ -0,0 +1,48 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1999-2001 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: includes.in,v 1.15.12.3 2004/03/08 09:05:14 marka Exp $
+
+# Search for machine-generated header files in the build tree,
+# and for normal headers in the source tree (${top_srcdir}).
+# We only need to look in OS-specific subdirectories for the
+# latter case, because there are no machine-generated OS-specific
+# headers.
+
+ISC_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isc \
+ -I${top_srcdir}/lib/isc/include \
+ -I${top_srcdir}/lib/isc/unix/include \
+ -I${top_srcdir}/lib/isc/@ISC_THREAD_DIR@/include
+
+ISCCC_INCLUDES = @BIND9_ISCCC_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isccc/include
+
+ISCCFG_INCLUDES = @BIND9_ISCCFG_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/isccfg/include
+
+DNS_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/dns/include \
+ -I${top_srcdir}/lib/dns/sec/dst/include
+
+LWRES_INCLUDES = @BIND9_LWRES_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/lwres/unix/include \
+ -I${top_srcdir}/lib/lwres/include
+
+BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
+ -I${top_srcdir}/lib/bind9/include
+
+TEST_INCLUDES = \
+ -I${top_srcdir}/lib/tests/include
diff --git a/contrib/bind9/make/mkdep.in b/contrib/bind9/make/mkdep.in
new file mode 100644
index 0000000..fc3e250
--- /dev/null
+++ b/contrib/bind9/make/mkdep.in
@@ -0,0 +1,148 @@
+#!/bin/sh -
+
+## ++Copyright++ 1987
+## -
+## Copyright (c) 1987 Regents of the University of California.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted provided that the following conditions
+## are met:
+## 1. Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+## 2. Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the distribution.
+## 3. All advertising materials mentioning features or use of this software
+## must display the following acknowledgement:
+## This product includes software developed by the University of
+## California, Berkeley and its contributors.
+## 4. Neither the name of the University nor the names of its contributors
+## may be used to endorse or promote products derived from this software
+## without specific prior written permission.
+## THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+## IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+## ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+## OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+## HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+## OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+## SUCH DAMAGE.
+## -
+## Portions Copyright (c) 1993 by Digital Equipment Corporation.
+##
+## Permission to use, copy, modify, and distribute this software for any
+## purpose with or without fee is hereby granted, provided that the above
+## copyright notice and this permission notice appear in all copies, and that
+## the name of Digital Equipment Corporation not be used in advertising or
+## publicity pertaining to distribution of the document or software without
+## specific, written prior permission.
+##
+## THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
+## WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
+## OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
+## CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+## DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+## PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+## ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+## SOFTWARE.
+## -
+## --Copyright--
+
+#
+# @(#)mkdep.sh 5.12 (Berkeley) 6/30/88
+#
+
+MAKE=Makefile # default makefile name is "Makefile"
+
+while :
+ do case "$1" in
+ # -f allows you to select a makefile name
+ -f)
+ MAKE=$2
+ shift; shift ;;
+
+ # the -p flag produces "program: program.c" style dependencies
+ # so .o's don't get produced
+ -p)
+ SED='s;\.o;;'
+ shift ;;
+ *)
+ break ;;
+ esac
+done
+
+if [ $# = 0 ] ; then
+ echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
+ exit 1
+fi
+
+if [ ! -w $MAKE ]; then
+ echo "mkdep: no writeable file \"$MAKE\""
+ exit 1
+fi
+
+TMP=mkdep$$
+
+trap 'rm -f $TMP ; exit 1' 1 2 3 13 15
+
+cp $MAKE ${MAKE}.bak
+
+sed -e '/DO NOT DELETE THIS LINE/,$d' < $MAKE > $TMP
+
+cat << _EOF_ >> $TMP
+# DO NOT DELETE THIS LINE -- mkdep uses it.
+# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY.
+
+_EOF_
+
+# If your compiler doesn't have -M, add it. If you can't, the next two
+# lines will try and replace the "cc -M". The real problem is that this
+# hack can't deal with anything that requires a search path, and doesn't
+# even try for anything using bracket (<>) syntax.
+#
+# egrep '^#include[ ]*".*"' /dev/null $* |
+# sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
+
+MKDEPPROG="@MKDEPPROG@"
+if [ X"${MKDEPPROG}" != X ]; then
+ @SHELL@ -c "${MKDEPPROG} $*"
+else
+ @MKDEPCC@ @MKDEPCFLAGS@ $* |
+ sed "
+ s; \./; ;g
+ @LIBTOOL_MKDEP_SED@
+ $SED" |
+ awk '{
+ if ($1 != prev) {
+ if (rec != "")
+ print rec;
+ rec = $0;
+ prev = $1;
+ }
+ else {
+ if (length(rec $2) > 78) {
+ print rec;
+ rec = $0;
+ }
+ else
+ rec = rec " " $2
+ }
+ }
+ END {
+ print rec
+ }' >> $TMP
+fi
+
+cat << _EOF_ >> $TMP
+
+# IF YOU PUT ANYTHING HERE IT WILL GO AWAY
+_EOF_
+
+# copy to preserve permissions
+cp $TMP $MAKE
+rm -f ${MAKE}.bak $TMP
+exit 0
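Review bot: `TMP=mkdep$$` is a predictable file name that the script creates in the current directory with a plain `>` redirect, and `$MAKE` and `$TMP` are expanded unquoted throughout (`[ ! -w $MAKE ]`, `cp $MAKE ${MAKE}.bak`, `cp $TMP $MAKE`), so a pre-existing symlink of that name is followed and a makefile path containing whitespace is split. Where `mktemp` is available, `TMP=$(mktemp mkdep.XXXXXX) || exit 1` plus quoting every expansion (`"$MAKE"`, `"$TMP"`) addresses both. The script also never checks whether the dependency step succeeded before `cp $TMP $MAKE` and `rm -f ${MAKE}.bak $TMP`, so a failed run can leave a truncated dependency section with the backup already removed; keeping `${MAKE}.bak` until the step is known to have succeeded would avoid that. Since this file is imported as-is, the change belongs upstream or in a documented local patch.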
diff --git a/contrib/bind9/make/rules.in b/contrib/bind9/make/rules.in
new file mode 100644
index 0000000..45bca27
--- /dev/null
+++ b/contrib/bind9/make/rules.in
@@ -0,0 +1,228 @@
+# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 1998-2003 Internet Software Consortium.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: rules.in,v 1.40.2.5.4.4 2004/07/20 07:02:00 marka Exp $
+
+###
+### Common Makefile rules for BIND 9.
+###
+
+###
+### Paths
+###
+### Note: paths that vary by Makefile MUST NOT be listed
+### here, or they won't get expanded correctly.
+
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+includedir = @includedir@
+libdir = @libdir@
+sysconfdir = @sysconfdir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+
+DESTDIR =
+
+@SET_MAKE@
+
+top_builddir = @BIND9_TOP_BUILDDIR@
+
+###
+### All
+###
+### Makefile may define:
+### TARGETS
+
+all: subdirs ${TARGETS}
+
+###
+### Subdirectories
+###
+### Makefile may define:
+### SUBDIRS
+
+ALL_SUBDIRS = ${SUBDIRS} nulldir
+
+#
+# We use a single-colon rule so that additional dependencies of
+# subdirectories can be specified after the inclusion of this file.
+# The "depend" target is treated the same way.
+#
+subdirs:
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making all in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \
+ fi; \
+ done
+
+install:: all
+
+install clean distclean maintainer-clean doc docclean man manclean::
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making $@ in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
+ fi; \
+ done
+
+###
+### C Programs
+###
+### Makefile must define
+### CC
+### Makefile may define
+### CFLAGS
+### LDFLAGS
+### CINCLUDES
+### CDEFINES
+### CWARNINGS
+### User may define externally
+### EXT_CFLAGS
+
+CC = @CC@
+CFLAGS = @CFLAGS@
+LDFLAGS = @LDFLAGS@
+STD_CINCLUDES = @STD_CINCLUDES@
+STD_CDEFINES = @STD_CDEFINES@
+STD_CWARNINGS = @STD_CWARNINGS@
+
+.SUFFIXES:
+.SUFFIXES: .c .@O@
+
+ALWAYS_INCLUDES = -I${top_builddir}
+ALWAYS_DEFINES = @ALWAYS_DEFINES@
+ALWAYS_WARNINGS =
+
+ALL_CPPFLAGS = \
+ ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \
+ ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES}
+
+ALL_CFLAGS = ${EXT_CFLAGS} ${CFLAGS} \
+ ${ALL_CPPFLAGS} \
+ ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS}
+
+.c.@O@:
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $<
+
+SHELL = @SHELL@
+LIBTOOL = @LIBTOOL@
+LIBTOOL_MODE_COMPILE = ${LIBTOOL} @LIBTOOL_MODE_COMPILE@
+LIBTOOL_MODE_INSTALL = ${LIBTOOL} @LIBTOOL_MODE_INSTALL@
+LIBTOOL_MODE_LINK = ${LIBTOOL} @LIBTOOL_MODE_LINK@
+PURIFY = @PURIFY@
+
+MKDEP = ${SHELL} ${top_builddir}/make/mkdep
+
+cleandir: distclean
+superclean: maintainer-clean
+
+clean distclean maintainer-clean::
+ rm -f *.@O@ *.lo *.la core *.core .depend
+ rm -rf .libs
+
+distclean maintainer-clean::
+ rm -f Makefile
+
+depend:
+ @for i in ${ALL_SUBDIRS}; do \
+ if [ "$$i" != "nulldir" -a -d $$i ]; then \
+ echo "making depend in `pwd`/$$i"; \
+ (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
+ fi; \
+ done
+ @if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${SRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
+ ${DEPENDEXTRA} \
+ elif [ X"${PSRCS}" != X ] ; then \
+ echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
+ ${DEPENDEXTRA} \
+ fi
+
+FORCE:
+
+###
+### Libraries
+###
+
+AR = @AR@
+ARFLAGS = @ARFLAGS@
+RANLIB = @RANLIB@
+
+###
+### Installation
+###
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_DATA = @INSTALL_DATA@
+
+###
+### DocBook -> HTML
+### DocBook -> man page
+###
+
+.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8
+
+OPENJADE = @OPENJADE@
+SGMLCATALOG = @SGMLCATALOG@
+HTMLSTYLE = @HTMLSTYLE@
+XMLDCL = @XMLDCL@
+DOCBOOK2MANSPEC = @DOCBOOK2MANSPEC@
+JADETEX = @JADETEX@
+PDFJADETEX = @PDFJADETEX@
+
+ONSGMLS = onsgmls
+SGMLSPL = sgmlspl
+
+#
+# Note: this rule assumes the docbook.dsl stylesheet
+# is being used. If another stylesheet is used, the
+# filename 'r1.htm' in the rule might have to be
+# be changed.
+#
+.docbook.html:
+ ${OPENJADE} -c ${SGMLCATALOG} -t sgml -d ${HTMLSTYLE} $<
+ echo "" >> r1.htm
+ cat ${top_srcdir}/docutil/HTML_COPYRIGHT r1.htm > $@
+ rm -f r1.htm
+
+.docbook.1:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.2:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.3:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.4:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.5:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.6:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.7:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
+.docbook.8:
+ sh ${top_srcdir}/docutil/docbook2man-wrapper.sh ${top_srcdir} $< $@
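Review bot: The first branch of the `depend` recipe runs `${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}`, but the option loop in make/mkdep.in from this same import only handles `-f` and `-p`, so `-ap` falls through to `*) break` and is passed on to the compiler with the other flags. Because every mkdep run first deletes everything from the "DO NOT DELETE THIS LINE" marker onward, that second call would also discard the dependencies the `${SRCS}` call just wrote, so a directory that sets both SRCS and PSRCS appears to end up without its object dependencies. Either mkdep needs an append option or the two source lists should be handled in one run. In the `PSRCS`-only branch the echoed command omits the flag that is actually used; `echo ${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \` would make the log match.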
diff --git a/contrib/bind9/mkinstalldirs b/contrib/bind9/mkinstalldirs
new file mode 100755
index 0000000..4992567
--- /dev/null
+++ b/contrib/bind9/mkinstalldirs
@@ -0,0 +1,40 @@
+#! /bin/sh
+# mkinstalldirs --- make directory hierarchy
+# Author: Noah Friedman <friedman@prep.ai.mit.edu>
+# Created: 1993-05-16
+# Public domain
+
+# $Id: mkinstalldirs,v 1.1 2000/09/20 19:05:51 gson Exp $
+
+errstatus=0
+
+for file
+do
+ set fnord `echo ":$file" | sed -ne 's/^:\//#/;s/^://;s/\// /g;s/^#/\//;p'`
+ shift
+
+ pathcomp=
+ for d
+ do
+ pathcomp="$pathcomp$d"
+ case "$pathcomp" in
+ -* ) pathcomp=./$pathcomp ;;
+ esac
+
+ if test ! -d "$pathcomp"; then
+ echo "mkdir $pathcomp" 1>&2
+
+ mkdir "$pathcomp" || lasterr=$?
+
+ if test ! -d "$pathcomp"; then
+ errstatus=$lasterr
+ fi
+ fi
+
+ pathcomp="$pathcomp/"
+ done
+done
+
+exit $errstatus
+
+# mkinstalldirs ends here
diff --git a/contrib/bind9/version b/contrib/bind9/version
new file mode 100644
index 0000000..153edf9
--- /dev/null
+++ b/contrib/bind9/version
@@ -0,0 +1,10 @@
+# $Id: version,v 1.26.2.17.2.10 2004/09/01 07:29:40 marka Exp $
+#
+# This file must follow /bin/sh rules. It is imported directly via
+# configure.
+#
+MAJORVER=9
+MINORVER=3
+PATCHVER=0
+RELEASETYPE=rc
+RELEASEVER=4